d_port2 INT,
ifname TEXT NOT NULL,
target INT,
+ log_level INT,
+ log_prefix TEXT NOT NULL,
+ nflog_group INT,
+ nflog_prefix TEXT NOT NULL,
+ nflog_range INT,
+ nflog_threshold INT,
identifier TEXT NOT NULL
);
typedef enum {
STC_FW_CHAIN_TARGET_NONE,
STC_FW_CHAIN_TARGET_INPUT,
- STC_FW_CHAIN_TARGET_OUTPUT
+ STC_FW_CHAIN_TARGET_OUTPUT,
+ STC_FW_CHAIN_TARGET_MAX
} stc_fw_chain_target_e;
typedef enum {
STC_FW_RULE_TARGET_ACCEPT,
STC_FW_RULE_TARGET_DROP,
STC_FW_RULE_TARGET_LOG,
+ STC_FW_RULE_TARGET_NFLOG,
+ STC_FW_RULE_TARGET_MAX
} stc_fw_rule_target_e;
/**
Name: stc-manager
Summary: STC(Smart Traffic Control) manager
-Version: 0.0.71
+Version: 0.0.72
Release: 0
Group: Network & Connectivity/Other
License: Apache-2.0
#define SELECT_FIREWALL_RULE "SELECT key, " \
"chain, direction, s_ip_type, d_ip_type, s_port_type, " \
"d_port_type, protocol, family, s_ip1, s_ip2, d_ip1, d_ip2, " \
- "s_port1, s_port2, d_port1, d_port2, ifname, target, identifier " \
+ "s_port1, s_port2, d_port1, d_port2, ifname, target, " \
+ "log_level, log_prefix, " \
+ "nflog_group, nflog_prefix, nflog_range, nflog_threshold, " \
+ "identifier " \
"FROM fw_rules"
#define SELECT_FIREWALL_RULE_PER_CHAIN "SELECT key, " \
"chain, direction, s_ip_type, d_ip_type, s_port_type, " \
"d_port_type, protocol, family, s_ip1, s_ip2, d_ip1, d_ip2, " \
- "s_port1, s_port2, d_port1, d_port2, ifname, target, identifier " \
+ "s_port1, s_port2, d_port1, d_port2, ifname, target, " \
+ "log_level, log_prefix, " \
+ "nflog_group, nflog_prefix, nflog_range, nflog_threshold, " \
+ "identifier " \
"FROM fw_rules INDEXED BY rules_index " \
"WHERE chain = ?"
"SET chain = ?, direction = ?, s_ip_type = ?, d_ip_type = ?, " \
"s_port_type = ?, d_port_type = ?, protocol = ?, family = ?, " \
"s_ip1 = ?, s_ip2 = ?, d_ip1 = ?, d_ip2 = ?, s_port1 = ?, " \
- "s_port2 = ?, d_port1 = ?, d_port2 = ?, ifname = ?, " \
- "target = ?, identifier = ?, key = ? " \
+ "s_port2 = ?, d_port1 = ?, d_port2 = ?, ifname = ?, target = ?, " \
+ "log_level = ?, log_prefix = ?, " \
+ "nflog_group = ?, nflog_prefix = ?, nflog_range = ?, nflog_threshold = ?, " \
+ "identifier = ?, key = ? " \
"WHERE key = ?"
/* INSERT statement */
#define INSERT_FIREWALL_RULE "INSERT INTO fw_rules " \
"(key, chain, direction, s_ip_type, d_ip_type, s_port_type, " \
"d_port_type, protocol, family, s_ip1, s_ip2, d_ip1, d_ip2, " \
- "s_port1, s_port2, d_port1, d_port2, ifname, target, identifier) " \
- "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
+ "s_port1, s_port2, d_port1, d_port2, ifname, target, " \
+ "log_level, log_prefix, " \
+ "nflog_group, nflog_prefix, nflog_range, nflog_threshold, " \
+ "identifier) " \
+ "VALUES (?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, " \
+ "?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?, ?)"
static void __finalize_delete(void);
DB_ACTION(sqlite3_bind_text(stmt, 18, info->ifname ? info->ifname : "",
-1, SQLITE_TRANSIENT));
DB_ACTION(sqlite3_bind_int(stmt, 19, info->target));
- DB_ACTION(sqlite3_bind_text(stmt, 20, info->identifier ? info->identifier : "",
+ DB_ACTION(sqlite3_bind_int(stmt, 20, info->log_level));
+ DB_ACTION(sqlite3_bind_text(stmt, 21, info->log_prefix ? info->log_prefix : "",
+ -1, SQLITE_TRANSIENT));
+ DB_ACTION(sqlite3_bind_int(stmt, 22, info->nflog_group));
+ DB_ACTION(sqlite3_bind_text(stmt, 23, info->nflog_prefix ? info->nflog_prefix : "",
+ -1, SQLITE_TRANSIENT));
+ DB_ACTION(sqlite3_bind_int(stmt, 24, info->nflog_range));
+ DB_ACTION(sqlite3_bind_int(stmt, 25, info->nflog_threshold));
+ DB_ACTION(sqlite3_bind_text(stmt, 26, info->identifier ? info->identifier : "",
-1, SQLITE_TRANSIENT));
if (sqlite3_step(stmt) != SQLITE_DONE) {
DB_ACTION(sqlite3_bind_text(stmt, 17, info->ifname ? info->ifname : "",
-1, SQLITE_TRANSIENT));
DB_ACTION(sqlite3_bind_int(stmt, 18, info->target));
- DB_ACTION(sqlite3_bind_text(stmt, 19, info->identifier ? info->identifier : "",
+ DB_ACTION(sqlite3_bind_int(stmt, 19, info->log_level));
+ DB_ACTION(sqlite3_bind_text(stmt, 20, info->log_prefix ? info->log_prefix : "",
+ -1, SQLITE_TRANSIENT));
+ DB_ACTION(sqlite3_bind_int(stmt, 21, info->nflog_group));
+ DB_ACTION(sqlite3_bind_text(stmt, 22, info->nflog_prefix ? info->nflog_prefix : "",
+ -1, SQLITE_TRANSIENT));
+ DB_ACTION(sqlite3_bind_int(stmt, 23, info->nflog_range));
+ DB_ACTION(sqlite3_bind_int(stmt, 24, info->nflog_threshold));
+ DB_ACTION(sqlite3_bind_text(stmt, 25, info->identifier ? info->identifier : "",
-1, SQLITE_TRANSIENT));
- DB_ACTION(sqlite3_bind_int64(stmt, 20, info->key));
- DB_ACTION(sqlite3_bind_int64(stmt, 21, key));
+ DB_ACTION(sqlite3_bind_int64(stmt, 26, info->key));
+ DB_ACTION(sqlite3_bind_int64(stmt, 27, key));
if (sqlite3_step(stmt) != SQLITE_DONE) {
STC_LOGE("Failed to update firewall rule %s\n",
info.d_port2 = sqlite3_column_int(stmt, 16);
info.ifname = (char *)sqlite3_column_text(stmt, 17);
info.target = sqlite3_column_int(stmt, 18);
- info.identifier = (char *)sqlite3_column_text(stmt, 19);
+ info.log_level = sqlite3_column_int(stmt, 19);
+ info.log_prefix = (char *)sqlite3_column_text(stmt, 20);
+ info.nflog_group = sqlite3_column_int(stmt, 21);
+ info.nflog_prefix = (char *)sqlite3_column_text(stmt, 22);
+ info.nflog_range = sqlite3_column_int(stmt, 23);
+ info.nflog_threshold = sqlite3_column_int(stmt, 24);
+ info.identifier = (char *)sqlite3_column_text(stmt, 25);
if (info_cb(&info, user_data) == STC_CANCEL)
rc = SQLITE_DONE;
#define BUF_SIZE_FOR_IP 64
-#define RULE_CHAIN "chain"
-#define RULE_DIRECTION "direction"
-#define RULE_IFNAME "ifname"
-#define RULE_PROTOCOL "protocol"
-#define RULE_TARGET "target"
-
-#define RULE_FAMILY "family"
-#define RULE_SIPTYPE "s_ip_type"
-#define RULE_SIP1 "s_ip1"
-#define RULE_SIP2 "s_ip2"
-#define RULE_DIPTYPE "d_ip_type"
-#define RULE_DIP1 "d_ip1"
-#define RULE_DIP2 "d_ip2"
-#define RULE_SPORTTYPE "s_port_type"
-#define RULE_SPORT1 "s_port1"
-#define RULE_SPORT2 "s_port2"
-#define RULE_DPORTTYPE "d_port_type"
-#define RULE_DPORT1 "d_port1"
-#define RULE_DPORT2 "d_port2"
-
static void __fw_add_rule_info_to_builder(GVariantBuilder *builder,
firewall_rule_s *rule)
{
switch (rule->family) {
case STC_FW_FAMILY_V4:
- if (rule->s_ip1.Ipv4.s_addr)
- g_variant_builder_add(builder, "{sv}", RULE_SIP1,
- g_variant_new_uint32(rule->s_ip1.Ipv4.s_addr));
+ if (rule->s_ip_type != STC_FW_IP_NONE) {
+ if (rule->s_ip1.Ipv4.s_addr)
+ g_variant_builder_add(builder, "{sv}", RULE_SIP1,
+ g_variant_new_uint32(rule->s_ip1.Ipv4.s_addr));
- if (rule->s_ip2.Ipv4.s_addr)
- g_variant_builder_add(builder, "{sv}", RULE_SIP2,
- g_variant_new_uint32(rule->s_ip2.Ipv4.s_addr));
+ if (rule->s_ip2.Ipv4.s_addr)
+ g_variant_builder_add(builder, "{sv}", RULE_SIP2,
+ g_variant_new_uint32(rule->s_ip2.Ipv4.s_addr));
+ }
- if (rule->d_ip1.Ipv4.s_addr)
- g_variant_builder_add(builder, "{sv}", RULE_DIP1,
- g_variant_new_uint32(rule->d_ip1.Ipv4.s_addr));
+ if (rule->d_ip_type != STC_FW_IP_NONE) {
+ if (rule->d_ip1.Ipv4.s_addr)
+ g_variant_builder_add(builder, "{sv}", RULE_DIP1,
+ g_variant_new_uint32(rule->d_ip1.Ipv4.s_addr));
- if (rule->d_ip2.Ipv4.s_addr)
- g_variant_builder_add(builder, "{sv}", RULE_DIP2,
- g_variant_new_uint32(rule->d_ip2.Ipv4.s_addr));
+ if (rule->d_ip2.Ipv4.s_addr)
+ g_variant_builder_add(builder, "{sv}", RULE_DIP2,
+ g_variant_new_uint32(rule->d_ip2.Ipv4.s_addr));
+ }
break;
case STC_FW_FAMILY_V6:
{
char buf[BUF_SIZE_FOR_IP];
- if (rule->s_ip1.Ipv6.s6_addr32[0] || rule->s_ip1.Ipv6.s6_addr32[1] ||
- rule->s_ip1.Ipv6.s6_addr32[2] || rule->s_ip1.Ipv6.s6_addr32[3]) {
- memset(buf, 0, sizeof(buf));
- snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x",
- rule->s_ip1.Ipv6.s6_addr32[0], rule->s_ip1.Ipv6.s6_addr32[1],
- rule->s_ip1.Ipv6.s6_addr32[2], rule->s_ip1.Ipv6.s6_addr32[3]);
- g_variant_builder_add(builder, "{sv}", RULE_SIP1,
- g_variant_new_string(buf));
+ if (rule->s_ip_type != STC_FW_IP_NONE) {
+ if (rule->s_ip1.Ipv6.s6_addr32[0] || rule->s_ip1.Ipv6.s6_addr32[1] ||
+ rule->s_ip1.Ipv6.s6_addr32[2] || rule->s_ip1.Ipv6.s6_addr32[3]) {
+ memset(buf, 0, sizeof(buf));
+ snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x",
+ rule->s_ip1.Ipv6.s6_addr32[0], rule->s_ip1.Ipv6.s6_addr32[1],
+ rule->s_ip1.Ipv6.s6_addr32[2], rule->s_ip1.Ipv6.s6_addr32[3]);
+ g_variant_builder_add(builder, "{sv}", RULE_SIP1,
+ g_variant_new_string(buf));
+ }
+
+ if (rule->s_ip2.Ipv6.s6_addr32[0] || rule->s_ip2.Ipv6.s6_addr32[1] ||
+ rule->s_ip2.Ipv6.s6_addr32[2] || rule->s_ip2.Ipv6.s6_addr32[3]) {
+ memset(buf, 0, sizeof(buf));
+ snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x",
+ rule->s_ip2.Ipv6.s6_addr32[0], rule->s_ip2.Ipv6.s6_addr32[1],
+ rule->s_ip2.Ipv6.s6_addr32[2], rule->s_ip2.Ipv6.s6_addr32[3]);
+ g_variant_builder_add(builder, "{sv}", RULE_SIP2,
+ g_variant_new_string(buf));
+ }
}
- if (rule->s_ip2.Ipv6.s6_addr32[0] || rule->s_ip2.Ipv6.s6_addr32[1] ||
- rule->s_ip2.Ipv6.s6_addr32[2] || rule->s_ip2.Ipv6.s6_addr32[3]) {
- memset(buf, 0, sizeof(buf));
- snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x",
- rule->s_ip2.Ipv6.s6_addr32[0], rule->s_ip2.Ipv6.s6_addr32[1],
- rule->s_ip2.Ipv6.s6_addr32[2], rule->s_ip2.Ipv6.s6_addr32[3]);
- g_variant_builder_add(builder, "{sv}", RULE_SIP2,
- g_variant_new_string(buf));
+ if (rule->d_ip_type != STC_FW_IP_NONE) {
+ if (rule->d_ip1.Ipv6.s6_addr32[0] || rule->d_ip1.Ipv6.s6_addr32[1] ||
+ rule->d_ip1.Ipv6.s6_addr32[2] || rule->d_ip1.Ipv6.s6_addr32[3]) {
+ memset(buf, 0, sizeof(buf));
+ snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x",
+ rule->d_ip1.Ipv6.s6_addr32[0], rule->d_ip1.Ipv6.s6_addr32[1],
+ rule->d_ip1.Ipv6.s6_addr32[2], rule->d_ip1.Ipv6.s6_addr32[3]);
+ g_variant_builder_add(builder, "{sv}", RULE_DIP1,
+ g_variant_new_string(buf));
+ }
+
+ if (rule->d_ip2.Ipv6.s6_addr32[0] || rule->d_ip2.Ipv6.s6_addr32[1] ||
+ rule->d_ip2.Ipv6.s6_addr32[2] || rule->d_ip2.Ipv6.s6_addr32[3]) {
+ memset(buf, 0, sizeof(buf));
+ snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x",
+ rule->d_ip2.Ipv6.s6_addr32[0], rule->d_ip2.Ipv6.s6_addr32[1],
+ rule->d_ip2.Ipv6.s6_addr32[2], rule->d_ip2.Ipv6.s6_addr32[3]);
+ g_variant_builder_add(builder, "{sv}", RULE_DIP2,
+ g_variant_new_string(buf));
+ }
}
- if (rule->d_ip1.Ipv6.s6_addr32[0] || rule->d_ip1.Ipv6.s6_addr32[1] ||
- rule->d_ip1.Ipv6.s6_addr32[2] || rule->d_ip1.Ipv6.s6_addr32[3]) {
- memset(buf, 0, sizeof(buf));
- snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x",
- rule->d_ip1.Ipv6.s6_addr32[0], rule->d_ip1.Ipv6.s6_addr32[1],
- rule->d_ip1.Ipv6.s6_addr32[2], rule->d_ip1.Ipv6.s6_addr32[3]);
- g_variant_builder_add(builder, "{sv}", RULE_DIP1,
- g_variant_new_string(buf));
- }
-
- if (rule->d_ip2.Ipv6.s6_addr32[0] || rule->d_ip2.Ipv6.s6_addr32[1] ||
- rule->d_ip2.Ipv6.s6_addr32[2] || rule->d_ip2.Ipv6.s6_addr32[3]) {
- memset(buf, 0, sizeof(buf));
- snprintf(buf, sizeof(buf), "%08x:%08x:%08x:%08x",
- rule->d_ip2.Ipv6.s6_addr32[0], rule->d_ip2.Ipv6.s6_addr32[1],
- rule->d_ip2.Ipv6.s6_addr32[2], rule->d_ip2.Ipv6.s6_addr32[3]);
- g_variant_builder_add(builder, "{sv}", RULE_DIP2,
- g_variant_new_string(buf));
- }
}
break;
default:
break;
}
- if (rule->s_port1)
- g_variant_builder_add(builder, "{sv}", RULE_SPORT1,
- g_variant_new_uint32(rule->s_port1));
+ if (rule->s_port_type != STC_FW_PORT_NONE) {
+ if (rule->s_port1)
+ g_variant_builder_add(builder, "{sv}", RULE_SPORT1,
+ g_variant_new_uint32(rule->s_port1));
- if (rule->s_port2)
- g_variant_builder_add(builder, "{sv}", RULE_SPORT2,
- g_variant_new_uint32(rule->s_port2));
+ if (rule->s_port2)
+ g_variant_builder_add(builder, "{sv}", RULE_SPORT2,
+ g_variant_new_uint32(rule->s_port2));
+ }
- if (rule->d_port1)
- g_variant_builder_add(builder, "{sv}", RULE_DPORT1,
- g_variant_new_uint32(rule->d_port1));
+ if (rule->s_port_type != STC_FW_PORT_NONE) {
+ if (rule->d_port1)
+ g_variant_builder_add(builder, "{sv}", RULE_DPORT1,
+ g_variant_new_uint32(rule->d_port1));
- if (rule->d_port2)
- g_variant_builder_add(builder, "{sv}", RULE_DPORT2,
- g_variant_new_uint32(rule->d_port2));
+ if (rule->d_port2)
+ g_variant_builder_add(builder, "{sv}", RULE_DPORT2,
+ g_variant_new_uint32(rule->d_port2));
+ }
- if (rule->ifname)
- g_variant_builder_add(builder, "{sv}", RULE_IFNAME,
- g_variant_new_string(rule->ifname));
+ if (rule->direction != STC_FW_DIRECTION_NONE) {
+ if (rule->ifname && rule->ifname[0] != '\0')
+ g_variant_builder_add(builder, "{sv}", RULE_IFNAME,
+ g_variant_new_string(rule->ifname));
+ }
- if (rule->target_str)
+ if (rule->target_str && rule->target_str[0] != '\0')
g_variant_builder_add(builder, "{sv}", RULE_TARGET,
g_variant_new_string(rule->target_str));
+
+ if (rule->target != STC_FW_RULE_TARGET_NONE)
+ g_variant_builder_add(builder, "{sv}", RULE_TARGETTYPE,
+ g_variant_new_uint16(rule->target));
+
+ switch (rule->target) {
+ case STC_FW_RULE_TARGET_LOG:
+ g_variant_builder_add(builder, "{sv}", RULE_LOG_LEVEL,
+ g_variant_new_uint16(rule->log_level));
+
+ if (rule->log_prefix && rule->log_prefix[0] != '\0')
+ g_variant_builder_add(builder, "{sv}", RULE_LOG_PREFIX,
+ g_variant_new_string(rule->log_prefix));
+ break;
+ case STC_FW_RULE_TARGET_NFLOG:
+ g_variant_builder_add(builder, "{sv}", RULE_NFLOG_GROUP,
+ g_variant_new_uint16(rule->nflog_group));
+
+ if (rule->nflog_prefix && rule->nflog_prefix[0] != '\0')
+ g_variant_builder_add(builder, "{sv}", RULE_NFLOG_PREFIX,
+ g_variant_new_string(rule->nflog_prefix));
+
+ g_variant_builder_add(builder, "{sv}", RULE_NFLOG_RANGE,
+ g_variant_new_uint16(rule->nflog_range));
+
+ g_variant_builder_add(builder, "{sv}", RULE_NFLOG_THRESHOLD,
+ g_variant_new_uint16(rule->nflog_threshold));
+ break;
+ default:
+ break;
+ }
}
static int __fw_add_chain(GDBusConnection *connection,
stc_error_e firewall_rule_add(firewall_rule_s *rule)
{
- __STC_LOG_FUNC_ENTER__;
-
stc_error_e ret = STC_ERROR_NONE;
stc_s *stc = stc_get_manager();
break;
}
- __STC_LOG_FUNC_EXIT__;
return ret;
}
stc_error_e firewall_rule_remove(firewall_rule_s *rule)
{
- __STC_LOG_FUNC_ENTER__;
-
stc_error_e ret = STC_ERROR_NONE;
stc_s *stc = stc_get_manager();
break;
}
- __STC_LOG_FUNC_EXIT__;
return ret;
}
#define FIREWALL_RULE_TARGET_ACCEPT "ACCEPT"
#define FIREWALL_RULE_TARGET_DROP "DROP"
#define FIREWALL_RULE_TARGET_LOG "LOG"
+#define FIREWALL_RULE_TARGET_NFLOG "NFLOG"
+
+#define RULE_CHAIN "chain"
+#define RULE_DIRECTION "direction"
+#define RULE_IFNAME "ifname"
+#define RULE_PROTOCOL "protocol"
+#define RULE_TARGET "target"
+#define RULE_TARGETTYPE "target_type"
+
+#define RULE_FAMILY "family"
+#define RULE_SIPTYPE "s_ip_type"
+#define RULE_SIP1 "s_ip1"
+#define RULE_SIP2 "s_ip2"
+#define RULE_DIPTYPE "d_ip_type"
+#define RULE_DIP1 "d_ip1"
+#define RULE_DIP2 "d_ip2"
+#define RULE_SPORTTYPE "s_port_type"
+#define RULE_SPORT1 "s_port1"
+#define RULE_SPORT2 "s_port2"
+#define RULE_DPORTTYPE "d_port_type"
+#define RULE_DPORT1 "d_port1"
+#define RULE_DPORT2 "d_port2"
+
+#define RULE_LOG_LEVEL "log_level"
+#define RULE_LOG_PREFIX "log_prefix"
+#define RULE_NFLOG_GROUP "nflog_group"
+#define RULE_NFLOG_PREFIX "nflog_prefix"
+#define RULE_NFLOG_RANGE "nflog_range"
+#define RULE_NFLOG_THRESHOLD "nflog_threshold"
typedef enum {
FIREWALL_UNKONWN,
char *ifname;
stc_fw_rule_target_e target;
char *target_str;
+ guchar log_level;
+ char *log_prefix;
+ guint nflog_group;
+ char *nflog_prefix;
+ guint nflog_range;
+ guint nflog_threshold;
char *identifier;
} firewall_rule_s;
#define CHAIN_TARGET "target"
#define CHAIN_PRIORITY "priority"
-#define RULE_CHAIN "chain"
-#define RULE_DIRECTION "direction"
-#define RULE_SIPTYPE "s_ip_type"
-#define RULE_DIPTYPE "d_ip_type"
-#define RULE_SPORTTYPE "s_port_type"
-#define RULE_DPORTTYPE "d_port_type"
-#define RULE_PROTOCOL "protocol"
-#define RULE_FAMILY "family"
-#define RULE_SIP1 "s_ip1"
-#define RULE_SIP2 "s_ip2"
-#define RULE_DIP1 "d_ip1"
-#define RULE_DIP2 "d_ip2"
-#define RULE_SPORT1 "s_port1"
-#define RULE_SPORT2 "s_port2"
-#define RULE_DPORT1 "d_port1"
-#define RULE_DPORT2 "d_port2"
-#define RULE_IFNAME "ifname"
-#define RULE_TARGET "target"
#define RULE_IDENTIFIER "identifier"
#define RULE_KEY "key"
-#define RULE_TARGET_ACCEPT "ACCEPT"
-#define RULE_TARGET_DROP "DROP"
-#define RULE_TARGET_LOG "LOG"
-
#define FIREWALL_DBUS_ERROR_NAME "net.stc.firewall.Error.Failed"
#define STC_FIREWALL_DBUS_REPLY_ERROR(invocation, err_num) \
rule->target_str = g_strdup(info->target_str);
}
+ rule->log_level = info->log_level;
+
+ if (info->log_prefix) {
+ FREE(rule->log_prefix);
+ rule->log_prefix = g_strdup(info->log_prefix);
+ }
+
+ rule->nflog_group = info->nflog_group;
+ rule->nflog_range = info->nflog_range;
+ rule->nflog_threshold = info->nflog_threshold;
+
+ if (info->nflog_prefix) {
+ FREE(rule->nflog_prefix);
+ rule->nflog_prefix = g_strdup(info->nflog_prefix);
+ }
+
if (info->identifier) {
FREE(rule->identifier);
rule->identifier = g_strdup(info->identifier);
g_string_append_printf(str, "_%s", (rule->ifname) ? rule->ifname : "");
g_string_append_printf(str, "_%u", rule->target);
+ switch (rule->target) {
+ case STC_FW_RULE_TARGET_LOG:
+ g_string_append_printf(str, "_%u", rule->log_level);
+ g_string_append_printf(str, "_%s", rule->log_prefix);
+ break;
+ case STC_FW_RULE_TARGET_NFLOG:
+ g_string_append_printf(str, "_%u", rule->nflog_group);
+ g_string_append_printf(str, "_%s", rule->nflog_prefix);
+ g_string_append_printf(str, "_%u", rule->nflog_range);
+ g_string_append_printf(str, "_%u", rule->nflog_threshold);
+ break;
+ default:
+ break;
+ }
+
FREE(rule->identifier);
rule->identifier = g_string_free(str, FALSE);
rule->key = g_str_hash(rule->identifier);
FREE(rule->chain);
FREE(rule->ifname);
+ FREE(rule->target_str);
+ FREE(rule->log_prefix);
+ FREE(rule->nflog_prefix);
FREE(rule->identifier);
FREE(rule);
}
g_variant_builder_add(&sub_builder, "{sv}", RULE_TARGET,
g_variant_new_uint16(rule->target));
+ switch (rule->target) {
+ case STC_FW_RULE_TARGET_LOG:
+ g_variant_builder_add(&sub_builder, "{sv}", RULE_LOG_LEVEL,
+ g_variant_new_uint16(rule->log_level));
+
+ if (rule->log_prefix)
+ g_variant_builder_add(&sub_builder, "{sv}", RULE_LOG_PREFIX,
+ g_variant_new_string(rule->log_prefix));
+ break;
+ case STC_FW_RULE_TARGET_NFLOG:
+ g_variant_builder_add(&sub_builder, "{sv}", RULE_NFLOG_GROUP,
+ g_variant_new_uint16(rule->nflog_group));
+
+ if (rule->nflog_prefix)
+ g_variant_builder_add(&sub_builder, "{sv}", RULE_NFLOG_PREFIX,
+ g_variant_new_string(rule->nflog_prefix));
+
+ g_variant_builder_add(&sub_builder, "{sv}", RULE_NFLOG_RANGE,
+ g_variant_new_uint16(rule->nflog_range));
+
+ g_variant_builder_add(&sub_builder, "{sv}", RULE_NFLOG_THRESHOLD,
+ g_variant_new_uint16(rule->nflog_threshold));
+ break;
+ default:
+ break;
+ }
+
g_variant_builder_add(&sub_builder, "{sv}", RULE_IDENTIFIER,
g_variant_new_string(rule->identifier));
static void __fw_rule_set_to_chain(gpointer data, gpointer user_data)
{
- firewall_rule_s *info = (firewall_rule_s *)data;
+ firewall_rule_s *rule = (firewall_rule_s *)data;
char *chain = (char *)user_data;
- firewall_rule_s rule;
- if (chain && (g_strcmp0(info->chain, chain) != 0))
+ if (chain && (g_strcmp0(rule->chain, chain) != 0))
return;
- memset(&rule, 0, sizeof(firewall_rule_s));
- memcpy(&rule, info, sizeof(firewall_rule_s));
- rule.chain = g_strdup(info->chain);
- rule.ifname = g_strdup(info->ifname);
- switch (rule.target) {
+ switch (rule->target) {
case STC_FW_RULE_TARGET_ACCEPT:
- rule.target_str = g_strdup(FIREWALL_RULE_TARGET_ACCEPT);
+ FREE(rule->target_str);
+ rule->target_str = g_strdup(FIREWALL_RULE_TARGET_ACCEPT);
break;
case STC_FW_RULE_TARGET_DROP:
- rule.target_str = g_strdup(FIREWALL_RULE_TARGET_DROP);
+ FREE(rule->target_str);
+ rule->target_str = g_strdup(FIREWALL_RULE_TARGET_DROP);
break;
case STC_FW_RULE_TARGET_LOG:
- rule.target_str = g_strdup(FIREWALL_RULE_TARGET_LOG);
+ FREE(rule->target_str);
+ rule->target_str = g_strdup(FIREWALL_RULE_TARGET_LOG);
+ break;
+ case STC_FW_RULE_TARGET_NFLOG:
+ FREE(rule->target_str);
+ rule->target_str = g_strdup(FIREWALL_RULE_TARGET_NFLOG);
+ break;
+ default:
+ break;
+ }
+
+ firewall_rule_add(rule);
+}
+
+static void __fw_rule_print_rules(gpointer data, gpointer user_data)
+{
+ firewall_rule_s *rule = (firewall_rule_s *)data;
+
+ STC_LOGD("[%s][%d][%s][%d][%d][%04x][%04x]"
+ "[%d][%04x][%04x][%d][%s][%d][%s][%d][%d]",
+ rule->chain, rule->direction, rule->ifname,
+ rule->protocol,
+ rule->s_port_type, rule->s_port1, rule->s_port2,
+ rule->d_port_type, rule->d_port1, rule->d_port2,
+ rule->target, rule->target_str,
+ rule->nflog_group, rule->nflog_prefix,
+ rule->nflog_range, rule->nflog_threshold);
+
+ switch (rule->family) {
+ case STC_FW_FAMILY_V4:
+ STC_LOGD("[%d][%d][%08x][%08x][%d][%08x][%08x]",
+ rule->family,
+ rule->s_ip_type, rule->s_ip1.Ipv4.s_addr, rule->s_ip2.Ipv4.s_addr,
+ rule->d_ip_type, rule->d_ip1.Ipv4.s_addr, rule->d_ip2.Ipv4.s_addr);
+ break;
+ case STC_FW_FAMILY_V6:
+ STC_LOGD("[%d][%d][%08x:%08x:%08x:%08x][%08x:%08x:%08x:%08x]"
+ "[%d][%08x:%08x:%08x:%08x][%08x:%08x:%08x:%08x]",
+ rule->family,
+ rule->s_ip_type,
+ rule->s_ip1.Ipv6.s6_addr32[0], rule->s_ip1.Ipv6.s6_addr32[1],
+ rule->s_ip1.Ipv6.s6_addr32[2], rule->s_ip1.Ipv6.s6_addr32[3],
+ rule->d_ip_type,
+ rule->d_ip1.Ipv6.s6_addr32[0], rule->d_ip1.Ipv6.s6_addr32[1],
+ rule->d_ip1.Ipv6.s6_addr32[2], rule->d_ip1.Ipv6.s6_addr32[3]);
break;
default:
break;
}
+}
- firewall_rule_add(&rule);
+static void __fw_foreach_to_print_rule(gpointer key, gpointer value,
+ gpointer user_data)
+{
+ stc_fw_data_s *data = (stc_fw_data_s *)value;
- FREE(rule.chain);
- FREE(rule.ifname);
- FREE(rule.target_str);
+ g_slist_foreach(data->rules, __fw_rule_print_rules, user_data);
}
static void __fw_foreach_to_make_rule_param(gpointer key, gpointer value,
return STC_ERROR_NONE;
}
-static stc_error_e __fw_rule_update(const firewall_rule_s *info)
+static stc_error_e __fw_rule_update(firewall_rule_s *info)
{
stc_fw_data_s *lookup;
GSList *rule_list;
static void __fw_rule_extract(const char *key, GVariant *value,
void *user_data)
{
- __STC_LOG_FUNC_ENTER__;
-
firewall_rule_s *rule = (firewall_rule_s *)user_data;
if (rule == NULL) {
__STC_LOG_FUNC_EXIT__;
STC_LOGD("%s: [%u]", RULE_FAMILY, rule->family);
} else if (g_strcmp0(key, RULE_SIP1) == 0) {
- guint str_length;
- const gchar *str = g_variant_get_string(value, &str_length);
- if (rule->family == STC_FW_FAMILY_V4) {
- inet_pton(AF_INET, str, &(rule->s_ip1.Ipv4));
- STC_LOGD("%s: [%08x]", RULE_SIP1, rule->s_ip1.Ipv4.s_addr);
- } else if (rule->family == STC_FW_FAMILY_V6) {
- inet_pton(AF_INET6, str, &(rule->s_ip1.Ipv6));
- STC_LOGD("%s: [%08x:%08x:%08x:%08x]", RULE_SIP1,
- rule->s_ip1.Ipv6.s6_addr32[0], rule->s_ip1.Ipv6.s6_addr32[1],
- rule->s_ip1.Ipv6.s6_addr32[2], rule->s_ip1.Ipv6.s6_addr32[3]);
+ if (rule->s_ip_type != STC_FW_IP_NONE) {
+ guint str_length;
+ const gchar *str = g_variant_get_string(value, &str_length);
+ if (rule->family == STC_FW_FAMILY_V4) {
+ inet_pton(AF_INET, str, &(rule->s_ip1.Ipv4));
+ STC_LOGD("%s: [%08x]", RULE_SIP1, rule->s_ip1.Ipv4.s_addr);
+ } else if (rule->family == STC_FW_FAMILY_V6) {
+ inet_pton(AF_INET6, str, &(rule->s_ip1.Ipv6));
+ STC_LOGD("%s: [%08x:%08x:%08x:%08x]", RULE_SIP1,
+ rule->s_ip1.Ipv6.s6_addr32[0], rule->s_ip1.Ipv6.s6_addr32[1],
+ rule->s_ip1.Ipv6.s6_addr32[2], rule->s_ip1.Ipv6.s6_addr32[3]);
+ }
}
} else if (g_strcmp0(key, RULE_SIP2) == 0) {
- guint str_length;
- const gchar *str = g_variant_get_string(value, &str_length);
- if (rule->family == STC_FW_FAMILY_V4) {
- inet_pton(AF_INET, str, &(rule->s_ip2.Ipv4));
- STC_LOGD("%s: [%08x]", RULE_SIP2, rule->s_ip2.Ipv4.s_addr);
- } else if (rule->family == STC_FW_FAMILY_V6) {
- inet_pton(AF_INET6, str, &(rule->s_ip2.Ipv6));
- STC_LOGD("%s: [%08x:%08x:%08x:%08x]", RULE_SIP2,
- rule->s_ip2.Ipv6.s6_addr32[0], rule->s_ip2.Ipv6.s6_addr32[1],
- rule->s_ip2.Ipv6.s6_addr32[2], rule->s_ip2.Ipv6.s6_addr32[3]);
+ if (rule->s_ip_type != STC_FW_IP_NONE) {
+ guint str_length;
+ const gchar *str = g_variant_get_string(value, &str_length);
+ if (rule->family == STC_FW_FAMILY_V4) {
+ inet_pton(AF_INET, str, &(rule->s_ip2.Ipv4));
+ STC_LOGD("%s: [%08x]", RULE_SIP2, rule->s_ip2.Ipv4.s_addr);
+ } else if (rule->family == STC_FW_FAMILY_V6) {
+ inet_pton(AF_INET6, str, &(rule->s_ip2.Ipv6));
+ STC_LOGD("%s: [%08x:%08x:%08x:%08x]", RULE_SIP2,
+ rule->s_ip2.Ipv6.s6_addr32[0], rule->s_ip2.Ipv6.s6_addr32[1],
+ rule->s_ip2.Ipv6.s6_addr32[2], rule->s_ip2.Ipv6.s6_addr32[3]);
+ }
}
} else if (g_strcmp0(key, RULE_DIP1) == 0) {
- guint str_length;
- const gchar *str = g_variant_get_string(value, &str_length);
- if (rule->family == STC_FW_FAMILY_V4) {
- inet_pton(AF_INET, str, &(rule->d_ip1.Ipv4));
- STC_LOGD("%s: [%08x]", RULE_DIP1, rule->d_ip1.Ipv4.s_addr);
- } else if (rule->family == STC_FW_FAMILY_V6) {
- inet_pton(AF_INET6, str, &(rule->d_ip1.Ipv6));
- STC_LOGD("%s: [%08x:%08x:%08x:%08x]", RULE_DIP1,
- rule->d_ip1.Ipv6.s6_addr32[0], rule->d_ip1.Ipv6.s6_addr32[1],
- rule->d_ip1.Ipv6.s6_addr32[2], rule->d_ip1.Ipv6.s6_addr32[3]);
+ if (rule->d_ip_type != STC_FW_IP_NONE) {
+ guint str_length;
+ const gchar *str = g_variant_get_string(value, &str_length);
+ if (rule->family == STC_FW_FAMILY_V4) {
+ inet_pton(AF_INET, str, &(rule->d_ip1.Ipv4));
+ STC_LOGD("%s: [%08x]", RULE_DIP1, rule->d_ip1.Ipv4.s_addr);
+ } else if (rule->family == STC_FW_FAMILY_V6) {
+ inet_pton(AF_INET6, str, &(rule->d_ip1.Ipv6));
+ STC_LOGD("%s: [%08x:%08x:%08x:%08x]", RULE_DIP1,
+ rule->d_ip1.Ipv6.s6_addr32[0], rule->d_ip1.Ipv6.s6_addr32[1],
+ rule->d_ip1.Ipv6.s6_addr32[2], rule->d_ip1.Ipv6.s6_addr32[3]);
+ }
}
} else if (g_strcmp0(key, RULE_DIP2) == 0) {
- guint str_length;
- const gchar *str = g_variant_get_string(value, &str_length);
- if (rule->family == STC_FW_FAMILY_V4) {
- inet_pton(AF_INET, str, &(rule->d_ip2.Ipv4));
- STC_LOGD("%s: [%08x]", RULE_DIP2, rule->d_ip2.Ipv4.s_addr);
- } else if (rule->family == STC_FW_FAMILY_V6) {
- inet_pton(AF_INET6, str, &(rule->d_ip2.Ipv6));
- STC_LOGD("%s: [%08x:%08x:%08x:%08x]", RULE_DIP2,
- rule->d_ip2.Ipv6.s6_addr32[0], rule->d_ip2.Ipv6.s6_addr32[1],
- rule->d_ip2.Ipv6.s6_addr32[2], rule->d_ip2.Ipv6.s6_addr32[3]);
+ if (rule->d_ip_type != STC_FW_IP_NONE) {
+ guint str_length;
+ const gchar *str = g_variant_get_string(value, &str_length);
+ if (rule->family == STC_FW_FAMILY_V4) {
+ inet_pton(AF_INET, str, &(rule->d_ip2.Ipv4));
+ STC_LOGD("%s: [%08x]", RULE_DIP2, rule->d_ip2.Ipv4.s_addr);
+ } else if (rule->family == STC_FW_FAMILY_V6) {
+ inet_pton(AF_INET6, str, &(rule->d_ip2.Ipv6));
+ STC_LOGD("%s: [%08x:%08x:%08x:%08x]", RULE_DIP2,
+ rule->d_ip2.Ipv6.s6_addr32[0], rule->d_ip2.Ipv6.s6_addr32[1],
+ rule->d_ip2.Ipv6.s6_addr32[2], rule->d_ip2.Ipv6.s6_addr32[3]);
+ }
}
} else if (g_strcmp0(key, RULE_SPORT1) == 0) {
- rule->s_port1 = g_variant_get_uint32(value);
- STC_LOGD("%s: [%04x]", RULE_SPORT1, rule->s_port1);
+ if (rule->s_port_type != STC_FW_PORT_NONE) {
+ rule->s_port1 = g_variant_get_uint32(value);
+ STC_LOGD("%s: [%04x]", RULE_SPORT1, rule->s_port1);
+ }
} else if (g_strcmp0(key, RULE_SPORT2) == 0) {
- rule->s_port2 = g_variant_get_uint32(value);
- STC_LOGD("%s: [%04x]", RULE_SPORT2, rule->s_port2);
+ if (rule->s_port_type != STC_FW_PORT_NONE) {
+ rule->s_port2 = g_variant_get_uint32(value);
+ STC_LOGD("%s: [%04x]", RULE_SPORT2, rule->s_port2);
+ }
} else if (g_strcmp0(key, RULE_DPORT1) == 0) {
- rule->d_port1 = g_variant_get_uint32(value);
- STC_LOGD("%s: [%04x]", RULE_DPORT1, rule->d_port1);
+ if (rule->s_port_type != STC_FW_PORT_NONE) {
+ rule->d_port1 = g_variant_get_uint32(value);
+ STC_LOGD("%s: [%04x]", RULE_DPORT1, rule->d_port1);
+ }
} else if (g_strcmp0(key, RULE_DPORT2) == 0) {
- rule->d_port2 = g_variant_get_uint32(value);
- STC_LOGD("%s: [%04x]", RULE_DPORT2, rule->d_port2);
+ if (rule->d_port_type != STC_FW_PORT_NONE) {
+ rule->d_port2 = g_variant_get_uint32(value);
+ STC_LOGD("%s: [%04x]", RULE_DPORT2, rule->d_port2);
+ }
} else if (g_strcmp0(key, RULE_IFNAME) == 0) {
- guint str_length;
- const gchar *str = g_variant_get_string(value, &str_length);
- rule->ifname = g_strdup(str);
- STC_LOGD("%s: [%s]", RULE_IFNAME, rule->ifname);
+ if (rule->direction != STC_FW_DIRECTION_NONE) {
+ guint str_length;
+ const gchar *str = g_variant_get_string(value, &str_length);
+ rule->ifname = g_strdup(str);
+ STC_LOGD("%s: [%s]", RULE_IFNAME, rule->ifname);
+ }
} else if (g_strcmp0(key, RULE_TARGET) == 0) {
rule->target = g_variant_get_uint16(value);
STC_LOGD("%s: [%u]", RULE_TARGET, rule->target);
+ } else if (g_strcmp0(key, RULE_LOG_LEVEL) == 0) {
+ if (rule->target == STC_FW_RULE_TARGET_LOG) {
+ rule->log_level = g_variant_get_uint16(value);
+ STC_LOGD("%s: [%u]", RULE_LOG_LEVEL, rule->log_level);
+ }
+
+ } else if (g_strcmp0(key, RULE_LOG_PREFIX) == 0) {
+ if (rule->target == STC_FW_RULE_TARGET_LOG) {
+ guint str_length;
+ const gchar *str = g_variant_get_string(value, &str_length);
+ rule->log_prefix = g_strdup(str);
+ STC_LOGD("%s: [%s]", RULE_LOG_PREFIX, rule->log_prefix);
+ }
+
+ } else if (g_strcmp0(key, RULE_NFLOG_GROUP) == 0) {
+ if (rule->target == STC_FW_RULE_TARGET_NFLOG) {
+ rule->nflog_group = g_variant_get_uint16(value);
+ STC_LOGD("%s: [%u]", RULE_NFLOG_GROUP, rule->nflog_group);
+ }
+
+ } else if (g_strcmp0(key, RULE_NFLOG_PREFIX) == 0) {
+ if (rule->target == STC_FW_RULE_TARGET_NFLOG) {
+ guint str_length;
+ const gchar *str = g_variant_get_string(value, &str_length);
+ rule->nflog_prefix = g_strdup(str);
+ STC_LOGD("%s: [%s]", RULE_NFLOG_PREFIX, rule->nflog_prefix);
+ }
+
+ } else if (g_strcmp0(key, RULE_NFLOG_RANGE) == 0) {
+ if (rule->target == STC_FW_RULE_TARGET_NFLOG) {
+ rule->nflog_range = g_variant_get_uint16(value);
+ STC_LOGD("%s: [%u]", RULE_NFLOG_RANGE, rule->nflog_range);
+ }
+
+ } else if (g_strcmp0(key, RULE_NFLOG_THRESHOLD) == 0) {
+ if (rule->target == STC_FW_RULE_TARGET_NFLOG) {
+ rule->nflog_threshold = g_variant_get_uint16(value);
+ STC_LOGD("%s: [%u]", RULE_NFLOG_THRESHOLD, rule->nflog_threshold);
+ }
+
} else if (g_strcmp0(key, RULE_IDENTIFIER) == 0) {
guint str_length;
const gchar *str = g_variant_get_string(value, &str_length);
} else {
STC_LOGD("Unknown rule [%s]", key);
}
-
- __STC_LOG_FUNC_EXIT__;
}
gboolean __validate_fw_rule(firewall_rule_s *rule)
return FALSE;
}
+ if (rule->target == STC_FW_RULE_TARGET_LOG &&
+ (rule->log_prefix == NULL ||
+ rule->log_prefix[0] == '\0')) {
+ __STC_LOG_FUNC_EXIT__;
+ return FALSE;
+ }
+
+ if (rule->target == STC_FW_RULE_TARGET_NFLOG &&
+ (rule->nflog_prefix == NULL ||
+ rule->nflog_prefix[0] == '\0')) {
+ __STC_LOG_FUNC_EXIT__;
+ return FALSE;
+ }
+
__STC_LOG_FUNC_EXIT__;
return TRUE;
}
STC_FIREWALL_CHECK_LOCK_STATE(invocation);
if (chain == NULL ||
- target > STC_FW_CHAIN_TARGET_OUTPUT) {
+ target >= STC_FW_CHAIN_TARGET_MAX) {
STC_FIREWALL_DBUS_REPLY_ERROR(invocation,
STC_ERROR_INVALID_PARAMETER);
__STC_LOG_FUNC_EXIT__;
}
__fw_chain_foreach(__fw_foreach_to_set_rule_to_chain, chain);
-
ret = firewall_chain_set(&info);
if (ret != STC_ERROR_NONE) {
STC_FIREWALL_DBUS_REPLY_ERROR(invocation, ret);
builder = g_variant_builder_new(G_VARIANT_TYPE("aa{sv}"));
__fw_chain_foreach(__fw_foreach_to_make_rule_param, builder);
+ __fw_chain_foreach(__fw_foreach_to_print_rule, NULL);
return_parameters = g_variant_new("(aa{sv})", builder);
g_variant_builder_unref(builder);