nethsec.firewall

package documentation

(source)

Firewall utilities

From __init__.py:

Function	`add_default_ipv6_rules`	Add default ipv6 rules to firewall config, if they don't exist already.
Function	`add_device_to_lan`	Shortuct to add a device to lan zone
Function	`add_device_to_wan`	Shortuct to add a device to wan zone
Function	`add_device_to_zone`	Add given device to a firewall zone. The device is not added if the firewall zone does not exists Changes are saved to staging area.
Function	`add_forwarding`	Add forwarding from src to dest.
Function	`add_interface_to_zone`	Add given interface to a firewall zone. The interface is not added if the firewall zone does not exists Changes are saved to staging area.
Function	`add_nat_rule`	Add nat rule to firewall config.
Function	`add_netmap_rule`	Add netmap rule to netmap config.
Function	`add_rule`	Add rule to firewall config.
Function	`add_service`	Create an ACCEPT traffic rule for the given service Changes are saved to staging area.
Function	`add_template_forwarding`	Create a forwarding from templates database. Changes are saved to staging area.
Function	`add_template_rule`	Create a rule from templates database. Changes are saved to staging area.
Function	`add_template_service_group`	Create all rules for the given service group Changes are saved to staging area.
Function	`add_template_zone`	Create a zone from templates database. Changes are saved to staging area.
Function	`add_trusted_zone`	be able to access lan and wan zone
Function	`add_vpn_interface`	Create a network interface for the given device. The interface can be used for PBR (Policy Based Routing). Changes are saved to staging area.
Function	`add_zone`	Add zone to firewall config.
Function	`apply`	commit changes to firewall config
Function	`delete_linked_sections`	Delete all sections matching the given link. Changes are saved to staging area.
Function	`delete_nat_rule`	Delete nat rule from firewall config.
Function	`delete_netmap_rule`	Delete netmap rule from netmap config.
Function	`delete_rule`	Delete rule from firewall config.
Function	`delete_zone`	Delete zone and all forwardings that are connected to it.
Function	`disable_ipv6_firewall`	Disable all rules, forwardings, redirects, zones and ipsets for ipv6-only family. Changes are saved to staging area.
Function	`disable_linked_rules`	Disable all rules matching the given link Changes are saved to staging area.
Function	`disable_rule`	Disable rule from firewall config.
Function	`disable_service`	Disable the ACCEPT rule traffic for the given service. Changes are saved to staging area.
Function	`edit_nat_rule`	Edit nat rule in firewall config.
Function	`edit_netmap_rule`	Edit netmap rule in netmap config.
Function	`edit_rule`	Edit rule in firewall config.
Function	`edit_zone`	Edit an existing zone.
Function	`enable_rule`	Enable rule from firewall config.
Function	`enable_service`	Disable the ACCEPT rule traffic for the given service Changes are saved to staging area.
Function	`enrich_rule`	Enrich rule with more human-readable data and missing fields
Function	`get_all_linked`	Search all database, execpt templates one, for entities with the given link
Function	`get_rule_by_name`	Get rule config name and rule data by rule name, optionally filtered by tag. Assume there is only one rule with the same name.
Function	`get_service_by_name`	Get service by name.
Function	`get_zone_by_name`	Get zone config name by zone name.
Function	`is_forward_rule`	Check if rule is a forward rule
Function	`is_input_rule`	Check if rule is an input rule
Function	`is_ipv6_enabled`	Search the network database for devices and interfaces using IPv6
Function	`is_output_rule`	Check if rule is an output rule
Function	`list_active_leases`	Get all active leases from /tmp/dhcp.leases
Function	`list_forward_rules`	Get all forward rules from firewall config
Function	`list_forwardings`	Get all forwardings from firewall config
Function	`list_host_suggestions`	Get all hosts from dhcp and network config
Function	`list_input_rules`	Get all input rules from firewall config
Function	`list_nat_rules`	Get all nat rules from firewall config
Function	`list_netmap_devices`	Get all network devices from ip command
Function	`list_netmap_rules`	Get all netmap rules from netmap config
Function	`list_object_suggestions`	Get all objects from objects config
Function	`list_output_rules`	Get all output rules from firewall config
Function	`list_rule_ids`	Get all rule ids from firewall config
Function	`list_rules`	Get all rules from firewall config
Function	`list_service_suggestions`	Get all services from /etc/services
Function	`list_zones`	Get all zones from firewall config
Function	`list_zones_no_aliases`	Get all zones from firewall config, excluding aliases in network section
Function	`order_rules`	Orders firewall rules, moves everything else but rules to the end of the list.
Function	`remove_device_from_zone`	Remove the given device from a firewall zone. The operation always succeed if the zone does not exists
Function	`remove_interface_from_zone`	Remove the given interface from a firewall zone. The operation always succeed if the zone does not exists
Function	`remove_service`	Remove the ACCEPT traffic rule for the given service Changes are saved to staging area.
Function	`reorder_firewall_config`	Reorder firewall config, moving all rules at the bottom. The order in the file will be: - defaults and includes - zones - forwardings - forward rules - output rules - input rules
Function	`resolve_address`	Resolve address to a more human-redeable name.
Function	`setup_rule`	Set up a rule in the firewall config.
Function	`split_firewall_config`	Split firewall config into sections.
Function	`update_firewall_rules`	Update firewall rules with ipset field set and ns_src set.
Function	`update_redirect_rules`	Update redirect rules with ipset field set and ns_src set.
Function	`validate_address_format`	Validate address format. Valid formats are: - ip address - ip range like 192.168.100.1-192.168.100.10 - ip cidr
Function	`validate_netmap_rule`	Undocumented
Function	`validate_port_format`	Validate port format.
Function	`validate_rule`	Validate rule.
Function	`zone_exists`	Check if a zone with name zone_name already exists
Constant	`PROTOCOLS`	Undocumented
Constant	`TARGETS`	Undocumented

def add_default_ipv6_rules(uci): (source) ¶

Add default ipv6 rules to firewall config, if they don't exist already.

Args:: uci: EUci pointer
Returns:: list of added rule config names

def add_device_to_lan(uci, device): (source) ¶

Shortuct to add a device to lan zone

Arguments:

uci -- EUci pointer
device -- Device name

Returns:

The name of section or None

def add_device_to_wan(uci, device): (source) ¶

Shortuct to add a device to wan zone

Arguments:

uci -- EUci pointer
device -- Device name

Returns:

The name of the configuration section or None

def add_device_to_zone(uci, device, zone): (source) ¶

Add given device to a firewall zone. The device is not added if the firewall zone does not exists Changes are saved to staging area.

Arguments:

uci -- EUci pointer
device -- Device name
zone -- Firewall zone name

Returns:

If the firewall zone exists, the name of the section where the device has been added.
None, otherwise.

def add_forwarding(uci, src: str, dest: str) -> str: (source) ¶

Add forwarding from src to dest.

Args:: uci: EUci pointer src: source zone, must be zone name, not config name dest: destination zone, must be zone name, not config name
Returns:: name of forwarding config that was added

def add_interface_to_zone(uci, interface, zone): (source) ¶

Add given interface to a firewall zone. The interface is not added if the firewall zone does not exists Changes are saved to staging area.

Arguments:

uci -- EUci pointer
interface -- Interface name
zone -- Firewall zone name

Returns:

If the firewall zone exists, the name of the section where the device has been added.
None, otherwise.

def add_nat_rule(uci, name: str, target: str, src: str = '*', src_ip: str = '', dest_ip: str = '', snat_ip: str = '') -> str: (source) ¶

Add nat rule to firewall config.

Args:: uci: EUci pointer name: name of rule target: target, must be one of 'SNAT', 'DNAT' src: source zone, must be zone name, not config name src_ip: source ip dest_ip: destination ip snat_ip: snat ip
Returns:: name of rule config that was added

def add_netmap_rule(uci, name: str, src: str, dest: str, device_in: list[str], device_out: list[str], map_from: str, map_to: str) -> str: (source) ¶

Add netmap rule to netmap config.

Args:: uci: EUci pointer name: name of rule src: source zone, must be zone name, not config name dest: destination zone, must be zone name, not config name device_in: list of incoming network interfaces device_out: list of outgoing network interfaces map_from: source network address map_to: destination network address
Returns:: name of rule config that was added

def add_rule(uci, name: str, src: str, src_ip: list[str], dest: str, dest_ip: list[str], proto: list, dest_port: list[str], target: str, service: str, enabled: bool = True, log: bool = False, tag=[], add_to_top: bool = False, ns_src: str = None, ns_dst: str = None) -> str: (source) ¶

Add rule to firewall config.

Args:: uci: EUci pointer id: id of rule to edit name: name of rule src: source zone, must be zone name, not config name src_ip: a list of source ip dest: destination zone, must be zone name, not config name dest_ip: a list of destination ip proto: protocol, must be a list of protocols in "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp" dest_port: a list of destination ports, each element cna be be a port number, a comma-separated list of port numbers or a range with - (eg. 80-90) target: target, must be one of 'ACCEPT', 'REJECT', 'DROP' service: service name enabled: if True, rule is enabled, if False, rule is disabled log: if True, log traffic tag: list of optional tags add_to_top: if True, add rule to the top of the list, otherwise add to the bottom ns_src: an object in the form <database>/ ns_dst: an object in the form <database>/
Returns:: name of rule config that was added

def add_service(uci, name, port, proto, link=''): (source) ¶

Create an ACCEPT traffic rule for the given service Changes are saved to staging area.

Arguments:

uci -- EUci pointer
name -- Service name
port -- Service port number as string or array
proto -- List of service protocols
link -- A reference to an existing key in the format <database>/<keyname> (optional)

Returns:

The name of the configuration section

def add_template_forwarding(uci, name, link=''): (source) ¶

Create a forwarding from templates database. Changes are saved to staging area.

Arguments:

uci -- EUci pointer
name -- Name of the template forwarding from the templates database
link -- A reference to an existing key in the format <database>/<keyname> (optional)

Returns a tuple:

The name of the configuration section for the forwarding or None in case of error

def add_template_rule(uci, name, proto='', port='', link=''): (source) ¶

Create a rule from templates database. Changes are saved to staging area.

Arguments:

uci -- EUci pointer
name -- Name of the template rule from the templates database
proto -- A valid UCI protocol (optional)
port -- A port or comma-separated list of ports (optional)
link -- A reference to an existing key in the format <database>/<keyname> (optional)

Returns:

The name of the configuration section for the rule or None in case of error

def add_template_service_group(uci, name, src='lan', dest='wan', link=''): (source) ¶

Create all rules for the given service group Changes are saved to staging area.

Arguments:

uci -- EUci pointer
name -- Name of the service group from the templates database
src -- Source zone, default is 'lan'. The zone must already exists inside the firewall db
dest -- Destination zone, default is 'wan'. The zone must already exists inside the firewall db
link -- A reference to an existing key in the format <database>/<keyname> (optional)

Returns:

A list of configuration section names of each rule, None in case of error

def add_template_zone(uci, name, networks=[], link=''): (source) ¶

Create a zone from templates database. Changes are saved to staging area.

Arguments:

uci -- EUci pointer
name -- Name of the zone from the templates database
network -- A list of interfaces to be added to the zone (optional)
link -- A reference to an existing key in the format <database>/<keyname> (optional)

Returns a tuple:

The name of the configuration section for the zone or None in case of error
A list of configuration section names for the forwardings or None in case of error

def add_trusted_zone(uci, name, networks=[], link=''): (source) ¶

Create a trusted zone. The zone will:

be able to access lan and wan zone
be accessible from lan zone

If a zone with the same name already exists, do not recreate it. Changes are saved to staging area.

Arguments:

uci -- EUci pointer
name -- Zone name, maximum length is 12
network -- A list of interfaces to be added to the zone (optional)
link -- A reference to an existing key in the format <database>/<keyname> (optional)

Returns a tuple:

The name of the configuration section or None in case of error
A list of configuration sections or an empy list in case of error

def add_vpn_interface(uci, name, device, link=''): (source) ¶

Create a network interface for the given device. The interface can be used for PBR (Policy Based Routing). Changes are saved to staging area.

Arguments:

uci -- EUci pointer
name -- Interface name
device -- Device name
link -- A reference to an existing key in the format <database>/<keyname> (optional)

Returns:

The name of the configuration section or None in case of error

def add_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = False, forwards_to: list[str] = None, forwards_from: list[str] = None, log: bool = False) -> set([str, set[str]]): (source) ¶

Add zone to firewall config.

Args:: uci: EUci pointer name: name of zone input: rule for input traffic, must be one of 'ACCEPT', 'REJECT', 'DROP' forward: rule for forward traffic, must be one of 'ACCEPT', 'REJECT', 'DROP' traffic_to_wan: if True, add forwarding from zone to wan forwards_to: list of zones to forward traffic to forwards_from: list of zones to forward traffic from log: if True, log blocked traffic destined to this zone
Returns:: tuple of zone config name and set of added forwarding configs

def apply(uci): (source) ¶

Apply firewall configuration:

commit changes to firewall config
reload the firewall service

Arguments:

uci -- EUci pointer

def delete_linked_sections(uci, link): (source) ¶

Delete all sections matching the given link. Changes are saved to staging area.

Arguments:

uci -- EUci pointer
link -- A reference to an existing key in the format <database>/<keyname>

Returns:

A list of deleted sections

def delete_nat_rule(uci, id: str) -> str: (source) ¶

Delete nat rule from firewall config.

Args:: uci: EUci pointer id: id of rule to delete
Returns:: name of rule config that was deleted

def delete_netmap_rule(uci, id: str) -> str: (source) ¶

Delete netmap rule from netmap config.

Args:: uci: EUci pointer id: id of rule to delete
Returns:: name of rule config that was deleted

def delete_rule(uci, id: str) -> str: (source) ¶

Delete rule from firewall config.

Args:: uci: EUci pointer id: name of rule config to delete
Returns:: name of rule config that was deleted
Raises:: ValueError: if id is not a valid rule config name

def delete_zone(uci, zone_config_name: str) -> set([str, set[str]]): (source) ¶

Delete zone and all forwardings that are connected to it.

Args:: uci: EUci pointer zone_config_name: name of zone config to delete
Returns:: tuple of zone config name and set of deleted forwarding configs
Raises:: ValueError: if zone_config_name is not a valid zone config name

def disable_ipv6_firewall(uci): (source) ¶

Disable all rules, forwardings, redirects, zones and ipsets for ipv6-only family. Changes are saved to staging area.

Arguments:

uci -- EUci pointer

Returns:

A list of disabled sections

def disable_linked_rules(uci, link): (source) ¶

Disable all rules matching the given link Changes are saved to staging area.

Arguments:

uci -- EUci pointer
link -- A reference to an existing key in the format <database>/<keyname>

Returns:

A list of disabled sections

def disable_rule(uci, id: str) -> str: (source) ¶

Disable rule from firewall config.

Args:: uci: EUci pointer id: name of rule config to disable
Returns:: name of rule config that was disabled
Raises:: ValueError: if id is not a valid rule config name

def disable_service(uci, name): (source) ¶

Disable the ACCEPT rule traffic for the given service. Changes are saved to staging area.

Arguments:

uci -- EUci pointer
name -- Service name

Returns:

The name of the configuration section if found, None otherwise

def edit_nat_rule(uci, id: str, name: str, target: str, src: str = '*', src_ip: str = '', dest_ip: str = '', snat_ip: str = '') -> str: (source) ¶

Edit nat rule in firewall config.

Args:: uci: EUci pointer id: id of rule to edit name: name of rule target: target, must be one of 'SNAT', 'DNAT' src: source zone, must be zone name, not config name src_ip: source ip dest_ip: destination ip snat_ip: snat ip
Returns:: name of rule config that was edited

def edit_netmap_rule(uci, id: str, name: str, src: str, dest: str, device_in: list[str], device_out: list[str], map_from: str, map_to: str) -> str: (source) ¶

Edit netmap rule in netmap config.

Args:: uci: EUci pointer id: id of rule to edit name: name of rule src: source zone, must be zone name, not config name dest: destination zone, must be zone name, not config name device_in: list of incoming network interfaces device_out: list of outgoing network interfaces map_from: source network address map_to: destination network address
Returns:: name of rule config that was edited

def edit_rule(uci, id: str, name: str, src: str, src_ip: list[str], dest: str, dest_ip: list[str], proto: list, dest_port: list[str], target: str, service: str, enabled: bool = True, log: bool = False, tag=[], ns_src: str = None, ns_dst: str = None) -> str: (source) ¶

Edit rule in firewall config.

Args:: uci: EUci pointer id: id of rule to edit name: name of rule src: source zone, must be zone name, not config name src_ip: a list of source ip dest: destination zone, must be zone name, not config name dest_ip: a list of destination ip proto: protocol, must be a list of protocols in "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp" dest_port: a list of destination ports, each element cna be be a port number, a comma-separated list of port numbers or a range with - (eg. 80-90) target: target, must be one of 'ACCEPT', 'REJECT', 'DROP' service: service name enabled: if True, rule is enabled, if False, rule is disabled log: if True, log traffic tag: list of optional tags ns_src: an object in the form <database>/ ns_dst: an object in the form <database>/
Returns:: name of rule config that was edited

def edit_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = False, forwards_to: list[str] = None, forwards_from: list[str] = None, log: bool = False) -> set([str, set[str]]): (source) ¶

Edit an existing zone.

Args:: uci: EUci pointer name: name of zone to edit input: rule for input traffic, must be one of 'ACCEPT', 'REJECT', 'DROP' forward: rule for forward traffic, must be one of 'ACCEPT', 'REJECT', 'DROP' traffic_to_wan: if True, add forwarding from zone to wan forwards_to: list of zones to forward traffic to forwards_from: list of zones to forward traffic from log: if True, log blocked traffic destined to this zone
Returns:: tuple of zone config name and set of updated forwarding configs

def enable_rule(uci, id: str) -> str: (source) ¶

Enable rule from firewall config.

Args:: uci: EUci pointer id: name of rule config to enable
Returns:: name of rule config that was enabled
Raises:: ValueError: if id is not a valid rule config name

def enable_service(uci, name): (source) ¶

Disable the ACCEPT rule traffic for the given service Changes are saved to staging area.

Arguments:

uci -- EUci pointer
name -- Service name

Returns:

The name of the configuration section if found, None otherwise

def enrich_rule(uci, rule: dict) -> dict: (source) ¶

Enrich rule with more human-readable data and missing fields

Args:: uci: EUci pointer rule: rule to enrich
Returns:: enriched rule

def get_all_linked(uci, link): (source) ¶

Search all database, execpt templates one, for entities with the given link

Arguments:

uci -- EUci pointer
link -- A reference to an existing key in the format <database>/<keyname>

Returns:

A dictionary of all matched sections like {"db1": ["key1", "key2"], "db2": [...] }

def get_rule_by_name(uci, name: str, tag='') -> str: (source) ¶

Get rule config name and rule data by rule name, optionally filtered by tag. Assume there is only one rule with the same name.

Args:: uci: EUci pointer name: rule name tag: optional tag to filter rules
Returns:: tuple of rule config name and rule config if rule with name name exists, (None, None) otherwise

def get_service_by_name(name: str) -> dict: (source) ¶

Get service by name.

Args:: name: service name
Returns:: service dict if service with name name exists, None otherwise

def get_zone_by_name(uci, name: str) -> str: (source) ¶

Get zone config name by zone name.

Args:: uci: EUci pointer name: zone name
Returns:: tuple of zone config name and zone config if zone with name name exists, (None, None) otherwise

def is_forward_rule(rule: dict) -> bool: (source) ¶

Check if rule is a forward rule

Args:: rule: rule to check
Returns:: True if rule is a forward rule, False otherwise

def is_input_rule(rule: dict) -> bool: (source) ¶

Check if rule is an input rule

Args:: rule: rule to check
Returns:: True if rule is an input rule, False otherwise

def is_ipv6_enabled(uci): (source) ¶

Search the network database for devices and interfaces using IPv6

Arguments:

uci -- EUci pointer

Returns:

True if IPv6 is enabled at least on a device or interface, False otherwise

def is_output_rule(rule: dict) -> bool: (source) ¶

Check if rule is an output rule

Args:: rule: rule to check
Returns:: True if rule is an output rule, False otherwise

def list_active_leases(): (source) ¶

Get all active leases from /tmp/dhcp.leases

Returns:: a list of all active leases, each lease is a dict with keys value, label, type

def list_forward_rules(uci) -> list: (source) ¶

Get all forward rules from firewall config

Args:: uci: EUci pointer
Returns:: a list of all forward rules

def list_forwardings(uci) -> dict: (source) ¶

Get all forwardings from firewall config

Args:: uci: EUci pointer
Returns:: dict with all forwardings

def list_host_suggestions(uci): (source) ¶

Get all hosts from dhcp and network config

Args:: uci: EUci pointer
Returns:: a list of all hosts, each host is a dict with keys value, label, type

def list_input_rules(uci) -> list: (source) ¶

Get all input rules from firewall config

Args:: uci: EUci pointer
Returns:: a list of all input rules

def list_nat_rules(uci) -> list: (source) ¶

Get all nat rules from firewall config

Args:: uci: EUci pointer
Returns:: a list of all nat rules

def list_netmap_devices(uci) -> list: (source) ¶

Get all network devices from ip command

Args:: uci: EUci pointer
Returns:: a list of all network devices

def list_netmap_rules(uci) -> list: (source) ¶

Get all netmap rules from netmap config

Args:: uci: EUci pointer
Returns:: a list of all netmap rules

def list_object_suggestions(uci, expand=False): (source) ¶

Get all objects from objects config

Args:: uci: EUci pointer expand: if True, expand object details
Returns:: a list of all objects, each object is a dict with keys value, label, type

def list_output_rules(uci) -> list: (source) ¶

Get all output rules from firewall config

Args:: uci: EUci pointer
Returns:: a list of all output rules

def list_rule_ids(uci) -> list[str]: (source) ¶

Get all rule ids from firewall config

Args:: uci: EUci pointer
Returns:: list of all rule ids

def list_rules(uci, rule_type=None) -> list: (source) ¶

Get all rules from firewall config

Args:: uci: EUci pointer rule_type: optional rule type to filter, must be one of 'input', 'output' or 'forward'
Returns:: a list of all rules

def list_service_suggestions(): (source) ¶

Get all services from /etc/services

Returns:: a list of all services, each service is a dict with keys id, port, proto

def list_zones(uci) -> dict: (source) ¶

Get all zones from firewall config

Args:: uci: EUci pointer
Returns:: dict with all zones

def list_zones_no_aliases(uci) -> dict: (source) ¶

Get all zones from firewall config, excluding aliases in network section

Args:

uci: EUci pointer

Returns:

dict with all zones

def order_rules(uci, rule_type: str, order: list[str]) -> list[str]: (source) ¶

Orders firewall rules, moves everything else but rules to the end of the list.

Args:: e_uci: euci instance rule_type: type of rule to order, must be 'input', 'output' or 'forward' rules: which order to put rules
Returns:: list of ordered rules entries
Raises:: ValidationError: if a rule is not present in /etc/config/firewall

def remove_device_from_zone(uci, device, zone): (source) ¶

Remove the given device from a firewall zone. The operation always succeed if the zone does not exists

Changes are saved to staging area.

Arguments:

uci -- EUci pointer
device -- Device name
zone -- Firewall zone name

Returns:

If the firewall zone exists, the name of the section where the device has been removed.
None, otherwise.

def remove_interface_from_zone(uci, interface, zone): (source) ¶

Remove the given interface from a firewall zone. The operation always succeed if the zone does not exists

Changes are saved to staging area.

Arguments:

uci -- EUci pointer
interface -- Interface name
zone -- Firewall zone name

Returns:

If the firewall zone exists, the name of the section where the interface has been removed.
None, otherwise.

def remove_service(uci, name): (source) ¶

Remove the ACCEPT traffic rule for the given service Changes are saved to staging area.

Arguments:

uci -- EUci pointer
name -- Service name

Returns:

The name of the configuration section

def reorder_firewall_config(uci): (source) ¶

Reorder firewall config, moving all rules at the bottom. The order in the file will be: - defaults and includes - zones - forwardings - forward rules - output rules - input rules

Args:: uci: EUci pointer

def resolve_address(uci, address: str) -> str: (source) ¶

Resolve address to a more human-redeable name.

Args:: uci: EUci pointer address: address to resolve
Returns:: resolved address as a dict with keys value, label and type

def setup_rule(uci, id: str, name: str, src: str, src_ip: list[str], dest: str, dest_ip: list[str], proto: list, dest_port: list[str], target: str, service: str, enabled: bool = True, log: bool = False, tag=[], ns_src: str = None, ns_dst: str = None): (source) ¶

Set up a rule in the firewall config.

Args:: uci: EUci pointer id: id of the rule name: name of the rule src: source zone, must be zone name, not config name src_ip: a list of source IP addresses dest: destination zone, must be zone name, not config name dest_ip: a list of destination IP addresses proto: protocol, must be a list of protocols in "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp" dest_port: a list of destination ports, each element can be a port number, a comma-separated list of port numbers, or a range with - (e.g., 80-90) target: target, must be one of 'ACCEPT', 'REJECT', 'DROP' service: service name enabled: if True, rule is enabled; if False, rule is disabled log: if True, log traffic tag: list of optional tags ns_src: an object in the form <database>/ ns_dst: an object in the form <database>/

def split_firewall_config(uci): (source) ¶

Split firewall config into sections.

Args:: uci: EUci pointer
Returns:: tuple of lists of sections, in the following order: defaults, zones, forwardings, other_rules, forward_rules, output_rules, input_rules

def update_firewall_rules(uci): (source) ¶

Update firewall rules with ipset field set and ns_src set.

Args:: uci: EUci pointer

def update_redirect_rules(uci): (source) ¶

Update redirect rules with ipset field set and ns_src set.

Args:: uci: EUci pointer changed_sections: list of changed objects, each object is in the form of <database>/

def validate_address_format(address: str) -> bool: (source) ¶

Validate address format. Valid formats are: - ip address - ip range like 192.168.100.1-192.168.100.10 - ip cidr

Args:: address: address to validate
Returns:: True if address is valid, False otherwise

def validate_netmap_rule(name: str, src: str, dest: str, map_from: str, map_to: str): (source) ¶

Undocumented

def validate_port_format(port: str) -> bool: (source) ¶

Validate port format.

Args:: port: port to validate
Returns:: True if port is valid, False otherwise

def validate_rule(uci, src: str, src_ip: list[str], dest: str, dest_ip: list[str], proto: list, dest_port: list[str], target: str, service: str, ns_src: str, ns_dst: str): (source) ¶

Validate rule.

Args:: src: source zone, must be zone name, not config name src_ip: a list of source ip dest: destination zone, must be zone name, not config name dest_ip: a list of destination ip proto: protocol, must be a list of protocols in "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp" dest_port: a list of destination ports, each element cna be be a port number, a comma-separated list of port numbers or a range with - (eg. 80-90) target: target, must be one of 'ACCEPT', 'REJECT', 'DROP' service: service name ns_src: an object in the form <database>/ ns_dst: an object in the form <database>/
Raises:: ValidationError: if rule is invalid

def zone_exists(u, zone_name): (source) ¶

Check if a zone with name zone_name already exists

Args:: u: EUci pointer zone_name: zone name to check
Returns:: true if a zone with name zone_name already exists, false otherwise

PROTOCOLS: list[str] = (source) ¶

Undocumented

Value

['tcp', 'udp', 'udplite', 'icmp', 'esp', 'ah', 'sctp']

TARGETS: list[str] = (source) ¶

Undocumented

Value

['ACCEPT', 'DROP', 'REJECT']