X-Git-Url: http://git.archive.openwrt.org/?p=project%2Ffirewall3.git;a=blobdiff_plain;f=utils.c;h=b2fbe0223c6d7338600654c09750a7d2a5b9622a;hp=e7a22159244ec702a1a18a5a285f1ca54728c55e;hb=c03e20d7f594058ff223f30cf34de1b5e8210b8d;hpb=71d9d828691cefcac19201079473e600ffa596c9 diff --git a/utils.c b/utils.c index e7a2215..b2fbe02 100644 --- a/utils.c +++ b/utils.c @@ -16,6 +16,7 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#define _GNU_SOURCE #include "utils.h" #include "options.h" @@ -132,6 +133,32 @@ info(const char* format, ...) fprintf(stderr, "\n"); } +void * +fw3_alloc(size_t size) +{ + void *mem; + + mem = calloc(1, size); + + if (!mem) + error("Out of memory while allocating %d bytes", size); + + return mem; +} + +char * +fw3_strdup(const char *s) +{ + char *ns; + + ns = strdup(s); + + if (!ns) + error("Out of memory while duplicating string '%s'", s); + + return ns; +} + const char * fw3_find_command(const char *cmd) { @@ -198,7 +225,7 @@ __fw3_command_pipe(bool silent, const char *command, ...) return false; argn = 2; - args = malloc(argn * sizeof(arg)); + args = calloc(argn, sizeof(arg)); if (!args) return false; @@ -348,122 +375,242 @@ fw3_unlock(void) } -bool -fw3_read_statefile(void *state) +static void +write_defaults_uci(struct uci_context *ctx, struct fw3_defaults *d, + struct uci_package *dest) { - FILE *sf; + char buf[sizeof("0xffffffff\0")]; + struct uci_ptr ptr = { .p = dest }; + + uci_add_section(ctx, dest, "defaults", &ptr.s); + + ptr.o = NULL; + ptr.option = "input"; + ptr.value = fw3_flag_names[d->policy_input]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "output"; + ptr.value = fw3_flag_names[d->policy_output]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "forward"; + ptr.value = fw3_flag_names[d->policy_forward]; + uci_set(ctx, &ptr); + + sprintf(buf, "0x%x", d->flags[0]); + ptr.o = NULL; + ptr.option = "__flags_v4"; + ptr.value = buf; + uci_set(ctx, &ptr); + + sprintf(buf, "0x%x", d->flags[1]); + ptr.o = NULL; + ptr.option = "__flags_v6"; + ptr.value = buf; + uci_set(ctx, &ptr); +} - int type; - char line[128]; - const char *p, *name; +static void +write_zone_uci(struct uci_context *ctx, struct fw3_zone *z, + struct uci_package *dest, struct ifaddrs *ifaddr) +{ + struct fw3_device *dev; + struct fw3_address *sub; + struct ifaddrs *ifa; + enum fw3_family fam = FW3_FAMILY_ANY; - uint32_t flags[2]; + char *p, buf[INET6_ADDRSTRLEN]; - struct fw3_state *s = state; - struct fw3_zone *zone; - struct fw3_ipset *ipset; - struct fw3_device *net, *dev; + struct uci_ptr ptr = { .p = dest }; - sf = fopen(FW3_STATEFILE, "r"); + if (!z->enabled) + return; - if (!sf) - return false; + if (fw3_no_table(z->flags[0]) && !fw3_no_table(z->flags[1])) + fam = FW3_FAMILY_V6; + else if (!fw3_no_table(z->flags[0]) && fw3_no_table(z->flags[1])) + fam = FW3_FAMILY_V4; + else if (fw3_no_table(z->flags[0]) && fw3_no_table(z->flags[1])) + return; - while (fgets(line, sizeof(line), sf)) + uci_add_section(ctx, dest, "zone", &ptr.s); + + ptr.o = NULL; + ptr.option = "name"; + ptr.value = z->name; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "input"; + ptr.value = fw3_flag_names[z->policy_input]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "output"; + ptr.value = fw3_flag_names[z->policy_output]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "forward"; + ptr.value = fw3_flag_names[z->policy_forward]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "masq"; + ptr.value = z->masq ? "1" : "0"; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "conntrack"; + ptr.value = z->conntrack ? "1" : "0"; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "mtu_fix"; + ptr.value = z->mtu_fix ? "1" : "0"; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "custom_chains"; + ptr.value = z->custom_chains ? "1" : "0"; + uci_set(ctx, &ptr); + + if (fam != FW3_FAMILY_ANY) { - p = strtok(line, " \t\n"); - - if (!p) - continue; + ptr.o = NULL; + ptr.option = "family"; + ptr.value = fw3_flag_names[fam]; + uci_set(ctx, &ptr); + } - type = strtoul(p, NULL, 16); - name = strtok(NULL, " \t\n"); + ptr.o = NULL; + ptr.option = "device"; - if (!name) + fw3_foreach(dev, &z->devices) + { + if (!dev) continue; - if (!(p = strtok(NULL, " \t\n"))) - continue; + p = buf; - flags[0] = strtoul(p, NULL, 16); + if (dev->invert) + p += sprintf(p, "!"); - if (!(p = strtok(NULL, " \t\n"))) - continue; + if (*dev->network) + p += sprintf(p, "%s@%s", dev->name, dev->network); + else + p += sprintf(p, "%s", dev->name); - flags[1] = strtoul(p, NULL, 16); + ptr.value = buf; + uci_add_list(ctx, &ptr); + } - switch (type) - { - case FW3_TYPE_DEFAULTS: - s->defaults.flags[0] = flags[0]; - s->defaults.flags[1] = flags[1]; - break; + ptr.o = NULL; + ptr.option = "subnet"; - case FW3_TYPE_ZONE: - if (!(zone = fw3_lookup_zone(state, name, false))) - { - zone = fw3_alloc_zone(); + fw3_foreach(sub, &z->subnets) + { + if (!sub) + continue; - if (!zone) - continue; + ptr.value = fw3_address_to_string(sub, true, false); + uci_add_list(ctx, &ptr); + } - zone->name = strdup(name); - list_add_tail(&zone->list, &s->zones); + ptr.o = NULL; + ptr.option = "__addrs"; - setbit(flags[0], FW3_FLAG_DELETED); - } + fw3_foreach(dev, &z->devices) + { + if (!dev) + continue; - zone->flags[0] = flags[0]; - zone->flags[1] = flags[1]; - list_add_tail(&zone->running_list, &s->running_zones); - break; + for (ifa = ifaddr; ifa; ifa = ifa->ifa_next) + { + if (!ifa->ifa_addr || strcmp(dev->name, ifa->ifa_name)) + continue; - case FW3_TYPE_IPSET: - if (!(ipset = fw3_lookup_ipset(state, name, false))) - { - ipset = fw3_alloc_ipset(); + if (ifa->ifa_addr->sa_family == AF_INET) + inet_ntop(AF_INET, + &((struct sockaddr_in *)ifa->ifa_addr)->sin_addr, + buf, sizeof(buf)); + else if (ifa->ifa_addr->sa_family == AF_INET6) + inet_ntop(AF_INET6, + &((struct sockaddr_in6 *)ifa->ifa_addr)->sin6_addr, + buf, sizeof(buf)); + else + continue; - if (!ipset) - continue; + ptr.value = buf; + uci_add_list(ctx, &ptr); + } + } - ipset->name = strdup(name); - list_add_tail(&ipset->list, &s->ipsets); + sprintf(buf, "0x%x", z->flags[0]); + ptr.o = NULL; + ptr.option = "__flags_v4"; + ptr.value = buf; + uci_set(ctx, &ptr); + + sprintf(buf, "0x%x", z->flags[1]); + ptr.o = NULL; + ptr.option = "__flags_v6"; + ptr.value = buf; + uci_set(ctx, &ptr); +} - setbit(flags[0], FW3_FLAG_DELETED); - } +static void +write_ipset_uci(struct uci_context *ctx, struct fw3_ipset *s, + struct uci_package *dest) +{ + struct fw3_ipset_datatype *type; - ipset->flags[0] = flags[0]; - ipset->flags[1] = flags[1]; - list_add_tail(&ipset->running_list, &s->running_ipsets); - break; + char buf[sizeof("65535-65535\0")]; - case FW3_TYPE_NETWORK: - if (!(zone = fw3_lookup_zone(state, name, false))) - continue; + struct uci_ptr ptr = { .p = dest }; - if (!(p = strtok(NULL, " \t\n")) || !(name = strtok(NULL, " \t\n"))) - continue; + if (!s->enabled || s->external) + return; - if (!(net = malloc(sizeof(*net)))) - continue; + uci_add_section(ctx, dest, "ipset", &ptr.s); - memset(net, 0, sizeof(*net)); - snprintf(net->name, sizeof(net->name), "%s", p); - list_add_tail(&net->list, &zone->running_networks); + ptr.o = NULL; + ptr.option = "name"; + ptr.value = s->name; + uci_set(ctx, &ptr); - if (!(dev = malloc(sizeof(*dev)))) - continue; + ptr.o = NULL; + ptr.option = "storage"; + ptr.value = fw3_ipset_method_names[s->method]; + uci_set(ctx, &ptr); - memset(dev, 0, sizeof(*dev)); - dev->network = net; - snprintf(dev->name, sizeof(dev->name), "%s", name); - list_add_tail(&dev->list, &zone->running_devices); - } + list_for_each_entry(type, &s->datatypes, list) + { + sprintf(buf, "%s_%s", type->dir, fw3_ipset_type_names[type->type]); + ptr.o = NULL; + ptr.option = "match"; + ptr.value = buf; + uci_add_list(ctx, &ptr); } - fclose(sf); + if (s->iprange.set) + { + ptr.o = NULL; + ptr.option = "iprange"; + ptr.value = fw3_address_to_string(&s->iprange, false, false); + uci_set(ctx, &ptr); + } - return true; + if (s->portrange.set) + { + sprintf(buf, "%u-%u", s->portrange.port_min, s->portrange.port_max); + ptr.o = NULL; + ptr.option = "portrange"; + ptr.value = buf; + uci_set(ctx, &ptr); + } } void @@ -471,85 +618,61 @@ fw3_write_statefile(void *state) { FILE *sf; struct fw3_state *s = state; - struct fw3_defaults *defs = &s->defaults; struct fw3_zone *z; struct fw3_ipset *i; - struct fw3_device *d; + struct ifaddrs *ifaddr; - if (fw3_no_table(defs->flags[0]) && fw3_no_table(defs->flags[1])) - { - if (unlink(FW3_STATEFILE)) - warn("Unable to remove state %s: %s", - FW3_STATEFILE, strerror(errno)); - - return; - } - - sf = fopen(FW3_STATEFILE, "w"); + struct uci_package *p; - if (!sf) + if (fw3_no_family(s->defaults.flags[0]) && + fw3_no_family(s->defaults.flags[1])) { - warn("Cannot create state %s: %s", FW3_STATEFILE, strerror(errno)); - return; + unlink(FW3_STATEFILE); } - - fprintf(sf, "%x - %x %x\n", - FW3_TYPE_DEFAULTS, defs->flags[0], defs->flags[1]); - - list_for_each_entry(z, &s->running_zones, running_list) + else { - if (hasbit(z->flags[0], FW3_FLAG_DELETED)) - continue; + sf = fopen(FW3_STATEFILE, "w+"); - if (fw3_no_table(z->flags[0]) && fw3_no_table(z->flags[1])) - continue; - - fprintf(sf, "%x %s %x %x\n", - FW3_TYPE_ZONE, z->name, z->flags[0], z->flags[1]); - - list_for_each_entry(d, &z->devices, list) + if (!sf) { - if (!d->network) - continue; + warn("Cannot create state %s: %s", FW3_STATEFILE, strerror(errno)); + return; + } - fprintf(sf, "%x %s 0 0 %s %s\n", - FW3_TYPE_NETWORK, z->name, d->network->name, d->name); + if (getifaddrs(&ifaddr)) + { + warn("Cannot get interface addresses: %s", strerror(errno)); + ifaddr = NULL; } - } - list_for_each_entry(i, &s->running_ipsets, running_list) - { - if (hasbit(z->flags[0], FW3_FLAG_DELETED)) - continue; + if ((p = uci_lookup_package(s->uci, "fw3_state")) != NULL) + uci_unload(s->uci, p); + + uci_import(s->uci, sf, "fw3_state", NULL, true); - if (!fw3_no_family(i->flags[0]) || !fw3_no_family(i->flags[1])) + if ((p = uci_lookup_package(s->uci, "fw3_state")) != NULL) { - fprintf(sf, "%x %s %x %x\n", - FW3_TYPE_IPSET, i->name, i->flags[0], i->flags[1]); - } - } + write_defaults_uci(s->uci, &s->defaults, p); - fclose(sf); -} + list_for_each_entry(z, &s->zones, list) + write_zone_uci(s->uci, z, p, ifaddr); + list_for_each_entry(i, &s->ipsets, list) + write_ipset_uci(s->uci, i, p); -struct object_list_heads -{ - struct list_head list; - struct list_head running_list; -}; + uci_export(s->uci, sf, p, true); + uci_unload(s->uci, p); + } -void -fw3_set_running(void *object, struct list_head *dest) -{ - struct object_list_heads *o = object; + fsync(fileno(sf)); + fclose(sf); - if (dest && !o->running_list.next) - list_add_tail(&o->running_list, dest); - else if (!dest && o->running_list.next) - list_del(&o->running_list); + if (ifaddr) + freeifaddrs(ifaddr); + } } + void fw3_free_object(void *obj, const void *opts) { @@ -572,51 +695,30 @@ fw3_free_object(void *obj, const void *opts) free(obj); } - -bool -fw3_pr_rulespec(int table, int family, uint32_t *flags, uint32_t mask, - const struct fw3_rule_spec *r, const char *fmt, ...) +void +fw3_free_list(struct list_head *head) { - char buf[256]; - bool rv = false; - - va_list ap; - uint32_t f = flags ? flags[family == FW3_FAMILY_V6] : 0; + struct list_head *entry, *tmp; - if (mask) - f &= mask; + if (!head) + return; - for (; r->format; r++) + list_for_each_safe(entry, tmp, head) { - if (!fw3_is_family(r, family)) - continue; - - if (r->table != table) - continue; - - if ((r->flag != 0) && !hasbit(f, r->flag)) - continue; - - va_start(ap, fmt); - vsnprintf(buf, sizeof(buf), r->format, ap); - va_end(ap); - - fw3_pr(fmt, buf); - - rv = true; + list_del(entry); + free(entry); } - return rv; + free(head); } - bool fw3_hotplug(bool add, void *zone, void *device) { struct fw3_zone *z = zone; struct fw3_device *d = device; - if (!d->network) + if (!*d->network) return false; switch (fork()) @@ -635,12 +737,12 @@ fw3_hotplug(bool add, void *zone, void *device) close(0); close(1); close(2); - chdir("/"); + if (chdir("/")) {}; clearenv(); setenv("ACTION", add ? "add" : "remove", 1); setenv("ZONE", z->name, 1); - setenv("INTERFACE", d->network->name, 1); + setenv("INTERFACE", d->network, 1); setenv("DEVICE", d->name, 1); execl(FW3_HOTPLUG, FW3_HOTPLUG, "firewall", NULL); @@ -648,3 +750,148 @@ fw3_hotplug(bool add, void *zone, void *device) /* unreached */ return false; } + +int +fw3_netmask2bitlen(int family, void *mask) +{ + int bits; + struct in_addr *v4; + struct in6_addr *v6; + + if (family == FW3_FAMILY_V6) + for (bits = 0, v6 = mask; + bits < 128 && (v6->s6_addr[bits / 8] << (bits % 8)) & 128; + bits++); + else + for (bits = 0, v4 = mask; + bits < 32 && (ntohl(v4->s_addr) << bits) & 0x80000000; + bits++); + + return bits; +} + +bool +fw3_bitlen2netmask(int family, int bits, void *mask) +{ + int i; + uint8_t rem, b; + struct in_addr *v4; + struct in6_addr *v6; + + if (family == FW3_FAMILY_V6) + { + if (bits < -128 || bits > 128) + return false; + + v6 = mask; + rem = abs(bits); + + for (i = 0; i < sizeof(v6->s6_addr); i++) + { + b = (rem > 8) ? 8 : rem; + v6->s6_addr[i] = (uint8_t)(0xFF << (8 - b)); + rem -= b; + } + + if (bits < 0) + for (i = 0; i < sizeof(v6->s6_addr); i++) + v6->s6_addr[i] = ~v6->s6_addr[i]; + } + else + { + if (bits < -32 || bits > 32) + return false; + + v4 = mask; + v4->s_addr = bits ? htonl(~((1 << (32 - abs(bits))) - 1)) : 0; + + if (bits < 0) + v4->s_addr = ~v4->s_addr; + } + + return true; +} + +void +fw3_flush_conntrack(void *state) +{ + bool found; + struct fw3_state *s = state; + struct fw3_address *addr; + struct fw3_device *dev; + struct fw3_zone *zone; + struct ifaddrs *ifaddr, *ifa; + struct sockaddr_in *sin; + struct sockaddr_in6 *sin6; + char buf[INET6_ADDRSTRLEN]; + FILE *ct; + + if (!state) + { + if ((ct = fopen("/proc/net/nf_conntrack", "w")) != NULL) + { + info(" * Flushing conntrack table ..."); + + fwrite("f\n", 1, 2, ct); + fclose(ct); + } + + return; + } + + if (getifaddrs(&ifaddr)) + { + warn("Cannot get interface addresses: %s", strerror(errno)); + return; + } + + if ((ct = fopen("/proc/net/nf_conntrack", "w")) != NULL) + { + list_for_each_entry(zone, &s->zones, list) + list_for_each_entry(addr, &zone->old_addrs, list) + { + found = false; + + list_for_each_entry(dev, &zone->devices, list) + { + for (ifa = ifaddr; ifa && !found; ifa = ifa->ifa_next) + { + if (!ifa->ifa_addr || strcmp(dev->name, ifa->ifa_name)) + continue; + + sin = (struct sockaddr_in *)ifa->ifa_addr; + sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; + + if (addr->family == FW3_FAMILY_V4 && + sin->sin_family == AF_INET) + { + found = !memcmp(&addr->address.v4, &sin->sin_addr, + sizeof(sin->sin_addr)); + } + else if (addr->family == FW3_FAMILY_V6 && + sin6->sin6_family == AF_INET6) + { + found = !memcmp(&addr->address.v6, &sin6->sin6_addr, + sizeof(sin6->sin6_addr)); + } + } + + if (found) + break; + } + + if (!found) + { + inet_ntop(addr->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6, + &addr->address.v4, buf, sizeof(buf)); + + info(" * Flushing conntrack: %s", buf); + fprintf(ct, "%s\n", buf); + } + } + + fclose(ct); + } + + freeifaddrs(ifaddr); +}