Commit cb6011fa authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

fixed transparent proxy support

use -p option in TPROXY rules
constrain TPROXY rules to PREROUTING chain
parent 8f4e609a
......@@ -13,7 +13,9 @@ local class = model.class
local combinations = require('awall.optfrag').combinations
local util = require('awall.util')
local contains = util.contains
local list = util.list
local listpairs = util.listpairs
local MarkRule = class(model.Rule)
......@@ -47,30 +49,50 @@ end
local TProxyRule = class(MarkRule)
function TProxyRule:init(...)
MarkRule.init(self, unpack(arg))
if not self['in'] then self:error('Ingress zone must be specified') end
if contains(list(self['in']), model.fwzone) then
self:error('Transparent proxy cannot be used for firewall zone')
end
if self.out then self:error('Egress zone cannot be specified') end
end
function TProxyRule:target() return self:newchain('tproxy') end
function TProxyRule:extraoptfrags()
local res = combinations(
{{chain='OUTPUT'}, {chain='PREROUTING'}},
local res = {
{
{
opts='-m socket -m mark --mark '..self.mark,
target='ACCEPT',
position='prepend'
}
}
)
chain='PREROUTING',
opts='-m socket -m mark --mark '..self.mark,
target='ACCEPT',
position='prepend'
},
{chain=self:target(), target='CONNMARK --set-mark '..self.mark},
}
local popts = {}
for i, serv in listpairs(self.service) do
for i, sdef in listpairs(serv) do
if not contains({6, 'tcp', 17, 'udp'}, sdef.proto) then
self:error('Transparent proxy not available for protocol '..sdef.proto)
end
popts[sdef.proto] = {opts='-p '..sdef.proto}
end
end
local port = self['to-port'] or 0
util.extend(
res,
{
{chain=self:target(), target='CONNMARK --set-mark '..self.mark},
combinations(
util.values(popts),
{
chain=self:target(),
target='TPROXY --tproxy-mark '..self.mark..' --on-port '..port
{
chain=self:target(),
target='TPROXY --tproxy-mark '..self.mark..' --on-port '..port
}
}
}
)
)
return res
......@@ -78,21 +100,23 @@ end
local function restoremark(config)
if list(config['route-track'])[1] or list(config['tproxy'])[1] then
return combinations(
{{family='inet'}, {family='inet6'}},
{{chain='OUTPUT'}, {chain='PREROUTING'}},
local chopts = {}
if list(config['route-track'])[1] then
chopts = {{chain='OUTPUT'}, {chain='PREROUTING'}}
elseif list(config['tproxy'])[1] then chopts = {{chain='PREROUTING'}} end
return combinations(
{{family='inet'}, {family='inet6'}},
chopts,
{
{
{
table='mangle',
opts='-m connmark ! --mark 0',
target='CONNMARK --restore-mark',
position='prepend'
}
table='mangle',
opts='-m connmark ! --mark 0',
target='CONNMARK --restore-mark',
position='prepend'
}
)
end
return {}
}
)
end
export = {
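Review bot: In TProxyRule:extraoptfrags the new check `self:error('Transparent proxy not available for protocol '..sdef.proto)` reports a raw "attempt to concatenate a nil value" instead of the intended message whenever `sdef.proto` is nil (contains() presumably rejects nil, and the `..` then fails), so it should read `self:error('Transparent proxy not available for protocol '..tostring(sdef.proto))` unless proto is guaranteed by validation that is not visible here. The nested loops both bind `i` without using it; `_` makes the shadowing intentional. Keying `popts[sdef.proto]` by the raw value means a service listing `6` and another listing `'tcp'` yield two `-p` fragments and hence two otherwise identical TPROXY rules; if that is acceptable a short comment saying so would help, otherwise normalise the key before storing. `local port = self['to-port'] or 0` also deserves a why-comment if it relies on iptables treating `--on-port 0` as "keep the original destination port", since a reader cannot tell that from the code.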
......@@ -60,6 +60,12 @@ function keys(tbl)
return res
end
function values(tbl)
local res = {}
for k, v in pairs(tbl) do table.insert(res, v) end
return res
end
function sortedkeys(tbl)
local res = keys(tbl)
table.sort(res)
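Review bot: `values` returns entries in `pairs` order, which Lua leaves unspecified, so a caller that turns the result into generated rules (extraoptfrags in this commit feeds it to combinations) can emit those rules in a different order from one run to the next, which makes the generated firewall harder to diff and review. A doc comment above the function such as `-- Returns the values of tbl as a list; order follows pairs() and is unspecified, sort the result where stable output matters.` would make that explicit, and callers whose keys are all of one type can sort. The unused loop variable `k` would conventionally be `_`, and `res[#res + 1] = v` is the idiomatic append. sortedkeys continues outside the hunk.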