From 932b4bad1842cef6523d22eb9512062df729a59b Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen
Date: Mon, 3 Sep 2012 09:44:01 +0000
Subject: support bypassing connection tracking per filter rule
rules for reverse direction created automatically
---
 awall/model.lua | 31 +++++++++++++++++++++----------
 awall/modules/filter.lua | 12 +++++++++++-
 2 files changed, 32 insertions(+), 11 deletions(-)
diff --git a/awall/model.lua b/awall/model.lua
index fe31cbf..db5f5a1 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -124,6 +124,13 @@ function Rule:init(...)
 end
+function Rule:direction(dir)
+ if dir == 'in' then return self.reverse and 'out' or 'in' end
+ if dir == 'out' then return self.reverse and 'in' or 'out' end
+ self:error('Invalid direction: '..dir)
+end
+
+
 function Rule:zoneoptfrags()
 local function zonepair(zin, zout)
@@ -172,8 +179,8 @@ function Rule:zoneoptfrags()
 end
 local res = {}
- local izones = self['in'] or {}
- local ozones = self.out or {}
+ local izones = self[self:direction('in')] or {}
+ local ozones = self[self:direction('out')] or {}
 for i = 1,math.max(1, table.maxn(izones)) do
 for j = 1,math.max(1, table.maxn(ozones)) do
@@ -234,14 +241,15 @@ function Rule:servoptfrags()
 end
 end
+ local popt = ' --'..(self.reverse and 's' or 'd')..'port'
 for proto, plist in pairs(ports) do
 local opts = '-p '..proto
 local len = table.maxn(plist)
 if len == 1 then
- opts = opts..' --dport '..plist[1]
+ opts = opts..popt..' '..plist[1]
 elseif len > 1 then
- opts = opts..' -m multiport --dports '..table.concat(plist, ',')
+ opts = opts..' -m multiport'..popt..'s '..table.concat(plist, ',')
 end
 table.insert(res, {opts=opts})
@@ -251,7 +259,7 @@ function Rule:servoptfrags()
 end
 function Rule:destoptfrags()
- return self:create(Zone, {addr=self.dest}):optfrags('out')
+ return self:create(Zone, {addr=self.dest}):optfrags(self:direction('out'))
 end
 function Rule:table() return 'filter' end
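Review bot: `self:error('Invalid direction: '..dir)` in the new Rule:direction concatenates `dir` directly, so a nil or boolean value (an ipset argument or `ipsec` value that is not a string, if the config loader lets those through) would raise a Lua "attempt to concatenate" error instead of the intended validation message; use `self:error('Invalid direction: '..tostring(dir))`. A header comment would also help, because the `reverse` flag now silently flips every caller's notion of in/out: `-- Map a logical direction to the effective one: a reverse rule (self.reverse) swaps 'in' and 'out' so one rule definition can also generate the return-traffic rule.`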
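Review bot: The `' --'..(self.reverse and 's' or 'd')..'port'` construction in servoptfrags is terse enough that a reader has to work out that it yields `--sport`/`--dport` (and `--sports`/`--dports` once the `'s'` is appended in the multiport branch); a one-line comment would make the intent explicit: `-- a reverse rule matches the return traffic, so the service port is the packet's source port`. It is worth stating there, too, that a reverse rule's service match is therefore on source port only, which is the usual stateless return-path match and carries the corresponding spoofing caveat. servoptfrags starts outside the hunk.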
@@ -317,9 +325,10 @@ function Rule:trules()
 local setopts = '-m set --match-set '..ipset.name..' '
 setopts = setopts..table.concat(util.map(util.list(ipset.args), function(a)
- if a == 'in' then return 'src' end
- if a == 'out' then return 'dst' end
- self:error('Invalid set direction argument')
+ if self:direction(a) == 'in' then
+ return 'src'
+ end
+ return 'dst'
 end), ',')
 table.insert(ipsetofrags, {family=setdef.family, opts=setopts})
@@ -328,14 +337,16 @@ function Rule:trules()
 end
 if self.ipsec then
- res = combinations(res, {{opts='-m policy --pol ipsec --dir '..self.ipsec}})
+ res = combinations(res,
+ {{opts='-m policy --pol ipsec --dir '..self:direction(self.ipsec)}})
 end
 res = combinations(res, self:servoptfrags())
 setfamilies(res)
- local addrofrags = combinations(self:create(Zone, {addr=self.src}):optfrags('in'),
+ local addrofrags = combinations(self:create(Zone,
+ {addr=self.src}):optfrags(self:direction('in')),
 self:destoptfrags())
 if addrofrags then
diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua
index 733263f..b6d1426 100644
--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -79,6 +79,9 @@ function Filter:trules()
 if self.action ~= 'accept' then
 self:error('dnat option not allowed with '..self.action..' action')
 end
+ if self['no-track'] then
+ self:error('dnat option not allowed with no-track')
+ end
 if not self.dest then
 self:error('Destination address must be specified with DNAT')
 end
@@ -107,10 +110,17 @@ function Filter:trules()
 extrarules('dnat', {['ip-range']=dnataddr, out=nil})
 end
- if self.action == 'tarpit' then extrarules('no-track') end
+ if self.action == 'tarpit' or self['no-track'] then
+ extrarules('no-track')
+ end
 extend(res, model.Rule.trules(self))
+ if self['no-track'] and self.action == 'accept' then
+ extrarules('no-track', {reverse=true})
+ extrarules('filter', {reverse=true, action='accept', log=false})
+ end
+
 return res
 end
-- cgit v1.2.3
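Review bot: The rewritten mapper in the ipset-args branch of Rule:trules delegates validation to `self:direction(a)`, so a bad set direction is now reported as "Invalid direction: X" instead of the previous "Invalid set direction argument", and the user can no longer tell that the problem is in an ipset's args rather than in `in`/`out`/`ipsec`. Validating first keeps the context: `if a ~= 'in' and a ~= 'out' then self:error('Invalid set direction argument') end` before `return self:direction(a) == 'in' and 'src' or 'dst'`. Rule:trules starts and ends outside the hunk.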
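Review bot: The reverse rules generated for `no-track` with `accept` (`extrarules('filter', {reverse=true, action='accept', log=false})`) are a stateless allow of the return direction: per the model.lua changes they match zones, addresses and, only when the rule has a service, the service port as source port, with no conntrack state tying them to a real connection, so any packet from the destination side carrying that source port reaches the client, and a `no-track` accept rule with no service opens the entire reverse direction between the two zones. That is inherent to bypassing connection tracking and is presumably intended, but nothing in the hunk says so; a comment such as `-- no-track rules are stateless: the return traffic must be accepted explicitly, matched by source port only, so it is not tied to an existing connection` would warn the next maintainer, and the `no-track` option documentation should carry the same caveat. If an unrestricted reverse accept is not intended, consider rejecting `no-track` with `accept` when no service is given, the way `dnat` is rejected in the earlier hunk. Filter:trules starts outside the hunk.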