From 0a565bdd1796f3fca53dfa745f165ada34c228f3 Mon Sep 17 00:00:00 2001
From: James Valleroy
Date: Wed, 21 Jun 2023 21:51:58 -0400
Subject: [PATCH] firewall: Add diagnostic for default zone
Tests:
- Change the firewalld default zone to public, and restart firewalld. The diagnostic is failed.
- Change the default zone back to external, and restart firewalld. The diagnostic is passed.
Signed-off-by: James Valleroy
Reviewed-by: Sunil Mohan Adapa
---
 plinth/modules/firewall/__init__.py | 15 +++++++++++++++
 plinth/modules/firewall/privileged.py | 7 +++++++
 2 files changed, 22 insertions(+)
diff --git a/plinth/modules/firewall/__init__.py b/plinth/modules/firewall/__init__.py
index 1b0340501..46a0b3f8b 100644
--- a/plinth/modules/firewall/__init__.py
+++ b/plinth/modules/firewall/__init__.py
@@ -4,6 +4,7 @@ import contextlib
 import logging
+from django.utils.translation import gettext
 from django.utils.translation import gettext_lazy as _
 from plinth import app as app_module
@@ -94,6 +95,12 @@ class FirewallApp(app_module.App):
 _run_setup()
 return True
+ def diagnose(self):
+ """Run diagnostics and return the results."""
+ results = super().diagnose()
+ results.append(_diagnose_default_zone())
+ return results
+
 def _run_setup():
 """Run firewalld setup."""
@@ -252,3 +259,11 @@ def remove_passthrough(ipv, *args):
 config_direct = _get_dbus_proxy(_CONFIG_OBJECT, _CONFIG_DIRECT_INTERFACE)
 if config_direct.queryPassthrough('(sas)', ipv, args):
 config_direct.removePassthrough('(sas)', ipv, args)
+
+
+def _diagnose_default_zone():
+ """Diagnose whether the default zone is external."""
+ default_zone = privileged.get_default_zone()
+ testname = gettext('Default zone is external')
+ result = 'passed' if default_zone == 'external' else 'failed'
+ return [testname, result]
diff --git a/plinth/modules/firewall/privileged.py b/plinth/modules/firewall/privileged.py
index 6bf4d9ebd..398f68464 100644
--- a/plinth/modules/firewall/privileged.py
+++ b/plinth/modules/firewall/privileged.py
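Review bot: In `_diagnose_default_zone()` (third hunk of `plinth/modules/firewall/__init__.py`), nothing handles a failure of `privileged.get_default_zone()`. The helper added in `privileged.py` uses `subprocess.check_output`, which raises when `firewall-cmd` exits non-zero, for example when firewalld is not running. Presumably that exception propagates out of `diagnose()` and aborts the firewall diagnostics instead of showing a failed row, in the very state an administrator most needs reported. I would build `testname` first and return a failed result from an `except` around the call, as below. A one-line comment on why `external` is the expected default zone would also help the next reader.

```python
def _diagnose_default_zone():
    # … unchanged: docstring …
    testname = gettext('Default zone is external')
    try:
        default_zone = privileged.get_default_zone()
    except Exception:
        # firewall-cmd failed (e.g. firewalld not running): report the check
        # as failed rather than aborting the whole diagnostics run.
        return [testname, 'failed']
    # … unchanged: result computation and return …
```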
@@ -129,3 +129,10 @@ def setup():
 set_firewall_backend('nftables')
 _setup_local_service_protection()
+
+
+@privileged
+def get_default_zone():
+ """Return the firewalld default zone."""
+ output = subprocess.check_output(['firewall-cmd', '--get-default-zone'])
+ return output.decode().strip()
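Review bot: `get_default_zone()` routes a read-only query through the `@privileged` helper, and its docstring gives no reason for that or for how it fails. `__init__.py` apparently already talks to firewalld over D-Bus from the unprivileged side (`_get_dbus_proxy` in `remove_passthrough`), so if the D-Bus policy permits reading the default zone there, doing so would keep the privileged surface smaller. Otherwise I would record the choice and the failure mode in the docstring, e.g. `"""Return the firewalld default zone (queried via firewall-cmd; raises if the command fails)."""`. The function is complete within this hunk.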