base: more readable log-format

Author: superstes

docs/source/usage/3_run.rst

@@ -82,34 +82,34 @@ Pass Example
     > 🛈 ROUTER: Packet inbound-route: 172.17.0.0/16, scope link
     > 🛈 FIREWALL: Processing Chain: Table nat ip4 | Chain PREROUTING ip4 nat
     > 🛈 FIREWALL: > Chain PREROUTING | Rule 0 | Match => jump
-    > 🛈 FIREWALL: > Chain PREROUTING | Sub-Chain: DOCKER
+    > 🛈 FIREWALL: > Chain PREROUTING | Sub-Chain: DOCKER (2 rules)
     > 🛈 FIREWALL: > Chain DOCKER | Rule 0 | Match => return
     > 🛈 ROUTER: Packet outbound-interface: wan
-    > 🛈 ROUTER: Packet outbound-route: 0.0.0.0/0, gw 10.255.255.254, metric 600, scope remote
+    > 🛈 ROUTER: Packet outbound-route: 0.0.0.0/0, gw 10.255.255.254, metric 600, scope global
     > 🛈 FIREWALL: Processing Chain: Table filter ip4 | Chain FORWARD ip4 filter
     > 🛈 FIREWALL: > Chain FORWARD | Rule 0 | Match => jump
-    > 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-USER
+    > 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-USER (1 rules)
     > 🛈 FIREWALL: > Chain DOCKER-USER | Rule 0 | Match => return
     > 🛈 FIREWALL: > Chain FORWARD | Rule 1
     > 🛈 FIREWALL: > Chain FORWARD | Rule 2
     > 🛈 FIREWALL: > Chain FORWARD | Rule 3
     > 🛈 FIREWALL: > Chain FORWARD | Rule 4 | Match => jump
-    > 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-FORWARD
+    > 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-FORWARD (4 rules)
     > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Rule 0 | Match => jump
-    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-CT
+    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-CT (1 rules)
     > 🛈 FIREWALL: > Chain DOCKER-CT | Rule 0
     > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Rule 1 | Match => jump
-    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-ISOLATION-STAGE-1
+    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-ISOLATION-STAGE-1 (1 rules)
     > 🛈 FIREWALL: > Chain DOCKER-ISOLATION-STAGE-1 | Rule 0 | Match => jump
-    > 🛈 FIREWALL: > Chain DOCKER-ISOLATION-STAGE-1 | Sub-Chain: DOCKER-ISOLATION-STAGE-2
+    > 🛈 FIREWALL: > Chain DOCKER-ISOLATION-STAGE-1 | Sub-Chain: DOCKER-ISOLATION-STAGE-2 (1 rules)
     > 🛈 FIREWALL: > Chain DOCKER-ISOLATION-STAGE-2 | Rule 0
     > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Rule 2 | Match => jump
-    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-BRIDGE
+    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-BRIDGE (1 rules)
     > 🛈 FIREWALL: > Chain DOCKER-BRIDGE | Rule 0
     > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Rule 3 | Match => accept
     > 🛈 FIREWALL: Processing Chain: Table nat ip4 | Chain POSTROUTING ip4 nat
     > 🛈 FIREWALL: > Chain POSTROUTING | Rule 0 | Match => snat
-    > 🛈 FIREWALL: Performed SNAT
+    > 🛈 FIREWALL: Performed SNAT: 172.17.11.5 => 10.255.255.48
     > ✓ FIREWALL: Packet passed
 
 ----
@@ -125,16 +125,17 @@ Block Example
     > 🛈 ROUTER: Packet inbound-route: 172.17.0.0/16, scope link
     > 🛈 FIREWALL: Processing Chain: Table nat ip4 | Chain PREROUTING ip4 nat
     > 🛈 FIREWALL: > Chain PREROUTING | Rule 0 | Match => jump
-    > 🛈 FIREWALL: > Chain PREROUTING | Sub-Chain: DOCKER
+    > 🛈 FIREWALL: > Chain PREROUTING | Sub-Chain: DOCKER (2 rules)
     > 🛈 FIREWALL: > Chain DOCKER | Rule 0 | Match => return
     > 🛈 ROUTER: Packet outbound-interface: wan
-    > 🛈 ROUTER: Packet outbound-route: 0.0.0.0/0, gw 10.255.255.254, metric 600, scope remote
+    > 🛈 ROUTER: Packet outbound-route: 0.0.0.0/0, gw 10.255.255.254, metric 600, scope global
     > 🛈 FIREWALL: Processing Chain: Table filter ip4 | Chain FORWARD ip4 filter
     > 🛈 FIREWALL: > Chain FORWARD | Rule 0 | Match => jump
-    > 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-USER
+    > 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-USER (1 rules)
     > 🛈 FIREWALL: > Chain DOCKER-USER | Rule 0 | Match => return
     > 🛈 FIREWALL: > Chain FORWARD | Rule 1 | Match => drop
-    > ✖ FIREWALL: Packet blocked by rule: {'action': 'drop', 'seq': 1, 'raw': Rule: #101 "TEST DROP" | Matches: [proto_l3 == ip4 & ip_daddr == ['2.2.2.2/32']]}
+    > ✖ FIREWALL: Packet blocked by rule: Seq 1, Action: drop, Rule: #101 "TEST IP4-DADDR DROP"
+    >              > Matches: {'proto_l3': {'==': 'ip4'}, 'ip_daddr': {'==': ['2.2.2.2/32']}}
 
 ----
 
@@ -150,26 +151,38 @@ You can get more detailed output by increasing the verbosity:
     > 🛈 ROUTER: Packet inbound-interface: docker0
     > 🛈 ROUTER: Packet inbound-route: 172.17.0.0/16, scope link
     > 🛈 FIREWALL: Processing Chain: Table nat ip4 | Chain PREROUTING ip4 nat
-    > 🛈 FIREWALL: > Chain PREROUTING | Rule 0 | Match => jump | {'action': 'jump', 'seq': 0, 'raw': Rule: #3 | Matches: []}
-    > 🛈 FIREWALL: > Chain PREROUTING | Sub-Chain: DOCKER
-    > 🛈 FIREWALL: > Chain DOCKER | Rule 0 | Match => return | {'action': 'return', 'seq': 0, 'raw': Rule: #10 | Matches: [ni_in == ['docker0']]}
+    > 🛈 FIREWALL: > Chain PREROUTING | Rule 0 | Match => jump | Seq 0, Action: jump, Rule: #3
+    >              > Matches: {}
+    >
+    > 🛈 FIREWALL: > Chain PREROUTING | Sub-Chain: DOCKER (2 rules)
+    > 🛈 FIREWALL: > Chain DOCKER | Rule 0 | Match => return | Seq 0, Action: return, Rule: #10
+    >              > Matches: {'ni_in': {'==': ['docker0']}}
+    >
     > 🛈 FIREWALL: Flow-type: forward
     > 🛈 ROUTER: Packet outbound-interface: wan
-    > 🛈 ROUTER: Packet outbound-route: 0.0.0.0/0, gw 10.255.255.254, metric 600, scope remote
+    > 🛈 ROUTER: Packet outbound-route: 0.0.0.0/0, gw 10.255.255.254, metric 600, scope global
     > 🛈 FIREWALL: Processing Chain: Table filter ip4 | Chain FORWARD ip4 filter
-    > 🛈 FIREWALL: > Chain FORWARD | Rule 0 | Match => jump | {'action': 'jump', 'seq': 0, 'raw': Rule: #20 | Matches: []}
-    > 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-USER
-    > 🛈 FIREWALL: > Chain DOCKER-USER | Rule 0 | Match => return | {'action': 'return', 'seq': 0, 'raw': Rule: #19 | Matches: []}
-    > 🛈 FIREWALL: > Chain FORWARD | Rule 1 | Match => drop | {'action': 'drop', 'seq': 1, 'raw': Rule: #101 "TEST IP4-DADDR DROP" | Matches: [proto_l3 == ip4 & ip_daddr == ['2.2.2.2/32']]}
-    > ✖ FIREWALL: Packet blocked by rule: {'action': 'drop', 'seq': 1, 'raw': Rule: #101 "TEST IP4-DADDR DROP" | Matches: [proto_l3 == ip4 & ip_daddr == ['2.2.2.2/32']]}
+    > 🛈 FIREWALL: > Chain FORWARD | Rule 0 | Match => jump | Seq 0, Action: jump, Rule: #20
+    >              > Matches: {}
+    >
+    > 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-USER (1 rules)
+    > 🛈 FIREWALL: > Chain DOCKER-USER | Rule 0 | Match => return | Seq 0, Action: return, Rule: #19
+    >              > Matches: {}
+    >
+    > 🛈 FIREWALL: > Chain FORWARD | Rule 1 | Match => drop | Seq 1, Action: drop, Rule: #101 "TEST IP4-DADDR DROP"
+    >              > Matches: {'proto_l3': {'==': 'ip4'}, 'ip_daddr': {'==': ['2.2.2.2/32']}}
+    >
+    > ✖ FIREWALL: Packet blocked by rule: Seq 1, Action: drop, Rule: #101 "TEST IP4-DADDR DROP"
+    >              > Matches: {'proto_l3': {'==': 'ip4'}, 'ip_daddr': {'==': ['2.2.2.2/32']}}
 
 Or use the silent-mode:
 
 .. code-block:: bash
 
     ftf-cli ... --src-ip 172.17.11.5 --dst-ip 2.2.2.2 --verbosity silent
 
-    > ✖ FIREWALL: Packet blocked by rule: {'action': 'drop', 'seq': 1, 'raw': Rule: #101 "TEST IP4-DADDR DROP" | Matches: [proto_l3 == ip4 & ip_daddr == ['2.2.2.2/32']]}
+    > ✖ FIREWALL: Packet blocked by rule: Seq 1, Action: drop, Rule: #101 "TEST IP4-DADDR DROP"
+    >              > Matches: {'proto_l3': {'==': 'ip4'}, 'ip_daddr': {'==': ['2.2.2.2/32']}}
 
 ----
 
@@ -186,7 +199,7 @@ Depending on the system-specific configuration traffic can be dropped by non-fir
     > 🛈 ROUTER: Packet inbound-route: 172.17.0.0/16, scope link
     > 🛈 FIREWALL: Processing Chain: Table nat ip4 | Chain PREROUTING ip4 nat
     > 🛈 FIREWALL: > Chain PREROUTING | Rule 0 | Match => jump
-    > 🛈 FIREWALL: > Chain PREROUTING | Sub-Chain: DOCKER
+    > 🛈 FIREWALL: > Chain PREROUTING | Sub-Chain: DOCKER (2 rules)
     > 🛈 FIREWALL: > Chain DOCKER | Rule 0 | Match => return
     > 🛈 ROUTER: Packet outbound-interface: wan
     > 🛈 ROUTER: Packet outbound-route: 0.0.0.0/0, gw 10.255.255.254, metric 600, scope remote

src/firewall_test/plugins/translate/netfilter/elements.py

@@ -4,7 +4,7 @@
 from config import ProtoL3, ProtoL3IP4, ProtoL3IP6, MatchPort, ProtoL4ICMP, ProtoL4TCP, ProtoL4UDP, ProtoL3IP4IP6, \
     PROTO_L4_MAPPING, PROTO_L3_MAPPING
 from plugins.translate.netfilter.parts import RULE_ACTIONS, IGNORE_RULE_EXPRESSIONS, IGNORE_LEFT
-from utils.logger import log_warn
+from utils.logger import log_warn, rule_repr
 
 # pylint: disable=R0801
 
@@ -437,15 +437,4 @@ def get_matches(self) -> dict:
         return matches
 
     def __repr__(self) -> str:
-        cmt = ''
-        if self.comment is not None:
-            cmt = f' "{self.comment}"'
-
-        if self.handle is not None:
-            cmt += f' (handle {self.handle})'
-
-        matches = str(self.matches)
-        if len(matches) > 500:
-            matches = matches[:500] + '...'
-
-        return f"Rule: #{self.handle}{cmt} | Matches: {matches}"
+        return rule_repr(uid=self.handle, matches=self.get_matches(), cmt=self.comment)

src/firewall_test/plugins/translate/opnsense/rule.py

@@ -1,6 +1,7 @@
 from ipaddress import IPv4Network, IPv6Network
 
 from config import ProtoL3IP4IP6, PROTOS_L3, PROTOS_L4
+from utils.logger import rule_repr
 
 # pylint: disable=R0801
 
@@ -10,13 +11,16 @@ class OPNsenseRule:
     DIRECTION_OUT = 'out'
     DIRECTION_ANY = 'any'
 
+    OP_EQ = '=='
+    OP_NE = '!='
+
     def __init__(
             self,
             nr: int,
+            uuid: str,
             nis: list[str] = None,
             ni_direction: str = None,
             desc: str = None,
-            quick: bool = True,
             ipprotocol: PROTOS_L3 = ProtoL3IP4IP6,
             protocol: PROTOS_L4 = None,
             source: list[(IPv4Network, IPv6Network)] = None,
@@ -29,10 +33,10 @@ def __init__(
             destination_any: bool = False,
     ):
         self.nr = nr
+        self.uuid = uuid
         self.nis = nis
         self.ni_direction = ni_direction
         self.desc = desc
-        self.quick = quick
         self.ipp = ipprotocol
         self.proto = protocol
         self.src = source
@@ -73,42 +77,49 @@ def match_ip_saddr(self) -> bool:
 
     @property
     def match_ip_daddr(self) -> bool:
-        if self.dst_any or (self.src is not None and len(self.src) > 0):
+        if self.dst_any or (self.dst is not None and len(self.dst) > 0):
             return True
 
         return False
 
-    def get_match_types(self) -> (list[str], None):
-        match = []
+    def get_matches(self) -> (dict, None):
+        matches = {}
         if self.ipp is not None:
-            match.append('proto_l3')
+            matches['proto_l3'] = self.ipp.N
 
         if self.proto is not None:
-            match.append('proto_l4')
+            matches['proto_l4'] = [v.N for v in self.proto]
 
         if self.match_ip_saddr:
-            match.append('ip_saddr')
+            op = self.OP_NE if self.src_invert else self.OP_EQ
+            src = 'any' if self.src_any else [str(v) for v in self.src]
+            matches['ip_saddr'] = {op: src}
 
         if self.match_ip_daddr:
-            match.append('ip_daddr')
+            op = self.OP_NE if self.dst_invert else self.OP_EQ
+            dst = 'any' if self.dst_any else [str(v) for v in self.dst]
+            matches['ip_daddr'] = {op: dst}
 
         if self.match_ni_in:
-            match.append('ni_in')
+            matches['ni_in'] = self.nis
 
         if self.match_ni_out:
-            match.append('ni_out')
+            matches['ni_out'] = self.nis
 
         if self.src_port is not None and len(self.src_port) > 0:
-            match.append('src-port')
+            matches['src_port'] = self.src_port
 
         if self.dst_port is not None and len(self.dst_port) > 0:
-            match.append('dst-port')
+            matches['dst_port'] = self.dst_port
 
-        if len(match) == 0:
-            match = None
+        if len(matches) == 0:
+            return None
 
-        return match
+        return matches
 
     def __repr__(self) -> str:
-        desc = '' if self.desc is None else f' ({self.desc})'
-        return f"Rule: #{self.nr}{desc} | Matches: {self.get_match_types()}"
+        cmt = '' if self.desc is None else f' "{self.desc}"'
+        if self.uuid is not None:
+            cmt += f' (UUID: {self.uuid})'
+
+        return rule_repr(uid=self.nr, matches=self.get_matches(), cmt=cmt)

src/firewall_test/plugins/translate/opnsense/ruleset_test.py

@@ -23,7 +23,7 @@ def test_opnsense_ruleset():
     for c in table.chains:
         c.validate()
 
-    assert len(r.aliases) == 73  # todo: find missing 1 alias!
+    assert len(r.aliases) == 72  # todo: find missing 1 alias!
     assert len(r.aliases['HOST_DNS_TRUSTED_REPOS']) > 0
     for e in r.aliases['HOST_DNS_TRUSTED_REPOS']:
         assert isinstance(e, (IPv4Network, IPv6Network))
@@ -55,23 +55,65 @@ def test_opnsense_ruleset():
     ]
 
     assert len(r.chain_dnat.rules) == 0
-    assert len(r.chain_floating.rules) == 17
+    assert len(r.chain_floating.rules) == 14
     assert len(r.chain_ni_grp.rules) == 7
-    assert len(r.chain_ni.rules) == 87
+    assert len(r.chain_ni.rules) == 82
     assert len(r.chain_snat.rules) == 0
 
+    # todo: mock external responses (IPLists, DNS-resolution) for stable tests
     # todo: validate that matches are correct..
+
+    # drop any traffic to blacklisted targets (dst = iplist/urltable)
     r1 = r.chain_floating.rules[1]
     assert r1.seq == 2
     assert r1.action == RuleActionDrop
-    assert r1.raw.get_match_types() == ['proto_l3', 'ip_saddr']
-
+    m = r1.raw.get_matches()
+    assert 'ip_daddr' in m
+    assert '==' in m['ip_daddr']
+    assert len(m['ip_daddr']['==']) > 10  # IP-List content
+    assert 'ip_saddr' in m
+    assert '==' in m['ip_saddr'] and m['ip_saddr']['=='] == 'any'
+    assert 'proto_l3' in m
+    assert m['proto_l3'] == 'ip4'
+
+    # allow some server to sync with external pop3s
     r2 = r.chain_ni_grp.rules[4]
     assert r2.seq == 5
     assert r2.action == RuleActionAccept
-    assert r2.raw.get_match_types() == ['proto_l3', 'proto_l4', 'ip_saddr', 'ip_daddr', 'dst-port']
+    m = r2.raw.get_matches()
+    for e in ['dst_port', 'ip_daddr', 'ip_saddr', 'proto_l3', 'proto_l4']:
+        assert e in m
+
+    assert m['dst_port'] == [993]
+    assert '!=' in m['ip_daddr']
+    assert m['ip_daddr']['!='] == [
+        '10.38.0.0/16',
+        '10.0.0.0/8',
+        '172.16.0.0/12',
+    ]
+    assert '==' in m['ip_saddr']
+    assert m['ip_saddr']['=='] == ['10.34.28.206/32']
+    assert m['proto_l3'] == 'ip4'
+    assert m['proto_l4'] == ['tcp']
 
+    # allow some internal hosts http+s to an external service via DNS
     r3 = r.chain_ni.rules[42]
-    assert r3.seq == 43
+    assert r3.seq == 44
     assert r3.action == RuleActionAccept
-    assert r3.raw.get_match_types() == ['proto_l3', 'proto_l4', 'ip_saddr', 'ip_daddr', 'dst-port']
+    m = r3.raw.get_matches()
+    for e in ['dst_port', 'ip_daddr', 'ip_saddr', 'proto_l3', 'proto_l4']:
+        assert e in m
+
+    assert m['dst_port'] == [80, 443]
+    assert '==' in m['ip_daddr']
+    assert len(m['ip_daddr']['==']) > 10  # DNS-resolved alias
+    assert '==' in m['ip_saddr']
+    assert m['ip_saddr']['=='] == [
+        '10.38.13.201/32',
+        '10.34.28.101/32',
+    ]
+    assert m['proto_l3'] == 'ip4'
+    assert m['proto_l4'] == ['tcp']
+
+
+# todo: add tests for many possible real-life rule-expression-combinations to catch edge-cases

src/firewall_test/simulator/firewall.py

@@ -33,7 +33,7 @@ def _log_match(self, chain: Chain, rule: Rule, debug: bool = False):
             lazy_action = ' (lazy)'
 
         msg = f'> Chain {chain.name} | Rule {rule.seq} | Match => {rule.action.N}{lazy_action}'
-        v2 = f' | {rule.dump()}'
+        v2 = f' | {rule.log()}'
         if debug:
             log_debug('Firewall', msg + v2)
 
@@ -116,7 +116,7 @@ def process(self, chain: Chain, packet: PACKET_KINDS) -> (bool, (Rule, None)):
 
                 log_info(
                     label='Firewall',
-                    v1=f'> Chain {chain.name} | Sub-Chain: {target_chain.name}',
+                    v1=f'> Chain {chain.name} | Sub-Chain: {target_chain.name} ({len(target_chain.rules)} rules)',
                     v3=f' {target_chain.family.N} {target_chain.type}'
                 )
                 target_chain.run_table = chain.run_table

src/firewall_test/simulator/main.py

@@ -59,7 +59,7 @@ def __init__(self, packet: PACKET_KINDS, simulator):
         _, self.dnat = self._s.fw.process_dnat(packet=packet, flow=self.flow_type)
         self._dnat_done = True
         if self.dnat is not None:
-            log_info(label='Firewall', v1='Performed DNAT', v2=f': {self.packet.dnat_str}')
+            log_info(label='Firewall', v1=f'Performed DNAT: {self.packet.dnat_str}')
 
         ### UPDATE TRAFFIC FLOW AND OUTBOUND-NETWORK-INTERFACE ###
 
@@ -114,7 +114,7 @@ def __init__(self, packet: PACKET_KINDS, simulator):
                 else:
                     self.packet.src = self._get_snat_masquerade_ip()
 
-            log_info(label='Firewall', v1='Performed SNAT', v2=f': {self.packet.snat_str()}')
+            log_info(label='Firewall', v1=f'Performed SNAT: {self.packet.snat_str()}')
 
         elif self.flow_type == FlowOutput:
             # use the correct outbound-IP if the traffic originated from this host itself
@@ -261,7 +261,7 @@ def _log_block(rule: (Rule, None)):
             log_error(label='Firewall', v1='Packet blocked by chain default-policy', final=True)
 
         else:
-            log_error(label='Firewall', v1='Packet blocked by rule', v2=f': {rule.dump()}', final=True)
+            log_error(label='Firewall', v1='Packet blocked by rule', v2=f': {rule.log()}', final=True)
 
 
 class Simulator: