Why fw3, not fw5, or fwx/y/z?

Dummmm question. But thanks for your attention 8^)

It is called firewall3 because it is the 3rd implementation of the UCI firewall package processing the /etc/config/firewall configuration.

The first iteration was simply called uci firewall - it was introduced by @blogic in 2008 as a pure shell script based solution and replaced an even older implementation reading a line-based configuration using a mixture of shell and awk scripting. This first iteration supported IPv4 only.

The second iteration was a larger rewrite contributed by Malte S. Stretz as part of a diploma thesis. The rewrite introduced simultaneous IPv4 and IPv6 dual stack support by translating abstract UCI firewall rules to both iptables and ip6tables commands internally (unless the abstract rules happened to contain AF specific bits such as IPv4 or IPv6 IP addresses or certain matches which were only applicable to either address family). This rewrite was merged in 2010 and became the new OpenWrt default firewall. Despite the complexity of the dual stack logic, the implementation was done in shell scripting as well.

The third iteration - which is the one we use today - is a rewrite of the second iteration in C. It features better performance when processing complex rule sets and is able to interface with the kernel directly instead of funneling all rules through the iptables executable internally. It started as a 1:1 rewrite of the existing, shell-based dual stack firewall and gradually added more features since then. It was merged in 2013. Since firewall3 was meant to coexist with firewall(2) for some time, its internal CLI executables were suffixed with 3 to distinguish them from the existing ones. This naming schema was kept, even after the original shell-based firewall got dropped.

