Commit 8e0c7cb2 authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

eliminate deprecated module style

parent 8d100441
......@@ -6,10 +6,9 @@ Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details
]]--
require 'alt_getopt'
require 'lfs'
require 'signal'
require 'stringy'
get_opts = require('alt_getopt').get_opts
signal = require('signal')
stringy = require('stringy')
function help()
io.stderr:write([[
......@@ -78,7 +77,7 @@ if not stringy.startswith(arg[1], '-') then
table.remove(arg, 1)
end
opts, opind = alt_getopt.get_opts(
opts, opind = get_opts(
arg,
'afo:V',
{all='a', force='f', ['output-dir']='o', verify='V'}
......@@ -98,12 +97,22 @@ if not mode then
end
require 'awall.util'
util = awall.util
util = require('awall.util')
contains = util.contains
if not util.contains({'translate', 'activate', 'fallback', 'flush',
'enable', 'disable', 'list', 'dump'},
mode) then help() end
if not contains(
{
'translate',
'activate',
'fallback',
'flush',
'enable',
'disable',
'list',
'dump'
},
mode
) then help() end
pol_paths = {}
for i, cls in ipairs{'mandatory', 'optional', 'private'} do
......@@ -119,12 +128,14 @@ if stringy.endswith(arg[0], '/awall-cli') then
table.insert(pol_paths.mandatory, basedir..'/json')
end
local uerror = require('awall.uerror')
uerror = require('awall.uerror')
call = uerror.call
if not uerror.call(
if not call(
function()
require 'awall'
local awall = require('awall')
local printtabular = util.printtabular
policyset = awall.PolicySet(pol_paths)
......@@ -137,7 +148,7 @@ if not uerror.call(
if all or policy.type == 'optional' then
if policy.enabled then status = 'enabled'
elseif util.contains(imported, name) then status = 'required'
elseif contains(imported, name) then status = 'required'
else status = 'disabled' end
polinfo = {name, status, policy:load().description}
......@@ -151,11 +162,11 @@ if not uerror.call(
end
end
util.printtabular(data)
printtabular(data)
os.exit()
end
if util.contains({'disable', 'enable'}, mode) then
if contains({'disable', 'enable'}, mode) then
if opind > #arg then help() end
repeat
name = arg[opind]
......@@ -178,10 +189,10 @@ if not uerror.call(
end
require 'awall.iptables'
local iptables = require('awall.iptables')
if mode == 'dump' then
require 'json'
local json = require('json')
expinput = input:expand()
function capitalize(cls)
......@@ -189,7 +200,7 @@ if not uerror.call(
end
for cls, objs in pairs(input.data) do
if level > 2 or (level == 2 and cls ~= 'service') or util.contains(
if level > 2 or (level == 2 and cls ~= 'service') or contains(
{'variable', 'zone'},
cls
) then
......@@ -224,7 +235,7 @@ if not uerror.call(
end
table.sort(items, function(a, b) return a[1] < b[1] end)
if level == 0 then util.printtabular(items)
if level == 0 then printtabular(items)
else
util.printtabulars(
util.map(items, function(x) return x[2] end)
......@@ -242,7 +253,9 @@ if not uerror.call(
elseif mode == 'activate' then
awall.iptables.backup()
local lpc = require('lpc')
iptables.backup()
if not force then
signal.signal(
......@@ -261,7 +274,6 @@ if not uerror.call(
)
end
require 'lpc'
pid, stdio, stdout = lpc.run(arg[0], 'fallback')
stdio:close()
stdout:close()
......@@ -274,11 +286,11 @@ if not uerror.call(
end
function revert()
awall.iptables.revert()
iptables.revert()
os.exit(1)
end
if uerror.call(config.activate, config) then
if call(config.activate, config) then
if not force then
io.stderr:write('New firewall configuration activated\n')
......@@ -309,13 +321,12 @@ if not uerror.call(
signal.signal('SIG'..sig, function() end)
end
require 'lsleep'
lsleep.sleep(10)
require('lsleep').sleep(10)
io.stderr:write('\nTimeout, reverting to the old configuration\n')
awall.iptables.revert()
iptables.revert()
elseif mode == 'flush' then awall.iptables.flush()
elseif mode == 'flush' then iptables.flush()
else assert(false) end
......
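Review bot: `uerror = require('awall.uerror')` and `call = uerror.call`, which replace the old `local uerror = require('awall.uerror')`, drop the `local` qualifier, so two more names land in `_G` even though their only consumer is the closure passed to `call`, which can capture them as upvalues. `local uerror = require('awall.uerror')` and `local call = uerror.call` keep the previous scoping and match the `local awall`/`local printtabular` bindings the same hunk adds inside the callback. The same applies to `get_opts`, `signal`, `stringy`, `util` and `contains` in the two earlier hunks, though the script already relies on globals such as `opts` and `mode`, so that may be deliberate.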
......@@ -4,10 +4,9 @@ Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details
]]--
local Object
module(..., package.seeall)
function class(base)
local function class(base)
local cls = {}
function cls.super(obj)
......@@ -42,5 +41,6 @@ function class(base)
end
Object = class()
function Object:init(...) end
return class
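Review bot: `return class` makes the constructor the module's only value, so `Object` — forward-declared as a local at the top of the file and assigned just above — is no longer reachable by anything that requires this module; if any caller used the old module's `Object` it now silently gets nil (no such caller is visible in this diff). Since `class` is now the whole public surface it deserves a doc block, e.g. `--- Create a class table, optionally inheriting from base.` / `-- @param base class to inherit from (may be nil)` / `-- @return the new class table`. The body of `class` lies between the two hunks and is not shown.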
--[[
Dependency order resolver for Alpine Wall
Copyright (C) 2012-2013 Kaarle Ritvanen
Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details
]]--
module(..., package.seeall)
local util = require('awall.util')
local contains = util.contains
function order(items)
return function(items)
local visited = {}
local res = {}
local function visit(key)
if util.contains(res, key) then return end
if contains(res, key) then return end
if visited[key] then return key end
visited[key] = true
local after = util.list(items[key].after)
for k, v in pairs(items) do
if util.contains(v.before, key) then table.insert(after, k) end
if contains(v.before, key) then table.insert(after, k) end
end
for i, k in ipairs(after) do
if items[k] then
......
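Review bot: `return function(items)` is now the module's entire public surface, yet it carries no doc comment and the visible body only hints at the contract (`items[key].after` is listified, every `v.before` is scanned, and `visit` returns the key on a revisit). A header such as `--- Resolve processing order for items: items[k].after lists keys that must come before k, items[k].before lists keys that must come after k.` would let callers like `resolve(events)` in awall/init.lua use it without reading the algorithm — confirm the before/after direction against the rest of the body, which continues past this hunk. A named local (`local function order(items)` … `return order`) would also match the `local function class` style used in awall/class.lua; the same applies to `return function(host, context)` in awall/host.lua.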
......@@ -5,8 +5,6 @@ See LICENSE file for license details
]]--
module(..., package.seeall)
local familypatterns = {inet='%d[%.%d/]+',
inet6='[:%x/]+',
domain='[%a-][%.%w-]*'}
......@@ -20,7 +18,7 @@ end
local dnscache = {}
function resolve(host, context)
return function(host, context)
local family = getfamily(host, context)
if family == 'domain' then
......
......@@ -4,28 +4,27 @@ Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details
]]--
module(..., package.seeall)
require 'lfs'
require 'stringy'
local M = {}
require 'awall.dependency'
require 'awall.ipset'
require 'awall.iptables'
require 'awall.model'
require 'awall.object'
require 'awall.optfrag'
require 'awall.policy'
require 'awall.util'
local class = require('awall.class')
local resolve = require('awall.dependency')
local IPSet = require('awall.ipset')
local IPTables = require('awall.iptables').IPTables
local optfrag = require('awall.optfrag')
M.PolicySet = require('awall.policy')
local util = require('awall.util')
local optfrag = awall.optfrag
local lfs = require('lfs')
local endswith = require('stringy').endswith
local events
local procorder
local achains
function loadmodules(path)
function M.loadmodules(path)
events = {}
achains = {}
......@@ -38,10 +37,10 @@ function loadmodules(path)
achains[name] = opts
end
return awall.util.keys(export)
return util.keys(export)
end
readmetadata(model)
readmetadata(require('awall.model'))
local cdir = lfs.currentdir()
if path then lfs.chdir(path) end
......@@ -56,31 +55,27 @@ function loadmodules(path)
local imported = {}
for i, name in ipairs(modules) do
require(name)
awall.util.extend(imported, readmetadata(package.loaded[name]))
util.extend(imported, readmetadata(require(name)))
end
lfs.chdir(cdir)
events['%modules'] = {before=imported}
procorder = awall.dependency.order(events)
procorder = resolve(events)
end
function loadclass(path)
function M.loadclass(path)
assert(path:sub(1, 1) ~= '%')
return events[path] and events[path].class
end
PolicySet = policy.PolicySet
Config = object.class()
M.Config = class()
function Config:init(policyconfig)
function M.Config:init(policyconfig)
self.objects = policyconfig:expand()
self.iptables = iptables.IPTables()
self.iptables = IPTables()
local acfrags = {}
......@@ -138,26 +133,29 @@ function Config:init(policyconfig)
for k, v in pairs(acfrags) do table.insert(ofrags, v) end
insertrules(optfrag.combinations(achains, ofrags))
self.ipset = ipset.IPSet(self.objects.ipset)
self.ipset = IPSet(self.objects.ipset)
end
function Config:print()
function M.Config:print()
self.ipset:print()
print()
self.iptables:print()
end
function Config:dump(dir)
function M.Config:dump(dir)
self.ipset:dump(dir or '/etc/ipset.d')
self.iptables:dump(dir or '/etc/iptables')
end
function Config:test()
function M.Config:test()
self.ipset:create()
self.iptables:test()
end
function Config:activate()
function M.Config:activate()
self:test()
self.iptables:activate()
end
return M
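Review bot: In `M.loadmodules`, `util.extend(imported, readmetadata(require(name)))` runs each module's top-level code after `lfs.chdir(path)`, and `lfs.chdir(cdir)` only executes if every `require` and `readmetadata` succeeds; a module that raises leaves the process in `path` for the rest of the run (the old `require(name)` line had the same gap, but this hunk rewrites it). Wrapping the loop in `pcall`, restoring the directory unconditionally and then rethrowing keeps the caller's working directory stable. `loadmodules` begins before this hunk, so `modules` and `readmetadata` are taken from context.
```lua
  local imported = {}
  local ok, err = pcall(function()
    for i, name in ipairs(modules) do
      util.extend(imported, readmetadata(require(name)))
    end
  end)
  -- always restore the caller's directory, even when a module failed to load
  lfs.chdir(cdir)
  if not ok then error(err, 0) end
  events['%modules'] = {before=imported}
  -- … unchanged: procorder = resolve(events) …
```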
--[[
Ipset file dumper for Alpine Wall
Copyright (C) 2012-2013 Kaarle Ritvanen
Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details
]]--
module(..., package.seeall)
require 'awall.object'
IPSet = awall.object.class()
local IPSet = require('awall.class')()
function IPSet:init(config) self.config = config or {} end
......@@ -47,3 +42,5 @@ function IPSet:dump(ipsdir)
file:close()
end
end
return IPSet
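Review bot: `local IPSet = require('awall.class')()` calls the required module's value on the same line, which reads as a double call and differs from how awall/init.lua and awall/iptables.lua bind the same module (`local class = require('awall.class')`, then `class(...)`). Splitting it as `local class = require('awall.class')` / `local IPSet = class()` keeps the three files consistent and gives `class` a name for later use in the file. `return IPSet` now exports the class table directly, which matches `IPSet(self.objects.ipset)` in awall/init.lua.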
......@@ -5,20 +5,19 @@ See LICENSE file for license details
]]--
module(..., package.seeall)
require 'lfs'
require 'lpc'
require 'awall.object'
require 'awall.uerror'
local class = require('awall.class')
local raise = require('awall.uerror').raise
local util = require('awall.util')
local sortedkeys = util.sortedkeys
local class = awall.object.class
local mkdir = require('lfs').mkdir
local lpc = require('lpc')
local M = {}
local families = {inet={cmd='iptables',
file='rules-save',
procfile='/proc/net/ip_tables_names'},
......@@ -26,11 +25,13 @@ local families = {inet={cmd='iptables',
file='rules6-save',
procfile='/proc/net/ip6_tables_names'}}
builtin = {filter={'FORWARD', 'INPUT', 'OUTPUT'},
mangle={'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
nat={'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
raw={'OUTPUT', 'PREROUTING'},
security={'FORWARD', 'INPUT', 'OUTPUT'}}
M.builtin = {
filter={'FORWARD', 'INPUT', 'OUTPUT'},
mangle={'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
nat={'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
raw={'OUTPUT', 'PREROUTING'},
security={'FORWARD', 'INPUT', 'OUTPUT'}
}
local backupdir = '/var/run/awall'
......@@ -74,20 +75,20 @@ function BaseIPTables:restore(test)
end
end
if disabled then awall.uerror.raise('Firewall not enabled in kernel') end
if disabled then raise('Firewall not enabled in kernel') end
end
function BaseIPTables:activate()
flush()
M.flush()
self:restore(false)
end
function BaseIPTables:test() self:restore(true) end
IPTables = class(BaseIPTables)
M.IPTables = class(BaseIPTables)
function IPTables:init()
function M.IPTables:init()
self.config = {}
setmetatable(self.config,
{__index=function(t, k)
......@@ -97,7 +98,7 @@ function IPTables:init()
end})
end
function IPTables:dumpfile(family, iptfile)
function M.IPTables:dumpfile(family, iptfile)
iptfile:write('# '..families[family].file..' generated by awall\n')
local tables = self.config[family]
for i, tbl in sortedkeys(tables) do
......@@ -105,7 +106,7 @@ function IPTables:dumpfile(family, iptfile)
local chains = tables[tbl]
for i, chain in sortedkeys(chains) do
local policy = '-'
if util.contains(builtin[tbl], chain) then
if util.contains(M.builtin[tbl], chain) then
policy = tbl == 'filter' and 'DROP' or 'ACCEPT'
end
iptfile:write(':'..chain..' '..policy..' [0:0]\n')
......@@ -140,22 +141,20 @@ function Backup:dumpfile(family, iptfile)
end
function backup()
lfs.mkdir(backupdir)
function M.backup()
mkdir(backupdir)
Current():dump(backupdir)
end
function revert()
Backup():activate()
end
function M.revert() Backup():activate() end
function flush()
local empty = IPTables()
function M.flush()
local empty = M.IPTables()
for family, params in pairs(families) do
local success, lines = pcall(io.lines, params.procfile)
if success then
for tbl in lines do
for i, chain in ipairs(builtin[tbl]) do
for i, chain in ipairs(M.builtin[tbl]) do
empty.config[family][tbl][chain] = {}
end
end
......@@ -163,3 +162,5 @@ function flush()
end
empty:restore(false)
end
return M
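Review bot: In `M.flush`, `for i, chain in ipairs(M.builtin[tbl]) do` indexes `M.builtin` with every table name read from `params.procfile`; a name the kernel lists that is not among the five keys of `M.builtin` yields nil and `ipairs(nil)` raises, aborting the flush after the file has already been opened. `for i, chain in ipairs(M.builtin[tbl] or {}) do` (or skipping unknown tables explicitly) keeps the loop total. Separately, with `module(..., package.seeall)` gone, any bare assignments to `BaseIPTables`, `Current` or `Backup` — whose declarations lie outside these hunks — now land in `_G` rather than in a module table; worth confirming they are declared `local`.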
--[[
TCP MSS clamping module for Alpine Wall
Copyright (C) 2012-2013 Kaarle Ritvanen
Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details
]]--
module(..., package.seeall)
require 'awall.model'
local model = awall.model
local model = require('awall.model')
local ClampMSSRule = model.class(model.Rule)
......@@ -25,4 +21,4 @@ function ClampMSSRule:target()
end
export = {['clamp-mss']={class=ClampMSSRule, before='tproxy'}}
return {export={['clamp-mss']={class=ClampMSSRule, before='tproxy'}}}
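Review bot: The table returned here is the module's only contract with `M.loadmodules` in awall/init.lua, which passes `require(name)` to `readmetadata` and reads its `export` (and, judging by `achains[name] = opts` there, `achains`) fields, yet nothing in this file says which keys are recognized. A header comment such as `-- Module metadata consumed by awall.loadmodules: export maps rule names to {class=, before=, after=}; achains (optional) lists extra chains.` would document the shape; the same applies to the `return {export=…}` blocks in the filter, log, mark and masquerade modules.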
......@@ -5,20 +5,23 @@ See LICENSE file for license details
]]--
module(..., package.seeall)
local resolve = require('awall.host')
local resolve = require('awall.host').resolve
local model = require('awall.model')
local class = model.class
local Rule = model.Rule
local combinations = require('awall.optfrag').combinations
local util = require('awall.util')
local contains = util.contains
local extend = util.extend
local listpairs = util.listpairs
local RECENT_MAX_COUNT = 20
local RelatedRule = model.class(model.Rule)
local RelatedRule = class(Rule)
function RelatedRule:servoptfrags()
local helpers = {}
......@@ -39,7 +42,7 @@ end
function RelatedRule:target() return 'ACCEPT' end
local Filter = model.class(model.Rule)
local Filter = class(Rule)
function Filter:init(...)
Filter.super(self):init(...)
......@@ -47,7 +50,7 @@ function Filter:init(...)
if not self.action then self.action = 'accept' end
-- alpine v2.4 compatibility
if util.contains({'logdrop', 'logreject'}, self.action) then
if contains({'logdrop', 'logreject'}, self.action) then
self:warning('Deprecated action: '..self.action)
self.action = self.action:sub(4, -1)
end
......@@ -176,7 +179,7 @@ end
function Filter:actiontarget()
if self.action == 'tarpit' then return 'tarpit' end
if util.contains({'accept', 'drop', 'reject'}, self.action) then
if contains({'accept', 'drop', 'reject'}, self.action) then
return self.action:upper()
end
self:error('Invalid filter action: '..self.action)
......@@ -250,14 +253,14 @@ end
local Policy = model.class(Filter)
local Policy = class(Filter)
function Policy:servoptfrags() return nil end
local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}}
function stateful(config)
local function stateful(config)
local res = {}
for i, family in ipairs{'inet', 'inet6'} do
......@@ -286,7 +289,7 @@ function stateful(config)
for i, sdef in listpairs(serv) do
if sdef['ct-helper'] then
local of = combinations(
model.Rule.morph{service={sdef}}:servoptfrags(),
Rule.morph{service={sdef}}:servoptfrags(),
{{family=family}}
)
if of[1] then
......@@ -337,14 +340,14 @@ end
icmprules(icmp, 'icmp-type', {3, 11, 12})
icmprules(icmp6, 'icmpv6-type', {1, 2, 3, 4})
export = {
filter={class=Filter, before={'dnat', 'no-track'}},
policy={class=Policy, after='%filter-after'},
['%filter-before']={rules=stateful, before='filter'},
['%filter-after']={rules=ir, after='filter'}
return {
export={
filter={class=Filter, before={'dnat', 'no-track'}},
policy={class=Policy, after='%filter-after'},
['%filter-before']={rules=stateful, before='filter'},
['%filter-after']={rules=ir, after='filter'}
},
achains=combinations(
{{chain='tarpit'}}, {{opts='-p tcp', target='TARPIT'}, {target='DROP'}}
)
}
achains = combinations({{chain='tarpit'}},
{{opts='-p tcp', target='TARPIT'},
{target='DROP'}})
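Review bot: `local function stateful(config)` turns a former module-level function into a local, so it is only visible to code that appears after it; the `rules=stateful` reference in the returned table is fine, but any function defined earlier in the file that calls `stateful` by name (none is visible in these hunks) would now resolve it as a missing global and fail at call time, whereas the old `module()` environment resolved such calls lazily. A quick search of the file for other `stateful` uses before merging would settle it. The body of `stateful` continues past its hunk.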
......@@ -5,13 +5,13 @@ See LICENSE file for license details
]]--
module(..., package.seeall)
local model = require('awall.model')
local class = model.class
local combinations = require('awall.optfrag').combinations
local Log = model.class(model.ConfigObject)
local Log = class(model.ConfigObject)
function Log:matchofrag()
local selector, opts
......@@ -78,7 +78,7 @@ function Log.get(rule, spec, default)
end
local LogRule = model.class(model.Rule)
local LogRule = class(model.Rule)
function LogRule:init(...)
LogRule.super(self):init(...)
......@@ -95,7 +95,9 @@ end
function LogRule:target() return self.log:target() end
export = {
log={class=Log},
['packet-log']={class=LogRule, after='%filter-after'}
return {
export={
log={class=Log}, ['packet-log']={class=LogRule, after='%filter-after'}
}
}
......@@ -5,13 +5,11 @@ See LICENSE file for license details
]]--
module(..., package.seeall)
local model = require('awall.model')
local class = model.class
local combinations = require('awall.optfrag').combinations
local util = require('awall.util')
local list = require('awall.util').list
local MarkRule = class(model.Rule)
......@@ -45,7 +43,7 @@ end
local function restoremark(config)
if util.list(config['route-track'])[1] then
if list(config['route-track'])[1] then
return combinations(
{{family='inet'}, {family='inet6'}},
{{chain='OUTPUT'}, {chain='PREROUTING'}},
......@@ -61,8 +59,10 @@ local function restoremark(config)
end
export = {
mark={class=MarkRule},
['route-track']={class=RouteTrackRule, before='mark'},
['%mark-restore']={rules=restoremark, before='route-track'}
return {
export={
mark={class=MarkRule},
['route-track']={class=RouteTrackRule, before='mark'},
['%mark-restore']={rules=restoremark, before='route-track'}
}
}
--[[
IPSet-based masquerading module for Alpine Wall
Copyright (C) 2012-2013 Kaarle Ritvanen
Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details
]]--
module(..., package.seeall)
-- TODO configuration of the ipset via JSON config
export = {
['%masquerade']={
rules={
{
family='inet',
table='nat',
chain='POSTROUTING',
opts='-m set --match-set awall-masquerade src',
target='awall-masquerade'
return {
export={
['%masquerade']={
rules={
{
family='inet',
table='nat',
chain='POSTROUTING',
opts='-m set --match-set awall-masquerade src',
target='awall-masquerade'
},
{
family='inet',
table='nat',
chain='awall-masquerade',