-rwxr-xr-x | awall-cli | 67 | ||||
-rw-r--r-- | awall/class.lua (renamed from awall/object.lua) | 8 | ||||
-rw-r--r-- | awall/dependency.lua | 11 | ||||
-rw-r--r-- | awall/host.lua | 4 | ||||
-rw-r--r-- | awall/init.lua | 58 | ||||
-rw-r--r-- | awall/ipset.lua | 11 | ||||
-rw-r--r-- | awall/iptables.lua | 55 | ||||
-rw-r--r-- | awall/model.lua | 212 | ||||
-rw-r--r-- | awall/modules/clampmss.lua | 10 | ||||
-rw-r--r-- | awall/modules/filter.lua | 41 | ||||
-rw-r--r-- | awall/modules/log.lua | 16 | ||||
-rw-r--r-- | awall/modules/mark.lua | 16 | ||||
-rw-r--r-- | awall/modules/masquerade.lua | 42 | ||||
-rw-r--r-- | awall/modules/nat.lua | 21 | ||||
-rw-r--r-- | awall/modules/notrack.lua | 8 | ||||
-rw-r--r-- | awall/modules/tproxy.lua | 10 | ||||
-rw-r--r-- | awall/optfrag.lua | 14 | ||||
-rw-r--r-- | awall/policy.lua | 18 | ||||
-rw-r--r-- | awall/uerror.lua | 9 | ||||
-rw-r--r-- | awall/util.lua | 50 |
20 files changed, 350 insertions, 331 deletions
@@ -6,10 +6,9 @@ Copyright (C) 2012-2014 Kaarle Ritvanen See LICENSE file for license details ]]-- -require 'alt_getopt' -require 'lfs' -require 'signal' -require 'stringy' +get_opts = require('alt_getopt').get_opts +signal = require('signal') +stringy = require('stringy') function help() io.stderr:write([[ @@ -78,7 +77,7 @@ if not stringy.startswith(arg[1], '-') then table.remove(arg, 1) end -opts, opind = alt_getopt.get_opts( +opts, opind = get_opts( arg, 'afo:V', {all='a', force='f', ['output-dir']='o', verify='V'} @@ -98,12 +97,22 @@ if not mode then end -require 'awall.util' -util = awall.util +util = require('awall.util') +contains = util.contains -if not util.contains({'translate', 'activate', 'fallback', 'flush', - 'enable', 'disable', 'list', 'dump'}, - mode) then help() end +if not contains( + { + 'translate', + 'activate', + 'fallback', + 'flush', + 'enable', + 'disable', + 'list', + 'dump' + }, + mode +) then help() end pol_paths = {} for i, cls in ipairs{'mandatory', 'optional', 'private'} do @@ -119,12 +128,14 @@ if stringy.endswith(arg[0], '/awall-cli') then table.insert(pol_paths.mandatory, basedir..'/json') end -local uerror = require('awall.uerror') +uerror = require('awall.uerror') +call = uerror.call -if not uerror.call( +if not call( function() - require 'awall' + local awall = require('awall') + local printtabular = util.printtabular policyset = awall.PolicySet(pol_paths) @@ -137,7 +148,7 @@ if not uerror.call( if all or policy.type == 'optional' then if policy.enabled then status = 'enabled' - elseif util.contains(imported, name) then status = 'required' + elseif contains(imported, name) then status = 'required' else status = 'disabled' end polinfo = {name, status, policy:load().description} 
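Review bot: The rewrite of the `require` lines in awall-cli turns `uerror` from a local into a global and adds further globals (`get_opts`, `signal`, `stringy`, `util`, `contains`, `call`), which is a step backwards for a commit that otherwise moves away from `module(..., package.seeall)`. The replaced line was `local uerror = require('awall.uerror')`; keeping `local uerror = require('awall.uerror')` and `local call = uerror.call` (and `local` on the other new bindings) avoids leaking them into `_G` and lets luacheck catch typos. The same hunk also drops `require 'lfs'` without a replacement; if any code in awall-cli outside the shown hunks still uses `lfs`, that now fails at run time, which cannot be confirmed from this view of the file.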
@@ -151,11 +162,11 @@ if not uerror.call( end end - util.printtabular(data) + printtabular(data) os.exit() end - if util.contains({'disable', 'enable'}, mode) then + if contains({'disable', 'enable'}, mode) then if opind > #arg then help() end repeat name = arg[opind] @@ -178,10 +189,10 @@ if not uerror.call( end - require 'awall.iptables' + local iptables = require('awall.iptables') if mode == 'dump' then - require 'json' + local json = require('json') expinput = input:expand() function capitalize(cls) @@ -189,7 +200,7 @@ if not uerror.call( end for cls, objs in pairs(input.data) do - if level > 2 or (level == 2 and cls ~= 'service') or util.contains( + if level > 2 or (level == 2 and cls ~= 'service') or contains( {'variable', 'zone'}, cls ) then @@ -224,7 +235,7 @@ if not uerror.call( end table.sort(items, function(a, b) return a[1] < b[1] end) - if level == 0 then util.printtabular(items) + if level == 0 then printtabular(items) else util.printtabulars( util.map(items, function(x) return x[2] end) @@ -242,7 +253,9 @@ if not uerror.call( elseif mode == 'activate' then - awall.iptables.backup() + local lpc = require('lpc') + + iptables.backup() if not force then signal.signal( @@ -261,7 +274,6 @@ if not uerror.call( ) end - require 'lpc' pid, stdio, stdout = lpc.run(arg[0], 'fallback') stdio:close() stdout:close() @@ -274,11 +286,11 @@ if not uerror.call( end function revert() - awall.iptables.revert() + iptables.revert() os.exit(1) end - if uerror.call(config.activate, config) then + if call(config.activate, config) then if not force then io.stderr:write('New firewall configuration activated\n') 
@@ -309,13 +321,12 @@ if not uerror.call( signal.signal('SIG'..sig, function() end) end - require 'lsleep' - lsleep.sleep(10) + require('lsleep').sleep(10) io.stderr:write('\nTimeout, reverting to the old configuration\n') - awall.iptables.revert() + iptables.revert() - elseif mode == 'flush' then awall.iptables.flush() + elseif mode == 'flush' then iptables.flush() else assert(false) end diff --git a/awall/object.lua b/awall/class.lua index a9a5d5d..de36a43 100644 --- a/awall/object.lua +++ b/awall/class.lua @@ -4,10 +4,9 @@ Copyright (C) 2012-2014 Kaarle Ritvanen See LICENSE file for license details ]]-- +local Object -module(..., package.seeall) - -function class(base) +local function class(base) local cls = {} function cls.super(obj) @@ -42,5 +41,6 @@ function class(base) end Object = class() - function Object:init(...) end + +return class diff --git a/awall/dependency.lua b/awall/dependency.lua index 720ec44..aead42e 100644 --- a/awall/dependency.lua +++ b/awall/dependency.lua @@ -1,25 +1,24 @@ --[[ Dependency order resolver for Alpine Wall -Copyright (C) 2012-2013 Kaarle Ritvanen +Copyright (C) 2012-2014 Kaarle Ritvanen See LICENSE file for license details ]]-- -module(..., package.seeall) - local util = require('awall.util') +local contains = util.contains -function order(items) +return function(items) local visited = {} local res = {} local function visit(key) - if util.contains(res, key) then return end + if contains(res, key) then return end if visited[key] then return key end visited[key] = true local after = util.list(items[key].after) for k, v in pairs(items) do - if util.contains(v.before, key) then table.insert(after, k) end + if contains(v.before, key) then table.insert(after, k) end end for i, k in ipairs(after) do if items[k] then diff --git a/awall/host.lua b/awall/host.lua index 0a5fde6..53b1d58 100644 --- a/awall/host.lua +++ b/awall/host.lua 
@@ -5,8 +5,6 @@ See LICENSE file for license details ]]-- -module(..., package.seeall) - local familypatterns = {inet='%d[%.%d/]+', inet6='[:%x/]+', domain='[%a-][%.%w-]*'} @@ -20,7 +18,7 @@ end local dnscache = {} -function resolve(host, context) +return function(host, context) local family = getfamily(host, context) if family == 'domain' then diff --git a/awall/init.lua b/awall/init.lua index 1bdc299..d954849 100644 --- a/awall/init.lua +++ b/awall/init.lua @@ -4,28 +4,27 @@ Copyright (C) 2012-2014 Kaarle Ritvanen See LICENSE file for license details ]]-- -module(..., package.seeall) -require 'lfs' -require 'stringy' +local M = {} -require 'awall.dependency' -require 'awall.ipset' -require 'awall.iptables' -require 'awall.model' -require 'awall.object' -require 'awall.optfrag' -require 'awall.policy' -require 'awall.util' +local class = require('awall.class') +local resolve = require('awall.dependency') +local IPSet = require('awall.ipset') +local IPTables = require('awall.iptables').IPTables +local optfrag = require('awall.optfrag') +M.PolicySet = require('awall.policy') +local util = require('awall.util') -local optfrag = awall.optfrag + +local lfs = require('lfs') +local endswith = require('stringy').endswith local events local procorder local achains -function loadmodules(path) +function M.loadmodules(path) events = {} achains = {} @@ -38,10 +37,10 @@ function loadmodules(path) achains[name] = opts end - return awall.util.keys(export) + return util.keys(export) end - readmetadata(model) + readmetadata(require('awall.model')) local cdir = lfs.currentdir() if path then lfs.chdir(path) end 
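Review bot: In the init.lua hunk, `M.loadmodules` changes the process working directory with `lfs.chdir(path)` but neither checks the return value nor protects the `lfs.chdir(cdir)` that follows in the next hunk; if `chdir` fails the modules are silently loaded relative to the wrong directory, and if `require(name)` raises, the process is left with its cwd still pointing at `path`. A minimal check would be `if path then assert(lfs.chdir(path)) end`, and the module loop could be wrapped in `pcall` so that `lfs.chdir(cdir)` runs on both paths before the error is re-raised. `M.loadmodules` starts in this hunk and continues in the `@@ -56,31 +55,27 @@` hunk that follows.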
@@ -56,31 +55,27 @@ function loadmodules(path) local imported = {} for i, name in ipairs(modules) do - require(name) - awall.util.extend(imported, readmetadata(package.loaded[name])) + util.extend(imported, readmetadata(require(name))) end lfs.chdir(cdir) events['%modules'] = {before=imported} - procorder = awall.dependency.order(events) + procorder = resolve(events) end -function loadclass(path) +function M.loadclass(path) assert(path:sub(1, 1) ~= '%') return events[path] and events[path].class end -PolicySet = policy.PolicySet - - -Config = object.class() +M.Config = class() -function Config:init(policyconfig) +function M.Config:init(policyconfig) self.objects = policyconfig:expand() - self.iptables = iptables.IPTables() + self.iptables = IPTables() local acfrags = {} @@ -138,26 +133,29 @@ function Config:init(policyconfig) for k, v in pairs(acfrags) do table.insert(ofrags, v) end insertrules(optfrag.combinations(achains, ofrags)) - self.ipset = ipset.IPSet(self.objects.ipset) + self.ipset = IPSet(self.objects.ipset) end -function Config:print() +function M.Config:print() self.ipset:print() print() self.iptables:print() end -function Config:dump(dir) +function M.Config:dump(dir) self.ipset:dump(dir or '/etc/ipset.d') self.iptables:dump(dir or '/etc/iptables') end -function Config:test() +function M.Config:test() self.ipset:create() self.iptables:test() end -function Config:activate() +function M.Config:activate() self:test() self.iptables:activate() end + + +return M diff --git a/awall/ipset.lua b/awall/ipset.lua index 28cc05b..21c1b16 100644 --- a/awall/ipset.lua +++ b/awall/ipset.lua @@ -1,15 +1,10 @@ --[[ Ipset file dumper for Alpine Wall -Copyright (C) 2012-2013 Kaarle Ritvanen +Copyright (C) 2012-2014 Kaarle Ritvanen See LICENSE file for license details ]]-- - -module(..., package.seeall) - -require 'awall.object' - -IPSet = awall.object.class() +local IPSet = require('awall.class')() function IPSet:init(config) self.config = config or {} end 
@@ -47,3 +42,5 @@ function IPSet:dump(ipsdir) file:close() end end + +return IPSet diff --git a/awall/iptables.lua b/awall/iptables.lua index e8f9374..aed05f2 100644 --- a/awall/iptables.lua +++ b/awall/iptables.lua @@ -5,20 +5,19 @@ See LICENSE file for license details ]]-- -module(..., package.seeall) - -require 'lfs' -require 'lpc' - -require 'awall.object' -require 'awall.uerror' +local class = require('awall.class') +local raise = require('awall.uerror').raise local util = require('awall.util') local sortedkeys = util.sortedkeys -local class = awall.object.class + +local mkdir = require('lfs').mkdir +local lpc = require('lpc') +local M = {} + local families = {inet={cmd='iptables', file='rules-save', procfile='/proc/net/ip_tables_names'}, @@ -26,11 +25,13 @@ local families = {inet={cmd='iptables', file='rules6-save', procfile='/proc/net/ip6_tables_names'}} -builtin = {filter={'FORWARD', 'INPUT', 'OUTPUT'}, - mangle={'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'}, - nat={'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'}, - raw={'OUTPUT', 'PREROUTING'}, - security={'FORWARD', 'INPUT', 'OUTPUT'}} +M.builtin = { + filter={'FORWARD', 'INPUT', 'OUTPUT'}, + mangle={'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'}, + nat={'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'}, + raw={'OUTPUT', 'PREROUTING'}, + security={'FORWARD', 'INPUT', 'OUTPUT'} +} local backupdir = '/var/run/awall' @@ -74,20 +75,20 @@ function BaseIPTables:restore(test) end end - if disabled then awall.uerror.raise('Firewall not enabled in kernel') end + if disabled then raise('Firewall not enabled in kernel') end end function BaseIPTables:activate() - flush() + M.flush() self:restore(false) end function BaseIPTables:test() self:restore(true) end -IPTables = class(BaseIPTables) +M.IPTables = class(BaseIPTables) -function IPTables:init() +function M.IPTables:init() self.config = {} setmetatable(self.config, {__index=function(t, k) 
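Review bot: `M.backup()` in the iptables.lua hunk calls `mkdir(backupdir)` and discards its `nil, err` result, so a failure to create `/var/run/awall` is not reported where it happens; the caller only learns of it indirectly when `Current():dump(backupdir)` cannot write, or — depending on how `dump` handles open failures, which is not visible here — possibly not until a later `M.revert()` tries to restore from a backup that was never written. Since `mkdir` also fails when the directory already exists, the check needs to distinguish that case, e.g. `local ok, err = mkdir(backupdir)` followed by raising `err` unless the path already is a directory. A one-line comment noting that the directory inherits the process umask would also help a reader judge who can read the dumped ruleset.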
@@ -97,7 +98,7 @@ function IPTables:init() end}) end -function IPTables:dumpfile(family, iptfile) +function M.IPTables:dumpfile(family, iptfile) iptfile:write('# '..families[family].file..' generated by awall\n') local tables = self.config[family] for i, tbl in sortedkeys(tables) do @@ -105,7 +106,7 @@ function IPTables:dumpfile(family, iptfile) local chains = tables[tbl] for i, chain in sortedkeys(chains) do local policy = '-' - if util.contains(builtin[tbl], chain) then + if util.contains(M.builtin[tbl], chain) then policy = tbl == 'filter' and 'DROP' or 'ACCEPT' end iptfile:write(':'..chain..' '..policy..' [0:0]\n') @@ -140,22 +141,20 @@ function Backup:dumpfile(family, iptfile) end -function backup() - lfs.mkdir(backupdir) +function M.backup() + mkdir(backupdir) Current():dump(backupdir) end -function revert() - Backup():activate() -end +function M.revert() Backup():activate() end -function flush() - local empty = IPTables() +function M.flush() + local empty = M.IPTables() for family, params in pairs(families) do local success, lines = pcall(io.lines, params.procfile) if success then for tbl in lines do - for i, chain in ipairs(builtin[tbl]) do + for i, chain in ipairs(M.builtin[tbl]) do empty.config[family][tbl][chain] = {} end end @@ -163,3 +162,5 @@ function flush() end empty:restore(false) end + +return M diff --git a/awall/model.lua b/awall/model.lua index 0897108..77993e8 100644 --- a/awall/model.lua +++ b/awall/model.lua 
@@ -5,27 +5,33 @@ See LICENSE file for license details ]]-- -module(..., package.seeall) +local M = {} -require 'awall' -require 'awall.host' -require 'awall.iptables' -require 'awall.object' -require 'awall.optfrag' -require 'awall.uerror' -require 'awall.util' -local util = awall.util -local combinations = awall.optfrag.combinations +local loadclass = require('awall').loadclass +M.class = require('awall.class') +local resolve = require('awall.host') +local builtin = require('awall.iptables').builtin -class = awall.object.class +local optfrag = require('awall.optfrag') +local combinations = optfrag.combinations -require 'stringy' +local raise = require('awall.uerror').raise +local util = require('awall.util') +local contains = util.contains +local extend = util.extend +local filter = util.filter +local listpairs = util.listpairs +local maplist = util.maplist -ConfigObject = class() -function ConfigObject:init(context, location) +local startswith = require('stringy').startswith + + +M.ConfigObject = M.class() + +function M.ConfigObject:init(context, location) if context then self.context = context self.root = context.objects @@ -33,10 +39,10 @@ function ConfigObject:init(context, location) self.location = location end -function ConfigObject:create(cls, params) +function M.ConfigObject:create(cls, params) if type(cls) == 'string' then local name = cls - cls = awall.loadclass(cls) + cls = loadclass(cls) if not cls then self:error('Support for '..name..' objects not installed') end 
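Review bot: The new `local loadclass = require('awall').loadclass` in model.lua creates a load-time dependency from awall.model back to awall, and it only works because init.lua requires awall.model lazily inside `M.loadmodules` (after `package.loaded['awall']` is set). Anyone who requires `awall.model` before `awall` — a module file, a test — will trigger the cycle, which Lua 5.1 reports as a "loop or previous error loading module" error. This ordering constraint deserves a comment next to the require, e.g. `-- awall.model must not be required before awall itself is loaded: init.lua requires this file only from loadmodules()`.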
@@ -44,30 +50,32 @@ function ConfigObject:create(cls, params) return cls.morph(params, self.context, self.location) end -function ConfigObject:error(msg) - awall.uerror.raise(self.location..': '..msg) -end +function M.ConfigObject:error(msg) raise(self.location..': '..msg) end -function ConfigObject:warning(msg) +function M.ConfigObject:warning(msg) io.stderr:write(self.location..': '..msg..'\n') end -function ConfigObject:trules() return {} end +function M.ConfigObject:trules() return {} end -function ConfigObject:info() +function M.ConfigObject:info() local res = {} for i, trule in ipairs(self:trules()) do - table.insert(res, - {' '..awall.optfrag.location(trule), - (trule.opts and trule.opts..' ' or '')..'-j '..trule.target}) + table.insert( + res, + { + ' '..optfrag.location(trule), + (trule.opts and trule.opts..' ' or '')..'-j '..trule.target + } + ) end return res end -Zone = class(ConfigObject) +M.Zone = M.class(M.ConfigObject) -function Zone:optfrags(dir) +function M.Zone:optfrags(dir) local iopt, aopt, iprop, aprop if dir == 'in' then iopt, aopt, iprop, aprop = 'i', 's', 'in', 'src' @@ -78,8 +86,8 @@ function Zone:optfrags(dir) local aopts = nil if self.addr then aopts = {} - for i, hostdef in util.listpairs(self.addr) do - for i, addr in ipairs(awall.host.resolve(hostdef, self)) do + for i, hostdef in listpairs(self.addr) do + for i, addr in ipairs(resolve(hostdef, self)) do table.insert(aopts, {family=addr[1], [aprop]=addr[2], 
@@ -88,31 +96,32 @@ function Zone:optfrags(dir) end end - return combinations(util.maplist(self.iface, - function(x) - return {[iprop]=x, - opts='-'..iopt..' '..x} - end), - aopts) + return combinations( + maplist( + self.iface, + function(x) return {[iprop]=x, opts='-'..iopt..' '..x} end + ), + aopts + ) end -fwzone = Zone() +M.fwzone = M.Zone() -IPSet = class(ConfigObject) +local IPSet = M.class(M.ConfigObject) function IPSet:init(...) IPSet.super(self):init(...) if not self.type then self:error('Type not defined') end - if stringy.startswith(self.type, 'bitmap:') then + if startswith(self.type, 'bitmap:') then if not self.range then self:error('Range not defined') end self.options = {self.type, 'range', self.range} self.family = 'inet' - elseif stringy.startswith(self.type, 'hash:') then + elseif startswith(self.type, 'hash:') then if not self.family then self:error('Family not defined') end self.options = {self.type, 'family', self.family} 
@@ -122,43 +131,47 @@ function IPSet:init(...) end -Rule = class(ConfigObject) +M.Rule = M.class(M.ConfigObject) -function Rule:init(...) - Rule.super(self):init(...) +function M.Rule:init(...) + M.Rule.super(self):init(...) self.newchains = {} for i, prop in ipairs({'in', 'out'}) do - self[prop] = self[prop] and util.maplist(self[prop], - function(z) - if type(z) ~= 'string' then return z end - return z == '_fw' and fwzone or - self.root.zone[z] or - self:error('Invalid zone: '..z) - end) + self[prop] = self[prop] and maplist( + self[prop], + function(z) + if type(z) ~= 'string' then return z end + return z == '_fw' and M.fwzone or + self.root.zone[z] or + self:error('Invalid zone: '..z) + end + ) end if self.service then if type(self.service) == 'string' then self.label = self.service end - self.service = util.maplist(self.service, - function(s) - if type(s) ~= 'string' then return s end - return self.root.service[s] or self:error('Invalid service: '..s) - end) + self.service = maplist( + self.service, + function(s) + if type(s) ~= 'string' then return s end + return self.root.service[s] or self:error('Invalid service: '..s) + end + ) end end -function Rule:direction(dir) +function M.Rule:direction(dir) if dir == 'in' then return self.reverse and 'out' or 'in' end if dir == 'out' then return self.reverse and 'in' or 'out' end self:error('Invalid direction: '..dir) end -function Rule:zoneoptfrags() +function M.Rule:zoneoptfrags() local function zonepair(zin, zout) @@ -169,10 +182,10 @@ function Rule:zoneoptfrags() local chain, ofrags - if zin == fwzone or zout == fwzone then + if zin == M.fwzone or zout == M.fwzone then if zin == zout then return {} end local dir, z = 'in', zin - if zin == fwzone then dir, z = 'out', zout end + if zin == M.fwzone then dir, z = 'out', zout end chain = dir:upper()..'PUT' ofrags = zofs(z, dir) 
@@ -192,11 +205,12 @@ function Rule:zoneoptfrags() ofrags = combinations(zofs(zin, 'in'), zofs(zout, 'out')) if ofrags and not zout['route-back'] then - ofrags = util.filter(ofrags, - function(of) - return not (of['in'] and of.out and - of['in'] == of.out) - end) + ofrags = filter( + ofrags, + function(of) + return not (of['in'] and of.out and of['in'] == of.out) + end + ) end end @@ -211,7 +225,7 @@ function Rule:zoneoptfrags() for i = 1,math.max(1, table.maxn(izones)) do for j = 1,math.max(1, table.maxn(ozones)) do - util.extend(res, zonepair(izones[i], ozones[j])) + extend(res, zonepair(izones[i], ozones[j])) end end @@ -219,7 +233,7 @@ function Rule:zoneoptfrags() end -function Rule:servoptfrags() +function M.Rule:servoptfrags() if not self.service then return end @@ -227,10 +241,10 @@ function Rule:servoptfrags() local res = {} for i, serv in ipairs(self.service) do - for i, sdef in util.listpairs(serv) do + for i, sdef in listpairs(serv) do if not sdef.proto then self:error('Protocol not defined') end - if util.contains({6, 'tcp', 17, 'udp'}, sdef.proto) then + if contains({6, 'tcp', 17, 'udp'}, sdef.proto) then for family, ports in pairs(fports) do if not sdef.family or family == sdef.family then @@ -239,9 +253,9 @@ function Rule:servoptfrags() if new or ports[sdef.proto][1] then if sdef.port then - util.extend( + extend( ports[sdef.proto], - util.maplist( + maplist( sdef.port, function(p) return tostring(p):gsub('-', ':') end ) @@ -258,10 +272,10 @@ function Rule:servoptfrags() -- TODO multiple ICMP types per rule local oname - if util.contains({1, 'icmp'}, sdef.proto) then + if contains({1, 'icmp'}, sdef.proto) then family = 'inet' oname = 'icmp-type' - elseif util.contains({58, 'ipv6-icmp', 'icmpv6'}, sdef.proto) then + elseif contains({58, 'ipv6-icmp', 'icmpv6'}, sdef.proto) then family = 'inet6' oname = 'icmpv6-type' elseif sdef.type or sdef['reply-type'] then 
@@ -326,21 +340,21 @@ function Rule:servoptfrags() else table.insert(ofrags, {opts=propt}) end end - util.extend(res, combinations(ofrags, {{family=family}})) + extend(res, combinations(ofrags, {{family=family}})) end return res end -function Rule:destoptfrags() - return self:create(Zone, {addr=self.dest}):optfrags(self:direction('out')) +function M.Rule:destoptfrags() + return self:create(M.Zone, {addr=self.dest}):optfrags(self:direction('out')) end -function Rule:table() return 'filter' end +function M.Rule:table() return 'filter' end -function Rule:position() return 'append' end +function M.Rule:position() return 'append' end -function Rule:target() +function M.Rule:target() -- alpine v2.7 compatibility if self.action == 'accept' then self:warning("'accept' action deprecated in favor of 'exclude'") @@ -354,7 +368,7 @@ function Rule:target() end -function Rule:trules() +function M.Rule:trules() local function tag(ofrags, tag, value) for i, ofrag in ipairs(ofrags) do @@ -380,18 +394,19 @@ function Rule:trules() local function ffilter(ofrags) if not ofrags or not ofrags[1] or not families then return ofrags end - return util.filter(ofrags, - function(of) - return not of.family or util.contains(families, - of.family) - end) + return filter( + ofrags, + function(of) + return not of.family or contains(families, of.family) + end + ) end local res = self:zoneoptfrags() if self.ipset then local ipsetofrags = {} - for i, ipset in util.listpairs(self.ipset) do + for i, ipset in listpairs(self.ipset) do if not ipset.name then self:error('Set name not defined') end local setdef = self.root.ipset and self.root.ipset[ipset.name] 
@@ -424,9 +439,10 @@ function Rule:trules() setfamilies(res) - local addrofrags = combinations(self:create(Zone, - {addr=self.src}):optfrags(self:direction('in')), - self:destoptfrags()) + local addrofrags = combinations( + self:create(M.Zone, {addr=self.src}):optfrags(self:direction('in')), + self:destoptfrags() + ) local combined = res if addrofrags then @@ -441,7 +457,7 @@ function Rule:trules() combined = nil break end - util.extend(combined, cc) + extend(combined, cc) end end @@ -458,13 +474,13 @@ function Rule:trules() res = combinations(res, {{target=target}}) if not combined then - util.extend( + extend( res, combinations(addrofrags, {{chain=target, target=self:target()}}) ) end - util.extend(res, self:extraoptfrags()) + extend(res, self:extraoptfrags()) local tbl = self:table() @@ -473,9 +489,7 @@ function Rule:trules() for i, ofrag in ipairs(ofrags) do - if util.contains(awall.iptables.builtin[tbl], ofrag.chain) then - table.insert(res, ofrag) - + if contains(builtin[tbl], ofrag.chain) then table.insert(res, ofrag) else local ofs, recursive if ofrag.chain == 'PREROUTING' then @@ -495,7 +509,7 @@ function Rule:trules() ofrag.chain = nil ofs = combinations(ofs, {ofrag}) if recursive then ofs = convertchains(ofs) end - util.extend(res, ofs) + extend(res, ofs) else table.insert(res, ofrag) end end @@ -508,7 +522,7 @@ function Rule:trules() tag(res, 'table', tbl, false) local function checkzof(ofrag, dir, chains) - if ofrag[dir] and util.contains(chains, ofrag.chain) then + if ofrag[dir] and contains(chains, ofrag.chain) then self:error('Cannot specify '..dir..'bound interface ('..ofrag[dir]..')') end end 
@@ -521,9 +535,9 @@ function Rule:trules() return combinations(res, ffilter({{family='inet'}, {family='inet6'}})) end -function Rule:extraoptfrags() return {} end +function M.Rule:extraoptfrags() return {} end -function Rule:newchain(key) +function M.Rule:newchain(key) if self.newchains[key] then return self.newchains[key] end if not self.context.lastid then self.context.lastid = {} end @@ -540,4 +554,6 @@ function Rule:newchain(key) end -export = {zone={class=Zone}, ipset={class=IPSet, before='%modules'}} +M.export = {zone={class=M.Zone}, ipset={class=IPSet, before='%modules'}} + +return M diff --git a/awall/modules/clampmss.lua b/awall/modules/clampmss.lua index 9dcf402..e991e1e 100644 --- a/awall/modules/clampmss.lua +++ b/awall/modules/clampmss.lua @@ -1,15 +1,11 @@ --[[ TCP MSS clamping module for Alpine Wall -Copyright (C) 2012-2013 Kaarle Ritvanen +Copyright (C) 2012-2014 Kaarle Ritvanen See LICENSE file for license details ]]-- -module(..., package.seeall) - -require 'awall.model' - -local model = awall.model +local model = require('awall.model') local ClampMSSRule = model.class(model.Rule) @@ -25,4 +21,4 @@ function ClampMSSRule:target() end -export = {['clamp-mss']={class=ClampMSSRule, before='tproxy'}} +return {export={['clamp-mss']={class=ClampMSSRule, before='tproxy'}}} diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua index e878d8f..cb1d66d 100644 --- a/awall/modules/filter.lua +++ b/awall/modules/filter.lua 
@@ -5,20 +5,23 @@ See LICENSE file for license details ]]-- -module(..., package.seeall) +local resolve = require('awall.host') -local resolve = require('awall.host').resolve local model = require('awall.model') +local class = model.class +local Rule = model.Rule + local combinations = require('awall.optfrag').combinations local util = require('awall.util') +local contains = util.contains local extend = util.extend local listpairs = util.listpairs local RECENT_MAX_COUNT = 20 -local RelatedRule = model.class(model.Rule) +local RelatedRule = class(Rule) function RelatedRule:servoptfrags() local helpers = {} @@ -39,7 +42,7 @@ end function RelatedRule:target() return 'ACCEPT' end -local Filter = model.class(model.Rule) +local Filter = class(Rule) function Filter:init(...) Filter.super(self):init(...) @@ -47,7 +50,7 @@ function Filter:init(...) if not self.action then self.action = 'accept' end -- alpine v2.4 compatibility - if util.contains({'logdrop', 'logreject'}, self.action) then + if contains({'logdrop', 'logreject'}, self.action) then self:warning('Deprecated action: '..self.action) self.action = self.action:sub(4, -1) end @@ -176,7 +179,7 @@ end function Filter:actiontarget() if self.action == 'tarpit' then return 'tarpit' end - if util.contains({'accept', 'drop', 'reject'}, self.action) then + if contains({'accept', 'drop', 'reject'}, self.action) then return self.action:upper() end self:error('Invalid filter action: '..self.action) @@ -250,14 +253,14 @@ end -local Policy = model.class(Filter) +local Policy = class(Filter) function Policy:servoptfrags() return nil end local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}} -function stateful(config) +local function stateful(config) local res = {} for i, family in ipairs{'inet', 'inet6'} do 
@@ -286,7 +289,7 @@ function stateful(config) for i, sdef in listpairs(serv) do if sdef['ct-helper'] then local of = combinations( - model.Rule.morph{service={sdef}}:servoptfrags(), + Rule.morph{service={sdef}}:servoptfrags(), {{family=family}} ) if of[1] then @@ -337,14 +340,14 @@ end icmprules(icmp, 'icmp-type', {3, 11, 12}) icmprules(icmp6, 'icmpv6-type', {1, 2, 3, 4}) -export = { - filter={class=Filter, before={'dnat', 'no-track'}}, - policy={class=Policy, after='%filter-after'}, - ['%filter-before']={rules=stateful, before='filter'}, - ['%filter-after']={rules=ir, after='filter'} +return { + export={ + filter={class=Filter, before={'dnat', 'no-track'}}, + policy={class=Policy, after='%filter-after'}, + ['%filter-before']={rules=stateful, before='filter'}, + ['%filter-after']={rules=ir, after='filter'} + }, + achains=combinations( + {{chain='tarpit'}}, {{opts='-p tcp', target='TARPIT'}, {target='DROP'}} + ) } - -achains = combinations({{chain='tarpit'}}, - {{opts='-p tcp', target='TARPIT'}, - {target='DROP'}}) - diff --git a/awall/modules/log.lua b/awall/modules/log.lua index 2ece446..eba6cd5 100644 --- a/awall/modules/log.lua +++ b/awall/modules/log.lua @@ -5,13 +5,13 @@ See LICENSE file for license details ]]-- -module(..., package.seeall) - local model = require('awall.model') +local class = model.class + local combinations = require('awall.optfrag').combinations -local Log = model.class(model.ConfigObject) +local Log = class(model.ConfigObject) function Log:matchofrag() local selector, opts @@ -78,7 +78,7 @@ function Log.get(rule, spec, default) end -local LogRule = model.class(model.Rule) +local LogRule = class(model.Rule) function LogRule:init(...) LogRule.super(self):init(...) @@ -95,7 +95,9 @@ end function LogRule:target() return self.log:target() end -export = { - log={class=Log}, - ['packet-log']={class=LogRule, after='%filter-after'} + +return { + export={ + log={class=Log}, ['packet-log']={class=LogRule, after='%filter-after'} + } } 
diff --git a/awall/modules/mark.lua b/awall/modules/mark.lua index 43122d9..a6bb8b8 100644 --- a/awall/modules/mark.lua +++ b/awall/modules/mark.lua @@ -5,13 +5,11 @@ See LICENSE file for license details ]]-- -module(..., package.seeall) - local model = require('awall.model') local class = model.class local combinations = require('awall.optfrag').combinations -local util = require('awall.util') +local list = require('awall.util').list local MarkRule = class(model.Rule) @@ -45,7 +43,7 @@ end local function restoremark(config) - if util.list(config['route-track'])[1] then + if list(config['route-track'])[1] then return combinations( {{family='inet'}, {family='inet6'}}, {{chain='OUTPUT'}, {chain='PREROUTING'}}, @@ -61,8 +59,10 @@ local function restoremark(config) end -export = { - mark={class=MarkRule}, - ['route-track']={class=RouteTrackRule, before='mark'}, - ['%mark-restore']={rules=restoremark, before='route-track'} +return { + export={ + mark={class=MarkRule}, + ['route-track']={class=RouteTrackRule, before='mark'}, + ['%mark-restore']={rules=restoremark, before='route-track'} + } } diff --git a/awall/modules/masquerade.lua b/awall/modules/masquerade.lua index 72a36bd..cc549f8 100644 --- a/awall/modules/masquerade.lua +++ b/awall/modules/masquerade.lua 
@@ -1,31 +1,31 @@ --[[ IPSet-based masquerading module for Alpine Wall -Copyright (C) 2012-2013 Kaarle Ritvanen +Copyright (C) 2012-2014 Kaarle Ritvanen See LICENSE file for license details ]]-- -module(..., package.seeall) - -- TODO configuration of the ipset via JSON config -export = { - ['%masquerade']={ - rules={ - { - family='inet', - table='nat', - chain='POSTROUTING', - opts='-m set --match-set awall-masquerade src', - target='awall-masquerade' +return { + export={ + ['%masquerade']={ + rules={ + { + family='inet', + table='nat', + chain='POSTROUTING', + opts='-m set --match-set awall-masquerade src', + target='awall-masquerade' + }, + { + family='inet', + table='nat', + chain='awall-masquerade', + opts='-m set ! --match-set awall-masquerade dst', + target='MASQUERADE' + } }, - { - family='inet', - table='nat', - chain='awall-masquerade', - opts='-m set ! --match-set awall-masquerade dst', - target='MASQUERADE' - } - }, - after='snat' + after='snat' + } } } diff --git a/awall/modules/nat.lua b/awall/modules/nat.lua index 6f696d4..c628e36 100644 --- a/awall/modules/nat.lua +++ b/awall/modules/nat.lua @@ -5,15 +5,13 @@ See LICENSE file for license details ]]-- -module(..., package.seeall) +local model = require('awall.model') +local class = model.class -require 'awall.model' -require 'awall.util' +local contains = require('awall.util').contains -local model = awall.model - -local NATRule = model.class(model.Rule) +local NATRule = class(model.Rule) -- alpine v2.4 compatibility function NATRule:init(...) @@ -30,7 +28,7 @@ end function NATRule:trules() local res = {} for i, ofrags in ipairs(NATRule.super(self):trules()) do - if not awall.util.contains(self.params.chains, ofrags.chain) then + if not contains(self.params.chains, ofrags.chain) then self:error('Inappropriate zone definitions for a '..self.params.target..' rule') end if ofrags.family == 'inet' then table.insert(res, ofrags) end 
@@ -58,7 +56,7 @@ function NATRule:target()
 end
-local DNATRule = model.class(NATRule)
+local DNATRule = class(NATRule)
 function DNATRule:init(...)
 DNATRule.super(self):init(...)
@@ -68,7 +66,7 @@ function DNATRule:init(...)
 end
-local SNATRule = model.class(NATRule)
+local SNATRule = class(NATRule)
 function SNATRule:init(...)
 SNATRule.super(self):init(...)
@@ -78,7 +76,4 @@ function SNATRule:init(...)
 end
-export = {
- dnat={class=DNATRule},
- snat={class=SNATRule}
-}
+return {export={dnat={class=DNATRule}, snat={class=SNATRule}}}
diff --git a/awall/modules/notrack.lua b/awall/modules/notrack.lua
index ba9fa72..9821672 100644
--- a/awall/modules/notrack.lua
+++ b/awall/modules/notrack.lua
@@ -5,11 +5,7 @@ See LICENSE file for license details
 ]]--
-module(..., package.seeall)
-
-require 'awall.model'
-
-local model = awall.model
+local model = require('awall.model')
 local NoTrackRule = model.class(model.Rule)
@@ -21,4 +17,4 @@ function NoTrackRule:target()
 end
-export = {['no-track']={class=NoTrackRule}}
+return {export={['no-track']={class=NoTrackRule}}}
diff --git a/awall/modules/tproxy.lua b/awall/modules/tproxy.lua
index 8ea8893..0451500 100644
--- a/awall/modules/tproxy.lua
+++ b/awall/modules/tproxy.lua
@@ -5,8 +5,6 @@ See LICENSE file for license details
 ]]--
-module(..., package.seeall)
-
 local model = require('awall.model')
 local combinations = require('awall.optfrag').combinations
@@ -68,7 +66,9 @@ local function divert(config)
 end
-export = {
- tproxy={class=TProxyRule, before='%mark-restore'},
- ['%tproxy-divert']={rules=divert, before='tproxy'}
+return {
+ export={
+ tproxy={class=TProxyRule, before='%mark-restore'},
+ ['%tproxy-divert']={rules=divert, before='tproxy'}
+ }
 }
diff --git a/awall/optfrag.lua b/awall/optfrag.lua
index 56fbd88..80c7acc 100644
--- a/awall/optfrag.lua
+++ b/awall/optfrag.lua
@@ -5,18 +5,18 @@ See LICENSE file for license details
 ]]--
-module(..., package.seeall)
+local M = {}
-function combinations(of1, ...)
+function M.combinations(of1, ...)
 local arg = {...}
 if #arg == 0 then return of1 end
- if not of1 then return combinations(...) end
+ if not of1 then return M.combinations(...) end
 local of2 = arg[1]
 table.remove(arg, 1)
- if not of2 then return combinations(of1, unpack(arg)) end
+ if not of2 then return M.combinations(of1, unpack(arg)) end
 local res = {}
 for i, x in ipairs(of1) do
@@ -48,7 +48,9 @@ function combinations(of1, ...)
 end
 end
- return combinations(res, unpack(arg))
+ return M.combinations(res, unpack(arg))
 end
-function location(of) return of.family..'/'..of.table..'/'..of.chain end
+function M.location(of) return of.family..'/'..of.table..'/'..of.chain end
+
+return M
diff --git a/awall/policy.lua b/awall/policy.lua
index 1d66656..8f13dd1 100644
--- a/awall/policy.lua
+++ b/awall/policy.lua
@@ -4,13 +4,9 @@ Copyright (C) 2012-2014 Kaarle Ritvanen
 See LICENSE file for license details
 ]]--
-module(..., package.seeall)
-require 'json'
-require 'lfs'
-
-require 'awall.dependency'
-local class = require('awall.object').class
+local resolve = require('awall.dependency')
+local class = require('awall.class')
 local raise = require('awall.uerror').raise
 local util = require('awall.util')
@@ -18,6 +14,10 @@ local contains = util.contains
 local listpairs = util.listpairs
+local json = require('json')
+local lfs = require('lfs')
+
+
 local PolicyConfig = class()
 function PolicyConfig:init(data, source, policies)
@@ -102,7 +102,7 @@ local defdirs = {
 private={'/etc/awall/private', '/usr/share/awall/private'}
 }
-PolicySet = class()
+local PolicySet = class()
 function PolicySet:init(dirs)
 local confdir = (dirs.mandatory or defdirs.mandatory)[1]
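Review bot: The added lines `return M.combinations(of1, unpack(arg))` and `return M.combinations(res, unpack(arg))` still call the bare global `unpack`, which exists only in Lua 5.1/LuaJIT; on 5.2 and later it is `table.unpack`. If dropping `module(..., package.seeall)` is meant to move the code toward 5.2 compatibility, as the rest of the change suggests, alias it once next to the new module table: `local unpack = table.unpack or unpack`. The `f(unpack(arg))` call inside `M.call` in uerror.lua has the same dependency and would take the same alias.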
@@ -189,7 +189,7 @@ function PolicySet:load()
 end
- local order = awall.dependency.order(imported)
+ local order = resolve(imported)
 if type(order) ~= 'table' then
 raise('Circular ordering directives: '..order)
 end
@@ -227,3 +227,5 @@ function PolicySet:load()
 return PolicyConfig(input, source, util.keys(imported))
 end
+
+return PolicySet
diff --git a/awall/uerror.lua b/awall/uerror.lua
index 6b6e875..3acf517 100644
--- a/awall/uerror.lua
+++ b/awall/uerror.lua
@@ -4,13 +4,14 @@ Copyright (C) 2012-2014 Kaarle Ritvanen
 See LICENSE file for license details
 ]]--
-module(..., package.seeall)
+
+local M = {}
 local prefix = 'awall user error: '
-function raise(msg) error(prefix..msg) end
+function M.raise(msg) error(prefix..msg) end
-function call(f, ...)
+function M.call(f, ...)
 local arg = {...}
 return xpcall(
 function() f(unpack(arg)) end,
@@ -22,3 +23,5 @@ function call(f, ...)
 end
 )
 end
+
+return M
diff --git a/awall/util.lua b/awall/util.lua
index 2d0c445..019a078 100644
--- a/awall/util.lua
+++ b/awall/util.lua
@@ -5,9 +5,9 @@ See LICENSE file for license details
 ]]--
-module(..., package.seeall)
+local M = {}
-function split(s, sep)
+function M.split(s, sep)
 if s == '' then return {} end
 local res = {}
 while true do
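Review bot: `raise('Circular ordering directives: '..order)` concatenates whatever non-table value the new `resolve(imported)` call returned; if `awall.dependency` (its diff is not visible here) can signal failure with `nil` or a boolean, the `..` operator itself throws a plain Lua error and the user-facing prefix added by `uerror.raise` is lost. Wrapping the value, `raise('Circular ordering directives: '..tostring(order))`, keeps the message path intact regardless of what `resolve` returns. `PolicySet:load` continues outside the hunk on both sides.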
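Review bot: `M.call` captures its arguments as `local arg = {...}` and re-expands them with `unpack(arg)`, which relies on `#arg` and therefore silently drops any trailing `nil` arguments before `f` sees them. Recording the count explicitly avoids that: `local n = select('#', ...)` alongside the existing capture, and `function() f(unpack(arg, 1, n)) end` in the xpcall. This is likely harmless for the caller in awall-cli, which appears to pass a single closure, but the wrapper is general-purpose; the body of `M.call` continues outside the hunk.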
@@ -21,85 +21,83 @@ function split(s, sep)
 end
 end
-function list(var)
+function M.list(var)
 if not var then return {} end
 if type(var) ~= 'table' then return {var} end
 if not next(var) then return {} end
 return var[1] and var or {var}
 end
-function listpairs(var)
- return ipairs(list(var))
-end
+function M.listpairs(var) return ipairs(M.list(var)) end
-function filter(var, func)
+function M.filter(var, func)
 local res = {}
 for i, v in ipairs(var) do if func(v) then table.insert(res, v) end end
 return res
 end
-function map(var, func)
+function M.map(var, func)
 local res = {}
 for k, v in pairs(var) do res[k] = func(v) end
 return res
 end
-function maplist(var, func)
+function M.maplist(var, func)
 if not var then return var end
- return map(list(var), func)
+ return M.map(M.list(var), func)
 end
-function contains(tbl, value)
- for k, v in listpairs(tbl) do if v == value then return true end end
+function M.contains(tbl, value)
+ for k, v in M.listpairs(tbl) do if v == value then return true end end
 return false
 end
-function keys(tbl)
+function M.keys(tbl)
 local res = {}
 for k, v in pairs(tbl) do table.insert(res, k) end
 return res
 end
-function values(tbl)
+function M.values(tbl)
 local res = {}
 for k, v in pairs(tbl) do table.insert(res, v) end
 return res
 end
-function sortedkeys(tbl)
- local res = keys(tbl)
+function M.sortedkeys(tbl)
+ local res = M.keys(tbl)
 table.sort(res)
 return ipairs(res)
 end
-function extend(tbl1, tbl2)
- for i, var in listpairs(tbl2) do table.insert(tbl1, var) end
+function M.extend(tbl1, tbl2)
+ for i, var in M.listpairs(tbl2) do table.insert(tbl1, var) end
 end
-function update(tbl1, tbl2)
+function M.update(tbl1, tbl2)
 if tbl2 then for k, v in pairs(tbl2) do tbl1[k] = v end end
 return tbl1
 end
-function copy(tbl) return update({}, tbl) end
+function M.copy(tbl) return M.update({}, tbl) end
-function compare(a, b)
+function M.compare(a, b)
 local t = type(a)
 if t ~= type(b) then return false end
 if t ~= 'table' then return a == b end
 local keys = {}
 for k, v in pairs(a) do
- if not compare(v, b[k]) then return false end
+ if not M.compare(v, b[k]) then return false end
 table.insert(keys, k)
 end
 for k, v in pairs(b) do
- if not contains(keys, k) then return false end
+ if not M.contains(keys, k) then return false end
 end
 return true
 end
-function printtabulars(tables)
+function M.printtabulars(tables)
 local colwidth = {}
 for i, tbl in ipairs(tables) do
 for j, row in ipairs(tbl) do
@@ -123,4 +121,6 @@ function printtabulars(tables)
 end
 end
-function printtabular(tbl) printtabulars({tbl}) end
+function M.printtabular(tbl) M.printtabulars({tbl}) end
+
+return M
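Review bot: `M.list` is the normalisation primitive that `M.listpairs`, `M.maplist`, `M.contains` and `M.extend` all build on, yet its four-way coercion is undocumented and has to be re-derived from the body each time. A header in LDoc form would settle it: `--- Coerce a config value into a list: nil -> {}, a non-table -> {value}, an empty table -> {}, a sequence -> itself, any other table (an object) -> {object}.` Note also that `M.maplist` returns `var` itself rather than `{}` when `var` is falsy, so unlike `M.list` its result is not always a table; a one-line comment there, `-- returns var unchanged (nil/false), not {}, for a falsy input`, would stop callers assuming otherwise.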