]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/firewall-util.c
projects / thirdparty / systemd.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
core: hook up MountFlags= to the transient unit logic
[thirdparty/systemd.git] / src / shared / firewall-util.c
1 /***
2 This file is part of systemd.
3
4 Copyright 2015 Lennart Poettering
5
6 systemd is free software; you can redistribute it and/or modify it
7 under the terms of the GNU Lesser General Public License as published by
8 the Free Software Foundation; either version 2.1 of the License, or
9 (at your option) any later version.
10
11 systemd is distributed in the hope that it will be useful, but
12 WITHOUT ANY WARRANTY; without even the implied warranty of
13 MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
14 Lesser General Public License for more details.
15
16 You should have received a copy of the GNU Lesser General Public License
17 along with systemd; If not, see <http://www.gnu.org/licenses/>.
18 ***/
19
20 /* Temporary work-around for broken glibc vs. linux kernel header definitions
21 * This is already fixed upstream, remove this when distributions have updated.
22 */
23 #define _NET_IF_H 1
24
25 #include <alloca.h>
26 #include <arpa/inet.h>
27 #include <endian.h>
28 #include <errno.h>
29 #include <stddef.h>
30 #include <string.h>
31 #include <sys/socket.h>
32 #include <net/if.h>
33 #ifndef IFNAMSIZ
34 #define IFNAMSIZ 16
35 #endif
36 #include <linux/if.h>
37 #include <linux/netfilter_ipv4/ip_tables.h>
38 #include <linux/netfilter/nf_nat.h>
39 #include <linux/netfilter/xt_addrtype.h>
40 #include <libiptc/libiptc.h>
41
42 #include "alloc-util.h"
43 #include "firewall-util.h"
44 #include "in-addr-util.h"
45 #include "macro.h"
46 #include "socket-util.h"
47
48 DEFINE_TRIVIAL_CLEANUP_FUNC(struct xtc_handle*, iptc_free);
49
50 static int entry_fill_basics(
51 struct ipt_entry *entry,
52 int protocol,
53 const char *in_interface,
54 const union in_addr_union *source,
55 unsigned source_prefixlen,
56 const char *out_interface,
57 const union in_addr_union *destination,
58 unsigned destination_prefixlen) {
59
60 assert(entry);
61
62 if (out_interface && !ifname_valid(out_interface))
63 return -EINVAL;
64 if (in_interface && !ifname_valid(in_interface))
65 return -EINVAL;
66
67 entry->ip.proto = protocol;
68
69 if (in_interface) {
70 strcpy(entry->ip.iniface, in_interface);
71 memset(entry->ip.iniface_mask, 0xFF, strlen(in_interface)+1);
72 }
73 if (source) {
74 entry->ip.src = source->in;
75 in_addr_prefixlen_to_netmask(&entry->ip.smsk, source_prefixlen);
76 }
77
78 if (out_interface) {
79 strcpy(entry->ip.outiface, out_interface);
80 memset(entry->ip.outiface_mask, 0xFF, strlen(out_interface)+1);
81 }
82 if (destination) {
83 entry->ip.dst = destination->in;
84 in_addr_prefixlen_to_netmask(&entry->ip.dmsk, destination_prefixlen);
85 }
86
87 return 0;
88 }
89
90 int fw_add_masquerade(
91 bool add,
92 int af,
93 int protocol,
94 const union in_addr_union *source,
95 unsigned source_prefixlen,
96 const char *out_interface,
97 const union in_addr_union *destination,
98 unsigned destination_prefixlen) {
99
100 _cleanup_(iptc_freep) struct xtc_handle *h = NULL;
101 struct ipt_entry *entry, *mask;
102 struct ipt_entry_target *t;
103 size_t sz;
104 struct nf_nat_ipv4_multi_range_compat *mr;
105 int r;
106
107 if (af != AF_INET)
108 return -EOPNOTSUPP;
109
110 if (protocol != 0 && protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
111 return -EOPNOTSUPP;
112
113 h = iptc_init("nat");
114 if (!h)
115 return -errno;
116
117 sz = XT_ALIGN(sizeof(struct ipt_entry)) +
118 XT_ALIGN(sizeof(struct ipt_entry_target)) +
119 XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
120
121 /* Put together the entry we want to add or remove */
122 entry = alloca0(sz);
123 entry->next_offset = sz;
124 entry->target_offset = XT_ALIGN(sizeof(struct ipt_entry));
125 r = entry_fill_basics(entry, protocol, NULL, source, source_prefixlen, out_interface, destination, destination_prefixlen);
126 if (r < 0)
127 return r;
128
129 /* Fill in target part */
130 t = ipt_get_target(entry);
131 t->u.target_size =
132 XT_ALIGN(sizeof(struct ipt_entry_target)) +
133 XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
134 strncpy(t->u.user.name, "MASQUERADE", sizeof(t->u.user.name));
135 mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
136 mr->rangesize = 1;
137
138 /* Create a search mask entry */
139 mask = alloca(sz);
140 memset(mask, 0xFF, sz);
141
142 if (add) {
143 if (iptc_check_entry("POSTROUTING", entry, (unsigned char*) mask, h))
144 return 0;
145 if (errno != ENOENT) /* if other error than not existing yet, fail */
146 return -errno;
147
148 if (!iptc_insert_entry("POSTROUTING", entry, 0, h))
149 return -errno;
150 } else {
151 if (!iptc_delete_entry("POSTROUTING", entry, (unsigned char*) mask, h)) {
152 if (errno == ENOENT) /* if it's already gone, all is good! */
153 return 0;
154
155 return -errno;
156 }
157 }
158
159 if (!iptc_commit(h))
160 return -errno;
161
162 return 0;
163 }
164
165 int fw_add_local_dnat(
166 bool add,
167 int af,
168 int protocol,
169 const char *in_interface,
170 const union in_addr_union *source,
171 unsigned source_prefixlen,
172 const union in_addr_union *destination,
173 unsigned destination_prefixlen,
174 uint16_t local_port,
175 const union in_addr_union *remote,
176 uint16_t remote_port,
177 const union in_addr_union *previous_remote) {
178
179
180 _cleanup_(iptc_freep) struct xtc_handle *h = NULL;
181 struct ipt_entry *entry, *mask;
182 struct ipt_entry_target *t;
183 struct ipt_entry_match *m;
184 struct xt_addrtype_info_v1 *at;
185 struct nf_nat_ipv4_multi_range_compat *mr;
186 size_t sz, msz;
187 int r;
188
189 assert(add || !previous_remote);
190
191 if (af != AF_INET)
192 return -EOPNOTSUPP;
193
194 if (protocol != IPPROTO_TCP && protocol != IPPROTO_UDP)
195 return -EOPNOTSUPP;
196
197 if (local_port <= 0)
198 return -EINVAL;
199
200 if (remote_port <= 0)
201 return -EINVAL;
202
203 h = iptc_init("nat");
204 if (!h)
205 return -errno;
206
207 sz = XT_ALIGN(sizeof(struct ipt_entry)) +
208 XT_ALIGN(sizeof(struct ipt_entry_match)) +
209 XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
210 XT_ALIGN(sizeof(struct ipt_entry_target)) +
211 XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
212
213 if (protocol == IPPROTO_TCP)
214 msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
215 XT_ALIGN(sizeof(struct xt_tcp));
216 else
217 msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
218 XT_ALIGN(sizeof(struct xt_udp));
219
220 sz += msz;
221
222 /* Fill in basic part */
223 entry = alloca0(sz);
224 entry->next_offset = sz;
225 entry->target_offset =
226 XT_ALIGN(sizeof(struct ipt_entry)) +
227 XT_ALIGN(sizeof(struct ipt_entry_match)) +
228 XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
229 msz;
230 r = entry_fill_basics(entry, protocol, in_interface, source, source_prefixlen, NULL, destination, destination_prefixlen);
231 if (r < 0)
232 return r;
233
234 /* Fill in first match */
235 m = (struct ipt_entry_match*) ((uint8_t*) entry + XT_ALIGN(sizeof(struct ipt_entry)));
236 m->u.match_size = msz;
237 if (protocol == IPPROTO_TCP) {
238 struct xt_tcp *tcp;
239
240 strncpy(m->u.user.name, "tcp", sizeof(m->u.user.name));
241 tcp = (struct xt_tcp*) m->data;
242 tcp->dpts[0] = tcp->dpts[1] = local_port;
243 tcp->spts[0] = 0;
244 tcp->spts[1] = 0xFFFF;
245
246 } else {
247 struct xt_udp *udp;
248
249 strncpy(m->u.user.name, "udp", sizeof(m->u.user.name));
250 udp = (struct xt_udp*) m->data;
251 udp->dpts[0] = udp->dpts[1] = local_port;
252 udp->spts[0] = 0;
253 udp->spts[1] = 0xFFFF;
254 }
255
256 /* Fill in second match */
257 m = (struct ipt_entry_match*) ((uint8_t*) entry + XT_ALIGN(sizeof(struct ipt_entry)) + msz);
258 m->u.match_size =
259 XT_ALIGN(sizeof(struct ipt_entry_match)) +
260 XT_ALIGN(sizeof(struct xt_addrtype_info_v1));
261 strncpy(m->u.user.name, "addrtype", sizeof(m->u.user.name));
262 m->u.user.revision = 1;
263 at = (struct xt_addrtype_info_v1*) m->data;
264 at->dest = XT_ADDRTYPE_LOCAL;
265
266 /* Fill in target part */
267 t = ipt_get_target(entry);
268 t->u.target_size =
269 XT_ALIGN(sizeof(struct ipt_entry_target)) +
270 XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
271 strncpy(t->u.user.name, "DNAT", sizeof(t->u.user.name));
272 mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
273 mr->rangesize = 1;
274 mr->range[0].flags = NF_NAT_RANGE_PROTO_SPECIFIED|NF_NAT_RANGE_MAP_IPS;
275 mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
276 if (protocol == IPPROTO_TCP)
277 mr->range[0].min.tcp.port = mr->range[0].max.tcp.port = htons(remote_port);
278 else
279 mr->range[0].min.udp.port = mr->range[0].max.udp.port = htons(remote_port);
280
281 mask = alloca0(sz);
282 memset(mask, 0xFF, sz);
283
284 if (add) {
285 /* Add the PREROUTING rule, if it is missing so far */
286 if (!iptc_check_entry("PREROUTING", entry, (unsigned char*) mask, h)) {
287 if (errno != ENOENT)
288 return -EINVAL;
289
290 if (!iptc_insert_entry("PREROUTING", entry, 0, h))
291 return -errno;
292 }
293
294 /* If a previous remote is set, remove its entry */
295 if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
296 mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;
297
298 if (!iptc_delete_entry("PREROUTING", entry, (unsigned char*) mask, h)) {
299 if (errno != ENOENT)
300 return -errno;
301 }
302
303 mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
304 }
305
306 /* Add the OUTPUT rule, if it is missing so far */
307 if (!in_interface) {
308
309 /* Don't apply onto loopback addresses */
310 if (!destination) {
311 entry->ip.dst.s_addr = htobe32(0x7F000000);
312 entry->ip.dmsk.s_addr = htobe32(0xFF000000);
313 entry->ip.invflags = IPT_INV_DSTIP;
314 }
315
316 if (!iptc_check_entry("OUTPUT", entry, (unsigned char*) mask, h)) {
317 if (errno != ENOENT)
318 return -errno;
319
320 if (!iptc_insert_entry("OUTPUT", entry, 0, h))
321 return -errno;
322 }
323
324 /* If a previous remote is set, remove its entry */
325 if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
326 mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;
327
328 if (!iptc_delete_entry("OUTPUT", entry, (unsigned char*) mask, h)) {
329 if (errno != ENOENT)
330 return -errno;
331 }
332 }
333 }
334 } else {
335 if (!iptc_delete_entry("PREROUTING", entry, (unsigned char*) mask, h)) {
336 if (errno != ENOENT)
337 return -errno;
338 }
339
340 if (!in_interface) {
341 if (!destination) {
342 entry->ip.dst.s_addr = htobe32(0x7F000000);
343 entry->ip.dmsk.s_addr = htobe32(0xFF000000);
344 entry->ip.invflags = IPT_INV_DSTIP;
345 }
346
347 if (!iptc_delete_entry("OUTPUT", entry, (unsigned char*) mask, h)) {
348 if (errno != ENOENT)
349 return -errno;
350 }
351 }
352 }
353
354 if (!iptc_commit(h))
355 return -errno;
356
357 return 0;
358 }
Unnamed repository; edit this file 'description' to name the repository.