Commit 0b156793 authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

multi-stage processing of default rules

parent f664311a
......@@ -31,7 +31,10 @@ function loadmodules(path)
classmap[path] = cls
table.insert(procorder, path)
end
util.extend(defrules, mod.defrules)
for phase, rules in pairs(mod.defrules) do
if not defrules[phase] then defrules[phase] = {} end
util.extend(defrules[phase], rules)
end
end
readmetadata(model)
......@@ -101,31 +104,37 @@ function Config:init(policyset)
end
local function insertrule(trule)
local t = self.iptables.config[trule.family][trule.table][trule.chain]
if trule.position == 'prepend' then
table.insert(t, 1, trule.opts)
else
table.insert(t, trule.opts)
local function insertrules(trules)
for i, trule in ipairs(trules) do
local t = self.iptables.config[trule.family][trule.table][trule.chain]
if trule.position == 'prepend' then
table.insert(t, 1, trule.opts)
else
table.insert(t, trule.opts)
end
end
end
local locations = {}
local function insertdefrules(phase)
if defrules[phase] then insertrules(defrules[phase]) end
end
for i, path in ipairs(procorder) do
if self.input[path] then
util.map(self.input[path],
function(obj) return classmap[path].morph(obj, self) end)
table.insert(locations, self.input[path])
end
end
for i, rule in ipairs(defrules) do insertrule(rule) end
insertdefrules('pre')
for i, location in ipairs(locations) do
for i, rule in ipairs(location) do
for i, trule in ipairs(rule:trules()) do insertrule(trule) end
for i, path in ipairs(procorder) do
if self.input[path] then
for i, rule in ipairs(self.input[path]) do
insertrules(rule:trules())
end
end
insertdefrules('post-'..path)
end
self.ipset = ipset.IPSet.new(self.input.ipset)
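Review bot: The phase contract that Config:init now relies on — `'pre'` rules inserted before any user rule, `'post-'..path` rules inserted right after the rules of class `path` — is stated nowhere in the code, so a module author has to read this loop to learn which keys `mod.defrules` may carry; a comment above `insertdefrules`, e.g. `-- default rules run in phases: 'pre' before all user rules, 'post-<class>' right after that class's rules`, would make the contract explicit. The nested `for i, path` / `for i, rule` / `for i, trule` loops all rebind `i` without ever reading it; `_` for the unused index avoids the shadowing. In the loadmodules hunk above, `pairs(mod.defrules)` raises if a module declares no `defrules` at all; if the old `util.extend(defrules, mod.defrules)` tolerated a nil argument this is a regression, and `for phase, rules in pairs(mod.defrules or {}) do` keeps the old leniency. Config:init starts before and continues past this hunk.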
......@@ -126,11 +126,11 @@ function Policy:servoptfrags() return nil end
classes = {{'filter', Filter},
{'policy', Policy}}
defrules = {}
defrules = {pre={}}
for i, family in ipairs({'inet', 'inet6'}) do
for i, target in ipairs({'DROP', 'REJECT'}) do
for i, opts in ipairs({'-m limit --limit 1/second -j LOG', '-j '..target}) do
table.insert(defrules,
table.insert(defrules.pre,
{family=family,
table='filter',
chain='LOG'..target,
......@@ -139,7 +139,7 @@ for i, family in ipairs({'inet', 'inet6'}) do
end
for i, chain in ipairs({'FORWARD', 'INPUT', 'OUTPUT'}) do
table.insert(defrules,
table.insert(defrules.pre,
{family=family,
table='filter',
chain=chain,
......@@ -147,7 +147,7 @@ for i, family in ipairs({'inet', 'inet6'}) do
end
for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
table.insert(defrules,
table.insert(defrules.pre,
{family=family,
table='filter',
chain=chain,
......@@ -79,7 +79,7 @@ classes = {{'dnat', DNATRule},
{'snat', SNATRule}}
-- TODO configuration of the ipset via JSON config
defrules = {{family='inet', table='nat', chain='POSTROUTING',
opts='-m set --match-set awall-masquerade src -j awall-masquerade'},
{family='inet', table='nat', chain='awall-masquerade',
opts='-m set ! --match-set awall-masquerade dst -j MASQUERADE'}}
defrules = {pre={{family='inet', table='nat', chain='POSTROUTING',
opts='-m set --match-set awall-masquerade src -j awall-masquerade'},
{family='inet', table='nat', chain='awall-masquerade',
opts='-m set ! --match-set awall-masquerade dst -j MASQUERADE'}}}
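Review bot: Placing both masquerade rules in the `pre` phase means they are appended to nat POSTROUTING before every user-supplied snat rule, which fixes their precedence relative to user NAT policy; that ordering decision is not visible from this table alone and deserves a line next to the existing TODO, e.g. `-- 'pre' phase: these precede all user-defined nat rules in POSTROUTING`. Whether a `post-snat` phase would be the better fit for the MASQUERADE fallback depends on how the snat class is meant to interact with the ipset, which this hunk does not show.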