Commit
0b156793
authored
Jun 21, 2012
by
Kaarle Ritvanen
multi-stage processing of default rules
parent
f664311a
Changes
3
Showing
3 changed files
with
30 additions
and
21 deletions
+30
-21
awall/init.lua
awall/init.lua
+22
-13
awall/modules/filter.lua
awall/modules/filter.lua
+4
-4
awall/modules/nat.lua
awall/modules/nat.lua
+4
-4
awall/init.lua
...
...
@@ -31,7 +31,10 @@ function loadmodules(path)
classmap
[
path
]
=
cls
table.insert
(
procorder
,
path
)
end
util
.
extend
(
defrules
,
mod
.
defrules
)
for
phase
,
rules
in
pairs
(
mod
.
defrules
)
do
if
not
defrules
[
phase
]
then
defrules
[
phase
]
=
{}
end
util
.
extend
(
defrules
[
phase
],
rules
)
end
end
readmetadata
(
model
)
...
...
@@ -101,7 +104,8 @@ function Config:init(policyset)
end
local
function
insertrule
(
trule
)
local
function
insertrules
(
trules
)
for
i
,
trule
in
ipairs
(
trules
)
do
local
t
=
self
.
iptables
.
config
[
trule
.
family
][
trule
.
table
][
trule
.
chain
]
if
trule
.
position
==
'prepend'
then
table.insert
(
t
,
1
,
trule
.
opts
)
...
...
@@ -109,23 +113,28 @@ function Config:init(policyset)
table.insert
(
t
,
trule
.
opts
)
end
end
end
local
locations
=
{}
local
function
insertdefrules
(
phase
)
if
defrules
[
phase
]
then
insertrules
(
defrules
[
phase
])
end
end
for
i
,
path
in
ipairs
(
procorder
)
do
if
self
.
input
[
path
]
then
util
.
map
(
self
.
input
[
path
],
function
(
obj
)
return
classmap
[
path
].
morph
(
obj
,
self
)
end
)
table.insert
(
locations
,
self
.
input
[
path
])
end
end
for
i
,
rule
in
ipairs
(
defrules
)
do
insertrule
(
rule
)
end
insertdefrules
(
'pre'
)
for
i
,
location
in
ipairs
(
locations
)
do
for
i
,
rule
in
ipairs
(
location
)
do
for
i
,
trule
in
ipairs
(
rule
:
trules
())
do
insertrule
(
trule
)
end
for
i
,
path
in
ipairs
(
procorder
)
do
if
self
.
input
[
path
]
then
for
i
,
rule
in
ipairs
(
self
.
input
[
path
])
do
insertrules
(
rule
:
trules
())
end
end
insertdefrules
(
'post-'
..
path
)
end
self
.
ipset
=
ipset
.
IPSet
.
new
(
self
.
input
.
ipset
)
...
...
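Review bot: In the loadmodules hunk, `for phase, rules in pairs(mod.defrules) do` raises an error at load time for any module that does not define `defrules`, because `pairs(nil)` is not allowed; whether the replaced `util.extend(defrules, mod.defrules)` tolerated a nil argument cannot be seen on this page, so if modules without default rules exist the loop should read `for phase, rules in pairs(mod.defrules or {}) do`. In the Config:init hunk, `insertdefrules('post-' .. path)` sits outside the `if self.input[path] then` guard, so a module's post-phase default rules are emitted even when the policy set never uses that module; that may well be intended for a firewall safety net, but a comment such as `-- post-phase defaults apply even when no rule of this module was configured` would make the contract explicit. The phase keys 'pre' and 'post-' followed by the module's input key are an implicit contract with the module files and deserve a sentence of documentation at `insertdefrules`. Both loadmodules and Config:init start and end outside the hunks shown.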
awall/modules/filter.lua
...
...
@@ -126,11 +126,11 @@ function Policy:servoptfrags() return nil end
classes
=
{{
'filter'
,
Filter
},
{
'policy'
,
Policy
}}
defrules
=
{}
defrules
=
{
pre
=
{}
}
for
i
,
family
in
ipairs
({
'inet'
,
'inet6'
})
do
for
i
,
target
in
ipairs
({
'DROP'
,
'REJECT'
})
do
for
i
,
opts
in
ipairs
({
'-m limit --limit 1/second -j LOG'
,
'-j '
..
target
})
do
table.insert
(
defrules
,
table.insert
(
defrules
.
pre
,
{
family
=
family
,
table
=
'filter'
,
chain
=
'LOG'
..
target
,
...
...
@@ -139,7 +139,7 @@ for i, family in ipairs({'inet', 'inet6'}) do
end
for
i
,
chain
in
ipairs
({
'FORWARD'
,
'INPUT'
,
'OUTPUT'
})
do
table.insert
(
defrules
,
table.insert
(
defrules
.
pre
,
{
family
=
family
,
table
=
'filter'
,
chain
=
chain
,
...
...
@@ -147,7 +147,7 @@ for i, family in ipairs({'inet', 'inet6'}) do
end
for
i
,
chain
in
ipairs
({
'INPUT'
,
'OUTPUT'
})
do
table.insert
(
defrules
,
table.insert
(
defrules
.
pre
,
{
family
=
family
,
table
=
'filter'
,
chain
=
chain
,
...
...
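Review bot: The new key in `defrules = { pre = {} }` is a phase name that only the init.lua hunk on this page gives meaning to, where, as far as that hunk shows, `insertdefrules('pre')` runs before any user-defined rule is inserted, and nothing in this file says so; a comment above the table, `-- 'pre' default rules are inserted by Config:init ahead of all user-defined rules`, would keep the two files in step. The same applies to the `pre` key introduced in awall/modules/nat.lua. The three `table.insert(defrules.pre, { ... })` calls build entries whose remaining fields continue past each hunk, so they cannot be reviewed here.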
awall/modules/nat.lua
...
...
@@ -79,7 +79,7 @@ classes = {{'dnat', DNATRule},
{
'snat'
,
SNATRule
}}
-- TODO configuration of the ipset via JSON config
defrules
=
{{
family
=
'inet'
,
table
=
'nat'
,
chain
=
'POSTROUTING'
,
defrules
=
{
pre
=
{{
family
=
'inet'
,
table
=
'nat'
,
chain
=
'POSTROUTING'
,
opts
=
'-m set --match-set awall-masquerade src -j awall-masquerade'
},
{
family
=
'inet'
,
table
=
'nat'
,
chain
=
'awall-masquerade'
,
opts
=
'-m set ! --match-set awall-masquerade dst -j MASQUERADE'
}}
opts
=
'-m set ! --match-set awall-masquerade dst -j MASQUERADE'
}}
}