X-Git-Url: http://git.openwrt.org/?p=project%2Ffirewall3.git;a=blobdiff_plain;f=options.h;h=6edd174819b59aa8ef82b1907892b823a7e4dc97;hp=fe9816e495e30b647696696728ab909fe6b7366e;hb=HEAD;hpb=fe3ecee341da8542aa25b962dcb8bcc628fcdd1e
diff --git a/options.h b/options.h
index fe9816e..e20c89b 100644
--- a/options.h
+++ b/options.h
@@ -1,7 +1,7 @@
 /*
  * firewall3 - 3rd OpenWrt UCI firewall implementation
  *
- * Copyright (C) 2013 Jo-Philipp Wich
+ * Copyright (C) 2013-2014 Jo-Philipp Wich
  *
  * Permission to use, copy, modify, and/or distribute this software for any
  * purpose with or without fee is hereby granted, provided that the above
@@ -32,6 +32,8 @@
 #include
 #include
 #include
+#define _LINUX_IN_H
+#define _LINUX_IN6_H
 #include
 #include
@@ -41,6 +43,7 @@
 #include
 #include
+#include
 #include "icmp_codes.h"
 #include "utils.h"
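Review bot: The two new `#define _LINUX_IN_H` / `#define _LINUX_IN6_H` lines in the include block carry no comment, yet they are a non-obvious trick: those are the include guards of the kernel's `linux/in.h` and `linux/in6.h`, so pre-defining them makes any later kernel header skip those files, presumably to keep their definitions from clashing with the libc `netinet/in.h` already included (the header names were lost in this rendering, so which later include triggers the conflict cannot be confirmed here). Without a note, the next person to reorder the includes will not know that the defines must stay after the libc header and before the kernel ones. I would add above them `/* pre-define the guards of linux/in.h and linux/in6.h: the libc netinet/in.h above already provides these types and the kernel copies would conflict */`. Identifiers starting with an underscore and an uppercase letter are reserved for the implementation, which is exactly why this works, but it also ties the build to the kernel keeping those guard names.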
@@ -61,27 +64,41 @@ enum fw3_family
 	FW3_FAMILY_V6 = 5,
 };
-enum fw3_target
+enum fw3_flag
 {
-	FW3_TARGET_UNSPEC = 0,
-	FW3_TARGET_ACCEPT = 6,
-	FW3_TARGET_REJECT = 7,
-	FW3_TARGET_DROP = 8,
-	FW3_TARGET_NOTRACK = 9,
-	FW3_TARGET_DNAT = 10,
-	FW3_TARGET_SNAT = 11,
+	FW3_FLAG_UNSPEC = 0,
+	FW3_FLAG_ACCEPT = 6,
+	FW3_FLAG_REJECT = 7,
+	FW3_FLAG_DROP = 8,
+	FW3_FLAG_NOTRACK = 9,
+	FW3_FLAG_HELPER = 10,
+	FW3_FLAG_MARK = 11,
+	FW3_FLAG_DSCP = 12,
+	FW3_FLAG_DNAT = 13,
+	FW3_FLAG_SNAT = 14,
+	FW3_FLAG_MASQUERADE = 15,
+	FW3_FLAG_SRC_ACCEPT = 16,
+	FW3_FLAG_SRC_REJECT = 17,
+	FW3_FLAG_SRC_DROP = 18,
+	FW3_FLAG_CUSTOM_CHAINS = 19,
+	FW3_FLAG_SYN_FLOOD = 20,
+	FW3_FLAG_MTU_FIX = 21,
+	FW3_FLAG_DROP_INVALID = 22,
+	FW3_FLAG_HOTPLUG = 23,
+
+	__FW3_FLAG_MAX
 };
-enum fw3_default
+enum fw3_reject_code
 {
-	FW3_DEFAULT_UNSPEC = 0,
-	FW3_DEFAULT_CUSTOM_CHAINS = 12,
-	FW3_DEFAULT_SYN_FLOOD = 13,
-	FW3_DEFAULT_MTU_FIX = 14,
-	FW3_DEFAULT_DROP_INVALID = 15,
+	FW3_REJECT_CODE_TCP_RESET = 0,
+	FW3_REJECT_CODE_PORT_UNREACH = 1,
+	FW3_REJECT_CODE_ADM_PROHIBITED = 2,
+
+	__FW3_REJECT_CODE_MAX
 };
-extern const char *fw3_flag_names[FW3_DEFAULT_DROP_INVALID + 1];
+extern const char *fw3_flag_names[__FW3_FLAG_MAX];
 enum fw3_limit_unit
@@ -90,14 +107,21 @@ enum fw3_limit_unit
 	FW3_LIMIT_UNIT_MINUTE = 1,
 	FW3_LIMIT_UNIT_HOUR = 2,
 	FW3_LIMIT_UNIT_DAY = 3,
+
+	__FW3_LIMIT_UNIT_MAX
 };
+extern const char *fw3_limit_units[__FW3_LIMIT_UNIT_MAX];
+
+
 enum fw3_ipset_method
 {
 	FW3_IPSET_METHOD_UNSPEC = 0,
 	FW3_IPSET_METHOD_BITMAP = 1,
 	FW3_IPSET_METHOD_HASH = 2,
 	FW3_IPSET_METHOD_LIST = 3,
+
+	__FW3_IPSET_METHOD_MAX
 };
 enum fw3_ipset_type
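Review bot: The new sentinels `__FW3_FLAG_MAX` and `__FW3_REJECT_CODE_MAX` in this hunk (and `__FW3_LIMIT_UNIT_MAX`, `__FW3_IPSET_METHOD_MAX` in the hunk below, `__FW3_IPSET_TYPE_MAX` in the next one) begin with a double underscore, which C reserves for the implementation in every scope; the old side already used `__fw3_format_comment`, so this is a conscious style choice, but `FW3_FLAG_MAX` would stay out of the reserved namespace at no cost. More important for a reader: `enum fw3_flag` jumps from 0 to 6 and runs to 23, so `fw3_flag_names[__FW3_FLAG_MAX]` has five unused slots and a flag word now needs more than 16 bits, which is presumably why `flags` becomes `uint32_t` later in the diff. I would put `/* values 1..5 are deliberately left free; flag words are uint32_t bit sets indexed by these values, so __FW3_FLAG_MAX must stay <= 32 */` on the enum, and, if the project builds as C11, a `_Static_assert(__FW3_FLAG_MAX <= 32, "flag word too small");` after it.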
@@ -108,13 +132,40 @@ enum fw3_ipset_type
 	FW3_IPSET_TYPE_MAC = 3,
 	FW3_IPSET_TYPE_NET = 4,
 	FW3_IPSET_TYPE_SET = 5,
+
+	__FW3_IPSET_TYPE_MAX
+};
+
+extern const char *fw3_ipset_method_names[__FW3_IPSET_METHOD_MAX];
+extern const char *fw3_ipset_type_names[__FW3_IPSET_TYPE_MAX];
+
+
+enum fw3_include_type
+{
+	FW3_INC_TYPE_SCRIPT = 0,
+	FW3_INC_TYPE_RESTORE = 1,
+};
+
+enum fw3_reflection_source
+{
+	FW3_REFLECTION_INTERNAL = 0,
+	FW3_REFLECTION_EXTERNAL = 1,
 };
 struct fw3_ipset_datatype
 {
 	struct list_head list;
 	enum fw3_ipset_type type;
-	bool dest;
+	const char *dir;
+};
+
+struct fw3_setmatch
+{
+	bool set;
+	bool invert;
+	char name[32];
+	const char *dir[3];
+	struct fw3_ipset *ptr;
 };
 struct fw3_device
@@ -125,6 +176,7 @@ struct fw3_device
 	bool any;
 	bool invert;
 	char name[32];
+	char network[32];
 };
 struct fw3_address
@@ -134,8 +186,8 @@ struct fw3_address
 	bool set;
 	bool range;
 	bool invert;
+	bool resolved;
 	enum fw3_family family;
-	int mask;
 	union {
 		struct in_addr v4;
 		struct in6_addr v6;
@@ -145,7 +197,7 @@ struct fw3_address
 		struct in_addr v4;
 		struct in6_addr v6;
 		struct ether_addr mac;
-	} address2;
+	} mask;
 };
 struct fw3_mac
@@ -163,7 +215,7 @@ struct fw3_protocol
 	bool any;
 	bool invert;
-	uint16_t protocol;
+	uint32_t protocol;
 };
 struct fw3_port
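Review bot: `char name[32]` in the new `struct fw3_setmatch` and `char network[32]` in `struct fw3_device` (plus `char name[32]` in `struct fw3_cthelpermatch` in the next hunk) repeat a bare 32 as the bound, with nothing in the header saying whether a longer configuration value is truncated or rejected. These buffers are presumably filled by `fw3_parse_setmatch`, `fw3_parse_network` and `fw3_parse_cthelper`, declared at the end of the diff but defined elsewhere, so the bound has to be enforced there and cannot be checked from this file. I would hoist the bound into one named constant next to the enums, for example `enum { FW3_NAME_LEN = 32 };` (constructed name), use it for all three arrays, and state the truncation policy on it. `const char *dir[3]` in `fw3_setmatch` also gives no hint what the three slots hold; a comment such as `/* per-position ipset direction strings, NULL when unset — confirm against fw3_parse_setmatch */` would help.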
@@ -209,44 +261,73 @@ struct fw3_time
 	uint8_t weekdays; /* bit 0 is invert + 1 .. 7 */
 };
+struct fw3_mark
+{
+	bool set;
+	bool invert;
+	uint32_t mark;
+	uint32_t mask;
+};
+
+struct fw3_dscp
+{
+	bool set;
+	bool invert;
+	uint8_t dscp;
+};
+
+struct fw3_cthelpermatch
+{
+	struct list_head list;
+
+	bool set;
+	bool invert;
+	char name[32];
+	struct fw3_cthelper *ptr;
+};
+
 struct fw3_defaults
 {
-	enum fw3_target policy_input;
-	enum fw3_target policy_output;
-	enum fw3_target policy_forward;
+	enum fw3_flag policy_input;
+	enum fw3_flag policy_output;
+	enum fw3_flag policy_forward;
 	bool drop_invalid;
+	enum fw3_reject_code tcp_reject_code;
+	enum fw3_reject_code any_reject_code;
 	bool syn_flood;
 	struct fw3_limit syn_flood_rate;
 	bool tcp_syncookies;
-	bool tcp_ecn;
-	bool tcp_westwood;
+	int tcp_ecn;
 	bool tcp_window_scaling;
 	bool accept_redirects;
 	bool accept_source_route;
 	bool custom_chains;
+	bool auto_helper;
+	bool flow_offloading;
+	bool flow_offloading_hw;
 	bool disable_ipv6;
-	uint16_t flags;
+	uint32_t flags[2];
 };
 struct fw3_zone
 {
 	struct list_head list;
-	struct list_head running_list;
+	bool enabled;
 	const char *name;
 	enum fw3_family family;
-	enum fw3_target policy_input;
-	enum fw3_target policy_output;
-	enum fw3_target policy_forward;
+	enum fw3_flag policy_input;
+	enum fw3_flag policy_output;
+	enum fw3_flag policy_forward;
 	struct list_head networks;
 	struct list_head devices;
@@ -256,25 +337,30 @@ struct fw3_zone
 	const char *extra_dest;
 	bool masq;
+	bool masq_allow_invalid;
 	struct list_head masq_src;
 	struct list_head masq_dest;
-	bool conntrack;
 	bool mtu_fix;
-	bool log;
+	struct list_head cthelpers;
+
+	int log;
 	struct fw3_limit log_limit;
 	bool custom_chains;
+	bool auto_helper;
+
+	uint32_t flags[2];
-	uint16_t src_flags;
-	uint16_t dst_flags;
+	struct list_head old_addrs;
 };
 struct fw3_rule
 {
 	struct list_head list;
+	bool enabled;
 	const char *name;
 	enum fw3_family family;
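Review bot: `int tcp_ecn;` in `struct fw3_defaults` and `int log;` in `struct fw3_zone` replace `bool` members without recording what the integer now means, and `uint32_t flags[2]` appears in both structs with nothing saying what selects the two words. From the header alone a reader cannot tell whether `log` is a level, a bitmask or a tri-state, nor what range `tcp_ecn` accepts, and the parser that decides is outside this file. Please comment the declarations, e.g. `int tcp_ecn;   /* integer setting rather than on/off — document the accepted values here */`, `int log;   /* 0 = off; meaning of other values to be documented with the parser */`, and on the array `uint32_t flags[2];   /* bit set of enum fw3_flag, one word per address family (presumably [0] = v4, [1] = v6 — confirm) */`. The same `flags[2]` comment belongs on `struct fw3_ipset` further down the diff.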
@@ -282,11 +368,13 @@ struct fw3_rule
 	struct fw3_zone *_src;
 	struct fw3_zone *_dest;
+	const char *device;
+	bool direction_out;
+
 	struct fw3_device src;
 	struct fw3_device dest;
-
-	struct fw3_ipset *_ipset;
-	struct fw3_device ipset;
+	struct fw3_setmatch ipset;
+	struct fw3_cthelpermatch helper;
 	struct list_head proto;
@@ -301,8 +389,14 @@ struct fw3_rule
 	struct fw3_limit limit;
 	struct fw3_time time;
+	struct fw3_mark mark;
+	struct fw3_dscp dscp;
-	enum fw3_target target;
+	enum fw3_flag target;
+	struct fw3_mark set_mark;
+	struct fw3_mark set_xmark;
+	struct fw3_dscp set_dscp;
+	struct fw3_cthelpermatch set_helper;
 	const char *extra;
 };
@@ -311,6 +405,7 @@ struct fw3_redirect
 {
 	struct list_head list;
+	bool enabled;
 	const char *name;
 	enum fw3_family family;
@@ -320,9 +415,8 @@ struct fw3_redirect
 	struct fw3_device src;
 	struct fw3_device dest;
-
-	struct fw3_ipset *_ipset;
-	struct fw3_device ipset;
+	struct fw3_setmatch ipset;
+	struct fw3_cthelpermatch helper;
 	struct list_head proto;
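Review bot: `struct fw3_cthelpermatch`, defined in the previous hunk with a leading `struct list_head list;`, is embedded by value here as `helper` and `set_helper` in `struct fw3_rule` and as `helper` in `struct fw3_redirect` (and again in `struct fw3_snat` later in the diff). A single embedded match presumably never sits on a list, so in those copies the `list` member is either dead weight or, if some code does link them, an uninitialised list head waiting to be dereferenced; the header does not say which. A one-line comment on the `list` member, e.g. `/* only meaningful when the match is a node of a zone's cthelpers list; unused in embedded copies */`, or splitting the linkable variant into its own struct, would settle it. The new `device` and `direction_out` members of `fw3_rule` also lack a comment on how they interact with `src`/`dest`; the start of `struct fw3_rule` lies outside this hunk.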
@@ -336,19 +430,62 @@ struct fw3_redirect
 	struct fw3_address ip_redir;
 	struct fw3_port port_redir;
+	struct fw3_limit limit;
 	struct fw3_time time;
+	struct fw3_mark mark;
-	enum fw3_target target;
+	enum fw3_flag target;
 	const char *extra;
+	bool local;
 	bool reflection;
+	enum fw3_reflection_source reflection_src;
+	struct list_head reflection_zones;
+};
+
+struct fw3_snat
+{
+	struct list_head list;
+
+	bool enabled;
+	const char *name;
+
+	enum fw3_family family;
+
+	struct fw3_zone *_src;
+
+	struct fw3_device src;
+	struct fw3_setmatch ipset;
+	struct fw3_cthelpermatch helper;
+	const char *device;
+
+	struct list_head proto;
+
+	struct fw3_address ip_src;
+	struct fw3_port port_src;
+
+	struct fw3_address ip_dest;
+	struct fw3_port port_dest;
+
+	struct fw3_address ip_snat;
+	struct fw3_port port_snat;
+
+	struct fw3_limit limit;
+	struct fw3_time time;
+	struct fw3_mark mark;
+	bool connlimit_ports;
+
+	enum fw3_flag target;
+
+	const char *extra;
 };
 struct fw3_forward
 {
 	struct list_head list;
+	bool enabled;
 	const char *name;
 	enum fw3_family family;
@@ -363,7 +500,11 @@ struct fw3_forward
 struct fw3_ipset
 {
 	struct list_head list;
-	struct list_head running_list;
+
+	bool enabled;
+	bool reload_set;
+	bool counters;
+	bool comment;
 	const char *name;
 	enum fw3_family family;
@@ -382,7 +523,43 @@ struct fw3_ipset
 	const char *external;
-	uint16_t flags;
+	struct list_head entries;
+	const char *loadfile;
+
+	uint32_t flags[2];
+};
+
+struct fw3_include
+{
+	struct list_head list;
+
+	bool enabled;
+	const char *name;
+	enum fw3_family family;
+
+	const char *path;
+	enum fw3_include_type type;
+
+	bool reload;
+};
+
+struct fw3_cthelper
+{
+	struct list_head list;
+
+	bool enabled;
+	const char *name;
+	const char *module;
+	const char *description;
+	enum fw3_family family;
+	struct list_head proto;
+	struct fw3_port port;
+};
+
+struct fw3_setentry
+{
+	struct list_head list;
+	const char *value;
 };
 struct fw3_state
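Review bot: The new `struct fw3_include` holds `const char *path` and `enum fw3_include_type type` without stating what the path is used for or what is required of it, although `FW3_INC_TYPE_SCRIPT` suggests the file is executed and `FW3_INC_TYPE_RESTORE` that it is fed to a restore tool. Because the value comes from configuration, the header is the right place to state the contract the parser must enforce (absolute path, existing regular file, who is trusted to write it) so the executing side does not have to guess. I would comment the field, e.g. `const char *path;   /* file to run (SCRIPT) or to feed to the restore tool (RESTORE); validated by the parser — confirm */`, and likewise `const char *loadfile;` in `struct fw3_ipset` just below it. `struct fw3_snat` also duplicates most of `struct fw3_redirect`; if that is intentional, a comment saying the two are parsed by separate option tables would save a reader from hunting for a shared base.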
@@ -392,22 +569,28 @@ struct fw3_state
 	struct list_head zones;
 	struct list_head rules;
 	struct list_head redirects;
+	struct list_head snats;
 	struct list_head forwards;
 	struct list_head ipsets;
-
-	struct fw3_defaults running_defaults;
-	struct list_head running_zones;
-	struct list_head running_ipsets;
+	struct list_head includes;
+	struct list_head cthelpers;
 	bool disable_ipsets;
 	bool statefile;
 };
+struct fw3_chain_spec {
+	int family;
+	int table;
+	int flag;
+	const char *format;
+};
+
 struct fw3_option
 {
 	const char *name;
-	bool (*parse)(void *, const char *);
+	bool (*parse)(void *, const char *, bool);
 	uintptr_t offset;
 	size_t elem_size;
 };
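Review bot: `struct fw3_chain_spec {` puts the opening brace on the struct line, while every other struct in this header (`fw3_state` above it, `fw3_option` right below, and all the new ones earlier in the diff) places it on its own line; please match `struct fw3_chain_spec` followed by `{` on the next line. Its `int family`, `int table` and `int flag` members also appear to hold `enum fw3_family` / `enum fw3_flag` values as plain `int`, which drops the type information the rest of the header carries; if `int` is deliberate (for instance to allow a wildcard value) a comment should say so. On `fw3_option`, the new callback type would read better with the parameter names every declaration below it uses: `bool (*parse)(void *ptr, const char *val, bool is_list);`.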
@@ -419,44 +602,44 @@ struct fw3_option
 	{ name, fw3_parse_##parse, offsetof(struct fw3_##structure, member), \
 	  sizeof(struct fw3_##structure) }
-
-bool fw3_parse_bool(void *ptr, const char *val);
-bool fw3_parse_int(void *ptr, const char *val);
-bool fw3_parse_string(void *ptr, const char *val);
-bool fw3_parse_target(void *ptr, const char *val);
-bool fw3_parse_limit(void *ptr, const char *val);
-bool fw3_parse_device(void *ptr, const char *val);
-bool fw3_parse_address(void *ptr, const char *val);
-bool fw3_parse_mac(void *ptr, const char *val);
-bool fw3_parse_port(void *ptr, const char *val);
-bool fw3_parse_family(void *ptr, const char *val);
-bool fw3_parse_icmptype(void *ptr, const char *val);
-bool fw3_parse_protocol(void *ptr, const char *val);
-
-bool fw3_parse_ipset_method(void *ptr, const char *val);
-bool fw3_parse_ipset_datatype(void *ptr, const char *val);
-
-bool fw3_parse_date(void *ptr, const char *val);
-bool fw3_parse_time(void *ptr, const char *val);
-bool fw3_parse_weekdays(void *ptr, const char *val);
-bool fw3_parse_monthdays(void *ptr, const char *val);
-
-void fw3_parse_options(void *s, const struct fw3_option *opts,
+bool fw3_parse_bool(void *ptr, const char *val, bool is_list);
+bool fw3_parse_int(void *ptr, const char *val, bool is_list);
+bool fw3_parse_string(void *ptr, const char *val, bool is_list);
+bool fw3_parse_target(void *ptr, const char *val, bool is_list);
+bool fw3_parse_reject_code(void *ptr, const char *val, bool is_list);
+bool fw3_parse_limit(void *ptr, const char *val, bool is_list);
+bool fw3_parse_device(void *ptr, const char *val, bool is_list);
+bool fw3_parse_address(void *ptr, const char *val, bool is_list);
+bool fw3_parse_network(void *ptr, const char *val, bool is_list);
+bool fw3_parse_mac(void *ptr, const char *val, bool is_list);
+bool fw3_parse_port(void *ptr, const char *val, bool is_list);
+bool fw3_parse_family(void *ptr, const char *val, bool is_list);
+bool fw3_parse_icmptype(void *ptr, const char *val, bool is_list);
+bool fw3_parse_protocol(void *ptr, const char *val, bool is_list);
+
+bool fw3_parse_ipset_method(void *ptr, const char *val, bool is_list);
+bool fw3_parse_ipset_datatype(void *ptr, const char *val, bool is_list);
+
+bool fw3_parse_include_type(void *ptr, const char *val, bool is_list);
+bool fw3_parse_reflection_source(void *ptr, const char *val, bool is_list);
+
+bool fw3_parse_date(void *ptr, const char *val, bool is_list);
+bool fw3_parse_time(void *ptr, const char *val, bool is_list);
+bool fw3_parse_weekdays(void *ptr, const char *val, bool is_list);
+bool fw3_parse_monthdays(void *ptr, const char *val, bool is_list);
+bool fw3_parse_mark(void *ptr, const char *val, bool is_list);
+bool fw3_parse_dscp(void *ptr, const char *val, bool is_list);
+bool fw3_parse_setmatch(void *ptr, const char *val, bool is_list);
+bool fw3_parse_direction(void *ptr, const char *val, bool is_list);
+bool fw3_parse_cthelper(void *ptr, const char *val, bool is_list);
+bool fw3_parse_setentry(void *ptr, const char *val, bool is_list);
+
+bool fw3_parse_options(void *s, const struct fw3_option *opts,
 		       struct uci_section *section);
+bool fw3_parse_blob_options(void *s, const struct fw3_option *opts,
+                            struct blob_attr *a, const char *name);
-void fw3_format_in_out(struct fw3_device *in, struct fw3_device *out);
-void fw3_format_src_dest(struct fw3_address *src, struct fw3_address *dest);
-void fw3_format_sport_dport(struct fw3_port *sp, struct fw3_port *dp);
-void fw3_format_mac(struct fw3_mac *mac);
-void fw3_format_protocol(struct fw3_protocol *proto, enum fw3_family family);
-void fw3_format_icmptype(struct fw3_icmptype *icmp, enum fw3_family family);
-void fw3_format_limit(struct fw3_limit *limit);
-void fw3_format_ipset(struct fw3_ipset *ipset, bool invert);
-void fw3_format_time(struct fw3_time *time);
-
-void __fw3_format_comment(const char *comment, ...);
-#define fw3_format_comment(...) __fw3_format_comment(__VA_ARGS__, NULL)
-
-void fw3_format_extra(const char *extra);
+const char * fw3_address_to_string(struct fw3_address *address,
+                                   bool allow_invert, bool as_cidr);
 #endif
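Review bot: The new `fw3_address_to_string` prototype at the end of the hunk returns a `const char *` without saying who owns it: a caller cannot tell whether the string lives in a static buffer the next call overwrites, inside the `address` it was given, or on the heap and must be freed. The `is_list` parameter added to every `fw3_parse_*` callback is likewise undocumented, and `fw3_parse_options` now returns `bool` with no word on what `false` means for the partially filled target struct. I would add above the prototype a comment stating the lifetime, e.g. `/* formats an address; returns storage owned by the callee, valid until the next call — do not free (confirm against the implementation) */`, and take `const struct fw3_address *address` if the implementation does not modify it. On the `fw3_parse_*` block a one-liner such as `/* is_list: the value is one element of a UCI list option — confirm */` presumably matches the intent but should be verified before it is written down as fact.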