2 * firewall3 - 3rd OpenWrt UCI firewall implementation
4 * Copyright (C) 2013 Jo-Philipp Wich <jo@mein.io>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 #define C(f, tbl, tgt, fmt) \
25 { FW3_FAMILY_##f, FW3_TABLE_##tbl, FW3_FLAG_##tgt, fmt }
27 static const struct fw3_chain_spec zone_chains[] = {
28 C(ANY, FILTER, UNSPEC, "zone_%s_input"),
29 C(ANY, FILTER, UNSPEC, "zone_%s_output"),
30 C(ANY, FILTER, UNSPEC, "zone_%s_forward"),
32 C(ANY, FILTER, SRC_ACCEPT, "zone_%s_src_ACCEPT"),
33 C(ANY, FILTER, SRC_REJECT, "zone_%s_src_REJECT"),
34 C(ANY, FILTER, SRC_DROP, "zone_%s_src_DROP"),
36 C(ANY, FILTER, ACCEPT, "zone_%s_dest_ACCEPT"),
37 C(ANY, FILTER, REJECT, "zone_%s_dest_REJECT"),
38 C(ANY, FILTER, DROP, "zone_%s_dest_DROP"),
40 C(V4, NAT, SNAT, "zone_%s_postrouting"),
41 C(V4, NAT, DNAT, "zone_%s_prerouting"),
43 C(ANY, RAW, HELPER, "zone_%s_helper"),
44 C(ANY, RAW, NOTRACK, "zone_%s_notrack"),
46 C(ANY, FILTER, CUSTOM_CHAINS, "input_%s_rule"),
47 C(ANY, FILTER, CUSTOM_CHAINS, "output_%s_rule"),
48 C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_%s_rule"),
50 C(V4, NAT, CUSTOM_CHAINS, "prerouting_%s_rule"),
51 C(V4, NAT, CUSTOM_CHAINS, "postrouting_%s_rule"),
56 enum fw3_zone_logmask {
57 FW3_ZONE_LOG_FILTER = (1 << 0),
58 FW3_ZONE_LOG_MANGLE = (1 << 1),
61 const struct fw3_option fw3_zone_opts[] = {
62 FW3_OPT("enabled", bool, zone, enabled),
64 FW3_OPT("name", string, zone, name),
65 FW3_OPT("family", family, zone, family),
67 FW3_LIST("network", device, zone, networks),
68 FW3_LIST("device", device, zone, devices),
69 FW3_LIST("subnet", network, zone, subnets),
71 FW3_OPT("input", target, zone, policy_input),
72 FW3_OPT("forward", target, zone, policy_forward),
73 FW3_OPT("output", target, zone, policy_output),
75 FW3_OPT("masq", bool, zone, masq),
76 FW3_OPT("masq_allow_invalid", bool, zone, masq_allow_invalid),
77 FW3_LIST("masq_src", network, zone, masq_src),
78 FW3_LIST("masq_dest", network, zone, masq_dest),
80 FW3_OPT("extra", string, zone, extra_src),
81 FW3_OPT("extra_src", string, zone, extra_src),
82 FW3_OPT("extra_dest", string, zone, extra_dest),
84 FW3_OPT("mtu_fix", bool, zone, mtu_fix),
85 FW3_OPT("custom_chains", bool, zone, custom_chains),
87 FW3_OPT("log", int, zone, log),
88 FW3_OPT("log_limit", limit, zone, log_limit),
90 FW3_OPT("auto_helper", bool, zone, auto_helper),
91 FW3_LIST("helper", cthelper, zone, cthelpers),
93 FW3_OPT("__flags_v4", int, zone, flags[0]),
94 FW3_OPT("__flags_v6", int, zone, flags[1]),
96 FW3_LIST("__addrs", address, zone, old_addrs),
103 check_policy(struct uci_element *e, enum fw3_flag *pol, enum fw3_flag def,
106 if (*pol == FW3_FLAG_UNSPEC)
108 warn_elem(e, "has no %s policy specified, using default", name);
111 else if (*pol > FW3_FLAG_DROP)
113 warn_elem(e, "has invalid %s policy, using default", name);
119 check_masq_addrs(struct list_head *head)
121 struct fw3_address *addr;
122 int n_addr = 0, n_failed = 0;
124 list_for_each_entry(addr, head, list)
131 if (!addr->set && addr->resolved)
135 return (n_addr == 0 || n_failed < n_addr);
139 resolve_networks(struct uci_element *e, struct fw3_zone *zone)
141 struct fw3_device *net, *tmp;
143 list_for_each_entry(net, &zone->networks, list)
145 tmp = fw3_ubus_device(net->name);
149 warn_elem(e, "cannot resolve device of network '%s'", net->name);
153 snprintf(tmp->network, sizeof(tmp->network), "%s", net->name);
154 list_add_tail(&tmp->list, &zone->devices);
159 resolve_cthelpers(struct fw3_state *s, struct uci_element *e, struct fw3_zone *zone)
161 struct fw3_cthelpermatch *match;
163 if (list_empty(&zone->cthelpers))
165 if (!zone->masq && zone->auto_helper)
167 fw3_setbit(zone->flags[0], FW3_FLAG_HELPER);
168 fw3_setbit(zone->flags[1], FW3_FLAG_HELPER);
174 list_for_each_entry(match, &zone->cthelpers, list)
178 warn_elem(e, "must not use a negated helper match");
182 match->ptr = fw3_lookup_cthelper(s, match->name);
186 warn_elem(e, "refers to not existing helper '%s'", match->name);
190 if (fw3_is_family(match->ptr, FW3_FAMILY_V4))
191 fw3_setbit(zone->flags[0], FW3_FLAG_HELPER);
193 if (fw3_is_family(match->ptr, FW3_FAMILY_V6))
194 fw3_setbit(zone->flags[1], FW3_FLAG_HELPER);
201 struct fw3_zone *zone;
203 zone = calloc(1, sizeof(*zone));
207 INIT_LIST_HEAD(&zone->networks);
208 INIT_LIST_HEAD(&zone->devices);
209 INIT_LIST_HEAD(&zone->subnets);
210 INIT_LIST_HEAD(&zone->masq_src);
211 INIT_LIST_HEAD(&zone->masq_dest);
212 INIT_LIST_HEAD(&zone->cthelpers);
214 INIT_LIST_HEAD(&zone->old_addrs);
216 zone->enabled = true;
217 zone->auto_helper = true;
218 zone->custom_chains = true;
219 zone->log_limit.rate = 10;
225 fw3_load_zones(struct fw3_state *state, struct uci_package *p)
227 struct uci_section *s;
228 struct uci_element *e;
229 struct fw3_zone *zone;
230 struct fw3_defaults *defs = &state->defaults;
232 INIT_LIST_HEAD(&state->zones);
234 uci_foreach_element(&p->sections, e)
236 s = uci_to_section(e);
238 if (strcmp(s->type, "zone"))
241 zone = fw3_alloc_zone();
246 if (!fw3_parse_options(zone, fw3_zone_opts, s))
247 warn_elem(e, "has invalid options");
255 if (!zone->extra_dest)
256 zone->extra_dest = zone->extra_src;
258 if (!defs->custom_chains && zone->custom_chains)
259 zone->custom_chains = false;
261 if (!defs->auto_helper && zone->auto_helper)
262 zone->auto_helper = false;
264 if (!zone->name || !*zone->name)
266 warn_elem(e, "has no name - ignoring");
271 if (strlen(zone->name) > FW3_ZONE_MAXNAMELEN)
273 warn_elem(e, "must not have a name longer than %u characters",
274 FW3_ZONE_MAXNAMELEN);
279 fw3_ubus_zone_devices(zone);
281 if (list_empty(&zone->networks) && list_empty(&zone->devices) &&
282 list_empty(&zone->subnets) && !zone->extra_src)
284 warn_elem(e, "has no device, network, subnet or extra options");
287 if (!check_masq_addrs(&zone->masq_src))
289 warn_elem(e, "has unresolved masq_src, disabling masq");
293 if (!check_masq_addrs(&zone->masq_dest))
295 warn_elem(e, "has unresolved masq_dest, disabling masq");
299 check_policy(e, &zone->policy_input, defs->policy_input, "input");
300 check_policy(e, &zone->policy_output, defs->policy_output, "output");
301 check_policy(e, &zone->policy_forward, defs->policy_forward, "forward");
303 resolve_networks(e, zone);
307 fw3_setbit(zone->flags[0], FW3_FLAG_SNAT);
310 if (zone->custom_chains)
312 fw3_setbit(zone->flags[0], FW3_FLAG_SNAT);
313 fw3_setbit(zone->flags[0], FW3_FLAG_DNAT);
316 resolve_cthelpers(state, e, zone);
318 fw3_setbit(zone->flags[0], fw3_to_src_target(zone->policy_input));
319 fw3_setbit(zone->flags[0], zone->policy_forward);
320 fw3_setbit(zone->flags[0], zone->policy_output);
322 fw3_setbit(zone->flags[1], fw3_to_src_target(zone->policy_input));
323 fw3_setbit(zone->flags[1], zone->policy_forward);
324 fw3_setbit(zone->flags[1], zone->policy_output);
326 list_add_tail(&zone->list, &state->zones);
332 print_zone_chain(struct fw3_ipt_handle *handle, struct fw3_state *state,
333 bool reload, struct fw3_zone *zone)
336 struct fw3_ipt_rule *r;
337 const struct fw3_chain_spec *c;
339 const char *flt_chains[] = {
342 "forward", "forwarding",
345 const char *nat_chains[] = {
346 "prerouting", "prerouting",
347 "postrouting", "postrouting",
350 if (!fw3_is_family(zone, handle->family))
353 set(zone->flags, handle->family, handle->table);
355 if (zone->custom_chains)
356 set(zone->flags, handle->family, FW3_FLAG_CUSTOM_CHAINS);
358 for (c = zone_chains; c->format; c++)
360 /* don't touch user chains on selective stop */
361 if (reload && c->flag == FW3_FLAG_CUSTOM_CHAINS)
364 if (!fw3_is_family(c, handle->family))
367 if (c->table != handle->table)
371 !fw3_hasbit(zone->flags[handle->family == FW3_FAMILY_V6], c->flag))
374 fw3_ipt_create_chain(handle, c->format, zone->name);
377 if (zone->custom_chains)
379 if (handle->table == FW3_TABLE_FILTER)
381 for (i = 0; i < sizeof(flt_chains)/sizeof(flt_chains[0]); i += 2)
383 r = fw3_ipt_rule_new(handle);
384 fw3_ipt_rule_comment(r, "Custom %s %s rule chain", zone->name, flt_chains[i+1]);
385 fw3_ipt_rule_target(r, "%s_%s_rule", flt_chains[i+1], zone->name);
386 fw3_ipt_rule_append(r, "zone_%s_%s", zone->name, flt_chains[i]);
389 else if (handle->table == FW3_TABLE_NAT)
391 for (i = 0; i < sizeof(nat_chains)/sizeof(nat_chains[0]); i += 2)
393 r = fw3_ipt_rule_new(handle);
394 fw3_ipt_rule_comment(r, "Custom %s %s rule chain", zone->name, nat_chains[i+1]);
395 fw3_ipt_rule_target(r, "%s_%s_rule", nat_chains[i+1], zone->name);
396 fw3_ipt_rule_append(r, "zone_%s_%s", zone->name, nat_chains[i]);
401 set(zone->flags, handle->family, handle->table);
405 print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
406 bool reload, struct fw3_zone *zone,
407 struct fw3_device *dev, struct fw3_address *sub)
409 struct fw3_protocol tcp = { .protocol = 6 };
410 struct fw3_ipt_rule *r;
417 const char *chains[] = {
420 "forward", "FORWARD",
423 #define jump_target(t) \
424 ((t == FW3_FLAG_REJECT) ? "reject" : fw3_flag_names[t])
426 if (handle->table == FW3_TABLE_FILTER)
428 for (t = FW3_FLAG_ACCEPT; t <= FW3_FLAG_DROP; t++)
430 if (t > FW3_FLAG_ACCEPT && zone->log & FW3_ZONE_LOG_FILTER)
432 if (has(zone->flags, handle->family, fw3_to_src_target(t)))
434 r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
436 snprintf(buf, sizeof(buf) - 1, "%s %s in: ",
437 fw3_flag_names[t], zone->name);
439 fw3_ipt_rule_limit(r, &zone->log_limit);
440 fw3_ipt_rule_target(r, "LOG");
441 fw3_ipt_rule_addarg(r, false, "--log-prefix", buf);
442 fw3_ipt_rule_replace(r, "zone_%s_src_%s",
443 zone->name, fw3_flag_names[t]);
446 if (has(zone->flags, handle->family, t))
448 r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
450 snprintf(buf, sizeof(buf) - 1, "%s %s out: ",
451 fw3_flag_names[t], zone->name);
453 fw3_ipt_rule_limit(r, &zone->log_limit);
454 fw3_ipt_rule_target(r, "LOG");
455 fw3_ipt_rule_addarg(r, false, "--log-prefix", buf);
456 fw3_ipt_rule_replace(r, "zone_%s_dest_%s",
457 zone->name, fw3_flag_names[t]);
461 if (has(zone->flags, handle->family, fw3_to_src_target(t)))
463 r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
464 fw3_ipt_rule_target(r, jump_target(t));
465 fw3_ipt_rule_extra(r, zone->extra_src);
467 if (t == FW3_FLAG_ACCEPT && !state->defaults.drop_invalid)
468 fw3_ipt_rule_extra(r,
469 "-m conntrack --ctstate NEW,UNTRACKED");
471 fw3_ipt_rule_replace(r, "zone_%s_src_%s", zone->name,
475 if (has(zone->flags, handle->family, t))
477 if (t == FW3_FLAG_ACCEPT &&
478 zone->masq && !zone->masq_allow_invalid)
480 r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
481 fw3_ipt_rule_extra(r, "-m conntrack --ctstate INVALID");
482 fw3_ipt_rule_comment(r, "Prevent NAT leakage");
483 fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_DROP]);
484 fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name,
488 r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
489 fw3_ipt_rule_target(r, jump_target(t));
490 fw3_ipt_rule_extra(r, zone->extra_dest);
491 fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name,
496 for (i = 0; i < sizeof(chains)/sizeof(chains[0]); i += 2)
498 if (*chains[i] == 'o')
499 r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
501 r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
503 fw3_ipt_rule_target(r, "zone_%s_%s", zone->name, chains[i]);
505 if (*chains[i] == 'o')
506 fw3_ipt_rule_extra(r, zone->extra_dest);
508 fw3_ipt_rule_extra(r, zone->extra_src);
510 fw3_ipt_rule_replace(r, chains[i + 1]);
513 else if (handle->table == FW3_TABLE_NAT)
515 if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
517 r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
518 fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
519 fw3_ipt_rule_extra(r, zone->extra_src);
520 fw3_ipt_rule_replace(r, "PREROUTING");
523 if (has(zone->flags, handle->family, FW3_FLAG_SNAT))
525 r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
526 fw3_ipt_rule_target(r, "zone_%s_postrouting", zone->name);
527 fw3_ipt_rule_extra(r, zone->extra_dest);
528 fw3_ipt_rule_replace(r, "POSTROUTING");
531 else if (handle->table == FW3_TABLE_MANGLE)
535 if (zone->log & FW3_ZONE_LOG_MANGLE)
537 snprintf(buf, sizeof(buf) - 1, "MSSFIX %s out: ", zone->name);
539 r = fw3_ipt_rule_create(handle, &tcp, NULL, dev, NULL, sub);
540 fw3_ipt_rule_addarg(r, false, "--tcp-flags", "SYN,RST");
541 fw3_ipt_rule_addarg(r, false, "SYN", NULL);
542 fw3_ipt_rule_limit(r, &zone->log_limit);
543 fw3_ipt_rule_comment(r, "Zone %s MTU fix logging", zone->name);
544 fw3_ipt_rule_target(r, "LOG");
545 fw3_ipt_rule_addarg(r, false, "--log-prefix", buf);
546 fw3_ipt_rule_replace(r, "FORWARD");
549 r = fw3_ipt_rule_create(handle, &tcp, NULL, dev, NULL, sub);
550 fw3_ipt_rule_addarg(r, false, "--tcp-flags", "SYN,RST");
551 fw3_ipt_rule_addarg(r, false, "SYN", NULL);
552 fw3_ipt_rule_comment(r, "Zone %s MTU fixing", zone->name);
553 fw3_ipt_rule_target(r, "TCPMSS");
554 fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
555 fw3_ipt_rule_replace(r, "FORWARD");
558 else if (handle->table == FW3_TABLE_RAW)
560 if (has(zone->flags, handle->family, FW3_FLAG_HELPER))
562 r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
563 fw3_ipt_rule_comment(r, "%s CT helper assignment", zone->name);
564 fw3_ipt_rule_target(r, "zone_%s_helper", zone->name);
565 fw3_ipt_rule_extra(r, zone->extra_src);
566 fw3_ipt_rule_replace(r, "PREROUTING");
569 if (has(zone->flags, handle->family, FW3_FLAG_NOTRACK))
571 r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
572 fw3_ipt_rule_comment(r, "%s CT bypass", zone->name);
573 fw3_ipt_rule_target(r, "zone_%s_notrack", zone->name);
574 fw3_ipt_rule_extra(r, zone->extra_src);
575 fw3_ipt_rule_replace(r, "PREROUTING");
581 print_interface_rules(struct fw3_ipt_handle *handle, struct fw3_state *state,
582 bool reload, struct fw3_zone *zone)
584 struct fw3_device *dev;
585 struct fw3_address *sub;
587 fw3_foreach(dev, &zone->devices)
588 fw3_foreach(sub, &zone->subnets)
590 if (!fw3_is_family(sub, handle->family))
596 print_interface_rule(handle, state, reload, zone, dev, sub);
600 static struct fw3_address *
601 next_addr(struct fw3_address *addr, struct list_head *list,
602 enum fw3_family family, bool invert)
605 struct fw3_address *rv;
607 for (p = addr ? addr->list.next : list->next; p != list; p = p->next)
609 rv = list_entry(p, struct fw3_address, list);
611 if (fw3_is_family(rv, family) && rv->set && rv->invert == invert)
619 print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
620 bool reload, struct fw3_zone *zone)
622 bool first_src, first_dest;
623 struct fw3_address *msrc;
624 struct fw3_address *mdest;
625 struct fw3_ipt_rule *r;
627 if (!fw3_is_family(zone, handle->family))
630 info(" * Zone '%s'", zone->name);
632 switch (handle->table)
634 case FW3_TABLE_FILTER:
635 if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
637 r = fw3_ipt_rule_new(handle);
638 fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
639 fw3_ipt_rule_comment(r, "Accept port redirections");
640 fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
641 fw3_ipt_rule_append(r, "zone_%s_input", zone->name);
643 r = fw3_ipt_rule_new(handle);
644 fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
645 fw3_ipt_rule_comment(r, "Accept port forwards");
646 fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
647 fw3_ipt_rule_append(r, "zone_%s_forward", zone->name);
650 r = fw3_ipt_rule_new(handle);
651 fw3_ipt_rule_target(r, "zone_%s_src_%s", zone->name,
652 fw3_flag_names[zone->policy_input]);
653 fw3_ipt_rule_append(r, "zone_%s_input", zone->name);
655 r = fw3_ipt_rule_new(handle);
656 fw3_ipt_rule_target(r, "zone_%s_dest_%s", zone->name,
657 fw3_flag_names[zone->policy_forward]);
658 fw3_ipt_rule_append(r, "zone_%s_forward", zone->name);
660 r = fw3_ipt_rule_new(handle);
661 fw3_ipt_rule_target(r, "zone_%s_dest_%s", zone->name,
662 fw3_flag_names[zone->policy_output]);
663 fw3_ipt_rule_append(r, "zone_%s_output", zone->name);
668 if (zone->masq && handle->family == FW3_FAMILY_V4)
670 /* for any negated masq_src ip, emit -s addr -j RETURN rules */
672 (msrc = next_addr(msrc, &zone->masq_src,
673 handle->family, true)) != NULL; )
675 msrc->invert = false;
676 r = fw3_ipt_rule_new(handle);
677 fw3_ipt_rule_src_dest(r, msrc, NULL);
678 fw3_ipt_rule_target(r, "RETURN");
679 fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
683 /* for any negated masq_dest ip, emit -d addr -j RETURN rules */
685 (mdest = next_addr(mdest, &zone->masq_dest,
686 handle->family, true)) != NULL; )
688 mdest->invert = false;
689 r = fw3_ipt_rule_new(handle);
690 fw3_ipt_rule_src_dest(r, NULL, mdest);
691 fw3_ipt_rule_target(r, "RETURN");
692 fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
693 mdest->invert = true;
696 /* emit masquerading entries for non-negated addresses
697 and ensure that both src and dest loops run at least once,
698 even if there are no relevant addresses */
699 for (first_src = true, msrc = NULL;
700 (msrc = next_addr(msrc, &zone->masq_src,
701 handle->family, false)) || first_src;
704 for (first_dest = true, mdest = NULL;
705 (mdest = next_addr(mdest, &zone->masq_dest,
706 handle->family, false)) || first_dest;
709 r = fw3_ipt_rule_new(handle);
710 fw3_ipt_rule_src_dest(r, msrc, mdest);
711 fw3_ipt_rule_target(r, "MASQUERADE");
712 fw3_ipt_rule_append(r, "zone_%s_postrouting", zone->name);
719 fw3_print_cthelpers(handle, state, zone);
722 case FW3_TABLE_MANGLE:
726 print_interface_rules(handle, state, reload, zone);
730 fw3_print_zone_chains(struct fw3_ipt_handle *handle, struct fw3_state *state,
733 struct fw3_zone *zone;
735 list_for_each_entry(zone, &state->zones, list)
736 print_zone_chain(handle, state, reload, zone);
740 fw3_print_zone_rules(struct fw3_ipt_handle *handle, struct fw3_state *state,
743 struct fw3_zone *zone;
745 list_for_each_entry(zone, &state->zones, list)
746 print_zone_rule(handle, state, reload, zone);
750 fw3_flush_zones(struct fw3_ipt_handle *handle, struct fw3_state *state,
753 struct fw3_zone *z, *tmp;
754 const struct fw3_chain_spec *c;
757 list_for_each_entry_safe(z, tmp, &state->zones, list)
759 if (!has(z->flags, handle->family, handle->table))
762 for (c = zone_chains; c->format; c++)
764 /* don't touch user chains on selective stop */
765 if (reload && c->flag == FW3_FLAG_CUSTOM_CHAINS)
768 if (!fw3_is_family(c, handle->family))
771 if (c->table != handle->table)
774 if (c->flag && !has(z->flags, handle->family, c->flag))
777 snprintf(chain, sizeof(chain), c->format, z->name);
778 fw3_ipt_flush_chain(handle, chain);
780 /* keep certain basic chains that do not depend on any settings to
781 avoid purging unrelated user rules pointing to them */
782 if (reload && !c->flag)
785 fw3_ipt_delete_chain(handle, chain);
788 del(z->flags, handle->family, handle->table);
793 fw3_hotplug_zones(struct fw3_state *state, bool add)
796 struct fw3_device *d;
798 list_for_each_entry(z, &state->zones, list)
800 if (add != fw3_hasbit(z->flags[0], FW3_FLAG_HOTPLUG))
802 list_for_each_entry(d, &z->devices, list)
803 fw3_hotplug(add, z, d);
806 fw3_setbit(z->flags[0], FW3_FLAG_HOTPLUG);
808 fw3_delbit(z->flags[0], FW3_FLAG_HOTPLUG);
814 fw3_lookup_zone(struct fw3_state *state, const char *name)
818 if (list_empty(&state->zones))
821 list_for_each_entry(z, &state->zones, list)
823 if (strcmp(z->name, name))
833 fw3_resolve_zone_addresses(struct fw3_zone *zone, struct fw3_address *addr)
835 struct fw3_device *net;
836 struct fw3_address *cur, *tmp;
837 struct list_head *all;
839 all = calloc(1, sizeof(*all));
845 if (addr && addr->set)
847 tmp = malloc(sizeof(*tmp));
852 list_add_tail(&tmp->list, all);
857 list_for_each_entry(net, &zone->networks, list)
858 fw3_ubus_address(all, net->name);
860 list_for_each_entry(cur, &zone->subnets, list)
862 tmp = malloc(sizeof(*tmp));
868 list_add_tail(&tmp->list, all);
projects / project / firewall3.git / blob