#include "utils.h"
#include "options.h"
+#include "zones.h"
+#include "ipsets.h"
+
+
static int lock_fd = -1;
static pid_t pipe_pid = -1;
static FILE *pipe_fd = NULL;
+bool fw3_pr_debug = false;
+
+
static void
warn_elem_section_name(struct uci_section *s, bool find_name)
{
signal(SIGPIPE, SIG_IGN);
pipe_pid = pid;
close(pfds[0]);
+ fcntl(pfds[1], F_SETFD, fcntl(pfds[1], F_GETFD) | FD_CLOEXEC);
}
pipe_fd = fdopen(pfds[1], "w");
void
fw3_pr(const char *fmt, ...)
{
- va_list args;
- va_start(args, fmt);
- vfprintf(pipe_fd, fmt, args);
- va_end(args);
+ va_list args;
+
+ if (fw3_pr_debug && pipe_fd != stdout)
+ {
+ va_start(args, fmt);
+ vfprintf(stderr, fmt, args);
+ va_end(args);
+ }
+
+ va_start(args, fmt);
+ vfprintf(pipe_fd, fmt, args);
+ va_end(args);
}
void
return seen;
}
+
bool
-fw3_check_statefile(bool test_exists)
+fw3_lock(void)
{
- struct stat s;
+ lock_fd = open(FW3_LOCKFILE, O_CREAT|O_WRONLY, S_IRUSR|S_IWUSR);
- if (!stat(FW3_STATEFILE, &s))
+ if (lock_fd < 0)
{
- if (test_exists)
- return true;
-
- warn("The firewall appears to be started already. "
- "If it is indeed empty, remove the %s file and retry.",
- FW3_STATEFILE);
-
+ warn("Cannot create lock file %s: %s", FW3_LOCKFILE, strerror(errno));
return false;
}
- else if (test_exists)
+
+ if (flock(lock_fd, LOCK_EX))
{
- warn("The firewall appears to stopped already.");
+ warn("Cannot acquire exclusive lock: %s", strerror(errno));
return false;
}
- lock_fd = open(FW3_STATEFILE, O_CREAT | O_RDWR);
+ return true;
+}
+void
+fw3_unlock(void)
+{
if (lock_fd < 0)
+ return;
+
+ if (flock(lock_fd, LOCK_UN))
+ warn("Cannot release exclusive lock: %s", strerror(errno));
+
+ close(lock_fd);
+ unlink(FW3_LOCKFILE);
+
+ lock_fd = -1;
+}
+
+
+bool
+fw3_read_statefile(void *state)
+{
+ FILE *sf;
+
+ int type;
+ char line[128];
+ const char *p, *name;
+
+ uint32_t flags[2];
+
+ struct fw3_state *s = state;
+ struct fw3_zone *zone;
+ struct fw3_ipset *ipset;
+ struct fw3_device *net, *dev;
+
+ sf = fopen(FW3_STATEFILE, "r");
+
+ if (!sf)
+ return false;
+
+ while (fgets(line, sizeof(line), sf))
{
- warn("Unable to create %s file", FW3_STATEFILE);
- goto fail;
+ p = strtok(line, " \t\n");
+
+ if (!p)
+ continue;
+
+ type = strtoul(p, NULL, 16);
+ name = strtok(NULL, " \t\n");
+
+ if (!name)
+ continue;
+
+ if (!(p = strtok(NULL, " \t\n")))
+ continue;
+
+ flags[0] = strtoul(p, NULL, 16);
+
+ if (!(p = strtok(NULL, " \t\n")))
+ continue;
+
+ flags[1] = strtoul(p, NULL, 16);
+
+ switch (type)
+ {
+ case FW3_TYPE_DEFAULTS:
+ s->defaults.flags[0] = flags[0];
+ s->defaults.flags[1] = flags[1];
+ break;
+
+ case FW3_TYPE_ZONE:
+ if (!(zone = fw3_lookup_zone(state, name, false)))
+ {
+ zone = fw3_alloc_zone();
+
+ if (!zone)
+ continue;
+
+ zone->name = strdup(name);
+ list_add_tail(&zone->list, &s->zones);
+ }
+
+ zone->flags[0] = flags[0];
+ zone->flags[1] = flags[1];
+ list_add_tail(&zone->running_list, &s->running_zones);
+ break;
+
+ case FW3_TYPE_IPSET:
+ if (!(ipset = fw3_lookup_ipset(state, name, false)))
+ {
+ ipset = fw3_alloc_ipset();
+
+ if (!ipset)
+ continue;
+
+ ipset->name = strdup(name);
+ list_add_tail(&ipset->list, &s->ipsets);
+ }
+
+ ipset->flags[0] = flags[0];
+ ipset->flags[1] = flags[1];
+ list_add_tail(&ipset->running_list, &s->running_ipsets);
+ break;
+
+ case FW3_TYPE_NETWORK:
+ if (!(zone = fw3_lookup_zone(state, name, false)))
+ continue;
+
+ if (!(p = strtok(NULL, " \t\n")) || !(name = strtok(NULL, " \t\n")))
+ continue;
+
+ if (!(net = malloc(sizeof(*net))))
+ continue;
+
+ memset(net, 0, sizeof(*net));
+ snprintf(net->name, sizeof(net->name), "%s", p);
+ list_add_tail(&net->list, &zone->running_networks);
+
+ if (!(dev = malloc(sizeof(*dev))))
+ continue;
+
+ memset(dev, 0, sizeof(*dev));
+ dev->network = net;
+ snprintf(dev->name, sizeof(dev->name), "%s", name);
+ list_add_tail(&dev->list, &zone->running_devices);
+ }
}
- if (flock(lock_fd, LOCK_EX))
+ fclose(sf);
+
+ return true;
+}
+
+void
+fw3_write_statefile(void *state)
+{
+ FILE *sf;
+ struct fw3_state *s = state;
+ struct fw3_defaults *defs = &s->defaults;
+ struct fw3_zone *z;
+ struct fw3_ipset *i;
+ struct fw3_device *d;
+
+ if (fw3_no_table(defs->flags[0]) && fw3_no_table(defs->flags[1]))
{
- warn("Unable to acquire exclusive lock on %s file", FW3_STATEFILE);
- goto fail;
+ if (unlink(FW3_STATEFILE))
+ warn("Unable to remove state %s: %s",
+ FW3_STATEFILE, strerror(errno));
+ return;
}
- return true;
+ sf = fopen(FW3_STATEFILE, "w");
-fail:
- if (lock_fd > -1)
+ if (!sf)
{
- close(lock_fd);
- lock_fd = -1;
+ warn("Cannot create state %s: %s", FW3_STATEFILE, strerror(errno));
+ return;
}
- return false;
+ fprintf(sf, "%x - %x %x\n",
+ FW3_TYPE_DEFAULTS, defs->flags[0], defs->flags[1]);
+
+ list_for_each_entry(z, &s->running_zones, running_list)
+ {
+ if (fw3_no_table(z->flags[0]) && fw3_no_table(z->flags[1]))
+ continue;
+
+ fprintf(sf, "%x %s %x %x\n",
+ FW3_TYPE_ZONE, z->name, z->flags[0], z->flags[1]);
+
+ list_for_each_entry(d, &z->devices, list)
+ {
+ if (!d->network)
+ continue;
+
+ fprintf(sf, "%x %s 0 0 %s %s\n",
+ FW3_TYPE_NETWORK, z->name, d->network->name, d->name);
+ }
+ }
+
+ list_for_each_entry(i, &s->running_ipsets, running_list)
+ {
+ if (!fw3_no_family(i->flags[0]) || !fw3_no_family(i->flags[1]))
+ {
+ fprintf(sf, "%x %s %x %x\n",
+ FW3_TYPE_IPSET, i->name, i->flags[0], i->flags[1]);
+ }
+ }
+
+ fclose(sf);
}
+
+struct object_list_heads
+{
+ struct list_head list;
+ struct list_head running_list;
+};
+
void
-fw3_remove_statefile(void)
+fw3_set_running(void *object, struct list_head *dest)
{
- if (lock_fd > -1)
- fw3_close_statefile();
+ struct object_list_heads *o = object;
- if (unlink(FW3_STATEFILE))
- warn("Unable to delete %s file", FW3_STATEFILE);
+ if (dest && !o->running_list.next)
+ list_add_tail(&o->running_list, dest);
+ else if (!dest && o->running_list.next)
+ list_del(&o->running_list);
}
void
-fw3_close_statefile(void)
+fw3_free_object(void *obj, const void *opts)
{
- flock(lock_fd, LOCK_UN);
- close(lock_fd);
+ const struct fw3_option *ol;
+ struct list_head *list, *cur, *tmp;
- lock_fd = -1;
+ for (ol = opts; ol->name; ol++)
+ {
+ if (!ol->elem_size)
+ continue;
+
+ list = (struct list_head *)((char *)obj + ol->offset);
+ list_for_each_safe(cur, tmp, list)
+ {
+ list_del(cur);
+ free(cur);
+ }
+ }
+
+ free(obj);
+}
+
+
+bool
+fw3_pr_rulespec(int table, int family, uint32_t *flags, uint32_t mask,
+ const struct fw3_rule_spec *r, const char *fmt, ...)
+{
+ char buf[256];
+ bool rv = false;
+
+ va_list ap;
+ uint32_t f = flags ? flags[family == FW3_FAMILY_V6] : 0;
+
+ if (mask)
+ f &= mask;
+
+ for (; r->format; r++)
+ {
+ if (!fw3_is_family(r, family))
+ continue;
+
+ if (r->table != table)
+ continue;
+
+ if ((r->flag != 0) && !hasbit(f, r->flag))
+ continue;
+
+ va_start(ap, fmt);
+ vsnprintf(buf, sizeof(buf), r->format, ap);
+ va_end(ap);
+
+ fw3_pr(fmt, buf);
+
+ rv = true;
+ }
+
+ return rv;
+}
+
+
+bool
+fw3_hotplug(bool add, void *zone, void *device)
+{
+ struct fw3_zone *z = zone;
+ struct fw3_device *d = device;
+
+ if (!d->network)
+ return false;
+
+ switch (fork())
+ {
+ case -1:
+ warn("Unable to fork(): %s\n", strerror(errno));
+ return false;
+
+ case 0:
+ break;
+
+ default:
+ return true;
+ }
+
+ close(0);
+ close(1);
+ close(2);
+ chdir("/");
+
+ clearenv();
+ setenv("ACTION", add ? "add" : "remove", 1);
+ setenv("ZONE", z->name, 1);
+ setenv("INTERFACE", d->network->name, 1);
+ setenv("DEVICE", d->name, 1);
+
+ execl(FW3_HOTPLUG, FW3_HOTPLUG, "firewall", NULL);
+
+ /* unreached */
+ return false;
}