def call(self, macl):
in_acl = []
out_acl = []
for ip in [self.dns_servers, self.dns_servers + self.dns_servers_old
][self.args == ['old']]:
in_acl.append(
metacl.Rule('permit',
metacl.Filter(['tcp', 'udp'],
macl.context.get_alias('local'),
IPv4Descriptor(ip),
dports=metacl.Ports('53'),
parent=self),
parent=self))
out_acl.append(
metacl.Rule('permit',
metacl.Filter(['tcp', 'udp'],
IPv4Descriptor(ip),
macl.context.get_alias('local'),
sports=metacl.Ports('53'),
parent=self),
parent=self))
macl.acl_in = in_acl + macl.acl_in
macl.acl_out = out_acl + macl.acl_out
return macl
def call(self, macl):
if self.args == ['old']:
for ip in self.dns_servers_old:
macl.acl_in.insert(
0,
metacl.Rule('permit',
metacl.Filter(['tcp', 'udp'],
macl.context.get_alias('local'),
IPv4Descriptor(ip),
dports=metacl.Ports('53'),
parent=self),
parent=self))
macl.acl_out.insert(
0,
metacl.Rule('permit',
metacl.Filter(['tcp', 'udp'],
IPv4Descriptor(ip),
macl.context.get_alias('local'),
sports=metacl.Ports('53'),
parent=self),
parent=self))
macl.acl_in.insert(
0,
metacl.Rule('permit',
metacl.Filter(['tcp', 'udp'],
macl.context.get_alias('local'),
macl.context.get_alias('dns_server'),
dports=metacl.Ports('53'),
parent=self),
parent=self))
macl.acl_out.insert(
0,
metacl.Rule('permit',
metacl.Filter(['tcp', 'udp'],
macl.context.get_alias('dns_server'),
macl.context.get_alias('local'),
sports=metacl.Ports('53'),
parent=self),
parent=self))
def call(self, macl):
local6 = macl.context.get_alias('local', ip_versions='ipv6')[0]
first = [ipaddr.IPNetwork(local6[1]), ipaddr.IPNetwork(local6[2])]
macl.acl_in.insert(
0,
metacl.Rule('permit',
metacl.Filter(['udp'],
macl.context.get_alias('local'),
first,
dports=metacl.Ports('546,547'),
parent=self),
parent=self))
def call(self, macl):
# if len(self.args) == 0:
for h in self.args:
# Open only given hosts to nagios
h = metacl.string_to_ips(h, context=macl.context)
macl.acl_in.insert(
0,
metacl.Rule('permit',
metacl.Filter(['ip'],
h,
macl.context.get_alias('faucam'),
parent=self),
parent=self))
macl.acl_in.insert(
1,
metacl.Rule('deny',
metacl.Filter(['ip'],
h,
macl.context.get_alias('any'),
parent=self),
parent=self))
macl.acl_out.insert(
0,
metacl.Rule('permit',
metacl.Filter(['ip'],
macl.context.get_alias('faucam'),
h,
parent=self),
parent=self))
macl.acl_out.insert(
1,
metacl.Rule('deny',
metacl.Filter(['ip'],
macl.context.get_alias('any'),
h,
parent=self),
parent=self))
def call(self, macl):
local = macl.context.get_alias('local')
x = map(lambda x: metacl.string_to_ips(x, context=macl.context),
self.args)
ips = list(itertools.chain(*x))
macl.acl_out.insert(
0,
metacl.Rule('deny',
metacl.Filter(['ip'],
macl.context.get_alias('any'),
ips,
parent=self),
parent=self))
macl.acl_in.insert(
0,
metacl.Rule('deny',
metacl.Filter(['ip'],
ips,
macl.context.get_alias('any'),
parent=self),
parent=self))
def call(self, macl):
if len(self.args) == 0:
# Open whole net to nagios
macl.acl_in.insert(
0,
metacl.Rule.from_string('permit icmp,tcp,udp local $nagios',
context=macl.context,
parent=self))
macl.acl_out.insert(
0,
metacl.Rule.from_string('permit icmp,tcp,udp $nagios local',
context=macl.context,
parent=self))
else:
for h in self.args:
# Open only given hosts to nagios
h = metacl.string_to_ips(h, context=macl.context)
macl.acl_in.insert(
0,
metacl.Rule('permit',
metacl.Filter(['icmp', 'tcp', 'udp'],
h,
macl.context.get_alias('nagios'),
parent=self),
parent=self))
macl.acl_out.insert(
0,
metacl.Rule('permit',
metacl.Filter(['icmp', 'tcp', 'udp'],
macl.context.get_alias('nagios'),
h,
parent=self),
parent=self))
def call(self, macl):
bc = IPv4Descriptor('255.255.255.255') + \
map(lambda x: ipaddr.IPNetwork(x.broadcast),
macl.context.get_alias('local', ip_versions='ipv4'))
macl.acl_in.insert(
0,
metacl.Rule('deny',
metacl.Filter(['ip'],
macl.context.get_alias(
'any', ip_versions='ipv4'),
bc,
parent=self),
parent=self))
macl.acl_out.insert(
0,
metacl.Rule('deny',
metacl.Filter(['ip'],
macl.context.get_alias(
'any', ip_versions='ipv4'),
bc,
parent=self),
parent=self))
def call(self, macl):
if len(self.args) == 0:
# Open whole net to netbackup
macl.acl_in.insert(
0,
metacl.Rule.from_string(
'permit tcp local 13782 $netbackup established',
context=macl.context,
parent=self))
macl.acl_in.insert(
0,
metacl.Rule.from_string('permit tcp local $netbackup 13782',
context=macl.context,
parent=self))
macl.acl_in.insert(
0,
metacl.Rule.from_string('permit tcp local $netbackup 13724',
context=macl.context,
parent=self))
macl.acl_in.insert(
0,
metacl.Rule.from_string('permit tcp local $netbackup 13720',
context=macl.context,
parent=self))
macl.acl_out.insert(
0,
metacl.Rule.from_string(
'permit tcp $netbackup 13782 local established',
context=macl.context,
parent=self))
macl.acl_out.insert(
0,
metacl.Rule.from_string(
'permit tcp $netbackup 13724 local established',
context=macl.context,
parent=self))
macl.acl_out.insert(
0,
metacl.Rule.from_string(
'permit tcp $netbackup 13720 local established',
context=macl.context,
parent=self))
macl.acl_out.insert(
0,
metacl.Rule.from_string('permit tcp $netbackup local 13782',
context=macl.context,
parent=self))
else:
for h in self.args:
# Open only given hosts to netbackup
h = metacl.string_to_ips(h, context=macl.context)
macl.acl_in.insert(
0,
metacl.Rule('permit',
metacl.Filter(
['tcp'],
h,
macl.context.get_alias('netbackup'),
sports=metacl.Ports('13782'),
parent=self),
extensions=['established'],
parent=self))
macl.acl_in.insert(
0,
metacl.Rule('permit',
metacl.Filter(
['tcp'],
h,
macl.context.get_alias('netbackup'),
dports=metacl.Ports('13720,13724,13782'),
parent=self),
parent=self))
macl.acl_out.insert(
0,
metacl.Rule('permit',
metacl.Filter(
['tcp'],
macl.context.get_alias('netbackup'),
h,
sports=metacl.Ports('13720,13724,13782'),
parent=self),
extensions=['established'],
parent=self))
macl.acl_out.insert(
0,
metacl.Rule('permit',
metacl.Filter(
['tcp'],
macl.context.get_alias('netbackup'),
h,
dports=metacl.Ports('13782'),
parent=self),
parent=self))
def call(self, macl):
if 'ipv6' in macl.context.ip_versions:
local6 = macl.context.get_alias('local', ip_versions='ipv6')[0]
first = [ipaddr.IPNetwork(local6[1]), ipaddr.IPNetwork(local6[2])]
macl.acl_out.insert(
0,
metacl.Rule.from_string('permit ip any fe80::/10',
context=macl.context,
parent=self))
macl.acl_out.insert(
1,
metacl.Rule('permit',
metacl.Filter(['icmp'],
macl.context.get_alias('local'),
first,
parent=self),
parent=self))
macl.acl_in.insert(
0,
metacl.Rule.from_string('permit ip fe80::/10 any',
context=macl.context,
parent=self))
macl.acl_in.insert(
1,
metacl.Rule.from_string('permit ip local fe80::/10',
context=macl.context,
parent=self))
macl.acl_in.insert(
2,
metacl.Rule('permit',
metacl.Filter(['icmp'],
macl.context.get_alias('local'),
first,
parent=self),
parent=self))
if 'ipv4' in macl.context.ip_versions:
local = macl.context.get_alias('local', ip_versions='ipv4')[0]
first = [ipaddr.IPNetwork(local[1])]
last = [ipaddr.IPNetwork(local[-3]), ipaddr.IPNetwork(local[-2])]
temp_aliases = {
'first': first,
'last': last,
'firstlast': first + last
}
# Rules to be inserted at top of IN list:
rules_in = [
'permit ip $firstlast 224.0.0.1',
'permit udp $firstlast 1985 224.0.0.2 1985',
'permit udp $firstlast 1985 224.0.0.102 1985',
'permit ip $firstlast 224.0.0.13',
'permit tcp local $firstlast established',
'permit icmp local $firstlast',
'permit udp local $ntp_server 123',
'permit udp local $first 123',
'deny ip any $firstlast',
]
# We have to reverse the order, since insertion will be done at beginning of list
rules_in.reverse()
# Injecting rules into acl_in
for r in rules_in:
macl.acl_in.insert(
0,
metacl.Rule.from_string(r,
context=macl.context,
temp_aliases=temp_aliases,
parent=self))
# Rules to be inserted at top of OUT list:
rules_out = [
'permit ip $firstlast local',
'permit icmp local $firstlast',
'permit udp $ntp_server 123 local',
'permit ip any 224.0.0.0/4',
]
# We have to reverse the order, since insertion will be done at beginning of list
rules_out.reverse()
# Injecting rules into acl_out
for r in rules_out:
macl.acl_out.insert(
0,
metacl.Rule.from_string(r,
context=macl.context,
temp_aliases=temp_aliases,
parent=self))