Skip to content

Commit

Permalink
[openwrt] Add more parameters to firewall defaults schema
Browse files Browse the repository at this point in the history
Signed-off-by: Jonathan G. Underwood <[email protected]>
  • Loading branch information
jonathanunderwood committed Feb 9, 2021
1 parent 657f03b commit 312e575
Show file tree
Hide file tree
Showing 3 changed files with 177 additions and 3 deletions.
18 changes: 17 additions & 1 deletion netjsonconfig/backends/openwrt/converters/firewall.py
Original file line number Diff line number Diff line change
Expand Up @@ -177,9 +177,25 @@ def to_netjson_loop(self, block, result, index):
return self.type_cast(result)

def __netjson_defaults(self, defaults):
for param in ["synflood_protect"]:
for param in [
"drop_invalid",
"synflood_protect",
"tcp_syncookies",
"tcp_ecn",
"tcp_window_scaling",
"accept_redirects",
"accept_source_route",
"custom_chains",
"disable_ipv6",
"flow_offloading",
"flow_offloading_hw",
"auto_helper",
]:
if param in defaults:
defaults[param] = self.__netjson_generic_boolean(defaults[param])
for param in ["synflood_limit", "synflood_burst"]:
if param in defaults:
defaults[param] = int(defaults[param])
return self.type_cast(defaults)

def __netjson_rule(self, rule):
Expand Down
110 changes: 108 additions & 2 deletions netjsonconfig/backends/openwrt/schema.py
Original file line number Diff line number Diff line change
Expand Up @@ -1058,13 +1058,120 @@
},
]
},
"drop_invalid": {
"type": "boolean",
"title": "Drop invalid packets.",
"description": "If True then any invalid packets will be dropped.",
"default": False,
"format": "checkbox",
"propertyOrder": 4,
},
"synflood_protect": {
"type": "boolean",
"title": "Enable SYN flood protection.",
"description": "Enables SYN flood protection.",
"default": False,
"format": "checkbox",
"propertyOrder": 4,
"propertyOrder": 5,
},
"synflood_rate": {
"type": "integer",
"title": "Rate limit (packets/second) for SYN packets above which the traffic is considered a flood.",
"description": "Number of packets/second for SYN packets above which the traffic is considered a "
"flood.",
"default": 25,
"propertyOrder": 6,
},
"synflood_burst": {
"type": "integer",
"title": "Burst limit (packets/second) for SYN packets above which the traffic is considered a "
"flood.",
"description": "Set burst limit for SYN packets above which the traffic is considered a flood if it "
"exceeds the allowed rate.",
"default": 50,
"propertyOrder": 7,
},
"tcp_syncookies": {
"type": "boolean",
"title": "Enable the use of TCP SYN cookies.",
"description": "If True, enables the use of SYN cookies.",
"default": True,
"format": "checkbox",
"propertyOrder": 8,
},
"tcp_ecn": {
"type": "boolean",
"title": "Enable Explicit Congestion Notification.",
"description": "If True, enables Explicit Congestion Notification.",
"default": False,
"format": "checkbox",
"propertyOrder": 9,
},
"tcp_window_scaling": {
"type": "boolean",
"title": "Enable TCP window scaling.",
"description": "If True, enables TCP window scaling.",
"default": True,
"format": "checkbox",
"propertyOrder": 10,
},
"accept_redirects": {
"type": "boolean",
"title": "Accept redirects.",
"description": "If True, accept redirects.",
"default": False,
"format": "checkbox",
"propertyOrder": 11,
},
"accept_source_route": {
"type": "boolean",
"title": "Accept source routes.",
"description": "If True, accept source routes.",
"default": False,
"format": "checkbox",
"propertyOrder": 12,
},
"custom_chains": {
"type": "boolean",
"title": "Enable generation of custom rule chain hooks for user generated rules.",
"description": "If True, enable generation of custom rule chain hooks for user generated rules. "
"User rules would be typically stored in firewall.user but some packages e.g. BCP38 also make use "
"of these hooks.",
"default": True,
"format": "checkbox",
"propertyOrder": 13,
},
"disable_ipv6": {
"type": "boolean",
"title": "Disable IPv6 firewall rules.",
"description": "If True, disable IPv6 firewall rules.",
"default": False,
"format": "checkbox",
"propertyOrder": 14,
},
"flow_offlocaing": {
"type": "boolean",
"title": "Enable software flow offloading for connections.",
"description": "If True, enable software flow offloading for connections.",
"default": False,
"format": "checkbox",
"propertyOrder": 15,
},
"flow_offlocaing_hw": {
"type": "boolean",
"title": "Enable hardware flow offloading for connections.",
"description": "If True, enable hardware flow offloading for connections.",
"default": False,
"format": "checkbox",
"propertyOrder": 16,
},
"auto_helper": {
"type": "boolean",
"title": "Enable Conntrack helpers ",
"description": "If True, enable Conntrack helpers ",
"default": True,
"format": "checkbox",
"propertyOrder": 17,
},
}

Expand All @@ -1075,7 +1182,6 @@
"description": "Defaults for the fireall",
"propertyOrder": 4,
"properties": firewall_defaults,
"required": ["input", "output", "forward", "synflood_protect"],
},
"forwardings": {
"type": "array",
Expand Down
52 changes: 52 additions & 0 deletions tests/openwrt/test_firewall.py
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,58 @@ def test_parse_defaults_1(self):
o = OpenWrt(native=self._defaults_1_uci)
self.assertEqual(o.config, self._defaults_1_netjson)

_defaults_2_netjson = {
"firewall": {
"defaults": {
"input": "ACCEPT",
"output": "ACCEPT",
"forward": "REJECT",
"custom_chains": True,
"drop_invalid": True,
"synflood_protect": True,
"synflood_burst": 50,
"tcp_ecn": True,
"tcp_syncookies": True,
"tcp_window_scaling": True,
"disable_ipv6": False,
"flow_offloading": False,
"flow_offloading_hw": False,
"auto_helper": True,
}
}
}

_defaults_2_uci = textwrap.dedent(
"""\
package firewall
config defaults 'defaults'
option input 'ACCEPT'
option output 'ACCEPT'
option forward 'REJECT'
option custom_chains '1'
option drop_invalid '1'
option synflood_protect '1'
option synflood_burst '50'
option tcp_ecn '1'
option tcp_syncookies '1'
option tcp_window_scaling '1'
option disable_ipv6 '0'
option flow_offloading '0'
option flow_offloading_hw '0'
option auto_helper '1'
"""
)

def test_render_defaults_2(self):
o = OpenWrt(self._defaults_2_netjson)
expected = self._tabs(self._defaults_2_uci)
self.assertEqual(o.render(), expected)

def test_parse_defaults_2(self):
o = OpenWrt(native=self._defaults_2_uci)
self.assertEqual(o.config, self._defaults_2_netjson)

_rule_1_netjson = {
"firewall": {
"rules": [
Expand Down

0 comments on commit 312e575

Please sign in to comment.