    def service_applyRules(self, context, consistency_error, use_nufw):
        """
        Apply the ACLs to iptables and LDAP. Arguments:
         - consistency_error (bool): if True, block on a consistency error
         - use_nufw (bool): if True, create LDAP rules and use authentication.
           If False, don't create LDAP rules and ignore all NuFW filters (user
           group, time, etc.)

        Return is a dictionary with keys:
         - applied (boolean): True if rules are correctly applied
         - errors (list of messages): error messages
         - warnings (list of messages): warning messages
         - consistency_error (boolean): True if the apply failed because of the
           consistency engine

        A message is a tuple (format, arguments), to display it, use: ::

           format % arguments

        Raises RulesetError when EDENWALL is set and this node is a multisite
        master: rules are never applied from the master.
        """
        # getMultisiteType() is only consulted when EDENWALL is set.
        if EDENWALL:
            if self.core.getMultisiteType() == MULTISITE_MASTER:
                raise RulesetError(
                    tr("Can not apply rules from a multisite master."))
        # Both flags come from the caller: coerce them (use_nufw first, as
        # before) rather than trusting their type.
        nufw_flag = getBoolean(use_nufw)
        consistency_flag = getBoolean(consistency_error)
        ruleset = self.getRuleset(context)
        return applyRulesDefer(context, self, ruleset,
                               nufw_flag, consistency_flag)
 def service_setFusion(self, context, enabled):
     """
     Enable or disable the fusion.

     ``enabled`` is coerced with getBoolean() first; the ruleset is looked up
     with raise_error=False and handed to the client's setFusion() together
     with the flag. Returns whatever client.setFusion() returns.
     """
     fusion_enabled = getBoolean(enabled)
     client = self.getClient(context)
     ruleset = self.getRuleset(context, raise_error=False)
     return client.setFusion(fusion_enabled, ruleset)
    def service_iptablesRules(self, context, rule_type, identifiers, use_nufw):
        """
        iptablesRules(rule_type, identifiers, use_nufw)

        Create the iptables rules of the given ACLs:

         - rule_type: unicode string (the earlier doc described this
           argument as "IPv4" or "IPv6"; confirm against iptablesRules())
         - identifiers: ACL identifiers (list of integers)
         - use_nufw: boolean

        Use an empty list as identifiers to generate rules of all ACLs.
        Result is a list of Unicode strings (without "iptables " prefix).
        """
        # Coerce every caller-supplied argument, in the same order as before
        # (rule_type, identifiers, use_nufw), so the first bad value raises.
        rule_type, identifiers, use_nufw = (
            getUnicode(rule_type),
            getIntegerList(identifiers),
            getBoolean(use_nufw),
        )
        ruleset = self.getRuleset(context)
        return iptablesRules(
            context, self, ruleset, rule_type, identifiers, use_nufw)
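    def service_addNatIptable(self, context, ipv6, iptable):
        """
        Add a NAT rule. Arguments:

          - ipv6: boolean
          - iptable: unicode string

        Example: (False, '-A PREROUTING -p tcp --dport 80 -s $NET -j SOME_CHAIN')
        is similar to 'iptables -t nat -A PREROUTING -p tcp --dport 80 -s $NET -j SOME_CHAIN'

        The rule will be added before the ruleset rules.

        Both arguments are coerced before use (getBoolean for ipv6, getUnicode
        for iptable), matching the other service_* entry points; previously
        ``iptable`` was handed to IptableRule without any coercion.
        """
        address_type = IPV6_ADDRESS if getBoolean(ipv6) else IPV4_ADDRESS
        # The rule text is a caller-supplied iptables fragment: normalize its
        # type here, as service_iptablesRules() does for its string argument.
        # Any check of the fragment's content is presumably IptableRule's
        # job — TODO confirm.
        iptable = getUnicode(iptable)
        rules = self.getRulesFile(context)
        rules.addNatRule(IptableRule(address_type, iptable))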
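    def service_addMangleIptable(self, context, ipv6, iptable):
        """
        Add a mangle rule. Arguments:

          - ipv6: boolean
          - iptable: unicode string

        Example: (False, '-A POSTROUTING -m mark --mark 0x20000/0x20000 -j MARK --and-mark 0xfffdffff')
        is similar to 'iptables -t mangle -A POSTROUTING -m mark --mark 0x20000/0x20000 -j MARK --and-mark 0xfffdffff'

        The rule will be added before the ruleset rules.

        Both arguments are coerced before use (getBoolean for ipv6, getUnicode
        for iptable), matching the other service_* entry points; previously
        ``iptable`` was handed to IptableRule without any coercion.
        """
        address_type = IPV6_ADDRESS if getBoolean(ipv6) else IPV4_ADDRESS
        # The rule text is a caller-supplied iptables fragment: normalize its
        # type here, as service_iptablesRules() does for its string argument.
        # Any check of the fragment's content is presumably IptableRule's
        # job — TODO confirm.
        iptable = getUnicode(iptable)
        rules = self.getRulesFile(context)
        rules.addMangleRule(IptableRule(address_type, iptable))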
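    def service_addFilterIptable(self, context, ipv6, iptable):
        """
        Add a filter rule. Arguments:

          - ipv6: boolean
          - iptable: unicode string

        Example: (False, '-A FORWARD -m mark ! --mark 0x20000/0x20000 -j IPS_NETS')
        is similar to 'iptables -t filter -A FORWARD -m mark ! --mark 0x20000/0x20000 -j IPS_NETS'

        The rule will be added before the ruleset rules.

        Both arguments are coerced before use (getBoolean for ipv6, getUnicode
        for iptable), matching the other service_* entry points; previously
        ``iptable`` was handed to IptableRule without any coercion.
        """
        address_type = IPV6_ADDRESS if getBoolean(ipv6) else IPV4_ADDRESS
        # The rule text is a caller-supplied iptables fragment: normalize its
        # type here, as service_iptablesRules() does for its string argument.
        # Any check of the fragment's content is presumably IptableRule's
        # job — TODO confirm.
        iptable = getUnicode(iptable)
        rules = self.getRulesFile(context)
        rules.addFilterRule(IptableRule(address_type, iptable))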
 def getFusion(self, context, fusion):
     """
     Resolve the fusion flag.

     An explicit ``fusion`` value is coerced with getBoolean() and returned;
     when ``fusion`` is None, the ``fusion`` attribute of the client for this
     context is returned instead.
     """
     if fusion is not None:
         return getBoolean(fusion)
     return self.getClient(context).fusion
 def _setUseNND(self, use_nnd):
     """
     Record the "use NND" flag on the instance and persist it.

     ``use_nnd`` is coerced with getBoolean(), stored as ``self.use_nnd``,
     logged through self.debug(), then written to a new VariablesStore under
     the key 'use_nnd' and saved to STORAGE_FILENAME.
     """
     self.use_nnd = getBoolean(use_nnd)
     self.debug("Use NND: %s" % self.use_nnd)
     # Persist the flag so it survives a restart.
     store = VariablesStore()
     store['use_nnd'] = self.use_nnd
     store.save(STORAGE_FILENAME)