Commit 9fdf8d72 authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

constrain 'netbios-ns' service to IPv4 only

parent 4313b0b6
......@@ -223,12 +223,7 @@ function Rule:servoptfrags()
if not self.service then return end
local function containskey(tbl, key)
for k, v in pairs(tbl) do if k == key then return true end end
return false
end
local ports = {}
local fports = {inet={}, inet6={}}
local res = {}
for i, serv in ipairs(self.service) do
......@@ -236,16 +231,25 @@ function Rule:servoptfrags()
if not sdef.proto then self:error('Protocol not defined') end
if util.contains({6, 'tcp', 17, 'udp'}, sdef.proto) then
local new = not containskey(ports, sdef.proto)
for family, ports in pairs(fports) do
if not sdef.family or family == sdef.family then
local new = not ports[sdef.proto]
if new then ports[sdef.proto] = {} end
if new or ports[sdef.proto][1] then
if sdef.port then
util.extend(ports[sdef.proto],
util.maplist(sdef.port,
function(p) return string.gsub(p, '-', ':') end))
util.extend(
ports[sdef.proto],
util.maplist(
sdef.port,
function(p) return string.gsub(p, '-', ':') end
)
)
else ports[sdef.proto] = {} end
end
end
end
else
......@@ -263,24 +267,36 @@ function Rule:servoptfrags()
elseif sdef.type then
self:error('Type specification not valid with '..sdef.proto)
end
if sdef.type then opts = opts..' --'..oname..' '..sdef.type end
if sdef.family then
if not family then family = sdef.family
elseif family ~= sdef.family then
self:error(
'Protocol '..sdef.proto..' is incompatible with '..sdef.family
)
end
end
if sdef.type then opts = opts..' --'..oname..' '..sdef.type end
table.insert(res, {family=family, opts=opts})
end
end
end
local popt = ' --'..(self.reverse and 's' or 'd')..'port'
for proto, plist in pairs(ports) do
for family, pports in pairs(fports) do
local ofrags = {}
for proto, ports in pairs(pports) do
local propt = '-p '..proto
if plist[1] then
local len = #plist
if ports[1] then
local len = #ports
repeat
local opts
if len == 1 then
opts = propt..popt..' '..plist[1]
opts = propt..popt..' '..ports[1]
len = 0
else
......@@ -288,22 +304,25 @@ function Rule:servoptfrags()
local pc = 0
repeat
local sep = pc == 0 and '' or ','
local port = plist[1]
local port = ports[1]
pc = pc + (string.find(port, ':') and 2 or 1)
if pc > 15 then break end
opts = opts..sep..port
table.remove(plist, 1)
table.remove(ports, 1)
len = len - 1
until len == 0
end
table.insert(res, {opts=opts})
table.insert(ofrags, {opts=opts})
until len == 0
else table.insert(res, {opts=propt}) end
else table.insert(ofrags, {opts=propt}) end
end
util.extend(res, combinations(ofrags, {{family=family}}))
end
return res
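Review bot: In the second hunk, a service definition whose `family` is anything other than `inet` or `inet6` matches no entry of `fports`, so the `for family, ports in pairs(fports)` loop silently drops it from both families instead of reporting it, while the icmp branch in the third hunk does reject a mismatched family via `self:error`; unless the family value is validated when the model is loaded, a typo in a service definition would make the rule vanish without any diagnostic. A one-line check before the loop would close that gap: `if sdef.family and not fports[sdef.family] then self:error('Invalid family: '..sdef.family) end`. A smaller point in the fourth hunk: iterating `fports` with `pairs` leaves the order of the `inet` and `inet6` fragments in `res` unspecified, so generated rule sets can differ between runs; walking a fixed sequence such as `{'inet', 'inet6'}` and indexing `fports` by it would keep the output deterministic. The body of `Rule:servoptfrags` continues outside the hunks shown.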
......
......@@ -27,6 +27,7 @@ function RelatedRule:servoptfrags()
local helper = sdef['ct-helper']
if helper then
helpers[helper] = {
family=sdef.family,
opts='-m conntrack --ctstate RELATED -m helper --helper '..helper
}
end
......@@ -259,7 +260,7 @@ local fchains = {{chain='FORWARD'}, {chain='INPUT'}, {chain='OUTPUT'}}
function stateful(config)
local res = {}
local families = {{family='inet'}, {family='inet6'}}
for i, family in ipairs{'inet', 'inet6'} do
local er = combinations(
fchains,
......@@ -274,7 +275,10 @@ function stateful(config)
}
)
end
extend(res, combinations(families, er, {{table='filter', target='ACCEPT'}}))
extend(
res,
combinations(er, {{family=family, table='filter', target='ACCEPT'}})
)
-- TODO avoid creating unnecessary CT rules by inspecting the
-- filter rules' target families and chains
......@@ -285,12 +289,17 @@ function stateful(config)
if not visited[serv] then
for i, sdef in listpairs(serv) do
if sdef['ct-helper'] then
local of = model.Rule.morph({service={sdef}}):servoptfrags()
local of = combinations(
model.Rule.morph{service={sdef}}:servoptfrags(),
{{family=family}}
)
if of[1] then
assert(#of == 1)
of[1].target = 'CT --helper '..sdef['ct-helper']
table.insert(ofrags, of[1])
end
end
end
visited[serv] = true
end
end
......@@ -298,12 +307,12 @@ function stateful(config)
extend(
res,
combinations(
families,
{{table='raw'}},
{{chain='PREROUTING'}, {chain='OUTPUT'}},
ofrags
)
)
end
return res
end
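Review bot: The `assert(#of == 1)` and the family filtering in the third hunk depend on how `combinations` treats a fragment whose `family` already differs from the loop's `family`: if it discards the conflicting pair, the inet6 pass yields nothing for the IPv4-only helper, which is the intent of this commit, but if it merges keys with the later value winning, the inet6 pass would emit an ip6tables CT rule for an inet-only service and the assert would not catch it. Since `combinations` is not in the diff I cannot tell which it is; the reliance is worth stating next to the call, e.g. `-- relies on combinations() dropping fragments whose family conflicts with the loop family`. In the first hunk, `helpers` is still keyed by helper name only, so two definitions that share a `ct-helper` but specify different families keep only the family of the last one visited; if that combination is legitimate, the key should include the family.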
......
......@@ -66,8 +66,13 @@
{ "proto": "udp", "port": 138 }
],
"netbios-ns": [
{ "proto": "tcp", "port": 137 },
{ "proto": "udp", "port": 137, "ct-helper": "netbios-ns" }
{ "family": "inet", "proto": "tcp", "port": 137 },
{
"family": "inet",
"proto": "udp",
"port": 137,
"ct-helper": "netbios-ns"
}
],
"netbios-ssn": [
{ "proto": "tcp", "port": 139 },
......