def _dnat_rules(zone, action, form): error = None fields = SimpleNamespace(**form) if (action == 'remove'): try: # NOTE: validation needs to know the zone so it can ensure the position is valid validate.del_nat_rule(fields) except ValidationError as ve: error = ve else: with IPTableManager() as iptables: iptables.delete_nat(fields) elif (action == 'add'): try: validate.add_dnat_rule(fields) if (fields.protocol in ['tcp', 'udp']): validate.network_port(fields.dst_port) validate.network_port(fields.host_port) validate.ip_address(fields.host_ip) except ValidationError as ve: error = ve else: with IPTableManager() as iptables: iptables.add_nat(fields) configure.add_open_wan_protocol(fields) else: return INVALID_FORM, zone return error, zone
def _snat_rules(zone, action, form): error = None print(333333, form) fields = SimpleNamespace(**form) # TODO: make this code for snat (currently using dnat code as template) if (action == 'remove'): try: # NOTE: validation needs to know the zone so it can ensure the position is valid validate.del_nat_rule(fields) except ValidationError as ve: error = ve else: with IPTableManager() as iptables: iptables.delete_nat(fields) elif (action == 'add'): try: validate.add_snat_rule(fields) validate.ip_address( ip_iter=[fields.orig_src_ip, fields.new_src_ip]) except ValidationError as ve: error = ve else: with IPTableManager() as iptables: iptables.add_nat(fields) else: return INVALID_FORM, zone return error, zone
def update_page(form): ## Matching wan MAC Address Update and sending to configuration method if ('wan_mac_update' in form): mac_address = form.get('ud_wan_mac', None) if (not mac_address): return INVALID_FORM try: validate.mac_address(mac_address) except ValidationError as ve: return ve else: configure.set_wan_mac(CFG.ADD, mac_address=mac_address) ## Matching wan MAC Address Restore to Default and sending to configuration method elif ('wan_mac_restore' in form): configure.set_wan_mac(CFG.DEL) if (_IP_DISABLED): return 'ip address configuration currently disabled for system rework.' elif ('wan_ip_update' in form): wan_ip = form.get('ud_wan_ip', None) cidr = form.get('ud_wan_cidr', None) default_gateway = form.get('ud_wan_dfg', None) # missing forms keys. potential client side manipulation if any(x is None for x in [wan_ip, cidr, default_gateway]): return INVALID_FORM if ('static_wan' in form): # keys present, but fields left empty. (unable to force client side) if (not wan_ip or not default_gateway): return 'All fields are required when setting the wan interface to static.' try: validate.ip_address(wan_ip) validate.cidr(cidr) validate.default_gateway(default_gateway) except ValidationError as ve: return ve else: wan_settings = { 'ip_address': wan_ip, 'cidr': cidr, 'default_gateway': default_gateway } configure.set_wan_interface(wan_settings) else: # no arg indicates dynamic ip/dhcp assignment configure.set_wan_interface() return INVALID_FORM
def _firewall_rules(zone, action, form): error = None # moving form data into a simple namespace. this will allow us to validate and mutate it easier # that its current state of immutable dict. print(form) fields = SimpleNamespace(**form) if (action == 'remove'): try: # NOTE: validation needs to know the zone so it can ensure the position is valid validate.del_firewall_rule(fields) except ValidationError as ve: error = ve else: with IPTableManager() as iptables: iptables.delete_rule(fields) elif (action =='add'): if not all([x in form for x in valid_standard_rule_fields]): return INVALID_FORM, zone fields.action = 'ACCEPT' if 'accept' in form else 'DROP' try: validate.add_firewall_rule(fields) if (fields.dst_port): validate.network_port(fields.dst_port) if (fields.src_ip): validate.ip_address(fields.src_ip) validate.cidr(fields.src_netmask) validate.ip_address(fields.dst_ip) validate.cidr(fields.dst_netmask) except ValidationError as ve: error = ve else: if (not fields.src_ip): fields.src_ip, fields.src_netmask = '0', '0' with IPTableManager() as iptables: iptables.add_rule(fields) elif ('change_interface' not in form): return INVALID_FORM, zone return error, zone
def update_page(form): # Matching logging update form and sending to configuration method. if ('dnx_ddos_update' in form): action = CFG.ADD if 'ddos' in form else CFG.DEL ddos_limits = {} for protocol in ['tcp', 'udp', 'icmp']: form_limit = form.get(f'{protocol}_limit', None) if (form_limit is None): return INVALID_FORM if (form_limit == ''): continue limit = validate.convert_int(form_limit) if (not limit): return f'{protocol} limit must be an integer or left empty.' if (not 10 <= limit <= 200): return f'{protocol} limit must be in range 20-200.' ddos_limits[protocol] = form_limit configure.set_ips_ddos(action) if (ddos_limits): configure.set_ips_ddos_limits(ddos_limits) elif ('dnx_portscan_update' in form): enabled_settings = form.getlist('ps_settings', None) try: validate.portscan_settings(enabled_settings) except ValidationError as ve: return ve else: configure.set_ips_portscan(enabled_settings) elif ('general_settings' in form): ids_mode = True if 'ids_mode' in form else False passive_block_length = form.get('passive_block_length', None) if (not passive_block_length): return INVALID_FORM try: pb_length = validate.ips_passive_block_length(passive_block_length) except ValidationError as ve: return ve else: configure.set_ips_general_settings(pb_length, ids_mode) elif ('ips_wl_add' in form): whitelist_ip = form.get('ips_wl_ip', None) whitelist_name = form.get('ips_wl_name', None) if (not whitelist_ip or not whitelist_name): return INVALID_FORM try: validate.ip_address(whitelist_ip) validate.standard(whitelist_name) except ValidationError as ve: return ve else: configure.update_ips_ip_whitelist(whitelist_ip, whitelist_name, CFG.ADD) elif ('ips_wl_remove' in form): whitelist_ip = form.get('ips_wl_ip', None) if (not whitelist_ip): return INVALID_FORM try: validate.ip_address(whitelist_ip) except ValidationError as ve: return ve else: configure.update_ips_ip_whitelist(whitelist_ip, None, CFG.DEL) elif ('ips_wl_dns' in form): action = CFG.ADD if 'dns_enabled' in form else CFG.DEL configure.update_ips_dns_whitelist(action) else: return INVALID_FORM
def update_page(form): # Matching DNS Update form and sending to configuration method. if ('dns_update' in form): dnsname1 = form.get('dnsname1', None) dnsname2 = form.get('dnsname2', None) dnsserver1 = form.get('dnsserver1', None) dnsserver2 = form.get('dnsserver2', None) dns_servers = {dnsname1: dnsserver1, dnsname2: dnsserver2} # explicit identity check on None to prevent from matching empty fields vs missing for keys. if any(x is None for x in [dnsname1, dnsname2, dnsserver1, dnsserver2]): return INVALID_FORM try: dns_server_info = {} for i, (server_name, server_ip) in enumerate(dns_servers.items(), 1): if (server_ip != ''): validate.standard(server_name) validate.ip_address(server_ip) dns_server_info[form.get(f'dnsname{i}')] = form.get(f'dnsserver{i}') except ValidationError as ve: return ve else: configure.set_dns_servers(dns_server_info) elif ('dns_record_update' in form): dns_record_name = form.get('dns_record_name', None) dns_record_ip = form.get('dns_record_ip', None) if (not dns_record_name or not dns_record_ip): return INVALID_FORM try: validate.dns_record_add(dns_record_name) validate.ip_address(dns_record_ip) except ValidationError as ve: return ve else: configure.update_dns_record(dns_record_name, CFG.ADD, dns_record_ip) elif ('dns_record_remove' in form): dns_record_name = form.get('dns_record_remove', None) if (not dns_record_name): return INVALID_FORM try: validate.dns_record_remove(dns_record_name) except ValidationError as ve: return ve else: configure.update_dns_record(dns_record_name, CFG.DEL) elif ('dns_protocol_update' in form): dns_tls_settings = { 'enabled': form.getlist('dns-protocol-settings') } try: validate.dns_over_tls(dns_tls_settings) except ValidationError as ve: return ve else: configure.set_dns_over_tls(dns_tls_settings) elif ('dns_cache_clear' in form): top_domains = form.get('clear_top_domains', None) dns_cache = form.get('clear_dns_cache', None) if (not top_domains and not dns_cache): return INVALID_FORM clear_dns_cache = {'top_domains': top_domains, 'standard': dns_cache} configure.set_dns_cache_clear_flag(clear_dns_cache) else: return INVALID_FORM
def update_page(form): if (_SYSLOG_DISABLED): return 'Syslog is currently disabled due to rework.' elif ('servers_update' in form): syslog_server1 = form.get('syslog_server1', None) syslog_server2 = form.get('syslog_server2', None) syslog_port1 = form.get('syslog_port1', None) syslog_port2 = form.get('syslog_port2', None) syslog_servers = { 'server1': { 'ip_address': syslog_server1, 'port': syslog_port1 }, 'server2': { 'ip_address': syslog_server2, 'port': syslog_port2 } } # both servers are not present/ form keys missing if (any(x is None for x in [syslog_server1, syslog_port1]) or any(x is None for x in [syslog_server2, syslog_port2])): return INVALID_FORM try: for server_info in syslog_servers.values(): if (server_info['ip_address'] or server_info['port']): validate.ip_address(server_info['ip_address']) validate.network_port(server_info['port']) except ValidationError as ve: return ve else: configure.set_syslog_servers(syslog_servers) elif ('server_remove' in form): syslog_server_number = form.get('syslog_server_remove') server_num = validate.convert_int(syslog_server_number) if (not server_num): return INVALID_FORM configure.remove_syslog_server(server_num) elif ('settings_update' in form): enabled_tls_settings = form.getlist('syslog_tls') enabled_syslog_settings = form.getlist('syslog_settings') fallback_settings = form.getlist('fallback_settings') tls_retry = form.get('tls_retry_time', None) tcp_retry = form.get('tcp_retry_time', None) syslog_settings = { 'tls': enabled_tls_settings, 'syslog': enabled_syslog_settings, 'fallback': fallback_settings, 'tls_retry': tls_retry, 'tcp_retry': tcp_retry } if (not tls_retry or not tcp_retry): return INVALID_FORM try: validate.syslog_settings(syslog_settings) except ValidationError as ve: return ve else: configure.set_syslog_settings(syslog_settings) return INVALID_FORM
def update_page(form): if ('fw_remove' in form): fw_rule = form.get('fw_remove', None) chain = 'FIREWALL' if (not fw_rule): return INVALID_FORM try: validate.del_firewall_rule(fw_rule, chain) except ValidationError as ve: return ve else: with IPTableManager() as iptables: iptables.delete_rule(fw_rule, chain='FIREWALL') elif ('fw_add' in form): pos = form.get('position', None) dst_ip = form.get('dst_ip', None) dst_netmask = form.get('dst_netmask', None) src_ip = form.get('src_ip', None) src_netmask = form.get('src_netmask', None) protocol = form.get('protocol', None) dst_port = form.get('dst_port', False) if (dst_port == ''): dst_port = None if (src_ip == ''): src_ip = '0' src_netmask = '0' if ('accept' in form): action = 'ACCEPT' else: action = 'DROP' iptable_rule = { 'pos': pos, 'src_ip': src_ip, 'src_netmask': src_netmask, 'dst_ip': dst_ip, 'dst_netmask': dst_netmask, 'dst_port': dst_port, 'protocol': protocol, 'action': action } # TODO: make this less compiticated? if (pos and dst_ip and dst_netmask and src_ip and src_netmask and protocol and dst_port is not False): try: validate.add_firewall_rule(iptable_rule) if (dst_port != None): validate.network_port(dst_port) if (src_ip != '0'): validate.ip_address(src_ip) validate.cidr(src_netmask) validate.cidr(dst_netmask) validate.ip_address(dst_ip) with IPTableManager() as iptables: iptables.add_rule(iptable_rule) except ValidationError as ve: return ve else: return INVALID_FORM elif ('nat_remove' in form): nat_rule = form.get('nat_remove', None) if (not nat_rule): return INVALID_FORM try: validate.del_firewall_rule(nat_rule, chain='NAT') except ValidationError as ve: return ve else: configure.del_open_wan_protocol(nat_rule) with IPTableManager() as iptables: iptables.delete_nat(nat_rule) elif ('nat_add' in form): host_ip = form.get('host_ip', None) protocol = form.get('protocol', None) if (protocol in ['tcp', 'udp']): dst_port = form.get('dst_port') host_port = form.get('host_port') elif (protocol in ['icmp']): dst_port = None host_port = None open_protocols = load_configuration('ips.json') icmp_allow = open_protocols['ips']['open_protocols']['icmp'] if (icmp_allow): return 'Only one ICMP rule can be active at a time. Remove existing rule before adding another.' else: return INVALID_FORM try: if (protocol in ['tcp', 'udp']): validate.network_port(dst_port) validate.network_port(host_port) validate.ip_address(host_ip) except ValidationError as ve: return ve else: with IPTableManager() as iptables: iptables.add_nat(protocol, dst_port, host_ip, host_port) configure.add_open_wan_protocol(protocol, dst_port, host_port) else: return INVALID_FORM
def update_page(form): if ('wl_add' in form): domain = form.get('domain', None) timer = form.get('rule_length', None) if (not domain or not timer): return INVALID_FORM try: validate.domain(domain) validate.timer(timer) except ValidationError as ve: return ve else: configure.add_proxy_domain(domain, timer, ruleset='whitelist') elif ('wl_remove' in form): domain = form.get('wl_remove', None) if (not domain): return INVALID_FORM configure.del_proxy_domain(domain, ruleset='whitelist') elif ('exc_add' in form): domain = form.get('domain', None) reason = form.get('reason', None) if (not domain or not reason): return INVALID_FORM try: validate.domain(domain) validate.standard(reason) except ValidationError as ve: return ve else: configure.set_proxy_exception(domain, CFG.ADD, reason, ruleset='whitelist') elif ('exc_remove' in form): domain = form.get('exc_remove', None) if (not domain): return INVALID_FORM configure.set_proxy_exception(domain, CFG.DEL, ruleset='whitelist') elif ('ip_wl_add' in form): whitelist_ip = form.get('ip_wl_ip', None) whitelist_user = form.get('ip_wl_user', None) whitelist_type = form.get('ip_wl_type', None) whitelist_settings = {'user': whitelist_user, 'type': whitelist_type} if not all([whitelist_ip, whitelist_type, whitelist_user]): return INVALID_FORM try: validate.ip_address(whitelist_ip) validate.add_ip_whitelist(whitelist_ip, whitelist_settings) except ValidationError as ve: return ve else: configure.add_proxy_ip_whitelist(whitelist_ip, whitelist_settings) elif ('ip_wl_remove' in form): whitelist_ip = form.get('ip_wl_ip', None) whitelist_type = form.get('ip_wl_type', None) if (not whitelist_ip or not whitelist_type): return INVALID_FORM try: validate.ip_address(whitelist_ip) validate.del_ip_whitelist(whitelist_type) except ValidationError as ve: return ve else: configure.del_proxy_ip_whitelist(whitelist_ip, whitelist_type) else: return INVALID_FORM
def update_page(form): if ('wl_add' in form): whitelist_settings = { 'domain': form.get('domain', DATA.INVALID), 'timer': validate.get_convert_int(form, 'rule_length') } if (DATA.INVALID in whitelist_settings.values()): return INVALID_FORM try: validate.domain(whitelist_settings['domain']) validate.timer(whitelist_settings['timer']) except ValidationError as ve: return ve else: configure.add_proxy_domain(whitelist_settings, ruleset='whitelist') elif ('wl_remove' in form): domain = form.get('wl_remove', DATA.INVALID) if (domain is DATA.INVALID): return INVALID_FORM configure.del_proxy_domain(domain, ruleset='whitelist') elif ('exc_add' in form): exception_settings = { 'domain': form.get('domain', DATA.INVALID), 'reason': form.get('reason', DATA.INVALID), 'action': CFG.ADD } if (DATA.INVALID in exception_settings.values()): return INVALID_FORM try: validate.domain(exception_settings['domain']) validate.standard(exception_settings['reason']) except ValidationError as ve: return ve else: configure.set_proxy_exception(exception_settings, ruleset='whitelist') elif ('exc_remove' in form): exception_settings = { 'domain': form.get('exc_remove', DATA.INVALID), 'reason': None, 'action': CFG.DEL } if (exception_settings['domain'] is DATA.INVALID): return INVALID_FORM configure.set_proxy_exception(exception_settings, ruleset='whitelist') # TODO: this should not restrict ips to only "local_net" now that we have multiple interfaces. # we should have the user select which interface it will be active on so we can properly validate the # ip address falls within that subnet. elif ('ip_wl_add' in form): whitelist_settings = { 'ip': form.get('ip_wl_ip', DATA.INVALID), 'user': form.get('ip_wl_user', DATA.INVALID), 'type': form.get('ip_wl_type', DATA.INVALID) } if (DATA.INVALID in whitelist_settings.values()): return INVALID_FORM try: validate.add_ip_whitelist(whitelist_settings) except ValidationError as ve: return ve else: configure.add_proxy_ip_whitelist(whitelist_settings) elif ('ip_wl_remove' in form): whitelist_ip = form.get('ip_wl_ip', DATA.INVALID) if (whitelist_ip is DATA.INVALID): return INVALID_FORM try: validate.ip_address(whitelist_ip) except ValidationError as ve: return ve else: configure.del_proxy_ip_whitelist(whitelist_ip) else: return INVALID_FORM