Implement update firewall function

- cleanup firewall.php - add function updateFirewall - add standalone script update_firewall.sh to update the firewall rules
2025-03-01 10:31:47 +00:00 · 2021-09-08 10:59:58 +02:00
parent 6be1ad1612
commit d07fd0a327
3 changed files with 86 additions and 27 deletions
--- a/includes/firewall.php
+++ b/includes/firewall.php
@@ -8,9 +8,9 @@ define('RASPAP_IP6TABLES_SCRIPT', "/tmp/ip6tables_raspap.sh");

 /**
 *
- * @param  string $rule
- * @param  string $conf
- * @return string $don
+ * @param  array $rule
+ * @param  array $conf
+ * @return array $don
 */
 function getDependson(&$rule, &$conf)
 {
@@ -27,9 +27,9 @@ function getDependson(&$rule, &$conf)

 /**
 *
- * @param  string $sect
- * @param  string $conf
- * @return string $active
+ * @param  array $sect
+ * @param  array $conf
+ * @return boolean $active
 */
 function isRuleEnabled(&$sect, &$conf)
 {
@@ -46,8 +46,8 @@ function isRuleEnabled(&$sect, &$conf)

 /**
 *
- * @param  string $sect
- * @param  string $conf
+ * @param  array $sect
+ * @param  array $conf
 * @return string $str
 */
 function createRuleStr(&$sect, &$conf)
@@ -105,8 +105,8 @@ function createRuleStr(&$sect, &$conf)

 /**
 *
- * @param  string $rule
- * @return string boolean
+ * @param  array $rule
+ * @return boolean
 */
 function isIPv4(&$rule)
 {
@@ -115,7 +115,7 @@ function isIPv4(&$rule)

 /**
 *
- * @param  string $rule
+ * @param  array $rule
 * @return boolean
 */
 function isIPv6(&$rule)
@@ -125,7 +125,7 @@ function isIPv6(&$rule)

 /**
 *
- * @return string $count
+ * @return boolean 
 */
 function configureFirewall()
 {
@@ -164,19 +164,19 @@ function configureFirewall()
    if ($count > 0 ) {
        exec("chmod +x ".RASPAP_IPTABLES_SCRIPT);
        exec("sudo ".RASPAP_IPTABLES_SCRIPT);
-        //       exec("sudo iptables-save > /etc/iptables/rules.v4");
-        //       unlink(RASPAP_IPTABLES_SCRIPT);
+        exec("sudo iptables-save | sudo tee /etc/iptables/rules.v4");
+        unlink(RASPAP_IPTABLES_SCRIPT);
        exec("chmod +x ".RASPAP_IP6TABLES_SCRIPT);
        exec("sudo ".RASPAP_IP6TABLES_SCRIPT);
-        //       exec("sudo iptables-save > /etc/iptables/rules.v6");
-        //       unlink(RASPAP_IP6TABLES_SCRIPT);
+        exec("sudo ip6tables-save | sudo tee /etc/iptables/rules.v6");
+        unlink(RASPAP_IP6TABLES_SCRIPT);
    }
    return ($count > 0);
 }

 /**
 *
- * @param string $conf
+ * @param array $conf
 * @return string $ret
 */
 function WriteFirewallConf($conf)
@@ -189,14 +189,15 @@ function WriteFirewallConf($conf)

 /**
 *
- * @return string $conf
+ * @return array $conf
 */
 function ReadFirewallConf()
 {
+    $conf = array();
    if (file_exists(RASPI_FIREWALL_CONF) ) {
        $conf = parse_ini_file(RASPI_FIREWALL_CONF);
-    } else {
-        $conf = array();
+    }
+    if ( !isset($conf["firewall-enable"]) ) {
        $conf["firewall-enable"] = false;
        $conf["ssh-enable"] = false;
        $conf["http-enable"] = false;
@@ -260,14 +261,13 @@ function getVPN_IPs()

 /**
 *
+ * @return array $fw_conf
 */
-function DisplayFirewallConfig()
+function getFirewallConfiguration() 
 {
-
-    $status = new StatusMessages();
-
+    $fw_conf = ReadFirewallConf();
+    
    $json = file_get_contents(RASPI_IPTABLES_CONF);
-    $ipt_rules = json_decode($json, true);
    getWifiInterface();
    $ap_device = $_SESSION['ap_interface'];
    $clients = getClients();
@@ -279,11 +279,38 @@ function DisplayFirewallConfig()
            $str_clients .= $dev["name"];
        }
    }
-    $fw_conf = ReadFirewallConf();
    $fw_conf["ap-device"] = $ap_device;
+    $fw_conf["client-list"] = $str_clients;
    $id=findCurrentClientIndex($clients);
    if ($id >= 0 ) { $fw_conf["client-device"] = $clients["device"][$id]["name"];
    }
+    return $fw_conf;
+}
+
+/**
+ *
+ */
+function updateFirewall() 
+{
+    $fw_conf = getFirewallConfiguration();
+    if ( isset($fw_conf["firewall-enable"]) ) {
+        WriteFirewallConf($fw_conf);
+        configureFirewall();
+    }
+    return;
+}
+
+/**
+ *
+ */
+function DisplayFirewallConfig()
+{
+    $status = new StatusMessages();
+
+    $fw_conf = getFirewallConfiguration();
+    $ap_device = $fw_conf["ap-device"];
+    $str_clients = $fw_conf["client-list"];
+
    if (!empty($_POST)) {
        $fw_conf["ssh-enable"] = isset($_POST['ssh-enable']);
        $fw_conf["http-enable"] = isset($_POST['http-enable']);
@@ -334,7 +361,6 @@ function DisplayFirewallConfig()
            "ap_device",
            "str_clients",
            "fw_conf",
-            "ipt_rules",
            "vpn_ips"
        )
    );
--- a/installers/raspap.sudoers
+++ b/installers/raspap.sudoers
@@ -64,3 +64,7 @@ www-data ALL=(ALL) NOPASSWD:/bin/rm /etc/wireguard/*.conf
 www-data ALL=(ALL) NOPASSWD:/bin/rm /etc/wireguard/wg-*.key
 www-data ALL=(ALL) NOPASSWD:/tmp/iptables_raspap.sh
 www-data ALL=(ALL) NOPASSWD:/tmp/ip6tables_raspap.sh
+www-data ALL=(ALL) NOPASSWD:/usr/sbin/iptables-save
+www-data ALL=(ALL) NOPASSWD:/usr/sbin/ip6tables-save
+www-data ALL=(ALL) NOPASSWD:/usr/bin/tee /etc/iptables/rules.v4
+www-data ALL=(ALL) NOPASSWD:/usr/bin/tee /etc/iptables/rules.v6
--- a/installers/update_firewall.sh
+++ b/installers/update_firewall.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+# include the raspap helper functions
+source /usr/local/sbin/raspap_helpers.sh
+
+_getWebRoot
+
+echo -n "Update firewall ... "
+
+cat << EOF > /tmp/updateFirewall.php
+<?php
+//set_include_path('/var/www/html/');
+\$_SESSION['locale']="en_GB.UTF-8";
+
+require_once 'includes/config.php';
+require_once 'includes/defaults.php';
+require_once RASPI_CONFIG.'/raspap.php';
+require_once 'includes/locale.php';
+require_once 'includes/wifi_functions.php';
+require_once 'includes/get_clients.php';
+require_once 'includes/firewall.php';
+
+updateFirewall();
+
+?>
+EOF
+
+sudo php -d include_path=$raspap_webroot /tmp/updateFirewall.php
+rm /tmp/updateFirewall.php
+echo "done."