speatzle/nfsense
1
0
Fork 0
mirror of https://github.com/speatzle/nfsense.git synced 2025-05-10 18:38:22 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Implement Service Based nftables Match Generator

Browse source
This commit is contained in:
Samuel Lorch 2023-03-02 00:10:38 +01:00
parent b70a2688b5
commit 82f90aabb8
7 changed files with 76 additions and 15 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
pkg/definitions/match.go
View file

@ -1,12 +1,6 @@
package definitions package definitions
import "fmt"
type Match struct { type Match struct {
TCPDestinationPort uint64 `json:"tcp_destination_port,omitempty"` TCPDestinationPort uint64 `json:"tcp_destination_port,omitempty"`
Service []string `json:"service,omitempty"` Services []string `json:"services,omitempty"`
}
func (m Match) Nftables() string {
return fmt.Sprintf("tcp dport %d", m.TCPDestinationPort)
} }

65
pkg/nftables/match.go Normal file
View file

@ -0,0 +1,65 @@
package nftables
import (
"fmt"
"github.con/speatzle/nfsense/pkg/definitions"
"github.con/speatzle/nfsense/pkg/util"
)
func GenerateMatcher(services *map[string]definitions.Service, addresses *map[string]definitions.Address, match definitions.Match) (string, error) {
return GenerateServiceMatcher(services, match), nil
}
func GenerateServiceMatcher(allServices *map[string]definitions.Service, match definitions.Match) string {
serviceList := util.ResolveBaseServices(*allServices, match.Services)
tcpSPorts := []string{}
tcpDPorts := []string{}
udpSPorts := []string{}
udpDPorts := []string{}
icmpCodes := []string{}
for _, service := range serviceList {
switch service.Type {
case definitions.TCP:
if service.GetSPort() != "0" {
tcpSPorts = append(tcpSPorts, service.GetSPort())
}
if service.GetDPort() != "0" {
tcpDPorts = append(tcpDPorts, service.GetDPort())
}
case definitions.UDP:
if service.GetSPort() != "0" {
udpSPorts = append(udpSPorts, service.GetSPort())
}
if service.GetDPort() != "0" {
udpDPorts = append(udpDPorts, service.GetDPort())
}
case definitions.ICMP:
icmpCodes = append(icmpCodes, fmt.Sprint(service.ICMPCode))
default:
panic("invalid service type")
}
}
res := ""
if len(tcpSPorts) != 0 {
res += "tcp sport " + util.ConvertSliceToSetString(tcpSPorts) + " "
}
if len(tcpDPorts) != 0 {
res += "tcp dport " + util.ConvertSliceToSetString(tcpDPorts) + " "
}
if len(udpSPorts) != 0 {
res += "udp sport " + util.ConvertSliceToSetString(udpSPorts) + " "
}
if len(udpDPorts) != 0 {
res += "udp dport " + util.ConvertSliceToSetString(udpDPorts) + " "
}
if len(icmpCodes) != 0 {
res += "icmp codes " + util.ConvertSliceToSetString(icmpCodes) + " "
}
return res
}

8
pkg/nftables/template.go
View file

@ -10,8 +10,14 @@ var templateFS embed.FS
var templates *template.Template var templates *template.Template
func init() { func init() {
funcMap := template.FuncMap{
// The name "title" is what the function will be called in the template text.
"matcher": GenerateMatcher,
}
var err error var err error
templates, err = template.ParseFS(templateFS, "template/*.tmpl") templates, err = template.New("").Funcs(funcMap).ParseFS(templateFS, "template/*.tmpl")
if err != nil { if err != nil {
panic(err) panic(err)
} }

2
pkg/nftables/template/destination_nat_rules.tmpl
View file

@ -1,2 +1,2 @@
{{ range $rule := .Netfilter.DestinationNATRules }} {{ range $rule := .Netfilter.DestinationNATRules }}
{{ .Match.Nftables }}{{ if $rule.Counter }} counter{{ end }}{{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}"{{ end }}{{ end }} {{ matcher .Services .Addresses $rule.Match }}{{ if $rule.Counter }} counter{{ end }}{{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}"{{ end }}{{ end }}

2
pkg/nftables/template/forward_rules.tmpl
View file

@ -1,2 +1,2 @@
{{range $rule := .Netfilter.ForwardRules}} {{range $rule := .Netfilter.ForwardRules}}
{{ .Match.Nftables }}{{ if $rule.Counter }} counter{{ end }} {{ $rule.Verdict.String }}{{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}"{{ end }}{{ end }} {{ matcher .Services .Addresses $rule.Match }}{{ if $rule.Counter }} counter{{ end }} {{ $rule.Verdict.String }}{{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}"{{ end }}{{ end }}

4
pkg/nftables/template/nftables.tmpl
View file

@ -17,7 +17,6 @@ table inet nfsense_inet {
# allow loopback traffic # allow loopback traffic
iifname lo accept iifname lo accept
{{template "inbound_rules.tmpl" .}} {{template "inbound_rules.tmpl" .}}
} }
@ -27,21 +26,18 @@ table inet nfsense_inet {
# Allow traffic from established and related packets, drop invalid # Allow traffic from established and related packets, drop invalid
ct state vmap { established : accept, related : accept, invalid : drop } ct state vmap { established : accept, related : accept, invalid : drop }
{{template "forward_rules.tmpl" .}} {{template "forward_rules.tmpl" .}}
} }
# Destination NAT Rules # Destination NAT Rules
chain prerouting { chain prerouting {
type nat hook prerouting priority -100; policy accept; type nat hook prerouting priority -100; policy accept;
{{template "destination_nat_rules.tmpl" .}} {{template "destination_nat_rules.tmpl" .}}
} }
# Source NAT Rules # Source NAT Rules
chain postrouting { chain postrouting {
type nat hook postrouting priority 100; policy accept; type nat hook postrouting priority 100; policy accept;
{{template "source_nat_rules.tmpl" .}} {{template "source_nat_rules.tmpl" .}}
} }
} }

2
pkg/nftables/template/source_nat_rules.tmpl
View file

@ -1,2 +1,2 @@
{{ range $rule := .Netfilter.SourceNATRules }} {{ range $rule := .Netfilter.SourceNATRules }}
{{ .Match.Nftables }}{{ if $rule.Counter }} counter{{ end }}{{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}"{{ end }}{{ end }} {{ matcher .Services .Addresses $rule.Match }}{{ if $rule.Counter }} counter{{ end }}{{ if ne $rule.Comment "" }} comment "{{ $rule.Comment }}"{{ end }}{{ end }}