feat: add firewall reach rules

This can be usefull to:
- redirect a public to an internal port (NethVoice proxy)
- forward a public port to a remote host
- create complex rules for the default zone

Author: gsanchietti

core/imageroot/usr/local/agent/pypkg/agent/__init__.py

@@ -485,6 +485,37 @@ def remove_custom_zone(name):
     )
     return response['exit_code'] == 0
 
+def add_rich_rules(rich_rules):
+    """
+    Apply an array of firewall rich rules on the node using firewall-cmd.
+    Each element of `rich_rules` should be a complete rich-rule string as
+    accepted by `--add-rich-rule`. Example:
+      'rule family=ipv4 forward-port port=5060 protocol=udp to-port=5060 to-addr=192.168.1.100'
+    """
+    node_id = os.environ['NODE_ID']
+    data = {'rich_rules': rich_rules}
+    response = agent.tasks.run(
+        agent_id=f'node/{node_id}',
+        action='add-rich-rules',
+        data=data
+    )
+    return response['exit_code'] == 0
+
+def remove_rich_rules(rich_rules):
+    """
+    Remove an array of firewall rich rules on the node using firewall-cmd.
+    Each element of `rich_rules` should be a complete rich-rule string as
+    accepted by `--remove-rich-rule` (the same format used for add).
+    """
+    node_id = os.environ['NODE_ID']
+    data = {'rich_rules': rich_rules}
+    response = agent.tasks.run(
+        agent_id=f'node/{node_id}',
+        action='remove-rich-rules',
+        data=data
+    )
+    return response['exit_code'] == 0
+
 
 def list_service_providers(rdb, service, transport='*', filters={}):
     """Look up the endpoint information about a given service. Filter

core/imageroot/var/lib/nethserver/cluster/actions/add-node/50update

@@ -184,6 +184,8 @@ cluster.grants.grant(rdb, "add-public-service",  f'node/{node_id}', "fwadm")
 cluster.grants.grant(rdb, "remove-public-service", f'node/{node_id}', "fwadm")
 cluster.grants.grant(rdb, "add-custom-zone",  f'node/{node_id}', "fwadm")
 cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "fwadm")
+cluster.grants.grant(rdb, "add-rich-rules",  f'node/{node_id}', "fwadm")
+cluster.grants.grant(rdb, "remove-rich-rules", f'node/{node_id}', "fwadm")
 
 cluster.grants.grant(rdb, "add-public-service",  f'node/{node_id}', "tunadm")
 cluster.grants.grant(rdb, "remove-public-service", f'node/{node_id}', "tunadm")
@@ -200,6 +202,9 @@ cluster.grants.grant(rdb, "add-public-service", f'node/{node_id}', "fwadm,portsa
 cluster.grants.grant(rdb, "remove-public-service", f'node/{node_id}', "fwadm,portsadm")
 cluster.grants.grant(rdb, "add-custom-zone", f'node/{node_id}', "fwadm,portsadm")
 cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "fwadm,portsadm")
+cluster.grants.grant(rdb, "add-rich-rules",  f'node/{node_id}', "fwadm,portsadm")
+cluster.grants.grant(rdb, "remove-rich-rules", f'node/{node_id}', "fwadm,portsadm")
+
 cluster.grants.grant(rdb, "allocate-ports", f'node/{node_id}', "tunadm,portsadm")
 cluster.grants.grant(rdb, "deallocate-ports", f'node/{node_id}', "tunadm,portsadm")
 cluster.grants.grant(rdb, "add-tun", f'node/{node_id}', "tunadm,portsadm")
@@ -209,6 +214,7 @@ cluster.grants.grant(rdb, "remove-public-service", f'node/{node_id}', "tunadm,po
 cluster.grants.grant(rdb, "add-custom-zone", f'node/{node_id}', "tunadm,portsadm")
 cluster.grants.grant(rdb, "remove-custom-zone", f'node/{node_id}', "tunadm,portsadm")
 
+
 # Grant on cascade the owner role on the new node, to users with the owner
 # role on cluster
 for userk in rdb.scan_iter('roles/*'):

core/imageroot/var/lib/nethserver/node/actions/add-rich-rules/50add

@@ -0,0 +1,24 @@
+#!/usr/bin/env python3
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+import sys
+import json
+import agent
+
+request = json.load(sys.stdin)
+
+rich_rules = request.get('rich_rules', [])
+if not isinstance(rich_rules, list) or len(rich_rules) == 0:
+    agent.assert_exp(False, 'rich_rules must be a non-empty array')
+
+for rule in rich_rules:
+    # Apply rule for both families if not already family-qualified
+    print(agent.SD_INFO + f'Adding rich-rule: {rule}', file=sys.stderr)
+    agent.run_helper('firewall-cmd', '--permanent', f'--add-rich-rule={rule}')
+
+# Apply the configuration
+agent.run_helper('firewall-cmd', '--reload').check_returncode()

core/imageroot/var/lib/nethserver/node/actions/add-rich-rules/validate-input.json

@@ -0,0 +1,23 @@
+{
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "title": "add-rich-rules input",
+    "$id": "http://schema.nethserver.org/node/add-rich-rules-input.json",
+    "description": "Add firewall rich rules",
+    "examples": [
+        {
+            "rich_rules": [
+                "rule family=ipv4 forward-port port=5060 protocol=udp to-port=5060",
+                "rule family=ipv6 forward-port port=5060 protocol=udp to-port=5060 to-addr=2001:db8::1"
+            ]
+        }
+    ],
+    "type": "object",
+    "required": ["rich_rules"],
+    "properties": {
+        "rich_rules": {
+            "type": "array",
+            "minItems": 1,
+            "items": { "type": "string" }
+        }
+    }
+}

core/imageroot/var/lib/nethserver/node/actions/remove-rich-rules/50remove

@@ -0,0 +1,23 @@
+#!/usr/bin/env python3
+
+#
+# Copyright (C) 2025 Nethesis S.r.l.
+# SPDX-License-Identifier: GPL-3.0-or-later
+#
+
+import sys
+import json
+import agent
+
+request = json.load(sys.stdin)
+
+rich_rules = request.get('rich_rules', [])
+if not isinstance(rich_rules, list) or len(rich_rules) == 0:
+    agent.assert_exp(False, 'rich_rules must be a non-empty array')
+
+for rule in rich_rules:
+    print(agent.SD_INFO + f'Removing rich-rule: {rule}', file=sys.stderr)
+    agent.run_helper('firewall-cmd', '--permanent', f'--remove-rich-rule={rule}')
+
+# Apply the configuration
+agent.run_helper('firewall-cmd', '--reload').check_returncode()

core/imageroot/var/lib/nethserver/node/actions/remove-rich-rules/validate-input.json

@@ -0,0 +1,23 @@
+{
+    "$schema": "http://json-schema.org/draft-07/schema#",
+    "title": "remove-rich-rules input",
+    "$id": "http://schema.nethserver.org/node/remove-rich-rules-input.json",
+    "description": "Remove firewall rich rules",
+    "examples": [
+        {
+            "rich_rules": [
+                "rule family=ipv4 forward-port port=5060 protocol=udp to-port=5060",
+                "rule family=ipv6 forward-port port=5060 protocol=udp to-port=5060 to-addr=2001:db8::1"
+            ]
+        }
+    ],
+    "type": "object",
+    "required": ["rich_rules"],
+    "properties": {
+        "rich_rules": {
+            "type": "array",
+            "minItems": 1,
+            "items": { "type": "string" }
+        }
+    }
+}

core/imageroot/var/lib/nethserver/node/install-finalize.sh

@@ -145,6 +145,8 @@ cluster.grants.grant(rdb, action_clause="add-public-service",  to_clause="tunadm
 cluster.grants.grant(rdb, action_clause="remove-public-service",  to_clause="tunadm,portsadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="add-custom-zone",  to_clause="tunadm,portsadm", on_clause='node/1')
 cluster.grants.grant(rdb, action_clause="remove-custom-zone",  to_clause="tunadm,portsadm", on_clause='node/1')
+cluster.grants.grant(rdb, action_clause="add-rich-rules",  to_clause="fwadm,portsadm", on_clause='node/1')
+cluster.grants.grant(rdb, action_clause="remove-rich-rules",  to_clause="fwadm,portsadm", on_clause='node/1')
 
 cluster.grants.grant(rdb, action_clause="update-routes", to_clause="accountprovider", on_clause='cluster')
 cluster.grants.grant(rdb, action_clause="bind-user-domains",  to_clause="accountconsumer", on_clause='cluster')