X-Git-Url: http://git.archive.openwrt.org/?p=project%2Ffirewall3.git;a=blobdiff_plain;f=utils.c;h=9f57e9f8e03701a33010a0ffb26790680b45e7a0;hp=1942cbc71068effda0c923f4e4f0ec55cfaf0aa9;hb=a1cf3074e2eae780226c79477e895479ba6e29f2;hpb=061fdb168b98f6d4f23bebf5153d51bb3a85611e diff --git a/utils.c b/utils.c index 1942cbc..9f57e9f 100644 --- a/utils.c +++ b/utils.c @@ -244,6 +244,7 @@ __fw3_command_pipe(bool silent, const char *command, ...) signal(SIGPIPE, SIG_IGN); pipe_pid = pid; close(pfds[0]); + fcntl(pfds[1], F_SETFD, fcntl(pfds[1], F_GETFD) | FD_CLOEXEC); } pipe_fd = fdopen(pfds[1], "w"); @@ -347,118 +348,166 @@ fw3_unlock(void) } -bool -fw3_read_statefile(void *state) +static void +write_defaults_uci(struct uci_context *ctx, struct fw3_defaults *d, + struct uci_package *dest) { - FILE *sf; + char buf[8]; + struct uci_ptr ptr = { .p = dest }; + + uci_add_section(ctx, dest, "defaults", &ptr.s); + + sprintf(buf, "%u", d->flags[0]); + ptr.o = NULL; + ptr.option = "__flags_v4"; + ptr.value = buf; + uci_set(ctx, &ptr); + + sprintf(buf, "%u", d->flags[1]); + ptr.o = NULL; + ptr.option = "__flags_v6"; + ptr.value = buf; + uci_set(ctx, &ptr); +} - int type; - char line[128]; - const char *p, *name; +static void +write_zone_uci(struct uci_context *ctx, struct fw3_zone *z, + struct uci_package *dest) +{ + struct fw3_device *dev; + struct fw3_address *sub; + enum fw3_family fam = FW3_FAMILY_ANY; - uint32_t flags[2]; + char addr[INET6_ADDRSTRLEN]; + char buf[INET6_ADDRSTRLEN * 2 + 2]; + char *p; - struct fw3_state *s = state; - struct fw3_zone *zone; - struct fw3_ipset *ipset; - struct fw3_device *net, *dev; + struct uci_ptr ptr = { .p = dest }; - sf = fopen(FW3_STATEFILE, "r"); + if (!z->enabled) + return; - if (!sf) - return false; + if (fw3_no_table(z->flags[0]) && !fw3_no_table(z->flags[1])) + fam = FW3_FAMILY_V6; + else if (!fw3_no_table(z->flags[0]) && fw3_no_table(z->flags[1])) + fam = FW3_FAMILY_V4; + else if (fw3_no_table(z->flags[0]) && fw3_no_table(z->flags[1])) + return; - while (fgets(line, sizeof(line), sf)) + uci_add_section(ctx, dest, "zone", &ptr.s); + + ptr.o = NULL; + ptr.option = "name"; + ptr.value = z->name; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "input"; + ptr.value = fw3_flag_names[z->policy_input]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "output"; + ptr.value = fw3_flag_names[z->policy_output]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "forward"; + ptr.value = fw3_flag_names[z->policy_forward]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "masq"; + ptr.value = z->masq ? "1" : "0"; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "conntrack"; + ptr.value = z->conntrack ? "1" : "0"; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "mtu_fix"; + ptr.value = z->mtu_fix ? "1" : "0"; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "custom_chains"; + ptr.value = z->custom_chains ? "1" : "0"; + uci_set(ctx, &ptr); + + if (fam != FW3_FAMILY_ANY) { - p = strtok(line, " \t\n"); - - if (!p) - continue; - - type = strtoul(p, NULL, 16); - name = strtok(NULL, " \t\n"); - - if (!name) - continue; - - if (!(p = strtok(NULL, " \t\n"))) - continue; + ptr.o = NULL; + ptr.option = "family"; + ptr.value = fw3_flag_names[fam]; + uci_set(ctx, &ptr); + } - flags[0] = strtoul(p, NULL, 16); + ptr.o = NULL; + ptr.option = "device"; - if (!(p = strtok(NULL, " \t\n"))) + fw3_foreach(dev, &z->devices) + { + if (!dev) continue; - flags[1] = strtoul(p, NULL, 16); + p = buf; - switch (type) - { - case FW3_TYPE_DEFAULTS: - s->defaults.flags[0] = flags[0]; - s->defaults.flags[1] = flags[1]; - break; - - case FW3_TYPE_ZONE: - if (!(zone = fw3_lookup_zone(state, name, false))) - { - zone = fw3_alloc_zone(); + if (dev->invert) + p += sprintf(p, "!"); - if (!zone) - continue; + p += sprintf(p, "%s", dev->name); - zone->name = strdup(name); - list_add_tail(&zone->list, &s->zones); - } - - zone->flags[0] = flags[0]; - zone->flags[1] = flags[1]; - list_add_tail(&zone->running_list, &s->running_zones); - break; - - case FW3_TYPE_IPSET: - if (!(ipset = fw3_lookup_ipset(state, name, false))) - { - ipset = fw3_alloc_ipset(); - - if (!ipset) - continue; + ptr.value = buf; + uci_add_list(ctx, &ptr); + } - ipset->name = strdup(name); - list_add_tail(&ipset->list, &s->ipsets); - } + ptr.o = NULL; + ptr.option = "subnet"; - ipset->flags[0] = flags[0]; - ipset->flags[1] = flags[1]; - list_add_tail(&ipset->running_list, &s->running_ipsets); - break; + fw3_foreach(sub, &z->subnets) + { + if (!sub) + continue; - case FW3_TYPE_NETWORK: - if (!(zone = fw3_lookup_zone(state, name, false))) - continue; + p = buf; - if (!(p = strtok(NULL, " \t\n")) || !(name = strtok(NULL, " \t\n"))) - continue; + if (sub->invert) + p += sprintf(p, "!"); - if (!(net = malloc(sizeof(*net)))) - continue; + inet_ntop(sub->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6, + &sub->address.v4, addr, sizeof(addr)); - memset(net, 0, sizeof(*net)); - snprintf(net->name, sizeof(net->name), "%s", p); - list_add_tail(&net->list, &zone->running_networks); + p += sprintf(p, "%s", addr); - if (!(dev = malloc(sizeof(*dev)))) - continue; + if (sub->range) + { + inet_ntop(sub->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6, + &sub->address2.v4, addr, sizeof(addr)); - memset(dev, 0, sizeof(*dev)); - dev->network = net; - snprintf(dev->name, sizeof(dev->name), "%s", name); - list_add_tail(&dev->list, &zone->running_devices); + p += sprintf(p, "-%s", addr); + } + else + { + p += sprintf(p, "/%u", sub->mask); } - } - fclose(sf); + ptr.value = buf; + uci_add_list(ctx, &ptr); + } - return true; + sprintf(buf, "%u", z->flags[0]); + ptr.o = NULL; + ptr.option = "__flags_v4"; + ptr.value = buf; + uci_set(ctx, &ptr); + + sprintf(buf, "%u", z->flags[1]); + ptr.o = NULL; + ptr.option = "__flags_v6"; + ptr.value = buf; + uci_set(ctx, &ptr); } void @@ -466,79 +515,46 @@ fw3_write_statefile(void *state) { FILE *sf; struct fw3_state *s = state; - struct fw3_defaults *defs = &s->defaults; struct fw3_zone *z; - struct fw3_ipset *i; - struct fw3_device *d; - - if (fw3_no_table(defs->flags[0]) && fw3_no_table(defs->flags[1])) - { - if (unlink(FW3_STATEFILE)) - warn("Unable to remove state %s: %s", - FW3_STATEFILE, strerror(errno)); - - return; - } - sf = fopen(FW3_STATEFILE, "w"); + struct uci_package *p; - if (!sf) + if (fw3_no_family(s->defaults.flags[0]) && + fw3_no_family(s->defaults.flags[1])) { - warn("Cannot create state %s: %s", FW3_STATEFILE, strerror(errno)); - return; + unlink(FW3_STATEFILE); } - - fprintf(sf, "%x - %x %x\n", - FW3_TYPE_DEFAULTS, defs->flags[0], defs->flags[1]); - - list_for_each_entry(z, &s->running_zones, running_list) + else { - if (fw3_no_table(z->flags[0]) && fw3_no_table(z->flags[1])) - continue; + sf = fopen(FW3_STATEFILE, "w+"); - fprintf(sf, "%x %s %x %x\n", - FW3_TYPE_ZONE, z->name, z->flags[0], z->flags[1]); - - list_for_each_entry(d, &z->devices, list) + if (!sf) { - if (!d->network) - continue; - - fprintf(sf, "%x %s 0 0 %s %s\n", - FW3_TYPE_NETWORK, z->name, d->network->name, d->name); + warn("Cannot create state %s: %s", FW3_STATEFILE, strerror(errno)); + return; } - } - list_for_each_entry(i, &s->running_ipsets, running_list) - { - if (!fw3_no_family(i->flags[0]) || !fw3_no_family(i->flags[1])) - { - fprintf(sf, "%x %s %x %x\n", - FW3_TYPE_IPSET, i->name, i->flags[0], i->flags[1]); - } - } + if ((p = uci_lookup_package(s->uci, "fw3_state")) != NULL) + uci_unload(s->uci, p); - fclose(sf); -} + uci_import(s->uci, sf, "fw3_state", NULL, true); + if ((p = uci_lookup_package(s->uci, "fw3_state")) != NULL) + { + write_defaults_uci(s->uci, &s->defaults, p); -struct object_list_heads -{ - struct list_head list; - struct list_head running_list; -}; + list_for_each_entry(z, &s->zones, list) + write_zone_uci(s->uci, z, p); -void -fw3_set_running(void *object, struct list_head *dest) -{ - struct object_list_heads *o = object; + uci_export(s->uci, sf, p, true); + uci_unload(s->uci, p); + } - if (dest && !o->running_list.next) - list_add_tail(&o->running_list, dest); - else if (!dest && o->running_list.next) - list_del(&o->running_list); + fclose(sf); + } } + void fw3_free_object(void *obj, const void *opts) { @@ -597,3 +613,43 @@ fw3_pr_rulespec(int table, int family, uint32_t *flags, uint32_t mask, return rv; } + + +bool +fw3_hotplug(bool add, void *zone, void *device) +{ + struct fw3_zone *z = zone; + struct fw3_device *d = device; + + if (!d->network) + return false; + + switch (fork()) + { + case -1: + warn("Unable to fork(): %s\n", strerror(errno)); + return false; + + case 0: + break; + + default: + return true; + } + + close(0); + close(1); + close(2); + chdir("/"); + + clearenv(); + setenv("ACTION", add ? "add" : "remove", 1); + setenv("ZONE", z->name, 1); + setenv("INTERFACE", d->network->name, 1); + setenv("DEVICE", d->name, 1); + + execl(FW3_HOTPLUG, FW3_HOTPLUG, "firewall", NULL); + + /* unreached */ + return false; +}