
00001 // -*- c-basic-offset: 4; tab-width: 8; indent-tabs-mode: t -*-
00002 
00003 // Copyright (c) 2008-2011 XORP, Inc and Others
00004 //
00005 // This program is free software; you can redistribute it and/or modify
00006 // it under the terms of the GNU General Public License, Version 2, June
00007 // 1991 as published by the Free Software Foundation. Redistribution
00008 // and/or modification of this program under the terms of any other
00009 // version of the GNU General Public License is not permitted.
00010 // 
00011 // This program is distributed in the hope that it will be useful, but
00012 // WITHOUT ANY WARRANTY; without even the implied warranty of
00013 // MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. For more details,
00014 // see the GNU General Public License, Version 2, a copy of which can be
00015 // found in the XORP LICENSE.gpl file.
00016 // 
00017 // XORP Inc, 2953 Bunker Hill Lane, Suite 204, Santa Clara, CA 95054, USA;
00018 // http://xorp.net
00019 
00020 // $XORP: xorp/fea/firewall_entry.hh,v 1.3 2008/10/02 21:56:46 bms Exp $
00021 
00022 #ifndef __FEA_FIREWALL_ENTRY_HH__
00023 #define __FEA_FIREWALL_ENTRY_HH__
00024 
00025 #include "libxorp/ipv4.hh"
00026 #include "libxorp/ipv6.hh"
00027 #include "libxorp/ipvx.hh"
00028 #include "libxorp/ipv4net.hh"
00029 #include "libxorp/ipv6net.hh"
00030 #include "libxorp/ipvxnet.hh"
00031 
00032 
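/**
 * @short A single firewall rule as handled by the FEA.
 *
 * A FirewallEntry is a plain value object: a rule number, an optional
 * interface/vif pair, source and destination prefixes, an IP protocol,
 * TCP/UDP port ranges and an action.  It performs no validation of its
 * own — nothing here checks that a port range has begin <= end, that
 * the two prefixes share an address family, or that @a ifname/@a vifname
 * name real interfaces — so callers (and the backend that pushes rules
 * into the kernel) are responsible for rejecting malformed rules.
 */
class FirewallEntry {
public:
    // Possible actions for firewall rules
    enum Action {
	ACTION_MIN	= 0x00,		// Min value for action
	ACTION_ANY	= 0x00,		// For match comparison during delete
	ACTION_NONE	= 0x01,
	ACTION_PASS	= 0x02,
	ACTION_DROP	= 0x03,
	ACTION_REJECT	= 0x04,
	ACTION_MAX	= 0x05,		// Max number of possible actions
	ACTION_INVALID	= 0xff		// Invalid string conversion
    };

    // Matching values for firewall rules
    enum {
	RULE_NUMBER_DEFAULT	= 0,
	IP_PROTOCOL_MIN		= 0,
	IP_PROTOCOL_MAX		= 255,
	IP_PROTOCOL_ANY		= 0,	// Wildcard: any IP protocol
	PORT_MIN		= 0,
	PORT_MAX		= 65535
    };

    /**
     * Construct a wildcard entry for the given address family.
     *
     * Both prefixes are built for @a family, the protocol is the wildcard
     * IP_PROTOCOL_ANY, both port ranges cover PORT_MIN..PORT_MAX and the
     * action is ACTION_INVALID, i.e. the entry is not yet usable as a rule
     * until an action is supplied.
     *
     * @param family the address family (e.g. AF_INET or AF_INET6).
     */
    explicit FirewallEntry(int family)
	: _rule_number(RULE_NUMBER_DEFAULT), _src_network(family),
	  _dst_network(family), _ip_protocol(IP_PROTOCOL_ANY),
	  _src_port_begin(PORT_MIN), _src_port_end(PORT_MAX),
	  _dst_port_begin(PORT_MIN), _dst_port_end(PORT_MAX),
	  _action(ACTION_INVALID) {}

#ifdef XORP_USE_USTL
    /**
     * Default constructor (required by uSTL containers): an IPv4 wildcard
     * entry, equivalent to FirewallEntry(AF_INET).
     *
     * The previous body, `{ FirewallEntry(AF_INET); }`, constructed and
     * immediately discarded a temporary, leaving the members of *this
     * indeterminate.  The members are initialised explicitly here instead.
     */
    FirewallEntry()
	: _rule_number(RULE_NUMBER_DEFAULT), _src_network(AF_INET),
	  _dst_network(AF_INET), _ip_protocol(IP_PROTOCOL_ANY),
	  _src_port_begin(PORT_MIN), _src_port_end(PORT_MAX),
	  _dst_port_begin(PORT_MIN), _dst_port_end(PORT_MAX),
	  _action(ACTION_INVALID) {}
#endif

    /**
     * Construct a fully specified entry.
     *
     * The values are stored as given; no range or consistency checks
     * are made (see the class description).
     *
     * @param rule_number the rule number.
     * @param ifname the interface name (may be empty).
     * @param vifname the virtual interface name (may be empty).
     * @param src_network the source network prefix.
     * @param dst_network the destination network prefix.
     * @param ip_protocol the IP protocol number, or IP_PROTOCOL_ANY.
     * @param src_port_begin first source port of the range.
     * @param src_port_end last source port of the range.
     * @param dst_port_begin first destination port of the range.
     * @param dst_port_end last destination port of the range.
     * @param action the action to take when the rule matches.
     */
    FirewallEntry(uint32_t		rule_number,
		  const string&		ifname,
		  const string&		vifname,
		  const IPvXNet&	src_network,
		  const IPvXNet&	dst_network,
		  uint8_t		ip_protocol,
		  uint16_t		src_port_begin,
		  uint16_t		src_port_end,
		  uint16_t		dst_port_begin,
		  uint16_t		dst_port_end,
		  FirewallEntry::Action	action)
	: _rule_number(rule_number), _ifname(ifname), _vifname(vifname),
	  _src_network(src_network), _dst_network(dst_network),
	  _ip_protocol(ip_protocol), _src_port_begin(src_port_begin),
	  _src_port_end(src_port_end), _dst_port_begin(dst_port_begin),
	  _dst_port_end(dst_port_end), _action(action) {}

    /**
     * Test whether this is an IPv4 entry.
     *
     * Only the source prefix is consulted; the destination prefix is
     * assumed to be of the same family.
     *
     * @return true if the source network is IPv4.
     */
    bool is_ipv4() const { return _src_network.is_ipv4(); }

    /**
     * Test whether this is an IPv6 entry.
     *
     * Only the source prefix is consulted; the destination prefix is
     * assumed to be of the same family.
     *
     * @return true if the source network is IPv6.
     */
    bool is_ipv6() const { return _src_network.is_ipv6(); }

    uint32_t rule_number() const	{ return _rule_number; }
    const string& ifname() const	{ return _ifname; }
    const string& vifname() const	{ return _vifname; }
    const IPvXNet& src_network() const	{ return _src_network; }
    const IPvXNet& dst_network() const	{ return _dst_network; }
    uint8_t ip_protocol() const		{ return _ip_protocol; }
    uint32_t src_port_begin() const	{ return _src_port_begin; }
    uint32_t src_port_end() const	{ return _src_port_end; }
    uint32_t dst_port_begin() const	{ return _dst_port_begin; }
    uint32_t dst_port_end() const	{ return _dst_port_end; }
    FirewallEntry::Action action() const { return _action; }

    /**
     * Reset the entry to the wildcard state of the family constructor.
     *
     * The address family of each prefix is preserved (each becomes the
     * all-zero prefix of length 0 in its own family); the interface names
     * are cleared and the action becomes ACTION_INVALID.
     */
    void zero() {
	_rule_number = RULE_NUMBER_DEFAULT;
	_ifname.erase();
	_vifname.erase();
	_src_network = IPvXNet(IPvX::ZERO(_src_network.af()), 0);
	_dst_network = IPvXNet(IPvX::ZERO(_dst_network.af()), 0);
	_ip_protocol = IP_PROTOCOL_ANY;
	_src_port_begin = PORT_MIN;
	_src_port_end = PORT_MAX;
	_dst_port_begin = PORT_MIN;
	_dst_port_end = PORT_MAX;
	_action = ACTION_INVALID;
    }

    /**
     * Compare the match criteria of two entries.
     *
     * Every field except the action is compared, so two rules that differ
     * only in what they do to matching traffic are still considered the
     * same rule.  The ACTION_ANY enumerator comment suggests this is so a
     * delete request can identify a rule without knowing its action; a
     * caller that needs action equality must check action() separately.
     *
     * @param other the entry to compare against.
     * @return true if all fields other than the action are equal.
     */
    bool match(const FirewallEntry& other) const {
	return ((_rule_number == other.rule_number())
		&& (_ifname == other.ifname())
		&& (_vifname == other.vifname())
		&& (_src_network == other.src_network())
		&& (_dst_network == other.dst_network())
		&& (_ip_protocol == other.ip_protocol())
		&& (_src_port_begin == other.src_port_begin())
		&& (_src_port_end == other.src_port_end())
		&& (_dst_port_begin == other.dst_port_begin())
		&& (_dst_port_end == other.dst_port_end()));
    }

    /**
     * Convert an action to its string representation.
     *
     * @param action the action to convert.
     * @return the string form of @a action (defined out of line).
     */
    static string action2str(FirewallEntry::Action action);

    /**
     * Convert a string to an action.
     *
     * @param name the string to convert.
     * @return the matching action, or ACTION_INVALID (per the enumerator
     * comment) when @a name does not name a known action (defined out of
     * line).
     */
    static FirewallEntry::Action str2action(const string& name);

    /**
     * Render the entry as a human-readable string (for logging/debugging).
     *
     * The narrow integer members are widened explicitly so that each
     * argument matches its %u/%d conversion exactly.
     *
     * @return the string form of this entry.
     */
    string str() const {
	return c_format("rule number = %u ifname = %s vifname = %s "
			"source network = %s destination network = %s "
			"IP protocol = %d source port begin = %u "
			"source port end = %u destination port begin = %u "
			"destination port end = %u action = %s",
			_rule_number, _ifname.c_str(), _vifname.c_str(),
			_src_network.str().c_str(),
			_dst_network.str().c_str(),
			static_cast<int>(_ip_protocol),
			static_cast<unsigned int>(_src_port_begin),
			static_cast<unsigned int>(_src_port_end),
			static_cast<unsigned int>(_dst_port_begin),
			static_cast<unsigned int>(_dst_port_end),
			action2str(_action).c_str());
    }

private:
    uint32_t	_rule_number;		// The rule number
    string	_ifname;		// Interface name
    string	_vifname;		// Virtual interface name
    IPvXNet	_src_network;		// Source network address prefix
    IPvXNet	_dst_network;		// Destination network address prefix
    uint8_t	_ip_protocol;		// IP protocol number: 1-255,
					// or 0 if wildcard
    // All four port bounds are uint16_t: the constructor takes uint16_t,
    // PORT_MAX is 65535, and the accessors widen to uint32_t on return,
    // so the previous mixed uint16_t/uint32_t storage was only an
    // inconsistency, not a wider range.
    uint16_t	_src_port_begin;	// Source TCP/UDP begin port: 0-65535
    uint16_t	_src_port_end;		// Source TCP/UDP end port: 0-65535
    uint16_t	_dst_port_begin;	// Dest. TCP/UDP begin port: 0-65535
    uint16_t	_dst_port_end;		// Dest. TCP/UDP end port: 0-65535
    FirewallEntry::Action _action;	// The action
};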
00204 
00205 #endif  // __FEA_FIREWALL_ENTRY_HH__