#include "rules.h"
-static struct fw3_option rule_opts[] = {
- FW3_OPT("name", string, rule, name),
- FW3_OPT("family", family, rule, family),
+const struct fw3_option fw3_rule_opts[] = {
+ FW3_OPT("enabled", bool, rule, enabled),
- FW3_OPT("src", device, rule, src),
- FW3_OPT("dest", device, rule, dest),
+ FW3_OPT("name", string, rule, name),
+ FW3_OPT("family", family, rule, family),
- FW3_OPT("ipset", device, rule, ipset),
+ FW3_OPT("src", device, rule, src),
+ FW3_OPT("dest", device, rule, dest),
- FW3_LIST("proto", protocol, rule, proto),
+ FW3_OPT("ipset", device, rule, ipset),
- FW3_LIST("src_ip", address, rule, ip_src),
- FW3_LIST("src_mac", mac, rule, mac_src),
- FW3_LIST("src_port", port, rule, port_src),
+ FW3_LIST("proto", protocol, rule, proto),
- FW3_LIST("dest_ip", address, rule, ip_dest),
- FW3_LIST("dest_port", port, rule, port_dest),
+ FW3_LIST("src_ip", address, rule, ip_src),
+ FW3_LIST("src_mac", mac, rule, mac_src),
+ FW3_LIST("src_port", port, rule, port_src),
- FW3_LIST("icmp_type", icmptype, rule, icmp_type),
- FW3_OPT("extra", string, rule, extra),
+ FW3_LIST("dest_ip", address, rule, ip_dest),
+ FW3_LIST("dest_port", port, rule, port_dest),
- FW3_OPT("limit", limit, rule, limit),
- FW3_OPT("limit_burst", int, rule, limit.burst),
+ FW3_LIST("icmp_type", icmptype, rule, icmp_type),
+ FW3_OPT("extra", string, rule, extra),
- FW3_OPT("target", target, rule, target),
+ FW3_OPT("limit", limit, rule, limit),
+ FW3_OPT("limit_burst", int, rule, limit.burst),
+
+ FW3_OPT("utc_time", bool, rule, time.utc),
+ FW3_OPT("start_date", date, rule, time.datestart),
+ FW3_OPT("stop_date", date, rule, time.datestop),
+ FW3_OPT("start_time", time, rule, time.timestart),
+ FW3_OPT("stop_time", time, rule, time.timestop),
+ FW3_OPT("weekdays", weekdays, rule, time.weekdays),
+ FW3_OPT("monthdays", monthdays, rule, time.monthdays),
+
+ FW3_OPT("target", target, rule, target),
+
+ { }
};
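Review bot: The trailing `{ }` entry on the line before `};` is now load-bearing — the call site drops `ARRAY_SIZE(rule_opts)` and passes only `fw3_rule_opts`, so the parser presumably walks the table until it hits this empty sentinel — yet nothing marks it as such, and a future option appended after it would be silently ignored. I would document that above the terminator: `/* sentinel: fw3_parse_options() walks until the empty entry; add new options above this line */`. Since the table is now exported (`const`, non-static) the same note belongs in the header that declares it, which is outside this hunk.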
INIT_LIST_HEAD(&rule->icmp_type);
- fw3_parse_options(rule, rule_opts, ARRAY_SIZE(rule_opts), s);
+ rule->enabled = true;
+
+ fw3_parse_options(rule, fw3_rule_opts, s);
+
+ if (!rule->enabled)
+ {
+ fw3_free_rule(rule);
+ continue;
+ }
if (rule->src.invert || rule->dest.invert)
{
continue;
}
else if (rule->src.set && !rule->src.any &&
- !(rule->_src = fw3_lookup_zone(state, rule->src.name)))
+ !(rule->_src = fw3_lookup_zone(state, rule->src.name, false)))
{
warn_elem(e, "refers to not existing zone '%s'", rule->src.name);
fw3_free_rule(rule);
continue;
}
else if (rule->dest.set && !rule->dest.any &&
- !(rule->_dest = fw3_lookup_zone(state, rule->dest.name)))
+ !(rule->_dest = fw3_lookup_zone(state, rule->dest.name, false)))
{
warn_elem(e, "refers to not existing zone '%s'", rule->dest.name);
fw3_free_rule(rule);
continue;
}
else if (rule->ipset.set && !rule->ipset.any &&
- !(rule->_ipset = fw3_lookup_ipset(state, rule->ipset.name)))
+ !(rule->_ipset = fw3_lookup_ipset(state, rule->ipset.name, false)))
{
- warn_elem(e, "refers to not declared ipset '%s'", rule->ipset.name);
+ warn_elem(e, "refers to unknown ipset '%s'", rule->ipset.name);
fw3_free_rule(rule);
continue;
}
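Review bot: The `rule->src.invert || rule->dest.invert` branch at the top of the hunk drops the rule with a bare `continue`, unlike the three branches below it which call `warn_elem()` and `fw3_free_rule()`; assuming `rule` is allocated per config section before this hunk (not visible here), that leaks it, and more importantly a rule the administrator wrote (e.g. `option src '!lan'`) is silently discarded rather than reported — for a firewall, a silently missing rule is the worst failure mode. Make it match its siblings: `warn_elem(e, "must not have inverted 'src' or 'dest' options"); fw3_free_rule(rule); continue;`. The new third argument `false` passed to `fw3_lookup_zone()`/`fw3_lookup_ipset()` is not explained by anything in this hunk; a short comment naming what it disables would help the next reader. The enclosing loop starts outside the hunk.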
static void print_target(struct fw3_rule *rule)
{
- char target[256];
+ const char *target;
switch(rule->target)
{
case FW3_TARGET_ACCEPT:
- sprintf(target, "ACCEPT");
- break;
-
case FW3_TARGET_DROP:
- sprintf(target, "DROP");
- break;
-
case FW3_TARGET_NOTRACK:
- sprintf(target, "NOTRACK");
+ target = fw3_flag_names[rule->target];
break;
default:
- sprintf(target, "REJECT");
+ target = fw3_flag_names[FW3_TARGET_REJECT];
break;
}
if (rule->dest.set && !rule->dest.any)
fw3_pr(" -j zone_%s_dest_%s\n", rule->dest.name, target);
- else if (!strcmp(target, "REJECT"))
+ else if (rule->target == FW3_TARGET_REJECT)
fw3_pr(" -j reject\n");
else
fw3_pr(" -j %s\n", target);
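Review bot: The `default:` branch now resolves `target` to the REJECT name but leaves `rule->target` untouched, so the follow-up test `rule->target == FW3_TARGET_REJECT` is false for an unset or unknown target and such a rule is emitted as `-j REJECT` (the raw iptables target) instead of the `-j reject` chain that the old `strcmp(target, "REJECT")` selected — a behaviour change the commit does not mention. Whether that branch is reachable depends on whether the parser guarantees a valid target before this function runs, which is not visible here. Comparing the resolved name keeps the old behaviour with one line: `else if (target == fw3_flag_names[FW3_TARGET_REJECT])` (both sides point at the same array element, so pointer equality is sufficient); alternatively compute the fallback into a local `enum` before the switch and use it on both lines so they cannot disagree again.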
struct fw3_mac *mac, struct fw3_icmptype *icmptype)
{
if (!fw3_is_family(sip, family) || !fw3_is_family(dip, family))
+ {
+ info(" ! Skipping due to different family of ip address");
return;
+ }
if (proto->protocol == 58 && family == FW3_FAMILY_V4)
+ {
+ info(" ! Skipping due to different family of protocol");
return;
+ }
print_chain(rule);
fw3_format_ipset(rule->_ipset, rule->ipset.invert);
fw3_format_icmptype(icmptype, family);
fw3_format_mac(mac);
fw3_format_limit(&rule->limit);
+ fw3_format_time(&rule->time);
fw3_format_extra(rule->extra);
fw3_format_comment(rule->name);
print_target(rule);
else
info(" * Rule #%u", num);
+ if (!fw3_is_family(rule->_src, family) ||
+ !fw3_is_family(rule->_dest, family))
+ {
+ info(" ! Skipping due to different family of zone");
+ return;
+ }
+
+ if (rule->_ipset)
+ {
+ if (!fw3_is_family(rule->_ipset, family))
+ {
+ info(" ! Skipping due to different family in ipset");
+ return;
+ }
+
+ setbit(rule->_ipset->flags, family);
+ }
+
list_for_each_entry(proto, &rule->proto, list)
{
/* icmp / ipv6-icmp */
list_for_each_entry(rule, &state->rules, list)
expand_rule(table, family, rule, num++);
}
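Review bot: The new zone family check calls `fw3_is_family(rule->_src, family)` and `fw3_is_family(rule->_dest, family)` unguarded, while the ipset check a few lines below is wrapped in `if (rule->_ipset)`; per the lookup code elsewhere in this change, `_src`/`_dest` are only assigned for a named zone and stay NULL for an absent or `*` src/dest, so this relies on `fw3_is_family()` tolerating NULL, which nothing in this hunk shows. Either mirror the ipset guard (`if ((rule->_src && !fw3_is_family(rule->_src, family)) || (rule->_dest && !fw3_is_family(rule->_dest, family)))`) or add a comment next to the call stating that NULL is accepted and means "any family". Note also that `setbit(rule->_ipset->flags, family)` mutates the shared ipset object from inside rule expansion, which is worth a one-line comment since the ipset is referenced by every rule that names it. The enclosing function starts outside the hunk.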
-
-void
-fw3_free_rule(struct fw3_rule *rule)
-{
- fw3_free_list(&rule->proto);
-
- fw3_free_list(&rule->ip_src);
- fw3_free_list(&rule->mac_src);
- fw3_free_list(&rule->port_dest);
-
- fw3_free_list(&rule->ip_dest);
- fw3_free_list(&rule->port_dest);
-
- fw3_free_list(&rule->icmp_type);
-
- free(rule);
-}