extend plugin-docs

Author: superstes

docs/meta/sitemap.xml

@@ -7,6 +7,10 @@
    <url><loc>https://ftf.oxl.app/usage/3_run.html</loc></url>
    <url><loc>https://ftf.oxl.app/usage/4_config.html</loc></url>
 
+   <url><loc>https://ftf.oxl.app/plugins/firewall_netfilter.html</loc></url>
+   <url><loc>https://ftf.oxl.app/plugins/firewall_opnsense.html</loc></url>
+   <url><loc>https://ftf.oxl.app/plugins/os_linux.html</loc></url>
+
    <url><loc>https://ftf.oxl.app/dev/1_intro.html</loc></url>
    <url><loc>https://ftf.oxl.app/dev/2_plugins.html</loc></url>
 </urlset>

docs/source/plugins/firewall_netfilter.rst

@@ -0,0 +1,77 @@
+.. _plugins_fw_netfilter:
+
+.. include:: ../_include/head.rst
+
+====================
+Firewall - Netfilter
+====================
+
+Config Export
+#############
+
+You have to simply run this command:
+
+.. code-block:: bash
+
+    sudo nft -j list ruleset > ruleset.json
+
+Optional: To get a more readable JSON-output, you can use the :code:`jq` tool to format it:
+
+.. code-block:: bash
+
+    sudo apt install jq  # json-query
+
+    sudo nft -j list ruleset | jq > ruleset.json
+
+
+----
+
+Source Code
+###########
+
+* **System Config**: `system/system_linux_netfilter.py <https://github.com/O-X-L/firewall-testing-framework/blob/latest/src/firewall_test/plugins/system/system_linux_netfilter.py>`_
+
+* **Config Parsing**: `translate/netfilter/ <https://github.com/O-X-L/firewall-testing-framework/tree/latest/src/firewall_test/plugins/translate/netfilter>`_
+
+* **Traffic Matching**: `system/firewall_netfilter.py <https://github.com/O-X-L/firewall-testing-framework/blob/latest/src/firewall_test/plugins/system/firewall_netfilter.py>`_
+
+----
+
+Config-Parsing
+##############
+
+The current implementation focused on supporting the most widely used rule matches like:
+
+* Layer 3 Protocol (IPv4/IPv6)
+* Layer 4 Protocol (tcp/udp/icmp)
+* Source- and Destination-IP filters
+* Source- and Destination-Port filters
+* Source- and Destination-NAT (including masquerade)
+* Inbound- and Outbound-Network-Interfaces
+* CT-State
+
+The main match-parsing logic can be found here: `translate/netfilter/elements.py NftMatch & NftRule <https://github.com/O-X-L/firewall-testing-framework/tree/latest/src/firewall_test/plugins/translate/netfilter/elements.py>`_
+
+If we were not able to parse any match from the rule-config - the rule will be skipped.
+
+If this happens you will see a warning at runtime! (:code:`Unsupported rule`)
+
+Unsupported Expressions
+=======================
+
+Rules only containing unsupported expressions will be skipped for now.
+
+If this happens you will see a warning at runtime! (:code:`Unsupported rule-expression`)
+
+These rule-expressions are unsupported for now:
+
+* :code:`log`
+* :code:`comment`
+* :code:`limit`
+* :code:`set` (*static sets are supported - but dynamic ones like meters are not!*)
+* :code:`vmap`
+* :code:`counter`
+* :code:`xt` (*only SNAT-masquerade is currently supported*)
+* :code:`ct helper`
+* :code:`&`
+* TCP flags

docs/source/plugins/firewall_opnsense.rst

@@ -0,0 +1,30 @@
+.. _plugins_fw_opnsense:
+
+.. include:: ../_include/head.rst
+
+===================
+Firewall - OPNsense
+===================
+
+.. warning::
+
+    This plugin is still in early development!
+
+Config Export
+#############
+
+1. `Download a Config-Backup <https://docs.opnsense.org/manual/backups.html>`_
+
+2. `Supply the runtime routes manually <https://docs.opnsense.org/manual/routes.html#status>`_ or `query them via API <https://docs.opnsense.org/development/api/core/diagnostics.html#id6>`_
+
+----
+
+Source Code
+###########
+
+* **System Config**: `system/system_opnsense.py <https://github.com/O-X-L/firewall-testing-framework/blob/latest/src/firewall_test/plugins/system/system_opnsense.py>`_
+
+* **Config Parsing**: `translate/opnsense/ <https://github.com/O-X-L/firewall-testing-framework/tree/latest/src/firewall_test/plugins/translate/opnsense>`_
+
+* **Traffic Matching**: `system/firewall_opnsense.py <https://github.com/O-X-L/firewall-testing-framework/blob/latest/src/firewall_test/plugins/system/firewall_opnsense.py>`_
+

docs/source/plugins/system_linux.rst

@@ -0,0 +1,39 @@
+.. _plugins_sys_linux:
+
+.. include:: ../_include/head.rst
+
+==============
+System - Linux
+==============
+
+Config Export
+#############
+
+This plugin only supports `iproute2 <https://wiki.linuxfoundation.org/networking/iproute2>`_!
+
+You have to simply run these commands:
+
+.. code-block:: bash
+
+    ip -j address show > interfaces.json
+    ip -j route show table all > routes.json
+    ip -j rule show > route-rules.jso
+
+Optional: To get a more readable JSON-output, you can use the :code:`jq` tool to format it:
+
+.. code-block:: bash
+
+    sudo apt install jq  # json-query
+
+    ip -j address show | jq > interfaces.json
+    ip -j route show table all | jq > routes.json
+    ip -j rule show | jq > route-rules.jso
+
+----
+
+Source Code
+###########
+
+* **System Config**: `system/system_linux_netfilter.py <https://github.com/O-X-L/firewall-testing-framework/blob/latest/src/firewall_test/plugins/system/system_linux_netfilter.py>`_
+
+* **Config Parsing**: `translate/linux.py <https://github.com/O-X-L/firewall-testing-framework/tree/latest/src/firewall_test/plugins/translate/linux.py>`_

docs/source/usage/2_system_support.rst

@@ -35,37 +35,30 @@ For Firewall-Ruleset parsing.
 
     - Support
 
-    - Config-Export Command
-
-    - Source Code
+    - Plugin Docs
 
   * - `Netfilter <https://www.netfilter.org/>`_ on Linux
 
     - `NFTables <https://www.netfilter.org/projects/nftables/index.html>`_ or `IPTables <https://www.netfilter.org/projects/iptables/index.html>`_
 
     - Experimental
 
-    - :code:`sudo nft -j list ruleset > ruleset.json`
+    - :ref:`Plugins - Firewall Netfilter <plugins_fw_netfilter>`
 
-    - `system/firewall_netfilter.py <https://github.com/O-X-L/firewall-testing-framework/blob/latest/src/firewall_test/plugins/system/firewall_netfilter.py>`_,
-      `translate/netfilter/ <https://github.com/O-X-L/firewall-testing-framework/tree/latest/src/firewall_test/plugins/translate/netfilter>`_
 
   * - `OPNsense <https://opnsense.org/>`_
 
     - \-
 
     - Development
 
-    - `Download a Config-Backup <https://docs.opnsense.org/manual/backups.html>`_, `Querying runtime routes via API <https://docs.opnsense.org/development/api/core/diagnostics.html#id6>`_
+    - :ref:`Plugins - Firewall OPNsense <plugins_fw_opnsense>`
 
-    - `system/firewall_opnsense.py <https://github.com/O-X-L/firewall-testing-framework/blob/latest/src/firewall_test/plugins/system/firewall_opnsense.py>`_,
-      `system/system_opnsense.py <https://github.com/O-X-L/firewall-testing-framework/blob/latest/src/firewall_test/plugins/system/system_opnsense.py>`_,
-      `translate/opnsense/ <https://github.com/O-X-L/firewall-testing-framework/tree/latest/src/firewall_test/plugins/translate/opnsense>`_
 
 ----
 
-Operating System Support
-########################
+Networking System Support
+#########################
 
 For Routing- and Network-Interface parsing.
 
@@ -74,23 +67,18 @@ For Routing- and Network-Interface parsing.
   :widths: 10 10 10 45 25
   :header-rows: 1
 
-  * - OS
+  * - System
 
     - Description
 
     - Support
 
-    - Config-Export Command
-
-    - Source Code
+    - Plugin Docs
 
   * - Linux
 
-    - iproute2
+    - `iproute2 <https://wiki.linuxfoundation.org/networking/iproute2>`_
 
     - Yes
 
-    - :code:`ip -j address show > interfaces.json && ip -j route show table all > routes.json && ip -j rule show > route-rules.json`
-
-    - `system/system_linux_netfilter.py <https://github.com/O-X-L/firewall-testing-framework/blob/latest/src/firewall_test/plugins/system/system_linux_netfilter.py>`_,
-      `translate/linux.py <https://github.com/O-X-L/firewall-testing-framework/blob/latest/src/firewall_test/plugins/translate/linux.py>`_
+    - :ref:`Plugins - System Linux <plugins_sys_linux>`

src/firewall_test/plugins/translate/netfilter/elements.py

@@ -377,7 +377,7 @@ def __init__(self, table: NftTable, chain: NftChain, raw: dict, seq: int, sets:
                     e in expression for e in IGNORE_RULE_EXPRESSIONS
                 )
                 if not ignored:
-                    log_warn('Firewall Plugin', f'Got unsupported rule-expression: "{expression}"')
+                    log_warn('Firewall Plugin', f'Unsupported rule-expression: "{expression}"')
 
         for match in self.matches:
             if match.value_is_set: