firewall3: add UBUS support for include scripts

It gives the ability to include scripts via procd
services and netifd interface firewall data.

Signed-off-by: Pierre Lebleu <[email protected]>

Author: pticon

includes.c

@@ -30,52 +30,97 @@ const struct fw3_option fw3_include_opts[] = {
 	{ }
 };
 
+static bool
+check_include(struct fw3_state *state, struct fw3_include *include, struct uci_element *e)
+{
+	if (!include->enabled)
+		return false;
+
+	if (!include->path)
+	{
+		warn_section("include", include, e, "must specify a path");
+		return false;
+	}
+
+	if (include->type == FW3_INC_TYPE_RESTORE && !include->family)
+		warn_section("include", include, e, "does not specify a family, include will get"
+				"loaded with both iptables-restore and ip6tables-restore!");
+
+	return true;
+}
+
+static struct fw3_include *
+fw3_alloc_include(struct fw3_state *state)
+{
+	struct fw3_include *include;
+
+	include = calloc(1, sizeof(*include));
+	if (!include)
+		return NULL;
+
+	include->enabled = true;
+
+	list_add_tail(&include->list, &state->includes);
+
+	return include;
+}
 
 void
-fw3_load_includes(struct fw3_state *state, struct uci_package *p)
+fw3_load_includes(struct fw3_state *state, struct uci_package *p,
+		struct blob_attr *a)
 {
 	struct uci_section *s;
 	struct uci_element *e;
 	struct fw3_include *include;
+	struct blob_attr *entry;
+	unsigned rem;
 
 	INIT_LIST_HEAD(&state->includes);
 
-	uci_foreach_element(&p->sections, e)
+	blob_for_each_attr(entry, a, rem)
 	{
-		s = uci_to_section(e);
+		const char *type;
+		const char *name = "ubus include";
 
-		if (strcmp(s->type, "include"))
+		if (!fw3_attr_parse_name_type(entry, &name, &type))
 			continue;
 
-		include = calloc(1, sizeof(*include));
-		if (!include)
+		if (strcmp(type, "script") && strcmp(type, "restore"))
 			continue;
 
-		include->name = e->name;
-		include->enabled = true;
-
-		if (!fw3_parse_options(include, fw3_include_opts, s))
-			warn_elem(e, "has invalid options");
+		include = fw3_alloc_include(state);
+		if (!include)
+			continue;
 
-		if (!include->enabled)
+		if (!fw3_parse_blob_options(include, fw3_include_opts, entry, name))
 		{
+			warn_section("include", include, NULL, "skipped due to invalid options");
 			fw3_free_include(include);
 			continue;
 		}
 
-		if (!include->path)
-		{
-			warn_elem(e, "must specify a path");
+		if (!check_include(state, include, NULL))
 			fw3_free_include(include);
+	}
+
+	uci_foreach_element(&p->sections, e)
+	{
+		s = uci_to_section(e);
+
+		if (strcmp(s->type, "include"))
+			continue;
+
+		include = fw3_alloc_include(state);
+		if (!include)
 			continue;
-		}
 
-		if (include->type == FW3_INC_TYPE_RESTORE && !include->family)
-			warn_elem(e, "does not specify a family, include will get loaded "
-			             "with both iptables-restore and ip6tables-restore!");
+		include->name = e->name;
 
-		list_add_tail(&include->list, &state->includes);
-		continue;
+		if (!fw3_parse_options(include, fw3_include_opts, s))
+			warn_elem(e, "has invalid options");
+
+		if (!check_include(state, include, e))
+			fw3_free_include(include);
 	}
 }
 

includes.h

@@ -24,14 +24,17 @@
 
 extern const struct fw3_option fw3_include_opts[];
 
-void fw3_load_includes(struct fw3_state *state, struct uci_package *p);
+void fw3_load_includes(struct fw3_state *state, struct uci_package *p, struct blob_attr *a);
 
 void fw3_print_includes(struct fw3_state *state, enum fw3_family family,
                         bool reload);
 
 void fw3_run_includes(struct fw3_state *state, bool reload);
 
-#define fw3_free_include(include) \
-	fw3_free_object(include, fw3_include_opts)
+static inline void fw3_free_include(struct fw3_include *include)
+{
+	list_del(&include->list);
+	fw3_free_object(include, fw3_include_opts);
+}
 
 #endif

main.c

@@ -107,7 +107,7 @@ build_state(bool runtime)
 	fw3_load_redirects(state, p, b.head);
 	fw3_load_snats(state, p, b.head);
 	fw3_load_forwards(state, p, b.head);
-	fw3_load_includes(state, p);
+	fw3_load_includes(state, p, b.head);
 
 	return true;
 }