author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2013-02-08 15:10:34 +0200 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2013-02-08 15:12:59 +0200 |
commit | c0284e07b1c571f394f284e3944766e7726ba9b5 (patch) | |
tree | d3dcd27b45b8433276390b9b8ee0b996f40bc0d9 | |
parent | d22129e9feab6a7aa57d9512d73d2cf6a5088afb (diff) | |
download | awall-c0284e07b1c571f394f284e3944766e7726ba9b5.tar.bz2 awall-c0284e07b1c571f394f284e3944766e7726ba9b5.tar.xz |
use connection marking with transparent proxies
-rw-r--r-- | awall/model.lua | 10 | ||||
-rw-r--r-- | awall/modules/clampmss.lua | 2 | ||||
-rw-r--r-- | awall/modules/mark.lua | 84 | ||||
-rw-r--r-- | awall/modules/tproxy.lua | 41 |
4 files changed, 64 insertions, 73 deletions
diff --git a/awall/model.lua b/awall/model.lua
index c234bb8..090e50f 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -414,11 +414,7 @@ function Rule:trules()
 )
 end
- local ofrags = {}
- for i, ofrag in ipairs(res) do
- util.extend(ofrags, self:mangleoptfrag(ofrag))
- end
- util.extend(ofrags, self:extraoptfrags())
+ util.extend(res, self:extraoptfrags())
 local tbl = self:table()
@@ -454,7 +450,7 @@ function Rule:trules()
 return res
 end
- res = convertchains(ffilter(ofrags))
+ res = convertchains(ffilter(res))
 tag(res, 'table', tbl, false)
 local function checkzof(ofrag, dir, chains)
@@ -471,8 +467,6 @@ function Rule:trules()
 return combinations(res, ffilter({{family='inet'}, {family='inet6'}}))
 end
-function Rule:mangleoptfrag(ofrag) return {ofrag} end
-
 function Rule:extraoptfrags() return {} end
 function Rule:newchain(key)
diff --git a/awall/modules/clampmss.lua b/awall/modules/clampmss.lua
index c32707e..9dcf402 100644
--- a/awall/modules/clampmss.lua
+++ b/awall/modules/clampmss.lua
@@ -25,4 +25,4 @@ function ClampMSSRule:target()
 end
-export = {['clamp-mss']={class=ClampMSSRule}}
+export = {['clamp-mss']={class=ClampMSSRule, before='tproxy'}}
diff --git a/awall/modules/mark.lua b/awall/modules/mark.lua
index 97cc8cc..d35de5e 100644
--- a/awall/modules/mark.lua
+++ b/awall/modules/mark.lua
@@ -7,14 +7,16 @@ See LICENSE file for license details
 module(..., package.seeall)
-require 'awall.model'
-require 'awall.optfrag'
-require 'awall.util'
+local model = require('awall.model')
+local class = model.class
-local model = awall.model
+local combinations = require('awall.optfrag').combinations
+local util = require('awall.util')
+local list = util.list
-local MarkRule = model.class(model.Rule)
+
+local MarkRule = class(model.Rule)
 function MarkRule:init(...)
 model.Rule.init(self, unpack(arg))
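Review bot: The `before='tproxy'` added to the clamp-mss export reverses the relative order that the deleted tproxy.lua declared (`before={'clamp-mss', '%mark-rt'}`), so the TCPMSS rules now precede the TPROXY rules in the mangle chains, and neither the commit message nor the file says why. If this is deliberate — presumably so the MSS clamp is applied before a packet reaches the TPROXY rule — a one-line comment on the export, `-- keep before tproxy so the MSS clamp is applied before the TPROXY rules`, would stop a later cleanup from reverting it. The enclosing function ClampMSSRule:target() starts above the hunk.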
@@ -26,13 +28,15 @@ function MarkRule:table() return 'mangle' end
 function MarkRule:target() return 'MARK --set-mark '..self.mark end
-local RouteTrackRule = model.class(MarkRule)
+local RouteTrackRule = class(MarkRule)
 function RouteTrackRule:target() return self:newchain('mark') end
 function RouteTrackRule:servoptfrags()
- return awall.optfrag.combinations(MarkRule.servoptfrags(self),
- {{opts='-m mark --mark 0'}})
+ return combinations(
+ MarkRule.servoptfrags(self),
+ {{opts='-m mark --mark 0'}}
+ )
 end
 function RouteTrackRule:extraoptfrags()
@@ -41,25 +45,59 @@ function RouteTrackRule:extraoptfrags()
 end
-local function rt(config)
- local res = {}
- if awall.util.list(config['route-track'])[1] then
- for i, family in ipairs({'inet', 'inet6'}) do
- for i, chain in ipairs({'OUTPUT', 'PREROUTING'}) do
- table.insert(res,
- {family=family,
- table='mangle',
- chain=chain,
- opts='-m connmark ! --mark 0',
- target='CONNMARK --restore-mark'})
- end
- end
- end
+local TProxyRule = class(MarkRule)
+
+function TProxyRule:target() return self:newchain('tproxy') end
+
+function TProxyRule:extraoptfrags()
+ local res = combinations(
+ {{chain='OUTPUT'}, {chain='PREROUTING'}},
+ {
+ {
+ opts='-m socket -m mark --mark '..self.mark,
+ target='ACCEPT',
+ position='prepend'
+ }
+ }
+ )
+
+ local port = self['to-port'] or 0
+ util.extend(
+ res,
+ {
+ {chain=self:target(), target='CONNMARK --set-mark '..self.mark},
+ {
+ chain=self:target(),
+ target='TPROXY --tproxy-mark '..self.mark..' --on-port '..port
+ }
+ }
+ )
 return res
 end
+
+local function restoremark(config)
+ if list(config['route-track'])[1] or list(config['tproxy'])[1] then
+ return combinations(
+ {{family='inet'}, {family='inet6'}},
+ {{chain='OUTPUT'}, {chain='PREROUTING'}},
+ {
+ {
+ table='mangle',
+ opts='-m connmark ! --mark 0',
+ target='CONNMARK --restore-mark',
+ position='prepend'
+ }
+ }
+ )
+ end
+ return {}
+end
+
 export = {
 mark={class=MarkRule},
 ['route-track']={class=RouteTrackRule, before='mark'},
- ['%mark-rt']={rules=rt, before='route-track'}
+ tproxy={class=TProxyRule, before='route-track'},
+ ['%mark-restore']={rules=restoremark, after='tproxy'}
 }
diff --git a/awall/modules/tproxy.lua b/awall/modules/tproxy.lua
deleted file mode 100644
index 18e207d..0000000
--- a/awall/modules/tproxy.lua
+++ /dev/null
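Review bot: `local port = self['to-port'] or 0` in TProxyRule:extraoptfrags splices the policy value straight into the `TPROXY --on-port` argument with no check that it is an integer in port range, so a mistyped or non-numeric value only fails when the whole generated rule set is loaded rather than at policy validation. The mark is validated somewhere in MarkRule:init (its body is outside this hunk); the same validation path should cover `to-port`, or at minimum the line should carry `-- TODO(review): validate to-port as an integer in 0..65535 before building the rule`. The correctness of the chain layout also rests on an implicit ordering: both the `-m socket` ACCEPT fragment here and the CONNMARK restore fragment in restoremark use `position='prepend'`, and the restore rule appears to land first only because `%mark-restore` is declared `after='tproxy'`. A comment on the `['%mark-restore']` export entry, `-- prepended after tproxy so the restore-mark rule precedes the socket-match ACCEPT`, would make that dependency explicit for the next module that prepends into OUTPUT/PREROUTING.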
@@ -1,41 +0,0 @@
---[[
-Transparent proxy module for Alpine Wall
-Copyright (C) 2012-2013 Kaarle Ritvanen
-See LICENSE file for license details
-]]--
-
-
-module(..., package.seeall)
-
-local class = require('awall.model').class
-local combinations = require('awall.optfrag').combinations
-local util = require('awall.util')
-
-local MarkRule = require('awall').loadclass('mark')
-
-local TProxyRule = class(MarkRule)
-
-function TProxyRule:target()
- local port = self['to-port'] or 0
- return 'TPROXY --tproxy-mark '..self.mark..' --on-port '..port
-end
-
-function TProxyRule:mangleoptfrag(ofrag)
- local dof = util.copy(ofrag)
- dof.target = nil
- local res = combinations(
- {dof},
- {{opts='-m socket', target=self:newchain('divert')}}
- )
- table.insert(res, ofrag)
- return res
-end
-
-function TProxyRule:extraoptfrags()
- return combinations(
- {{chain=self:newchain('divert')}},
- {{target=MarkRule.target(self)}, {target='ACCEPT'}}
- )
-end
-
-export = {tproxy={class=TProxyRule, before={'clamp-mss', '%mark-rt'}}} |