X-Git-Url: http://git.openwrt.org/?p=project%2Ffirewall3.git;a=blobdiff_plain;f=utils.c;h=faa51a1a589b277421f1e5c16ee35d43eea89d92;hp=aca98d59657d037b8789769a0e18244c757c7405;hb=HEAD;hpb=be8ead27f625b3e4ed383f270dcfee2d158231ec diff --git a/utils.c b/utils.c index aca98d5..faa51a1 100644 --- a/utils.c +++ b/utils.c @@ -17,6 +17,10 @@ */ #define _GNU_SOURCE + +#include +#include + #include "utils.h" #include "options.h" @@ -24,7 +28,7 @@ #include "ipsets.h" -static int lock_fd = -1; +static int fw3_lock_fd = -1; static pid_t pipe_pid = -1; static FILE *pipe_fd = NULL; @@ -141,7 +145,7 @@ fw3_alloc(size_t size) mem = calloc(1, size); if (!mem) - error("Out of memory while allocating %d bytes", size); + error("Out of memory while allocating %zd bytes", size); return mem; } @@ -187,8 +191,7 @@ fw3_find_command(const char *cmd) if ((plen + clen) >= sizeof(path)) continue; - strncpy(path, search, plen); - sprintf(path + plen, "/%s", cmd); + snprintf(path, sizeof(path), "%.*s/%s", plen, search, cmd); if (!stat(path, &s) && S_ISREG(s.st_mode)) return path; @@ -252,6 +255,7 @@ __fw3_command_pipe(bool silent, const char *command, ...) switch ((pid = fork())) { case -1: + free(args); return false; case 0: @@ -275,6 +279,7 @@ __fw3_command_pipe(bool silent, const char *command, ...) } pipe_fd = fdopen(pfds[1], "w"); + free(args); return true; } @@ -310,23 +315,19 @@ fw3_command_close(void) pipe_pid = -1; } -bool -fw3_has_table(bool ipv6, const char *table) +static bool +file_contains(const char *path, const char *str) { FILE *f; - char line[12]; bool seen = false; - const char *path = ipv6 - ? "/proc/net/ip6_tables_names" : "/proc/net/ip_tables_names"; - if (!(f = fopen(path, "r"))) return false; while (fgets(line, sizeof(line), f)) { - if (!strncmp(line, table, strlen(table))) + if (!strncmp(line, str, strlen(str))) { seen = true; break; @@ -338,40 +339,64 @@ fw3_has_table(bool ipv6, const char *table) return seen; } +bool +fw3_has_target(const bool ipv6, const char *target) +{ + const char *path = ipv6 + ? "/proc/net/ip6_tables_targets" : "/proc/net/ip_tables_targets"; + + return file_contains(path, target); +} bool -fw3_lock(void) +fw3_lock_path(int *fd, const char *path) { - lock_fd = open(FW3_LOCKFILE, O_CREAT|O_WRONLY, S_IRUSR|S_IWUSR); + int lock_fd = open(path, O_CREAT|O_WRONLY, S_IRUSR|S_IWUSR); if (lock_fd < 0) { - warn("Cannot create lock file %s: %s", FW3_LOCKFILE, strerror(errno)); + warn("Cannot create lock file %s: %s", path, strerror(errno)); return false; } if (flock(lock_fd, LOCK_EX)) { warn("Cannot acquire exclusive lock: %s", strerror(errno)); + close(lock_fd); return false; } + *fd = lock_fd; + return true; } +bool +fw3_lock() +{ + return fw3_lock_path(&fw3_lock_fd, FW3_LOCKFILE); +} + + void -fw3_unlock(void) +fw3_unlock_path(int *fd, const char *lockpath) { - if (lock_fd < 0) + if (*fd < 0) return; - if (flock(lock_fd, LOCK_UN)) + if (flock(*fd, LOCK_UN)) warn("Cannot release exclusive lock: %s", strerror(errno)); - close(lock_fd); - unlink(FW3_LOCKFILE); + close(*fd); - lock_fd = -1; + *fd = -1; +} + + +void +fw3_unlock(void) +{ + fw3_unlock_path(&fw3_lock_fd, FW3_LOCKFILE); } @@ -379,7 +404,7 @@ static void write_defaults_uci(struct uci_context *ctx, struct fw3_defaults *d, struct uci_package *dest) { - char buf[sizeof("0xffffffff\0")]; + char buf[sizeof("0xffffffff")]; struct uci_ptr ptr = { .p = dest }; uci_add_section(ctx, dest, "defaults", &ptr.s); @@ -399,13 +424,13 @@ write_defaults_uci(struct uci_context *ctx, struct fw3_defaults *d, ptr.value = fw3_flag_names[d->policy_forward]; uci_set(ctx, &ptr); - sprintf(buf, "0x%x", d->flags[0]); + snprintf(buf, sizeof(buf), "0x%x", d->flags[0]); ptr.o = NULL; ptr.option = "__flags_v4"; ptr.value = buf; uci_set(ctx, &ptr); - sprintf(buf, "0x%x", d->flags[1]); + snprintf(buf, sizeof(buf), "0x%x", d->flags[1]); ptr.o = NULL; ptr.option = "__flags_v6"; ptr.value = buf; @@ -462,11 +487,6 @@ write_zone_uci(struct uci_context *ctx, struct fw3_zone *z, ptr.value = z->masq ? "1" : "0"; uci_set(ctx, &ptr); - ptr.o = NULL; - ptr.option = "conntrack"; - ptr.value = z->conntrack ? "1" : "0"; - uci_set(ctx, &ptr); - ptr.o = NULL; ptr.option = "mtu_fix"; ptr.value = z->mtu_fix ? "1" : "0"; @@ -490,18 +510,21 @@ write_zone_uci(struct uci_context *ctx, struct fw3_zone *z, fw3_foreach(dev, &z->devices) { + char *ep; + if (!dev) continue; p = buf; + ep = buf + sizeof(buf); if (dev->invert) - p += sprintf(p, "!"); + p += snprintf(p, ep - p, "!"); if (*dev->network) - p += sprintf(p, "%s@%s", dev->name, dev->network); + p += snprintf(p, ep - p, "%s@%s", dev->name, dev->network); else - p += sprintf(p, "%s", dev->name); + p += snprintf(p, ep - p, "%s", dev->name); ptr.value = buf; uci_add_list(ctx, &ptr); @@ -548,13 +571,29 @@ write_zone_uci(struct uci_context *ctx, struct fw3_zone *z, } } - sprintf(buf, "0x%x", z->flags[0]); + if (z->extra_src) + { + ptr.o = NULL; + ptr.option = "extra_src"; + ptr.value = z->extra_src; + uci_set(ctx, &ptr); + } + + if (z->extra_dest) + { + ptr.o = NULL; + ptr.option = "extra_dest"; + ptr.value = z->extra_dest; + uci_set(ctx, &ptr); + } + + snprintf(buf, sizeof(buf), "0x%x", z->flags[0]); ptr.o = NULL; ptr.option = "__flags_v4"; ptr.value = buf; uci_set(ctx, &ptr); - sprintf(buf, "0x%x", z->flags[1]); + snprintf(buf, sizeof(buf), "0x%x", z->flags[1]); ptr.o = NULL; ptr.option = "__flags_v6"; ptr.value = buf; @@ -567,7 +606,7 @@ write_ipset_uci(struct uci_context *ctx, struct fw3_ipset *s, { struct fw3_ipset_datatype *type; - char buf[sizeof("65535-65535\0")]; + char buf[sizeof("65535-65535")]; struct uci_ptr ptr = { .p = dest }; @@ -581,6 +620,14 @@ write_ipset_uci(struct uci_context *ctx, struct fw3_ipset *s, ptr.value = s->name; uci_set(ctx, &ptr); + ptr.o = NULL; + ptr.option = "family"; + if (s->family == FW3_FAMILY_V4) + ptr.value = "ipv4"; + else + ptr.value = "ipv6"; + uci_set(ctx, &ptr); + ptr.o = NULL; ptr.option = "storage"; ptr.value = fw3_ipset_method_names[s->method]; @@ -588,7 +635,7 @@ write_ipset_uci(struct uci_context *ctx, struct fw3_ipset *s, list_for_each_entry(type, &s->datatypes, list) { - sprintf(buf, "%s_%s", type->dir, fw3_ipset_type_names[type->type]); + snprintf(buf, sizeof(buf), "%s_%s", type->dir, fw3_ipset_type_names[type->type]); ptr.o = NULL; ptr.option = "match"; ptr.value = buf; @@ -605,7 +652,7 @@ write_ipset_uci(struct uci_context *ctx, struct fw3_ipset *s, if (s->portrange.set) { - sprintf(buf, "%u-%u", s->portrange.port_min, s->portrange.port_max); + snprintf(buf, sizeof(buf), "%u-%u", s->portrange.port_min, s->portrange.port_max); ptr.o = NULL; ptr.option = "portrange"; ptr.value = buf; @@ -895,3 +942,83 @@ fw3_flush_conntrack(void *state) freeifaddrs(ifaddr); } + +bool fw3_attr_parse_name_type(struct blob_attr *entry, const char **name, const char **type) +{ + struct blob_attr *opt; + unsigned orem; + + if (!type || !name) + return false; + + *type = NULL; + + blobmsg_for_each_attr(opt, entry, orem) + if (!strcmp(blobmsg_name(opt), "type")) + *type = blobmsg_get_string(opt); + else if (!strcmp(blobmsg_name(opt), "name")) + *name = blobmsg_get_string(opt); + + return *type != NULL ? true : false; +} + +const char * +fw3_protoname(void *proto) +{ + static char buf[sizeof("4294967295")]; + struct fw3_protocol *p = proto; + struct protoent *pe; + + if (!p) + return "?"; + + pe = getprotobynumber(p->protocol); + + if (!pe) + { + snprintf(buf, sizeof(buf), "%u", p->protocol); + return buf; + } + + return pe->p_name; +} + +bool +fw3_check_loopback_dev(const char *name) +{ + struct ifreq ifr; + int s; + bool rv = false; + + s = socket(AF_LOCAL, SOCK_DGRAM, 0); + + if (s < 0) + return false; + + memset(&ifr, 0, sizeof(ifr)); + snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", name); + + if (ioctl(s, SIOCGIFFLAGS, &ifr) >= 0) { + if (ifr.ifr_flags & IFF_LOOPBACK) + rv = true; + } + + close(s); + + return rv; +} + +bool +fw3_check_loopback_addr(struct fw3_address *addr) +{ + if (addr->family == FW3_FAMILY_V4 && + (ntohl(addr->address.v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) + return true; + + if (addr->family == FW3_FAMILY_V6 && !addr->range && + fw3_netmask2bitlen(FW3_FAMILY_V6, &addr->mask.v6) == 128 && + IN6_IS_ADDR_LOOPBACK(&addr->address.v6)) + return true; + + return false; +}