Decoupled firewall from translator

.ci_scripts/firewall-test/translate_profiles.sh

-#!/bin/bash
-
-## CONSTANTS
-DEVICES_DIR="$GITHUB_WORKSPACE/test/translator/devices"
-TRANSLATOR_PATH="$GITHUB_WORKSPACE/src/translator/translator.py"
-
-# Ensure globbing expands to an empty list if no matches are found
-shopt -s nullglob
-
-# Loop over devices
-NFQ_BASE_ID=0
-for DEVICE in "$DEVICES_DIR"/*/; do
-    # Call translator over device profile
-    # Arguments $1 & $2 represent the verdict mode
-    python3 $TRANSLATOR_PATH "$DEVICE"profile.yaml $NFQ_BASE_ID $1 $2
-    ((NFQ_BASE_ID=NFQ_BASE_ID+100))
-done

.ci_scripts/firewall-test/add_nft_rules.sh → .ci_scripts/native-build/add_nft_rules.sh

 EXITCODE=0
 
-for nft_script in $GITHUB_WORKSPACE/test/translator/devices/*/firewall.nft
+for nft_script in $GITHUB_WORKSPACE/test/device/firewall.nft
 do
     # Flush the ruleset before next device
     sudo nft flush ruleset

.ci_scripts/firewall-test/run_tests.sh → .ci_scripts/native-build/run_tests.sh

 EXITCODE=0
 PARSERS_DIR="$GITHUB_WORKSPACE/src/parsers"
-VALGRIND_SUPP="$GITHUB_WORKSPACE/.ci_scripts/firewall-test/valgrind.supp"
+VALGRIND_SUPP="$GITHUB_WORKSPACE/.ci_scripts/native-build/valgrind.supp"
 
 PREFIX=""
 for file in "$GITHUB_WORKSPACE"/bin/test/* "$PARSERS_DIR"/bin/test/*

.github/workflows/cross-compile.yml

-name: Verify cross-compilation on OpenWrt environment
-on: [push]
-
-
-jobs:
-
-  binary-verdict:
-    runs-on: ubuntu-latest
-    container: fdekeers/openwrt_tl-wdr4900_gha
-
-    steps:
-
-      - name: Checkout repository
-        uses: actions/checkout@v3
-        with:
-          submodules: recursive
-      
-      - name: Install Python packages
-        run: pip install -r $GITHUB_WORKSPACE/requirements.txt
-
-      - name: Translate profiles
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/translate_profiles.sh
-
-      - name: Run cross-compilation
-        run: $GITHUB_WORKSPACE/build.sh -d $GITHUB_WORKSPACE -t $GITHUB_WORKSPACE/openwrt/tl-wdr4900.cmake
-
-
-  rate-limit-verdict:
-    runs-on: ubuntu-latest
-    container: fdekeers/openwrt_tl-wdr4900_gha
-
-    steps:
-
-      - name: Checkout repository
-        uses: actions/checkout@v3
-        with:
-          submodules: recursive
-      
-      - name: Translate profiles
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/translate_profiles.sh -r 50
-      
-      - name: Run cross-compilation
-        run: $GITHUB_WORKSPACE/build.sh -d $GITHUB_WORKSPACE -t $GITHUB_WORKSPACE/openwrt/tl-wdr4900.cmake
-
-
-  random-verdict:
-    runs-on: ubuntu-latest
-    container: fdekeers/openwrt_tl-wdr4900_gha
-
-    steps:
-
-      - name: Checkout repository
-        uses: actions/checkout@v3
-        with:
-          submodules: recursive
-      
-      - name: Translate profiles
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/translate_profiles.sh -p 0.5
-
-      - name: Run cross-compilation
-        run: $GITHUB_WORKSPACE/build.sh -d $GITHUB_WORKSPACE -t $GITHUB_WORKSPACE/openwrt/tl-wdr4900.cmake

.github/workflows/full-test.yaml

+name: full-test
+on: [push]
+
+
+jobs:
+
+  native-build:
+    runs-on: ubuntu-latest
+    steps:
+    
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Install required packages
+        run: sudo $GITHUB_WORKSPACE/.ci_scripts/native-build/install_packages.sh
+
+      - name: Build project with CMake
+        run: $GITHUB_WORKSPACE/build.sh -d $GITHUB_WORKSPACE
+
+      - name: Run CUnit tests
+        run: $GITHUB_WORKSPACE/.ci_scripts/native-build/run_tests.sh
+
+      - name: Run Valgrind on CUnit tests
+        run: $GITHUB_WORKSPACE/.ci_scripts/native-build/run_tests.sh valgrind
+
+      - name: Run cppcheck on source files
+        run: $GITHUB_WORKSPACE/.ci_scripts/native-build/run_cppcheck.sh
+      
+      - name: Add NFTables rules
+        run:  $GITHUB_WORKSPACE/.ci_scripts/native-build/add_nft_rules.sh
+
+      - name: Run NFQueue executables
+        run: $GITHUB_WORKSPACE/.ci_scripts/native-build/run_exec.sh
+
+
+  cross-compile:
+    runs-on: ubuntu-latest
+    container: fdekeers/openwrt_tl-wdr4900_gha
+
+    steps:
+
+      - name: Checkout repository
+        uses: actions/checkout@v4
+        with:
+          submodules: recursive
+
+      - name: Run cross-compilation
+        run: $GITHUB_WORKSPACE/build.sh -d $GITHUB_WORKSPACE -t $GITHUB_WORKSPACE/openwrt/tl-wdr4900.cmake

.github/workflows/test-firewall.yaml

-name: Test the whole system
-on: [push]
-
-
-jobs:
-
-  binary-verdict:
-    runs-on: ubuntu-latest
-    steps:
-    
-      - name: Checkout repository
-        uses: actions/checkout@v3
-        with:
-          submodules: recursive
-
-      - name: Install required packages
-        run: sudo $GITHUB_WORKSPACE/.ci_scripts/firewall-test/install_packages.sh
-
-      - name: Install Python packages
-        run: pip install -r $GITHUB_WORKSPACE/requirements.txt
-
-      - name: Translate profiles
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/translate_profiles.sh
-
-      - name: Build project with CMake
-        run: $GITHUB_WORKSPACE/build.sh -d $GITHUB_WORKSPACE
-
-      - name: Run CUnit tests
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/run_tests.sh
-
-      - name: Run Valgrind on CUnit tests
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/run_tests.sh valgrind
-
-      - name: Run cppcheck on source files
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/run_cppcheck.sh
-      
-      - name: Add NFTables rules
-        run:  $GITHUB_WORKSPACE/.ci_scripts/firewall-test/add_nft_rules.sh
-
-      - name: Run NFQueue executables
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/run_exec.sh
-
-
-  rate-limit-verdict:
-    runs-on: ubuntu-latest
-    steps:
-    
-      - name: Checkout repository
-        uses: actions/checkout@v3
-        with:
-          submodules: recursive
-
-      - name: Install required packages
-        run: sudo $GITHUB_WORKSPACE/.ci_scripts/firewall-test/install_packages.sh
-
-      - name: Install Python packages
-        run: pip install -r $GITHUB_WORKSPACE/requirements.txt
-
-      - name: Translate profiles
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/translate_profiles.sh -r 50
-
-      - name: Build project with CMake
-        run: $GITHUB_WORKSPACE/build.sh -d $GITHUB_WORKSPACE
-
-      - name: Run CUnit tests
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/run_tests.sh
-
-      - name: Run Valgrind on CUnit tests
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/run_tests.sh valgrind
-
-      - name: Run cppcheck on source files
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/run_cppcheck.sh
-      
-      - name: Add nftables rules
-        run:  $GITHUB_WORKSPACE/.ci_scripts/firewall-test/add_nft_rules.sh
-      
-      - name: Run NFQueue executables
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/run_exec.sh
-
-
-  random-verdict:
-    runs-on: ubuntu-latest
-    steps:
-    
-      - name: Checkout repository
-        uses: actions/checkout@v3
-        with:
-          submodules: recursive
-
-      - name: Install required packages
-        run: sudo $GITHUB_WORKSPACE/.ci_scripts/firewall-test/install_packages.sh
-
-      - name: Install Python packages
-        run: pip install -r $GITHUB_WORKSPACE/requirements.txt
-
-      - name: Translate profiles
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/translate_profiles.sh -p 0.5
-
-      - name: Build project with CMake
-        run: $GITHUB_WORKSPACE/build.sh -d $GITHUB_WORKSPACE
-
-      - name: Run CUnit tests
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/run_tests.sh
-
-      - name: Run Valgrind on CUnit tests
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/run_tests.sh valgrind
-
-      - name: Run cppcheck on source files
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/run_cppcheck.sh
-      
-      - name: Add nftables rules
-        run:  $GITHUB_WORKSPACE/.ci_scripts/firewall-test/add_nft_rules.sh
-
-      - name: Run NFQueue executables
-        run: $GITHUB_WORKSPACE/.ci_scripts/firewall-test/run_exec.sh

.gitignore

@@ -5,6 +5,3 @@
 # Build directories
 build
 bin
-
-# Python cache
-__pycache__

CMakeLists.txt

@@ -37,6 +37,4 @@ set(PARSERS header dns dhcp http igmp ssdp coap)
 
 # Subdirectories containing code
 add_subdirectory(src)
-IF( NOT OPENWRT_CROSSCOMPILING )
-    add_subdirectory(test)
-ENDIF()
+add_subdirectory(test)

requirements.txt

-# Libs
-PyYAML
-Jinja2
-# Custom
-pyyaml-loaders

test/CMakeLists.txt

@@ -3,8 +3,8 @@ cmake_minimum_required(VERSION 3.20)
 
 ## Test subdirectories
 # Sample profiles
-add_subdirectory(translator)
-# Unit tests for runtime code
+add_subdirectory(device)
+# Unit tests
 IF( NOT OPENWRT_CROSSCOMPILING )
-    add_subdirectory(runtime)
+    add_subdirectory(unit)
 ENDIF()

test/device/CMakeLists.txt

+# Minimum required CMake version
+cmake_minimum_required(VERSION 3.20)
+
+set(EXECUTABLE_OUTPUT_PATH ${BIN_DIR})
+
+# Nfqueue C file for device tplink-plug
+add_executable(tplink-plug nfqueues.c)
+target_link_libraries(tplink-plug pthread)
+IF( OPENWRT_CROSSCOMPILING )
+target_link_libraries(tplink-plug jansson mnl nfnetlink nftnl nftables netfilter_queue netfilter_log)
+ENDIF()
+target_link_libraries(tplink-plug nfqueue packet_utils rule_utils)
+target_link_libraries(tplink-plug header dns)
+target_include_directories(tplink-plug PRIVATE ${INCLUDE_DIR} ${INCLUDE_PARSERS_DIR})
+install(TARGETS tplink-plug DESTINATION ${EXECUTABLE_OUTPUT_PATH})
\ No newline at end of file

test/device/firewall.nft

+#!/usr/sbin/nft -f
+
+table bridge tplink-plug {
+
+    # Chain PREROUTING, entry point for all traffic
+    chain prerouting {
+        
+        # Base chain, need configuration
+        # Default policy is ACCEPT
+        type filter hook prerouting priority 0; policy accept;
+
+        # NFQueue lan-tcp-to-phone
+        meta l4proto tcp tcp sport 9999 ip saddr 192.168.1.135 ip daddr 192.168.1.222 drop
+        
+        # NFQueue lan-tcp-to-phone-backward
+        meta l4proto tcp tcp dport 9999 ip daddr 192.168.1.135 ip saddr 192.168.1.222 drop
+        
+        # NFQueue lan-udp-to-phone
+        meta l4proto udp udp sport 9999 ip saddr 192.168.1.135 ip daddr 192.168.1.222 drop
+        
+        # NFQueue lan-udp-to-phone-backward
+        meta l4proto udp udp dport 9999 ip daddr 192.168.1.135 ip saddr 192.168.1.222 drop
+        
+        # NFQueue dns-query-tplinkapi
+        meta l4proto udp udp dport 53 ip saddr 192.168.1.135 ip daddr 192.168.1.1 queue num 0
+        
+        # NFQueue dns-query-tplinkapi-backward
+        meta l4proto udp udp sport 53 ip daddr 192.168.1.135 ip saddr 192.168.1.1 queue num 1
+        
+        # NFQueue wan-https-to-domain-tplinkapi
+        meta l4proto tcp tcp dport 443 ip saddr 192.168.1.135 queue num 10
+        
+        # NFQueue wan-https-to-domain-tplinkapi-backward
+        meta l4proto tcp tcp sport 443 ip daddr 192.168.1.135 queue num 11
+        
+        
+    }
+
+}

test/translator/CMakeLists.txt

-# Minimum required CMake version
-cmake_minimum_required(VERSION 3.20)
-
-add_subdirectory(devices)

test/translator/devices/.gitignore

-# Translator's output files
-firewall.nft
-nfqueues.c
-*/CMakeLists.txt

test/translator/devices/CMakeLists.txt

-# Minimum required CMake version
-cmake_minimum_required(VERSION 3.20)
-
-# Devices
-add_subdirectory(tplink-plug)