From patchwork Thu Apr 20 16:05:40 2017
X-Patchwork-Submitter: Pierre Lebleu
X-Patchwork-Id: 752875
From: Pierre Lebleu
To: lede-dev@lists.infradead.org
Date: Thu, 20 Apr 2017 18:05:40 +0200
Message-Id: <1492704342-24042-5-git-send-email-pme.lebleu@gmail.com>
In-Reply-To: <1492704342-24042-1-git-send-email-pme.lebleu@gmail.com>
References: <1492704342-24042-1-git-send-email-pme.lebleu@gmail.com>
Subject: [LEDE-DEV] [PATCH 5/7] firewall3: add UBUS support for ipset sections
Cc: Pierre Lebleu, jow@mein.io

It gives the ability to create ipset rules via procd services and netifd interface firewall data.
Signed-off-by: Pierre Lebleu --- ipsets.c | 83 +++++++++++++++++++++++++++++++++++++++++++------------------- ipsets.h | 11 +++++---- main.c | 2 +- 3 files changed, 65 insertions(+), 31 deletions(-) diff --git a/ipsets.c b/ipsets.c index 3b1ba00..a3e8ee7 100644 --- a/ipsets.c +++ b/ipsets.c @@ -85,7 +85,7 @@ static struct ipset_type ipset_types[] = { static bool -check_types(struct uci_element *e, struct fw3_ipset *ipset) +check_types(struct fw3_ipset *ipset) { int i = 0; uint32_t typelist = 0; @@ -95,7 +95,8 @@ check_types(struct uci_element *e, struct fw3_ipset *ipset) { if (i >= 3) { - warn_elem(e, "must not have more than 3 datatypes assigned"); + warn("%s must not have more than 3 datatypes assigned", + ipset->name); return false; } @@ -116,8 +117,9 @@ check_types(struct uci_element *e, struct fw3_ipset *ipset) { ipset->method = ipset_types[i].method; - warn_elem(e, "defines no storage method, assuming '%s'", - fw3_ipset_method_names[ipset->method]); + warn("%s defines no storage method, assuming '%s'", + ipset->name, + fw3_ipset_method_names[ipset->method]); break; } 
@@ -136,56 +138,56 @@ check_types(struct uci_element *e, struct fw3_ipset *ipset) if ((ipset_types[i].required & OPT_IPRANGE) && !ipset->iprange.set) { - warn_elem(e, "requires an ip range"); + warn("%s requires an ip range", ipset->name); return false; } if ((ipset_types[i].required & OPT_PORTRANGE) && !ipset->portrange.set) { - warn_elem(e, "requires a port range"); + warn("%s requires a port range", ipset->name); return false; } if (!(ipset_types[i].required & OPT_IPRANGE) && ipset->iprange.set) { - warn_elem(e, "iprange ignored"); + warn("%s iprange ignored", ipset->name); ipset->iprange.set = false; } if (!(ipset_types[i].required & OPT_PORTRANGE) && ipset->portrange.set) { - warn_elem(e, "portrange ignored"); + warn("%s portrange ignored", ipset->name); ipset->portrange.set = false; } if (!(ipset_types[i].optional & OPT_NETMASK) && ipset->netmask > 0) { - warn_elem(e, "netmask ignored"); + warn("%s netmask ignored", ipset->name); ipset->netmask = 0; } if (!(ipset_types[i].optional & OPT_HASHSIZE) && ipset->hashsize > 0) { - warn_elem(e, "hashsize ignored"); + warn("%s hashsize ignored", ipset->name); ipset->hashsize = 0; } if (!(ipset_types[i].optional & OPT_MAXELEM) && ipset->maxelem > 0) { - warn_elem(e, "maxelem ignored"); + warn("%s maxelem ignored", ipset->name); ipset->maxelem = 0; } if (!(ipset_types[i].optional & OPT_FAMILY) && ipset->family != FW3_FAMILY_V4) { - warn_elem(e, "family ignored"); + warn("%s family ignored", ipset->name); ipset->family = FW3_FAMILY_V4; } } @@ -194,12 +196,12 @@ check_types(struct uci_element *e, struct fw3_ipset *ipset) } } - warn_elem(e, "has an invalid combination of storage method and matches"); + warn("%s has an invalid combination of storage method and matches", ipset->name); return false; } -struct fw3_ipset * -fw3_alloc_ipset(void) +static struct fw3_ipset * +fw3_alloc_ipset(struct fw3_state *state) { struct fw3_ipset *ipset; 
@@ -212,21 +214,50 @@ fw3_alloc_ipset(void) ipset->enabled = true; ipset->family = FW3_FAMILY_V4; + list_add_tail(&ipset->list, &state->ipsets); + return ipset; } void -fw3_load_ipsets(struct fw3_state *state, struct uci_package *p) +fw3_load_ipsets(struct fw3_state *state, struct uci_package *p, + struct blob_attr *a) { struct uci_section *s; struct uci_element *e; - struct fw3_ipset *ipset; + struct fw3_ipset *ipset, *n; + struct blob_attr *entry, *opt; + unsigned rem, orem; INIT_LIST_HEAD(&state->ipsets); if (state->disable_ipsets) return; + blob_for_each_attr(entry, a, rem) + { + const char *type = NULL; + const char *name = "ubus ipset"; + blobmsg_for_each_attr(opt, entry, orem) + if (!strcmp(blobmsg_name(opt), "type")) + type = blobmsg_get_string(opt); + else if (!strcmp(blobmsg_name(opt), "name")) + name = blobmsg_get_string(opt); + + if (!type || strcmp(type, "ipset")) + continue; + + if (!(ipset = fw3_alloc_ipset(state))) + continue; + + if (!fw3_parse_blob_options(ipset, fw3_ipset_opts, entry, name)) + { + warn("%s skipped due to invalid options\n", name); + fw3_free_ipset(ipset); + continue; + } + } + uci_foreach_element(&p->sections, e) { s = uci_to_section(e); @@ -234,7 +265,7 @@ fw3_load_ipsets(struct fw3_state *state, struct uci_package *p) if (strcmp(s->type, "ipset")) continue; - ipset = fw3_alloc_ipset(); + ipset = fw3_alloc_ipset(state); if (!ipset) continue; @@ -245,7 +276,10 @@ fw3_load_ipsets(struct fw3_state *state, struct uci_package *p) fw3_free_ipset(ipset); continue; } + } + list_for_each_entry_safe(ipset, n, &state->ipsets, list) + { if (ipset->external) { if (!*ipset->external) 
@@ -256,27 +290,26 @@ fw3_load_ipsets(struct fw3_state *state, struct uci_package *p) if (!ipset->name || !*ipset->name) { - warn_elem(e, "must have a name assigned"); + warn("ipset must have a name assigned"); } //else if (fw3_lookup_ipset(state, ipset->name) != NULL) //{ - // warn_elem(e, "has duplicated set name '%s'", ipset->name); + // warn("%s has duplicated set name", ipset->name); //} else if (ipset->family == FW3_FAMILY_ANY) { - warn_elem(e, "must not have family 'any'"); + warn("%s must not have family 'any'", ipset->name); } else if (ipset->iprange.set && ipset->family != ipset->iprange.family) { - warn_elem(e, "has iprange of wrong address family"); + warn("%s has iprange of wrong address family", ipset->name); } else if (list_empty(&ipset->datatypes)) { - warn_elem(e, "has no datatypes assigned"); + warn("%s has no datatypes assigned", ipset->name); } - else if (check_types(e, ipset)) + else if (check_types(ipset)) { - list_add_tail(&ipset->list, &state->ipsets); continue; } diff --git a/ipsets.h b/ipsets.h index b5fee6c..2ba862d 100644 --- a/ipsets.h +++ b/ipsets.h @@ -27,8 +27,7 @@ extern const struct fw3_option fw3_ipset_opts[]; -struct fw3_ipset * fw3_alloc_ipset(void); -void fw3_load_ipsets(struct fw3_state *state, struct uci_package *p); +void fw3_load_ipsets(struct fw3_state *state, struct uci_package *p, struct blob_attr *a); void fw3_create_ipsets(struct fw3_state *state); void fw3_destroy_ipsets(struct fw3_state *state); @@ -36,9 +35,11 @@ struct fw3_ipset * fw3_lookup_ipset(struct fw3_state *state, const char *name); bool fw3_check_ipset(struct fw3_ipset *set); -#define fw3_free_ipset(ipset) \ - fw3_free_object(ipset, fw3_ipset_opts) - +static inline void fw3_free_ipset(struct fw3_ipset *ipset) +{ + list_del(&ipset->list); + fw3_free_object(ipset, fw3_ipset_opts); +} #ifndef SO_IP_SET diff --git a/main.c b/main.c index 4cf46fd..6e275ef 100644 --- a/main.c +++ b/main.c 
@@ -101,7 +101,7 @@ build_state(bool runtime) fw3_ubus_rules(&b); fw3_load_defaults(state, p); - fw3_load_ipsets(state, p); + fw3_load_ipsets(state, p, b.head); fw3_load_zones(state, p); fw3_load_rules(state, p, b.head); fw3_load_redirects(state, p, b.head);
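Review bot: in the blob_for_each_attr loop of the ipsets.c "@@ -212,21 +214,50 @@" hunk, blobmsg_get_string(opt) is used for the "type" and "name" attributes without first checking blobmsg_type(opt) == BLOBMSG_TYPE_STRING; these entries now come from procd services and netifd over ubus rather than from a local uci file, and blobmsg_get_string() does no type check of its own, so a non-string attribute under either key would be handed to strcmp() as if it were a NUL-terminated string. Guard the inner loop, e.g. "if (blobmsg_type(opt) != BLOBMSG_TYPE_STRING) continue;" before the two strcmp() comparisons. Minor style point in the same hunk: warn("%s skipped due to invalid options\n", name); is the only warn() call in this patch with a trailing "\n"; drop it to match the other messages.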
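Review bot: in the ipsets.c "@@ -256,27 +290,26 @@" hunk the duplicate-name check stays commented out (//else if (fw3_lookup_ipset(state, ipset->name) != NULL)), yet this series now collects sets from uci and from ubus into the same state->ipsets list, so two sources defining the same set name becomes a realistic configuration error; the message has already been converted to warn("%s has duplicated set name", ipset->name), so re-enabling the check here would be a small change. Related: warn("ipset must have a name assigned") no longer identifies which uci section or ubus entry is at fault, and because the validation loop now runs after both loads, neither e nor name is in scope there; storing a short source label on the set at load time and printing it in that warning would keep the message actionable.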
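Review bot: in the ipsets.h "@@ -36,9 +35,11 @@" hunk, fw3_free_ipset() now calls list_del(&ipset->list) unconditionally. That matches the new flow, where fw3_alloc_ipset() links every set into state->ipsets at allocation time and the validation loop frees rejected entries from inside list_for_each_entry_safe, but any existing caller that already unlinks an entry before freeing it (the state teardown path that empties state->ipsets, next to fw3_destroy_ipsets(), is the place to check) would now unlink the same node twice. Please confirm those call sites, or keep the list_del at the call sites and out of the inline helper.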