From b1685d8e467d755fa1cf7203a82b63f2a115cb05 Mon Sep 17 00:00:00 2001
From: Ad Schellevis
Date: Thu, 1 Feb 2024 14:05:12 +0100
Subject: [PATCH] Services: Kea DHCP [new]: Kea DHCPv4 - add optional automatic firewall rules for dhcpv4 access. closes https://github.com/opnsense/core/issues/7188

---
 src/etc/inc/plugins.inc.d/kea.inc             | 39 +++++++++++++++++++
 .../OPNsense/Kea/forms/generalSettings4.xml   |  6 +++
 .../mvc/app/models/OPNsense/Kea/KeaDhcpv4.php | 11 ++++++
 .../mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml |  6 ++-
 4 files changed, 61 insertions(+), 1 deletion(-)

diff --git a/src/etc/inc/plugins.inc.d/kea.inc b/src/etc/inc/plugins.inc.d/kea.inc
index b510e7c5fb7..6028e9ffe30 100644
--- a/src/etc/inc/plugins.inc.d/kea.inc
+++ b/src/etc/inc/plugins.inc.d/kea.inc
@@ -54,6 +54,45 @@ function kea_syslog()
 }
+function kea_firewall($fw)
+{
+    global $config;
+    $keav4 = new \OPNsense\Kea\KeaDhcpv4();
+    if ($keav4->fwrulesEnabled()) {
+        // automatic (IPv4) rules enabled
+        foreach (explode(',', $keav4->general->interfaces) as $intf) {
+            $fw->registerFilterRule(
+                1,
+                [
+                    'protocol' => 'udp',
+                    'direction' => 'in',
+                    'from_port' => 68,
+                    'to' => '255.255.255.255',
+                    '#ref' => 'ui/kea/dhcp/v4',
+                    'to_port' => 67,
+                    'interface' => $intf,
+                    'descr' => 'allow access to DHCP server',
+                    'log' => !isset($config['syslog']['nologdefaultpass'])
+                ]
+            );
+            $fw->registerFilterRule(
+                1,
+                [
+                    'protocol' => 'udp',
+                    'direction' => 'in',
+                    'from_port' => 68,
+                    'to' => '(self)',
+                    '#ref' => 'ui/kea/dhcp/v4',
+                    'to_port' => 67,
+                    'interface' => $intf,
+                    'descr' => 'allow access to DHCP server',
+                    'log' => !isset($config['syslog']['nologdefaultpass'])
+                ]
+            );
+        }
+    }
+}
+
 function kea_xmlrpc_sync()
 {
     $result = [];
diff --git a/src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/generalSettings4.xml b/src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/generalSettings4.xml
index 04b4de9e1ed..e2c82fe9fbe 100644
--- a/src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/generalSettings4.xml
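Review bot: Both rules in kea_firewall match only packets with source port 68, so a DHCP relay agent, which forwards client requests from port 67 to the server's unicast address, is not admitted by the `(self)` rule and relayed deployments would still need a manual rule; if relays are meant to be covered, drop `'from_port' => 68` from the second rule, otherwise that limitation belongs in the option's help text. The rules carry no `from` restriction, which is correct for DHCP (clients send from 0.0.0.0), but deserves a comment so nobody later "tightens" it. kea_firewall also has no docblock; add `/** register the automatic IPv4 DHCP server filter rules (UDP 68 -> 67 to broadcast and to the firewall itself) on each configured interface when the model enables them; logging follows syslog.nologdefaultpass */`. Whether `explode(',', ...)` can yield empty entries depends on validation of the interfaces field, which is outside this hunk; a `if ($intf === '') { continue; }` guard at the top of the loop would be cheap insurance.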
+++ b/src/opnsense/mvc/app/controllers/OPNsense/Kea/forms/generalSettings4.xml
@@ -21,6 +21,12 @@ text Defines how long the addresses (leases) given out by the server are valid (in seconds) + + dhcpv4.general.fwrules + + checkbox + Automatically add a basic set of firewall rules to allow dhcp traffic, more fine grained controls can be offered manually when disabling this option. + header
diff --git a/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php b/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
index 5fda86f59d9..7ef659725bb 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
+++ b/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.php
@@ -65,4 +65,15 @@ public function setNodes($data)
         }
         return parent::setNodes($data);
     }
+
+    /**
+     * should filter rules be enabled
+     * @return bool
+     */
+    public function fwrulesEnabled()
+    {
+        return (string)$this->general->enabled == '1' &&
+            (string)$this->general->fwrules == '1' &&
+            !empty((string)(string)$this->general->interfaces);
+    }
 }
diff --git a/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml b/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml
index 201a73bc292..b32705d67fd 100644
--- a/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml
+++ b/src/opnsense/mvc/app/models/OPNsense/Kea/KeaDhcpv4.xml
@@ -1,6 +1,6 @@ //OPNsense/Kea/dhcp4 - 0.0.1 + 1.0.0 Kea DHCPv4 configuration
@@ -15,6 +15,10 @@ 4000 Y + + Y + 1 +
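Review bot: The help text added for `dhcpv4.general.fwrules` reads awkwardly ("more fine grained controls can be offered manually when disabling this option") and does not tell the user which interfaces the rules will open, which matters for an option that inserts pass rules; suggest `Automatically add a basic set of firewall rules allowing DHCP traffic on the selected interfaces. Disable this option to manage the rules manually with more fine-grained control.` The XML markup of this hunk was stripped in this rendering, so the exact element the text sits in is inferred.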
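Review bot: fwrulesEnabled compares with loose `==`, so even after the `(string)` cast PHP's numeric-string rules apply ('1.0' == '1' is true); assuming the model's boolean fields hold '0'/'1', `===` is the safer comparison, and the doubled `(string)(string)` cast on the interfaces line can be a single cast: `return (string)$this->general->enabled === '1' &&` / `(string)$this->general->fwrules === '1' &&` / `!empty((string)$this->general->interfaces);`. A `: bool` return type on the signature would let the engine enforce what the `@return bool` docblock only promises. The enclosing KeaDhcpv4 class begins outside the hunk.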