Services: Kea DHCP [new]: Kea DHCPv4 - add optional automatic firewal…

…l rules for dhcpv4 access. closes #7188
opnsense · Feb 1, 2024 · b1685d8 · b1685d8
1 parent 46e0bc6
commit b1685d8
Show file tree

Hide file tree

Showing 4 changed files with 61 additions and 1 deletion.
diff --git a/src/etc/inc/plugins.inc.d/kea.inc b/src/etc/inc/plugins.inc.d/kea.inc
@@ -54,6 +54,45 @@ function kea_syslog()
 }
 
 
+function kea_firewall($fw)
+{
+    global $config;
+    $keav4 = new \OPNsense\Kea\KeaDhcpv4();
+    if ($keav4->fwrulesEnabled()) {
+        // automatic (IPv4) rules enabled
+        foreach (explode(',', $keav4->general->interfaces) as $intf) {
+            $fw->registerFilterRule(
+                1,
+                [
+                    'protocol' => 'udp',
+                    'direction' => 'in',
+                    'from_port' => 68,
+                    'to' => '255.255.255.255',
+                    '#ref' => 'ui/kea/dhcp/v4',
+                    'to_port' => 67,
+                    'interface' => $intf,
+                    'descr' => 'allow access to DHCP server',
+                    'log' => !isset($config['syslog']['nologdefaultpass'])
+                ]
+            );
+            $fw->registerFilterRule(
+                1,
+                [
+                    'protocol' => 'udp',
+                    'direction' => 'in',
+                    'from_port' => 68,
+                    'to' => '(self)',
+                    '#ref' => 'ui/kea/dhcp/v4',
+                    'to_port' => 67,
+                    'interface' => $intf,
+                    'descr' => 'allow access to DHCP server',
+                    'log' => !isset($config['syslog']['nologdefaultpass'])
+                ]
+            );
+        }
+    }
+}
+
 function kea_xmlrpc_sync()
 {
     $result = [];

diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/generalSettings4.xml b/src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/generalSettings4.xml
@@ -21,6 +21,12 @@
         <type>text</type>
         <help>Defines how long the addresses (leases) given out by the server are valid (in seconds)</help>
     </field>
+    <field>
+        <id>dhcpv4.general.fwrules</id>
+        <label>Firewall rules</label>
+        <type>checkbox</type>
+        <help>Automatically add a basic set of firewall rules to allow dhcp traffic, more fine grained controls can be offered manually when disabling this option.</help>
+    </field>
     <field>
         <type>header</type>
         <label>High Availability</label>

diff --git a/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php b/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
@@ -65,4 +65,15 @@ public function setNodes($data)
         }
         return parent::setNodes($data);
     }
+
+    /**
+     * should filter rules be enabled
+     * @return bool
+     */
+    public function fwrulesEnabled()
+    {
+        return  (string)$this->general->enabled == '1' &&
+                (string)$this->general->fwrules == '1' &&
+                !empty((string)(string)$this->general->interfaces);
+    }
 }
diff --git a/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml b/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml
@@ -1,6 +1,6 @@
 <model>
     <mount>//OPNsense/Kea/dhcp4</mount>
-    <version>0.0.1</version>
+    <version>1.0.0</version>
     <description>Kea DHCPv4 configuration</description>
     <items>
         <general>
@@ -15,6 +15,10 @@
                 <Default>4000</Default>
                 <Required>Y</Required>
             </valid_lifetime>
+            <fwrules type="BooleanField">
+                <Required>Y</Required>
+                <Default>1</Default>
+            </fwrules>
         </general>
         <ha>
             <enabled type="BooleanField">