]> git.ipfire.org Git - thirdparty/systemd.git/blob - src/shared/firewall-util.c
projects / thirdparty / systemd.git / blob
? search:


c142b2e9a1752ac97690fcd48f76d2f9d1ef748c
[thirdparty/systemd.git] / src / shared / firewall-util.c
1 /* SPDX-License-Identifier: LGPL-2.1+ */
2
3 /* Temporary work-around for broken glibc vs. linux kernel header definitions
4 * This is already fixed upstream, remove this when distributions have updated.
5 */
6 #define _NET_IF_H 1
7
8 #include <arpa/inet.h>
9 #include <endian.h>
10 #include <errno.h>
11 #include <stddef.h>
12 #include <string.h>
13 #include <sys/socket.h>
14 #include <net/if.h>
15 #ifndef IFNAMSIZ
16 #define IFNAMSIZ 16
17 #endif
18 #include <linux/if.h>
19 #include <linux/netfilter_ipv4/ip_tables.h>
20 #include <linux/netfilter/nf_nat.h>
21 #include <linux/netfilter/xt_addrtype.h>
22 #include <libiptc/libiptc.h>
23
24 #include "alloc-util.h"
25 #include "firewall-util.h"
26 #include "in-addr-util.h"
27 #include "macro.h"
28 #include "socket-util.h"
29
30 DEFINE_TRIVIAL_CLEANUP_FUNC(struct xtc_handle*, iptc_free);
31
32 static int entry_fill_basics(
33 struct ipt_entry *entry,
34 int protocol,
35 const char *in_interface,
36 const union in_addr_union *source,
37 unsigned source_prefixlen,
38 const char *out_interface,
39 const union in_addr_union *destination,
40 unsigned destination_prefixlen) {
41
42 assert(entry);
43
44 if (out_interface && !ifname_valid(out_interface))
45 return -EINVAL;
46 if (in_interface && !ifname_valid(in_interface))
47 return -EINVAL;
48
49 entry->ip.proto = protocol;
50
51 if (in_interface) {
52 size_t l;
53
54 l = strlen(in_interface);
55 assert(l < sizeof entry->ip.iniface);
56 assert(l < sizeof entry->ip.iniface_mask);
57
58 strcpy(entry->ip.iniface, in_interface);
59 memset(entry->ip.iniface_mask, 0xFF, l + 1);
60 }
61 if (source) {
62 entry->ip.src = source->in;
63 in4_addr_prefixlen_to_netmask(&entry->ip.smsk, source_prefixlen);
64 }
65
66 if (out_interface) {
67 size_t l = strlen(out_interface);
68 assert(l < sizeof entry->ip.outiface);
69 assert(l < sizeof entry->ip.outiface_mask);
70
71 strcpy(entry->ip.outiface, out_interface);
72 memset(entry->ip.outiface_mask, 0xFF, l + 1);
73 }
74 if (destination) {
75 entry->ip.dst = destination->in;
76 in4_addr_prefixlen_to_netmask(&entry->ip.dmsk, destination_prefixlen);
77 }
78
79 return 0;
80 }
81
82 int fw_add_masquerade(
83 bool add,
84 int af,
85 int protocol,
86 const union in_addr_union *source,
87 unsigned source_prefixlen,
88 const char *out_interface,
89 const union in_addr_union *destination,
90 unsigned destination_prefixlen) {
91
92 static const xt_chainlabel chain = "POSTROUTING";
93 _cleanup_(iptc_freep) struct xtc_handle *h = NULL;
94 struct ipt_entry *entry, *mask;
95 struct ipt_entry_target *t;
96 size_t sz;
97 struct nf_nat_ipv4_multi_range_compat *mr;
98 int r;
99
100 if (af != AF_INET)
101 return -EOPNOTSUPP;
102
103 if (!IN_SET(protocol, 0, IPPROTO_TCP, IPPROTO_UDP))
104 return -EOPNOTSUPP;
105
106 h = iptc_init("nat");
107 if (!h)
108 return -errno;
109
110 sz = XT_ALIGN(sizeof(struct ipt_entry)) +
111 XT_ALIGN(sizeof(struct ipt_entry_target)) +
112 XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
113
114 /* Put together the entry we want to add or remove */
115 entry = alloca0(sz);
116 entry->next_offset = sz;
117 entry->target_offset = XT_ALIGN(sizeof(struct ipt_entry));
118 r = entry_fill_basics(entry, protocol, NULL, source, source_prefixlen, out_interface, destination, destination_prefixlen);
119 if (r < 0)
120 return r;
121
122 /* Fill in target part */
123 t = ipt_get_target(entry);
124 t->u.target_size =
125 XT_ALIGN(sizeof(struct ipt_entry_target)) +
126 XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
127 strncpy(t->u.user.name, "MASQUERADE", sizeof(t->u.user.name));
128 mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
129 mr->rangesize = 1;
130
131 /* Create a search mask entry */
132 mask = alloca(sz);
133 memset(mask, 0xFF, sz);
134
135 if (add) {
136 if (iptc_check_entry(chain, entry, (unsigned char*) mask, h))
137 return 0;
138 if (errno != ENOENT) /* if other error than not existing yet, fail */
139 return -errno;
140
141 if (!iptc_insert_entry(chain, entry, 0, h))
142 return -errno;
143 } else {
144 if (!iptc_delete_entry(chain, entry, (unsigned char*) mask, h)) {
145 if (errno == ENOENT) /* if it's already gone, all is good! */
146 return 0;
147
148 return -errno;
149 }
150 }
151
152 if (!iptc_commit(h))
153 return -errno;
154
155 return 0;
156 }
157
158 int fw_add_local_dnat(
159 bool add,
160 int af,
161 int protocol,
162 const char *in_interface,
163 const union in_addr_union *source,
164 unsigned source_prefixlen,
165 const union in_addr_union *destination,
166 unsigned destination_prefixlen,
167 uint16_t local_port,
168 const union in_addr_union *remote,
169 uint16_t remote_port,
170 const union in_addr_union *previous_remote) {
171
172 static const xt_chainlabel chain_pre = "PREROUTING", chain_output = "OUTPUT";
173 _cleanup_(iptc_freep) struct xtc_handle *h = NULL;
174 struct ipt_entry *entry, *mask;
175 struct ipt_entry_target *t;
176 struct ipt_entry_match *m;
177 struct xt_addrtype_info_v1 *at;
178 struct nf_nat_ipv4_multi_range_compat *mr;
179 size_t sz, msz;
180 int r;
181
182 assert(add || !previous_remote);
183
184 if (af != AF_INET)
185 return -EOPNOTSUPP;
186
187 if (!IN_SET(protocol, IPPROTO_TCP, IPPROTO_UDP))
188 return -EOPNOTSUPP;
189
190 if (local_port <= 0)
191 return -EINVAL;
192
193 if (remote_port <= 0)
194 return -EINVAL;
195
196 h = iptc_init("nat");
197 if (!h)
198 return -errno;
199
200 sz = XT_ALIGN(sizeof(struct ipt_entry)) +
201 XT_ALIGN(sizeof(struct ipt_entry_match)) +
202 XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
203 XT_ALIGN(sizeof(struct ipt_entry_target)) +
204 XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
205
206 if (protocol == IPPROTO_TCP)
207 msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
208 XT_ALIGN(sizeof(struct xt_tcp));
209 else
210 msz = XT_ALIGN(sizeof(struct ipt_entry_match)) +
211 XT_ALIGN(sizeof(struct xt_udp));
212
213 sz += msz;
214
215 /* Fill in basic part */
216 entry = alloca0(sz);
217 entry->next_offset = sz;
218 entry->target_offset =
219 XT_ALIGN(sizeof(struct ipt_entry)) +
220 XT_ALIGN(sizeof(struct ipt_entry_match)) +
221 XT_ALIGN(sizeof(struct xt_addrtype_info_v1)) +
222 msz;
223 r = entry_fill_basics(entry, protocol, in_interface, source, source_prefixlen, NULL, destination, destination_prefixlen);
224 if (r < 0)
225 return r;
226
227 /* Fill in first match */
228 m = (struct ipt_entry_match*) ((uint8_t*) entry + XT_ALIGN(sizeof(struct ipt_entry)));
229 m->u.match_size = msz;
230 if (protocol == IPPROTO_TCP) {
231 struct xt_tcp *tcp;
232
233 strncpy(m->u.user.name, "tcp", sizeof(m->u.user.name));
234 tcp = (struct xt_tcp*) m->data;
235 tcp->dpts[0] = tcp->dpts[1] = local_port;
236 tcp->spts[0] = 0;
237 tcp->spts[1] = 0xFFFF;
238
239 } else {
240 struct xt_udp *udp;
241
242 strncpy(m->u.user.name, "udp", sizeof(m->u.user.name));
243 udp = (struct xt_udp*) m->data;
244 udp->dpts[0] = udp->dpts[1] = local_port;
245 udp->spts[0] = 0;
246 udp->spts[1] = 0xFFFF;
247 }
248
249 /* Fill in second match */
250 m = (struct ipt_entry_match*) ((uint8_t*) entry + XT_ALIGN(sizeof(struct ipt_entry)) + msz);
251 m->u.match_size =
252 XT_ALIGN(sizeof(struct ipt_entry_match)) +
253 XT_ALIGN(sizeof(struct xt_addrtype_info_v1));
254 strncpy(m->u.user.name, "addrtype", sizeof(m->u.user.name));
255 m->u.user.revision = 1;
256 at = (struct xt_addrtype_info_v1*) m->data;
257 at->dest = XT_ADDRTYPE_LOCAL;
258
259 /* Fill in target part */
260 t = ipt_get_target(entry);
261 t->u.target_size =
262 XT_ALIGN(sizeof(struct ipt_entry_target)) +
263 XT_ALIGN(sizeof(struct nf_nat_ipv4_multi_range_compat));
264 strncpy(t->u.user.name, "DNAT", sizeof(t->u.user.name));
265 mr = (struct nf_nat_ipv4_multi_range_compat*) t->data;
266 mr->rangesize = 1;
267 mr->range[0].flags = NF_NAT_RANGE_PROTO_SPECIFIED|NF_NAT_RANGE_MAP_IPS;
268 mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
269 if (protocol == IPPROTO_TCP)
270 mr->range[0].min.tcp.port = mr->range[0].max.tcp.port = htobe16(remote_port);
271 else
272 mr->range[0].min.udp.port = mr->range[0].max.udp.port = htobe16(remote_port);
273
274 mask = alloca0(sz);
275 memset(mask, 0xFF, sz);
276
277 if (add) {
278 /* Add the PREROUTING rule, if it is missing so far */
279 if (!iptc_check_entry(chain_pre, entry, (unsigned char*) mask, h)) {
280 if (errno != ENOENT)
281 return -EINVAL;
282
283 if (!iptc_insert_entry(chain_pre, entry, 0, h))
284 return -errno;
285 }
286
287 /* If a previous remote is set, remove its entry */
288 if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
289 mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;
290
291 if (!iptc_delete_entry(chain_pre, entry, (unsigned char*) mask, h)) {
292 if (errno != ENOENT)
293 return -errno;
294 }
295
296 mr->range[0].min_ip = mr->range[0].max_ip = remote->in.s_addr;
297 }
298
299 /* Add the OUTPUT rule, if it is missing so far */
300 if (!in_interface) {
301
302 /* Don't apply onto loopback addresses */
303 if (!destination) {
304 entry->ip.dst.s_addr = htobe32(0x7F000000);
305 entry->ip.dmsk.s_addr = htobe32(0xFF000000);
306 entry->ip.invflags = IPT_INV_DSTIP;
307 }
308
309 if (!iptc_check_entry(chain_output, entry, (unsigned char*) mask, h)) {
310 if (errno != ENOENT)
311 return -errno;
312
313 if (!iptc_insert_entry(chain_output, entry, 0, h))
314 return -errno;
315 }
316
317 /* If a previous remote is set, remove its entry */
318 if (previous_remote && previous_remote->in.s_addr != remote->in.s_addr) {
319 mr->range[0].min_ip = mr->range[0].max_ip = previous_remote->in.s_addr;
320
321 if (!iptc_delete_entry(chain_output, entry, (unsigned char*) mask, h)) {
322 if (errno != ENOENT)
323 return -errno;
324 }
325 }
326 }
327 } else {
328 if (!iptc_delete_entry(chain_pre, entry, (unsigned char*) mask, h)) {
329 if (errno != ENOENT)
330 return -errno;
331 }
332
333 if (!in_interface) {
334 if (!destination) {
335 entry->ip.dst.s_addr = htobe32(0x7F000000);
336 entry->ip.dmsk.s_addr = htobe32(0xFF000000);
337 entry->ip.invflags = IPT_INV_DSTIP;
338 }
339
340 if (!iptc_delete_entry(chain_output, entry, (unsigned char*) mask, h)) {
341 if (errno != ENOENT)
342 return -errno;
343 }
344 }
345 }
346
347 if (!iptc_commit(h))
348 return -errno;
349
350 return 0;
351 }
Unnamed repository; edit this file 'description' to name the repository.