0xb00b5/firegex-traffic-viewer
5
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: settings update fixed + packet invalid drop

Browse Source
This commit is contained in:
Domingo Dirutigliano
2023-10-01 02:01:47 +02:00
parent b11fa66909
commit e96c38b186
5 changed files with 135 additions and 105 deletions
Download Patch File Download Diff File Expand all files Collapse all files

22
backend/modules/firewall/firewall.py
View File

@@ -38,17 +38,19 @@ class FirewallManager:
allow_established=self.allow_established, allow_established=self.allow_established,
allow_icmp=self.allow_icmp, allow_icmp=self.allow_icmp,
multicast_dns=self.multicast_dns, multicast_dns=self.multicast_dns,
allow_upnp=self.allow_upnp allow_upnp=self.allow_upnp,
drop_invalid=self.drop_invalid
) )
@settings.setter @settings.setter
def settings(self, value:FirewallSettings): def settings(self, value:FirewallSettings):
self.keep_rules=value.keep_rules, self.keep_rules = value.keep_rules
self.allow_loopback=value.allow_loopback, self.allow_loopback=value.allow_loopback
self.allow_established=value.allow_established, self.allow_established=value.allow_established
self.allow_icmp=value.allow_icmp, self.allow_icmp=value.allow_icmp
self.multicast_dns=value.multicast_dns, self.multicast_dns=value.multicast_dns
self.allow_upnp=value.allow_upnp self.allow_upnp=value.allow_upnp
self.drop_invalid=value.drop_invalid
@property @property
def policy(self): def policy(self):
@@ -114,3 +116,11 @@ class FirewallManager:
def allow_upnp(self, value): def allow_upnp(self, value):
self.db.set("allow_upnp", "1" if value else "0") self.db.set("allow_upnp", "1" if value else "0")
@property
def drop_invalid(self):
return self.db.get("drop_invalid", "1") == "1"
@drop_invalid.setter
def drop_invalid(self, value):
self.db.set("drop_invalid", "1" if value else "0")

1
backend/modules/firewall/models.py
View File

@@ -69,3 +69,4 @@ class FirewallSettings(BaseModel):
allow_icmp: bool allow_icmp: bool
multicast_dns: bool multicast_dns: bool
allow_upnp: bool allow_upnp: bool
drop_invalid: bool

52
backend/modules/firewall/nftables.py
View File

@@ -8,8 +8,8 @@ class FiregexTables(NFTableManager):
rules_chain_fwd = "firegex_firewall_rules_fwd" rules_chain_fwd = "firegex_firewall_rules_fwd"
filter_table = "filter" filter_table = "filter"
def init_comands(self, policy:str=Action.ACCEPT, opt: FirewallSettings = None): def init_comands(self, policy:str=Action.ACCEPT, opt: FirewallSettings|None = None):
return [ rules = [
{"add":{"table":{"name":self.filter_table,"family":"ip"}}}, {"add":{"table":{"name":self.filter_table,"family":"ip"}}},
{"add":{"table":{"name":self.filter_table,"family":"ip6"}}}, {"add":{"table":{"name":self.filter_table,"family":"ip6"}}},
@@ -26,7 +26,11 @@ class FiregexTables(NFTableManager):
{"add":{"chain":{"family":"ip6","table":self.filter_table,"name":self.rules_chain_out}}}, {"add":{"chain":{"family":"ip6","table":self.filter_table,"name":self.rules_chain_out}}},
{"add":{"chain":{"family":"ip","table":self.filter_table,"name":self.rules_chain_fwd}}}, {"add":{"chain":{"family":"ip","table":self.filter_table,"name":self.rules_chain_fwd}}},
{"add":{"chain":{"family":"ip6","table":self.filter_table,"name":self.rules_chain_fwd}}}, {"add":{"chain":{"family":"ip6","table":self.filter_table,"name":self.rules_chain_fwd}}},
] + (([ ]
if opt is None: return rules
if opt.allow_loopback:
rules.extend([
{ "add":{ "rule": { { "add":{ "rule": {
"family": "ip", "table": self.filter_table, "chain": self.rules_chain_out, "family": "ip", "table": self.filter_table, "chain": self.rules_chain_out,
"expr": [{ "match": { "op": "==", "left": { "meta": { "key": "iif" }}, "right": "lo"}},{"accept": None}] "expr": [{ "match": { "op": "==", "left": { "meta": { "key": "iif" }}, "right": "lo"}},{"accept": None}]
@@ -43,32 +47,39 @@ class FiregexTables(NFTableManager):
"family": "ip6", "table": self.filter_table, "chain": self.rules_chain_in, "family": "ip6", "table": self.filter_table, "chain": self.rules_chain_in,
"expr": [{ "match": { "op": "==", "left": { "meta": { "key": "iif" }}, "right": "lo"}},{"accept": None}] "expr": [{ "match": { "op": "==", "left": { "meta": { "key": "iif" }}, "right": "lo"}},{"accept": None}]
}}} }}}
] if opt.allow_loopback else []) + ([ ])
if opt.allow_established:
rules.extend([
{ "add":{ "rule": { { "add":{ "rule": {
"family": "ip", "table": self.filter_table, "chain": self.rules_chain_in, "family": "ip", "table": self.filter_table, "chain": self.rules_chain_in,
"expr": [{ "match": {"op": "in", "left": { "ct": { "key": "state" }},"right": ["established", "related"]} }, { "accept": None }] "expr": [{ "match": {"op": "in", "left": { "ct": { "key": "state" }},"right": ["related", "established"]} },{ "accept": None }]
}}}, }}},
{ "add":{ "rule": { { "add":{ "rule": {
"family": "ip", "table": self.filter_table, "chain": self.rules_chain_fwd, "family": "ip", "table": self.filter_table, "chain": self.rules_chain_fwd,
"expr": [{ "match": {"op": "in", "left": { "ct": { "key": "state" }},"right": ["established", "related"]} }, { "accept": None }] "expr": [{ "match": {"op": "in", "left": { "ct": { "key": "state" }},"right": ["related", "established"]} },{ "accept": None }]
}}},
{ "add":{ "rule": {
"family": "ip", "table": self.filter_table, "chain": self.rules_chain_out,
"expr": [{ "match": {"op": "in", "left": { "ct": { "key": "state" }},"right": ["established", "related"]} }, { "accept": None }]
}}}, }}},
{ "add":{ "rule": { { "add":{ "rule": {
"family": "ip6", "table": self.filter_table, "chain": self.rules_chain_in, "family": "ip6", "table": self.filter_table, "chain": self.rules_chain_in,
"expr": [{ "match": {"op": "in", "left": { "ct": { "key": "state" }},"right": ["established", "related"]} }, { "accept": None }] "expr": [{ "match": {"op": "in", "left": { "ct": { "key": "state" }},"right": ["related", "established"]} },{ "accept": None }]
}}}, }}},
{ "add":{ "rule": { { "add":{ "rule": {
"family": "ip6", "table": self.filter_table, "chain": self.rules_chain_fwd, "family": "ip6", "table": self.filter_table, "chain": self.rules_chain_fwd,
"expr": [{ "match": {"op": "in", "left": { "ct": { "key": "state" }},"right": ["established", "related"]} }, { "accept": None }] "expr": [{ "match": {"op": "in", "left": { "ct": { "key": "state" }},"right": ["related", "established"]} },{ "accept": None }]
}}}
])
if opt.drop_invalid:
rules.extend([
{ "add":{ "rule": {
"family": "ip", "table": self.filter_table, "chain": self.rules_chain_in,
"expr": [{ "match": {"op": "==", "left": { "ct": { "key": "state" }},"right": "invalid"} },{ "drop": None }]
}}}, }}},
{ "add":{ "rule": { { "add":{ "rule": {
"family": "ip6", "table": self.filter_table, "chain": self.rules_chain_out, "family": "ip6", "table": self.filter_table, "chain": self.rules_chain_in,
"expr": [{ "match": {"op": "in", "left": { "ct": { "key": "state" }},"right": ["established", "related"]} }, { "accept": None }] "expr": [{ "match": {"op": "==", "left": { "ct": { "key": "state" }},"right": "invalid"} },{ "drop": None }]
}}} }}}
] if opt.allow_established else []) + ([ ])
if opt.allow_icmp:
rules.extend([
{ "add":{ "rule": { { "add":{ "rule": {
"family": "ip", "table": self.filter_table, "chain": self.rules_chain_in, "family": "ip", "table": self.filter_table, "chain": self.rules_chain_in,
"expr": [{ "match": { "op": "==", "left": { "meta": { "key": "l4proto" } }, "right": "icmp"} },{ "accept": None }] "expr": [{ "match": { "op": "==", "left": { "meta": { "key": "l4proto" } }, "right": "icmp"} },{ "accept": None }]
@@ -85,7 +96,9 @@ class FiregexTables(NFTableManager):
"family": "ip6", "table": self.filter_table, "chain": self.rules_chain_fwd, "family": "ip6", "table": self.filter_table, "chain": self.rules_chain_fwd,
"expr": [{ "match": { "op": "==", "left": { "meta": { "key": "l4proto" } }, "right": "ipv6-icmp"} },{ "accept": None }] "expr": [{ "match": { "op": "==", "left": { "meta": { "key": "l4proto" } }, "right": "ipv6-icmp"} },{ "accept": None }]
}}} }}}
] if opt.allow_icmp else []) + ([ ])
if opt.multicast_dns:
rules.extend([
{ "add":{ "rule": { { "add":{ "rule": {
"family": "ip", "table": self.filter_table, "chain": self.rules_chain_in, "family": "ip", "table": self.filter_table, "chain": self.rules_chain_in,
"expr": [ "expr": [
@@ -102,7 +115,9 @@ class FiregexTables(NFTableManager):
{ "accept": None } { "accept": None }
] ]
}}}, }}},
] if opt.multicast_dns else []) + ([ ])
if opt.allow_upnp:
rules.extend([
{ "add":{ "rule": { { "add":{ "rule": {
"family": "ip", "table": self.filter_table, "chain": self.rules_chain_in, "family": "ip", "table": self.filter_table, "chain": self.rules_chain_in,
"expr": [ "expr": [
@@ -119,7 +134,8 @@ class FiregexTables(NFTableManager):
{ "accept": None } { "accept": None }
] ]
}}}, }}},
] if opt.allow_upnp else [])) if opt else [] ])
return rules
def __init__(self): def __init__(self):
super().__init__(self.init_comands(),[ super().__init__(self.init_comands(),[

3
frontend/src/components/Firewall/utils.ts
View File

@@ -52,7 +52,8 @@ export type FirewallSettings = {
allow_established: boolean, allow_established: boolean,
allow_icmp: boolean, allow_icmp: boolean,
multicast_dns: boolean, multicast_dns: boolean,
allow_upnp: boolean allow_upnp: boolean,
drop_invalid: boolean
} }

4
frontend/src/pages/Firewall/SettingsModal.tsx
View File

@@ -5,7 +5,7 @@ import { FirewallSettings, firewall } from '../../components/Firewall/utils';
export function SettingsModal({ opened, onClose }:{ opened:boolean, onClose:()=>void }) { export function SettingsModal({ opened, onClose }:{ opened:boolean, onClose:()=>void }) {
const [settings, setSettings] = useState<FirewallSettings>({keep_rules:false, allow_established:true, allow_loopback:true, allow_icmp:true, allow_upnp:true, multicast_dns:true}) const [settings, setSettings] = useState<FirewallSettings>({} as FirewallSettings)
useEffect(()=>{ useEffect(()=>{
firewall.settings().then( res => { firewall.settings().then( res => {
@@ -44,6 +44,8 @@ export function SettingsModal({ opened, onClose }:{ opened:boolean, onClose:()=>
<Switch label="Allow multicast DNS" checked={settings.multicast_dns} onChange={v => setSettings({...settings, multicast_dns:v.target.checked})}/> <Switch label="Allow multicast DNS" checked={settings.multicast_dns} onChange={v => setSettings({...settings, multicast_dns:v.target.checked})}/>
<Space h="md" /> <Space h="md" />
<Switch label="Allow UPnP protocol" checked={settings.allow_upnp} onChange={v => setSettings({...settings, allow_upnp:v.target.checked})}/> <Switch label="Allow UPnP protocol" checked={settings.allow_upnp} onChange={v => setSettings({...settings, allow_upnp:v.target.checked})}/>
<Space h="md" />
<Switch label="Drop invalid packet" checked={settings.drop_invalid} onChange={v => setSettings({...settings, drop_invalid:v.target.checked})}/>
<Group position="right" mt="md"> <Group position="right" mt="md">
<Button loading={submitLoading} onClick={submitRequest}>Save Setting</Button> <Button loading={submitLoading} onClick={submitRequest}>Save Setting</Button>