ok
Mini Shell
"""This plugin periodically checks set of rules and ipsets,
and recreates it if needed, process block/unblock messages."""
import asyncio
import json
import logging
import os
import time
from contextlib import suppress
from typing import Set
from defence360agent import utils
from defence360agent.contracts.config import UserConfig
from defence360agent.contracts.messages import MessageType
from defence360agent.contracts.plugins import MessageSink, expect
from defence360agent.internals.global_scope import g
from defence360agent.utils import log_error_and_ignore, recurring_check, timeit
from defence360agent.utils.common import DAY, ServiceBase, rate_limit
from im360.contracts.config import Firewall, NetworkInterface
from im360.contracts.config import Protector as Config
from im360.contracts.config import Webshield
from im360.files import GEO, WHITELISTS
from im360.internals.core import IPSetNoRedirectPort, RuleSet, ip_versions
from im360.internals.core.ipset.libipset import IPSetError
from im360.internals.core.firewall import get_firewall
from im360.internals.core.firewall.base import (
FirewallBatchCommandError,
FirewallError,
FirewallTemporaryError,
)
from im360.internals.core.ipset.country import IPSetCountry
from im360.internals.core.ipset.ip import (
IPSetBlack,
IPSetCustomBlacklist,
IPSetCustomWhitelist,
IPSetGray,
IPSetGraySplashScreen,
IPSetIgnore,
IPSetStatic,
IPSetStaticRemoteProxy,
IPSetWhite,
)
from im360.internals.core.ipset.port_deny import (
InputPortBlockingDenyModeIPSet,
OutputPortBlockingDenyModeIPSet,
)
from im360.model.firewall import IPList
from im360.subsys.webshield_mode import Mode as WebshieldMode
from im360.utils.validate import IP, IPVersion
from im360.subsys import smtp_blocking
logger = logging.getLogger(__name__)
class VersionState:
def __init__(self):
self.errors = 0
self.next_try_time = 0.0
self.running = True
class RulesChecker(ServiceBase):
"""Periodically checks if rules exist and if not, recreate them."""
#: delay in secs between two iptables rule/ipsets checks
RULE_CHECK_INTERVAL = int(
os.environ.get("IMUNIFY360_RULE_CHECK_INTERVAL", 30)
)
CONSECUTIVE_ERROR_LIMIT = 10 # retries until giving up
ERROR_THRESHOLD = 10 # disabled IPv6 support after this many failures
RETRY_INTERVAL = 3600 # interval between attempts to enable IPv6
CAPTURE_CSF_LOCK = True
CSF_LOCK_TIMEOUT = 300 # seconds
IPSETS_CHECK_INTERVAL = DAY # seconds
def __init__(self, loop):
super().__init__(loop)
self.ruleset = RuleSet()
# Prevent rules create/destroy public method calls
# from overlapping with @recurring_check->create_rules/destroy_rules()
#
# Use this lock to operate on rules (add to ipset)
# while keeping the rules in consistent state (not half created
# or half destroyed).
self.lock_rules_create_destroy = Config.RULE_EDIT_LOCK
self.active_interface_conf = NetworkInterface.get_interface_conf()
self.versions = {ver: VersionState() for ver in ip_versions.all()}
self._ipsets_outdated_events = {
ver: asyncio.Event() for ver in self.versions
}
self.outdated_ipsets = {ver: set() for ver in ip_versions.all()}
self.ipset_lock = asyncio.Lock()
async def recreate_rules_if_needed(self, recreate_any_way=False) -> None:
# re-reading config file
async with self.lock_rules_create_destroy:
new_conf = NetworkInterface.get_interface_conf()
if not new_conf == self.active_interface_conf:
logger.info(
"Target & ignore interfaces config was changed,"
"recreating rules"
)
await self._destroy_rules_and_sets(self.active_interface_conf)
await self._ensure_rules_exist_for_all_versions(
new_conf, recreate_any_way
)
self.active_interface_conf = new_conf
@recurring_check(RULE_CHECK_INTERVAL, CONSECUTIVE_ERROR_LIMIT)
async def _run(self):
if g.get("shutdown_started"):
logger.info("Shutdown started, stopping rules checker")
return
await self.recreate_rules_if_needed()
await self.check_ipsets_consistent() # pragma: no cover
await self.check_smtp_state_and_reset()
logger.info("IP sets verification and initialization completed")
@rate_limit(period=IPSETS_CHECK_INTERVAL)
@log_error_and_ignore()
async def check_ipsets_consistent(self): # pragma: no cover
await self._check_ipsets_consistent()
async def _check_ipsets_consistent(self):
async with self.lock_rules_create_destroy:
for version, state in self.versions.items():
with timeit(
f"Checking outdated ipsets {version}", log=logger.info
):
if state.running:
if outdated := await self.ruleset.get_outdated_ipsets(
version
):
self.outdated_ipsets[version] = set(
ip_count.name for ip_count in outdated
)
self._ipsets_outdated_events[version].set()
logger.warning(
"%s ipsets are outdated. Recreate them",
outdated,
)
else:
self.outdated_ipsets[version] = set()
async def _ensure_rules(
self, interface_conf, recreate_any_way=False
) -> bool:
now = time.monotonic()
target_versions = set(
version
for version in ip_versions.all()
if (
ip_versions.is_enabled(version)
or self.versions[version].next_try_time < now
)
)
recreated_any = False
has_failed = False
for version in target_versions:
self.versions[version].running = False
try:
async with self.ipset_lock:
r = await self._ensure_for(
version, interface_conf, recreate_any_way
)
recreated_any = recreated_any or r
except (FirewallTemporaryError, IPSetError) as exc:
has_failed = True
logger.info(
"Transient error while creating firewall rules for %s: %s",
version,
exc,
)
except FirewallError as exc:
enabled_ip_version = ip_versions.is_enabled(version)
if enabled_ip_version:
has_failed = True
self.versions[version].errors += 1
if self.versions[version].errors >= self.ERROR_THRESHOLD:
if ip_versions.disable(version):
self.versions[version].next_try_time = (
now + self.RETRY_INTERVAL
)
logger.info(
"%s firewall support is disabled due"
" to multiple consecutive errors",
version,
)
else:
self.versions[version].next_try_time = (
now + self.RETRY_INTERVAL
)
logger.warning(
"Failed to recreate firewall rules for %s %s: %s",
"enabled" if enabled_ip_version else "disabled",
version,
exc,
)
else:
self.versions[version].running = True
self.versions[version].errors = 0
if not ip_versions.is_enabled(version):
ip_versions.enable(version)
logger.info("%s firewall support is enabled", version)
# whether recreated rules for any ip version and no failures
# in creating rules for enabled ip versions
return recreated_any and not has_failed
async def _ensure_rules_exist_for_all_versions(
self, interface_conf=None, recreate_any_way=False
):
interface_conf = interface_conf or self.active_interface_conf
if await self._ensure_rules(interface_conf, recreate_any_way):
logger.info(
"Rules and sets successfully recreated for enabled ip versions"
)
async def _recreate_for(
self,
ip_version: IPVersion,
interface_conf: dict,
recreate_ipsets: bool,
outdated_ipsets: Set[str],
missing_ipsets: Set[str],
redundant_ipsets: Set[str],
recreate_rules: bool,
):
if recreate_rules or redundant_ipsets:
with timeit(f"Destroying rules for {ip_version}", log=logger.info):
await self._destroy_rules(interface_conf, ip_version)
if redundant_ipsets:
with timeit(
f"Destroying redundant ipsets: {redundant_ipsets}",
log=logger.info,
):
await self.ruleset.destroy_ipsets(ip_version, redundant_ipsets)
if missing_ipsets:
with timeit(
f"Creating missing ipsets: {missing_ipsets}", log=logger.info
):
await self.ruleset.fill_ipsets(ip_version, missing_ipsets)
if recreate_rules or redundant_ipsets:
with timeit(f"Recreating rules for {ip_version}", log=logger.info):
await self._create_rules(interface_conf, ip_version)
if recreate_ipsets:
with timeit(f"Recreating ipsets", log=logger.info):
await self.ruleset.recreate_ipsets(ip_version, outdated_ipsets)
async def _ensure_for(
self,
ip_version: IPVersion,
interface_conf: dict,
recreate_any_way=False,
) -> bool:
"""Creates imunify360 ruleset for given IP version in iptables.
If all required ipsets, rules and chains exist, does nothing.
Otherwise recreates everything as required.
Returns True if rules or sets has been (re-)created, False
otherwise."""
existing_ipsets = await self.ruleset.existing_ipsets(ip_version)
required_ipsets = self.ruleset.required_ipsets(ip_version)
redundant_ipsets = set()
missing_ipsets = required_ipsets.copy()
ipsets_ok = (
existing_ipsets == required_ipsets
and not self._ipsets_outdated_events[ip_version].is_set()
)
redundant_ipsets = existing_ipsets - required_ipsets
missing_ipsets -= existing_ipsets
# don't log in case when no existing ipsets, it is OK on start
if existing_ipsets and existing_ipsets != required_ipsets:
_log_ipsets_mismatch(
missing_ipsets=missing_ipsets,
redundant_ipsets=redundant_ipsets,
log=logger.warning,
)
rules_ok = await self._rules_ok(interface_conf, ip_version)
# remove redundant ipsets from outdated ipsets, as they will be
# removed anyway
# remove missing ipsets from outdated ipsets, as they will be
# created anyway
outdated_ipsets = (
self.outdated_ipsets[ip_version]
- redundant_ipsets
- missing_ipsets
)
if g.get("DEBUG"):
logger.info("Required ipsets: %s", required_ipsets)
logger.info("Existing ipsets: %s", existing_ipsets)
logger.info("Missing ipsets: %s", missing_ipsets)
logger.info("Redundant ipsets: %s", redundant_ipsets)
logger.info("Outdated ipsets: %s", outdated_ipsets)
if not (rules_ok and ipsets_ok and not recreate_any_way):
if not ipsets_ok: # ipsets will be re-created
self._ipsets_outdated_events[ip_version].clear()
self.outdated_ipsets[ip_version].clear()
logger.info(
"Rules status for %s [rules: %s], [ipset: %s]",
ip_version,
"ok" if rules_ok else "bad",
"ok" if ipsets_ok else "bad",
)
await self._recreate_for(
ip_version,
interface_conf,
recreate_ipsets=not ipsets_ok,
outdated_ipsets=outdated_ipsets,
redundant_ipsets=redundant_ipsets,
missing_ipsets=missing_ipsets,
recreate_rules=not rules_ok or recreate_any_way,
)
return True
return False
async def _create_rules(
self, interface_conf, ip_version: IPVersion
) -> None:
async with await get_firewall(ip_version) as firewall:
batch = await self.ruleset.create_commands(
firewall, interface_conf, ip_version
)
await firewall.commit(batch)
async def _destroy_rules(
self, interface_conf, ip_version: IPVersion
) -> None:
async with await get_firewall(ip_version) as firewall:
for batch in self.ruleset.destroy_commands(
firewall, interface_conf, ip_version
):
with suppress(FirewallBatchCommandError):
# Command may fail and that is ok
await firewall.commit(batch)
async def _rules_ok(self, interface_conf, ip_version: IPVersion) -> bool:
async with await get_firewall(ip_version) as firewall:
actions = await self.ruleset.check_commands(
firewall, interface_conf, ip_version
)
try:
await firewall.commit(actions)
except FirewallBatchCommandError:
return False
else:
return True
async def _destroy_rules_and_sets(self, interface_conf):
errors = []
for ip_version in ip_versions.enabled():
self.versions[ip_version].running = False
try:
await self._destroy_rules(interface_conf, ip_version)
await self.ruleset.destroy_ipsets(ip_version)
except Exception as e:
errors.append(e)
if not errors:
return
elif len(errors) == 1:
raise errors[0]
elif len(errors) == 2:
# hack: to get "free" readable traceback for both errors
raise errors[1] from errors[0]
else: # pragma: no cover
assert 0, "max 2 ip versions expected"
async def clear_everything(self, interface_conf=None) -> None:
interface_conf = interface_conf or self.active_interface_conf
async with self.lock_rules_create_destroy:
await smtp_blocking.reset_rules_for_all_versions()
await self._destroy_rules_and_sets(interface_conf)
async def check_smtp_state_and_reset(self, check_settings=False):
new_settings = smtp_blocking.read_SMTP_settings()
if check_settings and not self._is_smtp_settings_changed(new_settings):
return
if not await smtp_blocking.is_SMTP_blocking_supported():
return
if await smtp_blocking.conflicts_exist():
await smtp_blocking.reset_rules_for_all_versions()
return
await smtp_blocking.sync_rules_for_all_versions(new_settings)
@staticmethod
def _is_smtp_settings_changed(new_settings):
return any(
active_settings != new_settings
for active_settings in smtp_blocking.get_active_settings_list()
)
class RealProtector(MessageSink):
PROCESSING_ORDER = MessageSink.ProcessingOrder.IPSET_PROTECTOR
SHUTDOWN_PRIORITY = 200 # shuts down last
AVAILABLE_ON_FREEMIUM = False
def __init__(self):
super().__init__()
self._port_blocking_mode = Firewall.port_blocking_mode
self._port_blocking_deny_mode_values = (
self._get_port_blocking_deny_mode_values()
)
# saving webshield status before updating the rules
# (on _rules_checker.start()), to avoid re-checking
# the rules on the 1st ConfigUpdate (on start-up)
self._webshield_status = (
Webshield.ENABLE,
WebshieldMode.wants_redirect(WebshieldMode.get()),
Webshield.SPLASH_SCREEN,
Webshield.PANEL_PROTECTION,
)
async def create_sink(self, loop, rules_checker=None):
"""Create all ipset sets"""
self._loop = loop
self._process_config_update_lock = asyncio.Lock()
self._shutdown_lock = asyncio.Lock()
self._rules_checker = rules_checker or RulesChecker(loop)
self._rules_checker.start()
async def shutdown(self):
async with self._shutdown_lock:
self._rules_checker.should_stop()
await self._rules_checker.wait()
await self._rules_checker.clear_everything()
logger.info("IP sets and rules have been removed successfully.")
def _get_port_blocking_deny_mode_values(self):
return (
Firewall.TCP_IN_IPV4,
Firewall.TCP_OUT_IPV4,
Firewall.UDP_IN_IPV4,
Firewall.UDP_OUT_IPV4,
)
def _get_current_ttl(self, expiration):
if expiration:
return int(expiration - time.time())
return 0
def _rules_running(self, ip_version: IPVersion) -> bool:
return self._rules_checker.versions[ip_version].running
@expect(MessageType.BlockUnblockList)
async def process_block_unblock_list(self, message):
"""Block/unblock in batch in ipset"""
# ipset are reloaded back from the db when rules recreated
async with self._rules_checker.lock_rules_create_destroy:
# remove ips with inactive ip versions
lists = {
"blocklist": {
(ip, listname): properties
for (ip, listname), properties in message[
"blocklist"
].items()
if self._rules_running(IP.type_of(ip))
},
"unblocklist": [
(ip, listname)
for ip, listname in message["unblocklist"]
if self._rules_running(IP.type_of(ip))
],
}
num_tot = sum(map(len, lists.values()))
async def block_unblock_many(IPSet, listname):
"""
Add *listname*'s *blocklist* ips to *IPSet*.
Remove *unblocklist* ips from *IPSet*.
Remove non-*listname*'s *blocklist* ips from *IPSet*
"""
ipset = IPSet()
if not ipset.is_enabled():
logger.warning(
"%s ipset is disabled. Skip block/unblock.",
ipset.__class__.__qualname__,
)
return
to_block = (
(ip, properties)
for (ip, block_listname), properties in lists[
"blocklist"
].items()
if block_listname == listname
)
to_unblock = (
ip
for ip, unblock_listname in lists["unblocklist"]
if unblock_listname == listname
)
await ipset.restore(to_block, to_unblock)
with timeit(
"Restoring to ipset on synclist response %d ips" % num_tot,
logger,
):
await block_unblock_many(IPSetIgnore, IPList.IGNORE)
await block_unblock_many(IPSetGray, IPList.GRAY)
await block_unblock_many(
IPSetGraySplashScreen, IPList.GRAY_SPLASHSCREEN
)
await block_unblock_many(IPSetBlack, IPList.BLACK)
await block_unblock_many(IPSetWhite, IPList.WHITE)
@expect(MessageType.IpsetUpdate)
async def process_ipset_update(self, _):
await self._rules_checker.recreate_rules_if_needed()
@expect(MessageType.FilesUpdated, files_type=WHITELISTS)
async def process_global_whitelist_update(self, _):
# whitelist update will be applied to ipset when rules/ipsets
# are reloaded back from the db
async with self._rules_checker.lock_rules_create_destroy:
logger.info("Applying global white list update")
for ipset in [IPSetStatic(), IPSetStaticRemoteProxy()]:
if ipset.is_enabled():
await ipset.reset()
@expect(MessageType.FilesUpdated, files_type=GEO)
async def update_rules_and_ipset(self, _) -> None:
async with self._rules_checker.lock_rules_create_destroy:
logger.info("Updating ipset rules on geo ip update")
for ip_version in ip_versions.enabled():
await IPSetCountry().restore(ip_version)
@expect(MessageType.UpdateCustomLists)
async def process_custom_lists_update(self, _):
async with self._rules_checker.lock_rules_create_destroy:
await IPSetCustomBlacklist().reset()
await IPSetCustomWhitelist().reset()
logger.info("IPSet custom black and white lists are updated")
@expect(MessageType.ConfigUpdate)
@utils.log_error_and_ignore()
async def process_config_update(self, message):
"""
Recreate firewall rules and/or ipsets if corresponding settings change.
"""
if isinstance(message["conf"], UserConfig):
return # do nothing for non-root config updates
async with self._process_config_update_lock:
await self._rules_checker.check_smtp_state_and_reset()
return await self._on_config_update_unlocked(message)
async def _on_config_update_unlocked(self, message):
recreate = False
current_status = (
Webshield.ENABLE,
WebshieldMode.wants_redirect(WebshieldMode.get()),
Webshield.SPLASH_SCREEN,
Webshield.PANEL_PROTECTION,
)
recreate_any_way = False
if current_status != self._webshield_status:
logger.info(
"Webshield status (Webshield.ENABLE, "
"WebshieldMode.wants_redirect, Webshield.SPLASH_SCREEN, "
"Webshield.PANEL_PROTECTION) changed from %s to %s",
self._webshield_status,
current_status,
)
if Webshield.PANEL_PROTECTION != self._webshield_status[-1]:
recreate_any_way = True
self._webshield_status = current_status
recreate = True
current_port_blocking_mode = Firewall.port_blocking_mode
if self._port_blocking_mode != current_port_blocking_mode:
logger.info(
"Ports blocking mode changed from %s to %s",
self._port_blocking_mode,
current_port_blocking_mode,
)
self._port_blocking_mode = current_port_blocking_mode
recreate = True
if recreate: # recreate everything
await self._rules_checker.recreate_rules_if_needed(
recreate_any_way
)
logger.info("Firewall rules recreated due to ConfigUpdate")
else: # update just port blocking deny mode
if await self._update_port_blocking_deny_mode_ipsets_if_needed():
logger.info("Blocked ports deny mode updated on ConfigUpdate")
async def _update_port_blocking_deny_mode_ipsets_if_needed(self):
updated = False
new_ports_blocking_values = self._get_port_blocking_deny_mode_values()
if new_ports_blocking_values != self._port_blocking_deny_mode_values:
logger.info(
"Port blocking deny mode changed from %s to %s",
_format_ports(self._port_blocking_deny_mode_values),
_format_ports(new_ports_blocking_values),
)
self._port_blocking_deny_mode_values = new_ports_blocking_values
async with self._rules_checker.lock_rules_create_destroy:
sets = [
InputPortBlockingDenyModeIPSet(),
OutputPortBlockingDenyModeIPSet(),
IPSetNoRedirectPort(),
]
for ip_set in sets:
# FIREWALL.port_blocking_mode supports only ipv4
await ip_set.restore(IP.V4)
updated = True
return updated
@expect(MessageType.StrategyChange)
async def on_strategy_change(self, message: MessageType.StrategyChange):
await self._rules_checker.recreate_rules_if_needed()
logger.info(
"Firewall rules recreated due to StrategyChange %s",
message.strategy,
)
def _log_ipsets_mismatch(missing_ipsets, redundant_ipsets, log):
"""Report missing/redundant ipsets."""
assert missing_ipsets or redundant_ipsets
log(
"Detected %s%s%s ipsets while ensuring ipsets/rules%s%s",
"missing" * bool(missing_ipsets),
"/" * bool(missing_ipsets and redundant_ipsets),
"redundant" * bool(redundant_ipsets),
f"; missing ipsets: {missing_ipsets}" * bool(missing_ipsets),
f"; redundant ipsets: {redundant_ipsets}" * bool(redundant_ipsets),
)
def _format_ports(ports):
"""Format ports for logging."""
# note: the order is asserted in unit tests
return json.dumps(
dict(
zip(
"TCP_IN_IPV4 TCP_OUT_IPV4 UDP_IN_IPV4 UDP_OUT_IPV4".split(),
ports,
)
)
)
Zerion Mini Shell 1.0