authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2013-05-21 13:41:55 +0300
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2013-05-21 13:41:55 +0300
commit4d835e9db2be5b912b963e165f97b71822f664fa (patch)
tree05ee156a7ae946aa60867e85256995893a81b984 /acf
parent4c65f31abb5695fac3a42a784894d2f6de5869ab (diff)
awall module: add support for new features
Diffstat (limited to 'acf')
-rw-r--r--acf/modules/awall.lua52
1 files changed, 34 insertions, 18 deletions
diff --git a/acf/modules/awall.lua b/acf/modules/awall.lua
index 76f9943..ed6f45d 100644
--- a/acf/modules/awall.lua
+++ b/acf/modules/awall.lua
@@ -9,7 +9,7 @@ local M = require('acf.model')
local object = require('acf.object')
-Direction = object.class(M.String)
+local Direction = object.class(M.String)
function Direction:init()
object.super(self, Direction):init{choice={'in', 'out'}}
end
@@ -17,33 +17,41 @@ end
-- TODO reference types?
-IPSet = M.new()
+local IPSet = M.new()
-- TODO choices
IPSet.type = M.String{required=true}
IPSet.family = M.String{required=true, choice={'inet', 'inet6'}}
+-- TODO only for bitmaps
+IPSet.range = M.Range{type=M.net.IPv4Address}
-Service = M.new()
+local Service = M.new()
Service.proto = M.String{required=true}
Service.port = M.Collection{type=M.Range{type=M.net.Port}}
Service['icmp-type'] = M.String
+Service['ct-helper'] = M.String
-- TODO fw zone
-Zone = M.new()
+local Zone = M.new()
Zone.iface = M.Set{type=M.String}
Zone.addr = M.Set{type=M.String}
Zone['route-back'] = M.Boolean{default=false}
-LogClass = M.new()
+local LogClass = M.new()
LogClass.mode = M.String{default='log', choice={'log', 'nflog', 'ulog'}}
+LogClass.every = M.Integer
LogClass.limit = M.Integer
LogClass.prefix = M.String
+LogClass.probability = M.Number
+LogClass.group = M.Integer
+LogClass.range = M.Integer
+LogClass.threshold = M.Integer
-IPSetReference = M.new()
+local IPSetReference = M.new()
IPSetReference.name = M.Reference{scope='../../../ipset', required=true}
IPSetReference.args = M.Collection{type=Direction, required=true}
-Rule = M.new()
+local Rule = M.new()
Rule['in'] = M.Collection{type=M.Reference{scope='../../../zone'}}
Rule.out = M.Collection{type=M.Reference{scope='../../../zone'}}
Rule.src = M.Collection{type=M.String}
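Review bot: `Service['ct-helper'] = M.String` accepts any string, while the sibling fields added or kept in this hunk that have a fixed value set (`IPSet.family`, `LogClass.mode`) constrain it with `choice=`. Presumably the name ends up as the helper argument of a netfilter CT rule, so an arbitrary value is at best a rule-load failure and, should the generated command line ever pass through a shell, an injection vector; restricting it at validation time — `choice={...}` over the helper names the backend supports, or a pattern check if M.String offers one — would reject it before it reaches the firewall. Two smaller gaps in the same hunk: `IPSet.range` is typed `M.net.IPv4Address` regardless of `IPSet.family`, so an `inet6` bitmap set cannot express its range, and `LogClass.probability = M.Number` has no 0..1 bound even though a probability outside that range is meaningless.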
@@ -54,45 +62,53 @@ Rule.service = M.Collection{type=M.Reference{scope='../../../service'}}
Rule.action = M.String{choice={'accept'}}
+local PacketLogRule = M.new(Rule)
+PacketLogRule.log = M.Reference{scope='../../log'}
+
-- TODO no service field
-PolicyRule = M.new(Rule)
-PolicyRule.log = M.Reference{scope='../../log'}
-PolicyRule.action = M.String{required=true,
- choice={'accept', 'drop', 'reject', 'tarpit'}}
+local PolicyRule = M.new(PacketLogRule)
+PolicyRule.action = M.String{
+ required=true, choice={'accept', 'drop', 'reject', 'tarpit'}
+}
-Limit = M.new()
+local Limit = M.new()
Limit.count = M.Integer
Limit.interval = M.Integer
Limit.log = M.Reference{scope='../../../log'}
-FilterRule = M.new(PolicyRule)
+local FilterRule = M.new(PolicyRule)
FilterRule['conn-limit'] = Limit
FilterRule['flow-limit'] = Limit
FilterRule.dnat = M.net.IPv4Address
FilterRule['no-track'] = M.Boolean{default=false}
+FilterRule.related = M.Collection{type=Rule}
+
+local DivertRule = M.new(Rule)
+DivertRule['to-port'] = M.Range{type=M.net.Port}
-NATRule = M.new(Rule)
+local NATRule = M.new(DivertRule)
NATRule['to-addr'] = M.Range{type=M.net.IPv4Address}
-NATRule['to-port'] = M.Range{type=M.net.Port}
-MarkRule = M.new(Rule)
+local MarkRule = M.new(Rule)
MarkRule.mark = M.Integer{required=true}
-ClampMSSRule = M.new(Rule)
+local ClampMSSRule = M.new(Rule)
ClampMSSRule.mss = M.Integer
-AWall = M.new()
+local AWall = M.new()
-- TODO differentiate lists?
AWall.service = M.Collection{type=M.Collection{type=Service}}
AWall.zone = M.Collection{type=Zone}
AWall.log = M.Collection{type=LogClass}
AWall.policy = M.Collection{type=PolicyRule}
+AWall['packet-log'] = M.Collection{type=PacketLogRule}
AWall.filter = M.Collection{type=FilterRule}
AWall.dnat = M.Collection{type=NATRule}
AWall.snat = M.Collection{type=NATRule}
AWall.mark = M.Collection{type=MarkRule}
AWall['route-track'] = M.Collection{type=MarkRule}
+AWall.tproxy = M.Collection{type=DivertRule}
AWall['clamp-mss'] = M.Collection{type=ClampMSSRule}
AWall['no-track'] = M.Collection{type=Rule}
AWall.ipset = M.Collection{type=IPSet}
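Review bot: `FilterRule.related = M.Collection{type=Rule}` nests Rule one collection deeper than anywhere it was used before, but Rule's references are written with a fixed relative depth (`'../../../zone'` for `in`/`out`, `'../../../service'` per the hunk header), so from `filter[i].related[j]` they would presumably resolve against `filter[i]` instead of the document root, and any zone or service named in a related rule would fail to validate — unless M.Reference interprets scope strings differently than their form suggests. The same concern applies to `IPSetReference.name` (`'../../../ipset'`) if Rule also carries an ipset field, which lies between the hunks. A dedicated `local RelatedRule = M.new(Rule)` that re-declares `in`, `out` and `service` with two more `../` segments (overriding inherited fields is already done for `PolicyRule.action`), or an absolute scope if the model library supports one, would keep the references anchored; failing that, a `-- TODO reference scope is wrong when nested` next to the field would at least flag it.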