Ejemplo n.º 1
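    def set_entries(self, ipset, entries, sender=None):
        """Replace the runtime entries of an ipset with ``entries``.

        All new entries are passed to ``IPSet.check_entry`` before any
        existing entry is removed. Removal and addition are best effort: a
        backend failure is logged and the remaining entries are still
        processed. Only entries the backend accepted are recorded in
        ``obj.entries``.

        Args:
            ipset: name of the ipset to modify.
            entries: iterable of entries that should make up the set.
            sender: not used by this method.

        Raises:
            FirewallError: IPSET_WITH_TIMEOUT if the ipset has a "timeout"
                option.
        """
        obj = self.get_ipset(ipset)
        if "timeout" in obj.options:
            # no entries visible for ipsets with timeout
            raise FirewallError(IPSET_WITH_TIMEOUT, ipset)

        # Snapshot the input. If a caller passed obj.entries itself (or a
        # one-shot iterator), the clear() below / the validation loop would
        # otherwise leave nothing to add and the set would end up empty.
        entries = list(entries)
        for entry in entries:
            IPSet.check_entry(entry, obj.options, obj.type)

        for entry in obj.entries:
            try:
                self._fw._ipset.remove(obj.name, entry)
            except Exception as msg:
                log.error("Failed to remove entry '%s' from ipset '%s'" %
                          (entry, obj.name))
                log.error(msg)
        # NOTE(review): an entry whose removal failed is dropped from the
        # tracked list here although the backend may still hold it, so the
        # reported set and the enforced set can differ until the next sync.
        obj.entries.clear()

        for entry in entries:
            try:
                self._fw._ipset.add(obj.name, entry)
            except Exception as msg:
                # The original logged "Failed to remove ..." here, which
                # pointed at the wrong operation when reading the logs.
                log.error("Failed to add entry '%s' to ipset '%s'" %
                          (entry, obj.name))
                log.error(msg)
            else:
                obj.entries.append(entry)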
Ejemplo n.º 2
    def set_entries(self, name, entries):
        """Replace the entries of the ipset ``name`` on every backend.

        Each entry is passed to ``IPSet.check_entry`` first. The new list is
        stored on the ipset object unless the set has a non-zero "timeout"
        option. The set is then flushed on all backends and repopulated from
        ``obj.entries``.

        Raises:
            FirewallError: COMMAND_FAILED wrapping any backend exception.
        """
        ipset_obj = self.get_ipset(name, applied=True)

        for candidate in entries:
            IPSet.check_entry(candidate, ipset_obj.options, ipset_obj.type)

        expiring = ("timeout" in ipset_obj.options
                    and ipset_obj.options["timeout"] != "0")
        if not expiring:
            # no entries visible for ipsets with timeout
            ipset_obj.entries = entries
        # NOTE(review): the backends below are refilled from
        # ipset_obj.entries, not from the ``entries`` argument, so for a set
        # with a non-zero timeout the argument appears to be validated and
        # then unused - confirm this is intended.

        # Flush and refill are two separate steps. If the refill fails, the
        # backend set is left empty or partial while the tracked list already
        # holds the new entries; the caller sees COMMAND_FAILED.
        try:
            for backend in self.backends():
                backend.set_flush(ipset_obj.name)
        except Exception as exc:
            raise FirewallError(errors.COMMAND_FAILED, exc)
        ipset_obj.applied = True

        try:
            for backend in self.backends():
                per_entry = (self._fw.individual_calls()
                             or backend.name == "nftables")
                if not per_entry:
                    backend.set_restore(ipset_obj.name, ipset_obj.type,
                                        ipset_obj.entries, ipset_obj.options,
                                        None)
                    continue
                for member in ipset_obj.entries:
                    backend.set_add(ipset_obj.name, member)
        except Exception as exc:
            raise FirewallError(errors.COMMAND_FAILED, exc)
        ipset_obj.applied = True
Ejemplo n.º 3
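    def set_entries(self, ipset, entries, sender=None):
        """Replace the runtime entries of an ipset with ``entries``.

        New entries are checked with ``IPSet.check_entry`` before anything is
        removed. Backend failures while removing or adding are logged and do
        not stop the loop. ``obj.entries`` ends up holding only the entries
        the backend accepted.

        Args:
            ipset: name of the ipset to modify.
            entries: iterable of entries that should make up the set.
            sender: not used by this method.

        Raises:
            FirewallError: IPSET_WITH_TIMEOUT if the ipset has a "timeout"
                option.
        """
        obj = self.get_ipset(ipset)
        if "timeout" in obj.options:
            # no entries visible for ipsets with timeout
            raise FirewallError(IPSET_WITH_TIMEOUT, ipset)

        # Copy the input so that passing obj.entries itself, or a one-shot
        # iterator, cannot leave the add loop with nothing to iterate.
        entries = list(entries)
        for entry in entries:
            IPSet.check_entry(entry, obj.options, obj.type)

        for entry in obj.entries:
            try:
                self._fw._ipset.remove(obj.name, entry)
            except Exception as msg:
                log.error("Failed to remove entry '%s' from ipset '%s'" %
                          (entry, obj.name))
                log.error(msg)
        # NOTE(review): entries that could not be removed are forgotten here
        # but may still be present in the backend set.
        obj.entries.clear()

        for entry in entries:
            try:
                self._fw._ipset.add(obj.name, entry)
            except Exception as msg:
                # Message corrected: this is the add path, not the remove path.
                log.error("Failed to add entry '%s' to ipset '%s'" %
                          (entry, obj.name))
                log.error(msg)
            else:
                obj.entries.append(entry)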
Ejemplo n.º 4
    def set_entries(self, name, entries):
        """Replace the entries of the ipset ``name`` in the ipset backend.

        Sets with a non-zero "timeout" option are rejected. After every entry
        has passed ``IPSet.check_entry`` the list is stored on the ipset
        object, the backend set is flushed, and the entries are written back
        either one by one or with a single restore call.

        Raises:
            FirewallError: IPSET_WITH_TIMEOUT for a set with a non-zero
                timeout.
        """
        obj = self.get_ipset(name, applied=True)
        if "timeout" in obj.options and obj.options["timeout"] != "0":
            # no entries visible for ipsets with timeout
            raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)

        for candidate in entries:
            IPSet.check_entry(candidate, obj.options, obj.type)
        obj.entries = entries

        per_entry = self._fw.individual_calls()

        # Both modes begin with the same flush.
        # NOTE(review): every backend failure below is only logged. The
        # tracked list was already replaced above, so after a failed add or
        # restore the reported entries and the enforced set can differ and
        # the caller gets no error.
        try:
            self._fw.ipset_backend.flush(obj.name)
        except Exception as exc:
            log.error("Failed to flush ipset '%s'" % obj.name)
            log.error(exc)
        else:
            obj.applied = True

        if not per_entry:
            try:
                self._fw.ipset_backend.restore(obj.name, obj.type,
                                               obj.entries, obj.options, None)
            except Exception as exc:
                log.error("Failed to create ipset '%s'" % obj.name)
                log.error(exc)
            else:
                obj.applied = True
            return

        for member in obj.entries:
            try:
                self._fw.ipset_backend.add(obj.name, member)
            except Exception as exc:
                log.error("Failed to add entry '%s' to ipset '%s'" %
                          (member, obj.name))
                log.error(exc)
Ejemplo n.º 5
    def set_entries(self, name, entries):
        """Replace the entries of the ipset ``name`` in the ipset backend.

        Any set carrying a "timeout" option is rejected. Once all entries
        have passed ``IPSet.check_entry`` they are stored on the ipset
        object; the backend set is flushed and refilled, entry by entry or
        through one restore call.

        Raises:
            FirewallError: IPSET_WITH_TIMEOUT if the set has a "timeout"
                option.
        """
        obj = self.get_ipset(name)
        if "timeout" in obj.options:
            # no entries visible for ipsets with timeout
            raise FirewallError(errors.IPSET_WITH_TIMEOUT, name)

        for candidate in entries:
            IPSet.check_entry(candidate, obj.options, obj.type)
        obj.entries = entries

        per_entry = self._fw.individual_calls()

        # The flush is common to both modes.
        # NOTE(review): failures are logged, never raised, and obj.entries
        # has already been replaced - a failed refill leaves the backend set
        # empty or partial without the caller noticing.
        try:
            self._fw.ipset_backend.flush(obj.name)
        except Exception as exc:
            log.error("Failed to flush ipset '%s'" % obj.name)
            log.error(exc)
        else:
            obj.applied = True

        if per_entry:
            for member in obj.entries:
                try:
                    self._fw.ipset_backend.add(obj.name, member)
                except Exception as exc:
                    log.error("Failed to add entry '%s' to ipset '%s'" %
                              (member, obj.name))
                    log.error(exc)
            return

        try:
            self._fw.ipset_backend.restore(obj.name, obj.type, obj.entries,
                                           obj.options, None)
        except Exception as exc:
            log.error("Failed to create ipset '%s'" % obj.name)
            log.error(exc)
        else:
            obj.applied = True
Ejemplo n.º 6
    def add_entry(self, name, entry):
        """Add one entry to the ipset ``name`` on every backend.

        The entry is passed to ``IPSet.check_entry`` and rejected if it is
        already tracked. It is recorded in ``obj.entries`` only after all
        backends accepted it.

        Raises:
            FirewallError: ALREADY_ENABLED if the entry is already tracked,
                COMMAND_FAILED wrapping any backend exception.
        """
        ipset_obj = self.get_ipset(name, applied=True)

        IPSet.check_entry(entry, ipset_obj.options, ipset_obj.type)
        if entry in ipset_obj.entries:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "'%s' already is in '%s'" % (entry, name))

        # If a later backend fails, earlier backends already hold the entry
        # while it is not recorded here; the caller sees COMMAND_FAILED.
        try:
            for backend in self.backends():
                backend.set_add(ipset_obj.name, entry)
        except Exception as exc:
            raise FirewallError(errors.COMMAND_FAILED, exc)

        # no entries visible for ipsets with timeout
        # NOTE(review): the original condition is "A or B and C", which
        # Python groups as "A or (B and C)"; the two branches below spell
        # that out. The duplicate check therefore only applies to sets with
        # timeout "0" - confirm whether "(A or B) and C" was meant.
        opts = ipset_obj.options
        if "timeout" not in opts:
            ipset_obj.entries.append(entry)
        elif opts["timeout"] == "0" and entry not in ipset_obj.entries:
            ipset_obj.entries.append(entry)
Ejemplo n.º 7
    def new_ipset(self, name, conf):
        """Create a new ipset from ``conf``, write it out and register it.

        Args:
            name: name for the new ipset; must not match a known or builtin
                ipset.
            conf: configuration handed to ``IPSet.import_config``.

        Returns:
            The newly created IPSet object.

        Raises:
            FirewallError: NAME_CONFLICT if the name is already in use.
        """
        name_taken = name in self._ipsets or name in self._builtin_ipsets
        if name_taken:
            raise FirewallError(errors.NAME_CONFLICT,
                                "new_ipset(): '%s'" % name)

        ipset = IPSet()
        # The name ends up in the file name below, so it is checked before
        # anything is derived from it.
        # NOTE(review): presumably check_name rejects names that are unsafe
        # as a path component - verify against IPSet.check_name.
        ipset.check_name(name)
        ipset.import_config(conf)
        # Assigned after import_config, so the requested name is the one
        # that is kept.
        ipset.name = name
        ipset.filename = "%s.xml" % name
        ipset.path = config.ETC_FIREWALLD_IPSETS
        # A new ipset can never carry the name of a builtin one.
        ipset.builtin = False
        ipset.default = True

        ipset_writer(ipset)
        self.add_ipset(ipset)
        return ipset
Ejemplo n.º 8
    def add_entry(self, name, entry):
        """Add one entry to the ipset ``name`` in the ipset backend.

        The entry is passed to ``IPSet.check_entry`` and rejected if already
        tracked. It is recorded in ``obj.entries`` only when the backend call
        succeeded and the set has no non-zero timeout.

        Raises:
            FirewallError: ALREADY_ENABLED if the entry is already tracked.
        """
        ipset_obj = self.get_ipset(name, applied=True)

        IPSet.check_entry(entry, ipset_obj.options, ipset_obj.type)
        if entry in ipset_obj.entries:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "'%s' already is in '%s'" % (entry, name))

        try:
            self._fw.ipset_backend.add(ipset_obj.name, entry)
        except Exception as exc:
            # NOTE(review): the failure is only logged, so the caller cannot
            # tell that the entry is not in the backend set.
            log.error("Failed to add entry '%s' to ipset '%s'" %
                      (entry, ipset_obj.name))
            log.error(exc)
            return

        expiring = ("timeout" in ipset_obj.options
                    and ipset_obj.options["timeout"] != "0")
        if not expiring:
            # no entries visible for ipsets with timeout
            ipset_obj.entries.append(entry)
Ejemplo n.º 9
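    def new_ipset(self, name, config):
        """Create a new ipset from ``config``, write it out and register it.

        Args:
            name: name for the new ipset; must not resolve via ``get_ipset``.
            config: configuration handed to ``IPSet.import_config``.

        Returns:
            The newly created IPSet object.

        Raises:
            FirewallError: NAME_CONFLICT if an ipset with this name exists.
        """
        try:
            self.get_ipset(name)
        except Exception:
            # A failed lookup means the name is free. The original bare
            # "except:" also swallowed KeyboardInterrupt and SystemExit.
            # NOTE(review): narrowing this to the specific "not found" error
            # would be better; get_ipset is not visible here.
            pass
        else:
            raise FirewallError(NAME_CONFLICT, "new_ipset(): '%s'" % name)

        x = IPSet()
        # The name is checked before the file name is derived from it.
        # NOTE(review): presumably check_name rejects names that are unsafe
        # as a path component - verify against IPSet.check_name.
        x.check_name(name)
        x.import_config(config)
        x.name = name
        x.filename = "%s.xml" % name
        x.path = ETC_FIREWALLD_IPSETS
        x.default = False

        ipset_writer(x)
        self.add_ipset(x)
        return x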
Ejemplo n.º 10
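    def new_ipset(self, name, config):
        """Create a new ipset from ``config``, write it out and register it.

        Args:
            name: name for the new ipset; must not resolve via ``get_ipset``.
            config: configuration handed to ``IPSet.import_config``.

        Returns:
            The newly created IPSet object.

        Raises:
            FirewallError: NAME_CONFLICT if an ipset with this name exists.
        """
        try:
            self.get_ipset(name)
        except Exception:
            # A failed lookup means the name is free. The original bare
            # "except:" also swallowed KeyboardInterrupt and SystemExit.
            # NOTE(review): narrowing this to the specific "not found" error
            # would be better; get_ipset is not visible here.
            pass
        else:
            raise FirewallError(NAME_CONFLICT, "new_ipset(): '%s'" % name)

        x = IPSet()
        # The name is checked before the file name is derived from it.
        # NOTE(review): presumably check_name rejects names that are unsafe
        # as a path component - verify against IPSet.check_name.
        x.check_name(name)
        x.import_config(config)
        x.name = name
        x.filename = "%s.xml" % name
        x.path = ETC_FIREWALLD_IPSETS
        # A new ipset can never carry the name of a builtin one.
        x.builtin = False
        x.default = True

        ipset_writer(x)
        self.add_ipset(x)
        return x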
Ejemplo n.º 11
    def add_entry(self, ipset, entry, sender=None):
        """Add one entry to the named ipset.

        Sets with a "timeout" option are rejected. The entry is passed to
        ``IPSet.check_entry``, refused if already tracked, and recorded in
        ``obj.entries`` only after the backend accepted it.

        Args:
            ipset: name of the ipset to modify.
            entry: the entry to add.
            sender: not used by this method.

        Raises:
            FirewallError: IPSET_WITH_TIMEOUT for a set with a "timeout"
                option, ALREADY_ENABLED if the entry is already tracked.
        """
        target = self.get_ipset(ipset)
        if "timeout" in target.options:
            # no entries visible for ipsets with timeout
            raise FirewallError(IPSET_WITH_TIMEOUT, ipset)

        IPSet.check_entry(entry, target.options, target.type)
        if entry in target.entries:
            raise FirewallError(ALREADY_ENABLED,
                                "'%s' already is in '%s'" % (entry, ipset))

        try:
            self._fw._ipset.add(target.name, entry)
        except Exception as exc:
            # NOTE(review): the failure is only logged, so the caller cannot
            # tell that the entry is not in the backend set.
            log.error("Failed to add entry '%s' to ipset '%s'" %
                      (entry, target.name))
            log.error(exc)
            return

        # Repeats the test already made by the guard at the top of the
        # method; kept as in the original.
        if "timeout" not in target.options:
            # no entries visible for ipsets with timeout
            target.entries.append(entry)
Ejemplo n.º 12
    def add_entry(self, ipset, entry, sender=None):
        """Add one entry to the named ipset.

        An ipset with a "timeout" option is refused. The entry goes through
        ``IPSet.check_entry``, must not be tracked yet, and is appended to
        ``obj.entries`` only if the backend call did not raise.

        Args:
            ipset: name of the ipset to modify.
            entry: the entry to add.
            sender: not used by this method.

        Raises:
            FirewallError: IPSET_WITH_TIMEOUT for a set with a "timeout"
                option, ALREADY_ENABLED if the entry is already tracked.
        """
        target = self.get_ipset(ipset)
        if "timeout" in target.options:
            # no entries visible for ipsets with timeout
            raise FirewallError(IPSET_WITH_TIMEOUT, ipset)

        IPSet.check_entry(entry, target.options, target.type)
        if entry in target.entries:
            raise FirewallError(ALREADY_ENABLED,
                                "'%s' already is in '%s'" % (entry, ipset))

        added = False
        try:
            self._fw._ipset.add(target.name, entry)
            added = True
        except Exception as exc:
            # NOTE(review): logged only; the caller gets no error when the
            # backend rejects the entry.
            log.error("Failed to add entry '%s' to ipset '%s'" %
                      (entry, target.name))
            log.error(exc)

        # The timeout test duplicates the guard at the top of the method;
        # kept as in the original.
        if added and "timeout" not in target.options:
            # no entries visible for ipsets with timeout
            target.entries.append(entry)
Ejemplo n.º 13
    def set_entries(self, name, entries):
        """Replace the entries of the ipset ``name`` on every backend.

        Each entry is passed to ``IPSet.check_entry``. The list is stored on
        the ipset object unless the set has a non-zero "timeout" option. Every
        backend is then flushed and refilled from ``obj.entries``; backend
        failures are logged and processing continues.
        """
        obj = self.get_ipset(name, applied=True)

        for candidate in entries:
            IPSet.check_entry(candidate, obj.options, obj.type)

        expiring = "timeout" in obj.options and obj.options["timeout"] != "0"
        if not expiring:
            # no entries visible for ipsets with timeout
            obj.entries = entries
        # NOTE(review): backends are refilled from obj.entries, not from the
        # ``entries`` argument - for a set with a non-zero timeout the
        # argument appears unused after validation; confirm intent.

        # NOTE(review): no failure below reaches the caller. A backend whose
        # refill failed after a successful flush is left empty or partial
        # while the tracked list already shows the new entries.
        for backend in self.backends():
            try:
                backend.set_flush(obj.name)
            except Exception as exc:
                log.error("Failed to flush ipset '%s'" % obj.name)
                log.error(exc)
            else:
                obj.applied = True

            per_entry = (self._fw.individual_calls()
                         or backend.name == "nftables")
            if not per_entry:
                try:
                    backend.set_restore(obj.name, obj.type, obj.entries,
                                        obj.options, None)
                except Exception as exc:
                    log.error("Failed to create ipset '%s'" % obj.name)
                    log.error(exc)
                else:
                    obj.applied = True
                continue

            for member in obj.entries:
                try:
                    backend.set_add(obj.name, member)
                except Exception as exc:
                    log.error("Failed to add entry '%s' to ipset '%s'" %
                              (member, obj.name))
                    log.error(exc)
Ejemplo n.º 14
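    def new_ipset(self, name, config):
        """Create a new ipset from ``config``, write it out and register it.

        Args:
            name: name for the new ipset; must not resolve via ``get_ipset``.
            config: configuration handed to ``IPSet.import_config``.

        Returns:
            The newly created IPSet object.

        Raises:
            FirewallError: NAME_CONFLICT if an ipset with this name exists.
        """
        try:
            self.get_ipset(name)
        except Exception:
            # A failed lookup means the name is free. The original bare
            # "except:" also swallowed KeyboardInterrupt and SystemExit.
            # NOTE(review): narrowing this to the specific "not found" error
            # would be better; get_ipset is not visible here.
            pass
        else:
            raise FirewallError(NAME_CONFLICT, "new_ipset(): '%s'" % name)

        x = IPSet()
        # The name is checked before the file name is derived from it.
        # NOTE(review): presumably check_name rejects names that are unsafe
        # as a path component - verify against IPSet.check_name.
        x.check_name(name)
        x.import_config(config)
        x.name = name
        x.filename = "%s.xml" % name
        x.path = ETC_FIREWALLD_IPSETS
        x.default = False

        ipset_writer(x)
        self.add_ipset(x)
        return x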
Ejemplo n.º 15
    def set_entries(self, name, entries):
        """Replace the entries of the ipset ``name`` on every backend.

        The input is checked for overlaps and normalised into a set, so
        duplicates collapse and the input order is not kept. Each resulting
        entry is passed to ``IPSet.check_entry``. The list is stored on the
        ipset object unless the set has a non-zero "timeout" option; all
        backends are then flushed and refilled from ``obj.entries``.

        Raises:
            FirewallError: COMMAND_FAILED wrapping any backend exception.
        """
        ipset_obj = self.get_ipset(name, applied=True)

        # NOTE(review): the overlap check and normalisation see the raw
        # entries before IPSet.check_entry has run - confirm both helpers
        # cope with malformed input.
        unique = set()
        for raw in entries:
            check_entry_overlaps_existing(raw, unique)
            unique.add(normalize_ipset_entry(raw))
        entries = list(unique)

        for candidate in entries:
            IPSet.check_entry(candidate, ipset_obj.options, ipset_obj.type)

        expiring = ("timeout" in ipset_obj.options
                    and ipset_obj.options["timeout"] != "0")
        if not expiring:
            # no entries visible for ipsets with timeout
            ipset_obj.entries = entries

        # Flush and refill are separate steps: a refill failure leaves the
        # backend set empty or partial and is reported as COMMAND_FAILED.
        try:
            for backend in self.backends():
                backend.set_flush(ipset_obj.name)
        except Exception as exc:
            raise FirewallError(errors.COMMAND_FAILED, exc)
        ipset_obj.applied = True

        try:
            for backend in self.backends():
                if not self._fw._individual_calls:
                    backend.set_restore(ipset_obj.name, ipset_obj.type,
                                        ipset_obj.entries, ipset_obj.options,
                                        None)
                    continue
                for member in ipset_obj.entries:
                    backend.set_add(ipset_obj.name, member)
        except Exception as exc:
            raise FirewallError(errors.COMMAND_FAILED, exc)
        ipset_obj.applied = True
Ejemplo n.º 16
    def new_ipset(self, name, conf):
        """Build an ipset from ``conf``, persist it and add it to the store.

        Args:
            name: name for the new ipset; must not match a known or builtin
                ipset.
            conf: configuration handed to ``IPSet.import_config``.

        Returns:
            The newly created IPSet object.

        Raises:
            FirewallError: NAME_CONFLICT if the name is already in use.
        """
        if name in self._ipsets:
            raise FirewallError(errors.NAME_CONFLICT,
                                "new_ipset(): '%s'" % name)
        if name in self._builtin_ipsets:
            raise FirewallError(errors.NAME_CONFLICT,
                                "new_ipset(): '%s'" % name)

        created = IPSet()
        # check_name runs before the name is turned into a file name.
        # NOTE(review): presumably it rejects names that are unsafe as a path
        # component - verify against IPSet.check_name.
        created.check_name(name)
        created.import_config(conf)
        # Set after import_config so the requested name is the one kept.
        created.name = name
        created.filename = "%s.xml" % name
        created.path = config.ETC_FIREWALLD_IPSETS
        # A new ipset can never carry the name of a builtin one.
        created.builtin = False
        created.default = True

        ipset_writer(created)
        self.add_ipset(created)
        return created