network: firewall: Add Windows and multiport support

driver/network/firewall_linux.go

@@ -6,7 +6,6 @@ import (
 	"github.com/cloud-barista/cm-honeybee/pkg/api/rest/model/onprem/network"
 	"github.com/coreos/go-iptables/iptables"
 	"github.com/jollaman999/utils/logger"
-	"strconv"
 	"strings"
 )
 
@@ -50,22 +49,27 @@ func parseIptablesRules(ipt *iptables.IPTables, rules []string, prevPriority *ui
 					fwRule.Dst = ruleSplited[i+1]
 				case "-p":
 					protocol := strings.ToLower(ruleSplited[i+1])
+					fwRule.Protocol = protocol
 					if protocol == "tcp" || protocol == "udp" {
-						fwRule.Protocol = protocol
 						for j, str := range ruleSplited {
 							if strings.HasPrefix(str, "--") && ruleSplitedLen > j+1 {
 								switch str {
 								case "--sport":
-									sport, _ := strconv.Atoi(ruleSplited[j+1])
-									fwRule.SrcPort = uint(sport)
+									fallthrough
+								case "--sports":
+									fwRule.SrcPorts = ruleSplited[j+1]
 								case "--dport":
-									dport, _ := strconv.Atoi(ruleSplited[j+1])
-									fwRule.DstPort = uint(dport)
+									fallthrough
+								case "--dports":
+									fwRule.DstPorts = ruleSplited[j+1]
 								}
 							}
 						}
+						fwRule.SrcPorts = strings.ReplaceAll(fwRule.SrcPorts, ":", "-")
+						fwRule.DstPorts = strings.ReplaceAll(fwRule.DstPorts, ":", "-")
+					} else if protocol == "ipv6-icmp" {
+						fwRule.Protocol = "icmpv6"
 					}
-					fwRule.Protocol = protocol
 				}
 			}
 		}
@@ -77,6 +81,15 @@ func parseIptablesRules(ipt *iptables.IPTables, rules []string, prevPriority *ui
 
 		fwRule.Direction = direction
 		fwRule.Priority = *prevPriority
+		if len(fwRule.Protocol) == 0 {
+			fwRule.Protocol = "*"
+		}
+		if len(fwRule.SrcPorts) == 0 {
+			fwRule.SrcPorts = "*"
+		}
+		if len(fwRule.DstPorts) == 0 {
+			fwRule.DstPorts = "*"
+		}
 
 		fwRules = append(fwRules, fwRule)
 	}
@@ -105,7 +118,6 @@ func iptablesToModelFirewallRule(ipt *iptables.IPTables) ([]network.FirewallRule
 	return fw, nil
 }
 
-// GetFirewallRules
 func GetFirewallRules() ([]network.FirewallRule, error) {
 	var fw = make([]network.FirewallRule, 0)
 

driver/network/firewall_windows.go

@@ -4,20 +4,84 @@ package network
 
 import (
 	"github.com/cloud-barista/cm-honeybee/pkg/api/rest/model/onprem/network"
+	"github.com/kumako/go-win64api"
 )
 
-// GetFirewallRules TODO
+const protocolUnknown = "unknown"
+
+func parseProtocol(fwRuleProtocol int32) string {
+	switch fwRuleProtocol {
+	case winapi.NET_FW_IP_PROTOCOL_ANY:
+		return "*"
+	case winapi.NET_FW_IP_PROTOCOL_TCP:
+		return "tcp"
+	case winapi.NET_FW_IP_PROTOCOL_UDP:
+		return "udp"
+	case winapi.NET_FW_IP_PROTOCOL_ICMPv4:
+		return "icmp"
+	case winapi.NET_FW_IP_PROTOCOL_ICMPv6:
+		return "icmpv6"
+	default:
+		return protocolUnknown
+	}
+}
+
 func GetFirewallRules() ([]network.FirewallRule, error) {
-	return []network.FirewallRule{
-		{
-			Priority:  0,
-			Src:       "TODO",
-			Dst:       "TODO",
-			SrcPort:   0,
-			DstPort:   0,
-			Protocol:  "TODO",
-			Direction: "TODO",
-			Action:    "TODO",
-		},
-	}, nil
+	var fwRules = make([]network.FirewallRule, 0)
+
+	rules, err := winapi.FirewallRulesGet()
+	if err != nil {
+		return nil, err
+	}
+
+	priority := 0
+	for _, rule := range rules {
+		if rule.Enabled {
+			var fwRule network.FirewallRule
+
+			protocol := parseProtocol(rule.Protocol)
+			if protocol == protocolUnknown {
+				continue
+			}
+
+			// Skip all of any-any allows
+			if (rule.LocalAddresses == "*" || rule.LocalAddresses == "LocalSubnet") &&
+				(rule.RemoteAddresses == "*" || rule.RemoteAddresses == "LocalSubnet") &&
+				(rule.LocalPorts == "*" || rule.LocalPorts == "LocalSubnet" || rule.LocalPorts == "") &&
+				(rule.RemotePorts == "*" || rule.RemotePorts == "LocalSubnet" || rule.RemotePorts == "") {
+				continue
+			}
+
+			fwRule.Protocol = protocol
+
+			if rule.Direction == winapi.NET_FW_RULE_DIR_IN {
+				fwRule.Direction = "inbound"
+				fwRule.Src = rule.RemoteAddresses
+				fwRule.SrcPorts = rule.RemotePorts
+				fwRule.Dst = rule.LocalAddresses
+				fwRule.DstPorts = rule.LocalPorts
+			} else if rule.Direction == winapi.NET_FW_RULE_DIR_OUT {
+				fwRule.Direction = "outbound"
+				fwRule.Src = rule.LocalAddresses
+				fwRule.SrcPorts = rule.LocalPorts
+				fwRule.Dst = rule.RemoteAddresses
+				fwRule.DstPorts = rule.RemotePorts
+			} else {
+				continue
+			}
+
+			if rule.Action == winapi.NET_FW_ACTION_ALLOW {
+				fwRule.Action = "allow"
+			} else if rule.Action == winapi.NET_FW_ACTION_BLOCK {
+				fwRule.Action = "deny"
+			}
+
+			priority++
+			fwRule.Priority = uint(priority)
+
+			fwRules = append(fwRules, fwRule)
+		}
+	}
+
+	return fwRules, nil
 }

go.mod

@@ -20,6 +20,7 @@ require (
 require (
 	github.com/coreos/go-iptables v0.7.0
 	github.com/glebarez/sqlite v1.11.0
+	github.com/kumako/go-win64api v0.0.0-20200829071356-ddc2195639e5
 	github.com/swaggo/echo-swagger v1.4.1
 	github.com/swaggo/swag v1.16.3
 	github.com/taigrr/systemctl v1.0.6

go.sum

@@ -42,6 +42,7 @@ github.com/go-logr/logr v1.4.1 h1:pKouT5E8xu9zeFC39JXRDukb6JFQPXM5p5I91188VAQ=
 github.com/go-logr/logr v1.4.1/go.mod h1:9T104GzyrTigFIr8wt5mBrctHMim0Nb2HLGrmQ40KvY=
 github.com/go-logr/stdr v1.2.2 h1:hSWxHoqTgW2S2qGc0LTAI563KZ5YKYRhT3MFKZMbjag=
 github.com/go-logr/stdr v1.2.2/go.mod h1:mMo/vtBO5dYbehREoey6XUKy/eSumjCCveDpRre4VKE=
+github.com/go-ole/go-ole v1.2.4/go.mod h1:XCwSNxSkXRo4vlyPy93sltvi/qJq0jqQhjqQNIwKuxM=
 github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
 github.com/go-ole/go-ole v1.3.0 h1:Dt6ye7+vXGIKZ7Xtk4s6/xVdGDQynvom7xCFEdWr6uE=
 github.com/go-ole/go-ole v1.3.0/go.mod h1:5LS6F96DhAwUc7C+1HLexzMXY1xGRSryjyPPKW6zv78=
@@ -94,6 +95,8 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
+github.com/kumako/go-win64api v0.0.0-20200829071356-ddc2195639e5 h1:cMCOV9y7KHrbTmli0/+bo0ThyYkoqZtGNLwkCKuU/04=
+github.com/kumako/go-win64api v0.0.0-20200829071356-ddc2195639e5/go.mod h1:QErslf4fQWjLog9REVFLv/fOBHP3ceRkHde6hEngOIs=
 github.com/labstack/echo/v4 v4.12.0 h1:IKpw49IMryVB2p1a4dzwlhP1O2Tf2E0Ir/450lH+kI0=
 github.com/labstack/echo/v4 v4.12.0/go.mod h1:UP9Cr2DJXbOK3Kr9ONYzNowSh7HP0aG0ShAyycHSJvM=
 github.com/labstack/gommon v0.4.2 h1:F8qTUNXgG1+6WQmqoUWnz8WiEU60mXVVw0P4ht1WRA0=
@@ -214,6 +217,7 @@ golang.org/x/sync v0.7.0/go.mod h1:Czt+wKu1gCyEFDUtn0jG5QVvpJ6rzVqr5aXyt9drQfk=
 golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
 golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190916202348-b4ddaad3f8a3/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200622182413-4b0db7f3f76b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20201204225414-ed752295db88/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210616094352-59db8d763f22/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=

pkg/api/rest/docs/docs.go

@@ -1023,8 +1023,8 @@ const docTemplate = `{
                 "dst": {
                     "type": "string"
                 },
-                "dst_port": {
-                    "type": "integer"
+                "dst_ports": {
+                    "type": "string"
                 },
                 "priority": {
                     "description": "Lower has higher priority",
@@ -1037,8 +1037,8 @@ const docTemplate = `{
                 "src": {
                     "type": "string"
                 },
-                "src_port": {
-                    "type": "integer"
+                "src_ports": {
+                    "type": "string"
                 }
             }
         },

pkg/api/rest/docs/swagger.json

@@ -1012,8 +1012,8 @@
                 "dst": {
                     "type": "string"
                 },
-                "dst_port": {
-                    "type": "integer"
+                "dst_ports": {
+                    "type": "string"
                 },
                 "priority": {
                     "description": "Lower has higher priority",
@@ -1026,8 +1026,8 @@
                 "src": {
                     "type": "string"
                 },
-                "src_port": {
-                    "type": "integer"
+                "src_ports": {
+                    "type": "string"
                 }
             }
         },

pkg/api/rest/docs/swagger.yaml

@@ -301,8 +301,8 @@ definitions:
         type: string
       dst:
         type: string
-      dst_port:
-        type: integer
+      dst_ports:
+        type: string
       priority:
         description: Lower has higher priority
         type: integer
@@ -311,8 +311,8 @@ definitions:
         type: string
       src:
         type: string
-      src_port:
-        type: integer
+      src_ports:
+        type: string
     type: object
   github_com_cloud-barista_cm-honeybee_pkg_api_rest_model_onprem_network.Host:
     properties:

pkg/api/rest/model/onprem/network/firewall.go

@@ -1,12 +1,11 @@
 package network
 
-// FirewallRule
 type FirewallRule struct {
 	Priority  uint   `json:"priority"` // Lower has higher priority
 	Src       string `json:"src"`
 	Dst       string `json:"dst"`
-	SrcPort   uint   `json:"src_port"`
-	DstPort   uint   `json:"dst_port"`
+	SrcPorts  string `json:"src_ports"`
+	DstPorts  string `json:"dst_ports"`
 	Protocol  string `json:"protocol"`  // TCP, UDP, ICMP
 	Direction string `json:"direction"` // inbound, outbound
 	Action    string `json:"action"`    // allow, deny