let NO_INVERT = 0x04;
let UNSUPPORTED = 0x08;
let REQUIRED = 0x10;
+let DEPRECATED = 0x20;
let ipv4_icmptypes = {
"any": [ 0xFF, 0, 0xFF ],
"CS6": 0x30,
"CS7": 0x38,
"BE": 0x00,
+ "LE": 0x01,
"AF11": 0x0a,
"AF12": 0x0c,
"AF13": 0x0e,
return length(rv) ? rv : null;
}
+function null_if_empty(x) {
+ return length(x) ? x : null;
+}
+
function subnets_split_af(x) {
let rv = [];
return rv;
}
+function subnets_group_by_masking(x) {
+ let groups = [], plain = [], nc = [], invert_plain = [], invert_masked = [];
+
+ for (let a in to_array(x)) {
+ if (a.bits == -1 && !a.invert)
+ push(nc, a);
+ else if (!a.invert)
+ push(plain, a);
+ else if (a.bits == -1)
+ push(invert_masked, a);
+ else
+ push(invert_plain, a);
+ }
+
+ for (let a in nc)
+ push(groups, [ null, null_if_empty(invert_plain), [ a, ...invert_masked ] ]);
+
+ if (length(plain)) {
+ push(groups, [
+ plain,
+ null_if_empty(invert_plain),
+ null_if_empty(invert_masked)
+ ]);
+ }
+ else if (!length(groups)) {
+ push(groups, [
+ null,
+ null_if_empty(invert_plain),
+ null_if_empty(invert_masked)
+ ]);
+ }
+
+ return groups;
+}
+
function ensure_tcpudp(x) {
if (length(filter(x, p => (p.name == "tcp" || p.name == "udp"))))
return true;
return false;
}
-let is_family = (x, v) => (x.family == 0 || x.family == v);
-let family_is_ipv4 = (x) => (x.family == 0 || x.family == 4);
-let family_is_ipv6 = (x) => (x.family == 0 || x.family == 6);
+let is_family = (x, v) => (!x.family || x.family == v);
+let family_is_ipv4 = (x) => (!x.family || x.family == 4);
+let family_is_ipv6 = (x) => (!x.family || x.family == 6);
function infer_family(f, objects) {
let res = f;
desc = objects[i + 1];
for (let obj in objs) {
- if (!obj || obj.family == 0 || obj.family == res)
+ if (!obj || !obj.family || obj.family == res)
continue;
if (res == 0) {
return fields;
}
+function resolve_lower_devices(devstatus, devname) {
+ let dir = fs.opendir("/sys/class/net/" + devname);
+ let devs = [];
+
+ if (dir) {
+ if (!devstatus || devstatus[devname]?.["hw-tc-offload"]) {
+ push(devs, devname);
+ }
+ else {
+ let e;
+
+ while ((e = dir.read()) != null)
+ if (index(e, "lower_") === 0)
+ push(devs, ...resolve_lower_devices(devstatus, substr(e, 6)));
+ }
+
+ dir.close();
+ }
+
+ return devs;
+}
+
+function nft_json_command(...args) {
+ let cmd = [ "/usr/sbin/nft", "--terse", "--json", ...args ];
+ let nft = fs.popen(join(" ", cmd), "r");
+ let info;
+
+ if (nft) {
+ try {
+ info = filter(json(nft.read("all"))?.nftables,
+ item => (type(item) == "object" && !item.metainfo));
+ }
+ catch (e) {
+ warn(sprintf("Unable to parse nftables JSON output: %s\n", e));
+ }
+
+ nft.close();
+ }
+ else {
+ warn(sprintf("Unable to popen() %s: %s\n", cmd, fs.error()));
+ }
+
+ return info || [];
+}
+
+function nft_try_hw_offload(devices) {
+ let nft_test =
+ 'add table inet fw4-hw-offload-test; ' +
+ 'add flowtable inet fw4-hw-offload-test ft { ' +
+ 'hook ingress priority 0; ' +
+ 'devices = { "' + join('", "', devices) + '" }; ' +
+ 'flags offload; ' +
+ '}';
+
+ let rc = system(sprintf("/usr/sbin/nft -c '%s' 2>/dev/null", replace(nft_test, "'", "'\\''")));
+
+ return (rc == 0);
+}
+
return {
read_kernel_version: function() {
return v;
},
+ resolve_offload_devices: function() {
+ if (!this.default_option("flow_offloading"))
+ return [];
+
+ let devstatus = null;
+ let devices = [];
+
+ if (this.default_option("flow_offloading_hw")) {
+ let bus = ubus.connect();
+
+ if (bus) {
+ devstatus = bus.call("network.device", "status") || {};
+ bus.disconnect();
+ }
+
+ for (let zone in this.zones())
+ for (let device in zone.match_devices)
+ push(devices, ...resolve_lower_devices(devstatus, device));
+
+ devices = uniq(devices);
+
+ if (nft_try_hw_offload(devices))
+ return devices;
+
+ this.warn('Hardware flow offloading unavailable, falling back to software offloading');
+ this.state.defaults.flow_offloading_hw = false;
+ }
+
+ devices = [];
+
+ for (let zone in this.zones())
+ for (let device in zone.match_devices)
+ push(devices, ...resolve_lower_devices(null, device));
+
+ return uniq(devices);
+ },
+
+ check_set_types: function() {
+ let sets = {};
+
+ for (let item in nft_json_command("list", "sets", "inet"))
+ if (item.set?.table == "fw4")
+ sets[item.set.name] = (type(item.set.type) == "array") ? item.set.type : [ item.set.type ];
+
+ return sets;
+ },
+
+ check_flowtable: function() {
+ for (let item in nft_json_command("list", "flowtables", "inet"))
+ if (item.flowtable?.table == "fw4" && item.flowtable?.name == "ft")
+ return true;
+
+ return false;
+ },
+
read_state: function() {
let fd = fs.open(STATEFILE, "r");
let state = null;
for (let ifc in ifaces.interface) {
let net = {
up: ifc.up,
- device: ifc.l3_device
+ device: ifc.l3_device,
+ zone: ifc.data?.zone
};
if (type(ifc["ipv4-address"]) == "array") {
//
- // Build list of forwardings
+ // Build list of rules
//
- this.cursor.foreach("firewall", "forwarding", f => self.parse_forwarding(f));
+ map(filter(this.state.ubus_rules, r => (r.type == "rule")), r => self.parse_rule(r));
+ this.cursor.foreach("firewall", "rule", r => self.parse_rule(r));
//
- // Build list of rules
+ // Build list of forwardings
//
- map(filter(this.state.ubus_rules, r => (r.type == "rule")), r => self.parse_rule(r));
- this.cursor.foreach("firewall", "rule", r => self.parse_rule(r));
+ this.cursor.foreach("firewall", "forwarding", f => self.parse_forwarding(f));
//
}
if (res != null) {
- if (flags & UNSUPPORTED)
+ if (flags & DEPRECATED)
+ this.warn_section(s, "option '" + key + "' is deprecated by fw4");
+ else if (flags & UNSUPPORTED)
this.warn_section(s, "option '" + key + "' is not supported by fw4");
else
rv[key] = res;
for (let opt in s) {
if (index(opt, '.') != 0 && opt != 'type' && !exists(spec, opt)) {
this.warn_section(s, "specifies unknown option '" + opt + "'");
- return false;
}
}
b = to_bits(parts[1]);
- if (b == null)
- return null;
+ /* allow non-contiguous masks such as `::ffff:ffff:ffff:ffff` */
+ if (b == null) {
+ b = -1;
+
+ for (let i, x in m)
+ a[i] &= x;
+ }
m = arrtoip(m);
}
let nets = this.parse_subnet(rv.val);
if (nets === null)
- return false;
+ return null;
if (length(nets))
rv.addrs = [ ...nets ];
rv.dscp = dscp_classes[rv.val];
}
else {
- let n = +val;
+ let n = +rv.val;
if (n != n || n < 0 || n > 0x3F)
return null;
for (let i, t in set.types) {
switch (t) {
case 'ipv4_addr':
- ip = iptoarr(values[i]);
+ ip = filter(this.parse_subnet(values[i]), a => (a.family == 4));
- if (length(ip) != 4)
- return null;
+ switch (length(ip)) {
+ case 0: return null;
+ case 1: break;
+ default: this.warn("Set entry '%s' resolves to multiple addresses, using first one", values[i]);
+ }
- rv[i] = arrtoip(ip);
+ rv[i] = ("net" in set.fw4types) ? ip[0].addr + "/" + ip[0].bits : ip[0].addr;
break;
case 'ipv6_addr':
- ip = iptoarr(values[i]);
+ ip = filter(this.parse_subnet(values[i]), a => (a.family == 6));
- if (length(ip) != 16)
- return null;
+ switch(length(ip)) {
+ case 0: return null;
+ case 1: break;
+ case 2: this.warn("Set entry '%s' resolves to multiple addresses, using first one", values[i]);
+ }
+
+ rv[i] = ("net" in set.fw4types) ? ip[0].addr + "/" + ip[0].bits : ip[0].addr;
- rv[i] = arrtoip(ip);
break;
case 'ether_addr':
},
quote: function(s, force) {
- if (force === true || !match(s, /^([0-9A-Fa-f:.\/]+)( \. [0-9A-Fa-f:.\/]+)*$/))
+ if (force === true || !match(s, /^([0-9A-Fa-f:.\/-]+)( \. [0-9A-Fa-f:.\/-]+)*$/))
return sprintf('"%s"', replace(s + "", /(["\\])/g, '\\$1'));
return s;
(a.family == 6 && a.bits == 128))
return a.addr;
- return sprintf("%s/%d", apply_mask(a.addr, a.bits), a.bits);
+ if (a.bits >= 0)
+ return sprintf("%s/%d", apply_mask(a.addr, a.bits), a.bits);
+
+ return sprintf("%s/%s", a.addr, a.mask);
},
host: function(a) {
},
set: function(v, force) {
- v = to_array(v);
+ let seen = {};
+
+ v = filter(to_array(v), item => !seen[item]++);
if (force || length(v) != 1)
return sprintf('{ %s }', join(', ', map(v, this.quote)));
},
filter_loopback_devs: function(devs, invert) {
- let self = this;
- return filter(devs, d => (self.is_loopback_dev(d) == invert));
+ return null_if_empty(filter(devs, d => (this.is_loopback_dev(d) == invert)));
},
filter_loopback_addrs: function(addrs, invert) {
- let self = this;
- return filter(addrs, a => (self.is_loopback_addr(a) == invert));
+ return null_if_empty(filter(addrs, a => (this.is_loopback_addr(a) == invert)));
},
auto_helper: [ "bool", "1" ],
custom_chains: [ "bool", null, UNSUPPORTED ],
disable_ipv6: [ "bool", null, UNSUPPORTED ],
- flow_offloading: [ "bool", null, UNSUPPORTED ],
- flow_offloading_hw: [ "bool", null, UNSUPPORTED ]
+ flow_offloading: [ "bool", "0" ],
+ flow_offloading_hw: [ "bool", "0" ]
});
- if (defs === false) {
- this.warn_section(data, "skipped due to invalid options");
- return;
- }
-
if (defs.synflood_protect === null)
defs.synflood_protect = defs.syn_flood;
- delete(defs, "syn_flood");
+ delete defs.syn_flood;
this.state.defaults = defs;
},
masq_src: [ "network", null, PARSE_LIST ],
masq_dest: [ "network", null, PARSE_LIST ],
+ masq6: [ "bool" ],
+
extra: [ "string", null, UNSUPPORTED ],
extra_src: [ "string", null, UNSUPPORTED ],
extra_dest: [ "string", null, UNSUPPORTED ],
let match_devices = [];
let related_subnets = [];
+ let related_ubus_networks = [];
let match_subnets, masq_src_subnets, masq_dest_subnets;
- for (let e in to_array(zone.network)) {
+ for (let name, net in this.state.networks) {
+ if (net.zone === zone.name)
+ push(related_ubus_networks, { invert: false, device: name });
+ }
+
+ for (let e in [ ...to_array(zone.network), ...related_ubus_networks ]) {
if (exists(this.state.networks, e.device)) {
let net = this.state.networks[e.device];
r.family = family;
- r.devices_pos = map(filter_pos(devices), d => d.device);
- r.devices_neg = map(filter_neg(devices), d => d.device);
+ r.devices_pos = null_if_empty(devices[0]);
+ r.devices_neg = null_if_empty(devices[1]);
+ r.devices_neg_wildcard = null_if_empty(devices[2]);
- r.subnets_pos = map(filter_pos(subnets), this.cidr);
- r.subnets_neg = map(filter_neg(subnets), this.cidr);
+ r.subnets_pos = map(subnets[0], this.cidr);
+ r.subnets_neg = map(subnets[1], this.cidr);
+ r.subnets_masked = subnets[2];
push(match_rules, r);
};
zone.helper, "ct helper"
]);
- // check if there's no AF specific bits, in this case we can do AF agnostic matching
- if (!family && length(match_devices) && !length(match_subnets[0]) && !length(match_subnets[1])) {
- add_rule(0, match_devices, null, zone);
- }
+ // group non-inverted device matches into wildcard and non-wildcard ones
+ let devices = [], plain_devices = [], plain_invert_devices = [], wildcard_invert_devices = [];
- // we need to emit one or two AF specific rules
- else {
- if (family_is_ipv4(zone) && (length(match_devices) || length(match_subnets[0])))
- add_rule(4, match_devices, match_subnets[0], zone);
+ for (let device in match_devices) {
+ let m = match(device.device, /^([^+]*)(\+)?$/);
- if (family_is_ipv6(zone) && (length(match_devices) || length(match_subnets[1])))
- add_rule(6, match_devices, match_subnets[1], zone);
- }
+ if (!m) {
+ this.warn_section(data, "skipping invalid wildcard pattern '" + device.device + '"');
+ continue;
+ }
- zone.match_rules = match_rules;
+ // filter `+` (match any device) since nftables does not support
+ // wildcard only matches
+ if (!device.invert && m[0] == '+')
+ continue;
- if (masq_src_subnets[0]) {
- zone.masq4_src_pos = map(filter_pos(masq_src_subnets[0]), this.cidr);
- zone.masq4_src_neg = map(filter_neg(masq_src_subnets[0]), this.cidr);
- }
+ // replace inverted `+` (match no device) with invalid pattern
+ if (device.invert && m[0] == '+') {
+ device.device = '/never/';
+ device.invert = false;
+ }
- if (masq_src_subnets[1]) {
- zone.masq6_src_pos = map(filter_pos(masq_src_subnets[1]), this.cidr);
- zone.masq6_src_neg = map(filter_neg(masq_src_subnets[1]), this.cidr);
- }
+ // replace "name+" matches with "name*"
+ else if (m[2] == '+')
+ device.device = m[1] + '*';
- if (masq_dest_subnets[0]) {
- zone.masq4_dest_pos = map(filter_pos(masq_dest_subnets[0]), this.cidr);
- zone.masq4_dest_neg = map(filter_neg(masq_dest_subnets[0]), this.cidr);
+ device.wildcard = !!m[2];
+
+ if (!device.invert && device.wildcard)
+ push(devices, [ [ device.device ], plain_invert_devices, wildcard_invert_devices ]);
+ else if (!device.invert)
+ push(plain_devices, device.device);
+ else if (device.wildcard)
+ push(wildcard_invert_devices, device.device);
+ else
+ push(plain_invert_devices, device.device);
}
- if (masq_dest_subnets[1]) {
- zone.masq6_dest_pos = map(filter_pos(masq_dest_subnets[1]), this.cidr);
- zone.masq6_dest_neg = map(filter_neg(masq_dest_subnets[1]), this.cidr);
+ if (length(plain_devices))
+ push(devices, [
+ plain_devices,
+ plain_invert_devices,
+ wildcard_invert_devices
+ ]);
+ else if (!length(devices))
+ push(devices, [
+ null,
+ plain_invert_devices,
+ wildcard_invert_devices
+ ]);
+
+ // emit zone jump rules for each device group
+ if (length(match_devices) || length(match_subnets[0]) || length(match_subnets[1])) {
+ for (let devgroup in devices) {
+ // check if there's no AF specific bits, in this case we can do AF agnostic matching
+ if (!family && !length(match_subnets[0]) && !length(match_subnets[1])) {
+ add_rule(0, devgroup, [], zone);
+ }
+
+ // we need to emit one or two AF specific rules
+ else {
+ if (family_is_ipv4(zone) && length(match_subnets[0]))
+ for (let subnets in subnets_group_by_masking(match_subnets[0]))
+ add_rule(4, devgroup, subnets, zone);
+
+ if (family_is_ipv6(zone) && length(match_subnets[1]))
+ for (let subnets in subnets_group_by_masking(match_subnets[1]))
+ add_rule(6, devgroup, subnets, zone);
+ }
+ }
}
+ zone.match_rules = match_rules;
+
+ zone.masq4_src_subnets = subnets_group_by_masking(masq_src_subnets[0]);
+ zone.masq4_dest_subnets = subnets_group_by_masking(masq_dest_subnets[0]);
+
+ zone.masq6_src_subnets = subnets_group_by_masking(masq_src_subnets[1]);
+ zone.masq6_dest_subnets = subnets_group_by_masking(masq_dest_subnets[1]);
+
zone.sflags = {};
zone.sflags[zone.input] = true;
zone.dflags[zone.forward] = true;
zone.match_devices = map(filter(match_devices, d => !d.invert), d => d.device);
- zone.match_subnets = map(filter(related_subnets, s => !s.invert), this.cidr);
+ zone.match_subnets = map(filter(related_subnets, s => !s.invert && s.bits != -1), this.cidr);
zone.related_subnets = related_subnets;
let f1 = fwd.src.zone ? fwd.src.zone.family : 0;
let f2 = fwd.dest.zone ? fwd.dest.zone.family : 0;
- if (f1 != 0 && f2 != 0 && f1 != f2) {
+ if (f1 && f2 && f1 != f2) {
this.warn_section(data,
- sprintf("references src %s restricted to %s and dest restricted to %s, ignoring forwarding",
+ sprintf("references src %s restricted to %s and dest %s restricted to %s, ignoring forwarding",
fwd.src.zone.name, this.nfproto(f1, true),
fwd.dest.zone.name, this.nfproto(f2, true)));
enabled: [ "bool", "1" ],
name: [ "string", this.section_id(data[".name"]) ],
+ _name: [ "string", null, DEPRECATED ],
family: [ "family" ],
src: [ "zone_ref" ],
this.warn_section(data, "must specify a source zone for target '" + rule.target + "'");
return;
}
- else if (rule.target in ["dscp", "mark"] && rule.dest) {
- this.warn_section(data, "must not specify option 'dest' for target '" + rule.target + "'");
- return;
- }
else if (rule.target == "dscp" && !rule.set_dscp) {
this.warn_section(data, "must specify option 'set_dscp' for target 'dscp'");
return;
family: family,
proto: proto,
- has_addrs: !!(length(saddrs) || length(daddrs)),
+ has_addrs: !!(saddrs[0] || saddrs[1] || saddrs[2] || daddrs[0] || daddrs[1] || daddrs[2]),
has_ports: !!(length(sports) || length(dports)),
- saddrs_pos: map(filter_pos(saddrs), this.cidr),
- saddrs_neg: map(filter_neg(saddrs), this.cidr),
- daddrs_pos: map(filter_pos(daddrs), this.cidr),
- daddrs_neg: map(filter_neg(daddrs), this.cidr),
+ saddrs_pos: map(saddrs[0], this.cidr),
+ saddrs_neg: map(saddrs[1], this.cidr),
+ saddrs_masked: saddrs[2],
+ daddrs_pos: map(daddrs[0], this.cidr),
+ daddrs_neg: map(daddrs[1], this.cidr),
+ daddrs_masked: daddrs[2],
sports_pos: map(filter_pos(sports), this.port),
sports_neg: map(filter_neg(sports), this.port),
dports_pos: map(filter_pos(dports), this.port),
};
if (!length(r.icmp_types))
- delete(r, "icmp_types");
+ delete r.icmp_types;
if (!length(r.icmp_codes))
- delete(r, "icmp_codes");
+ delete r.icmp_codes;
if (r.set_mark) {
r.set_xmark = {
mask: r.set_mark.mark | r.set_mark.mask
};
- delete(r, "set_mark");
+ delete r.set_mark;
}
let set_types = map_setmatch(ipset, rule.ipset, proto.name);
r.src.zone.dflags.helper = true;
}
else if (r.target == "mark" || r.target == "dscp") {
- if (r.src) {
+ if ((r.src?.any && r.dest?.any) || (r.src?.zone && r.dest?.zone))
+ r.chain = "mangle_forward";
+ else if (r.src?.any && r.dest?.zone)
+ r.chain = "mangle_postrouting";
+ else if (r.src?.zone && r.dest?.any)
r.chain = "mangle_prerouting";
- r.src.zone.dflags[r.target] = true;
- }
- else {
+ else if (r.src && !r.dest)
+ r.chain = "mangle_input";
+ else
r.chain = "mangle_output";
- }
+
+ if (r.src?.zone)
+ r.src.zone.dflags[r.target] = true;
+
+ if (r.dest?.zone)
+ r.dest.zone.dflags[r.target] = true;
}
else {
r.chain = "output";
sip = subnets_split_af(rule.src_ip);
dip = subnets_split_af(rule.dest_ip);
- let has_ipv4_specifics = (length(sip[0]) || length(dip[0]) || length(itypes4));
- let has_ipv6_specifics = (length(sip[1]) || length(dip[1]) || length(itypes6));
+ let has_ipv4_specifics = (length(sip[0]) || length(dip[0]) || length(itypes4) || rule.dscp !== null);
+ let has_ipv6_specifics = (length(sip[1]) || length(dip[1]) || length(itypes6) || rule.dscp !== null);
/* if no family was configured, infer target family from IP addresses */
if (family === null) {
/* check if there's no AF specific bits, in this case we can do an AF agnostic rule */
if (!family && rule.target != "dscp" && !has_ipv4_specifics && !has_ipv6_specifics) {
- add_rule(0, proto, null, null, sports, dports, null, null, null, rule);
+ add_rule(0, proto, [], [], sports, dports, null, null, null, rule);
}
/* we need to emit one or two AF specific rules */
let icmp_types = filter(itypes4, i => (i.code_min == 0 && i.code_max == 0xFF));
let icmp_codes = filter(itypes4, i => (i.code_min != 0 || i.code_max != 0xFF));
- if (length(icmp_types) || (!length(icmp_types) && !length(icmp_codes)))
- add_rule(4, proto, sip[0], dip[0], sports, dports, icmp_types, null, ipset, rule);
+ for (let saddrs in subnets_group_by_masking(sip[0])) {
+ for (let daddrs in subnets_group_by_masking(dip[0])) {
+ if (length(icmp_types) || (!length(icmp_types) && !length(icmp_codes)))
+ add_rule(4, proto, saddrs, daddrs, sports, dports, icmp_types, null, ipset, rule);
- if (length(icmp_codes))
- add_rule(4, proto, sip[0], dip[0], sports, dports, null, icmp_codes, ipset, rule);
+ if (length(icmp_codes))
+ add_rule(4, proto, saddrs, daddrs, sports, dports, null, icmp_codes, ipset, rule);
+ }
+ }
}
if (family == 0 || family == 6) {
let icmp_types = filter(itypes6, i => (i.code_min == 0 && i.code_max == 0xFF));
let icmp_codes = filter(itypes6, i => (i.code_min != 0 || i.code_max != 0xFF));
- if (length(icmp_types) || (!length(icmp_types) && !length(icmp_codes)))
- add_rule(6, proto, sip[1], dip[1], sports, dports, icmp_types, null, ipset, rule);
+ for (let saddrs in subnets_group_by_masking(sip[1])) {
+ for (let daddrs in subnets_group_by_masking(dip[1])) {
+ if (length(icmp_types) || (!length(icmp_types) && !length(icmp_codes)))
+ add_rule(6, proto, saddrs, daddrs, sports, dports, icmp_types, null, ipset, rule);
- if (length(icmp_codes))
- add_rule(6, proto, sip[1], dip[1], sports, dports, null, icmp_codes, ipset, rule);
+ if (length(icmp_codes))
+ add_rule(6, proto, saddrs, daddrs, sports, dports, null, icmp_codes, ipset, rule);
+ }
+ }
}
}
}
enabled: [ "bool", "1" ],
name: [ "string", this.section_id(data[".name"]) ],
- family: [ "family", "4" ],
+ _name: [ "string", null, DEPRECATED ],
+ family: [ "family" ],
src: [ "zone_ref" ],
dest: [ "zone_ref" ],
let resolve_dest = (redir) => {
for (let zone in this.state.zones) {
- for (let addr in zone.related_subnets) {
- if (redir.dest_ip.family != addr.family)
- continue;
+ for (let zone_addr in zone.related_subnets) {
+ for (let dest_addr in redir.dest_ip.addrs) {
+ if (dest_addr.family != zone_addr.family)
+ continue;
- let a = apply_mask(redir.dest_ip.addr, addr.bits);
- let b = apply_mask(addr.addr, addr.bits);
+ let a = apply_mask(dest_addr.addr, zone_addr.mask);
+ let b = apply_mask(zone_addr.addr, zone_addr.mask);
- if (a != b)
- continue;
+ if (a != b)
+ continue;
- redir.dest = {
- any: false,
- zone: zone
- };
+ redir.dest = {
+ any: false,
+ zone: zone
+ };
- return true;
+ return true;
+ }
}
}
if (redir.target == "dnat") {
if (!redir.src)
- return this.warn_section(r, "has no source specified");
+ return this.warn_section(data, "has no source specified");
else if (redir.src.any)
- return this.warn_section(r, "must not have source '*' for dnat target");
+ return this.warn_section(data, "must not have source '*' for dnat target");
else if (redir.dest_ip && redir.dest_ip.invert)
- return this.warn_section(r, "must not specify a negated 'dest_ip' value");
+ return this.warn_section(data, "must not specify a negated 'dest_ip' value");
+ else if (redir.dest_ip && length(filter(redir.dest_ip.addrs, a => a.bits == -1)))
+ return this.warn_section(data, "must not use non-contiguous masks in 'dest_ip'");
if (!redir.dest && redir.dest_ip && resolve_dest(redir))
- this.warn_section(r, "does not specify a destination, assuming '" + redir.dest.zone.name + "'");
+ this.warn_section(data, "does not specify a destination, assuming '" + redir.dest.zone.name + "'");
if (!redir.dest_port)
redir.dest_port = redir.src_dport;
return this.warn_section(data, "has no 'src_dip' option specified");
else if (redir.src_dip.invert)
return this.warn_section(data, "must not specify a negated 'src_dip' value");
+ else if (length(filter(redir.src_dip.addrs, a => a.bits == -1)))
+ return this.warn_section(data, "must not use non-contiguous masks in 'src_dip'");
else if (redir.src_mac)
return this.warn_section(data, "must not use 'src_mac' option for snat target");
else if (redir.helper)
family: family,
proto: proto,
- has_addrs: !!(length(saddrs) || length(daddrs)),
+ has_addrs: !!(saddrs[0] || saddrs[1] || saddrs[2] || daddrs[0] || daddrs[1] || daddrs[2]),
has_ports: !!(sport || dport || rport),
- saddrs_pos: map(filter_pos(saddrs), this.cidr),
- saddrs_neg: map(filter_neg(saddrs), this.cidr),
- daddrs_pos: map(filter_pos(daddrs), this.cidr),
- daddrs_neg: map(filter_neg(daddrs), this.cidr),
+ saddrs_pos: map(saddrs[0], this.cidr),
+ saddrs_neg: map(saddrs[1], this.cidr),
+ saddrs_masked: saddrs[2],
+ daddrs_pos: map(daddrs[0], this.cidr),
+ daddrs_neg: map(daddrs[1], this.cidr),
+ daddrs_masked: daddrs[2],
sports_pos: map(filter_pos(to_array(sport)), this.port),
sports_neg: map(filter_neg(to_array(sport)), this.port),
dports_pos: map(filter_pos(to_array(dport)), this.port),
switch (r.target) {
case "dnat":
r.chain = sprintf("dstnat_%s", r.src.zone.name);
+ r.src.zone.dflags.dnat = true;
if (!r.raddr)
r.target = "redirect";
case "snat":
r.chain = sprintf("srcnat_%s", r.dest.zone.name);
+ r.dest.zone.dflags.snat = true;
break;
}
}
/* build reflection rules */
- if (redir.reflection && (length(rip[0]) || length(rip[1])) &&
- redir.src && redir.src.zone && redir.src.zone[family == 4 ? "masq" : "masq6"] &&
- redir.dest && redir.dest.zone) {
-
+ if (redir.reflection && (length(rip[0]) || length(rip[1])) && redir.src?.zone && redir.dest?.zone) {
let refredir = {
name: redir.name + " (reflection)",
mark: redir.mark
};
- let eaddrs = subnets_split_af(length(dip) ? dip : { addrs: redir.src.zone.related_subnets });
+ let eaddrs = length(dip) ? dip : subnets_split_af({ addrs: map(redir.src.zone.related_subnets, to_hostaddr) });
let rzones = length(redir.reflection_zone) ? redir.reflection_zone : [ redir.dest ];
for (let rzone in rzones) {
let iaddrs = subnets_split_af({ addrs: rzone.zone.related_subnets });
let refaddrs = (redir.reflection_src == "internal") ? iaddrs : eaddrs;
- refaddrs = [
- map(refaddrs[0], to_hostaddr),
- map(refaddrs[1], to_hostaddr)
- ];
+ for (let i = 0; i <= 1; i++) {
+ if (redir.src.zone[i ? "masq6" : "masq"] && length(rip[i])) {
+ let snat_addr = refaddrs[i]?.[0];
+
+ /* For internal reflection sources try to find a suitable candiate IP
+ * among the reflection zone subnets which is within the same subnet
+ * as the original DNAT destination. If we can't find any matching
+ * one then simply take the first candidate. */
+ if (redir.reflection_src == "internal") {
+ for (let zone_addr in rzone.zone.related_subnets) {
+ if (zone_addr.family != rip[i][0].family)
+ continue;
+
+ let r = apply_mask(rip[i][0].addr, zone_addr.mask);
+ let a = apply_mask(zone_addr.addr, zone_addr.mask);
+
+ if (r != a)
+ continue;
+
+ snat_addr = zone_addr;
+ break;
+ }
+ }
- eaddrs = [
- map(eaddrs[0], to_hostaddr),
- map(eaddrs[1], to_hostaddr)
- ];
+ if (snat_addr) {
+ refredir.src = rzone;
+ refredir.dest = null;
+ refredir.target = "dnat";
- for (let i = 0; i <= 1; i++) {
- if (length(rip[i])) {
- refredir.src = rzone;
- refredir.dest = null;
- refredir.target = "dnat";
- add_rule(i ? 6 : 4, proto, iaddrs[i], eaddrs[i], rip[i], sport, dport, rport, null, refredir);
+ for (let saddrs in subnets_group_by_masking(iaddrs[i]))
+ for (let daddrs in subnets_group_by_masking(eaddrs[i]))
+ add_rule(i ? 6 : 4, proto, saddrs, daddrs, rip[i], sport, dport, rport, null, refredir);
- for (let refaddr in refaddrs[i]) {
refredir.src = null;
refredir.dest = rzone;
refredir.target = "snat";
- add_rule(i ? 6 : 4, proto, iaddrs[i], rip[i], [ refaddr ], null, rport, null, null, refredir);
+
+ for (let daddrs in subnets_group_by_masking(rip[i]))
+ for (let saddrs in subnets_group_by_masking(iaddrs[i]))
+ add_rule(i ? 6 : 4, proto, saddrs, daddrs, [ to_hostaddr(snat_addr) ], null, rport, null, null, refredir);
}
}
}
/* check if there's no AF specific bits, in this case we can do an AF agnostic rule */
if (!family && !length(sip[0]) && !length(sip[1]) && !length(dip[0]) && !length(dip[1]) && !length(rip[0]) && !length(rip[1])) {
- add_rule(0, proto, null, null, null, sport, dport, rport, null, redir);
+ /* for backwards compatibility, treat unspecified family as IPv4 unless user explicitly requested any (0) */
+ if (family == null)
+ family = 4;
+
+ add_rule(family, proto, [], [], null, sport, dport, rport, null, redir);
}
/* we need to emit one or two AF specific rules */
else {
- if (family == 0 || family == 4)
- add_rule(4, proto, sip[0], dip[0], rip[0], sport, dport, rport, ipset, redir);
+ if ((!family || family == 4) && (length(sip[0]) || length(dip[0]) || length(rip[0]))) {
+ for (let saddrs in subnets_group_by_masking(sip[0]))
+ for (let daddrs in subnets_group_by_masking(dip[0]))
+ add_rule(4, proto, saddrs, daddrs, rip[0], sport, dport, rport, ipset, redir);
+ }
- if (family == 0 || family == 6)
- add_rule(6, proto, sip[1], dip[1], rip[1], sport, dport, rport, ipset, redir);
+ if ((!family || family == 6) && (length(sip[1]) || length(dip[1]) || length(rip[1]))) {
+ for (let saddrs in subnets_group_by_masking(sip[1]))
+ for (let daddrs in subnets_group_by_masking(dip[1]))
+ add_rule(6, proto, saddrs, daddrs, rip[1], sport, dport, rport, ipset, redir);
+ }
}
}
},
return;
}
+ if (snat.snat_ip && length(filter(snat.snat_ip.addrs, a => a.bits == -1 || a.invert))) {
+ this.warn_section(data, "must not use inversion or non-contiguous masks in 'snat_ip', ignoring section");
+ return;
+ }
+
if (snat.src && snat.src.zone)
snat.src.zone.dflags.snat = true;
family: family,
proto: proto,
- has_addrs: !!(length(saddrs) || length(daddrs) || length(raddrs)),
+ has_addrs: !!(saddrs[0] || saddrs[1] || saddrs[2] || daddrs[0] || daddrs[1] || daddrs[2]),
has_ports: !!(sport || dport),
- saddrs_pos: map(filter_pos(saddrs), this.cidr),
- saddrs_neg: map(filter_neg(saddrs), this.cidr),
- daddrs_pos: map(filter_pos(daddrs), this.cidr),
- daddrs_neg: map(filter_neg(daddrs), this.cidr),
+ saddrs_pos: map(saddrs[0], this.cidr),
+ saddrs_neg: map(saddrs[1], this.cidr),
+ saddrs_masked: saddrs[2],
+ daddrs_pos: map(daddrs[0], this.cidr),
+ daddrs_neg: map(daddrs[1], this.cidr),
+ daddrs_masked: daddrs[2],
sports_pos: map(filter_pos(to_array(sport)), this.port),
sports_neg: map(filter_neg(to_array(sport)), this.port),
dports_pos: map(filter_pos(to_array(dport)), this.port),
/* check if there's no AF specific bits, in this case we can do an AF agnostic rule */
if (!family && !length(sip[0]) && !length(sip[1]) && !length(dip[0]) && !length(dip[1]) && !length(rip[0]) && !length(rip[1])) {
- add_rule(0, proto, null, null, null, sport, dport, rport, snat);
+ add_rule(0, proto, [], [], null, sport, dport, rport, snat);
}
/* we need to emit one or two AF specific rules */
else {
if (family == 0 || family == 4)
- add_rule(4, proto, sip[0], dip[0], rip[0], sport, dport, rport, snat);
+ for (let saddr in subnets_group_by_masking(sip[0]))
+ for (let daddr in subnets_group_by_masking(dip[0]))
+ add_rule(4, proto, saddr, daddr, rip[0], sport, dport, rport, snat);
if (family == 0 || family == 6)
- add_rule(6, proto, sip[1], dip[1], rip[1], sport, dport, rport, snat);
+ for (let saddr in subnets_group_by_masking(sip[1]))
+ for (let daddr in subnets_group_by_masking(dip[1]))
+ add_rule(6, proto, saddr, daddr, rip[1], sport, dport, rport, snat);
}
}
},
netmask: [ "int", null, UNSUPPORTED ],
maxelem: [ "int" ],
hashsize: [ "int", null, UNSUPPORTED ],
- timeout: [ "int", null, UNSUPPORTED ],
+ timeout: [ "int", "-1" ],
external: [ "string", null, UNSUPPORTED ],
let s = {
...ipset,
+ fw4types: types,
+
types: map(types, (t) => {
switch (t) {
case 'ip':
projects / project / firewall4.git / blobdiff