Diffstat (limited to 'awall/iptables.lua')
-rw-r--r--awall/iptables.lua49
1 files changed, 33 insertions, 16 deletions
diff --git a/awall/iptables.lua b/awall/iptables.lua
index bade70c..d4de949 100644
--- a/awall/iptables.lua
+++ b/awall/iptables.lua
@@ -7,7 +7,16 @@ Licensed under the terms of GPL2
module(..., package.seeall)
-local iptfiles = {ip4='iptables', ip6='ip6tables'}
+require 'lpc'
+
+require 'awall.util'
+contains = awall.util.contains
+
+local families = {ip4={cmd='iptables-restore', file='rules-save'},
+ ip6={cmd='ip6tables-restore', file='rules6-save'}}
+
+local builtin = {'INPUT', 'FORWARD', 'OUTPUT',
+ 'PREROUTING', 'POSTROUTING'}
config = {}
setmetatable(config,
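Review bot: `contains = awall.util.contains` is assigned without `local`, and under the `module(..., package.seeall)` header above it becomes a public field of this module (`awall.iptables.contains`) rather than the private alias it appears intended to be; `local contains = awall.util.contains` keeps it file-scoped. The two bare `require` calls likewise rely on package.seeall to reach the globals `lpc` and `awall`; binding the result, `local lpc = require 'lpc'`, is the conventional form and does not depend on how the module environment is set up.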
@@ -17,22 +26,30 @@ setmetatable(config,
return t[k]
end})
-function dump()
- for family, tbls in pairs(config) do
- local iptfile = io.output('output/'..iptfiles[family])
- iptfile:write('# '..iptfiles[family]..' generated by awall\n')
- for tbl, chains in pairs(tbls) do
- iptfile:write('*'..tbl..'\n')
- for chain, rules in pairs(chains) do
- iptfile:write(':'..chain..' '..(chain == string.upper(chain) and
- 'DROP' or '-')..' [0:0]\n')
- end
- for chain, rules in pairs(chains) do
- for i, rule in ipairs(rules) do
- iptfile:write('-A '..chain..' '..rule..'\n')
- end
+local function dumpfile(family, iptfile)
+ iptfile:write('# '..families[family].file..' generated by awall\n')
+ for tbl, chains in pairs(config[family]) do
+ iptfile:write('*'..tbl..'\n')
+ for chain, rules in pairs(chains) do
+ iptfile:write(':'..chain..' '..(contains(builtin, chain) and
+ 'DROP' or '-')..' [0:0]\n')
+ end
+ for chain, rules in pairs(chains) do
+ for i, rule in ipairs(rules) do
+ iptfile:write('-A '..chain..' '..rule..'\n')
end
- iptfile:write('COMMIT\n')
end
+ iptfile:write('COMMIT\n')
+ end
+end
+
+function dump(dir)
+ for family, tbls in pairs(config) do
+ local pid, stdin = lpc.run(families[family].cmd, '-t')
+ dumpfile(family, stdin)
+ stdin:close()
+ assert(lpc.wait(pid) == 0)
+
+ dumpfile(family, io.output(dir..'/'..families[family].file))
end
end
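Review bot: The `-t` dry run through `lpc.run`/`lpc.wait` is what keeps an unloadable ruleset out of the saved file, but when the restore tool rejects the rules the only diagnostic is Lua's bare "assertion failed!", which tells the operator nothing about which family or command failed; `assert(lpc.wait(pid) == 0, families[family].cmd..' -t rejected the generated rules for '..family)`. The handle returned by `io.output(dir..'/'..families[family].file)` on the last added line is never closed, so the saved rules are flushed only when the handle is collected or the process exits; `local f = io.output(dir..'/'..families[family].file); dumpfile(family, f); f:close()`. Writing straight to the final path also means a failure mid-write leaves a truncated rules-save where whatever later restores it will read it — writing to a temporary name and `os.rename`-ing it into place would make the replacement atomic. Note too that `contains(builtin, chain)` assigns a DROP policy to every builtin chain regardless of table, and the list includes PREROUTING/POSTROUTING, which only exist outside the filter table; if config carries nat, mangle or raw tables, the policy there would presumably need to be ACCEPT.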