From 910dbf056d62d6255c6947c0b221e5f3aaf055ae Mon Sep 17 00:00:00 2001
From: containerscrew
Date: Wed, 4 Dec 2024 18:10:02 +0100
Subject: [PATCH] wip
---
 nflux.toml | 8 +---
 nflux/src/config.rs | 92 +++++++++++++++++++++++++++++++++++++++++++++
 nflux/src/lib.rs | 3 +-
 3 files changed, 95 insertions(+), 8 deletions(-)
diff --git a/nflux.toml b/nflux.toml
index 0d65833..c308281 100644
--- a/nflux.toml
+++ b/nflux.toml
@@ -8,8 +8,8 @@ log_type = "text" # text or json. Defaults to text if not set
 [ip_rules]
 # Fine-tuned rules for IP-based filtering
-"192.168.0.0/24" = { priority = 1, action = "deny", ports = [22], protocol = "tcp" }
-"192.168.0.170/32" = { priority = 1, action = "allow", ports = [22], protocol = "tcp", log = true, description = "Block SSH for single IP" }
+"192.168.0.0/24" = { priority = 1, action = "allow", ports = [22], log = false, protocol = "tcp", description = ""}
+"192.168.0.172/32" = { priority = 2, action = "deny", ports = [53], protocol = "udp", log = false, description = "Block UDP port" }
 # "192.168.0.170/24" = { priority = 2, action = "deny", ports = [22], protocol = "tcp", log = false, description = "Deny SSH from entire subnet" }
 # "2001:0db8:85a3:0000:0000:8a2e:0370:7334" = { action = "deny", ports = [80], protocol = "tcp" }
@@ -29,7 +29,3 @@ log_denied_packets = true
 log_allowed_packets = false
 log_format = "json"
 log_file = "/var/log/firewall.log"
-
-[failsafe]
-# Failsafe rule for unmatched traffic
-action = "log"
diff --git a/nflux/src/config.rs b/nflux/src/config.rs
index 8b13789..0aba033 100644
--- a/nflux/src/config.rs
+++ b/nflux/src/config.rs
@@ -1 +1,93 @@
+use anyhow::{Context, Result};
+use serde::{Deserialize, Deserializer};
+use std::collections::HashMap;
+use std::env;
+use std::fs;
+/// Enum for `action`
+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "lowercase")] // Allow "deny" or "allow" in config
+pub enum Action {
+ Deny,
+ Allow,
+}
+
+/// Enum for `protocol`
+#[derive(Debug, Deserialize)]
+#[serde(rename_all = "lowercase")] // Allow "tcp" or "udp" in config
+pub enum Protocol {
+ Tcp,
+ Udp,
+ Icmp,
+}
+
+/// Generic rule for both IPv4 and IPv6
+#[derive(Debug, Deserialize)]
+#[allow(dead_code)]
+pub struct Rules {
+ pub priority: u32,
+ pub action: Action,
+ pub ports: Vec,
+ pub protocol: Protocol,
+ pub log: bool,
+ pub description: String,
+}
+
+/// Configuration for ICMP rules
+#[derive(Debug, Deserialize)]
+#[allow(dead_code)]
+pub struct IcmpRules {
+ pub action: Action, // Allow or Deny
+ pub protocol: String, // Always "icmp"
+}
+
+/// Configuration for MAC-based rules
+#[derive(Debug, Deserialize)]
+#[allow(dead_code)]
+pub struct MacRule {
+ pub action: Action, // Allow or Deny
+}
+
+/// General firewall configuration
+#[derive(Debug, Deserialize)]
+#[allow(dead_code)]
+pub struct Firewall {
+ pub interface_names: Vec, // List of interfaces
+ pub log_level: String, // Log level
+ pub log_type: String, // Log type
+}
+
+/// Logging configuration
+#[derive(Debug, Deserialize)]
+#[allow(dead_code)]
+pub struct LoggingConfig {
+ pub log_denied_packets: bool,
+ pub log_allowed_packets: bool,
+ pub log_format: String,
+ pub log_file: String,
+}
+
+/// Top-level configuration structure
+#[derive(Debug, Deserialize)]
+#[allow(dead_code)]
+pub struct FirewallConfig {
+ pub firewall: Firewall,
+ pub ip_rules: HashMap,
+ pub icmp_rules: HashMap,
+ pub mac_rules: HashMap,
+ pub logging: LoggingConfig,
+}
+
+impl FirewallConfig {
+ /// Load the configuration from a file, defaulting to `/etc/nflux/nflux.toml` if not specified
+ pub fn load() -> Result {
+ let config_file = env::var("NFLUX_CONFIG_FILE_PATH")
+ .unwrap_or_else(|_| "/etc/nflux/nflux.toml".to_string());
+
+ let config_content = fs::read_to_string(&config_file)
+ .with_context(|| format!("Failed to read configuration file: {}", config_file))?;
+
+ toml::from_str(&config_content)
+ .with_context(|| format!("Failed to parse configuration file: {}", config_file))
+ }
+}
diff --git a/nflux/src/lib.rs b/nflux/src/lib.rs
index ade8fa3..82c1749 100644
--- a/nflux/src/lib.rs
+++ b/nflux/src/lib.rs
@@ -4,8 +4,7 @@ mod logger;
 mod utils;
 // Dependencies
-pub use config::Action;
-pub use config::{FirewallConfig, FirewallGlobalConfig, IcmpRules, Protocol};
+pub use config::{FirewallConfig, IcmpRules, Protocol, Rules};
 pub use core::set_mem_limit;
 /// RXH version.
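Review bot: None of the `#[derive(Debug, Deserialize)]` structs in this hunk carry `#[serde(deny_unknown_fields)]`, so `FirewallConfig::load()` silently accepts keys that map to nothing; since the same commit removes the `[failsafe]` section from `nflux.toml` and `FirewallConfig` has no field for it, an existing config that still contains `[failsafe] action = "log"` loads without error while the operator believes a fallback policy is in force. Add `#[serde(deny_unknown_fields)]` beneath each derive, at minimum on `FirewallConfig` and `Rules`, so a misspelled or obsolete key fails at load time instead of being dropped. `IcmpRules::protocol` is a `String` commented `// Always "icmp"` even though the `Protocol` enum already has an `Icmp` variant; typing it as `Protocol` (or removing the field) keeps that value from drifting into free-form text. `Deserializer` in `use serde::{Deserialize, Deserializer};` is not referenced anywhere in the hunk and will produce an unused-import warning. The type parameters on `Vec` and `HashMap` appear stripped in this rendering, so the element and key types could not be checked here.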
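Review bot: The new line `pub use config::{FirewallConfig, IcmpRules, Protocol, Rules};` exposes `Rules` and `IcmpRules`, whose public `action` fields have type `config::Action`, but the removed `pub use config::Action;` is not carried over, so if `config` is a private module (its `mod` declaration is outside this hunk) downstream code can read `rule.action` yet cannot name `Action` to match on it. Restore the re-export in the same line: `pub use config::{Action, FirewallConfig, IcmpRules, Protocol, Rules};`.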