1 /*
2 
3                           Firewall Builder
4 
5                  Copyright (C) 2007 NetCitadel, LLC
6 
7   Author:  Vadim Kurland     vadim@fwbuilder.org
8 
9   This program is free software which we release under the GNU General Public
10   License. You may redistribute and/or modify this program under the terms
11   of that license as published by the Free Software Foundation; either
12   version 2 of the License, or (at your option) any later version.
13 
14   This program is distributed in the hope that it will be useful,
15   but WITHOUT ANY WARRANTY; without even the implied warranty of
16   MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
17   GNU General Public License for more details.
18 
19   To get a copy of the GNU General Public License, write to the Free Software
20   Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA  02111-1307  USA
21 
22 */
23 
24 
25 #ifndef _FWB_POLICY_IMPORTER_IPT_H_
26 #define _FWB_POLICY_IMPORTER_IPT_H_
27 
28 #include <map>
29 #include <list>
30 #include <string>
31 #include <functional>
32 #include <sstream>
33 
34 #include "Importer.h"
35 
36 #include "fwbuilder/libfwbuilder-config.h"
37 #include "fwbuilder/Logger.h"
38 #include "fwbuilder/Policy.h"
39 #include "fwbuilder/NAT.h"
40 
41 #include <QString>
42 #include <QStringList>
43 #include <QMap>
44 
45 
46 class IPTImporter : public Importer
47 {
48 
    // Importer specialisation for "ipt" rule dumps (presumably iptables,
    // going by the include guard, isStandardChain(ipt_chain) and the
    // table/chain members below). The private helpers turn the parser state
    // kept in the public members into libfwbuilder objects. Only
    // declarations live here; behaviour notes below are hedged where the
    // header alone cannot establish them.

    // Lookup of per-target arguments for reject actions. Where it is filled
    // in is not visible here — presumably the constructor; verify in the .cpp.
49     QMap<QString, QString> reject_action_arg_mapping;
    // Counter presumably used to make auxiliary branch names unique
    // (see getBranchName()) — confirm against the implementation.
50     int aux_branch_number;
51 
    // Build a TCP or UDP service object for the given source/destination
    // port ranges and protocol name. Returns a raw FWObject*.
    // NOTE(review): ownership of the returned object (caller vs. object
    // tree) is not expressed by the signature — confirm before deleting.
52     libfwbuilder::FWObject* createTCPUDPService(str_tuple &src_range,
53                                                 str_tuple &dst_range,
54                                                 const std::string &proto);
55 
    // Overload without explicit port ranges; presumably draws on the
    // src/dst/both port lists below — verify against the .cpp.
56     libfwbuilder::FWObject* createTCPUDPService(const std::string &proto);
57 
    // Protocol-specific service factories. The name defaults to an empty
    // QString; what an empty name means is decided by the implementation.
58     virtual libfwbuilder::FWObject* createTCPService(const QString &name="");
59     virtual libfwbuilder::FWObject* createUDPService(const QString &name="");
60 
    // Build the source / destination rule-element objects from the current
    // address-related state (the nat_* / iprange_* / *_neg members below).
61     virtual libfwbuilder::FWObject* makeSrcObj();
62     virtual libfwbuilder::FWObject* makeDstObj();
63 
    // Module-match translation. Each add*Match() takes the rule being built
    // and applies one kind of match (mark, length, limit, recent, pkt-type,
    // state) to it; processModuleMatches()/addAllModuleMatches() presumably
    // drive them from the *_spec / limit_* / recent_match members below.
64     void processModuleMatches();
65     void addAllModuleMatches(libfwbuilder::PolicyRule *rule);
66     void addMarkMatch(libfwbuilder::PolicyRule *rule);
67     void addLengthMatch(libfwbuilder::PolicyRule *rule);
68     void addLimitMatch(libfwbuilder::PolicyRule *rule);
69     void addRecentMatch(libfwbuilder::PolicyRule *rule);
70     void addPktTypeMatch(libfwbuilder::PolicyRule *rule);
    // Explicit state string instead of reading current_state — note the
    // different shape from the other add*Match() helpers.
71     void addStateMatch(libfwbuilder::PolicyRule *rule, const std::string &state);
72 
    // Derive a branch ruleset name from a suffix (presumably combined with
    // aux_branch_number and/or the current chain name — confirm).
73     std::string getBranchName(const std::string &suffix);
74 
    // Create a branch off the given rule into the ruleset named branch_name.
    // clear_rule_elements / make_stateless control how the branching rule
    // is rewritten; the policy variant can additionally make the rule
    // stateless, the NAT variant cannot. Returned pointers are raw; see the
    // ownership note on createTCPUDPService().
75     libfwbuilder::PolicyRule* createPolicyBranch(
76         libfwbuilder::PolicyRule *rule, const std::string &branch_name,
77         bool clear_rule_elements, bool make_stateless);
78 
79     libfwbuilder::NATRule* createNATBranch(
80         libfwbuilder::NATRule *rule, const std::string &branch_name,
81         bool clear_rule_elements);
82 
83     public:
84 
    // ---- Parser state -------------------------------------------------
    // Everything from here to last_mark_rule is public, non-const and
    // presumably written directly while a rule is being read, then reset
    // by clear(). Nothing in this header enforces consistency between the
    // members (e.g. that iprange_src_from/_to are meaningful only while
    // using_iprange_src is true); that burden is on the parser and on the
    // make*/add* helpers that consume them.

    // Seed for generated service-group names (presumably incremented per
    // group — confirm).
85     int service_group_name_seed;
86 
    // Table / chain / connection-state tokens of the rule being parsed.
87     std::string current_table;
88     std::string current_chain;
89     std::string current_state;
90 
    // Inbound / outbound interface names and the rule target, as parsed.
91     std::string i_intf;
92     std::string o_intf;
93     std::string target;
94 
    // Scratch port range, pushed onto one of the port lists by the
    // pushTmpPortSpecTo*PortList() methods.
95     std::string tmp_port_range_start;
96     std::string tmp_port_range_end;
97 
    // Accumulated port ranges for source-only, destination-only and
    // "both directions" multiport specs.
98     std::list<str_tuple> src_port_list;
99     std::list<str_tuple> dst_port_list;
100     std::list<str_tuple> both_port_list;
101 
    // Name/value parameters attached to the current action (target).
102     std::map<std::string, std::string> action_params;
103 
104     // need to keep track of branches in 2.1
105     // should not be necessary in 3.0 when multiple
106     // rule can refer to the same branch ruleset
    // NOTE(review): values are raw UnidirectionalRuleSet*; whether this map
    // owns them or merely indexes rulesets owned elsewhere is not visible
    // here — confirm before adding any cleanup in the destructor.
107     std::map<std::string, UnidirectionalRuleSet*> branch_rulesets;
108 
    // "--mark" match value and its negation flag.
109     std::string match_mark;
110     bool neg_match_mark;
111 
    // Negation flags for the source, destination, service and interface
    // elements; tmp_neg is scratch used while the parser decides which
    // element the negation belongs to (presumed — confirm).
112     bool src_neg;
113     bool dst_neg;
114     bool srv_neg;
115     bool intf_neg;
116     bool tmp_neg;
117 
    // Raw text of the limit / length / recent / pkt-type match arguments,
    // consumed by the corresponding add*Match() helpers.
118     std::string limit_val;
119     std::string limit_suffix;
120     std::string limit_burst;
121     std::string length_spec;
122     std::string recent_match;
123     std::string pkt_type_spec;
124 
    // NAT target arguments: translated address(es), netmask and port range.
125     std::string nat_addr1;
126     std::string nat_addr2;
127     std::string nat_nm;
128     std::string nat_port_range_start;
129     std::string nat_port_range_end;
130 
    // iprange match arguments; the using_* flag says whether the from/to
    // pair for that direction is in use.
131     bool using_iprange_src;
132     std::string iprange_src_from;
133     std::string iprange_src_to;
134     bool using_iprange_dst;
135     std::string iprange_dst_from;
136     std::string iprange_dst_to;
137 
    // Most recently created mark rule (raw, non-owning by the look of it —
    // confirm lifetime against the rule set that holds it).
138     libfwbuilder::PolicyRule *last_mark_rule;
139 
    // lib: library object the imported firewall is created in.
    // input: the rule dump to parse. Taken by reference; whether the
    //        importer keeps the reference (so input must outlive it) is not
    //        visible here — confirm.
    // log: logger for diagnostics. fwname: name for the resulting firewall.
140     IPTImporter(libfwbuilder::FWObject *lib,
141                 std::istringstream &input,
142                 libfwbuilder::Logger *log,
143                 const std::string &fwname);
    // NOTE(review): not marked virtual here; deleting through an Importer*
    // is only safe if Importer declares a virtual destructor — confirm.
144     ~IPTImporter();
145 
    // Entry point of the import; clear() resets per-rule parser state.
146     virtual void run();
147     virtual void clear();
148 
    // Multiport handling: start*MultiPort() begins a list for that
    // direction, pushTmpPortSpecTo*PortList() moves the scratch
    // tmp_port_range_* pair onto it.
149     void startSrcMultiPort();
150     void pushTmpPortSpecToSrcPortList();
151 
152     void startDstMultiPort();
153     void pushTmpPortSpecToDstPortList();
154 
155     void startBothMultiPort();
156     void pushTmpPortSpecToBothPortList();
157 
    // Commit the current parser state as a policy or NAT rule; pushRule()
    // presumably dispatches to one of them based on current_table.
158     void pushPolicyRule();
159     void pushNATRule();
160 
    // Add the service element built from the port lists / protocol state.
161     virtual void addSrv();
162 
163     virtual void pushRule();
164 
    // Ruleset lookup/creation by name and type; checkUnidirRuleSet() looks
    // up without creating (presumed from the names — confirm).
165     virtual UnidirectionalRuleSet* getUnidirRuleSet(
166         const std::string &rsname, const std::string &ruleset_type_name);
167 
168     virtual UnidirectionalRuleSet* checkUnidirRuleSet(
169         const std::string &rsname);
170 
171     virtual void newUnidirRuleSet(const std::string &name, const std::string &ruleset_type);
172 
173     // this method actually adds interfaces to the firewall object
174     // and does final clean up.
175     virtual libfwbuilder::Firewall* finalize();
176 
    // True if ipt_chain is one of the built-in chains (as opposed to a
    // user-defined one that becomes a branch ruleset).
177     bool isStandardChain(const std::string &ipt_chain);
178 
    // Record that a table was seen in the input; isSupportedTable() is the
    // gate for tables the importer knows how to handle.
179     void registerTable(const std::string &table_name);
180 
181     bool isSupportedTable(const std::string &table_name);
182 };
183 
184 #endif
185