multi-stage processing of default rules

0b156793 · Kaarle Ritvanen · f664311a · 0b156793 · 0b156793 · 0b156793
Commit 0b156793 authored Jun 21, 2012 by Kaarle Ritvanen
Show whitespace changes
Inline Side-by-side

Showing with 30 additions and 21 deletions

awall/init.lua awall/init.lua +22 -13

awall/modules/filter.lua awall/modules/filter.lua +4 -4

awall/modules/nat.lua awall/modules/nat.lua +4 -4

No files found.
--- a/awall/init.lua
+++ b/awall/init.lua
@@ -31,7 +31,10 @@ function loadmodules(path)
 	 classmap[path] = cls
 	 table.insert(procorder, path)
      end
-      util.extend(defrules, mod.defrules)
+      for phase, rules in pairs(mod.defrules) do
+	 if not defrules[phase] then defrules[phase] = {} end
+	 util.extend(defrules[phase], rules)
+      end
   end

   readmetadata(model)
@@ -101,7 +104,8 @@ function Config:init(policyset)
   end


-   local function insertrule(trule)
+   local function insertrules(trules)
+      for i, trule in ipairs(trules) do
 	 local t = self.iptables.config[trule.family][trule.table][trule.chain]
 	 if trule.position == 'prepend' then
 	    table.insert(t, 1, trule.opts)
@@ -109,23 +113,28 @@ function Config:init(policyset)
 	    table.insert(t, trule.opts)
 	 end
      end
+   end

-   local locations = {}
+   local function insertdefrules(phase)
+      if defrules[phase] then insertrules(defrules[phase]) end
+   end

   for i, path in ipairs(procorder) do
      if self.input[path] then
 	 util.map(self.input[path],
 		  function(obj) return classmap[path].morph(obj, self) end)
-	 table.insert(locations, self.input[path])
      end
   end

-   for i, rule in ipairs(defrules) do insertrule(rule) end
+   insertdefrules('pre')

-   for i, location in ipairs(locations) do
-      for i, rule in ipairs(location) do
-	 for i, trule in ipairs(rule:trules()) do insertrule(trule) end
+   for i, path in ipairs(procorder) do
+      if self.input[path] then
+	 for i, rule in ipairs(self.input[path]) do
+	    insertrules(rule:trules())
+	 end
      end
+      insertdefrules('post-'..path)
   end

   self.ipset = ipset.IPSet.new(self.input.ipset)

--- a/awall/modules/filter.lua
+++ b/awall/modules/filter.lua
@@ -126,11 +126,11 @@ function Policy:servoptfrags() return nil end
 classes = {{'filter', Filter},
 	   {'policy', Policy}}

-defrules = {}
+defrules = {pre={}}
 for i, family in ipairs({'inet', 'inet6'}) do
   for i, target in ipairs({'DROP', 'REJECT'}) do
      for i, opts in ipairs({'-m limit --limit 1/second -j LOG', '-j '..target}) do
-	 table.insert(defrules,
+	 table.insert(defrules.pre,
 		      {family=family,
 		       table='filter',
 		       chain='LOG'..target,
@@ -139,7 +139,7 @@ for i, family in ipairs({'inet', 'inet6'}) do
   end

   for i, chain in ipairs({'FORWARD', 'INPUT', 'OUTPUT'}) do
-      table.insert(defrules,
+      table.insert(defrules.pre,
 		   {family=family,
 		    table='filter',
 		    chain=chain,
@@ -147,7 +147,7 @@ for i, family in ipairs({'inet', 'inet6'}) do
   end

   for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
-      table.insert(defrules,
+      table.insert(defrules.pre,
 		   {family=family,
 		    table='filter',
 		    chain=chain,

--- a/awall/modules/nat.lua
+++ b/awall/modules/nat.lua
@@ -79,7 +79,7 @@ classes = {{'dnat', DNATRule},
 	   {'snat', SNATRule}}

 -- TODO configuration of the ipset via JSON config
-defrules = {{family='inet', table='nat', chain='POSTROUTING',
+defrules = {pre={{family='inet', table='nat', chain='POSTROUTING',
 		  opts='-m set --match-set awall-masquerade src -j awall-masquerade'},
 		 {family='inet', table='nat', chain='awall-masquerade',
-	     opts='-m set ! --match-set awall-masquerade dst -j MASQUERADE'}}
+		  opts='-m set ! --match-set awall-masquerade dst -j MASQUERADE'}}}