def sanitize_settings(self, settings_file):
"""sanitizes settings"""
wan = settings_file.settings['wan']
nftables_util.create_id_seq(wan, wan.get('policies'), 'policyIdSeq',
'policyId')
for chain in wan.get('policy_chains'):
nftables_util.create_id_seq(chain, chain.get('rules'), 'ruleIdSeq',
'ruleId')
nftables_util.clean_rule_actions(chain, chain.get('rules'))
def sanitize_settings(self, settings_file):
"""sanitizes settings"""
settings = settings_file.settings
wan = settings['wan']
policies = wan.get('policies')
# Check for newly created wan interfaces (which will be flagged with
# a 'new' field by the UI) For new wan interfaces create a SPECIFIC_WAN
# policy and then remove the new field
interfaces = settings.get('network').get('interfaces')
for interface in interfaces:
if interface.get('new') is not None:
policy = {}
policy['description'] = "Send all traffic to " + interface.get('name')
policy['enabled'] = interface.get('enabled')
policy['interfaces'] = [{ "interfaceId": interface.get('interfaceId') }]
policy['type'] = "SPECIFIC_WAN"
policy['policyId'] = 0
policies.append(policy)
del interface['new']
nftables_util.create_id_seq(wan, wan.get('policies'), 'policyIdSeq', 'policyId')
for chain in wan.get('policy_chains'):
nftables_util.create_id_seq(chain, chain.get('rules'), 'ruleIdSeq', 'ruleId')
nftables_util.clean_rule_actions(chain, chain.get('rules'))
#Clean up rules and policies that may be referencing a disabled interface, only if Force is passed as true
if Variables.get('force') != None and Variables.get('force').lower() == 'true':
for pidx, policy in enumerate(policies):
interfaces = policy.get('interfaces')
for iidx, interface in enumerate(interfaces):
curr_intf = network_util.get_interface_by_id(settings, interface.get('interfaceId'));
if policy.get("enabled") and interface.get('interfaceId') != 0 and (curr_intf is None or curr_intf.get('enabled') == False):
policies[pidx]['enabled'] = False
policy_chains = wan.get("policy_chains")
for pcidx, policy_chain in enumerate(policy_chains):
for ridx, rule in enumerate(policy_chain.get("rules")):
action = rule.get("action")
if action.get("type") == "WAN_POLICY":
policy = action.get("policy")
curr_pol = network_util.get_policy_by_id(settings, policy)
if rule.get("enabled") and (curr_pol is None or curr_pol.get('enabled') == False):
policy_chain.get("rules")[ridx]['enabled'] = False
def sanitize_settings(self, settings_file):
"""sanitizes settings"""
# Walk interfaces looking for new or modified WireGuard interfaces.
access_rules = settings_file.get_settings_by_path("firewall/tables/access/chains/name=access-rules/rules")
interfaces = settings_file.settings.get('network').get('interfaces')
for interface in interfaces:
rule = None
add_rule = False
if interface.get("type") == "WIREGUARD" and interface.get("wireguardType") == "TUNNEL":
if interface.get('new') is not None:
# Build new rule from template.
rule = copy.deepcopy(self.wireguard_access_rule_template)
add_rule = True
else:
# Look for existing rule.
find_rule = copy.deepcopy(self.wireguard_access_rule_template)
# Only value that can't change is interfaceId in descripton
find_rule["description"] = self.wireguard_description_template.format(name=".*", id=interface.get("interfaceId"))
rules = settings_file.find_settings_list(access_rules, find_rule)
if len(rules) == 0:
# Could be coming from roaming
rule = copy.deepcopy(self.wireguard_access_rule_template)
add_rule = True
else:
rule = rules[0]
if rule is not None:
## Populate rule from interface.
rule["description"] = self.wireguard_description_template.format(name=interface.get("name"), id=interface.get("interfaceId"))
for condition in rule.get("conditions"):
if condition.get("type") == "SOURCE_INTERFACE_ZONE":
condition["value"] = interface.get("boundInterfaceId")
elif condition.get("type") == "DESTINATION_PORT":
condition["value"] = interface.get("wireguardPort")
if add_rule is True:
access_rules.insert(0, rule)
# Look for rules to delete
find_delete_rule = copy.deepcopy(self.wireguard_access_rule_template)
wg_access_rules = settings_file.find_settings_list(access_rules, find_delete_rule)
if len(wg_access_rules) > 0:
wg_description_re = re.compile(self.wireguard_description_template_regex.format(name=".*", id="(\d+)"))
delete_rules = []
for rule in wg_access_rules:
matches = wg_description_re.match(rule.get("description"))
if matches is not None and matches.lastindex > 0:
interface_found = False
interface_id = int(matches.group(1))
for interface in interfaces:
if interface.get("interfaceId") == interface_id:
interface_found = True
if interface.get("type") == "WIREGUARD" and interface.get("wireguardType") == "ROAMING":
# Found rule but we're now ROAMING.
delete_rules.append(rule)
if interface_found == False:
# Interface not found.
delete_rules.append(rule)
for rule in delete_rules:
access_rules.remove(rule)
# deal with threat prevention settings.
tpConfig = settings_file.settings.get('threatprevention')
if tpConfig is None:
settings_file.settings['threatprevention'] = {}
settings_file.settings['threatprevention'] = {
"enabled": True,
"passList": [],
"sensitivity" : 20,
"redirect": False,
}
tpConfig = settings_file.settings.get('threatprevention')
# Need to enabled or add default TP rules to access list
rule_enabled = tpConfig['redirect'] and tpConfig['enabled']
rule_found = False
accessrules = settings_file.settings['firewall']['tables']['access']['chains'][0]['rules']
for accessrule in accessrules:
conditions = accessrule['conditions']
if len(conditions):
if conditions[0]['type'] == "DESTINATION_PORT" and conditions[0]['value'] == "8485":
accessrule["enabled"] = rule_enabled
rule_found = True
if conditions[0]['type'] == "DESTINATION_PORT" and conditions[0]['value'] == "8486":
accessrule["enabled"] = rule_enabled
rule_found = True
if not rule_found:
accessrules[-1:-1] = self.defaultTPrules
# Set the rule_id to unique values of every chain
# Disable rules that don't match valid dict value expresions
for table in ['filter', 'port-forward', 'nat', 'access', 'web-filter', 'captive-portal', 'shaping']:
for chain in settings_file.settings['firewall']['tables'][table]['chains']:
nftables_util.create_id_seq(chain, chain.get('rules'), 'ruleIdSeq', 'ruleId')
nftables_util.clean_rule_actions(chain, chain.get('rules'), table)
# Version check, use MFW version for the version bump
if settings_file.settings['version'] < 3:
nftables_util.fix_MFW_1082_rules(table, chain.get('rules'))
nftables_util.fix_port_proto_rules(chain.get('rules'))
for rule in chain.get('rules'):
if rule.get('conditions'):
for condition in rule.get('conditions'):
type = condition.get('type')
if type in TableManager.dict_int_value_types:
matches = TableManager.dict_value_int_re.match(condition.get('value'))
if matches is None:
rule["enabled"] = False