X-Git-Url: http://git.archive.openwrt.org/?p=project%2Ffirewall3.git;a=blobdiff_plain;f=zones.c;h=2ddd7b44443f3b2714e19ffb2f8b8b29320700d2;hp=3d3812ccdf7845aee795233f7c58616024cd2691;hb=b59934331c4b9271ceb5e30b793a552618299d39;hpb=d7988a8aaedbf22cf1d34268615034e3082613ce
diff --git a/zones.c b/zones.c
index 3d3812c..2ddd7b4 100644
--- a/zones.c
+++ b/zones.c
@@ -39,6 +39,8 @@ static const struct fw3_chain_spec zone_chains[] = {
 	C(V4, NAT, SNAT, "zone_%s_postrouting"),
 	C(V4, NAT, DNAT, "zone_%s_prerouting"),
 
+	C(ANY, RAW, NOTRACK, "zone_%s_notrack"),
+
 	C(ANY, FILTER, CUSTOM_CHAINS, "input_%s_rule"),
 	C(ANY, FILTER, CUSTOM_CHAINS, "output_%s_rule"),
 	C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_%s_rule"),
@@ -81,6 +83,8 @@ const struct fw3_option fw3_zone_opts[] = {
 	FW3_OPT("__flags_v4", int, zone, flags[0]),
 	FW3_OPT("__flags_v6", int, zone, flags[1]),
 
+	FW3_LIST("__addrs", address, zone, old_addrs),
+
 	{ }
 };
 
@@ -126,19 +130,18 @@ fw3_alloc_zone(void)
 {
 	struct fw3_zone *zone;
 
-	zone = malloc(sizeof(*zone));
-
+	zone = calloc(1, sizeof(*zone));
 	if (!zone)
 		return NULL;
 
-	memset(zone, 0, sizeof(*zone));
-
 	INIT_LIST_HEAD(&zone->networks);
 	INIT_LIST_HEAD(&zone->devices);
 	INIT_LIST_HEAD(&zone->subnets);
 	INIT_LIST_HEAD(&zone->masq_src);
 	INIT_LIST_HEAD(&zone->masq_dest);
+	INIT_LIST_HEAD(&zone->old_addrs);
+
 
 	zone->enabled = true;
 	zone->custom_chains = true;
 	zone->log_limit.rate = 10;
@@ -189,6 +192,16 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
 			continue;
 		}
 
+		if (strlen(zone->name) > FW3_ZONE_MAXNAMELEN)
+		{
+			warn_elem(e, "must not have a name longer than %u characters",
+			          FW3_ZONE_MAXNAMELEN);
+			fw3_free_zone(zone);
+			continue;
+		}
+
+		fw3_ubus_zone_devices(zone);
+
 		if (list_empty(&zone->networks) && list_empty(&zone->devices) &&
 		    list_empty(&zone->subnets) && !zone->extra_src)
 		{
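Review bot: The new length check in the `@@ -189` hunk bounds `zone->name` but does not say why the bound exists: the name is later pasted into chain names via `snprintf(chain, sizeof(chain), c->format, z->name)` with formats such as `zone_%s_postrouting`, and whether FW3_ZONE_MAXNAMELEN already leaves room for the longest such suffix cannot be seen here. Suggest a comment above the check: `/* zone names are embedded in chain names (zone_<name>_postrouting etc.); FW3_ZONE_MAXNAMELEN must leave room for the longest suffix */`. The `%u` conversion is handed FW3_ZONE_MAXNAMELEN directly, which is only type-correct if that constant is unsigned; if it is a plain int literal, use `%d` or cast. fw3_load_zones starts before and ends after this hunk.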
@@ -214,12 +227,12 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
 		}
 
 		setbit(zone->flags[0], fw3_to_src_target(zone->policy_input));
-		setbit(zone->flags[0], zone->policy_output);
 		setbit(zone->flags[0], zone->policy_forward);
+		setbit(zone->flags[0], zone->policy_output);
 
 		setbit(zone->flags[1], fw3_to_src_target(zone->policy_input));
-		setbit(zone->flags[1], zone->policy_output);
 		setbit(zone->flags[1], zone->policy_forward);
+		setbit(zone->flags[1], zone->policy_output);
 
 		list_add_tail(&zone->list, &state->zones);
 	}
@@ -309,7 +322,6 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
                      bool reload, struct fw3_zone *zone,
                      struct fw3_device *dev, struct fw3_address *sub)
 {
-	bool disable_notrack = state->defaults.drop_invalid;
 	struct fw3_protocol tcp = { .protocol = 6 };
 	struct fw3_ipt_rule *r;
 	enum fw3_flag t;
@@ -336,8 +348,8 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 			r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
 			fw3_ipt_rule_target(r, jump_target(t));
 			fw3_ipt_rule_extra(r, zone->extra_src);
-			fw3_ipt_rule_append(r, "zone_%s_src_%s", zone->name,
-			                    fw3_flag_names[t]);
+			fw3_ipt_rule_replace(r, "zone_%s_src_%s", zone->name,
+			                     fw3_flag_names[t]);
 		}
 
 		if (has(zone->flags, handle->family, t))
@@ -345,8 +357,8 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 			r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
 			fw3_ipt_rule_target(r, jump_target(t));
 			fw3_ipt_rule_extra(r, zone->extra_dest);
-			fw3_ipt_rule_append(r, "zone_%s_dest_%s", zone->name,
-			                    fw3_flag_names[t]);
+			fw3_ipt_rule_replace(r, "zone_%s_dest_%s", zone->name,
+			                     fw3_flag_names[t]);
 		}
 	}
 
@@ -364,7 +376,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 			else
 				fw3_ipt_rule_extra(r, zone->extra_src);
 
-			fw3_ipt_rule_append(r, "delegate_%s", chains[i]);
+			fw3_ipt_rule_replace(r, "delegate_%s", chains[i]);
 		}
 	}
 	else if (handle->table == FW3_TABLE_NAT)
@@ -374,7 +386,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 			r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
 			fw3_ipt_rule_target(r, "zone_%s_prerouting", zone->name);
 			fw3_ipt_rule_extra(r, zone->extra_src);
-			fw3_ipt_rule_append(r, "delegate_prerouting");
+			fw3_ipt_rule_replace(r, "delegate_prerouting");
 		}
 
 		if (has(zone->flags, handle->family, FW3_FLAG_SNAT))
@@ -382,7 +394,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 			r = fw3_ipt_rule_create(handle, NULL, NULL, dev, NULL, sub);
 			fw3_ipt_rule_target(r, "zone_%s_postrouting", zone->name);
 			fw3_ipt_rule_extra(r, zone->extra_dest);
-			fw3_ipt_rule_append(r, "delegate_postrouting");
+			fw3_ipt_rule_replace(r, "delegate_postrouting");
 		}
 	}
 	else if (handle->table == FW3_TABLE_MANGLE)
@@ -400,7 +412,7 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 			fw3_ipt_rule_comment(r, "%s (mtu_fix logging)", zone->name);
 			fw3_ipt_rule_target(r, "LOG");
 			fw3_ipt_rule_addarg(r, false, "--log-prefix", buf);
-			fw3_ipt_rule_append(r, "mssfix");
+			fw3_ipt_rule_replace(r, "mssfix");
 		}
 
 		r = fw3_ipt_rule_create(handle, &tcp, NULL, dev, NULL, sub);
@@ -409,18 +421,17 @@ print_interface_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 		fw3_ipt_rule_comment(r, "%s (mtu_fix)", zone->name);
 		fw3_ipt_rule_target(r, "TCPMSS");
 		fw3_ipt_rule_addarg(r, false, "--clamp-mss-to-pmtu", NULL);
-		fw3_ipt_rule_append(r, "mssfix");
+		fw3_ipt_rule_replace(r, "mssfix");
 	}
 	}
 	else if (handle->table == FW3_TABLE_RAW)
 	{
-		if (!zone->conntrack && !disable_notrack)
+		if (has(zone->flags, handle->family, FW3_FLAG_NOTRACK))
 		{
 			r = fw3_ipt_rule_create(handle, NULL, dev, NULL, sub, NULL);
-			fw3_ipt_rule_target(r, "CT");
-			fw3_ipt_rule_addarg(r, false, "--notrack", NULL);
+			fw3_ipt_rule_target(r, "zone_%s_notrack", zone->name);
 			fw3_ipt_rule_extra(r, zone->extra_src);
-			fw3_ipt_rule_append(r, "notrack");
+			fw3_ipt_rule_replace(r, "delegate_notrack");
 		}
 	}
 }
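Review bot: In the `@@ -409` hunk the jump into `zone_%s_notrack` is now gated on `has(zone->flags, handle->family, FW3_FLAG_NOTRACK)`, while the CT `--notrack` rule that populates that chain (added to print_zone_rule in this same commit) is gated on `!zone->conntrack && !disable_notrack`; the place that sets FW3_FLAG_NOTRACK is outside this diff, so the two predicates can only be confirmed equivalent by reading it. If they ever diverge, either the append targets a `zone_<name>_notrack` chain that was never created, or the conntrack bypass is silently wired to an empty chain. Consider deriving both from the flag, e.g. in print_zone_rule `if (has(zone->flags, handle->family, FW3_FLAG_NOTRACK))`, and adding a one-line comment here naming that invariant. The enclosing print_interface_rule starts before this hunk.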
@@ -449,6 +460,7 @@ static void
 print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
                 bool reload, struct fw3_zone *zone)
 {
+	bool disable_notrack = state->defaults.drop_invalid;
 	struct fw3_address *msrc;
 	struct fw3_address *mdest;
 	struct fw3_ipt_rule *r;
@@ -462,6 +474,21 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 	switch (handle->table)
 	{
 	case FW3_TABLE_FILTER:
+		if (has(zone->flags, handle->family, FW3_FLAG_DNAT))
+		{
+			r = fw3_ipt_rule_new(handle);
+			fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
+			fw3_ipt_rule_comment(r, "Accept port redirections");
+			fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
+			fw3_ipt_rule_append(r, "zone_%s_input", zone->name);
+
+			r = fw3_ipt_rule_new(handle);
+			fw3_ipt_rule_extra(r, "-m conntrack --ctstate DNAT");
+			fw3_ipt_rule_comment(r, "Accept port forwards");
+			fw3_ipt_rule_target(r, fw3_flag_names[FW3_FLAG_ACCEPT]);
+			fw3_ipt_rule_append(r, "zone_%s_forward", zone->name);
+		}
+
 		r = fw3_ipt_rule_new(handle);
 		fw3_ipt_rule_target(r, "zone_%s_src_%s", zone->name,
 		                    fw3_flag_names[zone->policy_input]);
@@ -531,6 +558,15 @@ print_zone_rule(struct fw3_ipt_handle *handle, struct fw3_state *state,
 		break;
 
 	case FW3_TABLE_RAW:
+		if (!zone->conntrack && !disable_notrack)
+		{
+			r = fw3_ipt_rule_new(handle);
+			fw3_ipt_rule_target(r, "CT");
+			fw3_ipt_rule_addarg(r, false, "--notrack", NULL);
+			fw3_ipt_rule_append(r, "zone_%s_notrack", zone->name);
+		}
+		break;
+
 	case FW3_TABLE_MANGLE:
 		break;
 	}
@@ -587,7 +623,13 @@ fw3_flush_zones(struct fw3_ipt_handle *handle, struct fw3_state *state,
 				continue;
 
 			snprintf(chain, sizeof(chain), c->format, z->name);
 
-			fw3_ipt_delete_rules(handle, chain);
+			fw3_ipt_flush_chain(handle, chain);
+
+			/* keep certain basic chains that do not depend on any settings to
+			   avoid purging unrelated user rules pointing to them */
+			if (reload && !c->flag)
+				continue;
+
 			fw3_ipt_delete_chain(handle, chain);
 		}
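Review bot: The two `-m conntrack --ctstate DNAT` accepts in the `@@ -462` hunk are appended ahead of the `zone_%s_src_%s` policy jump that follows them, so any flow carrying a DNAT conntrack state is accepted before the zone policy, including DNATs installed by rules outside firewall3, since the match keys only on conntrack state and not on which redirect created it. Whether these rules also precede the jumps to the user's `input_%s_rule` / `forwarding_%s_rule` custom chains depends on code outside this hunk; if those jumps are appended later, a user rule can no longer reject a redirected or forwarded flow. A comment stating the intended ordering would help, e.g. `/* flows DNATed by a redirect/forward are accepted here, ahead of the zone policy */`. print_zone_rule continues outside the hunk.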
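Review bot: In the `@@ -587` hunk, `if (reload && !c->flag) continue;` keeps every flag-less chain of every zone in the iterated list on reload, including zones that have since been removed from the configuration, so empty `zone_<name>_*` chains of deleted zones would accumulate across reloads (assuming the loop walks the previously running state, which is outside the hunk). If that is accepted, the comment should say so; otherwise limit the keep to zones still present in the new configuration. The enclosing loop and fw3_flush_zones's signature start before this hunk.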
@@ -635,22 +677,45 @@ fw3_lookup_zone(struct fw3_state *state, const char *name)
 	return NULL;
 }
 
-void
-fw3_free_zone(struct fw3_zone *zone)
+struct list_head *
+fw3_resolve_zone_addresses(struct fw3_zone *zone, struct fw3_address *addr)
 {
-	struct fw3_device *dev, *tmp;
+	struct fw3_device *net;
+	struct fw3_address *cur, *tmp;
+	struct list_head *all;
+
+	all = calloc(1, sizeof(*all));
+	if (!all)
+		return NULL;
+
+	INIT_LIST_HEAD(all);
 
-	list_for_each_entry_safe(dev, tmp, &zone->devices, list)
+	if (addr && addr->set)
 	{
-		list_del(&dev->list);
-		free(dev);
-	}
+		tmp = malloc(sizeof(*tmp));
 
-	list_for_each_entry_safe(dev, tmp, &zone->networks, list)
+		if (tmp)
+		{
+			*tmp = *addr;
+			list_add_tail(&tmp->list, all);
+		}
+	}
+	else
 	{
-		list_del(&dev->list);
-		free(dev);
+		list_for_each_entry(net, &zone->networks, list)
+			fw3_ubus_address(all, net->name);
+
+		list_for_each_entry(cur, &zone->subnets, list)
+		{
+			tmp = malloc(sizeof(*tmp));
+
+			if (!tmp)
+				continue;
+
+			*tmp = *cur;
+			list_add_tail(&tmp->list, all);
+		}
 	}
 
-	fw3_free_object(zone, fw3_zone_opts);
+	return all;
 }
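Review bot: `fw3_resolve_zone_addresses` hands back a heap-allocated list (head from `calloc`, entries from `malloc`) without documenting that the caller owns both, and it returns an empty list rather than an error when the per-entry `malloc` in either branch fails, which a caller cannot distinguish from a zone that simply has no addresses. Suggest a header comment above the function stating that the result is a newly allocated list of fw3_address copies — the explicit `addr` when it is set, otherwise the ubus addresses of the zone's networks plus its subnets — that the caller must free entry by entry and then the head, that NULL is returned only when the head cannot be allocated, and that entry allocation failures are dropped silently. The return value of `fw3_ubus_address` is also ignored, so a ubus failure looks the same as a network with no addresses.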