firewall/nft.py

from dataclasses import dataclass, field
from itertools import chain
from ipaddress import IPv4Address, IPv4Network, IPv6Network
from typing import Any, Generic, TypeVar, get_args

T = TypeVar("T")
JsonNftables = dict[str, Any]


def flatten(l: list[list[T]]) -> list[T]:
    return list(chain.from_iterable(l))


Immediate = int | str | bool | set | range | IPv4Network | IPv6Network


@dataclass
class Ct:
    key: str

    def to_nft(self) -> JsonNftables:
        return {"ct": {"key": self.key}}


@dataclass
class Fib:
    flags: list[str]
    result: str

    def to_nft(self) -> JsonNftables:
        return {"fib": {"flags": self.flags, "result": self.result}}


@dataclass
class Meta:
    key: str

    def to_nft(self) -> JsonNftables:
        return {"meta": {"key": self.key}}


@dataclass
class Payload:
    protocol: str
    field: str

    def to_nft(self) -> JsonNftables:
        return {"payload": {"protocol": self.protocol, "field": self.field}}


Expression = Ct | Fib | Immediate | Meta | Payload


def imm_to_nft(value: Immediate) -> Any:
    if isinstance(value, range):
        return {"range": [value.start, value.stop - 1]}

    elif isinstance(value, IPv4Network | IPv6Network):
        return {
            "prefix": {
                "addr": str(value.network_address),
                "len": value.prefixlen,
            }
        }

    elif isinstance(value, set):
        return {"set": [expr_to_nft(e) for e in value]}

    return value


def expr_to_nft(value: Expression) -> Any:
    if isinstance(value, get_args(Immediate)):
        return imm_to_nft(value)  # type: ignore

    return value.to_nft()  # type: ignore


# Statements
@dataclass
class Counter:
    def to_nft(self) -> JsonNftables:
        return {"counter": {"packets": 0, "bytes": 0}}


@dataclass
class Goto:
    target: str

    def to_nft(self) -> JsonNftables:
        return {"goto": {"target": self.target}}


@dataclass
class Jump:
    target: str

    def to_nft(self) -> JsonNftables:
        return {"jump": {"target": self.target}}


@dataclass
class Match:
    op: str
    left: Expression
    right: Expression

    def to_nft(self) -> JsonNftables:
        match = {
            "op": self.op,
            "left": expr_to_nft(self.left),
            "right": expr_to_nft(self.right),
        }

        return {"match": match}


@dataclass
class Snat:
    addr: IPv4Network | IPv4Address
    port: range | None
    persistent: bool

    def to_nft(self) -> JsonNftables:
        snat: JsonNftables = {}

        if isinstance(self.addr, IPv4Network):
            snat["addr"] = {"range": [str(self.addr[0]), str(self.addr[-1])]}
        else:
            snat["addr"] = str(self.addr)

        if self.port is not None:
            snat["port"] = imm_to_nft(self.port)

        if self.persistent:
            snat["flags"] = "persistent"

        return {"snat": snat}


@dataclass
class Verdict:
    verdict: str

    target: str | None = None

    def to_nft(self) -> JsonNftables:
        return {self.verdict: self.target}


Statement = Counter | Goto | Jump | Match | Snat | Verdict


# Ruleset
@dataclass
class Set:
    name: str
    type: str

    flags: list[str] | None = None
    elements: list[Immediate] = field(default_factory=list)

    def to_nft(self, family: str, table: str) -> JsonNftables:
        set: JsonNftables = {
            "name": self.name,
            "family": family,
            "table": table,
            "type": self.type,
        }

        if self.elements:
            set["elem"] = [imm_to_nft(e) for e in self.elements]

        if self.flags:
            set["flags"] = self.flags

        return {"add": {"set": set}}


@dataclass
class Rule:
    stmts: list[Statement] = field(default_factory=list)

    def to_nft(self, family: str, table: str, chain: str) -> JsonNftables:
        rule = {
            "family": family,
            "table": table,
            "chain": chain,
            "expr": [stmt.to_nft() for stmt in self.stmts],
        }

        return {"add": {"rule": rule}}


@dataclass
class Chain:
    name: str

    type: str | None = None
    hook: str | None = None
    priority: int | None = None
    policy: str | None = None

    rules: list[Rule] = field(default_factory=list)

    def to_nft(self, family: str, table: str) -> list[JsonNftables]:
        chain: JsonNftables = {
            "name": self.name,
            "family": family,
            "table": table,
        }

        if self.type is not None:
            chain["type"] = self.type

        if self.hook is not None:
            chain["hook"] = self.hook

        if self.priority is not None:
            chain["prio"] = self.priority

        if self.policy is not None:
            chain["policy"] = self.policy

        commands = [{"add": {"chain": chain}}]

        for rule in self.rules:
            commands.append(rule.to_nft(family, table, self.name))

        return commands


@dataclass
class Table:
    family: str
    name: str

    chains: list[Chain] = field(default_factory=list)
    sets: list[Set] = field(default_factory=list)

    def to_nft(self) -> list[JsonNftables]:
        commands = [{"add": {"table": {"family": self.family, "name": self.name}}}]

        for set in self.sets:
            commands.append(set.to_nft(self.family, self.name))

        for chain in self.chains:
            commands.extend(chain.to_nft(self.family, self.name))

        return commands


@dataclass
class Ruleset:
    flush: bool

    tables: list[Table] = field(default_factory=list)

    def to_nft(self) -> JsonNftables:
        ruleset = flatten([table.to_nft() for table in self.tables])

        if self.flush:
            ruleset.insert(0, {"flush": {"ruleset": None}})

        return {"nftables": ruleset}
feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00			`from dataclasses import dataclass, field`
			`from itertools import chain`
feat(nat): Add whole NAT 2023-08-30 22:34:29 +02:00			`from ipaddress import IPv4Address, IPv4Network, IPv6Network`
fix: Types 2023-08-30 16:22:44 +02:00			`from typing import Any, Generic, TypeVar, get_args`
feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00
			`T = TypeVar("T")`
			`JsonNftables = dict[str, Any]`


			`def flatten(l: list[list[T]]) -> list[T]:`
			`return list(chain.from_iterable(l))`


fix: Types 2023-08-30 16:22:44 +02:00			`Immediate = int \| str \| bool \| set \| range \| IPv4Network \| IPv6Network`


feat(input): Add iif + protocols 2023-08-28 02:32:40 +02:00			`@dataclass`
various fixes 2023-08-29 21:20:28 +02:00			`class Ct:`
feat(input): Add iif + protocols 2023-08-28 02:32:40 +02:00			`key: str`

			`def to_nft(self) -> JsonNftables:`
			`return {"ct": {"key": self.key}}`


feat: Add reverse path filter 2023-08-27 22:32:33 +02:00			`@dataclass`
various fixes 2023-08-29 21:20:28 +02:00			`class Fib:`
feat: Add reverse path filter 2023-08-27 22:32:33 +02:00			`flags: list[str]`
			`result: str`

			`def to_nft(self) -> JsonNftables:`
			`return {"fib": {"flags": self.flags, "result": self.result}}`


			`@dataclass`
various fixes 2023-08-29 21:20:28 +02:00			`class Meta:`
feat: Add reverse path filter 2023-08-27 22:32:33 +02:00			`key: str`

			`def to_nft(self) -> JsonNftables:`
			`return {"meta": {"key": self.key}}`


feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00			`@dataclass`
various fixes 2023-08-29 21:20:28 +02:00			`class Payload:`
feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00			`protocol: str`
			`field: str`

			`def to_nft(self) -> JsonNftables:`
			`return {"payload": {"protocol": self.protocol, "field": self.field}}`


fix: Types 2023-08-30 16:22:44 +02:00			`Expression = Ct \| Fib \| Immediate \| Meta \| Payload`
various fixes 2023-08-29 21:20:28 +02:00
fix: Types 2023-08-30 16:22:44 +02:00
			`def imm_to_nft(value: Immediate) -> Any:`
various fixes 2023-08-29 21:20:28 +02:00			`if isinstance(value, range):`
fix: Types 2023-08-30 16:22:44 +02:00			`return {"range": [value.start, value.stop - 1]}`

various fixes 2023-08-29 21:20:28 +02:00			`elif isinstance(value, IPv4Network \| IPv6Network):`
			`return {`
			`"prefix": {`
			`"addr": str(value.network_address),`
			`"len": value.prefixlen,`
			`}`
			`}`
fix: Types 2023-08-30 16:22:44 +02:00
various fixes 2023-08-29 21:20:28 +02:00			`elif isinstance(value, set):`
fix: Types 2023-08-30 16:22:44 +02:00			`return {"set": [expr_to_nft(e) for e in value]}`

various fixes 2023-08-29 21:20:28 +02:00			`return value`


fix: Types 2023-08-30 16:22:44 +02:00			`def expr_to_nft(value: Expression) -> Any:`
			`if isinstance(value, get_args(Immediate)):`
			`return imm_to_nft(value) # type: ignore`

			`return value.to_nft() # type: ignore`
feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00

feat: Add reverse path filter 2023-08-27 22:32:33 +02:00			`# Statements`
feat(input): Add iif + protocols 2023-08-28 02:32:40 +02:00			`@dataclass`
various fixes 2023-08-29 21:20:28 +02:00			`class Counter:`
feat(input): Add iif + protocols 2023-08-28 02:32:40 +02:00			`def to_nft(self) -> JsonNftables:`
			`return {"counter": {"packets": 0, "bytes": 0}}`


			`@dataclass`
various fixes 2023-08-29 21:20:28 +02:00			`class Goto:`
feat(input): Add iif + protocols 2023-08-28 02:32:40 +02:00			`target: str`

			`def to_nft(self) -> JsonNftables:`
			`return {"goto": {"target": self.target}}`


minor fixes 2023-08-28 11:09:59 +02:00			`@dataclass`
various fixes 2023-08-29 21:20:28 +02:00			`class Jump:`
minor fixes 2023-08-28 11:09:59 +02:00			`target: str`

			`def to_nft(self) -> JsonNftables:`
			`return {"jump": {"target": self.target}}`


feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00			`@dataclass`
various fixes 2023-08-29 21:20:28 +02:00			`class Match:`
feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00			`op: str`
			`left: Expression`
			`right: Expression`

			`def to_nft(self) -> JsonNftables:`
chore(nft): Readability 2023-08-27 21:35:39 +02:00			`match = {`
			`"op": self.op,`
fix: Types 2023-08-30 16:22:44 +02:00			`"left": expr_to_nft(self.left),`
			`"right": expr_to_nft(self.right),`
feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00			`}`

chore(nft): Readability 2023-08-27 21:35:39 +02:00			`return {"match": match}`

feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00
feat(nat): Add whole NAT 2023-08-30 22:34:29 +02:00			`@dataclass`
			`class Snat:`
			`addr: IPv4Network \| IPv4Address`
			`port: range \| None`
			`persistent: bool`

			`def to_nft(self) -> JsonNftables:`
			`snat: JsonNftables = {}`

			`if isinstance(self.addr, IPv4Network):`
			`snat["addr"] = {"range": [str(self.addr[0]), str(self.addr[-1])]}`
			`else:`
			`snat["addr"] = str(self.addr)`

			`if self.port is not None:`
			`snat["port"] = imm_to_nft(self.port)`

			`if self.persistent:`
			`snat["flags"] = "persistent"`

			`return {"snat": snat}`


feat: Add reverse path filter 2023-08-27 22:32:33 +02:00			`@dataclass`
various fixes 2023-08-29 21:20:28 +02:00			`class Verdict:`
feat: Add reverse path filter 2023-08-27 22:32:33 +02:00			`verdict: str`
feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00
feat: Add reverse path filter 2023-08-27 22:32:33 +02:00			`target: str \| None = None`
feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00
feat: Add reverse path filter 2023-08-27 22:32:33 +02:00			`def to_nft(self) -> JsonNftables:`
			`return {self.verdict: self.target}`


feat(nat): Add whole NAT 2023-08-30 22:34:29 +02:00			`Statement = Counter \| Goto \| Jump \| Match \| Snat \| Verdict`
feat: Add reverse path filter 2023-08-27 22:32:33 +02:00

			`# Ruleset`
chore(nft): Readability 2023-08-27 21:35:39 +02:00			`@dataclass`
			`class Set:`
			`name: str`
feat: Add reverse path filter 2023-08-27 22:32:33 +02:00			`type: str`
chore(nft): Readability 2023-08-27 21:35:39 +02:00
feat(input): Add iif + protocols 2023-08-28 02:32:40 +02:00			`flags: list[str] \| None = None`
various fixes 2023-08-28 12:34:59 +02:00			`elements: list[Immediate] = field(default_factory=list)`
chore(nft): Readability 2023-08-27 21:35:39 +02:00
			`def to_nft(self, family: str, table: str) -> JsonNftables:`
			`set: JsonNftables = {`
			`"name": self.name,`
			`"family": family,`
			`"table": table,`
			`"type": self.type,`
			`}`

			`if self.elements:`
various fixes 2023-08-29 21:20:28 +02:00			`set["elem"] = [imm_to_nft(e) for e in self.elements]`
chore(nft): Readability 2023-08-27 21:35:39 +02:00
feat: Add reverse path filter 2023-08-27 22:32:33 +02:00			`if self.flags:`
			`set["flags"] = self.flags`

chore(nft): Readability 2023-08-27 21:35:39 +02:00			`return {"add": {"set": set}}`


feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00			`@dataclass`
			`class Rule:`
feat(nat): Add whole NAT 2023-08-30 22:34:29 +02:00			`stmts: list[Statement] = field(default_factory=list)`
feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00
			`def to_nft(self, family: str, table: str, chain: str) -> JsonNftables:`
chore(nft): Readability 2023-08-27 21:35:39 +02:00			`rule = {`
			`"family": family,`
			`"table": table,`
			`"chain": chain,`
			`"expr": [stmt.to_nft() for stmt in self.stmts],`
feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00			`}`

chore(nft): Readability 2023-08-27 21:35:39 +02:00			`return {"add": {"rule": rule}}`

feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00
			`@dataclass`
			`class Chain:`
			`name: str`

			`type: str \| None = None`
			`hook: str \| None = None`
			`priority: int \| None = None`
			`policy: str \| None = None`

			`rules: list[Rule] = field(default_factory=list)`

			`def to_nft(self, family: str, table: str) -> list[JsonNftables]:`
			`chain: JsonNftables = {`
			`"name": self.name,`
			`"family": family,`
			`"table": table,`
			`}`

			`if self.type is not None:`
			`chain["type"] = self.type`

			`if self.hook is not None:`
			`chain["hook"] = self.hook`

			`if self.priority is not None:`
			`chain["prio"] = self.priority`

			`if self.policy is not None:`
			`chain["policy"] = self.policy`

			`commands = [{"add": {"chain": chain}}]`

			`for rule in self.rules:`
			`commands.append(rule.to_nft(family, table, self.name))`

			`return commands`


			`@dataclass`
			`class Table:`
			`family: str`
			`name: str`

			`chains: list[Chain] = field(default_factory=list)`
			`sets: list[Set] = field(default_factory=list)`

			`def to_nft(self) -> list[JsonNftables]:`
fix: Types 2023-08-30 16:22:44 +02:00			`commands = [{"add": {"table": {"family": self.family, "name": self.name}}}]`
feat(blacklist): Add NFT blacklist 2023-08-27 12:56:41 +02:00
			`for set in self.sets:`
			`commands.append(set.to_nft(self.family, self.name))`

			`for chain in self.chains:`
			`commands.extend(chain.to_nft(self.family, self.name))`

			`return commands`


			`@dataclass`
			`class Ruleset:`
			`flush: bool`

			`tables: list[Table] = field(default_factory=list)`

			`def to_nft(self) -> JsonNftables:`
			`ruleset = flatten([table.to_nft() for table in self.tables])`

			`if self.flush:`
			`ruleset.insert(0, {"flush": {"ruleset": None}})`

			`return {"nftables": ruleset}`