diff --git a/awall/model.lua b/awall/model.lua index 126841bfe2b37002750968cb7099f35bca19ddc3..3ef5a3d04d694add3478d78aad79920d9acc22e5 100644 --- a/awall/model.lua +++ b/awall/model.lua @@ -113,10 +113,10 @@ function M.Zone:optfrags(dir) aopts = {} for i, hostdef in listpairs(self.addr) do for i, addr in ipairs(resolve(hostdef, self)) do - table.insert(aopts, - {family=addr[1], - [aprop]=addr[2], - opts='-'..aopt..' '..addr[2]}) + table.insert( + aopts, + {family=addr[1], [aprop]=addr[2], match='-'..aopt..' '..addr[2]} + ) end end end @@ -125,7 +125,7 @@ function M.Zone:optfrags(dir) if self.ipsec ~= nil then popt = { { - opts='-m policy --dir '..dir..' --pol '.. + match='-m policy --dir '..dir..' --pol '.. (self.ipsec and 'ipsec' or 'none') } } @@ -134,7 +134,7 @@ function M.Zone:optfrags(dir) return combinations( maplist( self.iface, - function(x) return {[iprop]=x, opts='-'..iopt..' '..x} end + function(x) return {[iprop]=x, match='-'..iopt..' '..x} end ), aopts, popt @@ -358,7 +358,7 @@ function M.Rule:servoptfrags() self.reverse and sdef['reply-type'] or sdef.type ) end - table.insert(res, {family=family, opts=opts}) + table.insert(res, {family=family, match=opts}) end end end @@ -396,10 +396,10 @@ function M.Rule:servoptfrags() until len == 0 end - table.insert(ofrags, {opts=opts}) + table.insert(ofrags, {match=opts}) until len == 0 - else table.insert(ofrags, {opts=propt}) end + else table.insert(ofrags, {match=propt}) end end extend(res, combinations(ofrags, {{family=family}})) @@ -487,12 +487,12 @@ function M.Rule:trules() return 'dst' end), ',') - table.insert(ipsetofrags, {family=setdef.family, opts=setopts}) + table.insert(ipsetofrags, {family=setdef.family, match=setopts}) end ofrags = combinations(ofrags, ipsetofrags) end - if self.match then ofrags = combinations(ofrags, {{opts=self.match}}) end + if self.match then ofrags = combinations(ofrags, {{match=self.match}}) end ofrags = combinations(ofrags, self:servoptfrags()) 
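Review bot: In the `M.Rule:trules()` hunk at `@@ -487`, `self.match` goes into the fragment unchecked, and `M.command` in awall/optfrag.lua later joins `of.match` verbatim into the generated rule text. Nothing in the visible lines confirms it is a single-line string, so a value carrying a line break would change the structure of the emitted rule set rather than only this rule's match. Validation may well happen where the attribute is loaded, which is outside this hunk. If it does not, I would guard it before the `combinations` call, e.g. `assert(type(self.match) == 'string' and not self.match:find('[\r\n]'), 'match must be a single line')`. The body of `trules()` starts and ends outside the hunk.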
@@ -561,10 +561,12 @@ function M.Rule:trules() ofs = {{chain='FORWARD'}, {chain='OUTPUT'}} recursive = true elseif ofrag.chain == 'INPUT' then - ofs = {{opts='-m addrtype --dst-type LOCAL', chain='PREROUTING'}} + ofs = { + {match='-m addrtype --dst-type LOCAL', chain='PREROUTING'} + } elseif ofrag.chain == 'FORWARD' then ofs = { - {opts='-m addrtype ! --dst-type LOCAL', chain='PREROUTING'} + {match='-m addrtype ! --dst-type LOCAL', chain='PREROUTING'} } end @@ -703,7 +705,7 @@ function M.Limit:limitofrags(name) ofrags, { family=family, - opts=keys[1] and + match=keys[1] and '-m hashlimit --hashlimit-upto '..rate..' --hashlimit-burst '.. self:intrate()..' --hashlimit-mode '..table.concat(keys, ',').. maskopts..' --hashlimit-name '..(name or self:uniqueid()) or diff --git a/awall/modules/clampmss.lua b/awall/modules/clampmss.lua index e991e1e4b9d6b941f1931f66a01709040a8085e5..b29dcab2e48e8a30c6ccb7c93b01c61895f127c1 100644 --- a/awall/modules/clampmss.lua +++ b/awall/modules/clampmss.lua @@ -1,6 +1,6 @@ --[[ TCP MSS clamping module for Alpine Wall -Copyright (C) 2012-2014 Kaarle Ritvanen +Copyright (C) 2012-2016 Kaarle Ritvanen See LICENSE file for license details ]]-- @@ -13,7 +13,7 @@ local ClampMSSRule = model.class(model.Rule) function ClampMSSRule:table() return 'mangle' end function ClampMSSRule:servoptfrags() - return {{opts='-p tcp --tcp-flags SYN,RST SYN'}} + return {{match='-p tcp --tcp-flags SYN,RST SYN'}} end function ClampMSSRule:target() diff --git a/awall/modules/filter.lua b/awall/modules/filter.lua index 48165b4e5269af362754747d1faf469d026d9f81..849127a9922feaf785f1ad3f7331d89020156454 100644 --- a/awall/modules/filter.lua +++ b/awall/modules/filter.lua @@ -65,7 +65,7 @@ function FilterLimit:recentofrags(name) local rec = { { family=family, - opts='-m recent --name '..name..' --r'.. + match='-m recent --name '..name..' --r'.. ({src='source', dest='dest'})[attr]..' --mask '..mask } } 
@@ -74,10 +74,10 @@ function FilterLimit:recentofrags(name) uofs, combinations( rec, - {{opts='--update --hitcount '..count..' --seconds '..interval}} + {{match='--update --hitcount '..count..' --seconds '..interval}} ) ) - extend(sofs, combinations(rec, {{opts='--set'}})) + extend(sofs, combinations(rec, {{match='--set'}})) end return uofs, sofs @@ -188,7 +188,8 @@ function RelatedRule:servoptfrags() if helper then helpers[helper] = { family=sdef.family, - opts='-m conntrack --ctstate RELATED -m helper --helper '..helper + match='-m conntrack --ctstate RELATED -m helper --helper '.. + helper } end end @@ -400,11 +401,11 @@ local function stateful(config) local er = combinations( fchains, - {{opts='-m conntrack --ctstate ESTABLISHED'}} + {{match='-m conntrack --ctstate ESTABLISHED'}} ) for i, chain in ipairs({'INPUT', 'OUTPUT'}) do table.insert( - er, {chain=chain, opts='-'..chain:sub(1, 1):lower()..' lo'} + er, {chain=chain, match='-'..chain:sub(1, 1):lower()..' lo'} ) end extend( @@ -449,8 +450,8 @@ local function stateful(config) return res end -local icmp = {{family='inet', table='filter', opts='-p icmp'}} -local icmp6 = {{family='inet6', table='filter', opts='-p icmpv6'}} +local icmp = {{family='inet', table='filter', match='-p icmp'}} +local icmp6 = {{family='inet6', table='filter', match='-p icmpv6'}} local ir = combinations( icmp6, {{chain='INPUT'}, {chain='OUTPUT'}}, @@ -462,12 +463,11 @@ extend(ir, combinations(icmp, fchains, {{target='icmp-routing'}})) local function icmprules(ofrag, oname, types) extend( ir, - combinations(ofrag, - {{chain='icmp-routing', target='ACCEPT'}}, - util.map(types, - function(t) - return {opts='--'..oname..' '..t} - end)) + combinations( + ofrag, + {{chain='icmp-routing', target='ACCEPT'}}, + util.map(types, function(t) return {match='--'..oname..' '..t} end) + ) ) end icmprules(icmp, 'icmp-type', {3, 11, 12}) 
@@ -481,6 +481,6 @@ return { ['%filter-after']={rules=ir, after='filter'} }, achains=combinations( - {{chain='tarpit'}}, {{opts='-p tcp', target='TARPIT'}, {target='DROP'}} + {{chain='tarpit'}}, {{match='-p tcp', target='TARPIT'}, {target='DROP'}} ) } diff --git a/awall/modules/log.lua b/awall/modules/log.lua index a4ce1e59890956d665276b1017a81545f4e2e14d..076a8a0f5e22ca349362b5eac27fdd8b1d3db137 100644 --- a/awall/modules/log.lua +++ b/awall/modules/log.lua @@ -1,6 +1,6 @@ --[[ Packet logging module for Alpine Wall -Copyright (C) 2012-2014 Kaarle Ritvanen +Copyright (C) 2012-2016 Kaarle Ritvanen See LICENSE file for license details ]]-- @@ -35,12 +35,12 @@ function Log:matchofrags() if sel == 'every' then ofrags = { - {opts='-m statistic --mode nth --every '..value..' --packet 0'} + {match='-m statistic --mode nth --every '..value..' --packet 0'} } elseif sel == 'limit' then ofrags = self:create(LogLimit, value, 'loglimit'):limitofrags() elseif sel == 'probability' then - ofrags = {{opts='-m statistic --mode random --probability '..value}} + ofrags = {{match='-m statistic --mode random --probability '..value}} else assert(false) end end end diff --git a/awall/modules/mark.lua b/awall/modules/mark.lua index 7b0be1af508707435355ada88ef22c87a4ba2312..56348d3030e425a1302870507391b12977c8f347 100644 --- a/awall/modules/mark.lua +++ b/awall/modules/mark.lua @@ -1,6 +1,6 @@ --[[ Packet marking module for Alpine Wall -Copyright (C) 2012-2014 Kaarle Ritvanen +Copyright (C) 2012-2016 Kaarle Ritvanen See LICENSE file for license details ]]-- @@ -30,7 +30,7 @@ function RouteTrackRule:target() return self:uniqueid('mark') end function RouteTrackRule:servoptfrags() return combinations( - RouteTrackRule.super(self):servoptfrags(), {{opts='-m mark --mark 0'}} + RouteTrackRule.super(self):servoptfrags(), {{match='-m mark --mark 0'}} ) end 
@@ -50,7 +50,7 @@ local function restoremark(config) { { table='mangle', - opts='-m connmark ! --mark 0', + match='-m connmark ! --mark 0', target='CONNMARK --restore-mark' } } diff --git a/awall/modules/masquerade.lua b/awall/modules/masquerade.lua index cc549f893d1cdc101e94ca2cb1ce7256f637c238..0ee9c9456206d7cc26c7dc0e8d7ddc623392792c 100644 --- a/awall/modules/masquerade.lua +++ b/awall/modules/masquerade.lua @@ -1,6 +1,6 @@ --[[ IPSet-based masquerading module for Alpine Wall -Copyright (C) 2012-2014 Kaarle Ritvanen +Copyright (C) 2012-2016 Kaarle Ritvanen See LICENSE file for license details ]]-- @@ -14,14 +14,14 @@ return { family='inet', table='nat', chain='POSTROUTING', - opts='-m set --match-set awall-masquerade src', + match='-m set --match-set awall-masquerade src', target='awall-masquerade' }, { family='inet', table='nat', chain='awall-masquerade', - opts='-m set ! --match-set awall-masquerade dst', + match='-m set ! --match-set awall-masquerade dst', target='MASQUERADE' } }, diff --git a/awall/modules/tproxy.lua b/awall/modules/tproxy.lua index 045150033d93ad45f8f26dd853ffff9ecea77c70..5831f3b8813b243247d9f834e8d5d45342707ef3 100644 --- a/awall/modules/tproxy.lua +++ b/awall/modules/tproxy.lua @@ -1,6 +1,6 @@ --[[ Transparent proxy module for Alpine Wall -Copyright (C) 2012-2014 Kaarle Ritvanen +Copyright (C) 2012-2016 Kaarle Ritvanen See LICENSE file for license details ]]-- @@ -55,7 +55,7 @@ local function divert(config) ) table.insert( ofrags, - {chain='PREROUTING', opts='-m socket', target='divert'} + {chain='PREROUTING', match='-m socket', target='divert'} ) return combinations( {{family='inet'}, {family='inet6'}}, diff --git a/awall/optfrag.lua b/awall/optfrag.lua index e24177f5f343b82f73479b90262ce6b7d7e2bce7..cedf42f569deb89e13adbadb52fae61cfca01c32 100644 --- a/awall/optfrag.lua +++ b/awall/optfrag.lua 
@@ -1,6 +1,6 @@ --[[ Option fragment module for Alpine Wall -Copyright (C) 2012-2014 Kaarle Ritvanen +Copyright (C) 2012-2016 Kaarle Ritvanen See LICENSE file for license details ]]-- @@ -24,12 +24,12 @@ function M.combinations(of1, ...) local of = {} for k, v in pairs(x) do - if k ~= 'opts' then of[k] = v end + if k ~= 'match' then of[k] = v end end local match = true for k, v in pairs(y) do - if k ~= 'opts' then + if k ~= 'match' then if of[k] and v ~= of[k] then match = false break @@ -39,10 +39,10 @@ function M.combinations(of1, ...) end if match then - if x.opts then - if y.opts then of.opts = x.opts..' '..y.opts - else of.opts = x.opts end - else of.opts = y.opts end + if x.match then + if y.match then of.match = x.match..' '..y.match + else of.match = x.match end + else of.match = y.match end table.insert(res, of) end end @@ -54,7 +54,7 @@ end function M.location(of) return of.family..'/'..of.table..'/'..of.chain end function M.command(of) - return (of.opts and of.opts..' ' or '').. + return (of.match and of.match..' ' or '').. (of.target and '-j '..of.target or '') end
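Review bot: The local flag `match` in `M.combinations` (`local match = true` in the `@@ -24` hunk, tested by `if match then` in the `@@ -39` hunk) now shares its name with the fragment key, so `if match then if x.match then` reads as though both refer to the same thing. Renaming the flag keeps the two apart: `local compatible = true`, `compatible = false`, `if compatible then`. The function starts before the first of these hunks, so any use of the flag outside the visible lines needs the same rename.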
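Review bot: `M.command` in the `@@ -54` hunk has no comment stating what `of.match` and `of.target` must contain, although both are concatenated straight into the rule text with no escaping. After this rename `match` is also the name of the rule attribute read as `self.match` in awall/model.lua, so the contract is worth spelling out. I would add above the function something like `-- of.match: pre-formatted iptables match options on a single line, trusted as-is; of.target: jump target without the leading "-j"`.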