-rw-r--r--README.md32
-rw-r--r--awall/model.lua43
2 files changed, 50 insertions, 25 deletions
diff --git a/README.md b/README.md
index 632d04a..6b20544 100644
--- a/README.md
+++ b/README.md
@@ -127,13 +127,14 @@ of the top-level service dictionary.
A *zone* represents a set of network hosts. A top-level attribute
**zone** is a dictionary that maps zone names to zone objects. A zone
-object has an attribute named **iface**, **addr**, or both. **iface**
-is a list of network interfaces and **addr** is a list of IPv4/IPv6
-host and network addresses (CIDR notation). **addr** may also contain
-domain names, which are expanded to IP addresses using DNS
-resolution. If not defined, **addr** defaults to the entire address
-space and **iface** to all interfaces. An empty zone can be defined by
-setting either **addr** or **iface** to an empty list.
+object has any combination of attributes named **iface**, **addr**,
+and **ipsec**. **iface** is a list of network interfaces and **addr**
+is a list of IPv4/IPv6 host and network addresses (CIDR notation).
+**addr** may also contain domain names, which are expanded to IP
+addresses using DNS resolution. If not defined, **addr** defaults to
+the entire address space and **iface** to all interfaces. An empty
+zone can be defined by setting either **addr** or **iface** to an
+empty list.
Rule objects contain two attributes, **in** and **out**, which are
lists of zone names. These attributes control whether a packet matches
@@ -164,6 +165,15 @@ where **in** and **out** attributes of a rule are not equal but their
definitions overlap. In this case, the **route-back** attribute of the
**out** zone determines the behavior.
+If used, the **ipsec** attribute is used to exclude from the zone any
+traffic that is or is not subject to IPsec processing. If set to
+**true** in the **in** zone, only the packets subject to IPsec
+decapsulation are considered originating from the zone. In the **out**
+zone, only the packets subject to IPsec encapsulation will be included
+if **ipsec** is set to **true**. The value of **false** would exclude
+any traffic requiring IPsec processing towards the respective
+direction.
+
### <a name="limit"></a>Limits
A *limit* specifies the maximum rate for a flow of packets or new
@@ -320,14 +330,6 @@ attributes:
order specified by <strong>args</strong>
</td>
</tr>
- <tr>
- <td><strong>ipsec</strong></td>
- <td><strong>in</strong> or <strong>out</strong></td>
- <td>
- IPsec decapsulation perfomed on ingress (<strong>in</strong>)
- or encapsulation performed on egress (<strong>out</strong>)
- </td>
- </tr>
</tbody>
</table>
diff --git a/awall/model.lua b/awall/model.lua
index 982a35e..c768b70 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -121,12 +121,23 @@ function M.Zone:optfrags(dir)
end
end
+ local popt
+ if self.ipsec ~= nil then
+ popt = {
+ {
+ opts='-m policy --dir '..dir..' --pol '..
+ (self.ipsec and 'ipsec' or 'none')
+ }
+ }
+ end
+
return combinations(
maplist(
self.iface,
function(x) return {[iprop]=x, opts='-'..iopt..' '..x} end
),
- aopts
+ aopts,
+ popt
)
end
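Review bot: The expression `self.ipsec and 'ipsec' or 'none'` on the new `-m policy` line accepts any non-nil value, so a zone whose `ipsec` attribute is a string such as `"false"` or `"out"` (the form the old rule-level attribute took) is silently compiled to `--pol ipsec`, which is the opposite of what a user writing `"false"` meant. Validate the type before the match is built: `if self.ipsec ~= nil and type(self.ipsec) ~= 'boolean' then self:error('ipsec must be true or false') end`, assuming Zone has the same error helper Rule uses. It is also worth a comment on `popt` that `combinations` must tolerate a nil third argument, since `popt` stays nil whenever `ipsec` is undefined and I cannot see `combinations` here. `M.Zone:optfrags` begins before this hunk.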
@@ -174,6 +185,26 @@ function M.Rule:init(...)
)
end
+ -- alpine v3.4 compatibility
+ if self.ipsec then
+ if not contains({'in', 'out'}, self.ipsec) then
+ self:error('Invalid ipsec policy direction')
+ end
+ self:warning('ipsec deprecated in rules, define in zones instead')
+ local zones = self[self.ipsec]
+ if zones then
+ self[self.ipsec] = maplist(
+ zones,
+ function(z)
+ return self:create(
+ M.Zone, {iface=z.iface, addr=z.addr, ipsec=true}
+ )
+ end
+ )
+ else self[self.ipsec] = {self:create(M.Zone, {ipsec=true})} end
+ self.ipsec = nil
+ end
+
if self.service then
if not self.label and type(self.service) == 'string' then
self.label = self.service
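Review bot: The compatibility shim clones each zone with only `iface` and `addr`, so any other zone attribute — notably `route-back`, which the README says decides behavior when `in` and `out` zone definitions overlap — is dropped from the rewritten rule, and an upgraded configuration can match differently than it did before. Copy it through: `M.Zone, {iface=z.iface, addr=z.addr, ['route-back']=z['route-back'], ipsec=true}` (or copy every field of `z`). The shim also replaces a zone whose own `ipsec` is already `false` with `ipsec=true` without any diagnostic; a check that `z.ipsec` is nil, erroring otherwise, would surface that conflict. This assumes the entries of `self[self.ipsec]` are already zone objects at this point, as the `z.iface` access implies; `M.Rule:init` starts and ends outside this hunk.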
@@ -461,11 +492,6 @@ function M.Rule:trules()
res = combinations(res, ipsetofrags)
end
- if self.ipsec then
- res = combinations(res,
- {{opts='-m policy --pol ipsec --dir '..self:direction(self.ipsec)}})
- end
-
res = combinations(res, self:servoptfrags())
setfamilies(res)
@@ -571,10 +597,7 @@ function M.Rule:extrarules(label, cls, options)
local params = {}
for _, attr in ipairs(
- extend(
- {'in', 'out', 'src', 'dest', 'ipset', 'ipsec', 'service'},
- options.attrs
- )
+ extend({'in', 'out', 'src', 'dest', 'ipset', 'service'}, options.attrs)
) do
params[attr] = (options.src or self)[attr]
end