move ipsec attribute from rules to zones

4ff16c68 · Kaarle Ritvanen · 0c5c9c6a · 4ff16c68 · 4ff16c68
Commit 4ff16c68 authored Jul 17, 2016 by Kaarle Ritvanen
Hide whitespace changes
Inline Side-by-side

Showing with 50 additions and 25 deletions

README.md README.md +17 -15

awall/model.lua awall/model.lua +33 -10

No files found.
--- a/README.md
+++ b/README.md
@@ -127,13 +127,14 @@ of the top-level service dictionary.

 A *zone* represents a set of network hosts. A top-level attribute
 **zone** is a dictionary that maps zone names to zone objects. A zone
-object has an attribute named **iface**, **addr**, or both. **iface**
-is a list of network interfaces and **addr** is a list of IPv4/IPv6
-host and network addresses (CIDR notation). **addr** may also contain
-domain names, which are expanded to IP addresses using DNS
-resolution. If not defined, **addr** defaults to the entire address
-space and **iface** to all interfaces. An empty zone can be defined by
-setting either **addr** or **iface** to an empty list.
+object has any combination of attributes named **iface**, **addr**,
+and **ipsec**. **iface** is a list of network interfaces and **addr**
+is a list of IPv4/IPv6 host and network addresses (CIDR notation).
+**addr** may also contain domain names, which are expanded to IP
+addresses using DNS resolution. If not defined, **addr** defaults to
+the entire address space and **iface** to all interfaces. An empty
+zone can be defined by setting either **addr** or **iface** to an
+empty list.

 Rule objects contain two attributes, **in** and **out**, which are
 lists of zone names. These attributes control whether a packet matches
@@ -164,6 +165,15 @@ where **in** and **out** attributes of a rule are not equal but their
 definitions overlap. In this case, the **route-back** attribute of the
 **out** zone determines the behavior.

+If used, the **ipsec** attribute is used to exclude from the zone any
+traffic that is or is not subject to IPsec processing. If set to
+**true** in the **in** zone, only the packets subject to IPsec
+decapsulation are considered originating from the zone. In the **out**
+zone, only the packets subject to IPsec encapsulation will be included
+if **ipsec** is set to **true**. The value of **false** would exclude
+any traffic requiring IPsec processing towards the respective
+direction.
+
 ### <a name="limit"></a>Limits

 A *limit* specifies the maximum rate for a flow of packets or new
@@ -320,14 +330,6 @@ attributes:
        order specified by <strong>args</strong>
      </td>
    </tr>
-    <tr>
-      <td><strong>ipsec</strong></td>
-      <td><strong>in</strong> or <strong>out</strong></td>
-      <td>
-        IPsec decapsulation perfomed on ingress (<strong>in</strong>)
-        or encapsulation performed on egress (<strong>out</strong>)
-      </td>
-    </tr>
  </tbody>
 </table>


--- a/awall/model.lua
+++ b/awall/model.lua
@@ -121,12 +121,23 @@ function M.Zone:optfrags(dir)
      end
   end

+   local popt
+   if self.ipsec ~= nil then
+      popt = {
+	 {
+	    opts='-m policy --dir '..dir..' --pol '..
+	       (self.ipsec and 'ipsec' or 'none')
+	 }
+      }
+   end
+
   return combinations(
      maplist(
 	 self.iface,
 	 function(x) return {[iprop]=x, opts='-'..iopt..' '..x} end
      ),
-      aopts
+      aopts,
+      popt
   )
 end

@@ -174,6 +185,26 @@ function M.Rule:init(...)
      )
   end

+   -- alpine v3.4 compatibility
+   if self.ipsec then
+      if not contains({'in', 'out'}, self.ipsec) then
+	 self:error('Invalid ipsec policy direction')
+      end
+      self:warning('ipsec deprecated in rules, define in zones instead')
+      local zones = self[self.ipsec]
+      if zones then
+	 self[self.ipsec] = maplist(
+	    zones,
+	    function(z)
+	       return self:create(
+		  M.Zone, {iface=z.iface, addr=z.addr, ipsec=true}
+	       )
+	    end
+	 )
+      else self[self.ipsec] = {self:create(M.Zone, {ipsec=true})} end
+      self.ipsec = nil
+   end
+
   if self.service then
      if not self.label and type(self.service) == 'string' then
 	 self.label = self.service
@@ -461,11 +492,6 @@ function M.Rule:trules()
      res = combinations(res, ipsetofrags)
   end

-   if self.ipsec then
-      res = combinations(res,
-			 {{opts='-m policy --pol ipsec --dir '..self:direction(self.ipsec)}})
-   end
-
   res = combinations(res, self:servoptfrags())

   setfamilies(res)
@@ -571,10 +597,7 @@ function M.Rule:extrarules(label, cls, options)
   local params = {}

   for _, attr in ipairs(
-      extend(
-	 {'in', 'out', 'src', 'dest', 'ipset', 'ipsec', 'service'},
-	 options.attrs
-      )
+      extend({'in', 'out', 'src', 'dest', 'ipset', 'service'}, options.attrs)
   ) do
      params[attr] = (options.src or self)[attr]
   end