output verification using ip[6]tables-restore

output saved as rules[6]-save corrected a couple of syntax errors in output disabled the default rule in nat module

output verification using ip[6]tables-restore
output saved as rules[6]-save corrected a couple of syntax errors in output disabled the default rule in nat module
e97510c3 · Kaarle Ritvanen · 8cc299ff · e97510c3 · e97510c3 · e97510c3
Commit e97510c3 authored Feb 23, 2012 by Kaarle Ritvanen
Showing with 40 additions and 22 deletions

awall/init.lua awall/init.lua +1 -1

awall/iptables.lua awall/iptables.lua +33 -16

awall/model.lua awall/model.lua +2 -2

awall/modules/nat.lua awall/modules/nat.lua +4 -3

No files found.
--- a/awall/init.lua
+++ b/awall/init.lua
@@ -84,6 +84,6 @@ function translate()
      end
   end

-   awall.iptables.dump()
+   awall.iptables.dump(testmode and 'output' or '/etc/iptables')

 end
--- a/awall/iptables.lua
+++ b/awall/iptables.lua
@@ -7,7 +7,16 @@ Licensed under the terms of GPL2

 module(..., package.seeall)

-local iptfiles = {ip4='iptables', ip6='ip6tables'}
+require 'lpc'
+
+require 'awall.util'
+contains = awall.util.contains
+
+local families = {ip4={cmd='iptables-restore', file='rules-save'},
+		  ip6={cmd='ip6tables-restore', file='rules6-save'}}
+
+local builtin = {'INPUT', 'FORWARD', 'OUTPUT',
+		 'PREROUTING', 'POSTROUTING'}

 config = {}
 setmetatable(config,
@@ -17,22 +26,30 @@ setmetatable(config,
 			 return t[k]
 		      end})

-function dump()
-   for family, tbls in pairs(config) do
-      local iptfile = io.output('output/'..iptfiles[family])
-      iptfile:write('# '..iptfiles[family]..' generated by awall\n')
-      for tbl, chains in pairs(tbls) do
-	 iptfile:write('*'..tbl..'\n')
-	 for chain, rules in pairs(chains) do
-	    iptfile:write(':'..chain..' '..(chain == string.upper(chain) and
-					 'DROP' or '-')..' [0:0]\n')
-	 end
-	 for chain, rules in pairs(chains) do
-	    for i, rule in ipairs(rules) do
-	       iptfile:write('-A '..chain..' '..rule..'\n')
-	    end
+local function dumpfile(family, iptfile)
+   iptfile:write('# '..families[family].file..' generated by awall\n')
+   for tbl, chains in pairs(config[family]) do
+      iptfile:write('*'..tbl..'\n')
+      for chain, rules in pairs(chains) do
+	 iptfile:write(':'..chain..' '..(contains(builtin, chain) and
+				      'DROP' or '-')..' [0:0]\n')
+      end
+      for chain, rules in pairs(chains) do
+	 for i, rule in ipairs(rules) do
+	    iptfile:write('-A '..chain..' '..rule..'\n')
 	 end
-	 iptfile:write('COMMIT\n')
      end
+      iptfile:write('COMMIT\n')
+   end
+end
+
+function dump(dir)
+   for family, tbls in pairs(config) do
+      local pid, stdin = lpc.run(families[family].cmd, '-t')
+      dumpfile(family, stdin)
+      stdin:close()
+      assert(lpc.wait(pid) == 0)
+
+      dumpfile(family, io.output(dir..'/'..families[family].file))
   end
 end
--- a/awall/model.lua
+++ b/awall/model.lua
@@ -277,8 +277,8 @@ function Rule:trules()

   local res = self:zoneoptfrags()

-   if self.ipsec == 'true' then
-      res = combinations(res, {{opts='-m policy --pol ipsec'}})
+   if self.ipsec then
+      res = combinations(res, {{opts='-m policy --pol ipsec --dir '..self.ipsec}})
   end

   res = combinations(res, self:servoptfrags())

--- a/awall/modules/nat.lua
+++ b/awall/modules/nat.lua
@@ -76,7 +76,8 @@ end

 classmap = {dnat=DNATRule, snat=SNATRule}

-- TODO configuration of _nat ipset via config.json
+defrules = {}

-defrules = {{family='ip4', table='nat', chain='POSTROUTING',
-	     opts='-m set --match-set _nat src ! --match-set _nat dst -j MASQUERADE'}}
+-- TODO configuration of _nat ipset via config.json
+--defrules = {{family='ip4', table='nat', chain='POSTROUTING',
+--	     opts='-m set --match-set _nat src ! --match-set _nat dst -j MASQUERADE'}}