add support for per-zone user chains

diff --git a/defaults.c b/defaults.c
index 7f3272857548f95c21c6f0aa847dcc7ecd861917..973b3a7cadfa2cab7a6eb0ef4a40a0b6ab177f0f 100644 (file)
--- a/defaults.c
+++ b/defaults.c
@@ -223,9 +223,14 @@ fw3_print_default_head_rules(enum fw3_table table, enum fw3_family family,
 
                if (defs->custom_chains)
                {
-                       fw3_pr("-A delegate_input -j input_rule\n");
-                       fw3_pr("-A delegate_output -j output_rule\n");
-                       fw3_pr("-A delegate_forward -j forwarding_rule\n");
+                       fw3_pr("-A delegate_input -j input_rule "
+                              "-m comment --comment \"user chain for input\"\n");
+
+                       fw3_pr("-A delegate_output -j output_rule "
+                              "-m comment --comment \"user chain for output\"\n");
+
+                       fw3_pr("-A delegate_forward -j forwarding_rule "
+                              "-m comment --comment \"user chain for forwarding\"\n");
                }
 
                for (i = 0; i < ARRAY_SIZE(chains); i++)
@@ -258,8 +263,11 @@ fw3_print_default_head_rules(enum fw3_table table, enum fw3_family family,
        case FW3_TABLE_NAT:
                if (defs->custom_chains)
                {
-                       fw3_pr("-A delegate_prerouting -j prerouting_rule\n");
-                       fw3_pr("-A delegate_postrouting -j postrouting_rule\n");
+                       fw3_pr("-A delegate_prerouting -j prerouting_rule "
+                              "-m comment --comment \"user chain for prerouting\"\n");
+
+                       fw3_pr("-A delegate_postrouting -j postrouting_rule "
+                              "-m comment --comment \"user chain for postrouting\"\n");
                }
                break;
 

diff --git a/main.c b/main.c
index 79d3b0b37acc7b2b33e4ff4ecf1373e5d9807a21..cd821fcd8dadb3d2be9e7f8211e75de4ec243d16 100644 (file)
--- a/main.c
+++ b/main.c
@@ -206,11 +206,11 @@ stop(struct fw3_state *state, bool complete, bool reload)
                        {
                                /* pass 1 */
                                fw3_flush_rules(table, family, false, state, policy);
-                               fw3_flush_zones(table, family, false, state);
+                               fw3_flush_zones(table, family, false, reload, state);
 
                                /* pass 2 */
                                fw3_flush_rules(table, family, true, state, policy);
-                               fw3_flush_zones(table, family, true, state);
+                               fw3_flush_zones(table, family, true, reload, state);
                        }
 
                        fw3_pr("COMMIT\n");

diff --git a/options.h b/options.h
index 2af443b6fbf03d5ae26e76da801b73e0f917d11e..7881375f41b589fc3646dab026a30280e8a17428 100644 (file)
--- a/options.h
+++ b/options.h
@@ -63,13 +63,14 @@ enum fw3_family
 
 enum fw3_target
 {
-       FW3_TARGET_UNSPEC  = 0,
-       FW3_TARGET_ACCEPT  = 6,
-       FW3_TARGET_REJECT  = 7,
-       FW3_TARGET_DROP    = 8,
-       FW3_TARGET_NOTRACK = 9,
-       FW3_TARGET_DNAT    = 10,
-       FW3_TARGET_SNAT    = 11,
+       FW3_TARGET_UNSPEC        = 0,
+       FW3_TARGET_ACCEPT        = 6,
+       FW3_TARGET_REJECT        = 7,
+       FW3_TARGET_DROP          = 8,
+       FW3_TARGET_NOTRACK       = 9,
+       FW3_TARGET_DNAT          = 10,
+       FW3_TARGET_SNAT          = 11,
+       FW3_TARGET_CUSTOM_CHAINS = 12, /* alias to FW3_DEFAULT_CUSTOM_CHAINS */
 };
 
 enum fw3_default

diff --git a/zones.c b/zones.c
index 82b76b4ea6c1834e459a3a17d20415120332de3d..c81125f0eb71f8dd66636f64f689bd125ce21953 100644 (file)
--- a/zones.c
+++ b/zones.c
@@ -47,6 +47,13 @@ static const struct chain dst_chains[] = {
 
        C(V4,  NAT,    SNAT,    "zone_%s_postrouting"),
        C(V4,  NAT,    DNAT,    "zone_%s_prerouting"),
+
+       C(ANY, FILTER, CUSTOM_CHAINS, "input_%s_rule"),
+       C(ANY, FILTER, CUSTOM_CHAINS, "output_%s_rule"),
+       C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_%s_rule"),
+
+       C(V4,  NAT,    CUSTOM_CHAINS, "prerouting_%s_rule"),
+       C(V4,  NAT,    CUSTOM_CHAINS, "postrouting_%s_rule"),
 };
 
 const struct fw3_option fw3_zone_opts[] = {
@@ -165,6 +172,7 @@ fw3_alloc_zone(void)
        INIT_LIST_HEAD(&zone->masq_dest);
 
        zone->enabled = true;
+       zone->custom_chains = true;
        zone->log_limit.rate = 10;
 
        return zone;
@@ -203,6 +211,9 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
                if (!zone->extra_dest)
                        zone->extra_dest = zone->extra_src;
 
+               if (!defs->custom_chains && zone->custom_chains)
+                       zone->custom_chains = false;
+
                if (!zone->name || !*zone->name)
                {
                        warn_elem(e, "has no name - ignoring");
@@ -228,6 +239,12 @@ fw3_load_zones(struct fw3_state *state, struct uci_package *p)
                        zone->conntrack = true;
                }
 
+               if (zone->custom_chains)
+               {
+                       setbit(zone->dst_flags, FW3_TARGET_SNAT);
+                       setbit(zone->dst_flags, FW3_TARGET_DNAT);
+               }
+
                setbit(zone->src_flags, zone->policy_input);
                setbit(zone->dst_flags, zone->policy_output);
                setbit(zone->dst_flags, zone->policy_forward);
@@ -242,20 +259,58 @@ print_zone_chain(enum fw3_table table, enum fw3_family family,
                  struct fw3_zone *zone, struct fw3_state *state)
 {
        bool s, d;
+       uint16_t mask = ~0;
 
        if (!fw3_is_family(zone, family))
                return;
 
        setbit(zone->dst_flags, family);
 
+       /* user chains already loaded, don't create again */
+       if (hasbit(zone->dst_flags, FW3_TARGET_CUSTOM_CHAINS))
+               delbit(mask, FW3_TARGET_CUSTOM_CHAINS);
+
+       if (zone->custom_chains)
+               setbit(zone->dst_flags, FW3_TARGET_CUSTOM_CHAINS);
+
        if (!zone->conntrack && !state->defaults.drop_invalid)
                setbit(zone->dst_flags, FW3_TARGET_NOTRACK);
 
        s = print_chains(table, family, ":%s - [0:0]\n", zone->name,
-                        zone->src_flags, src_chains, ARRAY_SIZE(src_chains));
+                        zone->src_flags & mask,
+                        src_chains, ARRAY_SIZE(src_chains));
 
        d = print_chains(table, family, ":%s - [0:0]\n", zone->name,
-                        zone->dst_flags, dst_chains, ARRAY_SIZE(dst_chains));
+                        zone->dst_flags & mask,
+                        dst_chains, ARRAY_SIZE(dst_chains));
+
+       if (zone->custom_chains)
+       {
+               if (table == FW3_TABLE_FILTER)
+               {
+                       fw3_pr("-A zone_%s_input -j input_%s_rule "
+                                  "-m comment --comment \"user chain for %s input\"\n",
+                              zone->name, zone->name, zone->name);
+
+                       fw3_pr("-A zone_%s_output -j output_%s_rule "
+                                  "-m comment --comment \"user chain for %s output\"\n",
+                              zone->name, zone->name, zone->name);
+
+                       fw3_pr("-A zone_%s_forward -j forwarding_%s_rule "
+                                  "-m comment --comment \"user chain for %s forwarding\"\n",
+                              zone->name, zone->name, zone->name);
+               }
+               else if (table == FW3_TABLE_NAT)
+               {
+                       fw3_pr("-A zone_%s_prerouting -j prerouting_%s_rule "
+                              "-m comment --comment \"user chain for %s prerouting\"\n",
+                              zone->name, zone->name, zone->name);
+
+                       fw3_pr("-A zone_%s_postrouting -j postrouting_%s_rule "
+                              "-m comment --comment \"user chain for %s postrouting\"\n",
+                              zone->name, zone->name, zone->name);
+               }
+       }
 
        if (s || d)
        {
@@ -482,10 +537,15 @@ fw3_print_zone_rules(enum fw3_table table, enum fw3_family family,
 
 void
 fw3_flush_zones(enum fw3_table table, enum fw3_family family,
-                           bool pass2, struct fw3_state *state)
+                           bool pass2, bool reload, struct fw3_state *state)
 {
        struct fw3_zone *z, *tmp;
-       int mask = (1 << FW3_FAMILY_V4) | (1 << FW3_FAMILY_V6);
+       uint16_t mask = ~0;
+       uint16_t families = (1 << FW3_FAMILY_V4) | (1 << FW3_FAMILY_V6);
+
+       /* don't touch user chains on selective stop */
+       if (reload)
+               delbit(mask, FW3_DEFAULT_CUSTOM_CHAINS);
 
        list_for_each_entry_safe(z, tmp, &state->running_zones, running_list)
        {
@@ -493,16 +553,18 @@ fw3_flush_zones(enum fw3_table table, enum fw3_family family,
                        continue;
 
                print_chains(table, family, pass2 ? "-X %s\n" : "-F %s\n",
-                            z->name, z->src_flags, src_chains, ARRAY_SIZE(src_chains));
+                            z->name, z->src_flags & mask,
+                            src_chains, ARRAY_SIZE(src_chains));
 
                print_chains(table, family, pass2 ? "-X %s\n" : "-F %s\n",
-                            z->name, z->dst_flags, dst_chains, ARRAY_SIZE(dst_chains));
+                            z->name, z->dst_flags & mask,
+                            dst_chains, ARRAY_SIZE(dst_chains));
 
                if (pass2)
                {
                        delbit(z->dst_flags, family);
 
-                       if (!(z->dst_flags & mask))
+                       if (!(z->dst_flags & families))
                                fw3_set_running(z, NULL);
                }
        }

diff --git a/zones.h b/zones.h
index 84619c2764cbb22742e26dd488d0087f4d158f17..be331dfc776151d50542b9291c8a2f5e02b3af79 100644 (file)
--- a/zones.h
+++ b/zones.h
@@ -34,7 +34,7 @@ void fw3_print_zone_rules(enum fw3_table table, enum fw3_family family,
                           struct fw3_state *state);
 
 void fw3_flush_zones(enum fw3_table table, enum fw3_family family,
-                     bool pass2, struct fw3_state *state);
+                     bool pass2, bool reload, struct fw3_state *state);
 
 struct fw3_zone * fw3_lookup_zone(struct fw3_state *state, const char *name,
                                   bool running);