From e245e6788356096fc2821d6e4f4baf246d909372 Mon Sep 17 00:00:00 2001 From: Rene Rath Date: Sat, 19 Aug 2023 11:11:52 +0200 Subject: [PATCH] init --- .github/workflows/autolint.yml | 36 ++ .pylintrc | 633 +++++++++++++++++++++++++++++++++ README.md | 140 ++++++++ lib/dns.py | 53 +++ lib/dns_resolver.py | 42 +++ lib/util.py | 141 ++++++++ requirements_lint.txt | 1 + 7 files changed, 1046 insertions(+) create mode 100644 .github/workflows/autolint.yml create mode 100644 .pylintrc create mode 100644 README.md create mode 100644 lib/dns.py create mode 100644 lib/dns_resolver.py create mode 100644 lib/util.py create mode 100644 requirements_lint.txt diff --git a/.github/workflows/autolint.yml b/.github/workflows/autolint.yml new file mode 100644 index 0000000..4a90a60 --- /dev/null +++ b/.github/workflows/autolint.yml @@ -0,0 +1,36 @@ +--- + +name: AutoLint + +on: + push: + branches: [latest] + pull_request: + branches: [latest] + +jobs: + build: + strategy: + matrix: + python-version: [3.10] + runs-on: ubuntu-latest + + steps: + - name: Checkout + uses: actions/checkout@v3 + with: + ref: ${{ github.ref }} + + - name: Install python + uses: actions/setup-python@v4 + with: + python-version: '3.10' + + - name: Install dependencies + run: | + pip install -r requirements_lint.txt + shell: bash + + - name: Running PyLint + run: pylint --recursive=y . + shell: bash diff --git a/.pylintrc b/.pylintrc new file mode 100644 index 0000000..507c0b8 --- /dev/null +++ b/.pylintrc @@ -0,0 +1,633 @@ +[MAIN] + +# Analyse import fallback blocks. This can be used to support both Python 2 and +# 3 compatible code, which means that the block might have code that exists +# only in one or another interpreter, leading to false positives when analysed. +analyse-fallback-blocks=no + +# Clear in-memory caches upon conclusion of linting. Useful if running pylint +# in a server-like mode. +clear-cache-post-run=no + +# Load and enable all available extensions. Use --list-extensions to see a list +# all available extensions. +#enable-all-extensions= + +# In error mode, messages with a category besides ERROR or FATAL are +# suppressed, and no reports are done by default. Error mode is compatible with +# disabling specific errors. +#errors-only= + +# Always return a 0 (non-error) status code, even if lint errors are found. +# This is primarily useful in continuous integration scripts. +#exit-zero= + +# A comma-separated list of package or module names from where C extensions may +# be loaded. Extensions are loading into the active Python interpreter and may +# run arbitrary code. +extension-pkg-allow-list= + +# A comma-separated list of package or module names from where C extensions may +# be loaded. Extensions are loading into the active Python interpreter and may +# run arbitrary code. (This is an alternative name to extension-pkg-allow-list +# for backward compatibility.) +extension-pkg-whitelist= + +# Return non-zero exit code if any of these messages/categories are detected, +# even if score is above --fail-under value. Syntax same as enable. Messages +# specified are enabled, while categories only check already-enabled messages. +fail-on= + +# Specify a score threshold under which the program will exit with error. +fail-under=10 + +# Interpret the stdin as a python script, whose filename needs to be passed as +# the module_or_package argument. +#from-stdin= + +# Files or directories to be skipped. They should be base names, not paths. +ignore=CVS + +# Add files or directories matching the regular expressions patterns to the +# ignore-list. The regex matches against paths and can be in Posix or Windows +# format. Because '\\' represents the directory delimiter on Windows systems, +# it can't be used as an escape character. +ignore-paths= + +# Files or directories matching the regular expression patterns are skipped. +# The regex matches against base names, not paths. The default value ignores +# Emacs file locks +ignore-patterns=^\.# + +# List of module names for which member attributes should not be checked +# (useful for modules/projects where namespaces are manipulated during runtime +# and thus existing member attributes cannot be deduced by static analysis). It +# supports qualified module names, as well as Unix pattern matching. +ignored-modules= + +# Python code to execute, usually for sys.path manipulation such as +# pygtk.require(). +#init-hook= + +# Use multiple processes to speed up Pylint. Specifying 0 will auto-detect the +# number of processors available to use, and will cap the count on Windows to +# avoid hangs. +jobs=1 + +# Control the amount of potential inferred values when inferring a single +# object. This can help the performance when dealing with large functions or +# complex, nested conditions. +limit-inference-results=100 + +# List of plugins (as comma separated values of python module names) to load, +# usually to register additional checkers. +load-plugins= + +# Pickle collected data for later comparisons. +persistent=yes + +# Minimum Python version to use for version dependent checks. Will default to +# the version used to run pylint. +py-version=3.10 + +# Discover python modules and packages in the file system subtree. +recursive=no + +# Add paths to the list of the source roots. Supports globbing patterns. The +# source root is an absolute path or a path relative to the current working +# directory used to determine a package namespace for modules located under the +# source root. +source-roots= + +# When enabled, pylint would attempt to guess common misconfiguration and emit +# user-friendly hints instead of false-positive error messages. +suggestion-mode=yes + +# Allow loading of arbitrary C extensions. Extensions are imported into the +# active Python interpreter and may run arbitrary code. +unsafe-load-any-extension=no + +# In verbose mode, extra non-checker-related info will be displayed. +#verbose= + + +[BASIC] + +# Naming style matching correct argument names. +argument-naming-style=snake_case + +# Regular expression matching correct argument names. Overrides argument- +# naming-style. If left empty, argument names will be checked with the set +# naming style. +#argument-rgx= + +# Naming style matching correct attribute names. +attr-naming-style=snake_case + +# Regular expression matching correct attribute names. Overrides attr-naming- +# style. If left empty, attribute names will be checked with the set naming +# style. +#attr-rgx= + +# Bad variable names which should always be refused, separated by a comma. +bad-names=foo, + bar, + baz, + toto, + tutu, + tata + +# Bad variable names regexes, separated by a comma. If names match any regex, +# they will always be refused +bad-names-rgxs= + +# Naming style matching correct class attribute names. +class-attribute-naming-style=any + +# Regular expression matching correct class attribute names. Overrides class- +# attribute-naming-style. If left empty, class attribute names will be checked +# with the set naming style. +#class-attribute-rgx= + +# Naming style matching correct class constant names. +class-const-naming-style=UPPER_CASE + +# Regular expression matching correct class constant names. Overrides class- +# const-naming-style. If left empty, class constant names will be checked with +# the set naming style. +#class-const-rgx= + +# Naming style matching correct class names. +class-naming-style=PascalCase + +# Regular expression matching correct class names. Overrides class-naming- +# style. If left empty, class names will be checked with the set naming style. +#class-rgx= + +# Naming style matching correct constant names. +const-naming-style=UPPER_CASE + +# Regular expression matching correct constant names. Overrides const-naming- +# style. If left empty, constant names will be checked with the set naming +# style. +#const-rgx= + +# Minimum line length for functions/classes that require docstrings, shorter +# ones are exempt. +docstring-min-length=-1 + +# Naming style matching correct function names. +function-naming-style=snake_case + +# Regular expression matching correct function names. Overrides function- +# naming-style. If left empty, function names will be checked with the set +# naming style. +#function-rgx= + +# Good variable names which should always be accepted, separated by a comma. +good-names=i, + j, + k, + ex, + Run, + _ + +# Good variable names regexes, separated by a comma. If names match any regex, +# they will always be accepted +good-names-rgxs= + +# Include a hint for the correct naming format with invalid-name. +include-naming-hint=no + +# Naming style matching correct inline iteration names. +inlinevar-naming-style=any + +# Regular expression matching correct inline iteration names. Overrides +# inlinevar-naming-style. If left empty, inline iteration names will be checked +# with the set naming style. +#inlinevar-rgx= + +# Naming style matching correct method names. +method-naming-style=snake_case + +# Regular expression matching correct method names. Overrides method-naming- +# style. If left empty, method names will be checked with the set naming style. +#method-rgx= + +# Naming style matching correct module names. +module-naming-style=snake_case + +# Regular expression matching correct module names. Overrides module-naming- +# style. If left empty, module names will be checked with the set naming style. +#module-rgx= + +# Colon-delimited sets of names that determine each other's naming style when +# the name regexes allow several styles. +name-group= + +# Regular expression which should only match function or class names that do +# not require a docstring. +no-docstring-rgx=^_ + +# List of decorators that produce properties, such as abc.abstractproperty. Add +# to this list to register other decorators that produce valid properties. +# These decorators are taken in consideration only for invalid-name. +property-classes=abc.abstractproperty + +# Regular expression matching correct type alias names. If left empty, type +# alias names will be checked with the set naming style. +#typealias-rgx= + +# Regular expression matching correct type variable names. If left empty, type +# variable names will be checked with the set naming style. +#typevar-rgx= + +# Naming style matching correct variable names. +variable-naming-style=snake_case + +# Regular expression matching correct variable names. Overrides variable- +# naming-style. If left empty, variable names will be checked with the set +# naming style. +#variable-rgx= + + +[CLASSES] + +# Warn about protected attribute access inside special methods +check-protected-access-in-special-methods=no + +# List of method names used to declare (i.e. assign) instance attributes. +defining-attr-methods=__init__, + __new__, + setUp, + asyncSetUp, + __post_init__ + +# List of member names, which should be excluded from the protected access +# warning. +exclude-protected=_asdict,_fields,_replace,_source,_make,os._exit + +# List of valid names for the first argument in a class method. +valid-classmethod-first-arg=cls + +# List of valid names for the first argument in a metaclass class method. +valid-metaclass-classmethod-first-arg=mcs + + +[DESIGN] + +# List of regular expressions of class ancestor names to ignore when counting +# public methods (see R0903) +exclude-too-few-public-methods= + +# List of qualified class names to ignore when counting class parents (see +# R0901) +ignored-parents= + +# Maximum number of arguments for function / method. +max-args=5 + +# Maximum number of attributes for a class (see R0902). +max-attributes=7 + +# Maximum number of boolean expressions in an if statement (see R0916). +max-bool-expr=5 + +# Maximum number of branch for function / method body. +max-branches=12 + +# Maximum number of locals for function / method body. +max-locals=15 + +# Maximum number of parents for a class (see R0901). +max-parents=7 + +# Maximum number of public methods for a class (see R0904). +max-public-methods=20 + +# Maximum number of return / yield for function / method body. +max-returns=6 + +# Maximum number of statements in function / method body. +max-statements=50 + +# Minimum number of public methods for a class (see R0903). +min-public-methods=2 + + +[EXCEPTIONS] + +# Exceptions that will emit a warning when caught. +overgeneral-exceptions=builtins.BaseException,builtins.Exception + + +[FORMAT] + +# Expected format of line ending, e.g. empty (any line ending), LF or CRLF. +expected-line-ending-format= + +# Regexp for a line that is allowed to be longer than the limit. +ignore-long-lines=^\s*(# )??$ + +# Number of spaces of indent required inside a hanging or continued line. +indent-after-paren=4 + +# String used as indentation unit. This is usually " " (4 spaces) or "\t" (1 +# tab). +indent-string=' ' + +# Maximum number of characters on a single line. +max-line-length=160 + +# Maximum number of lines in a module. +max-module-lines=1000 + +# Allow the body of a class to be on the same line as the declaration if body +# contains single statement. +single-line-class-stmt=no + +# Allow the body of an if to be on the same line as the test if there is no +# else. +single-line-if-stmt=no + + +[IMPORTS] + +# List of modules that can be imported at any level, not just the top level +# one. +allow-any-import-level= + +# Allow explicit reexports by alias from a package __init__. +allow-reexport-from-package=no + +# Allow wildcard imports from modules that define __all__. +allow-wildcard-with-all=no + +# Deprecated modules which should not be used, separated by a comma. +deprecated-modules= + +# Output a graph (.gv or any supported image format) of external dependencies +# to the given file (report RP0402 must not be disabled). +ext-import-graph= + +# Output a graph (.gv or any supported image format) of all (i.e. internal and +# external) dependencies to the given file (report RP0402 must not be +# disabled). +import-graph= + +# Output a graph (.gv or any supported image format) of internal dependencies +# to the given file (report RP0402 must not be disabled). +int-import-graph= + +# Force import order to recognize a module as part of the standard +# compatibility libraries. +known-standard-library= + +# Force import order to recognize a module as part of a third party library. +known-third-party=enchant + +# Couples of modules and preferred modules, separated by a comma. +preferred-modules= + + +[LOGGING] + +# The type of string formatting that logging methods do. `old` means using % +# formatting, `new` is for `{}` formatting. +logging-format-style=old + +# Logging modules to check that the string format arguments are in logging +# function parameter format. +logging-modules=logging + + +[MESSAGES CONTROL] + +# Only show warnings with the listed confidence levels. Leave empty to show +# all. Valid levels: HIGH, CONTROL_FLOW, INFERENCE, INFERENCE_FAILURE, +# UNDEFINED. +confidence=HIGH, + CONTROL_FLOW, + INFERENCE, + INFERENCE_FAILURE, + UNDEFINED + +# Disable the message, report, category or checker with the given id(s). You +# can either give multiple identifiers separated by comma (,) or put this +# option multiple times (only on the command line, not in the configuration +# file where it should appear only once). You can also use "--disable=all" to +# disable everything first and then re-enable specific checks. For example, if +# you want to run only the similarities checker, you can use "--disable=all +# --enable=similarities". If you want to run only the classes checker, but have +# no Warning level messages displayed, use "--disable=all --enable=classes +# --disable=W". +disable=raw-checker-failed, + bad-inline-option, + locally-disabled, + file-ignored, + suppressed-message, + useless-suppression, + deprecated-pragma, + use-symbolic-message-instead, + C0114, C0115, C0116, # docstrings + C0103, # var-naming + +# Enable the message, report, category or checker with the given id(s). You can +# either give multiple identifier separated by comma (,) or put this option +# multiple time (only on the command line, not in the configuration file where +# it should appear only once). See also the "--disable" option for examples. +enable=c-extension-no-member + + +[METHOD_ARGS] + +# List of qualified names (i.e., library.method) which require a timeout +# parameter e.g. 'requests.api.get,requests.api.post' +timeout-methods=requests.api.delete,requests.api.get,requests.api.head,requests.api.options,requests.api.patch,requests.api.post,requests.api.put,requests.api.request + + +[MISCELLANEOUS] + +# List of note tags to take in consideration, separated by a comma. +notes=FIXME, + XXX, + TODO + +# Regular expression of note tags to take in consideration. +notes-rgx= + + +[REFACTORING] + +# Maximum number of nested blocks for function / method body +max-nested-blocks=5 + +# Complete name of functions that never returns. When checking for +# inconsistent-return-statements if a never returning function is called then +# it will be considered as an explicit return statement and no message will be +# printed. +never-returning-functions=sys.exit,argparse.parse_error + + +[REPORTS] + +# Python expression which should return a score less than or equal to 10. You +# have access to the variables 'fatal', 'error', 'warning', 'refactor', +# 'convention', and 'info' which contain the number of messages in each +# category, as well as 'statement' which is the total number of statements +# analyzed. This score is used by the global evaluation report (RP0004). +evaluation=max(0, 0 if fatal else 10.0 - ((float(5 * error + warning + refactor + convention) / statement) * 10)) + +# Template used to display messages. This is a python new-style format string +# used to format the message information. See doc for all details. +msg-template= + +# Set the output format. Available formats are text, parseable, colorized, json +# and msvs (visual studio). You can also give a reporter class, e.g. +# mypackage.mymodule.MyReporterClass. +#output-format= + +# Tells whether to display a full report or only the messages. +reports=no + +# Activate the evaluation score. +score=yes + + +[SIMILARITIES] + +# Comments are removed from the similarity computation +ignore-comments=yes + +# Docstrings are removed from the similarity computation +ignore-docstrings=yes + +# Imports are removed from the similarity computation +ignore-imports=yes + +# Signatures are removed from the similarity computation +ignore-signatures=yes + +# Minimum lines number of a similarity. +min-similarity-lines=4 + + +[SPELLING] + +# Limits count of emitted suggestions for spelling mistakes. +max-spelling-suggestions=4 + +# Spelling dictionary name. No available dictionaries : You need to install +# both the python package and the system dependency for enchant to work.. +spelling-dict= + +# List of comma separated words that should be considered directives if they +# appear at the beginning of a comment and should not be checked. +spelling-ignore-comment-directives=fmt: on,fmt: off,noqa:,noqa,nosec,isort:skip,mypy: + +# List of comma separated words that should not be checked. +spelling-ignore-words= + +# A path to a file that contains the private dictionary; one word per line. +spelling-private-dict-file= + +# Tells whether to store unknown words to the private dictionary (see the +# --spelling-private-dict-file option) instead of raising a message. +spelling-store-unknown-words=no + + +[STRING] + +# This flag controls whether inconsistent-quotes generates a warning when the +# character used as a quote delimiter is used inconsistently within a module. +check-quote-consistency=no + +# This flag controls whether the implicit-str-concat should generate a warning +# on implicit string concatenation in sequences defined over several lines. +check-str-concat-over-line-jumps=no + + +[TYPECHECK] + +# List of decorators that produce context managers, such as +# contextlib.contextmanager. Add to this list to register other decorators that +# produce valid context managers. +contextmanager-decorators=contextlib.contextmanager + +# List of members which are set dynamically and missed by pylint inference +# system, and so shouldn't trigger E1101 when accessed. Python regular +# expressions are accepted. +generated-members= + +# Tells whether to warn about missing members when the owner of the attribute +# is inferred to be None. +ignore-none=yes + +# This flag controls whether pylint should warn about no-member and similar +# checks whenever an opaque object is returned when inferring. The inference +# can return multiple potential results while evaluating a Python object, but +# some branches might not be evaluated, which results in partial inference. In +# that case, it might be useful to still emit no-member and other checks for +# the rest of the inferred objects. +ignore-on-opaque-inference=yes + +# List of symbolic message names to ignore for Mixin members. +ignored-checks-for-mixins=no-member, + not-async-context-manager, + not-context-manager, + attribute-defined-outside-init + +# List of class names for which member attributes should not be checked (useful +# for classes with dynamically set attributes). This supports the use of +# qualified names. +ignored-classes=optparse.Values,thread._local,_thread._local,argparse.Namespace + +# Show a hint with possible names when a member name was not found. The aspect +# of finding the hint is based on edit distance. +missing-member-hint=yes + +# The minimum edit distance a name should have in order to be considered a +# similar match for a missing member name. +missing-member-hint-distance=1 + +# The total number of similar names that should be taken in consideration when +# showing a hint for a missing member. +missing-member-max-choices=1 + +# Regex pattern to define which classes are considered mixins. +mixin-class-rgx=.*[Mm]ixin + +# List of decorators that change the signature of a decorated function. +signature-mutators= + + +[VARIABLES] + +# List of additional names supposed to be defined in builtins. Remember that +# you should avoid defining new builtins when possible. +additional-builtins= + +# Tells whether unused global variables should be treated as a violation. +allow-global-unused-variables=yes + +# List of names allowed to shadow builtins +allowed-redefined-builtins= + +# List of strings which can identify a callback function by name. A callback +# name must start or end with one of those strings. +callbacks=cb_, + _cb + +# A regular expression matching the name of dummy variables (i.e. expected to +# not be used). +dummy-variables-rgx=_+$|(_[a-zA-Z0-9_]*[a-zA-Z0-9]+?$)|dummy|^ignored_|^unused_ + +# Argument names that match this expression will be ignored. +ignored-argument-names=_.*|^ignored_|^unused_ + +# Tells whether we should check for unused import in __init__ files. +init-import=no + +# List of qualified module names which can have objects that can redefine +# builtins. +redefining-builtins-modules=six.moves,past.builtins,future.builtins,builtins,io diff --git a/README.md b/README.md new file mode 100644 index 0000000..6a2e9e6 --- /dev/null +++ b/README.md @@ -0,0 +1,140 @@ +# NFTables Addon - DNS Resolution + +NFTables lacks some functionality, that is commonly used in firewalling. + +Having variables that hold the IPs of some DNS-record is one of those. + +NFTables CAN resolve DNS-records - but will throw an error if the record resolves to more than one IP.. (`Error: Hostname resolves to multiple addresses`) + +---- + +### Result + +```text +cat /etc/nftables.d/addons/dns.nft +> # Auto-Generated config - DO NOT EDIT MANUALLY! +> +> define site_github_v4 = { 140.82.121.3, 140.82.121.10 } +> define site_github_v6 = { :: } +> define repo_debian_v4 = { 151.101.86.132 } +> define repo_debian_v6 = { 2a04:4e42:14::644 } +> define ntp_pool_v4 = { 158.43.128.33, 178.62.250.107, 194.58.207.20, 37.252.127.156 } +> define ntp_pool_v6 = { :: } +``` + +---- + +## How does it work? + +1. A configuration file needs to be created: + + `/etc/nftables.d/addons/dns.json` + + ```json + { + "dns": { + "site_github": ["github.com", "codeload.github.com"], + "repo_debian": "deb.debian.org", + "ntp_pool": "europe.pool.ntp.org" + } + } + ``` + +2. The script is executed + + `python3 /usr/lib/nftables/dns.py` + + * It will load the configuration + * Resolve IPv4 and IPv6 (_if enabled_) for all configured variables + * If it was unable to resolve some record - a placeholder-value will be set: + + IPv4: `0.0.0.0` + + IPv6: `::` + + * The new addon-config is written to `/tmp/nftables_dns.nft` + * Its md5-hash is compared to the existing config to check if it changed + + * **If it has changed**: + * **Config validation** is done: + + * An include-file is written to `/tmp/nftables_main.nft`: + + ```nft + include /tmp/nftables_dns.nft + # including all other adoon configs + include /etc/nftables.d/addons/other_addon1.nft + include /etc/nftables.d/addons/other_addon2.nft + # include other main configs + include /etc/nftables.d/*.nft + ``` + + * This include-file is validated: + + `sudo nft -cf /tmp/nftables_main.nft` + + * The new config is written to `/etc/nftables.d/addons/dns.nft` + * The actual config is validated: `sudo nft -cf /etc/nftables.conf` + * NFTables is reloaded: `sudo systemctl reload nftables.service` + +3. You will have to include the addon-config in your main-config file `/etc/nftables.conf`: + + ``` + ... + include /etc/nftables.d/addons/*.nft + ... + ``` + +---- + +## Privileges + +If the script should be run as non-root user - you will need to add a sudoers.d file to add the needed privileges: + +```text +Cmnd_Alias NFTABLES_ADDON_DNS = \ + /usr/bin/systemctl reload nftables.service, + /usr/sbin/nft -cf * + +service_user ALL=(ALL) NOPASSWD: NFTABLES_ADDON_DNS +``` + +You may not change the owner of the addon-files as the script will not be able to overwrite them. + +---- + +## Safety + +As explained above - there is a config-validation process to ensure the addon will not supply a bad config and lead to a failed nftables reload/restart. + +If you want to be even safer - you can add a config-validation inside the `nftables.service`: + +```text +# /etc/systemd/system/nftables.service.d/override.conf +[Service] +ExecStartPre=/usr/sbin/nft -cf /etc/nftables.conf + +ExecReload= +ExecReload=/usr/sbin/nft -cf /etc/nftables.conf +ExecReload=/usr/sbin/nft -f /etc/nftables.conf +``` + +This will catch and log config-errors before doing a reload/restart. + +---- + +## Scheduling + +You can either: + +* Add a Systemd Timer: [example](https://github.com/ansibleguy/addons_nftables/tree/latest/templates/etc/systemd/system) +* Add a cron job + +---- + +## Ansible + +Here you can find an Ansible Role to manage NFTables Addons: + +* [ansibleguy.addons_nftables](https://github.com/ansibleguy/addons_nftables) +* [examples](https://github.com/ansibleguy/addons_nftables/blob/latest/Example.md) diff --git a/lib/dns.py b/lib/dns.py new file mode 100644 index 0000000..afbc07a --- /dev/null +++ b/lib/dns.py @@ -0,0 +1,53 @@ +#!/usr/bin/env python3 + +from dns_resolver import resolve_ipv4, resolve_ipv6 +from util import validate_and_write, load_config, format_var + +PROCESS_IPv6 = True + +# paths are set in util (shared between addons) +APPENDIX_4 = '' +APPENDIX_6 = '_v6' +CONFIG_FILE = 'dns.json' +CONFIG_FILE_KEY = 'dns' +OUT_FILE = 'dns.nft' + +CONFIG = load_config(file=CONFIG_FILE, key=CONFIG_FILE_KEY) + +if CONFIG is None or len(CONFIG) == 0: + raise SystemExit(f"Config file could not be loaded: '{CONFIG_FILE}'!") + +lines = [] +for var, hostnames in CONFIG.items(): + if not isinstance(hostnames, list): + hostnames = [hostnames] + + values_v4 = [] + values_v6 = [] + + for hostname in hostnames: + values_v4.extend(resolve_ipv4(hostname)) + + if PROCESS_IPv6: + values_v6.extend(resolve_ipv6(hostname)) + + lines.append( + format_var( + name=var, + append=APPENDIX_4, + data=values_v4, + version=4, + ) + ) + + if PROCESS_IPv6: + lines.append( + format_var( + name=var, + append=APPENDIX_6, + data=values_v6, + version=6, + ) + ) + +validate_and_write(lines=lines, file=OUT_FILE, key=CONFIG_FILE_KEY) diff --git a/lib/dns_resolver.py b/lib/dns_resolver.py new file mode 100644 index 0000000..7816d4c --- /dev/null +++ b/lib/dns_resolver.py @@ -0,0 +1,42 @@ +#!/usr/bin/env python3 + +# Source: https://github.com/superstes/python3-resolver +# Copyright (C) 2023 René Pascal Rath +# License: GNU General Public License v3.0 + +from socket import getaddrinfo, gaierror +from ipaddress import IPv4Address, AddressValueError + +DUMMY_PORT = 80 + + +def _is_ipv4_address(i: str) -> bool: + try: + IPv4Address(i) + return True + + except AddressValueError: + return False + + +def _sorted(data: list) -> list: + data.sort() + return data + + +def resolve(name: str) -> list: + try: + raw = getaddrinfo(name, DUMMY_PORT) + # pylint: disable=R1718 + return _sorted(list(set([r[4][0] for r in raw]))) + + except (gaierror, UnicodeError): + return [] + + +def resolve_ipv4(name: str) -> list: + return _sorted([i for i in resolve(name) if _is_ipv4_address(i)]) + + +def resolve_ipv6(name: str) -> list: + return _sorted([i for i in resolve(name) if not _is_ipv4_address(i)]) diff --git a/lib/util.py b/lib/util.py new file mode 100644 index 0000000..2b38c30 --- /dev/null +++ b/lib/util.py @@ -0,0 +1,141 @@ +#!/usr/bin/env python3 + +from os import listdir +from time import time +from pathlib import Path +from hashlib import md5 as md5_hash +from subprocess import Popen as subprocess_popen +from subprocess import PIPE as subprocess_pipe +from json import loads as json_loads +from json import JSONDecodeError + +CMD_RELOAD = 'sudo systemctl reload nftables.service' # has to be changed if no systemd is available +CONFIG = '/etc/nftables.conf' +BASE_DIR = '/etc/nftables.d' +ADDON_DIR = '/etc/nftables.d/addons' +CONFIG_EXT = 'nft' + +if not CONFIG_EXT.startswith('.'): + CONFIG_EXT = f'.{CONFIG_EXT}' + +FALLBACK_VAR_VALUE = { + 4: '0.0.0.0', + 6: '::', +} +FILE_TMP_PREFIX = '/tmp/nftables_' +FILE_HEADER = '# Auto-Generated config - DO NOT EDIT MANUALLY!\n\n' + + +def format_var(name: str, data: list, version: int, append: str = None) -> str: + if version not in FALLBACK_VAR_VALUE: + version = 4 + + if append not in [None, ' ', '']: + name = f'{name}_{append}' + + raw = f"define { name } = {{ %s }}" + + if len(data) == 0: + return raw % FALLBACK_VAR_VALUE[version] + + return raw % ', '.join(map(str, data)) + + +def load_config(file: str, key: str = None) -> (dict, list, None): + with open(file, 'r', encoding='utf-8') as _cnf: + try: + if key is None: + return json_loads(_cnf.read()) + + return json_loads(_cnf.read())[key] + + except JSONDecodeError: + return None + + +def _exec(cmd: (str, list)) -> int: + if isinstance(cmd, str): + cmd = cmd.split(' ') + + with subprocess_popen(cmd, stdout=subprocess_pipe) as p: + _ = p.communicate()[0] + return p.returncode + + +def _reload() -> bool: + print('INFO: Reloading NFTables!') + return _exec(CMD_RELOAD) == 0 + + +def _validate(file: str) -> bool: + return _exec(['sudo', '/usr/sbin/nft', '-cf', file]) == 0 + + +def _write(file: str, content: str): + with open(file, 'w', encoding='utf-8') as config: + config.write(content + '\n\n') + + _exec(['chmod', '640', file]) + + +def _file_hash(file: str) -> str: + if Path(file).exists(): + with open(file, 'rb') as _c: + return md5_hash(_c.read()).hexdigest() + + else: + return md5_hash(b'').hexdigest() + + +def validate_and_write(key: str, lines: list, file: str): + file_out = f'{file}{CONFIG_EXT}' + file_out_path = f'{ADDON_DIR}/{file_out}' + file_tmp = f'{FILE_TMP_PREFIX}{key}_{time()}{CONFIG_EXT}' + file_tmp_main = f'{FILE_TMP_PREFIX}main_{time()}{CONFIG_EXT}' + content = FILE_HEADER + '\n'.join(lines) + '\n' + + _write(file=file_tmp, content=content) + + config_hash = { + 'before': _file_hash(file=file_out_path), + 'after': _file_hash(file=file_tmp), + } + config_changed = config_hash['before'] != config_hash['after'] + + if config_changed: + # create config to include existing main-config; must be valid in combination with new one + addon_includes = '' + + for inc in listdir(ADDON_DIR): + if inc.endswith(CONFIG_EXT) and inc != file_out: + addon_includes += f'include "{ADDON_DIR}/{inc}"\n' + + if BASE_DIR not in ['', ' ']: + addon_includes += f'include "{BASE_DIR}/*{CONFIG_EXT}"\n' + + _write( + file=file_tmp_main, + content=f'include "{file_tmp}"\n' + f'{addon_includes}\n' + ) + + if _validate(file=file_tmp_main): + print('INFO: Test-config validated successfully!') + _write(file=file_out_path, content=content) + + if _validate(file=CONFIG): + print('INFO: Real-config validated successfully!') + _reload() + + else: + raise SystemExit('ERROR: Failed to validate real-config!') + + else: + raise SystemExit('WARN: Failed to validate test-config!') + + _exec(['rm', file_tmp_main]) + + else: + print('INFO: Config unchanged - nothing to do.') + + _exec(['rm', file_tmp]) diff --git a/requirements_lint.txt b/requirements_lint.txt new file mode 100644 index 0000000..54b18e2 --- /dev/null +++ b/requirements_lint.txt @@ -0,0 +1 @@ +pylint \ No newline at end of file