Commit 13773e66 authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

NATRule: allow port translation only for TCP and UDP

parent 32e64f6d
......@@ -217,6 +217,7 @@ function M.Rule:init(...)
self.ipsec = nil
end
local ptrans = self:porttrans()
if self.service then
if not self.label and type(self.service) == 'string' then
self.label = self.service
......@@ -234,12 +235,18 @@ function M.Rule:init(...)
sdef.proto = (
{[1]='icmp', [6]='tcp', [17]='udp', [58]='ipv6-icmp'}
)[sdef.proto] or sdef.proto
if ptrans and not contains({'tcp', 'udp'}, sdef.proto) then
self:error('Invalid protocol for port translation: '..sdef.proto)
end
end
end
end
elseif ptrans then self:error('Service not defined') end
end
function M.Rule:porttrans() return false end
function M.Rule:direction(dir)
if dir == 'in' then return self.reverse and 'out' or 'in' end
if dir == 'out' then return self.reverse and 'in' or 'out' end
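Review bot: The new check `if ptrans and not contains({'tcp', 'udp'}, sdef.proto) then` builds its message with `'..sdef.proto`, so a service definition whose proto is absent would fail with a Lua concatenation error instead of the configuration error that self:error reports; `self:error('Invalid protocol for port translation: '..tostring(sdef.proto))` keeps it a config error, assuming proto can be nil at this point (the normalization on the lines above only maps numbers to names). The `{'tcp', 'udp'}` literal is rebuilt for every service definition; a module-level `local PORT_TRANS_PROTOS = {'tcp', 'udp'}` documents the policy in one place and avoids the allocation. The `elseif ptrans then self:error('Service not defined') end` branch reads well, but the branch it pairs with starts above the first hunk, and M.Rule:init as a whole begins before it.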
......
--[[
Filter module for Alpine Wall
Copyright (C) 2012-2019 Kaarle Ritvanen
Copyright (C) 2012-2020 Kaarle Ritvanen
See LICENSE file for license details
]]--
......@@ -150,14 +150,9 @@ function TranslatingRule:servoptfrags()
ofrags = combinations(ofrags, {{family='inet6'}})
local protos = {}
for _, serv in listpairs(self.service) do
for _, serv in ipairs(self.service) do
for _, sdef in listpairs(serv) do
if sdef.family ~= 'inet6' then
if not contains({'tcp', 'udp'}, sdef.proto) then
self:error('Cannot do port translation for '..sdef.proto)
end
protos[sdef.proto] = true
end
if sdef.family ~= 'inet6' then protos[sdef.proto] = true end
end
end
for proto, _ in pairs(protos) do
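Review bot: `for _, serv in ipairs(self.service) do` replaces listpairs, which presumably also accepts a single non-table value as a one-element list; the init code in model.lua still handles `type(self.service) == 'string'`, so if servoptfrags can ever see an unnormalized service, ipairs raises "table expected" instead of a configuration error. If init guarantees a list by then, a comment such as `-- self.service is normalized to a list by Rule:init` would record the assumption; otherwise keeping listpairs is the safer choice. The inner loop still uses `listpairs(serv)`, so only the outer level lost the tolerant form. TranslatingRule:servoptfrags starts before the hunk and continues past it.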
......
......@@ -25,6 +25,8 @@ function NATRule:init(...)
end
end
function NATRule:porttrans() return self['to-port'] end
function NATRule:trulefilter(rule)
if not contains(self.params.chains, rule.chain) then
self:error(
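Review bot: `function NATRule:porttrans() return self['to-port'] end` returns the raw configured value rather than a boolean, and it is presumably consulted from the base Rule:init through the super call, i.e. before NATRule:init's own checks run; a comment such as `-- truthy when a destination port is configured; read by Rule:init, so it must not depend on state set later in NATRule:init` would make that ordering dependency explicit. NATRule:init ends on the lines just above the new method and its body lies outside the hunk.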
......
--[[
Transparent proxy module for Alpine Wall
Copyright (C) 2012-2019 Kaarle Ritvanen
Copyright (C) 2012-2020 Kaarle Ritvanen
See LICENSE file for license details
]]--
......@@ -11,9 +11,7 @@ local optfrag = require('awall.optfrag')
local combinations = optfrag.combinations
local util = require('awall.util')
local contains = util.contains
local list = util.list
local listpairs = util.listpairs
local TProxyRule = model.class(model.Rule)
......@@ -22,21 +20,14 @@ function TProxyRule:init(...)
TProxyRule.super(self):init(...)
if not self['in'] then self:error('Ingress zone must be specified') end
if contains(list(self['in']), model.fwzone) then
if util.contains(list(self['in']), model.fwzone) then
self:error('Transparent proxy cannot be used for firewall zone')
end
if self.out then self:error('Egress zone cannot be specified') end
if not self.service then self:error('Service must be defined') end
for i, serv in listpairs(self.service) do
for i, sdef in listpairs(serv) do
if not contains({6, 'tcp', 17, 'udp'}, sdef.proto) then
self:error('Transparent proxy not available for protocol '..sdef.proto)
end
end
end
end
function TProxyRule:porttrans() return true end
function TProxyRule:table() return 'mangle' end
function TProxyRule:target()
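Review bot: `if util.contains(list(self['in']), model.fwzone) then` drops the `local contains` alias while nat.lua (`contains(self.params.chains, rule.chain)`) and filter.lua still use it, so the rule modules now spell the same helper two ways; either keep `local contains = util.contains` here or use `util.contains` in all of them. `local list = util.list` is still required by the remaining call, so the first hunk is right to keep it. The removed per-protocol loop is now covered by the base check in Rule:init, which reports "Invalid protocol for port translation" instead of the proxy-specific message; that is fine if the generic wording is intended. TProxyRule:init's signature is the line above the second hunk and its body is inside it.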
......