authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2014-04-02 23:46:21 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2014-04-02 23:46:21 +0300
commitd59b05d52fc4884ac0b0c572eee4d874812b2c4c (patch)
tree636dd2bfa5101c65271d486635b8c31a3d96bb88
parent96170d14402d106064c05a8ae6a46ac09ddbc6b6 (diff)
downloadawall-d59b05d52fc4884ac0b0c572eee4d874812b2c4c.tar.bz2
awall-d59b05d52fc4884ac0b0c572eee4d874812b2c4c.tar.xz
apply prior drop/reject rules to accept rules with flow-limit
-rw-r--r--awall/init.lua16
-rw-r--r--awall/model.lua8
-rw-r--r--awall/modules/filter.lua26
-rw-r--r--awall/optfrag.lua5
4 files changed, 37 insertions, 18 deletions
diff --git a/awall/init.lua b/awall/init.lua
index 42b25e6..4845b61 100644
--- a/awall/init.lua
+++ b/awall/init.lua
@@ -82,12 +82,16 @@ function M.Config:init(policyconfig)
local function insertrules(trules)
for i, trule in ipairs(trules) do
local t = self.iptables.config[trule.family][trule.table][trule.chain]
- local opts = (trule.opts and trule.opts..' ' or '')..'-j '..trule.target
-
- local acfrag = {family=trule.family,
- table=trule.table,
- chain=trule.target}
- acfrags[optfrag.location(acfrag)] = acfrag
+ local opts = optfrag.command(trule)
+
+ if trule.target then
+ local acfrag = {
+ family=trule.family,
+ table=trule.table,
+ chain=trule.target
+ }
+ acfrags[optfrag.location(acfrag)] = acfrag
+ end
if trule.position == 'prepend' then
table.insert(t, 1, opts)
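Review bot: When a rule carries neither `opts` nor `target`, `optfrag.command(trule)` on the `local opts = optfrag.command(trule)` line yields an empty string, and the code below inserts that blank rule into the chain instead of rejecting it; a guard such as `if opts == '' then error('rule with neither options nor target: '..optfrag.location(trule)) end` would make that misconfiguration fail at policy load time rather than presumably surfacing later in iptables-restore. The new `if trule.target then` block also silently skips the `acfrags` registration, which deserves a one-line comment, e.g. `-- target-less rules (such as -m recent --set) only record a match and need no accept-chain fragment`. insertrules' body continues past the hunk, and the enclosing M.Config:init starts before it.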
diff --git a/awall/model.lua b/awall/model.lua
index 77993e8..80349fc 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -61,13 +61,7 @@ function M.ConfigObject:trules() return {} end
function M.ConfigObject:info()
local res = {}
for i, trule in ipairs(self:trules()) do
- table.insert(
- res,
- {
- ' '..optfrag.location(trule),
- (trule.opts and trule.opts..' ' or '')..'-j '..trule.target
- }
- )
+ table.insert(res, {' '..optfrag.location(trule), optfrag.command(trule)})
end
return res
end
diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua
index c6311f3..25180aa 100644
--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -43,7 +43,9 @@ local LoggingRule = class(TranslatingRule)
function LoggingRule:init(...)
LoggingRule.super(self):init(...)
if not self.action then self.action = 'accept' end
- self.log = loadclass('log').get(self, self.log, self.action ~= 'accept')
+ if type(self.log) ~= 'table' then
+ self.log = loadclass('log').get(self, self.log, self.action ~= 'accept')
+ end
end
function LoggingRule:actiontarget() return 'ACCEPT' end
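Review bot: The new `type(self.log) ~= 'table'` guard is meant to pass through an already-resolved log object (the one handed in via `{log=self.log}` from Filter:trules in the `@@ -165` hunk), but it cannot tell such an object apart from any other table, so a table that is not a log object is kept as-is and only fails later at `self.log:optfrag()`. If loadclass('log').get does not itself accept resolved objects, checking for the method is more robust: `if type(self.log) ~= 'table' or not self.log.optfrag then`. Either way a comment such as `-- log is already a resolved log object when this rule was created via extrarules` would explain why the guard exists.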
@@ -165,6 +167,10 @@ function Filter:trules()
extend(res, Filter.super(self):trules())
if self.action == 'accept' then
+ if self:position() == 'prepend' then
+ extrarules(LoggingRule, {log=self.log})
+ end
+
local nr = #res
if self.related then
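Review bot: The new `extrarules(LoggingRule, {log=self.log})` call for prepended accept rules has no comment saying why an extra plain accept rule is emitted; judging from the `@@ -238` hunk, the limit chain of a prepended rule now only RETURNs, so this appended rule presumably supplies the final ACCEPT once the earlier drop/reject rules have had their turn. A comment such as `-- prepended rules only RETURN from their limit chain; the real ACCEPT is appended so prior drop/reject rules still apply` would record that intent next to the call. Filter:trules starts before the hunk and continues after it, and `extrarules` is defined outside the visible lines.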
@@ -238,9 +244,15 @@ function Filter:extraoptfrags()
interval = 1
end
- local ofrags, logch, limitofs
+ local ofrags = {}
+ local logch, limitofs
+ local accept = self:position() == 'append'
+
if count > RECENT_MAX_COUNT then
- ofrags, logch = self:logchain(self.log, 'accept', 'ACCEPT')
+ if accept then
+ ofrags, logch = self:logchain(self.log, 'accept', 'ACCEPT')
+ else logch = 'RETURN' end
+
limitofs = {
{
opts='-m hashlimit --hashlimit-upto '..count..'/second --hashlimit-burst '..count..' --hashlimit-mode srcip --hashlimit-name '..limitchain,
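Review bot: The `else logch = 'RETURN' end` line folds the alternative branch onto a single line right after a multi-line `if accept then` body, which reads like a stray statement; writing it as a regular three-line else branch would match the surrounding code. The new `accept` flag also merits a comment, because its name suggests the rule's action while it actually records the rule's position: `local accept = self:position() == 'append' -- appended rules may ACCEPT inside the limit chain; prepended ones RETURN so later drop/reject rules still apply`. The same flag decides the `--set` target and the log insertion in the `@@ -258` hunk, where the reason for skipping `self.log` (the appended LoggingRule carries it, if I read Filter:trules right) is equally undocumented. Filter:extraoptfrags starts before this hunk and continues after it.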
@@ -249,8 +261,10 @@ function Filter:extraoptfrags()
{target='DROP'}
}
if limitlog then table.insert(limitofs, 2, limitlog:optfrag()) end
+
else
ofrags, logch = self:logchain(limitlog, 'drop', 'DROP')
+
limitofs = combinations(
{{opts='-m recent --name '..limitchain}},
{
@@ -258,10 +272,12 @@ function Filter:extraoptfrags()
opts='--update --hitcount '..count..' --seconds '..interval,
target=logch
},
- {opts='--set', target='ACCEPT'}
+ {opts='--set', target=accept and 'ACCEPT' or nil}
}
)
- if self.log then table.insert(limitofs, 2, self.log:optfrag()) end
+ if accept and self.log then
+ table.insert(limitofs, 2, self.log:optfrag())
+ end
end
extend(ofrags, combinations({{chain=limitchain}}, limitofs))
diff --git a/awall/optfrag.lua b/awall/optfrag.lua
index 80c7acc..72bbdbc 100644
--- a/awall/optfrag.lua
+++ b/awall/optfrag.lua
@@ -53,4 +53,9 @@ end
function M.location(of) return of.family..'/'..of.table..'/'..of.chain end
+function M.command(of)
+ return (of.opts and of.opts..' ' or '')..
+ (of.target and '-j '..of.target or '')
+end
+
return M
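Review bot: `M.command` leaves a trailing space when `of.opts` is set but `of.target` is nil, because the opts half unconditionally appends `' '` and nothing follows it; with the new target-less `--set` fragment from filter.lua this produces rule text like `-m recent --name NAME --set ` (constructed example) in both the iptables output and `info()`. Joining only the parts that are present avoids the stray space and treats the neither-set case uniformly with an empty result. The function also lacks a doc comment; the rewrite below carries one.
```lua
--- Render an optfrag as the body of an iptables rule: its match options
-- followed by the jump to its target; either part may be absent.
-- @tparam table of fragment with optional `opts` and `target` fields
-- @treturn string the rule text, '' when neither field is set
function M.command(of)
   local parts = {}
   if of.opts then parts[#parts + 1] = of.opts end
   if of.target then parts[#parts + 1] = '-j '..of.target end
   return table.concat(parts, ' ')
end
```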