Add support for managing forwarding rules

This commit is contained in:
Timotej Lazar 2023-05-29 12:24:21 +02:00
parent 52a5b7cd11
commit 765d4a3ce7
8 changed files with 169 additions and 4 deletions

View file

@ -50,6 +50,9 @@ def create_app(test_config=None):
from . import config
app.register_blueprint(config.blueprint)
from . import rules
app.register_blueprint(rules.blueprint)
from . import vpn
app.register_blueprint(vpn.blueprint)

View file

@ -11,7 +11,7 @@ class User(flask_login.UserMixin):
self.dn = dn
self.username = username
self.data = data
self.groups = data.get('memberOf', [])
self.groups = set(data.get('memberOf', ()))
try:
self.is_admin = db.load('settings').get('ldap_admin') in self.groups
except:

88
web/rules.py Normal file
View file

@ -0,0 +1,88 @@
import flask
import flask_login
from . import db
from . import system
blueprint = flask.Blueprint('rules', __name__, url_prefix='/rules')
@blueprint.route('/', methods=('GET', 'POST'))
@flask_login.login_required
def index():
try:
if not flask_login.current_user.is_admin:
return flask.Response('forbidden', status=403, mimetype='text/plain')
if flask.request.method == 'POST':
with db.locked():
rules = db.read('rules')
form = flask.request.form
oldrules = {rule['name']: rule for rule in rules}
rules = []
for index, name in sorted(
zip(form.getlist('index'), form.getlist('name')), key=lambda e: int(e[0] or 0)):
if index and name:
rules.append(oldrules.get(name, {'name': name}))
db.write('rules', rules)
system.run(system.save_config)
return flask.render_template('rules/index.html', rules=db.load('rules'))
except Exception as e:
return flask.Response(f'something went catastrophically wrong: {e}',
status=400, mimetype='text/plain')
@blueprint.route('/edit/<int:index>', methods=('GET', 'POST'))
@flask_login.login_required
def edit(index):
try:
if not flask_login.current_user.is_admin:
return flask.Response('forbidden', status=403, mimetype='text/plain')
if flask.request.method == 'POST':
with db.locked():
form = flask.request.form
rules = db.read('rules')
rules[index]['name'] = form.get('name')
rules[index]['text'] = form.get('text')
rules[index]['managers'] = [m for m in form.getlist('manager') if m]
db.write('rules', rules)
system.run(system.save_config)
return flask.render_template('rules/edit.html', index=index, rule=db.load('rules')[index])
except IndexError as e:
return flask.Response(f'invalid rule: {index}', status=400, mimetype='text/plain')
except Exception as e:
return flask.Response(f'something went catastrophically wrong: {e}',
status=400, mimetype='text/plain')
def can_toggle(user, rule):
return user.is_admin or not user.groups.isdisjoint(rule.get('managers', ()))
@blueprint.route('/manage')
@flask_login.login_required
def manage():
try:
rules = [rule|{'index': index} for index, rule in enumerate(db.load('rules'))
if can_toggle(flask_login.current_user, rule)]
return flask.render_template('rules/manage.html', rules=rules)
except Exception as e:
return flask.Response(f'something went catastrophically wrong: {e}',
status=400, mimetype='text/plain')
@blueprint.route('/toggle/<int:index>/<enable>')
@flask_login.login_required
def toggle(index, enable):
try:
with db.locked():
rules = db.read('rules')
if not can_toggle(flask_login.current_user, rules[index]):
return flask.Response('forbidden', status=403, mimetype='text/plain')
rules[index]['enabled'] = (enable == 'true')
db.write('rules', rules)
system.run(system.save_config)
return flask.redirect(flask.url_for('rules.manage'))
except IndexError as e:
return flask.Response(f'invalid rule: {index}', status=400, mimetype='text/plain')
except Exception as e:
return flask.Response(f'something went catastrophically wrong: {e}',
status=400, mimetype='text/plain')

View file

@ -117,8 +117,12 @@ map {name} {{
# Print forwarding rules.
with open(f'{output}/etc/nftables.d/forward.nft', 'w', encoding='utf-8') as f:
for forward in db.read('forwards'):
print(forward, file=f)
for index, rule in enumerate(db.read('rules')):
if rule.get('enabled') and rule.get('text'):
if 'name' in rule:
print(f'# {index}. {rule["name"]}', file=f)
print(rule['text'], file=f)
print(file=f)
# Print wireguard config.
with open(f'{output}/etc/wireguard/wg.conf', 'w', encoding='utf-8') as f:

View file

@ -8,7 +8,7 @@
<dd>nastavitve aplikacije FRIwall
<dt><a href="{{ url_for('config.edit', name='networks') }}">Omrežja</a>
<dd>definicije obsegov IP
<dt><a href="{{ url_for('config.edit', name='forwards') }}">Luknje</a>
<dt><a href="{{ url_for('rules.index') }}">Urejanje pravil</a>
<dd>pravila za posredovanje prometa
<dt><a href="{{ url_for('config.edit', name='nat') }}">NAT</a>
<dd>javni naslovi za pisarniška omrežja
@ -22,6 +22,8 @@
<section>
<dt><a href="{{ url_for('vpn.index') }}">VPN</a>
<dd>urejanje ključev za WireGuard VPN
<dt><a href="{{ url_for('rules.manage') }}">Pravila</a>
<dd>vklop / izklop pravil za požarni zid
</dl>
</section>
{% endblock %}

View file

@ -0,0 +1,25 @@
{% extends 'base.html' %}
{% block content %}
<p>
Urejate pravilo #{{ index }}.
<form id="request" method="POST">
<p>
<label for="name">Ime</label><br>
<input name="name" value="{{ rule.name }}" />
<p>
Uporabniki, ki lahko o(ne)mogočijo pravilo<br>
{% for manager in rule.managers %}
<input name="manager" type="text" style="width: 50%" value="{{ manager }}" /><br>
{% endfor %}
<input name="manager" type="text" style="width: 50%" value="" />
<p>
<label for="text">Pravila nftables</label>
<textarea id="text" name="text" style="width: 100%; height: 20em;">{{ rule.text }}</textarea>
<p><button id="submit" type="submit">Shrani</button>
</form>
{% endblock %}

View file

@ -0,0 +1,23 @@
{% extends 'base.html' %}
{% block content %}
<p>
Urejate prioritete pravil za požarni zid. Pravilo odstranite tako, da izbrišete pripadajočo številko. V zadnji vrstici lahko dodate novo pravilo.
<form id="request" method="POST">
<table>
<tbody>
{% for rule in rules %}
<tr>
<td><input name="index" type="number" min="0" size="2" value="{{ loop.index * 10 }}" />
<td><input type="hidden" name="name" value="{{ rule.name }}" />
<a href="{{ url_for('rules.edit', index=loop.index0) }}">{{ rule.name }}</a>
{% endfor %}
<tr>
<td><input name="index" type="number" min="0" size="2" />
<td><input name="name" type="text" size="40" />
</table>
<p><button id="submit" type="submit">Shrani</button>
</form>
{% endblock %}

View file

@ -0,0 +1,20 @@
{% extends 'base.html' %}
{% block content %}
<p>
Tu lahko vklopite in izklopite posamezna pravila za požarni zid.
<dl>
{% for rule in rules %}
<dt>
{% if rule.enabled %}
<font color="green"></font> {{ rule.name }} <a href="{{ url_for('rules.toggle', index=rule.index, enable='false') }}">onemogoči</a>
{% else %}
<font color="red"></font> {{ rule.name }} <a href="{{ url_for('rules.toggle', index=rule.index, enable='true') }}">omogoči</a>
{% endif %}
<dd>
<pre><code>{{ rule.text }}</code></pre>
{% endfor %}
</dl>
{% endblock %}