def _applyMultisiteThread(component, context, template_content, generic_links, netcfg):
logger = ContextLoggerChild(context, component)
lock_manager = component.core.lock_manager
use_template = bool(template_content)
config = component.config
use_nufw = (config['global']['firewall_type'] == NUFW_GATEWAY)
last_ruleset = lastRulesetApplied()
ruleset_name = last_ruleset.get('ruleset')
# Create transactions
transactions = []
if use_template:
# Write the new multisite template content
write_template = WriteTemplate(logger, MULTISITE_TEMPLATE_FILENAME, template_content)
transactions.append(write_template)
transactions.append(WriteGenericLinks(generic_links, logger))
if use_template and (not ruleset_name):
# There is not production ruleset:
# create an empty ruleset using the template
create_empty = CreateEmptyRuleset(logger, component, netcfg)
transactions.append(create_empty)
else:
create_empty = None
# Replace the template in all existing rulesets
replace = replaceTemplateTransactions(logger, component, netcfg,
MULTISITE_TEMPLATE_NAME, use_template)
transactions.append(replace)
# Reapply the ruleset
apply = ApplyRuleset(logger, component, context, netcfg,
ruleset_name, use_nufw)
transactions.append(apply)
if create_empty:
create_empty.name_callbacks.append(apply.setRuleset)
# The new ruleset is now the production ruleset
save = SaveRuleset(None, use_nufw)
transactions.append(save)
create_empty.name_callbacks.append(save.setRuleset)
if (not use_template) and exists(MULTISITE_TEMPLATE_FILENAME):
# Remove the multisite template
remove = RemoveTemplate(logger, MULTISITE_TEMPLATE_FILENAME)
transactions.append(remove)
lock_manager.acquire(context, LOCK_RULESET)
try:
executeTransactions(logger, transactions)
finally:
lock_manager.release(context, LOCK_RULESET)
def applyRulesThread(logger, rules_file):
name = rules_file.name
filter_ipv4 = WriteRules('filter', name, rules_file.ipv4_filter_rules, False, logger)
mangle_ipv4 = WriteRules('mangle', name, rules_file.ipv4_mangle_rules, False, logger)
nat_ipv4 = WriteRules('nat', name, rules_file.ipv4_nat_rules, False, logger)
transactions = [filter_ipv4, mangle_ipv4, nat_ipv4]
if USE_IPV6:
filter_ipv6 = WriteRules('filter', name, rules_file.ipv6_filter_rules, True, logger)
transactions.append(filter_ipv6)
mangle_ipv6 = WriteRules('mangle', name, rules_file.ipv6_mangle_rules, True, logger)
transactions.append(mangle_ipv6)
nat_ipv6 = WriteRules('nat', name, rules_file.ipv6_nat_rules, True, logger)
transactions.append(nat_ipv6)
executeTransactions(logger, transactions)
def _applyRulesThread(self):
if self.only_consistency:
self.consistencyEngine()
return self.result.exportXMLRPC()
elif not self.result.ignore_consistency_error:
self.consistencyEngine()
if self.result.consistency_errors:
return self.result.exportXMLRPC()
options = IptablesOptions()
options.nufw = self.use_nufw
if self.ruleset_name:
self.logger.critical("Apply rules: rule set %r" % self.ruleset_name)
else:
self.logger.critical("Apply rules: no rule set (only localfw rules)")
write_ldap = WriteLdapRules(self.logger, self.config['ldap'])
ufwi_ruleset_rules = {
'use_ipv6': self.use_ipv6,
'use_nufw': self.use_nufw,
'is_gateway': self.config.isGateway(),
}
if self.use_nufw:
ufwi_ruleset_rules['ldap_config'] = self.config['ldap']
if self.use_ipv6:
acls = itertools.chain(self.acls_ipv4, self.acls_ipv6)
else:
acls = self.acls_ipv4
ufwi_ruleset_rules['ldap_rules'] = write_ldap.createRules(acls)
# TODO: disable IP forward at the beginning
# TODO: FORWARD and INPUT: set policy to DROP
# LDAP
transactions = []
if self.use_nufw:
filename = self.config['nufw']['periods_filename']
periods = TimeRangeFileTransaction(filename, self.acls_ipv4, self.acls_ipv6)
transactions.append(periods)
# iptables
options.ipv6 = False
write_iptables_ipv4 = WriteIptablesRules(
self.logger, self.config, self.ipv4_default_decisions,
self.acls_ipv4, self.nats, self.custom_rules,
options, self.result)
transactions.append(write_iptables_ipv4)
ipv6_options = deepcopy(options)
ipv6_options.ipv6 = True
ipv6_options.deny_all = (not self.use_ipv6)
write_iptables_ipv6 = WriteIptablesRules(
self.logger, self.config, self.ipv6_default_decisions,
self.acls_ipv6, None, self.custom_rules,
ipv6_options, self.result)
transactions.append(write_iptables_ipv6)
# TODO: reload nuauth caches
# TODO: reload nuauth periods
# TODO: FORWARD and INPUT: set policy to ACCEPT
write = WriteRules(self.logger, ufwi_ruleset_rules)
transactions.append(write)
script = RulesetScript(self.context, self.logger)
transactions.append(script)
save_ruleset = SaveRuleset(self.ruleset_name, self.use_nufw)
transactions.append(save_ruleset)
if self.ruleset \
and (self.ruleset.filename != PRODUCTION_RULESET):
production = ProductionRuleset(self.ruleset.filename)
transactions.append(production)
executeTransactions(self.logger, transactions)
self.result.applied = True
return self.result.exportXMLRPC()
