NethServer::Firewall
NAME
NethServer::Firewall -- extensible module for firewall rules generation
DESCRIPTION
This module implements many utilities and can determine the zone of a given IP address using the getZone function.
The module also defines an API to extend the behavior of getZone. For example, VPNs bring new zones: each VPN package, using this API, can tell whether a given address belongs to one of its own zones.
Each package will be a "provider", implementing a special callback function.
To define a provider function, add a Perl module under the Firewall/ directory, in the NethServer::Firewall namespace.
The callback function must:
- return the name of the zone if the ip address belongs to a zone defined by the package
- otherwise, an empty string
USAGE
This is an example provider "Provider1" definition.

    package NethServer::Firewall::Provider1;
    use NethServer::Firewall qw(register_callback);

    # Pass a reference to the callback (\&provider1): a bare &provider1
    # would call the sub immediately instead of registering it.
    register_callback(\&provider1);

    sub provider1 {
        my $value = shift;
        # return the name of the zone if $value is in my zone
        # return '' otherwise
        return '';
    }

    1;
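The following is an added example, not NethServer's own code: a complete provider module for a hypothetical VPN package, written against the callback contract described above (zone name if the value belongs to the package's zone, empty string otherwise). The module name NethServer::Firewall::ExampleVpn, the zone name "vpn" and its subnets are assumptions for the illustration; a real package would read its subnets from its own configuration database. The CIDR check uses only the core Socket module, so the file also runs stand-alone on a machine without NethServer installed.

```perl
package NethServer::Firewall::ExampleVpn;

use strict;
use warnings;
use Socket qw(inet_aton);

# Assumed zone -> subnets mapping (constructed sample data). A real provider
# would read these from its own configuration database instead.
my %ZONE_NETS = (
    vpn => ['10.8.0.0/24', '10.9.0.0/24'],
);

# Return 1 if dotted-quad $ip falls inside $cidr ("a.b.c.d/n"), 0 otherwise.
# Only literal IPv4 addresses are accepted: hostnames and malformed input
# never match, so a bad value fails closed instead of being resolved via DNS.
sub in_cidr {
    my ($ip, $cidr) = @_;
    my ($net, $bits) = split m{/}, $cidr, 2;
    $bits = 32 unless defined $bits;
    return 0 unless $bits =~ /^\d+$/ && $bits <= 32;
    return 0 unless $ip =~ /^\d{1,3}(?:\.\d{1,3}){3}$/;
    my $ip_n  = inet_aton($ip)  or return 0;
    my $net_n = inet_aton($net) or return 0;
    my $mask  = $bits == 0 ? 0 : (0xFFFFFFFF << (32 - $bits)) & 0xFFFFFFFF;
    return ((unpack('N', $ip_n) & $mask) == (unpack('N', $net_n) & $mask)) ? 1 : 0;
}

# Provider callback, following the getZone contract: the zone name if $value
# (an address or a CIDR subnet) belongs to one of our subnets, '' otherwise.
sub example_vpn_zone {
    my $value = shift;
    return '' unless defined $value;
    my ($addr, $len) = split m{/}, $value, 2;
    $len = 32 unless defined $len;
    return '' unless $len =~ /^\d+$/ && $len <= 32;
    for my $zone (sort keys %ZONE_NETS) {
        for my $net (@{ $ZONE_NETS{$zone} }) {
            my (undef, $net_len) = split m{/}, $net, 2;
            $net_len = 32 unless defined $net_len;
            # A subnet belongs to the zone only if it is no wider than the
            # zone's own subnet and its network address lies inside it.
            next if $len < $net_len;
            return $zone if in_cidr($addr, $net);
        }
    }
    return '';
}

# Register with NethServer::Firewall when it is installed; the guard lets the
# file also run stand-alone (perl ExampleVpn.pm) where the module is absent.
if (eval { require NethServer::Firewall; 1 }) {
    NethServer::Firewall::register_callback(\&example_vpn_zone);
}

# Stand-alone demonstration: when run as a script, show what getZone would get
# back for a few constructed values (an address, a subnet inside the zone, a
# subnet wider than the zone, an address in another zone, garbage).
unless (caller) {
    for my $v ('10.8.0.42', '10.8.0.0/24', '10.8.0.0/16', '192.168.1.2', 'bad') {
        printf "%-14s -> '%s'\n", $v, example_vpn_zone($v);
    }
}

1;
```

Note the two deliberate refusals: a subnet wider than the zone's own subnet (10.8.0.0/16 against a 10.8.0.0/24 zone) is not claimed, since that would let a broad source match a narrow zone's rules, and anything that is not a literal IPv4 address or CIDR returns '' rather than being passed to a resolver.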
FUNCTIONS
new Create a NethServer::Firewall instance.
getAddress(id, expand_zone = 0) Return the address value corresponding to the given id. If id matches a valid IP or CIDR syntax, simply return it. Otherwise look up the id in the other databases and return the value of the key.
If the expand_zone flag is set to 1, a zone name is replaced with its CIDR notation or interface name.
getZoneInterface($zone) Return a list of the interfaces associated with the given zone.
getZoneCIDR($zone) Return the CIDR representation of the given zone.
isValidNdpiProtocol(protocol) Return 1 if the given protocol is listed by the xt_ndpi kernel module, 0 otherwise.
getNdpiProtocol(id) Return the nDPI protocol for the given service id, only if the protocol is listed in /proc/net/xt_ndpi/proto. Otherwise return undef.
getTimel(id) Return the time string in UTC. Return '-' if the key doesn't exist.
getPorts(id) Return the port value corresponding to the given service id. If id matches a valid port or port list syntax, simply return it. Otherwise look up the id in the other databases and return a hash containing the ports grouped by protocol.
Example:

    {
        tcp => '1234',
        udp => '1234,456:500',
    }
getZone(value) Return the given value prefixed with its own zone. Value can be an IP address, a host group or a CIDR subnet. This function is used to create the Shorewall rules file.
Example:

    $v = $fw->getZone('192.168.1.2');   # $v will be "loc:192.168.1.2"
outMangleRule Return the mangle rule(s) in Shorewall format.
outRule Return the rule(s) in Shorewall format.
Fields:
1. ACTION
2. SOURCE
3. DEST
4. PROTO
5. DPORT
6. SPORT (unused)
7. ORIGDEST (unused)
8. RATE (unused)
9. USER (unused)
10. MARK (unused)
11. CONNLIMIT (unused)
12. TIME
listZones Return a hash of zones with the following format: zone_name => shorewall_name
isNdpiEnabled Return 1 if the xt_ndpi kernel module is currently loaded, 0 otherwise
isNdpiService Return 1 if the current service is an nDPI target, 0 otherwise
getNdpiMark Return the nDPI mark shifted by 8
isZone Return 1 if the given key is a zone, 0 otherwise
getProviders Return the provider list ordered by weight (descending order). Each record has all database properties plus the mask, number and name fields. The mask field is ready to be used inside the Shorewall configuration.
Each entry is a reference to a hash of properties.
getRules Return the rule list ordered by the Position property (ascending order). Each record has all database properties.
getTcRules Return the tc rule list ordered by the Position property (ascending order). Each record has all database properties.
getBypassRules Return the list of proxy bypasses by source or destination. Each record has all database properties.
getPortForwards Return the list of port forwards. Each record has all database properties.
getInterfaceFromIP Return the name of the interface connected to the given IP, or undef if no interface can be found.
countReferences(db, key) Return the number of references to the given <DB, key>. The object is searched inside the following lists:
* firewall rules
* proxy bypasses
* traffic shaping rules
* port forwards
The latest documentation is available with:
perldoc NethServer::Firewall