def iptablesRules(context, component, ruleset, rule_type, identifiers, use_nufw):
logger = ContextLoggerChild(context, component)
result = ApplyRulesResult(logger)
# Not NAT rules in IPv6!
if rule_type == 'nats':
rules = ruleset.nats
use_ipv6 = False
default_decisions = None
elif rule_type == 'acls-ipv6':
rules = ruleset.acls_ipv6
use_ipv6 = True
default_decisions = rules.default_decisions
else:
rules = ruleset.acls_ipv4
use_ipv6 = False
default_decisions = rules.default_decisions
if identifiers:
rules = [ rules[id] for id in identifiers ]
else:
rules = rules
options = IptablesOptions()
options.format = "iptables"
options.ipv6 = use_ipv6
options.nufw = use_nufw
with TemplateInstanciation(ruleset):
rules = filterRules(result, rules)
# Create iptables rules
iptables = IptablesGenerator(logger, default_decisions, options, component.config, result)
if rule_type != 'nats':
lines = aclsRules(iptables, rules)
else:
lines = natsRules(iptables, rules, result)
xmlrpc = result.exportXMLRPC()
xmlrpc['iptables'] = [unicode(line) for line in lines]
return xmlrpc
def _applyRulesThread(self):
if self.only_consistency:
self.consistencyEngine()
return self.result.exportXMLRPC()
elif not self.result.ignore_consistency_error:
self.consistencyEngine()
if self.result.consistency_errors:
return self.result.exportXMLRPC()
options = IptablesOptions()
options.nufw = self.use_nufw
if self.ruleset_name:
self.logger.critical("Apply rules: rule set %r" % self.ruleset_name)
else:
self.logger.critical("Apply rules: no rule set (only localfw rules)")
write_ldap = WriteLdapRules(self.logger, self.config['ldap'])
ufwi_ruleset_rules = {
'use_ipv6': self.use_ipv6,
'use_nufw': self.use_nufw,
'is_gateway': self.config.isGateway(),
}
if self.use_nufw:
ufwi_ruleset_rules['ldap_config'] = self.config['ldap']
if self.use_ipv6:
acls = itertools.chain(self.acls_ipv4, self.acls_ipv6)
else:
acls = self.acls_ipv4
ufwi_ruleset_rules['ldap_rules'] = write_ldap.createRules(acls)
# TODO: disable IP forward at the beginning
# TODO: FORWARD and INPUT: set policy to DROP
# LDAP
transactions = []
if self.use_nufw:
filename = self.config['nufw']['periods_filename']
periods = TimeRangeFileTransaction(filename, self.acls_ipv4, self.acls_ipv6)
transactions.append(periods)
# iptables
options.ipv6 = False
write_iptables_ipv4 = WriteIptablesRules(
self.logger, self.config, self.ipv4_default_decisions,
self.acls_ipv4, self.nats, self.custom_rules,
options, self.result)
transactions.append(write_iptables_ipv4)
ipv6_options = deepcopy(options)
ipv6_options.ipv6 = True
ipv6_options.deny_all = (not self.use_ipv6)
write_iptables_ipv6 = WriteIptablesRules(
self.logger, self.config, self.ipv6_default_decisions,
self.acls_ipv6, None, self.custom_rules,
ipv6_options, self.result)
transactions.append(write_iptables_ipv6)
# TODO: reload nuauth caches
# TODO: reload nuauth periods
# TODO: FORWARD and INPUT: set policy to ACCEPT
write = WriteRules(self.logger, ufwi_ruleset_rules)
transactions.append(write)
script = RulesetScript(self.context, self.logger)
transactions.append(script)
save_ruleset = SaveRuleset(self.ruleset_name, self.use_nufw)
transactions.append(save_ruleset)
if self.ruleset \
and (self.ruleset.filename != PRODUCTION_RULESET):
production = ProductionRuleset(self.ruleset.filename)
transactions.append(production)
executeTransactions(self.logger, transactions)
self.result.applied = True
return self.result.exportXMLRPC()