def aclRule(self, networks, protocols, rule_number):
    """Yield one ``Arguments`` rule per (network, protocol) pair of this ACL.

    Each rule is assembled in this order: a leading ``"#"`` when the ACL is
    disabled, ``self.program`` when set, ``self.dispatch``, the pre-formatted
    network arguments, the formatted protocol (omitted for a falsy protocol),
    then ``-j <decision>`` and the rule comment from ``self.iptables``.  When
    the ACL is logged and authentication is not in use, a log rule built from
    the same prefix is yielded first and consumes its own rule number.

    Args:
        networks: iterable of ``Arguments`` holding source/destination args.
        protocols: iterable of protocol objects; a falsy entry means "any".
        rule_number: first rule number to assign; it is advanced locally for
            every rule yielded, so the caller's value is not modified.

    Yields:
        ``Arguments`` instances, log rules included.
    """
    is_disabled = not self.acl.enabled
    emit_log = self.acl.log and not self.use_auth
    number = rule_number
    for net_args in networks:
        for proto in protocols:
            rule = Arguments()
            if is_disabled:
                rule += Arguments("#")
            if self.program:
                rule += Arguments(self.program)
            rule += self.dispatch
            rule += net_args
            if proto:
                rule += formatProtocol(proto, self.chain)
            if emit_log:
                # The log rule shares the match prefix and takes its own number.
                yield self.logRule(rule, number)
                number += 1
            rule += Arguments("-j", self.decision)
            rule += self.iptables.ruleComment(self.acl, number)
            yield rule
            number += 1
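def iptableRules(iptables, nat, empty_line, apply_rules):
    """Yield the comment header and the ``nat`` table rules for one NAT object.

    Header lines come from ``comment()``; every following item is an
    ``Arguments`` holding one ``-A <chain> ...`` rule.  In the ``"iptables"``
    output format each rule is prefixed with ``iptables -t nat`` and carries
    no per-rule comment; in any other format the prefix is empty and
    ``iptables.ruleComment()`` is appended.

    Args:
        iptables: generator context; ``options.format`` and ``ruleComment()``
            are read here.
        nat: NAT object; ``ruleset``, ``enabled``, ``comment``, ``type``,
            ``filters``, ``nated_sources``, ``nated_destinations`` and
            ``nated_filters`` are read, ``createChainKey()`` is called.
        empty_line: passed through to ``comment()``.
        apply_rules: passed through to ``getFirstAddress()``.

    Yields:
        Header lines, then one ``Arguments`` per (src/dst pair, protocol).

    Raises:
        ValueError: for a translation NAT whose chain is neither
            ``POSTROUTING`` nor ``PREROUTING``.  The original code left
            ``suffix`` unbound in that case and failed later with
            ``UnboundLocalError``.
    """
    ruleset = nat.ruleset

    # Remember the prefix as plain strings and build a fresh Arguments per
    # rule below.  The original did ``iptable_rule = prefix`` followed by
    # ``+=``; if Arguments.__iadd__ extends in place, every rule would have
    # leaked into the shared prefix.  Building per rule matches how the ACL
    # rule generator in this file constructs its Arguments.
    if iptables.options.format == "iptables":
        prefix_args = ("iptables", "-t", "nat")
    else:
        prefix_args = ()

    # Header (title and comment).  ``unicode`` keeps this Python 2 code
    # unchanged; the file uses u'' literals throughout.
    title = unicode(nat)
    if not nat.enabled:
        title += u' (disabled)'
    for line in comment(title, extra=nat.comment, empty_line=empty_line):
        yield line

    # Chain the rules are appended to (PREROUTING / POSTROUTING / ...).
    chain = nat.createChainKey()

    # Protocols; a single ``None`` entry means "no protocol match".
    protocols = list(flattenObjectList(nat.filters))
    if not protocols:
        protocols = (None,)

    # Only the first nated source / destination is used.
    nated_src = getFirst(nat.nated_sources) if len(nat.nated_sources) else None
    nated_dst = getFirst(nat.nated_destinations) if len(nat.nated_destinations) else None

    # Target (-j ...) shared by every rule of this NAT.
    if nat.type != NAT_TRANSLATE:
        suffix = Arguments('-j', 'ACCEPT')
    elif chain == u'POSTROUTING' and isinstance(nated_src, FirewallResource):
        # Source is the firewall itself: let the kernel pick the address.
        suffix = Arguments('-j', 'MASQUERADE')
    elif chain == u'POSTROUTING':
        source = getFirstAddress(nat, nated_src, apply_rules)
        if isinstance(nated_src, (NetworkResource, IPsecNetworkResource)):
            suffix = Arguments('-j', 'NETMAP', '--to', source)
        else:
            suffix = Arguments('-j', 'SNAT', '--to-source', source)
    elif chain == u'PREROUTING':
        dest = getFirstAddress(nat, nated_dst, apply_rules)
        if len(nat.nated_filters):
            # Port redirection: append ":dport" of the first nated filter.
            newproto = getFirst(nat.nated_filters)
            dest += u':%s' % newproto.dport
        if isinstance(nated_dst, (NetworkResource, IPsecNetworkResource)):
            suffix = Arguments('-j', 'NETMAP', '--to', dest)
        else:
            suffix = Arguments('-j', 'DNAT', '--to-destination', dest)
    else:
        # No branch above bound ``suffix``; fail early with a clear message
        # rather than with UnboundLocalError at the first rule.
        raise ValueError(u"unsupported chain %r for NAT translation" % (chain,))

    rule_number = 1
    for network_args in formatSrcDst(ruleset.resources, nat, chain):
        for proto in protocols:
            iptable_rule = Arguments(*prefix_args)
            if not nat.enabled:
                iptable_rule += Arguments("#")
            iptable_rule += Arguments('-A', chain)
            iptable_rule += network_args
            if proto:
                iptable_rule += formatProtocol(proto, chain)
            iptable_rule += suffix
            if iptables.options.format != "iptables":
                iptable_rule += iptables.ruleComment(nat, rule_number)
            rule_number += 1
            yield iptable_rule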