Verified Commit 25c488a1 authored by Martin Matějek's avatar Martin Matějek

guest: fix guest network firewall rules

From OpenWrt 21.02 onward, the firewall zone name is limited to 11
characters.

See following commit:
https://git.openwrt.org/?p=project/firewall3.git;a=commit;h=8c2f9fad9ca644af911e0d4113a890c3c84aa738

This leads to situation where firewall rules for guest network failed to
load and traffic was not passing from guest network through wan.

Shorten zone name "guest_turris" -> "tr_guest".
parent 92561936
#
# foris-controller
# Copyright (C) 2018-2019, 2021 CZ.NIC, z.s.p.o. (http://www.nic.cz/)
# Copyright (C) 2018-2019, 2021-2022 CZ.NIC, z.s.p.o. (http://www.nic.cz/)
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
......@@ -19,18 +19,21 @@
import logging
from foris_controller_backends.uci import parse_bool, get_option_named, store_bool, UciBackend
from foris_controller.exceptions import UciRecordNotFound, UciException
from foris_controller_backends.lan import LanUci, LanFiles
from foris_controller.exceptions import UciException, UciRecordNotFound
from foris_controller_backends.lan import LanFiles, LanUci
from foris_controller_backends.maintain import MaintainCommands
from foris_controller_backends.services import OpenwrtServices
from foris_controller_backends.uci import (
UciBackend,
get_option_named,
parse_bool,
store_bool,
)
logger = logging.getLogger(__name__)
class GuestUci(object):
class GuestUci:
DEFAULT_GUEST_ADDRESS = "10.111.222.1"
DEFAULT_GUEST_NETMASK = "255.255.255.0"
DEFAULT_GUEST_DHCP_LEASE_TIME = 60 * 60
......@@ -119,6 +122,8 @@ class GuestUci(object):
"""
enabled = store_bool(guest_network["enabled"])
# On OpenWrt >=21.02 firewall zone name is limited to max 11 chars
guest_zone_name = "tr_guest"
# update network interface list
backend.add_section("network", "interface", "guest_turris")
......@@ -137,7 +142,7 @@ class GuestUci(object):
# update firewall config
backend.add_section("firewall", "zone", "guest_turris")
backend.set_option("firewall", "guest_turris", "enabled", enabled)
backend.set_option("firewall", "guest_turris", "name", "guest_turris")
backend.set_option("firewall", "guest_turris", "name", guest_zone_name)
backend.replace_list("firewall", "guest_turris", "network", ["guest_turris"])
backend.set_option("firewall", "guest_turris", "input", "REJECT")
backend.set_option("firewall", "guest_turris", "forward", "REJECT")
......@@ -146,13 +151,13 @@ class GuestUci(object):
backend.add_section("firewall", "forwarding", "guest_turris_forward_wan")
backend.set_option("firewall", "guest_turris_forward_wan", "enabled", enabled)
backend.set_option("firewall", "guest_turris_forward_wan", "name", "guest to wan forward")
backend.set_option("firewall", "guest_turris_forward_wan", "src", "guest_turris")
backend.set_option("firewall", "guest_turris_forward_wan", "src", guest_zone_name)
backend.set_option("firewall", "guest_turris_forward_wan", "dest", "wan")
backend.add_section("firewall", "rule", "guest_turris_dns_rule")
backend.set_option("firewall", "guest_turris_dns_rule", "enabled", enabled)
backend.set_option("firewall", "guest_turris_dns_rule", "name", "guest dns rule")
backend.set_option("firewall", "guest_turris_dns_rule", "src", "guest_turris")
backend.set_option("firewall", "guest_turris_dns_rule", "src", guest_zone_name)
backend.set_option("firewall", "guest_turris_dns_rule", "proto", "tcpudp")
backend.set_option("firewall", "guest_turris_dns_rule", "dest_port", "53")
backend.set_option("firewall", "guest_turris_dns_rule", "target", "ACCEPT")
......@@ -160,14 +165,14 @@ class GuestUci(object):
backend.add_section("firewall", "rule", "guest_turris_dhcp_rule")
backend.set_option("firewall", "guest_turris_dhcp_rule", "enabled", enabled)
backend.set_option("firewall", "guest_turris_dhcp_rule", "name", "guest dhcp rule")
backend.set_option("firewall", "guest_turris_dhcp_rule", "src", "guest_turris")
backend.set_option("firewall", "guest_turris_dhcp_rule", "src", guest_zone_name)
backend.set_option("firewall", "guest_turris_dhcp_rule", "proto", "udp")
backend.set_option("firewall", "guest_turris_dhcp_rule", "src_port", "67-68")
backend.set_option("firewall", "guest_turris_dhcp_rule", "dest_port", "67-68")
backend.set_option("firewall", "guest_turris_dhcp_rule", "target", "ACCEPT")
backend.add_section("firewall", "rule", "guest_turris_Allow_DHCPv6")
backend.set_option("firewall", "guest_turris_Allow_DHCPv6", "src", "guest_turris")
backend.set_option("firewall", "guest_turris_Allow_DHCPv6", "src", guest_zone_name)
backend.set_option("firewall", "guest_turris_Allow_DHCPv6", "proto", "udp")
backend.set_option("firewall", "guest_turris_Allow_DHCPv6", "src_ip", "fe80::/10")
backend.set_option("firewall", "guest_turris_Allow_DHCPv6", "src_port", "546-547")
......@@ -177,7 +182,7 @@ class GuestUci(object):
backend.set_option("firewall", "guest_turris_Allow_DHCPv6", "target", "ACCEPT")
backend.add_section("firewall", "rule", "guest_turris_Allow_MLD")
backend.set_option("firewall", "guest_turris_Allow_MLD", "src", "guest_turris")
backend.set_option("firewall", "guest_turris_Allow_MLD", "src", guest_zone_name)
backend.set_option("firewall", "guest_turris_Allow_MLD", "proto", "icmp")
backend.set_option("firewall", "guest_turris_Allow_MLD", "src_ip", "fe80::/10")
backend.set_option("firewall", "guest_turris_Allow_MLD", "family", "ipv6")
......@@ -185,7 +190,7 @@ class GuestUci(object):
backend.replace_list("firewall", "guest_turris_Allow_MLD", "icmp_type", ['130/0', '131/0', '132/0', '143/0'])
backend.add_section("firewall", "rule", "guest_turris_Allow_ICMPv6_Input")
backend.set_option("firewall", "guest_turris_Allow_ICMPv6_Input", "src", "guest_turris")
backend.set_option("firewall", "guest_turris_Allow_ICMPv6_Input", "src", guest_zone_name)
backend.set_option("firewall", "guest_turris_Allow_ICMPv6_Input", "proto", "icmp")
backend.set_option("firewall", "guest_turris_Allow_ICMPv6_Input", "limit", "1000/sec")
backend.set_option("firewall", "guest_turris_Allow_ICMPv6_Input", "family", "ipv6")
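Review bot: The shortened zone name is a method-local literal, `guest_zone_name = "tr_guest"`, introduced in the hunk at @@ -119, while the class already keeps its guest defaults as class attributes (DEFAULT_GUEST_ADDRESS and friends); any other code that needs to reference this zone by name has no constant to import, so a second copy of the string is the likely outcome. I would hoist it next to the other defaults as `GUEST_ZONE_NAME = "tr_guest"  # OpenWrt >= 21.02 firewall3 limits zone names to 11 chars` and bind it in the method with `guest_zone_name = GuestUci.GUEST_ZONE_NAME`. Only the zone's `name` option is shortened; the UCI section id `guest_turris` (12 chars) and the `network` list entry keep the old value, which is presumably fine because the limit applies to the zone name rather than the section id — worth confirming against the linked firewall3 commit. Any rule outside this diff that still uses `guest_turris` as `src` or `dest` would now reference a zone that no longer exists, so a search for the old name across the other firewall config writers is worthwhile. The enclosing method starts and ends outside the hunks shown.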
......
......@@ -229,7 +229,7 @@ def test_update_settings_openwrt(
assert uci.get_option_named(data, "dhcp", "guest_turris", "dhcp_option") == ["6,192.168.8.1"]
assert uci.parse_bool(uci.get_option_named(data, "firewall", "guest_turris", "enabled"))
assert uci.get_option_named(data, "firewall", "guest_turris", "name") == "guest_turris"
assert uci.get_option_named(data, "firewall", "guest_turris", "name") == "tr_guest"
assert uci.get_option_named(data, "firewall", "guest_turris", "input") == "REJECT"
assert uci.get_option_named(data, "firewall", "guest_turris", "forward") == "REJECT"
assert uci.get_option_named(data, "firewall", "guest_turris", "output") == "ACCEPT"
......@@ -237,27 +237,27 @@ def test_update_settings_openwrt(
uci.get_option_named(data, "firewall", "guest_turris_forward_wan", "enabled")
)
assert (
uci.get_option_named(data, "firewall", "guest_turris_forward_wan", "src") == "guest_turris"
uci.get_option_named(data, "firewall", "guest_turris_forward_wan", "src") == "tr_guest"
)
assert uci.get_option_named(data, "firewall", "guest_turris_forward_wan", "dest") == "wan"
assert uci.parse_bool(
uci.get_option_named(data, "firewall", "guest_turris_dns_rule", "enabled")
)
assert uci.get_option_named(data, "firewall", "guest_turris_dns_rule", "src") == "guest_turris"
assert uci.get_option_named(data, "firewall", "guest_turris_dns_rule", "src") == "tr_guest"
assert uci.get_option_named(data, "firewall", "guest_turris_dns_rule", "proto") == "tcpudp"
assert uci.get_option_named(data, "firewall", "guest_turris_dns_rule", "dest_port") == "53"
assert uci.get_option_named(data, "firewall", "guest_turris_dns_rule", "target") == "ACCEPT"
assert uci.parse_bool(
uci.get_option_named(data, "firewall", "guest_turris_dhcp_rule", "enabled")
)
assert uci.get_option_named(data, "firewall", "guest_turris_dhcp_rule", "src") == "guest_turris"
assert uci.get_option_named(data, "firewall", "guest_turris_dhcp_rule", "src") == "tr_guest"
assert uci.get_option_named(data, "firewall", "guest_turris_dhcp_rule", "proto") == "udp"
assert uci.get_option_named(data, "firewall", "guest_turris_dhcp_rule", "src_port") == "67-68"
assert uci.get_option_named(data, "firewall", "guest_turris_dhcp_rule", "dest_port") == "67-68"
assert uci.get_option_named(data, "firewall", "guest_turris_dhcp_rule", "target") == "ACCEPT"
# ipv6 dhcp
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_DHCPv6", "src") == "guest_turris"
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_DHCPv6", "src") == "tr_guest"
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_DHCPv6", "proto") == "udp"
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_DHCPv6", "src_ip") == "fe80::/10"
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_DHCPv6", "src_port") == "546-547"
......@@ -266,7 +266,7 @@ def test_update_settings_openwrt(
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_DHCPv6", "family") == "ipv6"
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_DHCPv6", "target") == "ACCEPT"
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_MLD", "src") == "guest_turris"
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_MLD", "src") == "tr_guest"
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_MLD", "proto") == "icmp"
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_MLD", "src_ip") == "fe80::/10"
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_MLD", "family") == "ipv6"
......@@ -275,7 +275,7 @@ def test_update_settings_openwrt(
'130/0', '131/0', '132/0', '143/0'
]
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_ICMPv6_Input", "src") == "guest_turris"
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_ICMPv6_Input", "src") == "tr_guest"
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_ICMPv6_Input", "proto") == "icmp"
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_ICMPv6_Input", "limit") == "1000/sec"
assert uci.get_option_named(data, "firewall", "guest_turris_Allow_ICMPv6_Input", "family") == "ipv6"
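Review bot: The assertions from @@ -229 onward pin the literal `"tr_guest"` in seven places but never check the property the commit is actually fixing, so a future rename back to a 12-character name would pass this test and break the guest firewall again on the device. I would add, next to the `name` assertion, `assert len(uci.get_option_named(data, "firewall", "guest_turris", "name")) <= 11` with a short comment pointing at the OpenWrt 21.02 firewall3 limit quoted in the commit message. The enclosing function test_update_settings_openwrt starts and ends outside the hunks shown.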
......