def build_zone_forward_port_rules(self, enable, zone, filter_chain, port, protocol, toport, toaddr, mark_id): add_del = { True: "-A", False: "-D" }[enable] mark_str = "0x%x" % mark_id mark = [ "-m", "mark", "--mark", mark_str ] to = "" if toaddr: if check_single_address("ipv6", toaddr): to += "[%s]" % toaddr else: to += toaddr if toport and toport != "": to += ":%s" % portStr(toport, "-") target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"], zone=zone) rules = [] rules.append([ add_del, "%s_allow" % (target), "-t", "mangle", "-p", protocol, "--dport", portStr(port), "-j", "MARK", "--set-mark", mark_str ]) # local and remote rules.append([ add_del, "%s_allow" % (target), "-t", "nat", "-p", protocol ] + mark + [ "-j", "DNAT", "--to-destination", to ]) target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[filter_chain], zone=zone) rules.append([ add_del, "%s_allow" % (target), "-t", "filter", "-m", "conntrack", "--ctstate", "NEW" ] + mark + [ "-j", "ACCEPT" ]) return rules
def build_zone_masquerade_rules(self, enable, zone, rich_rule=None): add_del = {True: "-A", False: "-D"}[enable] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["POSTROUTING"], zone=zone) rule_fragment = [] if rich_rule: rule_fragment += self._rich_rule_destination_fragment( rich_rule.destination) rule_fragment += self._rich_rule_source_fragment(rich_rule.source) rules = [] rules.append([add_del, "%s_allow" % (target), "-t", "nat"] + rule_fragment + ["!", "-o", "lo", "-j", "MASQUERADE"]) # FORWARD_OUT target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["FORWARD_OUT"], zone=zone) rule_fragment = [] if rich_rule: rule_fragment += self._rich_rule_destination_fragment( rich_rule.destination) rule_fragment += self._rich_rule_source_fragment(rich_rule.source) rules.append([add_del, "%s_allow" % (target), "-t", "filter"] + rule_fragment + ["-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"]) return rules
def build_zone_forward_port_rules(self, enable, zone, filter_chain, port, protocol, toport, toaddr, mark_id, rich_rule=None): add_del = {True: "-A", False: "-D"}[enable] mark_str = "0x%x" % mark_id mark = ["-m", "mark", "--mark", mark_str] to = "" if toaddr: if check_single_address("ipv6", toaddr): to += "[%s]" % toaddr else: to += toaddr if toport and toport != "": to += ":%s" % portStr(toport, "-") target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"], zone=zone) rule_fragment = ["-p", protocol, "--dport", portStr(port)] if rich_rule: rule_fragment += self._rich_rule_destination_fragment( rich_rule.destination) rule_fragment += self._rich_rule_source_fragment(rich_rule.source) rules = [] if rich_rule: rules.append( self._rich_rule_log(rich_rule, enable, "mangle", target, rule_fragment)) rules.append([add_del, "%s_allow" % (target), "-t", "mangle"] + rule_fragment + ["-j", "MARK", "--set-mark", mark_str]) # local and remote rules.append( [add_del, "%s_allow" % (target), "-t", "nat", "-p", protocol] + mark + ["-j", "DNAT", "--to-destination", to]) target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[filter_chain], zone=zone) rules.append([ add_del, "%s_allow" % (target), "-t", "filter", "-m", "conntrack", "--ctstate", "NEW" ] + mark + ["-j", "ACCEPT"]) return rules
def build_zone_masquerade_rule(self, enable, zone): add_del = { True: "-A", False: "-D" }[enable] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["POSTROUTING"], zone=zone) rules = [] rules.append([ add_del, "%s_allow" % (target), "!", "-o", "lo", "-t", "nat", "-j", "MASQUERADE" ]) # FORWARD_OUT target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["FORWARD_OUT"], zone=zone) rules.append([ add_del, "%s_allow" % (target), "-t", "filter", "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT" ]) return rules
def _rich_rule_action(self, zone, rich_rule, enable, table, target, rule_fragment): if not rich_rule.action: return [] add_del = {True: "-A", False: "-D"}[enable] if type(rich_rule.action) == Rich_Accept: chain = "%s_allow" % target rule_action = ["-j", "ACCEPT"] elif type(rich_rule.action) == Rich_Reject: chain = "%s_deny" % target rule_action = ["-j", "REJECT"] if rich_rule.action.type: rule_action += ["--reject-with", rich_rule.action.type] elif type(rich_rule.action) == Rich_Drop: chain = "%s_deny" % target rule_action = ["-j", "DROP"] elif type(rich_rule.action) == Rich_Mark: chain = "%s_allow" % target table = "mangle" target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"], zone=zone) rule_action = ["-j", "MARK", "--set-xmark", rich_rule.action.set] else: raise FirewallError(INVALID_RULE, "Unknown action %s" % type(rich_rule.action)) rule = [add_del, chain, "-t", table] rule += rule_fragment + rule_action rule += self._rule_limit(rich_rule.action.limit) return rule
def build_zone_source_interface(self, enable, zone, zone_target, interface, table, chain, append=False): # handle all zones in the same way here, now # trust and block zone targets are handled now in __chain opt = { "PREROUTING": "-i", "POSTROUTING": "-o", "INPUT": "-i", "FORWARD_IN": "-i", "FORWARD_OUT": "-o", "OUTPUT": "-o", }[chain] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) if zone_target == DEFAULT_ZONE_TARGET: action = "-g" else: action = "-j" if enable and not append: rule = [ "-I", "%s_ZONES" % chain, "1" ] elif enable: rule = [ "-A", "%s_ZONES" % chain ] else: rule = [ "-D", "%s_ZONES" % chain ] rule += [ "-t", table, opt, interface, action, target ] return rule
def build_zone_icmp_block_rules(self, enable, zone, icmp): add_del = {True: "-A", False: "-D"}[enable] if self.ipv == "ipv4": proto = ["-p", "icmp"] match = ["-m", "icmp", "--icmp-type", icmp] else: proto = ["-p", "ipv6-icmp"] match = ["-m", "icmp6", "--icmpv6-type", icmp] rules = [] for chain in ["INPUT", "FORWARD_IN"]: target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) if self._fw.zone.query_icmp_block_inversion(zone): final_chain = "%s_allow" % target final_target = "ACCEPT" else: final_chain = "%s_deny" % target final_target = "%%REJECT%%" if self._fw.get_log_denied() != "off" and final_target != "ACCEPT": rules.append([add_del, final_chain, "-t", "filter"] + proto + match + [ "%%LOGTYPE%%", "-j", "LOG", "--log-prefix", "\"%s_ICMP_BLOCK: \"" % zone ]) rules.append([ add_del, final_chain, "-t", "filter", ] + proto + match + ["-j", final_target]) return rules
def build_zone_icmp_block_inversion_rules(self, enable, zone): table = "filter" rules = [] for chain in ["INPUT", "FORWARD_IN"]: rule_idx = 4 _zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) if self._fw.zone.query_icmp_block_inversion(zone): ibi_target = "%%REJECT%%" if self._fw.get_log_denied() != "off": if enable: rule = ["-I", _zone, str(rule_idx)] else: rule = ["-D", _zone] rule = rule + [ "-t", table, "-p", "%%ICMP%%", "%%LOGTYPE%%", "-j", "LOG", "--log-prefix", "\"%s_ICMP_BLOCK: \"" % _zone ] rules.append(rule) rule_idx += 1 else: ibi_target = "ACCEPT" if enable: rule = ["-I", _zone, str(rule_idx)] else: rule = ["-D", _zone] rule = rule + ["-t", table, "-p", "%%ICMP%%", "-j", ibi_target] rules.append(rule) return rules
def build_zone_source_interface_rules(self, enable, zone, zone_target, interface, table, chain, append=False): # handle all zones in the same way here, now # trust and block zone targets are handled now in __chain opt = { "PREROUTING": "-i", "POSTROUTING": "-o", "INPUT": "-i", "FORWARD_IN": "-i", "FORWARD_OUT": "-o", "OUTPUT": "-o", }[chain] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) if zone_target == DEFAULT_ZONE_TARGET: action = "-g" else: action = "-j" if enable and not append: rule = ["-I", "%s_ZONES" % chain, "1"] elif enable: rule = ["-A", "%s_ZONES" % chain] else: rule = ["-D", "%s_ZONES" % chain] rule += ["-t", table, opt, interface, action, target] return [rule]
def build_zone_icmp_block_inversion_rules(self, enable, zone): rule_idx = 4 table = "filter" rules = [] for chain in [ "INPUT", "FORWARD_IN" ]: _zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) if self._fw.zone.query_icmp_block_inversion(zone): ibi_target = "%%REJECT%%" if self._fw.get_log_denied() != "off": if enable: rule = [ "-I", _zone, str(rule_idx) ] else: rule = [ "-D", _zone ] rule = rule + [ "-t", table, "-p", "%%ICMP%%", "%%LOGTYPE%%", "-j", "LOG", "--log-prefix", "\"%s_ICMP_BLOCK: \"" % _zone ] rules.append(rule) rule_idx += 1 else: ibi_target = "ACCEPT" if enable: rule = [ "-I", _zone, str(rule_idx) ] else: rule = [ "-D", _zone ] rule = rule + [ "-t", table, "-p", "%%ICMP%%", "-j", ibi_target ] rules.append(rule) return rules
def build_zone_icmp_block_rules(self, enable, zone, icmp): add_del = { True: "-A", False: "-D" }[enable] if self.ipv == "ipv4": proto = [ "-p", "icmp" ] match = [ "-m", "icmp", "--icmp-type", icmp ] else: proto = [ "-p", "ipv6-icmp" ] match = [ "-m", "icmp6", "--icmpv6-type", icmp ] rules = [] for chain in ["INPUT", "FORWARD_IN"]: target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) if self._fw.zone.query_icmp_block_inversion(zone): final_chain = "%s_allow" % target final_target = "ACCEPT" else: final_chain = "%s_deny" % target final_target = "%%REJECT%%" if self._fw.get_log_denied() != "off" and final_target != "ACCEPT": rules.append([ add_del, final_chain, "-t", "filter" ] + proto + match + [ "%%LOGTYPE%%", "-j", "LOG", "--log-prefix", "\"%s_ICMP_BLOCK: \"" % zone ]) rules.append([ add_del, final_chain, "-t", "filter", ] + proto + match + [ "-j", final_target ]) return rules
def build_zone_source_ports_rules(self, enable, zone, proto, port, destination=None, rich_rule=None): add_del = { True: "-A", False: "-D" }[enable] table = "filter" target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone) rule_fragment = [ "-p", proto ] if port: rule_fragment += [ "--sport", "%s" % portStr(port) ] if destination: rule_fragment += [ "-d", destination ] if rich_rule: rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination) rule_fragment += self._rich_rule_source_fragment(rich_rule.source) if not rich_rule or rich_rule.action != Rich_Mark: rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW" ] rules = [] if rich_rule: rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment)) rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment)) rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment)) else: rules.append([add_del, "%s_allow" % (target), "-t", table] + rule_fragment + [ "-j", "ACCEPT" ]) return rules
def build_zone_protocol_rule(self, enable, zone, protocol): add_del = { True: "-A", False: "-D" }[enable] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone) rule = [ add_del, "%s_allow" % (target), "-t", "filter", "-p", protocol, "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT" ] return rule
def build_zone_icmp_block_rules(self, enable, zone, ict, rich_rule=None): table = "filter" add_del = {True: "-A", False: "-D"}[enable] if self.ipv == "ipv4": proto = ["-p", "icmp"] match = ["-m", "icmp", "--icmp-type", ict.name] else: proto = ["-p", "ipv6-icmp"] match = ["-m", "icmp6", "--icmpv6-type", ict.name] rules = [] for chain in ["INPUT", "FORWARD_IN"]: target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) if self._fw.zone.query_icmp_block_inversion(zone): final_chain = "%s_allow" % target final_target = "ACCEPT" else: final_chain = "%s_deny" % target final_target = "%%REJECT%%" rule_fragment = [] if rich_rule: rule_fragment += self._rich_rule_destination_fragment( rich_rule.destination) rule_fragment += self._rich_rule_source_fragment( rich_rule.source) rule_fragment += proto + match if rich_rule: rules.append( self._rich_rule_log(rich_rule, enable, table, target, rule_fragment)) rules.append( self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment)) if rich_rule.action: rules.append( self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment)) else: rules.append( [add_del, "%s_deny" % target, "-t", table] + rule_fragment + ["-j", "%%REJECT%%"]) else: if self._fw.get_log_denied( ) != "off" and final_target != "ACCEPT": rules.append( [add_del, final_chain, "-t", table] + rule_fragment + [ "%%LOGTYPE%%", "-j", "LOG", "--log-prefix", "\"%s_ICMP_BLOCK: \"" % zone ]) rules.append([add_del, final_chain, "-t", table] + rule_fragment + ["-j", final_target]) return rules
def build_zone_masquerade_rule(self, enable, zone): add_del = {True: "-A", False: "-D"}[enable] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["POSTROUTING"], zone=zone) rules = [] rules.append([ add_del, "%s_allow" % (target), "!", "-o", "lo", "-t", "nat", "-j", "MASQUERADE" ]) # FORWARD_OUT target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["FORWARD_OUT"], zone=zone) rules.append([ add_del, "%s_allow" % (target), "-t", "filter", "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT" ]) return rules
def build_zone_protocol_rule(self, enable, zone, protocol): add_del = {True: "-A", False: "-D"}[enable] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone) rule = [ add_del, "%s_allow" % (target), "-t", "filter", "-p", protocol, "-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT" ] return rule
def build_zone_ports_rule(self, enable, zone, proto, port, destination=None): add_del = { True: "-A", False: "-D" }[enable] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone) rule = [ add_del, "%s_allow" % (target), "-t", "filter", "-p", proto ] if port: rule += [ "--dport", "%s" % portStr(port) ] if destination: rule += [ "-d", destination ] rule += [ "-m", "conntrack", "--ctstate", "NEW" ] rule += [ "-j", "ACCEPT" ] return rule
def build_zone_helper_ports_rules(self, enable, zone, proto, port, destination, helper_name): add_del = {True: "-A", False: "-D"}[enable] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"], zone=zone) rule = [add_del, "%s_allow" % (target), "-t", "raw", "-p", proto] if port: rule += ["--dport", "%s" % portStr(port)] if destination: rule += ["-d", destination] rule += ["-j", "CT", "--helper", helper_name] return [rule]
def build_zone_helper_ports_rule(self, enable, zone, proto, port, destination, helper_name): add_del = { True: "-A", False: "-D" }[enable] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"], zone=zone) rule = [ add_del, "%s_allow" % (target), "-t", "raw", "-p", proto ] if port: rule += [ "--dport", "%s" % portStr(port) ] if destination: rule += [ "-d", destination ] rule += [ "-j", "CT", "--helper", helper_name ] return rule
def build_zone_source_address_rules(self, enable, zone, zone_target, address, table, chain): add_del = {True: "-A", False: "-D"}[enable] opt = { "PREROUTING": "-s", "POSTROUTING": "-d", "INPUT": "-s", "FORWARD_IN": "-s", "FORWARD_OUT": "-d", "OUTPUT": "-d", }[chain] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) if zone_target == DEFAULT_ZONE_TARGET: action = "-g" else: action = "-j" if address.startswith("ipset:"): name = address[6:] if opt == "-d": opt = "dst" else: opt = "src" flags = ",".join([opt] * self._fw.ipset.get_dimension(name)) rule = [ add_del, "%s_ZONES_SOURCE" % chain, "-t", table, "-m", "set", "--match-set", name, flags, action, target ] else: if check_mac(address): # outgoing can not be set if opt == "-d": return "" rule = [ add_del, "%s_ZONES_SOURCE" % chain, "-t", table, "-m", "mac", "--mac-source", address.upper(), action, target ] else: rule = [ add_del, "%s_ZONES_SOURCE" % chain, "-t", table, opt, address, action, target ] return [rule]
def build_zone_rich_source_destination_rules(self, enable, zone, rich_rule): table = "filter" target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone) rule_fragment = [] rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination) rule_fragment += self._rich_rule_source_fragment(rich_rule.source) rules = [] rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment)) rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment)) rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment)) return rules
def build_zone_chain_rules(self, zone, table, chain): _zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) OUR_CHAINS[table].update( set([ _zone, "%s_log" % _zone, "%s_deny" % _zone, "%s_allow" % _zone ])) rules = [] rules.append(["-N", _zone, "-t", table]) rules.append(["-N", "%s_log" % _zone, "-t", table]) rules.append(["-N", "%s_deny" % _zone, "-t", table]) rules.append(["-N", "%s_allow" % _zone, "-t", table]) rules.append(["-I", _zone, "1", "-t", table, "-j", "%s_log" % _zone]) rules.append(["-I", _zone, "2", "-t", table, "-j", "%s_deny" % _zone]) rules.append(["-I", _zone, "3", "-t", table, "-j", "%s_allow" % _zone]) # Handle trust, block and drop zones: # Add an additional rule with the zone target (accept, reject # or drop) to the base zone only in the filter table. # Otherwise it is not be possible to have a zone with drop # target, that is allowing traffic that is locally initiated # or that adds additional rules. (RHBZ#1055190) target = self._fw.zone._zones[zone].target if table == "filter" and \ target in [ "ACCEPT", "REJECT", "%%REJECT%%", "DROP" ] and \ chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]: rules.append(["-I", _zone, "4", "-t", table, "-j", target]) if self._fw.get_log_denied() != "off": if table == "filter" and \ chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]: if target in ["REJECT", "%%REJECT%%"]: rules.append([ "-I", _zone, "4", "-t", table, "%%LOGTYPE%%", "-j", "LOG", "--log-prefix", "\"%s_REJECT: \"" % _zone ]) if target == "DROP": rules.append([ "-I", _zone, "4", "-t", table, "%%LOGTYPE%%", "-j", "LOG", "--log-prefix", "\"%s_DROP: \"" % _zone ]) return rules
def build_zone_source_ports_rule(self, enable, zone, proto, port, destination=None): add_del = {True: "-A", False: "-D"}[enable] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone) rule = [add_del, "%s_allow" % (target), "-t", "filter", "-p", proto] if port: rule += ["--sport", "%s" % portStr(port)] if destination: rule += ["-d", destination] rule += ["-m", "conntrack", "--ctstate", "NEW"] rule += ["-j", "ACCEPT"] return rule
def build_zone_source_address(self, enable, zone, zone_target, address, table, chain): add_del = { True: "-A", False: "-D" }[enable] opt = { "PREROUTING": "-s", "POSTROUTING": "-d", "INPUT": "-s", "FORWARD_IN": "-s", "FORWARD_OUT": "-d", "OUTPUT": "-d", }[chain] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) if zone_target == DEFAULT_ZONE_TARGET: action = "-g" else: action = "-j" if address.startswith("ipset:"): name = address[6:] if opt == "-d": opt = "dst" else: opt = "src" flags = ",".join([opt] * self._fw.ipset.get_dimension(name)) rule = [ add_del, "%s_ZONES_SOURCE" % chain, "-t", table, "-m", "set", "--match-set", name, flags, action, target ] else: if check_mac(address): # outgoing can not be set if opt == "-d": return "" rule = [ add_del, "%s_ZONES_SOURCE" % chain, "-t", table, "-m", "mac", "--mac-source", address.upper(), action, target ] else: rule = [ add_del, "%s_ZONES_SOURCE" % chain, "-t", table, opt, address, action, target ] return rule
def build_zone_chain_rules(self, zone, table, chain): _zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) OUR_CHAINS[table].update(set([_zone, "%s_log" % _zone, "%s_deny" % _zone, "%s_allow" % _zone])) rules = [] rules.append([ "-N", _zone, "-t", table ]) rules.append([ "-N", "%s_log" % _zone, "-t", table ]) rules.append([ "-N", "%s_deny" % _zone, "-t", table ]) rules.append([ "-N", "%s_allow" % _zone, "-t", table ]) rules.append([ "-I", _zone, "1", "-t", table, "-j", "%s_log" % _zone ]) rules.append([ "-I", _zone, "2", "-t", table, "-j", "%s_deny" % _zone ]) rules.append([ "-I", _zone, "3", "-t", table, "-j", "%s_allow" % _zone ]) # Handle trust, block and drop zones: # Add an additional rule with the zone target (accept, reject # or drop) to the base zone only in the filter table. # Otherwise it is not be possible to have a zone with drop # target, that is allowing traffic that is locally initiated # or that adds additional rules. (RHBZ#1055190) target = self._fw.zone._zones[zone].target if table == "filter" and \ target in [ "ACCEPT", "REJECT", "%%REJECT%%", "DROP" ] and \ chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]: rules.append([ "-I", _zone, "4", "-t", table, "-j", target ]) if self._fw.get_log_denied() != "off": if table == "filter" and \ chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]: if target in [ "REJECT", "%%REJECT%%" ]: rules.append([ "-I", _zone, "4", "-t", table, "%%LOGTYPE%%", "-j", "LOG", "--log-prefix", "\"%s_REJECT: \"" % _zone ]) if target == "DROP": rules.append([ "-I", _zone, "4", "-t", table, "%%LOGTYPE%%", "-j", "LOG", "--log-prefix", "\"%s_DROP: \"" % _zone ]) return rules