fw: minor changes for better code reading

2025-03-04 08:34:40 +01:00 · 2023-01-30 13:43:44 +01:00 · 2023-01-30 13:43:44 +01:00 · b7c6c8b8db
commit b7c6c8b8db
parent e2dfb3a021
7 changed files with 43 additions and 28 deletions
--- a/daemon/firewall/common/common.go
+++ b/daemon/firewall/common/common.go
@ -7,6 +7,17 @@ import (
 	"github.com/evilsocket/opensnitch/daemon/log"
 )

+// default arguments for various functions
+var (
+	EnableRule     = true
+	DoLogErrors    = true
+	ForcedDelRules = true
+	ReloadRules    = true
+	RestoreChains  = true
+	BackupChains   = true
+	ReloadConf     = true
+)
+
 type (
 	callback     func()
 	callbackBool func() bool
--- a/daemon/firewall/iptables/iptables.go
+++ b/daemon/firewall/iptables/iptables.go
@ -106,12 +106,12 @@ func (ipt *Iptables) Init(qNum *int) {
 	// we need to load the fw configuration first to know what rules
 	// were configured.
 	ipt.NewSystemFwConfig(ipt.preloadConfCallback, ipt.reloadRulesCallback)
-	ipt.LoadDiskConfiguration(false)
+	ipt.LoadDiskConfiguration(!common.ReloadConf)

 	// start from a clean state
 	ipt.CleanRules(false)
 	ipt.EnableInterception()
-	ipt.AddSystemRules(false, true)
+	ipt.AddSystemRules(!common.ReloadRules, common.BackupChains)

 	ipt.Running = true
 }
@ -140,9 +140,9 @@ func IsAvailable() error {

 // EnableInterception adds fw rules to intercept connections.
 func (ipt *Iptables) EnableInterception() {
-	if err4, err6 := ipt.QueueConnections(true, true); err4 != nil || err6 != nil {
+	if err4, err6 := ipt.QueueConnections(common.EnableRule, true); err4 != nil || err6 != nil {
 		log.Fatal("Error while running conntrack firewall rule: %s %s", err4, err6)
-	} else if err4, err6 = ipt.QueueDNSResponses(true, true); err4 != nil || err6 != nil {
+	} else if err4, err6 = ipt.QueueDNSResponses(common.EnableRule, true); err4 != nil || err6 != nil {
 		log.Error("Error while running DNS firewall rule: %s %s", err4, err6)
 	}
 	// start monitoring firewall rules to intercept network traffic
@ -152,14 +152,14 @@ func (ipt *Iptables) EnableInterception() {
 // DisableInterception removes firewall rules to intercept outbound connections.
 func (ipt *Iptables) DisableInterception(logErrors bool) {
 	ipt.StopCheckingRules()
-	ipt.QueueDNSResponses(false, logErrors)
-	ipt.QueueConnections(false, logErrors)
+	ipt.QueueDNSResponses(!common.EnableRule, logErrors)
+	ipt.QueueConnections(!common.EnableRule, logErrors)
 }

 // CleanRules deletes the rules we added.
 func (ipt *Iptables) CleanRules(logErrors bool) {
 	ipt.DisableInterception(logErrors)
-	ipt.DeleteSystemRules(true, true, logErrors)
+	ipt.DeleteSystemRules(common.ForcedDelRules, common.BackupChains, logErrors)
 }

 // Serialize converts the configuration from json to protobuf
--- a/daemon/firewall/iptables/monitor.go
+++ b/daemon/firewall/iptables/monitor.go
@ -2,6 +2,7 @@ package iptables

 import (
 	"github.com/evilsocket/opensnitch/daemon/core"
+	"github.com/evilsocket/opensnitch/daemon/firewall/common"
 	"github.com/evilsocket/opensnitch/daemon/log"
 )

@ -57,12 +58,12 @@ func (ipt *Iptables) AreRulesLoaded() bool {
 func (ipt *Iptables) reloadRulesCallback() {
 	log.Important("firewall rules changed, reloading")
 	ipt.CleanRules(false)
-	ipt.AddSystemRules(true, true)
+	ipt.AddSystemRules(common.ReloadRules, common.BackupChains)
 	ipt.EnableInterception()
 }

 // preloadConfCallback gets called before the fw configuration is reloaded
 func (ipt *Iptables) preloadConfCallback() {
 	log.Info("iptables config changed, reloading")
-	ipt.DeleteSystemRules(true, true, log.GetLogLevel() == log.DEBUG)
+	ipt.DeleteSystemRules(common.ForcedDelRules, common.BackupChains, log.GetLogLevel() == log.DEBUG)
 }
--- a/daemon/firewall/iptables/system.go
+++ b/daemon/firewall/iptables/system.go
@ -3,6 +3,7 @@ package iptables
 import (
 	"strings"

+	"github.com/evilsocket/opensnitch/daemon/firewall/common"
 	"github.com/evilsocket/opensnitch/daemon/firewall/config"
 )

@ -24,10 +25,10 @@ func (ipt *Iptables) CreateSystemRule(rule *config.FwRule, table, chain, hook st
 	if _, ok := ipt.chains.Rules[table+"-"+chainName]; ok {
 		return false
 	}
-	ipt.RunRule(NEWCHAIN, true, logErrors, []string{chainName, "-t", table})
+	ipt.RunRule(NEWCHAIN, common.EnableRule, logErrors, []string{chainName, "-t", table})

 	// Insert the rule at the top of the chain
-	if err4, err6 := ipt.RunRule(INSERT, true, logErrors, []string{hook, "-t", table, "-j", chainName}); err4 == nil && err6 == nil {
+	if err4, err6 := ipt.RunRule(INSERT, common.EnableRule, logErrors, []string{hook, "-t", table, "-j", chainName}); err4 == nil && err6 == nil {
 		ipt.chains.Rules[table+"-"+chainName] = &SystemRule{
 			Table: table,
 			Chain: chain,
@ -47,8 +48,8 @@ func (ipt *Iptables) AddSystemRules(reload, backupExistingChains bool) {

 	for _, cfg := range ipt.SysConfig.SystemRules {
 		if cfg.Rule != nil {
-			ipt.CreateSystemRule(cfg.Rule, cfg.Rule.Table, cfg.Rule.Chain, cfg.Rule.Chain, true)
-			ipt.AddSystemRule(ADD, cfg.Rule, cfg.Rule.Table, cfg.Rule.Chain, true)
+			ipt.CreateSystemRule(cfg.Rule, cfg.Rule.Table, cfg.Rule.Chain, cfg.Rule.Chain, common.EnableRule)
+			ipt.AddSystemRule(ADD, cfg.Rule, cfg.Rule.Table, cfg.Rule.Chain, common.EnableRule)
 			continue
 		}

@ -77,9 +78,9 @@ func (ipt *Iptables) DeleteSystemRules(force, backupExistingChains, logErrors bo
 		if _, ok := ipt.chains.Rules[fwCfg.Rule.Table+"-"+chain]; !ok && !force {
 			continue
 		}
-		ipt.RunRule(FLUSH, true, false, []string{chain, "-t", fwCfg.Rule.Table})
-		ipt.RunRule(DELETE, false, logErrors, []string{fwCfg.Rule.Chain, "-t", fwCfg.Rule.Table, "-j", chain})
-		ipt.RunRule(DELCHAIN, true, false, []string{chain, "-t", fwCfg.Rule.Table})
+		ipt.RunRule(FLUSH, common.EnableRule, false, []string{chain, "-t", fwCfg.Rule.Table})
+		ipt.RunRule(DELETE, !common.EnableRule, logErrors, []string{fwCfg.Rule.Chain, "-t", fwCfg.Rule.Table, "-j", chain})
+		ipt.RunRule(DELCHAIN, common.EnableRule, false, []string{chain, "-t", fwCfg.Rule.Table})
 		delete(ipt.chains.Rules, fwCfg.Rule.Table+"-"+chain)

 		for _, chn := range fwCfg.Chains {
@ -91,9 +92,9 @@ func (ipt *Iptables) DeleteSystemRules(force, backupExistingChains, logErrors bo
 				continue
 			}

-			ipt.RunRule(FLUSH, true, logErrors, []string{chain, "-t", chn.Type})
-			ipt.RunRule(DELETE, false, logErrors, []string{chn.Hook, "-t", chn.Type, "-j", chain})
-			ipt.RunRule(DELCHAIN, true, logErrors, []string{chain, "-t", chn.Type})
+			ipt.RunRule(FLUSH, common.EnableRule, logErrors, []string{chain, "-t", chn.Type})
+			ipt.RunRule(DELETE, !common.EnableRule, logErrors, []string{chn.Hook, "-t", chn.Type, "-j", chain})
+			ipt.RunRule(DELCHAIN, common.EnableRule, logErrors, []string{chain, "-t", chn.Type})
 			delete(ipt.chains.Rules, chn.Type+"-"+chain)

 		}
--- a/daemon/firewall/nftables/monitor.go
+++ b/daemon/firewall/nftables/monitor.go
@ -3,6 +3,7 @@ package nftables
 import (
 	"time"

+	"github.com/evilsocket/opensnitch/daemon/firewall/common"
 	"github.com/evilsocket/opensnitch/daemon/firewall/nftables/exprs"
 	"github.com/evilsocket/opensnitch/daemon/log"
 )
@ -48,14 +49,14 @@ func (n *Nft) AreRulesLoaded() bool {
 // reloadConfCallback gets called after the configuration changes.
 func (n *Nft) reloadConfCallback() {
 	log.Important("reloadConfCallback changed, reloading")
-	n.DeleteSystemRules(false, false, log.GetLogLevel() == log.DEBUG)
-	n.AddSystemRules(true, false)
+	n.DeleteSystemRules(!common.ForcedDelRules, !common.RestoreChains, log.GetLogLevel() == log.DEBUG)
+	n.AddSystemRules(common.ReloadRules, !common.BackupChains)
 }

 // reloadRulesCallback gets called when the interception rules are not present.
 func (n *Nft) reloadRulesCallback() {
 	log.Important("nftables firewall rules changed, reloading")
-	n.DisableInterception(true)
+	n.DisableInterception(log.GetLogLevel() == log.DEBUG)
 	time.Sleep(time.Millisecond * 500)
 	n.EnableInterception()
 }
@ -63,5 +64,5 @@ func (n *Nft) reloadRulesCallback() {
 // preloadConfCallback gets called before the fw configuration is loaded
 func (n *Nft) preloadConfCallback() {
 	log.Info("nftables config changed, reloading")
-	n.DeleteSystemRules(false, true, log.GetLogLevel() == log.DEBUG)
+	n.DeleteSystemRules(!common.ForcedDelRules, common.RestoreChains, log.GetLogLevel() == log.DEBUG)
 }
--- a/daemon/firewall/nftables/nftables.go
+++ b/daemon/firewall/nftables/nftables.go
@ -83,13 +83,13 @@ func (n *Nft) Init(qNum *int) {
 	// we need to load the fw configuration first to know what rules
 	// were configured.
 	n.NewSystemFwConfig(n.preloadConfCallback, n.reloadConfCallback)
-	n.LoadDiskConfiguration(false)
+	n.LoadDiskConfiguration(!common.ReloadConf)

 	// start from a clean state
 	// The daemon may have exited unexpectedly, leaving residual fw rules, so we
 	// need to clean them up to avoid duplicated rules.
 	n.delInterceptionRules()
-	n.AddSystemRules(false, true)
+	n.AddSystemRules(!common.ReloadRules, common.BackupChains)
 	n.EnableInterception()

 	n.Running = true
@ -137,7 +137,7 @@ func (n *Nft) DisableInterception(logErrors bool) {
 // CleanRules deletes the rules we added.
 func (n *Nft) CleanRules(logErrors bool) {
 	n.DisableInterception(logErrors)
-	n.DeleteSystemRules(true, true, logErrors)
+	n.DeleteSystemRules(common.ForcedDelRules, common.RestoreChains, logErrors)
 }

 // Commit applies the queued changes, creating new objects (tables, chains, etc).
--- a/daemon/firewall/rules.go
+++ b/daemon/firewall/rules.go
@ -3,6 +3,7 @@ package firewall
 import (
 	"fmt"

+	"github.com/evilsocket/opensnitch/daemon/firewall/common"
 	"github.com/evilsocket/opensnitch/daemon/firewall/iptables"
 	"github.com/evilsocket/opensnitch/daemon/firewall/nftables"
 	"github.com/evilsocket/opensnitch/daemon/log"
@ -100,8 +101,8 @@ func Reload() {

 // ReloadSystemRules deletes existing rules, and add them again
 func ReloadSystemRules() {
-	fw.DeleteSystemRules(false, true, true)
-	fw.AddSystemRules(true, true)
+	fw.DeleteSystemRules(!common.ForcedDelRules, common.RestoreChains, true)
+	fw.AddSystemRules(common.ReloadRules, common.BackupChains)
 }

 // EnableInterception removes the rules to intercept outbound connections.