From 69f35659e205e69a017ff2f3f39393ed4c403937 Mon Sep 17 00:00:00 2001
From: Félix Sipma
Date: Thu, 4 Feb 2016 12:40:01 +0100
Subject: Firewall: add InIFace/OutIFace Rules
(cherry picked from commit 717e693b2ad0bf39865ef28952f37670e70d8582)
---
 src/Propellor/Property/Firewall.hs | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
(limited to 'src/Propellor/Property/Firewall.hs')
diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs
index 20b44845..a851f885 100644
--- a/src/Propellor/Property/Firewall.hs
+++ b/src/Propellor/Property/Firewall.hs
@@ -1,5 +1,5 @@
 -- | Maintainer: Arnaud Bailly
---
+--
 -- Properties for configuring firewall (iptables) rules
 module Propellor.Property.Firewall (
@@ -47,7 +47,8 @@ toIpTableArg (Proto proto) = ["-p", map toLower $ show proto]
 toIpTableArg (DPort (Port port)) = ["--dport", show port]
 toIpTableArg (DPortRange (Port f, Port t)) = ["--dport", show f ++ ":" ++ show t]
-toIpTableArg (IFace iface) = ["-i", iface]
+toIpTableArg (InIFace iface) = ["-i", iface]
+toIpTableArg (OutIFace iface) = ["-o", iface]
 toIpTableArg (Ctstate states) =
 [ "-m"
 , "conntrack"
@@ -80,7 +81,8 @@ data Rules -- data type with proto + ports
 | DPort Port
 | DPortRange (Port,Port)
- | IFace Network.Interface
+ | InIFace Network.Interface
+ | OutIFace Network.Interface
 | Ctstate [ ConnectionState ]
 | Rules :- Rules -- ^Combine two rules
 deriving (Eq, Show)
-- cgit v1.3-2-g0d8e
From 39825733d28dc9ea59386073879ba0e754c42028 Mon Sep 17 00:00:00 2001
From: Félix Sipma
Date: Thu, 4 Feb 2016 12:42:11 +0100
Subject: Firewall: add Source/Destination Rules
(cherry picked from commit 34ee25d51b502af8da81c7b0701ac02cf1f43c1e)
---
 src/Propellor/Property/Firewall.hs | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)
(limited to 'src/Propellor/Property/Firewall.hs')
diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs
index a851f885..13db38df 100644
--- a/src/Propellor/Property/Firewall.hs
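Review bot: The `IFace` constructor is removed rather than kept alongside `InIFace`, so every existing `Rules` value built with it stops compiling, while the subject line presents the commit as a pure addition; a later commit on this page marks its own change as `(api change)` and this one should too. The new constructors are also undocumented in the `-80,7` hunk of this commit: `| InIFace Network.Interface -- ^ match the interface a packet arrived on (-i)` and `| OutIFace Network.Interface -- ^ match the interface a packet leaves by (-o)` would let a reader choose the right one without consulting the `toIpTableArg` cases. The `data Rules` declaration starts before that hunk.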
+++ b/src/Propellor/Property/Firewall.hs
@@ -54,8 +54,24 @@ toIpTableArg (Ctstate states) =
 , "conntrack"
 , "--ctstate", concat $ intersperse "," (map show states)
 ]
+toIpTableArg (Source ipwm) =
+ [ "-s"
+ , concat $ intersperse "," (map fromIPWithMask ipwm)
+ ]
+toIpTableArg (Destination ipwm) =
+ [ "-d"
+ , concat $ intersperse "," (map fromIPWithMask ipwm)
+ ]
 toIpTableArg (r :- r') = toIpTableArg r <> toIpTableArg r'
+data IPWithMask = IPWithNoMask IPAddr | IPWithIPMask IPAddr IPAddr | IPWithNumMask IPAddr Int
+ deriving (Eq, Show)
+
+fromIPWithMask :: IPWithMask -> String
+fromIPWithMask (IPWithNoMask ip) = fromIPAddr ip
+fromIPWithMask (IPWithIPMask ip ipm) = fromIPAddr ip ++ "/" ++ fromIPAddr ipm
+fromIPWithMask (IPWithNumMask ip m) = fromIPAddr ip ++ "/" ++ show m
+
 data Rule = Rule
 { ruleChain :: Chain
 , ruleTarget :: Target
@@ -84,6 +100,8 @@ data Rules
 | InIFace Network.Interface
 | OutIFace Network.Interface
 | Ctstate [ ConnectionState ]
+ | Source [ IPWithMask ]
+ | Destination [ IPWithMask ]
 | Rules :- Rules -- ^Combine two rules
 deriving (Eq, Show)
-- cgit v1.3-2-g0d8e
From c6fcacb6e41f678757599b00eb653b3df489f19a Mon Sep 17 00:00:00 2001
From: Félix Sipma
Date: Thu, 4 Feb 2016 14:09:32 +0100
Subject: Firewall: minor hlint fixes
(cherry picked from commit d4653a2c4683ff3eeb4decbb3c61bb9e9cef2c64)
---
 src/Propellor/Property/Firewall.hs | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
(limited to 'src/Propellor/Property/Firewall.hs')
diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs
index 13db38df..2dff2953 100644
--- a/src/Propellor/Property/Firewall.hs
+++ b/src/Propellor/Property/Firewall.hs
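Review bot: `Source []` and `Destination []` render to `["-s", ""]` and `["-d", ""]`, because `concat $ intersperse "," (map fromIPWithMask [])` is the empty string, so an accidentally empty address list produces an argument iptables rejects and the property fails only when it is applied; `Data.List.NonEmpty` for the list (`Source (NonEmpty IPWithMask)` in the `-84,6` hunk of this commit) rules that out at compile time. Mapping an empty list to no `-s` argument at all would be worse, since the rule would then silently match every source. `IPWithNumMask IPAddr Int` likewise accepts any prefix length, including negative values or more than 32 for IPv4 and 128 for IPv6; a smart constructor returning `Maybe IPWithMask` could reject those before a rule is built, though how `IPAddr` distinguishes the two families is not visible here. `fromIPWithMask` has no Haddock; `-- | Render an address, with its mask if any, in the form iptables expects after @-s@ or @-d@.` would do.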
@@ -33,13 +33,13 @@ rule c t rs = property ("firewall rule: " <> show r) addIpTable
 if exist then return NoChange else toResult <$> boolSystem "iptables" (add args)
- add params = (Param "-A") : params
- chk params = (Param "-C") : params
+ add params = Param "-A" : params
+ chk params = Param "-C" : params
 toIpTable :: Rule -> [CommandParam]
 toIpTable r = map Param $
- (show $ ruleChain r) :
- (toIpTableArg (ruleRules r)) ++ [ "-j" , show $ ruleTarget r ]
+ show (ruleChain r) :
+ toIpTableArg (ruleRules r) ++ [ "-j" , show $ ruleTarget r ]
 toIpTableArg :: Rules -> [String]
 toIpTableArg Everything = []
@@ -52,15 +52,15 @@ toIpTableArg (OutIFace iface) = ["-o", iface]
 toIpTableArg (Ctstate states) =
 [ "-m"
 , "conntrack"
- , "--ctstate", concat $ intersperse "," (map show states)
+ , "--ctstate", intercalate "," (map show states)
 ]
 toIpTableArg (Source ipwm) =
 [ "-s"
- , concat $ intersperse "," (map fromIPWithMask ipwm)
+ , intercalate "," (map fromIPWithMask ipwm)
 ]
 toIpTableArg (Destination ipwm) =
 [ "-d"
- , concat $ intersperse "," (map fromIPWithMask ipwm)
+ , intercalate "," (map fromIPWithMask ipwm)
 ]
 toIpTableArg (r :- r') = toIpTableArg r <> toIpTableArg r'
-- cgit v1.3-2-g0d8e
From bd84117979a8e934d0c0922aca4eef27815155f8 Mon Sep 17 00:00:00 2001
From: Félix Sipma
Date: Thu, 4 Feb 2016 16:00:50 +0100
Subject: Firewall: add CustomTarget
(cherry picked from commit ecff879cfeacfbff00649f4a3b9dd19eaefe134f)
---
 src/Propellor/Property/Firewall.hs | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)
(limited to 'src/Propellor/Property/Firewall.hs')
diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs
index 2dff2953..b90f588a 100644
--- a/src/Propellor/Property/Firewall.hs
+++ b/src/Propellor/Property/Firewall.hs
@@ -39,7 +39,7 @@ rule c t rs = property ("firewall rule: " <> show r) addIpTable
 toIpTable :: Rule -> [CommandParam]
 toIpTable r = map Param $
 show (ruleChain r) :
- toIpTableArg (ruleRules r) ++ [ "-j" , show $ ruleTarget r ]
+ toIpTableArg (ruleRules r) ++ [ "-j" , fromTarget $ ruleTarget r ]
 toIpTableArg :: Rules -> [String]
 toIpTableArg Everything = []
@@ -81,9 +81,13 @@ data Rule = Rule
 data Chain = INPUT | OUTPUT | FORWARD
 deriving (Eq, Show)
-data Target = ACCEPT | REJECT | DROP | LOG
+data Target = ACCEPT | REJECT | DROP | LOG | CustomTarget String
 deriving (Eq, Show)
+fromTarget :: Target -> String
+fromTarget (CustomTarget ct) = ct
+fromTarget t = show t
+
 data Proto = TCP | UDP | ICMP
 deriving (Eq, Show)
-- cgit v1.3-2-g0d8e
From a0e901dfc39bd465fe1d64a3a895b79341263264 Mon Sep 17 00:00:00 2001
From: Félix Sipma
Date: Thu, 4 Feb 2016 17:40:09 +0100
Subject: Firewall: add Table (api change)
(cherry picked from commit 202f9c282ee34897461dc56a79e607244c94cd99)
---
 src/Propellor/Property/Firewall.hs | 79 +++++++++++++++++++++++++++++++++-----
 1 file changed, 70 insertions(+), 9 deletions(-)
(limited to 'src/Propellor/Property/Firewall.hs')
diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs
index b90f588a..4498b82d 100644
--- a/src/Propellor/Property/Firewall.hs
+++ b/src/Propellor/Property/Firewall.hs
@@ -6,10 +6,16 @@ module Propellor.Property.Firewall (
 rule,
 installed,
 Chain(..),
- Target(..),
+ Table(..),
+ TargetFilter(..),
+ TargetNat(..),
+ TargetMangle(..),
+ TargetRaw(..),
+ TargetSecurity(..),
 Proto(..),
 Rules(..),
- ConnectionState(..)
+ ConnectionState(..),
+ IPWithMask(..)
 ) where
 import Data.Monoid
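Review bot: `CustomTarget String` goes straight into the `-j` argument through `fromTarget (CustomTarget ct) = ct`, so an empty name, one containing whitespace, or one longer than iptables allows for a chain name is only rejected when `boolSystem "iptables"` runs, at which point both the `-C` probe and the `-A` call fail and the property reports a failure with no indication of which rule value was wrong. A smart constructor such as `customTarget :: String -> Maybe Target` that rejects empty or whitespace-containing names would surface that at configuration time; the arguments are passed as separate `Param`s, so this is about a clear early error rather than shell quoting. `fromTarget` also lacks documentation: `-- | The name iptables expects after @-j@ for this target.`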
@@ -23,7 +29,7 @@ import qualified Propellor.Property.Network as Network
 installed :: Property NoInfo
 installed = Apt.installed ["iptables"]
-rule :: Chain -> Target -> Rules -> Property NoInfo
+rule :: Chain -> Table -> Rules -> Property NoInfo
 rule c t rs = property ("firewall rule: " <> show r) addIpTable
 where r = Rule c t rs
@@ -39,7 +45,7 @@ rule c t rs = property ("firewall rule: " <> show r) addIpTable
 toIpTable :: Rule -> [CommandParam]
 toIpTable r = map Param $
 show (ruleChain r) :
- toIpTableArg (ruleRules r) ++ [ "-j" , fromTarget $ ruleTarget r ]
+ toIpTableArg (ruleRules r) ++ toIpTableTable (ruleTable r)
 toIpTableArg :: Rules -> [String]
 toIpTableArg Everything = []
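Review bot: `rule`'s second parameter changes from `Target` to `Table` but keeps the name `t` and has no Haddock, so the signature alone no longer says that this argument chooses both the table (`-t`) and the jump target (`-j`); add `-- | Add an iptables rule to the given chain; the 'Table' selects both the table (@-t@) and the jump target (@-j@) the rule ends with.` above the signature. In the `-39,7` hunk the `-t` flag now comes after the match arguments because `toIpTableTable` is appended last; iptables appears to accept `-t` anywhere on the command line, but a one-line comment saying that this is relied on would spare the next reader the check.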
@@ -74,19 +80,74 @@ fromIPWithMask (IPWithNumMask ip m) = fromIPAddr ip ++ "/" ++ show m
 data Rule = Rule
 { ruleChain :: Chain
- , ruleTarget :: Target
+ , ruleTable :: Table
 , ruleRules :: Rules
 } deriving (Eq, Show)
+data Table = Filter TargetFilter | Nat TargetNat | Mangle TargetMangle | Raw TargetRaw | Security TargetSecurity
+ deriving (Eq, Show)
+
+toIpTableTable :: Table -> [String]
+toIpTableTable f = ["-t", table, "-j", target]
+ where
+ (table, target) = toIpTableTable' f
+
+toIpTableTable' :: Table -> (String, String)
+toIpTableTable' (Filter target) = ("filter", fromTargetFilter target)
+toIpTableTable' (Nat target) = ("nat", fromTargetNat target)
+toIpTableTable' (Mangle target) = ("mangle", fromTargetMangle target)
+toIpTableTable' (Raw target) = ("raw", fromTargetRaw target)
+toIpTableTable' (Security target) = ("security", fromTargetSecurity target)
+
 data Chain = INPUT | OUTPUT | FORWARD
 deriving (Eq, Show)
-data Target = ACCEPT | REJECT | DROP | LOG | CustomTarget String
+data TargetFilter = ACCEPT | REJECT | DROP | LOG | FilterCustom String
+ deriving (Eq, Show)
+
+fromTargetFilter :: TargetFilter -> String
+fromTargetFilter ACCEPT = "ACCEPT"
+fromTargetFilter REJECT = "REJECT"
+fromTargetFilter DROP = "DROP"
+fromTargetFilter LOG = "LOG"
+fromTargetFilter (FilterCustom f) = f
+
+data TargetNat = NatPREROUTING | NatOUTPUT | NatPOSTROUTING | NatCustom String
+ deriving (Eq, Show)
+
+fromTargetNat :: TargetNat -> String
+fromTargetNat NatPREROUTING = "PREROUTING"
+fromTargetNat NatOUTPUT = "OUTPUT"
+fromTargetNat NatPOSTROUTING = "POSTROUTING"
+fromTargetNat (NatCustom f) = f
+
+data TargetMangle = ManglePREROUTING | MangleOUTPUT | MangleINPUT | MangleFORWARD | ManglePOSTROUTING | MangleCustom String
+ deriving (Eq, Show)
+
+fromTargetMangle :: TargetMangle -> String
+fromTargetMangle ManglePREROUTING = "PREROUTING"
+fromTargetMangle MangleOUTPUT = "OUTPUT"
+fromTargetMangle MangleINPUT = "INPUT"
+fromTargetMangle MangleFORWARD = "FORWARD"
+fromTargetMangle ManglePOSTROUTING = "POSTROUTING"
+fromTargetMangle (MangleCustom f) = f
+
+data TargetRaw = RawPREROUTING | RawOUTPUT | RawCustom String
+ deriving (Eq, Show)
+
+fromTargetRaw :: TargetRaw -> String
+fromTargetRaw RawPREROUTING = "PREROUTING"
+fromTargetRaw RawOUTPUT = "OUTPUT"
+fromTargetRaw (RawCustom f) = f
+
+data TargetSecurity = SecurityINPUT | SecurityOUTPUT | SecurityFORWARD | SecurityCustom String
 deriving (Eq, Show)
-fromTarget :: Target -> String
-fromTarget (CustomTarget ct) = ct
-fromTarget t = show t
+fromTargetSecurity :: TargetSecurity -> String
+fromTargetSecurity SecurityINPUT = "INPUT"
+fromTargetSecurity SecurityOUTPUT = "OUTPUT"
+fromTargetSecurity SecurityFORWARD = "FORWARD"
+fromTargetSecurity (SecurityCustom f) = f
 data Proto = TCP | UDP | ICMP
 deriving (Eq, Show)
-- cgit v1.3-2-g0d8e
From a447ac06b17beb444c922136c0124c1781f3f63a Mon Sep 17 00:00:00 2001
From: Félix Sipma
Date: Mon, 8 Feb 2016 11:33:48 +0100
Subject: Firewall: export fromIPWithMask
(cherry picked from commit 57f7d81f1124fa5c56a593b9d5de6448155a938e)
---
 src/Propellor/Property/Firewall.hs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
(limited to 'src/Propellor/Property/Firewall.hs')
diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs
index 4498b82d..d7a2d9bc 100644
--- a/src/Propellor/Property/Firewall.hs
+++ b/src/Propellor/Property/Firewall.hs
@@ -15,7 +15,8 @@ module Propellor.Property.Firewall (
 Proto(..),
 Rules(..),
 ConnectionState(..),
- IPWithMask(..)
+ IPWithMask(..),
+ fromIPWithMask
 ) where
 import Data.Monoid
-- cgit v1.3-2-g0d8e
From 3fd1c61d1c526bf68b5e52b638bf68a1af95bc2b Mon Sep 17 00:00:00 2001
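Review bot: The non-custom constructors of `TargetNat`, `TargetMangle`, `TargetRaw` and `TargetSecurity` are the built-in chain names of those tables (PREROUTING, POSTROUTING, INPUT, OUTPUT, FORWARD), not jump targets, yet `toIpTableTable` renders them after `-j`; iptables refuses a jump to a built-in chain, so for example `rule OUTPUT (Nat NatPOSTROUTING) rs` becomes `iptables -A OUTPUT ... -t nat -j POSTROUTING`, which fails in both the `-C` probe and the `-A` call, and such a property can never succeed. The chain names belong on `Chain` (`data Chain = INPUT | OUTPUT | FORWARD | PREROUTING | POSTROUTING`), and the per-table target types should hold actual targets such as `MASQUERADE`, `SNAT` or `DNAT` for the nat table and `MARK` for mangle, each with the options it requires; that redesign is larger than a note can carry. The `FromTarget` instances added by the later "add FromTarget class" commit on this page inherit the same constructor names.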
From: Félix Sipma
Date: Thu, 25 Feb 2016 17:55:26 +0100
Subject: add FromTarget class
(cherry picked from commit 226bf3e8230037ad2de38760c962033ab6c64d9f)
---
 src/Propellor/Property/Firewall.hs | 67 ++++++++++++++++++++------------------
 1 file changed, 35 insertions(+), 32 deletions(-)
(limited to 'src/Propellor/Property/Firewall.hs')
diff --git a/src/Propellor/Property/Firewall.hs b/src/Propellor/Property/Firewall.hs
index d7a2d9bc..eefc8342 100644
--- a/src/Propellor/Property/Firewall.hs
+++ b/src/Propellor/Property/Firewall.hs
@@ -94,11 +94,11 @@ toIpTableTable f = ["-t", table, "-j", target]
 (table, target) = toIpTableTable' f
 toIpTableTable' :: Table -> (String, String)
-toIpTableTable' (Filter target) = ("filter", fromTargetFilter target)
-toIpTableTable' (Nat target) = ("nat", fromTargetNat target)
-toIpTableTable' (Mangle target) = ("mangle", fromTargetMangle target)
-toIpTableTable' (Raw target) = ("raw", fromTargetRaw target)
-toIpTableTable' (Security target) = ("security", fromTargetSecurity target)
+toIpTableTable' (Filter target) = ("filter", fromTarget target)
+toIpTableTable' (Nat target) = ("nat", fromTarget target)
+toIpTableTable' (Mangle target) = ("mangle", fromTarget target)
+toIpTableTable' (Raw target) = ("raw", fromTarget target)
+toIpTableTable' (Security target) = ("security", fromTarget target)
 data Chain = INPUT | OUTPUT | FORWARD
 deriving (Eq, Show)
@@ -106,49 +106,52 @@ data Chain = INPUT | OUTPUT | FORWARD
 data TargetFilter = ACCEPT | REJECT | DROP | LOG | FilterCustom String
 deriving (Eq, Show)
-fromTargetFilter :: TargetFilter -> String
-fromTargetFilter ACCEPT = "ACCEPT"
-fromTargetFilter REJECT = "REJECT"
-fromTargetFilter DROP = "DROP"
-fromTargetFilter LOG = "LOG"
-fromTargetFilter (FilterCustom f) = f
+class FromTarget a where
+ fromTarget :: a -> String
+
+instance FromTarget TargetFilter where
+ fromTarget ACCEPT = "ACCEPT"
+ fromTarget REJECT = "REJECT"
+ fromTarget DROP = "DROP"
+ fromTarget LOG = "LOG"
+ fromTarget (FilterCustom f) = f
 data TargetNat = NatPREROUTING | NatOUTPUT | NatPOSTROUTING | NatCustom String
 deriving (Eq, Show)
-fromTargetNat :: TargetNat -> String
-fromTargetNat NatPREROUTING = "PREROUTING"
-fromTargetNat NatOUTPUT = "OUTPUT"
-fromTargetNat NatPOSTROUTING = "POSTROUTING"
-fromTargetNat (NatCustom f) = f
+instance FromTarget TargetNat where
+ fromTarget NatPREROUTING = "PREROUTING"
+ fromTarget NatOUTPUT = "OUTPUT"
+ fromTarget NatPOSTROUTING = "POSTROUTING"
+ fromTarget (NatCustom f) = f
 data TargetMangle = ManglePREROUTING | MangleOUTPUT | MangleINPUT | MangleFORWARD | ManglePOSTROUTING | MangleCustom String
 deriving (Eq, Show)
-fromTargetMangle :: TargetMangle -> String
-fromTargetMangle ManglePREROUTING = "PREROUTING"
-fromTargetMangle MangleOUTPUT = "OUTPUT"
-fromTargetMangle MangleINPUT = "INPUT"
-fromTargetMangle MangleFORWARD = "FORWARD"
-fromTargetMangle ManglePOSTROUTING = "POSTROUTING"
-fromTargetMangle (MangleCustom f) = f
+instance FromTarget TargetMangle where
+ fromTarget ManglePREROUTING = "PREROUTING"
+ fromTarget MangleOUTPUT = "OUTPUT"
+ fromTarget MangleINPUT = "INPUT"
+ fromTarget MangleFORWARD = "FORWARD"
+ fromTarget ManglePOSTROUTING = "POSTROUTING"
+ fromTarget (MangleCustom f) = f
 data TargetRaw = RawPREROUTING | RawOUTPUT | RawCustom String
 deriving (Eq, Show)
-fromTargetRaw :: TargetRaw -> String
-fromTargetRaw RawPREROUTING = "PREROUTING"
-fromTargetRaw RawOUTPUT = "OUTPUT"
-fromTargetRaw (RawCustom f) = f
+instance FromTarget TargetRaw where
+ fromTarget RawPREROUTING = "PREROUTING"
+ fromTarget RawOUTPUT = "OUTPUT"
+ fromTarget (RawCustom f) = f
 data TargetSecurity = SecurityINPUT | SecurityOUTPUT | SecurityFORWARD | SecurityCustom String
 deriving (Eq, Show)
-fromTargetSecurity :: TargetSecurity -> String
-fromTargetSecurity SecurityINPUT = "INPUT"
-fromTargetSecurity SecurityOUTPUT = "OUTPUT"
-fromTargetSecurity SecurityFORWARD = "FORWARD"
-fromTargetSecurity (SecurityCustom f) = f
+instance FromTarget TargetSecurity where
+ fromTarget SecurityINPUT = "INPUT"
+ fromTarget SecurityOUTPUT = "OUTPUT"
+ fromTarget SecurityFORWARD = "FORWARD"
+ fromTarget (SecurityCustom f) = f
 data Proto = TCP | UDP | ICMP
 deriving (Eq, Show)
-- cgit v1.3-2-g0d8e
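Review bot: `class FromTarget a where` is introduced with a single method and no Haddock, and the export list shown in earlier hunks on this page does not include it, so outside the module nothing can call `fromTarget` to see what a target renders to nor add an instance; add `-- | Targets that render to the name iptables expects after @-j@.` above the class, and either export `FromTarget(..)` beside the `Target*` types or state in that comment that it is module-internal. The five instances are otherwise equivalent to the functions they replace.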