--[[
Filter module for Alpine Wall
Copyright (C) 2012-2013 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--


module(..., package.seeall)

require 'awall'
require 'awall.host'
require 'awall.model'
require 'awall.object'
require 'awall.optfrag'
require 'awall.util'

local model = awall.model
local combinations = awall.optfrag.combinations
local extend = awall.util.extend


-- Logging configuration object: an entry of the root 'log' section that a
-- filter rule or a limit refers to. Fields read here: limit, mode, prefix.
local Log = awall.object.class()

-- Match options for the logging rule: a per-second rate limit when 'limit'
-- is set, otherwise the (falsy) value of 'limit' itself so callers can omit
-- the opts key.
function Log:matchopts()
   if not self.limit then return self.limit end
   return '-m limit --limit '..self.limit..'/second'
end

-- Target specification for the logging rule: the upper-cased mode name
-- ('LOG' when no mode is configured) followed by --<mode>-prefix when a
-- 'prefix' is set.
-- NOTE(review): prefix is emitted into the rule unquoted; a prefix holding
-- whitespace or quote characters would not survive as a single argument —
-- confirm it is validated where the configuration is loaded.
function Log:target()
   local mode = self.mode or 'log'
   local parts = {string.upper(mode)}
   if self.prefix then
      parts[#parts + 1] = ' --'..mode..'-prefix '..self.prefix
   end
   return table.concat(parts)
end


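-- Filter rule: a model.Rule extended with logging, connection/flow limits,
-- DNAT and no-track handling.
local Filter = model.class(model.Rule)

-- Initialise the rule from its configuration: forward the arguments to
-- model.Rule.init, translate the deprecated 'logdrop'/'logreject' actions,
-- and resolve the 'log' field of the rule and of its limit (if any) to Log
-- objects from the root 'log' section.
-- Unknown log references are reported via self:error.
function Filter:init(...)
   -- Forward the varargs directly; the implicit 'arg' table is a Lua 5.0
   -- compatibility feature that not every Lua 5.1 build provides.
   model.Rule.init(self, ...)

   -- alpine v2.4 compatibility: 'logXXX' actions become 'XXX' with logging
   -- NOTE(review): 'util' is not declared in this file (only awall.util is
   -- required) — confirm it resolves to awall.util at runtime.
   if util.contains({'logdrop', 'logreject'}, self.action) then
      self:warning('Deprecated action: '..self.action)
      self.action = string.sub(self.action, 4, -1)
   end

   -- Resolve a log specification to a Log object:
   --   nil   -> use 'default'
   --   false -> no logging
   --   true  -> the '_default' entry of the root 'log' section
   --   other -> the entry of that name, error if it does not exist
   local function log(spec, default)
      if spec == nil then spec = default end
      if spec == false then return end
      if spec == true then spec = '_default' end
      -- assumes self.root.log exists whenever a log is requested; if the
      -- configuration has no 'log' section this indexes nil and raises a
      -- plain Lua error instead of going through self:error
      return self.root.log[spec] or self:error('Invalid log: '..spec)
   end

   -- Non-accept rules log by default; a limit's own log defaults to on.
   self.log = log(self.log, self.action ~= 'accept')
   local limit = self:limit()
   if limit then self[limit].log = log(self[limit].log, true) end
end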

-- Destination option fragments for the rule. Without 'dnat' these are the
-- inherited Rule fragments unchanged; with 'dnat' the inherited fragments
-- are combined with family='inet6' and a single fragment built from a Zone
-- for the DNAT address is appended.
function Filter:destoptfrags()
   local inherited = model.Rule.destoptfrags(self)
   if not self.dnat then return inherited end

   local result = combinations(inherited, {{family='inet6'}})
   local dnatzone = self:create(model.Zone, {addr=self.dnat})
   local natfrags = dnatzone:optfrags('out')
   -- the DNAT target is a single host (trules rejects networks), so exactly
   -- one fragment is expected
   assert(#natfrags == 1)
   result[#result + 1] = natfrags[1]
   return result
end

-- Translate the filter rule into iptables rules. Besides the base Rule
-- translation this emits, in order: the DNAT rule (when 'dnat' is set), a
-- no-track rule for tarpit/no-track rules, the base rules, and for accepted
-- no-track traffic the reverse-direction no-track and accept rules.
function Filter:trules()
   local rules = {}

   -- Match attributes copied from this rule into every derived rule.
   local shared = {'in', 'out', 'src', 'dest', 'ipset', 'ipsec', 'service'}

   -- Create a rule of class cls carrying this rule's shared attributes, with
   -- the entries of extra overriding them, and append its translation.
   local function add_rules(cls, extra)
      local params = {}
      for _, attr in ipairs(shared) do params[attr] = self[attr] end
      if extra then
         for key, value in pairs(extra) do params[key] = value end
      end
      return extend(rules, self:create(cls, params):trules())
   end

   if self.dnat then
      -- DNAT is only allowed for accepted, tracked traffic with an explicit
      -- destination, and cannot be combined with ipsec/ipset matches.
      if self.action ~= 'accept' then
         self:error('dnat option not allowed with '..self.action..' action')
      end
      if self['no-track'] then
         self:error('dnat option not allowed with no-track')
      end
      if not self.dest then
         self:error('Destination address must be specified with DNAT')
      end
      if string.find(self.dnat, '/', 1, true) then
         self:error('DNAT target cannot be a network address')
      end
      for _, attr in ipairs({'ipsec', 'ipset'}) do
         if self[attr] then
            self:error('dnat and '..attr..' options cannot be used simultaneously')
         end
      end

      -- The DNAT target must resolve to exactly one IPv4 address.
      local target
      for _, addr in ipairs(awall.host.resolve(self.dnat, self)) do
         if addr[1] == 'inet' then
            if target then
               self:error(self.dnat..' resolves to multiple IPv4 addresses')
            end
            target = addr[2]
         end
      end
      if not target then
         self:error(self.dnat..' does not resolve to any IPv4 address')
      end

      -- NOTE(review): 'out=nil' in a table constructor creates no entry, so
      -- params.out of the dnat rule still carries self.out — confirm the
      -- dnat rule class ignores it, or clear it explicitly after the copy.
      add_rules('dnat', {['to-addr']=target, out=nil})
   end

   if self.action == 'tarpit' or self['no-track'] then
      add_rules('no-track')
   end

   extend(rules, model.Rule.trules(self))

   -- Accepted no-track traffic also gets the reverse direction exempted
   -- from tracking and accepted.
   if self['no-track'] and self.action == 'accept' then
      add_rules('no-track', {reverse=true})
      add_rules('filter', {reverse=true, action='accept', log=false})
   end

   return rules
end

-- Name of the limit option set on this rule ('conn-limit' or 'flow-limit'),
-- or nil when neither is set. Setting both is reported via self:error.
function Filter:limit()
   local names = {'conn-limit', 'flow-limit'}
   local found
   for i = 1, #names do
      local name = names[i]
      if self[name] then
         if found then
            self:error('Cannot specify multiple limits for a single filter rule')
         end
         found = name
      end
   end
   return found
end

-- Placement of the rule in its chain: 'prepend' for flow-limited rules,
-- 'append' for everything else.
function Filter:position()
   if self:limit() == 'flow-limit' then return 'prepend' end
   return 'append'
end

-- Target of the rule: the 'limit' chain when a limit is set, the per-action
-- log chain when logging is enabled, otherwise the inherited Rule target.
function Filter:target()
   local limit = self:limit()
   if limit then return self:newchain('limit') end
   if not self.log then return model.Rule.target(self) end
   return self:newchain('log'..self.action)
end

-- Option fragments for the auxiliary chains this rule needs: the 'limit'
-- chain (plus its 'logdrop' chain when the limit logs) and the per-action
-- log chain. Returns an empty table when the rule has neither.
function Filter:extraoptfrags()
   local frags = {}

   -- Fill the 'log<action>' chain: a logging rule, then the final target.
   local function add_logchain(action, log, target)
      local chain = self:newchain('log'..action)
      local entries = {{opts=log:matchopts(), target=log:target()},
                       {target=target}}
      extend(frags, combinations({{chain=chain}}, entries))
   end

   local limit = self:limit()
   if limit then
      if self.action ~= 'accept' then
         self:error('Cannot specify limit for '..self.action..' filter')
      end

      local chain = self:newchain('limit')
      local spec = self[limit]
      local limitlog = spec.log

      -- First rule: drop (logging first if the limit logs) once the hit
      -- count within the interval is exceeded; second rule: record the hit
      -- and hand the packet to the log chain or ACCEPT.
      local overlimit = 'DROP'
      if limitlog then overlimit = self:newchain('logdrop') end
      local passed = 'ACCEPT'
      if self.log then passed = self:newchain('log'..self.action) end

      -- NOTE(review): spec.count and spec.interval are concatenated without
      -- validation; a missing value raises a plain Lua error here rather
      -- than self:error — confirm they are checked when the configuration
      -- is loaded.
      extend(frags,
             combinations({{chain=chain, opts='-m recent --name '..chain}},
                          {{opts='--update --hitcount '..spec.count..
                                 ' --seconds '..spec.interval,
                            target=overlimit},
                           {opts='--set', target=passed}}))

      if limitlog then add_logchain('drop', limitlog, 'DROP') end
   end

   if self.log then
      add_logchain(self.action, self.log, model.Rule.target(self))
   end

   return frags
end



-- Policy rule: a Filter that carries no service match.
local Policy = model.class(Filter)

-- Policies contribute no service option fragments.
function Policy:servoptfrags()
   return nil
end


-- Object classes exported by this module, as {keyword, class} pairs.
classes = {
   {'log', Log},
   {'filter', Filter},
   {'policy', Policy},
}


-- Default rules contributed by this module, keyed by phase.
defrules = {}

-- The three filter-table chains the default rules apply to.
local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}}

-- 'pre' rules: accept related/established traffic on all three chains and
-- all traffic on the loopback interface ('-i lo' on INPUT, '-o lo' on
-- OUTPUT), for both address families.
local accepted = combinations(fchains,
                              {{opts='-m conntrack --ctstate RELATED,ESTABLISHED'}})
local lo_flags = {INPUT='-i', OUTPUT='-o'}
for _, chain in ipairs({'INPUT', 'OUTPUT'}) do
   accepted[#accepted + 1] = {chain=chain, opts=lo_flags[chain]..' lo'}
end
defrules.pre = combinations(accepted,
                            {{table='filter', target='ACCEPT'}},
                            {{family='inet'}, {family='inet6'}})

-- 'post-filter' rules for ICMP. All ICMPv6 is accepted on INPUT and OUTPUT;
-- forwarded ICMPv6 and all IPv4 ICMP are sent to the 'icmp-routing' chain,
-- which accepts only the error message types listed below (type numbers
-- per RFC 792 and RFC 4443).
local icmp = {{family='inet', table='filter', opts='-p icmp'}}
local icmp6 = {{family='inet6', table='filter', opts='-p icmpv6'}}

local postfilter = combinations(icmp6,
                                {{chain='INPUT'}, {chain='OUTPUT'}},
                                {{target='ACCEPT'}})
extend(postfilter,
       combinations(icmp6, {{chain='FORWARD', target='icmp-routing'}}))
extend(postfilter, combinations(icmp, fchains, {{target='icmp-routing'}}))
defrules['post-filter'] = postfilter

-- Accept the given ICMP message types in the 'icmp-routing' chain.
-- ofrag: protocol fragment (icmp or icmp6); oname: iptables type option
-- name; types: list of type numbers.
-- NOTE(review): 'util' is not declared in this file (only awall.util is
-- required) — confirm it resolves to awall.util at runtime.
local function icmprules(ofrag, oname, types)
   local typefrags = util.map(types, function(t)
      return {opts='--'..oname..' '..t}
   end)
   extend(defrules['post-filter'],
          combinations(ofrag,
                       {{chain='icmp-routing', target='ACCEPT'}},
                       typefrags))
end
-- IPv4: destination unreachable (3), time exceeded (11), parameter problem (12)
icmprules(icmp, 'icmp-type', {3, 11, 12})
-- IPv6: destination unreachable (1), packet too big (2), time exceeded (3),
-- parameter problem (4)
icmprules(icmp6, 'icmpv6-type', {1, 2, 3, 4})

-- Auxiliary chain 'tarpit': TCP goes to the TARPIT target, everything else
-- is dropped.
do
   local entries = {{opts='-p tcp', target='TARPIT'}, {target='DROP'}}
   achains = combinations({{chain='tarpit'}}, entries)
end