Commit 964e8f25 authored by Marek Vavrusa's avatar Marek Vavrusa

modules/policy: doc update, compat with 1.0 api

parent 5b80a057
...@@ -8,64 +8,67 @@ This module is a high-level interface for other powerful filtering modules and D ...@@ -8,64 +8,67 @@ This module is a high-level interface for other powerful filtering modules and D
Example configuration Example configuration
^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^
Firewall rules are declarative and consist of filters and actions. Filters have ``field operator operand`` notation (e.g. ``qname = example.com``), and may be chained using AND/OR keywords. Actions may or may not have parameters after the action name.
.. code-block:: lua .. code-block:: lua
modules = { 'http', 'daf' } -- Let's write some daft rules!
modules = { 'daf' }
-- Let's write some daft rules!
-- Block all queries with QNAME = example.com
-- Block all queries with QNAME = example.com daf.add 'qname = example.com deny'
daf.add 'qname = example.com deny'
-- Filters can be combined using AND/OR...
-- Filters can be combined using AND/OR... -- Block all queries with QNAME match regex and coming from given subnet
-- Block all queries with QNAME match regex and coming from given subnet daf.add 'qname ~ %w+.example.com AND src = 192.0.2.0/24 deny'
daf.add 'qname ~ %w+.example.com AND src = 192.0.2.0/24 deny'
-- We also can reroute addresses in response to alternate target
-- We also can reroute addresses in response to alternate target -- This reroutes 1.2.3.4 to localhost
-- This reroutes 1.2.3.4 to localhost daf.add 'src = 127.0.0.0/8 reroute 192.0.2.1-127.0.0.1'
daf.add 'src = 127.0.0.0/8 reroute 192.0.2.1-127.0.0.1'
-- Subnets work too, this reroutes a whole subnet
-- Subnets work too, this reroutes a whole subnet -- e.g. 192.0.2.55 to 127.0.0.55
-- e.g. 192.0.2.55 to 127.0.0.55 daf.add 'src = 127.0.0.0/8 reroute 192.0.2.0/24-127.0.0.0'
daf.add 'src = 127.0.0.0/8 reroute 192.0.2.0/24-127.0.0.0'
-- This rewrites all A answers for 'example.com' from
-- This rewrites all A answers for 'example.com' from -- whatever the original address was to 127.0.0.2
-- whatever the original address was to 127.0.0.2 daf.add 'src = 127.0.0.0/8 rewrite example.com A 127.0.0.2'
daf.add 'src = 127.0.0.0/8 rewrite example.com A 127.0.0.2'
-- Mirror queries matching given name to DNS logger
-- Mirror queries matching given name to DNS logger daf.add 'qname ~ %w+.example.com MIRROR 127.0.0.2'
daf.add 'qname ~ %w+.example.com MIRROR 127.0.0.2'
-- Truncate queries based on destination IPs
-- Truncate queries based on destination IPs daf.add 'dst = 192.0.2.51 truncate'
daf.add 'dst = 192.0.2.51 truncate'
-- Disable a rule
-- Show active rules daf.disable 2
daf.rules -- Enable a rule
[1] => { daf.enable 2
[rule] => { -- Delete a rule
[count] => 42 daf.del 2
[id] => 1
[cb] => function: 0x1a3eda38 If you're not sure what firewall rules are in effect, see ``daf.rules``:
}
[info] => qname = example.com AND src = 127.0.0.1/8 deny .. code-block:: text
[policy] => function: 0x1a3eda38
}
[2] => {
[rule] => {
[suspended] => true
[count] => 123522
[id] => 2
[cb] => function: 0x1a3ede88
}
[info] => qname ~ %w+.facebook.com AND src = 127.0.0.1/8 deny...
[policy] => function: 0x1a3ede88
}
...
-- Disable a rule
daf.disable 2
-- Enable a rule
daf.enable 2
-- Delete a rule
daf.del 2
-- Show active rules
> daf.rules
[1] => {
[rule] => {
[count] => 42
[id] => 1
[cb] => function: 0x1a3eda38
}
[info] => qname = example.com AND src = 127.0.0.1/8 deny
[policy] => function: 0x1a3eda38
}
[2] => {
[rule] => {
[suspended] => true
[count] => 123522
[id] => 2
[cb] => function: 0x1a3ede88
}
[info] => qname ~ %w+.facebook.com AND src = 127.0.0.1/8 deny...
[policy] => function: 0x1a3ede88
}
...@@ -243,6 +243,13 @@ policy.layer = { ...@@ -243,6 +243,13 @@ policy.layer = {
-- Add rule to policy list -- Add rule to policy list
function policy.add(rule, postrule) function policy.add(rule, postrule)
-- Compatibility with 1.0.0 API
-- it will be dropped in 1.2.0
if rule == policy then
rule = postrule
postrule = nil
end
-- End of compatibility shim
local desc = {id=getruleid(), cb=rule, count=0} local desc = {id=getruleid(), cb=rule, count=0}
table.insert(postrule and policy.postrules or policy.rules, desc) table.insert(postrule and policy.postrules or policy.rules, desc)
return desc return desc