v9.3 feat: OPNsense standalone import module #4761
Draft
tpurschke wants to merge 26 commits into
Adds an initial OPNsense (25ff) firewall importer that reads the full config.xml core backup via the OPNsense API, cherry-picked from CactuseSecurity#4742.

- new fw_modules/opnsense25ff importer package (parser, normalizer, sanitizer, model, helper, fwcommon)
- wire OPNsense25common into common.get_module dispatch
- register 'OPNsense standalone' 25ff device type in stm_dev_typ
- add xmltodict and netaddr_pydantic importer dependencies
- add OPNsense importer API documentation

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Introduce version 9.3 with upgrade/9.3.sql registering the 'OPNsense standalone' 25ff device type so existing installs pick up the new import module on upgrade.

- add roles/database/files/upgrade/9.3.sql (stm_dev_typ id 30)
- bump product_version 9.1.7 -> 9.3
- record 9.3 in develop revision history and version-feature overview

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
…-orchestrator into feat/opnsense-import-module
diff --git a/roles/importer/files/importer/fw_modules/opnsense25ff/opnsense_normalizer.py b/roles/importer/files/importer/fw_modules/opnsense25ff/opnsense_normalizer.py
index 5cbe2912e..4d93353b0 100644
--- a/roles/importer/files/importer/fw_modules/opnsense25ff/opnsense_normalizer.py
+++ b/roles/importer/files/importer/fw_modules/opnsense25ff/opnsense_normalizer.py
@@ -22,7 +22,6 @@ from fw_modules.opnsense25ff.opnsense_model import (
from fw_modules.opnsense25ff.opnsense_parser import parse_opnsense_config
from fwo_base import ConfigAction, sort_and_join
from fwo_base import generate_hash_from_dict as fwo_base_generate_hash_from_dict
-from fwo_const import RULE_NUM_NUMERIC_STEPS
from fwo_log import FWOLogger
from model_controllers.fwconfigmanagerlist_controller import FwConfigManagerListController
from model_controllers.import_state_controller import ImportStateController
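Review bot: dropping the RULE_NUM_NUMERIC_STEPS import is only safe if the use removed further down in _create_rulebases_from_access_rules was the last reference in this module; grep opnsense_normalizer.py for RULE_NUM_NUMERIC_STEPS before merging, because a remaining reference would fail with a NameError only when that code path runs, not at import time, so a quick import smoke test would not catch it.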
@@ -558,7 +557,6 @@ def _upsert_rulebase_rule(
def _create_rulebases_from_access_rules(os_config: OPNsenseConfig, mgm_uid: str) -> list[Rulebase]:
rbs_dict: dict[str, Rulebase] = {}
- rule_num = 0
for rule in os_config.access_rules:
r_normalized = _create_normalized_rule_from_access_rule(rule)
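Review bot: removing `rule_num = 0` here and removing `rule_num += RULE_NUM_NUMERIC_STEPS` in the next hunk are one change; applied alone, this hunk leaves the function raising UnboundLocalError on the first rule. Beyond that, nothing in this loop now records a rule's position within its rulebase, so a one-line comment above `for rule in os_config.access_rules:` saying that rule_num and rule_num_numeric are intentionally left at their model defaults would stop a future reader from reinstating the counter.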
@@ -566,10 +564,6 @@ def _create_rulebases_from_access_rules(os_config: OPNsenseConfig, mgm_uid: str)
if rule_uid is None:
FWOLogger.warning(f"[*] skipping OPNsense rule without uid:\n {rule}")
continue
- # update rule priority
- r_normalized.rule_num = int(rule_num)
- r_normalized.rule_num_numeric = float(rule_num)
- rule_num += RULE_NUM_NUMERIC_STEPS
rulebase_name = _access_rule_rulebase_name(rule, os_config)
if rulebase_name is not None:
_upsert_rulebase_rule(rbs_dict, rulebase_name, mgm_uid, rule_uid, r_normalized)

would fix this open issue:

impact:

I'm currently not sure if suppressing the warnings is worth this impact.
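Review bot: the deleted `# update rule priority` comment was the only place explaining that the numeric rule position was assigned at this spot; since the stated purpose of the removal is to stop the value-mismatch warnings after rule sequence changes, that rationale should survive as a short comment here or in the commit message, together with a pointer to where rule order is now determined. Note also that the `continue` for rules without a uid previously meant skipped rules did not consume a rule number; with the counter gone that no longer matters, but it is a small behaviour change worth stating in the commit message.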
thanks, as rule_num is deprecated and will be removed, your patch is perfectly fine.
Cherry-picks the new OPNsense (25ff) import module from #4742 onto develop, isolated to just the importer module plus the minimal wiring needed to make it functional. Big thanks to our first-time contributor https://github.com/nox-x !
Adds initial support for importing OPNsense firewall configs via the full config.xml core backup API.
What's included
- roles/importer/files/importer/fw_modules/opnsense25ff/ importer package (parser, normalizer, sanitizer, model, helper, fwcommon)
- OPNsense25common into common.get_module dispatch (package name opnsensestandalone25ff)
- OPNsense standalone/25ff device type (dev_typ_id=30) in fworch-fill-stm.sql
- xmltodict and netaddr_pydantic to requirements.txt

What's intentionally NOT included
Only the opnsense25ff module and its required wiring were picked from #4742. The unrelated dependency version downgrades present in that branch (it predates current develop) were excluded.

Notes / open TODOs (carried over from #4742)
This is an initial, still-WIP module. Known open items from the source PR:
- rule_num updates after rule sequence changes emit value-mismatch warnings