2 * firewall3 - 3rd OpenWrt UCI firewall implementation
4 * Copyright (C) 2013 Jo-Philipp Wich <jo@mein.io>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 #define C(f, tbl, tgt, fmt) \
24 { FW3_FAMILY_##f, FW3_TABLE_##tbl, FW3_FLAG_##tgt, fmt }
26 static const struct fw3_chain_spec zone_chains[] = {
27 C(ANY, FILTER, UNSPEC, "zone_%s_input"),
28 C(ANY, FILTER, UNSPEC, "zone_%s_output"),
29 C(ANY, FILTER, UNSPEC, "zone_%s_forward"),
31 C(ANY, FILTER, SRC_ACCEPT, "zone_%s_src_ACCEPT"),
32 C(ANY, FILTER, SRC_REJECT, "zone_%s_src_REJECT"),
33 C(ANY, FILTER, SRC_DROP, "zone_%s_src_DROP"),
35 C(ANY, FILTER, ACCEPT, "zone_%s_dest_ACCEPT"),
36 C(ANY, FILTER, REJECT, "zone_%s_dest_REJECT"),
37 C(ANY, FILTER, DROP, "zone_%s_dest_DROP"),
39 C(V4, NAT, SNAT, "zone_%s_postrouting"),
40 C(V4, NAT, DNAT, "zone_%s_prerouting"),
42 C(ANY, RAW, NOTRACK, "zone_%s_notrack"),
44 C(ANY, FILTER, CUSTOM_CHAINS, "input_%s_rule"),
45 C(ANY, FILTER, CUSTOM_CHAINS, "output_%s_rule"),
46 C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_%s_rule"),
48 C(V4, NAT, CUSTOM_CHAINS, "prerouting_%s_rule"),
49 C(V4, NAT, CUSTOM_CHAINS, "postrouting_%s_rule"),
54 const struct fw3_option fw3_zone_opts[] = {
55 FW3_OPT("enabled", bool, zone, enabled),
57 FW3_OPT("name", string, zone, name),
58 FW3_OPT("family", family, zone, family),
60 FW3_LIST("network", device, zone, networks),
61 FW3_LIST("device", device, zone, devices),
62 FW3_LIST("subnet", network, zone, subnets),
64 FW3_OPT("input", target, zone, policy_input),
65 FW3_OPT("forward", target, zone, policy_forward),
66 FW3_OPT("output", target, zone, policy_output),
68 FW3_OPT("masq", bool, zone, masq),
69 FW3_OPT("masq_allow_invalid", bool, zone, masq_allow_invalid),
70 FW3_LIST("masq_src", network, zone, masq_src),
71 FW3_LIST("masq_dest", network, zone, masq_dest),
73 FW3_OPT("extra", string, zone, extra_src),
74 FW3_OPT("extra_src", string, zone, extra_src),
75 FW3_OPT("extra_dest", string, zone, extra_dest),
77 FW3_OPT("mtu_fix", bool, zone, mtu_fix),
78 FW3_OPT("custom_chains", bool, zone, custom_chains),
80 FW3_OPT("log", bool, zone, log),
81 FW3_OPT("log_limit", limit, zone, log_limit),
83 FW3_OPT("__flags_v4", int, zone, flags[0]),
84 FW3_OPT("__flags_v6", int, zone, flags[1]),
86 FW3_LIST("__addrs", address, zone, old_addrs),
93 check_policy(struct uci_element *e, enum fw3_flag *pol, enum fw3_flag def,
96 if (*pol == FW3_FLAG_UNSPEC)
98 warn_elem(e, "has no %s policy specified, using default", name);
101 else if (*pol > FW3_FLAG_DROP)
103 warn_elem(e, "has invalid %s policy, using default", name);
109 resolve_networks(struct uci_element *e, struct fw3_zone *zone)
111 struct fw3_device *net, *tmp;
113 list_for_each_entry(net, &zone->networks, list)
115 tmp = fw3_ubus_device(net->name);
119 warn_elem(e, "cannot resolve device of network '%s'", net->name);
123 snprintf(tmp->network, sizeof(tmp->network), "%s", net->name);
124 list_add_tail(&tmp->list, &zone->devices);
131 struct fw3_zone *zone;
133 zone = calloc(1, sizeof(*zone));
137 INIT_LIST_HEAD(&zone->networks);
138 INIT_LIST_HEAD(&zone->devices);
139 INIT_LIST_HEAD(&zone->subnets);
140 INIT_LIST_HEAD(&zone->masq_src);
141 INIT_LIST_HEAD(&zone->masq_dest);
143 INIT_LIST_HEAD(&zone->old_addrs);
145 zone->enabled = true;
146 zone->custom_chains = true;
147 zone->log_limit.rate = 10;
153 fw3_load_zones(struct fw3_state *state, struct uci_package *p)
155 struct uci_section *s;
156 struct uci_element *e;
157 struct fw3_zone *zone;
158 struct fw3_defaults *defs = &state->defaults;
160 INIT_LIST_HEAD(&state->zones);
162 uci_foreach_element(&p->sections, e)
164 s = uci_to_section(e);
166 if (strcmp(s->type, "zone"))
169 zone = fw3_alloc_zone();
174 fw3_parse_options(zone, fw3_zone_opts, s);
182 if (!zone->extra_dest)
183 zone->extra_dest = zone->extra_src;
185 if (!defs->custom_chains && zone->custom_chains)
186 zone->custom_chains = false;
188 if (!zone->name || !*zone->name)
190 warn_elem(e, "has no name - ignoring");
195 if (strlen(zone->name) > FW3_ZONE_MAXNAMELEN)
197 warn_elem(e, "must not have a name longer than %u characters",
198 FW3_ZONE_MAXNAMELEN);
203 fw3_ubus_zone_devices(zone);
205 if (list_empty(&zone->networks) && list_empty(&zone->devices) &&
206 list_empty(&zone->subnets) && !zone->extra_src)
208 warn_elem(e, "has no device, network, subnet or extra options");
211 check_policy(e, &zone->policy_input, defs->policy_input, "input");
212 check_policy(e, &zone->policy_output, defs->policy_output, "output");
213 check_policy(e, &zone->policy_forward, defs->policy_forward, "forward");
215 resolve_networks(e, zone);
219 fw3_setbit(zone->flags[0], FW3_FLAG_SNAT);
222 if (zone->custom_chains)
224 fw3_setbit(zone->flags[0], FW3_FLAG_SNAT);
225 fw3_setbit(zone->flags[0], FW3_FLAG_DNAT);
228 fw3_setbit(zone->flags[0], fw3_to_src_target(zone->policy_input));
229 fw3_setbit(zone->flags[0], zone->policy_forward);
230 fw3_setbit(zone->flags[0], zone->policy_output);
232 fw3_setbit(zone->flags[1], fw3_to_src_target(zone->policy_input));
233 fw3_setbit(zone->flags[1], zone->policy_forward);
234 fw3_setbit(zone->flags[1], zone->policy_output);
236 list_add_tail(&zone->list, &state->zones);
242 print_zone_chain(struct fw3_ipt_handle *handle, struct fw3_state *state,
243 bool reload, struct fw3_zone *zone)
246 struct fw3_ipt_rule *r;
247 const struct fw3_chain_spec *c;
249 const char *flt_chains[] = {
252 "forward", "forwarding",
255 const char *nat_chains[] = {
256 "prerouting", "prerouting",
257 "postrouting", "postrouting",
260 if (!fw3_is_family(zone, handle->family))
263 info(" * Zone '%s'", zone->name);
265 set(zone->flags, handle->family, handle->table);
267 if (zone->custom_chains)
268 set(zone->flags, handle->family, FW3_FLAG_CUSTOM_CHAINS);
270 for (c = zone_chains; c->format; c++)
272 /* don't touch user chains on selective stop */
273 if (reload && c->flag == FW3_FLAG_CUSTOM_CHAINS)
276 if (!fw3_is_family(c, handle->family))
279 if (c->table != handle->table)
283 !fw3_hasbit(zone->flags[handle->family == FW3_FAMILY_V6], c->flag))
286 fw3_ipt_create_chain(handle, c->format, zone->name);
289 if (zone->custom_chains)
291 if (handle->table == FW3_TABLE_FILTER)
293 for (i = 0; i < sizeof(flt_chains)/sizeof(flt_chains[0]); i += 2)
295 r = fw3_ipt_rule_new(handle);
296 fw3_ipt_rule_comment(r, "user chain for %s", flt_chains[i+1]);
297 fw3_ipt_rule_target(r, "%s_%s_rule", flt_chains[i+1], zone->name);
298 fw3_ipt_rule_append(r, "zone_%s_%s", zone->name, flt_chains[i]);
301 else if (handle->table == FW3_TABLE_NAT)
303 for (i = 0; i < sizeof(nat_chains)/sizeof(nat_chains[0]); i += 2)
305 r = fw3_ipt_rule_new(handle);
306 fw3_ipt_rule_comment(r, "user chain for %s", nat_chains[i+1]);
307 fw3_ipt_rule_target(r, "%s_%s_rule", nat_chains[i+1], zone->name);
308 fw3_ipt_rule_append(r, "zone_%s_%s", zone->name, nat_chains[i]);
313 set(zone->flags, handle->family, handle->table);
317 print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
318 bool reload, struct fw3_zone *zone,
319 struct fw3_device *dev, struct fw3_address *sub)
321 struct fw3_protocol tcp = { .protocol = 6 };
322 struct fw3_ipt_rule *r;
329 const char *chains[] = {
332 "forward", "FORWARD",
335 #define jump_target(t) \
336 ((t == FW3_FLAG_REJECT) ? "reject" : fw3_flag_names[t])
338 if (handle->table == FW3_TABLE_FILTER)
340 for (t = FW3_FLAG_ACCEPT; t <= FW3_FLAG_DROP; t++)
342 if (has(zone->flags, handle->family, fw3_to_src_target(t)))
344 r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
345 fw3_ipt_rule_target(r, jump_target(t));
346 fw3_ipt_rule_extra(r, zone->extra_src);
348 if (t == FW3_FLAG_ACCEPT && !state->defaults.drop_invalid)
349 fw3_ipt_rule_extra(r,
350 "-m conntrack --ctstate NEW,UNTRACKED");
352 fw3_ipt_rule_replace(r, "zone_%s_src_%s", zone->name,
356 if (has(zone->flags, handle->family, t))
358 if (t == FW3_FLAG_ACCEPT &&
359 zone->masq && !zone->masq_allow_invalid)
361 r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
362 fw3_ipt_rule_extra(r, "-m conntrack --ctstate INVALID");
363 fw3_ipt_rule_comment(r, "Prevent NAT leakage");
364 fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_DROP]);
365 fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name,
369 r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
370 fw3_ipt_rule_target(r, jump_target(t));
371 fw3_ipt_rule_extra(r, zone->extra_dest);
372 fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name,
377 for (i = 0; i < sizeof(chains)/sizeof(chains[0]); i += 2)
379 if (*chains[i] == 'o')
380 r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
382 r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
384 fw3_ipt_rule_target(r, "zone_%s_%s", zone->name, chains[i]);
386 if (*chains[i] == 'o')
387 fw3_ipt_rule_extra(r, zone->extra_dest);
389 fw3_ipt_rule_extra(r, zone->extra_src);
391 fw3_ipt_rule_replace(r, chains[i + 1]);
394 else if (handle->table == FW3_TABLE_NAT)
396 if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
398 r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
399 fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
400 fw3_ipt_rule_extra(r, zone->extra_src);
401 fw3_ipt_rule_replace(r, "PREROUTING");
404 if (has(zone->flags, handle->family, FW3_FLAG_SNAT))
406 r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
407 fw3_ipt_rule_target(r, "zone_%s_postrouting", zone->name);
408 fw3_ipt_rule_extra(r, zone->extra_dest);
409 fw3_ipt_rule_replace(r, "POSTROUTING");
412 else if (handle->table == FW3_TABLE_MANGLE)
418 snprintf(buf, sizeof(buf) - 1, "MSSFIX(%s): ", zone->name);
420 r = fw3_ipt_rule_create(handle, &tcp, NULL, dev, NULL, sub);
421 fw3_ipt_rule_addarg(r, false, "--tcp-flags", "SYN,RST");
422 fw3_ipt_rule_addarg(r, false, "SYN", NULL);
423 fw3_ipt_rule_limit(r, &zone->log_limit);
424 fw3_ipt_rule_comment(r, "%s (mtu_fix logging)", zone->name);
425 fw3_ipt_rule_target(r, "LOG");
426 fw3_ipt_rule_addarg(r, false, "--log-prefix", buf);
427 fw3_ipt_rule_replace(r, "FORWARD");
430 r = fw3_ipt_rule_create(handle, &tcp, NULL, dev, NULL, sub);
431 fw3_ipt_rule_addarg(r, false, "--tcp-flags", "SYN,RST");
432 fw3_ipt_rule_addarg(r, false, "SYN", NULL);
433 fw3_ipt_rule_comment(r, "%s (mtu_fix)", zone->name);
434 fw3_ipt_rule_target(r, "TCPMSS");
435 fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
436 fw3_ipt_rule_replace(r, "FORWARD");
439 else if (handle->table == FW3_TABLE_RAW)
441 if (has(zone->flags, handle->family, FW3_FLAG_NOTRACK))
443 r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
444 fw3_ipt_rule_target(r, "zone_%s_notrack", zone->name);
445 fw3_ipt_rule_extra(r, zone->extra_src);
446 fw3_ipt_rule_replace(r, "PREROUTING");
452 print_interface_rules(struct fw3_ipt_handle *handle, struct fw3_state *state,
453 bool reload, struct fw3_zone *zone)
455 struct fw3_device *dev;
456 struct fw3_address *sub;
458 fw3_foreach(dev, &zone->devices)
459 fw3_foreach(sub, &zone->subnets)
461 if (!fw3_is_family(sub, handle->family))
467 print_interface_rule(handle, state, reload, zone, dev, sub);
471 static struct fw3_address *
472 next_addr(struct fw3_address *addr, struct list_head *list,
473 enum fw3_family family, bool invert)
476 struct fw3_address *rv;
478 for (p = addr ? addr->list.next : list->next; p != list; p = p->next)
480 rv = list_entry(p, struct fw3_address, list);
482 if (fw3_is_family(rv, family) && rv->invert == invert)
490 print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
491 bool reload, struct fw3_zone *zone)
493 bool first_src, first_dest;
494 struct fw3_address *msrc;
495 struct fw3_address *mdest;
496 struct fw3_ipt_rule *r;
501 if (!fw3_is_family(zone, handle->family))
504 switch (handle->table)
506 case FW3_TABLE_FILTER:
507 if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
509 r = fw3_ipt_rule_new(handle);
510 fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
511 fw3_ipt_rule_comment(r, "Accept port redirections");
512 fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
513 fw3_ipt_rule_append(r, "zone_%s_input", zone->name);
515 r = fw3_ipt_rule_new(handle);
516 fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
517 fw3_ipt_rule_comment(r, "Accept port forwards");
518 fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
519 fw3_ipt_rule_append(r, "zone_%s_forward", zone->name);
522 r = fw3_ipt_rule_new(handle);
523 fw3_ipt_rule_target(r, "zone_%s_src_%s", zone->name,
524 fw3_flag_names[zone->policy_input]);
525 fw3_ipt_rule_append(r, "zone_%s_input", zone->name);
527 r = fw3_ipt_rule_new(handle);
528 fw3_ipt_rule_target(r, "zone_%s_dest_%s", zone->name,
529 fw3_flag_names[zone->policy_forward]);
530 fw3_ipt_rule_append(r, "zone_%s_forward", zone->name);
532 r = fw3_ipt_rule_new(handle);
533 fw3_ipt_rule_target(r, "zone_%s_dest_%s", zone->name,
534 fw3_flag_names[zone->policy_output]);
535 fw3_ipt_rule_append(r, "zone_%s_output", zone->name);
539 for (t = FW3_FLAG_REJECT; t <= FW3_FLAG_DROP; t++)
541 if (has(zone->flags, handle->family, fw3_to_src_target(t)))
543 r = fw3_ipt_rule_new(handle);
545 snprintf(buf, sizeof(buf) - 1, "%s(src %s)",
546 fw3_flag_names[t], zone->name);
548 fw3_ipt_rule_limit(r, &zone->log_limit);
549 fw3_ipt_rule_target(r, "LOG");
550 fw3_ipt_rule_addarg(r, false, "--log-prefix", buf);
551 fw3_ipt_rule_append(r, "zone_%s_src_%s",
552 zone->name, fw3_flag_names[t]);
555 if (has(zone->flags, handle->family, t))
557 r = fw3_ipt_rule_new(handle);
559 snprintf(buf, sizeof(buf) - 1, "%s(dest %s)",
560 fw3_flag_names[t], zone->name);
562 fw3_ipt_rule_limit(r, &zone->log_limit);
563 fw3_ipt_rule_target(r, "LOG");
564 fw3_ipt_rule_addarg(r, false, "--log-prefix", buf);
565 fw3_ipt_rule_append(r, "zone_%s_dest_%s",
566 zone->name, fw3_flag_names[t]);
573 if (zone->masq && handle->family == FW3_FAMILY_V4)
575 /* for any negated masq_src ip, emit -s addr -j RETURN rules */
577 (msrc = next_addr(msrc, &zone->masq_src,
578 handle->family, true)) != NULL; )
580 msrc->invert = false;
581 r = fw3_ipt_rule_new(handle);
582 fw3_ipt_rule_src_dest(r, msrc, NULL);
583 fw3_ipt_rule_target(r, "RETURN");
584 fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
588 /* for any negated masq_dest ip, emit -d addr -j RETURN rules */
590 (mdest = next_addr(mdest, &zone->masq_dest,
591 handle->family, true)) != NULL; )
593 mdest->invert = false;
594 r = fw3_ipt_rule_new(handle);
595 fw3_ipt_rule_src_dest(r, NULL, mdest);
596 fw3_ipt_rule_target(r, "RETURN");
597 fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
598 mdest->invert = true;
601 /* emit masquerading entries for non-negated addresses
602 and ensure that both src and dest loops run at least once,
603 even if there are no relevant addresses */
604 for (first_src = true, msrc = NULL;
605 (msrc = next_addr(msrc, &zone->masq_src,
606 handle->family, false)) || first_src;
609 for (first_dest = true, mdest = NULL;
610 (mdest = next_addr(mdest, &zone->masq_dest,
611 handle->family, false)) || first_dest;
614 r = fw3_ipt_rule_new(handle);
615 fw3_ipt_rule_src_dest(r, msrc, mdest);
616 fw3_ipt_rule_target(r, "MASQUERADE");
617 fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
624 case FW3_TABLE_MANGLE:
628 print_interface_rules(handle, state, reload, zone);
632 fw3_print_zone_chains(struct fw3_ipt_handle *handle, struct fw3_state *state,
635 struct fw3_zone *zone;
637 list_for_each_entry(zone, &state->zones, list)
638 print_zone_chain(handle, state, reload, zone);
642 fw3_print_zone_rules(struct fw3_ipt_handle *handle, struct fw3_state *state,
645 struct fw3_zone *zone;
647 list_for_each_entry(zone, &state->zones, list)
648 print_zone_rule(handle, state, reload, zone);
652 fw3_flush_zones(struct fw3_ipt_handle *handle, struct fw3_state *state,
655 struct fw3_zone *z, *tmp;
656 const struct fw3_chain_spec *c;
659 list_for_each_entry_safe(z, tmp, &state->zones, list)
661 if (!has(z->flags, handle->family, handle->table))
664 for (c = zone_chains; c->format; c++)
666 /* don't touch user chains on selective stop */
667 if (reload && c->flag == FW3_FLAG_CUSTOM_CHAINS)
670 if (!fw3_is_family(c, handle->family))
673 if (c->table != handle->table)
676 if (c->flag && !has(z->flags, handle->family, c->flag))
679 snprintf(chain, sizeof(chain), c->format, z->name);
680 fw3_ipt_flush_chain(handle, chain);
682 /* keep certain basic chains that do not depend on any settings to
683 avoid purging unrelated user rules pointing to them */
684 if (reload && !c->flag)
687 fw3_ipt_delete_chain(handle, chain);
690 del(z->flags, handle->family, handle->table);
695 fw3_hotplug_zones(struct fw3_state *state, bool add)
698 struct fw3_device *d;
700 list_for_each_entry(z, &state->zones, list)
702 if (add != fw3_hasbit(z->flags[0], FW3_FLAG_HOTPLUG))
704 list_for_each_entry(d, &z->devices, list)
705 fw3_hotplug(add, z, d);
708 fw3_setbit(z->flags[0], FW3_FLAG_HOTPLUG);
710 fw3_delbit(z->flags[0], FW3_FLAG_HOTPLUG);
716 fw3_lookup_zone(struct fw3_state *state, const char *name)
720 if (list_empty(&state->zones))
723 list_for_each_entry(z, &state->zones, list)
725 if (strcmp(z->name, name))
735 fw3_resolve_zone_addresses(struct fw3_zone *zone, struct fw3_address *addr)
737 struct fw3_device *net;
738 struct fw3_address *cur, *tmp;
739 struct list_head *all;
741 all = calloc(1, sizeof(*all));
747 if (addr && addr->set)
749 tmp = malloc(sizeof(*tmp));
754 list_add_tail(&tmp->list, all);
759 list_for_each_entry(net, &zone->networks, list)
760 fw3_ubus_address(all, net->name);
762 list_for_each_entry(cur, &zone->subnets, list)
764 tmp = malloc(sizeof(*tmp));
770 list_add_tail(&tmp->list, all);
projects / project / firewall3.git / blob