authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2012-02-23 06:58:45 +0000
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2012-02-23 06:58:45 +0000
commite97510c3f58017ad28380ca5686a0f44fb6b6c01 (patch)
tree7e61be1a4a7211258c314eef587f77202a7b40b2
parent8cc299ff8a604f5a370e41d20ab1b504a9dc53d0 (diff)
downloadawall-e97510c3f58017ad28380ca5686a0f44fb6b6c01.tar.bz2
awall-e97510c3f58017ad28380ca5686a0f44fb6b6c01.tar.xz
output verification using ip[6]tables-restore
output saved as rules[6]-save; corrected a couple of syntax errors in output; disabled the default rule in nat module
-rw-r--r--awall/init.lua2
-rw-r--r--awall/iptables.lua49
-rw-r--r--awall/model.lua4
-rw-r--r--awall/modules/nat.lua7
4 files changed, 40 insertions, 22 deletions
diff --git a/awall/init.lua b/awall/init.lua
index 6e5f22f..4635ff8 100644
--- a/awall/init.lua
+++ b/awall/init.lua
@@ -84,6 +84,6 @@ function translate()
end
end
- awall.iptables.dump()
+ awall.iptables.dump(testmode and 'output' or '/etc/iptables')
end
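Review bot: `awall.iptables.dump(testmode and 'output' or '/etc/iptables')` routes output to the live rules directory whenever `testmode` is falsy, and since `testmode` is not declared in this hunk, that includes the case where the name is unset or mistyped and evaluates to nil; a silent fall-through to /etc/iptables is the wrong default for a flag whose absence is presumably an error. If `testmode` is a global set by the command-line front end (inferred, not visible here), guarding it once, e.g. `assert(testmode ~= nil, 'testmode not set')` before the call, makes the production path an explicit decision rather than the default. translate() starts outside the hunk.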
diff --git a/awall/iptables.lua b/awall/iptables.lua
index bade70c..d4de949 100644
--- a/awall/iptables.lua
+++ b/awall/iptables.lua
@@ -7,7 +7,16 @@ Licensed under the terms of GPL2
module(..., package.seeall)
-local iptfiles = {ip4='iptables', ip6='ip6tables'}
+require 'lpc'
+
+require 'awall.util'
+contains = awall.util.contains
+
+local families = {ip4={cmd='iptables-restore', file='rules-save'},
+ ip6={cmd='ip6tables-restore', file='rules6-save'}}
+
+local builtin = {'INPUT', 'FORWARD', 'OUTPUT',
+ 'PREROUTING', 'POSTROUTING'}
config = {}
setmetatable(config,
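Review bot: `contains = awall.util.contains` near the top of the hunk has no `local`, and under `module(..., package.seeall)` a bare assignment becomes a field of the awall.iptables module table, so `contains` is exported as part of the module's public surface rather than kept as the private alias it is meant to be. `local contains = awall.util.contains` keeps it module-private and consistent with `families` and `builtin` just below it. The `setmetatable(config,` statement at the end of the hunk continues outside it.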
@@ -17,22 +26,30 @@ setmetatable(config,
return t[k]
end})
-function dump()
- for family, tbls in pairs(config) do
- local iptfile = io.output('output/'..iptfiles[family])
- iptfile:write('# '..iptfiles[family]..' generated by awall\n')
- for tbl, chains in pairs(tbls) do
- iptfile:write('*'..tbl..'\n')
- for chain, rules in pairs(chains) do
- iptfile:write(':'..chain..' '..(chain == string.upper(chain) and
- 'DROP' or '-')..' [0:0]\n')
- end
- for chain, rules in pairs(chains) do
- for i, rule in ipairs(rules) do
- iptfile:write('-A '..chain..' '..rule..'\n')
- end
+local function dumpfile(family, iptfile)
+ iptfile:write('# '..families[family].file..' generated by awall\n')
+ for tbl, chains in pairs(config[family]) do
+ iptfile:write('*'..tbl..'\n')
+ for chain, rules in pairs(chains) do
+ iptfile:write(':'..chain..' '..(contains(builtin, chain) and
+ 'DROP' or '-')..' [0:0]\n')
+ end
+ for chain, rules in pairs(chains) do
+ for i, rule in ipairs(rules) do
+ iptfile:write('-A '..chain..' '..rule..'\n')
end
- iptfile:write('COMMIT\n')
end
+ iptfile:write('COMMIT\n')
+ end
+end
+
+function dump(dir)
+ for family, tbls in pairs(config) do
+ local pid, stdin = lpc.run(families[family].cmd, '-t')
+ dumpfile(family, stdin)
+ stdin:close()
+ assert(lpc.wait(pid) == 0)
+
+ dumpfile(family, io.output(dir..'/'..families[family].file))
end
end
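Review bot: `assert(lpc.wait(pid) == 0)` in dump() fails with no message naming the family or command that rejected the ruleset, and because verification and writing are interleaved per family, an ip6 ruleset rejected by `ip6tables-restore -t` is only detected after the ip4 `rules-save` in `dir` has already been overwritten, leaving the directory half-updated. Verifying every family first and writing only after all pass keeps the on-disk rules consistent, and an assert message such as `families[family].cmd..' rejected generated '..family..' rules'` tells the operator where to look. `dumpfile(family, io.output(...))` also makes the rules file the process default output and never closes it, so the contents are flushed only at GC or exit; `io.open` with an explicit `close` is easier to reason about. The `-t` flag parses without committing, so the check itself does not touch the live ruleset, though it presumably still needs the privileges to talk to netfilter — worth a comment if testmode is expected to run unprivileged.
```lua
function dump(dir)
  -- Verify every family before writing anything, so a ruleset rejected
  -- for one family cannot leave dir half-updated.
  for family, tbls in pairs(config) do
    local pid, stdin = lpc.run(families[family].cmd, '-t')
    dumpfile(family, stdin)
    stdin:close()
    assert(lpc.wait(pid) == 0,
           families[family].cmd..' rejected generated '..family..' rules')
  end
  for family, tbls in pairs(config) do
    local out = assert(io.open(dir..'/'..families[family].file, 'w'))
    dumpfile(family, out)
    out:close()
  end
end
```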
diff --git a/awall/model.lua b/awall/model.lua
index 6e5fb3b..8a8e801 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -277,8 +277,8 @@ function Rule:trules()
local res = self:zoneoptfrags()
- if self.ipsec == 'true' then
- res = combinations(res, {{opts='-m policy --pol ipsec'}})
+ if self.ipsec then
+ res = combinations(res, {{opts='-m policy --pol ipsec --dir '..self.ipsec}})
end
res = combinations(res, self:servoptfrags())
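Review bot: `'-m policy --pol ipsec --dir '..self.ipsec` concatenates the configured value straight into the iptables option without checking it; `--dir` accepts only `in` or `out`, so a config still using the old `"ipsec": "true"` form now passes the guard and yields `--dir true`, caught only later by the restore verification, while a boolean `true` fails here with an "attempt to concatenate" error instead of a configuration message. Validating at the model level, `assert(self.ipsec == 'in' or self.ipsec == 'out', 'ipsec must be "in" or "out"')` before the combinations call, reports the mistake where it was made. Rule:trules continues outside the hunk.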
diff --git a/awall/modules/nat.lua b/awall/modules/nat.lua
index 4fae505..4327f4c 100644
--- a/awall/modules/nat.lua
+++ b/awall/modules/nat.lua
@@ -76,7 +76,8 @@ end
classmap = {dnat=DNATRule, snat=SNATRule}
--- TODO configuration of _nat ipset via config.json
+defrules = {}
-defrules = {{family='ip4', table='nat', chain='POSTROUTING',
- opts='-m set --match-set _nat src ! --match-set _nat dst -j MASQUERADE'}}
+-- TODO configuration of _nat ipset via config.json
+--defrules = {{family='ip4', table='nat', chain='POSTROUTING',
+-- opts='-m set --match-set _nat src ! --match-set _nat dst -j MASQUERADE'}}