Commit 4ff16c68 authored by Kaarle Ritvanen

move ipsec attribute from rules to zones

parent 0c5c9c6a
......@@ -127,13 +127,14 @@ of the top-level service dictionary.
A *zone* represents a set of network hosts. A top-level attribute
**zone** is a dictionary that maps zone names to zone objects. A zone
object has an attribute named **iface**, **addr**, or both. **iface**
is a list of network interfaces and **addr** is a list of IPv4/IPv6
host and network addresses (CIDR notation). **addr** may also contain
domain names, which are expanded to IP addresses using DNS
resolution. If not defined, **addr** defaults to the entire address
space and **iface** to all interfaces. An empty zone can be defined by
setting either **addr** or **iface** to an empty list.
object has any combination of attributes named **iface**, **addr**,
and **ipsec**. **iface** is a list of network interfaces and **addr**
is a list of IPv4/IPv6 host and network addresses (CIDR notation).
**addr** may also contain domain names, which are expanded to IP
addresses using DNS resolution. If not defined, **addr** defaults to
the entire address space and **iface** to all interfaces. An empty
zone can be defined by setting either **addr** or **iface** to an
empty list.
Rule objects contain two attributes, **in** and **out**, which are
lists of zone names. These attributes control whether a packet matches
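Review bot: the new wording "any combination of attributes named **iface**, **addr**, and **ipsec**" now admits a zone that defines only **ipsec** (or nothing at all), but the defaults sentence still covers only **addr** and **iface**. Extend it to state the default for **ipsec** as well (undefined means no IPsec policy restriction), e.g. "If not defined, **addr** defaults to the entire address space, **iface** to all interfaces, and **ipsec** to no policy restriction", so readers of this paragraph are not left guessing until the later section.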
......@@ -164,6 +165,15 @@ where **in** and **out** attributes of a rule are not equal but their
definitions overlap. In this case, the **route-back** attribute of the
**out** zone determines the behavior.
If used, the **ipsec** attribute is used to exclude from the zone any
traffic that is or is not subject to IPsec processing. If set to
**true** in the **in** zone, only the packets subject to IPsec
decapsulation are considered originating from the zone. In the **out**
zone, only the packets subject to IPsec encapsulation will be included
if **ipsec** is set to **true**. The value of **false** would exclude
any traffic requiring IPsec processing towards the respective
direction.
### <a name="limit"></a>Limits
A *limit* specifies the maximum rate for a flow of packets or new
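Review bot: the opening sentence "If used, the **ipsec** attribute is used to exclude from the zone any traffic that is or is not subject to IPsec processing" is redundant and hard to parse; suggest "When defined, the **ipsec** attribute restricts the zone to traffic that either is (**true**) or is not (**false**) subject to IPsec processing." It would also help to say explicitly that **false** matches only packets with no IPsec policy, which is what the implementation's `--pol none` match does, rather than the vaguer "exclude any traffic requiring IPsec processing".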
......@@ -320,14 +330,6 @@ attributes:
order specified by <strong>args</strong>
</td>
</tr>
<tr>
<td><strong>ipsec</strong></td>
<td><strong>in</strong> or <strong>out</strong></td>
<td>
IPsec decapsulation perfomed on ingress (<strong>in</strong>)
or encapsulation performed on egress (<strong>out</strong>)
</td>
</tr>
</tbody>
</table>
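Review bot: deleting the **ipsec** row from the rule attribute table removes the only documentation of an attribute that the code still accepts (Rule:init keeps it as a deprecated compatibility path that emits a warning). Consider keeping the row marked as deprecated and pointing to the zone-level **ipsec** attribute, so users who hit "ipsec deprecated in rules, define in zones instead" can find the replacement in the reference table.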
......
......@@ -121,12 +121,23 @@ function M.Zone:optfrags(dir)
end
end
local popt
if self.ipsec ~= nil then
popt = {
{
opts='-m policy --dir '..dir..' --pol '..
(self.ipsec and 'ipsec' or 'none')
}
}
end
return combinations(
maplist(
self.iface,
function(x) return {[iprop]=x, opts='-'..iopt..' '..x} end
),
aopts
aopts,
popt
)
end
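Review bot: `popt` stays `nil` when `self.ipsec` is undefined and is then passed as the last argument to `combinations(...)`; please confirm that `combinations` treats a nil argument as "no constraint" rather than as an empty list, otherwise every zone without **ipsec** would yield no fragments at all. The `self.ipsec ~= nil` test (instead of a truthiness test) is correct, since `false` must still produce `--pol none`; a short comment saying so would prevent a later "simplification" to `if self.ipsec then`.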
......@@ -174,6 +185,26 @@ function M.Rule:init(...)
)
end
-- alpine v3.4 compatibility
if self.ipsec then
if not contains({'in', 'out'}, self.ipsec) then
self:error('Invalid ipsec policy direction')
end
self:warning('ipsec deprecated in rules, define in zones instead')
local zones = self[self.ipsec]
if zones then
self[self.ipsec] = maplist(
zones,
function(z)
return self:create(
M.Zone, {iface=z.iface, addr=z.addr, ipsec=true}
)
end
)
else self[self.ipsec] = {self:create(M.Zone, {ipsec=true})} end
self.ipsec = nil
end
if self.service then
if not self.label and type(self.service) == 'string' then
self.label = self.service
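Review bot: the compatibility shim rebuilds each referenced zone as `{iface=z.iface, addr=z.addr, ipsec=true}`, which copies only two attributes; a legacy rule whose **out** zone carries **route-back** (documented above as controlling overlapping in/out behaviour) silently loses that setting after conversion. Either copy all zone attributes when creating the replacement zone or state this limitation in the deprecation warning.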
......@@ -461,11 +492,6 @@ function M.Rule:trules()
res = combinations(res, ipsetofrags)
end
if self.ipsec then
res = combinations(res,
{{opts='-m policy --pol ipsec --dir '..self:direction(self.ipsec)}})
end
res = combinations(res, self:servoptfrags())
setfamilies(res)
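Review bot: the removed rule-level match passed `self:direction(self.ipsec)` to `--dir`, whereas the zone-level replacement in `Zone:optfrags(dir)` uses the `dir` argument directly; check that the values reaching `Zone:optfrags` are exactly `in` and `out` (the only directions `-m policy --dir` accepts) so the translation that `direction()` performed is not lost in the move.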
......@@ -571,10 +597,7 @@ function M.Rule:extrarules(label, cls, options)
local params = {}
for _, attr in ipairs(
extend(
{'in', 'out', 'src', 'dest', 'ipset', 'ipsec', 'service'},
options.attrs
)
extend({'in', 'out', 'src', 'dest', 'ipset', 'service'}, options.attrs)
) do
params[attr] = (options.src or self)[attr]
end
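Review bot: dropping `'ipsec'` from the copied attribute list is consistent with `Rule:init` clearing `self.ipsec` after conversion, but `extrarules` copies from `(options.src or self)`; if `options.src` can be a rule table that has not passed through `init`, a legacy `ipsec` key on it is now silently ignored instead of being converted or rejected. A comment noting that `ipsec` is handled in `init` would make the omission intentional for future readers.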
......