summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorFĂ©lix Sipma2016-02-04 17:40:09 +0100
committerJoey Hess2016-02-25 17:20:02 -0400
commita0e901dfc39bd465fe1d64a3a895b79341263264 (patch)
tree9a9d8a936ebc14af6808bd6fe86f875f95e30f52 /src
parentbd84117979a8e934d0c0922aca4eef27815155f8 (diff)
Firewall: add Table (api change)
(cherry picked from commit 202f9c282ee34897461dc56a79e607244c94cd99)
Diffstat (limited to 'src')
-rw-r--r--src/Propellor/Property/Firewall.hs79
1 files changed, 70 insertions, 9 deletions
diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs
index b90f588a..4498b82d 100644
--- a/src/Propellor/Property/Firewall.hs
+++ b/src/Propellor/Property/Firewall.hs
@@ -6,10 +6,16 @@ module Propellor.Property.Firewall (
rule,
installed,
Chain(..),
- Target(..),
+ Table(..),
+ TargetFilter(..),
+ TargetNat(..),
+ TargetMangle(..),
+ TargetRaw(..),
+ TargetSecurity(..),
Proto(..),
Rules(..),
- ConnectionState(..)
+ ConnectionState(..),
+ IPWithMask(..)
) where
import Data.Monoid
@@ -23,7 +29,7 @@ import qualified Propellor.Property.Network as Network
installed :: Property NoInfo
installed = Apt.installed ["iptables"]
-rule :: Chain -> Target -> Rules -> Property NoInfo
+rule :: Chain -> Table -> Rules -> Property NoInfo
rule c t rs = property ("firewall rule: " <> show r) addIpTable
where
r = Rule c t rs
@@ -39,7 +45,7 @@ rule c t rs = property ("firewall rule: " <> show r) addIpTable
toIpTable :: Rule -> [CommandParam]
toIpTable r = map Param $
show (ruleChain r) :
- toIpTableArg (ruleRules r) ++ [ "-j" , fromTarget $ ruleTarget r ]
+ toIpTableArg (ruleRules r) ++ toIpTableTable (ruleTable r)
toIpTableArg :: Rules -> [String]
toIpTableArg Everything = []
@@ -74,19 +80,74 @@ fromIPWithMask (IPWithNumMask ip m) = fromIPAddr ip ++ "/" ++ show m
data Rule = Rule
{ ruleChain :: Chain
- , ruleTarget :: Target
+ , ruleTable :: Table
, ruleRules :: Rules
} deriving (Eq, Show)
+data Table = Filter TargetFilter | Nat TargetNat | Mangle TargetMangle | Raw TargetRaw | Security TargetSecurity
+ deriving (Eq, Show)
+
+toIpTableTable :: Table -> [String]
+toIpTableTable f = ["-t", table, "-j", target]
+ where
+ (table, target) = toIpTableTable' f
+
+toIpTableTable' :: Table -> (String, String)
+toIpTableTable' (Filter target) = ("filter", fromTargetFilter target)
+toIpTableTable' (Nat target) = ("nat", fromTargetNat target)
+toIpTableTable' (Mangle target) = ("mangle", fromTargetMangle target)
+toIpTableTable' (Raw target) = ("raw", fromTargetRaw target)
+toIpTableTable' (Security target) = ("security", fromTargetSecurity target)
+
data Chain = INPUT | OUTPUT | FORWARD
deriving (Eq, Show)
-data Target = ACCEPT | REJECT | DROP | LOG | CustomTarget String
+data TargetFilter = ACCEPT | REJECT | DROP | LOG | FilterCustom String
+ deriving (Eq, Show)
+
+fromTargetFilter :: TargetFilter -> String
+fromTargetFilter ACCEPT = "ACCEPT"
+fromTargetFilter REJECT = "REJECT"
+fromTargetFilter DROP = "DROP"
+fromTargetFilter LOG = "LOG"
+fromTargetFilter (FilterCustom f) = f
+
+data TargetNat = NatPREROUTING | NatOUTPUT | NatPOSTROUTING | NatCustom String
+ deriving (Eq, Show)
+
+fromTargetNat :: TargetNat -> String
+fromTargetNat NatPREROUTING = "PREROUTING"
+fromTargetNat NatOUTPUT = "OUTPUT"
+fromTargetNat NatPOSTROUTING = "POSTROUTING"
+fromTargetNat (NatCustom f) = f
+
+data TargetMangle = ManglePREROUTING | MangleOUTPUT | MangleINPUT | MangleFORWARD | ManglePOSTROUTING | MangleCustom String
+ deriving (Eq, Show)
+
+fromTargetMangle :: TargetMangle -> String
+fromTargetMangle ManglePREROUTING = "PREROUTING"
+fromTargetMangle MangleOUTPUT = "OUTPUT"
+fromTargetMangle MangleINPUT = "INPUT"
+fromTargetMangle MangleFORWARD = "FORWARD"
+fromTargetMangle ManglePOSTROUTING = "POSTROUTING"
+fromTargetMangle (MangleCustom f) = f
+
+data TargetRaw = RawPREROUTING | RawOUTPUT | RawCustom String
+ deriving (Eq, Show)
+
+fromTargetRaw :: TargetRaw -> String
+fromTargetRaw RawPREROUTING = "PREROUTING"
+fromTargetRaw RawOUTPUT = "OUTPUT"
+fromTargetRaw (RawCustom f) = f
+
+data TargetSecurity = SecurityINPUT | SecurityOUTPUT | SecurityFORWARD | SecurityCustom String
deriving (Eq, Show)
-fromTarget :: Target -> String
-fromTarget (CustomTarget ct) = ct
-fromTarget t = show t
+fromTargetSecurity :: TargetSecurity -> String
+fromTargetSecurity SecurityINPUT = "INPUT"
+fromTargetSecurity SecurityOUTPUT = "OUTPUT"
+fromTargetSecurity SecurityFORWARD = "FORWARD"
+fromTargetSecurity (SecurityCustom f) = f
data Proto = TCP | UDP | ICMP
deriving (Eq, Show)