2 * firewall3 - 3rd OpenWrt UCI firewall implementation
4 * Copyright (C) 2013 Jo-Philipp Wich <jow@openwrt.org>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 put_value(void *ptr, void *val, int elem_size, bool is_list)
30 copy = malloc(elem_size);
35 memcpy(copy, val, elem_size);
36 list_add_tail((struct list_head *)copy, (struct list_head *)ptr);
40 memcpy(ptr, val, elem_size);
45 parse_enum(void *ptr, const char *val, const char **values, int min, int max)
47 int i, l = strlen(val);
51 for (i = 0; i <= (max - min); i++)
53 if (!strncasecmp(val, values[i], l))
55 *((int *)ptr) = min + i;
65 const char *fw3_flag_names[__FW3_FLAG_MAX] = {
86 static const char *limit_units[] = {
93 static const char *ipset_methods[] = {
99 static const char *ipset_types[] = {
107 static const char *weekdays[] = {
117 static const char *include_types[] = {
122 static const char *reflection_sources[] = {
129 fw3_parse_bool(void *ptr, const char *val, bool is_list)
131 if (!strcmp(val, "true") || !strcmp(val, "yes") || !strcmp(val, "1"))
132 *((bool *)ptr) = true;
134 *((bool *)ptr) = false;
140 fw3_parse_int(void *ptr, const char *val, bool is_list)
142 int n = strtol(val, NULL, 10);
144 if (errno == ERANGE || errno == EINVAL)
153 fw3_parse_string(void *ptr, const char *val, bool is_list)
155 *((char **)ptr) = (char *)val;
160 fw3_parse_target(void *ptr, const char *val, bool is_list)
162 return parse_enum(ptr, val, &fw3_flag_names[FW3_FLAG_ACCEPT],
163 FW3_FLAG_ACCEPT, FW3_FLAG_SNAT);
167 fw3_parse_limit(void *ptr, const char *val, bool is_list)
169 struct fw3_limit *limit = ptr;
170 enum fw3_limit_unit u = FW3_LIMIT_UNIT_SECOND;
176 limit->invert = true;
177 while (isspace(*++val));
180 n = strtol(val, &e, 10);
182 if (errno == ERANGE || errno == EINVAL)
185 if (*e && *e++ != '/')
191 if (!parse_enum(&u, e, limit_units, 0, FW3_LIMIT_UNIT_DAY))
201 fw3_parse_device(void *ptr, const char *val, bool is_list)
203 struct fw3_device dev = { };
215 while (isspace(*++val));
219 snprintf(dev.name, sizeof(dev.name), "%s", val);
224 put_value(ptr, &dev, sizeof(dev), is_list);
229 fw3_parse_address(void *ptr, const char *val, bool is_list)
231 struct fw3_address addr = { };
240 while (isspace(*++val));
248 if ((p = strchr(s, '/')) != NULL)
251 m = strtoul(p, &e, 10);
253 if ((e == p) || (*e != 0))
255 if (strchr(s, ':') || !inet_pton(AF_INET, p, &v4))
261 for (i = 0, m = 32; !(v4.s_addr & 1) && (i < 32); i++)
268 else if ((p = strchr(s, '-')) != NULL)
272 if (inet_pton(AF_INET6, p, &v6))
274 addr.family = FW3_FAMILY_V6;
275 addr.address2.v6 = v6;
278 else if (inet_pton(AF_INET, p, &v4))
280 addr.family = FW3_FAMILY_V4;
281 addr.address2.v4 = v4;
291 if (inet_pton(AF_INET6, s, &v6))
293 addr.family = FW3_FAMILY_V6;
294 addr.address.v6 = v6;
295 addr.mask = (m >= 0) ? m : 128;
297 else if (inet_pton(AF_INET, s, &v4))
299 addr.family = FW3_FAMILY_V4;
300 addr.address.v4 = v4;
301 addr.mask = (m >= 0) ? m : 32;
311 put_value(ptr, &addr, sizeof(addr), is_list);
316 fw3_parse_network(void *ptr, const char *val, bool is_list)
318 struct fw3_device dev = { };
319 struct fw3_address *addr;
320 struct list_head *addr_list;
322 if (!fw3_parse_address(ptr, val, is_list))
324 if (!fw3_parse_device(&dev, val, false))
327 addr_list = fw3_ubus_address(dev.name);
331 list_for_each_entry(addr, addr_list, list)
333 addr->invert = dev.invert;
335 if (!put_value(ptr, addr, sizeof(*addr), is_list))
339 fw3_ubus_address_free(addr_list);
347 fw3_parse_mac(void *ptr, const char *val, bool is_list)
349 struct fw3_mac addr = { };
350 struct ether_addr *mac;
355 while (isspace(*++val));
358 if ((mac = ether_aton(val)) != NULL)
363 put_value(ptr, &addr, sizeof(addr), is_list);
371 fw3_parse_port(void *ptr, const char *val, bool is_list)
373 struct fw3_port range = { };
381 while (isspace(*++val));
384 n = strtoul(val, &p, 10);
386 if (errno == ERANGE || errno == EINVAL)
389 if (*p && *p != '-' && *p != ':')
394 m = strtoul(++p, NULL, 10);
396 if (errno == ERANGE || errno == EINVAL || m < n)
409 put_value(ptr, &range, sizeof(range), is_list);
414 fw3_parse_family(void *ptr, const char *val, bool is_list)
416 if (!strcmp(val, "any"))
417 *((enum fw3_family *)ptr) = FW3_FAMILY_ANY;
418 else if (!strcmp(val, "inet") || strrchr(val, '4'))
419 *((enum fw3_family *)ptr) = FW3_FAMILY_V4;
420 else if (!strcmp(val, "inet6") || strrchr(val, '6'))
421 *((enum fw3_family *)ptr) = FW3_FAMILY_V6;
429 fw3_parse_icmptype(void *ptr, const char *val, bool is_list)
431 struct fw3_icmptype icmp = { };
437 for (i = 0; i < ARRAY_SIZE(fw3_icmptype_list_v4); i++)
439 if (!strcmp(val, fw3_icmptype_list_v4[i].name))
441 icmp.type = fw3_icmptype_list_v4[i].type;
442 icmp.code_min = fw3_icmptype_list_v4[i].code_min;
443 icmp.code_max = fw3_icmptype_list_v4[i].code_max;
450 for (i = 0; i < ARRAY_SIZE(fw3_icmptype_list_v6); i++)
452 if (!strcmp(val, fw3_icmptype_list_v6[i].name))
454 icmp.type6 = fw3_icmptype_list_v6[i].type;
455 icmp.code6_min = fw3_icmptype_list_v6[i].code_min;
456 icmp.code6_max = fw3_icmptype_list_v6[i].code_max;
465 i = strtoul(val, &p, 10);
467 if ((p == val) || (*p != '/' && *p != 0) || (i > 0xFF))
475 i = strtoul(val, &p, 10);
477 if ((p == val) || (*p != 0) || (i > 0xFF))
486 icmp.code_max = 0xFF;
489 icmp.type6 = icmp.type;
490 icmp.code6_min = icmp.code_max;
491 icmp.code6_max = icmp.code_max;
497 icmp.family = (v4 && v6) ? FW3_FAMILY_ANY
498 : (v6 ? FW3_FAMILY_V6 : FW3_FAMILY_V4);
500 put_value(ptr, &icmp, sizeof(icmp), is_list);
505 fw3_parse_protocol(void *ptr, const char *val, bool is_list)
507 struct fw3_protocol proto = { };
508 struct protoent *ent;
513 while (isspace(*++val));
516 if (!strcmp(val, "all"))
521 else if (!strcmp(val, "icmpv6"))
525 else if (!strcmp(val, "tcpudp"))
528 if (put_value(ptr, &proto, sizeof(proto), is_list))
531 put_value(ptr, &proto, sizeof(proto), is_list);
537 ent = getprotobyname(val);
541 proto.protocol = ent->p_proto;
542 put_value(ptr, &proto, sizeof(proto), is_list);
546 proto.protocol = strtoul(val, NULL, 10);
548 if (errno == ERANGE || errno == EINVAL)
551 put_value(ptr, &proto, sizeof(proto), is_list);
556 fw3_parse_ipset_method(void *ptr, const char *val, bool is_list)
558 return parse_enum(ptr, val, ipset_methods,
559 FW3_IPSET_METHOD_BITMAP, FW3_IPSET_METHOD_LIST);
563 fw3_parse_ipset_datatype(void *ptr, const char *val, bool is_list)
565 struct fw3_ipset_datatype *type = ptr;
567 if (!strncmp(val, "dest_", 5))
572 else if (!strncmp(val, "dst_", 4))
577 else if (!strncmp(val, "src_", 4))
583 return parse_enum(&type->type, val, ipset_types,
584 FW3_IPSET_TYPE_IP, FW3_IPSET_TYPE_SET);
588 fw3_parse_date(void *ptr, const char *val, bool is_list)
590 unsigned int year = 1970, mon = 1, day = 1, hour = 0, min = 0, sec = 0;
591 struct tm tm = { 0 };
594 year = strtoul(val, &p, 10);
595 if ((*p != '-' && *p) || year < 1970 || year > 2038)
600 mon = strtoul(++p, &p, 10);
601 if ((*p != '-' && *p) || mon > 12)
606 day = strtoul(++p, &p, 10);
607 if ((*p != 'T' && *p) || day > 31)
612 hour = strtoul(++p, &p, 10);
613 if ((*p != ':' && *p) || hour > 23)
618 min = strtoul(++p, &p, 10);
619 if ((*p != ':' && *p) || min > 59)
624 sec = strtoul(++p, &p, 10);
629 tm.tm_year = year - 1900;
636 if (mktime(&tm) >= 0)
638 *((struct tm *)ptr) = tm;
647 fw3_parse_time(void *ptr, const char *val, bool is_list)
649 unsigned int hour = 0, min = 0, sec = 0;
652 hour = strtoul(val, &p, 10);
653 if (*p != ':' || hour > 23)
656 min = strtoul(++p, &p, 10);
657 if ((*p != ':' && *p) || min > 59)
662 sec = strtoul(++p, &p, 10);
667 *((int *)ptr) = 60 * 60 * hour + 60 * min + sec;
675 fw3_parse_weekdays(void *ptr, const char *val, bool is_list)
682 setbit(*(uint8_t *)ptr, 0);
683 while (isspace(*++val));
686 if (!(s = strdup(val)))
689 for (p = strtok(s, " \t"); p; p = strtok(NULL, " \t"))
691 if (!parse_enum(&w, p, weekdays, 1, 7))
693 w = strtoul(p, &p, 10);
695 if (*p || w < 1 || w > 7)
702 setbit(*(uint8_t *)ptr, w);
710 fw3_parse_monthdays(void *ptr, const char *val, bool is_list)
717 setbit(*(uint32_t *)ptr, 0);
718 while (isspace(*++val));
721 if (!(s = strdup(val)))
724 for (p = strtok(s, " \t"); p; p = strtok(NULL, " \t"))
726 d = strtoul(p, &p, 10);
728 if (*p || d < 1 || d > 31)
734 setbit(*(uint32_t *)ptr, d);
742 fw3_parse_include_type(void *ptr, const char *val, bool is_list)
744 return parse_enum(ptr, val, include_types,
745 FW3_INC_TYPE_SCRIPT, FW3_INC_TYPE_RESTORE);
749 fw3_parse_reflection_source(void *ptr, const char *val, bool is_list)
751 return parse_enum(ptr, val, reflection_sources,
752 FW3_REFLECTION_INTERNAL, FW3_REFLECTION_EXTERNAL);
757 fw3_parse_options(void *s, const struct fw3_option *opts,
758 struct uci_section *section)
762 struct uci_element *e, *l;
763 struct uci_option *o;
764 const struct fw3_option *opt;
765 struct list_head *dest;
767 uci_foreach_element(§ion->options, e)
769 o = uci_to_option(e);
772 for (opt = opts; opt->name; opt++)
777 if (strcmp(opt->name, e->name))
780 if (o->type == UCI_TYPE_LIST)
784 warn_elem(e, "must not be a list");
788 dest = (struct list_head *)((char *)s + opt->offset);
790 uci_foreach_element(&o->v.list, l)
795 if (!opt->parse(dest, l->name, true))
797 warn_elem(e, "has invalid value '%s'", l->name);
812 if (!opt->parse((char *)s + opt->offset, o->v.string, false))
813 warn_elem(e, "has invalid value '%s'", o->v.string);
817 dest = (struct list_head *)((char *)s + opt->offset);
819 for (p = strtok(v, " \t"); p != NULL; p = strtok(NULL, " \t"))
821 if (!opt->parse(dest, p, true))
823 warn_elem(e, "has invalid value '%s'", p);
835 warn_elem(e, "is unknown");
841 fw3_format_in_out(struct fw3_device *in, struct fw3_device *out)
844 fw3_pr(" %s-i %s", in->invert ? "! " : "", in->name);
846 if (out && !out->any)
847 fw3_pr(" %s-o %s", out->invert ? "! " : "", out->name);
851 fw3_format_src_dest(struct fw3_address *src, struct fw3_address *dest)
853 char s[INET6_ADDRSTRLEN];
855 if ((src && src->range) || (dest && dest->range))
856 fw3_pr(" -m iprange");
862 inet_ntop(src->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
863 &src->address.v4, s, sizeof(s));
865 fw3_pr(" %s--src-range %s", src->invert ? "! " : "", s);
867 inet_ntop(src->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
868 &src->address2.v4, s, sizeof(s));
874 inet_ntop(src->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
875 &src->address.v4, s, sizeof(s));
877 fw3_pr(" %s-s %s/%u", src->invert ? "! " : "", s, src->mask);
881 if (dest && dest->set)
885 inet_ntop(dest->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
886 &dest->address.v4, s, sizeof(s));
888 fw3_pr(" %s--dst-range %s", dest->invert ? "! " : "", s);
890 inet_ntop(dest->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
891 &dest->address2.v4, s, sizeof(s));
897 inet_ntop(dest->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
898 &dest->address.v4, s, sizeof(s));
900 fw3_pr(" %s-d %s/%u", dest->invert ? "! " : "", s, dest->mask);
906 fw3_format_sport_dport(struct fw3_port *sp, struct fw3_port *dp)
910 if (sp->port_min == sp->port_max)
911 fw3_pr(" %s--sport %u", sp->invert ? "! " : "", sp->port_min);
913 fw3_pr(" %s--sport %u:%u",
914 sp->invert ? "! " : "", sp->port_min, sp->port_max);
919 if (dp->port_min == dp->port_max)
920 fw3_pr(" %s--dport %u", dp->invert ? "! " : "", dp->port_min);
922 fw3_pr(" %s--dport %u:%u",
923 dp->invert ? "! " : "", dp->port_min, dp->port_max);
928 fw3_format_mac(struct fw3_mac *mac)
933 fw3_pr(" -m mac %s--mac-source %s",
934 mac->invert ? "! " : "", ether_ntoa(&mac->mac));
938 fw3_format_protocol(struct fw3_protocol *proto, enum fw3_family family)
945 pr = proto->protocol;
947 if (pr == 1 && family == FW3_FAMILY_V6)
953 fw3_pr(" %s-p %u", proto->invert ? "! " : "", pr);
957 fw3_format_icmptype(struct fw3_icmptype *icmp, enum fw3_family family)
962 if (family != FW3_FAMILY_V6)
964 if (icmp->code_min == 0 && icmp->code_max == 0xFF)
965 fw3_pr(" %s--icmp-type %u", icmp->invert ? "! " : "", icmp->type);
967 fw3_pr(" %s--icmp-type %u/%u",
968 icmp->invert ? "! " : "", icmp->type, icmp->code_min);
972 if (icmp->code6_min == 0 && icmp->code6_max == 0xFF)
973 fw3_pr(" %s--icmpv6-type %u", icmp->invert ? "! " : "", icmp->type6);
975 fw3_pr(" %s--icmpv6-type %u/%u",
976 icmp->invert ? "! " : "", icmp->type6, icmp->code6_min);
981 fw3_format_limit(struct fw3_limit *limit)
988 fw3_pr(" -m limit %s--limit %u/%s",
989 limit->invert ? "! " : "",
990 limit->rate, limit_units[limit->unit]);
992 if (limit->burst > 0)
993 fw3_pr(" --limit-burst %u", limit->burst);
998 fw3_format_ipset(struct fw3_ipset *ipset, bool invert)
1001 const char *name = NULL;
1002 struct fw3_ipset_datatype *type;
1007 if (ipset->external && *ipset->external)
1008 name = ipset->external;
1012 fw3_pr(" -m set %s--match-set %s", invert ? "! " : "", name);
1014 list_for_each_entry(type, &ipset->datatypes, list)
1016 fw3_pr("%c%s", first ? ' ' : ',', type->dest ? "dst" : "src");
1022 fw3_format_time(struct fw3_time *time)
1025 struct tm empty = { 0 };
1026 char buf[sizeof("9999-99-99T23:59:59\0")];
1027 bool d1 = memcmp(&time->datestart, &empty, sizeof(empty));
1028 bool d2 = memcmp(&time->datestop, &empty, sizeof(empty));
1031 if (!d1 && !d2 && !time->timestart && !time->timestop &&
1032 !(time->monthdays & 0xFFFFFFFE) && !(time->weekdays & 0xFE))
1044 strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%S", &time->datestart);
1045 fw3_pr(" --datestart %s", buf);
1050 strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%S", &time->datestop);
1051 fw3_pr(" --datestop %s", buf);
1054 if (time->timestart)
1056 fw3_pr(" --timestart %02d:%02d:%02d",
1057 time->timestart / 3600,
1058 time->timestart % 3600 / 60,
1059 time->timestart % 60);
1064 fw3_pr(" --timestop %02d:%02d:%02d",
1065 time->timestop / 3600,
1066 time->timestop % 3600 / 60,
1067 time->timestop % 60);
1070 if (time->monthdays & 0xFFFFFFFE)
1072 fw3_pr(" %s--monthdays", hasbit(time->monthdays, 0) ? "! " : "");
1074 for (i = 1, first = true; i < 32; i++)
1076 if (hasbit(time->monthdays, i))
1078 fw3_pr("%c%u", first ? ' ' : ',', i);
1084 if (time->weekdays & 0xFE)
1086 fw3_pr(" %s--weekdays", hasbit(time->weekdays, 0) ? "! " : "");
1088 for (i = 1, first = true; i < 8; i++)
1090 if (hasbit(time->weekdays, i))
1092 fw3_pr("%c%u", first ? ' ' : ',', i);
1100 __fw3_format_comment(const char *comment, ...)
1106 if (!comment || !*comment)
1109 fw3_pr(" -m comment --comment \"");
1113 va_start(ap, comment);
1139 c = va_arg(ap, const char *);
1149 fw3_format_extra(const char *extra)
1151 if (!extra || !*extra)
1154 fw3_pr(" %s", extra);
projects / project / firewall3.git / blob