--[[
Filter module for Alpine Wall
Copyright (C) 2012 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--


-- Lua 5.1 module idiom: the chunk's environment becomes the module table
-- (presumably 'awall.filter', named after this file), so the bare
-- assignments further down ('classes', 'defrules') are module exports rather
-- than globals; package.seeall makes every global visible from inside.
module(..., package.seeall)

require 'awall'
require 'awall.host'
require 'awall.model'
require 'awall.optfrag'
require 'awall.util'

local model = awall.model

-- Filter is a subclass of the generic Rule; the methods below override or
-- extend Rule's hooks (defaultzones, destoptfrags, trules, target, ...).
-- Policy, defined near the end of this file, derives from Filter in turn.
local Filter = model.class(model.Rule)

-- Zones this filter applies to when the configuration names none.
-- A DNAT filter does not inherit Rule's default zones; it returns `{nil}`
-- (a placeholder for one unspecified zone). Note that under `#`, ipairs and
-- pairs `{nil}` is indistinguishable from an empty list -- whether the
-- caller relies on that is not visible from this file.
function Filter:defaultzones()
   if self.dnat then
      return {nil}
   end
   return model.Rule.defaultzones(self)
end

-- Destination option fragments for this filter.
-- Without 'dnat' this is exactly what Rule produces. With 'dnat' the
-- inherited fragments are combined with {family='inet6'} (presumably
-- restricting them to IPv6, since IPv4 traffic is matched on the translated
-- address instead) and one extra fragment is appended: the 'out' side of a
-- Zone built from the DNAT target address. That Zone must yield exactly one
-- fragment -- the target is a single host, see the '/' check in trules() --
-- so a different count is treated as an internal invariant violation.
function Filter:destoptfrags()
   local frags = model.Rule.destoptfrags(self)
   if not self.dnat then
      return frags
   end

   local v6frags = awall.optfrag.combinations(frags, {{family='inet6'}})
   local natzone = self:create(model.Zone, {addr=self.dnat})
   local natfrags = natzone:optfrags('out')
   assert(#natfrags == 1)
   v6frags[#v6frags + 1] = natfrags[1]
   return v6frags
end

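-- Generate the iptables rules for this filter.
-- For a plain filter this is just Rule.trules(self). When the 'dnat' option
-- is set, the option is validated, the target is resolved to exactly one
-- IPv4 address, and a DNAT rule built by the NAT module's class is emitted
-- ahead of the filter's own rules.
-- Returns a list of rule tables.
-- Reports (via self:error, which is assumed to raise -- it is not visible
-- here, and every check below relies on it not returning) when: 'dest' is
-- missing, the target is a network (contains '/'), 'ipsec' or 'ipset' is
-- combined with 'dnat', the NAT module is not loaded, or the target does
-- not resolve to exactly one IPv4 address.
function Filter:trules()
   local res = {}

   if self.dnat then
      if not self.dest then
	 self:error('Destination address must be specified with DNAT')
      end
      -- plain (non-pattern) search: the target must be a single host
      if string.find(self.dnat, '/', 1, true) then
	 self:error('DNAT target cannot be a network address')
      end
      for _, attr in ipairs({'ipsec', 'ipset'}) do
	 if self[attr] then
	    self:error('dnat and '..attr..' options cannot be used simultaneously')
	 end
      end
      -- Checked before resolving the target: resolution may involve a name
      -- lookup, which is pointless if the result cannot be used anyway.
      if not awall.classmap.dnat then self:error('NAT module not installed') end

      -- awall.host.resolve yields {family, address} pairs. The target may be
      -- a host name; it is resolved now, at rule-generation time, and the
      -- resulting IPv4 address is baked into the rule set. A name that maps
      -- to several IPv4 addresses is rejected rather than silently picking
      -- one.
      -- NOTE(review): if the name is resolved through DNS, the forwarding
      -- target of this rule is only as trustworthy as that lookup; prefer a
      -- literal address or a locally controlled name for DNAT targets.
      local dnataddr
      for _, addr in ipairs(awall.host.resolve(self.dnat, self)) do
	 if addr[1] == 'inet' then
	    if dnataddr then
	       self:error(self.dnat..' resolves to multiple IPv4 addresses')
	    end
	    dnataddr = addr[2]
	 end
      end
      if not dnataddr then
	 self:error(self.dnat..' does not resolve to any IPv4 address')
      end

      -- The DNAT rule reuses the filter's own matching criteria ('in', 'src',
      -- 'dest', 'service'); the resolved address is its translation target.
      local dnat = {['ip-range']=dnataddr}
      for _, attr in ipairs({'in', 'src', 'dest', 'service'}) do
	 dnat[attr] = self[attr]
      end
      awall.util.extend(res, self:create(awall.classmap.dnat, dnat):trules())
   end

   awall.util.extend(res, model.Rule.trules(self))

   return res
end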

-- Which rate-limit option this filter carries, if any.
-- Returns 'conn-limit' or 'flow-limit' (the option name, not its value), or
-- nil when neither is set. Setting both is a configuration error, reported
-- through self:error.
function Filter:limit()
   local conn, flow = self['conn-limit'], self['flow-limit']
   if conn and flow then
      self:error('Cannot specify multiple limits for a single filter rule')
   end
   if flow then return 'flow-limit' end
   if conn then return 'conn-limit' end
   return nil
end

-- Where this filter's rules go in their chain: flow-limited filters are
-- prepended (so they are evaluated before everything else), all others are
-- appended.
function Filter:position()
   if self:limit() == 'flow-limit' then
      return 'prepend'
   end
   return 'append'
end

-- Jump target for this filter's rules.
-- Unlimited filters use Rule's target. A limited filter jumps to a dedicated
-- chain (created once via self:newchain('limit') and cached in
-- self['limit-target'], so repeated calls -- e.g. from extraoptfrags() --
-- all refer to the same chain).
function Filter:target()
   if not self:limit() then
      return model.Rule.target(self)
   end
   local chain = self['limit-target']
   if not chain then
      chain = self:newchain('limit')
      self['limit-target'] = chain
   end
   return chain
end

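-- Extra option fragments implementing the rate limit, if the filter has one.
-- Returns a list of {chain=, opts=} tables, empty for unlimited filters.
-- The limit chain (self:target()) gets two rules, in this order:
--   1. '-m recent --update --hitcount N --seconds S -j LOGDROP': a source
--      that has been seen N times within S seconds is logged and dropped
--      (LOGDROP is one of the chains set up in defrules below);
--   2. '-m recent --set -j ACCEPT': otherwise record the hit and accept.
-- NOTE(review): xt_recent caps --hitcount at its ip_pkt_list_tot module
-- parameter (20 on stock kernels); a larger count makes the generated rule
-- set fail to load rather than limit at that count.
-- Errors (via self:error) when the action is not 'accept', or when the
-- limit option lacks a numeric 'count' or 'interval' -- previously such a
-- config crashed with a raw Lua error, or spliced the bad value straight
-- into the iptables options.
function Filter:extraoptfrags()
   local res = {}
   local limit = self:limit()
   if limit then
      if self.action ~= 'accept' then
	 -- tostring(): a nil action must not turn into a concatenation error
	 self:error('Cannot specify limit for '..tostring(self.action)..' filter')
      end

      -- Validate the limit spec before it is embedded into iptables options.
      local spec = self[limit]
      local count = type(spec) == 'table' and tonumber(spec.count)
      local interval = type(spec) == 'table' and tonumber(spec.interval)
      if not count or not interval then
	 self:error(limit..' requires numeric count and interval')
      end

      local chain = self:target()
      local optbase = '-m recent --name '..chain
      table.insert(res, {chain=chain,
			 opts=optbase..' --update --hitcount '..count..' --seconds '..interval..' -j LOGDROP'})
      table.insert(res, {chain=chain,
			 opts=optbase..' --set -j ACCEPT'})
   end
   return res
end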



-- Policy: a Filter that never contributes service option fragments, i.e. it
-- matches regardless of service. Everything else is inherited from Filter.
local Policy = model.class(Filter)

Policy.servoptfrags = function(self) return nil end


-- Module export: the configuration section names this module handles and
-- the class that implements each of them, in declaration order.
classes = {}
classes[#classes + 1] = {'filter', Filter}
classes[#classes + 1] = {'policy', Policy}

-- Module export: rules installed regardless of configuration, keyed by the
-- phase they belong to ('pre' runs before, 'post-filter' after the
-- configured filter rules -- the exact ordering is applied elsewhere).
defrules = {pre={}, ['post-filter']={}}

-- Queue one filter-table rule for the given phase, address family and chain.
local function add_rule(phase, family, chain, opts)
   table.insert(defrules[phase],
		{family=family,
		 table='filter',
		 chain=chain,
		 opts=opts})
end

for _, family in ipairs({'inet', 'inet6'}) do
   -- LOGDROP / LOGREJECT: log at most one packet per second (iptables'
   -- default burst of 5 applies), then apply the verdict. These chains are
   -- the targets used by the rate-limit rules in Filter:extraoptfrags().
   for _, verdict in ipairs({'DROP', 'REJECT'}) do
      local chain = 'LOG'..verdict
      add_rule('pre', family, chain, '-m limit --limit 1/second -j LOG')
      add_rule('pre', family, chain, '-j '..verdict)
   end

   -- Let replies and related traffic through before any configured rule.
   -- NOTE(review): '-m state' is the legacy spelling of '-m conntrack
   -- --ctstate'; it still works, but newer iptables prefer the latter.
   for _, chain in ipairs({'FORWARD', 'INPUT', 'OUTPUT'}) do
      add_rule('pre', family, chain,
	       '-m state --state RELATED,ESTABLISHED -j ACCEPT')
   end

   -- Loopback is always allowed: '-i lo' on INPUT, '-o lo' on OUTPUT.
   add_rule('pre', family, 'INPUT', '-i lo -j ACCEPT')
   add_rule('pre', family, 'OUTPUT', '-o lo -j ACCEPT')
end

-- IPv6 depends on ICMPv6 (neighbour discovery, PMTU); accept it on the host
-- chains after the configured filters.
-- NOTE(review): this accepts every ICMPv6 type, unrated, on INPUT and
-- OUTPUT. RFC 4890 recommends allowing only the types a host needs and
-- filtering e.g. redirects; tightening this is a hardening opportunity,
-- not a change made here.
for _, chain in ipairs({'INPUT', 'OUTPUT'}) do
   add_rule('post-filter', 'inet6', chain, '-p icmpv6 -j ACCEPT')
end