Commit 4ff16c68 authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

move ipsec attribute from rules to zones

parent 0c5c9c6a
...@@ -127,13 +127,14 @@ of the top-level service dictionary. ...@@ -127,13 +127,14 @@ of the top-level service dictionary.
A *zone* represents a set of network hosts. A top-level attribute A *zone* represents a set of network hosts. A top-level attribute
**zone** is a dictionary that maps zone names to zone objects. A zone **zone** is a dictionary that maps zone names to zone objects. A zone
object has an attribute named **iface**, **addr**, or both. **iface** object has any combination of attributes named **iface**, **addr**,
is a list of network interfaces and **addr** is a list of IPv4/IPv6 and **ipsec**. **iface** is a list of network interfaces and **addr**
host and network addresses (CIDR notation). **addr** may also contain is a list of IPv4/IPv6 host and network addresses (CIDR notation).
domain names, which are expanded to IP addresses using DNS **addr** may also contain domain names, which are expanded to IP
resolution. If not defined, **addr** defaults to the entire address addresses using DNS resolution. If not defined, **addr** defaults to
space and **iface** to all interfaces. An empty zone can be defined by the entire address space and **iface** to all interfaces. An empty
setting either **addr** or **iface** to an empty list. zone can be defined by setting either **addr** or **iface** to an
empty list.
Rule objects contain two attributes, **in** and **out**, which are Rule objects contain two attributes, **in** and **out**, which are
lists of zone names. These attributes control whether a packet matches lists of zone names. These attributes control whether a packet matches
...@@ -164,6 +165,15 @@ where **in** and **out** attributes of a rule are not equal but their ...@@ -164,6 +165,15 @@ where **in** and **out** attributes of a rule are not equal but their
definitions overlap. In this case, the **route-back** attribute of the definitions overlap. In this case, the **route-back** attribute of the
**out** zone determines the behavior. **out** zone determines the behavior.
If used, the **ipsec** attribute is used to exclude from the zone any
traffic that is or is not subject to IPsec processing. If set to
**true** in the **in** zone, only the packets subject to IPsec
decapsulation are considered originating from the zone. In the **out**
zone, only the packets subject to IPsec encapsulation will be included
if **ipsec** is set to **true**. The value of **false** would exclude
any traffic requiring IPsec processing towards the respective
direction.
### <a name="limit"></a>Limits ### <a name="limit"></a>Limits
A *limit* specifies the maximum rate for a flow of packets or new A *limit* specifies the maximum rate for a flow of packets or new
...@@ -320,14 +330,6 @@ attributes: ...@@ -320,14 +330,6 @@ attributes:
order specified by <strong>args</strong> order specified by <strong>args</strong>
</td> </td>
</tr> </tr>
<tr>
<td><strong>ipsec</strong></td>
<td><strong>in</strong> or <strong>out</strong></td>
<td>
IPsec decapsulation perfomed on ingress (<strong>in</strong>)
or encapsulation performed on egress (<strong>out</strong>)
</td>
</tr>
</tbody> </tbody>
</table> </table>
...@@ -121,12 +121,23 @@ function M.Zone:optfrags(dir) ...@@ -121,12 +121,23 @@ function M.Zone:optfrags(dir)
end end
end end
local popt
if self.ipsec ~= nil then
popt = {
{
opts='-m policy --dir '..dir..' --pol '..
(self.ipsec and 'ipsec' or 'none')
}
}
end
return combinations( return combinations(
maplist( maplist(
self.iface, self.iface,
function(x) return {[iprop]=x, opts='-'..iopt..' '..x} end function(x) return {[iprop]=x, opts='-'..iopt..' '..x} end
), ),
aopts aopts,
popt
) )
end end
...@@ -174,6 +185,26 @@ function M.Rule:init(...) ...@@ -174,6 +185,26 @@ function M.Rule:init(...)
) )
end end
-- alpine v3.4 compatibility
if self.ipsec then
if not contains({'in', 'out'}, self.ipsec) then
self:error('Invalid ipsec policy direction')
end
self:warning('ipsec deprecated in rules, define in zones instead')
local zones = self[self.ipsec]
if zones then
self[self.ipsec] = maplist(
zones,
function(z)
return self:create(
M.Zone, {iface=z.iface, addr=z.addr, ipsec=true}
)
end
)
else self[self.ipsec] = {self:create(M.Zone, {ipsec=true})} end
self.ipsec = nil
end
if self.service then if self.service then
if not self.label and type(self.service) == 'string' then if not self.label and type(self.service) == 'string' then
self.label = self.service self.label = self.service
...@@ -461,11 +492,6 @@ function M.Rule:trules() ...@@ -461,11 +492,6 @@ function M.Rule:trules()
res = combinations(res, ipsetofrags) res = combinations(res, ipsetofrags)
end end
if self.ipsec then
res = combinations(res,
{{opts='-m policy --pol ipsec --dir '..self:direction(self.ipsec)}})
end
res = combinations(res, self:servoptfrags()) res = combinations(res, self:servoptfrags())
setfamilies(res) setfamilies(res)
...@@ -571,10 +597,7 @@ function M.Rule:extrarules(label, cls, options) ...@@ -571,10 +597,7 @@ function M.Rule:extrarules(label, cls, options)
local params = {} local params = {}
for _, attr in ipairs( for _, attr in ipairs(
extend( extend({'in', 'out', 'src', 'dest', 'ipset', 'service'}, options.attrs)
{'in', 'out', 'src', 'dest', 'ipset', 'ipsec', 'service'},
options.attrs
)
) do ) do
params[attr] = (options.src or self)[attr] params[attr] = (options.src or self)[attr]
end end