CIDR subnet/mask matching support for firewall rules.

shw_dev
shw 8 years ago
parent 1cd25ed699
commit fa70c06af2

@ -105,6 +105,7 @@ var FilterResultValue = map[string]FilterResult{
// DbusRule struct of the rule passed to the dbus interface // DbusRule struct of the rule passed to the dbus interface
type DbusRule struct { type DbusRule struct {
ID uint32 ID uint32
// Net string
App string App string
Path string Path string
Verb uint16 Verb uint16
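Review bot: The new `// Net string` field is commented-out code, and the same pattern appears in createDbusRule below (`/* netstr := ... */` and `// Net: netstr,`); the XXX comment explains why, but dead code in a struct and a constructor tends to outlive the reason for it. A single `// TODO: expose the network over dbus once fw-settings has a migration path` on the struct, with the code kept in version control rather than in comments, keeps the same information without two parallel definitions to maintain. DbusRule's declaration continues past the hunk.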

@ -93,8 +93,14 @@ func (ds *dbusServer) IsEnabled() (bool, *dbus.Error) {
} }
func createDbusRule(r *Rule) DbusRule { func createDbusRule(r *Rule) DbusRule {
// XXX: Uncommenting will require fw-settings upgrade.
/* netstr := ""
if r.network != nil {
netstr = r.network.String()
} */
return DbusRule{ return DbusRule{
ID: uint32(r.id), ID: uint32(r.id),
// Net: netstr,
App: path.Base(r.policy.path), App: path.Base(r.policy.path),
Path: r.policy.path, Path: r.policy.path,
Verb: uint16(r.rtype), Verb: uint16(r.rtype),

@ -26,6 +26,7 @@ type Rule struct {
mode RuleMode mode RuleMode
rtype RuleAction rtype RuleAction
hostname string hostname string
network *net.IPNet
addr uint32 addr uint32
saddr net.IP saddr net.IP
port uint16 port uint16
@ -53,6 +54,8 @@ func (r *Rule) AddrString(redact bool) string {
port := "*" port := "*"
if r.hostname != "" { if r.hostname != "" {
addr = r.hostname addr = r.hostname
} else if r.network != nil {
addr = r.network.String()
} else if r.addr != matchAny && r.addr != noAddress { } else if r.addr != matchAny && r.addr != noAddress {
bs := make([]byte, 4) bs := make([]byte, 4)
binary.BigEndian.PutUint32(bs, r.addr) binary.BigEndian.PutUint32(bs, r.addr)
@ -96,6 +99,9 @@ log.Notice("comparison: ", hostname, " / ", dst, " : ", dstPort, " -> ", xip, "
} }
return r.hostname == hostname return r.hostname == hostname
} }
if r.network != nil && r.network.Contains(dst) {
return true
}
return r.addr == binary.BigEndian.Uint32(dst.To4()) return r.addr == binary.BigEndian.Uint32(dst.To4())
} }
@ -179,7 +185,7 @@ func (r *Rule) parse(s string) bool {
} else if len(parts) > 2 { } else if len(parts) > 2 {
r.saddr = net.ParseIP(parts[2]) r.saddr = net.ParseIP(parts[2])
} }
fmt.Println("----- rule parser: srcip = ", r.saddr)
return r.parseVerb(parts[0]) && r.parseTarget(parts[1]) return r.parseVerb(parts[0]) && r.parseTarget(parts[1])
} }
@ -200,6 +206,7 @@ func (r *Rule) parseTarget(t string) bool {
if len(addrPort) != 2 { if len(addrPort) != 2 {
return false return false
} }
return r.parseAddr(addrPort[0]) && r.parsePort(addrPort[1]) return r.parseAddr(addrPort[0]) && r.parsePort(addrPort[1])
} }
@ -213,10 +220,12 @@ func (r *Rule) parseAddr(a string) bool {
r.hostname = a r.hostname = a
return true return true
} }
ip := net.ParseIP(a) // ip := net.ParseIP(a)
if ip == nil { ip, ipnet, err := net.ParseCIDR(a)
if err != nil || ip == nil {
return false return false
} }
r.network = ipnet
r.addr = binary.BigEndian.Uint32(ip.To4()) r.addr = binary.BigEndian.Uint32(ip.To4())
return true return true
} }
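Review bot: parseAddr now requires CIDR notation: `net.ParseCIDR` returns an error for a bare address such as `1.2.3.4`, so any existing rule written with a plain IP stops parsing and parseTarget returns false for it. A fallback to `net.ParseIP` keeps the old form working; I would also check `ip.To4()` before the `binary.BigEndian.Uint32` call, since a non-IPv4 address makes To4 return nil and Uint32 panics on a nil slice — that line is pre-existing, but the CIDR path widens what reaches it. The `fmt.Println` added in parse writes the parsed source address to stdout, while the rest of this file logs through `log.Notice` (see the match hunk), so it looks like a leftover debug line that should be removed. parseAddr's opening lines are outside the hunk.
```go
ip, ipnet, err := net.ParseCIDR(a)
if err != nil {
	// not CIDR notation: accept a bare address as before, with no network
	ip = net.ParseIP(a)
}
if ip == nil || ip.To4() == nil {
	return false
}
r.network = ipnet
r.addr = binary.BigEndian.Uint32(ip.To4())
return true
```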
