1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
|
--[[
Alpine Wall main module
Copyright (C) 2012 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--
module(..., package.seeall)
require 'lfs'
require 'stringy'
require 'awall.ipset'
require 'awall.iptables'
require 'awall.model'
require 'awall.object'
require 'awall.policy'
require 'awall.util'
local procorder
local defrules
function loadmodules(path)
classmap = {}
procorder = {}
defrules = {}
local function readmetadata(mod)
for i, clsdef in ipairs(mod.classes or {}) do
local path, cls = unpack(clsdef)
classmap[path] = cls
table.insert(procorder, path)
end
for phase, rules in pairs(mod.defrules or {}) do
if not defrules[phase] then defrules[phase] = {} end
table.insert(defrules[phase], rules)
end
end
readmetadata(model)
local cdir = lfs.currentdir()
if path then lfs.chdir(path) end
for modfile in lfs.dir((path or '/usr/share/lua/5.1')..'/awall/modules') do
if stringy.endswith(modfile, '.lua') then
local name = 'awall.modules.'..string.sub(modfile, 1, -5)
require(name)
readmetadata(package.loaded[name])
end
end
lfs.chdir(cdir)
end
PolicySet = policy.PolicySet
Config = object.class(object.Object)
function Config:init(policyconfig)
self.objects = policyconfig:expand()
self.iptables = iptables.IPTables.new()
local function morph(path, cls)
local objs = self.objects[path]
if objs then
for k, v in pairs(objs) do
objs[k] = cls.morph(v,
self,
path..' '..k..' ('..policyconfig.source[path][k]..')')
end
end
end
local function insertrules(trules)
for i, trule in ipairs(trules) do
local t = self.iptables.config[trule.family][trule.table][trule.chain]
if trule.position == 'prepend' then
table.insert(t, 1, trule.opts)
else
table.insert(t, trule.opts)
end
end
end
local function insertdefrules(phase)
for i, rulegroup in ipairs(defrules[phase] or {}) do
if type(rulegroup) == 'function' then
insertrules(rulegroup(self.objects))
else insertrules(rulegroup) end
end
end
for i, path in ipairs(procorder) do morph(path, classmap[path]) end
insertdefrules('pre')
for i, path in ipairs(procorder) do
if self.objects[path] then
for i, rule in ipairs(self.objects[path]) do
insertrules(rule:trules())
end
end
insertdefrules('post-'..path)
end
morph('ipset', awall.model.ConfigObject)
self.ipset = ipset.IPSet.new(self.objects.ipset)
end
function Config:print()
self.ipset:print()
print()
self.iptables:print()
end
function Config:dump(iptdir, ipsfile)
self.ipset:dump(ipsfile or '/etc/ipset.d/awall')
self.iptables:dump(iptdir or '/etc/iptables')
end
function Config:test()
self.ipset:create()
self.iptables:test()
end
function Config:activate()
self:test()
self.iptables:activate()
end
|
