Commit 97769b17 authored by Kaarle Ritvanen

explicit processing order directives for modules

parent eedc0638
......@@ -9,6 +9,7 @@ module(..., package.seeall)
require 'lfs'
require 'stringy'
require 'awall.dependency'
require 'awall.ipset'
require 'awall.iptables'
require 'awall.model'
......@@ -20,24 +21,21 @@ require 'awall.util'
local optfrag = awall.optfrag
local events
local procorder
local defrules
local achains
function loadmodules(path)
events = {}
classmap = {}
procorder = {}
defrules = {}
achains = {}
local function readmetadata(mod)
for i, clsdef in ipairs(mod.classes or {}) do
local path, cls = unpack(clsdef)
classmap[path] = cls
table.insert(procorder, path)
end
for phase, rules in pairs(mod.defrules or {}) do
if not defrules[phase] then defrules[phase] = {} end
table.insert(defrules[phase], rules)
for name, target in pairs(mod.export or {}) do
events[name] = target
if string.sub(name, 1, 1) ~= '%' then
classmap[name] = target.class
end
end
for name, opts in pairs(mod.achains or {}) do
assert(not achains[name])
......@@ -53,16 +51,20 @@ function loadmodules(path)
local modules = {}
for modfile in lfs.dir((path or '/usr/share/lua/5.1')..'/awall/modules') do
if stringy.endswith(modfile, '.lua') then
table.insert(modules, 'awall.modules.'..string.sub(modfile, 1, -5))
table.insert(modules, string.sub(modfile, 1, -5))
end
end
table.sort(modules)
for i, name in ipairs(modules) do
require(name)
readmetadata(package.loaded[name])
local fname = 'awall.modules.'..name
require(fname)
readmetadata(package.loaded[fname])
end
lfs.chdir(cdir)
events['%modules'] = {before=modules}
procorder = awall.dependency.order(events)
end
......@@ -96,36 +98,34 @@ function Config:init(policyconfig)
end
end
local function insertdefrules(phase)
for i, rulegroup in ipairs(defrules[phase] or {}) do
if type(rulegroup) == 'function' then
insertrules(rulegroup(self.objects))
else insertrules(rulegroup) end
end
end
for i, path in ipairs(procorder) do
local objs = self.objects[path]
if objs then
for k, v in pairs(objs) do
objs[k] = classmap[path].morph(
v,
self,
path..' '..k..' ('..policyconfig.source[path][k]..')'
)
if string.sub(path, 1, 1) ~= '%' then
local objs = self.objects[path]
if objs then
for k, v in pairs(objs) do
objs[k] = classmap[path].morph(
v,
self,
path..' '..k..' ('..policyconfig.source[path][k]..')'
)
end
end
end
end
insertdefrules('pre')
for i, path in ipairs(procorder) do
if self.objects[path] then
for i, rule in ipairs(self.objects[path]) do
for i, event in ipairs(procorder) do
if string.sub(event, 1, 1) == '%' then
local r = events[event].rules
if r then
if type(r) == 'function' then r = r(self.objects) end
assert(type(r) == 'table')
insertrules(r)
end
elseif self.objects[event] then
for i, rule in ipairs(self.objects[event]) do
insertrules(rule:trules())
end
end
insertdefrules('post-'..path)
end
local ofrags = {}
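Review bot: `events['%modules'] = {before=modules}` in the loadmodules hunk seeds the '%modules' barrier with module file basenames (the list is built by `table.insert(modules, string.sub(modfile, 1, -5))`), while the nodes `awall.dependency.order` sorts are the `export` keys collected in readmetadata, and the two do not always coincide in this commit: the NAT module exports 'dnat' and 'snat' under a file whose name no hunk shows, and the masquerade module exports only '%masquerade'. Depending on how order() treats a name that is not a key of `events` (not visible here), those classes either escape the "after ipset" constraint that `before='%modules'` in model.lua is meant to impose, or loading fails on the unknown name. Collecting the export keys per module file inside the require loop states the intent directly and avoids a self-cycle if model.lua's own export is also fed through readmetadata in the lines between the two hunks. Separately, the nested loops at the end of the Config:init hunk reuse `i` for both the event index and the rule index; `_` for the unused ones would avoid the shadowing.
```lua
local modules = {}
local exported = {}
-- … unchanged: directory scan and table.sort(modules) …
for _, name in ipairs(modules) do
   local fname = 'awall.modules.'..name
   require(fname)
   local mod = package.loaded[fname]
   readmetadata(mod)
   for ename in pairs(mod.export or {}) do exported[#exported + 1] = ename end
end
lfs.chdir(cdir)
events['%modules'] = {before=exported}
```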
......@@ -479,5 +479,4 @@ function Rule:newchain(key)
end
classes = {{'zone', Zone}, {'ipset', IPSet}}
export = {zone={class=Zone}, ipset={class=IPSet, before='%modules'}}
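Review bot: The `export` table introduced here, and in every module of this commit, is now the contract readmetadata consumes, but no hunk documents its fields; as this is the base module, a comment above this line would be the natural place, e.g. `-- export: name -> {class=<model class>} for config-driven classes, or {rules=<rule list or function(objects)>} for '%'-prefixed hooks; both take optional before=/after= (a name or a list of names) consumed by awall.dependency.order`. The forms named are exactly the ones the commit uses: `class` here, `rules` as a table in masquerade and as a function in mark, and `before`/`after` as both a string and a list in filter.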
--[[
TCP MSS clamping module for Alpine Wall
Copyright (C) 2012 Kaarle Ritvanen
Copyright (C) 2012-2013 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--
......@@ -25,4 +25,4 @@ function ClampMSSRule:target()
end
classes = {{'clamp-mss', ClampMSSRule}}
export = {['clamp-mss']={class=ClampMSSRule}}
......@@ -192,13 +192,6 @@ local Policy = model.class(Filter)
function Policy:servoptfrags() return nil end
classes = {{'log', Log},
{'filter', Filter},
{'policy', Policy}}
defrules = {}
local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}}
local dar = combinations(fchains,
......@@ -208,32 +201,45 @@ for i, chain in ipairs({'INPUT', 'OUTPUT'}) do
{chain=chain,
opts='-'..string.lower(string.sub(chain, 1, 1))..' lo'})
end
defrules.pre = combinations(dar,
{{table='filter', target='ACCEPT'}},
{{family='inet'}, {family='inet6'}})
dar = combinations(
dar,
{{table='filter', target='ACCEPT'}},
{{family='inet'}, {family='inet6'}}
)
local icmp = {{family='inet', table='filter', opts='-p icmp'}}
local icmp6 = {{family='inet6', table='filter', opts='-p icmpv6'}}
defrules['post-filter'] = combinations(icmp6,
{{chain='INPUT'}, {chain='OUTPUT'}},
{{target='ACCEPT'}})
extend(defrules['post-filter'],
combinations(icmp6, {{chain='FORWARD', target='icmp-routing'}}))
extend(defrules['post-filter'],
combinations(icmp, fchains, {{target='icmp-routing'}}))
local ir = combinations(
icmp6,
{{chain='INPUT'}, {chain='OUTPUT'}},
{{target='ACCEPT'}}
)
extend(ir, combinations(icmp6, {{chain='FORWARD', target='icmp-routing'}}))
extend(ir, combinations(icmp, fchains, {{target='icmp-routing'}}))
local function icmprules(ofrag, oname, types)
extend(defrules['post-filter'],
combinations(ofrag,
{{chain='icmp-routing', target='ACCEPT'}},
util.map(types,
function(t)
return {opts='--'..oname..' '..t}
end)))
extend(
ir,
combinations(ofrag,
{{chain='icmp-routing', target='ACCEPT'}},
util.map(types,
function(t)
return {opts='--'..oname..' '..t}
end))
)
end
icmprules(icmp, 'icmp-type', {3, 11, 12})
icmprules(icmp6, 'icmpv6-type', {1, 2, 3, 4})
export = {
filter={class=Filter, before={'dnat', 'no-track'}},
log={class=Log},
policy={class=Policy, after='%filter-after'},
['%filter-before']={rules=dar, before='filter'},
['%filter-after']={rules=ir, after='filter'}
}
achains = combinations({{chain='tarpit'}},
{{opts='-p tcp', target='TARPIT'},
{target='DROP'}})
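Review bot: The accept rules in `dar` lose their global precedence in this hunk: they used to be `defrules.pre`, inserted before any class was processed, and are now `['%filter-before']={rules=dar, before='filter'}`, which only orders them ahead of 'filter'. `log={class=Log}` carries no constraint at all, so if Log emits filter-table rules into the same chains (its rule generation is not visible here), whether they land before or after the `dar` accepts is now left to `awall.dependency.order`'s tie-breaking rather than stated, and the same holds for any other module that contributes filter-table rules. If the old position is the intended one, `['%filter-before']={rules=dar, before={'filter', 'log'}}` pins it; otherwise a one-line comment saying the accepts only need to precede 'filter' would save the next reader the same question.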
--[[
Packet marking module for Alpine Wall
Copyright (C) 2012 Kaarle Ritvanen
Copyright (C) 2012-2013 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--
......@@ -39,12 +39,7 @@ function RouteTrackRule:extraoptfrags()
end
classes = {{'route-track', RouteTrackRule},
{'mark', MarkRule}}
defrules = {}
function defrules.pre(config)
local function rt(config)
local res = {}
if awall.util.list(config['route-track'])[1] then
for i, family in ipairs({'inet', 'inet6'}) do
......@@ -60,3 +55,9 @@ function defrules.pre(config)
end
return res
end
export = {
mark={class=MarkRule},
['route-track']={class=RouteTrackRule, before='mark'},
['%mark-rt']={rules=rt, before='route-track'}
}
--[[
IPSet-based masquerading module for Alpine Wall
Copyright (C) 2012 Kaarle Ritvanen
Copyright (C) 2012-2013 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--
......@@ -8,11 +8,24 @@ Licensed under the terms of GPL2
module(..., package.seeall)
-- TODO configuration of the ipset via JSON config
defrules = {['post-snat']={{family='inet', table='nat',
chain='POSTROUTING',
opts='-m set --match-set awall-masquerade src',
target='awall-masquerade'},
{family='inet', table='nat',
chain='awall-masquerade',
opts='-m set ! --match-set awall-masquerade dst',
target='MASQUERADE'}}}
export = {
['%masquerade']={
rules={
{
family='inet',
table='nat',
chain='POSTROUTING',
opts='-m set --match-set awall-masquerade src',
target='awall-masquerade'
},
{
family='inet',
table='nat',
chain='awall-masquerade',
opts='-m set ! --match-set awall-masquerade dst',
target='MASQUERADE'
}
},
after='snat'
}
}
--[[
NAT module for Alpine Wall
Copyright (C) 2012 Kaarle Ritvanen
Copyright (C) 2012-2013 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--
......@@ -76,5 +76,7 @@ function SNATRule:init(...)
end
classes = {{'dnat', DNATRule},
{'snat', SNATRule}}
export = {
dnat={class=DNATRule},
snat={class=SNATRule}
}
--[[
Connection tracking bypass module for Alpine Wall
Copyright (C) 2012 Kaarle Ritvanen
Copyright (C) 2012-2013 Kaarle Ritvanen
Licensed under the terms of GPL2
]]--
......@@ -22,4 +22,4 @@ function NoTrackRule:target()
end
classes = {{'no-track', NoTrackRule}}
export = {['no-track']={class=NoTrackRule}}