From a0e901dfc39bd465fe1d64a3a895b79341263264 Mon Sep 17 00:00:00 2001 From: FĂ©lix Sipma Date: Thu, 4 Feb 2016 17:40:09 +0100 Subject: Firewall: add Table (api change) (cherry picked from commit 202f9c282ee34897461dc56a79e607244c94cd99) --- src/Propellor/Property/Firewall.hs | 79 +++++++++++++++++++++++++++++++++----- 1 file changed, 70 insertions(+), 9 deletions(-) (limited to 'src/Propellor/Property/Firewall.hs') diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs index b90f588a..4498b82d 100644 --- a/src/Propellor/Property/Firewall.hs +++ b/src/Propellor/Property/Firewall.hs @@ -6,10 +6,16 @@ module Propellor.Property.Firewall ( rule, installed, Chain(..), - Target(..), + Table(..), + TargetFilter(..), + TargetNat(..), + TargetMangle(..), + TargetRaw(..), + TargetSecurity(..), Proto(..), Rules(..), - ConnectionState(..) + ConnectionState(..), + IPWithMask(..) ) where import Data.Monoid @@ -23,7 +29,7 @@ import qualified Propellor.Property.Network as Network installed :: Property NoInfo installed = Apt.installed ["iptables"] -rule :: Chain -> Target -> Rules -> Property NoInfo +rule :: Chain -> Table -> Rules -> Property NoInfo rule c t rs = property ("firewall rule: " <> show r) addIpTable where r = Rule c t rs @@ -39,7 +45,7 @@ rule c t rs = property ("firewall rule: " <> show r) addIpTable toIpTable :: Rule -> [CommandParam] toIpTable r = map Param $ show (ruleChain r) : - toIpTableArg (ruleRules r) ++ [ "-j" , fromTarget $ ruleTarget r ] + toIpTableArg (ruleRules r) ++ toIpTableTable (ruleTable r) toIpTableArg :: Rules -> [String] toIpTableArg Everything = [] @@ -74,19 +80,74 @@ fromIPWithMask (IPWithNumMask ip m) = fromIPAddr ip ++ "/" ++ show m data Rule = Rule { ruleChain :: Chain - , ruleTarget :: Target + , ruleTable :: Table , ruleRules :: Rules } deriving (Eq, Show) +data Table = Filter TargetFilter | Nat TargetNat | Mangle TargetMangle | Raw TargetRaw | Security TargetSecurity + deriving (Eq, Show) + +toIpTableTable :: Table -> [String] +toIpTableTable f = ["-t", table, "-j", target] + where + (table, target) = toIpTableTable' f + +toIpTableTable' :: Table -> (String, String) +toIpTableTable' (Filter target) = ("filter", fromTargetFilter target) +toIpTableTable' (Nat target) = ("nat", fromTargetNat target) +toIpTableTable' (Mangle target) = ("mangle", fromTargetMangle target) +toIpTableTable' (Raw target) = ("raw", fromTargetRaw target) +toIpTableTable' (Security target) = ("security", fromTargetSecurity target) + data Chain = INPUT | OUTPUT | FORWARD deriving (Eq, Show) -data Target = ACCEPT | REJECT | DROP | LOG | CustomTarget String +data TargetFilter = ACCEPT | REJECT | DROP | LOG | FilterCustom String + deriving (Eq, Show) + +fromTargetFilter :: TargetFilter -> String +fromTargetFilter ACCEPT = "ACCEPT" +fromTargetFilter REJECT = "REJECT" +fromTargetFilter DROP = "DROP" +fromTargetFilter LOG = "LOG" +fromTargetFilter (FilterCustom f) = f + +data TargetNat = NatPREROUTING | NatOUTPUT | NatPOSTROUTING | NatCustom String + deriving (Eq, Show) + +fromTargetNat :: TargetNat -> String +fromTargetNat NatPREROUTING = "PREROUTING" +fromTargetNat NatOUTPUT = "OUTPUT" +fromTargetNat NatPOSTROUTING = "POSTROUTING" +fromTargetNat (NatCustom f) = f + +data TargetMangle = ManglePREROUTING | MangleOUTPUT | MangleINPUT | MangleFORWARD | ManglePOSTROUTING | MangleCustom String + deriving (Eq, Show) + +fromTargetMangle :: TargetMangle -> String +fromTargetMangle ManglePREROUTING = "PREROUTING" +fromTargetMangle MangleOUTPUT = "OUTPUT" +fromTargetMangle MangleINPUT = "INPUT" +fromTargetMangle MangleFORWARD = "FORWARD" +fromTargetMangle ManglePOSTROUTING = "POSTROUTING" +fromTargetMangle (MangleCustom f) = f + +data TargetRaw = RawPREROUTING | RawOUTPUT | RawCustom String + deriving (Eq, Show) + +fromTargetRaw :: TargetRaw -> String +fromTargetRaw RawPREROUTING = "PREROUTING" +fromTargetRaw RawOUTPUT = "OUTPUT" +fromTargetRaw (RawCustom f) = f + +data TargetSecurity = SecurityINPUT | SecurityOUTPUT | SecurityFORWARD | SecurityCustom String deriving (Eq, Show) -fromTarget :: Target -> String -fromTarget (CustomTarget ct) = ct -fromTarget t = show t +fromTargetSecurity :: TargetSecurity -> String +fromTargetSecurity SecurityINPUT = "INPUT" +fromTargetSecurity SecurityOUTPUT = "OUTPUT" +fromTargetSecurity SecurityFORWARD = "FORWARD" +fromTargetSecurity (SecurityCustom f) = f data Proto = TCP | UDP | ICMP deriving (Eq, Show) -- cgit v1.2.3