    def filterRules(self, acls, forward_chains, custom_rules):
        """Yield the iptables-restore lines of the ``*filter`` table.

        Emits, in order: a long header comment, ``*filter``, one
        ``Counters`` entry per built-in chain (INPUT/FORWARD/OUTPUT) carrying
        the default decision, the ``create`` line of every forward chain, and
        then -- unless ``self.options.deny_all`` is set -- the default rules,
        user pre-rules, custom ``filter-pre`` rules, the FORWARD dispatch
        rules, the ACL rules, custom ``filter-post`` rules, user post-rules and
        finally ``filterDrop``.

        Args:
            acls: passed through to ``aclsRules(self, acls)``.
            forward_chains: objects exposing ``.create``; also given to
                ``dispatchRules`` and ``filterDrop``.
            custom_rules: passed through to ``customRules`` for the
                ``filter-pre`` and ``filter-post`` slots.

        Yields:
            Rule lines (strings or ``Counters`` objects) in emission order.
        """
        for header_line in longComment("filter table"):
            yield header_line

        yield "*filter"
        for chain in ("INPUT", "FORWARD", "OUTPUT"):
            policy = self.default_decisions.getDecision(chain)
            # An iptables chain *policy* can only be ACCEPT or DROP, so a
            # REJECT default is downgraded to DROP here. NOTE(review): the
            # REJECT semantics are presumably restored by a trailing rule
            # (see filterDrop at the end) -- confirm in that helper.
            yield Counters(chain, decision=('DROP' if policy == 'REJECT' else policy))
        for forward_chain in forward_chains:
            yield forward_chain.create

        # deny_all: only chain declarations and default decisions are emitted.
        if self.options.deny_all:
            return

        # Remaining sections, evaluated lazily and in this exact order so
        # that any side effects of the helpers happen as they did before.
        sections = (
            lambda: self.defaultFilterRules(),
            lambda: self.userPreRules('filter'),
            lambda: self.customRules(custom_rules, 'filter-pre'),
            lambda: comment("Dispatch FORWARD to the different chains"),
            lambda: dispatchRules(forward_chains),
            lambda: aclsRules(self, acls),
            lambda: self.customRules(custom_rules, 'filter-post'),
            lambda: self.userPostRules('filter'),
            lambda: self.filterDrop(forward_chains),
        )
        for section in sections:
            for rule_line in section():
                yield rule_line
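def iptablesRules(context, component, ruleset, rule_type, identifiers, use_nufw):
    """Generate the iptables rules of one ruleset table and export them.

    Args:
        context, component: used to build the child logger via
            ``ContextLoggerChild``; ``component.config`` is also handed to
            ``IptablesGenerator``.
        ruleset: object exposing ``.nats``, ``.acls_ipv4`` and ``.acls_ipv6``;
            the two ACL tables also expose ``.default_decisions``.
        rule_type: ``'nats'``, ``'acls-ipv6'``, or anything else (treated as
            the IPv4 ACL table).
        identifiers: optional iterable of rule ids. When truthy, only the rules
            found under those ids in the selected table are generated.
        use_nufw: forwarded to ``IptablesOptions.nufw``.

    Returns:
        The dict from ``ApplyRulesResult.exportXMLRPC()`` with the generated
        lines added under the ``'iptables'`` key, each converted with
        ``unicode()``.

    Raises:
        Whatever the selected table raises for an unknown id (presumably
        ``KeyError``): the ``identifiers`` lookup is deliberately unguarded so
        a bad id is not silently turned into "no rule".
    """
    logger = ContextLoggerChild(context, component)
    result = ApplyRulesResult(logger)

    # Select the rule table. NAT is generated for IPv4 only
    # ("Not NAT rules in IPv6!") and carries no default_decisions.
    if rule_type == 'nats':
        rules = ruleset.nats
        use_ipv6 = False
        default_decisions = None
    elif rule_type == 'acls-ipv6':
        rules = ruleset.acls_ipv6
        use_ipv6 = True
        default_decisions = rules.default_decisions
    else:
        rules = ruleset.acls_ipv4
        use_ipv6 = False
        default_decisions = rules.default_decisions

    # Restrict to the explicitly requested rules, if any. (The former
    # ``else: rules = rules`` branch was a no-op and is gone; ``id`` no
    # longer shadows the builtin.)
    if identifiers:
        rules = [rules[rule_id] for rule_id in identifiers]

    options = IptablesOptions()
    options.format = "iptables"
    options.ipv6 = use_ipv6
    options.nufw = use_nufw

    with TemplateInstanciation(ruleset):
        # filterRules() must run inside the template instantiation context,
        # like the generator below.
        rules = filterRules(result, rules)

        iptables = IptablesGenerator(logger, default_decisions, options, component.config, result)
        if rule_type == 'nats':
            lines = natsRules(iptables, rules, result)
        else:
            lines = aclsRules(iptables, rules)
        xmlrpc = result.exportXMLRPC()
        # Python 2 codebase: keep the exported line type as unicode.
        xmlrpc['iptables'] = [unicode(line) for line in lines]
        return xmlrpc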