Limit: split mask attribute

0a9a8db2 · Kaarle Ritvanen · aaececd5 · 0a9a8db2 · 0a9a8db2 · 0a9a8db2
Commit 0a9a8db2 authored Jan 08, 2017 by Kaarle Ritvanen
Hide whitespace changes
Inline Side-by-side

Showing with 49 additions and 30 deletions

README.md README.md +11 -12

awall/model.lua awall/model.lua +36 -16

awall/modules/log.lua awall/modules/log.lua +2 -2

No files found.
--- a/README.md
+++ b/README.md
@@ -209,18 +209,17 @@ default value is 1.
 The maximum rate defined by a limit may be absolute or specific to
 blocks of IP addresses or pairs thereof. The number of most
 significant bits taken into account when mapping the source and
-destination IP addresses to blocks can be specified with the **mask**
-attribute. The **mask** attribute is an object with two attributes
-defining the prefix lengths, named **src** and
-**dest**. Alternatively, the **mask** object may have object
-attributes named **inet** and **inet6** which contain address
-family&ndash;specific prefix length pairs. If **mask** is defined as
-an integer, it is interpreted as the source address prefix length.
-
-The default value for **mask** depends on the type of the enclosing
-object. For [filters](#filter), the default behavior is to apply the
-limit for each source address separately. For [logging classes](#log),
-the limit is considered absolute by default.
+destination IP addresses to blocks can be specified with the
+**src-mask** and **dest-mask** attributes, respectively. If set to
+**true** (boolean), all bits are considered. The value of **false**
+causes the respective address to be ignored. Address
+family&ndash;specific prefix lengths can be set by defining the mask
+as an object with attributes named **inet** and **inet6**.
+
+The default behavior with respect to the masks depends on the type of
+the enclosing object. For [filters](#filter), the default behavior is
+to apply the limit for each source address separately. For [logging
+classes](#log), the limit is considered absolute by default.

 ### <a name="log"></a>Logging Classes


--- a/awall/model.lua
+++ b/awall/model.lua
@@ -690,28 +690,48 @@ function M.Limit:init(...)

   setdefault(self, 'interval', 1)

-   if type(setdefault(self, 'mask', {})) == 'number' then
-      self.mask = {src=self.mask}
+   -- alpine v3.5 compatibility
+   if self.mask then
+      self:warning(
+	 "'mask' attribute is deprecated, please use 'src-mask' and 'dest-mask'"
+      )
+      self['src-mask'] = {}
+      self['dest-mask'] = {}
+      if type(self.mask) == 'number' then self.mask = {src=self.mask} end
+      for _, family in ipairs{'inet', 'inet6'} do
+	 setdefault(self.mask, family, util.copy(self.mask))
+	 for _, attr in ipairs{'src', 'dest'} do
+	    self[attr..'-mask'][family] = self.mask[family][attr] or
+	       ({src=({inet=32, inet6=128})[family], dest=0})[attr]
+	 end
+      end
   end
-   for _, family in ipairs{'inet', 'inet6'} do
-      setdefault(self.mask, family, util.copy(self.mask))
-      for _, attr in ipairs{'src', 'dest'} do
-	 setdefault(
-	    self.mask[family],
-	    attr,
-	    ({src=({inet=32, inet6=128})[family], dest=0})[attr]
-	 )
+
+   setdefault(self, 'src-mask', not self['dest-mask'])
+   setdefault(self, 'dest-mask', false)
+
+   for _, addr in ipairs{'src', 'dest'} do
+      local mask = addr..'-mask'
+      if type(self[mask]) ~= 'table' then
+	 self[mask] = {inet=self[mask], inet6=self[mask]}
+      end
+      for _, family in ipairs{'inet', 'inet6'} do
+	 local value = self[mask][family]
+	 if not value then self[mask][family] = 0
+	 elseif value == true then
+	    self[mask][family] = ({inet=32, inet6=128})[family]
+	 end
      end
   end
 end

 function M.Limit:maskmode(family)
   local res
-   for _, attr in ipairs{'src', 'dest'} do
-      local mask = self.mask[family][attr]
+   for _, addr in ipairs{'src', 'dest'} do
+      local mask = self[addr..'-mask'][family]
      if mask > 0 then
 	 if res then return end
-	 res = {attr, mask}
+	 res = {addr, mask}
      end
   end
   if res then return table.unpack(res) end
@@ -738,10 +758,10 @@ function M.Limit:limitofrags(name)
   for _, family in ipairs{'inet', 'inet6'} do
      local keys = {}
      local maskopts = ''
-      for _, attr in ipairs{'src', 'dest'} do
-	 local mask = self.mask[family][attr]
+      for _, addr in ipairs{'src', 'dest'} do
+	 local mask = self[addr..'-mask'][family]
 	 if mask > 0 then
-	    local opt = ({src='src', dest='dst'})[attr]
+	    local opt = ({src='src', dest='dst'})[addr]
 	    table.insert(keys, opt..'ip')
 	    maskopts = maskopts..' --hashlimit-'..opt..'mask '..mask
 	 end

--- a/awall/modules/log.lua
+++ b/awall/modules/log.lua
 --[[
 Packet logging module for Alpine Wall
-Copyright (C) 2012-2016 Kaarle Ritvanen
+Copyright (C) 2012-2017 Kaarle Ritvanen
 See LICENSE file for license details
 ]]--

@@ -15,7 +15,7 @@ local setdefault = require('awall.util').setdefault
 local LogLimit = class(model.Limit)

 function LogLimit:init(...)
-   setdefault(self, 'mask', 0)
+   setdefault(self, 'src-mask', false)
   LogLimit.super(self):init(...)
 end