| 123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989 |
- from django.shortcuts import render
- from django.http import HttpResponse
- from django.template import loader
- from django.shortcuts import redirect
- from django.conf import settings
- from django.urls import reverse
- from django.http import QueryDict
- import vyos
- import vycontrol_vyos_api_lib as vapilib
- import vycontrol_vyos_api as vapi
- import vycontrol_messages as vmsg
- from performance import timer
- from perms import is_authenticated
- import perms
- import network
- import json
- import pprint
- import types
- from filters.vycontrol_filters import get_item
- from filters.vycontrol_filters import get_item_port
- from filters.vycontrol_filters import get_item_network
- @is_authenticated
- def index(request):
- #interfaces = vyos.get_interfaces()
- all_instances = vyos.instance_getall_by_group(request)
- hostname_default = vyos.get_hostname_prefered(request)
- firewall2 = vapilib.api(
- hostname = hostname_default,
- api = 'get',
- op = 'showConfig',
- cmd = {"op": "showConfig", "path": ["firewall"]},
- description = "get all firewall",
- )
- is_superuser = perms.get_is_superuser(request.user)
- firewall_all = vyos.get_firewall_all(hostname_default)
- if firewall_all == False:
- return redirect('firewall:firewall-create')
- for xitem in firewall_all['name']:
- if 'default-action' in firewall_all['name'][xitem]:
- firewall_all['name'][xitem]['default_action'] = firewall_all['name'][xitem]['default-action']
- del firewall_all['name'][xitem]['default-action']
- template = loader.get_template('firewall/list.html')
- context = {
- #'interfaces': interfaces,
- 'instances': all_instances,
- 'hostname_default': hostname_default,
- 'firewall_all': firewall_all,
- 'username': request.user,
- 'is_superuser' : is_superuser,
- }
- return HttpResponse(template.render(context, request))
- @is_authenticated
- def create(request):
-
- #interfaces = vyos.get_interfaces()
- all_instances = vyos.instance_getall()
- hostname_default = vyos.get_hostname_prefered(request)
- is_superuser = perms.get_is_superuser(request.user)
- if 'name' in request.POST:
- cmd = {"op": "set", "path": ["firewall", "name", request.POST['name']]}
- result1 = vyos.set_config(hostname_default, cmd)
- print(result1)
- if 'description' in request.POST:
- cmd = {"op": "set", "path": ["firewall", "name", request.POST['name'], "description", request.POST['description']]}
- result2 = vyos.set_config(hostname_default, cmd)
- print(result2)
- if 'action' in request.POST:
- cmd = {"op": "set", "path": ["firewall", "name", request.POST['name'], "default-action", request.POST['action']]}
- result3 = vyos.set_config(hostname_default, cmd)
- print(result3)
- return redirect('firewall:firewall-list')
- template = loader.get_template('firewall/create.html')
- context = {
- #'interfaces': interfaces,
- 'instances': all_instances,
- 'hostname_default': hostname_default,
- 'username': request.user,
- 'is_superuser' : is_superuser,
- }
- return HttpResponse(template.render(context, request))
- @is_authenticated
- def firewall_removerule(request, firewall_name, firewall_rulenumber):
- all_instances = vyos.instance_getall()
- hostname_default = vyos.get_hostname_prefered(request)
- firewall = vyos.get_firewall(hostname_default, firewall_name)
- firewall_rule = vyos.get_firewall_rule(hostname_default, firewall_name, firewall_rulenumber)
- if firewall_rule and firewall:
- vyos.delete_route_rule(hostname_default, firewall_name, firewall_rulenumber)
- return redirect('firewall:show', firewall_name)
- def changerule(request, firewall_name, mode, rulenumber=None):
- msg = vmsg.msg()
- #interfaces = vyos.get_interfaces()
- all_instances = vyos.instance_getall()
- hostname_default = vyos.get_hostname_prefered(request)
- is_superuser = perms.get_is_superuser(request.user)
- # get all firewall groups
- firewall_group = {}
- changed = False
- rulenumber_valid = False
- ruledata = {}
- # netservices /etc/services parser
- netservices = network.get_services()
- # firewall groups
- firewall_group['network-group'] = {}
- firewall_group['address-group'] = {}
- firewall_group['port-group'] = {}
- firewall_group_raw = vapi.get_firewall_group(hostname_default)
- if firewall_group_raw.success:
- if 'network-group' in firewall_group_raw.data:
- firewall_group['network-group'] = firewall_group_raw.data['network-group']
- if 'address-group' in firewall_group_raw.data:
- firewall_group['address-group'] = firewall_group_raw.data['address-group']
- if 'port-group' in firewall_group_raw.data:
- firewall_group['port-group'] = firewall_group_raw.data['port-group']
-
- # edit rule without valid rulenumber
- if mode == "editrule":
- if rulenumber == None:
- msg.add_error("Rule number empty")
- else:
- v = vapi.get_firewall_rulenumber(hostname_default, firewall_name, rulenumber)
- if v.success:
- ruledata = v.data
- # if rule exists control variables are true
- rulenumber_valid = True
- else:
- msg.add_error("There is no rule number inside firewall")
- # mode add rule
- elif mode == "addrule":
- if request.POST.get('rulenumber', None) == None:
- #msg.add_error("Rule number empty")
- # before fill form rule number is empty
- pass
- else:
- rulenumber = request.POST.get('rulenumber')
- if int(rulenumber) >= 1 and int(rulenumber) <= 9999:
- rulenumber_valid = True
- rulenumber = request.POST.get('rulenumber')
- else:
- rulenumber_valid = False
- msg.add_error("Rule number must be between 1 and 9999")
- ###############################################################################################################################################################
- # update rule action
- if rulenumber_valid and request.POST.get('ruleaction', None) != None:
- if request.POST.get('ruleaction') in ["accept", "drop", "reject"]:
- if mode == "editrule" and ruledata['action'] and request.POST.get('ruleaction') == ruledata['action']:
- msg.add_debug("Action: not changed")
- else:
- v = vapi.set_firewall_rule_action(hostname_default, firewall_name, rulenumber, request.POST.get('ruleaction'))
- if v.success == False:
- msg.add_error("Action: fail to change - " + v.reason)
- else:
- # updating ruledata
- ruledata['action'] = request.POST.get('ruleaction')
- changed = True
- msg.add_success("Action: updated")
- else:
- msg.add_error("Action invalid")
- ###############################################################################################################################################################
- # update rule status
- if rulenumber_valid and request.POST.get('status', None) != None:
- if mode == "editrule":
- if request.POST.get('status') == "enable" and "disable" not in ruledata:
- msg.add_debug("Status: not changed")
- elif request.POST.get('status') == "disable" and "disable" in ruledata:
- msg.add_debug("Status: not changed")
- elif request.POST.get('status') == "disable" and "disable" not in ruledata:
- v = vapi.set_firewall_rule_disabled(hostname_default, firewall_name, rulenumber)
- if v.success == False:
- msg.add_error("Status: failed to disable - " + v.reason)
- else:
- # updating ruledata
- ruledata['disable'] = {}
- ruledata['status'] = 'disabled'
- changed = True
- msg.add_success("Status disabled")
- elif request.POST.get('status') == "enable" and "disable" in ruledata:
- v = vapi.set_firewall_rule_enabled(hostname_default, firewall_name, rulenumber)
- if v.success == False:
- msg.add_error("Status: failed to enable - " + v.reason)
- else:
- # updating ruledata
- del ruledata['disable']
- ruledata['status'] = 'enabled'
- changed = True
- msg.add_success("Status: enabled")
- elif mode == "addrule":
- if request.POST.get('status') == "disable":
- v = vapi.set_firewall_rule_disabled(hostname_default, firewall_name, rulenumber)
- if v.success == False:
- msg.add_error("Status: failed to disable - " + v.reason)
- else:
- # updating ruledata
- ruledata['disable'] = {}
- ruledata['status'] = 'disabled'
- changed = True
- msg.add_info("Status: disabled")
- else:
- # nothing to do if status = enable
- pass
- ###############################################################################################################################################################
- # update description
- if rulenumber_valid == True and request.POST.get('description', None) != None:
- if 'description' in ruledata and request.POST.get('description') == ruledata['description']:
- msg.add_debug("Description: not changed")
- else:
- v = vapi.set_firewall_rule_description(hostname_default, firewall_name, rulenumber, request.POST.get('description'))
- if v.success == False:
- msg.add_error("Description: failed to update")
- else:
- # updating ruledata
- ruledata['description'] = request.POST.get('description')
- changed = True
- msg.add_success("Description: updated")
- ###############################################################################################################################################################
- # update criteria_protocol
- if rulenumber_valid == True and request.POST.get('criteria_protocol', None) == "1":
- protocol_criteria = None
- protocol_criteria_delete = False
- # other protocol - todo validate data
- if request.POST.get('protocol_criteria', None) == "other":
- if request.POST.get('protocol_custom', None) != None:
- protocol_criteria = request.POST.get('protocol_custom')
- # delete protocol
- elif request.POST.get('protocol_criteria', None) == "none":
- protocol_criteria_delete = True
- if 'protocol' in ruledata:
- v = vapi.set_firewall_rule_protocol_delete(hostname_default, firewall_name, rulenumber)
- if v.success == False:
- msg.add_error("Criteria Protocol: failed to unset - " + v.reason)
- else:
- del ruledata['protocol']
- changed = True
- msg.add_success("Criteria Protocol: unset")
- else:
- msg.add_debug("Criteria Protocol: not changed unset not needed")
- # common protocols
- elif request.POST.get('protocol_criteria', None) in ['all', 'tcp', 'udp', 'tcp_udp', 'icmp']:
- protocol_criteria = request.POST.get('protocol_criteria')
- # other cases did not checked anything
- if protocol_criteria != None:
- # negate protocol
- if request.POST.get('protocol_negate', None) == "1":
- protocol_negate = "!"
- else:
- protocol_negate = ""
- protocol_criteria_txt = protocol_negate + protocol_criteria
- if 'protocol' in ruledata and protocol_criteria_txt == ruledata['protocol']:
- msg.add_debug("Criteria Protocol: not changed")
- else:
- v = vapi.set_firewall_rule_protocol(hostname_default, firewall_name, rulenumber, protocol_criteria_txt)
- if v.success == False:
- msg.add_error("Criteria Protocol: failed to update - " + v.reason)
- else:
- # updating ruledata
- ruledata['protocol'] = protocol_criteria_txt
- changed = True
- msg.add_success("Criteria Protocol: updated")
- else:
- if protocol_criteria_delete != True:
- msg.add_error("Criteria Protocol: invalid protocol")
-
- ###############################################################################################################################################################
- # update criteria_port (True only to group if block on Visual Studio)
- if True:
- destinationport_json = request.POST.get('destinationport_json', None)
- sourceport_json = request.POST.get('sourceport_json', None)
- dport_form = []
- sport_form = []
- if destinationport_json != None:
- try:
- dport_form = json.loads(destinationport_json)
- except ValueError:
- pass
- if sourceport_json != None:
- try:
- sport_form = json.loads(sourceport_json)
- except ValueError:
- pass
-
- # remove ports unset
- dport_delete = []
- sport_delete = []
- if 'destination' in ruledata and 'port' in ruledata['destination']:
- dport_ruledata = ruledata['destination']['port'].split(",")
- else:
- dport_ruledata = []
- if 'source' in ruledata and 'port' in ruledata['source']:
- sport_ruledata = ruledata['source']['port'].split(",")
- else:
- sport_ruledata = []
- dport_changes = 0
- sport_changes = 0
- dport_delete_all = False
- sport_delete_all = False
- #msg.add_debug("Criteria Ports Destination: ports - " + pprint.pformat(dport_ruledata))
- #msg.add_debug("Criteria Ports Source: ports - " + pprint.pformat(sport_ruledata))
- # find ports to mark as removed
- if rulenumber_valid == True and request.POST.get('criteria_port', None) == "1":
- if len(sport_form) == 0:
- msg.add_debug("Criteria Ports Source: remove all ports")
- sport_ruledata = []
- sport_changes = sport_changes + 1
- sport_delete_all = True
- else:
- for port in sport_ruledata:
- if port not in sport_form:
- sport_ruledata.remove(port)
- sport_delete.append(port)
- sport_changes = sport_changes + 1
- for port in sport_form:
- if port not in sport_ruledata:
- sport_ruledata.append(port)
- sport_changes = sport_changes + 1
- if rulenumber_valid == True and request.POST.get('criteria_port', None) == "1":
- if len(dport_form) <= 0:
- msg.add_debug("Criteria Ports Destination: remove all ports")
- dport_ruledata = []
- dport_changes = dport_changes + 1
- dport_delete_all = True
- else:
- for port in dport_ruledata:
- if port not in dport_form:
- dport_ruledata.remove(port)
- dport_delete.append(port)
- dport_changes = dport_changes + 1
- for port in dport_form:
- if port not in dport_ruledata:
- dport_ruledata.append(port)
- dport_changes = dport_changes + 1
- if len(dport_delete) > 0:
- msg.add_debug("Criteria Ports Destination: remove ports - " + ",".join(dport_delete))
- if len(sport_delete) > 0:
- msg.add_debug("Criteria Ports Source: remove ports - " + ",".join(sport_delete))
- if rulenumber_valid == True and dport_changes > 0:
- if dport_delete_all == True:
- v = vapi.set_firewall_rule_destination_ports_delete(hostname_default, firewall_name, rulenumber)
- if v.success:
- changed = True
- msg.add_success("Criteria Ports Destination: updated delete all destination success")
- if 'destination' in ruledata and 'port' in ruledata['destination']:
- del ruledata['destination']['port']
- else:
- msg.add_error("Criteria Ports Destination: delete all failed - " + v.reason)
- else:
- msg.add_debug("Criteria Ports Destination: ports - " + ",".join(dport_ruledata))
- v = vapi.set_firewall_rule_destination_ports(hostname_default, firewall_name, rulenumber, dport_ruledata)
- if v.success:
- changed = True
- msg.add_success("Criteria Ports Destination: updated")
- ruledata['destination']['port'] = ','.join(dport_ruledata)
- else:
- msg.add_error("Criteria Ports Destination: failed - " + v.reason)
- if rulenumber_valid == True and sport_changes > 0:
- if sport_delete_all == True:
- v = vapi.set_firewall_rule_source_ports_delete(hostname_default, firewall_name, rulenumber)
- if v.success:
- changed = True
- msg.add_success("Criteria Ports Destination: updated delete all source success")
- if 'source' in ruledata and 'port' in ruledata['source']:
- del ruledata['source']['port']
- else:
- msg.add_error("Criteria Ports Destination: delete all failed - " + v.reason)
- else:
- msg.add_debug("Criteria Ports Source: ports - " + ",".join(sport_ruledata))
- v = vapi.set_firewall_rule_source_ports(hostname_default, firewall_name, rulenumber, sport_ruledata)
- if v.success:
- changed = True
- msg.add_success("Criteria Ports Source: updated")
- ruledata['source']['port'] = ','.join(sport_ruledata)
- else:
- msg.add_error("Criteria Ports Source: failed - " + v.reason)
-
- ###############################################################################################################################################################
- # update criteria_tcpflags
- if request.POST.get('criteria_tcpflags', None) == "1":
- tcpflags_form = []
-
- if request.POST.get('tcpflags_syn', None) == "1":
- tcpflags_form.append('SYN')
- if request.POST.get('tcpflags_isyn', None) == "1":
- tcpflags_form.append('!SYN')
-
- if request.POST.get('tcpflags_ack', None) == "1":
- tcpflags_form.append('ACK')
- if request.POST.get('tcpflags_iack', None) == "1":
- tcpflags_form.append('!ACK')
- if request.POST.get('tcpflags_fin', None) == "1":
- tcpflags_form.append('FIN')
- if request.POST.get('tcpflags_ifin', None) == "1":
- tcpflags_form.append('!FIN')
-
- if request.POST.get('tcpflags_rst', None) == "1":
- tcpflags_form.append('RST')
- if request.POST.get('tcpflags_irst', None) == "1":
- tcpflags_form.append('!RST')
- if request.POST.get('tcpflags_urg', None) == "1":
- tcpflags_form.append('URG')
- if request.POST.get('tcpflags_iurg', None) == "1":
- tcpflags_form.append('!URG')
- if request.POST.get('tcpflags_psh', None) == "1":
- tcpflags_form.append('PSH')
- if request.POST.get('tcpflags_ipsh', None) == "1":
- tcpflags_form.append('!PSH')
- if request.POST.get('tcpflags_all', None) == "1":
- tcpflags_form.append('ALL')
- if request.POST.get('tcpflags_iall', None) == "1":
- tcpflags_form.append('!ALL')
-
- # will need to empty tcpflags
- if 'tcp' in ruledata and 'flags' in ruledata['tcp']:
- tcpflags_rule = ruledata['tcp']['flags'].split(',')
- else:
- tcpflags_rule = []
- if len(tcpflags_form) == 0 and len(tcpflags_rule) > 0:
- v = vapi.set_firewall_rule_tcpflags_delete(hostname_default, firewall_name, rulenumber)
- if v.success:
- changed = True
- msg.add_success("Criteria TCP Ports: empty tcp flags success")
- if 'tcp' in ruledata:
- if 'flags' in ruledata['tcp']:
- del ruledata['tcp']['flags']
- else:
- msg.add_error("Criteria TCP Ports: empty tcp failed - " + v.reason)
- elif len(tcpflags_form) > 0:
- v = vapi.set_firewall_rule_tcpflags(hostname_default, firewall_name, rulenumber, tcpflags_form)
- if v.success:
- changed = True
- msg.add_success("Criteria TCP Ports: updated success")
- if 'tcp' not in ruledata:
- ruledata['tcp'] = {}
- ruledata['tcp']['flags'] = ",".join(tcpflags_form)
- else:
- msg.add_error("Criteria TCP Ports: updated failed - " + v.reason)
- ###############################################################################################################################################################
- # update criteria_address
- if request.POST.get('criteria_address', None) == "1":
- if request.POST.get('saddress', None) != None:
- saddress = request.POST.get('saddress')
- if len(saddress.strip()) == 0:
- v = vapi.set_firewall_rule_source_address_delete(hostname_default, firewall_name, rulenumber)
- if v.success:
- changed = True
- msg.add_success("Criteria Source Address: clean success")
- if 'source' in ruledata:
- if 'address' in ruledata['source']:
- del ruledata['source']['address']
- else:
- msg.add_error("Criteria Source Address: clean failed - " + v.reason)
- else:
- # negate saddress
- if request.POST.get('saddress_negate', None) == "1":
- saddress_negate = "!"
- else:
- saddress_negate = ""
-
- saddress_txt = saddress_negate + saddress
-
- v = vapi.set_firewall_rule_source_address(hostname_default, firewall_name, rulenumber, saddress_txt)
- if v.success:
- changed = True
- msg.add_success("Criteria Source Address: updated success")
- if 'source' not in ruledata:
- ruledata['source'] = {}
- ruledata['source']['address'] = saddress_txt
- else:
- msg.add_error("Criteria Source Address: updated failed - " + v.reason)
- if request.POST.get('daddress', None) != None:
- daddress = request.POST.get('daddress')
- if len(daddress.strip()) == 0:
- v = vapi.set_firewall_rule_destination_address_delete(hostname_default, firewall_name, rulenumber)
- if v.success:
- changed = True
- msg.add_success("Criteria Destination Address: clean success")
- if 'destination' in ruledata:
- if 'address' in ruledata['destination']:
- del ruledata['destination']['address']
- else:
- msg.add_error("Criteria Destination Address: clean failed - " + v.reason)
- else:
- # negate daddress_negate
- if request.POST.get('daddress_negate', None) == "1":
- daddress_negate = "!"
- else:
- daddress_negate = ""
- daddress_txt = daddress_negate + daddress
- v = vapi.set_firewall_rule_destination_address(hostname_default, firewall_name, rulenumber, daddress_txt)
- if v.success:
- changed = True
- msg.add_success("Criteria Destination Address: updated success")
- if 'destination' not in ruledata:
- ruledata['destination'] = {}
- ruledata['destination']['address'] = daddress
- else:
- msg.add_error("Criteria Destination Address: updated failed - " + v.reason)
- ###############################################################################################################################################################
- # update criteria_addressgroup
- if request.POST.get('criteria_addressgroup', None) == "1":
-
- # source address
- if request.POST.get('saddressgroup', None) != None:
- saddressgroup = request.POST.get('saddressgroup').strip()
- else:
- saddressgroup = ''
- saddressgroup_ruledata = ''
- if 'source' in ruledata:
- if 'group' in ruledata['source']:
- if 'address-group' in ruledata['source']['group']:
- saddressgroup_ruledata = ruledata['source']['group']['address-group']
- if len(saddressgroup) == 0:
- v = vapi.set_firewall_rule_source_addressgroup_delete(hostname_default, firewall_name, rulenumber)
- if v.success:
- changed = True
- msg.add_success("Criteria Source Address Group: delete success")
- if 'source' in ruledata:
- if 'group' in ruledata['source']:
- if 'address-group' in ruledata['source']['group']:
- del ruledata['source']['group']['address-group']
- else:
- msg.add_error("Criteria Source Address Group: delete failed - " + v.reason)
- elif saddressgroup != saddressgroup_ruledata:
- v = vapi.set_firewall_rule_source_addressgroup(hostname_default, firewall_name, rulenumber, saddressgroup)
- if v.success:
- changed = True
- msg.add_success("Criteria Source Address Group: updated success")
- if 'source' not in ruledata:
- ruledata['source'] = {}
- if 'group' not in ruledata['source']:
- ruledata['source']['group'] = {}
- ruledata['source']['group']['address-group'] = saddressgroup
- else:
- msg.add_error("Criteria Source Address Group: updated failed - " + v.reason)
- # destination address
- if request.POST.get('daddressgroup', None) != None:
- daddressgroup = request.POST.get('daddressgroup').strip()
- else:
- daddressgroup = ''
- daddressgroup_ruledata = ''
- if 'destination' in ruledata:
- if 'group' in ruledata['destination']:
- if 'address-group' in ruledata['destination']['group']:
- daddressgroup_ruledata = ruledata['destination']['group']['address-group']
- if len(daddressgroup) == 0:
- v = vapi.set_firewall_rule_destination_addressgroup_delete(hostname_default, firewall_name, rulenumber)
- if v.success:
- changed = True
- msg.add_success("Criteria Destination Address Group: delete success")
- if 'destination' in ruledata:
- if 'group' in ruledata['destination']:
- if 'address-group' in ruledata['destination']['group']:
- del ruledata['destination']['group']['address-group']
- else:
- msg.add_error("Criteria Destination Address Group: delete failed - " + v.reason)
- elif daddressgroup != daddressgroup_ruledata:
- v = vapi.set_firewall_rule_destination_addressgroup(hostname_default, firewall_name, rulenumber, daddressgroup)
- if v.success:
- changed = True
- msg.add_success("Criteria Destination Address Group: updated success")
- if 'destination' not in ruledata:
- ruledata['source'] = {}
- if 'group' not in ruledata['destination']:
- ruledata['destination']['group'] = {}
- ruledata['destination']['group']['address-group'] = daddressgroup
- else:
- msg.add_error("Criteria Destination Address Group: updated failed - " + v.reason)
- ###############################################################################################################################################################
- # update criteria_networkgroup
- if request.POST.get('criteria_networkgroup', None) == "1":
-
- # source group
- if request.POST.get('snetworkgroup', None) != None:
- snetworkgroup = request.POST.get('snetworkgroup').strip()
- else:
- snetworkgroup = ''
- snetworkgroup_ruledata = ''
- if 'source' in ruledata:
- if 'group' in ruledata['source']:
- if 'network-group' in ruledata['source']['group']:
- snetworkgroup_ruledata = ruledata['source']['group']['network-group']
- if len(snetworkgroup) == 0:
- v = vapi.set_firewall_rule_source_networkgroup_delete(hostname_default, firewall_name, rulenumber)
- if v.success:
- changed = True
- msg.add_success("Criteria Source Network Group: delete success")
- if 'source' in ruledata:
- if 'group' in ruledata['source']:
- if 'network-group' in ruledata['source']['group']:
- del ruledata['source']['group']['network-group']
- else:
- msg.add_error("Criteria Source Network Group: delete failed - " + v.reason)
- elif snetworkgroup != snetworkgroup_ruledata:
- v = vapi.set_firewall_rule_source_networkgroup(hostname_default, firewall_name, rulenumber, snetworkgroup)
- if v.success:
- changed = True
- msg.add_success("Criteria Source Network Group: updated success")
- if 'source' not in ruledata:
- ruledata['source'] = {}
- if 'group' not in ruledata['source']:
- ruledata['source']['group'] = {}
- ruledata['source']['group']['network-group'] = snetworkgroup
- else:
- msg.add_error("Criteria Source Network Group: updated failed - " + v.reason)
- # destination group
- if request.POST.get('dnetworkgroup', None) != None:
- dnetworkgroup = request.POST.get('dnetworkgroup').strip()
- else:
- dnetworkgroup = ''
- dnetworkgroup_ruledata = ''
- if 'destination' in ruledata:
- if 'group' in ruledata['destination']:
- if 'network-group' in ruledata['destination']['group']:
- dnetworkgroup_ruledata = ruledata['destination']['group']['network-group']
- if len(dnetworkgroup) == 0:
- v = vapi.set_firewall_rule_destination_networkgroup_delete(hostname_default, firewall_name, rulenumber)
- if v.success:
- changed = True
- msg.add_success("Criteria Destination Network Group: delete success")
- if 'destination' in ruledata:
- if 'group' in ruledata['destination']:
- if 'network-group' in ruledata['destination']['group']:
- del ruledata['destination']['group']['network-group']
- else:
- msg.add_error("Criteria Destination Network Group: delete failed - " + v.reason)
- elif dnetworkgroup != dnetworkgroup_ruledata:
- v = vapi.set_firewall_rule_destination_networkgroup(hostname_default, firewall_name, rulenumber, dnetworkgroup)
- if v.success:
- changed = True
- msg.add_success("Criteria Destination Network Group: updated success")
- if 'destination' not in ruledata:
- ruledata['source'] = {}
- if 'group' not in ruledata['destination']:
- ruledata['destination']['group'] = {}
- ruledata['destination']['group']['network-group'] = dnetworkgroup
- else:
- msg.add_error("Criteria Destination Network Group: updated failed - " + v.reason)
- ###############################################################################################################################################################
- # update criteria_portgroup
- if request.POST.get('criteria_portgroup', None) == "1":
-
- # source port
- if request.POST.get('sportgroup', None) != None:
- sportgroup = request.POST.get('sportgroup').strip()
- else:
- sportgroup = ''
- sportgroup_ruledata = ''
- if 'source' in ruledata:
- if 'group' in ruledata['source']:
- if 'port-group' in ruledata['source']['group']:
- sportgroup_ruledata = ruledata['source']['group']['port-group']
- if len(sportgroup) == 0:
- v = vapi.set_firewall_rule_source_portgroup_delete(hostname_default, firewall_name, rulenumber)
- if v.success:
- changed = True
- msg.add_success("Criteria Source Port Group: delete success")
- if 'source' in ruledata:
- if 'group' in ruledata['source']:
- if 'port-group' in ruledata['source']['group']:
- del ruledata['source']['group']['port-group']
- else:
- msg.add_error("Criteria Source Port Group: delete failed - " + v.reason)
- elif sportgroup != sportgroup_ruledata:
- v = vapi.set_firewall_rule_source_portgroup(hostname_default, firewall_name, rulenumber, sportgroup)
- if v.success:
- changed = True
- msg.add_success("Criteria Source Port Group: updated success")
- if 'source' not in ruledata:
- ruledata['source'] = {}
- if 'group' not in ruledata['source']:
- ruledata['source']['group'] = {}
- ruledata['source']['group']['port-group'] = sportgroup
- else:
- msg.add_error("Criteria Source Port Group: updated failed - " + v.reason)
- # destination port
- if request.POST.get('dportgroup', None) != None:
- dportgroup = request.POST.get('dportgroup').strip()
- else:
- dportgroup = ''
- dportgroup_ruledata = ''
- if 'destination' in ruledata:
- if 'group' in ruledata['destination']:
- if 'port-group' in ruledata['destination']['group']:
- dportgroup_ruledata = ruledata['destination']['group']['port-group']
- if len(dportgroup) == 0:
- v = vapi.set_firewall_rule_destination_portgroup_delete(hostname_default, firewall_name, rulenumber)
- if v.success:
- changed = True
- msg.add_success("Criteria Destination Port Group: delete success")
- if 'destination' in ruledata:
- if 'group' in ruledata['destination']:
- if 'port-group' in ruledata['destination']['group']:
- del ruledata['destination']['group']['port-group']
- else:
- msg.add_error("Criteria Destination Port Group: delete failed - " + v.reason)
- elif dportgroup != dportgroup_ruledata:
- v = vapi.set_firewall_rule_destination_portgroup(hostname_default, firewall_name, rulenumber, dportgroup)
- if v.success:
- changed = True
- msg.add_success("Criteria Destination Port Group: updated success")
- if 'destination' not in ruledata:
- ruledata['source'] = {}
- if 'group' not in ruledata['destination']:
- ruledata['destination']['group'] = {}
- ruledata['destination']['group']['port-group'] = dportgroup
- else:
- msg.add_error("Criteria Destination Port Group: updated failed - " + v.reason)
- ###############################################################################################################################################################
- # update criteria_sourcemac
- if request.POST.get('criteria_sourcemac', None) == "1":
- if request.POST.get('smac_source', None) != None:
- smac = request.POST.get('smac_source')
- smac = smac.replace("-",":")
- smac = smac.lower()
- if len(smac.strip()) == 0:
- v = vapi.set_firewall_rule_source_mac_delete(hostname_default, firewall_name, rulenumber)
- if v.success:
- changed = True
- msg.add_success("Criteria Source Mac Address: clean success")
- if 'source' in ruledata:
- if 'mac-address' in ruledata['source']:
- del ruledata['source']['mac-address']
- else:
- msg.add_error("Criteria Source Mac Address: clean failed - " + v.reason)
- else:
- # negate smac
- if request.POST.get('smac_source_negate', None) == "1":
- smac_negate = "!"
- else:
- smac_negate = ""
-
- smac_txt = smac_negate + smac
- smac_original = ''
- if 'source' in ruledata:
- if 'mac-address' in ruledata['source']:
- smac_original = ruledata['source']['mac-address']
- if smac_txt != smac_original:
- v = vapi.set_firewall_rule_source_mac(hostname_default, firewall_name, rulenumber, smac_txt)
- if v.success:
- changed = True
- msg.add_success("Criteria Source Mac Address: updated success")
- if 'source' not in ruledata:
- ruledata['source'] = {}
- ruledata['source']['mac-address'] = smac_txt
- else:
- msg.add_error("Criteria Source Mac Address: updated failed - " + v.reason)
- ###############################################################################################################################################################
- # update criteria_packetstate
- if request.POST.get('criteria_packetstate', None) == "1":
- packetstates_all = ['established', 'invalid', 'new', 'related']
- packetstates_form = []
- packetstates_add = []
- packetstates_delete = []
-
- if request.POST.get('packetstate_established', None) == "1":
- packetstates_form.append('established')
- if request.POST.get('packetstate_invalid', None) == "1":
- packetstates_form.append('invalid')
- if request.POST.get('packetstate_new', None) == "1":
- packetstates_form.append('new')
- if request.POST.get('packetstate_related', None) == "1":
- packetstates_form.append('related')
- if len(packetstates_form) == 0:
- if 'state' in ruledata:
- for pstate in ruledata['state']:
- packetstates_delete.append(pstate)
- if len(packetstates_form) > 0:
- for pstate in packetstates_all:
- # check what to add
- if 'state' not in ruledata:
- if pstate in packetstates_form:
- packetstates_add.append(pstate)
- else:
- if pstate not in ruledata['state']:
- if pstate in packetstates_form:
- packetstates_add.append(pstate)
- else:
- if ruledata['state'][pstate] != 'enable':
- if pstate in packetstates_form:
- packetstates_add.append(pstate)
- # check what to delete
- if 'state' in ruledata:
- if pstate in ruledata['state']:
- if ruledata['state'][pstate] == 'enable':
- if pstate not in packetstates_form:
- packetstates_delete.append(pstate)
- if 'state' not in ruledata:
- ruledata['state'] = {}
-
- for pstate in packetstates_add:
- v = vapi.set_firewall_rule_packetstate(hostname_default, firewall_name, rulenumber, pstate)
- if v.success:
- changed = True
- msg.add_success("Criteria Packet State: state added")
- ruledata['state'][pstate] = 'enable'
- for pstate in packetstates_delete:
- v = vapi.set_firewall_rule_packetstate_delete(hostname_default, firewall_name, rulenumber, pstate)
- if v.success:
- changed = True
- msg.add_success("Criteria Packet State: state delete")
- if pstate in ruledata['state']:
- del ruledata['state'][pstate]
- if changed == True:
- msg.add_success("Firewall rule saved")
-
- ruledata_json = json.dumps(ruledata)
- #vmsg.log("json", ruledata_json)
- template = loader.get_template("firewall/editrule.html")
- context = {
- #'interfaces': interfaces,
- 'instances': all_instances,
- 'hostname_default': hostname_default,
- 'firewall_name': firewall_name,
- 'username': request.user,
- 'is_superuser' : is_superuser,
- 'services' : netservices['services'],
- 'services_common' : netservices['common'],
- 'firewall_networkgroup': firewall_group['network-group'],
- 'firewall_addressgroup': firewall_group['address-group'],
- 'firewall_portgroup': firewall_group['port-group'],
- 'mode' : mode,
- 'msg' : msg.get_all(),
- 'ruledata' : ruledata,
- 'ruledata_pretty' : pprint.pformat(ruledata, indent=4, width=120),
- 'ruledata_json' : ruledata_json,
- 'rulenumber' : rulenumber,
- }
- return HttpResponse(template.render(context, request))
-
- @is_authenticated
- def addrule(request, firewall_name):
- return changerule(request, firewall_name, mode="addrule", rulenumber=None)
- @is_authenticated
- def editrule(request, firewall_name, rulenumber):
- return changerule(request, firewall_name, mode="editrule", rulenumber=rulenumber)
- @is_authenticated
- def show(request, firewall_name):
-
- #interfaces = vyos.get_interfaces()
- all_instances = vyos.instance_getall()
- hostname_default = vyos.get_hostname_prefered(request)
- is_superuser = perms.get_is_superuser(request.user)
- firewall = vyos.get_firewall(hostname_default, firewall_name)
-
- template = loader.get_template('firewall/show.html')
- context = {
- #'interfaces': interfaces,
- 'instances': all_instances,
- 'hostname_default': hostname_default,
- 'firewall': firewall,
- 'firewall_name': firewall_name,
- 'username': request.user,
- 'is_superuser' : is_superuser,
- }
- return HttpResponse(template.render(context, request))
- @is_authenticated
- def firewall_portgroup_list(request):
-
- hostname_default = vyos.get_hostname_prefered(request)
- firewall_portgroup = vyos.get_firewall_portgroup(hostname_default)
- all_instances = vyos.instance_getall_by_group(request)
- is_superuser = perms.get_is_superuser(request.user)
- template = loader.get_template('firewall/portgroup-list.html')
- context = {
- 'firewall_portgroup': firewall_portgroup,
- 'hostname_default': hostname_default,
- 'username': request.user,
- 'instances': all_instances,
- 'is_superuser' : is_superuser,
- }
- return HttpResponse(template.render(context, request))
- @is_authenticated
- def firewall_portgroup_del(request, groupname):
- hostname_default = vyos.get_hostname_prefered(request)
- vyos.set_firewall_portgroup_del(hostname_default, groupname)
- return redirect('firewall:firewall-portgroup-list')
- @is_authenticated
- def firewall_portgroup_add(request):
- hostname_default = vyos.get_hostname_prefered(request)
- all_instances = vyos.instance_getall_by_group(request)
- is_superuser = perms.get_is_superuser(request.user)
- netservices = network.get_services()
- if request.POST.get('name', None) != None and request.POST.get('portgroup_ports_hidden', None) != None and request.POST.get('portgroup_ports_hidden') != '':
- try:
- ports = json.loads(request.POST.get('portgroup_ports_hidden'))
- except ValueError:
- return redirect('firewall:firewall-portgroup-list')
- for port in ports:
- vyos.set_firewall_portgroup_add(hostname_default, request.POST.get('name'), port)
- if request.POST.get('description', None) != None:
- vyos.set_firewall_portgroup_description(hostname_default, request.POST.get('name'), request.POST.get('description'))
- return redirect('firewall:firewall-portgroup-list')
- template = loader.get_template('firewall/portgroup-add.html')
- context = {
- 'hostname_default': hostname_default,
- 'username': request.user,
- 'instances': all_instances,
- 'is_superuser' : is_superuser,
- 'services_common' : netservices['common'],
- 'services' : netservices['services'],
- }
- return HttpResponse(template.render(context, request))
- @is_authenticated
- def firewall_portgroup_edit(request, groupname):
- hostname_default = vyos.get_hostname_prefered(request)
- all_instances = vyos.instance_getall_by_group(request)
- is_superuser = perms.get_is_superuser(request.user)
- netservices = network.get_services()
- portgroups = vyos.get_firewall_portgroup(hostname_default)
- portgroups_json = json.dumps(portgroups['port-group'][groupname], separators=(',', ':'))
- description = portgroups['port-group'][groupname]['description']
- if request.POST.get('description', None) != None:
- vyos.set_firewall_portgroup_description(hostname_default, groupname, request.POST.get('description'))
- if request.POST.get('portgroup_ports_hidden', None) != None and request.POST.get('portgroup_ports_hidden') != '':
- try:
- ports = json.loads(request.POST.get('portgroup_ports_hidden'))
- except ValueError:
- return redirect('firewall:firewall-portgroup-list')
- port_remove = []
- port_add = []
- # each port in vyos database
- for port in portgroups['port-group'][groupname]['port']:
- # vyos port not in form
- if port not in ports:
- # so mark to remove
- port_remove.append(port)
- # each port comming from form
- for port in ports:
- # form port not in vyos database
- if port not in portgroups['port-group'][groupname]['port']:
- # so mark to add
- port_add.append(port)
- # add ports to vyos database
- for port in port_add:
- vyos.set_firewall_portgroup_add(hostname_default, groupname, port)
- # remove ports to vyos database
- for port in port_remove:
- vyos.set_firewall_portgroup_delete_port(hostname_default, groupname, port)
- if request.POST.get('description', None) != None:
- vyos.set_firewall_portgroup_description(hostname_default, request.POST.get('name'), request.POST.get('description'))
- return redirect('firewall:firewall-portgroup-list')
- template = loader.get_template('firewall/portgroup-edit.html')
- context = {
- 'hostname_default': hostname_default,
- 'username': request.user,
- 'instances': all_instances,
- 'is_superuser' : is_superuser,
- 'groupname' : groupname,
- 'services_common' : netservices['common'],
- 'services' : netservices['services'],
- 'description' : description,
- 'portgroups_json' : portgroups_json,
- }
- return HttpResponse(template.render(context, request))
- @is_authenticated
- def firewall_networkgroup_list(request):
-
- hostname_default = vyos.get_hostname_prefered(request)
- firewall_networkgroup = vyos.get_firewall_networkgroup(hostname_default)
- all_instances = vyos.instance_getall_by_group(request)
- is_superuser = perms.get_is_superuser(request.user)
- template = loader.get_template('firewall/networkgroup-list.html')
- context = {
- 'firewall_networkgroup': firewall_networkgroup,
- 'hostname_default': hostname_default,
- 'username': request.user,
- 'instances': all_instances,
- 'is_superuser' : is_superuser,
- }
- return HttpResponse(template.render(context, request))
- @is_authenticated
- def firewall_networkgroup_add(request):
- hostname_default = vyos.get_hostname_prefered(request)
- all_instances = vyos.instance_getall_by_group(request)
- is_superuser = perms.get_is_superuser(request.user)
- if ( request.POST.get('name', None) != None
- and request.POST.get('networkgroup_json', None) != None):
- group = request.POST.get('name', None)
- description = request.POST.get('description', None)
- try:
- networks = json.loads(request.POST.get('networkgroup_json'))
- except ValueError:
- networks = {}
- changed = False
- vmsg.log('networks', networks)
- for network in networks:
- v = vapilib.api (
- hostname= hostname_default,
- api = "post",
- op = "set",
- cmd = ["firewall", "group", "network-group", group, "network", network],
- description = "add network-group network",
- )
- if v.success and changed == False:
- changed = True
-
- # set network description if it was created
- if changed == True:
- v = vapilib.api (
- hostname= hostname_default,
- api = "post",
- op = "set",
- cmd = ["firewall", "group", "network-group", group, "description", description],
- description = "set network-group description",
- )
- return redirect('firewall:firewall-networkgroup-list')
- template = loader.get_template('firewall/networkgroup-add.html')
- context = {
- 'hostname_default': hostname_default,
- 'username': request.user,
- 'instances': all_instances,
- 'is_superuser' : is_superuser,
- }
- return HttpResponse(template.render(context, request))
- @is_authenticated
- def firewall_networkgroup_del(request, groupname):
- hostname_default = vyos.get_hostname_prefered(request)
- vyos.set_firewall_networkgroup_del(hostname_default, groupname)
- return redirect('firewall:firewall-networkgroup-list')
- @is_authenticated
- def firewall_addressgroup_list(request):
-
- hostname_default = vyos.get_hostname_prefered(request)
- firewall_addressgroup = vyos.get_firewall_addressgroup(hostname_default)
- all_instances = vyos.instance_getall_by_group(request)
- is_superuser = perms.get_is_superuser(request.user)
- template = loader.get_template('firewall/addressgroup-list.html')
- context = {
- 'firewall_addressgroup': firewall_addressgroup,
- 'hostname_default': hostname_default,
- 'username': request.user,
- 'instances': all_instances,
- 'is_superuser' : is_superuser,
- }
- return HttpResponse(template.render(context, request))
- @is_authenticated
- def firewall_addressgroup_add(request):
- hostname_default = vyos.get_hostname_prefered(request)
- all_instances = vyos.instance_getall_by_group(request)
- is_superuser = perms.get_is_superuser(request.user)
- if ( request.POST.get('name', None) != None
- and request.POST.get('addressgroup_json', None) != None):
- group = request.POST.get('name', None)
- description = request.POST.get('description', None)
- try:
- networks = json.loads(request.POST.get('addressgroup_json'))
- except ValueError:
- networks = {}
- changed = False
- vmsg.log('networks', networks)
- for network in networks:
- v = vapilib.api (
- hostname = hostname_default,
- api = "post",
- op = "set",
- cmd = ["firewall", "group", "address-group", group, "address", network],
- description = "add address-group network",
- )
- if v.success and changed == False:
- changed = True
-
- # set network description if it was created
- if changed == True:
- if description != None:
- v = vapilib.api (
- hostname= hostname_default,
- api = "post",
- op = "set",
- cmd = ["firewall", "group", "address-group", group, "description", description],
- description = "set address-group description",
- )
- return redirect('firewall:firewall-addressgroup-list')
- template = loader.get_template('firewall/addressgroup-add.html')
- context = {
- 'hostname_default': hostname_default,
- 'username': request.user,
- 'instances': all_instances,
- 'is_superuser' : is_superuser,
- }
- return HttpResponse(template.render(context, request))
- @is_authenticated
- def firewall_addressgroup_del(request, groupname):
- hostname_default = vyos.get_hostname_prefered(request)
- vyos.set_firewall_addressgroup_del(hostname_default, groupname)
- return redirect('firewall:firewall-addressgroup-list')
- @is_authenticated
- def firewall_addressgroup_desc(request, groupname):
- hostname_default = vyos.get_hostname_prefered(request)
- all_instances = vyos.instance_getall_by_group(request)
- is_superuser = perms.get_is_superuser(request.user)
- v = vapilib.api (
- hostname= hostname_default,
- api = "get",
- op = "showConfig",
- cmd = ["firewall", "group", "address-group", groupname],
- description = "show address-group config",
- )
- groupinfo = v.data
- if 'address' not in groupinfo:
- networks_original = []
- else:
- networks_original = groupinfo['address']
- if type(networks_original) is str:
- vmsg.log("tipo", type(networks_original))
- networks_original = [groupinfo['address']]
- else:
- networks_original = groupinfo['address']
- vmsg.log("networks_original", networks_original)
- networks_json = json.dumps(networks_original)
- changed = False
- if v.success:
- if request.POST.get('description', None) != None:
- v = vapilib.api (
- hostname= hostname_default,
- api = "post",
- op = "set",
- cmd = ["firewall", "group", "address-group", groupname, "description", request.POST.get('description')],
- description = "set network-group description",
- )
- changed = True
- if request.POST.get('networkgroup_json', None) != None:
- try:
- networks_new = json.loads(request.POST.get('networkgroup_json'))
- except ValueError:
- networks_new = {}
- vmsg.log('networks new', networks_new)
- for network in networks_new:
- v = vapilib.api (
- hostname= hostname_default,
- api = "post",
- op = "set",
- cmd = ["firewall", "group", "address-group", groupname, "address", network],
- description = "edit address-group network",
- )
- if v.success and changed == False:
- changed = True
-
- vmsg.log('networks original', networks_original)
- for network in networks_original:
- if network not in networks_new:
- v = vapilib.api (
- hostname= hostname_default,
- api = "post",
- op = "delete",
- cmd = ["firewall", "group", "address-group", groupname, "address", network],
- description = "delete address-group network",
- )
- if v.success and changed == False:
- changed = True
- if changed == True:
- return redirect('firewall:firewall-addressgroup-list')
- template = loader.get_template('firewall/addressgroup-desc.html')
- context = {
- 'groupinfo': groupinfo,
- 'hostname_default': hostname_default,
- 'username': request.user,
- 'instances': all_instances,
- 'is_superuser' : is_superuser,
- 'groupname': groupname,
- 'networks_json' : networks_json,
- }
- return HttpResponse(template.render(context, request))
- else:
- return redirect('firewall:firewall-addressgroup-list')
- @is_authenticated
- def firewall_networkgroup_desc(request, groupname):
- hostname_default = vyos.get_hostname_prefered(request)
- all_instances = vyos.instance_getall_by_group(request)
- is_superuser = perms.get_is_superuser(request.user)
- v = vapilib.api (
- hostname= hostname_default,
- api = "get",
- op = "showConfig",
- cmd = ["firewall", "group", "network-group", groupname],
- description = "show network-group config",
- )
- groupinfo = v.data
- if 'network' not in groupinfo:
- networks_original = []
- else:
- networks_original = groupinfo['network']
- if type(networks_original) is str:
- vmsg.log("tipo", type(networks_original))
- networks_original = [groupinfo['network']]
- else:
- networks_original = groupinfo['network']
- vmsg.log("networks_original", networks_original)
- networks_json = json.dumps(networks_original)
- changed = False
- if v.success:
- if request.POST.get('description', None) != None:
- v = vapilib.api (
- hostname= hostname_default,
- api = "post",
- op = "set",
- cmd = ["firewall", "group", "network-group", groupname, "description", request.POST.get('description')],
- description = "set network-group description",
- )
- changed = True
- if request.POST.get('networkgroup_json', None) != None:
- try:
- networks_new = json.loads(request.POST.get('networkgroup_json'))
- except ValueError:
- networks_new = {}
- vmsg.log('networks new', networks_new)
- for network in networks_new:
- v = vapilib.api (
- hostname= hostname_default,
- api = "post",
- op = "set",
- cmd = ["firewall", "group", "network-group", groupname, "network", network],
- description = "edit network-group network",
- )
- if v.success and changed == False:
- changed = True
-
- vmsg.log('networks original', networks_original)
- for network in networks_original:
- if network not in networks_new:
- v = vapilib.api (
- hostname= hostname_default,
- api = "post",
- op = "delete",
- cmd = ["firewall", "group", "network-group", groupname, "network", network],
- description = "delete network-group network",
- )
- if v.success and changed == False:
- changed = True
- if changed == True:
- return redirect('firewall:firewall-networkgroup-list')
- template = loader.get_template('firewall/networkgroup-desc.html')
- context = {
- 'groupinfo': groupinfo,
- 'hostname_default': hostname_default,
- 'username': request.user,
- 'instances': all_instances,
- 'is_superuser' : is_superuser,
- 'groupname': groupname,
- 'networks_json' : networks_json,
- }
- return HttpResponse(template.render(context, request))
- else:
- return redirect('firewall:firewall-networkgroup-list')
- @is_authenticated
- def firewall_config(request, firewall_name):
- #interfaces = vyos.get_interfaces()
- all_instances = vyos.instance_getall()
- hostname_default = vyos.get_hostname_prefered(request)
- is_superuser = perms.get_is_superuser(request.user)
-
- firewall = vyos.get_firewall(hostname_default, firewall_name)
-
- template = loader.get_template('firewall/show.html')
- context = {
- #'interfaces': interfaces,
- 'instances': all_instances,
- 'hostname_default': hostname_default,
- 'firewall': firewall,
- 'firewall_name': firewall_name,
- 'username': request.user,
- 'is_superuser' : is_superuser,
- }
- return HttpResponse(template.render(context, request))
- @is_authenticated
- def firewall_global(request):
-
- #interfaces = vyos.get_interfaces()
- all_instances = vyos.instance_getall()
- hostname_default = vyos.get_hostname_prefered(request)
- if int(request.POST.get('allping', 0)) == 1:
- vyos.set_firewall_allping_enable(hostname_default)
- else:
- vyos.set_firewall_allping_disable(hostname_default)
- if int(request.POST.get('syncookies', 0)) == 1:
- vyos.set_firewall_syncookies_enable(hostname_default)
- else:
- vyos.set_firewall_syncookies_disable(hostname_default)
-
- return redirect('firewall:firewall-list')
- @is_authenticated
- def firewall_remove(request, firewall_name):
-
- #interfaces = vyos.get_interfaces()
- all_instances = vyos.instance_getall()
- hostname_default = vyos.get_hostname_prefered(request)
- firewall = vyos.delete_firewall(hostname_default, firewall_name)
-
- return redirect('firewall:firewall-list')
- @is_authenticated
- def firewall_edit(request, firewall_name):
-
- #interfaces = vyos.get_interfaces()
- all_instances = vyos.instance_getall()
- hostname_default = vyos.get_hostname_prefered(request)
- firewall = vyos.get_firewall(hostname_default, firewall_name)
- firewall['defaultaction'] = firewall['default-action']
- is_superuser = perms.get_is_superuser(request.user)
- changed = False
- if 'description' in request.POST:
- cmd = {"op": "set", "path": ["firewall", "name", firewall_name, "description", request.POST['description']]}
- result2 = vyos.set_config(hostname_default, cmd)
- print(result2)
- changed = True
- if 'action' in request.POST:
- cmd = {"op": "set", "path": ["firewall", "name", firewall_name, "default-action", request.POST['action']]}
- result3 = vyos.set_config(hostname_default, cmd)
- print(result3)
- changed = True
- if changed == True:
- return redirect('firewall:firewall-list')
- template = loader.get_template('firewall/edit.html')
- context = {
- #'interfaces': interfaces,
- 'instances': all_instances,
- 'hostname_default': hostname_default,
- 'firewall_name': firewall_name,
- 'firewall': firewall,
- 'username': request.user,
- 'is_superuser' : is_superuser,
- }
- return HttpResponse(template.render(context, request))
- @is_authenticated
- def firewall_zones(request):
- # basic methods all views should call
- all_instances = vyos.instance_getall()
- hostname_default = vyos.get_hostname_prefered(request)
- is_superuser = perms.get_is_superuser(request.user)
- # local methods to prepare env
- get_firewall_zones = vapi.get_firewall_zones(hostname_default) # get all zones since we cannot allow an interface belongs more than one zone
- interfaces_defined = []
- interfaces_defined_form = []
- interfaces_zone = {}
- allzones = []
- if get_firewall_zones.success:
- allzones = get_firewall_zones.data
- if 'zone' in allzones:
- for zone in allzones['zone']:
- if 'interface' in allzones['zone'][zone]:
- for zoneinterface in allzones['zone'][zone]['interface']:
- interfaces_defined.append(zoneinterface)
- interfaces_defined_form.append("interface_" + zoneinterface)
- interfaces_zone[zoneinterface] = zone
-
- if 'zone' in allzones:
- allzones2 = []
- for zone in allzones['zone']:
- zonec = allzones['zone'][zone]
- zonec['name'] = zone
- allzones2.append(zonec)
-
- template = loader.get_template('firewall/zones.html')
- context = {
- #'interfaces': interfaces,
- 'instances': all_instances,
- 'hostname_default': hostname_default,
- 'username': request.user,
- 'is_superuser' : is_superuser,
- 'allzones': allzones2,
- 'allzones_pretty': pprint.pformat(allzones2, indent=4, width=120),
- }
- return HttpResponse(template.render(context, request))
- @is_authenticated
- def firewall_zones_add(request):
- msg = vmsg.msg()
- # basic methods all views should call
- all_instances = vyos.instance_getall()
- hostname_default = vyos.get_hostname_prefered(request)
- is_superuser = perms.get_is_superuser(request.user)
- # local methods to prepare env
- interfaces = vyos.get_interfaces(hostname_default)
- interfaces_all_names = vyos.get_interfaces_all_names(hostname_default)
- get_firewall_zones = vapi.get_firewall_zones(hostname_default) # get all zones since we cannot allow an interface belongs more than one zone
- interfaces_defined = []
- interfaces_defined_form = []
- interfaces_zone = {}
- allzones = []
- if get_firewall_zones.success:
- allzones = get_firewall_zones.data
- if 'zone' in allzones:
- for zone in allzones['zone']:
- if 'interface' in allzones['zone'][zone]:
- for zoneinterface in allzones['zone'][zone]['interface']:
- interfaces_defined.append(zoneinterface)
- interfaces_defined_form.append("interface_" + zoneinterface)
- interfaces_zone[zoneinterface] = zone
- # local control vars
- valid = False
- localzone = False
- if request.POST.get('name', None) != None:
- zonename = request.POST.get('name')
- zonename = zonename.strip()
- if request.POST.get('localzone', None) != None:
- # set local-zone
- v = vapi.set_firewall_zone_localzone(hostname_default, zonename)
- if v.success:
- valid = True
- msg.add_success("Local-zone defined")
- else:
- msg.add_error("Local-zone failed to set")
- else:
- # add all interfaces
- interfaces_form = []
- for rv in request.POST:
- iface_form = None
- if rv.startswith("interface_"):
- rvprefixlen = len("interface_")
- iface_form = rv[rvprefixlen:]
- interfaces_form.append(iface_form)
- v = vapi.set_firewall_zone_interface(hostname_default, zonename, iface_form)
- if v.success:
- valid = True
- msg.add_success("Interface added to zone: " + iface_form)
- else:
- msg.add_error("Interface not added to zone: " + iface_form + " - " + v.reason)
- if valid == True:
- # if editing remove localzone if set
- pass
- if valid == True:
- if request.POST.get('description', None) != None:
- zonedescription = request.POST.get('description')
- zonedescription = zonedescription.strip()
- if len(zonedescription) > 0:
- v = vapi.set_firewall_zone_description(hostname_default, zonename, zonedescription)
- if v.success:
- valid = True
- msg.add_success("Description defined")
- else:
- msg.add_error("Description failed to set")
- if request.POST.get('action', None) != None:
- zoneaction = request.POST.get('action')
- zoneaction = zoneaction.strip()
- if zoneaction in ['drop', 'reject']:
- v = vapi.set_firewall_zone_defaultaction(hostname_default, zonename, zoneaction)
- if v.success:
- valid = True
- msg.add_success("Default action defined")
- else:
- msg.add_error("Default action failed to set")
- msg.add_success("Zone added")
- template = loader.get_template('firewall/zones-add.html')
- context = {
- #'interfaces': interfaces,
- 'instances': all_instances,
- 'hostname_default': hostname_default,
- 'username': request.user,
- 'is_superuser': is_superuser,
- 'interfaces': interfaces,
- 'interfaces_pretty': pprint.pformat(interfaces, indent=4, width=120),
- 'interfaces_all_names_pretty': pprint.pformat(interfaces_all_names, indent=4, width=120),
- 'interfaces_all_names': interfaces_all_names,
- 'msg' : msg.get_all(),
- 'allzones': allzones,
- 'interfaces_defined': interfaces_defined,
- 'interfaces_defined_form': interfaces_defined_form,
- 'interfaces_zone': interfaces_zone,
- 'form_added': valid,
- }
- return HttpResponse(template.render(context, request))
- @is_authenticated
- def firewall_zones_edit(request, zonename):
- # validation
- zonename = zonename.strip()
-
- msg = vmsg.msg()
-
- # basic methods all views should call
- all_instances = vyos.instance_getall()
- hostname_default = vyos.get_hostname_prefered(request)
- is_superuser = perms.get_is_superuser(request.user)
- # local methods to prepare env
- interfaces = vyos.get_interfaces(hostname_default)
- interfaces_all_names = vyos.get_interfaces_all_names(hostname_default)
- get_firewall_zones = vapi.get_firewall_zones(hostname_default) # get all zones since we cannot allow an interface belongs more than one zone
- get_firewall_zone = vapi.get_firewall_zone(hostname_default, zonename)
- zoneinfo = get_firewall_zone.data
- form_changed = False
- if request.POST.get('form_changed', None) == "1":
- form_changed = True
- # set interface_alias in format eth0 if has not vif and eth0.vlan if has vlan
- for iname in interfaces_all_names:
- if 'vif' in iname:
- iname['interface_alias'] = "{interface_name}.{vif}".format(interface_name=iname['interface_name'], vif=iname['vif'])
- else:
- iname['interface_alias'] = iname['interface_name']
- # create a dict
- interfaces_all_names_dict = {}
- for iname in interfaces_all_names:
- if 'vif' in iname:
- ialias = "{interface_name}.{vif}".format(interface_name=iname['interface_name'], vif=iname['vif'])
- else:
- ialias = iname['interface_name']
- interfaces_all_names_dict[ialias] = iname
- if zoneinfo == None:
- msg.add_error("Zone not exists")
- template = loader.get_template('firewall/zones-edit.html')
- context = {
- #'interfaces': interfaces,
- 'instances': all_instances,
- 'hostname_default': hostname_default,
- 'username': request.user,
- 'is_superuser': is_superuser,
- 'interfaces': interfaces,
- 'interfaces_all_names_pretty': pprint.pformat(interfaces_all_names, indent=4, width=120),
- 'interfaces_all_names': interfaces_all_names,
- 'msg' : msg.get_all(),
- "zoneinfo": zoneinfo,
- "zonename": zonename,
- "exists": False
- }
- return HttpResponse(template.render(context, request))
- interfaces_defined = []
- interfaces_defined_form = []
- allzones = []
- interfaces_zone_alias = []
- interfaces_zone_alias_other = []
- interfaces_zone = []
- interfaces_zone_other = []
- if get_firewall_zones.success:
- allzones = get_firewall_zones.data
- if 'zone' in allzones:
- for zone in allzones['zone']:
- if 'interface' in allzones['zone'][zone]:
- if isinstance(allzones['zone'][zone]['interface'], list):
- for zoneinterface in allzones['zone'][zone]['interface']:
- if zone == zonename:
- #print("@@@", zone, zoneinterface)
- interfaces_zone_alias.append("interface_" + zoneinterface)
- interfaces_zone.append(zoneinterface)
- else:
- interfaces_zone_alias_other.append("interface_" + zoneinterface)
- interfaces_zone_other.append(zoneinterface)
- interfaces_defined.append(zoneinterface)
- interfaces_defined_form.append("interface_" + zoneinterface)
- else:
- zoneinterface = allzones['zone'][zone]['interface']
- if zone == zonename:
- # print("@@@", zone, zoneinterface)
- interfaces_zone_alias.append("interface_" + zoneinterface)
- interfaces_zone.append(zoneinterface)
- else:
- interfaces_zone_alias_other.append("interface_" + zoneinterface)
- interfaces_zone_other.append(zoneinterface)
-
- interfaces_defined.append(zoneinterface)
- interfaces_defined_form.append("interface_" + zoneinterface)
-
-
- # local control vars
- valid = False
- localzone = False
- # add all interfaces
- interfaces_form = []
- for rv in request.POST:
- iface_form = None
- if rv.startswith("interface_"):
- rvprefixlen = len("interface_")
- iface_form = rv[rvprefixlen:]
- interfaces_form.append(iface_form)
- # each interface unset on form we need to delete from zone
- if form_changed:
- for iface in interfaces_all_names:
- # interface belongs to zone currently
- if iface["interface_alias"] in interfaces_zone:
- # interface not marked on form
- if iface["interface_alias"] not in interfaces_form:
- v = vapi.delete_firewall_zone_interface(hostname_default, zonename, iface["interface_alias"])
- if v.success:
- valid = True
- msg.add_success("Interface {iface} removed from zone.".format(iface=iface["interface_alias"]))
- zalias = "interface_" + iface["interface_alias"]
- if zalias in interfaces_zone_alias:
- interfaces_zone_alias.remove(zalias)
- else:
- msg.add_error("Interface {iface} not removed from zone: {error}".format(iface=iface["interface_alias"], error=v.reason))
- # each interface set on form we need to add to zone
- for iface in interfaces_form:
- if iface in interfaces_zone:
- msg.add_info("Zone add interface {iface} not added since already addded.".format(iface=iface))
- elif iface in interfaces_zone_other:
- msg.add_alert("Zone add interface {iface} not added since belongs to other zone.".format(iface=iface))
- else:
- v = vapi.set_firewall_zone_interface(hostname_default, zonename, iface)
- if v.success:
- valid = True
- msg.add_success("Zone add interface {iface} added.".format(iface=iface))
- zalias = "interface_" + iface
- interfaces_zone_alias.append(zalias)
- else:
- msg.add_success("Zone add interface {iface} not added: {error}.".format(iface=iface, error=v.reason))
-
- if request.POST.get('description', None) != None:
- zonedescription = request.POST.get('description')
- zonedescription = zonedescription.strip()
- if zoneinfo['description'] != zonedescription:
- if len(zonedescription) > 0:
- v = vapi.set_firewall_zone_description(hostname_default, zonename, zonedescription)
- if v.success:
- valid = True
- msg.add_success("Description defined")
- zoneinfo['description'] = zonedescription
- else:
- msg.add_success("Description failed to set")
- if request.POST.get('action', None) != None:
- zoneaction = request.POST.get('action')
- zoneaction = zoneaction.strip()
- if zoneaction in ['drop', 'reject']:
- if 'default-action' not in zoneinfo or zoneinfo['default-action'] != zoneaction:
- v = vapi.set_firewall_zone_defaultaction(hostname_default, zonename, zoneaction)
- if v.success:
- valid = True
- msg.add_success("Default action defined")
- zoneinfo['default-action'] = zoneaction
- else:
- msg.add_success("Default action failed to set")
- """if request.POST.get('localzone', None) != None:
- # set local-zone
- v = vapi.set_firewall_zone_localzone(hostname_default, zonename)
- if v.success:
- valid = True
- msg.add_success("Local-zone defined")
- else:
- msg.add_success("Local-zone failed to set")"""
- zoneaction = None
- if 'default-action' in zoneinfo:
- zoneaction = zoneinfo['default-action']
- template = loader.get_template('firewall/zones-edit.html')
- context = {
- #'interfaces': interfaces,
- 'instances': all_instances,
- 'hostname_default': hostname_default,
- 'username': request.user,
- 'is_superuser': is_superuser,
- 'interfaces': interfaces,
- 'interfaces_pretty': pprint.pformat(interfaces, indent=4, width=120),
- 'interfaces_all_names_pretty': pprint.pformat(interfaces_all_names, indent=4, width=120),
- 'interfaces_all_names': interfaces_all_names,
- 'msg' : msg.get_all(),
- 'allzones': allzones,
- 'interfaces_defined': interfaces_defined,
- 'interfaces_defined_form': interfaces_defined_form,
- 'interfaces_zone_alias': interfaces_zone_alias,
- 'interfaces_zone_alias_other': interfaces_zone_alias_other,
- "zoneinfo": zoneinfo,
- "allzones_pretty": pprint.pformat(allzones, indent=4, width=120),
- "zonename": zonename,
- "exists": True,
- 'interfaces_all_names_dict': interfaces_all_names_dict,
- 'interfaces_all_names_dict_pretty': pprint.pformat(interfaces_all_names_dict, indent=4, width=120),
- 'zoneaction': zoneaction,
- }
- return HttpResponse(template.render(context, request))
- @is_authenticated
- def firewall_zones_remove(request, zonename):
- # validation
- zonename = zonename.strip()
-
- msg = vmsg.msg()
-
- # basic methods all views should call
- all_instances = vyos.instance_getall()
- hostname_default = vyos.get_hostname_prefered(request)
- is_superuser = perms.get_is_superuser(request.user)
- # local methods to prepare env
- interfaces = vyos.get_interfaces(hostname_default)
- interfaces_all_names = vyos.get_interfaces_all_names(hostname_default)
- get_firewall_zone = vapi.get_firewall_zone(hostname_default, zonename)
- zoneinfo = get_firewall_zone.data
- if zoneinfo == None:
- msg.add_error("Zone not exists")
- else:
- v = vapi.delete_firewall_zone(hostname_default, zonename)
- if v.success:
- msg.add_success("Zone {zone} removed".format(zone=zonename))
- else:
- msg.add_error("Zone {zone} not removed: {error}".format(zone=zonename, error=v.reason))
- template = loader.get_template('firewall/zones-remove.html')
- context = {
- #'interfaces': interfaces,
- 'instances': all_instances,
- 'hostname_default': hostname_default,
- 'username': request.user,
- 'is_superuser': is_superuser,
- 'interfaces': interfaces,
- 'interfaces_all_names_pretty': pprint.pformat(interfaces_all_names, indent=4, width=120),
- 'interfaces_all_names': interfaces_all_names,
- 'msg' : msg.get_all(),
- "zoneinfo": zoneinfo,
- "zonename": zonename,
- }
- return HttpResponse(template.render(context, request))
|
