PreRelease Updates

Signed-off-by: Rob White <rob@blue-wave.net>
2026-01-10 20:37:54 -05:00 · 2021-08-08 20:20:27 +01:00
parent d40da0e2da
commit e9048ad313
6 changed files with 168 additions and 53 deletions
--- a/docs/source/changelog.rst
+++ b/docs/source/changelog.rst
@@ -4,6 +4,7 @@ What's New? - ChangeLog
 opennds (9.3.0)

  * This version adds new functionality, and fixes some issues
+  * Add - Add - firewall passthrough mode for authenticated users [bluewave.net]
  * Add - Add - use configured debuglevel in authmon [bluewave.net]
  * Add - automated log rotation and client_zone to binauth_log [bluewave.net]
  * Add - increased timeout interval for file downloads [bluewave.net]
@@ -12,6 +13,7 @@ opennds (9.3.0)
  * Add - config variables ext_interface and ext_gateway [bluewave.net]
  * Add - Start initial download of remotes only if online [bluewave.net]
  * Add - Router online/offline watchdog [bluewave.net]
+  * Fix - Segfault when gatewayfqdn is disabled [bluewave.net]
  * Fix - missing clientmac when not using themespec [bluewave.net]
  * Fix - some compiler warnings [bluewave.net]
  * Fix - use configured value for webroot for remote image symlink to images folder [bluewave.net]
@@ -19,7 +21,7 @@ opennds (9.3.0)
  * Fix - Prevent potential read overrun within the MHD page buffer [bluewave.net]
  * Remove - legacy get_ext_iface() function [bluewave.net]

- -- Rob White <dot@blue-wave.net> Sun, 1 Aug 2021 09:58:02 +0000
+ -- Rob White <dot@blue-wave.net> Sun, 8 Aug 2021 09:58:02 +0000

 opennds (9.2.0)

--- a/docs/source/config.rst
+++ b/docs/source/config.rst
@@ -863,41 +863,71 @@ Example:

 ``option preauth '/path/to/myscript/myscript.sh'``

-Block Private Subnets
-*********************
+Access Control For Authenticated Users
+**************************************

-Your router might have several private subnets on their own interfaces.
+Block Access For Authenticated Users (block)
+--------------------------------------------

-You will probably want to keep them private from clients using the public gatewayinterface.
+Default: None

-If so, you should block the entire subnets on those interfaces.
+If Block Access is specified, an allow or passthrough must be specified afterwards as any entries set here will override the access default.

 Examples:

-``list authenticated_users 'block to 192.168.0.0/16'``
+ You might want to block entire IP subnets. e.g.:

-``list authenticated_users 'block to 10.0.0.0/8'``
+ ``list authenticated_users 'block to 123.2.3.0/24'``
+
+ ``list authenticated_users 'block to 123.2.0.0/16'``
+
+ ``list authenticated_users 'block to 123.0.0.0/8'``
+
+or block access to a single IP address. e.g.:
+
+ ``list authenticated_users 'block to 123.2.3.4'``
+
+Do not forget to add an allow or passthrough if the default only is assumed (see Grant Access)


-Access For Authenticated Users
-******************************
+Grant Access For Authenticated Users (allow and passthrough)
+------------------------------------------------------------

-For authenticated users you will probably want to allow full access to the Internet, so use:
+* Access can be allowed by openNDS directly, overriding the operating system firewall rules

-``list authenticated_users 'allow all'``
+or

-If you want to restrict access for authenticated users, then at minimum you should open the following ports:
+* Access can be allowed by openNDS but the final decision can be passed on to the operating system firewall.

-``list authenticated_users 'allow tcp port 53'`` Allow DNS
+Default:

-``list authenticated_users 'allow udp port 53'`` Allow DNS
+No Entry, equivalent to

-``list authenticated_users 'allow tcp port 80'`` Allow standard http web sites
+ ``list authenticated_users 'passthrough all'``

-``list authenticated_users 'allow tcp port 443'`` Allow standard https web sites
+Any entries set here, or above in Block Access, will override the default

-Access For Preauthenticated Users:
-**********************************
+Example:
+
+Grant access overriding operating system firewall
+ ``list authenticated_users 'allow all'``
+
+Example:
+
+Grant access to https web sites, subject to the operating system's firewall rules
+
+ ``list authenticated_users 'passthrough tcp port 443'``
+
+Grant access to http web sites, overriding the operating system firewall rules.
+
+ ``list authenticated_users 'allow tcp port 80'``
+
+Grant access to udp services at address 123.1.1.1, on port 5000, overriding the operating system firewall rules.
+
+ ``list authenticated_users 'allow udp port 5000 to 123.1.1.1'``
+
+Access Control For Preauthenticated Users:
+******************************************

 **IMPORTANT**

--- a/linux_debian/doc/opennds.1
+++ b/linux_debian/doc/opennds.1
@@ -1,6 +1,6 @@
 .\" Man page generated from reStructuredText.
 .
-.TH "OPENNDS" "1" "Aug 05, 2021" "9.3.0" "openNDS"
+.TH "OPENNDS" "1" "Aug 08, 2021" "9.3.0" "openNDS"
 .SH NAME
 opennds \- opennds Documentation
 .
@@ -111,6 +111,8 @@ opennds (9.3.0)
 .IP \(bu 2
 This version adds new functionality, and fixes some issues
 .IP \(bu 2
+Add \- Add \- firewall passthrough mode for authenticated users [bluewave.net]
+.IP \(bu 2
 Add \- Add \- use configured debuglevel in authmon [bluewave.net]
 .IP \(bu 2
 Add \- automated log rotation and client_zone to binauth_log [bluewave.net]
@@ -127,6 +129,8 @@ Add \- Start initial download of remotes only if online [bluewave.net]
 .IP \(bu 2
 Add \- Router online/offline watchdog [bluewave.net]
 .IP \(bu 2
+Fix \- Segfault when gatewayfqdn is disabled [bluewave.net]
+.IP \(bu 2
 Fix \- missing clientmac when not using themespec [bluewave.net]
 .IP \(bu 2
 Fix \- some compiler warnings [bluewave.net]
@@ -141,7 +145,7 @@ Remove \- legacy get_ext_iface() function [bluewave.net]
 .UNINDENT
 .UNINDENT
 .UNINDENT
-\(em Rob White <\fI\%dot@blue\-wave.net\fP> Sun, 1 Aug 2021 09:58:02 +0000
+\(em Rob White <\fI\%dot@blue\-wave.net\fP> Sun, 8 Aug 2021 09:58:02 +0000
 .UNINDENT
 .UNINDENT
 .sp
@@ -2145,35 +2149,87 @@ All other FAS settings will be overidden.
 Example:
 .sp
 \fBoption preauth \(aq/path/to/myscript/myscript.sh\(aq\fP
-.SS Block Private Subnets
+.SS Access Control For Authenticated Users
+.SS Block Access For Authenticated Users (block)
 .sp
-Your router might have several private subnets on their own interfaces.
+Default: None
 .sp
-You will probably want to keep them private from clients using the public gatewayinterface.
-.sp
-If so, you should block the entire subnets on those interfaces.
+If Block Access is specified, an allow or passthrough must be specified afterwards as any entries set here will override the access default.
 .sp
 Examples:
+.INDENT 0.0
+.INDENT 3.5
+You might want to block entire IP subnets. e.g.:
 .sp
-\fBlist authenticated_users \(aqblock to 192.168.0.0/16\(aq\fP
+\fBlist authenticated_users \(aqblock to 123.2.3.0/24\(aq\fP
 .sp
-\fBlist authenticated_users \(aqblock to 10.0.0.0/8\(aq\fP
-.SS Access For Authenticated Users
+\fBlist authenticated_users \(aqblock to 123.2.0.0/16\(aq\fP
 .sp
-For authenticated users you will probably want to allow full access to the Internet, so use:
+\fBlist authenticated_users \(aqblock to 123.0.0.0/8\(aq\fP
+.UNINDENT
+.UNINDENT
 .sp
+or block access to a single IP address. e.g.:
+.INDENT 0.0
+.INDENT 3.5
+\fBlist authenticated_users \(aqblock to 123.2.3.4\(aq\fP
+.UNINDENT
+.UNINDENT
+.sp
+Do not forget to add an allow or passthrough if the default only is assumed (see Grant Access)
+.SS Grant Access For Authenticated Users (allow and passthrough)
+.INDENT 0.0
+.IP \(bu 2
+Access can be allowed by openNDS directly, overriding the operating system firewall rules
+.UNINDENT
+.sp
+or
+.INDENT 0.0
+.IP \(bu 2
+Access can be allowed by openNDS but the final decision can be passed on to the operating system firewall.
+.UNINDENT
+.sp
+Default:
+.sp
+No Entry, equivalent to
+.INDENT 0.0
+.INDENT 3.5
+\fBlist authenticated_users \(aqpassthrough all\(aq\fP
+.UNINDENT
+.UNINDENT
+.sp
+Any entries set here, or above in Block Access, will override the default
+.sp
+Example:
+.INDENT 0.0
+.TP
+.B Grant access overriding operating system firewall
 \fBlist authenticated_users \(aqallow all\(aq\fP
+.UNINDENT
 .sp
-If you want to restrict access for authenticated users, then at minimum you should open the following ports:
+Example:
 .sp
-\fBlist authenticated_users \(aqallow tcp port 53\(aq\fP Allow DNS
+Grant access to https web sites, subject to the operating system\(aqs firewall rules
+.INDENT 0.0
+.INDENT 3.5
+\fBlist authenticated_users \(aqpassthrough tcp port 443\(aq\fP
+.UNINDENT
+.UNINDENT
 .sp
-\fBlist authenticated_users \(aqallow udp port 53\(aq\fP Allow DNS
+Grant access to http web sites, overriding the operating system firewall rules.
+.INDENT 0.0
+.INDENT 3.5
+\fBlist authenticated_users \(aqallow tcp port 80\(aq\fP
+.UNINDENT
+.UNINDENT
 .sp
-\fBlist authenticated_users \(aqallow tcp port 80\(aq\fP Allow standard http web sites
-.sp
-\fBlist authenticated_users \(aqallow tcp port 443\(aq\fP Allow standard https web sites
-.SS Access For Preauthenticated Users:
+Grant access to udp services at address 123.1.1.1, on port 5000, overriding the operating system firewall rules.
+.INDENT 0.0
+.INDENT 3.5
+\fBlist authenticated_users \(aqallow udp port 5000 to 123.1.1.1\(aq\fP
+.UNINDENT
+.UNINDENT
+.SS Access Control For Preauthenticated Users:
 .sp
 \fBIMPORTANT\fP
 .INDENT 0.0
--- a/linux_openwrt/opennds/files/etc/config/opennds
+++ b/linux_openwrt/opennds/files/etc/config/opennds
@@ -593,22 +593,49 @@ config opennds
 	#option preauth '/path/to/myscript/myscript.sh'
 	###########################################################################################

-	# Your router may have several interfaces, and you
-	# probably want to keep them private from the gatewayinterface.
-	# If so, you should block the entire subnets on those interfaces, e.g.:
-	#list authenticated_users 'block to 192.168.0.0/16'
-	#list authenticated_users 'block to 10.0.0.0/8'
+	# Block Access For Authenticated Users (block):
+	# Default: None
+	#
+	# If Block Access is specified, an allow or passthrough must be specified afterwards
+	#	as any entries set here will override the access default
+	#
+	# Examples:
+	#
+	# You might want to block entire IP subnets. e.g.:
+	#list authenticated_users 'block to 123.2.3.0/24'
+	#list authenticated_users 'block to 123.2.0.0/16'
+	#list authenticated_users 'block to 123.0.0.0/8'
+	#
+	# or block access to a single IP address. e.g.:
+	#
+	#list authenticated_users 'block to 123.2.3.4'
+	#
+	# Do not forget to add an allow or passthrough if the default only is assumed (see Grant Access)
+	#
 	###########################################################################################

-	# For authenticated users:
-	# Typical ports you will probably want to open up.
-	#list authenticated_users 'allow tcp port 22'
-	#list authenticated_users 'allow tcp port 53'
-	#list authenticated_users 'allow udp port 53'
+	# Grant Access For Authenticated Users (allow and passthrough):
+	#
+	# Access can be allowed by openNDS directly, overriding the operating system firewall rules
+	# or Access can be allowed by openNDS but the final decision can be passed on to the operating system firewall.
+	#
+	# Default: list authenticated_users 'passthrough all'
+	#
+	# Any entries set here, or above in Block Access, will override the default
+	#
+	# Example: Grant access overriding operating system firewall
+	#list authenticated_users 'allow all'
+	#
+	# Example: 
+	# Grant access to https web sites, subject to the operating system firewall rules
+	#list authenticated_users 'passthrough tcp port 443'
+	#
+	# Grant access to http web sites, overriding the operating system firewall rules.
 	#list authenticated_users 'allow tcp port 80'
-	#list authenticated_users 'allow tcp port 443'
-	# Or for happy customers allow all
-	list authenticated_users 'allow all'
+	#
+	# Grant access to udp services at address 123.1.1.1, on port 5000, overriding the operating system firewall rules.
+	#list authenticated_users 'allow udp port 5000 to 123.1.1.1'
+	#
 	###########################################################################################

 	# For preauthenticated users:
--- a/notes/release_todos
+++ b/notes/release_todos
@@ -15,8 +15,8 @@ When ready to do a release, do the following:
 13. Github - Create Pull Request and Merge to master
 14. Github proceed to "Draft New Release"
 15. Github tag release as eg. v9.2.0 (remembering the leading "v"")
-	(or use git tag -a v9.2.0 -m "opennds release 9.2.0 " and git push --tags.)
+	(or use git tag -a v9.2.0 -m "opennds release 9.3.0 " and git push --tags.)
 16. In your local repository, make a new branch called "stable"
 17. Push branch "stable" to origin, overwriting the existing "stable".
 	Note:Branch stable is the source for the readthedocs stable documentation at https://openndsdocs.readthedocs.io/en/stable/
-18. In Master, set version to eg -beta eg 9.2.1-beta in conf.h, conf.py, openwrt/Makefile
+18. In Master, set version to eg -beta eg 9.3.1-beta in conf.h, conf.py, openwrt/Makefile
--- a/src/conf.c
+++ b/src/conf.c
@@ -381,7 +381,7 @@ add_ruleset(const char rulesetname[])
 		return ruleset;
 	}

-	debug(LOG_DEBUG, "add_ruleset(): Creating FirewallRuleSet %s.", rulesetname);
+	debug(LOG_DEBUG, "add_ruleset(): Creating FirewallRuleSet %s ruleset [%s].", rulesetname, ruleset);

 	// Create and place at head of config.rulesets
 	ruleset = safe_malloc(sizeof(t_firewall_ruleset));