The OpenWrt firewall implementation is the mechanism by which network traffic is filtered coming through the router. At a high level, one of three outcomes will occur: either the packet is discarded (dropped) without any further action, rejected (with an appropriate response to the source), or accepted (routed to the destination). Note that the router itself is a destination for management and monitoring.
The OpenWrt firewall revolves around the Linux netfilter project. There are the following main components to the OpenWrt firewall:
The fw3 application package is the main application used to provision the firewall. It was developed by the OpenWrt team specifically for the project.
Each of the network stacks have netfilter functions call
hooks embedded at specific places in the code.
As a network packet moves through the stack, each hook is called to check the packet against possible netfilter rules bound to the hook.
The netfilter hook code uses the
NF_HOOK set of macros.
Each hook takes the following arguments:
The netfilter kernel modules are loaded at boot depend on the configured. There are roughly 35 kernel modules to support the standard netfilter capabilities but there are many more depending on the requirements of the router. For example, many routers use the ipset feature. This adds ~16 additional kernel modules.
Most of the netfilter modules are small, providing a single specific capability. For example:
ipt_REJECTperforms REJECT (target),
xt_multiportperforms match of the IP port (match)
xt_TCPMSSperforms Maximum Segment Size adjustment in the TCP header (target in
Several of the netfilter modules are larger. For example:
nf_conntrackperforms connection tracking for masquerading (NAT) and packet de-fragmentation.
/etc/init.d/sysctl is executed at boot time.
This is a shell script that loads
/etc/sysctl.conf and all files under
These set/tune kernel parameters to provide OpenWrt features.
All are parameters documented under the
Documentation/networking directory of kernel source tree so the specifics will not be repeated here.
nf_conntrack-sysctl.txt for reference.
Since the OpenWrt feature set is fairly static, the kernel parameters almost certainly do not need to tuned beyond the defaults provided in the build.
Notice that netfilter bridging support in the kernel is disabled!
bridge-nf-call-iptables - BOOLEAN 1 : pass bridged IPv4 traffic to iptables' chains. 0 : disable this. Default: 1