2022-05-07 13:56:34 +03:00
|
|
|
/* This file is part of the KDE project
|
|
|
|
|
Copyright (C) 2022 Ivailo Monev <xakepa10@gmail.com>
|
|
|
|
|
|
|
|
|
|
This library is free software; you can redistribute it and/or
|
|
|
|
|
modify it under the terms of the GNU Library General Public
|
|
|
|
|
License version 2, as published by the Free Software Foundation.
|
|
|
|
|
|
|
|
|
|
This library is distributed in the hope that it will be useful,
|
|
|
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
|
|
|
|
|
Library General Public License for more details.
|
|
|
|
|
|
|
|
|
|
You should have received a copy of the GNU Library General Public License
|
|
|
|
|
along with this library; see the file COPYING.LIB. If not, write to
|
|
|
|
|
the Free Software Foundation, Inc., 51 Franklin Street, Fifth Floor,
|
|
|
|
|
Boston, MA 02110-1301, USA.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
#include "kfirewallhelper.h"
|
|
|
|
|
|
|
|
|
|
#include <QProcess>
|
|
|
|
|
#include <kstandarddirs.h>
|
|
|
|
|
#include <kdebug.h>
|
|
|
|
|
|
|
|
|
|
static QByteArray ruleForSettings(const QByteArray &uservalue, const QByteArray &trafficvalue,
|
|
|
|
|
const QByteArray &addressvalue, const uint portvalue,
|
|
|
|
|
const QByteArray &actionvalue, const bool appendrules, const bool tcprule)
|
|
|
|
|
{
|
|
|
|
|
if (!tcprule && portvalue <= 0) {
|
|
|
|
|
// no port specified
|
|
|
|
|
return QByteArray();
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
QByteArray iptablesruledata;
|
|
|
|
|
bool isinbound = false;
|
|
|
|
|
QByteArray iptablestraffic = trafficvalue.toUpper();
|
|
|
|
|
if (iptablestraffic == "INBOUND") {
|
|
|
|
|
iptablestraffic = "INPUT";
|
|
|
|
|
isinbound = true;
|
|
|
|
|
} else {
|
|
|
|
|
iptablestraffic = "OUTPUT";
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (appendrules) {
|
|
|
|
|
iptablesruledata.append("--append ");
|
|
|
|
|
} else {
|
|
|
|
|
iptablesruledata.append("--delete ");
|
|
|
|
|
}
|
|
|
|
|
iptablesruledata.append(iptablestraffic);
|
|
|
|
|
if (!addressvalue.isEmpty()) {
|
|
|
|
|
iptablesruledata.append(" --destination ");
|
|
|
|
|
iptablesruledata.append(addressvalue);
|
|
|
|
|
}
|
|
|
|
|
if (portvalue > 0) {
|
|
|
|
|
if (tcprule) {
|
|
|
|
|
iptablesruledata.append(" --proto tcp --dport ");
|
|
|
|
|
iptablesruledata.append(QByteArray::number(portvalue));
|
|
|
|
|
} else {
|
|
|
|
|
iptablesruledata.append(" --proto udp --dport ");
|
|
|
|
|
iptablesruledata.append(QByteArray::number(portvalue));
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (!isinbound) {
|
|
|
|
|
// NOTE: only output can be user-bound
|
|
|
|
|
iptablesruledata.append(" --match owner --uid-owner ");
|
|
|
|
|
iptablesruledata.append(uservalue);
|
|
|
|
|
}
|
|
|
|
|
iptablesruledata.append(" --jump ");
|
|
|
|
|
iptablesruledata.append(actionvalue.toUpper());
|
|
|
|
|
iptablesruledata.append("\n");
|
|
|
|
|
return iptablesruledata;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static QByteArray rulesForParameters(const QVariantMap ¶meters, const bool appendrules)
|
|
|
|
|
{
|
|
|
|
|
QByteArray iptablesruledata("*filter\n");
|
|
|
|
|
foreach (const QString &key, parameters.keys()) {
|
|
|
|
|
const QVariantMap rulesettingsmap = parameters.value(key).toMap();
|
|
|
|
|
const QByteArray uservalue = rulesettingsmap.value(QString::fromLatin1("user")).toByteArray();
|
|
|
|
|
const QByteArray trafficvalue = rulesettingsmap.value(QString::fromLatin1("traffic")).toByteArray();
|
|
|
|
|
const QByteArray addressvalue = rulesettingsmap.value(QString::fromLatin1("address")).toByteArray();
|
|
|
|
|
const uint portvalue = rulesettingsmap.value(QString::fromLatin1("port")).toUInt();
|
|
|
|
|
const QByteArray actionvalue = rulesettingsmap.value(QString::fromLatin1("action")).toByteArray();
|
|
|
|
|
// qDebug() << Q_FUNC_INFO << trafficvalue << addressvalue << portvalue << actionvalue;
|
|
|
|
|
|
|
|
|
|
iptablesruledata.append(
|
|
|
|
|
ruleForSettings(
|
|
|
|
|
uservalue, trafficvalue, addressvalue, portvalue, actionvalue,
|
|
|
|
|
appendrules, true
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
iptablesruledata.append(
|
|
|
|
|
ruleForSettings(
|
|
|
|
|
uservalue, trafficvalue, addressvalue, portvalue, actionvalue,
|
|
|
|
|
appendrules, false
|
|
|
|
|
)
|
|
|
|
|
);
|
|
|
|
|
}
|
|
|
|
|
iptablesruledata.append("COMMIT\n");
|
|
|
|
|
// qDebug() << Q_FUNC_INFO << iptablesruledata;
|
|
|
|
|
return iptablesruledata;
|
|
|
|
|
}
|
|
|
|
|
|
2022-12-02 04:28:48 +02:00
|
|
|
static int applyRules(KFirewallHelper *helper, const QString &iptablesexe,
|
2022-05-07 13:56:34 +03:00
|
|
|
const QByteArray &iptablesruledata)
|
|
|
|
|
{
|
|
|
|
|
QProcess iptablesproc(helper);
|
|
|
|
|
iptablesproc.start(iptablesexe);
|
|
|
|
|
if (!iptablesproc.waitForStarted()) {
|
2022-12-02 04:28:48 +02:00
|
|
|
kWarning() << "Could not start iptables-restore";
|
|
|
|
|
return KAuthorization::HelperError;
|
2022-05-07 13:56:34 +03:00
|
|
|
}
|
|
|
|
|
if (iptablesproc.write(iptablesruledata) != iptablesruledata.size()) {
|
2022-12-02 04:28:48 +02:00
|
|
|
kWarning() << "Could not write rules";
|
|
|
|
|
return KAuthorization::HelperError;
|
2022-05-07 13:56:34 +03:00
|
|
|
}
|
|
|
|
|
iptablesproc.closeWriteChannel();
|
|
|
|
|
iptablesproc.waitForFinished();
|
|
|
|
|
if (iptablesproc.exitCode() != 0) {
|
|
|
|
|
QString errorstring = iptablesproc.readAllStandardError().trimmed();
|
|
|
|
|
if (errorstring.isEmpty()) {
|
|
|
|
|
errorstring = QString::fromLatin1("Could not apply rules");
|
|
|
|
|
}
|
2022-12-02 04:28:48 +02:00
|
|
|
kWarning() << errorstring;
|
|
|
|
|
return KAuthorization::HelperError;
|
2022-05-07 13:56:34 +03:00
|
|
|
}
|
|
|
|
|
|
2022-12-02 04:28:48 +02:00
|
|
|
return KAuthorization::NoError;
|
2022-05-07 13:56:34 +03:00
|
|
|
}
|
|
|
|
|
|
2023-06-20 04:48:50 +03:00
|
|
|
KFirewallHelper::KFirewallHelper(const char* const helper, QObject *parent)
|
|
|
|
|
: KAuthorization(helper, parent)
|
|
|
|
|
{
|
|
|
|
|
}
|
|
|
|
|
|
2022-12-02 04:28:48 +02:00
|
|
|
int KFirewallHelper::apply(const QVariantMap ¶meters)
|
2022-05-07 13:56:34 +03:00
|
|
|
{
|
|
|
|
|
if (parameters.isEmpty()) {
|
2022-12-02 04:28:48 +02:00
|
|
|
kWarning() << "Empty rules";
|
|
|
|
|
return KAuthorization::HelperError;
|
2022-05-07 13:56:34 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const QString iptablesexe = KStandardDirs::findRootExe("iptables-restore");
|
|
|
|
|
if (iptablesexe.isEmpty()) {
|
2022-12-02 04:28:48 +02:00
|
|
|
kWarning() << "Could not find iptables-restore";
|
|
|
|
|
return KAuthorization::HelperError;
|
2022-05-07 13:56:34 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return applyRules(this, iptablesexe, rulesForParameters(parameters, true));
|
|
|
|
|
}
|
|
|
|
|
|
2022-12-02 04:28:48 +02:00
|
|
|
int KFirewallHelper::revert(const QVariantMap ¶meters)
|
2022-05-07 13:56:34 +03:00
|
|
|
{
|
|
|
|
|
//qDebug() << Q_FUNC_INFO << parameters;
|
|
|
|
|
|
|
|
|
|
if (parameters.isEmpty()) {
|
2022-12-02 04:28:48 +02:00
|
|
|
kWarning() << "Empty rules";
|
|
|
|
|
return KAuthorization::HelperError;
|
2022-05-07 13:56:34 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
const QString iptablesexe = KStandardDirs::findRootExe("iptables-restore");
|
|
|
|
|
if (iptablesexe.isEmpty()) {
|
2022-12-02 04:28:48 +02:00
|
|
|
kWarning() << "Could not find iptables-restore";
|
|
|
|
|
return KAuthorization::HelperError;
|
2022-05-07 13:56:34 +03:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return applyRules(this, iptablesexe, rulesForParameters(parameters, false));
|
|
|
|
|
}
|
|
|
|
|
|
2022-12-02 04:28:48 +02:00
|
|
|
K_AUTH_MAIN("org.kde.kcontrol.kcmkfirewall", KFirewallHelper)
|
