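def startElement(self, name, attrs):
    """SAX start-element hook for a service definition file.

    Dispatches on the element name and fills ``self.item``:

    * ``<service>``: a deprecated ``name`` attribute is ignored with a
      warning, ``version`` is copied to the item.
    * ``<short>`` / ``<description>``: nothing to do on the start tag.
    * ``<port>``: ``(port, protocol)`` is appended as-is.
    * ``<destination>``: each ``ipv4``/``ipv6`` attribute is validated with
      ``check_address`` before it is stored.
    * ``<module>``: the module name is appended as-is.

    Args:
        name: XML element name.
        attrs: SAX attribute mapping for the element.

    Raises:
        FirewallError: INVALID_ADDR when a destination address is not a
            valid address of its family.  Missing/unknown attributes are
            rejected by ``parser_check_element_attrs`` before any are read.
    """
    IO_Object_ContentHandler.startElement(self, name)
    # Attribute-set validation runs first so every attrs[...] lookup below
    # is for an attribute the schema allows.
    self.item.parser_check_element_attrs(name, attrs)

    if name == "service":
        if "name" in attrs:
            # Lazy %-args: formatted only when the warning level is enabled.
            log.warning("Ignoring deprecated attribute name='%s'", attrs["name"])
        if "version" in attrs:
            self.item.version = attrs["version"]
    elif name in ("short", "description"):
        pass
    elif name == "port":
        # NOTE: port and protocol values are not validated at parse time;
        # presumably _check_config does that before the item is used.
        self.item.ports.append((attrs["port"], attrs["protocol"]))
    elif name == "destination":
        for family in ("ipv4", "ipv6"):
            if family not in attrs:
                continue
            address = attrs[family]
            if not check_address(family, address):
                raise FirewallError(
                    INVALID_ADDR,
                    "'%s' is not valid %s address" % (address, family))
            self.item.destination[family] = address
    elif name == "module":
        # NOTE: the module name is not checked here (e.g. for the
        # nf_conntrack_ prefix); presumably _check_config does that.
        self.item.modules.append(attrs["name"])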
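def _check_config(self, config, item):
    """Validate one service setting before it is accepted.

    Args:
        config: the value for ``item`` -- a list of ``(port, protocol)``
            tuples for ``"ports"`` (an empty port means "the whole
            protocol"), a list of protocol names for ``"protocols"``, a
            ``{"ipv4"|"ipv6": address}`` dict for ``"destination"`` or a
            list of ``nf_conntrack_*`` module names for ``"modules"``.
            Any other item is accepted without inspection.
        item: name of the setting being validated.

    Raises:
        FirewallError: INVALID_PROTOCOL, INVALID_DESTINATION, INVALID_ADDR
            or INVALID_MODULE for the first offending entry.  ``check_port``
            and ``check_tcpudp`` raise their own errors for bad ports.
    """
    # One if/elif chain: the original restarted the chain with a bare
    # ``if`` for "protocols", which reads as if both branches could run.
    if item == "ports":
        for entry in config:
            port, proto = entry[0], entry[1]
            if port != "":
                check_port(port)
                check_tcpudp(proto)
            elif not checkProtocol(proto):
                # Port-less entry: only the protocol name is checked.
                raise FirewallError(INVALID_PROTOCOL, proto)
    elif item == "protocols":
        for proto in config:
            if not checkProtocol(proto):
                raise FirewallError(INVALID_PROTOCOL, proto)
    elif item == "destination":
        for family in config:
            if family not in ["ipv4", "ipv6"]:
                raise FirewallError(
                    INVALID_DESTINATION,
                    "'%s' not in {'ipv4'|'ipv6'}" % family)
            if not check_address(family, config[family]):
                raise FirewallError(
                    INVALID_ADDR,
                    "'%s' is not valid %s address" % (config[family], family))
    elif item == "modules":
        for module in config:
            # Only connection-tracking helpers may be named by a service
            # definition.  replace() strips *every* occurrence of the
            # prefix, so a name made only of repeated prefixes is rejected
            # as well as the bare prefix.
            if not module.startswith("nf_conntrack_"):
                raise FirewallError(INVALID_MODULE, module)
            elif len(module.replace("nf_conntrack_", "")) < 1:
                raise FirewallError(INVALID_MODULE, module)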
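def _check_config(self, config, item):
    """Validate one service setting before it is stored.

    Args:
        config: the value for ``item`` -- a list of ``(port, protocol)``
            tuples for ``"ports"`` (an empty port means "the whole
            protocol"), a list of protocol names for ``"protocols"``, a
            ``{"ipv4"|"ipv6": address}`` dict for ``"destination"`` or a
            list of ``nf_conntrack_*`` module names for ``"modules"``.
            Any other item is accepted without inspection.
        item: name of the setting being validated.

    Raises:
        FirewallError: INVALID_PROTOCOL, INVALID_DESTINATION, INVALID_ADDR
            or INVALID_MODULE for the first offending entry.  ``check_port``
            and ``check_protocol`` raise their own errors for bad ports.
    """
    if item == "ports":
        for entry in config:
            port, proto = entry[0], entry[1]
            if port != "":
                check_port(port)
                check_protocol(proto)
            elif not checkProtocol(proto):
                # Port-less entry: only the protocol name is checked.
                raise FirewallError(INVALID_PROTOCOL, proto)
    elif item == "protocols":
        # Plain protocol entries carry no port at all, so they get the same
        # protocol-name check as a port-less "ports" entry.  Without this
        # branch a "protocols" setting would pass through here unchecked.
        for proto in config:
            if not checkProtocol(proto):
                raise FirewallError(INVALID_PROTOCOL, proto)
    elif item == "destination":
        for family in config:
            if family not in ["ipv4", "ipv6"]:
                raise FirewallError(
                    INVALID_DESTINATION,
                    "'%s' not in {'ipv4'|'ipv6'}" % family)
            if not check_address(family, config[family]):
                raise FirewallError(
                    INVALID_ADDR,
                    "'%s' is not valid %s address" % (config[family], family))
    elif item == "modules":
        for module in config:
            # Only connection-tracking helpers may be named by a service
            # definition, and there must be something after the prefix.
            if not module.startswith("nf_conntrack_"):
                raise FirewallError(INVALID_MODULE, module)
            elif len(module.replace("nf_conntrack_", "")) < 1:
                raise FirewallError(INVALID_MODULE, module)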
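def startElement(self, name, attrs):
    """SAX start-element hook for a service definition file.

    Dispatches on the element name and fills ``self.item``:

    * ``<service>``: a deprecated ``name`` attribute is ignored with a
      warning, ``version`` is copied to the item.
    * ``<short>`` / ``<description>``: nothing to do on the start tag.
    * ``<port>``: ``(port, protocol)`` is appended to ``ports``; an empty
      ``port`` attribute means the whole protocol, which goes to
      ``protocols`` instead.
    * ``<protocol>``: its ``value`` is appended to ``protocols``.
    * ``<destination>``: each ``ipv4``/``ipv6`` attribute is validated with
      ``check_address`` before it is stored.
    * ``<module>``: the module name is appended as-is.

    Args:
        name: XML element name.
        attrs: SAX attribute mapping for the element.

    Raises:
        FirewallError: INVALID_ADDR when a destination address is not a
            valid address of its family.  Missing/unknown attributes are
            rejected by ``parser_check_element_attrs`` before any are read.
    """
    IO_Object_ContentHandler.startElement(self, name)
    # Attribute-set validation runs first so every attrs[...] lookup below
    # is for an attribute the schema allows.
    self.item.parser_check_element_attrs(name, attrs)

    if name == "service":
        if "name" in attrs:
            # Lazy %-args: formatted only when the warning level is enabled.
            log.warning("Ignoring deprecated attribute name='%s'", attrs["name"])
        if "version" in attrs:
            self.item.version = attrs["version"]
    elif name in ("short", "description"):
        pass
    elif name == "port":
        port, proto = attrs["port"], attrs["protocol"]
        # NOTE: neither value is validated at parse time; presumably
        # _check_config does that before the item is used.
        if port != "":
            self.item.ports.append((port, proto))
        else:
            self.item.protocols.append(proto)
    elif name == "protocol":
        self.item.protocols.append(attrs["value"])
    elif name == "destination":
        for family in ("ipv4", "ipv6"):
            if family not in attrs:
                continue
            address = attrs[family]
            if not check_address(family, address):
                raise FirewallError(
                    INVALID_ADDR,
                    "'%s' is not valid %s address" % (address, family))
            self.item.destination[family] = address
    elif name == "module":
        # NOTE: the module name is not checked here (e.g. for the
        # nf_conntrack_ prefix); presumably _check_config does that.
        self.item.modules.append(attrs["name"])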
def startElement(self, name, attrs):
    """SAX start-element hook for a service definition file.

    Fills ``self.item`` from the element's attributes.  Every list/dict on
    the item is kept duplicate-free: a repeated port, protocol, destination
    family or module is dropped with a warning rather than stored twice.

    * ``<service>``: a deprecated ``name`` attribute is ignored with a
      warning, ``version`` is copied.
    * ``<short>`` / ``<description>``: nothing on the start tag.
    * ``<port>``: ``(port, protocol)`` goes to ``ports``; an empty ``port``
      means the whole protocol and goes to ``protocols`` instead.
    * ``<protocol>``: ``value`` goes to ``protocols``.
    * ``<destination>``: ``ipv4``/``ipv6`` attributes are validated with
      ``check_address`` before being stored.
    * ``<module>``: only ``nf_conntrack_<something>`` names are accepted;
      anything else is *skipped with a warning*, not rejected -- a typo in a
      helper name therefore does not fail the whole file.

    Args:
        name: XML element name.
        attrs: SAX attribute mapping for the element.

    Raises:
        FirewallError: INVALID_ADDR for a destination address that is not a
            valid address of its family.
    """
    IO_Object_ContentHandler.startElement(self, name)
    self.item.parser_check_element_attrs(name, attrs)

    def add_protocol(proto):
        # Shared by <port port=""> and <protocol>: same list, same warning.
        if proto in self.item.protocols:
            log.warning("Protocol '%s' already set, ignoring.", proto)
        else:
            self.item.protocols.append(proto)

    if name == "service":
        if "name" in attrs:
            log.warning("Ignoring deprecated attribute name='%s'", attrs["name"])
        if "version" in attrs:
            self.item.version = attrs["version"]
    elif name in ("short", "description"):
        pass
    elif name == "port":
        port, proto = attrs["port"], attrs["protocol"]
        if port == "":
            add_protocol(proto)
        else:
            entry = (port, proto)
            if entry in self.item.ports:
                log.warning("Port '%s/%s' already set, ignoring.", port, proto)
            else:
                self.item.ports.append(entry)
    elif name == "protocol":
        add_protocol(attrs["value"])
    elif name == "destination":
        for family in ("ipv4", "ipv6"):
            if family not in attrs:
                continue
            address = attrs[family]
            # Validate before the duplicate check so a bad address is always
            # reported, even when the family is already set.
            if not check_address(family, address):
                raise FirewallError(INVALID_ADDR,
                                    "'%s' is not valid %s address" % (address, family))
            if family in self.item.destination:
                log.warning("Destination address for '%s' already set, ignoring", family)
            else:
                self.item.destination[family] = address
    elif name == "module":
        module = attrs["name"]
        well_formed = module.startswith("nf_conntrack_") and \
            len(module.replace("nf_conntrack_", "")) > 0
        if not well_formed:
            log.warning("Invalid module '%s'", module)
        elif module in self.item.modules:
            log.warning("Module '%s' already set, ignoring.", module)
        else:
            self.item.modules.append(module)
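def _check_config(self, config, item):
    """Validate one service setting before it is stored.

    Args:
        config: the value for ``item`` -- a list of ``(port, protocol)``
            tuples for ``"ports"`` (an empty port means "the whole
            protocol"), a list of protocol names for ``"protocols"`` or a
            ``{"ipv4"|"ipv6": address}`` dict for ``"destination"``.  Any
            other item is accepted without inspection.
        item: name of the setting being validated.

    Raises:
        FirewallError: INVALID_PROTOCOL, INVALID_DESTINATION or
            INVALID_ADDRESS for the first offending entry.  ``check_port``
            and ``check_protocol`` raise their own errors for bad ports.
    """
    if item == "ports":
        for entry in config:
            port, proto = entry[0], entry[1]
            if port != "":
                check_port(port)
                check_protocol(proto)
            elif not functions.checkProtocol(proto):
                # Port-less entry: only the protocol name is checked.
                raise FirewallError(INVALID_PROTOCOL, proto)
    elif item == "protocols":
        # Plain protocol entries carry no port, so they get the same
        # protocol-name check as a port-less "ports" entry.  Without this
        # branch a "protocols" setting would pass through here unchecked.
        for proto in config:
            if not functions.checkProtocol(proto):
                raise FirewallError(INVALID_PROTOCOL, proto)
    elif item == "destination":
        for family in config:
            if family not in ["ipv4", "ipv6"]:
                raise FirewallError(INVALID_DESTINATION, family)
            if not functions.check_address(family, config[family]):
                raise FirewallError(INVALID_ADDRESS, config[family])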
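def _check_config(self, config, item):
    """Validate one service setting before it is stored.

    Args:
        config: the value for ``item``.  ``"ports"`` is a list of
            ``(port, protocol)`` tuples where an empty port stands for the
            whole protocol; ``"protocols"`` is a list of protocol names;
            ``"destination"`` maps ``"ipv4"``/``"ipv6"`` to an address.
            Other items are accepted without inspection.
        item: name of the setting being validated.

    Raises:
        FirewallError: INVALID_PROTOCOL, INVALID_DESTINATION or
            INVALID_ADDRESS for the first offending entry; ``check_port``
            and ``check_protocol`` raise their own errors.
    """
    if item == "ports":
        for port, proto in ((p[0], p[1]) for p in config):
            if port == "":
                # Only the protocol name can be checked for a port-less entry.
                if not functions.checkProtocol(proto):
                    raise FirewallError(INVALID_PROTOCOL, proto)
            else:
                check_port(port)
                check_protocol(proto)
    elif item == "protocols":
        # Same protocol-name check as for a port-less "ports" entry; the
        # original had no branch for this item, so a "protocols" setting
        # was never validated here.
        for proto in config:
            if not functions.checkProtocol(proto):
                raise FirewallError(INVALID_PROTOCOL, proto)
    elif item == "destination":
        for family, address in config.items():
            if family not in ["ipv4", "ipv6"]:
                raise FirewallError(INVALID_DESTINATION, family)
            if not functions.check_address(family, address):
                raise FirewallError(INVALID_ADDRESS, address)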
def check(self):
    """Validate the rich rule's syntax and the combinations of its parts.

    Only local consistency is checked: family, element, source,
    destination, log, audit and action are validated on their own and
    against each other.  Whether a named service or icmp type actually
    exists is deliberately left to the Firewall core, which has that
    knowledge.

    Raises:
        FirewallError: INVALID_FAMILY / MISSING_FAMILY, INVALID_RULE,
            INVALID_ADDR, INVALID_SERVICE, INVALID_PORT, INVALID_PROTOCOL,
            INVALID_ICMPTYPE, INVALID_LOG_LEVEL or INVALID_AUDIT_TYPE for
            the first problem found.  The nested ``limit.check()`` and
            ``action.check()`` calls raise their own errors.
    """
    if self.family is not None and self.family not in ["ipv4", "ipv6"]:
        raise FirewallError(INVALID_FAMILY, self.family)
    if self.family is None:
        # Addresses and forward-port targets are only meaningful once the
        # family is fixed.
        if self.source is not None or self.destination is not None:
            raise FirewallError(MISSING_FAMILY)
        if type(self.element) == Rich_ForwardPort:
            raise FirewallError(MISSING_FAMILY)
    if self.element is None:
        # An element-less rule is a pure source-based action.
        if self.action is None:
            raise FirewallError(INVALID_RULE, "no element, no action")
        if self.source is None:
            raise FirewallError(INVALID_RULE, "no element, no source")
        if self.destination is not None:
            raise FirewallError(INVALID_RULE, "destination action")
    if type(self.element) not in [ Rich_IcmpBlock, Rich_ForwardPort, Rich_Masquerade ]:
        # These three elements imply their own verdict; everything else must
        # say what to do with a match.
        if self.log is None and self.audit is None and \
           self.action is None:
            raise FirewallError(INVALID_RULE, "no action, no log, no audit")
    # source
    if self.source is not None:
        if self.family is None:
            raise FirewallError(INVALID_FAMILY)
        if self.source.addr is None or \
           not functions.check_address(self.family, self.source.addr):
            raise FirewallError(INVALID_ADDR, str(self.source.addr))
    # destination
    if self.destination is not None:
        if self.family is None:
            raise FirewallError(INVALID_FAMILY)
        if self.destination.addr is None or \
           not functions.check_address(self.family, self.destination.addr):
            raise FirewallError(INVALID_ADDR, str(self.destination.addr))
    # service
    if type(self.element) == Rich_Service:
        # service availability needs to be checked in Firewall, here is no
        # knowledge about this, therefore only simple check
        if self.element.name is None or len(self.element.name) < 1:
            raise FirewallError(INVALID_SERVICE, str(self.element.name))
    # port
    elif type(self.element) == Rich_Port:
        if not functions.check_port(self.element.port):
            raise FirewallError(INVALID_PORT, self.element.port)
        if not self.element.protocol in ["tcp", "udp"]:
            raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
    # protocol
    elif type(self.element) == Rich_Protocol:
        if not functions.checkProtocol(self.element.value):
            raise FirewallError(INVALID_PROTOCOL, self.element.value)
    # masquerade
    elif type(self.element) == Rich_Masquerade:
        if self.destination is not None:
            raise FirewallError(INVALID_RULE, "masquerade and destination")
        if self.action is not None:
            raise FirewallError(INVALID_RULE, "masquerade and action")
    # icmp-block
    elif type(self.element) == Rich_IcmpBlock:
        # icmp type availability needs to be checked in Firewall, here is no
        # knowledge about this, therefore only simple check
        if self.element.name is None or len(self.element.name) < 1:
            raise FirewallError(INVALID_ICMPTYPE, str(self.element.name))
        # NOTE(review): truthiness test, unlike the ``is not None`` used for
        # the other elements; equivalent only if action objects are truthy.
        if self.action:
            raise FirewallError(INVALID_RULE, "icmp-block and action")
    # forward-port
    elif type(self.element) == Rich_ForwardPort:
        if not functions.check_port(self.element.port):
            raise FirewallError(INVALID_PORT, self.element.port)
        if not self.element.protocol in ["tcp", "udp"]:
            raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
        # At least one of to-port / to-addr must be given; each is only
        # validated when non-empty.
        if self.element.to_port == "" and self.element.to_address == "":
            raise FirewallError(INVALID_PORT, self.element.to_port)
        if self.element.to_port != "" and \
           not functions.check_port(self.element.to_port):
            raise FirewallError(INVALID_PORT, self.element.to_port)
        # The forward target goes through check_single_address rather than
        # check_address -- presumably a single host, no range/network.
        if self.element.to_address != "" and \
           not functions.check_single_address(self.family, self.element.to_address):
            raise FirewallError(INVALID_ADDR, self.element.to_address)
        if self.family is None:
            raise FirewallError(INVALID_FAMILY)
        if self.action is not None:
            raise FirewallError(INVALID_RULE, "forward-port and action")
    # other element and not empty?
    elif self.element is not None:
        # Anything that is not one of the known element classes is refused.
        raise FirewallError(INVALID_RULE, "Unknown element %s" % type(self.element))
    # log
    if self.log is not None:
        # An unset level is allowed; a set one must be a syslog priority.
        if self.log.level and \
           self.log.level not in [ "emerg", "alert", "crit", "error", "warning", "notice", "info", "debug" ]:
            raise FirewallError(INVALID_LOG_LEVEL, self.log.level)
        if self.log.limit is not None:
            self.log.limit.check()
    # audit
    if self.audit is not None:
        # Audit records a verdict, so it needs one of the verdict actions.
        if type(self.action) not in [Rich_Accept, Rich_Reject, Rich_Drop]:
            raise FirewallError(INVALID_AUDIT_TYPE, type(self.action))
        if self.audit.limit is not None:
            self.audit.limit.check()
    # action
    if self.action is not None:
        # Only reject carries a family-dependent sub-option (its type).
        if type(self.action) == Rich_Reject:
            self.action.check(self.family)
        if self.action.limit is not None:
            self.action.limit.check()
def check_address(ipv, addr):
    """Raise unless ``addr`` is a valid address of family ``ipv``.

    Thin wrapper turning the boolean ``functions.check_address`` into an
    exception so callers can validate inline.

    Raises:
        FirewallError: INVALID_ADDR with a message naming the address and
            family.
    """
    valid = functions.check_address(ipv, addr)
    if valid:
        return
    raise FirewallError(errors.INVALID_ADDR,
                        "'%s' is not valid %s address" % (addr, ipv))
def check(self):
    """Validate the rich rule's syntax and the combinations of its parts.

    Only local consistency is checked: family, priority, element, source,
    destination, log, audit and action are validated on their own and
    against each other.  Whether a named service or icmp type actually
    exists is deliberately left to the Firewall core, which has that
    knowledge.

    Raises:
        FirewallError: INVALID_FAMILY / MISSING_FAMILY, INVALID_PRIORITY,
            INVALID_RULE, INVALID_ADDR, INVALID_MAC, INVALID_IPSET,
            INVALID_DESTINATION, INVALID_SERVICE, INVALID_PORT,
            INVALID_PROTOCOL, INVALID_ICMPTYPE or INVALID_AUDIT_TYPE for
            the first problem found.  The nested ``log.check()``,
            ``limit.check()`` and ``action.check()`` calls raise their own.
    """
    if self.family is not None and self.family not in ["ipv4", "ipv6"]:
        raise FirewallError(errors.INVALID_FAMILY, self.family)
    if self.family is None:
        # A source given by mac or ipset needs no family; an address does,
        # and so do destinations and forward-port targets.
        if (self.source is not None and self.source.addr is not None) or \
           self.destination is not None:
            raise FirewallError(errors.MISSING_FAMILY)
        if type(self.element) == Rich_ForwardPort:
            raise FirewallError(errors.MISSING_FAMILY)

    # Bounds come from the instance (priority_min / priority_max).
    if self.priority < self.priority_min or self.priority > self.priority_max:
        raise FirewallError(errors.INVALID_PRIORITY,
                            "'priority' attribute must be between %d and %d." \
                            % (self.priority_min, self.priority_max))

    # Element-less rules: with a log and a non-zero priority the rule may be
    # a bare log rule; otherwise it must carry an action and a source or
    # destination.  (The ``self.log is not None`` inside the parenthesis is
    # already implied by the ``or``.)
    if self.element is None and \
       (self.log is None or (self.log is not None and self.priority == 0)):
        if self.action is None:
            raise FirewallError(errors.INVALID_RULE, "no element, no action")
        if self.source is None and self.destination is None and self.priority == 0:
            raise FirewallError(errors.INVALID_RULE, "no element, no source, no destination")
    if type(self.element) not in [ Rich_IcmpBlock, Rich_ForwardPort, Rich_Masquerade, Rich_Tcp_Mss_Clamp ]:
        # These elements imply their own verdict; everything else must say
        # what to do with a match.
        if self.log is None and self.audit is None and \
           self.action is None:
            raise FirewallError(errors.INVALID_RULE, "no action, no log, no audit")

    # source
    if self.source is not None:
        # Exactly one of address / mac / ipset may be set.
        if self.source.addr is not None:
            if self.family is None:
                raise FirewallError(errors.INVALID_FAMILY)
            if self.source.mac is not None:
                raise FirewallError(errors.INVALID_RULE, "address and mac")
            if self.source.ipset is not None:
                raise FirewallError(errors.INVALID_RULE, "address and ipset")
            if not functions.check_address(self.family, self.source.addr):
                raise FirewallError(errors.INVALID_ADDR, str(self.source.addr))
        elif self.source.mac is not None:
            if self.source.ipset is not None:
                raise FirewallError(errors.INVALID_RULE, "mac and ipset")
            if not functions.check_mac(self.source.mac):
                raise FirewallError(errors.INVALID_MAC, str(self.source.mac))
        elif self.source.ipset is not None:
            # Only the name's syntax is checked; existence is the core's job.
            if not check_ipset_name(self.source.ipset):
                raise FirewallError(errors.INVALID_IPSET, str(self.source.ipset))
        else:
            raise FirewallError(errors.INVALID_RULE, "invalid source")

    # destination
    if self.destination is not None:
        # Exactly one of address / ipset may be set (no mac for destinations).
        if self.destination.addr is not None:
            if self.family is None:
                raise FirewallError(errors.INVALID_FAMILY)
            if self.destination.ipset is not None:
                raise FirewallError(errors.INVALID_DESTINATION, "address and ipset")
            if not functions.check_address(self.family, self.destination.addr):
                raise FirewallError(errors.INVALID_ADDR, str(self.destination.addr))
        elif self.destination.ipset is not None:
            if not check_ipset_name(self.destination.ipset):
                raise FirewallError(errors.INVALID_IPSET, str(self.destination.ipset))
        else:
            raise FirewallError(errors.INVALID_RULE, "invalid destination")

    # service
    if type(self.element) == Rich_Service:
        # service availability needs to be checked in Firewall, here is no
        # knowledge about this, therefore only simple check
        if self.element.name is None or len(self.element.name) < 1:
            raise FirewallError(errors.INVALID_SERVICE, str(self.element.name))
    # port
    elif type(self.element) == Rich_Port:
        if not functions.check_port(self.element.port):
            raise FirewallError(errors.INVALID_PORT, self.element.port)
        if self.element.protocol not in ["tcp", "udp", "sctp", "dccp"]:
            raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
    # protocol
    elif type(self.element) == Rich_Protocol:
        if not functions.checkProtocol(self.element.value):
            raise FirewallError(errors.INVALID_PROTOCOL, self.element.value)
    # masquerade
    elif type(self.element) == Rich_Masquerade:
        if self.action is not None:
            raise FirewallError(errors.INVALID_RULE, "masquerade and action")
        if self.source is not None and self.source.mac is not None:
            raise FirewallError(errors.INVALID_RULE, "masquerade and mac source")
    # icmp-block
    elif type(self.element) == Rich_IcmpBlock:
        # icmp type availability needs to be checked in Firewall, here is no
        # knowledge about this, therefore only simple check
        if self.element.name is None or len(self.element.name) < 1:
            raise FirewallError(errors.INVALID_ICMPTYPE, str(self.element.name))
        # NOTE(review): truthiness test, unlike the ``is not None`` used for
        # the other elements; equivalent only if action objects are truthy.
        if self.action:
            raise FirewallError(errors.INVALID_RULE, "icmp-block and action")
    # icmp-type
    elif type(self.element) == Rich_IcmpType:
        # icmp type availability needs to be checked in Firewall, here is no
        # knowledge about this, therefore only simple check
        if self.element.name is None or len(self.element.name) < 1:
            raise FirewallError(errors.INVALID_ICMPTYPE, str(self.element.name))
    # forward-port
    elif type(self.element) == Rich_ForwardPort:
        if not functions.check_port(self.element.port):
            raise FirewallError(errors.INVALID_PORT, self.element.port)
        if self.element.protocol not in ["tcp", "udp", "sctp", "dccp"]:
            raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
        # At least one of to-port / to-addr must be given; each is only
        # validated when non-empty.
        if self.element.to_port == "" and self.element.to_address == "":
            raise FirewallError(errors.INVALID_PORT, self.element.to_port)
        if self.element.to_port != "" and \
           not functions.check_port(self.element.to_port):
            raise FirewallError(errors.INVALID_PORT, self.element.to_port)
        # The forward target goes through check_single_address rather than
        # check_address -- presumably a single host, no range/network.
        if self.element.to_address != "" and \
           not functions.check_single_address(self.family, self.element.to_address):
            raise FirewallError(errors.INVALID_ADDR, self.element.to_address)
        if self.family is None:
            raise FirewallError(errors.INVALID_FAMILY)
        if self.action is not None:
            raise FirewallError(errors.INVALID_RULE, "forward-port and action")
    # source-port
    elif type(self.element) == Rich_SourcePort:
        if not functions.check_port(self.element.port):
            raise FirewallError(errors.INVALID_PORT, self.element.port)
        if self.element.protocol not in ["tcp", "udp", "sctp", "dccp"]:
            raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
    # tcp-mss-clamp
    elif type(self.element) == Rich_Tcp_Mss_Clamp:
        if self.action is not None:
            raise FirewallError(
                errors.INVALID_RULE,
                "tcp-mss-clamp and %s are mutually exclusive" % self.action)
        # An empty/unset value is accepted; a given value must pass the
        # dedicated checker.
        if self.element.value:
            if not functions.checkTcpMssClamp(self.element.value):
                raise FirewallError(errors.INVALID_RULE, self.element.value)
    # other element and not empty?
    elif self.element is not None:
        # Anything that is not one of the known element classes is refused.
        raise FirewallError(errors.INVALID_RULE, "Unknown element %s" % type(self.element))

    # log
    if self.log is not None:
        # Level/limit validation lives on the log object itself.
        self.log.check()
    # audit
    if self.audit is not None:
        # Audit records a verdict, so it needs one of the verdict actions.
        if type(self.action) not in [Rich_Accept, Rich_Reject, Rich_Drop]:
            raise FirewallError(errors.INVALID_AUDIT_TYPE, type(self.action))
        if self.audit.limit is not None:
            self.audit.limit.check()
    # action
    if self.action is not None:
        # reject's sub-option depends on the family; mark is family-neutral.
        if type(self.action) == Rich_Reject:
            self.action.check(self.family)
        elif type(self.action) == Rich_Mark:
            self.action.check()
        if self.action.limit is not None:
            self.action.limit.check()
def check(self):
    """Validate the rich rule's syntax and the combinations of its parts.

    Only local consistency is checked: family, element, source,
    destination, log, audit and action are validated on their own and
    against each other.  Whether a named service or icmp type actually
    exists is deliberately left to the Firewall core, which has that
    knowledge.

    Raises:
        FirewallError: INVALID_FAMILY / MISSING_FAMILY, INVALID_RULE,
            INVALID_ADDR, INVALID_MAC, INVALID_IPSET, INVALID_SERVICE,
            INVALID_PORT, INVALID_PROTOCOL, INVALID_ICMPTYPE,
            INVALID_LOG_LEVEL or INVALID_AUDIT_TYPE for the first problem
            found.  The nested ``limit.check()`` and ``action.check()``
            calls raise their own errors.
    """
    if self.family is not None and self.family not in [ "ipv4", "ipv6" ]:
        raise FirewallError(INVALID_FAMILY, self.family)
    if self.family is None:
        # A source given by mac or ipset needs no family; an address does,
        # and so do destinations and forward-port targets.
        if (self.source is not None and self.source.addr is not None) or \
           self.destination is not None:
            raise FirewallError(MISSING_FAMILY)
        if type(self.element) == Rich_ForwardPort:
            raise FirewallError(MISSING_FAMILY)
    if self.element is None:
        # An element-less rule is a pure source-based action.
        if self.action is None:
            raise FirewallError(INVALID_RULE, "no element, no action")
        if self.source is None:
            raise FirewallError(INVALID_RULE, "no element, no source")
        if self.destination is not None:
            raise FirewallError(INVALID_RULE, "destination action")
    if type(self.element) not in [ Rich_IcmpBlock, Rich_ForwardPort, Rich_Masquerade ]:
        # These three elements imply their own verdict; everything else must
        # say what to do with a match.
        if self.log is None and self.audit is None and \
           self.action is None:
            raise FirewallError(INVALID_RULE, "no action, no log, no audit")
    # source
    if self.source is not None:
        if self.source.addr is not None:
            if self.family is None:
                raise FirewallError(INVALID_FAMILY)
            if self.source.mac is not None:
                raise FirewallError(INVALID_RULE, "address and mac")
            # NOTE(review): an address combined with an ipset is not rejected
            # here (address + mac is); the elif chain simply never looks at
            # the ipset once addr is set.
            if not functions.check_address(self.family, self.source.addr):
                raise FirewallError(INVALID_ADDR, str(self.source.addr))
        elif self.source.mac is not None:
            if not functions.check_mac(self.source.mac):
                raise FirewallError(INVALID_MAC, str(self.source.mac))
        elif self.source.ipset is not None:
            if not functions.check_ipset(self.source.ipset):
                raise FirewallError(INVALID_IPSET, str(self.source.ipset))
        else:
            raise FirewallError(INVALID_RULE, "invalid source")
    # destination
    if self.destination is not None:
        # Destinations are address-only in this version.
        if self.family is None:
            raise FirewallError(INVALID_FAMILY)
        if self.destination.addr is None or \
           not functions.check_address(self.family, self.destination.addr):
            raise FirewallError(INVALID_ADDR, str(self.destination.addr))
    # service
    if type(self.element) == Rich_Service:
        # service availability needs to be checked in Firewall, here is no
        # knowledge about this, therefore only simple check
        if self.element.name is None or len(self.element.name) < 1:
            raise FirewallError(INVALID_SERVICE, str(self.element.name))
    # port
    elif type(self.element) == Rich_Port:
        if not functions.check_port(self.element.port):
            raise FirewallError(INVALID_PORT, self.element.port)
        if self.element.protocol not in [ "tcp", "udp" ]:
            raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
    # protocol
    elif type(self.element) == Rich_Protocol:
        if not functions.checkProtocol(self.element.value):
            raise FirewallError(INVALID_PROTOCOL, self.element.value)
    # masquerade
    elif type(self.element) == Rich_Masquerade:
        if self.action is not None:
            raise FirewallError(INVALID_RULE, "masquerade and action")
        if self.source is not None and self.source.mac is not None:
            raise FirewallError(INVALID_RULE, "masquerade and mac source")
    # icmp-block
    elif type(self.element) == Rich_IcmpBlock:
        # icmp type availability needs to be checked in Firewall, here is no
        # knowledge about this, therefore only simple check
        if self.element.name is None or len(self.element.name) < 1:
            raise FirewallError(INVALID_ICMPTYPE, str(self.element.name))
        # NOTE(review): truthiness test, unlike the ``is not None`` used for
        # the other elements; equivalent only if action objects are truthy.
        if self.action:
            raise FirewallError(INVALID_RULE, "icmp-block and action")
    # forward-port
    elif type(self.element) == Rich_ForwardPort:
        if not functions.check_port(self.element.port):
            raise FirewallError(INVALID_PORT, self.element.port)
        if self.element.protocol not in [ "tcp", "udp" ]:
            raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
        # At least one of to-port / to-addr must be given; each is only
        # validated when non-empty.
        if self.element.to_port == "" and self.element.to_address == "":
            raise FirewallError(INVALID_PORT, self.element.to_port)
        if self.element.to_port != "" and \
           not functions.check_port(self.element.to_port):
            raise FirewallError(INVALID_PORT, self.element.to_port)
        # The forward target goes through check_single_address rather than
        # check_address -- presumably a single host, no range/network.
        if self.element.to_address != "" and \
           not functions.check_single_address(self.family, self.element.to_address):
            raise FirewallError(INVALID_ADDR, self.element.to_address)
        if self.family is None:
            raise FirewallError(INVALID_FAMILY)
        if self.action is not None:
            raise FirewallError(INVALID_RULE, "forward-port and action")
    # other element and not empty?
    elif self.element is not None:
        # Anything that is not one of the known element classes is refused.
        raise FirewallError(INVALID_RULE, "Unknown element %s" % type(self.element))
    # log
    if self.log is not None:
        # An unset level is allowed; a set one must be a syslog priority.
        if self.log.level and \
           self.log.level not in [ "emerg", "alert", "crit", "error", "warning", "notice", "info", "debug" ]:
            raise FirewallError(INVALID_LOG_LEVEL, self.log.level)
        if self.log.limit is not None:
            self.log.limit.check()
    # audit
    if self.audit is not None:
        # Audit records a verdict, so it needs one of the verdict actions.
        if type(self.action) not in [ Rich_Accept, Rich_Reject, Rich_Drop ]:
            raise FirewallError(INVALID_AUDIT_TYPE, type(self.action))
        if self.audit.limit is not None:
            self.audit.limit.check()
    # action
    if self.action is not None:
        # Only reject carries a family-dependent sub-option (its type).
        if type(self.action) == Rich_Reject:
            self.action.check(self.family)
        if self.action.limit is not None:
            self.action.limit.check()
def check(self): if self.family is not None and self.family not in [ "ipv4", "ipv6" ]: raise FirewallError(errors.INVALID_FAMILY, self.family) if self.family is None: if (self.source is not None and self.source.addr is not None) or \ self.destination is not None: raise FirewallError(errors.MISSING_FAMILY) if type(self.element) == Rich_ForwardPort: raise FirewallError(errors.MISSING_FAMILY) if self.element is None: if self.action is None: raise FirewallError(errors.INVALID_RULE, "no element, no action") if self.source is None and self.destination is None: raise FirewallError(errors.INVALID_RULE, "no element, no source, no destination") if type(self.element) not in [ Rich_IcmpBlock, Rich_ForwardPort, Rich_Masquerade ]: if self.log is None and self.audit is None and \ self.action is None: raise FirewallError(errors.INVALID_RULE, "no action, no log, no audit") # source if self.source is not None: if self.source.addr is not None: if self.family is None: raise FirewallError(errors.INVALID_FAMILY) if self.source.mac is not None: raise FirewallError(errors.INVALID_RULE, "address and mac") if self.source.ipset is not None: raise FirewallError(errors.INVALID_RULE, "address and ipset") if not functions.check_address(self.family, self.source.addr): raise FirewallError(errors.INVALID_ADDR, str(self.source.addr)) elif self.source.mac is not None: if self.source.ipset is not None: raise FirewallError(errors.INVALID_RULE, "mac and ipset") if not functions.check_mac(self.source.mac): raise FirewallError(errors.INVALID_MAC, str(self.source.mac)) elif self.source.ipset is not None: if not check_ipset_name(self.source.ipset): raise FirewallError(errors.INVALID_IPSET, str(self.source.ipset)) else: raise FirewallError(errors.INVALID_RULE, "invalid source") # destination if self.destination is not None: if self.family is None: raise FirewallError(errors.INVALID_FAMILY) if self.destination.addr is not None and self.destination.ipset is not None raise FirewallError(errors.INVALID_RULE, 
"address and ipset") if self.destination.ipset is None: if self.destination.addr is None or not functions.check_address(self.family, self.destination.addr)): raise FirewallError(errors.INVALID_ADDR, str(self.destination.addr)) else: if not check_ipset_name(self.destination.ipset): raise FirewallError(errors.INVALID_IPSET, str(self.destination.ipset)) # service if type(self.element) == Rich_Service: # service availability needs to be checked in Firewall, here is no # knowledge about this, therefore only simple check if self.element.name is None or len(self.element.name) < 1: raise FirewallError(errors.INVALID_SERVICE, str(self.element.name)) # port elif type(self.element) == Rich_Port: if not functions.check_port(self.element.port): raise FirewallError(errors.INVALID_PORT, self.element.port) if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]: raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol) # protocol elif type(self.element) == Rich_Protocol: if not functions.checkProtocol(self.element.value): raise FirewallError(errors.INVALID_PROTOCOL, self.element.value) # masquerade elif type(self.element) == Rich_Masquerade: if self.action is not None: raise FirewallError(errors.INVALID_RULE, "masquerade and action") if self.source is not None and self.source.mac is not None: raise FirewallError(errors.INVALID_RULE, "masquerade and mac source") # icmp-block elif type(self.element) == Rich_IcmpBlock: # icmp type availability needs to be checked in Firewall, here is no # knowledge about this, therefore only simple check if self.element.name is None or len(self.element.name) < 1: raise FirewallError(errors.INVALID_ICMPTYPE, str(self.element.name)) if self.action: raise FirewallError(errors.INVALID_RULE, "icmp-block and action") # icmp-type elif type(self.element) == Rich_IcmpType: # icmp type availability needs to be checked in Firewall, here is no # knowledge about this, therefore only simple check if self.element.name is None or 
len(self.element.name) < 1: raise FirewallError(errors.INVALID_ICMPTYPE, str(self.element.name)) # forward-port elif type(self.element) == Rich_ForwardPort: if not functions.check_port(self.element.port): raise FirewallError(errors.INVALID_PORT, self.element.port) if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]: raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol) if self.element.to_port == "" and self.element.to_address == "": raise FirewallError(errors.INVALID_PORT, self.element.to_port) if self.element.to_port != "" and \ not functions.check_port(self.element.to_port): raise FirewallError(errors.INVALID_PORT, self.element.to_port) if self.element.to_address != "" and \ not functions.check_single_address(self.family, self.element.to_address): raise FirewallError(errors.INVALID_ADDR, self.element.to_address) if self.family is None: raise FirewallError(errors.INVALID_FAMILY) if self.action is not None: raise FirewallError(errors.INVALID_RULE, "forward-port and action")