From 3abf0af94cd7cf4d0c0666a40deff43ca590a597 Mon Sep 17 00:00:00 2001
From: FĂ©lix Sipma
Date: Mon, 29 Feb 2016 08:59:58 +0100
Subject: Firewall: separate Table and Target

(cherry picked from commit c97f1308739aa7877aac2f3c949c4aadf2266775)
---
 src/Propellor/Property/Firewall.hs | 125 +++++++++++++++++++------------------
 1 file changed, 65 insertions(+), 60 deletions(-)

(limited to 'src/Propellor/Property/Firewall.hs')

diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs
index eefc8342..62adf33a 100644
--- a/src/Propellor/Property/Firewall.hs
+++ b/src/Propellor/Property/Firewall.hs
@@ -7,11 +7,7 @@ module Propellor.Property.Firewall (
 	installed,
 	Chain(..),
 	Table(..),
-	TargetFilter(..),
-	TargetNat(..),
-	TargetMangle(..),
-	TargetRaw(..),
-	TargetSecurity(..),
+	Target(..),
 	Proto(..),
 	Rules(..),
 	ConnectionState(..),
@@ -30,10 +26,10 @@ import qualified Propellor.Property.Network as Network
 installed :: Property NoInfo
 installed = Apt.installed ["iptables"]
 
-rule :: Chain -> Table -> Rules -> Property NoInfo
-rule c t rs = property ("firewall rule: " <> show r) addIpTable
+rule :: Chain -> Table -> Target -> Rules -> Property NoInfo
+rule c tb tg rs = property ("firewall rule: " <> show r) addIpTable
   where
-	r = Rule c t rs
+	r = Rule c tb tg rs
 	addIpTable = liftIO $ do
 		let args = toIpTable r
 		exist <- boolSystem "iptables" (chk args)
@@ -45,8 +41,9 @@ rule c t rs = property ("firewall rule: " <> show r) addIpTable
 
 toIpTable :: Rule -> [CommandParam]
 toIpTable r = map Param $
-	show (ruleChain r) :
-	toIpTableArg (ruleRules r) ++ toIpTableTable (ruleTable r)
+	fromChain (ruleChain r) :
+	toIpTableArg (ruleRules r) ++
+	["-t", fromTable (ruleTable r), "-j", fromTarget (ruleTarget r)]
 
 toIpTableArg :: Rules -> [String]
 toIpTableArg Everything = []
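Review bot: `toIpTable` hands the strings produced by `fromChain` and `fromTarget` to iptables unchanged, and for the `*Custom String` constructors in the following hunk that string is whatever the caller supplied. These go through `Param`, which from what is visible is an argv-level parameter rather than shell text, so quoting is not the concern; but an empty name, or one beginning with `-`, would be read by iptables as an option rather than as a chain or target, turning a typo in a host definition into a different rule than the one `show r` describes. A validity check on custom names, e.g. `validName n = not (null n) && not (isPrefixOf "-" n) && not (any isSpace n)` applied in a smart constructor for the custom cases, would catch that before the property runs. The body of `rule` continues past the preceding hunk and `chk` is not visible here, so this is based only on the argument list assembled in this hunk.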
@@ -80,78 +77,86 @@ fromIPWithMask (IPWithIPMask ip ipm) = fromIPAddr ip ++ "/" ++ fromIPAddr ipm
 fromIPWithMask (IPWithNumMask ip m) = fromIPAddr ip ++ "/" ++ show m
 
 data Rule = Rule
-	{ ruleChain :: Chain
-	, ruleTable :: Table
-	, ruleRules :: Rules
+	{ ruleChain :: Chain
+	, ruleTable :: Table
+	, ruleTarget :: Target
+	, ruleRules :: Rules
 	} deriving (Eq, Show)
 
-data Table = Filter TargetFilter | Nat TargetNat | Mangle TargetMangle | Raw TargetRaw | Security TargetSecurity
+data Table = Filter | Nat | Mangle | Raw | Security
 	deriving (Eq, Show)
 
-toIpTableTable :: Table -> [String]
-toIpTableTable f = ["-t", table, "-j", target]
-  where
-	(table, target) = toIpTableTable' f
-
-toIpTableTable' :: Table -> (String, String)
-toIpTableTable' (Filter target) = ("filter", fromTarget target)
-toIpTableTable' (Nat target) = ("nat", fromTarget target)
-toIpTableTable' (Mangle target) = ("mangle", fromTarget target)
-toIpTableTable' (Raw target) = ("raw", fromTarget target)
-toIpTableTable' (Security target) = ("security", fromTarget target)
+fromTable :: Table -> String
+fromTable Filter = "filter"
+fromTable Nat = "nat"
+fromTable Mangle = "mangle"
+fromTable Raw = "raw"
+fromTable Security = "security"
 
-data Chain = INPUT | OUTPUT | FORWARD
+data Target = ACCEPT | REJECT | DROP | LOG | TargetCustom String
 	deriving (Eq, Show)
 
-data TargetFilter = ACCEPT | REJECT | DROP | LOG | FilterCustom String
+fromTarget :: Target -> String
+fromTarget ACCEPT = "ACCEPT"
+fromTarget REJECT = "REJECT"
+fromTarget DROP = "DROP"
+fromTarget LOG = "LOG"
+fromTarget (TargetCustom t) = t
+
+data Chain = ChainFilter | ChainNat | ChainMangle | ChainRaw | ChainSecurity
 	deriving (Eq, Show)
 
-class FromTarget a where
-	fromTarget :: a -> String
+instance FromChain Chain where
+	fromChain = fromChain
+
+class FromChain a where
+	fromChain :: a -> String
+
+data ChainFilter = INPUT | OUTPUT | FORWARD | FilterCustom String
+	deriving (Eq, Show)
 
-instance FromTarget TargetFilter where
-	fromTarget ACCEPT = "ACCEPT"
-	fromTarget REJECT = "REJECT"
-	fromTarget DROP = "DROP"
-	fromTarget LOG = "LOG"
-	fromTarget (FilterCustom f) = f
+instance FromChain ChainFilter where
+	fromChain INPUT = "INPUT"
+	fromChain OUTPUT = "OUTPUT"
+	fromChain FORWARD = "FORWARD"
+	fromChain (FilterCustom c) = c
 
-data TargetNat = NatPREROUTING | NatOUTPUT | NatPOSTROUTING | NatCustom String
+data ChainNat = NatPREROUTING | NatOUTPUT | NatPOSTROUTING | NatCustom String
 	deriving (Eq, Show)
 
-instance FromTarget TargetNat where
-	fromTarget NatPREROUTING = "PREROUTING"
-	fromTarget NatOUTPUT = "OUTPUT"
-	fromTarget NatPOSTROUTING = "POSTROUTING"
-	fromTarget (NatCustom f) = f
+instance FromChain ChainNat where
+	fromChain NatPREROUTING = "PREROUTING"
+	fromChain NatOUTPUT = "OUTPUT"
+	fromChain NatPOSTROUTING = "POSTROUTING"
+	fromChain (NatCustom f) = f
 
-data TargetMangle = ManglePREROUTING | MangleOUTPUT | MangleINPUT | MangleFORWARD | ManglePOSTROUTING | MangleCustom String
+data ChainMangle = ManglePREROUTING | MangleOUTPUT | MangleINPUT | MangleFORWARD | ManglePOSTROUTING | MangleCustom String
 	deriving (Eq, Show)
 
-instance FromTarget TargetMangle where
-	fromTarget ManglePREROUTING = "PREROUTING"
-	fromTarget MangleOUTPUT = "OUTPUT"
-	fromTarget MangleINPUT = "INPUT"
-	fromTarget MangleFORWARD = "FORWARD"
-	fromTarget ManglePOSTROUTING = "POSTROUTING"
-	fromTarget (MangleCustom f) = f
+instance FromChain ChainMangle where
+	fromChain ManglePREROUTING = "PREROUTING"
+	fromChain MangleOUTPUT = "OUTPUT"
+	fromChain MangleINPUT = "INPUT"
+	fromChain MangleFORWARD = "FORWARD"
+	fromChain ManglePOSTROUTING = "POSTROUTING"
+	fromChain (MangleCustom f) = f
 
-data TargetRaw = RawPREROUTING | RawOUTPUT | RawCustom String
+data ChainRaw = RawPREROUTING | RawOUTPUT | RawCustom String
 	deriving (Eq, Show)
 
-instance FromTarget TargetRaw where
-	fromTarget RawPREROUTING = "PREROUTING"
-	fromTarget RawOUTPUT = "OUTPUT"
-	fromTarget (RawCustom f) = f
+instance FromChain ChainRaw where
+	fromChain RawPREROUTING = "PREROUTING"
+	fromChain RawOUTPUT = "OUTPUT"
+	fromChain (RawCustom f) = f
 
-data TargetSecurity = SecurityINPUT | SecurityOUTPUT | SecurityFORWARD | SecurityCustom String
+data ChainSecurity = SecurityINPUT | SecurityOUTPUT | SecurityFORWARD | SecurityCustom String
 	deriving (Eq, Show)
 
-instance FromTarget TargetSecurity where
-	fromTarget SecurityINPUT = "INPUT"
-	fromTarget SecurityOUTPUT = "OUTPUT"
-	fromTarget SecurityFORWARD = "FORWARD"
-	fromTarget (SecurityCustom f) = f
+instance FromChain ChainSecurity where
+	fromChain SecurityINPUT = "INPUT"
+	fromChain SecurityOUTPUT = "OUTPUT"
+	fromChain SecurityFORWARD = "FORWARD"
+	fromChain (SecurityCustom f) = f
 
 data Proto = TCP | UDP | ICMP
 	deriving (Eq, Show)
-- 
cgit v1.2.3
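Review bot: `instance FromChain Chain where fromChain = fromChain` defines the method in terms of itself, so `fromChain (ruleChain r)` in `toIpTable` (earlier hunk) never returns — GHC's runtime will typically report `<<loop>>` — and no rule built by this module can be applied after this commit. The new `Chain` constructors also carry no payload, so the per-table chain types and instances defined right below (`ChainFilter`, `ChainNat`, `ChainMangle`, `ChainRaw`, `ChainSecurity`) can never reach a `Rule` at all. Presumably each `Chain` constructor was meant to wrap the matching chain type and delegate to its instance; the sketch below does that and makes the instance total. The instance is additionally declared before `class FromChain`, which GHC accepts but reads oddly; moving the class above its first instance would help the next reader.
```haskell
data Chain
	= ChainFilter ChainFilter
	| ChainNat ChainNat
	| ChainMangle ChainMangle
	| ChainRaw ChainRaw
	| ChainSecurity ChainSecurity
	deriving (Eq, Show)

-- Each wrapper delegates to the per-table chain's own instance.
instance FromChain Chain where
	fromChain (ChainFilter c) = fromChain c
	fromChain (ChainNat c) = fromChain c
	fromChain (ChainMangle c) = fromChain c
	fromChain (ChainRaw c) = fromChain c
	fromChain (ChainSecurity c) = fromChain c

-- … unchanged: class FromChain, the per-table chain types and their instances …
```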