--[[
Filter module for Alpine Wall
Copyright (C) 2012-2016 Kaarle Ritvanen
See LICENSE file for license details
]]--


local loadclass = require('awall').loadclass
local resolve = require('awall.host')

local model = require('awall.model')
local class = model.class
local Rule = model.Rule

local combinations = require('awall.optfrag').combinations

local util = require('awall.util')
local contains = util.contains
local extend = util.extend
local listpairs = util.listpairs


-- Largest --hitcount this module is willing to hand to the xt_recent match;
-- presumably the module's default per-address packet list size
-- (ip_pkt_list_tot) -- TODO confirm against the kernel build in use
local RECENT_MAX_COUNT = 20

-- Limit that is rendered either with xt_recent (recentofrags) or, when that
-- is not possible, with the inherited rate limit (limitofrags)
local FilterLimit = class(model.Limit)

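--- Render the limit as xt_recent option fragments.
-- The address is masked according to self.mask[family].mode, a
-- {attr, prefix length} pair where attr is 'src' or 'dest'.
-- @tparam string name name of the recent list (the limit chain id)
-- @treturn table|nil fragments that check and update the per-address hit
--   counter ('--update'), one per address family
-- @treturn table|nil fragments that record the address ('--set'); nothing is
--   returned when the count exceeds RECENT_MAX_COUNT even after conversion
--   to a per-second rate, or when a family has no table mask mode
function FilterLimit:recentofrags(name)
   local count = self.count
   local interval = self.interval

   -- xt_recent cannot count beyond RECENT_MAX_COUNT hits per address: try
   -- the equivalent integral rate over one second before giving up
   if count > RECENT_MAX_COUNT then
      count = self:intrate()
      interval = 1
   end

   if count > RECENT_MAX_COUNT then return end

   local uofs = {}
   local sofs = {}

   for _, family in ipairs{'inet', 'inet6'} do
      if type(self.mask[family].mode) ~= 'table' then return end
      local mask = ''
      local attr, len = table.unpack(self.mask[family].mode)

      if family == 'inet' then
         -- dotted-quad netmask derived from the prefix length
         local octet
         for i = 0, 3 do
            if len <= i * 8 then octet = 0
            elseif len > i * 8 + 7 then octet = 255
            -- 2^n is a float; math.floor keeps the partial octet integral so
            -- that Lua 5.3+ renders it as "254" rather than "254.0"
            else octet = math.floor(256 - 2^(8 - len % 8)) end
            mask = util.join(mask, '.', octet)
         end

      elseif family == 'inet6' then
         -- one hex digit per four prefix bits, a colon after every group of
         -- four digits (#mask % 5 == 4 marks the end of a group)
         while len > 0 do
            if #mask % 5 == 4 then mask = mask..':' end
            mask = mask..('%x'):format(16 - 2^math.max(0, 4 - len))
            len = len - 4
         end
         -- pad the last group and abbreviate the remaining zero groups;
         -- a full 8-group mask is 39 characters and needs no '::'
         while #mask % 5 < 4 do mask = mask..'0' end
         if #mask < 39 then mask = mask..'::' end
      end

      local rec = {
         {
            family=family,
            opts='-m recent --name '..name..' --r'..
               ({src='source', dest='dest'})[attr]..' --mask '..mask
         }
      }

      extend(
         uofs,
         combinations(
            rec,
            {{opts='--update --hitcount '..count..' --seconds '..interval}}
         )
      )
      extend(sofs, combinations(rec, {{opts='--set'}}))
   end

   return uofs, sofs
end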


-- Rule whose destination and service matches are adjusted when the dnat
-- attribute is set (see destoptfrags and servoptfrags below)
local TranslatingRule = class(Rule)

--- Destination option fragments, taking DNAT into account.
-- Without dnat the inherited fragments are returned unchanged. With dnat
-- they are kept for inet6 only, and one fragment matching dnat.addr as the
-- 'out' side is appended (the Zone is required to yield exactly one).
-- @treturn table list of option fragments
function TranslatingRule:destoptfrags()
   local base = TranslatingRule.super(self):destoptfrags()
   if not self.dnat then return base end

   local res = combinations(base, {{family='inet6'}})
   local zone = self:create(model.Zone, {addr=self.dnat.addr})
   local natof = zone:optfrags(self:direction('out'))
   assert(#natof == 1)
   res[#res + 1] = natof[1]
   return res
end

--- Service option fragments, taking DNAT port translation into account.
-- Without dnat.port the inherited fragments are returned unchanged. With it
-- they are kept for inet6 only; for inet one fragment matching the
-- translated port is generated per protocol used by the non-inet6 service
-- definitions. Only tcp and udp can be port-translated; anything else is a
-- configuration error.
-- @treturn table list of option fragments
function TranslatingRule:servoptfrags()
   local res = TranslatingRule.super(self):servoptfrags()
   if not (self.dnat and self.dnat.port) then return res end

   res = combinations(res, {{family='inet6'}})

   -- set of protocols (deduplicated via table keys) needing an inet rule
   local protos = {}
   for _, serv in listpairs(self.service) do
      for _, sdef in listpairs(serv) do
         if sdef.family ~= 'inet6' then
            if not contains({'tcp', 'udp'}, sdef.proto) then
               self:error('Cannot do port translation for '..sdef.proto)
            end
            protos[sdef.proto] = true
         end
      end
   end

   local port = self.dnat.port
   for proto in pairs(protos) do
      local rule = self:create(model.Rule, {service={proto=proto, port=port}})
      extend(res, combinations(rule:servoptfrags(), {{family='inet'}}))
   end

   return res
end


-- Rule with an optional log object; when logging, the rule jumps to a
-- dedicated log chain that logs and then applies the action target
local LoggingRule = class(TranslatingRule)

--- Initialise the rule: default action 'accept', then resolve the log
-- attribute into a log object unless it already is a table.
-- The third argument of log.get is whether the action is not 'accept';
-- presumably it selects the default logging behaviour -- confirm in log.lua.
function LoggingRule:init(...)
   LoggingRule.super(self):init(...)
   util.setdefault(self, 'action', 'accept')

   if type(self.log) == 'table' then return end
   local nonaccept = self.action ~= 'accept'
   self.log = loadclass('log').get(self, self.log, nonaccept)
end

--- Target applied after logging; Filter overrides this per action.
-- @treturn string
function LoggingRule:actiontarget()
   return 'ACCEPT'
end

--- Target of the rule: the log chain when logging, otherwise the plain
-- action target.
-- @treturn string
function LoggingRule:target()
   if not self.log then return self:actiontarget() end
   return self:uniqueid('log'..self.action)
end

--- Build a logging chain whose rules log and then jump to target.
-- @param log log object providing optfrags(), or a false value for no log
-- @tparam string action action name used to derive the chain id
-- @tparam string target target of the final rule of the chain
-- @treturn table option fragments for the chain's rules (empty without log)
-- @treturn string target to jump to: the log chain when logging, otherwise
--   target unchanged
function LoggingRule:logchain(log, action, target)
   if not log then return {}, target end

   local chain = self:uniqueid('log'..action)
   local rules = log:optfrags()
   rules[#rules + 1] = {target=target}
   local chainofs = combinations({{chain=chain}}, rules)
   return chainofs, chain
end

--- Extra rules needed by this rule: the log chain for its action, if any.
-- @treturn table option fragments of the log chain (empty without log)
-- @treturn string target to jump to
function LoggingRule:extraoptfrags()
   local target = self:actiontarget()
   return self:logchain(self.log, self.action, target)
end


-- Accepts RELATED traffic, restricted to the conntrack helpers declared by
-- the rule's services (ct-helper) rather than any RELATED connection
local RelatedRule = class(TranslatingRule)

--- Service fragments matching RELATED traffic of the services' ct-helpers.
-- Binding the match to a named helper keeps expectation-based acceptance
-- limited to the helpers actually configured. One fragment per distinct
-- helper name; a later definition with the same helper replaces an earlier one.
-- @treturn table list of option fragments (order unspecified)
function RelatedRule:servoptfrags()
   local function fragment(sdef, helper)
      return {
         family=sdef.family,
         opts='-m conntrack --ctstate RELATED -m helper --helper '..helper
      }
   end

   local byhelper = {}
   for _, serv in listpairs(self.service) do
      for _, sdef in listpairs(serv) do
         local helper = sdef['ct-helper']
         if helper then byhelper[helper] = fragment(sdef, helper) end
      end
   end
   return util.values(byhelper)
end

--- RELATED traffic matched by the helper fragments is always accepted.
-- @treturn string
function RelatedRule:target()
   return 'ACCEPT'
end


-- The 'filter' configuration object (exported below): a logging rule with
-- actions accept/drop/reject/tarpit, optional dnat, no-track and limits
local Filter = class(LoggingRule)

--- Initialise the filter: translate deprecated actions, validate and
-- normalise the limit attribute.
-- Errors (via self:error) when conn-limit is combined with no-track.
function Filter:init(...)
   Filter.super(self):init(...)

   -- alpine v2.4 compatibility: 'logdrop'/'logreject' are the plain action
   -- with the 'log' prefix stripped
   local action = self.action
   if action == 'logdrop' or action == 'logreject' then
      self:warning('Deprecated action: '..action)
      self.action = action:sub(4, -1)
   end

   local limit = self:limit()
   if not limit then return end

   if limit == 'conn-limit' and self['no-track'] then
      self:error('Tracking required with connection limit')
   end

   -- a bare value is shorthand for {count=value}; the limit's own log
   -- attribute is always resolved into a log object
   local spec = self[limit]
   if type(spec) ~= 'table' then
      spec = {count=spec}
      self[limit] = spec
   end
   spec.log = loadclass('log').get(self, spec.log, true)
end

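--- Build the rules for this filter together with the auxiliary dnat,
-- no-track, final and related rules derived from it.
-- Configuration errors are reported through self:error, which is assumed
-- to raise.
-- @treturn table list of rules
function Filter:trules()
   local res = {}

   -- Derive an auxiliary rule of class cls from this one; attrs='dnat'
   -- lets the derived rule inherit the dnat attribute.
   local function extrarules(label, cls, options)
      options = options or {}
      options.attrs = 'dnat'
      extend(res, self:extrarules(label, cls, options))
   end

   if self.dnat then
      if self.action ~= 'accept' then
         self:error('dnat option not allowed with '..self.action..' action')
      end
      if self['no-track'] then
         self:error('dnat option not allowed with no-track')
      end
      if self.ipset then
         self:error('dnat and ipset options cannot be used simultaneously')
      end

      if type(self.dnat) == 'string' then self.dnat = {addr=self.dnat} end
      -- a dnat table without addr would otherwise fail below with a raw
      -- Lua index error instead of a configuration error
      if not self.dnat.addr then
         self:error('DNAT target address not specified')
      end
      if self.dnat.addr:find('/') then
         self:error('DNAT target cannot be a network address')
      end

      -- the DNAT target must resolve to exactly one IPv4 address
      local dnataddr
      for _, addr in ipairs(resolve(self.dnat.addr, self)) do
         if addr[1] == 'inet' then
            if dnataddr then
               self:error(
                  self.dnat.addr..' resolves to multiple IPv4 addresses'
               )
            end
            dnataddr = addr[2]
         end
      end
      if not dnataddr then
         self:error(self.dnat.addr..' does not resolve to any IPv4 address')
      end

      extrarules(
         'dnat',
         'dnat',
         {
            update={['to-addr']=dnataddr, ['to-port']=self.dnat.port},
            discard='out'
         }
      )
   end

   if self.action == 'tarpit' or self['no-track'] then
      extrarules('no-track', 'no-track')
   end

   extend(res, Filter.super(self):trules())

   if self.action == 'accept' then
      if self:position() == 'prepend' then
         extrarules('final', LoggingRule, {update={log=self.log}})
      end

      -- rule count before the RELATED rules, so that no-track can detect
      -- services that would require connection tracking
      local nr = #res

      if self.related then
         for i, rule in listpairs(self.related) do
            extrarules(
               'related',
               RelatedRule,
               {index=i, src=rule, update={service=self.service}}
            )
         end
      else
         -- TODO avoid creating unnecessary RELATED rules by introducing
         -- helper direction attributes to service definitions
         extrarules('related', RelatedRule)
         extrarules('related-reply', RelatedRule, {update={reverse=true}})
      end

      if self['no-track'] then
         if #res > nr then
            self:error('Tracking required by service')
         end
         extrarules('no-track-reply', 'no-track', {update={reverse=true}})
         extrarules('reply', 'filter', {update={reverse=true}})
      end
   end

   return res
end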

--- Name of the limit attribute set on this filter.
-- @treturn string|nil 'conn-limit' or 'flow-limit', nil when neither is set;
--   errors (via self:error) when both are set
function Filter:limit()
   local found
   for _, kind in ipairs{'conn-limit', 'flow-limit'} do
      if self[kind] then
         if found then
            self:error('Cannot specify multiple limits for a single filter rule')
         end
         found = kind
      end
   end
   return found
end

--- Where the rule is placed in its chain.
-- @treturn string 'prepend' for a tracked flow-limit filter, else 'append'
function Filter:position()
   if self['no-track'] then return 'append' end
   if self:limit() == 'flow-limit' then return 'prepend' end
   return 'append'
end

--- iptables target for the filter action.
-- @treturn string 'tarpit' (the tarpit chain) or the upper-cased action;
--   any other action is reported through self:error
function Filter:actiontarget()
   local action = self.action
   if action == 'tarpit' then return 'tarpit' end
   if action == 'accept' or action == 'drop' or action == 'reject' then
      return action:upper()
   end
   self:error('Invalid filter action: '..action)
end

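--- Target of the rule: the limit chain when a limit is configured,
-- otherwise whatever LoggingRule:target yields.
-- @treturn string
function Filter:target()
   if self:limit() then return self:uniqueid('limit') end
   -- method-call syntax, consistent with every other super() call in this file
   return Filter.super(self):target()
end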

--- Extra rules for this filter: the limit chain when a limit is configured,
-- otherwise the inherited log chain.
-- With xt_recent (recentofrags succeeds) the '--update' fragments jump to a
-- drop/log chain and the '--set' fragments accept (or, when the rule is
-- prepended, carry no target so the packet continues in the chain). With the
-- plain rate limit, traffic under the limit jumps to the accept/log chain or
-- RETURNs, and everything else is logged and dropped.
-- @treturn table option fragments for the log and limit chains
function Filter:extraoptfrags()
   local limit = self:limit()
   if not limit then return Filter.super(self):extraoptfrags() end

   if self.action ~= 'accept' then
      self:error('Cannot specify limit for '..self.action..' filter')
   end

   local limitchain = self:uniqueid('limit')
   local limitlog = self[limit].log
   local limitobj = self:create(FilterLimit, self[limit], 'limit')
   local accept = self:position() == 'append'

   local ofrags, logch, limitofs = {}, nil, nil
   local uofs, sofs = limitobj:recentofrags(limitchain)

   if uofs then
      ofrags, logch = self:logchain(limitlog, 'drop', 'DROP')
      limitofs = combinations(uofs, {{target=logch}})
      if accept and self.log then extend(limitofs, self.log:optfrags()) end
      -- {target=nil} is an empty fragment: no target when prepended
      extend(limitofs, combinations(sofs, {{target=accept and 'ACCEPT' or nil}}))
   else
      if accept then
         ofrags, logch = self:logchain(self.log, 'accept', 'ACCEPT')
      else
         logch = 'RETURN'
      end
      limitofs = combinations(limitobj:limitofrags(limitchain), {{target=logch}})
      if limitlog then extend(limitofs, limitlog:optfrags()) end
      limitofs[#limitofs + 1] = {target='DROP'}
   end

   extend(ofrags, combinations({{chain=limitchain}}, limitofs))
   return ofrags
end


-- The 'policy' configuration object (exported below): a filter that matches
-- no service, i.e. applies to all remaining traffic
local Policy = class(Filter)

--- Policies carry no service match; the inherited fragments are suppressed.
-- @treturn nil
function Policy:servoptfrags()
   return nil
end


-- The three built-in filter chains, used for the ESTABLISHED and ICMP
-- routing rules below
local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}}

--- Rules placed before the filter rules (see '%filter-before' below).
-- Per address family: accept ESTABLISHED connections on all filter chains
-- and all loopback traffic, then assign conntrack helpers explicitly in the
-- raw table for every service definition carrying a ct-helper.
-- @tparam table config awall configuration; only config.filter is read
-- @treturn table list of option fragments
local function stateful(config)
   local res = {}

   for _, family in ipairs{'inet', 'inet6'} do
      local er = combinations(
         fchains, {{opts='-m conntrack --ctstate ESTABLISHED'}}
      )
      -- '-i lo' on INPUT, '-o lo' on OUTPUT
      for _, chain in ipairs{'INPUT', 'OUTPUT'} do
         local ifopt = '-'..chain:sub(1, 1):lower()..' lo'
         er[#er + 1] = {chain=chain, opts=ifopt}
      end
      extend(
         res,
         combinations(er, {{family=family, table='filter', target='ACCEPT'}})
      )

      -- TODO avoid creating unnecessary CT rules by inspecting the
      -- filter rules' target families and chains
      -- A service table referenced by several rules is handled once
      -- (visited is keyed by table identity).
      local visited = {}
      local ofrags = {}
      for _, rule in listpairs(config.filter) do
         for _, serv in listpairs(rule.service) do
            if not visited[serv] then
               visited[serv] = true
               for _, sdef in listpairs(serv) do
                  local helper = sdef['ct-helper']
                  if helper then
                     local of = combinations(
                        Rule.morph{service={sdef}}:servoptfrags(),
                        {{family=family}}
                     )
                     if of[1] then
                        assert(#of == 1)
                        of[1].target = 'CT --helper '..helper
                        ofrags[#ofrags + 1] = of[1]
                     end
                  end
               end
            end
         end
      end
      extend(
         res,
         combinations(
            {{table='raw'}},
            {{chain='PREROUTING'}, {chain='OUTPUT'}},
            ofrags
         )
      )
   end

   return res
end

-- Base fragments for ICMP and ICMPv6 matches in the filter table
local icmp = {{family='inet', table='filter', opts='-p icmp'}}
local icmp6 = {{family='inet6', table='filter', opts='-p icmpv6'}}
-- Rules placed after the filter rules (see '%filter-after' below): all
-- ICMPv6 is accepted on INPUT and OUTPUT, while forwarded ICMPv6 and all
-- ICMP go through the icmp-routing chain, which icmprules fills below
local ir = combinations(
   icmp6,
   {{chain='INPUT'}, {chain='OUTPUT'}},
   {{target='ACCEPT'}}
)
extend(ir, combinations(icmp6, {{chain='FORWARD', target='icmp-routing'}}))
extend(ir, combinations(icmp, fchains, {{target='icmp-routing'}}))

--- Append ACCEPT rules for the given ICMP types to the icmp-routing chain
-- (module-level list ir).
-- @tparam table ofrag base fragments (icmp or icmp6)
-- @tparam string oname iptables option naming the type ('icmp-type' etc.)
-- @tparam table types list of numeric ICMP types
local function icmprules(ofrag, oname, types)
   local typeofs = util.map(types, function(t)
      return {opts='--'..oname..' '..t}
   end)
   local accepted = combinations(
      ofrag, {{chain='icmp-routing', target='ACCEPT'}}, typeofs
   )
   extend(ir, accepted)
end
-- Error messages that must be let through for path MTU discovery and
-- diagnostics to work: ICMP destination unreachable (3), time exceeded (11)
-- and parameter problem (12); ICMPv6 destination unreachable (1), packet
-- too big (2), time exceeded (3) and parameter problem (4)
icmprules(icmp, 'icmp-type', {3, 11, 12})
icmprules(icmp6, 'icmpv6-type', {1, 2, 3, 4})

-- Module table, presumably consumed by the awall core via loadclass
return {
   export={
      -- filter rules are ordered before the dnat and no-track rules
      filter={class=Filter, before={'dnat', 'no-track'}},
      -- policies come last, after the ICMP rules
      policy={class=Policy, after='%filter-after'},
      -- pseudo-sections: stateful rules before, ICMP rules after the filters
      ['%filter-before']={rules=stateful, before='filter'},
      ['%filter-after']={rules=ir, after='filter'}
   },
   -- tarpit chain: TCP is handed to the TARPIT target, everything else dropped
   achains=combinations(
      {{chain='tarpit'}}, {{opts='-p tcp', target='TARPIT'}, {target='DROP'}}
   )
}