Commit 8e0c7cb2 authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

eliminate deprecated module style

parent 8d100441
...@@ -6,10 +6,9 @@ Copyright (C) 2012-2014 Kaarle Ritvanen ...@@ -6,10 +6,9 @@ Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details See LICENSE file for license details
]]-- ]]--
require 'alt_getopt' get_opts = require('alt_getopt').get_opts
require 'lfs' signal = require('signal')
require 'signal' stringy = require('stringy')
require 'stringy'
function help() function help()
io.stderr:write([[ io.stderr:write([[
...@@ -78,7 +77,7 @@ if not stringy.startswith(arg[1], '-') then ...@@ -78,7 +77,7 @@ if not stringy.startswith(arg[1], '-') then
table.remove(arg, 1) table.remove(arg, 1)
end end
opts, opind = alt_getopt.get_opts( opts, opind = get_opts(
arg, arg,
'afo:V', 'afo:V',
{all='a', force='f', ['output-dir']='o', verify='V'} {all='a', force='f', ['output-dir']='o', verify='V'}
...@@ -98,12 +97,22 @@ if not mode then ...@@ -98,12 +97,22 @@ if not mode then
end end
require 'awall.util' util = require('awall.util')
util = awall.util contains = util.contains
if not util.contains({'translate', 'activate', 'fallback', 'flush', if not contains(
'enable', 'disable', 'list', 'dump'}, {
mode) then help() end 'translate',
'activate',
'fallback',
'flush',
'enable',
'disable',
'list',
'dump'
},
mode
) then help() end
pol_paths = {} pol_paths = {}
for i, cls in ipairs{'mandatory', 'optional', 'private'} do for i, cls in ipairs{'mandatory', 'optional', 'private'} do
...@@ -119,12 +128,14 @@ if stringy.endswith(arg[0], '/awall-cli') then ...@@ -119,12 +128,14 @@ if stringy.endswith(arg[0], '/awall-cli') then
table.insert(pol_paths.mandatory, basedir..'/json') table.insert(pol_paths.mandatory, basedir..'/json')
end end
local uerror = require('awall.uerror') uerror = require('awall.uerror')
call = uerror.call
if not uerror.call( if not call(
function() function()
require 'awall' local awall = require('awall')
local printtabular = util.printtabular
policyset = awall.PolicySet(pol_paths) policyset = awall.PolicySet(pol_paths)
...@@ -137,7 +148,7 @@ if not uerror.call( ...@@ -137,7 +148,7 @@ if not uerror.call(
if all or policy.type == 'optional' then if all or policy.type == 'optional' then
if policy.enabled then status = 'enabled' if policy.enabled then status = 'enabled'
elseif util.contains(imported, name) then status = 'required' elseif contains(imported, name) then status = 'required'
else status = 'disabled' end else status = 'disabled' end
polinfo = {name, status, policy:load().description} polinfo = {name, status, policy:load().description}
...@@ -151,11 +162,11 @@ if not uerror.call( ...@@ -151,11 +162,11 @@ if not uerror.call(
end end
end end
util.printtabular(data) printtabular(data)
os.exit() os.exit()
end end
if util.contains({'disable', 'enable'}, mode) then if contains({'disable', 'enable'}, mode) then
if opind > #arg then help() end if opind > #arg then help() end
repeat repeat
name = arg[opind] name = arg[opind]
...@@ -178,10 +189,10 @@ if not uerror.call( ...@@ -178,10 +189,10 @@ if not uerror.call(
end end
require 'awall.iptables' local iptables = require('awall.iptables')
if mode == 'dump' then if mode == 'dump' then
require 'json' local json = require('json')
expinput = input:expand() expinput = input:expand()
function capitalize(cls) function capitalize(cls)
...@@ -189,7 +200,7 @@ if not uerror.call( ...@@ -189,7 +200,7 @@ if not uerror.call(
end end
for cls, objs in pairs(input.data) do for cls, objs in pairs(input.data) do
if level > 2 or (level == 2 and cls ~= 'service') or util.contains( if level > 2 or (level == 2 and cls ~= 'service') or contains(
{'variable', 'zone'}, {'variable', 'zone'},
cls cls
) then ) then
...@@ -224,7 +235,7 @@ if not uerror.call( ...@@ -224,7 +235,7 @@ if not uerror.call(
end end
table.sort(items, function(a, b) return a[1] < b[1] end) table.sort(items, function(a, b) return a[1] < b[1] end)
if level == 0 then util.printtabular(items) if level == 0 then printtabular(items)
else else
util.printtabulars( util.printtabulars(
util.map(items, function(x) return x[2] end) util.map(items, function(x) return x[2] end)
...@@ -242,7 +253,9 @@ if not uerror.call( ...@@ -242,7 +253,9 @@ if not uerror.call(
elseif mode == 'activate' then elseif mode == 'activate' then
awall.iptables.backup() local lpc = require('lpc')
iptables.backup()
if not force then if not force then
signal.signal( signal.signal(
...@@ -261,7 +274,6 @@ if not uerror.call( ...@@ -261,7 +274,6 @@ if not uerror.call(
) )
end end
require 'lpc'
pid, stdio, stdout = lpc.run(arg[0], 'fallback') pid, stdio, stdout = lpc.run(arg[0], 'fallback')
stdio:close() stdio:close()
stdout:close() stdout:close()
...@@ -274,11 +286,11 @@ if not uerror.call( ...@@ -274,11 +286,11 @@ if not uerror.call(
end end
function revert() function revert()
awall.iptables.revert() iptables.revert()
os.exit(1) os.exit(1)
end end
if uerror.call(config.activate, config) then if call(config.activate, config) then
if not force then if not force then
io.stderr:write('New firewall configuration activated\n') io.stderr:write('New firewall configuration activated\n')
...@@ -309,13 +321,12 @@ if not uerror.call( ...@@ -309,13 +321,12 @@ if not uerror.call(
signal.signal('SIG'..sig, function() end) signal.signal('SIG'..sig, function() end)
end end
require 'lsleep' require('lsleep').sleep(10)
lsleep.sleep(10)
io.stderr:write('\nTimeout, reverting to the old configuration\n') io.stderr:write('\nTimeout, reverting to the old configuration\n')
awall.iptables.revert() iptables.revert()
elseif mode == 'flush' then awall.iptables.flush() elseif mode == 'flush' then iptables.flush()
else assert(false) end else assert(false) end
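Review bot: The `local` qualifier is dropped at `uerror = require('awall.uerror')`, and the new `call`, `get_opts`, `signal`, `stringy`, `util` and `contains` bindings are all plain globals. Since awall-cli requires the awall modules only after these assignments, a module that forgets its own `local util = require('awall.util')` would silently resolve to the script's global and the omission would stay hidden until the module is loaded from another host. The bindings could be `local uerror = require('awall.uerror')` and `local call = uerror.call`, and likewise `local` for the ones at the top of the file; the closure passed to `call` still sees them as upvalues. `help()` and the closure passed to `call` continue outside the visible hunks.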
...@@ -4,10 +4,9 @@ Copyright (C) 2012-2014 Kaarle Ritvanen ...@@ -4,10 +4,9 @@ Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details See LICENSE file for license details
]]-- ]]--
local Object
module(..., package.seeall) local function class(base)
function class(base)
local cls = {} local cls = {}
function cls.super(obj) function cls.super(obj)
...@@ -42,5 +41,6 @@ function class(base) ...@@ -42,5 +41,6 @@ function class(base)
end end
Object = class() Object = class()
function Object:init(...) end function Object:init(...) end
return class
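Review bot: The module now returns only `class`, so `Object`, which the old `module(..., package.seeall)` exposed as a module field, is no longer reachable by callers. If that is intended, a comment on the `local Object` line such as `-- root base used by class(); intentionally not exported` would record the decision; if any caller relied on `awall.object.Object`, it now needs another way to obtain it. The body of `class` lies outside the visible hunks.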
--[[ --[[
Dependency order resolver for Alpine Wall Dependency order resolver for Alpine Wall
Copyright (C) 2012-2013 Kaarle Ritvanen Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details See LICENSE file for license details
]]-- ]]--
module(..., package.seeall)
local util = require('awall.util') local util = require('awall.util')
local contains = util.contains
function order(items) return function(items)
local visited = {} local visited = {}
local res = {} local res = {}
local function visit(key) local function visit(key)
if util.contains(res, key) then return end if contains(res, key) then return end
if visited[key] then return key end if visited[key] then return key end
visited[key] = true visited[key] = true
local after = util.list(items[key].after) local after = util.list(items[key].after)
for k, v in pairs(items) do for k, v in pairs(items) do
if util.contains(v.before, key) then table.insert(after, k) end if contains(v.before, key) then table.insert(after, k) end
end end
for i, k in ipairs(after) do for i, k in ipairs(after) do
if items[k] then if items[k] then
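Review bot: `return function(items)` replaces the named `order` with an anonymous module-level function, so the resolver has no name to refer to within the file and may show up without one in tracebacks raised from `visit`; the host module's `return function(host, context)` follows the same pattern. Keeping a named local and returning it, `local function order(items) … end` followed by `return order`, preserves the new module interface while keeping the name. The function body continues past the end of the hunk.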
...@@ -5,8 +5,6 @@ See LICENSE file for license details ...@@ -5,8 +5,6 @@ See LICENSE file for license details
]]-- ]]--
module(..., package.seeall)
local familypatterns = {inet='%d[%.%d/]+', local familypatterns = {inet='%d[%.%d/]+',
inet6='[:%x/]+', inet6='[:%x/]+',
domain='[%a-][%.%w-]*'} domain='[%a-][%.%w-]*'}
...@@ -20,7 +18,7 @@ end ...@@ -20,7 +18,7 @@ end
local dnscache = {} local dnscache = {}
function resolve(host, context) return function(host, context)
local family = getfamily(host, context) local family = getfamily(host, context)
if family == 'domain' then if family == 'domain' then
...@@ -4,28 +4,27 @@ Copyright (C) 2012-2014 Kaarle Ritvanen ...@@ -4,28 +4,27 @@ Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details See LICENSE file for license details
]]-- ]]--
module(..., package.seeall)
require 'lfs' local M = {}
require 'stringy'
require 'awall.dependency' local class = require('awall.class')
require 'awall.ipset' local resolve = require('awall.dependency')
require 'awall.iptables' local IPSet = require('awall.ipset')
require 'awall.model' local IPTables = require('awall.iptables').IPTables
require 'awall.object' local optfrag = require('awall.optfrag')
require 'awall.optfrag' M.PolicySet = require('awall.policy')
require 'awall.policy' local util = require('awall.util')
require 'awall.util'
local optfrag = awall.optfrag
local lfs = require('lfs')
local endswith = require('stringy').endswith
local events local events
local procorder local procorder
local achains local achains
function loadmodules(path) function M.loadmodules(path)
events = {} events = {}
achains = {} achains = {}
...@@ -38,10 +37,10 @@ function loadmodules(path) ...@@ -38,10 +37,10 @@ function loadmodules(path)
achains[name] = opts achains[name] = opts
end end
return awall.util.keys(export) return util.keys(export)
end end
readmetadata(model) readmetadata(require('awall.model'))
local cdir = lfs.currentdir() local cdir = lfs.currentdir()
if path then lfs.chdir(path) end if path then lfs.chdir(path) end
...@@ -56,31 +55,27 @@ function loadmodules(path) ...@@ -56,31 +55,27 @@ function loadmodules(path)
local imported = {} local imported = {}
for i, name in ipairs(modules) do for i, name in ipairs(modules) do
require(name) util.extend(imported, readmetadata(require(name)))
awall.util.extend(imported, readmetadata(package.loaded[name]))
end end
lfs.chdir(cdir) lfs.chdir(cdir)
events['%modules'] = {before=imported} events['%modules'] = {before=imported}
procorder = awall.dependency.order(events) procorder = resolve(events)
end end
function loadclass(path) function M.loadclass(path)
assert(path:sub(1, 1) ~= '%') assert(path:sub(1, 1) ~= '%')
return events[path] and events[path].class return events[path] and events[path].class
end end
PolicySet = policy.PolicySet M.Config = class()
Config = object.class()
function Config:init(policyconfig) function M.Config:init(policyconfig)
self.objects = policyconfig:expand() self.objects = policyconfig:expand()
self.iptables = iptables.IPTables() self.iptables = IPTables()
local acfrags = {} local acfrags = {}
...@@ -138,26 +133,29 @@ function Config:init(policyconfig) ...@@ -138,26 +133,29 @@ function Config:init(policyconfig)
for k, v in pairs(acfrags) do table.insert(ofrags, v) end for k, v in pairs(acfrags) do table.insert(ofrags, v) end
insertrules(optfrag.combinations(achains, ofrags)) insertrules(optfrag.combinations(achains, ofrags))
self.ipset = ipset.IPSet(self.objects.ipset) self.ipset = IPSet(self.objects.ipset)
end end
function Config:print() function M.Config:print()
self.ipset:print() self.ipset:print()
print() print()
self.iptables:print() self.iptables:print()
end end
function Config:dump(dir) function M.Config:dump(dir)
self.ipset:dump(dir or '/etc/ipset.d') self.ipset:dump(dir or '/etc/ipset.d')
self.iptables:dump(dir or '/etc/iptables') self.iptables:dump(dir or '/etc/iptables')
end end
function Config:test() function M.Config:test()
self.ipset:create() self.ipset:create()
self.iptables:test() self.iptables:test()
end end
function Config:activate() function M.Config:activate()
self:test() self:test()
self.iptables:activate() self.iptables:activate()
end end
return M
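Review bot: In `M.loadmodules`, `lfs.chdir(cdir)` after the module loop is skipped whenever `require(name)` or `readmetadata` raises, so a module with a syntax error leaves the process in the module directory for the rest of the run; this appears to predate the change but the rewritten loop is the place to address it. Running the loop under `pcall`, restoring the directory, and then re-raising keeps the behaviour on the success path identical. Part of `loadmodules` (between the `lfs.chdir(path)` line and the loop) lies outside the visible hunks.
```lua
   -- … unchanged: module discovery and directory change …
   local imported = {}
   local ok, err = pcall(
      function()
         for i, name in ipairs(modules) do
            util.extend(imported, readmetadata(require(name)))
         end
      end
   )
   lfs.chdir(cdir)
   if not ok then error(err, 0) end
   -- … unchanged: events['%modules'] and procorder …
```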
--[[ --[[
Ipset file dumper for Alpine Wall Ipset file dumper for Alpine Wall
Copyright (C) 2012-2013 Kaarle Ritvanen Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details See LICENSE file for license details
]]-- ]]--
local IPSet = require('awall.class')()
module(..., package.seeall)
require 'awall.object'
IPSet = awall.object.class()
function IPSet:init(config) self.config = config or {} end function IPSet:init(config) self.config = config or {} end
...@@ -47,3 +42,5 @@ function IPSet:dump(ipsdir) ...@@ -47,3 +42,5 @@ function IPSet:dump(ipsdir)
file:close() file:close()
end end
end end
return IPSet
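Review bot: `local IPSet = require('awall.class')()` folds the class construction into the require, which reads differently from the iptables module where `local class = require('awall.class')` is bound first and `class(...)` is called separately. Splitting it the same way, `local class = require('awall.class')` then `local IPSet = class()`, keeps the two modules consistent and makes the empty argument list (no base class) visible. `IPSet:dump` lies mostly outside the visible hunk.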
...@@ -5,20 +5,19 @@ See LICENSE file for license details ...@@ -5,20 +5,19 @@ See LICENSE file for license details
]]-- ]]--
module(..., package.seeall) local class = require('awall.class')
local raise = require('awall.uerror').raise
require 'lfs'
require 'lpc'
require 'awall.object'
require 'awall.uerror'
local util = require('awall.util') local util = require('awall.util')
local sortedkeys = util.sortedkeys local sortedkeys = util.sortedkeys
local class = awall.object.class
local mkdir = require('lfs').mkdir
local lpc = require('lpc')
local M = {}
local families = {inet={cmd='iptables', local families = {inet={cmd='iptables',
file='rules-save', file='rules-save',
procfile='/proc/net/ip_tables_names'}, procfile='/proc/net/ip_tables_names'},
...@@ -26,11 +25,13 @@ local families = {inet={cmd='iptables', ...@@ -26,11 +25,13 @@ local families = {inet={cmd='iptables',
file='rules6-save', file='rules6-save',
procfile='/proc/net/ip6_tables_names'}} procfile='/proc/net/ip6_tables_names'}}
builtin = {filter={'FORWARD', 'INPUT', 'OUTPUT'}, M.builtin = {
mangle={'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'}, filter={'FORWARD', 'INPUT', 'OUTPUT'},
nat={'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'}, mangle={'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
raw={'OUTPUT', 'PREROUTING'}, nat={'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
security={'FORWARD', 'INPUT', 'OUTPUT'}} raw={'OUTPUT', 'PREROUTING'},
security={'FORWARD', 'INPUT', 'OUTPUT'}
}
local backupdir = '/var/run/awall' local backupdir = '/var/run/awall'
...@@ -74,20 +75,20 @@ function BaseIPTables:restore(test) ...@@ -74,20 +75,20 @@ function BaseIPTables:restore(test)
end end
end end
if disabled then awall.uerror.raise('Firewall not enabled in kernel') end if disabled then raise('Firewall not enabled in kernel') end
end end
function BaseIPTables:activate() function BaseIPTables:activate()
flush() M.flush()
self:restore(false) self:restore(false)
end end
function BaseIPTables:test() self:restore(true) end function BaseIPTables:test() self:restore(true) end
IPTables = class(BaseIPTables) M.IPTables = class(BaseIPTables)
function IPTables:init() function M.IPTables:init()
self.config = {} self.config = {}
setmetatable(self.config, setmetatable(self.config,
{__index=function(t, k) {__index=function(t, k)
...@@ -97,7 +98,7 @@ function IPTables:init() ...@@ -97,7 +98,7 @@ function IPTables:init()
end}) end})
end end
function IPTables:dumpfile(family, iptfile) function M.IPTables:dumpfile(family, iptfile)
iptfile:write('# '..families[family].file..' generated by awall\n') iptfile:write('# '..families[family].file..' generated by awall\n')
local tables = self.config[family] local tables = self.config[family]
for i, tbl in sortedkeys(tables) do for i, tbl in sortedkeys(tables) do
...@@ -105,7 +106,7 @@ function IPTables:dumpfile(family, iptfile) ...@@ -105,7 +106,7 @@ function IPTables:dumpfile(family, iptfile)
local chains = tables[tbl] local chains = tables[tbl]
for i, chain in sortedkeys(chains) do for i, chain in sortedkeys(chains) do
local policy = '-' local policy = '-'
if util.contains(builtin[tbl], chain) then if util.contains(M.builtin[tbl], chain) then
policy = tbl == 'filter' and 'DROP' or 'ACCEPT' policy = tbl == 'filter' and 'DROP' or 'ACCEPT'
end end
iptfile:write(':'..chain..' '..policy..' [0:0]\n') iptfile:write(':'..chain..' '..policy..' [0:0]\n')
...@@ -140,22 +141,20 @@ function Backup:dumpfile(family, iptfile) ...@@ -140,22 +141,20 @@ function Backup:dumpfile(family, iptfile)
end end
function backup() function M.backup()
lfs.mkdir(backupdir) mkdir(backupdir)
Current():dump(backupdir) Current():dump(backupdir)
end end
function revert() function M.revert() Backup():activate() end
Backup():activate()
end
function flush() function M.flush()
local empty = IPTables() local empty = M.IPTables()
for family, params in pairs(families) do for family, params in pairs(families) do
local success, lines = pcall(io.lines, params.procfile) local success, lines = pcall(io.lines, params.procfile)
if success then if success then
for tbl in lines do for tbl in lines do
for i, chain in ipairs(builtin[tbl]) do for i, chain in ipairs(M.builtin[tbl]) do
empty.config[family][tbl][chain] = {} empty.config[family][tbl][chain] = {}
end end
end end
...@@ -163,3 +162,5 @@ function flush() ...@@ -163,3 +162,5 @@ function flush()
end end
empty:restore(false) empty:restore(false)
end end
return M
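Review bot: In `M.flush`, `ipairs(M.builtin[tbl])` is evaluated for every table name read from the kernel's `procfile`, and `M.builtin` lists five names; a table not in that list makes `ipairs` raise on a nil argument, so the whole flush (and `BaseIPTables:activate`, which calls `M.flush()` first) aborts instead of skipping the unknown table. A defensive form is `for i, chain in ipairs(M.builtin[tbl] or {}) do`, or an explicit check with a log line if unknown tables should be reported. `M.flush` spans two hunks here; the lines between them are not visible.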
--[[ --[[
TCP MSS clamping module for Alpine Wall TCP MSS clamping module for Alpine Wall
Copyright (C) 2012-2013 Kaarle Ritvanen Copyright (C) 2012-2014 Kaarle Ritvanen
See LICENSE file for license details See LICENSE file for license details
]]-- ]]--
module(..., package.seeall) local model = require('awall.model')
require 'awall.model'
local model = awall.model
local ClampMSSRule = model.class(model.Rule) local ClampMSSRule = model.class(model.Rule)
...@@ -25,4 +21,4 @@ function ClampMSSRule:target() ...@@ -25,4 +21,4 @@ function ClampMSSRule:target()
end end
export = {['clamp-mss']={class=ClampMSSRule, before='tproxy'}} return {export={['clamp-mss']={class=ClampMSSRule, before='tproxy'}}}
...@@ -5,20 +5,23 @@ See LICENSE file for license details ...@@ -5,20 +5,23 @@ See LICENSE file for license details
]]-- ]]--
module(..., package.seeall) local resolve = require('awall.host')
local resolve = require('awall.host').resolve