self.file.write("\n")

        self.file.write("# Call bypass-rules chain from PREROUTING chain to forward traffic" + "\n")
        self.file.write("${IPTABLES} -t filter -D FORWARD -m conntrack --ctstate NEW -m comment --comment \"Bypass rules\" -j bypass-rules >/dev/null 2>&1" + "\n")
        self.file.write("${IPTABLES} -t filter -A FORWARD -m conntrack --ctstate NEW -m comment --comment \"Bypass rules\" -j bypass-rules" + "\n")
        self.file.write("\n")

        self.file.write("# Bypass all packets and sessions to the local server" + "\n")
        self.file.write("${IPTABLES} -A input-set-marks -t mangle ! -i utun -m conntrack --ctstate NEW -j MARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local inbound packets\"" % self.bypass_mark_mask + "\n")
        self.file.write("${IPTABLES} -A input-set-marks -t mangle ! -i utun -m conntrack --ctstate NEW -j CONNMARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local inbound sessions\"" % self.bypass_mark_mask + "\n")
        self.file.write("\n")

        self.file.write("# Bypass all packets and sessions from the local server" + "\n")
        self.file.write("${IPTABLES} -A output-set-marks -t mangle -j MARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local outbound packets\"" % self.bypass_mark_mask + "\n")
        self.file.write("${IPTABLES} -A output-set-marks -t mangle -m conntrack --ctstate NEW -j CONNMARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local outbound sessions\"" % self.bypass_mark_mask + "\n")
        self.file.write("\n")

        self.write_restore_bypass_mark(settings)
        self.write_set_bypass_mark(settings)
        self.write_bypass_rules(settings)

        self.file.flush()
        self.file.close()

        print("BypassRulesManager: Wrote %s" % self.filename)

        return


# Module-level side effect: instantiate BypassRuleManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(BypassRuleManager())
        file.write("#!/bin/sh")
        file.write("\n\n")

        file.write("## Auto Generated\n")
        file.write("## DO NOT EDIT. Changes will be overwritten.\n")
        file.write("\n\n")

        file.write('TMPFILE="/tmp/shadow"\n')
        file.write('/bin/sed -e \'s|^\\(root:\\)[^:]*:[^:]*\\(:.*\\)$|\\1')
        file.write(phash.replace("$", r"\$"))
        file.write(':\\2|\' /etc/shadow > $TMPFILE\n')
        file.write('\n')

        file.write(
            'if ! diff /etc/shadow $TMPFILE >/dev/null 2>&1 ; then cp $TMPFILE /etc/shadow ; fi\n'
        )
        file.write('\n')

        file.write('rm -f $TMPFILE')
        file.write('\n')

        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("AccountsManager: Wrote %s" % filename)
        return


# Module-level side effect: instantiate AccountsManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(AccountsManager())
        self.file.write("# If its local and port 80 and hasnt already been handled in this chain, block it\n")
        self.file.write("${IPTABLES} -t nat -A port-forward-rules -p tcp -m addrtype --dst-type local --destination-port 80 -j REDIRECT --to-ports 0 -m comment --comment \"Drop local HTTP traffic that hasn't been handled earlier in chain\"" + "\n")
        self.file.write("\n")

        # write a rule to protect http port for primary address when coming from a bridged interface
        # add rule to block at the end. If that point is reached then it hasn't been protected or port forwarded
        # The block rule exists so that when the port is changed from the default the original port won't still work
        # This is for bridged cases. If the primary IP of external is 1.2.3.4 we want to reserve 1.2.3.4:80 for http, but ONLY from the inside so that port forwards work externally.
        for intf in settings.get('interfaces'):
            if intf.get('configType') == 'ADDRESSED' and intf.get('isWan'):
                # now find all interfaces bridged to this WAN
                for sub_intf in settings.get('interfaces'):
                    if sub_intf.get('configType') == 'BRIDGED' and sub_intf.get('bridgedTo') == intf.get('interfaceId'):
                        self.file.write("# don't allow port forwarding of http port of primary IP of WAN from bridged interface %i.\n" % sub_intf.get('interfaceId'))
                        self.file.write("ADDR=\"`ip addr show %s | awk '/^ *inet.*scope global/ { interface = $2 ; sub( \"/.*\", \"\", interface ) ; print interface ; exit }'`\"\n" % intf.get('symbolicDev'))
                        self.file.write("if [ ! -z \"${ADDR}\" ] ; then" + "\n")
                        self.file.write("\t${IPTABLES} -t nat -I port-forward-rules -p tcp -m mark --mark 0x%04X/0x%04X --destination ${ADDR} --destination-port %i -j DNAT --to-destination ${ADDR}:80 -m comment --comment \"Reserve port 80 on ${ADDR} for blockpages\"" % (sub_intf.get('interfaceId'), self.src_interface_mark_mask, http_port) + "\n")
                        self.file.write("\t${IPTABLES} -t nat -A port-forward-rules -p tcp -m mark --mark 0x%04X/0x%04X --destination ${ADDR} --destination-port 80 -j REDIRECT --to-ports 0 -m comment --comment \"Drop local HTTP traffic that hasn't been handled earlier in chain\"" % (sub_intf.get('interfaceId'), self.src_interface_mark_mask) + "\n")
                        self.file.write("fi" + "\n")
                        self.file.write("\n")

        self.file.write("\n\n")
        self.file.flush()
        self.file.close()

        print("PortForwardManager: Wrote %s" % self.filename)


# Module-level side effect: instantiate PortForwardManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(PortForwardManager())
class SettingsManager:
    """Manager whose only active step is settings validation.

    initialize, sanitize_settings and sync_settings are no-ops; validate_settings
    runs the module-level fixup_settings and cleanup_settings helpers over the
    settings object, in that order.
    """

    def initialize(self):
        """Nothing to set up; returns None."""
        return None

    def sanitize_settings(self, settings):
        """No sanitizing is performed; settings are left untouched."""
        return None

    def validate_settings(self, settings):
        """Normalize settings in place: fixup_settings first, then cleanup_settings."""
        fixup_settings(settings)
        cleanup_settings(settings)

    def sync_settings(self, settings, prefix, delete_list):
        """This manager writes no files; returns None."""
        return None
    
# Module-level side effect: instantiate SettingsManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(SettingsManager())

def fixup_settings(json_obj):
    """
    Fixes JSON serialization oddities in the JSON object
    """
    if isinstance(json_obj, dict):
        for key in list(json_obj.keys()):
            value = json_obj.get(key)
            if isinstance(value, dict):
                if value.get('list') != None and value.get('javaClass') != None and "List" in value.get('javaClass'):
                    # Java serializes list objects as:
                    # "foo": { "javaClass": "java.util.LinkedList", "list": [] },
                    # This will change it to this for simplicity:
                    # "foo": []
                    new_value = value.get('list')
    # Instead manually kill all process with ddclient in name
    pgrep ddclient | while read pid ; do kill $pid ; done
fi
""")
        else:
            file.write(r"""
# ddclient process changes its own name, no "pidof ddclient" does not work
DDCLIENT_PID="`pgrep ddclient`"

# Restart ddclient if it isnt found
# Or if ddclient.conf orhas been written since ddclient was started
if [ -z "$DDCLIENT_PID" ] ; then
    systemctl --no-block restart ddclient

# use not older than (instead of newer than) because it compares seconds and we want an equal value to still do a restart
elif [ ! /etc/ddclient.conf -ot /proc/$DDCLIENT_PID ] ; then
    systemctl --no-block restart ddclient
fi
""")

        file.write("\n")
        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("DdclientManager: Wrote %s" % filename)
        return


# Module-level side effect: instantiate DdclientManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(DdclientManager())
        # file.write("\n");

        # file.write("\t${IPTABLES} -t raw -A helpers -p tcp --dport 6667 -j CT --helper irc" + "\n");
        # file.write("\n");

        # # XXX - in testing it seems this PPTP helper does not work
        # # The GRE session does not get redirected
        # # the nf_nat_pptp and associated GRE plugin do work correctly, but is deprecated in newer kernels
        # file.write("\t${IPTABLES} -t raw -A helpers -p tcp --dport 1723 -j CT --helper pptp" + "\n");
        # file.write("\n");

        # file.write("\t${IPTABLES} -t raw -A helpers -p udp --dport 69 -j CT --helper tftp" + "\n");
        # file.write("\n");

        # file.write("\t${IPTABLES} -t raw -A helpers -p udp --dport 137 -j CT --helper netbios-ns" + "\n");
        # file.write("\n");

        # file.write("\t${IPTABLES} -t raw -A helpers -p udp --dport 161 -j CT --helper snmp" + "\n");
        # file.write("\n");

        # file.write("fi" + "\n");
        # file.write("\n");

        file.flush()
        file.close()

        print("IptablesManager: Wrote %s" % filename)


# Module-level side effect: instantiate IptablesManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(IptablesManager())
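    def sync_settings(self, settings, prefix, delete_list, rules_dir="/etc/config/nftables-rules.d/"):
        """Sync the nftables-rules.d/2.* files owned by this manager.

        Args:
            settings: settings object passed through to self.write_files.
            prefix: path prefix passed through to self.write_files.
            delete_list: list of file paths scheduled for deletion. Every
                existing file under ``rules_dir`` whose name starts with "2"
                is appended here before write_files runs; per the original
                author's note, write_files is expected to take back the files
                it (re)writes so that only stale 2* files are removed.
            rules_dir: directory to scan. Keyword with the live default so
                existing callers are unaffected; overridable for testing.

        Returns:
            None.
        """
        for dirpath, _, filenames in os.walk(rules_dir):
            # os.path.join rather than "dirpath + filename": os.walk yields
            # subdirectory paths without a trailing separator, so plain
            # concatenation produced a wrong path for anything below the
            # top level (only the root, which keeps its trailing "/", worked).
            delete_list.extend(
                os.path.join(dirpath, name)
                for name in filenames
                if name.startswith("2")
            )
        # Write all the /etc/config/nftables-rules.d/2.* files
        self.write_files(settings, prefix, delete_list)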

# Module-level side effect: instantiate TableManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(TableManager())

def write_file(filename, table_settings, prefix):
    """write_file writes the specified file"""
    file_dir = os.path.dirname(filename)
    if not os.path.exists(file_dir):
        os.makedirs(file_dir)

    file = open(filename, "w+")
    file.write("#!/bin/sh")
    file.write("\n\n")

    file.write("## Auto Generated\n")
    file.write("## DO NOT EDIT. Changes will be overwritten.\n")
    file.write("\n\n")
    def validate_settings(self, settings):
        """Validation hook: no checks are performed on settings; returns None."""
        return None

    def create_settings(self, settings, prefix, delete_list, filename):
        """Populate the default 'reports' and 'dashboard' sections of settings.

        The settings dict is modified in place; prefix, delete_list and
        filename are accepted for the shared manager signature but not used.
        """
        print(f"{type(self).__name__}: Initializing settings")
        settings["reports"] = default_reports_settings()
        settings["dashboard"] = default_dashboard_settings()

    def sync_settings(self, settings, prefix, delete_list):
        """Sync hook: this manager writes no files; returns None."""
        return None


# Module-level side effect: instantiate ReportsManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(ReportsManager())


def default_reports_settings():
    """Return a fresh default reports section: an empty 'entries' list."""
    entries = []
    return dict(entries=entries)

def default_dashboard_settings():
    """default dashboard settings"""
    return {
        "widgets": [{
            "name": "Interface Usage",
            "interval": 30
        }, {
        file.write("## Auto Generated\n")
        file.write("## DO NOT EDIT. Changes will be overwritten.\n")
        file.write("\n\n")

        file.write("# Force send ARP to the gateways to update MAC table" + "\n")
        file.write("# This is necessary for malfunctioning ISP routers that have permanent ARP caches" + "\n")
        file.write("\n")
        for intf in settings['interfaces']:
            if intf.get('v4ConfigType') == 'STATIC':
                if 'v4StaticGateway' in intf and 'v4StaticAddress' in intf:
                    file.write("# Static IP of interface %i\n" % intf.get('interfaceId'))
                    file.write("arping -U -c 1 -I %s -s %s %s >/dev/null &\n" % (intf.get('systemDev'), intf.get('v4StaticAddress'), intf.get('v4StaticGateway')))
                    if intf.get('v4Aliases') != None:
                        for alias in intf.get('v4Aliases'):
                            file.write("# Alias IPs of interface %i\n" % intf.get('interfaceId'))
                            file.write("arping -U -c 1 -I %s -s %s %s >/dev/null &\n" % (intf.get('systemDev'), alias.get('staticAddress'), intf.get('v4StaticGateway')))

        file.write("\n\n")

        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("ArpManager: Wrote %s" % filename)

        return


# Module-level side effect: instantiate ArpManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(ArpManager())
            file.write("\ttrue" + "\n")
        else:
            # And should not be loaded - unload it!
            file.write("\techo Unloading nf_conntrack_sip kernel module..." + "\n")
            file.write("\tmodprobe -r nf_conntrack_sip" + "\n")

        file.write("else" + "\n")
        # Its not loaded

        if settings.get('enableSipNatHelper'):
            # And should be loaded - load it!
            file.write("\techo Loading nf_conntrack_sip kernel module..." + "\n")
            file.write("\tmodprobe nf_conntrack_sip" + "\n")
        else:
            # And should not be loaded - do nothing!
            file.write("\ttrue" + "\n")

        file.write("fi" + "\n")

        file.write("fi" + "\n")
        file.write("\n")

        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("KernelManager: Wrote %s" % filename)


# Module-level side effect: instantiate KernelManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(KernelManager())
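    def write_resolve_file(self, settings, prefix):
        """Write the resolv.conf that points name resolution at the local resolver.

        Args:
            settings: settings dict. Must contain 'hostName' (otherwise an
                ERROR line is printed and nothing is written). An optional
                'domainName' becomes the ``search`` directive.
            prefix: path prefix prepended to self.resolv_filename.

        Returns:
            None.
        """
        if 'hostName' not in settings:
            print("ERROR: Missing hostname setting")
            return

        filename = prefix + self.resolv_filename
        file_dir = os.path.dirname(filename)
        # exist_ok removes the check-then-create race of the old
        # os.path.exists()/os.makedirs() pair.
        if file_dir:
            os.makedirs(file_dir, exist_ok=True)

        domain_name = settings.get('domainName')
        # NOTE(review): domainName is written verbatim. A value containing
        # whitespace or a newline would add text beyond the single 'search'
        # line in the generated file; if settings can originate from an
        # untrusted source, validate the value before it reaches here.
        lines = [
            "## Auto Generated\n",
            "## DO NOT EDIT. Changes will be overwritten.\n",
            "\n",
            "nameserver 127.0.0.1\n",
        ]
        if domain_name is not None:
            lines.append("search %s" % domain_name + "\n")
        lines.append("\n")

        # The context manager closes the handle even if a write fails; the
        # previous open()/close() pair leaked it on error.
        with open(filename, "w+") as file:
            file.writelines(lines)

        print("HostsManager: Wrote %s" % filename)
        return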


# Module-level side effect: instantiate HostsManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(HostsManager())
        file.write("## Auto Generated\n")
        file.write("## DO NOT EDIT. Changes will be overwritten.\n")
        file.write("\n")

        file.write(r"""
RADVD_PID="`pidof radvd`"

# Start radvd if it isnt found and is needed (config file is non-zero)
# Restart radvd if it is found and but is outdated and is needed (config file is non-zero)
# Stop if radvd is found, but no longer needed (config file is zero size)
# The reason we don't just stop and then start if needed if to avoid doing anything if nothing is required.
if [ -z "$RADVD_PID" ] && [ -s /etc/radvd.conf ] ; then
    systemctl --no-block start radvd
elif [ /etc/radvd.conf -nt /proc/$RADVD_PID ] && [ -s /etc/radvd.conf ] ; then
    systemctl --no-block restart radvd
elif [ ! -z "$RADVD_PID" ] && [ ! -s /etc/radvd.conf ] ; then
    systemctl --no-block stop radvd
fi
""")

        file.write("\n")
        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("RadvdManager: Wrote %s" % filename)
        return


# Module-level side effect: instantiate RadvdManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(RadvdManager())
                       (self.SERVER_INTERFACE_MASK, (interface_id << self.SERVER_INTERFACE_SHIFT), self.CLIENT_TYPE_MASK_INVERSE, interface_type << self.CLIENT_TYPE_SHIFT))
            file.write("# if ct mark client interface is X then set the mark server interface to X\n")
            file.write("nft add rule inet interface-marks restore-interface-marks-reply ct mark and 0x%x == 0x%x mark set mark and 0x%x or 0x%x\n" %
                       (self.CLIENT_INTERFACE_MASK, (interface_id << self.CLIENT_INTERFACE_SHIFT), self.SERVER_INTERFACE_MASK_INVERSE, interface_id << self.SERVER_INTERFACE_SHIFT))
            file.write("# if ct mark client interface is X then set the mark server type to Xs type\n")
            file.write("nft add rule inet interface-marks restore-interface-marks-reply ct mark and 0x%x == 0x%x mark set mark and 0x%x or 0x%x\n" %
                       (self.CLIENT_INTERFACE_MASK, (interface_id << self.CLIENT_INTERFACE_SHIFT), self.SERVER_TYPE_MASK_INVERSE, interface_type << self.SERVER_TYPE_SHIFT))

        file.write("# restore original direction interface marks\n")
        file.write("nft add rule inet interface-marks restore-interface-marks-original mark set ct mark and 0x%x\n" % (self.ALL_MASK))

        file.write("nft add rule inet interface-marks check-src-interface-mark mark and 0x%x == 0 iifname != lo log prefix \\\"WARNING: Unknown src intf: \\\"\n" % (self.SRC_INTERFACE_MASK))
        file.write("nft add rule inet interface-marks check-dst-interface-mark mark and 0x%x == 0 oifname != lo log prefix \\\"WARNING: Unknown dst intf: \\\"\n" % (self.DST_INTERFACE_MASK))

        # We could just have static rules in restore-interface-marks-reply that just apply the original marks but shifted around a bit
        # However This would require something like:
        # mark set mark or ct mark and 0xff << 8
        # However nft won't let you do this:
        # Error: Right hand side of binary operation (|) must be constant
        # So we have to use a ton of rules to do the same thing above

        file.write("\n")
        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("InterfaceManager: Wrote %s" % filename)
        return

# Module-level side effect: instantiate InterfaceManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(InterfaceManager())
        The miniupnp packaging calls these scripts in the postinst
        We must overwrite them so they don't fail with an error
        """
        filename = prefix + self.iptables_init_filename
        file_dir = os.path.dirname(filename)
        if not os.path.exists(file_dir):
            os.makedirs(file_dir)
        file = open(filename, "w+")
        file.write("#!/bin/sh\n")
        file.write("exit 0\n")
        file.flush()
        file.close()
        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("UpnpManager: Wrote %s" % filename)

        filename = prefix + self.ip6tables_init_filename
        file_dir = os.path.dirname(filename)
        if not os.path.exists(file_dir):
            os.makedirs(file_dir)
        file = open(filename, "w+")
        file.write("#!/bin/sh\n")
        file.write("exit 0\n")
        file.flush()
        file.close()
        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("UpnpManager: Wrote %s" % filename)
        return


# Module-level side effect: instantiate UpnpManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(UpnpManager())
                else:
                    file.write("\toption mode 'sta'\n")
                file.write("\toption ssid '%s'\n" % intf.get('wirelessSsid'))
                if intf.get('wirelessEncryption') == 'NONE':
                    file.write("\toption encryption 'none'\n")
                elif intf.get('wirelessEncryption') == 'WPA1':
                    file.write("\toption encryption 'psk'\n")
                    file.write("\toption key '%s'\n" % intf.get('wirelessPassword'))
                elif intf.get('wirelessEncryption') == 'WPA12':
                    file.write("\toption encryption 'psk-mixed+tkip+ccmp'\n")
                    file.write("\toption key '%s'\n" % intf.get('wirelessPassword'))
                else:
                    file.write("\toption encryption 'psk2'\n")
                    file.write("\toption key '%s'\n" % intf.get('wirelessPassword'))
                self.write_macaddr(file, intf.get('macaddr'))
                file.write("\n")
                devidx += 1

        file.flush()
        file.close()

        print("%s: Wrote %s" % (self.__class__.__name__, filename))

def enabled_wifi(intf):
    """Return True when intf has type 'WIFI' and a configType other than 'DISABLED'."""
    is_wifi = intf.get('type') == 'WIFI'
    is_enabled = intf.get('configType') != 'DISABLED'
    return is_wifi and is_enabled

# Module-level side effect: instantiate WirelessManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(WirelessManager())
PPPOE_UPLINK_INDEX=`echo ${CONNECTION_FILE} | sed -e 's/connection\.intf//'`
/bin/echo -e "[DEBUG: `date`] Interface index: ${PPPOE_UPLINK_INDEX}"

if [ -z "${PPPOE_UPLINK_INDEX}" ]; then
    /bin/echo -e "[DEBUG: `date`] Unknown interface index! Quitting..."
    return
fi

make_resolv_conf

/usr/share/untangle-sync-settings/bin/add-uplink.sh ${PPP_IFACE} ${PPP_REMOTE} "uplink.${PPPOE_UPLINK_INDEX}" -4 
/usr/share/untangle-sync-settings/bin/add-source-route.sh ${PPP_LOCAL} "uplink.${PPPOE_UPLINK_INDEX}" -4

write_status_file ${PPP_IFACE} ${PPPOE_UPLINK_INDEX}

# XXX - should we run this here?
# run-parts /etc/untangle/post-network-hook.d

true
""")

        file.flush()
        file.close()
        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)

        print("PPPoEManager: Wrote %s" % filename)


# Module-level side effect: instantiate PPPoEManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(PPPoEManager())
    # Instead manually kill all process with ddclient in name
    pgrep ddclient | while read pid ; do kill $pid ; done
fi
""")
        else:
            file.write(r"""
# ddclient process changes its own name, no "pidof ddclient" does not work
DDCLIENT_PID="`pgrep ddclient`"

# Restart ddclient if it isnt found
# Or if ddclient.conf orhas been written since ddclient was started
if [ -z "$DDCLIENT_PID" ] ; then
    systemctl --no-block restart ddclient

# use not older than (instead of newer than) because it compares seconds and we want an equal value to still do a restart
elif [ ! /etc/ddclient.conf -ot /proc/$DDCLIENT_PID ] ; then
    systemctl --no-block restart ddclient
fi
""")

        file.write("\n")
        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("DdclientManager: Wrote %s" % filename)
        return


# Module-level side effect: instantiate DdclientManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(DdclientManager())
        if qos_settings['dnsPriority'] != None and qos_settings['dnsPriority'] != 0:
            file.write("# Dns Priority " + "\n")
            file.write("${IPTABLES} -t mangle -A qos-rules -p udp --dport 53 -g qos-class%i -m comment --comment \"set DNS priority\"" % qos_settings['dnsPriority'] + "\n")
            file.write("${IPTABLES} -t mangle -A qos-rules -p tcp --dport 53 -g qos-class%i -m comment --comment \"set DNS priority\"" % qos_settings['dnsPriority'] + "\n")
            file.write("\n")

        if qos_settings['openvpnPriority'] != None and qos_settings['openvpnPriority'] != 0:
            file.write("# Openvpn Priority " + "\n")
            file.write("${IPTABLES} -t mangle -A qos-rules -p udp --dport 1194 -g qos-class%i -m comment --comment \"set openvpn priority\"" % qos_settings['openvpnPriority'] + "\n")
            file.write("${IPTABLES} -t mangle -A qos-rules -p tcp --dport 1194 -g qos-class%i -m comment --comment \"set openvpn priority\"" % qos_settings['openvpnPriority'] + "\n")
            file.write("\n")

        self.write_qos_custom_rules(qos_settings)

        if qos_settings['defaultPriority'] != None and qos_settings['defaultPriority'] != 0:
            file.write("# Default Priority " + "\n")
            file.write("${IPTABLES} -t mangle -A qos-rules -m mark     --mark 0/0x000F0000 -g qos-class%i -m comment --comment \"set default priority if unset\"" % qos_settings['defaultPriority'] + "\n")
            file.write("${IPTABLES} -t mangle -A qos-rules -m connmark --mark 0/0x000F0000 -g qos-class%i -m comment --comment \"set default priority if unset\"" % qos_settings['defaultPriority'] + "\n")
            file.write("\n")

        file.flush()
        file.close()

        print("QosManager: Wrote %s" % filename)

        return


# Module-level side effect: instantiate QosManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(QosManager())
        self.file.write("# Call nat-reverse-filter chain from FORWARD chain to block traffic to NATd interface from \"outside\" " + "\n")
        self.file.write("${IPTABLES} -t filter -D FORWARD -m conntrack --ctstate NEW -m comment --comment \"block traffic to NATd interfaces\" -j nat-reverse-filter >/dev/null 2>&1" + "\n")
        self.file.write("${IPTABLES} -t filter -A FORWARD -m conntrack --ctstate NEW -m comment --comment \"block traffic to NATd interfaces\" -j nat-reverse-filter" + "\n")
        self.file.write("\n")

        self.file.write("# Call nat-reverse-filter chain from FORWARD chain to block traffic to NATd interface from \"outside\" " + "\n")
        self.file.write("${IPTABLES} -t filter -D nat-reverse-filter -m conntrack --ctstate RELATED -m comment --comment \"Allow RELATED traffic\" -j RETURN >/dev/null 2>&1" + "\n")
        self.file.write("${IPTABLES} -t filter -A nat-reverse-filter -m conntrack --ctstate RELATED -m comment --comment \"Allow RELATED traffic\" -j RETURN" + "\n")
        self.file.write("\n")

        self.file.write("# Call nat-reverse-filter chain from FORWARD chain to block traffic to NATd interface from \"outside\" " + "\n")
        self.file.write("${IPTABLES} -t filter -D nat-reverse-filter -m conntrack --ctstate DNAT -m comment --comment \"Allow port forwarded traffic\" -j RETURN >/dev/null 2>&1" + "\n")
        self.file.write("${IPTABLES} -t filter -A nat-reverse-filter -m conntrack --ctstate DNAT -m comment --comment \"Allow port forwarded traffic\" -j RETURN" + "\n")
        self.file.write("\n")

        self.write_nat_rules(settings)
        self.write_interface_nat_options(settings)
        self.write_implicit_nat_rules(settings)
        self.write_lxc_nat_rules(settings)

        self.file.flush()
        self.file.close()

        print("NatRulesManager: Wrote %s" % self.filename)

        return


# Module-level side effect: instantiate NatRulesManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(NatRulesManager())
        self.file.write(
            "${IPTABLES} -t filter -A nat-reverse-filter -m conntrack --ctstate RELATED -m comment --comment \"Allow RELATED traffic\" -j RETURN"
            + "\n")
        self.file.write("\n")

        self.file.write(
            "# Call nat-reverse-filter chain from FORWARD chain to block traffic to NATd interface from \"outside\" "
            + "\n")
        self.file.write(
            "${IPTABLES} -t filter -D nat-reverse-filter -m conntrack --ctstate DNAT -m comment --comment \"Allow port forwarded traffic\" -j RETURN >/dev/null 2>&1"
            + "\n")
        self.file.write(
            "${IPTABLES} -t filter -A nat-reverse-filter -m conntrack --ctstate DNAT -m comment --comment \"Allow port forwarded traffic\" -j RETURN"
            + "\n")
        self.file.write("\n")

        self.write_nat_rules(settings)
        self.write_interface_nat_options(settings)
        self.write_implicit_nat_rules(settings)
        self.write_lxc_nat_rules(settings)

        self.file.flush()
        self.file.close()

        print("NatRulesManager: Wrote %s" % self.filename)

        return


# Module-level side effect: instantiate NatRulesManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(NatRulesManager())
        for intf in interfaces:
            if not intf.get('enabled'):
                continue
            if intf.get('natEgress'):
                # FIXME - this should be a rule based on mark instead of netfilterDev
                # The mark rules don't exist yet, so just write the NAT rules using netfilterDev for now
                file.write("# NAT Egress traffic to interface %i\n" %
                           intf.get('interfaceId'))
                file.write(
                    "add rule ip nat-sys nat-rules-sys oifname %s masquerade\n"
                    % intf.get('netfilterDev'))
            if intf.get('natIngress'):
                # FIXME - this should be a rule based on mark instead of netfilterDev
                # The mark rules don't exist yet, so just write the NAT rules using netfilterDev for now
                file.write("# NAT Ingress traffic from interface %i\n" %
                           intf.get('interfaceId'))
                file.write(
                    "add rule ip nat-sys nat-rules-sys iifname %s masquerade\n"
                    % intf.get('netfilterDev'))

        file.write("\n")
        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("NatManager: Wrote %s" % filename)
        return


# Module-level side effect: instantiate NatManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(NatManager())
                file.write("flush table inet qos\n")
                file.write("add chain inet qos restore-priority-mark\n")
                file.write("add rule inet qos restore-priority-mark meta mark and 0xff0000 == 0x40000 ct mark set ct mark and 0xff00ffff or 0x40000 ip dscp set cs1 counter\n")
                file.write("add rule inet qos restore-priority-mark meta mark and 0xff0000 == 0x30000 ct mark set ct mark and 0xff00ffff or 0x30000 ip dscp set cs0 counter\n")
                file.write("add rule inet qos restore-priority-mark meta mark and 0xff0000 == 0x20000 ct mark set ct mark and 0xff00ffff or 0x20000 ip dscp set cs2 counter\n")
                file.write("add rule inet qos restore-priority-mark meta mark and 0xff0000 == 0x10000 ct mark set ct mark and 0xff00ffff or 0x10000 ip dscp set cs7 counter\n")
                file.write("add chain inet qos postrouting-qos { type filter hook postrouting priority 50 ; }\n")
                file.write("add rule inet qos postrouting-qos jump restore-priority-mark\n")
        except:
            print("ERROR:")
            traceback.print_exc()
        finally:
            file.write("\n")
            file.flush()
            file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("QosManager: Wrote %s" % filename)

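    def sync_settings(self, settings, prefix, delete_list):
        """Sync the QoS rule files.

        Writes the system QoS rules file first, then schedules every file
        currently under self.qos_file_path for deletion and calls
        write_qos_files (which, per the original comment, writes the
        /etc/config/qos.d/* files).

        Args:
            settings: settings object passed through to the write helpers.
            prefix: path prefix passed through to the write helpers.
            delete_list: list of file paths scheduled for deletion; every
                existing file under self.qos_file_path is appended to it.

        Returns:
            None.
        """
        self.write_qos_rules_sys_file(settings, prefix)
        for dirpath, _, filenames in os.walk(self.qos_file_path + "/"):
            # os.path.join rather than "dirpath + filename": os.walk yields
            # subdirectory paths without a trailing separator, so the old
            # concatenation produced a wrong path below the top level.
            delete_list.extend(os.path.join(dirpath, name) for name in filenames)
        # Write all the /etc/config/qos.d/* files
        self.write_qos_files(settings, prefix, delete_list)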

# Module-level side effect: instantiate QosManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(QosManager())
            file.write(
                "find /proc/sys/net/ipv4/conf -type f -name 'arp_announce' | while read f ; do"
                + "\n")
            file.write("  echo 2 > ${f}" + "\n")
            file.write("done" + "\n")
            file.write("\n")
        else:
            file.write("# set default ARP mode (arp flux)" + "\n")
            file.write(
                "find /proc/sys/net/ipv4/conf -type f -name 'arp_ignore' | while read f ; do"
                + "\n")
            file.write("  echo 0 > ${f}" + "\n")
            file.write("done" + "\n")
            file.write(
                "find /proc/sys/net/ipv4/conf -type f -name 'arp_announce' | while read f ; do"
                + "\n")
            file.write("  echo 0 > ${f}" + "\n")
            file.write("done" + "\n")
            file.write("\n")

        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("SysctlManager: Wrote %s" % filename)

        return


# Module-level side effect: instantiate SysctlManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(SysctlManager())
        file.write(
            "# Delete the main table, we do this because some routes may have been removed\n"
        )
        file.write("# All routes will be recreated later\n")
        file.write("ip route flush table main \n")
        file.write("\n")

        file.write("# Delete the old routing priorities\n")
        file.write(
            "ip rule ls | grep -E '^36[5-6][0-9]{3}:' | awk -F: '{print $1}' | while read i ; do ip rule delete priority $i ; done\n"
        )
        file.write("\n")

        file.write("# Delete source route rules\n")
        file.write(
            """ip -4 rule show | awk -v min_priority=50000 -v max_priority=59999 '{ sub( ":", "" ) ; if (( $1 >= min_priority ) && ( $1 < max_priority ) ) print $1 }' | while read prio ; do ip rule delete priority $prio ; done"""
            + "\n")
        file.write("\n")

        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("RouteManager: Wrote %s" % filename)

        return


# Module-level side effect: instantiate RouteManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(RouteManager())
                    if parsed_uri.host is not None:
                        server = parsed_uri.host
                    line = "{config_option}{server}\n".format(
                        config_option=match.group(1), server=server)
                match = re.search(self.pyconnector_defaults_port, line)
                if match:
                    default_server = match.group(1)
                    port = default_port
                    if parsed_uri.port is not None:
                        port = parsed_uri.port
                    line = "{config_option}{port}\n".format(
                        config_option=match.group(1), port=port)

            if write_line == True:
                self.out_file.write(line)

            # Write the next line unless overidden by an updater.
            write_line = True

        self.out_file.flush()
        self.out_file.close()
        if self.in_file_name.endswith(".last"):
            os.remove(self.in_file_name)
        os.chmod(self.out_file_name,
                 os.stat(self.out_file_name).st_mode | stat.S_IEXEC)
        print("PyconnectorManager: Wrote %s" % self.out_file_name)
        return


# Module-level side effect: instantiate PyconnectorManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(PyconnectorManager())
            os.makedirs(file_dir)

        file = open(filename, "w+")
        file.write("#!/bin/sh")
        file.write("\n\n")

        file.write("## Auto Generated\n")
        file.write("## DO NOT EDIT. Changes will be overwritten.\n")
        file.write("\n\n")

        for intf in interfaces:
            if 'ethAutoneg' in intf and 'ethSpeed' in intf and 'ethDuplex' in intf:
                autoneg = 'on' if intf['ethAutoneg'] else 'off'
                if autoneg is 'off':
                    file.write(
                        "/usr/sbin/ethtool -s {} speed {} duplex {} autoneg {}\n"
                        .format(intf['device'], intf['ethSpeed'],
                                intf['ethDuplex'], autoneg))
                else:
                    file.write("/usr/sbin/ethtool -s {} autoneg {}\n".format(
                        intf['device'], autoneg))

        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("SystemManager: Wrote %s" % filename)


# Module-level side effect: instantiate SystemManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(SystemManager())
            "${IPTABLES} -A input-set-marks -t mangle ! -i utun -m conntrack --ctstate NEW -j MARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local inbound packets\""
            % self.bypass_mark_mask + "\n")
        self.file.write(
            "${IPTABLES} -A input-set-marks -t mangle ! -i utun -m conntrack --ctstate NEW -j CONNMARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local inbound sessions\""
            % self.bypass_mark_mask + "\n")
        self.file.write("\n")

        self.file.write(
            "# Bypass all packets and sessions from the local server" + "\n")
        self.file.write(
            "${IPTABLES} -A output-set-marks -t mangle -j MARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local outbound packets\""
            % self.bypass_mark_mask + "\n")
        self.file.write(
            "${IPTABLES} -A output-set-marks -t mangle -m conntrack --ctstate NEW -j CONNMARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local outbound sessions\""
            % self.bypass_mark_mask + "\n")
        self.file.write("\n")

        self.write_restore_bypass_mark(settings)
        self.write_set_bypass_mark(settings)
        self.write_bypass_rules(settings)

        self.file.flush()
        self.file.close()

        print("BypassRulesManager: Wrote %s" % self.filename)

        return


# Module-level side effect: instantiate BypassRuleManager and hand it to
# registrar.register_manager() when this file is imported.
registrar.register_manager(BypassRuleManager())

class SettingsManager(Manager):
    """Catch-all manager that normalizes settings files.

    It registers itself for the "*" settings-file pattern and, on
    validation, fixes JSON serialization artifacts in the parsed settings
    and runs the cleanup pass on the settings file object.
    """

    def initialize(self):
        """Register this manager for every settings file ("*")."""
        registrar.register_settings_file("*", self)

    def validate_settings(self, settings_file):
        """Normalize `settings_file` in place.

        First repairs serialization oddities in the parsed settings dict,
        then hands the whole file object to `cleanup_settings`.
        """
        parsed = settings_file.settings
        fixup_settings(parsed)
        cleanup_settings(settings_file)

    def sync_settings(self, settings, prefix, delete_list):
        """No-op: this manager has nothing to sync."""
        return None


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(SettingsManager())


def fixup_settings(json_obj):
    """
    Fixes JSON serialization oddities in the JSON object
    """
    if isinstance(json_obj, dict):
        for key in list(json_obj.keys()):
            value = json_obj.get(key)
            if isinstance(value, dict):
                if value.get('list') != None and value.get(
                        'javaClass') != None and "List" in value.get(
                            'javaClass'):
                    # Java serializes list objects as:
                    # "foo": { "javaClass": "java.util.LinkedList", "list": [] },
        file.write("## Auto Generated\n")
        file.write("## DO NOT EDIT. Changes will be overwritten.\n")
        file.write("\n")

        file.write(r"""
DNSMASQ_PID="`pidof dnsmasq`"

# Restart dnsmasq if it isnt found
# Or if dnsmasq.conf or hosts.dnsmasq has been written since dnsmasq was started
if [ -z "$DNSMASQ_PID" ] ; then
    systemctl --no-block restart dnsmasq
# use not older than (instead of newer than) because it compares seconds and we want an equal value to still do a restart
elif [ ! /etc/dnsmasq.conf -ot /proc/$DNSMASQ_PID ] ; then
    systemctl --no-block restart dnsmasq
# use not older than (instead of newer than) because it compares seconds and we want an equal value to still do a restart
elif [ ! /etc/hosts.dnsmasq -ot /proc/$DNSMASQ_PID ] ; then
    systemctl --no-block restart dnsmasq
fi
""")

        file.write("\n")
        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("DnsMasqManager: Wrote %s" % filename)
        return


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(DnsMasqManager())
                                    deviceSettings.get('deviceName'),
                                    "100-full-duplex") + "\n")
                    elif duplexString == "M100_HALF_DUPLEX":
                        file.write("%s %s %s" %
                                   (self.set_link_media_script,
                                    deviceSettings.get('deviceName'),
                                    "100-half-duplex") + "\n")
                    elif duplexString == "M10_FULL_DUPLEX":
                        file.write("%s %s %s" %
                                   (self.set_link_media_script,
                                    deviceSettings.get('deviceName'),
                                    "10-full-duplex") + "\n")
                    elif duplexString == "M10_HALF_DUPLEX":
                        file.write("%s %s %s" %
                                   (self.set_link_media_script,
                                    deviceSettings.get('deviceName'),
                                    "10-half-duplex") + "\n")
                    else:
                        print("ERROR: Unknown duplex: %s" % duplexString)

        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("EthernetManager: Wrote %s" % filename)

        return


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(EthernetManager())
        for rule in new_rules:
            self.out_file.write('    ' + rule + "\n")
        self.out_file.write('fi' + "\n")

        self.out_file.flush()
        self.out_file.close()
        os.chmod(self.out_file_name,
                 os.stat(self.out_file_name).st_mode | stat.S_IEXEC)

        print("WireguardManager: Wrote %s" % self.out_file_name)

    def create_new_rule(self, rule, format_map):
        """
        Render one iptables add/insert rule from the matching template.

        `rule['new'] == 'insert'` selects `self.insert_rule_template` and
        copies `rule['index']` (empty string when absent) into
        `format_map['index']`; any other value uses `self.add_rule_template`.

        Side effects: `format_map` may gain an 'index' key, and the 'index'
        key is always removed from `rule` once the text has been rendered.

        Returns the rendered rule string.
        """
        insert_requested = rule.get('new') == 'insert'
        if insert_requested:
            chosen_template = self.insert_rule_template
            # Position is optional for inserts; fall back to an empty string.
            format_map['index'] = rule.get('index', '')
        else:
            chosen_template = self.add_rule_template

        rendered = chosen_template.format_map(format_map)
        # 'index' is consumed here so it is not reused by a later rule.
        rule.pop('index', None)
        return rendered


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(WireguardManager())
        else:
            for daemon in ['zebra', 'bgpd', 'ospfd']:
                if daemon_enableds[daemon] is False:
                    file.write(r"""
systemctl --no-block stop {0}
""".format(daemon))
                else:
                    file.write(r"""
{0}_PID="`pidof {1}`"

# Restart quagga if it isnt found
# Or if zebra.conf or has been written since quagga was started
if [ -z "${0}_PID" ] ; then
    systemctl --no-block restart {1}
# use not older than (instead of newer than) because it compares seconds and we want an equal value to still do a restart
elif [ ! {2} -ot /proc/${0}_PID ] ; then
    systemctl --no-block restart {1}
fi
""".format(daemon.upper(), daemon, self.daemons_conf_filename))

        file.write("\n")
        file.flush()
        file.close()

        os.system("chmod a+x %s" % filename)
        print("DynamicRoutingManager: Wrote %s" % filename)
        return


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(DynamicRoutingManager())
                match = re.search(self.bdadmserver_conf_update_url_antivirus,
                                  line)
                if match:
                    config_option = match.group(1)
                    path = "/" + match.group(3)
                    for uri in settings_file.settings['uriTranslations']:
                        if uri['uri'] == self.update_uri:
                            new_uri = copy.deepcopy(uri)
                            uri['path'] = path
                            new_uri = UriUtil.build_uri(self.update_uri, uri)
                            line = "{config_option}{new_uri}\n".format(
                                config_option=config_option, new_uri=new_uri)

            if write_line == True:
                self.out_file.write(line)

            # Write the next line unless overidden by an updater.
            write_line = True

        self.out_file.flush()
        self.out_file.close()
        if self.in_file_name.endswith(".last"):
            os.remove(self.in_file_name)
        os.chmod(self.out_file_name,
                 os.stat(self.out_file_name).st_mode | stat.S_IEXEC)
        print("BdamserverManager: Wrote %s" % self.out_file_name)
        return


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(BdamserverManager())
        if hostname != None:
            file.write("send host-name \"%s\";" % hostname + "\n")

        file.flush()
        file.close()
        print("DhcpManager: Wrote %s" % filename)

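    def write_dhcp_ddclient_file(self, settings, prefix=""):
        """
        Write a stub ddclient DHCP exit hook at `prefix + self.ddclient_hook_filename`.

        The generated file holds only a shebang and comments: it replaces the
        hook shipped with ddclient, which (per the comments written into the
        file) has a syntax error that breaks DHCP because the hooks are sourced.

        Args:
            settings: unused; kept for the common manager write signature.
            prefix:   optional root prepended to the target path (e.g. a
                      staging directory).
        """
        filename = prefix + self.ddclient_hook_filename
        file_dir = os.path.dirname(filename)
        # exist_ok avoids the check-then-create race of exists()+makedirs().
        if file_dir:
            os.makedirs(file_dir, exist_ok=True)

        # The context manager closes the handle even if a write fails.
        with open(filename, "w") as hook:
            # The shebang needs its own line; the original fused it with the
            # "## Auto Generated" comment because the newline was missing.
            hook.write("#!/bin/sh\n")
            hook.write("\n")
            hook.write("## Auto Generated\n")
            hook.write("## DO NOT EDIT. Changes will be overwritten.\n")
            hook.write("\n\n")
            hook.write("# The dhcp exit hook packaged with ddclient has syntax error" + "\n")
            hook.write("# Since the DHCP hooks are sources, syntax erros break DHCP" + "\n")
            hook.write("# This blank script is written to replace it" + "\n")

        print("DhcpManager: Wrote %s" % filename)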


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(DhcpManager())
            os.makedirs(file_dir)

        file = open(filename, "w+")
        file.write("#!/bin/sh")
        file.write("\n\n")

        file.write("## Auto Generated\n")
        file.write("## DO NOT EDIT. Changes will be overwritten.\n")
        file.write("\n\n")

        file.write('TMPFILE="/tmp/shadow"\n')
        file.write('/bin/sed -e \'s|^\\(root:\\)[^:]*:[^:]*\\(:.*\\)$|\\1')
        file.write(phash.replace("$", r"\$"))
        file.write(':\\2|\' /etc/shadow > $TMPFILE\n')
        file.write('\n')

        file.write('if ! diff /etc/shadow $TMPFILE >/dev/null 2>&1 ; then cp $TMPFILE /etc/shadow ; fi\n')
        file.write('\n')

        file.write('rm -f $TMPFILE')
        file.write('\n')

        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("AccountsManager: Wrote %s" % filename)
        return

# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(AccountsManager())
        file.close()
        return uid

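    def write_bctid_file(self, settings, prefix,
                         stock_path="/usr/share/untangle-bctid/bcti.cfg"):
        """
        Write the bctid config at `prefix + self.bctid_filename`.

        Copies the stock `bcti.cfg` and substitutes this device's UID
        (from `self.get_uid()`) for the `UID=XXX` placeholder.

        Args:
            settings:   unused; kept for the common manager write signature.
            prefix:     root prepended to the target path.
            stock_path: location of the template config. Defaults to the
                        packaged file; parameterized so callers (and tests)
                        can supply the template from elsewhere.
        """
        filename = prefix + self.bctid_filename
        file_dir = os.path.dirname(filename)
        # exist_ok avoids the check-then-create race of exists()+makedirs().
        if file_dir:
            os.makedirs(file_dir, exist_ok=True)

        # grab the 'stock' bcti.cfg; the context manager closes it on error too
        with open(stock_path, "r") as stock:
            contents = stock.read()

        # Add this device UID
        contents = contents.replace('UID=XXX', 'UID=' + self.get_uid())

        # write it to /etc/config
        with open(filename, "w") as out:
            out.write(contents)

        # NOTE(review): this sets the execute bit on a config file, mirroring the
        # script-writing managers; kept as-is for compatibility — confirm whether
        # bctid actually needs it.
        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("ThreatPreventionManager: Wrote %s" % filename)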


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(ThreatPreventionManager())
            # And should not be loaded - unload it!
            file.write("\techo Unloading nf_conntrack_sip kernel module..." +
                       "\n")
            file.write("\tmodprobe -r nf_conntrack_sip" + "\n")

        file.write("else" + "\n")
        # Its not loaded

        if settings.get('enableSipNatHelper'):
            # And should be loaded - load it!
            file.write("\techo Loading nf_conntrack_sip kernel module..." +
                       "\n")
            file.write("\tmodprobe nf_conntrack_sip" + "\n")
        else:
            # And should not be loaded - do nothing!
            file.write("\ttrue" + "\n")

        file.write("fi" + "\n")

        file.write("fi" + "\n")
        file.write("\n")

        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("KernelManager: Wrote %s" % filename)


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(KernelManager())
    def validate_settings(self, settings):
        """Accept `settings` unchanged; no validation rules are defined here."""
        return None

    def create_settings(self, settings, prefix, delete_list, filename):
        """Seed `settings` with the default 'reports' and 'dashboard' sections.

        `prefix`, `delete_list` and `filename` are accepted for the common
        manager signature but not used here.
        """
        print("%s: Initializing settings" % self.__class__.__name__)
        defaults = {
            'reports': default_reports_settings(),
            'dashboard': default_dashboard_settings(),
        }
        settings.update(defaults)

    def sync_settings(self, settings, prefix, delete_list):
        """No-op: this manager writes nothing during sync."""
        return None


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(ReportsManager())


def default_reports_settings():
    """Return a fresh default reports section: an empty 'entries' list."""
    entries = []
    return dict(entries=entries)


def default_dashboard_settings():
    """default dashboard settings"""

    # {
    #            "name": "Map Distribution",
    #            "isReport": False,
    #            "interval": 30
    # }
            file.write("[ -z \"$INTERFACE\" ] && {\n")
            file.write("\tupdate_default_route\n")
            file.write("}\n\n")

        file.flush()
        file.close()
        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)

        print("%s: Wrote %s" % (self.__class__.__name__, filename))

def get_number_of_wans(settings):
    """Return how many entries of settings['network']['interfaces'] are enabled WANs."""
    interfaces = settings.get('network').get('interfaces')
    return sum(1 for intf in interfaces if enabled_wan(intf))

def enabled_wan(intf):
    """Return True if `intf` is a WAN interface whose configType is not 'DISABLED'.

    A missing interface (None) counts as not enabled.
    """
    if intf is None:
        return False
    not_disabled = intf.get('configType') != 'DISABLED'
    return not_disabled and bool(intf.get('wan'))

# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(RouteManager())
        self.write_access_rules(settings)
        self.write_filter_rules(settings)

        self.file.write("\n")
        self.file.write("${IPTABLES} -t filter -D FORWARD -m conntrack --ctstate NEW -j DROP -m comment --comment \"drop sessions during restart\" >/dev/null 2>&1\n")
        self.file.write("${IPTABLES} -t filter -D INPUT   -m conntrack --ctstate NEW -j DROP -m comment --comment \"drop sessions during restart\" >/dev/null 2>&1\n")
        self.file.write("\n")

        # self.file.write("# Flush IPv6 Rules" + "\n");
        #self.file.write("${IP6TABLES} -t filter -F FORWARD -m comment --comment \"Flush IPv6 rules\" >/dev/null 2>&1" + "\n");
        # if settings.get('blockIpv6Forwarding'):
        #    self.file.write("# Block IPv6 Fowarding" + "\n");
        #    self.file.write("${IP6TABLES} -t filter -A FORWARD -j DROP -m comment --comment \"Do not allow IPv6 forwarding\" >/dev/null 2>&1" + "\n");
        #    self.file.write("\n");

        # self.file.write("# Block IPv6 Input" + "\n");
        #self.file.write("${IP6TABLES} -t filter -F INPUT -m comment --comment \"Flush IPv6 filter rules\" >/dev/null 2>&1" + "\n");
        #self.file.write("${IP6TABLES} -t filter -A INPUT -p icmpv6 -j RETURN -m comment --comment \"Allow IPv6 icmp RA, solicitions, ping etc\" >/dev/null 2>&1" + "\n");
        #self.file.write("${IP6TABLES} -t filter -A INPUT -j DROP -m comment --comment \"Do not allow IPv6 input\" >/dev/null 2>&1" + "\n");
        # self.file.write("\n");

        self.file.flush()
        self.file.close()

        print("FilterRulesManager: Wrote %s" % self.filename)

        return


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(FilterRulesManager())
        file.write("## Auto Generated\n")
        file.write("## DO NOT EDIT. Changes will be overwritten.\n")
        file.write("\n")

        file.write(r"""
RADVD_PID="`pidof radvd`"

# Start radvd if it isnt found and is needed (config file is non-zero)
# Restart radvd if it is found and but is outdated and is needed (config file is non-zero)
# Stop if radvd is found, but no longer needed (config file is zero size)
# The reason we don't just stop and then start if needed if to avoid doing anything if nothing is required.
if [ -z "$RADVD_PID" ] && [ -s /etc/radvd.conf ] ; then
    systemctl --no-block start radvd
elif [ /etc/radvd.conf -nt /proc/$RADVD_PID ] && [ -s /etc/radvd.conf ] ; then
    systemctl --no-block restart radvd
elif [ ! -z "$RADVD_PID" ] && [ ! -s /etc/radvd.conf ] ; then
    systemctl --no-block stop radvd
fi
""")

        file.write("\n")
        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("RadvdManager: Wrote %s" % filename)
        return


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(RadvdManager())
                self.wpasupplicantConfFile.write("}\n")

                self.wpasupplicantConfFile.flush()
                self.wpasupplicantConfFile.close()

                print("WirelessManager: Wrote " + filename)

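    def write_crda_file(self, settings, prefix=""):
        """
        Write the CRDA defaults file at `prefix + self.crda_default_filename`.

        The regulatory domain is currently hard-coded to US (see FIXME).

        Args:
            settings: unused until the regulatory domain is read from settings.
            prefix:   optional root prepended to the target path.
        """
        crdaFilename = prefix + self.crda_default_filename
        file_dir = os.path.dirname(crdaFilename)
        # exist_ok avoids the check-then-create race of exists()+makedirs().
        if file_dir:
            os.makedirs(file_dir, exist_ok=True)

        # FIXME need to get regulatory domain from the UI
        # The handle is still stored on self as before; the context manager
        # closes it even if a write fails.
        with open(crdaFilename, "w") as crda:
            self.crdaDefaultFile = crda
            crda.write("## Auto Generated\n")
            crda.write("## DO NOT EDIT. Changes will be overwritten.\n")
            crda.write("REGDOMAIN=US\n")

        print("WirelessManager: Wrote " + crdaFilename)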


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(WirelessManager())
            if settings_file.id == "uris":
                match = re.search(self.geoip_update_untangle_source, line)
                if match:
                    config_option = match.group(1)
                    current_uri = match.group(2)
                    for uri in settings_file.settings['uriTranslations']:
                        if uri['uri'] == self.update_uri:
                            new_uri = copy.deepcopy(uri)
                            # Use current URI to preserve existing auth
                            new_uri = UriUtil.build_uri(current_uri, uri)
                            line = "{config_option}{new_uri}\n".format(
                                config_option=config_option, new_uri=new_uri)

            if write_line == True:
                self.out_file.write(line)

            # Write the next line unless overidden by an updater.
            write_line = True

        self.out_file.flush()
        self.out_file.close()
        if self.in_file_name.endswith(".last"):
            os.remove(self.in_file_name)
        os.chmod(self.out_file_name,
                 os.stat(self.out_file_name).st_mode | stat.S_IEXEC)
        print("GeoipManager: Wrote %s" % self.out_file_name)
        return


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(GeoIpManager())
        else:
            for daemon in ['zebra', 'bgpd', 'ospfd']:
                if daemon_enableds[daemon] is False:
                    file.write(r"""
systemctl --no-block stop {0}
""".format(daemon))
                else:
                    file.write(r"""
{0}_PID="`pidof {1}`"

# Restart quagga if it isnt found
# Or if zebra.conf or has been written since quagga was started
if [ -z "${0}_PID" ] ; then
    systemctl --no-block restart {1}
# use not older than (instead of newer than) because it compares seconds and we want an equal value to still do a restart
elif [ ! {2} -ot /proc/${0}_PID ] ; then
    systemctl --no-block restart {1}
fi
""".format(daemon.upper(), daemon, self.daemons_conf_filename))

        file.write("\n")
        file.flush()
        file.close()

        os.system("chmod a+x %s" % filename)
        print("DynamicRoutingManager: Wrote %s" % filename)
        return


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(DynamicRoutingManager())
nft add chain ip nat-sys filter-rules-nat "{ type filter hook forward priority -5 ; }"


""")

        interfaces = settings.get('network').get('interfaces')
        for intf in interfaces:
            if intf.get('configType') == 'DISABLED':
                continue
            if intf.get('natEgress'):
                # FIXME - this should be a rule based on mark instead of netfilterDev
                # The mark rules don't exist yet, so just write the NAT rules using netfilterDev for now
                file.write("# NAT Egress traffic to interface %i\n" % intf.get('interfaceId'))
                file.write("nft add rule ip nat-sys nat-rules-sys oifname %s masquerade\n" % intf.get('netfilterDev'))
            if intf.get('natIngress'):
                # FIXME - this should be a rule based on mark instead of netfilterDev
                # The mark rules don't exist yet, so just write the NAT rules using netfilterDev for now
                file.write("# NAT Ingress traffic from interface %i\n" % intf.get('interfaceId'))
                file.write("nft add rule ip nat-sys nat-rules-sys iifname %s masquerade\n" % intf.get('netfilterDev'))

        file.write("\n")
        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("NatManager: Wrote %s" % filename)
        return

# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(NatManager())
        file_dir = os.path.dirname(filename)
        if not os.path.exists(file_dir):
            os.makedirs(file_dir)

        file = open(filename, "w+")
        file.write("#!/bin/sh")
        file.write("\n\n")

        file.write("## Auto Generated\n")
        file.write("## DO NOT EDIT. Changes will be overwritten.\n")
        file.write("\n\n")

        file.write('TMPFILE="/tmp/system"\n')
        file.write(r'''/bin/sed -e "s/option timezone .*/option timezone '%s'/" /etc/config/system > $TMPFILE''' % time_zone)
        file.write('\n\n')

        file.write('if ! diff /etc/config/system $TMPFILE >/dev/null 2>&1 ; then cp $TMPFILE /etc/config/system ; fi\n')
        file.write('\n')

        file.write('rm -f $TMPFILE')
        file.write('\n')

        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("SystemManager: Wrote %s" % filename)
        return

# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(SystemManager())
        file.close()

        print("%s: Wrote %s" % (self.__class__.__name__, filename))


def write_relay_options(file, isWan):
    """Write the dhcpv6/ra/ndp 'relay' options to `file`.

    WAN interfaces (`isWan` truthy) additionally get `option master '1'`.
    """
    option_lines = [
        "\toption dhcpv6 'relay'\n",
        "\toption ra 'relay'\n",
        "\toption ndp 'relay'\n",
    ]
    if isWan:
        option_lines.append("\toption master '1'\n")
    for line in option_lines:
        file.write(line)


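def calc_dhcp_range_start(ip, prefix, start):
    """
    Calculate the DHCP range start as an offset from the subnet's network address.

    Args:
        ip:     an IPv4 address on the subnet (dotted string).
        prefix: the subnet prefix — a length such as 24 (int or str) or a
                dotted netmask; both forms are accepted by `ipaddress.IPv4Interface`.
        start:  dotted IPv4 address of the first lease.

    Returns:
        `int(start) - int(network_address)`, the host offset of `start` within
        the subnet. Not range-checked: a `start` outside the subnet yields a
        negative or oversized offset, as before.

    Raises:
        ValueError (ipaddress.AddressValueError / NetmaskValueError) on
        malformed input.
    """
    # IPv4Interface masks ip with the prefix, which is the (ip & netmask) the
    # original computed by hand via the project's prefix-to-netmask helper;
    # using the stdlib drops that dependency.
    network_int = int(ipaddress.IPv4Interface("%s/%s" % (ip, prefix))
                      .network.network_address)
    start_int = int(ipaddress.IPv4Address(start))
    return start_int - network_int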


def calc_dhcp_range_limit(start, end):
    """Return the number of addresses in the inclusive IPv4 range start..end."""
    first, last = (int(ipaddress.IPv4Address(addr)) for addr in (start, end))
    return last - first + 1


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(DhcpManager())
            if intf.get('v4ConfigType') == 'STATIC':
                if 'v4StaticGateway' in intf and 'v4StaticAddress' in intf:
                    file.write("# Static IP of interface %i\n" %
                               intf.get('interfaceId'))
                    file.write(
                        "arping -U -c 1 -I %s -s %s %s >/dev/null &\n" %
                        (intf.get('systemDev'), intf.get('v4StaticAddress'),
                         intf.get('v4StaticGateway')))
                    if intf.get('v4Aliases') != None:
                        for alias in intf.get('v4Aliases'):
                            file.write("# Alias IPs of interface %i\n" %
                                       intf.get('interfaceId'))
                            file.write(
                                "arping -U -c 1 -I %s -s %s %s >/dev/null &\n"
                                % (intf.get('systemDev'),
                                   alias.get('staticAddress'),
                                   intf.get('v4StaticGateway')))

        file.write("\n\n")

        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("ArpManager: Wrote %s" % filename)

        return


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(ArpManager())
        The miniupnp packaging calls these scripts in the postinst
        We must overwrite them so they don't fail with an error
        """
        filename = prefix + self.iptables_init_filename
        file_dir = os.path.dirname(filename)
        if not os.path.exists(file_dir):
            os.makedirs(file_dir)
        file = open(filename, "w+")
        file.write("#!/bin/sh\n")
        file.write("exit 0\n")
        file.flush()
        file.close()
        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("UpnpManager: Wrote %s" % filename)

        filename = prefix + self.ip6tables_init_filename
        file_dir = os.path.dirname(filename)
        if not os.path.exists(file_dir):
            os.makedirs(file_dir)
        file = open(filename, "w+")
        file.write("#!/bin/sh\n")
        file.write("exit 0\n")
        file.flush()
        file.close()
        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("UpnpManager: Wrote %s" % filename)
        return


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(UpnpManager())
        # file.write("\n");

        # file.write("\t${IPTABLES} -t raw -A helpers -p tcp --dport 6667 -j CT --helper irc" + "\n");
        # file.write("\n");

        # # XXX - in testing it seems this PPTP helper does not work
        # # The GRE session does not get redirected
        # # the nf_nat_pptp and associated GRE plugin do work correctly, but is deprecated in newer kernels
        # file.write("\t${IPTABLES} -t raw -A helpers -p tcp --dport 1723 -j CT --helper pptp" + "\n");
        # file.write("\n");

        # file.write("\t${IPTABLES} -t raw -A helpers -p udp --dport 69 -j CT --helper tftp" + "\n");
        # file.write("\n");

        # file.write("\t${IPTABLES} -t raw -A helpers -p udp --dport 137 -j CT --helper netbios-ns" + "\n");
        # file.write("\n");

        # file.write("\t${IPTABLES} -t raw -A helpers -p udp --dport 161 -j CT --helper snmp" + "\n");
        # file.write("\n");

        # file.write("fi" + "\n");
        # file.write("\n");

        file.flush()
        file.close()

        print("IptablesManager: Wrote %s" % filename)


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(IptablesManager())
# Stop softflowd if running
if [ ! -z "$SOFTFLOWD_PID" ] ; then
    systemctl --no-block stop softflowd
fi
""")
        else:
            file.write(r"""
SOFTFLOWD_PID="`pidof softflowd`"

# Restart softflowd if it isnt found
# Or if /etc/default/softflowd has been written since softflowd was started
if [ ! -z "$SOFTFLOWD_PID" ] ; then
    systemctl --no-block restart softflowd
# use not older than (instead of newer than) because it compares seconds and we want an equal value to still do a restart
elif [ ! /etc/default/softflowd -ot /proc/$SOFTFLOWD_PID ] ; then
    systemctl --no-block restart softflowd
fi
""")

        file.write("\n")
        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("NetflowManager: Wrote %s" % filename)
        return


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(NetflowManager())
        # Add all /etc/config/nftables-rules.d/2.* files to the delete_list
        # Remove all the files that we write later
        # This ensures that all the existing /etc/config/nftables-rules.d/2* that we don't
        # write get removed
        for (dirpath, _,
             filenames) in os.walk("/etc/config/nftables-rules.d/"):
            for filename in filenames:
                if filename.startswith("2"):
                    full_name = dirpath + filename
                    delete_list.append(full_name)
        # Write all the /etc/config/nftables-rules.d/2.* files
        self.write_files(settings, prefix, delete_list)


# Module-level registration: runs as a side effect when this module is imported.
registrar.register_manager(TableManager())


def write_file(filename, table_settings, prefix):
    """write_file writes the specified file"""
    file_dir = os.path.dirname(filename)
    if not os.path.exists(file_dir):
        os.makedirs(file_dir)

    file = open(filename, "w+")
    file.write("#!/bin/sh")
    file.write("\n\n")

    file.write("## Auto Generated\n")
    file.write("## DO NOT EDIT. Changes will be overwritten.\n")
    file.write("\n\n")
            % (self.DST_INTERFACE_MASK))

        # We could just have static rules in restore-interface-marks-reply that just apply the original marks but shifted around a bit
        # However This would require something like:
        # mark set mark or ct mark and 0xff << 8
        # However nft won't let you do this:
        # Error: Right hand side of binary operation (|) must be constant
        # So we have to use a ton of rules to do the same thing above

        file.write("\n")
        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("InterfaceManager: Wrote %s" % filename)
        return

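    def sanitize_settings(self, settings_file):
        """Upgrade older settings in place so they match the current schema.

        Version 2 -> 3: every interface whose ``type`` is ``"NIC"`` gains
        explicit link settings.  ``ethSpeed``, ``ethDuplex`` and
        ``ethAutoneg`` are assigned 1000, ``"full"`` and ``True``; any value
        already present under those keys is overwritten.

        Args:
            settings_file: object exposing a ``settings`` dict that carries a
                numeric ``version`` and, optionally, a ``network`` dict with an
                ``interfaces`` list of interface dicts.

        Only the interface dicts are modified; ``version`` itself is not
        bumped here.
        """
        if settings_file.settings['version'] >= 3:
            return

        # Settings files written without a network section, or with an empty
        # or null interface list, have nothing to upgrade -- do not crash on
        # a missing key or a None value.
        network = settings_file.settings.get('network') or {}
        interfaces = network.get('interfaces') or []
        for intf in interfaces:
            # Only interfaces typed "NIC" are upgraded; other types (and
            # entries with no type) are left untouched.
            if intf.get("type") != "NIC":
                continue
            intf['ethSpeed'] = 1000
            intf['ethDuplex'] = "full"
            intf['ethAutoneg'] = True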


# Instantiate InterfaceManager once at import time and hand it to the registrar.
registrar.register_manager(InterfaceManager())
                    if sub_intf.get(
                            'configType') == 'BRIDGED' and sub_intf.get(
                                'bridgedTo') == intf.get('interfaceId'):
                        self.file.write(
                            "# don't allow port forwarding of http port of primary IP of WAN from bridged interface %i.\n"
                            % sub_intf.get('interfaceId'))
                        self.file.write(
                            "ADDR=\"`ip addr show %s | awk '/^ *inet.*scope global/ { interface = $2 ; sub( \"/.*\", \"\", interface ) ; print interface ; exit }'`\"\n"
                            % intf.get('symbolicDev'))
                        self.file.write("if [ ! -z \"${ADDR}\" ] ; then" +
                                        "\n")
                        self.file.write(
                            "\t${IPTABLES} -t nat -I port-forward-rules -p tcp -m mark --mark 0x%04X/0x%04X --destination ${ADDR} --destination-port %i -j DNAT --to-destination ${ADDR}:80 -m comment --comment \"Reserve port 80 on ${ADDR} for blockpages\""
                            % (sub_intf.get('interfaceId'),
                               self.src_interface_mark_mask, http_port) + "\n")
                        self.file.write(
                            "\t${IPTABLES} -t nat -A port-forward-rules -p tcp -m mark --mark 0x%04X/0x%04X --destination ${ADDR} --destination-port 80 -j REDIRECT --to-ports 0 -m comment --comment \"Drop local HTTP traffic that hasn't been handled earlier in chain\""
                            % (sub_intf.get('interfaceId'),
                               self.src_interface_mark_mask) + "\n")
                        self.file.write("fi" + "\n")
                        self.file.write("\n")

        self.file.write("\n\n")
        self.file.flush()
        self.file.close()

        print("PortForwardManager: Wrote %s" % self.filename)


# Instantiate PortForwardManager once at import time and hand it to the registrar.
registrar.register_manager(PortForwardManager())
                        file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "auto") + "\n")
                    elif duplexString == "M10000_FULL_DUPLEX":
                        file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "10000-full-duplex") + "\n")
                    elif duplexString == "M10000_HALF_DUPLEX":
                        file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "10000-half-duplex") + "\n")
                    elif duplexString == "M1000_FULL_DUPLEX":
                        file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "1000-full-duplex") + "\n")
                    elif duplexString == "M1000_HALF_DUPLEX":
                        file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "1000-half-duplex") + "\n")
                    elif duplexString == "M100_FULL_DUPLEX":
                        file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "100-full-duplex") + "\n")
                    elif duplexString == "M100_HALF_DUPLEX":
                        file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "100-half-duplex") + "\n")
                    elif duplexString == "M10_FULL_DUPLEX":
                        file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "10-full-duplex") + "\n")
                    elif duplexString == "M10_HALF_DUPLEX":
                        file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "10-half-duplex") + "\n")
                    else:
                        print("ERROR: Unknown duplex: %s" % duplexString)

        file.flush()
        file.close()

        os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
        print("EthernetManager: Wrote %s" % filename)

        return


# Instantiate EthernetManager once at import time and hand it to the registrar.
registrar.register_manager(EthernetManager())