2 * firewall3 - 3rd OpenWrt UCI firewall implementation
4 * Copyright (C) 2013-2014 Jo-Philipp Wich <jo@mein.io>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
26 #include "redirects.h"
36 static enum fw3_family print_family = FW3_FAMILY_ANY;
38 static struct fw3_state *run_state = NULL;
39 static struct fw3_state *cfg_state = NULL;
43 build_state(bool runtime)
45 struct fw3_state *state = NULL;
46 struct uci_package *p = NULL;
49 state = calloc(1, sizeof(*state));
51 error("Out of memory");
53 state->uci = uci_alloc_context();
56 error("Out of memory");
60 sf = fopen(FW3_STATEFILE, "r");
64 uci_import(state->uci, sf, "fw3_state", &p, true);
70 uci_free_context(state->uci);
76 state->statefile = true;
82 if (!fw3_ubus_connect())
83 warn("Failed to connect to ubus");
85 if (uci_load(state->uci, "firewall", &p))
87 uci_perror(state->uci, NULL);
88 error("Failed to load /etc/config/firewall");
91 if (!fw3_find_command("ipset"))
93 warn("Unable to locate ipset utility, disabling ipset support");
94 state->disable_ipsets = true;
101 struct blob_buf b = {NULL, NULL, 0, NULL};
104 fw3_load_defaults(state, p);
105 fw3_load_cthelpers(state, p);
106 fw3_load_ipsets(state, p, b.head);
107 fw3_load_zones(state, p);
108 fw3_load_rules(state, p, b.head);
109 fw3_load_redirects(state, p, b.head);
110 fw3_load_snats(state, p, b.head);
111 fw3_load_forwards(state, p, b.head);
112 fw3_load_includes(state, p, b.head);
118 free_state(struct fw3_state *state)
120 struct list_head *cur, *tmp;
122 list_for_each_safe(cur, tmp, &state->zones)
123 fw3_free_zone((struct fw3_zone *)cur);
125 list_for_each_safe(cur, tmp, &state->rules)
126 fw3_free_rule((struct fw3_rule *)cur);
128 list_for_each_safe(cur, tmp, &state->redirects)
129 fw3_free_redirect((struct fw3_redirect *)cur);
131 list_for_each_safe(cur, tmp, &state->snats)
132 fw3_free_snat((struct fw3_snat *)cur);
134 list_for_each_safe(cur, tmp, &state->forwards)
135 fw3_free_forward((struct fw3_forward *)cur);
137 list_for_each_safe(cur, tmp, &state->ipsets)
138 fw3_free_ipset((struct fw3_ipset *)cur);
140 list_for_each_safe(cur, tmp, &state->includes)
141 fw3_free_include((struct fw3_include *)cur);
143 list_for_each_safe(cur, tmp, &state->cthelpers)
144 fw3_free_cthelper((struct fw3_cthelper *)cur);
146 uci_free_context(state->uci);
150 fw3_ubus_disconnect();
155 family_running(enum fw3_family family)
157 return (run_state && has(run_state->defaults.flags, family, family));
161 family_set(struct fw3_state *state, enum fw3_family family, bool set)
167 set(state->defaults.flags, family, family);
169 del(state->defaults.flags, family, family);
176 enum fw3_family family;
177 enum fw3_table table;
178 struct fw3_ipt_handle *handle;
180 if (!complete && !run_state)
182 warn("The firewall appears to be stopped. "
183 "Use the 'flush' command to forcefully purge all rules.");
188 if (!print_family && run_state)
189 fw3_hotplug_zones(run_state, false);
191 for (family = FW3_FAMILY_V4; family <= FW3_FAMILY_V6; family++)
193 if (!complete && !family_running(family))
196 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
198 if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
201 if (!(handle = fw3_ipt_open(family, table)))
204 info(" * %sing %s %s table", complete ? "Flush" : "Clear",
205 fw3_flag_names[family], fw3_flag_names[table]);
209 fw3_flush_all(handle);
213 fw3_flush_rules(handle, run_state, false);
214 fw3_flush_zones(handle, run_state, false);
217 fw3_ipt_commit(handle);
218 fw3_ipt_close(handle);
221 family_set(run_state, family, false);
222 family_set(cfg_state, family, false);
228 for (family = FW3_FAMILY_V4; family <= FW3_FAMILY_V6; family++)
229 fw3_destroy_ipsets(run_state, family, false);
233 fw3_flush_conntrack(NULL);
235 if (!rv && run_state)
236 fw3_write_statefile(run_state);
245 enum fw3_family family;
246 enum fw3_table table;
247 struct fw3_ipt_handle *handle;
249 for (family = FW3_FAMILY_V4; family <= FW3_FAMILY_V6; family++)
252 fw3_create_ipsets(cfg_state, family, false);
254 if (family == FW3_FAMILY_V6 && cfg_state->defaults.disable_ipv6)
257 if (print_family && family != print_family)
260 if (!print_family && family_running(family))
262 warn("The %s firewall appears to be started already. "
263 "If it is indeed empty, remove the %s file and retry.",
264 fw3_flag_names[family], FW3_STATEFILE);
269 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
271 if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
274 if (!(handle = fw3_ipt_open(family, table)))
277 info(" * Populating %s %s table",
278 fw3_flag_names[family], fw3_flag_names[table]);
280 fw3_print_default_chains(handle, cfg_state, false);
281 fw3_print_zone_chains(handle, cfg_state, false);
282 fw3_print_default_head_rules(handle, cfg_state, false);
283 fw3_print_rules(handle, cfg_state);
284 fw3_print_redirects(handle, cfg_state);
285 fw3_print_snats(handle, cfg_state);
286 fw3_print_forwards(handle, cfg_state);
287 fw3_print_zone_rules(handle, cfg_state, false);
288 fw3_print_default_tail_rules(handle, cfg_state, false);
291 fw3_ipt_commit(handle);
293 fw3_ipt_close(handle);
297 fw3_print_includes(cfg_state, family, false);
299 family_set(run_state, family, true);
300 family_set(cfg_state, family, true);
307 fw3_flush_conntrack(run_state);
308 fw3_set_defaults(cfg_state);
312 fw3_run_includes(cfg_state, false);
313 fw3_hotplug_zones(cfg_state, true);
314 fw3_write_statefile(cfg_state);
326 enum fw3_family family;
327 enum fw3_table table;
328 struct fw3_ipt_handle *handle;
333 fw3_hotplug_zones(run_state, false);
335 for (family = FW3_FAMILY_V4; family <= FW3_FAMILY_V6; family++)
337 if (!family_running(family))
340 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
342 if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
345 if (!(handle = fw3_ipt_open(family, table)))
348 info(" * Clearing %s %s table",
349 fw3_flag_names[family], fw3_flag_names[table]);
351 fw3_flush_rules(handle, run_state, true);
352 fw3_flush_zones(handle, run_state, true);
353 fw3_ipt_commit(handle);
354 fw3_ipt_close(handle);
357 fw3_destroy_ipsets(run_state, family, true);
359 family_set(run_state, family, false);
360 family_set(cfg_state, family, false);
363 if (family == FW3_FAMILY_V6 && cfg_state->defaults.disable_ipv6)
366 fw3_create_ipsets(cfg_state, family, true);
368 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
370 if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
373 if (!(handle = fw3_ipt_open(family, table)))
376 info(" * Populating %s %s table",
377 fw3_flag_names[family], fw3_flag_names[table]);
379 fw3_print_default_chains(handle, cfg_state, true);
380 fw3_print_zone_chains(handle, cfg_state, true);
381 fw3_print_default_head_rules(handle, cfg_state, true);
382 fw3_print_rules(handle, cfg_state);
383 fw3_print_redirects(handle, cfg_state);
384 fw3_print_snats(handle, cfg_state);
385 fw3_print_forwards(handle, cfg_state);
386 fw3_print_zone_rules(handle, cfg_state, true);
387 fw3_print_default_tail_rules(handle, cfg_state, true);
389 fw3_ipt_commit(handle);
390 fw3_ipt_close(handle);
393 fw3_print_includes(cfg_state, family, true);
395 family_set(run_state, family, true);
396 family_set(cfg_state, family, true);
403 fw3_flush_conntrack(run_state);
405 fw3_set_defaults(cfg_state);
406 fw3_run_includes(cfg_state, true);
407 fw3_hotplug_zones(cfg_state, true);
408 fw3_write_statefile(cfg_state);
417 enum fw3_family family;
418 enum fw3_table table;
419 struct fw3_ipt_handle *handle;
421 for (family = FW3_FAMILY_V4; family <= FW3_FAMILY_V6; family++)
423 if (family == FW3_FAMILY_V6 && cfg_state->defaults.disable_ipv6)
426 for (table = FW3_TABLE_FILTER; table <= FW3_TABLE_RAW; table++)
428 if (!fw3_has_table(family == FW3_FAMILY_V6, fw3_flag_names[table]))
431 if (!(handle = fw3_ipt_open(family, table)))
435 fw3_ipt_commit(handle);
436 fw3_ipt_close(handle);
444 lookup_network(const char *net)
447 struct fw3_device *d;
449 list_for_each_entry(z, &cfg_state->zones, list)
451 list_for_each_entry(d, &z->networks, list)
453 if (!strcmp(d->name, net))
455 printf("%s\n", z->name);
465 lookup_device(const char *dev)
468 struct fw3_device *d;
470 list_for_each_entry(z, &cfg_state->zones, list)
472 list_for_each_entry(d, &z->devices, list)
474 if (!strcmp(d->name, dev))
476 printf("%s\n", z->name);
486 lookup_zone(const char *zone, const char *device)
489 struct fw3_device *d;
491 list_for_each_entry(z, &cfg_state->zones, list)
493 if (strcmp(z->name, zone))
496 list_for_each_entry(d, &z->devices, list)
498 if (device && strcmp(device, d->name))
501 printf("%s\n", d->name);
517 fprintf(stderr, "fw3 [-4] [-6] [-q] print\n");
518 fprintf(stderr, "fw3 [-q] {start|stop|flush|reload|restart}\n");
519 fprintf(stderr, "fw3 [-q] network {net}\n");
520 fprintf(stderr, "fw3 [-q] device {dev}\n");
521 fprintf(stderr, "fw3 [-q] zone {zone} [dev]\n");
527 int main(int argc, char **argv)
530 enum fw3_family family = FW3_FAMILY_ANY;
531 struct fw3_defaults *defs = NULL;
533 while ((ch = getopt(argc, argv, "46dqh")) != -1)
538 family = FW3_FAMILY_V4;
542 family = FW3_FAMILY_V6;
550 if (freopen("/dev/null", "w", stderr)) {}
560 defs = &cfg_state->defaults;
568 if (!strcmp(argv[optind], "print"))
570 if (family == FW3_FAMILY_ANY)
572 family = FW3_FAMILY_V4;
574 else if (family == FW3_FAMILY_V6)
576 if (defs->disable_ipv6)
577 warn("IPv6 rules globally disabled in configuration");
580 warn("IPv6 support is not compiled in");
584 if (freopen("/dev/null", "w", stderr)) {};
586 cfg_state->disable_ipsets = true;
587 print_family = family;
597 else if (!strcmp(argv[optind], "start"))
606 else if (!strcmp(argv[optind], "stop"))
615 else if (!strcmp(argv[optind], "flush"))
624 else if (!strcmp(argv[optind], "restart"))
634 else if (!strcmp(argv[optind], "reload"))
643 else if (!strcmp(argv[optind], "gc"))
651 else if (!strcmp(argv[optind], "network") && (optind + 1) < argc)
653 rv = lookup_network(argv[optind + 1]);
655 else if (!strcmp(argv[optind], "device") && (optind + 1) < argc)
657 rv = lookup_device(argv[optind + 1]);
659 else if (!strcmp(argv[optind], "zone") && (optind + 1) < argc)
661 rv = lookup_zone(argv[optind + 1], argv[optind + 2]);
670 free_state(cfg_state);
673 free_state(run_state);
projects / oweals / firewall3.git / blob