driver: api: Implement of collecting firewall inforamtion on Linux

cloud-barista · May 5, 2024 · b405b72 · b405b72
1 parent be67123
commit b405b72
Show file tree

Hide file tree

Showing 4 changed files with 131 additions and 62 deletions.
diff --git a/driver/network/firewall_linux.go b/driver/network/firewall_linux.go
@@ -4,69 +4,135 @@ package network
 
 import (
 	"github.com/cloud-barista/cm-honeybee/pkg/api/rest/model/onprem/network"
+	"github.com/coreos/go-iptables/iptables"
+	"github.com/jollaman999/utils/logger"
+	"strconv"
+	"strings"
 )
 
-const (
-	TableFilter   = "filter"
-	TableNat      = "nat"
-	TableMangle   = "mangle"
-	TableRaw      = "raw"
-	TableSecurity = "security"
-)
+func parseIptablesRules(ipt *iptables.IPTables, rules []string, prevPriority *uint, direction string) []network.FirewallRule {
+	var fwRules = make([]network.FirewallRule, 0)
+
+	for _, rule := range rules {
+		var fwRule network.FirewallRule
+		var skip bool
+
+		ruleSplited := strings.Split(rule, " ")
+		ruleSplitedLen := len(ruleSplited)
+		for i, str := range ruleSplited {
+			if strings.HasPrefix(str, "-") && ruleSplitedLen > i+1 {
+				switch str {
+				case "-P":
+					fallthrough
+				case "-N":
+					skip = true
+				case "-j":
+					jump := strings.ToLower(ruleSplited[i+1])
+					if jump == "accept" {
+						fwRule.Action = "allow"
+					} else if jump == "drop" || jump == "deny" {
+						fwRule.Action = "deny"
+					} else {
+						subRules, err := ipt.List("filter", ruleSplited[i+1])
+						if err != nil {
+							logger.Println(logger.DEBUG, true, "FIREWALL: "+err.Error())
+							skip = true
+							break
+						}
+						fwSubRules := parseIptablesRules(ipt, subRules, prevPriority, direction)
+						fwRules = append(fwRules, fwSubRules...)
+						skip = true
+						break
+					}
+				case "-s":
+					fwRule.Src = ruleSplited[i+1]
+				case "-d":
+					fwRule.Dst = ruleSplited[i+1]
+				case "-p":
+					protocol := strings.ToLower(ruleSplited[i+1])
+					if protocol == "tcp" || protocol == "udp" {
+						fwRule.Protocol = protocol
+						for j, str := range ruleSplited {
+							if strings.HasPrefix(str, "--") && ruleSplitedLen > j+1 {
+								switch str {
+								case "--sport":
+									sport, _ := strconv.Atoi(ruleSplited[j+1])
+									fwRule.SrcPort = uint(sport)
+								case "--dport":
+									dport, _ := strconv.Atoi(ruleSplited[j+1])
+									fwRule.DstPort = uint(dport)
+								}
+							}
+						}
+					}
+					fwRule.Protocol = protocol
+				}
+			}
+		}
+		if skip {
+			continue
+		}
+
+		*prevPriority++
+
+		fwRule.Direction = direction
+		fwRule.Priority = *prevPriority
+
+		fwRules = append(fwRules, fwRule)
+	}
+
+	return fwRules
+}
+
+func iptablesToModelFirewallRule(ipt *iptables.IPTables) ([]network.FirewallRule, error) {
+	var fw = make([]network.FirewallRule, 0)
+	var prevPriority uint
 
-var Tables = []string{TableFilter, TableNat, TableMangle, TableRaw, TableSecurity}
-
-//
-//func iptablesToModelTables(ipt *iptables.IPTables) []network.Table {
-//	var ts = make([]network.Table, 0)
-//
-//	for _, table := range Tables {
-//		var t network.Table
-//		var cs []network.Chain
-//
-//		chains, err := ipt.ListChains(table)
-//		if err != nil {
-//			logger.Println(logger.DEBUG, true, "NETFILTER: "+err.Error())
-//			continue
-//		}
-//
-//		for _, chain := range chains {
-//			var c network.Chain
-//			var rs []string
-//
-//			rules, err := ipt.List(table, chain)
-//			if err != nil {
-//				logger.Println(logger.DEBUG, true, "NETFILTER: "+err.Error())
-//				continue
-//			}
-//
-//			rs = append(rs, rules...)
-//
-//			c.ChainName = chain
-//			c.Rules = rs
-//			cs = append(cs, c)
-//		}
-//
-//		t.TableName = table
-//		t.Chains = cs
-//		ts = append(ts, t)
-//	}
-//
-//	return ts
-//}
-
-// GetFirewallRules TODO
+	rules, err := ipt.List("filter", "INPUT")
+	if err != nil {
+		logger.Println(logger.DEBUG, true, "FIREWALL: "+err.Error())
+		return fw, err
+	}
+	fw = append(fw, parseIptablesRules(ipt, rules, &prevPriority, "inbound")...)
+
+	rules, err = ipt.List("filter", "OUTPUT")
+	if err != nil {
+		logger.Println(logger.DEBUG, true, "FIREWALL: "+err.Error())
+		return fw, err
+	}
+	fw = append(fw, parseIptablesRules(ipt, rules, &prevPriority, "outbound")...)
+
+	return fw, nil
+}
+
+// GetFirewallRules
 func GetFirewallRules() ([]network.FirewallRule, error) {
-	return []network.FirewallRule{
-		{
-			Priority:  0,
-			Src:       "TODO",
-			Dst:       "TODO",
-			SrcPort:   0,
-			DstPort:   0,
-			Protocol:  "TODO",
-			Direction: "TODO",
-			Action:    "TODO",
-		},
-	}, nil
+	var fw = make([]network.FirewallRule, 0)
+
+	ipt4, err := iptables.New(iptables.IPFamily(iptables.ProtocolIPv4))
+	if err != nil {
+		logger.Println(logger.ERROR, false, "FIREWALL: Failed to handle iptables.")
+		return []network.FirewallRule{}, err
+	}
+
+	ipv4fw, err := iptablesToModelFirewallRule(ipt4)
+	if err != nil {
+		logger.Println(logger.ERROR, false, "FIREWALL: Failed to get IPv4 rules.")
+		return []network.FirewallRule{}, err
+	}
+	fw = append(fw, ipv4fw...)
+
+	ipt6, err := iptables.New(iptables.IPFamily(iptables.ProtocolIPv6))
+	if err != nil {
+		logger.Println(logger.ERROR, false, "FIREWALL: Failed to handle ip6tables.")
+	}
+
+	ipv6fw, err := iptablesToModelFirewallRule(ipt6)
+	if err != nil {
+		logger.Println(logger.ERROR, false, "FIREWALL: Failed to get IPv4 rules.")
+		return []network.FirewallRule{}, err
+	}
+	fw = append(fw, ipv6fw...)
+
+	return fw, nil
 }
diff --git a/go.mod b/go.mod
@@ -18,6 +18,7 @@ require (
 )
 
 require (
+	github.com/coreos/go-iptables v0.7.0
 	github.com/swaggo/echo-swagger v1.4.1
 	github.com/swaggo/swag v1.16.3
 )

diff --git a/go.sum b/go.sum
@@ -10,6 +10,8 @@ github.com/cenkalti/backoff/v4 v4.2.1 h1:y4OZtCnogmCPw98Zjyt5a6+QwPLGkiQsYW5oUqy
 github.com/cenkalti/backoff/v4 v4.2.1/go.mod h1:Y3VNntkOUPxTVeUxJ/G5vcM//AlwfmyYozVcomhLiZE=
 github.com/containerd/log v0.1.0 h1:TCJt7ioM2cr/tfR8GPbGf9/VRAX8D2B4PjzCpfX540I=
 github.com/containerd/log v0.1.0/go.mod h1:VRRf09a7mHDIRezVKTRCrOq78v577GXq3bSa3EhrzVo=
+github.com/coreos/go-iptables v0.7.0 h1:XWM3V+MPRr5/q51NuWSgU0fqMad64Zyxs8ZUoMsamr8=
+github.com/coreos/go-iptables v0.7.0/go.mod h1:Qe8Bv2Xik5FyTXwgIbLAnv2sWSBmvWdFETJConOQ//Q=
 github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=
 github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c=
 github.com/davecgh/go-spew v1.1.1/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38=

diff --git a/pkg/api/rest/model/onprem/network/firewall.go b/pkg/api/rest/model/onprem/network/firewall.go
@@ -1,6 +1,6 @@
 package network
 
-// FirewallRule TODO
+// FirewallRule
 type FirewallRule struct {
 	Priority  uint   `json:"priority"` // Lower has higher priority
 	Src       string `json:"src"`