def post(self):
log.debug4("%s.post()" % type(self))
super(FirewallTransaction, self).post()
for zone in self.zone_transactions:
self.zone_transactions[zone].post()
def post(self):
log.debug4("%s.post()" % type(self))
super(FirewallTransaction, self).post()
for zone in self.zone_transactions:
self.zone_transactions[zone].post()
def execute(self, enable):
log.debug4("%s.execute(%s)" % (type(self), enable))
rules, modules = self.prepare(enable)
# pre
self.pre()
# stage 1: apply rules
error = False
errorMsg = ""
done = []
for backend_name in rules:
try:
self.fw.rules(backend_name, rules[backend_name])
except Exception as msg:
error = True
errorMsg = msg
log.error(msg)
else:
done.append(backend_name)
# stage 2: load modules
if not error:
module_return = self.fw.handle_modules(modules, enable)
if module_return:
(cleanup_modules, msg) = module_return
if cleanup_modules is not None:
error = True
errorMsg = msg
self.fw.handle_modules(cleanup_modules, not enable)
# error case: revert rules
if error:
undo_rules = {}
for backend_name in done:
undo_rules[backend_name] = []
for rule in reversed(rules[backend_name]):
undo_rules[backend_name].append(
self.fw.get_backend_by_name(backend_name).reverse_rule(
rule))
for backend_name in undo_rules:
try:
self.fw.rules(backend_name, undo_rules[backend_name])
except Exception as msg:
log.error(msg)
# call failure functions
for (func, args) in self.fail_funcs:
try:
func(*args)
except Exception as msg:
log.error("Calling fail func %s(%s) failed: %s" % \
(func, args, msg))
raise FirewallError(errors.COMMAND_FAILED, errorMsg)
# post
self.post()
def execute(self, enable):
log.debug4("%s.execute(%s)" % (type(self), enable))
rules, modules = self.prepare(enable)
# pre
self.pre()
# stage 1: apply rules
error = False
errorMsg = ""
done = [ ]
for ipv in rules:
try:
self.fw.rules(ipv, rules[ipv])
except Exception as msg:
error = True
errorMsg = msg
log.error(msg)
else:
done.append(ipv)
# stage 2: load modules
if not error:
module_return = self.fw.handle_modules(modules, enable)
if module_return:
(cleanup_modules, msg) = module_return
if cleanup_modules is not None:
error = True
errorMsg = msg
self.fw.handle_modules(cleanup_modules, not enable)
# error case: revert rules
if error:
undo_rules = { }
for ipv in done:
undo_rules[ipv] = [ ]
for rule in reversed(rules[ipv]):
undo_rules[ipv].append(
self.fw.get_ipv_backend(ipv).reverse_rule(rule))
for ipv in undo_rules:
try:
self.fw.rules(ipv, undo_rules[ipv])
except Exception as msg:
log.error(msg)
# call failure functions
for (func, args) in self.fail_funcs:
try:
func(*args)
except Exception as msg:
log.error("Calling fail func %s(%s) failed: %s" % \
(func, args, msg))
raise FirewallError(errors.COMMAND_FAILED, errorMsg)
# post
self.post()
def post(self):
log.debug4("%s.post()" % type(self))
for (func, args) in self.post_funcs:
try:
func(*args)
except Exception as msg:
log.error("Calling post func %s(%s) failed: %s" % \
(func, args, msg))
def post(self):
log.debug4("%s.post()" % type(self))
for (func, args) in self.post_funcs:
try:
func(*args)
except Exception as msg:
log.error("Calling post func %s(%s) failed: %s" % \
(func, args, msg))
def pre(self):
log.debug4("%s.pre()" % type(self))
for (func, args) in self.pre_funcs:
try:
func(*args)
except Exception as msg:
log.debug1(traceback.format_exc())
log.error("Calling pre func %s(%s) failed: %s" % \
(func, args, msg))
def prepare(self, enable, rules=None, modules=None):
log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "..."))
rules, modules = super(FirewallZoneTransaction, self).prepare(
enable, rules, modules)
for module in self.modules:
if module not in modules:
modules.append(module)
return rules, modules
def prepare(self, enable, rules=None, modules=None):
log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "..."))
rules, modules = super(FirewallZoneTransaction, self).prepare(
enable, rules, modules)
for module in self.modules:
if module not in modules:
modules.append(module)
return rules, modules
def prepare(self, enable):
log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "..."))
rules = { }
if not enable:
# reverse rule order for cleanup
for backend_name in self.rules:
for rule in reversed(self.rules[backend_name]):
rules.setdefault(backend_name, [ ]).append(
self.fw.get_backend_by_name(backend_name).reverse_rule(rule))
else:
for backend_name in self.rules:
rules.setdefault(backend_name, [ ]).extend(self.rules[backend_name])
return rules, self.modules
def prepare(self, enable, rules=None, modules=None):
log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "..."))
rules, modules = super(FirewallTransaction, self).prepare(
enable, rules, modules)
for zone in self.zone_transactions:
try:
self.zone_transactions[zone].prepare(enable, rules)
for module in self.zone_transactions[zone].modules:
if module not in modules:
modules.append(module)
except FirewallError as msg:
log.error("Failed to prepare transaction rules for zone '%s'",
str(msg))
return rules, modules
def prepare(self, enable, rules=None, modules=None):
log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "..."))
rules, modules = super(FirewallTransaction, self).prepare(
enable, rules, modules)
for zone in self.zone_transactions:
try:
self.zone_transactions[zone].prepare(enable, rules)
for module in self.zone_transactions[zone].modules:
if module not in modules:
modules.append(module)
except FirewallError as msg:
log.error("Failed to prepare transaction rules for zone '%s'",
str(msg))
return rules, modules
def prepare(self, enable, rules=None, modules=None):
log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "..."))
if rules is None:
rules = { }
if modules is None:
modules = [ ]
if not enable:
# reverse rule order for cleanup
for ipv in self.rules:
for rule in reversed(self.rules[ipv]):
rules.setdefault(ipv, [ ]).append(reverse_rule(rule))
else:
for ipv in self.rules:
rules.setdefault(ipv, [ ]).extend(self.rules[ipv])
return rules, modules
def prepare(self, enable, rules=None, modules=None):
log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "..."))
if rules is None:
rules = { }
if modules is None:
modules = [ ]
if not enable:
# reverse rule order for cleanup
for ipv in self.rules:
for rule in reversed(self.rules[ipv]):
rules.setdefault(ipv, [ ]).append(reverse_rule(rule))
else:
for ipv in self.rules:
rules.setdefault(ipv, [ ]).extend(self.rules[ipv])
return rules, modules
def post(self):
log.debug4("%s.post()" % type(self))
for (func, args) in self.post_funcs:
func(*args)
def pre(self):
log.debug4("%s.pre()" % type(self))
for (func, args) in self.pre_funcs:
func(*args)
def execute(self, enable):
log.debug4("%s.execute(%s)" % (type(self), enable))
rules, modules = self.prepare(enable)
# pre
self.pre()
# stage 1: apply rules
error = False
errorMsg = ""
done = []
for backend_name in rules:
try:
self.fw.rules(backend_name, rules[backend_name])
except Exception as msg:
error = True
errorMsg = msg
log.debug1(traceback.format_exc())
log.error(msg)
else:
done.append(backend_name)
# stage 2: load modules
if not error:
module_return = self.fw.handle_modules(modules, enable)
if module_return:
# Debug log about issues loading modules, but don't error. The
# modules may be builtin or CONFIG_MODULES=n, in which case
# modprobe will fail. Or we may be running inside a container
# that doesn't have sufficient privileges. Unfortunately there
# is no way for us to know.
(status, msg) = module_return
if status:
log.debug1(msg)
# error case: revert rules
if error:
undo_rules = {}
for backend_name in done:
undo_rules[backend_name] = []
for rule in reversed(rules[backend_name]):
undo_rules[backend_name].append(
self.fw.get_backend_by_name(backend_name).reverse_rule(
rule))
for backend_name in undo_rules:
try:
self.fw.rules(backend_name, undo_rules[backend_name])
except Exception as msg:
log.debug1(traceback.format_exc())
log.error(msg)
# call failure functions
for (func, args) in self.fail_funcs:
try:
func(*args)
except Exception as msg:
log.debug1(traceback.format_exc())
log.error("Calling fail func %s(%s) failed: %s" % \
(func, args, msg))
raise FirewallError(errors.COMMAND_FAILED, errorMsg)
# post
self.post()
def execute(self, enable):
log.debug4("%s.execute(%s)" % (type(self), enable))
rules, modules = self.prepare(enable)
# pre
self.pre()
# stage 1: apply rules
error = False
done = []
for ipv in rules:
try:
self.fw.rules(ipv, rules[ipv])
except Exception as msg:
error = True
if not self.generous_mode:
log.warning(msg)
else:
done.append(ipv)
if error and self.generous_mode:
for ipv in rules:
if ipv in done:
continue
for rule in rules[ipv]:
try:
self.fw.rule(ipv, rule)
except Exception as msg:
log.warning(msg)
done.append(ipv)
error = False
# stage 2: load modules
if not error:
module_return = self.fw.handle_modules(modules, enable)
if module_return:
(cleanup_modules, msg) = module_return
if cleanup_modules is not None:
error = True
self.fw.handle_modules(cleanup_modules, not enable)
# error case: revert rules
if error:
undo_rules = {}
for ipv in done:
undo_rules[ipv] = []
for rule in reversed(rules[ipv]):
undo_rules[ipv].append(reverse_rule(rule))
for ipv in undo_rules:
try:
self.fw.rules(ipv, undo_rules[ipv])
except Exception as msg:
log.error(msg)
# call failure functions
for (func, args) in self.fail_funcs:
try:
func(*args)
except Exception as msg:
log.error("Calling fail func %s(%s) failed: %s" % \
(func, args, msg))
raise FirewallError(errors.COMMAND_FAILED)
# post
self.post()
