Commit 06774cfa authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

use the same mark for all transparent proxy rules

parent 045ca4a9
......@@ -11,11 +11,7 @@ local model = require('awall.model')
local class = model.class
local combinations = require('awall.optfrag').combinations
local util = require('awall.util')
local contains = util.contains
local list = util.list
local listpairs = util.listpairs
local MarkRule = class(model.Rule)
......@@ -47,81 +43,25 @@ function RouteTrackRule:extraoptfrags()
end
local TProxyRule = class(MarkRule)
function TProxyRule:init(...)
MarkRule.init(self, unpack(arg))
if not self['in'] then self:error('Ingress zone must be specified') end
if contains(list(self['in']), model.fwzone) then
self:error('Transparent proxy cannot be used for firewall zone')
end
if self.out then self:error('Egress zone cannot be specified') end
end
function TProxyRule:target() return self:newchain('tproxy') end
function TProxyRule:extraoptfrags()
local res = {
{
chain='PREROUTING',
opts='-m socket -m mark --mark '..self.mark,
target='ACCEPT',
position='prepend'
},
{chain=self:target(), target='CONNMARK --set-mark '..self.mark},
}
local popts = {}
for i, serv in listpairs(self.service) do
for i, sdef in listpairs(serv) do
if not contains({6, 'tcp', 17, 'udp'}, sdef.proto) then
self:error('Transparent proxy not available for protocol '..sdef.proto)
end
popts[sdef.proto] = {opts='-p '..sdef.proto}
end
end
local port = self['to-port'] or 0
util.extend(
res,
combinations(
util.values(popts),
local function restoremark(config)
if util.list(config['route-track'])[1] then
return combinations(
{{family='inet'}, {family='inet6'}},
{{chain='OUTPUT'}, {chain='PREROUTING'}},
{
{
chain=self:target(),
target='TPROXY --tproxy-mark '..self.mark..' --on-port '..port
table='mangle',
opts='-m connmark ! --mark 0',
target='CONNMARK --restore-mark'
}
}
)
)
return res
end
end
local function restoremark(config)
local chopts = {}
if list(config['route-track'])[1] then
chopts = {{chain='OUTPUT'}, {chain='PREROUTING'}}
elseif list(config['tproxy'])[1] then chopts = {{chain='PREROUTING'}} end
return combinations(
{{family='inet'}, {family='inet6'}},
chopts,
{
{
table='mangle',
opts='-m connmark ! --mark 0',
target='CONNMARK --restore-mark',
position='prepend'
}
}
)
end
export = {
mark={class=MarkRule},
['route-track']={class=RouteTrackRule, before='mark'},
tproxy={class=TProxyRule, before='route-track'},
['%mark-restore']={rules=restoremark, after='tproxy'}
['%mark-restore']={rules=restoremark, before='route-track'}
}
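Review bot: The rewritten `restoremark` (`local function restoremark(config)` through its closing `end`) falls off the end and returns nil when no route-track rule is configured, whereas the previous version always returned the value of `combinations(...)`, presumably an empty list in that case; if the `rules=` callbacks are expected to yield a table, an explicit `return {}` on the fall-through path would be safer, and the new `divert` function in the tproxy module has the same shape. A short comment above the function would also help a reader understand why only route-track is handled now, e.g. `-- Restore the connection mark for route-track rules; tproxy traffic is marked per packet in the divert chain and does not use CONNMARK`. The hunk begins inside `RouteTrackRule:extraoptfrags`, whose body is outside this view.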
--[[
Transparent proxy module for Alpine Wall
Copyright (C) 2012-2013 Kaarle Ritvanen
See LICENSE file for license details
]]--
module(..., package.seeall)
local model = require('awall.model')
local Rule = model.Rule
local combinations = require('awall.optfrag').combinations
local util = require('awall.util')
local contains = util.contains
local list = util.list
local listpairs = util.listpairs
local TProxyRule = model.class(Rule)
function TProxyRule:init(...)
Rule.init(self, unpack(arg))
if not self['in'] then self:error('Ingress zone must be specified') end
if contains(list(self['in']), model.fwzone) then
self:error('Transparent proxy cannot be used for firewall zone')
end
if self.out then self:error('Egress zone cannot be specified') end
if not self.service then self:error('Service must be defined') end
for i, serv in listpairs(self.service) do
for i, sdef in listpairs(serv) do
if not contains({6, 'tcp', 17, 'udp'}, sdef.proto) then
self:error('Transparent proxy not available for protocol '..sdef.proto)
end
end
end
end
function TProxyRule:table() return 'mangle' end
function TProxyRule:target()
local mark = self.root.variable['awall_tproxy_mark']
local port = self['to-port'] or 0
return 'TPROXY --tproxy-mark '..mark..' --on-port '..port
end
local function divert(config)
if list(config.tproxy)[1] then
local ofrags = combinations(
{{chain='divert'}},
{
{target='MARK --set-mark '..config.variable['awall_tproxy_mark']},
{target='ACCEPT'}
}
)
table.insert(
ofrags,
{chain='PREROUTING', opts='-m socket', target='divert'}
)
return combinations(
{{family='inet'}, {family='inet6'}},
{{table='mangle'}},
ofrags
)
end
end
export = {
tproxy={class=TProxyRule, before='%mark-restore'},
['%tproxy-divert']={rules=divert, before='tproxy'}
}
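Review bot: `TProxyRule:target` splices `self['to-port']` and the `awall_tproxy_mark` variable into the generated rule text without checking them, so a missing variable fails with a bare "attempt to concatenate a nil value" rather than a configuration error, and a non-numeric `to-port` reaches the iptables line verbatim. Validating the port in `init` and the mark in `target` (and mirroring the mark check in `divert`, which concatenates `config.variable['awall_tproxy_mark']` the same way) keeps malformed values out of the emitted ruleset. If `to-port` may legitimately arrive as a string, pass it through `tonumber` before the range check. `Rule.init(self, unpack(arg))` relies on the Lua 5.0-compatible `arg` table; `Rule.init(self, ...)` is the portable form, although mark.lua uses the same idiom at `MarkRule.init(self, unpack(arg))`.
```lua
function TProxyRule:init(...)
  Rule.init(self, unpack(arg))
  -- … unchanged: zone and service checks …
  local port = self['to-port']
  if port ~= nil and (type(port) ~= 'number' or port ~= math.floor(port) or port < 1 or port > 65535) then
    self:error('Invalid to-port: '..tostring(port))
  end
end

function TProxyRule:target()
  local mark = self.root.variable['awall_tproxy_mark']
  if type(mark) ~= 'number' then
    self:error('Variable awall_tproxy_mark must be a number')
  end
  local port = self['to-port'] or 0
  return 'TPROXY --tproxy-mark '..mark..' --on-port '..port
end
```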
{
"before": "%defaults",
"variable": { "awall_tproxy_mark": 1 },
"log": { "_default": { "limit": 1 } }
}
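Review bot: The default `"awall_tproxy_mark": 1` is used both for `MARK --set-mark` in the divert chain and for `TPROXY --tproxy-mark`, and it shares the mark space with user-defined `mark` rules from the mark module; a `mark` rule that also selects 1 could make ordinary marked traffic indistinguishable from proxied traffic in mark-based routing. Consider documenting that this value is reserved for transparent proxying and can be overridden through the `variable` section, or picking a default less likely to collide with hand-chosen marks.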