2 * firewall3 - 3rd OpenWrt UCI firewall implementation
4 * Copyright (C) 2013-2014 Jo-Philipp Wich <jo@mein.io>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
24 put_value(void *ptr, void *val, int elem_size, bool is_list)
30 copy = malloc(elem_size);
35 memcpy(copy, val, elem_size);
36 list_add_tail((struct list_head *)copy, (struct list_head *)ptr);
40 memcpy(ptr, val, elem_size);
45 parse_enum(void *ptr, const char *val, const char **values, int min, int max)
47 int i, l = strlen(val);
51 for (i = 0; i <= (max - min); i++)
53 if (!strncasecmp(val, values[i], l))
55 *((int *)ptr) = min + i;
65 const char *fw3_flag_names[__FW3_FLAG_MAX] = {
90 const char *fw3_reject_code_names[__FW3_REJECT_CODE_MAX] = {
96 const char *fw3_limit_units[__FW3_LIMIT_UNIT_MAX] = {
103 const char *fw3_ipset_method_names[__FW3_IPSET_METHOD_MAX] = {
110 const char *fw3_ipset_type_names[__FW3_IPSET_TYPE_MAX] = {
119 static const char *weekdays[] = {
129 static const char *include_types[] = {
134 static const char *reflection_sources[] = {
139 static const struct { const char *name; uint8_t dscp; } dscp_classes[] = {
166 fw3_parse_bool(void *ptr, const char *val, bool is_list)
168 if (!strcmp(val, "true") || !strcmp(val, "yes") || !strcmp(val, "1"))
169 *((bool *)ptr) = true;
171 *((bool *)ptr) = false;
177 fw3_parse_int(void *ptr, const char *val, bool is_list)
180 int n = strtol(val, &e, 0);
191 fw3_parse_string(void *ptr, const char *val, bool is_list)
193 *((char **)ptr) = (char *)val;
198 fw3_parse_target(void *ptr, const char *val, bool is_list)
200 return parse_enum(ptr, val, &fw3_flag_names[FW3_FLAG_ACCEPT],
201 FW3_FLAG_ACCEPT, FW3_FLAG_MASQUERADE);
205 fw3_parse_reject_code(void *ptr, const char *val, bool is_list)
207 return parse_enum(ptr, val, &fw3_reject_code_names[FW3_REJECT_CODE_TCP_RESET],
208 FW3_REJECT_CODE_TCP_RESET, FW3_REJECT_CODE_ADM_PROHIBITED);
212 fw3_parse_limit(void *ptr, const char *val, bool is_list)
214 struct fw3_limit *limit = ptr;
215 enum fw3_limit_unit u = FW3_LIMIT_UNIT_SECOND;
221 limit->invert = true;
222 while (isspace(*++val));
225 n = strtol(val, &e, 10);
227 if (errno == ERANGE || errno == EINVAL)
230 if (*e && *e++ != '/')
236 if (!parse_enum(&u, e, fw3_limit_units, 0, FW3_LIMIT_UNIT_DAY))
246 fw3_parse_device(void *ptr, const char *val, bool is_list)
249 struct fw3_device dev = { };
255 put_value(ptr, &dev, sizeof(dev), is_list);
262 while (isspace(*++val));
265 if ((p = strchr(val, '@')) != NULL)
268 snprintf(dev.network, sizeof(dev.network), "%s", p);
272 snprintf(dev.name, sizeof(dev.name), "%s", val);
277 put_value(ptr, &dev, sizeof(dev), is_list);
282 fw3_parse_address(void *ptr, const char *val, bool is_list)
284 struct fw3_address addr = { };
287 char *p = NULL, *m = NULL, *s, *e;
293 while (isspace(*++val));
301 if ((m = strchr(s, '/')) != NULL)
303 else if ((p = strchr(s, '-')) != NULL)
306 if (inet_pton(AF_INET6, s, &v6))
308 addr.family = FW3_FAMILY_V6;
309 addr.address.v6 = v6;
313 if (!inet_pton(AF_INET6, m, &v6))
315 bits = strtol(m, &e, 10);
317 if ((*e != 0) || !fw3_bitlen2netmask(addr.family, bits, &v6))
325 if (!inet_pton(AF_INET6, p, &addr.mask.v6))
332 memset(addr.mask.v6.s6_addr, 0xFF, 16);
335 else if (inet_pton(AF_INET, s, &v4))
337 addr.family = FW3_FAMILY_V4;
338 addr.address.v4 = v4;
342 if (!inet_pton(AF_INET, m, &v4))
344 bits = strtol(m, &e, 10);
346 if ((*e != 0) || !fw3_bitlen2netmask(addr.family, bits, &v4))
354 if (!inet_pton(AF_INET, p, &addr.mask.v4))
361 addr.mask.v4.s_addr = 0xFFFFFFFF;
371 put_value(ptr, &addr, sizeof(addr), is_list);
380 fw3_parse_network(void *ptr, const char *val, bool is_list)
382 struct fw3_device dev = { };
383 struct fw3_address *addr, *tmp;
384 LIST_HEAD(addr_list);
387 if (!fw3_parse_address(ptr, val, is_list))
389 if (!fw3_parse_device(&dev, val, false))
392 n_addrs = fw3_ubus_address(&addr_list, dev.name);
394 list_for_each_entry(addr, &addr_list, list)
396 addr->invert = dev.invert;
397 addr->resolved = true;
400 /* add an empty address member with .set = false, .resolved = true
401 * to signal resolving failure to callers */
404 tmp = fw3_alloc(sizeof(*tmp));
405 tmp->resolved = true;
407 list_add_tail(&tmp->list, &addr_list);
412 list_splice_tail(&addr_list, ptr);
414 else if (!list_empty(&addr_list))
416 memcpy(ptr, list_first_entry(&addr_list, typeof(*addr), list),
419 list_for_each_entry_safe(addr, tmp, &addr_list, list)
428 fw3_parse_mac(void *ptr, const char *val, bool is_list)
430 struct fw3_mac addr = { };
431 struct ether_addr *mac;
436 while (isspace(*++val));
439 if ((mac = ether_aton(val)) != NULL)
444 put_value(ptr, &addr, sizeof(addr), is_list);
452 fw3_parse_port(void *ptr, const char *val, bool is_list)
454 struct fw3_port range = { };
462 while (isspace(*++val));
465 n = strtoul(val, &p, 10);
467 if (errno == ERANGE || errno == EINVAL)
470 if (*p && *p != '-' && *p != ':')
475 m = strtoul(++p, NULL, 10);
477 if (errno == ERANGE || errno == EINVAL || m < n)
490 put_value(ptr, &range, sizeof(range), is_list);
495 fw3_parse_family(void *ptr, const char *val, bool is_list)
497 if (!strcmp(val, "any") || !strcmp(val, "*"))
498 *((enum fw3_family *)ptr) = FW3_FAMILY_ANY;
499 else if (!strcmp(val, "inet") || strrchr(val, '4'))
500 *((enum fw3_family *)ptr) = FW3_FAMILY_V4;
501 else if (!strcmp(val, "inet6") || strrchr(val, '6'))
502 *((enum fw3_family *)ptr) = FW3_FAMILY_V6;
510 fw3_parse_icmptype(void *ptr, const char *val, bool is_list)
512 struct fw3_icmptype icmp = { };
518 for (i = 0; i < ARRAY_SIZE(fw3_icmptype_list_v4); i++)
520 if (!strcmp(val, fw3_icmptype_list_v4[i].name))
522 icmp.type = fw3_icmptype_list_v4[i].type;
523 icmp.code_min = fw3_icmptype_list_v4[i].code_min;
524 icmp.code_max = fw3_icmptype_list_v4[i].code_max;
531 for (i = 0; i < ARRAY_SIZE(fw3_icmptype_list_v6); i++)
533 if (!strcmp(val, fw3_icmptype_list_v6[i].name))
535 icmp.type6 = fw3_icmptype_list_v6[i].type;
536 icmp.code6_min = fw3_icmptype_list_v6[i].code_min;
537 icmp.code6_max = fw3_icmptype_list_v6[i].code_max;
546 i = strtoul(val, &p, 10);
548 if ((p == val) || (*p != '/' && *p != 0) || (i > 0xFF))
556 i = strtoul(val, &p, 10);
558 if ((p == val) || (*p != 0) || (i > 0xFF))
567 icmp.code_max = 0xFF;
570 icmp.type6 = icmp.type;
571 icmp.code6_min = icmp.code_min;
572 icmp.code6_max = icmp.code_max;
578 icmp.family = (v4 && v6) ? FW3_FAMILY_ANY
579 : (v6 ? FW3_FAMILY_V6 : FW3_FAMILY_V4);
581 put_value(ptr, &icmp, sizeof(icmp), is_list);
586 fw3_parse_protocol(void *ptr, const char *val, bool is_list)
588 struct fw3_protocol proto = { };
589 struct protoent *ent;
595 while (isspace(*++val));
598 if (!strcmp(val, "all") || !strcmp(val, "any") || !strcmp(val, "*"))
601 put_value(ptr, &proto, sizeof(proto), is_list);
604 else if (!strcmp(val, "icmpv6"))
608 else if (!strcmp(val, "tcpudp"))
611 if (put_value(ptr, &proto, sizeof(proto), is_list))
614 put_value(ptr, &proto, sizeof(proto), is_list);
620 ent = getprotobyname(val);
624 proto.protocol = ent->p_proto;
625 put_value(ptr, &proto, sizeof(proto), is_list);
629 proto.protocol = strtoul(val, &e, 10);
631 if ((e == val) || (*e != 0))
634 put_value(ptr, &proto, sizeof(proto), is_list);
639 fw3_parse_ipset_method(void *ptr, const char *val, bool is_list)
641 return parse_enum(ptr, val, &fw3_ipset_method_names[FW3_IPSET_METHOD_BITMAP],
642 FW3_IPSET_METHOD_BITMAP, FW3_IPSET_METHOD_LIST);
646 fw3_parse_ipset_datatype(void *ptr, const char *val, bool is_list)
648 struct fw3_ipset_datatype type = { };
652 if (!strncmp(val, "dest_", 5))
657 else if (!strncmp(val, "dst_", 4))
662 else if (!strncmp(val, "src_", 4))
668 if (parse_enum(&type.type, val, &fw3_ipset_type_names[FW3_IPSET_TYPE_IP],
669 FW3_IPSET_TYPE_IP, FW3_IPSET_TYPE_SET))
671 put_value(ptr, &type, sizeof(type), is_list);
679 fw3_parse_date(void *ptr, const char *val, bool is_list)
681 unsigned int year = 1970, mon = 1, day = 1, hour = 0, min = 0, sec = 0;
682 struct tm tm = { 0 };
686 year = strtoul(val, &p, 10);
687 if ((*p != '-' && *p) || year < 1970 || year > 2038)
692 mon = strtoul(++p, &p, 10);
693 if ((*p != '-' && *p) || mon > 12)
698 day = strtoul(++p, &p, 10);
699 if ((*p != 'T' && *p) || day > 31)
704 hour = strtoul(++p, &p, 10);
705 if ((*p != ':' && *p) || hour > 23)
710 min = strtoul(++p, &p, 10);
711 if ((*p != ':' && *p) || min > 59)
716 sec = strtoul(++p, &p, 10);
721 tm.tm_year = year - 1900;
728 ts = mktime(&tm) - timezone;
732 gmtime_r(&ts, (struct tm *)ptr);
741 fw3_parse_time(void *ptr, const char *val, bool is_list)
743 unsigned int hour = 0, min = 0, sec = 0;
746 hour = strtoul(val, &p, 10);
747 if (*p != ':' || hour > 23)
750 min = strtoul(++p, &p, 10);
751 if ((*p != ':' && *p) || min > 59)
756 sec = strtoul(++p, &p, 10);
761 *((int *)ptr) = 60 * 60 * hour + 60 * min + sec;
769 fw3_parse_weekdays(void *ptr, const char *val, bool is_list)
776 fw3_setbit(*(uint8_t *)ptr, 0);
777 while (isspace(*++val));
780 if (!(s = strdup(val)))
783 for (p = strtok(s, " \t"); p; p = strtok(NULL, " \t"))
785 if (!parse_enum(&w, p, weekdays, 1, 7))
787 w = strtoul(p, &p, 10);
789 if (*p || w < 1 || w > 7)
796 fw3_setbit(*(uint8_t *)ptr, w);
804 fw3_parse_monthdays(void *ptr, const char *val, bool is_list)
811 fw3_setbit(*(uint32_t *)ptr, 0);
812 while (isspace(*++val));
815 if (!(s = strdup(val)))
818 for (p = strtok(s, " \t"); p; p = strtok(NULL, " \t"))
820 d = strtoul(p, &p, 10);
822 if (*p || d < 1 || d > 31)
828 fw3_setbit(*(uint32_t *)ptr, d);
836 fw3_parse_include_type(void *ptr, const char *val, bool is_list)
838 return parse_enum(ptr, val, include_types,
839 FW3_INC_TYPE_SCRIPT, FW3_INC_TYPE_RESTORE);
843 fw3_parse_reflection_source(void *ptr, const char *val, bool is_list)
845 return parse_enum(ptr, val, reflection_sources,
846 FW3_REFLECTION_INTERNAL, FW3_REFLECTION_EXTERNAL);
850 fw3_parse_mark(void *ptr, const char *val, bool is_list)
854 struct fw3_mark *m = ptr;
859 while (isspace(*++val));
862 if ((s = strchr(val, '/')) != NULL)
865 n = strtoul(val, &e, 0);
871 m->mask = 0xFFFFFFFF;
875 n = strtoul(s, &e, 0);
888 fw3_parse_dscp(void *ptr, const char *val, bool is_list)
892 struct fw3_dscp *d = ptr;
897 while (isspace(*++val));
900 for (n = 0; n < sizeof(dscp_classes) / sizeof(dscp_classes[0]); n++)
902 if (strcmp(dscp_classes[n].name, val))
906 d->dscp = dscp_classes[n].dscp;
910 n = strtoul(val, &e, 0);
912 if (e == val || *e || n > 0x3F)
921 fw3_parse_setmatch(void *ptr, const char *val, bool is_list)
923 struct fw3_setmatch *m = ptr;
930 while (isspace(*++val));
933 if (!(s = strdup(val)))
936 if (!(p = strtok(s, " \t")))
942 snprintf(m->name, sizeof(m->name), "%s", p);
944 for (i = 0, p = strtok(NULL, " \t,");
946 i++, p = strtok(NULL, " \t,"))
948 if (!strncmp(p, "dest", 4) || !strncmp(p, "dst", 3))
950 else if (!strncmp(p, "src", 3))
961 fw3_parse_direction(void *ptr, const char *val, bool is_list)
966 if (!strcmp(val, "in") || !strcmp(val, "ingress"))
968 else if (!strcmp(val, "out") || !strcmp(val, "egress"))
977 fw3_parse_cthelper(void *ptr, const char *val, bool is_list)
979 struct fw3_cthelpermatch m = { };
984 while (isspace(*++val));
990 snprintf(m.name, sizeof(m.name), "%s", val);
991 put_value(ptr, &m, sizeof(m), is_list);
999 fw3_parse_setentry(void *ptr, const char *val, bool is_list)
1001 struct fw3_setentry e = { };
1004 put_value(ptr, &e, sizeof(e), is_list);
1011 fw3_parse_options(void *s, const struct fw3_option *opts,
1012 struct uci_section *section)
1016 struct uci_element *e, *l;
1017 struct uci_option *o;
1018 const struct fw3_option *opt;
1019 struct list_head *dest;
1022 uci_foreach_element(§ion->options, e)
1024 o = uci_to_option(e);
1027 for (opt = opts; opt->name; opt++)
1032 if (strcmp(opt->name, e->name))
1035 if (o->type == UCI_TYPE_LIST)
1037 if (!opt->elem_size)
1039 warn_elem(e, "must not be a list");
1044 dest = (struct list_head *)((char *)s + opt->offset);
1046 uci_foreach_element(&o->v.list, l)
1051 if (!opt->parse(dest, l->name, true))
1053 warn_elem(e, "has invalid value '%s'", l->name);
1067 if (!opt->elem_size)
1069 if (!opt->parse((char *)s + opt->offset, o->v.string, false))
1071 warn_elem(e, "has invalid value '%s'", o->v.string);
1078 dest = (struct list_head *)((char *)s + opt->offset);
1080 for (p = strtok(v, " \t"); p != NULL; p = strtok(NULL, " \t"))
1082 /* If we encounter a sole "!" token, assume that it
1083 * is meant to be part of the next token, so silently
1084 * skip it and remember the state... */
1085 if (!strcmp(p, "!"))
1091 /* The previous token was a sole "!", rewind pointer
1092 * back by one byte to precede the value with an
1093 * exclamation mark which effectively turns
1094 * ("!", "foo") into ("!foo") */
1101 if (!opt->parse(dest, p, true))
1103 warn_elem(e, "has invalid value '%s'", p);
1109 /* The last token was a sole "!" without any subsequent
1110 * text, so pass it to the option parser as-is. */
1111 if (inv && !opt->parse(dest, "!", true))
1113 warn_elem(e, "has invalid value '%s'", p);
1124 warn_elem(e, "is unknown");
1132 fw3_parse_blob_options(void *s, const struct fw3_option *opts,
1133 struct blob_attr *a, const char *name)
1135 char *p, *v, buf[16];
1138 struct blob_attr *o, *e;
1139 const struct fw3_option *opt;
1140 struct list_head *dest;
1143 blobmsg_for_each_attr(o, a, rem)
1147 for (opt = opts; opt->name; opt++)
1152 if (strcmp(opt->name, blobmsg_name(o)))
1155 if (blobmsg_type(o) == BLOBMSG_TYPE_ARRAY)
1157 if (!opt->elem_size)
1159 fprintf(stderr, "%s: '%s' must not be a list\n",
1166 dest = (struct list_head *)((char *)s + opt->offset);
1168 blobmsg_for_each_attr(e, o, erem)
1170 if (blobmsg_type(e) == BLOBMSG_TYPE_INT32) {
1171 snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(e));
1174 v = blobmsg_get_string(e);
1177 if (!opt->parse(dest, v, true))
1179 fprintf(stderr, "%s: '%s' has invalid value '%s'\n",
1180 name, opt->name, v);
1189 if (blobmsg_type(o) == BLOBMSG_TYPE_INT32) {
1190 snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(o));
1193 v = blobmsg_get_string(o);
1199 if (!opt->elem_size)
1201 if (!opt->parse((char *)s + opt->offset, v, false))
1203 fprintf(stderr, "%s: '%s' has invalid value '%s'\n",
1204 name, opt->name, v);
1210 dest = (struct list_head *)((char *)s + opt->offset);
1212 for (p = strtok(v, " \t"); p != NULL; p = strtok(NULL, " \t"))
1214 if (!opt->parse(dest, p, true))
1216 fprintf(stderr, "%s: '%s' has invalid value '%s'\n",
1217 name, opt->name, p);
1229 if (!known && strcmp(blobmsg_name(o), "type"))
1230 fprintf(stderr, "%s: '%s' is unknown\n", name, blobmsg_name(o));
1238 fw3_address_to_string(struct fw3_address *address, bool allow_invert, bool as_cidr)
1240 char *p, ip[INET6_ADDRSTRLEN];
1241 static char buf[INET6_ADDRSTRLEN * 2 + 2];
1242 size_t rem = sizeof(buf);
1247 if (address->invert && allow_invert) {
1253 inet_ntop(address->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
1254 &address->address.v4, ip, sizeof(ip));
1256 len = snprintf(p, rem, "%s", ip);
1258 if (len < 0 || len >= rem)
1266 inet_ntop(address->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
1267 &address->mask.v4, ip, sizeof(ip));
1269 snprintf(p, rem, "-%s", ip);
1273 inet_ntop(address->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
1274 &address->mask.v4, ip, sizeof(ip));
1276 snprintf(p, rem, "/%s", ip);
1280 snprintf(p, rem, "/%u",
1281 fw3_netmask2bitlen(address->family, &address->mask.v6));
projects / oweals / firewall3.git / blob