Merge pull request #79 from altlinux/firewall_applier

Firewall applier
2025-03-21 18:50:38 +03:00 · 2020-06-30 17:56:49 +04:00 · 2020-06-30 17:56:49 +04:00 · 7a90f3c0e6
commit 7a90f3c0e6
parent d1e9c31bef 272785a780
3 changed files with 152 additions and 0 deletions
--- a/gpoa/frontend/appliers/firewall_rule.py
+++ b/gpoa/frontend/appliers/firewall_rule.py
@ -0,0 +1,97 @@
+#
+# GPOA - GPO Applier for Linux
+#
+# Copyright (C) 2019-2020 BaseALT Ltd.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+from enum import Enum
+import subprocess
+
+def getprops(param_list):
+    props = dict()
+
+    for entry in param_list:
+        lentry = entry.lower()
+        if lentry.startswith('action'):
+            props['action'] = lentry.rpartition('=')[2]
+        if lentry.startswith('protocol'):
+            props['protocol'] = lentry.rpartition('=')[2]
+        if lentry.startswith('dir'):
+            props['dir'] = lentry.rpartition('=')[2]
+
+    return props
+
+
+def get_ports(param_list):
+    portlist = list()
+
+    for entry in param_list:
+        lentry = entry.lower()
+        if lentry.startswith('lport'):
+            port = lentry.rpartition('=')[2]
+            portlist.append(port)
+
+    return portlist
+
+class PortState(Enum):
+    OPEN = 'Allow'
+    CLOSE = 'Deny'
+
+class Protocol(Enum):
+    TCP = 'tcp'
+    UDP = 'udp'
+
+class FirewallMode(Enum):
+    ROUTER = 'router'
+    GATEWAY = 'gateway'
+    HOST = 'host'
+
+# This shi^Wthing named alterator-net-iptables is unable to work in
+# multi-threaded environment
+class FirewallRule:
+    __alterator_command = '/usr/bin/alterator-net-iptables'
+
+    def __init__(self, data):
+        data_array = data.split('|')
+
+        self.version = data_array[0]
+        self.ports = get_ports(data_array[1:])
+        self.properties = getprops(data_array[1:])
+
+    def apply(self):
+        tcp_command = []
+        udp_command = []
+
+        for port in self.ports:
+            tcp_port = '{}'.format(port)
+            udp_port = '{}'.format(port)
+
+            if PortState.OPEN.value == self.properties['action']:
+                tcp_port = '+' + tcp_port
+                udp_port = '+' + udp_port
+            if PortState.CLOSE.value == self.properties['action']:
+                tcp_port = '-' + tcp_port
+                udp_port = '-' + udp_port
+
+            portcmd = [
+                  self.__alterator_command
+                , 'write'
+                , '-m', FirewallMode.HOST.value
+                , '-t', tcp_port
+                , '-u', udp_port
+            ]
+            proc = subprocess.Popen(portcmd)
+            proc.wait()
+
--- a/gpoa/frontend/firewall_applier.py
+++ b/gpoa/frontend/firewall_applier.py
@ -0,0 +1,53 @@
+#
+# GPOA - GPO Applier for Linux
+#
+# Copyright (C) 2019-2020 BaseALT Ltd.
+#
+# This program is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program.  If not, see <http://www.gnu.org/licenses/>.
+
+import logging
+from util.logging import slogm
+from .applier_frontend import (
+      applier_frontend
+    , check_enabled
+)
+from .appliers.firewall_rule import FirewallRule
+
+class firewall_applier(applier_frontend):
+    __module_name = 'FirewallApplier'
+    __module_experimental = True
+    __module_enabled = False
+    __firewall_branch = 'SOFTWARE\\Policies\\Microsoft\\WindowsFirewall\\FirewallRules'
+
+    def __init__(self, storage):
+        self.storage = storage
+        self.firewall_settings = self.storage.filter_hklm_entries('{}%'.format(self.__firewall_branch))
+        self.__module_enabled = check_enabled(
+              self.storage
+            , self.__module_name
+            , self.__module_experimental
+        )
+
+    def run(self):
+        for setting in self.firewall_settings:
+            rule = FirewallRule(setting.data)
+            rule.apply()
+
+    def apply(self):
+        if self.__module_enabled:
+            logging.debug(slogm('Running Firewall applier for machine'))
+            self.run()
+        else:
+            logging.debug(slogm('Firewall applier will not be started'))
+
--- a/gpoa/frontend/frontend_manager.py
+++ b/gpoa/frontend/frontend_manager.py
@ -39,6 +39,7 @@ from .gsettings_applier import (
    gsettings_applier,
    gsettings_applier_user
 )
+from .firewall_applier import firewall_applier
 from .folder_applier import (
      folder_applier
    , folder_applier_user
@ -98,6 +99,7 @@ class frontend_manager:
            , 'shortcuts': shortcut_applier(self.storage)
            , 'gsettings': gsettings_applier(self.storage)
            , 'cups': cups_applier(self.storage)
+            , 'firewall': firewall_applier(self.storage)
            , 'folders': folder_applier(self.storage, self.sid)
            , 'package': package_applier(self.storage)
        })