#include "Firewall.h" ESPFirewall::ESPFirewall(int api_port) { this->setup_eeprom(); this->setup_certificate(); this->setup_firewall_api(api_port); } void ESPFirewall::handle_firewall_api_clients() { this->firewall_api->loop(); } String ESPFirewall::protocol_to_string(firewall_protocol_t &protocol) { switch (protocol) { case FW_TCP: return "TCP"; case FW_UDP: return "UDP"; default: return "ALL"; } } firewall_protocol_t ESPFirewall::string_to_protocol(std::string &protocol) { if (protocol.compare("TCP") == 0) return FW_TCP; else if (protocol.compare("UDP") == 0) return FW_UDP; else return FW_ALL; } String ESPFirewall::target_to_string(firewall_target_t &target) { switch (target) { case FW_REJECT: return "REJECT"; case FW_DROP: return "DROP"; default: return "ACCEPT"; } } firewall_target_t ESPFirewall::string_to_target(std::string &target) { if (target.compare("REJECT") == 0) return FW_REJECT; else if (target.compare("DROP") == 0) return FW_DROP; else return FW_ACCEPT; } void ESPFirewall::setup_eeprom() { EEPROM.begin(this->eeprom_size); this->amount_of_rules = EEPROM.read(this->eeprom_settings_head); uint8_t security_number = EEPROM.read(this->eeprom_settings_head + 1); if (this->amount_of_rules > 50 || security_number != this->security_number) { this->amount_of_rules = 0; EEPROM.write(this->eeprom_settings_head, this->amount_of_rules); EEPROM.write(this->eeprom_settings_head + 1, this->security_number); EEPROM.commit(); } log_i("Amount of existing Rules %i", this->amount_of_rules); this->eeprom_read_firewall_rules(); } void ESPFirewall::eeprom_write_firewall_rule(firewall_rule_t *rule_ptr) { EEPROM.write(this->eeprom_settings_head, this->amount_of_rules); EEPROM.writeString(this->eeprom_rules_head, rule_ptr->source); this->eeprom_rules_head += IP4ADDR_STRLEN_MAX; EEPROM.writeString(this->eeprom_rules_head, rule_ptr->destination); this->eeprom_rules_head += IP4ADDR_STRLEN_MAX; EEPROM.write(this->eeprom_rules_head, rule_ptr->protocol); this->eeprom_rules_head += sizeof(firewall_protocol_t); EEPROM.write(this->eeprom_rules_head, rule_ptr->target); this->eeprom_rules_head += sizeof(firewall_target_t); EEPROM.commit(); } void ESPFirewall::eeprom_write_firewall_rules() { this->eeprom_rules_head = eeprom_start_firewall_rules; firewall_rule_t *rule_ptr = this->head; while (rule_ptr != NULL) { this->eeprom_write_firewall_rule(rule_ptr); rule_ptr = rule_ptr->next; } } void ESPFirewall::eeprom_read_firewall_rule(uint8_t &eeprom_address, uint8_t &rule_nr) { firewall_rule_t *rule_ptr = (firewall_rule_t *)malloc(sizeof(firewall_rule_t)); rule_ptr->key = rule_nr; strcpy(rule_ptr->source, EEPROM.readString(eeprom_address).c_str()); eeprom_address += IP4ADDR_STRLEN_MAX; strcpy(rule_ptr->destination, EEPROM.readString(eeprom_address).c_str()); eeprom_address += IP4ADDR_STRLEN_MAX; rule_ptr->protocol = static_cast(EEPROM.read(eeprom_address)); eeprom_address += sizeof(firewall_protocol_t); rule_ptr->target = static_cast(EEPROM.read(eeprom_address)); eeprom_address += sizeof(firewall_target_t); add_rule_to_firewall(rule_ptr); log_i("%s, %s, %s, %s", rule_ptr->source, rule_ptr->destination, protocol_to_string(rule_ptr->protocol), target_to_string(rule_ptr->target)); } void ESPFirewall::eeprom_read_firewall_rules() { uint8_t eeprom_address = eeprom_start_firewall_rules; for (uint8_t i = 1; i <= this->amount_of_rules; i++) { eeprom_read_firewall_rule(eeprom_address, i); } } void ESPFirewall::add_rule_to_firewall(firewall_rule_t *rule_ptr) { firewall_rule_t *temp; if (this->head == NULL) { this->head = rule_ptr; rule_ptr->next = NULL; return; } temp = this->head; while (temp->next != NULL) { temp = temp->next; } temp->next = rule_ptr; rule_ptr->next = NULL; return; } firewall_rule_t *ESPFirewall::get_rule_from_firewall(uint8_t key) { firewall_rule_t *rule_ptr = this->head; if (this->head == NULL) { return NULL; } while (rule_ptr->key != key) { if (rule_ptr->next == NULL) { return NULL; } else { rule_ptr = rule_ptr->next; } } return rule_ptr; } bool ESPFirewall::delete_rule_from_firewall(uint8_t key) { if (this->head == NULL) { return false; } firewall_rule_t *current_rule_ptr = this->head; firewall_rule_t *previous_rule_ptr = NULL; firewall_rule_t *temp = NULL; while (current_rule_ptr->key != key) { if (current_rule_ptr->next == NULL) { return false; } else { previous_rule_ptr = current_rule_ptr; current_rule_ptr = current_rule_ptr->next; } } if (current_rule_ptr == this->head) { this->head = head->next; temp = this->head; } else { previous_rule_ptr->next = current_rule_ptr->next; temp = previous_rule_ptr->next; } while (temp != NULL) { temp->key--; temp = temp->next; } free(current_rule_ptr); this->amount_of_rules--; this->eeprom_write_firewall_rules(); return true; } void ESPFirewall::setup_certificate() { log_i("Creating the certificate..."); this->certificate = new SSLCert(); int createCertResult = createSelfSignedCert( *this->certificate, KEYSIZE_2048, "CN=myesp32.local,O=Firewall,C=DE", "20220101000000", "20320101000000"); if (createCertResult != 0) { log_e("Cerating certificate failed. Error Code = 0x%02X, check SSLCert.hpp for details", createCertResult); while (true) delay(500); } log_i("Creating the certificate was successful"); } void ESPFirewall::setup_firewall_api(int api_port) { this->firewall_api = new HTTPSServer(this->certificate, api_port, 5); ResourceNode *get_firewall_rule = new ResourceNode("/api/v1/firewall/*", "GET", std::bind(&ESPFirewall::get_firewall_rule_handler, this, std::placeholders::_1, std::placeholders::_2)); ResourceNode *get_firewall_rules = new ResourceNode("/api/v1/firewall", "GET", std::bind(&ESPFirewall::get_firewall_rules_handler, this, std::placeholders::_1, std::placeholders::_2)); ResourceNode *post_firewall = new ResourceNode("/api/v1/firewall", "POST", std::bind(&ESPFirewall::post_firewall_handler, this, std::placeholders::_1, std::placeholders::_2)); ResourceNode *delete_firewall = new ResourceNode("/api/v1/firewall/*", "DELETE", std::bind(&ESPFirewall::delete_firewall_handler, this, std::placeholders::_1, std::placeholders::_2)); ResourceNode *restart_device = new ResourceNode("/api/v1/device/restart", "GET", std::bind(&ESPFirewall::restart_device_handler, this, std::placeholders::_1, std::placeholders::_2)); ResourceNode *not_found = new ResourceNode("", "GET", std::bind(&ESPFirewall::not_found_handler, this, std::placeholders::_1, std::placeholders::_2)); this->firewall_api->registerNode(get_firewall_rule); this->firewall_api->registerNode(get_firewall_rules); this->firewall_api->registerNode(post_firewall); this->firewall_api->registerNode(delete_firewall); this->firewall_api->setDefaultNode(restart_device); this->firewall_api->setDefaultNode(not_found); log_i("Starting server..."); this->firewall_api->start(); if (this->firewall_api->isRunning()) { log_i("Server ready."); } } void ESPFirewall::json_generic_response(HTTPResponse *response, String serialized, int response_code) { response->setHeader("Content-Type", "application/json"); response->setStatusCode(response_code); response->println(serialized); } void ESPFirewall::json_message_response(HTTPResponse *response, String message, int response_code) { response->setHeader("Content-Type", "application/json"); response->setStatusCode(response_code); StaticJsonDocument<96> json; String serialized; json["message"] = message; serializeJson(json, serialized); response->println(serialized); } String ESPFirewall::construct_json_firewall_rule(firewall_rule_t *rule_ptr) { StaticJsonDocument<256> doc; doc["key"] = rule_ptr->key; doc["source"] = rule_ptr->source; doc["destination"] = rule_ptr->destination; doc["protocol"] = protocol_to_string(rule_ptr->protocol); doc["target"] = target_to_string(rule_ptr->target); String response; serializeJson(doc, response); return response; } String ESPFirewall::construct_json_firewall() { firewall_rule_t *rule_ptr = this->head; // Size for approx. 12 Rules StaticJsonDocument<2048> doc; String response; doc["amount_of_rules"] = this->amount_of_rules; JsonArray rules = doc.createNestedArray("rules"); while (rule_ptr != NULL) { JsonObject rule = rules.createNestedObject(); rule["key"] = rule_ptr->key; rule["source"] = rule_ptr->source; rule["destination"] = rule_ptr->destination; rule["protocol"] = protocol_to_string(rule_ptr->protocol); rule["target"] = target_to_string(rule_ptr->target); rule_ptr = rule_ptr->next; } serializeJson(doc, response); return response; } void ESPFirewall::not_found_handler(HTTPRequest *request, HTTPResponse *response) { this->json_message_response(response, "not found", 404); } void ESPFirewall::restart_device_handler(HTTPRequest *request, HTTPResponse *response) { this->json_message_response(response, "restarting device in 2 sec", 200); sleep(2000); esp_restart(); } void ESPFirewall::get_firewall_rule_handler(HTTPRequest *request, HTTPResponse *response) { ResourceParameters *params = request->getParams(); int rule_number = atoi(params->getPathParameter(0).c_str()); firewall_rule_t *rule_ptr = this->get_rule_from_firewall(rule_number); if (rule_ptr == NULL) { this->json_message_response(response, "rule not found", 404); } else { response->setHeader("Content-Type", "application/json"); response->setStatusCode(200); response->print(this->construct_json_firewall_rule(rule_ptr)); } } void ESPFirewall::get_firewall_rules_handler(HTTPRequest *request, HTTPResponse *response) { this->json_generic_response(response, this->construct_json_firewall(), 200); } bool ESPFirewall::request_has_firewall_parameter(ResourceParameters *params) { return params->isQueryParameterSet("source") || params->isQueryParameterSet("destination") || params->isQueryParameterSet("protocol") || params->isQueryParameterSet("target"); } void ESPFirewall::post_firewall_handler(HTTPRequest *request, HTTPResponse *response) { ResourceParameters *params = request->getParams(); if (request_has_firewall_parameter(params)) { firewall_rule_t *rule_ptr = (firewall_rule_t *)malloc(sizeof(firewall_rule_t)); rule_ptr->key = ++amount_of_rules; // carefully copying c-string that is shorter then the destination char-array length std::string source; params->getQueryParameter("source", source); strcpy(rule_ptr->source, source.length() <= IP4ADDR_STRLEN_MAX ? source.c_str() : ""); std::string destination; params->getQueryParameter("destination", destination); strcpy(rule_ptr->destination, destination.length() <= IP4ADDR_STRLEN_MAX ? destination.c_str() : ""); std::string protocol; params->getQueryParameter("protocol", protocol); rule_ptr->protocol = string_to_protocol(protocol); std::string target; params->getQueryParameter("target", target); rule_ptr->target = string_to_target(target); this->add_rule_to_firewall(rule_ptr); this->eeprom_write_firewall_rule(rule_ptr); this->json_generic_response(response, this->construct_json_firewall_rule(rule_ptr), 200); } else { this->json_message_response(response, "not enough parameter", 400); } } void ESPFirewall::delete_firewall_handler(HTTPRequest *request, HTTPResponse *response) { ResourceParameters *params = request->getParams(); int rule_number = atoi(params->getPathParameter(0).c_str()); if (this->delete_rule_from_firewall(rule_number)) { this->json_message_response(response, "firewall rule deleted", 200); } else { this->json_message_response(response, "cannot delete firewall rule", 500); } }