X-Git-Url: http://git.openwrt.org/?p=project%2Ffirewall3.git;a=blobdiff_plain;f=defaults.c;h=85a3750a52c6e6bcfc9ee12b424d44ac946f8041;hp=127f7506782c29b16dfd354db5a823dc87da25f4;hb=HEAD;hpb=52d62c3d4654c39b39f4851d2884884e0c104b24
diff --git a/defaults.c b/defaults.c
index 127f750..8a9a929 100644
--- a/defaults.c
+++ b/defaults.c
@@ -1,7 +1,7 @@
 /*
 * firewall3 - 3rd OpenWrt UCI firewall implementation
 *
- * Copyright (C) 2013 Jo-Philipp Wich
+ * Copyright (C) 2013 Jo-Philipp Wich
 *
 * Permission to use, copy, modify, and/or distribute this software for any
 * purpose with or without fee is hereby granted, provided that the above
@@ -23,25 +23,15 @@
 { FW3_FAMILY_##f, FW3_TABLE_##tbl, FW3_FLAG_##def, fmt }
 static const struct fw3_chain_spec default_chains[] = {
- C(ANY, FILTER, UNSPEC, "delegate_input"),
- C(ANY, FILTER, UNSPEC, "delegate_output"),
- C(ANY, FILTER, UNSPEC, "delegate_forward"),
 C(ANY, FILTER, UNSPEC, "reject"),
 C(ANY, FILTER, CUSTOM_CHAINS, "input_rule"),
 C(ANY, FILTER, CUSTOM_CHAINS, "output_rule"),
 C(ANY, FILTER, CUSTOM_CHAINS, "forwarding_rule"),
 C(ANY, FILTER, SYN_FLOOD, "syn_flood"),
- C(V4, NAT, UNSPEC, "delegate_prerouting"),
- C(V4, NAT, UNSPEC, "delegate_postrouting"),
 C(V4, NAT, CUSTOM_CHAINS, "prerouting_rule"),
 C(V4, NAT, CUSTOM_CHAINS, "postrouting_rule"),
- C(ANY, MANGLE, UNSPEC, "mssfix"),
- C(ANY, MANGLE, UNSPEC, "fwmark"),
-
- C(ANY, RAW, UNSPEC, "notrack"),
-
 { }
 };
@@ -51,6 +41,8 @@ const struct fw3_option fw3_flag_opts[] = {
 FW3_OPT("output", target, defaults, policy_output),
 FW3_OPT("drop_invalid", bool, defaults, drop_invalid),
+ FW3_OPT("tcp_reject_code", reject_code, defaults, tcp_reject_code),
+ FW3_OPT("any_reject_code", reject_code, defaults, any_reject_code),
 FW3_OPT("syn_flood", bool, defaults, syn_flood),
 FW3_OPT("synflood_protect", bool, defaults, syn_flood),
@@ -58,14 +50,17 @@ const struct fw3_option fw3_flag_opts[] = {
 FW3_OPT("synflood_burst", int, defaults, syn_flood_rate.burst),
 FW3_OPT("tcp_syncookies", bool, defaults, tcp_syncookies),
- FW3_OPT("tcp_ecn", bool, defaults, tcp_ecn),
+ FW3_OPT("tcp_ecn", int, defaults, tcp_ecn),
 FW3_OPT("tcp_window_scaling", bool, defaults, tcp_window_scaling),
 FW3_OPT("accept_redirects", bool, defaults, accept_redirects),
 FW3_OPT("accept_source_route", bool, defaults, accept_source_route),
+ FW3_OPT("auto_helper", bool, defaults, auto_helper),
 FW3_OPT("custom_chains", bool, defaults, custom_chains),
 FW3_OPT("disable_ipv6", bool, defaults, disable_ipv6),
+ FW3_OPT("flow_offloading", bool, defaults, flow_offloading),
+ FW3_OPT("flow_offloading_hw", bool, defaults, flow_offloading_hw),
 FW3_OPT("__flags_v4", int, defaults, flags[0]),
 FW3_OPT("__flags_v6", int, defaults, flags[1]),
@@ -89,6 +84,41 @@ check_policy(struct uci_element *e, enum fw3_flag *pol, const char *name)
 }
 }
+static void
+check_target(struct uci_element *e, bool *available, const char *target, const bool ipv6)
+{
+ const bool b = fw3_has_target(ipv6, target);
+ if (!b)
+ {
+ warn_elem(e, "requires unavailable target extension %s, disabling", target);
+ *available = false;
+ }
+}
+
+static void
+check_any_reject_code(struct uci_element *e, enum fw3_reject_code *any_reject_code)
+{
+ if (*any_reject_code == FW3_REJECT_CODE_TCP_RESET) {
+ warn_elem(e, "tcp-reset not valid for any_reject_code, defaulting to port-unreach");
+ *any_reject_code = FW3_REJECT_CODE_PORT_UNREACH;
+ }
+}
+
+static const char*
+get_reject_code(enum fw3_family family, enum fw3_reject_code reject_code)
+{
+ switch (reject_code) {
+ case FW3_REJECT_CODE_TCP_RESET:
+ return "tcp-reset";
+ case FW3_REJECT_CODE_PORT_UNREACH:
+ return "port-unreach";
+ case FW3_REJECT_CODE_ADM_PROHIBITED:
+ return family == FW3_FAMILY_V6 ? "adm-prohibited": "admin-prohib";
+ default:
+ return "unknown";
+ }
+}
+
 void
 fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 {
@@ -98,11 +128,14 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 bool seen = false;
+ defs->tcp_reject_code = FW3_REJECT_CODE_TCP_RESET;
+ defs->any_reject_code = FW3_REJECT_CODE_PORT_UNREACH;
 defs->syn_flood_rate.rate = 25;
 defs->syn_flood_rate.burst = 50;
 defs->tcp_syncookies = true;
 defs->tcp_window_scaling = true;
 defs->custom_chains = true;
+ defs->auto_helper = true;
 uci_foreach_element(&p->sections, e)
 {
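Review bot: The `default:` arm of `get_reject_code()` returns the literal `"unknown"`, and later in this diff that return value is handed verbatim to `--reject-with` when the `reject` chain is built, so any `enum fw3_reject_code` value outside the three handled cases would yield a rule iptables refuses to load and leave the reject chain without its catch-all. If the enum is only ever populated by the `reject_code` option parser this is unreachable today, but a fallback that keeps the rule loadable costs one line: `default: return "port-unreach"; /* keep the rule loadable for unexpected values */`. Two style nits in the same helper: the file spells pointer returns as `const char *name`, so `static const char *` rather than `static const char*`, and the ternary is missing a space before the colon (`"adm-prohibited" : "admin-prohib"`). The IPv4/IPv6 split of the admin-prohibited keyword matches the iptables and ip6tables REJECT aliases, so that part looks right.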
@@ -117,11 +150,19 @@ fw3_load_defaults(struct fw3_state *state, struct uci_package *p)
 continue;
 }
- fw3_parse_options(&state->defaults, fw3_flag_opts, s);
+ seen = true;
+
+ if(!fw3_parse_options(&state->defaults, fw3_flag_opts, s))
+ warn_elem(e, "has invalid options");
 check_policy(e, &defs->policy_input, "input");
 check_policy(e, &defs->policy_output, "output");
 check_policy(e, &defs->policy_forward, "forward");
+
+ check_any_reject_code(e, &defs->any_reject_code);
+
+ /* exists in both ipv4 and ipv6, if at all, so only check ipv4 */
+ check_target(e, &defs->flow_offloading, "FLOWOFFLOAD", false);
 }
 }
@@ -153,10 +194,6 @@ fw3_print_default_chains(struct fw3_ipt_handle *handle, struct fw3_state *state,
 for (c = default_chains; c->format; c++)
 {
- /* don't touch user chains on selective stop */
- if (reload && c->flag == FW3_FLAG_CUSTOM_CHAINS)
- continue;
-
 if (!fw3_is_family(c, handle->family))
 continue;
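Review bot: The new `if(!fw3_parse_options(` drops the space that every other conditional in this file uses (`if (!b)`, `if (defs->custom_chains)`), so it should read `if (!fw3_parse_options(&state->defaults, fw3_flag_opts, s))`. Semantically, a parse failure now only warns and the loop continues with whatever fields were parsed before the bad option, which is the same silent-continue the old unchecked call had; that is acceptable for a defaults section, but the warning text could say so, e.g. `warn_elem(e, "has invalid options, using partial defaults");` (or a comment to that effect), so an operator knows the section was still applied. The `check_target()` call only demotes `flow_offloading`; `flow_offloading_hw` stays as parsed, which is harmless here because the `--hw` flag is only emitted under `flow_offloading` later in the diff. The enclosing `uci_foreach_element` loop starts outside this hunk.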
@@ -164,90 +201,65 @@ fw3_print_default_chains(struct fw3_ipt_handle *handle, struct fw3_state *state,
 continue;
 if (c->flag &&
- !hasbit(defs->flags[handle->family == FW3_FAMILY_V6], c->flag))
+ !fw3_hasbit(defs->flags[handle->family == FW3_FAMILY_V6], c->flag))
 continue;
- fw3_ipt_create_chain(handle, c->format);
+ fw3_ipt_create_chain(handle, reload, c->format);
 }
 set(defs->flags, handle->family, handle->table);
 }
-
-struct toplevel_rule {
- enum fw3_table table;
- const char *chain;
- const char *target;
-};
-
 void
 fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 struct fw3_state *state, bool reload)
 {
 int i;
 struct fw3_defaults *defs = &state->defaults;
- struct fw3_device lodev = { .set = true };
+ struct fw3_device lodev = { .set = true, .name = "lo" };
 struct fw3_protocol tcp = { .protocol = 6 };
 struct fw3_ipt_rule *r;
- struct toplevel_rule *tr;
 const char *chains[] = {
- "delegate_input", "input",
- "delegate_output", "output",
- "delegate_forward", "forwarding",
+ "INPUT", "input",
+ "OUTPUT", "output",
+ "FORWARD", "forwarding",
 };
- struct toplevel_rule rules[] = {
- { FW3_TABLE_FILTER, "INPUT", "delegate_input" },
- { FW3_TABLE_FILTER, "OUTPUT", "delegate_output" },
- { FW3_TABLE_FILTER, "FORWARD", "delegate_forward" },
-
- { FW3_TABLE_NAT, "PREROUTING", "delegate_prerouting" },
- { FW3_TABLE_NAT, "POSTROUTING", "delegate_postrouting" },
-
- { FW3_TABLE_MANGLE, "FORWARD", "mssfix" },
- { FW3_TABLE_MANGLE, "PREROUTING", "fwmark" },
-
- { FW3_TABLE_RAW, "PREROUTING", "notrack" },
-
- { 0, NULL },
- };
-
- for (tr = rules; tr->chain; tr++)
- {
- if (tr->table != handle->table)
- continue;
-
- r = fw3_ipt_rule_new(handle);
- fw3_ipt_rule_target(r, tr->target);
- fw3_ipt_rule_replace(r, tr->chain);
- }
-
 switch (handle->table)
 {
 case FW3_TABLE_FILTER:
- sprintf(lodev.name, "lo");
-
 r = fw3_ipt_rule_create(handle, NULL, &lodev, NULL, NULL, NULL);
 fw3_ipt_rule_target(r, "ACCEPT");
- fw3_ipt_rule_append(r, "delegate_input");
+ fw3_ipt_rule_append(r, "INPUT");
 r = fw3_ipt_rule_create(handle, NULL, NULL, &lodev, NULL, NULL);
 fw3_ipt_rule_target(r, "ACCEPT");
- fw3_ipt_rule_append(r, "delegate_output");
+ fw3_ipt_rule_append(r, "OUTPUT");
 if (defs->custom_chains)
 {
 for (i = 0; i < ARRAY_SIZE(chains); i += 2)
 {
 r = fw3_ipt_rule_new(handle);
- fw3_ipt_rule_comment(r, "user chain for %s", chains[i+1]);
+ fw3_ipt_rule_comment(r, "Custom %s rule chain", chains[i+1]);
 fw3_ipt_rule_target(r, "%s_rule", chains[i+1]);
 fw3_ipt_rule_append(r, chains[i]);
 }
 }
+ if (defs->flow_offloading)
+ {
+ r = fw3_ipt_rule_new(handle);
+ fw3_ipt_rule_comment(r, "Traffic offloading");
+ fw3_ipt_rule_extra(r, "-m conntrack --ctstate RELATED,ESTABLISHED");
+ fw3_ipt_rule_target(r, "FLOWOFFLOAD");
+ if (defs->flow_offloading_hw)
+ fw3_ipt_rule_addarg(r, false, "--hw", NULL);
+ fw3_ipt_rule_append(r, "FORWARD");
+ }
+
 for (i = 0; i < ARRAY_SIZE(chains); i += 2)
 {
 r = fw3_ipt_rule_new(handle);
@@ -266,8 +278,7 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 if (defs->syn_flood)
 {
- r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
- fw3_ipt_rule_extra(r, "--syn");
+ r = fw3_ipt_rule_create(handle, NULL, NULL, NULL, NULL, NULL);
 fw3_ipt_rule_limit(r, &defs->syn_flood_rate);
 fw3_ipt_rule_target(r, "RETURN");
 fw3_ipt_rule_append(r, "syn_flood");
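Review bot: `flow_offloading_hw` is consulted only inside `if (defs->flow_offloading)`, so an operator who sets `option flow_offloading_hw 1` without `flow_offloading 1` gets no offload rule and no diagnostic; the option parser in this diff accepts the combination silently. Either warn when the defaults are loaded (`if (defs->flow_offloading_hw && !defs->flow_offloading) warn_elem(e, "flow_offloading_hw requires flow_offloading, ignoring");`) or say so on the rule: `/* --hw is only meaningful on the FLOWOFFLOAD rule, so it is ignored unless flow_offloading is set */`. The FLOWOFFLOAD rule is appended to FORWARD after the `forwarding_rule` jump and before the loop that follows it; as I understand the target, packets of a flow that has been offloaded no longer traverse the remaining FORWARD rules, which is worth a one-line comment on the rule so nobody later appends a rule below it expecting to see established traffic. The `lodev` change from `sprintf(lodev.name, "lo")` to a designated initializer is a good cleanup, assuming `name` is an in-struct array rather than a pointer. The function continues past this hunk.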
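Review bot: Dropping the `-p tcp --syn` match from the rate-limit rule inside `syn_flood` is correct only because the chain is entered solely through the `--syn` jump from INPUT that the next hunk keeps; that invariant is now spread across two places with nothing tying them together. A comment on the rewritten `fw3_ipt_rule_create(handle, NULL, ...)` line would stop a future reader from re-adding the match or, worse, jumping into `syn_flood` from elsewhere: `/* no protocol match needed: the only jump into syn_flood is the "-p tcp --syn" rule in INPUT */`. The `tcp` variable is still used by that INPUT jump, so it stays in scope for a reason.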
@@ -279,17 +290,17 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
 fw3_ipt_rule_extra(r, "--syn");
 fw3_ipt_rule_target(r, "syn_flood");
- fw3_ipt_rule_append(r, "delegate_input");
+ fw3_ipt_rule_append(r, "INPUT");
 }
 r = fw3_ipt_rule_create(handle, &tcp, NULL, NULL, NULL, NULL);
 fw3_ipt_rule_target(r, "REJECT");
- fw3_ipt_rule_addarg(r, false, "--reject-with", "tcp-reset");
+ fw3_ipt_rule_addarg(r, false, "--reject-with", get_reject_code(handle->family, defs->tcp_reject_code));
 fw3_ipt_rule_append(r, "reject");
 r = fw3_ipt_rule_new(handle);
 fw3_ipt_rule_target(r, "REJECT");
- fw3_ipt_rule_addarg(r, false, "--reject-with", "port-unreach");
+ fw3_ipt_rule_addarg(r, false, "--reject-with", get_reject_code(handle->family, defs->any_reject_code));
 fw3_ipt_rule_append(r, "reject");
 break;
@@ -298,14 +309,14 @@ fw3_print_default_head_rules(struct fw3_ipt_handle *handle,
 if (defs->custom_chains)
 {
 r = fw3_ipt_rule_new(handle);
- fw3_ipt_rule_comment(r, "user chain for prerouting");
+ fw3_ipt_rule_comment(r, "Custom prerouting rule chain");
 fw3_ipt_rule_target(r, "prerouting_rule");
- fw3_ipt_rule_append(r, "delegate_prerouting");
+ fw3_ipt_rule_append(r, "PREROUTING");
 r = fw3_ipt_rule_new(handle);
- fw3_ipt_rule_comment(r, "user chain for postrouting");
+ fw3_ipt_rule_comment(r, "Custom postrouting rule chain");
 fw3_ipt_rule_target(r, "postrouting_rule");
- fw3_ipt_rule_append(r, "delegate_postrouting");
+ fw3_ipt_rule_append(r, "POSTROUTING");
 }
 break;
@@ -332,7 +343,7 @@ fw3_print_default_tail_rules(struct fw3_ipt_handle *handle,
 return;
 fw3_ipt_rule_target(r, "reject");
- fw3_ipt_rule_append(r, "delegate_input");
+ fw3_ipt_rule_append(r, "INPUT");
 }
 if (defs->policy_output == FW3_FLAG_REJECT)
@@ -343,7 +354,7 @@ fw3_print_default_tail_rules(struct fw3_ipt_handle *handle,
 return;
 fw3_ipt_rule_target(r, "reject");
- fw3_ipt_rule_append(r, "delegate_output");
+ fw3_ipt_rule_append(r, "OUTPUT");
 }
 if (defs->policy_forward == FW3_FLAG_REJECT)
@@ -354,19 +365,19 @@ fw3_print_default_tail_rules(struct fw3_ipt_handle *handle,
 return;
 fw3_ipt_rule_target(r, "reject");
- fw3_ipt_rule_append(r, "delegate_forward");
+ fw3_ipt_rule_append(r, "FORWARD");
 }
 }
 static void
-set_default(const char *name, bool set)
+set_default(const char *name, int set)
 {
 FILE *f;
- char path[sizeof("/proc/sys/net/ipv4/tcp_window_scaling\0")];
+ char path[sizeof("/proc/sys/net/ipv4/tcp_window_scaling")];
 snprintf(path, sizeof(path), "/proc/sys/net/ipv4/tcp_%s", name);
- info(" * Set tcp_%s to %s", name, set ? "on" : "off", name);
+ info(" * Set tcp_%s to %s", name, set ? "on" : "off");
 if (!(f = fopen(path, "w")))
 {
@@ -404,6 +415,13 @@ fw3_flush_rules(struct fw3_ipt_handle *handle, struct fw3_state *state,
 fw3_ipt_set_policy(handle, "FORWARD", policy);
 }
+ fw3_ipt_delete_id_rules(handle, "INPUT");
+ fw3_ipt_delete_id_rules(handle, "OUTPUT");
+ fw3_ipt_delete_id_rules(handle, "FORWARD");
+ fw3_ipt_delete_id_rules(handle, "PREROUTING");
+ fw3_ipt_delete_id_rules(handle, "POSTROUTING");
+
+ /* first flush all the rules ... */
 for (c = default_chains; c->format; c++)
 {
 /* don't touch user chains on selective stop */
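Review bot: `set_default()` now takes `int set` (to carry the `tcp_ecn` value, which this diff changed from `bool` to `int` in the option table), but the log line still collapses it to `set ? "on" : "off"`, so a value such as `tcp_ecn 2` is reported as "on" and an out-of-range value is indistinguishable from 1 in the log; print the number instead, `info(" * Set tcp_%s to %d", name, set);`. Nothing in this hunk bounds the integer before it reaches the sysctl write (the write itself is past the end of the hunk), so if the kernel accepts only a small range for `tcp_ecn` a range check in `fw3_load_defaults` would give a clearer error than a failed `/proc` write. Removing the extra `name` argument from the old `info()` call fixes a real format/argument mismatch. The `snprintf` result is unchecked; `path` is sized for the longest name the file uses, so a longer caller-supplied name would be silently truncated into a different sysctl, e.g. guard with `if (snprintf(path, sizeof(path), "/proc/sys/net/ipv4/tcp_%s", name) >= (int)sizeof(path)) return;` if that function ever takes external input.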
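Review bot: The five `fw3_ipt_delete_id_rules()` calls run unconditionally for whatever table `handle` refers to, yet `PREROUTING`/`POSTROUTING` do not exist in the filter table and `FORWARD` does not exist in the nat table; the hunk gives no hint whether `fw3_ipt_delete_id_rules()` treats a missing chain as a no-op or emits an error per call. If it is not a silent no-op, gate the calls on `handle->table` the way the `set_policy` block above them already is, or add a comment stating the contract, e.g. `/* fw3_ipt_delete_id_rules() ignores chains absent from this table */` once confirmed. `fw3_flush_rules()` begins before this hunk, so the `policy` and `c` variables it uses are not visible here.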
@@ -420,13 +438,21 @@ fw3_flush_rules(struct fw3_ipt_handle *handle, struct fw3_state *state,
 continue;
 fw3_ipt_flush_chain(handle, c->format);
+ }
+
+ /* ... then remove the chains */
+ for (c = default_chains; c->format; c++)
+ {
+ if (!fw3_is_family(c, handle->family))
+ continue;
- /* keep certain basic chains that do not depend on any settings to
- avoid purging unrelated user rules pointing to them */
- if (reload && !c->flag)
+ if (c->table != handle->table)
+ continue;
+
+ if (c->flag && !has(defs->flags, handle->family, c->flag))
 continue;
- fw3_ipt_delete_chain(handle, c->format);
+ fw3_ipt_delete_chain(handle, reload, c->format);
 }
 del(defs->flags, handle->family, handle->table);
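Review bot: The new deletion loop has no reload guard at all, whereas the flush loop just above it (its body starts before this hunk) still carries the "don't touch user chains on selective stop" check; the only thing standing between a reload and the destruction of the user's `input_rule`/`output_rule`/`forwarding_rule` contents is whatever `fw3_ipt_delete_chain(handle, reload, ...)` does with its new `reload` argument, which this diff does not show. If that function skips `CUSTOM_CHAINS` on reload, record the dependency where the reader will look for it: `/* on reload fw3_ipt_delete_chain() must leave the *_rule user chains alone; the flush loop above skips them for the same reason */`; if it does not, the old `if (reload && c->flag == FW3_FLAG_CUSTOM_CHAINS) continue;` needs to come back here. The family, table and flag filters are now written out in both loops; a small `static bool chain_applies(const struct fw3_chain_spec *c, struct fw3_ipt_handle *handle, struct fw3_defaults *defs)` used by both would keep them from drifting apart, though I cannot see the flush loop's full condition from this hunk. Note the new loop uses `has(defs->flags, ...)` while the creation path earlier in this diff moved to `fw3_hasbit()`; if both are still defined that is fine, otherwise pick one.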