/*

  Firewall Builder

  Copyright (C) 2007 NetCitadel, LLC

  Author:  Vadim Kurland     vadim@fwbuilder.org

  This program is free software which we release under the GNU General Public
  License. You may redistribute and/or modify this program under the terms
  of that license as published by the Free Software Foundation; either
  version 2 of the License, or (at your option) any later version.

  This program is distributed in the hope that it will be useful,
  but WITHOUT ANY WARRANTY; without even the implied warranty of
  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
  GNU General Public License for more details.

  To get a copy of the GNU General Public License, write to the Free Software
  Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA

*/


#ifndef _FWB_POLICY_IMPORTER_IPT_H_
#define _FWB_POLICY_IMPORTER_IPT_H_

#include <map>
#include <list>
#include <string>
#include <functional>
#include <sstream>

#include "Importer.h"

#include "fwbuilder/libfwbuilder-config.h"
#include "fwbuilder/Logger.h"
#include "fwbuilder/Policy.h"
#include "fwbuilder/NAT.h"

#include <QString>
#include <QStringList>
#include <QMap>


// Importer specialisation for iptables.
//
// Builds libfwbuilder Policy and NAT rules (pushPolicyRule() /
// pushNATRule()) from the iptables text handed to the constructor as
// 'input'.  The public data members below are the parser's scratch
// state: grammar actions fill them in while one rule is being read and
// the push*Rule() methods turn them into objects.
//
// NOTE(review): the input is a firewall configuration which, in
// practice, is usually produced on -- and copied from -- a machine other
// than the one running the importer; treat it as untrusted text.  This
// header does not say which members clear() resets.  If any per-rule
// field (the *_neg booleans, the iprange_* members, match_mark, the
// limit_* and nat_* strings) survives from one rule to the next, a later
// rule would silently inherit a match or a negation it never specified.
// Verify against the implementation of clear() and push*Rule().
class IPTImporter : public Importer
{

    // Presumably maps the argument of an iptables reject target to the
    // matching fwbuilder reject-action option -- confirm in the ctor.
    QMap<QString, QString> reject_action_arg_mapping;
    // Counter, presumably used by getBranchName() to make generated
    // branch names unique.  No in-class initialiser: the constructor
    // must set it.
    int aux_branch_number;

    // Build a TCP or UDP service object from explicit source and
    // destination port ranges; 'proto' selects which of the two.
    // (Ranges are taken by non-const reference although nothing here
    // suggests they are modified -- check the definition.)
    libfwbuilder::FWObject* createTCPUDPService(str_tuple &src_range,
                                                str_tuple &dst_range,
                                                const std::string &proto);

    // Same, presumably using the port lists accumulated in the public
    // members (src_port_list / dst_port_list / both_port_list).
    libfwbuilder::FWObject* createTCPUDPService(const std::string &proto);

    virtual libfwbuilder::FWObject* createTCPService(const QString &name="");
    virtual libfwbuilder::FWObject* createUDPService(const QString &name="");

    // Source / destination rule-element objects for the rule being
    // built; virtual, so presumably overriding the Importer base.
    virtual libfwbuilder::FWObject* makeSrcObj();
    virtual libfwbuilder::FWObject* makeDstObj();

    // Translation of "-m <module>" matches into rule options.  Each
    // add*Match() presumably consumes the corresponding public member
    // (match_mark, length_spec, limit_*, recent_match, pkt_type_spec).
    void processModuleMatches();
    void addAllModuleMatches(libfwbuilder::PolicyRule *rule);
    void addMarkMatch(libfwbuilder::PolicyRule *rule);
    void addLengthMatch(libfwbuilder::PolicyRule *rule);
    void addLimitMatch(libfwbuilder::PolicyRule *rule);
    void addRecentMatch(libfwbuilder::PolicyRule *rule);
    void addPktTypeMatch(libfwbuilder::PolicyRule *rule);
    void addStateMatch(libfwbuilder::PolicyRule *rule, const std::string &state);

    // Name for a generated branch rule set, derived from 'suffix'.
    std::string getBranchName(const std::string &suffix);

    // Turn 'rule' into a branching rule that jumps to 'branch_name'.
    // The exact effect of 'clear_rule_elements' and 'make_stateless' is
    // defined in the .cpp.
    libfwbuilder::PolicyRule* createPolicyBranch(
        libfwbuilder::PolicyRule *rule, const std::string &branch_name,
        bool clear_rule_elements, bool make_stateless);

    libfwbuilder::NATRule* createNATBranch(
        libfwbuilder::NATRule *rule, const std::string &branch_name,
        bool clear_rule_elements);

public:

    // Seed for generated service group names.  No in-class initialiser.
    int service_group_name_seed;

    // iptables table, chain and (presumably conntrack) state currently
    // being parsed.
    std::string current_table;
    std::string current_chain;
    std::string current_state;

    // Presumably the "-i", "-o" and "-j" arguments of the current rule.
    std::string i_intf;
    std::string o_intf;
    std::string target;

    // Scratch for the port range currently being read; moved into one
    // of the lists below by pushTmpPortSpecTo*PortList().
    std::string tmp_port_range_start;
    std::string tmp_port_range_end;

    // Port ranges collected from multi-port matches.
    std::list<str_tuple> src_port_list;
    std::list<str_tuple> dst_port_list;
    std::list<str_tuple> both_port_list;

    // Key/value parameters of the target (presumably "--option value"
    // pairs following "-j").
    std::map<std::string, std::string> action_params;

    // need to keep track of branches in 2.1
    // should not be necessary in 3.0 when multiple
    // rule can refer to the same branch ruleset
    //
    // NOTE(review): raw pointers; this header does not say who owns the
    // rule sets.  Presumably the firewall object tree does, so this map
    // must not delete them -- confirm before changing ~IPTImporter().
    std::map<std::string, UnidirectionalRuleSet*> branch_rulesets;

    // Presumably the "-m mark --mark" value and whether it carried "!".
    std::string match_mark;
    bool neg_match_mark;

    // Negation flags for the src/dst/service/interface rule elements;
    // tmp_neg presumably holds a "!" seen before the element is known.
    // Uninitialised here: the constructor / clear() must reset them,
    // otherwise a "!" from one rule could negate an element of the next.
    bool src_neg;
    bool dst_neg;
    bool srv_neg;
    bool intf_neg;
    bool tmp_neg;

    // Raw argument text of the limit, length, recent and pkttype matches.
    std::string limit_val;
    std::string limit_suffix;
    std::string limit_burst;
    std::string length_spec;
    std::string recent_match;
    std::string pkt_type_spec;

    // Arguments of the NAT target: presumably address (or address range
    // end points), netmask, and port range from --to-source /
    // --to-destination style options.
    std::string nat_addr1;
    std::string nat_addr2;
    std::string nat_nm;
    std::string nat_port_range_start;
    std::string nat_port_range_end;

    // "-m iprange" source / destination ranges; the using_* flags
    // presumably tell makeSrcObj()/makeDstObj() to use these instead of
    // a plain address.
    bool using_iprange_src;
    std::string iprange_src_from;
    std::string iprange_src_to;
    bool using_iprange_dst;
    std::string iprange_dst_from;
    std::string iprange_dst_to;

    // Most recently created mark rule; presumably non-owning.
    // Uninitialised here.
    libfwbuilder::PolicyRule *last_mark_rule;

    // 'lib' is the object library the created objects go into, 'input'
    // holds the iptables text to import, 'log' receives diagnostics and
    // 'fwname' names the resulting Firewall object.
    IPTImporter(libfwbuilder::FWObject *lib,
                std::istringstream &input,
                libfwbuilder::Logger *log,
                const std::string &fwname);
    ~IPTImporter();

    // Presumably parses the whole input.
    virtual void run();
    // Presumably resets per-rule state (see the note on the class about
    // which members this must cover).
    virtual void clear();

    // Multi-port handling: start*MultiPort() begins a list and each
    // pushTmpPortSpecTo*PortList() appends the tmp_port_range_* pair.
    void startSrcMultiPort();
    void pushTmpPortSpecToSrcPortList();

    void startDstMultiPort();
    void pushTmpPortSpecToDstPortList();

    void startBothMultiPort();
    void pushTmpPortSpecToBothPortList();

    // Materialise the collected state as a policy or NAT rule.
    void pushPolicyRule();
    void pushNATRule();

    virtual void addSrv();

    // Presumably dispatches to pushPolicyRule()/pushNATRule() depending
    // on current_table -- verify in the .cpp.
    virtual void pushRule();

    virtual UnidirectionalRuleSet* getUnidirRuleSet(
        const std::string &rsname, const std::string &ruleset_type_name);

    virtual UnidirectionalRuleSet* checkUnidirRuleSet(
        const std::string &rsname);

    virtual void newUnidirRuleSet(const std::string &name, const std::string &ruleset_type);

    // this method actually adds interfaces to the firewall object
    // and does final clean up.
    virtual libfwbuilder::Firewall* finalize();

    // Whether 'ipt_chain' is one of the chains iptables itself defines
    // (presumably as opposed to a user chain that becomes a branch).
    bool isStandardChain(const std::string &ipt_chain);

    // Record that 'table_name' appeared in the input.
    void registerTable(const std::string &table_name);

    // Whether the importer knows how to handle 'table_name'.
    bool isSupportedTable(const std::string &table_name);
};

#endif