/*
* firewall3 - 3rd OpenWrt UCI firewall implementation
*
- * Copyright (C) 2013 Jo-Philipp Wich <jow@openwrt.org>
+ * Copyright (C) 2013-2014 Jo-Philipp Wich <jo@mein.io>
*
* Permission to use, copy, modify, and/or distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
*/
#include "options.h"
+#include "ubus.h"
-const char *fw3_flag_names[FW3_DEFAULT_DROP_INVALID + 1] = {
+
+static bool
+put_value(void *ptr, void *val, int elem_size, bool is_list)
+{
+ void *copy;
+
+ if (is_list)
+ {
+ copy = malloc(elem_size);
+
+ if (!copy)
+ return false;
+
+ memcpy(copy, val, elem_size);
+ list_add_tail((struct list_head *)copy, (struct list_head *)ptr);
+ return true;
+ }
+
+ memcpy(ptr, val, elem_size);
+ return false;
+}
+
+static bool
+parse_enum(void *ptr, const char *val, const char **values, int min, int max)
+{
+ int i, l = strlen(val);
+
+ if (l > 0)
+ {
+ for (i = 0; i <= (max - min); i++)
+ {
+ if (!strncasecmp(val, values[i], l))
+ {
+ *((int *)ptr) = min + i;
+ return true;
+ }
+ }
+ }
+
+ return false;
+}
+
+
+const char *fw3_flag_names[__FW3_FLAG_MAX] = {
"filter",
"nat",
"mangle",
"REJECT",
"DROP",
"NOTRACK",
+ "MARK",
"DNAT",
"SNAT",
+ "MASQUERADE",
+
+ "ACCEPT",
+ "REJECT",
+ "DROP",
+};
+
+const char *fw3_limit_units[__FW3_LIMIT_UNIT_MAX] = {
+ "second",
+ "minute",
+ "hour",
+ "day",
+};
+
+const char *fw3_ipset_method_names[__FW3_IPSET_METHOD_MAX] = {
+ "(bug)",
+ "bitmap",
+ "hash",
+ "list",
+};
+
+const char *fw3_ipset_type_names[__FW3_IPSET_TYPE_MAX] = {
+ "(bug)",
+ "ip",
+ "port",
+ "mac",
+ "net",
+ "set",
+};
+
+static const char *weekdays[] = {
+ "monday",
+ "tuesday",
+ "wednesday",
+ "thursday",
+ "friday",
+ "saturday",
+ "sunday",
+};
+
+static const char *include_types[] = {
+ "script",
+ "restore",
+};
+
+static const char *reflection_sources[] = {
+ "internal",
+ "external",
};
+
bool
-fw3_parse_bool(void *ptr, const char *val)
+fw3_parse_bool(void *ptr, const char *val, bool is_list)
{
if (!strcmp(val, "true") || !strcmp(val, "yes") || !strcmp(val, "1"))
*((bool *)ptr) = true;
}
bool
-fw3_parse_int(void *ptr, const char *val)
+fw3_parse_int(void *ptr, const char *val, bool is_list)
{
- int n = strtol(val, NULL, 10);
+ char *e;
+ int n = strtol(val, &e, 0);
- if (errno == ERANGE || errno == EINVAL)
+ if (e == val || *e)
return false;
*((int *)ptr) = n;
}
bool
-fw3_parse_string(void *ptr, const char *val)
+fw3_parse_string(void *ptr, const char *val, bool is_list)
{
*((char **)ptr) = (char *)val;
return true;
}
bool
-fw3_parse_target(void *ptr, const char *val)
+fw3_parse_target(void *ptr, const char *val, bool is_list)
{
- if (!strcmp(val, "ACCEPT"))
- {
- *((enum fw3_target *)ptr) = FW3_TARGET_ACCEPT;
- return true;
- }
- else if (!strcmp(val, "REJECT"))
- {
- *((enum fw3_target *)ptr) = FW3_TARGET_REJECT;
- return true;
- }
- else if (!strcmp(val, "DROP"))
- {
- *((enum fw3_target *)ptr) = FW3_TARGET_DROP;
- return true;
- }
- else if (!strcmp(val, "NOTRACK"))
- {
- *((enum fw3_target *)ptr) = FW3_TARGET_NOTRACK;
- return true;
- }
- else if (!strcmp(val, "DNAT"))
- {
- *((enum fw3_target *)ptr) = FW3_TARGET_DNAT;
- return true;
- }
- else if (!strcmp(val, "SNAT"))
- {
- *((enum fw3_target *)ptr) = FW3_TARGET_SNAT;
- return true;
- }
-
- return false;
+ return parse_enum(ptr, val, &fw3_flag_names[FW3_FLAG_ACCEPT],
+ FW3_FLAG_ACCEPT, FW3_FLAG_MASQUERADE);
}
bool
-fw3_parse_limit(void *ptr, const char *val)
+fw3_parse_limit(void *ptr, const char *val, bool is_list)
{
struct fw3_limit *limit = ptr;
enum fw3_limit_unit u = FW3_LIMIT_UNIT_SECOND;
if (!strlen(e))
return false;
- if (!strncmp(e, "second", strlen(e)))
- u = FW3_LIMIT_UNIT_SECOND;
- else if (!strncmp(e, "minute", strlen(e)))
- u = FW3_LIMIT_UNIT_MINUTE;
- else if (!strncmp(e, "hour", strlen(e)))
- u = FW3_LIMIT_UNIT_HOUR;
- else if (!strncmp(e, "day", strlen(e)))
- u = FW3_LIMIT_UNIT_DAY;
- else
+ if (!parse_enum(&u, e, fw3_limit_units, 0, FW3_LIMIT_UNIT_DAY))
return false;
limit->rate = n;
}
bool
-fw3_parse_device(void *ptr, const char *val)
+fw3_parse_device(void *ptr, const char *val, bool is_list)
{
- struct fw3_device *dev = ptr;
+ char *p;
+ struct fw3_device dev = { };
if (*val == '*')
{
- dev->set = true;
- dev->any = true;
+ dev.set = true;
+ dev.any = true;
+ put_value(ptr, &dev, sizeof(dev), is_list);
return true;
}
if (*val == '!')
{
- dev->invert = true;
+ dev.invert = true;
while (isspace(*++val));
}
+ if ((p = strchr(val, '@')) != NULL)
+ {
+ *p++ = 0;
+ snprintf(dev.network, sizeof(dev.network), "%s", p);
+ }
+
if (*val)
- snprintf(dev->name, sizeof(dev->name), "%s", val);
+ snprintf(dev.name, sizeof(dev.name), "%s", val);
else
return false;
- dev->set = true;
+ dev.set = true;
+ put_value(ptr, &dev, sizeof(dev), is_list);
return true;
}
bool
-fw3_parse_address(void *ptr, const char *val)
+fw3_parse_address(void *ptr, const char *val, bool is_list)
{
- struct fw3_address *addr = ptr;
+ struct fw3_address addr = { };
struct in_addr v4;
struct in6_addr v6;
- char *p, *s, *e;
- int i, m = -1;
+ char *p = NULL, *m = NULL, *s, *e;
+ int bits = -1;
if (*val == '!')
{
- addr->invert = true;
+ addr.invert = true;
while (isspace(*++val));
}
if (!s)
return false;
- if ((p = strchr(s, '/')) != NULL)
- {
+ if ((m = strchr(s, '/')) != NULL)
+ *m++ = 0;
+ else if ((p = strchr(s, '-')) != NULL)
*p++ = 0;
- m = strtoul(p, &e, 10);
- if ((e == p) || (*e != 0))
+ if (inet_pton(AF_INET6, s, &v6))
+ {
+ addr.family = FW3_FAMILY_V6;
+ addr.address.v6 = v6;
+
+ if (m)
{
- if (strchr(s, ':') || !inet_pton(AF_INET, p, &v4))
+ if (!inet_pton(AF_INET6, m, &v6))
{
- free(s);
- return false;
- }
+ bits = strtol(m, &e, 10);
- for (i = 0, m = 32; !(v4.s_addr & 1) && (i < 32); i++)
- {
- m--;
- v4.s_addr >>= 1;
+ if ((*e != 0) || !fw3_bitlen2netmask(addr.family, bits, &v6))
+ goto fail;
}
+
+ addr.mask.v6 = v6;
+ }
+ else if (p)
+ {
+ if (!inet_pton(AF_INET6, p, &addr.mask.v6))
+ goto fail;
+
+ addr.range = true;
+ }
+ else
+ {
+ memset(addr.mask.v6.s6_addr, 0xFF, 16);
}
}
- else if ((p = strchr(s, '-')) != NULL)
+ else if (inet_pton(AF_INET, s, &v4))
{
- *p++ = 0;
+ addr.family = FW3_FAMILY_V4;
+ addr.address.v4 = v4;
- if (inet_pton(AF_INET6, p, &v6))
+ if (m)
{
- addr->family = FW3_FAMILY_V6;
- addr->address2.v6 = v6;
- addr->range = true;
+ if (!inet_pton(AF_INET, m, &v4))
+ {
+ bits = strtol(m, &e, 10);
+
+ if ((*e != 0) || !fw3_bitlen2netmask(addr.family, bits, &v4))
+ goto fail;
+ }
+
+ addr.mask.v4 = v4;
}
- else if (inet_pton(AF_INET, p, &v4))
+ else if (p)
{
- addr->family = FW3_FAMILY_V4;
- addr->address2.v4 = v4;
- addr->range = true;
+ if (!inet_pton(AF_INET, p, &addr.mask.v4))
+ goto fail;
+
+ addr.range = true;
}
else
{
- free(s);
- return false;
+ addr.mask.v4.s_addr = 0xFFFFFFFF;
}
}
-
- if (inet_pton(AF_INET6, s, &v6))
- {
- addr->family = FW3_FAMILY_V6;
- addr->address.v6 = v6;
- addr->mask = (m >= 0) ? m : 128;
- }
- else if (inet_pton(AF_INET, s, &v4))
- {
- addr->family = FW3_FAMILY_V4;
- addr->address.v4 = v4;
- addr->mask = (m >= 0) ? m : 32;
- }
else
{
- free(s);
- return false;
+ goto fail;
}
free(s);
- addr->set = true;
+ addr.set = true;
+ put_value(ptr, &addr, sizeof(addr), is_list);
return true;
+
+fail:
+ free(s);
+ return false;
}
bool
-fw3_parse_mac(void *ptr, const char *val)
+fw3_parse_network(void *ptr, const char *val, bool is_list)
{
- struct fw3_mac *addr = ptr;
+ struct fw3_device dev = { };
+ struct fw3_address *addr, *tmp;
+ LIST_HEAD(addr_list);
+
+ if (!fw3_parse_address(ptr, val, is_list))
+ {
+ if (!fw3_parse_device(&dev, val, false))
+ return false;
+
+ fw3_ubus_address(&addr_list, dev.name);
+ list_for_each_entry(addr, &addr_list, list)
+ {
+ addr->invert = dev.invert;
+ addr->resolved = true;
+ }
+
+ if (is_list)
+ {
+ list_splice_tail(&addr_list, ptr);
+ }
+ else if (!list_empty(&addr_list))
+ {
+ memcpy(ptr, list_first_entry(&addr_list, typeof(*addr), list),
+ sizeof(*addr));
+
+ list_for_each_entry_safe(addr, tmp, &addr_list, list)
+ free(addr);
+ }
+ }
+
+ return true;
+}
+
+bool
+fw3_parse_mac(void *ptr, const char *val, bool is_list)
+{
+ struct fw3_mac addr = { };
struct ether_addr *mac;
if (*val == '!')
{
- addr->invert = true;
+ addr.invert = true;
while (isspace(*++val));
}
if ((mac = ether_aton(val)) != NULL)
{
- addr->mac = *mac;
- addr->set = true;
+ addr.mac = *mac;
+ addr.set = true;
+
+ put_value(ptr, &addr, sizeof(addr), is_list);
return true;
}
}
bool
-fw3_parse_port(void *ptr, const char *val)
+fw3_parse_port(void *ptr, const char *val, bool is_list)
{
- struct fw3_port *range = ptr;
+ struct fw3_port range = { };
uint16_t n;
uint16_t m;
char *p;
if (*val == '!')
{
- range->invert = true;
+ range.invert = true;
while (isspace(*++val));
}
if (errno == ERANGE || errno == EINVAL || m < n)
return false;
- range->port_min = n;
- range->port_max = m;
+ range.port_min = n;
+ range.port_max = m;
}
else
{
- range->port_min = n;
- range->port_max = n;
+ range.port_min = n;
+ range.port_max = n;
}
- range->set = true;
+ range.set = true;
+ put_value(ptr, &range, sizeof(range), is_list);
return true;
}
bool
-fw3_parse_family(void *ptr, const char *val)
+fw3_parse_family(void *ptr, const char *val, bool is_list)
{
- if (!strcmp(val, "any"))
+ if (!strcmp(val, "any") || !strcmp(val, "*"))
*((enum fw3_family *)ptr) = FW3_FAMILY_ANY;
else if (!strcmp(val, "inet") || strrchr(val, '4'))
*((enum fw3_family *)ptr) = FW3_FAMILY_V4;
}
bool
-fw3_parse_icmptype(void *ptr, const char *val)
+fw3_parse_icmptype(void *ptr, const char *val, bool is_list)
{
- struct fw3_icmptype *icmp = ptr;
+ struct fw3_icmptype icmp = { };
bool v4 = false;
bool v6 = false;
char *p;
{
if (!strcmp(val, fw3_icmptype_list_v4[i].name))
{
- icmp->type = fw3_icmptype_list_v4[i].type;
- icmp->code_min = fw3_icmptype_list_v4[i].code_min;
- icmp->code_max = fw3_icmptype_list_v4[i].code_max;
+ icmp.type = fw3_icmptype_list_v4[i].type;
+ icmp.code_min = fw3_icmptype_list_v4[i].code_min;
+ icmp.code_max = fw3_icmptype_list_v4[i].code_max;
v4 = true;
break;
{
if (!strcmp(val, fw3_icmptype_list_v6[i].name))
{
- icmp->type6 = fw3_icmptype_list_v6[i].type;
- icmp->code6_min = fw3_icmptype_list_v6[i].code_min;
- icmp->code6_max = fw3_icmptype_list_v6[i].code_max;
+ icmp.type6 = fw3_icmptype_list_v6[i].type;
+ icmp.code6_min = fw3_icmptype_list_v6[i].code_min;
+ icmp.code6_max = fw3_icmptype_list_v6[i].code_max;
v6 = true;
break;
if ((p == val) || (*p != '/' && *p != 0) || (i > 0xFF))
return false;
- icmp->type = i;
+ icmp.type = i;
if (*p == '/')
{
if ((p == val) || (*p != 0) || (i > 0xFF))
return false;
- icmp->code_min = i;
- icmp->code_max = i;
+ icmp.code_min = i;
+ icmp.code_max = i;
}
else
{
- icmp->code_min = 0;
- icmp->code_max = 0xFF;
+ icmp.code_min = 0;
+ icmp.code_max = 0xFF;
}
- icmp->type6 = icmp->type;
- icmp->code6_min = icmp->code_max;
- icmp->code6_max = icmp->code_max;
+ icmp.type6 = icmp.type;
+ icmp.code6_min = icmp.code_max;
+ icmp.code6_max = icmp.code_max;
v4 = true;
v6 = true;
}
- icmp->family = (v4 && v6) ? FW3_FAMILY_ANY
- : (v6 ? FW3_FAMILY_V6 : FW3_FAMILY_V4);
+ icmp.family = (v4 && v6) ? FW3_FAMILY_ANY
+ : (v6 ? FW3_FAMILY_V6 : FW3_FAMILY_V4);
+ put_value(ptr, &icmp, sizeof(icmp), is_list);
return true;
}
bool
-fw3_parse_protocol(void *ptr, const char *val)
+fw3_parse_protocol(void *ptr, const char *val, bool is_list)
{
- struct fw3_protocol *proto = ptr;
+ struct fw3_protocol proto = { };
struct protoent *ent;
+ char *e;
if (*val == '!')
{
- proto->invert = true;
+ proto.invert = true;
while (isspace(*++val));
}
- if (!strcmp(val, "all"))
+ if (!strcmp(val, "all") || !strcmp(val, "any") || !strcmp(val, "*"))
{
- proto->any = true;
+ proto.any = true;
+ put_value(ptr, &proto, sizeof(proto), is_list);
return true;
}
else if (!strcmp(val, "icmpv6"))
{
val = "ipv6-icmp";
}
+ else if (!strcmp(val, "tcpudp"))
+ {
+ proto.protocol = 6;
+ if (put_value(ptr, &proto, sizeof(proto), is_list))
+ {
+ proto.protocol = 17;
+ put_value(ptr, &proto, sizeof(proto), is_list);
+ }
+
+ return true;
+ }
ent = getprotobyname(val);
if (ent)
{
- proto->protocol = ent->p_proto;
+ proto.protocol = ent->p_proto;
+ put_value(ptr, &proto, sizeof(proto), is_list);
return true;
}
- proto->protocol = strtoul(val, NULL, 10);
- return (errno != ERANGE && errno != EINVAL);
+ proto.protocol = strtoul(val, &e, 10);
+
+ if ((e == val) || (*e != 0))
+ return false;
+
+ put_value(ptr, &proto, sizeof(proto), is_list);
+ return true;
}
bool
-fw3_parse_ipset_method(void *ptr, const char *val)
+fw3_parse_ipset_method(void *ptr, const char *val, bool is_list)
{
- if (!strncmp(val, "bitmap", strlen(val)))
- {
- *((enum fw3_ipset_method *)ptr) = FW3_IPSET_METHOD_BITMAP;
- return true;
- }
- else if (!strncmp(val, "hash", strlen(val)))
- {
- *((enum fw3_ipset_method *)ptr) = FW3_IPSET_METHOD_HASH;
- return true;
- }
- else if (!strncmp(val, "list", strlen(val)))
- {
- *((enum fw3_ipset_method *)ptr) = FW3_IPSET_METHOD_LIST;
- return true;
- }
-
- return false;
+ return parse_enum(ptr, val, &fw3_ipset_method_names[FW3_IPSET_METHOD_BITMAP],
+ FW3_IPSET_METHOD_BITMAP, FW3_IPSET_METHOD_LIST);
}
bool
-fw3_parse_ipset_datatype(void *ptr, const char *val)
+fw3_parse_ipset_datatype(void *ptr, const char *val, bool is_list)
{
- struct fw3_ipset_datatype *type = ptr;
+ struct fw3_ipset_datatype type = { };
+
+ type.dir = "src";
if (!strncmp(val, "dest_", 5))
{
val += 5;
- type->dest = true;
+ type.dir = "dst";
}
else if (!strncmp(val, "dst_", 4))
{
val += 4;
- type->dest = true;
+ type.dir = "dst";
}
else if (!strncmp(val, "src_", 4))
{
val += 4;
- type->dest = false;
+ type.dir = "src";
}
- if (!strncmp(val, "ip", strlen(val)))
+ if (parse_enum(&type.type, val, &fw3_ipset_type_names[FW3_IPSET_TYPE_IP],
+ FW3_IPSET_TYPE_IP, FW3_IPSET_TYPE_SET))
{
- type->type = FW3_IPSET_TYPE_IP;
- return true;
- }
- else if (!strncmp(val, "port", strlen(val)))
- {
- type->type = FW3_IPSET_TYPE_PORT;
- return true;
- }
- else if (!strncmp(val, "mac", strlen(val)))
- {
- type->type = FW3_IPSET_TYPE_MAC;
- return true;
- }
- else if (!strncmp(val, "net", strlen(val)))
- {
- type->type = FW3_IPSET_TYPE_NET;
- return true;
- }
- else if (!strncmp(val, "set", strlen(val)))
- {
- type->type = FW3_IPSET_TYPE_SET;
+ put_value(ptr, &type, sizeof(type), is_list);
return true;
}
}
bool
-fw3_parse_date(void *ptr, const char *val)
+fw3_parse_date(void *ptr, const char *val, bool is_list)
{
unsigned int year = 1970, mon = 1, day = 1, hour = 0, min = 0, sec = 0;
struct tm tm = { 0 };
}
bool
-fw3_parse_time(void *ptr, const char *val)
+fw3_parse_time(void *ptr, const char *val, bool is_list)
{
unsigned int hour = 0, min = 0, sec = 0;
char *p;
}
bool
-fw3_parse_weekdays(void *ptr, const char *val)
+fw3_parse_weekdays(void *ptr, const char *val, bool is_list)
{
- unsigned int w;
- char *p;
+ unsigned int w = 0;
+ char *p, *s;
if (*val == '!')
{
- setbit(*(uint8_t *)ptr, 0);
+ fw3_setbit(*(uint8_t *)ptr, 0);
while (isspace(*++val));
}
- for (p = strtok((char *)val, " \t"); p; p = strtok(NULL, " \t"))
+ if (!(s = strdup(val)))
+ return false;
+
+ for (p = strtok(s, " \t"); p; p = strtok(NULL, " \t"))
{
- if (!strncasecmp(p, "monday", strlen(p)))
- w = 1;
- else if (!strncasecmp(p, "tuesday", strlen(p)))
- w = 2;
- else if (!strncasecmp(p, "wednesday", strlen(p)))
- w = 3;
- else if (!strncasecmp(p, "thursday", strlen(p)))
- w = 4;
- else if (!strncasecmp(p, "friday", strlen(p)))
- w = 5;
- else if (!strncasecmp(p, "saturday", strlen(p)))
- w = 6;
- else if (!strncasecmp(p, "sunday", strlen(p)))
- w = 7;
- else
+ if (!parse_enum(&w, p, weekdays, 1, 7))
{
w = strtoul(p, &p, 10);
if (*p || w < 1 || w > 7)
+ {
+ free(s);
return false;
+ }
}
- setbit(*(uint8_t *)ptr, w);
+ fw3_setbit(*(uint8_t *)ptr, w);
}
+ free(s);
return true;
}
bool
-fw3_parse_monthdays(void *ptr, const char *val)
+fw3_parse_monthdays(void *ptr, const char *val, bool is_list)
{
unsigned int d;
- char *p;
+ char *p, *s;
if (*val == '!')
{
- setbit(*(uint32_t *)ptr, 0);
+ fw3_setbit(*(uint32_t *)ptr, 0);
while (isspace(*++val));
}
- for (p = strtok((char *)val, " \t"); p; p = strtok(NULL, " \t"))
+ if (!(s = strdup(val)))
+ return false;
+
+ for (p = strtok(s, " \t"); p; p = strtok(NULL, " \t"))
{
d = strtoul(p, &p, 10);
if (*p || d < 1 || d > 31)
+ {
+ free(s);
+ return false;
+ }
+
+ fw3_setbit(*(uint32_t *)ptr, d);
+ }
+
+ free(s);
+ return true;
+}
+
+bool
+fw3_parse_include_type(void *ptr, const char *val, bool is_list)
+{
+ return parse_enum(ptr, val, include_types,
+ FW3_INC_TYPE_SCRIPT, FW3_INC_TYPE_RESTORE);
+}
+
+bool
+fw3_parse_reflection_source(void *ptr, const char *val, bool is_list)
+{
+ return parse_enum(ptr, val, reflection_sources,
+ FW3_REFLECTION_INTERNAL, FW3_REFLECTION_EXTERNAL);
+}
+
+bool
+fw3_parse_mark(void *ptr, const char *val, bool is_list)
+{
+ uint32_t n;
+ char *s, *e;
+ struct fw3_mark *m = ptr;
+
+ if (*val == '!')
+ {
+ m->invert = true;
+ while (isspace(*++val));
+ }
+
+ if ((s = strchr(val, '/')) != NULL)
+ *s++ = 0;
+
+ n = strtoul(val, &e, 0);
+
+ if (e == val || *e)
+ return false;
+
+ m->mark = n;
+ m->mask = 0xFFFFFFFF;
+
+ if (s)
+ {
+ n = strtoul(s, &e, 0);
+
+ if (e == s || *e)
return false;
- setbit(*(uint32_t *)ptr, d);
+ m->mask = n;
+ }
+
+ m->set = true;
+ return true;
+}
+
+bool
+fw3_parse_setmatch(void *ptr, const char *val, bool is_list)
+{
+ struct fw3_setmatch *m = ptr;
+ char *p, *s;
+ int i;
+
+ if (*val == '!')
+ {
+ m->invert = true;
+ while (isspace(*++val));
+ }
+
+ if (!(s = strdup(val)))
+ return false;
+
+ if (!(p = strtok(s, " \t")))
+ {
+ free(s);
+ return false;
+ }
+
+ strncpy(m->name, p, sizeof(m->name));
+
+ for (i = 0, p = strtok(NULL, " \t,");
+ i < 3 && p != NULL;
+ i++, p = strtok(NULL, " \t,"))
+ {
+ if (!strncmp(p, "dest", 4) || !strncmp(p, "dst", 3))
+ m->dir[i] = "dst";
+ else if (!strncmp(p, "src", 3))
+ m->dir[i] = "src";
}
+ free(s);
+
+ m->set = true;
return true;
}
+bool
+fw3_parse_direction(void *ptr, const char *val, bool is_list)
+{
+ bool *is_out = ptr;
+ bool valid = true;
-void
+ if (!strcmp(val, "in") || !strcmp(val, "ingress"))
+ *is_out = false;
+ else if (!strcmp(val, "out") || !strcmp(val, "egress"))
+ *is_out = true;
+ else
+ valid = false;
+
+ return valid;
+}
+
+
+bool
fw3_parse_options(void *s, const struct fw3_option *opts,
struct uci_section *section)
{
- char *p;
+ char *p, *v;
bool known;
struct uci_element *e, *l;
struct uci_option *o;
const struct fw3_option *opt;
- struct list_head *item;
struct list_head *dest;
+ bool valid = true;
uci_foreach_element(§ion->options, e)
{
if (!opt->elem_size)
{
warn_elem(e, "must not be a list");
+ valid = false;
}
else
{
+ dest = (struct list_head *)((char *)s + opt->offset);
+
uci_foreach_element(&o->v.list, l)
{
if (!l->name)
continue;
- item = malloc(opt->elem_size);
-
- if (!item)
- continue;
-
- memset(item, 0, opt->elem_size);
-
- if (!opt->parse(item, l->name))
+ if (!opt->parse(dest, l->name, true))
{
warn_elem(e, "has invalid value '%s'", l->name);
- free(item);
+ valid = false;
continue;
}
-
- dest = (struct list_head *)((char *)s + opt->offset);
- list_add_tail(item, dest);
}
}
}
else
{
- if (!o->v.string)
+ v = o->v.string;
+
+ if (!v)
continue;
if (!opt->elem_size)
{
- if (!opt->parse((char *)s + opt->offset, o->v.string))
+ if (!opt->parse((char *)s + opt->offset, o->v.string, false))
+ {
warn_elem(e, "has invalid value '%s'", o->v.string);
+ valid = false;
+ }
}
else
{
- for (p = strtok(o->v.string, " \t");
- p != NULL;
- p = strtok(NULL, " \t"))
- {
- item = malloc(opt->elem_size);
-
- if (!item)
- continue;
+ dest = (struct list_head *)((char *)s + opt->offset);
- memset(item, 0, opt->elem_size);
-
- if (!opt->parse(item, p))
+ for (p = strtok(v, " \t"); p != NULL; p = strtok(NULL, " \t"))
+ {
+ if (!opt->parse(dest, p, true))
{
warn_elem(e, "has invalid value '%s'", p);
- free(item);
+ valid = false;
continue;
}
-
- dest = (struct list_head *)((char *)s + opt->offset);
- list_add_tail(item, dest);
}
}
}
if (!known)
warn_elem(e, "is unknown");
}
-}
-
-
-void
-fw3_format_in_out(struct fw3_device *in, struct fw3_device *out)
-{
- if (in && !in->any)
- fw3_pr(" %s-i %s", in->invert ? "! " : "", in->name);
- if (out && !out->any)
- fw3_pr(" %s-o %s", out->invert ? "! " : "", out->name);
+ return valid;
}
-void
-fw3_format_src_dest(struct fw3_address *src, struct fw3_address *dest)
-{
- char s[INET6_ADDRSTRLEN];
-
- if ((src && src->range) || (dest && dest->range))
- fw3_pr(" -m iprange");
-
- if (src && src->set)
- {
- if (src->range)
- {
- inet_ntop(src->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
- &src->address.v4, s, sizeof(s));
-
- fw3_pr(" %s--src-range %s", src->invert ? "! " : "", s);
- inet_ntop(src->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
- &src->address2.v4, s, sizeof(s));
-
- fw3_pr("-%s", s);
- }
- else
- {
- inet_ntop(src->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
- &src->address.v4, s, sizeof(s));
-
- fw3_pr(" %s-s %s/%u", src->invert ? "! " : "", s, src->mask);
- }
- }
+bool
+fw3_parse_blob_options(void *s, const struct fw3_option *opts,
+ struct blob_attr *a, const char *name)
+{
+ char *p, *v, buf[16];
+ bool known;
+ unsigned rem, erem;
+ struct blob_attr *o, *e;
+ const struct fw3_option *opt;
+ struct list_head *dest;
+ bool valid = true;
- if (dest && dest->set)
+ blobmsg_for_each_attr(o, a, rem)
{
- if (dest->range)
- {
- inet_ntop(dest->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
- &dest->address.v4, s, sizeof(s));
-
- fw3_pr(" %s--dst-range %s", dest->invert ? "! " : "", s);
-
- inet_ntop(dest->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
- &dest->address2.v4, s, sizeof(s));
+ known = false;
- fw3_pr("-%s", s);
- }
- else
+ for (opt = opts; opt->name; opt++)
{
- inet_ntop(dest->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
- &dest->address.v4, s, sizeof(s));
-
- fw3_pr(" %s-d %s/%u", dest->invert ? "! " : "", s, dest->mask);
- }
- }
-}
-
-void
-fw3_format_sport_dport(struct fw3_port *sp, struct fw3_port *dp)
-{
- if (sp && sp->set)
- {
- if (sp->port_min == sp->port_max)
- fw3_pr(" %s--sport %u", sp->invert ? "! " : "", sp->port_min);
- else
- fw3_pr(" %s--sport %u:%u",
- sp->invert ? "! " : "", sp->port_min, sp->port_max);
- }
+ if (!opt->parse)
+ continue;
- if (dp && dp->set)
- {
- if (dp->port_min == dp->port_max)
- fw3_pr(" %s--dport %u", dp->invert ? "! " : "", dp->port_min);
- else
- fw3_pr(" %s--dport %u:%u",
- dp->invert ? "! " : "", dp->port_min, dp->port_max);
- }
-}
+ if (strcmp(opt->name, blobmsg_name(o)))
+ continue;
-void
-fw3_format_mac(struct fw3_mac *mac)
-{
- if (!mac)
- return;
+ if (blobmsg_type(o) == BLOBMSG_TYPE_ARRAY)
+ {
+ if (!opt->elem_size)
+ {
+ fprintf(stderr, "%s: '%s' must not be a list\n",
+ name, opt->name);
- fw3_pr(" -m mac %s--mac-source %s",
- mac->invert ? "! " : "", ether_ntoa(&mac->mac));
-}
+ valid = false;
+ }
+ else
+ {
+ dest = (struct list_head *)((char *)s + opt->offset);
-void
-fw3_format_protocol(struct fw3_protocol *proto, enum fw3_family family)
-{
- uint16_t pr;
+ blobmsg_for_each_attr(e, o, erem)
+ {
+ if (blobmsg_type(e) == BLOBMSG_TYPE_INT32) {
+ snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(e));
+ v = buf;
+ } else {
+ v = blobmsg_get_string(e);
+ }
- if (!proto)
- return;
+ if (!opt->parse(dest, v, true))
+ {
+ fprintf(stderr, "%s: '%s' has invalid value '%s'\n",
+ name, opt->name, v);
+ valid = false;
+ continue;
+ }
+ }
+ }
+ }
+ else
+ {
+ if (blobmsg_type(o) == BLOBMSG_TYPE_INT32) {
+ snprintf(buf, sizeof(buf), "%d", blobmsg_get_u32(o));
+ v = buf;
+ } else {
+ v = blobmsg_get_string(o);
+ }
- pr = proto->protocol;
+ if (!v)
+ continue;
- if (pr == 1 && family == FW3_FAMILY_V6)
- pr = 58;
+ if (!opt->elem_size)
+ {
+ if (!opt->parse((char *)s + opt->offset, v, false))
+ {
+ fprintf(stderr, "%s: '%s' has invalid value '%s'\n",
+ name, opt->name, v);
+ valid = false;
+ }
+ }
+ else
+ {
+ dest = (struct list_head *)((char *)s + opt->offset);
- if (proto->any)
- fw3_pr(" -p all");
- else
- fw3_pr(" %s-p %u", proto->invert ? "! " : "", pr);
-}
+ for (p = strtok(v, " \t"); p != NULL; p = strtok(NULL, " \t"))
+ {
+ if (!opt->parse(dest, p, true))
+ {
+ fprintf(stderr, "%s: '%s' has invalid value '%s'\n",
+ name, opt->name, p);
+ valid = false;
+ continue;
+ }
+ }
+ }
+ }
-void
-fw3_format_icmptype(struct fw3_icmptype *icmp, enum fw3_family family)
-{
- if (!icmp)
- return;
+ known = true;
+ break;
+ }
- if (family != FW3_FAMILY_V6)
- {
- if (icmp->code_min == 0 && icmp->code_max == 0xFF)
- fw3_pr(" %s--icmp-type %u", icmp->invert ? "! " : "", icmp->type);
- else
- fw3_pr(" %s--icmp-type %u/%u",
- icmp->invert ? "! " : "", icmp->type, icmp->code_min);
- }
- else
- {
- if (icmp->code6_min == 0 && icmp->code6_max == 0xFF)
- fw3_pr(" %s--icmpv6-type %u", icmp->invert ? "! " : "", icmp->type6);
- else
- fw3_pr(" %s--icmpv6-type %u/%u",
- icmp->invert ? "! " : "", icmp->type6, icmp->code6_min);
+ if (!known && strcmp(blobmsg_name(o), "type"))
+ fprintf(stderr, "%s: '%s' is unknown\n", name, blobmsg_name(o));
}
-}
-void
-fw3_format_limit(struct fw3_limit *limit)
-{
- if (!limit)
- return;
-
- const char *units[] = {
- [FW3_LIMIT_UNIT_SECOND] = "second",
- [FW3_LIMIT_UNIT_MINUTE] = "minute",
- [FW3_LIMIT_UNIT_HOUR] = "hour",
- [FW3_LIMIT_UNIT_DAY] = "day",
- };
-
- if (limit->rate > 0)
- {
- fw3_pr(" -m limit %s--limit %u/%s",
- limit->invert ? "! " : "", limit->rate, units[limit->unit]);
-
- if (limit->burst > 0)
- fw3_pr(" --limit-burst %u", limit->burst);
- }
+ return valid;
}
-void
-fw3_format_ipset(struct fw3_ipset *ipset, bool invert)
-{
- bool first = true;
- const char *name = NULL;
- struct fw3_ipset_datatype *type;
-
- if (!ipset)
- return;
-
- if (ipset->external && *ipset->external)
- name = ipset->external;
- else
- name = ipset->name;
- fw3_pr(" -m set %s--match-set %s", invert ? "! " : "", name);
-
- list_for_each_entry(type, &ipset->datatypes, list)
- {
- fw3_pr("%c%s", first ? ' ' : ',', type->dest ? "dst" : "src");
- first = false;
- }
-}
-
-void
-fw3_format_time(struct fw3_time *time)
+const char *
+fw3_address_to_string(struct fw3_address *address, bool allow_invert, bool as_cidr)
{
- int i;
- struct tm empty = { 0 };
- char buf[sizeof("9999-99-99T23:59:59\0")];
- bool d1 = memcmp(&time->datestart, &empty, sizeof(empty));
- bool d2 = memcmp(&time->datestop, &empty, sizeof(empty));
- bool first;
-
- if (!d1 && !d2 && !time->timestart && !time->timestop &&
- !(time->monthdays & 0xFFFFFFFE) && !(time->weekdays & 0xFE))
- {
- return;
- }
+ char *p, ip[INET6_ADDRSTRLEN];
+ static char buf[INET6_ADDRSTRLEN * 2 + 2];
- fw3_pr(" -m time");
+ p = buf;
- if (time->utc)
- fw3_pr(" --utc");
+ if (address->invert && allow_invert)
+ p += sprintf(p, "!");
- if (d1)
- {
- strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%S", &time->datestart);
- fw3_pr(" --datestart %s", buf);
- }
+ inet_ntop(address->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
+ &address->address.v4, ip, sizeof(ip));
- if (d2)
- {
- strftime(buf, sizeof(buf), "%Y-%m-%dT%H:%M:%S", &time->datestop);
- fw3_pr(" --datestop %s", buf);
- }
+ p += sprintf(p, "%s", ip);
- if (time->timestart)
+ if (address->range)
{
- fw3_pr(" --timestart %02d:%02d:%02d",
- time->timestart / 3600,
- time->timestart % 3600 / 60,
- time->timestart % 60);
- }
+ inet_ntop(address->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
+ &address->mask.v4, ip, sizeof(ip));
- if (time->timestop)
- {
- fw3_pr(" --timestop %02d:%02d:%02d",
- time->timestop / 3600,
- time->timestop % 3600 / 60,
- time->timestop % 60);
+ p += sprintf(p, "-%s", ip);
}
-
- if (time->monthdays & 0xFFFFFFFE)
+ else if (!as_cidr)
{
- fw3_pr(" %s--monthdays", hasbit(time->monthdays, 0) ? "! " : "");
+ inet_ntop(address->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6,
+ &address->mask.v4, ip, sizeof(ip));
- for (i = 1, first = true; i < 32; i++)
- {
- if (hasbit(time->monthdays, i))
- {
- fw3_pr("%c%u", first ? ' ' : ',', i);
- first = false;
- }
- }
+ p += sprintf(p, "/%s", ip);
}
-
- if (time->weekdays & 0xFE)
- {
- fw3_pr(" %s--weekdays", hasbit(time->weekdays, 0) ? "! " : "");
-
- for (i = 1, first = true; i < 8; i++)
- {
- if (hasbit(time->weekdays, i))
- {
- fw3_pr("%c%u", first ? ' ' : ',', i);
- first = false;
- }
- }
- }
-}
-
-void
-__fw3_format_comment(const char *comment, ...)
-{
- va_list ap;
- int len = 0;
- const char *c;
-
- if (!comment || !*comment)
- return;
-
- fw3_pr(" -m comment --comment \"");
-
- c = comment;
-
- va_start(ap, comment);
-
- do
+ else
{
- while (*c)
- {
- switch (*c)
- {
- case '"':
- case '$':
- case '`':
- case '\\':
- fw3_pr("\\");
- /* fall through */
-
- default:
- fw3_pr("%c", *c);
- break;
- }
-
- c++;
-
- if (len++ >= 255)
- goto end;
- }
-
- c = va_arg(ap, const char *);
+ p += sprintf(p, "/%u", fw3_netmask2bitlen(address->family,
+ &address->mask.v6));
}
- while (c);
-
-end:
- va_end(ap);
- fw3_pr("\"");
-}
-
-void
-fw3_format_extra(const char *extra)
-{
- if (!extra || !*extra)
- return;
- fw3_pr(" %s", extra);
+ return buf;
}