Esempio n. 1
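def parse_file(fh):
	"""Yield one token list per complete statement read from *fh*.

	Each line is tokenised with shlex (split on whitespace only, with
	".", "_" and "-" added to the word characters).  A statement ends at
	the end of a line on which every "{" seen so far has been closed by
	a "}".  Lines belonging to the same statement are joined with a ";"
	token.  A blank line outside braces yields an empty list.

	fh must be iterable line by line and expose a ``name`` attribute,
	which is used for lexer diagnostics and error messages.  Problems
	are reported through error().
	"""
	lineno = 0
	depth = 0
	words = []
	for raw in fh:
		lineno += 1
		lexer = shlex.shlex(raw)
		lexer.infile = fh.name
		lexer.lineno = lineno
		lexer.whitespace_split = True
		lexer.wordchars += "._-"
		line = list(lexer)
		for tok in line:
			if tok == "{":
				depth += 1
			elif tok == "}":
				depth -= 1
				if depth < 0:
					# A close with no matching open used to leave the depth
					# negative, so a later "{" could silently re-balance it and
					# the malformed text was accepted as one statement.
					error("Unexpected } in %r line %d" % (fh.name, lineno))
		if words:
			words += [";"] + line
		else:
			words = line
		if depth == 0:
			yield words
			words = []
	if depth > 0:
		# File objects expose .name (already used for lexer.infile above);
		# the previous .fname lookup raised AttributeError instead of
		# reporting the missing brace.
		error("Missing } in %r" % fh.name)
	if words:
		yield words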
Esempio n. 2
def validate_chains(rules,table):
	"""Report rules in *table* whose target is not a chain of that table.

	rules[table] maps chain names to lists of rules, and the first
	element of each rule is its target.  A target that is unchanged by
	str.upper() is skipped without any lookup (presumably these are the
	built-in targets such as ACCEPT -- confirm); note that this also
	skips names with no letters at all.  Any other target must be a key
	of rules[table], otherwise error() is called.
	"""
	chains = rules[table]
	for chain in chains:
		for rule in chains[chain]:
			target = rule[0]
			needs_lookup = target.upper() != target
			if needs_lookup and target not in chains:
				error("Unknown target %s" % target)
Esempio n. 3
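def cmd_ruleset(table,chain,chainmapping,acceptmapping,rule):
	"""Load the ruleset named by rule[0] and apply its policy commands.

	Looks in fwall.iptables.MATCHES_DIR for "<name>.ruleset", which is
	read as a plain file, and failing that for "<name>.sruleset", which
	is run through os.popen with its output parsed as the ruleset.
	Every non-empty statement must start with "policy"; its remaining
	tokens are passed to cmd_policy.  Anything else, an unknown ruleset
	name, or a script that exits with a non-zero status is reported
	through error().
	"""
	name = rule[0]
	# NOTE(review): name comes from the rules file and is joined into the
	# path unchecked, so a name containing a path separator or ".." resolves
	# outside MATCHES_DIR.  Confirm who is able to write the rules file;
	# restricting name to a plain basename would remove the question.
	static_path = os.path.join(fwall.iptables.MATCHES_DIR,name+".ruleset")
	script_path = os.path.join(fwall.iptables.MATCHES_DIR,name+".sruleset")
	if os.path.exists(static_path):
		fh = open(static_path,"r")
	elif os.path.exists(script_path):
		# NOTE(review): os.popen passes this string to the shell, so the path
		# is subject to shell parsing.  Running the script from an argument
		# list instead would avoid that.
		fh = os.popen(script_path,"r")
	else:
		error("Unknown ruleset %r" % name)
		# Presumably error() does not return; if it does, stop here rather
		# than fall through with fh unbound.
		return
	try:
		for i in parse_file(fh):
			if i == []:
				continue
			cmd = i.pop(0)
			if cmd=="policy":
				cmd_policy(table,chain,chainmapping,acceptmapping,i)
			else:
				error("Only policy commands allowed in ruleset %r, not %r" % (rule[0],cmd))
	finally:
		# The handle was previously never closed.  For the popen case close()
		# also returns the script's exit status (None on success); for a
		# plain file it returns None.
		status = fh.close()
	if status:
		# A generator script that fails part-way would otherwise leave a
		# truncated set of policies applied without any diagnostic.
		error("Ruleset script for %r exited with status %r" % (name,status))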
Esempio n. 4
def cmd_set(name,value):
	"""Define expando *name*; defining an existing name is reported.

	The value is stored wrapped in a one-element list under
	fwall.expandos.loaded_expandos[name].  If the name is already
	present, error() is called before the assignment.
	"""
	expandos = fwall.expandos.loaded_expandos
	already_defined = name in expandos
	if already_defined:
		error("Redefinition of expando %s" % name)
	expandos[name] = [value]
Esempio n. 5
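def parse_rulesfile(fname, ifname, chainmapping, acceptmapping):
	"""Parse the rules file *fname* for interface *ifname* and dispatch
	each statement to its cmd_* handler.

	The first token of every statement selects the handler.  "chain"
	sets the current table and chain; "policy" and "ruleset" apply to
	that current pair, which must exist in chainmapping.  Malformed or
	unknown statements are reported through error().
	"""
	table,chain=None,None
	# Close the file when parsing ends or fails; the handle was previously
	# left open.
	with open(fname,"r") as fh:
		for i in parse_file(fh):
			if i==[]:
				continue
			cmd = i.pop(0)
			if cmd == "chain":
				try:
					table,chain = i
				except ValueError:
					# Unpacking a list of the wrong length raises ValueError;
					# a bare except here would also hide unrelated failures.
					error("Invalid chain command: %r" % " ".join(i))
			elif cmd in ('policy','ruleset'):
				if table not in chainmapping:
					error("Unknown %r table %r" % (ifname,table))
				if chain not in chainmapping[table]:
					# The policy branch used to pass two values to this
					# three-slot format string, which raised TypeError instead
					# of reporting the unknown chain.
					error("Unknown %r chain %r in table %r" % (ifname,chain,table))
				if cmd == 'policy':
					cmd_policy(table,chain,chainmapping,acceptmapping,i)
				else:
					cmd_ruleset(table,chain,chainmapping,acceptmapping,i)
			elif cmd == "if4_feature":
				cmd_if4_feature(ifname,i[0],i[1])
			elif cmd == "if6_feature":
				cmd_if6_feature(ifname,i[0],i[1])
			elif cmd == "neigh4_feature":
				cmd_neigh4_feature(ifname,i[0],i[1])
			elif cmd == "neigh6_feature":
				cmd_neigh6_feature(ifname,i[0],i[1])
			elif cmd == "ip4_feature":
				cmd_ip4_feature(i[0],i[1])
			elif cmd == "tcp_feature":
				cmd_tcp_feature(i[0],i[1])
			elif cmd == "icmp_feature":
				cmd_icmp_feature(i[0],i[1])
			elif cmd == "set":
				cmd_set(i[0],i[1:])
			elif cmd == "ingress":
				# NOTE(review): the first argument token is dropped here and in
				# "egress" below -- confirm that is intended.
				cmd_ingress(ifname,i[1:])
			elif cmd == "egress":
				cmd_egress(ifname,i[1:])
			else:
				error("Unknown command %r in %r" % (cmd,fname))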