X-Git-Url: http://git.archive.openwrt.org/?p=project%2Ffirewall3.git;a=blobdiff_plain;f=redirects.c;h=23dc0341c8cdff5440f6719f143fdd7418f3678c;hp=f8eaed3f6e8c02fb63623c740f94e969932342d2;hb=a4b710143626b399783865a3ea31bdb25aa1bac9;hpb=5b051a66fad3c208380d69b4b13d09929fcfe101
diff --git a/redirects.c b/redirects.c
index f8eaed3..23dc034 100644
--- a/redirects.c
+++ b/redirects.c
@@ -19,35 +19,92 @@
 #include "redirects.h"
-static struct fw3_option redirect_opts[] = {
- FW3_OPT("name", string, redirect, name),
- FW3_OPT("family", family, redirect, family),
+const struct fw3_option fw3_redirect_opts[] = {
+ FW3_OPT("enabled", bool, redirect, enabled),
- FW3_OPT("src", device, redirect, src),
- FW3_OPT("dest", device, redirect, dest),
+ FW3_OPT("name", string, redirect, name),
+ FW3_OPT("family", family, redirect, family),
- FW3_OPT("ipset", device, redirect, ipset),
+ FW3_OPT("src", device, redirect, src),
+ FW3_OPT("dest", device, redirect, dest),
- FW3_LIST("proto", protocol, redirect, proto),
+ FW3_OPT("ipset", device, redirect, ipset),
- FW3_OPT("src_ip", address, redirect, ip_src),
- FW3_LIST("src_mac", mac, redirect, mac_src),
- FW3_OPT("src_port", port, redirect, port_src),
+ FW3_LIST("proto", protocol, redirect, proto),
- FW3_OPT("src_dip", address, redirect, ip_dest),
- FW3_OPT("src_dport", port, redirect, port_dest),
+ FW3_OPT("src_ip", address, redirect, ip_src),
+ FW3_LIST("src_mac", mac, redirect, mac_src),
+ FW3_OPT("src_port", port, redirect, port_src),
- FW3_OPT("dest_ip", address, redirect, ip_redir),
- FW3_OPT("dest_port", port, redirect, port_redir),
+ FW3_OPT("src_dip", address, redirect, ip_dest),
+ FW3_OPT("src_dport", port, redirect, port_dest),
- FW3_OPT("extra", string, redirect, extra),
+ FW3_OPT("dest_ip", address, redirect, ip_redir),
+ FW3_OPT("dest_port", port, redirect, port_redir),
- FW3_OPT("reflection", bool, redirect, reflection),
+ FW3_OPT("extra", string, redirect, extra),
- FW3_OPT("target", target, redirect, target),
+ FW3_OPT("utc_time", bool, redirect, time.utc),
+ FW3_OPT("start_date", date, redirect, time.datestart),
+ FW3_OPT("stop_date", date, redirect, time.datestop),
+ FW3_OPT("start_time", time, redirect, time.timestart),
+ FW3_OPT("stop_time", time, redirect, time.timestop),
+ FW3_OPT("weekdays", weekdays, redirect, time.weekdays),
+ FW3_OPT("monthdays", monthdays, redirect, time.monthdays),
+
+ FW3_OPT("reflection", bool, redirect, reflection),
+
+ FW3_OPT("target", target, redirect, target),
+
+ { }
 };
+static bool
+check_families(struct uci_element *e, struct fw3_redirect *r)
+{
+ if (r->family == FW3_FAMILY_ANY)
+ return true;
+
+ if (r->_src && r->_src->family && r->_src->family != r->family)
+ {
+ warn_elem(e, "refers to source zone with different family");
+ return false;
+ }
+
+ if (r->_dest && r->_dest->family && r->_dest->family != r->family)
+ {
+ warn_elem(e, "refers to destination zone with different family");
+ return false;
+ }
+
+ if (r->_ipset && r->_ipset->family && r->_ipset->family != r->family)
+ {
+ warn_elem(e, "refers to ipset with different family");
+ return false;
+ }
+
+ if (r->ip_src.family && r->ip_src.family != r->family)
+ {
+ warn_elem(e, "uses source ip with different family");
+ return false;
+ }
+
+ if (r->ip_dest.family && r->ip_dest.family != r->family)
+ {
+ warn_elem(e, "uses destination ip with different family");
+ return false;
+ }
+
+ if (r->ip_redir.family && r->ip_redir.family != r->family)
+ {
+ warn_elem(e, "uses redirect ip with different family");
+ return false;
+ }
+
+ return true;
+}
+
 void
 fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
 {
@@ -76,9 +133,16 @@ fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
 INIT_LIST_HEAD(&redir->proto);
 INIT_LIST_HEAD(&redir->mac_src);
+ redir->enabled = true;
 redir->reflection = true;
- fw3_parse_options(redir, redirect_opts, ARRAY_SIZE(redirect_opts), s);
+ fw3_parse_options(redir, fw3_redirect_opts, s);
+
+ if (!redir->enabled)
+ {
+ fw3_free_redirect(redir);
+ continue;
+ }
 if (redir->src.invert)
 {
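Review bot: check_families returns true as soon as `r->family == FW3_FAMILY_ANY`, so a redirect that leaves `family` unset but mixes address families across `src_ip`, `src_dip` and `dest_ip` passes load-time validation, because every check below compares a field against `r->family` only, never the fields against each other. As far as this diff shows, such a rule is then dropped only at print time with the " ! Skipping due to different family of ip address" info line (hunk at -259) instead of the warn_elem the other mismatches get. The early return could instead take the family of the first address that has one and compare the remaining addresses against it, as sketched below; the zone and ipset pointers can be folded into the same comparison. The option table in this hunk also loses `static` and gains a terminating `{ }` entry, presumably because fw3_parse_options now stops at the empty entry instead of taking a count (hunk at -76); a one-line comment on the table, `/* terminated by an empty entry */`, would make that dependency visible.
```c
	if (r->family == FW3_FAMILY_ANY)
	{
		/* no family pinned on the rule: the addresses still have to agree with each other */
		enum fw3_family fam = r->ip_src.family ? r->ip_src.family
		                    : r->ip_dest.family ? r->ip_dest.family
		                    : r->ip_redir.family;

		if ((r->ip_dest.family && r->ip_dest.family != fam) ||
		    (r->ip_redir.family && r->ip_redir.family != fam))
		{
			warn_elem(e, "uses ip addresses of different families");
			return false;
		}

		return true;
	}

	/* … unchanged: per-field checks against r->family … */
```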
@@ -87,14 +151,14 @@ fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
 continue;
 }
 else if (redir->src.set && !redir->src.any &&
- !(redir->_src = fw3_lookup_zone(state, redir->src.name)))
+ !(redir->_src = fw3_lookup_zone(state, redir->src.name, false)))
 {
 warn_elem(e, "refers to not existing zone '%s'", redir->src.name);
 fw3_free_redirect(redir);
 continue;
 }
 else if (redir->dest.set && !redir->dest.any &&
- !(redir->_dest = fw3_lookup_zone(state, redir->dest.name)))
+ !(redir->_dest = fw3_lookup_zone(state, redir->dest.name, false)))
 {
 warn_elem(e, "refers to not existing zone '%s'", redir->dest.name);
 fw3_free_redirect(redir);
@@ -107,9 +171,15 @@ fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
 continue;
 }
 else if (redir->ipset.set && !redir->ipset.any &&
- !(redir->_ipset = fw3_lookup_ipset(state, redir->ipset.name)))
+ !(redir->_ipset = fw3_lookup_ipset(state, redir->ipset.name, false)))
+ {
+ warn_elem(e, "refers to unknown ipset '%s'", redir->ipset.name);
+ fw3_free_redirect(redir);
+ continue;
+ }
+
+ if (!check_families(e, redir))
 {
- warn_elem(e, "refers to not declared ipset '%s'", redir->ipset.name);
 fw3_free_redirect(redir);
 continue;
 }
@@ -133,16 +203,16 @@ fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
 warn_elem(e, "has no source specified");
 else
 {
- setbit(redir->_src->has_dest_target, redir->target);
+ setbit(redir->_src->flags, redir->target);
 redir->_src->conntrack = true;
 valid = true;
 }
 if (redir->reflection && redir->_dest && redir->_src->masq)
 {
- setbit(redir->_dest->has_dest_target, FW3_TARGET_ACCEPT);
- setbit(redir->_dest->has_dest_target, FW3_TARGET_DNAT);
- setbit(redir->_dest->has_dest_target, FW3_TARGET_SNAT);
+ setbit(redir->_dest->flags, FW3_TARGET_ACCEPT);
+ setbit(redir->_dest->flags, FW3_TARGET_DNAT);
+ setbit(redir->_dest->flags, FW3_TARGET_SNAT);
 }
 }
 else
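Review bot: In the hunk at -133 the reflection condition `if (redir->reflection && redir->_dest && redir->_src->masq)` dereferences `redir->_src` right after a branch that merely warns "has no source specified" and falls through to it, and `reflection` now defaults to true (hunk at -76); whether `_src` can actually be NULL at that point depends on the if/else chain that starts above the hunk, but if it can, a misconfigured section turns into a NULL dereference instead of a warning. Guarding it as `if (valid && redir->reflection && redir->_dest && redir->_src->masq)`, or at least `redir->_dest && redir->_src && redir->_src->masq`, also avoids setting the destination zone's ACCEPT/DNAT/SNAT bits for a rule that was just rejected. The rename from `has_dest_target` to `flags` here and at -155 means zone flags are indexed with fw3_target values, while the hunk at -259 indexes `_ipset->flags` with fw3_family values; if both structs share one flag layout, confirm that the two enums occupy disjoint bit positions, which is not visible in this diff. The enclosing fw3_load_redirects loop continues outside the hunk.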
@@ -155,7 +225,7 @@ fw3_load_redirects(struct fw3_state *state, struct uci_package *p)
 warn_elem(e, "has no src_dip option specified");
 else
 {
- setbit(redir->_dest->has_dest_target, redir->target);
+ setbit(redir->_dest->flags, redir->target);
 redir->_dest->conntrack = true;
 valid = true;
 }
@@ -259,16 +329,42 @@ print_redirect(enum fw3_table table, enum fw3_family family,
 struct fw3_protocol *proto;
 struct fw3_mac *mac;
+ if (redir->name)
+ info(" * Redirect '%s'", redir->name);
+ else
+ info(" * Redirect #%u", num);
+
+ if (!fw3_is_family(redir->_src, family) ||
+ !fw3_is_family(redir->_dest, family))
+ {
+ info(" ! Skipping due to different family of zone");
+ return;
+ }
+
+ if (!fw3_is_family(&redir->ip_src, family) ||
+ !fw3_is_family(&redir->ip_dest, family) ||
+ !fw3_is_family(&redir->ip_redir, family))
+ {
+ info(" ! Skipping due to different family of ip address");
+ return;
+ }
+
+ if (redir->_ipset)
+ {
+ if (!fw3_is_family(redir->_ipset, family))
+ {
+ info(" ! Skipping due to different family in ipset");
+ return;
+ }
+
+ setbit(redir->_ipset->flags, family);
+ }
+
 fw3_foreach(proto, &redir->proto)
 fw3_foreach(mac, &redir->mac_src)
 {
 if (table == FW3_TABLE_NAT)
 {
- if (redir->name)
- info(" * Redirect '%s'", redir->name);
- else
- info(" * Redirect #%u", num);
-
 print_chain_nat(redir);
 fw3_format_ipset(redir->_ipset, redir->ipset.invert);
 fw3_format_protocol(proto, family);
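Review bot: In the hunk at -259, `setbit(redir->_ipset->flags, family);` mutates the ipset from inside print_redirect, a routine whose name promises only output, and the write now runs once per table pass because fw3_print_redirects calls print_redirect for both the nat and the filter table (hunk at -387). If that bit is what later drives creation of the ipset for this family, which this diff does not show, a comment such as `/* mark the ipset as used by this family so it gets created */` above the setbit would keep the next reader from treating the function as side-effect free. The hoisted family checks also hand `redir->_src` and `redir->_dest` to fw3_is_family without a NULL test, although `_dest` is optional for a DNAT rule on the load path; this relies on fw3_is_family treating NULL as matching any family, which is worth stating in a comment next to the call. print_redirect's body continues outside the hunk.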
@@ -285,23 +381,20 @@ print_redirect(enum fw3_table table, enum fw3_family family,
 }
 fw3_format_mac(mac);
+ fw3_format_time(&redir->time);
 fw3_format_extra(redir->extra);
 fw3_format_comment(redir->name);
 print_target_nat(redir);
 }
 else if (table == FW3_TABLE_FILTER)
 {
- if (redir->name)
- info(" * Redirect '%s'", redir->name);
- else
- info(" * Redirect #%u", num);
-
 print_chain_filter(redir);
 fw3_format_ipset(redir->_ipset, redir->ipset.invert);
 fw3_format_protocol(proto, family);
 fw3_format_src_dest(&redir->ip_src, &redir->ip_redir);
 fw3_format_sport_dport(&redir->port_src, &redir->port_redir);
 fw3_format_mac(mac);
+ fw3_format_time(&redir->time);
 fw3_format_extra(redir->extra);
 fw3_format_comment(redir->name);
 print_target_filter(redir);
@@ -348,6 +441,7 @@ print_redirect(enum fw3_table table, enum fw3_family family,
 fw3_format_protocol(proto, family);
 fw3_format_src_dest(int_addr, ext_addr);
 fw3_format_sport_dport(NULL, &redir->port_dest);
+ fw3_format_time(&redir->time);
 fw3_format_comment(redir->name, " (reflection)");
 print_snat_dnat(FW3_TARGET_DNAT, &redir->ip_redir, &redir->port_redir);
@@ -356,6 +450,7 @@ print_redirect(enum fw3_table table, enum fw3_family family,
 fw3_format_protocol(proto, family);
 fw3_format_src_dest(int_addr, &redir->ip_redir);
 fw3_format_sport_dport(NULL, &redir->port_redir);
+ fw3_format_time(&redir->time);
 fw3_format_comment(redir->name, " (reflection)");
 print_snat_dnat(FW3_TARGET_SNAT, ext_addr, NULL);
 }
@@ -365,6 +460,7 @@ print_redirect(enum fw3_table table, enum fw3_family family,
 fw3_format_protocol(proto, family);
 fw3_format_src_dest(int_addr, &redir->ip_redir);
 fw3_format_sport_dport(NULL, &redir->port_redir);
+ fw3_format_time(&redir->time);
 fw3_format_comment(redir->name, " (reflection)");
 fw3_pr(" -j zone_%s_dest_ACCEPT\n", redir->dest.name);
 }
@@ -387,14 +483,9 @@ fw3_print_redirects(enum fw3_table table, enum fw3_family family,
 if (family == FW3_FAMILY_V6)
 return;
+ if (table != FW3_TABLE_FILTER && table != FW3_TABLE_NAT)
+ return;
+
 list_for_each_entry(redir, &state->redirects, list)
 print_redirect(table, family, redir, num++);
 }
-
-void
-fw3_free_redirect(struct fw3_redirect *redir)
-{
- fw3_free_list(&redir->proto);
- fw3_free_list(&redir->mac_src);
- free(redir);
-}
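Review bot: The new guard `if (table != FW3_TABLE_FILTER && table != FW3_TABLE_NAT) return;` is load-bearing rather than cosmetic, because print_redirect (hunk at -259) now prints the " * Redirect" header and sets the ipset family bit before it ever looks at `table`; without this early return both would run for every table pass. A comment on the guard, `/* redirects only yield nat and filter rules; bail before print_redirect emits its header */`, would record why it must stay ahead of the loop. fw3_free_redirect is deleted from this file while the loader in the hunk at -76 still calls it, so its definition presumably moved to a header or another unit not shown in this diff; it is worth a glance that no stale prototype or duplicate definition is left behind. The opening of fw3_print_redirects is outside the hunk.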