/*
 * firewall3 - 3rd OpenWrt UCI firewall implementation
 *
 * Copyright (C) 2013-2014 Jo-Philipp Wich <jo@mein.io>
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
 * copyright notice and this permission notice appear in all copies.
 *
 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */

/*
 * options.h - configuration model of firewall3.
 *
 * Declares the enumerations and structures that the UCI / blobmsg option
 * parsers fill in, the generic option-table type (struct fw3_option) with its
 * FW3_OPT / FW3_LIST initializer macros, and the prototypes of every
 * fw3_parse_* callback.  All values described here originate from the
 * firewall configuration, i.e. from data outside this program; the parsers
 * are the validation boundary for them.
 *
 * NOTE(review): identifiers beginning with "__" are reserved for the
 * implementation (C11 7.1.3).  The include guard and the __FW3_*_MAX
 * enumerators are kept as-is because they are likely referenced by other
 * translation units.
 */

#ifndef __FW3_OPTIONS_H
#define __FW3_OPTIONS_H


#include <errno.h>

#include <stdlib.h>
#include <stdarg.h>
#include <stdbool.h>

#include <ctype.h>
#include <string.h>

#include <netdb.h>
#include <arpa/inet.h>
#include <sys/socket.h>
/*
 * Presumably pre-defines the guards of the kernel uapi <linux/in.h> and
 * <linux/in6.h> so that they are not pulled in behind <netinet/in.h> and
 * redefine the same structures -- confirm against the toolchain headers.
 */
#define _LINUX_IN_H
#define _LINUX_IN6_H
#include <netinet/in.h>
#include <netinet/ether.h>

#include <time.h>

#include <uci.h>

#include <libubox/list.h>
#include <libubox/utils.h>
#include <libubox/blobmsg.h>

#include "icmp_codes.h"
#include "utils.h"


/* Netfilter tables a chain or rule may live in. */
enum fw3_table
{
	FW3_TABLE_FILTER = 0,
	FW3_TABLE_NAT    = 1,
	FW3_TABLE_MANGLE = 2,
	FW3_TABLE_RAW    = 3,
};

/*
 * Address family selector.  FW3_FAMILY_ANY means "both v4 and v6".
 * The numeric values 4 and 5 do not overlap with enum fw3_flag (6..23);
 * they look like bit positions shared with the flags[2] bitmask fields
 * declared further below -- confirm against the flag helpers before relying
 * on that.
 */
enum fw3_family
{
	FW3_FAMILY_ANY = 0,
	FW3_FAMILY_V4  = 4,
	FW3_FAMILY_V6  = 5,
};

/*
 * Rule targets and per-object feature flags.  Values start at 6 so they do
 * not collide with enum fw3_family; __FW3_FLAG_MAX (24) is the size of the
 * fw3_flag_names lookup table and still fits a 32-bit bitmask.
 */
enum fw3_flag
{
	FW3_FLAG_UNSPEC        = 0,
	FW3_FLAG_ACCEPT        = 6,
	FW3_FLAG_REJECT        = 7,
	FW3_FLAG_DROP          = 8,
	FW3_FLAG_NOTRACK       = 9,
	FW3_FLAG_HELPER        = 10,
	FW3_FLAG_MARK          = 11,
	FW3_FLAG_DSCP          = 12,
	FW3_FLAG_DNAT          = 13,
	FW3_FLAG_SNAT          = 14,
	FW3_FLAG_MASQUERADE    = 15,
	FW3_FLAG_SRC_ACCEPT    = 16,
	FW3_FLAG_SRC_REJECT    = 17,
	FW3_FLAG_SRC_DROP      = 18,
	FW3_FLAG_CUSTOM_CHAINS = 19,
	FW3_FLAG_SYN_FLOOD     = 20,
	FW3_FLAG_MTU_FIX       = 21,
	FW3_FLAG_DROP_INVALID  = 22,
	FW3_FLAG_HOTPLUG       = 23,

	__FW3_FLAG_MAX
};

/* ICMP / TCP error sent back for a REJECT verdict. */
enum fw3_reject_code
{
	FW3_REJECT_CODE_TCP_RESET      = 0,
	FW3_REJECT_CODE_PORT_UNREACH   = 1,
	FW3_REJECT_CODE_ADM_PROHIBITED = 2,

	__FW3_REJECT_CODE_MAX
};

/* String names indexed by enum fw3_flag; defined in the matching .c file. */
extern const char *fw3_flag_names[__FW3_FLAG_MAX];


/* Time unit of a rate limit (struct fw3_limit). */
enum fw3_limit_unit
{
	FW3_LIMIT_UNIT_SECOND = 0,
	FW3_LIMIT_UNIT_MINUTE = 1,
	FW3_LIMIT_UNIT_HOUR   = 2,
	FW3_LIMIT_UNIT_DAY    = 3,

	__FW3_LIMIT_UNIT_MAX
};

/* String names indexed by enum fw3_limit_unit. */
extern const char *fw3_limit_units[__FW3_LIMIT_UNIT_MAX];


/* ipset storage method (bitmap / hash / list). */
enum fw3_ipset_method
{
	FW3_IPSET_METHOD_UNSPEC = 0,
	FW3_IPSET_METHOD_BITMAP = 1,
	FW3_IPSET_METHOD_HASH   = 2,
	FW3_IPSET_METHOD_LIST   = 3,

	__FW3_IPSET_METHOD_MAX
};

/* ipset element datatype; one entry per component of a composite set type. */
enum fw3_ipset_type
{
	FW3_IPSET_TYPE_UNSPEC = 0,
	FW3_IPSET_TYPE_IP     = 1,
	FW3_IPSET_TYPE_PORT   = 2,
	FW3_IPSET_TYPE_MAC    = 3,
	FW3_IPSET_TYPE_NET    = 4,
	FW3_IPSET_TYPE_SET    = 5,

	__FW3_IPSET_TYPE_MAX
};

/* String names indexed by the two ipset enums above. */
extern const char *fw3_ipset_method_names[__FW3_IPSET_METHOD_MAX];
extern const char *fw3_ipset_type_names[__FW3_IPSET_TYPE_MAX];


/* How an "include" section is applied: run as a script, or fed to *-restore. */
enum fw3_include_type
{
	FW3_INC_TYPE_SCRIPT  = 0,
	FW3_INC_TYPE_RESTORE = 1,
};

/* Which address a NAT-reflection rule is generated for. */
enum fw3_reflection_source
{
	FW3_REFLECTION_INTERNAL = 0,
	FW3_REFLECTION_EXTERNAL = 1,
};

/* One datatype component of an ipset, kept in fw3_ipset.datatypes. */
struct fw3_ipset_datatype
{
	struct list_head list;
	enum fw3_ipset_type type;
	const char *dir;               /* direction qualifier (e.g. src/dst) of this component */
};

/*
 * "ipset" match of a rule.  name is a fixed 32-byte buffer: whatever parser
 * fills it must bound the copy and NUL-terminate (presumably
 * fw3_parse_setmatch; verify there).  ptr is resolved later to the set with
 * that name, if any.
 */
struct fw3_setmatch
{
	bool set;                      /* option present */
	bool invert;                   /* match negated ("!") */
	char name[32];
	const char *dir[3];            /* per-component direction qualifiers */
	struct fw3_ipset *ptr;
};

/*
 * Network device reference.  name and network are fixed 32-byte buffers with
 * the same bounded-copy requirement as fw3_setmatch.name.
 */
struct fw3_device
{
	struct list_head list;

	bool set;                      /* option present */
	bool any;                      /* wildcard "*" */
	bool invert;                   /* match negated */
	char name[32];
	char network[32];
};

/*
 * IPv4 / IPv6 / MAC address with optional mask or range.  The family member
 * selects which union arm of address and mask is valid.  When range is set,
 * mask presumably holds the upper bound of the range rather than a netmask --
 * confirm in fw3_parse_address.
 */
struct fw3_address
{
	struct list_head list;

	bool set;
	bool range;
	bool invert;
	bool resolved;                 /* value came from a hostname lookup rather than a literal */
	enum fw3_family family;
	union {
		struct in_addr v4;
		struct in6_addr v6;
		struct ether_addr mac;
	} address;
	union {
		struct in_addr v4;
		struct in6_addr v6;
		struct ether_addr mac;
	} mask;
};

/* Source MAC address match. */
struct fw3_mac
{
	struct list_head list;

	bool set;
	bool invert;
	struct ether_addr mac;
};

/* IP protocol match; any is the wildcard, protocol the numeric IP protocol. */
struct fw3_protocol
{
	struct list_head list;

	bool any;
	bool invert;
	uint32_t protocol;
};

/* Port or inclusive port range.  A single port is expected to have port_min == port_max. */
struct fw3_port
{
	struct list_head list;

	bool set;
	bool invert;
	uint16_t port_min;
	uint16_t port_max;
};

/*
 * ICMP type / code match.  Per the naming, type/code_min/code_max are the
 * ICMPv4 values and the *6 members their ICMPv6 counterpart; family states
 * which of the two applies (or both).
 */
struct fw3_icmptype
{
	struct list_head list;

	bool invert;
	enum fw3_family family;
	uint8_t type;
	uint8_t code_min;
	uint8_t code_max;
	uint8_t type6;
	uint8_t code6_min;
	uint8_t code6_max;
};

/* Rate limit: "rate" events per "unit" with a "burst" allowance. */
struct fw3_limit
{
	bool invert;
	int rate;
	int burst;
	enum fw3_limit_unit unit;
};

/*
 * Time-of-day / date match.  timestart and timestop are opaque here
 * (units not defined in this header -- see fw3_parse_time).  monthdays and
 * weekdays are bitmasks whose bit 0 carries the invert flag and bits 1..31
 * resp. 1..7 the selected days.
 */
struct fw3_time
{
	bool utc;
	struct tm datestart;
	struct tm datestop;
	uint32_t timestart;
	uint32_t timestop;
	uint32_t monthdays;            /* bit 0 is invert + 1 .. 31 */
	uint8_t weekdays;              /* bit 0 is invert + 1 .. 7 */
};

/* fwmark match or target: value and mask. */
struct fw3_mark
{
	bool set;
	bool invert;
	uint32_t mark;
	uint32_t mask;
};

/* DSCP match or target. */
struct fw3_dscp
{
	bool set;
	bool invert;
	uint8_t dscp;
};

/*
 * Conntrack-helper match.  name is a fixed 32-byte buffer (bounded copy
 * required); ptr is resolved to the fw3_cthelper of that name, if any.
 */
struct fw3_cthelpermatch
{
	struct list_head list;

	bool set;
	bool invert;
	char name[32];
	struct fw3_cthelper *ptr;
};

/*
 * The "defaults" section: global chain policies and sysctl-style knobs.
 * Note that tcp_ecn is an int rather than a bool, so it can carry more than
 * on/off.  flags[2] is a per-family (v4, v6) bitmask of enum fw3_flag.
 */
struct fw3_defaults
{
	enum fw3_flag policy_input;
	enum fw3_flag policy_output;
	enum fw3_flag policy_forward;

	bool drop_invalid;
	enum fw3_reject_code tcp_reject_code;
	enum fw3_reject_code any_reject_code;

	bool syn_flood;
	struct fw3_limit syn_flood_rate;

	bool tcp_syncookies;
	int tcp_ecn;
	bool tcp_window_scaling;

	bool accept_redirects;
	bool accept_source_route;

	bool custom_chains;
	bool auto_helper;
	bool flow_offloading;
	bool flow_offloading_hw;

	bool disable_ipv6;

	uint32_t flags[2];
};

/*
 * A "zone" section.  networks / devices / subnets / masq_src / masq_dest /
 * cthelpers / old_addrs are list_heads of the corresponding fw3_* element
 * structs.  extra_src / extra_dest are raw iptables argument strings taken
 * from the configuration and passed through; they are not parsed here.
 */
struct fw3_zone
{
	struct list_head list;

	bool enabled;
	const char *name;

	enum fw3_family family;

	enum fw3_flag policy_input;
	enum fw3_flag policy_output;
	enum fw3_flag policy_forward;

	struct list_head networks;
	struct list_head devices;
	struct list_head subnets;

	const char *extra_src;
	const char *extra_dest;

	bool masq;
	bool masq_allow_invalid;
	struct list_head masq_src;
	struct list_head masq_dest;

	bool mtu_fix;

	struct list_head cthelpers;

	int log;                       /* logging switch/level; int, not bool */
	struct fw3_limit log_limit;

	bool custom_chains;
	bool auto_helper;

	uint32_t flags[2];             /* per-family bitmask of enum fw3_flag */

	struct list_head old_addrs;
};

/*
 * A "rule" section.  _src / _dest are resolved zone pointers (NULL when the
 * zone name did not match one -- confirm in the resolver).  The list_head
 * members hold fw3_protocol / fw3_address / fw3_mac / fw3_port /
 * fw3_icmptype entries.  extra is a raw iptables argument string.
 */
struct fw3_rule
{
	struct list_head list;

	bool enabled;
	const char *name;

	enum fw3_family family;

	struct fw3_zone *_src;
	struct fw3_zone *_dest;

	const char *device;
	bool direction_out;

	struct fw3_device src;
	struct fw3_device dest;
	struct fw3_setmatch ipset;
	struct fw3_cthelpermatch helper;

	struct list_head proto;

	struct list_head ip_src;
	struct list_head mac_src;
	struct list_head port_src;

	struct list_head ip_dest;
	struct list_head port_dest;

	struct list_head icmp_type;

	struct fw3_limit limit;
	struct fw3_time time;
	struct fw3_mark mark;
	struct fw3_dscp dscp;

	enum fw3_flag target;
	struct fw3_mark set_mark;
	struct fw3_mark set_xmark;
	struct fw3_dscp set_dscp;
	struct fw3_cthelpermatch set_helper;

	const char *extra;
};

/*
 * A "redirect" (DNAT) section.  Unlike fw3_rule, ip_src / ip_dest /
 * port_src / port_dest are single values here, not lists; ip_redir /
 * port_redir are the translated destination.  extra is a raw iptables
 * argument string.
 */
struct fw3_redirect
{
	struct list_head list;

	bool enabled;
	const char *name;

	enum fw3_family family;

	struct fw3_zone *_src;
	struct fw3_zone *_dest;

	struct fw3_device src;
	struct fw3_device dest;
	struct fw3_setmatch ipset;
	struct fw3_cthelpermatch helper;

	struct list_head proto;

	struct fw3_address ip_src;
	struct list_head mac_src;
	struct fw3_port port_src;

	struct fw3_address ip_dest;
	struct fw3_port port_dest;

	struct fw3_address ip_redir;
	struct fw3_port port_redir;

	struct fw3_limit limit;
	struct fw3_time time;
	struct fw3_mark mark;

	enum fw3_flag target;

	const char *extra;

	bool local;
	bool reflection;
	enum fw3_reflection_source reflection_src;
	struct list_head reflection_zones;
};

/*
 * A "nat" (SNAT) section.  ip_snat / port_snat are the translated source.
 * extra is a raw iptables argument string.
 */
struct fw3_snat
{
	struct list_head list;

	bool enabled;
	const char *name;

	enum fw3_family family;

	struct fw3_zone *_src;

	struct fw3_device src;
	struct fw3_setmatch ipset;
	struct fw3_cthelpermatch helper;
	const char *device;

	struct list_head proto;

	struct fw3_address ip_src;
	struct fw3_port port_src;

	struct fw3_address ip_dest;
	struct fw3_port port_dest;

	struct fw3_address ip_snat;
	struct fw3_port port_snat;

	struct fw3_limit limit;
	struct fw3_time time;
	struct fw3_mark mark;
	bool connlimit_ports;

	enum fw3_flag target;

	const char *extra;
};

/* A "forwarding" section: zone-to-zone forwarding permission. */
struct fw3_forward
{
	struct list_head list;

	bool enabled;
	const char *name;

	enum fw3_family family;

	struct fw3_zone *_src;
	struct fw3_zone *_dest;

	struct fw3_device src;
	struct fw3_device dest;
};

/*
 * An "ipset" section.  datatypes holds fw3_ipset_datatype entries, entries
 * holds fw3_setentry entries.  loadfile and external are configuration
 * strings (a file path and an externally managed set name) that are used
 * as given.
 */
struct fw3_ipset
{
	struct list_head list;

	bool enabled;
	bool reload_set;
	bool counters;
	bool comment;

	const char *name;
	enum fw3_family family;

	enum fw3_ipset_method method;
	struct list_head datatypes;

	struct fw3_address iprange;
	struct fw3_port portrange;

	int netmask;
	int maxelem;
	int hashsize;

	int timeout;

	const char *external;

	struct list_head entries;
	const char *loadfile;

	uint32_t flags[2];
};

/*
 * An "include" section.  path names a file on disk that is executed or fed
 * to a restore tool according to type; it comes straight from the
 * configuration, so whoever applies it should treat the config as a trust
 * boundary.
 */
struct fw3_include
{
	struct list_head list;

	bool enabled;
	const char *name;
	enum fw3_family family;

	const char *path;
	enum fw3_include_type type;

	bool reload;
};

/* A conntrack "helper" definition: kernel module name plus the protocol/port it serves. */
struct fw3_cthelper
{
	struct list_head list;

	bool enabled;
	const char *name;
	const char *module;
	const char *description;
	enum fw3_family family;
	struct list_head proto;
	struct fw3_port port;
};

/* One literal ipset entry; value is the unparsed configuration string. */
struct fw3_setentry
{
	struct list_head list;
	const char *value;
};

/*
 * Whole parsed configuration.  Every list_head below is a list of the
 * correspondingly named fw3_* section struct.  uci is the context the
 * configuration was loaded from.
 */
struct fw3_state
{
	struct uci_context *uci;
	struct fw3_defaults defaults;
	struct list_head zones;
	struct list_head rules;
	struct list_head redirects;
	struct list_head snats;
	struct list_head forwards;
	struct list_head ipsets;
	struct list_head includes;
	struct list_head cthelpers;

	bool disable_ipsets;
	bool statefile;
};

/*
 * Describes a chain to create: family / table / flag are the enum values
 * above stored as plain ints; format is a printf-style template for the
 * chain name (argument conventions are defined by its users, not here).
 */
struct fw3_chain_spec {
	int family;
	int table;
	int flag;
	const char *format;
};


/*
 * One entry of an option-parsing table.
 *
 * name      configuration option name to look up.
 * parse     callback invoked as parse(dest, value, is_list); returns true on
 *           success.  The value is the raw configuration string, i.e.
 *           external input -- the callback is the validation point.
 * offset    byte offset of the destination member inside the section struct
 *           (filled in with offsetof by FW3_OPT / FW3_LIST).
 * elem_size only set by FW3_LIST; FW3_OPT supplies three initializers, so
 *           for plain options it is zero-initialized.
 */
struct fw3_option
{
	const char *name;
	bool (*parse)(void *, const char *, bool);
	uintptr_t offset;
	size_t elem_size;
};

/* Table entry for a scalar option stored in member of struct fw3_<structure>. */
#define FW3_OPT(name, parse, structure, member) \
	{ name, fw3_parse_##parse, offsetof(struct fw3_##structure, member) }

/*
 * Table entry for a list option.  Note that elem_size is the size of the
 * containing section struct (struct fw3_<structure>), not of the list
 * element type; how the option walkers use it is defined in their
 * implementation.
 */
#define FW3_LIST(name, parse, structure, member) \
	{ name, fw3_parse_##parse, offsetof(struct fw3_##structure, member), \
	  sizeof(struct fw3_##structure) }

/*
 * Option parser callbacks, all with the fw3_option.parse signature:
 *   ptr      destination (section struct base plus fw3_option.offset --
 *            confirm in fw3_parse_options)
 *   val      raw configuration value
 *   is_list  whether the option is a list and ptr denotes a list_head
 * Return true when val was accepted and stored, false otherwise.
 */
bool fw3_parse_bool(void *ptr, const char *val, bool is_list);
bool fw3_parse_int(void *ptr, const char *val, bool is_list);
bool fw3_parse_string(void *ptr, const char *val, bool is_list);
bool fw3_parse_target(void *ptr, const char *val, bool is_list);
bool fw3_parse_reject_code(void *ptr, const char *val, bool is_list);
bool fw3_parse_limit(void *ptr, const char *val, bool is_list);
bool fw3_parse_device(void *ptr, const char *val, bool is_list);
bool fw3_parse_address(void *ptr, const char *val, bool is_list);
bool fw3_parse_network(void *ptr, const char *val, bool is_list);
bool fw3_parse_mac(void *ptr, const char *val, bool is_list);
bool fw3_parse_port(void *ptr, const char *val, bool is_list);
bool fw3_parse_family(void *ptr, const char *val, bool is_list);
bool fw3_parse_icmptype(void *ptr, const char *val, bool is_list);
bool fw3_parse_protocol(void *ptr, const char *val, bool is_list);

bool fw3_parse_ipset_method(void *ptr, const char *val, bool is_list);
bool fw3_parse_ipset_datatype(void *ptr, const char *val, bool is_list);

bool fw3_parse_include_type(void *ptr, const char *val, bool is_list);
bool fw3_parse_reflection_source(void *ptr, const char *val, bool is_list);

bool fw3_parse_date(void *ptr, const char *val, bool is_list);
bool fw3_parse_time(void *ptr, const char *val, bool is_list);
bool fw3_parse_weekdays(void *ptr, const char *val, bool is_list);
bool fw3_parse_monthdays(void *ptr, const char *val, bool is_list);
bool fw3_parse_mark(void *ptr, const char *val, bool is_list);
bool fw3_parse_dscp(void *ptr, const char *val, bool is_list);
bool fw3_parse_setmatch(void *ptr, const char *val, bool is_list);
bool fw3_parse_direction(void *ptr, const char *val, bool is_list);
bool fw3_parse_cthelper(void *ptr, const char *val, bool is_list);
bool fw3_parse_setentry(void *ptr, const char *val, bool is_list);

/*
 * Walk an option table and parse a UCI section into s (the section struct
 * the table's offsets refer to).  Returns true on success.
 */
bool fw3_parse_options(void *s, const struct fw3_option *opts,
                       struct uci_section *section);
/*
 * Same as fw3_parse_options, but the source is a blobmsg attribute (the
 * ubus/procd path); name is presumably used for diagnostics -- confirm.
 */
bool fw3_parse_blob_options(void *s, const struct fw3_option *opts,
                            struct blob_attr *a, const char *name);

/*
 * Render an address (optionally with a leading "!" when allow_invert, and
 * in CIDR notation when as_cidr) as text.  Ownership and lifetime of the
 * returned string are not specified here; assume it is callee-owned storage
 * that a later call may overwrite -- verify in the implementation before
 * holding on to it.
 */
const char * fw3_address_to_string(struct fw3_address *address,
                                   bool allow_invert, bool as_cidr);

#endif