
📄 usrfwtutorial.c

📁 firewall PNE 3.3 source code, running at more than vxworks6.x version.
💻 C
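/* usrFwTutorial.c  - Firewall tutorial rules */

/* Copyright 2004-2005 Wind River Systems, Inc. */
#include "copyright_wrs.h"

/*
modification history
--------------------
01c,29mar05,svk  Correct the Firewall manual name
01b,08oct04,svk  incorporated review comments
01a,01aug04,myz  created
*/

/*
DESCRIPTION
This file supplies the firewall tutorial rules. Please refer to the
Firewall User's Guide for the tutorial.
*/

/* includes */

#include <vxWorks.h>
#include <stdio.h>
#include "netinet/ip.h"
#include "netinet/ip_icmp.h"
#include "wrn/firewall/fwLib.h"

/****************************************************************************
*
* usrFwTutorial - Set the firewall tutorial rules
*
* Builds the tutorial rule set at the forward filter location (FW_FORW_LOC):
*
*   1. The rule filter is installed first, with FW_REJECT as its default
*      action, so forwarded packets that match none of the rules below are
*      rejected.
*   2. outGroup matches packets that arrive on the private interface and
*      leave on the public interface, records their connection state
*      (FW_CONN_INITIATOR, FW_CONN_STATE_ALL) and accepts them.
*   3. inGroup matches packets in the opposite direction and holds two
*      rules: stateRule accepts packets of established connections
*      (FW_CONN_RESPONDER, FW_CONN_STATE_ESTABLISHED); pingRule accepts and
*      logs ICMP echo requests sent from host A to host X.
*
* In every group and rule the match fields are set before the action, so
* FW_ACCEPT is attached only once the match criteria are in place.
*
* All four string arguments must be non-NULL and non-empty; they are checked
* before any firewall state is touched, so a rejected call installs nothing.
*
* ERROR HANDLING
* Every failure prints a message and returns ERROR at once. This routine
* removes nothing it created earlier in the same call, so after a failure
* the rule filter (default FW_REJECT) and any groups or rules built so far
* remain installed. The caller is responsible for tearing them down before
* retrying.
*
* NOTE(review): interface names and IP address strings are passed to
* fwRuleFieldSet() as (UINT32) casts of the pointers. That assumes a pointer
* fits in 32 bits on the target - confirm against the fwLib contract before
* building this for a 64-bit target.
*
* RETURNS: OK (success), or ERROR (failure)
*/

STATUS usrFwTutorial
    (
    char * pPublicIfName,  /* name of interface connected to public net */
    int    publicIfUnit,   /* unit of interface connected to public net */
    char * pPrivateIfName, /* name of interface connected to private net */
    int    privateIfUnit,  /* unit of interface connected to private net */
    char * hostAIpAddrStr, /* host A IP address */
    char * hostXIpAddrStr  /* host X IP address */
    )
    {
    void * outGroup;
    void * inGroup;
    void * stateRule;
    void * pingRule;

    /*
     * Sanity check. Empty strings are rejected together with NULL pointers:
     * an empty interface name or address cannot identify anything, and
     * refusing it here keeps bad input from failing only after the rule
     * filter and part of the rule set have already been installed.
     */

    if ((pPublicIfName == NULL) || (pPrivateIfName == NULL) ||
        (hostAIpAddrStr == NULL) || (hostXIpAddrStr == NULL) ||
        (pPublicIfName[0] == '\0') || (pPrivateIfName[0] == '\0') ||
        (hostAIpAddrStr[0] == '\0') || (hostXIpAddrStr[0] == '\0'))
        {
        printf("Invalid parameter specified!\n");
        return ERROR;
        }

    /*
     * Install rule filter at the forward filter location with a REJECT
     * default action. Assume no rule filter is installed in any other
     * locations.
     *
     * Installing the default-REJECT filter before any ACCEPT rule exists
     * means the forward path is closed while the rule set is being built.
     */

    if (fwRuleFilterInstall(FW_FORW_LOC, FW_REJECT, NULL, NULL, NULL, 0)
        == ERROR)
        {
        printf("Failed to install Rule Filter!\n");
        return ERROR;
        }

    /*
     * Create a rule group for packets outgoing from private network to the
     * public network. This rule group will record the state of these packets
     * and allow them out.
     *
     * NOTE(review): the meaning of the third argument (40) is not visible in
     * this file - confirm against the fwRuleGroupCreate() documentation.
     */

    outGroup = fwRuleGroupCreate(FW_FORW_LOC,
                         "Outgoing packets from private to public network",
                         40);
    if (outGroup == NULL)
        {
        printf("outGroup: Can't create group\n");
        return ERROR;
        }

    /*
     * Set the packet direction by setting the source interface as
     * private interface and destination interface as public interface.
     */

    if (fwRuleFieldSet(outGroup, FW_FIELD_NETIF,
                       (UINT32)pPrivateIfName, privateIfUnit,
                       (UINT32)pPublicIfName, publicIfUnit) == ERROR)
        {
        printf("outGroup: Failed to set interface field\n");
        return ERROR;
        }

    /* Record the state of the packets */

    if (fwRuleFieldSet(outGroup, FW_FIELD_STATE, FW_CONN_INITIATOR,
                       FW_CONN_STATE_ALL) == ERROR)
        {
        printf("outGroup: Failed to set state\n");
        return ERROR;
        }

    /* Allow all the packets out (set last, after the match fields) */

    if (fwRuleFieldSet(outGroup, FW_FIELD_ACTION, FW_ACCEPT) == ERROR)
        {
        printf("outGroup: Failed to set action\n");
        return ERROR;
        }

    /*
     * Create a rule group for packets incoming from public network to the
     * private network. This rule group will contain one rule to allow
     * packets that belong to established connections and another rule
     * to allow pings from the public host A to the private host X.
     */

    inGroup = fwRuleGroupCreate(FW_FORW_LOC,
                        "Incoming packets from public to private network",
                        40);
    if (inGroup == NULL)
        {
        printf("inGroup: Can't create group\n");
        return ERROR;
        }

    /*
     * Set the packet direction by setting the source interface as
     * public interface and destination interface as private interface.
     */

    if (fwRuleFieldSet(inGroup, FW_FIELD_NETIF,
                       (UINT32)pPublicIfName, publicIfUnit,
                       (UINT32)pPrivateIfName, privateIfUnit) == ERROR)
        {
        printf("inGroup: Failed to set interface field\n");
        return ERROR;
        }

    /* Create a rule to check the state of the packets */

    stateRule = fwRuleCreate(inGroup);
    if (stateRule == NULL)
        {
        printf("stateRule: Can't create rule\n");
        return ERROR;
        }

    /* Check the state - do the packets belong to established connections? */

    if (fwRuleFieldSet(stateRule, FW_FIELD_STATE, FW_CONN_RESPONDER,
                       FW_CONN_STATE_ESTABLISHED) == ERROR)
        {
        printf("stateRule: Failed to set state\n");
        return ERROR;
        }

    /* Allow the packets that match the state rule */

    if (fwRuleFieldSet(stateRule, FW_FIELD_ACTION, FW_ACCEPT) == ERROR)
        {
        printf("stateRule: Failed to set action\n");
        return ERROR;
        }

    /* Create a rule to allow pings from public host A to private host X */

    pingRule = fwRuleCreate(inGroup);
    if (pingRule == NULL)
        {
        printf("pingRule: Can't create rule\n");
        return ERROR;
        }

    /*
     * Check if the packet is ping - i.e., ICMP echo.
     * The trailing 0 is presumably the ICMP code - confirm against fwLib.
     */

    if (fwRuleFieldSet(pingRule, FW_FIELD_ICMP, ICMP_ECHO, 0) == ERROR)
        {
        printf("pingRule: Failed to set ICMP field\n");
        return ERROR;
        }

    /*
     * Check if the packet source address is A and destination address is X.
     * Each address is passed twice; presumably these are the start and end
     * of an address range, which narrows the rule to the two single hosts -
     * verify against the FW_FIELD_IPADDRSTR documentation.
     */

    if (fwRuleFieldSet(pingRule, FW_FIELD_IPADDRSTR,
                       (UINT32)hostAIpAddrStr, hostAIpAddrStr,
                       (UINT32)hostXIpAddrStr, hostXIpAddrStr) == ERROR)
        {
        printf("pingRule: Failed to set IP address field\n");
        return ERROR;
        }

    /* Allow and log the packets that match the ping rule */

    if (fwRuleFieldSet(pingRule, FW_FIELD_ACTION, FW_ACCEPT | FW_LOG) == ERROR)
        {
        printf("pingRule: Failed to set action\n");
        return ERROR;
        }

    /*
     * Note that incoming packets that do not match the state rule or the
     * ping rule will be rejected because the default action of the
     * rule filter is set to REJECT.
     */

    return OK;
    }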
