def _run_modules(callbacks, outdir, modules_to_run, diff, no_write, no_exec, no_git): for module_name, callback in callbacks: if module_name not in modules_to_run: logger.debug("No action: skipping %s" % module_name) else: logger.info("Running module %s..." % module_name) callback(outdir, diff, no_write, no_exec, no_git)
def check_wildcard(a): if a is None: return None if '*' in util.flatten(a): logger.debug("Emptying address list because it has a wildcard: %s" % a) return [] return a
def _load_virtual_server_group(config): virtual_server_group = [] virtual_server = [] for group_name in sorted(config.keys()): group_config = config[group_name] vs = {} vs['hostips'] = [util.HostIPPort(x) for x in group_config.pop('virtual_server')] vs['ipv4'] = sorted(util.flatten([hostip.ipv4 for hostip in vs['hostips']])) vs['ipv6'] = sorted(util.flatten([hostip.ipv6 for hostip in vs['hostips']])) rs = {} rs['hostips'] = [util.HostIPPort(x) for x in group_config.pop('real_server')] rs['ipv4'] = sorted(util.flatten([hostip.ipv4 for hostip in rs['hostips']])) rs['ipv6'] = sorted(util.flatten([hostip.ipv6 for hostip in rs['hostips']])) drain = {} if 'drain' in group_config: drain['hostip'] = util.HostIPPort(group_config.pop('drain', [])) drain['ipv4'] = drain['hostip'].ipv4 drain['ipv6'] = drain['hostip'].ipv6 for l3proto in ('ipv4', 'ipv6'): invalid_drains = set(drain[l3proto]) - set(rs[l3proto]) if len(invalid_drains) > 0: raise Exception("Drain IP not a real_server: %s" % ','.join(map(str, invalid_drains))) else: drain['hostip'] = [] drain['ipv4'] = [] drain['ipv6'] = [] for l7proto in util.flatten(group_config.pop('proto')): port = port_by_l7proto[l7proto] for l3proto in ('ipv4', 'ipv6'): for l4proto in l4proto_by_l7proto[l7proto]: name = '%s_%s_%s_%s' % (group_name, l3proto, l4proto, l7proto) if len(vs[l3proto]) == 0: logger.debug("Ignoring %s, no virtual ips!" % name) continue if len(rs[l3proto]) == 0: logger.debug("Ignoring %s, no real ips!" % name) continue virtual_server_group.append(VirtualServerGroup(name, vs[l3proto], l3proto, l4proto, l7proto, port)) virtual_server.append(VirtualServer(name, l3proto, l4proto, l7proto, port, rs[l3proto], drain[l3proto])) return virtual_server_group, virtual_server
def load(config): logger.trace("config: %s" % config) icmp_stateful = config.pop('icmp_stateful', True) ipv6_nat = config.pop('ipv6_nat', False) interfaces = _expand_interfaces(config.pop('interfaces', {})) input_ssh_from = check_wildcard(config.pop('input_ssh_from', [])) input_munin_from = check_wildcard(config.pop('input_munin_from', None)) input_nrpe_from = check_wildcard(config.pop('input_nrpe_from', None)) input_dns_from = check_wildcard(config.pop('input_dns_from', None)) input_dns_notrack = config.pop('input_dns_notrack', False) input_http_from = check_wildcard(config.pop('input_http_from', None)) input_http_port = check_wildcard(config.pop('input_http_port', [80, 443])) input_http_notrack = config.pop('input_http_notrack', False) input_smtp_from = check_wildcard(config.pop('input_smtp_from', None)) input_postgresql_from = check_wildcard(config.pop('input_postgresql_from', None)) input_xmpp_c2s_from = check_wildcard(config.pop('input_xmpp_c2s_from', None)) input_nsca_from = check_wildcard(config.pop('input_nsca_from', None)) output_dns_to = check_wildcard(config.pop('output_dns_to', [])) output_ntp_to = check_wildcard(config.pop('output_ntp_to', [])) output_http_to = check_wildcard(config.pop('output_http_to', None)) output_http_port = check_wildcard(config.pop('output_http_port', [80, 443])) output_smtp_to = check_wildcard(config.pop('output_smtp_to', [])) output_munin_to = check_wildcard(config.pop('output_munin_to', None)) output_nsca_to = check_wildcard(config.pop('output_nsca_to', None)) output_postgresql_to = check_wildcard(config.pop('output_postgresql_to', None)) output_xmpp_c2s_to = check_wildcard(config.pop('output_xmpp_c2s_to', None)) output_user = config.pop('output_user', None) output_group = config.pop('output_group', None) xmpp_s2s_fromto = check_wildcard(config.pop('xmpp_s2s_fromto', None)) gre_peers = check_wildcard(config.pop('gre_peers', None)) if any([input_dns_notrack, input_http_notrack]): logger.debug("notrack option set, early accepting icmp") icmp_stateful = False input_tcp = config.pop('input_tcp', []) input_udp = config.pop('input_udp', []) output_tcp = config.pop('output_tcp', []) output_udp = config.pop('output_udp', []) custom = _custom_rules(config.pop('custom', {}), interfaces) input_log_ignore = config.pop('input_log_ignore', None) input_log_limit = config.pop('input_log_limit', None) input_log_burst = config.pop('input_log_burst', None) output_log_ignore = config.pop('output_log_ignore', None) output_log_limit = config.pop('output_log_limit', None) output_log_burst = config.pop('output_log_burst', None) forwarding = False stateful_forward = config.pop('stateful_forward', True) customer_ipsec_gateway = util.flatten(config.pop('customer_ipsec_gateway', [])) if len(customer_ipsec_gateway) > 0: logger.debug("customer ipsec gateway set, enabling forwarding") forwarding = True fh = IPTablesHostsAllow() fh.fw.enable_ipv6_nat(ipv6_nat) logger.debug("creating rules for early phase") fh.add(libow.early_lo()) if input_dns_from is not None and input_dns_notrack is True: fh.add(libow.input_dns(input_dns_from, input_dns_notrack)) if input_http_from is not None and input_http_notrack is True: fh.add(libow.input_http(input_http_from, input_http_port, input_http_notrack)) fh.add(custom['early'].values()) logger.debug("creating rules for start phase") if icmp_stateful is False: fh.add(libow.input_icmp()) fh.add(libow.output_icmp()) fh.add(libow.start('INPUT')) fh.add(libow.start('OUTPUT')) if icmp_stateful is True: fh.add(libow.stateful_input_icmp()) fh.add(libow.output_icmp()) if forwarding is True: if stateful_forward is True: fh.add(libow.start('FORWARD')) fh.add(libow.forward_icmp()) fh.add(custom['start'].values()) logger.debug("creating rules for middle phase") if input_ssh_from is not None: fh.add(libow.input_ssh(input_ssh_from)) if input_munin_from is not None: fh.add(libow.input_tcp(input_munin_from, 4949)) if input_nrpe_from is not None: fh.add(libow.input_nrpe(input_nrpe_from)) if input_dns_from is not None and input_dns_notrack is False: fh.add(libow.input_dns(input_dns_from, input_dns_notrack)) if input_http_from is not None and input_http_notrack is False: fh.add(libow.input_http(input_http_from, input_http_port, input_http_notrack)) if input_smtp_from is not None: fh.add(libow.input_tcp(input_smtp_from, 25)) if input_postgresql_from is not None: fh.add(libow.input_tcp(input_postgresql_from, 5432)) if input_xmpp_c2s_from is not None: fh.add(libow.input_tcp(input_xmpp_c2s_from, 5222)) fh.add(libow.input_tcp([], 7777)) # XXX: unfiltered? for rule in input_tcp: comment = rule.get('comment', None) s = check_wildcard(rule.get('from', [])) port = rule.get('port', None) fh.add(libow.input_tcp(comment=comment, s=s, port=port)) for rule in input_udp: comment = rule.get('comment', None) s = check_wildcard(rule.get('from', [])) port = rule.get('port', None) fh.add(libow.input_udp(comment=comment, s=s, port=port)) if input_nsca_from is not None: fh.add(libow.input_tcp(input_nsca_from, 5667)) if xmpp_s2s_fromto is not None: fh.add(libow.input_tcp(xmpp_s2s_fromto, 5269)) if gre_peers is not None: fh.add(libow.input_gre(gre_peers)) if output_dns_to is not None: fh.add(libow.output_dns(output_dns_to)) if output_ntp_to is not None: fh.add(libow.output_udp(output_ntp_to, 123, uid='ntp')) if output_http_to is not None: fh.add(libow.output_http(output_http_to, output_http_port)) if output_smtp_to is not None: fh.add(libow.output_tcp(output_smtp_to, 25, uid='postfix')) if output_munin_to is not None: fh.add(libow.output_tcp(output_munin_to, 4949, uid='munin')) if output_nsca_to is not None: fh.add(libow.output_tcp(output_nsca_to, 5667)) if output_postgresql_to is not None: fh.add(libow.output_tcp(output_postgresql_to, 5432)) if output_xmpp_c2s_to is not None: fh.add(libow.output_tcp(output_xmpp_c2s_to, 5222)) if xmpp_s2s_fromto is not None: fh.add(libow.output_tcp(xmpp_s2s_fromto, 5269, uid='ejabberd')) if gre_peers is not None: fh.add(libow.output_gre(gre_peers)) for rule in output_tcp: comment = rule.get('comment', None) d = check_wildcard(rule.get('to', [])) port = rule.get('port', None) uid = rule.get('uid', None) fh.add(libow.output_tcp(comment=comment, d=d, port=port, uid=uid)) for rule in output_udp: comment = rule.get('comment', None) d = check_wildcard(rule.get('to', [])) port = rule.get('port', None) uid = rule.get('uid', None) fh.add(libow.output_udp(comment=comment, d=d, port=port, uid=uid)) if output_user is not None: output_user = util.flatten(output_user) for user in output_user: if isinstance(user, str): fh.add(libow.output_tcp(d=[], uid=user)) elif isinstance(user, int): fh.add(libow.output_tcp(d=[], uid=str(user))) else: raise Exception("don't understand output_user %s" % user) if output_group is not None: output_group = util.flatten(output_group) for group in output_group: if isinstance(group, str): fh.add(libow.output_tcp(d=[], gid=group)) elif isinstance(group, int): fh.add(libow.output_tcp(d=[], gid=str(group))) else: raise Exception("don't understand output_group %s" % group) if len(customer_ipsec_gateway) > 0: for cig in customer_ipsec_gateway: fh.add(libow.customer_ipsec_gateway( remote_endpoint=cig['remote_endpoint'], remote_subnets=cig['remote_subnets'], local_subnets=cig['local_subnets'], allow_incoming_traffic=cig.get('allow_incoming_traffic', False), snat=cig.get('snat', None) )) fh.add(custom['middle'].values()) logger.debug("creating rules for end phase") fh.add(libow.input_traceroute()) fh.add(libow.output_beheer_root()) fh.add(custom['end'].values()) logger.debug("creating rules for late phase") fh.add(libow.log('INPUT', input_log_ignore, input_log_limit, input_log_burst)) fh.add(libow.log('OUTPUT', output_log_ignore, output_log_limit, output_log_burst)) fh.add(custom['late'].values()) for hosts_allow in config.pop('hosts_allow', []): daemon = hosts_allow.pop('daemon') s = hosts_allow.pop('from', None) if '*' in util.flatten(s): s = 'all' if len(hosts_allow) > 0: logger.warn("Unrecognized options in hosts_allow rule: %s" % hosts_allow) fh.add(libow.hosts_allow(daemon, s)) firewall_lines = fh.fw.get_iptables_restore_script(4).splitlines() firewall6_lines = fh.fw.get_iptables_restore_script(6).splitlines() hosts_allow_lines = fh.ha.get_hosts_allow_content().splitlines() additional_config = None def run(outdir, diff, no_write, no_exec, no_git): if any([ util.write_file(outdir, 'network/firewall', firewall_lines, no_write, diff), util.write_file(outdir, 'network/firewall6', firewall6_lines, no_write, diff), util.write_file(outdir, 'hosts.allow', hosts_allow_lines, no_write, diff), ]): if os.geteuid() == 0: if no_exec is True: util.cmd(('/sbin/iptables-restore', '-t'), dry_run=False, stdin=firewall_lines) util.cmd(('/sbin/ip6tables-restore', '-t'), dry_run=False, stdin=firewall6_lines) else: util.cmd(('/sbin/iptables-restore'), dry_run=False, stdin=firewall_lines) util.cmd(('/sbin/ip6tables-restore'), dry_run=False, stdin=firewall6_lines) util.git_commit(outdir, ['network/firewall', 'network/firewall6', 'hosts.allow'], no_git, 'firewall') return run, additional_config