
Conversation


@gsanchietti gsanchietti commented Oct 28, 2025

This pull request adds support for managing firewall rich rules at the node level.

This feature is required for NethVoice Proxy.
Fixes NethServer/dev#7725
Fixes NethServer/dev#7776

Firewall rich rule management:

  • Added add_rich_rules and remove_rich_rules functions to agent/__init__.py to enable adding and removing arrays of rich rules on a node using firewall-cmd.
  • Introduced new node actions: add-rich-rules and remove-rich-rules, each with a Python script to apply or remove rich rules and reload the firewall configuration.
  • Added JSON schema validation files for both actions to validate input structure for rich rules.

Permission and role updates:

  • Updated add-node/50update and node/install-finalize.sh scripts to grant add-rich-rules and remove-rich-rules permissions to relevant roles (fwadm, portsadm, tunadm).

Usage example

Add rules:

import agent

# Add two rich rules (example: forward and allow)
rules_to_add = [
    "rule family=ipv4 forward-port port=5060 protocol=udp to-port=5060",
    "rule family=ipv4 source address=203.0.113.5 accept"
]
success = agent.add_rich_rules(rules_to_add)

Remove rules:

import agent

# Remove them later
rules_to_remove = [
    "rule family=ipv4 forward-port port=5060 protocol=udp to-port=5060",
    "rule family=ipv4 source address=203.0.113.5 accept"
]
success = agent.remove_rich_rules(rules_to_remove)

Update an existing machine

api-cli run update-core --data '{"core_url":"ghcr.io/nethserver/core:port_forward","nodes":[1]}'

Install a new machine

curl https://raw.githubusercontent.com/NethServer/ns8-core/main/core/install.sh > install.sh 
bash install.sh ghcr.io/nethserver/core:port_forward
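As an added illustration, not code from this PR or from ns8-core, the following Python sketches what an add-rich-rules/remove-rich-rules style action has to do with an array of rule strings before they reach firewall-cmd: check each rule against the firewalld rich-rule vocabulary, build argument vectors rather than shell strings, write the permanent configuration and reload. The function names (validate_rich_rule, build_commands, apply_rich_rules), the token whitelist and the --permanent followed by --reload sequence are assumptions made for the example; the PR states only that the actions apply or remove rules with firewall-cmd and then reload. The sample rules are the two from the usage example above.

```python
"""Added example (not code from this PR or from ns8-core): validate firewalld
rich rules and drive firewall-cmd for an add/remove node action."""
import re
import shlex
import subprocess
from typing import Callable, List, Optional, Sequence

# Vocabulary of the firewalld rich language (firewalld.richlanguage(5)).
# BARE tokens stand alone, KEYED tokens appear as key=value. This whitelist is
# an assumption for the example, not the project's validate-input.json schema.
BARE = {"source", "destination", "service", "port", "protocol", "forward-port",
        "source-port", "masquerade", "icmp-block", "icmp-type", "log", "audit",
        "limit", "accept", "reject", "drop", "mark"}
KEYED = {"family", "address", "port", "protocol", "to-port", "to-addr", "name",
         "value", "type", "level", "prefix", "priority", "set", "ipset", "mac",
         "invert"}
# Exactly one of these must be present: it is what the rule does.
TERMINALS = {"accept", "reject", "drop", "mark", "forward-port", "masquerade",
             "icmp-block", "icmp-type"}
# Addresses, CIDRs, port ranges, names: no spaces, quotes or shell characters.
SAFE_VALUE = re.compile(r"^[A-Za-z0-9_.:/\-]+$")
SAFE_ZONE = re.compile(r"^[A-Za-z0-9_\-]+$")


def validate_rich_rule(rule: str) -> List[str]:
    """Return the problems found in one rich rule; an empty list means acceptable."""
    errors: List[str] = []
    try:
        tokens = shlex.split(rule)  # honours address="..." style quoting
    except ValueError as exc:
        return [f"unbalanced quoting: {exc}"]
    if not tokens or tokens[0] != "rule":
        return ["rule must start with the keyword 'rule'"]
    terminals = 0
    for tok in tokens[1:]:
        if "=" in tok:
            key, value = tok.split("=", 1)
            if key not in KEYED:
                errors.append(f"unknown attribute {key!r}")
            elif not SAFE_VALUE.match(value):
                errors.append(f"unsafe value for {key!r}: {value!r}")
            elif key == "family" and value not in ("ipv4", "ipv6"):
                errors.append(f"family must be ipv4 or ipv6, got {value!r}")
        elif tok in BARE:
            if tok in TERMINALS:
                terminals += 1
        else:
            errors.append(f"unknown token {tok!r}")
    if terminals != 1:
        errors.append(f"expected exactly one of {sorted(TERMINALS)}, found {terminals}")
    return errors


def build_commands(op: str, rules: Sequence[str],
                   zone: Optional[str] = None) -> List[List[str]]:
    """Translate validated rules into firewall-cmd argument vectors.

    Assumption: the action writes the permanent configuration and then reloads,
    so the change is live now and survives a reboot. Every command is an argv
    list, never a shell string, so the rule text reaches firewall-cmd verbatim
    and no shell ever interprets it.
    """
    if op not in ("add", "remove"):
        raise ValueError(f"op must be 'add' or 'remove', got {op!r}")
    if zone is not None and not SAFE_ZONE.match(zone):
        raise ValueError(f"bad zone name {zone!r}")
    commands: List[List[str]] = []
    for rule in rules:
        problems = validate_rich_rule(rule)
        if problems:
            raise ValueError(f"rejected rule {rule!r}: {'; '.join(problems)}")
        argv = ["firewall-cmd", "--permanent"]
        if zone:
            argv.append(f"--zone={zone}")
        argv.append(f"--{op}-rich-rule={rule}")
        commands.append(argv)
    if commands:  # nothing to reload if there was nothing to change
        commands.append(["firewall-cmd", "--reload"])
    return commands


def apply_rich_rules(op: str, rules: Sequence[str],
                     runner: Optional[Callable[[List[str]], int]] = None,
                     zone: Optional[str] = None) -> bool:
    """Run the commands in order; True only if every exit status was 0.

    `runner` takes an argv and returns its exit code. The default executes the
    real firewall-cmd (root on a firewalld host); inject a fake runner for a
    dry run that only records what would be executed.
    """
    run = runner or (lambda argv: subprocess.run(argv, check=False).returncode)
    for argv in build_commands(op, rules, zone):
        if run(argv) != 0:
            return False  # stop at the first failure; the reload is skipped too
    return True


if __name__ == "__main__":
    # Constructed sample input, mirroring the PR's usage example.
    sample = [
        "rule family=ipv4 forward-port port=5060 protocol=udp to-port=5060",
        "rule family=ipv4 source address=203.0.113.5 accept",
    ]
    executed: List[List[str]] = []

    def dry_run(argv: List[str]) -> int:
        executed.append(argv)
        return 0

    apply_rich_rules("add", sample, runner=dry_run)
    for argv in executed:
        print(shlex.join(argv))
    print(validate_rich_rule("rule family=ipv4 accept; rm -rf /"))
```

The JSON schema in the PR guarantees the input is an array of strings; the validator above adds a syntax check on top of that, so a caller holding the fwadm or portsadm role can only submit rules built from the documented rich-rule vocabulary, and stray tokens such as `accept; rm -rf /` are refused before anything is executed. A rule added with --permanent is not live until --reload, which is why the reload is appended whenever at least one rule was given and why a failed add aborts before the reload rather than reloading a half-applied set.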

github-actions bot pushed a commit that referenced this pull request Oct 28, 2025
@gsanchietti gsanchietti self-assigned this Oct 28, 2025
@gsanchietti gsanchietti force-pushed the port_forward branch 2 times, most recently from 411d5cb to 9e982bf Compare December 2, 2025 15:28
@gsanchietti gsanchietti changed the title from "feat: add port forwarding" to "feat: add rich rules" Dec 3, 2025
This can be useful to:
- redirect a public port to an internal port (NethVoice proxy)
- forward a public port to a remote host
- create complex rules for the default zone
@gsanchietti gsanchietti marked this pull request as ready for review December 3, 2025 11:13
Copilot AI left a comment

Pull request overview

This PR adds support for managing firewall rich rules at the node level, enabling applications like NethVoice Proxy to configure advanced firewall rules programmatically. The implementation introduces two new node actions (add-rich-rules and remove-rich-rules) with corresponding Python helper functions in the agent module.

Key changes:

  • New node actions with JSON schema validation for adding and removing firewall rich rules using firewall-cmd
  • Agent module functions add_rich_rules() and remove_rich_rules() for programmatic access
  • Permission grants for fwadm and portsadm roles (incomplete - missing tunadm grants)

Reviewed changes

Copilot reviewed 7 out of 7 changed files in this pull request and generated 7 comments.

File | Description
core/imageroot/var/lib/nethserver/node/actions/add-rich-rules/50add | Python script to add rich rules and reload firewall configuration
core/imageroot/var/lib/nethserver/node/actions/add-rich-rules/validate-input.json | JSON schema validation for add-rich-rules input
core/imageroot/var/lib/nethserver/node/actions/remove-rich-rules/50remove | Python script to remove rich rules and reload firewall configuration
core/imageroot/var/lib/nethserver/node/actions/remove-rich-rules/validate-input.json | JSON schema validation for remove-rich-rules input
core/imageroot/usr/local/agent/pypkg/agent/__init__.py | Added add_rich_rules() and remove_rich_rules() helper functions
core/imageroot/var/lib/nethserver/cluster/actions/add-node/50update | Grants permissions for new actions when adding nodes (incomplete role coverage)
core/imageroot/var/lib/nethserver/node/install-finalize.sh | Grants permissions for new actions during node initialization (incomplete role coverage)

@gsanchietti gsanchietti merged commit 44cafe1 into main Dec 3, 2025
3 checks passed
@gsanchietti gsanchietti deleted the port_forward branch December 3, 2025 13:59

Development

Successfully merging this pull request may close these issues.

NethVoice Proxy: Use local IP in SDP for local clients to simplify NAT configuration
Add rich rules support