firewalld-recode
October 2014
firewalld-recode@lists.stg.fedorahosted.org
1 participants
42 discussions
[firewalld-recode] master: Added MapOp::findOne convenience function (7a73cfa)
by mildew@fedoraproject.org
23 Oct '14
Repository :
http://git.fedorahosted.org/cgit/firewalld-recode.git
On branch : master >--------------------------------------------------------------- commit 7a73cfa1c3565b5e6e6e950d8cd9480d7f75f950 Author: Daniel Kopecek <dkopecek(a)redhat.com> Date: Thu Oct 23 12:31:36 2014 +0200 Added MapOp::findOne convenience function >--------------------------------------------------------------- src/Common/Types.hpp | 13 +++++++++++++ 1 files changed, 13 insertions(+), 0 deletions(-) diff --git a/src/Common/Types.hpp b/src/Common/Types.hpp index 78f4109..e681954 100644 --- a/src/Common/Types.hpp +++ b/src/Common/Types.hpp @@ -87,6 +87,19 @@ namespace firewalld return std::move(std::unique_ptr<pointer_type>(new pointer_type(std::forward<Args>(args)...))); } + namespace MapOp { + template<typename map_type> + typename map_type::mapped_type findOne(const map_type& map, const typename map_type::key_type& key) + { + auto it = map.find(key); + if (it == map.end()) { + return typename map_type::mapped_type(); + } else { + return it->second; + } + } + } + namespace PointerMapOp { template<typename key_type, typename pointer_type> Pointer<pointer_type> findOne(const PointerMap<key_type, pointer_type>& map,
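Review bot: `MapOp::findOne` returns a default-constructed `mapped_type` when the key is absent, so a caller cannot distinguish a missing key from a key that is mapped to a default value (an empty string, zero, a null pointer), and every lookup copies the mapped value out of the map. Consider returning `const typename map_type::mapped_type*` (nullptr when absent) or a `std::pair<mapped_type, bool>` so the two cases are distinguishable, and document the "default on miss" behaviour if it is intentional. The unchanged context line just above wraps a prvalue in `std::move(std::unique_ptr<pointer_type>(...))`, which only inhibits copy elision; a plain `return std::unique_ptr<pointer_type>(...)` is enough.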
[firewalld-recode] master: Generalize the tokenizeString utility function (1464b6f)
by mildew@fedoraproject.org
22 Oct '14
Repository :
http://git.fedorahosted.org/cgit/firewalld-recode.git
On branch : master >--------------------------------------------------------------- commit 1464b6f29a2bee7bbe19fe1aac7caad5fa55f368 Author: Daniel Kopecek <dkopecek(a)redhat.com> Date: Wed Oct 22 13:15:04 2014 +0200 Generalize the tokenizeString utility function >--------------------------------------------------------------- src/Common/Utility.cpp | 23 ----------------------- src/Common/Utility.hpp | 24 +++++++++++++++++++++++- 2 files changed, 23 insertions(+), 24 deletions(-) diff --git a/src/Common/Utility.cpp b/src/Common/Utility.cpp index 59e89de..3bb73ab 100644 --- a/src/Common/Utility.cpp +++ b/src/Common/Utility.cpp @@ -218,29 +218,6 @@ namespace firewalld return retval; } - void tokenizeString(const String& str, StringVector& tokens, const String& delimiters, bool trim_empty) - { - String::size_type pos, last_pos = 0; - while(true) { - pos = str.find_first_of(delimiters, last_pos); - if(pos == String::npos) { - pos = str.length(); - - if(pos != last_pos || !trim_empty) { - tokens.push_back(StringVector::value_type(str.data() + last_pos, pos - last_pos)); - } - - break; - } else { - if(pos != last_pos || !trim_empty) { - tokens.push_back(StringVector::value_type(str.data() + last_pos, pos - last_pos)); - } - } - - last_pos = pos + 1; - } - } - String filenameFromPath(const String& filepath, bool include_extension) { const String directory_separator = "/"; diff --git a/src/Common/Utility.hpp b/src/Common/Utility.hpp index a748888..a73abef 100644 --- a/src/Common/Utility.hpp +++ b/src/Common/Utility.hpp 
@@ -47,7 +47,29 @@ namespace firewalld int runCommand(const char *path, const char *arg1, const char *arg2, int timeout_secs = 10); int runCommand(const String& path, const std::vector<String>& args = std::vector<String>(), int timeout_secs = 10); - void tokenizeString(const String& str, StringVector& tokens, const String& delimiters = " ", bool trim_empty = false); + template<typename StringType> + void tokenizeString(const StringType& str, std::vector<StringType>& tokens, const typename std::vector<StringType>::value_type delimiters, bool trim_empty = false) + { + typename StringType::size_type pos, last_pos = 0; + while(true) { + pos = str.find_first_of(delimiters, last_pos); + if(pos == StringType::npos) { + pos = str.length(); + + if(pos != last_pos || !trim_empty) { + tokens.push_back(StringType(str.data() + last_pos, pos - last_pos)); + } + + break; + } else { + if(pos != last_pos || !trim_empty) { + tokens.push_back(StringType(str.data() + last_pos, pos - last_pos)); + } + } + + last_pos = pos + 1; + } + } template<typename T> String numberToString(T number)
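Review bot: The new template signature drops the `= " "` default that the removed declaration had for `delimiters`, so any caller that relied on whitespace splitting now fails to compile or must be updated; the parameter is also spelled `const typename std::vector<StringType>::value_type delimiters`, which is just `StringType` taken by value and copies the delimiter string on every call. Suggest `const StringType& delimiters = StringType(" ")`. The loop body is a faithful move of the removed `Utility.cpp` code, but now that it lives in `Utility.hpp` it is instantiated in every translation unit, so state the requirements on `StringType` (`find_first_of`, `data()`, `npos`, a `(const CharT*, size)` constructor) in a comment above the template and make sure the header includes `<vector>`.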
[firewalld-recode] master: Remove unused methods and add transaction related ones to the Firewall class (a187923)
by mildew@fedoraproject.org
22 Oct '14
Repository :
http://git.fedorahosted.org/cgit/firewalld-recode.git
On branch : master >--------------------------------------------------------------- commit a187923ddd71aff67006f1733c9366ab5ec8d5a6 Author: Daniel Kopecek <dkopecek(a)redhat.com> Date: Wed Oct 22 13:12:53 2014 +0200 Remove unused methods and add transaction related ones to the Firewall class >--------------------------------------------------------------- src/Daemon/Firewall/Firewall.cpp | 80 ++++++++++--------------------------- src/Daemon/Firewall/Firewall.hpp | 24 ++++------- 2 files changed, 31 insertions(+), 73 deletions(-) diff --git a/src/Daemon/Firewall/Firewall.cpp b/src/Daemon/Firewall/Firewall.cpp index 18a2c35..f2d09d1 100644 --- a/src/Daemon/Firewall/Firewall.cpp +++ b/src/Daemon/Firewall/Firewall.cpp @@ -146,24 +146,6 @@ namespace firewalld } } - void Firewall::getAllZoneNames(UStringVector& names) const - { - for (auto const& map_entry : _zone_map) { - auto zone = map_entry.second; - names.push_back(zone->name()); - } - } - - void Firewall::getActiveZoneNames(UStringVector& names) const - { - for (auto const& map_entry : _zone_map) { - auto zone = map_entry.second; - if (zone->isActive()) { - names.push_back(zone->name()); - } - } - } - Pointer<Source> Firewall::getSource(const UString& source_spec) const { for (auto& map_entry : _zone_map) { 
@@ -188,86 +170,68 @@ namespace firewalld return nullptr; } - /////////////////////////// - const UString& Firewall::getDefaultZoneName() const { - Glib::Threads::Mutex::Lock lock(_mutex); return _default_zone; } bool Firewall::setDefaultZoneName(const UString& name) { - Glib::Threads::Mutex::Lock lock(_mutex); _default_zone = name; return true; } UStringVector Firewall::getAllZoneNames() const { - Glib::Threads::Mutex::Lock lock(_mutex); UStringVector keys; for (auto const& entry : _zone_map) { keys.push_back(entry.first); } - return keys; - } - - bool Firewall::addZoneName(const UString& name) - { - return true; + return std::move(keys); } UStringVector Firewall::getActiveZoneNames() const { - Glib::Threads::Mutex::Lock lock(_mutex); - UStringVector active_zones; + UStringVector names; - return active_zones; - } + for (auto const& map_entry : _zone_map) { + auto zone = map_entry.second; + if (zone->isActive()) { + names.push_back(zone->name()); + } + } - UStringVector Firewall::getZoneInterfaces(const UString& zone_name) const - { - Glib::Threads::Mutex::Lock lock(_mutex); + return std::move(names); } - UStringVector Firewall::getZoneSources(const UString& zone_name) const + Pointer<Transaction> Firewall::createTransaction() { - Glib::Threads::Mutex::Lock lock(_mutex); + return _backend->createTransaction(); } - void Firewall::addInterfaceToZone(const UString& zone_name, const UString& interface) + void Firewall::commitTransaction(Pointer<Transaction> transaction) { - Glib::Threads::Mutex::Lock lock(_mutex); + // TODO: process at the internal state level + // before executing the transaction in the + // backend + _backend->commitTransaction(transaction); } - void Firewall::addSourceToZone(const UString& zone_name, const UString& source) + void Firewall::removeTransaction(const String& identifier) { - Glib::Threads::Mutex::Lock lock(_mutex); + _backend->removeTransaction(identifier); } - void Firewall::removeSourceFromZone(const UString& zone_name, const UString& 
source) + size_t Firewall::countTransactions() const { - Glib::Threads::Mutex::Lock lock(_mutex); - - return; + return _backend->countTransactions(); } - UString Firewall::getZoneOfSource(const UString& source) const + void Firewall::processOperation(const UStringVector& op, bool undo) { - return UString(); + // TODO } } /* namespace firewalld */ - - - - - - - - - - diff --git a/src/Daemon/Firewall/Firewall.hpp b/src/Daemon/Firewall/Firewall.hpp index 7fa1115..f873ce8 100644 --- a/src/Daemon/Firewall/Firewall.hpp +++ b/src/Daemon/Firewall/Firewall.hpp 
@@ -65,34 +65,28 @@ namespace firewalld bool directIPv4QueryRule(const String& table, const String& chain, const String& rule_specification, int rule_num); bool directIPv6QueryRule(const String& table, const String& chain, const String& rule_specification, int rule_num); - // - // Zone interface - // + bool zoneExists(const UString& name) const; Pointer<Zone> getZone(const UString& name) const; - void getAllZoneNames(UStringVector& names) const; - void getActiveZoneNames(UStringVector& names) const; Pointer<Source> getSource(const UString& source_spec) const; Pointer<Interface> getInterface(const UString& interface_identifier) const; - /// REFACTORING /// const UString& getDefaultZoneName() const; bool setDefaultZoneName(const UString& name); - UStringVector getAllZoneNames() const; - bool addZoneName(const UString&); + UStringVector getAllZoneNames() const; UStringVector getActiveZoneNames() const; - UStringVector getZoneInterfaces(const UString& zone_name) const; - UStringVector getZoneSources(const UString& zone_name) const; - void addInterfaceToZone(const UString& zone_name, const UString& interface); - void addSourceToZone(const UString& zone_name, const UString& source); - void removeSourceFromZone(const UString& zone_name, const UString& source); - UString getZoneOfSource(const UString& source) const; + Pointer<Transaction> createTransaction(); + void commitTransaction(Pointer<Transaction> transaction); + void removeTransaction(const String& identifier); + size_t countTransactions() const; + + protected: + void processOperation(const UStringVector& op, bool undo = false); private: - mutable Glib::Threads::Mutex _mutex; UString _default_zone; PointerMap<UString,Zone> _zone_map;
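Review bot: Removing `mutable Glib::Threads::Mutex _mutex` and every `Glib::Threads::Mutex::Lock lock(_mutex)` from the `Firewall` accessors leaves `_zone_map` and `_default_zone` unsynchronized, and neither the commit message nor the code says where that serialization now lives; if D-Bus method handlers and backend callbacks can run on different threads, `getActiveZoneNames()` now iterates `_zone_map` while `setDefaultZoneName()` or a zone update may mutate it. Either document that `Firewall` is only touched from the main loop or keep a single lock at the transaction boundary. Two smaller points in the same file: `return std::move(keys);` and `return std::move(names);` on local variables defeat NRVO and should be plain `return keys;` / `return names;`; and `commitTransaction` forwards straight to `_backend->commitTransaction(transaction)` with the internal-state processing left as a `TODO`, so until `processOperation` is implemented the `Firewall` object's view of zones can diverge from what the backend actually applied.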
[firewalld-recode] master: Initialize the nat table in LinuxXTables backend (564ecef)
by mildew@fedoraproject.org
22 Oct '14
Repository :
http://git.fedorahosted.org/cgit/firewalld-recode.git
On branch : master >--------------------------------------------------------------- commit 564ecef947b2cdee6dcd2a3f2639ab9c8987c089 Author: Daniel Kopecek <dkopecek(a)redhat.com> Date: Wed Oct 22 13:11:56 2014 +0200 Initialize the nat table in LinuxXTables backend >--------------------------------------------------------------- src/Daemon/Backends/LinuxXTables.cpp | 11 +++++++++-- 1 files changed, 9 insertions(+), 2 deletions(-) diff --git a/src/Daemon/Backends/LinuxXTables.cpp b/src/Daemon/Backends/LinuxXTables.cpp index 782172f..8f57893 100644 --- a/src/Daemon/Backends/LinuxXTables.cpp +++ b/src/Daemon/Backends/LinuxXTables.cpp @@ -87,7 +87,15 @@ namespace firewalld // // Initialize -t nat chains // - + ipXtables->newChain("nat", "PREROUTING_ZONES"); + ipXtables->newChain("nat", "PREROUTING_ZONES_SOURCE"); + ipXtables->insertRule("nat", "PREROUTING", "-j PREROUTING_ZONES_SOURCE", 1); + ipXtables->insertRule("nat", "PREROUTING", "-j PREROUTING_ZONES", 2); + + ipXtables->newChain("nat", "POSTROUTING_ZONES"); + ipXtables->newChain("nat", "POSTROUTING_ZONES_SOURCE"); + ipXtables->insertRule("nat", "POSTROUTING", "-j POSTROUTING_ZONES_SOURCE", 1); + ipXtables->insertRule("nat", "POSTROUTING", "-j POSTROUTING_ZONES", 2); } } @@ -117,7 +125,6 @@ namespace firewalld String zone_name = op[1]; // XXX: Do we trust the input values? - for (IPTables * const ipXtables : { &_ip4tables, &_ip6tables }) { for (const String& prefix : { "IN_", "FWDI_", "FWDO_" }) { for (const String& suffix : { "", "_allow", "_deny", "_log" }) {
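Review bot: The `// XXX: Do we trust the input values?` question beside `String zone_name = op[1];` is still open after this hunk (only the blank line under it is removed), and `zone_name` is concatenated with the `IN_`/`FWDI_`/`FWDO_` prefixes and `_allow`/`_deny`/`_log` suffixes to form chain names handed to iptables. Validate `zone_name` against the allowed zone-name character set and a maximum length before it reaches that loop and reject anything else, so a malformed operation cannot produce unexpected chain names. In the nat initialization above, the hard-coded `insertRule(..., 1)` / `insertRule(..., 2)` positions assume `PREROUTING` and `POSTROUTING` are otherwise empty at startup; on a daemon restart with chains already populated the resulting jump order should be verified rather than assumed.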
[firewalld-recode] master: Setup correct default state in EB/IPtables classes (09fd81e)
by mildew@fedoraproject.org
22 Oct '14
Repository :
http://git.fedorahosted.org/cgit/firewalld-recode.git
On branch : master >--------------------------------------------------------------- commit 09fd81efe96f7daedf4dff6672eb4375c1b988f4 Author: Daniel Kopecek <dkopecek(a)redhat.com> Date: Wed Oct 22 13:10:53 2014 +0200 Setup correct default state in EB/IPtables classes >--------------------------------------------------------------- src/Daemon/Backends/Linux/EBTables.cpp | 19 ++++++++++++++----- src/Daemon/Backends/Linux/IPTables.cpp | 15 +++++++++++++-- 2 files changed, 27 insertions(+), 7 deletions(-) diff --git a/src/Daemon/Backends/Linux/EBTables.cpp b/src/Daemon/Backends/Linux/EBTables.cpp index c7b80fa..c00ab5b 100644 --- a/src/Daemon/Backends/Linux/EBTables.cpp +++ b/src/Daemon/Backends/Linux/EBTables.cpp @@ -25,18 +25,27 @@ namespace firewalld { EBTables::EBTables() { - newChain("filter", "INPUT", false); + newChain("filter", "INPUT", false, true); setChainPolicy("filter", "INPUT", "ACCEPT"); - newChain("filter", "FORWARD", false); + newChain("filter", "FORWARD", false, true); setChainPolicy("filter", "FORWARD", "ACCEPT"); - newChain("filter", "OUTPUT", false); + newChain("filter", "OUTPUT", false, true); setChainPolicy("filter", "OUTPUT", "ACCEPT"); + + newChain("broute", "BROUTING", false, true); + setChainPolicy("broute", "BROUTING", "ACCEPT"); + + newChain("nat", "PREROUTING", false, true); + setChainPolicy("nat", "PREROUTING", "ACCEPT"); + newChain("nat", "OUTPUT", false, true); + setChainPolicy("nat", "OUTPUT", "ACCEPT"); + newChain("nat", "POSTROUTING", false, true); + setChainPolicy("nat", "POSTROUTING", "ACCEPT"); } const StringVector EBTables::listTables() const { - const StringVector tables({ "filter", "nat", "broute" }); - return tables; + return { "filter", "nat", "broute" }; } XTable& EBTables::getTableRef(const String& table) diff --git a/src/Daemon/Backends/Linux/IPTables.cpp b/src/Daemon/Backends/Linux/IPTables.cpp index f6d36ee..2787019 100644 --- a/src/Daemon/Backends/Linux/IPTables.cpp +++ b/src/Daemon/Backends/Linux/IPTables.cpp 
@@ -57,6 +57,18 @@ namespace firewalld setChainPolicy("mangle", "OUTPUT", "ACCEPT"); newChain("mangle", "POSTROUTING", false, true); setChainPolicy("mangle", "POSTROUTING", "ACCEPT"); + + newChain("raw", "PREROUTING", false, true); + setChainPolicy("raw", "PREROUTING", "ACCEPT"); + newChain("raw", "OUTPUT", false, true); + setChainPolicy("raw", "OUTPUT", "ACCEPT"); + + newChain("security", "INPUT", false, true); + setChainPolicy("security", "INPUT", "ACCEPT"); + newChain("security", "FORWARD", false, true); + setChainPolicy("security", "FORWARD", "ACCEPT"); + newChain("security", "OUTPUT", false, true); + setChainPolicy("security", "OUTPUT", "ACCEPT"); } XTable& IPTables::getTableRef(const String& table) @@ -71,8 +83,7 @@ namespace firewalld const StringVector IPTables::listTables() const { - StringVector tables({"security", "raw", "nat", "mangle", "filter"}); - return tables; + return {"security", "raw", "nat", "mangle", "filter"}; } int IPTables::execute(const XTables::Operation& op)
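Review bot: Every `newChain(...)` call here now carries two positional booleans (`false, true`) whose meaning is invisible at the call site; a reader cannot tell whether the fourth argument marks a built-in chain, a pre-existing one, or something else. Suggest named constants or an enum in the `newChain` signature (for example a `ChainKind` parameter) instead of bare `true`/`false`. The `listTables()` simplifications (`return { "filter", "nat", "broute" };`) are fine, and the table lists do match the chains initialized in the constructors (`EBTables`: `filter`, `broute`, `nat`; `IPTables` now adds `raw` and `security`), but that correspondence is easy to break later, so a small test asserting that every table returned by `listTables()` has its built-in chains registered would catch drift.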
[firewalld-recode] master: Remove locking code from XTable::Operation structure implementation (19c4c42)
by mildew@fedoraproject.org
22 Oct '14
Repository :
http://git.fedorahosted.org/cgit/firewalld-recode.git
On branch : master >--------------------------------------------------------------- commit 19c4c42635e8f5e7ae64bfe6915d66f5fb7c9be0 Author: Daniel Kopecek <dkopecek(a)redhat.com> Date: Wed Oct 22 13:10:06 2014 +0200 Remove locking code from XTable::Operation structure implementation >--------------------------------------------------------------- src/Daemon/Backends/Linux/XTables.hpp | 18 +++++------------- 1 files changed, 5 insertions(+), 13 deletions(-) diff --git a/src/Daemon/Backends/Linux/XTables.hpp b/src/Daemon/Backends/Linux/XTables.hpp index 6994300..1c9a428 100644 --- a/src/Daemon/Backends/Linux/XTables.hpp +++ b/src/Daemon/Backends/Linux/XTables.hpp @@ -71,7 +71,6 @@ namespace firewalld String _name; StringVector _direct; ChainMap _chains; - Glib::Threads::Mutex _mutex; friend class XTables; }; 
@@ -97,36 +96,31 @@ namespace firewalld struct Operation { Operation(XTable& _table, Command _command) - : _lock(_table._mutex), - table(_table), + : table(_table), chain(""), command(_command), specification(""), rule_priority(-1) {} Operation(XTable& _table, const String& _chain, Command _command, const String& _specification = "") - : _lock(_table._mutex), - table(_table), + : table(_table), chain(_chain), command(_command), specification(_specification), rule_priority(-1) {} Operation(XTable& _table, const String& _chain, Command _command, int _rule_priority) - : _lock(_table._mutex), - table(_table), + : table(_table), chain(_chain), command(_command), specification(""), rule_priority(_rule_priority) {} Operation(XTable& _table, const String& _chain, Command _command, const String& _specification, int _rule_priority) - : _lock(_table._mutex), - table(_table), + : table(_table), chain(_chain), command(_command), specification(_specification), rule_priority(_rule_priority) {} Operation(XTable& _table, Command _command, const String& _specification) - : _lock(_table._mutex), - table(_table), + : table(_table), chain(""), command(_command), specification(_specification), @@ -137,8 +131,6 @@ namespace firewalld Command command; const String& specification; int rule_priority; - private: - Glib::Threads::Mutex::Lock _lock; }; virtual const StringVector listTables() const = 0;
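Review bot: With `_lock` gone, the remaining members expose a dangling-reference hazard: `Operation` stores `const String& specification;`, yet `Operation(XTable&, Command)` and `Operation(XTable&, const String&, Command, int)` initialize it with `specification("")`, and `Operation(XTable&, const String&, Command, const String& _specification = "")` defaults it from a temporary, so in those cases `specification` refers to a `String` that is destroyed at the end of the constructor call. Make `specification` a `String` held by value, or require callers to pass a string that outlives the `Operation`. Separately, deleting `Glib::Threads::Mutex _mutex` from `XTable` and the `_lock` member from `Operation` removes the per-table serialization that constructing an `Operation` used to provide; the commit message should say which layer now guarantees that two `Operation`s on the same `XTable` are not executed concurrently.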
[firewalld-recode] master: Overload << operator for list and vector type (eac51ef)
by mildew@fedoraproject.org
22 Oct '14
Repository :
http://git.fedorahosted.org/cgit/firewalld-recode.git
On branch : master >--------------------------------------------------------------- commit eac51ef7577a31a6f679bbf184d584c4440d0ffe Author: Daniel Kopecek <dkopecek(a)redhat.com> Date: Wed Oct 22 13:08:22 2014 +0200 Overload << operator for list and vector type >--------------------------------------------------------------- src/Common/Types.hpp | 12 ++++++++++++ 1 files changed, 12 insertions(+), 0 deletions(-) diff --git a/src/Common/Types.hpp b/src/Common/Types.hpp index 999ea78..78f4109 100644 --- a/src/Common/Types.hpp +++ b/src/Common/Types.hpp @@ -28,6 +28,18 @@ namespace firewalld { + template<typename T> + void operator<<(std::list<T> list, const T& value) + { + list.push_back(value); + } + + template<typename T> + void operator<<(std::vector<T> list, const T& value) + { + list.push_back(value); + } + // char strings typedef std::string String; typedef std::vector<String> StringVector;
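Review bot: Both new `operator<<` overloads take the container by value (`std::list<T> list`, `std::vector<T> list`), so `list.push_back(value)` appends to a copy and the caller's container is left unchanged; as written, `vec << x;` compiles and silently does nothing. They should take `std::list<T>&` / `std::vector<T>&` and return that reference so calls can be chained (`vec << a << b`). Add `#include <list>` and `#include <vector>` to `Types.hpp` if they are not already pulled in, and consider whether overloading `<<` for standard containers inside namespace `firewalld` is worth the readability cost compared with a plain `push_back`.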
[firewalld-recode] master: Added IPAddress type implementation (2912a7b)
by mildew@fedoraproject.org
22 Oct '14
Repository :
http://git.fedorahosted.org/cgit/firewalld-recode.git
On branch : master >--------------------------------------------------------------- commit 2912a7b44773a2165e0e49bdb7066b0d7d9742a3 Author: Daniel Kopecek <dkopecek(a)redhat.com> Date: Wed Oct 22 13:05:38 2014 +0200 Added IPAddress type implementation >--------------------------------------------------------------- src/Daemon/Firewall/IPAddress.cpp | 83 +++++++++++++++++++++++++++++++++++++ src/Daemon/Firewall/IPAddress.hpp | 32 ++++++++++++++ 2 files changed, 115 insertions(+), 0 deletions(-) diff --git a/src/Daemon/Firewall/IPAddress.cpp b/src/Daemon/Firewall/IPAddress.cpp new file mode 100644 index 0000000..ed64bf6 --- /dev/null +++ b/src/Daemon/Firewall/IPAddress.cpp 
@@ -0,0 +1,83 @@ +#include "Common/Types.hpp" +#include "Common/Utility.hpp" +#include "IPAddress.hpp" +#include <arpa/inet.h> +#include <stdexcept> +#include <glibmm/regex.h> + +namespace firewalld +{ + + IPAddress::IPAddress(const UString& addr_spec) + { + UString ip; + UString net; + Protocol ip_protocol = Protocol::Unknown; + Protocol net_protocol = Protocol::Unknown; + + UString::size_type slash_pos = addr_spec.find_first_of('/'); + + if (slash_pos != UString::npos) { + _is_network = true; + ip = addr_spec.substr(0, slash_pos); + net = addr_spec.substr(slash_pos + 1); + + // + // Net has to be either /<N> (IPv4/6) or /<n>.<n>.<n>.<n> (IPv4) + // + auto regex_cidr = Glib::Regex::create("^[0-9]{1,2}$"); + auto regex_ipv4 = Glib::Regex::create("^([0-9]{1,2}\\.){3}[0-9]{1,2}$"); + + if (regex_ipv4->match(net)) { + struct ::sockaddr_storage sa; + if (::inet_pton(AF_INET, net.c_str(), &sa) != 1) { + + } + net_protocol = Protocol::IPv4; + } else if (regex_cidr->match(net)) { + int cidr = stringToNumber<int>(net); + if (cidr < 0 || cidr > 32) { + throw std::runtime_error("Invalid IP address cidr subnet specification "); + } + } else { + throw std::runtime_error("Invalid IP address subnet specification"); + } + } else { + _is_network = false; + ip = addr_spec; + } + + struct ::sockaddr_storage sa; + + if (::inet_pton(AF_INET, ip.c_str(), &sa) != 1) { + if (::inet_pton(AF_INET6, ip.c_str(), &sa) != 1) { + throw std::runtime_error("Invalid IP address"); + } + } + // + // If we got here, it's a correct IP address spec + // + _addr_spec = addr_spec; + } + + bool IPAddress::isNetwork() const + { + return _is_network; + } + + IPAddress::Protocol IPAddress::protocol() const + { + return _protocol; + } + + const UString& IPAddress::toUString() const + { + return _addr_spec; + } + + const String& IPAddress::toString() const + { + return _addr_spec.raw(); + } + +} /* namespace firewalld */ 
diff --git a/src/Daemon/Firewall/IPAddress.hpp b/src/Daemon/Firewall/IPAddress.hpp new file mode 100644 index 0000000..7b6e5f2 --- /dev/null +++ b/src/Daemon/Firewall/IPAddress.hpp @@ -0,0 +1,32 @@ +#ifndef FIREWALLD_FIREWALL_IPADDRESS_HPP +#define FIREWALLD_FIREWALL_IPADDRESS_HPP + +namespace firewalld +{ + + class IPAddress + { + public: + enum Protocol { + IPv4, + IPv6, + Unknown + }; + + IPAddress(const UString& addr_spec); + + bool isNetwork() const; + Protocol protocol() const; + + const UString& toUString() const; + const String& toString() const; + + private: + UString _addr_spec; + Protocol _protocol; + bool _is_network; + }; + +} /* namespace firewalld */ + +#endif /* FIREWALLD_FIREWALL_IPADDRESS_HPP */
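Review bot: The IPv4-netmask branch in `IPAddress::IPAddress` has an empty failure body: `if (::inet_pton(AF_INET, net.c_str(), &sa) != 1) { }` falls through and still sets `net_protocol = Protocol::IPv4`, so a spec such as `10.0.0.0/99.99.99.99` is accepted; it should throw the same `std::runtime_error` as the CIDR branch. Four more problems in the same constructor: both regexes use `[0-9]{1,2}` per octet, so any real netmask containing `255` fails `regex_ipv4` and is rejected as "Invalid IP address subnet specification" (use `[0-9]{1,3}`); `_protocol` is never assigned (the `ip_protocol` / `net_protocol` locals are computed and discarded), so `protocol()` returns an indeterminate value; the check `cidr < 0 || cidr > 32` rejects every valid IPv6 prefix longer than /32, and `^[0-9]{1,2}$` cannot even express /100 to /128, so the bound should depend on the address family established by the `inet_pton` calls below; and a dotted netmask is not rejected when the address part parses as IPv6. On the header side, `IPAddress.hpp` uses `UString` and `String` without including `Common/Types.hpp`, so it compiles only when an includer has pulled that in first.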
[firewalld-recode] master: Use a transaction based backend abstraction (99fa453)
by mildew@fedoraproject.org
20 Oct '14
Repository :
http://git.fedorahosted.org/cgit/firewalld-recode.git
On branch : master >--------------------------------------------------------------- commit 99fa453cccd526c24fb7092da104eb86e49abd6b Author: Daniel Kopecek <dkopecek(a)redhat.com> Date: Mon Oct 20 14:07:34 2014 +0200 Use a transaction based backend abstraction - use a simple transaction protocol for interacting with the system firewall via a firewall backend implementation (initial implementation) - got rid of useless methods in XTables derived classes - require implementation of getTableRef, listTables and the execute methods in XTables derived classes - Adapt EB/IPTables code >--------------------------------------------------------------- CMakeLists.txt | 3 +- src/Daemon/Backends/Linux/EBTables.cpp | 66 +-------- src/Daemon/Backends/Linux/EBTables.hpp | 16 +-- src/Daemon/Backends/Linux/IPTables.cpp | 138 +++++------------- src/Daemon/Backends/Linux/IPTables.hpp | 31 +--- src/Daemon/Backends/Linux/XTables.hpp | 54 +++++-- src/Daemon/Backends/LinuxXTables.cpp | 255 ++++++++++++++++++++++++++++++++ src/Daemon/Backends/LinuxXTables.hpp | 38 +++++ src/Daemon/Firewall/Backend.cpp | 12 ++- src/Daemon/Firewall/Backend.hpp | 10 +- src/Daemon/Firewall/BackendOpTable.hpp | 30 ++++ src/Daemon/Firewall/Firewall.cpp | 25 +-- src/Daemon/Firewall/Firewall.hpp | 9 +- src/Daemon/Firewall/Transaction.cpp | 4 +- src/Daemon/Firewall/Transaction.hpp | 6 +- tests/iptables/test_iptables.cpp | 4 +- 16 files changed, 448 insertions(+), 253 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 90c5357..9233894 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -25,6 +25,7 @@ file(GLOB daemon_dbus_methods_SOURCES file(GLOB daemon_SOURCES "src/Daemon/*.cpp" "src/Daemon/*.hpp" + "src/Daemon/Backends/*.[ch]pp" "src/Daemon/Backends/Linux/*.cpp" "src/Daemon/Backends/Linux/*.hpp" "src/Daemon/Firewall/*.cpp" 
@@ -49,7 +50,7 @@ include_directories(${CMAKE_SOURCE_DIR}/src/) add_executable(glib-vgsupp-helper glib-vgsupp-helper.cpp) target_link_libraries(glib-vgsupp-helper ${GLIBMM_LIBRARIES} ${GIOMM_LIBRARIES}) -set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DUNITTEST") +#set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -DUNITTEST") # Compile test: sysctl add_executable(test_sysctl diff --git a/src/Daemon/Backends/Linux/EBTables.cpp b/src/Daemon/Backends/Linux/EBTables.cpp index f25b960..c7b80fa 100644 --- a/src/Daemon/Backends/Linux/EBTables.cpp +++ b/src/Daemon/Backends/Linux/EBTables.cpp @@ -33,10 +33,10 @@ namespace firewalld setChainPolicy("filter", "OUTPUT", "ACCEPT"); } - int EBTables::listTables(StringVector &tables) const + const StringVector EBTables::listTables() const { - tables = { "filter", "nat", "broute" }; - return 0; + const StringVector tables({ "filter", "nat", "broute" }); + return tables; } XTable& EBTables::getTableRef(const String& table) 
@@ -47,66 +47,6 @@ namespace firewalld throw std::runtime_error("Unknown EBtables table name"); } - int EBTables::appendRule(const String& table, const String& chain, const String& rule_spec, int rule_priority) - { - return XTables::appendRule(getTableRef(table), chain, rule_spec, rule_priority); - } - - int EBTables::deleteRule(const String& table, const String& chain, const String& rule_spec, int rule_priority) - { - return XTables::deleteRule(getTableRef(table), chain, rule_spec, rule_priority); - } - - bool EBTables::ruleExists(const String& table, const String& chain, const String& rule_spec, int rule_priority) - { - return XTables::ruleExists(getTableRef(table), chain, rule_spec, rule_priority); - } - - int EBTables::insertRule(const String& table, const String& chain, const String& rule_spec, int rule_priority) - { - return XTables::insertRule(getTableRef(table), chain, rule_spec, rule_priority); - } - - int EBTables::listRules(const String& table, const String& chain, StringVectorMap<int>& rule_specs) - { - return XTables::listRules(getTableRef(table), chain, rule_specs); - } - - int EBTables::newChain(const String& table, const String& chain, bool user_defined) - { - return XTables::newChain(getTableRef(table), chain, user_defined); - } - - int EBTables::setChainPolicy(const String& table, const String& chain, const String& policy) - { - return XTables::setChainPolicy(getTableRef(table), chain, policy); - } - - int EBTables::renameChain(const String& table, const String& old_chain_name, const String& new_chain_name) - { - return XTables::renameChain(getTableRef(table), old_chain_name, new_chain_name); - } - - int EBTables::deleteChain(const String& table, const String& chain) - { - return XTables::deleteChain(getTableRef(table), chain); - } - - int EBTables::listChains(const String& table, StringVector& chains) - { - return XTables::listChains(getTableRef(table), chains); - } - - bool EBTables::chainExists(const String& table, const String& chain) - { - 
return XTables::chainExists(getTableRef(table), chain); - } - - int EBTables::passthrough(const String& table, const String& direct_specification) - { - return XTables::direct(getTableRef(table), direct_specification); - } - int EBTables::execute(const XTables::Operation &op) { StringVector args; diff --git a/src/Daemon/Backends/Linux/EBTables.hpp b/src/Daemon/Backends/Linux/EBTables.hpp index c1dd93e..1398ab4 100644 --- a/src/Daemon/Backends/Linux/EBTables.hpp +++ b/src/Daemon/Backends/Linux/EBTables.hpp @@ -34,21 +34,7 @@ namespace firewalld public: EBTables(); - int listTables(StringVector& tables) const; - - int appendRule(const String& table, const String& chain, const String& rule_spec, int rule_priority); - int deleteRule(const String& table, const String& chain, const String& rule_spec, int rule_priority); - bool ruleExists(const String& table, const String& chain, const String& rule_spec, int rule_priority); - int insertRule(const String& table, const String& chain, const String& rule_spec, int rule_priority); - int listRules(const String& table, const String& chain, StringVectorMap<int>& rule_specs); - - int newChain(const String& table, const String& chain, bool user_defined = true); - int setChainPolicy(const String& table, const String& chain, const String& policy); - int renameChain(const String& table, const String& old_chain_name, const String& new_chain_name); - int deleteChain(const String& table, const String& chain); - int listChains(const String& table, StringVector& chains); - bool chainExists(const String& table, const String& chain); - int passthrough(const String& table, const String& direct_specification); + const StringVector listTables() const; protected: XTable& getTableRef(const String& table); diff --git a/src/Daemon/Backends/Linux/IPTables.cpp b/src/Daemon/Backends/Linux/IPTables.cpp index 84fa330..f6d36ee 100644 --- a/src/Daemon/Backends/Linux/IPTables.cpp +++ b/src/Daemon/Backends/Linux/IPTables.cpp 
@@ -27,122 +27,52 @@ namespace firewalld : _filter("filter"), _nat("nat"), _mangle("mangle"), + _security("security"), + _raw("raw"), _ipXtables_path(ipXtables_path) { - XTables::newChain(_filter, "INPUT", false, true); - XTables::setChainPolicy(_filter, "INPUT", "ACCEPT"); - XTables::newChain(_filter, "FORWARD", false, true); - XTables::setChainPolicy(_filter, "FORWARD", "ACCEPT"); - XTables::newChain(_filter, "OUTPUT", false, true); - XTables::setChainPolicy(_filter, "OUTPUT", "ACCEPT"); - - XTables::newChain(_nat, "PREROUTING", false, true); - XTables::setChainPolicy(_nat, "PREROUTING", "ACCEPT"); - XTables::newChain(_nat, "INPUT", false, true); - XTables::setChainPolicy(_nat, "INPUT", "ACCEPT"); - XTables::newChain(_nat, "OUTPUT", false, true); - XTables::setChainPolicy(_nat, "OUTPUT", "ACCEPT"); - XTables::newChain(_nat, "POSTROUTING", false, true); - XTables::setChainPolicy(_nat, "POSTROUTING", "ACCEPT"); - - XTables::newChain(_mangle, "PREROUTING", false, true); - XTables::setChainPolicy(_mangle, "PREROUTING", "ACCEPT"); - XTables::newChain(_mangle, "INPUT", false, true); - XTables::setChainPolicy(_mangle, "INPUT", "ACCEPT"); - XTables::newChain(_mangle, "FORWARD", false, true); - XTables::setChainPolicy(_mangle, "FORWARD", "ACCEPT"); - XTables::newChain(_mangle, "OUTPUT", false, true); - XTables::setChainPolicy(_mangle, "OUTPUT", "ACCEPT"); - XTables::newChain(_mangle, "POSTROUTING", false, true); - XTables::setChainPolicy(_mangle, "POSTROUTING", "ACCEPT"); - } - - XTable& IPTables::getTableRef(Table table) - { - switch(table) { - case Table::Filter: return _filter; - case Table::NAT: return _nat; - case Table::Mangle: return _mangle; - } + newChain("filter", "INPUT", false, true); + setChainPolicy("filter", "INPUT", "ACCEPT"); + newChain("filter", "FORWARD", false, true); + setChainPolicy("filter", "FORWARD", "ACCEPT"); + newChain("filter", "OUTPUT", false, true); + setChainPolicy("filter", "OUTPUT", "ACCEPT"); + + newChain("nat", "PREROUTING", false, 
true); + setChainPolicy("nat", "PREROUTING", "ACCEPT"); + newChain("nat", "INPUT", false, true); + setChainPolicy("nat", "INPUT", "ACCEPT"); + newChain("nat", "OUTPUT", false, true); + setChainPolicy("nat", "OUTPUT", "ACCEPT"); + newChain("nat", "POSTROUTING", false, true); + setChainPolicy("nat", "POSTROUTING", "ACCEPT"); + + newChain("mangle", "PREROUTING", false, true); + setChainPolicy("mangle", "PREROUTING", "ACCEPT"); + newChain("mangle", "INPUT", false, true); + setChainPolicy("mangle", "INPUT", "ACCEPT"); + newChain("mangle", "FORWARD", false, true); + setChainPolicy("mangle", "FORWARD", "ACCEPT"); + newChain("mangle", "OUTPUT", false, true); + setChainPolicy("mangle", "OUTPUT", "ACCEPT"); + newChain("mangle", "POSTROUTING", false, true); + setChainPolicy("mangle", "POSTROUTING", "ACCEPT"); } XTable& IPTables::getTableRef(const String& table) { + if (table == "security") return _security; + if (table == "raw") return _raw; if (table == "filter") return _filter; if (table == "nat") return _nat; if (table == "mangle") return _mangle; throw std::runtime_error("Unknown IPTables table name"); } - int IPTables::listTables(StringVector &tables) const - { - tables = { "filter", "nat", "mangle" }; - return 0; - } - - int IPTables::appendRule(Table table, const String& chain, const String& rule_spec, int rule_priority) - { - return XTables::appendRule(getTableRef(table), chain, rule_spec, rule_priority); - } - - int IPTables::appendRule(const String& table, const String& chain, const String& rule_spec, int rule_priority) - { - return XTables::appendRule(getTableRef(table), chain, rule_spec, rule_priority); - } - - int IPTables::deleteRule(const String& table, const String& chain, const String& rule_spec, int rule_priority) - { - return XTables::deleteRule(getTableRef(table), chain, rule_spec, rule_priority); - } - - bool IPTables::ruleExists(const String& table, const String& chain, const String& rule_spec, int rule_priority) - { - return 
XTables::ruleExists(getTableRef(table), chain, rule_spec, rule_priority); - } - - int IPTables::insertRule(const String& table, const String& chain, const String& rule_spec, int rule_priority) - { - return XTables::insertRule(getTableRef(table), chain, rule_spec, rule_priority); - } - - int IPTables::listRules(const String& table, const String& chain, StringVectorMap<int>& rule_specs) - { - return XTables::listRules(getTableRef(table), chain, rule_specs); - } - - int IPTables::newChain(const String& table, const String& chain, bool user_defined) - { - return XTables::newChain(getTableRef(table), chain, user_defined); - } - - int IPTables::setChainPolicy(const String& table, const String& chain, const String& policy) - { - return XTables::setChainPolicy(getTableRef(table), chain, policy); - } - - int IPTables::renameChain(const String& table, const String& old_chain_name, const String& new_chain_name) - { - return XTables::renameChain(getTableRef(table), old_chain_name, new_chain_name); - } - - int IPTables::deleteChain(const String& table, const String& chain) - { - return XTables::deleteChain(getTableRef(table), chain); - } - - int IPTables::listChains(const String& table, StringVector& chains) - { - return XTables::listChains(getTableRef(table), chains); - } - - bool IPTables::chainExists(const String& table, const String& chain) - { - return XTables::chainExists(getTableRef(table), chain); - } - - int IPTables::passthrough(const String& table, const String& direct_specification) + const StringVector IPTables::listTables() const { - return XTables::direct(getTableRef(table), direct_specification); + StringVector tables({"security", "raw", "nat", "mangle", "filter"}); + return tables; } int IPTables::execute(const XTables::Operation& op) @@ -239,8 +169,8 @@ namespace firewalld int IPTables::execute(const StringVector& args) { -#ifdef UNITTEST LOG(DEBUG) << _ipXtables_path << " " << args; +#ifdef UNITTEST return 0; #else return runCommand(_ipXtables_path, args); 
diff --git a/src/Daemon/Backends/Linux/IPTables.hpp b/src/Daemon/Backends/Linux/IPTables.hpp index 16263e6..81b0881 100644 --- a/src/Daemon/Backends/Linux/IPTables.hpp +++ b/src/Daemon/Backends/Linux/IPTables.hpp @@ -34,42 +34,23 @@ namespace firewalld class IPTables : public XTables { public: - enum class Table { - Filter, - NAT, - Mangle - }; - IPTables(const char * const ipXtables_path); - int listTables(StringVector& tables) const; - - int appendRule(Table table, const String& chain, const String& rule_spec, int rule_priority); - int appendRule(const String& table, const String& chain, const String& rule_spec, int rule_priority); - int deleteRule(const String& table, const String& chain, const String& rule_spec, int rule_priority); - bool ruleExists(const String& table, const String& chain, const String& rule_spec, int rule_priority); - int insertRule(const String& table, const String& chain, const String& rule_spec, int rule_priority); - int listRules(const String& table, const String& chain, StringVectorMap<int>& rule_specs); - - int newChain(const String& table, const String& chain, bool user_defined = true); - int setChainPolicy(const String& table, const String& chain, const String& policy); - int renameChain(const String& table, const String& old_chain_name, const String& new_chain_name); - int deleteChain(const String& table, const String& chain); - int listChains(const String& table, StringVector& chains); - bool chainExists(const String& table, const String& chain); - int passthrough(const String& table, const String& direct_specification); + const StringVector listTables() const; protected: - XTable& getTableRef(Table table); XTable& getTableRef(const String& table); int execute(const XTables::Operation& op); int execute(const StringVector& args); private: const char * const _ipXtables_path; - XTable _filter; - XTable _nat; + + XTable _security; + XTable _raw; XTable _mangle; + XTable _nat; + XTable _filter; }; class IP4Tables : public IPTables 
diff --git a/src/Daemon/Backends/Linux/XTables.hpp b/src/Daemon/Backends/Linux/XTables.hpp index 62ff2f1..6994300 100644 --- a/src/Daemon/Backends/Linux/XTables.hpp +++ b/src/Daemon/Backends/Linux/XTables.hpp @@ -38,14 +38,16 @@ namespace firewalld void deleteRule(const String& chain, const String& rule_spec, int rule_priority); bool ruleExists(const String& name, const String& rule_spec, int rule_priority); void insertRule(const String& chain, const String& rule_spec, int rule_priority); - //void replaceRule(const String& chain, int old_rule_num, const String& rule_spec); void listRules(const String& chain, StringVectorMap<int>& rules); + void newChain(const String& chain, bool user_defined = true); void setChainPolicy(const String& chain, const String& policy); void renameChain(const String& old_chain_name, const String& new_chain_name); + void flushChain(const String& name); void deleteChain(const String& name); void listChains(StringVector& chains); bool chainExists(const String& chain); + void addDirect(const String& direct_specification); private: @@ -139,10 +141,11 @@ namespace firewalld Glib::Threads::Mutex::Lock _lock; }; - virtual int listTables(StringVector& tables) const = 0; + virtual const StringVector listTables() const = 0; - virtual int appendRule(XTable& table, const String& chain, const String& rule_spec, int rule_priority) + int appendRule(const String& table_name, const String& chain, const String& rule_spec, int rule_priority) { + XTable& table = getTableRef(table_name); Operation op(table, chain, Command::Append, rule_spec, rule_priority); int return_code = execute(op); if (return_code == 0) { 
@@ -151,14 +154,16 @@ namespace firewalld return return_code; } - virtual int checkRule(XTable& table, const String& chain, const String& rule_spec) + int checkRule(const String& table_name, const String& chain, const String& rule_spec) { + XTable& table = getTableRef(table_name); Operation op(table, chain, Command::Check, rule_spec); return execute(op); } - virtual int deleteRule(XTable& table, const String& chain, const String& rule_spec, int rule_priority) + int deleteRule(const String& table_name, const String& chain, const String& rule_spec, int rule_priority) { + XTable& table = getTableRef(table_name); Operation op(table, chain, Command::Delete, rule_spec, rule_priority); int return_code = execute(op); if (return_code == 0) { @@ -167,14 +172,16 @@ namespace firewalld return return_code; } - virtual bool ruleExists(XTable& table, const String& chain, const String& rule_spec, int rule_priority) + bool ruleExists(const String& table_name, const String& chain, const String& rule_spec, int rule_priority) { + XTable& table = getTableRef(table_name); Operation op(table, chain, Command::ListRules, rule_spec, rule_priority); return table.ruleExists(chain, rule_spec, rule_priority); } - virtual int insertRule(XTable& table, const String& chain, const String& rule_spec, int rule_priority) + int insertRule(const String& table_name, const String& chain, const String& rule_spec, int rule_priority) { + XTable& table = getTableRef(table_name); Operation op(table, chain, Command::Insert, rule_spec, rule_priority); int return_code = execute(op); if (return_code == 0) { 
@@ -183,15 +190,17 @@ namespace firewalld return return_code; } - virtual int listRules(XTable& table, const String& chain, StringVectorMap<int>& rule_specs) + int listRules(const String& table_name, const String& chain, StringVectorMap<int>& rule_specs) { + XTable& table = getTableRef(table_name); Operation op(table, chain, Command::ListRules); table.listRules(chain, rule_specs); return 0; } - virtual int newChain(XTable& table, const String& chain, bool user_defined = true, bool builtin = false) + int newChain(const String& table_name, const String& chain, bool user_defined = true, bool builtin = false) { + XTable& table = getTableRef(table_name); Operation op(table, chain, Command::New); int return_code; if (!builtin) { @@ -206,8 +215,9 @@ namespace firewalld return return_code; } - virtual int setChainPolicy(XTable& table, const String& chain, const String& policy) + int setChainPolicy(const String& table_name, const String& chain, const String& policy) { + XTable& table = getTableRef(table_name); Operation op(table, chain, Command::SetPolicy, policy); int return_code = execute(op); if (return_code == 0) { @@ -216,8 +226,9 @@ namespace firewalld return return_code; } - virtual int renameChain(XTable& table, const String& old_chain_name, const String& new_chain_name) + int renameChain(const String& table_name, const String& old_chain_name, const String& new_chain_name) { + XTable& table = getTableRef(table_name); Operation op(table, old_chain_name, Command::Rename, new_chain_name); int return_code = execute(op); if (return_code == 0) { @@ -226,8 +237,9 @@ namespace firewalld return return_code; } - virtual int deleteChain(XTable& table, const String& chain) + int deleteChain(const String& table_name, const String& chain) { + XTable& table = getTableRef(table_name); Operation op(table, chain, Command::Delete); int return_code = execute(op); if (return_code == 0) { 
@@ -236,21 +248,32 @@ namespace firewalld return return_code; } - virtual int listChains(XTable& table, StringVector& chains) + int listChains(const String& table_name, StringVector& chains) { + XTable& table = getTableRef(table_name); Operation op(table, Command::ListChains); table.listChains(chains); return 0; } - virtual int chainExists(XTable& table, const String& chain) + StringVector listChains(const String& table_name) + { + XTable& table = getTableRef(table_name); + StringVector chains; + table.listChains(chains); + return std::move(chains); + } + + int chainExists(const String& table_name, const String& chain) { + XTable& table = getTableRef(table_name); Operation op(table, Command::ListChains); return table.chainExists(chain); } - virtual int direct(XTable& table, const String& args) + int direct(const String& table_name, const String& args) { + XTable& table = getTableRef(table_name); Operation op(table, Command::Direct, args); int return_code = execute(op); if (return_code == 0) { @@ -262,6 +285,7 @@ namespace firewalld protected: virtual int execute(const Operation& op) = 0; virtual int execute(const StringVector& args) = 0; + virtual XTable& getTableRef(const String& table) = 0; }; } /* namespace firewalld */ diff --git a/src/Daemon/Backends/LinuxXTables.cpp b/src/Daemon/Backends/LinuxXTables.cpp new file mode 100644 index 0000000..782172f --- /dev/null +++ b/src/Daemon/Backends/LinuxXTables.cpp 
@@ -0,0 +1,255 @@ +#include "LinuxXTables.hpp" +#include "Common/Types.hpp" +#include "Common/Logging.hpp" + +namespace firewalld +{ + LinuxXTables::LinuxXTables() + : Backend("LinuxXTables"), + _ip4tables(FIREWALLD_IP4TABLES_PATH), + _ip6tables(FIREWALLD_IP6TABLES_PATH) + { + initDefaultChains(); + + registerOperationHandler("ZONE", &LinuxXTables::opZone); + registerOperationHandler("ZONE_INTERFACE", &LinuxXTables::opZoneInterface); + registerOperationHandler("ZONE_PORT", &LinuxXTables::opZonePort); + registerOperationHandler("ZONE_PORT_FORWARD", &LinuxXTables::opZonePortForward); + registerOperationHandler("ZONE_ICMP_BLOCK", &LinuxXTables::opZoneICMPBlock); + registerOperationHandler("ZONE_MASQUERADE", &LinuxXTables::opZoneMasquerade); + registerOperationHandler("LOAD_HELPER", &LinuxXTables::opLoadHelper); + } + + void LinuxXTables::initDefaultChains() + { + for (IPTables * const ipXtables : { &_ip4tables, &_ip6tables }) { + String icmp, reject; + + if (ipXtables == &_ip4tables) { + icmp = "icmp"; + reject = "REJECT --reject-with icmp-host-prohibited"; + } else { + icmp = "ipv6-icmp"; + reject = "REJECT --reject-with icmp6-adm-prohibited"; + } + + // + // Initialize _direct chains + // + // <CHAIN>_direct chains are used for rules added via the + // direct interface. If a built-in chain named `CHAIN` is + // used, it is replaced with `CHAIN_direct` before executing + // the requested {ip,ip6,eb}tables command. 
+ // + for (const String& table : ipXtables->listTables()) { + for (const String& chain : ipXtables->listChains(table)) { + ipXtables->newChain(table, chain + "_direct"); + ipXtables->appendRule(table, chain, "-j " + chain + "_direct", 0); + } + } + + // + // Initialize -t filter chains + // + ipXtables->newChain("filter", "INPUT_ZONES"); + ipXtables->newChain("filter", "INPUT_ZONES_SOURCE"); + + ipXtables->insertRule("filter", "INPUT", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT", 1); + ipXtables->insertRule("filter", "INPUT", "-i lo -j ACCEPT", 3); + ipXtables->insertRule("filter", "INPUT", "-j INPUT_ZONES_SOURCE", 4); + ipXtables->insertRule("filter", "INPUT", "-j INPUT_ZONES", 5); + ipXtables->insertRule("filter", "INPUT", "-p " + icmp + " -j ACCEPT", 6); + ipXtables->insertRule("filter", "INPUT", "-j " + reject, 7); + + ipXtables->newChain("filter", "FORWARD_IN_ZONES"); + ipXtables->newChain("filter", "FORWARD_IN_ZONES_SOURCE"); + ipXtables->newChain("filter", "FORWARD_OUT_ZONES"); + ipXtables->newChain("filter", "FORWARD_OUT_ZONES_SOURCE"); + + ipXtables->insertRule("filter", "FORWARD", "-m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT", 1); + ipXtables->insertRule("filter", "FORWARD", "-i lo -j ACCEPT", 3); + ipXtables->insertRule("filter", "FORWARD", "-j FORWARD_IN_ZONES_SOURCE", 4); + ipXtables->insertRule("filter", "FORWARD", "-j FORWARD_IN_ZONES", 5); + ipXtables->insertRule("filter", "FORWARD", "-j FORWARD_OUT_ZONES_SOURCE", 6); + ipXtables->insertRule("filter", "FORWARD", "-j FORWARD_OUT_ZONES", 7); + ipXtables->insertRule("filter", "FORWARD", "-p " + icmp + " -j ACCEPT", 8); + ipXtables->insertRule("filter", "FORWARD", "-j " + reject, 9); + + // + // Initialize -t mangle chains + // + ipXtables->newChain("mangle", "PREROUTING_ZONES"); + ipXtables->newChain("mangle", "PREROUTING_ZONES_SOURCE"); + + ipXtables->insertRule("mangle", "PREROUTING", "-j PREROUTING_ZONES_SOURCE", 1); + ipXtables->insertRule("mangle", "PREROUTING", "-j 
PREROUTING_ZONES", 2); + + // + // Initialize -t nat chains + // + + } + } + + void LinuxXTables::cleanup() + { + } + + void LinuxXTables::processOperation(const UStringVector& op, bool undo) + { + if (op.size() < 1) { + /* NOOP */ + return; + } + + auto op_handler = operationHandler(op.front()); + + if (op_handler) { + VLOG(4) << "OP: " << (undo ? "-" : "+") << op; + (*this.*op_handler)(op, undo); + } + + return; + } + + void LinuxXTables::opZone(const UStringVector& op, bool undo) + { + String zone_name = op[1]; + + // XXX: Do we trust the input values? + + for (IPTables * const ipXtables : { &_ip4tables, &_ip6tables }) { + for (const String& prefix : { "IN_", "FWDI_", "FWDO_" }) { + for (const String& suffix : { "", "_allow", "_deny", "_log" }) { + if (!undo) { + ipXtables->newChain("filter", prefix + zone_name + suffix); + } else { + ipXtables->deleteChain("filter", prefix + zone_name + suffix); + } + } + } + + if (!undo) { + for (const String& prefix : { "IN_", "FWDI_", "FWDO_" }) { + for (const String& suffix : { "_log", "_deny", "_allow" }) { + ipXtables->appendRule("filter", prefix + zone_name, "-j " + prefix + zone_name + suffix, 0); + } + } + } + + for (const String& prefix : { "PRE_" }) { + for (const String& suffix : { "", "_allow", "_deny", "_log" }) { + if (!undo) { + ipXtables->newChain("mangle", prefix + zone_name + suffix); + } else { + ipXtables->deleteChain("mangle", prefix + zone_name + suffix); + } + } + } + + if (!undo) { + for (const String& prefix : { "PRE_" }) { + for (const String& suffix : { "_log", "_deny", "_allow" }) { + ipXtables->appendRule("mangle", prefix + zone_name, "-j " + prefix + zone_name + suffix, 0); + } + } + } + } + + return; + } + + void LinuxXTables::opZoneInterface(const UStringVector& op, bool undo) + { + String zone_name = op[1]; + String interface = op[2]; + + for (IPTables * const ipXtables : { &_ip4tables, &_ip6tables }) { + if (!undo) { + ipXtables->appendRule("filter", "INPUT_ZONES", "-i " + interface + " -g 
IN_" + zone_name, 0); + ipXtables->appendRule("filter", "FORWARD_IN_ZONES", "-i " + interface + " -g FWDI_" + zone_name, 0); + ipXtables->appendRule("filter", "FORWARD_OUT_ZONES", "-o " + interface + " -g FWDO_" + zone_name, 0); + } else { + ipXtables->deleteRule("filter", "INPUT_ZONES", "-i " + interface + " -g IN_" + zone_name, 0); + ipXtables->deleteRule("filter", "FORWARD_IN_ZONES", "-i " + interface + " -g FWDI_" + zone_name, 0); + ipXtables->deleteRule("filter", "FORWARD_OUT_ZONES", "-o " + interface + " -g FWDO_" + zone_name, 0); + } + } + + return; + } + + void LinuxXTables::opZonePort(const UStringVector& op, bool undo) + { + String zone_name = op[1]; + String protocol = op[2]; + String port_from = op[3]; + String port_to; + + if (op.size() == 5) { + port_to = op[4]; + } else { + port_to = op[3]; + } + + String rule_spec; + + if (protocol == "tcp") { + rule_spec = "-p tcp -m tcp --dport "; + } + else if (protocol == "udp") { + rule_spec = "-p udp -m udp --dport "; + } + + rule_spec += port_from + (port_from != port_to ? 
":" + port_to : ""); + rule_spec += " -m conntrack --ctstate NEW -j ACCEPT"; + + for (IPTables * const ipXtables : { &_ip4tables, &_ip6tables }) { + if (!undo) { + ipXtables->appendRule("filter", "IN_" + zone_name + "_allow", rule_spec, 0); + } else { + ipXtables->deleteRule("filter", "IN_" + zone_name + "_allow", rule_spec, 0); + } + } + + return; + } + + void LinuxXTables::opZonePortForward(const UStringVector& op, bool undo) + { + } + + void LinuxXTables::opZoneICMPBlock(const UStringVector& op, bool undo) + { + String zone_name = op[1]; + String icmptype = op[2]; + String protocol = op[3]; + String rule_spec; + IPTables * ipXtables; + + if (protocol == "ipv4") { + rule_spec = "-p icmp -m icmp --icmp-type " + icmptype; + rule_spec += " -j REJECT --reject-with icmp-host-prohibited"; + ipXtables = &_ip4tables; + } + else if (protocol == "ipv6") { + rule_spec = "-p ipv6-icmp -m icmp6 --icmpv6-type " + icmptype; + rule_spec += " -j REJECT --reject-with icmp6-adm-prohibited"; + ipXtables = &_ip6tables; + } + + ipXtables->appendRule("filter", "IN_" + zone_name + "_deny", rule_spec, 0); + ipXtables->appendRule("filter", "FWDI_" + zone_name + "_deny", rule_spec, 0); + + return; + } + + void LinuxXTables::opZoneMasquerade(const UStringVector& op, bool undo) + { + } + + void LinuxXTables::opLoadHelper(const UStringVector& op, bool undo) + { + } + +} /* namespace firewalld */ diff --git a/src/Daemon/Backends/LinuxXTables.hpp b/src/Daemon/Backends/LinuxXTables.hpp new file mode 100644 index 0000000..4abc9ab --- /dev/null +++ b/src/Daemon/Backends/LinuxXTables.hpp 
@@ -0,0 +1,38 @@ +#ifndef FIREWALLD_BACKENDS_LINUXXTABLES_HPP +#define FIREWALLD_BACKENDS_LINUXXTABLES_HPP + +#include "Daemon/Backends/Linux/IPTables.hpp" +#include "Daemon/Backends/Linux/EBTables.hpp" + +#include "Daemon/Firewall/Backend.hpp" +#include "Daemon/Firewall/BackendOpTable.hpp" + +namespace firewalld +{ + class LinuxXTables : public Backend, private BackendOpTable<LinuxXTables> + { + public: + LinuxXTables(); + + protected: + void processOperation(const UStringVector& op, bool undo = false); + + void initDefaultChains(); + void cleanup(); + + void opZone(const UStringVector& op, bool undo); + void opZoneInterface(const UStringVector& op, bool undo); + void opZonePort(const UStringVector& op, bool undo); + void opZonePortForward(const UStringVector& op, bool undo); + void opZoneICMPBlock(const UStringVector& op, bool undo); + void opZoneMasquerade(const UStringVector& op, bool undo); + void opLoadHelper(const UStringVector& op, bool undo); + + private: + IPTables _ip4tables; + IPTables _ip6tables; + EBTables _ebtables; + }; +} /* namespace firewalld */ + +#endif /* FIREWALLD_BACKENDS_LINUXXTABLES_HPP */ diff --git a/src/Daemon/Firewall/Backend.cpp b/src/Daemon/Firewall/Backend.cpp index cab311e..0ece111 100644 --- a/src/Daemon/Firewall/Backend.cpp +++ b/src/Daemon/Firewall/Backend.cpp @@ -25,11 +25,21 @@ namespace firewalld { - Backend::Backend() + Backend::Backend(const UString& identifier) { + _identifier = identifier; _transaction_counter = 0; } + Backend::~Backend() + { + } + + const UString& Backend::identifier() const + { + return _identifier; + } + Pointer<Transaction> Backend::createTransaction() { std::lock_guard<std::mutex> backend_lock(_backend_mutex); diff --git a/src/Daemon/Firewall/Backend.hpp b/src/Daemon/Firewall/Backend.hpp index 109520a..d227733 100644 --- a/src/Daemon/Firewall/Backend.hpp +++ b/src/Daemon/Firewall/Backend.hpp 
@@ -30,18 +30,22 @@ namespace firewalld class Backend { public: - Backend(); - virtual const UString& identifier() const = 0; + Backend(const UString& identifier); + virtual ~Backend(); + + const UString& identifier() const; + Pointer<Transaction> createTransaction(); void commitTransaction(Pointer<Transaction> transaction); void removeTransaction(const String& identifier); size_t countTransactions() const; protected: - virtual void processOperation(const UStringList& op, bool undo = false) = 0; + virtual void processOperation(const UStringVector& op, bool undo = false) = 0; void removeTransactionUnlocked(const String& identifier); private: + UString _identifier; PointerVector<Transaction> _transactions; mutable std::mutex _backend_mutex; uint64_t _transaction_counter; diff --git a/src/Daemon/Firewall/BackendOpTable.hpp b/src/Daemon/Firewall/BackendOpTable.hpp new file mode 100644 index 0000000..97bb6a8 --- /dev/null +++ b/src/Daemon/Firewall/BackendOpTable.hpp @@ -0,0 +1,30 @@ +#ifndef FIREWALLD_FIREWALL_BACKENDOPTABLE_HPP +#define FIREWALLD_FIREWALL_BACKENDOPTABLE_HPP + +#include "Common/Types.hpp" + +namespace firewalld +{ + template<class C> + class BackendOpTable + { + public: + typedef void(C::*OpMethodPointer)(const UStringVector&, bool); + + void registerOperationHandler(const UString& name, OpMethodPointer method_pointer) + { + _op_method_table[name] = method_pointer; + } + + OpMethodPointer operationHandler(const UString& name) const + { + return MapOp::findOne(_op_method_table, name); + } + + private: + typedef std::map<UString, OpMethodPointer> OpMethodTable; + OpMethodTable _op_method_table; + }; +} + +#endif /* FIREWALLD_FIREWALL_BACKENDOPTABLE_HPP */ diff --git a/src/Daemon/Firewall/Firewall.cpp b/src/Daemon/Firewall/Firewall.cpp index fa626c1..18a2c35 100644 --- a/src/Daemon/Firewall/Firewall.cpp +++ b/src/Daemon/Firewall/Firewall.cpp 
@@ -18,44 +18,37 @@ // #include "Daemon/FirewallD.hpp" #include "Daemon/Firewall/Firewall.hpp" +#include "Daemon/Firewall/Backend.hpp" +#include "Daemon/Backends/LinuxXTables.hpp" #include "Common/Types.hpp" namespace firewalld { - Firewall::Firewall() { - // Insert the default zones - addZoneName("block"); - addZoneName("home"); - addZoneName("public"); - addZoneName("work"); - addZoneName("trusted"); - addZoneName("drop"); - // Initialize the default zone name - _default_zone = "public"; - - addInterfaceToZone("public", "eth0"); + _backend = new LinuxXTables(); } bool Firewall::directIPv4getTables(StringVector& tables) { - return (_ip4tables.listTables(tables) == 0); + tables = _ip4tables.listTables(); + return true; } bool Firewall::directIPv6getTables(StringVector& tables) { - return (_ip6tables.listTables(tables) == 0); + tables = _ip6tables.listTables(); + return true; } bool Firewall::directIPv4Passthrough(const String& direct_specification) { - return (_ip4tables.passthrough("filter", direct_specification) == 0); + return (_ip4tables.direct("filter", direct_specification) == 0); } bool Firewall::directIPv6Passthrough(const String& direct_specification) { - return (_ip6tables.passthrough("filter", direct_specification) == 0); + return (_ip6tables.direct("filter", direct_specification) == 0); } bool Firewall::directIPv4AddChain(const String& table, const String& chain) diff --git a/src/Daemon/Firewall/Firewall.hpp b/src/Daemon/Firewall/Firewall.hpp index 3a4ab5d..7fa1115 100644 --- a/src/Daemon/Firewall/Firewall.hpp +++ b/src/Daemon/Firewall/Firewall.hpp 
@@ -20,11 +20,13 @@ #define _FIREWALL_H_ #include "Common/Types.hpp" -#include "Daemon/Backends/Linux/IPTables.hpp" -#include "Daemon/Backends/Linux/EBTables.hpp" #include "Daemon/Firewall/Zone.hpp" #include "Daemon/Firewall/Service.hpp" #include "Daemon/Firewall/ICMPType.hpp" +#include "Daemon/Firewall/Backend.hpp" + +#include "Daemon/Backends/Linux/IPTables.hpp" +#include "Daemon/Backends/Linux/EBTables.hpp" #include <glibmm.h> #include <giomm.h> @@ -33,7 +35,6 @@ namespace firewalld { - class Firewall { public: @@ -95,6 +96,8 @@ namespace firewalld UString _default_zone; PointerMap<UString,Zone> _zone_map; + Backend *_backend; + IP4Tables _ip4tables; IP6Tables _ip6tables; EBTables _ebtables; diff --git a/src/Daemon/Firewall/Transaction.cpp b/src/Daemon/Firewall/Transaction.cpp index b9f59f4..73be1d2 100644 --- a/src/Daemon/Firewall/Transaction.cpp +++ b/src/Daemon/Firewall/Transaction.cpp @@ -32,7 +32,7 @@ namespace firewalld return _identifier; } - const UStringList& Transaction::operation(size_t index) const + const UStringVector& Transaction::operation(size_t index) const { return _operations.at(index); } @@ -42,7 +42,7 @@ namespace firewalld return _operations.size(); } - size_t Transaction::appendOperation(const UStringList& op) + size_t Transaction::appendOperation(const UStringVector& op) { _operations.push_back(op); return (_operations.size() - 1); diff --git a/src/Daemon/Firewall/Transaction.hpp b/src/Daemon/Firewall/Transaction.hpp index 5b23a48..07b49fb 100644 --- a/src/Daemon/Firewall/Transaction.hpp +++ b/src/Daemon/Firewall/Transaction.hpp 
@@ -33,17 +33,17 @@ namespace firewalld const String& identifier() const; - const UStringList& operation(size_t index) const; + const UStringVector& operation(size_t index) const; size_t countOperations() const; - size_t appendOperation(const UStringList& op); + size_t appendOperation(const UStringVector& op); void removeOperation(size_t index); bool operator==(const Transaction& rhs) const; private: String _identifier; - std::vector<UStringList> _operations; + std::vector<UStringVector> _operations; }; class TransactionError : public std::runtime_error diff --git a/tests/iptables/test_iptables.cpp b/tests/iptables/test_iptables.cpp index e79ef12..99d6610 100644 --- a/tests/iptables/test_iptables.cpp +++ b/tests/iptables/test_iptables.cpp @@ -29,7 +29,7 @@ int main(int argc, char *argv[]) IP4Tables iptables; IP6Tables ip6tables; - iptables.appendRule(IP4Tables::Table::Filter, "INPUT", "-s 127.0.0.1 -j DROP", 1); + iptables.appendRule("filter", "INPUT", "-s 127.0.0.1 -j DROP", 1); iptables.appendRule("filter", "INPUT", "-s 127.0.0.1 -j DROP", 1); iptables.deleteRule("filter", "INPUT", "-s 127.0.0.1 -j DROP", 1); iptables.insertRule("filter", "INPUT", "-s 127.0.0.2 -j DROP", 1); @@ -37,7 +37,7 @@ int main(int argc, char *argv[]) iptables.setChainPolicy("filter", "FOOchain", "RETURN"); iptables.renameChain("filter", "FOOchain", "BARchain"); iptables.deleteChain("filter", "BARchain"); - iptables.passthrough("filter", "-A OUTPUT -d 1.2.3.4 -j RETURN"); + iptables.direct("filter", "-A OUTPUT -d 1.2.3.4 -j RETURN"); return 0; }
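Review bot: In the EBTables.hpp hunk the declaration changes from `int listTables(StringVector& tables) const;` to `const StringVector listTables() const;`, but the EBTables.cpp hunk only removes the forwarding wrappers (`appendRule` through `passthrough`) and does not show a matching `EBTables::listTables()` definition being updated. Check that one exists with the new signature; `LinuxXTables::initDefaultChains()` iterates `ipXtables->listTables()` by value, and an old `int listTables(StringVector&)` left in the .cpp would no longer match the header.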
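Review bot: In the IPTables.cpp constructor hunk the new `_security` and `_raw` tables are constructed but get no built-in chains, while `filter`, `nat` and `mangle` still receive `newChain(..., false, true)` plus an `ACCEPT` policy for each of theirs. Since `LinuxXTables::initDefaultChains()` derives the `<CHAIN>_direct` chains from `listChains(table)`, `security` and `raw` end up with no `_direct` chains and `chainExists()` answers no for every built-in chain in them. Register `INPUT`/`FORWARD`/`OUTPUT` for `security` and `PREROUTING`/`OUTPUT` for `raw` in the same loop. Separately, the initializer list order (`_filter, _nat, _mangle, _security, _raw, _ipXtables_path`) no longer matches the declaration order in the IPTables.hpp hunk (`_ipXtables_path, _security, _raw, _mangle, _nat, _filter`); members are initialized in declaration order regardless, so reorder the list to keep `-Wreorder` quiet.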
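Review bot: In the `IPTables::execute(const StringVector& args)` hunk, `LOG(DEBUG) << _ipXtables_path << " " << args;` moves out of `#ifdef UNITTEST`, so every iptables invocation, including full rule specs with addresses and ports, is now logged at DEBUG in non-test builds. That is useful for auditing what the daemon pushes into the kernel, but it deserves a line in the commit message and a check that the DEBUG level is off by default.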
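Review bot: In the XTables.hpp hunk the new `StringVector listChains(const String& table_name)` overload ends with `return std::move(chains);`, which suppresses copy elision on a local and triggers `-Wpessimizing-move`; `return chains;` is the right form. In the same hunk `chainExists()` keeps an `int` return type while `ruleExists()` returns `bool` and both are only ever used as predicates; make `chainExists()` return `bool`. Also note that `ruleExists()` still builds an `Operation op(...)` it never passes to `execute()`, so table lookups are answered purely from the in-memory `XTable` model rather than the kernel; that is fine for unit tests but worth a comment, since the direct interface in Firewall.cpp relies on it.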
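Review bot: In the LinuxXTables.cpp hunk the operation handlers index into `op` without checking its length: `processOperation()` only rejects `op.size() < 1`, yet `opZone` reads `op[1]`, `opZoneInterface` reads `op[2]`, and `opZonePort` and `opZoneICMPBlock` read `op[3]`, so a short operation vector is undefined behaviour. Validate the arity per handler before dispatch; the `// XXX: Do we trust the input values?` comment in `opZone` applies to every handler, because `zone_name`, `interface`, the ports and `icmptype` are concatenated straight into rule specs handed to iptables. In `opZoneICMPBlock`, `IPTables * ipXtables;` stays uninitialized when `protocol` is neither `"ipv4"` nor `"ipv6"` and is then dereferenced, and the handler ignores `undo`, so the `_deny` rules it appends are never removed. `opZonePort` has the matching gap: an unknown `protocol` leaves `rule_spec` starting with the bare port. Suggest an early `return` with a log line on an unrecognised value in both, and a `deleteRule` path under `undo` in `opZoneICMPBlock`.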
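Review bot: In the BackendOpTable.hpp hunk `operationHandler()` returns whatever `MapOp::findOne` yields for a missing key, and the only consumer, `LinuxXTables::processOperation()`, has no `else` branch for a null handler, so an operation with an unknown name is silently dropped and the transaction still appears to succeed. Log the unknown name at least at the same `VLOG(4)` level as the dispatched ones, and consider rejecting the operation, otherwise a misspelled name such as `"ZONE_PORT_FORWARD"` commits without touching the firewall.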
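Review bot: In the Firewall.cpp hunk `_backend = new LinuxXTables();` stores an owning raw pointer in `Backend *_backend` that is never released, even though this patch adds `virtual Backend::~Backend()` precisely so a backend can be destroyed through the base pointer. Use the project's `Pointer<Backend>` (as `Backend::createTransaction()` already does for transactions) or delete it in a `Firewall` destructor. The same hunk drops the default zone setup (`addZoneName("public")` and friends, `_default_zone = "public"`, the `eth0` binding) with nothing replacing it; if that is intentional pending the ZONE operations, say so in the commit message, since `Firewall` now starts with no default zone.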
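Review bot: In the Firewall.hpp hunk `Firewall` keeps its own `IP4Tables _ip4tables; IP6Tables _ip6tables; EBTables _ebtables;` alongside the new `Backend *_backend`, while the LinuxXTables.hpp hunk gives the backend a second `_ip4tables`/`_ip6tables`/`_ebtables`. Because each `XTable` answers `ruleExists()`, `chainExists()` and `listChains()` from its own in-memory model (see the XTables.hpp hunk), the direct* methods in Firewall.cpp and the backend will now hold two diverging pictures of the same kernel tables, and the `_direct` chains created by `initDefaultChains()` are unknown to the instances that `directIPv4Passthrough()` uses. Either route the direct interface through `_backend` or drop the duplicate members.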
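Review bot: In the Backend.cpp hunk `_identifier = identifier;` and `_transaction_counter = 0;` are assignments in the constructor body; prefer the initializer list (`: _identifier(identifier), _transaction_counter(0)`) so `_identifier` is not default-constructed and then copied. The Backend.hpp hunk changes `processOperation()` from `UStringList` to `UStringVector`, which is what makes the `op[1]`, `op[2]` indexing in LinuxXTables.cpp possible; a note in the commit message that operations are now random-access vectors would help reviewers of the handlers.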
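Review bot: In the test_iptables.cpp hunk the converted call `iptables.appendRule("filter", "INPUT", "-s 127.0.0.1 -j DROP", 1);` is now immediately followed by an identical line, and with `UNITTEST` defined `execute()` returns 0 so the duplicate is recorded in the table model twice. Either drop the duplicate or turn it into the assertion this test is missing, e.g. that `ruleExists("filter", "INPUT", "-s 127.0.0.1 -j DROP", 1)` is true after the first append and false after `deleteRule()`; as written the test never checks a return value.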
[firewalld-recode] master: Generate transaction id from the time in seconds and transaction number (6865fef)
by mildew@fedoraproject.org
14 Oct '14
Repository :
http://git.fedorahosted.org/cgit/firewalld-recode.git
On branch : master >--------------------------------------------------------------- commit 6865fefce31cdf702abb46f07851015c485f9b8b Author: Daniel Kopecek <dkopecek(a)redhat.com> Date: Tue Oct 14 17:13:08 2014 +0200 Generate transaction id from the time in seconds and transaction number >--------------------------------------------------------------- src/Daemon/Firewall/Backend.cpp | 9 ++++++++- src/Daemon/Firewall/Backend.hpp | 2 ++ 2 files changed, 10 insertions(+), 1 deletions(-) diff --git a/src/Daemon/Firewall/Backend.cpp b/src/Daemon/Firewall/Backend.cpp index 43dc1ae..cab311e 100644 --- a/src/Daemon/Firewall/Backend.cpp +++ b/src/Daemon/Firewall/Backend.cpp @@ -17,17 +17,24 @@ // Authors: Daniel Kopecek <dkopecek(a)redhat.com> // #include "Common/Types.hpp" +#include "Common/Utility.hpp" #include "Daemon/Firewall/Transaction.hpp" #include "Backend.hpp" #include <mutex> +#include <time.h> namespace firewalld { + Backend::Backend() + { + _transaction_counter = 0; + } Pointer<Transaction> Backend::createTransaction() { std::lock_guard<std::mutex> backend_lock(_backend_mutex); - Pointer<Transaction> transaction = makePointer<Transaction>(""); + String identifier = numberToString(::time(nullptr)) + "-" + numberToString(_transaction_counter++); + Pointer<Transaction> transaction = makePointer<Transaction>(identifier); _transactions.push_back(transaction); return transaction; } diff --git a/src/Daemon/Firewall/Backend.hpp b/src/Daemon/Firewall/Backend.hpp index 97eb0ca..109520a 100644 --- a/src/Daemon/Firewall/Backend.hpp +++ b/src/Daemon/Firewall/Backend.hpp @@ -30,6 +30,7 @@ namespace firewalld class Backend { public: + Backend(); virtual const UString& identifier() const = 0; Pointer<Transaction> createTransaction(); void commitTransaction(Pointer<Transaction> transaction); @@ -43,6 +44,7 @@ namespace firewalld private: PointerVector<Transaction> _transactions; mutable std::mutex _backend_mutex; + uint64_t _transaction_counter; }; } /* namespace firewalld */
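Review bot: In the Backend.cpp hunk the identifier is `numberToString(::time(nullptr)) + "-" + numberToString(_transaction_counter++)`; since `_transaction_counter` is a `uint64_t` incremented under `_backend_mutex` and never reset, the counter alone is unique for the lifetime of the process and the seconds prefix adds nothing to uniqueness, it only makes ids non-monotonic across a clock step. If the prefix is meant as a human-readable timestamp, say so in a comment. Backend.hpp adds a `uint64_t` member without including `<cstdint>`; add it rather than relying on transitive includes. Also the new default constructor sets `_transaction_counter = 0;` in the body; a default member initializer (`uint64_t _transaction_counter = 0;`) or the initializer list is the idiomatic form.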