2 * firewall3 - 3rd OpenWrt UCI firewall implementation
4 * Copyright (C) 2013-2018 Jo-Philipp Wich <jo@mein.io>
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
19 #include "redirects.h"
22 const struct fw3_option fw3_redirect_opts[] = {
23 FW3_OPT("enabled", bool, redirect, enabled),
25 FW3_OPT("name", string, redirect, name),
26 FW3_OPT("family", family, redirect, family),
28 FW3_OPT("src", device, redirect, src),
29 FW3_OPT("dest", device, redirect, dest),
31 FW3_OPT("ipset", setmatch, redirect, ipset),
32 FW3_OPT("helper", cthelper, redirect, helper),
34 FW3_LIST("proto", protocol, redirect, proto),
36 FW3_OPT("src_ip", network, redirect, ip_src),
37 FW3_LIST("src_mac", mac, redirect, mac_src),
38 FW3_OPT("src_port", port, redirect, port_src),
40 FW3_OPT("src_dip", network, redirect, ip_dest),
41 FW3_OPT("src_dport", port, redirect, port_dest),
43 FW3_OPT("dest_ip", network, redirect, ip_redir),
44 FW3_OPT("dest_port", port, redirect, port_redir),
46 FW3_OPT("extra", string, redirect, extra),
48 FW3_OPT("limit", limit, redirect, limit),
49 FW3_OPT("limit_burst", int, redirect, limit.burst),
51 FW3_OPT("utc_time", bool, redirect, time.utc),
52 FW3_OPT("start_date", date, redirect, time.datestart),
53 FW3_OPT("stop_date", date, redirect, time.datestop),
54 FW3_OPT("start_time", time, redirect, time.timestart),
55 FW3_OPT("stop_time", time, redirect, time.timestop),
56 FW3_OPT("weekdays", weekdays, redirect, time.weekdays),
57 FW3_OPT("monthdays", monthdays, redirect, time.monthdays),
59 FW3_OPT("mark", mark, redirect, mark),
61 FW3_OPT("reflection", bool, redirect, reflection),
62 FW3_OPT("reflection_src", reflection_source,
63 redirect, reflection_src),
65 FW3_OPT("target", target, redirect, target),
72 check_families(struct uci_element *e, struct fw3_redirect *r)
74 if (r->family == FW3_FAMILY_ANY)
77 if (r->_src && r->_src->family && r->_src->family != r->family)
79 warn_elem(e, "refers to source zone with different family");
83 if (r->_dest && r->_dest->family && r->_dest->family != r->family)
85 warn_elem(e, "refers to destination zone with different family");
89 if (r->ipset.ptr && r->ipset.ptr->family &&
90 r->ipset.ptr->family != r->family)
92 warn_elem(e, "refers to ipset with different family");
96 if (r->helper.ptr && r->helper.ptr->family &&
97 r->helper.ptr->family != r->family)
99 warn_elem(e, "refers to CT helper not supporting family");
103 if (r->ip_src.family && r->ip_src.family != r->family)
105 warn_elem(e, "uses source ip with different family");
109 if (r->ip_dest.family && r->ip_dest.family != r->family)
111 warn_elem(e, "uses destination ip with different family");
115 if (r->ip_redir.family && r->ip_redir.family != r->family)
117 warn_elem(e, "uses redirect ip with different family");
125 compare_addr(struct fw3_address *a, struct fw3_address *b)
127 if (a->family != FW3_FAMILY_V4 || b->family != FW3_FAMILY_V4)
130 return ((a->address.v4.s_addr & a->mask.v4.s_addr) ==
131 (b->address.v4.s_addr & a->mask.v4.s_addr));
135 resolve_dest(struct uci_element *e, struct fw3_redirect *redir,
136 struct fw3_state *state)
138 struct fw3_zone *zone;
139 struct fw3_address *addr;
140 struct list_head *addrs;
142 if (!redir->ip_redir.set)
145 list_for_each_entry(zone, &state->zones, list)
147 addrs = fw3_resolve_zone_addresses(zone, NULL);
152 list_for_each_entry(addr, addrs, list)
154 if (!compare_addr(addr, &redir->ip_redir))
157 strncpy(redir->dest.name, zone->name, sizeof(redir->dest.name) - 1);
158 redir->dest.set = true;
164 fw3_free_list(addrs);
174 check_local(struct uci_element *e, struct fw3_redirect *redir,
175 struct fw3_state *state)
177 if (redir->target != FW3_FLAG_DNAT)
180 if (!redir->ip_redir.set)
187 select_helper(struct fw3_state *state, struct fw3_redirect *redir)
189 struct fw3_protocol *proto;
190 struct fw3_cthelper *helper;
193 if (!state->defaults.auto_helper)
196 if (!redir->_src || redir->target != FW3_FLAG_DNAT)
199 if (!redir->port_redir.set || redir->port_redir.invert)
202 if (redir->helper.set || redir->helper.ptr)
205 if (list_empty(&redir->proto))
208 list_for_each_entry(proto, &redir->proto, list)
210 helper = fw3_lookup_cthelper_by_proto_port(state, proto, &redir->port_redir);
219 /* store pointer to auto-selected helper but set ".set" flag to false,
220 * to allow later code to decide between configured or auto-selected
222 redir->helper.set = false;
223 redir->helper.ptr = helper;
225 set(redir->_src->flags, FW3_FAMILY_V4, FW3_FLAG_HELPER);
229 check_redirect(struct fw3_state *state, struct fw3_redirect *redir, struct uci_element *e)
236 if (redir->src.invert)
238 warn_section("redirect", redir, e, "must not have an inverted source");
241 else if (redir->src.set && !redir->src.any &&
242 !(redir->_src = fw3_lookup_zone(state, redir->src.name)))
244 warn_section("redirect", redir, e, "refers to not existing zone '%s'",
248 else if (redir->dest.set && !redir->dest.any &&
249 !(redir->_dest = fw3_lookup_zone(state, redir->dest.name)))
251 warn_section("redirect", redir, e, "refers to not existing zone '%s'",
255 else if (redir->ipset.set && state->disable_ipsets)
257 warn_section("redirect", redir, e, "skipped due to disabled ipset support");
260 else if (redir->ipset.set &&
261 !(redir->ipset.ptr = fw3_lookup_ipset(state, redir->ipset.name)))
263 warn_section("redirect", redir, e, "refers to unknown ipset '%s'",
267 else if (redir->helper.set &&
268 !(redir->helper.ptr = fw3_lookup_cthelper(state, redir->helper.name)))
270 warn_section("redirect", redir, e, "refers to unknown CT helper '%s'",
275 if (!check_families(e, redir))
278 if (redir->target == FW3_FLAG_UNSPEC)
280 warn_section("redirect", redir, e, "has no target specified, defaulting to DNAT");
281 redir->target = FW3_FLAG_DNAT;
283 else if (redir->target < FW3_FLAG_DNAT || redir->target > FW3_FLAG_SNAT)
285 warn_section("redirect", redir, e, "has invalid target specified, defaulting to DNAT");
286 redir->target = FW3_FLAG_DNAT;
291 if (redir->target == FW3_FLAG_DNAT)
294 warn_section("redirect", redir, e, "must not have source '*' for DNAT target");
295 else if (!redir->_src)
296 warn_section("redirect", redir, e, "has no source specified");
297 else if (redir->helper.invert)
298 warn_section("redirect", redir, e, "must not use a negated helper match");
301 set(redir->_src->flags, FW3_FAMILY_V4, redir->target);
304 if (!check_local(e, redir, state) && !redir->dest.set &&
305 resolve_dest(e, redir, state))
307 warn_section("redirect", redir, e,
308 "does not specify a destination, assuming '%s'",
312 if (redir->reflection && redir->_dest && redir->_src->masq)
314 set(redir->_dest->flags, FW3_FAMILY_V4, FW3_FLAG_ACCEPT);
315 set(redir->_dest->flags, FW3_FAMILY_V4, FW3_FLAG_DNAT);
316 set(redir->_dest->flags, FW3_FAMILY_V4, FW3_FLAG_SNAT);
319 if (redir->helper.ptr)
320 set(redir->_src->flags, FW3_FAMILY_V4, FW3_FLAG_HELPER);
326 warn_section("redirect", redir, e,
327 "must not have destination '*' for SNAT target");
328 else if (!redir->_dest)
329 warn_section("redirect", redir, e, "has no destination specified");
330 else if (!redir->ip_dest.set)
331 warn_section("redirect", redir, e, "has no src_dip option specified");
332 else if (!list_empty(&redir->mac_src))
333 warn_section("redirect", redir, e, "must not use 'src_mac' option for SNAT target");
334 else if (redir->helper.set)
335 warn_section("redirect", redir, e, "must not use 'helper' option for SNAT target");
338 set(redir->_dest->flags, FW3_FAMILY_V4, redir->target);
343 if (list_empty(&redir->proto))
345 warn_section("redirect", redir, e, "does not specify a protocol, assuming TCP+UDP");
346 fw3_parse_protocol(&redir->proto, "tcpudp", true);
352 if (redir->target == FW3_FLAG_DNAT && !redir->port_redir.set)
353 redir->port_redir = redir->port_dest;
358 static struct fw3_redirect *
359 fw3_alloc_redirect(struct fw3_state *state)
361 struct fw3_redirect *redir;
363 redir = calloc(1, sizeof(*redir));
367 INIT_LIST_HEAD(&redir->proto);
368 INIT_LIST_HEAD(&redir->mac_src);
370 redir->enabled = true;
371 redir->reflection = true;
373 list_add_tail(&redir->list, &state->redirects);
379 fw3_load_redirects(struct fw3_state *state, struct uci_package *p,
382 struct uci_section *s;
383 struct uci_element *e;
384 struct fw3_redirect *redir;
385 struct blob_attr *entry;
388 INIT_LIST_HEAD(&state->redirects);
390 blob_for_each_attr(entry, a, rem)
393 const char *name = "ubus redirect";
395 if (!fw3_attr_parse_name_type(entry, &name, &type))
398 if (strcmp(type, "redirect"))
401 redir = fw3_alloc_redirect(state);
405 if (!fw3_parse_blob_options(redir, fw3_redirect_opts, entry, name))
407 warn_section("redirect", redir, NULL, "skipped due to invalid options");
408 fw3_free_redirect(redir);
412 if (!check_redirect(state, redir, NULL)) {
413 fw3_free_redirect(redir);
417 select_helper(state, redir);
420 uci_foreach_element(&p->sections, e)
422 s = uci_to_section(e);
424 if (strcmp(s->type, "redirect"))
427 redir = fw3_alloc_redirect(state);
431 if (!fw3_parse_options(redir, fw3_redirect_opts, s))
433 warn_elem(e, "skipped due to invalid options");
434 fw3_free_redirect(redir);
438 if (!check_redirect(state, redir, e)) {
439 fw3_free_redirect(redir);
443 select_helper(state, redir);
448 append_chain_nat(struct fw3_ipt_rule *r, struct fw3_redirect *redir)
450 if (redir->target == FW3_FLAG_DNAT)
451 fw3_ipt_rule_append(r, "zone_%s_prerouting", redir->src.name);
453 fw3_ipt_rule_append(r, "zone_%s_postrouting", redir->dest.name);
457 set_redirect(struct fw3_ipt_rule *r, struct fw3_port *port)
459 char buf[sizeof("65535-65535\0")];
461 fw3_ipt_rule_target(r, "REDIRECT");
463 if (port && port->set)
465 if (port->port_min == port->port_max)
466 sprintf(buf, "%u", port->port_min);
468 snprintf(buf, sizeof(buf), "%u-%u", port->port_min, port->port_max);
470 fw3_ipt_rule_addarg(r, false, "--to-ports", buf);
475 set_snat_dnat(struct fw3_ipt_rule *r, enum fw3_flag target,
476 struct fw3_address *addr, struct fw3_port *port)
478 char buf[sizeof("255.255.255.255:65535-65535\0")];
482 if (addr && addr->set)
484 inet_ntop(AF_INET, &addr->address.v4, buf, sizeof(buf));
487 if (port && port->set)
489 if (port->port_min == port->port_max)
490 sprintf(buf + strlen(buf), ":%u", port->port_min);
492 sprintf(buf + strlen(buf), ":%u-%u",
493 port->port_min, port->port_max);
496 if (target == FW3_FLAG_DNAT)
498 fw3_ipt_rule_target(r, "DNAT");
499 fw3_ipt_rule_addarg(r, false, "--to-destination", buf);
503 fw3_ipt_rule_target(r, "SNAT");
504 fw3_ipt_rule_addarg(r, false, "--to-source", buf);
509 set_target_nat(struct fw3_ipt_rule *r, struct fw3_redirect *redir)
512 set_redirect(r, &redir->port_redir);
513 else if (redir->target == FW3_FLAG_DNAT)
514 set_snat_dnat(r, redir->target, &redir->ip_redir, &redir->port_redir);
516 set_snat_dnat(r, redir->target, &redir->ip_dest, &redir->port_dest);
520 set_comment(struct fw3_ipt_rule *r, const char *name, int num, const char *suffix)
525 fw3_ipt_rule_comment(r, "%s (%s)", name, suffix);
527 fw3_ipt_rule_comment(r, name);
532 fw3_ipt_rule_comment(r, "@redirect[%u] (%s)", num, suffix);
534 fw3_ipt_rule_comment(r, "@redirect[%u]", num);
539 print_redirect(struct fw3_ipt_handle *h, struct fw3_state *state,
540 struct fw3_redirect *redir, int num,
541 struct fw3_protocol *proto, struct fw3_mac *mac)
543 struct fw3_ipt_rule *r;
544 struct fw3_address *src, *dst;
545 struct fw3_port *spt, *dpt;
550 src = &redir->ip_src;
551 dst = &redir->ip_dest;
552 spt = &redir->port_src;
553 dpt = &redir->port_dest;
555 if (redir->target == FW3_FLAG_SNAT)
557 dst = &redir->ip_redir;
558 dpt = &redir->port_redir;
561 r = fw3_ipt_rule_create(h, proto, NULL, NULL, src, dst);
562 fw3_ipt_rule_sport_dport(r, spt, dpt);
563 fw3_ipt_rule_mac(r, mac);
564 fw3_ipt_rule_ipset(r, &redir->ipset);
565 fw3_ipt_rule_helper(r, &redir->helper);
566 fw3_ipt_rule_limit(r, &redir->limit);
567 fw3_ipt_rule_time(r, &redir->time);
568 fw3_ipt_rule_mark(r, &redir->mark);
569 set_target_nat(r, redir);
570 fw3_ipt_rule_extra(r, redir->extra);
571 set_comment(r, redir->name, num, NULL);
572 append_chain_nat(r, redir);
576 if (redir->target == FW3_FLAG_DNAT && redir->helper.ptr)
578 if (!fw3_cthelper_check_proto(redir->helper.ptr, proto))
580 info(" ! Skipping protocol %s since helper '%s' does not support it",
581 fw3_protoname(proto), redir->helper.ptr->name);
585 if (!redir->helper.set)
586 info(" - Auto-selected conntrack helper '%s' based on proto/port",
587 redir->helper.ptr->name);
589 r = fw3_ipt_rule_create(h, proto, NULL, NULL, &redir->ip_src, &redir->ip_redir);
590 fw3_ipt_rule_sport_dport(r, &redir->port_src, &redir->port_redir);
591 fw3_ipt_rule_mac(r, mac);
592 fw3_ipt_rule_ipset(r, &redir->ipset);
593 fw3_ipt_rule_limit(r, &redir->limit);
594 fw3_ipt_rule_time(r, &redir->time);
595 fw3_ipt_rule_mark(r, &redir->mark);
596 fw3_ipt_rule_addarg(r, false, "-m", "conntrack");
597 fw3_ipt_rule_addarg(r, false, "--ctstate", "DNAT");
598 fw3_ipt_rule_target(r, "CT");
599 fw3_ipt_rule_addarg(r, false, "--helper", redir->helper.ptr->name);
600 set_comment(r, redir->name, num, "CT helper");
601 fw3_ipt_rule_append(r, "zone_%s_helper", redir->_src->name);
611 print_reflection(struct fw3_ipt_handle *h, struct fw3_state *state,
612 struct fw3_redirect *redir, int num,
613 struct fw3_protocol *proto, struct fw3_address *ra,
614 struct fw3_address *ia, struct fw3_address *ea)
616 struct fw3_ipt_rule *r;
621 r = fw3_ipt_rule_create(h, proto, NULL, NULL, ia, ea);
622 fw3_ipt_rule_sport_dport(r, NULL, &redir->port_dest);
623 fw3_ipt_rule_limit(r, &redir->limit);
624 fw3_ipt_rule_time(r, &redir->time);
625 set_comment(r, redir->name, num, "reflection");
626 set_snat_dnat(r, FW3_FLAG_DNAT, &redir->ip_redir, &redir->port_redir);
627 fw3_ipt_rule_replace(r, "zone_%s_prerouting", redir->dest.name);
629 r = fw3_ipt_rule_create(h, proto, NULL, NULL, ia, &redir->ip_redir);
630 fw3_ipt_rule_sport_dport(r, NULL, &redir->port_redir);
631 fw3_ipt_rule_limit(r, &redir->limit);
632 fw3_ipt_rule_time(r, &redir->time);
633 set_comment(r, redir->name, num, "reflection");
634 set_snat_dnat(r, FW3_FLAG_SNAT, ra, NULL);
635 fw3_ipt_rule_replace(r, "zone_%s_postrouting", redir->dest.name);
644 expand_redirect(struct fw3_ipt_handle *handle, struct fw3_state *state,
645 struct fw3_redirect *redir, int num)
647 struct list_head *ext_addrs, *int_addrs;
648 struct fw3_address *ext_addr, *int_addr, ref_addr;
649 struct fw3_protocol *proto;
653 info(" * Redirect '%s'", redir->name);
655 info(" * Redirect #%u", num);
657 if (!fw3_is_family(redir->_src, handle->family) ||
658 !fw3_is_family(redir->_dest, handle->family))
660 info(" ! Skipping due to different family of zone");
664 if (!fw3_is_family(&redir->ip_src, handle->family) ||
665 !fw3_is_family(&redir->ip_dest, handle->family) ||
666 !fw3_is_family(&redir->ip_redir, handle->family))
668 if (!redir->ip_src.resolved ||
669 !redir->ip_dest.resolved ||
670 !redir->ip_redir.resolved)
671 info(" ! Skipping due to different family of ip address");
676 if (redir->ipset.ptr)
678 if (!fw3_is_family(redir->ipset.ptr, handle->family))
680 info(" ! Skipping due to different family in ipset");
684 if (!fw3_check_ipset(redir->ipset.ptr))
686 info(" ! Skipping due to missing ipset '%s'",
687 redir->ipset.ptr->external ?
688 redir->ipset.ptr->external : redir->ipset.ptr->name);
692 set(redir->ipset.ptr->flags, handle->family, handle->family);
695 fw3_foreach(proto, &redir->proto)
696 fw3_foreach(mac, &redir->mac_src)
697 print_redirect(handle, state, redir, num, proto, mac);
699 /* reflection rules */
700 if (redir->target != FW3_FLAG_DNAT || !redir->reflection || redir->local)
703 if (!redir->_dest || !redir->_src->masq)
706 ext_addrs = fw3_resolve_zone_addresses(redir->_src, &redir->ip_dest);
707 int_addrs = fw3_resolve_zone_addresses(redir->_dest, NULL);
709 if (!ext_addrs || !int_addrs)
712 list_for_each_entry(ext_addr, ext_addrs, list)
714 if (!fw3_is_family(ext_addr, handle->family))
717 list_for_each_entry(int_addr, int_addrs, list)
719 if (!fw3_is_family(int_addr, handle->family))
722 fw3_foreach(proto, &redir->proto)
727 if (redir->reflection_src == FW3_REFLECTION_INTERNAL)
728 ref_addr = *int_addr;
730 ref_addr = *ext_addr;
732 ref_addr.mask.v4.s_addr = 0xFFFFFFFF;
733 ext_addr->mask.v4.s_addr = 0xFFFFFFFF;
735 print_reflection(handle, state, redir, num, proto,
736 &ref_addr, int_addr, ext_addr);
742 fw3_free_list(ext_addrs);
743 fw3_free_list(int_addrs);
747 fw3_print_redirects(struct fw3_ipt_handle *handle, struct fw3_state *state)
750 struct fw3_redirect *redir;
752 if (handle->family == FW3_FAMILY_V6)
755 if (handle->table != FW3_TABLE_FILTER &&
756 handle->table != FW3_TABLE_NAT &&
757 handle->table != FW3_TABLE_RAW)
760 list_for_each_entry(redir, &state->redirects, list)
762 if (handle->table == FW3_TABLE_RAW && !redir->helper.ptr)
765 expand_redirect(handle, state, redir, num++);