def create_rule(self, name, target, dst="", dport="", src="", sport="", proto="", siface="", diface=""):
    """Build a firewall ``Rule`` and return it.

    When a port (``dport``/``sport``) is given but ``proto`` is empty, the
    rule is built once for ``"tcp"`` and once for ``"udp"`` and a *list* of
    the two rules is returned instead of a single rule.

    name    -- free-form label; stored in the rule's comment match together
               with ``self.identifier``.
    target  -- target name handed to ``rule.create_target`` (e.g. "ACCEPT",
               "DROP", "LOG").
    dst     -- destination realm, e.g. XXX.XXX.XXX.XXX/YY; set as ``rule.dst``.
    dport   -- destination port; attaches a ``proto`` match carrying ``dport``.
    src     -- source realm in the same form as ``dst``; a value containing
               "-" is treated as an ip range and attached as an ``iprange``
               match instead of being set as ``rule.src``.
    sport   -- source port; attaches a ``proto`` match carrying ``sport``.
    proto   -- protocol name ("tcp"/"udp"); when empty and a port is given,
               see above.
    siface  -- written to ``rule.out_interface``.
    diface  -- written to ``rule.in_interface``.

    Address and port values are passed through exactly as given; the only
    validation performed is whatever ``rule.final_check()`` does.
    """
    if not proto and (dport or sport):
        # A port without a protocol means "both": build one rule per protocol.
        return [
            self.create_rule(name, target, dst, dport, src, sport, candidate, siface, diface)
            for candidate in ("tcp", "udp")
        ]

    rule = Rule()
    rule.create_target(target)

    if dst:
        rule.dst = dst

    if dport:
        dport_match = rule.create_match(proto)
        dport_match.dport = str(dport)
        rule.protocol = proto

    if diface:
        # NOTE(review): diface lands in in_interface and siface in out_interface.
        # If Rule follows iptables' -i/-o convention (in = the interface the
        # packet arrived on), this is inverted relative to the parameter names
        # and the rule would bind to the wrong side of the host -- confirm with
        # callers before changing either the names or the mapping.
        rule.in_interface = diface

    if src:
        if "-" in src:
            range_match = rule.create_match("iprange")
            range_match.src_range = src
            # NOTE(review): if Rule.create_match already attaches the match to
            # the rule (python-iptables' implementation does), this add_match
            # registers the iprange match a second time -- verify against Rule.
            rule.add_match(range_match)
        else:
            rule.src = src

    if sport:
        sport_match = rule.create_match(proto)
        sport_match.sport = str(sport)
        rule.protocol = proto

    if siface:
        rule.out_interface = siface

    # Stamp the rule with "<identifier>:<name>" as a comment match (the
    # signature mentioned in the docstring).
    signature = rule.create_match("comment")
    signature.comment = self.identifier + ":" + name

    rule.final_check()
    return rule
def _get_base_rule(self, match):
    """Translate ``match`` into a ``Rule`` carrying its protocol and destination.

    Sets ``rule.protocol`` from ``match.ip_proto_num`` and ``rule.dst`` to
    ``"<dst_ip>/<netmask>"``. When ``match.dst_port`` is non-zero a
    destination-port match is attached as well; the match name is looked up
    in ``self._prot_port_supp`` by protocol number.

    match -- object exposing ``ip_proto_num``, ``dst_ip``, ``netmask`` and
             ``dst_port`` (the attributes read here; nothing else is assumed).
    Returns the new ``Rule``.
    """
    rule = Rule()
    rule.protocol = match.ip_proto_num
    rule.dst = "/".join((str(match.dst_ip), str(match.netmask)))

    # A dst_port of 0 means "no port given": no port match is attached.
    if match.dst_port != 0:
        # NOTE(review): if _prot_port_supp only maps port-capable protocols
        # (tcp/udp), a match with another protocol number and a non-zero
        # dst_port raises KeyError here instead of being rejected up front --
        # verify what callers feed in.
        port_match_name = self._prot_port_supp[match.ip_proto_num]
        port_match = IPT_Match(rule, port_match_name)
        port_match.dport = str(match.dst_port)
        rule.add_match(port_match)

    return rule