filter.lua 6.52 KB
Newer Older
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
1
2
--[[
Filter module for Alpine Wall
3
Copyright (C) 2012-2013 Kaarle Ritvanen
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
4
See LICENSE file for license details
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
5
6
7
8
9
]]--


module(..., package.seeall)

10
11
12
local resolve = require('awall.host').resolve
local model = require('awall.model')
local combinations = require('awall.optfrag').combinations
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
13

14
15
local util = require('awall.util')
local extend = util.extend
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
16

17
18
local RECENT_MAX_COUNT = 20

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
19

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
20
21
local Filter = model.class(model.Rule)

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
22
23
24
25
26
27
28
29
30
function Filter:init(...)
   model.Rule.init(self, unpack(arg))

   -- alpine v2.4 compatibility
   if util.contains({'logdrop', 'logreject'}, self.action) then
      self:warning('Deprecated action: '..self.action)
      self.action = string.sub(self.action, 4, -1)
   end

31
32
   local log = require('awall').loadclass('log').get
   self.log = log(self, self.log, self.action ~= 'accept')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
33

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
34
   local limit = self:limit()
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
35
36
37
38
   if limit then
      if type(self[limit]) ~= 'table' then
	 self[limit] = {count=self[limit]}
      end
39
      self[limit].log = log(self, self[limit].log, true)
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
40
   end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
41
42
end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
43
44
45
46
function Filter:destoptfrags()
   local ofrags = model.Rule.destoptfrags(self)
   if not self.dnat then return ofrags end

47
   ofrags = combinations(ofrags, {{family='inet6'}})
48
   local natof = self:create(model.Zone, {addr=self.dnat}):optfrags('out')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
49
50
51
52
53
54
55
56
   assert(#natof == 1)
   table.insert(ofrags, natof[1])
   return ofrags
end

function Filter:trules()
   local res = {}

57
58
59
60
61
62
   local function extrarules(cls, extra)
      local params = {}
      for i, attr in ipairs({'in', 'out', 'src', 'dest',
			     'ipset', 'ipsec', 'service'}) do
	 params[attr] = self[attr]
      end
63
      util.update(params, extra)
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
64
      return extend(res, self:create(cls, params):trules())
65
66
   end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
67
   if self.dnat then
68
69
70
      if self.action ~= 'accept' then
	 self:error('dnat option not allowed with '..self.action..' action')
      end
71
72
73
      if self['no-track'] then
	 self:error('dnat option not allowed with no-track')
      end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
74
      if not self.dest then
75
	 self:error('Destination address must be specified with DNAT')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
76
77
      end
      if string.find(self.dnat, '/') then
78
	 self:error('DNAT target cannot be a network address')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
79
80
81
      end
      for i, attr in ipairs({'ipsec', 'ipset'}) do
	 if self[attr] then
82
	    self:error('dnat and '..attr..' options cannot be used simultaneously')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
83
84
85
86
	 end
      end

      local dnataddr
87
      for i, addr in ipairs(resolve(self.dnat, self)) do
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
88
89
	 if addr[1] == 'inet' then
	    if dnataddr then
90
	       self:error(self.dnat..' resolves to multiple IPv4 addresses')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
91
92
93
94
95
	    end
	    dnataddr = addr[2]
	 end
      end
      if not dnataddr then
96
	 self:error(self.dnat..' does not resolve to any IPv4 address')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
97
98
      end

99
      extrarules('dnat', {['to-addr']=dnataddr, out=nil})
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
100
101
   end

102
103
104
   if self.action == 'tarpit' or self['no-track'] then
      extrarules('no-track')
   end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
105

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
106
   extend(res, model.Rule.trules(self))
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
107

108
109
110
111
112
   if self['no-track'] and self.action == 'accept' then
      extrarules('no-track', {reverse=true})
      extrarules('filter', {reverse=true, action='accept', log=false})
   end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
113
114
115
   return res
end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
116
117
118
119
120
function Filter:limit()
   local res
   for i, limit in ipairs({'conn-limit', 'flow-limit'}) do
      if self[limit] then
	 if res then
121
	    self:error('Cannot specify multiple limits for a single filter rule')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
122
123
124
125
126
127
128
129
130
131
132
133
	 end
	 res = limit
      end
   end
   return res
end

function Filter:position()
   return self:limit() == 'flow-limit' and 'prepend' or 'append'
end

function Filter:target()
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
134
135
136
   if self:limit() then return self:newchain('limit') end
   if self.log then return self:newchain('log'..self.action) end
   return model.Rule.target(self)
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
137
138
139
140
end

function Filter:extraoptfrags()
   local res = {}
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
141

142
143
144
145
146
147
148
149
   local function logchain(log, action, target)
      if not log then return target end
      local chain = self:newchain('log'..action)
      extend(
	 res,
	 combinations({{chain=chain}}, {log:optfrag(), {target=target}})
      )
      return chain
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
150
151
   end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
152
153
154
   local limit = self:limit()
   if limit then
      if self.action ~= 'accept' then
155
	 self:error('Cannot specify limit for '..self.action..' filter')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
156
      end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
157

158
      local chain = self:newchain('limit')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
159
      local limitlog = self[limit].log
160
      local count = self[limit].count
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
161
      local interval = self[limit].interval or 1
162
163
164
165
166
167
168
169
170

      if count > RECENT_MAX_COUNT then
	 count = math.ceil(count / interval)
	 interval = 1
      end

      local ofrags
      if count > RECENT_MAX_COUNT then
	 ofrags = {
171
172
173
174
175
	    {
	       opts='-m limit --limit '..count..'/second',
	       target=logchain(self.log, 'accept', 'ACCEPT')
	    },
	    {target='DROP'}
176
	 }
177
	 if limitlog then table.insert(ofrags, 2, limitlog:optfrag()) end
178
179
180
181
182
183
      else
	 ofrags = combinations(
	    {{opts='-m recent --name '..chain}},
	    {
	       {
		  opts='--update --hitcount '..count..' --seconds '..interval,
184
		  target=logchain(limitlog, 'drop', 'DROP')
185
	       },
186
	       {opts='--set', target='ACCEPT'}
187
188
	    }
	 )
189
	 if self.log then table.insert(ofrags, 2, self.log:optfrag()) end
190
      end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
191

192
      extend(res, combinations({{chain=chain}}, ofrags))
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
193

194
   else logchain(self.log, self.action, model.Rule.target(self)) end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
195
   
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
196
197
198
199
200
201
202
203
204
205
   return res
end



local Policy = model.class(Filter)

function Policy:servoptfrags() return nil end


206
207
208
local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}}

local dar = combinations(fchains,
209
			 {{opts='-m conntrack --ctstate RELATED,ESTABLISHED'}})
210
211
212
213
214
for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
   table.insert(dar,
		{chain=chain,
		 opts='-'..string.lower(string.sub(chain, 1, 1))..' lo'})
end
215
216
217
218
219
dar = combinations(
   dar,
   {{table='filter', target='ACCEPT'}},
   {{family='inet'}, {family='inet6'}}
)
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
220

221
222
local icmp = {{family='inet', table='filter', opts='-p icmp'}}
local icmp6 = {{family='inet6', table='filter', opts='-p icmpv6'}}
223
224
225
226
227
228
229
local ir = combinations(
   icmp6,
   {{chain='INPUT'}, {chain='OUTPUT'}},
   {{target='ACCEPT'}}
)
extend(ir, combinations(icmp6, {{chain='FORWARD', target='icmp-routing'}}))
extend(ir, combinations(icmp, fchains, {{target='icmp-routing'}}))
230
231

local function icmprules(ofrag, oname, types)
232
233
234
235
236
237
238
239
240
   extend(
      ir,
      combinations(ofrag,
		   {{chain='icmp-routing', target='ACCEPT'}},
		   util.map(types,
			    function(t)
			       return {opts='--'..oname..' '..t}
			    end))
   )
241
242
243
end
icmprules(icmp, 'icmp-type', {3, 11, 12})
icmprules(icmp6, 'icmpv6-type', {1, 2, 3, 4})
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
244

245
246
247
248
249
250
251
export = {
   filter={class=Filter, before={'dnat', 'no-track'}},
   policy={class=Policy, after='%filter-after'},
   ['%filter-before']={rules=dar, before='filter'},
   ['%filter-after']={rules=ir, after='filter'}
}

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
252
253
254
achains = combinations({{chain='tarpit'}},
		       {{opts='-p tcp', target='TARPIT'},
			{target='DROP'}})
255