From: Jo-Philipp Wich Date: Sat, 27 Apr 2013 15:20:56 +0000 (+0200) Subject: Split runtime and config states, store runtime state in UCI format X-Git-Url: https://git.librecmc.org/?a=commitdiff_plain;h=ebe3dbe3e8063ed63011bf505fc371d6b0f88aad;p=oweals%2Ffirewall3.git Split runtime and config states, store runtime state in UCI format --- diff --git a/defaults.c b/defaults.c index b5a94e6..f87ac92 100644 --- a/defaults.c +++ b/defaults.c @@ -83,6 +83,9 @@ const struct fw3_option fw3_flag_opts[] = { FW3_OPT("custom_chains", bool, defaults, custom_chains), FW3_OPT("disable_ipv6", bool, defaults, disable_ipv6), + FW3_OPT("__flags_v4", int, defaults, flags[0]), + FW3_OPT("__flags_v6", int, defaults, flags[1]), + { } }; diff --git a/ipsets.c b/ipsets.c index af03ddc..ecccd69 100644 --- a/ipsets.c +++ b/ipsets.c @@ -353,8 +353,6 @@ create_ipset(struct fw3_ipset *ipset, struct fw3_state *state) fw3_pr(" hashsize %u", ipset->hashsize); fw3_pr("\n"); - - fw3_set_running(ipset, &state->running_ipsets); } void @@ -378,7 +376,7 @@ fw3_destroy_ipsets(struct fw3_state *state, enum fw3_family family) { struct fw3_ipset *s, *tmp; - list_for_each_entry_safe(s, tmp, &state->running_ipsets, running_list) + list_for_each_entry_safe(s, tmp, &state->ipsets, list) { del(s->flags, family, family); @@ -388,8 +386,6 @@ fw3_destroy_ipsets(struct fw3_state *state, enum fw3_family family) fw3_pr("flush %s\n", s->name); fw3_pr("destroy %s\n", s->name); - - fw3_set_running(s, NULL); } } } @@ -407,10 +403,7 @@ fw3_lookup_ipset(struct fw3_state *state, const char *name, bool running) if (strcmp(s->name, name)) continue; - if (!running || s->running_list.next) - return s; - - break; + return s; } return NULL; diff --git a/main.c b/main.c index d4d7b7b..5580c7d 100644 --- a/main.c +++ b/main.c 
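Review bot: The new `__flags_v4`/`__flags_v6` entries in fw3_flag_opts make the runtime flag words settable from /etc/config/firewall as well, because build_state() parses the config package and the statefile package through the same option table. A config author, or any tool that writes the config, can therefore pre-set `defaults.flags` in cfg_state, and start() later writes those bits into the statefile as if they were observed runtime state; the fw3_zone_opts entries added in zones.c (later on this page) have the same property for per-zone flags. If these options are meant to be internal, either skip them when the package being loaded is not the statefile or at least document the convention next to the entries: `/* __flags_*: internal runtime state written by fw3_write_statefile(); not a user option */`.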
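Review bot: The `running` parameter of fw3_lookup_ipset() is now dead: the loop returns the first name match unconditionally, so callers passing `true` no longer get the "only if currently running" semantics the name promises. fw3_lookup_zone() in zones.c (later on this page) has the same leftover. Either drop the parameter from both prototypes and their callers, or keep it for API stability and say so explicitly: `(void)running; /* running/config distinction is now carried by run_state vs cfg_state */`.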
@@ -31,17 +31,17 @@ static bool print_rules = false; -static enum fw3_family use_family = FW3_FAMILY_ANY; +static struct fw3_state *run_state = NULL; +static struct fw3_state *cfg_state = NULL; -static struct fw3_state * -build_state(void) + +static bool +build_state(bool runtime) { struct fw3_state *state = NULL; struct uci_package *p = NULL; - - if (!fw3_ubus_connect()) - error("Failed to connect to ubus"); + FILE *sf; state = malloc(sizeof(*state)); @@ -54,20 +54,47 @@ build_state(void) if (!state->uci) error("Out of memory"); - if (uci_load(state->uci, "firewall", &p)) + if (runtime) { - uci_perror(state->uci, NULL); - error("Failed to load /etc/config/firewall"); - } + sf = fopen(FW3_STATEFILE, "r"); - if (!fw3_find_command("ipset")) - { - warn("Unable to locate ipset utility, disabling ipset support"); - state->disable_ipsets = true; + if (sf) + { + uci_import(state->uci, sf, "fw3_state", &p, true); + fclose(sf); + } + + if (!p) + { + uci_free_context(state->uci); + free(state); + + return false; + } + + state->statefile = true; + + run_state = state; } + else + { + if (!fw3_ubus_connect()) + error("Failed to connect to ubus"); + + if (uci_load(state->uci, "firewall", &p)) + { + uci_perror(state->uci, NULL); + error("Failed to load /etc/config/firewall"); + } - INIT_LIST_HEAD(&state->running_zones); - INIT_LIST_HEAD(&state->running_ipsets); + if (!fw3_find_command("ipset")) + { + warn("Unable to locate ipset utility, disabling ipset support"); + state->disable_ipsets = true; + } + + cfg_state = state; + } fw3_load_defaults(state, p); fw3_load_ipsets(state, p); @@ -77,9 +104,7 @@ build_state(void) fw3_load_forwards(state, p); fw3_load_includes(state, p); - state->statefile = fw3_read_statefile(state); - - return state; + return true; } static void 
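Review bot: build_state() now has two quite different contracts selected by `runtime` and reports its result through the file-scope `run_state`/`cfg_state` rather than its return value, but carries no comment, and main() discards the bool anyway. A header comment would save the next reader from re-deriving it, along the lines of: `/* runtime=true: load FW3_STATEFILE into run_state; returns false (run_state stays NULL) when there is no usable statefile. runtime=false: load /etc/config/firewall into cfg_state; calls error() on any failure. */`. On the runtime path the result of uci_import() is not checked and only `p` is, which is sufficient only if uci_import() never hands back a package on a failed import; that is worth confirming against the libuci version in use. The function body spans all three main.c hunks on this line.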
@@ -133,20 +158,17 @@ restore_pipe(enum fw3_family family, bool silent) } static bool -family_running(struct fw3_state *state, enum fw3_family family) -{ - return has(state->defaults.flags, family, family); -} - -static bool -family_used(enum fw3_family family) +family_running(enum fw3_family family) { - return (use_family == FW3_FAMILY_ANY) || (use_family == family); + return (run_state && has(run_state->defaults.flags, family, family)); } static void family_set(struct fw3_state *state, enum fw3_family family, bool set) { + if (!state) + return; + if (set) set(state->defaults.flags, family, family); else @@ -154,7 +176,7 @@ family_set(struct fw3_state *state, enum fw3_family family, bool set) } static int -stop(struct fw3_state *state, bool complete, bool reload) +stop(bool complete, bool reload) { FILE *ct; @@ -162,7 +184,7 @@ stop(struct fw3_state *state, bool complete, bool reload) enum fw3_family family; enum fw3_table table; - if (!complete && !state->statefile) + if (!complete && !run_state) { if (!reload) warn("The firewall appears to be stopped. " @@ -171,15 +193,15 @@ stop(struct fw3_state *state, bool complete, bool reload) return rv; } - if (!print_rules) - fw3_hotplug_zones(state, false); + if (!print_rules && run_state) + fw3_hotplug_zones(run_state, false); for (family = FW3_FAMILY_V4; family <= FW3_FAMILY_V6; family++) { - if (!complete && !family_running(state, family)) + if (!complete && !family_running(family)) continue; - if (!family_used(family) || !restore_pipe(family, true)) + if (!restore_pipe(family, true)) continue; for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++) 
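Review bot: The new `if (!state) return;` guard in family_set() is load-bearing rather than defensive: start() and stop() pass `run_state` unconditionally, and run_state is NULL whenever build_state(true) found no statefile, so a reader who later "tidies" the guard away introduces a NULL dereference. A one-line comment would make that explicit: `/* state may be run_state, which is NULL when no statefile exists */`. family_running() in the same hunk encodes the same assumption with its `run_state &&` test.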
@@ -196,15 +218,15 @@ stop(struct fw3_state *state, bool complete, bool reload) { fw3_flush_all(table); } - else + else if (run_state) { /* pass 1 */ - fw3_flush_rules(state, family, table, reload, false); - fw3_flush_zones(state, family, table, reload, false); + fw3_flush_rules(run_state, family, table, reload, false); + fw3_flush_zones(run_state, family, table, reload, false); /* pass 2 */ - fw3_flush_rules(state, family, table, reload, true); - fw3_flush_zones(state, family, table, reload, true); + fw3_flush_rules(run_state, family, table, reload, true); + fw3_flush_zones(run_state, family, table, reload, true); } fw3_pr("COMMIT\n"); @@ -212,15 +234,16 @@ stop(struct fw3_state *state, bool complete, bool reload) fw3_command_close(); - if (!reload) + if (!reload && run_state) { if (fw3_command_pipe(false, "ipset", "-exist", "-")) { - fw3_destroy_ipsets(state, family); + fw3_destroy_ipsets(run_state, family); fw3_command_close(); } - family_set(state, family, false); + family_set(run_state, family, false); + family_set(cfg_state, family, false); } rv = 0; @@ -234,14 +257,14 @@ stop(struct fw3_state *state, bool complete, bool reload) fclose(ct); } - if (!rv) - fw3_write_statefile(state); + if (!rv && run_state) + fw3_write_statefile(run_state); return rv; } static int -start(struct fw3_state *state, bool reload) +start(bool reload) { int rv = 1; enum fw3_family family; 
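Review bot: `fw3_destroy_ipsets(run_state, family)` in the stop path can only see ipsets that were loaded from the statefile, and as far as the hunks on this page show, fw3_write_statefile() now emits only `defaults` and `zone` sections (write_defaults_uci/write_zone_uci in utils.c), so `run_state->ipsets` is always empty and the call destroys nothing. Sets created by start() would then survive a stop, whereas the old statefile format recorded FW3_TYPE_IPSET entries for exactly this purpose. If this is a deliberate intermediate step, a comment at the call site would prevent it being mistaken for working code, e.g. `/* TODO: ipsets are not yet recorded in the statefile, so nothing is destroyed here */`; otherwise the writer needs a `write_ipset_uci()` counterpart and fw3_load_ipsets() has to accept its output. stop() begins in the previous hunk and ends in the next one.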
@@ -251,17 +274,17 @@ start(struct fw3_state *state, bool reload) { if (fw3_command_pipe(false, "ipset", "-exist", "-")) { - fw3_create_ipsets(state); + fw3_create_ipsets(cfg_state); fw3_command_close(); } } for (family = FW3_FAMILY_V4; family <= FW3_FAMILY_V6; family++) { - if (!family_used(family)) + if (family == FW3_FAMILY_V6 && cfg_state->defaults.disable_ipv6) continue; - if (!print_rules && !reload && family_running(state, family)) + if (!print_rules && !reload && family_running(family)) { warn("The %s firewall appears to be started already. " "If it is indeed empty, remove the %s file and retry.", 
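Review bot: `-4`/`-6` no longer affect which families start() emits: the replacement condition `family == FW3_FAMILY_V6 && cfg_state->defaults.disable_ipv6` only honours the config setting, family_used() is gone, and the `use_family` local in main() (later hunk on this page) is consulted only for the disable_ipv6 warning. Yet usage() in the next main.c hunk still advertises `fw3 [-4] [-6] [-q] print`, so `fw3 -6 print` will print both families. Either re-add a family filter here for the print case, e.g. `if (print_rules && use_family != FW3_FAMILY_ANY && use_family != family) continue;` (which requires use_family to be file-scope again or passed in), or drop the flags from usage() and getopt(). start() continues in the next hunk.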
@@ -282,34 +305,35 @@ start(struct fw3_state *state, bool reload) fw3_flag_names[family], fw3_flag_names[table]); fw3_pr("*%s\n", fw3_flag_names[table]); - fw3_print_default_chains(state, family, table, reload); - fw3_print_zone_chains(state, family, table, reload); - fw3_print_default_head_rules(state, family, table, reload); - fw3_print_rules(state, family, table); - fw3_print_redirects(state, family, table); - fw3_print_forwards(state, family, table); - fw3_print_zone_rules(state, family, table, reload); - fw3_print_default_tail_rules(state, family, table, reload); + fw3_print_default_chains(cfg_state, family, table, reload); + fw3_print_zone_chains(cfg_state, family, table, reload); + fw3_print_default_head_rules(cfg_state, family, table, reload); + fw3_print_rules(cfg_state, family, table); + fw3_print_redirects(cfg_state, family, table); + fw3_print_forwards(cfg_state, family, table); + fw3_print_zone_rules(cfg_state, family, table, reload); + fw3_print_default_tail_rules(cfg_state, family, table, reload); fw3_pr("COMMIT\n"); } - fw3_print_includes(state, family, reload); + fw3_print_includes(cfg_state, family, reload); fw3_command_close(); - family_set(state, family, true); + family_set(run_state, family, true); + family_set(cfg_state, family, true); rv = 0; } if (!rv) { - fw3_set_defaults(state); + fw3_set_defaults(cfg_state); if (!print_rules) { - fw3_run_includes(state, reload); - fw3_hotplug_zones(state, true); - fw3_write_statefile(state); + fw3_run_includes(cfg_state, reload); + fw3_hotplug_zones(cfg_state, true); + fw3_write_statefile(cfg_state); } } @@ -317,12 +341,12 @@ start(struct fw3_state *state, bool reload) } static int -lookup_network(struct fw3_state *state, const char *net) +lookup_network(const char *net) { struct fw3_zone *z; struct fw3_device *d; - list_for_each_entry(z, &state->zones, list) + list_for_each_entry(z, &cfg_state->zones, list) { list_for_each_entry(d, &z->networks, list) { 
@@ -338,12 +362,12 @@ lookup_network(struct fw3_state *state, const char *net) } static int -lookup_device(struct fw3_state *state, const char *dev) +lookup_device(const char *dev) { struct fw3_zone *z; struct fw3_device *d; - list_for_each_entry(z, &state->zones, list) + list_for_each_entry(z, &cfg_state->zones, list) { list_for_each_entry(d, &z->devices, list) { @@ -361,7 +385,8 @@ lookup_device(struct fw3_state *state, const char *dev) static int usage(void) { - fprintf(stderr, "fw3 [-4] [-6] [-q] {start|stop|flush|reload|restart|print}\n"); + fprintf(stderr, "fw3 [-4] [-6] [-q] print\n"); + fprintf(stderr, "fw3 [-q] {start|stop|flush|reload|restart}\n"); fprintf(stderr, "fw3 [-q] network {net}\n"); fprintf(stderr, "fw3 [-q] device {dev}\n"); @@ -372,8 +397,8 @@ usage(void) int main(int argc, char **argv) { int ch, rv = 1; - struct fw3_state *state = NULL; struct fw3_defaults *defs = NULL; + enum fw3_family use_family = FW3_FAMILY_ANY; while ((ch = getopt(argc, argv, "46dqh")) != -1) { @@ -401,8 +426,9 @@ int main(int argc, char **argv) } } - state = build_state(); - defs = &state->defaults; + build_state(false); + build_state(true); + defs = &cfg_state->defaults; if (optind >= argc) { @@ -410,26 +436,25 @@ int main(int argc, char **argv) goto out; } - if (use_family == FW3_FAMILY_V6 && defs->disable_ipv6) - warn("IPv6 rules globally disabled in configuration"); - if (!strcmp(argv[optind], "print")) { if (use_family == FW3_FAMILY_ANY) use_family = FW3_FAMILY_V4; + else if (use_family == FW3_FAMILY_V6 && defs->disable_ipv6) + warn("IPv6 rules globally disabled in configuration"); freopen("/dev/null", "w", stderr); - state->disable_ipsets = true; + cfg_state->disable_ipsets = true; print_rules = true; - rv = start(state, false); + rv = start(false); } else if (!strcmp(argv[optind], "start")) { if (fw3_lock()) { - rv = start(state, false); + rv = start(false); fw3_unlock(); } } 
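Review bot: `build_state(false); build_state(true);` discard both return values; for the config state that is acceptable only because every failure path in build_state(false) calls error(), and for the runtime state `false` just means "no statefile", so the later `run_state` NULL checks carry that meaning. A short comment here would keep that intent visible: `/* cfg_state is mandatory (error() on failure); run_state stays NULL when there is no statefile */`. Both states are also read before fw3_lock() is taken in the command branches, so a concurrent fw3 invocation that rewrites FW3_STATEFILE between this read and the lock leaves this process acting on stale runtime state; that ordering predates the commit, but the old restart branch re-read the statefile under the lock and the new one (next line) does not, so it is worth checking whether build_state(true) can move after fw3_lock().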
@@ -437,7 +462,7 @@ int main(int argc, char **argv) { if (fw3_lock()) { - rv = stop(state, false, false); + rv = stop(false, false); fw3_unlock(); } } @@ -445,7 +470,7 @@ int main(int argc, char **argv) { if (fw3_lock()) { - rv = stop(state, true, false); + rv = stop(true, false); fw3_unlock(); } } @@ -453,11 +478,8 @@ int main(int argc, char **argv) { if (fw3_lock()) { - stop(state, true, false); - free_state(state); - - state = build_state(); - rv = start(state, false); + stop(true, false); + rv = start(false); fw3_unlock(); } @@ -466,19 +488,19 @@ int main(int argc, char **argv) { if (fw3_lock()) { - rv = stop(state, false, true); - rv = start(state, !rv); + rv = stop(false, true); + rv = start(!rv); fw3_unlock(); } } else if (!strcmp(argv[optind], "network") && (optind + 1) < argc) { - rv = lookup_network(state, argv[optind + 1]); + rv = lookup_network(argv[optind + 1]); } else if (!strcmp(argv[optind], "device") && (optind + 1) < argc) { - rv = lookup_device(state, argv[optind + 1]); + rv = lookup_device(argv[optind + 1]); } else { @@ -486,8 +508,11 @@ int main(int argc, char **argv) } out: - if (state) - free_state(state); + if (cfg_state) + free_state(cfg_state); + + if (run_state) + free_state(run_state); return rv; } diff --git a/options.h b/options.h index 3fb7a9c..0ce9152 100644 --- a/options.h +++ b/options.h @@ -261,7 +261,6 @@ struct fw3_defaults struct fw3_zone { struct list_head list; - struct list_head running_list; bool enabled; const char *name; @@ -276,9 +275,6 @@ struct fw3_zone struct list_head devices; struct list_head subnets; - struct list_head running_networks; - struct list_head running_devices; - const char *extra_src; const char *extra_dest; @@ -397,7 +393,6 @@ struct fw3_forward struct fw3_ipset { struct list_head list; - struct list_head running_list; bool enabled; const char *name; @@ -423,7 +418,6 @@ struct fw3_ipset struct fw3_include { struct list_head list; - struct list_head running_list; bool enabled; const char *name; 
@@ -446,9 +440,6 @@ struct fw3_state struct list_head ipsets; struct list_head includes; - struct list_head running_zones; - struct list_head running_ipsets; - bool disable_ipsets; bool statefile; }; diff --git a/utils.c b/utils.c index e7a2215..9f57e9f 100644 --- a/utils.c +++ b/utils.c 
@@ -348,122 +348,166 @@ fw3_unlock(void) } -bool -fw3_read_statefile(void *state) +static void +write_defaults_uci(struct uci_context *ctx, struct fw3_defaults *d, + struct uci_package *dest) { - FILE *sf; + char buf[8]; + struct uci_ptr ptr = { .p = dest }; + + uci_add_section(ctx, dest, "defaults", &ptr.s); + + sprintf(buf, "%u", d->flags[0]); + ptr.o = NULL; + ptr.option = "__flags_v4"; + ptr.value = buf; + uci_set(ctx, &ptr); + + sprintf(buf, "%u", d->flags[1]); + ptr.o = NULL; + ptr.option = "__flags_v6"; + ptr.value = buf; + uci_set(ctx, &ptr); +} - int type; - char line[128]; - const char *p, *name; +static void +write_zone_uci(struct uci_context *ctx, struct fw3_zone *z, + struct uci_package *dest) +{ + struct fw3_device *dev; + struct fw3_address *sub; + enum fw3_family fam = FW3_FAMILY_ANY; - uint32_t flags[2]; + char addr[INET6_ADDRSTRLEN]; + char buf[INET6_ADDRSTRLEN * 2 + 2]; + char *p; - struct fw3_state *s = state; - struct fw3_zone *zone; - struct fw3_ipset *ipset; - struct fw3_device *net, *dev; + struct uci_ptr ptr = { .p = dest }; - sf = fopen(FW3_STATEFILE, "r"); + if (!z->enabled) + return; - if (!sf) - return false; + if (fw3_no_table(z->flags[0]) && !fw3_no_table(z->flags[1])) + fam = FW3_FAMILY_V6; + else if (!fw3_no_table(z->flags[0]) && fw3_no_table(z->flags[1])) + fam = FW3_FAMILY_V4; + else if (fw3_no_table(z->flags[0]) && fw3_no_table(z->flags[1])) + return; - while (fgets(line, sizeof(line), sf)) + uci_add_section(ctx, dest, "zone", &ptr.s); + + ptr.o = NULL; + ptr.option = "name"; + ptr.value = z->name; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "input"; + ptr.value = fw3_flag_names[z->policy_input]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "output"; + ptr.value = fw3_flag_names[z->policy_output]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "forward"; + ptr.value = fw3_flag_names[z->policy_forward]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "masq"; + ptr.value = z->masq ? 
"1" : "0"; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "conntrack"; + ptr.value = z->conntrack ? "1" : "0"; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "mtu_fix"; + ptr.value = z->mtu_fix ? "1" : "0"; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "custom_chains"; + ptr.value = z->custom_chains ? "1" : "0"; + uci_set(ctx, &ptr); + + if (fam != FW3_FAMILY_ANY) { - p = strtok(line, " \t\n"); - - if (!p) - continue; - - type = strtoul(p, NULL, 16); - name = strtok(NULL, " \t\n"); - - if (!name) - continue; - - if (!(p = strtok(NULL, " \t\n"))) - continue; + ptr.o = NULL; + ptr.option = "family"; + ptr.value = fw3_flag_names[fam]; + uci_set(ctx, &ptr); + } - flags[0] = strtoul(p, NULL, 16); + ptr.o = NULL; + ptr.option = "device"; - if (!(p = strtok(NULL, " \t\n"))) + fw3_foreach(dev, &z->devices) + { + if (!dev) continue; - flags[1] = strtoul(p, NULL, 16); + p = buf; - switch (type) - { - case FW3_TYPE_DEFAULTS: - s->defaults.flags[0] = flags[0]; - s->defaults.flags[1] = flags[1]; - break; - - case FW3_TYPE_ZONE: - if (!(zone = fw3_lookup_zone(state, name, false))) - { - zone = fw3_alloc_zone(); - - if (!zone) - continue; + if (dev->invert) + p += sprintf(p, "!"); - zone->name = strdup(name); - list_add_tail(&zone->list, &s->zones); + p += sprintf(p, "%s", dev->name); - setbit(flags[0], FW3_FLAG_DELETED); - } - - zone->flags[0] = flags[0]; - zone->flags[1] = flags[1]; - list_add_tail(&zone->running_list, &s->running_zones); - break; - - case FW3_TYPE_IPSET: - if (!(ipset = fw3_lookup_ipset(state, name, false))) - { - ipset = fw3_alloc_ipset(); - - if (!ipset) - continue; + ptr.value = buf; + uci_add_list(ctx, &ptr); + } - ipset->name = strdup(name); - list_add_tail(&ipset->list, &s->ipsets); + ptr.o = NULL; + ptr.option = "subnet"; - setbit(flags[0], FW3_FLAG_DELETED); - } - - ipset->flags[0] = flags[0]; - ipset->flags[1] = flags[1]; - list_add_tail(&ipset->running_list, &s->running_ipsets); - break; + fw3_foreach(sub, &z->subnets) + { + 
if (!sub) + continue; - case FW3_TYPE_NETWORK: - if (!(zone = fw3_lookup_zone(state, name, false))) - continue; + p = buf; - if (!(p = strtok(NULL, " \t\n")) || !(name = strtok(NULL, " \t\n"))) - continue; + if (sub->invert) + p += sprintf(p, "!"); - if (!(net = malloc(sizeof(*net)))) - continue; + inet_ntop(sub->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6, + &sub->address.v4, addr, sizeof(addr)); - memset(net, 0, sizeof(*net)); - snprintf(net->name, sizeof(net->name), "%s", p); - list_add_tail(&net->list, &zone->running_networks); + p += sprintf(p, "%s", addr); - if (!(dev = malloc(sizeof(*dev)))) - continue; + if (sub->range) + { + inet_ntop(sub->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6, + &sub->address2.v4, addr, sizeof(addr)); - memset(dev, 0, sizeof(*dev)); - dev->network = net; - snprintf(dev->name, sizeof(dev->name), "%s", name); - list_add_tail(&dev->list, &zone->running_devices); + p += sprintf(p, "-%s", addr); + } + else + { + p += sprintf(p, "/%u", sub->mask); } - } - fclose(sf); + ptr.value = buf; + uci_add_list(ctx, &ptr); + } - return true; + sprintf(buf, "%u", z->flags[0]); + ptr.o = NULL; + ptr.option = "__flags_v4"; + ptr.value = buf; + uci_set(ctx, &ptr); + + sprintf(buf, "%u", z->flags[1]); + ptr.o = NULL; + ptr.option = "__flags_v6"; + ptr.value = buf; + uci_set(ctx, &ptr); } void 
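Review bot: `char buf[8]` in write_defaults_uci() is too small for `sprintf(buf, "%u", d->flags[0])`: if the flag words are 32-bit, as the old reader's `uint32_t flags[2]` suggests, a value with any bit at position 24 or above needs up to 10 digits plus the terminator and overflows the stack buffer. Size it for the worst case and bound the write: `char buf[16];` and `snprintf(buf, sizeof(buf), "%u", d->flags[0]);` (likewise for flags[1]). write_zone_uci() uses the same unbounded sprintf pattern on its 94-byte `buf`; the address arithmetic fits (`!` plus two INET6_ADDRSTRLEN strings plus `-` and NUL is 93), but the `dev->name` copy in the device loop depends on the size of that field, which is not visible here, so `snprintf` with the remaining length would be safer there as well. Note also that the value is written with `%u` but read back through an `int` option, so words with bit 31 set would not round-trip.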
@@ -471,85 +515,46 @@ fw3_write_statefile(void *state) { FILE *sf; struct fw3_state *s = state; - struct fw3_defaults *defs = &s->defaults; struct fw3_zone *z; - struct fw3_ipset *i; - struct fw3_device *d; - if (fw3_no_table(defs->flags[0]) && fw3_no_table(defs->flags[1])) - { - if (unlink(FW3_STATEFILE)) - warn("Unable to remove state %s: %s", - FW3_STATEFILE, strerror(errno)); + struct uci_package *p; - return; - } - - sf = fopen(FW3_STATEFILE, "w"); - - if (!sf) + if (fw3_no_family(s->defaults.flags[0]) && + fw3_no_family(s->defaults.flags[1])) { - warn("Cannot create state %s: %s", FW3_STATEFILE, strerror(errno)); - return; + unlink(FW3_STATEFILE); } - - fprintf(sf, "%x - %x %x\n", - FW3_TYPE_DEFAULTS, defs->flags[0], defs->flags[1]); - - list_for_each_entry(z, &s->running_zones, running_list) + else { - if (hasbit(z->flags[0], FW3_FLAG_DELETED)) - continue; - - if (fw3_no_table(z->flags[0]) && fw3_no_table(z->flags[1])) - continue; - - fprintf(sf, "%x %s %x %x\n", - FW3_TYPE_ZONE, z->name, z->flags[0], z->flags[1]); + sf = fopen(FW3_STATEFILE, "w+"); - list_for_each_entry(d, &z->devices, list) + if (!sf) { - if (!d->network) - continue; - - fprintf(sf, "%x %s 0 0 %s %s\n", - FW3_TYPE_NETWORK, z->name, d->network->name, d->name); + warn("Cannot create state %s: %s", FW3_STATEFILE, strerror(errno)); + return; } - } - list_for_each_entry(i, &s->running_ipsets, running_list) - { - if (hasbit(z->flags[0], FW3_FLAG_DELETED)) - continue; + if ((p = uci_lookup_package(s->uci, "fw3_state")) != NULL) + uci_unload(s->uci, p); - if (!fw3_no_family(i->flags[0]) || !fw3_no_family(i->flags[1])) - { - fprintf(sf, "%x %s %x %x\n", - FW3_TYPE_IPSET, i->name, i->flags[0], i->flags[1]); - } - } + uci_import(s->uci, sf, "fw3_state", NULL, true); - fclose(sf); -} + if ((p = uci_lookup_package(s->uci, "fw3_state")) != NULL) + { + write_defaults_uci(s->uci, &s->defaults, p); + list_for_each_entry(z, &s->zones, list) + write_zone_uci(s->uci, z, p); -struct object_list_heads -{ - 
struct list_head list; - struct list_head running_list; -}; - -void -fw3_set_running(void *object, struct list_head *dest) -{ - struct object_list_heads *o = object; + uci_export(s->uci, sf, p, true); + uci_unload(s->uci, p); + } - if (dest && !o->running_list.next) - list_add_tail(&o->running_list, dest); - else if (!dest && o->running_list.next) - list_del(&o->running_list); + fclose(sf); + } } + void fw3_free_object(void *obj, const void *opts) { diff --git a/utils.h b/utils.h index eee1f40..3573e14 100644 --- a/utils.h +++ b/utils.h @@ -84,19 +84,8 @@ bool fw3_lock(void); void fw3_unlock(void); -enum fw3_statefile_type -{ - FW3_TYPE_DEFAULTS = 0, - FW3_TYPE_ZONE = 1, - FW3_TYPE_NETWORK = 2, - FW3_TYPE_IPSET = 3, -}; - -bool fw3_read_statefile(void *state); void fw3_write_statefile(void *state); -void fw3_set_running(void *object, struct list_head *dest); - void fw3_free_object(void *obj, const void *opts); diff --git a/zones.c b/zones.c index a9a559e..0306a0c 100644 --- a/zones.c +++ b/zones.c @@ -94,6 +94,9 @@ const struct fw3_option fw3_zone_opts[] = { FW3_OPT("log", bool, zone, log), FW3_OPT("log_limit", limit, zone, log_limit), + FW3_OPT("__flags_v4", int, zone, flags[0]), + FW3_OPT("__flags_v6", int, zone, flags[1]), + { } }; @@ -152,9 +155,6 @@ fw3_alloc_zone(void) INIT_LIST_HEAD(&zone->masq_src); INIT_LIST_HEAD(&zone->masq_dest); - INIT_LIST_HEAD(&zone->running_networks); - INIT_LIST_HEAD(&zone->running_devices); - zone->enabled = true; zone->custom_chains = true; zone->log_limit.rate = 10; @@ -273,7 +273,6 @@ print_zone_chain(struct fw3_state *state, enum fw3_family family, if (c || r) { info(" * Zone '%s'", zone->name); - fw3_set_running(zone, &state->running_zones); set(zone->flags, family, table); } 
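Review bot: fw3_write_statefile() truncates FW3_STATEFILE in place (`fopen(..., "w+")`) and then imports, fills and exports through the same stream, so a crash between the truncation and uci_export() leaves an empty or partial statefile, and a concurrent fw3 reading it in build_state(true), which runs before the lock is taken, sees the same. Writing to a temporary name in the same directory and rename()-ing it over FW3_STATEFILE after a checked fclose() makes the update atomic; currently the fclose() result on this write stream and the uci_export() result are unchecked, and the warning the commit removed from the unlink() branch now leaves a stale statefile silent. The uci_import() of the freshly truncated, empty stream is presumably only a way to create the `fw3_state` package in the context; a comment such as `/* import the empty file so a "fw3_state" package exists to populate and export */` would spare the next reader the puzzle. The sketch below needs PATH_MAX from `<limits.h>` if utils.c does not already include it.
```c
	char tmp[PATH_MAX];
	/* … unchanged: locals, family check and the unlink() branch … */
		snprintf(tmp, sizeof(tmp), "%s.tmp", FW3_STATEFILE);
		sf = fopen(tmp, "w+");

		if (!sf)
		{
			warn("Cannot create state %s: %s", tmp, strerror(errno));
			return;
		}

		/* … unchanged: uci_import, write_defaults_uci, write_zone_uci, uci_export, uci_unload … */

		if (fclose(sf) || rename(tmp, FW3_STATEFILE))
		{
			warn("Cannot write state %s: %s", FW3_STATEFILE, strerror(errno));
			unlink(tmp);
		}
```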
@@ -514,7 +513,7 @@ fw3_flush_zones(struct fw3_state *state, enum fw3_family family, if (reload) delbit(custom_mask, FW3_FLAG_CUSTOM_CHAINS); - list_for_each_entry_safe(z, tmp, &state->running_zones, running_list) + list_for_each_entry_safe(z, tmp, &state->zones, list) { if (!has(z->flags, family, table)) continue; @@ -535,7 +534,7 @@ fw3_hotplug_zones(struct fw3_state *state, bool add) if (add) { - list_for_each_entry(z, &state->running_zones, running_list) + list_for_each_entry(z, &state->zones, list) { if (!hasbit(z->flags[0], FW3_FLAG_HOTPLUG)) { @@ -548,11 +547,11 @@ fw3_hotplug_zones(struct fw3_state *state, bool add) } else { - list_for_each_entry(z, &state->running_zones, running_list) + list_for_each_entry(z, &state->zones, list) { if (hasbit(z->flags[0], FW3_FLAG_HOTPLUG)) { - list_for_each_entry(d, &z->running_devices, list) + list_for_each_entry(d, &z->devices, list) fw3_hotplug(add, z, d); delbit(z->flags[0], FW3_FLAG_HOTPLUG); @@ -574,10 +573,7 @@ fw3_lookup_zone(struct fw3_state *state, const char *name, bool running) if (strcmp(z->name, name)) continue; - if (!running || z->running_list.next) - return z; - - break; + return z; } return NULL; @@ -588,13 +584,13 @@ fw3_free_zone(struct fw3_zone *zone) { struct fw3_device *dev, *tmp; - list_for_each_entry_safe(dev, tmp, &zone->running_devices, list) + list_for_each_entry_safe(dev, tmp, &zone->devices, list) { list_del(&dev->list); free(dev); } - list_for_each_entry_safe(dev, tmp, &zone->running_networks, list) + list_for_each_entry_safe(dev, tmp, &zone->networks, list) { list_del(&dev->list); free(dev);
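Review bot: In the `add == false` branch of fw3_hotplug_zones() the loop now walks `z->devices` of the state it is handed, and stop() hands it `run_state`, whose zones come from the statefile; write_zone_uci() records devices by name only, so those fw3_device entries carry no network association. If fw3_hotplug() reads `d->network` (the old statefile format stored an explicit network/device pair per record and the old writer skipped devices with `!d->network`, which suggests it does), the remove path would now dereference a NULL pointer on every stop; worth confirming against fw3_hotplug() and, if so, either recording the network name in write_zone_uci() or guarding with `if (!d->network) continue;` before `fw3_hotplug(add, z, d);`. The enclosing else-branch closes outside the hunk.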
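Review bot: fw3_free_zone() now frees every entry of `zone->devices` and `zone->networks` with a plain `free(dev)`, whereas it previously released only the malloc'd running_* copies created by the old statefile reader. Whether that is correct depends on how those two lists are populated by the option parser and on whether fw3_free_object(zone, fw3_zone_opts), presumably called right after this hunk, also releases list-option entries; if it does, this is a double free on every zone teardown. Worth confirming which side owns the entries and recording it: `/* devices/networks entries are owned by the zone and released here, not by fw3_free_object() */`. The remainder of fw3_free_zone() is outside the hunk.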