WIP: Add support for firewall configuration to the OpenWrt backend

[okraits]

This PR adds support for the firewall configuration to the OpenWRT backend:

https://openwrt.org/docs/guide-user/firewall/firewall_configuration

Todos:

• add rules
• finish converters
• add tests
• add documentation

[nemesifier]

@okraits could you add some tests for this please?
That should help me better understand how this would work.

At some points some basic docs will be needed too, but we can think about those later.

[okraits]

Sure, I will add tests when I think I have finished the converter.

[okraits]

@nemesisdesign I did quite some tests now of the firewall configuration with openwisp-controller and openwisp-config. With my recent bugfixes for openwisp-config this looks good.

But if I run the nosetests then they fail because of the config defined in tests.openwrt.test_default.TestDefault. Does that mean that this config isn't validated by my schema extensions for firewall? I'm not familiar yet with the netjsonconfig tests so I'm a little bit lost here.

[edoput]

The error is that you passed an array instead of an object as the rules for the firewall

Failed validating 'type' in schema['properties']['firewall']:
    OrderedDict([('type', 'object'),
    ...

Changing the schema from object to array fails but does not raise a validation error of your input

index 7b165f2..75aad1c 100644
--- a/netjsonconfig/backends/openwrt/schema.py
+++ b/netjsonconfig/backends/openwrt/schema.py
@@ -474,7 +474,7 @@ schema = merge_config(default_schema, {
             }
         },
         "firewall": {
-            "type": "object",
+            "type": "array",
             "title": "Firewall",
             "additionalProperties": True,
             "propertyOrder": 11,

The test fails but does not raise a validation error

..................................................................F.............................................................................................................................................................................................................................................................................
======================================================================
FAIL: test_render_default (tests.openwrt.test_default.TestDefault)
----------------------------------------------------------------------
Traceback (most recent call last):
  File "/home/edoput/repo/netjsonconfig/tests/openwrt/test_default.py", line 91, in test_render_default
    self.assertEqual(o.render(), expected)
AssertionError: "pack[18 chars]nfig defaults 'defaults'\n\toption config_name[458 chars]s'\n" != "pack[18 chars]nfig rule 'rule_1'\n\toption family 'ipv6'\n\t[700 chars]s'\n"
  package firewall
  
- config defaults 'defaults'
- 	option config_name 'rule'
+ config rule 'rule_1'
+ 	option family 'ipv6'
+ 	list icmp_type '130/0'
+ 	list icmp_type '131/0'
+ 	list icmp_type '132/0'
+ 	list icmp_type '143/0'
+ 	option name 'Allow-MLD'
+ 	option proto 'icmp'
+ 	option src 'wan'
+ 	option src_ip 'fe80::/10'
+ 	option target 'ACCEPT'
+ 
+ config rule 'rule_2'
  	option family 'ipv4'
  	list icmp_type '130/0'
  	list icmp_type '131/0'
  	list icmp_type '132/0'
  	list icmp_type '143/0'
  	option name 'Rule2'
  	option proto 'icmp'
  	option src 'wan'
  	option src_ip '192.168.1.1/24'
  	option target 'ACCEPT'
  
  package luci
  
  config core 'main'
  	option boolean '1'
  	option lang 'auto'
  	option mediaurlbase '/luci-static/bootstrap'
  	option number '4'
  	option resourcebase '/luci-static/resources'


----------------------------------------------------------------------
Ran 336 tests in 14.233s

FAILED (failures=1)

[steffenmllr]

May I ask what the status of this is? Trying to find a sane way to configure a openwrt access point and netjson looks like a good way to do this :)

[okraits]

@steffenmllr The implementation is done for now, but the tests need to be fixed/finished.

[jonathanunderwood]

@okraits Interested to know if you have any plans to pick this up? If not, would you be able to share what you think remains to be done? A quick scan over the commits and I see a few tests. I might have some time available to help move this forward, any guidance would be appreciated.

[nemesifier]

@jonathanunderwood first steps in the right direction are to fix the conflicts with the current master and ensure the build passes, do you think you can do that? If yes I can prepare a branch where we can work together on getting this finished.

@okraits have you been using this solution in your application?

[okraits]

@okraits have you been using this solution in your application?

This is included in our application but I'm not sure if there is a case where we're doing firewall configuration right now.

But afaik it's mostly the tests which need to be fixed/finished to complete this PR.

[jonathanunderwood]

@jonathanunderwood first steps in the right direction are to fix the conflicts with the current master and ensure the build passes, do you think you can do that? If yes I can prepare a branch where we can work together on getting this finished.

Yup, no problem. I'll look at this next week when I am on leave.

[nemesifier]

@jonathanunderwood here: https://github.com/openwisp/netjsonconfig/tree/openwrt-firewall you should have write access to that branch, please keep the authorship of @okraits intact 👍 thanks in advance

[nemesifier]

Closing to continue on #162. @okraits you should have permissions to push on that branch if you need.