--[[
Filter module for Alpine Wall
Copyright (C) 2012 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--


-- Lua 5.1 module header: every global assigned later in this file
-- (classes, defrules, achains) ends up as a field of this module's table,
-- and package.seeall lets the module body still reach the real globals
-- (awall, string, table, ...).
module(..., package.seeall)

require 'awall'
require 'awall.host'
require 'awall.model'
require 'awall.optfrag'
require 'awall.util'

-- Short aliases for the awall helpers this file relies on.
local model, combinations = awall.model, awall.optfrag.combinations

-- Filter rules are derived from the generic model.Rule via model.class;
-- the methods below override or extend its behaviour.
local Filter = model.class(model.Rule)

--- Zones a filter rule applies to by default.
-- A rule carrying a dnat target gets {nil} (which iterates as an empty
-- list) instead of the defaults inherited from model.Rule.
function Filter:defaultzones()
   if self.dnat then return {nil} end
   return model.Rule.defaultzones(self)
end

--- Destination option fragments for this rule.
-- Without dnat the inherited fragments are returned untouched. With dnat
-- they are restricted to the inet6 family and one fragment matching the
-- DNAT target address (obtained through a temporary Zone object) is
-- appended for IPv4.
function Filter:destoptfrags()
   local frags = model.Rule.destoptfrags(self)
   if self.dnat then
      frags = combinations(frags, {{family='inet6'}})
      local zone = self:create(model.Zone, {addr=self.dnat})
      local natfrags = zone:optfrags('out')
      -- The DNAT target is a single host address, so exactly one
      -- fragment is expected back from the zone.
      assert(#natfrags == 1)
      frags[#frags + 1] = natfrags[1]
   end
   return frags
end

--- Translate this filter rule into iptables rules.
-- Auxiliary rules are generated first (a 'dnat' rule when the dnat option
-- is set, a 'no-track' rule for the tarpit action), followed by the rules
-- produced by the generic model.Rule implementation. Configuration
-- problems are reported through self:error.
-- @treturn table list of rule fragments
function Filter:trules()
   local rules = {}

   -- Attributes every auxiliary rule inherits from this rule.
   local inherited = {'in', 'out', 'src', 'dest', 'ipset', 'ipsec', 'service'}

   -- Create a rule of class cls with the inherited attributes, apply the
   -- entries of overrides (if any) on top, and append its translated
   -- rules to the result list.
   local function addrules(cls, overrides)
      local params = {}
      for _, name in ipairs(inherited) do params[name] = self[name] end
      if overrides then
         for key, value in pairs(overrides) do params[key] = value end
      end
      local rule = self:create(cls, params)
      return awall.util.extend(rules, rule:trules())
   end

   if self.dnat then
      -- DNAT is only meaningful for accepted traffic towards one host.
      if self.action ~= 'accept' then
         self:error('dnat option not allowed with '..self.action..' action')
      end
      if not self.dest then
         self:error('Destination address must be specified with DNAT')
      end
      if string.find(self.dnat, '/') then
         self:error('DNAT target cannot be a network address')
      end
      for _, name in ipairs({'ipsec', 'ipset'}) do
         if self[name] then
            self:error('dnat and '..name..' options cannot be used simultaneously')
         end
      end

      -- The DNAT target has to resolve to exactly one IPv4 address.
      local target
      for _, addr in ipairs(awall.host.resolve(self.dnat, self)) do
         if addr[1] == 'inet' then
            if target then
               self:error(self.dnat..' resolves to multiple IPv4 addresses')
            end
            target = addr[2]
         end
      end
      if not target then
         self:error(self.dnat..' does not resolve to any IPv4 address')
      end

      -- NOTE(review): out=nil inside a table constructor stores nothing,
      -- so the dnat rule still inherits 'out' from this rule; if the
      -- intent is to drop it, the field has to be cleared after the copy.
      addrules('dnat', {['ip-range']=target, out=nil})
   end

   if self.action == 'tarpit' then addrules('no-track') end

   awall.util.extend(rules, model.Rule.trules(self))
   return rules
end

--- Name of the limit option set on this rule ('conn-limit' or
-- 'flow-limit'), or nil when neither is present. Giving both is
-- reported as an error.
function Filter:limit()
   local found
   if self['conn-limit'] then found = 'conn-limit' end
   if self['flow-limit'] then
      if found then
         self:error('Cannot specify multiple limits for a single filter rule')
      end
      found = 'flow-limit'
   end
   return found
end

--- Placement of the rule in its chain: flow-limited rules are prepended,
-- every other rule is appended.
function Filter:position()
   if self:limit() == 'flow-limit' then return 'prepend' end
   return 'append'
end

--- Target of the generated rule. Limited rules jump to a dedicated
-- 'limit' chain; all others use the target inherited from model.Rule.
function Filter:target()
   if self:limit() then return self:newchain('limit') end
   return model.Rule.target(self)
end

--- Extra option fragments implementing conn-limit / flow-limit with the
-- iptables 'recent' match: packets exceeding the configured hit count
-- within the interval go to logdrop, the rest are recorded and accepted.
-- Returns an empty list when no limit is set.
function Filter:extraoptfrags()
   local frags = {}
   local limit = self:limit()
   if not limit then return frags end

   if self.action ~= 'accept' then
      self:error('Cannot specify limit for '..self.action..' filter')
   end

   local recent = '-m recent --name '..self:target()
   local spec = self[limit]
   -- NOTE(review): spec.count and spec.interval are spliced into the
   -- option string as-is; confirm the configuration schema restricts
   -- them to numbers before they reach this point.
   frags[1] = {
      chain=self:target(),
      opts=recent..' --update --hitcount '..spec.count..' --seconds '..spec.interval,
      target='logdrop'
   }
   frags[2] = {
      chain=self:target(),
      opts=recent..' --set',
      target='ACCEPT'
   }
   return frags
end



-- Policy rules behave like filter rules but never match on a service:
-- the class inherits everything from Filter and yields no service
-- option fragments.
local Policy = model.class(Filter)

function Policy:servoptfrags()
   return nil
end


-- Rule classes exported by this module, paired with their
-- configuration section names.
classes = {{'filter', Filter},
           {'policy', Policy}}


-- Rules generated regardless of the configuration.
defrules = {}

-- Before the configured rules: accept RELATED/ESTABLISHED traffic on
-- every filter chain plus all loopback traffic ('-i lo' on INPUT,
-- '-o lo' on OUTPUT), for both IPv4 and IPv6.
local always = combinations(
   {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}},
   {{opts='-m state --state RELATED,ESTABLISHED'}}
)
always[#always + 1] = {chain='INPUT', opts='-i lo'}
always[#always + 1] = {chain='OUTPUT', opts='-o lo'}
defrules.pre = combinations(
   combinations(always, {{table='filter', target='ACCEPT'}}),
   {{family='inet'}, {family='inet6'}}
)

-- After the configured filter rules: accept ICMPv6 on INPUT and OUTPUT.
defrules['post-filter'] = combinations(
   {{family='inet6', table='filter', opts='-p icmpv6', target='ACCEPT'}},
   {{chain='INPUT'}, {chain='OUTPUT'}}
)


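-- Auxiliary chains referenced by generated rules: logdrop and logreject
-- log (rate-limited to one entry per second) and then DROP / REJECT;
-- tarpit logs, tarpits TCP and drops everything else.
achains = {}

local limitedlog = {opts='-m limit --limit 1/second', target='LOG'}
-- 'util' is not declared as a local in the visible part of this file, so
-- the extend helper is reached through the required awall.util module,
-- the same way Filter:trules does it.
for _, target in ipairs({'drop', 'reject'}) do
   awall.util.extend(achains,
                     combinations({{chain='log'..target}},
                                  {limitedlog, {target=string.upper(target)}}))
end
awall.util.extend(achains,
                  combinations({{chain='tarpit'}},
                               {limitedlog,
                                {opts='-p tcp', target='TARPIT'},
                                {target='DROP'}}))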