authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2012-07-20 12:44:20 +0000
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2012-07-20 12:44:20 +0000
commitcd6133557143232dce14ab87378b2a9ca5386cf2 (patch)
treea2fdf1f11edb1a9d6e4a85aff7920a9e360045be /awall
parent1ecedaa711dad375e088fef8cbb09f805e60a894 (diff)
support for TARPIT targetv0.2.3
automatic logging, handling of non-TCP packets, and connection tracking bypass
Diffstat (limited to 'awall')
-rw-r--r--awall/modules/filter.lua12
1 files changed, 10 insertions, 2 deletions
diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua
index cde2112..c04f74e 100644
--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -77,6 +77,8 @@ function Filter:trules()
extrarules('dnat', {['ip-range']=dnataddr, out=nil})
end
+ if self.action == 'tarpit' then extrarules('no-track') end
+
awall.util.extend(res, model.Rule.trules(self))
return res
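Review bot: The added `if self.action == 'tarpit' then extrarules('no-track') end` gives no hint why a tarpit rule needs a conntrack bypass, and the reason is not derivable from the code: TARPIT answers the peer itself and never hands the connection to a socket, so (per the commit message) tracking is skipped, presumably so held-open connections do not fill the conntrack table. A comment on the new line would carry that: `-- TARPIT holds connections open without a socket; skip conntrack so they do not fill the state table`. It would also help to note here or in the module docs that `tarpit` relies on the TARPIT target, which I believe ships with xtables-addons rather than stock iptables, so a missing extension fails at rule load time. Filter:trules starts before this hunk.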
@@ -132,10 +134,11 @@ classes = {{'filter', Filter},
defrules = {pre={}, ['post-filter']={}}
+local limitedlog = '-m limit --limit 1/second -j LOG'
+
for i, family in ipairs({'inet', 'inet6'}) do
for i, target in ipairs({'drop', 'reject'}) do
- for i, opts in ipairs({'-m limit --limit 1/second -j LOG',
- '-j '..string.upper(target)}) do
+ for i, opts in ipairs({limitedlog, '-j '..string.upper(target)}) do
table.insert(defrules.pre,
{family=family,
table='filter',
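Review bot: The rewritten loop `for i, opts in ipairs({limitedlog, '-j '..string.upper(target)}) do` keeps an unused index named `i` that shadows the `i` of both enclosing loops; since the index is never read, the Lua convention is `for _, opts in ipairs({limitedlog, '-j '..string.upper(target)}) do`. The same applies to the new tarpit loop in the next hunk (`for i, opts in ipairs({limitedlog, '-p tcp -j TARPIT', '-j DROP'})`). The new `limitedlog` constant would also benefit from a one-line comment making the rate-limit semantics explicit, e.g. `-- one log entry per second; --limit-burst left at the iptables default`, since the name alone does not say what is being limited. The `table.insert` call begun here continues outside the hunk.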
@@ -144,6 +147,11 @@ for i, family in ipairs({'inet', 'inet6'}) do
end
end
+ for i, opts in ipairs({limitedlog, '-p tcp -j TARPIT', '-j DROP'}) do
+ table.insert(defrules.pre,
+ {family=family, table='filter', chain='tarpit', opts=opts})
+ end
+
for i, chain in ipairs({'FORWARD', 'INPUT', 'OUTPUT'}) do
table.insert(defrules.pre,
{family=family,