filter.lua 8.66 KB
Newer Older
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
1
2
--[[
Filter module for Alpine Wall
3
Copyright (C) 2012-2013 Kaarle Ritvanen
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
4
See LICENSE file for license details
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
5
6
7
8
9
]]--


module(..., package.seeall)

10
11
12
local resolve = require('awall.host').resolve
local model = require('awall.model')
local combinations = require('awall.optfrag').combinations
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
13

14
15
local util = require('awall.util')
local extend = util.extend
16
local listpairs = util.listpairs
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
17

18
19
local RECENT_MAX_COUNT = 20

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
20

21
22
23
24
25
26
27
28
29
local RelatedRule = model.class(model.Rule)

function RelatedRule:servoptfrags()
   local helpers = {}
   for i, serv in listpairs(self.service) do
      for i, sdef in listpairs(serv) do
	 local helper = sdef['ct-helper']
	 if helper then
	    helpers[helper] = {
30
	       opts='-m conntrack --ctstate RELATED -m helper --helper '..helper
31
32
33
34
35
36
37
38
	    }
	 end
      end
   end
   return util.values(helpers)
end


Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
39
40
local Filter = model.class(model.Rule)

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
41
42
43
44
45
46
47
48
49
function Filter:init(...)
   model.Rule.init(self, unpack(arg))

   -- alpine v2.4 compatibility
   if util.contains({'logdrop', 'logreject'}, self.action) then
      self:warning('Deprecated action: '..self.action)
      self.action = string.sub(self.action, 4, -1)
   end

50
51
   local log = require('awall').loadclass('log').get
   self.log = log(self, self.log, self.action ~= 'accept')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
52

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
53
   local limit = self:limit()
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
54
55
56
57
   if limit then
      if type(self[limit]) ~= 'table' then
	 self[limit] = {count=self[limit]}
      end
58
      self[limit].log = log(self, self[limit].log, true)
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
59
   end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
60
61
end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
62
63
64
65
function Filter:destoptfrags()
   local ofrags = model.Rule.destoptfrags(self)
   if not self.dnat then return ofrags end

66
   ofrags = combinations(ofrags, {{family='inet6'}})
67
   local natof = self:create(model.Zone, {addr=self.dnat}):optfrags('out')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
68
69
70
71
72
73
74
75
   assert(#natof == 1)
   table.insert(ofrags, natof[1])
   return ofrags
end

function Filter:trules()
   local res = {}

76
77
   local function extrarules(cls, extra, src)
      if not src then src = self end
78
      local params = {}
79
80
81
82
      for i, attr in ipairs(
	 {'in', 'out', 'src', 'dest', 'ipset', 'ipsec', 'service'}
      ) do
	 params[attr] = src[attr]
83
      end
84
      util.update(params, extra)
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
85
      return extend(res, self:create(cls, params):trules())
86
87
   end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
88
   if self.dnat then
89
90
91
      if self.action ~= 'accept' then
	 self:error('dnat option not allowed with '..self.action..' action')
      end
92
93
94
      if self['no-track'] then
	 self:error('dnat option not allowed with no-track')
      end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
95
      if not self.dest then
96
	 self:error('Destination address must be specified with DNAT')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
97
98
      end
      if string.find(self.dnat, '/') then
99
	 self:error('DNAT target cannot be a network address')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
100
101
102
      end
      for i, attr in ipairs({'ipsec', 'ipset'}) do
	 if self[attr] then
103
	    self:error('dnat and '..attr..' options cannot be used simultaneously')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
104
105
106
107
	 end
      end

      local dnataddr
108
      for i, addr in ipairs(resolve(self.dnat, self)) do
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
109
110
	 if addr[1] == 'inet' then
	    if dnataddr then
111
	       self:error(self.dnat..' resolves to multiple IPv4 addresses')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
112
113
114
115
116
	    end
	    dnataddr = addr[2]
	 end
      end
      if not dnataddr then
117
	 self:error(self.dnat..' does not resolve to any IPv4 address')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
118
119
      end

120
      extrarules('dnat', {['to-addr']=dnataddr, out=nil})
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
121
122
   end

123
124
125
   if self.action == 'tarpit' or self['no-track'] then
      extrarules('no-track')
   end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
126

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
127
   extend(res, model.Rule.trules(self))
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
128

129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
   if self.action == 'accept' then
      local nr = #res

      if self.related then
	 for i, rule in listpairs(self.related) do
	    extrarules(
	       RelatedRule,
	       {service=self.service, action='accept'},
	       rule
	    )
	 end
      else
	 -- TODO avoid creating unnecessary RELATED rules by introducing
	 -- helper direction attributes to service definitions
	 extrarules(RelatedRule, {action='accept'})
	 extrarules(RelatedRule, {reverse=true, action='accept'})
      end

      if self['no-track'] then
	 if #res > nr then
	    self:error('Tracking required by service')
	 end
	 extrarules('no-track', {reverse=true})
	 extrarules('filter', {reverse=true, action='accept', log=false})
      end
154
155
   end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
156
157
158
   return res
end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
159
160
161
162
163
function Filter:limit()
   local res
   for i, limit in ipairs({'conn-limit', 'flow-limit'}) do
      if self[limit] then
	 if res then
164
	    self:error('Cannot specify multiple limits for a single filter rule')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
165
166
167
168
169
170
171
172
173
174
175
	 end
	 res = limit
      end
   end
   return res
end

function Filter:position()
   return self:limit() == 'flow-limit' and 'prepend' or 'append'
end

176
177
178
179
180
181
182
183
function Filter:actiontarget()
   if self.action == 'tarpit' then return 'tarpit' end
   if util.contains({'drop', 'reject'}, self.action) then
      return string.upper(self.action)
   end
   return model.Rule.target(self)
end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
184
function Filter:target()
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
185
186
   if self:limit() then return self:newchain('limit') end
   if self.log then return self:newchain('log'..self.action) end
187
   return self:actiontarget()
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
188
189
190
191
end

function Filter:extraoptfrags()
   local res = {}
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
192

193
194
195
196
197
198
199
200
   local function logchain(log, action, target)
      if not log then return target end
      local chain = self:newchain('log'..action)
      extend(
	 res,
	 combinations({{chain=chain}}, {log:optfrag(), {target=target}})
      )
      return chain
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
201
202
   end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
203
204
205
   local limit = self:limit()
   if limit then
      if self.action ~= 'accept' then
206
	 self:error('Cannot specify limit for '..self.action..' filter')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
207
      end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
208

209
      local chain = self:newchain('limit')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
210
      local limitlog = self[limit].log
211
      local count = self[limit].count
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
212
      local interval = self[limit].interval or 1
213
214
215
216
217
218
219
220
221

      if count > RECENT_MAX_COUNT then
	 count = math.ceil(count / interval)
	 interval = 1
      end

      local ofrags
      if count > RECENT_MAX_COUNT then
	 ofrags = {
222
	    {
223
	       opts='-m hashlimit --hashlimit-upto '..count..'/second --hashlimit-burst '..count..' --hashlimit-mode srcip --hashlimit-name '..chain,
224
225
226
	       target=logchain(self.log, 'accept', 'ACCEPT')
	    },
	    {target='DROP'}
227
	 }
228
	 if limitlog then table.insert(ofrags, 2, limitlog:optfrag()) end
229
230
231
232
233
234
      else
	 ofrags = combinations(
	    {{opts='-m recent --name '..chain}},
	    {
	       {
		  opts='--update --hitcount '..count..' --seconds '..interval,
235
		  target=logchain(limitlog, 'drop', 'DROP')
236
	       },
237
	       {opts='--set', target='ACCEPT'}
238
239
	    }
	 )
240
	 if self.log then table.insert(ofrags, 2, self.log:optfrag()) end
241
      end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
242

243
      extend(res, combinations({{chain=chain}}, ofrags))
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
244

245
   else logchain(self.log, self.action, self:actiontarget()) end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
246
   
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
247
248
249
250
251
252
253
254
255
256
   return res
end



local Policy = model.class(Filter)

function Policy:servoptfrags() return nil end


257
258
local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}}

259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
function stateful(config)
   local res = {}

   local families = {{family='inet'}, {family='inet6'}}

   local er = combinations(
      fchains,
      {{opts='-m conntrack --ctstate ESTABLISHED'}}
   )
   for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
      table.insert(
	 er,
	 {
	    chain=chain,
	    opts='-'..string.lower(string.sub(chain, 1, 1))..' lo'
	 }
      )
   end
   extend(res, combinations(families, er, {{table='filter', target='ACCEPT'}}))

   -- TODO avoid creating unnecessary CT rules by inspecting the
   -- filter rules' target families and chains
   local visited = {}
   local ofrags = {}
   for i, rule in listpairs(config.filter) do
      for i, serv in listpairs(rule.service) do
	 if not visited[serv] then
	    for i, sdef in listpairs(serv) do
	       if sdef['ct-helper'] then
		  local of = model.Rule.morph({service={sdef}}):servoptfrags()
		  assert(#of == 1)
		  of[1].target = 'CT --helper '..sdef['ct-helper']
		  table.insert(ofrags, of[1])
	       end
	    end
	    visited[serv] = true
	 end
      end
   end
   extend(
      res,
      combinations(
	 families,
	 {{table='raw'}},
	 {{chain='PREROUTING'}, {chain='OUTPUT'}},
	 ofrags
      )
   )

   return res
309
end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
310

311
312
local icmp = {{family='inet', table='filter', opts='-p icmp'}}
local icmp6 = {{family='inet6', table='filter', opts='-p icmpv6'}}
313
314
315
316
317
318
319
local ir = combinations(
   icmp6,
   {{chain='INPUT'}, {chain='OUTPUT'}},
   {{target='ACCEPT'}}
)
extend(ir, combinations(icmp6, {{chain='FORWARD', target='icmp-routing'}}))
extend(ir, combinations(icmp, fchains, {{target='icmp-routing'}}))
320
321

local function icmprules(ofrag, oname, types)
322
323
324
325
326
327
328
329
330
   extend(
      ir,
      combinations(ofrag,
		   {{chain='icmp-routing', target='ACCEPT'}},
		   util.map(types,
			    function(t)
			       return {opts='--'..oname..' '..t}
			    end))
   )
331
332
333
end
icmprules(icmp, 'icmp-type', {3, 11, 12})
icmprules(icmp6, 'icmpv6-type', {1, 2, 3, 4})
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
334

335
336
337
export = {
   filter={class=Filter, before={'dnat', 'no-track'}},
   policy={class=Policy, after='%filter-after'},
338
   ['%filter-before']={rules=stateful, before='filter'},
339
340
341
   ['%filter-after']={rules=ir, after='filter'}
}

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
342
343
344
achains = combinations({{chain='tarpit'}},
		       {{opts='-p tcp', target='TARPIT'},
			{target='DROP'}})
345