diff options
author | Gerald Combs <gerald@zing.org> | 2016-05-31 18:29:39 -0700 |
---|---|---|
committer | Gerald Combs <gerald@wireshark.org> | 2016-06-01 23:37:25 +0000 |
commit | 987ff3ee1bed5fe17d3889411687283818cee29f (patch) | |
tree | 32a8079efadab5f0a51b06db69bcf16701f92035 /ui/firewall_rules.c | |
parent | 4b216aea944b0478fa0310b2e47a11761219ffe8 (diff) | |
download | wireshark-987ff3ee1bed5fe17d3889411687283818cee29f.tar.gz |
Qt: Firewall Rules dialog.
Add the Firewall ACL Rules dialog. Try showing all valid rules for a
given product instead of making the user select from a combobox. We can
add the combo back easily enough if that's desired.
Add a rule hint field and use it in the Qt and GTK+ UIs.
Bug: 12469
Change-Id: I39dd840e9838f96d7c5e2b4c34662811c21d0386
Reviewed-on: https://code.wireshark.org/review/15689
Petri-Dish: Gerald Combs <gerald@wireshark.org>
Tested-by: Petri Dish Buildbot <buildbot-no-reply@wireshark.org>
Reviewed-by: Gerald Combs <gerald@wireshark.org>
Diffstat (limited to 'ui/firewall_rules.c')
-rw-r--r-- | ui/firewall_rules.c | 290 |
1 files changed, 290 insertions, 0 deletions
diff --git a/ui/firewall_rules.c b/ui/firewall_rules.c new file mode 100644 index 0000000000..ae7db51848 --- /dev/null +++ b/ui/firewall_rules.c @@ -0,0 +1,290 @@ +/* firewall_rules_dlg.c + * + * This program is free software; you can redistribute it and/or + * modify it under the terms of the GNU General Public License + * as published by the Free Software Foundation; either version 2 + * of the License, or (at your option) any later version. + * + * This program is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + * GNU General Public License for more details. + * + * You should have received a copy of the GNU General Public License + * along with this program; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA. + */ + +/* + * Generate firewall ACL rules based on packet addresses and ports. + * For directional rules, an outside interface is assumed. + * + * There may be better ways to present the information, e.g. all rules + * in one huge text window, or some sort of tree view. + */ + +/* + * To add a new product, add syntax functions modify the products[] array. + * + * To add a new syntax function, add its prototype above the products[] + * array, and add the function below with all the others. + */ + + /* Copied from gtk/firewall_rules.c */ + +#include "config.h" + +#include <glib.h> + +#include "epan/address.h" + +#include "firewall_rules.h" + +static void sf_ipfw_mac(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_netfilter_mac(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); + +static void sf_ios_std_ipv4(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_ios_ext_ipv4(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_ipfilter_ipv4(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_ipfw_ipv4(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_netfilter_ipv4(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_pf_ipv4(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +/* XXX - Can you addresses-only filters using WFW/netsh? */ + +static void sf_ios_ext_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_ipfilter_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_ipfw_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_netfilter_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_pf_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_netsh_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); + +static void sf_ios_ext_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_ipfilter_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_ipfw_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_netfilter_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_pf_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); +static void sf_netsh_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny); + +typedef struct _fw_product_t { + const char *name; + const char *rule_hint; + const char *comment_pfx; + syntax_func mac_func; + syntax_func ipv4_func; + syntax_func port_func; + syntax_func ipv4_port_func; + gboolean does_inbound; +} fw_product; + +static fw_product products[] = { + { "Cisco IOS (standard)", "Change NUMBER to a valid ACL number.", "!", + NULL, sf_ios_std_ipv4, NULL, NULL, FALSE }, + { "Cisco IOS (extended)", "Change NUMBER to a valid ACL number.", "!", + NULL, sf_ios_ext_ipv4, sf_ios_ext_port, sf_ios_ext_ipv4_port, TRUE }, + { "IP Filter (ipfilter)", "Change le0 to a valid interface.", "#", + NULL, sf_ipfilter_ipv4, sf_ipfilter_port, sf_ipfilter_ipv4_port, TRUE }, + { "IPFirewall (ipfw)", "", "#", + sf_ipfw_mac, sf_ipfw_ipv4, sf_ipfw_port, sf_ipfw_ipv4_port, TRUE }, + { "Netfilter (iptables)", "Change eth0 to a valid interface.", "#", + sf_netfilter_mac, sf_netfilter_ipv4, sf_netfilter_port, + sf_netfilter_ipv4_port, TRUE }, + { "Packet Filter (pf)", "$ext_if should be set to a valid interface.", "#", + NULL, sf_pf_ipv4, sf_pf_port, sf_pf_ipv4_port, TRUE }, + { "Windows Firewall (netsh)", "", "#", + NULL, NULL, sf_netsh_port, sf_netsh_ipv4_port, FALSE } +}; +#define NUM_PRODS (sizeof(products) / sizeof(fw_product)) + + +size_t firewall_product_count(void) +{ + return NUM_PRODS; +} + +const char *firewall_product_name(size_t product_idx) +{ + if (product_idx >= NUM_PRODS) return "Unknown"; + return products[product_idx].name; +} + +const char *firewall_product_rule_hint(size_t product_idx) +{ + if (product_idx >= NUM_PRODS) return ""; + return products[product_idx].rule_hint; +} + +const char *firewall_product_comment_prefix(size_t product_idx) +{ + if (product_idx >= NUM_PRODS) return ""; + return products[product_idx].comment_pfx; +} + +syntax_func firewall_product_mac_func(size_t product_idx) +{ + if (product_idx >= NUM_PRODS) return NULL; + return products[product_idx].mac_func; +} + + +syntax_func firewall_product_ipv4_func(size_t product_idx) +{ + if (product_idx >= NUM_PRODS) return NULL; + return products[product_idx].ipv4_func; +} + + +syntax_func firewall_product_port_func(size_t product_idx) +{ + if (product_idx >= NUM_PRODS) return NULL; + return products[product_idx].port_func; +} + + +syntax_func firewall_product_ipv4_port_func(size_t product_idx) +{ + if (product_idx >= NUM_PRODS) return NULL; + return products[product_idx].ipv4_port_func; +} + +gboolean firewall_product_does_inbound(size_t product_idx) +{ + if (product_idx >= NUM_PRODS) return FALSE; + return products[product_idx].does_inbound; +} + + +/* MAC */ +#define IPFW_DENY (deny ? "deny" : "allow") +#define IPFW_IN (inbound ? "in" : "out") +static void sf_ipfw_mac(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) { + g_string_append_printf(rtxt, "add %s MAC %s any %s", + IPFW_DENY, addr, IPFW_IN); +} + +#define NF_DROP (deny ? "DROP" : "ACCEPT") +#define NF_INPUT (inbound ? "INPUT" : "OUTPUT") +static void sf_netfilter_mac(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) { + g_string_append_printf(rtxt, "iptables -A %s -i eth0 --mac-source %s -j %s", + NF_INPUT, addr, NF_DROP); +} + +/* IPv4 */ +#define IOS_DENY (deny ? "deny" : "permit") +static void sf_ios_std_ipv4(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound _U_, gboolean deny) { + g_string_append_printf(rtxt, "access-list NUMBER %s host %s", IOS_DENY, addr); +} + +static void sf_ios_ext_ipv4(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) { + if (inbound) + g_string_append_printf(rtxt, "access-list NUMBER %s ip host %s any", IOS_DENY, addr); + else + g_string_append_printf(rtxt, "access-list NUMBER %s ip any host %s", IOS_DENY, addr); +} + +#define IPFILTER_DENY (deny ? "block" : "pass") +#define IPFILTER_IN (inbound ? "in" : "out") +static void sf_ipfilter_ipv4(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) { + g_string_append_printf(rtxt, "%s %s on le0 from %s to any", + IPFILTER_DENY, IPFILTER_IN, addr); +} + +static void sf_ipfw_ipv4(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) { + g_string_append_printf(rtxt, "add %s ip from %s to any %s", + IPFW_DENY, addr, IPFW_IN); +} + +static void sf_netfilter_ipv4(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) { + g_string_append_printf(rtxt, "iptables -A %s -i eth0 -d %s/32 -j %s", + NF_INPUT, addr, NF_DROP); +} + +#define PF_DENY (deny ? "block" : "pass") +#define PF_IN (inbound ? "in" : "out") +static void sf_pf_ipv4(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) { + g_string_append_printf(rtxt, "%s %s quick on $ext_if from %s to any", + PF_DENY, PF_IN, addr); +} + +/* Port */ +#define RT_TCP_UDP (ptype == PT_TCP ? "tcp" : "udp") +static void sf_ios_ext_port(GString *rtxt, gchar *addr _U_, guint32 port, port_type ptype, gboolean inbound _U_, gboolean deny) { + g_string_append_printf(rtxt, "access-list NUMBER %s %s any any eq %u", + IOS_DENY, RT_TCP_UDP, port); +} + +static void sf_ipfilter_port(GString *rtxt, gchar *addr _U_, guint32 port, port_type ptype _U_, gboolean inbound, gboolean deny) { + g_string_append_printf(rtxt, "%s %s on le0 proto %s from any to any port = %u", + IPFILTER_DENY, IPFILTER_IN, RT_TCP_UDP, port); +} + +static void sf_ipfw_port(GString *rtxt, gchar *addr _U_, guint32 port, port_type ptype, gboolean inbound, gboolean deny) { + g_string_append_printf(rtxt, "add %s %s from any to any %u %s", + IPFW_DENY, RT_TCP_UDP, port, IPFW_IN); +} + +static void sf_netfilter_port(GString *rtxt, gchar *addr _U_, guint32 port, port_type ptype, gboolean inbound, gboolean deny) { + g_string_append_printf(rtxt, "iptables -A %s -i eth0 -p %s --destination-port %u -j %s", + NF_INPUT, RT_TCP_UDP, port, NF_DROP); +} + +static void sf_pf_port(GString *rtxt, gchar *addr _U_, guint32 port, port_type ptype, gboolean inbound, gboolean deny) { + g_string_append_printf(rtxt, "%s %s quick on $ext_if proto %s from any to any port %u", + PF_DENY, PF_IN, RT_TCP_UDP, port); +} + +#define NETSH_DENY (deny ? "DISABLE" : "ENABLE") +static void sf_netsh_port(GString *rtxt, gchar *addr _U_, guint32 port, port_type ptype, gboolean inbound _U_, gboolean deny) { + g_string_append_printf(rtxt, "add portopening %s %u Wireshark %s", + RT_TCP_UDP, port, NETSH_DENY); +} + +/* IPv4 + port */ +static void sf_ios_ext_ipv4_port(GString *rtxt, gchar *addr, guint32 port _U_, port_type ptype _U_, gboolean inbound, gboolean deny) { + if (inbound) + g_string_append_printf(rtxt, "access-list NUMBER %s %s host %s any eq %u", IOS_DENY, RT_TCP_UDP, addr, port); + else + g_string_append_printf(rtxt, "access-list NUMBER %s %s any host %s eq %u", IOS_DENY, RT_TCP_UDP, addr, port); +} + +static void sf_ipfilter_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny) { + if (inbound) + g_string_append_printf(rtxt, "%s %s on le0 proto %s from %s to any port = %u", + IPFILTER_DENY, IPFILTER_IN, RT_TCP_UDP, addr, port); + else + g_string_append_printf(rtxt, "%s %s on le0 proto %s from any to %s port = %u", + IPFILTER_DENY, IPFILTER_IN, RT_TCP_UDP, addr, port); +} + +static void sf_ipfw_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny) { + g_string_append_printf(rtxt, "add %s %s from %s to any %u %s", + IPFW_DENY, RT_TCP_UDP, addr, port, IPFW_IN); +} + +static void sf_pf_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny) { + g_string_append_printf(rtxt, "%s %s quick on $ext_if proto %s from %s to any port %u", + PF_DENY, PF_IN, RT_TCP_UDP, addr, port); +} + +static void sf_netfilter_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound, gboolean deny) { + g_string_append_printf(rtxt, "iptables -A %s -i eth0 -p %s -d %s/32 --destination-port %u -j %s", + NF_INPUT, RT_TCP_UDP, addr, port, NF_DROP); +} + +static void sf_netsh_ipv4_port(GString *rtxt, gchar *addr, guint32 port, port_type ptype, gboolean inbound _U_, gboolean deny) { + g_string_append_printf(rtxt, "add portopening %s %u Wireshark %s %s", + RT_TCP_UDP, port, NETSH_DENY, addr); +} + + +/* + * Editor modelines - http://www.wireshark.org/tools/modelines.html + * + * Local variables: + * c-basic-offset: 4 + * tab-width: 8 + * indent-tabs-mode: nil + * End: + * + * vi: set shiftwidth=4 tabstop=8 expandtab: + * :indentSize=4:tabSize=8:noTabs=true: + */ |