From 1b3c188b580c6ade43ac7aec908643cc00418654 Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen
Date: Fri, 13 Jul 2012 08:05:03 +0000
Subject: base class for rules applicable to forwarded packets only

---
 awall/model.lua           | 22 ++++++++++++++++++++++
 awall/modules/nat.lua     | 23 ++++++-----------------
 awall/modules/notrack.lua | 24 ++---------------------
 3 files changed, 30 insertions(+), 39 deletions(-)
(limited to 'awall')

diff --git a/awall/model.lua b/awall/model.lua
index 176d59d..179f0e1 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -369,5 +369,27 @@ function Rule:newchain(base)
 end
 
 
+ForwardOnlyRule = class(Rule)
+
+function ForwardOnlyRule:init(...)
+   Rule.init(self, unpack(arg))
+   for i, dir in ipairs({'in', 'out'}) do
+      if util.contains(self[dir], fwzone) then
+         self:error('Not applicable to the firewall zone')
+      end
+   end
+end
+
+function ForwardOnlyRule:defaultzones() return {nil} end
+
+function ForwardOnlyRule:checkzoneoptfrag(ofrag)
+   if ofrag.out then
+      self:error('Cannot specify outbound interface ('..ofrag.out..')')
+   end
+end
+
+function ForwardOnlyRule:chain() return 'PREROUTING' end
+
+
 classes = {{'zone', Zone}}
 defrules = {}
diff --git a/awall/modules/nat.lua b/awall/modules/nat.lua
index 9dffaad..6ec39a2 100644
--- a/awall/modules/nat.lua
+++ b/awall/modules/nat.lua
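Review bot: `ForwardOnlyRule` becomes the base class that nat.lua and notrack.lua now rely on, yet nothing in the hunk states its contract; a doc comment above `ForwardOnlyRule = class(Rule)` should say that `init` rejects the firewall zone in both `in` and `out`, `checkzoneoptfrag` rejects an outbound interface, `defaultzones` yields a single unspecified zone and `chain` defaults to PREROUTING, so a subclass knows which of these it must override and which security checks it inherits. `Rule.init(self, unpack(arg))` also depends on the Lua 5.0-style `arg` table, which Lua 5.1 only fills when built with LUA_COMPAT_VARARG; `Rule.init(self, ...)` forwards the same arguments portably. The unused loop index in `for i, dir in ipairs({'in', 'out'})` is conventionally written `_`.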
@@ -8,33 +8,22 @@ Licensed under the terms of GPL2
 module(..., package.seeall)
 
 require 'awall.model'
-require 'awall.util'
 
 local model = awall.model
 
 
-local NATRule = model.class(model.Rule)
-
-function NATRule:init(...)
-   model.Rule.init(self, unpack(arg))
-   for i, dir in ipairs({'in', 'out'}) do
-      if awall.util.contains(self[dir], model.fwzone) then
-         self:error('NAT rules not allowed for firewall zone')
-      end
-   end
-end
-
-function NATRule:defaultzones() return {nil} end
+local NATRule = model.class(model.ForwardOnlyRule)
 
 function NATRule:checkzoneoptfrag(ofrag)
-   if ofrag[self.params.forbidif] then
-      self:error('Cannot specify '..self.params.forbidif..'bound interface for '..self.params.target..' rule')
+   local iface = ofrag[self.params.forbidif]
+   if iface then
+      self:error('Cannot specify '..self.params.forbidif..'bound interface ('..iface..')')
    end
 end
 
 function NATRule:trules()
    local res = {}
-   for i, ofrags in ipairs(model.Rule.trules(self)) do
+   for i, ofrags in ipairs(model.ForwardOnlyRule.trules(self)) do
       if ofrags.family == 'inet' then table.insert(res, ofrags) end
    end
    return res
@@ -45,7 +34,7 @@ function NATRule:table() return 'nat' end
 function NATRule:chain() return self.params.chain end
 
 function NATRule:target()
-   if self.action then return model.Rule.target(self) end
+   if self.action then return model.ForwardOnlyRule.target(self) end
 
    local target
    if self['ip-range'] then
diff --git a/awall/modules/notrack.lua b/awall/modules/notrack.lua
index 4b302fb..4e7d66f 100644
--- a/awall/modules/notrack.lua
+++ b/awall/modules/notrack.lua
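Review bot: `NATRule:checkzoneoptfrag` replaces the inherited `ForwardOnlyRule:checkzoneoptfrag` rather than extending it, so the base class's outbound-interface rejection never runs for NAT rules and the forbidden direction comes solely from `self.params.forbidif`; that is presumably intended, since different NAT targets forbid different directions, but a comment such as `-- overrides ForwardOnlyRule:checkzoneoptfrag: the forbidden direction is per target (params.forbidif), not always 'out'` would keep a later reader from "fixing" it by chaining to the base. The `trules` filter `if ofrags.family == 'inet' then table.insert(res, ofrags) end` discards every non-IPv4 fragment without any diagnostic, so a rule that only matches other address families yields nothing silently; a one-line comment stating that NAT rules are IPv4-only and other families are dropped would document that behaviour. The loop index in `for i, ofrags in ipairs(...)` is unused and is conventionally `_`.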
@@ -8,36 +8,16 @@ Licensed under the terms of GPL2
 module(..., package.seeall)
 
 require 'awall.model'
-require 'awall.util'
 
 local model = awall.model
 
 
-local NoTrackRule = model.class(model.Rule)
-
-function NoTrackRule:init(...)
-   model.Rule.init(self, unpack(arg))
-   for i, dir in ipairs({'in', 'out'}) do
-      if awall.util.contains(self[dir], model.fwzone) then
-         self:error('Connection tracking bypass rules not allowed for firewall zone')
-      end
-   end
-end
-
-function NoTrackRule:defaultzones() return {nil} end
-
-function NoTrackRule:checkzoneoptfrag(ofrag)
-   if ofrag.out then
-      self:error('Cannot specify outbound interface for connection tracking bypass rule')
-   end
-end
+local NoTrackRule = model.class(model.ForwardOnlyRule)
 
 function NoTrackRule:table() return 'raw' end
 
-function NoTrackRule:chain() return 'PREROUTING' end
-
 function NoTrackRule:target()
-   if self.action then return model.Rule.target(self) end
+   if self.action then return model.ForwardOnlyRule.target(self) end
 
    return 'NOTRACK'
 end
-- cgit v1.2.3
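Review bot: `NoTrackRule` is reduced to a class whose behaviour is almost entirely inherited, and nothing left in this file says what it inherits; a doc comment above `local NoTrackRule = model.class(model.ForwardOnlyRule)` such as `-- Connection-tracking bypass for forwarded traffic only: the inherited ForwardOnlyRule checks reject the firewall zone and any outbound interface, and the rule is emitted in the raw table's PREROUTING chain (chain() is inherited).` would record that the firewall-zone rejection still applies even though its code has moved out of this file. That check is what keeps NOTRACK away from traffic terminating on the firewall itself, so its continued presence is worth stating where the rule type is defined.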