def __init__(self, resources, values, loader_context=None):
Group.__init__(self, resources, values, loader_context)
ResourcesContainer.__init__(self, resources)
self.interface = getFirst(self.objects).interface
self.parent = self.interface
self.allow_child = False
self.type = GROUP_RESTYPE
def getFirstProtocol(objects):
return getFirst(flattenProtocolList(objects))
def getFirstNetwork(objects):
return getFirst(flattenNetworkList(objects))
def getFirstObject(objects):
return getFirst(flattenObjectList(objects))
def checkConsistency(self, loader_context=None):
if len(self.destinations) == 0 and len(self.sources) == 0:
raise RulesetError(tr("A NAT rule requires at least one source or one destination."))
for source in flattenObjectList(self.sources):
if isinstance(source, Platform):
raise RulesetError(tr('Platforms can not be used'
' in NAT rules'))
for source in flattenObjectList(self.sources):
if isinstance(source, Platform):
raise RulesetError(tr('Platforms can not be used'
' in NAT rules'))
if self.type == NAT_TRANSLATE:
if len(self.nated_destinations) == 0 and len(self.nated_sources) == 0:
raise RulesetError(tr("A NAT rule requires at least one translated source or destination."))
if len(self.nated_sources) != 0 and len(self.sources) == 0:
raise RulesetError(tr("You need to specify a source to be able to translate it."))
if len(self.nated_destinations) != 0 and len(self.destinations) == 0:
raise RulesetError(tr("You need to specify a destination to be able to translate it."))
if len(self.nated_filters) != 0 and len(self.nated_destinations) == 0:
raise RulesetError(tr("You need to translate the destination address to be able to translate the protocol."))
if len(self.nated_sources) > 1 or len(self.nated_destinations) > 1 or len(self.nated_filters) > 1 :
raise RulesetError(tr("You can not create a NAT rule comprising more than one translated source, destination or protocol."))
if len(self.nated_sources) != 0 and (len(self.nated_destinations) != 0 or len(self.nated_filters) != 0):
raise RulesetError(tr("You can not set a translated source at the same time as a translated destination or protocol."))
if len(self.nated_sources):
nated_src = getFirst(self.nated_sources)
if not isinstance(nated_src, (HostResource, HostnameResource,
NetworkResource, IPsecNetworkResource, FirewallResource)):
raise RulesetError(tr("The translated source must be a host, a network or the firewall interface."))
if self.chain == 'POSTROUTING':
for src in self.sources:
if not isinstance(src, InterfaceResource):
continue
raise RulesetError(tr("A source NAT rule can not use an interface in sources."))
if len(self.nated_destinations):
nated_dst = getFirst(self.nated_destinations)
if not isinstance(nated_dst, (HostResource, HostnameResource,
NetworkResource, IPsecNetworkResource)):
raise RulesetError(tr("The translated destination must be a host or a network."))
if self.chain == 'PREROUTING':
for dst in self.destinations:
if not isinstance(dst, InterfaceResource):
continue
raise RulesetError(tr("A destination NAT rule can not use an interface in destinations."))
if len(self.nated_filters) and not len(self.filters):
raise RulesetError(tr("You have to specify at least one protocol to filter to translate it to another protocol."))
if len(self.nated_filters):
proto = getFirst(self.nated_filters)
if proto.layer4 != u'tcp' and proto.layer4 != u'udp':
raise RulesetError(tr("Translated port can only be TCP or UDP."))
for obj in flattenObjectList(self.filters):
if obj.layer4 != proto.layer4:
raise RulesetError(
tr("The translated port needs to use the same transport protocol (TCP/UDP) as the filtered port. "
"The %s protocol does not use the same transport protocol as the translated port.")
% proto.formatID())
if (not proto.dport) or (proto.dport.first != proto.dport.last):
raise RulesetError(tr("The translated port must be an unique port number."))
for protocol in chain(self.filters, self.nated_filters):
if IPV4_ADDRESS not in protocol.getAddressTypes():
raise RulesetError(
tr("The %s protocol can not be used in IPv4!"),
protocol.formatID())
def __init__(self, library, values, loader_context=None):
self.library = library
Object.__init__(self, values, loader_context)
self.update_domain = getFirst(self.objects).update_domain
def iptableRules(iptables, nat, empty_line, apply_rules):
ruleset = nat.ruleset
if iptables.options.format == "iptables":
prefix = Arguments("iptables", "-t", "nat")
else:
prefix = Arguments()
# Create header (title and comment)
title = unicode(nat)
if not nat.enabled:
title += u' (disabled)'
for line in comment(title, extra=nat.comment, empty_line=empty_line):
yield line
# Create source and destination parameters
chain = nat.createChainKey()
# Create protocols
protocols = list(flattenObjectList(nat.filters))
if not protocols:
protocols = (None,)
# Get nated sources
if len(nat.nated_sources):
nated_src = getFirst(nat.nated_sources)
else:
nated_src = None
# Get nated destinations
if len(nat.nated_destinations):
nated_dst = getFirst(nat.nated_destinations)
else:
nated_dst = None
if nat.type != NAT_TRANSLATE:
suffix = Arguments('-j', 'ACCEPT')
elif chain == u'POSTROUTING' and isinstance(nated_src, FirewallResource):
suffix = Arguments('-j', 'MASQUERADE')
elif chain == u'POSTROUTING':
source = getFirstAddress(nat, nated_src, apply_rules)
if isinstance(nated_src, (NetworkResource, IPsecNetworkResource)):
suffix = Arguments('-j', 'NETMAP', '--to', source)
else:
suffix = Arguments('-j', 'SNAT', '--to-source', source)
elif chain == u'PREROUTING':
dest = getFirstAddress(nat, nated_dst, apply_rules)
if len(nat.nated_filters):
newproto = getFirst(nat.nated_filters)
dest += u':%s' % newproto.dport
if isinstance(nated_dst, (NetworkResource, IPsecNetworkResource)):
suffix = Arguments('-j', 'NETMAP', '--to', dest)
else:
suffix = Arguments('-j', 'DNAT', '--to-destination', dest)
rule_number = 1
for network_args in formatSrcDst(ruleset.resources, nat, chain):
for proto in protocols:
iptable_rule = prefix
if not nat.enabled:
iptable_rule += Arguments("#")
iptable_rule += Arguments('-A', chain)
iptable_rule += network_args
if proto:
iptable_rule += formatProtocol(proto, chain)
iptable_rule += suffix
if iptables.options.format != "iptables":
iptable_rule += iptables.ruleComment(nat, rule_number)
rule_number += 1
yield iptable_rule
def netAbstract(net):
if net.ip_addrs:
ip = getFirst(net.ip_addrs)
return "%s/%s" % (unicode(ip), net.net.prefixlen())
return "<i>%s</i>" % net.label
