def translate_addr_rule(addr, addr_type, addr_table, port_op, port_from, port_to, proto, addr_iface, af): """Parses fields given in the pfweb form to a pf.PFRuleAddr object""" pfaddr = False if addr_type == "addrmask" and af != socket.AF_UNSPEC: # Validate IP address pfaddr = translate_addrmask(af, addr) elif addr_type == "table": # Set addr to a table if not addr_table: return "Table cannot be empty" pfaddr = pf.PFAddr("<{}>".format(addr_table)) elif addr_type == "dynif": # Set addr to an interface if not addr_iface: return "Interface cannot be empty" pfaddr = pf.PFAddr("({})".format(addr_iface), af) # Do not set if ANY or proto is ICMP port = False if int( port_op ) != pf.PF_OP_NONE and proto != socket.IPPROTO_ICMP and proto != socket.IPPROTO_ICMPV6: # Confirm port op if int(port_op) not in PFWEB_PORT_OPS: return "Invalid port op" # port from pfport_from = 0 try: # Confirm input is a number if port_from != '': pfport_from = int(port_from) except ValueError: return "Invalid port number" pfport_to = 0 # Set range if int(port_op) == pf.PF_OP_RRG or int(port_op) == pf.PF_OP_IRG or int( port_op) == pf.PF_OP_XRG: # Port to try: if port_to != '': pfport_to = int(port_to) except ValueError: return "Invalid port number" port = pf.PFPort((pfport_from, pfport_to), proto, int(port_op)) # Create and set the PFRuleAddr rule_addr = pf.PFRuleAddr() if pfaddr: rule_addr.addr = pfaddr if port: rule_addr.port = port return rule_addr
def translate_pool_rule(trans_type, addr, addr_type, addr_table, port_from, port_to, proto, addr_iface, af): """Parses fields given in the pfweb form to a pf.PFPool object""" pfaddr = False if addr_type == 'addrmask': pfaddr = translate_addrmask(af, addr) elif addr_type == 'table': if not addr_table: return "Table cannot be empty" pfaddr = pf.PFAddr("<{}>".format(addr_table)) elif addr_type == 'dynif': if trans_type.lower() == 'rdr': return "Cannot RDR to an interface" if not addr_iface: return "Interface cannot be empty" # Set PFAddr to interface and IPv4 pfaddr = pf.PFAddr("({})".format(addr_iface), af) pool_id = pf.PF_POOL_NAT port = False if trans_type.lower() == 'rdr' and (proto == socket.IPPROTO_TCP or proto == socket.IPPROTO_UDP): # Set ports to 0 if they were left blank if port_from == '': port_from = 0 port_to = 0 if port_to == '': port_to = 0 pool_id = pf.PF_POOL_RDR try: port = pf.PFPort((int(port_from), int(port_to))) except ValueError: # The user didn't give us a valid number return "Invalid port number" elif trans_type.lower() == 'rdr' and not (proto == socket.IPPROTO_TCP or proto == socket.IPPROTO_UDP): return "TCP or UDP must be used for RDR" pool = pf.PFPool(pool_id, pfaddr) if port: pool.proxy_port = port return pool
def pfDrop(IP): import pf import socket filter = pf.PacketFilter() blockip = pf.PFAddr(IP) try: filter.enable() ext_if = pf.PFAddr(type=pf.PF_ADDR_DYNIFTL, ifname=options.interface) ruling = pf.PFRule(action=pf.PF_DROP, direction=pf.PF_IN, af=socket.AF_INET, quick=True, src=pf.PFRuleAddr(blockip)) #rs = pf.PFRuleset() rs = filter.get_ruleset() rs.append(ruling) # Load rules #filter = pf.PacketFilter() filter.load_ruleset(rs) except: print "Unexpected error (pf):", sys.exc_info()[0] return
def translate_addrmask(af, addr): """Validate IP address""" addr_mask = addr.split("/") try: socket.inet_pton(af, addr_mask[0]) except socket.error: raise BadRequestError("Invalid IP address") # Test v4 or v6 mask max_cidr_prefix = 32 if af == socket.AF_INET else 128 if len(addr_mask) == 2 and int( addr_mask[1]) and (int(addr_mask[1]) < 0 or int(addr_mask[1]) > max_cidr_prefix): raise BadRequestError("Invalid CIDR prefix") return pf.PFAddr(addr)
def test_load_ruleset(self): iface = pf.PFAddr(type=pf.PF_ADDR_DYNIFTL, ifname=self.testif) tables = [pf.PFTable("web_srv", "10.0.1.20", "10.0.1.21", "10.0.1.22")] rules = [ # match out on $ifname inet from !($ifname) to any nat-to ($ifname) pf.PFRule(action=pf.PF_MATCH, direction=pf.PF_OUT, ifname=self.testif, af=AF_INET, src=pf.PFRuleAddr(iface, neg=True), nat=pf.PFPool(pf.PF_POOL_NAT, iface)), # pass out quick pf.PFRule(action=pf.PF_PASS, direction=pf.PF_OUT, quick=True, flags="S", flagset="SA", keep_state=pf.PF_STATE_NORMAL), # anchor "test_anchor" pf.PFRuleset("test_anchor"), # pass in on $ifname inet proto tcp from any to $ifname port ssh pf.PFRule(action=pf.PF_PASS, direction=pf.PF_IN, ifname=self.testif, af=AF_INET, proto=IPPROTO_TCP, dst=pf.PFRuleAddr(iface, pf.PFPort("ssh", IPPROTO_TCP)), flags="S", flagset="SA", keep_state=pf.PF_STATE_NORMAL), # pass in on $ifname inet proto tcp to $ifname port www \ # rdr-to <web_srv> round-robin sticky-address pf.PFRule(action=pf.PF_PASS, direction=pf.PF_IN, ifname=self.testif, af=AF_INET, proto=IPPROTO_TCP, dst=pf.PFRuleAddr(iface, pf.PFPort("www", IPPROTO_TCP)), flags="S", flagset="SA", keep_state=pf.PF_STATE_NORMAL, rdr=pf.PFPool(pf.PF_POOL_RDR, pf.PFAddr("<web_srv>"), opts=(pf.PF_POOL_ROUNDROBIN| pf.PF_POOL_STICKYADDR))), # pass out on $ifname inet proto tcp to port 80 \ # divert-packet port 700 pf.PFRule(action=pf.PF_PASS, direction=pf.PF_OUT, ifname=self.testif, af=AF_INET, proto=IPPROTO_TCP, dst=pf.PFRuleAddr(port=pf.PFPort("www", IPPROTO_TCP)), divert=pf.PFDivert(pf.PF_DIVERT_PACKET, port=700)), # pass in inet proto icmp all icmp-type echoreq max-pkt-rate 100/10 pf.PFRule(action=pf.PF_PASS, direction=pf.PF_IN, af=AF_INET, proto=IPPROTO_ICMP, type=pf.ICMP_ECHO+1, keep_state=pf.PF_STATE_NORMAL, pktrate=pf.PFThreshold(100, 10))] rules[2].append( pf.PFTable("spammers", flags=pf.PFR_TFLAG_PERSIST), # pass in on $ifname inet proto tcp from ! <spammers> \ # to $ifname port 25 rdr-to 10.0.1.23 pf.PFRule(action=pf.PF_PASS, direction=pf.PF_IN, ifname=self.testif, af=AF_INET, proto=IPPROTO_TCP, src=pf.PFRuleAddr(pf.PFAddr("<spammers>"), neg=True), dst=pf.PFRuleAddr(iface, pf.PFPort(25, IPPROTO_TCP)), flags="S", flagset="SA", keep_state=pf.PF_STATE_NORMAL, rdr=pf.PFPool(pf.PF_POOL_RDR, pf.PFAddr("10.0.1.23")))) self.pf.clear_rules() rs = pf.PFRuleset() rs.append(*tables) rs.append(*rules) self.pf.load_ruleset(rs) self.assertEqual(len(self.pf.get_ruleset().rules), len(rules))
def states(): """Show all contents of the state table and allow a state to be removed""" if request.method == 'POST': # Remove individual state if request.form.get('action') == 'remove': # Make sure correct parameters were sent if request.form.get('src') and request.form.get('dst'): if '[' in request.form.get( 'src') or '.' not in request.form.get('src'): # Handle IPv6 addresses src_addr_port = request.form.get('src').split('[') dst_addr_port = request.form.get('dst').split('[') # Make sure there was a port set if len(src_addr_port) == 2: src_addr_port[1] = src_addr_port[1].split(']')[0] else: src_addr_port.append(0) if len(dst_addr_port) == 2: dst_addr_port[1] = dst_addr_port[1].split(']')[0] else: dst_addr_port.append(0) else: # IPv4 address and port src_addr_port = request.form.get('src').split(':') dst_addr_port = request.form.get('dst').split(':') # Create PFRuleAddr object from address and ports src_addr = pf.PFRuleAddr( pf.PFAddr(src_addr_port[0]), pf.PFPort(src_addr_port[1], 0, pf.PF_OP_EQ)) dst_addr = pf.PFRuleAddr( pf.PFAddr(dst_addr_port[0]), pf.PFPort(dst_addr_port[1], 0, pf.PF_OP_EQ)) packetfilter.kill_states(src=src_addr, dst=dst_addr) # Return a JSON object of just the src and dst we removed return jsonify({ 'src': "{}".format(request.form.get('src')), 'dst': "{}".format(request.form.get('dst')) }) else: # Return a simple 400 response when src or dst were not provided message = {'status': 400, 'message': 'Invalid parameters'} resp = jsonify(message) resp.status_code = 400 return resp else: # Return a simple 400 response the wrong action provided message = {'status': 400, 'message': 'Unknown action'} resp = jsonify(message) resp.status_code = 400 return resp states = list() for state in packetfilter.get_states(): # Set direction for src and dst (src, dst) = (1, 0) if state.direction == pf.PF_OUT else (0, 1) # Set the source address and port. Only set port if it is not 0 src_line = "{}".format(state.nk.addr[src]) if str(state.nk.port[src]): src_line += (":{}" if state.af == socket.AF_INET else "[{}]").format(state.nk.port[src]) # Show and NAT (or rdr) address if (state.nk.addr[src] != state.sk.addr[src] or state.nk.port[src] != state.sk.port[src]): src_line += " ({}".format(state.sk.addr[src]) if str(state.sk.port[src]): src_line += (":{})" if state.af == socket.AF_INET else "[{}])").format(state.sk.port[src]) # Repeat for destination dst_line = "{}".format(state.nk.addr[dst]) if str(state.nk.port[dst]): dst_line += (":{}" if state.af == socket.AF_INET else "[{}]").format(state.nk.port[dst]) if (state.nk.addr[dst] != state.sk.addr[dst] or state.nk.port[dst] != state.sk.port[dst]): dst_line += " ({}".format(state.sk.addr[dst]) if str(state.sk.port[dst]): dst_line += (":{})" if state.af == socket.AF_INET else "[{}])").format(state.sk.port[dst]) state_desc = "" if state.proto == socket.IPPROTO_TCP: state_desc = "{}:{}".format(PFWEB_TCP_STATES[state.src.state], PFWEB_TCP_STATES[state.dst.state]) elif state.proto == socket.IPPROTO_UDP: state_desc = "{}:{}".format(PFWEB_UDP_STATES[state.src.state], PFWEB_UDP_STATES[state.dst.state]) else: state_desc = "{}:{}".format(PFWEB_OTHER_STATES[state.src.state], PFWEB_OTHER_STATES[state.dst.state]) state_struct = { 'ifname': state.ifname, 'proto': PFWEB_IPPROTO[state.proto], 'src': src_line, 'dst': dst_line, 'state': state_desc, 'packets': [ int(sum(state.packets)), "TX: {}<br/>RX: {}".format( sizeof_fmt(state.packets[0], num_type='int'), sizeof_fmt(state.packets[1], num_type='int')) ], 'bytes': [ int(sum(state.bytes)), "TX: {}<br/>RX: {}".format(sizeof_fmt(state.bytes[0]), sizeof_fmt(state.bytes[1])) ], 'expires': [int(state.expire), timedelta(seconds=state.expire)] } states.append(state_struct) return render_template('states.html', logged_in=flask_login.current_user.get_id(), status_tab='active', states=states)
def xml_to_pfrule(data): print "starting translation" print data xml_datas = [] xml_rules = xmltodict.parse( data, dict_constructor=dict )["mspl-set"]["it-resource"]["configuration"]["rule"] if isinstance(xml_rules, list): for xml_rule in xml_rules: xml_datas.append(xml_rule) else: xml_datas.append(xml_rules) rate_limit = None rules = pf.PFRuleset() for xml_data in xml_datas: print xml_data rule = pf.PFRule() if settings.quick_rules == "True": rule.quick = True Addrs = None Addrd = None Ports = None Portd = None xml_src = getValIfKeyExists( xml_data["condition"]["packet-filter-condition"], "source-address") if xml_src is not None: Addrs = pf.PFAddr(xml_src) xml_dst = getValIfKeyExists( xml_data["condition"]["packet-filter-condition"], "destination-address") if xml_dst is not None: Addrd = pf.PFAddr(xml_dst) xml_proto = getValIfKeyExists( xml_data["condition"]["packet-filter-condition"], "protocol") if xml_proto is not None: if xml_proto.lower() == "tcp": rule.proto = socket.IPPROTO_TCP elif xml_proto.lower() == "udp": rule.proto = socket.IPPROTO_UDP xml_direction = getValIfKeyExists( xml_data["condition"]["packet-filter-condition"], "direction") if xml_direction is not None: if xml_direction.lower() == "inbound": rule.direction = pf.PF_IN elif xml_direction.lower() == "outbound": rule.direction = pf.PF_OUT xml_interface = getValIfKeyExists( xml_data["condition"]["packet-filter-condition"], "interface") if xml_interface is not None: rule.ifname = xml_interface.replace("eth", "vtnet") xml_sport = getValIfKeyExists( xml_data["condition"]["packet-filter-condition"], "source-port") xml_dport = getValIfKeyExists( xml_data["condition"]["packet-filter-condition"], "destination-port") # Retrieve default target from MSPL default_target = getValIfKeyExists(xml_data, "action").upper() if default_target is not None: if default_target == "ACCEPT": rule.action = pf.PF_PASS rule.keep_state = pf.PF_STATE_NORMAL elif default_target == "DROP": rule.action = pf.PF_DROP elif default_target == "REJECT": rule.action = pf.PF_DROP rule.rule_flag = pf.PFRULE_RETURN elif default_target == "SCRUB": rule.action = pf.PF_SCRUB # In case of packets/sec rate limit: if getValIfKeyExists( xml_data["condition"], "traffic-flow-condition") is not None: # It is a number of allowed packets or bits per unit of time # (seconds, minutes, hours or days). # -m limit --limit <rate-limit> --limit-burst <limit-burst> \ # -j ACCEPT # rate_limit = getValIfKeyExists( # xml_data["condition"]["traffic-flow-condition"], # "rate-limit") # The maximum number of connections per host. max_connections = getValIfKeyExists( xml_data["condition"]["traffic-flow-condition"], "max-connections") # If the action is DROP or REJECT the rule will fire an error # if max_src_conn is setted if max_connections is not None and default_target == "ACCEPT": # rule.max_src_nodes = max_connections rule.max_src_conn = max_connections rule.rule_flag = pf.PFRULE_SRCTRACK # Connections rate limit connections_rate = getValIfKeyExists( xml_data["condition"]["traffic-flow-condition"], "connections-rate") # If the action is DROP or REJECT the rule will fire an error # if max_src_conn_rate is setted if connections_rate is not None and default_target == "ACCEPT": splitted = connections_rate.split('/') # rule.max_src_nodes = max_connections limit = splitted[0] seconds = splitted[1] rule.max_src_conn_rate = (limit, seconds) rule.rule_flag = pf.PFRULE_SRCTRACK # In case of specified ports, ports can be applied only # if protocol is specified: if xml_sport is not None: if xml_proto is not None: if xml_proto.lower() == "tcp": Ports = pf.PFPort(xml_sport, socket.IPPROTO_TCP) elif xml_proto.lower() == "udp": Ports = pf.PFPort(xml_sport, socket.IPPROTO_UDP) else: Ports = pf.PFPort(xml_sport) if xml_dport is not None: if xml_proto is not None: if xml_proto.lower() == "tcp": Portd = pf.PFPort(xml_dport, socket.IPPROTO_TCP) elif xml_proto.lower() == "udp": Portd = pf.PFPort(xml_dport, socket.IPPROTO_UDP) else: print xml_dport Portd = pf.PFPort(xml_dport) # TODO: Manage Priority priority = getValIfKeyExists(xml_data, "priority") if Addrs is not None and Ports is not None: rule.src = pf.PFRuleAddr(Addrs, Ports) elif Addrs is not None: rule.src = pf.PFRuleAddr(Addrs) elif Ports is not None: rule.src = pf.PFRuleAddr(pf.PFAddr(), Ports) if Addrd is not None and Portd is not None: rule.dst = pf.PFRuleAddr(Addrd, Portd) elif Addrd is not None: rule.dst = pf.PFRuleAddr(Addrd) elif Portd is not None: rule.dst = pf.PFRuleAddr(pf.PFAddr(), Portd) # Append rule rules.append(rule) return rules