From be91d8e4e4e4f58720dd05da6d262e6fc6897d08 Mon Sep 17 00:00:00 2001
From: James Valleroy
Date: Thu, 22 Jun 2023 16:53:30 -0400
Subject: [PATCH] firewall: Add diagnostic check for backend

Tests:
- Change the backend to iptables, and restart firewalld. The diagnostic is failed.
- Change the backend back to nftables, and restart firewalld. The diagnostic is passed.
Signed-off-by: James Valleroy
[sunil: Use augeas transform operation]
Signed-off-by: Sunil Mohan Adapa
Reviewed-by: Sunil Mohan Adapa
---
 plinth/modules/firewall/__init__.py | 16 ++++++++++++----
 plinth/modules/firewall/privileged.py | 19 ++++++++++++++++---
 2 files changed, 28 insertions(+), 7 deletions(-)

diff --git a/plinth/modules/firewall/__init__.py b/plinth/modules/firewall/__init__.py
index 46a0b3f8b..36b50925c 100644
--- a/plinth/modules/firewall/__init__.py
+++ b/plinth/modules/firewall/__init__.py
@@ -98,7 +98,9 @@ class FirewallApp(app_module.App):
 def diagnose(self):
 """Run diagnostics and return the results."""
 results = super().diagnose()
- results.append(_diagnose_default_zone())
+ config = privileged.get_config()
+ results.append(_diagnose_default_zone(config))
+ results.append(_diagnose_firewall_backend(config))
 return results


@@ -261,9 +263,15 @@ def remove_passthrough(ipv, *args):
 config_direct.removePassthrough('(sas)', ipv, args)


-def _diagnose_default_zone():
+def _diagnose_default_zone(config):
 """Diagnose whether the default zone is external."""
- default_zone = privileged.get_default_zone()
 testname = gettext('Default zone is external')
- result = 'passed' if default_zone == 'external' else 'failed'
+ result = 'passed' if config['default_zone'] == 'external' else 'failed'
+ return [testname, result]
+
+
+def _diagnose_firewall_backend(config):
+ """Diagnose whether the firewall backend is nftables."""
+ testname = gettext('Firewall backend is nftables')
+ result = 'passed' if config['backend'] == 'nftables' else 'failed'
 return [testname, result]
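Review bot: `_diagnose_firewall_backend` compares `config['backend']` with the literal `'nftables'`, but the value comes from `aug.get('FirewallBackend')` in privileged.py, which returns None when the key is absent or commented out in firewalld.conf. firewalld documents nftables as the backend used when the option is unset, so a host that is effectively on nftables would be reported as 'failed'. If an unset key should count as the built-in default, normalise before comparing, e.g. `backend = config['backend'] or 'nftables'`. Otherwise the docstring should state that an unset `FirewallBackend` is reported as failed, so an operator reading the diagnostic knows what to fix.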
diff --git a/plinth/modules/firewall/privileged.py b/plinth/modules/firewall/privileged.py
index 398f68464..8d86d3800 100644
--- a/plinth/modules/firewall/privileged.py
+++ b/plinth/modules/firewall/privileged.py
@@ -132,7 +132,20 @@ def setup():


 @privileged
-def get_default_zone():
- """Return the firewalld default zone."""
+def get_config():
+ """Return firewalld configuration for diagnostics."""
+ config = {}
+
 output = subprocess.check_output(['firewall-cmd', '--get-default-zone'])
- return output.decode().strip()
+ config['default_zone'] = output.decode().strip()
+
+ conf_file = '/etc/firewalld/firewalld.conf'
+ aug = augeas.Augeas(flags=augeas.Augeas.NO_LOAD +
+ augeas.Augeas.NO_MODL_AUTOLOAD)
+ aug.transform('Shellvars', conf_file)
+ aug.set('/augeas/context', '/files' + conf_file)
+ aug.load()
+
+ config['backend'] = aug.get('FirewallBackend')
+
+ return config
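Review bot: `config['backend']` in `get_config` is the value written in /etc/firewalld/firewalld.conf, not the backend the running daemon loaded, so the diagnostic can report 'passed' while firewalld is still filtering with the previous backend until it is restarted (the commit's own test steps restart firewalld after every change). The docstring should say so, e.g. `"""Return firewalld configuration for diagnostics. 'backend' is the FirewallBackend value configured in firewalld.conf; it takes effect only after firewalld restarts."""`. Separately, `subprocess.check_output` raises when `firewall-cmd` exits non-zero, which now also discards the file-only backend read. It is worth confirming that losing both results in that case is intended.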