[openwrt] Add more parameters to firewall defaults schema

jonathanunderwood · jonathanunderwood · commit 312e575ee919 · 2021-02-09T20:56:43.000Z
Signed-off-by: Jonathan G. Underwood &lt;jonathan.underwood@gmail.com&gt;
diff --git a/netjsonconfig/backends/openwrt/converters/firewall.py b/netjsonconfig/backends/openwrt/converters/firewall.py
@@ -177,9 +177,25 @@ def to_netjson_loop(self, block, result, index):
         return self.type_cast(result)
 
     def __netjson_defaults(self, defaults):
-        for param in ["synflood_protect"]:
+        for param in [
+            "drop_invalid",
+            "synflood_protect",
+            "tcp_syncookies",
+            "tcp_ecn",
+            "tcp_window_scaling",
+            "accept_redirects",
+            "accept_source_route",
+            "custom_chains",
+            "disable_ipv6",
+            "flow_offloading",
+            "flow_offloading_hw",
+            "auto_helper",
+        ]:
             if param in defaults:
                 defaults[param] = self.__netjson_generic_boolean(defaults[param])
+        for param in ["synflood_limit", "synflood_burst"]:
+            if param in defaults:
+                defaults[param] = int(defaults[param])
         return self.type_cast(defaults)
 
     def __netjson_rule(self, rule):
diff --git a/netjsonconfig/backends/openwrt/schema.py b/netjsonconfig/backends/openwrt/schema.py
@@ -1058,13 +1058,120 @@
             },
         ]
     },
+    "drop_invalid": {
+        "type": "boolean",
+        "title": "Drop invalid packets.",
+        "description": "If True then any invalid packets will be dropped.",
+        "default": False,
+        "format": "checkbox",
+        "propertyOrder": 4,
+    },
     "synflood_protect": {
         "type": "boolean",
         "title": "Enable SYN flood protection.",
         "description": "Enables SYN flood protection.",
         "default": False,
         "format": "checkbox",
-        "propertyOrder": 4,
+        "propertyOrder": 5,
+    },
+    "synflood_rate": {
+        "type": "integer",
+        "title": "Rate limit (packets/second) for SYN packets above which the traffic is considered a flood.",
+        "description": "Number of packets/second for SYN packets above which the traffic is considered a "
+        "flood.",
+        "default": 25,
+        "propertyOrder": 6,
+    },
+    "synflood_burst": {
+        "type": "integer",
+        "title": "Burst limit (packets/second) for SYN packets above which the traffic is considered a "
+        "flood.",
+        "description": "Set burst limit for SYN packets above which the traffic is considered a flood if it "
+        "exceeds the allowed rate.",
+        "default": 50,
+        "propertyOrder": 7,
+    },
+    "tcp_syncookies": {
+        "type": "boolean",
+        "title": "Enable the use of TCP SYN cookies.",
+        "description": "If True, enables the use of SYN cookies.",
+        "default": True,
+        "format": "checkbox",
+        "propertyOrder": 8,
+    },
+    "tcp_ecn": {
+        "type": "boolean",
+        "title": "Enable Explicit Congestion Notification.",
+        "description": "If True, enables Explicit Congestion Notification.",
+        "default": False,
+        "format": "checkbox",
+        "propertyOrder": 9,
+    },
+    "tcp_window_scaling": {
+        "type": "boolean",
+        "title": "Enable TCP window scaling.",
+        "description": "If True, enables TCP window scaling.",
+        "default": True,
+        "format": "checkbox",
+        "propertyOrder": 10,
+    },
+    "accept_redirects": {
+        "type": "boolean",
+        "title": "Accept redirects.",
+        "description": "If True, accept redirects.",
+        "default": False,
+        "format": "checkbox",
+        "propertyOrder": 11,
+    },
+    "accept_source_route": {
+        "type": "boolean",
+        "title": "Accept source routes.",
+        "description": "If True, accept source routes.",
+        "default": False,
+        "format": "checkbox",
+        "propertyOrder": 12,
+    },
+    "custom_chains": {
+        "type": "boolean",
+        "title": "Enable generation of custom rule chain hooks for user generated rules.",
+        "description": "If True, enable generation of custom rule chain hooks for user generated rules. "
+        "User rules would be typically stored in firewall.user but some packages e.g. BCP38 also make use "
+        "of these hooks.",
+        "default": True,
+        "format": "checkbox",
+        "propertyOrder": 13,
+    },
+    "disable_ipv6": {
+        "type": "boolean",
+        "title": "Disable IPv6 firewall rules.",
+        "description": "If True, disable IPv6 firewall rules.",
+        "default": False,
+        "format": "checkbox",
+        "propertyOrder": 14,
+    },
+    "flow_offlocaing": {
+        "type": "boolean",
+        "title": "Enable software flow offloading for connections.",
+        "description": "If True, enable software flow offloading for connections.",
+        "default": False,
+        "format": "checkbox",
+        "propertyOrder": 15,
+    },
+    "flow_offlocaing_hw": {
+        "type": "boolean",
+        "title": "Enable hardware flow offloading for connections.",
+        "description": "If True, enable hardware flow offloading for connections.",
+        "default": False,
+        "format": "checkbox",
+        "propertyOrder": 16,
+    },
+    "auto_helper": {
+        "type": "boolean",
+        "title": "Enable Conntrack helpers ",
+        "description": "If True, enable Conntrack helpers ",
+        "default": True,
+        "format": "checkbox",
+        "propertyOrder": 17,
     },
 }
 
@@ -1075,7 +1182,6 @@
         "description": "Defaults for the fireall",
         "propertyOrder": 4,
         "properties": firewall_defaults,
-        "required": ["input", "output", "forward", "synflood_protect"],
     },
     "forwardings": {
         "type": "array",
diff --git a/tests/openwrt/test_firewall.py b/tests/openwrt/test_firewall.py
@@ -41,6 +41,58 @@ def test_parse_defaults_1(self):
         o = OpenWrt(native=self._defaults_1_uci)
         self.assertEqual(o.config, self._defaults_1_netjson)
 
+    _defaults_2_netjson = {
+        "firewall": {
+            "defaults": {
+                "input": "ACCEPT",
+                "output": "ACCEPT",
+                "forward": "REJECT",
+                "custom_chains": True,
+                "drop_invalid": True,
+                "synflood_protect": True,
+                "synflood_burst": 50,
+                "tcp_ecn": True,
+                "tcp_syncookies": True,
+                "tcp_window_scaling": True,
+                "disable_ipv6": False,
+                "flow_offloading": False,
+                "flow_offloading_hw": False,
+                "auto_helper": True,
+            }
+        }
+    }
+
+    _defaults_2_uci = textwrap.dedent(
+        """\
+        package firewall
+
+        config defaults 'defaults'
+            option input 'ACCEPT'
+            option output 'ACCEPT'
+            option forward 'REJECT'
+            option custom_chains '1'
+            option drop_invalid '1'
+            option synflood_protect '1'
+            option synflood_burst '50'
+            option tcp_ecn '1'
+            option tcp_syncookies '1'
+            option tcp_window_scaling '1'
+            option disable_ipv6 '0'
+            option flow_offloading '0'
+            option flow_offloading_hw '0'
+            option auto_helper '1'
+       """
+    )
+
+    def test_render_defaults_2(self):
+        o = OpenWrt(self._defaults_2_netjson)
+        expected = self._tabs(self._defaults_2_uci)
+        self.assertEqual(o.render(), expected)
+
+    def test_parse_defaults_2(self):
+        o = OpenWrt(native=self._defaults_2_uci)
+        self.assertEqual(o.config, self._defaults_2_netjson)
+
     _rule_1_netjson = {
         "firewall": {
             "rules": [
