From 12baf1a7d393cc57d33d8705acd77d0c473a95cd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Gustavo=20I=C3=B1iguez=20Goia?= Date: Mon, 16 Dec 2024 21:15:09 +0100 Subject: [PATCH] ui,fw: fixed restoring policies when disabling fw When disabling the fw, we change the default input and output policy to Accept, not to block connections. Due to a problem reloading the fw in the daemon, the policy was not changed as expected. This problem must be fixed in the daemon, but for the time being, sending two configuration changes solves the issue (one for changing the policy, and another one for disabling the fw). Closes: #1225 (cherry picked from commit d825f1e9b0d78611b79eaf8a49d600cf5068ce1a)
---
ui/opensnitch/dialogs/firewall.py | 63 ++++++++++++++++++++----------- 1 file changed, 41 insertions(+), 22 deletions(-)
diff --git a/ui/opensnitch/dialogs/firewall.py b/ui/opensnitch/dialogs/firewall.py
index 93a204e311..691f6b9ad2 100644
--- a/ui/opensnitch/dialogs/firewall.py
+++ b/ui/opensnitch/dialogs/firewall.py
@@ -304,33 +304,52 @@ def change_fw(self, addr, node_cfg): return False def enable_fw(self, enable): - self._disable_widgets(not enable) - if enable: - self._set_status_message(QC.translate("firewall", "Enabling firewall...")) - else: - self._set_status_message(QC.translate("firewall", "Disabling firewall...")) + try: + self._disable_widgets(not enable) + if enable: + self._set_status_message(QC.translate("firewall", "Enabling firewall...")) + else: + self._set_status_message(QC.translate("firewall", "Disabling firewall...")) + + # if previous input policy was DROP, when disabling the firewall it + # must be ACCEPT to allow output traffic. + if not enable and self.comboInput.currentIndex() == self.POLICY_DROP: + self.comboInput.blockSignals(True) + self.comboInput.setCurrentIndex(self.POLICY_ACCEPT) + self.comboInput.blockSignals(False) + for addr in self._nodes.get(): + json_profile = json.dumps(FwProfiles.ProfileAcceptInput.value) + ok, err = self._fw.apply_profile(addr, json_profile) + if not ok: + self._set_status_error( + QC.translate("firewall", "Error applying INPUT ACCEPT profile: {0}".format(err)) + ) + return - # if previous input policy was DROP, when disabling the firewall it - # must be ACCEPT to allow output traffic. - if not enable and self.comboInput.currentIndex() == self.POLICY_DROP: - self.comboInput.blockSignals(True) - self.comboInput.setCurrentIndex(self.POLICY_ACCEPT) - self.comboInput.blockSignals(False) for addr in self._nodes.get(): - json_profile = json.dumps(FwProfiles.ProfileAcceptInput.value) - ok, err = self._fw.apply_profile(addr, json_profile) - if not ok: - print("[firewall] Error applying INPUT ACCEPT profile: {0}".format(err)) + # FIXME: + # Due to how the daemon reacts to events when the fw configuration + # is modified, changing the policy + disabling the fw doesn't work + # as expected. + # The daemon detects that the fw is disabled, and it never changes + # the policy. 
+ # As a workaround to this problem, we send 2 fw changes: + # - one for changing the policy + # - another one for disabling the fw - for addr in self._nodes.get(): - fwcfg = self._nodes.get_node(addr)['firewall'] - fwcfg.Enabled = True if enable else False - self.send_notification(addr, fwcfg) + fwcfg = self._nodes.get_node(addr)['firewall'] + self.send_notification(addr, fwcfg) + time.sleep(0.5) + fwcfg.Enabled = True if enable else False + self.send_notification(addr, fwcfg) + + self.lblStatusIcon.setEnabled(enable) + self.policiesBox.setEnabled(enable) - self.lblStatusIcon.setEnabled(enable) - self.policiesBox.setEnabled(enable) + time.sleep(0.5) - time.sleep(0.5) + except Exception as e: + QC.translate("firewall", "Error: {0}".format(e)) def load_rule(self, addr, uuid): self._fwrule_dialog.load(addr, uuid)
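Review bot: The new `except Exception as e:` handler at the end of enable_fw builds a string with `QC.translate("firewall", "Error: {0}".format(e))` and discards it, so any failure while changing the policy or toggling the firewall is swallowed and the dialog can show a state the daemon never applied. Report it the way the apply_profile failure earlier in the hunk does, e.g. `self._set_status_error(QC.translate("firewall", "Error: {0}").format(e))`; calling `.format()` after `translate` also keeps the source string matchable in the translation catalog. Separately, the two-notification workaround relies on a fixed `time.sleep(0.5)` between sends, and as far as the hunk shows the outcome of `send_notification` is not checked, so a slow daemon could still process the disable before the policy change. A sentence in the FIXME comment stating that timing assumption would help until the daemon-side fix lands.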