Keep all basic chains on reload and only flush them, this allows user rules to jump...
[project/firewall3.git] / redirects.c
index 1f10b42..15855c9 100644 (file)
@@ -28,7 +28,7 @@ const struct fw3_option fw3_redirect_opts[] = {
        FW3_OPT("src",                 device,    redirect,     src),
        FW3_OPT("dest",                device,    redirect,     dest),
 
-       FW3_OPT("ipset",               device,    redirect,     ipset),
+       FW3_OPT("ipset",               setmatch,  redirect,     ipset),
 
        FW3_LIST("proto",              protocol,  redirect,     proto),
 
@@ -44,6 +44,9 @@ const struct fw3_option fw3_redirect_opts[] = {
 
        FW3_OPT("extra",               string,    redirect,     extra),
 
+       FW3_OPT("limit",               limit,     redirect,     limit),
+       FW3_OPT("limit_burst",         int,       redirect,     limit.burst),
+
        FW3_OPT("utc_time",            bool,      redirect,     time.utc),
        FW3_OPT("start_date",          date,      redirect,     time.datestart),
        FW3_OPT("stop_date",           date,      redirect,     time.datestop),
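Review bot: `limit_burst` is read as a bare `int` and nothing in this hunk bounds it; iptables' `-m limit --limit-burst` only accepts 1..10000, so a zero, negative or oversized value from UCI would presumably surface as a rule-insertion failure rather than a load-time warning, unless `fw3_ipt_rule_limit` clamps it (not visible here). Consider rejecting it where the other option sanity checks live in fw3_load_redirects, e.g. `if (redir->limit.burst < 0) { warn_elem(e, "has invalid limit_burst"); fw3_free_redirect(redir); continue; }`, and a comment on the two new entries such as `/* optional rate limit, passed through to -m limit; burst is --limit-burst */` would tell readers the value is not validated here. The option table starts above the hunk and continues below it.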
@@ -82,7 +85,8 @@ check_families(struct uci_element *e, struct fw3_redirect *r)
                return false;
        }
 
-       if (r->_ipset && r->_ipset->family && r->_ipset->family != r->family)
+       if (r->ipset.ptr && r->ipset.ptr->family &&
+           r->ipset.ptr->family != r->family)
        {
                warn_elem(e, "refers to ipset with different family");
                return false;
@@ -117,7 +121,7 @@ compare_addr(struct fw3_address *a, struct fw3_address *b)
        if (a->family != FW3_FAMILY_V4)
                return false;
 
-       mask = ~((1 << (32 - a->mask)) - 1);
+       mask = htonl(~((1 << (32 - a->mask)) - 1));
 
        return ((a->address.v4.s_addr & mask) == (b->address.v4.s_addr & mask));
 }
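Review bot: The shift in `mask = htonl(~((1 << (32 - a->mask)) - 1));` is undefined when `a->mask` is 0 (shift count equal to the width of `int`) and shifts a 1 into the sign bit of a signed int when `a->mask` is 1; wrapping it in htonl() fixes the byte order but leaves both problems. Use an unsigned constant and special-case the zero prefix: `mask = a->mask ? htonl(~((1u << (32 - a->mask)) - 1)) : 0;`. A prefix longer than 32 would make the shift count negative; presumably the address parser already rejects that, but it is not visible here. Only `a->family` is checked while `b->address.v4` is read unconditionally, so the caller is presumably guaranteeing both addresses share a family. compare_addr's signature and the declaration of `mask` are above the hunk.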
@@ -228,8 +232,8 @@ fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
                        fw3_free_redirect(redir);
                        continue;
                }
-               else if (redir->ipset.set && !redir->ipset.any &&
-                        !(redir->_ipset = fw3_lookup_ipset(state, redir->ipset.name)))
+               else if (redir->ipset.set &&
+                        !(redir->ipset.ptr = fw3_lookup_ipset(state, redir->ipset.name)))
                {
                        warn_elem(e, "refers to unknown ipset '%s'", redir->ipset.name);
                        fw3_free_redirect(redir);
@@ -268,7 +272,7 @@ fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
 
                        if (!redir->dest.set && resolve_dest(e, redir, state))
                        {
-                               warn_elem(e, "has no destination specified, assuming zone '%s'",
+                               warn_elem(e, "does not specify a destination, assuming '%s'",
                                          redir->dest.name);
                        }
 
@@ -443,7 +447,8 @@ print_redirect(struct fw3_ipt_handle *h, struct fw3_state *state,
                r = fw3_ipt_rule_create(h, proto, NULL, NULL, src, dst);
                fw3_ipt_rule_sport_dport(r, spt, dpt);
                fw3_ipt_rule_mac(r, mac);
-               fw3_ipt_rule_ipset(r, redir->_ipset, redir->ipset.invert);
+               fw3_ipt_rule_ipset(r, &redir->ipset);
+               fw3_ipt_rule_limit(r, &redir->limit);
                fw3_ipt_rule_time(r, &redir->time);
                fw3_ipt_rule_mark(r, &redir->mark);
                set_target_nat(r, redir);
@@ -461,7 +466,8 @@ print_redirect(struct fw3_ipt_handle *h, struct fw3_state *state,
                r = fw3_ipt_rule_create(h, proto, NULL, NULL, src, dst);
                fw3_ipt_rule_sport_dport(r, spt, dpt);
                fw3_ipt_rule_mac(r, mac);
-               fw3_ipt_rule_ipset(r, redir->_ipset, redir->ipset.invert);
+               fw3_ipt_rule_ipset(r, &redir->ipset);
+               fw3_ipt_rule_limit(r, &redir->limit);
                fw3_ipt_rule_time(r, &redir->time);
                fw3_ipt_rule_mark(r, &redir->mark);
                set_target_filter(r, redir);
@@ -488,6 +494,7 @@ print_reflection(struct fw3_ipt_handle *h, struct fw3_state *state,
        case FW3_TABLE_NAT:
                r = fw3_ipt_rule_create(h, proto, NULL, NULL, ia, ea);
                fw3_ipt_rule_sport_dport(r, NULL, &redir->port_dest);
+               fw3_ipt_rule_limit(r, &redir->limit);
                fw3_ipt_rule_time(r, &redir->time);
                set_comment(r, redir->name, num, true);
                set_snat_dnat(r, FW3_FLAG_DNAT, &redir->ip_redir, &redir->port_redir);
@@ -495,6 +502,7 @@ print_reflection(struct fw3_ipt_handle *h, struct fw3_state *state,
 
                r = fw3_ipt_rule_create(h, proto, NULL, NULL, ia, &redir->ip_redir);
                fw3_ipt_rule_sport_dport(r, NULL, &redir->port_redir);
+               fw3_ipt_rule_limit(r, &redir->limit);
                fw3_ipt_rule_time(r, &redir->time);
                set_comment(r, redir->name, num, true);
                set_snat_dnat(r, FW3_FLAG_SNAT, ra, NULL);
@@ -504,6 +512,7 @@ print_reflection(struct fw3_ipt_handle *h, struct fw3_state *state,
        case FW3_TABLE_FILTER:
                r = fw3_ipt_rule_create(h, proto, NULL, NULL, ia, &redir->ip_redir);
                fw3_ipt_rule_sport_dport(r, NULL, &redir->port_redir);
+               fw3_ipt_rule_limit(r, &redir->limit);
                fw3_ipt_rule_time(r, &redir->time);
                set_comment(r, redir->name, num, true);
                fw3_ipt_rule_target(r, "zone_%s_dest_ACCEPT", redir->dest.name);
@@ -540,27 +549,31 @@ expand_redirect(struct fw3_ipt_handle *handle, struct fw3_state *state,
            !fw3_is_family(&redir->ip_dest, handle->family) ||
                !fw3_is_family(&redir->ip_redir, handle->family))
        {
-               info("     ! Skipping due to different family of ip address");
+               if (!redir->ip_src.resolved ||
+                   !redir->ip_dest.resolved ||
+                   !redir->ip_redir.resolved)
+                       info("     ! Skipping due to different family of ip address");
+
                return;
        }
 
-       if (redir->_ipset)
+       if (redir->ipset.ptr)
        {
-               if (!fw3_is_family(redir->_ipset, handle->family))
+               if (!fw3_is_family(redir->ipset.ptr, handle->family))
                {
                        info("     ! Skipping due to different family in ipset");
                        return;
                }
 
-               if (!fw3_check_ipset(redir->_ipset))
+               if (!fw3_check_ipset(redir->ipset.ptr))
                {
                        info("     ! Skipping due to missing ipset '%s'",
-                            redir->_ipset->external ?
-                                       redir->_ipset->external : redir->_ipset->name);
+                            redir->ipset.ptr->external ?
+                                       redir->ipset.ptr->external : redir->ipset.ptr->name);
                        return;
                }
 
-               set(redir->_ipset->flags, handle->family, handle->family);
+               set(redir->ipset.ptr->flags, handle->family, handle->family);
        }
 
        fw3_foreach(proto, &redir->proto)
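Review bot: The new guard around the skip message, `if (!redir->ip_src.resolved || !redir->ip_dest.resolved || !redir->ip_redir.resolved)`, looks intended to stay quiet when the family mismatch comes from a hostname that resolved to several families, but it tests `resolved` on all three addresses whether or not they were configured. If an unset address leaves `resolved` false (likely for a zero-initialised struct — confirm in the option parser), a redirect that omits src_ip or one of the other addresses still logs the message every time a resolved address mismatches, which is the case the change tries to silence. Assuming fw3_address carries the same `set` flag as the other option structs, testing only configured addresses avoids that: `if ((redir->ip_src.set && !redir->ip_src.resolved) || (redir->ip_dest.set && !redir->ip_dest.resolved) || (redir->ip_redir.set && !redir->ip_redir.resolved))`. A comment above the block, e.g. `/* resolved hostnames may legitimately yield addresses of another family; only warn for literal addresses */`, would record the intent. expand_redirect starts above the hunk and continues below it.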