Diffstat (limited to 'acf/modules/awall.lua')
-rw-r--r-- | acf/modules/awall.lua | 103 |
1 files changed, 67 insertions, 36 deletions
diff --git a/acf/modules/awall.lua b/acf/modules/awall.lua
index ed6f45d..91b6a84 100644
--- a/acf/modules/awall.lua
+++ b/acf/modules/awall.lua
@@ -10,8 +10,10 @@ local object = require('acf.object')
 local Direction = object.class(M.String)
-function Direction:init()
- object.super(self, Direction):init{choice={'in', 'out'}}
+function Direction:init(params)
+ if not params then params = {} end
+ params.choice = {'in', 'out'}
+ object.super(self, Direction):init(params)
 end
@@ -25,21 +27,21 @@ IPSet.family = M.String{required=true, choice={'inet', 'inet6'}}
 IPSet.range = M.Range{type=M.net.IPv4Address}
 local Service = M.new()
-Service.proto = M.String{required=true}
+Service.proto = M.String{required=true, ui_name='Protocol'}
 Service.port = M.Collection{type=M.Range{type=M.net.Port}}
-Service['icmp-type'] = M.String
-Service['ct-helper'] = M.String
+Service['icmp-type'] = M.String{ui_name='ICMP type'}
+Service['ct-helper'] = M.String{ui_name='Connection tracking helper'}
 -- TODO fw zone
 local Zone = M.new()
-Zone.iface = M.Set{type=M.String}
-Zone.addr = M.Set{type=M.String}
+Zone.iface = M.Set{type=M.String, ui_name='Interfaces'}
+Zone.addr = M.Set{type=M.String, ui_name='Addresses'}
 Zone['route-back'] = M.Boolean{default=false}
 local LogClass = M.new()
 LogClass.mode = M.String{default='log', choice={'log', 'nflog', 'ulog'}}
-LogClass.every = M.Integer
+LogClass.every = M.Integer{ui_name='Sampling frequency'}
 LogClass.limit = M.Integer
 LogClass.prefix = M.String
 LogClass.probability = M.Number
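Review bot: `Direction:init(params)` writes into the table it is handed — `params.choice = {'in', 'out'}` mutates the caller's table and silently overwrites any `choice` the caller supplied. The only call site added in this commit (`Direction{ui_name='Require IPsec'}`) passes a fresh literal, so nothing breaks today, but a caller that reuses a shared options table would find it rewritten as a side effect of constructing a Direction. Copying the options into a local table before fixing `choice` keeps the constructor side-effect free and makes the non-overridable enumeration explicit.
```lua
function Direction:init(params)
	-- copy the caller's options: constructing a Direction must not mutate them
	local opts = {}
	for k, v in pairs(params or {}) do opts[k] = v end
	opts.choice = {'in', 'out'}  -- fixed enumeration, intentionally not overridable
	object.super(self, Direction):init(opts)
end
```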
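Review bot: The labelling in this hunk is partial — `LogClass.limit`, `LogClass.prefix`, `LogClass.probability` and `Zone['route-back']` get no `ui_name` while their neighbours do, so a generated form will mix descriptive labels with raw keys; `LogClass.prefix = M.String{ui_name='Log prefix'}` and `Zone['route-back'] = M.Boolean{default=false, ui_name='Route back'}` would close the gap. Also `ui_name='Sampling frequency'` on `LogClass.every` reads as inverted if, as the key name suggests, `every` is a period (log every Nth packet) rather than a rate; `ui_name='Log every Nth packet'` would be unambiguous. Both TODO markers (`-- TODO fw zone`) survive unchanged, which is fine, but the new labels are user-facing text and deserve the same pass for consistency.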
@@ -49,21 +51,27 @@ LogClass.threshold = M.Integer
 local IPSetReference = M.new()
 IPSetReference.name = M.Reference{scope='../../../ipset', required=true}
-IPSetReference.args = M.Collection{type=Direction, required=true}
+IPSetReference.args = M.Collection{
+ type=Direction, required=true, ui_name='Arguments'
+}
 local Rule = M.new()
-Rule['in'] = M.Collection{type=M.Reference{scope='../../../zone'}}
-Rule.out = M.Collection{type=M.Reference{scope='../../../zone'}}
-Rule.src = M.Collection{type=M.String}
-Rule.dest = M.Collection{type=M.String}
-Rule.ipset = IPSetReference
-Rule.ipsec = Direction
+Rule['in'] = M.Collection{
+ type=M.Reference{scope='../../../zone'}, ui_name='Ingess zones'
+}
+Rule.out = M.Collection{
+ type=M.Reference{scope='../../../zone'}, ui_name='Egress zones'
+}
+Rule.src = M.Collection{type=M.String, ui_name='Sources'}
+Rule.dest = M.Collection{type=M.String, ui_name='Destinations'}
+Rule.ipset = M.Model{model=IPSetReference, ui_name='IP set'}
+Rule.ipsec = Direction{ui_name='Require IPsec'}
 Rule.service = M.Collection{type=M.Reference{scope='../../../service'}}
 Rule.action = M.String{choice={'accept'}}
 local PacketLogRule = M.new(Rule)
-PacketLogRule.log = M.Reference{scope='../../log'}
+PacketLogRule.log = M.Reference{scope='../../log', ui_name='Log class'}
 -- TODO no service field
 local PolicyRule = M.new(PacketLogRule)
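Review bot: `ui_name='Ingess zones'` on `Rule['in']` is a typo in a user-facing label; it should read `type=M.Reference{scope='../../../zone'}, ui_name='Ingress zones'` to pair with `'Egress zones'` on `Rule.out`. `Rule.service` and `Rule.action` are left without a `ui_name` while every surrounding field gains one, so the form will show the raw keys `service` and `action` next to labelled fields. Note that `Rule.ipsec = Direction{ui_name='Require IPsec'}` only works because of the new `Direction:init(params)` signature in the first hunk, so the two hunks must land together.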
@@ -77,46 +85,69 @@ Limit.interval = M.Integer
 Limit.log = M.Reference{scope='../../../log'}
 local FilterRule = M.new(PolicyRule)
-FilterRule['conn-limit'] = Limit
-FilterRule['flow-limit'] = Limit
-FilterRule.dnat = M.net.IPv4Address
-FilterRule['no-track'] = M.Boolean{default=false}
-FilterRule.related = M.Collection{type=Rule}
+FilterRule['conn-limit'] = M.Model{model=Limit, ui_name='Connection limit'}
+FilterRule['flow-limit'] = M.Model{model=Limit, ui_name='Flow limit'}
+FilterRule.dnat = M.net.IPv4Address{ui_name='DNAT target'}
+FilterRule['no-track'] = M.Boolean{default=false, ui_name='CT bypass'}
+FilterRule.related = M.Collection{type=Rule, ui_name='Related packet rules'}
 local DivertRule = M.new(Rule)
-DivertRule['to-port'] = M.Range{type=M.net.Port}
+DivertRule['to-port'] = M.Range{type=M.net.Port, ui_name='Target port'}
 local NATRule = M.new(DivertRule)
-NATRule['to-addr'] = M.Range{type=M.net.IPv4Address}
+NATRule['to-addr'] = M.Range{type=M.net.IPv4Address, ui_name='Target address'}
 local MarkRule = M.new(Rule)
 MarkRule.mark = M.Integer{required=true}
 local ClampMSSRule = M.new(Rule)
-ClampMSSRule.mss = M.Integer
+ClampMSSRule.mss = M.Integer{ui_name='MSS'}
 local AWall = M.new()
 -- TODO differentiate lists?
 AWall.service = M.Collection{type=M.Collection{type=Service}}
 AWall.zone = M.Collection{type=Zone}
-AWall.log = M.Collection{type=LogClass}
-AWall.policy = M.Collection{type=PolicyRule}
-AWall['packet-log'] = M.Collection{type=PacketLogRule}
+AWall.log = M.Collection{
+ type=LogClass, ui_name='Log classes', ui_member='Log class'
+}
+AWall.policy = M.Collection{
+ type=PolicyRule, ui_name='Policies', ui_member='Policy'
+}
+AWall['packet-log'] = M.Collection{
+ type=PacketLogRule, ui_name='Logging', ui_member='Logging rule'
+}
 AWall.filter = M.Collection{type=FilterRule}
-AWall.dnat = M.Collection{type=NATRule}
-AWall.snat = M.Collection{type=NATRule}
-AWall.mark = M.Collection{type=MarkRule}
-AWall['route-track'] = M.Collection{type=MarkRule}
-AWall.tproxy = M.Collection{type=DivertRule}
-AWall['clamp-mss'] = M.Collection{type=ClampMSSRule}
-AWall['no-track'] = M.Collection{type=Rule}
-AWall.ipset = M.Collection{type=IPSet}
+AWall.dnat = M.Collection{type=NATRule, ui_name='DNAT', ui_member='DNAT rule'}
+AWall.snat = M.Collection{type=NATRule, ui_name='SNAT', ui_member='SNAT rule'}
+AWall.mark = M.Collection{
+ type=MarkRule, ui_name='Packet marking', ui_member='Packet marking rule'
+}
+AWall['route-track'] = M.Collection{
+ type=MarkRule, ui_name='Route tracking', ui_member='Route tracking rule'
+}
+AWall.tproxy = M.Collection{
+ type=DivertRule,
+ ui_name='Transparent proxy',
+ ui_member='Transparent proxy rule'
+}
+AWall['clamp-mss'] = M.Collection{
+ type=ClampMSSRule, ui_name='MSS clamping', ui_member='MSS clamping rule'
+}
+AWall['no-track'] = M.Collection{
+ type=Rule, ui_name='CT bypass', ui_member='Connection tracking bypass rule'
+}
+AWall.ipset = M.Collection{
+ type=IPSet, ui_name='IP sets', ui_member='IP set'
+}
 M.register(
 'awall',
 AWall,
- '/json'..require('posix').getcwd()..'/config/awall.json'
+ {
+ addr='/json'..require('posix').getcwd()..'/config/awall.json',
+ ui_name='Alpine Wall'
+ }
 )
 M.permission.defaults('/awall')
|
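Review bot: The `addr` handed to `M.register` is still built from `require('posix').getcwd()`, so the path under which this firewall model is registered (presumably where its JSON is read and written) follows the working directory of the process at load time rather than a fixed location; since the commit rewrites that line anyway, it is the moment to anchor it to a configured or absolute base, e.g. `addr='/json/etc/awall/config/awall.json'` or a value read from configuration, or at least to add a comment stating why the cwd is the intended root. A process started from a directory an unprivileged user controls would otherwise persist its firewall configuration there. Separately, `AWall.service`, `AWall.zone`, `AWall.filter` and `MarkRule.mark` get no `ui_name`/`ui_member` while every sibling collection in this hunk does, and `ui_name='CT bypass'` on `FilterRule['no-track']` abbreviates what `AWall['no-track']` spells out as `'Connection tracking bypass rule'`, so the same concept is labelled two ways. Hoisting `local posix = require('posix')` next to `local object = require('acf.object')` (visible in the first hunk's context) would also avoid the inline `require` inside the registration call.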