diff --git a/src/nethsec/firewall/__init__.py b/src/nethsec/firewall/__init__.py
index 4689daf8..4adb67ba 100644
--- a/src/nethsec/firewall/__init__.py
+++ b/src/nethsec/firewall/__init__.py
@@ -18,7 +18,7 @@ from nethsec import utils, objects
 PROTOCOLS = ['tcp', 'udp', 'udplite', 'icmp', 'esp', 'ah', 'sctp']
-TARGETS = ['ACCEPT', 'DROP', 'REJECT']
+TARGETS = ['ACCEPT', 'DROP', 'REJECT', 'NOTRACK']
 def add_device_to_zone(uci, device, zone):
 '''
@@ -1464,7 +1464,7 @@ def validate_rule(uci, src: str, src_ip: list[str], dest: str, dest_ip: list[str
 dest_ip: a list of destination ip
 proto: protocol, must be a list of protocols in "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"
 dest_port: a list of destination ports, each element cna be be a port number, a comma-separated list of port numbers or a range with `-` (eg. 80-90)
- target: target, must be one of 'ACCEPT', 'REJECT', 'DROP'
+ target: target, must be one of 'ACCEPT', 'REJECT', 'DROP', 'NOTRACK'
 service: service name
 ns_src: an object in the form `/`
 ns_dst: an object in the form `/`
@@ -1533,7 +1533,7 @@ def setup_rule(uci, id: str, name: str, src: str, src_ip: list[str], dest: str,
 dest_ip: a list of destination IP addresses
 proto: protocol, must be a list of protocols in "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"
 dest_port: a list of destination ports, each element can be a port number, a comma-separated list of port numbers, or a range with `-` (e.g., 80-90)
- target: target, must be one of 'ACCEPT', 'REJECT', 'DROP'
+ target: target, must be one of 'ACCEPT', 'REJECT', 'DROP', 'NOTRACK'
 service: service name
 enabled: if True, rule is enabled; if False, rule is disabled
 log: if True, log traffic
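Review bot: The widened whitelist at `+TARGETS = ['ACCEPT', 'DROP', 'REJECT', 'NOTRACK']` admits NOTRACK with no indication that it is not a filter verdict: in netfilter a notrack rule makes matching packets bypass connection tracking, so any later stateful rule (established/related accept, NAT state, conntrack helpers) never sees those flows, and a permissive NOTRACK rule silently weakens stateful filtering rather than merely adding an allow/deny decision. Whether validate_rule (its body lies outside this hunk) enforces any NOTRACK-specific constraints — for example which of the src/dest/log options are meaningful for a raw-table rule under fw4 — cannot be seen here and is worth confirming before the option is exposed to callers. A comment on the constant would help the next maintainer: `# NOTRACK is a raw-table target, not a verdict: matching packets skip conntrack, so stateful rules downstream never match them`. The same caveat belongs in the four `target:` docstring lines changed in the hunks at -1464 and -1533 here and at -1680 and -1728 in the next hunks, e.g. `target: target, must be one of 'ACCEPT', 'REJECT', 'DROP', 'NOTRACK' (NOTRACK bypasses connection tracking for matching packets)`.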
@@ -1680,7 +1680,7 @@ def add_rule(uci, name: str, src: str, src_ip: list[str], dest: str, dest_ip: li
 dest_ip: a list of destination ip
 proto: protocol, must be a list of protocols in "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"
 dest_port: a list of destination ports, each element cna be be a port number, a comma-separated list of port numbers or a range with `-` (eg. 80-90)
- target: target, must be one of 'ACCEPT', 'REJECT', 'DROP'
+ target: target, must be one of 'ACCEPT', 'REJECT', 'DROP', 'NOTRACK'
 service: service name
 enabled: if True, rule is enabled, if False, rule is disabled
 log: if True, log traffic
@@ -1728,7 +1728,7 @@ def edit_rule(uci, id: str, name: str, src: str, src_ip: list[str], dest: str, d
 dest_ip: a list of destination ip
 proto: protocol, must be a list of protocols in "tcp", "udp", "udplite", "icmp", "esp", "ah", "sctp"
 dest_port: a list of destination ports, each element cna be be a port number, a comma-separated list of port numbers or a range with `-` (eg. 80-90)
- target: target, must be one of 'ACCEPT', 'REJECT', 'DROP'
+ target: target, must be one of 'ACCEPT', 'REJECT', 'DROP', 'NOTRACK'
 service: service name
 enabled: if True, rule is enabled, if False, rule is disabled
 log: if True, log traffic
diff --git a/tests/test_firewall.py b/tests/test_firewall.py
index 17c3d192..0920bcb3 100644
--- a/tests/test_firewall.py
+++ b/tests/test_firewall.py
@@ -960,6 +960,27 @@ def test_edit_rule(u, mocker):
 assert u.get_all("firewall", rid, "proto") == ('tcp',)
 assert u.get("firewall", rid, "dest_port") == "80"
+def test_add_rule_with_notrack(u, mocker):
+ mocker.patch('builtins.open', mocker.mock_open(read_data=services_file))
+ mock_isfile = mocker.patch('os.path.isfile')
+ mock_isfile.return_value = True
+ rid = firewall.add_rule(u, 'notrack_rule', 'lan', ['192.168.1.0/24'], 'wan', [], [], '', 'NOTRACK', "*", True, False, [], False)
+ assert u.get("firewall", rid, "name") == "notrack_rule"
+ assert u.get("firewall", rid, "target") == "NOTRACK"
+ assert u.get("firewall", rid, "src") == "lan"
+ assert u.get("firewall", rid, "dest") == "wan"
+ assert u.get_all("firewall", rid, "src_ip") == ("192.168.1.0/24",)
+ assert u.get("firewall", rid, "enabled") == "1"
+
+def test_edit_rule_to_notrack(u, mocker):
+ mocker.patch('builtins.open', mocker.mock_open(read_data=services_file))
+ mock_isfile = mocker.patch('os.path.isfile')
+ mock_isfile.return_value = True
+ rid = firewall.add_rule(u, 'rule_to_change', 'lan', [], 'wan', [], [], '', 'ACCEPT', "*", True, False, [], False)
+ assert u.get("firewall", rid, "target") == "ACCEPT"
+ firewall.edit_rule(u, rid, 'rule_to_change', 'lan', [], 'wan', [], [], '', 'NOTRACK', "*", True, False, [])
+ assert u.get("firewall", rid, "target") == "NOTRACK"
+
 def test_delete_rule(u):
 ids = firewall.list_rule_ids(u)
 id_to_delete = ids.pop()
diff --git a/tests/test_inventory.py b/tests/test_inventory.py
index f0ede5e1..009e3743 100644
--- a/tests/test_inventory.py
+++ b/tests/test_inventory.py
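Review bot: The two new tests pin only the happy path of the widened whitelist; nothing asserts that a target outside `TARGETS` is still rejected, so a later edit that loosens the check in validate_rule would pass this suite unnoticed. A negative case next to `test_add_rule_with_notrack` that calls `firewall.add_rule` with an unsupported target (a constructed value such as `'BOGUS'`) and expects the error validate_rule raises (its exception type is not visible in this diff) would close that gap. `test_edit_rule_to_notrack` also verifies only `target` after the edit; asserting that `src`, `dest` and `enabled` survive the ACCEPT-to-NOTRACK change would make the edit path symmetric with the add test. The `u` fixture appears to be shared across tests (inferred from `test_delete_rule` popping an id it did not create), so the two lan-to-wan rules created here persist for later tests — compare the forward-count bump in tests/test_inventory.py.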
@@ -951,7 +951,7 @@ def test_fact_firewall_stats(tmp_path):
 assert result['firewall']['nat']['accept'] == 2
 assert result['firewall']['netmap']['source'] == 3
 assert result['firewall']['netmap']['destination'] == 2
- assert result['firewall']['rules']['forward'] == 17
+ assert result['firewall']['rules']['forward'] == 19
 assert result['firewall']['rules']['input'] == 7
 assert result['firewall']['rules']['output'] == 2
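Review bot: The expected forward-rule count at `+ assert result['firewall']['rules']['forward'] == 19` moves from 17 to 19 with no change to inventory code in this diff, and the delta equals the two lan-to-wan rules created by the new tests in tests/test_firewall.py, which suggests this assertion counts rules left behind by another module's fixture rather than data this test sets up itself. If so, the number is coupled to test ordering and to every rule a future test_firewall.py case adds; the test should build its own firewall config under `tmp_path` or derive the expected count from the fixture it owns. Whether a NOTRACK rule should be reported under `rules.forward` at all is also worth deciding explicitly, since such a rule bypasses conntrack rather than filtering the flow; if the stats are meant to describe filter policy, the counting code (outside this diff) may need a note or a separate bucket.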