author | hagbard <vyosdev@derith.de> | 2018-12-11 14:06:43 -0800 |
committer | hagbard <vyosdev@derith.de> | 2018-12-11 14:06:43 -0800 |
commit | 51f61991092a163f680e4ec8f122e73f4074ddf9 (patch) | |
tree | 9daeccc59aa4b86337917f8c0b485f1d291aff2f | |
parent | f968d0846abc416c0eac51aeff55551f9df2dea0 (diff) | |
T1087: Firewall on Wireguard Interface implementation
-rw-r--r-- | debian/changelog | 5 | ||||
-rw-r--r-- | interface-definitions/wireguard.xml | 76 | ||||
-rwxr-xr-x | src/conf_mode/wireguard.py | 89 |
3 files changed, 168 insertions, 2 deletions
diff --git a/debian/changelog b/debian/changelog
index 7666cfd68..f1293e076 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,8 @@
+vyos-1x (1.2.0-8) unstable; urgency=low
+
+ * T1087: Firewall on Wireguard Interface
+
+ -- hagbard <vyosdev@derith.de> Tue, 11 Dec 2018 14:06:14 -0800
 vyos-1x (1.2.0-7) unstable; urgency=low
 * T1061: Wireguard: Missing option to administrativly shutdown interface
diff --git a/interface-definitions/wireguard.xml b/interface-definitions/wireguard.xml
index 8bfffac9d..b7a76eedb 100644
--- a/interface-definitions/wireguard.xml
+++ b/interface-definitions/wireguard.xml
@@ -73,6 +73,82 @@
 </constraint>
 </properties>
 </leafNode>
+ <node name="firewall" owner="${vyatta_sbindir}/vyatta-firewall-trap.pl --level='interfaces wireguard $VAR(../@) firewall'">
+ <properties>
+ <help>Firewall options</help>
+ </properties>
+ <children>
+ <node name="in">
+ <properties>
+ <help>Ruleset for forwarded packets on inbound interface</help>
+ </properties>
+ <children>
+ <leafNode name="name">
+ <properties>
+ <help>Inbound IPv4 firewall ruleset name for interface</help>
+ <completionHelp>
+ <path>firewall name</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="ipv6-name">
+ <properties>
+ <help>Inbound IPv6 firewall ruleset name for interface</help>
+ <completionHelp>
+ <path>firewall ipv6-name</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="local">
+ <properties>
+ <help>Ruleset for packets destined for this router</help>
+ </properties>
+ <children>
+ <leafNode name="name">
+ <properties>
+ <help>Local IPv4 firewall ruleset name for interface</help>
+ <completionHelp>
+ <path>firewall name</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="ipv6-name">
+ <properties>
+ <help>Local IPv4 firewall ruleset name for interface</help>
+ <completionHelp>
+ <path>firewall ipv6-name</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ <node name="out">
+ <properties>
+ <help>Ruleset for forwarded packets on outbound interface</help>
+ </properties>
+ <children>
+ <leafNode name="name">
+ <properties>
+ <help>Outbound IPv4 firewall ruleset name for interface</help>
+ <completionHelp>
+ <path>firewall name</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ <leafNode name="ipv6-name">
+ <properties>
+ <help>Outbound IPv6 firewall ruleset name for interface</help>
+ <completionHelp>
+ <path>firewall ipv6-name</path>
+ </completionHelp>
+ </properties>
+ </leafNode>
+ </children>
+ </node>
+ </children>
+ </node>
 <tagNode 
name="peer"> <properties> <help>peer alias</help> diff --git a/src/conf_mode/wireguard.py b/src/conf_mode/wireguard.py index f5452579e..c46cf7703 100755 --- a/src/conf_mode/wireguard.py +++ b/src/conf_mode/wireguard.py @@ -64,7 +64,17 @@ def get_config(): 'status' : 'exists', 'state' : 'enabled', 'mtu' : '1420', - 'peer' : {} + 'peer' : {}, + 'fw' : { + 'in' : None, + 'local' : None, + 'out' : None + }, + 'fwv6' : { + 'in' : None, + 'local' : None, + 'out' : None + } } } ) @@ -101,6 +111,21 @@ def get_config(): ### mtu if c.exists(cnf + ' mtu'): config_data['interfaces'][intfc]['mtu'] = c.return_value(cnf + ' mtu') + ### firewall name + if c.exists(cnf + ' firewall in name'): + config_data['interfaces'][intfc]['fw']['in'] = c.return_value(cnf + ' firewall in name') + if c.exists(cnf + ' firewall local name'): + config_data['interfaces'][intfc]['fw']['local'] = c.return_value(cnf + ' firewall local name') + if c.exists(cnf + ' firewall out name'): + config_data['interfaces'][intfc]['fw']['out'] = c.return_value(cnf + ' firewall out name') + + if c.exists(cnf + ' firewall in ipv6-name'): + config_data['interfaces'][intfc]['fwv6']['in'] = c.return_value(cnf + ' firewall in ipv6-name') + if c.exists(cnf + ' firewall local ipv6-name'): + config_data['interfaces'][intfc]['fwv6']['local'] = c.return_value(cnf + ' firewall local ipv6-name') + if c.exists(cnf + ' firewall out ipv6-name'): + config_data['interfaces'][intfc]['fwv6']['out'] = c.return_value(cnf + ' firewall out ipv6-name') + ### peers if c.exists(cnf + ' peer'): for p in c.list_nodes(cnf + ' peer'): @@ -123,7 +148,6 @@ def get_config(): config_data['interfaces'][intfc]['peer'][p]['persistent-keepalive'] = c.return_value(cnf + ' peer ' + p + ' persistent-keepalive') if c.exists(cnf + ' peer ' + p + ' preshared-key'): config_data['interfaces'][intfc]['peer'][p]['psk'] = c.return_value(cnf + ' peer ' + p + ' preshared-key') - return config_data 
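Review bot: The help text of the `ipv6-name` leaf under the new `local` node reads `Local IPv4 firewall ruleset name for interface`, a copy of the `name` leaf just above it; it should be `<help>Local IPv6 firewall ruleset name for interface</help>`, as the sibling `in` and `out` nodes already have it. The six new `name`/`ipv6-name` leaves carry only a `completionHelp` and no `<constraint>`, so any string the operator types is committed and later passed on by wireguard.py; a constraint restricting the value to an existing ruleset name would catch typos at commit time instead of at apply time. The enclosing `<node name="firewall">` element is complete within the hunk.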
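Review bot: The six `c.exists`/`c.return_value` blocks added after `### firewall name` differ only in the table (`in`, `local`, `out`) and the leaf (`name` stored under `fw`, `ipv6-name` under `fwv6`), so a two-level loop over those tuples keeps the config path in one place and makes it harder for one of the six to drift. Nothing in this commit checks that the named ruleset exists; if `verify()` (outside the hunks) does not, a wrong name is first reported by `vyatta-firewall.pl` during `apply()` rather than at commit validation. `get_config()` starts before and ends after this hunk.
```python
### firewall name
for key, leaf in (('fw', 'name'), ('fwv6', 'ipv6-name')):
    for table in ('in', 'local', 'out'):
        path = cnf + ' firewall ' + table + ' ' + leaf
        if c.exists(path):
            config_data['interfaces'][intfc][key][table] = c.return_value(path)
# … unchanged: peers …
```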
@@ -267,6 +291,67 @@ def apply(c): with open('/sys/class/net/' + str(intf) + '/ifalias', 'w') as fh: fh.write(str(cnf_descr)) + ### firewall v4 + fw_eff_in = c_eff.return_effective_value(intf + ' firewall in name') + fw_eff_loc = c_eff.return_effective_value(intf + ' firewall local name') + fw_eff_out = c_eff.return_effective_value(intf + ' firewall out name') + + if fw_eff_in != c['interfaces'][intf]['fw']['in']: + if c['interfaces'][intf]['fw']['in'] == None: + update_firewall(intf, fw_eff_in, 'v4', 'delete', 'in') + else: + update_firewall(intf, c['interfaces'][intf]['fw']['in'], 'v4', 'update', 'in') + + if fw_eff_loc != c['interfaces'][intf]['fw']['local']: + if c['interfaces'][intf]['fw']['local'] == None: + update_firewall(intf, fw_eff_loc, 'v4', 'delete', 'local') + else: + update_firewall(intf, c['interfaces'][intf]['fw']['local'], 'v4', 'update', 'local') + + if fw_eff_out != c['interfaces'][intf]['fw']['out']: + if c['interfaces'][intf]['fw']['out'] == None: + update_firewall(intf, fw_eff_out, 'v4', 'delete', 'out') + else: + update_firewall(intf, c['interfaces'][intf]['fw']['out'], 'v4', 'update', 'out') + + ### firewall v6 + fwv6_eff_in = c_eff.return_effective_value(intf + ' firewall in ipv6-name') + fwv6_eff_loc = c_eff.return_effective_value(intf + ' firewall local ipv6-name') + fwv6_eff_out = c_eff.return_effective_value(intf + ' firewall out ipv6-name') + + if fwv6_eff_in != c['interfaces'][intf]['fwv6']['in']: + if c['interfaces'][intf]['fwv6']['in'] == None: + update_firewall(intf, fwv6_eff_in, 'v6', 'delete', 'in') + else: + update_firewall(intf, c['interfaces'][intf]['fwv6']['in'], 'v6', 'update', 'in') + + if fwv6_eff_loc != c['interfaces'][intf]['fwv6']['local']: + if c['interfaces'][intf]['fwv6']['local'] == None: + update_firewall(intf, fwv6_eff_loc, 'v6', 'delete', 'local') + else: + update_firewall(intf, c['interfaces'][intf]['fwv6']['local'], 'v6', 'update', 'local') + + if fwv6_eff_out != c['interfaces'][intf]['fwv6']['out']: + if 
c['interfaces'][intf]['fwv6']['out'] == None: + update_firewall(intf, fwv6_eff_out, 'v6', 'delete', 'out') + else: + update_firewall(intf, c['interfaces'][intf]['fwv6']['out'], 'v6', 'update', 'out') + + return 0 + + +def update_firewall(interf, fw_name, ver, action, table): + cmd = r'sudo /opt/vyatta/sbin/vyatta-firewall.pl --update-interfaces ' + cmd += action + ' ' + interf + ' ' + table + ' ' + fw_name + if ver == 'v4': + cmd += ' \"firewall name\"' + if ver == 'v6': + cmd += ' \"firewall ipv6-name\"' + + sl.syslog(sl.LOG_NOTICE, "fw update executing: " + cmd) + subprocess.call([cmd], shell=True) + return 0 + def configure_interface(c, intf): for p in c['interfaces'][intf]['peer']: ## config init for wg call |
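Review bot: `update_firewall` concatenates `interf` and `fw_name` into one string and runs it with `subprocess.call([cmd], shell=True)`; both values come from the configuration tree, and the new `name`/`ipv6-name` leaves in interface-definitions/wireguard.xml have no `<constraint>`, so a ruleset name containing shell metacharacters reaches the shell unquoted. Passing an argument list with the default `shell=False` takes the shell out of the path and also removes the need for the hand-written `\"firewall name\"` quoting. The six `if ... != ... / == None` blocks in `apply()` that precede it differ only in table and address family and could be driven from one loop, and `== None` should be `is None`. Whether the added `return 0` sits inside or after the per-interface loop cannot be told from the hunk; if inside, `apply()` would stop after the first interface. `apply()` starts before the hunk.
```python
def update_firewall(interf, fw_name, ver, action, table):
    """Attach or detach ruleset fw_name on interf via vyatta-firewall.pl (no shell)."""
    cmd = ['sudo', '/opt/vyatta/sbin/vyatta-firewall.pl', '--update-interfaces',
           action, interf, table, fw_name]
    if ver == 'v4':
        cmd.append('firewall name')
    if ver == 'v6':
        cmd.append('firewall ipv6-name')
    sl.syslog(sl.LOG_NOTICE, "fw update executing: " + ' '.join(cmd))
    subprocess.call(cmd)
    return 0
```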