author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2013-01-24 11:36:50 +0000 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2013-01-24 14:20:08 +0200 |
commit | 97769b1755164e9af4670daa089b84110dadf54b (patch) | |
tree | ce0d917021040b80a441aac7d897388de0d013f1 /awall | |
parent | eedc06380f17061b3cb3de66dd578c6d05d3910b (diff) | |
explicit processing order directives for modules
Diffstat (limited to 'awall')
-rw-r--r-- | awall/init.lua | 72 | ||||
-rw-r--r-- | awall/model.lua | 3 | ||||
-rw-r--r-- | awall/modules/clampmss.lua | 4 | ||||
-rw-r--r-- | awall/modules/filter.lua | 54 | ||||
-rw-r--r-- | awall/modules/mark.lua | 15 | ||||
-rw-r--r-- | awall/modules/masquerade.lua | 31 | ||||
-rw-r--r-- | awall/modules/nat.lua | 8 | ||||
-rw-r--r-- | awall/modules/notrack.lua | 4 |
8 files changed, 106 insertions, 85 deletions
diff --git a/awall/init.lua b/awall/init.lua
index 1d77f0a..a126872 100644
--- a/awall/init.lua
+++ b/awall/init.lua
@@ -9,6 +9,7 @@ module(..., package.seeall)
 require 'lfs'
 require 'stringy'
+require 'awall.dependency'
 require 'awall.ipset'
 require 'awall.iptables'
 require 'awall.model'
@@ -20,24 +21,21 @@ require 'awall.util'
 local optfrag = awall.optfrag
+local events
 local procorder
-local defrules
+local achains
 function loadmodules(path)
+ events = {}
 classmap = {}
- procorder = {}
- defrules = {}
 achains = {}
 local function readmetadata(mod)
- for i, clsdef in ipairs(mod.classes or {}) do
- local path, cls = unpack(clsdef)
- classmap[path] = cls
- table.insert(procorder, path)
- end
- for phase, rules in pairs(mod.defrules or {}) do
- if not defrules[phase] then defrules[phase] = {} end
- table.insert(defrules[phase], rules)
+ for name, target in pairs(mod.export or {}) do
+ events[name] = target
+ if string.sub(name, 1, 1) ~= '%' then
+ classmap[name] = target.class
+ end
 end
 for name, opts in pairs(mod.achains or {}) do
 assert(not achains[name])
@@ -53,16 +51,20 @@ function loadmodules(path)
 local modules = {}
 for modfile in lfs.dir((path or '/usr/share/lua/5.1')..'/awall/modules') do
 if stringy.endswith(modfile, '.lua') then
- table.insert(modules, 'awall.modules.'..string.sub(modfile, 1, -5))
+ table.insert(modules, string.sub(modfile, 1, -5))
 end
 end
 table.sort(modules)
 for i, name in ipairs(modules) do
- require(name)
- readmetadata(package.loaded[name])
+ local fname = 'awall.modules.'..name
+ require(fname)
+ readmetadata(package.loaded[fname])
 end
 lfs.chdir(cdir)
+
+ events['%modules'] = {before=modules}
+ procorder = awall.dependency.order(events)
 end
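Review bot: `events[name] = target` in readmetadata lets a later module silently overwrite an export registered by an earlier one (and, for names not starting with '%', its classmap entry), whereas the achains loop a few lines below guards the same situation with `assert(not achains[name])`. Because modules are loaded in `table.sort(modules)` order, a name collision would be resolved alphabetically by file name with no diagnostic at all. Suggest `assert(not events[name], 'Duplicate export: '..name)` before the assignment. A comment at the `local events` declaration stating the convention this loop relies on — names beginning with '%' are rule hooks carrying `rules`, all others are object classes carrying `class` — would also help, since the same prefix test reappears in Config:init.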
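Review bot: `events['%modules'] = {before=modules}` orders the synthetic '%modules' event against module file names, but every other before/after value in this commit refers to export names, and the two only coincide for filter and mark; clampmss, masquerade, nat and notrack export 'clamp-mss', '%masquerade', 'dnat'/'snat' and 'no-track'. The model.lua constraint `ipset={class=IPSet, before='%modules'}` therefore presumably binds ipset only ahead of the events whose name happens to match a file name — assuming awall.dependency.order ignores names that are not keys of events, which is not visible here (if it does not, loading would fail on the unmatched names). Collecting the export names instead would express the intent: declare `local exports = {}` next to `events = {}`, add `exports[#exports + 1] = name` inside readmetadata's export loop, and set `events['%modules'] = {before=exports}`.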
@@ -96,36 +98,34 @@ function Config:init(policyconfig) end end - local function insertdefrules(phase) - for i, rulegroup in ipairs(defrules[phase] or {}) do - if type(rulegroup) == 'function' then - insertrules(rulegroup(self.objects)) - else insertrules(rulegroup) end - end - end - for i, path in ipairs(procorder) do local objs = self.objects[path] if objs then for k, v in pairs(objs) do objs[k] = classmap[path].morph( v, self, path..' '..k..' ('..policyconfig.source[path][k]..')' ) + if string.sub(path, 1, 1) ~= '%' then + local objs = self.objects[path] + if objs then + for k, v in pairs(objs) do + objs[k] = classmap[path].morph( + v, + self, + path..' '..k..' ('..policyconfig.source[path][k]..')' + ) + end end end end - insertdefrules('pre') - - for i, path in ipairs(procorder) do - if self.objects[path] then - for i, rule in ipairs(self.objects[path]) do + for i, event in ipairs(procorder) do + if string.sub(event, 1, 1) == '%' then + local r = events[event].rules + if r then + if type(r) == 'function' then r = r(self.objects) end + assert(type(r) == 'table') + insertrules(r) + end + elseif self.objects[event] then + for i, rule in ipairs(self.objects[event]) do insertrules(rule:trules()) end end - insertdefrules('post-'..path) end local ofrags = {}
diff --git a/awall/model.lua b/awall/model.lua
index 21ff390..5bd2811 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -479,5 +479,4 @@ function Rule:newchain(key)
 end
-classes = {{'zone', Zone}, {'ipset', IPSet}}
-
+export = {zone={class=Zone}, ipset={class=IPSet, before='%modules'}}
diff --git a/awall/modules/clampmss.lua b/awall/modules/clampmss.lua
index d78302d..dc7719e 100644
--- a/awall/modules/clampmss.lua
+++ b/awall/modules/clampmss.lua
@@ -1,6 +1,6 @@
 --[[
 TCP MSS clamping module for Alpine Wall
-Copyright (C) 2012 Kaarle Ritvanen
+Copyright (C) 2012-2013 Kaarle Ritvanen
 Licensed under the terms of GPL2
 ]]--
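Review bot: In the second procorder loop of Config:init, `assert(type(r) == 'table')` carries no message, so a module whose exported `rules` is neither a table nor a function returning one (including a function that returns nil) fails with a bare "assertion failed!" and no indication of which event is at fault. `assert(type(r) == 'table', 'Invalid rules for event '..event)` would name the offending export. Config:init's body continues outside the hunk on both sides.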
@@ -25,4 +25,4 @@ function ClampMSSRule:target()
 end
-classes = {{'clamp-mss', ClampMSSRule}}
+export = {['clamp-mss']={class=ClampMSSRule}}
diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua
index 0ce68a9..d833ffc 100644
--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -192,13 +192,6 @@ local Policy = model.class(Filter) function Policy:servoptfrags() return nil end -classes = {{'log', Log}, - {'filter', Filter}, - {'policy', Policy}} - - defrules = {} - local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}} local dar = combinations(fchains,
@@ -208,32 +201,45 @@ for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
 {chain=chain, opts='-'..string.lower(string.sub(chain, 1, 1))..' lo'})
 end
-defrules.pre = combinations(dar,
- {{table='filter', target='ACCEPT'}},
- {{family='inet'}, {family='inet6'}})
+dar = combinations(
+ dar,
+ {{table='filter', target='ACCEPT'}},
+ {{family='inet'}, {family='inet6'}}
+)
 local icmp = {{family='inet', table='filter', opts='-p icmp'}}
 local icmp6 = {{family='inet6', table='filter', opts='-p icmpv6'}}
-defrules['post-filter'] = combinations(icmp6,
- {{chain='INPUT'}, {chain='OUTPUT'}},
- {{target='ACCEPT'}})
-extend(defrules['post-filter'],
- combinations(icmp6, {{chain='FORWARD', target='icmp-routing'}}))
-extend(defrules['post-filter'],
- combinations(icmp, fchains, {{target='icmp-routing'}}))
+local ir = combinations(
+ icmp6,
+ {{chain='INPUT'}, {chain='OUTPUT'}},
+ {{target='ACCEPT'}}
+)
+extend(ir, combinations(icmp6, {{chain='FORWARD', target='icmp-routing'}}))
+extend(ir, combinations(icmp, fchains, {{target='icmp-routing'}}))
 local function icmprules(ofrag, oname, types)
- extend(defrules['post-filter'],
- combinations(ofrag,
- {{chain='icmp-routing', target='ACCEPT'}},
- util.map(types,
- function(t)
- return {opts='--'..oname..' '..t}
- end)))
+ extend(
+ ir,
+ combinations(ofrag,
+ {{chain='icmp-routing', target='ACCEPT'}},
+ util.map(types,
+ function(t)
+ return {opts='--'..oname..' '..t}
+ end))
+ )
 end
 icmprules(icmp, 'icmp-type', {3, 11, 12})
 icmprules(icmp6, 'icmpv6-type', {1, 2, 3, 4})
+export = {
+ filter={class=Filter, before={'dnat', 'no-track'}},
+ log={class=Log},
+ policy={class=Policy, after='%filter-after'},
+ ['%filter-before']={rules=dar, before='filter'},
+ ['%filter-after']={rules=ir, after='filter'}
+}
 achains = combinations({{chain='tarpit'}}, {{opts='-p tcp', target='TARPIT'}, {target='DROP'}})
+
diff --git a/awall/modules/mark.lua b/awall/modules/mark.lua
index 7dc0b6e..ebdb169 100644
--- a/awall/modules/mark.lua
+++ b/awall/modules/mark.lua
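Review bot: `filter={class=Filter, before={'dnat', 'no-track'}}` hard-codes export names owned by nat.lua and notrack.lua, so a rename in either of those modules would not be caught here — and if awall.dependency.order tolerates unknown names (not visible in this diff), the filter rules would silently land after the DNAT and no-track rules instead of failing to load. A comment on that line such as `-- 'dnat' is exported by nat.lua, 'no-track' by notrack.lua; keep in sync` would at least make the cross-module coupling visible. Separately, the accept rules are produced by reassigning the `local dar` declared in the previous hunk while the ICMP rules get a fresh `local ir`; giving the accept set its own name, e.g. `local far = combinations(dar, ...)` and `['%filter-before']={rules=far, before='filter'}`, would keep `dar` meaning one thing throughout the file.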
@@ -1,6 +1,6 @@
 --[[
 Packet marking module for Alpine Wall
-Copyright (C) 2012 Kaarle Ritvanen
+Copyright (C) 2012-2013 Kaarle Ritvanen
 Licensed under the terms of GPL2
 ]]--
@@ -39,12 +39,7 @@ function RouteTrackRule:extraoptfrags()
 end
-classes = {{'route-track', RouteTrackRule},
- {'mark', MarkRule}}
-
-defrules = {}
-
-function defrules.pre(config)
+local function rt(config)
 local res = {}
 if awall.util.list(config['route-track'])[1] then
 for i, family in ipairs({'inet', 'inet6'}) do
@@ -60,3 +55,9 @@ function defrules.pre(config)
 end
 return res
 end
+
+export = {
+ mark={class=MarkRule},
+ ['route-track']={class=RouteTrackRule, before='mark'},
+ ['%mark-rt']={rules=rt, before='route-track'}
+}
diff --git a/awall/modules/masquerade.lua b/awall/modules/masquerade.lua
index e6b8c71..98086cc 100644
--- a/awall/modules/masquerade.lua
+++ b/awall/modules/masquerade.lua
@@ -1,6 +1,6 @@
 --[[
 IPSet-based masquerading module for Alpine Wall
-Copyright (C) 2012 Kaarle Ritvanen
+Copyright (C) 2012-2013 Kaarle Ritvanen
 Licensed under the terms of GPL2
 ]]--
@@ -8,11 +8,24 @@ Licensed under the terms of GPL2
 module(..., package.seeall)
 -- TODO configuration of the ipset via JSON config
-defrules = {['post-snat']={{family='inet', table='nat',
- chain='POSTROUTING',
- opts='-m set --match-set awall-masquerade src',
- target='awall-masquerade'},
- {family='inet', table='nat',
- chain='awall-masquerade',
- opts='-m set ! --match-set awall-masquerade dst',
- target='MASQUERADE'}}}
+export = {
+ ['%masquerade']={
+ rules={
+ {
+ family='inet',
+ table='nat',
+ chain='POSTROUTING',
+ opts='-m set --match-set awall-masquerade src',
+ target='awall-masquerade'
+ },
+ {
+ family='inet',
+ table='nat',
+ chain='awall-masquerade',
+ opts='-m set ! --match-set awall-masquerade dst',
+ target='MASQUERADE'
+ }
+ },
+ after='snat'
+ }
+}
diff --git a/awall/modules/nat.lua b/awall/modules/nat.lua
index 4a1984b..51d8446 100644
--- a/awall/modules/nat.lua
+++ b/awall/modules/nat.lua
@@ -1,6 +1,6 @@
 --[[
 NAT module for Alpine Wall
-Copyright (C) 2012 Kaarle Ritvanen
+Copyright (C) 2012-2013 Kaarle Ritvanen
 Licensed under the terms of GPL2
 ]]--
@@ -76,5 +76,7 @@ function SNATRule:init(...)
 end
-classes = {{'dnat', DNATRule},
- {'snat', SNATRule}}
+export = {
+ dnat={class=DNATRule},
+ snat={class=SNATRule}
+}
diff --git a/awall/modules/notrack.lua b/awall/modules/notrack.lua
index 6ff715c..6ae893c 100644
--- a/awall/modules/notrack.lua
+++ b/awall/modules/notrack.lua
@@ -1,6 +1,6 @@
 --[[
 Connection tracking bypass module for Alpine Wall
-Copyright (C) 2012 Kaarle Ritvanen
+Copyright (C) 2012-2013 Kaarle Ritvanen
 Licensed under the terms of GPL2
 ]]--
@@ -22,4 +22,4 @@ function NoTrackRule:target()
 end
-classes = {{'no-track', NoTrackRule}}
+export = {['no-track']={class=NoTrackRule}} |