    def _check_config(self, config, item):
        """Validate one configuration item of a service definition.

        Args:
            config: The value stored under ``item``: ``(port, protocol)``
                pairs for ``"ports"`` and ``"source_ports"``, protocol names
                for ``"protocols"``, a mapping keyed by ``"ipv4"``/``"ipv6"``
                for ``"destination"``, and module names for ``"modules"``.
            item: The configuration key naming what ``config`` holds.

        Raises:
            FirewallError: For an unknown destination family or a module
                name that is not of the form ``nf_conntrack_<name>``.
                Individual ports, protocols and addresses are validated by
                ``check_port``, ``check_tcpudp``, ``check_protocol`` and
                ``check_address``.

        Items not listed above are accepted without any check.
        """
        def check_ports():
            for entry in config:
                if entry[0] == "":
                    # An empty port means the entry is protocol-only.
                    check_protocol(entry[1])
                else:
                    check_port(entry[0])
                    check_tcpudp(entry[1])

        def check_protocols():
            for proto in config:
                check_protocol(proto)

        def check_source_ports():
            for entry in config:
                check_port(entry[0])
                check_tcpudp(entry[1])

        def check_destinations():
            for family in config:
                if family not in ("ipv4", "ipv6"):
                    raise FirewallError(errors.INVALID_DESTINATION,
                                        "'%s' not in {'ipv4'|'ipv6'}" % family)
                check_address(family, config[family])

        def check_modules():
            for module in config:
                # The prefix is mandatory and something must remain after
                # every occurrence of it is stripped.
                remainder = module.replace("nf_conntrack_", "")
                if not module.startswith("nf_conntrack_") or len(remainder) < 1:
                    raise FirewallError(errors.INVALID_MODULE, module)

        handlers = {
            "ports": check_ports,
            "protocols": check_protocols,
            "source_ports": check_source_ports,
            "destination": check_destinations,
            "modules": check_modules,
        }
        handler = handlers.get(item)
        if handler is not None:
            handler()
    def _check_config(self, config, item, all_config):
        """Validate one configuration item of a service definition.

        Args:
            config: The value stored under ``item``: ``(port, protocol)``
                pairs for ``"ports"`` and ``"source_ports"``, protocol names
                for ``"protocols"``, a mapping keyed by ``"ipv4"``/``"ipv6"``
                for ``"destination"``, and module names for ``"modules"``.
            item: The configuration key naming what ``config`` holds.
            all_config: The complete configuration; not consulted here.

        Raises:
            FirewallError: For an unknown destination family or a module
                name shorter than two characters after normalisation.
                Individual ports, protocols and addresses are validated by
                ``check_port``, ``check_tcpudp``, ``check_protocol`` and
                ``check_address``.

        Items not listed above are accepted without any check.
        """
        def check_ports():
            for entry in config:
                if entry[0] == "":
                    # An empty port means the entry is protocol-only.
                    check_protocol(entry[1])
                else:
                    check_port(entry[0])
                    check_tcpudp(entry[1])

        def check_protocols():
            for proto in config:
                check_protocol(proto)

        def check_source_ports():
            for entry in config:
                check_port(entry[0])
                check_tcpudp(entry[1])

        def check_destinations():
            for family in config:
                if family not in ("ipv4", "ipv6"):
                    raise FirewallError(errors.INVALID_DESTINATION,
                                        "'%s' not in {'ipv4'|'ipv6'}" % family)
                check_address(family, config[family])

        def check_modules():
            for module in config:
                name = module
                if name.startswith("nf_conntrack_"):
                    # Normalise nf_conntrack_* names to their short,
                    # dash-separated form before checking the length.
                    name = name.replace("nf_conntrack_", "").replace("_", "-")
                # NOTE(review): names without the nf_conntrack_ prefix are
                # only length-checked here -- confirm that is intended.
                if len(name) < 2:
                    raise FirewallError(errors.INVALID_MODULE, name)

        handlers = {
            "ports": check_ports,
            "protocols": check_protocols,
            "source_ports": check_source_ports,
            "destination": check_destinations,
            "modules": check_modules,
        }
        handler = handlers.get(item)
        if handler is not None:
            handler()
 def startElement(self, name, attrs):
     """SAX start-tag callback for a service definition.

     Hands the element to the base handler, lets ``self.item`` check the
     element's attributes, then records the element on ``self.item``.
     Entries that are already present are dropped with a warning.

     Args:
         name: The element's tag name.
         attrs: The element's attribute mapping.
     """
     IO_Object_ContentHandler.startElement(self, name, attrs)
     self.item.parser_check_element_attrs(name, attrs)

     def remember(container, entry, message, *fmt_args):
         # Append ``entry`` unless it is already present; duplicates only warn.
         if entry in container:
             log.warning(message, *fmt_args)
         else:
             container.append(entry)

     if name == "service":
         if "name" in attrs:
             log.warning("Ignoring deprecated attribute name='%s'",
                         attrs["name"])
         if "version" in attrs:
             self.item.version = attrs["version"]
         return

     if name in ("short", "description"):
         # Nothing to record on the start tag of these elements.
         return

     if name == "port":
         port = attrs["port"]
         if port == "":
             # An empty port attribute means the entry is protocol-only.
             check_protocol(attrs["protocol"])
             remember(self.item.protocols, attrs["protocol"],
                      "Protocol '%s' already set, ignoring.",
                      attrs["protocol"])
         else:
             check_port(port)
             check_tcpudp(attrs["protocol"])
             remember(self.item.ports, (port, attrs["protocol"]),
                      "Port '%s/%s' already set, ignoring.",
                      port, attrs["protocol"])
         return

     if name == "protocol":
         value = attrs["value"]
         check_protocol(value)
         remember(self.item.protocols, value,
                  "Protocol '%s' already set, ignoring.", value)
         return

     if name == "source-port":
         check_port(attrs["port"])
         check_tcpudp(attrs["protocol"])
         entry = (attrs["port"], attrs["protocol"])
         remember(self.item.source_ports, entry,
                  "SourcePort '%s/%s' already set, ignoring.", *entry)
         return

     if name == "destination":
         for family in ("ipv4", "ipv6"):
             if family not in attrs:
                 continue
             check_address(family, attrs[family])
             if family in self.item.destination:
                 log.warning(
                     "Destination address for '%s' already set, ignoring",
                     family)
             else:
                 self.item.destination[family] = attrs[family]
         return

     if name == "module":
         module = attrs["name"]
         if module.startswith("nf_conntrack_"):
             # Store nf_conntrack_* modules in their short, dash-separated form.
             module = module.replace("nf_conntrack_", "").replace("_", "-")
         # NOTE(review): names without the nf_conntrack_ prefix are stored
         # as given, without any validation here -- confirm that is intended.
         remember(self.item.modules, module,
                  "Module '%s' already set, ignoring.", module)
         return

     if name == "include":
         remember(self.item.includes, attrs["service"],
                  "Include '%s' already set, ignoring.", attrs["service"])
         return

     if name == "helper":
         remember(self.item.helpers, attrs["name"],
                  "Helper '%s' already set, ignoring.", attrs["name"])
 def startElement(self, name, attrs):
     """SAX start-tag callback for a service definition.

     Hands the element to the base handler, lets ``self.item`` check the
     element's attributes, then records the element on ``self.item``.
     Entries that are already present are dropped with a warning.

     Args:
         name: The element's tag name.
         attrs: The element's attribute mapping.
     """
     IO_Object_ContentHandler.startElement(self, name, attrs)
     self.item.parser_check_element_attrs(name, attrs)

     def remember(container, entry, message, *fmt_args):
         # Append ``entry`` unless it is already present; duplicates only warn.
         if entry in container:
             log.warning(message, *fmt_args)
         else:
             container.append(entry)

     if name == "service":
         if "name" in attrs:
             log.warning("Ignoring deprecated attribute name='%s'",
                         attrs["name"])
         if "version" in attrs:
             self.item.version = attrs["version"]
         return

     if name in ("short", "description"):
         # Nothing to record on the start tag of these elements.
         return

     if name == "port":
         port = attrs["port"]
         if port == "":
             # An empty port attribute means the entry is protocol-only.
             check_protocol(attrs["protocol"])
             remember(self.item.protocols, attrs["protocol"],
                      "Protocol '%s' already set, ignoring.",
                      attrs["protocol"])
         else:
             check_port(port)
             check_tcpudp(attrs["protocol"])
             remember(self.item.ports, (port, attrs["protocol"]),
                      "Port '%s/%s' already set, ignoring.",
                      port, attrs["protocol"])
         return

     if name == "protocol":
         value = attrs["value"]
         check_protocol(value)
         remember(self.item.protocols, value,
                  "Protocol '%s' already set, ignoring.", value)
         return

     if name == "source-port":
         check_port(attrs["port"])
         check_tcpudp(attrs["protocol"])
         entry = (attrs["port"], attrs["protocol"])
         remember(self.item.source_ports, entry,
                  "SourcePort '%s/%s' already set, ignoring.", *entry)
         return

     if name == "destination":
         for family in ("ipv4", "ipv6"):
             if family not in attrs:
                 continue
             check_address(family, attrs[family])
             if family in self.item.destination:
                 log.warning(
                     "Destination address for '%s' already set, ignoring",
                     family)
             else:
                 self.item.destination[family] = attrs[family]
         return

     if name == "module":
         module = attrs["name"]
         # Only nf_conntrack_<something> names are accepted; the name is
         # stored in full, not in a shortened form.
         valid = (module.startswith("nf_conntrack_")
                  and len(module.replace("nf_conntrack_", "")) > 0)
         if valid:
             remember(self.item.modules, module,
                      "Module '%s' already set, ignoring.", module)
         else:
             # Rejected names are logged and dropped, never stored.
             log.warning("Invalid module '%s'", module)