filter.lua 4.51 KB
Newer Older
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
1
2
3
4
5
6
7
8
9
--[[
Filter module for Alpine Wall
Copyright (C) 2012 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--


module(..., package.seeall)

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
10
11
require 'awall'
require 'awall.host'
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
12
require 'awall.model'
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
13
14
15
require 'awall.optfrag'
require 'awall.util'

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
16
17
18
19
local model = awall.model

local Filter = model.class(model.Rule)

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
20
21
22
23
24
25
26
27
function Filter:defaultzones()
   return self.dnat and {nil} or model.Rule.defaultzones(self)
end

function Filter:destoptfrags()
   local ofrags = model.Rule.destoptfrags(self)
   if not self.dnat then return ofrags end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
28
   ofrags = awall.optfrag.combinations(ofrags, {{family='inet6'}})
29
   local natof = self:create(model.Zone, {addr=self.dnat}):optfrags('out')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
30
31
32
33
34
35
36
37
   assert(#natof == 1)
   table.insert(ofrags, natof[1])
   return ofrags
end

function Filter:trules()
   local res = {}

38
39
40
41
42
43
44
45
46
47
   local function extrarules(cls, extra)
      local params = {}
      for i, attr in ipairs({'in', 'out', 'src', 'dest',
			     'ipset', 'ipsec', 'service'}) do
	 params[attr] = self[attr]
      end
      if extra then for k, v in pairs(extra) do params[k] = v end end
      return awall.util.extend(res, self:create(cls, params):trules())
   end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
48
   if self.dnat then
49
50
51
      if self.action ~= 'accept' then
	 self:error('dnat option not allowed with '..self.action..' action')
      end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
52
      if not self.dest then
53
	 self:error('Destination address must be specified with DNAT')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
54
55
      end
      if string.find(self.dnat, '/') then
56
	 self:error('DNAT target cannot be a network address')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
57
58
59
      end
      for i, attr in ipairs({'ipsec', 'ipset'}) do
	 if self[attr] then
60
	    self:error('dnat and '..attr..' options cannot be used simultaneously')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
61
62
63
64
	 end
      end

      local dnataddr
65
      for i, addr in ipairs(awall.host.resolve(self.dnat, self)) do
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
66
67
	 if addr[1] == 'inet' then
	    if dnataddr then
68
	       self:error(self.dnat..' resolves to multiple IPv4 addresses')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
69
70
71
72
73
	    end
	    dnataddr = addr[2]
	 end
      end
      if not dnataddr then
74
	 self:error(self.dnat..' does not resolve to any IPv4 address')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
75
76
      end

77
      extrarules('dnat', {['ip-range']=dnataddr, out=nil})
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
78
79
   end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
80
81
   if self.action == 'tarpit' then extrarules('no-track') end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
82
83
84
85
86
   awall.util.extend(res, model.Rule.trules(self))

   return res
end

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
87
88
89
90
91
function Filter:limit()
   local res
   for i, limit in ipairs({'conn-limit', 'flow-limit'}) do
      if self[limit] then
	 if res then
92
	    self:error('Cannot specify multiple limits for a single filter rule')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
93
94
95
96
97
98
99
100
101
102
103
104
105
	 end
	 res = limit
      end
   end
   return res
end

function Filter:position()
   return self:limit() == 'flow-limit' and 'prepend' or 'append'
end

function Filter:target()
   if not self:limit() then return model.Rule.target(self) end
106
   return self:newchain('limit')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
107
108
109
110
111
112
113
end

function Filter:extraoptfrags()
   local res = {}
   local limit = self:limit()
   if limit then
      if self.action ~= 'accept' then
114
	 self:error('Cannot specify limit for '..self.action..' filter')
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
115
116
117
      end
      local optbase = '-m recent --name '..self:target()
      table.insert(res, {chain=self:target(),
118
			 opts=optbase..' --update --hitcount '..self[limit].count..' --seconds '..self[limit].interval..' -j logdrop'})
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
119
120
121
122
123
124
125
126
127
128
129
130
131
      table.insert(res, {chain=self:target(),
			 opts=optbase..' --set -j ACCEPT'})
   end
   return res
end



local Policy = model.class(Filter)

function Policy:servoptfrags() return nil end


132
133
classes = {{'filter', Filter},
	   {'policy', Policy}}
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
134

135
136
defrules = {pre={}, ['post-filter']={}}

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
137
138
local limitedlog = '-m limit --limit 1/second -j LOG'

139
for i, family in ipairs({'inet', 'inet6'}) do
140
   for i, target in ipairs({'drop', 'reject'}) do
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
141
      for i, opts in ipairs({limitedlog, '-j '..string.upper(target)}) do
142
	 table.insert(defrules.pre,
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
143
144
		      {family=family,
		       table='filter',
145
		       chain='log'..target,
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
146
147
148
		       opts=opts})
      end
   end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
149

Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
150
151
152
153
154
   for i, opts in ipairs({limitedlog, '-p tcp -j TARPIT', '-j DROP'}) do
      table.insert(defrules.pre,
		   {family=family, table='filter', chain='tarpit', opts=opts})
   end

155
   for i, chain in ipairs({'FORWARD', 'INPUT', 'OUTPUT'}) do
156
      table.insert(defrules.pre,
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
157
158
159
160
161
		   {family=family,
		    table='filter',
		    chain=chain,
		    opts='-m state --state RELATED,ESTABLISHED -j ACCEPT'})
   end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
162
163

   for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
164
      table.insert(defrules.pre,
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
165
166
167
168
169
		   {family=family,
		    table='filter',
		    chain=chain,
		    opts='-'..string.lower(string.sub(chain, 1, 1))..' lo -j ACCEPT'})
   end
Kaarle Ritvanen's avatar
Kaarle Ritvanen committed
170
end
171
172
173
174
175
176
177
178

for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
   table.insert(defrules['post-filter'],
		{family='inet6',
		 table='filter',
		 chain=chain,
		 opts='-p icmpv6 -j ACCEPT'})
end