ui,fw: allow to configure nodes policies

Previously you could only change firewall policies of one node.
Now if there's more than one node you can select the node, or change the
policies of all nodes.

Author: gustavo-iniguez-goya

ui/opensnitch/dialogs/firewall.py

@@ -27,6 +27,8 @@ class FirewallDialog(QtWidgets.QDialog, uic.loadUiType(DIALOG_UI_PATH)[0]):
     POLICY_ACCEPT = 0
     POLICY_DROP = 1
 
+    ALL_NODES = "all"
+
     _notification_callback = QtCore.pyqtSignal(str, ui_pb2.NotificationReply)
 
     def __init__(self, parent=None, appicon=None, node=None):
@@ -64,6 +66,7 @@ def __init__(self, parent=None, appicon=None, node=None):
         self.cmdAllowINService.clicked.connect(self._cb_allow_in_service_clicked)
         self.comboInput.currentIndexChanged.connect(lambda: self._cb_combo_policy_changed(self.COMBO_IN))
         self.comboProfile.currentIndexChanged.connect(self._cb_combo_profile_changed)
+        self.comboNodes.currentIndexChanged.connect(self._cb_combo_nodes_changed)
         self.sliderFwEnable.valueChanged.connect(self._cb_enable_fw_changed)
         self.cmdClose.clicked.connect(self._cb_close_clicked)
         self.cmdHelp.clicked.connect(
@@ -103,7 +106,16 @@ def _cb_notification_callback(self, addr, reply):
 
     @QtCore.pyqtSlot(int)
     def _cb_nodes_updated(self, total):
-        self._check_fw_status()
+        if self._nodes.count() <= 1:
+            self.load_fw_policies()
+
+    def _cb_combo_nodes_changed(self, idx):
+        nIdx = self.comboNodes.currentIndex()
+        addr = self.comboNodes.itemData(nIdx)
+        if nIdx >= 1:
+            self.block_combo_signals()
+            self.load_node_fw_policy(addr)
+            self.block_combo_signals(False)
 
     def _cb_combo_profile_changed(self, idx):
         combo_profile = self._fw_profiles[idx]
@@ -184,14 +196,13 @@ def _cb_enable_fw_changed(self, enable):
             self.sliderFwEnable.setValue(False)
             self.sliderFwEnable.blockSignals(False)
             return
-        self.enable_fw(enable)
+        nIdx = self.comboNodes.currentIndex()
+        addr = self.comboNodes.itemData(nIdx)
+        self.enable_fw(addr, enable)
 
     def _cb_close_clicked(self):
         self._close()
 
-    def _load_nodes(self):
-        self._nodes = self._nodes.get()
-
     def _close(self):
         self.hide()
 
@@ -202,63 +213,69 @@ def _change_fw_backend(self, addr, node_cfg):
     def showEvent(self, event):
         super(FirewallDialog, self).showEvent(event)
         self._reset_fields()
-        self._check_fw_status()
+        self._load_nodes()
+        self.load_fw_policies()
         self._fw_profiles = FwProfiles.Profiles.load_predefined_profiles()
         self.comboProfile.blockSignals(True)
         for pr in self._fw_profiles:
             self.comboProfile.addItem([pr[k] for k in pr][0]['Name'])
         self.comboProfile.blockSignals(False)
 
+    def _load_nodes(self):
+        self.comboNodes.blockSignals(True)
+        self.comboNodes.clear()
+        node_list = self._nodes.get()
+
+        self.comboNodes.addItem(QC.translate("firewall", "All"), self.ALL_NODES)
+        for node in node_list:
+            hostname = self._nodes.get_node_hostname(node)
+            self.comboNodes.addItem(hostname + " - " + node, node)
+
+        show_nodes = len(node_list) > 1
+        if show_nodes is False:
+            self.comboNodes.setCurrentIndex(1)
+        self.comboNodes.setVisible(show_nodes)
+
+        self.comboNodes.blockSignals(False)
+
     def send_notification(self, node_addr, fw_config):
         self._set_status_message(QC.translate("firewall", "Applying changes..."))
-        nid, notif = self._nodes.reload_fw(node_addr, fw_config, self._notification_callback)
-        self._notifications_sent[nid] = {'addr': node_addr, 'notif': notif}
 
-    def _check_fw_status(self):
+        nIdx = self.comboNodes.currentIndex()
+        addr = self.comboNodes.itemData(nIdx)
+        if addr == self.ALL_NODES and self._nodes.count() > 1:
+            for addr in self._nodes.get():
+                nid, notif = self._nodes.reload_fw(addr, fw_config, self._notification_callback)
+                self._notifications_sent[nid] = {'addr': addr, 'notif': notif}
+
+            return
+
+        nid, notif = self._nodes.reload_fw(addr, fw_config, self._notification_callback)
+        self._notifications_sent[nid] = {'addr': addr, 'notif': notif}
+
+    def load_fw_policies(self, node_addr=None):
         self.lblFwStatus.setText("")
         self.sliderFwEnable.blockSignals(True)
-        self.comboInput.blockSignals(True)
-        self.comboOutput.blockSignals(True)
-        self.comboProfile.blockSignals(True)
+        self.block_combo_signals()
 
         self._disable_widgets()
 
+        enableFw = False
         try:
-            enableFw = False
             enableFwBtn = (self._nodes.count() > 0)
             self.sliderFwEnable.setEnabled(enableFwBtn)
             if not enableFwBtn:
                 return
 
-            # TODO: handle nodes' firewall properly
-            for addr in self._nodes.get():
-                node = self._nodes.get_node(addr)
-                self._fwConfig = node['firewall']
-                enableFw |= self._fwConfig.Enabled
+            enableFw = self._nodes.count() > 1
+            if node_addr is None:
 
-                if self.fw_is_incompatible(addr, node):
-                    enableFw = False
+                if self._nodes.count() == 1:
+                    nIdx = self.comboNodes.currentIndex()
+                    node_addr = self.comboNodes.itemData(nIdx)
+                    enableFw = self.load_node_fw_policy(node_addr)
                     return
 
-                # XXX: Here we loop twice over the chains. We could have 1 loop.
-                pol_in = self._fw.chains.get_policy(addr, Fw.Hooks.INPUT.value)
-                pol_out = self._fw.chains.get_policy(addr, Fw.Hooks.OUTPUT.value, Fw.ChainType.MANGLE.value)
-
-                if pol_in != None:
-                    self.comboInput.setCurrentIndex(
-                        Fw.Policy.values().index(pol_in)
-                    )
-                else:
-                    self._set_status_error(QC.translate("firewall", "Error getting INPUT chain policy"))
-                    self._disable_widgets()
-                if pol_out != None:
-                    self.comboOutput.setCurrentIndex(
-                        Fw.Policy.values().index(pol_out)
-                    )
-                else:
-                    self._set_status_error(QC.translate("firewall", "Error getting OUTPUT chain policy"))
-                    self._disable_widgets()
-
         except Exception as e:
             self._set_status_error("Firewall status error (report on github please): {0}".format(e))
 
@@ -272,9 +289,44 @@ def _check_fw_status(self):
             self.sliderFwEnable.setValue(enableFw)
 
             self.sliderFwEnable.blockSignals(False)
-            self.comboInput.blockSignals(False)
-            self.comboOutput.blockSignals(False)
-            self.comboProfile.blockSignals(False)
+            self.block_combo_signals(False)
+
+    def load_node_fw_policy(self, addr):
+        enableFw = False
+        try:
+            node = self._nodes.get_node(addr)
+            self._fwConfig = node['firewall']
+            enableFw |= self._fwConfig.Enabled
+
+            if self.fw_is_incompatible(addr, node):
+                enableFw = False
+                return
+
+            # XXX: Here we loop twice over the chains. We could have 1 loop.
+            pol_in = self._fw.chains.get_policy(addr, Fw.Hooks.INPUT.value)
+            pol_out = self._fw.chains.get_policy(addr, Fw.Hooks.OUTPUT.value, Fw.ChainType.MANGLE.value)
+
+            if pol_in != None:
+                self.comboInput.setCurrentIndex(
+                    Fw.Policy.values().index(pol_in)
+                )
+            else:
+                self._set_status_error(QC.translate("firewall", "Error getting INPUT chain policy"))
+                self._disable_widgets()
+            if pol_out != None:
+                self.comboOutput.setCurrentIndex(
+                    Fw.Policy.values().index(pol_out)
+                )
+            else:
+                self._set_status_error(QC.translate("firewall", "Error getting OUTPUT chain policy"))
+                self._disable_widgets()
+
+        except Exception as e:
+            self._set_status_error("Firewall status error (report on github please): {0}".format(e))
+            enableFw = False
+
+        return enableFw
+
 
     def fw_is_incompatible(self, addr, node):
         """Check if the fw is compatible with this GUI.
@@ -290,7 +342,7 @@ def fw_is_incompatible(self, addr, node):
             if self.isHidden() == False and self.change_fw(addr, node_cfg):
                     node_cfg['Firewall'] = "nftables"
                     self.sliderFwEnable.setEnabled(True)
-                    self.enable_fw(True)
+                    self.enable_fw(addr, True)
                     self._change_fw_backend(addr, node_cfg)
                     return False
             incompatible = True
@@ -321,7 +373,7 @@ def change_fw(self, addr, node_cfg):
 
         return False
 
-    def enable_fw(self, enable):
+    def enable_fw(self, addr, enable):
         try:
             self._disable_widgets(not enable)
             if enable:
@@ -357,30 +409,31 @@ def enable_fw(self, enable):
                         )
                         return
 
-            for addr in self._nodes.get():
-                # FIXME:
-                # Due to how the daemon reacts to events when the fw configuration
-                # is modified, changing the policy + disabling the fw doesn't work
-                # as expected.
-                # The daemon detects that the fw is disabled, and it never changes
-                # the policy.
-                # As a workaround to this problem, we send 2 fw changes:
-                # - one for changing the policy
-                # - another one for disabling the fw
+            # FIXME:
+            # Due to how the daemon reacts to events when the fw configuration
+            # is modified, changing the policy + disabling the fw doesn't work
+            # as expected.
+            # The daemon detects that the fw is disabled, and it never changes
+            # the policy.
+            # As a workaround to this problem, we send 2 fw changes:
+            # - one for changing the policy
+            # - another one for disabling the fw
 
-                fwcfg = self._nodes.get_node(addr)['firewall']
-                self.send_notification(addr, fwcfg)
-                time.sleep(0.5)
-                fwcfg.Enabled = True if enable else False
-                self.send_notification(addr, fwcfg)
+            fwcfg = self._nodes.get_node(addr)['firewall']
+            self.send_notification(addr, fwcfg)
+            time.sleep(0.5)
+            fwcfg.Enabled = True if enable else False
+            self.send_notification(addr, fwcfg)
 
             self.lblStatusIcon.setEnabled(enable)
             self.policiesBox.setEnabled(enable)
 
             time.sleep(0.5)
 
         except Exception as e:
-            QC.translate("firewall", "Error: {0}".format(e))
+            self._set_status_error(
+                QC.translate("firewall", "Error: {0}".format(e))
+            )
 
     def load_rule(self, addr, uuid):
         self._fwrule_dialog.load(addr, uuid)
@@ -416,9 +469,16 @@ def _reset_status_message(self):
     def _reset_fields(self):
         self._reset_status_message()
 
+    def block_combo_signals(self, state=True):
+        self.comboInput.blockSignals(state)
+        self.comboOutput.blockSignals(state)
+        self.comboNodes.blockSignals(state)
+        self.comboProfile.blockSignals(state)
+
     def _disable_widgets(self, disable=True):
         self.comboInput.setEnabled(not disable)
         self.comboOutput.setEnabled(not disable)
         self.cmdNewRule.setEnabled(not disable)
         self.cmdAllowOUTService.setEnabled(not disable)
         self.cmdAllowINService.setEnabled(not disable)
+        self.comboNodes.setEnabled(not disable)