def parse_forward_port(self, value, compat=False):
port = None
protocol = None
toport = None
toaddr = None
i = 0
while ("=" in value[i:]):
opt = value[i:].split("=", 1)[0]
i += len(opt) + 1
if "=" in value[i:]:
val = value[i:].split(":", 1)[0]
else:
val = value[i:]
i += len(val) + 1
if opt == "port":
port = val
elif opt == "proto":
protocol = val
elif opt == "toport":
toport = val
elif opt == "toaddr":
toaddr = val
elif opt == "if" and compat:
# ignore if option in compat mode
pass
else:
raise FirewallError(errors.INVALID_FORWARD,
"invalid forward port arg '%s'" % (opt))
if not port:
raise FirewallError(errors.INVALID_FORWARD, "missing port")
if not protocol:
raise FirewallError(errors.INVALID_FORWARD, "missing protocol")
if not (toport or toaddr):
raise FirewallError(errors.INVALID_FORWARD, "missing destination")
if not check_port(port):
raise FirewallError(errors.INVALID_PORT, port)
if protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
raise FirewallError(errors.INVALID_PROTOCOL,
"'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
protocol)
if toport and not check_port(toport):
raise FirewallError(errors.INVALID_PORT, toport)
if toaddr and not check_single_address("ipv4", toaddr):
if compat or not check_single_address("ipv6", toaddr):
raise FirewallError(errors.INVALID_ADDR, toaddr)
return (port, protocol, toport, toaddr)
def parse_forward_port(self, value, compat=False):
port = None
protocol = None
toport = None
toaddr = None
i = 0
while ("=" in value[i:]):
opt = value[i:].split("=", 1)[0]
i += len(opt) + 1
if "=" in value[i:]:
val = value[i:].split(":", 1)[0]
else:
val = value[i:]
i += len(val) + 1
if opt == "port":
port = val
elif opt == "proto":
protocol = val
elif opt == "toport":
toport = val
elif opt == "toaddr":
toaddr = val
elif opt == "if" and compat:
# ignore if option in compat mode
pass
else:
raise FirewallError(errors.INVALID_FORWARD,
"invalid forward port arg '%s'" % (opt))
if not port:
raise FirewallError(errors.INVALID_FORWARD, "missing port")
if not protocol:
raise FirewallError(errors.INVALID_FORWARD, "missing protocol")
if not (toport or toaddr):
raise FirewallError(errors.INVALID_FORWARD, "missing destination")
if not check_port(port):
raise FirewallError(errors.INVALID_PORT, port)
if protocol not in ["tcp", "udp", "sctp", "dccp"]:
raise FirewallError(errors.INVALID_PROTOCOL,
"'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
protocol)
if toport and not check_port(toport):
raise FirewallError(errors.INVALID_PORT, toport)
if toaddr and not check_single_address("ipv4", toaddr):
if compat or not check_single_address("ipv6", toaddr):
raise FirewallError(errors.INVALID_ADDR, toaddr)
return (port, protocol, toport, toaddr)
def parse_port(self, value, separator="/"):
try:
(port, proto) = value.split(separator)
except ValueError:
raise FirewallError(errors.INVALID_PORT, "bad port (most likely "
"missing protocol), correct syntax is "
"portid[-portid]%sprotocol" % separator)
if not check_port(port):
raise FirewallError(errors.INVALID_PORT, port)
if proto not in [ "tcp", "udp" ]:
raise FirewallError(errors.INVALID_PROTOCOL,
"'%s' not in {'tcp'|'udp'}" % proto)
return (port, proto)
def parse_forward_port(self, value):
port = None
protocol = None
toport = None
toaddr = None
args = value.split(":")
for arg in args:
try:
(opt, val) = arg.split("=")
if opt == "port":
port = val
elif opt == "proto":
protocol = val
elif opt == "toport":
toport = val
elif opt == "toaddr":
toaddr = val
except ValueError:
raise FirewallError(errors.INVALID_FORWARD,
"invalid forward port arg '%s'" % (arg))
if not port:
raise FirewallError(errors.INVALID_FORWARD, "missing port")
if not protocol:
raise FirewallError(errors.INVALID_FORWARD, "missing protocol")
if not (toport or toaddr):
raise FirewallError(errors.INVALID_FORWARD, "missing destination")
if not check_port(port):
raise FirewallError(errors.INVALID_PORT, port)
if protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
raise FirewallError(errors.INVALID_PROTOCOL,
"'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
protocol)
if toport and not check_port(toport):
raise FirewallError(errors.INVALID_PORT, toport)
if toaddr and not check_single_address("ipv4", toaddr):
raise FirewallError(errors.INVALID_ADDR, toaddr)
return (port, protocol, toport, toaddr)
def parse_forward_port(self, value):
port = None
protocol = None
toport = None
toaddr = None
args = value.split(":")
for arg in args:
try:
(opt, val) = arg.split("=")
if opt == "port":
port = val
elif opt == "proto":
protocol = val
elif opt == "toport":
toport = val
elif opt == "toaddr":
toaddr = val
except ValueError:
raise FirewallError(errors.INVALID_FORWARD,
"invalid forward port arg '%s'" % (arg))
if not port:
raise FirewallError(errors.INVALID_FORWARD, "missing port")
if not protocol:
raise FirewallError(errors.INVALID_FORWARD, "missing protocol")
if not (toport or toaddr):
raise FirewallError(errors.INVALID_FORWARD, "missing destination")
if not check_port(port):
raise FirewallError(errors.INVALID_PORT, port)
if protocol not in [ "tcp", "udp" ]:
raise FirewallError(errors.INVALID_PROTOCOL,
"'%s' not in {'tcp'|'udp'}" % protocol)
if toport and not check_port(toport):
raise FirewallError(errors.INVALID_PORT, toport)
if toaddr and not check_single_address("ipv4", toaddr):
raise FirewallError(errors.INVALID_ADDR, toaddr)
return (port, protocol, toport, toaddr)
def check(self):
if self.family is not None and self.family not in ["ipv4", "ipv6"]:
raise FirewallError(INVALID_FAMILY, self.family)
if self.family is None:
if self.source is not None or self.destination is not None:
raise FirewallError(MISSING_FAMILY)
if type(self.element) == Rich_ForwardPort:
raise FirewallError(MISSING_FAMILY)
if self.element is None:
if self.action is None:
raise FirewallError(INVALID_RULE, "no element, no action")
if self.source is None:
raise FirewallError(INVALID_RULE, "no element, no source")
if self.destination is not None:
raise FirewallError(INVALID_RULE, "destination action")
if type(self.element) not in [
Rich_IcmpBlock, Rich_ForwardPort, Rich_Masquerade
]:
if self.log is None and self.audit is None and \
self.action is None:
raise FirewallError(INVALID_RULE,
"no action, no log, no audit")
# source
if self.source is not None:
if self.family is None:
raise FirewallError(INVALID_FAMILY)
if self.source.addr is None or \
not functions.check_address(self.family,
self.source.addr):
raise FirewallError(INVALID_ADDR, str(self.source.addr))
# destination
if self.destination is not None:
if self.family is None:
raise FirewallError(INVALID_FAMILY)
if self.destination.addr is None or \
not functions.check_address(self.family,
self.destination.addr):
raise FirewallError(INVALID_ADDR, str(self.destination.addr))
# service
if type(self.element) == Rich_Service:
# service availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(INVALID_SERVICE, str(self.element.name))
# port
elif type(self.element) == Rich_Port:
if not functions.check_port(self.element.port):
raise FirewallError(INVALID_PORT, self.element.port)
if not self.element.protocol in ["tcp", "udp"]:
raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
# protocol
elif type(self.element) == Rich_Protocol:
if not functions.checkProtocol(self.element.value):
raise FirewallError(INVALID_PROTOCOL, self.element.value)
# masquerade
elif type(self.element) == Rich_Masquerade:
if self.destination is not None:
raise FirewallError(INVALID_RULE, "masquerade and destination")
if self.action is not None:
raise FirewallError(INVALID_RULE, "masquerade and action")
# icmp-block
elif type(self.element) == Rich_IcmpBlock:
# icmp type availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(INVALID_ICMPTYPE, str(self.element.name))
if self.action:
raise FirewallError(INVALID_RULE, "icmp-block and action")
# forward-port
elif type(self.element) == Rich_ForwardPort:
if not functions.check_port(self.element.port):
raise FirewallError(INVALID_PORT, self.element.port)
if not self.element.protocol in ["tcp", "udp"]:
raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
if self.element.to_port == "" and self.element.to_address == "":
raise FirewallError(INVALID_PORT, self.element.to_port)
if self.element.to_port != "" and \
not functions.check_port(self.element.to_port):
raise FirewallError(INVALID_PORT, self.element.to_port)
if self.element.to_address != "" and \
not functions.check_single_address(self.family,
self.element.to_address):
raise FirewallError(INVALID_ADDR, self.element.to_address)
if self.family is None:
raise FirewallError(INVALID_FAMILY)
if self.action is not None:
raise FirewallError(INVALID_RULE, "forward-port and action")
# other element and not empty?
elif self.element is not None:
raise FirewallError(INVALID_RULE,
"Unknown element %s" % type(self.element))
# log
if self.log is not None:
if self.log.level and \
self.log.level not in [ "emerg", "alert", "crit", "error",
"warning", "notice", "info", "debug" ]:
raise FirewallError(INVALID_LOG_LEVEL, self.log.level)
if self.log.limit is not None:
self.log.limit.check()
# audit
if self.audit is not None:
if type(self.action) not in [Rich_Accept, Rich_Reject, Rich_Drop]:
raise FirewallError(INVALID_AUDIT_TYPE, type(self.action))
if self.audit.limit is not None:
self.audit.limit.check()
# action
if self.action is not None:
if type(self.action) == Rich_Reject:
self.action.check(self.family)
if self.action.limit is not None:
self.action.limit.check()
def check_port(self, port):
if not functions.check_port(port):
raise FirewallError(errors.INVALID_PORT, port)
def check(self):
if self.family is not None and self.family not in ["ipv4", "ipv6"]:
raise FirewallError(errors.INVALID_FAMILY, self.family)
if self.family is None:
if (self.source is not None and self.source.addr is not None) or \
self.destination is not None:
raise FirewallError(errors.MISSING_FAMILY)
if type(self.element) == Rich_ForwardPort:
raise FirewallError(errors.MISSING_FAMILY)
if self.priority < self.priority_min or self.priority > self.priority_max:
raise FirewallError(errors.INVALID_PRIORITY, "'priority' attribute must be between %d and %d." \
% (self.priority_min, self.priority_max))
if self.element is None and \
(self.log is None or (self.log is not None and self.priority == 0)):
if self.action is None:
raise FirewallError(errors.INVALID_RULE,
"no element, no action")
if self.source is None and self.destination is None and self.priority == 0:
raise FirewallError(errors.INVALID_RULE,
"no element, no source, no destination")
if type(self.element) not in [
Rich_IcmpBlock, Rich_ForwardPort, Rich_Masquerade,
Rich_Tcp_Mss_Clamp
]:
if self.log is None and self.audit is None and \
self.action is None:
raise FirewallError(errors.INVALID_RULE,
"no action, no log, no audit")
# source
if self.source is not None:
if self.source.addr is not None:
if self.family is None:
raise FirewallError(errors.INVALID_FAMILY)
if self.source.mac is not None:
raise FirewallError(errors.INVALID_RULE, "address and mac")
if self.source.ipset is not None:
raise FirewallError(errors.INVALID_RULE,
"address and ipset")
if not functions.check_address(self.family, self.source.addr):
raise FirewallError(errors.INVALID_ADDR,
str(self.source.addr))
elif self.source.mac is not None:
if self.source.ipset is not None:
raise FirewallError(errors.INVALID_RULE, "mac and ipset")
if not functions.check_mac(self.source.mac):
raise FirewallError(errors.INVALID_MAC,
str(self.source.mac))
elif self.source.ipset is not None:
if not check_ipset_name(self.source.ipset):
raise FirewallError(errors.INVALID_IPSET,
str(self.source.ipset))
else:
raise FirewallError(errors.INVALID_RULE, "invalid source")
# destination
if self.destination is not None:
if self.destination.addr is not None:
if self.family is None:
raise FirewallError(errors.INVALID_FAMILY)
if self.destination.ipset is not None:
raise FirewallError(errors.INVALID_DESTINATION,
"address and ipset")
if not functions.check_address(self.family,
self.destination.addr):
raise FirewallError(errors.INVALID_ADDR,
str(self.destination.addr))
elif self.destination.ipset is not None:
if not check_ipset_name(self.destination.ipset):
raise FirewallError(errors.INVALID_IPSET,
str(self.destination.ipset))
else:
raise FirewallError(errors.INVALID_RULE, "invalid destination")
# service
if type(self.element) == Rich_Service:
# service availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(errors.INVALID_SERVICE,
str(self.element.name))
# port
elif type(self.element) == Rich_Port:
if not functions.check_port(self.element.port):
raise FirewallError(errors.INVALID_PORT, self.element.port)
if self.element.protocol not in ["tcp", "udp", "sctp", "dccp"]:
raise FirewallError(errors.INVALID_PROTOCOL,
self.element.protocol)
# protocol
elif type(self.element) == Rich_Protocol:
if not functions.checkProtocol(self.element.value):
raise FirewallError(errors.INVALID_PROTOCOL,
self.element.value)
# masquerade
elif type(self.element) == Rich_Masquerade:
if self.action is not None:
raise FirewallError(errors.INVALID_RULE,
"masquerade and action")
if self.source is not None and self.source.mac is not None:
raise FirewallError(errors.INVALID_RULE,
"masquerade and mac source")
# icmp-block
elif type(self.element) == Rich_IcmpBlock:
# icmp type availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(errors.INVALID_ICMPTYPE,
str(self.element.name))
if self.action:
raise FirewallError(errors.INVALID_RULE,
"icmp-block and action")
# icmp-type
elif type(self.element) == Rich_IcmpType:
# icmp type availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(errors.INVALID_ICMPTYPE,
str(self.element.name))
# forward-port
elif type(self.element) == Rich_ForwardPort:
if not functions.check_port(self.element.port):
raise FirewallError(errors.INVALID_PORT, self.element.port)
if self.element.protocol not in ["tcp", "udp", "sctp", "dccp"]:
raise FirewallError(errors.INVALID_PROTOCOL,
self.element.protocol)
if self.element.to_port == "" and self.element.to_address == "":
raise FirewallError(errors.INVALID_PORT, self.element.to_port)
if self.element.to_port != "" and \
not functions.check_port(self.element.to_port):
raise FirewallError(errors.INVALID_PORT, self.element.to_port)
if self.element.to_address != "" and \
not functions.check_single_address(self.family,
self.element.to_address):
raise FirewallError(errors.INVALID_ADDR,
self.element.to_address)
if self.family is None:
raise FirewallError(errors.INVALID_FAMILY)
if self.action is not None:
raise FirewallError(errors.INVALID_RULE,
"forward-port and action")
# source-port
elif type(self.element) == Rich_SourcePort:
if not functions.check_port(self.element.port):
raise FirewallError(errors.INVALID_PORT, self.element.port)
if self.element.protocol not in ["tcp", "udp", "sctp", "dccp"]:
raise FirewallError(errors.INVALID_PROTOCOL,
self.element.protocol)
# tcp-mss-clamp
elif type(self.element) == Rich_Tcp_Mss_Clamp:
if self.action is not None:
raise FirewallError(
errors.INVALID_RULE,
"tcp-mss-clamp and %s are mutually exclusive" %
self.action)
if self.element.value:
if not functions.checkTcpMssClamp(self.element.value):
raise FirewallError(errors.INVALID_RULE,
self.element.value)
# other element and not empty?
elif self.element is not None:
raise FirewallError(errors.INVALID_RULE,
"Unknown element %s" % type(self.element))
# log
if self.log is not None:
self.log.check()
# audit
if self.audit is not None:
if type(self.action) not in [Rich_Accept, Rich_Reject, Rich_Drop]:
raise FirewallError(errors.INVALID_AUDIT_TYPE,
type(self.action))
if self.audit.limit is not None:
self.audit.limit.check()
# action
if self.action is not None:
if type(self.action) == Rich_Reject:
self.action.check(self.family)
elif type(self.action) == Rich_Mark:
self.action.check()
if self.action.limit is not None:
self.action.limit.check()
def check(self):
if self.family is not None and self.family not in [ "ipv4", "ipv6" ]:
raise FirewallError(INVALID_FAMILY, self.family)
if self.family is None:
if (self.source is not None and self.source.addr is not None) or \
self.destination is not None:
raise FirewallError(MISSING_FAMILY)
if type(self.element) == Rich_ForwardPort:
raise FirewallError(MISSING_FAMILY)
if self.element is None:
if self.action is None:
raise FirewallError(INVALID_RULE, "no element, no action")
if self.source is None:
raise FirewallError(INVALID_RULE, "no element, no source")
if self.destination is not None:
raise FirewallError(INVALID_RULE, "destination action")
if type(self.element) not in [ Rich_IcmpBlock,
Rich_ForwardPort,
Rich_Masquerade ]:
if self.log is None and self.audit is None and \
self.action is None:
raise FirewallError(INVALID_RULE, "no action, no log, no audit")
# source
if self.source is not None:
if self.source.addr is not None:
if self.family is None:
raise FirewallError(INVALID_FAMILY)
if self.source.mac is not None:
raise FirewallError(INVALID_RULE, "address and mac")
if not functions.check_address(self.family, self.source.addr):
raise FirewallError(INVALID_ADDR, str(self.source.addr))
elif self.source.mac is not None:
if not functions.check_mac(self.source.mac):
raise FirewallError(INVALID_MAC, str(self.source.mac))
elif self.source.ipset is not None:
if not functions.check_ipset(self.source.ipset):
raise FirewallError(INVALID_IPSET, str(self.source.ipset))
else:
raise FirewallError(INVALID_RULE, "invalid source")
# destination
if self.destination is not None:
if self.family is None:
raise FirewallError(INVALID_FAMILY)
if self.destination.addr is None or \
not functions.check_address(self.family,
self.destination.addr):
raise FirewallError(INVALID_ADDR, str(self.destination.addr))
# service
if type(self.element) == Rich_Service:
# service availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(INVALID_SERVICE, str(self.element.name))
# port
elif type(self.element) == Rich_Port:
if not functions.check_port(self.element.port):
raise FirewallError(INVALID_PORT, self.element.port)
if self.element.protocol not in [ "tcp", "udp" ]:
raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
# protocol
elif type(self.element) == Rich_Protocol:
if not functions.checkProtocol(self.element.value):
raise FirewallError(INVALID_PROTOCOL, self.element.value)
# masquerade
elif type(self.element) == Rich_Masquerade:
if self.action is not None:
raise FirewallError(INVALID_RULE, "masquerade and action")
if self.source is not None and self.source.mac is not None:
raise FirewallError(INVALID_RULE, "masquerade and mac source")
# icmp-block
elif type(self.element) == Rich_IcmpBlock:
# icmp type availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(INVALID_ICMPTYPE, str(self.element.name))
if self.action:
raise FirewallError(INVALID_RULE, "icmp-block and action")
# forward-port
elif type(self.element) == Rich_ForwardPort:
if not functions.check_port(self.element.port):
raise FirewallError(INVALID_PORT, self.element.port)
if self.element.protocol not in [ "tcp", "udp" ]:
raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
if self.element.to_port == "" and self.element.to_address == "":
raise FirewallError(INVALID_PORT, self.element.to_port)
if self.element.to_port != "" and \
not functions.check_port(self.element.to_port):
raise FirewallError(INVALID_PORT, self.element.to_port)
if self.element.to_address != "" and \
not functions.check_single_address(self.family,
self.element.to_address):
raise FirewallError(INVALID_ADDR, self.element.to_address)
if self.family is None:
raise FirewallError(INVALID_FAMILY)
if self.action is not None:
raise FirewallError(INVALID_RULE, "forward-port and action")
# other element and not empty?
elif self.element is not None:
raise FirewallError(INVALID_RULE, "Unknown element %s" %
type(self.element))
# log
if self.log is not None:
if self.log.level and \
self.log.level not in [ "emerg", "alert", "crit", "error",
"warning", "notice", "info", "debug" ]:
raise FirewallError(INVALID_LOG_LEVEL, self.log.level)
if self.log.limit is not None:
self.log.limit.check()
# audit
if self.audit is not None:
if type(self.action) not in [ Rich_Accept, Rich_Reject, Rich_Drop ]:
raise FirewallError(INVALID_AUDIT_TYPE, type(self.action))
if self.audit.limit is not None:
self.audit.limit.check()
# action
if self.action is not None:
if type(self.action) == Rich_Reject:
self.action.check(self.family)
if self.action.limit is not None:
self.action.limit.check()
def check_entry(entry, options, ipset_type):
family = "ipv4"
if "family" in options:
if options["family"] == "inet6":
family = "ipv6"
if not ipset_type.startswith("hash:"):
raise FirewallError(errors.INVALID_IPSET,
"ipset type '%s' not usable" % ipset_type)
flags = ipset_type[5:].split(",")
items = entry.split(",")
if len(flags) != len(items) or len(flags) < 1:
raise FirewallError(
errors.INVALID_ENTRY,
"entry '%s' does not match ipset type '%s'" % \
(entry, ipset_type))
for i in range(len(flags)):
flag = flags[i]
item = items[i]
if flag == "ip":
if "-" in item and family == "ipv4":
# IP ranges only with plain IPs, no masks
if i > 1:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s'[%d]" % \
(item, entry, i))
splits = item.split("-")
if len(splits) != 2:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address range '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
for _split in splits:
if (family == "ipv4" and not checkIP(_split)) or \
(family == "ipv6" and not checkIP6(_split)):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(_split, entry, ipset_type, family))
else:
# IPs with mask only allowed in the first
# position of the type
if family == "ipv4":
if item == "0.0.0.0":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
if i == 0:
ip_check = checkIPnMask
else:
ip_check = checkIP
else:
ip_check = checkIP6
if not ip_check(item):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
elif flag == "net":
if "-" in item:
# IP ranges only with plain IPs, no masks
splits = item.split("-")
if len(splits) != 2:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address range '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
# First part can only be a plain IP
if (family == "ipv4" and not checkIP(splits[0])) or \
(family == "ipv6" and not checkIP6(splits[0])):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(splits[0], entry, ipset_type, family))
# Second part can also have a mask
if (family == "ipv4" and not checkIPnMask(splits[1])) or \
(family == "ipv6" and not checkIP6nMask(splits[1])):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(splits[1], entry, ipset_type, family))
else:
# IPs with mask allowed in all positions, but no /0
if item.endswith("/0"):
if not (family == "ipv6" and i == 0 and
ipset_type == "hash:net,iface"):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
if (family == "ipv4" and not checkIPnMask(item)) or \
(family == "ipv6" and not checkIP6nMask(item)):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
elif flag == "mac":
# ipset does not allow to add 00:00:00:00:00:00
if not check_mac(item) or item == "00:00:00:00:00:00":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mac address '%s' in '%s'" % (item, entry))
elif flag == "port":
if ":" in item:
splits = item.split(":")
if len(splits) != 2:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid port '%s'" % (item))
if splits[0] == "icmp":
if family != "ipv4":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid protocol for family '%s' in '%s'" % \
(family, entry))
if not check_icmp_name(splits[1]) and not \
check_icmp_type(splits[1]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid icmp type '%s' in '%s'" % \
(splits[1], entry))
elif splits[0] in [ "icmpv6", "ipv6-icmp" ]:
if family != "ipv6":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid protocol for family '%s' in '%s'" % \
(family, entry))
if not check_icmpv6_name(splits[1]) and not \
check_icmpv6_type(splits[1]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid icmpv6 type '%s' in '%s'" % \
(splits[1], entry))
elif splits[0] not in [ "tcp", "sctp", "udp", "udplite" ] \
and not checkProtocol(splits[0]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid protocol '%s' in '%s'" % (splits[0],
entry))
elif not check_port(splits[1]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid port '%s'in '%s'" % (splits[1], entry))
else:
if not check_port(item):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid port '%s' in '%s'" % (item, entry))
elif flag == "mark":
if item.startswith("0x"):
try:
int_val = int(item, 16)
except ValueError:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mark '%s' in '%s'" % (item, entry))
else:
try:
int_val = int(item)
except ValueError:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mark '%s' in '%s'" % (item, entry))
if int_val < 0 or int_val > 4294967295:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mark '%s' in '%s'" % (item, entry))
elif flag == "iface":
if not checkInterface(item) or len(item) > 15:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid interface '%s' in '%s'" % (item, entry))
else:
raise FirewallError(errors.INVALID_IPSET,
"ipset type '%s' not usable" % ipset_type)
def check_port(self, port):
if not functions.check_port(port):
raise FirewallError(errors.INVALID_PORT, port)
def check_entry(entry, options, ipset_type):
family = "ipv4"
if "family" in options:
if options["family"] == "inet6":
family = "ipv6"
if not ipset_type.startswith("hash:"):
raise FirewallError(errors.INVALID_IPSET,
"ipset type '%s' not usable" % ipset_type)
flags = ipset_type[5:].split(",")
items = entry.split(",")
if len(flags) != len(items) or len(flags) < 1:
raise FirewallError(
errors.INVALID_ENTRY,
"entry '%s' does not match ipset type '%s'" % \
(entry, ipset_type))
for i in range(len(flags)):
flag = flags[i]
item = items[i]
if flag == "ip":
if "-" in item and family == "ipv4":
# IP ranges only with plain IPs, no masks
if i > 1:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s'[%d]" % \
(item, entry, i))
splits = item.split("-")
if len(splits) != 2:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address range '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
for _split in splits:
if (family == "ipv4" and not checkIP(_split)) or \
(family == "ipv6" and not checkIP6(_split)):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(_split, entry, ipset_type, family))
else:
# IPs with mask only allowed in the first
# position of the type
if family == "ipv4":
if item == "0.0.0.0":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
if i == 0:
ip_check = checkIPnMask
else:
ip_check = checkIP
else:
ip_check = checkIP6
if not ip_check(item):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
elif flag == "net":
if "-" in item:
# IP ranges only with plain IPs, no masks
splits = item.split("-")
if len(splits) != 2:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address range '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
# First part can only be a plain IP
if (family == "ipv4" and not checkIP(splits[0])) or \
(family == "ipv6" and not checkIP6(splits[0])):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(splits[0], entry, ipset_type, family))
# Second part can also have a mask
if (family == "ipv4" and not checkIPnMask(splits[1])) or \
(family == "ipv6" and not checkIP6nMask(splits[1])):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(splits[1], entry, ipset_type, family))
else:
# IPs with mask allowed in all positions, but no /0
if item.endswith("/0"):
if not (family == "ipv6" and i == 0 and
ipset_type == "hash:net,iface"):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
if (family == "ipv4" and not checkIPnMask(item)) or \
(family == "ipv6" and not checkIP6nMask(item)):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
elif flag == "mac":
# ipset does not allow to add 00:00:00:00:00:00
if not check_mac(item) or item == "00:00:00:00:00:00":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mac address '%s' in '%s'" % (item, entry))
elif flag == "port":
if ":" in item:
splits = item.split(":")
if len(splits) != 2:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid port '%s'" % (item))
if splits[0] == "icmp":
if family != "ipv4":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid protocol for family '%s' in '%s'" % \
(family, entry))
if not check_icmp_name(splits[1]) and not \
check_icmp_type(splits[1]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid icmp type '%s' in '%s'" % \
(splits[1], entry))
elif splits[0] in [ "icmpv6", "ipv6-icmp" ]:
if family != "ipv6":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid protocol for family '%s' in '%s'" % \
(family, entry))
if not check_icmpv6_name(splits[1]) and not \
check_icmpv6_type(splits[1]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid icmpv6 type '%s' in '%s'" % \
(splits[1], entry))
elif splits[0] not in [ "tcp", "sctp", "udp", "udplite" ] \
and not checkProtocol(splits[0]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid protocol '%s' in '%s'" % (splits[0],
entry))
elif not check_port(splits[1]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid port '%s'in '%s'" % (splits[1], entry))
else:
if not check_port(item):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid port '%s' in '%s'" % (item, entry))
elif flag == "mark":
if item.startswith("0x"):
try:
int_val = int(item, 16)
except ValueError:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mark '%s' in '%s'" % (item, entry))
else:
try:
int_val = int(item)
except ValueError:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mark '%s' in '%s'" % (item, entry))
if int_val < 0 or int_val > 4294967295:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mark '%s' in '%s'" % (item, entry))
elif flag == "iface":
if not checkInterface(item) or len(item) > 15:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid interface '%s' in '%s'" % (item, entry))
else:
raise FirewallError(errors.INVALID_IPSET,
"ipset type '%s' not usable" % ipset_type)
def check(self):
if self.family is not None and self.family not in [ "ipv4", "ipv6" ]:
raise FirewallError(errors.INVALID_FAMILY, self.family)
if self.family is None:
if (self.source is not None and self.source.addr is not None) or \
self.destination is not None:
raise FirewallError(errors.MISSING_FAMILY)
if type(self.element) == Rich_ForwardPort:
raise FirewallError(errors.MISSING_FAMILY)
if self.element is None:
if self.action is None:
raise FirewallError(errors.INVALID_RULE, "no element, no action")
if self.source is None and self.destination is None:
raise FirewallError(errors.INVALID_RULE, "no element, no source, no destination")
if type(self.element) not in [ Rich_IcmpBlock,
Rich_ForwardPort,
Rich_Masquerade ]:
if self.log is None and self.audit is None and \
self.action is None:
raise FirewallError(errors.INVALID_RULE, "no action, no log, no audit")
# source
if self.source is not None:
if self.source.addr is not None:
if self.family is None:
raise FirewallError(errors.INVALID_FAMILY)
if self.source.mac is not None:
raise FirewallError(errors.INVALID_RULE, "address and mac")
if self.source.ipset is not None:
raise FirewallError(errors.INVALID_RULE, "address and ipset")
if not functions.check_address(self.family, self.source.addr):
raise FirewallError(errors.INVALID_ADDR, str(self.source.addr))
elif self.source.mac is not None:
if self.source.ipset is not None:
raise FirewallError(errors.INVALID_RULE, "mac and ipset")
if not functions.check_mac(self.source.mac):
raise FirewallError(errors.INVALID_MAC, str(self.source.mac))
elif self.source.ipset is not None:
if not check_ipset_name(self.source.ipset):
raise FirewallError(errors.INVALID_IPSET, str(self.source.ipset))
else:
raise FirewallError(errors.INVALID_RULE, "invalid source")
# destination
if self.destination is not None:
if self.family is None:
raise FirewallError(errors.INVALID_FAMILY)
if self.destination.addr is not None and self.destination.ipset is not None
raise FirewallError(errors.INVALID_RULE, "address and ipset")
if self.destination.ipset is None:
if self.destination.addr is None or not functions.check_address(self.family,
self.destination.addr)):
raise FirewallError(errors.INVALID_ADDR, str(self.destination.addr))
else:
if not check_ipset_name(self.destination.ipset):
raise FirewallError(errors.INVALID_IPSET, str(self.destination.ipset))
# service
if type(self.element) == Rich_Service:
# service availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(errors.INVALID_SERVICE, str(self.element.name))
# port
elif type(self.element) == Rich_Port:
if not functions.check_port(self.element.port):
raise FirewallError(errors.INVALID_PORT, self.element.port)
if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
# protocol
elif type(self.element) == Rich_Protocol:
if not functions.checkProtocol(self.element.value):
raise FirewallError(errors.INVALID_PROTOCOL, self.element.value)
# masquerade
elif type(self.element) == Rich_Masquerade:
if self.action is not None:
raise FirewallError(errors.INVALID_RULE, "masquerade and action")
if self.source is not None and self.source.mac is not None:
raise FirewallError(errors.INVALID_RULE, "masquerade and mac source")
# icmp-block
elif type(self.element) == Rich_IcmpBlock:
# icmp type availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(errors.INVALID_ICMPTYPE, str(self.element.name))
if self.action:
raise FirewallError(errors.INVALID_RULE, "icmp-block and action")
# icmp-type
elif type(self.element) == Rich_IcmpType:
# icmp type availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(errors.INVALID_ICMPTYPE, str(self.element.name))
# forward-port
elif type(self.element) == Rich_ForwardPort:
if not functions.check_port(self.element.port):
raise FirewallError(errors.INVALID_PORT, self.element.port)
if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
if self.element.to_port == "" and self.element.to_address == "":
raise FirewallError(errors.INVALID_PORT, self.element.to_port)
if self.element.to_port != "" and \
not functions.check_port(self.element.to_port):
raise FirewallError(errors.INVALID_PORT, self.element.to_port)
if self.element.to_address != "" and \
not functions.check_single_address(self.family,
self.element.to_address):
raise FirewallError(errors.INVALID_ADDR, self.element.to_address)
if self.family is None:
raise FirewallError(errors.INVALID_FAMILY)
if self.action is not None:
raise FirewallError(errors.INVALID_RULE, "forward-port and action")
class Rich_Rule(object):
def __init__(self, family=None, rule_str=None):
if family is not None:
self.family = str(family)
else:
self.family = None
self.source = None
self.destination = None
self.element = None
self.log = None
self.audit = None
self.action = None
if rule_str:
self._import_from_string(rule_str)
def _lexer(self, rule_str):
""" Lexical analysis """
tokens = []
for r in functions.splitArgs(rule_str):
if "=" in r:
attr = r.split('=')
if len(attr) != 2 or not attr[0] or not attr[1]:
raise FirewallError(errors.INVALID_RULE,
'internal error in _lexer(): %s' % r)
tokens.append({'attr_name':attr[0], 'attr_value':attr[1]})
else:
tokens.append({'element':r})
tokens.append({'element':'EOL'})
return tokens
def _import_from_string(self, rule_str):
if not rule_str:
raise FirewallError(errors.INVALID_RULE, 'empty rule')
self.family = None
self.source = None
self.destination = None
self.element = None
self.log = None
self.audit = None
self.action = None
tokens = self._lexer(rule_str)
if tokens and tokens[0].get('element') == 'EOL':
raise FirewallError(errors.INVALID_RULE, 'empty rule')
attrs = {} # attributes of elements
in_elements = [] # stack with elements we are in
index = 0 # index into tokens
while not (tokens[index].get('element') == 'EOL' and in_elements == ['rule']):
element = tokens[index].get('element')
attr_name = tokens[index].get('attr_name')
attr_value = tokens[index].get('attr_value')
#print ("in_elements: ", in_elements)
#print ("index: %s, element: %s, attribute: %s=%s" % (index, element, attr_name, attr_value))
if attr_name: # attribute
if attr_name not in ['family', 'address', 'mac', 'ipset',
'invert', 'value',
'port', 'protocol', 'to-port', 'to-addr',
'name', 'prefix', 'level', 'type',
'set']:
raise FirewallError(errors.INVALID_RULE, "bad attribute '%s'" % attr_name)
else: # element
if element in ['rule', 'source', 'destination', 'protocol',
'service', 'port', 'icmp-block', 'icmp-type', 'masquerade',
'forward-port', 'source-port', 'log', 'audit',
'accept', 'drop', 'reject', 'mark', 'limit', 'not', 'NOT', 'EOL']:
if element == 'source' and self.source:
raise FirewallError(errors.INVALID_RULE, "more than one 'source' element")
elif element == 'destination' and self.destination:
raise FirewallError(errors.INVALID_RULE, "more than one 'destination' element")
elif element in ['protocol', 'service', 'port',
'icmp-block', 'icmp-type',
'masquerade', 'forward-port',
'source-port'] and self.element:
raise FirewallError(errors.INVALID_RULE, "more than one element. There cannot be both '%s' and '%s' in one rule." % (element, self.element))
elif element == 'log' and self.log:
raise FirewallError(errors.INVALID_RULE, "more than one 'log' element")
elif element == 'audit' and self.audit:
raise FirewallError(errors.INVALID_RULE, "more than one 'audit' element")
elif element in ['accept', 'drop', 'reject', 'mark'] and self.action:
raise FirewallError(errors.INVALID_RULE, "more than one 'action' element. There cannot be both '%s' and '%s' in one rule." % (element, self.action))
else:
raise FirewallError(errors.INVALID_RULE, "unknown element %s" % element)
in_element = in_elements[len(in_elements)-1] if len(in_elements) > 0 else ''
if in_element == '':
if not element and attr_name:
if attr_name == 'family':
raise FirewallError(errors.INVALID_RULE, "'family' outside of rule. Use 'rule family=...'.")
else:
raise FirewallError(errors.INVALID_RULE, "'%s' outside of any element. Use 'rule <element> %s= ...'." % (attr_name, attr_name))
elif 'rule' not in element:
raise FirewallError(errors.INVALID_RULE, "'%s' outside of rule. Use 'rule ... %s ...'." % (element, element))
else:
in_elements.append('rule') # push into stack
elif in_element == 'rule':
if attr_name == 'family':
if attr_value not in ['ipv4', 'ipv6']:
raise FirewallError(errors.INVALID_RULE, "'family' attribute cannot have '%s' value. Use 'ipv4' or 'ipv6' instead." % attr_value)
self.family = attr_value
elif attr_name:
if attr_name == 'protocol':
err_msg = "wrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'."
else:
err_msg = "attribute '%s' outside of any element. Use 'rule <element> %s= ...'." % (attr_name, attr_name)
raise FirewallError(errors.INVALID_RULE, err_msg)
else:
in_elements.append(element) # push into stack
elif in_element == 'source':
if attr_name in ['address', 'mac', 'ipset', 'invert']:
attrs[attr_name] = attr_value
elif element in ['not', 'NOT']:
attrs['invert'] = True
else:
self.source = Rich_Source(attrs.get('address'), attrs.get('mac'), attrs.get('ipset'), attrs.get('invert'))
in_elements.pop() # source
attrs.clear()
index = index -1 # return token to input
elif in_element == 'destination':
if attr_name in ['address', 'ipset', 'invert']:
attrs[attr_name] = attr_value
elif element in ['not', 'NOT']:
attrs['invert'] = True
else:
self.destination = Rich_Destination(attrs.get('address'), attrs.get('ipset'), attrs.get('invert'))
in_elements.pop() # destination
attrs.clear()
index = index -1 # return token to input
elif in_element == 'protocol':
if attr_name == 'value':
self.element = Rich_Protocol(attr_value)
in_elements.pop() # protocol
else:
raise FirewallError(errors.INVALID_RULE, "invalid 'protocol' element")
elif in_element == 'service':
if attr_name == 'name':
self.element = Rich_Service(attr_value)
in_elements.pop() # service
else:
raise FirewallError(errors.INVALID_RULE, "invalid 'service' element")
elif in_element == 'port':
if attr_name in ['port', 'protocol']:
attrs[attr_name] = attr_value
else:
self.element = Rich_Port(attrs.get('port'), attrs.get('protocol'))
in_elements.pop() # port
attrs.clear()
index = index -1 # return token to input
elif in_element == 'icmp-block':
if attr_name == 'name':
self.element = Rich_IcmpBlock(attr_value)
in_elements.pop() # icmp-block
else:
raise FirewallError(errors.INVALID_RULE, "invalid 'icmp-block' element")
elif in_element == 'icmp-type':
if attr_name == 'name':
self.element = Rich_IcmpType(attr_value)
in_elements.pop() # icmp-type
else:
raise FirewallError(errors.INVALID_RULE, "invalid 'icmp-type' element")
elif in_element == 'masquerade':
self.element = Rich_Masquerade()
in_elements.pop()
attrs.clear()
index = index -1 # return token to input
elif in_element == 'forward-port':
if attr_name in ['port', 'protocol', 'to-port', 'to-addr']:
attrs[attr_name] = attr_value
else:
self.element = Rich_ForwardPort(attrs.get('port'), attrs.get('protocol'), attrs.get('to-port'), attrs.get('to-addr'))
in_elements.pop() # forward-port
attrs.clear()
index = index -1 # return token to input
elif in_element == 'source-port':
if attr_name in ['port', 'protocol']:
attrs[attr_name] = attr_value
else:
self.element = Rich_SourcePort(attrs.get('port'), attrs.get('protocol'))
in_elements.pop() # source-port
attrs.clear()
index = index -1 # return token to input
elif in_element == 'log':
if attr_name in ['prefix', 'level']:
attrs[attr_name] = attr_value
elif element == 'limit':
in_elements.append('limit')
else:
self.log = Rich_Log(attrs.get('prefix'), attrs.get('level'), attrs.get('limit'))
in_elements.pop() # log
attrs.clear()
index = index -1 # return token to input
elif in_element == 'audit':
if element == 'limit':
in_elements.append('limit')
else:
self.audit = Rich_Audit(attrs.get('limit'))
in_elements.pop() # audit
attrs.clear()
index = index -1 # return token to input
elif in_element == 'accept':
if element == 'limit':
in_elements.append('limit')
else:
self.action = Rich_Accept(attrs.get('limit'))
in_elements.pop() # accept
attrs.clear()
index = index -1 # return token to input
elif in_element == 'drop':
if element == 'limit':
in_elements.append('limit')
else:
self.action = Rich_Drop(attrs.get('limit'))
in_elements.pop() # drop
attrs.clear()
index = index -1 # return token to input
elif in_element == 'reject':
if attr_name == 'type':
attrs[attr_name] = attr_value
elif element == 'limit':
in_elements.append('limit')
else:
self.action = Rich_Reject(attrs.get('type'), attrs.get('limit'))
in_elements.pop() # accept
attrs.clear()
index = index -1 # return token to input
elif in_element == 'mark':
if attr_name == 'set':
attrs[attr_name] = attr_value
elif element == 'limit':
in_elements.append('limit')
else:
self.action = Rich_Mark(attrs.get('set'),
attrs.get('limit'))
in_elements.pop() # accept
attrs.clear()
index = index -1 # return token to input
elif in_element == 'limit':
if attr_name == 'value':
attrs['limit'] = Rich_Limit(attr_value)
in_elements.pop() # limit
else:
raise FirewallError(errors.INVALID_RULE, "invalid 'limit' element")
index = index + 1
self.check()
def check(self):
if self.family is not None and self.family not in [ "ipv4", "ipv6" ]:
raise FirewallError(errors.INVALID_FAMILY, self.family)
if self.family is None:
if (self.source is not None and self.source.addr is not None) or \
self.destination is not None:
raise FirewallError(errors.MISSING_FAMILY)
if type(self.element) == Rich_ForwardPort:
raise FirewallError(errors.MISSING_FAMILY)
if self.element is None:
if self.action is None:
raise FirewallError(errors.INVALID_RULE, "no element, no action")
if self.source is None and self.destination is None:
raise FirewallError(errors.INVALID_RULE, "no element, no source, no destination")
if type(self.element) not in [ Rich_IcmpBlock,
Rich_ForwardPort,
Rich_Masquerade ]:
if self.log is None and self.audit is None and \
self.action is None:
raise FirewallError(errors.INVALID_RULE, "no action, no log, no audit")
# source
if self.source is not None:
if self.source.addr is not None:
if self.family is None:
raise FirewallError(errors.INVALID_FAMILY)
if self.source.mac is not None:
raise FirewallError(errors.INVALID_RULE, "address and mac")
if self.source.ipset is not None:
raise FirewallError(errors.INVALID_RULE, "address and ipset")
if not functions.check_address(self.family, self.source.addr):
raise FirewallError(errors.INVALID_ADDR, str(self.source.addr))
elif self.source.mac is not None:
if self.source.ipset is not None:
raise FirewallError(errors.INVALID_RULE, "mac and ipset")
if not functions.check_mac(self.source.mac):
raise FirewallError(errors.INVALID_MAC, str(self.source.mac))
elif self.source.ipset is not None:
if not check_ipset_name(self.source.ipset):
raise FirewallError(errors.INVALID_IPSET, str(self.source.ipset))
else:
raise FirewallError(errors.INVALID_RULE, "invalid source")
# destination
if self.destination is not None:
if self.family is None:
raise FirewallError(errors.INVALID_FAMILY)
if self.destination.addr is not None and self.destination.ipset is not None
raise FirewallError(errors.INVALID_RULE, "address and ipset")
if self.destination.ipset is None:
if self.destination.addr is None or not functions.check_address(self.family,
self.destination.addr)):
raise FirewallError(errors.INVALID_ADDR, str(self.destination.addr))
else:
if not check_ipset_name(self.destination.ipset):
raise FirewallError(errors.INVALID_IPSET, str(self.destination.ipset))
# service
if type(self.element) == Rich_Service:
# service availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(errors.INVALID_SERVICE, str(self.element.name))
# port
elif type(self.element) == Rich_Port:
if not functions.check_port(self.element.port):
raise FirewallError(errors.INVALID_PORT, self.element.port)
if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
# protocol
elif type(self.element) == Rich_Protocol:
if not functions.checkProtocol(self.element.value):
raise FirewallError(errors.INVALID_PROTOCOL, self.element.value)
# masquerade
elif type(self.element) == Rich_Masquerade:
if self.action is not None:
raise FirewallError(errors.INVALID_RULE, "masquerade and action")
if self.source is not None and self.source.mac is not None:
raise FirewallError(errors.INVALID_RULE, "masquerade and mac source")
# icmp-block
elif type(self.element) == Rich_IcmpBlock:
# icmp type availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(errors.INVALID_ICMPTYPE, str(self.element.name))
if self.action:
raise FirewallError(errors.INVALID_RULE, "icmp-block and action")
# icmp-type
elif type(self.element) == Rich_IcmpType:
# icmp type availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(errors.INVALID_ICMPTYPE, str(self.element.name))
# forward-port
elif type(self.element) == Rich_ForwardPort:
if not functions.check_port(self.element.port):
raise FirewallError(errors.INVALID_PORT, self.element.port)
if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
if self.element.to_port == "" and self.element.to_address == "":
raise FirewallError(errors.INVALID_PORT, self.element.to_port)
if self.element.to_port != "" and \
not functions.check_port(self.element.to_port):
raise FirewallError(errors.INVALID_PORT, self.element.to_port)
if self.element.to_address != "" and \
not functions.check_single_address(self.family,
self.element.to_address):
raise FirewallError(errors.INVALID_ADDR, self.element.to_address)
if self.family is None:
raise FirewallError(errors.INVALID_FAMILY)
if self.action is not None:
raise FirewallError(errors.INVALID_RULE, "forward-port and action")
# source-port
elif type(self.element) == Rich_SourcePort:
if not functions.check_port(self.element.port):
raise FirewallError(errors.INVALID_PORT, self.element.port)
if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
