def build_zone_forward_port_rules(self, enable, zone, filter_chain, port,
protocol, toport, toaddr, mark_id):
add_del = { True: "-A", False: "-D" }[enable]
mark_str = "0x%x" % mark_id
mark = [ "-m", "mark", "--mark", mark_str ]
to = ""
if toaddr:
if check_single_address("ipv6", toaddr):
to += "[%s]" % toaddr
else:
to += toaddr
if toport and toport != "":
to += ":%s" % portStr(toport, "-")
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
zone=zone)
rules = []
rules.append([ add_del, "%s_allow" % (target), "-t", "mangle",
"-p", protocol, "--dport", portStr(port),
"-j", "MARK", "--set-mark", mark_str ])
# local and remote
rules.append([ add_del, "%s_allow" % (target), "-t", "nat",
"-p", protocol ] + mark +
[ "-j", "DNAT", "--to-destination", to ])
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[filter_chain],
zone=zone)
rules.append([ add_del, "%s_allow" % (target),
"-t", "filter", "-m", "conntrack",
"--ctstate", "NEW" ] +
mark + [ "-j", "ACCEPT" ])
return rules
def build_zone_masquerade_rules(self, enable, zone, rich_rule=None):
add_del = {True: "-A", False: "-D"}[enable]
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["POSTROUTING"],
zone=zone)
rule_fragment = []
if rich_rule:
rule_fragment += self._rich_rule_destination_fragment(
rich_rule.destination)
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
rules = []
rules.append([add_del, "%s_allow" % (target), "-t", "nat"] +
rule_fragment + ["!", "-o", "lo", "-j", "MASQUERADE"])
# FORWARD_OUT
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["FORWARD_OUT"],
zone=zone)
rule_fragment = []
if rich_rule:
rule_fragment += self._rich_rule_destination_fragment(
rich_rule.destination)
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
rules.append([add_del, "%s_allow" %
(target), "-t", "filter"] + rule_fragment +
["-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT"])
return rules
def build_zone_forward_port_rules(self,
enable,
zone,
filter_chain,
port,
protocol,
toport,
toaddr,
mark_id,
rich_rule=None):
add_del = {True: "-A", False: "-D"}[enable]
mark_str = "0x%x" % mark_id
mark = ["-m", "mark", "--mark", mark_str]
to = ""
if toaddr:
if check_single_address("ipv6", toaddr):
to += "[%s]" % toaddr
else:
to += toaddr
if toport and toport != "":
to += ":%s" % portStr(toport, "-")
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
zone=zone)
rule_fragment = ["-p", protocol, "--dport", portStr(port)]
if rich_rule:
rule_fragment += self._rich_rule_destination_fragment(
rich_rule.destination)
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
rules = []
if rich_rule:
rules.append(
self._rich_rule_log(rich_rule, enable, "mangle", target,
rule_fragment))
rules.append([add_del, "%s_allow" % (target), "-t", "mangle"] +
rule_fragment + ["-j", "MARK", "--set-mark", mark_str])
# local and remote
rules.append(
[add_del,
"%s_allow" % (target), "-t", "nat", "-p", protocol] + mark +
["-j", "DNAT", "--to-destination", to])
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[filter_chain],
zone=zone)
rules.append([
add_del,
"%s_allow" %
(target), "-t", "filter", "-m", "conntrack", "--ctstate", "NEW"
] + mark + ["-j", "ACCEPT"])
return rules
def build_zone_masquerade_rule(self, enable, zone):
add_del = { True: "-A", False: "-D" }[enable]
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["POSTROUTING"],
zone=zone)
rules = []
rules.append([ add_del, "%s_allow" % (target), "!", "-o", "lo",
"-t", "nat", "-j", "MASQUERADE" ])
# FORWARD_OUT
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["FORWARD_OUT"],
zone=zone)
rules.append([ add_del, "%s_allow" % (target), "-t", "filter",
"-m", "conntrack", "--ctstate", "NEW", "-j", "ACCEPT" ])
return rules
def _rich_rule_action(self, zone, rich_rule, enable, table, target,
rule_fragment):
if not rich_rule.action:
return []
add_del = {True: "-A", False: "-D"}[enable]
if type(rich_rule.action) == Rich_Accept:
chain = "%s_allow" % target
rule_action = ["-j", "ACCEPT"]
elif type(rich_rule.action) == Rich_Reject:
chain = "%s_deny" % target
rule_action = ["-j", "REJECT"]
if rich_rule.action.type:
rule_action += ["--reject-with", rich_rule.action.type]
elif type(rich_rule.action) == Rich_Drop:
chain = "%s_deny" % target
rule_action = ["-j", "DROP"]
elif type(rich_rule.action) == Rich_Mark:
chain = "%s_allow" % target
table = "mangle"
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
zone=zone)
rule_action = ["-j", "MARK", "--set-xmark", rich_rule.action.set]
else:
raise FirewallError(INVALID_RULE,
"Unknown action %s" % type(rich_rule.action))
rule = [add_del, chain, "-t", table]
rule += rule_fragment + rule_action
rule += self._rule_limit(rich_rule.action.limit)
return rule
def build_zone_source_interface(self, enable, zone, zone_target, interface,
table, chain, append=False):
# handle all zones in the same way here, now
# trust and block zone targets are handled now in __chain
opt = {
"PREROUTING": "-i",
"POSTROUTING": "-o",
"INPUT": "-i",
"FORWARD_IN": "-i",
"FORWARD_OUT": "-o",
"OUTPUT": "-o",
}[chain]
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
if zone_target == DEFAULT_ZONE_TARGET:
action = "-g"
else:
action = "-j"
if enable and not append:
rule = [ "-I", "%s_ZONES" % chain, "1" ]
elif enable:
rule = [ "-A", "%s_ZONES" % chain ]
else:
rule = [ "-D", "%s_ZONES" % chain ]
rule += [ "-t", table, opt, interface, action, target ]
return rule
def build_zone_icmp_block_rules(self, enable, zone, icmp):
add_del = {True: "-A", False: "-D"}[enable]
if self.ipv == "ipv4":
proto = ["-p", "icmp"]
match = ["-m", "icmp", "--icmp-type", icmp]
else:
proto = ["-p", "ipv6-icmp"]
match = ["-m", "icmp6", "--icmpv6-type", icmp]
rules = []
for chain in ["INPUT", "FORWARD_IN"]:
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
zone=zone)
if self._fw.zone.query_icmp_block_inversion(zone):
final_chain = "%s_allow" % target
final_target = "ACCEPT"
else:
final_chain = "%s_deny" % target
final_target = "%%REJECT%%"
if self._fw.get_log_denied() != "off" and final_target != "ACCEPT":
rules.append([add_del, final_chain, "-t", "filter"] + proto +
match + [
"%%LOGTYPE%%", "-j", "LOG", "--log-prefix",
"\"%s_ICMP_BLOCK: \"" % zone
])
rules.append([
add_del,
final_chain,
"-t",
"filter",
] + proto + match + ["-j", final_target])
return rules
def build_zone_icmp_block_inversion_rules(self, enable, zone):
table = "filter"
rules = []
for chain in ["INPUT", "FORWARD_IN"]:
rule_idx = 4
_zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
zone=zone)
if self._fw.zone.query_icmp_block_inversion(zone):
ibi_target = "%%REJECT%%"
if self._fw.get_log_denied() != "off":
if enable:
rule = ["-I", _zone, str(rule_idx)]
else:
rule = ["-D", _zone]
rule = rule + [
"-t", table, "-p", "%%ICMP%%", "%%LOGTYPE%%", "-j",
"LOG", "--log-prefix",
"\"%s_ICMP_BLOCK: \"" % _zone
]
rules.append(rule)
rule_idx += 1
else:
ibi_target = "ACCEPT"
if enable:
rule = ["-I", _zone, str(rule_idx)]
else:
rule = ["-D", _zone]
rule = rule + ["-t", table, "-p", "%%ICMP%%", "-j", ibi_target]
rules.append(rule)
return rules
def build_zone_source_interface_rules(self,
enable,
zone,
zone_target,
interface,
table,
chain,
append=False):
# handle all zones in the same way here, now
# trust and block zone targets are handled now in __chain
opt = {
"PREROUTING": "-i",
"POSTROUTING": "-o",
"INPUT": "-i",
"FORWARD_IN": "-i",
"FORWARD_OUT": "-o",
"OUTPUT": "-o",
}[chain]
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
if zone_target == DEFAULT_ZONE_TARGET:
action = "-g"
else:
action = "-j"
if enable and not append:
rule = ["-I", "%s_ZONES" % chain, "1"]
elif enable:
rule = ["-A", "%s_ZONES" % chain]
else:
rule = ["-D", "%s_ZONES" % chain]
rule += ["-t", table, opt, interface, action, target]
return [rule]
def build_zone_icmp_block_inversion_rules(self, enable, zone):
rule_idx = 4
table = "filter"
rules = []
for chain in [ "INPUT", "FORWARD_IN" ]:
_zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
zone=zone)
if self._fw.zone.query_icmp_block_inversion(zone):
ibi_target = "%%REJECT%%"
if self._fw.get_log_denied() != "off":
if enable:
rule = [ "-I", _zone, str(rule_idx) ]
else:
rule = [ "-D", _zone ]
rule = rule + [ "-t", table, "-p", "%%ICMP%%",
"%%LOGTYPE%%",
"-j", "LOG", "--log-prefix",
"\"%s_ICMP_BLOCK: \"" % _zone ]
rules.append(rule)
rule_idx += 1
else:
ibi_target = "ACCEPT"
if enable:
rule = [ "-I", _zone, str(rule_idx) ]
else:
rule = [ "-D", _zone ]
rule = rule + [ "-t", table, "-p", "%%ICMP%%", "-j", ibi_target ]
rules.append(rule)
return rules
def build_zone_icmp_block_rules(self, enable, zone, icmp):
add_del = { True: "-A", False: "-D" }[enable]
if self.ipv == "ipv4":
proto = [ "-p", "icmp" ]
match = [ "-m", "icmp", "--icmp-type", icmp ]
else:
proto = [ "-p", "ipv6-icmp" ]
match = [ "-m", "icmp6", "--icmpv6-type", icmp ]
rules = []
for chain in ["INPUT", "FORWARD_IN"]:
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
zone=zone)
if self._fw.zone.query_icmp_block_inversion(zone):
final_chain = "%s_allow" % target
final_target = "ACCEPT"
else:
final_chain = "%s_deny" % target
final_target = "%%REJECT%%"
if self._fw.get_log_denied() != "off" and final_target != "ACCEPT":
rules.append([ add_del, final_chain, "-t", "filter" ]
+ proto + match +
[ "%%LOGTYPE%%", "-j", "LOG",
"--log-prefix", "\"%s_ICMP_BLOCK: \"" % zone ])
rules.append([ add_del, final_chain, "-t", "filter", ]
+ proto + match +
[ "-j", final_target ])
return rules
def build_zone_source_ports_rules(self, enable, zone, proto, port,
destination=None, rich_rule=None):
add_del = { True: "-A", False: "-D" }[enable]
table = "filter"
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone)
rule_fragment = [ "-p", proto ]
if port:
rule_fragment += [ "--sport", "%s" % portStr(port) ]
if destination:
rule_fragment += [ "-d", destination ]
if rich_rule:
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
if not rich_rule or rich_rule.action != Rich_Mark:
rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW" ]
rules = []
if rich_rule:
rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment))
rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment))
rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment))
else:
rules.append([add_del, "%s_allow" % (target), "-t", table] +
rule_fragment + [ "-j", "ACCEPT" ])
return rules
def build_zone_protocol_rule(self, enable, zone, protocol):
add_del = { True: "-A", False: "-D" }[enable]
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone)
rule = [ add_del, "%s_allow" % (target),
"-t", "filter", "-p", protocol,
"-m", "conntrack", "--ctstate", "NEW",
"-j", "ACCEPT" ]
return rule
def build_zone_icmp_block_rules(self, enable, zone, ict, rich_rule=None):
table = "filter"
add_del = {True: "-A", False: "-D"}[enable]
if self.ipv == "ipv4":
proto = ["-p", "icmp"]
match = ["-m", "icmp", "--icmp-type", ict.name]
else:
proto = ["-p", "ipv6-icmp"]
match = ["-m", "icmp6", "--icmpv6-type", ict.name]
rules = []
for chain in ["INPUT", "FORWARD_IN"]:
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
zone=zone)
if self._fw.zone.query_icmp_block_inversion(zone):
final_chain = "%s_allow" % target
final_target = "ACCEPT"
else:
final_chain = "%s_deny" % target
final_target = "%%REJECT%%"
rule_fragment = []
if rich_rule:
rule_fragment += self._rich_rule_destination_fragment(
rich_rule.destination)
rule_fragment += self._rich_rule_source_fragment(
rich_rule.source)
rule_fragment += proto + match
if rich_rule:
rules.append(
self._rich_rule_log(rich_rule, enable, table, target,
rule_fragment))
rules.append(
self._rich_rule_audit(rich_rule, enable, table, target,
rule_fragment))
if rich_rule.action:
rules.append(
self._rich_rule_action(zone, rich_rule, enable, table,
target, rule_fragment))
else:
rules.append(
[add_del, "%s_deny" % target, "-t", table] +
rule_fragment + ["-j", "%%REJECT%%"])
else:
if self._fw.get_log_denied(
) != "off" and final_target != "ACCEPT":
rules.append(
[add_del, final_chain, "-t", table] + rule_fragment + [
"%%LOGTYPE%%", "-j", "LOG", "--log-prefix",
"\"%s_ICMP_BLOCK: \"" % zone
])
rules.append([add_del, final_chain, "-t", table] +
rule_fragment + ["-j", final_target])
return rules
def build_zone_masquerade_rule(self, enable, zone):
add_del = {True: "-A", False: "-D"}[enable]
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["POSTROUTING"],
zone=zone)
rules = []
rules.append([
add_del,
"%s_allow" % (target), "!", "-o", "lo", "-t", "nat", "-j",
"MASQUERADE"
])
# FORWARD_OUT
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["FORWARD_OUT"],
zone=zone)
rules.append([
add_del,
"%s_allow" % (target), "-t", "filter", "-m", "conntrack",
"--ctstate", "NEW", "-j", "ACCEPT"
])
return rules
def build_zone_protocol_rule(self, enable, zone, protocol):
add_del = {True: "-A", False: "-D"}[enable]
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
zone=zone)
rule = [
add_del,
"%s_allow" % (target), "-t", "filter", "-p", protocol, "-m",
"conntrack", "--ctstate", "NEW", "-j", "ACCEPT"
]
return rule
def build_zone_ports_rule(self, enable, zone, proto, port, destination=None):
add_del = { True: "-A", False: "-D" }[enable]
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone)
rule = [ add_del, "%s_allow" % (target), "-t", "filter", "-p", proto ]
if port:
rule += [ "--dport", "%s" % portStr(port) ]
if destination:
rule += [ "-d", destination ]
rule += [ "-m", "conntrack", "--ctstate", "NEW" ]
rule += [ "-j", "ACCEPT" ]
return rule
def build_zone_helper_ports_rules(self, enable, zone, proto, port,
destination, helper_name):
add_del = {True: "-A", False: "-D"}[enable]
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
zone=zone)
rule = [add_del, "%s_allow" % (target), "-t", "raw", "-p", proto]
if port:
rule += ["--dport", "%s" % portStr(port)]
if destination:
rule += ["-d", destination]
rule += ["-j", "CT", "--helper", helper_name]
return [rule]
def build_zone_helper_ports_rule(self, enable, zone, proto, port,
destination, helper_name):
add_del = { True: "-A", False: "-D" }[enable]
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
zone=zone)
rule = [ add_del, "%s_allow" % (target), "-t", "raw", "-p", proto ]
if port:
rule += [ "--dport", "%s" % portStr(port) ]
if destination:
rule += [ "-d", destination ]
rule += [ "-j", "CT", "--helper", helper_name ]
return rule
def build_zone_source_address_rules(self, enable, zone, zone_target,
address, table, chain):
add_del = {True: "-A", False: "-D"}[enable]
opt = {
"PREROUTING": "-s",
"POSTROUTING": "-d",
"INPUT": "-s",
"FORWARD_IN": "-s",
"FORWARD_OUT": "-d",
"OUTPUT": "-d",
}[chain]
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
if zone_target == DEFAULT_ZONE_TARGET:
action = "-g"
else:
action = "-j"
if address.startswith("ipset:"):
name = address[6:]
if opt == "-d":
opt = "dst"
else:
opt = "src"
flags = ",".join([opt] * self._fw.ipset.get_dimension(name))
rule = [
add_del,
"%s_ZONES_SOURCE" % chain, "-t", table, "-m", "set",
"--match-set", name, flags, action, target
]
else:
if check_mac(address):
# outgoing can not be set
if opt == "-d":
return ""
rule = [
add_del,
"%s_ZONES_SOURCE" % chain, "-t", table, "-m", "mac",
"--mac-source",
address.upper(), action, target
]
else:
rule = [
add_del,
"%s_ZONES_SOURCE" % chain, "-t", table, opt, address,
action, target
]
return [rule]
def build_zone_rich_source_destination_rules(self, enable, zone, rich_rule):
table = "filter"
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
zone=zone)
rule_fragment = []
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
rules = []
rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment))
rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment))
rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment))
return rules
def build_zone_chain_rules(self, zone, table, chain):
_zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
OUR_CHAINS[table].update(
set([
_zone,
"%s_log" % _zone,
"%s_deny" % _zone,
"%s_allow" % _zone
]))
rules = []
rules.append(["-N", _zone, "-t", table])
rules.append(["-N", "%s_log" % _zone, "-t", table])
rules.append(["-N", "%s_deny" % _zone, "-t", table])
rules.append(["-N", "%s_allow" % _zone, "-t", table])
rules.append(["-I", _zone, "1", "-t", table, "-j", "%s_log" % _zone])
rules.append(["-I", _zone, "2", "-t", table, "-j", "%s_deny" % _zone])
rules.append(["-I", _zone, "3", "-t", table, "-j", "%s_allow" % _zone])
# Handle trust, block and drop zones:
# Add an additional rule with the zone target (accept, reject
# or drop) to the base zone only in the filter table.
# Otherwise it is not be possible to have a zone with drop
# target, that is allowing traffic that is locally initiated
# or that adds additional rules. (RHBZ#1055190)
target = self._fw.zone._zones[zone].target
if table == "filter" and \
target in [ "ACCEPT", "REJECT", "%%REJECT%%", "DROP" ] and \
chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
rules.append(["-I", _zone, "4", "-t", table, "-j", target])
if self._fw.get_log_denied() != "off":
if table == "filter" and \
chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
if target in ["REJECT", "%%REJECT%%"]:
rules.append([
"-I", _zone, "4", "-t", table, "%%LOGTYPE%%", "-j",
"LOG", "--log-prefix",
"\"%s_REJECT: \"" % _zone
])
if target == "DROP":
rules.append([
"-I", _zone, "4", "-t", table, "%%LOGTYPE%%", "-j",
"LOG", "--log-prefix",
"\"%s_DROP: \"" % _zone
])
return rules
def build_zone_source_ports_rule(self,
enable,
zone,
proto,
port,
destination=None):
add_del = {True: "-A", False: "-D"}[enable]
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
zone=zone)
rule = [add_del, "%s_allow" % (target), "-t", "filter", "-p", proto]
if port:
rule += ["--sport", "%s" % portStr(port)]
if destination:
rule += ["-d", destination]
rule += ["-m", "conntrack", "--ctstate", "NEW"]
rule += ["-j", "ACCEPT"]
return rule
def build_zone_source_address(self, enable, zone, zone_target, address,
table, chain):
add_del = { True: "-A", False: "-D" }[enable]
opt = {
"PREROUTING": "-s",
"POSTROUTING": "-d",
"INPUT": "-s",
"FORWARD_IN": "-s",
"FORWARD_OUT": "-d",
"OUTPUT": "-d",
}[chain]
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
if zone_target == DEFAULT_ZONE_TARGET:
action = "-g"
else:
action = "-j"
if address.startswith("ipset:"):
name = address[6:]
if opt == "-d":
opt = "dst"
else:
opt = "src"
flags = ",".join([opt] * self._fw.ipset.get_dimension(name))
rule = [ add_del,
"%s_ZONES_SOURCE" % chain, "-t", table,
"-m", "set", "--match-set", name,
flags, action, target ]
else:
if check_mac(address):
# outgoing can not be set
if opt == "-d":
return ""
rule = [ add_del,
"%s_ZONES_SOURCE" % chain, "-t", table,
"-m", "mac", "--mac-source", address.upper(),
action, target ]
else:
rule = [ add_del,
"%s_ZONES_SOURCE" % chain, "-t", table,
opt, address, action, target ]
return rule
def build_zone_chain_rules(self, zone, table, chain):
_zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
OUR_CHAINS[table].update(set([_zone,
"%s_log" % _zone,
"%s_deny" % _zone,
"%s_allow" % _zone]))
rules = []
rules.append([ "-N", _zone, "-t", table ])
rules.append([ "-N", "%s_log" % _zone, "-t", table ])
rules.append([ "-N", "%s_deny" % _zone, "-t", table ])
rules.append([ "-N", "%s_allow" % _zone, "-t", table ])
rules.append([ "-I", _zone, "1", "-t", table, "-j", "%s_log" % _zone ])
rules.append([ "-I", _zone, "2", "-t", table, "-j", "%s_deny" % _zone ])
rules.append([ "-I", _zone, "3", "-t", table, "-j", "%s_allow" % _zone ])
# Handle trust, block and drop zones:
# Add an additional rule with the zone target (accept, reject
# or drop) to the base zone only in the filter table.
# Otherwise it is not be possible to have a zone with drop
# target, that is allowing traffic that is locally initiated
# or that adds additional rules. (RHBZ#1055190)
target = self._fw.zone._zones[zone].target
if table == "filter" and \
target in [ "ACCEPT", "REJECT", "%%REJECT%%", "DROP" ] and \
chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
rules.append([ "-I", _zone, "4", "-t", table, "-j", target ])
if self._fw.get_log_denied() != "off":
if table == "filter" and \
chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
if target in [ "REJECT", "%%REJECT%%" ]:
rules.append([ "-I", _zone, "4", "-t", table, "%%LOGTYPE%%",
"-j", "LOG", "--log-prefix",
"\"%s_REJECT: \"" % _zone ])
if target == "DROP":
rules.append([ "-I", _zone, "4", "-t", table, "%%LOGTYPE%%",
"-j", "LOG", "--log-prefix",
"\"%s_DROP: \"" % _zone ])
return rules
