
Commit 82d6d57

committed
Add drop target for FirewallRule
Use an enum for the target list

Signed-off-by: Etienne CHAMPETIER <etienne.champetier@free.fr>
1 parent 2ce0491 commit 82d6d57

4 files changed

Lines changed: 38 additions & 13 deletions


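--- a/src/conf.c
+++ b/src/conf.c
@@ -467,7 +467,7 @@ static int
 _parse_firewall_rule(const char *ruleset, char *leftover)
 {
 int i;
-int block_allow = 0; /**< 0 == block, 1 == allow, 2 == log, 3 == ulog */
+t_firewall_target target = TARGET_REJECT; /**< firewall target */
 int all_nums = 1; /**< If 0, port contained non-numerics */
 int finished = 0; /**< reached end of line */
 char *token = NULL; /**< First word */
@@ -491,16 +491,18 @@ _parse_firewall_rule(const char *ruleset, char *leftover)
 
 /* Parse token */
 if (!strcasecmp(token, "block") || finished) {
-block_allow = 0;
+target = TARGET_REJECT;
+} else if (!strcasecmp(token, "drop")) {
+target = TARGET_DROP;
 } else if (!strcasecmp(token, "allow")) {
-block_allow = 1;
+target = TARGET_ACCEPT;
 } else if (!strcasecmp(token, "log")) {
-block_allow = 2;
+target = TARGET_LOG;
 } else if (!strcasecmp(token, "ulog")) {
-block_allow = 3;
+target = TARGET_ULOG;
 } else {
 debug(LOG_ERR, "Invalid rule type %s, expecting "
-"\"block\",\"allow\",\"log\" or \"ulog\"", token);
+"\"block\",\"drop\",\"allow\",\"log\" or \"ulog\"", token);
 return -1;
 }
 
@@ -556,7 +558,7 @@ _parse_firewall_rule(const char *ruleset, char *leftover)
 /* Generate rule record */
 tmp = safe_malloc(sizeof(t_firewall_rule));
 memset((void *)tmp, 0, sizeof(t_firewall_rule));
-tmp->block_allow = block_allow;
+tmp->target = target;
 if (protocol != NULL)
 tmp->protocol = safe_strdup(protocol);
 if (port != NULL)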
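Review bot: The trailing comment on the new `target` declaration in the first hunk, `/**< firewall target */`, only restates the type and loses the value legend the old `block_allow` comment carried; `/**< iptables target chosen by the rule-type keyword: block → REJECT, drop → DROP, allow → ACCEPT, log → LOG, ulog → ULOG */` would tell a reader what each keyword becomes without opening src/fw_iptables.c, and that mapping is exactly what the second hunk and the fw_iptables.c switch in this commit implement. It is also worth saying in that comment that a rule line with no type word (`finished` set) takes the `block` branch and so is REJECT — pre-existing behaviour, but the named enumerator now makes it easy to state. `_parse_firewall_rule` continues outside the hunks, so the initial `TARGET_REJECT` value may matter on paths not shown here.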

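--- a/src/conf.h
+++ b/src/conf.h
@@ -89,11 +89,22 @@ typedef struct _auth_serv_t {
 struct _auth_serv_t *next;
 } t_auth_serv;
 
+/**
+ * Firewall targets
+ */
+typedef enum {
+TARGET_DROP,
+TARGET_REJECT,
+TARGET_ACCEPT,
+TARGET_LOG,
+TARGET_ULOG
+} t_firewall_target;
+
 /**
 * Firewall rules
 */
 typedef struct _firewall_rule_t {
-int block_allow; /**< @brief 0 = Block rule, 1 = Allow rule, 2 = Log Rule, 3 = Ulog Rule */
+t_firewall_target target; /**< @brief t_firewall_target */
 char *protocol; /**< @brief tcp, udp, etc ... */
 char *port; /**< @brief Port to block/allow */
 char *mask; /**< @brief Mask for the rule *destination* */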
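Review bot: `TARGET_DROP` is the first enumerator and therefore the value 0, so a `t_firewall_rule` that has only been zeroed (as `_parse_firewall_rule` in src/conf.c does with `memset` before assigning `target`) reads as DROP until it is overwritten, whereas the old `block_allow` zero meant block/REJECT. Nothing in this commit depends on the zero value, but it silently changes what an unset rule means; either pin it with `TARGET_REJECT = 0,` listed first, or state it in the enum's doc comment. The enumerators also carry no comments, and the struct field comment `/**< @brief t_firewall_target */` just repeats the type name: a one-line `/**< iptables DROP: discard silently */`-style comment per value naming the iptables target it maps to in src/fw_iptables.c would make the header self-describing. The struct body continues past the hunk.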

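--- a/src/fw_iptables.c
+++ b/src/fw_iptables.c
@@ -141,14 +141,22 @@ iptables_compile(const char * table, const char *chain, const t_firewall_rule *r
 
 memset(command, 0, MAX_BUF);
 
-if (rule->block_allow == 1) {
+switch (rule->target){
+case TARGET_DROP:
+mode = safe_strdup("DROP");
+break;
+case TARGET_REJECT:
+mode = safe_strdup("REJECT");
+break;
+case TARGET_ACCEPT:
 mode = safe_strdup("ACCEPT");
-} else if (rule->block_allow == 2) {
+break;
+case TARGET_LOG:
 mode = safe_strdup("LOG");
-} else if (rule->block_allow == 3) {
+break;
+case TARGET_ULOG:
 mode = safe_strdup("ULOG");
-} else {
-mode = safe_strdup("REJECT");
+break;
 }
 
 snprintf(command, sizeof(command), "-t %s -A %s ",table, chain);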
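Review bot: The new `switch` on `rule->target` has no `default:` label, so a value outside the enum (a corrupted struct, or a future enumerator added without updating this function) leaves `mode` unassigned, whereas the `else` branch it replaces always produced REJECT; `mode` is declared outside the hunk, so if it is not initialised before this point its later use in the command string would be undefined. Keeping the fail-closed fallback with `default: mode = safe_strdup("REJECT"); break;` (optionally preceded by a `debug(LOG_ERR, ...)` naming the value) preserves the old behaviour and does not rely on `-Wswitch` being enabled to catch a missing case. `iptables_compile` begins and ends outside the hunk.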

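--- a/wifidog.conf
+++ b/wifidog.conf
@@ -182,6 +182,10 @@ ClientTimeout 5
 #
 # Used for rules to be applied to all other rulesets except locked.
 FirewallRuleSet global {
+
+# FirewallRule syntax:
+# FirewallRule (block|drop|allow|log|ulog) [(tcp|udp|icmp) [port X]] [to IP/CIDR]
+
 ## To block SMTP out, as it's a tech support nightmare, and a legal liability
 #FirewallRule block tcp port 25
 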
