• source navigation  • diff markup  • identifier search  • freetext search  • 

Sources/firewall3/defaults.c

  1 /*
  2  * firewall3 - 3rd OpenWrt UCI firewall implementation
  3  *
  4  *   Copyright (C) 2013 Jo-Philipp Wich <jo@mein.io>
  5  *
  6  * Permission to use, copy, modify, and/or distribute this software for any
  7  * purpose with or without fee is hereby granted, provided that the above
  8  * copyright notice and this permission notice appear in all copies.
  9  *
 10  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 11  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 12  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 13  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 14  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 15  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 16  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 17  */
 18 
 19 #include "defaults.h"
 20 
 21 
 22 #define C(f, tbl, def, fmt) \
 23         { FW3_FAMILY_##f, FW3_TABLE_##tbl, FW3_FLAG_##def, fmt }
 24 
 25 static const struct fw3_chain_spec default_chains[] = {
 26         C(ANY, FILTER, UNSPEC,        "reject"),
 27         C(ANY, FILTER, CUSTOM_CHAINS, "input_rule"),
 28         C(ANY, FILTER, CUSTOM_CHAINS, "output_rule"),
 29         C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"),
 30         C(ANY, FILTER, SYN_FLOOD,     "syn_flood"),
 31 
 32         C(V4,  NAT,    CUSTOM_CHAINS, "prerouting_rule"),
 33         C(V4,  NAT,    CUSTOM_CHAINS, "postrouting_rule"),
 34 
 35         { }
 36 };
 37 
 38 const struct fw3_option fw3_flag_opts[] = {
 39         FW3_OPT("input",               target,   defaults, policy_input),
 40         FW3_OPT("forward",             target,   defaults, policy_forward),
 41         FW3_OPT("output",              target,   defaults, policy_output),
 42 
 43         FW3_OPT("drop_invalid",        bool,     defaults, drop_invalid),
 44         FW3_OPT("tcp_reject_code",     reject_code, defaults, tcp_reject_code),
 45         FW3_OPT("any_reject_code",     reject_code, defaults, any_reject_code),
 46 
 47         FW3_OPT("syn_flood",           bool,     defaults, syn_flood),
 48         FW3_OPT("synflood_protect",    bool,     defaults, syn_flood),
 49         FW3_OPT("synflood_rate",       limit,    defaults, syn_flood_rate),
 50         FW3_OPT("synflood_burst",      int,      defaults, syn_flood_rate.burst),
 51 
 52         FW3_OPT("tcp_syncookies",      bool,     defaults, tcp_syncookies),
 53         FW3_OPT("tcp_ecn",             int,      defaults, tcp_ecn),
 54         FW3_OPT("tcp_window_scaling",  bool,     defaults, tcp_window_scaling),
 55 
 56         FW3_OPT("accept_redirects",    bool,     defaults, accept_redirects),
 57         FW3_OPT("accept_source_route", bool,     defaults, accept_source_route),
 58 
 59         FW3_OPT("auto_helper",         bool,     defaults, auto_helper),
 60         FW3_OPT("custom_chains",       bool,     defaults, custom_chains),
 61         FW3_OPT("disable_ipv6",        bool,     defaults, disable_ipv6),
 62         FW3_OPT("flow_offloading",     bool,     defaults, flow_offloading),
 63         FW3_OPT("flow_offloading_hw",  bool,     defaults, flow_offloading_hw),
 64 
 65         FW3_OPT("__flags_v4",          int,      defaults, flags[0]),
 66         FW3_OPT("__flags_v6",          int,      defaults, flags[1]),
 67 
 68         { }
 69 };
 70 
 71 
 72 static void
 73 check_policy(struct uci_element *e, enum fw3_flag *pol, const char *name)
 74 {
 75         if (*pol == FW3_FLAG_UNSPEC)
 76         {
 77                 warn_elem(e, "has no %s policy specified, defaulting to DROP", name);
 78                 *pol = FW3_FLAG_DROP;
 79         }
 80         else if (*pol > FW3_FLAG_DROP)
 81         {
 82                 warn_elem(e, "has invalid %s policy, defaulting to DROP", name);
 83                 *pol = FW3_FLAG_DROP;
 84         }
 85 }
 86 
 87 static void
 88 check_target(struct uci_element *e, bool *available, const char *target, const bool ipv6)
 89 {
 90         const bool b = fw3_has_target(ipv6, target);
 91         if (!b)
 92         {
 93                 warn_elem(e, "requires unavailable target extension %s, disabling", target);
 94         }
 95         *available = b;
 96 }
 97 
 98 static void
 99 check_any_reject_code(struct uci_element *e, enum fw3_reject_code *any_reject_code)
100 {
101         if (*any_reject_code == FW3_REJECT_CODE_TCP_RESET) {
102                 warn_elem(e, "tcp-reset not valid for any_reject_code, defaulting to port-unreach");
103                 *any_reject_code = FW3_REJECT_CODE_PORT_UNREACH;
104         }
105 }
106 
107 static const char*
108 get_reject_code(enum fw3_family family, enum fw3_reject_code reject_code)
109 {
110         switch (reject_code) {
111         case FW3_REJECT_CODE_TCP_RESET:
112                 return "tcp-reset";
113         case FW3_REJECT_CODE_PORT_UNREACH:
114                 return "port-unreach";
115         case FW3_REJECT_CODE_ADM_PROHIBITED:
116                 return family == FW3_FAMILY_V6 ? "adm-prohibited": "admin-prohib";
117         default:
118                 return "unknown";
119         }
120 }
121 
122 void
123 fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
124 {
125         struct uci_section *s;
126         struct uci_element *e;
127         struct fw3_defaults *defs = &state->defaults;
128 
129         bool flow_offload_avaliable = false;
130         bool seen = false;
131 
132         defs->tcp_reject_code      = FW3_REJECT_CODE_TCP_RESET;
133         defs->any_reject_code      = FW3_REJECT_CODE_PORT_UNREACH;
134         defs->syn_flood_rate.rate  = 25;
135         defs->syn_flood_rate.burst = 50;
136         defs->tcp_syncookies       = true;
137         defs->tcp_window_scaling   = true;
138         defs->custom_chains        = true;
139         defs->auto_helper          = true;
140 
141         uci_foreach_element(&p->sections, e)
142         {
143                 s = uci_to_section(e);
144 
145                 if (strcmp(s->type, "defaults"))
146                         continue;
147 
148                 if (seen)
149                 {
150                         warn_elem(e, "ignoring duplicate section");
151                         continue;
152                 }
153 
154                 if(!fw3_parse_options(&state->defaults, fw3_flag_opts, s))
155                         warn_elem(e, "has invalid options");
156 
157                 check_policy(e, &defs->policy_input, "input");
158                 check_policy(e, &defs->policy_output, "output");
159                 check_policy(e, &defs->policy_forward, "forward");
160 
161                 check_any_reject_code(e, &defs->any_reject_code);
162 
163                 /* exists in both ipv4 and ipv6, if at all, so only check ipv4 */
164                 check_target(e, &flow_offload_avaliable, "FLOWOFFLOAD", false);
165 
166                 if (!flow_offload_avaliable)
167                         defs->flow_offloading = false;
168         }
169 }
170 
171 void
172 fw3_print_default_chains(struct fw3_ipt_handle *handle, struct fw3_state *state,
173                          bool reload)
174 {
175         struct fw3_defaults *defs = &state->defaults;
176         const struct fw3_chain_spec *c;
177 
178 #define policy(t) \
179         ((t == FW3_FLAG_REJECT) ? FW3_FLAG_DROP : t)
180 
181         if (handle->family == FW3_FAMILY_V6 && defs->disable_ipv6)
182                 return;
183 
184         if (handle->table == FW3_TABLE_FILTER)
185         {
186                 fw3_ipt_set_policy(handle, "INPUT",   policy(defs->policy_input));
187                 fw3_ipt_set_policy(handle, "OUTPUT",  policy(defs->policy_output));
188                 fw3_ipt_set_policy(handle, "FORWARD", policy(defs->policy_forward));
189         }
190 
191         if (defs->custom_chains)
192                 set(defs->flags, handle->family, FW3_FLAG_CUSTOM_CHAINS);
193 
194         if (defs->syn_flood)
195                 set(defs->flags, handle->family, FW3_FLAG_SYN_FLOOD);
196 
197         for (c = default_chains; c->format; c++)
198         {
199                 /* don't touch user chains on selective stop */
200                 if (reload && c->flag == FW3_FLAG_CUSTOM_CHAINS)
201                         continue;
202 
203                 if (!fw3_is_family(c, handle->family))
204                         continue;
205 
206                 if (c->table != handle->table)
207                         continue;
208 
209                 if (c->flag &&
210                     !fw3_hasbit(defs->flags[handle->family == FW3_FAMILY_V6], c->flag))
211                         continue;
212 
213                 fw3_ipt_create_chain(handle, c->format);
214         }
215 
216         set(defs->flags, handle->family, handle->table);
217 }
218 
219 void
220 fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
221                              struct fw3_state *state, bool reload)
222 {
223         int i;
224         struct fw3_defaults *defs = &state->defaults;
225         struct fw3_device lodev = { .set = true };
226         struct fw3_protocol tcp = { .protocol = 6 };
227         struct fw3_ipt_rule *r;
228 
229         const char *chains[] = {
230                 "INPUT", "input",
231                 "OUTPUT", "output",
232                 "FORWARD", "forwarding",
233         };
234 
235         switch (handle->table)
236         {
237         case FW3_TABLE_FILTER:
238 
239                 sprintf(lodev.name, "lo");
240 
241                 r = fw3_ipt_rule_create(handle, NULL, &lodev, NULL, NULL, NULL);
242                 fw3_ipt_rule_target(r, "ACCEPT");
243                 fw3_ipt_rule_append(r, "INPUT");
244 
245                 r = fw3_ipt_rule_create(handle, NULL, NULL, &lodev, NULL, NULL);
246                 fw3_ipt_rule_target(r, "ACCEPT");
247                 fw3_ipt_rule_append(r, "OUTPUT");
248 
249                 if (defs->custom_chains)
250                 {
251                         for (i = 0; i < ARRAY_SIZE(chains); i += 2)
252                         {
253                                 r = fw3_ipt_rule_new(handle);
254                                 fw3_ipt_rule_comment(r, "Custom %s rule chain", chains[i+1]);
255                                 fw3_ipt_rule_target(r, "%s_rule", chains[i+1]);
256                                 fw3_ipt_rule_append(r, chains[i]);
257                         }
258                 }
259 
260                 if (defs->flow_offloading)
261                 {
262                         r = fw3_ipt_rule_new(handle);
263                         fw3_ipt_rule_comment(r, "Traffic offloading");
264                         fw3_ipt_rule_extra(r, "-m conntrack --ctstate RELATED,ESTABLISHED");
265                         fw3_ipt_rule_target(r, "FLOWOFFLOAD");
266                         if (defs->flow_offloading_hw)
267                                 fw3_ipt_rule_addarg(r, false, "--hw", NULL);
268                         fw3_ipt_rule_append(r, "FORWARD");
269                 }
270 
271                 for (i = 0; i < ARRAY_SIZE(chains); i += 2)
272                 {
273                         r = fw3_ipt_rule_new(handle);
274                         fw3_ipt_rule_extra(r, "-m conntrack --ctstate RELATED,ESTABLISHED");
275                         fw3_ipt_rule_target(r, "ACCEPT");
276                         fw3_ipt_rule_append(r, chains[i]);
277 
278                         if (defs->drop_invalid)
279                         {
280                                 r = fw3_ipt_rule_new(handle);
281                                 fw3_ipt_rule_extra(r, "-m conntrack --ctstate INVALID");
282                                 fw3_ipt_rule_target(r, "DROP");
283                                 fw3_ipt_rule_append(r, chains[i]);
284                         }
285                 }
286 
287                 if (defs->syn_flood)
288                 {
289                         r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
290                         fw3_ipt_rule_extra(r, "--syn");
291                         fw3_ipt_rule_limit(r, &defs->syn_flood_rate);
292                         fw3_ipt_rule_target(r, "RETURN");
293                         fw3_ipt_rule_append(r, "syn_flood");
294 
295                         r = fw3_ipt_rule_new(handle);
296                         fw3_ipt_rule_target(r, "DROP");
297                         fw3_ipt_rule_append(r, "syn_flood");
298 
299                         r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
300                         fw3_ipt_rule_extra(r, "--syn");
301                         fw3_ipt_rule_target(r, "syn_flood");
302                         fw3_ipt_rule_append(r, "INPUT");
303                 }
304 
305                 r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
306                 fw3_ipt_rule_target(r, "REJECT");
307                 fw3_ipt_rule_addarg(r, false, "--reject-with", get_reject_code(handle->family, defs->tcp_reject_code));
308                 fw3_ipt_rule_append(r, "reject");
309 
310                 r = fw3_ipt_rule_new(handle);
311                 fw3_ipt_rule_target(r, "REJECT");
312                 fw3_ipt_rule_addarg(r, false, "--reject-with", get_reject_code(handle->family, defs->any_reject_code));
313                 fw3_ipt_rule_append(r, "reject");
314 
315                 break;
316 
317         case FW3_TABLE_NAT:
318                 if (defs->custom_chains)
319                 {
320                         r = fw3_ipt_rule_new(handle);
321                         fw3_ipt_rule_comment(r, "Custom prerouting rule chain");
322                         fw3_ipt_rule_target(r, "prerouting_rule");
323                         fw3_ipt_rule_append(r, "PREROUTING");
324 
325                         r = fw3_ipt_rule_new(handle);
326                         fw3_ipt_rule_comment(r, "Custom postrouting rule chain");
327                         fw3_ipt_rule_target(r, "postrouting_rule");
328                         fw3_ipt_rule_append(r, "POSTROUTING");
329                 }
330                 break;
331 
332         default:
333                 break;
334         }
335 }
336 
337 void
338 fw3_print_default_tail_rules(struct fw3_ipt_handle *handle,
339                              struct fw3_state *state, bool reload)
340 {
341         struct fw3_defaults *defs = &state->defaults;
342         struct fw3_ipt_rule *r;
343 
344         if (handle->table != FW3_TABLE_FILTER)
345                 return;
346 
347         if (defs->policy_input == FW3_FLAG_REJECT)
348         {
349                 r = fw3_ipt_rule_new(handle);
350 
351                 if (!r)
352                         return;
353 
354                 fw3_ipt_rule_target(r, "reject");
355                 fw3_ipt_rule_append(r, "INPUT");
356         }
357 
358         if (defs->policy_output == FW3_FLAG_REJECT)
359         {
360                 r = fw3_ipt_rule_new(handle);
361 
362                 if (!r)
363                         return;
364 
365                 fw3_ipt_rule_target(r, "reject");
366                 fw3_ipt_rule_append(r, "OUTPUT");
367         }
368 
369         if (defs->policy_forward == FW3_FLAG_REJECT)
370         {
371                 r = fw3_ipt_rule_new(handle);
372 
373                 if (!r)
374                         return;
375 
376                 fw3_ipt_rule_target(r, "reject");
377                 fw3_ipt_rule_append(r, "FORWARD");
378         }
379 }
380 
381 static void
382 set_default(const char *name, int set)
383 {
384         FILE *f;
385         char path[sizeof("/proc/sys/net/ipv4/tcp_window_scaling\0")];
386 
387         snprintf(path, sizeof(path), "/proc/sys/net/ipv4/tcp_%s", name);
388 
389         info(" * Set tcp_%s to %s", name, set ? "on" : "off");
390 
391         if (!(f = fopen(path, "w")))
392         {
393                 info("   ! Unable to write value: %s", strerror(errno));
394                 return;
395         }
396 
397         fprintf(f, "%u\n", set);
398         fclose(f);
399 }
400 
401 void
402 fw3_set_defaults(struct fw3_state *state)
403 {
404         set_default("ecn",            state->defaults.tcp_ecn);
405         set_default("syncookies",     state->defaults.tcp_syncookies);
406         set_default("window_scaling", state->defaults.tcp_window_scaling);
407 }
408 
409 void
410 fw3_flush_rules(struct fw3_ipt_handle *handle, struct fw3_state *state,
411                 bool reload)
412 {
413         enum fw3_flag policy = reload ? FW3_FLAG_DROP : FW3_FLAG_ACCEPT;
414         struct fw3_defaults *defs = &state->defaults;
415         const struct fw3_chain_spec *c;
416 
417         if (!has(defs->flags, handle->family, handle->table))
418                 return;
419 
420         if (handle->table == FW3_TABLE_FILTER)
421         {
422                 fw3_ipt_set_policy(handle, "INPUT",   policy);
423                 fw3_ipt_set_policy(handle, "OUTPUT",  policy);
424                 fw3_ipt_set_policy(handle, "FORWARD", policy);
425         }
426 
427         fw3_ipt_delete_id_rules(handle, "INPUT");
428         fw3_ipt_delete_id_rules(handle, "OUTPUT");
429         fw3_ipt_delete_id_rules(handle, "FORWARD");
430         fw3_ipt_delete_id_rules(handle, "PREROUTING");
431         fw3_ipt_delete_id_rules(handle, "POSTROUTING");
432 
433         for (c = default_chains; c->format; c++)
434         {
435                 /* don't touch user chains on selective stop */
436                 if (reload && c->flag == FW3_FLAG_CUSTOM_CHAINS)
437                         continue;
438 
439                 if (!fw3_is_family(c, handle->family))
440                         continue;
441 
442                 if (c->table != handle->table)
443                         continue;
444 
445                 if (c->flag && !has(defs->flags, handle->family, c->flag))
446                         continue;
447 
448                 fw3_ipt_flush_chain(handle, c->format);
449 
450                 /* keep certain basic chains that do not depend on any settings to
451                    avoid purging unrelated user rules pointing to them */
452                 if (reload && !c->flag)
453                         continue;
454 
455                 fw3_ipt_delete_chain(handle, c->format);
456         }
457 
458         del(defs->flags, handle->family, handle->table);
459 }
460 
461 void
462 fw3_flush_all(struct fw3_ipt_handle *handle)
463 {
464         if (handle->table == FW3_TABLE_FILTER)
465         {
466                 fw3_ipt_set_policy(handle, "INPUT",   FW3_FLAG_ACCEPT);
467                 fw3_ipt_set_policy(handle, "OUTPUT",  FW3_FLAG_ACCEPT);
468                 fw3_ipt_set_policy(handle, "FORWARD", FW3_FLAG_ACCEPT);
469         }
470 
471         fw3_ipt_flush(handle);
472 }
473 

This page was automatically generated by LXR 0.3.1.  •  OpenWrt