diff options
author | Jo-Philipp Wich <jow@openwrt.org> | 2009-12-09 02:15:59 +0000 |
---|---|---|
committer | Jo-Philipp Wich <jow@openwrt.org> | 2009-12-09 02:15:59 +0000 |
commit | 2e9ac3b3420350737aa37d01c0418bede10ab401 (patch) | |
tree | 352ff51ea0379c7709deb28dc8a18318ba47f806 /contrib/fwd/src/fwd_config.c | |
parent | e8220d96a52be888db8611e2908cb3ba97dfe2f8 (diff) |
contrib: fwd - initial C implementation of the uci firewall
Diffstat (limited to 'contrib/fwd/src/fwd_config.c')
-rw-r--r-- | contrib/fwd/src/fwd_config.c | 870 |
1 files changed, 870 insertions, 0 deletions
diff --git a/contrib/fwd/src/fwd_config.c b/contrib/fwd/src/fwd_config.c new file mode 100644 index 0000000000..1d16606d36 --- /dev/null +++ b/contrib/fwd/src/fwd_config.c @@ -0,0 +1,870 @@ +/* + * fwd - OpenWrt firewall daemon - config parsing + * + * Copyright (C) 2009 Jo-Philipp Wich <xm@subsignal.org> + * + * The fwd program is free software: you can redistribute it and/or + * modify it under the terms of the GNU General Public License version 2 + * as published by the Free Software Foundation. + * + * The fwd program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. + * See the GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License along + * with the fwd program. If not, see http://www.gnu.org/licenses/. + */ + + +#include "fwd.h" +#include "fwd_addr.h" +#include "fwd_config.h" + +#include "ucix.h" + + +#define fwd_read_error(...) do { \ + fprintf(stderr, "ERROR: "); \ + fprintf(stderr, __VA_ARGS__); \ + fprintf(stderr, "\n"); \ + return; \ +} while(0) + + +/* + * Parse helpers + */ +static int +fwd_read_policy(struct uci_context *uci, const char *s, const char *o) +{ + const char *val = ucix_get_option(uci, "firewall", s, o); + + if( val != NULL ) + { + switch( val[0] ) + { + case 'D': + case 'd': + return FWD_P_DROP; + + case 'R': + case 'r': + return FWD_P_REJECT; + + case 'A': + case 'a': + return FWD_P_ACCEPT; + } + } + + return FWD_P_UNSPEC; +} + +static int +fwd_read_bool(struct uci_context *uci, const char *s, const char *o, int d) +{ + const char *val = ucix_get_option(uci, "firewall", s, o); + + if( val != NULL ) + { + if( !strcmp(val, "yes") || !strcmp(val, "true") || !strcmp(val, "1") ) + return 1; + else + return 0; + } + + return d; +} + +static unsigned int +fwd_read_uint(struct uci_context *uci, const char *s, const char *o, unsigned int d) +{ + const char *val = ucix_get_option(uci, "firewall", s, o); + + if( val != NULL ) + { + return atoi(val); + } + + return d; +} + +static int +fwd_read_cidr(struct uci_context *uci, const char *s, const char *o, struct fwd_cidr **c) +{ + const char *val = ucix_get_option(uci, "firewall", s, o); + char ip[32], prefix[32]; + struct in_addr ina; + + memset(ip, 0, 32); + memset(prefix, 0, 32); + + if( val == NULL ) + { + return 0; + } + else if( (strlen(val) < 32) && (sscanf(val, "%[^/]/%s", ip, prefix) > 0) ) + { + if( !(*c = fwd_alloc_ptr(struct fwd_cidr)) ) + goto inval; + + if( inet_aton(ip, &ina) ) + { + (*c)->addr.s_addr = ina.s_addr; + + if( strchr(prefix, '.') ) + { + if( inet_aton(prefix, &ina) ) + { + (*c)->prefix = 32; + ina.s_addr = ntohl(ina.s_addr); + + while( !(ina.s_addr & 1) ) + { + ina.s_addr >>= 1; + (*c)->prefix--; + } + } + else + { + goto inval; + } + } + else + { + (*c)->prefix = prefix[0] ? atoi(prefix) : 32; + + if( ((*c)->prefix < 0) || ((*c)->prefix > 32) ) + { + goto inval; + } + } + + return 0; + } + } + + inval: + fwd_free_ptr(*c); + return -1; +} + +static int +fwd_read_mac(struct uci_context *uci, const char *s, const char *o, struct fwd_mac **m) +{ + const char *val = ucix_get_option(uci, "firewall", s, o); + + if( val == NULL ) + { + return 0; + } + else + { + if( (*m = fwd_alloc_ptr(struct fwd_mac)) != NULL ) + { + if( sscanf(val, "%2x:%2x:%2x:%2x:%2x:%2x", + (unsigned int *)&(*m)->mac[0], (unsigned int *)&(*m)->mac[1], + (unsigned int *)&(*m)->mac[2], (unsigned int *)&(*m)->mac[3], + (unsigned int *)&(*m)->mac[4], (unsigned int *)&(*m)->mac[5]) == 6 + ) { + return 0; + } + } + } + + fwd_free_ptr(*m); + return -1; +} + +static int +fwd_read_portrange(struct uci_context *uci, const char *s, const char *o, struct fwd_portrange **p) +{ + const char *val = ucix_get_option(uci, "firewall", s, o); + int min = -1; + int max = -1; + unsigned int tmp; + + if( val == NULL ) + { + return 0; + } + else if( sscanf(val, "%u%*[:-]%u", &min, &max) > 0 ) + { + if( max == -1 ) + { + max = min; + } + else if( min > max ) + { + tmp = max; + max = min; + min = tmp; + } + + if( (min >= 0) && (min <= 65535) && (max >= 0) && (max <= 65535) ) + { + if( (*p = fwd_alloc_ptr(struct fwd_portrange)) != NULL ) + { + (*p)->min = min; + (*p)->max = max; + return 0; + } + } + } + + fwd_free_ptr(*p); + return -1; +} + +static int +fwd_read_proto(struct uci_context *uci, const char *s, const char *o, struct fwd_proto **p) +{ + const char *val = ucix_get_option(uci, "firewall", s, o); + int proto; + + if( val == NULL ) + { + return 0; + } + else + { + if( (*p = fwd_alloc_ptr(struct fwd_proto)) != NULL ) + { + proto = atoi(val); + + if( !strcasecmp(val, "all") ) + { + (*p)->type = FWD_PR_ALL; + (*p)->proto = 0; + } + else if( !strcasecmp(val, "icmp") ) + { + (*p)->type = FWD_PR_ICMP; + (*p)->proto = 0; + } + else if( !strcasecmp(val, "udp") ) + { + (*p)->type = FWD_PR_UDP; + (*p)->proto = 0; + } + else if( !strcasecmp(val, "tcp") ) + { + (*p)->type = FWD_PR_TCP; + (*p)->proto = 0; + } + else if( !strcasecmp(val, "tcpudp") ) + { + (*p)->type = FWD_PR_TCPUDP; + (*p)->proto = 0; + } + else if( proto > 0 ) + { + (*p)->type = FWD_PR_CUSTOM; + (*p)->proto = proto; + } + else + { + goto inval; + } + + return 0; + } + } + + inval: + fwd_free_ptr(*p); + return -1; +} + +static int +fwd_read_icmptype(struct uci_context *uci, const char *s, const char *o, struct fwd_icmptype **i) +{ + const char *val = ucix_get_option(uci, "firewall", s, o); + unsigned int type, code; + + if( val == NULL ) + { + return 0; + } + else + { + if( (*i = fwd_alloc_ptr(struct fwd_icmptype)) != NULL ) + { + if( sscanf(val, "%u/%u", &type, &code) == 2 ) + { + if( (type > 255) || (code > 255) ) + goto inval; + + (*i)->type = type; + (*i)->code = code; + + return 0; + } + + else if( sscanf(val, "%u", &type) == 1 ) + { + if( type > 255 ) + goto inval; + + (*i)->type = type; + (*i)->code = -1; + + return 0; + } + + /* XXX: no validity check here but I do not want to + duplicate libipt_icmp.c ... */ + else if( sscanf(val, "%31s", (*i)->name) == 1 ) + { + return 0; + } + } + } + + inval: + fwd_free_ptr(*i); + return -1; +} + +static const char * +fwd_read_string(struct uci_context *uci, const char *s, const char *o) +{ + return ucix_get_option(uci, "firewall", s, o); +} + + +static void +fwd_append_config(struct fwd_data *h, struct fwd_data *a) +{ + while( h->next ) + h = h->next; + + h->next = a; +} + + +/* + * config defaults + */ +static void fwd_read_defaults_cb( + struct uci_context *uci, + const char *s, struct fwd_defaults *d +) { + d->input = fwd_read_policy(uci, s, "input"); + d->forward = fwd_read_policy(uci, s, "forward"); + d->output = fwd_read_policy(uci, s, "output"); + d->syn_flood = fwd_read_bool(uci, s, "syn_flood", 1); + d->syn_rate = fwd_read_uint(uci, s, "syn_rate", 25); + d->syn_burst = fwd_read_uint(uci, s, "syn_burst", 50); + d->drop_invalid = fwd_read_bool(uci, s, "drop_invalid", 1); +} + +static struct fwd_data * +fwd_read_defaults(struct uci_context *uci) +{ + struct fwd_data *dt; + struct fwd_defaults d; + + if( (dt = fwd_alloc_ptr(struct fwd_data)) != NULL ) + { + memset(&d, 0, sizeof(d)); + + ucix_for_each_section_type(uci, "firewall", "defaults", + (void *)fwd_read_defaults_cb, &d); + + memcpy(&dt->section.defaults, &d, sizeof(d)); + + dt->type = FWD_S_DEFAULTS; + dt->next = NULL; + + return dt; + } + + return NULL; +} + + +/* + * config zone + */ +static void fwd_read_zone_networks_cb( + const char *net, struct fwd_network_list **np +) { + struct fwd_network_list *nn; + + if( (nn = fwd_alloc_ptr(struct fwd_network_list)) != NULL ) + { + nn->name = strdup(net); + nn->next = *np; + *np = nn; + } +} + +static void fwd_read_zones_cb( + struct uci_context *uci, + const char *s, struct fwd_data_conveyor *cv +) { + struct fwd_data *dtn; + struct fwd_network_list *net = NULL; + const char *name; + + if( !(name = fwd_read_string(uci, s, "name")) ) + fwd_read_error("section '%s' is missing 'name' option!", s); + + if( (dtn = fwd_alloc_ptr(struct fwd_data)) != NULL ) + { + dtn->section.zone.name = strdup(name); + dtn->section.zone.masq = fwd_read_bool(uci, s, "masq", 0); + dtn->section.zone.mtu_fix = fwd_read_bool(uci, s, "mtu_fix", 0); + dtn->section.zone.conntrack = fwd_read_bool(uci, s, "conntrack", 0); + + dtn->section.zone.input = fwd_read_policy(uci, s, "input") + ?: cv->head->section.defaults.input ?: FWD_P_DROP; + + dtn->section.zone.forward = fwd_read_policy(uci, s, "forward") + ?: cv->head->section.defaults.forward ?: FWD_P_DROP; + + dtn->section.zone.output = fwd_read_policy(uci, s, "output") + ?: cv->head->section.defaults.output ?: FWD_P_DROP; + + /* try to parse option/list network ... */ + if( ucix_for_each_list(uci, "firewall", s, "network", + (void *)&fwd_read_zone_networks_cb, &net) < 0 ) + { + /* ... didn't work, fallback to option name */ + fwd_read_zone_networks_cb(name, &net); + } + + dtn->section.zone.networks = net; + dtn->type = FWD_S_ZONE; + dtn->next = cv->cursor; + cv->cursor = dtn; + } +} + +static struct fwd_data * +fwd_read_zones(struct uci_context *uci, struct fwd_data *def) +{ + struct fwd_data_conveyor cv; + + cv.cursor = NULL; + cv.head = def; + + ucix_for_each_section_type(uci, "firewall", "zone", + (void *)fwd_read_zones_cb, &cv); + + return cv.cursor; +} + + +/* + * config forwarding + */ +static void fwd_read_forwards_cb( + struct uci_context *uci, + const char *s, struct fwd_data_conveyor *cv +) { + const char *src, *dest; + struct fwd_data *dtn; + struct fwd_zone *zsrc = NULL; + struct fwd_zone *zdest = NULL; + + if( (src = fwd_read_string(uci, s, "src")) != NULL ) + { + if( !(zsrc = fwd_lookup_zone(cv->head, src)) ) + fwd_read_error("section '%s' references unknown src zone '%s'!", s, src); + } + + if( (dest = fwd_read_string(uci, s, "dest")) != NULL ) + { + if( !(zdest = fwd_lookup_zone(cv->head, dest)) ) + fwd_read_error("section '%s' references unknown dest zone '%s'!", s, dest); + } + + if( (dtn = fwd_alloc_ptr(struct fwd_data)) != NULL ) + { + dtn->section.forwarding.src = zsrc; + dtn->section.forwarding.dest = zdest; + dtn->section.forwarding.mtu_fix = fwd_read_bool(uci, s, "mtu_fix", 0); + dtn->section.forwarding.masq = fwd_read_bool(uci, s, "masq", 0); + + dtn->type = FWD_S_FORWARD; + dtn->next = cv->cursor; + cv->cursor = dtn; + } + else + { + fwd_read_error("out of memory while parsing config!"); + } +} + +static struct fwd_data * +fwd_read_forwards(struct uci_context *uci, struct fwd_data *zones) +{ + struct fwd_data_conveyor cv; + + cv.cursor = NULL; + cv.head = zones; + + ucix_for_each_section_type(uci, "firewall", "forwarding", + (void *)fwd_read_forwards_cb, &cv); + + return cv.cursor; +} + + +/* + * config redirect + */ +static void fwd_read_redirects_cb( + struct uci_context *uci, + const char *s, struct fwd_data_conveyor *cv +) { + const char *src; + struct fwd_data *dtn = NULL; + struct fwd_zone *zsrc = NULL; + + /* check zone */ + if( !(src = fwd_read_string(uci, s, "src")) ) + fwd_read_error( + "section '%s' is missing 'src' option!", + s + ); + + else if( !(zsrc = fwd_lookup_zone(cv->head, src)) ) + fwd_read_error( + "section '%s' references unknown src zone '%s'!", + s, src + ); + + /* uci context, section, name, type */ + fwd_check_option(uci, s, src_ip, cidr); + fwd_check_option(uci, s, src_mac, mac); + fwd_check_option(uci, s, src_port, portrange); + fwd_check_option(uci, s, src_dport, portrange); + fwd_check_option(uci, s, dest_ip, cidr); + fwd_check_option(uci, s, dest_port, portrange); + fwd_check_option(uci, s, proto, proto); + + if( (dtn = fwd_alloc_ptr(struct fwd_data)) != NULL ) + { + dtn->section.redirect.proto = proto; + dtn->section.redirect.src = zsrc; + dtn->section.redirect.src_ip = src_ip; + dtn->section.redirect.src_mac = src_mac; + dtn->section.redirect.src_port = src_port; + dtn->section.redirect.src_dport = src_dport; + dtn->section.redirect.dest_ip = dest_ip; + dtn->section.redirect.dest_port = dest_port; + + dtn->type = FWD_S_REDIRECT; + dtn->next = cv->cursor; + cv->cursor = dtn; + } + else + { + fwd_read_error("out of memory while parsing config!"); + } +} + +static struct fwd_data * +fwd_read_redirects(struct uci_context *uci, struct fwd_data *zones) +{ + struct fwd_data_conveyor cv; + + cv.cursor = NULL; + cv.head = zones; + + ucix_for_each_section_type(uci, "firewall", "redirect", + (void *)fwd_read_redirects_cb, &cv); + + return cv.cursor; +} + + +/* + * config rule + */ +static void fwd_read_rules_cb( + struct uci_context *uci, + const char *s, struct fwd_data_conveyor *cv +) { + const char *src, *dest; + struct fwd_data *dtn = NULL; + struct fwd_zone *zsrc = NULL; + struct fwd_zone *zdest = NULL; + + /* check zones */ + if( !(src = fwd_read_string(uci, s, "src")) ) + fwd_read_error( + "section '%s' is missing 'src' option!", + s + ); + + else if( !(zsrc = fwd_lookup_zone(cv->head, src)) ) + fwd_read_error( + "section '%s' references unknown src zone '%s'!", + s, src + ); + + if( (dest = fwd_read_string(uci, s, "dest")) != NULL ) + if( !(zdest = fwd_lookup_zone(cv->head, dest)) ) + fwd_read_error( + "section '%s' references unknown dest zone '%s'!", + s, dest + ); + + /* uci context, section, name, type */ + fwd_check_option(uci, s, src_ip, cidr); + fwd_check_option(uci, s, src_mac, mac); + fwd_check_option(uci, s, src_port, portrange); + fwd_check_option(uci, s, dest_ip, cidr); + fwd_check_option(uci, s, dest_port, portrange); + fwd_check_option(uci, s, proto, proto); + fwd_check_option(uci, s, icmptype, icmptype); + + if( (dtn = fwd_alloc_ptr(struct fwd_data)) != NULL ) + { + dtn->section.rule.proto = proto; + dtn->section.rule.icmp_type = icmptype; + dtn->section.rule.src = zsrc; + dtn->section.rule.src_ip = src_ip; + dtn->section.rule.src_mac = src_mac; + dtn->section.rule.src_port = src_port; + dtn->section.rule.dest = zdest; + dtn->section.rule.dest_ip = dest_ip; + dtn->section.rule.dest_port = dest_port; + dtn->section.rule.target = fwd_read_policy(uci, s, "target"); + + dtn->type = FWD_S_RULE; + dtn->next = cv->cursor; + cv->cursor = dtn; + } + else + { + fwd_read_error("out of memory while parsing config!"); + } +} + +static struct fwd_data * +fwd_read_rules(struct uci_context *uci, struct fwd_data *zones) +{ + struct fwd_data_conveyor cv; + + cv.cursor = NULL; + cv.head = zones; + + ucix_for_each_section_type(uci, "firewall", "rule", + (void *)fwd_read_rules_cb, &cv); + + return cv.cursor; +} + + +/* + * config include + */ +static void fwd_read_includes_cb( + struct uci_context *uci, + const char *s, struct fwd_data_conveyor *cv +) { + const char *path = fwd_read_string(uci, s, "path"); + struct fwd_data *dtn = NULL; + + if( path != NULL ) + { + if( (dtn = fwd_alloc_ptr(struct fwd_data)) != NULL ) + { + dtn->section.include.path = strdup(path); + + dtn->type = FWD_S_INCLUDE; + dtn->next = cv->cursor; + cv->cursor = dtn; + } + else + { + fwd_read_error("out of memory while parsing config!"); + } + } +} + +static struct fwd_data * +fwd_read_includes(struct uci_context *uci) +{ + struct fwd_data_conveyor cv; + + cv.cursor = NULL; + cv.head = NULL; + + ucix_for_each_section_type(uci, "firewall", "include", + (void *)fwd_read_includes_cb, &cv); + + return cv.cursor; +} + + +/* + * config interface + */ +static void fwd_read_network_data( + struct uci_context *uci, struct fwd_network_list *net +) { + struct fwd_network_list *e; + const char *type, *ifname; + + for( e = net; e; e = e->next ) + { + if( (type = ucix_get_option(uci, "network", e->name, NULL)) != NULL ) + { + if( !(ifname = ucix_get_option(uci, "network", e->name, "ifname")) ) + fwd_read_error( + "section '%s' is missing 'ifname' option!", + e->name + ); + + e->isalias = (strcmp(type, "alias") ? 0 : 1); + e->ifname = strdup(ifname); + } + } +} + +static void fwd_read_networks( + struct uci_context *uci, struct fwd_data *zones +) { + struct fwd_data *e; + + for( e = zones; e; e = e->next ) + if( e->type == FWD_S_ZONE ) + fwd_read_network_data(uci, e->section.zone.networks); +} + +static void fwd_free_networks(struct fwd_network_list *h) +{ + struct fwd_network_list *e = h; + + while( h != NULL ) + { + e = h->next; + + fwd_free_ptr(h->name); + fwd_free_ptr(h->ifname); + fwd_free_ptr(h->addr); + + free(h); + h = e; + } + + e = h = NULL; +} + + + +struct fwd_data * fwd_read_config(void) +{ + struct uci_context *ctx; + struct fwd_data *defaults, *zones; + + if( (ctx = ucix_init("firewall")) != NULL ) + { + if( !(defaults = fwd_read_defaults(ctx)) ) + goto error; + + if( !(zones = fwd_read_zones(ctx, defaults)) ) + goto error; + + fwd_append_config(defaults, zones); + fwd_append_config(defaults, fwd_read_forwards(ctx, zones)); + fwd_append_config(defaults, fwd_read_redirects(ctx, zones)); + fwd_append_config(defaults, fwd_read_rules(ctx, zones)); + fwd_append_config(defaults, fwd_read_includes(ctx)); + + ucix_cleanup(ctx); + + if( (ctx = ucix_init("network")) != NULL ) + { + fwd_read_networks(ctx, zones); + ucix_cleanup(ctx); + + return defaults; + } + } + + error: + if( ctx ) ucix_cleanup(ctx); + fwd_free_config(defaults); + fwd_free_config(zones); + return NULL; +} + + +void fwd_free_config(struct fwd_data *h) +{ + struct fwd_data *e = h; + + while( h != NULL ) + { + e = h->next; + + switch(h->type) + { + case FWD_S_INCLUDE: + fwd_free_ptr(h->section.include.path); + break; + + case FWD_S_ZONE: + fwd_free_ptr(h->section.zone.name); + fwd_free_networks(h->section.zone.networks); + break; + + case FWD_S_REDIRECT: + fwd_free_ptr(h->section.redirect.src_ip); + fwd_free_ptr(h->section.redirect.src_mac); + fwd_free_ptr(h->section.redirect.src_port); + fwd_free_ptr(h->section.redirect.src_dport); + fwd_free_ptr(h->section.redirect.dest_ip); + fwd_free_ptr(h->section.redirect.dest_port); + fwd_free_ptr(h->section.redirect.proto); + break; + + case FWD_S_RULE: + fwd_free_ptr(h->section.rule.src_ip); + fwd_free_ptr(h->section.rule.src_mac); + fwd_free_ptr(h->section.rule.src_port); + fwd_free_ptr(h->section.rule.dest_ip); + fwd_free_ptr(h->section.rule.dest_port); + fwd_free_ptr(h->section.rule.proto); + fwd_free_ptr(h->section.rule.icmp_type); + break; + + case FWD_S_DEFAULTS: + case FWD_S_FORWARD: + /* Make gcc happy */ + break; + } + + free(h); + h = e; + } + + e = h = NULL; +} + + +struct fwd_zone * +fwd_lookup_zone(struct fwd_data *h, const char *n) +{ + struct fwd_data *e; + + if( n != NULL ) + { + for( e = h; e; e = e->next ) + { + if( (e->type = FWD_S_ZONE) && !strcmp(e->section.zone.name, n) ) + return &e->section.zone; + } + } + + return NULL; +} + |