feat(pydantic): Add ZoneEntries

v-lafeychine 2023-06-17 00:19:19 +02:00
parent e827d4b1c6
commit 7e5608081d
Signed by: v-lafeychine
GPG key ID: F46CAAD27C7AB0D5
2 changed files with 29 additions and 16 deletions


@ -2,23 +2,23 @@
zones: zones:
- name: users-internet-allowed - name: users-internet-allowed
include: include:
- rules.yaml files: [example.yaml]
- name: mgmt - name: mgmt
include: include:
- 10.203.0.0/16 addrs: [10.203.0.0/16]
- name: adm - name: adm
include: include:
- 2a09:6840::/29 addrs: [2a09:6840::/29, 10.128.0.0/16]
- 10.128.0.0/16
- name: internet - name: internet
exclude: exclude:
- adm zones: [adm, mgmt]
- mgmt
blacklist: blacklist:
enabled: true enabled: true
addr: addr: [0.0.0.0]
- 0.0.0.0
reverse_path_filter: reverse_path_filter:
enabled: true enabled: true
@ -27,11 +27,13 @@ filter:
input: input:
- iif: lo - iif: lo
verdict: accept verdict: accept
- src: mgmt - src: mgmt
protocols: protocols:
tcp: tcp:
dport: [22, 240..242] dport: [22, 240..242]
verdict: accept verdict: accept
- src: backbone - src: backbone
protocols: protocols:
ospf: true ospf: true
@ -39,27 +41,33 @@ filter:
tcp: tcp:
dport: [179] dport: [179]
verdict: accept verdict: accept
- protocols: - protocols:
icmp: true icmp: true
verdict: accept verdict: accept
output: output:
- verdict: accept - verdict: accept
forward: forward:
- src: interco-crans - src: interco-crans
verdict: accept verdict: accept
- src: users-internet-allowed - src: users-internet-allowed
protocols: protocols:
tcp: tcp:
dport: [25] dport: [25]
verdict: drop verdict: drop
- src: users-internet-allowed - src: users-internet-allowed
dest: dest:
- internet addrs: [10.0.0.1]
- 10.0.0.1 zones: [internet]
verdict: accept verdict: accept
nat: nat:
- src: mgmt - src:
zones: [mgmt]
snat: snat:
addr: 45.66.108.14 addr: 45.66.108.14
persistent: true persistent: true
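Review bot: The example now names a source in two different shapes: the filter rules keep the bare form (`src: mgmt`, `src: backbone`, `src: users-internet-allowed`) while the `nat` entry uses the new mapping form (`src:` with `zones: [mgmt]`). If both shapes are intended, a comment above the `nat` block such as `# nat.src and forward dest take addrs/files/zones; filter src takes a single zone name` would stop readers from copying the wrong shape into a rule. It would also help to state in a comment whether `addrs: [10.0.0.1]` and `zones: [internet]` under the same `dest` are combined as a union, since the example does not say.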


@ -1,6 +1,5 @@
#!/usr/bin/env python3 #!/usr/bin/env python3
from __future__ import annotations
from argparse import ArgumentParser, FileType from argparse import ArgumentParser, FileType
from enum import Enum from enum import Enum
from pydantic import ( from pydantic import (
@ -49,10 +48,16 @@ class ZoneName(str):
pass pass
class ZoneEntries(RestrictiveBaseModel):
addrs: list[IPvAnyNetwork] | None
files: list[FilePath] | None
zones: list[ZoneName] | None
class Zone(RestrictiveBaseModel): class Zone(RestrictiveBaseModel):
name: ZoneName name: ZoneName
exclude: list[IPvAnyNetwork | ZoneName | FilePath] | None exclude: ZoneEntries | None
include: list[IPvAnyNetwork | ZoneName | FilePath] | None include: ZoneEntries | None
@root_validator() @root_validator()
def validate_mutually_exactly_one(cls, values): def validate_mutually_exactly_one(cls, values):
@ -110,7 +115,7 @@ class Rule(RestrictiveBaseModel):
class ForwardRule(Rule): class ForwardRule(Rule):
dest: ZoneName | list[IPvAnyNetwork | ZoneName | FilePath] | None dest: ZoneEntries | None
class Filter(RestrictiveBaseModel): class Filter(RestrictiveBaseModel):
@ -126,7 +131,7 @@ class SNat(RestrictiveBaseModel):
class Nat(RestrictiveBaseModel): class Nat(RestrictiveBaseModel):
src: ZoneName | list[IPvAnyNetwork | ZoneName | FilePath] | None src: ZoneEntries | None
snat: SNat snat: SNat
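Review bot: The new `ZoneEntries` model declares all three fields as `... | None` with no check that at least one is set. Under the pydantic v1 API implied by `@root_validator()`, that means `include: {}`, `dest: {}` or `addrs: []` validate as an entry set that matches nothing explicit. How the generator renders an empty `ZoneEntries` is not visible here, but for a firewall config it is safer to reject it at parse time than to risk an empty `dest` or `src` being emitted as "no restriction". A root validator on `ZoneEntries` that requires one non-empty list would make such a typo fail closed. `Zone`'s own `validate_mutually_exactly_one` continues outside the hunk, so whether it already covers the `include`/`exclude` case cannot be confirmed from this page, and `ForwardRule.dest` and `Nat.src` would not pass through it in any case.

```python
class ZoneEntries(RestrictiveBaseModel):
    # … unchanged: addrs / files / zones fields …

    @root_validator()
    def validate_not_empty(cls, values):
        if not any(values.get(key) for key in ("addrs", "files", "zones")):
            raise ValueError("one of addrs, files or zones must be non-empty")
        return values
```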