2 * firewall3 - 3rd OpenWrt UCI firewall implementation
4 * Copyright (C) 2013 Jo-Philipp Wich <jow@openwrt.org>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 parse_enum(void *ptr, const char *val, const char **values, int min, int max)
25 int i, l = strlen(val);
29 for (i = 0; i <= (max - min); i++)
31 if (!strncasecmp(val, values[i], l))
33 *((int *)ptr) = min + i;
43 const char *fw3_flag_names[FW3_DEFAULT_DROP_INVALID + 1] = {
64 static const char *limit_units[] = {
71 static const char *ipset_methods[] = {
77 static const char *ipset_types[] = {
85 static const char *weekdays[] = {
95 static const char *include_types[] = {
102 fw3_parse_bool(void *ptr, const char *val)
104 if (!strcmp(val, "true") || !strcmp(val, "yes") || !strcmp(val, "1"))
105 *((bool *)ptr) = true;
107 *((bool *)ptr) = false;
113 fw3_parse_int(void *ptr, const char *val)
115 int n = strtol(val, NULL, 10);
117 if (errno == ERANGE || errno == EINVAL)
126 fw3_parse_string(void *ptr, const char *val)
128 *((char **)ptr) = (char *)val;
133 fw3_parse_target(void *ptr, const char *val)
135 return parse_enum(ptr, val, &fw3_flag_names[FW3_TARGET_ACCEPT],
136 FW3_TARGET_ACCEPT, FW3_TARGET_SNAT);
140 fw3_parse_limit(void *ptr, const char *val)
142 struct fw3_limit *limit = ptr;
143 enum fw3_limit_unit u = FW3_LIMIT_UNIT_SECOND;
149 limit->invert = true;
150 while (isspace(*++val));
153 n = strtol(val, &e, 10);
155 if (errno == ERANGE || errno == EINVAL)
158 if (*e && *e++ != '/')
164 if (!parse_enum(&u, e, limit_units, 0, FW3_LIMIT_UNIT_DAY))
174 fw3_parse_device(void *ptr, const char *val)
176 struct fw3_device *dev = ptr;
188 while (isspace(*++val));
192 snprintf(dev->name, sizeof(dev->name), "%s", val);
201 fw3_parse_address(void *ptr, const char *val)
203 struct fw3_address *addr = ptr;
212 while (isspace(*++val));
220 if ((p = strchr(s, '/')) != NULL)
223 m = strtoul(p, &e, 10);
225 if ((e == p) || (*e != 0))
227 if (strchr(s, ':') || !inet_pton(AF_INET, p, &v4))
233 for (i = 0, m = 32; !(v4.s_addr & 1) && (i < 32); i++)
240 else if ((p = strchr(s, '-')) != NULL)
244 if (inet_pton(AF_INET6, p, &v6))
246 addr->family = FW3_FAMILY_V6;
247 addr->address2.v6 = v6;
250 else if (inet_pton(AF_INET, p, &v4))
252 addr->family = FW3_FAMILY_V4;
253 addr->address2.v4 = v4;
263 if (inet_pton(AF_INET6, s, &v6))
265 addr->family = FW3_FAMILY_V6;
266 addr->address.v6 = v6;
267 addr->mask = (m >= 0) ? m : 128;
269 else if (inet_pton(AF_INET, s, &v4))
271 addr->family = FW3_FAMILY_V4;
272 addr->address.v4 = v4;
273 addr->mask = (m >= 0) ? m : 32;
287 fw3_parse_mac(void *ptr, const char *val)
289 struct fw3_mac *addr = ptr;
290 struct ether_addr *mac;
295 while (isspace(*++val));
298 if ((mac = ether_aton(val)) != NULL)
309 fw3_parse_port(void *ptr, const char *val)
311 struct fw3_port *range = ptr;
318 range->invert = true;
319 while (isspace(*++val));
322 n = strtoul(val, &p, 10);
324 if (errno == ERANGE || errno == EINVAL)
327 if (*p && *p != '-' && *p != ':')
332 m = strtoul(++p, NULL, 10);
334 if (errno == ERANGE || errno == EINVAL || m < n)
351 fw3_parse_family(void *ptr, const char *val)
353 if (!strcmp(val, "any"))
354 *((enum fw3_family *)ptr) = FW3_FAMILY_ANY;
355 else if (!strcmp(val, "inet") || strrchr(val, '4'))
356 *((enum fw3_family *)ptr) = FW3_FAMILY_V4;
357 else if (!strcmp(val, "inet6") || strrchr(val, '6'))
358 *((enum fw3_family *)ptr) = FW3_FAMILY_V6;
366 fw3_parse_icmptype(void *ptr, const char *val)
368 struct fw3_icmptype *icmp = ptr;
374 for (i = 0; i < ARRAY_SIZE(fw3_icmptype_list_v4); i++)
376 if (!strcmp(val, fw3_icmptype_list_v4[i].name))
378 icmp->type = fw3_icmptype_list_v4[i].type;
379 icmp->code_min = fw3_icmptype_list_v4[i].code_min;
380 icmp->code_max = fw3_icmptype_list_v4[i].code_max;
387 for (i = 0; i < ARRAY_SIZE(fw3_icmptype_list_v6); i++)
389 if (!strcmp(val, fw3_icmptype_list_v6[i].name))
391 icmp->type6 = fw3_icmptype_list_v6[i].type;
392 icmp->code6_min = fw3_icmptype_list_v6[i].code_min;
393 icmp->code6_max = fw3_icmptype_list_v6[i].code_max;
402 i = strtoul(val, &p, 10);
404 if ((p == val) || (*p != '/' && *p != 0) || (i > 0xFF))
412 i = strtoul(val, &p, 10);
414 if ((p == val) || (*p != 0) || (i > 0xFF))
423 icmp->code_max = 0xFF;
426 icmp->type6 = icmp->type;
427 icmp->code6_min = icmp->code_max;
428 icmp->code6_max = icmp->code_max;
434 icmp->family = (v4 && v6) ? FW3_FAMILY_ANY
435 : (v6 ? FW3_FAMILY_V6 : FW3_FAMILY_V4);
441 fw3_parse_protocol(void *ptr, const char *val)
443 struct fw3_protocol *proto = ptr;
444 struct protoent *ent;
448 proto->invert = true;
449 while (isspace(*++val));
452 if (!strcmp(val, "all"))
457 else if (!strcmp(val, "icmpv6"))
462 ent = getprotobyname(val);
466 proto->protocol = ent->p_proto;
470 proto->protocol = strtoul(val, NULL, 10);
471 return (errno != ERANGE && errno != EINVAL);
475 fw3_parse_ipset_method(void *ptr, const char *val)
477 return parse_enum(ptr, val, ipset_methods,
478 FW3_IPSET_METHOD_BITMAP, FW3_IPSET_METHOD_LIST);
482 fw3_parse_ipset_datatype(void *ptr, const char *val)
484 struct fw3_ipset_datatype *type = ptr;
486 if (!strncmp(val, "dest_", 5))
491 else if (!strncmp(val, "dst_", 4))
496 else if (!strncmp(val, "src_", 4))
502 return parse_enum(&type->type, val, ipset_types,
503 FW3_IPSET_TYPE_IP, FW3_IPSET_TYPE_SET);
507 fw3_parse_date(void *ptr, const char *val)
509 unsigned int year = 1970, mon = 1, day = 1, hour = 0, min = 0, sec = 0;
510 struct tm tm = { 0 };
513 year = strtoul(val, &p, 10);
514 if ((*p != '-' && *p) || year < 1970 || year > 2038)
519 mon = strtoul(++p, &p, 10);
520 if ((*p != '-' && *p) || mon > 12)
525 day = strtoul(++p, &p, 10);
526 if ((*p != 'T' && *p) || day > 31)
531 hour = strtoul(++p, &p, 10);
532 if ((*p != ':' && *p) || hour > 23)
537 min = strtoul(++p, &p, 10);
538 if ((*p != ':' && *p) || min > 59)
543 sec = strtoul(++p, &p, 10);
548 tm.tm_year = year - 1900;
555 if (mktime(&tm) >= 0)
557 *((struct tm *)ptr) = tm;
566 fw3_parse_time(void *ptr, const char *val)
568 unsigned int hour = 0, min = 0, sec = 0;
571 hour = strtoul(val, &p, 10);
572 if (*p != ':' || hour > 23)
575 min = strtoul(++p, &p, 10);
576 if ((*p != ':' && *p) || min > 59)
581 sec = strtoul(++p, &p, 10);
586 *((int *)ptr) = 60 * 60 * hour + 60 * min + sec;
594 fw3_parse_weekdays(void *ptr, const char *val)
601 setbit(*(uint8_t *)ptr, 0);
602 while (isspace(*++val));
605 if (!(s = strdup(val)))
608 for (p = strtok(s, " \t"); p; p = strtok(NULL, " \t"))
610 if (!parse_enum(&w, p, weekdays, 1, 7))
612 w = strtoul(p, &p, 10);
614 if (*p || w < 1 || w > 7)
621 setbit(*(uint8_t *)ptr, w);
629 fw3_parse_monthdays(void *ptr, const char *val)
636 setbit(*(uint32_t *)ptr, 0);
637 while (isspace(*++val));
640 if (!(s = strdup(val)))
643 for (p = strtok(s, " \t"); p; p = strtok(NULL, " \t"))
645 d = strtoul(p, &p, 10);
647 if (*p || d < 1 || d > 31)
653 setbit(*(uint32_t *)ptr, d);
661 fw3_parse_include_type(void *ptr, const char *val)
663 return parse_enum(ptr, val, include_types,
664 FW3_INC_TYPE_SCRIPT, FW3_INC_TYPE_RESTORE);
669 fw3_parse_options(void *s, const struct fw3_option *opts,
670 struct uci_section *section)
674 struct uci_element *e, *l;
675 struct uci_option *o;
676 const struct fw3_option *opt;
677 struct list_head *item;
678 struct list_head *dest;
680 uci_foreach_element(§ion->options, e)
682 o = uci_to_option(e);
685 for (opt = opts; opt->name; opt++)
690 if (strcmp(opt->name, e->name))
693 if (o->type == UCI_TYPE_LIST)
697 warn_elem(e, "must not be a list");
701 uci_foreach_element(&o->v.list, l)
706 item = malloc(opt->elem_size);
711 memset(item, 0, opt->elem_size);
713 if (!opt->parse(item, l->name))
715 warn_elem(e, "has invalid value '%s'", l->name);
720 dest = (struct list_head *)((char *)s + opt->offset);
721 list_add_tail(item, dest);
732 /* protocol "tcpudp" compatibility hack */
733 if (opt->parse == fw3_parse_protocol && !strcmp(v, "tcpudp"))
734 v = strdup("tcp udp");
738 if (!opt->parse((char *)s + opt->offset, o->v.string))
739 warn_elem(e, "has invalid value '%s'", o->v.string);
743 for (p = strtok(v, " \t"); p != NULL; p = strtok(NULL, " \t"))
745 item = malloc(opt->elem_size);
750 memset(item, 0, opt->elem_size);
752 if (!opt->parse(item, p))
754 warn_elem(e, "has invalid value '%s'", p);
759 dest = (struct list_head *)((char *)s + opt->offset);
760 list_add_tail(item, dest);
764 if (v != o->v.string)
773 warn_elem(e, "is unknown");
779 fw3_format_in_out(struct fw3_device *in, struct fw3_device *out)
782 fw3_pr(" %s-i %s", in->invert ? "! " : "", in->name);
784 if (out && !out->any)
785 fw3_pr(" %s-o %s", out->invert ? "! " : "", out->name);
789 fw3_format_src_dest(struct fw3_address *src, struct fw3_address *dest)
791 char s[INET6_ADDRSTRLEN];
793 if ((src && src->range) || (dest && dest->range))
794 fw3_pr(" -m iprange");
800 inet_ntop(src->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
801 &src->address.v4, s, sizeof(s));
803 fw3_pr(" %s--src-range %s", src->invert ? "! " : "", s);
805 inet_ntop(src->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
806 &src->address2.v4, s, sizeof(s));
812 inet_ntop(src->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
813 &src->address.v4, s, sizeof(s));
815 fw3_pr(" %s-s %s/%u", src->invert ? "! " : "", s, src->mask);
819 if (dest && dest->set)
823 inet_ntop(dest->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
824 &dest->address.v4, s, sizeof(s));
826 fw3_pr(" %s--dst-range %s", dest->invert ? "! " : "", s);
828 inet_ntop(dest->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
829 &dest->address2.v4, s, sizeof(s));
835 inet_ntop(dest->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
836 &dest->address.v4, s, sizeof(s));
838 fw3_pr(" %s-d %s/%u", dest->invert ? "! " : "", s, dest->mask);
844 fw3_format_sport_dport(struct fw3_port *sp, struct fw3_port *dp)
848 if (sp->port_min == sp->port_max)
849 fw3_pr(" %s--sport %u", sp->invert ? "! " : "", sp->port_min);
851 fw3_pr(" %s--sport %u:%u",
852 sp->invert ? "! " : "", sp->port_min, sp->port_max);
857 if (dp->port_min == dp->port_max)
858 fw3_pr(" %s--dport %u", dp->invert ? "! " : "", dp->port_min);
860 fw3_pr(" %s--dport %u:%u",
861 dp->invert ? "! " : "", dp->port_min, dp->port_max);
866 fw3_format_mac(struct fw3_mac *mac)
871 fw3_pr(" -m mac %s--mac-source %s",
872 mac->invert ? "! " : "", ether_ntoa(&mac->mac));
876 fw3_format_protocol(struct fw3_protocol *proto, enum fw3_family family)
883 pr = proto->protocol;
885 if (pr == 1 && family == FW3_FAMILY_V6)
891 fw3_pr(" %s-p %u", proto->invert ? "! " : "", pr);
895 fw3_format_icmptype(struct fw3_icmptype *icmp, enum fw3_family family)
900 if (family != FW3_FAMILY_V6)
902 if (icmp->code_min == 0 && icmp->code_max == 0xFF)
903 fw3_pr(" %s--icmp-type %u", icmp->invert ? "! " : "", icmp->type);
905 fw3_pr(" %s--icmp-type %u/%u",
906 icmp->invert ? "! " : "", icmp->type, icmp->code_min);
910 if (icmp->code6_min == 0 && icmp->code6_max == 0xFF)
911 fw3_pr(" %s--icmpv6-type %u", icmp->invert ? "! " : "", icmp->type6);
913 fw3_pr(" %s--icmpv6-type %u/%u",
914 icmp->invert ? "! " : "", icmp->type6, icmp->code6_min);
919 fw3_format_limit(struct fw3_limit *limit)
926 fw3_pr(" -m limit %s--limit %u/%s",
927 limit->invert ? "! " : "",
928 limit->rate, limit_units[limit->unit]);
930 if (limit->burst > 0)
931 fw3_pr(" --limit-burst %u", limit->burst);
936 fw3_format_ipset(struct fw3_ipset *ipset, bool invert)
939 const char *name = NULL;
940 struct fw3_ipset_datatype *type;
945 if (ipset->external && *ipset->external)
946 name = ipset->external;
950 fw3_pr(" -m set %s--match-set %s", invert ? "! " : "", name);
952 list_for_each_entry(type, &ipset->datatypes, list)
954 fw3_pr("%c%s", first ? ' ' : ',', type->dest ? "dst" : "src");
960 fw3_format_time(struct fw3_time *time)
963 struct tm empty = { 0 };
964 char buf[sizeof("9999-99-99T23:59:59\0")];
965 bool d1 = memcmp(&time->datestart, &empty, sizeof(empty));
966 bool d2 = memcmp(&time->datestop, &empty, sizeof(empty));
969 if (!d1 && !d2 && !time->timestart && !time->timestop &&
970 !(time->monthdays & 0xFFFFFFFE) && !(time->weekdays & 0xFE))
982 strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%S", &time->datestart);
983 fw3_pr(" --datestart %s", buf);
988 strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%S", &time->datestop);
989 fw3_pr(" --datestop %s", buf);
994 fw3_pr(" --timestart %02d:%02d:%02d",
995 time->timestart / 3600,
996 time->timestart % 3600 / 60,
997 time->timestart % 60);
1002 fw3_pr(" --timestop %02d:%02d:%02d",
1003 time->timestop / 3600,
1004 time->timestop % 3600 / 60,
1005 time->timestop % 60);
1008 if (time->monthdays & 0xFFFFFFFE)
1010 fw3_pr(" %s--monthdays", hasbit(time->monthdays, 0) ? "! " : "");
1012 for (i = 1, first = true; i < 32; i++)
1014 if (hasbit(time->monthdays, i))
1016 fw3_pr("%c%u", first ? ' ' : ',', i);
1022 if (time->weekdays & 0xFE)
1024 fw3_pr(" %s--weekdays", hasbit(time->weekdays, 0) ? "! " : "");
1026 for (i = 1, first = true; i < 8; i++)
1028 if (hasbit(time->weekdays, i))
1030 fw3_pr("%c%u", first ? ' ' : ',', i);
1038 __fw3_format_comment(const char *comment, ...)
1044 if (!comment || !*comment)
1047 fw3_pr(" -m comment --comment \"");
1051 va_start(ap, comment);
1077 c = va_arg(ap, const char *);
1087 fw3_format_extra(const char *extra)
1089 if (!extra || !*extra)
1092 fw3_pr(" %s", extra);
projects / project / firewall3.git / blob