2 * firewall3 - 3rd OpenWrt UCI firewall implementation
4 * Copyright (C) 2013 Jo-Philipp Wich <jo@mein.io>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
22 const struct fw3_option fw3_ipset_opts[] = {
23 FW3_OPT("enabled", bool, ipset, enabled),
24 FW3_OPT("reload_set", bool, ipset, reload_set),
25 FW3_OPT("counters", bool, ipset, counters),
26 FW3_OPT("comment", bool, ipset, comment),
28 FW3_OPT("name", string, ipset, name),
29 FW3_OPT("family", family, ipset, family),
31 FW3_OPT("storage", ipset_method, ipset, method),
32 FW3_LIST("match", ipset_datatype, ipset, datatypes),
34 FW3_OPT("iprange", address, ipset, iprange),
35 FW3_OPT("portrange", port, ipset, portrange),
37 FW3_OPT("netmask", int, ipset, netmask),
38 FW3_OPT("maxelem", int, ipset, maxelem),
39 FW3_OPT("hashsize", int, ipset, hashsize),
40 FW3_OPT("timeout", int, ipset, timeout),
42 FW3_OPT("external", string, ipset, external),
44 FW3_LIST("entry", setentry, ipset, entries),
45 FW3_OPT("loadfile", string, ipset, loadfile),
50 #define T(m, t1, t2, t3, r, o) \
51 { FW3_IPSET_METHOD_##m, \
52 FW3_IPSET_TYPE_##t1 | (FW3_IPSET_TYPE_##t2 << 8) | (FW3_IPSET_TYPE_##t3 << 16), \
56 OPT_IPRANGE = (1 << 0),
57 OPT_PORTRANGE = (1 << 1),
58 OPT_NETMASK = (1 << 2),
59 OPT_HASHSIZE = (1 << 3),
60 OPT_MAXELEM = (1 << 4),
61 OPT_FAMILY = (1 << 5),
65 enum fw3_ipset_method method;
71 static struct ipset_type ipset_types[] = {
72 T(BITMAP, IP, UNSPEC, UNSPEC, OPT_IPRANGE, OPT_NETMASK),
73 T(BITMAP, IP, MAC, UNSPEC, OPT_IPRANGE, 0),
74 T(BITMAP, PORT, UNSPEC, UNSPEC, OPT_PORTRANGE, 0),
76 T(HASH, IP, UNSPEC, UNSPEC, 0,
77 OPT_FAMILY | OPT_HASHSIZE | OPT_MAXELEM | OPT_NETMASK),
78 T(HASH, NET, UNSPEC, UNSPEC, 0,
79 OPT_FAMILY | OPT_HASHSIZE | OPT_MAXELEM),
80 T(HASH, IP, PORT, UNSPEC, 0,
81 OPT_FAMILY | OPT_HASHSIZE | OPT_MAXELEM),
82 T(HASH, NET, PORT, UNSPEC, 0,
83 OPT_FAMILY | OPT_HASHSIZE | OPT_MAXELEM),
84 T(HASH, IP, PORT, IP, 0,
85 OPT_FAMILY | OPT_HASHSIZE | OPT_MAXELEM),
86 T(HASH, IP, PORT, NET, 0,
87 OPT_FAMILY | OPT_HASHSIZE | OPT_MAXELEM),
89 T(LIST, SET, UNSPEC, UNSPEC, 0, OPT_MAXELEM),
94 check_types(struct uci_element *e, struct fw3_ipset *ipset)
97 uint32_t typelist = 0;
98 struct fw3_ipset_datatype *type;
100 list_for_each_entry(type, &ipset->datatypes, list)
104 warn_section("ipset", ipset, e, "must not have more than 3 datatypes assigned");
108 typelist |= (type->type << (i++ * 8));
111 /* find a suitable storage method if none specified */
112 if (ipset->method == FW3_IPSET_METHOD_UNSPEC)
114 for (i = 0; i < ARRAY_SIZE(ipset_types); i++)
116 /* skip type for v6 if it does not support family */
117 if (ipset->family != FW3_FAMILY_V4 &&
118 !(ipset_types[i].optional & OPT_FAMILY))
121 if (ipset_types[i].types == typelist)
123 ipset->method = ipset_types[i].method;
125 warn_section("ipset", ipset, e, "defines no storage method, assuming '%s'",
126 fw3_ipset_method_names[ipset->method]);
133 //typelist |= ipset->method;
135 for (i = 0; i < ARRAY_SIZE(ipset_types); i++)
137 if (ipset_types[i].method == ipset->method &&
138 ipset_types[i].types == typelist)
140 if (!ipset->external)
142 if ((ipset_types[i].required & OPT_IPRANGE) &&
145 warn_section("ipset", ipset, e, "requires an ip range");
149 if ((ipset_types[i].required & OPT_PORTRANGE) &&
150 !ipset->portrange.set)
152 warn_section("ipset", ipset, e, "requires a port range");
156 if (!(ipset_types[i].required & OPT_IPRANGE) &&
159 warn_section("ipset", ipset, e, "iprange ignored");
160 ipset->iprange.set = false;
163 if (!(ipset_types[i].required & OPT_PORTRANGE) &&
164 ipset->portrange.set)
166 warn_section("ipset", ipset, e, "portrange ignored");
167 ipset->portrange.set = false;
170 if (!(ipset_types[i].optional & OPT_NETMASK) &&
173 warn_section("ipset", ipset, e, "netmask ignored");
177 if (!(ipset_types[i].optional & OPT_HASHSIZE) &&
180 warn_section("ipset", ipset, e, "hashsize ignored");
184 if (!(ipset_types[i].optional & OPT_MAXELEM) &&
187 warn_section("ipset", ipset, e, "maxelem ignored");
191 if (!(ipset_types[i].optional & OPT_FAMILY) &&
192 ipset->family != FW3_FAMILY_V4)
194 warn_section("ipset", ipset, e, "family ignored");
195 ipset->family = FW3_FAMILY_V4;
203 warn_section("ipset", ipset, e, "has an invalid combination of storage method and matches");
208 check_ipset(struct fw3_state *state, struct fw3_ipset *ipset, struct uci_element *e)
210 if (!ipset->enabled) {
216 if (!*ipset->external)
217 ipset->external = NULL;
218 else if (!ipset->name)
219 ipset->name = ipset->external;
222 if (!ipset->name || !*ipset->name)
224 warn_section("ipset", ipset, e, "ipset must have a name assigned");
226 //else if (fw3_lookup_ipset(state, ipset->name) != NULL)
228 // warn_section("ipset", ipset, e, "has duplicated set name", ipset->name);
230 else if (ipset->family == FW3_FAMILY_ANY)
232 warn_section("ipset", ipset, e, "must not have family 'any'");
234 else if (ipset->iprange.set && ipset->family != ipset->iprange.family)
236 warn_section("ipset", ipset, e, "has iprange of wrong address family");
238 else if (list_empty(&ipset->datatypes))
240 warn_section("ipset", ipset, e, "has no datatypes assigned");
242 else if (check_types(e, ipset))
250 static struct fw3_ipset *
251 fw3_alloc_ipset(struct fw3_state *state)
253 struct fw3_ipset *ipset;
255 ipset = calloc(1, sizeof(*ipset));
259 INIT_LIST_HEAD(&ipset->datatypes);
260 INIT_LIST_HEAD(&ipset->entries);
262 ipset->comment = false;
263 ipset->counters = false;
264 ipset->enabled = true;
265 ipset->family = FW3_FAMILY_V4;
266 ipset->reload_set = false;
268 list_add_tail(&ipset->list, &state->ipsets);
274 fw3_load_ipsets(struct fw3_state *state, struct uci_package *p,
277 struct uci_section *s;
278 struct uci_element *e;
279 struct fw3_ipset *ipset;
280 struct blob_attr *entry;
283 INIT_LIST_HEAD(&state->ipsets);
285 if (state->disable_ipsets)
288 blob_for_each_attr(entry, a, rem)
291 const char *name = "ubus ipset";
293 if (!fw3_attr_parse_name_type(entry, &name, &type))
296 if (strcmp(type, "ipset"))
299 ipset = fw3_alloc_ipset(state);
303 if (!fw3_parse_blob_options(ipset, fw3_ipset_opts, entry, name))
305 warn_section("ipset", ipset, NULL, "skipped due to invalid options");
306 fw3_free_ipset(ipset);
310 if (!check_ipset(state, ipset, NULL))
311 fw3_free_ipset(ipset);
314 uci_foreach_element(&p->sections, e)
316 s = uci_to_section(e);
318 if (strcmp(s->type, "ipset"))
321 ipset = fw3_alloc_ipset(state);
326 if (!fw3_parse_options(ipset, fw3_ipset_opts, s))
327 warn_elem(e, "has invalid options");
329 if (!check_ipset(state, ipset, e))
330 fw3_free_ipset(ipset);
336 load_file(struct fw3_ipset *ipset)
341 if (!ipset->loadfile)
344 info(" * Loading file %s", ipset->loadfile);
346 f = fopen(ipset->loadfile, "r");
349 info(" ! Skipping due to open error: %s", strerror(errno));
353 while (fgets(line, sizeof(line), f))
354 fw3_pr("add %s %s", ipset->name, line);
360 create_ipset(struct fw3_ipset *ipset, struct fw3_state *state)
363 struct fw3_setentry *entry;
364 struct fw3_ipset_datatype *type;
366 info(" * Creating ipset %s", ipset->name);
369 fw3_pr("create %s %s", ipset->name, fw3_ipset_method_names[ipset->method]);
371 list_for_each_entry(type, &ipset->datatypes, list)
373 fw3_pr("%c%s", first ? ':' : ',', fw3_ipset_type_names[type->type]);
377 if (ipset->method == FW3_IPSET_METHOD_HASH)
378 fw3_pr(" family inet%s", (ipset->family == FW3_FAMILY_V4) ? "" : "6");
380 if (ipset->iprange.set)
382 fw3_pr(" range %s", fw3_address_to_string(&ipset->iprange, false, true));
384 else if (ipset->portrange.set)
386 fw3_pr(" range %u-%u",
387 ipset->portrange.port_min, ipset->portrange.port_max);
390 if (ipset->timeout > 0)
391 fw3_pr(" timeout %u", ipset->timeout);
393 if (ipset->maxelem > 0)
394 fw3_pr(" maxelem %u", ipset->maxelem);
396 if (ipset->netmask > 0)
397 fw3_pr(" netmask %u", ipset->netmask);
399 if (ipset->hashsize > 0)
400 fw3_pr(" hashsize %u", ipset->hashsize);
410 list_for_each_entry(entry, &ipset->entries, list)
411 fw3_pr("add %s %s\n", ipset->name, entry->value);
417 fw3_create_ipsets(struct fw3_state *state, enum fw3_family family,
420 unsigned int delay, tries;
422 struct fw3_ipset *ipset;
424 if (state->disable_ipsets)
428 list_for_each_entry(ipset, &state->ipsets, list)
430 if (ipset->family != family)
436 if (fw3_check_ipset(ipset) &&
437 (reload_set && !ipset->reload_set))
442 exec = fw3_command_pipe(false, "ipset", "-exist", "-");
448 create_ipset(ipset, state);
457 /* wait a little expontially for ipsets to appear */
458 list_for_each_entry(ipset, &state->ipsets, list)
464 for (tries = 0; !fw3_check_ipset(ipset) && tries < 10; tries++)
470 fw3_destroy_ipsets(struct fw3_state *state, enum fw3_family family,
473 unsigned int delay, tries;
475 struct fw3_ipset *ipset;
477 if (state->disable_ipsets)
481 list_for_each_entry(ipset, &state->ipsets, list)
483 if (ipset->family != family ||
484 (reload_set && !ipset->reload_set))
489 exec = fw3_command_pipe(false, "ipset", "-exist", "-");
495 info(" * Deleting ipset %s", ipset->name);
497 fw3_pr("flush %s\n", ipset->name);
498 fw3_pr("destroy %s\n", ipset->name);
507 /* wait for ipsets to disappear */
508 list_for_each_entry(ipset, &state->ipsets, list)
514 for (tries = 0; fw3_check_ipset(ipset) && tries < 10; tries++)
520 fw3_lookup_ipset(struct fw3_state *state, const char *name)
524 if (list_empty(&state->ipsets))
527 list_for_each_entry(s, &state->ipsets, list)
529 if (strcmp(s->name, name))
539 fw3_check_ipset(struct fw3_ipset *set)
544 int s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
545 struct ip_set_req_version req_ver;
546 struct ip_set_req_get_set req_name;
548 if (s < 0 || fcntl(s, F_SETFD, FD_CLOEXEC))
551 sz = sizeof(req_ver);
552 req_ver.op = IP_SET_OP_VERSION;
554 if (getsockopt(s, SOL_IP, SO_IP_SET, &req_ver, &sz))
557 sz = sizeof(req_name);
558 req_name.op = IP_SET_OP_GET_BYNAME;
559 req_name.version = req_ver.version;
560 snprintf(req_name.set.name, IPSET_MAXNAMELEN - 1, "%s",
561 set->external ? set->external : set->name);
563 if (getsockopt(s, SOL_IP, SO_IP_SET, &req_name, &sz))
566 rv = ((sz == sizeof(req_name)) && (req_name.set.index != IPSET_INVALID_ID));
576 fw3_ipsets_update_run_state(enum fw3_family family, struct fw3_state *run_state,
577 struct fw3_state *cfg_state)
579 struct fw3_ipset *ipset_run, *ipset_cfg;
582 list_for_each_entry(ipset_run, &run_state->ipsets, list) {
583 if (ipset_run->family != family)
588 list_for_each_entry(ipset_cfg, &cfg_state->ipsets, list) {
589 if (ipset_cfg->family != family)
592 if (strlen(ipset_run->name) ==
593 strlen(ipset_cfg->name) &&
594 !strcmp(ipset_run->name, ipset_cfg->name)) {
600 /* If a set is found in run_state, but not in cfg_state then the
601 * set has been deleted/renamed. Set reload_set to true to force
602 * the old set to be destroyed in the "stop" fase of the reload.
603 * If the set is found, then copy the reload_set value from the
604 * configuration state. This ensures that the elements are
605 * always updated according to the configuration, and not the
606 * runtime state (which the user might have forgotten).
609 ipset_run->reload_set = true;
611 ipset_run->reload_set = ipset_cfg->reload_set;
projects / oweals / firewall3.git / blob