--[[
Filter module for Alpine Wall
Copyright (C) 2012-2013 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--


-- Lua 5.1-style module: with package.seeall, the non-local assignments made
-- below (export, achains) become fields of the module table that require()
-- returns. module() is deprecated from Lua 5.2 on, so this file targets 5.1.
module(..., package.seeall)

local resolve = require('awall.host').resolve
local model = require('awall.model')
local combinations = require('awall.optfrag').combinations

local util = require('awall.util')
local extend = util.extend

-- Largest hit count expressed with '-m recent --hitcount'; above it
-- Filter:extraoptfrags falls back to '-m limit' rate limiting (presumably
-- because xt_recent keeps only a short per-address packet list).
local RECENT_MAX_COUNT = 20


-- Log specification: filter rules look these up through self.root.log and
-- use them to render the logging match options and target of a rule.
local Log = model.class()

--- Match options that throttle how often this log spec fires.
-- @treturn string|nil '-m limit' options when a limit is configured,
-- otherwise the (falsy) value of self.limit
function Log:matchopts()
   local rate = self.limit
   if not rate then return rate end
   return '-m limit --limit '..rate..'/second'
end

--- Logging target for this spec: the upper-cased mode (default 'log'),
-- followed by the mode's prefix option when a prefix is configured.
-- NOTE(review): prefix is spliced into the rule text unquoted; it comes from
-- the policy files, which are presumably treated as trusted input.
-- @treturn string e.g. 'LOG --log-prefix <prefix>'
function Log:target()
   local mode = self.mode or 'log'
   local target = string.upper(mode)
   if self.prefix then
      target = target..' --'..mode..'-prefix '..self.prefix
   end
   return target
end


-- Filter rule: a model.Rule extended with logging, DNAT, no-track and
-- connection/flow limiting (see the methods below).
local Filter = model.class(model.Rule)

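--- Initialize a filter rule: normalize deprecated actions and resolve the
-- rule's log and limit specifications to Log objects.
-- Errors are reported through self:error (invalid log name, multiple limits).
function Filter:init(...)
   -- Forward the constructor arguments with '...'. The former unpack(arg)
   -- relied on the Lua 5.0 'arg' vararg table, which 5.1 only provides in
   -- compatibility mode and which later versions use for the script's
   -- command-line arguments instead.
   model.Rule.init(self, ...)

   -- alpine v2.4 compatibility: 'logdrop'/'logreject' become 'drop'/'reject';
   -- logging is then enabled by the non-accept default below.
   if util.contains({'logdrop', 'logreject'}, self.action) then
      self:warning('Deprecated action: '..self.action)
      self.action = string.sub(self.action, 4, -1)
   end

   -- Resolve a log specification to a Log object from self.root.log:
   -- nil takes the default, false disables logging, true selects the
   -- '_default' entry, and any other value is looked up by name.
   local function log(spec, default)
      if spec == nil then spec = default end
      if spec == false then return end
      if spec == true then spec = '_default' end
      return self.root.log[spec] or self:error('Invalid log: '..spec)
   end

   -- Rules with a non-accept action are logged unless explicitly disabled.
   self.log = log(self.log, self.action ~= 'accept')

   -- A scalar conn-limit/flow-limit is shorthand for {count=N}; over-limit
   -- drops are logged by default.
   local limit = self:limit()
   if limit then
      if type(self[limit]) ~= 'table' then
         self[limit] = {count=self[limit]}
      end
      self[limit].log = log(self[limit].log, true)
   end
end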

--- Destination option fragments, extended for DNAT rules.
-- Without dnat this is just the base rule's fragments. With dnat the base
-- fragments are restricted to inet6 and a single 'out' fragment for the
-- DNAT address (built from a temporary Zone) is appended for IPv4.
-- @treturn table list of option fragments
function Filter:destoptfrags()
   local ofrags = model.Rule.destoptfrags(self)
   if self.dnat then
      ofrags = combinations(ofrags, {{family='inet6'}})
      local zone = self:create(model.Zone, {addr=self.dnat})
      local natof = zone:optfrags('out')
      -- the DNAT target is a single host, so exactly one fragment is expected
      assert(#natof == 1)
      table.insert(ofrags, natof[1])
   end
   return ofrags
end

--- Translate this filter into the full list of rules it expands to:
-- an optional dnat rule, optional no-track rules, the base filter rules
-- and, for accepted no-track traffic, the reverse-direction rules.
-- Validation failures are reported through self:error.
-- @treturn table list of translated rules
function Filter:trules()
   local res = {}

   -- Selectors copied from this rule into every rule derived from it.
   local INHERITED = {'in', 'out', 'src', 'dest', 'ipset', 'ipsec', 'service'}

   -- Build a rule of class cls from the inherited selectors overridden by
   -- extra, translate it and append the result to res.
   local function extrarules(cls, extra)
      local params = {}
      for _, attr in ipairs(INHERITED) do
         params[attr] = self[attr]
      end
      util.update(params, extra)
      local derived = self:create(cls, params)
      return extend(res, derived:trules())
   end

   if self.dnat then
      -- DNAT is only meaningful for accepted, tracked traffic with an
      -- explicit destination and a single host (not a network) as target.
      if self.action ~= 'accept' then
         self:error('dnat option not allowed with '..self.action..' action')
      end
      if self['no-track'] then
         self:error('dnat option not allowed with no-track')
      end
      if not self.dest then
         self:error('Destination address must be specified with DNAT')
      end
      if string.find(self.dnat, '/') then
         self:error('DNAT target cannot be a network address')
      end
      for _, attr in ipairs({'ipsec', 'ipset'}) do
         if self[attr] then
            self:error('dnat and '..attr..' options cannot be used simultaneously')
         end
      end

      -- The target must resolve to exactly one IPv4 address; resolve() is
      -- assumed to return {family, address} pairs, matching the indexing here.
      local dnataddr
      for _, addr in ipairs(resolve(self.dnat, self)) do
         if addr[1] == 'inet' then
            if dnataddr then
               self:error(self.dnat..' resolves to multiple IPv4 addresses')
            end
            dnataddr = addr[2]
         end
      end
      if not dnataddr then
         self:error(self.dnat..' does not resolve to any IPv4 address')
      end

      -- NOTE(review): out=nil in a table constructor sets no key, so the
      -- derived dnat rule still inherits 'out'; whether dropping it was the
      -- intent cannot be confirmed from this file.
      extrarules('dnat', {['to-addr']=dnataddr, out=nil})
   end

   -- Tarpitted and explicitly untracked traffic bypasses connection tracking.
   if self.action == 'tarpit' or self['no-track'] then
      extrarules('no-track')
   end

   extend(res, model.Rule.trules(self))

   -- Untracked accepted traffic has no conntrack state to match the reply
   -- direction, so the reverse rules are generated explicitly, unlogged.
   if self['no-track'] and self.action == 'accept' then
      extrarules('no-track', {reverse=true})
      extrarules('filter', {reverse=true, action='accept', log=false})
   end

   return res
end

--- Name of the limit option set on this rule.
-- @treturn string|nil 'conn-limit' or 'flow-limit', nil when neither is set;
-- both at once is reported through self:error
function Filter:limit()
   local found
   for _, name in ipairs({'conn-limit', 'flow-limit'}) do
      if self[name] then
         if found then
            self:error('Cannot specify multiple limits for a single filter rule')
         end
         found = name
      end
   end
   return found
end

--- Where the rule goes in its chain: flow-limited rules are prepended,
-- everything else appended.
-- @treturn string 'prepend' or 'append'
function Filter:position()
   if self:limit() == 'flow-limit' then return 'prepend' end
   return 'append'
end

--- Jump target of the rule: a private limit chain when limited, a private
-- log<action> chain when logged, otherwise the base rule's target.
-- @treturn string chain or target name
function Filter:target()
   local limited = self:limit()
   if limited then return self:newchain('limit') end
   if self.log then return self:newchain('log'..self.action) end
   return model.Rule.target(self)
end

--- Option fragments for the auxiliary chains this rule needs: the limit
-- chain (when limited) and the log chains (for the rule's own log and for
-- logged over-limit drops).
-- @treturn table list of option fragments, each carrying its chain name
function Filter:extraoptfrags()
   local res = {}

   -- Two-rule chain log<action>: log with the spec's own match options,
   -- then jump to the final target.
   local function logchain(action, log, target)
      local chain = self:newchain('log'..action)
      local steps = {
         {opts=log:matchopts(), target=log:target()},
         {target=target}
      }
      extend(res, combinations({{chain=chain}}, steps))
   end

   local limit = self:limit()
   if limit then
      if self.action ~= 'accept' then
         self:error('Cannot specify limit for '..self.action..' filter')
      end

      -- NOTE(review): count is assumed numeric here; a limit given as a
      -- table without 'count' would fail at the comparison below.
      local spec = self[limit]
      local limitlog = spec.log
      local count = spec.count
      local interval = spec.interval or 1

      local chain = self:newchain('limit')
      local atgt = self.log and self:newchain('logaccept') or 'ACCEPT'
      local dtgt = limitlog and self:newchain('logdrop') or 'DROP'

      -- Large counts are normalized to a per-second rate first.
      if count > RECENT_MAX_COUNT then
         count = math.ceil(count / interval)
         interval = 1
      end

      local ofrags
      if count > RECENT_MAX_COUNT then
         -- Still above the xt_recent threshold: plain rate limiting, with
         -- everything over the rate dropped.
         ofrags = {
            {opts='-m limit --limit '..count..'/second', target=atgt},
            {target=dtgt}
         }
      else
         -- Per-source accounting: drop once 'count' hits are seen within
         -- 'interval' seconds, otherwise record the hit and accept.
         local drop_when_exceeded = {
            opts='--update --hitcount '..count..' --seconds '..interval,
            target=dtgt
         }
         local record_and_accept = {opts='--set', target=atgt}
         ofrags = combinations(
            {{opts='-m recent --name '..chain}},
            {drop_when_exceeded, record_and_accept}
         )
      end

      extend(res, combinations({{chain=chain}}, ofrags))

      if limitlog then logchain('drop', limitlog, 'DROP') end
   end

   if self.log then logchain(self.action, self.log, model.Rule.target(self)) end

   return res
end



-- Policy: a filter that carries no service match, so it contributes no
-- service option fragments.
local Policy = model.class(Filter)

function Policy:servoptfrags()
   return nil
end


-- Built-in rules placed before user filters: accept replies of tracked
-- connections on every filter chain and all loopback traffic, for both
-- address families.
local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}}

local dar = combinations(
   fchains,
   {{opts='-m conntrack --ctstate RELATED,ESTABLISHED'}}
)
for _, chain in ipairs({'INPUT', 'OUTPUT'}) do
   -- '-i lo' on INPUT, '-o lo' on OUTPUT
   local lo_match = '-'..string.lower(string.sub(chain, 1, 1))..' lo'
   table.insert(dar, {chain=chain, opts=lo_match})
end
dar = combinations(
   dar,
   {{table='filter', target='ACCEPT'}},
   {{family='inet'}, {family='inet6'}}
)

-- Built-in ICMP rules placed after user filters. All ICMPv6 is accepted on
-- INPUT and OUTPUT; forwarded ICMPv6 and every IPv4 ICMP packet go through
-- the icmp-routing chain, which icmprules() below fills with the accepted
-- error types.
local icmp = {{family='inet', table='filter', opts='-p icmp'}}
local icmp6 = {{family='inet6', table='filter', opts='-p icmpv6'}}

local local_chains = {{chain='INPUT'}, {chain='OUTPUT'}}
local routing = {{target='icmp-routing'}}

local ir = combinations(icmp6, local_chains, {{target='ACCEPT'}})
extend(ir, combinations(icmp6, {{chain='FORWARD', target='icmp-routing'}}))
extend(ir, combinations(icmp, fchains, routing))

--- Append to ir an ACCEPT rule in the icmp-routing chain for each ICMP type.
-- @tparam table ofrag protocol fragment (icmp or icmp6)
-- @tparam string oname iptables type option ('icmp-type'/'icmpv6-type')
-- @tparam table types list of numeric ICMP types to accept
local function icmprules(ofrag, oname, types)
   local accept = {{chain='icmp-routing', target='ACCEPT'}}
   local typefrags = util.map(types, function(t)
      return {opts='--'..oname..' '..t}
   end)
   extend(ir, combinations(ofrag, accept, typefrags))
end
-- IPv4 ICMP error types accepted for routing: 3 destination unreachable,
-- 11 time exceeded, 12 parameter problem.
icmprules(icmp, 'icmp-type', {3, 11, 12})
-- ICMPv6 counterparts: 1 destination unreachable, 2 packet too big,
-- 3 time exceeded, 4 parameter problem.
icmprules(icmp6, 'icmpv6-type', {1, 2, 3, 4})

-- Module export table (a module field, see module() above). Each key names a
-- policy section and maps it to its rule class; 'before'/'after' order the
-- sections relative to each other. The '%'-prefixed entries are the built-in
-- rule lists (dar, ir) rather than user-configurable sections.
-- NOTE(review): the consumer of this table is outside this file; the
-- meaning of 'before'/'after' is inferred from the names.
export = {
   filter={class=Filter, before={'dnat', 'no-track'}},
   log={class=Log},
   policy={class=Policy, after='%filter-after'},
   ['%filter-before']={rules=dar, before='filter'},
   ['%filter-after']={rules=ir, after='filter'}
}

-- Auxiliary 'tarpit' chain (a module field, see module() above): TCP
-- packets go to the TARPIT target, everything else is dropped.
achains = combinations({{chain='tarpit'}},
		       {{opts='-p tcp', target='TARPIT'},
			{target='DROP'}})