def sanitize_settings(self, settings_file): """sanitizes settings""" wan = settings_file.settings['wan'] nftables_util.create_id_seq(wan, wan.get('policies'), 'policyIdSeq', 'policyId') for chain in wan.get('policy_chains'): nftables_util.create_id_seq(chain, chain.get('rules'), 'ruleIdSeq', 'ruleId') nftables_util.clean_rule_actions(chain, chain.get('rules'))
def sanitize_settings(self, settings_file): """sanitizes settings""" settings = settings_file.settings wan = settings['wan'] policies = wan.get('policies') # Check for newly created wan interfaces (which will be flagged with # a 'new' field by the UI) For new wan interfaces create a SPECIFIC_WAN # policy and then remove the new field interfaces = settings.get('network').get('interfaces') for interface in interfaces: if interface.get('new') is not None: policy = {} policy['description'] = "Send all traffic to " + interface.get('name') policy['enabled'] = interface.get('enabled') policy['interfaces'] = [{ "interfaceId": interface.get('interfaceId') }] policy['type'] = "SPECIFIC_WAN" policy['policyId'] = 0 policies.append(policy) del interface['new'] nftables_util.create_id_seq(wan, wan.get('policies'), 'policyIdSeq', 'policyId') for chain in wan.get('policy_chains'): nftables_util.create_id_seq(chain, chain.get('rules'), 'ruleIdSeq', 'ruleId') nftables_util.clean_rule_actions(chain, chain.get('rules')) #Clean up rules and policies that may be referencing a disabled interface, only if Force is passed as true if Variables.get('force') != None and Variables.get('force').lower() == 'true': for pidx, policy in enumerate(policies): interfaces = policy.get('interfaces') for iidx, interface in enumerate(interfaces): curr_intf = network_util.get_interface_by_id(settings, interface.get('interfaceId')); if policy.get("enabled") and interface.get('interfaceId') != 0 and (curr_intf is None or curr_intf.get('enabled') == False): policies[pidx]['enabled'] = False policy_chains = wan.get("policy_chains") for pcidx, policy_chain in enumerate(policy_chains): for ridx, rule in enumerate(policy_chain.get("rules")): action = rule.get("action") if action.get("type") == "WAN_POLICY": policy = action.get("policy") curr_pol = network_util.get_policy_by_id(settings, policy) if rule.get("enabled") and (curr_pol is None or curr_pol.get('enabled') == False): policy_chain.get("rules")[ridx]['enabled'] = False
def sanitize_settings(self, settings_file): """sanitizes settings""" # Walk interfaces looking for new or modified WireGuard interfaces. access_rules = settings_file.get_settings_by_path("firewall/tables/access/chains/name=access-rules/rules") interfaces = settings_file.settings.get('network').get('interfaces') for interface in interfaces: rule = None add_rule = False if interface.get("type") == "WIREGUARD" and interface.get("wireguardType") == "TUNNEL": if interface.get('new') is not None: # Build new rule from template. rule = copy.deepcopy(self.wireguard_access_rule_template) add_rule = True else: # Look for existing rule. find_rule = copy.deepcopy(self.wireguard_access_rule_template) # Only value that can't change is interfaceId in descripton find_rule["description"] = self.wireguard_description_template.format(name=".*", id=interface.get("interfaceId")) rules = settings_file.find_settings_list(access_rules, find_rule) if len(rules) == 0: # Could be coming from roaming rule = copy.deepcopy(self.wireguard_access_rule_template) add_rule = True else: rule = rules[0] if rule is not None: ## Populate rule from interface. rule["description"] = self.wireguard_description_template.format(name=interface.get("name"), id=interface.get("interfaceId")) for condition in rule.get("conditions"): if condition.get("type") == "SOURCE_INTERFACE_ZONE": condition["value"] = interface.get("boundInterfaceId") elif condition.get("type") == "DESTINATION_PORT": condition["value"] = interface.get("wireguardPort") if add_rule is True: access_rules.insert(0, rule) # Look for rules to delete find_delete_rule = copy.deepcopy(self.wireguard_access_rule_template) wg_access_rules = settings_file.find_settings_list(access_rules, find_delete_rule) if len(wg_access_rules) > 0: wg_description_re = re.compile(self.wireguard_description_template_regex.format(name=".*", id="(\d+)")) delete_rules = [] for rule in wg_access_rules: matches = wg_description_re.match(rule.get("description")) if matches is not None and matches.lastindex > 0: interface_found = False interface_id = int(matches.group(1)) for interface in interfaces: if interface.get("interfaceId") == interface_id: interface_found = True if interface.get("type") == "WIREGUARD" and interface.get("wireguardType") == "ROAMING": # Found rule but we're now ROAMING. delete_rules.append(rule) if interface_found == False: # Interface not found. delete_rules.append(rule) for rule in delete_rules: access_rules.remove(rule) # deal with threat prevention settings. tpConfig = settings_file.settings.get('threatprevention') if tpConfig is None: settings_file.settings['threatprevention'] = {} settings_file.settings['threatprevention'] = { "enabled": True, "passList": [], "sensitivity" : 20, "redirect": False, } tpConfig = settings_file.settings.get('threatprevention') # Need to enabled or add default TP rules to access list rule_enabled = tpConfig['redirect'] and tpConfig['enabled'] rule_found = False accessrules = settings_file.settings['firewall']['tables']['access']['chains'][0]['rules'] for accessrule in accessrules: conditions = accessrule['conditions'] if len(conditions): if conditions[0]['type'] == "DESTINATION_PORT" and conditions[0]['value'] == "8485": accessrule["enabled"] = rule_enabled rule_found = True if conditions[0]['type'] == "DESTINATION_PORT" and conditions[0]['value'] == "8486": accessrule["enabled"] = rule_enabled rule_found = True if not rule_found: accessrules[-1:-1] = self.defaultTPrules # Set the rule_id to unique values of every chain # Disable rules that don't match valid dict value expresions for table in ['filter', 'port-forward', 'nat', 'access', 'web-filter', 'captive-portal', 'shaping']: for chain in settings_file.settings['firewall']['tables'][table]['chains']: nftables_util.create_id_seq(chain, chain.get('rules'), 'ruleIdSeq', 'ruleId') nftables_util.clean_rule_actions(chain, chain.get('rules'), table) # Version check, use MFW version for the version bump if settings_file.settings['version'] < 3: nftables_util.fix_MFW_1082_rules(table, chain.get('rules')) nftables_util.fix_port_proto_rules(chain.get('rules')) for rule in chain.get('rules'): if rule.get('conditions'): for condition in rule.get('conditions'): type = condition.get('type') if type in TableManager.dict_int_value_types: matches = TableManager.dict_value_int_re.match(condition.get('value')) if matches is None: rule["enabled"] = False