8 #include "wvipfirewall.h"
9 #include "wvinterface.h"
// Process-wide switches shared by every WvIPFirewall instance.
// enable starts false: rule text is still built (and logged) but system() is
// only reached once a caller sets enable = true.
// ignore_errors starts true; where it is read is not in this excerpt.
// NOTE(review): presumably it drives shutup(), which every command string
// below appends — confirm it cannot hide a failed rule insertion, because the
// in-memory lists (addrs, ffwds, redirs, ...) are updated regardless of what
// iptables returned.
13 bool WvIPFirewall::enable =
false, WvIPFirewall::ignore_errors =
true;
// Constructor: binds this instance's log to the "Firewall" source at
// WvLog::Debug2. The constructor body is not in this excerpt.
16 WvIPFirewall::WvIPFirewall() : log(
"Firewall",
WvLog::Debug2)
// Destructor; its body is not in this excerpt, so whether it removes the
// installed rules (cf. zap() below) cannot be confirmed from here.
23 WvIPFirewall::~WvIPFirewall()
// Builds the iptables text for one ACCEPT rule in the Services chain.
// cmd is the iptables action (callers in this file pass "-A" or "-D") and
// proto the protocol ("tcp"/"udp"); the third parameter and the tail of the
// format string are cut from this excerpt. Nothing here validates either
// argument and the result is later handed to system(), so only fixed
// literals should ever reach cmd and proto.
29 WvString WvIPFirewall::port_command(
const char *cmd,
const char *proto,
34 return WvString(
"iptables %s Services -j ACCEPT -p %s "
49 return WvString(
"iptables -t nat %s TProxy "
50 "-p tcp %s --dport %s "
51 "-j REDIRECT --to-ports %s "
// Builds the iptables text for one port forward from src to dst: several
// newline-separated iptables commands collected in retval (declared on a
// line not shown). The remaining parameters (proto, src, dst, snat) and a
// number of body lines are cut from this excerpt; only the visible structure
// is described. shutup() is appended to every command; its text is not in
// this excerpt (presumably error-output suppression tied to ignore_errors).
59 WvString WvIPFirewall::forward_command(
const char *cmd,
// zero is a default-constructed WvIPAddr, used as the "unspecified" sentinel.
64 WvIPAddr srcaddr(src), dstaddr(dst), zero;
// Optional "-d <addr>" match fragments for the inbound and outbound rules;
// the addresses themselves are appended on lines not shown.
65 WvString haveiface(
""), haveoface(
"");
66 if (!(srcaddr == zero))
68 haveiface.append(
"-d ");
// Loopback or unspecified destination: keep the traffic local with a nat
// REDIRECT to dst.port.
74 if ((dst ==
WvIPAddr(
"127.0.0.1")) || (dst == zero))
76 retval.append(
"iptables -t nat %s FASTFORWARD -p %s --dport %s %s "
77 "-j REDIRECT --to-port %s %s \n",
78 cmd, proto, src.port, haveiface, dst.port, shutup());
// Otherwise (the branch header itself is not shown) DNAT to the real
// destination address.
82 haveoface.append(
"-d ");
85 retval.append(
"iptables -t nat %s FASTFORWARD -p %s --dport %s %s "
86 "-j DNAT --to-destination %s "
87 "%s \n", cmd, proto, src.port, haveiface, dst, shutup());
// Mark the forwarded flow in the mangle table: 0xFA58 when snat is set,
// 0xFA57 otherwise. The ACCEPT rule below keys on the same mark, so the two
// literals must stay in sync with it.
98 retval.append(
"iptables -t mangle %s FASTFORWARD -p %s --dport %s "
99 "-j MARK --set-mark %s %s %s\n", cmd, proto, src.port,
100 snat ?
"0xFA58" :
"0xFA57", haveiface, shutup());
// Accept the marked flow in the (default filter table) FFASTFORWARD chain;
// note this rule matches dst.port, not src.port.
103 retval.append(
"iptables %s FFASTFORWARD -j ACCEPT -p %s "
104 "--dport %s -m mark --mark %s %s %s\n", cmd, proto, dst.port,
105 snat ?
"0xFA58" :
"0xFA57", haveoface, shutup());
// Builds the iptables text that redirects a contiguous TCP port range into
// one local port via the nat-table TProxy chain. Only cmd is visible in the
// signature; the range bounds, the destination port and the tail of the
// format string are cut from this excerpt.
110 WvString WvIPFirewall::redir_port_range_command(
const char *cmd,
115 return WvString(
"iptables -t nat %s TProxy "
116 "-p tcp %s --dport %s:%s "
117 "-j REDIRECT --to-ports %s "
// Builds the iptables text that redirects traffic hitting the nat-table
// TProxy chain to dstport. The match between the chain name and the REDIRECT
// target (original line 130) is not in this excerpt, so which traffic is
// caught cannot be stated from here.
127 WvString WvIPFirewall::redir_all_command(
const char *cmd,
int dstport)
129 return WvString(
"iptables -t nat %s TProxy "
131 "-j REDIRECT --to-ports %s "
// Builds the iptables text that accepts a whole IP protocol in the Services
// chain. proto is interpolated verbatim and the result is executed through
// system() by add_proto()/del_proto(), so proto must be a protocol name or
// number under the caller's control — there is no validation on this path.
138 WvString WvIPFirewall::proto_command(
const char *cmd,
const char *proto)
140 return WvString(
"iptables %s Services -p %s -j ACCEPT "
142 cmd, proto, shutup());
149 WvString s(port_command(
"-A",
"tcp", addr)),
150 s2(port_command(
"-A",
"udp", addr));
162 WvIPPortAddrList::Iter i(addrs);
163 for (i.rewind(); i.next(); )
167 WvString s(port_command(
"-D",
"tcp", addr)),
168 s2(port_command(
"-D",
"udp", addr));
182 ffwds.append(
new FFwd(src, dst, snat),
true);
183 WvString s(forward_command(
"-A",
"tcp", src, dst, snat)),
184 s2(forward_command(
"-A",
"udp", src, dst, snat));
186 log(
"Add Forwards (%s):\n%s\n%s\n", enable, s, s2);
198 FFwdList::Iter i(ffwds);
199 for (i.rewind(); i.next();)
201 if (i->src == src && i->dst == dst && i->snat == snat)
203 WvString s(forward_command(
"-D",
"tcp", src, dst, snat)),
204 s2(forward_command(
"-D",
"udp", src, dst, snat));
206 log(
"Delete Forward (%s):\n%s\n%s\n", enable, s, s2);
// Records a redirect (src -> local dstport) and, when enable is set, installs
// it. The append's true flag presumably hands ownership of the new Redir to
// the list. system() runs the command through the shell and its return value
// is ignored, so a failed iptables call leaves redirs out of step with the
// kernel's rule set.
217 void WvIPFirewall::add_redir(
const WvIPPortAddr &src,
int dstport)
219 redirs.append(
new Redir(src, dstport),
true);
220 WvString s(redir_command(
"-A", src, dstport));
221 if (enable) system(s);
// Removes the recorded redirect matching src and dstport and, when enable is
// set, deletes its rule. The loop body after system() (presumably the list
// unlink, cf. xunlink() in zap()) is not in this excerpt. As in add_redir(),
// the system() result is not checked.
225 void WvIPFirewall::del_redir(
const WvIPPortAddr &src,
int dstport)
227 RedirList::Iter i(redirs);
228 for (i.rewind(); i.next(); )
230 if (i->src == src && i->dstport == dstport)
232 WvString s(redir_command(
"-D", src, dstport));
233 if (enable) system(s);
// Records a catch-all redirect to dstport and, when enable is set, installs
// it. Same pattern as add_redir(): the list is updated first and the
// system() result is ignored, so a rejected rule is not reported.
239 void WvIPFirewall::add_redir_all(
int dstport)
241 redir_alls.append(
new RedirAll(dstport),
true);
242 WvString s(redir_all_command(
"-A", dstport));
243 if (enable) system(s);
// Removes the recorded catch-all redirect for dstport and, when enable is
// set, deletes its rule. The lines following system() (presumably the list
// unlink) are not in this excerpt.
247 void WvIPFirewall::del_redir_all(
int dstport)
249 RedirAllList::Iter i(redir_alls);
250 for (i.rewind(); i.next(); )
252 if (i->dstport == dstport)
254 WvString s(redir_all_command(
"-D", dstport));
255 if (enable) system(s);
// Records a port-range redirect (src_min..src_max -> dstport) and, when
// enable is set, installs it. The remaining parameters are cut from this
// excerpt. As with the other add_* methods the system() result is ignored.
261 void WvIPFirewall::add_redir_port_range(
const WvIPPortAddr &src_min,
264 redir_port_ranges.append(
new RedirPortRange(src_min, src_max, dstport),
true);
265 WvString s(redir_port_range_command(
"-A", src_min, src_max, dstport));
266 if (enable) system(s);
// Removes the recorded port-range redirect matching all three of src_min,
// src_max and dstport and, when enable is set, deletes its rule. The rest of
// the signature and the lines after system() are not in this excerpt.
270 void WvIPFirewall::del_redir_port_range(
const WvIPPortAddr &src_min,
273 RedirPortRangeList::Iter i(redir_port_ranges);
274 for (i.rewind(); i.next(); )
276 if (i->src_min == src_min && i->src_max == src_max
277 && i->dstport == dstport)
279 WvString s(redir_port_range_command(
"-D", src_min, src_max, dstport));
280 if (enable) system(s);
// Records proto and, when enable is set, installs an ACCEPT rule for it.
// proto is copied into the list unvalidated and passed straight into the
// command text that system() executes (see proto_command()), so callers
// must only supply a protocol name or number.
287 void WvIPFirewall::add_proto(WvStringParm proto)
289 protos.append(
new WvString(proto),
true);
290 WvString s(proto_command(
"-A", proto));
291 if (enable) system(s);
// Removes the recorded protocol and, when enable is set, deletes its ACCEPT
// rule. The comparison that selects the matching list entry (original lines
// 299-301) and the lines after system() are not in this excerpt.
295 void WvIPFirewall::del_proto(WvStringParm proto)
297 WvStringList::Iter i(protos);
298 for (i.rewind(); i.next(); )
302 WvString s(proto_command(
"-D", proto));
303 if (enable) system(s);
311 void WvIPFirewall::zap()
313 WvIPPortAddrList::Iter i(addrs);
314 for (i.rewind(); i.next(); )
320 FFwdList::Iter ifwd(ffwds);
321 for (ifwd.rewind(); ifwd.next();)
323 del_forward(ifwd->src, ifwd->dst, ifwd->snat);
327 RedirList::Iter i2(redirs);
328 for (i2.rewind(); i2.next(); )
330 del_redir(i2->src, i2->dstport);
334 RedirAllList::Iter i2_5(redir_alls);
335 for (i2_5.rewind(); i2_5.next(); )
337 del_redir_all(i2_5->dstport);
341 RedirPortRangeList::Iter port_range(redir_port_ranges);
342 for (port_range.rewind(); port_range.next(); )
344 del_redir_port_range(port_range->src_min, port_range->src_max,
345 port_range->dstport);
346 port_range.xunlink();
349 WvStringList::Iter i3(protos);
350 for (i3.rewind(); i3.next(); )