author | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2012-08-16 10:43:28 +0000 |
---|---|---|
committer | Kaarle Ritvanen <kaarle.ritvanen@datakunkku.fi> | 2012-08-16 10:43:28 +0000 |
commit | ea47a4aa30bf0c3ab88b93f8e8c09198a0f8dbb1 (patch) | |
tree | 1991739bbedab0300af0eb60f4acce9032976ceb /awall | |
parent | d44d633a041120f655c04cfb7391c585364bcc2a (diff) | |
download | awall-ea47a4aa30bf0c3ab88b93f8e8c09198a0f8dbb1.tar.bz2 awall-ea47a4aa30bf0c3ab88b93f8e8c09198a0f8dbb1.tar.xz |
remove rule type-specific handling of zones and chains
Diffstat (limited to 'awall')
-rw-r--r-- | awall/iptables.lua | 11 | ||||
-rw-r--r-- | awall/model.lua | 84 | ||||
-rw-r--r-- | awall/modules/clampmss.lua | 4 | ||||
-rw-r--r-- | awall/modules/mark.lua | 2 | ||||
-rw-r--r-- | awall/modules/nat.lua | 18 | ||||
-rw-r--r-- | awall/modules/notrack.lua | 4 |
6 files changed, 74 insertions, 49 deletions
diff --git a/awall/iptables.lua b/awall/iptables.lua index 78dc48d..a974c84 100644 --- a/awall/iptables.lua +++ b/awall/iptables.lua @@ -22,12 +22,11 @@ local families = {inet={cmd='iptables', file='rules6-save', procfile='/proc/net/ip6_tables_names'}} -local builtin = {filter={'FORWARD', 'INPUT', 'OUTPUT'}, - mangle={'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING', - 'PREROUTING'}, - nat={'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'}, - raw={'OUTPUT', 'PREROUTING'}, - security={'FORWARD', 'INPUT', 'OUTPUT'}} +builtin = {filter={'FORWARD', 'INPUT', 'OUTPUT'}, + mangle={'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'}, + nat={'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'}, + raw={'OUTPUT', 'PREROUTING'}, + security={'FORWARD', 'INPUT', 'OUTPUT'}} local backupdir = '/var/run/awall' diff --git a/awall/model.lua b/awall/model.lua index f28dd8e..c722c94 100644 --- a/awall/model.lua +++ b/awall/model.lua @@ -9,9 +9,10 @@ module(..., package.seeall) require 'awall' require 'awall.host' -require 'awall.util' +require 'awall.iptables' require 'awall.object' require 'awall.optfrag' +require 'awall.util' local util = awall.util local combinations = awall.optfrag.combinations @@ -118,8 +119,6 @@ function Rule:init(...) end end -function Rule:defaultzones() return {nil, fwzone} end - function Rule:zoneoptfrags() @@ -139,6 +138,17 @@ function Rule:zoneoptfrags() chain = string.upper(dir)..'PUT' ofrags = zofs(z, dir) + elseif not zin or not zout then + + if zin then + chain = 'PREROUTING' + ofrags = zofs(zin, 'in') + + elseif zout then + chain = 'POSTROUTING' + ofrags = zofs(zout, 'out') + end + else chain = 'FORWARD' ofrags = combinations(zofs(zin, 'in'), zofs(zout, 'out')) 
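Review bot: Dropping `local` from `builtin` reads like an accidental global, which luacheck would flag; presumably iptables.lua uses `module(..., package.seeall)` as model.lua does, so the assignment lands in the module table and is what the new `awall.iptables.builtin` lookup in model.lua depends on. A one-line comment above the table, `-- exported: awall.model maps zone-derived chains onto each table's built-in chains via this`, would record that the export is deliberate. The context lines around it are only the tail of the `families` table and the `backupdir` local, so nothing else in the hunk is affected.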
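Review bot: The new `elseif not zin or not zout then` arm in Rule:zoneoptfrags is also entered when both zones are nil, and then neither inner `if zin` nor `elseif zout` runs, so `chain` (and apparently `ofrags`) is left unset on purpose and the return in the next hunk falls back to PREROUTING plus OUTPUT; that reliance is easy to misread as a missed case. A comment on the arm, `-- one zone given: PREROUTING (in-only) or POSTROUTING (out-only); none given: chain stays nil and is resolved at the return`, would make the intent explicit. Rule:zoneoptfrags starts before this hunk and its return lies in the following one.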
@@ -152,16 +162,14 @@ function Rule:zoneoptfrags() end end - if not ofrags then ofrags = {{}} end - - for i, ofrag in ipairs(ofrags) do ofrag.fchain = chain end - - return ofrags + return combinations(ofrags, + chain and {{chain=chain}} or {{chain='PREROUTING'}, + {chain='OUTPUT'}}) end local res = {} - local izones = self['in'] or self:defaultzones() - local ozones = self.out or self:defaultzones() + local izones = self['in'] or {} + local ozones = self.out or {} for i = 1,math.max(1, table.maxn(izones)) do for j = 1,math.max(1, table.maxn(ozones)) do @@ -248,8 +256,6 @@ end function Rule:table() return 'filter' end -function Rule:chain() return nil end - function Rule:position() return 'append' end function Rule:target() @@ -327,7 +333,6 @@ function Rule:trules() res = combinations(res, self:servoptfrags()) setfamilies(res) - tag(res, 'chain', self:chain()) local addrofrags = combinations(self:create(Zone, {addr=self.src}):optfrags('in'), self:destoptfrags()) @@ -366,7 +371,42 @@ function Rule:trules() util.extend(res, ffilter(self:extraoptfrags())) - tag(res, 'table', self:table(), false) + local tbl = self:table() + + local function convertchains(ofrags) + local res = {} + + for i, ofrag in ipairs(ofrags) do + + if util.contains(awall.iptables.builtin[tbl], ofrag.chain) then + table.insert(res, ofrag) + + else + local chains + if ofrag.chain == 'PREROUTING' then chains = {'FORWARD', 'INPUT'} + elseif ofrag.chain == 'POSTROUTING' then + chains = {'FORWARD', 'OUTPUT'} + elseif util.contains({'INPUT', 'FORWARD'}, ofrag.chain) then + chains = {'PREROUTING'} + end + + if chains then + ofrag.chain = nil + util.extend(res, + convertchains(combinations({ofrag}, + util.map(chains, + function(c) + return {chain=c} + end)))) + else table.insert(res, ofrag) end + end + end + + return res + end + + res = convertchains(res) + tag(res, 'table', tbl, false) local function checkzof(ofrag, dir, chains) if ofrag[dir] and util.contains(chains, ofrag.chain) then 
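Review bot: The removed guard `if not ofrags then ofrags = {{}} end` was what covered a rule with neither an in- nor an out-zone; with `izones`/`ozones` now defaulting to `{}` that case still reaches this return with `ofrags` nil (the new zone branch in the previous hunk appears to set nothing when both are nil), so correctness now rests on combinations() accepting a nil first operand, which this page does not show. If combinations() does treat nil as the identity, a comment `-- ofrags is nil for a zoneless rule; combinations() must accept that` would make the contract visible; if it does not, the guard should be reinstated before the return. The `chain and {...} or {...}` ternary is safe here because the middle operand is a table and therefore never falsy. Rule:zoneoptfrags starts before this hunk.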
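Review bot: Inside `convertchains` the `local res = {}` shadows the enclosing `res` that `res = convertchains(res)` reassigns a few lines later, so the two accumulators are easy to confuse; renaming the inner one, e.g. `local out = {}` with the matching `table.insert(out, ofrag)`, `util.extend(out, ...)` and `return out`, removes the shadowing without changing behaviour. The recursion terminates only because every table in `awall.iptables.builtin` contains PREROUTING or both FORWARD and INPUT (PREROUTING maps to FORWARD/INPUT and those map back to PREROUTING), and that assumption deserves a comment such as `-- terminates only while each table lists PREROUTING or both FORWARD and INPUT as built-ins` since a future table lacking them would recurse without bound. Rule:trules starts before this hunk and continues after it.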
@@ -401,21 +441,5 @@ function Rule:newchain(key) end -ForwardOnlyRule = class(Rule) - -function ForwardOnlyRule:init(...) - Rule.init(self, unpack(arg)) - for i, dir in ipairs({'in', 'out'}) do - if self[dir] and util.contains(self[dir], fwzone) then - self:error('Not applicable to the firewall zone') - end - end -end - -function ForwardOnlyRule:defaultzones() return {nil} end - -function ForwardOnlyRule:chain() return 'PREROUTING' end - - classes = {{'zone', Zone}} diff --git a/awall/modules/clampmss.lua b/awall/modules/clampmss.lua index e4c26da..d78302d 100644 --- a/awall/modules/clampmss.lua +++ b/awall/modules/clampmss.lua @@ -12,12 +12,10 @@ require 'awall.model' local model = awall.model -local ClampMSSRule = model.class(model.ForwardOnlyRule) +local ClampMSSRule = model.class(model.Rule) function ClampMSSRule:table() return 'mangle' end -function ClampMSSRule:chain() return 'POSTROUTING' end - function ClampMSSRule:servoptfrags() return {{opts='-p tcp --tcp-flags SYN,RST SYN'}} end diff --git a/awall/modules/mark.lua b/awall/modules/mark.lua index 23b2743..7dc0b6e 100644 --- a/awall/modules/mark.lua +++ b/awall/modules/mark.lua @@ -14,7 +14,7 @@ require 'awall.util' local model = awall.model -local MarkRule = model.class(model.ForwardOnlyRule) +local MarkRule = model.class(model.Rule) function MarkRule:table() return 'mangle' end diff --git a/awall/modules/nat.lua b/awall/modules/nat.lua index 3a23558..68c452d 100644 --- a/awall/modules/nat.lua +++ b/awall/modules/nat.lua 
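Review bot: Rebasing ClampMSSRule on `model.Rule` silently drops the check that `ForwardOnlyRule:init` used to perform — a rule naming the firewall zone raised 'Not applicable to the firewall zone' — so such a clampmss rule is now accepted and, via the fwzone branch in Rule:zoneoptfrags, appears to land in mangle's INPUT/OUTPUT instead of being rejected; the commit message does not say whether that widening of accepted input is intended. The same applies to the MarkRule and NoTrackRule hunks. If it is intended, a short comment on the `local ClampMSSRule = model.class(model.Rule)` line, `-- firewall-zone rules are accepted; chains follow from the zones`, would record that; if not, the old zone check should be reinstated in these modules.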
@@ -8,15 +8,19 @@ Licensed under the terms of GPL2 module(..., package.seeall) require 'awall.model' +require 'awall.util' local model = awall.model -local NATRule = model.class(model.ForwardOnlyRule) +local NATRule = model.class(model.Rule) function NATRule:trules() local res = {} - for i, ofrags in ipairs(model.ForwardOnlyRule.trules(self)) do + for i, ofrags in ipairs(model.Rule.trules(self)) do + if not awall.util.contains(self.params.chains, ofrags.chain) then + self:error('Inappropriate zone definitions for a '..self.params.target..' rule') + end if ofrags.family == 'inet' then table.insert(res, ofrags) end end return res @@ -24,10 +28,8 @@ end function NATRule:table() return 'nat' end -function NATRule:chain() return self.params.chain end - function NATRule:target() - if self.action then return model.ForwardOnlyRule.target(self) end + if self.action then return model.Rule.target(self) end local target if self['ip-range'] then @@ -44,7 +46,8 @@ local DNATRule = model.class(NATRule) function DNATRule:init(...) NATRule.init(self, unpack(arg)) self.params = {forbidif='out', subject='destination', - chain='PREROUTING', target='DNAT', deftarget='REDIRECT'} + chains={'INPUT', 'PREROUTING'}, + target='DNAT', deftarget='REDIRECT'} end @@ -53,7 +56,8 @@ local SNATRule = model.class(NATRule) function SNATRule:init(...) NATRule.init(self, unpack(arg)) self.params = {forbidif='in', subject='source', - chain='POSTROUTING', target='SNAT', deftarget='MASQUERADE'} + chains={'OUTPUT', 'POSTROUTING'}, + target='SNAT', deftarget='MASQUERADE'} end diff --git a/awall/modules/notrack.lua b/awall/modules/notrack.lua index 84d516d..6ff715c 100644 --- a/awall/modules/notrack.lua +++ b/awall/modules/notrack.lua 
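Review bot: The new check indexes `self.params.chains` unconditionally, but `params` is only assigned in DNATRule:init and SNATRule:init further down, so a NATRule whose subclass does not set it fails here with a raw nil-index error rather than the intended `self:error(...)` message; a guard such as `local chains = self.params and self.params.chains or {}` followed by `if not awall.util.contains(chains, ofrags.chain) then` keeps the failure on the model's error path. Separately, model.lua binds `local util = awall.util`, and doing the same after the new `require 'awall.util'` would let this read `util.contains(...)` consistently. NATRule:trules's closing `end` falls just outside this hunk.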
@@ -12,12 +12,12 @@ require 'awall.model' local model = awall.model -local NoTrackRule = model.class(model.ForwardOnlyRule) +local NoTrackRule = model.class(model.Rule) function NoTrackRule:table() return 'raw' end function NoTrackRule:target() - if self.action then return model.ForwardOnlyRule.target(self) end + if self.action then return model.Rule.target(self) end return 'NOTRACK' end |