X-Git-Url: http://git.openwrt.org/?p=project%2Ffirewall3.git;a=blobdiff_plain;f=utils.c;h=024f95e16d5df1e1d2cc2adb399f42e589c91000;hp=f43a859bbb038b86cce8839552281531c5e1dbf8;hb=HEAD;hpb=1ccbcc2642e5cfeed375cf56130ab6ecaad35052 diff --git a/utils.c b/utils.c index f43a859..faa51a1 100644 --- a/utils.c +++ b/utils.c @@ -1,7 +1,7 @@ /* * firewall3 - 3rd OpenWrt UCI firewall implementation * - * Copyright (C) 2013 Jo-Philipp Wich + * Copyright (C) 2013 Jo-Philipp Wich * * Permission to use, copy, modify, and/or distribute this software for any * purpose with or without fee is hereby granted, provided that the above @@ -16,13 +16,25 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ +#define _GNU_SOURCE + +#include +#include + #include "utils.h" #include "options.h" -static int lock_fd = -1; +#include "zones.h" +#include "ipsets.h" + + +static int fw3_lock_fd = -1; static pid_t pipe_pid = -1; static FILE *pipe_fd = NULL; +bool fw3_pr_debug = false; + + static void warn_elem_section_name(struct uci_section *s, bool find_name) { @@ -125,6 +137,32 @@ info(const char* format, ...) fprintf(stderr, "\n"); } +void * +fw3_alloc(size_t size) +{ + void *mem; + + mem = calloc(1, size); + + if (!mem) + error("Out of memory while allocating %zd bytes", size); + + return mem; +} + +char * +fw3_strdup(const char *s) +{ + char *ns; + + ns = strdup(s); + + if (!ns) + error("Out of memory while duplicating string '%s'", s); + + return ns; +} + const char * fw3_find_command(const char *cmd) { @@ -153,8 +191,7 @@ fw3_find_command(const char *cmd) if ((plen + clen) >= sizeof(path)) continue; - strncpy(path, search, plen); - sprintf(path + plen, "/%s", cmd); + snprintf(path, sizeof(path), "%.*s/%s", plen, search, cmd); if (!stat(path, &s) && S_ISREG(s.st_mode)) return path; @@ -191,7 +228,7 @@ __fw3_command_pipe(bool silent, const char *command, ...) return false; argn = 2; - args = malloc(argn * sizeof(arg)); + args = calloc(argn, sizeof(arg)); if (!args) return false; @@ -218,6 +255,7 @@ __fw3_command_pipe(bool silent, const char *command, ...) switch ((pid = fork())) { case -1: + free(args); return false; case 0: @@ -237,19 +275,29 @@ __fw3_command_pipe(bool silent, const char *command, ...) signal(SIGPIPE, SIG_IGN); pipe_pid = pid; close(pfds[0]); + fcntl(pfds[1], F_SETFD, fcntl(pfds[1], F_GETFD) | FD_CLOEXEC); } pipe_fd = fdopen(pfds[1], "w"); + free(args); return true; } void fw3_pr(const char *fmt, ...) { - va_list args; - va_start(args, fmt); - vfprintf(pipe_fd, fmt, args); - va_end(args); + va_list args; + + if (fw3_pr_debug && pipe_fd != stdout) + { + va_start(args, fmt); + vfprintf(stderr, fmt, args); + va_end(args); + } + + va_start(args, fmt); + vfprintf(pipe_fd, fmt, args); + va_end(args); } void @@ -267,23 +315,19 @@ fw3_command_close(void) pipe_pid = -1; } -bool -fw3_has_table(bool ipv6, const char *table) +static bool +file_contains(const char *path, const char *str) { FILE *f; - char line[12]; bool seen = false; - const char *path = ipv6 - ? "/proc/net/ip6_tables_names" : "/proc/net/ip_tables_names"; - if (!(f = fopen(path, "r"))) return false; while (fgets(line, sizeof(line), f)) { - if (!strncmp(line, table, strlen(table))) + if (!strncmp(line, str, strlen(str))) { seen = true; break; @@ -295,103 +339,325 @@ fw3_has_table(bool ipv6, const char *table) return seen; } +bool +fw3_has_target(const bool ipv6, const char *target) +{ + const char *path = ipv6 + ? "/proc/net/ip6_tables_targets" : "/proc/net/ip_tables_targets"; + + return file_contains(path, target); +} bool -fw3_lock(void) +fw3_lock_path(int *fd, const char *path) { - lock_fd = open(FW3_LOCKFILE, O_CREAT|O_WRONLY, S_IRUSR|S_IWUSR); + int lock_fd = open(path, O_CREAT|O_WRONLY, S_IRUSR|S_IWUSR); if (lock_fd < 0) { - warn("Cannot create lock file %s: %s", FW3_LOCKFILE, strerror(errno)); + warn("Cannot create lock file %s: %s", path, strerror(errno)); return false; } if (flock(lock_fd, LOCK_EX)) { warn("Cannot acquire exclusive lock: %s", strerror(errno)); + close(lock_fd); return false; } + *fd = lock_fd; + return true; } +bool +fw3_lock() +{ + return fw3_lock_path(&fw3_lock_fd, FW3_LOCKFILE); +} + + void -fw3_unlock(void) +fw3_unlock_path(int *fd, const char *lockpath) { - if (lock_fd < 0) + if (*fd < 0) return; - if (flock(lock_fd, LOCK_UN)) + if (flock(*fd, LOCK_UN)) warn("Cannot release exclusive lock: %s", strerror(errno)); - close(lock_fd); - unlink(FW3_LOCKFILE); + close(*fd); - lock_fd = -1; + *fd = -1; } -struct list_head * -fw3_read_statefile(void) +void +fw3_unlock(void) { - FILE *sf; + fw3_unlock_path(&fw3_lock_fd, FW3_LOCKFILE); +} - int n; - char line[128]; - const char *p; - struct list_head *state; - struct fw3_statefile_entry *entry; +static void +write_defaults_uci(struct uci_context *ctx, struct fw3_defaults *d, + struct uci_package *dest) +{ + char buf[sizeof("0xffffffff")]; + struct uci_ptr ptr = { .p = dest }; + + uci_add_section(ctx, dest, "defaults", &ptr.s); + + ptr.o = NULL; + ptr.option = "input"; + ptr.value = fw3_flag_names[d->policy_input]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "output"; + ptr.value = fw3_flag_names[d->policy_output]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "forward"; + ptr.value = fw3_flag_names[d->policy_forward]; + uci_set(ctx, &ptr); + + snprintf(buf, sizeof(buf), "0x%x", d->flags[0]); + ptr.o = NULL; + ptr.option = "__flags_v4"; + ptr.value = buf; + uci_set(ctx, &ptr); + + snprintf(buf, sizeof(buf), "0x%x", d->flags[1]); + ptr.o = NULL; + ptr.option = "__flags_v6"; + ptr.value = buf; + uci_set(ctx, &ptr); +} - sf = fopen(FW3_STATEFILE, "r"); +static void +write_zone_uci(struct uci_context *ctx, struct fw3_zone *z, + struct uci_package *dest, struct ifaddrs *ifaddr) +{ + struct fw3_device *dev; + struct fw3_address *sub; + struct ifaddrs *ifa; + enum fw3_family fam = FW3_FAMILY_ANY; - if (!sf) - return NULL; + char *p, buf[INET6_ADDRSTRLEN]; - state = malloc(sizeof(*state)); + struct uci_ptr ptr = { .p = dest }; - if (!state) - return NULL; + if (!z->enabled) + return; + + if (fw3_no_table(z->flags[0]) && !fw3_no_table(z->flags[1])) + fam = FW3_FAMILY_V6; + else if (!fw3_no_table(z->flags[0]) && fw3_no_table(z->flags[1])) + fam = FW3_FAMILY_V4; + else if (fw3_no_table(z->flags[0]) && fw3_no_table(z->flags[1])) + return; + + uci_add_section(ctx, dest, "zone", &ptr.s); + + ptr.o = NULL; + ptr.option = "name"; + ptr.value = z->name; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "input"; + ptr.value = fw3_flag_names[z->policy_input]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "output"; + ptr.value = fw3_flag_names[z->policy_output]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "forward"; + ptr.value = fw3_flag_names[z->policy_forward]; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "masq"; + ptr.value = z->masq ? "1" : "0"; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "mtu_fix"; + ptr.value = z->mtu_fix ? "1" : "0"; + uci_set(ctx, &ptr); - INIT_LIST_HEAD(state); + ptr.o = NULL; + ptr.option = "custom_chains"; + ptr.value = z->custom_chains ? "1" : "0"; + uci_set(ctx, &ptr); - while (fgets(line, sizeof(line), sf)) + if (fam != FW3_FAMILY_ANY) { - entry = malloc(sizeof(*entry)); + ptr.o = NULL; + ptr.option = "family"; + ptr.value = fw3_flag_names[fam]; + uci_set(ctx, &ptr); + } + + ptr.o = NULL; + ptr.option = "device"; + + fw3_foreach(dev, &z->devices) + { + char *ep; - if (!entry) + if (!dev) continue; - memset(entry, 0, sizeof(*entry)); + p = buf; + ep = buf + sizeof(buf); - p = strtok(line, " \t\n"); + if (dev->invert) + p += snprintf(p, ep - p, "!"); - if (!p) - continue; + if (*dev->network) + p += snprintf(p, ep - p, "%s@%s", dev->name, dev->network); + else + p += snprintf(p, ep - p, "%s", dev->name); - entry->type = strtoul(p, NULL, 10); + ptr.value = buf; + uci_add_list(ctx, &ptr); + } - p = strtok(NULL, " \t\n"); + ptr.o = NULL; + ptr.option = "subnet"; - if (!p) + fw3_foreach(sub, &z->subnets) + { + if (!sub) continue; - entry->name = strdup(p); + ptr.value = fw3_address_to_string(sub, true, false); + uci_add_list(ctx, &ptr); + } - for (n = 0, p = strtok(NULL, " \t\n"); - n < ARRAY_SIZE(entry->flags) && p != NULL; - n++, p = strtok(NULL, " \t\n")) + ptr.o = NULL; + ptr.option = "__addrs"; + + fw3_foreach(dev, &z->devices) + { + if (!dev) + continue; + + for (ifa = ifaddr; ifa; ifa = ifa->ifa_next) { - entry->flags[n] = strtoul(p, NULL, 10); + if (!ifa->ifa_addr || strcmp(dev->name, ifa->ifa_name)) + continue; + + if (ifa->ifa_addr->sa_family == AF_INET) + inet_ntop(AF_INET, + &((struct sockaddr_in *)ifa->ifa_addr)->sin_addr, + buf, sizeof(buf)); + else if (ifa->ifa_addr->sa_family == AF_INET6) + inet_ntop(AF_INET6, + &((struct sockaddr_in6 *)ifa->ifa_addr)->sin6_addr, + buf, sizeof(buf)); + else + continue; + + ptr.value = buf; + uci_add_list(ctx, &ptr); } + } - list_add_tail(&entry->list, state); + if (z->extra_src) + { + ptr.o = NULL; + ptr.option = "extra_src"; + ptr.value = z->extra_src; + uci_set(ctx, &ptr); } - fclose(sf); + if (z->extra_dest) + { + ptr.o = NULL; + ptr.option = "extra_dest"; + ptr.value = z->extra_dest; + uci_set(ctx, &ptr); + } - return state; + snprintf(buf, sizeof(buf), "0x%x", z->flags[0]); + ptr.o = NULL; + ptr.option = "__flags_v4"; + ptr.value = buf; + uci_set(ctx, &ptr); + + snprintf(buf, sizeof(buf), "0x%x", z->flags[1]); + ptr.o = NULL; + ptr.option = "__flags_v6"; + ptr.value = buf; + uci_set(ctx, &ptr); +} + +static void +write_ipset_uci(struct uci_context *ctx, struct fw3_ipset *s, + struct uci_package *dest) +{ + struct fw3_ipset_datatype *type; + + char buf[sizeof("65535-65535")]; + + struct uci_ptr ptr = { .p = dest }; + + if (!s->enabled || s->external) + return; + + uci_add_section(ctx, dest, "ipset", &ptr.s); + + ptr.o = NULL; + ptr.option = "name"; + ptr.value = s->name; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "family"; + if (s->family == FW3_FAMILY_V4) + ptr.value = "ipv4"; + else + ptr.value = "ipv6"; + uci_set(ctx, &ptr); + + ptr.o = NULL; + ptr.option = "storage"; + ptr.value = fw3_ipset_method_names[s->method]; + uci_set(ctx, &ptr); + + list_for_each_entry(type, &s->datatypes, list) + { + snprintf(buf, sizeof(buf), "%s_%s", type->dir, fw3_ipset_type_names[type->type]); + ptr.o = NULL; + ptr.option = "match"; + ptr.value = buf; + uci_add_list(ctx, &ptr); + } + + if (s->iprange.set) + { + ptr.o = NULL; + ptr.option = "iprange"; + ptr.value = fw3_address_to_string(&s->iprange, false, false); + uci_set(ctx, &ptr); + } + + if (s->portrange.set) + { + snprintf(buf, sizeof(buf), "%u-%u", s->portrange.port_min, s->portrange.port_max); + ptr.o = NULL; + ptr.option = "portrange"; + ptr.value = buf; + uci_set(ctx, &ptr); + } } void @@ -399,62 +665,360 @@ fw3_write_statefile(void *state) { FILE *sf; struct fw3_state *s = state; - struct fw3_defaults *d = &s->defaults; struct fw3_zone *z; struct fw3_ipset *i; + struct ifaddrs *ifaddr; - int mask = (1 << FW3_DEFAULT_IPV4_LOADED) | (1 << FW3_DEFAULT_IPV6_LOADED); + struct uci_package *p; - if (!(d->flags & mask)) + if (fw3_no_family(s->defaults.flags[0]) && + fw3_no_family(s->defaults.flags[1])) + { + unlink(FW3_STATEFILE); + } + else { - if (unlink(FW3_STATEFILE)) - warn("Unable to remove state %s: %s", - FW3_STATEFILE, strerror(errno)); + sf = fopen(FW3_STATEFILE, "w+"); - return; + if (!sf) + { + warn("Cannot create state %s: %s", FW3_STATEFILE, strerror(errno)); + return; + } + + if (getifaddrs(&ifaddr)) + { + warn("Cannot get interface addresses: %s", strerror(errno)); + ifaddr = NULL; + } + + if ((p = uci_lookup_package(s->uci, "fw3_state")) != NULL) + uci_unload(s->uci, p); + + uci_import(s->uci, sf, "fw3_state", NULL, true); + + if ((p = uci_lookup_package(s->uci, "fw3_state")) != NULL) + { + write_defaults_uci(s->uci, &s->defaults, p); + + list_for_each_entry(z, &s->zones, list) + write_zone_uci(s->uci, z, p, ifaddr); + + list_for_each_entry(i, &s->ipsets, list) + write_ipset_uci(s->uci, i, p); + + uci_export(s->uci, sf, p, true); + uci_unload(s->uci, p); + } + + fsync(fileno(sf)); + fclose(sf); + + if (ifaddr) + freeifaddrs(ifaddr); } +} + - sf = fopen(FW3_STATEFILE, "w"); +void +fw3_free_object(void *obj, const void *opts) +{ + const struct fw3_option *ol; + struct list_head *list, *cur, *tmp; - if (!sf) + for (ol = opts; ol->name; ol++) { - warn("Cannot create state %s: %s", FW3_STATEFILE, strerror(errno)); + if (!ol->elem_size) + continue; + + list = (struct list_head *)((char *)obj + ol->offset); + list_for_each_safe(cur, tmp, list) + { + list_del(cur); + free(cur); + } + } + + free(obj); +} + +void +fw3_free_list(struct list_head *head) +{ + struct list_head *entry, *tmp; + + if (!head) return; + + list_for_each_safe(entry, tmp, head) + { + list_del(entry); + free(entry); } - fprintf(sf, "%u - %u\n", FW3_TYPE_DEFAULTS, d->flags); + free(head); +} + +bool +fw3_hotplug(bool add, void *zone, void *device) +{ + struct fw3_zone *z = zone; + struct fw3_device *d = device; - list_for_each_entry(z, &s->zones, list) + if (!*d->network) + return false; + + switch (fork()) { - fprintf(sf, "%u %s %u %u\n", FW3_TYPE_ZONE, - z->name, z->src_flags, z->dst_flags); + case -1: + warn("Unable to fork(): %s\n", strerror(errno)); + return false; + + case 0: + break; + + default: + return true; } - list_for_each_entry(i, &s->ipsets, list) + close(0); + close(1); + close(2); + if (chdir("/")) {}; + + clearenv(); + setenv("ACTION", add ? "add" : "remove", 1); + setenv("ZONE", z->name, 1); + setenv("INTERFACE", d->network, 1); + setenv("DEVICE", d->name, 1); + + execl(FW3_HOTPLUG, FW3_HOTPLUG, "firewall", NULL); + + /* unreached */ + return false; +} + +int +fw3_netmask2bitlen(int family, void *mask) +{ + int bits; + struct in_addr *v4; + struct in6_addr *v6; + + if (family == FW3_FAMILY_V6) + for (bits = 0, v6 = mask; + bits < 128 && (v6->s6_addr[bits / 8] << (bits % 8)) & 128; + bits++); + else + for (bits = 0, v4 = mask; + bits < 32 && (ntohl(v4->s_addr) << bits) & 0x80000000; + bits++); + + return bits; +} + +bool +fw3_bitlen2netmask(int family, int bits, void *mask) +{ + int i; + uint8_t rem, b; + struct in_addr *v4; + struct in6_addr *v6; + + if (family == FW3_FAMILY_V6) { - if (i->external && *i->external) - continue; + if (bits < -128 || bits > 128) + return false; - fprintf(sf, "%u %s\n", FW3_TYPE_IPSET, i->name); + v6 = mask; + rem = abs(bits); + + for (i = 0; i < sizeof(v6->s6_addr); i++) + { + b = (rem > 8) ? 8 : rem; + v6->s6_addr[i] = (uint8_t)(0xFF << (8 - b)); + rem -= b; + } + + if (bits < 0) + for (i = 0; i < sizeof(v6->s6_addr); i++) + v6->s6_addr[i] = ~v6->s6_addr[i]; + } + else + { + if (bits < -32 || bits > 32) + return false; + + v4 = mask; + v4->s_addr = bits ? htonl(~((1 << (32 - abs(bits))) - 1)) : 0; + + if (bits < 0) + v4->s_addr = ~v4->s_addr; } - fclose(sf); + return true; } void -fw3_free_statefile(struct list_head *statefile) +fw3_flush_conntrack(void *state) { - struct fw3_statefile_entry *e, *tmp; + bool found; + struct fw3_state *s = state; + struct fw3_address *addr; + struct fw3_device *dev; + struct fw3_zone *zone; + struct ifaddrs *ifaddr, *ifa; + struct sockaddr_in *sin; + struct sockaddr_in6 *sin6; + char buf[INET6_ADDRSTRLEN]; + FILE *ct; - if (!statefile) + if (!state) + { + if ((ct = fopen("/proc/net/nf_conntrack", "w")) != NULL) + { + info(" * Flushing conntrack table ..."); + + fwrite("f\n", 1, 2, ct); + fclose(ct); + } + + return; + } + + if (getifaddrs(&ifaddr)) + { + warn("Cannot get interface addresses: %s", strerror(errno)); return; + } + + if ((ct = fopen("/proc/net/nf_conntrack", "w")) != NULL) + { + list_for_each_entry(zone, &s->zones, list) + list_for_each_entry(addr, &zone->old_addrs, list) + { + found = false; + + list_for_each_entry(dev, &zone->devices, list) + { + for (ifa = ifaddr; ifa && !found; ifa = ifa->ifa_next) + { + if (!ifa->ifa_addr || strcmp(dev->name, ifa->ifa_name)) + continue; + + sin = (struct sockaddr_in *)ifa->ifa_addr; + sin6 = (struct sockaddr_in6 *)ifa->ifa_addr; + + if (addr->family == FW3_FAMILY_V4 && + sin->sin_family == AF_INET) + { + found = !memcmp(&addr->address.v4, &sin->sin_addr, + sizeof(sin->sin_addr)); + } + else if (addr->family == FW3_FAMILY_V6 && + sin6->sin6_family == AF_INET6) + { + found = !memcmp(&addr->address.v6, &sin6->sin6_addr, + sizeof(sin6->sin6_addr)); + } + } + + if (found) + break; + } + + if (!found) + { + inet_ntop(addr->family == FW3_FAMILY_V4 ? AF_INET : AF_INET6, + &addr->address.v4, buf, sizeof(buf)); + + info(" * Flushing conntrack: %s", buf); + fprintf(ct, "%s\n", buf); + } + } + + fclose(ct); + } + + freeifaddrs(ifaddr); +} + +bool fw3_attr_parse_name_type(struct blob_attr *entry, const char **name, const char **type) +{ + struct blob_attr *opt; + unsigned orem; - list_for_each_entry_safe(e, tmp, statefile, list) + if (!type || !name) + return false; + + *type = NULL; + + blobmsg_for_each_attr(opt, entry, orem) + if (!strcmp(blobmsg_name(opt), "type")) + *type = blobmsg_get_string(opt); + else if (!strcmp(blobmsg_name(opt), "name")) + *name = blobmsg_get_string(opt); + + return *type != NULL ? true : false; +} + +const char * +fw3_protoname(void *proto) +{ + static char buf[sizeof("4294967295")]; + struct fw3_protocol *p = proto; + struct protoent *pe; + + if (!p) + return "?"; + + pe = getprotobynumber(p->protocol); + + if (!pe) { - list_del(&e->list); - free(e->name); - free(e); + snprintf(buf, sizeof(buf), "%u", p->protocol); + return buf; } - free(statefile); + return pe->p_name; +} + +bool +fw3_check_loopback_dev(const char *name) +{ + struct ifreq ifr; + int s; + bool rv = false; + + s = socket(AF_LOCAL, SOCK_DGRAM, 0); + + if (s < 0) + return false; + + memset(&ifr, 0, sizeof(ifr)); + snprintf(ifr.ifr_name, sizeof(ifr.ifr_name), "%s", name); + + if (ioctl(s, SIOCGIFFLAGS, &ifr) >= 0) { + if (ifr.ifr_flags & IFF_LOOPBACK) + rv = true; + } + + close(s); + + return rv; +} + +bool +fw3_check_loopback_addr(struct fw3_address *addr) +{ + if (addr->family == FW3_FAMILY_V4 && + (ntohl(addr->address.v4.s_addr) >> IN_CLASSA_NSHIFT) == IN_LOOPBACKNET) + return true; + + if (addr->family == FW3_FAMILY_V6 && !addr->range && + fw3_netmask2bitlen(FW3_FAMILY_V6, &addr->mask.v6) == 128 && + IN6_IS_ADDR_LOOPBACK(&addr->address.v6)) + return true; + + return false; }