<?php
/**
 * Copyright 2016 François Kooman <[email protected]>.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 * http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 */
namespace fkooman\VPN\Server;
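/**
 * Generates an iptables-restore / ip6tables-restore ruleset for the VPN server.
 *
 * The output is built as a list of rule lines: an optional NAT table
 * (MASQUERADE on the external interface) followed by a filter table whose
 * INPUT chain opens a fixed set of management ports plus the UDP ports of the
 * configured OpenVPN instances, and whose FORWARD chain gets one sub-chain per
 * pool restricting what VPN clients may reach.
 *
 * NOTE(review): interface names, pool ids, prefixes and ports are embedded in
 * the rule text verbatim; they are expected to come from the server's own
 * configuration, not from clients. A value containing whitespace or a newline
 * would change the meaning of the generated ruleset — confirm they are
 * validated where the configuration is loaded.
 */
class Firewall
{
    /**
     * Build the IPv4 ruleset (iptables-restore format).
     *
     * @param Pools  $p              the configured VPN pools
     * @param string $extIf          name of the external (uplink) interface
     * @param bool   $useNat         prepend a NAT table masquerading traffic leaving $extIf
     * @param bool   $disableForward when true no per-pool FORWARD rules are emitted, so
     *                               clients cannot reach anything through the server
     * @param bool   $asArray        return the rule lines as an array instead of one string
     *
     * @return array|string rule lines, or the lines joined with PHP_EOL and a trailing PHP_EOL
     */
    public static function getFirewall4(Pools $p, $extIf, $useNat, $disableForward = false, $asArray = false)
    {
        return self::getFirewall($p, 4, $extIf, $useNat, $disableForward, $asArray);
    }

    /**
     * Build the IPv6 ruleset (ip6tables-restore format).
     *
     * Same parameters and return value as getFirewall4(); the NAT table, when
     * requested, is identical for both families (see getNat()).
     *
     * @return array|string
     */
    public static function getFirewall6(Pools $p, $extIf, $useNat, $disableForward = false, $asArray = false)
    {
        return self::getFirewall($p, 6, $extIf, $useNat, $disableForward, $asArray);
    }

    /**
     * Assemble the full ruleset for one address family.
     *
     * @param Pools  $p
     * @param int    $inetFamily     4 or 6; selects the ICMP protocol/reject names and
     *                               which address range of each pool is used
     * @param string $extIf
     * @param bool   $useNat
     * @param bool   $disableForward
     * @param bool   $asArray
     *
     * @return array|string
     */
    private static function getFirewall(Pools $p, $inetFamily, $extIf, $useNat, $disableForward, $asArray)
    {
        $firewall = [];

        // NAT table (optional)
        if ($useNat) {
            $firewall = array_merge($firewall, self::getNat($extIf));
        }

        // FILTER table (always present)
        $firewall = array_merge($firewall, self::getFilter($p, $inetFamily, $extIf, $disableForward));

        if ($asArray) {
            return $firewall;
        }

        // iptables-restore expects one rule per line and a terminating newline
        return implode(PHP_EOL, $firewall).PHP_EOL;
    }

    /**
     * The filter table: default-ACCEPT policies, INPUT and FORWARD chains, COMMIT.
     *
     * The built-in policies are ACCEPT; the actual default-deny is implemented by
     * the explicit REJECT rule at the end of the INPUT and FORWARD chains.
     *
     * @param Pools  $p
     * @param int    $inetFamily
     * @param string $extIf
     * @param bool   $disableForward
     *
     * @return array
     */
    private static function getFilter(Pools $p, $inetFamily, $extIf, $disableForward)
    {
        $filter = [
            '*filter',
            ':INPUT ACCEPT [0:0]',
            ':FORWARD ACCEPT [0:0]',
            ':OUTPUT ACCEPT [0:0]',
        ];

        // INPUT
        $filter = array_merge($filter, self::getInputChain($p, $inetFamily));

        // FORWARD
        $filter = array_merge($filter, self::getForwardChain($p, $inetFamily, $extIf, $disableForward));

        $filter[] = 'COMMIT';

        return $filter;
    }

    /**
     * Rules for traffic addressed to the server itself.
     *
     * Accepts established/related traffic, ICMP, loopback and NEW connections to
     * the ingress ports from getIngressPorts(); everything else is rejected.
     *
     * @param Pools $p
     * @param int   $inetFamily
     *
     * @return array
     */
    private static function getInputChain(Pools $p, $inetFamily)
    {
        $inputChain = [
            '-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT',
            sprintf('-A INPUT -p %s -j ACCEPT', 4 === $inetFamily ? 'icmp' : 'ipv6-icmp'),
            '-A INPUT -i lo -j ACCEPT',
        ];

        foreach (self::getIngressPorts($p) as $inputPort) {
            // entries have the form "proto/port", e.g. "tcp/443"
            list($proto, $port) = explode('/', $inputPort);
            $inputChain[] = sprintf('-A INPUT -m state --state NEW -m %s -p %s --dport %d -j ACCEPT', $proto, $proto, $port);
        }

        // explicit default-deny with an administratively-prohibited ICMP reply
        $inputChain[] = sprintf('-A INPUT -j REJECT --reject-with %s', 4 === $inetFamily ? 'icmp-host-prohibited' : 'icmp6-adm-prohibited');

        return $inputChain;
    }

    /**
     * Rules for traffic routed through the server on behalf of VPN clients.
     *
     * For each pool a user chain "vpn-<id>" is created and packets arriving on a
     * "tun-<id>*" interface with a source in the pool's range are sent to it. The
     * chain accepts client-to-client traffic (if enabled) and either all traffic
     * towards $extIf (default gateway pools) or only the pool's configured routes
     * of this address family. A packet no rule in "vpn-<id>" accepts returns to
     * FORWARD and is rejected by the final rule. With $disableForward set, no
     * per-pool rules are emitted at all.
     *
     * @param Pools  $p
     * @param int    $inetFamily
     * @param string $extIf
     * @param bool   $disableForward
     *
     * @return array
     */
    private static function getForwardChain(Pools $p, $inetFamily, $extIf, $disableForward)
    {
        $forwardChain = [
            '-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT',
        ];

        if (!$disableForward) {
            foreach ($p as $pool) {
                $poolId = $pool->getId();
                // pick the range of the family this ruleset is for
                if (4 === $inetFamily) {
                    $srcNet = $pool->getRange()->getAddressPrefix();
                } else {
                    $srcNet = $pool->getRange6()->getAddressPrefix();
                }

                $forwardChain[] = sprintf('-N vpn-%s', $poolId);
                // only packets that really come from this pool's tunnel AND carry a
                // source address from its range enter the per-pool chain
                $forwardChain[] = sprintf('-A FORWARD -i tun-%s+ -s %s -j vpn-%s', $poolId, $srcNet, $poolId);

                if ($pool->getClientToClient()) {
                    // allow client-to-client
                    $forwardChain[] = sprintf('-A vpn-%s -o tun-%s+ -d %s -j ACCEPT', $poolId, $poolId, $srcNet);
                }

                if ($pool->getDefaultGateway()) {
                    // allow all traffic to the external interface
                    $forwardChain[] = sprintf('-A vpn-%s -o %s -j ACCEPT', $poolId, $extIf);
                } else {
                    // only allow traffic to the pool's routes of this address family
                    foreach ($pool->getRoutes() as $route) {
                        if ($inetFamily === $route->getFamily()) {
                            $forwardChain[] = sprintf('-A vpn-%s -o %s -d %s -j ACCEPT', $poolId, $extIf, $route->getAddressPrefix());
                        }
                    }
                }
            }
        }

        // explicit default-deny for everything not accepted above
        $forwardChain[] = sprintf('-A FORWARD -j REJECT --reject-with %s', 4 === $inetFamily ? 'icmp-host-prohibited' : 'icmp6-adm-prohibited');

        return $forwardChain;
    }

    /**
     * The NAT table: masquerade everything leaving the external interface.
     *
     * Does not depend on the address family; the same lines are used for IPv4
     * and IPv6.
     *
     * @param string $extIf
     *
     * @return array
     */
    private static function getNat($extIf)
    {
        return [
            '*nat',
            ':PREROUTING ACCEPT [0:0]',
            ':OUTPUT ACCEPT [0:0]',
            ':POSTROUTING ACCEPT [0:0]',
            sprintf('-A POSTROUTING -o %s -j MASQUERADE', $extIf),
            'COMMIT',
        ];
    }

    /**
     * Ports the server accepts new connections on, as "proto/port" strings.
     *
     * Always contains tcp/22, tcp/80 and tcp/443; the UDP port of every pool
     * instance is added once. TCP instances are deliberately not added: the
     * intent is UDP with tcp/443 as the only TCP fallback.
     *
     * @param Pools $p
     *
     * @return array list of "proto/port" strings, without duplicates
     */
    private static function getIngressPorts(Pools $p)
    {
        $ingressPorts = ['tcp/22', 'tcp/80', 'tcp/443'];

        // we only care about additional UDP ports, as we only want UDP and
        // fallback to tcp/443
        foreach ($p as $pool) {
            foreach ($pool->getInstances() as $instance) {
                if ('udp' !== $instance->getProto()) {
                    continue;
                }
                $port = sprintf('udp/%d', $instance->getPort());
                if (!in_array($port, $ingressPorts, true)) {
                    $ingressPorts[] = $port;
                }
            }
        }

        return $ingressPorts;
    }
}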