fix: setting implmented + fixed and optimized rules adding
This commit is contained in:
Domingo Dirutigliano
@@ -20,17 +20,32 @@ class FirewallManager:
|
|||||||
|
|
||||||
async def reload(self):
|
async def reload(self):
|
||||||
async with self.lock:
|
async with self.lock:
|
||||||
if self.db.get("ENABLED", "0") == "1":
|
if self.enabled:
|
||||||
additional_rules = []
|
nft.set(
|
||||||
if self.allow_loopback:
|
map(Rule.from_dict, self.db.query('SELECT * FROM rules WHERE active = 1 ORDER BY rule_id;')),
|
||||||
pass #TODO complete rule
|
policy=self.policy,
|
||||||
if self.allow_established:
|
allow_loopback=self.allow_loopback,
|
||||||
pass #TODO complete rule
|
allow_established=self.allow_established
|
||||||
rules = list(map(Rule.from_dict, self.db.query('SELECT * FROM rules WHERE active = 1 ORDER BY rule_id;')), policy=self.db.get('POLICY', 'accept'))
|
)
|
||||||
nft.set(additional_rules + rules)
|
|
||||||
else:
|
else:
|
||||||
nft.reset()
|
nft.reset()
|
||||||
|
|
||||||
|
@property
|
||||||
|
def policy(self):
|
||||||
|
return self.db.get("POLICY", "accept")
|
||||||
|
|
||||||
|
@policy.setter
|
||||||
|
def policy(self, value):
|
||||||
|
self.db.set("POLICY", value)
|
||||||
|
|
||||||
|
@property
|
||||||
|
def enabled(self):
|
||||||
|
return self.db.get("ENABLED", "0") == "1"
|
||||||
|
|
||||||
|
@enabled.setter
|
||||||
|
def enabled(self, value):
|
||||||
|
self.db.set("ENABLED", "1" if value else "0")
|
||||||
|
|
||||||
@property
|
@property
|
||||||
def keep_rules(self):
|
def keep_rules(self):
|
||||||
return self.db.get("keep_rules", "0") == "1"
|
return self.db.get("keep_rules", "0") == "1"
|
||||||
|
|||||||
@@ -28,7 +28,7 @@ class FiregexTables(NFTableManager):
|
|||||||
rules_chain_in = "firewall_rules_in"
|
rules_chain_in = "firewall_rules_in"
|
||||||
rules_chain_out = "firewall_rules_out"
|
rules_chain_out = "firewall_rules_out"
|
||||||
|
|
||||||
def init_comands(self, policy:str="accept", policy_out:str="accept"):
|
def init_comands(self, policy:str="accept", policy_out:str="accept", allow_loopback=False, allow_established=False):
|
||||||
return [
|
return [
|
||||||
{"add":{"chain":{
|
{"add":{"chain":{
|
||||||
"family":"inet",
|
"family":"inet",
|
||||||
@@ -36,7 +36,7 @@ class FiregexTables(NFTableManager):
|
|||||||
"name":self.rules_chain_in,
|
"name":self.rules_chain_in,
|
||||||
"type":"filter",
|
"type":"filter",
|
||||||
"hook":"prerouting",
|
"hook":"prerouting",
|
||||||
"prio":-300,
|
"prio":-150,
|
||||||
"policy":policy
|
"policy":policy
|
||||||
}}},
|
}}},
|
||||||
{"add":{"chain":{
|
{"add":{"chain":{
|
||||||
@@ -45,10 +45,24 @@ class FiregexTables(NFTableManager):
|
|||||||
"name":self.rules_chain_out,
|
"name":self.rules_chain_out,
|
||||||
"type":"filter",
|
"type":"filter",
|
||||||
"hook":"postrouting",
|
"hook":"postrouting",
|
||||||
"prio":-300,
|
"prio":-150,
|
||||||
"policy":policy_out
|
"policy":policy_out
|
||||||
}}},
|
}}},
|
||||||
]
|
] + ([
|
||||||
|
{ "add":{ "rule": {
|
||||||
|
"family": "inet", "table": self.table_name, "chain": self.rules_chain_out,
|
||||||
|
"expr": [{ "match": { "op": "==", "left": { "meta": { "key": "iif"}}, "right": "lo"}},{"accept": None}]
|
||||||
|
}}},
|
||||||
|
{ "add":{ "rule": {
|
||||||
|
"family": "inet", "table": self.table_name, "chain": self.rules_chain_in,
|
||||||
|
"expr": [{ "match": { "op": "==", "left": { "meta": { "key": "iif"}}, "right": "lo"}},{"accept": None}]
|
||||||
|
}}}
|
||||||
|
] if allow_loopback else []) + ([
|
||||||
|
{ "add":{ "rule": {
|
||||||
|
"family": "inet", "table": self.table_name, "chain": self.rules_chain_in,
|
||||||
|
"expr": [{ "match": {"op": "in", "left": { "ct": { "key": "state" }},"right": ["established"]} }, { "accept": None }]
|
||||||
|
}}}
|
||||||
|
] if allow_established else [])
|
||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
super().__init__(self.init_comands(),[
|
super().__init__(self.init_comands(),[
|
||||||
@@ -58,52 +72,55 @@ class FiregexTables(NFTableManager):
|
|||||||
{"delete":{"chain":{"table":self.table_name,"family":"inet", "name":self.rules_chain_out}}},
|
{"delete":{"chain":{"table":self.table_name,"family":"inet", "name":self.rules_chain_out}}},
|
||||||
])
|
])
|
||||||
|
|
||||||
def set(self, srvs:list[Rule], policy:str="accept"):
|
def set(self, srvs:list[Rule], policy:str="accept", allow_loopback=False, allow_established=False):
|
||||||
srvs = list(srvs)
|
srvs = list(srvs)
|
||||||
self.reset()
|
self.reset()
|
||||||
if policy == "reject":
|
if policy == "reject":
|
||||||
policy = "drop"
|
policy = "drop"
|
||||||
srvs.extend([
|
srvs.append(Rule(
|
||||||
Rule(
|
proto="any",
|
||||||
proto="any",
|
ip_src="any",
|
||||||
ip_src=iprule,
|
ip_dst="any",
|
||||||
ip_dst=iprule,
|
port_src_from=1,
|
||||||
port_src_from=1,
|
port_dst_from=1,
|
||||||
port_dst_from=1,
|
port_src_to=65535,
|
||||||
port_src_to=65535,
|
port_dst_to=65535,
|
||||||
port_dst_to=65535,
|
action="reject",
|
||||||
action="reject",
|
mode="I"
|
||||||
mode="I"
|
))
|
||||||
) for iprule in ["0.0.0.0/0", "::/0"]
|
rules = self.init_comands(policy, allow_loopback=allow_loopback, allow_established=allow_established) + self.get_rules(*srvs)
|
||||||
])
|
self.cmd(*rules)
|
||||||
self.cmd(*self.init_comands(policy))
|
|
||||||
for ele in srvs[::-1]: self.add(ele)
|
|
||||||
|
|
||||||
def add(self, srv:Rule):
|
def get_rules(self,*srvs:Rule):
|
||||||
ip_filters = []
|
rules = []
|
||||||
if srv.ip_src.lower() != "any" and srv.ip_dst.lower() != "any":
|
for srv in srvs:
|
||||||
ip_filters = [
|
ip_filters = []
|
||||||
{'match': {'left': {'payload': {'protocol': ip_family(srv.ip_src), 'field': 'saddr'}}, 'op': '==', 'right': nftables_int_to_json(srv.ip_src)}},
|
if srv.ip_src.lower() != "any" and srv.ip_dst.lower() != "any":
|
||||||
{'match': {'left': {'payload': {'protocol': ip_family(srv.ip_dst), 'field': 'daddr'}}, 'op': '==', 'right': nftables_int_to_json(srv.ip_dst)}},
|
ip_filters = [
|
||||||
]
|
{'match': {'left': {'payload': {'protocol': ip_family(srv.ip_src), 'field': 'saddr'}}, 'op': '==', 'right': nftables_int_to_json(srv.ip_src)}},
|
||||||
|
{'match': {'left': {'payload': {'protocol': ip_family(srv.ip_dst), 'field': 'daddr'}}, 'op': '==', 'right': nftables_int_to_json(srv.ip_dst)}},
|
||||||
port_filters = []
|
]
|
||||||
if srv.proto != "any":
|
|
||||||
if srv.port_src_from != 1 or srv.port_src_to != 65535: #Any Port
|
port_filters = []
|
||||||
port_filters.append({'match': {'left': {'payload': {'protocol': str(srv.proto), 'field': 'sport'}}, 'op': '>=', 'right': int(srv.port_src_from)}})
|
if srv.proto != "any":
|
||||||
port_filters.append({'match': {'left': {'payload': {'protocol': str(srv.proto), 'field': 'sport'}}, 'op': '<=', 'right': int(srv.port_src_to)}})
|
if srv.port_src_from != 1 or srv.port_src_to != 65535: #Any Port
|
||||||
if srv.port_dst_from != 1 or srv.port_dst_to != 65535: #Any Port
|
port_filters.append({'match': {'left': {'payload': {'protocol': str(srv.proto), 'field': 'sport'}}, 'op': '>=', 'right': int(srv.port_src_from)}})
|
||||||
port_filters.append({'match': {'left': {'payload': {'protocol': str(srv.proto), 'field': 'dport'}}, 'op': '>=', 'right': int(srv.port_dst_from)}})
|
port_filters.append({'match': {'left': {'payload': {'protocol': str(srv.proto), 'field': 'sport'}}, 'op': '<=', 'right': int(srv.port_src_to)}})
|
||||||
port_filters.append({'match': {'left': {'payload': {'protocol': str(srv.proto), 'field': 'dport'}}, 'op': '<=', 'right': int(srv.port_dst_to)}})
|
if srv.port_dst_from != 1 or srv.port_dst_to != 65535: #Any Port
|
||||||
if len(port_filters) == 0:
|
port_filters.append({'match': {'left': {'payload': {'protocol': str(srv.proto), 'field': 'dport'}}, 'op': '>=', 'right': int(srv.port_dst_from)}})
|
||||||
port_filters.append({'match': {'left': {'payload': {'protocol': str(srv.proto), 'field': 'sport'}}, 'op': '!=', 'right': 0}}) #filter the protocol if no port is specified
|
port_filters.append({'match': {'left': {'payload': {'protocol': str(srv.proto), 'field': 'dport'}}, 'op': '<=', 'right': int(srv.port_dst_to)}})
|
||||||
|
if len(port_filters) == 0:
|
||||||
end_rules = [{'accept': None} if srv.action == "accept" else {'reject': {}} if (srv.action == "reject" and not srv.output_mode) else {'drop': None}]
|
port_filters.append({'match': {'left': {'payload': {'protocol': str(srv.proto), 'field': 'sport'}}, 'op': '!=', 'right': 0}}) #filter the protocol if no port is specified
|
||||||
|
|
||||||
self.cmd({ "insert":{ "rule": {
|
end_rules = [{'accept': None} if srv.action == "accept" else {'reject': {}} if (srv.action == "reject" and not srv.output_mode) else {'drop': None}]
|
||||||
"family": "inet",
|
rules.append({ "add":{ "rule": {
|
||||||
"table": self.table_name,
|
"family": "inet",
|
||||||
"chain": self.rules_chain_out if srv.output_mode else self.rules_chain_in,
|
"table": self.table_name,
|
||||||
"expr": ip_filters + port_filters + end_rules
|
"chain": self.rules_chain_out if srv.output_mode else self.rules_chain_in,
|
||||||
#If srv.output_mode is True, then the rule is in the output chain, so the reject action is not allowed
|
"expr": ip_filters + port_filters + end_rules
|
||||||
}}})
|
#If srv.output_mode is True, then the rule is in the output chain, so the reject action is not allowed
|
||||||
|
}}})
|
||||||
|
return rules
|
||||||
|
|
||||||
|
def add(self, *srvs:Rule):
|
||||||
|
self.cmd(*self.get_rules(*srvs))
|
||||||
@@ -119,21 +119,21 @@ async def set_settings(form: FirewallSettings):
|
|||||||
async def get_rule_list():
|
async def get_rule_list():
|
||||||
"""Get the list of existent firegex rules"""
|
"""Get the list of existent firegex rules"""
|
||||||
return {
|
return {
|
||||||
"policy": db.get("POLICY", "accept"),
|
"policy": firewall.policy,
|
||||||
"rules": db.query("SELECT active, name, proto, ip_src, ip_dst, port_src_from, port_dst_from, port_src_to, port_dst_to, action, mode FROM rules ORDER BY rule_id;"),
|
"rules": db.query("SELECT active, name, proto, ip_src, ip_dst, port_src_from, port_dst_from, port_src_to, port_dst_to, action, mode FROM rules ORDER BY rule_id;"),
|
||||||
"enabled": db.get("ENABLED", "0") == "1"
|
"enabled": firewall.enabled
|
||||||
}
|
}
|
||||||
|
|
||||||
@app.get('/enable', response_model=StatusMessageModel)
|
@app.get('/enable', response_model=StatusMessageModel)
|
||||||
async def enable_firewall():
|
async def enable_firewall():
|
||||||
"""Request enabling the firewall"""
|
"""Request enabling the firewall"""
|
||||||
db.set("ENABLED", "1")
|
firewall.enabled = True
|
||||||
return await apply_changes()
|
return await apply_changes()
|
||||||
|
|
||||||
@app.get('/disable', response_model=StatusMessageModel)
|
@app.get('/disable', response_model=StatusMessageModel)
|
||||||
async def disable_firewall():
|
async def disable_firewall():
|
||||||
"""Request disabling the firewall"""
|
"""Request disabling the firewall"""
|
||||||
db.set("ENABLED", "0")
|
firewall.enabled = False
|
||||||
return await apply_changes()
|
return await apply_changes()
|
||||||
|
|
||||||
def parse_and_check_rule(rule:RuleModel):
|
def parse_and_check_rule(rule:RuleModel):
|
||||||
@@ -186,7 +186,7 @@ async def add_new_service(form: RuleFormAdd):
|
|||||||
ele.action, ele.mode
|
ele.action, ele.mode
|
||||||
) for rid, ele in enumerate(rules)]
|
) for rid, ele in enumerate(rules)]
|
||||||
)
|
)
|
||||||
db.set("POLICY", form.policy)
|
firewall.policy = form.policy
|
||||||
except sqlite3.IntegrityError:
|
except sqlite3.IntegrityError:
|
||||||
raise HTTPException(status_code=400, detail="Error saving the rules: maybe there are duplicated rules")
|
raise HTTPException(status_code=400, detail="Error saving the rules: maybe there are duplicated rules")
|
||||||
return await apply_changes()
|
return await apply_changes()
|
||||||
|
|||||||
Reference in New Issue
Block a user