add system-config setting to dis-allow traffic-forwarding

Author: superstes

src/firewall_test/plugins/system/abstract.py

@@ -16,7 +16,10 @@ class FirewallSystem(ABC):
     ROUTE_STATIC_RULES = False
 
     # if the system allows traffic to bogon-networks to be sent to wan/default-route
-    FIREWALL_DROP_WAN_BOGONS = True
+    SYSTEM_DROP_WAN_BOGONS = True
+
+    # if the system allows traffic to be forwarded; todo: should be instance-specific
+    SYSTEM_DROP_FORWARD = False
 
     # the firewall supports bsd-pf-style quick/lazy matching
     FIREWALL_ACTION_LAZY = False

src/firewall_test/plugins/system/system_linux_netfilter.py

@@ -9,7 +9,9 @@ class SystemLinuxNetfilter(FirewallSystem):
     ROUTE_STATIC = True
     ROUTE_STATIC_RULES = True
 
-    FIREWALL_DROP_WAN_BOGONS = True
+    SYSTEM_DROP_WAN_BOGONS = True
+    SYSTEM_DROP_FORWARD = False
+
     FIREWALL_ACTION_LAZY = False
     FIREWALL_CT = True
     FIREWALL_PRIO_LOWER_BETTER = True

src/firewall_test/simulator/main.py

@@ -89,6 +89,11 @@ def __init__(self, packet: PACKET_KINDS, simulator):
                 log_error('System', 'Dropping traffic to WAN targeting bogons', final=True)
                 return
 
+        if self.flow_type == FlowForward and self._s.system.SYSTEM_DROP_FORWARD:
+            # DROP PACKET IF TRAFFIC-FORWARDING IS NOT ALLOWED
+            log_error('System', 'Dropping forward traffic', final=True)
+            return
+
         ### PROCESSING MAIN FIREWALL-FILTERS ###
 
         result, rule = self._s.fw.process_main(packet=packet, flow=self.flow_type)