Enhancement #2774

Firewall: support objects on port forward and traffic shaping rules

Added by Giacomo Sanchietti over 5 years ago. Updated about 5 years ago.

Status:CLOSEDStart date:
Priority:NormalDue date:
Assignee:-% Done:

100%

Category:nethserver-firewall-base
Target version:v6.5
Resolution: NEEDINFO:No

Description

Actual implementation of firewall port forward and traffic shaping do not support firewall objects.

New implementation must:
  • allow use of firewall objects (see: #2716)
  • use name of properties with first letter uppercase
  • migrate old implementation to the new one

Related issues

Related to NethServer 6 - Enhancement #2762: Cannot create a port forward rule with a range of ports CLOSED
Related to NethServer 6 - Bug #2846: Firewall: add migration fragment for tc database CLOSED

Associated revisions

Revision 34e3ed10
Added by Giacomo Sanchietti over 5 years ago

Update rules, tcinterfaces, tcpri templates. Refs #2774

Use firewall objects on portforward and handle port ranges
Use firewall objects on traffic shaping
Use props with first letter capitalized

Revision a63d205e
Added by Giacomo Sanchietti over 5 years ago

Web UI: update interface for new behavior. Refs #2774

Revision b15367f8
Added by Giacomo Sanchietti over 5 years ago

Web UI: add external IP in port forward. Refs #2774"

Revision e3f89b0a
Added by Giacomo Sanchietti over 5 years ago

Policy template: skip aliases. Refs #2774

Revision 3ed06726
Added by Giacomo Sanchietti over 5 years ago

Web UI: removed 'Check firewall' button. Refs #2774

Revision 337609d0
Added by Giacomo Sanchietti over 5 years ago

System validator: add firewall-objects-exists validator. Refs #2774

Revision c4b31542
Added by Davide Principi over 5 years ago

Fixes Proto parameter renaming on commit:a63d205e. Refs #2774

Revision 4fff9662
Added by Davide Principi over 5 years ago

Pick object on PortForward and TrafficShaping modules. Refs #2774

Revision f2bd959f
Added by Davide Principi over 5 years ago

PortForward, TrafficShaping. Use firewall-object-exists platform validator. Refs #2774

Revision 882ae389
Added by Davide Principi over 5 years ago

PickObject: use search result localized title. Refs #2774

Revision 3988344b
Added by Davide Principi over 5 years ago

PickObject: restricted search results based on caller module. Refs #2774

Revision 6add8a1e
Added by Davide Principi over 5 years ago

Help {en,it}: fixed formatting, updated contents for PickObject fields. Refs #2774

Revision 8f017215
Added by Davide Principi over 5 years ago

PortForward: fix Destionation host visualization, on opening. Refs #2774

Revision a2d20aee
Added by Davide Principi about 5 years ago

PickObject: select host, remote, local record types in TrafficShaping and PortForward modules. Refs #2774

Revision c3032d03
Added by Davide Principi about 5 years ago

PickObject: translate fw objects titles. Refs #2774

Revision b45d6dfd
Added by Davide Principi about 5 years ago

FirewallRules, TrafficShaping, PortForward pages: use translate() to print firewall object titles. Refs #2774

Revision 4d1bd977
Added by Davide Principi about 5 years ago

PortForward, TrafficShaping UI modules: detached firewall-adjust task. Refs #2774

Revision d37ac429
Added by Davide Principi about 5 years ago

PortForward, TrafficShaping: removed unused fw objects types from PickObject. Refs #2774

Revision bfa5c347
Added by Davide Principi about 5 years ago

Release 2.0.0-2

Migration fragment 000_capitalize_props for portforward DB. Refs #2774

See commit:34e3ed10 "Use props with first letter capitalized"

History

#1 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from NEW to TRIAGED
  • Target version set to v6.5
  • % Done changed from 0 to 20

#2 Updated by Giacomo Sanchietti over 5 years ago

  • Subject changed from Firewall: support objects on on port foward and traffic shaping rules to Firewall: support objects on port foward and traffic shaping rules

#3 Updated by Giacomo Sanchietti over 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Giacomo Sanchietti
  • % Done changed from 20 to 30

#4 Updated by Giacomo Sanchietti over 5 years ago

  • Assignee deleted (Giacomo Sanchietti)
Modifications on branch b2774:
  • Port forwarding:
    • Support for empty destination port
    • Port range
    • Multiple protocol
    • Host object
    • Capitalized properties
    • Removed "Check firewall" action
  • Port forwarding:
    • Capitalized properties
    • Host object in rules based on source ip
    • Removed support for mac-based rules
What is missing:
  • integration of firewall objects picker into the web interface

#5 Updated by Giacomo Sanchietti over 5 years ago

  • Related to Enhancement #2762: Cannot create a port forward rule with a range of ports added

#6 Updated by Giacomo Sanchietti over 5 years ago

  • Subject changed from Firewall: support objects on port foward and traffic shaping rules to Firewall: support objects on port forward and traffic shaping rules

#7 Updated by Davide Principi over 5 years ago

  • Assignee set to Davide Principi

#8 Updated by Davide Principi over 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60
  • NEEDINFO changed from No to Yes

Added the firewall object select/create workflow to PortForward/Modify and TrafficShaping/Ip/Modify controllers.

Test case 1

When editing/creating a PortForward:
  • select existing firewall object as Destination host
  • check new firewall object creation wokflow

The form state must be consistent on any possible workflow path.

Test case 2

When creating a TrafficShaping rule:
  • select existing firewall object as Source host
  • check new firewall object creation wokflow

The form state must be consistent on any possible workflow path.

TODO

Limit selection to specific object types:
  • PortForward host
  • TrafficShaping zone host and host-group (?)

#9 Updated by Davide Principi over 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-firewall-base-1.1.0-75.0gitf2bd959f.ns6.noarch.rpm

#10 Updated by Davide Principi over 5 years ago

  • Status changed from ON_QA to TRIAGED
  • % Done changed from 70 to 20
  • NEEDINFO changed from Yes to No

#11 Updated by Davide Principi over 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#12 Updated by Davide Principi over 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

Test case 3

The selection of firewall objects must be limited, depending on the current page/field:
  • PortForward: host
  • TrafficShaping: zone host and host-group
  • Firewall Rules: anything but services, for Source and Destination, and service only for Service field.

#13 Updated by Davide Principi over 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-firewall-base-1.1.0-77.0git3988344b.ns6.noarch.rpm

#14 Updated by Davide Principi over 5 years ago

Rebuilt RPM with merge from branches b2774 and b2776.

In nethserver-testing:
nethserver-firewall-base-1.1.0-96.0git6f85adb5.ns6.noarch.rpm
nethserver-firewall-base-1.1.0-97.0git3def7d4e.ns6.noarch.rpm
nethserver-firewall-base-1.1.0-97.0git60f1df33.ns6.noarch.rpm
nethserver-firewall-base-1.1.0-100.0git8f017215.ns6.noarch.rpm

#15 Updated by Giacomo Sanchietti about 5 years ago

  • Assignee set to Giacomo Sanchietti

#16 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from ON_QA to TRIAGED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 20
The object picker must always show all hosts from:
  • firewall objects: db hosts record type @host
  • dhcp reservations: db hosts record type local
  • dns record: db hosts record type remote

All hosts should be preceded by a label or a icon indicating the host type.

The selection of firewall objects must be limited, depending on the current page/field:
  • PortForward: host
  • TrafficShaping: host
  • Firewall Rules: anything but services, for Source and Destination, and service only for Service field.

#17 Updated by Davide Principi about 5 years ago

  • Status changed from TRIAGED to ON_DEV
  • Assignee set to Davide Principi
  • % Done changed from 20 to 30

#18 Updated by Davide Principi about 5 years ago

  • Status changed from ON_DEV to MODIFIED
  • Assignee deleted (Davide Principi)
  • % Done changed from 30 to 60

#19 Updated by Davide Principi about 5 years ago

MODIFIED

PortForward and TrafficShaping modules now run firewall-adjust event as a detached task.

#20 Updated by Davide Principi about 5 years ago

  • Status changed from MODIFIED to ON_QA
  • % Done changed from 60 to 70

In nethserver-testing:
nethserver-firewall-base-1.1.0-108.0git4d1bd977.ns6.noarch.rpm
nethserver-firewall-base-1.1.0-110.0gitd37ac429.ns6.noarch.rpm
nethserver-httpd-admin-1.2.3-99.19gitd9c4f44.ns6.noarch.rpm

#21 Updated by Giacomo Sanchietti about 5 years ago

  • Assignee set to Giacomo Sanchietti

#22 Updated by Giacomo Sanchietti about 5 years ago

  • Status changed from ON_QA to VERIFIED
  • Assignee deleted (Giacomo Sanchietti)
  • % Done changed from 70 to 90

All tests passed.

#23 Updated by Davide Principi about 5 years ago

  • Status changed from VERIFIED to CLOSED
  • % Done changed from 90 to 100

In nethserver-updates:
nethserver-firewall-base-2.0.0-1.ns6.noarch.rpm
nethserver-firewall-base-2.0.0-2.ns6.noarch.rpm (added migration fragment 000_capitalize_props)

#24 Updated by Giacomo Sanchietti about 5 years ago

  • Related to Bug #2846: Firewall: add migration fragment for tc database added

Also available in: Atom PDF