def __str__(self):
"""Render config output from this term object."""
ret_str = []
# Create a new term
ret_str.append('\n# term %s' % self.term.name)
# append comments to output
for line in self.term.comment:
if not line:
continue
ret_str.append('# %s' % str(line))
# if terms does not specify action, use filter default action
if not self.term.action:
self.term.action[0].value = self.default_action
if str(self.term.action[0]) not in self._ACTION_TABLE:
raise aclgenerator.UnsupportedFilterError(
'%s %s %s %s' % ('\n', self.term.name, self.term.action[0],
'action not currently supported.'))
# protocol
if self.term.protocol:
protocol = self.term.protocol
else:
protocol = []
if self.term.protocol_except:
raise aclgenerator.UnsupportedFilterError(
'%s %s %s' %
('\n', self.term.name,
'protocol_except logic not currently supported.'))
# source address
term_saddrs = self._CheckAddressAf(self.term.source_address)
if not term_saddrs:
logging.warn(
self.NO_AF_LOG_FORMAT.substitute(term=self.term.name,
direction='source',
af=self.af))
return ''
term_saddr = self._GenerateAddrStatement(
term_saddrs, self.term.source_address_exclude)
# destination address
term_daddrs = self._CheckAddressAf(self.term.destination_address)
if not term_daddrs:
logging.warn(
self.NO_AF_LOG_FORMAT.substitute(term=self.term.name,
direction='destination',
af=self.af))
return ''
term_daddr = self._GenerateAddrStatement(
term_daddrs, self.term.destination_address_exclude)
# ports
source_port = []
destination_port = []
if self.term.source_port:
source_port = self._GeneratePortStatement(self.term.source_port)
if self.term.destination_port:
destination_port = self._GeneratePortStatement(
self.term.destination_port)
# icmp-type
icmp_types = ['']
if self.term.icmp_type:
if self.af != 'mixed':
af = self.af
elif protocol == ['icmp']:
af = 'inet'
elif protocol == ['icmp6']:
af = 'inet6'
else:
raise aclgenerator.UnsupportedFilterError(
'%s %s %s' %
('\n', self.term.name,
'icmp protocol is not defined or not supported.'))
icmp_types = self.NormalizeIcmpTypes(self.term.icmp_type, protocol,
af)
# options
opts = [str(x) for x in self.term.option]
tcp_flags = []
for next_opt in opts:
# Iterate through flags table, and create list of tcp-flags to append
for next_flag in self._TCP_FLAGS_TABLE:
if next_opt.find(next_flag) == 0:
tcp_flags.append(self._TCP_FLAGS_TABLE.get(next_flag))
ret_str.extend(
self._FormatPart(
self._ACTION_TABLE.get(str(self.term.action[0])),
self.term.logging,
self.af,
protocol,
term_saddr,
source_port,
term_daddr,
destination_port,
tcp_flags,
icmp_types,
self.options,
))
return '\n'.join(str(v) for v in ret_str if v is not '')
def _TranslatePolicy(self, pol, exp_info):
self.pf_policies = []
self.address_book = {}
current_date = datetime.date.today()
exp_info_date = current_date + datetime.timedelta(weeks=exp_info)
good_afs = ['inet', 'inet6', 'mixed']
good_options = ['in', 'out', 'nostate']
all_protocols_stateful = True
for header, terms in pol.filters:
filter_type = None
if self._PLATFORM not in header.platforms:
continue
filter_options = header.FilterOptions(self._PLATFORM)[1:]
filter_name = header.FilterName(self._PLATFORM)
direction = ''
# ensure all options after the filter name are expected
for opt in filter_options:
if opt not in good_afs + good_options:
raise aclgenerator.UnsupportedTargetOption('%s %s %s %s' % (
'\nUnsupported option found in', self._PLATFORM,
'target definition:', opt))
# pf will automatically add 'keep state flags S/SA' to all TCP connections
# by default.
if 'nostate' in filter_options:
all_protocols_stateful = False
if 'in' in filter_options:
direction = 'in'
elif 'out' in filter_options:
direction = 'out'
# Check for matching af
for address_family in good_afs:
if address_family in filter_options:
# should not specify more than one AF in options
if filter_type is not None:
raise aclgenerator.UnsupportedFilterError('%s %s %s %s' % (
'\nMay only specify one of', good_afs, 'in filter options:',
filter_options))
filter_type = address_family
if filter_type is None:
filter_type = 'inet'
# add the terms
new_terms = []
term_names = set()
for term in terms:
term.name = self.FixTermLength(term.name)
if term.name in term_names:
raise aclgenerator.DuplicateTermError(
'You have a duplicate term: %s' % term.name)
for source_addr in term.source_address:
if source_addr.parent_token not in self.address_book:
self.address_book[source_addr.parent_token] = set([source_addr])
else:
self.address_book[source_addr.parent_token].add(source_addr)
for dest_addr in term.destination_address:
if dest_addr.parent_token not in self.address_book:
self.address_book[dest_addr.parent_token] = set([dest_addr])
else:
self.address_book[dest_addr.parent_token].add(dest_addr)
if not term:
continue
if term.expiration:
if term.expiration <= exp_info_date:
logging.info('INFO: Term %s in policy %s expires '
'in less than two weeks.', term.name, filter_name)
if term.expiration <= current_date:
logging.warn('WARNING: Term %s in policy %s is expired and '
'will not be rendered.', term.name, filter_name)
continue
new_terms.append(self._TERM(term, filter_name, all_protocols_stateful,
filter_type, direction))
shortened_deduped_list = {}
for key in self.address_book:
if len(key) > 31:
name = key[:31]
else:
name = key
if name in shortened_deduped_list.keys():
raise DuplicateShortenedTableName(
'The shortened name %s has a collision.', name)
else:
shortened_deduped_list[name] = self.address_book[key]
self.address_book = shortened_deduped_list
self.pf_policies.append((header, filter_name, filter_type, new_terms))
def _TranslatePolicy(self, pol, exp_info):
self.pf_policies = []
current_date = datetime.date.today()
exp_info_date = current_date + datetime.timedelta(weeks=exp_info)
good_afs = ['inet', 'inet6', 'mixed']
good_options = []
filter_type = None
for header, terms in pol.filters:
if self._PLATFORM not in header.platforms:
continue
filter_options = header.FilterOptions(self._PLATFORM)[1:]
filter_name = header.FilterName(self._PLATFORM)
# ensure all options after the filter name are expected
for opt in filter_options:
if opt not in good_afs + good_options:
raise UnsupportedTargetOption(
'%s %s %s %s' %
('\nUnsupported option found in', self._PLATFORM,
'target definition:', opt))
# Check for matching af
for address_family in good_afs:
if address_family in filter_options:
# should not specify more than one AF in options
if filter_type is not None:
raise aclgenerator.UnsupportedFilterError(
'%s %s %s %s' %
('\nMay only specify one of', good_afs,
'in filter options:', filter_options))
filter_type = address_family
if filter_type is None:
filter_type = 'mixed'
# add the terms
new_terms = []
term_names = set()
for term in terms:
term.name = self.FixTermLength(term.name)
if term.name in term_names:
raise aclgenerator.DuplicateTermError(
'You have a duplicate term: %s' % term.name)
term_names.add(term.name)
if not term:
continue
if term.expiration:
if term.expiration <= exp_info_date:
logging.info(
'INFO: Term %s in policy %s expires '
'in less than two weeks.', term.name, filter_name)
if term.expiration <= current_date:
logging.warn(
'WARNING: Term %s in policy %s is expired and '
'will not be rendered.', term.name, filter_name)
continue
new_terms.append(self._TERM(term, filter_name, filter_type))
self.pf_policies.append(
(header, filter_name, filter_type, new_terms))
def __str__(self):
"""Render config output from this term object."""
# Verify platform specific terms. Skip whole term if platform does not
# match.
if self.term.platform:
if self._PLATFORM not in self.term.platform:
return ''
if self.term.platform_exclude:
if self._PLATFORM in self.term.platform_exclude:
return ''
ret_str = []
self._SetDefaultAction()
# Create a new term
ret_str.append('\n# term %s' % self.term.name)
comments = aclgenerator.WrapWords(self.term.comment, 80)
# append comments to output
if comments and comments[0]:
for line in comments:
ret_str.append('# %s' % str(line))
if str(self.term.action[0]) not in self._ACTION_TABLE:
raise aclgenerator.UnsupportedFilterError('%s %s %s %s' % (
'\n', self.term.name, self.term.action[0],
'action not currently supported.'))
if self.direction and str(self.direction) not in self._DIRECTION_TABLE:
raise aclgenerator.UnsupportedFilterError('%s %s %s %s' % (
'\n', self.term.name, self.term.direction,
'direction not currently supported.'))
# protocol
if self.term.protocol:
protocol = self.term.protocol
else:
protocol = []
if self.term.protocol_except:
raise aclgenerator.UnsupportedFilterError('%s %s %s' % (
'\n', self.term.name,
'protocol_except logic not currently supported.'))
# source address
term_saddrs = self._CheckAddressAf(self.term.source_address)
if not term_saddrs:
logging.debug(self.NO_AF_LOG_ADDR.substitute(term=self.term.name,
direction='source',
af=self.af))
return ''
term_saddr = self._GenerateAddrStatement(
term_saddrs, self.term.source_address_exclude)
# destination address
term_daddrs = self._CheckAddressAf(self.term.destination_address)
if not term_daddrs:
logging.debug(self.NO_AF_LOG_ADDR.substitute(term=self.term.name,
direction='destination',
af=self.af))
return ''
term_daddr = self._GenerateAddrStatement(
term_daddrs, self.term.destination_address_exclude)
# ports
source_port = []
destination_port = []
if self.term.source_port:
source_port = self._GeneratePortStatement(self.term.source_port)
if self.term.destination_port:
destination_port = self._GeneratePortStatement(self.term.destination_port)
# icmp-type
icmp_types = ['']
if self.term.icmp_type:
if self.af != 'mixed':
af = self.af
elif protocol == ['icmp']:
af = 'inet'
elif protocol == ['icmpv6']:
af = 'inet6'
else:
raise aclgenerator.UnsupportedFilterError('%s %s %s' % (
'\n', self.term.name,
'icmp protocol is not defined or not supported.'))
icmp_types = self.NormalizeIcmpTypes(
self.term.icmp_type, protocol, af)
# options
tcp_flags_set = []
tcp_flags_check = []
for next_opt in [str(x) for x in self.term.option]:
for next_flag in self._TCP_FLAGS_TABLE:
if next_opt.find(next_flag) == 0:
if protocol != ['tcp']:
raise aclgenerator.UnsupportedFilterError('%s %s %s' % (
'\n', self.term.name,
'tcp flags may only be specified with tcp protocol.'))
tcp_flags_set.append(self._TCP_FLAGS_TABLE.get(next_flag))
tcp_flags_check.append(self._TCP_FLAGS_TABLE.get(next_flag))
# If tcp-established is set, override any of the flags above with the
# S/SA flags. Issue an error if flags are specified with 'established'.
for opt in [str(x) for x in self.term.option]:
if opt == 'established' or opt == 'tcp-established':
if tcp_flags_set or tcp_flags_check:
raise aclgenerator.UnsupportedFilterError('%s %s %s' % (
'\n', self.term.name,
'tcp flags may not be specified with tcp-established.'))
# We need to set 'flags A/A' for established regardless of whether or
# not we're stateful:
# - if we stateful, the default is 'flags S/SA' which prevent writing
# rules for reply packets.
# - if we're stateless, this is the only way to do it.
if not protocol or 'tcp' in protocol:
tcp_flags_set.append(self._TCP_FLAGS_TABLE.get('ack'))
tcp_flags_check.append(self._TCP_FLAGS_TABLE.get('ack'))
# The default behavior of pf is 'keep state flags S/SA'. If we're not
# stateless, and if flags have not been specified explicitly via options,
# append that here. Note that pf allows appending flags for udp and icmp;
# they are just ignored, as long as TCP is in the proto. This lets you
# doing things like 'proto { tcp udp icmp } flags S/SA' and have the flags
# only applied to the tcp bits that match. However, the policy description
# language prohibits setting flags on non-TCP, since it doesn't make sense
# on all platforms.
if ((not protocol or protocol == ['tcp']) and self.stateful
and not tcp_flags_set and not tcp_flags_check):
tcp_flags_set.append(self._TCP_FLAGS_TABLE.get('syn'))
tcp_flags_check.append(self._TCP_FLAGS_TABLE.get('syn'))
tcp_flags_check.append(self._TCP_FLAGS_TABLE.get('ack'))
ret_str.extend(self._FormatPart(
self.term.action[0],
self.direction,
self.term.logging,
self.af,
protocol,
term_saddr,
source_port,
term_daddr,
destination_port,
tcp_flags_set,
tcp_flags_check,
icmp_types,
self.options,
self.stateful,))
return '\n'.join(str(v) for v in ret_str if v is not '')