2 * firewall3 - 3rd OpenWrt UCI firewall implementation
4 * Copyright (C) 2013 Jo-Philipp Wich <jow@openwrt.org>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
23 #define C(f, tbl, tgt, name) \
24 { FW3_FAMILY_##f, FW3_TABLE_##tbl, FW3_TARGET_##tgt, name }
27 enum fw3_family family;
29 enum fw3_target target;
33 static const struct chain src_chains[] = {
34 C(ANY, FILTER, UNSPEC, "zone_%s_input"),
35 C(ANY, FILTER, UNSPEC, "zone_%s_output"),
36 C(ANY, FILTER, UNSPEC, "zone_%s_forward"),
38 C(ANY, FILTER, ACCEPT, "zone_%s_src_ACCEPT"),
39 C(ANY, FILTER, REJECT, "zone_%s_src_REJECT"),
40 C(ANY, FILTER, DROP, "zone_%s_src_DROP"),
43 static const struct chain dst_chains[] = {
44 C(ANY, FILTER, ACCEPT, "zone_%s_dest_ACCEPT"),
45 C(ANY, FILTER, REJECT, "zone_%s_dest_REJECT"),
46 C(ANY, FILTER, DROP, "zone_%s_dest_DROP"),
48 C(V4, NAT, SNAT, "zone_%s_postrouting"),
49 C(V4, NAT, DNAT, "zone_%s_prerouting"),
51 C(ANY, FILTER, CUSTOM_CHAINS, "input_%s_rule"),
52 C(ANY, FILTER, CUSTOM_CHAINS, "output_%s_rule"),
53 C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_%s_rule"),
55 C(V4, NAT, CUSTOM_CHAINS, "prerouting_%s_rule"),
56 C(V4, NAT, CUSTOM_CHAINS, "postrouting_%s_rule"),
59 const struct fw3_option fw3_zone_opts[] = {
60 FW3_OPT("enabled", bool, zone, enabled),
62 FW3_OPT("name", string, zone, name),
63 FW3_OPT("family", family, zone, family),
65 FW3_LIST("network", device, zone, networks),
66 FW3_LIST("device", device, zone, devices),
67 FW3_LIST("subnet", address, zone, subnets),
69 FW3_OPT("input", target, zone, policy_input),
70 FW3_OPT("forward", target, zone, policy_forward),
71 FW3_OPT("output", target, zone, policy_output),
73 FW3_OPT("masq", bool, zone, masq),
74 FW3_LIST("masq_src", address, zone, masq_src),
75 FW3_LIST("masq_dest", address, zone, masq_dest),
77 FW3_OPT("extra", string, zone, extra_src),
78 FW3_OPT("extra_src", string, zone, extra_src),
79 FW3_OPT("extra_dest", string, zone, extra_dest),
81 FW3_OPT("conntrack", bool, zone, conntrack),
82 FW3_OPT("mtu_fix", bool, zone, mtu_fix),
83 FW3_OPT("custom_chains", bool, zone, custom_chains),
85 FW3_OPT("log", bool, zone, log),
86 FW3_OPT("log_limit", limit, zone, log_limit),
93 print_chains(enum fw3_table table, enum fw3_family family,
94 const char *fmt, const char *name, uint16_t targets,
95 const struct chain *chains, int n)
99 const struct chain *c;
101 for (c = chains; n > 0; c++, n--)
103 if (!fw3_is_family(c, family))
106 if (c->table != table)
109 if ((c->target != FW3_TARGET_UNSPEC) && !hasbit(targets, c->target))
112 snprintf(cn, sizeof(cn), c->name, name);
122 check_policy(struct uci_element *e, enum fw3_target *pol, enum fw3_target def,
125 if (*pol == FW3_TARGET_UNSPEC)
127 warn_elem(e, "has no %s policy specified, using default", name);
130 else if (*pol > FW3_TARGET_DROP)
132 warn_elem(e, "has invalid %s policy, using default", name);
138 resolve_networks(struct uci_element *e, struct fw3_zone *zone)
140 struct fw3_device *net, *tmp;
142 list_for_each_entry(net, &zone->networks, list)
144 tmp = fw3_ubus_device(net->name);
148 warn_elem(e, "cannot resolve device of network '%s'", net->name);
152 list_add_tail(&tmp->list, &zone->devices);
159 struct fw3_zone *zone;
161 zone = malloc(sizeof(*zone));
166 memset(zone, 0, sizeof(*zone));
168 INIT_LIST_HEAD(&zone->networks);
169 INIT_LIST_HEAD(&zone->devices);
170 INIT_LIST_HEAD(&zone->subnets);
171 INIT_LIST_HEAD(&zone->masq_src);
172 INIT_LIST_HEAD(&zone->masq_dest);
174 zone->enabled = true;
175 zone->custom_chains = true;
176 zone->log_limit.rate = 10;
182 fw3_load_zones(struct fw3_state *state, struct uci_package *p)
184 struct uci_section *s;
185 struct uci_element *e;
186 struct fw3_zone *zone;
187 struct fw3_defaults *defs = &state->defaults;
189 INIT_LIST_HEAD(&state->zones);
191 uci_foreach_element(&p->sections, e)
193 s = uci_to_section(e);
195 if (strcmp(s->type, "zone"))
198 zone = fw3_alloc_zone();
203 fw3_parse_options(zone, fw3_zone_opts, s);
211 if (!zone->extra_dest)
212 zone->extra_dest = zone->extra_src;
214 if (!defs->custom_chains && zone->custom_chains)
215 zone->custom_chains = false;
217 if (!zone->name || !*zone->name)
219 warn_elem(e, "has no name - ignoring");
224 if (list_empty(&zone->networks) && list_empty(&zone->devices) &&
225 list_empty(&zone->subnets) && !zone->extra_src)
227 warn_elem(e, "has no device, network, subnet or extra options");
230 check_policy(e, &zone->policy_input, defs->policy_input, "input");
231 check_policy(e, &zone->policy_output, defs->policy_output, "output");
232 check_policy(e, &zone->policy_forward, defs->policy_forward, "forward");
234 resolve_networks(e, zone);
238 setbit(zone->dst_flags, FW3_TARGET_SNAT);
239 zone->conntrack = true;
242 if (zone->custom_chains)
244 setbit(zone->dst_flags, FW3_TARGET_SNAT);
245 setbit(zone->dst_flags, FW3_TARGET_DNAT);
248 setbit(zone->src_flags, zone->policy_input);
249 setbit(zone->dst_flags, zone->policy_output);
250 setbit(zone->dst_flags, zone->policy_forward);
252 list_add_tail(&zone->list, &state->zones);
258 print_zone_chain(enum fw3_table table, enum fw3_family family,
259 struct fw3_zone *zone, struct fw3_state *state)
264 if (!fw3_is_family(zone, family))
267 setbit(zone->dst_flags, family);
269 /* user chains already loaded, don't create again */
270 if (hasbit(zone->dst_flags, FW3_TARGET_CUSTOM_CHAINS))
271 delbit(mask, FW3_TARGET_CUSTOM_CHAINS);
273 if (zone->custom_chains)
274 setbit(zone->dst_flags, FW3_TARGET_CUSTOM_CHAINS);
276 if (!zone->conntrack && !state->defaults.drop_invalid)
277 setbit(zone->dst_flags, FW3_TARGET_NOTRACK);
279 s = print_chains(table, family, ":%s - [0:0]\n", zone->name,
280 zone->src_flags & mask,
281 src_chains, ARRAY_SIZE(src_chains));
283 d = print_chains(table, family, ":%s - [0:0]\n", zone->name,
284 zone->dst_flags & mask,
285 dst_chains, ARRAY_SIZE(dst_chains));
287 if (zone->custom_chains)
289 if (table == FW3_TABLE_FILTER)
291 fw3_pr("-A zone_%s_input -j input_%s_rule "
292 "-m comment --comment \"user chain for %s input\"\n",
293 zone->name, zone->name, zone->name);
295 fw3_pr("-A zone_%s_output -j output_%s_rule "
296 "-m comment --comment \"user chain for %s output\"\n",
297 zone->name, zone->name, zone->name);
299 fw3_pr("-A zone_%s_forward -j forwarding_%s_rule "
300 "-m comment --comment \"user chain for %s forwarding\"\n",
301 zone->name, zone->name, zone->name);
303 else if (table == FW3_TABLE_NAT)
305 fw3_pr("-A zone_%s_prerouting -j prerouting_%s_rule "
306 "-m comment --comment \"user chain for %s prerouting\"\n",
307 zone->name, zone->name, zone->name);
309 fw3_pr("-A zone_%s_postrouting -j postrouting_%s_rule "
310 "-m comment --comment \"user chain for %s postrouting\"\n",
311 zone->name, zone->name, zone->name);
317 info(" * Zone '%s'", zone->name);
318 fw3_set_running(zone, &state->running_zones);
323 print_interface_rule(enum fw3_table table, enum fw3_family family,
324 struct fw3_zone *zone, struct fw3_device *dev,
325 struct fw3_address *sub, bool disable_notrack)
329 #define jump_target(t) \
330 ((t == FW3_TARGET_REJECT) ? "reject" : fw3_flag_names[t])
332 if (table == FW3_TABLE_FILTER)
334 for (t = FW3_TARGET_ACCEPT; t <= FW3_TARGET_DROP; t++)
336 if (hasbit(zone->src_flags, t))
338 fw3_pr("-A zone_%s_src_%s", zone->name, fw3_flag_names[t]);
339 fw3_format_in_out(dev, NULL);
340 fw3_format_src_dest(sub, NULL);
341 fw3_format_extra(zone->extra_src);
342 fw3_pr(" -j %s\n", jump_target(t));
345 if (hasbit(zone->dst_flags, t))
347 fw3_pr("-A zone_%s_dest_%s", zone->name, fw3_flag_names[t]);
348 fw3_format_in_out(NULL, dev);
349 fw3_format_src_dest(NULL, sub);
350 fw3_format_extra(zone->extra_dest);
351 fw3_pr(" -j %s\n", jump_target(t));
355 fw3_pr("-A delegate_input");
356 fw3_format_in_out(dev, NULL);
357 fw3_format_src_dest(sub, NULL);
358 fw3_format_extra(zone->extra_src);
359 fw3_pr(" -j zone_%s_input\n", zone->name);
361 fw3_pr("-A delegate_forward");
362 fw3_format_in_out(dev, NULL);
363 fw3_format_src_dest(sub, NULL);
364 fw3_format_extra(zone->extra_src);
365 fw3_pr(" -j zone_%s_forward\n", zone->name);
367 fw3_pr("-A delegate_output");
368 fw3_format_in_out(NULL, dev);
369 fw3_format_src_dest(NULL, sub);
370 fw3_format_extra(zone->extra_dest);
371 fw3_pr(" -j zone_%s_output\n", zone->name);
373 else if (table == FW3_TABLE_NAT)
375 if (hasbit(zone->dst_flags, FW3_TARGET_DNAT))
377 fw3_pr("-A delegate_prerouting");
378 fw3_format_in_out(dev, NULL);
379 fw3_format_src_dest(sub, NULL);
380 fw3_format_extra(zone->extra_src);
381 fw3_pr(" -j zone_%s_prerouting\n", zone->name);
384 if (hasbit(zone->dst_flags, FW3_TARGET_SNAT))
386 fw3_pr("-A delegate_postrouting");
387 fw3_format_in_out(NULL, dev);
388 fw3_format_src_dest(NULL, sub);
389 fw3_format_extra(zone->extra_dest);
390 fw3_pr(" -j zone_%s_postrouting\n", zone->name);
393 else if (table == FW3_TABLE_MANGLE)
400 fw3_format_in_out(NULL, dev);
401 fw3_format_src_dest(NULL, sub);
402 fw3_pr(" -p tcp --tcp-flags SYN,RST SYN");
403 fw3_format_limit(&zone->log_limit);
404 fw3_format_comment(zone->name, " (mtu_fix logging)");
405 fw3_pr(" -j LOG --log-prefix \"MSSFIX(%s): \"\n", zone->name);
409 fw3_format_in_out(NULL, dev);
410 fw3_format_src_dest(NULL, sub);
411 fw3_pr(" -p tcp --tcp-flags SYN,RST SYN");
412 fw3_format_comment(zone->name, " (mtu_fix)");
413 fw3_pr(" -j TCPMSS --clamp-mss-to-pmtu\n");
416 else if (table == FW3_TABLE_RAW)
418 if (!zone->conntrack && !disable_notrack)
420 fw3_pr("-A notrack");
421 fw3_format_in_out(dev, NULL);
422 fw3_format_src_dest(sub, NULL);
423 fw3_format_extra(zone->extra_src);
424 fw3_format_comment(zone->name, " (notrack)");
425 fw3_pr(" -j CT --notrack\n", zone->name);
431 print_interface_rules(enum fw3_table table, enum fw3_family family,
432 struct fw3_zone *zone, bool disable_notrack)
434 struct fw3_device *dev;
435 struct fw3_address *sub;
437 fw3_foreach(dev, &zone->devices)
438 fw3_foreach(sub, &zone->subnets)
440 if (!fw3_is_family(sub, family))
446 print_interface_rule(table, family, zone, dev, sub, disable_notrack);
451 print_zone_rule(enum fw3_table table, enum fw3_family family,
452 struct fw3_zone *zone, bool disable_notrack)
454 struct fw3_address *msrc;
455 struct fw3_address *mdest;
459 if (!fw3_is_family(zone, family))
464 case FW3_TABLE_FILTER:
465 fw3_pr("-A zone_%s_input -j zone_%s_src_%s\n",
466 zone->name, zone->name, fw3_flag_names[zone->policy_input]);
468 fw3_pr("-A zone_%s_forward -j zone_%s_dest_%s\n",
469 zone->name, zone->name, fw3_flag_names[zone->policy_forward]);
471 fw3_pr("-A zone_%s_output -j zone_%s_dest_%s\n",
472 zone->name, zone->name, fw3_flag_names[zone->policy_output]);
476 for (t = FW3_TARGET_REJECT; t <= FW3_TARGET_DROP; t++)
478 if (hasbit(zone->src_flags, t))
480 fw3_pr("-A zone_%s_src_%s", zone->name, fw3_flag_names[t]);
481 fw3_format_limit(&zone->log_limit);
482 fw3_pr(" -j LOG --log-prefix \"%s(src %s)\"\n",
483 fw3_flag_names[t], zone->name);
486 if (hasbit(zone->dst_flags, t))
488 fw3_pr("-A zone_%s_dest_%s", zone->name, fw3_flag_names[t]);
489 fw3_format_limit(&zone->log_limit);
490 fw3_pr(" -j LOG --log-prefix \"%s(dest %s)\"\n",
491 fw3_flag_names[t], zone->name);
498 if (zone->masq && family == FW3_FAMILY_V4)
500 fw3_foreach(msrc, &zone->masq_src)
501 fw3_foreach(mdest, &zone->masq_dest)
503 fw3_pr("-A zone_%s_postrouting ", zone->name);
504 fw3_format_src_dest(msrc, mdest);
505 fw3_pr("-j MASQUERADE\n");
511 case FW3_TABLE_MANGLE:
515 print_interface_rules(table, family, zone, disable_notrack);
519 fw3_print_zone_chains(enum fw3_table table, enum fw3_family family,
520 struct fw3_state *state)
522 struct fw3_zone *zone;
524 list_for_each_entry(zone, &state->zones, list)
525 print_zone_chain(table, family, zone, state);
529 fw3_print_zone_rules(enum fw3_table table, enum fw3_family family,
530 struct fw3_state *state)
532 struct fw3_zone *zone;
534 list_for_each_entry(zone, &state->zones, list)
535 print_zone_rule(table, family, zone, state->defaults.drop_invalid);
539 fw3_flush_zones(enum fw3_table table, enum fw3_family family,
540 bool pass2, bool reload, struct fw3_state *state)
542 struct fw3_zone *z, *tmp;
544 uint16_t families = (1 << FW3_FAMILY_V4) | (1 << FW3_FAMILY_V6);
546 /* don't touch user chains on selective stop */
548 delbit(mask, FW3_DEFAULT_CUSTOM_CHAINS);
550 list_for_each_entry_safe(z, tmp, &state->running_zones, running_list)
552 if (!hasbit(z->dst_flags, family))
555 print_chains(table, family, pass2 ? "-X %s\n" : "-F %s\n",
556 z->name, z->src_flags & mask,
557 src_chains, ARRAY_SIZE(src_chains));
559 print_chains(table, family, pass2 ? "-X %s\n" : "-F %s\n",
560 z->name, z->dst_flags & mask,
561 dst_chains, ARRAY_SIZE(dst_chains));
565 delbit(z->dst_flags, family);
567 if (!(z->dst_flags & families))
568 fw3_set_running(z, NULL);
574 fw3_lookup_zone(struct fw3_state *state, const char *name, bool running)
578 if (list_empty(&state->zones))
581 list_for_each_entry(z, &state->zones, list)
583 if (strcmp(z->name, name))
586 if (!running || z->running_list.next)
projects / project / firewall3.git / blob