self.file.write("\n") self.file.write("# Call bypass-rules chain from PREROUTING chain to forward traffic" + "\n") self.file.write("${IPTABLES} -t filter -D FORWARD -m conntrack --ctstate NEW -m comment --comment \"Bypass rules\" -j bypass-rules >/dev/null 2>&1" + "\n") self.file.write("${IPTABLES} -t filter -A FORWARD -m conntrack --ctstate NEW -m comment --comment \"Bypass rules\" -j bypass-rules" + "\n") self.file.write("\n") self.file.write("# Bypass all packets and sessions to the local server" + "\n") self.file.write("${IPTABLES} -A input-set-marks -t mangle ! -i utun -m conntrack --ctstate NEW -j MARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local inbound packets\"" % self.bypass_mark_mask + "\n") self.file.write("${IPTABLES} -A input-set-marks -t mangle ! -i utun -m conntrack --ctstate NEW -j CONNMARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local inbound sessions\"" % self.bypass_mark_mask + "\n") self.file.write("\n") self.file.write("# Bypass all packets and sessions from the local server" + "\n") self.file.write("${IPTABLES} -A output-set-marks -t mangle -j MARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local outbound packets\"" % self.bypass_mark_mask + "\n") self.file.write("${IPTABLES} -A output-set-marks -t mangle -m conntrack --ctstate NEW -j CONNMARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local outbound sessions\"" % self.bypass_mark_mask + "\n") self.file.write("\n") self.write_restore_bypass_mark(settings) self.write_set_bypass_mark(settings) self.write_bypass_rules(settings) self.file.flush() self.file.close() print("BypassRulesManager: Wrote %s" % self.filename) return registrar.register_manager(BypassRuleManager())
file.write("#!/bin/sh") file.write("\n\n") file.write("## Auto Generated\n") file.write("## DO NOT EDIT. Changes will be overwritten.\n") file.write("\n\n") file.write('TMPFILE="/tmp/shadow"\n') file.write('/bin/sed -e \'s|^\\(root:\\)[^:]*:[^:]*\\(:.*\\)$|\\1') file.write(phash.replace("$", r"\$")) file.write(':\\2|\' /etc/shadow > $TMPFILE\n') file.write('\n') file.write( 'if ! diff /etc/shadow $TMPFILE >/dev/null 2>&1 ; then cp $TMPFILE /etc/shadow ; fi\n' ) file.write('\n') file.write('rm -f $TMPFILE') file.write('\n') file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("AccountsManager: Wrote %s" % filename) return registrar.register_manager(AccountsManager())
self.file.write("# If its local and port 80 and hasnt already been handled in this chain, block it\n") self.file.write("${IPTABLES} -t nat -A port-forward-rules -p tcp -m addrtype --dst-type local --destination-port 80 -j REDIRECT --to-ports 0 -m comment --comment \"Drop local HTTP traffic that hasn't been handled earlier in chain\"" + "\n") self.file.write("\n") # write a rule to protect http port for primary address when coming from a bridged interface # add rule to block at the end. If that point is reached then it hasn't been protected or port forwarded # The block rule exists so that when the port is changed from the default the original port won't still work # This is for bridged cases. If the primary IP of external is 1.2.3.4 we want to reserve 1.2.3.4:80 for http, but ONLY from the inside so that port forwards work externally. for intf in settings.get('interfaces'): if intf.get('configType') == 'ADDRESSED' and intf.get('isWan'): # now find all interfaces bridged to this WAN for sub_intf in settings.get('interfaces'): if sub_intf.get('configType') == 'BRIDGED' and sub_intf.get('bridgedTo') == intf.get('interfaceId'): self.file.write("# don't allow port forwarding of http port of primary IP of WAN from bridged interface %i.\n" % sub_intf.get('interfaceId')) self.file.write("ADDR=\"`ip addr show %s | awk '/^ *inet.*scope global/ { interface = $2 ; sub( \"/.*\", \"\", interface ) ; print interface ; exit }'`\"\n" % intf.get('symbolicDev')) self.file.write("if [ ! 
-z \"${ADDR}\" ] ; then" + "\n") self.file.write("\t${IPTABLES} -t nat -I port-forward-rules -p tcp -m mark --mark 0x%04X/0x%04X --destination ${ADDR} --destination-port %i -j DNAT --to-destination ${ADDR}:80 -m comment --comment \"Reserve port 80 on ${ADDR} for blockpages\"" % (sub_intf.get('interfaceId'), self.src_interface_mark_mask, http_port) + "\n") self.file.write("\t${IPTABLES} -t nat -A port-forward-rules -p tcp -m mark --mark 0x%04X/0x%04X --destination ${ADDR} --destination-port 80 -j REDIRECT --to-ports 0 -m comment --comment \"Drop local HTTP traffic that hasn't been handled earlier in chain\"" % (sub_intf.get('interfaceId'), self.src_interface_mark_mask) + "\n") self.file.write("fi" + "\n") self.file.write("\n") self.file.write("\n\n") self.file.flush() self.file.close() print("PortForwardManager: Wrote %s" % self.filename) registrar.register_manager(PortForwardManager())
class SettingsManager:
    """Manager that normalizes the settings tree before other managers use it.

    The only hook that does work is validate_settings(), which applies the
    module-level fixup_settings() and cleanup_settings() helpers in place.
    """

    def initialize(self):
        # Nothing to set up; present so the registrar can call every hook uniformly.
        pass

    def sanitize_settings(self, settings):
        # No sanitization performed by this manager.
        pass

    def validate_settings(self, settings):
        # fixup_settings() runs first: it rewrites the Java-style list wrappers
        # (see below). cleanup_settings() is not visible here; presumably it
        # expects the already-normalized tree — confirm against its definition.
        fixup_settings(settings)
        cleanup_settings(settings)

    def sync_settings(self, settings, prefix, delete_list):
        # This manager writes no files and adds nothing to delete_list.
        pass


registrar.register_manager(SettingsManager())


def fixup_settings(json_obj):
    """
    Fixes JSON serialization oddities in the JSON object
    """
    if isinstance(json_obj, dict):
        # list(...) so the dict can be mutated while iterating its keys.
        for key in list(json_obj.keys()):
            value = json_obj.get(key)
            if isinstance(value, dict):
                if value.get('list') != None and value.get('javaClass') != None and "List" in value.get('javaClass'):
                    # Java serializes list objects as:
                    # "foo": { "javaClass": "java.util.LinkedList", "list": [] },
                    # This will change it to this for simplicity:
                    # "foo": []
                    new_value = value.get('list')
# Instead manually kill all process with ddclient in name pgrep ddclient | while read pid ; do kill $pid ; done fi """) else: file.write(r""" # ddclient process changes its own name, no "pidof ddclient" does not work DDCLIENT_PID="`pgrep ddclient`" # Restart ddclient if it isnt found # Or if ddclient.conf orhas been written since ddclient was started if [ -z "$DDCLIENT_PID" ] ; then systemctl --no-block restart ddclient # use not older than (instead of newer than) because it compares seconds and we want an equal value to still do a restart elif [ ! /etc/ddclient.conf -ot /proc/$DDCLIENT_PID ] ; then systemctl --no-block restart ddclient fi """) file.write("\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("DdclientManager: Wrote %s" % filename) return registrar.register_manager(DdclientManager())
# file.write("\n"); # file.write("\t${IPTABLES} -t raw -A helpers -p tcp --dport 6667 -j CT --helper irc" + "\n"); # file.write("\n"); # # XXX - in testing it seems this PPTP helper does not work # # The GRE session does not get redirected # # the nf_nat_pptp and associated GRE plugin do work correctly, but is deprecated in newer kernels # file.write("\t${IPTABLES} -t raw -A helpers -p tcp --dport 1723 -j CT --helper pptp" + "\n"); # file.write("\n"); # file.write("\t${IPTABLES} -t raw -A helpers -p udp --dport 69 -j CT --helper tftp" + "\n"); # file.write("\n"); # file.write("\t${IPTABLES} -t raw -A helpers -p udp --dport 137 -j CT --helper netbios-ns" + "\n"); # file.write("\n"); # file.write("\t${IPTABLES} -t raw -A helpers -p udp --dport 161 -j CT --helper snmp" + "\n"); # file.write("\n"); # file.write("fi" + "\n"); # file.write("\n"); file.flush() file.close() print("IptablesManager: Wrote %s" % filename) registrar.register_manager(IptablesManager())
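def sync_settings(self, settings, prefix, delete_list):
    """Regenerate the /etc/config/nftables-rules.d/2* files.

    Every existing file under /etc/config/nftables-rules.d/ whose name starts
    with "2" is appended to *delete_list* first, so files this manager no
    longer writes get removed; self.write_files() then writes the current set.

    Args:
        settings: full settings dict handed to every manager.
        prefix: path prefix the generated files are written under.
        delete_list: list of paths the caller will delete; mutated in place.
    """
    # NOTE(review): the walk ignores *prefix* while write_files() receives it;
    # confirm that delete_list is expected to hold live (un-prefixed) paths.
    rules_dir = "/etc/config/nftables-rules.d/"
    for dirpath, _, filenames in os.walk(rules_dir):
        for filename in filenames:
            if filename.startswith("2"):
                # os.path.join rather than `dirpath + filename`: os.walk yields
                # sub-directory paths without a trailing slash, so plain
                # concatenation produced a wrong path below the top level.
                delete_list.append(os.path.join(dirpath, filename))

    # Write all the /etc/config/nftables-rules.d/2.* files
    self.write_files(settings, prefix, delete_list)


registrar.register_manager(TableManager())


def write_file(filename, table_settings, prefix):
    """write_file writes the specified file"""
    file_dir = os.path.dirname(filename)
    if not os.path.exists(file_dir):
        os.makedirs(file_dir)
    file = open(filename, "w+")
    file.write("#!/bin/sh")
    file.write("\n\n")
    file.write("## Auto Generated\n")
    file.write("## DO NOT EDIT. Changes will be overwritten.\n")
    file.write("\n\n")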
def validate_settings(self, settings): """validates settings""" pass def create_settings(self, settings, prefix, delete_list, filename): """creates settings""" print("%s: Initializing settings" % self.__class__.__name__) settings['reports'] = default_reports_settings() settings['dashboard'] = default_dashboard_settings() def sync_settings(self, settings, prefix, delete_list): """syncs settings""" pass registrar.register_manager(ReportsManager()) def default_reports_settings(): """default reports settings""" return { "entries": [] } def default_dashboard_settings(): """default dashboard settings""" return { "widgets": [{ "name": "Interface Usage", "interval": 30 }, {
file.write("## Auto Generated\n") file.write("## DO NOT EDIT. Changes will be overwritten.\n") file.write("\n\n") file.write("# Force send ARP to the gateways to update MAC table" + "\n") file.write("# This is necessary for malfunctioning ISP routers that have permanent ARP caches" + "\n") file.write("\n") for intf in settings['interfaces']: if intf.get('v4ConfigType') == 'STATIC': if 'v4StaticGateway' in intf and 'v4StaticAddress' in intf: file.write("# Static IP of interface %i\n" % intf.get('interfaceId')) file.write("arping -U -c 1 -I %s -s %s %s >/dev/null &\n" % (intf.get('systemDev'), intf.get('v4StaticAddress'), intf.get('v4StaticGateway'))) if intf.get('v4Aliases') != None: for alias in intf.get('v4Aliases'): file.write("# Alias IPs of interface %i\n" % intf.get('interfaceId')) file.write("arping -U -c 1 -I %s -s %s %s >/dev/null &\n" % (intf.get('systemDev'), alias.get('staticAddress'), intf.get('v4StaticGateway'))) file.write("\n\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("ArpManager: Wrote %s" % filename) return registrar.register_manager(ArpManager())
file.write("\ttrue" + "\n") else: # And should not be loaded - unload it! file.write("\techo Unloading nf_conntrack_sip kernel module..." + "\n") file.write("\tmodprobe -r nf_conntrack_sip" + "\n") file.write("else" + "\n") # Its not loaded if settings.get('enableSipNatHelper'): # And should be loaded - load it! file.write("\techo Loading nf_conntrack_sip kernel module..." + "\n") file.write("\tmodprobe nf_conntrack_sip" + "\n") else: # And should not be loaded - do nothing! file.write("\ttrue" + "\n") file.write("fi" + "\n") file.write("fi" + "\n") file.write("\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("KernelManager: Wrote %s" % filename) registrar.register_manager(KernelManager())
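def write_resolve_file(self, settings, prefix):
    """Write the resolv.conf file at ``prefix + self.resolv_filename``.

    The generated file points the resolver at 127.0.0.1 and, when
    ``domainName`` is present in *settings*, adds a ``search`` line for it.

    Args:
        settings: network settings dict; must contain ``hostName``.
        prefix: path prefix the file is created under (parent dirs are made).

    Returns:
        None. When ``hostName`` is missing an error is printed and nothing
        is written.
    """
    if 'hostName' not in settings:
        print("ERROR: Missing hostname setting")
        return

    filename = prefix + self.resolv_filename
    # exist_ok avoids the check-then-create race of the original exists() test.
    os.makedirs(os.path.dirname(filename), exist_ok=True)

    domain_name = settings.get('domainName')

    # `with` closes the handle even if a write raises; the original
    # flush()/close() pair was skipped on any exception.
    with open(filename, "w+") as file:
        file.write("## Auto Generated\n")
        file.write("## DO NOT EDIT. Changes will be overwritten.\n")
        file.write("\n")
        file.write("nameserver 127.0.0.1" + "\n")
        if domain_name is not None:
            # NOTE(review): domainName is written verbatim; a value containing
            # whitespace or a newline would change the resolv.conf syntax.
            # Validation of that field belongs in the settings layer.
            file.write("search %s" % domain_name + "\n")
        file.write("\n")

    print("HostsManager: Wrote %s" % filename)


registrar.register_manager(HostsManager())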
file.write("## Auto Generated\n") file.write("## DO NOT EDIT. Changes will be overwritten.\n") file.write("\n") file.write(r""" RADVD_PID="`pidof radvd`" # Start radvd if it isnt found and is needed (config file is non-zero) # Restart radvd if it is found and but is outdated and is needed (config file is non-zero) # Stop if radvd is found, but no longer needed (config file is zero size) # The reason we don't just stop and then start if needed if to avoid doing anything if nothing is required. if [ -z "$RADVD_PID" ] && [ -s /etc/radvd.conf ] ; then systemctl --no-block start radvd elif [ /etc/radvd.conf -nt /proc/$RADVD_PID ] && [ -s /etc/radvd.conf ] ; then systemctl --no-block restart radvd elif [ ! -z "$RADVD_PID" ] && [ ! -s /etc/radvd.conf ] ; then systemctl --no-block stop radvd fi """) file.write("\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("RadvdManager: Wrote %s" % filename) return registrar.register_manager(RadvdManager())
(self.SERVER_INTERFACE_MASK, (interface_id << self.SERVER_INTERFACE_SHIFT), self.CLIENT_TYPE_MASK_INVERSE, interface_type << self.CLIENT_TYPE_SHIFT)) file.write("# if ct mark client interface is X then set the mark server interface to X\n") file.write("nft add rule inet interface-marks restore-interface-marks-reply ct mark and 0x%x == 0x%x mark set mark and 0x%x or 0x%x\n" % (self.CLIENT_INTERFACE_MASK, (interface_id << self.CLIENT_INTERFACE_SHIFT), self.SERVER_INTERFACE_MASK_INVERSE, interface_id << self.SERVER_INTERFACE_SHIFT)) file.write("# if ct mark client interface is X then set the mark server type to Xs type\n") file.write("nft add rule inet interface-marks restore-interface-marks-reply ct mark and 0x%x == 0x%x mark set mark and 0x%x or 0x%x\n" % (self.CLIENT_INTERFACE_MASK, (interface_id << self.CLIENT_INTERFACE_SHIFT), self.SERVER_TYPE_MASK_INVERSE, interface_type << self.SERVER_TYPE_SHIFT)) file.write("# restore original direction interface marks\n") file.write("nft add rule inet interface-marks restore-interface-marks-original mark set ct mark and 0x%x\n" % (self.ALL_MASK)) file.write("nft add rule inet interface-marks check-src-interface-mark mark and 0x%x == 0 iifname != lo log prefix \\\"WARNING: Unknown src intf: \\\"\n" % (self.SRC_INTERFACE_MASK)) file.write("nft add rule inet interface-marks check-dst-interface-mark mark and 0x%x == 0 oifname != lo log prefix \\\"WARNING: Unknown dst intf: \\\"\n" % (self.DST_INTERFACE_MASK)) # We could just have static rules in restore-interface-marks-reply that just apply the original marks but shifted around a bit # However This would require something like: # mark set mark or ct mark and 0xff << 8 # However nft won't let you do this: # Error: Right hand side of binary operation (|) must be constant # So we have to use a ton of rules to do the same thing above file.write("\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("InterfaceManager: Wrote %s" % filename) 
return registrar.register_manager(InterfaceManager())
The miniupnp packaging calls these scripts in the postinst We must overwrite them so they don't fail with an error """ filename = prefix + self.iptables_init_filename file_dir = os.path.dirname(filename) if not os.path.exists(file_dir): os.makedirs(file_dir) file = open(filename, "w+") file.write("#!/bin/sh\n") file.write("exit 0\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("UpnpManager: Wrote %s" % filename) filename = prefix + self.ip6tables_init_filename file_dir = os.path.dirname(filename) if not os.path.exists(file_dir): os.makedirs(file_dir) file = open(filename, "w+") file.write("#!/bin/sh\n") file.write("exit 0\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("UpnpManager: Wrote %s" % filename) return registrar.register_manager(UpnpManager())
else: file.write("\toption mode 'sta'\n") file.write("\toption ssid '%s'\n" % intf.get('wirelessSsid')) if intf.get('wirelessEncryption') == 'NONE': file.write("\toption encryption 'none'\n") elif intf.get('wirelessEncryption') == 'WPA1': file.write("\toption encryption 'psk'\n") file.write("\toption key '%s'\n" % intf.get('wirelessPassword')) elif intf.get('wirelessEncryption') == 'WPA12': file.write("\toption encryption 'psk-mixed+tkip+ccmp'\n") file.write("\toption key '%s'\n" % intf.get('wirelessPassword')) else: file.write("\toption encryption 'psk2'\n") file.write("\toption key '%s'\n" % intf.get('wirelessPassword')) self.write_macaddr(file, intf.get('macaddr')) file.write("\n") devidx += 1 file.flush() file.close() print("%s: Wrote %s" % (self.__class__.__name__, filename)) def enabled_wifi(intf): """returns true if the interface is an enabled wifi interface""" if intf.get('configType') != 'DISABLED' and intf.get('type') == 'WIFI': return True return False registrar.register_manager(WirelessManager())
PPPOE_UPLINK_INDEX=`echo ${CONNECTION_FILE} | sed -e 's/connection\.intf//'` /bin/echo -e "[DEBUG: `date`] Interface index: ${PPPOE_UPLINK_INDEX}" if [ -z "${PPPOE_UPLINK_INDEX}" ]; then /bin/echo -e "[DEBUG: `date`] Unknown interface index! Quitting..." return fi make_resolv_conf /usr/share/untangle-sync-settings/bin/add-uplink.sh ${PPP_IFACE} ${PPP_REMOTE} "uplink.${PPPOE_UPLINK_INDEX}" -4 /usr/share/untangle-sync-settings/bin/add-source-route.sh ${PPP_LOCAL} "uplink.${PPPOE_UPLINK_INDEX}" -4 write_status_file ${PPP_IFACE} ${PPPOE_UPLINK_INDEX} # XXX - should we run this here? # run-parts /etc/untangle/post-network-hook.d true """) file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("PPPoEManager: Wrote %s" % filename) registrar.register_manager(PPPoEManager())
# Instead manually kill all process with ddclient in name pgrep ddclient | while read pid ; do kill $pid ; done fi """) else: file.write(r""" # ddclient process changes its own name, no "pidof ddclient" does not work DDCLIENT_PID="`pgrep ddclient`" # Restart ddclient if it isnt found # Or if ddclient.conf orhas been written since ddclient was started if [ -z "$DDCLIENT_PID" ] ; then systemctl --no-block restart ddclient # use not older than (instead of newer than) because it compares seconds and we want an equal value to still do a restart elif [ ! /etc/ddclient.conf -ot /proc/$DDCLIENT_PID ] ; then systemctl --no-block restart ddclient fi """) file.write("\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("DdclientManager: Wrote %s" % filename) return registrar.register_manager(DdclientManager())
if qos_settings['dnsPriority'] != None and qos_settings['dnsPriority'] != 0: file.write("# Dns Priority " + "\n") file.write("${IPTABLES} -t mangle -A qos-rules -p udp --dport 53 -g qos-class%i -m comment --comment \"set DNS priority\"" % qos_settings['dnsPriority'] + "\n") file.write("${IPTABLES} -t mangle -A qos-rules -p tcp --dport 53 -g qos-class%i -m comment --comment \"set DNS priority\"" % qos_settings['dnsPriority'] + "\n") file.write("\n") if qos_settings['openvpnPriority'] != None and qos_settings['openvpnPriority'] != 0: file.write("# Openvpn Priority " + "\n") file.write("${IPTABLES} -t mangle -A qos-rules -p udp --dport 1194 -g qos-class%i -m comment --comment \"set openvpn priority\"" % qos_settings['openvpnPriority'] + "\n") file.write("${IPTABLES} -t mangle -A qos-rules -p tcp --dport 1194 -g qos-class%i -m comment --comment \"set openvpn priority\"" % qos_settings['openvpnPriority'] + "\n") file.write("\n") self.write_qos_custom_rules(qos_settings) if qos_settings['defaultPriority'] != None and qos_settings['defaultPriority'] != 0: file.write("# Default Priority " + "\n") file.write("${IPTABLES} -t mangle -A qos-rules -m mark --mark 0/0x000F0000 -g qos-class%i -m comment --comment \"set default priority if unset\"" % qos_settings['defaultPriority'] + "\n") file.write("${IPTABLES} -t mangle -A qos-rules -m connmark --mark 0/0x000F0000 -g qos-class%i -m comment --comment \"set default priority if unset\"" % qos_settings['defaultPriority'] + "\n") file.write("\n") file.flush() file.close() print("QosManager: Wrote %s" % filename) return registrar.register_manager(QosManager())
self.file.write("# Call nat-reverse-filter chain from FORWARD chain to block traffic to NATd interface from \"outside\" " + "\n") self.file.write("${IPTABLES} -t filter -D FORWARD -m conntrack --ctstate NEW -m comment --comment \"block traffic to NATd interfaces\" -j nat-reverse-filter >/dev/null 2>&1" + "\n") self.file.write("${IPTABLES} -t filter -A FORWARD -m conntrack --ctstate NEW -m comment --comment \"block traffic to NATd interfaces\" -j nat-reverse-filter" + "\n") self.file.write("\n") self.file.write("# Call nat-reverse-filter chain from FORWARD chain to block traffic to NATd interface from \"outside\" " + "\n") self.file.write("${IPTABLES} -t filter -D nat-reverse-filter -m conntrack --ctstate RELATED -m comment --comment \"Allow RELATED traffic\" -j RETURN >/dev/null 2>&1" + "\n") self.file.write("${IPTABLES} -t filter -A nat-reverse-filter -m conntrack --ctstate RELATED -m comment --comment \"Allow RELATED traffic\" -j RETURN" + "\n") self.file.write("\n") self.file.write("# Call nat-reverse-filter chain from FORWARD chain to block traffic to NATd interface from \"outside\" " + "\n") self.file.write("${IPTABLES} -t filter -D nat-reverse-filter -m conntrack --ctstate DNAT -m comment --comment \"Allow port forwarded traffic\" -j RETURN >/dev/null 2>&1" + "\n") self.file.write("${IPTABLES} -t filter -A nat-reverse-filter -m conntrack --ctstate DNAT -m comment --comment \"Allow port forwarded traffic\" -j RETURN" + "\n") self.file.write("\n") self.write_nat_rules(settings) self.write_interface_nat_options(settings) self.write_implicit_nat_rules(settings) self.write_lxc_nat_rules(settings) self.file.flush() self.file.close() print("NatRulesManager: Wrote %s" % self.filename) return registrar.register_manager(NatRulesManager())
self.file.write( "${IPTABLES} -t filter -A nat-reverse-filter -m conntrack --ctstate RELATED -m comment --comment \"Allow RELATED traffic\" -j RETURN" + "\n") self.file.write("\n") self.file.write( "# Call nat-reverse-filter chain from FORWARD chain to block traffic to NATd interface from \"outside\" " + "\n") self.file.write( "${IPTABLES} -t filter -D nat-reverse-filter -m conntrack --ctstate DNAT -m comment --comment \"Allow port forwarded traffic\" -j RETURN >/dev/null 2>&1" + "\n") self.file.write( "${IPTABLES} -t filter -A nat-reverse-filter -m conntrack --ctstate DNAT -m comment --comment \"Allow port forwarded traffic\" -j RETURN" + "\n") self.file.write("\n") self.write_nat_rules(settings) self.write_interface_nat_options(settings) self.write_implicit_nat_rules(settings) self.write_lxc_nat_rules(settings) self.file.flush() self.file.close() print("NatRulesManager: Wrote %s" % self.filename) return registrar.register_manager(NatRulesManager())
for intf in interfaces: if not intf.get('enabled'): continue if intf.get('natEgress'): # FIXME - this should be a rule based on mark instead of netfilterDev # The mark rules don't exist yet, so just write the NAT rules using netfilterDev for now file.write("# NAT Egress traffic to interface %i\n" % intf.get('interfaceId')) file.write( "add rule ip nat-sys nat-rules-sys oifname %s masquerade\n" % intf.get('netfilterDev')) if intf.get('natIngress'): # FIXME - this should be a rule based on mark instead of netfilterDev # The mark rules don't exist yet, so just write the NAT rules using netfilterDev for now file.write("# NAT Ingress traffic from interface %i\n" % intf.get('interfaceId')) file.write( "add rule ip nat-sys nat-rules-sys iifname %s masquerade\n" % intf.get('netfilterDev')) file.write("\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("NatManager: Wrote %s" % filename) return registrar.register_manager(NatManager())
file.write("flush table inet qos\n") file.write("add chain inet qos restore-priority-mark\n") file.write("add rule inet qos restore-priority-mark meta mark and 0xff0000 == 0x40000 ct mark set ct mark and 0xff00ffff or 0x40000 ip dscp set cs1 counter\n") file.write("add rule inet qos restore-priority-mark meta mark and 0xff0000 == 0x30000 ct mark set ct mark and 0xff00ffff or 0x30000 ip dscp set cs0 counter\n") file.write("add rule inet qos restore-priority-mark meta mark and 0xff0000 == 0x20000 ct mark set ct mark and 0xff00ffff or 0x20000 ip dscp set cs2 counter\n") file.write("add rule inet qos restore-priority-mark meta mark and 0xff0000 == 0x10000 ct mark set ct mark and 0xff00ffff or 0x10000 ip dscp set cs7 counter\n") file.write("add chain inet qos postrouting-qos { type filter hook postrouting priority 50 ; }\n") file.write("add rule inet qos postrouting-qos jump restore-priority-mark\n") except: print("ERROR:") traceback.print_exc() finally: file.write("\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("QosManager: Wrote %s" % filename) def sync_settings(self, settings, prefix, delete_list): """syncs settings""" self.write_qos_rules_sys_file(settings, prefix) for (dirpath, _, filenames) in os.walk(self.qos_file_path + "/"): for filename in filenames: full_name = dirpath + filename delete_list.append(full_name) # Write all the /etc/config/qos.d/* files self.write_qos_files(settings, prefix, delete_list) registrar.register_manager(QosManager())
file.write( "find /proc/sys/net/ipv4/conf -type f -name 'arp_announce' | while read f ; do" + "\n") file.write(" echo 2 > ${f}" + "\n") file.write("done" + "\n") file.write("\n") else: file.write("# set default ARP mode (arp flux)" + "\n") file.write( "find /proc/sys/net/ipv4/conf -type f -name 'arp_ignore' | while read f ; do" + "\n") file.write(" echo 0 > ${f}" + "\n") file.write("done" + "\n") file.write( "find /proc/sys/net/ipv4/conf -type f -name 'arp_announce' | while read f ; do" + "\n") file.write(" echo 0 > ${f}" + "\n") file.write("done" + "\n") file.write("\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("SysctlManager: Wrote %s" % filename) return registrar.register_manager(SysctlManager())
file.write( "# Delete the main table, we do this because some routes may have been removed\n" ) file.write("# All routes will be recreated later\n") file.write("ip route flush table main \n") file.write("\n") file.write("# Delete the old routing priorities\n") file.write( "ip rule ls | grep -E '^36[5-6][0-9]{3}:' | awk -F: '{print $1}' | while read i ; do ip rule delete priority $i ; done\n" ) file.write("\n") file.write("# Delete source route rules\n") file.write( """ip -4 rule show | awk -v min_priority=50000 -v max_priority=59999 '{ sub( ":", "" ) ; if (( $1 >= min_priority ) && ( $1 < max_priority ) ) print $1 }' | while read prio ; do ip rule delete priority $prio ; done""" + "\n") file.write("\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("RouteManager: Wrote %s" % filename) return registrar.register_manager(RouteManager())
if parsed_uri.host is not None: server = parsed_uri.host line = "{config_option}{server}\n".format( config_option=match.group(1), server=server) match = re.search(self.pyconnector_defaults_port, line) if match: default_server = match.group(1) port = default_port if parsed_uri.port is not None: port = parsed_uri.port line = "{config_option}{port}\n".format( config_option=match.group(1), port=port) if write_line == True: self.out_file.write(line) # Write the next line unless overidden by an updater. write_line = True self.out_file.flush() self.out_file.close() if self.in_file_name.endswith(".last"): os.remove(self.in_file_name) os.chmod(self.out_file_name, os.stat(self.out_file_name).st_mode | stat.S_IEXEC) print("PyconnectorManager: Wrote %s" % self.out_file_name) return registrar.register_manager(PyconnectorManager())
os.makedirs(file_dir) file = open(filename, "w+") file.write("#!/bin/sh") file.write("\n\n") file.write("## Auto Generated\n") file.write("## DO NOT EDIT. Changes will be overwritten.\n") file.write("\n\n") for intf in interfaces: if 'ethAutoneg' in intf and 'ethSpeed' in intf and 'ethDuplex' in intf: autoneg = 'on' if intf['ethAutoneg'] else 'off' if autoneg is 'off': file.write( "/usr/sbin/ethtool -s {} speed {} duplex {} autoneg {}\n" .format(intf['device'], intf['ethSpeed'], intf['ethDuplex'], autoneg)) else: file.write("/usr/sbin/ethtool -s {} autoneg {}\n".format( intf['device'], autoneg)) file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("SystemManager: Wrote %s" % filename) registrar.register_manager(SystemManager())
"${IPTABLES} -A input-set-marks -t mangle ! -i utun -m conntrack --ctstate NEW -j MARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local inbound packets\"" % self.bypass_mark_mask + "\n") self.file.write( "${IPTABLES} -A input-set-marks -t mangle ! -i utun -m conntrack --ctstate NEW -j CONNMARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local inbound sessions\"" % self.bypass_mark_mask + "\n") self.file.write("\n") self.file.write( "# Bypass all packets and sessions from the local server" + "\n") self.file.write( "${IPTABLES} -A output-set-marks -t mangle -j MARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local outbound packets\"" % self.bypass_mark_mask + "\n") self.file.write( "${IPTABLES} -A output-set-marks -t mangle -m conntrack --ctstate NEW -j CONNMARK --or-mark 0x%X -m comment --comment \"Set bypass bit on all local outbound sessions\"" % self.bypass_mark_mask + "\n") self.file.write("\n") self.write_restore_bypass_mark(settings) self.write_set_bypass_mark(settings) self.write_bypass_rules(settings) self.file.flush() self.file.close() print("BypassRulesManager: Wrote %s" % self.filename) return registrar.register_manager(BypassRuleManager())
class SettingsManager(Manager):
    """Catch-all manager registered for every settings file ("*").

    It generates no files of its own; its only work happens during
    validation, where it normalizes the parsed settings (see
    ``fixup_settings``) and then runs ``cleanup_settings``.
    """

    def initialize(self):
        """Register this manager as a handler for all settings files."""
        registrar.register_settings_file("*", self)

    def validate_settings(self, settings_file):
        """Normalize Java-serialization artifacts, then clean up the settings file."""
        fixup_settings(settings_file.settings)
        cleanup_settings(settings_file)

    def sync_settings(self, settings, prefix, delete_list):
        """No-op: this manager writes no files."""
        pass


registrar.register_manager(SettingsManager())


def fixup_settings(json_obj):
    """ Fixes JSON serialization oddities in the JSON object """
    if isinstance(json_obj, dict):
        for key in list(json_obj.keys()):
            value = json_obj.get(key)
            if isinstance(value, dict):
                if value.get('list') != None and value.get('javaClass') != None and "List" in value.get('javaClass'):
                    # Java serializes list objects as:
                    # "foo": { "javaClass": "java.util.LinkedList", "list": [] },
                    # … definition continues outside this chunk …
file.write("## Auto Generated\n") file.write("## DO NOT EDIT. Changes will be overwritten.\n") file.write("\n") file.write(r""" DNSMASQ_PID="`pidof dnsmasq`" # Restart dnsmasq if it isnt found # Or if dnsmasq.conf or hosts.dnsmasq has been written since dnsmasq was started if [ -z "$DNSMASQ_PID" ] ; then systemctl --no-block restart dnsmasq # use not older than (instead of newer than) because it compares seconds and we want an equal value to still do a restart elif [ ! /etc/dnsmasq.conf -ot /proc/$DNSMASQ_PID ] ; then systemctl --no-block restart dnsmasq # use not older than (instead of newer than) because it compares seconds and we want an equal value to still do a restart elif [ ! /etc/hosts.dnsmasq -ot /proc/$DNSMASQ_PID ] ; then systemctl --no-block restart dnsmasq fi """) file.write("\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("DnsMasqManager: Wrote %s" % filename) return registrar.register_manager(DnsMasqManager())
deviceSettings.get('deviceName'), "100-full-duplex") + "\n") elif duplexString == "M100_HALF_DUPLEX": file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "100-half-duplex") + "\n") elif duplexString == "M10_FULL_DUPLEX": file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "10-full-duplex") + "\n") elif duplexString == "M10_HALF_DUPLEX": file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "10-half-duplex") + "\n") else: print("ERROR: Unknown duplex: %s" % duplexString) file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("EthernetManager: Wrote %s" % filename) return registrar.register_manager(EthernetManager())
# … continuation of the preceding write method; its `def` line is outside this chunk
# (indentation of this fragment reconstructed) …
for rule in new_rules:
    self.out_file.write(' ' + rule + "\n")
self.out_file.write('fi' + "\n")
self.out_file.flush()
self.out_file.close()
os.chmod(self.out_file_name, os.stat(self.out_file_name).st_mode | stat.S_IEXEC)
print("WireguardManager: Wrote %s" % self.out_file_name)


def create_new_rule(self, rule, format_map):
    """Render one iptables rule (add or insert) from the manager's templates.

    Method of the enclosing manager class (its header is outside this chunk).

    Args:
        rule: rule description; ``rule['new'] == 'insert'`` selects the insert
            template, and an optional ``rule['index']`` gives the position.
        format_map: mapping fed to ``str.format_map``; mutated to carry
            ``'index'`` (the rule's index, or ``''`` when it has none).

    Returns:
        The formatted rule string.

    Side effects:
        ``rule['index']`` is removed from ``rule`` once consumed.
    """
    wants_insert = rule.get('new') == 'insert'
    template = self.insert_rule_template if wants_insert else self.add_rule_template
    # An absent index renders as an empty string; presumably the insert
    # template carries an {index} placeholder — TODO confirm against the templates.
    format_map['index'] = rule.get('index', '')
    rendered = template.format_map(format_map)
    # The index is consumed here; presumably dropped so a re-rendered rule does
    # not reuse a stale position — TODO confirm with callers.
    rule.pop('index', None)
    return rendered


registrar.register_manager(WireguardManager())
else: for daemon in ['zebra', 'bgpd', 'ospfd']: if daemon_enableds[daemon] is False: file.write(r""" systemctl --no-block stop {0} """.format(daemon)) else: file.write(r""" {0}_PID="`pidof {1}`" # Restart quagga if it isnt found # Or if zebra.conf or has been written since quagga was started if [ -z "${0}_PID" ] ; then systemctl --no-block restart {1} # use not older than (instead of newer than) because it compares seconds and we want an equal value to still do a restart elif [ ! {2} -ot /proc/${0}_PID ] ; then systemctl --no-block restart {1} fi """.format(daemon.upper(), daemon, self.daemons_conf_filename)) file.write("\n") file.flush() file.close() os.system("chmod a+x %s" % filename) print("DynamicRoutingManager: Wrote %s" % filename) return registrar.register_manager(DynamicRoutingManager())
match = re.search(self.bdadmserver_conf_update_url_antivirus, line) if match: config_option = match.group(1) path = "/" + match.group(3) for uri in settings_file.settings['uriTranslations']: if uri['uri'] == self.update_uri: new_uri = copy.deepcopy(uri) uri['path'] = path new_uri = UriUtil.build_uri(self.update_uri, uri) line = "{config_option}{new_uri}\n".format( config_option=config_option, new_uri=new_uri) if write_line == True: self.out_file.write(line) # Write the next line unless overidden by an updater. write_line = True self.out_file.flush() self.out_file.close() if self.in_file_name.endswith(".last"): os.remove(self.in_file_name) os.chmod(self.out_file_name, os.stat(self.out_file_name).st_mode | stat.S_IEXEC) print("BdamserverManager: Wrote %s" % self.out_file_name) return registrar.register_manager(BdamserverManager())
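# … continuation of the preceding write method; its `def` line is outside this chunk
# (indentation of this fragment reconstructed) …
if hostname != None:
    file.write("send host-name \"%s\";" % hostname + "\n")
file.flush()
file.close()
print("DhcpManager: Wrote %s" % filename)


def write_dhcp_ddclient_file(self, settings, prefix=""):
    """Write an empty, well-formed replacement for ddclient's dhclient exit hook.

    Method of DhcpManager (its header is outside this chunk). The hook shipped
    by the ddclient package has a syntax error, and because dhclient sources
    its hooks, a broken hook breaks DHCP itself; a comment-only script is
    written in its place.

    Args:
        settings: unused; kept for the managers' common write_* signature.
        prefix: path prefix (staging root) prepended to
            ``self.ddclient_hook_filename``.
    """
    filename = prefix + self.ddclient_hook_filename
    file_dir = os.path.dirname(filename)
    # exist_ok avoids the exists()/makedirs() race of the original check.
    if file_dir:
        os.makedirs(file_dir, exist_ok=True)
    # The file handle is closed on any exit path, including a failed write.
    with open(filename, "w+") as hook:
        # The shebang now ends with a newline; previously "#!/bin/sh" ran
        # straight into the "## Auto Generated" banner on the same line, unlike
        # every other generated script on this page.
        hook.write("#!/bin/sh\n")
        hook.write("\n")
        hook.write("## Auto Generated\n")
        hook.write("## DO NOT EDIT. Changes will be overwritten.\n")
        hook.write("\n\n")
        hook.write("# The dhcp exit hook packaged with ddclient has syntax error" + "\n")
        hook.write("# Since the DHCP hooks are sources, syntax erros break DHCP" + "\n")
        hook.write("# This blank script is written to replace it" + "\n")
    print("DhcpManager: Wrote %s" % filename)


registrar.register_manager(DhcpManager())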
os.makedirs(file_dir) file = open(filename, "w+") file.write("#!/bin/sh") file.write("\n\n") file.write("## Auto Generated\n") file.write("## DO NOT EDIT. Changes will be overwritten.\n") file.write("\n\n") file.write('TMPFILE="/tmp/shadow"\n') file.write('/bin/sed -e \'s|^\\(root:\\)[^:]*:[^:]*\\(:.*\\)$|\\1') file.write(phash.replace("$", r"\$")) file.write(':\\2|\' /etc/shadow > $TMPFILE\n') file.write('\n') file.write('if ! diff /etc/shadow $TMPFILE >/dev/null 2>&1 ; then cp $TMPFILE /etc/shadow ; fi\n') file.write('\n') file.write('rm -f $TMPFILE') file.write('\n') file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("AccountsManager: Wrote %s" % filename) return registrar.register_manager(AccountsManager())
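# … continuation of get_uid; its `def` line is outside this chunk …
file.close()
return uid


def write_bctid_file(self, settings, prefix):
    """Write the bctid config: the stock bcti.cfg with this device's UID filled in.

    Method of ThreatPreventionManager (its header is outside this chunk).

    Args:
        settings: unused; kept for the managers' common write_* signature.
        prefix: path prefix (staging root) prepended to ``self.bctid_filename``.
    """
    filename = prefix + self.bctid_filename
    file_dir = os.path.dirname(filename)
    # exist_ok avoids the exists()/makedirs() race of the original check.
    if file_dir:
        os.makedirs(file_dir, exist_ok=True)
    # Start from the package's stock config; the handle is closed even if the
    # read raises (the original leaked it on that path).
    with open("/usr/share/untangle-bctid/bcti.cfg", "r") as stock:
        contents = stock.read()
    # Replace the stock placeholder with this device's UID.
    contents = contents.replace('UID=XXX', 'UID=' + self.get_uid())
    with open(filename, "w+") as out:
        out.write(contents)
    # NOTE(review): kept for compatibility, but this is a config file, not a
    # script; the exec bit looks unnecessary — confirm whether anything needs it.
    os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
    print("ThreatPreventionManager: Wrote %s" % filename)


registrar.register_manager(ThreatPreventionManager())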
# And should not be loaded - unload it! file.write("\techo Unloading nf_conntrack_sip kernel module..." + "\n") file.write("\tmodprobe -r nf_conntrack_sip" + "\n") file.write("else" + "\n") # Its not loaded if settings.get('enableSipNatHelper'): # And should be loaded - load it! file.write("\techo Loading nf_conntrack_sip kernel module..." + "\n") file.write("\tmodprobe nf_conntrack_sip" + "\n") else: # And should not be loaded - do nothing! file.write("\ttrue" + "\n") file.write("fi" + "\n") file.write("fi" + "\n") file.write("\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("KernelManager: Wrote %s" % filename) registrar.register_manager(KernelManager())
# The three methods below belong to ReportsManager, whose class header is
# outside this chunk.
def validate_settings(self, settings):
    """Accept any settings unchanged; no validation is performed."""
    pass


def create_settings(self, settings, prefix, delete_list, filename):
    """Populate a fresh settings dict with default reports and dashboard sections.

    Args:
        settings: dict to initialize in place.
        prefix, delete_list, filename: unused; kept for the common signature.
    """
    print("%s: Initializing settings" % self.__class__.__name__)
    defaults = {
        'reports': default_reports_settings(),
        'dashboard': default_dashboard_settings(),
    }
    settings.update(defaults)


def sync_settings(self, settings, prefix, delete_list):
    """No-op: this manager writes no files."""
    pass


registrar.register_manager(ReportsManager())


def default_reports_settings():
    """Return the default reports section: no entries."""
    return {"entries": []}


def default_dashboard_settings():
    """default dashboard settings"""
    # {
    #     "name": "Map Distribution",
    #     "isReport": False,
    #     "interval": 30
    # }
    # … definition continues outside this chunk …
# … continuation of the preceding write method; its `def` line is outside this chunk …
file.write("[ -z \"$INTERFACE\" ] && {\n")
file.write("\tupdate_default_route\n")
file.write("}\n\n")
file.flush()
file.close()
os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
print("%s: Wrote %s" % (self.__class__.__name__, filename))


def get_number_of_wans(settings):
    """Return how many interfaces under settings['network']['interfaces'] are enabled WANs."""
    interfaces = settings.get('network').get('interfaces')
    return sum(1 for intf in interfaces if enabled_wan(intf))


def enabled_wan(intf):
    """Return True when *intf* is a WAN whose configType is not DISABLED.

    A ``None`` interface is never an enabled WAN.
    """
    if intf is None:
        return False
    not_disabled = intf.get('configType') != 'DISABLED'
    return bool(not_disabled and intf.get('wan'))


registrar.register_manager(RouteManager())
self.write_access_rules(settings) self.write_filter_rules(settings) self.file.write("\n") self.file.write("${IPTABLES} -t filter -D FORWARD -m conntrack --ctstate NEW -j DROP -m comment --comment \"drop sessions during restart\" >/dev/null 2>&1\n") self.file.write("${IPTABLES} -t filter -D INPUT -m conntrack --ctstate NEW -j DROP -m comment --comment \"drop sessions during restart\" >/dev/null 2>&1\n") self.file.write("\n") # self.file.write("# Flush IPv6 Rules" + "\n"); #self.file.write("${IP6TABLES} -t filter -F FORWARD -m comment --comment \"Flush IPv6 rules\" >/dev/null 2>&1" + "\n"); # if settings.get('blockIpv6Forwarding'): # self.file.write("# Block IPv6 Fowarding" + "\n"); # self.file.write("${IP6TABLES} -t filter -A FORWARD -j DROP -m comment --comment \"Do not allow IPv6 forwarding\" >/dev/null 2>&1" + "\n"); # self.file.write("\n"); # self.file.write("# Block IPv6 Input" + "\n"); #self.file.write("${IP6TABLES} -t filter -F INPUT -m comment --comment \"Flush IPv6 filter rules\" >/dev/null 2>&1" + "\n"); #self.file.write("${IP6TABLES} -t filter -A INPUT -p icmpv6 -j RETURN -m comment --comment \"Allow IPv6 icmp RA, solicitions, ping etc\" >/dev/null 2>&1" + "\n"); #self.file.write("${IP6TABLES} -t filter -A INPUT -j DROP -m comment --comment \"Do not allow IPv6 input\" >/dev/null 2>&1" + "\n"); # self.file.write("\n"); self.file.flush() self.file.close() print("FilterRulesManager: Wrote %s" % self.filename) return registrar.register_manager(FilterRulesManager())
file.write("## Auto Generated\n") file.write("## DO NOT EDIT. Changes will be overwritten.\n") file.write("\n") file.write(r""" RADVD_PID="`pidof radvd`" # Start radvd if it isnt found and is needed (config file is non-zero) # Restart radvd if it is found and but is outdated and is needed (config file is non-zero) # Stop if radvd is found, but no longer needed (config file is zero size) # The reason we don't just stop and then start if needed if to avoid doing anything if nothing is required. if [ -z "$RADVD_PID" ] && [ -s /etc/radvd.conf ] ; then systemctl --no-block start radvd elif [ /etc/radvd.conf -nt /proc/$RADVD_PID ] && [ -s /etc/radvd.conf ] ; then systemctl --no-block restart radvd elif [ ! -z "$RADVD_PID" ] && [ ! -s /etc/radvd.conf ] ; then systemctl --no-block stop radvd fi """) file.write("\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("RadvdManager: Wrote %s" % filename) return registrar.register_manager(RadvdManager())
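# … continuation of the preceding wpa_supplicant write method; its `def` line is
# outside this chunk …
self.wpasupplicantConfFile.write("}\n")
self.wpasupplicantConfFile.flush()
self.wpasupplicantConfFile.close()
print("WirelessManager: Wrote " + filename)


def write_crda_file(self, settings, prefix=""):
    """Write the CRDA defaults file that pins the wireless regulatory domain.

    Method of WirelessManager (its header is outside this chunk).

    Args:
        settings: unused for now; the regulatory domain is hard-coded (see FIXME).
        prefix: path prefix (staging root) prepended to
            ``self.crda_default_filename``.
    """
    crda_filename = prefix + self.crda_default_filename
    file_dir = os.path.dirname(crda_filename)
    # The original looped over a one-element list here; a plain statement says
    # the same thing. exist_ok avoids the exists()/makedirs() race.
    if file_dir:
        os.makedirs(file_dir, exist_ok=True)
    # FIXME need to get regulatory domain from the UI
    with open(crda_filename, "w+") as crda_file:
        # The handle stays exposed on self, as before, for any caller relying on it;
        # the with-block still guarantees it is closed even if a write fails.
        self.crdaDefaultFile = crda_file
        crda_file.write("## Auto Generated\n")
        crda_file.write("## DO NOT EDIT. Changes will be overwritten.\n")
        crda_file.write("REGDOMAIN=US\n")
    print("WirelessManager: Wrote " + crda_filename)


registrar.register_manager(WirelessManager())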
if settings_file.id == "uris": match = re.search(self.geoip_update_untangle_source, line) if match: config_option = match.group(1) current_uri = match.group(2) for uri in settings_file.settings['uriTranslations']: if uri['uri'] == self.update_uri: new_uri = copy.deepcopy(uri) # Use current URI to preserve existing auth new_uri = UriUtil.build_uri(current_uri, uri) line = "{config_option}{new_uri}\n".format( config_option=config_option, new_uri=new_uri) if write_line == True: self.out_file.write(line) # Write the next line unless overidden by an updater. write_line = True self.out_file.flush() self.out_file.close() if self.in_file_name.endswith(".last"): os.remove(self.in_file_name) os.chmod(self.out_file_name, os.stat(self.out_file_name).st_mode | stat.S_IEXEC) print("GeoipManager: Wrote %s" % self.out_file_name) return registrar.register_manager(GeoIpManager())
else: for daemon in ['zebra', 'bgpd', 'ospfd']: if daemon_enableds[daemon] is False: file.write(r""" systemctl --no-block stop {0} """.format(daemon)) else: file.write(r""" {0}_PID="`pidof {1}`" # Restart quagga if it isnt found # Or if zebra.conf or has been written since quagga was started if [ -z "${0}_PID" ] ; then systemctl --no-block restart {1} # use not older than (instead of newer than) because it compares seconds and we want an equal value to still do a restart elif [ ! {2} -ot /proc/${0}_PID ] ; then systemctl --no-block restart {1} fi """.format(daemon.upper(), daemon, self.daemons_conf_filename)) file.write("\n") file.flush() file.close() os.system("chmod a+x %s" % filename) print("DynamicRoutingManager: Wrote %s" % filename) return registrar.register_manager(DynamicRoutingManager())
nft add chain ip nat-sys filter-rules-nat "{ type filter hook forward priority -5 ; }" """) interfaces = settings.get('network').get('interfaces') for intf in interfaces: if intf.get('configType') == 'DISABLED': continue if intf.get('natEgress'): # FIXME - this should be a rule based on mark instead of netfilterDev # The mark rules don't exist yet, so just write the NAT rules using netfilterDev for now file.write("# NAT Egress traffic to interface %i\n" % intf.get('interfaceId')) file.write("nft add rule ip nat-sys nat-rules-sys oifname %s masquerade\n" % intf.get('netfilterDev')) if intf.get('natIngress'): # FIXME - this should be a rule based on mark instead of netfilterDev # The mark rules don't exist yet, so just write the NAT rules using netfilterDev for now file.write("# NAT Ingress traffic from interface %i\n" % intf.get('interfaceId')) file.write("nft add rule ip nat-sys nat-rules-sys iifname %s masquerade\n" % intf.get('netfilterDev')) file.write("\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("NatManager: Wrote %s" % filename) return registrar.register_manager(NatManager())
file_dir = os.path.dirname(filename) if not os.path.exists(file_dir): os.makedirs(file_dir) file = open(filename, "w+") file.write("#!/bin/sh") file.write("\n\n") file.write("## Auto Generated\n") file.write("## DO NOT EDIT. Changes will be overwritten.\n") file.write("\n\n") file.write('TMPFILE="/tmp/system"\n') file.write(r'''/bin/sed -e "s/option timezone .*/option timezone '%s'/" /etc/config/system > $TMPFILE''' % time_zone) file.write('\n\n') file.write('if ! diff /etc/config/system $TMPFILE >/dev/null 2>&1 ; then cp $TMPFILE /etc/config/system ; fi\n') file.write('\n') file.write('rm -f $TMPFILE') file.write('\n') file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("SystemManager: Wrote %s" % filename) return registrar.register_manager(SystemManager())
# … continuation of the preceding write method; its `def` line is outside this chunk …
file.close()
print("%s: Wrote %s" % (self.__class__.__name__, filename))


def write_relay_options(file, isWan):
    """Emit the config options that put an interface into dhcpv6/ra/ndp relay mode.

    Args:
        file: open text file the ``\\toption …`` lines are written to.
        isWan: when true, an additional ``option master '1'`` line is written.
    """
    relayed = ("dhcpv6", "ra", "ndp")
    file.writelines("\toption %s 'relay'\n" % name for name in relayed)
    if isWan:
        file.write("\toption master '1'\n")


def _ipv4_to_int(addr):
    """Return the integer value of a dotted-quad IPv4 address string."""
    return int(ipaddress.IPv4Address(addr))


def calc_dhcp_range_start(ip, prefix, start):
    """Return the DHCP range start as an offset from the network address of ip/prefix.

    The netmask for *prefix* comes from network_util.ipv4_prefix_to_netmask
    (a project helper); the network address is ``ip & netmask``.
    """
    netmask = network_util.ipv4_prefix_to_netmask(prefix)
    network_int = _ipv4_to_int(ip) & _ipv4_to_int(netmask)
    return _ipv4_to_int(start) - network_int


def calc_dhcp_range_limit(start, end):
    """Return the number of addresses in the inclusive range start..end."""
    return _ipv4_to_int(end) - _ipv4_to_int(start) + 1


registrar.register_manager(DhcpManager())
if intf.get('v4ConfigType') == 'STATIC': if 'v4StaticGateway' in intf and 'v4StaticAddress' in intf: file.write("# Static IP of interface %i\n" % intf.get('interfaceId')) file.write( "arping -U -c 1 -I %s -s %s %s >/dev/null &\n" % (intf.get('systemDev'), intf.get('v4StaticAddress'), intf.get('v4StaticGateway'))) if intf.get('v4Aliases') != None: for alias in intf.get('v4Aliases'): file.write("# Alias IPs of interface %i\n" % intf.get('interfaceId')) file.write( "arping -U -c 1 -I %s -s %s %s >/dev/null &\n" % (intf.get('systemDev'), alias.get('staticAddress'), intf.get('v4StaticGateway'))) file.write("\n\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("ArpManager: Wrote %s" % filename) return registrar.register_manager(ArpManager())
The miniupnp packaging calls these scripts in the postinst We must overwrite them so they don't fail with an error """ filename = prefix + self.iptables_init_filename file_dir = os.path.dirname(filename) if not os.path.exists(file_dir): os.makedirs(file_dir) file = open(filename, "w+") file.write("#!/bin/sh\n") file.write("exit 0\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("UpnpManager: Wrote %s" % filename) filename = prefix + self.ip6tables_init_filename file_dir = os.path.dirname(filename) if not os.path.exists(file_dir): os.makedirs(file_dir) file = open(filename, "w+") file.write("#!/bin/sh\n") file.write("exit 0\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("UpnpManager: Wrote %s" % filename) return registrar.register_manager(UpnpManager())
# file.write("\n"); # file.write("\t${IPTABLES} -t raw -A helpers -p tcp --dport 6667 -j CT --helper irc" + "\n"); # file.write("\n"); # # XXX - in testing it seems this PPTP helper does not work # # The GRE session does not get redirected # # the nf_nat_pptp and associated GRE plugin do work correctly, but is deprecated in newer kernels # file.write("\t${IPTABLES} -t raw -A helpers -p tcp --dport 1723 -j CT --helper pptp" + "\n"); # file.write("\n"); # file.write("\t${IPTABLES} -t raw -A helpers -p udp --dport 69 -j CT --helper tftp" + "\n"); # file.write("\n"); # file.write("\t${IPTABLES} -t raw -A helpers -p udp --dport 137 -j CT --helper netbios-ns" + "\n"); # file.write("\n"); # file.write("\t${IPTABLES} -t raw -A helpers -p udp --dport 161 -j CT --helper snmp" + "\n"); # file.write("\n"); # file.write("fi" + "\n"); # file.write("\n"); file.flush() file.close() print("IptablesManager: Wrote %s" % filename) registrar.register_manager(IptablesManager())
# Stop softflowd if running if [ ! -z "$SOFTFLOWD_PID" ] ; then systemctl --no-block stop softflowd fi """) else: file.write(r""" SOFTFLOWD_PID="`pidof softflowd`" # Restart softflowd if it isnt found # Or if /etc/default/softflowd has been written since softflowd was started if [ ! -z "$SOFTFLOWD_PID" ] ; then systemctl --no-block restart softflowd # use not older than (instead of newer than) because it compares seconds and we want an equal value to still do a restart elif [ ! /etc/default/softflowd -ot /proc/$SOFTFLOWD_PID ] ; then systemctl --no-block restart softflowd fi """) file.write("\n") file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("NetflowManager: Wrote %s" % filename) return registrar.register_manager(NetflowManager())
# Add all /etc/config/nftables-rules.d/2.* files to the delete_list # Remove all the files that we write later # This ensures that all the existing /etc/config/nftables-rules.d/2* that we don't # write get removed for (dirpath, _, filenames) in os.walk("/etc/config/nftables-rules.d/"): for filename in filenames: if filename.startswith("2"): full_name = dirpath + filename delete_list.append(full_name) # Write all the /etc/config/nftables-rules.d/2.* files self.write_files(settings, prefix, delete_list) registrar.register_manager(TableManager()) def write_file(filename, table_settings, prefix): """write_file writes the specified file""" file_dir = os.path.dirname(filename) if not os.path.exists(file_dir): os.makedirs(file_dir) file = open(filename, "w+") file.write("#!/bin/sh") file.write("\n\n") file.write("## Auto Generated\n") file.write("## DO NOT EDIT. Changes will be overwritten.\n") file.write("\n\n")
# … continuation of the preceding write method (this fragment begins mid-expression);
# its `def` line is outside this chunk …
% (self.DST_INTERFACE_MASK))
# We could just have static rules in restore-interface-marks-reply that just apply the original marks but shifted around a bit
# However This would require something like:
# mark set mark or ct mark and 0xff << 8
# However nft won't let you do this:
# Error: Right hand side of binary operation (|) must be constant
# So we have to use a ton of rules to do the same thing above
file.write("\n")
file.flush()
file.close()
os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC)
print("InterfaceManager: Wrote %s" % filename)
return


def sanitize_settings(self, settings_file):
    """Upgrade older settings in place.

    Method of InterfaceManager (its header is outside this chunk).

    Version 2 -> 3: every interface of type "NIC" gains ethSpeed/ethDuplex/
    ethAutoneg fields, defaulting to 1000/full with auto-negotiation on.
    Note that settings['version'] itself is not bumped here; presumably that
    happens elsewhere — TODO confirm.
    """
    if settings_file.settings['version'] >= 3:
        return
    interfaces = settings_file.settings.get('network').get('interfaces')
    nic_defaults = {
        'ethSpeed': 1000,
        'ethDuplex': "full",
        'ethAutoneg': True,
    }
    for intf in interfaces:
        if intf["type"] == "NIC":
            intf.update(nic_defaults)


registrar.register_manager(InterfaceManager())
if sub_intf.get( 'configType') == 'BRIDGED' and sub_intf.get( 'bridgedTo') == intf.get('interfaceId'): self.file.write( "# don't allow port forwarding of http port of primary IP of WAN from bridged interface %i.\n" % sub_intf.get('interfaceId')) self.file.write( "ADDR=\"`ip addr show %s | awk '/^ *inet.*scope global/ { interface = $2 ; sub( \"/.*\", \"\", interface ) ; print interface ; exit }'`\"\n" % intf.get('symbolicDev')) self.file.write("if [ ! -z \"${ADDR}\" ] ; then" + "\n") self.file.write( "\t${IPTABLES} -t nat -I port-forward-rules -p tcp -m mark --mark 0x%04X/0x%04X --destination ${ADDR} --destination-port %i -j DNAT --to-destination ${ADDR}:80 -m comment --comment \"Reserve port 80 on ${ADDR} for blockpages\"" % (sub_intf.get('interfaceId'), self.src_interface_mark_mask, http_port) + "\n") self.file.write( "\t${IPTABLES} -t nat -A port-forward-rules -p tcp -m mark --mark 0x%04X/0x%04X --destination ${ADDR} --destination-port 80 -j REDIRECT --to-ports 0 -m comment --comment \"Drop local HTTP traffic that hasn't been handled earlier in chain\"" % (sub_intf.get('interfaceId'), self.src_interface_mark_mask) + "\n") self.file.write("fi" + "\n") self.file.write("\n") self.file.write("\n\n") self.file.flush() self.file.close() print("PortForwardManager: Wrote %s" % self.filename) registrar.register_manager(PortForwardManager())
file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "auto") + "\n") elif duplexString == "M10000_FULL_DUPLEX": file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "10000-full-duplex") + "\n") elif duplexString == "M10000_HALF_DUPLEX": file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "10000-half-duplex") + "\n") elif duplexString == "M1000_FULL_DUPLEX": file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "1000-full-duplex") + "\n") elif duplexString == "M1000_HALF_DUPLEX": file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "1000-half-duplex") + "\n") elif duplexString == "M100_FULL_DUPLEX": file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "100-full-duplex") + "\n") elif duplexString == "M100_HALF_DUPLEX": file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "100-half-duplex") + "\n") elif duplexString == "M10_FULL_DUPLEX": file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "10-full-duplex") + "\n") elif duplexString == "M10_HALF_DUPLEX": file.write("%s %s %s" % (self.set_link_media_script, deviceSettings.get('deviceName'), "10-half-duplex") + "\n") else: print("ERROR: Unknown duplex: %s" % duplexString) file.flush() file.close() os.chmod(filename, os.stat(filename).st_mode | stat.S_IEXEC) print("EthernetManager: Wrote %s" % filename) return registrar.register_manager(EthernetManager())