The OpenWrt firewall implementation is the mechanism by which network traffic is filtered coming through the router. At a high level, one of three outcomes will occur: either the packet is discarded (dropped) without any further action, rejected (with an appropriate response to the source), or accepted (routed to the destination). Note that the router itself is a destination for management and monitoring.
The OpenWrt firewall revolves around the Linux netfilter project. There are the following main components to the OpenWrt firewall:
The fw3 application package is the main application used to provision the firewall. It was developed by the OpenWrt team specifically for the project.
Each of the network stacks have netfilter functions call
hooks embedded at
specific places in the code. As a network packet moves through the stack, each
hook is called to check the packet against possible netfilter rules bound to
The netfilter hook code uses the
NF_HOOK set of macros. Each hook takes the
The netfilter kernel modules are loaded at boot depend on the configured. There are roughly 35 kernel modules to support the standard netfilter capabilities but there are many more depending on the requirements of the router. For example, many routers use the ipset feature. This adds ~16 additional kernel modules.
Most of the netfilter modules are small, providing a single specific capability. For example:
ipt_REJECTperforms REJECT (target),
xt_multiportperforms match of the IP port (match)
xt_TCPMSSperforms Maximum Segment Size adjustment in the TCP header (target in
Several of the netfilter modules are larger. For example:
nf_conntrackperforms connection tracking for masquerading (NAT) and packet de-fragmentation.
/etc/init.d/sysctl is executed at boot time. This is a shell script that
/etc/sysctl.conf and all files under
set/tune kernel parameters to provide OpenWrt features. See
All are parameters documented under the
of kernel source tree so the specifics will not be repeated here. See
nf_conntrack-sysctl.txt for reference.
Since the OpenWrt feature set is fairly static, the kernel parameters almost certainly do not need to tuned beyond the defaults provided in the build.
Notice that netfilter bridging support in the kernel is disabled! See
bridge-nf-call-iptables - BOOLEAN 1 : pass bridged IPv4 traffic to iptables' chains. 0 : disable this. Default: 1
: the sysctl directives in
/etc/init.d/sysctl are a superset of
those in the
/etc/sysctl.d files. The files in
entirely redundant. This may be a product of the build process.