def __apply_default_rules(self, ipv, transaction):
default_rules = {}
if ipv in ["ipv4", "ipv6"]:
x = ipXtables
else:
x = ebtables
for table in x.DEFAULT_RULES:
default_rules[table] = x.DEFAULT_RULES[table][:]
if self._log_denied != "off":
for table in x.LOG_RULES:
default_rules.setdefault(table, []).extend(x.LOG_RULES[table])
for table in default_rules:
if table not in self.get_available_tables(ipv):
continue
prefix = ["-t", table]
for rule in default_rules[table]:
if type(rule) == list:
_rule = prefix + rule
else:
_rule = prefix + functions.splitArgs(rule)
#if self._individual_calls or \
# (ipv == "eb" and not
# self.ebtables_backend.restore_noflush_option):
# self.rule(ipv, _rule)
#else:
# transaction.add_rule(ipv, _rule)
transaction.add_rule(ipv, _rule)
def __apply_default_rules(self, ipv, transaction):
default_rules = { }
if ipv in [ "ipv4", "ipv6" ]:
x = ipXtables
else:
x = ebtables
for table in x.DEFAULT_RULES:
default_rules[table] = x.DEFAULT_RULES[table][:]
if self._log_denied != "off":
for table in x.LOG_RULES:
default_rules.setdefault(table, []).extend(x.LOG_RULES[table])
for table in default_rules:
if table not in self.get_available_tables(ipv):
continue
prefix = [ "-t", table ]
for rule in default_rules[table]:
if type(rule) == list:
_rule = prefix + rule
else:
_rule = prefix + functions.splitArgs(rule)
#if self._individual_calls or \
# (ipv == "eb" and not
# self.ebtables_backend.restore_noflush_option):
# self.rule(ipv, _rule)
#else:
# transaction.add_rule(ipv, _rule)
transaction.add_rule(ipv, _rule)
def __apply_default_rules(self, ipv):
default_rules = { }
if ipv in [ "ipv4", "ipv6" ]:
x = ipXtables
else:
x = ebtables
for table in x.DEFAULT_RULES:
default_rules[table] = x.DEFAULT_RULES[table][:]
if self._log_denied != "off":
for table in x.LOG_RULES:
default_rules.setdefault(table, []).extend(x.LOG_RULES[table])
rules = { }
for table in default_rules:
if not self.is_table_available(ipv, table):
continue
prefix = [ "-t", table ]
for rule in default_rules[table]:
if type(rule) == list:
_rule = prefix + rule
else:
_rule = prefix + functions.splitArgs(rule)
if self._individual_calls or \
(ipv == "eb" and not self._ebtables.restore_noflush_option):
self.rule(ipv, _rule)
else:
rules.setdefault(ipv, []).append(_rule)
for ipv in rules:
self.rules(ipv, rules[ipv])
def endElement(self, name):
IO_Object_ContentHandler.endElement(self, name)
if name == "rule":
if self._element:
# add arguments
self._rule.append([ u2b_if_py2(x) for x in splitArgs(self._element) ])
self.item.add_rule(*self._rule)
else:
log.error("Error: rule does not have any arguments, ignoring.")
self._rule = None
elif name == "passthrough":
if self._element:
# add arguments
self._passthrough.append([ u2b_if_py2(x) for x in splitArgs(self._element) ])
self.item.add_passthrough(*self._passthrough)
else:
log.error("Error: passthrough does not have any arguments, " +
"ignoring.")
self._passthrough = None
def endElement(self, name):
IO_Object_ContentHandler.endElement(self, name)
if name == "rule":
if self._element:
# add arguments
self._rule.append(splitArgs(self._element))
self.item.add_rule(*self._rule)
else:
log.error("Error: rule does not have any arguments, ignoring.")
self._rule = None
elif name == "passthrough":
if self._element:
# add arguments
self._passthrough.append(splitArgs(self._element))
self.item.add_passthrough(*self._passthrough)
else:
log.error("Error: passthrough does not have any arguments, " +
"ignoring.")
self._passthrough = None
def apply_default_rules(self, transaction, log_denied="off"):
for table in DEFAULT_RULES:
if table not in self.available_tables():
continue
default_rules = DEFAULT_RULES[table][:]
if log_denied != "off" and table in LOG_RULES:
default_rules.extend(LOG_RULES[table])
prefix = ["-t", table]
for rule in default_rules:
if type(rule) == list:
_rule = prefix + rule
else:
_rule = prefix + splitArgs(rule)
transaction.add_rule(self.ipv, _rule)
def apply_default_rules(self, transaction, log_denied="off"):
for table in DEFAULT_RULES:
if table not in self.get_available_tables():
continue
default_rules = DEFAULT_RULES[table][:]
if log_denied != "off" and table in LOG_RULES:
default_rules.extend(LOG_RULES[table])
prefix = [ "-t", table ]
for rule in default_rules:
if type(rule) == list:
_rule = prefix + rule
else:
_rule = prefix + splitArgs(rule)
transaction.add_rule(self.ipv, _rule)
def build_default_rules(self, log_denied="off"):
default_rules = []
for table in DEFAULT_RULES:
if table not in self.get_available_tables():
continue
_default_rules = DEFAULT_RULES[table][:]
if log_denied != "off" and table in LOG_RULES:
_default_rules.extend(LOG_RULES[table])
prefix = [ "-t", table ]
for rule in _default_rules:
if type(rule) == list:
default_rules.append(prefix + rule)
else:
default_rules.append(prefix + splitArgs(rule))
return default_rules
def _lexer(self, rule_str):
""" Lexical analysis """
tokens = []
for r in functions.splitArgs(rule_str):
if "=" in r:
attr = r.split('=')
if len(attr) != 2 or not attr[0] or not attr[1]:
raise FirewallError(INVALID_RULE, 'internal error in _lexer(): %s' % r)
tokens.append({'attr_name':attr[0], 'attr_value':attr[1]})
else:
tokens.append({'element':r})
tokens.append({'element':'EOL'})
return tokens
def _lexer(self, rule_str):
""" Lexical analysis """
tokens = []
for r in functions.splitArgs(rule_str):
if "=" in r:
attr = r.split("=")
if len(attr) != 2 or not attr[0] or not attr[1]:
raise FirewallError(INVALID_RULE, "internal error in _lexer(): %s" % r)
tokens.append({"attr_name": attr[0], "attr_value": attr[1]})
else:
tokens.append({"element": r})
tokens.append({"element": "EOL"})
return tokens
def _lexer(self, rule_str):
""" Lexical analysis """
tokens = []
for r in functions.splitArgs(rule_str):
if "=" in r:
attr = r.split('=')
if len(attr) != 2 or not attr[0] or not attr[1]:
raise FirewallError(INVALID_RULE,
'internal error in _lexer(): %s' % r)
tokens.append({'attr_name': attr[0], 'attr_value': attr[1]})
else:
tokens.append({'element': r})
tokens.append({'element': 'EOL'})
return tokens
def configure_directs(jconfig,
errors=None,
changes=None,
apply_retry=0,
**kwargs):
if errors is None:
errors = []
if changes is None:
changes = []
msg = 'Activating direct rules'
log.info(msg)
for rule in jconfig.get('direct', []):
try:
drule = rule.split(None, 4)
if len(drule) != 5:
raise ValueError(
'{0} is not formatted as a direct rule'.format(rule))
rule_chunk = get_direct_chunks([drule])[0]
# cache can be a source of errors, if we are retrying we
# skip cache
if apply_retry > 0:
rules = get_directs(cache=False)
else:
rules = get_directs()
rules_chunks = get_direct_chunks(rules)
if rule_chunk not in rules_chunks:
rules = get_directs()
rules_chunks = get_direct_chunks(rules)
if rule_chunk not in rules_chunks:
msg = ' - Add direct rule {0}'.format(rule)
log.info(msg)
changes.append(msg)
fw().addRule(drule[0], drule[1], drule[2], int(drule[3]),
splitArgs(drule[4]))
else:
msg = ' - Already activated: {0}'.format(rule)
log.info(msg)
except (Exception) as ex:
trace = traceback.format_exc()
errors.append({
'trace': trace,
'type': 'directs/rule',
'id': "directs/rule/{0}".format(rule),
'exception': ex
})
