diff options
author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2012-03-16 08:02:16 +0000 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2012-03-16 08:02:16 +0000 |
commit | 4de7b59a62ef616460f69aa9abc4f939875e71a9 (patch) | |
tree | e5552d7ad178b8b569a5548523c5e28bd0f522eb /awall/model.lua | |
parent | 8d6917d7fffdb10b3e37849a03847abdcc552608 (diff) | |
download | awall-4de7b59a62ef616460f69aa9abc4f939875e71a9.tar.bz2 awall-4de7b59a62ef616460f69aa9abc4f939875e71a9.tar.xz |
support for using externally controlled ipsets in rules
Diffstat (limited to 'awall/model.lua')
-rw-r--r-- | awall/model.lua | 18 |
1 files changed, 16 insertions, 2 deletions
diff --git a/awall/model.lua b/awall/model.lua index 8a8e801..0f37b59 100644 --- a/awall/model.lua +++ b/awall/model.lua @@ -51,8 +51,6 @@ function Zone:optfrags(dir) iopt, aopt, iprop, aprop = 'o', 'd', 'out', 'dest' else assert(false) end - -- TODO support for externally controlled ipsets - local aopts = {} for i, hostdef in util.listpairs(self.addr) do for i, addr in ipairs(awall.host.resolve(hostdef)) do @@ -277,6 +275,22 @@ function Rule:trules() local res = self:zoneoptfrags() + if self.ipset then + if not self.ipset.name then error('Set name not defined') end + if not self.ipset.args then + error('Set direction arguments not defined') + end + + local setopts = '-m set --match-set '..self.ipset.name..' ' + for i, arg in util.listpairs(self.ipset.args) do + if i > 1 then setopts = setopts..',' end + if arg == 'in' then setopts = setopts..'src' + elseif arg == 'out' then setopts = setopts..'dst' + else error('Invalid set direction argument') end + end + res = combinations(res, {{opts=setopts}}) + end + if self.ipsec then res = combinations(res, {{opts='-m policy --pol ipsec --dir '..self.ipsec}}) end |