def test_add_removeRule(self): self.fw_direct.addRule("ipv4", "filter", "direct_foo1", 0, [ "-m", "tcp", "-p", "tcp", "--dport", "332", "-j", "ACCEPT" ]) self.fw_direct.addRule("ipv4", "filter", "direct_foo1", 0, [ "-m", "tcp", "-p", "tcp", "--dport", "333", "-j", "ACCEPT" ]) self.fw_direct.addRule("ipv4", "filter", "direct_foo1", 1, [ "-m", "tcp", "-p", "tcp", "--dport", "334", "-j", "ACCEPT" ]) self.fw_direct.addRule("ipv4", "filter", "direct_foo1", -5, [ "-m", "tcp", "-p", "tcp", "--dport", "331", "-j", "ACCEPT" ]) self.fw_direct.addRule("ipv4", "filter", "direct_foo1", -10, [ "-m", "tcp", "-p", "tcp", "--dport", "330", "-j", "ACCEPT" ]) self.fw_direct.addRule("ipv4", "filter", "direct_foo1", -5, [ "-m", "udp", "-p", "udp", "--dport", "331", "-j", "ACCEPT" ]) # Re-adding self.assertRaisesRegexp(Exception, 'ALREADY_ENABLED', self.fw_direct.addRule, "ipv4", "filter", "direct_foo1", -5, [ "-m", "udp", "-p", "udp", "--dport", "331", "-j", "ACCEPT" ]) ret = self.fw_direct.queryRule("ipv4", "filter", "direct_foo1", -5, [ "-m", "udp", "-p", "udp", "--dport", "331", "-j", "ACCEPT" ]) self.assertFalse(dbus_to_python(ret)) ret = self.fw_direct.getRules("ipv4", "filter", "direct_foo1") self.assertTrue(len(ret) == 6) #pprint (dbus_to_python(ret)) self.fw_direct.removeRule("ipv4", "filter", "direct_foo1", -10, [ "-m", "tcp", "-p", "tcp", "--dport", "330", "-j", "ACCEPT" ]) self.fw_direct.removeRule("ipv4", "filter", "direct_foo1", -5, [ "-m", "tcp", "-p", "tcp", "--dport", "331", "-j", "ACCEPT" ]) self.fw_direct.removeRule("ipv4", "filter", "direct_foo1", -5, [ "-m", "udp", "-p", "udp", "--dport", "331", "-j", "ACCEPT" ]) self.fw_direct.removeRule("ipv4", "filter", "direct_foo1", 0, [ "-m", "tcp", "-p", "tcp", "--dport", "332", "-j", "ACCEPT" ]) self.fw_direct.removeRule("ipv4", "filter", "direct_foo1", 0, [ "-m", "tcp", "-p", "tcp", "--dport", "333", "-j", "ACCEPT" ]) self.fw_direct.removeRule("ipv4", "filter", "direct_foo1", 1, [ "-m", "tcp", "-p", "tcp", "--dport", "334", "-j", "ACCEPT" ]) # Re-removing self.assertRaisesRegexp(Exception, 'NOT_ENABLED', self.fw_direct.removeRule, "ipv4", "filter", "direct_foo1", 1, [ "-m", "tcp", "-p", "tcp", "--dport", "334", "-j", "ACCEPT" ]) ret = self.fw_direct.queryRule("ipv4", "filter", "direct_foo1", 1, [ "-m", "tcp", "-p", "tcp", "--dport", "334", "-j", "ACCEPT" ]) self.assertFalse(dbus_to_python(ret)) ret = self.fw_direct.getRules("ipv4", "filter", "direct_foo1") self.assertTrue(ret == [])
def Get(self, interface_name, property_name, sender=None): # get a property interface_name = dbus_to_python(interface_name) property_name = dbus_to_python(property_name) log.debug1("config.service.%d.Get('%s', '%s')", self.id, interface_name, property_name) if interface_name != DBUS_INTERFACE_CONFIG_SERVICE: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.UnknownInterface: " "FirewallD does not implement %s" % interface_name) if property_name == "name": return self.obj.name elif property_name == "filename": return self.obj.filename elif property_name == "path": return self.obj.path elif property_name == "default": return self.obj.default elif property_name == "builtin": return self.config.is_builtin_service(self.obj) else: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.AccessDenied: " "Property '%s' isn't exported (or may not exist)" % \ property_name)
def queryPassthrough(self, ipv, args, sender=None): ipv = dbus_to_python(ipv) args = dbus_to_python(args) log.debug1("config.direct.queryPassthrough('%s', '%s')" % \ (ipv, "','".join(args))) idx = (ipv, args) return idx in self.getSettings()[2]
def queryOption(self, key, value, sender=None): # pylint: disable=W0613 key = dbus_to_python(key, str) value = dbus_to_python(value, str) log.debug1("%s.queryOption('%s', '%s')", self._log_prefix, key, value) settings = list(self.getSettings()) return (key in settings[4] and settings[4][key] == value)
def PropertiesChanged(self, interface_name, changed_properties, invalidated_properties): interface_name = dbus_to_python(interface_name, str) changed_properties = dbus_to_python(changed_properties) invalidated_properties = dbus_to_python(invalidated_properties) log.debug1("%s.PropertiesChanged('%s', '%s', '%s')", self._log_prefix, interface_name, changed_properties, invalidated_properties)
def queryOption(self, key, value, sender=None): key = dbus_to_python(key, str) value = dbus_to_python(value, str) log.debug1("config.ipset.%d.queryOption('%s', '%s')", self.id, key, value) settings = list(self.getSettings()) return (key in settings[4] and settings[4][key] == value)
def queryDestination(self, family, address, sender=None): family = dbus_to_python(family, str) address = dbus_to_python(address, str) log.debug1("config.service.%d.queryDestination('%s', '%s')", self.id, family, address) settings = self.getSettings() return (family in settings[5] and address == settings[5][family])
def queryChain(self, ipv, table, chain, sender=None): ipv = dbus_to_python(ipv) table = dbus_to_python(table) chain = dbus_to_python(chain) log.debug1("config.direct.queryChain('%s', '%s', '%s')" % \ (ipv, table, chain)) idx = tuple((ipv, table, chain)) return idx in self.getSettings()[0]
def queryDestination(self, family, address, sender=None): # pylint: disable=W0613 family = dbus_to_python(family, str) address = dbus_to_python(address, str) log.debug1("%s.queryDestination('%s', '%s')", self._log_prefix, family, address) settings = self.getSettings() return (family in settings[5] and address == settings[5][family])
def getChains(self, ipv, table, sender=None): ipv = dbus_to_python(ipv) table = dbus_to_python(table) log.debug1("config.direct.getChains('%s', '%s')" % (ipv, table)) ret = [ ] for idx in self.getSettings()[0]: if idx[0] == ipv and idx[1] == table: ret.append(idx[2]) return ret
def queryForwardPort(self, port, protocol, toport, toaddr, sender=None): # pylint: disable=W0613, R0913 port = dbus_to_python(port, str) protocol = dbus_to_python(protocol, str) toport = dbus_to_python(toport, str) toaddr = dbus_to_python(toaddr, str) log.debug1("%s.queryForwardPort('%s', '%s', '%s', '%s')", self._log_prefix, port, protocol, toport, toaddr) fwp_id = (port, protocol, str(toport), str(toaddr)) return fwp_id in self.getSettings()[9]
def addIPSet(self, ipset, settings, sender=None): """add ipset with given name and settings """ ipset = dbus_to_python(ipset, str) settings = dbus_to_python(settings) log.debug1("config.addIPSet('%s')", ipset) self.accessCheck(sender) obj = self.config.new_ipset(ipset, settings) config_ipset = self._addIPSet(obj) return config_ipset
def queryForwardPort(self, port, protocol, toport, toaddr, sender=None): port = dbus_to_python(port, str) protocol = dbus_to_python(protocol, str) toport = dbus_to_python(toport, str) toaddr = dbus_to_python(toaddr, str) log.debug1("config.zone.%d.queryForwardPort('%s', '%s', '%s', '%s')", self.id, port, protocol, toport, toaddr) fwp_id = (portStr(port, "-"), protocol, portStr(toport, "-"), str(toaddr)) return fwp_id in self.getSettings()[9]
def addIcmpType(self, icmptype, settings, sender=None): """add icmptype with given name and settings """ icmptype = dbus_to_python(icmptype, str) settings = dbus_to_python(settings) log.debug1("config.addIcmpType('%s')", icmptype) self.accessCheck(sender) obj = self.config.new_icmptype(icmptype, settings) config_icmptype = self._addIcmpType(obj) return config_icmptype
def addZone(self, zone, settings, sender=None): """add zone with given name and settings """ zone = dbus_to_python(zone) settings = dbus_to_python(settings) log.debug1("config.addZone('%s')", zone) self.accessCheck(sender) obj = self.config.new_zone(zone, settings) config_zone = self._addZone(obj) return config_zone
def addService(self, service, settings, sender=None): """add service with given name and settings """ service = dbus_to_python(service, str) settings = dbus_to_python(settings) log.debug1("config.addService('%s')", service) self.accessCheck(sender) obj = self.config.new_service(service, settings) config_service = self._addService(obj) return config_service
def queryRule(self, ipv, table, chain, priority, args, sender=None): ipv = dbus_to_python(ipv) table = dbus_to_python(table) chain = dbus_to_python(chain) priority = dbus_to_python(priority) args = dbus_to_python(args) log.debug1("config.direct.queryRule('%s', '%s', '%s', %d, '%s')" % \ (ipv, table, chain, priority, "','".join(args))) idx = (ipv, table, chain, priority, args) return idx in self.getSettings()[1]
def removeRules(self, ipv, table, chain, sender=None): ipv = dbus_to_python(ipv) table = dbus_to_python(table) chain = dbus_to_python(chain) log.debug1("config.direct.removeRules('%s', '%s', '%s')" % (ipv, table, chain, )) self.accessCheck(sender) settings = list(self.getSettings()) settings[1] = [] self.update(tuple(settings))
def addOption(self, key, value, sender=None): key = dbus_to_python(key, str) value = dbus_to_python(value, str) log.debug1("config.ipset.%d.addOption('%s', '%s')", self.id, key, value) self.parent.accessCheck(sender) settings = list(self.getSettings()) if key in settings[4] and settings[4][key] == value: raise FirewallError(ALREADY_ENABLED, "'%s': '%s'" % (key, value)) settings[4][key] = value self.update(settings)
def setDestination(self, family, address, sender=None): family = dbus_to_python(family, str) address = dbus_to_python(address, str) log.debug1("config.service.%d.setDestination('%s', '%s')", self.id, family, address) self.parent.accessCheck(sender) settings = list(self.getSettings()) if family in settings[5]: raise FirewallError(ALREADY_ENABLED, family) settings[5][family] = address self.update(settings)
def removeSourcePort(self, port, protocol, sender=None): port = dbus_to_python(port, str) protocol = dbus_to_python(protocol, str) log.debug1("%s.removeSourcePort('%s', '%s')", self._log_prefix, port, protocol) self.parent.accessCheck(sender) settings = list(self.getSettings()) if (port,protocol) not in settings[7]: raise FirewallError(errors.NOT_ENABLED, "%s:%s" % (port, protocol)) settings[7].remove((port,protocol)) self.update(settings)
def removePort(self, port, protocol, sender=None): port = dbus_to_python(port, str) protocol = dbus_to_python(protocol, str) log.debug1("config.service.%d.removePort('%s', '%s')", self.id, port, protocol) self.parent.accessCheck(sender) settings = list(self.getSettings()) if (port,protocol) not in settings[3]: raise FirewallError(NOT_ENABLED, "%s:%s" % (port, protocol)) settings[3].remove((port,protocol)) self.update(settings)
def getRules(self, ipv, table, chain, sender=None): ipv = dbus_to_python(ipv) table = dbus_to_python(table) chain = dbus_to_python(chain) log.debug1("config.direct.getRules('%s', '%s', '%s')" % \ (ipv, table, chain)) ret = [ ] for idx in self.getSettings()[1]: if idx[0] == ipv and idx[1] == table and idx[2] == chain: ret.append((idx[3], idx[4])) return ret
def addPort(self, port, protocol, sender=None): port = dbus_to_python(port, str) protocol = dbus_to_python(protocol, str) log.debug1("config.zone.%d.addPort('%s', '%s')", self.id, port, protocol) self.parent.accessCheck(sender) settings = list(self.getSettings()) if (port,protocol) in settings[6]: raise FirewallError(ALREADY_ENABLED, "%s:%s" % (port, protocol)) settings[6].append((port,protocol)) self.update(settings)
def setDestination(self, family, address, sender=None): family = dbus_to_python(family, str) address = dbus_to_python(address, str) log.debug1("%s.setDestination('%s', '%s')", self._log_prefix, family, address) self.parent.accessCheck(sender) settings = list(self.getSettings()) if family in settings[5] and settings[5][family] == address: raise FirewallError(errors.ALREADY_ENABLED, "'%s': '%s'" % (family, address)) settings[5][family] = address self.update(settings)
def Get(self, interface_name, property_name, sender=None): # get a property interface_name = dbus_to_python(interface_name, str) property_name = dbus_to_python(property_name, str) log.debug1("config.Get('%s', '%s')", interface_name, property_name) if interface_name != DBUS_INTERFACE_CONFIG: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.UnknownInterface: " "FirewallD does not implement %s" % interface_name) return self._get_property(property_name)
def addSourcePort(self, port, protocol, sender=None): port = dbus_to_python(port, str) protocol = dbus_to_python(protocol, str) log.debug1("%s.addSourcePort('%s', '%s')", self._log_prefix, port, protocol) self.parent.accessCheck(sender) settings = list(self.getSettings()) if (port,protocol) in settings[14]: raise FirewallError(errors.ALREADY_ENABLED, "%s:%s" % (port, protocol)) settings[14].append((port,protocol)) self.update(settings)
def Get(self, interface_name, property_name, sender=None): # pylint: disable=W0613 # get a property interface_name = dbus_to_python(interface_name, str) property_name = dbus_to_python(property_name, str) log.debug1("%s.Get('%s', '%s')", self._log_prefix, interface_name, property_name) if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ZONE: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.UnknownInterface: " "Interface '%s' does not exist" % interface_name) return self._get_property(property_name)
def removePassthrough(self, ipv, args, sender=None): ipv = dbus_to_python(ipv) args = dbus_to_python(args) log.debug1("config.direct.removePassthrough('%s', '%s')" % \ (ipv, "','".join(args))) self.accessCheck(sender) idx = (ipv, args) settings = list(self.getSettings()) if idx not in settings[2]: raise FirewallError(NOT_ENABLED, "passthrough '%s', '%s'" % (ipv, args)) settings[2].remove(idx) self.update(settings)
def removeChain(self, ipv, table, chain, sender=None): ipv = dbus_to_python(ipv) table = dbus_to_python(table) chain = dbus_to_python(chain) log.debug1("config.direct.removeChain('%s', '%s', '%s')" % \ (ipv, table, chain)) self.accessCheck(sender) idx = tuple((ipv, table, chain)) settings = list(self.getSettings()) if idx not in settings[0]: raise FirewallError(NOT_ENABLED, "chain '%s' is not in '%s:%s'" % (chain, ipv, table)) settings[0].remove(idx) self.update(settings)
def queryModule(self, module, sender=None): module = dbus_to_python(module, str) log.debug1("config.service.%d.queryModule('%s')", self.id, module) return module in self.getSettings()[4]
def queryInterface(self, interface, sender=None): interface = dbus_to_python(interface, str) log.debug1("config.zone.%d.queryInterface('%s')", self.id, interface) return interface in self.getSettings()[10]
def querySource(self, source, sender=None): source = dbus_to_python(source, str) log.debug1("config.zone.%d.querySource('%s')", self.id, source) return source in self.getSettings()[11]
def queryDestination(self, destination, sender=None): # pylint: disable=W0613 destination = dbus_to_python(destination, str) log.debug1("%s.queryDestination('%s')", self._log_prefix, destination) settings = self.getSettings() # empty means all return (not settings[3] or destination in settings[3])
def IPSetAdded(self, ipset): ipset = dbus_to_python(ipset, str) log.debug1("config.IPSetAdded('%s')" % (ipset))
def queryLockdownWhitelistUid(self, uid, sender=None): uid = dbus_to_python(uid) log.debug1("config.policies.queryLockdownWhitelistUid(%d)", uid) return uid in self.getLockdownWhitelist()[3]
def queryProtocol(self, protocol, sender=None): # pylint: disable=W0613 protocol = dbus_to_python(protocol, str) log.debug1("%s.queryProtocol(%s')", self._log_prefix, protocol) return protocol in self.getSettings()[6]
def queryFamily(self, ipv, sender=None): # pylint: disable=W0613 ipv = dbus_to_python(ipv, str) log.debug1("%s.queryFamily('%s')", self._log_prefix, ipv) settings = self.getSettings() return (settings[3] == ipv)
def queryPort(self, port, protocol, sender=None): port = dbus_to_python(port, str) protocol = dbus_to_python(protocol, str) log.debug1("config.service.%d.queryPort('%s', '%s')", self.id, port, protocol) return (port,protocol) in self.getSettings()[3]
def queryLockdownWhitelistContext(self, context, sender=None): context = dbus_to_python(context) log.debug1("config.policies.queryLockdownWhitelistContext('%s')", context) return context in self.getLockdownWhitelist()[1]
def test_add_removeRule(self): self.fw_direct.addRule( "ipv4", "filter", "direct_foo1", 0, ["-m", "tcp", "-p", "tcp", "--dport", "332", "-j", "ACCEPT"]) self.fw_direct.addRule( "ipv4", "filter", "direct_foo1", 0, ["-m", "tcp", "-p", "tcp", "--dport", "333", "-j", "ACCEPT"]) self.fw_direct.addRule( "ipv4", "filter", "direct_foo1", 1, ["-m", "tcp", "-p", "tcp", "--dport", "334", "-j", "ACCEPT"]) self.fw_direct.addRule( "ipv4", "filter", "direct_foo1", -5, ["-m", "tcp", "-p", "tcp", "--dport", "331", "-j", "ACCEPT"]) self.fw_direct.addRule( "ipv4", "filter", "direct_foo1", -10, ["-m", "tcp", "-p", "tcp", "--dport", "330", "-j", "ACCEPT"]) self.fw_direct.addRule( "ipv4", "filter", "direct_foo1", -5, ["-m", "udp", "-p", "udp", "--dport", "331", "-j", "ACCEPT"]) # Re-adding self.assertRaisesRegexp( Exception, 'ALREADY_ENABLED', self.fw_direct.addRule, "ipv4", "filter", "direct_foo1", -5, ["-m", "udp", "-p", "udp", "--dport", "331", "-j", "ACCEPT"]) ret = self.fw_direct.queryRule( "ipv4", "filter", "direct_foo1", -5, ["-m", "udp", "-p", "udp", "--dport", "331", "-j", "ACCEPT"]) self.assertTrue(dbus_to_python(ret)) ret = self.fw_direct.getRules("ipv4", "filter", "direct_foo1") self.assertTrue(len(ret) == 6) #pprint (dbus_to_python(ret)) self.fw_direct.removeRule( "ipv4", "filter", "direct_foo1", -10, ["-m", "tcp", "-p", "tcp", "--dport", "330", "-j", "ACCEPT"]) self.fw_direct.removeRule( "ipv4", "filter", "direct_foo1", -5, ["-m", "tcp", "-p", "tcp", "--dport", "331", "-j", "ACCEPT"]) self.fw_direct.removeRule( "ipv4", "filter", "direct_foo1", -5, ["-m", "udp", "-p", "udp", "--dport", "331", "-j", "ACCEPT"]) self.fw_direct.removeRule( "ipv4", "filter", "direct_foo1", 0, ["-m", "tcp", "-p", "tcp", "--dport", "332", "-j", "ACCEPT"]) self.fw_direct.removeRule( "ipv4", "filter", "direct_foo1", 0, ["-m", "tcp", "-p", "tcp", "--dport", "333", "-j", "ACCEPT"]) self.fw_direct.removeRule( "ipv4", "filter", "direct_foo1", 1, ["-m", "tcp", "-p", "tcp", "--dport", "334", "-j", "ACCEPT"]) # Re-removing self.assertRaisesRegexp( Exception, 'NOT_ENABLED', self.fw_direct.removeRule, "ipv4", "filter", "direct_foo1", 1, ["-m", "tcp", "-p", "tcp", "--dport", "334", "-j", "ACCEPT"]) ret = self.fw_direct.queryRule( "ipv4", "filter", "direct_foo1", 1, ["-m", "tcp", "-p", "tcp", "--dport", "334", "-j", "ACCEPT"]) self.assertFalse(dbus_to_python(ret)) ret = self.fw_direct.getRules("ipv4", "filter", "direct_foo1") self.assertTrue(ret == [])
def querySource(self, source, sender=None): # pylint: disable=W0613 source = dbus_to_python(source, str) log.debug1("%s.querySource('%s')", self._log_prefix, source) return source in self.getSettings()[11]
def queryProtocol(self, protocol, sender=None): protocol = dbus_to_python(protocol, str) log.debug1("config.service.%d.queryProtocol(%s')", self.id, protocol) return protocol in self.getSettings()[6]
def queryModule(self, module, sender=None): # pylint: disable=W0613 module = dbus_to_python(module, str) log.debug1("%s.queryModule('%s')", self._log_prefix, module) return module in self.getSettings()[4]
def querySourcePort(self, port, protocol, sender=None): # pylint: disable=W0613 port = dbus_to_python(port, str) protocol = dbus_to_python(protocol, str) log.debug1("%s.querySourcePort('%s', '%s')", self._log_prefix, port, protocol) return (port,protocol) in self.getSettings()[7]
def queryIcmpBlock(self, icmptype, sender=None): # pylint: disable=W0613 icmptype = dbus_to_python(icmptype, str) log.debug1("%s.queryIcmpBlock('%s')", self._log_prefix, icmptype) return icmptype in self.getSettings()[7]
def queryIcmpBlock(self, icmptype, sender=None): icmptype = dbus_to_python(icmptype, str) log.debug1("config.zone.%d.removeIcmpBlock('%s')", self.id, icmptype) return icmptype in self.getSettings()[7]
def queryRichRule(self, rule, sender=None): # pylint: disable=W0613 rule = dbus_to_python(rule, str) log.debug1("%s.queryRichRule('%s')", self._log_prefix, rule) rule_str = str(Rich_Rule(rule_str=rule)) return rule_str in self.getSettings()[12]
def queryInterface(self, interface, sender=None): # pylint: disable=W0613 interface = dbus_to_python(interface, str) log.debug1("%s.queryInterface('%s')", self._log_prefix, interface) return interface in self.getSettings()[10]
def queryLockdownWhitelistCommand(self, command, sender=None): command = dbus_to_python(command) log.debug1("config.policies.queryLockdownWhitelistCommand('%s')", command) return command in self.getLockdownWhitelist()[0]
def queryLockdownWhitelistUser(self, user, sender=None): user = dbus_to_python(user) log.debug1("config.policies.queryLockdownWhitelistUser('%s')", user) return user in self.getLockdownWhitelist()[2]
def test_zone_getZones(self): z = self.fw_zone.getZones() print("\nZones:") pprint(dbus_to_python(z))
def queryRichRule(self, rule, sender=None): rule = dbus_to_python(rule, str) log.debug1("config.zone.%d.queryRichRule('%s')", self.id, rule) rule_str = str(Rich_Rule(rule_str=rule)) return rule_str in self.getSettings()[12]
def setLockdownWhitelist(self, settings, sender=None): log.debug1("config.policies.setLockdownWhitelist(...)") settings = dbus_to_python(settings) self.config.get_policies().lockdown_whitelist.import_config(settings) self.config.get_policies().lockdown_whitelist.write() self.LockdownWhitelistUpdated()
def queryEntry(self, entry, sender=None): entry = dbus_to_python(entry, str) log.debug1("config.ipset.%d.queryEntry('%s')", self.id, entry) return entry in self.getSettings()[5]