authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2012-09-03 09:44:01 +0000
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2012-09-03 09:53:39 +0000
commit932b4bad1842cef6523d22eb9512062df729a59b (patch)
tree19b52608227234ca8ee9b11f10b1a6f0b8b55622
parent1aab0c8ff06412bc2f7b579355adcb6845776c35 (diff)
support bypassing connection tracking per filter rule
rules for the reverse direction are created automatically
-rw-r--r--awall/model.lua31
-rw-r--r--awall/modules/filter.lua12
2 files changed, 32 insertions, 11 deletions
diff --git a/awall/model.lua b/awall/model.lua
index fe31cbf..db5f5a1 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -124,6 +124,13 @@ function Rule:init(...)
end
+function Rule:direction(dir)
+ if dir == 'in' then return self.reverse and 'out' or 'in' end
+ if dir == 'out' then return self.reverse and 'in' or 'out' end
+ self:error('Invalid direction: '..dir)
+end
+
+
function Rule:zoneoptfrags()
local function zonepair(zin, zout)
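Review bot: The fallthrough `self:error('Invalid direction: '..dir)` in Rule:direction raises a raw "attempt to concatenate" error instead of the model's own error when dir is nil or a non-string, and the later hunks now route the user-supplied `ipsec` value and ipset direction arguments through this function, so that case is reachable from configuration. Coercing the value, `self:error('Invalid direction: '..tostring(dir))`, keeps the reported message readable. A one-line header would also help readers of the callers: `-- Map a logical 'in'/'out' to the effective one; swapped when this rule is a reverse-direction copy (self.reverse).`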
@@ -172,8 +179,8 @@ function Rule:zoneoptfrags()
end
local res = {}
- local izones = self['in'] or {}
- local ozones = self.out or {}
+ local izones = self[self:direction('in')] or {}
+ local ozones = self[self:direction('out')] or {}
for i = 1,math.max(1, table.maxn(izones)) do
for j = 1,math.max(1, table.maxn(ozones)) do
@@ -234,14 +241,15 @@ function Rule:servoptfrags()
end
end
+ local popt = ' --'..(self.reverse and 's' or 'd')..'port'
for proto, plist in pairs(ports) do
local opts = '-p '..proto
local len = table.maxn(plist)
if len == 1 then
- opts = opts..' --dport '..plist[1]
+ opts = opts..popt..' '..plist[1]
elseif len > 1 then
- opts = opts..' -m multiport --dports '..table.concat(plist, ',')
+ opts = opts..' -m multiport'..popt..'s '..table.concat(plist, ',')
end
table.insert(res, {opts=opts})
@@ -251,7 +259,7 @@ function Rule:servoptfrags()
end
function Rule:destoptfrags()
- return self:create(Zone, {addr=self.dest}):optfrags('out')
+ return self:create(Zone, {addr=self.dest}):optfrags(self:direction('out'))
end
function Rule:table() return 'filter' end
@@ -317,9 +325,10 @@ function Rule:trules()
local setopts = '-m set --match-set '..ipset.name..' '
setopts = setopts..table.concat(util.map(util.list(ipset.args),
function(a)
- if a == 'in' then return 'src' end
- if a == 'out' then return 'dst' end
- self:error('Invalid set direction argument')
+ if self:direction(a) == 'in' then
+ return 'src'
+ end
+ return 'dst'
end),
',')
table.insert(ipsetofrags, {family=setdef.family, opts=setopts})
@@ -328,14 +337,16 @@ function Rule:trules()
end
if self.ipsec then
- res = combinations(res, {{opts='-m policy --pol ipsec --dir '..self.ipsec}})
+ res = combinations(res,
+ {{opts='-m policy --pol ipsec --dir '..self:direction(self.ipsec)}})
end
res = combinations(res, self:servoptfrags())
setfamilies(res)
- local addrofrags = combinations(self:create(Zone, {addr=self.src}):optfrags('in'),
+ local addrofrags = combinations(self:create(Zone,
+ {addr=self.src}):optfrags(self:direction('in')),
self:destoptfrags())
if addrofrags then
diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua
index 733263f..b6d1426 100644
--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -79,6 +79,9 @@ function Filter:trules()
if self.action ~= 'accept' then
self:error('dnat option not allowed with '..self.action..' action')
end
+ if self['no-track'] then
+ self:error('dnat option not allowed with no-track')
+ end
if not self.dest then
self:error('Destination address must be specified with DNAT')
end
@@ -107,10 +110,17 @@ function Filter:trules()
extrarules('dnat', {['ip-range']=dnataddr, out=nil})
end
- if self.action == 'tarpit' then extrarules('no-track') end
+ if self.action == 'tarpit' or self['no-track'] then
+ extrarules('no-track')
+ end
extend(res, model.Rule.trules(self))
+ if self['no-track'] and self.action == 'accept' then
+ extrarules('no-track', {reverse=true})
+ extrarules('filter', {reverse=true, action='accept', log=false})
+ end
+
return res
end
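Review bot: The reverse rule added with `extrarules('filter', {reverse=true, action='accept', log=false})` accepts reverse-direction traffic with no connection-state condition at all, which is broader than the stateful return path it stands in for and is never logged; nothing at the generation site or in the commit description records that consequence. A comment above the new block such as `-- conntrack is bypassed, so replies cannot match ESTABLISHED: emit explicit stateless rules for the reverse direction (unlogged, as they only carry replies)` would make the intent clear to whoever later tunes the option. It is not visible here whether extrarules copies the rule's remaining options (src, dest, ipset, ipsec) into the reversed copies; if it does, they are reinterpreted through Rule:direction with swapped sides, which should be confirmed and noted in the option documentation. The enclosing Filter:trules starts outside this hunk.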