X-Git-Url: http://git.archive.openwrt.org/?p=project%2Ffirewall3.git;a=blobdiff_plain;f=utils.c;h=ea409742f829bd720dd043eff822a11235506c91;hp=9899d4d5d507471848cf0f16b6937f6e467bee82;hb=294f209f64dca84d1c4dd801a1f7e615e39f0726;hpb=8fee8f9c520c58d07772cc6bd8f65d9eb1776a56 diff --git a/utils.c b/utils.c index 9899d4d..ea40974 100644 --- a/utils.c +++ b/utils.c @@ -19,10 +19,17 @@ #include "utils.h" #include "options.h" +#include "zones.h" +#include "ipsets.h" + + static int lock_fd = -1; static pid_t pipe_pid = -1; static FILE *pipe_fd = NULL; +bool fw3_pr_debug = false; + + static void warn_elem_section_name(struct uci_section *s, bool find_name) { @@ -125,6 +132,32 @@ info(const char* format, ...) fprintf(stderr, "\n"); } +void * +fw3_alloc(size_t size) +{ + void *mem; + + mem = calloc(1, size); + + if (!mem) + error("Out of memory while allocating %d bytes", size); + + return mem; +} + +char * +fw3_strdup(const char *s) +{ + char *ns; + + ns = strdup(s); + + if (!ns) + error("Out of memory while duplicating string '%s'", s); + + return ns; +} + const char * fw3_find_command(const char *cmd) { @@ -237,6 +270,7 @@ __fw3_command_pipe(bool silent, const char *command, ...) signal(SIGPIPE, SIG_IGN); pipe_pid = pid; close(pfds[0]); + fcntl(pfds[1], F_SETFD, fcntl(pfds[1], F_GETFD) | FD_CLOEXEC); } pipe_fd = fdopen(pfds[1], "w"); @@ -246,10 +280,18 @@ __fw3_command_pipe(bool silent, const char *command, ...) void fw3_pr(const char *fmt, ...) { - va_list args; - va_start(args, fmt); - vfprintf(pipe_fd, fmt, args); - va_end(args); + va_list args; + + if (fw3_pr_debug && pipe_fd != stdout) + { + va_start(args, fmt); + vfprintf(stderr, fmt, args); + va_end(args); + } + + va_start(args, fmt); + vfprintf(pipe_fd, fmt, args); + va_end(args); } void @@ -295,70 +337,361 @@ fw3_has_table(bool ipv6, const char *table) return seen; } + bool -fw3_check_statefile(bool test_exists) +fw3_lock(void) { - struct stat s; + lock_fd = open(FW3_LOCKFILE, O_CREAT|O_WRONLY, S_IRUSR|S_IWUSR); - if (!stat(FW3_STATEFILE, &s)) + if (lock_fd < 0) { - if (test_exists) - return true; - - warn("The firewall appears to be started already. " - "If it is indeed empty, remove the %s file and retry.", - FW3_STATEFILE); - + warn("Cannot create lock file %s: %s", FW3_LOCKFILE, strerror(errno)); return false; } - else if (test_exists) + + if (flock(lock_fd, LOCK_EX)) { - warn("The firewall appears to stopped already."); + warn("Cannot acquire exclusive lock: %s", strerror(errno)); return false; } - lock_fd = open(FW3_STATEFILE, O_CREAT | O_RDWR); + return true; +} +void +fw3_unlock(void) +{ if (lock_fd < 0) + return; + + if (flock(lock_fd, LOCK_UN)) + warn("Cannot release exclusive lock: %s", strerror(errno)); + + close(lock_fd); + unlink(FW3_LOCKFILE); + + lock_fd = -1; +} + + +static void +write_defaults_uci(struct uci_context *ctx, struct fw3_defaults *d, + struct uci_package *dest) +{ + char buf[sizeof("0xffffffff\0")]; + struct uci_ptr ptr = { .p = dest }; + + uci_add_section(ctx, dest, "defaults", &ptr.s); + + ptr.o = NULL; + ptr.option = "input"; + ptr.value = fw3_flag_names[d->policy_input]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "output"; + ptr.value = fw3_flag_names[d->policy_output]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "forward"; + ptr.value = fw3_flag_names[d->policy_forward]; + uci_set(ctx, &ptr); + + sprintf(buf, "0x%x", d->flags[0]); + ptr.o = NULL; + ptr.option = "__flags_v4"; + ptr.value = buf; + uci_set(ctx, &ptr); + + sprintf(buf, "0x%x", d->flags[1]); + ptr.o = NULL; + ptr.option = "__flags_v6"; + ptr.value = buf; + uci_set(ctx, &ptr); +} + +static void +write_zone_uci(struct uci_context *ctx, struct fw3_zone *z, + struct uci_package *dest) +{ + struct fw3_device *dev; + struct fw3_address *sub; + enum fw3_family fam = FW3_FAMILY_ANY; + + char *p, buf[34]; + + struct uci_ptr ptr = { .p = dest }; + + if (!z->enabled) + return; + + if (fw3_no_table(z->flags[0]) && !fw3_no_table(z->flags[1])) + fam = FW3_FAMILY_V6; + else if (!fw3_no_table(z->flags[0]) && fw3_no_table(z->flags[1])) + fam = FW3_FAMILY_V4; + else if (fw3_no_table(z->flags[0]) && fw3_no_table(z->flags[1])) + return; + + uci_add_section(ctx, dest, "zone", &ptr.s); + + ptr.o = NULL; + ptr.option = "name"; + ptr.value = z->name; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "input"; + ptr.value = fw3_flag_names[z->policy_input]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "output"; + ptr.value = fw3_flag_names[z->policy_output]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "forward"; + ptr.value = fw3_flag_names[z->policy_forward]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "masq"; + ptr.value = z->masq ? "1" : "0"; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "conntrack"; + ptr.value = z->conntrack ? "1" : "0"; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "mtu_fix"; + ptr.value = z->mtu_fix ? "1" : "0"; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "custom_chains"; + ptr.value = z->custom_chains ? "1" : "0"; + uci_set(ctx, &ptr); + + if (fam != FW3_FAMILY_ANY) { - warn("Unable to create %s file", FW3_STATEFILE); - goto fail; + ptr.o = NULL; + ptr.option = "family"; + ptr.value = fw3_flag_names[fam]; + uci_set(ctx, &ptr); } - if (flock(lock_fd, LOCK_EX)) + ptr.o = NULL; + ptr.option = "device"; + + fw3_foreach(dev, &z->devices) { - warn("Unable to acquire exclusive lock on %s file", FW3_STATEFILE); - goto fail; + if (!dev) + continue; + + p = buf; + + if (dev->invert) + p += sprintf(p, "!"); + + if (*dev->network) + p += sprintf(p, "%s@%s", dev->name, dev->network); + else + p += sprintf(p, "%s", dev->name); + ptr.value = buf; + uci_add_list(ctx, &ptr); } - return true; + ptr.o = NULL; + ptr.option = "subnet"; -fail: - if (lock_fd > -1) + fw3_foreach(sub, &z->subnets) { - close(lock_fd); - lock_fd = -1; + if (!sub) + continue; + + ptr.value = fw3_address_to_string(sub, true); + uci_add_list(ctx, &ptr); } - return false; + sprintf(buf, "0x%x", z->flags[0]); + ptr.o = NULL; + ptr.option = "__flags_v4"; + ptr.value = buf; + uci_set(ctx, &ptr); + + sprintf(buf, "0x%x", z->flags[1]); + ptr.o = NULL; + ptr.option = "__flags_v6"; + ptr.value = buf; + uci_set(ctx, &ptr); +} + +static void +write_ipset_uci(struct uci_context *ctx, struct fw3_ipset *s, + struct uci_package *dest) +{ + struct fw3_ipset_datatype *type; + + char buf[sizeof("65535-65535\0")]; + + struct uci_ptr ptr = { .p = dest }; + + if (!s->enabled || s->external) + return; + + uci_add_section(ctx, dest, "ipset", &ptr.s); + + ptr.o = NULL; + ptr.option = "name"; + ptr.value = s->name; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "storage"; + ptr.value = fw3_ipset_method_names[s->method]; + uci_set(ctx, &ptr); + + list_for_each_entry(type, &s->datatypes, list) + { + sprintf(buf, "%s_%s", type->dest ? "dst" : "src", + fw3_ipset_type_names[type->type]); + + ptr.o = NULL; + ptr.option = "match"; + ptr.value = buf; + uci_add_list(ctx, &ptr); + } + + if (s->iprange.set) + { + ptr.o = NULL; + ptr.option = "iprange"; + ptr.value = fw3_address_to_string(&s->iprange, false); + uci_set(ctx, &ptr); + } + + if (s->portrange.set) + { + sprintf(buf, "%u-%u", s->portrange.port_min, s->portrange.port_max); + ptr.o = NULL; + ptr.option = "portrange"; + ptr.value = buf; + uci_set(ctx, &ptr); + } } void -fw3_remove_statefile(void) +fw3_write_statefile(void *state) { - if (lock_fd > -1) - fw3_close_statefile(); + FILE *sf; + struct fw3_state *s = state; + struct fw3_zone *z; + struct fw3_ipset *i; + + struct uci_package *p; - if (unlink(FW3_STATEFILE)) - warn("Unable to delete %s file", FW3_STATEFILE); + if (fw3_no_family(s->defaults.flags[0]) && + fw3_no_family(s->defaults.flags[1])) + { + unlink(FW3_STATEFILE); + } + else + { + sf = fopen(FW3_STATEFILE, "w+"); + + if (!sf) + { + warn("Cannot create state %s: %s", FW3_STATEFILE, strerror(errno)); + return; + } + + if ((p = uci_lookup_package(s->uci, "fw3_state")) != NULL) + uci_unload(s->uci, p); + + uci_import(s->uci, sf, "fw3_state", NULL, true); + + if ((p = uci_lookup_package(s->uci, "fw3_state")) != NULL) + { + write_defaults_uci(s->uci, &s->defaults, p); + + list_for_each_entry(z, &s->zones, list) + write_zone_uci(s->uci, z, p); + + list_for_each_entry(i, &s->ipsets, list) + write_ipset_uci(s->uci, i, p); + + uci_export(s->uci, sf, p, true); + uci_unload(s->uci, p); + } + + fsync(fileno(sf)); + fclose(sf); + } } + void -fw3_close_statefile(void) +fw3_free_object(void *obj, const void *opts) { - flock(lock_fd, LOCK_UN); - close(lock_fd); + const struct fw3_option *ol; + struct list_head *list, *cur, *tmp; - lock_fd = -1; + for (ol = opts; ol->name; ol++) + { + if (!ol->elem_size) + continue; + + list = (struct list_head *)((char *)obj + ol->offset); + list_for_each_safe(cur, tmp, list) + { + list_del(cur); + free(cur); + } + } + + free(obj); +} + + +bool +fw3_hotplug(bool add, void *zone, void *device) +{ + struct fw3_zone *z = zone; + struct fw3_device *d = device; + + if (!*d->network) + return false; + + switch (fork()) + { + case -1: + warn("Unable to fork(): %s\n", strerror(errno)); + return false; + + case 0: + break; + + default: + return true; + } + + close(0); + close(1); + close(2); + chdir("/"); + + clearenv(); + setenv("ACTION", add ? "add" : "remove", 1); + setenv("ZONE", z->name, 1); + setenv("INTERFACE", d->network, 1); + setenv("DEVICE", d->name, 1); + + execl(FW3_HOTPLUG, FW3_HOTPLUG, "firewall", NULL); + + /* unreached */ + return false; }