2 * firewall3 - 3rd OpenWrt UCI firewall implementation
4 * Copyright (C) 2013-2014 Jo-Philipp Wich <jo@mein.io>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
26 #include "redirects.h"
36 static enum fw3_family print_family = FW3_FAMILY_ANY;
38 static struct fw3_state *run_state = NULL;
39 static struct fw3_state *cfg_state = NULL;
43 build_state(bool runtime)
45 struct fw3_state *state = NULL;
46 struct uci_package *p = NULL;
49 state = calloc(1, sizeof(*state));
51 error("Out of memory");
53 state->uci = uci_alloc_context();
56 error("Out of memory");
60 sf = fopen(FW3_STATEFILE, "r");
64 uci_import(state->uci, sf, "fw3_state", &p, true);
70 uci_free_context(state->uci);
76 state->statefile = true;
82 if (!fw3_ubus_connect())
83 warn("Failed to connect to ubus");
85 if (uci_load(state->uci, "firewall", &p))
87 uci_perror(state->uci, NULL);
88 error("Failed to load /etc/config/firewall");
91 if (!fw3_find_command("ipset"))
93 warn("Unable to locate ipset utility, disabling ipset support");
94 state->disable_ipsets = true;
101 struct blob_buf b = {NULL, NULL, 0, NULL};
104 fw3_load_defaults(state, p);
105 fw3_load_cthelpers(state, p);
106 fw3_load_ipsets(state, p, b.head);
107 fw3_load_zones(state, p);
108 fw3_load_rules(state, p, b.head);
109 fw3_load_redirects(state, p, b.head);
110 fw3_load_snats(state, p, b.head);
111 fw3_load_forwards(state, p, b.head);
112 fw3_load_includes(state, p, b.head);
118 free_state(struct fw3_state *state)
120 struct list_head *cur, *tmp;
122 list_for_each_safe(cur, tmp, &state->zones)
123 fw3_free_zone((struct fw3_zone *)cur);
125 list_for_each_safe(cur, tmp, &state->rules)
126 fw3_free_rule((struct fw3_rule *)cur);
128 list_for_each_safe(cur, tmp, &state->redirects)
129 fw3_free_redirect((struct fw3_redirect *)cur);
131 list_for_each_safe(cur, tmp, &state->snats)
132 fw3_free_snat((struct fw3_snat *)cur);
134 list_for_each_safe(cur, tmp, &state->forwards)
135 fw3_free_forward((struct fw3_forward *)cur);
137 list_for_each_safe(cur, tmp, &state->ipsets)
138 fw3_free_ipset((struct fw3_ipset *)cur);
140 list_for_each_safe(cur, tmp, &state->includes)
141 fw3_free_include((struct fw3_include *)cur);
143 list_for_each_safe(cur, tmp, &state->cthelpers)
144 fw3_free_cthelper((struct fw3_cthelper *)cur);
146 uci_free_context(state->uci);
150 fw3_ubus_disconnect();
155 family_running(enum fw3_family family)
157 return (run_state && has(run_state->defaults.flags, family, family));
161 family_set(struct fw3_state *state, enum fw3_family family, bool set)
167 set(state->defaults.flags, family, family);
169 del(state->defaults.flags, family, family);
176 enum fw3_family family;
177 enum fw3_table table;
178 struct fw3_ipt_handle *handle;
180 if (!complete && !run_state)
182 warn("The firewall appears to be stopped. "
183 "Use the 'flush' command to forcefully purge all rules.");
188 if (!print_family && run_state)
189 fw3_hotplug_zones(run_state, false);
191 for (family = FW3_FAMILY_V4; family <= FW3_FAMILY_V6; family++)
193 if (!complete && !family_running(family))
196 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
198 if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
201 if (!(handle = fw3_ipt_open(family, table)))
204 info(" * %sing %s %s table", complete ? "Flush" : "Clear",
205 fw3_flag_names[family], fw3_flag_names[table]);
209 fw3_flush_all(handle);
213 fw3_flush_rules(handle, run_state, false);
214 fw3_flush_zones(handle, run_state, false);
217 fw3_ipt_commit(handle);
218 fw3_ipt_close(handle);
221 family_set(run_state, family, false);
222 family_set(cfg_state, family, false);
228 fw3_destroy_ipsets(run_state);
231 fw3_flush_conntrack(NULL);
233 if (!rv && run_state)
234 fw3_write_statefile(run_state);
243 enum fw3_family family;
244 enum fw3_table table;
245 struct fw3_ipt_handle *handle;
248 fw3_create_ipsets(cfg_state);
250 for (family = FW3_FAMILY_V4; family <= FW3_FAMILY_V6; family++)
252 if (family == FW3_FAMILY_V6 && cfg_state->defaults.disable_ipv6)
255 if (print_family && family != print_family)
258 if (!print_family && family_running(family))
260 warn("The %s firewall appears to be started already. "
261 "If it is indeed empty, remove the %s file and retry.",
262 fw3_flag_names[family], FW3_STATEFILE);
267 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
269 if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
272 if (!(handle = fw3_ipt_open(family, table)))
275 info(" * Populating %s %s table",
276 fw3_flag_names[family], fw3_flag_names[table]);
278 fw3_print_default_chains(handle, cfg_state, false);
279 fw3_print_zone_chains(handle, cfg_state, false);
280 fw3_print_default_head_rules(handle, cfg_state, false);
281 fw3_print_rules(handle, cfg_state);
282 fw3_print_redirects(handle, cfg_state);
283 fw3_print_snats(handle, cfg_state);
284 fw3_print_forwards(handle, cfg_state);
285 fw3_print_zone_rules(handle, cfg_state, false);
286 fw3_print_default_tail_rules(handle, cfg_state, false);
289 fw3_ipt_commit(handle);
291 fw3_ipt_close(handle);
295 fw3_print_includes(cfg_state, family, false);
297 family_set(run_state, family, true);
298 family_set(cfg_state, family, true);
305 fw3_flush_conntrack(run_state);
306 fw3_set_defaults(cfg_state);
310 fw3_run_includes(cfg_state, false);
311 fw3_hotplug_zones(cfg_state, true);
312 fw3_write_statefile(cfg_state);
324 enum fw3_family family;
325 enum fw3_table table;
326 struct fw3_ipt_handle *handle;
331 fw3_hotplug_zones(run_state, false);
333 for (family = FW3_FAMILY_V4; family <= FW3_FAMILY_V6; family++)
335 if (!family_running(family))
338 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
340 if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
343 if (!(handle = fw3_ipt_open(family, table)))
346 info(" * Clearing %s %s table",
347 fw3_flag_names[family], fw3_flag_names[table]);
349 fw3_flush_rules(handle, run_state, true);
350 fw3_flush_zones(handle, run_state, true);
351 fw3_ipt_commit(handle);
352 fw3_ipt_close(handle);
355 family_set(run_state, family, false);
356 family_set(cfg_state, family, false);
359 if (family == FW3_FAMILY_V6 && cfg_state->defaults.disable_ipv6)
362 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
364 if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
367 if (!(handle = fw3_ipt_open(family, table)))
370 info(" * Populating %s %s table",
371 fw3_flag_names[family], fw3_flag_names[table]);
373 fw3_print_default_chains(handle, cfg_state, true);
374 fw3_print_zone_chains(handle, cfg_state, true);
375 fw3_print_default_head_rules(handle, cfg_state, true);
376 fw3_print_rules(handle, cfg_state);
377 fw3_print_redirects(handle, cfg_state);
378 fw3_print_snats(handle, cfg_state);
379 fw3_print_forwards(handle, cfg_state);
380 fw3_print_zone_rules(handle, cfg_state, true);
381 fw3_print_default_tail_rules(handle, cfg_state, true);
383 fw3_ipt_commit(handle);
384 fw3_ipt_close(handle);
387 fw3_print_includes(cfg_state, family, true);
389 family_set(run_state, family, true);
390 family_set(cfg_state, family, true);
397 fw3_flush_conntrack(run_state);
399 fw3_set_defaults(cfg_state);
400 fw3_run_includes(cfg_state, true);
401 fw3_hotplug_zones(cfg_state, true);
402 fw3_write_statefile(cfg_state);
411 enum fw3_family family;
412 enum fw3_table table;
413 struct fw3_ipt_handle *handle;
415 for (family = FW3_FAMILY_V4; family <= FW3_FAMILY_V6; family++)
417 if (family == FW3_FAMILY_V6 && cfg_state->defaults.disable_ipv6)
420 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
422 if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
425 if (!(handle = fw3_ipt_open(family, table)))
429 fw3_ipt_commit(handle);
430 fw3_ipt_close(handle);
438 lookup_network(const char *net)
441 struct fw3_device *d;
443 list_for_each_entry(z, &cfg_state->zones, list)
445 list_for_each_entry(d, &z->networks, list)
447 if (!strcmp(d->name, net))
449 printf("%s\n", z->name);
459 lookup_device(const char *dev)
462 struct fw3_device *d;
464 list_for_each_entry(z, &cfg_state->zones, list)
466 list_for_each_entry(d, &z->devices, list)
468 if (!strcmp(d->name, dev))
470 printf("%s\n", z->name);
480 lookup_zone(const char *zone, const char *device)
483 struct fw3_device *d;
485 list_for_each_entry(z, &cfg_state->zones, list)
487 if (strcmp(z->name, zone))
490 list_for_each_entry(d, &z->devices, list)
492 if (device && strcmp(device, d->name))
495 printf("%s\n", d->name);
511 fprintf(stderr, "fw3 [-4] [-6] [-q] print\n");
512 fprintf(stderr, "fw3 [-q] {start|stop|flush|reload|restart}\n");
513 fprintf(stderr, "fw3 [-q] network {net}\n");
514 fprintf(stderr, "fw3 [-q] device {dev}\n");
515 fprintf(stderr, "fw3 [-q] zone {zone} [dev]\n");
521 int main(int argc, char **argv)
524 enum fw3_family family = FW3_FAMILY_ANY;
525 struct fw3_defaults *defs = NULL;
527 while ((ch = getopt(argc, argv, "46dqh")) != -1)
532 family = FW3_FAMILY_V4;
536 family = FW3_FAMILY_V6;
544 if (freopen("/dev/null", "w", stderr)) {}
554 defs = &cfg_state->defaults;
562 if (!strcmp(argv[optind], "print"))
564 if (family == FW3_FAMILY_ANY)
566 family = FW3_FAMILY_V4;
568 else if (family == FW3_FAMILY_V6)
570 if (defs->disable_ipv6)
571 warn("IPv6 rules globally disabled in configuration");
574 warn("IPv6 support is not compiled in");
578 if (freopen("/dev/null", "w", stderr)) {};
580 cfg_state->disable_ipsets = true;
581 print_family = family;
591 else if (!strcmp(argv[optind], "start"))
600 else if (!strcmp(argv[optind], "stop"))
609 else if (!strcmp(argv[optind], "flush"))
618 else if (!strcmp(argv[optind], "restart"))
628 else if (!strcmp(argv[optind], "reload"))
637 else if (!strcmp(argv[optind], "gc"))
645 else if (!strcmp(argv[optind], "network") && (optind + 1) < argc)
647 rv = lookup_network(argv[optind + 1]);
649 else if (!strcmp(argv[optind], "device") && (optind + 1) < argc)
651 rv = lookup_device(argv[optind + 1]);
653 else if (!strcmp(argv[optind], "zone") && (optind + 1) < argc)
655 rv = lookup_zone(argv[optind + 1], argv[optind + 2]);
664 free_state(cfg_state);
667 free_state(run_state);
projects / project / firewall3.git / blob