Beispiel #1
0
def _snat_rules(action, form):
    fields = SimpleNamespace(**form)
    # TODO: make this code for snat (currently using dnat code as template)
    if (action == 'remove'):
        try:
            # NOTE: validation needs to know the zone so it can ensure the position is valid
            validate.del_nat_rule(fields)
        except ValidationError as ve:
            error = ve

        else:
            with IPTablesManager() as iptables:
                iptables.delete_nat(fields)

    elif (action == 'add'):
        try:
            validate.add_snat_rule(fields)

            validate.ip_address(
                ip_iter=[fields.orig_src_ip, fields.new_src_ip])

        except ValidationError as ve:
            error = ve
        else:
            with IPTablesManager() as iptables:
                iptables.add_nat(fields)

    else:
        return INVALID_FORM

    return error
Beispiel #2
0
def _dnat_rules(action, form):
    error = None

    fields = SimpleNamespace(**form)
    if (action == 'remove'):
        try:
            # NOTE: validation needs to know the zone so it can ensure the position is valid
            validate.del_nat_rule(fields)
        except ValidationError as ve:
            error = ve

        else:
            with IPTablesManager() as iptables:
                iptables.delete_nat(fields)

                configure.del_open_wan_protocol(fields)

    elif (action == 'add'):
        try:
            # checking all required fields are present and some other basic rules are followed
            # before validating values of standard fields.
            validate.add_dnat_rule(fields)

            if (fields.protocol in ['tcp', 'udp']):
                validate.network_port(fields.dst_port)
                validate.network_port(fields.host_port)

            validate.ip_address(fields.host_ip)

            if (fields.dst_ip != ''):
                validate.ip_address(fields.dst_ip)

        except ValidationError as ve:
            error = ve
        else:
            with IPTablesManager() as iptables:
                iptables.add_nat(fields)

                configure.add_open_wan_protocol(fields)

    else:
        return INVALID_FORM

    return error
Beispiel #3
0
def update_page(form):
    if ('update_wan_state' in form):
        wan_state = form.get('update_wan_state', DATA.INVALID)
        if wan_state is DATA.INVALID:
            return INVALID_FORM

        try:
            wan_state = INTF(validate.convert_int(wan_state))
        except (ValidationError, KeyError):
            return INVALID_FORM

        else:
            configure.set_wan_interface(wan_state)

    elif ('update_wan_ip' in form):
        wan_ip_settings = {
            'ip': form.get('wan_ip', DATA.INVALID),
            'cidr': form.get('wan_cidr', DATA.INVALID),
            'dfg': form.get('wan_dfg', DATA.INVALID)
        }

        if (DATA.INVALID in wan_ip_settings.values()):
            return INVALID_FORM

        try:
            validate.ip_address(wan_ip_settings['ip'])
            validate.cidr(wan_ip_settings['cidr'])
            validate.ip_address(wan_ip_settings['dfg'])
        except ValidationError as ve:
            return ve

        configure.set_wan_ip(wan_ip_settings)

    elif (_IP_DISABLED):
        return 'wan interface configuration currently disabled for system rework.'

    elif ('wan_ip_update' in form):
        wan_ip = form.get('ud_wan_ip', None)
        cidr = form.get('ud_wan_cidr', None)
        default_gateway = form.get('ud_wan_dfg', None)
        # missing forms keys. potential client side manipulation
        if any(x is None for x in [wan_ip, cidr, default_gateway]):
            return INVALID_FORM

        if ('static_wan' in form):
            # keys present, but fields left empty. (unable to force client side)
            if (not wan_ip or not default_gateway):
                return 'All fields are required when setting the wan interface to static.'

            try:
                validate.ip_address(wan_ip)
                validate.cidr(cidr)
                validate.default_gateway(default_gateway)
            except ValidationError as ve:
                return ve
            else:
                wan_settings = {
                    'ip_address': wan_ip,
                    'cidr': cidr,
                    'default_gateway': default_gateway
                }
                configure.set_wan_interface(wan_settings)

        else:
            # no arg indicates dynamic ip/dhcp assignment
            configure.set_wan_interface()

    elif ('wan_mac_update' in form):
        mac_address = form.get('ud_wan_mac', None)
        if (not mac_address):
            return INVALID_FORM

        try:
            validate.mac_address(mac_address)
        except ValidationError as ve:
            return ve
        else:
            configure.set_wan_mac(CFG.ADD, mac_address=mac_address)

    elif ('wan_mac_restore' in form):
        configure.set_wan_mac(CFG.DEL)

    else:
        return INVALID_FORM
Beispiel #4
0
def update_page(form):

    print(form)

    if ('dhcp_res_add' in form):
        dhcp_settings = {
            'zone': form.get('zone', DATA.INVALID),
            'mac': form.get('mac_address', ''),
            'ip': form.get('ip_address', DATA.INVALID),
            'description': form.get('description', DATA.INVALID)
        }

        if (DATA.INVALID in dhcp_settings.values()):
            return INVALID_FORM

        try:
            validate.dhcp_reservation(dhcp_settings)

            # will raise exception if ip address is already reserved
            configure.set_dhcp_reservation(dhcp_settings, CFG.ADD)
        except ValidationError as ve:
            return ve

    # Matching DHCP reservation REMOVE and sending to configuration method.
    elif ('dhcp_res_remove' in form):
        mac_address = form.get('dhcp_res_remove', None)
        if (not mac_address):
            return INVALID_FORM

        try:
            validate.mac_address(mac_address)
        except ValidationError as ve:
            return ve
        else:
            dhcp_settings = {'mac': mac_address.replace(':', '')}

            configure.set_dhcp_reservation(dhcp_settings, CFG.DEL)

    elif ('dhcp_lease_remove' in form):
        ip_addr = form.get('dhcp_lease_remove', None)
        if (not ip_addr):
            return INVALID_FORM

        try:
            validate.ip_address(ip_addr)

            configure.remove_dhcp_lease(ip_addr)
        except ValidationError as ve:
            return ve

    elif ('general_settings' in form):
        server_settings = {
            'interface': form.get('interface', DATA.INVALID),

            # NOTE: switch does not post field if disabled. if not present, the server will disable the
            # corresponding field as normal.
            'enabled': True if form.get('server_enabled', False) else False,
            'icmp_check': True if form.get('icmp_check', False) else False,

            'lease_range': {
                'start': validate.get_convert_int(form, 'start'),
                'end': validate.get_convert_int(form, 'end')
            }
        }

        if (DATA.INVALID in server_settings.values()):
                return INVALID_FORM

        try:
            validate.dhcp_general_settings(server_settings)
        except ValidationError as ve:
            return ve

        else:
            configure.set_dhcp_settings(server_settings)

    else:
        return INVALID_FORM
Beispiel #5
0
def update_page(form):
    if (_SYSLOG_DISABLED):
        return 'Syslog is currently disabled due to rework.'

    elif ('servers_update' in form):
        syslog_server1 = form.get('syslog_server1', None)
        syslog_server2 = form.get('syslog_server2', None)

        syslog_port1 = form.get('syslog_port1', None)
        syslog_port2 = form.get('syslog_port2', None)

        syslog_servers = {
            'server1': {
                'ip_address': syslog_server1,
                'port': syslog_port1
            },
            'server2': {
                'ip_address': syslog_server2,
                'port': syslog_port2
            }
        }

        # both servers are not present/ form keys missing
        if (any(x is None for x in [syslog_server1, syslog_port1])
                or any(x is None for x in [syslog_server2, syslog_port2])):
            return INVALID_FORM

        try:
            for server_info in syslog_servers.values():
                if (server_info['ip_address'] or server_info['port']):
                    validate.ip_address(server_info['ip_address'])
                    validate.network_port(server_info['port'])
        except ValidationError as ve:
            return ve
        else:
            configure.set_syslog_servers(syslog_servers)

    elif ('server_remove' in form):
        syslog_server_number = form.get('syslog_server_remove')
        server_num = validate.convert_int(syslog_server_number)
        if (not server_num):
            return INVALID_FORM

        configure.remove_syslog_server(server_num)

    elif ('settings_update' in form):
        enabled_tls_settings = form.getlist('syslog_tls')
        enabled_syslog_settings = form.getlist('syslog_settings')
        fallback_settings = form.getlist('fallback_settings')

        tls_retry = form.get('tls_retry_time', None)
        tcp_retry = form.get('tcp_retry_time', None)
        syslog_settings = {
            'tls': enabled_tls_settings,
            'syslog': enabled_syslog_settings,
            'fallback': fallback_settings,
            'tls_retry': tls_retry,
            'tcp_retry': tcp_retry
        }

        if (not tls_retry or not tcp_retry):
            return INVALID_FORM

        try:
            validate.syslog_settings(syslog_settings)
        except ValidationError as ve:
            return ve
        else:
            configure.set_syslog_settings(syslog_settings)

        return INVALID_FORM
Beispiel #6
0
def update_page(form):
    if ('wl_add' in form):
        whitelist_settings = {
            'domain': form.get('domain', DATA.INVALID),
            'timer': validate.get_convert_int(form, 'rule_length')
        }
        if (DATA.INVALID in whitelist_settings.values()):
            return INVALID_FORM

        try:
            validate.domain(whitelist_settings['domain'])
            validate.timer(whitelist_settings['timer'])
        except ValidationError as ve:
            return ve
        else:
            configure.add_proxy_domain(whitelist_settings, ruleset='whitelist')

    elif ('wl_remove' in form):
        domain = form.get('wl_remove', DATA.INVALID)

        if (domain is DATA.INVALID):
            return INVALID_FORM

        configure.del_proxy_domain(domain, ruleset='whitelist')

    elif ('exc_add' in form):
        exception_settings = {
            'domain': form.get('domain', DATA.INVALID),
            'reason': form.get('reason', DATA.INVALID),
            'action': CFG.ADD
        }
        if (DATA.INVALID in exception_settings.values()):
            return INVALID_FORM

        try:
            validate.domain(exception_settings['domain'])
            validate.standard(exception_settings['reason'])
        except ValidationError as ve:
            return ve
        else:
            configure.set_proxy_exception(exception_settings,
                                          ruleset='whitelist')

    elif ('exc_remove' in form):
        exception_settings = {
            'domain': form.get('exc_remove', DATA.INVALID),
            'reason': None,
            'action': CFG.DEL
        }
        if (exception_settings['domain'] is DATA.INVALID):
            return INVALID_FORM

        configure.set_proxy_exception(exception_settings, ruleset='whitelist')

    # TODO: this should not restrict ips to only "local_net" now that we have multiple interfaces.
    # we should have the user select which interface it will be active on so we can properly validate the
    # ip address falls within that subnet.

    elif ('ip_wl_add' in form):
        whitelist_settings = {
            'ip': form.get('ip_wl_ip', DATA.INVALID),
            'user': form.get('ip_wl_user', DATA.INVALID),
            'type': form.get('ip_wl_type', DATA.INVALID)
        }
        if (DATA.INVALID in whitelist_settings.values()):
            return INVALID_FORM

        try:
            validate.add_ip_whitelist(whitelist_settings)
        except ValidationError as ve:
            return ve
        else:
            configure.add_proxy_ip_whitelist(whitelist_settings)

    elif ('ip_wl_remove' in form):
        whitelist_ip = form.get('ip_wl_ip', DATA.INVALID)

        if (whitelist_ip is DATA.INVALID):
            return INVALID_FORM

        try:
            validate.ip_address(whitelist_ip)
        except ValidationError as ve:
            return ve
        else:
            configure.del_proxy_ip_whitelist(whitelist_ip)

    else:
        return INVALID_FORM
Beispiel #7
0
def update_page(form):
    # TODO: i dont like this. fix this. i did alittle, but more can be done

    if ('dns_update' in form):
        dns_servers = {
            form.get('dnsname1', DATA.INVALID): form.get('dnsserver1', DATA.INVALID),
            form.get('dnsname2', DATA.INVALID): form.get('dnsserver2', DATA.INVALID)
        }

        # explicit identity check on None to prevent from matching empty fields vs missing for keys.
        if (DATA.INVALID in [*dns_servers.keys(), *dns_servers.values()]):
            return INVALID_FORM

        try:
            dns_server_info = {}
            for i, (server_name, server_ip) in enumerate(dns_servers.items(), 1):
                if (server_ip != ''):
                    validate.standard(server_name)
                    validate.ip_address(server_ip)

                dns_server_info[form.get(f'dnsname{i}')] = form.get(f'dnsserver{i}')
        except ValidationError as ve:
            return ve

        else:
            configure.set_dns_servers(dns_server_info)

    elif ('dns_record_update' in form):
        dns_record_name = form.get('dns_record_name', None)
        dns_record_ip = form.get('dns_record_ip', None)
        if (not dns_record_name or not dns_record_ip):
            return INVALID_FORM

        try:
            validate.dns_record_add(dns_record_name)
            validate.ip_address(dns_record_ip)
        except ValidationError as ve:
            return ve

        else:
            configure.update_dns_record(dns_record_name, CFG.ADD, dns_record_ip)

    elif ('dns_record_remove' in form):
        dns_record_name = form.get('dns_record_remove', None)
        if (not dns_record_name):
            return INVALID_FORM

        try:
            validate.dns_record_remove(dns_record_name)
        except ValidationError as ve:
            return ve

        else:
            configure.update_dns_record(dns_record_name, CFG.DEL)

    elif ('dns_protocol_update' in form):
        dns_tls_settings = {
            'enabled': form.getlist('dns-protocol-settings')
        }

        try:
            validate.dns_over_tls(dns_tls_settings)
        except ValidationError as ve:
            return ve
        else:
            configure.set_dns_over_tls(dns_tls_settings)

    elif ('dns_cache_clear' in form):
        clear_dns_cache = {
            'top_domains': form.get('clear_top_domains', DATA.INVALID),
            'dns_cache': form.get('clear_dns_cache', DATA.INVALID)
        }

        # only one is required, so will only be invalid if both are missing.
        if all([x is DATA.INVALID for x in clear_dns_cache.values()]):
            return INVALID_FORM

        configure.set_dns_cache_clear_flag(clear_dns_cache)

    else:
        return INVALID_FORM
Beispiel #8
0
def update_page(form):
    # Matching logging update form and sending to configuration method.
    if ('dnx_ddos_update' in form):
        action = CFG.ADD if 'ddos' in form else CFG.DEL

        ddos_limits = {}
        for protocol in ['tcp', 'udp', 'icmp']:
            form_limit = form.get(f'{protocol}_limit', None)
            if (form_limit is None):
                return INVALID_FORM

            if (form_limit == ''): continue

            limit = validate.convert_int(form_limit)
            if (not limit):
                return f'{protocol} limit must be an integer or left empty.'

            if (not 5 <= limit <= 200):
                return f'{protocol} limit must be in range 5-200.'

            ddos_limits[protocol] = limit

        configure.set_ips_ddos(action)

        if (ddos_limits):
            configure.set_ips_ddos_limits(ddos_limits)

    elif ('dnx_portscan_update' in form):
        enabled_settings = form.getlist('ps_settings', None)
        try:
            validate.portscan_settings(enabled_settings)
        except ValidationError as ve:
            return ve
        else:
            configure.set_ips_portscan(enabled_settings)

    elif ('general_settings' in form):
        ids_mode = True if 'ids_mode' in form else False
        passive_block_length = form.get('passive_block_length', None)
        if (not passive_block_length):
            return INVALID_FORM

        pb_length = validate.convert_int(passive_block_length)
        try:
            validate.ips_passive_block_length(pb_length)
        except ValidationError as ve:
            return ve
        else:
            configure.set_ips_general_settings(pb_length, ids_mode)

    elif ('ips_wl_add' in form):
        whitelist_ip = form.get('ips_wl_ip', None)
        whitelist_name = form.get('ips_wl_name', None)
        if (not whitelist_ip or not whitelist_name):
            return INVALID_FORM

        try:
            validate.ip_address(whitelist_ip)
            validate.standard(whitelist_name)
        except ValidationError as ve:
            return ve
        else:
            configure.update_ips_ip_whitelist(whitelist_ip,
                                              whitelist_name,
                                              action=CFG.ADD)

    elif ('ips_wl_remove' in form):
        whitelist_ip = form.get('ips_wl_ip', None)
        if (not whitelist_ip):
            return INVALID_FORM

        try:
            validate.ip_address(whitelist_ip)
        except ValidationError as ve:
            return ve
        else:
            configure.update_ips_ip_whitelist(whitelist_ip,
                                              None,
                                              action=CFG.DEL)

    elif ('ips_wl_dns' in form):
        action = CFG.ADD if 'dns_enabled' in form else CFG.DEL

        configure.update_ips_dns_whitelist(action)

    elif ('ips_pbl_remove' in form):
        host_info = form.get('ips_pbl_remove', DATA.INVALID)
        if (host_info is DATA.INVALID):
            return INVALID_FORM

        try:
            host_ip, timestamp = host_info.split('/')

            validate.ip_address(host_ip)
        except:
            return INVALID_FORM

        if (validate.convert_int(timestamp) is DATA.INVALID):
            return INVALID_FORM

        else:
            with IPTablesManager() as iptables:
                iptables.remove_passive_block(host_ip, timestamp)

    else:
        return INVALID_FORM