alpine / awall
Commit 4ff16c68
authored Jul 17, 2016 by Kaarle Ritvanen
move ipsec attribute from rules to zones
parent 0c5c9c6a
Changes 2
README.md
@@ -127,13 +127,14 @@ of the top-level service dictionary.
A
*zone*
represents a set of network hosts. A top-level attribute
**zone**
is a dictionary that maps zone names to zone objects. A zone
object has an attribute named
**iface**
,
**addr**
, or both.
**iface**
is a list of network interfaces and
**addr**
is a list of IPv4/IPv6
host and network addresses (CIDR notation).
**addr**
may also contain
domain names, which are expanded to IP addresses using DNS
resolution. If not defined,
**addr**
defaults to the entire address
space and
**iface**
to all interfaces. An empty zone can be defined by
setting either
**addr**
or
**iface**
to an empty list.
object has any combination of attributes named
**iface**
,
**addr**
,
and
**ipsec**
.
**iface**
is a list of network interfaces and
**addr**
is a list of IPv4/IPv6 host and network addresses (CIDR notation).
**addr**
may also contain domain names, which are expanded to IP
addresses using DNS resolution. If not defined,
**addr**
defaults to
the entire address space and
**iface**
to all interfaces. An empty
zone can be defined by setting either
**addr**
or
**iface**
to an
empty list.
Rule objects contain two attributes,
**in**
and
**out**
, which are
lists of zone names. These attributes control whether a packet matches
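Review bot: the rewritten zone paragraph lists **ipsec** next to **iface** and **addr** but, unlike those two, never says what kind of value it takes; the **true**/**false** values and their meaning only appear in the later paragraph after **route-back**. State the type where the attribute is introduced, e.g. "**ipsec** is a boolean that restricts the zone to traffic that is (or is not) subject to IPsec processing, as described below", so a reader of the attribute list knows how to set it.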
@@ -164,6 +165,15 @@ where **in** and **out** attributes of a rule are not equal but their
definitions overlap. In this case, the
**route-back**
attribute of the
**out**
zone determines the behavior.
If used, the
**ipsec**
attribute is used to exclude from the zone any
traffic that is or is not subject to IPsec processing. If set to
**true**
in the
**in**
zone, only the packets subject to IPsec
decapsulation are considered originating from the zone. In the
**out**
zone, only the packets subject to IPsec encapsulation will be included
if
**ipsec**
is set to
**true**
. The value of
**false**
would exclude
any traffic requiring IPsec processing towards the respective
direction.
### <a name="limit"></a>Limits
A
*limit*
specifies the maximum rate for a flow of packets or new
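Review bot: "If used, the **ipsec** attribute is used to exclude ..." doubles "used"; "The **ipsec** attribute, when present, excludes from the zone ..." reads better. The paragraph also leaves out the case where the attribute is omitted: the model.lua change only adds the policy match when the attribute is not nil, so an unset **ipsec** means the zone covers traffic regardless of IPsec processing, and saying so explicitly answers the question the **true**/**false** sentences raise.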
@@ -320,14 +330,6 @@ attributes:
order specified by
<strong>
args
</strong>
</td>
</tr>
<tr>
<td><strong>
ipsec
</strong></td>
<td><strong>
in
</strong>
or
<strong>
out
</strong></td>
<td>
IPsec decapsulation perfomed on ingress (
<strong>
in
</strong>
)
or encapsulation performed on egress (
<strong>
out
</strong>
)
</td>
</tr>
</tbody>
</table>
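Review bot: the rule-level **ipsec** row is dropped from the attribute table, yet model.lua keeps accepting the attribute on rules and emits 'ipsec deprecated in rules, define in zones instead'. Consider keeping the row marked as deprecated, or adding a short note with the warning text, so that a user who sees the warning can find in the README what replaced the attribute. Dropping the row also removes the "perfomed" typo, which is fine.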
awall/model.lua
@@ -121,12 +121,23 @@ function M.Zone:optfrags(dir)
end
end
local
popt
if
self
.
ipsec
~=
nil
then
popt
=
{
{
opts
=
'-m policy --dir '
..
dir
..
' --pol '
..
(
self
.
ipsec
and
'ipsec'
or
'none'
)
}
}
end
return
combinations
(
maplist
(
self
.
iface
,
function
(
x
)
return
{[
iprop
]
=
x
,
opts
=
'-'
..
iopt
..
' '
..
x
}
end
),
aopts
aopts
,
popt
)
end
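Review bot: `popt` stays nil when the zone has no **ipsec** attribute and is still passed as the last argument to `combinations(...)`; this is only safe if `combinations` treats a trailing nil like an absent argument (collecting varargs with `{...}` and iterating with `ipairs` drops it, `select('#', ...)` does not). If that is already guaranteed, a comment saying so is enough; otherwise only append `popt` when it is set. A comment on the `-m policy --dir <dir> --pol ipsec|none` fragment would also help, noting that it implements the README's "only IPsec-processed" (**true**) versus "only non-IPsec" (**false**) semantics.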
@@ -174,6 +185,26 @@ function M.Rule:init(...)
)
end
-- alpine v3.4 compatibility
if
self
.
ipsec
then
if
not
contains
({
'in'
,
'out'
},
self
.
ipsec
)
then
self
:
error
(
'Invalid ipsec policy direction'
)
end
self
:
warning
(
'ipsec deprecated in rules, define in zones instead'
)
local
zones
=
self
[
self
.
ipsec
]
if
zones
then
self
[
self
.
ipsec
]
=
maplist
(
zones
,
function
(
z
)
return
self
:
create
(
M
.
Zone
,
{
iface
=
z
.
iface
,
addr
=
z
.
addr
,
ipsec
=
true
}
)
end
)
else
self
[
self
.
ipsec
]
=
{
self
:
create
(
M
.
Zone
,
{
ipsec
=
true
})}
end
self
.
ipsec
=
nil
end
if
self
.
service
then
if
not
self
.
label
and
type
(
self
.
service
)
==
'string'
then
self
.
label
=
self
.
service
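Review bot: the compatibility branch rebuilds each zone in `self[self.ipsec]` from only `z.iface` and `z.addr`, so any other attribute of the original zone, notably **route-back** (which the README says governs the **out** zone's behavior), is silently dropped for rules that used the deprecated attribute. Also, the README defines **in**/**out** as lists of zone names; if at this point in `Rule:init` the list still holds name strings rather than zone objects, `z.iface`/`z.addr` evaluate to nil and the synthesized zone falls back to all interfaces and the whole address space, widening the rule instead of narrowing it. Either make sure the names are resolved before this runs, or copy the resolved zone object and set `ipsec = true` on the copy, and mention in the deprecation warning that only iface/addr are carried over.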
@@ -461,11 +492,6 @@ function M.Rule:trules()
res
=
combinations
(
res
,
ipsetofrags
)
end
if
self
.
ipsec
then
res
=
combinations
(
res
,
{{
opts
=
'-m policy --pol ipsec --dir '
..
self
:
direction
(
self
.
ipsec
)}})
end
res
=
combinations
(
res
,
self
:
servoptfrags
())
setfamilies
(
res
)
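Review bot: removing this block is consistent with `Rule:init` now converting a rule-level **ipsec** into zone objects and clearing `self.ipsec`, which makes the branch unreachable. `self:direction(...)` loses the only call site visible in this diff; check whether it still has callers and remove it in the same commit if not.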
@@ -571,10 +597,7 @@ function M.Rule:extrarules(label, cls, options)
local
params
=
{}
for
_
,
attr
in
ipairs
(
extend
(
{
'in'
,
'out'
,
'src'
,
'dest'
,
'ipset'
,
'ipsec'
,
'service'
},
options
.
attrs
)
extend
({
'in'
,
'out'
,
'src'
,
'dest'
,
'ipset'
,
'service'
},
options
.
attrs
)
)
do
params
[
attr
]
=
(
options
.
src
or
self
)[
attr
]
end
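Review bot: dropping 'ipsec' from the attributes copied into `params` is consistent with `Rule:init` clearing `self.ipsec` after the conversion, so the copied value would always have been nil. A one-line comment that the IPsec policy now travels with the zone objects in **in**/**out**, which are still copied here, would keep `extrarules` callers from reintroducing a rule-level attribute.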