authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2012-07-13 08:05:03 +0000
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2012-07-13 08:08:24 +0000
commit1b3c188b580c6ade43ac7aec908643cc00418654 (patch)
tree8234bfabc666bab3131b9df8ddf6569ef82ef554 /awall
parentd86f9e21c3a4b106bb9d200980196b8caa1015fa (diff)
base class for rules applicable to forwarded packets only
Diffstat (limited to 'awall')
-rw-r--r--awall/model.lua22
-rw-r--r--awall/modules/nat.lua23
-rw-r--r--awall/modules/notrack.lua24
3 files changed, 30 insertions, 39 deletions
diff --git a/awall/model.lua b/awall/model.lua
index 176d59d..179f0e1 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -369,5 +369,27 @@ function Rule:newchain(base)
end
+ForwardOnlyRule = class(Rule)
+
+function ForwardOnlyRule:init(...)
+ Rule.init(self, unpack(arg))
+ for i, dir in ipairs({'in', 'out'}) do
+ if util.contains(self[dir], fwzone) then
+ self:error('Not applicable to the firewall zone')
+ end
+ end
+end
+
+function ForwardOnlyRule:defaultzones() return {nil} end
+
+function ForwardOnlyRule:checkzoneoptfrag(ofrag)
+ if ofrag.out then
+ self:error('Cannot specify outbound interface ('..ofrag.out..')')
+ end
+end
+
+function ForwardOnlyRule:chain() return 'PREROUTING' end
+
+
classes = {{'zone', Zone}}
defrules = {}
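Review bot: The new ForwardOnlyRule class carries no comment stating the invariant it enforces, which is the point of the commit; a header above line 26 such as `-- Base class for rules that apply to forwarded traffic only: the firewall zone is rejected for both 'in' and 'out', no outbound interface may be given, and the chain is fixed to PREROUTING.` would tell subclass authors what they inherit and what they may override. `ForwardOnlyRule:init` forwards its arguments with `Rule.init(self, unpack(arg))`, the Lua 5.0 `arg` table that is only populated when the 5.1 vararg compatibility option is compiled in; `Rule.init(self, ...)` is the portable form, and since this commit removes the same pattern from nat.lua and notrack.lua this is the only surviving copy. The `'('..ofrag.out..')'` concatenation in checkzoneoptfrag assumes the interface value is a string or number; if an interface option can be anything else, `tostring(ofrag.out)` keeps the report a rule error rather than a concatenation error.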
diff --git a/awall/modules/nat.lua b/awall/modules/nat.lua
index 9dffaad..6ec39a2 100644
--- a/awall/modules/nat.lua
+++ b/awall/modules/nat.lua
@@ -8,33 +8,22 @@ Licensed under the terms of GPL2
module(..., package.seeall)
require 'awall.model'
-require 'awall.util'
local model = awall.model
-local NATRule = model.class(model.Rule)
-
-function NATRule:init(...)
- model.Rule.init(self, unpack(arg))
- for i, dir in ipairs({'in', 'out'}) do
- if awall.util.contains(self[dir], model.fwzone) then
- self:error('NAT rules not allowed for firewall zone')
- end
- end
-end
-
-function NATRule:defaultzones() return {nil} end
+local NATRule = model.class(model.ForwardOnlyRule)
function NATRule:checkzoneoptfrag(ofrag)
- if ofrag[self.params.forbidif] then
- self:error('Cannot specify '..self.params.forbidif..'bound interface for '..self.params.target..' rule')
+ local iface = ofrag[self.params.forbidif]
+ if iface then
+ self:error('Cannot specify '..self.params.forbidif..'bound interface ('..iface..')')
end
end
function NATRule:trules()
local res = {}
- for i, ofrags in ipairs(model.Rule.trules(self)) do
+ for i, ofrags in ipairs(model.ForwardOnlyRule.trules(self)) do
if ofrags.family == 'inet' then table.insert(res, ofrags) end
end
return res
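Review bot: `NATRule:checkzoneoptfrag` silently skips its check when `self.params.forbidif` is unset, because `ofrag[nil]` reads as nil and the `if iface` branch is never taken; nothing in the hunk shows where forbidif is defined, so a subclass that omits it would lose the interface restriction without any error. If the value is meant to be mandatory, `local forbidif = self.params.forbidif` followed by `if not forbidif then self:error('forbidif not set') end` makes the omission visible; the `..'bound interface'` suffix in the message suggests it is 'in' or 'out'. The override also replaces ForwardOnlyRule's own `ofrag.out` check entirely, presumably so that one NAT direction may still name an outbound interface; a one-line comment saying so, e.g. `-- overrides the base 'out' check: the forbidden direction depends on the NAT target`, would make that deliberate rather than accidental.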
@@ -45,7 +34,7 @@ function NATRule:table() return 'nat' end
function NATRule:chain() return self.params.chain end
function NATRule:target()
- if self.action then return model.Rule.target(self) end
+ if self.action then return model.ForwardOnlyRule.target(self) end
local target
if self['ip-range'] then
diff --git a/awall/modules/notrack.lua b/awall/modules/notrack.lua
index 4b302fb..4e7d66f 100644
--- a/awall/modules/notrack.lua
+++ b/awall/modules/notrack.lua
@@ -8,36 +8,16 @@ Licensed under the terms of GPL2
module(..., package.seeall)
require 'awall.model'
-require 'awall.util'
local model = awall.model
-local NoTrackRule = model.class(model.Rule)
-
-function NoTrackRule:init(...)
- model.Rule.init(self, unpack(arg))
- for i, dir in ipairs({'in', 'out'}) do
- if awall.util.contains(self[dir], model.fwzone) then
- self:error('Connection tracking bypass rules not allowed for firewall zone')
- end
- end
-end
-
-function NoTrackRule:defaultzones() return {nil} end
-
-function NoTrackRule:checkzoneoptfrag(ofrag)
- if ofrag.out then
- self:error('Cannot specify outbound interface for connection tracking bypass rule')
- end
-end
+local NoTrackRule = model.class(model.ForwardOnlyRule)
function NoTrackRule:table() return 'raw' end
-function NoTrackRule:chain() return 'PREROUTING' end
-
function NoTrackRule:target()
- if self.action then return model.Rule.target(self) end
+ if self.action then return model.ForwardOnlyRule.target(self) end
return 'NOTRACK'
end
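Review bot: With init, defaultzones, checkzoneoptfrag and chain removed, `NoTrackRule` is now defined almost entirely by what it inherits, and nothing in this file says what that is; a comment above line 121 such as `-- Forward-only rule (see model.ForwardOnlyRule): PREROUTING chain, outbound interface and firewall zone rejected by the base class` would save a reader a trip to model.lua. `NoTrackRule:target` calls `model.ForwardOnlyRule.target(self)`, which resolves only if `model.class` routes base-method lookups through to Rule; that is presumably how the class helper works but is worth confirming, since a missing target on ForwardOnlyRule would fail at rule-generation time rather than at load.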