veridian_kernel/net/firewall/

chain.rs

//! Firewall chain and table management
//!
//! Implements the netfilter-style chain architecture with five hook points
//! (PreRouting, Input, Forward, Output, PostRouting), three table types
//! (Filter, Nat, Mangle), and a packet processing engine that evaluates
//! rules in priority order and returns a verdict.

#![allow(dead_code)]

#[cfg(feature = "alloc")]
use alloc::string::String;
#[cfg(feature = "alloc")]
use alloc::vec::Vec;

use super::rules::{FirewallRule, PacketMetadata, RuleAction, RuleEngine};
use crate::{error::KernelError, sync::once_lock::GlobalState};

// ============================================================================
// Hook Points & Enums
// ============================================================================

/// Netfilter-style hook points in the packet processing path
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
pub enum HookPoint {
    /// Before routing decision (inbound packets)
    PreRouting,
    /// Destined for the local host
    Input,
    /// Being forwarded to another interface
    Forward,
    /// Generated by the local host
    Output,
    /// After routing decision (outbound packets)
    PostRouting,
}

/// Default policy for a chain when no rules match
#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
pub enum ChainPolicy {
    /// Allow the packet through
    #[default]
    Accept,
    /// Silently discard the packet
    Drop,
}

/// Type of firewall table
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum ChainType {
    /// Packet filtering (accept/drop/reject)
    Filter,
    /// Network address translation
    Nat,
    /// Packet header modification
    Mangle,
}

/// Result of processing a packet through the firewall
#[derive(Debug, Clone, Copy, PartialEq, Eq, Default)]
pub enum Verdict {
    /// Allow the packet
    #[default]
    Accept,
    /// Silently drop the packet
    Drop,
    /// Drop and send ICMP unreachable
    Reject,
    /// Send to userspace queue for inspection
    Queue,
}

// ============================================================================
// Chain
// ============================================================================

/// A chain of firewall rules evaluated in order
#[derive(Debug, Clone)]
pub struct Chain {
    /// Name of this chain (e.g., "INPUT", "FORWARD", "custom_chain")
    pub name: String,
    /// Hook point this chain is attached to
    pub hook_point: HookPoint,
    /// Default policy when no rules match
    pub policy: ChainPolicy,
    /// Rule IDs in evaluation order (lower index = higher priority)
    pub rule_ids: Vec<u64>,
}

impl Chain {
    /// Create a new chain with the given name and hook point
    pub fn new(name: &str, hook_point: HookPoint, policy: ChainPolicy) -> Self {
        Self {
            name: String::from(name),
            hook_point,
            policy,
            rule_ids: Vec::new(),
        }
    }

    /// Append a rule ID to this chain
    pub fn add_rule(&mut self, rule_id: u64) {
        self.rule_ids.push(rule_id);
    }

    /// Remove a rule ID from this chain
    pub fn remove_rule(&mut self, rule_id: u64) -> bool {
        if let Some(pos) = self.rule_ids.iter().position(|&id| id == rule_id) {
            self.rule_ids.remove(pos);
            true
        } else {
            false
        }
    }

    /// Insert a rule ID at the given position
    pub fn insert_rule(&mut self, index: usize, rule_id: u64) {
        let idx = index.min(self.rule_ids.len());
        self.rule_ids.insert(idx, rule_id);
    }

    /// Number of rules in this chain
    pub fn rule_count(&self) -> usize {
        self.rule_ids.len()
    }
}

// ============================================================================
// Firewall Table
// ============================================================================

/// A firewall table containing chains for a specific purpose
#[derive(Debug, Clone)]
pub struct FirewallTable {
    /// Table type
    pub table_type: ChainType,
    /// Chains belonging to this table
    pub chains: Vec<Chain>,
}

impl FirewallTable {
    /// Create a new filter table with default INPUT, FORWARD, OUTPUT chains
    pub fn new_filter() -> Self {
        Self {
            table_type: ChainType::Filter,
            chains: alloc::vec![
                Chain::new("INPUT", HookPoint::Input, ChainPolicy::Accept),
                Chain::new("FORWARD", HookPoint::Forward, ChainPolicy::Drop),
                Chain::new("OUTPUT", HookPoint::Output, ChainPolicy::Accept),
            ],
        }
    }

    /// Create a new NAT table with default PREROUTING, POSTROUTING chains
    pub fn new_nat() -> Self {
        Self {
            table_type: ChainType::Nat,
            chains: alloc::vec![
                Chain::new("PREROUTING", HookPoint::PreRouting, ChainPolicy::Accept),
                Chain::new("POSTROUTING", HookPoint::PostRouting, ChainPolicy::Accept),
                Chain::new("OUTPUT", HookPoint::Output, ChainPolicy::Accept),
            ],
        }
    }

    /// Create a new mangle table with all five hook points
    pub fn new_mangle() -> Self {
        Self {
            table_type: ChainType::Mangle,
            chains: alloc::vec![
                Chain::new("PREROUTING", HookPoint::PreRouting, ChainPolicy::Accept),
                Chain::new("INPUT", HookPoint::Input, ChainPolicy::Accept),
                Chain::new("FORWARD", HookPoint::Forward, ChainPolicy::Accept),
                Chain::new("OUTPUT", HookPoint::Output, ChainPolicy::Accept),
                Chain::new("POSTROUTING", HookPoint::PostRouting, ChainPolicy::Accept),
            ],
        }
    }

    /// Find a chain by name
    pub fn get_chain(&self, name: &str) -> Option<&Chain> {
        self.chains.iter().find(|c| c.name == name)
    }

    /// Find a mutable chain by name
    pub fn get_chain_mut(&mut self, name: &str) -> Option<&mut Chain> {
        self.chains.iter_mut().find(|c| c.name == name)
    }

    /// Get all chains for a specific hook point
    pub fn chains_for_hook(&self, hook: HookPoint) -> Vec<&Chain> {
        self.chains
            .iter()
            .filter(|c| c.hook_point == hook)
            .collect()
    }
}

// ============================================================================
// Firewall Engine
// ============================================================================

/// The main firewall engine that manages tables and processes packets
pub struct FirewallEngine {
    /// Filter table
    pub filter: FirewallTable,
    /// NAT table
    pub nat: FirewallTable,
    /// Mangle table
    pub mangle: FirewallTable,
    /// Rule engine for evaluating individual rules
    pub rule_engine: RuleEngine,
    /// Packet counter
    pub total_packets: u64,
    /// Dropped packet counter
    pub dropped_packets: u64,
}

impl FirewallEngine {
    /// Create a new firewall engine with default tables
    pub fn new() -> Self {
        Self {
            filter: FirewallTable::new_filter(),
            nat: FirewallTable::new_nat(),
            mangle: FirewallTable::new_mangle(),
            rule_engine: RuleEngine::new(),
            total_packets: 0,
            dropped_packets: 0,
        }
    }

    /// Add a rule to the rule engine and return its ID
    pub fn add_rule(&mut self, rule: FirewallRule) -> u64 {
        self.rule_engine.add_rule(rule)
    }

    /// Add a rule ID to a specific chain in the filter table
    pub fn add_to_filter_chain(&mut self, chain_name: &str, rule_id: u64) -> bool {
        if let Some(chain) = self.filter.get_chain_mut(chain_name) {
            chain.add_rule(rule_id);
            true
        } else {
            false
        }
    }

    /// Add a rule ID to a specific chain in the NAT table
    pub fn add_to_nat_chain(&mut self, chain_name: &str, rule_id: u64) -> bool {
        if let Some(chain) = self.nat.get_chain_mut(chain_name) {
            chain.add_rule(rule_id);
            true
        } else {
            false
        }
    }

    /// Set the policy for a chain in the filter table
    pub fn set_filter_policy(&mut self, chain_name: &str, policy: ChainPolicy) -> bool {
        if let Some(chain) = self.filter.get_chain_mut(chain_name) {
            chain.policy = policy;
            true
        } else {
            false
        }
    }

    /// Process a packet through chains at a specific hook point
    ///
    /// Evaluates mangle first, then filter (or nat for PreRouting/PostRouting).
    /// Returns the final verdict.
    pub fn process_packet(&mut self, hook: HookPoint, metadata: &PacketMetadata) -> Verdict {
        self.total_packets += 1;

        // Phase 1: Mangle table
        let mangle_verdict = self.evaluate_table_chains(&self.mangle, hook);
        if mangle_verdict != Verdict::Accept {
            if mangle_verdict == Verdict::Drop || mangle_verdict == Verdict::Reject {
                self.dropped_packets += 1;
            }
            return mangle_verdict;
        }

        // Phase 2: NAT table (only for PreRouting, PostRouting, Output)
        match hook {
            HookPoint::PreRouting | HookPoint::PostRouting | HookPoint::Output => {
                let nat_verdict = self.evaluate_table_chains(&self.nat, hook);
                if nat_verdict != Verdict::Accept {
                    if nat_verdict == Verdict::Drop || nat_verdict == Verdict::Reject {
                        self.dropped_packets += 1;
                    }
                    return nat_verdict;
                }
            }
            _ => {}
        }

        // Phase 3: Filter table (for Input, Forward, Output)
        match hook {
            HookPoint::Input | HookPoint::Forward | HookPoint::Output => {
                let filter_verdict = self.evaluate_filter_chains(hook, metadata);
                if filter_verdict != Verdict::Accept {
                    if filter_verdict == Verdict::Drop || filter_verdict == Verdict::Reject {
                        self.dropped_packets += 1;
                    }
                    return filter_verdict;
                }
            }
            _ => {}
        }

        Verdict::Accept
    }

    /// Evaluate all chains in a table for a given hook point (no rule matching)
    fn evaluate_table_chains(&self, table: &FirewallTable, hook: HookPoint) -> Verdict {
        for chain in table.chains_for_hook(hook) {
            if chain.rule_ids.is_empty() {
                // No rules -- apply chain default policy
                continue;
            }
            // Chain has rules but no metadata-based evaluation here.
            // Real evaluation happens in evaluate_filter_chains.
            // Apply chain policy for non-filter tables.
            match chain.policy {
                ChainPolicy::Drop => return Verdict::Drop,
                ChainPolicy::Accept => continue,
            }
        }
        Verdict::Accept
    }

    /// Evaluate filter chains with full rule matching
    fn evaluate_filter_chains(&mut self, hook: HookPoint, metadata: &PacketMetadata) -> Verdict {
        // Clone rule_ids to avoid borrow conflict
        let chains: Vec<(ChainPolicy, Vec<u64>)> = self
            .filter
            .chains_for_hook(hook)
            .iter()
            .map(|c| (c.policy, c.rule_ids.clone()))
            .collect();

        for (policy, rule_ids) in &chains {
            for &rule_id in rule_ids {
                if let Some(rule) = self.rule_engine.get_rule_mut(rule_id) {
                    if !rule.enabled {
                        continue;
                    }
                    if rule.matches_packet(metadata) {
                        rule.packets += 1;
                        rule.bytes += metadata.packet_len as u64;
                        match rule.action {
                            RuleAction::Accept => return Verdict::Accept,
                            RuleAction::Drop => return Verdict::Drop,
                            RuleAction::Reject => return Verdict::Reject,
                            RuleAction::Log => continue, // Log and continue evaluation
                            RuleAction::Return => break, // Return to calling chain
                            _ => return Verdict::Accept,
                        }
                    }
                }
            }

            // No rule matched (or Return action) -- apply chain default policy
            match policy {
                ChainPolicy::Accept => {} // continue to next chain
                ChainPolicy::Drop => return Verdict::Drop,
            }
        }

        Verdict::Accept
    }
}

impl Default for FirewallEngine {
    fn default() -> Self {
        Self::new()
    }
}

// ============================================================================
// Global State
// ============================================================================

static FIREWALL_ENGINE: GlobalState<spin::Mutex<FirewallEngine>> = GlobalState::new();

/// Initialize the firewall chain subsystem
pub fn init() -> Result<(), KernelError> {
    FIREWALL_ENGINE
        .init(spin::Mutex::new(FirewallEngine::new()))
        .map_err(|_| KernelError::InvalidAddress { addr: 0 })?;
    Ok(())
}

/// Access the global firewall engine
pub fn with_engine<R, F: FnOnce(&mut FirewallEngine) -> R>(f: F) -> Option<R> {
    FIREWALL_ENGINE.with(|lock| {
        let mut engine = lock.lock();
        f(&mut engine)
    })
}

// ============================================================================
// Tests
// ============================================================================

#[cfg(test)]
mod tests {
    use super::*;

    #[test]
    fn test_hook_point_equality() {
        assert_eq!(HookPoint::Input, HookPoint::Input);
        assert_ne!(HookPoint::Input, HookPoint::Output);
    }

    #[test]
    fn test_chain_policy_default() {
        assert_eq!(ChainPolicy::default(), ChainPolicy::Accept);
    }

    #[test]
    fn test_verdict_default() {
        assert_eq!(Verdict::default(), Verdict::Accept);
    }

    #[test]
    fn test_chain_new() {
        let chain = Chain::new("TEST", HookPoint::Input, ChainPolicy::Drop);
        assert_eq!(chain.name, "TEST");
        assert_eq!(chain.hook_point, HookPoint::Input);
        assert_eq!(chain.policy, ChainPolicy::Drop);
        assert_eq!(chain.rule_count(), 0);
    }

    #[test]
    fn test_chain_add_remove_rule() {
        let mut chain = Chain::new("INPUT", HookPoint::Input, ChainPolicy::Accept);
        chain.add_rule(1);
        chain.add_rule(2);
        chain.add_rule(3);
        assert_eq!(chain.rule_count(), 3);

        assert!(chain.remove_rule(2));
        assert_eq!(chain.rule_count(), 2);
        assert!(!chain.remove_rule(99));
    }

    #[test]
    fn test_chain_insert_rule() {
        let mut chain = Chain::new("INPUT", HookPoint::Input, ChainPolicy::Accept);
        chain.add_rule(10);
        chain.add_rule(30);
        chain.insert_rule(1, 20);
        assert_eq!(chain.rule_ids, alloc::vec![10, 20, 30]);
    }

    #[test]
    fn test_chain_insert_clamped() {
        let mut chain = Chain::new("INPUT", HookPoint::Input, ChainPolicy::Accept);
        chain.add_rule(1);
        chain.insert_rule(100, 2); // Index beyond length -> appended
        assert_eq!(chain.rule_ids, alloc::vec![1, 2]);
    }

    #[test]
    fn test_filter_table_default_chains() {
        let table = FirewallTable::new_filter();
        assert_eq!(table.table_type, ChainType::Filter);
        assert_eq!(table.chains.len(), 3);
        assert!(table.get_chain("INPUT").is_some());
        assert!(table.get_chain("FORWARD").is_some());
        assert!(table.get_chain("OUTPUT").is_some());
        assert!(table.get_chain("NONEXISTENT").is_none());
    }

    #[test]
    fn test_nat_table_default_chains() {
        let table = FirewallTable::new_nat();
        assert_eq!(table.table_type, ChainType::Nat);
        assert_eq!(table.chains.len(), 3);
        assert!(table.get_chain("PREROUTING").is_some());
        assert!(table.get_chain("POSTROUTING").is_some());
        assert!(table.get_chain("OUTPUT").is_some());
    }

    #[test]
    fn test_mangle_table_default_chains() {
        let table = FirewallTable::new_mangle();
        assert_eq!(table.table_type, ChainType::Mangle);
        assert_eq!(table.chains.len(), 5);
    }

    #[test]
    fn test_table_chains_for_hook() {
        let table = FirewallTable::new_filter();
        let input_chains = table.chains_for_hook(HookPoint::Input);
        assert_eq!(input_chains.len(), 1);
        assert_eq!(input_chains[0].name, "INPUT");

        let prerouting_chains = table.chains_for_hook(HookPoint::PreRouting);
        assert_eq!(prerouting_chains.len(), 0);
    }

    #[test]
    fn test_engine_default() {
        let engine = FirewallEngine::new();
        assert_eq!(engine.total_packets, 0);
        assert_eq!(engine.dropped_packets, 0);
        assert_eq!(engine.filter.chains.len(), 3);
        assert_eq!(engine.nat.chains.len(), 3);
        assert_eq!(engine.mangle.chains.len(), 5);
    }

    #[test]
    fn test_engine_process_accept_default() {
        let mut engine = FirewallEngine::new();
        let metadata = PacketMetadata::default();
        let verdict = engine.process_packet(HookPoint::Input, &metadata);
        assert_eq!(verdict, Verdict::Accept);
        assert_eq!(engine.total_packets, 1);
        assert_eq!(engine.dropped_packets, 0);
    }
}