Differences
This shows you the differences between two versions of the page.
| inbox:firewall:firewall_components [2018/08/22 15:40] – dturvene | docs:guide-user:firewall:firewall_components [2020/07/15 17:42] – [Kernel Tuning via sysctl] updated vgaetera | ||
|---|---|---|---|
| Line 11: | Line 11: | ||
| components to the OpenWrt firewall: | components to the OpenWrt firewall: | ||
| - | - the [[inbox:firewall:firewall3: | + | - the [[docs:guide-user:firewall: |
| - a set of netfilter hooks in the kernel networking stacks | - a set of netfilter hooks in the kernel networking stacks | ||
| - a set of linux kernel modules that handle the inspection of network packets | - a set of linux kernel modules that handle the inspection of network packets | ||
| - a set of kernel tuning parameters to configure the network stacks and firewall modules | - a set of kernel tuning parameters to configure the network stacks and firewall modules | ||
| - | This documentation is based on | + | This documentation is based on [[releases:18.06:notes-18.06.0|OpenWrt 18.06.0]]. |
| - | [[https:// | + | |
| Many of the configurations have been tested against this release using the | Many of the configurations have been tested against this release using the | ||
| - | [[inbox: | + | [[docs: |
| ===== Firewall3 (fw3) ===== | ===== Firewall3 (fw3) ===== | ||
| - | The [[inbox:firewall:firewall3: | + | The [[docs:guide-user:firewall: |
| application used to provision the firewall. | application used to provision the firewall. | ||
| team specifically for the project. | team specifically for the project. | ||
| ===== Kernel netfilter hooks ====== | ===== Kernel netfilter hooks ====== | ||
| - | Each of the network stacks have netfilter '' | + | Each of the network stacks have netfilter |
| - | in the code. As a network packet moves through the stack, each hook may be | + | specific places in the code. As a network packet moves through the stack, each |
| - | called to check the packet against | + | hook is called to check the packet against |
| + | the hook. | ||
| - | These hooks are placed in the kernel network stack code at specific points in | + | The netfilter |
| - | the packet processing. | + | following arguments: |
| - | hook takes the following arguments: | + | |
| * network protocol: unspec (all), ipv4, ipv6, arp, bridge, decnet | * network protocol: unspec (all), ipv4, ipv6, arp, bridge, decnet | ||
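Review bot: the reworded hook description (the `Each of the network stacks have netfilter` through `hook is called to check the packet against` lines) now states that every hook *is* called as a packet passes; the old wording `may be called` was the accurate one, because a hook point only runs the functions registered on it and is skipped when nothing is registered, so please keep the conditional phrasing. Two smaller points in the same hunk: the `This documentation is based on [[releases:18.06:notes-18.06.0|OpenWrt 18.06.0]]` pin is retained in a 2020 edit, so say whether the module counts and sysctl defaults further down were re-checked against the current release; and the unchanged protocol list (`unspec (all), ipv4, ipv6, arp, bridge, decnet`) omits the `inet` and `netdev` families that current kernels also expose to netfilter hooks, so either extend the list or state which kernel version it describes.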
| Line 45: | Line 44: | ||
| ===== netfilter kernel modules ===== | ===== netfilter kernel modules ===== | ||
| - | The netfilter kernel modules loaded at boot depend on the configured. | + | The netfilter kernel modules |
| - | are roughly 35 kernel modules to support the standard netfilter capabilities. | + | are roughly 35 kernel modules to support the standard netfilter capabilities |
| + | but there are many more depending on the requirements of the router. | ||
| + | example, many routers use the [[http:// | ||
| + | This adds ~16 additional kernel modules. | ||
| Most of the netfilter modules are small, providing a single specific | Most of the netfilter modules are small, providing a single specific | ||
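Review bot: the new `This adds ~16 additional kernel modules.` sentence and the existing `roughly 35` figure are unsourced counts; say how they were obtained (for example `lsmod | grep -c -E '^(nf_|xt_|ipt_)'` before and after installing the package in question) and on which release, otherwise both numbers will drift silently with the next kernel and nobody will know they are stale. The package link on the `example, many routers use the [[http://` line is also cut off in this revision, so the reader cannot tell which package the example refers to; restore the full link target, since the lines being removed further down (`The number of kmods expands as netfilter capabilities are added. Just` / `enabling [[http://`) carried the same kind of example and this hunk is the only place it now appears.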
| Line 58: | Line 60: | ||
| * '' | * '' | ||
| - | |||
| - | The number of kmods expands as netfilter capabilities are added. Just | ||
| - | enabling [[http:// | ||
| ===== Kernel Tuning via sysctl ===== | ===== Kernel Tuning via sysctl ===== | ||
| - | ''/ | + | ''/ |
| - | loads ''/ | + | This is a shell script that loads ''/ |
| - | set/tune kernel parameters to provide OpenWrt features. | + | These set/tune kernel parameters to provide OpenWrt features. |
| - | [[http:// | + | See [[man>sysctl.conf]]. |
| - | All are parameters documented under the '' | + | All are parameters documented under the '' |
| - | of kernel source tree so the specifics will not be repeated here. See | + | See '' |
| - | '' | + | |
| - | :!: Since the OpenWrt feature set is fairly static, the kernel parameters almost | + | :!: Since the OpenWrt feature set is fairly static, the kernel parameters almost certainly do not need to tuned beyond the defaults provided in the build. |
| - | certainly do not need to tuned beyond the defaults provided in the build. | + | |
| - | :!: Notice that netfilter bridging support in the kernel is disabled! | + | :!: Notice that netfilter bridging support in the kernel is disabled! |
| - | '' | + | See '' |
| - | <file> | + | <code> |
| bridge-nf-call-iptables - BOOLEAN | bridge-nf-call-iptables - BOOLEAN | ||
| 1 : pass bridged IPv4 traffic to iptables' | 1 : pass bridged IPv4 traffic to iptables' | ||
| 0 : disable this. | 0 : disable this. | ||
| Default: 1 | Default: 1 | ||
| - | </file> | + | </code> |
| - | + | ||
| - | FIXME : the **sysctl** directives in ''/ | + | |
| - | those in the ''/ | + | |
| - | entirely redundant. | + | |
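Review bot: the `:!: Notice that netfilter bridging support in the kernel is disabled!` line is contradicted by the kernel documentation quoted directly beneath it, which ends with `Default: 1`; for the warning to hold, the page needs to show the OpenWrt setting that overrides that default (the `net.bridge.bridge-nf-call-iptables` key and the value it is given in the sysctl file referred to on the `See ''` line) and a way to confirm it on a running router (`sysctl net.bridge.bridge-nf-call-iptables`), otherwise a reader who trusts the quoted block will conclude the opposite and expect bridged traffic to hit the iptables rules. Second, the `FIXME` paragraph removed at the end of the hunk (the three `- ` lines) is deleted rather than resolved: it recorded that the sysctl directives in the two files overlap, and the new `See [[man>sysctl.conf]]` pointer does not say which file takes precedence on this build; either keep the FIXME or state the precedence. The `<file>` to `<code>` fence change is fine.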