Commit 8e0c7cb2 authored by Kaarle Ritvanen

eliminate deprecated module style

parent 8d100441
......@@ -6,10 +6,9 @@ Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details
]]--
require 'alt_getopt'
require 'lfs'
require 'signal'
require 'stringy'
get_opts = require('alt_getopt').get_opts
signal = require('signal')
stringy = require('stringy')
function help()
io.stderr:write([[
......@@ -78,7 +77,7 @@ if not stringy.startswith(arg[1], '-') then
table.remove(arg, 1)
end
opts, opind = alt_getopt.get_opts(
opts, opind = get_opts(
arg,
'afo:V',
{all='a', force='f', ['output-dir']='o', verify='V'}
......@@ -98,12 +97,22 @@ if not mode then
end
require 'awall.util'
util = awall.util
util = require('awall.util')
contains = util.contains
if not util.contains({'translate', 'activate', 'fallback', 'flush',
'enable', 'disable', 'list', 'dump'},
mode) then help() end
if not contains(
{
'translate',
'activate',
'fallback',
'flush',
'enable',
'disable',
'list',
'dump'
},
mode
) then help() end
pol_paths = {}
for i, cls in ipairs{'mandatory', 'optional', 'private'} do
......@@ -119,12 +128,14 @@ if stringy.endswith(arg[0], '/awall-cli') then
table.insert(pol_paths.mandatory, basedir..'/json')
end
local uerror = require('awall.uerror')
uerror = require('awall.uerror')
call = uerror.call
if not uerror.call(
if not call(
function()
require 'awall'
local awall = require('awall')
local printtabular = util.printtabular
policyset = awall.PolicySet(pol_paths)
......@@ -137,7 +148,7 @@ if not uerror.call(
if all or policy.type == 'optional' then
if policy.enabled then status = 'enabled'
elseif util.contains(imported, name) then status = 'required'
elseif contains(imported, name) then status = 'required'
else status = 'disabled' end
polinfo = {name, status, policy:load().description}
......@@ -151,11 +162,11 @@ if not uerror.call(
end
end
util.printtabular(data)
printtabular(data)
os.exit()
end
if util.contains({'disable', 'enable'}, mode) then
if contains({'disable', 'enable'}, mode) then
if opind > #arg then help() end
repeat
name = arg[opind]
......@@ -178,10 +189,10 @@ if not uerror.call(
end
require 'awall.iptables'
local iptables = require('awall.iptables')
if mode == 'dump' then
require 'json'
local json = require('json')
expinput = input:expand()
function capitalize(cls)
......@@ -189,7 +200,7 @@ if not uerror.call(
end
for cls, objs in pairs(input.data) do
if level > 2 or (level == 2 and cls ~= 'service') or util.contains(
if level > 2 or (level == 2 and cls ~= 'service') or contains(
{'variable', 'zone'},
cls
) then
......@@ -224,7 +235,7 @@ if not uerror.call(
end
table.sort(items, function(a, b) return a[1] < b[1] end)
if level == 0 then util.printtabular(items)
if level == 0 then printtabular(items)
else
util.printtabulars(
util.map(items, function(x) return x[2] end)
......@@ -242,7 +253,9 @@ if not uerror.call(
elseif mode == 'activate' then
awall.iptables.backup()
local lpc = require('lpc')
iptables.backup()
if not force then
signal.signal(
......@@ -261,7 +274,6 @@ if not uerror.call(
)
end
require 'lpc'
pid, stdio, stdout = lpc.run(arg[0], 'fallback')
stdio:close()
stdout:close()
......@@ -274,11 +286,11 @@ if not uerror.call(
end
function revert()
awall.iptables.revert()
iptables.revert()
os.exit(1)
end
if uerror.call(config.activate, config) then
if call(config.activate, config) then
if not force then
io.stderr:write('New firewall configuration activated\n')
......@@ -309,13 +321,12 @@ if not uerror.call(
signal.signal('SIG'..sig, function() end)
end
require 'lsleep'
lsleep.sleep(10)
require('lsleep').sleep(10)
io.stderr:write('\nTimeout, reverting to the old configuration\n')
awall.iptables.revert()
iptables.revert()
elseif mode == 'flush' then awall.iptables.flush()
elseif mode == 'flush' then iptables.flush()
else assert(false) end
......
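Review bot: The new top-level bindings at lines 13-15, 30-31 and 54-55 (`get_opts`, `signal`, `stringy`, `util`, `contains`, `uerror`, `call`) are still assigned without `local`, so they land in the global table, while the rest of the new code in this file (lines 60, 85, 88, 110) switched to `local`. For a script run as a program rather than loaded as a module this is probably harmless, but it contradicts the commit's own direction and luacheck will flag every one of them. As far as the visible lines show, `local get_opts = require('alt_getopt').get_opts` and the same treatment for the others should be safe, since their later uses inside the `call(function() ... end)` closure would simply capture them as upvalues. That closure starts at line 57 and continues past this section's last hunk, so any use I cannot see should be checked before renaming.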
......@@ -4,10 +4,9 @@ Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details
]]--
local Object
module(..., package.seeall)
function class(base)
local function class(base)
local cls = {}
function cls.super(obj)
......@@ -42,5 +41,6 @@ function class(base)
end
Object = class()
function Object:init(...) end
return class
--[[
Dependency order resolver for Alpine Wall
Copyright (C) 2012-2013 Kaarle Ritvanen
Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details
]]--
module(..., package.seeall)
local util = require('awall.util')
local contains = util.contains
function order(items)
return function(items)
local visited = {}
local res = {}
local function visit(key)
if util.contains(res, key) then return end
if contains(res, key) then return end
if visited[key] then return key end
visited[key] = true
local after = util.list(items[key].after)
for k, v in pairs(items) do
if util.contains(v.before, key) then table.insert(after, k) end
if contains(v.before, key) then table.insert(after, k) end
end
for i, k in ipairs(after) do
if items[k] then
......
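Review bot: The module now returns an anonymous function (line 169, and likewise `return function(host, context)` at line 194 in the host module), so an error raised inside it or inside `visit` shows up in tracebacks as an unnamed function instead of `order`/`resolve`. Writing `local function order(items)` and finishing the file with `return order` keeps the name for diagnostics without changing what `require` hands back. A short doc comment on the returned function would also help, because the `visited`/`res` handling on lines 170-176 appears to report a dependency cycle by returning the offending key, which a caller would not guess from the signature. The returned function's body continues past the end of this hunk.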
......@@ -5,8 +5,6 @@ See LICENSE file for license details
]]--
module(..., package.seeall)
local familypatterns = {inet='%d[%.%d/]+',
inet6='[:%x/]+',
domain='[%a-][%.%w-]*'}
......@@ -20,7 +18,7 @@ end
local dnscache = {}
function resolve(host, context)
return function(host, context)
local family = getfamily(host, context)
if family == 'domain' then
......
......@@ -4,28 +4,27 @@ Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details
]]--
module(..., package.seeall)
require 'lfs'
require 'stringy'
local M = {}
require 'awall.dependency'
require 'awall.ipset'
require 'awall.iptables'
require 'awall.model'
require 'awall.object'
require 'awall.optfrag'
require 'awall.policy'
require 'awall.util'
local class = require('awall.class')
local resolve = require('awall.dependency')
local IPSet = require('awall.ipset')
local IPTables = require('awall.iptables').IPTables
local optfrag = require('awall.optfrag')
M.PolicySet = require('awall.policy')
local util = require('awall.util')
local optfrag = awall.optfrag
local lfs = require('lfs')
local endswith = require('stringy').endswith
local events
local procorder
local achains
function loadmodules(path)
function M.loadmodules(path)
events = {}
achains = {}
......@@ -38,10 +37,10 @@ function loadmodules(path)
achains[name] = opts
end
return awall.util.keys(export)
return util.keys(export)
end
readmetadata(model)
readmetadata(require('awall.model'))
local cdir = lfs.currentdir()
if path then lfs.chdir(path) end
......@@ -56,31 +55,27 @@ function loadmodules(path)
local imported = {}
for i, name in ipairs(modules) do
require(name)
awall.util.extend(imported, readmetadata(package.loaded[name]))
util.extend(imported, readmetadata(require(name)))
end
lfs.chdir(cdir)
events['%modules'] = {before=imported}
procorder = awall.dependency.order(events)
procorder = resolve(events)
end
function loadclass(path)
function M.loadclass(path)
assert(path:sub(1, 1) ~= '%')
return events[path] and events[path].class
end
PolicySet = policy.PolicySet
Config = object.class()
M.Config = class()
function Config:init(policyconfig)
function M.Config:init(policyconfig)
self.objects = policyconfig:expand()
self.iptables = iptables.IPTables()
self.iptables = IPTables()
local acfrags = {}
......@@ -138,26 +133,29 @@ function Config:init(policyconfig)
for k, v in pairs(acfrags) do table.insert(ofrags, v) end
insertrules(optfrag.combinations(achains, ofrags))
self.ipset = ipset.IPSet(self.objects.ipset)
self.ipset = IPSet(self.objects.ipset)
end
function Config:print()
function M.Config:print()
self.ipset:print()
print()
self.iptables:print()
end
function Config:dump(dir)
function M.Config:dump(dir)
self.ipset:dump(dir or '/etc/ipset.d')
self.iptables:dump(dir or '/etc/iptables')
end
function Config:test()
function M.Config:test()
self.ipset:create()
self.iptables:test()
end
function Config:activate()
function M.Config:activate()
self:test()
self.iptables:activate()
end
return M
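Review bot: The lazy `require('awall.model')` at line 237 (hunk `@@ -38,10 +37,10 @@`) deserves a comment, because it looks deliberate and is easy to "tidy up" by hoisting it next to the other requires at lines 213-222. The model module in this same commit requires `awall` at load time (`require('awall').loadclass`), so a top-level require here would form a require cycle, which Lua 5.1 reports as "loop or previous error loading module". Suggested: `readmetadata(require('awall.model')) -- required lazily: awall.model requires awall at load time`. The per-module `require(name)` loop at lines 243-245 presumably relies on the same ordering, since those modules are expected to be loaded only after `M` is complete.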
--[[
Ipset file dumper for Alpine Wall
Copyright (C) 2012-2013 Kaarle Ritvanen
Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details
]]--
module(..., package.seeall)
require 'awall.object'
IPSet = awall.object.class()
local IPSet = require('awall.class')()
function IPSet:init(config) self.config = config or {} end
......@@ -47,3 +42,5 @@ function IPSet:dump(ipsdir)
file:close()
end
end
return IPSet
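Review bot: `require('awall.class')()` on line 303 calls the class factory straight off the require result, which is terse but reads differently from every other module in this commit (`local class = require('awall.class')` followed by `class()` or `class(Base)` in the iptables and awall modules). Splitting it into `local class = require('awall.class')` and `local IPSet = class()` keeps the files uniform and makes the zero-argument call (no base class) visible. Now that the module returns the class directly, a one-line doc comment such as `--- Ipset definitions built from the ipset entry of the expanded policy objects.` would also help readers arriving from `Config:init`.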
......@@ -5,20 +5,19 @@ See LICENSE file for license details
]]--
module(..., package.seeall)
require 'lfs'
require 'lpc'
require 'awall.object'
require 'awall.uerror'
local class = require('awall.class')
local raise = require('awall.uerror').raise
local util = require('awall.util')
local sortedkeys = util.sortedkeys
local class = awall.object.class
local mkdir = require('lfs').mkdir
local lpc = require('lpc')
local M = {}
local families = {inet={cmd='iptables',
file='rules-save',
procfile='/proc/net/ip_tables_names'},
......@@ -26,11 +25,13 @@ local families = {inet={cmd='iptables',
file='rules6-save',
procfile='/proc/net/ip6_tables_names'}}
builtin = {filter={'FORWARD', 'INPUT', 'OUTPUT'},
mangle={'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
nat={'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
raw={'OUTPUT', 'PREROUTING'},
security={'FORWARD', 'INPUT', 'OUTPUT'}}
M.builtin = {
filter={'FORWARD', 'INPUT', 'OUTPUT'},
mangle={'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
nat={'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
raw={'OUTPUT', 'PREROUTING'},
security={'FORWARD', 'INPUT', 'OUTPUT'}
}
local backupdir = '/var/run/awall'
......@@ -74,20 +75,20 @@ function BaseIPTables:restore(test)
end
end
if disabled then awall.uerror.raise('Firewall not enabled in kernel') end
if disabled then raise('Firewall not enabled in kernel') end
end
function BaseIPTables:activate()
flush()
M.flush()
self:restore(false)
end
function BaseIPTables:test() self:restore(true) end
IPTables = class(BaseIPTables)
M.IPTables = class(BaseIPTables)
function IPTables:init()
function M.IPTables:init()
self.config = {}
setmetatable(self.config,
{__index=function(t, k)
......@@ -97,7 +98,7 @@ function IPTables:init()
end})
end
function IPTables:dumpfile(family, iptfile)
function M.IPTables:dumpfile(family, iptfile)
iptfile:write('# '..families[family].file..' generated by awall\n')
local tables = self.config[family]
for i, tbl in sortedkeys(tables) do
......@@ -105,7 +106,7 @@ function IPTables:dumpfile(family, iptfile)
local chains = tables[tbl]
for i, chain in sortedkeys(chains) do
local policy = '-'
if util.contains(builtin[tbl], chain) then
if util.contains(M.builtin[tbl], chain) then
policy = tbl == 'filter' and 'DROP' or 'ACCEPT'
end
iptfile:write(':'..chain..' '..policy..' [0:0]\n')
......@@ -140,22 +141,20 @@ function Backup:dumpfile(family, iptfile)
end
function backup()
lfs.mkdir(backupdir)
function M.backup()
mkdir(backupdir)
Current():dump(backupdir)
end
function revert()
Backup():activate()
end
function M.revert() Backup():activate() end
function flush()
local empty = IPTables()
function M.flush()
local empty = M.IPTables()
for family, params in pairs(families) do
local success, lines = pcall(io.lines, params.procfile)
if success then
for tbl in lines do
for i, chain in ipairs(builtin[tbl]) do
for i, chain in ipairs(M.builtin[tbl]) do
empty.config[family][tbl][chain] = {}
end
end
......@@ -163,3 +162,5 @@ function flush()
end
empty:restore(false)
end
return M
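Review bot: `mkdir(backupdir)` on line 385 discards the `nil, err` result of `lfs.mkdir`, so when `/var/run/awall` cannot be created the failure only surfaces later inside `Current():dump(backupdir)` as a file-open error that does not name the directory, and the saved rule set that `M.revert()` presumably reads back is missing without a clear message. Because the directory legitimately exists on every run after the first, the check has to accept that case: keep `local lfs = require('lfs')` instead of only `mkdir`, then `if not lfs.mkdir(backupdir) and lfs.attributes(backupdir, 'mode') ~= 'directory' then raise('Cannot create '..backupdir) end` (`raise` is already in scope from line 318). The directory and the dumped rules are also created under the process umask; if the active firewall rules are considered sensitive, restricting the directory's permissions here is the place to do it.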
......@@ -5,27 +5,33 @@ See LICENSE file for license details
]]--
module(..., package.seeall)
local M = {}
require 'awall'
require 'awall.host'
require 'awall.iptables'
require 'awall.object'
require 'awall.optfrag'
require 'awall.uerror'
require 'awall.util'
local util = awall.util
local combinations = awall.optfrag.combinations
local loadclass = require('awall').loadclass
M.class = require('awall.class')
local resolve = require('awall.host')
local builtin = require('awall.iptables').builtin
class = awall.object.class
local optfrag = require('awall.optfrag')
local combinations = optfrag.combinations
require 'stringy'
local raise = require('awall.uerror').raise
local util = require('awall.util')
local contains = util.contains
local extend = util.extend
local filter = util.filter
local listpairs = util.listpairs
local maplist = util.maplist
ConfigObject = class()
function ConfigObject:init(context, location)
local startswith = require('stringy').startswith
M.ConfigObject = M.class()
function M.ConfigObject:init(context, location)
if context then
self.context = context
self.root = context.objects
......@@ -33,10 +39,10 @@ function ConfigObject:init(context, location)
self.location = location
end
function ConfigObject:create(cls, params)
function M.ConfigObject:create(cls, params)
if type(cls) == 'string' then
local name = cls
cls = awall.loadclass(cls)
cls = loadclass(cls)
if not cls then
self:error('Support for '..name..' objects not installed')
end
......@@ -44,30 +50,32 @@ function ConfigObject:create(cls, params)
return cls.morph(params, self.context, self.location)
end
function ConfigObject:error(msg)
awall.uerror.raise(self.location..': '..msg)
end
function M.ConfigObject:error(msg) raise(self.location..': '..msg) end
function ConfigObject:warning(msg)
function M.ConfigObject:warning(msg)
io.stderr:write(self.location..': '..msg..'\n')
end
function ConfigObject:trules() return {} end
function M.ConfigObject:trules() return {} end
function ConfigObject:info()
function M.ConfigObject:info()
local res = {}
for i, trule in ipairs(self:trules()) do
table.insert(res,
{' '..awall.optfrag.location(trule),
(trule.opts and trule.opts..' ' or '')..'-j '..trule.target})
table.insert(
res,
{
' '..optfrag.location(trule),
(trule.opts and trule.opts..' ' or '')..'-j '..trule.target
}
)
end
return res
end
Zone = class(ConfigObject)
M.Zone = M.class(M.ConfigObject)
function Zone:optfrags(dir)
function M.Zone:optfrags(dir)
local iopt, aopt, iprop, aprop
if dir == 'in' then
iopt, aopt, iprop, aprop = 'i', 's', 'in', 'src'
......@@ -78,8 +86,8 @@ function Zone:optfrags(dir)
local aopts = nil
if self.addr then
aopts = {}
for i, hostdef in util.listpairs(self.addr) do
for i, addr in ipairs(awall.host.resolve(hostdef, self)) do
for i, hostdef in listpairs(self.addr) do
for i, addr in ipairs(resolve(hostdef, self)) do
table.insert(aopts,
{family=addr[1],
[aprop]=addr[2],
......@@ -88,31 +96,32 @@ function Zone:optfrags(dir)
end
end
return combinations(util.maplist(self.iface,
function(x)
return {[iprop]=x,
opts='-'..iopt..' '..x}
end),
aopts)
return combinations(
maplist(
self.iface,
function(x) return {[iprop]=x, opts='-'..iopt..' '..x} end
),
aopts
)
end
fwzone = Zone()
M.fwzone = M.Zone()
IPSet = class(ConfigObject)
local IPSet = M.class(M.ConfigObject)
function IPSet:init(...)
IPSet.super(self):init(...)
if not self.type then self:error('Type not defined') end
if stringy.startswith(self.type, 'bitmap:') then
if startswith(self.type, 'bitmap:') then
if not self.range then self:error('Range not defined') end
self.options = {self.type, 'range', self.range}
self.family = 'inet'
elseif stringy.startswith(self.type, 'hash:') then
elseif startswith(self.type, 'hash:') then
if not self.family then self:error('Family not defined') end
self.options = {self.type, 'family', self.family}
......@@ -122,43 +131,47 @@ function IPSet:init(...)
end
Rule = class(ConfigObject)
M.Rule = M.class(M.ConfigObject)
function Rule:init(...)
Rule.super(self):init(...)
function M.Rule:init(...)
M.Rule.super(self):init(...)
self.newchains = {}
for i, prop in ipairs({'in', 'out'}) do
self[prop] = self[prop] and util.maplist(self[prop],
function(z)
if type(z) ~= 'string' then return z end
return z == '_fw' and fwzone or
self.root.zone[z] or
self:error('Invalid zone: '..z)
end)
self[prop] = self[prop] and maplist(
self[prop],
function(z)
if type(z) ~= 'string' then return z end
return z == '_fw' and M.fwzone or
self.root.zone[z] or
self:error('Invalid zone: '..z)
end
)
end
if self.service then
if type(self.service) == 'string' then self.label = self.service end
self.service = util.maplist(self.service,
function(s)
if type(s) ~= 'string' then return s end
return self.root.service[s] or self:error('Invalid service: '..s)
end)
self.service = maplist(
self.service,
function(s)
if type(s) ~= 'string' then return s end
return self.root.service[s] or self:error('Invalid service: '..s)
end
)
end
end
function Rule:direction(dir)
function M.Rule:direction(dir)
if dir == 'in' then return self.reverse and 'out' or 'in' end
if dir == 'out' then return self.reverse and 'in' or 'out' end
self:error('Invalid direction: '..dir)
end
function Rule:zoneoptfrags()
function M.Rule:zoneoptfrags()
local function zonepair(zin, zout)
......@@ -169,10 +182,10 @@ function Rule:zoneoptfrags()