#include "rules.h"
-static struct fw3_option rule_opts[] = {
- FW3_OPT("name", string, rule, name),
- FW3_OPT("family", family, rule, family),
+const struct fw3_option fw3_rule_opts[] = {
+ FW3_OPT("enabled", bool, rule, enabled),
- FW3_OPT("src", device, rule, src),
- FW3_OPT("dest", device, rule, dest),
+ FW3_OPT("name", string, rule, name),
+ FW3_OPT("family", family, rule, family),
- FW3_OPT("ipset", device, rule, ipset),
+ FW3_OPT("src", device, rule, src),
+ FW3_OPT("dest", device, rule, dest),
- FW3_LIST("proto", protocol, rule, proto),
+ FW3_OPT("ipset", device, rule, ipset),
- FW3_LIST("src_ip", address, rule, ip_src),
- FW3_LIST("src_mac", mac, rule, mac_src),
- FW3_LIST("src_port", port, rule, port_src),
+ FW3_LIST("proto", protocol, rule, proto),
- FW3_LIST("dest_ip", address, rule, ip_dest),
- FW3_LIST("dest_port", port, rule, port_dest),
+ FW3_LIST("src_ip", address, rule, ip_src),
+ FW3_LIST("src_mac", mac, rule, mac_src),
+ FW3_LIST("src_port", port, rule, port_src),
- FW3_LIST("icmp_type", icmptype, rule, icmp_type),
- FW3_OPT("extra", string, rule, extra),
+ FW3_LIST("dest_ip", address, rule, ip_dest),
+ FW3_LIST("dest_port", port, rule, port_dest),
- FW3_OPT("limit", limit, rule, limit),
- FW3_OPT("limit_burst", int, rule, limit.burst),
+ FW3_LIST("icmp_type", icmptype, rule, icmp_type),
+ FW3_OPT("extra", string, rule, extra),
- FW3_OPT("target", target, rule, target),
+ FW3_OPT("limit", limit, rule, limit),
+ FW3_OPT("limit_burst", int, rule, limit.burst),
+
+ FW3_OPT("utc_time", bool, rule, time.utc),
+ FW3_OPT("start_date", date, rule, time.datestart),
+ FW3_OPT("stop_date", date, rule, time.datestop),
+ FW3_OPT("start_time", time, rule, time.timestart),
+ FW3_OPT("stop_time", time, rule, time.timestop),
+ FW3_OPT("weekdays", weekdays, rule, time.weekdays),
+ FW3_OPT("monthdays", monthdays, rule, time.monthdays),
+
+ FW3_OPT("target", target, rule, target),
+
+ { }
};
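Review bot: The now-exported table fw3_rule_opts is terminated only by the empty entry `{ }` at its end, and the later call `fw3_parse_options(rule, fw3_rule_opts, s)` no longer passes an element count, so that sentinel is the only thing bounding the parser's walk over the table; nothing on the page documents that requirement. A one-line comment above the definition would protect it from the next person who appends an option after the terminator, e.g. `/* Options of a "config rule" section; must stay terminated by an empty entry, fw3_parse_options() walks until it. */`. Since the symbol lost its `static`, it presumably also needs a matching `extern` declaration in rules.h, which is outside this page.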
INIT_LIST_HEAD(&rule->icmp_type);
- fw3_parse_options(rule, rule_opts, ARRAY_SIZE(rule_opts), s);
+ rule->enabled = true;
+
+ fw3_parse_options(rule, fw3_rule_opts, s);
+
+ if (!rule->enabled)
+ {
+ fw3_free_rule(rule);
+ continue;
+ }
if (rule->src.invert || rule->dest.invert)
{
continue;
}
else if (rule->src.set && !rule->src.any &&
- !(rule->_src = fw3_lookup_zone(state, rule->src.name)))
+ !(rule->_src = fw3_lookup_zone(state, rule->src.name, false)))
{
warn_elem(e, "refers to not existing zone '%s'", rule->src.name);
fw3_free_rule(rule);
continue;
}
else if (rule->dest.set && !rule->dest.any &&
- !(rule->_dest = fw3_lookup_zone(state, rule->dest.name)))
+ !(rule->_dest = fw3_lookup_zone(state, rule->dest.name, false)))
{
warn_elem(e, "refers to not existing zone '%s'", rule->dest.name);
fw3_free_rule(rule);
continue;
}
else if (rule->ipset.set && !rule->ipset.any &&
- !(rule->_ipset = fw3_lookup_ipset(state, rule->ipset.name)))
+ !(rule->_ipset = fw3_lookup_ipset(state, rule->ipset.name, false)))
{
warn_elem(e, "refers to unknown ipset '%s'", rule->ipset.name);
fw3_free_rule(rule);
rule->target = FW3_TARGET_REJECT;
}
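Review bot: The third argument added to fw3_lookup_zone() and fw3_lookup_ipset() is a bare `false` literal at all three call sites, so a reader cannot tell what is being declined; a short comment on the first call, e.g. `/* false: <meaning of the new flag, per its definition> */`, or a named constant would make the intent visible (the definitions are not on this page). Separately, as printed the ipset branch calls `fw3_free_rule(rule)` and is immediately followed by `rule->target = FW3_TARGET_REJECT;` with no `continue`; if the rendering has not dropped lines between them that is a write to freed memory, so it is worth confirming against the full file that the branch ends with `continue;`. The enclosing loop body starts and ends outside this hunk.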
+ /* NB: rule family... */
if (rule->_dest)
- setbit(rule->_dest->dst_flags, rule->target);
+ {
+ setbit(rule->_dest->flags[0], rule->target);
+ setbit(rule->_dest->flags[1], rule->target);
+ }
list_add_tail(&rule->list, &state->rules);
continue;
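Review bot: The new comment `/* NB: rule family... */` is left unfinished, so it explains nothing about why the target bit is now set in both `flags[0]` and `flags[1]` of the destination zone regardless of the rule's configured family. If, as the two indices suggest, the entries are per-address-family flag sets, the comment should say that the family is not resolved at this point and both sets are therefore marked conservatively, e.g. `/* NB: rule family is not resolved yet, so mark the target in both address-family flag sets of the destination zone */` — confirm against the zone definition, which is not on this page. The surrounding function starts and ends outside this hunk.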
fw3_format_icmptype(icmptype, family);
fw3_format_mac(mac);
fw3_format_limit(&rule->limit);
+ fw3_format_time(&rule->time);
fw3_format_extra(rule->extra);
fw3_format_comment(rule->name);
print_target(rule);
return;
}
- setbit(rule->_ipset->flags, family);
+ set(rule->_ipset->flags, family, family);
}
list_for_each_entry(proto, &rule->proto, list)
list_for_each_entry(rule, &state->rules, list)
expand_rule(table, family, rule, num++);
}
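Review bot: The replacement `set(rule->_ipset->flags, family, family)` passes the same value as both its second and third argument, which reads as either a selector plus a bit or an accidental duplication, whereas the removed `setbit(rule->_ipset->flags, family)` made the intent obvious. A comment naming the two roles, e.g. `/* select the flag word for this family and mark the family bit in it */` if that is what set() does (its definition is not on this page), would stop the next reader from flagging the repeated argument as a typo. The enclosing function starts outside this hunk.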
-
-void
-fw3_free_rule(struct fw3_rule *rule)
-{
- fw3_free_list(&rule->proto);
-
- fw3_free_list(&rule->ip_src);
- fw3_free_list(&rule->mac_src);
- fw3_free_list(&rule->port_dest);
-
- fw3_free_list(&rule->ip_dest);
- fw3_free_list(&rule->port_dest);
-
- fw3_free_list(&rule->icmp_type);
-
- free(rule);
-}