From c044383fd0bec73103f153b6312f87ed99b0b6e4 Mon Sep 17 00:00:00 2001
From: Domingo Dirutigliano
Date: Thu, 12 Oct 2023 12:53:44 +0200
Subject: [PATCH] add: dhcp on firewall
---
backend/modules/firewall/firewall.py | 11 ++++++++++-
backend/modules/firewall/models.py | 3 ++-
backend/modules/firewall/nftables.py | 19 +++++++++++++++++++
frontend/src/components/Firewall/utils.ts | 3 ++-
frontend/src/pages/Firewall/SettingsModal.tsx | 3 ++-
start.py | 2 +-
6 files changed, 36 insertions(+), 5 deletions(-)
diff --git a/backend/modules/firewall/firewall.py b/backend/modules/firewall/firewall.py
index 9bfd1ee..13c0122 100644
--- a/backend/modules/firewall/firewall.py
+++ b/backend/modules/firewall/firewall.py
@@ -39,7 +39,8 @@ class FirewallManager:
 allow_icmp=self.allow_icmp,
 multicast_dns=self.multicast_dns,
 allow_upnp=self.allow_upnp,
- drop_invalid=self.drop_invalid
+ drop_invalid=self.drop_invalid,
+ allow_dhcp=self.allow_dhcp
 )
 
 @settings.setter
@@ -51,6 +52,7 @@ class FirewallManager:
 self.multicast_dns=value.multicast_dns
 self.allow_upnp=value.allow_upnp
 self.drop_invalid=value.drop_invalid
+ self.allow_dhcp=value.allow_dhcp
 
 @property
 def policy(self):
@@ -124,3 +126,10 @@ class FirewallManager:
 def drop_invalid(self, value):
 self.db.set("drop_invalid", "1" if value else "0")
 
+ @property
+ def allow_dhcp(self):
+ return self.db.get("allow_dhcp", "1") == "1"
+
+ @drop_invalid.setter
+ def allow_dhcp(self, value):
+ self.db.set("allow_dhcp", "1" if value else "0")
diff --git a/backend/modules/firewall/models.py b/backend/modules/firewall/models.py
index 54dd3b8..81e4991 100644
--- a/backend/modules/firewall/models.py
+++ b/backend/modules/firewall/models.py
@@ -69,4 +69,5 @@ class FirewallSettings(BaseModel):
 allow_icmp: bool
 multicast_dns: bool
 allow_upnp: bool
- drop_invalid: bool
\ No newline at end of file
+ drop_invalid: bool
+ allow_dhcp: bool
\ No newline at end of file
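Review bot: The setter added at the end of the third firewall.py hunk is decorated with `@drop_invalid.setter` instead of `@allow_dhcp.setter`, so the property object that ends up bound to the name `allow_dhcp` carries drop_invalid's getter and the `allow_dhcp` getter defined three lines above it is silently discarded; reading `settings.allow_dhcp` will then report the drop_invalid flag rather than the `allow_dhcp` key that the setter writes. The fix is the one decorator line, `@allow_dhcp.setter`. Separately, the getter's fallback of `"1"` means DHCP rules are emitted by default when the key has never been stored, which is worth making explicit with a comment such as `# DHCP is accepted unless explicitly disabled in the db`. The enclosing `FirewallManager` class starts outside the hunk, so I cannot see how drop_invalid's own getter defaults.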
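Review bot: In the models.py hunk `allow_dhcp: bool` is added as a required field with no default, so a settings payload produced by a client that predates this change presumably fails validation on `FirewallSettings`, while the backend getter in firewall.py treats a missing key as enabled. If older clients need to keep working, `allow_dhcp: bool = True` keeps the model default aligned with the getter's `"1"` fallback; if a hard break is intended, a short comment on the field saying so would stop the next reader from "fixing" it. The `FirewallSettings` class starts outside the hunk.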
diff --git a/backend/modules/firewall/nftables.py b/backend/modules/firewall/nftables.py
index d61e236..64b66d4 100644
--- a/backend/modules/firewall/nftables.py
+++ b/backend/modules/firewall/nftables.py
@@ -135,6 +135,25 @@ class FiregexTables(NFTableManager):
 ]
 }}},
 ])
+ if opt.allow_dhcp:
+ rules.extend([
+ { "add":{ "rule": {
+ "family": "ip", "table": self.filter_table, "chain": self.rules_chain_in,
+ "expr": [
+ { 'match': {'left': {'payload': {'protocol': "udp", 'field': 'sport'}}, 'op': '==', 'right': 67} },
+ { 'match': {'left': {'payload': {'protocol': "udp", 'field': 'dport'}}, 'op': '==', 'right': 68} },
+ { "accept": None }
+ ]
+ }}},
+ { "add":{ "rule": {
+ "family": "ip6", "table": self.filter_table, "chain": self.rules_chain_in,
+ "expr": [
+ { 'match': {'left': {'payload': {'protocol': "udp", 'field': 'sport'}}, 'op': '==', 'right': 67} },
+ { 'match': {'left': {'payload': {'protocol': "udp", 'field': 'dport'}}, 'op': '==', 'right': 68} },
+ { "accept": None }
+ ]
+ }}},
+ ])
 return rules
 
 def __init__(self):
diff --git a/frontend/src/components/Firewall/utils.ts b/frontend/src/components/Firewall/utils.ts
index 5683426..488cbcc 100644
--- a/frontend/src/components/Firewall/utils.ts
+++ b/frontend/src/components/Firewall/utils.ts
@@ -53,7 +53,8 @@ export type FirewallSettings = {
 allow_icmp: boolean,
 multicast_dns: boolean,
 allow_upnp: boolean,
- drop_invalid: boolean
+ drop_invalid: boolean,
+ allow_dhcp: boolean
 }
diff --git a/frontend/src/pages/Firewall/SettingsModal.tsx b/frontend/src/pages/Firewall/SettingsModal.tsx
index 7c62c40..bdd2add 100644
--- a/frontend/src/pages/Firewall/SettingsModal.tsx
+++ b/frontend/src/pages/Firewall/SettingsModal.tsx
@@ -46,7 +46,8 @@ export function SettingsModal({ opened, onClose }:{ opened:boolean, onClose:()=> setSettings({...settings, allow_upnp:v.target.checked})}/> setSettings({...settings, drop_invalid:v.target.checked})}/> - + + setSettings({...settings, allow_dhcp:v.target.checked})}/>
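Review bot: The `ip6` rule in the nftables.py hunk copies the DHCPv4 port pair (sport 67 to dport 68), but DHCPv6 runs on UDP 547 (server) to 546 (client), so with `allow_dhcp` enabled an IPv6 host still gets no matching accept for its DHCPv6 replies while carrying a rule that never fires. If DHCPv6 is the intent, the two match objects of the second rule should read `'right': 547` and `'right': 546`; if only IPv4 is meant, the `ip6` entry should be dropped rather than left as a misleading no-op. Either way the port numbers deserve a comment on the `if opt.allow_dhcp:` line, e.g. `# accept DHCP server->client replies on the input chain (v4: udp 67->68)`, because an unexplained 67/68 pair reads like a typo to anyone who does not know the protocol. The method that builds `rules` starts before this hunk, so I cannot see what the chain's default policy is or whether client-side DHCP requests need a matching output rule.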
diff --git a/start.py b/start.py
index 6c0881a..e86eb2e 100755
--- a/start.py
+++ b/start.py
@@ -114,7 +114,7 @@ volumes:
 else:
 sep()
 puts("--- WARNING ---", color=colors.yellow)
- puts("You are not in a linux machine, due to docker limitation on other platform, the firewall will not work in this machine. You will only see the interface of firegex.", color=colors.red)
+ puts("You are not in a linux machine, the firewall will not work in this machine.", color=colors.red)
 compose.write(f"""
 version: '3.9'