Commit 408d036c authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

support co-existence with other firewall management tools

parent c81d6fc2
......@@ -631,6 +631,17 @@ customized chain, using the **custom:** prefix. It is also possible to
constrain each rule to IPv4 or IPv6 only by defining the **family**
attribute as **inet** or **inet6**, respectively.
## <a name="dedicated">Co-Existence with Other Firewall Management Tools
If awall is used on a host running other software that manipulates
iptables rules, it is recommended to set the
**awall_dedicated_chains** variable to **true**, which will have the
following effects:
* Awall installs its own rules to dedicated chains prefixed with
**awall-**.
* Activation of awall rules leaves any unrelated rule intact.
## Command Line Syntax
### Translating Policy Files to Firewall Configuration Files
......@@ -656,9 +667,15 @@ the Return key within 10 seconds or the `--force` option is used, the
configuration is saved to the files. Otherwise, the old configuration
is restored.
**awall flush**
**awall flush** \[**-a** | **--all**\]
Normally, this command deletes all firewall rules and configures it to
drop all packets.
This command configures the firewall to drop all packets.
If awall is configured to [co-exist with other firewall management
tools](#dedicated), this command flushes only the rules installed by
awall. Specifying `--all` overrides this behavior and causes all rules
to be flushed.
### Optional Policies
......@@ -49,10 +49,15 @@ Run-time activation of new firewall configuration:
configuration is restored.
Flush firewall configuration:
awall flush
awall flush [-a|--all]
This command deletes all firewall rules and configures it to drop
all packets.
Normally, this command deletes all firewall rules and configures
it to drop all packets.
If awall is configured to co-exist with other firewall management
tools, this command flushes only the rules installed by awall.
Specifying --all overrides this behavior and causes all rules to
be flushed.
Enable/disable optional policies:
awall {enable|disable} <policy>...
......@@ -428,7 +433,9 @@ if not call(
end
elseif mode == 'flush' then iptables.flush()
elseif mode == 'flush' then
if all then iptables.flush()
else config:flush() end
else assert(false) end
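Review bot: The non-`--all` branch `else config:flush() end` makes the emergency flush depend on `config` being a successfully built `Config`, whereas the replaced `iptables.flush()` needed no policy at all; how `config` is created is outside this hunk, but if policy loading can fail (or leave `config` nil) before this point, `awall flush` would error out exactly when an operator most needs a lockdown. Consider falling back to the full flush when no configuration is available, e.g. `if all or not config then iptables.flush() else config:flush() end`, with a comment that `--all` is the safe choice on a broken policy set. `all` is also defined outside the hunk; confirm it is a local from option parsing rather than an accidental global. The enclosing if/elseif chain starts before this hunk.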
......@@ -10,7 +10,7 @@ local M = {}
local class = require('awall.class')
local resolve = require('awall.dependency')
local IPSet = require('awall.ipset')
local IPTables = require('awall.iptables').IPTables
local iptables = require('awall.iptables')
local combinations = require('awall.optfrag').combinations
M.PolicySet = require('awall.policy')
......@@ -78,13 +78,19 @@ M.Config = class()
function M.Config:init(policyconfig)
self.objects = policyconfig:expand()
self.iptables = IPTables()
local dedicated = self.objects.variable.awall_dedicated_chains
self.iptables = dedicated and iptables.PartialIPTables() or
iptables.IPTables()
self.prefix = dedicated and 'awall-' or ''
local actions = {}
local function insertrules(trules, obj)
for _, trule in ipairs(trules) do
local t = self.iptables.config[trule.family][trule.table][trule.chain]
local t = self.iptables.config[trule.family][trule.table][
self.prefix..trule.chain
]
local opts = self:ofragcmd(trule)
if trule.target then
......@@ -150,11 +156,17 @@ function M.Config:init(policyconfig)
self.ipset = IPSet(self.objects.ipset)
end
function M.Config:ofragloc(of) return of.family..'/'..of.table..'/'..of.chain end
function M.Config:ofragloc(of)
return of.family..'/'..of.table..'/'..self.prefix..of.chain
end
function M.Config:ofragcmd(of)
return (of.match and of.match..' ' or '')..
(of.target and '-j '..of.target or '')
local target = ''
if of.target then
target = '-j '..(util.startswithupper(of.target) and '' or self.prefix)..
of.target
end
return (of.match and of.match..' ' or '')..target
end
function M.Config:print()
......@@ -178,5 +190,7 @@ function M.Config:activate()
self.iptables:activate()
end
function M.Config:flush() self.iptables:flush() end
return M
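Review bot: `ofragcmd` prefixes a target only when `util.startswithupper(of.target)` is false, while `insertrules` and `ofragloc` prefix the chain name unconditionally, so the two sides disagree for any chain whose name starts with an uppercase letter: it would be created as `awall-Name` but jumped to as `Name`, which the restore would reject. Whether user-supplied `custom:` chains can start with an uppercase letter is not visible here, so at minimum document the assumption, e.g. `-- uppercase-led targets are taken to be built-in iptables targets (ACCEPT, DROP, ...); anything else is an awall chain and gets self.prefix`. The generated output in this commit also shows the already-prefixed `awall-masquerade` chain becoming `awall-awall-masquerade`, which the flush pattern still catches but reads oddly. `util` is not among the requires shown at the top of this section; confirm it is brought into scope earlier in the file.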
......@@ -16,6 +16,7 @@ local sortedkeys = util.sortedkeys
local lpc = require('lpc')
local posix = require('posix')
local stringy = require('stringy')
local M = {}
......@@ -141,6 +142,62 @@ function M.IPTables:dumpfile(family, iptfile)
end
M.PartialIPTables = class(M.IPTables)
function M.PartialIPTables:restorecmd(family, test)
local cmd = {M.PartialIPTables.super(self):restorecmd(family, test)}
table.insert(cmd, '-n')
return table.unpack(cmd)
end
function M.PartialIPTables:dumpfile(family, iptfile)
local tables = self.config[family]
for tbl, chains in pairs(tables) do
local builtins = {}
for chain, _ in pairs(chains) do
if stringy.startswith(chain, 'awall-') then
local base = chain:sub(7, -1)
if M.isbuiltin(tbl, base) then table.insert(builtins, base) end
end
end
for _, chain in ipairs(builtins) do
chains[chain] = {'-j awall-'..chain}
end
end
M.PartialIPTables.super(self):dumpfile(family, iptfile)
end
function M.PartialIPTables:flush()
for _, family in ipairs(actfamilies()) do
local cmd = families[family].cmd
for tbl, _ in pairs(builtin) do
local pid, stdin, stdout = lpc.run(cmd, '-t', tbl, '-S')
stdin:close()
local chains = {}
local rules = {}
for line in stdout:lines() do
if stringy.startswith(line, '-N awall-') then
table.insert(chains, line:sub(4, -1))
else
local chain, target = line:match('^%-A (%u+) %-j (awall%-%u+)$')
if chain then table.insert(rules, {chain, '-j', target}) end
end
end
stdout:close()
assert(lpc.wait(pid) == 0)
local function exec(...)
assert(util.execute(cmd, '-t', tbl, table.unpack{...}) == 0)
end
for _, rule in ipairs(rules) do exec('-D', table.unpack(rule)) end
for _, opt in ipairs{'-F', '-X'} do
for _, chain in ipairs(chains) do exec(opt, chain) end
end
end
end
end
local Current = class(BaseIPTables)
function Current:dumpfile(family, iptfile)
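Review bot: `PartialIPTables:dumpfile` emits the hook as `-A <builtin> -j awall-<builtin>` and `restorecmd` adds `-n`, so the built-in chain is not flushed on restore and the jump is appended after whatever the other tool has installed; awall's rules therefore only see packets the other tool's rules did not already terminate, and each activation appends a further jump unless something deletes the previous one first (not visible in this hunk, though `flush()` does delete every matching jump it finds). The dump still carries policy lines such as `:INPUT DROP [0:0]`, so activation also overwrites the other tool's default policy, and `PartialIPTables:flush` never issues `-P`, meaning that after `awall flush` in dedicated mode the DROP policy stays in force with only the other tool's rules left to accept traffic. Both behaviours deserve a comment on the class, e.g. `-- Co-existence mode: restores with --noflush and hooks built-in chains via appended jumps; built-in policies are still set on activation and are not reverted by flush()`. Consider checking for an existing jump before appending so the hook stays idempotent across repeated activations.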
{
"before": "%defaults",
"variable": { "awall_tproxy_mark": 1 },
"variable": { "awall_dedicated_chains": false, "awall_tproxy_mark": 1 },
"log": { "_default": { "limit": 1 } }
}
{ "variable": { "awall_dedicated_chains": true } }
......@@ -8345,8 +8345,11 @@ Snat 1 {"out":["_fw","B"]}
inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE
Variable awall_tproxy_mark 1
(defaults)
Variable awall_dedicated_chains false
(defaults)
Variable awall_tproxy_mark 1
(defaults)
Zone A {"iface":"eth0"}
......@@ -642,8 +642,11 @@ Snat 1 {"out":["_fw","B"]}
inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE
Variable awall_tproxy_mark 1
(defaults)
Variable awall_dedicated_chains false
(defaults)
Variable awall_tproxy_mark 1
(defaults)
Zone A {"iface":"eth0"}
# ipset awall-masquerade
hash:net family inet
# rules-save generated by awall
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:awall-FORWARD - [0:0]
:awall-INPUT - [0:0]
:awall-OUTPUT - [0:0]
:awall-icmp-routing - [0:0]
:awall-logaccept-0 - [0:0]
:awall-logaccept-1 - [0:0]
:awall-logaccept-2 - [0:0]
:awall-logaccept-3 - [0:0]
:awall-logdrop-0 - [0:0]
:awall-logdrop-1 - [0:0]
:awall-logdrop-2 - [0:0]
:awall-logdrop-3 - [0:0]
:awall-logdrop-4 - [0:0]
:awall-logpass-0 - [0:0]
:awall-logpass-1 - [0:0]
:awall-logpass-2 - [0:0]
:awall-logpass-3 - [0:0]
-A FORWARD -j awall-FORWARD
-A INPUT -j awall-INPUT
-A OUTPUT -j awall-OUTPUT
-A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-FORWARD -j ACCEPT
-A awall-FORWARD -j awall-logdrop-0
-A awall-FORWARD
-A awall-FORWARD -j ACCEPT
-A awall-FORWARD -j DROP
-A awall-FORWARD
-A awall-FORWARD -j awall-logaccept-0
-A awall-FORWARD -j awall-logdrop-1
-A awall-FORWARD -j awall-logpass-0
-A awall-FORWARD -j awall-logaccept-1
-A awall-FORWARD -j awall-logdrop-2
-A awall-FORWARD -j awall-logpass-1
-A awall-FORWARD -j awall-logaccept-2
-A awall-FORWARD -j awall-logdrop-3
-A awall-FORWARD -j awall-logpass-2
-A awall-FORWARD -j ACCEPT
-A awall-FORWARD -j DROP
-A awall-FORWARD
-A awall-FORWARD -j awall-logaccept-3
-A awall-FORWARD -j awall-logdrop-4
-A awall-FORWARD -j awall-logpass-3
-A awall-FORWARD -i eth0 -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth0 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth0 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth0 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth0 -o eth4 -j ACCEPT
-A awall-FORWARD -i eth0 -o eth5 -j ACCEPT
-A awall-FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth0 -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth4 -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth5 -j ACCEPT
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth0 -j ACCEPT
-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth0 -j ACCEPT
-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth4 -j ACCEPT
-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -o eth5 -j ACCEPT
-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth4 -j ACCEPT
-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -o eth5 -j ACCEPT
-A awall-FORWARD -i eth2 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
-A awall-FORWARD -i eth3 -s 10.1.0.0/12 -m policy --dir out --pol ipsec -j ACCEPT
-A awall-FORWARD -i eth4 -o eth0 -j ACCEPT
-A awall-FORWARD -i eth5 -o eth0 -j ACCEPT
-A awall-FORWARD -i eth4 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth5 -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth4 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth4 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth5 -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth5 -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -i eth4 -o eth4 -j ACCEPT
-A awall-FORWARD -i eth4 -o eth5 -j ACCEPT
-A awall-FORWARD -i eth5 -o eth4 -j ACCEPT
-A awall-FORWARD -i eth5 -o eth5 -j ACCEPT
-A awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
-A awall-FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
-A awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
-A awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A awall-FORWARD -m policy --dir in --pol ipsec -o eth2 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -m policy --dir in --pol ipsec -o eth3 -d 10.1.0.0/12 -j ACCEPT
-A awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
-A awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A awall-FORWARD -p icmp -j awall-icmp-routing
-A awall-INPUT -m limit --limit 12/minute -j ULOG
-A awall-INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A awall-INPUT -j TEE --gateway 10.0.0.2
-A awall-INPUT -j TEE --gateway 10.0.0.1
-A awall-INPUT -m limit --limit 1/second -j LOG
-A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-INPUT -i lo -j ACCEPT
-A awall-INPUT -j ACCEPT
-A awall-INPUT -j awall-logdrop-0
-A awall-INPUT
-A awall-INPUT -j ACCEPT
-A awall-INPUT -j DROP
-A awall-INPUT
-A awall-INPUT -j awall-logaccept-0
-A awall-INPUT -j awall-logdrop-1
-A awall-INPUT -j awall-logpass-0
-A awall-INPUT -j awall-logaccept-1
-A awall-INPUT -j awall-logdrop-2
-A awall-INPUT -j awall-logpass-1
-A awall-INPUT -j awall-logaccept-2
-A awall-INPUT -j awall-logdrop-3
-A awall-INPUT -j awall-logpass-2
-A awall-INPUT -j ACCEPT
-A awall-INPUT -j DROP
-A awall-INPUT
-A awall-INPUT -j awall-logaccept-3
-A awall-INPUT -j awall-logdrop-4
-A awall-INPUT -j awall-logpass-3
-A awall-INPUT -i eth0 -j ACCEPT
-A awall-INPUT -j ACCEPT
-A awall-INPUT -p icmp -j awall-icmp-routing
-A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-OUTPUT -o lo -j ACCEPT
-A awall-OUTPUT -j ACCEPT
-A awall-OUTPUT -j awall-logdrop-0
-A awall-OUTPUT
-A awall-OUTPUT -j ACCEPT
-A awall-OUTPUT -j DROP
-A awall-OUTPUT
-A awall-OUTPUT -j awall-logaccept-0
-A awall-OUTPUT -j awall-logdrop-1
-A awall-OUTPUT -j awall-logpass-0
-A awall-OUTPUT -j awall-logaccept-1
-A awall-OUTPUT -j awall-logdrop-2
-A awall-OUTPUT -j awall-logpass-1
-A awall-OUTPUT -j awall-logaccept-2
-A awall-OUTPUT -j awall-logdrop-3
-A awall-OUTPUT -j awall-logpass-2
-A awall-OUTPUT -j ACCEPT
-A awall-OUTPUT -j DROP
-A awall-OUTPUT
-A awall-OUTPUT -j awall-logaccept-3
-A awall-OUTPUT -j awall-logdrop-4
-A awall-OUTPUT -j awall-logpass-3
-A awall-OUTPUT -m limit --limit 12/minute -j ULOG
-A awall-OUTPUT -j ACCEPT
-A awall-OUTPUT -o eth1 -d 10.0.0.0/12 -j ACCEPT
-A awall-OUTPUT -p icmp -j awall-icmp-routing
-A awall-icmp-routing -p icmp --icmp-type 3 -j ACCEPT
-A awall-icmp-routing -p icmp --icmp-type 11 -j ACCEPT
-A awall-icmp-routing -p icmp --icmp-type 12 -j ACCEPT
-A awall-logaccept-0 -m limit --limit 1/second -j LOG
-A awall-logaccept-0 -j ACCEPT
-A awall-logaccept-1 -j LOG
-A awall-logaccept-1 -j ACCEPT
-A awall-logaccept-2 -j TEE --gateway 10.0.0.1
-A awall-logaccept-2 -j TEE --gateway 10.0.0.2
-A awall-logaccept-2 -j ACCEPT
-A awall-logaccept-3 -m limit --limit 12/minute -j ULOG
-A awall-logaccept-3 -j ACCEPT
-A awall-logdrop-0 -m limit --limit 1/second -j LOG
-A awall-logdrop-0 -j DROP
-A awall-logdrop-1 -m limit --limit 1/second -j LOG
-A awall-logdrop-1 -j DROP
-A awall-logdrop-2 -j LOG
-A awall-logdrop-2 -j DROP
-A awall-logdrop-3 -j TEE --gateway 10.0.0.1
-A awall-logdrop-3 -j TEE --gateway 10.0.0.2
-A awall-logdrop-3 -j DROP
-A awall-logdrop-4 -m limit --limit 12/minute -j ULOG
-A awall-logdrop-4 -j DROP
-A awall-logpass-0 -m limit --limit 1/second -j LOG
-A awall-logpass-1 -j LOG
-A awall-logpass-2 -j TEE --gateway 10.0.0.1
-A awall-logpass-2 -j TEE --gateway 10.0.0.2
-A awall-logpass-3 -m limit --limit 12/minute -j ULOG
COMMIT
*mangle
:FORWARD ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:awall-FORWARD - [0:0]
:awall-INPUT - [0:0]
:awall-OUTPUT - [0:0]
:awall-POSTROUTING - [0:0]
:awall-PREROUTING - [0:0]
-A FORWARD -j awall-FORWARD
-A INPUT -j awall-INPUT
-A OUTPUT -j awall-OUTPUT
-A POSTROUTING -j awall-POSTROUTING
-A PREROUTING -j awall-PREROUTING
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth2 -d 10.1.0.0/12 -j MARK --set-mark 2
-A awall-FORWARD -i eth1 -s 10.0.0.0/12 -o eth3 -d 10.1.0.0/12 -j MARK --set-mark 2
-A awall-INPUT -j MARK --set-mark 3
-A awall-OUTPUT -j MARK --set-mark 1
-A awall-POSTROUTING -o eth1 -d 10.0.0.0/12 -j MARK --set-mark 3
-A awall-PREROUTING -i eth0 -j MARK --set-mark 1
COMMIT
*nat
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:awall-INPUT - [0:0]
:awall-OUTPUT - [0:0]
:awall-POSTROUTING - [0:0]
:awall-PREROUTING - [0:0]
:awall-awall-masquerade - [0:0]
-A INPUT -j awall-INPUT
-A OUTPUT -j awall-OUTPUT
-A POSTROUTING -j awall-POSTROUTING
-A PREROUTING -j awall-PREROUTING
-A awall-INPUT -j MASQUERADE
-A awall-OUTPUT -j REDIRECT
-A awall-POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE
-A awall-POSTROUTING -m set --match-set awall-masquerade src -j awall-awall-masquerade
-A awall-PREROUTING -i eth0 -j REDIRECT
-A awall-PREROUTING -i eth1 -s 10.0.0.0/12 -j REDIRECT
-A awall-awall-masquerade -m set ! --match-set awall-masquerade dst -j MASQUERADE
COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:awall-OUTPUT - [0:0]
:awall-PREROUTING - [0:0]
-A OUTPUT -j awall-OUTPUT
-A PREROUTING -j awall-PREROUTING
-A awall-OUTPUT -j CT --notrack
-A awall-PREROUTING -i eth0 -j CT --notrack
-A awall-PREROUTING -i eth1 -s 10.0.0.0/12 -j CT --notrack
-A awall-PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
COMMIT
# rules6-save generated by awall
*filter
:FORWARD DROP [0:0]
:INPUT DROP [0:0]
:OUTPUT DROP [0:0]
:awall-FORWARD - [0:0]
:awall-INPUT - [0:0]
:awall-OUTPUT - [0:0]
:awall-icmp-routing - [0:0]
:awall-logaccept-0 - [0:0]
:awall-logaccept-1 - [0:0]
:awall-logaccept-2 - [0:0]
:awall-logaccept-3 - [0:0]
:awall-logdrop-0 - [0:0]
:awall-logdrop-1 - [0:0]
:awall-logdrop-2 - [0:0]
:awall-logdrop-3 - [0:0]
:awall-logdrop-4 - [0:0]
:awall-logpass-0 - [0:0]
:awall-logpass-1 - [0:0]
:awall-logpass-2 - [0:0]
-A FORWARD -j awall-FORWARD
-A INPUT -j awall-INPUT
-A OUTPUT -j awall-OUTPUT
-A awall-FORWARD -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-FORWARD -j ACCEPT
-A awall-FORWARD -j awall-logdrop-0
-A awall-FORWARD
-A awall-FORWARD -j ACCEPT
-A awall-FORWARD -j DROP
-A awall-FORWARD
-A awall-FORWARD -j awall-logaccept-0
-A awall-FORWARD -j awall-logdrop-1
-A awall-FORWARD -j awall-logpass-0
-A awall-FORWARD -j awall-logaccept-1
-A awall-FORWARD -j awall-logdrop-2
-A awall-FORWARD -j awall-logpass-1
-A awall-FORWARD -j awall-logaccept-2
-A awall-FORWARD -j awall-logdrop-3
-A awall-FORWARD -j awall-logpass-2
-A awall-FORWARD -j ACCEPT
-A awall-FORWARD -j DROP
-A awall-FORWARD
-A awall-FORWARD -j awall-logaccept-3
-A awall-FORWARD -j awall-logdrop-4
-A awall-FORWARD -i eth0 -j ACCEPT
-A awall-FORWARD -o eth1 -d fc00::/7 -j ACCEPT
-A awall-FORWARD -i eth0 -o eth1 -d fc00::/7 -j ACCEPT
-A awall-FORWARD -i eth0 -o eth4 -j ACCEPT
-A awall-FORWARD -i eth0 -o eth5 -j ACCEPT
-A awall-FORWARD -i eth0 -m policy --dir out --pol ipsec -j ACCEPT
-A awall-FORWARD -i eth1 -s fc00::/7 -o eth0 -j ACCEPT
-A awall-FORWARD -i eth1 -s fc00::/7 -o eth4 -j ACCEPT
-A awall-FORWARD -i eth1 -s fc00::/7 -o eth5 -j ACCEPT
-A awall-FORWARD -i eth1 -s fc00::/7 -m policy --dir out --pol ipsec -j ACCEPT
-A awall-FORWARD -i eth4 -o eth0 -j ACCEPT
-A awall-FORWARD -i eth5 -o eth0 -j ACCEPT
-A awall-FORWARD -i eth4 -o eth1 -d fc00::/7 -j ACCEPT
-A awall-FORWARD -i eth5 -o eth1 -d fc00::/7 -j ACCEPT
-A awall-FORWARD -i eth4 -o eth4 -j ACCEPT
-A awall-FORWARD -i eth4 -o eth5 -j ACCEPT
-A awall-FORWARD -i eth5 -o eth4 -j ACCEPT
-A awall-FORWARD -i eth5 -o eth5 -j ACCEPT
-A awall-FORWARD -i eth4 -m policy --dir out --pol ipsec -j ACCEPT
-A awall-FORWARD -i eth5 -m policy --dir out --pol ipsec -j ACCEPT
-A awall-FORWARD -m policy --dir in --pol ipsec -o eth0 -j ACCEPT
-A awall-FORWARD -m policy --dir in --pol ipsec -o eth1 -d fc00::/7 -j ACCEPT
-A awall-FORWARD -m policy --dir in --pol ipsec -o eth4 -j ACCEPT
-A awall-FORWARD -m policy --dir in --pol ipsec -o eth5 -j ACCEPT
-A awall-FORWARD -m policy --dir in --pol ipsec -m policy --dir out --pol ipsec -j ACCEPT
-A awall-FORWARD -p icmpv6 -j awall-icmp-routing
-A awall-INPUT -j NFLOG --nflog-group 1 --nflog-size 128
-A awall-INPUT -j TEE --gateway fc00::2
-A awall-INPUT -m limit --limit 1/second -j LOG
-A awall-INPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-INPUT -i lo -j ACCEPT
-A awall-INPUT -j ACCEPT
-A awall-INPUT -j awall-logdrop-0
-A awall-INPUT
-A awall-INPUT -j ACCEPT
-A awall-INPUT -j DROP
-A awall-INPUT
-A awall-INPUT -j awall-logaccept-0
-A awall-INPUT -j awall-logdrop-1
-A awall-INPUT -j awall-logpass-0
-A awall-INPUT -j awall-logaccept-1
-A awall-INPUT -j awall-logdrop-2
-A awall-INPUT -j awall-logpass-1
-A awall-INPUT -j awall-logaccept-2
-A awall-INPUT -j awall-logdrop-3
-A awall-INPUT -j awall-logpass-2
-A awall-INPUT -j ACCEPT
-A awall-INPUT -j DROP
-A awall-INPUT
-A awall-INPUT -j awall-logaccept-3
-A awall-INPUT -j awall-logdrop-4
-A awall-INPUT -i eth0 -j ACCEPT
-A awall-INPUT -j ACCEPT
-A awall-INPUT -p icmpv6 -j ACCEPT
-A awall-OUTPUT -m conntrack --ctstate ESTABLISHED -j ACCEPT
-A awall-OUTPUT -o lo -j ACCEPT
-A awall-OUTPUT -j ACCEPT
-A awall-OUTPUT -j awall-logdrop-0
-A awall-OUTPUT
-A awall-OUTPUT -j ACCEPT
-A awall-OUTPUT -j DROP
-A awall-OUTPUT
-A awall-OUTPUT -j awall-logaccept-0
-A awall-OUTPUT -j awall-logdrop-1
-A awall-OUTPUT -j awall-logpass-0
-A awall-OUTPUT -j awall-logaccept-1
-A awall-OUTPUT -j awall-logdrop-2
-A awall-OUTPUT -j awall-logpass-1
-A awall-OUTPUT -j awall-logaccept-2
-A awall-OUTPUT -j awall-logdrop-3
-A awall-OUTPUT -j awall-logpass-2
-A awall-OUTPUT -j ACCEPT
-A awall-OUTPUT -j DROP
-A awall-OUTPUT
-A awall-OUTPUT -j awall-logaccept-3
-A awall-OUTPUT -j awall-logdrop-4
-A awall-OUTPUT -j ACCEPT
-A awall-OUTPUT -o eth1 -d fc00::/7 -j ACCEPT
-A awall-OUTPUT -p icmpv6 -j ACCEPT
-A awall-icmp-routing -p icmpv6 --icmpv6-type 1 -j ACCEPT
-A awall-icmp-routing -p icmpv6 --icmpv6-type 2 -j ACCEPT
-A awall-icmp-routing -p icmpv6 --icmpv6-type 3 -j ACCEPT
-A awall-icmp-routing -p icmpv6 --icmpv6-type 4 -j ACCEPT
-A awall-logaccept-0 -m limit --limit 1/second -j LOG
-A awall-logaccept-0 -j ACCEPT
-A awall-logaccept-1 -j LOG
-A awall-logaccept-1 -j TEE --gateway fc00::1
-A awall-logaccept-1 -j ACCEPT
-A awall-logaccept-2 -j TEE --gateway fc00::2
-A awall-logaccept-2 -j ACCEPT
-A awall-logaccept-3 -j ACCEPT
-A awall-logdrop-0 -m limit --limit 1/second -j LOG
-A awall-logdrop-0 -j DROP
-A awall-logdrop-1 -m limit --limit 1/second -j LOG
-A awall-logdrop-1 -j DROP
-A awall-logdrop-2 -j LOG
-A awall-logdrop-2 -j TEE --gateway fc00::1
-A awall-logdrop-2 -j DROP
-A awall-logdrop-3 -j TEE --gateway fc00::2
-A awall-logdrop-3 -j DROP
-A awall-logdrop-4 -j DROP
-A awall-logpass-0 -m limit --limit 1/second -j LOG
-A awall-logpass-1 -j LOG
-A awall-logpass-1 -j TEE --gateway fc00::1
-A awall-logpass-2 -j TEE --gateway fc00::2
COMMIT
*mangle
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:awall-INPUT - [0:0]
:awall-OUTPUT - [0:0]
:awall-POSTROUTING - [0:0]
:awall-PREROUTING - [0:0]
-A INPUT -j awall-INPUT
-A OUTPUT -j awall-OUTPUT
-A POSTROUTING -j awall-POSTROUTING
-A PREROUTING -j awall-PREROUTING
-A awall-INPUT -j MARK --set-mark 3
-A awall-OUTPUT -j MARK --set-mark 1
-A awall-POSTROUTING -o eth1 -d fc00::/7 -j MARK --set-mark 3
-A awall-PREROUTING -i eth0 -j MARK --set-mark 1
COMMIT
*raw
:OUTPUT ACCEPT [0:0]
:PREROUTING ACCEPT [0:0]
:awall-OUTPUT - [0:0]
:awall-PREROUTING - [0:0]
-A OUTPUT -j awall-OUTPUT
-A PREROUTING -j awall-PREROUTING
-A awall-OUTPUT -j CT --notrack
-A awall-PREROUTING -i eth0 -j CT --notrack
-A awall-PREROUTING -i eth1 -s fc00::/7 -j CT --notrack
-A awall-PREROUTING -m addrtype --dst-type LOCAL -j CT --notrack
COMMIT
......@@ -635,8 +635,11 @@ Snat 1 {"out":["_fw","B"]}
inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE
Variable awall_tproxy_mark 1
(defaults)
Variable awall_dedicated_chains false
(defaults)
Variable awall_tproxy_mark 1
(defaults)
Zone A {"iface":"eth0"}
......@@ -59773,8 +59773,11 @@ Snat 1 {"out":["_fw","B"]}
inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE
Variable awall_tproxy_mark 1
(defaults)
Variable awall_dedicated_chains false
(defaults)
Variable awall_tproxy_mark 1
(defaults)
Zone A {"iface":"eth0"}
......@@ -693,8 +693,11 @@ Snat 1 {"out":["_fw","B"]}
inet/nat/POSTROUTING -o eth1 -d 10.0.0.0/12 -j MASQUERADE
Variable awall_tproxy_mark 1
(defaults)
Variable awall_dedicated_chains false
(defaults)
Variable awall_tproxy_mark 1
(defaults)
Zone A {"iface":"eth0"}