projects / project / firewall3.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
firewall3: Fix some format string problems
[project/firewall3.git] / helpers.c
1 /*
2 * firewall3 - 3rd OpenWrt UCI firewall implementation
3 *
4 * Copyright (C) 2018 Jo-Philipp Wich <jo@mein.io>
5 *
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #include "helpers.h"
20
21
22 const struct fw3_option fw3_cthelper_opts[] = {
23 FW3_OPT("enabled", bool, cthelper, enabled),
24 FW3_OPT("name", string, cthelper, name),
25 FW3_OPT("module", string, cthelper, module),
26 FW3_OPT("description", string, cthelper, description),
27 FW3_OPT("family", family, cthelper, family),
28 FW3_LIST("proto", protocol, cthelper, proto),
29 FW3_OPT("port", port, cthelper, port),
30
31 { }
32 };
33
34
35 static bool
36 test_module(struct fw3_cthelper *helper)
37 {
38 struct stat s;
39 char path[sizeof("/sys/module/nf_conntrack_xxxxxxxxxxxxxxxx")];
40
41 snprintf(path, sizeof(path), "/sys/module/%s", helper->module);
42
43 if (stat(path, &s) || !S_ISDIR(s.st_mode))
44 return false;
45
46 return true;
47 }
48
49 static bool
50 check_cthelper_proto(const struct fw3_cthelper *helper)
51 {
52 struct fw3_protocol *proto;
53
54 if (list_empty(&helper->proto))
55 return false;
56
57 list_for_each_entry(proto, &helper->proto, list)
58 {
59 if (!proto->protocol || proto->any || proto->invert)
60 return false;
61 }
62
63 return true;
64 }
65
66 static bool
67 check_cthelper(struct fw3_state *state, struct fw3_cthelper *helper, struct uci_element *e)
68 {
69 if (!helper->name || !*helper->name)
70 {
71 warn_section("helper", helper, e, "must have a name assigned");
72 }
73 else if (!helper->module || !*helper->module)
74 {
75 warn_section("helper", helper, e, "must have a module assigned");
76 }
77 else if (!check_cthelper_proto(helper))
78 {
79 warn_section("helper", helper, e, "must specify a protocol");
80 }
81 else if (helper->port.set && helper->port.invert)
82 {
83 warn_section("helper", helper, e, "must not specify negated ports");
84 }
85 else
86 {
87 return true;
88 }
89
90 return false;
91 }
92
93 static struct fw3_cthelper *
94 fw3_alloc_cthelper(struct fw3_state *state)
95 {
96 struct fw3_cthelper *helper;
97
98 helper = calloc(1, sizeof(*helper));
99 if (!helper)
100 return NULL;
101
102 helper->enabled = true;
103 helper->family = FW3_FAMILY_ANY;
104 INIT_LIST_HEAD(&helper->proto);
105
106 list_add_tail(&helper->list, &state->cthelpers);
107
108 return helper;
109 }
110
111 static void
112 load_cthelpers(struct fw3_state *state, struct uci_package *p)
113 {
114 struct fw3_cthelper *helper;
115 struct uci_section *s;
116 struct uci_element *e;
117
118 uci_foreach_element(&p->sections, e)
119 {
120 s = uci_to_section(e);
121
122 if (strcmp(s->type, "helper"))
123 continue;
124
125 helper = fw3_alloc_cthelper(state);
126
127 if (!helper)
128 continue;
129
130 if (!fw3_parse_options(helper, fw3_cthelper_opts, s))
131 warn_elem(e, "has invalid options");
132
133 if (!check_cthelper(state, helper, e))
134 fw3_free_cthelper(helper);
135 }
136 }
137
138 void
139 fw3_load_cthelpers(struct fw3_state *state, struct uci_package *p)
140 {
141 struct uci_package *hp = NULL;
142 FILE *fp;
143
144 INIT_LIST_HEAD(&state->cthelpers);
145
146 fp = fopen(FW3_HELPERCONF, "r");
147
148 if (fp) {
149 uci_import(state->uci, fp, "fw3_ct_helpers", &hp, true);
150 fclose(fp);
151
152 if (hp)
153 load_cthelpers(state, hp);
154 }
155
156 load_cthelpers(state, p);
157 }
158
159 struct fw3_cthelper *
160 fw3_lookup_cthelper(struct fw3_state *state, const char *name)
161 {
162 struct fw3_cthelper *h;
163
164 if (list_empty(&state->cthelpers))
165 return NULL;
166
167 list_for_each_entry(h, &state->cthelpers, list)
168 {
169 if (strcasecmp(h->name, name))
170 continue;
171
172 return h;
173 }
174
175 return NULL;
176 }
177
178 bool
179 fw3_cthelper_check_proto(const struct fw3_cthelper *h, const struct fw3_protocol *proto)
180 {
181 struct fw3_protocol *p;
182
183 list_for_each_entry(p, &h->proto, list)
184 {
185 if (p->protocol == proto->protocol)
186 return true;
187 }
188
189 return false;
190 }
191
192 struct fw3_cthelper *
193 fw3_lookup_cthelper_by_proto_port(struct fw3_state *state,
194 struct fw3_protocol *proto,
195 struct fw3_port *port)
196 {
197 struct fw3_cthelper *h;
198
199 if (list_empty(&state->cthelpers))
200 return NULL;
201
202 if (!proto || !proto->protocol || proto->any || proto->invert)
203 return NULL;
204
205 if (port && port->invert)
206 return NULL;
207
208 list_for_each_entry(h, &state->cthelpers, list)
209 {
210 if (!h->enabled)
211 continue;
212
213 if (!fw3_cthelper_check_proto(h, proto))
214 continue;
215
216 if (h->port.set && (!port || !port->set))
217 continue;
218
219 if (!h->port.set && (!port || !port->set))
220 return h;
221
222 if (h->port.set && port && port->set &&
223 h->port.port_min <= port->port_min &&
224 h->port.port_max >= port->port_max)
225 return h;
226 }
227
228 return NULL;
229 }
230
231 static void
232 print_helper_rule(struct fw3_ipt_handle *handle, struct fw3_cthelper *helper,
233 struct fw3_zone *zone, struct fw3_protocol *proto)
234 {
235 struct fw3_ipt_rule *r;
236
237 r = fw3_ipt_rule_create(handle, proto, NULL, NULL, NULL, NULL);
238
239 if (helper->description && *helper->description)
240 fw3_ipt_rule_comment(r, helper->description);
241 else
242 fw3_ipt_rule_comment(r, helper->name);
243
244 fw3_ipt_rule_sport_dport(r, NULL, &helper->port);
245 fw3_ipt_rule_target(r, "CT");
246 fw3_ipt_rule_addarg(r, false, "--helper", helper->name);
247 fw3_ipt_rule_replace(r, "zone_%s_helper", zone->name);
248 }
249
250 static void
251 expand_helper_rule(struct fw3_ipt_handle *handle, struct fw3_cthelper *helper,
252 struct fw3_zone *zone)
253 {
254 struct fw3_protocol *proto;
255
256 list_for_each_entry(proto, &helper->proto, list)
257 print_helper_rule(handle, helper, zone, proto);
258 }
259
260 void
261 fw3_print_cthelpers(struct fw3_ipt_handle *handle, struct fw3_state *state,
262 struct fw3_zone *zone)
263 {
264 struct fw3_cthelper *helper;
265 struct fw3_cthelpermatch *match;
266
267 if (handle->table != FW3_TABLE_RAW)
268 return;
269
270 if (!fw3_is_family(zone, handle->family))
271 return;
272
273 if (list_empty(&zone->cthelpers))
274 {
275 if (zone->masq || !zone->auto_helper)
276 return;
277
278 if (list_empty(&state->cthelpers))
279 return;
280
281 info(" - Using automatic conntrack helper attachment");
282
283 list_for_each_entry(helper, &state->cthelpers, list)
284 {
285 if (!helper || !helper->enabled)
286 continue;
287
288 if (!fw3_is_family(helper, handle->family))
289 continue;
290
291 if (!test_module(helper))
292 continue;
293
294 expand_helper_rule(handle, helper, zone);
295 }
296 }
297 else
298 {
299 list_for_each_entry(match, &zone->cthelpers, list)
300 {
301 helper = match->ptr;
302
303 if (!helper || !helper->enabled)
304 continue;
305
306 if (!fw3_is_family(helper, handle->family))
307 continue;
308
309 if (!test_module(helper))
310 {
311 info(" ! Conntrack module '%s' for helper '%s' is not loaded",
312 helper->module, helper->name);
313 continue;
314 }
315
316 expand_helper_rule(handle, helper, zone);
317 }
318 }
319 }
OpenWrt firewall configuration utility