19 changes: 17 additions & 2 deletions src/nethsec/firewall/__init__.py
Expand Up @@ -773,7 +773,8 @@ def zone_exists(u, zone_name):


def add_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = False, forwards_to: list[str] = None,
forwards_from: list[str] = None, log: bool = False) -> {str, set[str]}:
forwards_from: list[str] = None, log: bool = False, synflood_protect: bool = True,
synflood_rate: str = '', synflood_burst: str = '') -> {str, set[str]}:
"""
Add zone to firewall config.

Expand All @@ -786,6 +787,9 @@ def add_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = Fa
forwards_to: list of zones to forward traffic to
forwards_from: list of zones to forward traffic from
log: if True, log blocked traffic destined to this zone
synflood_protect: if True, enable synflood protection
synflood_rate: rate for synflood protection, default is '25/s'
synflood_burst: burst for synflood protection, default is 50

Returns:
tuple of zone config name and set of added forwarding configs
Expand All @@ -812,6 +816,10 @@ def add_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = Fa
except:
pass

uci.set('firewall', zone_config_name, 'synflood_protect', synflood_protect)
uci.set('firewall', zone_config_name, 'synflood_rate', synflood_rate)
uci.set('firewall', zone_config_name, 'synflood_burst', synflood_burst)


forwardings_added = set()

Expand All @@ -832,7 +840,8 @@ def add_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = Fa


def edit_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = False, forwards_to: list[str] = None,
forwards_from: list[str] = None, log: bool = False) -> {str, set[str]}:
forwards_from: list[str] = None, log: bool = False, synflood_protect: bool = True,
synflood_rate: str = '', synflood_burst: str = '') -> {str, set[str]}:
"""
Edit an existing zone.

Expand All @@ -845,6 +854,9 @@ def edit_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = F
forwards_to: list of zones to forward traffic to
forwards_from: list of zones to forward traffic from
log: if True, log blocked traffic destined to this zone
synflood_protect: if True, enable synflood protection
synflood_rate: rate for synflood protection, default is '25/s'
synflood_burst: burst for synflood protection, default is 50

Returns:
tuple of zone config name and set of updated forwarding configs
Expand All @@ -856,6 +868,9 @@ def edit_zone(uci, name: str, input: str, forward: str, traffic_to_wan: bool = F
uci.set('firewall', zone_config_name, 'input', input)
uci.set('firewall', zone_config_name, 'forward', forward)
uci.set('firewall', zone_config_name, 'output', 'ACCEPT')
uci.set('firewall', zone_config_name, 'synflood_protect', synflood_protect)
uci.set('firewall', zone_config_name, 'synflood_rate', synflood_rate)
uci.set('firewall', zone_config_name, 'synflood_burst', synflood_burst)
if log:
uci.set('firewall', zone_config_name, 'log', '1')
if uci.get('firewall', zone_config_name, 'log_limit', default=None) is None:
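Review bot: The three new `uci.set(...)` calls in `add_zone` (and the identical ones in `edit_zone`) persist `synflood_rate` and `synflood_burst` straight into the firewall config without checking their shape, so a malformed value coming through the API (e.g. `"25"` without a unit, `"a/s"`, or a negative burst) is only discovered when fw4 reloads the ruleset, which is the worst place for a rate-limit option to fail; the docstring itself documents the expected form (`'25/s'`, integer burst), so the check is cheap to state. I would validate both strings before the first `uci.set` and raise the exception type this module already uses for bad input (the enclosing functions run past the hunk, so I cannot see whether one exists; `ValueError` otherwise). The accepted unit set below should be confirmed against what fw4 actually parses. Separately, `synflood_protect` is written as a Python bool while the `log` option two lines later is written as the string `'1'`; writing `'1' if synflood_protect else '0'` keeps the two options consistent and does not rely on the UCI wrapper's bool coercion, which the test at `tests/test_firewall.py` currently assumes.
```python
_SYNFLOOD_RATE_RE = re.compile(r'^\d+/(s|m|h|d|second|minute|hour|day)$')  # TODO confirm unit list against fw4


def _check_synflood_options(rate: str, burst: str) -> None:
    """Reject malformed SYN-flood limit values before they reach the firewall config."""
    if rate and not _SYNFLOOD_RATE_RE.match(rate):
        raise ValueError(f'invalid synflood_rate: {rate!r}')
    if burst and not burst.isdigit():
        raise ValueError(f'invalid synflood_burst: {burst!r}')

# … unchanged: zone section creation and input/forward/output options …
_check_synflood_options(synflood_rate, synflood_burst)
uci.set('firewall', zone_config_name, 'synflood_protect', '1' if synflood_protect else '0')
uci.set('firewall', zone_config_name, 'synflood_rate', synflood_rate)
uci.set('firewall', zone_config_name, 'synflood_burst', synflood_burst)
```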
18 changes: 18 additions & 0 deletions tests/test_firewall.py
Expand Up @@ -1229,3 +1229,21 @@ def test_apply_default_logging_options(u):
assert u.get("firewall", "o1", "log_limit", default=None) == None
assert u.get("firewall", "redirect3", "log_limit", default=None) == None


def test_synflood_zone(u):
firewall.add_zone(u, "new_zone", "REJECT", "DROP", True, ["lan"], ["lan", "guest"], False, True, '', '')
assert u.get('firewall', 'ns_new_zone', 'synflood_protect') == '1'
assert u.get('firewall', 'ns_new_zone', 'synflood_rate', default='') == ''
assert u.get('firewall', 'ns_new_zone', 'synflood_burst', default='') == ''
firewall.edit_zone(u, "new_zone", "REJECT", "DROP", True, ["lan"], ["lan", "guest"], False, False, '5/s', '10')
assert u.get('firewall', 'ns_new_zone', 'synflood_protect') == '0'
assert u.get('firewall', 'ns_new_zone', 'synflood_rate') == '5/s'
assert u.get('firewall', 'ns_new_zone', 'synflood_burst') == '10'
firewall.add_zone(u, "another_zone", "REJECT", "DROP", True, ["lan"], ["lan", "guest"], False, False, '10/s', '20')
assert u.get('firewall', 'ns_another_zone', 'synflood_protect') == '0'
assert u.get('firewall', 'ns_another_zone', 'synflood_rate') == '10/s'
assert u.get('firewall', 'ns_another_zone', 'synflood_burst') == '20'
firewall.edit_zone(u, "another_zone", "REJECT", "DROP", True, ["lan"], ["lan", "guest"], False, True, '', '')
assert u.get('firewall', 'ns_another_zone', 'synflood_protect') == '1'
assert u.get('firewall', 'ns_another_zone', 'synflood_rate', default='') == ''
assert u.get('firewall', 'ns_another_zone', 'synflood_burst', default='') == ''
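Review bot: The `synflood_rate`/`synflood_burst` assertions that use `default=''` in `test_synflood_zone` cannot fail for the case they mean to cover: `u.get(..., 'synflood_rate', default='') == ''` holds both when the option was written as an empty string and when it was never written at all, so the test does not pin down which state `add_zone`/`edit_zone` leaves in UCI. Use a sentinel default that separates the two, e.g. `assert u.get('firewall', 'ns_new_zone', 'synflood_rate', default=None) == ''` if an empty option is meant to be persisted, or `... is None` if the option is expected to be absent. The ten positional arguments in each call (`..., False, True, '', ''`) also hide which flag is `log` and which is `synflood_protect`; passing them as keywords (`log=False, synflood_protect=True, synflood_rate='', synflood_burst=''`) would make the intent readable and keep the test valid if the signature grows again.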