summaryrefslogtreecommitdiff
path: root/python/vyos/firewall.py
diff options
context:
space:
mode:
authorViacheslav Hletenko <v.gletenko@vyos.io>2022-05-17 21:30:50 +0000
committerViacheslav Hletenko <v.gletenko@vyos.io>2022-05-28 13:20:13 +0000
commite990b2f4c045f5d1be02915ec7d8869d5475ed4e (patch)
tree47d28c45e5cabe54ec9507e9bc44e894ab4b8b2d /python/vyos/firewall.py
parent9347dc53c5bd3d5712121524ea16f3030d735601 (diff)
downloadvyos-1x-e990b2f4c045f5d1be02915ec7d8869d5475ed4e.tar.gz
vyos-1x-e990b2f4c045f5d1be02915ec7d8869d5475ed4e.zip
firewall: T970: Add firewall group domain-group
Domain group allows to filter addresses by domain main Resolved addresses as elements are stored to named "nft set" that used in the nftables rules Also added a dynamic "resolver" systemd daemon vyos-domain-group-resolve.service which starts python script for the domain-group addresses resolving by timeout 300 sec set firewall group domain-group DOMAINS address 'example.com' set firewall group domain-group DOMAINS address 'example.org' set firewall name FOO rule 10 action 'drop' set firewall name FOO rule 10 source group domain-group 'DOMAINS' set interfaces ethernet eth0 firewall local name 'FOO' nft list table ip filter table ip filter { set DOMAINS { type ipv4_addr flags interval elements = { 192.0.2.1, 192.0.2.85, 203.0.113.55, 203.0.113.58 } } chain NAME_FOO { ip saddr @DOMAINS counter packets 0 bytes 0 drop comment "FOO-10" counter packets 0 bytes 0 return comment "FOO default-action accept" } }
Diffstat (limited to 'python/vyos/firewall.py')
-rw-r--r--python/vyos/firewall.py72
1 files changed, 71 insertions, 1 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 04fd44173..8a1237ca9 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -1,6 +1,6 @@
#!/usr/bin/env python3
#
-# Copyright (C) 2021 VyOS maintainers and contributors
+# Copyright (C) 2021-2022 VyOS maintainers and contributors
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License version 2 or later as
@@ -16,9 +16,71 @@
import re
+from vyos.util import call
from vyos.util import cmd
from vyos.util import dict_search_args
+
+# Functions for firewall group domain-groups
+def get_ips_domains_dict(list_domains):
+ """
+ Get list of IPv4 addresses by list of domains
+ Ex: get_ips_domains_dict(['ex1.com', 'ex2.com'])
+ ['192.0.2.1', '192.0.2.2', '192.0.2.3']
+ """
+ from socket import gethostbyname_ex
+ from socket import gaierror
+
+ ip_list = []
+ for domain in list_domains:
+ try:
+ _, _, ips = gethostbyname_ex(domain)
+ for entry in ips:
+ ip_list.append(entry)
+ except gaierror:
+ pass
+
+ return ip_list
+
+def nft_init_set(group_name, table="filter", family="ip"):
+ """
+ table ip filter {
+ set GROUP_NAME
+ type ipv4_addr
+ flags interval
+ }
+ """
+ return call(f'nft add set ip {table} {group_name} {{ type ipv4_addr\\; flags interval\\; }}')
+
+
+def nft_add_set_elements(group_name, elements, table="filter", family="ip"):
+ """
+ table ip filter {
+ set GROUP_NAME {
+ type ipv4_addr
+ flags interval
+ elements = { 192.0.2.1, 192.0.2.2 }
+ }
+ """
+ elements = ", ".join(elements)
+ return call(f'nft add element {family} {table} {group_name} {{ {elements} }} ')
+
+def nft_flush_set(group_name, table="filter", family="ip"):
+ """
+ Flush elements of nft set
+ """
+ return call(f'nft flush set {family} {table} {group_name}')
+
+def nft_update_set_elements(group_name, elements, table="filter", family="ip"):
+ """
+ Update elements of nft set
+ """
+ flush_set = nft_flush_set(group_name, table="filter", family="ip")
+ nft_add_set = nft_add_set_elements(group_name, elements, table="filter", family="ip")
+ return flush_set, nft_add_set
+
+# END firewall group domain-group (sets)
+
def find_nftables_rule(table, chain, rule_matches=[]):
# Find rule in table/chain that matches all criteria and return the handle
results = cmd(f'sudo nft -a list chain {table} {chain}').split("\n")
@@ -118,6 +180,14 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
operator = '!='
group_name = group_name[1:]
output.append(f'{ip_name} {prefix}addr {operator} $A{def_suffix}_{group_name}')
+ # Generate firewall group domain-group
+ elif 'domain_group' in group:
+ group_name = group['domain_group']
+ operator = ''
+ if group_name[0] == '!':
+ operator = '!='
+ group_name = group_name[1:]
+ output.append(f'{ip_name} {prefix}addr {operator} @{group_name}')
elif 'network_group' in group:
group_name = group['network_group']
operator = ''