2 * firewall3 - 3rd OpenWrt UCI firewall implementation
4 * Copyright (C) 2013 Jo-Philipp Wich <jow@openwrt.org>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 put_value(void *ptr, void *val, int elem_size, bool is_list)
30 copy = malloc(elem_size);
35 memcpy(copy, val, elem_size);
36 list_add_tail((struct list_head *)copy, (struct list_head *)ptr);
40 memcpy(ptr, val, elem_size);
45 parse_enum(void *ptr, const char *val, const char **values, int min, int max)
47 int i, l = strlen(val);
51 for (i = 0; i <= (max - min); i++)
53 if (!strncasecmp(val, values[i], l))
55 *((int *)ptr) = min + i;
65 const char *fw3_flag_names[__FW3_FLAG_MAX] = {
86 static const char *limit_units[] = {
93 static const char *ipset_methods[] = {
99 static const char *ipset_types[] = {
107 static const char *weekdays[] = {
117 static const char *include_types[] = {
122 static const char *reflection_sources[] = {
129 fw3_parse_bool(void *ptr, const char *val, bool is_list)
131 if (!strcmp(val, "true") || !strcmp(val, "yes") || !strcmp(val, "1"))
132 *((bool *)ptr) = true;
134 *((bool *)ptr) = false;
140 fw3_parse_int(void *ptr, const char *val, bool is_list)
142 int n = strtol(val, NULL, 10);
144 if (errno == ERANGE || errno == EINVAL)
153 fw3_parse_string(void *ptr, const char *val, bool is_list)
155 *((char **)ptr) = (char *)val;
160 fw3_parse_target(void *ptr, const char *val, bool is_list)
162 return parse_enum(ptr, val, &fw3_flag_names[FW3_FLAG_ACCEPT],
163 FW3_FLAG_ACCEPT, FW3_FLAG_SNAT);
167 fw3_parse_limit(void *ptr, const char *val, bool is_list)
169 struct fw3_limit *limit = ptr;
170 enum fw3_limit_unit u = FW3_LIMIT_UNIT_SECOND;
176 limit->invert = true;
177 while (isspace(*++val));
180 n = strtol(val, &e, 10);
182 if (errno == ERANGE || errno == EINVAL)
185 if (*e && *e++ != '/')
191 if (!parse_enum(&u, e, limit_units, 0, FW3_LIMIT_UNIT_DAY))
201 fw3_parse_device(void *ptr, const char *val, bool is_list)
203 struct fw3_device dev = { };
209 put_value(ptr, &dev, sizeof(dev), is_list);
216 while (isspace(*++val));
220 snprintf(dev.name, sizeof(dev.name), "%s", val);
225 put_value(ptr, &dev, sizeof(dev), is_list);
230 fw3_parse_address(void *ptr, const char *val, bool is_list)
232 struct fw3_address addr = { };
241 while (isspace(*++val));
249 if ((p = strchr(s, '/')) != NULL)
252 m = strtoul(p, &e, 10);
254 if ((e == p) || (*e != 0))
256 if (strchr(s, ':') || !inet_pton(AF_INET, p, &v4))
262 for (i = 0, m = 32; !(v4.s_addr & 1) && (i < 32); i++)
269 else if ((p = strchr(s, '-')) != NULL)
273 if (inet_pton(AF_INET6, p, &v6))
275 addr.family = FW3_FAMILY_V6;
276 addr.address2.v6 = v6;
279 else if (inet_pton(AF_INET, p, &v4))
281 addr.family = FW3_FAMILY_V4;
282 addr.address2.v4 = v4;
292 if (inet_pton(AF_INET6, s, &v6))
294 addr.family = FW3_FAMILY_V6;
295 addr.address.v6 = v6;
296 addr.mask = (m >= 0) ? m : 128;
298 else if (inet_pton(AF_INET, s, &v4))
300 addr.family = FW3_FAMILY_V4;
301 addr.address.v4 = v4;
302 addr.mask = (m >= 0) ? m : 32;
312 put_value(ptr, &addr, sizeof(addr), is_list);
317 fw3_parse_network(void *ptr, const char *val, bool is_list)
319 struct fw3_device dev = { };
320 struct fw3_address *addr;
321 struct list_head *addr_list;
323 if (!fw3_parse_address(ptr, val, is_list))
325 if (!fw3_parse_device(&dev, val, false))
328 addr_list = fw3_ubus_address(dev.name);
332 list_for_each_entry(addr, addr_list, list)
334 addr->invert = dev.invert;
336 if (!put_value(ptr, addr, sizeof(*addr), is_list))
340 fw3_ubus_address_free(addr_list);
348 fw3_parse_mac(void *ptr, const char *val, bool is_list)
350 struct fw3_mac addr = { };
351 struct ether_addr *mac;
356 while (isspace(*++val));
359 if ((mac = ether_aton(val)) != NULL)
364 put_value(ptr, &addr, sizeof(addr), is_list);
372 fw3_parse_port(void *ptr, const char *val, bool is_list)
374 struct fw3_port range = { };
382 while (isspace(*++val));
385 n = strtoul(val, &p, 10);
387 if (errno == ERANGE || errno == EINVAL)
390 if (*p && *p != '-' && *p != ':')
395 m = strtoul(++p, NULL, 10);
397 if (errno == ERANGE || errno == EINVAL || m < n)
410 put_value(ptr, &range, sizeof(range), is_list);
415 fw3_parse_family(void *ptr, const char *val, bool is_list)
417 if (!strcmp(val, "any"))
418 *((enum fw3_family *)ptr) = FW3_FAMILY_ANY;
419 else if (!strcmp(val, "inet") || strrchr(val, '4'))
420 *((enum fw3_family *)ptr) = FW3_FAMILY_V4;
421 else if (!strcmp(val, "inet6") || strrchr(val, '6'))
422 *((enum fw3_family *)ptr) = FW3_FAMILY_V6;
430 fw3_parse_icmptype(void *ptr, const char *val, bool is_list)
432 struct fw3_icmptype icmp = { };
438 for (i = 0; i < ARRAY_SIZE(fw3_icmptype_list_v4); i++)
440 if (!strcmp(val, fw3_icmptype_list_v4[i].name))
442 icmp.type = fw3_icmptype_list_v4[i].type;
443 icmp.code_min = fw3_icmptype_list_v4[i].code_min;
444 icmp.code_max = fw3_icmptype_list_v4[i].code_max;
451 for (i = 0; i < ARRAY_SIZE(fw3_icmptype_list_v6); i++)
453 if (!strcmp(val, fw3_icmptype_list_v6[i].name))
455 icmp.type6 = fw3_icmptype_list_v6[i].type;
456 icmp.code6_min = fw3_icmptype_list_v6[i].code_min;
457 icmp.code6_max = fw3_icmptype_list_v6[i].code_max;
466 i = strtoul(val, &p, 10);
468 if ((p == val) || (*p != '/' && *p != 0) || (i > 0xFF))
476 i = strtoul(val, &p, 10);
478 if ((p == val) || (*p != 0) || (i > 0xFF))
487 icmp.code_max = 0xFF;
490 icmp.type6 = icmp.type;
491 icmp.code6_min = icmp.code_max;
492 icmp.code6_max = icmp.code_max;
498 icmp.family = (v4 && v6) ? FW3_FAMILY_ANY
499 : (v6 ? FW3_FAMILY_V6 : FW3_FAMILY_V4);
501 put_value(ptr, &icmp, sizeof(icmp), is_list);
506 fw3_parse_protocol(void *ptr, const char *val, bool is_list)
508 struct fw3_protocol proto = { };
509 struct protoent *ent;
514 while (isspace(*++val));
517 if (!strcmp(val, "all"))
520 put_value(ptr, &proto, sizeof(proto), is_list);
523 else if (!strcmp(val, "icmpv6"))
527 else if (!strcmp(val, "tcpudp"))
530 if (put_value(ptr, &proto, sizeof(proto), is_list))
533 put_value(ptr, &proto, sizeof(proto), is_list);
539 ent = getprotobyname(val);
543 proto.protocol = ent->p_proto;
544 put_value(ptr, &proto, sizeof(proto), is_list);
548 proto.protocol = strtoul(val, NULL, 10);
550 if (errno == ERANGE || errno == EINVAL)
553 put_value(ptr, &proto, sizeof(proto), is_list);
558 fw3_parse_ipset_method(void *ptr, const char *val, bool is_list)
560 return parse_enum(ptr, val, ipset_methods,
561 FW3_IPSET_METHOD_BITMAP, FW3_IPSET_METHOD_LIST);
565 fw3_parse_ipset_datatype(void *ptr, const char *val, bool is_list)
567 struct fw3_ipset_datatype *type = ptr;
569 if (!strncmp(val, "dest_", 5))
574 else if (!strncmp(val, "dst_", 4))
579 else if (!strncmp(val, "src_", 4))
585 return parse_enum(&type->type, val, ipset_types,
586 FW3_IPSET_TYPE_IP, FW3_IPSET_TYPE_SET);
590 fw3_parse_date(void *ptr, const char *val, bool is_list)
592 unsigned int year = 1970, mon = 1, day = 1, hour = 0, min = 0, sec = 0;
593 struct tm tm = { 0 };
596 year = strtoul(val, &p, 10);
597 if ((*p != '-' && *p) || year < 1970 || year > 2038)
602 mon = strtoul(++p, &p, 10);
603 if ((*p != '-' && *p) || mon > 12)
608 day = strtoul(++p, &p, 10);
609 if ((*p != 'T' && *p) || day > 31)
614 hour = strtoul(++p, &p, 10);
615 if ((*p != ':' && *p) || hour > 23)
620 min = strtoul(++p, &p, 10);
621 if ((*p != ':' && *p) || min > 59)
626 sec = strtoul(++p, &p, 10);
631 tm.tm_year = year - 1900;
638 if (mktime(&tm) >= 0)
640 *((struct tm *)ptr) = tm;
649 fw3_parse_time(void *ptr, const char *val, bool is_list)
651 unsigned int hour = 0, min = 0, sec = 0;
654 hour = strtoul(val, &p, 10);
655 if (*p != ':' || hour > 23)
658 min = strtoul(++p, &p, 10);
659 if ((*p != ':' && *p) || min > 59)
664 sec = strtoul(++p, &p, 10);
669 *((int *)ptr) = 60 * 60 * hour + 60 * min + sec;
677 fw3_parse_weekdays(void *ptr, const char *val, bool is_list)
684 setbit(*(uint8_t *)ptr, 0);
685 while (isspace(*++val));
688 if (!(s = strdup(val)))
691 for (p = strtok(s, " \t"); p; p = strtok(NULL, " \t"))
693 if (!parse_enum(&w, p, weekdays, 1, 7))
695 w = strtoul(p, &p, 10);
697 if (*p || w < 1 || w > 7)
704 setbit(*(uint8_t *)ptr, w);
712 fw3_parse_monthdays(void *ptr, const char *val, bool is_list)
719 setbit(*(uint32_t *)ptr, 0);
720 while (isspace(*++val));
723 if (!(s = strdup(val)))
726 for (p = strtok(s, " \t"); p; p = strtok(NULL, " \t"))
728 d = strtoul(p, &p, 10);
730 if (*p || d < 1 || d > 31)
736 setbit(*(uint32_t *)ptr, d);
744 fw3_parse_include_type(void *ptr, const char *val, bool is_list)
746 return parse_enum(ptr, val, include_types,
747 FW3_INC_TYPE_SCRIPT, FW3_INC_TYPE_RESTORE);
751 fw3_parse_reflection_source(void *ptr, const char *val, bool is_list)
753 return parse_enum(ptr, val, reflection_sources,
754 FW3_REFLECTION_INTERNAL, FW3_REFLECTION_EXTERNAL);
759 fw3_parse_options(void *s, const struct fw3_option *opts,
760 struct uci_section *section)
764 struct uci_element *e, *l;
765 struct uci_option *o;
766 const struct fw3_option *opt;
767 struct list_head *dest;
769 uci_foreach_element(§ion->options, e)
771 o = uci_to_option(e);
774 for (opt = opts; opt->name; opt++)
779 if (strcmp(opt->name, e->name))
782 if (o->type == UCI_TYPE_LIST)
786 warn_elem(e, "must not be a list");
790 dest = (struct list_head *)((char *)s + opt->offset);
792 uci_foreach_element(&o->v.list, l)
797 if (!opt->parse(dest, l->name, true))
799 warn_elem(e, "has invalid value '%s'", l->name);
814 if (!opt->parse((char *)s + opt->offset, o->v.string, false))
815 warn_elem(e, "has invalid value '%s'", o->v.string);
819 dest = (struct list_head *)((char *)s + opt->offset);
821 for (p = strtok(v, " \t"); p != NULL; p = strtok(NULL, " \t"))
823 if (!opt->parse(dest, p, true))
825 warn_elem(e, "has invalid value '%s'", p);
837 warn_elem(e, "is unknown");
843 fw3_format_in_out(struct fw3_device *in, struct fw3_device *out)
846 fw3_pr(" %s-i %s", in->invert ? "! " : "", in->name);
848 if (out && !out->any)
849 fw3_pr(" %s-o %s", out->invert ? "! " : "", out->name);
853 fw3_format_src_dest(struct fw3_address *src, struct fw3_address *dest)
855 char s[INET6_ADDRSTRLEN];
857 if ((src && src->range) || (dest && dest->range))
858 fw3_pr(" -m iprange");
864 inet_ntop(src->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
865 &src->address.v4, s, sizeof(s));
867 fw3_pr(" %s--src-range %s", src->invert ? "! " : "", s);
869 inet_ntop(src->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
870 &src->address2.v4, s, sizeof(s));
876 inet_ntop(src->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
877 &src->address.v4, s, sizeof(s));
879 fw3_pr(" %s-s %s/%u", src->invert ? "! " : "", s, src->mask);
883 if (dest && dest->set)
887 inet_ntop(dest->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
888 &dest->address.v4, s, sizeof(s));
890 fw3_pr(" %s--dst-range %s", dest->invert ? "! " : "", s);
892 inet_ntop(dest->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
893 &dest->address2.v4, s, sizeof(s));
899 inet_ntop(dest->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
900 &dest->address.v4, s, sizeof(s));
902 fw3_pr(" %s-d %s/%u", dest->invert ? "! " : "", s, dest->mask);
908 fw3_format_sport_dport(struct fw3_port *sp, struct fw3_port *dp)
912 if (sp->port_min == sp->port_max)
913 fw3_pr(" %s--sport %u", sp->invert ? "! " : "", sp->port_min);
915 fw3_pr(" %s--sport %u:%u",
916 sp->invert ? "! " : "", sp->port_min, sp->port_max);
921 if (dp->port_min == dp->port_max)
922 fw3_pr(" %s--dport %u", dp->invert ? "! " : "", dp->port_min);
924 fw3_pr(" %s--dport %u:%u",
925 dp->invert ? "! " : "", dp->port_min, dp->port_max);
930 fw3_format_mac(struct fw3_mac *mac)
935 fw3_pr(" -m mac %s--mac-source %s",
936 mac->invert ? "! " : "", ether_ntoa(&mac->mac));
940 fw3_format_protocol(struct fw3_protocol *proto, enum fw3_family family)
947 pr = proto->protocol;
949 if (pr == 1 && family == FW3_FAMILY_V6)
955 fw3_pr(" %s-p %u", proto->invert ? "! " : "", pr);
959 fw3_format_icmptype(struct fw3_icmptype *icmp, enum fw3_family family)
964 if (family != FW3_FAMILY_V6)
966 if (icmp->code_min == 0 && icmp->code_max == 0xFF)
967 fw3_pr(" %s--icmp-type %u", icmp->invert ? "! " : "", icmp->type);
969 fw3_pr(" %s--icmp-type %u/%u",
970 icmp->invert ? "! " : "", icmp->type, icmp->code_min);
974 if (icmp->code6_min == 0 && icmp->code6_max == 0xFF)
975 fw3_pr(" %s--icmpv6-type %u", icmp->invert ? "! " : "", icmp->type6);
977 fw3_pr(" %s--icmpv6-type %u/%u",
978 icmp->invert ? "! " : "", icmp->type6, icmp->code6_min);
983 fw3_format_limit(struct fw3_limit *limit)
990 fw3_pr(" -m limit %s--limit %u/%s",
991 limit->invert ? "! " : "",
992 limit->rate, limit_units[limit->unit]);
994 if (limit->burst > 0)
995 fw3_pr(" --limit-burst %u", limit->burst);
1000 fw3_format_ipset(struct fw3_ipset *ipset, bool invert)
1003 const char *name = NULL;
1004 struct fw3_ipset_datatype *type;
1009 if (ipset->external && *ipset->external)
1010 name = ipset->external;
1014 fw3_pr(" -m set %s--match-set %s", invert ? "! " : "", name);
1016 list_for_each_entry(type, &ipset->datatypes, list)
1018 fw3_pr("%c%s", first ? ' ' : ',', type->dest ? "dst" : "src");
1024 fw3_format_time(struct fw3_time *time)
1027 struct tm empty = { 0 };
1028 char buf[sizeof("9999-99-99T23:59:59\0")];
1029 bool d1 = memcmp(&time->datestart, &empty, sizeof(empty));
1030 bool d2 = memcmp(&time->datestop, &empty, sizeof(empty));
1033 if (!d1 && !d2 && !time->timestart && !time->timestop &&
1034 !(time->monthdays & 0xFFFFFFFE) && !(time->weekdays & 0xFE))
1046 strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%S", &time->datestart);
1047 fw3_pr(" --datestart %s", buf);
1052 strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%S", &time->datestop);
1053 fw3_pr(" --datestop %s", buf);
1056 if (time->timestart)
1058 fw3_pr(" --timestart %02d:%02d:%02d",
1059 time->timestart / 3600,
1060 time->timestart % 3600 / 60,
1061 time->timestart % 60);
1066 fw3_pr(" --timestop %02d:%02d:%02d",
1067 time->timestop / 3600,
1068 time->timestop % 3600 / 60,
1069 time->timestop % 60);
1072 if (time->monthdays & 0xFFFFFFFE)
1074 fw3_pr(" %s--monthdays", hasbit(time->monthdays, 0) ? "! " : "");
1076 for (i = 1, first = true; i < 32; i++)
1078 if (hasbit(time->monthdays, i))
1080 fw3_pr("%c%u", first ? ' ' : ',', i);
1086 if (time->weekdays & 0xFE)
1088 fw3_pr(" %s--weekdays", hasbit(time->weekdays, 0) ? "! " : "");
1090 for (i = 1, first = true; i < 8; i++)
1092 if (hasbit(time->weekdays, i))
1094 fw3_pr("%c%u", first ? ' ' : ',', i);
1102 __fw3_format_comment(const char *comment, ...)
1108 if (!comment || !*comment)
1111 fw3_pr(" -m comment --comment \"");
1115 va_start(ap, comment);
1141 c = va_arg(ap, const char *);
1151 fw3_format_extra(const char *extra)
1153 if (!extra || !*extra)
1156 fw3_pr(" %s", extra);
projects / project / firewall3.git / blob