route tracking for incoming connections

awall/modules/mark.lua

@@ -8,6 +8,8 @@ Licensed under the terms of GPL2
 module(..., package.seeall)
 
 require 'awall.model'
+require 'awall.optfrag'
+require 'awall.util'
 
 local model = awall.model
 
@@ -22,6 +24,43 @@ function MarkRule:target()
 end
 
 
-classes = {{'mark', MarkRule}}
+local RouteTrackRule = model.class(MarkRule)
+
+function RouteTrackRule:target()
+   if not self['mark-target'] then
+      self['mark-target'] = self:newchain('mark')
+   end
+   return self['mark-target']
+end
+
+function RouteTrackRule:servoptfrags()
+   return awall.optfrag.combinations(MarkRule.servoptfrags(self),
+				     {{opts='-m mark --mark 0'}})
+end
+
+function RouteTrackRule:extraoptfrags()
+   return {{chain=self:target(), opts='-j '..MarkRule.target(self)},
+	   {chain=self:target(), opts='-j CONNMARK --save-mark'}}
+end
+
+
+classes = {{'route-track', RouteTrackRule},
+	   {'mark', MarkRule}}
 
 defrules = {}
+
+function defrules.pre(config)
+   local res = {}
+   if awall.util.list(config['route-track'])[1] then
+      for i, family in ipairs({'inet', 'inet6'}) do
+	 for i, chain in ipairs({'OUTPUT', 'PREROUTING'}) do
+	    table.insert(res,
+			 {family=family,
+			  table='mangle',
+			  chain=chain,
+			  opts='-m connmark ! --mark 0 -j CONNMARK --restore-mark'})
+	 end
+      end
+   end
+   return res
+end

awall/util.lua

@@ -7,7 +7,7 @@ Licensed under the terms of GPL2
 
 module(..., package.seeall)
 
-local function list(var)
+function list(var)
    if not var then return {} end
    if type(var) ~= 'table' then return {var} end
    if not next(var) then return {} end