def _loader(self, path, reader_type, combine=False):
# combine: several zone files are getting combined into one obj
if not os.path.isdir(path):
return
if combine:
if path.startswith(config.ETC_FIREWALLD) and reader_type == "zone":
combined_zone = Zone()
combined_zone.name = os.path.basename(path)
combined_zone.check_name(combined_zone.name)
combined_zone.path = path
combined_zone.default = False
else:
combine = False
for filename in sorted(os.listdir(path)):
if not filename.endswith(".xml"):
if path.startswith(config.ETC_FIREWALLD) and \
reader_type == "zone" and \
os.path.isdir("%s/%s" % (path, filename)):
self._loader("%s/%s" % (path, filename),
reader_type,
combine=True)
continue
name = "%s/%s" % (path, filename)
log.debug1("Loading %s file '%s'", reader_type, name)
try:
if reader_type == "icmptype":
obj = icmptype_reader(filename, path)
if obj.name in self.icmptype.get_icmptypes():
orig_obj = self.icmptype.get_icmptype(obj.name)
log.debug1(" Overloads %s '%s' ('%s/%s')",
reader_type, orig_obj.name, orig_obj.path,
orig_obj.filename)
self.icmptype.remove_icmptype(orig_obj.name)
elif obj.path.startswith(config.ETC_FIREWALLD):
obj.default = True
try:
self.icmptype.add_icmptype(obj)
except FirewallError as error:
log.info1("%s: %s, ignoring for run-time." % \
(obj.name, str(error)))
# add a deep copy to the configuration interface
self.config.add_icmptype(copy.deepcopy(obj))
elif reader_type == "service":
obj = service_reader(filename, path)
if obj.name in self.service.get_services():
orig_obj = self.service.get_service(obj.name)
log.debug1(" Overloads %s '%s' ('%s/%s')",
reader_type, orig_obj.name, orig_obj.path,
orig_obj.filename)
self.service.remove_service(orig_obj.name)
elif obj.path.startswith(config.ETC_FIREWALLD):
obj.default = True
self.service.add_service(obj)
# add a deep copy to the configuration interface
self.config.add_service(copy.deepcopy(obj))
elif reader_type == "zone":
obj = zone_reader(filename, path, no_check_name=combine)
if combine:
# Change name for permanent configuration
obj.name = "%s/%s" % (os.path.basename(path),
os.path.basename(filename)[0:-4])
obj.check_name(obj.name)
# Copy object before combine
config_obj = copy.deepcopy(obj)
if obj.name in self.zone.get_zones():
orig_obj = self.zone.get_zone(obj.name)
self.zone.remove_zone(orig_obj.name)
if orig_obj.combined:
log.debug1(" Combining %s '%s' ('%s/%s')",
reader_type, obj.name, path, filename)
obj.combine(orig_obj)
else:
log.debug1(" Overloads %s '%s' ('%s/%s')",
reader_type, orig_obj.name,
orig_obj.path, orig_obj.filename)
elif obj.path.startswith(config.ETC_FIREWALLD):
obj.default = True
config_obj.default = True
self.config.add_zone(config_obj)
if combine:
log.debug1(" Combining %s '%s' ('%s/%s')",
reader_type, combined_zone.name, path,
filename)
combined_zone.combine(obj)
else:
self.zone.add_zone(obj)
elif reader_type == "ipset":
obj = ipset_reader(filename, path)
if obj.name in self.ipset.get_ipsets():
orig_obj = self.ipset.get_ipset(obj.name)
log.debug1(" Overloads %s '%s' ('%s/%s')",
reader_type, orig_obj.name, orig_obj.path,
orig_obj.filename)
self.ipset.remove_ipset(orig_obj.name)
elif obj.path.startswith(config.ETC_FIREWALLD):
obj.default = True
try:
self.ipset.add_ipset(obj)
except FirewallError as error:
log.warning("%s: %s, ignoring for run-time." % \
(obj.name, str(error)))
# add a deep copy to the configuration interface
self.config.add_ipset(copy.deepcopy(obj))
elif reader_type == "helper":
obj = helper_reader(filename, path)
if obj.name in self.helper.get_helpers():
orig_obj = self.helper.get_helper(obj.name)
log.debug1(" Overloads %s '%s' ('%s/%s')",
reader_type, orig_obj.name, orig_obj.path,
orig_obj.filename)
self.helper.remove_helper(orig_obj.name)
elif obj.path.startswith(config.ETC_FIREWALLD):
obj.default = True
self.helper.add_helper(obj)
# add a deep copy to the configuration interface
self.config.add_helper(copy.deepcopy(obj))
else:
log.fatal("Unknown reader type %s", reader_type)
except FirewallError as msg:
log.error("Failed to load %s file '%s': %s", reader_type, name,
msg)
except Exception:
log.error("Failed to load %s file '%s':", reader_type, name)
log.exception()
if combine and combined_zone.combined:
if combined_zone.name in self.zone.get_zones():
orig_obj = self.zone.get_zone(combined_zone.name)
log.debug1(" Overloading and deactivating %s '%s' ('%s/%s')",
reader_type, orig_obj.name, orig_obj.path,
orig_obj.filename)
try:
self.zone.remove_zone(combined_zone.name)
except Exception:
pass
self.config.forget_zone(combined_zone.name)
self.zone.add_zone(combined_zone)
def _loader(self, path, reader_type, combine=False):
# combine: several zone files are getting combined into one obj
if not os.path.isdir(path):
return
if combine:
if path.startswith(ETC_FIREWALLD) and reader_type == "zone":
combined_zone = Zone()
combined_zone.name = os.path.basename(path)
combined_zone.check_name(combined_zone.name)
combined_zone.path = path
combined_zone.default = False
else:
combine = False
for filename in sorted(os.listdir(path)):
if not filename.endswith(".xml"):
if path.startswith(ETC_FIREWALLD) and \
reader_type == "zone" and \
os.path.isdir("%s/%s" % (path, filename)):
self._loader("%s/%s" % (path, filename), reader_type,
combine=True)
continue
name = "%s/%s" % (path, filename)
log.debug1("Loading %s file '%s'", reader_type, name)
try:
if reader_type == "icmptype":
obj = icmptype_reader(filename, path)
if obj.name in self.icmptype.get_icmptypes():
orig_obj = self.icmptype.get_icmptype(obj.name)
log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type,
orig_obj.name, orig_obj.path,
orig_obj.filename)
self.icmptype.remove_icmptype(orig_obj.name)
self.icmptype.add_icmptype(obj)
# add a deep copy to the configuration interface
self.config.add_icmptype(copy.deepcopy(obj))
elif reader_type == "service":
obj = service_reader(filename, path)
if obj.name in self.service.get_services():
orig_obj = self.service.get_service(obj.name)
log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type,
orig_obj.name, orig_obj.path,
orig_obj.filename)
self.service.remove_service(orig_obj.name)
self.service.add_service(obj)
# add a deep copy to the configuration interface
self.config.add_service(copy.deepcopy(obj))
elif reader_type == "zone":
obj = zone_reader(filename, path)
if combine:
# Change name for permanent configuration
obj.name = "%s/%s" % (
os.path.basename(path),
os.path.basename(filename)[0:-4])
obj.check_name(obj.name)
# Copy object before combine
config_obj = copy.deepcopy(obj)
if obj.name in self.zone.get_zones():
orig_obj = self.zone.get_zone(obj.name)
self.zone.remove_zone(orig_obj.name)
if orig_obj.combined:
log.debug1(" Combining %s '%s' ('%s/%s')",
reader_type, obj.name,
path, filename)
obj.combine(orig_obj)
else:
log.debug1(" Overloads %s '%s' ('%s/%s')",
reader_type,
orig_obj.name, orig_obj.path,
orig_obj.filename)
self.config.add_zone(config_obj)
if combine:
log.debug1(" Combining %s '%s' ('%s/%s')",
reader_type, combined_zone.name,
path, filename)
combined_zone.combine(obj)
else:
self.zone.add_zone(obj)
elif reader_type == "ipset":
obj = ipset_reader(filename, path)
if obj.name in self.ipset.get_ipsets():
orig_obj = self.ipset.get_ipset(obj.name)
log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type,
orig_obj.name, orig_obj.path,
orig_obj.filename)
self.ipset.remove_ipset(orig_obj.name)
self.ipset.add_ipset(obj)
# add a deep copy to the configuration interface
self.config.add_ipset(copy.deepcopy(obj))
else:
log.fatal("Unknown reader type %s", reader_type)
except FirewallError as msg:
log.error("Failed to load %s file '%s': %s", reader_type,
name, msg)
except Exception as msg:
log.error("Failed to load %s file '%s':", reader_type, name)
log.exception()
if combine and combined_zone.combined:
if combined_zone.name in self.zone.get_zones():
orig_obj = self.zone.get_zone(combined_zone.name)
log.debug1(" Overloading and deactivating %s '%s' ('%s/%s')",
reader_type, orig_obj.name, orig_obj.path,
orig_obj.filename)
try:
self.zone.remove_zone(combined_zone.name)
except:
pass
self.config.forget_zone(combined_zone.name)
self.zone.add_zone(combined_zone)
def update_ipset_from_path(self, name):
filename = os.path.basename(name)
path = os.path.dirname(name)
if not os.path.exists(name):
# removed file
if path == config.ETC_FIREWALLD_IPSETS:
# removed custom ipset
for x in self._ipsets.keys():
obj = self._ipsets[x]
if obj.filename == filename:
del self._ipsets[x]
if obj.name in self._builtin_ipsets:
return ("update", self._builtin_ipsets[obj.name])
return ("remove", obj)
else:
# removed builtin ipset
for x in self._builtin_ipsets.keys():
obj = self._builtin_ipsets[x]
if obj.filename == filename:
del self._builtin_ipsets[x]
if obj.name not in self._ipsets:
# update dbus ipset
return ("remove", obj)
else:
# builtin hidden, no update needed
return (None, None)
# ipset not known to firewalld, yet (timeout, ..)
return (None, None)
# new or updated file
log.debug1("Loading ipset file '%s'", name)
try:
obj = ipset_reader(filename, path)
except Exception as msg:
log.error("Failed to load ipset file '%s': %s", filename, msg)
return (None, None)
# new ipset
if obj.name not in self._builtin_ipsets and obj.name not in self._ipsets:
self.add_ipset(obj)
return ("new", obj)
# updated ipset
if path == config.ETC_FIREWALLD_IPSETS:
# custom ipset update
if obj.name in self._ipsets:
obj.default = self._ipsets[obj.name].default
self._ipsets[obj.name] = obj
return ("update", obj)
else:
if obj.name in self._builtin_ipsets:
# builtin ipset update
del self._builtin_ipsets[obj.name]
self._builtin_ipsets[obj.name] = obj
if obj.name not in self._ipsets:
# update dbus ipset
return ("update", obj)
else:
# builtin hidden, no update needed
return (None, None)
# ipset not known to firewalld, yet (timeout, ..)
return (None, None)
def update_ipset_from_path(self, name):
filename = os.path.basename(name)
path = os.path.dirname(name)
if not os.path.exists(name):
# removed file
if path == config.ETC_FIREWALLD_IPSETS:
# removed custom ipset
for x in self._ipsets.keys():
obj = self._ipsets[x]
if obj.filename == filename:
del self._ipsets[x]
if obj.name in self._builtin_ipsets:
return ("update", self._builtin_ipsets[obj.name])
return ("remove", obj)
else:
# removed builtin ipset
for x in self._builtin_ipsets.keys():
obj = self._builtin_ipsets[x]
if obj.filename == filename:
del self._builtin_ipsets[x]
if obj.name not in self._ipsets:
# update dbus ipset
return ("remove", obj)
else:
# builtin hidden, no update needed
return (None, None)
# ipset not known to firewalld, yet (timeout, ..)
return (None, None)
# new or updated file
log.debug1("Loading ipset file '%s'", name)
try:
obj = ipset_reader(filename, path)
except Exception as msg:
log.error("Failed to load ipset file '%s': %s", filename, msg)
return (None, None)
# new ipset
if obj.name not in self._builtin_ipsets and obj.name not in self._ipsets:
self.add_ipset(obj)
return ("new", obj)
# updated ipset
if path == config.ETC_FIREWALLD_IPSETS:
# custom ipset update
if obj.name in self._ipsets:
obj.default = self._ipsets[obj.name].default
self._ipsets[obj.name] = obj
return ("update", obj)
else:
if obj.name in self._builtin_ipsets:
# builtin ipset update
del self._builtin_ipsets[obj.name]
self._builtin_ipsets[obj.name] = obj
if obj.name not in self._ipsets:
# update dbus ipset
return ("update", obj)
else:
# builtin hidden, no update needed
return (None, None)
# ipset not known to firewalld, yet (timeout, ..)
return (None, None)
def update_ipset_from_path(self, name):
filename = os.path.basename(name)
path = os.path.dirname(name)
if not os.path.exists(name):
# removed file
if path == ETC_FIREWALLD_IPSETS:
# removed custom ipset
for x in self._ipsets.keys():
obj = self._ipsets[x]
if obj.filename == filename:
del self._ipsets[x]
if obj.name in self._builtin_ipsets:
return ("update", self._builtin_ipsets[obj.name])
return ("remove", obj)
else:
# removed builtin ipset
for x in self._builtin_ipsets.keys():
obj = self._builtin_ipsets[x]
if obj.filename == filename:
del self._builtin_ipsets[x]
if obj.name not in self._ipsets:
# update dbus ipset
return ("remove", obj)
else:
# builtin hidden, no update needed
return (None, None)
# ipset not known to firewalld, yet (timeout, ..)
return (None, None)
# new or updated file
obj = ipset_reader(filename, path)
# new ipset
if obj.name not in self._builtin_ipsets and obj.name not in self._ipsets:
self.add_ipset(obj)
return ("new", obj)
# updated ipset
if path == ETC_FIREWALLD_IPSETS:
# custom ipset update
if obj.name in self._ipsets:
self._ipsets[obj.name] = obj
return ("update", obj)
else:
if obj.name in self._builtin_ipsets:
# builtin ipset update
del self._builtin_ipsets[obj.name]
self._builtin_ipsets[obj.name] = obj
if obj.name not in self._ipsets:
# update dbus ipset
return ("update", obj)
else:
# builtin hidden, no update needed
return (None, None)
# ipset not known to firewalld, yet (timeout, ..)
return (None, None)
def update_ipset_from_path(self, name):
filename = os.path.basename(name)
path = os.path.dirname(name)
if not os.path.exists(name):
# removed file
if path == ETC_FIREWALLD_IPSETS:
# removed custom ipset
for x in self._ipsets.keys():
obj = self._ipsets[x]
if obj.filename == filename:
del self._ipsets[x]
if obj.name in self._default_ipsets:
return ("update", self._default_ipsets[obj.name])
return ("remove", obj)
else:
# removed builtin ipset
for x in self._default_ipsets.keys():
obj = self._default_ipsets[x]
if obj.filename == filename:
del self._default_ipsets[x]
if obj.name not in self._ipsets:
# update dbus ipset
return ("remove", obj)
else:
# builtin hidden, no update needed
return (None, None)
# ipset not known to firewalld, yet (timeout, ..)
return (None, None)
# new or updated file
obj = ipset_reader(filename, path)
# new ipset
if obj.name not in self._default_ipsets and obj.name not in self._ipsets:
self.add_ipset(obj)
return ("new", obj)
# updated ipset
if path == ETC_FIREWALLD_IPSETS:
# custom ipset update
if obj.name in self._ipsets:
self._ipsets[obj.name] = obj
return ("update", obj)
else:
if obj.name in self._default_ipsets:
# builtin ipset update
del self._default_ipsets[obj.name]
self._default_ipsets[obj.name] = obj
if obj.name not in self._ipsets:
# update dbus ipset
return ("update", obj)
else:
# builtin hidden, no update needed
return (None, None)
# ipset not known to firewalld, yet (timeout, ..)
return (None, None)