--[[
Filter module for Alpine Wall
Copyright (C) 2012 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--


-- Lua 5.1 module idiom: every non-local name defined below (Log, classes,
-- defrules, achains) becomes a field of this module's table (presumably
-- 'awall.filter', from the require name passed in via `...`), and
-- package.seeall lets the body resolve globals such as `awall` and `string`.
module(..., package.seeall)

require 'awall'
require 'awall.host'
require 'awall.model'
require 'awall.object'
require 'awall.optfrag'
require 'awall.util'

local model = awall.model
local combinations = awall.optfrag.combinations
local extend = awall.util.extend


-- Log object: describes how a filter rule's matches are logged. Filter
-- rules reference these by name through the configuration's 'log' table.
Log = awall.object.class(awall.object.Object)

-- Optional rate limit for the log rule, as an iptables `-m limit` match;
-- returns the (falsy) limit value itself when none is configured.
-- NOTE(review): 'limit' is interpolated verbatim; a non-numeric value would
-- produce a rule that iptables rejects at load time.
function Log:matchopts()
   if not self.limit then return self.limit end
   return '-m limit --limit '..self.limit..'/second'
end

-- iptables target used for logging: the configured 'mode' upper-cased,
-- LOG when no mode is given.
-- NOTE(review): 'mode' goes into the rule as-is; whether it is validated
-- against the supported logging targets is not visible in this file.
function Log:target()
   local mode = self.mode or 'log'
   return string.upper(mode)
end


-- Filter rule: a model.Rule extended with logging, DNAT and rate-limit
-- handling. Exported to the configuration loader through the 'classes'
-- table at the end of this file.
local Filter = model.class(model.Rule)

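-- Construct a filter rule: run the generic Rule constructor, translate the
-- deprecated log* actions, and resolve the rule's (and its limit's) log
-- option to a Log object. Configuration problems are reported through
-- self:error, which presumably raises.
function Filter:init(...)
   -- Forward the constructor arguments verbatim. `...` replaces the Lua 5.0
   -- `arg` table, which only exists in 5.1 with compatibility enabled and
   -- is gone in 5.2+.
   model.Rule.init(self, ...)

   -- alpine v2.4 compatibility: 'logdrop'/'logreject' become 'drop'/'reject';
   -- logging is then switched on by the non-accept default below.
   -- This file never defines a `util` alias, so the helper is reached via
   -- the awall.util table required above.
   if awall.util.contains({'logdrop', 'logreject'}, self.action) then
      self:warning('Deprecated action: '..self.action)
      self.action = string.sub(self.action, 4, -1)
   end

   -- Resolve a log option: nil -> `default`, false -> no logging,
   -- true -> the '_default' log object, any other value -> the log object
   -- of that name. An unknown name (or a configuration with no log objects
   -- at all) is reported as an invalid log rather than as a nil index.
   local function log(spec, default)
      if spec == nil then spec = default end
      if spec == false then return end
      if spec == true then spec = '_default' end
      local logs = self.root.log or {}
      return logs[spec] or self:error('Invalid log: '..spec)
   end

   -- Rules that do not accept are logged by default; accept rules only on
   -- explicit request.
   self.log = log(self.log, self.action ~= 'accept')
   -- A conn-limit/flow-limit carries its own log setting, on by default.
   local limit = self:limit()
   if limit then self[limit].log = log(self[limit].log, true) end
end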

-- Destination option fragments for this rule. Without DNAT these are the
-- plain Rule fragments. With DNAT, the configured destination is kept only
-- for the IPv6 fragments (narrowed via combinations); for IPv4 the filter
-- table sees the packet after translation, so a fragment matching the DNAT
-- address itself is appended instead.
function Filter:destoptfrags()
   local frags = model.Rule.destoptfrags(self)
   if not self.dnat then return frags end

   frags = combinations(frags, {{family='inet6'}})
   local dnatzone = self:create(model.Zone, {addr=self.dnat})
   local dnatfrags = dnatzone:optfrags('out')
   -- A single-host DNAT target (trules rejects network addresses) is
   -- expected to yield exactly one fragment.
   assert(#dnatfrags == 1)
   frags[#frags + 1] = dnatfrags[1]
   return frags
end

-- Generate the iptables rules for this filter rule: the auxiliary nat/raw
-- rules implied by the 'dnat' option and the 'tarpit' action, followed by
-- the rule's own filter rules. Configuration errors go through self:error,
-- which presumably raises.
function Filter:trules()
   local rules = {}

   -- Instantiate a helper rule class that shares this rule's match
   -- attributes (optionally overriding some) and append its rules.
   local function addrules(cls, overrides)
      local attrs = {}
      local shared = {'in', 'out', 'src', 'dest', 'ipset', 'ipsec', 'service'}
      for _, name in ipairs(shared) do attrs[name] = self[name] end
      if overrides then
         for name, value in pairs(overrides) do attrs[name] = value end
      end
      return extend(rules, self:create(cls, attrs):trules())
   end

   if self.dnat then
      -- DNAT only makes sense for traffic that is subsequently accepted.
      if self.action ~= 'accept' then
         self:error('dnat option not allowed with '..self.action..' action')
      end
      if not self.dest then
         self:error('Destination address must be specified with DNAT')
      end
      -- '/' is not a pattern magic character, so a plain find is safe.
      if string.find(self.dnat, '/') then
         self:error('DNAT target cannot be a network address')
      end
      for _, name in ipairs({'ipsec', 'ipset'}) do
         if self[name] then
            self:error('dnat and '..name..' options cannot be used simultaneously')
         end
      end

      -- The DNAT target must resolve to exactly one IPv4 address.
      local target
      for _, addr in ipairs(awall.host.resolve(self.dnat, self)) do
         if addr[1] == 'inet' then
            if target then
               self:error(self.dnat..' resolves to multiple IPv4 addresses')
            end
            target = addr[2]
         end
      end
      if not target then
         self:error(self.dnat..' does not resolve to any IPv4 address')
      end

      -- NOTE(review): `out=nil` inside a table constructor creates no key,
      -- so pairs() never sees it and 'out' is still copied from this rule
      -- above. If the dnat rule ends up in nat PREROUTING, iptables rejects
      -- an -o match there; verify that the dnat class drops 'out' itself.
      addrules('dnat', {['ip-range']=target, out=nil})
   end

   -- Tarpitted connections are excluded from connection tracking.
   if self.action == 'tarpit' then addrules('no-track') end

   extend(rules, model.Rule.trules(self))
   return rules
end

-- Name of the limit option set on this rule ('conn-limit' or 'flow-limit'),
-- or nil when neither is set. Setting both is a configuration error.
function Filter:limit()
   local found
   for _, key in ipairs({'conn-limit', 'flow-limit'}) do
      if self[key] then
         if found then
            self:error('Cannot specify multiple limits for a single filter rule')
         end
         found = key
      end
   end
   return found
end

-- Where the rule is inserted into its chain: flow-limited rules are
-- prepended, all other rules appended.
function Filter:position()
   if self:limit() == 'flow-limit' then
      return 'prepend'
   end
   return 'append'
end

-- Jump target of the rule's filter entry: a per-rule 'limit' chain when a
-- limit is configured, a per-rule 'log<action>' chain when logging is on,
-- otherwise the plain Rule target (the action itself).
function Filter:target()
   local limited = self:limit()
   if limited then
      return self:newchain('limit')
   elseif self.log then
      return self:newchain('log'..self.action)
   else
      return model.Rule.target(self)
   end
end

-- Option fragments for the auxiliary chains this rule needs:
--   * 'limit' chain (only for accept rules): `-m recent --name <chain>`;
--     first rule drops (or logs then drops) a source that exceeded
--     `count` hits in `interval` seconds, second rule records the hit
--     (`--set`) and accepts (or jumps to the log chain).
--   * 'log<action>' chain: log rule (with the Log's rate limit, if any)
--     followed by the real target.
-- NOTE(review): xt_recent refuses `--hitcount` values above its
-- ip_pkt_list_tot module parameter (default 20); large `count` values
-- would make the rule fail to load rather than be enforced.
function Filter:extraoptfrags()
   local frags = {}

   -- Emit the two rules of a log<action> chain: log first, then `target`.
   local function logchain(action, log, target)
      local chainfrag = {{chain=self:newchain('log'..action)}}
      local steps = {
         {opts=log:matchopts(), target=log:target()},
         {target=target}
      }
      extend(frags, combinations(chainfrag, steps))
   end

   local limit = self:limit()
   if limit then
      if self.action ~= 'accept' then
         self:error('Cannot specify limit for '..self.action..' filter')
      end

      local chain = self:newchain('limit')
      local spec = self[limit]
      local limitlog = spec.log

      local overlimit = {
         opts='--update --hitcount '..spec.count..' --seconds '..spec.interval,
         target=limitlog and self:newchain('logdrop') or 'DROP'
      }
      local underlimit = {
         opts='--set',
         target=self.log and self:newchain('log'..self.action) or 'ACCEPT'
      }
      extend(frags,
             combinations({{chain=chain, opts='-m recent --name '..chain}},
                          {overlimit, underlimit}))

      if limitlog then logchain('drop', limitlog, 'DROP') end
   end

   if self.log then logchain(self.action, self.log, model.Rule.target(self)) end

   return frags
end



-- Policy: a Filter rule that contributes no service option fragments, i.e.
-- it matches regardless of protocol/port.
local Policy = model.class(Filter)

function Policy:servoptfrags()
   return nil
end


-- Object classes exported to the configuration loader, paired with the
-- configuration section each one is instantiated from (order preserved).
classes = {
   {'log', Log},
   {'filter', Filter},
   {'policy', Policy}
}
-- Rules emitted regardless of configuration, keyed by the phase they are
-- installed in ('pre' here, 'post-filter' below).
defrules = {}

local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}}

-- Accept packets belonging to tracked connections (RELATED includes
-- ICMP errors and helper-expected connections) in all three filter chains,
-- plus every loopback packet on INPUT/OUTPUT, for both address families.
-- Presumably installed ahead of the configured rules, so those only ever
-- see connection-opening packets.
local dar = combinations(fchains,
                         {{opts='-m state --state RELATED,ESTABLISHED'}})
for _, lo in ipairs({{'INPUT', '-i lo'}, {'OUTPUT', '-o lo'}}) do
   dar[#dar + 1] = {chain=lo[1], opts=lo[2]}
end
defrules.pre = combinations(dar,
                            {{table='filter', target='ACCEPT'}},
                            {{family='inet'}, {family='inet6'}})
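-- ICMP handling installed after the configured filter rules ('post-filter').
local icmp = {{family='inet', table='filter', opts='-p icmp'}}
local icmp6 = {{family='inet6', table='filter', opts='-p icmpv6'}}

-- IPv6: all ICMPv6 is accepted on INPUT/OUTPUT (neighbour discovery needs
-- it; note this also admits echo and other informational types), while
-- forwarded ICMPv6 goes through the icmp-routing chain.
defrules['post-filter'] = combinations(icmp6,
                                       {{chain='INPUT'}, {chain='OUTPUT'}},
                                       {{target='ACCEPT'}})
extend(defrules['post-filter'],
       combinations(icmp6, {{chain='FORWARD', target='icmp-routing'}}))
-- IPv4: all ICMP in every filter chain goes through icmp-routing.
extend(defrules['post-filter'],
       combinations(icmp, fchains, {{target='icmp-routing'}}))

-- Accept the given ICMP types in the icmp-routing chain; anything else
-- falls through to whatever follows that chain (not visible here).
-- This file never defines a `util` alias, so map is reached via the
-- awall.util table required above.
local function icmprules(ofrag, oname, types)
   extend(defrules['post-filter'],
          combinations(ofrag,
                       {{chain='icmp-routing', target='ACCEPT'}},
                       awall.util.map(types,
                                      function(t)
                                         return {opts='--'..oname..' '..t}
                                      end)))
end
-- IPv4: destination unreachable (3), time exceeded (11), parameter problem (12)
icmprules(icmp, 'icmp-type', {3, 11, 12})
-- IPv6: destination unreachable (1), packet too big (2, required for path
-- MTU discovery), time exceeded (3), parameter problem (4)
icmprules(icmp6, 'icmpv6-type', {1, 2, 3, 4})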
-- Chains shared by all rules: the 'tarpit' chain hands TCP to the TARPIT
-- target (provided by xtables-addons, not stock iptables; rule loading
-- fails without it) and drops everything else.
local tarpit_steps = {
   {opts='-p tcp', target='TARPIT'},
   {target='DROP'}
}
achains = combinations({{chain='tarpit'}}, tarpit_steps)