projects / project / firewall3.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
firewall3: check the return value of fw3_parse_options()
[project/firewall3.git] / zones.c
diff --git a/zones.c b/zones.c
index a95e363..2aa7473 100644 (file)
--- a/zones.c
+++ b/zones.c
@@ -66,6 +66,7 @@ const struct fw3_option fw3_zone_opts[] = {
        FW3_OPT("output",              target,   zone,     policy_output),
 
        FW3_OPT("masq",                bool,     zone,     masq),
        FW3_OPT("output",              target,   zone,     policy_output),
 
        FW3_OPT("masq",                bool,     zone,     masq),
+       FW3_OPT("masq_allow_invalid",  bool,     zone,     masq_allow_invalid),
        FW3_LIST("masq_src",           network,  zone,     masq_src),
        FW3_LIST("masq_dest",          network,  zone,     masq_dest),
 
        FW3_LIST("masq_src",           network,  zone,     masq_src),
        FW3_LIST("masq_dest",          network,  zone,     masq_dest),
 
@@ -73,7 +74,6 @@ const struct fw3_option fw3_zone_opts[] = {
        FW3_OPT("extra_src",           string,   zone,     extra_src),
        FW3_OPT("extra_dest",          string,   zone,     extra_dest),
 
        FW3_OPT("extra_src",           string,   zone,     extra_src),
        FW3_OPT("extra_dest",          string,   zone,     extra_dest),
 
-       FW3_OPT("conntrack",           bool,     zone,     conntrack),
        FW3_OPT("mtu_fix",             bool,     zone,     mtu_fix),
        FW3_OPT("custom_chains",       bool,     zone,     custom_chains),
 
        FW3_OPT("mtu_fix",             bool,     zone,     mtu_fix),
        FW3_OPT("custom_chains",       bool,     zone,     custom_chains),
 
@@ -171,7 +171,8 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
                if (!zone)
                        continue;
 
                if (!zone)
                        continue;
 
-               fw3_parse_options(zone, fw3_zone_opts, s);
+               if (!fw3_parse_options(zone, fw3_zone_opts, s))
+                       warn_elem(e, "has invalid options");
 
                if (!zone->enabled)
                {
 
                if (!zone->enabled)
                {
@@ -217,7 +218,6 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
                if (zone->masq)
                {
                        fw3_setbit(zone->flags[0], FW3_FLAG_SNAT);
                if (zone->masq)
                {
                        fw3_setbit(zone->flags[0], FW3_FLAG_SNAT);
-                       zone->conntrack = true;
                }
 
                if (zone->custom_chains)
                }
 
                if (zone->custom_chains)
@@ -268,9 +268,6 @@ print_zone_chain(struct fw3_ipt_handle *handle, struct fw3_state *state,
        if (zone->custom_chains)
                set(zone->flags, handle->family, FW3_FLAG_CUSTOM_CHAINS);
 
        if (zone->custom_chains)
                set(zone->flags, handle->family, FW3_FLAG_CUSTOM_CHAINS);
 
-       if (!zone->conntrack && !state->defaults.drop_invalid)
-               set(zone->flags, handle->family, FW3_FLAG_NOTRACK);
-
        for (c = zone_chains; c->format; c++)
        {
                /* don't touch user chains on selective stop */
        for (c = zone_chains; c->format; c++)
        {
                /* don't touch user chains on selective stop */
@@ -359,14 +356,20 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 
                        if (has(zone->flags, handle->family, t))
                        {
 
                        if (has(zone->flags, handle->family, t))
                        {
+                               if (t == FW3_FLAG_ACCEPT &&
+                                   zone->masq && !zone->masq_allow_invalid)
+                               {
+                                       r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
+                                       fw3_ipt_rule_extra(r, "-m conntrack --ctstate INVALID");
+                                       fw3_ipt_rule_comment(r, "Prevent NAT leakage");
+                                       fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_DROP]);
+                                       fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name,
+                                                            fw3_flag_names[t]);
+                               }
+
                                r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
                                fw3_ipt_rule_target(r, jump_target(t));
                                fw3_ipt_rule_extra(r, zone->extra_dest);
                                r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
                                fw3_ipt_rule_target(r, jump_target(t));
                                fw3_ipt_rule_extra(r, zone->extra_dest);
-
-                               if (t == FW3_FLAG_ACCEPT && !state->defaults.drop_invalid)
-                                       fw3_ipt_rule_extra(r,
-                                                          "-m conntrack --ctstate NEW,UNTRACKED");
-
                                fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name,
                                                     fw3_flag_names[t]);
                        }
                                fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name,
                                                     fw3_flag_names[t]);
                        }
@@ -488,7 +491,6 @@ static void
 print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
                 bool reload, struct fw3_zone *zone)
 {
 print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
                 bool reload, struct fw3_zone *zone)
 {
-       bool disable_notrack = state->defaults.drop_invalid;
        bool first_src, first_dest;
        struct fw3_address *msrc;
        struct fw3_address *mdest;
        bool first_src, first_dest;
        struct fw3_address *msrc;
        struct fw3_address *mdest;
@@ -620,15 +622,6 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
                break;
 
        case FW3_TABLE_RAW:
                break;
 
        case FW3_TABLE_RAW:
-               if (!zone->conntrack && !disable_notrack)
-               {
-                       r = fw3_ipt_rule_new(handle);
-                       fw3_ipt_rule_target(r, "CT");
-                       fw3_ipt_rule_addarg(r, false, "--notrack", NULL);
-                       fw3_ipt_rule_append(r, "zone_%s_notrack", zone->name);
-               }
-               break;
-
        case FW3_TABLE_MANGLE:
                break;
        }
        case FW3_TABLE_MANGLE:
                break;
        }
OpenWrt firewall configuration utility