--[[
Filter module for Alpine Wall
Copyright (C) 2012 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--


-- Lua 5.1 module idiom: globals assigned in this file (classes, defrules
-- below) become fields of the module table. module() is deprecated from
-- Lua 5.2 onwards, so this file is tied to 5.1 semantics.
module(..., package.seeall)

require 'awall.model'
local model = awall.model

-- Filter rules are derived from the generic model.Rule and add optional
-- rate limiting ('conn-limit' / 'flow-limit') on top of it.
local Filter = model.class(model.Rule)

--- Return which limit attribute this rule carries, if any.
-- A rule may set at most one of 'conn-limit' and 'flow-limit'.
-- @treturn string|nil the attribute name, or nil when the rule is unlimited
-- @raise when both limit attributes are present on the rule
function Filter:limit()
   local found
   for _, key in ipairs{'conn-limit', 'flow-limit'} do
      if self[key] then
         if found then
            error('Cannot specify multiple limits for a single filter rule')
         end
         found = key
      end
   end
   return found
end

--- Decide where the rule is placed within its chain.
-- Flow-limited rules are put first; every other rule is appended.
-- @treturn string 'prepend' or 'append'
function Filter:position()
   if self:limit() == 'flow-limit' then
      return 'prepend'
   end
   return 'append'
end

--- Return the target chain of this rule.
-- An unlimited rule delegates to model.Rule.target. A limited rule is
-- diverted into a dedicated 'limit' chain, which is created on first use
-- and cached in the 'limit-target' attribute so repeated calls reuse it.
-- @return the generic Rule target, or the limit chain
function Filter:target()
   if not self:limit() then
      return model.Rule.target(self)
   end
   local chain = self['limit-target']
   if not chain then
      chain = self:newchain('limit')
      self['limit-target'] = chain
   end
   return chain
end

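--- Build the extra iptables option fragments implementing a limit.
-- For a limited rule two fragments are emitted on the limit chain using
-- the 'recent' match: the first sends a source that exceeded `count`
-- hits within `interval` seconds to LOGDROP, the second records the hit
-- and accepts. Unlimited rules yield an empty list.
-- @treturn table list of {chain=..., opts=...} fragments
-- @raise when the rule is limited but its action is not 'accept', or when
-- the limit attribute is not a table with numeric count and interval
function Filter:extraoptfrags()
   local res = {}
   local limit = self:limit()
   if not limit then return res end

   if self.action ~= 'accept' then
      -- tostring() keeps the message readable even if action is unset
      error('Cannot specify limit for '..tostring(self.action)..' filter')
   end

   -- count and interval are spliced verbatim into the iptables option
   -- string; refuse anything that is not a plain number so a malformed
   -- configuration fails here instead of producing an unintended rule
   local params = self[limit]
   if type(params) ~= 'table' then
      error('Limit '..limit..' must be an object with count and interval')
   end
   if not tonumber(params.count) or not tonumber(params.interval) then
      error('Limit '..limit..' requires numeric count and interval')
   end

   -- target() re-evaluates limit() and may create the chain; resolve once
   local chain = self:target()
   local optbase = '-m recent --name '..chain
   res[1] = {chain=chain,
             opts=optbase..' --update --hitcount '..params.count..
                ' --seconds '..params.interval..' -j LOGDROP'}
   res[2] = {chain=chain, opts=optbase..' --set -j ACCEPT'}
   return res
end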



-- Policy rules are derived from Filter; they differ only in the method
-- overridden below.
local Policy = model.class(Filter)

--- Policy rules contribute no service option fragments.
-- Always returns nil, regardless of the rule's attributes.
-- @return nil
function Policy:servoptfrags()
   return nil
end


-- Name/class pairs this module makes available; exported as a module
-- field through module() above.
classes = {
   {'filter', Filter},
   {'policy', Policy},
}

-- Default rules in the filter table, generated for both address families:
--  * a LOGDROP and a LOGREJECT chain that log (rate limited to 1/second)
--    and then drop or reject;
--  * a stateful accept for RELATED,ESTABLISHED traffic on FORWARD and INPUT.
-- Exported as a module field through module() above.
defrules = {}

-- Append one filter-table rule for the given family and chain.
local function defrule(family, chain, opts)
   defrules[#defrules + 1] = {family=family,
                              table='filter',
                              chain=chain,
                              opts=opts}
end

for _, family in ipairs{'inet', 'inet6'} do
   for _, target in ipairs{'DROP', 'REJECT'} do
      local chain = 'LOG'..target
      defrule(family, chain, '-m limit --limit 1/second -j LOG')
      defrule(family, chain, '-j '..target)
   end
   for _, chain in ipairs{'FORWARD', 'INPUT'} do
      defrule(family, chain, '-m state --state RELATED,ESTABLISHED -j ACCEPT')
   end
end