diff --git a/awall/init.lua b/awall/init.lua
index 05017c0c9b1fe4e96bd19668030ee62e6bc20e09..098af852f3d2fcd216f32ff94ef2d81ee86d8782 100644
--- a/awall/init.lua
+++ b/awall/init.lua
@@ -31,7 +31,10 @@ function loadmodules(path)
classmap[path] = cls
table.insert(procorder, path)
end
- util.extend(defrules, mod.defrules)
+ for phase, rules in pairs(mod.defrules) do
+ if not defrules[phase] then defrules[phase] = {} end
+ util.extend(defrules[phase], rules)
+ end
end
readmetadata(model)
@@ -101,31 +104,37 @@ function Config:init(policyset)
end
- local function insertrule(trule)
- local t = self.iptables.config[trule.family][trule.table][trule.chain]
- if trule.position == 'prepend' then
- table.insert(t, 1, trule.opts)
- else
- table.insert(t, trule.opts)
+ local function insertrules(trules)
+ for i, trule in ipairs(trules) do
+ local t = self.iptables.config[trule.family][trule.table][trule.chain]
+ if trule.position == 'prepend' then
+ table.insert(t, 1, trule.opts)
+ else
+ table.insert(t, trule.opts)
+ end
end
end
- local locations = {}
+ local function insertdefrules(phase)
+ if defrules[phase] then insertrules(defrules[phase]) end
+ end
for i, path in ipairs(procorder) do
if self.input[path] then
util.map(self.input[path], function(obj) return classmap[path].morph(obj, self) end)
- table.insert(locations, self.input[path])
end
end
- for i, rule in ipairs(defrules) do insertrule(rule) end
+ insertdefrules('pre')
- for i, location in ipairs(locations) do
- for i, rule in ipairs(location) do
- for i, trule in ipairs(rule:trules()) do insertrule(trule) end
+ for i, path in ipairs(procorder) do
+ if self.input[path] then
+ for i, rule in ipairs(self.input[path]) do
+ insertrules(rule:trules())
+ end
end
+ insertdefrules('post-'..path)
end
self.ipset = ipset.IPSet.new(self.input.ipset)
diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua
index a2604b014b8ffb5de67ef17d8b53839a15a527e0..5678cdaa726bec5907c95d7b151badc1ae8a9983 100644
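Review bot: `pairs(mod.defrules)` raises a "table expected, got nil" error for any module that defines classes but no `defrules`, whereas the replaced `util.extend(defrules, mod.defrules)` may have tolerated a nil second argument (util.extend is not in the hunk), so this is a possible regression for such modules. Guarding with `for phase, rules in pairs(mod.defrules or {}) do` keeps the old tolerance. The loop also accepts any phase key without checking it, while Config:init only ever reads `'pre'` and `'post-'..path`; a comment on the loop such as `-- phase keys: 'pre' (inserted before rules derived from the input) or 'post-<module path>' (after that module's rules)` would document the contract. The enclosing function loadmodules starts and ends outside the hunk.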
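Review bot: `insertdefrules` silently does nothing when `defrules[phase]` is nil, and loadmodules stores whatever keys a module's `defrules` table carries, so a module using a misspelled phase key has its default rules dropped with no error or log line; for a firewall generator that is the worst failure mode, because a default LOG/DROP rule that never reaches the ruleset is invisible unless someone diffs the generated output. Tracking the phases actually consumed and raising on any leftover key after the per-module loop turns this into a hard failure at generation time, as sketched below. `insertdefrules('post-'..path)` is also emitted for every entry of `procorder` even when `self.input[path]` is absent, which looks intended but deserves a comment such as `-- phase is 'pre' (before all input-derived rules) or 'post-'..path (after that module's rules)`. The unused loop indices `i` in the new loops would conventionally be `_`. Config:init continues outside the hunk on both sides.
```lua
  local used = {}
  local function insertdefrules(phase)
    used[phase] = true
    if defrules[phase] then insertrules(defrules[phase]) end
  end
  -- … unchanged: morph pass, insertdefrules('pre'), per-module loop …
  for phase in pairs(defrules) do
    if not used[phase] then error('unknown default rule phase: '..phase) end
  end
```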
--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -126,11 +126,11 @@ function Policy:servoptfrags()
return nil
end
classes = {{'filter', Filter}, {'policy', Policy}}
-defrules = {}
+defrules = {pre={}}
for i, family in ipairs({'inet', 'inet6'}) do
for i, target in ipairs({'DROP', 'REJECT'}) do
for i, opts in ipairs({'-m limit --limit 1/second -j LOG', '-j '..target}) do
- table.insert(defrules,
+ table.insert(defrules.pre,
{family=family,
table='filter',
chain='LOG'..target,
@@ -139,7 +139,7 @@ for i, family in ipairs({'inet', 'inet6'}) do
end
for i, chain in ipairs({'FORWARD', 'INPUT', 'OUTPUT'}) do
- table.insert(defrules,
+ table.insert(defrules.pre,
{family=family,
table='filter',
chain=chain,
@@ -147,7 +147,7 @@ for i, family in ipairs({'inet', 'inet6'}) do
end
for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
- table.insert(defrules,
+ table.insert(defrules.pre,
{family=family,
table='filter',
chain=chain,
diff --git a/awall/modules/nat.lua b/awall/modules/nat.lua
index 09875f70188e4909356d2ee1d3962478f987f9c0..c88b8c6b9dadf08b96116e3dd630196e7ca70e23 100644
--- a/awall/modules/nat.lua
+++ b/awall/modules/nat.lua
@@ -79,7 +79,7 @@ classes = {{'dnat', DNATRule}, {'snat', SNATRule}}
-- TODO configuration of the ipset via JSON config
-defrules = {{family='inet', table='nat', chain='POSTROUTING',
- opts='-m set --match-set awall-masquerade src -j awall-masquerade'},
- {family='inet', table='nat', chain='awall-masquerade',
- opts='-m set ! --match-set awall-masquerade dst -j MASQUERADE'}}
+defrules = {pre={{family='inet', table='nat', chain='POSTROUTING',
+ opts='-m set --match-set awall-masquerade src -j awall-masquerade'},
+ {family='inet', table='nat', chain='awall-masquerade',
+ opts='-m set ! --match-set awall-masquerade dst -j MASQUERADE'}}}
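Review bot: `defrules = {pre={}}` and the `defrules.pre` inserts (this hunk, the hunks at -139 and -147, and nat.lua's `defrules = {pre={...}}`) encode a string contract with awall/init.lua that nothing in the module files documents: per init.lua the `pre` key is inserted before any rule derived from the input, and a `post-<module path>` key is inserted after that module's rules, while any other key is never read. A one-line comment above the assignment, `-- default rules keyed by insertion phase; 'pre' precedes all input-derived rules (see awall/init.lua)`, would keep the next module author from inventing a key that init.lua ignores. `defrules` is assigned as a bare global here, which is pre-existing and presumably relies on the module loader's environment.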