feat: Firewall ipv6 implementation #4802
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
To test the IPv6 firewall implementation, try to apply a snapshot containing the configuration. The code below is an example (the syntax for the rules are the same than the IPv4 firewall): <esf:configuration pid="org.eclipse.kura.net.admin.ipv6.FirewallConfigurationServiceIPv6">
<esf:properties>
<esf:property array="false" encrypted="false" name="firewall.ipv6.open.ports" type="String">
<esf:value>8001,tcp,::0/0,wlan0,,,,#</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="firewall.ipv6.nat" type="String">
<esf:value>eth0,wlan0,tcp,::/0,::/0,true,#;</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="firewall.ipv6.port.forwarding" type="String">
<esf:value>eth0,wlan0,2a00:1450:400c:c01::71,tcp,2020,1010,true,2001:db8::/64,aa:bb:cc:dd:ee:ff,10100:10200,#</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="kura.service.pid" type="String">
<esf:value>org.eclipse.kura.net.admin.ipv6.FirewallConfigurationServiceIPv6</esf:value>
</esf:property>
<esf:property array="false" encrypted="false" name="service.pid" type="String">
<esf:value>org.eclipse.kura.net.admin.ipv6.FirewallConfigurationServiceIPv6</esf:value>
</esf:property>
</esf:properties>
</esf:configuration> |
| @@ -172,10 +244,70 @@ public String getSourcePortRange() { | |||
| return this.sourcePortRange; | |||
| } | |||
|
|
|||
| /** | |||
| * @deprecated since 2.6. se the FirewallOpenPortConfigIP builder | |||
There was a problem hiding this comment.
MIspelling on the comment, se -> see. Same applies for setPermittedMac, setUnpermittedInterfaceName, setUnpermittedInterfaceName, setPermittedInterfaceName, setPermittedNetwork, setProtocol, and setPortRange.
|
|
||
| public synchronized void updated(Map<String, Object> properties) { | ||
| logger.debug("updated()"); | ||
| for (Entry<String, Object> entry : properties.entrySet()) { |
There was a problem hiding this comment.
We should check the log level before entering this for loop. Something like:
if (logger.getLogLevel() == LogLevel.DEBUG) {
for (Entry ...
}| <provide interface="org.eclipse.kura.net.admin.ipv6.FirewallConfigurationServiceIPv6"/> | ||
| <provide interface="org.eclipse.kura.configuration.SelfConfiguringComponent"/> | ||
| </service> | ||
| <reference bind="setEventAdmin" cardinality="1..1" interface="org.osgi.service.event.EventAdmin" name="EventAdmin" policy="static" unbind="unsetEventAdmin"/> |
There was a problem hiding this comment.
Unbind methods are not necessary for static service references
| String unpermittedInterfaceName, String permittedMAC, String sourcePortRange) { | ||
| public LocalRule(int port, String protocol, NetworkPair<? extends IPAddress> permittedNetwork, | ||
| String permittedInterfaceName, String unpermittedInterfaceName, String permittedMAC, | ||
| String sourcePortRange) { | ||
| this.port = port; | ||
| this.portRange = null; |
There was a problem hiding this comment.
Can we use an optional here? Or does it affect old implementations?
| @@ -68,8 +68,8 @@ public FirewallConfiguration(Map<String, Object> properties) { | |||
| private void parseNatRules(Map<String, Object> properties) { | |||
| String str; | |||
| String[] astr; | |||
There was a problem hiding this comment.
I would suggest to use more meaningful names for some variables.
str -> openPorts
astr -> rules
private void parseOpenPortRule(String sop) -> private void parseOpenPortRule(String **rule**)
|
|
||
| public FirewallConfiguration() { |
There was a problem hiding this comment.
This is a breaking change in terms of API
There was a problem hiding this comment.
Should we rename this to AbstractFirewallConfigration and rename FirewallConfigurationIPv4 to FirewallConfiguration and keep the same public interface of this class? otherwise we have to bump the exported version of the org.eclipse.kura.core.net package to 2.0.0
| @@ -55,7 +55,7 @@ Export-Package: org.eclipse.kura.internal.board;version="1.0.0";x-internal:=true | |||
| org.eclipse.kura.usb", | |||
| org.eclipse.kura.linux.net.dhcp;version="2.1.0";uses:="org.eclipse.kura.net.dhcp", | |||
| org.eclipse.kura.linux.net.dns;version="1.1.0";uses:="org.eclipse.kura.net,org.eclipse.kura.net.dns", | |||
| org.eclipse.kura.linux.net.iptables;version="1.1.0";uses:="org.eclipse.kura.net", | |||
There was a problem hiding this comment.
This PR adds breaking changes in this package.
pierantoniomerlino
force-pushed
the
firewall_ipv6_implementation
branch
from
2fffe0a to
4cb0b89
Compare
nicolatimeus
approved these changes
Aug 24, 2023
marcellorinaldo
approved these changes
Aug 24, 2023
pierantoniomerlino
force-pushed
the
firewall_ipv6_implementation
branch
from
4cb0b89 to
1996e95
Compare
Signed-off-by: pierantoniomerlino <[email protected]> Updated firewall implementation classes Signed-off-by: pierantoniomerlino <[email protected]> Added static methods to IPXaddress classes; aligned default values to old behavior for rules builder Signed-off-by: pierantoniomerlino <[email protected]> Fixed imports versions Signed-off-by: pierantoniomerlino <[email protected]> Fixed tests Signed-off-by: pierantoniomerlino <[email protected]> Improved builders for firewall classes Signed-off-by: pierantoniomerlino <[email protected]> Updated FirewallConfigurationServiceImpl with the new APIs Signed-off-by: pierantoniomerlino <[email protected]> Fixed tests Signed-off-by: pierantoniomerlino <[email protected]> Fixed tests Signed-off-by: pierantoniomerlino <[email protected]> Fixed tests again Signed-off-by: pierantoniomerlino <[email protected]> Updated copyright headers Signed-off-by: pierantoniomerlino <[email protected]> Updated copyright headers again Signed-off-by: pierantoniomerlino <[email protected]> Added since annotations Signed-off-by: pierantoniomerlino <[email protected]> Added APIs for firewall ipv6; refactored APIs for firewall ipv4 Signed-off-by: pierantoniomerlino <[email protected]> Updated firewall implementation classes Signed-off-by: pierantoniomerlino <[email protected]> Added static methods to IPXaddress classes; aligned default values to old behavior for rules builder Signed-off-by: pierantoniomerlino <[email protected]> Fixed imports versions Signed-off-by: pierantoniomerlino <[email protected]> Fixed tests Signed-off-by: pierantoniomerlino <[email protected]> First attempto to implement firewall ipv6 Signed-off-by: pierantoniomerlino <[email protected]> Updated net.admin.firewall classes for ipv6 support Signed-off-by: pierantoniomerlino <[email protected]> Updated core.net and linux.net for ipv6 firewall support Signed-off-by: pierantoniomerlino <[email protected]> Moved firewall ipv6 in net.admin.firewall bundle Signed-off-by: pierantoniomerlino <[email protected]> Added abstract class for FirewallConfigurationServices Signed-off-by: pierantoniomerlino <[email protected]> Added missing rules for creating mangle chains Signed-off-by: pierantoniomerlino <[email protected]> Fixed ipv6 properties and forwarding file Signed-off-by: pierantoniomerlino <[email protected]> Fixed icmp rules for ipv6 Signed-off-by: pierantoniomerlino <[email protected]> Updated rules classes Signed-off-by: pierantoniomerlino <[email protected]> Fixed typo Signed-off-by: pierantoniomerlino <[email protected]> Fixed warnings on generics; updated tests Signed-off-by: pierantoniomerlino <[email protected]> Added checkstyle suppression; fixed old net.admin firewall classes Signed-off-by: pierantoniomerlino <[email protected]> Fixed Sonar complains Signed-off-by: pierantoniomerlino <[email protected]> Small refactors Signed-off-by: pierantoniomerlino <[email protected]> Recovered FirewallConfiguration file Signed-off-by: pierantoniomerlino <[email protected]> Recovered IptablesConfigConstants file Signed-off-by: pierantoniomerlino <[email protected]> Updated missing file Signed-off-by: pierantoniomerlino <[email protected]> Hide firewall config in web ui Signed-off-by: pierantoniomerlino <[email protected]> Updated icmpv6 default rules Signed-off-by: pierantoniomerlino <[email protected]> Updated javadoc for Sonar complains Signed-off-by: pierantoniomerlino <[email protected]>
Signed-off-by: pierantoniomerlino <[email protected]>
pierantoniomerlino
force-pushed
the
firewall_ipv6_implementation
branch
from
2d45754 to
ecfba36
Compare
|
The build fails due to code duplication. This is accepted by the team: the IPv4 code has been duplicated and adapted to support IPv6. The duplication is accepted for now as we are planning to rework this in a more organic way in a later release. |
pierantoniomerlino
added a commit
that referenced
this pull request
Sep 26, 2023
* Added APIs for firewall ipv6; refactored APIs for firewall ipv4 Signed-off-by: pierantoniomerlino <[email protected]> Updated firewall implementation classes Signed-off-by: pierantoniomerlino <[email protected]> Added static methods to IPXaddress classes; aligned default values to old behavior for rules builder Signed-off-by: pierantoniomerlino <[email protected]> Fixed imports versions Signed-off-by: pierantoniomerlino <[email protected]> Fixed tests Signed-off-by: pierantoniomerlino <[email protected]> Improved builders for firewall classes Signed-off-by: pierantoniomerlino <[email protected]> Updated FirewallConfigurationServiceImpl with the new APIs Signed-off-by: pierantoniomerlino <[email protected]> Fixed tests Signed-off-by: pierantoniomerlino <[email protected]> Fixed tests Signed-off-by: pierantoniomerlino <[email protected]> Fixed tests again Signed-off-by: pierantoniomerlino <[email protected]> Updated copyright headers Signed-off-by: pierantoniomerlino <[email protected]> Updated copyright headers again Signed-off-by: pierantoniomerlino <[email protected]> Added since annotations Signed-off-by: pierantoniomerlino <[email protected]> Added APIs for firewall ipv6; refactored APIs for firewall ipv4 Signed-off-by: pierantoniomerlino <[email protected]> Updated firewall implementation classes Signed-off-by: pierantoniomerlino <[email protected]> Added static methods to IPXaddress classes; aligned default values to old behavior for rules builder Signed-off-by: pierantoniomerlino <[email protected]> Fixed imports versions Signed-off-by: pierantoniomerlino <[email protected]> Fixed tests Signed-off-by: pierantoniomerlino <[email protected]> First attempto to implement firewall ipv6 Signed-off-by: pierantoniomerlino <[email protected]> Updated net.admin.firewall classes for ipv6 support Signed-off-by: pierantoniomerlino <[email protected]> Updated core.net and linux.net for ipv6 firewall support Signed-off-by: pierantoniomerlino <[email protected]> Moved firewall ipv6 in net.admin.firewall bundle Signed-off-by: pierantoniomerlino <[email protected]> Added abstract class for FirewallConfigurationServices Signed-off-by: pierantoniomerlino <[email protected]> Added missing rules for creating mangle chains Signed-off-by: pierantoniomerlino <[email protected]> Fixed ipv6 properties and forwarding file Signed-off-by: pierantoniomerlino <[email protected]> Fixed icmp rules for ipv6 Signed-off-by: pierantoniomerlino <[email protected]> Updated rules classes Signed-off-by: pierantoniomerlino <[email protected]> Fixed typo Signed-off-by: pierantoniomerlino <[email protected]> Fixed warnings on generics; updated tests Signed-off-by: pierantoniomerlino <[email protected]> Added checkstyle suppression; fixed old net.admin firewall classes Signed-off-by: pierantoniomerlino <[email protected]> Fixed Sonar complains Signed-off-by: pierantoniomerlino <[email protected]> Small refactors Signed-off-by: pierantoniomerlino <[email protected]> Recovered FirewallConfiguration file Signed-off-by: pierantoniomerlino <[email protected]> Recovered IptablesConfigConstants file Signed-off-by: pierantoniomerlino <[email protected]> Updated missing file Signed-off-by: pierantoniomerlino <[email protected]> Hide firewall config in web ui Signed-off-by: pierantoniomerlino <[email protected]> Updated icmpv6 default rules Signed-off-by: pierantoniomerlino <[email protected]> Updated javadoc for Sonar complains Signed-off-by: pierantoniomerlino <[email protected]> * Fixed checkstyle issues Signed-off-by: pierantoniomerlino <[email protected]> --------- Signed-off-by: pierantoniomerlino <[email protected]>
This was referenced Nov 23, 2023
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
After the merge of #4793, this PR adds the support for the IPv6 firewall. The implementation was done tring to re-use as much code as possible, creating abstract classes to share common methods. The new feature is added to the
org.eclipse.kura.net.admin.firewallpackage used only in generics profiles.Standard profiles will not support the IPv6 firewall.
Since we decided to keep the old firewall implementation in the
org.eclipse.kura.net.adminbundle, some degree of code duplication should be tolerated.