Skip to content

Commit

Permalink
fix: firewall, avoid duplicate forwardings and zones
Browse files Browse the repository at this point in the history
  • Loading branch information
gsanchietti committed Dec 20, 2023
1 parent 6d55061 commit e2dcf7f
Show file tree
Hide file tree
Showing 2 changed files with 22 additions and 3 deletions.
6 changes: 6 additions & 0 deletions src/nethsec/firewall/__init__.py
Original file line number Diff line number Diff line change
Expand Up @@ -195,6 +195,7 @@ def add_trusted_zone(uci, name, networks = [], link = ""):
- be able to access lan and wan zone
- be accessible from lan zone
If a zone with the same name already exists, do not recreate it.
Changes are saved to staging area.
Arguments:
Expand All @@ -211,6 +212,11 @@ def add_trusted_zone(uci, name, networks = [], link = ""):
if len(name) > 12:
return None, None

# avoid duplicated zones
zones = utils.get_all_by_type(uci, 'firewall', 'zone')
for z in zones:
if zones[z].get("name", "") == name:
return None, None
forwardings = list()
zname = utils.get_random_id()
name = utils.sanitize(name)
Expand Down
19 changes: 16 additions & 3 deletions tests/test_firewall.py
Original file line number Diff line number Diff line change
Expand Up @@ -302,6 +302,19 @@ def test_add_trusted_zone(tmp_path):
assert u.get("firewall", forwardings[1], 'ns_link') == link
assert u.get("firewall", forwardings[2], 'ns_link') == link

def test_duplicated_add_trusted_zone(tmp_path):
u = _setup_db(tmp_path)
(zone, forwardings) = firewall.add_trusted_zone(u, 'mytrusted')
assert zone is None
assert forwardings is None

trusted = 0
for s in u.get_all('firewall'):
if u.get('firewall', s) == 'forwarding':
if u.get('firewall', s, 'src', default='') == "mytrusted" and u.get('firewall', s, 'dest', default='') == "lan":
trusted = trusted + 1
assert trusted == 1

def test_add_trusted_zone_with_networks(tmp_path):
u = _setup_db(tmp_path)
interface = firewall.add_vpn_interface(u, 'testvpn2', 'tuntest2')
Expand Down Expand Up @@ -394,7 +407,7 @@ def test_get_all_linked(tmp_path):
sections = firewall.add_template_service_group(u, "ns_web_secure", "blue", "yellow", link=link)
rule = firewall.add_service(u, "my_service", "443", "tcp", link=link)
interface = firewall.add_vpn_interface(u, 'p2p', 'ppp10', link=link)
(zone, forwardings) = firewall.add_trusted_zone(u, 'mylinked', link=link)
(zone, forwardings) = firewall.add_trusted_zone(u, 'mylinked2', link=link)
linked = firewall.get_all_linked(u, link)
for s in sections:
assert s in linked['firewall']
Expand All @@ -411,7 +424,7 @@ def test_disable_linked_rules(tmp_path):
sections = firewall.add_template_service_group(u, "ns_web_secure", "blue", "yellow", link=link)
rule = firewall.add_service(u, "my_service", "443", "tcp", link=link)
interface = firewall.add_vpn_interface(u, 'p2p', 'ppp10', link=link)
(zone, forwardings) = firewall.add_trusted_zone(u, 'mylinked', link=link)
(zone, forwardings) = firewall.add_trusted_zone(u, 'mylinked4', link=link)
disabled = firewall.disable_linked_rules(u, link)
for s in sections:
assert u.get("firewall", s, "enabled") == "0"
Expand All @@ -429,7 +442,7 @@ def test_delete_linked_sections(tmp_path):
sections = firewall.add_template_service_group(u, "ns_web_secure", "blue", "yellow", link=link)
rule = firewall.add_service(u, "my_service", "443", "tcp", link=link)
interface = firewall.add_vpn_interface(u, 'p2p', 'ppp10', link=link)
(zone, forwardings) = firewall.add_trusted_zone(u, 'mylinked', link=link)
(zone, forwardings) = firewall.add_trusted_zone(u, 'mylinked3', link=link)
deleted = firewall.delete_linked_sections(u, link)
assert len(deleted) > 0
with pytest.raises(UciExceptionNotFound):
Expand Down

0 comments on commit e2dcf7f

Please sign in to comment.