--[[
Filter module for Alpine Wall
Copyright (C) 2012-2016 Kaarle Ritvanen
See LICENSE file for license details
]]--


local loadclass = require('awall').loadclass
local resolve = require('awall.host')

local model = require('awall.model')
local class = model.class
local Rule = model.Rule

local combinations = require('awall.optfrag').combinations

local util = require('awall.util')
local contains = util.contains
local extend = util.extend
local listpairs = util.listpairs


-- Largest hit count the iptables "recent" match is asked to track; past this
-- FilterLimit:recentofrags() returns nil and the caller falls back to
-- limitofrags(). NOTE(review): presumably mirrors the xt_recent module's
-- default ip_pkt_list_tot (20) — confirm before raising it.
local RECENT_MAX_COUNT = 20

-- Rate limit that can additionally be expressed with "-m recent" fragments.
local FilterLimit = class(model.Limit)

--- Build "-m recent" option fragments for this limit.
-- Returns nil when the limit cannot be expressed with the recent match
-- (count above RECENT_MAX_COUNT even after conversion to an integer rate, or
-- an address mask mode that is not an {attr, len} pair); the caller then
-- falls back to limitofrags().
-- @tparam string name name of the recent list, shared by both fragment lists
-- @treturn table update fragments ("--update --hitcount N --seconds S"), one
--   per address family, to be given a target by the caller
-- @treturn table set fragments ("--set"), one per address family
function FilterLimit:recentofrags(name)
   local hits = self.count
   local seconds = self.interval

   -- A count above what the recent match can track is first normalised to
   -- hits per second; if it is still too large the recent match is unusable.
   if hits > RECENT_MAX_COUNT then
      hits = self:intrate()
      seconds = 1
   end
   if hits > RECENT_MAX_COUNT then return end

   -- Dotted-quad netmask for an IPv4 prefix length.
   local function inet_mask(len)
      local res = ''
      for i = 0, 3 do
         local octet
         if len <= i * 8 then
            octet = 0
         elseif len > i * 8 + 7 then
            octet = 255
         else
            -- NOTE(review): 2^n is a float; on Lua 5.3+ a plain concatenation
            -- would render it as "240.0" unless util.join formats integers —
            -- confirm against the target Lua version
            octet = 256 - 2^(8 - len % 8)
         end
         res = util.join(res, '.', octet)
      end
      return res
   end

   -- Hex netmask for an IPv6 prefix length, written one nibble at a time and
   -- abbreviated with '::' when shorter than the full 39-character form.
   local function inet6_mask(len)
      local res = ''
      while len > 0 do
         if #res % 5 == 4 then res = res..':' end
         res = res..('%x'):format(16 - 2^math.max(0, 4 - len))
         len = len - 4
      end
      while #res % 5 < 4 do res = res..'0' end
      if #res < 39 then res = res..'::' end
      return res
   end

   local update_ofrags, set_ofrags = {}, {}
   local ATTR_WORD = {src='source', dest='dest'}

   for _, family in ipairs{'inet', 'inet6'} do
      local mode = self.mask[family].mode
      if type(mode) ~= 'table' then return end
      local attr, len = table.unpack(mode)

      local mask = ''
      if family == 'inet' then
         mask = inet_mask(len)
      elseif family == 'inet6' then
         mask = inet6_mask(len)
      end

      local recent = {
         {
            family=family,
            opts='-m recent --name '..name..' --r'..ATTR_WORD[attr]..
               ' --mask '..mask
         }
      }

      -- NOTE(review): hits/seconds are concatenated as-is; a float rate from
      -- intrate() would appear as "20.0" on Lua 5.3+ — confirm
      extend(
         update_ofrags,
         combinations(
            recent,
            {{opts='--update --hitcount '..hits..' --seconds '..seconds}}
         )
      )
      extend(set_ofrags, combinations(recent, {{opts='--set'}}))
   end

   return update_ofrags, set_ofrags
end


-- Rule that understands the 'dnat' option (a string is shorthand for {addr=...}).
local TranslatingRule = class(Rule)

--- Normalise the 'dnat' option so later code can rely on it being a table.
-- A bare string is shorthand for {addr=<string>} (no port translation).
function TranslatingRule:init(...)
   TranslatingRule.super(self):init(...)
   local dnat = self.dnat
   if type(dnat) == 'string' then
      self.dnat = {addr=dnat}
   end
end

--- Destination option fragments, adjusted for DNAT.
-- Without 'dnat' the inherited fragments are returned untouched. With it, the
-- inherited fragments are restricted to IPv6 and a single IPv4 fragment
-- built from dnat.addr (the 'out' direction of a Zone for that address) is
-- appended — presumably because that is the destination seen after
-- translation. Asserts that the zone yields exactly one fragment.
function TranslatingRule:destoptfrags()
   local inherited = TranslatingRule.super(self):destoptfrags()
   local dnat = self.dnat
   if not dnat then return inherited end

   local res = combinations(inherited, {{family='inet6'}})
   local zone = self:create(model.Zone, {addr=dnat.addr})
   local translated = zone:optfrags(self:direction('out'))
   assert(#translated == 1)
   res[#res + 1] = translated[1]
   return res
end

--- Service option fragments, adjusted for DNAT port translation.
-- Without dnat.port the inherited fragments are returned as is. With it, the
-- inherited fragments are restricted to IPv6 and, for every non-IPv6
-- protocol named by the rule's services, an IPv4 fragment matching the
-- translated port is generated instead. Port translation only makes sense
-- for tcp and udp; any other protocol is reported with self:error().
-- The IPv4 fragments come out in pairs() order, i.e. unordered.
function TranslatingRule:servoptfrags()
   local inherited = TranslatingRule.super(self):servoptfrags()
   local dnat = self.dnat
   if not (dnat and dnat.port) then return inherited end

   local res = combinations(inherited, {{family='inet6'}})

   local seen = {}
   for _, serv in listpairs(self.service) do
      for _, sdef in listpairs(serv) do
         if sdef.family ~= 'inet6' then
            local proto = sdef.proto
            if not contains({'tcp', 'udp'}, proto) then
               self:error('Cannot do port translation for '..proto)
            end
            seen[proto] = true
         end
      end
   end

   for proto in pairs(seen) do
      local port_rule = self:create(
         model.Rule, {service={proto=proto, port=dnat.port}}
      )
      extend(
         res,
         combinations(port_rule:servoptfrags(), {{family='inet'}})
      )
   end

   return res
end


-- Rule with an 'action' (default 'accept') and an optional per-rule log chain.
local LoggingRule = class(TranslatingRule)

--- Apply logging-rule defaults: 'action' defaults to 'accept' and 'log' is
-- resolved to a log object unless it already is a table. The third argument
-- to the log class's get() is true for non-accept actions — presumably a
-- "log by default" flag (confirm in awall.log).
function LoggingRule:init(...)
   LoggingRule.super(self):init(...)
   util.setdefault(self, 'action', 'accept')

   local log = self.log
   if type(log) ~= 'table' then
      local default_on = self.action ~= 'accept'
      self.log = loadclass('log').get(self, log, default_on)
   end
end

--- Target reached after logging (if any); a plain logging rule accepts.
function LoggingRule:actiontarget()
   return 'ACCEPT'
end

--- Jump target of the rule: the per-rule log chain when logging is enabled,
-- otherwise the action target directly.
function LoggingRule:target()
   if not self.log then return self:actiontarget() end
   return self:uniqueid('log'..self.action)
end

--- Build a chain that logs with 'log' and then jumps to 'target'.
-- @param log log object, or nil/false when nothing is to be logged
-- @tparam string action suffix for the chain name, e.g. 'drop'
-- @tparam string target final target of the chain
-- @treturn table option fragments making up the chain; empty without a log
-- @treturn string chain to jump to: the new log chain, or target itself
--   when there is nothing to log
function LoggingRule:logchain(log, action, target)
   if not log then return {}, target end

   local chain = self:uniqueid('log'..action)
   local body = log:optfrags()
   body[#body + 1] = {target=target}
   local res = combinations({{chain=chain}}, body)
   return res, chain
end

--- Extra fragments: the log chain (if any) ending in the action target.
function LoggingRule:extraoptfrags()
   local target = self:actiontarget()
   return self:logchain(self.log, self.action, target)
end


-- Rule accepting RELATED connections of services that declare a conntrack helper.
local RelatedRule = class(TranslatingRule)

--- Fragments matching RELATED connections handled by a conntrack helper.
-- One fragment per distinct 'ct-helper' named by the rule's services
-- (keyed by helper name, so duplicates collapse); definitions without a
-- helper contribute nothing. Output order depends on util.values and is
-- presumably unspecified.
function RelatedRule:servoptfrags()
   local by_helper = {}
   for _, serv in listpairs(self.service) do
      for _, sdef in listpairs(serv) do
         local helper = sdef['ct-helper']
         if helper then
            local opts =
               '-m conntrack --ctstate RELATED -m helper --helper '..helper
            by_helper[helper] = {family=sdef.family, opts=opts}
         end
      end
   end
   return util.values(by_helper)
end

--- RELATED traffic matched by its helper is always accepted.
function RelatedRule:target()
   return 'ACCEPT'
end

-- The 'filter' rule class: logging rule with actions, limits, DNAT and no-track.
local Filter = class(LoggingRule)

--- Validate and normalise a filter rule.
-- Legacy 'logdrop'/'logreject' actions (Alpine v2.4) are mapped to
-- 'drop'/'reject' with a warning. When a limit ('conn-limit' or
-- 'flow-limit') is set, a scalar value is expanded to {count=<value>} and
-- its 'log' option is resolved through loadclass('log').get(..., true) —
-- the true presumably meaning "log by default" (confirm in awall.log).
-- A connection limit on a no-track rule is rejected, as it needs conntrack.
function Filter:init(...)
   Filter.super(self):init(...)

   -- alpine v2.4 compatibility: strip the 'log' prefix from the action
   local action = self.action
   if contains({'logdrop', 'logreject'}, action) then
      self:warning('Deprecated action: '..action)
      self.action = action:sub(4, -1)
   end

   local limit = self:limit()
   if not limit then return end

   if limit == 'conn-limit' and self['no-track'] then
      self:error('Tracking required with connection limit')
   end

   local spec = self[limit]
   if type(spec) ~= 'table' then
      spec = {count=spec}
      self[limit] = spec
   end
   spec.log = loadclass('log').get(self, spec.log, true)
end

--- Auxiliary rules generated alongside a filter rule.
-- Depending on the options these are: a DNAT rule (its target must resolve
-- to exactly one IPv4 address and be a host, not a network), a no-track rule
-- for tarpit or no-track rules, a final LoggingRule for prepended accept
-- rules, RELATED rules for conntrack helpers, and reply rules for untracked
-- accept rules. Option combinations that cannot be expressed are reported
-- with self:error().
-- @treturn table list of generated rules
function Filter:extratrules()
   local res = {}

   -- Generate rules of class 'cls' derived from this rule (always carrying
   -- the 'dnat' attribute) and collect them into res.
   local function add(label, cls, options)
      local opts = options or {}
      opts.attrs = 'dnat'
      extend(res, self:extrarules(label, cls, opts))
   end

   -- Check that 'dnat' is compatible with the other options and return the
   -- single IPv4 address it resolves to.
   local function dnat_target()
      local dnat = self.dnat
      if self.action ~= 'accept' then
         self:error('dnat option not allowed with '..self.action..' action')
      end
      if self['no-track'] then
         self:error('dnat option not allowed with no-track')
      end
      if self.ipset then
         self:error('dnat and ipset options cannot be used simultaneously')
      end
      if dnat.addr:find('/') then
         self:error('DNAT target cannot be a network address')
      end

      local inet_addr
      for _, addr in ipairs(resolve(dnat.addr, self)) do
         if addr[1] == 'inet' then
            if inet_addr then
               self:error(dnat.addr..' resolves to multiple IPv4 addresses')
            end
            inet_addr = addr[2]
         end
      end
      if not inet_addr then
         self:error(dnat.addr..' does not resolve to any IPv4 address')
      end
      return inet_addr
   end

   if self.dnat then
      local inet_addr = dnat_target()
      add(
         'dnat',
         'dnat',
         {
            update={['to-addr']=inet_addr, ['to-port']=self.dnat.port},
            discard='out'
         }
      )
   end

   if self.action == 'tarpit' or self['no-track'] then
      add('no-track', 'no-track')
   end

   if self.action ~= 'accept' then return res end

   if self:position() == 'prepend' then
      add('final', LoggingRule, {update={log=self.log}})
   end

   local before_related = #res

   local related = self.related
   if related then
      for i, rule in listpairs(related) do
         add(
            'related',
            RelatedRule,
            {index=i, src=rule, update={service=self.service}}
         )
      end
   else
      -- TODO avoid creating unnecessary RELATED rules by introducing
      -- helper direction attributes to service definitions
      add('related', RelatedRule)
      add('related-reply', RelatedRule, {update={reverse=true}})
   end

   if self['no-track'] then
      -- RELATED rules depend on conntrack, so any produced above are fatal
      if #res > before_related then
         self:error('Tracking required by service')
      end
      add('no-track-reply', 'no-track', {update={reverse=true}})
      add('reply', 'filter', {update={reverse=true}})
   end

   return res
end

--- Name of the limit option in use ('conn-limit' or 'flow-limit'), or nil.
-- Setting both on one rule is reported with self:error().
function Filter:limit()
   local found
   for _, name in ipairs{'conn-limit', 'flow-limit'} do
      if self[name] then
         if found then
            self:error('Cannot specify multiple limits for a single filter rule')
         end
         found = name
      end
   end
   return found
end

--- Where the rule goes in its chain: tracked rules with a flow limit are
-- prepended (presumably so the limit is evaluated before other rules);
-- everything else is appended.
function Filter:position()
   if self['no-track'] then return 'append' end
   if self:limit() == 'flow-limit' then return 'prepend' end
   return 'append'
end

--- iptables target for the rule's action.
-- 'tarpit' maps to the tarpit chain defined in this module's achains;
-- accept/drop/reject map to the built-in targets. Anything else is reported
-- with self:error().
function Filter:actiontarget()
   local action = self.action
   if action == 'tarpit' then return 'tarpit' end
   if contains({'accept', 'drop', 'reject'}, action) then
      return action:upper()
   end
   self:error('Invalid filter action: '..action)
end

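--- Jump target of the rule: the per-rule limit chain when a limit is set,
-- otherwise the inherited target (log chain or action target).
function Filter:target()
   if self:limit() then return self:uniqueid('limit') end
   -- Method-call syntax for consistency with every other super() call in
   -- this file; the super proxy appears to bind self itself, so the dot
   -- form worked too but read like a missing receiver.
   return Filter.super(self):target()
end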

--- Extra fragments for a limited rule: the contents of its limit chain.
-- Without a limit the inherited behaviour (log chain) applies. Limits are
-- only allowed on 'accept' rules. Two layouts exist:
--  * recent match, when recentofrags() can express the limit: an --update
--    rule with the hit count jumping to DROP (via a log chain if the limit
--    has one); for appended rules the rule's own log fragments; then a --set
--    rule that accepts (appended) or has no target (prepended);
--  * otherwise the inherited limitofrags() match (presumably from
--    model.Limit) jumping to ACCEPT (appended, via a log chain if the rule
--    logs) or RETURN (prepended), then the limit's log fragments and a
--    final DROP for traffic over the limit.
-- @treturn table option fragments, including those of any log chain
function Filter:extraoptfrags()
   local limit = self:limit()
   if not limit then return Filter.super(self):extraoptfrags() end

   if self.action ~= 'accept' then
      self:error('Cannot specify limit for '..self.action..' filter')
   end

   local chain = self:uniqueid('limit')
   local limit_spec = self[limit]
   local limit_log = limit_spec.log
   local limit_obj = self:create(FilterLimit, limit_spec, 'limit')
   -- an appended rule decides the fate of its traffic; a prepended one only
   -- enforces the limit and returns to the chain
   local terminal = self:position() == 'append'

   local res = {}
   local body, log_target

   local update_ofrags, set_ofrags = limit_obj:recentofrags(chain)
   if update_ofrags then
      res, log_target = self:logchain(limit_log, 'drop', 'DROP')
      body = combinations(update_ofrags, {{target=log_target}})
      if terminal and self.log then
         extend(body, self.log:optfrags())
      end
      local set_target = nil
      if terminal then set_target = 'ACCEPT' end
      extend(body, combinations(set_ofrags, {{target=set_target}}))
   else
      if terminal then
         res, log_target = self:logchain(self.log, 'accept', 'ACCEPT')
      else
         log_target = 'RETURN'
      end
      body = combinations(
         limit_obj:limitofrags(chain), {{target=log_target}}
      )
      if limit_log then extend(body, limit_log:optfrags()) end
      body[#body + 1] = {target='DROP'}
   end

   extend(res, combinations({{chain=chain}}, body))
   return res
end


--- Policy rule: a Filter with no service match, so it presumably applies to
-- all traffic between its zones.
local Policy = class(Filter)

-- NOTE(review): returns nil rather than an empty list; the distinction is
-- interpreted by the Rule base class — confirm there before changing it.
function Policy:servoptfrags()
   return nil
end


-- The three filter-table chains the stateful and ICMP rules are installed in.
local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}}

--- Rules emitted before every filter rule set: accept ESTABLISHED and
-- loopback traffic in the filter table, and assign conntrack helpers (raw
-- table "CT --helper" target) for services that declare a 'ct-helper'.
-- @tparam table config whole awall configuration; only config.filter is read
-- @treturn table option fragments for both address families
local function stateful(config)
   local res = {}

   -- ESTABLISHED on all three chains plus loopback on INPUT (-i lo) and
   -- OUTPUT (-o lo), all accepted in the filter table.
   local function established(family)
      local frags = combinations(
         fchains, {{opts='-m conntrack --ctstate ESTABLISHED'}}
      )
      for _, chain in ipairs{'INPUT', 'OUTPUT'} do
         local flag = '-'..chain:sub(1, 1):lower()
         frags[#frags + 1] = {chain=chain, opts=flag..' lo'}
      end
      return combinations(
         frags, {{family=family, table='filter', target='ACCEPT'}}
      )
   end

   -- One "CT --helper" fragment per service definition with a 'ct-helper',
   -- visiting each service table once even when several rules share it.
   -- TODO avoid creating unnecessary CT rules by inspecting the
   -- filter rules' target families and chains
   local function helper_frags(family)
      local visited = {}
      local frags = {}
      for _, rule in listpairs(config.filter) do
         for _, serv in listpairs(rule.service) do
            if not visited[serv] then
               for _, sdef in listpairs(serv) do
                  local helper = sdef['ct-helper']
                  if helper then
                     local matched = combinations(
                        Rule.morph{service={sdef}}:servoptfrags(),
                        {{family=family}}
                     )
                     local frag = matched[1]
                     if frag then
                        assert(#matched == 1)
                        frag.target = 'CT --helper '..helper
                        frags[#frags + 1] = frag
                     end
                  end
               end
               visited[serv] = true
            end
         end
      end
      return combinations(
         {{table='raw'}}, {{chain='PREROUTING'}, {chain='OUTPUT'}}, frags
      )
   end

   for _, family in ipairs{'inet', 'inet6'} do
      extend(res, established(family))
      extend(res, helper_frags(family))
   end

   return res
end

-- Protocol matches for ICMP and ICMPv6 in the filter table.
local icmp = {{family='inet', table='filter', opts='-p icmp'}}
local icmp6 = {{family='inet6', table='filter', opts='-p icmpv6'}}
-- Rules appended after the filter rules: ICMPv6 to and from the host is
-- accepted without type filtering (presumably because IPv6 neighbour
-- discovery depends on it), while forwarded ICMPv6 and all ICMPv4 are
-- sent to the icmp-routing chain, which only accepts selected message types.
local ir = combinations(
   icmp6,
   {{chain='INPUT'}, {chain='OUTPUT'}},
   {{target='ACCEPT'}}
)
extend(ir, combinations(icmp6, {{chain='FORWARD', target='icmp-routing'}}))
extend(ir, combinations(icmp, fchains, {{target='icmp-routing'}}))

--- Append ACCEPT rules to the icmp-routing chain for the given message types.
-- @tparam table ofrag base fragment list (icmp or icmp6)
-- @tparam string oname iptables option naming the type ('icmp-type' or
--   'icmpv6-type')
-- @tparam table types list of numeric message types to allow
local function icmprules(ofrag, oname, types)
   local accept = {{chain='icmp-routing', target='ACCEPT'}}
   local by_type = util.map(
      types,
      function(t) return {opts='--'..oname..' '..t} end
   )
   extend(ir, combinations(ofrag, accept, by_type))
end

-- Only the ICMP error messages needed for connectivity are routed:
-- destination unreachable (3), time exceeded (11) and parameter problem (12)
-- for ICMPv4; destination unreachable (1), packet too big (2), time exceeded
-- (3) and parameter problem (4) for ICMPv6. Other types, e.g. echo, are not
-- accepted by this chain.
icmprules(icmp, 'icmp-type', {3, 11, 12})
icmprules(icmp6, 'icmpv6-type', {1, 2, 3, 4})

return {
   export={
      -- rule classes and their ordering relative to other rule sets:
      -- filter rules precede dnat/no-track rules, policies come last
      filter={class=Filter, before={'dnat', 'no-track'}},
      policy={class=Policy, after='%filter-after'},
      -- static rule sets bracketing the filter rules: stateful acceptance
      -- before them, ICMP handling after them
      ['%filter-before']={rules=stateful, before='filter'},
      ['%filter-after']={rules=ir, after='filter'}
   },
   -- tarpit chain: TCP is handed to the TARPIT target, everything else dropped
   achains=combinations(
      {{chain='tarpit'}}, {{opts='-p tcp', target='TARPIT'}, {target='DROP'}}
   )
}