authorTed Trask <ttrask01@yahoo.com>2012-04-06 17:17:03 +0000
committerTed Trask <ttrask01@yahoo.com>2012-04-06 17:17:03 +0000
commitce765fba9cf9fd1c4b1981ab137df35c4b662b04 (patch)
tree3e0397c542ab4d779aa10d668afa7bd5ce309827
parent5dd7ad9734e776e4466d28109cdcc4e74f661a07 (diff)
Fixed ! handling for several rule options, fixed reading of icmptype, fixed comments broken by escapes
Thanks to Der Tiger <der.tiger.alpine@arcor.de> for reporting
-rw-r--r--iptables-model.lua45
1 files changed, 25 insertions, 20 deletions
diff --git a/iptables-model.lua b/iptables-model.lua
index 5a1310a..d1443d3 100644
--- a/iptables-model.lua
+++ b/iptables-model.lua
@@ -121,6 +121,7 @@ end
local function generate_rule_specification(rule)
local spec = {}
+ -- notfirst parameter indicates that the "not" (!) must come before the option name
function addparameter(value, option, notfirst)
if value ~= "" then
if string.find(value, "^!") then
@@ -132,7 +133,7 @@ local function generate_rule_specification(rule)
end
end
spec[#spec + 1] = option
- spec[#spec + 1] = value
+ spec[#spec + 1] = format.escapespecialcharacters(value)
end
end
function addmodule(values, mod)
@@ -144,13 +145,13 @@ local function generate_rule_specification(rule)
end
end
- addparameter(rule.value.protocol.value, "-p")
- addparameter(rule.value.source.value, "-s")
- addparameter(rule.value.destination.value, "-d")
+ addparameter(rule.value.protocol.value, "-p", true)
+ addparameter(rule.value.source.value, "-s", true)
+ addparameter(rule.value.destination.value, "-d", true)
addparameter(rule.value.jump.value, "-j")
addparameter(rule.value.goto.value, "-g")
- addparameter(rule.value.in_interface.value, "-i")
- addparameter(rule.value.out_interface.value, "-o")
+ addparameter(rule.value.in_interface.value, "-i", true)
+ addparameter(rule.value.out_interface.value, "-o", true)
if rule.value.fragment.value == "!" then
spec[#spec + 1] = "! -f"
elseif rule.value.fragment.value ~= "" then
@@ -162,27 +163,28 @@ local function generate_rule_specification(rule)
addparameter(rule.value.addrtype_dst_type.value, "--dst-type")
addmodule({rule.value.comment.value}, "comment")
if rule.value.comment.value ~= "" then
- addparameter('"' .. rule.value.comment.value .. '"', "--comment")
+ spec[#spec + 1] = "--comment"
+ spec[#spec + 1] = '"' .. rule.value.comment.value .. '"'
end
addmodule({rule.value.icmp_type.value}, "icmp")
- addparameter(rule.value.icmp_type.value, "--icmp-type", false)
+ addparameter(rule.value.icmp_type.value, "--icmp-type", true)
addmodule({rule.value.src_range.value, rule.value.dst_range.value}, "iprange")
addparameter(rule.value.src_range.value, "--src-range", true)
addparameter(rule.value.dst_range.value, "--dst-range", true)
addmodule({rule.value.mac_source.value}, "mac")
- addparameter(rule.value.mac_source.value, "--mac-source", false)
+ addparameter(rule.value.mac_source.value, "--mac-source", true)
addmodule({rule.value.sports.value, rule.value.dports.value, rule.value.ports.value}, "multiport")
- addparameter(rule.value.sports.value, "--sports", false)
- addparameter(rule.value.dports.value, "--dports", false)
- addparameter(rule.value.ports.value, "--ports", false)
+ addparameter(rule.value.sports.value, "--sports", true)
+ addparameter(rule.value.dports.value, "--dports", true)
+ addparameter(rule.value.ports.value, "--ports", true)
addmodule({rule.value.state.value}, "state")
addparameter(rule.value.state.value, "--state")
addmodule({rule.value.tcp_sport.value, rule.value.tcp_dport.value}, "tcp")
- addparameter(rule.value.tcp_sport.value, "--sport", false)
- addparameter(rule.value.tcp_dport.value, "--dport", false)
+ addparameter(rule.value.tcp_sport.value, "--sport", true)
+ addparameter(rule.value.tcp_dport.value, "--dport", true)
addmodule({rule.value.udp_sport.value, rule.value.udp_dport.value}, "udp")
- addparameter(rule.value.udp_sport.value, "--sport", false)
- addparameter(rule.value.udp_dport.value, "--dport", false)
+ addparameter(rule.value.udp_sport.value, "--sport", true)
+ addparameter(rule.value.udp_dport.value, "--dport", true)
return table.concat(spec, " ")
end
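Review bot: The `--comment` value at lines 60-61 is the one field that now reaches the shell unescaped: this commit moves `format.escapespecialcharacters` into `addparameter` and drops the whole-spec escape in create_rule/update_rule, but the comment bypasses `addparameter` and is only wrapped in double quotes, so a comment containing `"`, `$(...)` or backticks is interpreted by the shell when the command goes through `io.popen`. If the goal was to keep the quotes intact for iptables, wrap the comment in single quotes and escape embedded single quotes instead: `spec[#spec + 1] = "'" .. (string.gsub(rule.value.comment.value, "'", "'\\''")) .. "'"`. This assumes `format.escapespecialcharacters` is a shell escape rather than an iptables-level one; if it is a shell escape, applying it to the comment text before adding the quotes would also close the hole. generate_rule_specification starts before this hunk.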
@@ -352,7 +354,7 @@ function read_rule(tab, chain, pos)
retval.addrtype_src_type = cfe({ type="select", label="Source Address Type", option={"", "UNSPEC", "UNICAST", "LOCAL", "BROADCAST", "ANYCAST", "MULTICAST", "BLACKHOLE", "UNREACHABLE", "PROHIBIT"} })
retval.addrtype_dst_type = cfe({ type="select", label="Destination Address Type", option={"", "UNSPEC", "UNICAST", "LOCAL", "BROADCAST", "ANYCAST", "MULTICAST", "BLACKHOLE", "UNREACHABLE", "PROHIBIT"} })
retval.comment = cfe({ label="Comment" })
- retval.icmp_type = cfe({ label="ICMP Type", descr="Type by name or number" })
+ retval.icmp_type = cfe({ label="ICMP Type", descr="Type by name or number. A '!' before the type inverts the test." })
retval.src_range = cfe({ label="Source IP Range", descr="'ip-ip' to match source IP. A '!' before the range inverts the test." })
retval.dst_range = cfe({ label="Destination IP Range", descr="'ip-ip' to match destination IP. A '!' before the range inverts the test." })
retval.mac_source = cfe({ label="Source MAC address", descr="'XX:XX:XX:XX:XX:XX' to match the ethernet source MAC. A '!' before the address inverts the test." })
@@ -412,8 +414,11 @@ function read_rule(tab, chain, pos)
elseif words[i] == "dst-type" then
retval.addrtype_dst_type.value = words[i+1]
i = i+1
+ elseif words[i] == "icmptype" then
+ retval.icmp_type.value = words[i+1]
+ i = i+1
elseif words[i] == "icmp" then
- retval.icmp_type.value = words[i+2]
+ retval.icmp_type.value = "!" .. words[i+2]
i = i+2
elseif words[i] == "source" and words[i+1] == "IP" and words[i+2] == "range" then
if words[i+3] == "!" then
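Review bot: The new `icmp` branch at line 111 prefixes `!` unconditionally and skips two words, but nothing checks that the skipped word is actually `!type`; the plain form is handled by the `icmptype` branch above, so this branch presumably exists for the inverted `icmp !type N` output, yet any other token following `icmp` would silently be read as an inverted type. Making the assumption explicit costs one line: `elseif words[i] == "icmp" and words[i+1] == "!type" then`. read_rule starts outside this hunk.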
@@ -494,7 +499,7 @@ function create_rule(rule)
else
cmd = cmd .. " -A " .. format.escapespecialcharacters(rule.value.chain.value)
end
- cmd = cmd .. " " .. format.escapespecialcharacters(spec) .. " 2>&1"
+ cmd = cmd .. " " .. spec .. " 2>&1"
local f = io.popen(cmd)
rule.errtxt = f:read("*a")
f:close()
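Review bot: Line 120 now hands `spec` to the shell without the whole-string escape the old line applied, so this call is safe only as long as every field in `spec` was escaped when it was built, and that invariant is not stated anywhere in create_rule. A comment above the line would keep a later maintainer from "restoring" the escape, e.g. `-- spec is escaped field by field in generate_rule_specification; escaping it again here would mangle the quoted --comment`. The same note applies to the matching line in update_rule. create_rule starts outside this hunk.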
@@ -517,7 +522,7 @@ function update_rule(rule)
if success then
local spec = generate_rule_specification(rule)
- local cmd = path .. "iptables -t " .. format.escapespecialcharacters(rule.value.table.value) .. " -R " .. format.escapespecialcharacters(rule.value.chain.value) .. " " .. format.escapespecialcharacters(rule.value.position.value) .. " " .. format.escapespecialcharacters(spec) .. " 2>&1"
+ local cmd = path .. "iptables -t " .. format.escapespecialcharacters(rule.value.table.value) .. " -R " .. format.escapespecialcharacters(rule.value.chain.value) .. " " .. format.escapespecialcharacters(rule.value.position.value) .. " " .. spec .. " 2>&1"
local f = io.popen(cmd)
rule.errtxt = f:read("*a")
f:close()