firewall: zones, add log field #70

Merged
merged 1 commit into from
Oct 4, 2024
Merged
9 changes: 7 additions & 2 deletions src/nethsec/firewall/__init__.py
Expand Up @@ -773,7 +773,7 @@ def zone_exists(u, zone_name):


def add_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = False, forwards_to: list[str] = None,
forwards_from: list[str] = None) -> {str, set[str]}:
forwards_from: list[str] = None, log: bool = False) -> {str, set[str]}:
"""
Add zone to firewall config.

Expand All @@ -785,6 +785,7 @@ def add_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = Fa
traffic_to_wan: if True, add forwarding from zone to wan
forwards_to: list of zones to forward traffic to
forwards_from: list of zones to forward traffic from
log: if True, log blocked traffic destined to this zone

Returns:
tuple of zone config name and set of added forwarding configs
Expand All @@ -800,6 +801,7 @@ def add_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = Fa
uci.set('firewall', zone_config_name, 'input', input)
uci.set('firewall', zone_config_name, 'forward', forward)
uci.set('firewall', zone_config_name, 'output', 'ACCEPT')
uci.set('firewall', zone_config_name, 'log', '1' if log else '0')

forwardings_added = set()

Expand All @@ -813,13 +815,14 @@ def add_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = Fa
if forwards_from is not None:
for forward_from in forwards_from:
forwardings_added.add(add_forwarding(uci, forward_from, name))

uci.save('firewall')
reorder_firewall_config(uci)
return zone_config_name, forwardings_added


def edit_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = False, forwards_to: list[str] = None,
forwards_from: list[str] = None) -> {str, set[str]}:
forwards_from: list[str] = None, log: bool = False) -> {str, set[str]}:
"""
Edit an existing zone.

Expand All @@ -831,6 +834,7 @@ def edit_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = F
traffic_to_wan: if True, add forwarding from zone to wan
forwards_to: list of zones to forward traffic to
forwards_from: list of zones to forward traffic from
log: if True, log blocked traffic destined to this zone

Returns:
tuple of zone config name and set of updated forwarding configs
Expand All @@ -842,6 +846,7 @@ def edit_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = F
uci.set('firewall', zone_config_name, 'input', input)
uci.set('firewall', zone_config_name, 'forward', forward)
uci.set('firewall', zone_config_name, 'output', 'ACCEPT')
uci.set('firewall', zone_config_name, 'log', '1' if log else '0')

# delete old forwardings

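Review bot: The return annotation on the re-emitted signature lines of add_zone and edit_zone, `-> {str, set[str]}`, is a set display evaluated at definition time rather than a type; the docstring says a tuple is returned, so it should read `-> tuple[str, set[str]]`. The new `uci.set('firewall', zone_config_name, 'log', '1' if log else '0')` lines enable zone logging without writing a `log_limit`, so the message rate presumably falls back to the firewall's default — if the project depends on a specific limit it should be set here or stated in the docstring. edit_zone now writes `log` unconditionally, so an existing caller that does not pass the new parameter resets an enabled zone log to '0'; that matches how input/forward are handled, but deserves a docstring line such as `log: if True, log blocked traffic destined to this zone; omitting it clears the flag`. Both function bodies continue outside the shown hunks.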
10 changes: 10 additions & 0 deletions tests/test_firewall.py
Expand Up @@ -325,6 +325,7 @@
option forward 'REJECT'
option masq '1'
option mtu_fix '1'
option log '1'
list network 'wan6'
list network 'RED_2'
list network 'RED_3'
Expand Down Expand Up @@ -731,6 +732,7 @@ def test_list_zones(u):
assert firewall.list_zones(u)["ns_wan"]["output"] == "ACCEPT"
assert firewall.list_zones(u)["ns_wan"]["forward"] == "REJECT"
assert firewall.list_zones(u)["ns_wan"]["network"] == ("wan6", "RED_2", "RED_3", "RED_1")
assert firewall.list_zones(u)["ns_wan"]["log"] == "1"


def list_zones_no_aliases(u):
Expand All @@ -751,6 +753,7 @@ def test_add_zone(u):
assert u.get("firewall", "ns_new_zone", "input") == "REJECT"
assert u.get("firewall", "ns_new_zone", "output") == "ACCEPT"
assert u.get("firewall", "ns_new_zone", "forward") == "DROP"
assert u.get("firewall", "ns_new_zone", "log") == "0"
assert u.get("firewall", "ns_new_zone2wan", "src") == "new_zone"
assert u.get("firewall", "ns_new_zone2wan", "dest") == "wan"
assert u.get("firewall", "ns_new_zone2lan", "src") == "new_zone"
Expand All @@ -759,6 +762,9 @@ def test_add_zone(u):
assert u.get("firewall", "ns_lan2new_zone", "dest") == "new_zone"
assert u.get("firewall", "ns_guest2new_zone", "src") == "guest"
assert u.get("firewall", "ns_guest2new_zone", "dest") == "new_zone"
assert firewall.add_zone(u, "new_zone_with_log", "REJECT", "DROP", True, ["lan"], ["lan", "guest"], True)
assert u.get("firewall", "ns_new_zone_with_log", "log") == "1"


def test_edit_zone(u):
assert firewall.edit_zone(u, "new_zone", "DROP", "ACCEPT", False, ["lan"], ["lan", "guest"]) == (
Expand All @@ -773,6 +779,10 @@ def test_edit_zone(u):
assert u.get("firewall", "ns_lan2new_zone", "dest") == "new_zone"
assert u.get("firewall", "ns_guest2new_zone", "src") == "guest"
assert u.get("firewall", "ns_guest2new_zone", "dest") == "new_zone"
assert u.get("firewall", "ns_new_zone", "log") == "0"
assert firewall.edit_zone(u, "new_zone", "DROP", "ACCEPT", False, ["lan"], ["lan", "guest"], True)
assert u.get("firewall", "ns_new_zone", "log") == "1"


def test_delete_zone(u):
assert firewall.delete_zone(u, "ns_new_zone") == (
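Review bot: The new `assert firewall.add_zone(u, "new_zone_with_log", ...)` and `assert firewall.edit_zone(u, "new_zone", ..., True)` lines only test the truthiness of the returned tuple, which is never falsy, so they cannot fail on the return value. The existing test_edit_zone call a few lines above compares against an explicit `== (...)`; these should do the same, or at minimum check `[0] == "ns_new_zone_with_log"` so a renamed section is caught. The `option log '1'` fixture line together with the `== "1"` check in test_list_zones covers the read path and the `== "0"` check in test_add_zone covers the default, which is good. test_add_zone and test_edit_zone continue outside the shown hunks.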