#define firewall_rule "rule"
#define firewall_rule_length 4
- #define firewall_direction "direction"
- #define firewall_direction_input "input"
- #define firewall_direction_output "output"
- #define firewall_direction_forward "forward"
- #define firewall_direction_postrouting "postrouting"
- #define firewall_direction_prerouting "prerouting"
- #define firewall_direction_none "none"
-
- #define firewall_direction_length 9
- #define firewall_direction_input_length 5
- #define firewall_direction_output_length 6
- #define firewall_direction_forward_length 7
- #define firewall_direction_postrouting_length 12
- #define firewall_direction_prerouting_length 11
- #define firewall_direction_none_length 4
-
- #define firewall_direction_forward_input "forward-input"
- #define firewall_direction_forward_output "forward-output"
- #define firewall_direction_postrouting_input "postrouting-input"
- #define firewall_direction_postrouting_output "postrouting-output"
- #define firewall_direction_prerouting_input "prerouting-input"
- #define firewall_direction_prerouting_output "prerouting-output"
-
- #define firewall_direction_forward_input_length 13
- #define firewall_direction_forward_output_length 14
- #define firewall_direction_postrouting_input_length 17
- #define firewall_direction_postrouting_output_length 18
- #define firewall_direction_prerouting_input_length 16
- #define firewall_direction_prerouting_output_length 17
-
- #define firewall_direction_input_command "INPUT"
- #define firewall_direction_output_command "OUTPUT"
- #define firewall_direction_forward_command "FORWARD"
- #define firewall_direction_postrouting_command "POSTROUTING"
- #define firewall_direction_prerouting_command "PREROUTING"
-
- #define firewall_direction_input_command_length 5
- #define firewall_direction_output_command_length 6
- #define firewall_direction_forward_command_length 7
- #define firewall_direction_postrouting_command_length 11
- #define firewall_direction_prerouting_command_length 10
+ #define firewall_chain "chain"
+ #define firewall_chain_forward "FORWARD"
+ #define firewall_chain_input "INPUT"
+ #define firewall_chain_none "none"
+ #define firewall_chain_output "OUTPUT"
+ #define firewall_chain_postrouting "POSTROUTING"
+ #define firewall_chain_prerouting "PREROUTING"
+
+ #define firewall_chain_length 5
+ #define firewall_chain_forward_length 7
+ #define firewall_chain_input_length 5
+ #define firewall_chain_none_length 4
+ #define firewall_chain_output_length 6
+ #define firewall_chain_postrouting_length 12
+ #define firewall_chain_prerouting_length 11
+
+ #define firewall_direction "direction"
+ #define firewall_direction_input "input"
+ #define firewall_direction_output "output"
+ #define firewall_direction_none "none"
+
+ #define firewall_direction_length 9
+ #define firewall_direction_input_length 5
+ #define firewall_direction_output_length 6
+ #define firewall_direction_none_length 4
#define firewall_action "action"
#define firewall_action_append "append"
#define firewall_protocol_length 8
#define firewall_protocol_none_length 4
- #define firewall_protocol_command "-p"
-
+ #define firewall_protocol_command "-p"
#define firewall_protocol_command_length 2
#define firewall_chain_create_command "-N"
- #define firewall_chain_unchain_command "-X"
+ #define firewall_chain_unchain_command "-X"
- #define firewall_chain_create_command_length 2
+ #define firewall_chain_create_command_length 2
#define firewall_chain_unchain_command_length 2
enum {
firewall_parameter_light,
firewall_parameter_no_color,
firewall_parameter_version,
+ firewall_parameter_debug,
firewall_parameter_command_start,
firewall_parameter_command_stop,
firewall_parameter_command_restart,
firewall_parameter_command_lock,
firewall_parameter_command_show,
- firewall_direction_forward_id,
- firewall_direction_postrouting_id,
- firewall_direction_prerouting_id,
+ firewall_direction_input_id,
+ firewall_direction_output_id,
firewall_direction_none_id,
+ firewall_chain_forward_id,
+ firewall_chain_custom_id,
+ firewall_chain_input_id,
+ firewall_chain_none_id,
+ firewall_chain_output_id,
+ firewall_chain_postrouting_id,
+ firewall_chain_prerouting_id,
+
firewall_action_append_id,
firewall_action_insert_id,
firewall_action_policy_id,
firewall_action_none_id,
};
- #define f_console_parameter_initialize_firewall \
- { \
- f_console_parameter_initialize(f_console_standard_short_help, f_console_standard_long_help, 0, 0, f_false, f_console_type_normal, 0), \
- f_console_parameter_initialize(f_console_standard_short_light, f_console_standard_long_light, 0, 0, f_false, f_console_type_inverse, 0), \
- f_console_parameter_initialize(f_console_standard_short_no_color, f_console_standard_long_no_color, 0, 0, f_false, f_console_type_inverse, 0), \
- f_console_parameter_initialize(f_console_standard_short_version, f_console_standard_long_version, 0, 0, f_false, f_console_type_inverse, 0), \
- f_console_parameter_initialize(0, 0, 0, firewall_command_start, f_false, f_console_type_other, firewall_command_start_length), \
- f_console_parameter_initialize(0, 0, 0, firewall_command_stop, f_false, f_console_type_other, firewall_command_stop_length), \
- f_console_parameter_initialize(0, 0, 0, firewall_command_restart, f_false, f_console_type_other, firewall_command_restart_length), \
- f_console_parameter_initialize(0, 0, 0, firewall_command_lock, f_false, f_console_type_other, firewall_command_lock_length), \
- f_console_parameter_initialize(0, 0, 0, firewall_command_show, f_false, f_console_type_other, firewall_command_show_length), \
- }
-
- #define firewall_total_parameters 9
+ #ifdef _en_firewall_debug_
+ #define f_console_parameter_initialize_firewall \
+ { \
+ f_console_parameter_initialize(f_console_standard_short_help, f_console_standard_long_help, 0, 0, f_false, f_console_type_normal, 0), \
+ f_console_parameter_initialize(f_console_standard_short_light, f_console_standard_long_light, 0, 0, f_false, f_console_type_inverse, 0), \
+ f_console_parameter_initialize(f_console_standard_short_no_color, f_console_standard_long_no_color, 0, 0, f_false, f_console_type_inverse, 0), \
+ f_console_parameter_initialize(f_console_standard_short_version, f_console_standard_long_version, 0, 0, f_false, f_console_type_inverse, 0), \
+ f_console_parameter_initialize(f_console_standard_short_debug, f_console_standard_long_debug, 0, 0, f_false, f_console_type_inverse, 0), \
+ f_console_parameter_initialize(0, 0, 0, firewall_command_start, f_false, f_console_type_other, firewall_command_start_length), \
+ f_console_parameter_initialize(0, 0, 0, firewall_command_stop, f_false, f_console_type_other, firewall_command_stop_length), \
+ f_console_parameter_initialize(0, 0, 0, firewall_command_restart, f_false, f_console_type_other, firewall_command_restart_length), \
+ f_console_parameter_initialize(0, 0, 0, firewall_command_lock, f_false, f_console_type_other, firewall_command_lock_length), \
+ f_console_parameter_initialize(0, 0, 0, firewall_command_show, f_false, f_console_type_other, firewall_command_show_length), \
+ }
+
+ #define firewall_total_parameters 10
+ #else
+ #define f_console_parameter_initialize_firewall \
+ { \
+ f_console_parameter_initialize(f_console_standard_short_help, f_console_standard_long_help, 0, 0, f_false, f_console_type_normal, 0), \
+ f_console_parameter_initialize(f_console_standard_short_light, f_console_standard_long_light, 0, 0, f_false, f_console_type_inverse, 0), \
+ f_console_parameter_initialize(f_console_standard_short_no_color, f_console_standard_long_no_color, 0, 0, f_false, f_console_type_inverse, 0), \
+ f_console_parameter_initialize(f_console_standard_short_version, f_console_standard_long_version, 0, 0, f_false, f_console_type_inverse, 0), \
+ f_console_parameter_initialize(0, 0, 0, firewall_command_start, f_false, f_console_type_other, firewall_command_start_length), \
+ f_console_parameter_initialize(0, 0, 0, firewall_command_stop, f_false, f_console_type_other, firewall_command_stop_length), \
+ f_console_parameter_initialize(0, 0, 0, firewall_command_restart, f_false, f_console_type_other, firewall_command_restart_length), \
+ f_console_parameter_initialize(0, 0, 0, firewall_command_lock, f_false, f_console_type_other, firewall_command_lock_length), \
+ f_console_parameter_initialize(0, 0, 0, firewall_command_show, f_false, f_console_type_other, firewall_command_show_length), \
+ }
+
+ #define firewall_total_parameters 9
+ #endif // _en_firewall_debug_
#endif // _di_firewall_defines_
#ifndef _di_firewall_data_
f_dynamic_string ip_list = f_dynamic_string_initialize;
// iptables command arguments
- f_bool direction_input = f_true;
- f_bool direction_output = f_false;
f_bool device_all = f_false;
f_bool ip_list_direction = f_false; // false = source, true = destination
f_bool use_protocol = f_false;
uint8_t tool = firewall_program_ip46tables;
+ uint8_t chain = firewall_chain_none_id;
f_array_length repeat = 2;
f_array_length r = 0;
device.used = data.devices.array[local.device].used;
}
+ // for custom chains, the chain command may not be specified.
+ if (!(local.is_main || local.is_stop || local.is_lock)) {
+ chain = firewall_chain_custom_id;
+ }
+
for (; i < local.rule_objects.used; i++) {
length = (local.rule_objects.array[i].stop - local.rule_objects.array[i].start) + 1;
invalid = f_false;
f_delete_dynamic_string(status2, ip_list);
- if (length >= firewall_direction_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_direction, length, firewall_direction_length) == f_equal_to) {
+ // process chain rule
+ if (length >= firewall_chain_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_chain, length, firewall_chain_length) == f_equal_to) {
+ if (chain == firewall_chain_custom_id) {
+ // custom chains can only apply to themselves, so silently ignore chain commands specified within a custom chain.
+ fprintf(f_standard_warning, "WARNING: At line %u, the chain option is meaningless inside of a custom chain.", (unsigned int) i);
+ continue;
+ }
+
length = (local.rule_contents.array[i].array[0].stop - local.rule_contents.array[i].array[0].start) + 1;
if (local.rule_contents.array[i].used <= 0 || local.rule_contents.array[i].used > 1) {
invalid = f_true;
- } else {
- if (length < firewall_direction_input_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_input, length, firewall_direction_input_length) == f_not_equal_to) {
- if (length < firewall_direction_output_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_output, length, firewall_direction_output_length) == f_not_equal_to) {
- if (length < firewall_direction_forward_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_forward, length, firewall_direction_forward_length) == f_not_equal_to) {
- if (length < firewall_direction_postrouting_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_postrouting, length, firewall_direction_postrouting_length) == f_not_equal_to) {
- if (length < firewall_direction_prerouting_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_prerouting, length, firewall_direction_prerouting_length) == f_not_equal_to) {
- if (length < firewall_direction_none_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_none, length, firewall_direction_none_length) == f_not_equal_to) {
- if (length < firewall_direction_forward_input_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_forward_input, length, firewall_direction_forward_input_length) == f_not_equal_to) {
- if (length < firewall_direction_forward_output_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_forward_output, length, firewall_direction_forward_output_length) == f_not_equal_to) {
- if (length < firewall_direction_postrouting_input_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_postrouting_input, length, firewall_direction_postrouting_input_length) == f_not_equal_to) {
- if (length < firewall_direction_postrouting_output_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_postrouting_output, length, firewall_direction_postrouting_output_length) == f_not_equal_to) {
- if (length < firewall_direction_prerouting_input_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_prerouting_input, length, firewall_direction_prerouting_input_length) == f_not_equal_to) {
- if (length < firewall_direction_prerouting_output_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_prerouting_output, length, firewall_direction_prerouting_output_length) == f_not_equal_to) {
- invalid = f_true;
- } else {
- direction_input = f_false;
- direction_output = f_true;
- direction = firewall_direction_prerouting_id;
- }
- } else {
- direction_input = f_true;
- direction_output = f_false;
- direction = firewall_direction_prerouting_id;
- }
- } else {
- direction_input = f_false;
- direction_output = f_true;
- direction = firewall_direction_postrouting_id;
- }
- } else {
- direction_input = f_true;
- direction_output = f_false;
- direction = firewall_direction_postrouting_id;
- }
- } else {
- direction_input = f_false;
- direction_output = f_true;
- direction = firewall_direction_forward_id;
- }
- } else {
- direction_input = f_true;
- direction_output = f_false;
- direction = firewall_direction_forward_id;
- }
- } else {
- direction_input = f_false;
- direction_output = f_false;
- direction = firewall_direction_none_id;
- }
- } else {
- direction_input = f_false;
- direction_output = f_false;
- direction = firewall_direction_postrouting_id;
- }
- } else {
- direction_input = f_false;
- direction_output = f_false;
- direction = firewall_direction_prerouting_id;
- }
- } else {
- direction_input = f_false;
- direction_output = f_false;
- direction = firewall_direction_forward_id;
- }
- } else {
- direction_input = f_false;
- direction_output = f_true;
- direction = firewall_direction_none_id;
- }
- } else {
- direction_input = f_true;
- direction_output = f_false;
- direction = firewall_direction_none_id;
- }
+ }
+ else if (length >= firewall_chain_input_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_chain_input, length, firewall_chain_input_length) == f_equal_to) {
+ chain = firewall_chain_input_id;
+ }
+ else if (length >= firewall_chain_output_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_chain_output, length, firewall_chain_output_length) == f_equal_to) {
+ chain = firewall_chain_output_id;
+ }
+ else if (length >= firewall_chain_forward_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_chain_forward, length, firewall_chain_forward_length) == f_equal_to) {
+ chain = firewall_chain_forward_id;
+ }
+ else if (length >= firewall_chain_postrouting_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_chain_postrouting, length, firewall_chain_postrouting_length) == f_equal_to) {
+ chain = firewall_chain_postrouting_id;
+ }
+ else if (length >= firewall_chain_prerouting_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_chain_prerouting, length, firewall_chain_prerouting_length) == f_equal_to) {
+ chain = firewall_chain_prerouting_id;
+ }
+ else if (length >= firewall_chain_none_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_chain_none, length, firewall_chain_none_length) == f_equal_to) {
+ chain = firewall_chain_none_id;
+ }
+ else {
+ invalid = f_true;
+ }
+
+ if (!invalid) continue;
+ }
+ // process direction rule
+ else if (length >= firewall_direction_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_direction, length, firewall_direction_length) == f_equal_to) {
+ length = (local.rule_contents.array[i].array[0].stop - local.rule_contents.array[i].array[0].start) + 1;
+
+ if (local.rule_contents.array[i].used <= 0 || local.rule_contents.array[i].used > 1) {
+ invalid = f_true;
+ }
+ else if (length >= firewall_direction_input_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_input, length, firewall_direction_input_length) == f_equal_to) {
+ direction = firewall_direction_input_id;
+ }
+ else if (length >= firewall_direction_output_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_output, length, firewall_direction_output_length) == f_equal_to) {
+ direction = firewall_direction_output_id;
+ }
+ else if (length >= firewall_direction_none_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_direction_none, length, firewall_direction_none_length) == f_equal_to) {
+ direction = firewall_direction_none_id;
+ }
+ else {
+ // direction must be specified, and no custom directions are allowed.
+ invalid = f_true;
}
if (!invalid) continue;
- } else if (length >= firewall_device_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_device, length, firewall_device_length) == f_equal_to) {
+ }
+ // process device rule.
+ else if (length >= firewall_device_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_device, length, firewall_device_length) == f_equal_to) {
length = (local.rule_contents.array[i].array[0].stop - local.rule_contents.array[i].array[0].start) + 1;
if (local.rule_contents.array[i].used <= 0 || local.rule_contents.array[i].used > 1) {
if (f_error_is_error(status)) break;
strncat(device.string, local.buffer.string + local.rule_contents.array[i].array[0].start, length);
- device.used = length;
+ device.used = length;
device_all = f_false;
continue;
}
- } else if (length >= firewall_action_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_action, length, firewall_action_length) == f_equal_to) {
+ }
+ // process action rule.
+ else if (length >= firewall_action_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_action, length, firewall_action_length) == f_equal_to) {
length = (local.rule_contents.array[i].array[0].stop - local.rule_contents.array[i].array[0].start) + 1;
if (local.rule_contents.array[i].used <= 0 || local.rule_contents.array[i].used > 1) {
invalid = f_true;
- } else if (length < firewall_action_append_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_append, length, firewall_action_append_length) == f_not_equal_to) {
- if (length < firewall_action_insert_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_insert, length, firewall_action_insert_length) == f_not_equal_to) {
- if (length < firewall_action_policy_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_policy, length, firewall_action_policy_length) == f_not_equal_to) {
- if (length < firewall_action_none_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_none, length, firewall_action_none_length) == f_not_equal_to) {
- invalid = f_true;
- } else {
- action = firewall_action_none_id;
- }
- } else {
- action = firewall_action_policy_id;
- }
- } else {
- action = firewall_action_insert_id;
- }
- } else {
+ }
+ else if (length >= firewall_action_append_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_append, length, firewall_action_append_length) == f_equal_to) {
action = firewall_action_append_id;
}
+ else if (length >= firewall_action_insert_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_insert, length, firewall_action_insert_length) == f_equal_to) {
+ action = firewall_action_insert_id;
+ }
+ else if (length >= firewall_action_policy_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_policy, length, firewall_action_policy_length) == f_equal_to) {
+ action = firewall_action_policy_id;
+ }
+ else if (length >= firewall_action_none_length && fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_action_none, length, firewall_action_none_length) == f_equal_to) {
+ action = firewall_action_none_id;
+ }
+ else {
+ invalid = f_true;
+ }
if (!invalid) continue;
- } else if (length >= firewall_ip_list_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_ip_list, length, firewall_ip_list_length) == f_equal_to) {
+ }
+ // process ip_list rule.
+ else if (length >= firewall_ip_list_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_ip_list, length, firewall_ip_list_length) == f_equal_to) {
length = (local.rule_contents.array[i].array[0].stop - local.rule_contents.array[i].array[0].start) + 1;
is_ip_list = f_true;
continue;
}
- } else if (length >= firewall_tool_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_tool, length, firewall_tool_length) == f_equal_to) {
+ }
+ // process tool rule.
+ else if (length >= firewall_tool_length && fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_tool, length, firewall_tool_length) == f_equal_to) {
length = (local.rule_contents.array[i].array[0].stop - local.rule_contents.array[i].array[0].start) + 1;
if (local.rule_contents.array[i].used <= 0 || local.rule_contents.array[i].used > 1) {
if (!invalid) continue;
}
- } else if (length < firewall_rule_length || fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_rule, length, firewall_rule_length) == f_not_equal_to) {
+ }
+ // process rule rule, if the remaining rule does not match as firewall_rule, then it is an invalid rule.
+ else if (length < firewall_rule_length || fl_compare_strings(local.buffer.string + local.rule_objects.array[i].start, (f_string) firewall_rule, length, firewall_rule_length) == f_not_equal_to) {
if (length > 0) {
fl_print_color_code(f_standard_warning, data.context.warning);
fprintf(f_standard_warning, "WARNING: At line %u, the object '", (unsigned int) i);
// FIXME: (this issue is probably everywhere) Implement an strncat function for dynamic strings or if I already have one implement, make sure it is used in every applicable place
// (this way I can automatically handle updating the used buffer)
// also look into auto-allocated space if necessary with the said function
- if (action == firewall_action_append_id) {
- f_resize_dynamic_string(status, argument, firewall_action_append_command_length);
-
- if (f_error_is_error(status)) break;
-
- strncat(argument.string, firewall_action_append_command, firewall_action_append_command_length);
- argument.used = firewall_action_append_command_length;
- } else if (action == firewall_action_insert_id) {
- f_resize_dynamic_string(status, argument, firewall_action_insert_command_length);
-
- if (f_error_is_error(status)) break;
- strncat(argument.string, firewall_action_insert_command, firewall_action_insert_command_length);
- argument.used = firewall_action_insert_command_length;
- } else if (action == firewall_action_policy_id) {
- f_resize_dynamic_string(status, argument, firewall_action_policy_command_length);
+ // process the action when a non-none chain is specified.
+ if (chain != firewall_chain_none_id && action != firewall_action_none_id) {
+ if (action == firewall_action_append_id) {
+ f_resize_dynamic_string(status, argument, firewall_action_append_command_length);
- if (f_error_is_error(status)) break;
-
- strncat(argument.string, firewall_action_policy_command, firewall_action_policy_command_length);
- argument.used = firewall_action_policy_command_length;
- }
-
- if (argument.used > 0) {
- f_resize_dynamic_strings(status, arguments, arguments.used + 1);
-
- if (f_error_is_error(status)) break;
+ if (f_error_is_error(status)) break;
- arguments.array[arguments.used].string = argument.string;
- arguments.array[arguments.used].size = argument.size;
- arguments.array[arguments.used].used = argument.used;
- arguments.used++;
- argument.string = f_null;
- argument.size = 0;
- argument.used = 0;
- }
+ strncat(argument.string, firewall_action_append_command, firewall_action_append_command_length);
+ argument.used = firewall_action_append_command_length;
+ } else if (action == firewall_action_insert_id) {
+ f_resize_dynamic_string(status, argument, firewall_action_insert_command_length);
+ if (f_error_is_error(status)) break;
- if (action != firewall_action_none_id) {
- if (!(local.is_main || local.is_stop || local.is_lock)) {
- f_resize_dynamic_string(status, argument, data.chains.array[local.chain_ids.array[local.chain]].used);
+ strncat(argument.string, firewall_action_insert_command, firewall_action_insert_command_length);
+ argument.used = firewall_action_insert_command_length;
+ } else if (action == firewall_action_policy_id) {
+ f_resize_dynamic_string(status, argument, firewall_action_policy_command_length);
if (f_error_is_error(status)) break;
- strncat(argument.string, data.chains.array[local.chain_ids.array[local.chain]].string, data.chains.array[local.chain_ids.array[local.chain]].used);
- argument.used = data.chains.array[local.chain].used;
+ strncat(argument.string, firewall_action_policy_command, firewall_action_policy_command_length);
+ argument.used = firewall_action_policy_command_length;
+ }
- } else if (direction == firewall_direction_forward_id) {
- f_resize_dynamic_string(status, argument, firewall_direction_forward_command_length);
+ if (argument.used > 0) {
+ f_resize_dynamic_strings(status, arguments, arguments.used + 1);
if (f_error_is_error(status)) break;
- strncat(argument.string, firewall_direction_forward_command, firewall_direction_forward_command_length);
- argument.used = firewall_direction_forward_command_length;
- } else if (direction == firewall_direction_postrouting_id) {
- f_resize_dynamic_string(status, argument, firewall_direction_postrouting_command_length);
-
- if (f_error_is_error(status)) break;
+ arguments.array[arguments.used].string = argument.string;
+ arguments.array[arguments.used].size = argument.size;
+ arguments.array[arguments.used].used = argument.used;
+ arguments.used++;
+ argument.string = f_null;
+ argument.size = 0;
+ argument.used = 0;
- strncat(argument.string, firewall_direction_postrouting_command, firewall_direction_postrouting_command_length);
- argument.used += firewall_direction_postrouting_command_length;
- } else if (direction == firewall_direction_prerouting_id) {
- f_resize_dynamic_string(status, argument, firewall_direction_prerouting_command_length);
+ // process the chain, which is required by the action.
+ if (chain == firewall_chain_custom_id) {
+ f_resize_dynamic_string(status, argument, data.chains.array[local.chain_ids.array[local.chain]].used);
+ if (f_error_is_error(status)) break;
- if (f_error_is_error(status)) break;
+ strncat(argument.string, data.chains.array[local.chain_ids.array[local.chain]].string, data.chains.array[local.chain_ids.array[local.chain]].used);
+ argument.used = data.chains.array[local.chain].used;
+ } else if (chain == firewall_chain_forward_id) {
+ f_resize_dynamic_string(status, argument, firewall_chain_forward_length);
+ if (f_error_is_error(status)) break;
- strncat(argument.string, firewall_direction_prerouting_command, firewall_direction_prerouting_command_length);
- argument.used = firewall_direction_prerouting_command_length;
- } else if (direction_input) {
- f_resize_dynamic_string(status, argument, firewall_direction_input_command_length);
+ strncat(argument.string, firewall_chain_forward, firewall_chain_forward_length);
+ argument.used = firewall_chain_forward_length;
+ } else if (chain == firewall_chain_postrouting_id) {
+ f_resize_dynamic_string(status, argument, firewall_chain_postrouting_length);
+ if (f_error_is_error(status)) break;
- if (f_error_is_error(status)) break;
+ strncat(argument.string, firewall_chain_postrouting, firewall_chain_postrouting_length);
+ argument.used += firewall_chain_postrouting_length;
+ } else if (chain == firewall_chain_prerouting_id) {
+ f_resize_dynamic_string(status, argument, firewall_chain_prerouting_length);
+ if (f_error_is_error(status)) break;
- strncat(argument.string, firewall_direction_input_command, firewall_direction_input_command_length);
- argument.used = firewall_direction_input_command_length;
- } else if (direction_output) {
- f_resize_dynamic_string(status, argument, firewall_direction_output_command_length);
+ strncat(argument.string, firewall_chain_prerouting, firewall_chain_prerouting_length);
+ argument.used = firewall_chain_prerouting_length;
+ } else if (chain == firewall_chain_input_id) {
+ f_resize_dynamic_string(status, argument, firewall_chain_input_length);
+ if (f_error_is_error(status)) break;
- if (f_error_is_error(status)) break;
+ strncat(argument.string, firewall_chain_input, firewall_chain_input_length);
+ argument.used = firewall_chain_input_length;
+ } else if (chain == firewall_chain_output_id) {
+ f_resize_dynamic_string(status, argument, firewall_chain_output_length);
+ if (f_error_is_error(status)) break;
- strncat(argument.string, firewall_direction_output_command, firewall_direction_output_command_length);
- argument.used = firewall_direction_output_command_length;
- }
- }
+ strncat(argument.string, firewall_chain_output, firewall_chain_output_length);
+ argument.used = firewall_chain_output_length;
+ }
- if (argument.used > 0) {
- f_resize_dynamic_strings(status, arguments, arguments.used + 1);
+ if (argument.used > 0) {
+ f_resize_dynamic_strings(status, arguments, arguments.used + 1);
- if (f_error_is_error(status)) break;
+ if (f_error_is_error(status)) break;
- arguments.array[arguments.used].string = argument.string;
- arguments.array[arguments.used].size = argument.size;
- arguments.array[arguments.used].used = argument.used;
- arguments.used++;
- argument.string = f_null;
- argument.size = 0;
- argument.used = 0;
+ arguments.array[arguments.used].string = argument.string;
+ arguments.array[arguments.used].size = argument.size;
+ arguments.array[arguments.used].used = argument.used;
+ arguments.used++;
+ argument.string = f_null;
+ argument.size = 0;
+ argument.used = 0;
+ }
+ }
}
- if (device.used > 0) {
+ // add the device if and only if a non-none direction is specified.
+ if (device.used > 0 && (direction == firewall_direction_input_id || direction == firewall_direction_output_id)) {
if (length < firewall_device_all_length || fl_compare_strings(local.buffer.string + local.rule_contents.array[i].array[0].start, (f_string) firewall_device_all, length, firewall_device_all_length) == f_not_equal_to) {
- if (direction_input) {
+ if (direction == firewall_direction_input_id) {
f_resize_dynamic_string(status, argument, firewall_device_input_command_length);
if (f_error_is_error(status)) break;
strncat(argument.string, firewall_device_input_command, firewall_device_input_command_length);
argument.used = firewall_device_input_command_length;
- } else if (direction_output) {
+ }
+ else if (direction == firewall_direction_output_id) {
f_resize_dynamic_string(status, argument, firewall_device_output_command_length);
if (f_error_is_error(status)) break;
strncat(argument.string, firewall_device_output_command, firewall_device_output_command_length);
argument.used = firewall_device_output_command_length;
}
+
+ if (argument.used > 0) {
+ f_resize_dynamic_strings(status, arguments, arguments.used + 1);
+
+ if (f_error_is_error(status)) break;
+
+ arguments.array[arguments.used].string = argument.string;
+ arguments.array[arguments.used].size = argument.size;
+ arguments.array[arguments.used].used = argument.used;
+ arguments.used++;
+ argument.string = f_null;
+ argument.size = 0;
+ argument.used = 0;
+ }
}
+ // add the device.
+ f_resize_dynamic_string(status, argument, device.used);
+ if (f_error_is_error(status)) break;
+
+ strncat(argument.string, device.string, device.used);
+ argument.used = device.used;
+
if (argument.used > 0) {
f_resize_dynamic_strings(status, arguments, arguments.used + 1);
argument.size = 0;
argument.used = 0;
}
-
- if (direction_input || direction_output) {
- f_resize_dynamic_string(status, argument, device.used);
- if (f_error_is_error(status)) break;
-
- strncat(argument.string, device.string, device.used);
- argument.used = device.used;
- }
- }
-
- if (argument.used > 0) {
- f_resize_dynamic_strings(status, arguments, arguments.used + 1);
-
- if (f_error_is_error(status)) break;
-
- arguments.array[arguments.used].string = argument.string;
- arguments.array[arguments.used].size = argument.size;
- arguments.array[arguments.used].used = argument.used;
- arguments.used++;
- argument.string = f_null;
- argument.size = 0;
- argument.used = 0;
}
if (use_protocol) {
if (argument.used > 0) {
f_resize_dynamic_strings(status, arguments, arguments.used + 1);
-
if (f_error_is_error(status)) break;
arguments.array[arguments.used].string = argument.string;
strncat(argument.string, protocol.string, protocol.used);
argument.used = protocol.used;
- }
- if (argument.used > 0) {
- f_resize_dynamic_strings(status, arguments, arguments.used + 1);
+ if (argument.used > 0) {
+ f_resize_dynamic_strings(status, arguments, arguments.used + 1);
- if (f_error_is_error(status)) break;
+ if (f_error_is_error(status)) break;
- arguments.array[arguments.used].string = argument.string;
- arguments.array[arguments.used].size = argument.size;
- arguments.array[arguments.used].used = argument.used;
- arguments.used++;
- argument.string = f_null;
- argument.size = 0;
- argument.used = 0;
+ arguments.array[arguments.used].string = argument.string;
+ arguments.array[arguments.used].size = argument.size;
+ arguments.array[arguments.used].used = argument.used;
+ arguments.used++;
+ argument.string = f_null;
+ argument.size = 0;
+ argument.used = 0;
+ }
}
// last up is the "rule"
f_string_length subcounter = 0;
if (is_ip_list) {
- // skip past the direction
+ // skip past the chain
subcounter++;
length = (local.rule_contents.array[i].array[subcounter].stop - local.rule_contents.array[i].array[subcounter].start) + 1;
break;
}
+ // now execute the generated commands.
if (arguments.used > 1) {
if (is_ip_list) {
f_file file = f_file_initialize;
arguments.array[arguments.used].used = ip_argument.used;
arguments.used++;
+ // print command when debugging.
+ #ifdef _en_firewall_debug_
+ if (data.parameters[firewall_parameter_debug].result == f_console_result_found) {
+ f_string_length i = 0;
+
+ fprintf(f_standard_output, "DEBUG: ");
+ for (; i < arguments.used; i++) {
+ fprintf(f_standard_output, "%s ", arguments.array[i].string);
+ }
+ fprintf(f_standard_output, "\n");
+ }
+ #endif // _en_firewall_debug_
+
status = fll_execute_program((f_string) current_tool, arguments, &results);
if (status == f_failure) {
if (status == f_failure || status == f_invalid_parameter) break;
} else {
+ // print command when debugging.
+ #ifdef _en_firewall_debug_
+ if (data.parameters[firewall_parameter_debug].result == f_console_result_found) {
+ f_string_length i = 0;
+
+ fprintf(f_standard_output, "DEBUG: ");
+ for (; i < arguments.used; i++) {
+ fprintf(f_standard_output, "%s ", arguments.array[i].string);
+ }
+ fprintf(f_standard_output, "\n");
+ }
+ #endif // _en_firewall_debug_
+
status = fll_execute_program(current_tool, arguments, &results);
if (status == f_failure) {
break;
}
}
- } // for
- }
- }
+ }
+ } // for
+ } // for
f_delete_dynamic_string(status2, ip_list);
f_delete_dynamic_string(status2, argument);
return status;
}
+ // print command when debugging.
+ #ifdef _en_firewall_debug_
+ if (data->parameters[firewall_parameter_debug].result == f_console_result_found) {
+ f_string_length i = 0;
+
+ fprintf(f_standard_output, "DEBUG: ");
+ for (; i < arguments.used; i++) {
+ fprintf(f_standard_output, "%s ", arguments.array[i].string);
+ }
+ fprintf(f_standard_output, "\n");
+ }
+ #endif // _en_firewall_debug_
+
tool = firewall_program_iptables;
status = fll_execute_program((f_string) firewall_tool_iptables, arguments, &results);
arguments.array[0].used = firewall_tool_ip6tables_length;
arguments.used = 3;
+ // print command when debugging.
+ #ifdef _en_firewall_debug_
+ if (data->parameters[firewall_parameter_debug].result == f_console_result_found) {
+ f_string_length i = 0;
+
+ fprintf(f_standard_output, "DEBUG: ");
+ for (; i < arguments.used; i++) {
+ fprintf(f_standard_output, "%s ", arguments.array[i].string);
+ }
+ fprintf(f_standard_output, "\n");
+ }
+ #endif // _en_firewall_debug_
+
tool = firewall_program_ip6tables;
status = fll_execute_program((f_string) firewall_tool_ip6tables, arguments, &results);
}
# fss-0002
# valid tool: iptables, ip6tables, ip46tables (ip46tables = both ip4 and ip6 tables, which is the default).
-# valid direction: input, output, forward, postrouting, postrouting-output, postrouting-input, prerouting, prerouting-output, prerouting-input, none.
+# valid direction: input, output, none.
# valid device: all, this, (any device name goes here without parenthesis).
# valid action: append, insert, policy, none.
# valid procotol: none, (any valid iptables protocol type, such as tcp, udp, and icmp).
+# reserved chains: INPUT, OUTPUT, FORWARD, POSTROUTING, PREROUTING, none (this only applies from within a 'main' list).
# some options for -j: ACCEPT, REJECT, DROP, RETURN, LOG, AUDIT, CHECKSUM, CLASSIFY, CLUSTERIP, CONNMARK, CONNSECMARK, CT, DNAT, DNPT, DSCP, ECN, HL, HMARK, IDLETIMER, LED, MARK, MASQUERADE, MIRROR, NETMAP, NFLOG, NFQUEUE, NOTRACK, RATETEST, REDIRECT, SAME, SECMARK, SET, SNAT, SNPT, TCPMSS,TCPOPTSTRIP, TEE, TOS, TPROXY, TRACE, TTL, ULOG.
# some options for -t: nat, mangle, filter, raw, security (filter is the default).
# some options for --state: NEW, ESTABLISHED, RELATED, INVALID, UNTRACKED, SNAT, DNAT.
# some options for --ctstatus: NONE, EXPECTED, SEEN_REPLY, ASSURED, CONFIRMED.
main:
+ chain INPUT
device this
- direction input
+ direction none
# Define a blacklist and a whitelist, put ip addresses in the file named 'example-device-whitelist' separated by whitespace to whitelist an ip address
# (ip_list might be removed in the future once I figure out how ipset works and confirm if ipset can replace my ip_list.)
#ip_list destination example-device-blacklist -j REJECT
# Connection marking for vlans or QoS (via: tc).
- #direction prerouting
+ #chain PREROUTING
#rule -t mangle -j CONNMARK --restore-mark
- #direction input
+ #chain INPUT
# save markings that have been restored (prerouting).
- #direction prerouting
+ #chain PREROUTING
#rule -t mangle -m mark --mark 2 -j CONNMARK --save-mark
#rule -t mangle -m mark --mark 3 -j CONNMARK --save-mark
- #direction input
+ #chain INPUT
# example rate limit using marking for port 22
#protocol tcp
+ #chain OUTPUT
#direction output
#rule -t mangle --sport 22 -j MARK --set-mark 2
+ #chain INPUT
#direction input
#rule -t mangle --dport 22 -j MARK --set-mark 2
+ #direction none
# rate limit when there are 8 or more connections from a single host.
#protocol tcp
- #direction output
+ #chain OUTPUT
#rule -t mangle -m connlimit --connlimit-above 7 -j MARK --set-mark 3
- #direction input
+ #chain INPUT
#rule -t mangle -m connlimit --connlimit-above 7 -j MARK --set-mark 3
# save markings that have been assigned (postrouting).
#protocol none
- #direction postrouting
+ #chain POSTROUTING
#rule -t mangle -m mark --mark 2 -j CONNMARK --save-mark
#rule -t mangle -m mark --mark 3 -j CONNMARK --save-mark
- #direction input
+ #chain INPUT
# randomly trigger the rule (51% of the time) and then the reset of the time go to the second rule.
protocol tcp
## Http / Web
- #rule --dport 80 -m state --state NEW -j LOG --log-prefix "TRAFFIC:WEB "
- #rule --dport 80 -m state --state NEW -j ACCEPT
+ #rule --dport 80 -j LOG --log-prefix "TRAFFIC:WEB "
+ #rule --dport 80 -j ACCEPT
## Http / Web redirect to Https / Secure Web
#tool iptables
- #direction prerouting-input
- #rule -t nat --dport 80 -m state --state NEW -j REDIRECT --to-port 443
+ #rule -t nat --dport 80 -j REDIRECT --to-port 443
#tool ip46tables
#direction input
## Https / Secure Web
- #rule --dport 443 -m state --state NEW -j LOG --log-prefix "TRAFFIC:WEB "
- #rule --dport 443 -m state --state NEW -j ACCEPT
+ #rule --dport 443 -j LOG --log-prefix "TRAFFIC:WEB "
+ #rule --dport 443 -j ACCEPT
## Http / Https / Web throttle connections that occur too often.
#rule --dport 80 --sync -m recent --name http_throttle --set
#rule --dport 443 --sync -m recent --name http_throttle --update --seconds 3 --hitcount 10 -j DROP
## MySQL
- #rule --dport 3306 -m state --state NEW -j ACCEPT
+ #rule --dport 3306 -j ACCEPT
## Music Player Daemon
- #rule --dport 6600 -m state --state NEW -j ACCEPT
+ #rule --dport 6600 -j ACCEPT
## Camsource
- #rule --dport 9192 -m state --state NEW -j ACCEPT
+ #rule --dport 9192 -j ACCEPT
## Cups Printer Administration
- #rule --dport 631 -m state --state NEW -j ACCEPT
+ #rule --dport 631 -j ACCEPT
## Ssh (OpenSSH)
- #rule --dport 22 -m state --state NEW -j LOG --log-prefix "TRAFFIC:SSH "
- #rule --dport 22 -m state --state NEW -j ACCEPT
+ #rule --dport 22 -j LOG --log-prefix "TRAFFIC:SSH "
+ #rule --dport 22 -j ACCEPT
## clamd (Clam Antivirus) - remote access, not needed for normal
- #rule --dport 3310 -m state --state NEW -j ACCEPT
+ #rule --dport 3310 -j ACCEPT
## Virtual Network Client Server (add 1 for each seperat vnc server)
- #rule --dport 5900 -m state --state NEW -j ACCEPT
+ #rule --dport 5900 -j ACCEPT
## Printer Port, is probably open...safer to close unless you are SERVING a printer
- #rule --dport 515 -m state --state NEW -j REJECT
+ #rule --dport 515 -j REJECT
## Subversion server
- #rule --dport 3690 -m state --state NEW -j ACCEPT
+ #rule --dport 3690 -j ACCEPT
## Silc server
- #rule --dport 706 -m state --state NEW -j ACCEPT
+ #rule --dport 706 -j ACCEPT
## Worms of Prey
- #rule --dport 47288 -m state --state NEW -j ACCEPT
+ #rule --dport 47288 -j ACCEPT
## Git Daemon
- #rule --dport 9418 -m state --state NEW -j ACCEPT
+ #rule --dport 9418 -j ACCEPT
## Ldap Server
#rule --dport 389 -j ACCEPT
protocol udp
## DNS Server (Bind or Maradns) (zoneserver from maradns does this portion)
- #rule --dport 53 -m state --state NEW -j ACCEPT
+ #rule --dport 53 -j ACCEPT
- ## DHCP Server
- #rule -m state --state NEW --dport 67 --sport 68 -j ACCEPT
- #rule -m state --state NEW --dport 68 --sport 67 -j ACCEPT
+ ## DHCP Server (providing dhcp address to clients)
+ #tool iptables
+ #rule --sport 68 -d 255.255.255.255 --dport 67 -j ACCEPT
+ #tool ip46tables
## Subversion server
- #rule --dport 3690 -m state --state NEW -j ACCEPT
+ #rule --dport 3690 -j ACCEPT
## Worms of Prey
- #rule --sport 47288:47544 -m state --state NEW -j ACCEPT
- #rule --dport 47288:47544 -m state --state NEW -j ACCEPT
+ #rule --sport 47288:47544 -j ACCEPT
+ #rule --dport 47288:47544 -j ACCEPT
input-icmp:
protocol icmp
# allow all icmp input, such as pings
- #rule -m state --state NEW -j ACCEPT
+ #rule -j ACCEPT
# allow icmp: echo reply (outbound ping)
- ##rule --icmp-type 0 -m state --state NEW -j ACCEPT
+ ##rule --icmp-type 0 -j ACCEPT
# allow icmp: destination unreachable
- #rule --icmp-type 3 -m state --state NEW -j ACCEPT
+ #rule --icmp-type 3 -j ACCEPT
# allow icmp: source quench
- #rule --icmp-type 4 -m state --state NEW -j ACCEPT
+ #rule --icmp-type 4 -j ACCEPT
# allow icmp: redirect
- #rule --icmp-type 5 -m state --state NEW -j ACCEPT
+ #rule --icmp-type 5 -j ACCEPT
# allow icmp: echo request (inbound ping)
- #rule --icmp-type 8 -m state --state NEW -j ACCEPT
+ #rule --icmp-type 8 -j ACCEPT
# allow icmp: router advertisement
- #rule --icmp-type 9 -m state --state NEW -j ACCEPT
+ #rule --icmp-type 9 -j ACCEPT
# allow icmp: router Solicitation
- #rule --icmp-type 10 -m state --state NEW -j ACCEPT
+ #rule --icmp-type 10 -j ACCEPT
# allow icmp: time exceeded
- #rule --icmp-type 11 -m state --state NEW -j ACCEPT
+ #rule --icmp-type 11 -j ACCEPT
# allow icmp: bad ip header
- #rule --icmp-type 12 -m state --state NEW -j ACCEPT
+ #rule --icmp-type 12 -j ACCEPT
# allow icmp: timestamp
- #rule --icmp-type 13 -m state --state NEW -j ACCEPT
+ #rule --icmp-type 13 -j ACCEPT
# allow icmp: timestamp reply
- #rule --icmp-type 14 -m state --state NEW -j ACCEPT
+ #rule --icmp-type 14 -j ACCEPT
# allow icmp: information request
- #rule --icmp-type 15 -m state --state NEW -j ACCEPT
+ #rule --icmp-type 15 -j ACCEPT
# allow icmp: information reply
- #rule --icmp-type 16 -m state --state NEW -j ACCEPT
+ #rule --icmp-type 16 -j ACCEPT
# allow icmp: address request
- #rule --icmp-type 17 -m state --state NEW -j ACCEPT
+ #rule --icmp-type 17 -j ACCEPT
# allow icmp: address reply
- #rule --icmp-type 18 -m state --state NEW -j ACCEPT
+ #rule --icmp-type 18 -j ACCEPT
# allow icmp: traceroute
- #rule --icmp-type 30 -m state --state NEW -j ACCEPT
+ #rule --icmp-type 30 -j ACCEPT
output-tcp:
protocol udp
## DNS Server (Bind or Maradns) (zoneserver from maradns does this portion)
- #rule --dport 53 -m state --state NEW -j ACCEPT
+ #rule --dport 53 -j ACCEPT
- ## DHCP Server
- #rule -m state --state NEW --dport 67 --sport 68 -j ACCEPT
+ ## DHCP Server (providing dhcp address to clients)
+ #tool iptables
+ #rule --sport 67 -d 255.255.255.255 --dport 68 -j ACCEPT
+ #tool ip46tables
output-icmp:
projects / fll / commitdiff