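    def create_rule(self, name, target, dst="", dport="", src="", sport="", proto="", siface="", diface=""):
        """Create and return a Rule, or a list of two when a port is given without a protocol.

        name    free-form label.  It is embedded verbatim in the rule's ``comment``
                match as "<self.identifier>:<name>".  NOTE(review): nothing here
                bounds or sanitises it (iptables caps a comment at 256 bytes) and
                the rule is presumably rendered to a command line later, so do
                not pass untrusted strings in -- confirm what the renderer does.
        target  what to do on a match, e.g. "ACCEPT", "DROP", "LOG"; handed to
                Rule.create_target().  NOTE(review): iptables' built-in reject
                target is "REJECT", not "DENY" -- whether "DENY" is accepted is
                up to create_target(), not checked here.
        dst     destination network, "XXX.XXX.XXX.XXX/YY".
        dport   destination port.
        src     source network in the same form as dst, or an address range
                "A.B.C.D-E.F.G.H" (any '-' selects the iprange match).
        sport   source port; handled the same way as dport.
        proto   protocol.  When a port is given but no protocol, two rules are
                returned, one for "tcp" and one for "udp".  When given without a
                port the protocol is still applied to the rule -- previously it
                was only set inside the port branches, so e.g. proto="icmp" with
                no port silently produced an any-protocol (broader) rule.
        siface  source interface; stored on rule.out_interface.
        diface  destination interface; stored on rule.in_interface.
                NOTE(review): this is the reverse of iptables' -i/-o convention
                (a packet from src *arrives* on -i).  Kept as-is because callers
                may rely on it -- confirm which meaning the callers intend.

        Returns the Rule, or a list of two Rules in the tcp/udp fan-out case.
        """
        if (dport or sport) and not proto:
            # No protocol to attach the port match to: emit a tcp and a udp copy.
            return [self.create_rule(name, target, dst=dst, dport=dport,
                                     src=src, sport=sport, proto=p,
                                     siface=siface, diface=diface)
                    for p in ("tcp", "udp")]
        rule = Rule()
        rule.create_target(target)
        if proto:
            # Set the protocol unconditionally (same order as _get_base_rule),
            # not only when a port narrows it further.
            rule.protocol = proto
        if dst:
            rule.dst = dst
        # NOTE(review): the iprange match below is explicitly add_match()ed
        # while the port and comment matches are not.  Verify create_match()
        # registers the match itself; otherwise the port restriction (and the
        # signature comment) is silently dropped and the rule is wider than
        # intended.
        if dport:
            proto_match = rule.create_match(proto)
            proto_match.dport = str(dport)
        if diface:
            rule.in_interface = diface
        if src:
            if "-" in src:
                iprange_match = rule.create_match("iprange")
                iprange_match.src_range = src
                rule.add_match(iprange_match)
            else:
                rule.src = src
        if sport:
            # A second match instance of the same protocol; whether the Rule
            # merges it with the dport one is not visible from here.
            proto_match = rule.create_match(proto)
            proto_match.sport = str(sport)
        if siface:
            rule.out_interface = siface
        # Tag the rule so it can later be recognised as ours.
        comment_match = rule.create_match("comment")
        comment_match.comment = self.identifier + ":" + name
        rule.final_check()
        return rule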
    def _get_base_rule(self, match):
        """Build the Rule skeleton shared by every rule derived from ``match``.

        The rule is narrowed to the flow's protocol number and to the
        destination network "<dst_ip>/<netmask>".  When ``match.dst_port`` is
        non-zero a destination-port match is attached as well, using the
        iptables match name that ``self._prot_port_supp`` maps the protocol
        number to (a protocol with no entry there raises KeyError, but only
        when a port is actually set).  Source address and port are left unset.

        Returns the new Rule.
        """
        base = Rule()
        base.protocol = match.ip_proto_num
        base.dst = "/".join((str(match.dst_ip), str(match.netmask)))

        port = match.dst_port
        if port == 0:
            return base

        # Only port-capable protocols have an entry in _prot_port_supp.
        match_name = self._prot_port_supp[match.ip_proto_num]
        port_match = IPT_Match(base, match_name)
        port_match.dport = str(port)
        base.add_match(port_match)
        return base