// -*- c-basic-offset: 4; tab-width: 8; indent-tabs-mode: t -*- // Copyright (c) 2008-2009 XORP, Inc. // // This program is free software; you can redistribute it and/or modify // it under the terms of the GNU General Public License, Version 2, June // 1991 as published by the Free Software Foundation. Redistribution // and/or modification of this program under the terms of any other // version of the GNU General Public License is not permitted. // // This program is distributed in the hope that it will be useful, but // WITHOUT ANY WARRANTY; without even the implied warranty of // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. For more details, // see the GNU General Public License, Version 2, a copy of which can be // found in the XORP LICENSE.gpl file. // // XORP Inc, 2953 Bunker Hill Lane, Suite 204, Santa Clara, CA 95054, USA; // http://xorp.net // $XORP: xorp/fea/firewall_entry.hh,v 1.4 2009/01/05 18:30:49 jtc Exp $ #ifndef __FEA_FIREWALL_ENTRY_HH__ #define __FEA_FIREWALL_ENTRY_HH__ #include "libxorp/ipv4.hh" #include "libxorp/ipv6.hh" #include "libxorp/ipvx.hh" #include "libxorp/ipv4net.hh" #include "libxorp/ipv6net.hh" #include "libxorp/ipvxnet.hh" /** * @short Firewall Table Entry. * * Representation of a firewall table entry. */ class FirewallEntry { public: // Possible actions for firewall rules enum Action { ACTION_MIN = 0x00, // Min value for action ACTION_ANY = 0x00, // For match comparison during delete ACTION_NONE = 0x01, ACTION_PASS = 0x02, ACTION_DROP = 0x03, ACTION_REJECT = 0x04, ACTION_MAX = 0x05, // Max number of possible actions ACTION_INVALID = 0xff // Invalid string conversion }; // Matching values for firewall rules enum { RULE_NUMBER_DEFAULT = 0, IP_PROTOCOL_MIN = 0, IP_PROTOCOL_MAX = 255, IP_PROTOCOL_ANY = 0, PORT_MIN = 0, PORT_MAX = 65535, }; explicit FirewallEntry(int family) : _rule_number(RULE_NUMBER_DEFAULT), _src_network(family), _dst_network(family), _ip_protocol(IP_PROTOCOL_ANY), _src_port_begin(PORT_MIN), _src_port_end(PORT_MAX), _dst_port_begin(PORT_MIN), _dst_port_end(PORT_MAX), _action(ACTION_INVALID) {} FirewallEntry(uint32_t rule_number, const string& ifname, const string& vifname, const IPvXNet& src_network, const IPvXNet& dst_network, uint8_t ip_protocol, uint16_t src_port_begin, uint16_t src_port_end, uint16_t dst_port_begin, uint16_t dst_port_end, FirewallEntry::Action action) : _rule_number(rule_number), _ifname(ifname), _vifname(vifname), _src_network(src_network), _dst_network(dst_network), _ip_protocol(ip_protocol), _src_port_begin(src_port_begin), _src_port_end(src_port_end), _dst_port_begin(dst_port_begin), _dst_port_end(dst_port_end), _action(action) {} /** * Test whether this is an IPv4 entry. * * @return true if this is an IPv4 entry, otherwise false. */ bool is_ipv4() const { return _src_network.is_ipv4(); } /** * Test whether this is an IPv6 entry. * * @return true if this is an IPv6 entry, otherwise false. */ bool is_ipv6() const { return _src_network.is_ipv6(); } uint32_t rule_number() const { return _rule_number; } const string& ifname() const { return _ifname; } const string& vifname() const { return _vifname; } const IPvXNet& src_network() const { return _src_network; } const IPvXNet& dst_network() const { return _dst_network; } uint8_t ip_protocol() const { return _ip_protocol; } uint32_t src_port_begin() const { return _src_port_begin; } uint32_t src_port_end() const { return _src_port_end; } uint32_t dst_port_begin() const { return _dst_port_begin; } uint32_t dst_port_end() const { return _dst_port_end; } FirewallEntry::Action action() const { return _action; } /** * Reset all members. */ void zero() { _rule_number = RULE_NUMBER_DEFAULT; _ifname.erase(); _vifname.erase(); _src_network = IPvXNet(IPvX::ZERO(_src_network.af()), 0); _dst_network = IPvXNet(IPvX::ZERO(_dst_network.af()), 0); _ip_protocol = IP_PROTOCOL_ANY; _src_port_begin = PORT_MIN; _src_port_end = PORT_MAX; _dst_port_begin = PORT_MIN; _dst_port_end = PORT_MAX; _action = ACTION_INVALID; } /** * Comparison function for an exact match with the entry. * * Note that the action is masked off in the comparison, and only * the rule-match part of the tuple is evaluated. * * @return true if the rule-match portion of the entry is matched, * otherwise false. */ bool match(const FirewallEntry& other) const { return ((_rule_number == other.rule_number()) && (_ifname == other.ifname()) && (_vifname == other.vifname()) && (_src_network == other.src_network()) && (_dst_network == other.dst_network()) && (_ip_protocol == other.ip_protocol()) && (_src_port_begin == other.src_port_begin()) && (_src_port_end == other.src_port_end()) && (_dst_port_begin == other.dst_port_begin()) && (_dst_port_end == other.dst_port_end())); } /** * Convert firewall entry action value to a string representation. * * @param action the action to convert. * @return the string representation of the action value. */ static string action2str(FirewallEntry::Action action); /** * Convert string representation to a firewall entry action value. * * @param name the name of the action. It is one of the following * keywords: "none", "pass", "drop", "reject". * @return the firewall entry action value if the name is valid, * otherwise ACTION_INVALID. */ static FirewallEntry::Action str2action(const string& name); /** * @return a string representation of the entry. */ string str() const { return c_format("rule number = %u ifname = %s vifname = %s " "source network = %s destination network = %s " "IP protocol = %d source port begin = %u " "source port end = %u destination port begin = %u " "destination port end = %u action = %s", _rule_number, _ifname.c_str(), _vifname.c_str(), _src_network.str().c_str(), _dst_network.str().c_str(), _ip_protocol, _src_port_begin, _src_port_end, _dst_port_begin, _dst_port_end, action2str(_action).c_str()); } private: uint32_t _rule_number; // The rule number string _ifname; // Interface name string _vifname; // Virtual interface name IPvXNet _src_network; // Source network address prefix IPvXNet _dst_network; // Destination network address prefix uint8_t _ip_protocol; // IP protocol number: 1-255, // or 0 if wildcard uint16_t _src_port_begin; // Source TCP/UDP begin port: 0-65535 uint32_t _src_port_end; // Source TCP/UDP end port: 0-65535 uint32_t _dst_port_begin; // Dest. TCP/UDP begin port: 0-65535 uint32_t _dst_port_end; // Dest. TCP/UDP end port: 0-65535 FirewallEntry::Action _action; // The action }; #endif // __FEA_FIREWALL_ENTRY_HH__