search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
Revert "TODO epan/dissectors/asn1/kerberos/packet-kerberos-template.c new GSS flags"
[wireshark-sm.git] / ui / firewall_rules.c
blob7d127c58c57261ee2758dbebaed6af73a32ff57e
1 /* firewall_rules_dlg.c
2 *
3 * SPDX-License-Identifier: GPL-2.0-or-later
4 */
5
6 /*
7 * Generate firewall ACL rules based on packet addresses and ports.
8 * For directional rules, an outside interface is assumed.
9 *
10 * There may be better ways to present the information, e.g. all rules
11 * in one huge text window, or some sort of tree view.
12 */
13
14 /*
15 * To add a new product, add syntax functions modify the products[] array.
16 *
17 * To add a new syntax function, add its prototype above the products[]
18 * array, and add the function below with all the others.
19 */
20
21 /* Copied from gtk/firewall_rules.c */
22
23 #include "config.h"
24
25 #include <glib.h>
26
27 #include <wsutil/array.h>
28 #include "epan/address.h"
29
30 #include "firewall_rules.h"
31
32 static void sf_ipfw_mac(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
33 static void sf_netfilter_mac(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
34
35 static void sf_ios_std_ipv4(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
36 static void sf_ios_ext_ipv4(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
37 static void sf_ipfilter_ipv4(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
38 static void sf_ipfw_ipv4(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
39 static void sf_netfilter_ipv4(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
40 static void sf_pf_ipv4(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
41 /* XXX - Can you addresses-only filters using WFW/netsh? */
42
43 static void sf_ios_ext_port(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
44 static void sf_ipfilter_port(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
45 static void sf_ipfw_port(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
46 static void sf_netfilter_port(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
47 static void sf_pf_port(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
48 static void sf_netsh_port_old(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
49 static void sf_netsh_port_new(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
50
51 static void sf_ios_ext_ipv4_port(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
52 static void sf_ipfilter_ipv4_port(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
53 static void sf_ipfw_ipv4_port(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
54 static void sf_netfilter_ipv4_port(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
55 static void sf_pf_ipv4_port(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
56 static void sf_netsh_ipv4_port_old(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
57 static void sf_netsh_ipv4_port_new(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny);
58
59 typedef struct _fw_product_t {
60 const char *name;
61 const char *rule_hint;
62 const char *comment_pfx;
63 syntax_func mac_func;
64 syntax_func ipv4_func;
65 syntax_func port_func;
66 syntax_func ipv4_port_func;
67 bool does_inbound;
68 } fw_product;
69
70 static fw_product products[] = {
71 { "Cisco IOS (standard)", "Change NUMBER to a valid ACL number.", "!",
72 NULL, sf_ios_std_ipv4, NULL, NULL, false },
73 { "Cisco IOS (extended)", "Change NUMBER to a valid ACL number.", "!",
74 NULL, sf_ios_ext_ipv4, sf_ios_ext_port, sf_ios_ext_ipv4_port, true },
75 { "IP Filter (ipfilter)", "Change le0 to a valid interface if needed.", "#",
76 NULL, sf_ipfilter_ipv4, sf_ipfilter_port, sf_ipfilter_ipv4_port, true },
77 { "IPFirewall (ipfw)", "", "#",
78 sf_ipfw_mac, sf_ipfw_ipv4, sf_ipfw_port, sf_ipfw_ipv4_port, true },
79 { "Netfilter (iptables)", "Change eth0 to a valid interface if needed.", "#",
80 sf_netfilter_mac, sf_netfilter_ipv4, sf_netfilter_port,
81 sf_netfilter_ipv4_port, true },
82 { "Packet Filter (pf)", "$ext_if should be set to a valid interface.", "#",
83 NULL, sf_pf_ipv4, sf_pf_port, sf_pf_ipv4_port, true },
84 { "Windows Firewall (netsh old syntax)", "", "#",
85 NULL, NULL, sf_netsh_port_old, sf_netsh_ipv4_port_old, false },
86 { "Windows Firewall (netsh new syntax)", "", "#",
87 NULL, NULL, sf_netsh_port_new, sf_netsh_ipv4_port_new, false }
88 };
89 #define NUM_PRODS array_length(products)
90
91
92 size_t firewall_product_count(void)
93 {
94 return NUM_PRODS;
95 }
96
97 const char *firewall_product_name(size_t product_idx)
98 {
99 if (product_idx >= NUM_PRODS) return "Unknown";
100 return products[product_idx].name;
101 }
102
103 const char *firewall_product_rule_hint(size_t product_idx)
104 {
105 if (product_idx >= NUM_PRODS) return "";
106 return products[product_idx].rule_hint;
107 }
108
109 const char *firewall_product_comment_prefix(size_t product_idx)
110 {
111 if (product_idx >= NUM_PRODS) return "";
112 return products[product_idx].comment_pfx;
113 }
114
115 syntax_func firewall_product_mac_func(size_t product_idx)
116 {
117 if (product_idx >= NUM_PRODS) return NULL;
118 return products[product_idx].mac_func;
119 }
120
121
122 syntax_func firewall_product_ipv4_func(size_t product_idx)
123 {
124 if (product_idx >= NUM_PRODS) return NULL;
125 return products[product_idx].ipv4_func;
126 }
127
128
129 syntax_func firewall_product_port_func(size_t product_idx)
130 {
131 if (product_idx >= NUM_PRODS) return NULL;
132 return products[product_idx].port_func;
133 }
134
135
136 syntax_func firewall_product_ipv4_port_func(size_t product_idx)
137 {
138 if (product_idx >= NUM_PRODS) return NULL;
139 return products[product_idx].ipv4_port_func;
140 }
141
142 bool firewall_product_does_inbound(size_t product_idx)
143 {
144 if (product_idx >= NUM_PRODS) return false;
145 return products[product_idx].does_inbound;
146 }
147
148
149 /* MAC */
150 #define IPFW_RULE(deny) ((deny) ? "deny" : "allow")
151 #define IPFW_DIR(inbound) ((inbound) ? "in" : "out")
152 static void sf_ipfw_mac(GString *rtxt, char *addr, uint32_t port _U_, port_type ptype _U_, bool inbound, bool deny) {
153 g_string_append_printf(rtxt, "add %s MAC %s any %s",
154 IPFW_RULE(deny), addr, IPFW_DIR(inbound));
155 }
156
157 #define NF_RULE(deny) ((deny) ? "DROP" : "ACCEPT")
158 #define NF_DIR(inbound) ((inbound) ? "INPUT" : "OUTPUT")
159 static void sf_netfilter_mac(GString *rtxt, char *addr, uint32_t port _U_, port_type ptype _U_, bool inbound, bool deny) {
160 g_string_append_printf(rtxt, "iptables --append %s --in-interface eth0 --mac-source %s --jump %s",
161 NF_DIR(inbound), addr, NF_RULE(deny));
162 }
163
164 /* IPv4 */
165 #define IOS_RULE(deny) ((deny) ? "deny" : "permit")
166 static void sf_ios_std_ipv4(GString *rtxt, char *addr, uint32_t port _U_, port_type ptype _U_, bool inbound _U_, bool deny) {
167 g_string_append_printf(rtxt, "access-list NUMBER %s host %s", IOS_RULE(deny), addr);
168 }
169
170 static void sf_ios_ext_ipv4(GString *rtxt, char *addr, uint32_t port _U_, port_type ptype _U_, bool inbound, bool deny) {
171 if (inbound)
172 g_string_append_printf(rtxt, "access-list NUMBER %s ip host %s any", IOS_RULE(deny), addr);
173 else
174 g_string_append_printf(rtxt, "access-list NUMBER %s ip any host %s", IOS_RULE(deny), addr);
175 }
176
177 #define IPFILTER_RULE(deny) ((deny) ? "block" : "pass")
178 #define IPFILTER_DIR(inbound) ((inbound) ? "in" : "out")
179
180 static void sf_ipfilter_ipv4(GString *rtxt, char *addr, uint32_t port _U_, port_type ptype _U_, bool inbound, bool deny) {
181 g_string_append_printf(rtxt, "%s %s on le0 from %s to any",
182 IPFILTER_RULE(deny), IPFILTER_DIR(inbound), addr);
183 }
184
185 static void sf_ipfw_ipv4(GString *rtxt, char *addr, uint32_t port _U_, port_type ptype _U_, bool inbound, bool deny) {
186 g_string_append_printf(rtxt, "add %s ip from %s to any %s",
187 IPFW_RULE(deny), addr, IPFW_DIR(inbound));
188 }
189
190 #define NF_ADDR_DIR(inbound) ((inbound) ? "--source" : "--destination")
191 static void sf_netfilter_ipv4(GString *rtxt, char *addr, uint32_t port _U_, port_type ptype _U_, bool inbound, bool deny) {
192 g_string_append_printf(rtxt, "iptables --append %s --in-interface eth0 %s %s/32 --jump %s",
193 NF_DIR(inbound), NF_ADDR_DIR(inbound), addr, NF_RULE(deny));
194 }
195
196 #define PF_RULE(deny) ((deny) ? "block" : "pass")
197 #define PF_DIR(inbound) ((inbound) ? "in" : "out")
198 static void sf_pf_ipv4(GString *rtxt, char *addr, uint32_t port _U_, port_type ptype _U_, bool inbound, bool deny) {
199 g_string_append_printf(rtxt, "%s %s quick on $ext_if from %s to any",
200 PF_RULE(deny), PF_DIR(inbound), addr);
201 }
202
203 /* Port */
204 #define RT_TCP_UDP(ptype) ((ptype) == PT_TCP ? "tcp" : "udp")
205 static void sf_ios_ext_port(GString *rtxt, char *addr _U_, uint32_t port, port_type ptype, bool inbound _U_, bool deny) {
206 g_string_append_printf(rtxt, "access-list NUMBER %s %s any any eq %u",
207 IOS_RULE(deny), RT_TCP_UDP(ptype), port);
208 }
209
210 static void sf_ipfilter_port(GString *rtxt, char *addr _U_, uint32_t port, port_type ptype, bool inbound, bool deny) {
211 g_string_append_printf(rtxt, "%s %s on le0 proto %s from any to any port = %u",
212 IPFILTER_RULE(deny), IPFILTER_DIR(inbound), RT_TCP_UDP(ptype), port);
213 }
214
215 static void sf_ipfw_port(GString *rtxt, char *addr _U_, uint32_t port, port_type ptype, bool inbound, bool deny) {
216 g_string_append_printf(rtxt, "add %s %s from any to any %u %s",
217 IPFW_RULE(deny), RT_TCP_UDP(ptype), port, IPFW_DIR(inbound));
218 }
219
220 #define NF_PORT_DIR(inbound) ((inbound) ? "--source-port" : "--destination-port")
221 static void sf_netfilter_port(GString *rtxt, char *addr _U_, uint32_t port, port_type ptype, bool inbound, bool deny) {
222 g_string_append_printf(rtxt, "iptables --append %s --in-interface eth0 --protocol %s %s %u --jump %s",
223 NF_DIR(inbound), RT_TCP_UDP(ptype), NF_PORT_DIR(inbound), port, NF_RULE(deny));
224 }
225
226 static void sf_pf_port(GString *rtxt, char *addr _U_, uint32_t port, port_type ptype, bool inbound, bool deny) {
227 g_string_append_printf(rtxt, "%s %s quick on $ext_if proto %s from any to any port %u",
228 PF_RULE(deny), PF_DIR(inbound), RT_TCP_UDP(ptype), port);
229 }
230
231 #define NETSH_RULE_OLD(deny) ((deny) ? "DISABLE" : "ENABLE")
232 static void sf_netsh_port_old(GString *rtxt, char *addr _U_, uint32_t port, port_type ptype, bool inbound _U_, bool deny) {
233 g_string_append_printf(rtxt, "add portopening %s %u Wireshark %s",
234 RT_TCP_UDP(ptype), port, NETSH_RULE_OLD(deny));
235 }
236
237 #define NETSH_RULE_NEW(deny) ((deny) ? "block" : "allow")
238 static void sf_netsh_port_new(GString *rtxt, char *addr _U_, uint32_t port, port_type ptype, bool inbound _U_, bool deny) {
239 g_string_append_printf(rtxt, "add rule name=\"Wireshark\" dir=in action=%s protocol=%s localport=%u",
240 NETSH_RULE_NEW(deny), RT_TCP_UDP(ptype), port);
241 }
242
243 /* IPv4 + port */
244 static void sf_ios_ext_ipv4_port(GString *rtxt, char *addr, uint32_t port _U_, port_type ptype, bool inbound, bool deny) {
245 if (inbound)
246 g_string_append_printf(rtxt, "access-list NUMBER %s %s host %s eq %u any", IOS_RULE(deny), RT_TCP_UDP(ptype), addr, port);
247 else
248 g_string_append_printf(rtxt, "access-list NUMBER %s %s any host %s eq %u", IOS_RULE(deny), RT_TCP_UDP(ptype), addr, port);
249 }
250
251 static void sf_ipfilter_ipv4_port(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny) {
252 if (inbound)
253 g_string_append_printf(rtxt, "%s %s on le0 proto %s from %s port = %u to any",
254 IPFILTER_RULE(deny), IPFILTER_DIR(inbound), RT_TCP_UDP(ptype), addr, port);
255 else
256 g_string_append_printf(rtxt, "%s %s on le0 proto %s from any to %s port = %u",
257 IPFILTER_RULE(deny), IPFILTER_DIR(inbound), RT_TCP_UDP(ptype), addr, port);
258 }
259
260 static void sf_ipfw_ipv4_port(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny) {
261 g_string_append_printf(rtxt, "add %s %s from %s %u to any %s",
262 IPFW_RULE(deny), RT_TCP_UDP(ptype), addr, port, IPFW_DIR(inbound));
263 }
264
265 static void sf_pf_ipv4_port(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny) {
266 g_string_append_printf(rtxt, "%s %s quick on $ext_if proto %s from %s to any port %u",
267 PF_RULE(deny), PF_DIR(inbound), RT_TCP_UDP(ptype), addr, port);
268 }
269
270 static void sf_netfilter_ipv4_port(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound, bool deny) {
271 g_string_append_printf(rtxt, "iptables --append %s --in-interface eth0 --protocol %s %s %s/32 %s %u --jump %s",
272 NF_DIR(inbound), RT_TCP_UDP(ptype), NF_ADDR_DIR(inbound), addr, NF_PORT_DIR(inbound), port, NF_RULE(deny));
273 }
274
275 static void sf_netsh_ipv4_port_old(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound _U_, bool deny) {
276 g_string_append_printf(rtxt, "add portopening %s %u Wireshark %s %s",
277 RT_TCP_UDP(ptype), port, NETSH_RULE_OLD(deny), addr);
278 }
279
280 static void sf_netsh_ipv4_port_new(GString *rtxt, char *addr, uint32_t port, port_type ptype, bool inbound _U_, bool deny) {
281 g_string_append_printf(rtxt, "add rule name=\"Wireshark\" dir=in action=%s protocol=%s localport=%u remoteip=%s",
282 NETSH_RULE_NEW(deny), RT_TCP_UDP(ptype), port, addr);
283 }
Metzes wireshark repo