author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2017-01-08 22:17:19 +0200 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2017-01-24 01:52:49 +0200 |
commit | 0a9a8db212d5d45b136c103fd6b8db6d16dad895 (patch) | |
tree | 1bf844fe28b170c8ff6c4ad69e178fbb12823d31 | |
parent | aaececd5db5356acffc23283ffc9c3483d677476 (diff) | |
Limit: split mask attribute
-rw-r--r-- | README.md | 23 | ||||
-rw-r--r-- | awall/model.lua | 52 | ||||
-rw-r--r-- | awall/modules/log.lua | 4 |
3 files changed, 49 insertions, 30 deletions
@@ -209,18 +209,17 @@ default value is 1. The maximum rate defined by a limit may be absolute or specific to blocks of IP addresses or pairs thereof. The number of most significant bits taken into account when mapping the source and -destination IP addresses to blocks can be specified with the **mask** -attribute. The **mask** attribute is an object with two attributes -defining the prefix lengths, named **src** and -**dest**. Alternatively, the **mask** object may have object -attributes named **inet** and **inet6** which contain address -family–specific prefix length pairs. If **mask** is defined as -an integer, it is interpreted as the source address prefix length. - -The default value for **mask** depends on the type of the enclosing -object. For [filters](#filter), the default behavior is to apply the -limit for each source address separately. For [logging classes](#log), -the limit is considered absolute by default. +destination IP addresses to blocks can be specified with the +**src-mask** and **dest-mask** attributes, respectively. If set to +**true** (boolean), all bits are considered. The value of **false** +causes the respective address to be ignored. Address +family–specific prefix lengths can be set by defining the mask +as an object with attributes named **inet** and **inet6**. + +The default behavior with respect to the masks depends on the type of +the enclosing object. For [filters](#filter), the default behavior is +to apply the limit for each source address separately. For [logging +classes](#log), the limit is considered absolute by default. ### <a name="log"></a>Logging Classes diff --git a/awall/model.lua b/awall/model.lua index d9a8fa2..79460d8 100644 --- a/awall/model.lua +++ b/awall/model.lua 
@@ -690,28 +690,48 @@ function M.Limit:init(...) setdefault(self, 'interval', 1) - if type(setdefault(self, 'mask', {})) == 'number' then - self.mask = {src=self.mask} + -- alpine v3.5 compatibility + if self.mask then + self:warning( + "'mask' attribute is deprecated, please use 'src-mask' and 'dest-mask'" + ) + self['src-mask'] = {} + self['dest-mask'] = {} + if type(self.mask) == 'number' then self.mask = {src=self.mask} end + for _, family in ipairs{'inet', 'inet6'} do + setdefault(self.mask, family, util.copy(self.mask)) + for _, attr in ipairs{'src', 'dest'} do + self[attr..'-mask'][family] = self.mask[family][attr] or + ({src=({inet=32, inet6=128})[family], dest=0})[attr] + end + end end - for _, family in ipairs{'inet', 'inet6'} do - setdefault(self.mask, family, util.copy(self.mask)) - for _, attr in ipairs{'src', 'dest'} do - setdefault( - self.mask[family], - attr, - ({src=({inet=32, inet6=128})[family], dest=0})[attr] - ) + + setdefault(self, 'src-mask', not self['dest-mask']) + setdefault(self, 'dest-mask', false) + + for _, addr in ipairs{'src', 'dest'} do + local mask = addr..'-mask' + if type(self[mask]) ~= 'table' then + self[mask] = {inet=self[mask], inet6=self[mask]} + end + for _, family in ipairs{'inet', 'inet6'} do + local value = self[mask][family] + if not value then self[mask][family] = 0 + elseif value == true then + self[mask][family] = ({inet=32, inet6=128})[family] + end end end end function M.Limit:maskmode(family) local res - for _, attr in ipairs{'src', 'dest'} do - local mask = self.mask[family][attr] + for _, addr in ipairs{'src', 'dest'} do + local mask = self[addr..'-mask'][family] if mask > 0 then if res then return end - res = {attr, mask} + res = {addr, mask} end end if res then return table.unpack(res) end 
@@ -738,10 +758,10 @@ function M.Limit:limitofrags(name) for _, family in ipairs{'inet', 'inet6'} do local keys = {} local maskopts = '' - for _, attr in ipairs{'src', 'dest'} do - local mask = self.mask[family][attr] + for _, addr in ipairs{'src', 'dest'} do + local mask = self[addr..'-mask'][family] if mask > 0 then - local opt = ({src='src', dest='dst'})[attr] + local opt = ({src='src', dest='dst'})[addr] table.insert(keys, opt..'ip') maskopts = maskopts..' --hashlimit-'..opt..'mask '..mask end diff --git a/awall/modules/log.lua b/awall/modules/log.lua index 076a8a0..d9e4b6c 100644 --- a/awall/modules/log.lua +++ b/awall/modules/log.lua @@ -1,6 +1,6 @@ --[[ Packet logging module for Alpine Wall -Copyright (C) 2012-2016 Kaarle Ritvanen +Copyright (C) 2012-2017 Kaarle Ritvanen See LICENSE file for license details ]]-- @@ -15,7 +15,7 @@ local setdefault = require('awall.util').setdefault local LogLimit = class(model.Limit) function LogLimit:init(...) - setdefault(self, 'mask', 0) + setdefault(self, 'src-mask', false) LogLimit.super(self):init(...) end |
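Review bot: The normalisation loop at the end of the rewritten `M.Limit:init` (first hunk of awall/model.lua; the function's signature line is outside the hunk) only rewrites `false`/nil to 0 and `true` to the family width, so any other policy-file value — a quoted string, a negative number, a prefix length above 32 or 128 — is stored unchanged and later reaches `mask > 0` in `maskmode` and the `' --hashlimit-'..opt..'mask '..mask` concatenation in `limitofrags` (second hunk, whose function also starts outside it), where it either raises a Lua comparison error or is handed to iptables as-is. Since this is the one place where both the new `src-mask`/`dest-mask` forms and the legacy `mask` values are funnelled through, a range check here covers every input path; adding a branch before the loop's final `end`, `elseif type(value) ~= 'number' or value < 0 or value > ({inet=32, inet6=128})[family] then` / `self:error('Invalid '..mask..' for '..family)`, would do it, assuming the config objects expose `error` alongside the `warning` already called in this hunk. It is also worth a comment on `setdefault(self, 'src-mask', not self['dest-mask'])` that it must run before the `dest-mask` default, since the rule "per-source unless a destination mask was given" depends on that order, and that a mask object missing one family key silently maps that family to 0 (ignored), which the README text does not mention.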