From d44d633a041120f655c04cfb7391c585364bcc2a Mon Sep 17 00:00:00 2001
From: Kaarle Ritvanen
Date: Thu, 16 Aug 2012 10:37:34 +0000
Subject: do not create helper chains for unused actions

only the minimum set of targets is required of the kernel
---
 awall/init.lua | 25 +++++++++++++--
 awall/model.lua | 12 +++-----
 awall/modules/filter.lua | 73 ++++++++++++++++++++------------------
 awall/modules/mark.lua | 7 +++--
 awall/modules/masquerade.lua | 6 ++--
 awall/optfrag.lua | 2 ++
 6 files changed, 70 insertions(+), 55 deletions(-)
(limited to 'awall')

diff --git a/awall/init.lua b/awall/init.lua
index 14f2d08..47cead4 100644
--- a/awall/init.lua
+++ b/awall/init.lua
@@ -13,9 +13,12 @@ require 'awall.ipset'
 require 'awall.iptables'
 require 'awall.model'
 require 'awall.object'
+require 'awall.optfrag'
 require 'awall.policy'
 require 'awall.util'
 
+local optfrag = awall.optfrag
+
 local procorder
 local defrules
 
@@ -24,6 +27,7 @@ function loadmodules(path)
 classmap = {}
 procorder = {}
 defrules = {}
+ achains = {}
 
 local function readmetadata(mod)
 for i, clsdef in ipairs(mod.classes or {}) do
@@ -35,6 +39,10 @@ function loadmodules(path)
 if not defrules[phase] then defrules[phase] = {} end
 table.insert(defrules[phase], rules)
 end
+ for name, opts in pairs(mod.achains or {}) do
+ assert(not achains[name])
+ achains[name] = opts
+ end
 end
 
 readmetadata(model)
@@ -75,13 +83,22 @@ function Config:init(policyconfig)
 end
 end
 
+ local acfrags = {}
+
 local function insertrules(trules)
 for i, trule in ipairs(trules) do
 local t = self.iptables.config[trule.family][trule.table][trule.chain]
+ local opts = (trule.opts and trule.opts..' ' or '')..'-j '..trule.target
+
+ local acfrag = {family=trule.family,
+ table=trule.table,
+ chain=trule.target}
+ acfrags[optfrag.location(acfrag)] = acfrag
+
 if trule.position == 'prepend' then
- table.insert(t, 1, trule.opts)
+ table.insert(t, 1, opts)
 else
- table.insert(t, trule.opts)
+ table.insert(t, opts)
 end
 end
 end
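Review bot: `achains = {}` in loadmodules is assigned without `local`, whereas the first hunk of this file shows `procorder` and `defrules` declared `local` at file scope, so `achains` becomes a global that any loaded module could overwrite by accident. Within this commit the table is consumed only by Config:init in the same file, so declaring it beside the others, `local achains`, and keeping the assignment in loadmodules would be enough; `classmap` has the same shape but whether other files read it is not visible here. loadmodules continues outside the hunk.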
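Review bot: The loop `for name, opts in pairs(mod.achains or {})` treats `mod.achains` as a map keyed by chain name, but the achains table filter.lua builds in this same commit is a list filled with `util.extend`, so `name` here is a list index, and `achains` is later handed to `optfrag.combinations` as a list as well. `assert(not achains[name])` therefore passes only because exactly one module defines achains; a second module would collide at index 1 and trip the assert even when its chain names are distinct. Either append, `for i, ac in ipairs(mod.achains or {}) do table.insert(achains, ac) end`, or key by `ac.chain` and state the duplicate policy explicitly; whichever is chosen, the expected shape of `mod.achains` deserves a comment since module authors cannot see this loop.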
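Review bot: `'-j '..trule.target` in insertrules fails with a bare "attempt to concatenate a nil value" for any rule that arrives without a target, and this commit makes the target mandatory for every rule where it was previously just part of `opts`. A guard with a locatable message, `assert(trule.target, 'no target for rule in '..optfrag.location(trule))`, fails at the right place instead of inside string concatenation. The same value is also stored as `chain` in acfrags, so targets that carry options, such as `CONNMARK --save-mark` in mark.lua, produce lookup keys that can never name a chain; this is harmless as written but worth a one-line comment on `acfrag` saying that only bare chain names are expected to match an action chain. Config:init continues outside the hunk.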
@@ -107,6 +124,10 @@ function Config:init(policyconfig)
 insertdefrules('post-'..path)
 end
 
+ local ofrags = {}
+ for k, v in pairs(acfrags) do table.insert(ofrags, v) end
+ insertrules(optfrag.combinations(achains, ofrags))
+
 morph('ipset', awall.model.ConfigObject)
 self.ipset = ipset.IPSet.new(self.objects.ipset)
 end
diff --git a/awall/model.lua b/awall/model.lua
index 4a8ad1a..f28dd8e 100644
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -48,8 +48,8 @@ function ConfigObject:info()
 local res = {}
 for i, trule in ipairs(self:trules()) do
 table.insert(res,
- {' '..trule.family..'/'..trule.table..'/'..trule.chain,
- trule.opts})
+ {' '..awall.optfrag.location(trule),
+ (trule.opts and trule.opts..' ' or '')..'-j '..trule.target})
 end
 return res
 end
@@ -294,10 +294,6 @@ function Rule:trules()
 end)
 end
 
- local function appendtarget(ofrag, target)
- ofrag.opts = (ofrag.opts and ofrag.opts..' ' or '')..'-j '..target
- end
-
 local res = self:zoneoptfrags()
 
 if self.ipset then
@@ -358,12 +354,12 @@ function Rule:trules()
 
 tag(res, 'position', self:position())
 
- for i, ofrag in ipairs(res) do appendtarget(ofrag, target) end
+ res = combinations(res, {{target=target}})
 
 if addrchain then
 for i, ofrag in ipairs(addrofrags) do
 ofrag.chain = target
- appendtarget(ofrag, self:target())
+ ofrag.target = self:target()
 table.insert(res, ofrag)
 end
 end
diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua
index c04f74e..d5652f4 100644
--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -14,6 +14,7 @@ require 'awall.optfrag'
 require 'awall.util'
 
 local model = awall.model
+local combinations = awall.optfrag.combinations
 
 local Filter = model.class(model.Rule)
 
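Review bot: Helper chains are materialised in a single pass: `insertrules(optfrag.combinations(achains, ofrags))` consumes the acfrags gathered from the rules inserted so far, and the entries this call itself adds to acfrags are never read, since the visible remainder of Config:init only sets up the ipset. A helper chain that jumps to another helper chain would therefore be referenced but never created; the achains defined in this commit (logdrop, logreject, tarpit) only jump to built-in targets, so nothing breaks today, but the constraint should be written down, e.g. `-- single pass: action chains may only jump to built-in targets, chains referenced from other action chains are not created`. Iterating acfrags with `pairs` also makes the order in which helper-chain rules are emitted across families and tables run-dependent; assuming combinations preserves the order of its first argument, the order inside each chain is still fixed by achains, but sorting the location keys before building `ofrags` would make generated rule dumps reproducible between runs. Config:init begins outside the hunk.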
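Review bot: The expression `(trule.opts and trule.opts..' ' or '')..'-j '..trule.target` in ConfigObject:info is a verbatim copy of the one init.lua's insertrules now builds, so the text reported by info and the text actually loaded into iptables can silently diverge once either copy is edited. Since this commit already introduces `awall.optfrag.location` as the shared formatter for a fragment's position, a sibling such as `function command(of) return (of.opts and of.opts..' ' or '')..'-j '..of.target end` used by both callers would keep the two in lockstep. ConfigObject:info starts before the hunk.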
@@ -25,7 +26,7 @@ function Filter:destoptfrags()
 local ofrags = model.Rule.destoptfrags(self)
 if not self.dnat then return ofrags end
 
- ofrags = awall.optfrag.combinations(ofrags, {{family='inet6'}})
+ ofrags = combinations(ofrags, {{family='inet6'}})
 local natof = self:create(model.Zone, {addr=self.dnat}):optfrags('out')
 assert(#natof == 1)
 table.insert(ofrags, natof[1])
@@ -115,9 +116,11 @@ function Filter:extraoptfrags()
 end
 local optbase = '-m recent --name '..self:target()
 table.insert(res, {chain=self:target(),
- opts=optbase..' --update --hitcount '..self[limit].count..' --seconds '..self[limit].interval..' -j logdrop'})
+ opts=optbase..' --update --hitcount '..self[limit].count..' --seconds '..self[limit].interval,
+ target='logdrop'})
 table.insert(res, {chain=self:target(),
- opts=optbase..' --set -j ACCEPT'})
+ opts=optbase..' --set',
+ target='ACCEPT'})
 end
 return res
 end
@@ -132,47 +135,37 @@ function Policy:servoptfrags()
 return nil
 end
 
 classes = {{'filter', Filter}, {'policy', Policy}}
-defrules = {pre={}, ['post-filter']={}}
-local limitedlog = '-m limit --limit 1/second -j LOG'
+defrules = {}
 
-for i, family in ipairs({'inet', 'inet6'}) do
- for i, target in ipairs({'drop', 'reject'}) do
- for i, opts in ipairs({limitedlog, '-j '..string.upper(target)}) do
- table.insert(defrules.pre,
- {family=family,
- table='filter',
- chain='log'..target,
- opts=opts})
- end
- end
+local dar = combinations({{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}},
+ {{opts='-m state --state RELATED,ESTABLISHED'}})
+for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
+ table.insert(dar,
+ {chain=chain,
+ opts='-'..string.lower(string.sub(chain, 1, 1))..' lo'})
+end
+defrules.pre = combinations(combinations(dar,
+ {{table='filter', target='ACCEPT'}}),
+ {{family='inet'}, {family='inet6'}})
 
- for i, opts in ipairs({limitedlog, '-p tcp -j TARPIT', '-j DROP'}) do
- table.insert(defrules.pre,
- {family=family, table='filter', chain='tarpit', opts=opts})
- end
+defrules['post-filter'] = combinations({{family='inet6',
+ table='filter',
+ opts='-p icmpv6',
+ target='ACCEPT'}},
+ {{chain='INPUT'}, {chain='OUTPUT'}})
 
- for i, chain in ipairs({'FORWARD', 'INPUT', 'OUTPUT'}) do
- table.insert(defrules.pre,
- {family=family,
- table='filter',
- chain=chain,
- opts='-m state --state RELATED,ESTABLISHED -j ACCEPT'})
- end
- for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
- table.insert(defrules.pre,
- {family=family,
- table='filter',
- chain=chain,
- opts='-'..string.lower(string.sub(chain, 1, 1))..' lo -j ACCEPT'})
- end
-end
+achains = {}
 
-for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
- table.insert(defrules['post-filter'],
- {family='inet6',
- table='filter',
- chain=chain,
- opts='-p icmpv6 -j ACCEPT'})
+local limitedlog = {opts='-m limit --limit 1/second', target='LOG'}
+for i, target in ipairs({'drop', 'reject'}) do
+ util.extend(achains,
+ combinations({{chain='log'..target}},
+ {limitedlog, {target=string.upper(target)}}))
 end
+util.extend(achains,
+ combinations({{chain='tarpit'}},
+ {limitedlog,
+ {opts='-p tcp', target='TARPIT'},
+ {target='DROP'}}))
 
diff --git a/awall/modules/mark.lua b/awall/modules/mark.lua
index bdc469c..23b2743 100644
--- a/awall/modules/mark.lua
+++ b/awall/modules/mark.lua
@@ -34,8 +34,8 @@ function RouteTrackRule:servoptfrags()
 end
 
 function RouteTrackRule:extraoptfrags()
- return {{chain=self:target(), opts='-j '..MarkRule.target(self)},
- {chain=self:target(), opts='-j CONNMARK --save-mark'}}
+ return {{chain=self:target(), target=MarkRule.target(self)},
+ {chain=self:target(), target='CONNMARK --save-mark'}}
 end
 
 
@@ -53,7 +53,8 @@ function defrules.pre(config)
 {family=family,
 table='mangle',
 chain=chain,
- opts='-m connmark ! --mark 0 -j CONNMARK --restore-mark'})
+ opts='-m connmark ! --mark 0',
+ target='CONNMARK --restore-mark'})
 end
 end
 end
diff --git a/awall/modules/masquerade.lua b/awall/modules/masquerade.lua
index 2ca8d47..e6b8c71 100644
--- a/awall/modules/masquerade.lua
+++ b/awall/modules/masquerade.lua
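Review bot: The LOG-before-terminal-target order inside the logdrop, logreject and tarpit chains is now carried only by the element order of the second argument to `combinations` (`{limitedlog, {target=...}}` and `{limitedlog, {opts='-p tcp', target='TARPIT'}, {target='DROP'}}`), and nothing in the code says that swapping the elements would silently stop logging or send every packet to DROP before TARPIT sees it; this also relies on combinations preserving the order of its inputs, which is not visible here. A comment above `local limitedlog`, such as `-- order matters: the rate-limited LOG rule must precede the terminating target in each action chain`, preserves that intent. `util.extend` is called here although this file's import hunk only shows `combinations` being aliased; if `util` is not bound to `awall.util` in the header, which is outside the hunk, the module fails at load time, so that binding is worth confirming.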
@@ -10,7 +10,9 @@ module(..., package.seeall)
 
 -- TODO configuration of the ipset via JSON config
 defrules = {['post-snat']={{family='inet', table='nat', chain='POSTROUTING',
- opts='-m set --match-set awall-masquerade src -j awall-masquerade'},
+ opts='-m set --match-set awall-masquerade src',
+ target='awall-masquerade'},
 {family='inet', table='nat', chain='awall-masquerade',
- opts='-m set ! --match-set awall-masquerade dst -j MASQUERADE'}}}
+ opts='-m set ! --match-set awall-masquerade dst',
+ target='MASQUERADE'}}}
 
diff --git a/awall/optfrag.lua b/awall/optfrag.lua
index 2b3dea4..97d8cc8 100644
--- a/awall/optfrag.lua
+++ b/awall/optfrag.lua
@@ -46,3 +46,5 @@ function combinations(of1, of2)
 
 return res
 end
+
+function location(of) return of.family..'/'..of.table..'/'..of.chain end
-- cgit v1.2.3
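Review bot: `location` is undocumented and fails with a bare "attempt to concatenate a nil value" when a fragment lacks `family`, `table` or `chain`, which is easy to hit because the fragments passed to it in init.lua and model.lua are assembled incrementally from partial option fragments. A doc comment, `-- Location key (family/table/chain) of a fully resolved option fragment; all three fields must be set`, states the precondition, and an explicit check ahead of the concatenation, `assert(of.family and of.table and of.chain, 'incomplete option fragment')`, turns the failure into a message that names the cause.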