Commit 0b156793 authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

multi-stage processing of default rules

parent f664311a
...@@ -31,7 +31,10 @@ function loadmodules(path) ...@@ -31,7 +31,10 @@ function loadmodules(path)
classmap[path] = cls classmap[path] = cls
table.insert(procorder, path) table.insert(procorder, path)
end end
util.extend(defrules, mod.defrules) for phase, rules in pairs(mod.defrules) do
if not defrules[phase] then defrules[phase] = {} end
util.extend(defrules[phase], rules)
end
end end
readmetadata(model) readmetadata(model)
...@@ -101,31 +104,37 @@ function Config:init(policyset) ...@@ -101,31 +104,37 @@ function Config:init(policyset)
end end
local function insertrule(trule) local function insertrules(trules)
local t = self.iptables.config[trule.family][trule.table][trule.chain] for i, trule in ipairs(trules) do
if trule.position == 'prepend' then local t = self.iptables.config[trule.family][trule.table][trule.chain]
table.insert(t, 1, trule.opts) if trule.position == 'prepend' then
else table.insert(t, 1, trule.opts)
table.insert(t, trule.opts) else
table.insert(t, trule.opts)
end
end end
end end
local locations = {} local function insertdefrules(phase)
if defrules[phase] then insertrules(defrules[phase]) end
end
for i, path in ipairs(procorder) do for i, path in ipairs(procorder) do
if self.input[path] then if self.input[path] then
util.map(self.input[path], util.map(self.input[path],
function(obj) return classmap[path].morph(obj, self) end) function(obj) return classmap[path].morph(obj, self) end)
table.insert(locations, self.input[path])
end end
end end
for i, rule in ipairs(defrules) do insertrule(rule) end insertdefrules('pre')
for i, location in ipairs(locations) do for i, path in ipairs(procorder) do
for i, rule in ipairs(location) do if self.input[path] then
for i, trule in ipairs(rule:trules()) do insertrule(trule) end for i, rule in ipairs(self.input[path]) do
insertrules(rule:trules())
end
end end
insertdefrules('post-'..path)
end end
self.ipset = ipset.IPSet.new(self.input.ipset) self.ipset = ipset.IPSet.new(self.input.ipset)
......
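Review bot: The phase names are free-form string keys, so a module whose `defrules` uses a phase that never equals `'pre'` or `'post-'..path` for some path in procorder is silently never inserted — `insertdefrules` only tests `defrules[phase]` for existence, and nothing in the loadmodules hunk checks the key. In a firewall generator a misspelled phase therefore drops that module's default rules without any error, i.e. the result fails open (the policy and nat modules in the other hunks keep theirs under `pre`, but any future `post-` key is unchecked). After all modules are loaded I would validate the keys, e.g. `for phase in pairs(defrules) do`, `assert(phase == 'pre' or classmap[phase:match('^post%-(.+)$')], 'unknown defrules phase: '..phase)`, `end`. Separately, `pairs(mod.defrules)` in the first hunk raises on a module that defines no `defrules` table; if `util.extend` previously tolerated a nil second argument that is a behaviour change, and `pairs(mod.defrules or {})` keeps it permissive. The bodies of both `loadmodules` and `Config:init` extend beyond the hunks shown.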
...@@ -126,11 +126,11 @@ function Policy:servoptfrags() return nil end ...@@ -126,11 +126,11 @@ function Policy:servoptfrags() return nil end
classes = {{'filter', Filter}, classes = {{'filter', Filter},
{'policy', Policy}} {'policy', Policy}}
defrules = {} defrules = {pre={}}
for i, family in ipairs({'inet', 'inet6'}) do for i, family in ipairs({'inet', 'inet6'}) do
for i, target in ipairs({'DROP', 'REJECT'}) do for i, target in ipairs({'DROP', 'REJECT'}) do
for i, opts in ipairs({'-m limit --limit 1/second -j LOG', '-j '..target}) do for i, opts in ipairs({'-m limit --limit 1/second -j LOG', '-j '..target}) do
table.insert(defrules, table.insert(defrules.pre,
{family=family, {family=family,
table='filter', table='filter',
chain='LOG'..target, chain='LOG'..target,
...@@ -139,7 +139,7 @@ for i, family in ipairs({'inet', 'inet6'}) do ...@@ -139,7 +139,7 @@ for i, family in ipairs({'inet', 'inet6'}) do
end end
for i, chain in ipairs({'FORWARD', 'INPUT', 'OUTPUT'}) do for i, chain in ipairs({'FORWARD', 'INPUT', 'OUTPUT'}) do
table.insert(defrules, table.insert(defrules.pre,
{family=family, {family=family,
table='filter', table='filter',
chain=chain, chain=chain,
...@@ -147,7 +147,7 @@ for i, family in ipairs({'inet', 'inet6'}) do ...@@ -147,7 +147,7 @@ for i, family in ipairs({'inet', 'inet6'}) do
end end
for i, chain in ipairs({'INPUT', 'OUTPUT'}) do for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
table.insert(defrules, table.insert(defrules.pre,
{family=family, {family=family,
table='filter', table='filter',
chain=chain, chain=chain,
......
...@@ -79,7 +79,7 @@ classes = {{'dnat', DNATRule}, ...@@ -79,7 +79,7 @@ classes = {{'dnat', DNATRule},
{'snat', SNATRule}} {'snat', SNATRule}}
-- TODO configuration of the ipset via JSON config -- TODO configuration of the ipset via JSON config
defrules = {{family='inet', table='nat', chain='POSTROUTING', defrules = {pre={{family='inet', table='nat', chain='POSTROUTING',
opts='-m set --match-set awall-masquerade src -j awall-masquerade'}, opts='-m set --match-set awall-masquerade src -j awall-masquerade'},
{family='inet', table='nat', chain='awall-masquerade', {family='inet', table='nat', chain='awall-masquerade',
opts='-m set ! --match-set awall-masquerade dst -j MASQUERADE'}} opts='-m set ! --match-set awall-masquerade dst -j MASQUERADE'}}}