authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2016-08-02 23:54:39 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2016-09-30 12:38:01 +0300
commit08529e3f63430b90d146c902f8eda516bdd2b880 (patch)
tree6d718d6c8620079dfc5af60c81ef0555a21b68bf
parentad7909da0108426e1fd0e5d090b927e581a47315 (diff)
downloadawall-08529e3f63430b90d146c902f8eda516bdd2b880.tar.bz2
awall-08529e3f63430b90d146c902f8eda516bdd2b880.tar.xz
Rule: trule filtering and amendment
-rw-r--r--awall/model.lua10
-rw-r--r--awall/modules/classify.lua17
-rw-r--r--awall/modules/filter.lua10
-rw-r--r--awall/modules/nat.lua16
-rw-r--r--awall/modules/ttl.lua8
5 files changed, 28 insertions, 33 deletions
diff --git a/awall/model.lua b/awall/model.lua
index c8fe2ec..2a2d4c9 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -590,11 +590,19 @@ function M.Rule:trules()
checkzof(ofrag, 'out', {'INPUT', 'PREROUTING'})
end
- return combinations(ofrags, ffilter({{family='inet'}, {family='inet6'}}))
+ ofrags = filter(
+ combinations(ofrags, ffilter({{family='inet'}, {family='inet6'}})),
+ function(r) return self:trulefilter(r) end
+ )
+ return extend(ofrags, self:extratrules(ofrags))
end
function M.Rule:extraoptfrags() return {} end
+function M.Rule:trulefilter(rule) return true end
+
+function M.Rule:extratrules(rules) return {} end
+
function M.Rule:extrarules(label, cls, options)
local params = {}
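Review bot: The two new hook methods `function M.Rule:trulefilter(rule) return true end` and `function M.Rule:extratrules(rules) return {} end` carry no statement of their contract, yet the overrides in this same commit already depend on one: `trulefilter` is allowed to abort via `self:error` (nat.lua does so), and the value returned by `extratrules` is appended unconditionally through `extend(ofrags, self:extratrules(ofrags))`, so it must be something `extend` can consume. I would add above them `-- Return false to drop a generated rule; may raise via self:error on invalid zone/family combinations.` and `-- Return extra rules to append after the filtered result of trules(); always return a table, possibly empty.` Whether `extend` tolerates a non-table argument is not visible in this diff, so the second comment pins the expectation rather than leaving it to the helper. `M.Rule:trules` begins before this hunk.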
diff --git a/awall/modules/classify.lua b/awall/modules/classify.lua
index 355563e..caea68e 100644
--- a/awall/modules/classify.lua
+++ b/awall/modules/classify.lua
@@ -1,6 +1,6 @@
--[[
Packet classification module for Alpine Wall
-Copyright (C) 2012-2015 Kaarle Ritvanen
+Copyright (C) 2012-2016 Kaarle Ritvanen
See LICENSE file for license details
]]--
@@ -22,17 +22,10 @@ function ClassificationRule:target()
return 'DSCP --set-dscp-class '..self.class
end
-function ClassificationRule:trules()
- local res = ClassificationRule.super(self):trules()
- if not self.reverse then
- extend(
- res,
- self:extrarules(
- 'reply', 'classify', {attrs='class', update={reverse=true}}
- )
- )
- end
- return res
+function ClassificationRule:extratrules(rules)
+ return not self.reverse and self:extrarules(
+ 'reply', 'classify', {attrs='class', update={reverse=true}}
+ )
end
return {export={classify={class=ClassificationRule}}}
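Review bot: `return not self.reverse and self:extrarules(...)` evaluates to `false` rather than an empty table when `self.reverse` is set, while the base `Rule:extratrules` returns `{}`; the result is handed straight to `extend` in model.lua, so correctness for reply rules now depends on `extend` accepting a boolean, which this diff does not show. Making both paths return a table removes that dependency: `if self.reverse then return {} end` followed by `return self:extrarules('reply', 'classify', {attrs='class', update={reverse=true}})`.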
diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua
index cd7381a..f12359e 100644
--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -86,6 +86,11 @@ end
local TranslatingRule = class(Rule)
+function TranslatingRule:init(...)
+ TranslatingRule.super(self):init(...)
+ if type(self.dnat) == 'string' then self.dnat = {addr=self.dnat} end
+end
+
function TranslatingRule:destoptfrags()
local ofrags = TranslatingRule.super(self):destoptfrags()
if not self.dnat then return ofrags end
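Review bot: The new `TranslatingRule:init` normalises the string shorthand without saying why it moved here from `Filter:trules`; a reader of `destoptfrags` has to find this commit to learn that `self.dnat.addr` is guaranteed for the string form. I would add above the assignment `-- Accept the shorthand dnat="addr" form; later code (destoptfrags, Filter:extratrules) indexes self.dnat.addr`. Note that a dnat value that is neither a string nor a table is left untouched and will only fail later with a raw Lua indexing error rather than `self:error`; if the model layer does not already reject that, a type check here would be the natural place.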
@@ -208,7 +213,7 @@ function Filter:init(...)
end
end
-function Filter:trules()
+function Filter:extratrules()
local res = {}
local function extrarules(label, cls, options)
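Review bot: `function Filter:extratrules()` overrides a base method declared as `extratrules(rules)` but drops the parameter, so it is not obvious whether ignoring the filtered base rules is deliberate. Declaring it as `function Filter:extratrules(rules)` with a comment such as `-- rules (the filtered base trules) are not needed here; extra rules are derived from the options only` keeps the signatures aligned and documents the intent. The body of this function continues past the hunk.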
@@ -228,7 +233,6 @@ function Filter:trules()
self:error('dnat and ipset options cannot be used simultaneously')
end
- if type(self.dnat) == 'string' then self.dnat = {addr=self.dnat} end
if self.dnat.addr:find('/') then
self:error('DNAT target cannot be a network address')
end
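Review bot: With the string normalisation moved to `init`, `self.dnat.addr:find('/')` is now the first place that assumes the table form carries an `addr` field; a dnat object given without `addr` makes `self.dnat.addr` nil and `:find` raises a bare Lua error instead of the user-facing `self:error` the surrounding checks use. If `addr` is mandatory for the object form, guard it first: `if not self.dnat.addr then self:error('DNAT target address not specified') end`. If it is optional (e.g. port-only redirection), the `find` call needs to be conditional instead. The enclosing function extends beyond this hunk.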
@@ -262,8 +266,6 @@ function Filter:trules()
extrarules('no-track', 'no-track')
end
- extend(res, Filter.super(self):trules())
-
if self.action == 'accept' then
if self:position() == 'prepend' then
extrarules('final', LoggingRule, {update={log=self.log}})
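Review bot: Removing `extend(res, Filter.super(self):trules())` from the middle of the list changes the relative position of the base rules: previously the dnat and no-track extra rules preceded them and only the `final` logging rules followed, whereas model.lua now appends everything from `extratrules` after the base rules. For rules in the same table and chain, emission order is iptables match order, so this is only safe if the dnat/no-track rules never share a chain with the base filter rule; they appear to target the nat and raw tables, so it is probably harmless, but that assumption is now implicit. I would record it at the top of the function: `-- All rules built here are appended after the base rules by Rule:trules(); none of them may share a chain with the base rule, or match order changes.` The function body continues outside this hunk.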
diff --git a/awall/modules/nat.lua b/awall/modules/nat.lua
index 198b28a..2991dbf 100644
--- a/awall/modules/nat.lua
+++ b/awall/modules/nat.lua
@@ -1,6 +1,6 @@
--[[
NAT module for Alpine Wall
-Copyright (C) 2012-2015 Kaarle Ritvanen
+Copyright (C) 2012-2016 Kaarle Ritvanen
See LICENSE file for license details
]]--
@@ -25,15 +25,13 @@ function NATRule:init(...)
end
end
-function NATRule:trules()
- local res = {}
- for i, ofrags in ipairs(NATRule.super(self):trules()) do
- if not contains(self.params.chains, ofrags.chain) then
- self:error('Inappropriate zone definitions for a '..self.params.target..' rule')
- end
- if ofrags.family == 'inet' then table.insert(res, ofrags) end
+function NATRule:trulefilter(rule)
+ if not contains(self.params.chains, rule.chain) then
+ self:error(
+ 'Inappropriate zone definitions for a '..self.params.target..' rule'
+ )
end
- return res
+ return rule.family == 'inet'
end
function NATRule:table() return 'nat' end
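Review bot: `return rule.family == 'inet'` silently discards the inet6 variant of every NAT rule, and the chain check above it runs on those inet6 variants too before they are dropped; neither behaviour is documented, and the filter-hook form hides it even more than the previous loop did. If IPv6 NAT is intentionally unsupported, say so where the rule is dropped: `-- NAT is generated for IPv4 only; the inet6 variant is dropped without warning`. If it is meant to be an error rather than a silent drop, `self:error` is already available in this method.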
diff --git a/awall/modules/ttl.lua b/awall/modules/ttl.lua
index 3a1da36..8add3ee 100644
--- a/awall/modules/ttl.lua
+++ b/awall/modules/ttl.lua
@@ -10,13 +10,7 @@ local model = require('awall.model')
local TTLRule = model.class(model.Rule)
-function TTLRule:trules()
- local res = {}
- for _, rule in ipairs(TTLRule.super(self):trules()) do
- if rule.family == 'inet' then table.insert(res, rule) end
- end
- return res
-end
+function TTLRule:trulefilter(rule) return rule.family == 'inet' end
function TTLRule:table() return 'mangle' end
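Review bot: The one-line `TTLRule:trulefilter` keeps only `rule.family == 'inet'` with no explanation, so a reader cannot tell whether IPv6 support is missing or deliberately excluded. Presumably the mangle-table TTL target is IPv4-only (ip6tables has a separate hop-limit target), in which case a comment makes the intent explicit: `-- The TTL target is IPv4-only; inet6 variants are dropped`. A short note like this also stops someone from "fixing" the filter later.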