feat: ipsec, add zone function

NethServer · Nov 7, 2023 · c06d6ed · c06d6ed
1 parent 916b744
commit c06d6ed
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 1 deletion.
diff --git a/src/nethsec/ipsec/__init__.py b/src/nethsec/ipsec/__init__.py
@@ -78,3 +78,17 @@ def open_firewall_ports(uci):
 
     if not nat_accepted or not ike_accept or not esp_accepted:
         uci.save('firewall')
+
+def add_trusted_interface(uci, interface):
+    '''
+    Add the interface to the 'ipsec' trusted zone. The function also creates the trusted zone, if needed.
+
+    Changes are saved to staging area.
+
+    Arguments:
+      - uci -- EUci pointer
+    '''
+    if firewall.zone_exists(uci, IPSEC_ZONE):
+        firewall.add_interface_to_zone(uci, interface, IPSEC_ZONE)
+    else:
+        firewall.add_trusted_zone(uci, IPSEC_ZONE, [interface])
diff --git a/tests/test_ipsec.py b/tests/test_ipsec.py
@@ -56,11 +56,35 @@ def test_open_firewall_ports(e_uci_with_data):
     nat = ike = esp = False
     for r in utils.get_all_by_type(e_uci_with_data, 'firewall', 'rule'):
         name = e_uci_with_data.get('firewall', r, 'name')
-        print(name)
         if name == 'Allow-IPSec-NAT':
             nat = True
         elif name == 'Allow-IPSec-IKE':
             ike = True
         elif name == 'Allow-IPSec-ESP':
             esp = True
     assert (nat and ipsec and esp)
+
+def test_add_trusted_interface(e_uci_with_data):
+    ipsec.add_trusted_interface(e_uci_with_data, 'ipsec1')
+    count = 0
+    zid = ''
+    # check the zone has been created
+    for section in e_uci_with_data.get_all('firewall'):
+        if e_uci_with_data.get('firewall', section) == 'zone':
+            if e_uci_with_data.get('firewall', section, 'name') == ipsec.IPSEC_ZONE:
+                count = count + 1
+                zid = section
+    assert(count == 1)
+    assert(zid)
+    assert(e_uci_with_data.get_all('firewall', zid, 'network') == ('ipsec1',))
+    # check the zone has not been duplicated
+    count = 0
+    ipsec.add_trusted_interface(e_uci_with_data, 'ipsec2')
+    for section in e_uci_with_data.get_all('firewall'):
+        if e_uci_with_data.get('firewall', section) == 'zone':
+            if e_uci_with_data.get('firewall', section, 'name') == ipsec.IPSEC_ZONE:
+                count = count + 1
+    assert(count == 1)
+    assert('ipsec1' in e_uci_with_data.get_all('firewall', zid, 'network'))
+    assert('ipsec2' in e_uci_with_data.get_all('firewall', zid, 'network'))
+