From b09875fd85c4a13550e1e1c94ea44433a1b8b24d Mon Sep 17 00:00:00 2001
From: Samuel Lorch
Date: Wed, 1 Mar 2023 18:20:47 +0100
Subject: [PATCH] rework rules

---
 pkg/definitions/destination_nat.go | 7 +++
 pkg/definitions/match.go | 12 +++++
 pkg/definitions/rule.go | 49 +++++++++++++++++++
 pkg/definitions/rules.go | 23 ---------
 pkg/definitions/source_nat.go | 42 ++++++++++++++++
 .../template/destination_nat_rules.tmpl | 5 +-
 pkg/nftables/template/forward_rules.tmpl | 3 +-
 pkg/nftables/template/rule_match.tmpl | 1 -
 pkg/nftables/template/source_nat_rules.tmpl | 5 +-
 9 files changed, 115 insertions(+), 32 deletions(-)
 create mode 100644 pkg/definitions/destination_nat.go
 create mode 100644 pkg/definitions/match.go
 create mode 100644 pkg/definitions/rule.go
 delete mode 100644 pkg/definitions/rules.go
 create mode 100644 pkg/definitions/source_nat.go
 delete mode 100644 pkg/nftables/template/rule_match.tmpl

diff --git a/pkg/definitions/destination_nat.go b/pkg/definitions/destination_nat.go
new file mode 100644
index 0000000..3573ca0
--- /dev/null
+++ b/pkg/definitions/destination_nat.go
@@ -0,0 +1,7 @@
+package definitions
+
+type DestinationNATRule struct {
+ Rule
+ Address string `json:"address,omitempty"`
+ Service string `json:"service,omitempty"`
+}
diff --git a/pkg/definitions/match.go b/pkg/definitions/match.go
new file mode 100644
index 0000000..38ad16b
--- /dev/null
+++ b/pkg/definitions/match.go
@@ -0,0 +1,12 @@
+package definitions
+
+import "fmt"
+
+type Match struct {
+ TCPDestinationPort uint64 `json:"tcp_destination_port,omitempty"`
+ Service []string `json:"service,omitempty"`
+}
+
+func (m Match) Nftables() string {
+ return fmt.Sprintf("tcp dport %d", m.TCPDestinationPort)
+}
diff --git a/pkg/definitions/rule.go b/pkg/definitions/rule.go
new file mode 100644
index 0000000..65ae33a
--- /dev/null
+++ b/pkg/definitions/rule.go
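Review bot: `DestinationNATRule` is exported without a doc comment, and its new `Address` and `Service` fields say nothing about what they hold or when they may be left empty, so a reader of destination_nat.go cannot tell how the two relate; the same is true of `SourceNATRule`, `SnatType`, `Match`, `Rule`, `ForwardRule` and `Verdict` in the other new files of this commit. A type comment such as `// DestinationNATRule is a Rule whose matching traffic is translated to Address and/or Service.`, adjusted to whatever the intended semantics are, plus a one-line comment on each field would settle it. Note also that `Service` is a `string` here while `Match.Service` in match.go is a `[]string` under the same JSON key, which is easy to confuse when writing configuration; if the difference is intentional the doc comments should say so.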
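Review bot: `Nftables` always renders `tcp dport %d`, so a `Match` whose `tcp_destination_port` is absent (the field is `omitempty`, and absence decodes to 0) silently becomes `tcp dport 0`, a rule that in practice matches no traffic and so loads cleanly without enforcing what the author intended, while the `Service` field is decoded but never consulted. For firewall definitions a configuration that is rejected is preferable to one that is accepted and has no effect, so the zero case should fail when the definitions are read rather than be rendered; a port above 65535 is caught by nft at load time but is cheaper to reject at the same point. A `Validate` method along the lines below, called by whatever loads the definitions, would do this, and `Service` should either be rendered or carry a `// TODO` comment so its intent is documented.

```go
// … unchanged: Match struct, Nftables …

// Validate rejects a Match that would render to a rule other than the one
// the author wrote: an absent or out-of-range tcp_destination_port.
func (m Match) Validate() error {
	if m.TCPDestinationPort == 0 || m.TCPDestinationPort > 65535 {
		return fmt.Errorf("invalid tcp_destination_port %d", m.TCPDestinationPort)
	}
	return nil
}
```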
@@ -0,0 +1,49 @@
+package definitions
+
+import "encoding/json"
+
+type Rule struct {
+ Name string `json:"name"`
+ Match Match `json:"match"`
+ Comment string `json:"comment,omitempty"`
+ Counter bool `json:"counter,omitempty"`
+}
+
+type ForwardRule struct {
+ Rule
+ Verdict Verdict `json:"verdict"`
+}
+
+type Verdict int
+
+const (
+ Accept Verdict = iota
+ Drop
+ Continue
+)
+
+func (t Verdict) String() string {
+ return [...]string{"accept", "drop", "continue"}[t]
+}
+
+func (t *Verdict) FromString(input string) Verdict {
+ return map[string]Verdict{
+ "accept": Accept,
+ "drop": Drop,
+ "continue": Continue,
+ }[input]
+}
+
+func (t Verdict) MarshalJSON() ([]byte, error) {
+ return json.Marshal(t.String())
+}
+
+func (t *Verdict) UnmarshalJSON(b []byte) error {
+ var s string
+ err := json.Unmarshal(b, &s)
+ if err != nil {
+ return err
+ }
+ *t = t.FromString(s)
+ return nil
+}
diff --git a/pkg/definitions/rules.go b/pkg/definitions/rules.go
deleted file mode 100644
index d7610eb..0000000
--- a/pkg/definitions/rules.go
+++ /dev/null
@@ -1,23 +0,0 @@
-package definitions
-
-type Rule struct {
- Match RuleMatch `json:"match"`
- Comment string `json:"comment"`
- Counter bool `json:"counter"`
-}
-
-type RuleMatch struct {
- TCPDestinationPort uint64 `json:"tcp_destination_port"`
-}
-
-type ForwardRule struct {
- Rule
-}
-
-type DestinationNATRule struct {
- Rule
-}
-
-type SourceNATRule struct {
- Rule
-}
diff --git a/pkg/definitions/source_nat.go b/pkg/definitions/source_nat.go
new file mode 100644
index 0000000..5678b29
--- /dev/null
+++ b/pkg/definitions/source_nat.go
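Review bot: `FromString` returns the map's zero value for any name it does not know, and `UnmarshalJSON` stores that result unchecked, so a misspelled or unsupported verdict in the configuration (say `"reject"`) silently becomes `accept`; a `ForwardRule` whose JSON omits `verdict` entirely also decodes to the zero value `Accept`, so both paths fail open for a forward rule. `UnmarshalJSON` should reject unknown names as below (this needs `fmt` imported in rule.go), and it is worth considering a distinct zero value for "unset" or a load-time check that every forward rule names a verdict. `String` has a related edge: indexing the array with an out-of-range value such as `Verdict(5)` panics rather than returning an error. The same pattern is in source_nat.go's `SnatType.FromString`/`UnmarshalJSON`, where an unknown `type` silently becomes `snat`.

```go
// … unchanged: Rule, ForwardRule, Verdict, constants, String, FromString, MarshalJSON …

// UnmarshalJSON accepts only the verdict names this package renders;
// an unknown name is an error rather than a silent fallback to Accept.
func (t *Verdict) UnmarshalJSON(b []byte) error {
	var s string
	if err := json.Unmarshal(b, &s); err != nil {
		return err
	}
	v, ok := map[string]Verdict{
		"accept":   Accept,
		"drop":     Drop,
		"continue": Continue,
	}[s]
	if !ok {
		return fmt.Errorf("unknown verdict %q", s)
	}
	*t = v
	return nil
}
```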
@@ -0,0 +1,42 @@
+package definitions
+
+import "encoding/json"
+
+type SourceNATRule struct {
+ Rule
+ Type SnatType `json:"type"`
+ Address string `json:"address,omitempty"`
+ Service string `json:"service,omitempty"`
+}
+
+type SnatType int
+
+const (
+ Snat SnatType = iota
+ Masquerade
+)
+
+func (t SnatType) String() string {
+ return [...]string{"snat", "masquerade"}[t]
+}
+
+func (t *SnatType) FromString(input string) SnatType {
+ return map[string]SnatType{
+ "snat": Snat,
+ "masquerade": Masquerade,
+ }[input]
+}
+
+func (t SnatType) MarshalJSON() ([]byte, error) {
+ return json.Marshal(t.String())
+}
+
+func (t *SnatType) UnmarshalJSON(b []byte) error {
+ var s string
+ err := json.Unmarshal(b, &s)
+ if err != nil {
+ return err
+ }
+ *t = t.FromString(s)
+ return nil
+}
diff --git a/pkg/nftables/template/destination_nat_rules.tmpl b/pkg/nftables/template/destination_nat_rules.tmpl
index 2f16efb..b3114eb 100644
--- a/pkg/nftables/template/destination_nat_rules.tmpl
+++ b/pkg/nftables/template/destination_nat_rules.tmpl
@@ -1,3 +1,2 @@
-{{range $rule := .Netfilter.DestinationNATRules}}
- {{template "rule_match.tmpl" .Match}} {{ if $rule.Counter }} counter {{ end }} {{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}" {{ end }}
-{{end}}
\ No newline at end of file
+{{ range $rule := .Netfilter.DestinationNATRules }}
+ {{ .Match.Nftables }}{{ if $rule.Counter }} counter{{ end }}{{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}"{{ end }}{{ end }}
\ No newline at end of file
diff --git a/pkg/nftables/template/forward_rules.tmpl b/pkg/nftables/template/forward_rules.tmpl
index 5843178..5d90757 100644
--- a/pkg/nftables/template/forward_rules.tmpl
+++ b/pkg/nftables/template/forward_rules.tmpl
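Review bot: The rendered destination-NAT rule carries the match, an optional `counter` and the comment but no translation statement: `$rule.Address` and `$rule.Service`, which this commit adds to `DestinationNATRule`, are never emitted, so the chain receives a rule that matches and counts without performing any NAT. The same is true of source_nat_rules.tmpl on the next line, which emits neither `snat to` nor `masquerade` despite `SourceNATRule.Type`. If the translation statement is planned for a follow-up, a `{{/* TODO: emit the dnat statement from $rule.Address / $rule.Service */}}` comment in the template would make that explicit; otherwise something like ` dnat to {{ $rule.Address }}` belongs between the counter and the comment, with the exact keyword depending on the table family in use.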
@@ -1,3 +1,2 @@
 {{range $rule := .Netfilter.ForwardRules}}
- {{template "rule_match.tmpl" .Match}} {{ if $rule.Counter }} counter {{ end }} {{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}" {{ end }}
-{{end}}
+ {{ .Match.Nftables }}{{ if $rule.Counter }} counter{{ end }} {{ $rule.Verdict.String }}{{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}"{{ end }}{{ end }}
diff --git a/pkg/nftables/template/rule_match.tmpl b/pkg/nftables/template/rule_match.tmpl
deleted file mode 100644
index e74c639..0000000
--- a/pkg/nftables/template/rule_match.tmpl
+++ /dev/null
@@ -1 +0,0 @@
- tcp dport {{ .TCPDestinationPort }}
\ No newline at end of file
diff --git a/pkg/nftables/template/source_nat_rules.tmpl b/pkg/nftables/template/source_nat_rules.tmpl
index 1340aee..3b7a2a5 100644
--- a/pkg/nftables/template/source_nat_rules.tmpl
+++ b/pkg/nftables/template/source_nat_rules.tmpl
@@ -1,3 +1,2 @@
-{{range $rule := .Netfilter.SourceNATRules}}
- {{template "rule_match.tmpl" .Match}} {{ if $rule.Counter }} counter {{ end }} {{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}" {{ end }}
-{{end}}
\ No newline at end of file
+{{ range $rule := .Netfilter.SourceNATRules }}
+ {{ .Match.Nftables }}{{ if $rule.Counter }} counter{{ end }}{{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}"{{ end }}{{ end }}
\ No newline at end of file
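Review bot: `$rule.Comment` is interpolated verbatim inside the double quotes of `comment "…"`, and nothing on the Go side constrains the value, so a comment containing a `"`, a backslash or a newline ends the quoted string early and the rest of the value is read as rule syntax, producing a ruleset that differs from the configuration or fails to load. Rendering is presumably done with text/template, which does no escaping, so the check belongs in Go where `Rule.Comment` is decoded or validated: `if strings.ContainsAny(r.Comment, "\"\\\n\r") { return fmt.Errorf("comment %q contains characters not allowed in an nftables comment", r.Comment) }`. The same interpolation is in destination_nat_rules.tmpl and source_nat_rules.tmpl, so a single check on `Rule` covers all three templates.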