plugin opnsense: fix for chains (remove hooks and use goto instead)

superstes · superstes · commit b7a8bc8e8fca · 2025-09-10T00:16:28.000+02:00
diff --git a/docs/source/plugins/firewall_opnsense.rst b/docs/source/plugins/firewall_opnsense.rst
@@ -41,6 +41,105 @@ Here is an example on how to run it with the exported config:
             --src-ip 10.57.65.44 \
             --dst-ip 1.1.1.1
 
+Example
+*******
+
+**Note**: NAT is not yet implemented for this example.
+
+.. code-block:: bash
+
+    ftf-cli --firewall-system 'opnsense' \
+            --file-ruleset 'testdata/plugin_translate_opnsense_config.xml' \
+            --file-interfaces 'testdata/plugin_translate_opnsense_network.json' \
+            --file-routes 'testdata/plugin_translate_opnsense_network.json' \
+            --src-ip 10.34.28.206 \
+            --dst-ip 1.1.1.1 \
+            --port 993
+
+    > ⚠ FIREWALL PLUGIN: Unable to resolve alias DNS: "test.some-invalid-domain.oxl.aaaa"
+    > ⚠ FIREWALL PLUGIN: Unsupported alias-type "geoip" will be skipped: "GEOIP_NEARBY"
+    > ⚠ FIREWALL PLUGIN: Unable to parse rule-address: "GEOIP_NEARBY"
+    > ⚠ FIREWALL PLUGIN: Unsupported rule: Chain floating, Rule 15
+    > ⚠ FIREWALL PLUGIN: Unable to parse rule-address: "GEOIP_NEARBY"
+    > ⚠ FIREWALL PLUGIN: Unsupported rule: Chain interfaces, Rule 9 (GeoIP Block)
+    > ⚠ FIREWALL PLUGIN: Unable to parse rule-address: "GEOIP_NEARBY"
+    > ⚠ FIREWALL PLUGIN: Unsupported rule: Chain interfaces, Rule 80
+    > ⚠ FIREWALL PLUGIN: Unable to parse rule-address: "GEOIP_NEARBY"
+    > ⚠ FIREWALL PLUGIN: Unsupported rule: Chain interfaces, Rule 85 (SVC_1 Proxies)
+    > 🛈 ROUTER: Packet inbound-interface: lan (LAN)
+    > 🛈 ROUTER: Packet inbound-route: 10.34.28.0/24, scope link
+    > 🛈 FIREWALL: Processing Chain: Table "default" ip | Chain "dnat" ip nat (0 rules)
+    > 🛈 ROUTER: Packet outbound-interface: opt5 (WAN2)
+    > 🛈 ROUTER: Packet outbound-route: 0.0.0.0/0, gw 169.169.169.1, scope global
+    > 🛈 FIREWALL: Processing Chain: Table "default" ip | Chain "floating" ip filter (15 rules)
+    > 🛈 FIREWALL: > Chain floating | Rule 1
+    > 🛈 FIREWALL: > Chain floating | Rule 2
+    > 🛈 FIREWALL: > Chain floating | Rule 3
+    > 🛈 FIREWALL: > Chain floating | Rule 4
+    > 🛈 FIREWALL: > Chain floating | Rule 5
+    > 🛈 FIREWALL: > Chain floating | Rule 6
+    > 🛈 FIREWALL: > Chain floating | Rule 7
+    > 🛈 FIREWALL: > Chain floating | Rule 8
+    > 🛈 FIREWALL: > Chain floating | Rule 9
+    > 🛈 FIREWALL: > Chain floating | Rule 10
+    > 🛈 FIREWALL: > Chain floating | Rule 11
+    > 🛈 FIREWALL: > Chain floating | Rule 12
+    > 🛈 FIREWALL: > Chain floating | Rule 13
+    > 🛈 FIREWALL: > Chain floating | Rule 14
+    > 🛈 FIREWALL: > Chain floating | Rule 1000000 | Match => goto
+    > 🛈 FIREWALL: > Chain floating | Sub-Chain: interface_groups (8 rules)
+    > 🛈 FIREWALL: > Chain interface_groups | Rule 1
+    > 🛈 FIREWALL: > Chain interface_groups | Rule 2
+    > 🛈 FIREWALL: > Chain interface_groups | Rule 3
+    > 🛈 FIREWALL: > Chain interface_groups | Rule 4
+    > 🛈 FIREWALL: > Chain interface_groups | Rule 5 | Match => accept
+    > 🛈 FIREWALL: Processing Chain: Table "default" ip | Chain "snat" ip nat (0 rules)
+    > ⚠ FIREWALL: Source is bogon-network and heading to Public-WAN without SNAT!
+    > ✓ FIREWALL: Packet passed
+
+**Block Example**:
+
+.. code-block:: bash
+
+    ftf-cli ... --src-ip 10.34.28.206 --dst-ip 1.10.16.4
+
+    ...
+    > 🛈 ROUTER: Packet inbound-interface: lan (LAN)
+    > 🛈 ROUTER: Packet inbound-route: 10.34.28.0/24, scope link
+    > 🛈 FIREWALL: Processing Chain: Table "default" ip | Chain "dnat" ip nat (0 rules)
+    > 🛈 ROUTER: Packet outbound-interface: opt5 (WAN2)
+    > 🛈 ROUTER: Packet outbound-route: 0.0.0.0/0, gw 169.169.169.1, scope global
+    > 🛈 FIREWALL: Processing Chain: Table "default" ip | Chain "floating" ip filter (15 rules)
+    > 🛈 FIREWALL: > Chain floating | Rule 1
+    > 🛈 FIREWALL: > Chain floating | Rule 2 | Match => drop
+    > ✖ FIREWALL: Packet blocked by rule: Seq 2, Action: drop, Rule: #2 "SpamHaus DROP Block Outbound"
+    >              > Matches: {'proto_l3': 'ip4', 'ip_saddr': {'==': 'any'}, 'ip_daddr': {'==': ['1.10.16.0/20', '1.19.0.0/16', '1.32.128.0/18', '2.56.192.0/22', '2.57.122.0/24', '2.57.232.0/23', '2.57.234.0/23', '2.59.152.0/24', '2.59.154.0/24', '5.42.92.0/24', '5.105.220.0/24', '5.133.101.0/24', '5.134.128.0/19', '5.183.60.0/22', '5.183.129.0/24', '5.188.10.0/23', '5.188.11.0/24', '5.188.236.0/23', '14.128.32.0/20', '14.128.48.0/21', '14.152.94.0/24', '23.94.58.0/24', '23.129.252.0/23', '23.137.100.0/24', '23.146.240.0/24'...
+
+**Increased Verbosity**:
+
+Use the :code:`verbosity` flag to get more information about the rules and matching.
+
+.. code-block:: bash
+
+    ftf-cli ... --src-ip 10.34.28.206 --dst-ip 1.10.16.4 --verbosity 2
+
+    ...
+    > 🛈 ROUTER: Packet inbound-interface: lan (LAN)
+    > 🛈 ROUTER: Packet inbound-route: 10.34.28.0/24, scope link
+    > 🛈 FIREWALL: Processing Chain: Table "default" ip | Chain "dnat" ip nat (0 rules)
+    > 🛈 FIREWALL: Flow-type: forward
+    > 🛈 ROUTER: Packet outbound-interface: opt5 (WAN2)
+    > 🛈 ROUTER: Packet outbound-route: 0.0.0.0/0, gw 169.169.169.1, scope global
+    > 🛈 FIREWALL: Processing Chain: Table "default" ip | Chain "floating" ip filter (15 rules)
+    > 🛈 FIREWALL: > Chain floating | Rule 1 | Seq 1, Action: accept, Rule: #1
+    >              > Matches: {'proto_l3': 'ip4', 'ip_saddr': {'==': ['192.168.0.0/30']}, 'ip_daddr': {'==': ['192.168.0.0/30']}}
+    >
+    > 🛈 FIREWALL: > Chain floating | Rule 2 | Match => drop | Seq 2, Action: drop, Rule: #2 "SpamHaus DROP Block Outbound"
+    >              > Matches: {'proto_l3': 'ip4', 'ip_saddr': {'==': 'any'}, 'ip_daddr': {'==': ['1.10.16.0/20', '1.19.0.0/16', '1.32.128.0/18', '2.56.192.0/22', '2.57.122.0/24', '2.57.232.0/23', '2.57.234.0/23', '2.59.152.0/24', '2.59.154.0/24', '5.42.92.0/24', '5.105.220.0/24', '5.133.101.0/24', '5.134.128.0/19', '5.183.60.0/22', '5.183.129.0/24', '5.188.10.0/23', '5.188.11.0/24', '5.188.236.0/23', '14.128.32.0/20', '14.128.48.0/21', '14.152.94.0/24', '23.94.58.0/24', '23.129.252.0/23', '23.137.100.0/24', '23.146.240.0/24'...
+    >
+    > ✖ FIREWALL: Packet blocked by rule: Seq 2, Action: drop, Rule: #2 "SpamHaus DROP Block Outbound"
+    >              > Matches: {'proto_l3': 'ip4', 'ip_saddr': {'==': 'any'}, 'ip_daddr': {'==': ['1.10.16.0/20', '1.19.0.0/16', '1.32.128.0/18', '2.56.192.0/22', '2.57.122.0/24', '2.57.232.0/23', '2.57.234.0/23', '2.59.152.0/24', '2.59.154.0/24', '5.42.92.0/24', '5.105.220.0/24', '5.133.101.0/24', '5.134.128.0/19', '5.183.60.0/22', '5.183.129.0/24', '5.188.10.0/23', '5.188.11.0/24', '5.188.236.0/23', '14.128.32.0/20', '14.128.48.0/21', '14.152.94.0/24', '23.94.58.0/24', '23.129.252.0/23', '23.137.100.0/24', '23.146.240.0/24'...
+
 ----
 
 Source Code
diff --git a/src/firewall_test/plugins/system/firewall_opnsense.py b/src/firewall_test/plugins/system/firewall_opnsense.py
@@ -1,8 +1,8 @@
-from config import ProtoL3IP4IP6
+from config import ProtoL3IP4IP6, RuleActionGoTo
 from simulator.packet import PACKET_KINDS, PacketTCPUDP
 from plugins.translate.abstract import Rule
 from plugins.system.abstract_rule_match import RuleMatcher, RuleMatchResult
-from plugins.translate.opnsense.rule import OPNsenseRule
+from plugins.translate.opnsense.rule import OPNsenseRule, RULE_SEQUENCE_NEXT_CHAIN
 from utils.logger import log_warn, log_debug
 
 # todo: add explicit match-tests
@@ -16,8 +16,17 @@ def matches(self, packet: PACKET_KINDS, rule: Rule) -> RuleMatchResult:
         :param rule: Rule to check
         :return: RuleMatchResult
         """
-        opn_rule: OPNsenseRule = rule.raw
 
+        if rule.action == RuleActionGoTo and rule.seq == RULE_SEQUENCE_NEXT_CHAIN:
+            return RuleMatchResult(
+                matched=True,
+                action=rule.action,
+                target_chain_name=rule.raw,  # will only contain chain-name in that case
+                target_nat_ip=None,
+                target_nat_port=None,
+            )
+
+        opn_rule: OPNsenseRule = rule.raw
         results = []
         ### NETWORK INTERFACES ###
         if opn_rule.match_ni_in:
diff --git a/src/firewall_test/plugins/system/system_opnsense.py b/src/firewall_test/plugins/system/system_opnsense.py
@@ -21,10 +21,10 @@ class SystemOPNsense(FirewallSystem):
 
     # see: https://docs.opnsense.org/manual/firewall.html#processing-order
     FIREWALL_HOOKS = {
-        FlowInput: ['dnat', 'floating', 'interface_groups', 'interfaces'],
-        FlowForward: ['dnat', 'floating', 'interface_groups', 'interfaces', 'snat'],
-        FlowOutput: ['dnat', 'floating', 'interface_groups', 'interfaces', 'snat'],
-        'full': ['dnat', 'floating', 'interface_groups', 'interfaces', 'snat'],
+        FlowInput: ['dnat', 'filters'],
+        FlowForward: ['dnat', 'filters', 'snat'],
+        FlowOutput: ['dnat', 'filters', 'snat'],
+        'full': ['dnat', 'filters', 'snat'],
     }
     FIREWALL_INGRESS = {
         FlowInput: {'hook': 'prerouting', 'priority': 1000},
diff --git a/src/firewall_test/plugins/translate/abstract.py b/src/firewall_test/plugins/translate/abstract.py
@@ -304,7 +304,7 @@ class Chain(TranslateOutput):
 
     # pylint: disable=W0622
     def __init__(
-        self, name: str, hook: str, policy: (None, RuleActionAccept, RuleActionDrop, RuleActionReject),
+        self, name: str, hook: (str, None), policy: (None, RuleActionAccept, RuleActionDrop, RuleActionReject),
             rules: list[Rule], priority: int = 0, type: str = 'filter', family: type[ProtoL3] = ProtoL3IP4IP6,
     ):
         self.name = name
diff --git a/src/firewall_test/plugins/translate/opnsense/rule.py b/src/firewall_test/plugins/translate/opnsense/rule.py
@@ -5,6 +5,9 @@
 
 # pylint: disable=R0801
 
+RULE_SEQUENCE_NEXT_CHAIN = 1_000_000
+
+
 # pylint: disable=R0912,R0913,R0914,R0915,R0917
 class OPNsenseRule:
     DIRECTION_IN = 'in'
diff --git a/src/firewall_test/plugins/translate/opnsense/ruleset.py b/src/firewall_test/plugins/translate/opnsense/ruleset.py
@@ -14,8 +14,8 @@
     IPLIST_COMMENT_CHARS, ProtoL4ICMP, ProtoL4TCP, ProtoL4UDP, ProtoL3IP4, ProtoL3IP6, BOGONS
 from plugins.system.system_opnsense import SystemOPNsense
 from plugins.translate.abstract import Ruleset, TranslatePluginRuleset, Table, Chain, Rule, \
-    RuleActionAccept, RuleActionDrop
-from plugins.translate.opnsense.rule import OPNsenseRule
+    RuleActionAccept, RuleActionDrop, RuleActionGoTo
+from plugins.translate.opnsense.rule import OPNsenseRule, RULE_SEQUENCE_NEXT_CHAIN
 from utils.logger import log_warn
 
 XML_ELEMENT_NIS = 'interfaces'
@@ -100,13 +100,13 @@ def __init__(self, raw: str):
             name='dnat', hook='dnat', policy=RuleActionAccept, type='nat', rules=[],
         )
         self.chain_floating = OPNsenseChainOutput(
-            name='floating', hook='floating', policy=RuleActionAccept, rules=[],
+            name='floating', hook='filters', policy=RuleActionDrop, rules=[],
         )
         self.chain_ni_grp = OPNsenseChainOutput(
-            name='interface_groups', hook='interface_groups', policy=RuleActionAccept, rules=[],
+            name='interface_groups', hook=None, policy=RuleActionAccept, rules=[],
         )
         self.chain_ni = OPNsenseChainOutput(
-            name='interfaces', hook='interfaces', policy=RuleActionDrop, rules=[],
+            name='interfaces', hook=None, policy=RuleActionDrop, rules=[],
         )
         self.chain_snat = OPNsenseChainOutput(
             name='snat', hook='snat', policy=RuleActionAccept, type='nat', rules=[],
@@ -133,6 +133,16 @@ def get(self) -> Ruleset:
         self.aliases['bogons'] = BOGONS
 
         self._parse_rules_old()
+        self.chain_floating.rules.append(Rule(
+            action=RuleActionGoTo,
+            seq=RULE_SEQUENCE_NEXT_CHAIN,
+            raw='interface_groups',
+        ))
+        self.chain_ni_grp.rules.append(Rule(
+            action=RuleActionGoTo,
+            seq=RULE_SEQUENCE_NEXT_CHAIN,
+            raw='interfaces',
+        ))
 
         return Ruleset(tables=[
             Table(
