author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2013-02-19 08:15:01 +0000 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2013-02-19 08:15:01 +0000 |
commit | 06774cfa4f1d00e4de2ba539ff4ef2cd38e83ea7 (patch) | |
tree | e67fbcae22674b1614aa847da622d019735cffd8 | |
parent | 045ca4a948940c3257efd3997d3aa0ff6acc8b8a (diff) | |
download | awall-06774cfa4f1d00e4de2ba539ff4ef2cd38e83ea7.tar.bz2 awall-06774cfa4f1d00e4de2ba539ff4ef2cd38e83ea7.tar.xz |
use the same mark for all transparent proxy rules
-rw-r--r-- | awall/modules/mark.lua | 80 | ||||
-rw-r--r-- | awall/modules/tproxy.lua | 76 | ||||
-rw-r--r-- | json/defaults.json (renamed from json/default-log.json) | 1 |
3 files changed, 87 insertions, 70 deletions
diff --git a/awall/modules/mark.lua b/awall/modules/mark.lua
index 4d681b3..edfaa19 100644
--- a/awall/modules/mark.lua
+++ b/awall/modules/mark.lua
@@ -11,11 +11,7 @@ local model = require('awall.model')
 local class = model.class
 
 local combinations = require('awall.optfrag').combinations
-
 local util = require('awall.util')
-local contains = util.contains
-local list = util.list
-local listpairs = util.listpairs
 
 
 local MarkRule = class(model.Rule)
@@ -47,81 +43,25 @@ function RouteTrackRule:extraoptfrags()
 end
 
 
-local TProxyRule = class(MarkRule)
-
-function TProxyRule:init(...)
-   MarkRule.init(self, unpack(arg))
-   if not self['in'] then self:error('Ingress zone must be specified') end
-   if contains(list(self['in']), model.fwzone) then
-      self:error('Transparent proxy cannot be used for firewall zone')
-   end
-   if self.out then self:error('Egress zone cannot be specified') end
-end
-
-function TProxyRule:target() return self:newchain('tproxy') end
-
-function TProxyRule:extraoptfrags()
-   local res = {
-      {
-         chain='PREROUTING',
-         opts='-m socket -m mark --mark '..self.mark,
-         target='ACCEPT',
-         position='prepend'
-      },
-      {chain=self:target(), target='CONNMARK --set-mark '..self.mark},
-   }
-
-   local popts = {}
-   for i, serv in listpairs(self.service) do
-      for i, sdef in listpairs(serv) do
-         if not contains({6, 'tcp', 17, 'udp'}, sdef.proto) then
-            self:error('Transparent proxy not available for protocol '..sdef.proto)
-         end
-         popts[sdef.proto] = {opts='-p '..sdef.proto}
-      end
-   end
-
-   local port = self['to-port'] or 0
-   util.extend(
-      res,
-      combinations(
-         util.values(popts),
+local function restoremark(config)
+   if util.list(config['route-track'])[1] then
+      return combinations(
+         {{family='inet'}, {family='inet6'}},
+         {{chain='OUTPUT'}, {chain='PREROUTING'}},
          {
             {
-               chain=self:target(),
-               target='TPROXY --tproxy-mark '..self.mark..' --on-port '..port
+               table='mangle',
+               opts='-m connmark ! --mark 0',
+               target='CONNMARK --restore-mark'
             }
          }
       )
-   )
-
-   return res
+   end
 end
 
 
-local function restoremark(config)
-   local chopts = {}
-   if list(config['route-track'])[1] then
-      chopts = {{chain='OUTPUT'}, {chain='PREROUTING'}}
-   elseif list(config['tproxy'])[1] then chopts = {{chain='PREROUTING'}} end
-
-   return combinations(
-      {{family='inet'}, {family='inet6'}},
-      chopts,
-      {
-         {
-            table='mangle',
-            opts='-m connmark ! --mark 0',
-            target='CONNMARK --restore-mark',
-            position='prepend'
-         }
-      }
-   )
-end
-
 export = {
    mark={class=MarkRule},
    ['route-track']={class=RouteTrackRule, before='mark'},
-   tproxy={class=TProxyRule, before='route-track'},
-   ['%mark-restore']={rules=restoremark, after='tproxy'}
+   ['%mark-restore']={rules=restoremark, before='route-track'}
 }
diff --git a/awall/modules/tproxy.lua b/awall/modules/tproxy.lua
new file mode 100644
index 0000000..65add4a
--- /dev/null
+++ b/awall/modules/tproxy.lua
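Review bot: The rewritten `restoremark` returns nothing at all when no `route-track` rule exists, whereas the removed version always returned the table built by `combinations` (empty when `chopts` was empty), so the consumer of `rules=` behind `%mark-restore` must now accept `nil` — that caller is not visible here, so either confirm it tolerates `nil` or keep the old contract with a trailing `return {}`. The `position='prepend'` field on the `CONNMARK --restore-mark` fragment was dropped as well, which means its placement in mangle OUTPUT/PREROUTING now rests entirely on the `before='route-track'` entry in `export`; a comment above the function would save the next reader from re-deriving that, e.g. `-- Ordering relative to route-track/mark rules is fixed by the export table, not by position=`. The `RouteTrackRule:extraoptfrags` whose `end` opens the hunk begins outside it.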
@@ -0,0 +1,76 @@
+--[[
+Transparent proxy module for Alpine Wall
+Copyright (C) 2012-2013 Kaarle Ritvanen
+See LICENSE file for license details
+]]--
+
+
+module(..., package.seeall)
+
+local model = require('awall.model')
+local Rule = model.Rule
+
+local combinations = require('awall.optfrag').combinations
+
+local util = require('awall.util')
+local contains = util.contains
+local list = util.list
+local listpairs = util.listpairs
+
+
+local TProxyRule = model.class(Rule)
+
+function TProxyRule:init(...)
+   Rule.init(self, unpack(arg))
+
+   if not self['in'] then self:error('Ingress zone must be specified') end
+   if contains(list(self['in']), model.fwzone) then
+      self:error('Transparent proxy cannot be used for firewall zone')
+   end
+   if self.out then self:error('Egress zone cannot be specified') end
+
+   if not self.service then self:error('Service must be defined') end
+   for i, serv in listpairs(self.service) do
+      for i, sdef in listpairs(serv) do
+         if not contains({6, 'tcp', 17, 'udp'}, sdef.proto) then
+            self:error('Transparent proxy not available for protocol '..sdef.proto)
+         end
+      end
+   end
+end
+
+function TProxyRule:table() return 'mangle' end
+
+function TProxyRule:target()
+   local mark = self.root.variable['awall_tproxy_mark']
+   local port = self['to-port'] or 0
+   return 'TPROXY --tproxy-mark '..mark..' --on-port '..port
+end
+
+
+local function divert(config)
+   if list(config.tproxy)[1] then
+      local ofrags = combinations(
+         {{chain='divert'}},
+         {
+            {target='MARK --set-mark '..config.variable['awall_tproxy_mark']},
+            {target='ACCEPT'}
+         }
+      )
+      table.insert(
+         ofrags,
+         {chain='PREROUTING', opts='-m socket', target='divert'}
+      )
+      return combinations(
+         {{family='inet'}, {family='inet6'}},
+         {{table='mangle'}},
+         ofrags
+      )
+   end
+end
+
+
+export = {
+   tproxy={class=TProxyRule, before='%mark-restore'},
+   ['%tproxy-divert']={rules=divert, before='tproxy'}
+}
diff --git a/json/default-log.json b/json/defaults.json
index da387e0..b0e1082 100644
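Review bot: `TProxyRule:target()` and `divert()` interpolate `variable['awall_tproxy_mark']` straight into the rule text with no validation, so a configuration that overrides or unsets the variable fails with a Lua "attempt to concatenate a nil value" or emits a malformed `--tproxy-mark`, instead of the `self:error` diagnostics the rest of `init` produces. I would check it once in `TProxyRule:init`, e.g. `if not tonumber(self.root.variable['awall_tproxy_mark']) then self:error('Invalid awall_tproxy_mark') end`, and give `to-port` the same treatment, since `self['to-port'] or 0` accepts any value for `--on-port`. A comment on the `-m socket` rule would also help: it matches packets for any existing local socket, not only transparent ones, so all of them take the divert mark — this is the usual TPROXY recipe, but `-m socket --transparent` narrows it where the iptables and kernel in use support that option.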
--- a/json/default-log.json
+++ b/json/defaults.json
@@ -1,4 +1,5 @@
 {
     "before": "%defaults",
+    "variable": { "awall_tproxy_mark": 1 },
     "log": { "_default": { "limit": 1 } }
 }
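Review bot: The new default `awall_tproxy_mark: 1` occupies the same fwmark space as the marks users assign through `mark` and `route-track` rules, and a collision would presumably send that unrelated marked traffic through whatever `ip rule fwmark` lookup is configured for TPROXY outside awall. JSON cannot carry a comment, so this constraint — and the fact that the variable is meant to be overridable — belongs in the tproxy module's header comment or the user documentation, e.g. `-- awall_tproxy_mark (default 1 in json/defaults.json) must not collide with marks used by mark/route-track rules`.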