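def sync_settings(self, settings_file, prefix, delete_list):
    """Sync the system section of the settings to helper files under ``prefix``.

    Writes (via the sibling ``write_*`` helpers) the hostname setter, cron
    file, wizard status, system reloader, NIC setter and timezone setter.
    When running inside docker the watchdog and rp_filter disablers are
    written first, before the settings are even inspected.

    Args:
        settings_file: object exposing a ``settings`` dict (the parsed settings.json).
        prefix: filesystem prefix that every generated file path is built on.
        delete_list: accepted for interface compatibility; not used here.

    Returns:
        None. Nothing beyond the docker disablers happens when there is no
        ``system`` section.
    """
    if board_util.is_docker():
        self.write_watchdog_disabler(prefix)
        self.write_rpfilter_disabler(prefix)

    settings = settings_file.settings
    system = settings.get('system')
    if system is None:
        return

    hostname = system.get('hostName')
    if hostname is not None:
        self.write_hostname_setter(hostname, prefix)

    self.write_cron_file(settings, prefix)
    self.write_wizard_status(settings, prefix)
    self.write_system_reloader(prefix)

    # The original indexed network['interfaces'] directly, which raised
    # TypeError/KeyError on a settings file without a network section or
    # without an interfaces list; skip the NIC setter in that case instead.
    network = settings.get('network')
    interfaces = network.get('interfaces') if network is not None else None
    if interfaces is not None:
        self.write_nic_setter(interfaces, prefix)

    # In old settings.json the timezone was a bare string; newer files use
    # a {"displayName": ..., "value": ...} dict. Any other shape is ignored.
    time_zone = system.get('timeZone')
    if isinstance(time_zone, str):
        self.write_timezone_setter(time_zone, prefix)
    elif isinstance(time_zone, dict):
        time_zone_value = time_zone.get('value')
        if time_zone_value is not None:
            self.write_timezone_setter(time_zone_value, prefix)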
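def write_files(self, settings, prefix, delete_list):
    """Write one rule file per firewall table.

    Each table in ``settings['firewall']['tables']`` (visited in sorted key
    order) is handed to ``write_file`` under the name
    ``<filename_prefix><NN>-<table name>``, where NN counts only the tables
    actually written. Inside docker the ``nat`` and ``port-forward`` tables
    are skipped.

    Args:
        settings: parsed settings dict.
        prefix: filesystem prefix prepended to every generated path.
        delete_list: list of stale file names (without ``prefix``); every
            name written here is removed from it so the caller keeps the file.

    Raises:
        ValueError: when a table lacks a name, family or chains, or when its
            name contains a path separator (it becomes part of a file path).
    """
    firewall = settings.get('firewall')
    tables = firewall.get('tables') if firewall is not None else None
    if tables is None:
        return

    index = 0
    for _, table in sorted(tables.items()):
        name = table.get('name')
        if name is None:
            raise ValueError('Invalid table: Missing name')
        if table.get('family') is None:
            raise ValueError('Invalid table %s: Missing family' % name)
        if table.get('chains') is None:
            raise ValueError('Invalid table %s: Missing chains' % name)
        # The name is spliced into a filesystem path below; refuse names
        # that could point outside the rules directory.
        if '/' in str(name):
            raise ValueError('Invalid table %s: name must not contain "/"' % name)

        # XXX docker runs in the same kernel as the host, and most host
        # kernels do not yet support multiple NAT hooks. docker needs the
        # iptables NAT hooks, so inserting nft nat rules would break them.
        if board_util.is_docker() and name in ("nat", "port-forward"):
            continue

        filename_noprefix = self.filename_prefix + ("%02d-%s" % (index, name))
        filename = prefix + filename_noprefix
        try:
            delete_list.remove(filename_noprefix)
        except ValueError:
            pass  # not on disk before; nothing to preserve
        write_file(filename, table, prefix)
        index += 1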
def create_settings(self, settings_file, prefix, delete_list, filename):
    """Install the default ``system`` section into ``settings_file.settings``.

    Any existing ``system`` section is replaced wholesale. ``prefix``,
    ``delete_list`` and ``filename`` are accepted for interface
    compatibility only.
    """
    print("%s: Initializing settings" % self.__class__.__name__)
    # The setup wizard is considered already completed inside docker.
    wizard_done = True if board_util.is_docker() else False
    settings_file.settings['system'] = {
        'hostName': 'mfw',
        'domainName': 'example.com',
        'timeZone': {"displayName": "UTC", "value": "UTC"},
        'cloud': {
            "enabled": True,
            "supportAccessEnabled": True,
            "cloudServers": ["cmd.untangle.com"],
        },
        'setupWizard': {"completed": wizard_done},
        'autoUpgrade': {
            "dayOfWeek": 6,
            "hourOfDay": 0,
            "minuteOfHour": 0,
            "enabled": True,
        },
    }
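def write_files(self, settings, prefix, delete_list):
    """Write one rule file per firewall table.

    Each table in ``settings['firewall']['tables']`` (visited in sorted key
    order) is handed to ``write_file`` under the name
    ``<filename_prefix><NN>-<table name>``, where NN counts only the tables
    actually written. Inside docker the ``nat`` and ``port-forward`` tables
    are skipped.

    Args:
        settings: parsed settings dict.
        prefix: filesystem prefix prepended to every generated path.
        delete_list: list of stale file names (without ``prefix``); every
            name written here is removed from it so the caller keeps the file.

    Raises:
        ValueError: when a table lacks a name, family or chains, or when its
            name contains a path separator (it becomes part of a file path).
    """
    firewall = settings.get('firewall')
    tables = firewall.get('tables') if firewall is not None else None
    if tables is None:
        return

    index = 0
    for _, table in sorted(tables.items()):
        name = table.get('name')
        if name is None:
            raise ValueError('Invalid table: Missing name')
        if table.get('family') is None:
            raise ValueError('Invalid table %s: Missing family' % name)
        if table.get('chains') is None:
            raise ValueError('Invalid table %s: Missing chains' % name)
        # The name is spliced into a filesystem path below; refuse names
        # that could point outside the rules directory.
        if '/' in str(name):
            raise ValueError('Invalid table %s: name must not contain "/"' % name)

        # XXX docker runs in the same kernel as the host, and most host
        # kernels do not yet support multiple NAT hooks. docker needs the
        # iptables NAT hooks, so inserting nft nat rules would break them.
        if board_util.is_docker() and name in ("nat", "port-forward"):
            continue

        filename_noprefix = self.filename_prefix + ("%02d-%s" % (index, name))
        filename = prefix + filename_noprefix
        try:
            delete_list.remove(filename_noprefix)
        except ValueError:
            pass  # not on disk before; nothing to preserve
        write_file(filename, table, prefix)
        index += 1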
def sync_settings(self, settings, prefix, delete_list):
    """Sync the hostname, cron file and timezone from ``settings``.

    Docker hosts additionally get the watchdog and rp_filter disablers
    written first. ``delete_list`` is accepted for interface compatibility
    and not used.

    Args:
        settings: parsed settings dict; only its ``system`` section is read.
        prefix: filesystem prefix every generated file path is built on.
        delete_list: unused.
    """
    if board_util.is_docker():
        self.write_watchdog_disabler(prefix)
        self.write_rpfilter_disabler(prefix)

    system = settings.get('system')
    if system is None:
        return

    hostname = system.get('hostName')
    if hostname is not None:
        self.write_hostname_setter(hostname, prefix)

    self.write_cron_file(settings, prefix)

    # Old settings.json stored the timezone as a bare string; newer files
    # use a {"displayName", "value"} dict. Any other shape writes nothing.
    time_zone = system.get('timeZone')
    if isinstance(time_zone, str):
        tz_value = time_zone
    elif isinstance(time_zone, dict):
        tz_value = time_zone.get('value')
    else:
        tz_value = None

    if tz_value is not None:
        self.write_timezone_setter(tz_value, prefix)
def create_settings(self, settings, prefix, delete_list, filename):
    """Install the default ``system`` section into ``settings``.

    Any existing ``system`` section is replaced wholesale. ``prefix``,
    ``delete_list`` and ``filename`` are accepted for interface
    compatibility only.
    """
    print("%s: Initializing settings" % self.__class__.__name__)
    # The setup wizard is considered already completed inside docker.
    wizard_done = True if board_util.is_docker() else False
    settings['system'] = {
        'hostName': 'mfw',
        'domainName': 'example.com',
        'timeZone': {"displayName": "UTC", "value": "UTC"},
        'cloud': {
            "enabled": True,
            "supportAccessEnabled": True,
            "cloudServers": ["cmd.untangle.com"],
        },
        'setupWizard': {"completed": wizard_done},
    }
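def write_nat_rules_sys_file(self, settings, prefix):
    """Write the system NAT rules shell script and mark it executable.

    The script goes to ``prefix + self.nat_rules_sys_filename``. Inside
    docker it only appends an iptables MASQUERADE rule; otherwise it
    recreates the ``nat-sys`` nft tables and adds one masquerade rule per
    interface that is not ``DISABLED`` and has ``natEgress`` / ``natIngress``
    set.

    Args:
        settings: parsed settings dict; reads settings['network']['interfaces'].
        prefix: filesystem prefix prepended to the output path.

    Raises:
        ValueError: when an interface that needs a NAT rule has a missing
            ``netfilterDev`` or one containing characters outside the
            interface-name allowlist (the value is spliced verbatim into a
            root-run shell script).
    """
    import re

    def checked_dev(intf):
        # The device name lands unquoted in a shell command; only accept the
        # characters a kernel interface name is expected to carry.
        dev = intf.get('netfilterDev')
        if not isinstance(dev, str) or not re.fullmatch(r"[A-Za-z0-9._:@-]+", dev):
            raise ValueError("Invalid netfilterDev %r for interface %r" % (dev, intf.get('interfaceId')))
        return dev

    def write_interface_rules(out, interfaces):
        # FIXME - these should be rules based on mark instead of netfilterDev.
        # The mark rules don't exist yet, so write the NAT rules using
        # netfilterDev for now.
        for intf in interfaces:
            if intf.get('configType') == 'DISABLED':
                continue
            if intf.get('natEgress'):
                out.write("# NAT Egress traffic to interface %i\n" % intf.get('interfaceId'))
                out.write("nft add rule ip nat-sys nat-rules-sys oifname %s masquerade\n" % checked_dev(intf))
            if intf.get('natIngress'):
                out.write("# NAT Ingress traffic from interface %i\n" % intf.get('interfaceId'))
                out.write("nft add rule ip nat-sys nat-rules-sys iifname %s masquerade\n" % checked_dev(intf))
            out.write("\n")

    filename = prefix + self.nat_rules_sys_filename
    file_dir = os.path.dirname(filename)
    if file_dir:
        os.makedirs(file_dir, exist_ok=True)

    # docker runs in the same kernel as the host, and most host kernels do
    # not yet support multiple NAT hooks. docker needs the iptables NAT
    # hooks, so inserting nft nat rules would break iptables NAT.
    in_docker = board_util.is_docker()

    network = settings.get('network') or {}
    interfaces = network.get('interfaces') or []

    # `with` closes the handle even when a write raises; the original left
    # it open on the error path.
    with open(filename, "w+") as out:
        out.write("#!/bin/sh")
        out.write("\n\n")
        out.write("## Auto Generated\n")
        out.write("## DO NOT EDIT. Changes will be overwritten.\n")
        out.write("\n\n")
        if in_docker:
            out.write("iptables -t nat -A POSTROUTING -j MASQUERADE" + "\n")
        else:
            out.write(r"""
nft delete table ip nat-sys 2>/dev/null || true
nft delete table ip6 nat-sys 2>/dev/null || true
nft add table ip nat-sys
nft add table ip6 nat-sys
nft add chain ip nat-sys postrouting-nat "{ type nat hook postrouting priority 100 ; }"
nft add chain ip nat-sys prerouting-nat "{ type nat hook prerouting priority -50 ; }"
nft add chain ip6 nat-sys postrouting-nat "{ type nat hook postrouting priority 100 ; }"
nft add chain ip6 nat-sys prerouting-nat "{ type nat hook prerouting priority -50 ; }"
nft add chain ip nat-sys miniupnpd
nft add chain ip nat-sys nat-rules-sys
nft add rule ip nat-sys postrouting-nat oifname lo accept
nft add rule ip nat-sys postrouting-nat iifname lo accept
nft add rule ip nat-sys postrouting-nat jump nat-rules-sys
nft add rule ip nat-sys prerouting-nat jump miniupnpd
nft add chain ip nat-sys filter-rules-nat "{ type filter hook forward priority -5 ; }"
""")
            write_interface_rules(out, interfaces)
        out.flush()

    os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
    print("NatManager: Wrote %s" % filename)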
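def write_nat_rules_sys_file(self, settings, prefix):
    """Write the system NAT rules file and mark it executable.

    The file goes to ``prefix + self.nat_rules_sys_filename``. Inside docker
    it is a shell script that only appends an iptables MASQUERADE rule;
    otherwise it is an nft script (``#!/usr/bin/nft_debug -f``) that
    recreates the ``nat-sys`` tables and adds one masquerade rule per
    ``enabled`` interface with ``natEgress`` / ``natIngress`` set.

    Args:
        settings: parsed settings dict; reads settings['network']['interfaces'].
        prefix: filesystem prefix prepended to the output path.

    Raises:
        ValueError: when an interface that needs a NAT rule has a missing
            ``netfilterDev`` or one containing characters outside the
            interface-name allowlist (the value is spliced verbatim into
            nft rule syntax).
    """
    import re

    def checked_dev(intf):
        # The device name is spliced into an nft rule unquoted; only accept
        # the characters a kernel interface name is expected to carry.
        dev = intf.get('netfilterDev')
        if not isinstance(dev, str) or not re.fullmatch(r"[A-Za-z0-9._:@-]+", dev):
            raise ValueError("Invalid netfilterDev %r for interface %r" % (dev, intf.get('interfaceId')))
        return dev

    def write_interface_rules(out, interfaces):
        # FIXME - these should be rules based on mark instead of netfilterDev.
        # The mark rules don't exist yet, so write the NAT rules using
        # netfilterDev for now.
        for intf in interfaces:
            if not intf.get('enabled'):
                continue
            if intf.get('natEgress'):
                out.write("# NAT Egress traffic to interface %i\n" % intf.get('interfaceId'))
                out.write("add rule ip nat-sys nat-rules-sys oifname %s masquerade\n" % checked_dev(intf))
            if intf.get('natIngress'):
                out.write("# NAT Ingress traffic from interface %i\n" % intf.get('interfaceId'))
                out.write("add rule ip nat-sys nat-rules-sys iifname %s masquerade\n" % checked_dev(intf))
            out.write("\n")

    filename = prefix + self.nat_rules_sys_filename
    file_dir = os.path.dirname(filename)
    if file_dir:
        os.makedirs(file_dir, exist_ok=True)

    # docker runs in the same kernel as the host, and most host kernels do
    # not yet support multiple NAT hooks. docker needs the iptables NAT
    # hooks, so inserting nft nat rules would break iptables NAT.
    in_docker = board_util.is_docker()

    network = settings.get('network') or {}
    interfaces = network.get('interfaces') or []

    # `with` closes the handle even when a write raises; the original left
    # it open on the error path.
    with open(filename, "w+") as out:
        if in_docker:
            out.write("#!/bin/sh")
            out.write("\n\n")
            out.write("## Auto Generated\n")
            out.write("## DO NOT EDIT. Changes will be overwritten.\n")
            out.write("\n")
            out.write("iptables -t nat -A POSTROUTING -j MASQUERADE" + "\n")
        else:
            out.write("#!/usr/bin/nft_debug -f")
            out.write("\n\n")
            out.write("## Auto Generated\n")
            out.write("## DO NOT EDIT. Changes will be overwritten.\n")
            out.write("\n\n")
            out.write(r"""
add table ip nat-sys
flush table ip nat-sys
add table ip6 nat-sys
flush table ip6 nat-sys
add chain ip nat-sys postrouting-nat { type nat hook postrouting priority 100 ; }
add chain ip nat-sys prerouting-nat { type nat hook prerouting priority -50 ; }
add chain ip6 nat-sys postrouting-nat { type nat hook postrouting priority 100 ; }
add chain ip6 nat-sys prerouting-nat { type nat hook prerouting priority -50 ; }
add chain ip nat-sys miniupnpd
add chain ip nat-sys nat-rules-sys
add rule ip nat-sys postrouting-nat oifname lo accept
add rule ip nat-sys postrouting-nat iifname lo accept
add rule ip nat-sys postrouting-nat jump nat-rules-sys
add rule ip nat-sys prerouting-nat jump miniupnpd
add chain ip nat-sys filter-rules-nat { type filter hook forward priority -5 ; }
""")
            write_interface_rules(out, interfaces)
        out.flush()

    os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
    print("NatManager: Wrote %s" % filename)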