authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2012-04-12 13:53:36 +0000
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2012-04-12 13:53:36 +0000
commit825ab203daefdda921d5f28cf348d722c3831a5a (patch)
tree48fb8fd4ba08e6c24f7e10713bb2c9736e68217b
parent32d38c757b6b6b5517bfdf8da9bb5ff87717c7ad (diff)
downloadawall-825ab203daefdda921d5f28cf348d722c3831a5a.tar.bz2
awall-825ab203daefdda921d5f28cf348d722c3831a5a.tar.xz
enable, disable, and list optional policy files
-rwxr-xr-xawall-cli42
-rw-r--r--awall/policy.lua50
2 files changed, 84 insertions, 8 deletions
diff --git a/awall-cli b/awall-cli
index c70519e..25b64eb 100755
--- a/awall-cli
+++ b/awall-cli
@@ -11,26 +11,33 @@ require 'lfs'
require 'signal'
require 'stringy'
-short_opts = 'aFo:V'
+short_opts = 'ad:e:Flo:V'
long_opts = {activate='a',
+ disable='d',
+ enable='e',
+ list='l',
['output-dir']='o',
verify='V'}
+params = {d = {}, e = {}}
+
if stringy.endswith(arg[0], '/awall-cli') then
basedir = string.sub(arg[0], 1, -11)
- input = {basedir..'/json'}
- import = {}
+ params.i = {basedir..'/json'}
+ params.I = {}
short_opts = short_opts..'i:I:'
long_opts['input-dir'] = 'i'
long_opts['import-path'] = 'I'
end
+require 'awall.util'
+
for switch, value in pairs(alt_getopt.get_opts(arg, short_opts, long_opts)) do
- if switch == 'a' then activate = true
+ if awall.util.contains({'a', 'l'}, switch) then mode = switch
+ elseif awall.util.contains({'d', 'e', 'i', 'I'}, switch) then
+ table.insert(awall.util.params[switch], value)
elseif switch == 'F' then fallback = true
- elseif switch == 'i' then table.insert(input, value)
- elseif switch == 'I' then table.insert(import, value)
elseif switch == 'o' then
iptdir = value
ipsfile = value..'/ipset'
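Review bot: The new `elseif awall.util.contains({'d', 'e', 'i', 'I'}, switch)` branch inserts into `awall.util.params[switch]`, but the table that collects these values is the global `params` declared just above (`params = {d = {}, e = {}}`, later extended with `params.i` and `params.I`); unless `awall.util` defines a `params` field, which nothing in this hunk suggests, every `-d`, `-e`, `-i` or `-I` argument fails with an index-nil error instead of being recorded. The line should read `table.insert(params[switch], value)`. Note also that `-a` and `-l` both write `mode`, so whichever switch `pairs` happens to visit last silently wins; raising an error on conflicting modes would be clearer. The enclosing `for switch, value in pairs(...)` loop continues past the end of this hunk.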
@@ -39,14 +46,33 @@ for switch, value in pairs(alt_getopt.get_opts(arg, short_opts, long_opts)) do
end
+require 'awall.policy'
+
+for i, action in ipairs({'disable', 'enable'}) do
+ for i, policy in ipairs(params[string.sub(action, 1, 1)]) do
+ policyset = policyset or awall.policy.PolicySet.new(params.i, params.I)
+ policyset[action](policyset, policy, confdir, import)
+ end
+end
+if policyset then os.exit() end
+
+if mode == 'l' then
+ for name, status in awall.policy.PolicySet.new(params.i,
+ params.I):list() do
+ print(name, status)
+ end
+ os.exit()
+end
+
+
require 'awall'
require 'awall.iptables'
awall.loadmodules(basedir)
-config = awall.Config.new(input, import)
+config = awall.Config.new(params.i, params.I)
-if activate then
+if mode == 'a' then
awall.iptables.backup()
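Review bot: The call `policyset[action](policyset, policy, confdir, import)` passes two trailing arguments this file no longer defines: `import` was replaced by `params.I` in the hunk above and `confdir` is assigned nowhere in view, so both are nil globals, and `PolicySet:enable`/`:disable` in the companion hunk take only `name`. The extras are harmless today but misleading; `policyset[action](policyset, policy)` states what actually happens. Both nested loops bind `i`, shadowing the outer index, so `_` would mark them as unused. Because enable/disable run and then `os.exit()` before `mode` is consulted, `awall-cli -e foo -a` silently never activates; either documenting that or rejecting the combination would help.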
diff --git a/awall/policy.lua b/awall/policy.lua
index 9e45a21..b75ec92 100644
--- a/awall/policy.lua
+++ b/awall/policy.lua
@@ -27,6 +27,12 @@ local function open(name, dirs)
end
end
+local function find(name, dirs)
+ local file, path = open(name, dirs)
+ if file then file:close() end
+ return path
+end
+
local function list(dirs)
local allnames = {}
local res = {}
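Review bot: `find` carries no comment and its contract is only visible through `open`, whose body lies above this hunk, yet three new callers below depend on it. I would add `--- Return the path of the first file named `name` found under `dirs`, or nil when none matches; the candidate is actually opened and closed, so an existing but unreadable file is presumably treated as absent.` The last clause is inferred from `open` returning a handle and should be confirmed against its body before being stated as fact.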
@@ -107,3 +113,47 @@ function PolicySet:load()
return input, imported
end
+
+
+function PolicySet:findsymlink(name)
+ local symlink = find(name, {self.confdir})
+ if symlink and lfs.symlinkattributes(symlink).mode ~= 'link' then
+ error('Not an optional policy: '..name)
+ end
+ return symlink
+end
+
+function PolicySet:enable(name)
+ if self:findsymlink(name) then error('Policy already enabled: '..name)
+ else
+ local target = find(name, self.importdirs)
+ if not target then error('Policy not found: '..name) end
+ if string.sub(target, 1, 1) ~= '/' then
+ target = lfs.currentdir()..'/'..target
+ end
+
+ pid, stdin, stdout = lpc.run('ln', '-s', target, self.confdir)
+ stdin:close()
+ stdout:close()
+ assert(lpc.wait(pid) == 0)
+ end
+end
+
+function PolicySet:disable(name)
+ local symlink = self:findsymlink(name)
+ if not symlink then error('Policy not enabled: '..name) end
+ assert(os.remove(symlink))
+end
+
+function PolicySet:list()
+ local input, imported = self:load()
+ local pols = list(self.importdirs)
+ local i = 0
+
+ return function()
+ i = i + 1
+ if i > #pols then return end
+ local name = pols[i][1]
+ return name, self:findsymlink(name) and 'enabled' or util.contains(imported, name) and 'required'or 'disabled'
+ end
+end
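Review bot: In `PolicySet:enable` the symlink is created by spawning `ln` via `lpc.run` and checked only with `assert(lpc.wait(pid) == 0)`, so a failure (read-only confdir, `ln` not on PATH) reports a bare "assertion failed!" without the policy name, and `pid, stdin, stdout` are assigned without `local`, leaking three globals out of a library module. Since the module already uses lfs, the link can be made in-process with no child process or PATH lookup, e.g. `local link = self.confdir..'/'..string.match(target, '[^/]+$')` followed by `assert(lfs.link(target, link, true), 'Cannot enable policy '..name)`, provided the installed LuaFileSystem is recent enough to offer `lfs.link`; otherwise keep `lpc.run` but declare the locals and give the assert a message. `findsymlink` indexes `lfs.symlinkattributes(symlink)` directly, which raises a misleading error if the entry vanishes between `find` and that call; `local attr = lfs.symlinkattributes(symlink); if symlink and not (attr and attr.mode == 'link') then` is safer. In `list`, `input` from `self:load()` is unused and `'required'or 'disabled'` is missing a space.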