#define C(f, tbl, def, fmt) \
- { FW3_FAMILY_##f, FW3_TABLE_##tbl, FW3_DEFAULT_##def, fmt }
+ { FW3_FAMILY_##f, FW3_TABLE_##tbl, FW3_FLAG_##def, fmt }
static const struct fw3_rule_spec default_chains[] = {
C(ANY, FILTER, UNSPEC, "delegate_input"),
{ }
};
-const struct fw3_option fw3_default_opts[] = {
+const struct fw3_option fw3_flag_opts[] = {
FW3_OPT("input", target, defaults, policy_input),
FW3_OPT("forward", target, defaults, policy_forward),
FW3_OPT("output", target, defaults, policy_output),
static void
-check_policy(struct uci_element *e, enum fw3_target *pol, const char *name)
+check_policy(struct uci_element *e, enum fw3_flag *pol, const char *name)
{
- if (*pol == FW3_TARGET_UNSPEC)
+ if (*pol == FW3_FLAG_UNSPEC)
{
warn_elem(e, "has no %s policy specified, defaulting to DROP", name);
- *pol = FW3_TARGET_DROP;
+ *pol = FW3_FLAG_DROP;
}
- else if (*pol > FW3_TARGET_DROP)
+ else if (*pol > FW3_FLAG_DROP)
{
warn_elem(e, "has invalid %s policy, defaulting to DROP", name);
- *pol = FW3_TARGET_DROP;
+ *pol = FW3_FLAG_DROP;
}
}
continue;
}
- fw3_parse_options(&state->defaults, fw3_default_opts, s);
+ fw3_parse_options(&state->defaults, fw3_flag_opts, s);
check_policy(e, &defs->policy_input, "input");
check_policy(e, &defs->policy_output, "output");
uint32_t custom_mask = ~0;
#define policy(t) \
- ((t == FW3_TARGET_REJECT) ? "DROP" : fw3_flag_names[t])
+ ((t == FW3_FLAG_REJECT) ? "DROP" : fw3_flag_names[t])
if (family == FW3_FAMILY_V6 && defs->disable_ipv6)
return;
/* Don't touch user chains on reload */
if (reload)
- delbit(custom_mask, FW3_DEFAULT_CUSTOM_CHAINS);
+ delbit(custom_mask, FW3_FLAG_CUSTOM_CHAINS);
if (defs->custom_chains)
- set(defs->flags, family, FW3_DEFAULT_CUSTOM_CHAINS);
+ set(defs->flags, family, FW3_FLAG_CUSTOM_CHAINS);
if (defs->syn_flood)
- set(defs->flags, family, FW3_DEFAULT_SYN_FLOOD);
+ set(defs->flags, family, FW3_FLAG_SYN_FLOOD);
rv = fw3_pr_rulespec(table, family, defs->flags, custom_mask,
default_chains, ":%s - [0:0]\n");
if (table != FW3_TABLE_FILTER)
return;
- if (defs->policy_input == FW3_TARGET_REJECT)
+ if (defs->policy_input == FW3_FLAG_REJECT)
fw3_pr("-A delegate_input -j reject\n");
- if (defs->policy_output == FW3_TARGET_REJECT)
+ if (defs->policy_output == FW3_FLAG_REJECT)
fw3_pr("-A delegate_output -j reject\n");
- if (defs->policy_forward == FW3_TARGET_REJECT)
+ if (defs->policy_forward == FW3_FLAG_REJECT)
fw3_pr("-A delegate_forward -j reject\n");
}
}
static void
-reset_policy(enum fw3_table table, enum fw3_target policy)
+reset_policy(enum fw3_table table, enum fw3_flag policy)
{
if (table != FW3_TABLE_FILTER)
return;
/* don't touch user chains on selective stop */
if (reload)
- delbit(custom_mask, FW3_DEFAULT_CUSTOM_CHAINS);
+ delbit(custom_mask, FW3_FLAG_CUSTOM_CHAINS);
if (!pass2)
{
- reset_policy(table, reload ? FW3_TARGET_DROP : FW3_TARGET_ACCEPT);
+ reset_policy(table, reload ? FW3_FLAG_DROP : FW3_FLAG_ACCEPT);
fw3_pr_rulespec(table, family, defs->flags, custom_mask,
toplevel_rules, "-D %s\n");
void
fw3_flush_all(enum fw3_table table)
{
- reset_policy(table, FW3_TARGET_ACCEPT);
+ reset_policy(table, FW3_FLAG_ACCEPT);
fw3_pr("-F\n");
fw3_pr("-X\n");
#include "options.h"
-extern const struct fw3_option fw3_default_opts[];
+extern const struct fw3_option fw3_flag_opts[];
void fw3_load_defaults(struct fw3_state *state, struct uci_package *p);
/* NB: forward family... */
if (forward->_dest)
{
- setbit(forward->_dest->flags[0], FW3_TARGET_ACCEPT);
- setbit(forward->_dest->flags[1], FW3_TARGET_ACCEPT);
+ setbit(forward->_dest->flags[0], FW3_FLAG_ACCEPT);
+ setbit(forward->_dest->flags[1], FW3_FLAG_ACCEPT);
if (forward->_src &&
(forward->_src->conntrack || forward->_dest->conntrack))
}
-const char *fw3_flag_names[FW3_DEFAULT_DROP_INVALID + 1] = {
+const char *fw3_flag_names[__FW3_FLAG_MAX] = {
"filter",
"nat",
"mangle",
bool
fw3_parse_target(void *ptr, const char *val)
{
- return parse_enum(ptr, val, &fw3_flag_names[FW3_TARGET_ACCEPT],
- FW3_TARGET_ACCEPT, FW3_TARGET_SNAT);
+ return parse_enum(ptr, val, &fw3_flag_names[FW3_FLAG_ACCEPT],
+ FW3_FLAG_ACCEPT, FW3_FLAG_SNAT);
}
bool
FW3_FAMILY_V6 = 5,
};
-enum fw3_target
+enum fw3_flag
{
- FW3_TARGET_UNSPEC = 0,
- FW3_TARGET_ACCEPT = 6,
- FW3_TARGET_REJECT = 7,
- FW3_TARGET_DROP = 8,
- FW3_TARGET_NOTRACK = 9,
- FW3_TARGET_DNAT = 10,
- FW3_TARGET_SNAT = 11,
- FW3_TARGET_SRC_ACCEPT = 12,
- FW3_TARGET_SRC_REJECT = 13,
- FW3_TARGET_SRC_DROP = 14,
- FW3_TARGET_CUSTOM_CHAINS = 15,
+ FW3_FLAG_UNSPEC = 0,
+ FW3_FLAG_ACCEPT = 6,
+ FW3_FLAG_REJECT = 7,
+ FW3_FLAG_DROP = 8,
+ FW3_FLAG_NOTRACK = 9,
+ FW3_FLAG_DNAT = 10,
+ FW3_FLAG_SNAT = 11,
+ FW3_FLAG_SRC_ACCEPT = 12,
+ FW3_FLAG_SRC_REJECT = 13,
+ FW3_FLAG_SRC_DROP = 14,
+ FW3_FLAG_CUSTOM_CHAINS = 15,
+ FW3_FLAG_SYN_FLOOD = 16,
+ FW3_FLAG_MTU_FIX = 17,
+ FW3_FLAG_DROP_INVALID = 18,
+
+ __FW3_FLAG_MAX
};
-enum fw3_default
-{
- FW3_DEFAULT_UNSPEC = 0,
- FW3_DEFAULT_CUSTOM_CHAINS = 16,
- FW3_DEFAULT_SYN_FLOOD = 17,
- FW3_DEFAULT_MTU_FIX = 18,
- FW3_DEFAULT_DROP_INVALID = 19,
-};
-
-extern const char *fw3_flag_names[FW3_DEFAULT_DROP_INVALID + 1];
+extern const char *fw3_flag_names[__FW3_FLAG_MAX];
enum fw3_limit_unit
struct fw3_defaults
{
- enum fw3_target policy_input;
- enum fw3_target policy_output;
- enum fw3_target policy_forward;
+ enum fw3_flag policy_input;
+ enum fw3_flag policy_output;
+ enum fw3_flag policy_forward;
bool drop_invalid;
enum fw3_family family;
- enum fw3_target policy_input;
- enum fw3_target policy_output;
- enum fw3_target policy_forward;
+ enum fw3_flag policy_input;
+ enum fw3_flag policy_output;
+ enum fw3_flag policy_forward;
struct list_head networks;
struct list_head devices;
struct fw3_limit limit;
struct fw3_time time;
- enum fw3_target target;
+ enum fw3_flag target;
const char *extra;
};
struct fw3_time time;
- enum fw3_target target;
+ enum fw3_flag target;
const char *extra;
continue;
}
- if (redir->target == FW3_TARGET_UNSPEC)
+ if (redir->target == FW3_FLAG_UNSPEC)
{
warn_elem(e, "has no target specified, defaulting to DNAT");
- redir->target = FW3_TARGET_DNAT;
+ redir->target = FW3_FLAG_DNAT;
}
- else if (redir->target < FW3_TARGET_DNAT)
+ else if (redir->target < FW3_FLAG_DNAT)
{
warn_elem(e, "has invalid target specified, defaulting to DNAT");
- redir->target = FW3_TARGET_DNAT;
+ redir->target = FW3_FLAG_DNAT;
}
- if (redir->target == FW3_TARGET_DNAT)
+ if (redir->target == FW3_FLAG_DNAT)
{
if (redir->src.any)
warn_elem(e, "must not have source '*' for DNAT target");
if (redir->reflection && redir->_dest && redir->_src->masq)
{
- set(redir->_dest->flags, FW3_FAMILY_V4, FW3_TARGET_ACCEPT);
- set(redir->_dest->flags, FW3_FAMILY_V4, FW3_TARGET_DNAT);
- set(redir->_dest->flags, FW3_FAMILY_V4, FW3_TARGET_SNAT);
+ set(redir->_dest->flags, FW3_FAMILY_V4, FW3_FLAG_ACCEPT);
+ set(redir->_dest->flags, FW3_FAMILY_V4, FW3_FLAG_DNAT);
+ set(redir->_dest->flags, FW3_FAMILY_V4, FW3_FLAG_SNAT);
}
}
else
static void
print_chain_nat(struct fw3_redirect *redir)
{
- if (redir->target == FW3_TARGET_DNAT)
+ if (redir->target == FW3_FLAG_DNAT)
fw3_pr("-A zone_%s_prerouting", redir->src.name);
else
fw3_pr("-A zone_%s_postrouting", redir->dest.name);
}
static void
-print_snat_dnat(enum fw3_target target,
+print_snat_dnat(enum fw3_flag target,
struct fw3_address *addr, struct fw3_port *port)
{
const char *t;
char s[sizeof("255.255.255.255 ")];
- if (target == FW3_TARGET_DNAT)
+ if (target == FW3_FLAG_DNAT)
t = "DNAT --to-destination";
else
t = "SNAT --to-source";
static void
print_target_nat(struct fw3_redirect *redir)
{
- if (redir->target == FW3_TARGET_DNAT)
+ if (redir->target == FW3_FLAG_DNAT)
print_snat_dnat(redir->target, &redir->ip_redir, &redir->port_redir);
else
print_snat_dnat(redir->target, &redir->ip_dest, &redir->port_dest);
static void
print_chain_filter(struct fw3_redirect *redir)
{
- if (redir->target == FW3_TARGET_DNAT)
+ if (redir->target == FW3_FLAG_DNAT)
{
/* XXX: check for local ip */
if (!redir->ip_redir.set)
print_target_filter(struct fw3_redirect *redir)
{
/* XXX: check for local ip */
- if (redir->target == FW3_TARGET_DNAT && !redir->ip_redir.set)
+ if (redir->target == FW3_FLAG_DNAT && !redir->ip_redir.set)
fw3_pr(" -m conntrack --ctstate DNAT -j ACCEPT\n");
else
fw3_pr(" -j ACCEPT\n");
fw3_format_ipset(redir->_ipset, redir->ipset.invert);
fw3_format_protocol(proto, family);
- if (redir->target == FW3_TARGET_DNAT)
+ if (redir->target == FW3_FLAG_DNAT)
{
fw3_format_src_dest(&redir->ip_src, &redir->ip_dest);
fw3_format_sport_dport(&redir->port_src, &redir->port_dest);
}
/* reflection rules */
- if (redir->target != FW3_TARGET_DNAT || !redir->reflection)
+ if (redir->target != FW3_FLAG_DNAT || !redir->reflection)
return;
if (!redir->_dest || !redir->_src->masq)
fw3_format_sport_dport(NULL, &redir->port_dest);
fw3_format_time(&redir->time);
fw3_format_comment(redir->name, " (reflection)");
- print_snat_dnat(FW3_TARGET_DNAT,
+ print_snat_dnat(FW3_FLAG_DNAT,
&redir->ip_redir, &redir->port_redir);
fw3_pr("-A zone_%s_postrouting", redir->dest.name);
fw3_format_sport_dport(NULL, &redir->port_redir);
fw3_format_time(&redir->time);
fw3_format_comment(redir->name, " (reflection)");
- print_snat_dnat(FW3_TARGET_SNAT, ext_addr, NULL);
+ print_snat_dnat(FW3_FLAG_SNAT, ext_addr, NULL);
}
else if (table == FW3_TABLE_FILTER)
{
continue;
}
- if (!rule->_src && rule->target == FW3_TARGET_NOTRACK)
+ if (!rule->_src && rule->target == FW3_FLAG_NOTRACK)
{
warn_elem(e, "is set to target NOTRACK but has no source assigned");
fw3_free_rule(rule);
"- assuming an output rule");
}
- if (rule->target == FW3_TARGET_UNSPEC)
+ if (rule->target == FW3_FLAG_UNSPEC)
{
warn_elem(e, "has no target specified, defaulting to REJECT");
- rule->target = FW3_TARGET_REJECT;
+ rule->target = FW3_FLAG_REJECT;
}
- else if (rule->target > FW3_TARGET_NOTRACK)
+ else if (rule->target > FW3_FLAG_NOTRACK)
{
warn_elem(e, "has invalid target specified, defaulting to REJECT");
- rule->target = FW3_TARGET_REJECT;
+ rule->target = FW3_FLAG_REJECT;
}
/* NB: rule family... */
sprintf(chain, "delegate_output");
- if (rule->target == FW3_TARGET_NOTRACK)
+ if (rule->target == FW3_FLAG_NOTRACK)
{
sprintf(chain, "zone_%s_notrack", rule->src.name);
}
switch(rule->target)
{
- case FW3_TARGET_ACCEPT:
- case FW3_TARGET_DROP:
- case FW3_TARGET_NOTRACK:
+ case FW3_FLAG_ACCEPT:
+ case FW3_FLAG_DROP:
+ case FW3_FLAG_NOTRACK:
target = fw3_flag_names[rule->target];
break;
default:
- target = fw3_flag_names[FW3_TARGET_REJECT];
+ target = fw3_flag_names[FW3_FLAG_REJECT];
break;
}
if (rule->dest.set && !rule->dest.any)
fw3_pr(" -j zone_%s_dest_%s\n", rule->dest.name, target);
- else if (rule->target == FW3_TARGET_REJECT)
+ else if (rule->target == FW3_FLAG_REJECT)
fw3_pr(" -j reject\n");
else
fw3_pr(" -j %s\n", target);
if (!fw3_is_family(rule, family))
return;
- if ((table == FW3_TABLE_RAW && rule->target != FW3_TARGET_NOTRACK) ||
+ if ((table == FW3_TABLE_RAW && rule->target != FW3_FLAG_NOTRACK) ||
(table != FW3_TABLE_FILTER))
return;
#define C(f, tbl, tgt, fmt) \
- { FW3_FAMILY_##f, FW3_TABLE_##tbl, FW3_TARGET_##tgt, fmt }
+ { FW3_FAMILY_##f, FW3_TABLE_##tbl, FW3_FLAG_##tgt, fmt }
static const struct fw3_rule_spec zone_chains[] = {
C(ANY, FILTER, UNSPEC, "zone_%1$s_input"),
static void
-check_policy(struct uci_element *e, enum fw3_target *pol, enum fw3_target def,
+check_policy(struct uci_element *e, enum fw3_flag *pol, enum fw3_flag def,
const char *name)
{
- if (*pol == FW3_TARGET_UNSPEC)
+ if (*pol == FW3_FLAG_UNSPEC)
{
warn_elem(e, "has no %s policy specified, using default", name);
*pol = def;
}
- else if (*pol > FW3_TARGET_DROP)
+ else if (*pol > FW3_FLAG_DROP)
{
warn_elem(e, "has invalid %s policy, using default", name);
*pol = def;
if (zone->masq)
{
- setbit(zone->flags[0], FW3_TARGET_SNAT);
+ setbit(zone->flags[0], FW3_FLAG_SNAT);
zone->conntrack = true;
}
if (zone->custom_chains)
{
- setbit(zone->flags[0], FW3_TARGET_SNAT);
- setbit(zone->flags[0], FW3_TARGET_DNAT);
+ setbit(zone->flags[0], FW3_FLAG_SNAT);
+ setbit(zone->flags[0], FW3_FLAG_DNAT);
}
setbit(zone->flags[0], fw3_to_src_target(zone->policy_input));
/* Don't touch user chains on reload */
if (reload)
- delbit(custom_mask, FW3_TARGET_CUSTOM_CHAINS);
+ delbit(custom_mask, FW3_FLAG_CUSTOM_CHAINS);
if (zone->custom_chains)
- set(zone->flags, family, FW3_TARGET_CUSTOM_CHAINS);
+ set(zone->flags, family, FW3_FLAG_CUSTOM_CHAINS);
if (!zone->conntrack && !state->defaults.drop_invalid)
- set(zone->flags, family, FW3_TARGET_NOTRACK);
+ set(zone->flags, family, FW3_FLAG_NOTRACK);
c = fw3_pr_rulespec(table, family, zone->flags, custom_mask, zone_chains,
":%s - [0:0]\n", zone->name);
struct fw3_zone *zone, struct fw3_device *dev,
struct fw3_address *sub, bool reload, bool disable_notrack)
{
- enum fw3_target t;
+ enum fw3_flag t;
#define jump_target(t) \
- ((t == FW3_TARGET_REJECT) ? "reject" : fw3_flag_names[t])
+ ((t == FW3_FLAG_REJECT) ? "reject" : fw3_flag_names[t])
if (table == FW3_TABLE_FILTER)
{
- for (t = FW3_TARGET_ACCEPT; t <= FW3_TARGET_DROP; t++)
+ for (t = FW3_FLAG_ACCEPT; t <= FW3_FLAG_DROP; t++)
{
if (has(zone->flags, family, fw3_to_src_target(t)))
{
}
else if (table == FW3_TABLE_NAT)
{
- if (has(zone->flags, family, FW3_TARGET_DNAT))
+ if (has(zone->flags, family, FW3_FLAG_DNAT))
{
fw3_pr("-A delegate_prerouting");
fw3_format_in_out(dev, NULL);
fw3_pr(" -j zone_%s_prerouting\n", zone->name);
}
- if (has(zone->flags, family, FW3_TARGET_SNAT))
+ if (has(zone->flags, family, FW3_FLAG_SNAT))
{
fw3_pr("-A delegate_postrouting");
fw3_format_in_out(NULL, dev);
struct fw3_address *msrc;
struct fw3_address *mdest;
- enum fw3_target t;
+ enum fw3_flag t;
if (!fw3_is_family(zone, family))
return;
if (zone->log)
{
- for (t = FW3_TARGET_REJECT; t <= FW3_TARGET_DROP; t++)
+ for (t = FW3_FLAG_REJECT; t <= FW3_FLAG_DROP; t++)
{
if (has(zone->flags, family, fw3_to_src_target(t)))
{
/* don't touch user chains on selective stop */
if (reload)
- delbit(custom_mask, FW3_TARGET_CUSTOM_CHAINS);
+ delbit(custom_mask, FW3_FLAG_CUSTOM_CHAINS);
list_for_each_entry_safe(z, tmp, &state->running_zones, running_list)
{
bool running);
#define fw3_to_src_target(t) \
- (FW3_TARGET_SRC_ACCEPT - FW3_TARGET_ACCEPT + t)
+ (FW3_FLAG_SRC_ACCEPT - FW3_FLAG_ACCEPT + t)
#define fw3_free_zone(zone) \
fw3_free_object(zone, fw3_zone_opts)