Add support for netifd-generated rules

author Steven Barth <steven@midlink.org>

Sun, 13 Apr 2014 16:48:39 +0000 (18:48 +0200)

committer Steven Barth <steven@midlink.org>

Mon, 14 Apr 2014 06:50:30 +0000 (08:50 +0200)
author Steven Barth <steven@midlink.org>
Sun, 13 Apr 2014 16:48:39 +0000 (18:48 +0200)
committer Steven Barth <steven@midlink.org>
Mon, 14 Apr 2014 06:50:30 +0000 (08:50 +0200)
diff --git a/main.c b/main.c

index bc1cfd73c3a885803dc8901e9c9b8b8d93a57591..27d5298191f9e7c894fbfdb6342720a85be2f0b6 100644 (file)
--- a/main.c
+++ b/main.c
@@ -98,12 +98,16 @@ build_state(bool runtime)
                 cfg_state = state;
         }
  
+
+       struct blob_buf b = {NULL, NULL, 0, NULL};
+       fw3_ubus_rules(&b);
+
         fw3_load_defaults(state, p);
         fw3_load_ipsets(state, p);
         fw3_load_zones(state, p);
-       fw3_load_rules(state, p);
+       fw3_load_rules(state, p, b.head);
         fw3_load_redirects(state, p);
-       fw3_load_snats(state, p);
+       fw3_load_snats(state, p, b.head);
         fw3_load_forwards(state, p);
         fw3_load_includes(state, p);
  
diff --git a/options.c b/options.c

index 1dbdca8b9169d4f8411d5965ef7c1ed6775acb54..80e5542a420385a3e393164b2ac1f120982cc31c 100644 (file)
--- a/options.c
+++ b/options.c
@@ -964,6 +964,107 @@ fw3_parse_options(void *s, const struct fw3_option *opts,
  }
  
  
+bool
+fw3_parse_blob_options(void *s, const struct fw3_option *opts,
+                  struct blob_attr *a)
+{
+       char *p, *v, buf[16];
+       bool known;
+       unsigned rem, erem;
+       struct blob_attr *o, *e;
+       const struct fw3_option *opt;
+       struct list_head *dest;
+       bool valid = true;
+
+       blobmsg_for_each_attr(o, a, rem)
+       {
+               known = false;
+
+               for (opt = opts; opt->name; opt++)
+               {
+                       if (!opt->parse)
+                               continue;
+
+                       if (strcmp(opt->name, blobmsg_name(o)))
+                               continue;
+
+                       if (blobmsg_type(o) == BLOBMSG_TYPE_ARRAY)
+                       {
+                               if (!opt->elem_size)
+                               {
+                                       fprintf(stderr, "%s must not be a list\n", opt->name);
+                                       valid = false;
+                               }
+                               else
+                               {
+                                       dest = (struct list_head *)((char *)s + opt->offset);
+
+                                       blobmsg_for_each_attr(e, o, erem)
+                                       {
+                                               if (blobmsg_type(e) == BLOBMSG_TYPE_INT32) {
+                                                       snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(e));
+                                                       v = buf;
+                                               } else {
+                                                       v = blobmsg_get_string(e);
+                                               }
+
+                                               if (!opt->parse(dest, v, true))
+                                               {
+                                                       fprintf(stderr, "%s has invalid value '%s'\n", opt->name, v);
+                                                       valid = false;
+                                                       continue;
+                                               }
+                                       }
+                               }
+                       }
+                       else
+                       {
+                               if (blobmsg_type(o) == BLOBMSG_TYPE_INT32) {
+                                       snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(o));
+                                       v = buf;
+                               } else {
+                                       v = blobmsg_get_string(o);
+                               }
+
+                               if (!v)
+                                       continue;
+
+                               if (!opt->elem_size)
+                               {
+                                       if (!opt->parse((char *)s + opt->offset, v, false))
+                                       {
+                                               fprintf(stderr, "%s has invalid value '%s'\n", opt->name, v);
+                                               valid = false;
+                                       }
+                               }
+                               else
+                               {
+                                       dest = (struct list_head *)((char *)s + opt->offset);
+
+                                       for (p = strtok(v, " \t"); p != NULL; p = strtok(NULL, " \t"))
+                                       {
+                                               if (!opt->parse(dest, p, true))
+                                               {
+                                                       fprintf(stderr, "%s has invalid value '%s'\n", opt->name, p);
+                                                       valid = false;
+                                                       continue;
+                                               }
+                                       }
+                               }
+                       }
+
+                       known = true;
+                       break;
+               }
+
+               if (!known)
+                       fprintf(stderr, "%s is unknown\n", blobmsg_name(o));
+       }
+
+       return valid;
+}
+
+
  const char *
  fw3_address_to_string(struct fw3_address *address, bool allow_invert)
  {
diff --git a/options.h b/options.h

index 30c0a95bdd57f2201c7442408f0b8b5689dc9951..0a2fa7f45c54005b4d3e624e128b9aa9a49018d3 100644 (file)
--- a/options.h
+++ b/options.h
@@ -41,6 +41,7 @@
  
  #include <libubox/list.h>
  #include <libubox/utils.h>
+#include <libubox/blobmsg.h>
  
  #include "icmp_codes.h"
  #include "utils.h"
@@ -558,6 +559,8 @@ bool fw3_parse_direction(void *ptr, const char *val, bool is_list);
  
  bool fw3_parse_options(void *s, const struct fw3_option *opts,
                         struct uci_section *section);
+bool fw3_parse_blob_options(void *s, const struct fw3_option *opts,
+                       struct blob_attr *a);
  
  const char * fw3_address_to_string(struct fw3_address *address,
                                     bool allow_invert);
diff --git a/rules.c b/rules.c

index b41dfac5e6d981e4d032de4cfa0239a09f174526..f45de6eb6e864f7d881ec95c19bbe36bbde18580 100644 (file)
--- a/rules.c
+++ b/rules.c
@@ -72,41 +72,71 @@ need_src_action_chain(struct fw3_rule *r)
         return (r->_src && r->_src->log && (r->target > FW3_FLAG_ACCEPT));
  }
  
+static struct fw3_rule*
+alloc_rule(struct fw3_state *state)
+{
+       struct fw3_rule *rule = calloc(1, sizeof(*rule));
+
+       if (rule) {
+               INIT_LIST_HEAD(&rule->proto);
+
+               INIT_LIST_HEAD(&rule->ip_src);
+               INIT_LIST_HEAD(&rule->mac_src);
+               INIT_LIST_HEAD(&rule->port_src);
+
+               INIT_LIST_HEAD(&rule->ip_dest);
+               INIT_LIST_HEAD(&rule->port_dest);
+
+               INIT_LIST_HEAD(&rule->icmp_type);
+
+               list_add_tail(&rule->list, &state->rules);
+               rule->enabled = true;
+       }
+
+       return rule;
+}
+
  void
-fw3_load_rules(struct fw3_state *state, struct uci_package *p)
+fw3_load_rules(struct fw3_state *state, struct uci_package *p,
+               struct blob_attr *a)
  {
         struct uci_section *s;
         struct uci_element *e;
-       struct fw3_rule *rule;
+       struct fw3_rule *rule, *n;
+       struct blob_attr *entry, *opt;
+       unsigned rem, orem;
  
         INIT_LIST_HEAD(&state->rules);
  
-       uci_foreach_element(&p->sections, e)
-       {
-               s = uci_to_section(e);
+       blob_for_each_attr(entry, a, rem) {
+               const char *type = NULL;
+               blobmsg_for_each_attr(opt, entry, orem)
+                       if (!strcmp(blobmsg_name(opt), "type"))
+                               type = blobmsg_get_string(opt);
  
-               if (strcmp(s->type, "rule"))
+               if (!type || strcmp(type, "rule"))
                         continue;
  
-               rule = malloc(sizeof(*rule));
-
-               if (!rule)
+               if (!(rule = alloc_rule(state)))
                         continue;
  
-               memset(rule, 0, sizeof(*rule));
-
-               INIT_LIST_HEAD(&rule->proto);
-
-               INIT_LIST_HEAD(&rule->ip_src);
-               INIT_LIST_HEAD(&rule->mac_src);
-               INIT_LIST_HEAD(&rule->port_src);
+               if (!fw3_parse_blob_options(rule, fw3_rule_opts, entry))
+               {
+                       fprintf(stderr, "ubus section skipped due to invalid options\n");
+                       fw3_free_rule(rule);
+                       continue;
+               }
+       }
  
-               INIT_LIST_HEAD(&rule->ip_dest);
-               INIT_LIST_HEAD(&rule->port_dest);
+       uci_foreach_element(&p->sections, e)
+       {
+               s = uci_to_section(e);
  
-               INIT_LIST_HEAD(&rule->icmp_type);
+               if (strcmp(s->type, "rule"))
+                       continue;
  
-               rule->enabled = true;
+               if (!(rule = alloc_rule(state)))
+                       continue;
  
                 if (!fw3_parse_options(rule, fw3_rule_opts, s))
                 {
@@ -114,7 +144,10 @@ fw3_load_rules(struct fw3_state *state, struct uci_package *p)
                         fw3_free_rule(rule);
                         continue;
                 }
+       }
  
+       list_for_each_entry_safe(rule, n, &state->rules, list)
+       {
                 if (!rule->enabled)
                 {
                         fw3_free_rule(rule);
@@ -219,9 +252,6 @@ fw3_load_rules(struct fw3_state *state, struct uci_package *p)
                         setbit(rule->_src->flags[0], fw3_to_src_target(rule->target));
                         setbit(rule->_src->flags[1], fw3_to_src_target(rule->target));
                 }
-
-               list_add_tail(&rule->list, &state->rules);
-               continue;
         }
  }
  
diff --git a/rules.h b/rules.h

index 6d332fc61e5ca3002a49a70bc79a9f0335936994..bdd36a2fa2965a0c6dd1ea76260ae43fa7eddbaf 100644 (file)
--- a/rules.h
+++ b/rules.h
@@ -27,10 +27,13 @@
  
  extern const struct fw3_option fw3_rule_opts[];
  
-void fw3_load_rules(struct fw3_state *state, struct uci_package *p);
+void fw3_load_rules(struct fw3_state *state, struct uci_package *p, struct blob_attr *a);
  void fw3_print_rules(struct fw3_ipt_handle *handle, struct fw3_state *state);
  
-#define fw3_free_rule(rule) \
-       fw3_free_object(rule, fw3_rule_opts)
+static inline void fw3_free_rule(struct fw3_rule *rule)
+{
+       list_del(&rule->list);
+       fw3_free_object(rule, fw3_rule_opts);
+}
  
  #endif
diff --git a/snats.c b/snats.c

index 1e0119265e6ddb896f0da68b2ab043c27dd1e3c3..7dae2eef0774871d47d0e8f2e6baa946aa743af0 100644 (file)
--- a/snats.c
+++ b/snats.c
@@ -104,32 +104,62 @@ check_families(struct uci_element *e, struct fw3_snat *r)
         return true;
  }
  
+
+static struct fw3_snat*
+alloc_snat(struct fw3_state *state)
+{
+       struct fw3_snat *snat = calloc(1, sizeof(*snat));
+
+       if (snat) {
+               INIT_LIST_HEAD(&snat->proto);
+               list_add_tail(&snat->list, &state->snats);
+               snat->enabled = true;
+       }
+
+       return snat;
+}
+
+
  void
-fw3_load_snats(struct fw3_state *state, struct uci_package *p)
+fw3_load_snats(struct fw3_state *state, struct uci_package *p, struct blob_attr *a)
  {
         struct uci_section *s;
         struct uci_element *e;
-       struct fw3_snat *snat;
+       struct fw3_snat *snat, *n;
+       struct blob_attr *rule, *opt;
+       unsigned rem, orem;
  
         INIT_LIST_HEAD(&state->snats);
  
-       uci_foreach_element(&p->sections, e)
-       {
-               s = uci_to_section(e);
+       blob_for_each_attr(rule, a, rem) {
+               const char *type = NULL;
+               blobmsg_for_each_attr(opt, rule, orem)
+                       if (!strcmp(blobmsg_name(opt), "type"))
+                               type = blobmsg_get_string(opt);
  
-               if (strcmp(s->type, "nat"))
+               if (!type || strcmp(type, "nat"))
                         continue;
  
-               snat = malloc(sizeof(*snat));
+               if (!(snat = alloc_snat(state)))
+                       continue;
  
-               if (!snat)
+               if (!fw3_parse_blob_options(snat, fw3_snat_opts, rule))
+               {
+                       fprintf(stderr, "ubus section skipped due to invalid options\n");
+                       fw3_free_snat(snat);
                         continue;
+               }
+       }
  
-               memset(snat, 0, sizeof(*snat));
+       uci_foreach_element(&p->sections, e)
+       {
+               s = uci_to_section(e);
  
-               INIT_LIST_HEAD(&snat->proto);
+               if (strcmp(s->type, "nat"))
+                       continue;
  
-               snat->enabled = true;
+               if (!(snat = alloc_snat(state)))
+                       continue;
  
                 if (!fw3_parse_options(snat, fw3_snat_opts, s))
                 {
@@ -137,7 +167,10 @@ fw3_load_snats(struct fw3_state *state, struct uci_package *p)
                         fw3_free_snat(snat);
                         continue;
                 }
+       }
  
+       list_for_each_entry_safe(snat, n, &state->snats, list)
+       {
                 if (!snat->enabled)
                 {
                         fw3_free_snat(snat);
@@ -220,8 +253,6 @@ fw3_load_snats(struct fw3_state *state, struct uci_package *p)
                         set(snat->_src->flags, FW3_FAMILY_V4, FW3_FLAG_SNAT);
                         snat->_src->conntrack = true;
                 }
-
-               list_add_tail(&snat->list, &state->snats);
         }
  }
  
diff --git a/snats.h b/snats.h

index 00d14060b08cbf8ebeb14fd254fcd3471181efac..cf51151b92076943cca0bb0a06bb6d092f2f5e05 100644 (file)
--- a/snats.h
+++ b/snats.h
@@ -27,10 +27,13 @@
  
  extern const struct fw3_option fw3_snat_opts[];
  
-void fw3_load_snats(struct fw3_state *state, struct uci_package *p);
+void fw3_load_snats(struct fw3_state *state, struct uci_package *p, struct blob_attr *a);
  void fw3_print_snats(struct fw3_ipt_handle *handle, struct fw3_state *state);
  
-#define fw3_free_snat(redir) \
-       fw3_free_object(redir, fw3_snat_opts)
+static inline void fw3_free_snat(struct fw3_snat *snat)
+{
+       list_del(&snat->list);
+       fw3_free_object(snat, fw3_snat_opts);
+}
  
  #endif
diff --git a/ubus.c b/ubus.c

index f8b0143d7fa8a5f8efa31a89da26f8769f7dadfc..ec6d84f89c0873f714893c044475cf374b6ede1a 100644 (file)
--- a/ubus.c
+++ b/ubus.c
@@ -212,3 +212,43 @@ fw3_ubus_zone_devices(struct fw3_zone *zone)
                         fw3_parse_device(&zone->networks, name, true);
         }
  }
+
+void
+fw3_ubus_rules(struct blob_buf *b)
+{
+       blob_buf_init(b, 0);
+
+       struct blob_attr *c, *cur, *dcur, *rule, *ropt;
+       unsigned r, rem, drem, rrem, orem;
+
+       blobmsg_for_each_attr(c, interfaces, r) {
+               const char *l3_device = NULL;
+               struct blob_attr *data = NULL;
+
+               blobmsg_for_each_attr(cur, c, rem) {
+                       if (!strcmp(blobmsg_name(cur), "l3_device"))
+                               l3_device = blobmsg_get_string(cur);
+                       else if (!strcmp(blobmsg_name(cur), "data"))
+                               data = cur;
+               }
+
+               if (!data || !l3_device)
+                       continue;
+
+               blobmsg_for_each_attr(dcur, data, drem) {
+                       if (strcmp(blobmsg_name(dcur), "firewall"))
+                               continue;
+
+                       blobmsg_for_each_attr(rule, dcur, rrem) {
+                               void *k = blobmsg_open_table(b, "");
+
+                               blobmsg_for_each_attr(ropt, rule, orem)
+                                       if (strcmp(blobmsg_name(ropt), "device"))
+                                               blobmsg_add_blob(b, ropt);
+
+                               blobmsg_add_string(b, "device", l3_device);
+                               blobmsg_close_table(b, k);
+                       }
+               }
+       }
+}
diff --git a/ubus.h b/ubus.h

index 4c104812757d17f274403657b3166f263e94be93..35eac906d130fa40ceb476877e963f36e3160f99 100644 (file)
--- a/ubus.h
+++ b/ubus.h
@@ -34,4 +34,6 @@ struct list_head * fw3_ubus_address(const char *net);
  
  void fw3_ubus_zone_devices(struct fw3_zone *zone);
  
+void fw3_ubus_rules(struct blob_buf *b);
+
  #endif
author	Steven Barth <steven@midlink.org>
	Sun, 13 Apr 2014 16:48:39 +0000 (18:48 +0200)
committer	Steven Barth <steven@midlink.org>
	Mon, 14 Apr 2014 06:50:30 +0000 (08:50 +0200)
main.c		patch \| blob \| history
options.c		patch \| blob \| history
options.h		patch \| blob \| history
rules.c		patch \| blob \| history
rules.h		patch \| blob \| history
snats.c		patch \| blob \| history
snats.h		patch \| blob \| history
ubus.c		patch \| blob \| history
ubus.h		patch \| blob \| history