def _dnat_rules(zone, action, form):
error = None
fields = SimpleNamespace(**form)
if (action == 'remove'):
try:
# NOTE: validation needs to know the zone so it can ensure the position is valid
validate.del_nat_rule(fields)
except ValidationError as ve:
error = ve
else:
with IPTableManager() as iptables:
iptables.delete_nat(fields)
elif (action == 'add'):
try:
validate.add_dnat_rule(fields)
if (fields.protocol in ['tcp', 'udp']):
validate.network_port(fields.dst_port)
validate.network_port(fields.host_port)
validate.ip_address(fields.host_ip)
except ValidationError as ve:
error = ve
else:
with IPTableManager() as iptables:
iptables.add_nat(fields)
configure.add_open_wan_protocol(fields)
else:
return INVALID_FORM, zone
return error, zone
def _snat_rules(zone, action, form):
error = None
print(333333, form)
fields = SimpleNamespace(**form)
# TODO: make this code for snat (currently using dnat code as template)
if (action == 'remove'):
try:
# NOTE: validation needs to know the zone so it can ensure the position is valid
validate.del_nat_rule(fields)
except ValidationError as ve:
error = ve
else:
with IPTableManager() as iptables:
iptables.delete_nat(fields)
elif (action == 'add'):
try:
validate.add_snat_rule(fields)
validate.ip_address(
ip_iter=[fields.orig_src_ip, fields.new_src_ip])
except ValidationError as ve:
error = ve
else:
with IPTableManager() as iptables:
iptables.add_nat(fields)
else:
return INVALID_FORM, zone
return error, zone
def update_page(form):
## Matching wan MAC Address Update and sending to configuration method
if ('wan_mac_update' in form):
mac_address = form.get('ud_wan_mac', None)
if (not mac_address):
return INVALID_FORM
try:
validate.mac_address(mac_address)
except ValidationError as ve:
return ve
else:
configure.set_wan_mac(CFG.ADD, mac_address=mac_address)
## Matching wan MAC Address Restore to Default and sending to configuration method
elif ('wan_mac_restore' in form):
configure.set_wan_mac(CFG.DEL)
if (_IP_DISABLED):
return 'ip address configuration currently disabled for system rework.'
elif ('wan_ip_update' in form):
wan_ip = form.get('ud_wan_ip', None)
cidr = form.get('ud_wan_cidr', None)
default_gateway = form.get('ud_wan_dfg', None)
# missing forms keys. potential client side manipulation
if any(x is None for x in [wan_ip, cidr, default_gateway]):
return INVALID_FORM
if ('static_wan' in form):
# keys present, but fields left empty. (unable to force client side)
if (not wan_ip or not default_gateway):
return 'All fields are required when setting the wan interface to static.'
try:
validate.ip_address(wan_ip)
validate.cidr(cidr)
validate.default_gateway(default_gateway)
except ValidationError as ve:
return ve
else:
wan_settings = {
'ip_address': wan_ip, 'cidr': cidr, 'default_gateway': default_gateway
}
configure.set_wan_interface(wan_settings)
else:
# no arg indicates dynamic ip/dhcp assignment
configure.set_wan_interface()
return INVALID_FORM
def _firewall_rules(zone, action, form):
error = None
# moving form data into a simple namespace. this will allow us to validate and mutate it easier
# that its current state of immutable dict.
print(form)
fields = SimpleNamespace(**form)
if (action == 'remove'):
try:
# NOTE: validation needs to know the zone so it can ensure the position is valid
validate.del_firewall_rule(fields)
except ValidationError as ve:
error = ve
else:
with IPTableManager() as iptables:
iptables.delete_rule(fields)
elif (action =='add'):
if not all([x in form for x in valid_standard_rule_fields]):
return INVALID_FORM, zone
fields.action = 'ACCEPT' if 'accept' in form else 'DROP'
try:
validate.add_firewall_rule(fields)
if (fields.dst_port):
validate.network_port(fields.dst_port)
if (fields.src_ip):
validate.ip_address(fields.src_ip)
validate.cidr(fields.src_netmask)
validate.ip_address(fields.dst_ip)
validate.cidr(fields.dst_netmask)
except ValidationError as ve:
error = ve
else:
if (not fields.src_ip):
fields.src_ip, fields.src_netmask = '0', '0'
with IPTableManager() as iptables:
iptables.add_rule(fields)
elif ('change_interface' not in form):
return INVALID_FORM, zone
return error, zone
def update_page(form):
# Matching logging update form and sending to configuration method.
if ('dnx_ddos_update' in form):
action = CFG.ADD if 'ddos' in form else CFG.DEL
ddos_limits = {}
for protocol in ['tcp', 'udp', 'icmp']:
form_limit = form.get(f'{protocol}_limit', None)
if (form_limit is None):
return INVALID_FORM
if (form_limit == ''): continue
limit = validate.convert_int(form_limit)
if (not limit):
return f'{protocol} limit must be an integer or left empty.'
if (not 10 <= limit <= 200):
return f'{protocol} limit must be in range 20-200.'
ddos_limits[protocol] = form_limit
configure.set_ips_ddos(action)
if (ddos_limits):
configure.set_ips_ddos_limits(ddos_limits)
elif ('dnx_portscan_update' in form):
enabled_settings = form.getlist('ps_settings', None)
try:
validate.portscan_settings(enabled_settings)
except ValidationError as ve:
return ve
else:
configure.set_ips_portscan(enabled_settings)
elif ('general_settings' in form):
ids_mode = True if 'ids_mode' in form else False
passive_block_length = form.get('passive_block_length', None)
if (not passive_block_length):
return INVALID_FORM
try:
pb_length = validate.ips_passive_block_length(passive_block_length)
except ValidationError as ve:
return ve
else:
configure.set_ips_general_settings(pb_length, ids_mode)
elif ('ips_wl_add' in form):
whitelist_ip = form.get('ips_wl_ip', None)
whitelist_name = form.get('ips_wl_name', None)
if (not whitelist_ip or not whitelist_name):
return INVALID_FORM
try:
validate.ip_address(whitelist_ip)
validate.standard(whitelist_name)
except ValidationError as ve:
return ve
else:
configure.update_ips_ip_whitelist(whitelist_ip, whitelist_name, CFG.ADD)
elif ('ips_wl_remove' in form):
whitelist_ip = form.get('ips_wl_ip', None)
if (not whitelist_ip):
return INVALID_FORM
try:
validate.ip_address(whitelist_ip)
except ValidationError as ve:
return ve
else:
configure.update_ips_ip_whitelist(whitelist_ip, None, CFG.DEL)
elif ('ips_wl_dns' in form):
action = CFG.ADD if 'dns_enabled' in form else CFG.DEL
configure.update_ips_dns_whitelist(action)
else:
return INVALID_FORM
def update_page(form):
# Matching DNS Update form and sending to configuration method.
if ('dns_update' in form):
dnsname1 = form.get('dnsname1', None)
dnsname2 = form.get('dnsname2', None)
dnsserver1 = form.get('dnsserver1', None)
dnsserver2 = form.get('dnsserver2', None)
dns_servers = {dnsname1: dnsserver1, dnsname2: dnsserver2}
# explicit identity check on None to prevent from matching empty fields vs missing for keys.
if any(x is None for x in [dnsname1, dnsname2, dnsserver1, dnsserver2]):
return INVALID_FORM
try:
dns_server_info = {}
for i, (server_name, server_ip) in enumerate(dns_servers.items(), 1):
if (server_ip != ''):
validate.standard(server_name)
validate.ip_address(server_ip)
dns_server_info[form.get(f'dnsname{i}')] = form.get(f'dnsserver{i}')
except ValidationError as ve:
return ve
else:
configure.set_dns_servers(dns_server_info)
elif ('dns_record_update' in form):
dns_record_name = form.get('dns_record_name', None)
dns_record_ip = form.get('dns_record_ip', None)
if (not dns_record_name or not dns_record_ip):
return INVALID_FORM
try:
validate.dns_record_add(dns_record_name)
validate.ip_address(dns_record_ip)
except ValidationError as ve:
return ve
else:
configure.update_dns_record(dns_record_name, CFG.ADD, dns_record_ip)
elif ('dns_record_remove' in form):
dns_record_name = form.get('dns_record_remove', None)
if (not dns_record_name):
return INVALID_FORM
try:
validate.dns_record_remove(dns_record_name)
except ValidationError as ve:
return ve
else:
configure.update_dns_record(dns_record_name, CFG.DEL)
elif ('dns_protocol_update' in form):
dns_tls_settings = {
'enabled': form.getlist('dns-protocol-settings')
}
try:
validate.dns_over_tls(dns_tls_settings)
except ValidationError as ve:
return ve
else:
configure.set_dns_over_tls(dns_tls_settings)
elif ('dns_cache_clear' in form):
top_domains = form.get('clear_top_domains', None)
dns_cache = form.get('clear_dns_cache', None)
if (not top_domains and not dns_cache):
return INVALID_FORM
clear_dns_cache = {'top_domains': top_domains, 'standard': dns_cache}
configure.set_dns_cache_clear_flag(clear_dns_cache)
else:
return INVALID_FORM
def update_page(form):
if (_SYSLOG_DISABLED):
return 'Syslog is currently disabled due to rework.'
elif ('servers_update' in form):
syslog_server1 = form.get('syslog_server1', None)
syslog_server2 = form.get('syslog_server2', None)
syslog_port1 = form.get('syslog_port1', None)
syslog_port2 = form.get('syslog_port2', None)
syslog_servers = {
'server1': {
'ip_address': syslog_server1,
'port': syslog_port1
},
'server2': {
'ip_address': syslog_server2,
'port': syslog_port2
}
}
# both servers are not present/ form keys missing
if (any(x is None for x in [syslog_server1, syslog_port1])
or any(x is None for x in [syslog_server2, syslog_port2])):
return INVALID_FORM
try:
for server_info in syslog_servers.values():
if (server_info['ip_address'] or server_info['port']):
validate.ip_address(server_info['ip_address'])
validate.network_port(server_info['port'])
except ValidationError as ve:
return ve
else:
configure.set_syslog_servers(syslog_servers)
elif ('server_remove' in form):
syslog_server_number = form.get('syslog_server_remove')
server_num = validate.convert_int(syslog_server_number)
if (not server_num):
return INVALID_FORM
configure.remove_syslog_server(server_num)
elif ('settings_update' in form):
enabled_tls_settings = form.getlist('syslog_tls')
enabled_syslog_settings = form.getlist('syslog_settings')
fallback_settings = form.getlist('fallback_settings')
tls_retry = form.get('tls_retry_time', None)
tcp_retry = form.get('tcp_retry_time', None)
syslog_settings = {
'tls': enabled_tls_settings,
'syslog': enabled_syslog_settings,
'fallback': fallback_settings,
'tls_retry': tls_retry,
'tcp_retry': tcp_retry
}
if (not tls_retry or not tcp_retry):
return INVALID_FORM
try:
validate.syslog_settings(syslog_settings)
except ValidationError as ve:
return ve
else:
configure.set_syslog_settings(syslog_settings)
return INVALID_FORM
def update_page(form):
if ('fw_remove' in form):
fw_rule = form.get('fw_remove', None)
chain = 'FIREWALL'
if (not fw_rule):
return INVALID_FORM
try:
validate.del_firewall_rule(fw_rule, chain)
except ValidationError as ve:
return ve
else:
with IPTableManager() as iptables:
iptables.delete_rule(fw_rule, chain='FIREWALL')
elif ('fw_add' in form):
pos = form.get('position', None)
dst_ip = form.get('dst_ip', None)
dst_netmask = form.get('dst_netmask', None)
src_ip = form.get('src_ip', None)
src_netmask = form.get('src_netmask', None)
protocol = form.get('protocol', None)
dst_port = form.get('dst_port', False)
if (dst_port == ''):
dst_port = None
if (src_ip == ''):
src_ip = '0'
src_netmask = '0'
if ('accept' in form):
action = 'ACCEPT'
else:
action = 'DROP'
iptable_rule = {
'pos': pos,
'src_ip': src_ip,
'src_netmask': src_netmask,
'dst_ip': dst_ip,
'dst_netmask': dst_netmask,
'dst_port': dst_port,
'protocol': protocol,
'action': action
}
# TODO: make this less compiticated?
if (pos and dst_ip and dst_netmask and src_ip and src_netmask
and protocol and dst_port is not False):
try:
validate.add_firewall_rule(iptable_rule)
if (dst_port != None):
validate.network_port(dst_port)
if (src_ip != '0'):
validate.ip_address(src_ip)
validate.cidr(src_netmask)
validate.cidr(dst_netmask)
validate.ip_address(dst_ip)
with IPTableManager() as iptables:
iptables.add_rule(iptable_rule)
except ValidationError as ve:
return ve
else:
return INVALID_FORM
elif ('nat_remove' in form):
nat_rule = form.get('nat_remove', None)
if (not nat_rule):
return INVALID_FORM
try:
validate.del_firewall_rule(nat_rule, chain='NAT')
except ValidationError as ve:
return ve
else:
configure.del_open_wan_protocol(nat_rule)
with IPTableManager() as iptables:
iptables.delete_nat(nat_rule)
elif ('nat_add' in form):
host_ip = form.get('host_ip', None)
protocol = form.get('protocol', None)
if (protocol in ['tcp', 'udp']):
dst_port = form.get('dst_port')
host_port = form.get('host_port')
elif (protocol in ['icmp']):
dst_port = None
host_port = None
open_protocols = load_configuration('ips.json')
icmp_allow = open_protocols['ips']['open_protocols']['icmp']
if (icmp_allow):
return 'Only one ICMP rule can be active at a time. Remove existing rule before adding another.'
else:
return INVALID_FORM
try:
if (protocol in ['tcp', 'udp']):
validate.network_port(dst_port)
validate.network_port(host_port)
validate.ip_address(host_ip)
except ValidationError as ve:
return ve
else:
with IPTableManager() as iptables:
iptables.add_nat(protocol, dst_port, host_ip, host_port)
configure.add_open_wan_protocol(protocol, dst_port, host_port)
else:
return INVALID_FORM
def update_page(form):
if ('wl_add' in form):
domain = form.get('domain', None)
timer = form.get('rule_length', None)
if (not domain or not timer):
return INVALID_FORM
try:
validate.domain(domain)
validate.timer(timer)
except ValidationError as ve:
return ve
else:
configure.add_proxy_domain(domain, timer, ruleset='whitelist')
elif ('wl_remove' in form):
domain = form.get('wl_remove', None)
if (not domain):
return INVALID_FORM
configure.del_proxy_domain(domain, ruleset='whitelist')
elif ('exc_add' in form):
domain = form.get('domain', None)
reason = form.get('reason', None)
if (not domain or not reason):
return INVALID_FORM
try:
validate.domain(domain)
validate.standard(reason)
except ValidationError as ve:
return ve
else:
configure.set_proxy_exception(domain, CFG.ADD, reason, ruleset='whitelist')
elif ('exc_remove' in form):
domain = form.get('exc_remove', None)
if (not domain):
return INVALID_FORM
configure.set_proxy_exception(domain, CFG.DEL, ruleset='whitelist')
elif ('ip_wl_add' in form):
whitelist_ip = form.get('ip_wl_ip', None)
whitelist_user = form.get('ip_wl_user', None)
whitelist_type = form.get('ip_wl_type', None)
whitelist_settings = {'user': whitelist_user, 'type': whitelist_type}
if not all([whitelist_ip, whitelist_type, whitelist_user]):
return INVALID_FORM
try:
validate.ip_address(whitelist_ip)
validate.add_ip_whitelist(whitelist_ip, whitelist_settings)
except ValidationError as ve:
return ve
else:
configure.add_proxy_ip_whitelist(whitelist_ip, whitelist_settings)
elif ('ip_wl_remove' in form):
whitelist_ip = form.get('ip_wl_ip', None)
whitelist_type = form.get('ip_wl_type', None)
if (not whitelist_ip or not whitelist_type):
return INVALID_FORM
try:
validate.ip_address(whitelist_ip)
validate.del_ip_whitelist(whitelist_type)
except ValidationError as ve:
return ve
else:
configure.del_proxy_ip_whitelist(whitelist_ip, whitelist_type)
else:
return INVALID_FORM
def update_page(form):
if ('wl_add' in form):
whitelist_settings = {
'domain': form.get('domain', DATA.INVALID),
'timer': validate.get_convert_int(form, 'rule_length')
}
if (DATA.INVALID in whitelist_settings.values()):
return INVALID_FORM
try:
validate.domain(whitelist_settings['domain'])
validate.timer(whitelist_settings['timer'])
except ValidationError as ve:
return ve
else:
configure.add_proxy_domain(whitelist_settings, ruleset='whitelist')
elif ('wl_remove' in form):
domain = form.get('wl_remove', DATA.INVALID)
if (domain is DATA.INVALID):
return INVALID_FORM
configure.del_proxy_domain(domain, ruleset='whitelist')
elif ('exc_add' in form):
exception_settings = {
'domain': form.get('domain', DATA.INVALID),
'reason': form.get('reason', DATA.INVALID),
'action': CFG.ADD
}
if (DATA.INVALID in exception_settings.values()):
return INVALID_FORM
try:
validate.domain(exception_settings['domain'])
validate.standard(exception_settings['reason'])
except ValidationError as ve:
return ve
else:
configure.set_proxy_exception(exception_settings,
ruleset='whitelist')
elif ('exc_remove' in form):
exception_settings = {
'domain': form.get('exc_remove', DATA.INVALID),
'reason': None,
'action': CFG.DEL
}
if (exception_settings['domain'] is DATA.INVALID):
return INVALID_FORM
configure.set_proxy_exception(exception_settings, ruleset='whitelist')
# TODO: this should not restrict ips to only "local_net" now that we have multiple interfaces.
# we should have the user select which interface it will be active on so we can properly validate the
# ip address falls within that subnet.
elif ('ip_wl_add' in form):
whitelist_settings = {
'ip': form.get('ip_wl_ip', DATA.INVALID),
'user': form.get('ip_wl_user', DATA.INVALID),
'type': form.get('ip_wl_type', DATA.INVALID)
}
if (DATA.INVALID in whitelist_settings.values()):
return INVALID_FORM
try:
validate.add_ip_whitelist(whitelist_settings)
except ValidationError as ve:
return ve
else:
configure.add_proxy_ip_whitelist(whitelist_settings)
elif ('ip_wl_remove' in form):
whitelist_ip = form.get('ip_wl_ip', DATA.INVALID)
if (whitelist_ip is DATA.INVALID):
return INVALID_FORM
try:
validate.ip_address(whitelist_ip)
except ValidationError as ve:
return ve
else:
configure.del_proxy_ip_whitelist(whitelist_ip)
else:
return INVALID_FORM
