handle terminal-actions from child-chains and chain default-policies, moved translate-config

Author: superstes

README.md

@@ -28,38 +28,23 @@ ftf-cli --firewall-system 'linux_netfilter' \
         --file-routes 'testdata/plugin_translate_linux_routes.json' \
         --file-route-rules 'testdata/plugin_translate_linux_route-rules.json' \
         --file-ruleset 'testdata/plugin_translate_netfilter_ruleset.json' \
-        --src-ip 10.0.0.1 \
-        --dst-ip 172.17.10.6
+        --src-ip 172.17.11.5 \
+        --dst-ip 2.2.2.2
 
-> 🛈 ROUTER: Packet inbound-interface: wan
-> 🛈 ROUTER: Packet inbound-route: 0.0.0.0/0, gw 10.255.255.254, metric 600, scope remote
+> 🛈 ROUTER: Packet inbound-interface: docker0
+> 🛈 ROUTER: Packet inbound-route: 172.17.0.0/16, scope link
 > 🛈 FIREWALL: Processing Chain: Table nat ip4 | Chain PREROUTING ip4 nat
 > 🛈 FIREWALL: > Chain PREROUTING | Rule 0 | Match => jump
 > 🛈 FIREWALL: > Chain PREROUTING | Sub-Chain: DOCKER
-> 🛈 FIREWALL: > Chain DOCKER | Rule 0
-> 🛈 FIREWALL: > Chain DOCKER | Rule 1
-> 🛈 ROUTER: Packet outbound-interface: docker0
-> 🛈 ROUTER: Packet outbound-route: 172.17.0.0/16, scope link
+> 🛈 FIREWALL: > Chain DOCKER | Rule 0 | Match => return
+> 🛈 ROUTER: Packet outbound-interface: wan
+> 🛈 ROUTER: Packet outbound-route: 0.0.0.0/0, gw 10.255.255.254, metric 600, scope remote
 > 🛈 FIREWALL: Processing Chain: Table filter ip4 | Chain FORWARD ip4 filter
 > 🛈 FIREWALL: > Chain FORWARD | Rule 0 | Match => jump
 > 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-USER
 > 🛈 FIREWALL: > Chain DOCKER-USER | Rule 0 | Match => return
-> 🛈 FIREWALL: > Chain FORWARD | Rule 1 | Match => jump
-> 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-FORWARD
-> 🛈 FIREWALL: > Chain DOCKER-FORWARD | Rule 0 | Match => jump
-> 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-CT
-> 🛈 FIREWALL: > Chain DOCKER-CT | Rule 0 | Match => accept
-> 🛈 FIREWALL: > Chain DOCKER-FORWARD | Rule 1 | Match => jump
-> 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-ISOLATION-STAGE-1
-> 🛈 FIREWALL: > Chain DOCKER-ISOLATION-STAGE-1 | Rule 0
-> 🛈 FIREWALL: > Chain DOCKER-FORWARD | Rule 2 | Match => jump
-> 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-BRIDGE
-> 🛈 FIREWALL: > Chain DOCKER-BRIDGE | Rule 0 | Match => jump
-> 🛈 FIREWALL: > Chain DOCKER-BRIDGE | Sub-Chain: DOCKER
-> 🛈 FIREWALL: > Chain DOCKER | Rule 0
-> 🛈 FIREWALL: > Chain DOCKER | Rule 1 | Match => drop
-> ✖ FIREWALL: Packet blocked by rule: {'action': 'drop', 'seq': 1, 'raw': Rule: #22 | Matches: [ni_in != ['docker0'], ni_out == ['docker0']]}
-
+> 🛈 FIREWALL: > Chain FORWARD | Rule 1 | Match => drop
+> ✖ FIREWALL: Packet blocked by rule: {'action': 'drop', 'seq': 1, 'raw': Rule: #101 "TEST DROP" | Matches: [proto_l3 == ip4 & ip_daddr == ['2.2.2.2/32']]}
 ```
 
 ----

docs/source/usage/3_run.rst

@@ -90,7 +90,10 @@ Pass Example
     > 🛈 FIREWALL: > Chain FORWARD | Rule 0 | Match => jump
     > 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-USER
     > 🛈 FIREWALL: > Chain DOCKER-USER | Rule 0 | Match => return
-    > 🛈 FIREWALL: > Chain FORWARD | Rule 1 | Match => jump
+    > 🛈 FIREWALL: > Chain FORWARD | Rule 1
+    > 🛈 FIREWALL: > Chain FORWARD | Rule 2
+    > 🛈 FIREWALL: > Chain FORWARD | Rule 3
+    > 🛈 FIREWALL: > Chain FORWARD | Rule 4 | Match => jump
     > 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-FORWARD
     > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Rule 0 | Match => jump
     > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-CT
@@ -116,36 +119,22 @@ Block Example
 
 .. code-block:: bash
 
-    ftf-cli ... --src-ip 10.0.0.1 --dst-ip 172.17.10.6
+    ftf-cli ... --src-ip 172.17.11.5 --dst-ip 2.2.2.2
 
-    > 🛈 ROUTER: Packet inbound-interface: wan
-    > 🛈 ROUTER: Packet inbound-route: 0.0.0.0/0, gw 10.255.255.254, metric 600, scope remote
+    > 🛈 ROUTER: Packet inbound-interface: docker0
+    > 🛈 ROUTER: Packet inbound-route: 172.17.0.0/16, scope link
     > 🛈 FIREWALL: Processing Chain: Table nat ip4 | Chain PREROUTING ip4 nat
     > 🛈 FIREWALL: > Chain PREROUTING | Rule 0 | Match => jump
     > 🛈 FIREWALL: > Chain PREROUTING | Sub-Chain: DOCKER
-    > 🛈 FIREWALL: > Chain DOCKER | Rule 0
-    > 🛈 FIREWALL: > Chain DOCKER | Rule 1
-    > 🛈 ROUTER: Packet outbound-interface: docker0
-    > 🛈 ROUTER: Packet outbound-route: 172.17.0.0/16, scope link
+    > 🛈 FIREWALL: > Chain DOCKER | Rule 0 | Match => return
+    > 🛈 ROUTER: Packet outbound-interface: wan
+    > 🛈 ROUTER: Packet outbound-route: 0.0.0.0/0, gw 10.255.255.254, metric 600, scope remote
     > 🛈 FIREWALL: Processing Chain: Table filter ip4 | Chain FORWARD ip4 filter
     > 🛈 FIREWALL: > Chain FORWARD | Rule 0 | Match => jump
     > 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-USER
     > 🛈 FIREWALL: > Chain DOCKER-USER | Rule 0 | Match => return
-    > 🛈 FIREWALL: > Chain FORWARD | Rule 1 | Match => jump
-    > 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-FORWARD
-    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Rule 0 | Match => jump
-    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-CT
-    > 🛈 FIREWALL: > Chain DOCKER-CT | Rule 0 | Match => accept
-    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Rule 1 | Match => jump
-    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-ISOLATION-STAGE-1
-    > 🛈 FIREWALL: > Chain DOCKER-ISOLATION-STAGE-1 | Rule 0
-    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Rule 2 | Match => jump
-    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-BRIDGE
-    > 🛈 FIREWALL: > Chain DOCKER-BRIDGE | Rule 0 | Match => jump
-    > 🛈 FIREWALL: > Chain DOCKER-BRIDGE | Sub-Chain: DOCKER
-    > 🛈 FIREWALL: > Chain DOCKER | Rule 0
-    > 🛈 FIREWALL: > Chain DOCKER | Rule 1 | Match => drop
-    > ✖ FIREWALL: Packet blocked by rule: {'action': 'drop', 'seq': 1, 'raw': Rule: #22 | Matches: [ni_in != ['docker0'], ni_out == ['docker0']]}
+    > 🛈 FIREWALL: > Chain FORWARD | Rule 1 | Match => drop
+    > ✖ FIREWALL: Packet blocked by rule: {'action': 'drop', 'seq': 1, 'raw': Rule: #101 "TEST DROP" | Matches: [proto_l3 == ip4 & ip_daddr == ['2.2.2.2/32']]}
 
 ----
 
@@ -156,45 +145,31 @@ You can get more detailed output by increasing the verbosity:
 
 .. code-block:: bash
 
-    ftf-cli ... --src-ip 10.0.0.1 --dst-ip 172.17.10.6 --verbosity 2
+    ftf-cli ... --src-ip 172.17.11.5 --dst-ip 2.2.2.2 --verbosity 2
 
-    > 🛈 ROUTER: Packet inbound-interface: wan
-    > 🛈 ROUTER: Packet inbound-route: 0.0.0.0/0, gw 10.255.255.254, metric 600, scope remote
+    > 🛈 ROUTER: Packet inbound-interface: docker0
+    > 🛈 ROUTER: Packet inbound-route: 172.17.0.0/16, scope link
     > 🛈 FIREWALL: Processing Chain: Table nat ip4 | Chain PREROUTING ip4 nat
     > 🛈 FIREWALL: > Chain PREROUTING | Rule 0 | Match => jump | {'action': 'jump', 'seq': 0, 'raw': Rule: #3 | Matches: []}
     > 🛈 FIREWALL: > Chain PREROUTING | Sub-Chain: DOCKER
-    > 🛈 FIREWALL: > Chain DOCKER | Rule 0 | {'action': 'return', 'seq': 0, 'raw': Rule: #10 | Matches: [ni_in == ['docker0']]}
-    > 🛈 FIREWALL: > Chain DOCKER | Rule 1 | {'action': 'drop', 'seq': 1, 'raw': Rule: #22 | Matches: [ni_in != ['docker0'], ni_out == ['docker0']]}
+    > 🛈 FIREWALL: > Chain DOCKER | Rule 0 | Match => return | {'action': 'return', 'seq': 0, 'raw': Rule: #10 | Matches: [ni_in == ['docker0']]}
     > 🛈 FIREWALL: Flow-type: forward
-    > 🛈 ROUTER: Packet outbound-interface: docker0
-    > 🛈 ROUTER: Packet outbound-route: 172.17.0.0/16, scope link
+    > 🛈 ROUTER: Packet outbound-interface: wan
+    > 🛈 ROUTER: Packet outbound-route: 0.0.0.0/0, gw 10.255.255.254, metric 600, scope remote
     > 🛈 FIREWALL: Processing Chain: Table filter ip4 | Chain FORWARD ip4 filter
     > 🛈 FIREWALL: > Chain FORWARD | Rule 0 | Match => jump | {'action': 'jump', 'seq': 0, 'raw': Rule: #20 | Matches: []}
     > 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-USER
     > 🛈 FIREWALL: > Chain DOCKER-USER | Rule 0 | Match => return | {'action': 'return', 'seq': 0, 'raw': Rule: #19 | Matches: []}
-    > 🛈 FIREWALL: > Chain FORWARD | Rule 1 | Match => jump | {'action': 'jump', 'seq': 1, 'raw': Rule: #8 | Matches: []}
-    > 🛈 FIREWALL: > Chain FORWARD | Sub-Chain: DOCKER-FORWARD
-    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Rule 0 | Match => jump | {'action': 'jump', 'seq': 0, 'raw': Rule: #11 | Matches: []}
-    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-CT
-    > 🛈 FIREWALL: > Chain DOCKER-CT | Rule 0 | Match => accept | {'action': 'accept', 'seq': 0, 'raw': Rule: #23 | Matches: [ni_out == ['docker0']]}
-    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Rule 1 | Match => jump | {'action': 'jump', 'seq': 1, 'raw': Rule: #10 | Matches: []}
-    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-ISOLATION-STAGE-1
-    > 🛈 FIREWALL: > Chain DOCKER-ISOLATION-STAGE-1 | Rule 0 | {'action': 'jump', 'seq': 0, 'raw': Rule: #25 | Matches: [ni_in == ['docker0'], ni_out != ['docker0']]}
-    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Rule 2 | Match => jump | {'action': 'jump', 'seq': 2, 'raw': Rule: #9 | Matches: []}
-    > 🛈 FIREWALL: > Chain DOCKER-FORWARD | Sub-Chain: DOCKER-BRIDGE
-    > 🛈 FIREWALL: > Chain DOCKER-BRIDGE | Rule 0 | Match => jump | {'action': 'jump', 'seq': 0, 'raw': Rule: #24 | Matches: [ni_out == ['docker0']]}
-    > 🛈 FIREWALL: > Chain DOCKER-BRIDGE | Sub-Chain: DOCKER
-    > 🛈 FIREWALL: > Chain DOCKER | Rule 0 | {'action': 'return', 'seq': 0, 'raw': Rule: #10 | Matches: [ni_in == ['docker0']]}
-    > 🛈 FIREWALL: > Chain DOCKER | Rule 1 | Match => drop | {'action': 'drop', 'seq': 1, 'raw': Rule: #22 | Matches: [ni_in != ['docker0'], ni_out == ['docker0']]}
-    > ✖ FIREWALL: Packet blocked by rule: {'action': 'drop', 'seq': 1, 'raw': Rule: #22 | Matches: [ni_in != ['docker0'], ni_out == ['docker0']]}
+    > 🛈 FIREWALL: > Chain FORWARD | Rule 1 | Match => drop | {'action': 'drop', 'seq': 1, 'raw': Rule: #101 "TEST IP4-DADDR DROP" | Matches: [proto_l3 == ip4 & ip_daddr == ['2.2.2.2/32']]}
+    > ✖ FIREWALL: Packet blocked by rule: {'action': 'drop', 'seq': 1, 'raw': Rule: #101 "TEST IP4-DADDR DROP" | Matches: [proto_l3 == ip4 & ip_daddr == ['2.2.2.2/32']]}
 
 Or run use the silent-mode:
 
 .. code-block:: bash
 
-    ftf-cli ... --src-ip 10.0.0.1 --dst-ip 172.17.10.6 --verbosity silent
+    ftf-cli ... --src-ip 172.17.11.5 --dst-ip 2.2.2.2 --verbosity silent
 
-    > ✖ FIREWALL: Packet blocked by rule: {'action': 'drop', 'seq': 1, 'raw': Rule: #22 | Matches: [ni_in != ['docker0'], ni_out == ['docker0']]}
+    > ✖ FIREWALL: Packet blocked by rule: {'action': 'drop', 'seq': 1, 'raw': Rule: #101 "TEST IP4-DADDR DROP" | Matches: [proto_l3 == ip4 & ip_daddr == ['2.2.2.2/32']]}
 
 ----
 

src/firewall_test/config.py

@@ -89,3 +89,77 @@ class Match(ABC):
 
 class MatchPort(Match):
     N = 'port'
+
+
+class RuleAction(ABC):
+    N = 'Abstract Rule-Action'
+
+
+class RuleActionKindTerminal(RuleAction):
+    N = 'Abstract Rule-Action Terminal'
+
+
+class RuleActionKindTerminalKill(RuleActionKindTerminal):
+    N = 'Abstract Rule-Action Terminal'
+
+
+class RuleActionAccept(RuleActionKindTerminal):
+    N = 'accept'
+
+
+class RuleActionDrop(RuleActionKindTerminalKill):
+    N = 'drop'
+
+
+class RuleActionReject(RuleActionKindTerminalKill):
+    N = 'reject'
+
+
+class RuleActionKindToChain(RuleAction):
+    N = 'Abstract Rule-Action To-Chain'
+
+
+class RuleActionJump(RuleActionKindToChain):
+    N = 'jump'
+
+
+class RuleActionGoTo(RuleActionKindToChain):
+    N = 'goto'
+
+
+class RuleActionReturn(RuleActionKindTerminal):
+    N = 'return'
+
+
+class RuleActionContinue(RuleAction):
+    N = 'continue'
+
+
+class RuleActionKindNAT(RuleAction):
+    N = 'Abstract Rule-Action NAT'
+
+
+class RuleActionDNAT(RuleActionKindNAT):
+    N = 'dnat'
+
+
+class RuleActionSNAT(RuleActionKindNAT):
+    N = 'snat'
+
+
+RULE_ACTIONS = [
+    RuleActionAccept, RuleActionDrop, RuleActionReject,
+    RuleActionJump, RuleActionGoTo, RuleActionContinue, RuleActionReturn,
+    RuleActionDNAT, RuleActionSNAT,
+]
+RULE_ACTION_MAPPING = {
+    RuleActionAccept.N: RuleActionAccept,
+    RuleActionDrop.N: RuleActionDrop,
+    RuleActionReject.N: RuleActionReject,
+    RuleActionJump.N: RuleActionJump,
+    RuleActionGoTo.N: RuleActionGoTo,
+    RuleActionContinue.N: RuleActionContinue,
+    RuleActionReturn.N: RuleActionReturn,
+    RuleActionDNAT.N: RuleActionDNAT,
+    RuleActionSNAT.N: RuleActionSNAT,
+}

src/firewall_test/plugins/system/abstract_rule_match.py

@@ -1,8 +1,8 @@
 from abc import abstractmethod
 from ipaddress import IPv4Address, IPv6Address
 
+from config import RuleAction
 from plugins.system.abstract import BaseRuleMatcher
-from plugins.translate.config import RuleAction
 from plugins.translate.abstract import Table, Rule
 from simulator.packet import PacketIP
 

src/firewall_test/plugins/system/firewall_netfilter.py

@@ -1,5 +1,5 @@
+from config import RuleActionKindTerminal, RuleActionKindToChain, RuleActionKindNAT
 from plugins.system.abstract_rule_match import RuleMatcher, RuleMatchResult
-from plugins.translate.config import RuleActionKindTerminal, RuleActionKindToChain, RuleActionKindNAT
 from plugins.translate.abstract import Rule
 from plugins.translate.netfilter.parse import NftRule
 from simulator.packet import PacketIP, PacketTCPUDP, PacketICMP

src/firewall_test/plugins/translate/abstract.py

@@ -2,9 +2,9 @@
 from ipaddress import ip_network, ip_address, IPv4Network, IPv6Network, IPv4Address, IPv6Address
 from re import compile as regex_compile
 
-from config import ProtoL3, ProtoL3IP4, ProtoL3IP6, PROTOS_L3, ProtoL3IP4IP6
-from plugins.translate.config import RuleAction, RuleActionAccept, RuleActionReject, RuleActionDrop, \
-    RuleActionJump, RuleActionGoTo, RuleActionContinue, RULE_ACTIONS, RuleActionReturn
+from config import ProtoL3, ProtoL3IP4, ProtoL3IP6, PROTOS_L3, ProtoL3IP4IP6, \
+    RuleAction, RuleActionAccept, RuleActionReject, RuleActionDrop, \
+    RuleActionJump, RuleActionGoTo, RuleActionContinue, RULE_ACTIONS, RuleActionReturn, RULE_ACTION_MAPPING
 
 REGEX_MAC_ADDRESS = regex_compile(r'^[\da-f]{2}:[\da-f]{2}:[\da-f]{2}:[\da-f]{2}:[\da-f]{2}:[\da-f]{2}$')
 
@@ -295,15 +295,14 @@ class Chain(TranslateOutput):
     FAMILY_IP6 = ProtoL3IP6.N
     FAMILIES = [FAMILY_IP, FAMILY_IP4, FAMILY_IP6]
 
-    POLICY_ACCEPT = 'accept'
-    POLICY_DROP = 'drop'
-    POLICY_REJECT = 'reject'
-    POLICIES = [POLICY_ACCEPT, POLICY_DROP, POLICY_REJECT]
+    POLICY_ACCEPT = RuleActionAccept
+    POLICY_DROP = RuleActionDrop
+    POLICY_REJECT = RuleActionReject
 
     # pylint: disable=W0622
     def __init__(
-        self, name: str, hook: str, policy: str, rules: list[Rule], priority: int = 0,
-            type: str = 'filter', family: type[ProtoL3] = ProtoL3IP4IP6,
+        self, name: str, hook: str, policy: (None, RuleActionAccept, RuleActionDrop, RuleActionReject),
+            rules: list[Rule], priority: int = 0, type: str = 'filter', family: type[ProtoL3] = ProtoL3IP4IP6,
     ):
         self.name = name
         self.type = type
@@ -313,6 +312,9 @@ def __init__(
         self.policy = policy
         self.rules = rules
 
+        if self.policy is None:
+            self.policy = RuleActionAccept
+
         # runtime infos
         self.run_table = None
 
@@ -321,7 +323,7 @@ def dump(self) -> dict:
             "name": self.name,
             "type": self.type,
             "hook": self.hook,
-            "policy": self.policy,
+            "policy": self.policy.N,
             "priority": self.priority,
             "family": self.family.N,
             "rules": [r.dump() for r in self.rules],
@@ -336,7 +338,7 @@ def validate(self):
         r = self.dump()
         assert isinstance(r['name'], str)
         assert len(r['name']) > 0
-        assert r['policy'] in self.POLICIES
+        assert r['policy'] in RULE_ACTION_MAPPING
         assert isinstance(r['priority'], int)
         assert r['type'] in self.TYPES
         if len(r['rules']) > 0: