0xb00b5/firegex-traffic-viewer
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

add: default policy

Browse Source
This commit is contained in:
Domingo Dirutigliano
2023-09-23 00:23:01 +02:00
parent cc4db16f2d
commit e549d9cf2a
6 changed files with 56 additions and 36 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
backend/modules/firewall/firewall.py
View File

@@ -15,10 +15,10 @@ class FirewallManager:
nft.reset()
async def init(self):
FiregexTables().init()
nft.init()
await self.reload()
async def reload(self):
async with self.lock:
nft.set(map(Rule.from_dict, self.db.query('SELECT * FROM rules WHERE active = 1 ORDER BY rule_id;')))
nft.set(map(Rule.from_dict, self.db.query('SELECT * FROM rules WHERE active = 1 ORDER BY rule_id;')), policy=self.db.get('POLICY', 'accept'))

8
backend/modules/firewall/models.py
View File

@@ -1,8 +1,5 @@
class Rule:
def __init__(self, rule_id: int, name: str, active: bool, proto: str, ip_src:str, ip_dst:str, port_src_from:str, port_dst_from:str, port_src_to:str, port_dst_to:str, action:str, mode:str):
self.rule_id = rule_id
self.active = active
self.name = name
def __init__(self, proto: str, ip_src:str, ip_dst:str, port_src_from:str, port_dst_from:str, port_src_to:str, port_dst_to:str, action:str, mode:str):
self.proto = proto
self.ip_src = ip_src
self.ip_dst = ip_dst
@@ -18,9 +15,6 @@ class Rule:
@classmethod
def from_dict(cls, var: dict):
return cls(
rule_id=var["rule_id"],
active=var["active"],
name=var["name"],
proto=var["proto"],
ip_src=var["ip_src"],
ip_dst=var["ip_dst"],

42
backend/modules/firewall/nftables.py
View File

@@ -28,8 +28,8 @@ class FiregexTables(NFTableManager):
rules_chain_in = "firewall_rules_in"
rules_chain_out = "firewall_rules_out"
def __init__(self):
super().__init__([
def init_comands(self, policy:str="accept", policy_out:str="accept"):
return [
{"add":{"chain":{
"family":"inet",
"table":self.table_name,
@@ -37,7 +37,7 @@ class FiregexTables(NFTableManager):
"type":"filter",
"hook":"prerouting",
"prio":-300,
"policy":"accept"
"policy":policy
}}},
{"add":{"chain":{
"family":"inet",
@@ -46,24 +46,38 @@ class FiregexTables(NFTableManager):
"type":"filter",
"hook":"postrouting",
"prio":-300,
"policy":"accept"
"policy":policy_out
}}},
],[
]
def __init__(self):
super().__init__(self.init_comands(),[
{"flush":{"chain":{"table":self.table_name,"family":"inet", "name":self.rules_chain_in}}},
{"delete":{"chain":{"table":self.table_name,"family":"inet", "name":self.rules_chain_in}}},
{"flush":{"chain":{"table":self.table_name,"family":"inet", "name":self.rules_chain_out}}},
{"delete":{"chain":{"table":self.table_name,"family":"inet", "name":self.rules_chain_out}}},
])
def delete_all(self):
self.cmd(
{"flush":{"chain":{"table":self.table_name,"family":"inet", "name":self.rules_chain_in}}},
{"flush":{"chain":{"table":self.table_name,"family":"inet", "name":self.rules_chain_out}}},
)
def set(self, srv:list[Rule]):
self.delete_all()
for ele in srv: self.add(ele)
def set(self, srvs:list[Rule], policy:str="accept"):
srvs = list(srvs)
self.reset()
if policy == "reject":
policy = "drop"
srvs.extend([
Rule(
proto="any",
ip_src=iprule,
ip_dst=iprule,
port_src_from=1,
port_dst_from=1,
port_src_to=65535,
port_dst_to=65535,
action="reject",
mode="I"
) for iprule in ["0.0.0.0/0", "::/0"]
])
self.cmd(*self.init_comands(policy))
for ele in srvs[::-1]: self.add(ele)
def add(self, srv:Rule):
port_filters = []