author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2013-05-21 13:41:55 +0300 |
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2013-05-21 13:41:55 +0300 |
commit | 4d835e9db2be5b912b963e165f97b71822f664fa (patch) | |
tree | 05ee156a7ae946aa60867e85256995893a81b984 /acf | |
parent | 4c65f31abb5695fac3a42a784894d2f6de5869ab (diff) | |
awall module: add support for new features
Diffstat (limited to 'acf')
-rw-r--r-- | acf/modules/awall.lua | 52 |
1 files changed, 34 insertions, 18 deletions
diff --git a/acf/modules/awall.lua b/acf/modules/awall.lua
index 76f9943..ed6f45d 100644
--- a/acf/modules/awall.lua
+++ b/acf/modules/awall.lua
@@ -9,7 +9,7 @@ local M = require('acf.model')
 local object = require('acf.object')
-Direction = object.class(M.String)
+local Direction = object.class(M.String)
 function Direction:init()
 object.super(self, Direction):init{choice={'in', 'out'}}
 end
@@ -17,33 +17,41 @@ end
 -- TODO reference types?
-IPSet = M.new()
+local IPSet = M.new()
 -- TODO choices
 IPSet.type = M.String{required=true}
 IPSet.family = M.String{required=true, choice={'inet', 'inet6'}}
+-- TODO only for bitmaps
+IPSet.range = M.Range{type=M.net.IPv4Address}
-Service = M.new()
+local Service = M.new()
 Service.proto = M.String{required=true}
 Service.port = M.Collection{type=M.Range{type=M.net.Port}}
 Service['icmp-type'] = M.String
+Service['ct-helper'] = M.String
 -- TODO fw zone
-Zone = M.new()
+local Zone = M.new()
 Zone.iface = M.Set{type=M.String}
 Zone.addr = M.Set{type=M.String}
 Zone['route-back'] = M.Boolean{default=false}
-LogClass = M.new()
+local LogClass = M.new()
 LogClass.mode = M.String{default='log', choice={'log', 'nflog', 'ulog'}}
+LogClass.every = M.Integer
 LogClass.limit = M.Integer
 LogClass.prefix = M.String
+LogClass.probability = M.Number
+LogClass.group = M.Integer
+LogClass.range = M.Integer
+LogClass.threshold = M.Integer
-IPSetReference = M.new()
+local IPSetReference = M.new()
 IPSetReference.name = M.Reference{scope='../../../ipset', required=true}
 IPSetReference.args = M.Collection{type=Direction, required=true}
-Rule = M.new()
+local Rule = M.new()
 Rule['in'] = M.Collection{type=M.Reference{scope='../../../zone'}}
 Rule.out = M.Collection{type=M.Reference{scope='../../../zone'}}
 Rule.src = M.Collection{type=M.String}
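Review bot: `LogClass.probability = M.Number` and the new `every`/`group`/`range`/`threshold` integers in the LogClass block carry no bound, while `LogClass.mode` just above them is `choice`-restricted; whether `M.Number` or `M.Integer` accept a range option is not visible in this hunk, so at minimum the expected ranges should be recorded (probability presumably a 0..1 value, the others presumably non-negative). `Service['ct-helper'] = M.String` is likewise a free-form string, and the `-- TODO choices` already left on `IPSet.type` appears to apply to it as well, since both name things the generator will presumably pass through to the firewall. A comment such as `-- TODO bound probability (0..1) and the other log parameters; restrict ct-helper to known helpers` placed above `LogClass.every` would keep that intent visible until the model supports the constraint.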
@@ -54,45 +62,53 @@ Rule.service = M.Collection{type=M.Reference{scope='../../../service'}}
 Rule.action = M.String{choice={'accept'}}
+local PacketLogRule = M.new(Rule)
+PacketLogRule.log = M.Reference{scope='../../log'}
+
 -- TODO no service field
-PolicyRule = M.new(Rule)
-PolicyRule.log = M.Reference{scope='../../log'}
-PolicyRule.action = M.String{required=true,
- choice={'accept', 'drop', 'reject', 'tarpit'}}
+local PolicyRule = M.new(PacketLogRule)
+PolicyRule.action = M.String{
+ required=true, choice={'accept', 'drop', 'reject', 'tarpit'}
+}
-Limit = M.new()
+local Limit = M.new()
 Limit.count = M.Integer
 Limit.interval = M.Integer
 Limit.log = M.Reference{scope='../../../log'}
-FilterRule = M.new(PolicyRule)
+local FilterRule = M.new(PolicyRule)
 FilterRule['conn-limit'] = Limit
 FilterRule['flow-limit'] = Limit
 FilterRule.dnat = M.net.IPv4Address
 FilterRule['no-track'] = M.Boolean{default=false}
+FilterRule.related = M.Collection{type=Rule}
+
+local DivertRule = M.new(Rule)
+DivertRule['to-port'] = M.Range{type=M.net.Port}
-NATRule = M.new(Rule)
+local NATRule = M.new(DivertRule)
 NATRule['to-addr'] = M.Range{type=M.net.IPv4Address}
-NATRule['to-port'] = M.Range{type=M.net.Port}
-MarkRule = M.new(Rule)
+local MarkRule = M.new(Rule)
 MarkRule.mark = M.Integer{required=true}
-ClampMSSRule = M.new(Rule)
+local ClampMSSRule = M.new(Rule)
 ClampMSSRule.mss = M.Integer
-AWall = M.new()
+local AWall = M.new()
 -- TODO differentiate lists?
 AWall.service = M.Collection{type=M.Collection{type=Service}}
 AWall.zone = M.Collection{type=Zone}
 AWall.log = M.Collection{type=LogClass}
 AWall.policy = M.Collection{type=PolicyRule}
+AWall['packet-log'] = M.Collection{type=PacketLogRule}
 AWall.filter = M.Collection{type=FilterRule}
 AWall.dnat = M.Collection{type=NATRule}
 AWall.snat = M.Collection{type=NATRule}
 AWall.mark = M.Collection{type=MarkRule}
 AWall['route-track'] = M.Collection{type=MarkRule}
+AWall.tproxy = M.Collection{type=DivertRule}
 AWall['clamp-mss'] = M.Collection{type=ClampMSSRule}
 AWall['no-track'] = M.Collection{type=Rule}
 AWall.ipset = M.Collection{type=IPSet} |
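Review bot: `AWall` becomes `local` in this hunk, but the end of the module — where the table would have to be returned or otherwise exported — lies outside the hunk, so I cannot confirm that `require` callers still reach the model now that the global is gone; worth checking that a `return AWall` (or equivalent) exists below. `FilterRule.related = M.Collection{type=Rule}` takes plain `Rule` elements, whose `action` is limited to `'accept'` by the `Rule.action = M.String{choice={'accept'}}` context line at the top of the hunk; if that restriction is intended for related-traffic rules, a comment `-- related rules inherit Rule.action, i.e. accept only` above it would make that explicit rather than implicit in the inheritance. The new bases `PacketLogRule` and `DivertRule` would likewise benefit from one-line comments stating that they exist to share `log` between policy and packet-log rules and `to-port` between dnat/snat and tproxy rules respectively, since those relationships are only visible by following `M.new(...)` arguments across the file.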