@@ -489,6 +489,7 @@ _parse_firewall_rule(const char *ruleset, char *leftover)
489489 char * protocol = NULL ; /**< protocol to block, tcp/udp/icmp */
490490 char * mask = NULL ; /**< Netmask */
491491 char * other_kw = NULL ; /**< other key word */
492+ int mask_is_ipset = 0 ;
492493 t_firewall_ruleset * tmpr ;
493494 t_firewall_ruleset * tmpr2 ;
494495 t_firewall_rule * tmp ;
@@ -531,6 +532,11 @@ _parse_firewall_rule(const char *ruleset, char *leftover)
531532
532533 /* Get the optional port or port range */
533534 if (strncmp (leftover , "port" , 4 ) == 0 ) {
535+ if (protocol == NULL ||
536+ !(strncmp (protocol , "tcp" , 3 ) == 0 || strncmp (protocol , "udp" , 3 ) == 0 )) {
537+ debug (LOG_ERR , "ERROR: wifidog config file, section FirewallRuleset %s. Port without tcp or udp protocol." , ruleset );
538+ return -3 ; /*< Fail */
539+ }
534540 TO_NEXT_WORD (leftover , finished );
535541 /* Get port now */
536542 port = leftover ;
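Review bot: The new protocol guard compares by prefix, so `strncmp(protocol, "tcp", 3) == 0` also accepts any token that merely starts with "tcp" or "udp", and the same prefix test is reused for the `"to-ipset"`/`"to"` keywords in the next hunk. protocol appears to be a single whitespace-delimited word here (it is advanced with TO_NEXT_WORD), so an exact comparison states the intent and removes the ambiguity: `if (protocol == NULL || !(strcmp(protocol, "tcp") == 0 || strcmp(protocol, "udp") == 0)) {`. _parse_firewall_rule begins and ends outside this hunk.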
@@ -539,31 +545,49 @@ _parse_firewall_rule(const char *ruleset, char *leftover)
539545 if (!isdigit ((unsigned char )* (port + i )) && ((unsigned char )* (port + i ) != ':' ))
540546 all_nums = 0 ; /*< No longer only digits */
541547 if (!all_nums ) {
542- debug (LOG_ERR , "Invalid port %s" , port );
548+ debug (LOG_ERR , "ERROR: wifidog config file, section FirewallRuleset %s. Invalid port %s" , ruleset , port );
543549 return -3 ; /*< Fail */
544550 }
545551 }
546552
547553 /* Now, further stuff is optional */
548554 if (!finished ) {
549- /* should be exactly "to" */
555+ /* should be exactly "to" or "to-ipset" */
550556 other_kw = leftover ;
551557 TO_NEXT_WORD (leftover , finished );
552- if (strcmp (other_kw , "to" ) || finished ) {
558+ if (!finished ) {
559+ /* Get arg now and check validity in next section */
560+ mask = leftover ;
561+ }
562+ if (strncmp (other_kw , "to-ipset" , 8 ) == 0 && !finished ) {
563+ mask_is_ipset = 1 ;
564+ } else if (strncmp (other_kw , "to" , 2 ) == 0 && !finished ) {
565+ /* Check if mask is valid */
566+ all_nums = 1 ;
567+ for (i = 0 ; * (mask + i ) != '\0' ; i ++ )
568+ if (!isdigit ((unsigned char )* (mask + i )) && (* (mask + i ) != '.' )
569+ && (* (mask + i ) != '/' ))
570+ all_nums = 0 ; /*< No longer only digits */
571+ if (!all_nums ) {
572+ debug (LOG_ERR , "Invalid mask %s" , mask );
573+ return -3 ; /*< Fail */
574+ }
575+ } else {
553576 debug (LOG_ERR , "Invalid or unexpected keyword %s, "
554- "expecting \"to\"" , other_kw );
577+ "expecting \"to\" or \"to-ipset\" " , other_kw );
555578 return -4 ; /*< Fail */
556579 }
557-
558- /* Get port now */
559- mask = leftover ;
560580 TO_NEXT_WORD (leftover , finished );
581+ if (!finished ) {
582+ debug (LOG_WARNING , "Ignoring trailining string after successfully parsing rule: %s" ,
583+ leftover );
584+ }
561585 }
562-
563586 /* Generate rule record */
564587 tmp = safe_malloc (sizeof (t_firewall_rule ));
565588 memset ((void * )tmp , 0 , sizeof (t_firewall_rule ));
566589 tmp -> target = target ;
590+ tmp -> mask_is_ipset = mask_is_ipset ;
567591 if (protocol != NULL )
568592 tmp -> protocol = safe_strdup (protocol );
569593 if (port != NULL )
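Review bot: The `to-ipset` branch sets `mask_is_ipset` and keeps the argument verbatim with no validation at all, whereas the `to` branch rejects anything that is not a digit, '.' or '/'; since `tmp->mask` is stored as-is and is presumably handed to iptables later, the set name should be restricted to a conservative character set (ipset also imposes its own name-length limit) before it is accepted. Separately, when `to` or `to-ipset` appears with no argument, `finished` is already set and control falls into the final else, which reports "Invalid or unexpected keyword" for what is really a missing argument. The new mask error `"Invalid mask %s"` also lacks the `ruleset` prefix the other messages added in this commit carry, and the trailing-data warning has a typo: `"Ignoring trailing string after successfully parsing rule: %s"`. _parse_firewall_rule starts and ends outside this hunk.
```c
if (strcmp(other_kw, "to-ipset") == 0 && !finished) {
    /* NOTE(review): the set name presumably ends up on an iptables command
     * line later; accept only a conservative charset, like the mask check. */
    for (i = 0; *(mask + i) != '\0'; i++) {
        unsigned char c = (unsigned char)*(mask + i);
        if (!isalnum(c) && c != '_' && c != '-' && c != '.') {
            debug(LOG_ERR, "ERROR: wifidog config file, section FirewallRuleset %s. Invalid ipset name %s", ruleset, mask);
            return -3; /*< Fail */
        }
    }
    mask_is_ipset = 1;
} else if (strcmp(other_kw, "to") == 0 && !finished) {
    /* … unchanged: numeric mask validation … */
} else if (!finished) {
    /* … unchanged: invalid keyword diagnostic … */
} else {
    debug(LOG_ERR, "ERROR: wifidog config file, section FirewallRuleset %s. Keyword %s requires an argument.", ruleset, other_kw);
    return -4; /*< Fail */
}
```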
@@ -574,7 +598,7 @@ _parse_firewall_rule(const char *ruleset, char *leftover)
574598 tmp -> mask = safe_strdup (mask );
575599
576600 debug (LOG_DEBUG , "Adding Firewall Rule %s %s port %s to %s" , token , tmp -> protocol , tmp -> port , tmp -> mask );
577-
601+
578602 /* Append the rule record */
579603 if (config .rulesets == NULL ) {
580604 config .rulesets = safe_malloc (sizeof (t_firewall_ruleset ));
@@ -606,7 +630,7 @@ _parse_firewall_rule(const char *ruleset, char *leftover)
606630 tmp2 = tmp2 -> next ;
607631 tmp2 -> next = tmp ;
608632 }
609-
633+
610634 return 1 ;
611635}
612636
@@ -810,11 +834,11 @@ parse_boolean_value(char *line)
810834
811835/* Parse possiblemac to see if it is valid MAC address format */
812836int check_mac_format (char * possiblemac ) {
813- char hex2 [3 ];
814- return
815- sscanf (possiblemac ,
816- "%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]" ,
817- hex2 ,hex2 ,hex2 ,hex2 ,hex2 ,hex2 ) == 6 ;
837+ char hex2 [3 ];
838+ return
839+ sscanf (possiblemac ,
840+ "%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]:%2[A-Fa-f0-9]" ,
841+ hex2 ,hex2 ,hex2 ,hex2 ,hex2 ,hex2 ) == 6 ;
818842}
819843
820844void parse_trusted_mac_list (const char * ptr ) {
@@ -832,11 +856,10 @@ void parse_trusted_mac_list(const char *ptr) {
832856
833857 while ((possiblemac = strsep (& ptrcopy , ", " ))) {
834858 /* check for valid format */
835-
836- if (!check_mac_format (possiblemac )) {
837- debug (LOG_ERR , "[%s] not a valid MAC address to trust. See option TrustedMACList in wifidog.conf for correct this mistake." , possiblemac );
838- return ;
839- } else {
859+ if (!check_mac_format (possiblemac )) {
860+ debug (LOG_ERR , "[%s] not a valid MAC address to trust. See option TrustedMACList in wifidog.conf for correct this mistake." , possiblemac );
861+ return ;
862+ } else {
840863 if (sscanf (possiblemac , " %17[A-Fa-f0-9:]" , mac ) == 1 ) {
841864 /* Copy mac to the list */
842865