OpenWrt firewall documentation (translation)

Firewall and network interfaces

The goal of a router is to forward packet streams from incoming network interfaces to outgoing network interfaces. Firewall rules add another layer of granularity to what is allowed to be forwarded across interfaces - and additionally which packets are allowed to be inputted to, and outputted from, the router itself. This section discusses the relationships between the firewall code and the network interfaces.

At the heart of all routers is a hardware switch with a number of interface ports. When a packet enters one of the switch ports, the hardware switch matches a fixed field in the packet and forwards the packet to an output port which transmits it.

Firewall and network interfaces

The goal of a router is to forward packet streams from incoming network interfaces to outgoing network interfaces. Firewall rules add another layer of granularity: which packets may be forwarded across interfaces, and which packets are allowed to enter and leave the router itself. This chapter discusses the relationship between the firewall code and the network interfaces.

At the heart of every router is a hardware switch with a number of ports. When a packet enters one of the switch ports, the hardware switch matches a fixed field in the packet and forwards it to an output port that transmits it.

The switch generally uses the layer-2 destination MAC address in the packet to switch on. Each port has a cache of MAC addresses for stations reachable by (attached to) that port. Entries in the MAC cache gradually age out, so they must be re-discovered if used again. Layer-2 frames with a known destination MAC are switched to the desired LAN port. If the MAC is not present anywhere in the switch cache, a broadcast packet (e.g. ARP) is flooded to all LAN ports to discover which one has access to the destination MAC.

The switch generally switches on the layer-2 destination MAC address in the packet. Each port keeps a MAC address cache of the stations reachable through (attached to) that port. Entries in the MAC cache gradually age out, so they must be rediscovered before being used again. Layer-2 frames with a known destination MAC are switched to the desired LAN port. If the MAC is not present in the switch cache, a broadcast packet (e.g. ARP) is flooded to all LAN ports to discover which port has the destination MAC behind it.

OpenWrt routers have two types of LAN interface: wired Ethernet (IEEE 802.3 or RFC 894 Ethernet II, Ethernet II being the most common) and wireless Ethernet (IEEE 802.11).

The wired LAN ports each map directly to a single switch port. Generally there is one 802.11 Wi-Fi port attached to a Wi-Fi radio chip (2.4 GHz, 5 GHz). Each handles one or more IEEE 802.11 standard protocols (e.g. 802.11a, 802.11n) and ancillary support for wireless networks (e.g. 802.11s mesh networking). The Wi-Fi chips convert the 802.11 signal into a canonical Ethernet frame that is injected into the switch port for routing. All Wi-Fi stations connected to the 802.11 access point use the same radio(s) and the same switch port.

OpenWrt routers have two types of LAN interface: wired Ethernet (IEEE 802.3 or RFC 894 Ethernet II, Ethernet II being the most common) and wireless Ethernet (IEEE 802.11).

Each wired LAN port maps directly to a single switch port. Generally there is one 802.11 Wi-Fi port attached to a Wi-Fi radio chip (2.4 GHz, 5 GHz). Each handles one or more IEEE 802.11 standard protocols (e.g. 802.11a, 802.11n) and ancillary support for wireless networks (e.g. 802.11s mesh networking). The Wi-Fi chip converts the 802.11 signal into a canonical Ethernet frame that is injected into the switch port for routing. All Wi-Fi stations connected to the 802.11 access point use the same radio(s) on the same switch port.

LAN bridge

The LAN bridge combines the WLAN interface(s) with the wired LAN ports to create a single logical network. In the interface configuration, set option type bridge, or in LuCI use the Network→Interfaces→LAN Bridge interfaces box, and select the physical interfaces to bridge together. All switch ports in the bridge act as a single network.

The new pseudo-interface has a br- prepended to the interface name, generally br-lan.
Use bridging when combining WLAN and wired Ethernet ports. Otherwise partition the ports into VLANs.

LAN bridge

The LAN bridge combines the WLAN interface(s) with the wired LAN ports to create a single logical network. Set 'option type bridge' in the 'interface' configuration, or use the 'Network' - 'Interfaces' - 'LAN bridge interfaces' option in LuCI, and select the physical interfaces to bridge together. All switch ports in the bridge become a single network.

The new pseudo-interface has 'br-' prepended to the interface name, usually 'br-lan'.

Use bridging when combining WLAN and wired Ethernet ports; otherwise partition the ports into VLANs.

Firewall Zones

The firewall of an OpenWrt router is able to collect interfaces into zones to more logically filter traffic. A zone can be configured to any set of interfaces but generally there are at least two zones: lan for the collection of LAN interfaces and wan for the WAN interfaces.

This simplifies the firewall rule logic somewhat by conceptually grouping the interfaces:

  • A rule for a packet originating in a zone applies to packets entering the router on one of the zone's interfaces.

  • A rule for a packet being forwarded to a zone applies to packets exiting the router on one of the zone's interfaces.

Recognize that the zone concept does not significantly simplify a simple SOHO router with a single br-lan interface and a single wan interface: there each interface has a one-to-one mapping with a zone.

Firewall zones

The firewall on an OpenWrt router can collect interfaces into zones to filter traffic more logically. A zone can be configured with any set of interfaces, but there are generally at least two zones: lan, collecting the LAN interfaces, and wan, collecting the WAN interfaces.

Grouping the interfaces conceptually simplifies the firewall rule logic somewhat:

  • A rule for a packet originating in a zone applies to packets entering the router on one of that zone's interfaces.

  • A rule for a packet being forwarded to a zone applies to packets leaving the router on one of that zone's interfaces.

Note that the zone concept does not significantly simplify a simple SOHO router with a single br-lan interface and a single wan interface; there each interface maps one-to-one to a zone.
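As an added example (not fw3's or OpenWrt's own code), the following Python models the zone lookup described above: it parses a constructed /etc/config/firewall fragment, maps each kernel device to its zone, and returns the verdict fw3's FORWARD chains would give a new connection between two devices (a matching forwarding section first, then the zone's own forward policy for traffic staying inside one zone, then the defaults policy). The network-to-device mapping and all names are assumptions; conntrack, rule sections and masquerading are not modeled.

```python
"""Added example, not fw3's own code: fw3's verdict for a new forwarded packet."""
import re
# Constructed /etc/config/firewall sample; zone and network names are illustrative.
SAMPLE_CONFIG = """
config defaults
    option forward 'REJECT'
config zone
    option name 'lan'
    list network 'lan'
    option forward 'ACCEPT'
config zone
    option name 'wan'
    list network 'wan'
config forwarding
    option src 'lan'
    option dest 'wan'
"""
NETWORK_DEVICES = {"lan": "br-lan", "wan": "eth0.2"}  # logical network -> device (assumed)

def parse_uci(text):
    """Minimal UCI parser: [(section_type, {option: value or [list values]})]."""
    sections = []
    for line in text.splitlines():
        if not (m := re.match(r"\s*(config|option|list)\s+(\S+)(?:\s+'([^']*)')?", line)):
            continue
        kind, key, val = m.groups()
        if kind == "config":
            sections.append((key, {}))
        elif kind == "option":
            sections[-1][1][key] = val
        else:
            sections[-1][1].setdefault(key, []).append(val)
    return sections

def forward_verdict(sections, in_dev, out_dev):
    """fw3 FORWARD layout: forwarding section accepts; same zone -> zone policy; else defaults."""
    default = next((o.get("forward", "REJECT") for k, o in sections if k == "defaults"), "REJECT")
    dev_zone, zone_policy = {}, {}
    for kind, opts in sections:
        if kind == "zone":
            zone_policy[opts["name"]] = opts.get("forward", "REJECT")  # fw3 zone default
            for net in opts.get("network", []):
                dev_zone[NETWORK_DEVICES[net]] = opts["name"]
    src, dst = dev_zone.get(in_dev), dev_zone.get(out_dev)
    allowed = {(o["src"], o["dest"]) for k, o in sections if k == "forwarding"}
    if (src, dst) in allowed:
        return "ACCEPT"
    if src is not None and src == dst:
        return zone_policy[src]
    return default  # other zone pairs and unzoned devices fall through to the default
```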

Firewall components

The OpenWrt firewall implementation is the mechanism by which network traffic is filtered coming through the router. At a high level, one of three outcomes will occur: either the packet is discarded (dropped) without any further action, rejected (with an appropriate response to the source), or accepted (routed to the destination). Note that the router itself is a destination for management and monitoring.

The OpenWrt firewall revolves around the Linux netfilter project. There are the following main components to the OpenWrt firewall:

  • the firewall3 application

  • a set of netfilter hooks in the kernel networking stacks

  • a set of Linux kernel modules that handle the inspection of network packets

  • a set of kernel tuning parameters to configure the network stacks and firewall modules

This documentation is based on OpenWrt 18.06.0. Many of the configurations have been tested against this release using the test network.

Firewall3 (fw3)

The fw3 application package is the main application used to provision the firewall. It was developed by the OpenWrt team specifically for the project.

Firewall components

The OpenWrt firewall is the mechanism that filters network traffic passing through the router. At a high level, one of three outcomes occurs: the packet is either dropped without any further action, rejected (with an appropriate response to the source), or accepted (routed to its destination). Note that the router itself is a destination for management and monitoring.

fw3

The fw3 application package is the main application used to provision the firewall. It was developed by the OpenWrt team specifically for this project.

Kernel netfilter hooks

Each of the network stacks has netfilter function-call hooks embedded at specific places in the code. As a network packet moves through the stack, each hook is called to check the packet against the netfilter rules bound to that hook.

The netfilter hook code uses the NF_HOOK set of macros. Each hook takes the following arguments:

  • network protocol: unspec (all), ipv4, ipv6, arp, bridge, decnet

  • hook num: PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING

  • net structure: context for the network stack

  • socket: BSD socket used for packet

  • network packet: a socket buffer containing the network packet

  • incoming device (interface): the source of the packet

  • outgoing device (interface): the destination of the packet after routing

  • a function callback if the packet passes the filter

Kernel netfilter hooks

Each network stack has netfilter function calls (hooks) embedded at specific places in the code. As a network packet moves through the stack, each hook is called to check the packet against the netfilter rules bound to that hook.

The netfilter hook code uses the NF_HOOK set of macros. Each hook takes the following arguments:

  • network protocol: unspec (all), ipv4, ipv6, arp, bridge, decnet

  • hook num: PRE_ROUTING, LOCAL_IN, FORWARD, LOCAL_OUT, POST_ROUTING

  • net structure: the context of the network stack

  • socket: the BSD socket used for the packet

  • network packet: a socket buffer containing the packet

  • incoming device (interface): the source of the packet

  • outgoing device (interface): the destination of the packet after routing

  • a callback function, invoked if the packet passes the filter

Kernel netfilter modules

The netfilter kernel modules are loaded at boot depending on the configuration. There are roughly 35 kernel modules to support the standard netfilter capabilities, but there are many more depending on the requirements of the router. For example, many routers use the ipset feature, which adds about 16 additional kernel modules.

Most of the netfilter modules are small, providing a single specific capability. For example:

  • ipt_REJECT performs REJECT (target),

  • xt_multiport performs match of the IP port (match)

  • xt_TCPMSS performs Maximum Segment Size adjustment in the TCP header (target in mangle table)

Several of the netfilter modules are larger. For example:

  • nf_conntrack performs connection tracking for masquerading (NAT) and packet de-fragmentation.

Kernel tuning via sysctl

/etc/init.d/sysctl is executed at boot time. This is a shell script that loads /etc/sysctl.conf and all files under /etc/sysctl.d/. These set/tune kernel parameters to provide OpenWrt features. See sysctl.conf.

All of these parameters are documented under the Documentation/networking directory of the kernel source tree, so the specifics will not be repeated here. See ip-sysctl.txt and nf_conntrack-sysctl.txt for reference.

Since the OpenWrt feature set is fairly static, the kernel parameters almost certainly do not need to be tuned beyond the defaults provided in the build.

Notice that netfilter bridging support in the kernel is disabled! See ip-sysctl.txt:

    bridge-nf-call-iptables - BOOLEAN
    1 : pass bridged IPv4 traffic to iptables' chains.
    0 : disable this.
    Default: 1

Kernel netfilter modules

The netfilter kernel modules are loaded at boot according to the configuration. Roughly 35 kernel modules support the standard netfilter capabilities, but many more may be loaded depending on the router's requirements. For example, many routers use the ipset feature, which adds about 16 additional kernel modules.

Most netfilter modules are small and provide a single specific capability. For example:

  • ipt_REJECT — REJECT (target),

  • xt_multiport — match of the IP port (match)

  • xt_TCPMSS — Maximum Segment Size adjustment in the TCP header (target in mangle table)

Several netfilter modules are larger. For example:

  • nf_conntrack — connection tracking for masquerading (NAT) and packet de-fragmentation.

Kernel tuning via sysctl

/etc/init.d/sysctl is executed at boot time. It is a shell script that loads /etc/sysctl.conf and all files under /etc/sysctl.d/. These set or tune kernel parameters that provide OpenWrt features. See sysctl.conf.

All of these parameters are documented under the Documentation/networking directory of the kernel source tree, so the specifics are not repeated here. See ip-sysctl.txt and nf_conntrack-sysctl.txt for reference.

Since the OpenWrt feature set is fairly static, the kernel parameters almost certainly do not need to be tuned beyond the defaults provided in the build.

Note that netfilter bridging support is disabled in the kernel! See ip-sysctl.txt:

    bridge-nf-call-iptables - BOOLEAN
    1 : pass bridged IPv4 traffic to iptables' chains.
    0 : disable this.
    Default: 1
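When the kernel default (1) and the running value of a parameter such as bridge-nf-call-iptables differ, the practical question is which file under the load order above set it. The shell script below is an added example, not OpenWrt's own sysctl init script: it replays that load order (/etc/sysctl.conf first, then /etc/sysctl.d/*.conf in name order, later assignments winning) over a constructed sample tree in a temporary directory rather than the live /etc, and reports the effective value together with the file responsible.

```shell
#!/bin/sh
# Added example (not from OpenWrt): resolve a sysctl key the way /etc/init.d/sysctl
# applies it. Prints "<value> <file>" for the last assignment seen, or an empty
# line if no file sets the key. The sample tree built below is constructed.

# usage: effective_sysctl <root_dir> <key>
effective_sysctl() {
    es_root=$1
    es_re=$(printf '%s' "$2" | sed 's/[.]/\\./g')   # escape dots for the sed pattern
    es_val=
    es_src=
    for es_f in "$es_root/etc/sysctl.conf" "$es_root"/etc/sysctl.d/*.conf; do
        [ -f "$es_f" ] || continue
        # strip comments and trailing blanks, keep the last "key = value" in this file
        es_hit=$(sed -n -e 's/#.*//' -e 's/[[:space:]]*$//' \
            -e "s/^[[:space:]]*${es_re}[[:space:]]*=[[:space:]]*//p" "$es_f" | tail -n 1)
        if [ -n "$es_hit" ]; then
            es_val=$es_hit
            es_src=$es_f
        fi
    done
    printf '%s\n' "${es_val:+$es_val $es_src}"
}

# Constructed sample root: sysctl.conf leaves the kernel default (1) in place,
# a sysctl.d file later turns bridge netfilter off, so bridged LAN<->WLAN
# traffic is never seen by the iptables chains the firewall zones build.
make_sample_tree() {
    mst_root=$(mktemp -d)
    mkdir -p "$mst_root/etc/sysctl.d"
    printf 'net.bridge.bridge-nf-call-iptables=1\n' > "$mst_root/etc/sysctl.conf"
    printf '# constructed sample\nnet.bridge.bridge-nf-call-iptables = 0 # bridged traffic skips iptables\n' \
        > "$mst_root/etc/sysctl.d/10-default.conf"
    printf '%s\n' "$mst_root"
}

demo_root=$(make_sample_tree)
effective_sysctl "$demo_root" net.bridge.bridge-nf-call-iptables
rm -rf "$demo_root"
```

On a real device, point it at / to audit the shipped configuration, and compare against /proc/sys/net/bridge/bridge-nf-call-iptables, which exists only while the br_netfilter code is loaded.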