CIDR subnet/mask matching support for firewall rules.

shw_dev
shw 8 years ago
parent 1cd25ed699
commit fa70c06af2

@ -105,6 +105,7 @@ var FilterResultValue = map[string]FilterResult{
// DbusRule struct of the rule passed to the dbus interface
type DbusRule struct {
ID uint32
// Net string
App string
Path string
Verb uint16

@ -93,8 +93,14 @@ func (ds *dbusServer) IsEnabled() (bool, *dbus.Error) {
}
func createDbusRule(r *Rule) DbusRule {
// XXX: Uncommenting will require fw-settings upgrade.
/* netstr := ""
if r.network != nil {
netstr = r.network.String()
} */
return DbusRule{
ID: uint32(r.id),
// Net: netstr,
App: path.Base(r.policy.path),
Path: r.policy.path,
Verb: uint16(r.rtype),

@ -26,6 +26,7 @@ type Rule struct {
mode RuleMode
rtype RuleAction
hostname string
network *net.IPNet
addr uint32
saddr net.IP
port uint16
@ -53,6 +54,8 @@ func (r *Rule) AddrString(redact bool) string {
port := "*"
if r.hostname != "" {
addr = r.hostname
} else if r.network != nil {
addr = r.network.String()
} else if r.addr != matchAny && r.addr != noAddress {
bs := make([]byte, 4)
binary.BigEndian.PutUint32(bs, r.addr)
@ -96,6 +99,9 @@ log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", xip, "
}
return r.hostname == hostname
}
if r.network != nil && r.network.Contains(dst) {
return true
}
return r.addr == binary.BigEndian.Uint32(dst.To4())
}
@ -179,7 +185,7 @@ func (r *Rule) parse(s string) bool {
} else if len(parts) > 2 {
r.saddr = net.ParseIP(parts[2])
}
fmt.Println("----- rule parser: srcip = ", r.saddr)
return r.parseVerb(parts[0]) && r.parseTarget(parts[1])
}
@ -200,6 +206,7 @@ func (r *Rule) parseTarget(t string) bool {
if len(addrPort) != 2 {
return false
}
return r.parseAddr(addrPort[0]) && r.parsePort(addrPort[1])
}
@ -213,10 +220,12 @@ func (r *Rule) parseAddr(a string) bool {
r.hostname = a
return true
}
ip := net.ParseIP(a)
if ip == nil {
// ip := net.ParseIP(a)
ip, ipnet, err := net.ParseCIDR(a)
if err != nil || ip == nil {
return false
}
r.network = ipnet
r.addr = binary.BigEndian.Uint32(ip.To4())
return true
}

Loading…
Cancel
Save