Commit c5056f21 authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

generalize pruning based on address family

eliminates source chains without proper destination chains (e.g. IPv6 addresses
with pass action and ulog)
parent c9c83971
...@@ -16,6 +16,7 @@ local builtin = require('awall.iptables').builtin ...@@ -16,6 +16,7 @@ local builtin = require('awall.iptables').builtin
local optfrag = require('awall.optfrag') local optfrag = require('awall.optfrag')
local FAMILIES = optfrag.FAMILIES local FAMILIES = optfrag.FAMILIES
local combinations = optfrag.combinations local combinations = optfrag.combinations
local prune = optfrag.prune
local raise = require('awall.uerror').raise local raise = require('awall.uerror').raise
...@@ -462,6 +463,8 @@ function M.Rule:combine(ofs1, ofs2, key, unique) ...@@ -462,6 +463,8 @@ function M.Rule:combine(ofs1, ofs2, key, unique)
return extend(map(ofs1, setvar('target')), map(ofs2, setvar('chain'))) return extend(map(ofs1, setvar('target')), map(ofs2, setvar('chain')))
end end
ofs1, ofs2 = prune(ofs1, ofs2)
local chainless = filter(ofs2, function(of) return not of.chain end) local chainless = filter(ofs2, function(of) return not of.chain end)
local created local created
local res = {} local res = {}
...@@ -510,31 +513,6 @@ function M.Rule:trules() ...@@ -510,31 +513,6 @@ function M.Rule:trules()
end end
end end
local families
local function setfamilies(ofrags)
if ofrags then
families = {}
for i, ofrag in ipairs(ofrags) do
if not ofrag.family then
families = nil
return
end
table.insert(families, ofrag.family)
end
else families = nil end
end
local function ffilter(ofrags)
if not ofrags or not ofrags[1] or not families then return ofrags end
return filter(
ofrags,
function(of)
return not of.family or contains(families, of.family)
end
)
end
local ofrags = self:zoneoptfrags() local ofrags = self:zoneoptfrags()
if self.ipset then if self.ipset then
...@@ -587,26 +565,20 @@ function M.Rule:trules() ...@@ -587,26 +565,20 @@ function M.Rule:trules()
tag(ofrags, 'position', self:position()) tag(ofrags, 'position', self:position())
setfamilies(ofrags)
local addrofrags = combinations( local addrofrags = combinations(
self:create(M.Zone, {addr=self.src}):optfrags(self:direction('in')), self:create(M.Zone, {addr=self.src}):optfrags(self:direction('in')),
self:destoptfrags() self:destoptfrags()
) )
if addrofrags then if addrofrags then ofrags = self:combine(ofrags, addrofrags, 'address') end
addrofrags = ffilter(addrofrags)
setfamilies(addrofrags)
ofrags = self:combine(ffilter(ofrags), addrofrags, 'address')
end
ofrags = self:mangleoptfrags(ofrags) ofrags = prune(self:mangleoptfrags(ofrags), ofrags)
local custom = self:customtarget() local custom = self:customtarget()
for _, ofrag in ipairs(ofrags) do for _, ofrag in ipairs(ofrags) do
setdefault(ofrag, 'target', custom or self:target()) setdefault(ofrag, 'target', custom or self:target())
end end
ofrags = self:convertchains(ffilter(ofrags)) ofrags = self:convertchains(ofrags)
tag(ofrags, 'table', self:table(), false) tag(ofrags, 'table', self:table(), false)
local function checkzof(ofrag, dir, chains) local function checkzof(ofrag, dir, chains)
...@@ -621,7 +593,7 @@ function M.Rule:trules() ...@@ -621,7 +593,7 @@ function M.Rule:trules()
end end
ofrags = filter( ofrags = filter(
combinations(ofrags, ffilter(optfrag.FAMILYFRAGS)), combinations(ofrags, optfrag.FAMILYFRAGS),
function(r) return self:trulefilter(r) end function(r) return self:trulefilter(r) end
) )
......
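Review bot: At `ofrags = prune(self:mangleoptfrags(ofrags), ofrags)` only the first of prune's two return values is kept, so the family restriction derived from the pre-mangle `ofrags` narrows the mangled list while the re-pruned `ofrags` result is discarded; that asymmetry is not obvious at the call site and deserves a comment such as `-- prune() returns one list per argument; keep only the mangled list, narrowed to the families present in ofrags`. The same reliance on prune's vararg contract appears in `M.Rule:combine` (`ofs1, ofs2 = prune(ofs1, ofs2)` in the 462 hunk): if either argument can be nil there — the early-return branch just above that line is cut off by the hunk, so I cannot tell — prune's `{...}` would hold a hole and `table.unpack` would return fewer values than assigned, silently leaving `ofs2` nil. If a nil argument is impossible at that point, a short comment or `assert` at the call site would make the precondition explicit. Both enclosing functions, `combine` and `trules`, start and end outside these hunks.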
...@@ -7,10 +7,15 @@ See LICENSE file for license details ...@@ -7,10 +7,15 @@ See LICENSE file for license details
local M = {} local M = {}
local util = require('awall.util')
local map = util.map
local function ffrags(families)
return map(families, function(f) return {family=f} end)
end
M.FAMILIES = {'inet', 'inet6'} M.FAMILIES = {'inet', 'inet6'}
M.FAMILYFRAGS = require('awall.util').map( M.FAMILYFRAGS = ffrags(M.FAMILIES)
M.FAMILIES, function(f) return {family=f} end
)
function M.combinations(of1, ...) function M.combinations(of1, ...)
local arg = {...} local arg = {...}
...@@ -56,6 +61,30 @@ function M.combinations(of1, ...) ...@@ -56,6 +61,30 @@ function M.combinations(of1, ...)
return M.combinations(res, table.unpack(arg)) return M.combinations(res, table.unpack(arg))
end end
function M.prune(...)
local arg = {...}
local families = {}
for i, ofrags in ipairs(arg) do
families[i] = {}
for _, ofrag in ipairs(ofrags) do
if not ofrag.family then
families[i] = false
break
end
families[i][ofrag.family] = true
end
end
local ff
for _, f in ipairs(families) do
ff = M.combinations(ff, f and ffrags(util.keys(f)) or nil)
end
return table.unpack(
map(arg, function(ofs) return M.combinations(ofs, ff) end)
)
end
function M.location(of) return of.family..'/'..of.table..'/'..of.chain end function M.location(of) return of.family..'/'..of.table..'/'..of.chain end
function M.command(of) function M.command(of)
......
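Review bot: `M.prune` builds `arg = {...}` and walks it with `ipairs`, so a nil argument is silently dropped and `table.unpack` hands back fewer values than the caller assigns; since this file already uses `table.unpack` (Lua 5.2+), `table.pack(...)` with `arg.n` keeps each result at its argument's position and lets a nil list pass through as nil. The distinction between an empty list (`families[i] = {}`, which makes `ff` empty and prunes every argument to nothing) and a list containing a family-less fragment (`families[i] = false`, no restriction) is the whole contract of the function and should be stated in an LDoc block above it, describing the return as one list per argument, each reduced to the families present in every family-bearing input. `util.keys(f)` yields families in `pairs` order, so the order of the family fragments in `ff`, and therefore of the generated rules for fragments that had no family, is unspecified; sorting the keys makes the rule dump deterministic, which matters when auditing or diffing generated firewall configurations.
```lua
function M.prune(...)
   local arg = table.pack(...)  -- keeps nil arguments in place (Lua 5.2+)
   local families = {}
   for i = 1, arg.n do
      local ofrags = arg[i]
      -- nil list: no restriction; empty list: restricts to no family at all
      families[i] = ofrags and {} or false
      for _, ofrag in ipairs(ofrags or {}) do
         if not ofrag.family then
            families[i] = false
            break
         end
         families[i][ofrag.family] = true
      end
   end
   local ff
   for i = 1, arg.n do
      local f = families[i]
      if f then
         local keys = util.keys(f)
         table.sort(keys)  -- deterministic family order in the output
         ff = M.combinations(ff, ffrags(keys))
      end
   end
   local res = {}
   for i = 1, arg.n do
      if arg[i] then res[i] = M.combinations(arg[i], ff) end
   end
   return table.unpack(res, 1, arg.n)
end
```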