author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2013-02-08 20:40:07 +0200 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2013-02-08 20:40:07 +0200 |
commit | cb6011fac4342a4cb6a913ae0e3a82306260c188 (patch) | |
tree | 8dbc2a69b162a84de021d7871a4be7ca67622fba | |
parent | 8f4e609a893d5a11b356ff04284264a1e77a3e3e (diff) | |
fixed transparent proxy support
use -p option in TPROXY rules
constrain TPROXY rules to PREROUTING chain
-rw-r--r-- | awall/modules/mark.lua | 78 | ||||
-rw-r--r-- | awall/util.lua | 6 |
2 files changed, 57 insertions, 27 deletions
diff --git a/awall/modules/mark.lua b/awall/modules/mark.lua index d35de5e..4d681b3 100644 --- a/awall/modules/mark.lua +++ b/awall/modules/mark.lua @@ -13,7 +13,9 @@ local class = model.class local combinations = require('awall.optfrag').combinations local util = require('awall.util') +local contains = util.contains local list = util.list +local listpairs = util.listpairs local MarkRule = class(model.Rule) @@ -47,30 +49,50 @@ end local TProxyRule = class(MarkRule) +function TProxyRule:init(...) + MarkRule.init(self, unpack(arg)) + if not self['in'] then self:error('Ingress zone must be specified') end + if contains(list(self['in']), model.fwzone) then + self:error('Transparent proxy cannot be used for firewall zone') + end + if self.out then self:error('Egress zone cannot be specified') end +end + function TProxyRule:target() return self:newchain('tproxy') end function TProxyRule:extraoptfrags() - local res = combinations( - {{chain='OUTPUT'}, {chain='PREROUTING'}}, + local res = { { - { - opts='-m socket -m mark --mark '..self.mark, - target='ACCEPT', - position='prepend' - } - } - ) + chain='PREROUTING', + opts='-m socket -m mark --mark '..self.mark, + target='ACCEPT', + position='prepend' + }, + {chain=self:target(), target='CONNMARK --set-mark '..self.mark}, + } + + local popts = {} + for i, serv in listpairs(self.service) do + for i, sdef in listpairs(serv) do + if not contains({6, 'tcp', 17, 'udp'}, sdef.proto) then + self:error('Transparent proxy not available for protocol '..sdef.proto) + end + popts[sdef.proto] = {opts='-p '..sdef.proto} + end + end local port = self['to-port'] or 0 util.extend( res, - { - {chain=self:target(), target='CONNMARK --set-mark '..self.mark}, + combinations( + util.values(popts), { - chain=self:target(), - target='TPROXY --tproxy-mark '..self.mark..' --on-port '..port + { + chain=self:target(), + target='TPROXY --tproxy-mark '..self.mark..' --on-port '..port + } } - } + ) ) return res 
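Review bot: In the new protocol check inside TProxyRule:extraoptfrags(), a service definition whose `proto` is unset reaches `self:error('Transparent proxy not available for protocol '..sdef.proto)` and dies with a Lua "attempt to concatenate a nil value" instead of the intended message (assuming contains() is false for nil); `..tostring(sdef.proto)` keeps the diagnostic. The same loop keys `popts` by the raw value, so a policy that names a protocol both as `6` and as `'tcp'` emits two TPROXY rules for the same protocol, and because the table is later flattened through `util.values`/pairs() the tcp/udp rule order is not stable between runs; normalising to the protocol name before `popts[...] = ...` would fix both. `MarkRule.init(self, unpack(arg))` in the new TProxyRule:init relies on the Lua 5.0-style implicit `arg` table, which Lua 5.1 only provides with LUA_COMPAT_VARARG and later versions drop; `MarkRule.init(self, ...)` is the portable form. The inner loop also shadows the outer `i`, and neither index is used, so `_` reads better.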
@@ -78,21 +100,23 @@ end local function restoremark(config) - if list(config['route-track'])[1] or list(config['tproxy'])[1] then - return combinations( - {{family='inet'}, {family='inet6'}}, - {{chain='OUTPUT'}, {chain='PREROUTING'}}, + local chopts = {} + if list(config['route-track'])[1] then + chopts = {{chain='OUTPUT'}, {chain='PREROUTING'}} + elseif list(config['tproxy'])[1] then chopts = {{chain='PREROUTING'}} end + + return combinations( + {{family='inet'}, {family='inet6'}}, + chopts, + { { - { - table='mangle', - opts='-m connmark ! --mark 0', - target='CONNMARK --restore-mark', - position='prepend' - } + table='mangle', + opts='-m connmark ! --mark 0', + target='CONNMARK --restore-mark', + position='prepend' } - ) - end - return {} + } + ) end export = { diff --git a/awall/util.lua b/awall/util.lua index 4360198..68090bd 100644 --- a/awall/util.lua +++ b/awall/util.lua @@ -60,6 +60,12 @@ function keys(tbl) return res end +function values(tbl) + local res = {} + for k, v in pairs(tbl) do table.insert(res, v) end + return res +end + function sortedkeys(tbl) local res = keys(tbl) table.sort(res) |
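Review bot: restoremark() now always returns `combinations(...)` even when neither `route-track` nor `tproxy` is configured, so the no-op case relies on combinations() producing nothing for an empty `chopts` factor rather than on the explicit `return {}` the old code had; if combinations() treats an empty table as unconstrained, the mangle `CONNMARK --restore-mark` rules would be emitted unconditionally. An explicit guard keeps the intent visible either way: `if not next(chopts) then return {} end` placed before `return combinations(`. A one-line comment would also help the next reader see that the `elseif` is deliberate, e.g. `-- route-track needs OUTPUT too; TPROXY is only valid in PREROUTING, so tproxy alone restores there`.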
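Review bot: util.values() should document that it returns the values in the unspecified order of pairs(), since its new caller in mark.lua builds iptables rule fragments from the result and the generated rule order therefore varies between runs; `-- Returns the values of tbl as a list, in pairs() order (unspecified).` above the function. Note that sortedkeys() cannot simply be reused to make it deterministic for that caller, because its keys mix numbers and strings, which table.sort cannot compare.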