
Firewall address-set support#1563

Open
troglobit wants to merge 12 commits into main from misc

Conversation


@troglobit troglobit commented Jul 3, 2026

Contributor

Description

Add support for firewall address-set (ipset) ACLs, with YANG actions to add/remove/flush dynamic entries on demand at runtime.

Also, some WebUI fixes to the firewall, and sibling wrappers.

We also introduce an optional download mirror mechanism, and a mirror sync script for setting up a local file server. This PR also enables the mirror in all local runners: build, build-boot, and release.

During the setup of the file server it was discovered that Arm and RiscV builds did not use the pre-built Go toolchain, so a fix for that is also included.

There are a few other fixes as well, just to make sure it's a pure "misc" branch 😅

Checklist

Tick relevant boxes, this PR is-a or has-a:

  • Bugfix
    • Regression tests
    • ChangeLog updates (for next release)
  • Feature
    • YANG model change => revision updated?
    • Regression tests added?
    • ChangeLog updates (for next release)
    • Documentation added?
  • Test changes
    • Checked in changed Readme.adoc (make test-spec)
    • Added new test to group Readme.adoc and yaml file
  • Code style update (formatting, renaming)
  • Refactoring (please detail in commit messages)
  • Build related changes
  • Documentation content changes
    • ChangeLog updated (for major changes)
  • Other (please describe):

troglobit added 3 commits July 1, 2026 10:33
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Add firewall address-sets: named sets of IP addresses and networks,
usable as zone sources for per-IP access control, issue #1189.  Static
entries are part of the configuration; dynamic entries are managed at
runtime with new add/remove/flush actions, from the CLI or over
NETCONF/RESTCONF.  Dynamic entries survive firewall configuration
changes but are not saved to the configuration.  Sets with a timeout
expire their entries automatically.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
@troglobit troglobit requested a review from mattiaswal July 3, 2026 09:32
@troglobit troglobit added the ci:main Build default defconfig, not minimal label Jul 3, 2026
troglobit added 9 commits July 4, 2026 09:32
Resetting a zone's services (or interfaces) wiped the entire zone:
action, interfaces, address-sets, everything but the name.

The keyed zone GET decodes into a wrapper expecting the node bare, but
the server nests it under the full parent path:

    {"infix-firewall:firewall": {"zone": [ ... ]}}

The decode silently matched nothing, so the reset handler rebuilt the
zone from an empty struct and PUT only the zone name.  The same
mismatch also broke network preservation when saving a zone.

Clear leaf-lists by deleting each instance instead of rebuilding the
zone with PUT, so a reset cannot touch anything else.  Fix the wrapper
shape, document the nesting convention on the RESTCONF client Get, and
log a warning when a non-empty response decodes to a zero-valued
wrapper.  When saving zones, omit empty leaf-lists and a defaulted
action.  Refresh the firewall page after resets and update the handler
tests to mock the real response shape.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Three more RESTCONF wrappers assume the response to a keyed GET is the
bare node, when the server nests it under the full parent path: the
container resource-usage stats always read zero, the WireGuard listen
port never populated, and resetting advertised link modes silently
re-enabled auto-negotiation on links where it was forced off.

Same class of bug as the firewall zone reset fix: the decode matches
nothing and the zero value is used as if valid.  Model the full nesting
in all three wrappers, reusing the existing container list wrapper.

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
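The two commit messages above describe the same defect class: a wrapper struct written for the bare node, while the server nests the node under its full parent path, so encoding/json skips the unknown top-level key, reports no error, and the caller proceeds with a zero value. The following is an added example, not the project's WebUI code; the Zone fields, the wrapper names, the sample response and the exported helper names are all constructed for illustration. It reproduces the silent zero-value decode, shows why rebuilding the node from that zero value and PUTting it is destructive, and then shows two guards: modelling the full nesting with a zero-value check (the commit's fix, returning an error here rather than logging a warning) and `json.Decoder.DisallowUnknownFields`, which turns a shape mismatch into a hard error.

```go
package main

import (
	"bytes"
	"encoding/json"
	"errors"
	"fmt"
	"log"
	"reflect"
)

// Zone is a constructed stand-in for a firewall zone; the field names
// are illustrative and not the project's YANG schema.
type Zone struct {
	Name        string   `json:"name"`
	Action      string   `json:"action,omitempty"`
	Interfaces  []string `json:"interface,omitempty"`
	AddressSets []string `json:"address-set,omitempty"`
}

// BareWrapper is the shape the buggy decode expected: list at top level.
type BareWrapper struct {
	Zone []Zone `json:"zone"`
}

// NestedWrapper models the server's actual reply to a keyed GET: the
// node nested under its full parent path.
type NestedWrapper struct {
	Firewall struct {
		Zone []Zone `json:"zone"`
	} `json:"infix-firewall:firewall"`
}

// SampleResponse is a constructed RESTCONF reply in the nested shape.
const SampleResponse = `{"infix-firewall:firewall": {"zone": [
  {"name": "lan", "action": "accept",
   "interface": ["eth0", "eth1"], "address-set": ["trusted"]}]}}`

// ErrZeroDecode flags a non-empty body that decoded to nothing.
var ErrZeroDecode = errors.New("non-empty response decoded to zero-valued wrapper")

// DecodeBuggy reproduces the defect: the unknown top-level key is
// ignored, no error is returned, and an empty Zone is handed back.
func DecodeBuggy(body []byte) (Zone, error) {
	var w BareWrapper
	if err := json.Unmarshal(body, &w); err != nil {
		return Zone{}, err
	}
	if len(w.Zone) == 0 {
		return Zone{}, nil // zero value used as if valid
	}
	return w.Zone[0], nil
}

// DecodeChecked unmarshals into any wrapper pointer and refuses a
// zero-valued result for a non-empty body (the guard the fix adds).
func DecodeChecked(body []byte, wrapper any) error {
	if err := json.Unmarshal(body, wrapper); err != nil {
		return err
	}
	if len(bytes.TrimSpace(body)) > 0 && reflect.ValueOf(wrapper).Elem().IsZero() {
		return ErrZeroDecode
	}
	return nil
}

// DecodeStrict rejects unknown keys, so a wrong wrapper shape fails at
// the first unexpected key instead of silently decoding to zero.
func DecodeStrict(body []byte, wrapper any) error {
	dec := json.NewDecoder(bytes.NewReader(body))
	dec.DisallowUnknownFields()
	return dec.Decode(wrapper)
}

// DecodeZone is the fixed path: full nesting modelled, zero value guarded.
func DecodeZone(body []byte) (Zone, error) {
	var w NestedWrapper
	if err := DecodeChecked(body, &w); err != nil {
		return Zone{}, err
	}
	if len(w.Firewall.Zone) == 0 {
		return Zone{}, errors.New("response carries no zone")
	}
	return w.Firewall.Zone[0], nil
}

// ResetPutBody shows the damage: a reset that rebuilds the zone from the
// decoded value and PUTs it replaces the whole node with what it has.
func ResetPutBody(z Zone, name string) []byte {
	z.Name = name
	z.AddressSets = nil // the leaf-list being reset
	b, _ := json.Marshal(z)
	return b
}

func main() {
	body := []byte(SampleResponse)
	z, _ := DecodeBuggy(body)
	fmt.Printf("buggy decode: %+v\nbuggy PUT: %s\n", z, ResetPutBody(z, "lan"))
	z, err := DecodeZone(body)
	if err != nil {
		log.Fatal(err)
	}
	fmt.Printf("fixed decode: %+v\nfixed PUT: %s\n", z, ResetPutBody(z, "lan"))
	var bare BareWrapper
	fmt.Println("strict into bare wrapper:", DecodeStrict(body, &bare))
}
```

With the buggy decode the PUT body collapses to `{"name":"lan"}`, which is exactly the wipe described in the commit message; the strict decoder would have surfaced the mismatch in the handler tests the moment the mock used the real response shape.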
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Closes #985

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Developer builds report the bare upstream U-Boot version, e.g.
2025.01, and are easily mistaken for release builds.  Nothing stamps
a local version on non-release builds to tell them apart.

Write a .scmversion of -DEVEL from a pre-build hook when INFIX_RELEASE
is unset, so developer builds report 2025.01-DEVEL.  Release builds
are left untouched.

Closes #919

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Services could not bind to addresses not yet present on an interface,
e.g. floating VIPs managed by a routing daemon, since nonlocal bind
was left at the kernel default of disabled.

Enable net.ipv4.ip_nonlocal_bind and net.ipv6.ip_nonlocal_bind among
the router defaults in /etc/sysctl.d.

Closes #1022

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Releases exposed the RAUC upgrade bundle only inside the per-arch
tarball, and shipped no ready-to-flash Raspberry Pi image; users had
to unpack the tarball or assemble an image from a separate bootloader.

Upload output/images/*.pkg as its own artifact, and build an rpi64 SD
card image in the aarch64 release leg before rootfs.squashfs is
stripped from the tarball, combining it with the rpi64 bootloader from
the latest-boot release.  Publish both as release assets; the tarball
still carries the .pkg too.

Closes #1084

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>
Infix defines its own Kconfig options with unprefixed names (IMAGE_*,
QEMU_*, TRUSTED_KEYS*) and an INFIX_ prefix.  Unprefixed names risk
clashing with Buildroot and with other br2-externals/spins that source
our tree.

Rename all 86 options to a common IX_ prefix, collapsing the existing
INFIX_ ones, e.g. INFIX_IMAGE_ID becomes IX_IMAGE_ID.  The os-release
INFIX_DESC field is a runtime interface, not a Kconfig option, and is
kept; the qemu Config.in generator's @arch@ symbol is updated to match.

Closes #1305

Signed-off-by: Joachim Wiberg <troglobit@gmail.com>