Commit ea47a4aa authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

remove rule type-specific handling of zones and chains

parent d44d633a
......@@ -22,12 +22,11 @@ local families = {inet={cmd='iptables',
file='rules6-save',
procfile='/proc/net/ip6_tables_names'}}
local builtin = {filter={'FORWARD', 'INPUT', 'OUTPUT'},
mangle={'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING',
'PREROUTING'},
nat={'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
raw={'OUTPUT', 'PREROUTING'},
security={'FORWARD', 'INPUT', 'OUTPUT'}}
builtin = {filter={'FORWARD', 'INPUT', 'OUTPUT'},
mangle={'FORWARD', 'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
nat={'INPUT', 'OUTPUT', 'POSTROUTING', 'PREROUTING'},
raw={'OUTPUT', 'PREROUTING'},
security={'FORWARD', 'INPUT', 'OUTPUT'}}
local backupdir = '/var/run/awall'
......
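Review bot: `builtin` loses its `local` so that awall.model can read it as `awall.iptables.builtin` (presumably the bare assignment becomes a module field through `module(..., package.seeall)`, as in the sibling files), but nothing at the definition says it is now part of the module's interface, and the next maintainer running luacheck will see an accidental global and put the `local` back. A comment above the assignment would make the intent explicit: `-- exported: builtin chains of each table, consulted by awall.model when mapping rule chains`. If the file still relies on module(), that comment is the only place the export is documented.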
......@@ -9,9 +9,10 @@ module(..., package.seeall)
require 'awall'
require 'awall.host'
require 'awall.util'
require 'awall.iptables'
require 'awall.object'
require 'awall.optfrag'
require 'awall.util'
local util = awall.util
local combinations = awall.optfrag.combinations
......@@ -118,8 +119,6 @@ function Rule:init(...)
end
end
function Rule:defaultzones() return {nil, fwzone} end
function Rule:zoneoptfrags()
......@@ -139,6 +138,17 @@ function Rule:zoneoptfrags()
chain = string.upper(dir)..'PUT'
ofrags = zofs(z, dir)
elseif not zin or not zout then
if zin then
chain = 'PREROUTING'
ofrags = zofs(zin, 'in')
elseif zout then
chain = 'POSTROUTING'
ofrags = zofs(zout, 'out')
end
else
chain = 'FORWARD'
ofrags = combinations(zofs(zin, 'in'), zofs(zout, 'out'))
......@@ -152,16 +162,14 @@ function Rule:zoneoptfrags()
end
end
if not ofrags then ofrags = {{}} end
for i, ofrag in ipairs(ofrags) do ofrag.fchain = chain end
return ofrags
return combinations(ofrags,
chain and {{chain=chain}} or {{chain='PREROUTING'},
{chain='OUTPUT'}})
end
local res = {}
local izones = self['in'] or self:defaultzones()
local ozones = self.out or self:defaultzones()
local izones = self['in'] or {}
local ozones = self.out or {}
for i = 1,math.max(1, table.maxn(izones)) do
for j = 1,math.max(1, table.maxn(ozones)) do
......@@ -248,8 +256,6 @@ end
function Rule:table() return 'filter' end
function Rule:chain() return nil end
function Rule:position() return 'append' end
function Rule:target()
......@@ -327,7 +333,6 @@ function Rule:trules()
res = combinations(res, self:servoptfrags())
setfamilies(res)
tag(res, 'chain', self:chain())
local addrofrags = combinations(self:create(Zone, {addr=self.src}):optfrags('in'),
self:destoptfrags())
......@@ -366,7 +371,42 @@ function Rule:trules()
util.extend(res, ffilter(self:extraoptfrags()))
tag(res, 'table', self:table(), false)
local tbl = self:table()
local function convertchains(ofrags)
local res = {}
for i, ofrag in ipairs(ofrags) do
if util.contains(awall.iptables.builtin[tbl], ofrag.chain) then
table.insert(res, ofrag)
else
local chains
if ofrag.chain == 'PREROUTING' then chains = {'FORWARD', 'INPUT'}
elseif ofrag.chain == 'POSTROUTING' then
chains = {'FORWARD', 'OUTPUT'}
elseif util.contains({'INPUT', 'FORWARD'}, ofrag.chain) then
chains = {'PREROUTING'}
end
if chains then
ofrag.chain = nil
util.extend(res,
convertchains(combinations({ofrag},
util.map(chains,
function(c)
return {chain=c}
end))))
else table.insert(res, ofrag) end
end
end
return res
end
res = convertchains(res)
tag(res, 'table', tbl, false)
local function checkzof(ofrag, dir, chains)
if ofrag[dir] and util.contains(chains, ofrag.chain) then
......@@ -401,21 +441,5 @@ function Rule:newchain(key)
end
ForwardOnlyRule = class(Rule)
function ForwardOnlyRule:init(...)
Rule.init(self, unpack(arg))
for i, dir in ipairs({'in', 'out'}) do
if self[dir] and util.contains(self[dir], fwzone) then
self:error('Not applicable to the firewall zone')
end
end
end
function ForwardOnlyRule:defaultzones() return {nil} end
function ForwardOnlyRule:chain() return 'PREROUTING' end
classes = {{'zone', Zone}}
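Review bot: In the new `convertchains` (hunk `@@ -366,7 +371,42 @@`), `awall.iptables.builtin[tbl]` is looked up for every fragment and is nil when `self:table()` returns a name outside that map, so a subclass with a bad table name fails inside `util.contains` with a raw Lua error instead of the rule's own `self:error`. Hoisting the lookup out of the loop avoids both the repeated indexing and the obscure failure: `local bchains = awall.iptables.builtin[tbl] or self:error('Invalid table: '..tostring(tbl))` followed by `if util.contains(bchains, ofrag.chain) then`, assuming `self:error` raises as its use elsewhere in this file suggests. The recursion terminates only because every table in awall.iptables.builtin contains either PREROUTING or both FORWARD and INPUT (PREROUTING maps to FORWARD and INPUT, which map back to PREROUTING), which deserves a one-line comment above the helper since an edit to that map could make it loop forever. Rule:trules begins before and continues after this hunk.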
......@@ -12,12 +12,10 @@ require 'awall.model'
local model = awall.model
local ClampMSSRule = model.class(model.ForwardOnlyRule)
local ClampMSSRule = model.class(model.Rule)
function ClampMSSRule:table() return 'mangle' end
function ClampMSSRule:chain() return 'POSTROUTING' end
function ClampMSSRule:servoptfrags()
return {{opts='-p tcp --tcp-flags SYN,RST SYN'}}
end
......
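Review bot: Dropping `ClampMSSRule:chain` means a clamp-MSS rule that names only an `in` zone now ends up in mangle PREROUTING (every mangle chain is builtin, so the chain conversion in model.lua leaves it there), and a rule with no zones lands in PREROUTING and OUTPUT. The rule's target is not visible in this hunk, but if it is TCPMSS, iptables accepts that target only in the FORWARD, OUTPUT and POSTROUTING chains, so such a rule would be rejected when the generated rules are loaded rather than at configuration time. A `trules` override modelled on `NATRule:trules` in nat.lua would report it as a rule error; it needs `require 'awall.util'` if this file does not already have it.
```lua
function ClampMSSRule:trules()
   local res = {}
   for i, ofrags in ipairs(model.Rule.trules(self)) do
      -- the TCPMSS target hooks only FORWARD, OUTPUT and POSTROUTING
      if not awall.util.contains({'FORWARD', 'OUTPUT', 'POSTROUTING'}, ofrags.chain) then
         self:error('Inappropriate zone definitions for a clamp-mss rule')
      end
      table.insert(res, ofrags)
   end
   return res
end
```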
......@@ -14,7 +14,7 @@ require 'awall.util'
local model = awall.model
local MarkRule = model.class(model.ForwardOnlyRule)
local MarkRule = model.class(model.Rule)
function MarkRule:table() return 'mangle' end
......
......@@ -8,15 +8,19 @@ Licensed under the terms of GPL2
module(..., package.seeall)
require 'awall.model'
require 'awall.util'
local model = awall.model
local NATRule = model.class(model.ForwardOnlyRule)
local NATRule = model.class(model.Rule)
function NATRule:trules()
local res = {}
for i, ofrags in ipairs(model.ForwardOnlyRule.trules(self)) do
for i, ofrags in ipairs(model.Rule.trules(self)) do
if not awall.util.contains(self.params.chains, ofrags.chain) then
self:error('Inappropriate zone definitions for a '..self.params.target..' rule')
end
if ofrags.family == 'inet' then table.insert(res, ofrags) end
end
return res
......@@ -24,10 +28,8 @@ end
function NATRule:table() return 'nat' end
function NATRule:chain() return self.params.chain end
function NATRule:target()
if self.action then return model.ForwardOnlyRule.target(self) end
if self.action then return model.Rule.target(self) end
local target
if self['ip-range'] then
......@@ -44,7 +46,8 @@ local DNATRule = model.class(NATRule)
function DNATRule:init(...)
NATRule.init(self, unpack(arg))
self.params = {forbidif='out', subject='destination',
chain='PREROUTING', target='DNAT', deftarget='REDIRECT'}
chains={'INPUT', 'PREROUTING'},
target='DNAT', deftarget='REDIRECT'}
end
......@@ -53,7 +56,8 @@ local SNATRule = model.class(NATRule)
function SNATRule:init(...)
NATRule.init(self, unpack(arg))
self.params = {forbidif='in', subject='source',
chain='POSTROUTING', target='SNAT', deftarget='MASQUERADE'}
chains={'OUTPUT', 'POSTROUTING'},
target='SNAT', deftarget='MASQUERADE'}
end
......
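Review bot: The new chain check in `NATRule:trules` (hunk `@@ -8,15 +8,19 @@`) turns a zone-less NAT rule into an error: with no `in`/`out` zone, Rule:zoneoptfrags now emits one PREROUTING and one OUTPUT fragment, and since `self.params.chains` is `{'INPUT', 'PREROUTING'}` for DNAT and `{'OUTPUT', 'POSTROUTING'}` for SNAT, one of the two always fails `awall.util.contains` and `self:error` fires. Before this commit the removed `ForwardOnlyRule:defaultzones` returned `{nil}` and the chain was forced to `self.params.chain`, so an SNAT rule without `out` appears to have been accepted as a POSTROUTING rule. If that usage is meant to stay legal, the loop should keep only the fragments whose chain is allowed, `if awall.util.contains(self.params.chains, ofrags.chain) and ofrags.family == 'inet' then table.insert(res, ofrags) end`, and raise the error only when `res` ends up empty; if the new strictness is intended, the commit message should say so.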
......@@ -12,12 +12,12 @@ require 'awall.model'
local model = awall.model
local NoTrackRule = model.class(model.ForwardOnlyRule)
local NoTrackRule = model.class(model.Rule)
function NoTrackRule:table() return 'raw' end
function NoTrackRule:target()
if self.action then return model.ForwardOnlyRule.target(self) end
if self.action then return model.Rule.target(self) end
return 'NOTRACK'
end
......