2 * firewall3 - 3rd OpenWrt UCI firewall implementation
4 * Copyright (C) 2013 Jo-Philipp Wich <jow@openwrt.org>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
26 #include "redirects.h"
32 static bool print_rules = false;
33 static enum fw3_family use_family = FW3_FAMILY_ANY;
35 static const char *families[] = {
41 static const char *tables[] = {
49 static struct fw3_state *
52 struct fw3_state *state = NULL;
53 struct uci_package *p = NULL;
55 state = malloc(sizeof(*state));
58 error("Out of memory");
60 memset(state, 0, sizeof(*state));
61 state->uci = uci_alloc_context();
64 error("Out of memory");
66 if (uci_load(state->uci, "firewall", &p))
68 uci_perror(state->uci, NULL);
69 error("Failed to load /etc/config/firewall");
72 if (!fw3_find_command("ipset"))
74 warn("Unable to locate ipset utility, disabling ipset support");
75 state->disable_ipsets = true;
78 fw3_load_defaults(state, p);
79 fw3_load_ipsets(state, p);
80 fw3_load_zones(state, p);
81 fw3_load_rules(state, p);
82 fw3_load_redirects(state, p);
83 fw3_load_forwards(state, p);
89 free_state(struct fw3_state *state)
91 struct list_head *cur, *tmp;
93 list_for_each_safe(cur, tmp, &state->zones)
94 fw3_free_zone((struct fw3_zone *)cur);
96 list_for_each_safe(cur, tmp, &state->rules)
97 fw3_free_rule((struct fw3_rule *)cur);
99 list_for_each_safe(cur, tmp, &state->redirects)
100 fw3_free_redirect((struct fw3_redirect *)cur);
102 list_for_each_safe(cur, tmp, &state->forwards)
103 fw3_free_forward((struct fw3_forward *)cur);
105 uci_free_context(state->uci);
109 fw3_ubus_disconnect();
114 restore_pipe(enum fw3_family family, bool silent)
116 const char *cmd[] = {
123 return fw3_stdout_pipe();
125 if (!fw3_command_pipe(silent, cmd[family], "--lenient", "--noflush"))
127 warn("Unable to execute %s", cmd[family]);
135 family_running(struct list_head *statefile, enum fw3_family family)
137 struct fw3_statefile_entry *e;
141 list_for_each_entry(e, statefile, list)
143 if (e->type != FW3_TYPE_DEFAULTS)
146 return hasbit(e->flags[0], family);
154 family_used(enum fw3_family family)
156 return (use_family == FW3_FAMILY_ANY) || (use_family == family);
160 family_loaded(struct fw3_state *state, enum fw3_family family)
162 return hasbit(state->defaults.flags, family);
166 family_set(struct fw3_state *state, enum fw3_family family, bool set)
169 setbit(state->defaults.flags, family);
171 delbit(state->defaults.flags, family);
175 stop(struct fw3_state *state, bool complete, bool restart)
178 enum fw3_family family;
179 enum fw3_table table;
181 struct list_head *statefile = fw3_read_statefile();
183 if (!complete && !statefile)
186 warn("The firewall appears to be stopped. "
187 "Use the 'flush' command to forcefully purge all rules.");
192 for (family = FW3_FAMILY_V4; family <= FW3_FAMILY_V6; family++)
194 if (!complete && !family_running(statefile, family))
197 if (!family_used(family) || !restore_pipe(family, true))
200 info("Removing %s rules ...", families[family]);
202 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
204 if (!fw3_has_table(family == FW3_FAMILY_V6, tables[table]))
207 info(" * %sing %s table",
208 complete ? "Flush" : "Clear", tables[table]);
210 fw3_pr("*%s\n", tables[table]);
214 fw3_flush_all(table);
219 fw3_flush_rules(table, family, false, statefile);
220 fw3_flush_zones(table, family, false, statefile);
223 fw3_flush_rules(table, family, true, statefile);
224 fw3_flush_zones(table, family, true, statefile);
233 family_set(state, family, false);
239 !family_loaded(state, FW3_FAMILY_V4) &&
240 !family_loaded(state, FW3_FAMILY_V6) &&
241 fw3_command_pipe(false, "ipset", "-exist", "-"))
243 fw3_destroy_ipsets(statefile);
247 fw3_free_statefile(statefile);
250 fw3_write_statefile(state);
256 start(struct fw3_state *state, bool restart)
259 enum fw3_family family;
260 enum fw3_table table;
262 struct list_head *statefile = fw3_read_statefile();
264 if (!print_rules && !restart &&
265 fw3_command_pipe(false, "ipset", "-exist", "-"))
267 fw3_create_ipsets(state);
271 for (family = FW3_FAMILY_V4; family <= FW3_FAMILY_V6; family++)
273 if (!family_used(family))
276 if (!family_loaded(state, family) || !restore_pipe(family, false))
279 if (!restart && family_running(statefile, family))
281 warn("The %s firewall appears to be started already. "
282 "If it is indeed empty, remove the %s file and retry.",
283 families[family], FW3_STATEFILE);
288 info("Constructing %s rules ...", families[family]);
290 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
292 if (!fw3_has_table(family == FW3_FAMILY_V6, tables[table]))
295 info(" * Populating %s table", tables[table]);
297 fw3_pr("*%s\n", tables[table]);
298 fw3_print_default_chains(table, family, state);
299 fw3_print_zone_chains(table, family, state);
300 fw3_print_default_head_rules(table, family, state);
301 fw3_print_rules(table, family, state);
302 fw3_print_redirects(table, family, state);
303 fw3_print_forwards(table, family, state);
304 fw3_print_zone_rules(table, family, state);
305 fw3_print_default_tail_rules(table, family, state);
310 family_set(state, family, true);
315 fw3_free_statefile(statefile);
318 fw3_write_statefile(state);
324 lookup_network(struct fw3_state *state, const char *net)
327 struct fw3_device *d;
329 list_for_each_entry(z, &state->zones, list)
331 list_for_each_entry(d, &z->networks, list)
333 if (!strcmp(d->name, net))
335 printf("%s\n", z->name);
345 lookup_device(struct fw3_state *state, const char *dev)
348 struct fw3_device *d;
350 list_for_each_entry(z, &state->zones, list)
352 list_for_each_entry(d, &z->devices, list)
354 if (!strcmp(d->name, dev))
356 printf("%s\n", z->name);
368 fprintf(stderr, "fw3 [-4] [-6] [-q] {start|stop|flush|restart|print}\n");
369 fprintf(stderr, "fw3 [-q] network {net}\n");
370 fprintf(stderr, "fw3 [-q] device {dev}\n");
376 int main(int argc, char **argv)
379 struct fw3_state *state = NULL;
380 struct fw3_defaults *defs = NULL;
382 while ((ch = getopt(argc, argv, "46qh")) != -1)
387 use_family = FW3_FAMILY_V4;
391 use_family = FW3_FAMILY_V6;
395 freopen("/dev/null", "w", stderr);
404 if (!fw3_ubus_connect())
405 error("Failed to connect to ubus");
407 state = build_state();
408 defs = &state->defaults;
419 if (use_family == FW3_FAMILY_V6 && defs->disable_ipv6)
420 warn("IPv6 rules globally disabled in configuration");
422 if (!strcmp(argv[optind], "print"))
424 freopen("/dev/null", "w", stderr);
426 state->disable_ipsets = true;
429 rv = start(state, false);
431 else if (!strcmp(argv[optind], "start"))
433 rv = start(state, false);
435 else if (!strcmp(argv[optind], "stop"))
437 rv = stop(state, false, false);
439 else if (!strcmp(argv[optind], "flush"))
441 rv = stop(state, true, false);
443 else if (!strcmp(argv[optind], "restart"))
445 rv = stop(state, false, true);
446 rv = start(state, !rv);
448 else if (!strcmp(argv[optind], "network") && (optind + 1) < argc)
450 rv = lookup_network(state, argv[optind + 1]);
452 else if (!strcmp(argv[optind], "device") && (optind + 1) < argc)
454 rv = lookup_device(state, argv[optind + 1]);
projects / project / firewall3.git / blob