Esempio n. 1
0
def objectsOverlap(objects_a, objects_b):
    """
    Return True if at least one object of objects_a overlaps an object of
    objects_b, otherwise return False.
    """
    for obja in flattenObjectList(objects_a):
        for objb in flattenObjectList(objects_b):
            if obja.overlaps(objb):
                return True
    return False
Esempio n. 2
0
def objectsMatch(objects_a, objects_b):
    """
    Return True if at least one object of objects_a matchs an object of
    objects_b, otherwise return False.
    """
    for obja in flattenObjectList(objects_a):
        for objb in flattenObjectList(objects_b):
            if obja.match(objb):
                return True
    return False
Esempio n. 3
0
 def checkUserGroups(self):
     require_group_name = self.config['nufw']['require_group_name']
     user_groups = set()
     for rule in itertools.chain(self.acls_ipv4, self.acls_ipv6):
         user_groups |= set(flattenObjectList(rule.user_groups))
     for user_group in user_groups:
         self._checkUserGroup(require_group_name, user_group)
Esempio n. 4
0
 def listAllProtocols(self):
     """return a list containing all protocols used by the rule
     return (None,) if no protocol are used"""
     if self.protocols:
         protocols = list(flattenObjectList(self.protocols))
         protocols.sort(key=lambda protocol: protocol.sortKey())
     else:
         if self.source_platforms:
             protocols = list(flattenProtocolList(self.source_platforms))
         elif self.destination_platforms:
             protocols = list(flattenProtocolList(self.destination_platforms))
         else:
             protocols = (None,)
     return protocols
Esempio n. 5
0
    def generateRules(self, rule_number):
        if self.acl.source_platforms or self.acl.destination_platforms:
            if self.acl.source_platforms:
                platforms = self.acl.source_platforms
            else:
                platforms = self.acl.destination_platforms

            for platform in platforms:
                for item in platform.items:
                    protocols = list(flattenObject(item.protocol))
                    protocols.sort(key=lambda protocol: protocol.sortKey())
                    networks = self.formatPlatformSrcDst(flattenObject(item.network))
                    for rule in self.aclRule(networks, protocols, rule_number):
                        yield rule
                        rule_number += 1
        else:
            protocols = list(flattenObjectList(self.acl.protocols))
            protocols.sort(key=lambda protocol: protocol.sortKey())
            networks = self.formatSrcDst()
            for rule in self.aclRule(networks, protocols, rule_number):
                yield rule
                rule_number += 1
Esempio n. 6
0
    def aclRules(self, acl, acl_index):

        flags = 0
        if not acl.log:
            flags |= ACL_FLAGS_NOLOG
# TODO:       if acl.transparent_proxy:
# TODO:           flags |= ACL_FLAGS_SYNC | ACL_FLAGS_STRICT
        decision = DECISIONS[acl.decision]
        common_attr = {
            'AclFlags': flags,
            'Decision': decision,
            'objectClass': (u'top', u'NuAccessControlList'),
            'AclWeight': acl_index,
        }
        if not acl.input.name.endswith('+'):
            common_attr['InDev'] = acl.input.name
        if not acl.output.name.endswith('+'):
            common_attr['OutDev'] = acl.output.name
        common_attr['description'] = acl.logPrefix(ldap=True)
        # TODO: PhysInDev PhysOutDev

        timeranges = set(acl.durations)
        timeranges.update(acl.periodicities)

#        if acl.source_platforms:
#            destinations = self.addressList(acl.destinations, acl.address_type)
#            for destination in destinations:
#                for platform in acl.source_platforms:
#                    for item in platform.items:
#                        sources = self.addressList(flattenObject(item.network), acl.address_type)
#                        protocols = flattenObject(item.protocol)
#                        for rule in self.aclRule(acl, common_attr, sources, [destination], protocols, timeranges):
#                            yield rule
#        elif acl.destination_platforms:
#            sources = self.addressList(acl.sources, acl.address_type)
#            for source in sources:
#                for platform in acl.destination_platforms:
#                    for item in platform.items:
#                        destinations = self.addressList(flattenObject(item.network), acl.address_type)
#                        protocols = flattenObject(item.protocol)
#                        for rule in self.aclRule(acl, common_attr, [source], destinations, protocols, timeranges):
#                            yield rule

        if not acl.source_platforms and not acl.destination_platforms:
            # Create source and destination addresses

            protocols = list(flattenObjectList(acl.protocols))
            protocols.sort(key=lambda protocol: protocol.sortKey())

            for rule in self.aclRule(acl, common_attr, acl.sources, acl.destinations, protocols, timeranges):
                yield rule

        else:
            if acl.source_platforms:
                platforms = acl.source_platforms
                networks = acl.destinations
            else:
                platforms = acl.destination_platforms
                networks = acl.sources

            for network in networks:
                for platform in platforms:
                    for item in platform.items:
                        platform_networks = flattenObject(item.network)
                        protocols = flattenObject(item.protocol)
                        if acl.source_platforms:
                            for rule in self.aclRule(acl, common_attr, platform_networks, [network], protocols, timeranges):
                                yield rule
                        else:
                            for rule in self.aclRule(acl, common_attr, [network], platform_networks, protocols, timeranges):
                                yield rule
Esempio n. 7
0
    def checkConsistency(self, loader_context=None):
        if len(self.destinations) == 0 and len(self.sources) == 0:
            raise RulesetError(tr("A NAT rule requires at least one source or one destination."))

        for source in flattenObjectList(self.sources):
            if isinstance(source, Platform):
                raise RulesetError(tr('Platforms can not be used'
                    ' in NAT rules'))

        for source in flattenObjectList(self.sources):
            if isinstance(source, Platform):
                raise RulesetError(tr('Platforms can not be used'
                    ' in NAT rules'))

        if self.type == NAT_TRANSLATE:
            if len(self.nated_destinations) == 0 and len(self.nated_sources) == 0:
                raise RulesetError(tr("A NAT rule requires at least one translated source or destination."))

        if len(self.nated_sources) != 0 and len(self.sources) == 0:
            raise RulesetError(tr("You need to specify a source to be able to translate it."))

        if len(self.nated_destinations) != 0 and len(self.destinations) == 0:
            raise RulesetError(tr("You need to specify a destination to be able to translate it."))

        if len(self.nated_filters) != 0 and len(self.nated_destinations) == 0:
            raise RulesetError(tr("You need to translate the destination address to be able to translate the protocol."))

        if len(self.nated_sources) > 1 or len(self.nated_destinations) > 1 or len(self.nated_filters) > 1 :
            raise RulesetError(tr("You can not create a NAT rule comprising more than one translated source, destination or protocol."))

        if len(self.nated_sources) != 0 and (len(self.nated_destinations) != 0 or len(self.nated_filters) != 0):
            raise RulesetError(tr("You can not set a translated source at the same time as a translated destination or protocol."))

        if len(self.nated_sources):
            nated_src = getFirst(self.nated_sources)
            if not isinstance(nated_src, (HostResource, HostnameResource,
            NetworkResource, IPsecNetworkResource, FirewallResource)):
                raise RulesetError(tr("The translated source must be a host, a network or the firewall interface."))

        if self.chain == 'POSTROUTING':
            for src in self.sources:
                if not isinstance(src, InterfaceResource):
                    continue
                raise RulesetError(tr("A source NAT rule can not use an interface in sources."))

        if len(self.nated_destinations):
            nated_dst = getFirst(self.nated_destinations)
            if not isinstance(nated_dst, (HostResource, HostnameResource,
            NetworkResource, IPsecNetworkResource)):
                raise RulesetError(tr("The translated destination must be a host or a network."))

        if self.chain == 'PREROUTING':
            for dst in self.destinations:
                if not isinstance(dst, InterfaceResource):
                    continue
                raise RulesetError(tr("A destination NAT rule can not use an interface in destinations."))

        if len(self.nated_filters) and not len(self.filters):
            raise RulesetError(tr("You have to specify at least one protocol to filter to translate it to another protocol."))

        if len(self.nated_filters):
            proto = getFirst(self.nated_filters)
            if proto.layer4 != u'tcp' and proto.layer4 != u'udp':
                raise RulesetError(tr("Translated port can only be TCP or UDP."))
            for obj in flattenObjectList(self.filters):
                if obj.layer4 != proto.layer4:
                    raise RulesetError(
                        tr("The translated port needs to use the same transport protocol (TCP/UDP) as the filtered port. "
                           "The %s protocol does not use the same transport protocol as the translated port.")
                        % proto.formatID())
            if (not proto.dport) or (proto.dport.first != proto.dport.last):
                raise RulesetError(tr("The translated port must be an unique port number."))

        for protocol in chain(self.filters, self.nated_filters):
            if IPV4_ADDRESS not in protocol.getAddressTypes():
                raise RulesetError(
                    tr("The %s protocol can not be used in IPv4!"),
                    protocol.formatID())
Esempio n. 8
0
def iptableRules(iptables, nat, empty_line, apply_rules):
    ruleset = nat.ruleset

    if iptables.options.format == "iptables":
        prefix = Arguments("iptables", "-t", "nat")
    else:
        prefix = Arguments()

    # Create header (title and comment)
    title = unicode(nat)
    if not nat.enabled:
        title += u' (disabled)'
    for line in comment(title, extra=nat.comment, empty_line=empty_line):
        yield line

    # Create source and destination parameters
    chain = nat.createChainKey()

    # Create protocols
    protocols = list(flattenObjectList(nat.filters))
    if not protocols:
        protocols = (None,)

    # Get nated sources
    if len(nat.nated_sources):
        nated_src = getFirst(nat.nated_sources)
    else:
        nated_src = None

    # Get nated destinations
    if len(nat.nated_destinations):
        nated_dst = getFirst(nat.nated_destinations)
    else:
        nated_dst = None

    if nat.type != NAT_TRANSLATE:
        suffix = Arguments('-j', 'ACCEPT')
    elif chain == u'POSTROUTING' and isinstance(nated_src, FirewallResource):
        suffix = Arguments('-j', 'MASQUERADE')
    elif chain == u'POSTROUTING':
        source = getFirstAddress(nat, nated_src, apply_rules)
        if isinstance(nated_src, (NetworkResource, IPsecNetworkResource)):
            suffix = Arguments('-j', 'NETMAP', '--to', source)
        else:
            suffix = Arguments('-j', 'SNAT', '--to-source', source)
    elif chain == u'PREROUTING':
        dest = getFirstAddress(nat, nated_dst, apply_rules)
        if len(nat.nated_filters):
            newproto = getFirst(nat.nated_filters)
            dest += u':%s' % newproto.dport
        if isinstance(nated_dst, (NetworkResource, IPsecNetworkResource)):
            suffix = Arguments('-j', 'NETMAP', '--to', dest)
        else:
            suffix = Arguments('-j', 'DNAT', '--to-destination', dest)

    rule_number = 1
    for network_args in formatSrcDst(ruleset.resources, nat, chain):
        for proto in protocols:
            iptable_rule = prefix

            if not nat.enabled:
                iptable_rule += Arguments("#")
            iptable_rule += Arguments('-A', chain)
            iptable_rule += network_args
            if proto:
                iptable_rule += formatProtocol(proto, chain)

            iptable_rule += suffix
            if iptables.options.format != "iptables":
                iptable_rule += iptables.ruleComment(nat, rule_number)
            rule_number += 1

            yield iptable_rule