def objectsOverlap(objects_a, objects_b): """ Return True if at least one object of objects_a overlaps an object of objects_b, otherwise return False. """ for obja in flattenObjectList(objects_a): for objb in flattenObjectList(objects_b): if obja.overlaps(objb): return True return False
def objectsMatch(objects_a, objects_b): """ Return True if at least one object of objects_a matchs an object of objects_b, otherwise return False. """ for obja in flattenObjectList(objects_a): for objb in flattenObjectList(objects_b): if obja.match(objb): return True return False
def checkUserGroups(self): require_group_name = self.config['nufw']['require_group_name'] user_groups = set() for rule in itertools.chain(self.acls_ipv4, self.acls_ipv6): user_groups |= set(flattenObjectList(rule.user_groups)) for user_group in user_groups: self._checkUserGroup(require_group_name, user_group)
def listAllProtocols(self): """return a list containing all protocols used by the rule return (None,) if no protocol are used""" if self.protocols: protocols = list(flattenObjectList(self.protocols)) protocols.sort(key=lambda protocol: protocol.sortKey()) else: if self.source_platforms: protocols = list(flattenProtocolList(self.source_platforms)) elif self.destination_platforms: protocols = list(flattenProtocolList(self.destination_platforms)) else: protocols = (None,) return protocols
def generateRules(self, rule_number): if self.acl.source_platforms or self.acl.destination_platforms: if self.acl.source_platforms: platforms = self.acl.source_platforms else: platforms = self.acl.destination_platforms for platform in platforms: for item in platform.items: protocols = list(flattenObject(item.protocol)) protocols.sort(key=lambda protocol: protocol.sortKey()) networks = self.formatPlatformSrcDst(flattenObject(item.network)) for rule in self.aclRule(networks, protocols, rule_number): yield rule rule_number += 1 else: protocols = list(flattenObjectList(self.acl.protocols)) protocols.sort(key=lambda protocol: protocol.sortKey()) networks = self.formatSrcDst() for rule in self.aclRule(networks, protocols, rule_number): yield rule rule_number += 1
def aclRules(self, acl, acl_index): flags = 0 if not acl.log: flags |= ACL_FLAGS_NOLOG # TODO: if acl.transparent_proxy: # TODO: flags |= ACL_FLAGS_SYNC | ACL_FLAGS_STRICT decision = DECISIONS[acl.decision] common_attr = { 'AclFlags': flags, 'Decision': decision, 'objectClass': (u'top', u'NuAccessControlList'), 'AclWeight': acl_index, } if not acl.input.name.endswith('+'): common_attr['InDev'] = acl.input.name if not acl.output.name.endswith('+'): common_attr['OutDev'] = acl.output.name common_attr['description'] = acl.logPrefix(ldap=True) # TODO: PhysInDev PhysOutDev timeranges = set(acl.durations) timeranges.update(acl.periodicities) # if acl.source_platforms: # destinations = self.addressList(acl.destinations, acl.address_type) # for destination in destinations: # for platform in acl.source_platforms: # for item in platform.items: # sources = self.addressList(flattenObject(item.network), acl.address_type) # protocols = flattenObject(item.protocol) # for rule in self.aclRule(acl, common_attr, sources, [destination], protocols, timeranges): # yield rule # elif acl.destination_platforms: # sources = self.addressList(acl.sources, acl.address_type) # for source in sources: # for platform in acl.destination_platforms: # for item in platform.items: # destinations = self.addressList(flattenObject(item.network), acl.address_type) # protocols = flattenObject(item.protocol) # for rule in self.aclRule(acl, common_attr, [source], destinations, protocols, timeranges): # yield rule if not acl.source_platforms and not acl.destination_platforms: # Create source and destination addresses protocols = list(flattenObjectList(acl.protocols)) protocols.sort(key=lambda protocol: protocol.sortKey()) for rule in self.aclRule(acl, common_attr, acl.sources, acl.destinations, protocols, timeranges): yield rule else: if acl.source_platforms: platforms = acl.source_platforms networks = acl.destinations else: platforms = acl.destination_platforms networks = acl.sources for network in networks: for platform in platforms: for item in platform.items: platform_networks = flattenObject(item.network) protocols = flattenObject(item.protocol) if acl.source_platforms: for rule in self.aclRule(acl, common_attr, platform_networks, [network], protocols, timeranges): yield rule else: for rule in self.aclRule(acl, common_attr, [network], platform_networks, protocols, timeranges): yield rule
def checkConsistency(self, loader_context=None): if len(self.destinations) == 0 and len(self.sources) == 0: raise RulesetError(tr("A NAT rule requires at least one source or one destination.")) for source in flattenObjectList(self.sources): if isinstance(source, Platform): raise RulesetError(tr('Platforms can not be used' ' in NAT rules')) for source in flattenObjectList(self.sources): if isinstance(source, Platform): raise RulesetError(tr('Platforms can not be used' ' in NAT rules')) if self.type == NAT_TRANSLATE: if len(self.nated_destinations) == 0 and len(self.nated_sources) == 0: raise RulesetError(tr("A NAT rule requires at least one translated source or destination.")) if len(self.nated_sources) != 0 and len(self.sources) == 0: raise RulesetError(tr("You need to specify a source to be able to translate it.")) if len(self.nated_destinations) != 0 and len(self.destinations) == 0: raise RulesetError(tr("You need to specify a destination to be able to translate it.")) if len(self.nated_filters) != 0 and len(self.nated_destinations) == 0: raise RulesetError(tr("You need to translate the destination address to be able to translate the protocol.")) if len(self.nated_sources) > 1 or len(self.nated_destinations) > 1 or len(self.nated_filters) > 1 : raise RulesetError(tr("You can not create a NAT rule comprising more than one translated source, destination or protocol.")) if len(self.nated_sources) != 0 and (len(self.nated_destinations) != 0 or len(self.nated_filters) != 0): raise RulesetError(tr("You can not set a translated source at the same time as a translated destination or protocol.")) if len(self.nated_sources): nated_src = getFirst(self.nated_sources) if not isinstance(nated_src, (HostResource, HostnameResource, NetworkResource, IPsecNetworkResource, FirewallResource)): raise RulesetError(tr("The translated source must be a host, a network or the firewall interface.")) if self.chain == 'POSTROUTING': for src in self.sources: if not isinstance(src, InterfaceResource): continue raise RulesetError(tr("A source NAT rule can not use an interface in sources.")) if len(self.nated_destinations): nated_dst = getFirst(self.nated_destinations) if not isinstance(nated_dst, (HostResource, HostnameResource, NetworkResource, IPsecNetworkResource)): raise RulesetError(tr("The translated destination must be a host or a network.")) if self.chain == 'PREROUTING': for dst in self.destinations: if not isinstance(dst, InterfaceResource): continue raise RulesetError(tr("A destination NAT rule can not use an interface in destinations.")) if len(self.nated_filters) and not len(self.filters): raise RulesetError(tr("You have to specify at least one protocol to filter to translate it to another protocol.")) if len(self.nated_filters): proto = getFirst(self.nated_filters) if proto.layer4 != u'tcp' and proto.layer4 != u'udp': raise RulesetError(tr("Translated port can only be TCP or UDP.")) for obj in flattenObjectList(self.filters): if obj.layer4 != proto.layer4: raise RulesetError( tr("The translated port needs to use the same transport protocol (TCP/UDP) as the filtered port. " "The %s protocol does not use the same transport protocol as the translated port.") % proto.formatID()) if (not proto.dport) or (proto.dport.first != proto.dport.last): raise RulesetError(tr("The translated port must be an unique port number.")) for protocol in chain(self.filters, self.nated_filters): if IPV4_ADDRESS not in protocol.getAddressTypes(): raise RulesetError( tr("The %s protocol can not be used in IPv4!"), protocol.formatID())
def iptableRules(iptables, nat, empty_line, apply_rules): ruleset = nat.ruleset if iptables.options.format == "iptables": prefix = Arguments("iptables", "-t", "nat") else: prefix = Arguments() # Create header (title and comment) title = unicode(nat) if not nat.enabled: title += u' (disabled)' for line in comment(title, extra=nat.comment, empty_line=empty_line): yield line # Create source and destination parameters chain = nat.createChainKey() # Create protocols protocols = list(flattenObjectList(nat.filters)) if not protocols: protocols = (None,) # Get nated sources if len(nat.nated_sources): nated_src = getFirst(nat.nated_sources) else: nated_src = None # Get nated destinations if len(nat.nated_destinations): nated_dst = getFirst(nat.nated_destinations) else: nated_dst = None if nat.type != NAT_TRANSLATE: suffix = Arguments('-j', 'ACCEPT') elif chain == u'POSTROUTING' and isinstance(nated_src, FirewallResource): suffix = Arguments('-j', 'MASQUERADE') elif chain == u'POSTROUTING': source = getFirstAddress(nat, nated_src, apply_rules) if isinstance(nated_src, (NetworkResource, IPsecNetworkResource)): suffix = Arguments('-j', 'NETMAP', '--to', source) else: suffix = Arguments('-j', 'SNAT', '--to-source', source) elif chain == u'PREROUTING': dest = getFirstAddress(nat, nated_dst, apply_rules) if len(nat.nated_filters): newproto = getFirst(nat.nated_filters) dest += u':%s' % newproto.dport if isinstance(nated_dst, (NetworkResource, IPsecNetworkResource)): suffix = Arguments('-j', 'NETMAP', '--to', dest) else: suffix = Arguments('-j', 'DNAT', '--to-destination', dest) rule_number = 1 for network_args in formatSrcDst(ruleset.resources, nat, chain): for proto in protocols: iptable_rule = prefix if not nat.enabled: iptable_rule += Arguments("#") iptable_rule += Arguments('-A', chain) iptable_rule += network_args if proto: iptable_rule += formatProtocol(proto, chain) iptable_rule += suffix if iptables.options.format != "iptables": iptable_rule += iptables.ruleComment(nat, rule_number) rule_number += 1 yield iptable_rule