Firewall / Aliases - Allow to create firewall rules for logged in OpenVPN users #6312

Closed
2 tasks done
AdSchellevis opened this issue Feb 9, 2023 · 3 comments
Assignees
Labels
feature Adding new functionality roadmap Major roadmap item
Milestone

Comments

@AdSchellevis
Member

Is your feature request related to a problem? Please describe.

It would be practical to support a pattern in which logged-in (Open)VPN users are able to have their own set of firewall rules, in which case we are able to allow certain traffic for groups of users.

Describe the solution you'd like

As we already do have aliases for all sorts of types, the most logical option is to hook an alias type which is maintained in the firewall/aliases section and collects addresses for groups of openvpn users.

Describe alternatives you considered

Pin the addresses using client specific overwrites, but this involves more maintenance and these are not 100% guaranteed to be applied.

@AdSchellevis AdSchellevis added feature Adding new functionality roadmap Major roadmap item labels Feb 9, 2023
@AdSchellevis AdSchellevis self-assigned this Feb 9, 2023
@fichtner fichtner added this to the 23.7 milestone Feb 9, 2023
AdSchellevis added a commit that referenced this issue Feb 15, 2023
o move all pf actions to its own class
o move AliasParser to alias.py to make update_tables.py more readable
AdSchellevis added a commit that referenced this issue Feb 19, 2023
o add targeted alias updates (update a list of aliases including dependencies)

interface alias types need a bit of work still as using __interface types will likely lead to empty targets at the moment.
AdSchellevis added a commit that referenced this issue Feb 20, 2023
o add targeted alias updates (update a list of aliases including dependencies)
o cache non managed aliases as well, so targeted updates have the opportunity to nest these (interface or bogus aliases for example)
o refactor cleanup a bit to store and keep "txt" files for external aliases
AdSchellevis added a commit that referenced this issue Feb 21, 2023
…onnected clients, refactor legacy backend code while here (#6312)
AdSchellevis added a commit that referenced this issue Feb 23, 2023
…onnected clients, refactor legacy backend code while here (#6312)

Eventually the old GUI code should be replaced as well, but this is an easy-to-release step in between, offering nearly the same output (p2p's presentation is aligned with server instead of client) with code we are able to reuse for the OpenVPN aliases.
AdSchellevis added a commit that referenced this issue Feb 23, 2023
…oup membership (auth list groups). requirement for #6312
AdSchellevis added a commit that referenced this issue Feb 23, 2023
Make alias implementations more pluggable by making sure get_parser() always returns objects derived from a common model.
AdSchellevis added a commit that referenced this issue Feb 26, 2023
Make alias implementations more pluggable by making sure get_parser() always returns objects derived from a common model.

Add --types option to request updates on selected types.
AdSchellevis added a commit that referenced this issue Feb 26, 2023
Clean up alias handling, uniforming operations so new types can be adopted more easily.

o move all pf actions to its own class
o move all alias related modules to `lib/alias`
o move AliasParser to alias.py to make update_tables.py more readable
o add targeted alias (type) updates (update a list of aliases including dependencies)
o cache non managed aliases as well, so targeted updates have the opportunity to nest these (interface or bogus aliases for example)
o refactor cleanup a bit to store and keep "txt" files for external aliases
o add `BaseContentParser` type which should be inherited by all parsers and wrap existing types into the new base class.
o add unit tests for all current parsers.
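As an added illustration of the "targeted alias updates including dependencies" point in the commit message above, this is example code written for this page, not OPNsense's own update_tables.py. It works out which aliases a targeted update has to refresh when aliases nest each other, and in which order. The nesting map and alias names are constructed; only the requirement itself (refresh dependants too, and allow unmanaged aliases to be nested) comes from the commit message.

```python
"""
Added example, not OPNsense code: given which aliases nest which, compute the
set a targeted update must refresh and the order to do it in, so a nested
alias is loaded before every alias that includes it.
"""
from typing import Dict, Iterable, List, Set

# Constructed nesting map: alias -> aliases it includes (shape assumed here).
# Unmanaged aliases (lan_hosts) may appear as children without an entry of
# their own, mirroring the "interface or bogus aliases" the commit mentions.
NESTING: Dict[str, Set[str]] = {
    "ovpn_finance": set(),
    "ovpn_admins": set(),
    "corp_nets": set(),
    "finance_allow": {"ovpn_finance", "corp_nets"},
    "all_vpn": {"ovpn_finance", "ovpn_admins"},
    "vpn_and_lan": {"all_vpn", "lan_hosts"},
}


def reverse_deps(nesting: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """alias -> aliases that include it (the edges walked to find dependants)."""
    parents: Dict[str, Set[str]] = {alias: set() for alias in nesting}
    for parent, children in nesting.items():
        for child in children:
            parents.setdefault(child, set()).add(parent)
    return parents


def aliases_to_refresh(requested: Iterable[str], nesting: Dict[str, Set[str]]) -> List[str]:
    """Return the requested aliases plus everything that transitively nests
    them, ordered so each alias comes after the aliases it includes.

    Raises ValueError on a nesting cycle instead of looping forever or
    loading a table from stale contents.
    """
    parents = reverse_deps(nesting)
    needed: Set[str] = set()
    stack = list(requested)
    while stack:
        alias = stack.pop()
        if alias in needed:
            continue
        needed.add(alias)
        stack.extend(parents.get(alias, ()))

    order: List[str] = []
    state: Dict[str, str] = {}

    def visit(alias: str) -> None:
        if state.get(alias) == "done":
            return
        if state.get(alias) == "active":
            raise ValueError(f"alias nesting cycle through {alias}")
        state[alias] = "active"
        for child in nesting.get(alias, ()):
            if child in needed:  # children outside the refresh set are already current
                visit(child)
        state[alias] = "done"
        order.append(alias)

    for alias in sorted(needed):  # sorted input gives a deterministic order
        visit(alias)
    return order


if __name__ == "__main__":
    # Refreshing the OpenVPN group alias also refreshes every alias built on it.
    print(aliases_to_refresh(["ovpn_finance"], NESTING))
```

The order matters for pf: if `finance_allow` were rebuilt from the cached contents of `ovpn_finance` before `ovpn_finance` itself was refreshed, a user who just disconnected would stay allowed for one more cycle.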
AdSchellevis added a commit that referenced this issue Feb 27, 2023
…nVPN user groups. (#6312)

o extend model with authgroup type (currently only for OpenVPN)
o add controller action to list user groups
o modify alias form to show group list in a similar way as network groups, simplify some of the code to prevent copying.
AdSchellevis added a commit that referenced this issue Feb 28, 2023
…nVPN user groups. (#6312)

o extend model with authgroup type (currently only for OpenVPN)
o add controller action to list user groups
o modify alias form to show group list in a similar way as network groups, simplify some of the code to prevent copying.
o add AuthGroup parser to glue the output of list_group_members.php and ovpn_status.py to a set of addresses per group for our new authgroup alias type to use
o hook 'learn-address' event in openvpn to trigger an alias update

Although theoretically we could pass addresses and common_names from learn-address further in our pipeline, for now we choose to use a common approach which should always offer the correct dataset (also after changing aliases and re-applying them). If for some reason this isn't fast enough, there are always options available to improve the situation, but usually at a cost in terms of complexity.
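The commit message above describes gluing group membership to the OpenVPN client list and triggering a refresh from `learn-address`. The following is an added example written for this page, not the AuthGroup parser or any other OPNsense code. It builds per-group address sets from a constructed OpenVPN status dump (the `CLIENT_LIST` column layout is OpenVPN's `--status-version 2` format) and a constructed membership map, emits the `pfctl` table commands that would load them, and shows a `learn-address` hook that only signals "refresh" rather than patching the table from the event arguments, which is the design choice the commit message explains. The membership map shape, the table naming (prefix plus group name) and the hook's return contract are assumptions made here.

```python
"""
Added example, not OPNsense code: derive per-group address sets for an
"authgroup" style alias and the pfctl commands to load them.
"""
import ipaddress
import shlex
import sys
from typing import Dict, List, Set

# Constructed sample in the layout `openvpn --status-version 2` writes.
STATUS_V2 = """\
TITLE,OpenVPN 2.6.0 (constructed sample)
TIME,2023-03-01 10:00:00,1677664800
HEADER,CLIENT_LIST,Common Name,Real Address,Virtual Address,Virtual IPv6 Address,Bytes Received,Bytes Sent,Connected Since,Connected Since (time_t),Username,Client ID,Peer ID,Data Channel Cipher
CLIENT_LIST,alice,198.51.100.10:51820,10.8.0.6,fd00:8::1006,1000,2000,2023-03-01 09:55:00,1677664500,alice,0,0,AES-256-GCM
CLIENT_LIST,bob,203.0.113.7:40000,10.8.0.10,,500,700,2023-03-01 09:58:00,1677664680,bob,1,1,AES-256-GCM
CLIENT_LIST,carol-laptop,203.0.113.9:40001,10.8.0.14,,100,100,2023-03-01 09:59:00,1677664740,UNDEF,2,2,AES-256-GCM
HEADER,ROUTING_TABLE,Virtual Address,Common Name,Real Address,Last Ref,Last Ref (time_t)
ROUTING_TABLE,10.8.0.6,alice,198.51.100.10:51820,2023-03-01 09:55:00,1677664500
END
"""

# Constructed membership map (group -> users); shape assumed here. A member
# that is not connected (dave) must contribute no addresses.
GROUP_MEMBERS: Dict[str, Set[str]] = {
    "vpn-admins": {"alice"},
    "vpn-finance": {"alice", "bob"},
    "vpn-guests": {"carol-laptop"},
    "vpn-ops": {"dave"},
}


def parse_client_list(status_text: str) -> Dict[str, Set[str]]:
    """Map each connected identity to the virtual addresses OpenVPN assigned it.

    The identity is the authenticated Username; when it is UNDEF (certificate
    only authentication) fall back to the certificate's Common Name. Values
    that do not parse as addresses are dropped, never pushed into a table.
    """
    clients: Dict[str, Set[str]] = {}
    for line in status_text.splitlines():
        fields = line.split(",")
        if fields[0] != "CLIENT_LIST" or len(fields) < 10:
            continue
        common_name, virtual_v4, virtual_v6, username = fields[1], fields[3], fields[4], fields[9]
        ident = common_name if username in ("", "UNDEF") else username
        addrs = clients.setdefault(ident, set())
        for raw in (virtual_v4, virtual_v6):
            if not raw:
                continue
            try:
                addrs.add(str(ipaddress.ip_address(raw)))
            except ValueError:
                continue
    return clients


def group_addresses(members: Dict[str, Set[str]], clients: Dict[str, Set[str]]) -> Dict[str, Set[str]]:
    """Join membership with the live client list: group -> its connected members' addresses."""
    return {group: set().union(*(clients.get(user, set()) for user in users))
            for group, users in members.items()}


def pfctl_commands(alias_prefix: str, groups: Dict[str, Set[str]]) -> List[str]:
    """One pfctl table command per group alias (table name = prefix + group, assumed).

    An empty group flushes its table so rules referencing it stop matching;
    a non-empty one replaces the table contents in a single operation.
    """
    cmds: List[str] = []
    for group, addrs in sorted(groups.items()):
        table = shlex.quote(f"{alias_prefix}{group}")
        if addrs:
            cmds.append(f"pfctl -t {table} -T replace " + " ".join(sorted(addrs)))
        else:
            cmds.append(f"pfctl -t {table} -T flush")
    return cmds


def learn_address_hook(argv: List[str]) -> bool:
    """Decide whether a learn-address invocation should trigger a full refresh.

    OpenVPN runs the script as: <operation> <address> [<common_name>], where
    operation is add, update or delete (delete carries no common name). The
    address and name are deliberately not used to edit the table directly:
    the refresh rebuilds from the complete status data, so the table converges
    to the correct set even after a missed event or a re-applied alias.
    """
    if len(argv) < 2:
        return False
    return argv[0] in ("add", "update", "delete")


if __name__ == "__main__":
    if len(sys.argv) > 1 and learn_address_hook(sys.argv[1:]):
        print("refresh requested by learn-address:", sys.argv[1:])
    for cmd in pfctl_commands("ovpn_", group_addresses(GROUP_MEMBERS, parse_client_list(STATUS_V2))):
        print(cmd)
```

One caveat the join makes visible: membership is keyed by username, so on a server doing certificate-only authentication the Common Name is what gets matched, and the CA's issuing policy then becomes the group boundary. The UNDEF fallback is only safe where every certificate is issued by a CA the firewall administrator controls.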
AdSchellevis added a commit that referenced this issue Mar 1, 2023
…oup membership (auth list groups). requirement for #6312

redux (use group ids instead of names), correction on a6a4f22 as group names may be changed.
AdSchellevis added a commit that referenced this issue Mar 1, 2023
…nVPN user groups. (#6312) (#6367)

o extend model with authgroup type (currently only for OpenVPN)
o add controller action to list user groups
o modify alias form to show group list in a similar way as network groups, simplify some of the code to prevent copying.
o add AuthGroup parser to glue the output of list_group_members.php and ovpn_status.py to a set of addresses per group for our new authgroup alias type to use
o hook 'learn-address' event in openvpn to trigger an alias update

Although theoretically we could pass addresses and common_names from learn-address further in our pipeline, for now we choose to use a common approach which should always offer the correct dataset (also after changing aliases and re-applying them). If for some reason this isn't fast enough, there are always options available to improve the situation, but usually at a cost in terms of complexity.
fichtner pushed a commit that referenced this issue Mar 3, 2023
…oup membership (auth list groups). requirement for #6312

(cherry picked from commit a6a4f22)
(cherry picked from commit 0641671)
(cherry picked from commit 0aa9e0b)
fichtner pushed a commit that referenced this issue Mar 14, 2023
…onnected clients

PR: #6312

(cherry picked from commit bb1aa66)
(cherry picked from commit 9975cc9)
(cherry picked from commit c56ad1f)
fichtner pushed a commit that referenced this issue Mar 24, 2023
PR: #6312

(cherry picked from commit 78b76cb)
(cherry picked from commit 88a8a97)
(cherry picked from commit 06cbfb5)
fichtner pushed a commit that referenced this issue Apr 13, 2023
…nVPN user groups. (#6312) (#6367)

(cherry picked from commit bee2f89)
(cherry picked from commit 2d31af2)
@rene-bayer
Contributor

Please extend this to IPSEC Users (IKEv2 Mobile VPN)!

@jerryhze

jerryhze commented May 9, 2023

> Please extend this to IPSEC Users (IKEv2 Mobile VPN)!

amen!

@fichtner
Member

fichtner commented May 9, 2023

Let's try not to rush this ;) It was discussed but we have other priorities at the moment.
