firewall.py complete revamp

YunoHost · Dec 9, 2024 · e3fc473 · e3fc473
1 parent b063f50
commit e3fc473
Show file tree

Hide file tree

Showing 6 changed files with 453 additions and 493 deletions.
diff --git a/conf/yunohost/firewall.yml b/conf/yunohost/firewall.yml
@@ -1,12 +1,49 @@
-uPnP:
-    enabled: false
-    TCP: [22, 25, 80, 443, 587, 993, 5222, 5269]
-    UDP: []
-    TCP_TO_CLOSE: []
-    UDP_TO_CLOSE: []
-ipv4:
-    TCP: [22, 25, 53, 80, 443, 587, 993, 5222, 5269]
-    UDP: [53, 5353]
-ipv6:
-    TCP: [22, 25, 53, 80, 443, 587, 993, 5222, 5269]
-    UDP: [53, 5353]
+router_forwarding_upnp: false
+
+tcp:
+    22:
+        open: true
+        upnp: true
+        comment: Default SSH port
+    25:
+        open: true
+        upnp: true
+        comment: SMTP email server
+    80:
+        open: true
+        upnp: true
+        comment: HTTP server
+    443:
+        open: true
+        upnp: true
+        comment: HTTPS server
+    587:
+        open: true
+        upnp: true
+        comment: SMTP MSA email server
+    993:
+        open: true
+        upnp: true
+        comment: IMAP email server
+    5222:
+        open: true
+        upnp: true
+        comment: XMPP server
+    5269:
+        open: true
+        upnp: true
+        comment: XMPP server-to-server
+
+udp:
+    53:
+        open: true
+        upnp: false
+        comment: DNS server
+    1900:
+        open: true
+        upnp: false
+        comment: UPnP services
+    5353:
+        open: true
+        upnp: false
+        comment: mDNS
diff --git a/share/actionsmap.yml b/share/actionsmap.yml
@@ -1396,79 +1396,87 @@ firewall:
                     full: --raw
                     help: Return the complete YAML dict
                     action: store_true
-                -i:
-                    full: --by-ip-version
-                    help: List rules by IP version
-                    action: store_true
+                protocol:
+                    help: "If not raw, protocol type to list (tcp/udp)"
+                    choices:
+                        - tcp
+                        - udp
                 -f:
-                    full: --list-forwarded
-                    help: List forwarded ports with UPnP
+                    full: --forwarded
+                    help: If not raw, list UPnP forwarded ports instead of open ports
                     action: store_true
 
-        ### firewall_allow()
-        allow:
+        ### firewall_open()
+        open:
             action_help: Allow connections on a port
-            api: PUT /firewall/<protocol>/allow/<port>
+            api: PUT /firewall/<protocol>/open/<port>
             arguments:
                 protocol:
-                    help: "Protocol type to allow (TCP/UDP/Both)"
+                    help: "Protocol type (tcp/udp/both)"
                     choices:
-                        - TCP
-                        - UDP
-                        - Both
-                    default: TCP
+                        - tcp
+                        - udp
+                        - both
+                    default: tcp
                 port:
                     help: Port or range of ports to open
                     extra:
                         pattern: &pattern_port_or_range
                             - !!str ((^|(?!\A):)([0-9]{1,4}|[1-5][0-9]{4}|6[0-4][0-9]{3}|65[0-4][0-9]{2}|655[0-2][0-9]|6553[0-5])){1,2}?$
                             - "pattern_port_or_range"
-                -4:
-                    full: --ipv4-only
-                    help: Only add a rule for IPv4 connections
-                    action: store_true
-                -6:
-                    full: --ipv6-only
-                    help: Only add a rule for IPv6 connections
-                    action: store_true
-                --no-upnp:
-                    help: Do not add forwarding of this port with UPnP
+                comment:
+                    help: A reason for the port to be open (like the app's name)
+                    default: ""
+                --upnp:
+                    help: Add forwarding of this port with UPnP
                     action: store_true
                 --no-reload:
                     help: Do not reload firewall rules
                     action: store_true
 
-        ### firewall_disallow()
-        disallow:
+        ### firewall_close()
+        close:
             action_help: Disallow connections on a port
-            api: PUT /firewall/<protocol>/disallow/<port>
+            api: PUT /firewall/<protocol>/close/<port>
             arguments:
                 protocol:
-                    help: "Protocol type to allow (TCP/UDP/Both)"
+                    help: "Protocol type (tcp/udp/both)"
                     choices:
-                        - TCP
-                        - UDP
-                        - Both
-                    default: TCP
+                        - tcp
+                        - udp
+                        - both
+                    default: tcp
                 port:
                     help: Port or range of ports to close
                     extra:
                         pattern: *pattern_port_or_range
-                -4:
-                    full: --ipv4-only
-                    help: Only remove the rule for IPv4 connections
-                    action: store_true
-                -6:
-                    full: --ipv6-only
-                    help: Only remove the rule for IPv6 connections
-                    action: store_true
                 --upnp-only:
                     help: Only remove forwarding of this port with UPnP
                     action: store_true
                 --no-reload:
                     help: Do not reload firewall rules
                     action: store_true
 
+        ### firewall_delete()
+        delete:
+            action_help: Unregister a port from YunoHost
+            api: PUT /firewall/<protocol>/delete/<port>
+            arguments:
+                protocol:
+                    help: "Protocol type (tcp/udp/both)"
+                    choices:
+                        - tcp
+                        - udp
+                        - both
+                    default: tcp
+                port:
+                    help: Port or range of ports to delete
+                    extra:
+                        pattern: *pattern_port_or_range
+                --no-reload:
+                    help: Do not reload firewall rules
+                    action: store_true
+
         ### firewall_upnp()
         upnp:
             action_help: Manage port forwarding using UPnP
@@ -1479,7 +1487,6 @@ firewall:
                         - enable
                         - disable
                         - status
-                        - reload
                     nargs: "?"
                     default: status
                 --no-refresh: