filter.lua 4.25 KB
Newer Older
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
1 2 3 4 5 6 7 8 9
--[[
Filter module for Alpine Wall
Copyright (C) 2012 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--


module(..., package.seeall)

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
10 11
require 'awall'
require 'awall.host'
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
12
require 'awall.model'
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
13 14 15
require 'awall.optfrag'
require 'awall.util'

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
16 17 18 19
local model = awall.model

local Filter = model.class(model.Rule)

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
20 21 22 23 24 25 26 27
function Filter:defaultzones()
   return self.dnat and {nil} or model.Rule.defaultzones(self)
end

function Filter:destoptfrags()
   local ofrags = model.Rule.destoptfrags(self)
   if not self.dnat then return ofrags end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
28
   ofrags = awall.optfrag.combinations(ofrags, {{family='inet6'}})
29
   local natof = self:create(model.Zone, {addr=self.dnat}):optfrags('out')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
30 31 32 33 34 35 36 37
   assert(#natof == 1)
   table.insert(ofrags, natof[1])
   return ofrags
end

function Filter:trules()
   local res = {}

38 39 40 41 42 43 44 45 46 47
   local function extrarules(cls, extra)
      local params = {}
      for i, attr in ipairs({'in', 'out', 'src', 'dest',
			     'ipset', 'ipsec', 'service'}) do
	 params[attr] = self[attr]
      end
      if extra then for k, v in pairs(extra) do params[k] = v end end
      return awall.util.extend(res, self:create(cls, params):trules())
   end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
48
   if self.dnat then
49 50 51
      if self.action ~= 'accept' then
	 self:error('dnat option not allowed with '..self.action..' action')
      end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
52
      if not self.dest then
53
	 self:error('Destination address must be specified with DNAT')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
54 55
      end
      if string.find(self.dnat, '/') then
56
	 self:error('DNAT target cannot be a network address')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
57 58 59
      end
      for i, attr in ipairs({'ipsec', 'ipset'}) do
	 if self[attr] then
60
	    self:error('dnat and '..attr..' options cannot be used simultaneously')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
61 62 63 64
	 end
      end

      local dnataddr
65
      for i, addr in ipairs(awall.host.resolve(self.dnat, self)) do
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
66 67
	 if addr[1] == 'inet' then
	    if dnataddr then
68
	       self:error(self.dnat..' resolves to multiple IPv4 addresses')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
69 70 71 72 73
	    end
	    dnataddr = addr[2]
	 end
      end
      if not dnataddr then
74
	 self:error(self.dnat..' does not resolve to any IPv4 address')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
75 76
      end

77
      extrarules('dnat', {['ip-range']=dnataddr, out=nil})
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
78 79 80 81 82 83 84
   end

   awall.util.extend(res, model.Rule.trules(self))

   return res
end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
85 86 87 88 89
function Filter:limit()
   local res
   for i, limit in ipairs({'conn-limit', 'flow-limit'}) do
      if self[limit] then
	 if res then
90
	    self:error('Cannot specify multiple limits for a single filter rule')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
91 92 93 94 95 96 97 98 99 100 101 102 103
	 end
	 res = limit
      end
   end
   return res
end

function Filter:position()
   return self:limit() == 'flow-limit' and 'prepend' or 'append'
end

function Filter:target()
   if not self:limit() then return model.Rule.target(self) end
104
   return self:newchain('limit')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
105 106 107 108 109 110 111
end

function Filter:extraoptfrags()
   local res = {}
   local limit = self:limit()
   if limit then
      if self.action ~= 'accept' then
112
	 self:error('Cannot specify limit for '..self.action..' filter')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
113 114 115
      end
      local optbase = '-m recent --name '..self:target()
      table.insert(res, {chain=self:target(),
116
			 opts=optbase..' --update --hitcount '..self[limit].count..' --seconds '..self[limit].interval..' -j logdrop'})
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
117 118 119 120 121 122 123 124 125 126 127 128 129
      table.insert(res, {chain=self:target(),
			 opts=optbase..' --set -j ACCEPT'})
   end
   return res
end



local Policy = model.class(Filter)

function Policy:servoptfrags() return nil end


130 131
classes = {{'filter', Filter},
	   {'policy', Policy}}
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
132

133 134
defrules = {pre={}, ['post-filter']={}}

135
for i, family in ipairs({'inet', 'inet6'}) do
136 137 138
   for i, target in ipairs({'drop', 'reject'}) do
      for i, opts in ipairs({'-m limit --limit 1/second -j LOG',
	    '-j '..string.upper(target)}) do
139
	 table.insert(defrules.pre,
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
140 141
		      {family=family,
		       table='filter',
142
		       chain='log'..target,
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
143 144 145
		       opts=opts})
      end
   end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
146

147
   for i, chain in ipairs({'FORWARD', 'INPUT', 'OUTPUT'}) do
148
      table.insert(defrules.pre,
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
149 150 151 152 153
		   {family=family,
		    table='filter',
		    chain=chain,
		    opts='-m state --state RELATED,ESTABLISHED -j ACCEPT'})
   end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
154 155

   for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
156
      table.insert(defrules.pre,
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
157 158 159 160 161
		   {family=family,
		    table='filter',
		    chain=chain,
		    opts='-'..string.lower(string.sub(chain, 1, 1))..' lo -j ACCEPT'})
   end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
162
end
163 164 165 166 167 168 169 170

for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
   table.insert(defrules['post-filter'],
		{family='inet6',
		 table='filter',
		 chain=chain,
		 opts='-p icmpv6 -j ACCEPT'})
end