--[[
Alpine Wall main module
Copyright (C) 2012 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--

-- Lua 5.1 module idiom: this chunk becomes the module table named by `...`
-- (the package name it was required as), and every global assignment below
-- (loadmodules, classmap, PolicySet, Config) becomes a field of that table.
-- package.seeall additionally makes the real globals visible from here.
module(..., package.seeall)

require 'lfs'
require 'stringy'

-- The sub-modules are used further down by their last path segment (model,
-- object, policy, ipset, iptables); presumably they register themselves as
-- fields of this module table, which is the function environment here.
require 'awall.ipset'
require 'awall.iptables'
require 'awall.model'
require 'awall.object'
require 'awall.policy'
require 'awall.util'


-- Filled by loadmodules(); private to this file.
-- procorder: config paths in the order the modules declared them.
-- defrules: phase name -> list of default rule groups (tables or functions).
local procorder
local defrules

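--- Collect class and default-rule metadata from the core model and from
-- every module found in the module directory.
--
-- Fills three tables consumed by Config:init:
--   classmap  - config path -> class; assigned without `local`, so under
--               module(..., package.seeall) it is exported as a module field
--   procorder - config paths in the order the modules declared them
--   defrules  - phase name -> list of rule groups (each a table or a function)
--
-- Every *.lua file below <path or /usr/share/lua/5.1>/awall/modules is
-- executed through require(), i.e. the directory contents run as trusted
-- code: its ownership and permissions matter as much as this file's.
--
-- @tparam ?string path  alternative prefix for the module tree. When given,
--   the working directory is switched there while the modules load
--   (presumably so a relative package.path entry resolves them) and restored
--   afterwards, also when a module fails to load.
-- @raise re-raises any error thrown while scanning or loading a module
function loadmodules(path)
   classmap = {}
   procorder = {}
   defrules = {}

   -- Register one module's classes and default rules. A module that declares
   -- only one of the two (or neither) is accepted instead of raising from
   -- ipairs/pairs on nil.
   local function readmetadata(mod)
      for _, clsdef in ipairs(mod.classes or {}) do
         local cpath, cls = unpack(clsdef)
         classmap[cpath] = cls
         table.insert(procorder, cpath)
      end

      for phase, rules in pairs(mod.defrules or {}) do
         if not defrules[phase] then defrules[phase] = {} end
         table.insert(defrules[phase], rules)
      end
   end

   readmetadata(model)

   local cdir = lfs.currentdir()
   if path then lfs.chdir(path) end

   local moddir = (path or '/usr/share/lua/5.1')..'/awall/modules'

   -- Run the scan under pcall so the working directory is restored even when
   -- a module raises; the original error is then re-raised unchanged.
   local ok, err = pcall(function()
      for modfile in lfs.dir(moddir) do
         if stringy.endswith(modfile, '.lua') then
            -- strip the '.lua' suffix to form the module name
            local name = 'awall.modules.'..string.sub(modfile, 1, -5)
            require(name)
            readmetadata(package.loaded[name])
         end
      end
   end)

   lfs.chdir(cdir)
   if not ok then error(err, 0) end
end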


-- Re-exported so callers can reach the policy set class from this module.
PolicySet = policy.PolicySet


-- The compiled firewall configuration. Instances are created through
-- object.class; presumably its constructor calls Config:init below.
Config = object.class(object.Object)

--- Build the firewall configuration from an expanded policy set.
--
-- The processing order is significant for the resulting rule order:
--   1. every configured object is converted ("morphed") into its class,
--      following procorder as registered by loadmodules
--   2. the 'pre' default rules are inserted
--   3. for each path in procorder, the objects' own rules are inserted,
--      followed by the 'post-<path>' default rules
--   4. the ipset section is morphed and the IPSet object built from it
--
-- @tparam table policyconfig  object providing :expand() and a `source`
--   table mapping path -> key -> origin description used in messages
function Config:init(policyconfig)

   self.input = policyconfig:expand()
   self.iptables = iptables.IPTables.new()

   -- Replace every object under `path` with cls.morph(obj, config, tag);
   -- the tag names the object and its origin for diagnostics. Overwriting
   -- existing keys while iterating with pairs() is permitted.
   local function morph(path, cls)
      local section = self.input[path]
      if not section then return end
      for key, obj in pairs(section) do
         local tag = path..' '..key..' ('..policyconfig.source[path][key]..')'
         section[key] = cls.morph(obj, self, tag)
      end
   end

   -- Append each translated rule's option list to the chain list selected
   -- by family/table/chain, or prepend it when position == 'prepend'.
   -- NOTE(review): several 'prepend' rules within one list end up in
   -- reverse order relative to each other; confirm that is intended.
   local function insertrules(trules)
      for _, trule in ipairs(trules) do
         local chain = self.iptables.config[trule.family][trule.table][trule.chain]
         local pos = trule.position == 'prepend' and 1 or #chain + 1
         table.insert(chain, pos, trule.opts)
      end
   end

   -- Insert the default-rule groups registered for `phase`. A group is
   -- either a ready-made list of trules or a function producing one from
   -- the expanded input.
   local function insertdefrules(phase)
      for _, group in ipairs(defrules[phase] or {}) do
         local trules = group
         if type(group) == 'function' then trules = group(self.input) end
         insertrules(trules)
      end
   end

   for _, path in ipairs(procorder) do morph(path, classmap[path]) end

   insertdefrules('pre')

   for _, path in ipairs(procorder) do
      local objs = self.input[path]
      if objs then
         for _, obj in ipairs(objs) do insertrules(obj:trules()) end
      end
      insertdefrules('post-'..path)
   end

   -- ipset is not a registered class: it is morphed as a generic
   -- ConfigObject and then wrapped in the IPSet used by dump/test/activate.
   morph('ipset', awall.model.ConfigObject)
   self.ipset = ipset.IPSet.new(self.input.ipset)
end

--- Write the ipset definitions and then the iptables rules to stdout,
-- separated by one empty line.
function Config:print()
   local sets, rules = self.ipset, self.iptables
   sets:print()
   print()
   rules:print()
end

--- Write the ipset definitions and the iptables rules to disk.
-- Without arguments the system-wide locations under /etc are written, so
-- the caller needs the corresponding privileges.
-- @tparam ?string iptdir   directory for the iptables files
--   (default '/etc/iptables')
-- @tparam ?string ipsfile  file for the ipset definitions
--   (default '/etc/ipset.d/awall')
function Config:dump(iptdir, ipsfile)
   local ipset_target = ipsfile or '/etc/ipset.d/awall'
   local iptables_target = iptdir or '/etc/iptables'
   self.ipset:dump(ipset_target)
   self.iptables:dump(iptables_target)
end

--- Test the generated configuration.
-- Not side-effect free: the ipsets are created first (presumably because the
-- iptables test needs the referenced sets to exist), and they are not removed
-- afterwards.
function Config:test()
   local sets, rules = self.ipset, self.iptables
   sets:create()
   rules:test()
end

--- Run the configuration test and, if it does not raise, activate the
-- iptables rules. Activation is skipped whenever test() errors out.
function Config:activate()
   self:test()
   local rules = self.iptables
   rules:activate()
end