def iptablesRules(context, component, ruleset, rule_type, identifiers, use_nufw): logger = ContextLoggerChild(context, component) result = ApplyRulesResult(logger) # Not NAT rules in IPv6! if rule_type == 'nats': rules = ruleset.nats use_ipv6 = False default_decisions = None elif rule_type == 'acls-ipv6': rules = ruleset.acls_ipv6 use_ipv6 = True default_decisions = rules.default_decisions else: rules = ruleset.acls_ipv4 use_ipv6 = False default_decisions = rules.default_decisions if identifiers: rules = [ rules[id] for id in identifiers ] else: rules = rules options = IptablesOptions() options.format = "iptables" options.ipv6 = use_ipv6 options.nufw = use_nufw with TemplateInstanciation(ruleset): rules = filterRules(result, rules) # Create iptables rules iptables = IptablesGenerator(logger, default_decisions, options, component.config, result) if rule_type != 'nats': lines = aclsRules(iptables, rules) else: lines = natsRules(iptables, rules, result) xmlrpc = result.exportXMLRPC() xmlrpc['iptables'] = [unicode(line) for line in lines] return xmlrpc
def _applyRulesThread(self): if self.only_consistency: self.consistencyEngine() return self.result.exportXMLRPC() elif not self.result.ignore_consistency_error: self.consistencyEngine() if self.result.consistency_errors: return self.result.exportXMLRPC() options = IptablesOptions() options.nufw = self.use_nufw if self.ruleset_name: self.logger.critical("Apply rules: rule set %r" % self.ruleset_name) else: self.logger.critical("Apply rules: no rule set (only localfw rules)") write_ldap = WriteLdapRules(self.logger, self.config['ldap']) ufwi_ruleset_rules = { 'use_ipv6': self.use_ipv6, 'use_nufw': self.use_nufw, 'is_gateway': self.config.isGateway(), } if self.use_nufw: ufwi_ruleset_rules['ldap_config'] = self.config['ldap'] if self.use_ipv6: acls = itertools.chain(self.acls_ipv4, self.acls_ipv6) else: acls = self.acls_ipv4 ufwi_ruleset_rules['ldap_rules'] = write_ldap.createRules(acls) # TODO: disable IP forward at the beginning # TODO: FORWARD and INPUT: set policy to DROP # LDAP transactions = [] if self.use_nufw: filename = self.config['nufw']['periods_filename'] periods = TimeRangeFileTransaction(filename, self.acls_ipv4, self.acls_ipv6) transactions.append(periods) # iptables options.ipv6 = False write_iptables_ipv4 = WriteIptablesRules( self.logger, self.config, self.ipv4_default_decisions, self.acls_ipv4, self.nats, self.custom_rules, options, self.result) transactions.append(write_iptables_ipv4) ipv6_options = deepcopy(options) ipv6_options.ipv6 = True ipv6_options.deny_all = (not self.use_ipv6) write_iptables_ipv6 = WriteIptablesRules( self.logger, self.config, self.ipv6_default_decisions, self.acls_ipv6, None, self.custom_rules, ipv6_options, self.result) transactions.append(write_iptables_ipv6) # TODO: reload nuauth caches # TODO: reload nuauth periods # TODO: FORWARD and INPUT: set policy to ACCEPT write = WriteRules(self.logger, ufwi_ruleset_rules) transactions.append(write) script = RulesetScript(self.context, self.logger) transactions.append(script) save_ruleset = SaveRuleset(self.ruleset_name, self.use_nufw) transactions.append(save_ruleset) if self.ruleset \ and (self.ruleset.filename != PRODUCTION_RULESET): production = ProductionRuleset(self.ruleset.filename) transactions.append(production) executeTransactions(self.logger, transactions) self.result.applied = True return self.result.exportXMLRPC()