Filter Rules Management: filter_rules_create / filter_rules_delele

slayercat · slayercat · commit 901bde5d6a17 · 2020-01-19T14:36:42.000+08:00
Signed-off-by: lilinzhe &lt;slayercat.subscription@gmail.com&gt;
diff --git a/README.md b/README.md
@@ -28,6 +28,8 @@ tasks feasible.
  - [network_address_aliases_update](#user-content-network_address_aliases_update) - Update a address aliaes. Returns newest result
  - [network_address_aliases_delete](#user-content-network_address_aliases_delete) - delete a address aliaes. Returns newest result
  - [filter_rules_get](#user-content-filter_rules_get) - Returns firewall filters.
+ - [filter_rules_create](#user-content-filter_rules_create) - Creates firewall filters.
+ - [filter_rules_delete](#user-content-filter_rules_delete) - Deletes firewall filters.
 
 
 ## Approach
@@ -916,13 +918,13 @@ curl \
  - HTTP: **POST**
  - Params: none
  - Request body: json
-     - **name** :<string> name of aliases
-     - **type** :<string> type of aliases. **MUST** be `network` for now.
-     - **cidr_addresses** : < list of <object> > name alias what
+     - **name** :< string > name of aliases
+     - **type** :< string > type of aliases. **MUST** be `network` for now.
+     - **cidr_addresses** : < list of < object > > name alias what
         - **address** an ip address or a network prefix.
         - **details** a description of this address. for human readable documentation.
-     - **descr** : <string> the description of current aliases.
-  - Response: json <object>: the items after created
+     - **descr** : < string > the description of current aliases.
+  - Response: json < object >: the items after created
 
 *Example Request*
 ```bash
@@ -969,13 +971,13 @@ curl \
  - HTTP: **POST**
  - Params: none
  - Request body: json
-     - **name** :<string> name of aliases. identiy which aliases frr modify
-     - **type** :<string> type of aliases. **MUST** be `network` for now.
-     - **cidr_addresses** : < list of <object> > name alias what
+     - **name** :< string > name of aliases. identiy which aliases frr modify
+     - **type** :< string > type of aliases. **MUST** be `network` for now.
+     - **cidr_addresses** : < list of < object > > name alias what
         - **address** an ip address or a network prefix.
         - **details** a description of this address. for human readable documentation.
-     - **descr** : <string> the description of current aliases.
-  - Response: json <object>: the items after created
+     - **descr** : < string > the description of current aliases.
+  - Response: json < object >: the items after created
 
 *Example Request*
 ```bash
@@ -1022,8 +1024,8 @@ curl \
  - HTTP: **POST**
  - Params: none
  - Request body: json
-     - **name** :<string> name of aliases. identiy which aliase to delete 
-  - Response: json <object>: the items after created
+     - **name** :< string > name of aliases. identiy which aliase to delete 
+  - Response: json < object >: the items after created
 
 *Example Request*
 ```bash
@@ -1149,6 +1151,67 @@ curl \
     }
 }
 ```
+---
+### filter_rules_create
+ - Creates firewall filters
+ - HTTP: **POST**
+ - Params: none
+ - Request body: json
+    - **position**: < int >: insert to which position.
+    - **rule**: < object >: what is the rule. 
+      - **type** :< string > : Type of filter. could take value: pass / block / reject
+      - **ipprotocol**: < string >: Which network type? could take value: inet / inet6 / inet46
+      - **protocol**: < string >: if seted. could only take value: tcp. used for port match.
+      - **descr** : < string > : Used for description.
+      - **interface**: < string >: To which interface. e.g. WAN
+      - **source**: < object > : match source item.
+          - `{"any":""}`: matchs any address.
+          - `{"address": "network_address_aliases"}`: matchs any network_address_aliases.
+          - `{"address": "1.2.3.4"}`: matchs address 1.2.3.4
+          - `{"any":"", "port": "443-443"}: matchs 443 port. uses with protocol
+      - **destination**: < object >: match description. -- same as above.
+  - Response: json < object >: the items after created
+
+* Test it carefully before going to wild please.  USE AT YOUR OWN RISK *
+
+*Example Request*
+```bash
+curl \
+    -X POST \
+    --silent \
+    --insecure \
+    --header "fauxapi-auth: <auth-value>" \
+    --data '{"position": 1, "rule": {"type": "reject", "ipprotocol": "inet", "descr": "testobject", "interface": "wan", "source": {"any": ""}, "destination": {"address": "1.2.3.4"}}}' \
+    "https://<host-address>/fauxapi/v1/?action=filter_rules_create"
+```
+*Example Response*
+Same As [filter_rules_get](#user-content-filter_rules_get)
+---
+### filter_rules_delete
+ - Returns firewall filters.
+ - HTTP: **POST**
+ - Params: none
+ - Request body: json
+    - **position**: <int>: deletes which position.
+
+* Test it carefully before going to wild please.  USE AT YOUR OWN RISK *
+
+Because there's nothing like Unique ID or name in rule. Currently we could only take the position to identify which rule shell be deleted.
+
+*Example Request*
+```bash
+curl \
+    -X POST \
+    --silent \
+    --insecure \
+    --header "fauxapi-auth: <auth-value>" \
+    --data '{"position": 1}' \
+    "https://<host-address>/fauxapi/v1/?action=filter_rules_delete"
+```
+
+*Example Response*
+Same As [filter_rules_get](#user-content-filter_rules_get)
+
 ---
 
 ## Versions and Testing
diff --git a/pfSense-pkg-FauxAPI/files/etc/inc/fauxapi/fauxapi_actions.inc b/pfSense-pkg-FauxAPI/files/etc/inc/fauxapi/fauxapi_actions.inc
@@ -427,6 +427,66 @@ class fauxApiActions {
         return TRUE;
     }
 
+    /**
+     * filter_rules_create()
+     * 
+     * @return boolean
+     */
+    public function filter_rules_create() {
+        fauxApiLogger::debug(__METHOD__);
+                
+        $position = $this->action_input_data["position"];
+        $ruleobj = $this->action_input_data["rule"];
+        $rules = $this->PfsenseInterface->filter_rules_create($position, $ruleobj);
+        
+        if (empty($rules)) {
+            $this->response->http_code = 500;
+            $this->response->message = 'unable to get filter rule(s)';
+            return FALSE;
+        }
+        $this->response->http_code = 200;
+        $this->response->message = 'ok';
+        $this->response->data = array(
+            'filter' => array(
+                'rules' => $rules
+            ),           
+        );
+        return TRUE;
+    }
+
+    /**
+     * filter_rules_create()
+     * 
+     * @return boolean
+     */
+    public function filter_rules_delete() {
+        fauxApiLogger::debug(__METHOD__);
+        
+        if(!isset($this->action_input_data["position"])) {
+            $error_message = "could only delete by position at now";
+            $error_data = array('postdata' => $this->action_input_data);
+            fauxApiLogger::error($error_message, $error_data);
+            throw new \Exception($error_message);
+            return FALSE;
+        }
+        $position = $this->action_input_data["position"];
+        $rules = $this->PfsenseInterface->filter_rules_delete_by_position($position);
+        
+        if (empty($rules)) {
+            $this->response->http_code = 500;
+            $this->response->message = 'unable to get filter rule(s)';
+            return FALSE;
+        }
+        $this->response->http_code = 200;
+        $this->response->message = 'ok';
+        $this->response->data = array(
+            'filter' => array(
+                'rules' => $rules
+            ),           
+        );
+        return TRUE;
+    }
+
     /**
      * network_address_aliases_get()
      * 
diff --git a/pfSense-pkg-FauxAPI/files/etc/inc/fauxapi/fauxapi_pfsense_interface.inc b/pfSense-pkg-FauxAPI/files/etc/inc/fauxapi/fauxapi_pfsense_interface.inc
@@ -29,6 +29,7 @@ include_once '/etc/inc/config.lib.inc';
 include_once '/etc/inc/system.inc';
 
 include_once 'fauxapi_pfsense_interface_alias.inc';
+include_once 'fauxapi_pfsense_interface_filter_rules.inc';
 class fauxApiPfsenseInterface {
 
     public $config_xml_root = 'pfsense';
@@ -720,16 +721,8 @@ class fauxApiPfsenseInterface {
         return \pfSense_get_interface_stats($interface);
     }
     
-    /**
-     * filter_rules_get()
-     * 
-     * @return array
-     */
-    public function filter_rules_get(){
-        global $config;
-        fauxApiLogger::debug(__METHOD__);
-        return $config["filter"]["rule"];
-    }
+    
+    use network_filter_rules;
     
     use network_address_aliases;
 
diff --git a/pfSense-pkg-FauxAPI/files/etc/inc/fauxapi/fauxapi_pfsense_interface_alias.priv.inc b/pfSense-pkg-FauxAPI/files/etc/inc/fauxapi/fauxapi_pfsense_interface_alias.priv.inc
@@ -2,8 +2,8 @@
 namespace fauxapi\v1;
 
 // write_config requires functions from this
-include '/etc/inc/phpsessionmanager.inc';
-include '/etc/inc/auth.inc';
+include_once '/etc/inc/phpsessionmanager.inc';
+include_once '/etc/inc/auth.inc';
 
 class fauxApiInterfaceAliasTools
 {
diff --git a/pfSense-pkg-FauxAPI/files/etc/inc/fauxapi/fauxapi_pfsense_interface_filter_rules.inc b/pfSense-pkg-FauxAPI/files/etc/inc/fauxapi/fauxapi_pfsense_interface_filter_rules.inc
@@ -0,0 +1,63 @@
+<?php
+
+namespace fauxapi\v1;
+
+include 'fauxapi_pfsense_interface_filter_rules.priv.inc';
+trait network_filter_rules
+{
+    /**
+     * filter_rules_get()
+     * 
+     * @return array
+     */
+    public function filter_rules_get()
+    {
+        global $config;
+        fauxApiLogger::debug(__METHOD__);
+        return $config["filter"]["rule"];
+    }
+
+    /**
+     * filter_rules_create()
+     * 
+     * @return array
+     */
+    public function filter_rules_create($position, $ruleobj)
+    {
+        global $config;
+        fauxApiLogger::debug(__METHOD__, array("rule" => $ruleobj));
+        if (isset($ruleobj["id"])) {
+            $error_message = "rules create obj could not have id";
+            $error_data = array('ruleobj' => $ruleobj);
+            fauxApiLogger::error($error_message, $error_data);
+            throw new \Exception($error_message);
+        }
+        $error_message = fauxApiFiltersRulesTools::CheckRuleObject($ruleobj);
+        if ($error_message != NULL) {
+            $error_data = array('ruleobj' => $ruleobj);
+            fauxApiLogger::error($error_message, $error_data);
+            throw new \Exception($error_message);
+        }
+        $target = fauxApiFiltersRulesTools::BuildRuleConfig($ruleobj);
+        // insert position
+        array_splice($config["filter"]["rule"], $position, 0, array($target));
+        filter_rules_sort();
+        fauxApiFiltersRulesTools::WriteConfig();
+        return $config["filter"]["rule"];
+    }
+
+
+    /**
+     * filter_rules_delete_by_position()
+     * 
+     * @return array
+     */
+    public function filter_rules_delete_by_position($position)
+    {
+        global $config;
+        \array_splice($config["filter"]["rule"], $position, 1);
+        filter_rules_sort();
+        fauxApiFiltersRulesTools::WriteConfig();
+        return $config["filter"]["rule"];
+    }
+}
diff --git a/pfSense-pkg-FauxAPI/files/etc/inc/fauxapi/fauxapi_pfsense_interface_filter_rules.priv.inc b/pfSense-pkg-FauxAPI/files/etc/inc/fauxapi/fauxapi_pfsense_interface_filter_rules.priv.inc

Original file line number	Diff line number	Diff line change
`@@ -2,8 +2,8 @@`
`2`	`2`	`namespace fauxapi\v1;`
`3`	`3`
`4`	`4`	`// write_config requires functions from this`
`5`		`-include '/etc/inc/phpsessionmanager.inc';`
`6`		`-include '/etc/inc/auth.inc';`
	`5`	`+include_once '/etc/inc/phpsessionmanager.inc';`
	`6`	`+include_once '/etc/inc/auth.inc';`
`7`	`7`
`8`	`8`	`class fauxApiInterfaceAliasTools`
`9`	`9`	`{`