Commit 1b3c188b authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

base class for rules applicable to forwarded packets only

parent d86f9e21
......@@ -369,5 +369,27 @@ function Rule:newchain(base)
end
ForwardOnlyRule = class(Rule)
function ForwardOnlyRule:init(...)
Rule.init(self, unpack(arg))
for i, dir in ipairs({'in', 'out'}) do
if util.contains(self[dir], fwzone) then
self:error('Not applicable to the firewall zone')
end
end
end
function ForwardOnlyRule:defaultzones() return {nil} end
function ForwardOnlyRule:checkzoneoptfrag(ofrag)
if ofrag.out then
self:error('Cannot specify outbound interface ('..ofrag.out..')')
end
end
function ForwardOnlyRule:chain() return 'PREROUTING' end
classes = {{'zone', Zone}}
defrules = {}
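Review bot: ForwardOnlyRule:init forwards its arguments through the Lua 5.0 compatibility table `arg` (`Rule.init(self, unpack(arg))`); in 5.1 that table is only populated when the interpreter is built with LUA_COMPAT_VARARG, so `Rule.init(self, ...)` is the portable form and behaves the same wherever `arg` works today. The idiom is copied from the NATRule:init and NoTrackRule:init bodies this commit removes, so it is a consistency point rather than a regression. The zone check in the loop depends on `util` and `fwzone` being in scope in model.lua above the hunk, which cannot be confirmed from here. I would also put an LDoc header above the class line, e.g. `--- Base class for rules that apply to forwarded packets only: rejects the firewall zone on either side, forbids an outbound interface and hooks into PREROUTING.` The `end` on the hunk's first line closes Rule:newchain, whose body starts outside the hunk.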
......@@ -8,33 +8,22 @@ Licensed under the terms of GPL2
module(..., package.seeall)
require 'awall.model'
require 'awall.util'
local model = awall.model
local NATRule = model.class(model.Rule)
function NATRule:init(...)
model.Rule.init(self, unpack(arg))
for i, dir in ipairs({'in', 'out'}) do
if awall.util.contains(self[dir], model.fwzone) then
self:error('NAT rules not allowed for firewall zone')
end
end
end
function NATRule:defaultzones() return {nil} end
local NATRule = model.class(model.ForwardOnlyRule)
function NATRule:checkzoneoptfrag(ofrag)
if ofrag[self.params.forbidif] then
self:error('Cannot specify '..self.params.forbidif..'bound interface for '..self.params.target..' rule')
local iface = ofrag[self.params.forbidif]
if iface then
self:error('Cannot specify '..self.params.forbidif..'bound interface ('..iface..')')
end
end
function NATRule:trules()
local res = {}
for i, ofrags in ipairs(model.Rule.trules(self)) do
for i, ofrags in ipairs(model.ForwardOnlyRule.trules(self)) do
if ofrags.family == 'inet' then table.insert(res, ofrags) end
end
return res
......@@ -45,7 +34,7 @@ function NATRule:table() return 'nat' end
function NATRule:chain() return self.params.chain end
function NATRule:target()
if self.action then return model.Rule.target(self) end
if self.action then return model.ForwardOnlyRule.target(self) end
local target
if self['ip-range'] then
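Review bot: NATRule:checkzoneoptfrag reads `ofrag[self.params.forbidif]`, and if a subclass leaves `params.forbidif` unset the index is `nil`, which reads back as `nil` without an error, so the interface check silently passes instead of failing loudly; a guard such as `local forbidif = assert(self.params.forbidif, 'forbidif not set')` before the lookup would make that misconfiguration visible. This override also replaces rather than extends ForwardOnlyRule:checkzoneoptfrag, so an outbound interface is rejected only when forbidif is `'out'` — presumably intended for NAT, but worth a one-line comment on the override. With the `awall.util.contains` check moved into the base class, the `require 'awall.util'` context line near the top of the hunk looks unused unless the rest of the file still references it.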
......
......@@ -8,36 +8,16 @@ Licensed under the terms of GPL2
module(..., package.seeall)
require 'awall.model'
require 'awall.util'
local model = awall.model
local NoTrackRule = model.class(model.Rule)
function NoTrackRule:init(...)
model.Rule.init(self, unpack(arg))
for i, dir in ipairs({'in', 'out'}) do
if awall.util.contains(self[dir], model.fwzone) then
self:error('Connection tracking bypass rules not allowed for firewall zone')
end
end
end
function NoTrackRule:defaultzones() return {nil} end
function NoTrackRule:checkzoneoptfrag(ofrag)
if ofrag.out then
self:error('Cannot specify outbound interface for connection tracking bypass rule')
end
end
local NoTrackRule = model.class(model.ForwardOnlyRule)
function NoTrackRule:table() return 'raw' end
function NoTrackRule:chain() return 'PREROUTING' end
function NoTrackRule:target()
if self.action then return model.Rule.target(self) end
if self.action then return model.ForwardOnlyRule.target(self) end
return 'NOTRACK'
end
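Review bot: With NoTrackRule:init, :defaultzones, :checkzoneoptfrag and :chain deleted, everything NoTrackRule relies on now comes from ForwardOnlyRule, but the new class line carries no hint of that; I would annotate it, e.g. `-- inherits firewall-zone rejection, outbound-interface rejection and the PREROUTING chain from ForwardOnlyRule`. The rule-specific messages ('Connection tracking bypass rules not allowed for firewall zone', 'Cannot specify outbound interface for connection tracking bypass rule') give way to the base class's generic wording, so unless self:error prefixes the rule type, the user loses the context that told them which kind of rule was rejected. `require 'awall.util'` stays on its context line although its only visible use, `awall.util.contains`, is removed; drop it if nothing further down the file needs it. The `model.ForwardOnlyRule.target(self)` call in NoTrackRule:target presumably resolves through the class() lookup to Rule.target, since ForwardOnlyRule defines no target of its own in this commit.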
......