remove ip range list hack since fw3_address can now represent true ranges
1 /*
2 * firewall3 - 3rd OpenWrt UCI firewall implementation
3 *
4 * Copyright (C) 2013 Jo-Philipp Wich <jow@openwrt.org>
5 *
6 * Permission to use, copy, modify, and/or distribute this software for any
7 * purpose with or without fee is hereby granted, provided that the above
8 * copyright notice and this permission notice appear in all copies.
9 *
10 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
11 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
12 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
13 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
14 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
15 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */
18
19 #ifndef __FW3_OPTIONS_H
20 #define __FW3_OPTIONS_H
21
22
23 #include <errno.h>
24
25 #include <stdlib.h>
26 #include <stdarg.h>
27 #include <stdbool.h>
28
29 #include <ctype.h>
30 #include <string.h>
31
32 #include <netdb.h>
33 #include <arpa/inet.h>
34 #include <sys/socket.h>
35 #include <netinet/in.h>
36 #include <netinet/ether.h>
37
38 #include <uci.h>
39
40 #include <libubox/list.h>
41 #include <libubox/utils.h>
42
43 #include "icmp_codes.h"
44 #include "utils.h"
45
46
/* Netfilter tables fw3 can emit rules into. Values are contiguous from 0. */
enum fw3_table
{
	FW3_TABLE_FILTER = 0,
	FW3_TABLE_NAT    = 1,
	FW3_TABLE_MANGLE = 2,
	FW3_TABLE_RAW    = 3,
};
54
/* Address family an object applies to. ANY is 0; the V4/V6 values are
 * deliberately non-contiguous: together with fw3_target and fw3_default
 * every constant is unique and stays below the size of fw3_flag_names
 * (declared below), which suggests a shared flag/name namespace — confirm
 * against the users of the uint16_t flags fields before relying on it. */
enum fw3_family
{
	FW3_FAMILY_ANY = 0,
	FW3_FAMILY_V4  = 4,
	FW3_FAMILY_V6  = 5,
};
61
/* Rule verdicts / targets. UNSPEC (0) means "not configured"; the remaining
 * values continue the numbering started by fw3_family (6..11) so that all
 * three enums index fw3_flag_names without collisions. */
enum fw3_target
{
	FW3_TARGET_UNSPEC  = 0,
	FW3_TARGET_ACCEPT  = 6,
	FW3_TARGET_REJECT  = 7,
	FW3_TARGET_DROP    = 8,
	FW3_TARGET_NOTRACK = 9,
	FW3_TARGET_DNAT    = 10,
	FW3_TARGET_SNAT    = 11,
};
72
/* Global "defaults" section features, numbered 12..15 after fw3_target.
 * FW3_DEFAULT_DROP_INVALID is the largest constant in the shared numbering
 * and therefore sizes fw3_flag_names below; add new values carefully. */
enum fw3_default
{
	FW3_DEFAULT_UNSPEC        = 0,
	FW3_DEFAULT_CUSTOM_CHAINS = 12,
	FW3_DEFAULT_SYN_FLOOD     = 13,
	FW3_DEFAULT_MTU_FIX       = 14,
	FW3_DEFAULT_DROP_INVALID  = 15,
};
81
/* Human-readable names indexed by the constants of fw3_family, fw3_target and
 * fw3_default. Sized to 16 entries (0..FW3_DEFAULT_DROP_INVALID), so any
 * value outside that range must not be used as an index. Defined in a .c. */
extern const char *fw3_flag_names[FW3_DEFAULT_DROP_INVALID + 1];
83
84
/* Time unit for a rate limit (struct fw3_limit). Contiguous from 0. */
enum fw3_limit_unit
{
	FW3_LIMIT_UNIT_SECOND = 0,
	FW3_LIMIT_UNIT_MINUTE = 1,
	FW3_LIMIT_UNIT_HOUR   = 2,
	FW3_LIMIT_UNIT_DAY    = 3,
};
92
/* Storage method of an ipset (bitmap/hash/list); UNSPEC means not set. */
enum fw3_ipset_method
{
	FW3_IPSET_METHOD_UNSPEC = 0,
	FW3_IPSET_METHOD_BITMAP = 1,
	FW3_IPSET_METHOD_HASH   = 2,
	FW3_IPSET_METHOD_LIST   = 3,
};
100
/* Element data type of an ipset; UNSPEC means not set. */
enum fw3_ipset_type
{
	FW3_IPSET_TYPE_UNSPEC = 0,
	FW3_IPSET_TYPE_IP     = 1,
	FW3_IPSET_TYPE_PORT   = 2,
	FW3_IPSET_TYPE_MAC    = 3,
	FW3_IPSET_TYPE_NET    = 4,
	FW3_IPSET_TYPE_SET    = 5,
};
110
/* One entry of fw3_ipset.datatypes: the element type plus a flag telling
 * whether it refers to the destination side (presumably src vs. dst
 * matching — confirm in fw3_parse_ipset_datatype). */
struct fw3_ipset_datatype
{
	struct list_head list;      /* linkage in fw3_ipset.datatypes */
	enum fw3_ipset_type type;
	bool dest;
};
117
/* A network device / interface reference (also reused for zone and ipset
 * references in fw3_rule / fw3_redirect). */
struct fw3_device
{
	struct list_head list;      /* linkage when held in a list */

	bool set;                   /* a value was configured */
	bool any;                   /* wildcard match */
	bool invert;                /* negate the match */
	/* Fixed 32-byte buffer, terminator included: every writer that fills
	 * this from configuration (fw3_parse_device below) must bound the copy
	 * and guarantee NUL termination. */
	char name[32];
};
127
/* An IP or MAC address, prefix, or — per the commit this file belongs to —
 * a true address range. Which union member is valid presumably follows
 * `family` (v4/v6) or the mac type; confirm in fw3_parse_address. */
struct fw3_address
{
	struct list_head list;      /* linkage when held in a list */

	bool set;                   /* a value was configured */
	bool range;                 /* true: address..address2 form a range
	                             * (assumed inclusive — TODO confirm) */
	bool invert;                /* negate the match */
	enum fw3_family family;
	int mask;                   /* prefix length; sentinel for "none" not
	                             * visible here — check the parser */
	union {
		struct in_addr v4;
		struct in6_addr v6;
		struct ether_addr mac;
	} address;                  /* single address or lower bound */
	union {
		struct in_addr v4;
		struct in6_addr v6;
		struct ether_addr mac;
	} address2;                 /* upper bound when `range` is set */
};
148
/* A MAC address match (e.g. fw3_rule.mac_src entries). */
struct fw3_mac
{
	struct list_head list;      /* linkage when held in a list */

	bool set;                   /* a value was configured */
	bool invert;                /* negate the match */
	struct ether_addr mac;
};
157
/* An IP protocol match. `any` is a wildcard; `protocol` is the numeric
 * protocol id (uint16_t here although IP protocol numbers fit in 8 bits). */
struct fw3_protocol
{
	struct list_head list;      /* linkage when held in a list */

	bool any;
	bool invert;                /* negate the match */
	uint16_t protocol;
};
166
/* A port or port range, port_min..port_max (assumed inclusive — confirm in
 * fw3_parse_port). A single port presumably sets both ends equal. */
struct fw3_port
{
	struct list_head list;      /* linkage when held in a list */

	bool set;                   /* a value was configured */
	bool invert;                /* negate the match */
	uint16_t port_min;
	uint16_t port_max;
};
176
/* An ICMP type/code match carrying both the ICMPv4 (type, code_min..code_max)
 * and the ICMPv6 (type6, code6_min..code6_max) encoding of the same symbolic
 * name, so one entry can be rendered for either family. */
struct fw3_icmptype
{
	struct list_head list;      /* linkage in fw3_rule.icmp_type */

	bool invert;                /* negate the match */
	enum fw3_family family;     /* restricts the entry to one family */
	uint8_t type;
	uint8_t code_min;
	uint8_t code_max;
	uint8_t type6;
	uint8_t code6_min;
	uint8_t code6_max;
};
190
/* A rate limit: `rate` events per `unit`, with an allowed `burst`.
 * Not list-linked; embedded by value in fw3_defaults, fw3_zone and fw3_rule. */
struct fw3_limit
{
	bool invert;                /* negate the match */
	int rate;
	int burst;
	enum fw3_limit_unit unit;
};
198
/* Parsed "defaults" UCI section: global chain policies plus feature toggles.
 * The tcp_*/accept_* names mirror kernel networking sysctls; how they are
 * applied is not visible in this header. */
struct fw3_defaults
{
	enum fw3_target policy_input;
	enum fw3_target policy_output;
	enum fw3_target policy_forward;

	bool drop_invalid;          /* drop packets in conntrack state INVALID */

	bool syn_flood;             /* enable SYN flood limiting ... */
	struct fw3_limit syn_flood_rate;  /* ... at this rate */

	bool tcp_syncookies;
	bool tcp_ecn;
	bool tcp_westwood;
	bool tcp_window_scaling;

	bool accept_redirects;
	bool accept_source_route;

	bool custom_chains;         /* emit user-extensible custom chains */

	bool disable_ipv6;

	/* Bit set of the fw3_family/fw3_target/fw3_default constants (16 bits
	 * matches the 16 entries of fw3_flag_names) — presumed; confirm in
	 * the code that sets it. */
	uint16_t flags;
};
224
/* A firewall zone. Linked into two lists at once: fw3_state.zones via `list`
 * and, by name, fw3_state.running_zones via `running_list`. */
struct fw3_zone
{
	struct list_head list;
	struct list_head running_list;

	const char *name;           /* not owned here as far as this header shows */

	enum fw3_family family;

	enum fw3_target policy_input;
	enum fw3_target policy_output;
	enum fw3_target policy_forward;

	struct list_head networks;  /* fw3_device entries */
	struct list_head devices;   /* fw3_device entries */
	struct list_head subnets;   /* fw3_address entries */

	/* Free-form option text taken from the configuration and handed to the
	 * rule generator (see fw3_format_extra below). Nothing in this header
	 * shows it being validated, so it should only ever come from trusted
	 * configuration. */
	const char *extra_src;
	const char *extra_dest;

	bool masq;                  /* masquerade traffic leaving this zone */
	struct list_head masq_src;  /* fw3_address entries */
	struct list_head masq_dest; /* fw3_address entries */

	bool conntrack;
	bool mtu_fix;               /* TCP MSS clamping */

	bool log;
	struct fw3_limit log_limit;

	bool custom_chains;

	uint16_t src_flags;         /* flag bits, see fw3_defaults.flags */
	uint16_t dst_flags;
};
260
/* A filter rule. Members with a leading underscore (_src, _dest, _ipset) are
 * resolved object pointers rather than parsed options — presumably filled in
 * after parsing by looking up the names held in src/dest/ipset; they can be
 * NULL until then. Match criteria are lists, so a rule may expand to several
 * iptables rules. */
struct fw3_rule
{
	struct list_head list;      /* linkage in fw3_state.rules */

	const char *name;

	enum fw3_family family;

	struct fw3_zone *_src;
	struct fw3_zone *_dest;

	struct fw3_device src;      /* source zone reference by name */
	struct fw3_device dest;     /* destination zone reference by name */

	struct fw3_ipset *_ipset;
	struct fw3_device ipset;    /* ipset reference by name */

	struct list_head proto;     /* fw3_protocol entries */

	struct list_head ip_src;    /* fw3_address entries */
	struct list_head mac_src;   /* fw3_mac entries */
	struct list_head port_src;  /* fw3_port entries */

	struct list_head ip_dest;   /* fw3_address entries */
	struct list_head port_dest; /* fw3_port entries */

	struct list_head icmp_type; /* fw3_icmptype entries */

	enum fw3_target target;

	struct fw3_limit limit;

	/* Free-form extra arguments from configuration; see fw3_format_extra. */
	const char *extra;
};
295
/* A DNAT/SNAT redirect. Unlike fw3_rule, the address and port criteria are
 * single values (struct fw3_address / struct fw3_port by value), not lists;
 * only mac_src and proto remain lists. Underscore members are resolved
 * pointers, see fw3_rule. */
struct fw3_redirect
{
	struct list_head list;      /* linkage in fw3_state.redirects */

	const char *name;

	enum fw3_family family;

	struct fw3_zone *_src;
	struct fw3_zone *_dest;

	struct fw3_device src;
	struct fw3_device dest;

	struct fw3_ipset *_ipset;
	struct fw3_device ipset;

	struct list_head proto;     /* fw3_protocol entries */

	struct fw3_address ip_src;
	struct list_head mac_src;   /* fw3_mac entries */
	struct fw3_port port_src;

	struct fw3_address ip_dest;
	struct fw3_port port_dest;

	struct fw3_address ip_redir; /* rewrite target address */
	struct fw3_port port_redir;  /* rewrite target port */

	enum fw3_target target;     /* expected DNAT or SNAT — confirm in parser */

	/* Free-form extra arguments from configuration; see fw3_format_extra. */
	const char *extra;

	bool reflection;            /* NAT reflection (hairpin) for this redirect */
};
331
/* A zone-to-zone forwarding allowance. Underscore members are resolved zone
 * pointers, see fw3_rule. */
struct fw3_forward
{
	struct list_head list;      /* linkage in fw3_state.forwards */

	const char *name;

	enum fw3_family family;

	struct fw3_zone *_src;
	struct fw3_zone *_dest;

	struct fw3_device src;      /* source zone reference by name */
	struct fw3_device dest;     /* destination zone reference by name */
};
346
/* An ipset definition. Like fw3_zone it sits in two lists: fw3_state.ipsets
 * via `list` and fw3_state.running_ipsets via `running_list`. The IP range
 * is a single fw3_address (with `range` set) rather than a list of
 * addresses, which is what this commit introduced. */
struct fw3_ipset
{
	struct list_head list;
	struct list_head running_list;

	const char *name;
	enum fw3_family family;

	enum fw3_ipset_method method;
	struct list_head datatypes; /* fw3_ipset_datatype entries */

	struct fw3_address iprange;
	struct fw3_port portrange;

	int netmask;
	int maxelem;
	int hashsize;

	int timeout;

	const char *external;       /* name of an externally managed set, if any */

	uint16_t flags;             /* flag bits, see fw3_defaults.flags */
};
371
/* Whole-program state: the UCI context, everything parsed from the
 * configuration, and the `running_*` mirror of what is currently applied
 * (used, presumably, to compute what must be torn down or kept). */
struct fw3_state
{
	struct uci_context *uci;
	struct fw3_defaults defaults;
	struct list_head zones;     /* fw3_zone entries */
	struct list_head rules;     /* fw3_rule entries */
	struct list_head redirects; /* fw3_redirect entries */
	struct list_head forwards;  /* fw3_forward entries */
	struct list_head ipsets;    /* fw3_ipset entries */

	struct fw3_defaults running_defaults;
	struct list_head running_zones;  /* fw3_zone via running_list */
	struct list_head running_ipsets; /* fw3_ipset via running_list */

	bool disable_ipsets;
	bool statefile;             /* a state file was present/used — confirm */
};
389
390
/* Table entry describing how one UCI option maps onto a structure member.
 * `parse` receives a pointer to the target member and the raw option string
 * from the configuration (untrusted as far as the parser is concerned) and
 * returns false on rejection — presumed from the bool result, confirm in
 * options.c. `elem_size` is zero for scalar options (FW3_OPT) and non-zero
 * for list options (FW3_LIST), which is how the two are told apart. */
struct fw3_option
{
	const char *name;
	bool (*parse)(void *, const char *);
	uintptr_t offset;           /* offsetof() the member in the target struct */
	size_t elem_size;
};
398
/* Scalar option: only three initializers are given, so elem_size is
 * implicitly zero-initialized — that zero is what distinguishes it from a
 * list option. */
#define FW3_OPT(name, parse, structure, member) \
	{ name, fw3_parse_##parse, offsetof(struct fw3_##structure, member) }

/* List option. NOTE(review): elem_size is sizeof the *containing*
 * structure (fw3_##structure), not of the list element type that
 * fw3_parse_##parse fills in. Whether fw3_parse_options relies on that or
 * only tests it for non-zero is not visible here; if it allocates
 * elem_size bytes per element it over-allocates rather than under-allocates,
 * but confirm before changing it. */
#define FW3_LIST(name, parse, structure, member) \
	{ name, fw3_parse_##parse, offsetof(struct fw3_##structure, member), \
	  sizeof(struct fw3_##structure) }
405
406
/* Option parsers, all with the fw3_option.parse signature: `ptr` points at the
 * destination member (or a fresh list element), `val` is the raw UCI string.
 * They return true on success; on false the value presumably stays unset
 * — confirm in options.c. Every one of them consumes configuration text,
 * so length and range checks belong in the parser, not the caller. */
bool fw3_parse_bool(void *ptr, const char *val);
bool fw3_parse_int(void *ptr, const char *val);
bool fw3_parse_string(void *ptr, const char *val);
bool fw3_parse_target(void *ptr, const char *val);
bool fw3_parse_limit(void *ptr, const char *val);
bool fw3_parse_device(void *ptr, const char *val);   /* writes fw3_device.name[32] */
bool fw3_parse_address(void *ptr, const char *val);
bool fw3_parse_mac(void *ptr, const char *val);
bool fw3_parse_port(void *ptr, const char *val);
bool fw3_parse_family(void *ptr, const char *val);
bool fw3_parse_icmptype(void *ptr, const char *val);
bool fw3_parse_protocol(void *ptr, const char *val);
bool fw3_parse_ipset_method(void *ptr, const char *val);
bool fw3_parse_ipset_datatype(void *ptr, const char *val);

/* Walk `opts` (terminated how is not visible here) and fill structure `s`
 * from the options of the UCI `section`, dispatching each to its parser. */
void fw3_parse_options(void *s, const struct fw3_option *opts,
                       struct uci_section *section);
424
/* Rule emitters: render the given match objects as iptables arguments. The
 * output channel (stdout, buffer, ...) is not visible in this header. */
void fw3_format_in_out(struct fw3_device *in, struct fw3_device *out);
void fw3_format_src_dest(struct fw3_address *src, struct fw3_address *dest);
void fw3_format_sport_dport(struct fw3_port *sp, struct fw3_port *dp);
void fw3_format_mac(struct fw3_mac *mac);
void fw3_format_protocol(struct fw3_protocol *proto, enum fw3_family family);
void fw3_format_icmptype(struct fw3_icmptype *icmp, enum fw3_family family);
void fw3_format_limit(struct fw3_limit *limit);
void fw3_format_ipset(struct fw3_ipset *ipset, bool invert);

/* Variadic comment emitter; the argument list must end with a NULL sentinel,
 * which the fw3_format_comment() macro appends for the caller. Identifiers
 * beginning with a double underscore are reserved for the implementation,
 * so the __fw3_ prefix (and __FW3_OPTIONS_H above) is technically
 * non-conforming, though harmless in practice. */
void __fw3_format_comment(const char *comment, ...);
#define fw3_format_comment(...) __fw3_format_comment(__VA_ARGS__, NULL)

/* Emit free-form `extra` option text (fw3_zone.extra_src/extra_dest,
 * fw3_rule.extra, fw3_redirect.extra). How it is tokenised or escaped is
 * not visible here; treat the input as trusted configuration only. */
void fw3_format_extra(const char *extra);
438
439 #endif