 def startElement(self, name, attrs):
     """Handle one XML start tag of a service definition and fill ``self.item``.

     ``name`` is the element name, ``attrs`` its attribute map.  The generic
     handler runs first, then ``parser_check_element_attrs`` vets the
     attribute set before any value is copied (presumably it also guarantees
     the mandatory attributes indexed below are present — confirm).  Ports and
     module names are stored as given; only destination addresses are
     validated here, via ``check_address``.

     Raises:
         FirewallError: INVALID_ADDR when a destination address does not pass
             ``check_address`` for its family.
     """
     IO_Object_ContentHandler.startElement(self, name)
     self.item.parser_check_element_attrs(name, attrs)

     if name == "service":
         # 'name' is deprecated: report it, but never store it.
         if "name" in attrs:
             log.warning("Ignoring deprecated attribute name='%s'" %
                         attrs["name"])
         if "version" in attrs:
             self.item.version = attrs["version"]
     elif name in ("short", "description"):
         # Nothing to pick up from the start tag of these elements.
         pass
     elif name == "port":
         port_entry = (attrs["port"], attrs["protocol"])
         self.item.ports.append(port_entry)
     elif name == "destination":
         for family in ("ipv4", "ipv6"):
             if family not in attrs:
                 continue
             address = attrs[family]
             if not check_address(family, address):
                 raise FirewallError(
                     INVALID_ADDR,
                     "'%s' is not valid %s address" % (address, family))
             self.item.destination[family] = address
     elif name == "module":
         self.item.modules.append(attrs["name"])
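    def _check_config(self, config, item):
        """Validate one part of the service configuration before it is accepted.

        Args:
            config: The value belonging to ``item``: a list of
                ``(port, protocol)`` pairs for "ports", a list of protocol
                names for "protocols", a mapping of family ("ipv4"/"ipv6") to
                address for "destination", or a list of kernel module names
                for "modules".  Other item names are not checked here.
            item: Which part of the configuration ``config`` holds.

        Raises:
            FirewallError: INVALID_PROTOCOL, INVALID_DESTINATION, INVALID_ADDR
                or INVALID_MODULE for the first offending entry.  ``check_port``
                and ``check_tcpudp`` are called for their side effect only, so
                they are expected to raise on invalid input themselves.
        """
        if item == "ports":
            for port in config:
                if port[0] != "":
                    check_port(port[0])
                    check_tcpudp(port[1])
                else:
                    # An empty port means the entry is a bare protocol.
                    if not checkProtocol(port[1]):
                        raise FirewallError(INVALID_PROTOCOL, port[1])

        # 'elif' instead of a second 'if': the branches are mutually exclusive
        # and this keeps the chain consistent with the other items.
        elif item == "protocols":
            for proto in config:
                if not checkProtocol(proto):
                    raise FirewallError(INVALID_PROTOCOL, proto)

        elif item == "destination":
            for destination in config:
                if destination not in ["ipv4", "ipv6"]:
                    raise FirewallError(INVALID_DESTINATION,
                                        "'%s' not in {'ipv4'|'ipv6'}" % destination)
                # The address is checked against the family it is keyed by.
                if not check_address(destination, config[destination]):
                    raise FirewallError(INVALID_ADDR,
                                        "'%s' is not valid %s address" %
                                        (config[destination], destination))
        elif item == "modules":
            # Only names under the nf_conntrack_ prefix are accepted, so a
            # service file cannot request an arbitrary kernel module.
            # replace() strips every occurrence of the prefix, so a name made
            # only of repeated prefixes is rejected as well.
            for module in config:
                if not module.startswith("nf_conntrack_"):
                    raise FirewallError(INVALID_MODULE, module)
                elif len(module.replace("nf_conntrack_", "")) < 1:
                    raise FirewallError(INVALID_MODULE, module)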
    def _check_config(self, config, item):
        """Validate one part of the service configuration before it is accepted.

        Args:
            config: The value belonging to ``item``: a list of
                ``(port, protocol)`` pairs for "ports", a mapping of family
                ("ipv4"/"ipv6") to address for "destination", or a list of
                kernel module names for "modules".  Other item names are not
                checked here.
            item: Which part of the configuration ``config`` holds.

        Raises:
            FirewallError: INVALID_PROTOCOL, INVALID_DESTINATION, INVALID_ADDR
                or INVALID_MODULE for the first offending entry.  ``check_port``
                and ``check_protocol`` are called for their side effect only and
                are expected to raise on invalid input themselves.
        """
        if item == "ports":
            for entry in config:
                number, proto = entry[0], entry[1]
                if number == "":
                    # Empty port: the entry stands for a protocol on its own.
                    if not checkProtocol(proto):
                        raise FirewallError(INVALID_PROTOCOL, proto)
                else:
                    check_port(number)
                    check_protocol(proto)

        elif item == "destination":
            for family in config:
                if family not in ("ipv4", "ipv6"):
                    raise FirewallError(
                        INVALID_DESTINATION,
                        "'%s' not in {'ipv4'|'ipv6'}" % family)
                address = config[family]
                # The address is checked against the family it is keyed by.
                if not check_address(family, address):
                    raise FirewallError(INVALID_ADDR,
                                        "'%s' is not valid %s address" %
                                        (address, family))
        elif item == "modules":
            # Only nf_conntrack_ helper modules with a non-empty remainder are
            # allowed; replace() drops every occurrence of the prefix.
            for module in config:
                prefixed = module.startswith("nf_conntrack_")
                remainder = module.replace("nf_conntrack_", "")
                if not prefixed or len(remainder) < 1:
                    raise FirewallError(INVALID_MODULE, module)
 def startElement(self, name, attrs):
     """Handle one XML start tag of a service definition and fill ``self.item``.

     After the generic handler and ``parser_check_element_attrs`` have run
     (the latter presumably ensures the attributes indexed below exist —
     confirm), the element is dispatched on ``name``.  A ``port`` element
     with an empty ``port`` attribute is recorded as a bare protocol.  Only
     destination addresses are validated here, via ``check_address``; ports,
     protocols and module names are stored as given.

     Raises:
         FirewallError: INVALID_ADDR when a destination address does not pass
             ``check_address`` for its family.
     """
     IO_Object_ContentHandler.startElement(self, name)
     self.item.parser_check_element_attrs(name, attrs)

     if name == "service":
         # 'name' is deprecated: report it, but never store it.
         if "name" in attrs:
             log.warning("Ignoring deprecated attribute name='%s'" %
                         attrs["name"])
         if "version" in attrs:
             self.item.version = attrs["version"]
     elif name in ("short", "description"):
         # Nothing to pick up from the start tag of these elements.
         pass
     elif name == "port":
         port = attrs["port"]
         protocol = attrs["protocol"]
         if port == "":
             self.item.protocols.append(protocol)
         else:
             self.item.ports.append((port, protocol))
     elif name == "protocol":
         self.item.protocols.append(attrs["value"])
     elif name == "destination":
         for family in ("ipv4", "ipv6"):
             if family not in attrs:
                 continue
             address = attrs[family]
             if not check_address(family, address):
                 raise FirewallError(
                     INVALID_ADDR,
                     "'%s' is not valid %s address" % (address, family))
             self.item.destination[family] = address
     elif name == "module":
         self.item.modules.append(attrs["name"])
 def startElement(self, name, attrs):
     """Handle one XML start tag of a service definition and fill ``self.item``.

     After the generic handler and ``parser_check_element_attrs`` have run
     (the latter presumably ensures the attributes indexed below exist —
     confirm), the element is dispatched on ``name``.  Duplicate ports,
     protocols, destination addresses and modules are not stored twice: the
     repeat is logged and dropped.  Destination addresses must pass
     ``check_address``; module names must start with ``nf_conntrack_`` and
     carry a non-empty remainder, otherwise they are logged and dropped.

     Raises:
         FirewallError: INVALID_ADDR when a destination address does not pass
             ``check_address`` for its family.
     """
     IO_Object_ContentHandler.startElement(self, name)
     self.item.parser_check_element_attrs(name, attrs)

     if name == "service":
         # 'name' is deprecated: report it, but never store it.
         if "name" in attrs:
             log.warning("Ignoring deprecated attribute name='%s'",
                         attrs["name"])
         if "version" in attrs:
             self.item.version = attrs["version"]
     elif name in ("short", "description"):
         # Nothing to pick up from the start tag of these elements.
         pass
     elif name == "port":
         port = attrs["port"]
         protocol = attrs["protocol"]
         if port != "":
             entry = (port, protocol)
             if entry in self.item.ports:
                 log.warning("Port '%s/%s' already set, ignoring.",
                             port, protocol)
             else:
                 self.item.ports.append(entry)
         # An empty port attribute stands for a bare protocol.
         elif protocol in self.item.protocols:
             log.warning("Protocol '%s' already set, ignoring.", protocol)
         else:
             self.item.protocols.append(protocol)
     elif name == "protocol":
         protocol = attrs["value"]
         if protocol in self.item.protocols:
             log.warning("Protocol '%s' already set, ignoring.", protocol)
         else:
             self.item.protocols.append(protocol)
     elif name == "destination":
         for family in ("ipv4", "ipv6"):
             if family not in attrs:
                 continue
             address = attrs[family]
             if not check_address(family, address):
                 raise FirewallError(INVALID_ADDR,
                         "'%s' is not valid %s address" % (address, family))
             # First address per family wins; later ones are only reported.
             if family in self.item.destination:
                 log.warning("Destination address for '%s' already set, ignoring",
                             family)
             else:
                 self.item.destination[family] = address
     elif name == "module":
         module = attrs["name"]
         # Only nf_conntrack_ helpers with a non-empty remainder are accepted;
         # replace() strips every occurrence of the prefix.
         has_prefix = module.startswith("nf_conntrack_")
         has_remainder = len(module.replace("nf_conntrack_", "")) > 0
         if not (has_prefix and has_remainder):
             log.warning("Invalid module '%s'", module)
         elif module in self.item.modules:
             log.warning("Module '%s' already set, ignoring.", module)
         else:
             self.item.modules.append(module)
    def _check_config(self, config, item):
        """Validate the "ports" or "destination" part of the configuration.

        Args:
            config: A list of ``(port, protocol)`` pairs for "ports", or a
                mapping of family ("ipv4"/"ipv6") to address for
                "destination".  Other item names are not checked here.
            item: Which part of the configuration ``config`` holds.

        Raises:
            FirewallError: INVALID_PROTOCOL for a bare protocol that
                ``functions.checkProtocol`` rejects, INVALID_DESTINATION for a
                family other than ipv4/ipv6, INVALID_ADDRESS for an address
                that ``functions.check_address`` rejects.  ``check_port`` and
                ``check_protocol`` are called for their side effect only and
                are expected to raise on invalid input themselves.
        """
        if item == "ports":
            for entry in config:
                number, proto = entry[0], entry[1]
                if number == "":
                    # Empty port: the entry stands for a protocol on its own.
                    if not functions.checkProtocol(proto):
                        raise FirewallError(INVALID_PROTOCOL, proto)
                else:
                    check_port(number)
                    check_protocol(proto)

        elif item == "destination":
            for family in config:
                if family not in ("ipv4", "ipv6"):
                    raise FirewallError(INVALID_DESTINATION, family)
                address = config[family]
                # The address is checked against the family it is keyed by.
                if not functions.check_address(family, address):
                    raise FirewallError(INVALID_ADDRESS, address)
    def _check_config(self, config, item):
        """Validate the "ports" or "destination" part of the configuration.

        Args:
            config: A list of ``(port, protocol)`` pairs for "ports", or a
                mapping of family ("ipv4"/"ipv6") to address for
                "destination".  Other item names are not checked here.
            item: Which part of the configuration ``config`` holds.

        Raises:
            FirewallError: INVALID_PROTOCOL for a bare protocol that
                ``functions.checkProtocol`` rejects, INVALID_DESTINATION for a
                family other than ipv4/ipv6, INVALID_ADDRESS for an address
                that ``functions.check_address`` rejects.  ``check_port`` and
                ``check_protocol`` are called for their side effect only and
                are expected to raise on invalid input themselves.
        """
        if item == "ports":
            for entry in config:
                number, proto = entry[0], entry[1]
                if number == "":
                    # Empty port: the entry stands for a protocol on its own.
                    if not functions.checkProtocol(proto):
                        raise FirewallError(INVALID_PROTOCOL, proto)
                else:
                    check_port(number)
                    check_protocol(proto)

        elif item == "destination":
            for family in config:
                if family not in ("ipv4", "ipv6"):
                    raise FirewallError(INVALID_DESTINATION, family)
                address = config[family]
                # The address is checked against the family it is keyed by.
                if not functions.check_address(family, address):
                    raise FirewallError(INVALID_ADDRESS, address)
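    def check(self):
        """Validate the rich rule's fields for mutual consistency.

        The checks run in a fixed order and the first violation raises:
        family value, family presence where addresses or a forward-port need
        it, element/action/source combinations, the per-element checks
        (service, port, protocol, masquerade, icmp-block, forward-port), then
        log, audit and action.  Addresses and ports go through
        ``functions.check_address`` / ``check_port`` /
        ``check_single_address``, so only syntactically valid values survive
        this method.  Nested ``limit`` objects and a ``Rich_Reject`` action
        delegate to their own ``check``.

        Raises:
            FirewallError: with the matching code (INVALID_FAMILY,
                MISSING_FAMILY, INVALID_RULE, INVALID_ADDR, INVALID_SERVICE,
                INVALID_PORT, INVALID_PROTOCOL, INVALID_ICMPTYPE,
                INVALID_LOG_LEVEL, INVALID_AUDIT_TYPE) for the first
                violation found.
        """
        # Exact-type dispatch is intentional (no subclass matching); 'is' is
        # the idiomatic spelling of that comparison.
        element_type = type(self.element)

        if self.family is not None and self.family not in ["ipv4", "ipv6"]:
            raise FirewallError(INVALID_FAMILY, self.family)
        if self.family is None:
            if self.source is not None or self.destination is not None:
                raise FirewallError(MISSING_FAMILY)
            if element_type is Rich_ForwardPort:
                raise FirewallError(MISSING_FAMILY)

        if self.element is None:
            if self.action is None:
                raise FirewallError(INVALID_RULE, "no element, no action")
            if self.source is None:
                raise FirewallError(INVALID_RULE, "no element, no source")
            if self.destination is not None:
                raise FirewallError(INVALID_RULE, "destination action")

        # Every element except these three needs something to do with a match.
        if element_type not in [
                Rich_IcmpBlock, Rich_ForwardPort, Rich_Masquerade
        ]:
            if self.log is None and self.audit is None and \
                    self.action is None:
                raise FirewallError(INVALID_RULE,
                                    "no action, no log, no audit")

        # source
        if self.source is not None:
            # Already covered by the MISSING_FAMILY check above; kept as a
            # guard so the address check below never runs without a family.
            if self.family is None:
                raise FirewallError(INVALID_FAMILY)
            if self.source.addr is None or \
                    not functions.check_address(self.family,
                                                self.source.addr):
                raise FirewallError(INVALID_ADDR, str(self.source.addr))

        # destination
        if self.destination is not None:
            if self.family is None:
                raise FirewallError(INVALID_FAMILY)
            if self.destination.addr is None or \
                    not functions.check_address(self.family,
                                                self.destination.addr):
                raise FirewallError(INVALID_ADDR, str(self.destination.addr))

        # service
        if element_type is Rich_Service:
            # service availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(INVALID_SERVICE, str(self.element.name))

        # port
        elif element_type is Rich_Port:
            if not functions.check_port(self.element.port):
                raise FirewallError(INVALID_PORT, self.element.port)
            if self.element.protocol not in ["tcp", "udp"]:
                raise FirewallError(INVALID_PROTOCOL, self.element.protocol)

        # protocol
        elif element_type is Rich_Protocol:
            if not functions.checkProtocol(self.element.value):
                raise FirewallError(INVALID_PROTOCOL, self.element.value)

        # masquerade
        elif element_type is Rich_Masquerade:
            if self.destination is not None:
                raise FirewallError(INVALID_RULE, "masquerade and destination")
            if self.action is not None:
                raise FirewallError(INVALID_RULE, "masquerade and action")

        # icmp-block
        elif element_type is Rich_IcmpBlock:
            # icmp type availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(INVALID_ICMPTYPE, str(self.element.name))
            if self.action:
                raise FirewallError(INVALID_RULE, "icmp-block and action")

        # forward-port
        elif element_type is Rich_ForwardPort:
            if not functions.check_port(self.element.port):
                raise FirewallError(INVALID_PORT, self.element.port)
            if self.element.protocol not in ["tcp", "udp"]:
                raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
            # At least one of to_port / to_address must be given; each one
            # that is given must be valid on its own.
            if self.element.to_port == "" and self.element.to_address == "":
                raise FirewallError(INVALID_PORT, self.element.to_port)
            if self.element.to_port != "" and \
                    not functions.check_port(self.element.to_port):
                raise FirewallError(INVALID_PORT, self.element.to_port)
            if self.element.to_address != "" and \
                    not functions.check_single_address(self.family,
                                                       self.element.to_address):
                raise FirewallError(INVALID_ADDR, self.element.to_address)
            if self.family is None:
                raise FirewallError(INVALID_FAMILY)
            if self.action is not None:
                raise FirewallError(INVALID_RULE, "forward-port and action")

        # other element and not empty?
        elif self.element is not None:
            raise FirewallError(INVALID_RULE,
                                "Unknown element %s" % type(self.element))

        # log
        if self.log is not None:
            # Only the syslog priority names are accepted as a level.
            if self.log.level and \
               self.log.level not in [ "emerg", "alert", "crit", "error",
                                       "warning", "notice", "info", "debug" ]:
                raise FirewallError(INVALID_LOG_LEVEL, self.log.level)

            if self.log.limit is not None:
                self.log.limit.check()

        # audit
        if self.audit is not None:
            if type(self.action) not in [Rich_Accept, Rich_Reject, Rich_Drop]:
                raise FirewallError(INVALID_AUDIT_TYPE, type(self.action))

            if self.audit.limit is not None:
                self.audit.limit.check()

        # action
        if self.action is not None:
            if type(self.action) is Rich_Reject:
                self.action.check(self.family)

            if self.action.limit is not None:
                self.action.limit.check()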
def check_address(ipv, addr):
    """Raise ``FirewallError(INVALID_ADDR)`` unless ``addr`` is valid for ``ipv``.

    Raising wrapper over ``functions.check_address``, which only reports a
    boolean.  ``ipv`` names the address family (presumably "ipv4"/"ipv6", as
    the callers on this page use) and is echoed in the error message.
    """
    valid = functions.check_address(ipv, addr)
    if valid:
        return
    raise FirewallError(errors.INVALID_ADDR,
                        "'%s' is not valid %s address" % (addr, ipv))
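    def check(self):
        """Validate the rich rule's fields for mutual consistency.

        The checks run in a fixed order and the first violation raises:
        family value and presence, priority range, element/action/source
        combinations, source and destination (address, mac or ipset — at
        most one of them), the per-element checks (service, port, protocol,
        masquerade, icmp-block, icmp-type, forward-port, source-port,
        tcp-mss-clamp), then log, audit and action.  Addresses, macs, ports
        and ipset names go through ``functions.check_address`` /
        ``check_mac`` / ``check_port`` / ``check_single_address`` /
        ``check_ipset_name``, so only syntactically valid values survive this
        method.  ``log``, nested ``limit`` objects and ``Rich_Reject`` /
        ``Rich_Mark`` actions delegate to their own ``check``.

        Raises:
            FirewallError: with the matching ``errors`` code (INVALID_FAMILY,
                MISSING_FAMILY, INVALID_PRIORITY, INVALID_RULE, INVALID_ADDR,
                INVALID_MAC, INVALID_IPSET, INVALID_DESTINATION,
                INVALID_SERVICE, INVALID_PORT, INVALID_PROTOCOL,
                INVALID_ICMPTYPE, INVALID_AUDIT_TYPE) for the first violation
                found.
        """
        # Exact-type dispatch is intentional (no subclass matching); 'is' is
        # the idiomatic spelling of that comparison.
        element_type = type(self.element)

        if self.family is not None and self.family not in ["ipv4", "ipv6"]:
            raise FirewallError(errors.INVALID_FAMILY, self.family)
        if self.family is None:
            if (self.source is not None and self.source.addr is not None) or \
               self.destination is not None:
                raise FirewallError(errors.MISSING_FAMILY)
            if element_type is Rich_ForwardPort:
                raise FirewallError(errors.MISSING_FAMILY)

        if self.priority < self.priority_min or self.priority > self.priority_max:
            raise FirewallError(errors.INVALID_PRIORITY, "'priority' attribute must be between %d and %d." \
                                                         % (self.priority_min, self.priority_max))

        # A rule without element must carry an action, and (unless it is a
        # prioritised log-only rule) match on a source or destination.
        if self.element is None and \
           (self.log is None or (self.log is not None and self.priority == 0)):
            if self.action is None:
                raise FirewallError(errors.INVALID_RULE,
                                    "no element, no action")
            if self.source is None and self.destination is None and self.priority == 0:
                raise FirewallError(errors.INVALID_RULE,
                                    "no element, no source, no destination")

        # Every element except these four needs something to do with a match.
        if element_type not in [
                Rich_IcmpBlock, Rich_ForwardPort, Rich_Masquerade,
                Rich_Tcp_Mss_Clamp
        ]:
            if self.log is None and self.audit is None and \
                    self.action is None:
                raise FirewallError(errors.INVALID_RULE,
                                    "no action, no log, no audit")

        # source: exactly one of addr / mac / ipset
        if self.source is not None:
            if self.source.addr is not None:
                # Already covered by the MISSING_FAMILY check above; kept as a
                # guard so the address check never runs without a family.
                if self.family is None:
                    raise FirewallError(errors.INVALID_FAMILY)
                if self.source.mac is not None:
                    raise FirewallError(errors.INVALID_RULE, "address and mac")
                if self.source.ipset is not None:
                    raise FirewallError(errors.INVALID_RULE,
                                        "address and ipset")
                if not functions.check_address(self.family, self.source.addr):
                    raise FirewallError(errors.INVALID_ADDR,
                                        str(self.source.addr))

            elif self.source.mac is not None:
                if self.source.ipset is not None:
                    raise FirewallError(errors.INVALID_RULE, "mac and ipset")
                if not functions.check_mac(self.source.mac):
                    raise FirewallError(errors.INVALID_MAC,
                                        str(self.source.mac))

            elif self.source.ipset is not None:
                if not check_ipset_name(self.source.ipset):
                    raise FirewallError(errors.INVALID_IPSET,
                                        str(self.source.ipset))

            else:
                raise FirewallError(errors.INVALID_RULE, "invalid source")

        # destination: exactly one of addr / ipset
        if self.destination is not None:
            if self.destination.addr is not None:
                if self.family is None:
                    raise FirewallError(errors.INVALID_FAMILY)
                if self.destination.ipset is not None:
                    raise FirewallError(errors.INVALID_DESTINATION,
                                        "address and ipset")
                if not functions.check_address(self.family,
                                               self.destination.addr):
                    raise FirewallError(errors.INVALID_ADDR,
                                        str(self.destination.addr))

            elif self.destination.ipset is not None:
                if not check_ipset_name(self.destination.ipset):
                    raise FirewallError(errors.INVALID_IPSET,
                                        str(self.destination.ipset))

            else:
                raise FirewallError(errors.INVALID_RULE, "invalid destination")

        # service
        if element_type is Rich_Service:
            # service availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(errors.INVALID_SERVICE,
                                    str(self.element.name))

        # port
        elif element_type is Rich_Port:
            if not functions.check_port(self.element.port):
                raise FirewallError(errors.INVALID_PORT, self.element.port)
            if self.element.protocol not in ["tcp", "udp", "sctp", "dccp"]:
                raise FirewallError(errors.INVALID_PROTOCOL,
                                    self.element.protocol)

        # protocol
        elif element_type is Rich_Protocol:
            if not functions.checkProtocol(self.element.value):
                raise FirewallError(errors.INVALID_PROTOCOL,
                                    self.element.value)

        # masquerade
        elif element_type is Rich_Masquerade:
            if self.action is not None:
                raise FirewallError(errors.INVALID_RULE,
                                    "masquerade and action")
            if self.source is not None and self.source.mac is not None:
                raise FirewallError(errors.INVALID_RULE,
                                    "masquerade and mac source")

        # icmp-block
        elif element_type is Rich_IcmpBlock:
            # icmp type availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(errors.INVALID_ICMPTYPE,
                                    str(self.element.name))
            if self.action:
                raise FirewallError(errors.INVALID_RULE,
                                    "icmp-block and action")

        # icmp-type
        elif element_type is Rich_IcmpType:
            # icmp type availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(errors.INVALID_ICMPTYPE,
                                    str(self.element.name))

        # forward-port
        elif element_type is Rich_ForwardPort:
            if not functions.check_port(self.element.port):
                raise FirewallError(errors.INVALID_PORT, self.element.port)
            if self.element.protocol not in ["tcp", "udp", "sctp", "dccp"]:
                raise FirewallError(errors.INVALID_PROTOCOL,
                                    self.element.protocol)
            # At least one of to_port / to_address must be given; each one
            # that is given must be valid on its own.
            if self.element.to_port == "" and self.element.to_address == "":
                raise FirewallError(errors.INVALID_PORT, self.element.to_port)
            if self.element.to_port != "" and \
                    not functions.check_port(self.element.to_port):
                raise FirewallError(errors.INVALID_PORT, self.element.to_port)
            if self.element.to_address != "" and \
                    not functions.check_single_address(self.family,
                                                       self.element.to_address):
                raise FirewallError(errors.INVALID_ADDR,
                                    self.element.to_address)
            if self.family is None:
                raise FirewallError(errors.INVALID_FAMILY)
            if self.action is not None:
                raise FirewallError(errors.INVALID_RULE,
                                    "forward-port and action")

        # source-port
        elif element_type is Rich_SourcePort:
            if not functions.check_port(self.element.port):
                raise FirewallError(errors.INVALID_PORT, self.element.port)
            if self.element.protocol not in ["tcp", "udp", "sctp", "dccp"]:
                raise FirewallError(errors.INVALID_PROTOCOL,
                                    self.element.protocol)

        # tcp-mss-clamp
        elif element_type is Rich_Tcp_Mss_Clamp:
            if self.action is not None:
                raise FirewallError(
                    errors.INVALID_RULE,
                    "tcp-mss-clamp and %s are mutually exclusive" %
                    self.action)
            if self.element.value:
                if not functions.checkTcpMssClamp(self.element.value):
                    raise FirewallError(errors.INVALID_RULE,
                                        self.element.value)

        # other element and not empty?
        elif self.element is not None:
            raise FirewallError(errors.INVALID_RULE,
                                "Unknown element %s" % type(self.element))

        # log
        if self.log is not None:
            self.log.check()

        # audit
        if self.audit is not None:
            if type(self.action) not in [Rich_Accept, Rich_Reject, Rich_Drop]:
                raise FirewallError(errors.INVALID_AUDIT_TYPE,
                                    type(self.action))

            if self.audit.limit is not None:
                self.audit.limit.check()

        # action
        if self.action is not None:
            action_type = type(self.action)
            if action_type is Rich_Reject:
                self.action.check(self.family)
            elif action_type is Rich_Mark:
                self.action.check()

            if self.action.limit is not None:
                self.action.limit.check()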
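    def check(self):
        """Validate the rich rule's fields for mutual consistency.

        The checks run in a fixed order and the first violation raises:
        family value and presence, element/action/source combinations, source
        (address, mac or ipset) and destination (address), the per-element
        checks (service, port, protocol, masquerade, icmp-block,
        forward-port), then log, audit and action.  Addresses, macs, ports
        and ipsets go through ``functions.check_address`` / ``check_mac`` /
        ``check_port`` / ``check_single_address`` / ``check_ipset``, so only
        syntactically valid values survive this method.  Nested ``limit``
        objects and a ``Rich_Reject`` action delegate to their own ``check``.

        Raises:
            FirewallError: with the matching code (INVALID_FAMILY,
                MISSING_FAMILY, INVALID_RULE, INVALID_ADDR, INVALID_MAC,
                INVALID_IPSET, INVALID_SERVICE, INVALID_PORT,
                INVALID_PROTOCOL, INVALID_ICMPTYPE, INVALID_LOG_LEVEL,
                INVALID_AUDIT_TYPE) for the first violation found.
        """
        # Exact-type dispatch is intentional (no subclass matching); 'is' is
        # the idiomatic spelling of that comparison.
        element_type = type(self.element)

        if self.family is not None and self.family not in [ "ipv4", "ipv6" ]:
            raise FirewallError(INVALID_FAMILY, self.family)
        if self.family is None:
            if (self.source is not None and self.source.addr is not None) or \
               self.destination is not None:
                raise FirewallError(MISSING_FAMILY)
            if element_type is Rich_ForwardPort:
                raise FirewallError(MISSING_FAMILY)

        if self.element is None:
            if self.action is None:
                raise FirewallError(INVALID_RULE, "no element, no action")
            if self.source is None:
                raise FirewallError(INVALID_RULE, "no element, no source")
            if self.destination is not None:
                raise FirewallError(INVALID_RULE, "destination action")

        # Every element except these three needs something to do with a match.
        if element_type not in [ Rich_IcmpBlock,
                                 Rich_ForwardPort,
                                 Rich_Masquerade ]:
            if self.log is None and self.audit is None and \
                    self.action is None:
                raise FirewallError(INVALID_RULE, "no action, no log, no audit")

        # source: one of addr / mac / ipset (addr and mac are exclusive)
        if self.source is not None:
            if self.source.addr is not None:
                # Already covered by the MISSING_FAMILY check above; kept as a
                # guard so the address check never runs without a family.
                if self.family is None:
                    raise FirewallError(INVALID_FAMILY)
                if self.source.mac is not None:
                    raise FirewallError(INVALID_RULE, "address and mac")
                if not functions.check_address(self.family, self.source.addr):
                    raise FirewallError(INVALID_ADDR, str(self.source.addr))

            elif self.source.mac is not None:
                if not functions.check_mac(self.source.mac):
                    raise FirewallError(INVALID_MAC, str(self.source.mac))

            elif self.source.ipset is not None:
                if not functions.check_ipset(self.source.ipset):
                    raise FirewallError(INVALID_IPSET, str(self.source.ipset))

            else:
                raise FirewallError(INVALID_RULE, "invalid source")

        # destination
        if self.destination is not None:
            if self.family is None:
                raise FirewallError(INVALID_FAMILY)
            if self.destination.addr is None or \
                    not functions.check_address(self.family,
                                                self.destination.addr):
                raise FirewallError(INVALID_ADDR, str(self.destination.addr))

        # service
        if element_type is Rich_Service:
            # service availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(INVALID_SERVICE, str(self.element.name))

        # port
        elif element_type is Rich_Port:
            if not functions.check_port(self.element.port):
                raise FirewallError(INVALID_PORT, self.element.port)
            if self.element.protocol not in [ "tcp", "udp" ]:
                raise FirewallError(INVALID_PROTOCOL, self.element.protocol)

        # protocol
        elif element_type is Rich_Protocol:
            if not functions.checkProtocol(self.element.value):
                raise FirewallError(INVALID_PROTOCOL, self.element.value)

        # masquerade
        elif element_type is Rich_Masquerade:
            if self.action is not None:
                raise FirewallError(INVALID_RULE, "masquerade and action")
            if self.source is not None and self.source.mac is not None:
                raise FirewallError(INVALID_RULE, "masquerade and mac source")

        # icmp-block
        elif element_type is Rich_IcmpBlock:
            # icmp type availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(INVALID_ICMPTYPE, str(self.element.name))
            if self.action:
                raise FirewallError(INVALID_RULE, "icmp-block and action")

        # forward-port
        elif element_type is Rich_ForwardPort:
            if not functions.check_port(self.element.port):
                raise FirewallError(INVALID_PORT, self.element.port)
            if self.element.protocol not in [ "tcp", "udp" ]:
                raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
            # At least one of to_port / to_address must be given; each one
            # that is given must be valid on its own.
            if self.element.to_port == "" and self.element.to_address == "":
                raise FirewallError(INVALID_PORT, self.element.to_port)
            if self.element.to_port != "" and \
                    not functions.check_port(self.element.to_port):
                raise FirewallError(INVALID_PORT, self.element.to_port)
            if self.element.to_address != "" and \
                    not functions.check_single_address(self.family,
                                                       self.element.to_address):
                raise FirewallError(INVALID_ADDR, self.element.to_address)
            if self.family is None:
                raise FirewallError(INVALID_FAMILY)
            if self.action is not None:
                raise FirewallError(INVALID_RULE, "forward-port and action")

        # other element and not empty?
        elif self.element is not None:
            raise FirewallError(INVALID_RULE, "Unknown element %s" %
                                type(self.element))

        # log
        if self.log is not None:
            # Only the syslog priority names are accepted as a level.
            if self.log.level and \
               self.log.level not in [ "emerg", "alert", "crit", "error",
                                       "warning", "notice", "info", "debug" ]:
                raise FirewallError(INVALID_LOG_LEVEL, self.log.level)

            if self.log.limit is not None:
                self.log.limit.check()

        # audit
        if self.audit is not None:
            if type(self.action) not in [ Rich_Accept, Rich_Reject, Rich_Drop ]:
                raise FirewallError(INVALID_AUDIT_TYPE, type(self.action))

            if self.audit.limit is not None:
                self.audit.limit.check()

        # action
        if self.action is not None:
            if type(self.action) is Rich_Reject:
                self.action.check(self.family)

            if self.action.limit is not None:
                self.action.limit.check()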
def check_address(ipv, addr):
    """Raise FirewallError(INVALID_ADDR) unless *addr* is a valid *ipv* address.

    The actual validation is delegated to ``functions.check_address``; this
    wrapper only turns a false result into the error the callers expect, so a
    rejected address never reaches the code that builds firewall rules.

    Args:
        ipv: address family string handed through to ``functions.check_address``.
        addr: address string to validate.

    Raises:
        FirewallError: with ``errors.INVALID_ADDR`` when validation fails.
    """
    valid = functions.check_address(ipv, addr)
    if valid:
        return
    message = "'%s' is not valid %s address" % (addr, ipv)
    raise FirewallError(errors.INVALID_ADDR, message)
    def check(self):
        if self.family is not None and self.family not in [ "ipv4", "ipv6" ]:
            raise FirewallError(errors.INVALID_FAMILY, self.family)
        if self.family is None:
            if (self.source is not None and self.source.addr is not None) or \
               self.destination is not None:
                raise FirewallError(errors.MISSING_FAMILY)
            if type(self.element) == Rich_ForwardPort:
                raise FirewallError(errors.MISSING_FAMILY)

        if self.element is None:
            if self.action is None:
                raise FirewallError(errors.INVALID_RULE, "no element, no action")
            if self.source is None and self.destination is None:
                raise FirewallError(errors.INVALID_RULE, "no element, no source, no destination")

        if type(self.element) not in [ Rich_IcmpBlock,
                                       Rich_ForwardPort,
                                       Rich_Masquerade ]:
            if self.log is None and self.audit is None and \
                    self.action is None:
                raise FirewallError(errors.INVALID_RULE, "no action, no log, no audit")

        # source
        if self.source is not None:
            if self.source.addr is not None:
                if self.family is None:
                    raise FirewallError(errors.INVALID_FAMILY)
                if self.source.mac is not None:
                    raise FirewallError(errors.INVALID_RULE, "address and mac")
                if self.source.ipset is not None:
                    raise FirewallError(errors.INVALID_RULE, "address and ipset")
                if not functions.check_address(self.family, self.source.addr):
                    raise FirewallError(errors.INVALID_ADDR, str(self.source.addr))

            elif self.source.mac is not None:
                if self.source.ipset is not None:
                    raise FirewallError(errors.INVALID_RULE, "mac and ipset")
                if not functions.check_mac(self.source.mac):
                    raise FirewallError(errors.INVALID_MAC, str(self.source.mac))

            elif self.source.ipset is not None:
                if not check_ipset_name(self.source.ipset):
                    raise FirewallError(errors.INVALID_IPSET, str(self.source.ipset))

            else:
                raise FirewallError(errors.INVALID_RULE, "invalid source")

        # destination
        if self.destination is not None:
            if self.family is None:
                raise FirewallError(errors.INVALID_FAMILY)
            if self.destination.addr is not None and self.destination.ipset is not None
                    raise FirewallError(errors.INVALID_RULE, "address and ipset")
            if self.destination.ipset is None:
                if self.destination.addr is None or not functions.check_address(self.family,
                                                                                self.destination.addr)):
                    raise FirewallError(errors.INVALID_ADDR, str(self.destination.addr))
            else:
                if not check_ipset_name(self.destination.ipset):
                    raise FirewallError(errors.INVALID_IPSET, str(self.destination.ipset))

        # service
        if type(self.element) == Rich_Service:
            # service availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(errors.INVALID_SERVICE, str(self.element.name))

        # port
        elif type(self.element) == Rich_Port:
            if not functions.check_port(self.element.port):
                raise FirewallError(errors.INVALID_PORT, self.element.port)
            if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
                raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)

        # protocol
        elif type(self.element) == Rich_Protocol:
            if not functions.checkProtocol(self.element.value):
                raise FirewallError(errors.INVALID_PROTOCOL, self.element.value)

        # masquerade
        elif type(self.element) == Rich_Masquerade:
            if self.action is not None:
                raise FirewallError(errors.INVALID_RULE, "masquerade and action")
            if self.source is not None and self.source.mac is not None:
                raise FirewallError(errors.INVALID_RULE, "masquerade and mac source")

        # icmp-block
        elif type(self.element) == Rich_IcmpBlock:
            # icmp type availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(errors.INVALID_ICMPTYPE, str(self.element.name))
            if self.action:
                raise FirewallError(errors.INVALID_RULE, "icmp-block and action")

        # icmp-type
        elif type(self.element) == Rich_IcmpType:
            # icmp type availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(errors.INVALID_ICMPTYPE, str(self.element.name))

        # forward-port
        elif type(self.element) == Rich_ForwardPort:
            if not functions.check_port(self.element.port):
                raise FirewallError(errors.INVALID_PORT, self.element.port)
            if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
                raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
            if self.element.to_port == "" and self.element.to_address == "":
                raise FirewallError(errors.INVALID_PORT, self.element.to_port)
            if self.element.to_port != "" and \
                    not functions.check_port(self.element.to_port):
                raise FirewallError(errors.INVALID_PORT, self.element.to_port)
            if self.element.to_address != "" and \
                    not functions.check_single_address(self.family,
                                                       self.element.to_address):
                raise FirewallError(errors.INVALID_ADDR, self.element.to_address)
            if self.family is None:
                raise FirewallError(errors.INVALID_FAMILY)
            if self.action is not None:
                raise FirewallError(errors.INVALID_RULE, "forward-port and action")