Commit Graph

5 Commits

Author SHA1 Message Date
Red Bear OS 579a512545 filter: add unit tests + chain_summary method
5 new unit tests in filter::table::tests:
- drop_rule_actually_drops (R33 bug regression test)
- accept_rule_actually_accepts (R33 bug regression test)
- rule_matching_other_hook_does_not_apply (hook isolation)
- default_policy_applied_when_no_rules (fallback)
- reset_counters_clears_metrics_keeps_rules (R34 method coverage)

All 5 tests pass — proves the critical verdict bug from R33
is fixed and reset_counters from R34 works correctly.

Also adds FilterTable::chain_summary() returning:
  'input: pkts=12 bytes=5678 policy=ACCEPT' (per-chain line)
for use by future netcfg summary extension.
2026-07-08 19:47:47 +03:00
Red Bear OS ecc0ef33de netfilter: add counters/reset path — preserves rules
Previously '/reset' replaced the entire FilterTable (destructive).
Added '/counters/reset' that clears:
- chain_counters (per-chain packets/bytes)
- rule.match_count (per-rule match counts)
WITHOUT removing rules or resetting policies.

FilterTable gains reset_counters() method.

Usage:
  echo > /scheme/netfilter/reset           # wipe everything
  echo > /scheme/netfilter/counters/reset  # clear metrics only

Mirrors Linux 'iptables -Z' (zero counters) vs full flush.
2026-07-08 19:41:05 +03:00
Red Bear OS 48cb44cb3e filter: critical bug fix — evaluate() was ignoring all rule verdicts!
FilterTable::evaluate() set final_verdict for matched rules but never
returned it — always returned the chain's default_policy instead.
This meant every firewall rule (ACCEPT/DROP/REJECT/LOG) was being
evaluated (correctly) but its verdict was DISCARDED.

Symptoms:
- 'DROP' rules had no effect — packets flowed through
- 'ACCEPT' rules had no effect — packets flowed through
- Only default_policy was ever applied

Fix: return final_verdict.unwrap_or(default_policy).

Now 'iptables-style' rules actually take effect:
- DROP rules block traffic
- ACCEPT rules allow traffic (before default)
- REJECT rules send ICMP unreachable
- LOG rules log and continue

This bug was introduced when the filter evaluation logic was
refactored and the return statement was left pointing at the
default policy instead of the verdict from the rule loop.

Confirmed via cargo build; warning 'value assigned to final_verdict
is never read' is now gone.
2026-07-08 19:36:50 +03:00
Red Bear OS 93f026f292 conntrack: ICMP echo rate limiting (ping flood protection)
Conntrack now rate-limits ICMP/ICMPv6 echo requests per source:
- is_echo_request() detects Type 8 (ICMPv4) / Type 128 (ICMPv6)
- check_icmp_limit() enforces 20 echoes/sec per source IP
- Over-limit returns ConnState::OverLimit, increments over_limit_count

Mirrors existing SYN flood protection (100 SYN/sec per source).
Smaller threshold (20/sec) because ICMP is cheaper to generate.

Reuses same rate_limits map — TCP SYNs and ICMP echoes share the
budget. Side effect: 100 SYN + 20 echo = 120 packets/sec from one
source before any trigger, which is reasonable.
2026-07-08 19:25:07 +03:00
Red Bear OS bb3e36e4e0 restore: networking stack files from reflog (Phases 1-6)
Recovered from reflog commits 1c80937e and d0ecc067 after force-push data loss.
Includes: filter/, icmp_error.rs, slaac.rs, bond.rs, bridge.rs, gre.rs, ipip.rs,
qdisc.rs, tun.rs, vlan.rs, vxlan.rs, netfilter.rs, tun.rs, conntrack.rs, nat.rs,
rule.rs, table.rs, redbear-ufw/, dhcpv6d/, netdiag/ — 39 files total.
2026-07-08 13:27:49 +03:00