--[[
Filter module for Alpine Wall
Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details
]]--


-- NOTE(review): module() is the Lua 5.1 module idiom (deprecated from 5.2
-- on); it makes the unqualified globals defined later in this file
-- (stateful, export, achains) fields of the module table.
module(..., package.seeall)

local resolve = require('awall.host').resolve
local model = require('awall.model')
local combinations = require('awall.optfrag').combinations

local util = require('awall.util')
local extend = util.extend
local listpairs = util.listpairs

-- Largest hit count handled with the iptables 'recent' match. Limits above
-- it are rescaled to a per-second rate and, if still larger, implemented
-- with 'hashlimit' instead (see Filter:extraoptfrags).
local RECENT_MAX_COUNT = 20

-- Rule variant accepting RELATED traffic of a connection-tracking helper
-- (helper-opened secondary connections); generated alongside accepted
-- filter rules whose services declare a 'ct-helper' (see Filter:trules)
local RelatedRule = model.class(model.Rule)

--- Option fragments matching RELATED packets of the conntrack helpers named
-- by this rule's service definitions.
-- The fragments are collected per helper name, so a helper listed in several
-- service definitions yields a single fragment carrying the last family seen.
-- @treturn table sequence of fragments of the form {family=..., opts=...}
function RelatedRule:servoptfrags()
   local byhelper = {}
   for _, serv in listpairs(self.service) do
      for _, sdef in listpairs(serv) do
         local name = sdef['ct-helper']
         if name then
            byhelper[name] = {
               family=sdef.family,
               opts='-m conntrack --ctstate RELATED -m helper --helper '..name
            }
         end
      end
   end
   return util.values(byhelper)
end

--- RELATED traffic selected by the helper fragments is always accepted.
-- @treturn string the iptables target 'ACCEPT'
function RelatedRule:target()
   return 'ACCEPT'
end

-- Stateful filter rule; backs the 'filter' configuration section
-- (see export at the end of the file)
local Filter = model.class(model.Rule)

--- Normalize the action, log and limit attributes of a filter rule after
-- the base Rule initialization.
-- The action defaults to 'accept'; the deprecated 'logdrop'/'logreject'
-- actions are mapped to 'drop'/'reject' with a warning; the log spec is
-- resolved through the log class; a scalar conn-limit/flow-limit value is
-- wrapped into {count=...} and given its own resolved log spec.
function Filter:init(...)
   Filter.super(self):init(...)

   if not self.action then self.action = 'accept' end

   -- alpine v2.4 compatibility: strip the 'log' prefix of the old actions
   if util.contains({'logdrop', 'logreject'}, self.action) then
      self:warning('Deprecated action: '..self.action)
      self.action = self.action:sub(4)
   end

   -- required lazily, presumably to avoid a load-time cycle with 'awall'
   local getlog = require('awall').loadclass('log').get
   -- the third argument is true for non-accept actions; presumably it
   -- selects logging by default for dropped/rejected traffic
   self.log = getlog(self, self.log, self.action ~= 'accept')

   local limit = self:limit()
   if limit then
      local spec = self[limit]
      if type(spec) ~= 'table' then
         spec = {count=spec}
         self[limit] = spec
      end
      spec.log = getlog(self, spec.log, true)
   end
end

--- Destination option fragments of the rule.
-- Without 'dnat' the base Rule's fragments are returned as is. With 'dnat'
-- they are restricted to IPv6 and a single IPv4 fragment for the DNAT
-- target address (obtained from a temporary Zone) is appended.
-- @treturn table sequence of option fragments
function Filter:destoptfrags()
   local frags = Filter.super(self):destoptfrags()
   if not self.dnat then return frags end

   local v6frags = combinations(frags, {{family='inet6'}})
   local natfrags = self:create(model.Zone, {addr=self.dnat}):optfrags('out')
   -- the DNAT target is a single host address (see Filter:trules), so one
   -- fragment is expected
   assert(#natfrags == 1)
   v6frags[#v6frags + 1] = natfrags[1]
   return v6frags
end

--- Generate the iptables rules for this filter rule and its companions.
-- Besides the base Rule's own rules the result may contain: a 'dnat' rule
-- (when dnat is set), 'no-track' rules (for the 'tarpit' action or the
-- no-track option), RELATED-accept rules for the conntrack helpers of the
-- services (accept action only) and, for untracked accepts, the reverse
-- direction no-track and accept rules. Invalid option combinations are
-- reported via self:error.
-- @treturn table sequence of rule tables
function Filter:trules()
   local res = {}

   -- Create a companion rule of class cls, copying the traffic-selecting
   -- attributes from src (this rule by default), overriding them with
   -- extra, and append the rules it generates to res.
   local function extrarules(cls, extra, src)
      if not src then src = self end
      local params = {}
      for i, attr in ipairs(
	 {'in', 'out', 'src', 'dest', 'ipset', 'ipsec', 'service'}
      ) do
	 params[attr] = src[attr]
      end
      util.update(params, extra)
      return extend(res, self:create(cls, params):trules())
   end

   if self.dnat then
      -- DNAT is only supported for accepted, tracked traffic with an
      -- explicit destination, a single host as the target and no
      -- ipsec/ipset selectors; reject anything else up front
      if self.action ~= 'accept' then
	 self:error('dnat option not allowed with '..self.action..' action')
      end
      if self['no-track'] then
	 self:error('dnat option not allowed with no-track')
      end
      if not self.dest then
	 self:error('Destination address must be specified with DNAT')
      end
      if self.dnat:find('/') then
	 self:error('DNAT target cannot be a network address')
      end
      for i, attr in ipairs({'ipsec', 'ipset'}) do
	 if self[attr] then
	    self:error('dnat and '..attr..' options cannot be used simultaneously')
	 end
      end

      -- the target must resolve to exactly one IPv4 address; IPv6 results
      -- are ignored, so DNAT to an IPv6 address is not supported here
      local dnataddr
      for i, addr in ipairs(resolve(self.dnat, self)) do
	 if addr[1] == 'inet' then
	    if dnataddr then
	       self:error(self.dnat..' resolves to multiple IPv4 addresses')
	    end
	    dnataddr = addr[2]
	 end
      end
      if not dnataddr then
	 self:error(self.dnat..' does not resolve to any IPv4 address')
      end

      -- NOTE(review): out=nil is a no-op (nil entries do not exist in a
      -- table constructor), so the dnat rule still inherits this rule's
      -- 'out' attribute; confirm that the dnat class ignores it
      extrarules('dnat', {['to-addr']=dnataddr, out=nil})
   end

   -- tarpitted connections are never tracked
   if self.action == 'tarpit' or self['no-track'] then
      extrarules('no-track')
   end

   extend(res, Filter.super(self):trules())

   if self.action == 'accept' then
      -- everything appended past this index comes from the RELATED rules
      local nr = #res

      if self.related then
	 -- explicit 'related' entries bring their own traffic selectors but
	 -- share this rule's services
	 for i, rule in listpairs(self.related) do
	    extrarules(RelatedRule, {service=self.service}, rule)
	 end
      else
	 -- TODO avoid creating unnecessary RELATED rules by introducing
	 -- helper direction attributes to service definitions
	 extrarules(RelatedRule)
	 extrarules(RelatedRule, {reverse=true})
      end

      if self['no-track'] then
	 -- a conntrack helper requires tracking, so an untracked rule must
	 -- not have produced any RELATED rules
	 if #res > nr then
	    self:error('Tracking required by service')
	 end
	 -- without tracking the reply direction has to be allowed
	 -- explicitly; the reverse accept rule is deliberately unlogged
	 extrarules('no-track', {reverse=true})
	 extrarules('filter', {reverse=true, action='accept', log=false})
      end
   end

   return res
end

--- Name of the limit attribute set on this rule.
-- Having both conn-limit and flow-limit is reported via self:error.
-- @treturn string|nil 'conn-limit' or 'flow-limit'; nil when neither is set
function Filter:limit()
   local found
   for _, name in ipairs({'conn-limit', 'flow-limit'}) do
      if self[name] then
         if found then
            self:error('Cannot specify multiple limits for a single filter rule')
         end
         found = name
      end
   end
   return found
end

--- Placement of the generated rules within their chain: flow-limited rules
-- are prepended, all others appended.
-- @treturn string 'prepend' or 'append'
function Filter:position()
   if self:limit() == 'flow-limit' then return 'prepend' end
   return 'append'
end

--- iptables target implementing the rule's action.
-- Any action other than accept/drop/reject/tarpit is reported via
-- self:error.
-- @treturn string 'ACCEPT', 'DROP', 'REJECT' or the 'tarpit' chain name
-- (see achains)
function Filter:actiontarget()
   local targets = {
      accept='ACCEPT', drop='DROP', reject='REJECT', tarpit='tarpit'
   }
   local target = targets[self.action]
   if target then return target end
   self:error('Invalid filter action: '..self.action)
end

--- Target of the rule's main iptables rule: the per-rule 'limit' chain when
-- a limit is set, the per-rule 'log<action>' chain when logging, otherwise
-- the plain action target. The chains themselves are emitted by
-- Filter:extraoptfrags.
-- @treturn string
function Filter:target()
   if self:limit() then
      return self:newchain('limit')
   elseif self.log then
      return self:newchain('log'..self.action)
   end
   return self:actiontarget()
end

--- Option fragments for the auxiliary chains of this rule: the log chain
-- (when logging is enabled) and the rate-limit chain (when conn-limit or
-- flow-limit is set). Chain names are obtained from self:newchain with the
-- same suffixes Filter:target uses.
-- @treturn table sequence of option fragments, each carrying a 'chain' field
function Filter:extraoptfrags()
   local res = {}

   -- Emit a 'log<action>' chain that logs and then jumps to target; returns
   -- the chain name, or target itself when log is unset
   local function logchain(log, action, target)
      if not log then return target end
      local chain = self:newchain('log'..action)
      extend(
	 res,
	 combinations({{chain=chain}}, {log:optfrag(), {target=target}})
      )
      return chain
   end

   local limit = self:limit()
   if limit then
      -- limits are only meaningful for accepted traffic
      if self.action ~= 'accept' then
	 self:error('Cannot specify limit for '..self.action..' filter')
      end

      local chain = self:newchain('limit')
      local limitlog = self[limit].log
      -- NOTE(review): count is compared numerically below, so a string
      -- count from the configuration would raise; presumably the schema
      -- guarantees a number
      local count = self[limit].count
      local interval = self[limit].interval or 1

      -- 'recent' cannot count beyond RECENT_MAX_COUNT hits, so larger
      -- limits are approximated by a per-second rate
      if count > RECENT_MAX_COUNT then
	 count = math.ceil(count / interval)
	 interval = 1
      end

      local ofrags
      if count > RECENT_MAX_COUNT then
	 -- per-source-address rate limit: up to count packets per second
	 -- (burst count) are accepted, logged via self.log if set; the
	 -- excess is dropped, logged via limitlog if set (inserted before
	 -- the DROP fragment)
	 ofrags = {
	    {
	       opts='-m hashlimit --hashlimit-upto '..count..'/second --hashlimit-burst '..count..' --hashlimit-mode srcip --hashlimit-name '..chain,
	       target=logchain(self.log, 'accept', 'ACCEPT')
	    },
	    {target='DROP'}
	 }
	 if limitlog then table.insert(ofrags, 2, limitlog:optfrag()) end
      else
	 -- per-source hit counter: a source seen count times within
	 -- interval seconds is dropped (logged via limitlog), otherwise it
	 -- is recorded and accepted; self.log, if set, sits between the two
	 -- and therefore logs the accepted packets
	 ofrags = combinations(
	    {{opts='-m recent --name '..chain}},
	    {
	       {
		  opts='--update --hitcount '..count..' --seconds '..interval,
		  target=logchain(limitlog, 'drop', 'DROP')
	       },
	       {opts='--set', target='ACCEPT'}
	    }
	 )
	 if self.log then table.insert(ofrags, 2, self.log:optfrag()) end
      end

      extend(res, combinations({{chain=chain}}, ofrags))

   -- no limit: only the log chain (if any) is needed; its name is the one
   -- Filter:target returned, presumably newchain is deterministic per suffix
   else logchain(self.log, self.action, self:actiontarget()) end
   
   return res
end



-- Policy rule: a Filter without service-specific option fragments, backing
-- the 'policy' configuration section (see export below)
local Policy = model.class(Filter)

--- Policies do not match on services.
-- @treturn nil always (an explicit single nil value)
function Policy:servoptfrags()
   return nil
end


-- The three built-in chains of the filter table, as chain fragments
local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}}

--- Rules placed ahead of the filter rules (exported as '%filter-before').
-- For each address family: accept ESTABLISHED traffic on the three filter
-- chains and loopback traffic on INPUT/OUTPUT, and in the raw table's
-- PREROUTING/OUTPUT chains bind the conntrack helpers declared by the
-- filter rules' services ('ct-helper') to that service traffic with an
-- explicit CT --helper target, so a helper only ever sees its own ports.
-- @tparam table config the whole configuration; only config.filter is read
-- @treturn table sequence of option fragments
function stateful(config)
   local res = {}

   for _, family in ipairs{'inet', 'inet6'} do

      local accepted = combinations(
         fchains,
         {{opts='-m conntrack --ctstate ESTABLISHED'}}
      )
      -- '-i lo' on INPUT and '-o lo' on OUTPUT
      for _, chain in ipairs({'INPUT', 'OUTPUT'}) do
         local iface = '-'..chain:sub(1, 1):lower()..' lo'
         accepted[#accepted + 1] = {chain=chain, opts=iface}
      end
      extend(
         res,
         combinations(accepted, {{family=family, table='filter', target='ACCEPT'}})
      )

      -- TODO avoid creating unnecessary CT rules by inspecting the
      -- filter rules' target families and chains
      local seen = {}
      local helperfrags = {}
      for _, rule in listpairs(config.filter) do
         for _, serv in listpairs(rule.service) do
            if not seen[serv] then
               for _, sdef in listpairs(serv) do
                  local helper = sdef['ct-helper']
                  if helper then
                     -- fragments matching this service definition alone
                     local frags = combinations(
                        model.Rule.morph{service={sdef}}:servoptfrags(),
                        {{family=family}}
                     )
                     if frags[1] then
                        assert(#frags == 1)
                        frags[1].target = 'CT --helper '..helper
                        helperfrags[#helperfrags + 1] = frags[1]
                     end
                  end
               end
               seen[serv] = true
            end
         end
      end
      extend(
         res,
         combinations(
            {{table='raw'}},
            {{chain='PREROUTING'}, {chain='OUTPUT'}},
            helperfrags
         )
      )
   end

   return res
end

-- ICMP handling placed after the filter rules (exported as '%filter-after'):
-- ICMPv6 is accepted outright on INPUT and OUTPUT (ICMPv6 carries neighbor
-- discovery, so filtering it on the host itself breaks IPv6), while
-- forwarded ICMPv6 and all ICMPv4 go through the 'icmp-routing' chain,
-- which accepts only the error/control types listed further below
local icmp = {{family='inet', table='filter', opts='-p icmp'}}
local icmp6 = {{family='inet6', table='filter', opts='-p icmpv6'}}
local ir = combinations(
   icmp6,
   {{chain='INPUT'}, {chain='OUTPUT'}},
   {{target='ACCEPT'}}
)
extend(ir, combinations(icmp6, {{chain='FORWARD', target='icmp-routing'}}))
extend(ir, combinations(icmp, fchains, {{target='icmp-routing'}}))

--- Append to ir the 'icmp-routing' rules accepting the given ICMP types.
-- @param ofrag base fragment (icmp or icmp6) selecting family and protocol
-- @tparam string oname match option naming the type ('icmp-type' or
-- 'icmpv6-type')
-- @tparam table types sequence of numeric ICMP type values to accept
local function icmprules(ofrag, oname, types)
   local typefrags = util.map(
      types,
      function(t) return {opts='--'..oname..' '..t} end
   )
   extend(
      ir,
      combinations(ofrag, {{chain='icmp-routing', target='ACCEPT'}}, typefrags)
   )
end
-- ICMPv4 types 3 (destination unreachable), 11 (time exceeded) and
-- 12 (parameter problem)
icmprules(icmp, 'icmp-type', {3, 11, 12})
-- ICMPv6 types 1 (destination unreachable), 2 (packet too big, required
-- for path MTU discovery), 3 (time exceeded) and 4 (parameter problem)
icmprules(icmp6, 'icmpv6-type', {1, 2, 3, 4})

-- Configuration sections provided by this module (a module field via
-- module() above). 'before'/'after' give the ordering relative to other
-- sections: filter rules precede dnat and no-track rules, the stateful()
-- rules precede the filter rules, the ICMP rules and then policies follow.
export = {
   filter={class=Filter, before={'dnat', 'no-track'}},
   policy={class=Policy, after='%filter-after'},
   ['%filter-before']={rules=stateful, before='filter'},
   ['%filter-after']={rules=ir, after='filter'}
}

-- Auxiliary 'tarpit' chain referenced by Filter:actiontarget: TCP is handed
-- to the TARPIT target (xtables-addons), everything else is dropped
achains = combinations({{chain='tarpit'}},
		       {{opts='-p tcp', target='TARPIT'},
			{target='DROP'}})