summaryrefslogtreecommitdiff
path: root/python/vyos/firewall.py
diff options
context:
space:
mode:
authorChristian Poessinger <christian@poessinger.com>2022-12-17 08:29:12 +0100
committerGitHub <noreply@github.com>2022-12-17 08:29:12 +0100
commit76cf45917de5ed3a04132029d33a240ebd5877d6 (patch)
tree07ffee72afccd941a60508ba56b6e65424d96bd0 /python/vyos/firewall.py
parent0c51111829dcd7660fc5405ae6ac651a8b6987b8 (diff)
parentd7a67aa4a7e7bb82a60ad18103abc6b966a2f8b8 (diff)
downloadvyos-1x-76cf45917de5ed3a04132029d33a240ebd5877d6.tar.gz
vyos-1x-76cf45917de5ed3a04132029d33a240ebd5877d6.zip
Merge branch 'current' into goodnetnick-shloginotp-T4754
Diffstat (limited to 'python/vyos/firewall.py')
-rw-r--r--python/vyos/firewall.py111
1 files changed, 49 insertions, 62 deletions
diff --git a/python/vyos/firewall.py b/python/vyos/firewall.py
index 4075e55b0..48263eef5 100644
--- a/python/vyos/firewall.py
+++ b/python/vyos/firewall.py
@@ -20,6 +20,9 @@ import os
import re
from pathlib import Path
+from socket import AF_INET
+from socket import AF_INET6
+from socket import getaddrinfo
from time import strftime
from vyos.remote import download
@@ -31,65 +34,31 @@ from vyos.util import dict_search_args
from vyos.util import dict_search_recursive
from vyos.util import run
+# Domain Resolver
-# Functions for firewall group domain-groups
-def get_ips_domains_dict(list_domains):
- """
- Get list of IPv4 addresses by list of domains
- Ex: get_ips_domains_dict(['ex1.com', 'ex2.com'])
- {'ex1.com': ['192.0.2.1'], 'ex2.com': ['192.0.2.2', '192.0.2.3']}
- """
- from socket import gethostbyname_ex
- from socket import gaierror
-
- ip_dict = {}
- for domain in list_domains:
- try:
- _, _, ips = gethostbyname_ex(domain)
- ip_dict[domain] = ips
- except gaierror:
- pass
-
- return ip_dict
-
-def nft_init_set(group_name, table="vyos_filter", family="ip"):
- """
- table ip vyos_filter {
- set GROUP_NAME
- type ipv4_addr
- flags interval
- }
- """
- return call(f'nft add set ip {table} {group_name} {{ type ipv4_addr\\; flags interval\\; }}')
-
-
-def nft_add_set_elements(group_name, elements, table="vyos_filter", family="ip"):
- """
- table ip vyos_filter {
- set GROUP_NAME {
- type ipv4_addr
- flags interval
- elements = { 192.0.2.1, 192.0.2.2 }
- }
- """
- elements = ", ".join(elements)
- return call(f'nft add element {family} {table} {group_name} {{ {elements} }} ')
-
-def nft_flush_set(group_name, table="vyos_filter", family="ip"):
- """
- Flush elements of nft set
- """
- return call(f'nft flush set {family} {table} {group_name}')
-
-def nft_update_set_elements(group_name, elements, table="vyos_filter", family="ip"):
- """
- Update elements of nft set
- """
- flush_set = nft_flush_set(group_name, table="vyos_filter", family="ip")
- nft_add_set = nft_add_set_elements(group_name, elements, table="vyos_filter", family="ip")
- return flush_set, nft_add_set
-
-# END firewall group domain-group (sets)
+def fqdn_config_parse(firewall):
+ firewall['ip_fqdn'] = {}
+ firewall['ip6_fqdn'] = {}
+
+ for domain, path in dict_search_recursive(firewall, 'fqdn'):
+ fw_name = path[1] # name/ipv6-name
+ rule = path[3] # rule id
+ suffix = path[4][0] # source/destination (1 char)
+ set_name = f'{fw_name}_{rule}_{suffix}'
+
+ if path[0] == 'name':
+ firewall['ip_fqdn'][set_name] = domain
+ elif path[0] == 'ipv6_name':
+ firewall['ip6_fqdn'][set_name] = domain
+
+def fqdn_resolve(fqdn, ipv6=False):
+ try:
+ res = getaddrinfo(fqdn, None, AF_INET6 if ipv6 else AF_INET)
+ return set(item[4][0] for item in res)
+ except:
+ return None
+
+# End Domain Resolver
def find_nftables_rule(table, chain, rule_matches=[]):
# Find rule in table/chain that matches all criteria and return the handle
@@ -144,12 +113,26 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if side in rule_conf:
prefix = side[0]
side_conf = rule_conf[side]
+ address_mask = side_conf.get('address_mask', None)
if 'address' in side_conf:
suffix = side_conf['address']
- if suffix[0] == '!':
- suffix = f'!= {suffix[1:]}'
- output.append(f'{ip_name} {prefix}addr {suffix}')
+ operator = ''
+ exclude = suffix[0] == '!'
+ if exclude:
+ operator = '!= '
+ suffix = suffix[1:]
+ if address_mask:
+ operator = '!=' if exclude else '=='
+ operator = f'& {address_mask} {operator} '
+ output.append(f'{ip_name} {prefix}addr {operator}{suffix}')
+
+ if 'fqdn' in side_conf:
+ fqdn = side_conf['fqdn']
+ operator = ''
+ if fqdn[0] == '!':
+ operator = '!='
+ output.append(f'{ip_name} {prefix}addr {operator} @FQDN_{fw_name}_{rule_id}_{prefix}')
if dict_search_args(side_conf, 'geoip', 'country_code'):
operator = ''
@@ -192,9 +175,13 @@ def parse_rule(rule_conf, fw_name, rule_id, ip_name):
if 'address_group' in group:
group_name = group['address_group']
operator = ''
- if group_name[0] == '!':
+ exclude = group_name[0] == "!"
+ if exclude:
operator = '!='
group_name = group_name[1:]
+ if address_mask:
+ operator = '!=' if exclude else '=='
+ operator = f'& {address_mask} {operator}'
output.append(f'{ip_name} {prefix}addr {operator} @A{def_suffix}_{group_name}')
# Generate firewall group domain-group
elif 'domain_group' in group: