authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2013-01-24 11:36:50 +0000
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2013-01-24 14:20:08 +0200
commit97769b1755164e9af4670daa089b84110dadf54b (patch)
treece0d917021040b80a441aac7d897388de0d013f1 /awall
parenteedc06380f17061b3cb3de66dd578c6d05d3910b (diff)
downloadawall-97769b1755164e9af4670daa089b84110dadf54b.tar.bz2
awall-97769b1755164e9af4670daa089b84110dadf54b.tar.xz
explicit processing order directives for modules
Diffstat (limited to 'awall')
-rw-r--r--awall/init.lua72
-rw-r--r--awall/model.lua3
-rw-r--r--awall/modules/clampmss.lua4
-rw-r--r--awall/modules/filter.lua54
-rw-r--r--awall/modules/mark.lua15
-rw-r--r--awall/modules/masquerade.lua31
-rw-r--r--awall/modules/nat.lua8
-rw-r--r--awall/modules/notrack.lua4
8 files changed, 106 insertions, 85 deletions
diff --git a/awall/init.lua b/awall/init.lua
index 1d77f0a..a126872 100644
--- a/awall/init.lua
+++ b/awall/init.lua
@@ -9,6 +9,7 @@ module(..., package.seeall)
require 'lfs'
require 'stringy'
+require 'awall.dependency'
require 'awall.ipset'
require 'awall.iptables'
require 'awall.model'
@@ -20,24 +21,21 @@ require 'awall.util'
local optfrag = awall.optfrag
+local events
local procorder
-local defrules
+local achains
function loadmodules(path)
+ events = {}
classmap = {}
- procorder = {}
- defrules = {}
achains = {}
local function readmetadata(mod)
- for i, clsdef in ipairs(mod.classes or {}) do
- local path, cls = unpack(clsdef)
- classmap[path] = cls
- table.insert(procorder, path)
- end
- for phase, rules in pairs(mod.defrules or {}) do
- if not defrules[phase] then defrules[phase] = {} end
- table.insert(defrules[phase], rules)
+ for name, target in pairs(mod.export or {}) do
+ events[name] = target
+ if string.sub(name, 1, 1) ~= '%' then
+ classmap[name] = target.class
+ end
end
for name, opts in pairs(mod.achains or {}) do
assert(not achains[name])
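Review bot: The new `events[name] = target` assignment in readmetadata silently overwrites an entry when two modules export the same name, while the achains loop just below guards the same situation with `assert(not achains[name])`; since these names now drive ordering across modules, a collision would also rewire dependencies with no diagnostic. Mirror the guard with `assert(not events[name])` before the assignment. It is also worth checking `target.class` for non-'%' names here, because Config:init later calls `classmap[path].morph` without a nil check. readmetadata continues past the end of this hunk.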
@@ -53,16 +51,20 @@ function loadmodules(path)
local modules = {}
for modfile in lfs.dir((path or '/usr/share/lua/5.1')..'/awall/modules') do
if stringy.endswith(modfile, '.lua') then
- table.insert(modules, 'awall.modules.'..string.sub(modfile, 1, -5))
+ table.insert(modules, string.sub(modfile, 1, -5))
end
end
table.sort(modules)
for i, name in ipairs(modules) do
- require(name)
- readmetadata(package.loaded[name])
+ local fname = 'awall.modules.'..name
+ require(fname)
+ readmetadata(package.loaded[fname])
end
lfs.chdir(cdir)
+
+ events['%modules'] = {before=modules}
+ procorder = awall.dependency.order(events)
end
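Review bot: `events['%modules'] = {before=modules}` lists module file basenames ('nat', 'clampmss', 'notrack', …), but the names registered in `events` are the export keys those modules define ('dnat', 'snat', 'clamp-mss', 'no-track', '%masquerade'), so for most modules the constraint names something that is not an event. Whether that silently drops the constraint or raises depends on awall.dependency.order, which is not in this diff; either way the apparent intent (ipset before every module-defined event) is not expressed as written. Collecting the export keys as readmetadata reads them into a local list and passing that list as the `before` value would state it directly. loadmodules begins before this hunk.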
@@ -96,36 +98,34 @@ function Config:init(policyconfig)
end
end
- local function insertdefrules(phase)
- for i, rulegroup in ipairs(defrules[phase] or {}) do
- if type(rulegroup) == 'function' then
- insertrules(rulegroup(self.objects))
- else insertrules(rulegroup) end
- end
- end
-
for i, path in ipairs(procorder) do
- local objs = self.objects[path]
- if objs then
- for k, v in pairs(objs) do
- objs[k] = classmap[path].morph(
- v,
- self,
- path..' '..k..' ('..policyconfig.source[path][k]..')'
- )
+ if string.sub(path, 1, 1) ~= '%' then
+ local objs = self.objects[path]
+ if objs then
+ for k, v in pairs(objs) do
+ objs[k] = classmap[path].morph(
+ v,
+ self,
+ path..' '..k..' ('..policyconfig.source[path][k]..')'
+ )
+ end
end
end
end
- insertdefrules('pre')
-
- for i, path in ipairs(procorder) do
- if self.objects[path] then
- for i, rule in ipairs(self.objects[path]) do
+ for i, event in ipairs(procorder) do
+ if string.sub(event, 1, 1) == '%' then
+ local r = events[event].rules
+ if r then
+ if type(r) == 'function' then r = r(self.objects) end
+ assert(type(r) == 'table')
+ insertrules(r)
+ end
+ elseif self.objects[event] then
+ for i, rule in ipairs(self.objects[event]) do
insertrules(rule:trules())
end
end
- insertdefrules('post-'..path)
end
local ofrags = {}
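Review bot: The '%' prefix test `string.sub(x, 1, 1) ~= '%'` is now written three times (twice in this hunk, once in readmetadata), so the convention that a leading '%' marks a rule-only event rather than an object class lives nowhere in particular; a file-level `local function isevent(name) return string.sub(name, 1, 1) == '%' end` with a one-line comment stating that convention would let both loops read as intent. In the first loop `classmap[path].morph` still assumes every non-'%' export carries a class, which nothing in loadmodules verifies. Config:init starts before this hunk and continues after it.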
diff --git a/awall/model.lua b/awall/model.lua
index 21ff390..5bd2811 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -479,5 +479,4 @@ function Rule:newchain(key)
end
-classes = {{'zone', Zone}, {'ipset', IPSet}}
-
+export = {zone={class=Zone}, ipset={class=IPSet, before='%modules'}}
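Review bot: Only `ipset` is constrained with `before='%modules'`; `zone` carries no directive, whereas the removed list processed zone first, ahead of ipset and every module. If any module class's morph or trules resolves zone references from the object table (not visible here), zone needs the same constraint, `zone={class=Zone, before='%modules'}`; if its position is genuinely irrelevant, a short comment saying so would stop the next reader from wondering.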
diff --git a/awall/modules/clampmss.lua b/awall/modules/clampmss.lua
index d78302d..dc7719e 100644
--- a/awall/modules/clampmss.lua
+++ b/awall/modules/clampmss.lua
@@ -1,6 +1,6 @@
--[[
TCP MSS clamping module for Alpine Wall
-Copyright (C) 2012 Kaarle Ritvanen
+Copyright (C) 2012-2013 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--
@@ -25,4 +25,4 @@ function ClampMSSRule:target()
end
-classes = {{'clamp-mss', ClampMSSRule}}
+export = {['clamp-mss']={class=ClampMSSRule}}
diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua
index 0ce68a9..d833ffc 100644
--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -192,13 +192,6 @@ local Policy = model.class(Filter)
function Policy:servoptfrags() return nil end
-classes = {{'log', Log},
- {'filter', Filter},
- {'policy', Policy}}
-
-
-defrules = {}
-
local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}}
local dar = combinations(fchains,
@@ -208,32 +201,45 @@ for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
{chain=chain,
opts='-'..string.lower(string.sub(chain, 1, 1))..' lo'})
end
-defrules.pre = combinations(dar,
- {{table='filter', target='ACCEPT'}},
- {{family='inet'}, {family='inet6'}})
+dar = combinations(
+ dar,
+ {{table='filter', target='ACCEPT'}},
+ {{family='inet'}, {family='inet6'}}
+)
local icmp = {{family='inet', table='filter', opts='-p icmp'}}
local icmp6 = {{family='inet6', table='filter', opts='-p icmpv6'}}
-defrules['post-filter'] = combinations(icmp6,
- {{chain='INPUT'}, {chain='OUTPUT'}},
- {{target='ACCEPT'}})
-extend(defrules['post-filter'],
- combinations(icmp6, {{chain='FORWARD', target='icmp-routing'}}))
-extend(defrules['post-filter'],
- combinations(icmp, fchains, {{target='icmp-routing'}}))
+local ir = combinations(
+ icmp6,
+ {{chain='INPUT'}, {chain='OUTPUT'}},
+ {{target='ACCEPT'}}
+)
+extend(ir, combinations(icmp6, {{chain='FORWARD', target='icmp-routing'}}))
+extend(ir, combinations(icmp, fchains, {{target='icmp-routing'}}))
local function icmprules(ofrag, oname, types)
- extend(defrules['post-filter'],
- combinations(ofrag,
- {{chain='icmp-routing', target='ACCEPT'}},
- util.map(types,
- function(t)
- return {opts='--'..oname..' '..t}
- end)))
+ extend(
+ ir,
+ combinations(ofrag,
+ {{chain='icmp-routing', target='ACCEPT'}},
+ util.map(types,
+ function(t)
+ return {opts='--'..oname..' '..t}
+ end))
+ )
end
icmprules(icmp, 'icmp-type', {3, 11, 12})
icmprules(icmp6, 'icmpv6-type', {1, 2, 3, 4})
+export = {
+ filter={class=Filter, before={'dnat', 'no-track'}},
+ log={class=Log},
+ policy={class=Policy, after='%filter-after'},
+ ['%filter-before']={rules=dar, before='filter'},
+ ['%filter-after']={rules=ir, after='filter'}
+}
+
achains = combinations({{chain='tarpit'}},
{{opts='-p tcp', target='TARPIT'},
{target='DROP'}})
+
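Review bot: The `before={'dnat', 'no-track'}` and `policy={class=Policy, after='%filter-after'}` directives encode cross-module ordering that this file cannot check: 'dnat' and 'no-track' are export keys of nat.lua and notrack.lua, and a typo in either would leave a dangling reference whose fate depends on awall.dependency.order. A comment above `export` stating why filter rules must precede DNAT and no-track rules, and why policy must follow the ICMP routing rules collected in `ir`, would document the contract those names stand for. `log` lost the position it had in the removed list (before filter and policy); if Filter's morph looks up Log objects, it needs `before='filter'`. The hunk also appends a trailing blank line after the achains table, which should be dropped.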
diff --git a/awall/modules/mark.lua b/awall/modules/mark.lua
index 7dc0b6e..ebdb169 100644
--- a/awall/modules/mark.lua
+++ b/awall/modules/mark.lua
@@ -1,6 +1,6 @@
--[[
Packet marking module for Alpine Wall
-Copyright (C) 2012 Kaarle Ritvanen
+Copyright (C) 2012-2013 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--
@@ -39,12 +39,7 @@ function RouteTrackRule:extraoptfrags()
end
-classes = {{'route-track', RouteTrackRule},
- {'mark', MarkRule}}
-
-defrules = {}
-
-function defrules.pre(config)
+local function rt(config)
local res = {}
if awall.util.list(config['route-track'])[1] then
for i, family in ipairs({'inet', 'inet6'}) do
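Review bot: `rt` is a terse name for a function whose role is only visible from the `['%mark-rt']={rules=rt, before='route-track'}` entry in the next hunk, and the fact that it receives the morphed object table (Config:init passes `self.objects`) and reads `config['route-track']` is stated nowhere at the definition. A doc comment above the signature such as `-- Rules emitted ahead of route-track objects; config is the morphed object table` and a more descriptive name like `routetrackrules` would tie the two together. Note that the removed `defrules.pre` ran in the global pre phase, while `before='route-track'` only orders these rules relative to route-track; if they must also precede other modules' rules, that constraint is now missing. The body of this function spans this hunk and the next.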
@@ -60,3 +55,9 @@ function defrules.pre(config)
end
return res
end
+
+export = {
+ mark={class=MarkRule},
+ ['route-track']={class=RouteTrackRule, before='mark'},
+ ['%mark-rt']={rules=rt, before='route-track'}
+}
diff --git a/awall/modules/masquerade.lua b/awall/modules/masquerade.lua
index e6b8c71..98086cc 100644
--- a/awall/modules/masquerade.lua
+++ b/awall/modules/masquerade.lua
@@ -1,6 +1,6 @@
--[[
IPSet-based masquerading module for Alpine Wall
-Copyright (C) 2012 Kaarle Ritvanen
+Copyright (C) 2012-2013 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--
@@ -8,11 +8,24 @@ Licensed under the terms of GPL2
module(..., package.seeall)
-- TODO configuration of the ipset via JSON config
-defrules = {['post-snat']={{family='inet', table='nat',
- chain='POSTROUTING',
- opts='-m set --match-set awall-masquerade src',
- target='awall-masquerade'},
- {family='inet', table='nat',
- chain='awall-masquerade',
- opts='-m set ! --match-set awall-masquerade dst',
- target='MASQUERADE'}}}
+export = {
+ ['%masquerade']={
+ rules={
+ {
+ family='inet',
+ table='nat',
+ chain='POSTROUTING',
+ opts='-m set --match-set awall-masquerade src',
+ target='awall-masquerade'
+ },
+ {
+ family='inet',
+ table='nat',
+ chain='awall-masquerade',
+ opts='-m set ! --match-set awall-masquerade dst',
+ target='MASQUERADE'
+ }
+ },
+ after='snat'
+ }
+}
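Review bot: `after='snat'` is the only ordering directive in this export and nothing explains it; a comment such as `-- keep after explicit SNAT rules so those take precedence in POSTROUTING` (the rationale is inferred from the old 'post-snat' phase, so confirm it) would make the constraint reviewable. The jump target `awall-masquerade` is a custom chain this export references but does not declare; if the iptables backend does not create referenced chains implicitly, declaring it via `achains` as filter.lua does would be safer. The TODO above the table about ipset configuration still applies.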
diff --git a/awall/modules/nat.lua b/awall/modules/nat.lua
index 4a1984b..51d8446 100644
--- a/awall/modules/nat.lua
+++ b/awall/modules/nat.lua
@@ -1,6 +1,6 @@
--[[
NAT module for Alpine Wall
-Copyright (C) 2012 Kaarle Ritvanen
+Copyright (C) 2012-2013 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--
@@ -76,5 +76,7 @@ function SNATRule:init(...)
end
-classes = {{'dnat', DNATRule},
- {'snat', SNATRule}}
+export = {
+ dnat={class=DNATRule},
+ snat={class=SNATRule}
+}
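Review bot: `dnat` and `snat` now carry no relative ordering, while the removed list processed dnat before snat; under dependency ordering their order becomes whatever awall.dependency.order yields for unconstrained nodes. If the old order was relied upon (not verifiable from this diff), add `before='snat'` to the dnat entry, i.e. `dnat={class=DNATRule, before='snat'}`; if the two are independent, a one-line comment saying so would record that decision.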
diff --git a/awall/modules/notrack.lua b/awall/modules/notrack.lua
index 6ff715c..6ae893c 100644
--- a/awall/modules/notrack.lua
+++ b/awall/modules/notrack.lua
@@ -1,6 +1,6 @@
--[[
Connection tracking bypass module for Alpine Wall
-Copyright (C) 2012 Kaarle Ritvanen
+Copyright (C) 2012-2013 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--
@@ -22,4 +22,4 @@ function NoTrackRule:target()
end
-classes = {{'no-track', NoTrackRule}}
+export = {['no-track']={class=NoTrackRule}}