feat: Firewall IPV6 support in UI

Signed-off-by: MMaiero <[email protected]> Implemented missing methods for ipv6 firewall webui Signed-off-by: pierantoniomerlino <[email protected]> Fixed ipv4/6 validators Signed-off-by: pierantoniomerlino <[email protected]> Fixed portforwarding ipv6 Signed-off-by: pierantoniomerlino <[email protected]> Added default single host netmask value Signed-off-by: pierantoniomerlino <[email protected]> Fixed ip6address in port forward config Signed-off-by: pierantoniomerlino <[email protected]> Refactored gwt firewall methods Signed-off-by: pierantoniomerlino <[email protected]> Fixed ipv6 address validator Signed-off-by: pierantoniomerlino <[email protected]> Updated messages and tooltips Signed-off-by: pierantoniomerlino <[email protected]> Aligned unknown net value in update methods Signed-off-by: pierantoniomerlino <[email protected]> Fixed linux.net.iptables tests Signed-off-by: pierantoniomerlino <[email protected]>
eclipse-kura · Oct 20, 2023 · 6a7477f · 6a7477f
1 parent 1aea966
commit 6a7477f
Show file tree

Hide file tree

Showing 31 changed files with 3,975 additions and 308 deletions.
diff --git a/...lipse.kura.api/src/main/java/org/eclipse/kura/net/firewall/FirewallPortForwardConfig.java b/...lipse.kura.api/src/main/java/org/eclipse/kura/net/firewall/FirewallPortForwardConfig.java
@@ -58,6 +58,14 @@ public interface FirewallPortForwardConfig extends NetConfig {
      */
     public IPAddress getIPAddress();
 
+    /**
+     * The netmask of the LAN IP address to forward connections to
+     *
+     * @return The netmask of the LAN IPAddress to forward connections to
+     * @since 2.6
+     */
+    public short getIPAddressNetmask();
+
     /**
      * Gets the type of network protocol (TCP or UDP) that is used for this configuration
      *

diff --git a/...se.kura.api/src/main/java/org/eclipse/kura/net/firewall/FirewallPortForwardConfigIP4.java b/...se.kura.api/src/main/java/org/eclipse/kura/net/firewall/FirewallPortForwardConfigIP4.java
@@ -61,6 +61,14 @@ public static FirewallPortForwardConfigIP4Builder builder() {
         return new FirewallPortForwardConfigIP4Builder();
     }
 
+    /**
+     * @since 2.6
+     */
+    @Override
+    public short getIPAddressNetmask() {
+        return (short) 32;
+    }
+
     /**
      * The builder class for the IPv4 firewall port forward configuration
      * 

diff --git a/...se.kura.api/src/main/java/org/eclipse/kura/net/firewall/FirewallPortForwardConfigIP6.java b/...se.kura.api/src/main/java/org/eclipse/kura/net/firewall/FirewallPortForwardConfigIP6.java
@@ -36,6 +36,14 @@ public static FirewallPortForwardConfigIP6Builder builder() {
         return new FirewallPortForwardConfigIP6Builder();
     }
 
+    /**
+     * @since 2.6
+     */
+    @Override
+    public short getIPAddressNetmask() {
+        return (short) 128;
+    }
+
     /**
      * The builder class for the IPv6 firewall port forward configuration
      */

diff --git a/....eclipse.kura.core.net/src/main/java/org/eclipse/kura/core/net/FirewallConfiguration.java b/....eclipse.kura.core.net/src/main/java/org/eclipse/kura/core/net/FirewallConfiguration.java
@@ -377,7 +377,7 @@ private String formPortForwardConfigPropValue() {
             }
             sb.append(',');
             if (portForwardConfig.getIPAddress() != null) {
-                sb.append(portForwardConfig.getIPAddress());
+                sb.append(portForwardConfig.getIPAddress().getHostAddress());
             }
             sb.append(',');
             if (portForwardConfig.getProtocol() != null) {

diff --git a/...ra.linux.net/src/main/java/org/eclipse/kura/linux/net/iptables/AbstractLinuxFirewall.java b/...ra.linux.net/src/main/java/org/eclipse/kura/linux/net/iptables/AbstractLinuxFirewall.java
@@ -66,6 +66,13 @@ protected void setExecutorService(CommandExecutorService executorService) {
 
     protected abstract String getIpForwardFileName();
 
+    /*
+     * Add a Local rule to the firewall.
+     * 
+     * @deprecated since 1.2. Use {@link addLocalRules(List<LocalRule>
+     * newLocalRules)}
+     */
+    @Deprecated
     @SuppressWarnings("checkstyle:parameterNumber")
     public void addLocalRule(int port, String protocol, String permittedNetwork, String permittedNetworkPrefix,
             String permittedInterfaceName, String unpermittedInterfaceName, String permittedMAC, String sourcePortRange)
@@ -117,6 +124,13 @@ public void addLocalRules(List<LocalRule> newLocalRules) throws KuraException {
         }
     }
 
+    /*
+     * Add a Port Forward rule to the firewall.
+     * 
+     * @deprecated since 1.2. Use {@link addPortForwardRules(List<PortForwardRule>
+     * newPortForwardRules)}
+     */
+    @Deprecated
     @SuppressWarnings("checkstyle:parameterNumber")
     public void addPortForwardRule(String inboundIface, String outboundIface, String address, String protocol,
             int inPort, int outPort, boolean masquerade, String permittedNetwork, String permittedNetworkPrefix,
@@ -157,15 +171,12 @@ public void addPortForwardRules(List<PortForwardRule> newPortForwardRules) throw
         }
     }
 
-    /**
-     * Adds automatic NAT rule
-     *
-     * @param sourceInterface
-     * @param destinationInterface
-     * @param masquerade
-     * @param type
-     * @throws KuraException
+    /*
+     * Add a Nat rule to the firewall.
+     * 
+     * @deprecated since 1.2. Use {@link aaddNatRules(List<NATRule> newNatRules))}
      */
+    @Deprecated
     public void addNatRule(String sourceInterface, String destinationInterface, boolean masquerade, RuleType type)
             throws KuraException {
         if (sourceInterface == null || sourceInterface.isEmpty()) {
@@ -182,18 +193,12 @@ public void addNatRule(String sourceInterface, String destinationInterface, bool
         addAutoNatRules(natRuleList);
     }
 
-    /**
-     * Adds NAT Rule
-     *
-     * @param sourceInterface
-     * @param destinationInterface
-     * @param protocol
-     * @param source
-     * @param destination
-     * @param masquerade
-     * @param type
-     * @throws KuraException
+    /*
+     * Add a Nat Forward rule to the firewall.
+     * 
+     * @deprecated since 1.2. Use {@link addNatRules(List<NATRule> newNatRules)}
      */
+    @Deprecated
     public void addNatRule(String sourceInterface, String destinationInterface, String protocol, String source,
             String destination, boolean masquerade, RuleType type) throws KuraException {
 
@@ -282,6 +287,14 @@ public void deleteAutoNatRule(NATRule rule) throws KuraException {
         update();
     }
 
+    public void deleteNatRule(NATRule rule) throws KuraException {
+        if (this.natRules == null) {
+            return;
+        }
+        this.natRules.remove(rule);
+        update();
+    }
+
     public void deleteAllLocalRules() throws KuraException {
         this.localRules.clear();
         update();

diff --git a/...a.linux.net/src/main/java/org/eclipse/kura/linux/net/iptables/FilterForwardChainRule.java b/...a.linux.net/src/main/java/org/eclipse/kura/linux/net/iptables/FilterForwardChainRule.java
@@ -147,16 +147,10 @@ public List<String> toStrings() {
         List<String> ret = new ArrayList<>();
         StringBuilder sb = new StringBuilder("-A " + chain);
         if (this.srcNetwork != null) {
-            sb.append(" -s ") //
-                    .append(this.srcNetwork) //
-                    .append('/') //
-                    .append(this.srcMask);
+            sb.append(" -s ").append(this.srcNetwork).append('/').append(this.srcMask);
         }
         if (this.dstNetwork != null) {
-            sb.append(" -d ") //
-                    .append(this.dstNetwork) //
-                    .append('/') //
-                    .append(this.dstMask);
+            sb.append(" -d ").append(this.dstNetwork).append('/').append(this.dstMask);
         }
         sb.append(" -i ").append(this.inputInterface);
         sb.append(" -o ").append(this.outputInterface);
@@ -168,10 +162,7 @@ public List<String> toStrings() {
             sb.append(" -m mac --mac-source ").append(this.permittedMacAddress);
         }
         if (this.srcPortFirst > 0 && this.srcPortLast >= this.srcPortFirst) {
-            sb.append(" --sport ") //
-                    .append(this.srcPortFirst) //
-                    .append(':') //
-                    .append(this.srcPortLast);
+            sb.append(" --sport ").append(this.srcPortFirst).append(':').append(this.srcPortLast);
         }
         if (this.dstPort > 0) {
             sb.append(" --dport ").append(this.dstPort);
@@ -180,10 +171,7 @@ public List<String> toStrings() {
         ret.add(sb.toString());
         sb = new StringBuilder("-A " + chain);
         if (this.dstNetwork != null) {
-            sb.append(" -s ") //
-                    .append(this.dstNetwork) //
-                    .append('/') //
-                    .append(this.dstMask);
+            sb.append(" -s ").append(this.dstNetwork).append('/').append(this.dstMask);
         }
         sb.append(" -i ").append(this.outputInterface);
         sb.append(" -o ").append(this.inputInterface);

diff --git a/...g.eclipse.kura.linux.net/src/main/java/org/eclipse/kura/linux/net/iptables/LocalRule.java b/...g.eclipse.kura.linux.net/src/main/java/org/eclipse/kura/linux/net/iptables/LocalRule.java
@@ -407,61 +407,34 @@ public String getPermittedMAC() {
      */
     @Override
     public String toString() {
-        String interfaceString = null;
+        StringBuilder localRuleSB = new StringBuilder(A_INPUT_KURA_P).append(this.protocol);
+
+        this.permittedNetworkString.ifPresent(permittedNetwork -> {
+            localRuleSB.append(" -s ").append(permittedNetwork);
+        });
+
         if (this.permittedInterfaceName.isPresent()) {
-            interfaceString = new StringBuilder().append(" -i ").append(this.permittedInterfaceName.get()).toString();
+            localRuleSB.append(" -i ").append(this.permittedInterfaceName.get()).toString();
         } else if (this.unpermittedInterfaceName.isPresent()) {
-            interfaceString = new StringBuilder().append(" ! -i ").append(this.unpermittedInterfaceName.get())
-                    .toString();
+            localRuleSB.append(" ! -i ").append(this.unpermittedInterfaceName.get()).toString();
         }
 
+        this.permittedMAC.ifPresent(permittedMAC -> {
+            localRuleSB.append(M_MAC_MAC_SOURCE).append(permittedMAC);
+        });
+
+        this.sourcePortRange.ifPresent(sourcePortRange -> {
+            localRuleSB.append(SPORT).append(sourcePortRange);
+        });
+
         if (this.port != -1) {
-            return getLocalRuleWithPort(interfaceString);
+            localRuleSB.append(DPORT).append(this.port);
         } else {
-            return getLocalRuleWithoutPort(interfaceString);
+            localRuleSB.append(DPORT).append(this.portRange.get());
         }
-    }
 
-    private String getLocalRuleWithPort(String interfaceString) {
-        String localRuleString = "";
-        if (!this.permittedMAC.isPresent() && !this.sourcePortRange.isPresent()) {
-            localRuleString = A_INPUT_KURA_P + this.protocol + " -s " + this.permittedNetworkString.get()
-                    + (interfaceString != null ? interfaceString : "") + DPORT + this.port + J_ACCEPT;
-        } else if (!this.permittedMAC.isPresent()) {
-            localRuleString = A_INPUT_KURA_P + this.protocol + " -s " + this.permittedNetworkString.get()
-                    + (interfaceString != null ? interfaceString : "") + SPORT + this.sourcePortRange.get() + DPORT
-                    + this.port + J_ACCEPT;
-        } else if (!this.sourcePortRange.isPresent()) {
-            localRuleString = A_INPUT_KURA_P + this.protocol + " -s " + this.permittedNetworkString.get()
-                    + (interfaceString != null ? interfaceString : "") + M_MAC_MAC_SOURCE + this.permittedMAC.get()
-                    + DPORT + this.port + J_ACCEPT;
-        } else {
-            localRuleString = A_INPUT_KURA_P + this.protocol + " -s " + this.permittedNetworkString.get()
-                    + (interfaceString != null ? interfaceString : "") + M_MAC_MAC_SOURCE + this.permittedMAC.get()
-                    + SPORT + this.sourcePortRange.get() + DPORT + this.port + J_ACCEPT;
-        }
-        return localRuleString;
-    }
-
-    private String getLocalRuleWithoutPort(String interfaceString) {
-        String localRuleString = "";
-        if (!this.permittedMAC.isPresent() && !this.sourcePortRange.isPresent()) {
-            localRuleString = A_INPUT_KURA_P + this.protocol + " -s " + this.permittedNetworkString.get()
-                    + (interfaceString != null ? interfaceString : "") + DPORT + this.portRange.get() + J_ACCEPT;
-        } else if (!this.permittedMAC.isPresent()) {
-            localRuleString = A_INPUT_KURA_P + this.protocol + " -s " + this.permittedNetworkString.get()
-                    + (interfaceString != null ? interfaceString : "") + SPORT + this.sourcePortRange.get() + DPORT
-                    + this.portRange.get() + J_ACCEPT;
-        } else if (!this.sourcePortRange.isPresent()) {
-            localRuleString = A_INPUT_KURA_P + this.protocol + " -s " + this.permittedNetworkString.get()
-                    + (interfaceString != null ? interfaceString : "") + M_MAC_MAC_SOURCE + this.permittedMAC.get()
-                    + DPORT + this.portRange.get() + J_ACCEPT;
-        } else {
-            localRuleString = A_INPUT_KURA_P + this.protocol + " -s " + this.permittedNetworkString.get()
-                    + (interfaceString != null ? interfaceString : "") + M_MAC_MAC_SOURCE + this.permittedMAC.get()
-                    + SPORT + this.sourcePortRange.get() + DPORT + this.portRange.get() + J_ACCEPT;
-        }
-        return localRuleString;
+        localRuleSB.append(J_ACCEPT);
+        return localRuleSB.toString();
     }
 
     private boolean isPortRangeValid(String range) {

diff --git a/...pse.kura.linux.net/src/main/java/org/eclipse/kura/linux/net/iptables/PortForwardRule.java b/...pse.kura.linux.net/src/main/java/org/eclipse/kura/linux/net/iptables/PortForwardRule.java
@@ -26,6 +26,7 @@ public class PortForwardRule {
     private String inboundIface;
     private String outboundIface;
     private String address;
+    private int addressMask;
     private String protocol;
     private int inPort;
     private int outPort;
@@ -51,6 +52,8 @@ public class PortForwardRule {
      *            protocol of port connection (tcp, udp)
      * @param address
      *            destination IP address to forward IP traffic
+     * @param addressMask
+     *            destination IP address netmask
      * @param outPort
      *            destination port to forward IP traffic
      * @param masquerade
@@ -70,6 +73,7 @@ public PortForwardRule() {
         this.inPort = 0;
         this.protocol = null;
         this.address = null;
+        this.addressMask = 0;
         this.outPort = 0;
         this.masquerade = false;
         this.permittedNetworkMask = 0;
@@ -94,6 +98,11 @@ public PortForwardRule address(String address) {
         return this;
     }
 
+    public PortForwardRule addressMask(int addressMask) {
+        this.addressMask = addressMask;
+        return this;
+    }
+
     public PortForwardRule protocol(String protocol) {
         this.protocol = protocol;
         return this;
@@ -170,7 +179,7 @@ public NatPreroutingChainRule getNatPreroutingChainRule() {
     }
 
     public NatPostroutingChainRule getNatPostroutingChainRule() {
-        return new NatPostroutingChainRule().dstNetwork(this.address).dstMask((short) 32)
+        return new NatPostroutingChainRule().dstNetwork(this.address).dstMask((short) this.addressMask)
                 .srcNetwork(this.permittedNetwork).srcMask((short) this.permittedNetworkMask)
                 .dstInterface(this.outboundIface).protocol(this.protocol).masquerade(this.masquerade)
                 .type(RuleType.PORT_FORWARDING);
@@ -179,7 +188,7 @@ public NatPostroutingChainRule getNatPostroutingChainRule() {
     public FilterForwardChainRule getFilterForwardChainRule() {
         return new FilterForwardChainRule().inputInterface(this.inboundIface).outputInterface(this.outboundIface)
                 .srcNetwork(this.permittedNetwork).srcMask((short) this.permittedNetworkMask).dstNetwork(this.address)
-                .dstMask((short) 32).protocol(this.protocol).permittedMacAddress(this.permittedMAC)
+                .dstMask((short) this.addressMask).protocol(this.protocol).permittedMacAddress(this.permittedMAC)
                 .srcPortFirst(this.sourcePortStart).srcPortLast(this.sourcePortEnd).type(RuleType.PORT_FORWARDING);
     }
 

diff --git a/...ll/src/main/java/org/eclipse/kura/net/admin/AbstractFirewallConfigurationServiceImpl.java b/...ll/src/main/java/org/eclipse/kura/net/admin/AbstractFirewallConfigurationServiceImpl.java
@@ -258,6 +258,7 @@ public void setFirewallPortForwardingConfiguration(
                         .inboundIface(portForwardEntry.getInboundInterface())
                         .outboundIface(portForwardEntry.getOutboundInterface())
                         .address(portForwardEntry.getIPAddress().getHostAddress())
+                        .addressMask(portForwardEntry.getIPAddressNetmask())
                         .protocol(portForwardEntry.getProtocol().name()).inPort(portForwardEntry.getInPort())
                         .outPort(portForwardEntry.getOutPort()).masquerade(portForwardEntry.isMasquerade())
                         .permittedNetwork(convertNetworkPairToString(portForwardEntry.getPermittedNetwork()))

diff --git a/...n.firewall/src/main/java/org/eclipse/kura/net/admin/FirewallConfigurationServiceImpl.java b/...n.firewall/src/main/java/org/eclipse/kura/net/admin/FirewallConfigurationServiceImpl.java
@@ -143,4 +143,5 @@ protected AbstractLinuxFirewall getLinuxFirewall() {
         }
         return this.firewall;
     }
+
 }
diff --git a/kura/org.eclipse.kura.web2/META-INF/MANIFEST.MF b/kura/org.eclipse.kura.web2/META-INF/MANIFEST.MF
@@ -62,6 +62,7 @@ Import-Package: com.eclipsesource.json;version="0.9.5",
  org.eclipse.kura.marshalling;version="[1.0,2.0)",
  org.eclipse.kura.net;version="[2.1,3.0)",
  org.eclipse.kura.net.admin;version="[1.6,3.0)";resolution:=optional,
+ org.eclipse.kura.net.admin.ipv6;version="[1.0,2.0)";resolution:=optional,
  org.eclipse.kura.net.dhcp;version="[1.0,2.0)",
  org.eclipse.kura.net.firewall;version="[2.0,3.0)",
  org.eclipse.kura.net.modem;version="[2.2,3.0)",
@@ -70,7 +71,7 @@ Import-Package: com.eclipsesource.json;version="0.9.5",
  org.eclipse.kura.net.status.modem;version="[1.0,2.0)",
  org.eclipse.kura.net.status.wifi;version="[1.0,2.0)",
  org.eclipse.kura.net.status.vlan;version="[1.0,2.0)",
- org.eclipse.kura.net.wifi;version="[2.4,2.5)",
+ org.eclipse.kura.net.wifi;version="[2.4,3.0)",
  org.eclipse.kura.net.vlan;version="[1.0,2.0)",
  org.eclipse.kura.position;version="[1.0,2.0)",
  org.eclipse.kura.rest.configuration.api;version="[1.0,2.0)",
-Original file line number
+Diff line change
@@ Expand Up / @@ -143,4 +143,5 @@ protected AbstractLinuxFirewall getLinuxFirewall() { @@
             }
             return this.firewall;
         }
     }