base class for rules applicable to forwarded packets only

1b3c188b · Kaarle Ritvanen · d86f9e21 · 1b3c188b · 1b3c188b · 1b3c188b
Commit 1b3c188b authored Jul 13, 2012 by Kaarle Ritvanen
Hide whitespace changes
Inline Side-by-side

Showing with 30 additions and 39 deletions

awall/model.lua awall/model.lua +22 -0

awall/modules/nat.lua awall/modules/nat.lua +6 -17

awall/modules/notrack.lua awall/modules/notrack.lua +2 -22

No files found.
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -369,5 +369,27 @@ function Rule:newchain(base)
 end


+ForwardOnlyRule = class(Rule)
+
+function ForwardOnlyRule:init(...)
+   Rule.init(self, unpack(arg))
+   for i, dir in ipairs({'in', 'out'}) do
+      if util.contains(self[dir], fwzone) then
+	 self:error('Not applicable to the firewall zone')
+      end
+   end
+end
+
+function ForwardOnlyRule:defaultzones() return {nil} end
+
+function ForwardOnlyRule:checkzoneoptfrag(ofrag)
+   if ofrag.out then
+      self:error('Cannot specify outbound interface ('..ofrag.out..')')
+   end
+end
+
+function ForwardOnlyRule:chain() return 'PREROUTING' end
+
+
 classes = {{'zone', Zone}}
 defrules = {}
--- a/awall/modules/nat.lua
+++ b/awall/modules/nat.lua
@@ -8,33 +8,22 @@ Licensed under the terms of GPL2
 module(..., package.seeall)

 require 'awall.model'
-require 'awall.util'

 local model = awall.model


-local NATRule = model.class(model.Rule)
-
-function NATRule:init(...)
-   model.Rule.init(self, unpack(arg))
-   for i, dir in ipairs({'in', 'out'}) do
-      if awall.util.contains(self[dir], model.fwzone) then
-	 self:error('NAT rules not allowed for firewall zone')
-      end
-   end
-end
-
-function NATRule:defaultzones() return {nil} end
+local NATRule = model.class(model.ForwardOnlyRule)

 function NATRule:checkzoneoptfrag(ofrag)
-   if ofrag[self.params.forbidif] then
-      self:error('Cannot specify '..self.params.forbidif..'bound interface for '..self.params.target..' rule')
+   local iface = ofrag[self.params.forbidif]
+   if iface then
+      self:error('Cannot specify '..self.params.forbidif..'bound interface ('..iface..')')
   end
 end

 function NATRule:trules()
   local res = {}
-   for i, ofrags in ipairs(model.Rule.trules(self)) do
+   for i, ofrags in ipairs(model.ForwardOnlyRule.trules(self)) do
      if ofrags.family == 'inet' then table.insert(res, ofrags) end
   end
   return res
@@ -45,7 +34,7 @@ function NATRule:table() return 'nat' end
 function NATRule:chain() return self.params.chain end

 function NATRule:target()
-   if self.action then return model.Rule.target(self) end
+   if self.action then return model.ForwardOnlyRule.target(self) end

   local target
   if self['ip-range'] then

--- a/awall/modules/notrack.lua
+++ b/awall/modules/notrack.lua
@@ -8,36 +8,16 @@ Licensed under the terms of GPL2
 module(..., package.seeall)

 require 'awall.model'
-require 'awall.util'

 local model = awall.model


-local NoTrackRule = model.class(model.Rule)
-
-function NoTrackRule:init(...)
-   model.Rule.init(self, unpack(arg))
-   for i, dir in ipairs({'in', 'out'}) do
-      if awall.util.contains(self[dir], model.fwzone) then
-	 self:error('Connection tracking bypass rules not allowed for firewall zone')
-      end
-   end
-end
-
-function NoTrackRule:defaultzones() return {nil} end
-
-function NoTrackRule:checkzoneoptfrag(ofrag)
-   if ofrag.out then
-      self:error('Cannot specify outbound interface for connection tracking bypass rule')
-   end
-end
+local NoTrackRule = model.class(model.ForwardOnlyRule)

 function NoTrackRule:table() return 'raw' end

-function NoTrackRule:chain() return 'PREROUTING' end
-
 function NoTrackRule:target()
-   if self.action then return model.Rule.target(self) end
+   if self.action then return model.ForwardOnlyRule.target(self) end
   return 'NOTRACK'
 end