From patchwork Sun Jan 9 10:54:16 2022
X-Patchwork-Submitter: Rui Salvaterra
X-Patchwork-Id: 1577381
From: Rui Salvaterra
To: openwrt-devel@lists.openwrt.org
Cc: jo@mein.io, Rui Salvaterra
Subject: [PATCH] firewall3: don't cater to old iptables
Date: Sun, 9 Jan 2022 10:54:16 +0000
Message-Id: <20220109105416.768-1-rsalvaterra@gmail.com>
List-Id: OpenWrt Development List

It's been eight years, we can safely assume iptables is recent enough.

Signed-off-by: Rui Salvaterra
---
This has obviously been build/run-tested without any issues whatsoever. Even
though firewall3 isn't a priority, this is a nice cleanup in itself.

 iptables.c                |  13 +--
 xtables-5.h               | 221 --------------------------------------
 xtables-10.h => xtables.h |   4 +-
 3 files changed, 3 insertions(+), 235 deletions(-)
 delete mode 100644 xtables-5.h
 rename xtables-10.h => xtables.h (98%)

diff --git a/iptables.c b/iptables.c index 49b3439..4b11818 100644 --- a/iptables.c +++ b/iptables.c
@@ -44,14 +44,7 @@ #include "options.h" -/* xtables interface */ -#if (XTABLES_VERSION_CODE >= 10) -# include "xtables-10.h" -#elif (XTABLES_VERSION_CODE == 5) -# include "xtables-5.h" -#else -# error "Unsupported xtables version" -#endif +#include "xtables.h" #include "iptables.h" @@ -109,9 +102,7 @@ static struct xtables_globals xtg = { .program_version = "4", .orig_opts = base_opts, .exit_err = fw3_ipt_error_handler, -#if XTABLES_VERSION_CODE > 10 .compat_rev = xtables_compatible_revision, -#endif }; static struct xtables_globals xtg6 = { @@ -119,9 +110,7 @@ static struct xtables_globals xtg6 = { .program_version = "6", .orig_opts = base_opts, .exit_err = fw3_ipt_error_handler, -#if XTABLES_VERSION_CODE > 10 .compat_rev = xtables_compatible_revision, -#endif }; static struct { diff --git a/xtables-5.h b/xtables-5.h deleted file mode 100644 index 14b54af..0000000 --- a/xtables-5.h +++ /dev/null 
@@ -1,221 +0,0 @@ -/* - * firewall3 - 3rd OpenWrt UCI firewall implementation - * - * Copyright (C) 2013 Jo-Philipp Wich - * - * Permission to use, copy, modify, and/or distribute this software for any - * purpose with or without fee is hereby granted, provided that the above - * copyright notice and this permission notice appear in all copies. - * - * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES - * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF - * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR - * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES - * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN - * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF - * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. - */ - -#ifndef __FW3_XTABLES_5_H -#define __FW3_XTABLES_5_H - -static inline void -fw3_xt_reset(void) -{ - xtables_matches = NULL; - xtables_targets = NULL; -} - - -static inline const char * -fw3_xt_get_match_name(struct xtables_match *m) -{ - return m->m->u.user.name; -} - -static inline void -fw3_xt_set_match_name(struct xtables_match *m) -{ - snprintf(m->m->u.user.name, sizeof(m->m->u.user.name), "%s", m->name); -} - -static inline bool -fw3_xt_has_match_parse(struct xtables_match *m) -{ - return !!m->parse; -} - -static inline void -fw3_xt_free_match_udata(struct xtables_match *m) -{ - return; -} - -static inline void -fw3_xt_merge_match_options(struct xtables_globals *g, struct xtables_match *m) -{ - g->opts = xtables_merge_options(g->opts, m->extra_opts, &m->option_offset); -} - - -static inline const char * -fw3_xt_get_target_name(struct xtables_target *t) -{ - return t->t->u.user.name; -} - -static inline void -fw3_xt_set_target_name(struct xtables_target *t, const char *name) -{ - snprintf(t->t->u.user.name, sizeof(t->t->u.user.name), "%s", name); -} - -static inline bool -fw3_xt_has_target_parse(struct 
xtables_target *t) -{ - return !!t->parse; -} - -static inline void -fw3_xt_free_target_udata(struct xtables_target *t) -{ - return; -} - -static inline void -fw3_xt_merge_target_options(struct xtables_globals *g, struct xtables_target *t) -{ - g->opts = xtables_merge_options(g->opts, t->extra_opts, &t->option_offset); -} - -static inline void -fw3_xt_print_matches(void *ip, struct xtables_rule_match *matches) -{ - struct xtables_rule_match *rm; - struct xtables_match *m; - - printf(" "); - - for (rm = matches; rm; rm = rm->next) - { - m = rm->match; - printf("-m %s ", fw3_xt_get_match_name(m)); - - if (m->save) - m->save(ip, m->m); - } -} - -static inline void -fw3_xt_print_target(void *ip, struct xtables_target *target) -{ - if (target) - { - printf("-j %s ", fw3_xt_get_target_name(target)); - - if (target->save) - target->save(ip, target->t); - } -} - - -/* xtables api addons */ - -static inline void -xtables_option_mpcall(unsigned int c, char **argv, bool invert, - struct xtables_match *m, void *fw) -{ - if (m->parse) - m->parse(c - m->option_offset, argv, invert, &m->mflags, fw, &m->m); -} - -static inline void -xtables_option_mfcall(struct xtables_match *m) -{ - if (m->final_check) - m->final_check(m->mflags); -} - -static inline void -xtables_option_tpcall(unsigned int c, char **argv, bool invert, - struct xtables_target *t, void *fw) -{ - if (t->parse) - t->parse(c - t->option_offset, argv, invert, &t->tflags, fw, &t->t); -} - -static inline void -xtables_option_tfcall(struct xtables_target *t) -{ - if (t->final_check) - t->final_check(t->tflags); -} - -static inline void -xtables_rule_matches_free(struct xtables_rule_match **matches) -{ - struct xtables_rule_match *mp, *tmp; - - for (mp = *matches; mp;) - { - tmp = mp->next; - - if (mp->match->m) - { - free(mp->match->m); - mp->match->m = NULL; - } - - if (mp->match == mp->match->next) - { - free(mp->match); - mp->match = NULL; - } - - free(mp); - mp = tmp; - } - - *matches = NULL; -} - -static inline int 
-xtables_ipmask_to_cidr(const struct in_addr *mask) -{ - int bits; - uint32_t m; - - for (m = ntohl(mask->s_addr), bits = 0; m & 0x80000000; m <<= 1) - bits++; - - return bits; -} - -static inline int -xtables_ip6mask_to_cidr(const struct in6_addr *mask) -{ - int bits = 0; - uint32_t a, b, c, d; - - a = ntohl(mask->s6_addr32[0]); - b = ntohl(mask->s6_addr32[1]); - c = ntohl(mask->s6_addr32[2]); - d = ntohl(mask->s6_addr32[3]); - - while (a & 0x80000000U) - { - a <<= 1; - a |= (b >> 31) & 1; - b <<= 1; - b |= (c >> 31) & 1; - c <<= 1; - c |= (d >> 31) & 1; - d <<= 1; - - bits++; - } - - return bits; -} - -#endif diff --git a/xtables-10.h b/xtables.h similarity index 98% rename from xtables-10.h rename to xtables.h index 6a2275d..8fd8293 100644 --- a/xtables-10.h +++ b/xtables.h @@ -16,8 +16,8 @@ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ -#ifndef __FW3_XTABLES_10_H -#define __FW3_XTABLES_10_H +#ifndef __FW3_XTABLES_H +#define __FW3_XTABLES_H extern struct xtables_match *xtables_pending_matches; extern struct xtables_target *xtables_pending_targets;
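Review bot: with the `# error "Unsupported xtables version"` branch removed from the include block at the top of iptables.c, nothing in the tree states or enforces a minimum libxtables version any more; a build against an older library now fails, if at all, on whichever symbol happens to be missing. Keep a single floor check ahead of `#include "xtables.h"` that reuses the existing `# error` line, so the supported minimum stays enforced and documented in one place.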
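Review bot: the `.compat_rev = xtables_compatible_revision` initialisers in `xtg` and `xtg6` were guarded by `XTABLES_VERSION_CODE > 10`, while the removed include block accepted `>= 10`, so version code 10 was a supported configuration that built without `.compat_rev` and is now dropped together with 5. The commit message only says "old iptables"; it should state the new minimum (anything above 10, going by the removed guard) so packagers can tell whether their libxtables still qualifies.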
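Review bot: renaming the wrapper to `xtables.h` gives it the same file name as the header that libxtables installs, so `#include "xtables.h"` in iptables.c and any `#include <xtables.h>` elsewhere in the tree now differ only by quote style and include-path order; if the source directory is on the include path, the angle-bracket form can resolve to this file instead of the library's. A distinct file name avoids that ambiguity. As a style point in the same hunk, the new guard `__FW3_XTABLES_H` keeps a leading double underscore, which C reserves for the implementation; since the guard is being renamed anyway, `FW3_XTABLES_H` would be the cleaner choice.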