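def test_add_rules(self):
    """Write two rules, re-read them, append a third and check the result.

    Exercises ManagementLogic._write_rules / _list_rules round-tripping
    through a real file: the first rule's conditions are expected to be
    normalised (`-o eth1 -i eth0` comes back as `-i eth0 -o eth1`), one
    rule is written per line, and a rule appended to the parsed list lands
    after the originals when written again.
    """
    import tempfile

    # tempfile.mkstemp creates the file itself, atomically and with 0600
    # permissions.  os.tempnam only returned a predictable name (that is
    # what its RuntimeWarning is about) and left a window for another
    # local user to pre-create or symlink the path before we wrote it.
    fd, fwrulefile = tempfile.mkstemp(prefix='tmprulefile')
    os.close(fd)
    try:
        rule1 = Rules.Rule('FORWARD -o eth1 -i eth0 ACCEPT')
        rule2 = Rules.Rule('OUTPUT ACCEPT')
        ManagementLogic._write_rules([rule1, rule2], fwrulefile)
        with open(fwrulefile) as f:
            lines = f.readlines()
        self.assertEqual(lines[:2], ['FORWARD -i eth0 -o eth1 ACCEPT\n',
                                     'OUTPUT ACCEPT\n'])

        rule3 = Rules.Rule('FORWARD -i eth1 -o eth0 ACCEPT')
        rules = ManagementLogic._list_rules(fwrulefile)
        rules.append(rule3)
        ManagementLogic._write_rules(rules, fwrulefile)
        with open(fwrulefile) as f:
            lines = f.readlines()
        self.assertEqual(lines[:3], ['FORWARD -i eth0 -o eth1 ACCEPT\n',
                                     'OUTPUT ACCEPT\n',
                                     'FORWARD -i eth1 -o eth0 ACCEPT\n'])
    finally:
        # The original never removed its temp file; clean up even on failure.
        os.unlink(fwrulefile)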
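def test_list_rules(self):
    """Parse a hand-written rule file and check what _list_rules returns.

    The file holds three rules and one empty line; the empty line must be
    skipped.  Also checks that Rule equality works so `in` can be used on
    the parsed list.
    """
    import tempfile

    # mkstemp instead of os.tempnam: os.tempnam is what raised the
    # RuntimeWarning the old TODO complained about (predictable name,
    # open to symlink races).  The fd we get back is used for writing.
    fd, fwrulefile = tempfile.mkstemp(prefix='tmprulefile')
    try:
        with os.fdopen(fd, 'w') as f:
            f.write('INPUT -i eth0 ACCEPT\n')
            f.write('FORWARD -o lo DROP\n')
            f.write('\n')
            f.write('OUTPUT -state NEW --verify_responder -type ! CLOSE ACCEPT\n')
        results = ManagementLogic._list_rules(fwrulefile)
    finally:
        os.unlink(fwrulefile)

    # unittest assertions instead of bare `assert`: those vanish under -O.
    self.assertEqual(len(results), 3)
    self.assertEqual(results[0].to_text(), 'INPUT -i eth0 ACCEPT')
    self.assertEqual(results[1].to_xml(),
                     '<rule hook="FORWARD" target="DROP">'
                     '<out_iface not="0" iface="lo"/>'
                     '</rule>')
    self.assertTrue(Rules.Rule('INPUT -i eth0 ACCEPT') in results)
    self.assertFalse(Rules.Rule('OUTPUT -o lo ACCEPT') in results)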
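def do_org_new_host_apply(self):
    """Logic part: Sample of an organization-customized page for adding a
    new host to the network.

    Reads `src_hit` from the submitted form and, when it is a well-formed
    HIT, grants that host access on every managed firewall: hosts whose
    name contains 'gateway' get a FORWARD rule plus an INPUT rule towards
    the organization's web server HIT, every other host a plain INPUT
    rule.  Rules are prepended so they take precedence over existing ones,
    then each host is committed and its replies are processed.

    Returns the default page on success, otherwise the new-host form
    again with an error message.  The hostname/key fields the form used
    to carry are not handled here any more.
    """
    import socket

    # Fixed HIT of the organization's web server.  It really belongs in
    # configuration rather than in code.
    WEBSERVER_HIT = '4078:4163:62c8:897:f60e:7d69:bd6a:4e0e'

    def valid_hit(hit):
        """True when `hit` parses as exactly one IPv6 address.

        A HIT is a 128-bit identifier written in IPv6 notation, so this
        doubles as the injection guard: the value is spliced into rule
        text that is stored one rule per line and re-parsed, and anything
        containing whitespace or a newline would smuggle extra conditions
        or whole rules onto the firewalls.
        """
        try:
            socket.inet_pton(socket.AF_INET6, hit)
        except (socket.error, ValueError):
            return False
        return True

    src_hit = None
    if self.form.has_key('src_hit'):
        src_hit = self.form['src_hit'].value.strip()
    if not src_hit:
        errmsg = '<p><b color="red">Missing hit!</b></p>'
        return self.do_org_new_host(errmsg, '')
    if not valid_hit(src_hit):
        # Deliberately not echoing the value back into the page.
        errmsg = '<p><b color="red">Invalid hit!</b></p>'
        return self.do_org_new_host(errmsg, '')

    in_rule = Rules.Rule('INPUT -src_hit %s ACCEPT' % src_hit)
    fwd_rule = Rules.Rule('FORWARD -src_hit %s ACCEPT' % src_hit)
    webserver_rule = Rules.Rule('INPUT -src_hit %s -dst_hit %s ACCEPT'
                                % (src_hit, WEBSERVER_HIT))

    hosts = self.get_hosts()
    for host in hosts:
        self.wanna_configure(host)
        if 'gateway' in host:
            self.servers[host].prepend_rules([webserver_rule, fwd_rule])
        else:
            self.servers[host].prepend_rules([in_rule])
        self.servers[host].commit()
    for host in hosts:
        self.servers[host].process_replies()

    # The per-host progress string the old code built here was
    # overwritten before use, so only the final message is kept.
    return self.do_default('', "Access granted for a new host.")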
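def do_show_rules(self):
    """Page for listing and manipulating the rules of one firewall host.

    Form parameters (all optional except `host`):
      host         key into self.servers; anything else is rejected
      empty_rules  flush every rule on the host
      delrule      textual rule to remove (value of a Remove button)
      add_rule     build one rule from rulehook/ruletarget plus the
                   condition fields (src_hi, src_hit, dst_hit, in_iface,
                   out_iface, pkt_type, state and their *_not toggles,
                   vrfy_responder, acpt_mobile) and add it

    Whatever was requested, the current rule and key lists are then
    fetched from the host and the page is rendered.  Returns the result
    of do_default() on a missing or unknown host.

    Every value that ends up in rule text or in the HTML is user input.
    Rule fragments are restricted to single printable tokens (rules are
    stored one per line and re-parsed, so whitespace would inject extra
    conditions or rules) and everything rendered is HTML-escaped,
    attribute-safe.  NOTE(review): the "Any" select options submit an
    empty value; with cgi.FieldStorage's default keep_blank_values=0
    that field simply is not present, and a present-but-blank field is
    treated the same way here.
    """
    # (form field, rule option, form field of its "Reverse condition"
    # toggle), in the order the options appear in the generated rule.
    CONDITION_FIELDS = (
        ('src_hi', '--hi', 'src_hi_not'),
        ('src_hit', '-src_hit', 'src_hit_not'),
        ('dst_hit', '-dst_hit', 'dst_hit_not'),
        ('in_iface', '-i', 'in_iface_not'),
        ('out_iface', '-o', 'out_iface_not'),
        ('pkt_type', '-type', 'pkt_type_not'),
        ('state', '-state', 'state_not'),
    )
    # Checkbox fields that map to a bare flag in the rule text.
    FLAG_FIELDS = (
        ('vrfy_responder', '--verify_responder'),
        ('acpt_mobile', '--accept_mobile'),
    )
    # HIP control packet types offered in the "Packet type" select.
    PACKET_TYPES = ('I1', 'R1', 'I2', 'R2', 'CER', 'UPDATE', 'NOTIFY',
                    'CLOSE', 'CLOSE_ACK')

    def escape(text):
        """HTML-escape `text` for element bodies and double-quoted attributes.

        Equivalent to cgi.escape(str(text), True) plus the single quote;
        kept local so the page does not depend on the cgi module, which
        is gone from Python 3.13.
        """
        return (str(text).replace('&', '&amp;').replace('<', '&lt;')
                .replace('>', '&gt;').replace('"', '&quot;')
                .replace("'", '&#x27;'))

    def single_token(value):
        """True when `value` is one non-empty, whitespace-free run of printable ASCII."""
        return (value != '' and value.split() == [value]
                and all(' ' <= c <= '~' for c in value))

    def condition_from_form():
        """Assemble the condition part of a new rule from the form fields.

        Returns (condition_text, error_html); error_html is '' on success
        and condition_text is '' on failure.  Blank fields are skipped,
        a field whose value is not a single token is refused.
        """
        tokens = []
        for field, option, negate in CONDITION_FIELDS:
            if not self.form.has_key(field):
                continue
            value = self.form[field].value.strip()
            if value == '':
                continue
            if not single_token(value):
                return '', ('<p><b color="red">Invalid %s, failed to add!</b></p>'
                            % field)
            tokens.append(option)
            if self.form.has_key(negate):
                tokens.append('!')
            tokens.append(value)
        for field, option in FLAG_FIELDS:
            if self.form.has_key(field):
                tokens.append(option)
        return ' '.join(tokens), ''

    def rule_row(rule):
        """One table row for `rule`, with a Remove button carrying its text."""
        return ('<tr><td>%s</td><td>%s</td><td>%s</td>'
                '<td><button type="submit" name="delrule" value="%s">'
                'Remove</button></td></tr>'
                % (escape(rule.hook), escape(rule.target),
                   escape(rule.conditions_to_text(True)),
                   escape(rule.to_text())))

    self.print_headers()
    errmsg = ''

    if not self.form.has_key('host'):
        return self.do_default("No host specified for show_rules!")
    host = self.form['host'].value
    if not self.servers.has_key(host):
        # Unknown host names are attacker-controlled: escape before they
        # are rendered by do_default().
        return self.do_default("Invalid firewall host: %s!" % escape(host))
    client = self.servers[host]

    if self.form.has_key('empty_rules'):
        client.empty_rules()

    if self.form.has_key('delrule'):
        # A malformed rule text used to raise straight out of the handler.
        try:
            doomed = Rules.Rule(self.form['delrule'].value)
        except Exception:
            errmsg = '<p><b color="red">Invalid rule, failed to remove!</b></p>'
        else:
            client.remove_rules([doomed])

    if self.form.has_key('add_rule'):
        hook = None
        target = None
        if self.form.has_key('rulehook'):
            hook = self.form['rulehook'].value
        if self.form.has_key('ruletarget'):
            target = self.form['ruletarget'].value
        cond, problem = condition_from_form()
        if hook not in ('INPUT', 'OUTPUT', 'FORWARD'):
            problem = ('<p><b color="red">Invalid hook %s, failed to add!</b></p>'
                       % escape(hook))
        if target not in ('ACCEPT', 'DROP'):
            problem = ('<p><b color="red">Invalid target %s, failed to add!</b></p>'
                       % escape(target))
        if not problem:
            try:
                rule = Rules.Rule('%s %s %s' % (hook, cond, target))
            except Exception:
                problem = '<p><b color="red">Invalid rule, failed to add!</b></p>'
            else:
                client.add_rules([rule])
        if problem:
            errmsg = problem

    # Refresh the host's rule and key lists after any change above.
    client.list_rules()
    client.list_keys()
    client.commit()
    client.process_replies()

    page = """<html><head><title>Firewall host: %(server)s</title></head>
<body>
<h1>Firewall host: %(server)s</h1>
<p>Choose <a href="ManagementConsole.cgi">another host</a>.</p>
<h2>Current HIP firewall rules</h2>
%(errmsg)s
<form action="ManagementConsole.cgi" method="POST">
<input type="hidden" name="do" value="show_rules">
<input type="hidden" name="host" value="%(server)s">
<table border="1">
<thead>
<tr>
<td><b>Hook</b></td>
<td><b>Action</b></td>
<td><b>Conditions</b></td>
<td></td>
</tr>
</thead>
<tbody>
%(rules)s
</tbody>
</table>
<p>
<input type="submit" name="refresh" value="Refresh list">
</p>
<hr>
<p>
New rule:<br>
On <select name="rulehook">
<option value="INPUT">INPUT</option>
<option value="OUTPUT">OUTPUT</option>
<option value="FORWARD">FORWARD</option>
</select>
do <select name="ruletarget">
<option value="ACCEPT">ACCEPT</option>
<option value="DROP">DROP</option>
</select><br>
If conditions match:
<table border="0" cellpadding="4">
<tbody>
<tr>
<td align="right">Source HIT:</td>
<td><input type="text" size="40" name="src_hit"></td>
<td><input type="checkbox" name="src_hit_not" value="1">Reverse condition</td>
</tr>
<tr>
<td align="right">Destination HIT:</td>
<td><input type="text" size="40" name="dst_hit"></td>
<td><input type="checkbox" name="dst_hit_not" value="1">Reverse condition</td>
</tr>
<tr>
<td align="right">Source Host Identity:</td>
<td>
<select name="src_hi">
<option value="">Any</option>
%(hi_options)s
</select>
</td>
<td><input type="checkbox" name="src_hi_not" value="1">Reverse condition</td>
</tr>
<tr>
<td align="right">Incoming interface:</td>
<td><input type="text" size="10" name="in_iface"></td>
<td><input type="checkbox" name="in_iface_not" value="1">Reverse condition</td>
</tr>
<tr>
<td align="right">Outgoing interface:</td>
<td><input type="text" size="10" name="out_iface"></td>
<td><input type="checkbox" name="out_iface_not" value="1">Reverse condition</td>
</tr>
<tr>
<td align="right">Packet type:</td>
<td>
<select name="pkt_type">
<option value="">Any</option>
%(pkt_type_options)s
</select>
</td>
<td><input type="checkbox" name="pkt_type_not" value="1">Reverse condition</td>
</tr>
<tr>
<td align="right">HIP Association's state:</td>
<td>
<select name="state">
<option value="">Any</option>
<option value="NEW">NEW</option>
<option value="ESTABLISHED">ESTABLISHED</option>
</select>
<input type="checkbox" name="vrfy_responder" value="1">Verify responder
<input type="checkbox" name="acpt_mobile" value="1">Accept mobile
</td>
<td><input type="checkbox" name="state_not" value="1">Reverse condition</td>
</tr>
</tbody>
</table>
<br>
<input type="submit" name="add_rule" value="Add new rule">
</p>
<hr>
<p>
<input type="submit" name="empty_rules" value="Flush rules">
</p>
</form>
<hr>
<p>
<a href="ManagementConsole.cgi?host=%(server)s&do=keystore">
Manage stored keys
</a>
</p>
</body></html>
"""
    # The FORWARD option used to be written as `forward="FORWARD"` and the
    # key options as `name="..."`; both only worked because browsers fall
    # back to the option text.  Everything substituted is escaped, the
    # host included, so a value with quotes cannot break out of an attribute.
    option = '<option value="%s">%s</option>'
    print(page % {
        'server': escape(host),
        'rules': '\n'.join([rule_row(rule) for rule in client.rules]),
        'hi_options': '\n'.join([option % (escape(k), escape(k))
                                 for k in client.keys]),
        'pkt_type_options': '\n'.join([option % (t, t) for t in PACKET_TYPES]),
        'errmsg': errmsg,
    })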