Implement update firewall function

- cleanup firewall.php - add function updateFirewall - add standalone script update_firewall.sh to update the firewall rules
2023-10-10 13:37:24 +02:00 · 2021-09-08 10:59:58 +02:00 · 2021-09-08 10:59:58 +02:00 · d07fd0a327
commit d07fd0a327
parent 6be1ad1612
3 changed files with 86 additions and 27 deletions
--- a/includes/firewall.php
+++ b/includes/firewall.php
@ -8,9 +8,9 @@ define('RASPAP_IP6TABLES_SCRIPT', "/tmp/ip6tables_raspap.sh");
 /**
 *
- * @param  string $rule
+ * @param  array $rule
- * @param  string $conf
+ * @param  array $conf
- * @return string $don
+ * @return array $don
 */
 function getDependson(&$rule, &$conf)
 {
@ -27,9 +27,9 @@ function getDependson(&$rule, &$conf)
 /**
 *
- * @param  string $sect
+ * @param  array $sect
- * @param  string $conf
+ * @param  array $conf
- * @return string $active
+ * @return boolean $active
 */
 function isRuleEnabled(&$sect, &$conf)
 {
@ -46,8 +46,8 @@ function isRuleEnabled(&$sect, &$conf)
 /**
 *
- * @param  string $sect
+ * @param  array $sect
- * @param  string $conf
+ * @param  array $conf
 * @return string $str
 */
 function createRuleStr(&$sect, &$conf)
@ -105,8 +105,8 @@ function createRuleStr(&$sect, &$conf)
 /**
 *
- * @param  string $rule
+ * @param  array $rule
- * @return string boolean
+ * @return boolean
 */
 function isIPv4(&$rule)
 {
@ -115,7 +115,7 @@ function isIPv4(&$rule)
 /**
 *
- * @param  string $rule
+ * @param  array $rule
 * @return boolean
 */
 function isIPv6(&$rule)
@ -125,7 +125,7 @@ function isIPv6(&$rule)
 /**
 *
- * @return string $count
+ * @return boolean 
 */
 function configureFirewall()
 {
@ -164,19 +164,19 @@ function configureFirewall()
    if ($count > 0 ) {
        exec("chmod +x ".RASPAP_IPTABLES_SCRIPT);
        exec("sudo ".RASPAP_IPTABLES_SCRIPT);
-        //       exec("sudo iptables-save > /etc/iptables/rules.v4");
+        exec("sudo iptables-save | sudo tee /etc/iptables/rules.v4");
-        //       unlink(RASPAP_IPTABLES_SCRIPT);
+        unlink(RASPAP_IPTABLES_SCRIPT);
        exec("chmod +x ".RASPAP_IP6TABLES_SCRIPT);
        exec("sudo ".RASPAP_IP6TABLES_SCRIPT);
-        //       exec("sudo iptables-save > /etc/iptables/rules.v6");
+        exec("sudo ip6tables-save | sudo tee /etc/iptables/rules.v6");
-        //       unlink(RASPAP_IP6TABLES_SCRIPT);
+        unlink(RASPAP_IP6TABLES_SCRIPT);
    }
    return ($count > 0);
 }
 /**
 *
- * @param string $conf
+ * @param array $conf
 * @return string $ret
 */
 function WriteFirewallConf($conf)
@ -189,14 +189,15 @@ function WriteFirewallConf($conf)
 /**
 *
- * @return string $conf
+ * @return array $conf
 */
 function ReadFirewallConf()
 {
    $conf = array();
    if (file_exists(RASPI_FIREWALL_CONF) ) {
        $conf = parse_ini_file(RASPI_FIREWALL_CONF);
-    } else {
+    }
-        $conf = array();
+    if ( !isset($conf["firewall-enable"]) ) {
        $conf["firewall-enable"] = false;
        $conf["ssh-enable"] = false;
        $conf["http-enable"] = false;
@ -260,14 +261,13 @@ function getVPN_IPs()
 /**
 *
 * @return array $fw_conf
 */
-function DisplayFirewallConfig()
+function getFirewallConfiguration() 
 {
-
+    $fw_conf = ReadFirewallConf();
    $status = new StatusMessages();
    $json = file_get_contents(RASPI_IPTABLES_CONF);
    $ipt_rules = json_decode($json, true);
    getWifiInterface();
    $ap_device = $_SESSION['ap_interface'];
    $clients = getClients();
@ -279,11 +279,38 @@ function DisplayFirewallConfig()
            $str_clients .= $dev["name"];
        }
    }
    $fw_conf = ReadFirewallConf();
    $fw_conf["ap-device"] = $ap_device;
    $fw_conf["client-list"] = $str_clients;
    $id=findCurrentClientIndex($clients);
    if ($id >= 0 ) { $fw_conf["client-device"] = $clients["device"][$id]["name"];
    }
    return $fw_conf;
 }
 /**
 *
 */
 function updateFirewall() 
 {
    $fw_conf = getFirewallConfiguration();
    if ( isset($fw_conf["firewall-enable"]) ) {
        WriteFirewallConf($fw_conf);
        configureFirewall();
    }
    return;
 }
 /**
 *
 */
 function DisplayFirewallConfig()
 {
    $status = new StatusMessages();
    $fw_conf = getFirewallConfiguration();
    $ap_device = $fw_conf["ap-device"];
    $str_clients = $fw_conf["client-list"];
    if (!empty($_POST)) {
        $fw_conf["ssh-enable"] = isset($_POST['ssh-enable']);
        $fw_conf["http-enable"] = isset($_POST['http-enable']);
@ -334,7 +361,6 @@ function DisplayFirewallConfig()
            "ap_device",
            "str_clients",
            "fw_conf",
            "ipt_rules",
            "vpn_ips"
        )
    );
--- a/installers/raspap.sudoers
+++ b/installers/raspap.sudoers
@ -64,3 +64,7 @@ www-data ALL=(ALL) NOPASSWD:/bin/rm /etc/wireguard/*.conf
 www-data ALL=(ALL) NOPASSWD:/bin/rm /etc/wireguard/wg-*.key
 www-data ALL=(ALL) NOPASSWD:/tmp/iptables_raspap.sh
 www-data ALL=(ALL) NOPASSWD:/tmp/ip6tables_raspap.sh
 www-data ALL=(ALL) NOPASSWD:/usr/sbin/iptables-save
 www-data ALL=(ALL) NOPASSWD:/usr/sbin/ip6tables-save
 www-data ALL=(ALL) NOPASSWD:/usr/bin/tee /etc/iptables/rules.v4
 www-data ALL=(ALL) NOPASSWD:/usr/bin/tee /etc/iptables/rules.v6
--- a/installers/update_firewall.sh
+++ b/installers/update_firewall.sh
@ -0,0 +1,29 @@
 #!/bin/bash
 # include the raspap helper functions
 source /usr/local/sbin/raspap_helpers.sh
 _getWebRoot
 echo -n "Update firewall ... "
 cat << EOF > /tmp/updateFirewall.php
 <?php
 //set_include_path('/var/www/html/');
 \$_SESSION['locale']="en_GB.UTF-8";
 require_once 'includes/config.php';
 require_once 'includes/defaults.php';
 require_once RASPI_CONFIG.'/raspap.php';
 require_once 'includes/locale.php';
 require_once 'includes/wifi_functions.php';
 require_once 'includes/get_clients.php';
 require_once 'includes/firewall.php';
 updateFirewall();
 ?>
 EOF
 sudo php -d include_path=$raspap_webroot /tmp/updateFirewall.php
 rm /tmp/updateFirewall.php
 echo "done."