Commit c0284e07 authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

use connection marking with transparent proxies

parent d22129e9
......@@ -414,11 +414,7 @@ function Rule:trules()
)
end
local ofrags = {}
for i, ofrag in ipairs(res) do
util.extend(ofrags, self:mangleoptfrag(ofrag))
end
util.extend(ofrags, self:extraoptfrags())
util.extend(res, self:extraoptfrags())
local tbl = self:table()
......@@ -454,7 +450,7 @@ function Rule:trules()
return res
end
res = convertchains(ffilter(ofrags))
res = convertchains(ffilter(res))
tag(res, 'table', tbl, false)
local function checkzof(ofrag, dir, chains)
......@@ -471,8 +467,6 @@ function Rule:trules()
return combinations(res, ffilter({{family='inet'}, {family='inet6'}}))
end
function Rule:mangleoptfrag(ofrag) return {ofrag} end
function Rule:extraoptfrags() return {} end
function Rule:newchain(key)
......@@ -25,4 +25,4 @@ function ClampMSSRule:target()
end
export = {['clamp-mss']={class=ClampMSSRule}}
export = {['clamp-mss']={class=ClampMSSRule, before='tproxy'}}
......@@ -7,14 +7,16 @@ See LICENSE file for license details
module(..., package.seeall)
require 'awall.model'
require 'awall.optfrag'
require 'awall.util'
local model = require('awall.model')
local class = model.class
local model = awall.model
local combinations = require('awall.optfrag').combinations
local util = require('awall.util')
local list = util.list
local MarkRule = model.class(model.Rule)
local MarkRule = class(model.Rule)
function MarkRule:init(...)
model.Rule.init(self, unpack(arg))
......@@ -26,13 +28,15 @@ function MarkRule:table() return 'mangle' end
function MarkRule:target() return 'MARK --set-mark '..self.mark end
local RouteTrackRule = model.class(MarkRule)
local RouteTrackRule = class(MarkRule)
function RouteTrackRule:target() return self:newchain('mark') end
function RouteTrackRule:servoptfrags()
return awall.optfrag.combinations(MarkRule.servoptfrags(self),
{{opts='-m mark --mark 0'}})
return combinations(
MarkRule.servoptfrags(self),
{{opts='-m mark --mark 0'}}
)
end
function RouteTrackRule:extraoptfrags()
......@@ -41,25 +45,59 @@ function RouteTrackRule:extraoptfrags()
end
local function rt(config)
local res = {}
if awall.util.list(config['route-track'])[1] then
for i, family in ipairs({'inet', 'inet6'}) do
for i, chain in ipairs({'OUTPUT', 'PREROUTING'}) do
table.insert(res,
{family=family,
table='mangle',
chain=chain,
opts='-m connmark ! --mark 0',
target='CONNMARK --restore-mark'})
end
end
end
local TProxyRule = class(MarkRule)
function TProxyRule:target() return self:newchain('tproxy') end
function TProxyRule:extraoptfrags()
local res = combinations(
{{chain='OUTPUT'}, {chain='PREROUTING'}},
{
{
opts='-m socket -m mark --mark '..self.mark,
target='ACCEPT',
position='prepend'
}
}
)
local port = self['to-port'] or 0
util.extend(
res,
{
{chain=self:target(), target='CONNMARK --set-mark '..self.mark},
{
chain=self:target(),
target='TPROXY --tproxy-mark '..self.mark..' --on-port '..port
}
}
)
return res
end
local function restoremark(config)
if list(config['route-track'])[1] or list(config['tproxy'])[1] then
return combinations(
{{family='inet'}, {family='inet6'}},
{{chain='OUTPUT'}, {chain='PREROUTING'}},
{
{
table='mangle',
opts='-m connmark ! --mark 0',
target='CONNMARK --restore-mark',
position='prepend'
}
}
)
end
return {}
end
export = {
mark={class=MarkRule},
['route-track']={class=RouteTrackRule, before='mark'},
['%mark-rt']={rules=rt, before='route-track'}
tproxy={class=TProxyRule, before='route-track'},
['%mark-restore']={rules=restoremark, after='tproxy'}
}
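Review bot: `to-port` is concatenated straight into the `TPROXY --on-port` string in TProxyRule:extraoptfrags with no type or range check visible in this hunk, so a non-numeric or out-of-range value would presumably only surface when the generated rule set is loaded; unless the Rule base class validates it elsewhere, a guard such as `assert(type(port) == 'number' and port >= 0 and port <= 65535, 'invalid to-port')` right after `local port = self['to-port'] or 0` fails early with a clear message, and a comment `-- 0 leaves the original destination port unchanged (TPROXY semantics)` would document the default. The `-m socket -m mark --mark` ACCEPT rules prepended to OUTPUT/PREROUTING can only match once `CONNMARK --restore-mark` has copied the connection mark onto the packet, so they depend on restoremark's rules ending up ahead of them; the export's `after='tproxy'` together with `position='prepend'` appears to arrange exactly that, but the dependency is implicit and deserves a comment on the `%mark-restore` entry such as `-- prepended after the tproxy rules so that restore-mark runs before the -m socket -m mark check`. Note that these ACCEPT targets live in the mangle table, so they only end mangle traversal and do not bypass the filter table.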
--[[
Transparent proxy module for Alpine Wall
Copyright (C) 2012-2013 Kaarle Ritvanen
See LICENSE file for license details
]]--
module(..., package.seeall)
local class = require('awall.model').class
local combinations = require('awall.optfrag').combinations
local util = require('awall.util')
local MarkRule = require('awall').loadclass('mark')
local TProxyRule = class(MarkRule)
function TProxyRule:target()
local port = self['to-port'] or 0
return 'TPROXY --tproxy-mark '..self.mark..' --on-port '..port
end
function TProxyRule:mangleoptfrag(ofrag)
local dof = util.copy(ofrag)
dof.target = nil
local res = combinations(
{dof},
{{opts='-m socket', target=self:newchain('divert')}}
)
table.insert(res, ofrag)
return res
end
function TProxyRule:extraoptfrags()
return combinations(
{{chain=self:newchain('divert')}},
{{target=MarkRule.target(self)}, {target='ACCEPT'}}
)
end
export = {tproxy={class=TProxyRule, before={'clamp-mss', '%mark-rt'}}}