def _apply_default_rules(self):
for ipv in [ "ipv4", "ipv6", "eb" ]:
self.__apply_default_rules(ipv)
if self.ipv6_rpfilter_enabled and \
self.is_table_available("ipv6", "raw"):
# here is no check for ebtables.restore_noflush_option needed
# as ebtables is not used in here
rules = [
("ipv6", [ "PREROUTING", 1, "-t", "raw",
"-p", "icmpv6", "--icmpv6-type=router-advertisement",
"-j", "ACCEPT" ]), # RHBZ#1058505
("ipv6", [ "PREROUTING", 2, "-t", "raw",
"-m", "rpfilter", "--invert", "-j", "DROP" ]),
]
if self._log_denied != "off":
rules.append(("ipv6", [ "PREROUTING", 2, "-t", "raw",
"-m", "rpfilter", "--invert",
"-j", "LOG",
"--log-prefix", "rpfilter_DROP: " ]))
# handle rules
ret = self.handle_rules(rules, True, insert=True)
if ret:
(cleanup_rules, msg) = ret
self.handle_rules(cleanup_rules, False)
log.error(msg)
def readfile(filename):
try:
with open(filename, "r") as f:
return f.readlines()
except Exception as e:
log.error('Failed to read file "%s": %s' % (filename, e))
return None
def handle_rules2(self, rules, enable, insert=False):
if insert:
append_delete = { True: "-I", False: "-D", }
else:
append_delete = { True: "-A", False: "-D", }
# appends rules
# returns None if all worked, else (cleanup rules, error message)
for i,value in enumerate(rules):
if len(value) == 5:
(ipv, table, chain, rule, insert) = value
else:
(ipv, table, chain, rule) = value
# drop insert rule number if it exists
if insert and not enable and isinstance(rule[1], int):
rule.pop(1)
if not self.is_table_available(ipv, table):
if ((ipv == "ipv4" and self.ip4tables_enabled) or
(ipv == "ipv6" and self.ip6tables_enabled)):
log.error("Unable to add %s into %s %s" % (rule, ipv, table))
continue
# run
try:
self.rule(ipv, [ "-t", table,
append_delete[enable], chain, ] + rule)
except Exception as msg:
log.error(msg)
return (rules[:i], msg) # cleanup rules and error message
return None
def read(self):
self.clear()
try:
f = open(self.filename, "r")
except Exception as msg:
log.error("Failed to load '%s': %s", self.filename, msg)
raise
for line in f:
if not line:
break
line = line.strip()
if len(line) < 1 or line[0] in ['#', ';']:
continue
# get key/value pair
pair = [ x.strip() for x in line.split("=", 1) ]
if len(pair) != 2:
log.warning("%: Invalid option definition: '%s'", self.filename, line.strip())
continue
elif pair[1] == '':
continue
elif self._config.get(pair[0]) is not None:
log.warning("%s: Duplicate option definition: '%s'", self.filename, line.strip())
continue
self._config[pair[0]] = pair[1]
f.close()
def run_server(debug_gc=False):
""" Main function for firewall server. Handles D-Bus and GLib mainloop.
"""
service = None
if debug_gc:
from pprint import pformat
import gc
gc.enable()
gc.set_debug(gc.DEBUG_LEAK)
gc_timeout = 10
def gc_collect():
gc.collect()
if len(gc.garbage) > 0:
print("\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n")
print("GARBAGE OBJECTS (%d):\n" % len(gc.garbage))
for x in gc.garbage:
print(type(x),"\n ",)
print(pformat(x))
print("\n<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
"<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n")
id = GLib.timeout_add_seconds(gc_timeout, gc_collect)
try:
dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
bus = dbus.SystemBus()
name = dbus.service.BusName(config.dbus.DBUS_INTERFACE, bus=bus)
service = FirewallD(name, config.dbus.DBUS_PATH)
mainloop = GLib.MainLoop()
slip.dbus.service.set_mainloop(mainloop)
if debug_gc:
id = GLib.timeout_add_seconds(gc_timeout, gc_collect)
# use unix_signal_add if available, else unix_signal_add_full
if hasattr(GLib, 'unix_signal_add'):
unix_signal_add = GLib.unix_signal_add
else:
unix_signal_add = GLib.unix_signal_add_full
unix_signal_add(GLib.PRIORITY_HIGH, signal.SIGHUP,
sighup, service)
unix_signal_add(GLib.PRIORITY_HIGH, signal.SIGTERM,
sigterm, mainloop)
mainloop.run()
except KeyboardInterrupt as e:
log.debug1("Stopping..")
except SystemExit as e:
log.error("Raising SystemExit in run_server")
except Exception as e:
log.error("Exception %s: %s", e.__class__.__name__, str(e))
if service:
service.stop()
def tempFile():
try:
return tempfile.NamedTemporaryFile(mode='wt', prefix="temp.",
dir=FIREWALLD_TEMPDIR, delete=False)
except Exception as msg:
log.error("Failed to create temporary file: %s" % msg)
raise
return None
def remove_ipset(self, name):
obj = self._ipsets[name]
try:
self._fw._ipset.destroy(name)
except Exception as msg:
log.error("Failed to destroy ipset '%s'" % name)
log.error(msg)
del self._ipsets[name]
def writefile(filename, line):
try:
with open(filename, "w") as f:
f.write(line)
except Exception as e:
log.error('Failed to write to file "%s": %s' % (filename, e))
return False
return True
def post(self):
log.debug4("%s.post()" % type(self))
for (func, args) in self.post_funcs:
try:
func(*args)
except Exception as msg:
log.error("Calling post func %s(%s) failed: %s" % \
(func, args, msg))
def handle_exceptions(func, *args, **kwargs):
"""Decorator to handle exceptions and log them. Used if not conneced
to D-Bus.
"""
try:
return func(*args, **kwargs)
except FirewallError as error:
log.error(error)
except Exception as msg:
log.exception()
def remove_ipset(self, name, keep=False):
obj = self._ipsets[name]
if obj.applied and not keep:
try:
self._fw.ipset_backend.destroy(name)
except Exception as msg:
log.error("Failed to destroy ipset '%s'" % name)
log.error(msg)
else:
log.debug1("Keeping ipset '%s' because of timeout option", name)
del self._ipsets[name]
def _start_check(self):
try:
x = self.ipset_backend.list()
except:
log.error("ipset not usable, disabling ipset usage in firewall.")
# ipset is not usable, no supported types
self.ipset_enabled = False
self.ipset_supported_types = [ ]
else:
# ipset is usable, get all supported types
self.ipset_supported_types = self.ipset_backend.supported_types()
def tempFile():
try:
if not os.path.exists(FIREWALLD_TEMPDIR):
os.mkdir(FIREWALLD_TEMPDIR, 0o750)
return tempfile.NamedTemporaryFile(mode='wt', prefix="temp.",
dir=FIREWALLD_TEMPDIR, delete=False)
except Exception as msg:
log.error("Failed to create temporary file: %s" % msg)
raise
return None
def available_tables(self, table=None):
ret = []
tables = [ table ] if table else CHAINS.keys()
for table in tables:
try:
self.__run(["-t", table, "-L"])
ret.append(table)
except ValueError:
log.error("%s table '%s' does not exist (or not enough permission to check)." % (self.ipv, table))
return ret
def handle_chains(self, rules, enable):
new_delete = { True: "-N", False: "-X" }
# appends chains
# returns None if all worked, else (cleanup chains, error message)
for i,(ipv, rule) in enumerate(rules):
try:
self.rule(ipv, [ new_delete[enable], ] + rule)
except Exception as msg:
log.error(msg)
return (rules[:i], msg) # cleanup chains and error message
return None
def set_entries(self, ipset, entries, sender=None):
obj = self.get_ipset(ipset)
if "timeout" in obj.options:
# no entries visible for ipsets with timeout
raise FirewallError(IPSET_WITH_TIMEOUT, ipset)
for entry in entries:
IPSet.check_entry(entry, obj.options, obj.type)
for entry in obj.entries:
try:
self._fw._ipset.remove(obj.name, entry)
except Exception as msg:
log.error("Failed to remove entry '%s' from ipset '%s'" % \
(entry, obj.name))
log.error(msg)
obj.entries.clear()
for entry in entries:
try:
self._fw._ipset.add(obj.name, entry)
except Exception as msg:
log.error("Failed to remove entry '%s' from ipset '%s'" % \
(entry, obj.name))
log.error(msg)
else:
obj.entries.append(entry)
def startElement(self, name, attrs):
IO_Object_ContentHandler.startElement(self, name, attrs)
self.item.parser_check_element_attrs(name, attrs)
if name == "direct":
if self.direct:
raise FirewallError(errors.PARSE_ERROR,
"More than one direct tag.")
self.direct = True
elif name == "chain":
if not self.direct:
log.error("Parse Error: chain outside of direct")
return
ipv = attrs["ipv"]
table = attrs["table"]
chain = attrs["chain"]
self.item.add_chain(u2b_if_py2(ipv), u2b_if_py2(table),
u2b_if_py2(chain))
elif name == "rule":
if not self.direct:
log.error("Parse Error: rule outside of direct")
return
ipv = attrs["ipv"]
if ipv not in [ "ipv4", "ipv6", "eb" ]:
raise FirewallError(errors.INVALID_IPV,
"'%s' not from {'ipv4'|'ipv6'|'eb'}" % ipv)
table = attrs["table"]
chain = attrs["chain"]
try:
priority = int(attrs["priority"])
except ValueError:
log.error("Parse Error: %s is not a valid priority" %
attrs["priority"])
return
self._rule = [ u2b_if_py2(ipv), u2b_if_py2(table),
u2b_if_py2(chain), priority ]
elif name == "passthrough":
if not self.direct:
log.error("Parse Error: command outside of direct")
return
ipv = attrs["ipv"]
self._passthrough = [ u2b_if_py2(ipv) ]
else:
log.error('Unknown XML element %s' % name)
return
def flush(self, transaction=None):
tables = self.used_tables()
for table in tables:
# Flush firewall rules: -F
# Delete firewall chains: -X
# Set counter to zero: -Z
msgs = {"-F": "flush", "-X": "delete chains", "-Z": "zero counters"}
for flag in ["-F", "-X", "-Z"]:
if transaction is not None:
transaction.add_rule(self.ipv, ["-t", table, flag])
else:
try:
self.__run(["-t", table, flag])
except Exception as msg:
log.error("Failed to %s %s: %s", msgs[flag], self.ipv, msg)
def set_policy(self, policy, which="used", transaction=None):
if which == "used":
tables = self.used_tables()
else:
tables = list(BUILT_IN_CHAINS.keys())
for table in tables:
for chain in BUILT_IN_CHAINS[table]:
if transaction is not None:
transaction.add_rule(self.ipv, ["-t", table, "-P", chain, policy])
else:
try:
self.__run(["-t", table, "-P", chain, policy])
except Exception as msg:
log.error("Failed to set policy for %s: %s", self.ipv, msg)
def set_policy(self, policy, which="used", use_transaction=None):
if use_transaction is None:
transaction = FirewallTransaction(self)
else:
transaction = use_transaction
log.debug1("Setting policy to '%s'", policy)
for ipv in self.enabled_backends():
try:
self.get_ipv_backend(ipv).set_policy(policy, which, transaction)
except Exception as e:
log.error("Failed to set policy of %s firewall: %s" % (ipv, e))
if use_transaction is None:
transaction.execute(True)
def flush(self, use_transaction=None):
if use_transaction is None:
transaction = FirewallTransaction(self)
else:
transaction = use_transaction
log.debug1("Flushing rule set")
for ipv in self.enabled_backends():
try:
self.get_ipv_backend(ipv).flush(transaction)
except Exception as e:
log.error("Failed to flush %s firewall: %s" % (ipv, e))
if use_transaction is None:
transaction.execute(True)
def _remove_service(self, obj):
if obj.name not in self._services:
raise FirewallError(errors.INVALID_SERVICE, obj.name)
if obj.path != config.ETC_FIREWALLD_SERVICES:
raise FirewallError(errors.INVALID_DIRECTORY,
"'%s' != '%s'" % \
(obj.path, config.ETC_FIREWALLD_SERVICES))
name = "%s/%s.xml" % (obj.path, obj.name)
try:
shutil.move(name, "%s.old" % name)
except Exception as msg:
log.error("Backup of file '%s' failed: %s", name, msg)
os.remove(name)
del self._services[obj.name]
def _remove_zone(self, obj):
if obj.name not in self._zones:
raise FirewallError(errors.INVALID_ZONE, obj.name)
if not obj.path.startswith(config.ETC_FIREWALLD_ZONES):
raise FirewallError(errors.INVALID_DIRECTORY,
"'%s' doesn't start with '%s'" % \
(obj.path, config.ETC_FIREWALLD_ZONES))
name = "%s/%s.xml" % (obj.path, obj.name)
try:
shutil.move(name, "%s.old" % name)
except Exception as msg:
log.error("Backup of file '%s' failed: %s", name, msg)
os.remove(name)
del self._zones[obj.name]
def endElement(self, name):
IO_Object_ContentHandler.endElement(self, name)
if name == "rule":
if not self._rule_error:
try:
self._rule.check()
except Exception as e:
log.error("%s: %s" % (e, str(self._rule)))
self._rule_error = True
if self._rule_error and self._rule in self.item.rules:
self.item.rules.remove(self._rule)
self._rule = None
self._rule_error = False
elif name in [ "accept", "reject", "drop", "log", "audit" ]:
self._limit_ok = None
def dbus_handle_exceptions(func, *args, **kwargs):
"""Decorator to handle exceptions, log and report them into D-Bus
:Raises DBusException: on a firewall error code problems.
"""
try:
return func(*args, **kwargs)
except FirewallError as error:
log.error(str(error))
raise FirewallDBusException(str(error))
except DBusException as e:
# only log DBusExceptions once
raise e
except Exception as e:
log.exception()
raise FirewallDBusException(str(e))
def _check_tables(self):
# check if iptables, ip6tables and ebtables are usable, else disable
if "filter" not in ipXtables.ip4tables_available_tables:
log.warning("iptables not usable, disabling IPv4 firewall.")
self.ip4tables_enabled = False
if "filter" not in ipXtables.ip6tables_available_tables:
log.warning("ip6tables not usable, disabling IPv6 firewall.")
self.ip6tables_enabled = False
if "filter" not in ebtables.ebtables_available_tables:
log.error("ebtables not usable, disabling ethernet bridge firewall.")
self.ebtables_enabled = False
if not self.ip4tables_enabled and not self.ip6tables_enabled:
log.fatal("No IPv4 and IPv6 firewall.")
sys.exit(1)
def prepare(self, enable, rules=None, modules=None):
log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "..."))
rules, modules = super(FirewallTransaction, self).prepare(
enable, rules, modules)
for zone in self.zone_transactions:
try:
self.zone_transactions[zone].prepare(enable, rules)
for module in self.zone_transactions[zone].modules:
if module not in modules:
modules.append(module)
except FirewallError as msg:
log.error("Failed to prepare transaction rules for zone '%s'",
str(msg))
return rules, modules
def set_policy(self, policy, which="used", individual=False):
if which == "used":
tables = self.used_tables()
else:
tables = list(BUILT_IN_CHAINS.keys())
rules = [ ]
for table in tables:
for chain in BUILT_IN_CHAINS[table]:
if individual:
try:
self.__run([ "-t", table, "-P", chain, policy ])
except Exception as msg:
log.error("Failed to set policy for %s: %s", ipv, msg)
else:
rules.append([ "-t", table, "-P", chain, policy ])
if len(rules) > 0:
self.set_rules(rules)
def startElement(self, name, attrs):
self.item.parser_check_element_attrs(name, attrs)
if name == "direct":
if self.direct:
raise FirewallError(PARSE_ERROR, "More than one direct tag.")
self.direct = True
elif name == "chain":
if not self.direct:
log.error("Parse Error: chain outside of direct")
return
ipv = str(attrs["ipv"])
table = str(attrs["table"])
chain = str(attrs["chain"])
self.item.add_chain(ipv, table, chain)
elif name == "rule":
if not self.direct:
log.error("Parse Error: rule outside of direct")
return
ipv = str(attrs["ipv"])
if ipv not in [ "ipv4", "ipv6", "eb" ]:
raise FirewallError(INVALID_IPV, ipv)
table = str(attrs["table"])
chain = str(attrs["chain"])
try:
priority = int(str(attrs["priority"]))
except:
log.error("Parse Error: %s is not a valid priority" %
attrs["priority"])
return
self._rule = [ipv, table, chain, priority]
elif name == "passthrough":
if not self.direct:
log.error("Parse Error: command outside of direct")
return
ipv = str(attrs["ipv"])
self._passthrough = [ipv]
else:
log.error('Unknown XML element %s' % name)
return
def accessCheck(self, sender):
if self.config.lockdown_enabled():
if sender is None:
log.error("Lockdown not possible, sender not set.")
return
bus = dbus.SystemBus()
context = context_of_sender(bus, sender)
if self.config.access_check("context", context):
return
uid = uid_of_sender(bus, sender)
if self.config.access_check("uid", uid):
return
user = user_of_uid(uid)
if self.config.access_check("user", user):
return
command = command_of_sender(bus, sender)
if self.config.access_check("command", command):
return
raise FirewallError(ACCESS_DENIED, "lockdown is enabled")
def execute(self, enable):
log.debug4("%s.execute(%s)" % (type(self), enable))
rules, modules = self.prepare(enable)
# pre
self.pre()
# stage 1: apply rules
error = False
errorMsg = ""
done = []
for backend_name in rules:
try:
self.fw.rules(backend_name, rules[backend_name])
except Exception as msg:
error = True
errorMsg = msg
log.debug1(traceback.format_exc())
log.error(msg)
else:
done.append(backend_name)
# stage 2: load modules
if not error:
module_return = self.fw.handle_modules(modules, enable)
if module_return:
# Debug log about issues loading modules, but don't error. The
# modules may be builtin or CONFIG_MODULES=n, in which case
# modprobe will fail. Or we may be running inside a container
# that doesn't have sufficient privileges. Unfortunately there
# is no way for us to know.
(status, msg) = module_return
if status:
log.debug1(msg)
# error case: revert rules
if error:
undo_rules = {}
for backend_name in done:
undo_rules[backend_name] = []
for rule in reversed(rules[backend_name]):
undo_rules[backend_name].append(
self.fw.get_backend_by_name(backend_name).reverse_rule(
rule))
for backend_name in undo_rules:
try:
self.fw.rules(backend_name, undo_rules[backend_name])
except Exception as msg:
log.debug1(traceback.format_exc())
log.error(msg)
# call failure functions
for (func, args) in self.fail_funcs:
try:
func(*args)
except Exception as msg:
log.debug1(traceback.format_exc())
log.error("Calling fail func %s(%s) failed: %s" % \
(func, args, msg))
raise FirewallError(errors.COMMAND_FAILED, errorMsg)
# post
self.post()
def helper_writer(helper, path=None):
_path = path if path else helper.path
if helper.filename:
name = "%s/%s" % (_path, helper.filename)
else:
name = "%s/%s.xml" % (_path, helper.name)
if os.path.exists(name):
try:
shutil.copy2(name, "%s.old" % name)
except Exception as msg:
log.error("Backup of file '%s' failed: %s", name, msg)
dirpath = os.path.dirname(name)
if dirpath.startswith(ETC_FIREWALLD) and not os.path.exists(dirpath):
if not os.path.exists(ETC_FIREWALLD):
os.mkdir(ETC_FIREWALLD, 0o750)
os.mkdir(dirpath, 0o750)
f = io.open(name, mode='wt', encoding='UTF-8')
handler = IO_Object_XMLGenerator(f)
handler.startDocument()
# start helper element
attrs = {}
attrs["module"] = helper.module
if helper.version and helper.version != "":
attrs["version"] = helper.version
if helper.family and helper.family != "":
attrs["family"] = helper.family
handler.startElement("helper", attrs)
handler.ignorableWhitespace("\n")
# short
if helper.short and helper.short != "":
handler.ignorableWhitespace(" ")
handler.startElement("short", { })
handler.characters(helper.short)
handler.endElement("short")
handler.ignorableWhitespace("\n")
# description
if helper.description and helper.description != "":
handler.ignorableWhitespace(" ")
handler.startElement("description", { })
handler.characters(helper.description)
handler.endElement("description")
handler.ignorableWhitespace("\n")
# ports
for port in helper.ports:
handler.ignorableWhitespace(" ")
handler.simpleElement("port", { "port": port[0], "protocol": port[1] })
handler.ignorableWhitespace("\n")
# end helper element
handler.endElement('helper')
handler.ignorableWhitespace("\n")
handler.endDocument()
f.close()
del handler
def _start(self, reload=False, complete_reload=False):
# initialize firewall
default_zone = config.FALLBACK_ZONE
# load firewalld config
log.debug1("Loading firewalld config file '%s'", config.FIREWALLD_CONF)
try:
self._firewalld_conf.read()
except Exception as msg:
log.warning(msg)
log.warning("Using fallback firewalld configuration settings.")
else:
if self._firewalld_conf.get("DefaultZone"):
default_zone = self._firewalld_conf.get("DefaultZone")
if self._firewalld_conf.get("CleanupOnExit"):
value = self._firewalld_conf.get("CleanupOnExit")
if value is not None and value.lower() in ["no", "false"]:
self.cleanup_on_exit = False
log.debug1("CleanupOnExit is set to '%s'",
self.cleanup_on_exit)
if self._firewalld_conf.get("CleanupModulesOnExit"):
value = self._firewalld_conf.get("CleanupModulesOnExit")
if value is not None and value.lower() in ["yes", "true"]:
self.cleanup_modules_on_exit = True
log.debug1("CleanupModulesOnExit is set to '%s'",
self.cleanup_modules_on_exit)
if self._firewalld_conf.get("Lockdown"):
value = self._firewalld_conf.get("Lockdown")
if value is not None and value.lower() in ["yes", "true"]:
log.debug1("Lockdown is enabled")
try:
self.policies.enable_lockdown()
except FirewallError:
# already enabled, this is probably reload
pass
if self._firewalld_conf.get("IPv6_rpfilter"):
value = self._firewalld_conf.get("IPv6_rpfilter")
if value is not None:
if value.lower() in ["no", "false"]:
self.ipv6_rpfilter_enabled = False
if value.lower() in ["yes", "true"]:
self.ipv6_rpfilter_enabled = True
if self.ipv6_rpfilter_enabled:
log.debug1("IPv6 rpfilter is enabled")
else:
log.debug1("IPV6 rpfilter is disabled")
if self._firewalld_conf.get("IndividualCalls"):
value = self._firewalld_conf.get("IndividualCalls")
if value is not None and value.lower() in ["yes", "true"]:
log.debug1("IndividualCalls is enabled")
self._individual_calls = True
if self._firewalld_conf.get("LogDenied"):
value = self._firewalld_conf.get("LogDenied")
if value is None or value.lower() == "no":
self._log_denied = "off"
else:
self._log_denied = value.lower()
log.debug1("LogDenied is set to '%s'", self._log_denied)
if self._firewalld_conf.get("FirewallBackend"):
self._firewall_backend = self._firewalld_conf.get(
"FirewallBackend")
log.debug1("FirewallBackend is set to '%s'",
self._firewall_backend)
if self._firewalld_conf.get("FlushAllOnReload"):
value = self._firewalld_conf.get("FlushAllOnReload")
if value.lower() in ["no", "false"]:
self._flush_all_on_reload = False
else:
self._flush_all_on_reload = True
log.debug1("FlushAllOnReload is set to '%s'",
self._flush_all_on_reload)
if self._firewalld_conf.get("RFC3964_IPv4"):
value = self._firewalld_conf.get("RFC3964_IPv4")
if value.lower() in ["no", "false"]:
self._rfc3964_ipv4 = False
else:
self._rfc3964_ipv4 = True
log.debug1("RFC3964_IPv4 is set to '%s'", self._rfc3964_ipv4)
if self._firewalld_conf.get("AllowZoneDrifting"):
value = self._firewalld_conf.get("AllowZoneDrifting")
if value.lower() in ["no", "false"]:
self._allow_zone_drifting = False
else:
self._allow_zone_drifting = True
if not self._offline:
log.warning(
"AllowZoneDrifting is enabled. This is considered "
"an insecure configuration option. It will be "
"removed in a future release. Please consider "
"disabling it now.")
log.debug1("AllowZoneDrifting is set to '%s'",
self._allow_zone_drifting)
self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))
self._select_firewall_backend(self._firewall_backend)
if not self._offline:
self._start_check()
# load lockdown whitelist
log.debug1("Loading lockdown whitelist")
try:
self.policies.lockdown_whitelist.read()
except Exception as msg:
if self.policies.query_lockdown():
log.error("Failed to load lockdown whitelist '%s': %s",
self.policies.lockdown_whitelist.filename, msg)
else:
log.debug1("Failed to load lockdown whitelist '%s': %s",
self.policies.lockdown_whitelist.filename, msg)
# copy policies to config interface
self.config.set_policies(copy.deepcopy(self.policies))
# load ipset files
self._loader(config.FIREWALLD_IPSETS, "ipset")
self._loader(config.ETC_FIREWALLD_IPSETS, "ipset")
# load icmptype files
self._loader(config.FIREWALLD_ICMPTYPES, "icmptype")
self._loader(config.ETC_FIREWALLD_ICMPTYPES, "icmptype")
if len(self.icmptype.get_icmptypes()) == 0:
log.error("No icmptypes found.")
# load helper files
self._loader(config.FIREWALLD_HELPERS, "helper")
self._loader(config.ETC_FIREWALLD_HELPERS, "helper")
# load service files
self._loader(config.FIREWALLD_SERVICES, "service")
self._loader(config.ETC_FIREWALLD_SERVICES, "service")
if len(self.service.get_services()) == 0:
log.error("No services found.")
# load zone files
self._loader(config.FIREWALLD_ZONES, "zone")
self._loader(config.ETC_FIREWALLD_ZONES, "zone")
if len(self.zone.get_zones()) == 0:
log.fatal("No zones found.")
sys.exit(1)
# load policy files
self._loader(config.FIREWALLD_POLICIES, "policy")
self._loader(config.ETC_FIREWALLD_POLICIES, "policy")
# check minimum required zones
error = False
for z in ["block", "drop", "trusted"]:
if z not in self.zone.get_zones():
log.fatal("Zone '%s' is not available.", z)
error = True
if error:
sys.exit(1)
# check if default_zone is a valid zone
if default_zone not in self.zone.get_zones():
if "public" in self.zone.get_zones():
zone = "public"
elif "external" in self.zone.get_zones():
zone = "external"
else:
zone = "block" # block is a base zone, therefore it has to exist
log.error("Default zone '%s' is not valid. Using '%s'.",
default_zone, zone)
default_zone = zone
else:
log.debug1("Using default zone '%s'", default_zone)
# load direct rules
obj = Direct(config.FIREWALLD_DIRECT)
if os.path.exists(config.FIREWALLD_DIRECT):
log.debug1("Loading direct rules file '%s'" % \
config.FIREWALLD_DIRECT)
try:
obj.read()
except Exception as msg:
log.error("Failed to load direct rules file '%s': %s",
config.FIREWALLD_DIRECT, msg)
self.direct.set_permanent_config(obj)
self.config.set_direct(copy.deepcopy(obj))
self._default_zone = self.check_zone(default_zone)
if self._offline:
return
# check if needed tables are there
self._check_tables()
if log.getDebugLogLevel() > 0:
# get time before flushing and applying
tm1 = time.time()
# Start transaction
transaction = FirewallTransaction(self)
# flush rules
self.flush(use_transaction=transaction)
# If modules need to be unloaded in complete reload or if there are
# ipsets to get applied, limit the transaction to flush.
#
# Future optimization for the ipset case in reload: The transaction
# only needs to be split here if there are conflicting ipset types in
# exsting ipsets and the configuration in firewalld.
if (reload and complete_reload) or \
(self.ipset_enabled and self.ipset.has_ipsets()):
transaction.execute(True)
transaction.clear()
# complete reload: unload modules also
if reload and complete_reload:
log.debug1("Unloading firewall modules")
self.modules_backend.unload_firewall_modules()
self.apply_default_tables(use_transaction=transaction)
transaction.execute(True)
transaction.clear()
# apply settings for loaded ipsets while reloading here
if self.ipset_enabled and self.ipset.has_ipsets():
log.debug1("Applying ipsets")
self.ipset.apply_ipsets()
# Start or continue with transaction
# apply default rules
log.debug1("Applying default rule set")
self.apply_default_rules(use_transaction=transaction)
# apply settings for loaded zones
log.debug1("Applying used zones")
self.zone.apply_zones(use_transaction=transaction)
self.zone.change_default_zone(None,
self._default_zone,
use_transaction=transaction)
# apply policies
log.debug1("Applying used policies")
self.policy.apply_policies(use_transaction=transaction)
# Execute transaction
transaction.execute(True)
# Start new transaction for direct rules
transaction.clear()
# apply direct chains, rules and passthrough rules
if self.direct.has_configuration():
log.debug1("Applying direct chains rules and passthrough rules")
self.direct.apply_direct(transaction)
# since direct rules are easy to make syntax errors lets highlight
# the cause if the transaction fails.
try:
transaction.execute(True)
transaction.clear()
except FirewallError as e:
raise FirewallError(e.code,
"Direct: %s" % (e.msg if e.msg else ""))
except Exception:
raise
del transaction
if log.getDebugLogLevel() > 1:
# get time after flushing and applying
tm2 = time.time()
log.debug2("Flushing and applying took %f seconds" % (tm2 - tm1))
def write(self):
if len(self._config) < 1:
# no changes: nothing to do
return
# handled keys
done = []
try:
(temp_file, temp) = tempfile.mkstemp(
prefix="%s." % os.path.basename(self.filename),
dir=os.path.dirname(self.filename))
except Exception as msg:
log.error("Failed to open temporary file: %s" % msg)
raise
modified = False
empty = False
try:
f = open(self.filename, "r")
except Exception as msg:
if os.path.exists(self.filename):
log.error("Failed to open '%s': %s" % (self.filename, msg))
raise
else:
f = None
else:
for line in f.xreadlines():
if not line:
break
# remove newline
line = line.strip("\n")
if len(line) < 1:
if not empty:
os.write(temp_file, "\n")
empty = True
elif line[0] == '#':
empty = False
os.write(temp_file, line)
os.write(temp_file, "\n")
else:
p = line.split("=")
if len(p) != 2:
empty = False
os.write(temp_file, line + "\n")
continue
key = p[0].strip()
value = p[1].strip()
# check for modified key/value pairs
if key not in done:
if (key in self._config and \
self._config[key] != value):
empty = False
os.write(temp_file, '%s=%s\n' \
% (key, self._config[key]))
modified = True
elif key in self._deleted:
modified = True
else:
empty = False
os.write(temp_file, line + "\n")
done.append(key)
else:
modified = True
# write remaining key/value pairs
if len(self._config) > 0:
for (key, value) in self._config.items():
if key in done:
continue
if not empty:
os.write(temp_file, "\n")
empty = True
os.write(temp_file, '%s=%s\n' % (key, value))
modified = True
if f:
f.close()
os.close(temp_file)
if not modified: # not modified: remove tempfile
os.remove(temp)
return
# make backup
if os.path.exists(self.filename):
try:
shutil.copy2(self.filename, "%s.old" % self.filename)
except Exception as msg:
os.remove(temp)
raise IOError("Backup of '%s' failed: %s" %
(self.filename, msg))
# copy tempfile
try:
shutil.move(temp, self.filename)
except Exception as msg:
os.remove(temp)
raise IOError("Failed to create '%s': %s" % (self.filename, msg))
else:
os.chmod(self.filename, 0600)
def _start(self, reload=False, complete_reload=False):
# initialize firewall
default_zone = config.FALLBACK_ZONE
# load firewalld config
log.debug1("Loading firewalld config file '%s'", config.FIREWALLD_CONF)
try:
self._firewalld_conf.read()
except Exception:
log.warning("Using fallback firewalld configuration settings.")
else:
if self._firewalld_conf.get("DefaultZone"):
default_zone = self._firewalld_conf.get("DefaultZone")
if self._firewalld_conf.get("MinimalMark"):
self._min_mark = int(self._firewalld_conf.get("MinimalMark"))
if self._firewalld_conf.get("CleanupOnExit"):
value = self._firewalld_conf.get("CleanupOnExit")
if value is not None and value.lower() in ["no", "false"]:
self.cleanup_on_exit = False
if self._firewalld_conf.get("Lockdown"):
value = self._firewalld_conf.get("Lockdown")
if value is not None and value.lower() in ["yes", "true"]:
log.debug1("Lockdown is enabled")
try:
self.policies.enable_lockdown()
except FirewallError:
# already enabled, this is probably reload
pass
if self._firewalld_conf.get("IPv6_rpfilter"):
value = self._firewalld_conf.get("IPv6_rpfilter")
if value is not None:
if value.lower() in ["no", "false"]:
self.ipv6_rpfilter_enabled = False
if value.lower() in ["yes", "true"]:
self.ipv6_rpfilter_enabled = True
if self.ipv6_rpfilter_enabled:
log.debug1("IPv6 rpfilter is enabled")
else:
log.debug1("IPV6 rpfilter is disabled")
if self._firewalld_conf.get("IndividualCalls"):
value = self._firewalld_conf.get("IndividualCalls")
if value is not None and value.lower() in ["yes", "true"]:
log.debug1("IndividualCalls is enabled")
self._individual_calls = True
if self._firewalld_conf.get("LogDenied"):
value = self._firewalld_conf.get("LogDenied")
if value is None or value.lower() == "no":
self._log_denied = "off"
else:
self._log_denied = value.lower()
log.debug1("LogDenied is set to '%s'", self._log_denied)
if self._firewalld_conf.get("AutomaticHelpers"):
value = self._firewalld_conf.get("AutomaticHelpers")
if value is not None:
if value.lower() in ["no", "false"]:
self._automatic_helpers = "no"
elif value.lower() in ["yes", "true"]:
self._automatic_helpers = "yes"
else:
self._automatic_helpers = value.lower()
log.debug1("AutomaticHelpers is set to '%s'",
self._automatic_helpers)
self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))
# load lockdown whitelist
log.debug1("Loading lockdown whitelist")
try:
self.policies.lockdown_whitelist.read()
except Exception as msg:
if self.policies.query_lockdown():
log.error("Failed to load lockdown whitelist '%s': %s",
self.policies.lockdown_whitelist.filename, msg)
else:
log.debug1("Failed to load lockdown whitelist '%s': %s",
self.policies.lockdown_whitelist.filename, msg)
# copy policies to config interface
self.config.set_policies(copy.deepcopy(self.policies))
# load ipset files
self._loader(config.FIREWALLD_IPSETS, "ipset")
self._loader(config.ETC_FIREWALLD_IPSETS, "ipset")
# load icmptype files
self._loader(config.FIREWALLD_ICMPTYPES, "icmptype")
self._loader(config.ETC_FIREWALLD_ICMPTYPES, "icmptype")
if len(self.icmptype.get_icmptypes()) == 0:
log.error("No icmptypes found.")
# load helper files
self._loader(config.FIREWALLD_HELPERS, "helper")
self._loader(config.ETC_FIREWALLD_HELPERS, "helper")
# load service files
self._loader(config.FIREWALLD_SERVICES, "service")
self._loader(config.ETC_FIREWALLD_SERVICES, "service")
if len(self.service.get_services()) == 0:
log.error("No services found.")
# load zone files
self._loader(config.FIREWALLD_ZONES, "zone")
self._loader(config.ETC_FIREWALLD_ZONES, "zone")
if len(self.zone.get_zones()) == 0:
log.fatal("No zones found.")
sys.exit(1)
# check minimum required zones
error = False
for z in ["block", "drop", "trusted"]:
if z not in self.zone.get_zones():
log.fatal("Zone '%s' is not available.", z)
error = True
if error:
sys.exit(1)
# check if default_zone is a valid zone
if default_zone not in self.zone.get_zones():
if "public" in self.zone.get_zones():
zone = "public"
elif "external" in self.zone.get_zones():
zone = "external"
else:
zone = "block" # block is a base zone, therefore it has to exist
log.error("Default zone '%s' is not valid. Using '%s'.",
default_zone, zone)
default_zone = zone
else:
log.debug1("Using default zone '%s'", default_zone)
# load direct rules
obj = Direct(config.FIREWALLD_DIRECT)
if os.path.exists(config.FIREWALLD_DIRECT):
log.debug1("Loading direct rules file '%s'" % \
config.FIREWALLD_DIRECT)
try:
obj.read()
except Exception as msg:
log.error("Failed to load direct rules file '%s': %s",
config.FIREWALLD_DIRECT, msg)
self.config.set_direct(copy.deepcopy(obj))
self._default_zone = self.check_zone(default_zone)
self._state = "RUNNING"
def apply_ipsets(self):
active = self._fw.ipset_backend.get_active_terse()
for name in self.get_ipsets():
obj = self._ipsets[name]
obj.applied = False
if name in active and ("timeout" not in obj.options or \
obj.options["timeout"] == "0" or \
obj.type != active[name][0] or \
rm_def_cr_opts(obj.options) != \
active[name][1]):
try:
self._fw.ipset_backend.destroy(name)
except Exception as msg:
log.error("Failed to destroy ipset '%s'" % name)
log.error(msg)
if self._fw.individual_calls():
try:
self._fw.ipset_backend.create(obj.name, obj.type,
obj.options)
except Exception as msg:
log.error("Failed to create ipset '%s'" % obj.name)
log.error(msg)
else:
obj.applied = True
if "timeout" not in obj.options or \
obj.options["timeout"] != "0":
# no entries visible for ipsets with timeout
continue
for entry in obj.entries:
try:
self._fw.ipset_backend.add(obj.name, entry)
except Exception as msg:
log.error("Failed to add entry '%s' to ipset '%s'" % \
(entry, obj.name))
log.error(msg)
else:
try:
self._fw.ipset_backend.restore(obj.name, obj.type,
obj.entries, obj.options,
None)
except Exception as msg:
log.error("Failed to create ipset '%s'" % obj.name)
log.error(msg)
else:
obj.applied = True
def zone_writer(zone, path=None):
_path = path if path else zone.path
if zone.filename:
name = "%s/%s" % (_path, zone.filename)
else:
name = "%s/%s.xml" % (_path, zone.name)
if os.path.exists(name):
try:
shutil.copy2(name, "%s.old" % name)
except Exception as msg:
log.error("Backup of file '%s' failed: %s", name, msg)
dirpath = os.path.dirname(name)
if dirpath.startswith(
config.ETC_FIREWALLD) and not os.path.exists(dirpath):
if not os.path.exists(config.ETC_FIREWALLD):
os.mkdir(config.ETC_FIREWALLD, 0o750)
os.mkdir(dirpath, 0o750)
f = io.open(name, mode='wt', encoding='UTF-8')
handler = IO_Object_XMLGenerator(f)
handler.startDocument()
# start zone element
attrs = {}
if zone.version and zone.version != "":
attrs["version"] = zone.version
if zone.target != DEFAULT_ZONE_TARGET:
attrs["target"] = zone.target
handler.startElement("zone", attrs)
handler.ignorableWhitespace("\n")
common_writer(zone, handler)
# interfaces
for interface in uniqify(zone.interfaces):
handler.ignorableWhitespace(" ")
handler.simpleElement("interface", {"name": interface})
handler.ignorableWhitespace("\n")
# source
for source in uniqify(zone.sources):
handler.ignorableWhitespace(" ")
if "ipset:" in source:
handler.simpleElement("source", {"ipset": source[6:]})
else:
handler.simpleElement("source", {"address": source})
handler.ignorableWhitespace("\n")
# icmp-block-inversion
if zone.icmp_block_inversion:
handler.ignorableWhitespace(" ")
handler.simpleElement("icmp-block-inversion", {})
handler.ignorableWhitespace("\n")
# forward
if zone.forward:
handler.ignorableWhitespace(" ")
handler.simpleElement("forward", {})
handler.ignorableWhitespace("\n")
# end zone element
handler.endElement("zone")
handler.ignorableWhitespace("\n")
handler.endDocument()
f.close()
del handler
def write(self):
if len(self._config) < 1:
# no changes: nothing to do
return
# handled keys
done = [ ]
if not os.path.exists(config.ETC_FIREWALLD):
os.mkdir(config.ETC_FIREWALLD, 0o750)
try:
temp_file = tempfile.NamedTemporaryFile(mode='wt',
prefix="%s." % os.path.basename(self.filename),
dir=os.path.dirname(self.filename), delete=False)
except Exception as msg:
log.error("Failed to open temporary file: %s" % msg)
raise
modified = False
empty = False
try:
f= io.open(self.filename, mode='rt', encoding='UTF-8')
except Exception as msg:
if os.path.exists(self.filename):
log.error("Failed to open '%s': %s" % (self.filename, msg))
raise
else:
f = None
else:
for line in f:
if not line:
break
# remove newline
line = line.strip("\n")
if len(line) < 1:
if not empty:
temp_file.write(u"\n")
empty = True
elif line[0] == '#':
empty = False
temp_file.write(line)
temp_file.write(u"\n")
else:
p = line.split("=")
if len(p) != 2:
empty = False
temp_file.write(line+u"\n")
continue
key = p[0].strip()
value = p[1].strip()
# check for modified key/value pairs
if key not in done:
if (key in self._config and \
self._config[key] != value):
empty = False
temp_file.write(u'%s=%s\n' %
(key, self._config[key]))
modified = True
elif key in self._deleted:
modified = True
else:
empty = False
temp_file.write(line+u"\n")
done.append(key)
else:
modified = True
# write remaining key/value pairs
if len(self._config) > 0:
for (key,value) in self._config.items():
if key in done:
continue
if key in ["MinimalMark", "AutomaticHelpers"]: # omit deprecated from new config
continue
if not empty:
temp_file.write(u"\n")
empty = True
temp_file.write(u'%s=%s\n' % (key, value))
modified = True
if f:
f.close()
temp_file.close()
if not modified: # not modified: remove tempfile
os.remove(temp_file.name)
return
# make backup
if os.path.exists(self.filename):
try:
shutil.copy2(self.filename, "%s.old" % self.filename)
except Exception as msg:
os.remove(temp_file.name)
raise IOError("Backup of '%s' failed: %s" % (self.filename, msg))
# copy tempfile
try:
shutil.move(temp_file.name, self.filename)
except Exception as msg:
os.remove(temp_file.name)
raise IOError("Failed to create '%s': %s" % (self.filename, msg))
else:
os.chmod(self.filename, 0o600)
def rules(self, ipv, rules):
_rules = [ ]
for rule in rules:
# replace %%REJECT%%
try:
i = rule.index("%%REJECT%%")
except ValueError:
pass
else:
if ipv in [ "ipv4", "ipv6" ]:
rule[i:i+1] = [ "REJECT", "--reject-with",
ipXtables.DEFAULT_REJECT_TYPE[ipv] ]
else:
raise FirewallError(errors.EBTABLES_NO_REJECT,
"'%s' not in {'ipv4'|'ipv6'}" % ipv)
# replace %%ICMP%%
try:
i = rule.index("%%ICMP%%")
except ValueError:
pass
else:
if ipv in [ "ipv4", "ipv6" ]:
rule[i] = ipXtables.ICMP[ipv]
else:
raise FirewallError(errors.INVALID_IPV,
"'%s' not in {'ipv4'|'ipv6'}" % ipv)
# replace %%LOGTYPE%%
try:
i = rule.index("%%LOGTYPE%%")
except ValueError:
pass
else:
if self._log_denied == "off":
continue
if ipv not in [ "ipv4", "ipv6" ]:
raise FirewallError(errors.INVALID_IPV,
"'%s' not in {'ipv4'|'ipv6'}" % ipv)
if self._log_denied in [ "unicast", "broadcast",
"multicast" ]:
rule[i:i+1] = [ "-m", "pkttype", "--pkt-type",
self._log_denied ]
else:
rule.pop(i)
_rules.append(rule)
backend = None
if ipv == "ipv4":
if self.ip4tables_enabled:
# do not call if disabled
backend = self.ip4tables_backend
elif ipv == "ipv6":
if self.ip6tables_enabled:
# do not call if disabled
backend = self.ip6tables_backend
elif ipv == "eb":
if self.ebtables_enabled:
# do not call if disabled
backend = self.ebtables_backend
else:
raise FirewallError(errors.INVALID_IPV,
"'%s' not in {'ipv4'|'ipv6'|'eb'}" % ipv)
if not backend:
return ""
if self._individual_calls or \
not backend.restore_command_exists or \
(ipv == "eb" and not self.ebtables_backend.restore_noflush_option):
for i,rule in enumerate(_rules):
# remove leading and trailing '"' for use with execve
j = 0
while j < len(rule):
x = rule[j]
if len(x) > 2 and x[0] == '"' and x[-1] == '"':
rule[j] = x[1:-1]
j += 1
try:
backend.set_rule(rule)
except Exception as msg:
log.error("Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.")
log.error(msg)
for rule in reversed(_rules[:i]):
try:
backend.set_rule(reverse_rule(rule))
except Exception:
# ignore errors here
pass
return False
return True
else:
return backend.set_rules(_rules)
def _loader(self, path, reader_type, combine=False):
# combine: several zone files are getting combined into one obj
if not os.path.isdir(path):
return
if combine:
if path.startswith(config.ETC_FIREWALLD) and reader_type == "zone":
combined_zone = Zone()
combined_zone.name = os.path.basename(path)
combined_zone.check_name(combined_zone.name)
combined_zone.path = path
combined_zone.default = False
else:
combine = False
for filename in sorted(os.listdir(path)):
if not filename.endswith(".xml"):
if path.startswith(config.ETC_FIREWALLD) and \
reader_type == "zone" and \
os.path.isdir("%s/%s" % (path, filename)):
self._loader("%s/%s" % (path, filename), reader_type,
combine=True)
continue
name = "%s/%s" % (path, filename)
log.debug1("Loading %s file '%s'", reader_type, name)
try:
if reader_type == "icmptype":
obj = icmptype_reader(filename, path)
if obj.name in self.icmptype.get_icmptypes():
orig_obj = self.icmptype.get_icmptype(obj.name)
log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type,
orig_obj.name, orig_obj.path,
orig_obj.filename)
self.icmptype.remove_icmptype(orig_obj.name)
elif obj.path.startswith(config.ETC_FIREWALLD):
obj.default = True
try:
self.icmptype.add_icmptype(obj)
except FirewallError as error:
log.warning("%s: %s, ignoring for run-time." % \
(obj.name, str(error)))
# add a deep copy to the configuration interface
self.config.add_icmptype(copy.deepcopy(obj))
elif reader_type == "service":
obj = service_reader(filename, path)
if obj.name in self.service.get_services():
orig_obj = self.service.get_service(obj.name)
log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type,
orig_obj.name, orig_obj.path,
orig_obj.filename)
self.service.remove_service(orig_obj.name)
elif obj.path.startswith(config.ETC_FIREWALLD):
obj.default = True
self.service.add_service(obj)
# add a deep copy to the configuration interface
self.config.add_service(copy.deepcopy(obj))
elif reader_type == "zone":
obj = zone_reader(filename, path)
if combine:
# Change name for permanent configuration
obj.name = "%s/%s" % (
os.path.basename(path),
os.path.basename(filename)[0:-4])
obj.check_name(obj.name)
# Copy object before combine
config_obj = copy.deepcopy(obj)
if obj.name in self.zone.get_zones():
orig_obj = self.zone.get_zone(obj.name)
self.zone.remove_zone(orig_obj.name)
if orig_obj.combined:
log.debug1(" Combining %s '%s' ('%s/%s')",
reader_type, obj.name,
path, filename)
obj.combine(orig_obj)
else:
log.debug1(" Overloads %s '%s' ('%s/%s')",
reader_type,
orig_obj.name, orig_obj.path,
orig_obj.filename)
elif obj.path.startswith(config.ETC_FIREWALLD):
obj.default = True
config_obj.default = True
self.config.add_zone(config_obj)
if combine:
log.debug1(" Combining %s '%s' ('%s/%s')",
reader_type, combined_zone.name,
path, filename)
combined_zone.combine(obj)
else:
self.zone.add_zone(obj)
elif reader_type == "ipset":
obj = ipset_reader(filename, path)
if obj.name in self.ipset.get_ipsets():
orig_obj = self.ipset.get_ipset(obj.name)
log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type,
orig_obj.name, orig_obj.path,
orig_obj.filename)
self.ipset.remove_ipset(orig_obj.name)
elif obj.path.startswith(config.ETC_FIREWALLD):
obj.default = True
try:
self.ipset.add_ipset(obj)
except FirewallError as error:
log.warning("%s: %s, ignoring for run-time." % \
(obj.name, str(error)))
# add a deep copy to the configuration interface
self.config.add_ipset(copy.deepcopy(obj))
elif reader_type == "helper":
obj = helper_reader(filename, path)
if obj.name in self.helper.get_helpers():
orig_obj = self.helper.get_helper(obj.name)
log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type,
orig_obj.name, orig_obj.path,
orig_obj.filename)
self.helper.remove_helper(orig_obj.name)
elif obj.path.startswith(config.ETC_FIREWALLD):
obj.default = True
self.helper.add_helper(obj)
# add a deep copy to the configuration interface
self.config.add_helper(copy.deepcopy(obj))
else:
log.fatal("Unknown reader type %s", reader_type)
except FirewallError as msg:
log.error("Failed to load %s file '%s': %s", reader_type,
name, msg)
except Exception as msg:
log.error("Failed to load %s file '%s':", reader_type, name)
log.exception()
if combine and combined_zone.combined:
if combined_zone.name in self.zone.get_zones():
orig_obj = self.zone.get_zone(combined_zone.name)
log.debug1(" Overloading and deactivating %s '%s' ('%s/%s')",
reader_type, orig_obj.name, orig_obj.path,
orig_obj.filename)
try:
self.zone.remove_zone(combined_zone.name)
except Exception:
pass
self.config.forget_zone(combined_zone.name)
self.zone.add_zone(combined_zone)
def _start(self, reload=False, complete_reload=False):
# initialize firewall
default_zone = config.FALLBACK_ZONE
# load firewalld config
log.debug1("Loading firewalld config file '%s'", config.FIREWALLD_CONF)
try:
self._firewalld_conf.read()
except Exception as msg:
log.warning(msg)
log.warning("Using fallback firewalld configuration settings.")
else:
if self._firewalld_conf.get("DefaultZone"):
default_zone = self._firewalld_conf.get("DefaultZone")
if self._firewalld_conf.get("MinimalMark"):
self._min_mark = int(self._firewalld_conf.get("MinimalMark"))
if self._firewalld_conf.get("CleanupOnExit"):
value = self._firewalld_conf.get("CleanupOnExit")
if value is not None and value.lower() in [ "no", "false" ]:
self.cleanup_on_exit = False
if self._firewalld_conf.get("Lockdown"):
value = self._firewalld_conf.get("Lockdown")
if value is not None and value.lower() in [ "yes", "true" ]:
log.debug1("Lockdown is enabled")
try:
self.policies.enable_lockdown()
except FirewallError:
# already enabled, this is probably reload
pass
if self._firewalld_conf.get("IPv6_rpfilter"):
value = self._firewalld_conf.get("IPv6_rpfilter")
if value is not None:
if value.lower() in [ "no", "false" ]:
self.ipv6_rpfilter_enabled = False
if value.lower() in [ "yes", "true" ]:
self.ipv6_rpfilter_enabled = True
if self.ipv6_rpfilter_enabled:
log.debug1("IPv6 rpfilter is enabled")
else:
log.debug1("IPV6 rpfilter is disabled")
if self._firewalld_conf.get("IndividualCalls"):
value = self._firewalld_conf.get("IndividualCalls")
if value is not None and value.lower() in [ "yes", "true" ]:
log.debug1("IndividualCalls is enabled")
self._individual_calls = True
if self._firewalld_conf.get("LogDenied"):
value = self._firewalld_conf.get("LogDenied")
if value is None or value.lower() == "no":
self._log_denied = "off"
else:
self._log_denied = value.lower()
log.debug1("LogDenied is set to '%s'", self._log_denied)
if self._firewalld_conf.get("AutomaticHelpers"):
value = self._firewalld_conf.get("AutomaticHelpers")
if value is not None:
if value.lower() in [ "no", "false" ]:
self._automatic_helpers = "no"
elif value.lower() in [ "yes", "true" ]:
self._automatic_helpers = "yes"
else:
self._automatic_helpers = value.lower()
log.debug1("AutomaticHelpers is set to '%s'",
self._automatic_helpers)
self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))
self._start_check()
# load lockdown whitelist
log.debug1("Loading lockdown whitelist")
try:
self.policies.lockdown_whitelist.read()
except Exception as msg:
if self.policies.query_lockdown():
log.error("Failed to load lockdown whitelist '%s': %s",
self.policies.lockdown_whitelist.filename, msg)
else:
log.debug1("Failed to load lockdown whitelist '%s': %s",
self.policies.lockdown_whitelist.filename, msg)
# copy policies to config interface
self.config.set_policies(copy.deepcopy(self.policies))
# load ipset files
self._loader(config.FIREWALLD_IPSETS, "ipset")
self._loader(config.ETC_FIREWALLD_IPSETS, "ipset")
# load icmptype files
self._loader(config.FIREWALLD_ICMPTYPES, "icmptype")
self._loader(config.ETC_FIREWALLD_ICMPTYPES, "icmptype")
if len(self.icmptype.get_icmptypes()) == 0:
log.error("No icmptypes found.")
# load helper files
self._loader(config.FIREWALLD_HELPERS, "helper")
self._loader(config.ETC_FIREWALLD_HELPERS, "helper")
# load service files
self._loader(config.FIREWALLD_SERVICES, "service")
self._loader(config.ETC_FIREWALLD_SERVICES, "service")
if len(self.service.get_services()) == 0:
log.error("No services found.")
# load zone files
self._loader(config.FIREWALLD_ZONES, "zone")
self._loader(config.ETC_FIREWALLD_ZONES, "zone")
if len(self.zone.get_zones()) == 0:
log.fatal("No zones found.")
sys.exit(1)
# check minimum required zones
error = False
for z in [ "block", "drop", "trusted" ]:
if z not in self.zone.get_zones():
log.fatal("Zone '%s' is not available.", z)
error = True
if error:
sys.exit(1)
# check if default_zone is a valid zone
if default_zone not in self.zone.get_zones():
if "public" in self.zone.get_zones():
zone = "public"
elif "external" in self.zone.get_zones():
zone = "external"
else:
zone = "block" # block is a base zone, therefore it has to exist
log.error("Default zone '%s' is not valid. Using '%s'.",
default_zone, zone)
default_zone = zone
else:
log.debug1("Using default zone '%s'", default_zone)
# load direct rules
obj = Direct(config.FIREWALLD_DIRECT)
if os.path.exists(config.FIREWALLD_DIRECT):
log.debug1("Loading direct rules file '%s'" % \
config.FIREWALLD_DIRECT)
try:
obj.read()
except Exception as msg:
log.debug1("Failed to load direct rules file '%s': %s",
config.FIREWALLD_DIRECT, msg)
self.direct.set_permanent_config(obj)
self.config.set_direct(copy.deepcopy(obj))
# automatic helpers
if self._automatic_helpers != "system":
functions.set_nf_conntrack_helper_setting(self._automatic_helpers == "yes")
self.nf_conntrack_helper_setting = \
functions.get_nf_conntrack_helper_setting()
# check if needed tables are there
self._check_tables()
if log.getDebugLogLevel() > 0:
# get time before flushing and applying
tm1 = time.time()
# Start transaction
transaction = FirewallTransaction(self)
if reload:
self.set_policy("DROP", use_transaction=transaction)
# flush rules
self.flush(use_transaction=transaction)
# If modules need to be unloaded in complete reload or if there are
# ipsets to get applied, limit the transaction to set_policy and flush.
#
# Future optimization for the ipset case in reload: The transaction
# only needs to be split here if there are conflicting ipset types in
# exsting ipsets and the configuration in firewalld.
if (reload and complete_reload) or \
(self.ipset_enabled and self.ipset.has_ipsets()):
transaction.execute(True)
transaction.clear()
# complete reload: unload modules also
if reload and complete_reload:
log.debug1("Unloading firewall modules")
self.modules_backend.unload_firewall_modules()
# apply settings for loaded ipsets while reloading here
if self.ipset_enabled and self.ipset.has_ipsets():
log.debug1("Applying ipsets")
self.ipset.apply_ipsets()
# Start or continue with transaction
# apply default rules
log.debug1("Applying default rule set")
self.apply_default_rules(use_transaction=transaction)
# apply settings for loaded zones
log.debug1("Applying used zones")
self.zone.apply_zones(use_transaction=transaction)
self._default_zone = self.check_zone(default_zone)
self.zone.change_default_zone(None, self._default_zone,
use_transaction=transaction)
# Execute transaction
transaction.execute(True)
# Start new transaction for direct rules
transaction.clear()
# apply direct chains, rules and passthrough rules
if self.direct.has_configuration():
transaction.enable_generous_mode()
log.debug1("Applying direct chains rules and passthrough rules")
self.direct.apply_direct(transaction)
# Execute transaction
transaction.execute(True)
transaction.disable_generous_mode()
transaction.clear()
del transaction
if log.getDebugLogLevel() > 1:
# get time after flushing and applying
tm2 = time.time()
log.debug2("Flushing and applying took %f seconds" % (tm2 - tm1))
self._state = "RUNNING"
def service_writer(service, path=None):
_path = path if path else service.path
if service.filename:
name = "%s/%s" % (_path, service.filename)
else:
name = "%s/%s.xml" % (_path, service.name)
if os.path.exists(name):
try:
shutil.copy2(name, "%s.old" % name)
except Exception as msg:
log.error("Backup of file '%s' failed: %s", name, msg)
dirpath = os.path.dirname(name)
if dirpath.startswith(
config.ETC_FIREWALLD) and not os.path.exists(dirpath):
if not os.path.exists(config.ETC_FIREWALLD):
os.mkdir(config.ETC_FIREWALLD, 0o750)
os.mkdir(dirpath, 0o750)
f = io.open(name, mode='wt', encoding='UTF-8')
handler = IO_Object_XMLGenerator(f)
handler.startDocument()
# start service element
attrs = {}
if service.version and service.version != "":
attrs["version"] = service.version
handler.startElement("service", attrs)
handler.ignorableWhitespace("\n")
# short
if service.short and service.short != "":
handler.ignorableWhitespace(" ")
handler.startElement("short", {})
handler.characters(service.short)
handler.endElement("short")
handler.ignorableWhitespace("\n")
# description
if service.description and service.description != "":
handler.ignorableWhitespace(" ")
handler.startElement("description", {})
handler.characters(service.description)
handler.endElement("description")
handler.ignorableWhitespace("\n")
# ports
for port in service.ports:
handler.ignorableWhitespace(" ")
handler.simpleElement("port", {"port": port[0], "protocol": port[1]})
handler.ignorableWhitespace("\n")
# protocols
for protocol in service.protocols:
handler.ignorableWhitespace(" ")
handler.simpleElement("protocol", {"value": protocol})
handler.ignorableWhitespace("\n")
# source ports
for port in service.source_ports:
handler.ignorableWhitespace(" ")
handler.simpleElement("source-port", {
"port": port[0],
"protocol": port[1]
})
handler.ignorableWhitespace("\n")
# modules
for module in service.modules:
handler.ignorableWhitespace(" ")
handler.simpleElement("module", {"name": module})
handler.ignorableWhitespace("\n")
# destination
if len(service.destination) > 0:
handler.ignorableWhitespace(" ")
handler.simpleElement("destination", service.destination)
handler.ignorableWhitespace("\n")
# end service element
handler.endElement('service')
handler.ignorableWhitespace("\n")
handler.endDocument()
f.close()
del handler
def update_policy_object_from_path(self, name):
filename = os.path.basename(name)
path = os.path.dirname(name)
if not os.path.exists(name):
# removed file
if path.startswith(config.ETC_FIREWALLD_POLICIES):
# removed custom policy_object
for x in self._policy_objects.keys():
obj = self._policy_objects[x]
if obj.filename == filename:
del self._policy_objects[x]
if obj.name in self._builtin_policy_objects:
return ("update",
self._builtin_policy_objects[obj.name])
return ("remove", obj)
else:
# removed builtin policy_object
for x in self._builtin_policy_objects.keys():
obj = self._builtin_policy_objects[x]
if obj.filename == filename:
del self._builtin_policy_objects[x]
if obj.name not in self._policy_objects:
# update dbus policy_object
return ("remove", obj)
else:
# builtin hidden, no update needed
return (None, None)
# policy_object not known to firewalld, yet (timeout, ..)
return (None, None)
# new or updated file
log.debug1("Loading policy file '%s'", name)
try:
obj = policy_reader(filename, path)
except Exception as msg:
log.error("Failed to load policy file '%s': %s", filename, msg)
return (None, None)
if path.startswith(config.ETC_FIREWALLD_POLICIES) and \
len(path) > len(config.ETC_FIREWALLD_POLICIES):
# custom combined policy_object part
obj.name = "%s/%s" % (os.path.basename(path),
os.path.basename(filename)[0:-4])
# new policy_object
if obj.name not in self._builtin_policy_objects and obj.name not in self._policy_objects:
self.add_policy_object(obj)
return ("new", obj)
# updated policy_object
if path.startswith(config.ETC_FIREWALLD_POLICIES):
# custom policy_object update
if obj.name in self._policy_objects:
obj.default = self._policy_objects[obj.name].default
self._policy_objects[obj.name] = obj
return ("update", obj)
else:
if obj.name in self._builtin_policy_objects:
# builtin policy_object update
del self._builtin_policy_objects[obj.name]
self._builtin_policy_objects[obj.name] = obj
if obj.name not in self._policy_objects:
# update dbus policy_object
return ("update", obj)
else:
# builtin hidden, no update needed
return (None, None)
# policy_object not known to firewalld, yet (timeout, ..)
return (None, None)
def set_entries(self, name, entries):
obj = self.get_ipset(name)
if "timeout" in obj.options and obj.options["timeout"] != "0":
# no entries visible for ipsets with timeout
raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)
for entry in entries:
IPSet.check_entry(entry, obj.options, obj.type)
obj.entries = entries
if self._fw.individual_calls():
try:
self._fw.ipset_backend.flush(obj.name)
except Exception as msg:
log.error("Failed to flush ipset '%s'" % obj.name)
log.error(msg)
else:
obj.applied = True
for entry in obj.entries:
try:
self._fw.ipset_backend.add(obj.name, entry)
except Exception as msg:
log.error("Failed to add entry '%s' to ipset '%s'" % \
(entry, obj.name))
log.error(msg)
else:
try:
self._fw.ipset_backend.flush(obj.name)
except Exception as msg:
log.error("Failed to flush ipset '%s'" % obj.name)
log.error(msg)
else:
obj.applied = True
try:
self._fw.ipset_backend.restore(obj.name, obj.type, obj.entries,
obj.options, None)
except Exception as msg:
log.error("Failed to create ipset '%s'" % obj.name)
log.error(msg)
else:
obj.applied = True
return
attrs["value"] = rule.element.value
elif type(rule.element) == Rich_Masquerade:
element = "masquerade"
elif type(rule.element) == Rich_IcmpBlock:
element = "icmp-block"
attrs["name"] = rule.element.name
elif type(rule.element) == Rich_ForwardPort:
element = "forward-port"
attrs["port"] = rule.element.port
attrs["protocol"] = rule.element.protocol
if rule.element.to_port != "":
attrs["to-port"] = rule.element.to_port
if rule.element.to_address != "":
attrs["to-addr"] = rule.element.to_address
else:
log.error('Unknown element "%s"' % type(rule.element))
handler.ignorableWhitespace(" ")
handler.simpleElement(element, attrs)
handler.ignorableWhitespace("\n")
# rule.element
# log
if rule.log:
attrs = {}
if rule.log.prefix:
attrs["prefix"] = rule.log.prefix
if rule.log.level:
attrs["level"] = rule.log.level
if rule.log.limit:
def update_zone_from_path(self, name):
filename = os.path.basename(name)
path = os.path.dirname(name)
if not os.path.exists(name):
# removed file
if path.startswith(config.ETC_FIREWALLD_ZONES):
# removed custom zone
for x in self._zones.keys():
obj = self._zones[x]
if obj.filename == filename:
del self._zones[x]
if obj.name in self._builtin_zones:
return ("update", self._builtin_zones[obj.name])
return ("remove", obj)
else:
# removed builtin zone
for x in self._builtin_zones.keys():
obj = self._builtin_zones[x]
if obj.filename == filename:
del self._builtin_zones[x]
if obj.name not in self._zones:
# update dbus zone
return ("remove", obj)
else:
# builtin hidden, no update needed
return (None, None)
# zone not known to firewalld, yet (timeout, ..)
return (None, None)
# new or updated file
log.debug1("Loading zone file '%s'", name)
try:
obj = zone_reader(filename, path)
except Exception as msg:
log.error("Failed to load zone file '%s': %s", filename, msg)
return (None, None)
obj.fw_config = self
if path.startswith(config.ETC_FIREWALLD_ZONES) and \
len(path) > len(config.ETC_FIREWALLD_ZONES):
# custom combined zone part
obj.name = "%s/%s" % (os.path.basename(path),
os.path.basename(filename)[0:-4])
# new zone
if obj.name not in self._builtin_zones and obj.name not in self._zones:
self.add_zone(obj)
return ("new", obj)
# updated zone
if path.startswith(config.ETC_FIREWALLD_ZONES):
# custom zone update
if obj.name in self._zones:
obj.default = self._zones[obj.name].default
self._zones[obj.name] = obj
return ("update", obj)
else:
if obj.name in self._builtin_zones:
# builtin zone update
del self._builtin_zones[obj.name]
self._builtin_zones[obj.name] = obj
if obj.name not in self._zones:
# update dbus zone
return ("update", obj)
else:
# builtin hidden, no update needed
return (None, None)
# zone not known to firewalld, yet (timeout, ..)
return (None, None)
def execute(self, enable):
log.debug4("%s.execute(%s)" % (type(self), enable))
rules, modules = self.prepare(enable)
# pre
self.pre()
# stage 1: apply rules
error = False
done = []
for ipv in rules:
try:
self.fw.rules(ipv, rules[ipv])
except Exception as msg:
error = True
if not self.generous_mode:
log.warning(msg)
else:
done.append(ipv)
if error and self.generous_mode:
for ipv in rules:
if ipv in done:
continue
for rule in rules[ipv]:
try:
self.fw.rule(ipv, rule)
except Exception as msg:
log.warning(msg)
done.append(ipv)
error = False
# stage 2: load modules
if not error:
module_return = self.fw.handle_modules(modules, enable)
if module_return:
(cleanup_modules, msg) = module_return
if cleanup_modules is not None:
error = True
self.fw.handle_modules(cleanup_modules, not enable)
# error case: revert rules
if error:
undo_rules = {}
for ipv in done:
undo_rules[ipv] = []
for rule in reversed(rules[ipv]):
undo_rules[ipv].append(reverse_rule(rule))
for ipv in undo_rules:
try:
self.fw.rules(ipv, undo_rules[ipv])
except Exception as msg:
log.error(msg)
# call failure functions
for (func, args) in self.fail_funcs:
try:
func(*args)
except Exception as msg:
log.error("Calling fail func %s(%s) failed: %s" % \
(func, args, msg))
raise FirewallError(errors.COMMAND_FAILED)
# post
self.post()
def _start(self):
# initialize firewall
default_zone = FALLBACK_ZONE
# load firewalld config
log.debug1("Loading firewalld config file '%s'", FIREWALLD_CONF)
try:
self._firewalld_conf.read()
except Exception as msg:
log.error("Failed to open firewalld config file '%s': %s",
FIREWALLD_CONF, msg)
else:
if self._firewalld_conf.get("DefaultZone"):
default_zone = self._firewalld_conf.get("DefaultZone")
if self._firewalld_conf.get("MinimalMark"):
mark = self._firewalld_conf.get("MinimalMark")
if mark != None:
try:
self._min_mark = int(mark)
except Exception as msg:
log.error(
"MinimalMark %s is not valid, using default "
"value %d", mark, self._min_mark)
if self._firewalld_conf.get("CleanupOnExit"):
value = self._firewalld_conf.get("CleanupOnExit")
if value != None and value.lower() in ["no", "false"]:
self.cleanup_on_exit = False
if self._firewalld_conf.get("Lockdown"):
value = self._firewalld_conf.get("Lockdown")
if value != None and value.lower() in ["yes", "true"]:
log.debug1("Lockdown is enabled")
try:
self.policies.enable_lockdown()
except FirewallError:
# already enabled, this is probably reload
pass
self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))
# apply default rules
self._apply_default_rules()
# load lockdown whitelist
log.debug1("Loading lockdown whitelist")
try:
self.policies.lockdown_whitelist.read()
except Exception as msg:
log.error("Failed to load lockdown whitelist '%s': %s",
self.policies.lockdown_whitelist.filename, msg)
# copy policies to config interface
self.config.set_policies(copy.deepcopy(self.policies))
# load icmptype files
self._loader(FIREWALLD_ICMPTYPES, "icmptype")
self._loader(ETC_FIREWALLD_ICMPTYPES, "icmptype")
if len(self.icmptype.get_icmptypes()) == 0:
log.error("No icmptypes found.")
# load service files
self._loader(FIREWALLD_SERVICES, "service")
self._loader(ETC_FIREWALLD_SERVICES, "service")
if len(self.service.get_services()) == 0:
log.error("No services found.")
# load zone files
self._loader(FIREWALLD_ZONES, "zone")
self._loader(ETC_FIREWALLD_ZONES, "zone")
if len(self.zone.get_zones()) == 0:
log.fatal("No zones found.")
sys.exit(1)
# check minimum required zones
error = False
for z in ["block", "drop", "trusted"]:
if not z in self.zone.get_zones():
log.fatal("Zone '%s' is not available.", z)
error = True
if error:
sys.exit(1)
# load direct rules
log.debug1("Loading direct rules file '%s'" % FIREWALLD_DIRECT)
obj = Direct(FIREWALLD_DIRECT)
try:
obj.read()
except Exception as msg:
log.debug1("Failed to load direct rules file '%s': %s",
FIREWALLD_DIRECT, msg)
else:
self.direct.set_config((obj.get_all_chains(), obj.get_all_rules()))
for ipv, args in obj.get_all_passthroughs().items():
for arg in args:
try:
self.direct.passthrough(ipv, arg)
except FirewallError as error:
log.warning(str(error))
# TODO: copy obj into config interface
self.config.set_direct(copy.deepcopy(obj))
# check if default_zone is a valid zone
if default_zone not in self.zone.get_zones():
if "public" in self.zone.get_zones():
zone = "public"
elif "external" in self.zone.get_zones():
zone = "external"
else:
zone = "block" # block is a base zone, therefore it has to exist
log.error("Default zone '%s' is not valid. Using '%s'.",
default_zone, zone)
default_zone = zone
else:
log.debug1("Using default zone '%s'", default_zone)
self._default_zone = self.check_zone(default_zone)
self.zone.change_default_zone(None, self._default_zone)
self._state = "RUNNING"
def startElement(self, name, attrs):
IO_Object_ContentHandler.startElement(self, name, attrs)
self.item.parser_check_element_attrs(name, attrs)
if name == "whitelist":
if self.whitelist:
raise FirewallError(errors.PARSE_ERROR,
"More than one whitelist.")
self.whitelist = True
elif name == "command":
if not self.whitelist:
log.error("Parse Error: command outside of whitelist")
return
command = attrs["name"]
self.item.add_command(command)
elif name == "user":
if not self.whitelist:
log.error("Parse Error: user outside of whitelist")
return
if "id" in attrs:
try:
uid = int(attrs["id"])
except ValueError:
log.error("Parse Error: %s is not a valid uid" %
attrs["id"])
return
self.item.add_uid(uid)
elif "name" in attrs:
self.item.add_user(attrs["name"])
elif name == "selinux":
if not self.whitelist:
log.error("Parse Error: selinux outside of whitelist")
return
if "context" not in attrs:
log.error("Parse Error: no context")
return
self.item.add_context(attrs["context"])
else:
log.error('Unknown XML element %s' % name)
return
def _loader(self, path, reader_type, combine=False):
# combine: several zone files are getting combined into one obj
if not os.path.isdir(path):
return
if combine == True:
if path.startswith(ETC_FIREWALLD) and reader_type == "zone":
combined_zone = Zone()
combined_zone.name = os.path.basename(path)
combined_zone.check_name(combined_zone.name)
combined_zone.path = path
combined_zone.default = False
else:
combine = False
for filename in sorted(os.listdir(path)):
if not filename.endswith(".xml"):
if path.startswith(ETC_FIREWALLD) and \
reader_type == "zone" and \
os.path.isdir("%s/%s" % (path, filename)):
self._loader("%s/%s" % (path, filename),
reader_type,
combine=True)
continue
name = "%s/%s" % (path, filename)
log.debug1("Loading %s file '%s'", reader_type, name)
try:
if reader_type == "icmptype":
obj = icmptype_reader(filename, path)
if obj.name in self.icmptype.get_icmptypes():
orig_obj = self.icmptype.get_icmptype(obj.name)
log.debug1(" Overloads %s '%s' ('%s/%s')",
reader_type, orig_obj.name, orig_obj.path,
orig_obj.filename)
self.icmptype.remove_icmptype(orig_obj.name)
self.icmptype.add_icmptype(obj)
# add a deep copy to the configuration interface
self.config.add_icmptype(copy.deepcopy(obj))
elif reader_type == "service":
obj = service_reader(filename, path)
if obj.name in self.service.get_services():
orig_obj = self.service.get_service(obj.name)
log.debug1(" Overloads %s '%s' ('%s/%s')",
reader_type, orig_obj.name, orig_obj.path,
orig_obj.filename)
self.service.remove_service(orig_obj.name)
self.service.add_service(obj)
# add a deep copy to the configuration interface
self.config.add_service(copy.deepcopy(obj))
elif reader_type == "zone":
obj = zone_reader(filename, path)
if not combine:
if obj.name in self.zone.get_zones():
orig_obj = self.zone.get_zone(obj.name)
if orig_obj.combined:
raise FirewallError(NOT_OVERLOADABLE,
"%s is a combined zone" % \
obj.name)
log.debug1(" Overloads %s '%s' ('%s/%s')",
reader_type, orig_obj.name,
orig_obj.path, orig_obj.filename)
self.zone.remove_zone(orig_obj.name)
self.zone.add_zone(obj)
# add a deep copy to the configuration interface
self.config.add_zone(copy.deepcopy(obj))
else:
combined_zone.combine(obj)
else:
log.fatal("Unknown reader type %s", reader_type)
except FirewallError as msg:
log.error("Failed to load %s file '%s': %s", reader_type, name,
msg)
except Exception as msg:
log.error("Failed to load %s file '%s':", reader_type, name)
log.exception()
if combine == True and combined_zone.combined == True:
if combined_zone.name in self.zone.get_zones():
orig_obj = self.zone.get_zone(combined_zone.name)
log.debug1(" Overloading and deactivating %s '%s' ('%s/%s')",
reader_type, orig_obj.name, orig_obj.path,
orig_obj.filename)
try:
self.zone.remove_zone(combined_zone.name)
except:
pass
self.config.forget_zone(combined_zone.name)
self.zone.add_zone(combined_zone)
def icmptype_writer(icmptype, path=None):
_path = path if path else icmptype.path
if icmptype.filename:
name = "%s/%s" % (_path, icmptype.filename)
else:
name = "%s/%s.xml" % (_path, icmptype.name)
if os.path.exists(name):
try:
shutil.copy2(name, "%s.old" % name)
except Exception as msg:
log.error("Backup of file '%s' failed: %s", name, msg)
dirpath = os.path.dirname(name)
if dirpath.startswith(
config.ETC_FIREWALLD) and not os.path.exists(dirpath):
if not os.path.exists(config.ETC_FIREWALLD):
os.mkdir(config.ETC_FIREWALLD, 0o750)
os.mkdir(dirpath, 0o750)
f = io.open(name, mode='wt', encoding='UTF-8')
handler = IO_Object_XMLGenerator(f)
handler.startDocument()
# start icmptype element
attrs = {}
if icmptype.version and icmptype.version != "":
attrs["version"] = icmptype.version
handler.startElement("icmptype", attrs)
handler.ignorableWhitespace("\n")
# short
if icmptype.short and icmptype.short != "":
handler.ignorableWhitespace(" ")
handler.startElement("short", {})
handler.characters(icmptype.short)
handler.endElement("short")
handler.ignorableWhitespace("\n")
# description
if icmptype.description and icmptype.description != "":
handler.ignorableWhitespace(" ")
handler.startElement("description", {})
handler.characters(icmptype.description)
handler.endElement("description")
handler.ignorableWhitespace("\n")
# destination
if icmptype.destination:
handler.ignorableWhitespace(" ")
attrs = {}
for x in icmptype.destination:
attrs[x] = "yes"
handler.simpleElement("destination", attrs)
handler.ignorableWhitespace("\n")
# end icmptype element
handler.endElement('icmptype')
handler.ignorableWhitespace("\n")
handler.endDocument()
f.close()
del handler
def read(self):
self.clear()
try:
f = open(self.filename, "r")
except Exception as msg:
log.error("Failed to load '%s': %s", self.filename, msg)
self.set("DefaultZone", config.FALLBACK_ZONE)
self.set("MinimalMark", str(config.FALLBACK_MINIMAL_MARK))
self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no")
self.set("Lockdown", "yes" if config.FALLBACK_LOCKDOWN else "no")
self.set("IPv6_rpfilter","yes" if config.FALLBACK_IPV6_RPFILTER else "no")
self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no")
self.set("LogDenied", config.FALLBACK_LOG_DENIED)
self.set("AutomaticHelpers", config.FALLBACK_AUTOMATIC_HELPERS)
self.set("FirewallBackend", config.FALLBACK_FIREWALL_BACKEND)
self.set("FlushAllOnReload", "yes" if config.FALLBACK_FLUSH_ALL_ON_RELOAD else "no")
self.set("RFC3964_IPv4", "yes" if config.FALLBACK_RFC3964_IPV4 else "no")
raise
for line in f:
if not line:
break
line = line.strip()
if len(line) < 1 or line[0] in ['#', ';']:
continue
# get key/value pair
pair = [ x.strip() for x in line.split("=") ]
if len(pair) != 2:
log.error("Invalid option definition: '%s'", line.strip())
continue
elif pair[0] not in valid_keys:
log.error("Invalid option: '%s'", line.strip())
continue
elif pair[1] == '':
log.error("Missing value: '%s'", line.strip())
continue
elif self._config.get(pair[0]) is not None:
log.error("Duplicate option definition: '%s'", line.strip())
continue
self._config[pair[0]] = pair[1]
f.close()
# check default zone
if not self.get("DefaultZone"):
log.error("DefaultZone is not set, using default value '%s'",
config.FALLBACK_ZONE)
self.set("DefaultZone", str(config.FALLBACK_ZONE))
# check minimal mark
value = self.get("MinimalMark")
try:
int(value)
except (ValueError, TypeError):
if value is not None:
log.warning("MinimalMark '%s' is not valid, using default "
"value '%d'", value if value else '',
config.FALLBACK_MINIMAL_MARK)
self.set("MinimalMark", str(config.FALLBACK_MINIMAL_MARK))
# check cleanup on exit
value = self.get("CleanupOnExit")
if not value or value.lower() not in [ "no", "false", "yes", "true" ]:
if value is not None:
log.warning("CleanupOnExit '%s' is not valid, using default "
"value %s", value if value else '',
config.FALLBACK_CLEANUP_ON_EXIT)
self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no")
# check lockdown
value = self.get("Lockdown")
if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
if value is not None:
log.warning("Lockdown '%s' is not valid, using default "
"value %s", value if value else '',
config.FALLBACK_LOCKDOWN)
self.set("Lockdown", "yes" if config.FALLBACK_LOCKDOWN else "no")
# check ipv6_rpfilter
value = self.get("IPv6_rpfilter")
if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
if value is not None:
log.warning("IPv6_rpfilter '%s' is not valid, using default "
"value %s", value if value else '',
config.FALLBACK_IPV6_RPFILTER)
self.set("IPv6_rpfilter","yes" if config.FALLBACK_IPV6_RPFILTER else "no")
# check individual calls
value = self.get("IndividualCalls")
if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
if value is not None:
log.warning("IndividualCalls '%s' is not valid, using default "
"value %s", value if value else '',
config.FALLBACK_INDIVIDUAL_CALLS)
self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no")
# check log denied
value = self.get("LogDenied")
if not value or value not in config.LOG_DENIED_VALUES:
if value is not None:
log.warning("LogDenied '%s' is invalid, using default value '%s'",
value, config.FALLBACK_LOG_DENIED)
self.set("LogDenied", str(config.FALLBACK_LOG_DENIED))
# check automatic helpers
value = self.get("AutomaticHelpers")
if not value or value.lower() not in config.AUTOMATIC_HELPERS_VALUES:
if value is not None:
log.warning("AutomaticHelpers '%s' is not valid, using default "
"value %s", value if value else '',
config.FALLBACK_AUTOMATIC_HELPERS)
self.set("AutomaticHelpers", str(config.FALLBACK_AUTOMATIC_HELPERS))
value = self.get("FirewallBackend")
if not value or value.lower() not in config.FIREWALL_BACKEND_VALUES:
if value is not None:
log.warning("FirewallBackend '%s' is not valid, using default "
"value %s", value if value else '',
config.FALLBACK_FIREWALL_BACKEND)
self.set("FirewallBackend", str(config.FALLBACK_FIREWALL_BACKEND))
value = self.get("FlushAllOnReload")
if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
if value is not None:
log.warning("FlushAllOnReload '%s' is not valid, using default "
"value %s", value if value else '',
config.FALLBACK_FLUSH_ALL_ON_RELOAD)
self.set("FlushAllOnReload", str(config.FALLBACK_FLUSH_ALL_ON_RELOAD))
value = self.get("RFC3964_IPv4")
if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
if value is not None:
log.warning("RFC3964_IPv4 '%s' is not valid, using default "
"value %s", value if value else '',
config.FALLBACK_RFC3964_IPV4)
self.set("RFC3964_IPv4", str(config.FALLBACK_RFC3964_IPV4))
def zone_writer(zone, path=None):
_path = path if path else zone.path
if zone.filename:
name = "%s/%s" % (_path, zone.filename)
else:
name = "%s/%s.xml" % (_path, zone.name)
if os.path.exists(name):
try:
shutil.copy2(name, "%s.old" % name)
except Exception as msg:
log.error("Backup of file '%s' failed: %s", name, msg)
dirpath = os.path.dirname(name)
if dirpath.startswith(ETC_FIREWALLD) and not os.path.exists(dirpath):
if not os.path.exists(ETC_FIREWALLD):
os.mkdir(ETC_FIREWALLD, 0o750)
os.mkdir(dirpath, 0o750)
f = io.open(name, mode='wt', encoding='UTF-8')
handler = IO_Object_XMLGenerator(f)
handler.startDocument()
# start zone element
attrs = {}
if zone.version and zone.version != "":
attrs["version"] = zone.version
if zone.target != DEFAULT_ZONE_TARGET:
attrs["target"] = zone.target
handler.startElement("zone", attrs)
handler.ignorableWhitespace("\n")
# short
if zone.short and zone.short != "":
handler.ignorableWhitespace(" ")
handler.startElement("short", { })
handler.characters(zone.short)
handler.endElement("short")
handler.ignorableWhitespace("\n")
# description
if zone.description and zone.description != "":
handler.ignorableWhitespace(" ")
handler.startElement("description", { })
handler.characters(zone.description)
handler.endElement("description")
handler.ignorableWhitespace("\n")
# interfaces
for interface in uniqify(zone.interfaces):
handler.ignorableWhitespace(" ")
handler.simpleElement("interface", { "name": interface })
handler.ignorableWhitespace("\n")
# source
for source in uniqify(zone.sources):
handler.ignorableWhitespace(" ")
if "ipset:" in source:
handler.simpleElement("source", { "ipset": source[6:] })
else:
handler.simpleElement("source", { "address": source })
handler.ignorableWhitespace("\n")
# services
for service in uniqify(zone.services):
handler.ignorableWhitespace(" ")
handler.simpleElement("service", { "name": service })
handler.ignorableWhitespace("\n")
# ports
for port in uniqify(zone.ports):
handler.ignorableWhitespace(" ")
handler.simpleElement("port", { "port": port[0], "protocol": port[1] })
handler.ignorableWhitespace("\n")
# protocols
for protocol in uniqify(zone.protocols):
handler.ignorableWhitespace(" ")
handler.simpleElement("protocol", { "value": protocol })
handler.ignorableWhitespace("\n")
# icmp-block-inversion
if zone.icmp_block_inversion:
handler.ignorableWhitespace(" ")
handler.simpleElement("icmp-block-inversion", { })
handler.ignorableWhitespace("\n")
# icmp-blocks
for icmp in uniqify(zone.icmp_blocks):
handler.ignorableWhitespace(" ")
handler.simpleElement("icmp-block", { "name": icmp })
handler.ignorableWhitespace("\n")
# masquerade
if zone.masquerade:
handler.ignorableWhitespace(" ")
handler.simpleElement("masquerade", { })
handler.ignorableWhitespace("\n")
# forward-ports
for forward in uniqify(zone.forward_ports):
handler.ignorableWhitespace(" ")
attrs = { "port": forward[0], "protocol": forward[1] }
if forward[2] and forward[2] != "" :
attrs["to-port"] = forward[2]
if forward[3] and forward[3] != "" :
attrs["to-addr"] = forward[3]
handler.simpleElement("forward-port", attrs)
handler.ignorableWhitespace("\n")
# source-ports
for port in uniqify(zone.source_ports):
handler.ignorableWhitespace(" ")
handler.simpleElement("source-port", { "port": port[0],
"protocol": port[1] })
handler.ignorableWhitespace("\n")
# rules
for rule in zone.rules:
attrs = { }
if rule.family:
attrs["family"] = rule.family
handler.ignorableWhitespace(" ")
handler.startElement("rule", attrs)
handler.ignorableWhitespace("\n")
# source
if rule.source:
attrs = { }
if rule.source.addr:
attrs["address"] = rule.source.addr
if rule.source.mac:
attrs["mac"] = rule.source.mac
if rule.source.ipset:
attrs["ipset"] = rule.source.ipset
if rule.source.invert:
attrs["invert"] = "True"
handler.ignorableWhitespace(" ")
handler.simpleElement("source", attrs)
handler.ignorableWhitespace("\n")
# destination
if rule.destination:
attrs = { "address": rule.destination.addr }
if rule.destination.invert:
attrs["invert"] = "True"
handler.ignorableWhitespace(" ")
handler.simpleElement("destination", attrs)
handler.ignorableWhitespace("\n")
# element
if rule.element:
element = ""
attrs = { }
if type(rule.element) == rich.Rich_Service:
element = "service"
attrs["name"] = rule.element.name
elif type(rule.element) == rich.Rich_Port:
element = "port"
attrs["port"] = rule.element.port
attrs["protocol"] = rule.element.protocol
elif type(rule.element) == rich.Rich_Protocol:
element = "protocol"
attrs["value"] = rule.element.value
elif type(rule.element) == rich.Rich_Masquerade:
element = "masquerade"
elif type(rule.element) == rich.Rich_IcmpBlock:
element = "icmp-block"
attrs["name"] = rule.element.name
elif type(rule.element) == rich.Rich_ForwardPort:
element = "forward-port"
attrs["port"] = rule.element.port
attrs["protocol"] = rule.element.protocol
if rule.element.to_port != "":
attrs["to-port"] = rule.element.to_port
if rule.element.to_address != "":
attrs["to-addr"] = rule.element.to_address
elif type(rule.element) == rich.Rich_SourcePort:
element = "source-port"
attrs["port"] = rule.element.port
attrs["protocol"] = rule.element.protocol
else:
log.warning("Unknown element '%s'", type(rule.element))
handler.ignorableWhitespace(" ")
handler.simpleElement(element, attrs)
handler.ignorableWhitespace("\n")
# rule.element
# log
if rule.log:
attrs = { }
if rule.log.prefix:
attrs["prefix"] = rule.log.prefix
if rule.log.level:
attrs["level"] = rule.log.level
if rule.log.limit:
handler.ignorableWhitespace(" ")
handler.startElement("log", attrs)
handler.ignorableWhitespace("\n ")
handler.simpleElement("limit",
{ "value": rule.log.limit.value })
handler.ignorableWhitespace("\n ")
handler.endElement("log")
else:
handler.ignorableWhitespace(" ")
handler.simpleElement("log", attrs)
handler.ignorableWhitespace("\n")
# audit
if rule.audit:
attrs = {}
if rule.audit.limit:
handler.ignorableWhitespace(" ")
handler.startElement("audit", { })
handler.ignorableWhitespace("\n ")
handler.simpleElement("limit",
{ "value": rule.audit.limit.value })
handler.ignorableWhitespace("\n ")
handler.endElement("audit")
else:
handler.ignorableWhitespace(" ")
handler.simpleElement("audit", attrs)
handler.ignorableWhitespace("\n")
# action
if rule.action:
action = ""
attrs = { }
if type(rule.action) == rich.Rich_Accept:
action = "accept"
elif type(rule.action) == rich.Rich_Reject:
action = "reject"
if rule.action.type:
attrs["type"] = rule.action.type
elif type(rule.action) == rich.Rich_Drop:
action = "drop"
elif type(rule.action) == rich.Rich_Mark:
action = "mark"
attrs["set"] = rule.action.set
else:
log.warning("Unknown action '%s'", type(rule.action))
if rule.action.limit:
handler.ignorableWhitespace(" ")
handler.startElement(action, attrs)
handler.ignorableWhitespace("\n ")
handler.simpleElement("limit",
{ "value": rule.action.limit.value })
handler.ignorableWhitespace("\n ")
handler.endElement(action)
else:
handler.ignorableWhitespace(" ")
handler.simpleElement(action, attrs)
handler.ignorableWhitespace("\n")
handler.ignorableWhitespace(" ")
handler.endElement("rule")
handler.ignorableWhitespace("\n")
# end zone element
handler.endElement("zone")
handler.ignorableWhitespace("\n")
handler.endDocument()
f.close()
del handler
def startElement(self, name, attrs):
IO_Object_ContentHandler.startElement(self, name)
if self._rule_error:
return
self.item.parser_check_element_attrs(name, attrs)
if name == "zone":
if "name" in attrs:
log.warning("Ignoring deprecated attribute name='%s'" %
attrs["name"])
if "version" in attrs:
self.item.version = attrs["version"]
if "immutable" in attrs:
log.warning("Ignoring deprecated attribute immutable='%s'" %
attrs["immutable"])
if "target" in attrs:
target = attrs["target"]
if target not in ZONE_TARGETS:
raise FirewallError(INVALID_TARGET, target)
if target != "" and target != DEFAULT_ZONE_TARGET:
self.item.target = target
elif name == "short":
pass
elif name == "description":
pass
elif name == "service":
if self._rule:
if self._rule.element:
log.error('Invalid rule: More than one element, ignoring.')
self._rule_error = True
return
self._rule.element = Rich_Service(attrs["name"])
return
if attrs["name"] not in self.item.services:
self.item.services.append(attrs["name"])
elif name == "port":
if self._rule:
if self._rule.element:
log.error('Invalid rule: More than one element, ignoring.')
self._rule_error = True
return
self._rule.element = Rich_Port(attrs["port"],
attrs["protocol"])
return
# TODO: fix port string according to fw_zone.__port_id()
entry = (attrs["port"], attrs["protocol"])
if entry not in self.item.ports:
self.item.ports.append(entry)
elif name == "protocol":
if self._rule:
if self._rule.element:
log.error('Invalid rule: More than one element, ignoring.')
self._rule_error = True
return
self._rule.element = Rich_Protocol(attrs["value"])
else:
log.error('Protocol allowed only in rule.')
if attrs["value"] not in self.item.protocols:
self.item.protocols.append(attrs["value"])
elif name == "icmp-block":
if self._rule:
if self._rule.element:
log.error('Invalid rule: More than one element, ignoring.')
self._rule_error = True
return
self._rule.element = Rich_IcmpBlock(attrs["name"])
return
if attrs["name"] not in self.item.icmp_blocks:
self.item.icmp_blocks.append(attrs["name"])
elif name == "masquerade":
if "enabled" in attrs:
log.warning("Ignoring deprecated attribute enabled='%s'" %
attrs["enabled"])
if self._rule:
if self._rule.element:
log.error('Invalid rule: More than one element, ignoring.')
self._rule_error = True
return
self._rule.element = Rich_Masquerade()
else:
self.item.masquerade = True
elif name == "forward-port":
to_port = ""
if "to-port" in attrs:
to_port = attrs["to-port"]
to_addr = ""
if "to-addr" in attrs:
to_addr = attrs["to-addr"]
if self._rule:
if self._rule.element:
log.error('Invalid rule: More than one element, ignoring.')
self._rule_error = True
return
self._rule.element = Rich_ForwardPort(attrs["port"],
attrs["protocol"],
to_port, to_addr)
return
# TODO: fix port string according to fw_zone.__forward_port_id()
entry = (attrs["port"], attrs["protocol"], to_port, to_addr)
if entry not in self.item.forward_ports:
self.item.forward_ports.append(entry)
elif name == "interface":
if self._rule:
log.error('Invalid rule: interface use in rule.')
self._rule_error = True
return
# zone bound to interface
if "name" not in attrs:
log.error('Invalid interface: Name missing.')
self._rule_error = True
return
name = attrs["name"]
if name not in self.item.interfaces:
self.item.interfaces.append(name)
elif name == "source":
if self._rule:
if self._rule.source:
log.error('Invalid rule: More than one source')
self._rule_error = True
return
invert = False
if "invert" in attrs and \
attrs["invert"].lower() in [ "yes", "true" ]:
invert = True
self._rule.source = Rich_Source(attrs["address"], invert)
return
# zone bound to source
if "address" not in attrs:
log.error('Invalid source: Address missing.')
return
if "family" in attrs:
log.warning("Ignoring deprecated attribute family='%s'" %
attrs["family"])
if "invert" in attrs:
log.error('Invalid source: Invertion not allowed here.')
return
entry = attrs["address"]
if entry not in self.item.sources:
self.item.sources.append(entry)
elif name == "destination":
if not self._rule:
log.error('Invalid rule: Destination outside of rule')
self._rule_error = True
return
if self._rule.destination:
log.error('Invalid rule: More than one destination')
return
invert = False
if "invert" in attrs and \
attrs["invert"].lower() in [ "yes", "true" ]:
invert = True
self._rule.destination = Rich_Destination(attrs["address"], invert)
elif name in ["accept", "reject", "drop"]:
if not self._rule:
log.error('Invalid rule: Action outside of rule')
self._rule_error = True
return
if self._rule.action:
log.error('Invalid rule: More than one action')
self._rule_error = True
return
if name == "accept":
self._rule.action = Rich_Accept()
if name == "reject":
_type = None
if "type" in attrs:
_type = attrs["type"]
self._rule.action = Rich_Reject(_type)
if name == "drop":
self._rule.action = Rich_Drop()
self._limit_ok = self._rule.action
elif name == "log":
if not self._rule:
log.error('Invalid rule: Log outside of rule')
return
if self._rule.log:
log.error('Invalid rule: More than one log')
return
level = None
if "level" in attrs:
level = attrs["level"]
if level not in [
"emerg", "alert", "crit", "error", "warning", "notice",
"info", "debug"
]:
log.error('Invalid rule: Invalid log level')
self._rule_error = True
return
prefix = attrs["prefix"] if "prefix" in attrs else None
self._rule.log = Rich_Log(prefix, level)
self._limit_ok = self._rule.log
elif name == "audit":
if not self._rule:
log.error('Invalid rule: Audit outside of rule')
return
if self._rule.audit:
log.error('Invalid rule: More than one audit')
self._rule_error = True
return
self._rule.audit = Rich_Audit()
self._limit_ok = self._rule.audit
elif name == "rule":
family = None
if "family" in attrs:
family = attrs["family"]
if family not in ["ipv4", "ipv6"]:
log.error('Invalid rule: Rule family "%s" invalid' %
attrs["family"])
self._rule_error = True
return
self._rule = Rich_Rule(family)
self.item.rules.append(self._rule)
elif name == "limit":
if not self._limit_ok:
log.error(
'Invalid rule: Limit outside of action, log and audit')
self._rule_error = True
return
if self._limit_ok.limit:
log.error('Invalid rule: More than one limit')
self._rule_error = True
return
value = attrs["value"]
self._limit_ok.limit = Rich_Limit(value)
else:
log.error('Unknown XML element %s' % name)
return
def update_service_from_path(self, name):
filename = os.path.basename(name)
path = os.path.dirname(name)
if not os.path.exists(name):
# removed file
if path == config.ETC_FIREWALLD_SERVICES:
# removed custom service
for x in self._services.keys():
obj = self._services[x]
if obj.filename == filename:
del self._services[x]
if obj.name in self._builtin_services:
return ("update", self._builtin_services[obj.name])
return ("remove", obj)
else:
# removed builtin service
for x in self._builtin_services.keys():
obj = self._builtin_services[x]
if obj.filename == filename:
del self._builtin_services[x]
if obj.name not in self._services:
# update dbus service
return ("remove", obj)
else:
# builtin hidden, no update needed
return (None, None)
# service not known to firewalld, yet (timeout, ..)
return (None, None)
# new or updated file
log.debug1("Loading service file '%s'", name)
try:
obj = service_reader(filename, path)
except Exception as msg:
log.error("Failed to load service file '%s': %s", filename, msg)
return (None, None)
# new service
if obj.name not in self._builtin_services and obj.name not in self._services:
self.add_service(obj)
return ("new", obj)
# updated service
if path == config.ETC_FIREWALLD_SERVICES:
# custom service update
if obj.name in self._services:
obj.default = self._services[obj.name].default
self._services[obj.name] = obj
return ("update", obj)
else:
if obj.name in self._builtin_services:
# builtin service update
del self._builtin_services[obj.name]
self._builtin_services[obj.name] = obj
if obj.name not in self._services:
# update dbus service
return ("update", obj)
else:
# builtin hidden, no update needed
return (None, None)
# service not known to firewalld, yet (timeout, ..)
return (None, None)
def execute(self, enable):
log.debug4("%s.execute(%s)" % (type(self), enable))
rules, modules = self.prepare(enable)
# pre
self.pre()
# stage 1: apply rules
error = False
errorMsg = ""
done = []
for backend_name in rules:
try:
self.fw.rules(backend_name, rules[backend_name])
except Exception as msg:
error = True
errorMsg = msg
log.debug1(traceback.format_exc())
log.error(msg)
else:
done.append(backend_name)
# stage 2: load modules
if not error:
module_return = self.fw.handle_modules(modules, enable)
if module_return:
(cleanup_modules, msg) = module_return
if cleanup_modules is not None:
error = True
errorMsg = msg
self.fw.handle_modules(cleanup_modules, not enable)
# error case: revert rules
if error:
undo_rules = {}
for backend_name in done:
undo_rules[backend_name] = []
for rule in reversed(rules[backend_name]):
undo_rules[backend_name].append(
self.fw.get_backend_by_name(backend_name).reverse_rule(
rule))
for backend_name in undo_rules:
try:
self.fw.rules(backend_name, undo_rules[backend_name])
except Exception as msg:
log.debug1(traceback.format_exc())
log.error(msg)
# call failure functions
for (func, args) in self.fail_funcs:
try:
func(*args)
except Exception as msg:
log.debug1(traceback.format_exc())
log.error("Calling fail func %s(%s) failed: %s" % \
(func, args, msg))
raise FirewallError(errors.COMMAND_FAILED, errorMsg)
# post
self.post()
def ipset_writer(ipset, path=None):
_path = path if path else ipset.path
if ipset.filename:
name = "%s/%s" % (_path, ipset.filename)
else:
name = "%s/%s.xml" % (_path, ipset.name)
if os.path.exists(name):
try:
shutil.copy2(name, "%s.old" % name)
except Exception as msg:
log.error("Backup of file '%s' failed: %s", name, msg)
dirpath = os.path.dirname(name)
if dirpath.startswith(
config.ETC_FIREWALLD) and not os.path.exists(dirpath):
if not os.path.exists(config.ETC_FIREWALLD):
os.mkdir(config.ETC_FIREWALLD, 0o750)
os.mkdir(dirpath, 0o750)
f = io.open(name, mode='wt', encoding='UTF-8')
handler = IO_Object_XMLGenerator(f)
handler.startDocument()
# start ipset element
attrs = {"type": ipset.type}
if ipset.version and ipset.version != "":
attrs["version"] = ipset.version
handler.startElement("ipset", attrs)
handler.ignorableWhitespace("\n")
# short
if ipset.short and ipset.short != "":
handler.ignorableWhitespace(" ")
handler.startElement("short", {})
handler.characters(ipset.short)
handler.endElement("short")
handler.ignorableWhitespace("\n")
# description
if ipset.description and ipset.description != "":
handler.ignorableWhitespace(" ")
handler.startElement("description", {})
handler.characters(ipset.description)
handler.endElement("description")
handler.ignorableWhitespace("\n")
# options
for key, value in ipset.options.items():
handler.ignorableWhitespace(" ")
if value != "":
handler.simpleElement("option", {"name": key, "value": value})
else:
handler.simpleElement("option", {"name": key})
handler.ignorableWhitespace("\n")
# entries
for entry in ipset.entries:
handler.ignorableWhitespace(" ")
handler.startElement("entry", {})
handler.characters(entry)
handler.endElement("entry")
handler.ignorableWhitespace("\n")
# end ipset element
handler.endElement('ipset')
handler.ignorableWhitespace("\n")
handler.endDocument()
f.close()
del handler
