#131993 Added custom rules

evsinev · Feb 9, 2024 · a536768 · a536768
1 parent 78bb928
commit a536768
Show file tree

Hide file tree

Showing 7 changed files with 96 additions and 0 deletions.
diff --git a/src/main/java/com/payneteasy/firewall/Main.java b/src/main/java/com/payneteasy/firewall/Main.java
@@ -2,6 +2,7 @@
 
 import com.payneteasy.firewall.dao.ConfigDaoYaml;
 import com.payneteasy.firewall.dao.IConfigDao;
+import com.payneteasy.firewall.dao.model.ChainType;
 import com.payneteasy.firewall.dao.model.TBlockedIpAddress;
 import com.payneteasy.firewall.dao.model.THost;
 import com.payneteasy.firewall.service.ConfigurationException;
@@ -66,6 +67,11 @@ private static void createFirewallConfig(String host, String aDir, IPacketServic
         velocity.add("vrrp-packets", vrrpPackets);
         velocity.add("linked-vrrp-packets", linkedVrrpPackets);
         velocity.add("blocked-ip-addresses", blockedIpAddresses);
+        velocity.add("custom-input-rules"      , packetService.getCustomRules(host, ChainType.INPUT));
+        velocity.add("custom-output-rules"     , packetService.getCustomRules(host, ChainType.OUTPUT));
+        velocity.add("custom-forward-rules"    , packetService.getCustomRules(host, ChainType.FORWARD));
+        velocity.add("custom-prerouting-rules" , packetService.getCustomRules(host, ChainType.PREROUTING));
+        velocity.add("custom-postrouting-rules", packetService.getCustomRules(host, ChainType.POSTROUTING));
 
         PrintWriter out = new PrintWriter(new FileWriter(new File(aDir, host)));
         try {

diff --git a/src/main/java/com/payneteasy/firewall/dao/model/ChainType.java b/src/main/java/com/payneteasy/firewall/dao/model/ChainType.java
@@ -0,0 +1,5 @@
+package com.payneteasy.firewall.dao.model;
+
+public enum ChainType {
+    INPUT, OUTPUT, FORWARD, POSTROUTING, PREROUTING
+}
diff --git a/src/main/java/com/payneteasy/firewall/dao/model/TCustomRule.java b/src/main/java/com/payneteasy/firewall/dao/model/TCustomRule.java
@@ -0,0 +1,24 @@
+package com.payneteasy.firewall.dao.model;
+
+public class TCustomRule {
+    public ChainType chain;
+    public String    rule;
+    public String    description;
+    public String    justification;
+
+    public ChainType getChain() {
+        return chain;
+    }
+
+    public String getRule() {
+        return rule;
+    }
+
+    public String getDescription() {
+        return description;
+    }
+
+    public String getJustification() {
+        return justification;
+    }
+}
diff --git a/src/main/java/com/payneteasy/firewall/dao/model/THost.java b/src/main/java/com/payneteasy/firewall/dao/model/THost.java
@@ -5,6 +5,7 @@
 
 import java.util.ArrayList;
 import java.util.List;
+import java.util.StringJoiner;
 import java.util.stream.Collectors;
 
 /**
@@ -59,6 +60,8 @@ public List<TInterface> getL2Interfaces() {
                 .collect(Collectors.toList());
     }
 
+    public List<TCustomRule> customRules;
+
     @Override
     public String toString() {
         return "THost{" +
@@ -70,7 +73,9 @@ public String toString() {
                 ", interfaces=" + interfaces +
                 ", services=" + services +
                 ", color='" + color + '\'' +
+                ", blockedIpAddresses=" + blockedIpAddresses +
                 ", services_links='" + services_links + '\'' +
+                ", customRules=" + customRules +
                 '}';
     }
 }
diff --git a/src/main/java/com/payneteasy/firewall/service/IPacketService.java b/src/main/java/com/payneteasy/firewall/service/IPacketService.java
@@ -1,6 +1,8 @@
 package com.payneteasy.firewall.service;
 
+import com.payneteasy.firewall.dao.model.ChainType;
 import com.payneteasy.firewall.dao.model.TBlockedIpAddress;
+import com.payneteasy.firewall.dao.model.TCustomRule;
 import com.payneteasy.firewall.service.model.*;
 
 import java.util.List;
@@ -24,4 +26,6 @@ public interface IPacketService {
     List<LinkedVrrpPacket> getLinkedVrrpPackets(String aHostname);
 
     List<TBlockedIpAddress> getBlockedIpAddresses(String aHostname);
+
+    List<TCustomRule> getCustomRules(String aHost, ChainType aChainType);
 }
diff --git a/src/main/java/com/payneteasy/firewall/service/impl/PacketServiceImpl.java b/src/main/java/com/payneteasy/firewall/service/impl/PacketServiceImpl.java
@@ -16,6 +16,7 @@
 import java.net.InetAddress;
 import java.net.UnknownHostException;
 import java.util.*;
+import java.util.stream.Collectors;
 
 import static com.google.common.base.Preconditions.checkNotNull;
 import static com.payneteasy.firewall.util.Strings.first;
@@ -550,6 +551,20 @@ public int compare(OutputPacket aLeft, OutputPacket aRight) {
         return ret;
     }
 
+    @Override
+    public List<TCustomRule> getCustomRules(String aHostname, ChainType aChainType) {
+        THost host = theConfigDao.getHostByName(aHostname);
+
+        if (host.customRules == null) {
+            return Collections.emptyList();
+        }
+
+        return host.customRules.stream()
+                .filter(it -> it.chain == aChainType)
+                .collect(Collectors.toList());
+    }
+
+
     private String findInterfaceByIp(String aAddress, List<TInterface> aInterfaces, String aHostname) throws ConfigurationException {
         for (TInterface iface : aInterfaces) {
             if(aAddress.equals(iface.ip) || aAddress.equals(iface.vip) ) {

diff --git a/src/main/resources/iptables.vm b/src/main/resources/iptables.vm
@@ -64,6 +64,13 @@
 -A INPUT --protocol icmp --icmp-type echo-request             -j ACCEPT
 -A INPUT --protocol icmp --icmp-type time-exceeded            -j ACCEPT
 
+#if ( $custom-input-rules.size() > 0 )
+# Custom INPUT Rules
+#foreach( $rule in $custom-input-rules )
+# $rule.description / $rule.justification
+$rule.rule
+#end
+#end
 
 #
 # OUTPUT packets
@@ -85,6 +92,13 @@
 -A OUTPUT --protocol icmp --icmp-type echo-request             -j ACCEPT
 -A OUTPUT --protocol icmp --icmp-type time-exceeded            -j ACCEPT
 
+#if ( $custom-output-rules.size() > 0 )
+# Custom OUTPUT Rules
+#foreach( $rule in $custom-output-rules )
+# $rule.description / $rule.justification
+$rule.rule
+#end
+#end
 #
 # FORWARD packets 2
 #
@@ -116,6 +130,14 @@
 -A FORWARD --protocol icmp --icmp-type echo-request             -j ACCEPT
 -A FORWARD --protocol icmp --icmp-type time-exceeded            -j ACCEPT
 #end
+#if ( $custom-output-rules.size() > 0 )
+
+# Custom FORWARD Rules
+#foreach( $rule in $custom-forward-rules )
+# $rule.description / $rule.justification
+$rule.rule
+#end
+#end
 
 # for tcp --reject-with tcp-reset
 # for REJECT we send tcp packet with ACK and RST flags
@@ -157,6 +179,21 @@ COMMIT
 -A PREROUTING -d $p.destination_nat_address -p $p.protocol -j DNAT --to-destination $p.destination_address
 #end
 
+#end
+#end
+#if ( $custom-prerouting-rules.size() > 0 )
+# Custom PREROUTING Rules
+#foreach( $rule in $custom-prerouting-rules )
+# $rule.description / $rule.justification
+$rule.rule
+#end
+#end
+#if ( $custom-postrouting-rules.size() > 0 )
+
+# Custom POSTROUTING Rules
+#foreach( $rule in $custom-postrouting-rules )
+# $rule.description / $rule.justification
+$rule.rule
 #end
 #end