diff --git a/ansible/roles/firewall/tasks/main.yml b/ansible/roles/firewall/tasks/main.yml
index f6ef3513..3482d865 100644
--- a/ansible/roles/firewall/tasks/main.yml
+++ b/ansible/roles/firewall/tasks/main.yml
@@ -44,3 +44,10 @@
 src: "{{ role_path }}/templates/quic/main.conf.j2"
 dest: /opt/tsg/sapp/conf/quic/main.conf
 tags: template
+
+- name: "Template the /opt/tsg/sapp/plug/business/firewall/firewall.inf"
+ template:
+ src: "{{ role_path }}/templates/firewall.inf.j2.j2"
+ dest: /opt/tsg/tsg-os-provision/templates/firewall.inf.j2
+ tags: template
+ when: runtime_env != 'TSG-X-P0906'
diff --git a/ansible/roles/firewall/templates/firewall.inf.j2.j2 b/ansible/roles/firewall/templates/firewall.inf.j2.j2
new file mode 100644
index 00000000..24fcf4a6
--- /dev/null
+++ b/ansible/roles/firewall/templates/firewall.inf.j2.j2
@@ -0,0 +1,55 @@
+[PLUGINFO]
+PLUGNAME=FIREWEALL
+SO_PATH=./plug/business/firewall/firewall.so
+INIT_FUNC=firewall_init
+DESTROY_FUNC=firewall_destroy
+
+[HTTP]
+FUNC_FLAG=ALL
+FUNC_NAME=fw_http_plug_entry
+
+[SSL]
+FUNC_FLAG=SSL_CLIENT_HELLO,SSL_SERVER_HELLO,SSL_APPLICATION_DATA,SSL_CERTIFICATE_DETAIL
+FUNC_NAME=fw_ssl_plug_entry
+
+[DNS]
+FUNC_FLAG=ALL
+FUNC_NAME=fw_dns_plug_entry
+
+[MAIL]
+FUNC_FLAG=ALL
+FUNC_NAME=fw_mail_plug_entry
+
+[RTP]
+FUNC_FLAG=ALL
+FUNC_NAME=fw_rtp_plug_entry
+
+{% raw %}{% if firewall.enable_sip == 1 %}
+[SIP]
+FUNC_FLAG=ALL
+FUNC_NAME=fw_sip_plug_entry
+{% endif %}
+{% endraw %}
+
+[FTP]
+FUNC_FLAG=ALL
+FUNC_NAME=fw_ftp_plug_entry
+
+[QUIC]
+FUNC_FLAG=QUIC_CLIENT_HELLO,QUIC_SERVER_HELLO,QUIC_CACHED_CERT,QUIC_COMM_CERT,QUIC_CERT_CHAIN,QUIC_VERSION,QUIC_APPLICATION_DATA
+FUNC_NAME=fw_quic_plug_entry
+
+{% raw %}{% if firewall.enable_dtls == 1 %}
+[DTLS]
+FUNC_FLAG=DTLS_CLIENT_HELLO,DTLS_SERVER_HELLO,DTLS_HELLO_VERIFY_REQUEST,DTLS_CLIENT_EXTENSION
+FUNC_NAME=fw_dtls_plug_entry
+{% endif %}
+{% endraw %}
+
+[UDP]
+FUNC_FLAG=ALL
+FUNC_NAME=fw_udp_plug_entry
+
+[TCP]
+FUNC_FLAG=ALL
+FUNC_NAME=fw_tcp_plug_entry
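Review bot: The new task's name says it templates `/opt/tsg/sapp/plug/business/firewall/firewall.inf`, but its `dest` is the staging copy `/opt/tsg/tsg-os-provision/templates/firewall.inf.j2`; the runtime firewall.inf is only written by the second-stage provision.yml.* tasks later in this diff, so an operator reading play output for the real path will be misled. Rename it along the lines of `- name: "Stage firewall.inf.j2 for tsg-os-provision"`. The `when: runtime_env != 'TSG-X-P0906'` guard carries no explanation and this diff adds no matching P0906 provision task; a one-line comment above it stating why that model is excluded (for example `# P0906 is not provisioned through tsg-os-provision; staging the template there would be dead data`, or whatever the actual reason is) would stop the next person from dropping the guard or from wondering why a P0906 provision task fails on a missing source template.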
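Review bot: `PLUGNAME=FIREWEALL` in the new [PLUGINFO] section reads as a typo for `FIREWALL`; if the plugin name is used as a key anywhere (registry lookup, log or metric labels) the misspelling will not match, so change it to `PLUGNAME=FIREWALL` unless the value is known to be informational only. `SO_PATH=./plug/business/firewall/firewall.so` is relative, so which shared object actually gets loaded depends on the working directory of the consumer — presumably /opt/tsg/sapp, judging by the other paths in this diff — and that assumption is worth stating next to the key if the .inf format accepts comments. The file also carries no [BGP] section even though the same commit gates bgp.inf on `firewall.enable_bgp` in conflist.inf and session_record.inf; if the firewall plugin intentionally has no BGP entry point, a short note to that effect would keep a reader from treating it as an omission.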
diff --git a/ansible/roles/firewall/templates/main.conf.j2.j2 b/ansible/roles/firewall/templates/main.conf.j2.j2
index 2e156437..214771f6 100644
--- a/ansible/roles/firewall/templates/main.conf.j2.j2
+++ b/ansible/roles/firewall/templates/main.conf.j2.j2
@@ -108,6 +108,17 @@ DEVICE_SEQ_IN_DATA_CENTER={{ session_id_generator.snowflake_worker_id_offset }}
 FEATURE_TAMPER=1
 GENERATE_JA3_FINGERPRINT=1
+{% raw %}{% if firewall.enable_dtls == 1 and firewall.enable_sip == 1 %}
+IDENTIFY_PROTO_NAME="DNS;QUIC;HTTP;MAIL;FTP;SSL;RTP;SIP;SSH;RADIUS;SOCKS;STRATUM;RDP;DTLS;GTPC;"
+{% elif firewall.enable_dtls == 1 %}
+IDENTIFY_PROTO_NAME="DNS;QUIC;HTTP;MAIL;FTP;SSL;RTP;SSH;RADIUS;SOCKS;STRATUM;RDP;DTLS;GTPC;"
+{% elif firewall.enable_sip == 1 %}
+IDENTIFY_PROTO_NAME="DNS;QUIC;HTTP;MAIL;FTP;SSL;RTP;SIP;SSH;RADIUS;SOCKS;STRATUM;RDP;GTPC;"
+{% else %}
+IDENTIFY_PROTO_NAME="DNS;QUIC;HTTP;MAIL;FTP;SSL;RTP;SSH;RADIUS;SOCKS;STRATUM;RDP;GTPC;"
+{% endif %}
+{% endraw %}
+
 [FIREWALL]
 CYCLE=30
 #TELEGRAF_PORT=8500
diff --git a/ansible/roles/firewall/templates/session_record.inf.j2.j2 b/ansible/roles/firewall/templates/session_record.inf.j2.j2
index fd8bd293..41b7353c 100644
--- a/ansible/roles/firewall/templates/session_record.inf.j2.j2
+++ b/ansible/roles/firewall/templates/session_record.inf.j2.j2
@@ -43,9 +43,12 @@ FUNC_NAME=session_record_rtp_entry
 {% endif %}
 {% endraw %}
+{% raw %}{% if firewall.enable_sip == 1 %}
 [SIP]
 FUNC_FLAG=ALL
 FUNC_NAME=session_record_sip_entry
+{% endif %}
+{% endraw %}
 [FTP]
 FUNC_FLAG=ALL
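Review bot: The four `IDENTIFY_PROTO_NAME` variants in the new `{% if %}`/`{% elif %}` chain repeat the same 13 base tokens, so every future protocol has to be added in four places and a missed one silently yields a different parser set for one flag combination. Build the string once and splice the optional tokens in: `{% raw %}IDENTIFY_PROTO_NAME="DNS;QUIC;HTTP;MAIL;FTP;SSL;RTP;{% if firewall.enable_sip == 1 %}SIP;{% endif %}SSH;RADIUS;SOCKS;STRATUM;RDP;{% if firewall.enable_dtls == 1 %}DTLS;{% endif %}GTPC;"` followed by `{% endraw %}`, which renders the same value as the current four branches for every combination of the two flags. None of the variants lists BGP although this diff gates bgp.inf on `firewall.enable_bgp`; if BGP is identified by some other mechanism, a `#` comment above the key (the file already uses them, e.g. `#TELEGRAF_PORT=8500`) would make that explicit.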
@@ -67,10 +70,16 @@ FUNC_NAME=session_record_stratum_entry
 FUNC_FLAG=ALL
 FUNC_NAME=session_record_rdp_entry
+{% raw %}{% if firewall.enable_bgp == 1 %}
 [BGP]
 FUNC_FLAG=ALL
 FUNC_NAME=session_record_bgp_entry
+{% endif %}
+{% endraw %}
+{% raw %}{% if firewall.enable_dtls == 1 %}
 [DTLS]
 FUNC_FLAG=DTLS_CLIENT_HELLO,DTLS_SERVER_HELLO,DTLS_HELLO_VERIFY_REQUEST,DTLS_CLIENT_EXTENSION
-FUNC_NAME=session_record_dtls_entry
\ No newline at end of file
+FUNC_NAME=session_record_dtls_entry
+{% endif %}
+{% endraw %}
\ No newline at end of file
diff --git a/ansible/roles/sapp/templates/conflist.inf.j2.j2 b/ansible/roles/sapp/templates/conflist.inf.j2.j2
index e5571648..be5ba892 100644
--- a/ansible/roles/sapp/templates/conflist.inf.j2.j2
+++ b/ansible/roles/sapp/templates/conflist.inf.j2.j2
@@ -27,7 +27,10 @@
 [protocol]
 ./plug/protocol/deal_socks/deal_socks.inf
+{% raw %}{% if firewall.enable_sip == 1 %}
 ./plug/protocol/sip/sip.inf
+{% endif %}
+{% endraw %}
 ./plug/protocol/rtp/rtp.inf
 ./plug/protocol/ssl/ssl.inf
 ./plug/protocol/http/http.inf
@@ -41,8 +44,14 @@
 ./plug/protocol/ssh/ssh.inf
 ./plug/protocol/stratum/stratum.inf
 ./plug/protocol/rdp/rdp.inf
+{% raw %}{% if firewall.enable_bgp == 1 %}
 ./plug/protocol/bgp/bgp.inf
+{% endif %}
+{% endraw %}
+{% raw %}{% if firewall.enable_dtls == 1 %}
 ./plug/protocol/dtls/dtls.inf
+{% endif %}
+{% endraw %}
 [business]
 {% raw %}{% if firewall.enable == 1 %}
diff --git a/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.7400MCN0P01R01 b/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.7400MCN0P01R01
index d812dcfc..85b97cba 100644
--- a/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.7400MCN0P01R01
+++ b/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.7400MCN0P01R01
@@ -10,6 +10,9 @@ firewall:
 proxy:
 enable: 1
 enable_hos: 1
+ enable_dtls: 1
+ enable_sip: 1
+ enable_bgp: 1
 sessionrecord:
 enable: 1
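Review bot: The two back-to-back `{% raw %}…{% endraw %}` wrappers added for [BGP] and [DTLS] can be one wrapper enclosing both `{% if %}` blocks, which makes the stage-1 template easier to scan and produces the same stage-2 text. The new side still ends with `\ No newline at end of file`, now on the closing `{% endraw %}`; since the commit already rewrites the last line of the file, it is the natural moment to terminate the template with a newline so editors and linters stop flagging it. The [DTLS] section and the file both end inside this hunk.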
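Review bot: `{% if firewall.enable_sip == 1 %}` (and the `enable_bgp`/`enable_dtls` guards in the next hunk) reference keys that did not exist before this commit, so any already-deployed provision.yml that is not regenerated from the config_sample files now lacks them; if stage 2 is rendered by Ansible, as the provision.yml.* task files in this diff suggest, the undefined attribute aborts the template task, and under a lenient Jinja configuration the comparison is silently false and sip.inf simply disappears from the plugin list. Preserve the pre-change behaviour for such configs with `{% if firewall.enable_sip | default(1) == 1 %}` (the filter binds tighter than `==`), and the same for the other two flags, or document the three keys as mandatory in the upgrade notes. The [protocol] section continues past this hunk.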
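Review bot: The three new keys are appended after `enable_hos: 1`, which in this sample follows `proxy:` and `enable: 1`; the templates in this commit read them as `firewall.enable_dtls`, `firewall.enable_sip` and `firewall.enable_bgp`, so they must sit at the `firewall:` level and not be indented under `proxy:`, which the flattened diff makes impossible to confirm — please check the rendered mapping (for example with `yq .firewall.enable_sip` against the sample). The `firewall:` mapping starts above this hunk. Each flag now switches several things at once — the protocol .inf in conflist.inf, the section in session_record.inf and, for SIP and DTLS, the firewall.inf section and the IDENTIFY_PROTO_NAME token in main.conf — so a comment in the sample such as `# enable_sip/enable_bgp/enable_dtls: 1 loads the protocol parser and its session_record/firewall hooks; 0 removes the parser from sapp entirely` would tell operators what they are actually turning off.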
diff --git a/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.9000NPBP01R01 b/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.9000NPBP01R01
index bd45d46a..95e728e6 100644
--- a/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.9000NPBP01R01
+++ b/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.9000NPBP01R01
@@ -9,6 +9,9 @@ firewall:
 proxy:
 enable: 1
 enable_hos: 1
+ enable_dtls: 1
+ enable_sip: 1
+ enable_bgp: 1
 sessionrecord:
 enable: 1
diff --git a/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.TSGXNXR620G40R01P0804 b/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.TSGXNXR620G40R01P0804
index f1a0356c..fde5984a 100644
--- a/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.TSGXNXR620G40R01P0804
+++ b/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.TSGXNXR620G40R01P0804
@@ -6,6 +6,10 @@ firewall:
 enable: 1
 enable_hos: 1
 rapidjson_chunk_capacity: 2048
+ enable_dtls: 1
+ enable_sip: 1
+ enable_bgp: 1
+
 proxy:
 enable: 1
diff --git a/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.TSGXNXR620G40R01P1403 b/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.TSGXNXR620G40R01P1403
index 819de4c9..476ae7b4 100644
--- a/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.TSGXNXR620G40R01P1403
+++ b/ansible/roles/tsg-os-provision/files/config_sample/provision.default.yml.TSGXNXR620G40R01P1403
@@ -6,6 +6,9 @@ firewall:
 enable: 1
 enable_hos: 1
 rapidjson_chunk_capacity: 2048
+ enable_dtls: 1
+ enable_sip: 1
+ enable_bgp: 1
 proxy:
 enable: 0
diff --git a/ansible/roles/tsg-os-provision/files/tasks/provision.yml.7400MCN0P01R01 b/ansible/roles/tsg-os-provision/files/tasks/provision.yml.7400MCN0P01R01
index 80bcc4e3..469b3737 100644
--- a/ansible/roles/tsg-os-provision/files/tasks/provision.yml.7400MCN0P01R01
+++ b/ansible/roles/tsg-os-provision/files/tasks/provision.yml.7400MCN0P01R01
@@ -159,6 +159,12 @@
 dest: /opt/tsg/sapp/plug/business/session_record/session_record.inf
 tags: firewall
+ - name: "tsg-os-provision: Template the firewall.inf"
+ template:
+ src: "../templates/firewall.inf.j2"
+ dest: /opt/tsg/sapp/plug/business/firewall/firewall.inf
+ tags: firewall
+
 - name: "tsg-os-provision: Template the sapp.toml"
 template:
 src: "../templates/sapp.toml.j2"
diff --git a/ansible/roles/tsg-os-provision/files/tasks/provision.yml.9000NPBP01R01 b/ansible/roles/tsg-os-provision/files/tasks/provision.yml.9000NPBP01R01
index 02e04fb0..23e2bf11 100644
--- a/ansible/roles/tsg-os-provision/files/tasks/provision.yml.9000NPBP01R01
+++ b/ansible/roles/tsg-os-provision/files/tasks/provision.yml.9000NPBP01R01
@@ -109,6 +109,12 @@
 dest: /opt/tsg/sapp/plug/business/session_record/session_record.inf
 tags: firewall
+ - name: "tsg-os-provision: Template the firewall.inf"
+ template:
+ src: "../templates/firewall.inf.j2"
+ dest: /opt/tsg/sapp/plug/business/firewall/firewall.inf
+ tags: firewall
+
 - name: "tsg-os-provision: Template the sapp.toml"
 template:
 src: "../templates/sapp.toml.j2"
diff --git a/ansible/roles/tsg-os-provision/files/tasks/provision.yml.TSGXNXR620G40R01P0804 b/ansible/roles/tsg-os-provision/files/tasks/provision.yml.TSGXNXR620G40R01P0804
index 9994d50b..538f1cd4 100644
--- a/ansible/roles/tsg-os-provision/files/tasks/provision.yml.TSGXNXR620G40R01P0804
+++ b/ansible/roles/tsg-os-provision/files/tasks/provision.yml.TSGXNXR620G40R01P0804
@@ -165,6 +165,12 @@
 dest: /opt/tsg/sapp/plug/business/session_record/session_record.inf
 tags: firewall
+ - name: "tsg-os-provision: Template the firewall.inf"
+ template:
+ src: "../templates/firewall.inf.j2"
+ dest: /opt/tsg/sapp/plug/business/firewall/firewall.inf
+ tags: firewall
+
 - name: "tsg-os-provision: Template the sapp.toml"
 template:
 src: "../templates/sapp.toml.j2"
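Review bot: The new firewall.inf template task sets no `owner`, `group` or `mode`, so the written file's permissions come from the remote user's umask on first creation or from whatever mode a pre-existing file already has; this file names the shared object and entry points the sapp process loads (`SO_PATH=./plug/business/firewall/firewall.so`, `INIT_FUNC`, `DESTROY_FUNC` in firewall.inf.j2.j2), so a group- or world-writable copy would let a local user redirect the loader to an arbitrary .so. Add `owner: root`, `group: root` and `mode: "0644"` (quoted so YAML does not read the octal literal as a decimal) under `template:`, and do the same in the identical tasks added for the other three models in this diff. Nothing here notifies a handler, so a regenerated firewall.inf — including one that newly drops the SIP or DTLS section — only takes effect at the next sapp restart; if the session_record.inf task above this hunk has a restart handler, wire the same one here. The enclosing task list continues outside the hunk.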
diff --git a/ansible/roles/tsg-os-provision/files/tasks/provision.yml.TSGXNXR620G40R01P1403 b/ansible/roles/tsg-os-provision/files/tasks/provision.yml.TSGXNXR620G40R01P1403
index 8c86b4f3..a2e2c6d9 100644
--- a/ansible/roles/tsg-os-provision/files/tasks/provision.yml.TSGXNXR620G40R01P1403
+++ b/ansible/roles/tsg-os-provision/files/tasks/provision.yml.TSGXNXR620G40R01P1403
@@ -78,6 +78,12 @@
 dest: /opt/tsg/sapp/plug/business/session_record/session_record.inf
 tags: firewall
+ - name: "tsg-os-provision: Template the firewall.inf"
+ template:
+ src: "../templates/firewall.inf.j2"
+ dest: /opt/tsg/sapp/plug/business/firewall/firewall.inf
+ tags: firewall
+
 - name: "tsg-os-provision: Template the sapp.toml"
 template:
 src: "../templates/sapp.toml.j2"