authorKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2012-08-16 10:43:28 +0000
committerKaarle Ritvanen <kaarle.ritvanen@datakunkku.fi>2012-08-16 10:43:28 +0000
commitea47a4aa30bf0c3ab88b93f8e8c09198a0f8dbb1 (patch)
tree1991739bbedab0300af0eb60f4acce9032976ceb /awall
parentd44d633a041120f655c04cfb7391c585364bcc2a (diff)
downloadawall-ea47a4aa30bf0c3ab88b93f8e8c09198a0f8dbb1.tar.bz2
awall-ea47a4aa30bf0c3ab88b93f8e8c09198a0f8dbb1.tar.xz
remove rule type-specific handling of zones and chains
Diffstat (limited to 'awall')
-rw-r--r--awall/iptables.lua11
-rw-r--r--awall/model.lua84
-rw-r--r--awall/modules/clampmss.lua4
-rw-r--r--awall/modules/mark.lua2
-rw-r--r--awall/modules/nat.lua18
-rw-r--r--awall/modules/notrack.lua4
6 files changed, 74 insertions, 49 deletions
diff --git a/awall/iptables.lua b/awall/iptables.lua
index 78dc48d..a974c84 100644
--- a/awall/iptables.lua
+++ b/awall/iptables.lua
@@ -22,12 +22,11 @@ local families = {inet={cmd='iptables',
file='rules6-save',
procfile='/proc/net/ip6_tables_names'}}
-local builtin = {filter={'FORWARD', 'INPUT', 'OUTPUT'},
- mangle={'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING',
- 'PREROUTING'},
- nat={'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
- raw={'OUTPUT', 'PREROUTING'},
- security={'FORWARD', 'INPUT', 'OUTPUT'}}
+builtin = {filter={'FORWARD', 'INPUT', 'OUTPUT'},
+ mangle={'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
+ nat={'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
+ raw={'OUTPUT', 'PREROUTING'},
+ security={'FORWARD', 'INPUT', 'OUTPUT'}}
local backupdir = '/var/run/awall'
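Review bot: Dropping `local` turns `builtin` into the one piece of data this module exports, and nothing at the definition says so; the next reader (or luacheck) will take it for an accidental global. A comment above the table such as `-- exported: awall.model consults this to tell a table's built-in chains from ones that must be mapped` would record the intent, and would also warn that the nested tables are shared mutable state for every consumer. Whether the assignment lands in the module table rather than `_G` depends on this file calling `module(...)`, which is outside the hunk. The `families` table whose tail is visible at the top of the hunk also begins before it.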
diff --git a/awall/model.lua b/awall/model.lua
index f28dd8e..c722c94 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -9,9 +9,10 @@ module(..., package.seeall)
require 'awall'
require 'awall.host'
-require 'awall.util'
+require 'awall.iptables'
require 'awall.object'
require 'awall.optfrag'
+require 'awall.util'
local util = awall.util
local combinations = awall.optfrag.combinations
@@ -118,8 +119,6 @@ function Rule:init(...)
end
end
-function Rule:defaultzones() return {nil, fwzone} end
-
function Rule:zoneoptfrags()
@@ -139,6 +138,17 @@ function Rule:zoneoptfrags()
chain = string.upper(dir)..'PUT'
ofrags = zofs(z, dir)
+ elseif not zin or not zout then
+
+ if zin then
+ chain = 'PREROUTING'
+ ofrags = zofs(zin, 'in')
+
+ elseif zout then
+ chain = 'POSTROUTING'
+ ofrags = zofs(zout, 'out')
+ end
+
else
chain = 'FORWARD'
ofrags = combinations(zofs(zin, 'in'), zofs(zout, 'out'))
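Review bot: The branch added at `elseif not zin or not zout` is also entered when both zones are nil, in which case neither inner test fires and `chain` and `ofrags` stay unset; that is presumably deliberate, since the fallback lower in this function expands a nil chain to PREROUTING and OUTPUT, but nothing here says so. A comment like `-- zone on one side only: in-zone rules go before routing, out-zone rules after; with no zone at all chain stays nil and is expanded by the caller` would spare the next reader the trace. Flattening the nest to `elseif zin and not zout then` / `elseif zout and not zin then` would remove one level and make the both-nil fall-through visible in the conditions themselves. Rule:zoneoptfrags begins before this hunk.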
@@ -152,16 +162,14 @@ function Rule:zoneoptfrags()
end
end
- if not ofrags then ofrags = {{}} end
-
- for i, ofrag in ipairs(ofrags) do ofrag.fchain = chain end
-
- return ofrags
+ return combinations(ofrags,
+ chain and {{chain=chain}} or {{chain='PREROUTING'},
+ {chain='OUTPUT'}})
end
local res = {}
- local izones = self['in'] or self:defaultzones()
- local ozones = self.out or self:defaultzones()
+ local izones = self['in'] or {}
+ local ozones = self.out or {}
for i = 1,math.max(1, table.maxn(izones)) do
for j = 1,math.max(1, table.maxn(ozones)) do
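Review bot: The `if not ofrags then ofrags = {{}} end` guard is removed, yet the one-sided-zone branch earlier in this function still leaves `ofrags` nil when neither `in` nor `out` is set, and with `izones`/`ozones` now defaulting to `{}` the loop below runs exactly once with `zin == zout == nil`, so `combinations(nil, …)` is reachable for every zone-less rule. Whether `awall.optfrag.combinations` treats a nil left operand as the identity is not visible here; if it does not, keep `ofrags = ofrags or {{}}` ahead of the return. The PREROUTING/OUTPUT fallback for a nil chain also relies on the later convertchains step to map those names onto chains the rule's table actually has, which is worth a one-line comment at the return. Rule:zoneoptfrags starts before this hunk.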
@@ -248,8 +256,6 @@ end
function Rule:table() return 'filter' end
-function Rule:chain() return nil end
-
function Rule:position() return 'append' end
function Rule:target()
@@ -327,7 +333,6 @@ function Rule:trules()
res = combinations(res, self:servoptfrags())
setfamilies(res)
- tag(res, 'chain', self:chain())
local addrofrags = combinations(self:create(Zone, {addr=self.src}):optfrags('in'),
self:destoptfrags())
@@ -366,7 +371,42 @@ function Rule:trules()
util.extend(res, ffilter(self:extraoptfrags()))
- tag(res, 'table', self:table(), false)
+ local tbl = self:table()
+
+ local function convertchains(ofrags)
+ local res = {}
+
+ for i, ofrag in ipairs(ofrags) do
+
+ if util.contains(awall.iptables.builtin[tbl], ofrag.chain) then
+ table.insert(res, ofrag)
+
+ else
+ local chains
+ if ofrag.chain == 'PREROUTING' then chains = {'FORWARD', 'INPUT'}
+ elseif ofrag.chain == 'POSTROUTING' then
+ chains = {'FORWARD', 'OUTPUT'}
+ elseif util.contains({'INPUT', 'FORWARD'}, ofrag.chain) then
+ chains = {'PREROUTING'}
+ end
+
+ if chains then
+ ofrag.chain = nil
+ util.extend(res,
+ convertchains(combinations({ofrag},
+ util.map(chains,
+ function(c)
+ return {chain=c}
+ end))))
+ else table.insert(res, ofrag) end
+ end
+ end
+
+ return res
+ end
+
+ res = convertchains(res)
+ tag(res, 'table', tbl, false)
local function checkzof(ofrag, dir, chains)
if ofrag[dir] and util.contains(chains, ofrag.chain) then
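Review bot: `awall.iptables.builtin[tbl]` is evaluated for every fragment and is nil whenever `tbl` is not one of the five known tables; what `util.contains(nil, …)` does is not visible, but if it merely returns false the mapping PREROUTING → FORWARD → PREROUTING in convertchains recurses without bound. Hoist the lookup and fail early: `local builtin = awall.iptables.builtin[tbl]` followed by `if not builtin then self:error('Unknown table: '..tostring(tbl)) end` before the loop, then test `util.contains(builtin, ofrag.chain)`. A fragment whose chain is neither built-in nor one of the four mapped names is passed through untouched, which is right for user-defined chains but deserves a comment on the final `else`. Rule:trules continues past the end of this hunk.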
@@ -401,21 +441,5 @@ function Rule:newchain(key)
end
-ForwardOnlyRule = class(Rule)
-
-function ForwardOnlyRule:init(...)
- Rule.init(self, unpack(arg))
- for i, dir in ipairs({'in', 'out'}) do
- if self[dir] and util.contains(self[dir], fwzone) then
- self:error('Not applicable to the firewall zone')
- end
- end
-end
-
-function ForwardOnlyRule:defaultzones() return {nil} end
-
-function ForwardOnlyRule:chain() return 'PREROUTING' end
-
-
classes = {{'zone', Zone}}
diff --git a/awall/modules/clampmss.lua b/awall/modules/clampmss.lua
index e4c26da..d78302d 100644
--- a/awall/modules/clampmss.lua
+++ b/awall/modules/clampmss.lua
@@ -12,12 +12,10 @@ require 'awall.model'
local model = awall.model
-local ClampMSSRule = model.class(model.ForwardOnlyRule)
+local ClampMSSRule = model.class(model.Rule)
function ClampMSSRule:table() return 'mangle' end
-function ClampMSSRule:chain() return 'POSTROUTING' end
-
function ClampMSSRule:servoptfrags()
return {{opts='-p tcp --tcp-flags SYN,RST SYN'}}
end
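Review bot: Removing the POSTROUTING override lets an `in`-only clampmss rule land in mangle PREROUTING, and a zone-less one in PREROUTING and OUTPUT via model.lua's nil-chain fallback, whereas before every clampmss rule went to POSTROUTING. If the target, which is outside this hunk, uses `--clamp-mss-to-pmtu`, the kernel's TCPMSS module refuses rules in PREROUTING (path-MTU clamping is only accepted in the FORWARD, OUTPUT and POSTROUTING hooks), so the generated ruleset would fail to load. Mapping PREROUTING to FORWARD for this rule type after the generic translation keeps the rule loadable and, together with the OUTPUT fragment, covers the same packets the old POSTROUTING placement did; a comment should say why the override exists.
```lua
function ClampMSSRule:trules()
   local res = model.Rule.trules(self)
   for i, ofrag in ipairs(res) do
      -- TCPMSS --clamp-mss-to-pmtu is refused by the kernel in PREROUTING;
      -- FORWARD plus the OUTPUT fragment covers what POSTROUTING used to
      if ofrag.chain == 'PREROUTING' then ofrag.chain = 'FORWARD' end
   end
   return res
end
```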
diff --git a/awall/modules/mark.lua b/awall/modules/mark.lua
index 23b2743..7dc0b6e 100644
--- a/awall/modules/mark.lua
+++ b/awall/modules/mark.lua
@@ -14,7 +14,7 @@ require 'awall.util'
local model = awall.model
-local MarkRule = model.class(model.ForwardOnlyRule)
+local MarkRule = model.class(model.Rule)
function MarkRule:table() return 'mangle' end
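Review bot: Zone-less mark rules change meaning with this base-class switch and the commit message does not say so: ForwardOnlyRule pinned them to PREROUTING, while model.Rule's nil-chain fallback now emits them in both PREROUTING and OUTPUT, so the firewall's own packets are marked as well. If that is intended (a policy-routing mark usually wants it), a one-line comment on the class, `-- zone-less mark rules cover forwarded and locally generated traffic`, would make it explicit; if not, this rule type needs its own chain selection. The rest of MarkRule lies outside this hunk.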
diff --git a/awall/modules/nat.lua b/awall/modules/nat.lua
index 3a23558..68c452d 100644
--- a/awall/modules/nat.lua
+++ b/awall/modules/nat.lua
@@ -8,15 +8,19 @@ Licensed under the terms of GPL2
module(..., package.seeall)
require 'awall.model'
+require 'awall.util'
local model = awall.model
-local NATRule = model.class(model.ForwardOnlyRule)
+local NATRule = model.class(model.Rule)
function NATRule:trules()
local res = {}
- for i, ofrags in ipairs(model.ForwardOnlyRule.trules(self)) do
+ for i, ofrags in ipairs(model.Rule.trules(self)) do
+ if not awall.util.contains(self.params.chains, ofrags.chain) then
+ self:error('Inappropriate zone definitions for a '..self.params.target..' rule')
+ end
if ofrags.family == 'inet' then table.insert(res, ofrags) end
end
return res
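Review bot: Style: `awall.util.contains` is spelled out inside the loop although the file now requires `awall.util`; aliasing `local util = awall.util` beside `local model = awall.model`, as model.lua does, keeps the two modules consistent. The loop variable `ofrags` holds a single fragment, so `ofrag` reads better. The error is raised on the first offending fragment without saying which chain was derived; appending `' (chain '..ofrags.chain..')'` to the message would show the user which zone combination caused it.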
@@ -24,10 +28,8 @@ end
function NATRule:table() return 'nat' end
-function NATRule:chain() return self.params.chain end
-
function NATRule:target()
- if self.action then return model.ForwardOnlyRule.target(self) end
+ if self.action then return model.Rule.target(self) end
local target
if self['ip-range'] then
@@ -44,7 +46,8 @@ local DNATRule = model.class(NATRule)
function DNATRule:init(...)
NATRule.init(self, unpack(arg))
self.params = {forbidif='out', subject='destination',
- chain='PREROUTING', target='DNAT', deftarget='REDIRECT'}
+ chains={'INPUT', 'PREROUTING'},
+ target='DNAT', deftarget='REDIRECT'}
end
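Review bot: The allowed list `chains={'INPUT', 'PREROUTING'}` does not match where iptables accepts DNAT and REDIRECT, which are valid in the nat table's PREROUTING and OUTPUT chains only. Assuming the firewall-zone branch of Rule:zoneoptfrags maps `in: _fw` to OUTPUT (the `string.upper(dir)..'PUT'` line suggests so), a DNAT rule redirecting the firewall's own outbound connections is now rejected as 'Inappropriate zone definitions', while INPUT, which iptables refuses at load time, is whitelisted; with `forbidif='out'` INPUT presumably can never arise, so that entry is dead. Suggest `chains={'OUTPUT', 'PREROUTING'}`.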
@@ -53,7 +56,8 @@ local SNATRule = model.class(NATRule)
function SNATRule:init(...)
NATRule.init(self, unpack(arg))
self.params = {forbidif='in', subject='source',
- chain='POSTROUTING', target='SNAT', deftarget='MASQUERADE'}
+ chains={'OUTPUT', 'POSTROUTING'},
+ target='SNAT', deftarget='MASQUERADE'}
end
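Review bot: `chains={'OUTPUT', 'POSTROUTING'}` looks mirrored from the DNAT list rather than taken from iptables: SNAT is accepted in POSTROUTING and (since kernel 2.6.36) INPUT, never in OUTPUT, and MASQUERADE in POSTROUTING only. An `out: _fw` rule, which the zone mapping appears to place in INPUT, is therefore refused by awall although iptables allows SNAT there, and OUTPUT, which `forbidif='in'` presumably prevents from ever being derived, is whitelisted for nothing. Suggest `chains={'INPUT', 'POSTROUTING'}`, with an extra check in NATRule:trules that an INPUT fragment only passes when the rule resolves to the explicit SNAT target rather than the MASQUERADE default.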
diff --git a/awall/modules/notrack.lua b/awall/modules/notrack.lua
index 84d516d..6ff715c 100644
--- a/awall/modules/notrack.lua
+++ b/awall/modules/notrack.lua
@@ -12,12 +12,12 @@ require 'awall.model'
local model = awall.model
-local NoTrackRule = model.class(model.ForwardOnlyRule)
+local NoTrackRule = model.class(model.Rule)
function NoTrackRule:table() return 'raw' end
function NoTrackRule:target()
- if self.action then return model.ForwardOnlyRule.target(self) end
+ if self.action then return model.Rule.target(self) end
return 'NOTRACK'
end