コード例 #1
    def _checkDuplicateInterfacesSources(self, settings):
        """Refuse interfaces/sources that are already assigned to a zone.

        Unlike other zone settings, an interface or a source can be bound to
        only one zone.  Only the entries that *settings* adds on top of the
        stored configuration of ``self.obj`` are looked up.

        *settings* is either the tuple form (positions resolved through
        ``Zone.index_of``) or a dict keyed by setting name.

        Raises:
            FirewallError: ``errors.ZONE_CONFLICT`` carrying the name of the
                first added interface or source for which ``self.parent``
                reports an existing zone.
        """
        def _as_set(mapping, key):
            # A missing key means "nothing configured", not an error.
            return set(mapping[key]) if key in mapping else set()

        stored = self.config.get_zone_config_dict(self.obj)
        bound_ifaces = _as_set(stored, "interfaces")
        bound_sources = _as_set(stored, "sources")

        if isinstance(settings, tuple):
            wanted_ifaces = set(settings[Zone.index_of("interfaces")])
            wanted_sources = set(settings[Zone.index_of("sources")])
        else:  # dict
            wanted_ifaces = _as_set(settings, "interfaces")
            wanted_sources = _as_set(settings, "sources")

        # Entries this zone already holds are not re-checked; only additions
        # can collide.  Interfaces are examined before sources.
        # NOTE(review): this only checks; whether the later bind happens
        # atomically with this lookup is not visible here.
        for iface in wanted_ifaces - bound_ifaces:
            if self.parent.getZoneOfInterface(iface):
                # Open question from the original author: move the entry to
                # the new zone instead of failing?
                raise FirewallError(errors.ZONE_CONFLICT, iface)
        for source in wanted_sources - bound_sources:
            if self.parent.getZoneOfSource(source):
                # Same open question as for interfaces.
                raise FirewallError(errors.ZONE_CONFLICT, source)
コード例 #2
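    def _checkDuplicateInterfacesSources(self, settings):
        """Refuse interfaces/sources that are already assigned to a zone.

        Unlike other zone settings, an interface or a source can be part of
        only one zone.  *settings* is the tuple form of a zone configuration;
        only the entries it adds on top of the stored configuration of
        ``self.obj`` are looked up.

        Raises:
            FirewallError: ``ZONE_CONFLICT`` with the name of the first added
                interface or source for which ``self.parent`` reports an
                existing zone.
        """
        old_settings = self.config.get_zone_config(self.obj)
        idx_i = Zone.index_of("interfaces")
        idx_s = Zone.index_of("sources")
        added_ifaces = set(settings[idx_i]) - set(old_settings[idx_i])
        added_sources = set(settings[idx_s]) - set(old_settings[idx_s])

        # The conflicting name is passed along with the error code so the
        # failure says which binding was rejected; the code alone gives an
        # operator nothing to act on.
        for iface in added_ifaces:
            if self.parent.getZoneOfInterface(iface):
                # Open question from the original author: move the interface
                # to the new zone instead of failing?
                raise FirewallError(ZONE_CONFLICT, iface)
        for source in added_sources:
            if self.parent.getZoneOfSource(source):
                # Same open question as for interfaces.
                raise FirewallError(ZONE_CONFLICT, source)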
コード例 #3
    def _checkDuplicateInterfacesSources(self, settings):
        """Refuse interfaces/sources that are already assigned to a zone.

        An interface or a source can be bound to only one zone, which sets
        these two settings apart from the rest of a zone configuration.
        *settings* is the tuple form; only the entries it adds on top of the
        stored configuration of ``self.obj`` are looked up.

        Raises:
            FirewallError: ``errors.ZONE_CONFLICT`` with the name of the first
                added interface or source for which ``self.parent`` reports
                an existing zone.
        """
        stored = self.config.get_zone_config(self.obj)
        iface_pos = Zone.index_of("interfaces")
        source_pos = Zone.index_of("sources")

        # Both differences are computed up front, before any lookup runs.
        new_ifaces = set(settings[iface_pos]).difference(stored[iface_pos])
        new_sources = set(settings[source_pos]).difference(stored[source_pos])

        for iface in new_ifaces:
            if not self.parent.getZoneOfInterface(iface):
                continue
            # Open question from the original author: move the interface to
            # the new zone instead of failing?
            raise FirewallError(errors.ZONE_CONFLICT, iface)
        for source in new_sources:
            if not self.parent.getZoneOfSource(source):
                continue
            # Same open question as for interfaces.
            raise FirewallError(errors.ZONE_CONFLICT, source)
コード例 #4
ファイル: fw_config.py プロジェクト: a4lg/firewalld
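    def new_zone(self, name, config):
        """Create a zone called *name* from *config*, write it and register it.

        Raises:
            FirewallError: ``NAME_CONFLICT`` when ``self.get_zone(name)``
                already finds a zone of that name.

        Returns the new Zone object.
        """
        try:
            self.get_zone(name)
        except Exception:
            # A failed lookup is read as "the name is free".  Narrowed from a
            # bare except so KeyboardInterrupt/SystemExit are not swallowed.
            # NOTE(review): every other lookup failure still counts as "free";
            # catching only the error get_zone() raises for an unknown zone
            # would be stricter - confirm which one that is.
            pass
        else:
            raise FirewallError(NAME_CONFLICT, "new_zone(): '%s'" % name)

        zone = Zone()
        # check_name() is the only validation of the caller-supplied name
        # visible here, and it runs before the name becomes part of the file
        # name below.  Presumably it rejects names unsuitable for a path -
        # confirm.
        zone.check_name(name)
        zone.fw_config = self
        zone.import_config(config)
        zone.name = name
        zone.filename = "%s.xml" % name
        zone.path = ETC_FIREWALLD_ZONES
        zone.default = False

        # The file is written first; the zone is registered only afterwards.
        zone_writer(zone)
        self.add_zone(zone)
        return zone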
コード例 #5
    def _loader(self, path, reader_type, combine=False):
        """Load every ".xml" file in directory *path* as a *reader_type* object.

        reader_type selects the reader and the target collection: "icmptype",
        "service", "zone", "ipset" or "helper".  Any other value is reported
        through log.fatal for each file.  A deep copy of each loaded object
        is added to self.config.

        combine is only honoured for zone directories whose path starts with
        config.ETC_FIREWALLD; otherwise it is reset to False.

        A file that fails to load is logged and skipped, and loading goes on
        with the next file, so the resulting state can lack objects.  Returns
        None; also returns silently when *path* is not a directory.
        """
        # combine: several zone files are getting combined into one obj
        if not os.path.isdir(path):
            return

        if combine:
            # NOTE(review): startswith() is a plain string-prefix test, not a
            # path-component test; a sibling directory whose name merely
            # begins with ETC_FIREWALLD would match too.  Confirm callers
            # only pass the fixed configuration directories.
            if path.startswith(config.ETC_FIREWALLD) and reader_type == "zone":
                # The combined zone is named after the directory itself.
                combined_zone = Zone()
                combined_zone.name = os.path.basename(path)
                combined_zone.check_name(combined_zone.name)
                combined_zone.path = path
                combined_zone.default = False
            else:
                combine = False

        # sorted() makes the load order, and so the overload order,
        # independent of the order os.listdir() happens to return.
        for filename in sorted(os.listdir(path)):
            if not filename.endswith(".xml"):
                # Non-XML entries are skipped, except zone sub-directories
                # below ETC_FIREWALLD, which are loaded as combined zones.
                # os.path.isdir() follows symlinks, so a symlinked directory
                # is descended into as well.
                if path.startswith(config.ETC_FIREWALLD) and \
                        reader_type == "zone" and \
                        os.path.isdir("%s/%s" % (path, filename)):
                    self._loader("%s/%s" % (path, filename),
                                 reader_type,
                                 combine=True)
                continue

            name = "%s/%s" % (path, filename)
            log.debug1("Loading %s file '%s'", reader_type, name)
            try:
                if reader_type == "icmptype":
                    obj = icmptype_reader(filename, path)
                    if obj.name in self.icmptype.get_icmptypes():
                        # Same name already loaded: the new object replaces it.
                        orig_obj = self.icmptype.get_icmptype(obj.name)
                        log.debug1("  Overloads %s '%s' ('%s/%s')",
                                   reader_type, orig_obj.name, orig_obj.path,
                                   orig_obj.filename)
                        self.icmptype.remove_icmptype(orig_obj.name)
                    elif obj.path.startswith(config.ETC_FIREWALLD):
                        obj.default = True
                    try:
                        self.icmptype.add_icmptype(obj)
                    except FirewallError as error:
                        # Rejected for run-time only; the copy for the
                        # configuration interface below is still added.
                        log.info1("%s: %s, ignoring for run-time." % \
                                    (obj.name, str(error)))
                    # add a deep copy to the configuration interface
                    self.config.add_icmptype(copy.deepcopy(obj))
                elif reader_type == "service":
                    obj = service_reader(filename, path)
                    if obj.name in self.service.get_services():
                        # Same name already loaded: the new object replaces it.
                        orig_obj = self.service.get_service(obj.name)
                        log.debug1("  Overloads %s '%s' ('%s/%s')",
                                   reader_type, orig_obj.name, orig_obj.path,
                                   orig_obj.filename)
                        self.service.remove_service(orig_obj.name)
                    elif obj.path.startswith(config.ETC_FIREWALLD):
                        obj.default = True
                    self.service.add_service(obj)
                    # add a deep copy to the configuration interface
                    self.config.add_service(copy.deepcopy(obj))
                elif reader_type == "zone":
                    # The reader is told to skip its name check when
                    # combining; the rewritten name is checked just below.
                    obj = zone_reader(filename, path, no_check_name=combine)
                    if combine:
                        # Change name for permanent configuration
                        # ("<directory>/<file name without .xml>").
                        obj.name = "%s/%s" % (os.path.basename(path),
                                              os.path.basename(filename)[0:-4])
                        obj.check_name(obj.name)
                    # Copy object before combine
                    config_obj = copy.deepcopy(obj)
                    if obj.name in self.zone.get_zones():
                        orig_obj = self.zone.get_zone(obj.name)
                        self.zone.remove_zone(orig_obj.name)
                        if orig_obj.combined:
                            # An existing combined zone is merged into the
                            # new object rather than dropped.
                            log.debug1("  Combining %s '%s' ('%s/%s')",
                                       reader_type, obj.name, path, filename)
                            obj.combine(orig_obj)
                        else:
                            log.debug1("  Overloads %s '%s' ('%s/%s')",
                                       reader_type, orig_obj.name,
                                       orig_obj.path, orig_obj.filename)
                    elif obj.path.startswith(config.ETC_FIREWALLD):
                        obj.default = True
                        config_obj.default = True
                    # The configuration interface gets the copy taken before
                    # any combine() call above.
                    self.config.add_zone(config_obj)
                    if combine:
                        log.debug1("  Combining %s '%s' ('%s/%s')",
                                   reader_type, combined_zone.name, path,
                                   filename)
                        combined_zone.combine(obj)
                    else:
                        self.zone.add_zone(obj)
                elif reader_type == "ipset":
                    obj = ipset_reader(filename, path)
                    if obj.name in self.ipset.get_ipsets():
                        # Same name already loaded: the new object replaces it.
                        orig_obj = self.ipset.get_ipset(obj.name)
                        log.debug1("  Overloads %s '%s' ('%s/%s')",
                                   reader_type, orig_obj.name, orig_obj.path,
                                   orig_obj.filename)
                        self.ipset.remove_ipset(orig_obj.name)
                    elif obj.path.startswith(config.ETC_FIREWALLD):
                        obj.default = True
                    try:
                        self.ipset.add_ipset(obj)
                    except FirewallError as error:
                        # Rejected for run-time only; the copy for the
                        # configuration interface below is still added.
                        log.warning("%s: %s, ignoring for run-time." % \
                                    (obj.name, str(error)))
                    # add a deep copy to the configuration interface
                    self.config.add_ipset(copy.deepcopy(obj))
                elif reader_type == "helper":
                    obj = helper_reader(filename, path)
                    if obj.name in self.helper.get_helpers():
                        # Same name already loaded: the new object replaces it.
                        orig_obj = self.helper.get_helper(obj.name)
                        log.debug1("  Overloads %s '%s' ('%s/%s')",
                                   reader_type, orig_obj.name, orig_obj.path,
                                   orig_obj.filename)
                        self.helper.remove_helper(orig_obj.name)
                    elif obj.path.startswith(config.ETC_FIREWALLD):
                        obj.default = True
                    self.helper.add_helper(obj)
                    # add a deep copy to the configuration interface
                    self.config.add_helper(copy.deepcopy(obj))
                else:
                    log.fatal("Unknown reader type %s", reader_type)
            except FirewallError as msg:
                # One bad file must not stop the rest from loading; the log
                # line is the only trace that this object is missing.
                log.error("Failed to load %s file '%s': %s", reader_type, name,
                          msg)
            except Exception:
                log.error("Failed to load %s file '%s':", reader_type, name)
                log.exception()

        # combined_zone.combined is presumably set by combine() once at least
        # one file was merged - confirm against Zone.
        if combine and combined_zone.combined:
            if combined_zone.name in self.zone.get_zones():
                orig_obj = self.zone.get_zone(combined_zone.name)
                log.debug1("  Overloading and deactivating %s '%s' ('%s/%s')",
                           reader_type, orig_obj.name, orig_obj.path,
                           orig_obj.filename)
                try:
                    self.zone.remove_zone(combined_zone.name)
                except Exception:
                    # Best effort: a failed removal is ignored here.
                    pass
                self.config.forget_zone(combined_zone.name)
            self.zone.add_zone(combined_zone)
コード例 #6
ファイル: fw_test.py プロジェクト: adrianbroher/firewalld
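    def _loader(self, path, reader_type, combine=False):
        """Load every ".xml" file in directory *path* as a *reader_type* object.

        reader_type selects the reader and the target collection: "icmptype",
        "service", "zone" or "ipset".  Any other value is reported through
        log.fatal for each file.  A deep copy of each loaded object is added
        to self.config.

        combine (several zone files are getting combined into one obj) is
        only honoured for zone directories whose path starts with
        ETC_FIREWALLD; otherwise it is reset to False.

        A file that fails to load is logged and skipped, and loading goes on
        with the next file, so the resulting state can lack objects.  Returns
        None; also returns silently when *path* is not a directory.
        """
        if not os.path.isdir(path):
            return

        if combine:
            # NOTE(review): startswith() is a plain string-prefix test, not a
            # path-component test; a sibling directory whose name merely
            # begins with ETC_FIREWALLD would match too.  Confirm callers
            # only pass the fixed configuration directories.
            if path.startswith(ETC_FIREWALLD) and reader_type == "zone":
                # The combined zone is named after the directory itself.
                combined_zone = Zone()
                combined_zone.name = os.path.basename(path)
                combined_zone.check_name(combined_zone.name)
                combined_zone.path = path
                combined_zone.default = False
            else:
                combine = False

        # sorted() makes the load order, and so the overload order,
        # independent of the order os.listdir() happens to return.
        for filename in sorted(os.listdir(path)):
            if not filename.endswith(".xml"):
                # Non-XML entries are skipped, except zone sub-directories
                # below ETC_FIREWALLD, which are loaded as combined zones.
                # os.path.isdir() follows symlinks, so a symlinked directory
                # is descended into as well.
                if path.startswith(ETC_FIREWALLD) and \
                        reader_type == "zone" and \
                        os.path.isdir("%s/%s" % (path, filename)):
                    self._loader("%s/%s" % (path, filename), reader_type,
                                 combine=True)
                continue

            name = "%s/%s" % (path, filename)
            log.debug1("Loading %s file '%s'", reader_type, name)
            try:
                if reader_type == "icmptype":
                    obj = icmptype_reader(filename, path)
                    if obj.name in self.icmptype.get_icmptypes():
                        # Same name already loaded: the new object replaces it.
                        orig_obj = self.icmptype.get_icmptype(obj.name)
                        log.debug1("  Overloads %s '%s' ('%s/%s')", reader_type,
                                   orig_obj.name, orig_obj.path,
                                   orig_obj.filename)
                        self.icmptype.remove_icmptype(orig_obj.name)
                    self.icmptype.add_icmptype(obj)
                    # add a deep copy to the configuration interface
                    self.config.add_icmptype(copy.deepcopy(obj))
                elif reader_type == "service":
                    obj = service_reader(filename, path)
                    if obj.name in self.service.get_services():
                        # Same name already loaded: the new object replaces it.
                        orig_obj = self.service.get_service(obj.name)
                        log.debug1("  Overloads %s '%s' ('%s/%s')", reader_type,
                                   orig_obj.name, orig_obj.path,
                                   orig_obj.filename)
                        self.service.remove_service(orig_obj.name)
                    self.service.add_service(obj)
                    # add a deep copy to the configuration interface
                    self.config.add_service(copy.deepcopy(obj))
                elif reader_type == "zone":
                    obj = zone_reader(filename, path)
                    if combine:
                        # Change name for permanent configuration
                        # ("<directory>/<file name without .xml>").
                        obj.name = "%s/%s" % (
                            os.path.basename(path),
                            os.path.basename(filename)[0:-4])
                        obj.check_name(obj.name)
                    # Copy object before combine
                    config_obj = copy.deepcopy(obj)
                    if obj.name in self.zone.get_zones():
                        orig_obj = self.zone.get_zone(obj.name)
                        self.zone.remove_zone(orig_obj.name)
                        if orig_obj.combined:
                            # An existing combined zone is merged into the
                            # new object rather than dropped.
                            log.debug1("  Combining %s '%s' ('%s/%s')",
                                       reader_type, obj.name,
                                       path, filename)
                            obj.combine(orig_obj)
                        else:
                            log.debug1("  Overloads %s '%s' ('%s/%s')",
                                       reader_type,
                                       orig_obj.name, orig_obj.path,
                                       orig_obj.filename)
                    # The configuration interface gets the copy taken before
                    # any combine() call above.
                    self.config.add_zone(config_obj)
                    if combine:
                        log.debug1("  Combining %s '%s' ('%s/%s')",
                                   reader_type, combined_zone.name,
                                   path, filename)
                        combined_zone.combine(obj)
                    else:
                        self.zone.add_zone(obj)
                elif reader_type == "ipset":
                    obj = ipset_reader(filename, path)
                    if obj.name in self.ipset.get_ipsets():
                        # Same name already loaded: the new object replaces it.
                        orig_obj = self.ipset.get_ipset(obj.name)
                        log.debug1("  Overloads %s '%s' ('%s/%s')", reader_type,
                                   orig_obj.name, orig_obj.path,
                                   orig_obj.filename)
                        self.ipset.remove_ipset(orig_obj.name)
                    self.ipset.add_ipset(obj)
                    # add a deep copy to the configuration interface
                    self.config.add_ipset(copy.deepcopy(obj))
                else:
                    log.fatal("Unknown reader type %s", reader_type)
            except FirewallError as msg:
                # One bad file must not stop the rest from loading; the log
                # line is the only trace that this object is missing.
                log.error("Failed to load %s file '%s': %s", reader_type,
                          name, msg)
            except Exception:
                # The exception object is not needed; log.exception() is
                # called right after the error line.
                log.error("Failed to load %s file '%s':", reader_type, name)
                log.exception()

        # combined_zone.combined is presumably set by combine() once at least
        # one file was merged - confirm against Zone.
        if combine and combined_zone.combined:
            if combined_zone.name in self.zone.get_zones():
                orig_obj = self.zone.get_zone(combined_zone.name)
                log.debug1("  Overloading and deactivating %s '%s' ('%s/%s')",
                           reader_type, orig_obj.name, orig_obj.path,
                           orig_obj.filename)
                try:
                    self.zone.remove_zone(combined_zone.name)
                except Exception:
                    # Best effort: a failed removal is ignored.  Narrowed
                    # from a bare except so KeyboardInterrupt/SystemExit are
                    # not swallowed.
                    pass
                self.config.forget_zone(combined_zone.name)
            self.zone.add_zone(combined_zone)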
コード例 #7
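    def new_zone(self, name, config):
        """Create a zone called *name* from *config*, write it and register it.

        Raises:
            FirewallError: ``NAME_CONFLICT`` when ``self.get_zone(name)``
                already finds a zone of that name.

        Returns the new Zone object.
        """
        try:
            self.get_zone(name)
        except Exception:
            # A failed lookup is read as "the name is free".  Narrowed from a
            # bare except so KeyboardInterrupt/SystemExit are not swallowed.
            # NOTE(review): every other lookup failure still counts as "free";
            # catching only the error get_zone() raises for an unknown zone
            # would be stricter - confirm which one that is.
            pass
        else:
            raise FirewallError(NAME_CONFLICT, name)

        zone = Zone()
        # check_name() is the only validation of the caller-supplied name
        # visible here, and it runs before the name becomes part of the file
        # name below.  Presumably it rejects names unsuitable for a path -
        # confirm.
        zone.check_name(name)
        zone.fw_config = self
        zone.import_config(config)
        zone.name = name
        zone.filename = "%s.xml" % name
        zone.path = ETC_FIREWALLD_ZONES
        zone.default = False

        # The file is written first; the zone is registered only afterwards.
        zone_writer(zone)
        self.add_zone(zone)
        return zone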
コード例 #8
ファイル: fw_config.py プロジェクト: symious/firewalld
    def new_zone(self, name, conf):
        """Create a zone called *name* from *conf*, write it and register it.

        Raises:
            FirewallError: ``errors.NAME_CONFLICT`` when *name* is already a
                key of ``self._zones`` or ``self._builtin_zones``.

        Returns the new Zone object.
        """
        name_taken = any(
            name in known for known in (self._zones, self._builtin_zones))
        if name_taken:
            raise FirewallError(errors.NAME_CONFLICT,
                                "new_zone(): '%s'" % name)

        zone = Zone()
        # check_name() is the only validation of the caller-supplied name
        # visible here, and it runs before the name becomes part of the file
        # name below.  Presumably it rejects names unsuitable for a path -
        # confirm.
        zone.check_name(name)
        zone.fw_config = self
        zone.import_config(conf)
        zone.name = name
        zone.filename = "%s.xml" % name
        zone.path = config.ETC_FIREWALLD_ZONES
        # A new zone can never carry the name of a builtin one (see the
        # conflict check above), so it is never builtin itself.
        zone.builtin = False
        zone.default = True

        # The file is written first; the zone is registered only afterwards.
        zone_writer(zone)
        self.add_zone(zone)
        return zone
コード例 #9
ファイル: fw_config.py プロジェクト: AndersBlomdell/firewalld
    def new_zone(self, name, conf):
        """Create a zone called *name* from *conf*, write it and register it.

        Raises:
            FirewallError: ``errors.NAME_CONFLICT`` when *name* is already a
                key of ``self._zones`` or ``self._builtin_zones``.

        Returns the new Zone object.
        """
        for known in (self._zones, self._builtin_zones):
            if name in known:
                raise FirewallError(errors.NAME_CONFLICT,
                                    "new_zone(): '%s'" % name)

        created = Zone()
        # check_name() is the only validation of the caller-supplied name
        # visible here, and it runs before the name becomes part of the file
        # name below.  Presumably it rejects names unsuitable for a path -
        # confirm.
        created.check_name(name)
        created.fw_config = self
        created.import_config(conf)
        created.name = name
        created.filename = "%s.xml" % name
        created.path = config.ETC_FIREWALLD_ZONES
        # A new zone can never carry the name of a builtin one (see the
        # conflict check above), so it is never builtin itself.
        created.builtin = False
        created.default = True

        # The file is written first; the zone is registered only afterwards.
        zone_writer(created)
        self.add_zone(created)
        return created
コード例 #10
ファイル: fw_config.py プロジェクト: htaira/firewalld
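    def new_zone(self, name, config):
        """Create a zone called *name* from *config*, write it and register it.

        Raises:
            FirewallError: ``NAME_CONFLICT`` when ``self.get_zone(name)``
                already finds a zone of that name.

        Returns the new Zone object.
        """
        try:
            self.get_zone(name)
        except Exception:
            # A failed lookup is read as "the name is free".  Narrowed from a
            # bare except so KeyboardInterrupt/SystemExit are not swallowed.
            # NOTE(review): every other lookup failure still counts as "free";
            # catching only the error get_zone() raises for an unknown zone
            # would be stricter - confirm which one that is.
            pass
        else:
            raise FirewallError(NAME_CONFLICT, "new_zone(): '%s'" % name)

        zone = Zone()
        # check_name() is the only validation of the caller-supplied name
        # visible here, and it runs before the name becomes part of the file
        # name below.  Presumably it rejects names unsuitable for a path -
        # confirm.
        zone.check_name(name)
        zone.fw_config = self
        zone.import_config(config)
        zone.name = name
        zone.filename = "%s.xml" % name
        zone.path = ETC_FIREWALLD_ZONES
        # It is not possible to add a new zone with the name of a builtin
        # one, so the new zone is never builtin itself.
        zone.builtin = False
        zone.default = True

        # The file is written first; the zone is registered only afterwards.
        zone_writer(zone)
        self.add_zone(zone)
        return zone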
コード例 #11
ファイル: fw_config.py プロジェクト: zpytela/firewalld
    def new_zone(self, name, conf):
        """Create a zone called *name* from the positional *conf*.

        *conf* is turned into a dict by pairing each value with the key at
        the same position of ``Zone.IMPORT_EXPORT_STRUCTURE``; the zone is
        then written and registered.

        Raises:
            FirewallError: ``errors.NAME_CONFLICT`` when *name* is already a
                key of ``self._zones`` or ``self._builtin_zones``.

        Returns the new Zone object.
        """
        name_taken = any(
            name in known for known in (self._zones, self._builtin_zones))
        if name_taken:
            raise FirewallError(errors.NAME_CONFLICT,
                                "new_zone(): '%s'" % name)

        # Indexing (rather than zip) keeps the IndexError for a *conf* that
        # is longer than the structure instead of silently dropping values.
        conf_dict = {
            Zone.IMPORT_EXPORT_STRUCTURE[pos][0]: value
            for pos, value in enumerate(conf)
        }

        zone = Zone()
        # check_name() is the only validation of the caller-supplied name
        # visible here, and it runs before the name becomes part of the file
        # name below.  Presumably it rejects names unsuitable for a path -
        # confirm.
        zone.check_name(name)
        zone.fw_config = self
        zone.import_config_dict(conf_dict)
        zone.name = name
        zone.filename = "%s.xml" % name
        zone.path = config.ETC_FIREWALLD_ZONES
        # A new zone can never carry the name of a builtin one (see the
        # conflict check above), so it is never builtin itself.
        zone.builtin = False
        zone.default = True

        # The file is written first; the zone is registered only afterwards.
        zone_writer(zone)
        self.add_zone(zone)
        return zone
コード例 #12
ファイル: fw_config.py プロジェクト: mrostecki/firewalld
    def new_zone_dict(self, name, conf):
        """Create a zone called *name* from the dict *conf*.

        The configuration is imported and passed to
        ``self.full_check_config`` before the zone is registered and
        written.

        Raises:
            FirewallError: ``errors.NAME_CONFLICT`` when *name* is already a
                key of ``self._zones`` or ``self._builtin_zones``.

        Returns the new Zone object.
        """
        for known in (self._zones, self._builtin_zones):
            if name in known:
                raise FirewallError(errors.NAME_CONFLICT,
                                    "new_zone(): '%s'" % name)

        zone = Zone()
        # check_name() is the only validation of the caller-supplied name
        # visible here, and it runs before the name becomes part of the file
        # name below.  Presumably it rejects names unsuitable for a path -
        # confirm.
        zone.check_name(name)
        zone.name = name
        zone.filename = "%s.xml" % name
        zone.path = config.ETC_FIREWALLD_ZONES
        # A new zone can never carry the name of a builtin one (see the
        # conflict check above), so it is never builtin itself.
        zone.builtin = False
        zone.default = True

        io_objects = self.get_all_io_objects_dict()
        zone.import_config_dict(conf, io_objects)
        # The check runs before add_zone() and zone_writer(), so a
        # configuration it rejects is neither registered nor written -
        # assuming full_check_config() raises on failure; confirm.
        self.full_check_config({"zones": [zone]})
        self.add_zone(zone)
        zone_writer(zone)
        return zone
コード例 #13
ファイル: fw.py プロジェクト: robotoil/python-firewalld
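    def _loader(self, path, reader_type, combine=False):
        """Load every ".xml" file in directory *path* as a *reader_type* object.

        reader_type selects the reader and the target collection: "icmptype",
        "service" or "zone".  Any other value is reported through log.fatal
        for each file.  Objects added to a run-time collection also get a
        deep copy added to self.config; zone files merged into a combined
        zone do not.

        combine (several zone files are getting combined into one obj) is
        only honoured for zone directories whose path starts with
        ETC_FIREWALLD; otherwise it is reset to False.

        A file that fails to load is logged and skipped, and loading goes on
        with the next file, so the resulting state can lack objects.  Returns
        None; also returns silently when *path* is not a directory.
        """
        if not os.path.isdir(path):
            return

        if combine:
            # NOTE(review): startswith() is a plain string-prefix test, not a
            # path-component test; a sibling directory whose name merely
            # begins with ETC_FIREWALLD would match too.  Confirm callers
            # only pass the fixed configuration directories.
            if path.startswith(ETC_FIREWALLD) and reader_type == "zone":
                # The combined zone is named after the directory itself.
                combined_zone = Zone()
                combined_zone.name = os.path.basename(path)
                combined_zone.check_name(combined_zone.name)
                combined_zone.path = path
                combined_zone.default = False
            else:
                combine = False

        # sorted() makes the load order, and so the overload order,
        # independent of the order os.listdir() happens to return.
        for filename in sorted(os.listdir(path)):
            if not filename.endswith(".xml"):
                # Non-XML entries are skipped, except zone sub-directories
                # below ETC_FIREWALLD, which are loaded as combined zones.
                # os.path.isdir() follows symlinks, so a symlinked directory
                # is descended into as well.
                if path.startswith(ETC_FIREWALLD) and \
                        reader_type == "zone" and \
                        os.path.isdir("%s/%s" % (path, filename)):
                    self._loader("%s/%s" % (path, filename),
                                 reader_type,
                                 combine=True)
                continue

            name = "%s/%s" % (path, filename)
            log.debug1("Loading %s file '%s'", reader_type, name)
            try:
                if reader_type == "icmptype":
                    obj = icmptype_reader(filename, path)
                    if obj.name in self.icmptype.get_icmptypes():
                        # Same name already loaded: the new object replaces it.
                        orig_obj = self.icmptype.get_icmptype(obj.name)
                        log.debug1("  Overloads %s '%s' ('%s/%s')",
                                   reader_type, orig_obj.name, orig_obj.path,
                                   orig_obj.filename)
                        self.icmptype.remove_icmptype(orig_obj.name)
                    self.icmptype.add_icmptype(obj)
                    # add a deep copy to the configuration interface
                    self.config.add_icmptype(copy.deepcopy(obj))
                elif reader_type == "service":
                    obj = service_reader(filename, path)
                    if obj.name in self.service.get_services():
                        # Same name already loaded: the new object replaces it.
                        orig_obj = self.service.get_service(obj.name)
                        log.debug1("  Overloads %s '%s' ('%s/%s')",
                                   reader_type, orig_obj.name, orig_obj.path,
                                   orig_obj.filename)
                        self.service.remove_service(orig_obj.name)
                    self.service.add_service(obj)
                    # add a deep copy to the configuration interface
                    self.config.add_service(copy.deepcopy(obj))
                elif reader_type == "zone":
                    obj = zone_reader(filename, path)
                    if not combine:
                        if obj.name in self.zone.get_zones():
                            orig_obj = self.zone.get_zone(obj.name)
                            if orig_obj.combined:
                                # A combined zone cannot be replaced by a
                                # single file; the error is caught below,
                                # logged, and this file is skipped.
                                raise FirewallError(NOT_OVERLOADABLE,
                                                    "%s is a combined zone" % \
                                                        obj.name)
                            log.debug1("  Overloads %s '%s' ('%s/%s')",
                                       reader_type, orig_obj.name,
                                       orig_obj.path, orig_obj.filename)
                            self.zone.remove_zone(orig_obj.name)
                        self.zone.add_zone(obj)
                        # add a deep copy to the configuration interface
                        self.config.add_zone(copy.deepcopy(obj))
                    else:
                        # Merged into the directory's combined zone only; no
                        # separate run-time or configuration entry is made.
                        combined_zone.combine(obj)
                else:
                    log.fatal("Unknown reader type %s", reader_type)
            except FirewallError as msg:
                # One bad file must not stop the rest from loading; the log
                # line is the only trace that this object is missing.
                log.error("Failed to load %s file '%s': %s", reader_type, name,
                          msg)
            except Exception:
                # The exception object is not needed; log.exception() is
                # called right after the error line.
                log.error("Failed to load %s file '%s':", reader_type, name)
                log.exception()

        # Truthiness replaces the "== True" comparisons.
        # combined_zone.combined is presumably set by combine() once at least
        # one file was merged - confirm against Zone.
        if combine and combined_zone.combined:
            if combined_zone.name in self.zone.get_zones():
                orig_obj = self.zone.get_zone(combined_zone.name)
                log.debug1("  Overloading and deactivating %s '%s' ('%s/%s')",
                           reader_type, orig_obj.name, orig_obj.path,
                           orig_obj.filename)
                try:
                    self.zone.remove_zone(combined_zone.name)
                except Exception:
                    # Best effort: a failed removal is ignored.  Narrowed
                    # from a bare except so KeyboardInterrupt/SystemExit are
                    # not swallowed.
                    pass
                self.config.forget_zone(combined_zone.name)
            self.zone.add_zone(combined_zone)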