def _apply_default_rules(self): for ipv in [ "ipv4", "ipv6", "eb" ]: self.__apply_default_rules(ipv) if self.ipv6_rpfilter_enabled and \ self.is_table_available("ipv6", "raw"): # here is no check for ebtables.restore_noflush_option needed # as ebtables is not used in here rules = [ ("ipv6", [ "PREROUTING", 1, "-t", "raw", "-p", "icmpv6", "--icmpv6-type=router-advertisement", "-j", "ACCEPT" ]), # RHBZ#1058505 ("ipv6", [ "PREROUTING", 2, "-t", "raw", "-m", "rpfilter", "--invert", "-j", "DROP" ]), ] if self._log_denied != "off": rules.append(("ipv6", [ "PREROUTING", 2, "-t", "raw", "-m", "rpfilter", "--invert", "-j", "LOG", "--log-prefix", "rpfilter_DROP: " ])) # handle rules ret = self.handle_rules(rules, True, insert=True) if ret: (cleanup_rules, msg) = ret self.handle_rules(cleanup_rules, False) log.error(msg)
def readfile(filename): try: with open(filename, "r") as f: return f.readlines() except Exception as e: log.error('Failed to read file "%s": %s' % (filename, e)) return None
def handle_rules2(self, rules, enable, insert=False): if insert: append_delete = { True: "-I", False: "-D", } else: append_delete = { True: "-A", False: "-D", } # appends rules # returns None if all worked, else (cleanup rules, error message) for i,value in enumerate(rules): if len(value) == 5: (ipv, table, chain, rule, insert) = value else: (ipv, table, chain, rule) = value # drop insert rule number if it exists if insert and not enable and isinstance(rule[1], int): rule.pop(1) if not self.is_table_available(ipv, table): if ((ipv == "ipv4" and self.ip4tables_enabled) or (ipv == "ipv6" and self.ip6tables_enabled)): log.error("Unable to add %s into %s %s" % (rule, ipv, table)) continue # run try: self.rule(ipv, [ "-t", table, append_delete[enable], chain, ] + rule) except Exception as msg: log.error(msg) return (rules[:i], msg) # cleanup rules and error message return None
def read(self): self.clear() try: f = open(self.filename, "r") except Exception as msg: log.error("Failed to load '%s': %s", self.filename, msg) raise for line in f: if not line: break line = line.strip() if len(line) < 1 or line[0] in ['#', ';']: continue # get key/value pair pair = [ x.strip() for x in line.split("=", 1) ] if len(pair) != 2: log.warning("%: Invalid option definition: '%s'", self.filename, line.strip()) continue elif pair[1] == '': continue elif self._config.get(pair[0]) is not None: log.warning("%s: Duplicate option definition: '%s'", self.filename, line.strip()) continue self._config[pair[0]] = pair[1] f.close()
def run_server(debug_gc=False): """ Main function for firewall server. Handles D-Bus and GLib mainloop. """ service = None if debug_gc: from pprint import pformat import gc gc.enable() gc.set_debug(gc.DEBUG_LEAK) gc_timeout = 10 def gc_collect(): gc.collect() if len(gc.garbage) > 0: print("\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>" ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n") print("GARBAGE OBJECTS (%d):\n" % len(gc.garbage)) for x in gc.garbage: print(type(x),"\n ",) print(pformat(x)) print("\n<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<" "<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n") id = GLib.timeout_add_seconds(gc_timeout, gc_collect) try: dbus.mainloop.glib.DBusGMainLoop(set_as_default=True) bus = dbus.SystemBus() name = dbus.service.BusName(config.dbus.DBUS_INTERFACE, bus=bus) service = FirewallD(name, config.dbus.DBUS_PATH) mainloop = GLib.MainLoop() slip.dbus.service.set_mainloop(mainloop) if debug_gc: id = GLib.timeout_add_seconds(gc_timeout, gc_collect) # use unix_signal_add if available, else unix_signal_add_full if hasattr(GLib, 'unix_signal_add'): unix_signal_add = GLib.unix_signal_add else: unix_signal_add = GLib.unix_signal_add_full unix_signal_add(GLib.PRIORITY_HIGH, signal.SIGHUP, sighup, service) unix_signal_add(GLib.PRIORITY_HIGH, signal.SIGTERM, sigterm, mainloop) mainloop.run() except KeyboardInterrupt as e: log.debug1("Stopping..") except SystemExit as e: log.error("Raising SystemExit in run_server") except Exception as e: log.error("Exception %s: %s", e.__class__.__name__, str(e)) if service: service.stop()
def tempFile(): try: return tempfile.NamedTemporaryFile(mode='wt', prefix="temp.", dir=FIREWALLD_TEMPDIR, delete=False) except Exception as msg: log.error("Failed to create temporary file: %s" % msg) raise return None
def remove_ipset(self, name): obj = self._ipsets[name] try: self._fw._ipset.destroy(name) except Exception as msg: log.error("Failed to destroy ipset '%s'" % name) log.error(msg) del self._ipsets[name]
def writefile(filename, line): try: with open(filename, "w") as f: f.write(line) except Exception as e: log.error('Failed to write to file "%s": %s' % (filename, e)) return False return True
def post(self): log.debug4("%s.post()" % type(self)) for (func, args) in self.post_funcs: try: func(*args) except Exception as msg: log.error("Calling post func %s(%s) failed: %s" % \ (func, args, msg))
def handle_exceptions(func, *args, **kwargs): """Decorator to handle exceptions and log them. Used if not conneced to D-Bus. """ try: return func(*args, **kwargs) except FirewallError as error: log.error(error) except Exception as msg: log.exception()
def remove_ipset(self, name, keep=False): obj = self._ipsets[name] if obj.applied and not keep: try: self._fw.ipset_backend.destroy(name) except Exception as msg: log.error("Failed to destroy ipset '%s'" % name) log.error(msg) else: log.debug1("Keeping ipset '%s' because of timeout option", name) del self._ipsets[name]
def _start_check(self): try: x = self.ipset_backend.list() except: log.error("ipset not usable, disabling ipset usage in firewall.") # ipset is not usable, no supported types self.ipset_enabled = False self.ipset_supported_types = [ ] else: # ipset is usable, get all supported types self.ipset_supported_types = self.ipset_backend.supported_types()
def tempFile(): try: if not os.path.exists(FIREWALLD_TEMPDIR): os.mkdir(FIREWALLD_TEMPDIR, 0o750) return tempfile.NamedTemporaryFile(mode='wt', prefix="temp.", dir=FIREWALLD_TEMPDIR, delete=False) except Exception as msg: log.error("Failed to create temporary file: %s" % msg) raise return None
def available_tables(self, table=None): ret = [] tables = [ table ] if table else CHAINS.keys() for table in tables: try: self.__run(["-t", table, "-L"]) ret.append(table) except ValueError: log.error("%s table '%s' does not exist (or not enough permission to check)." % (self.ipv, table)) return ret
def handle_chains(self, rules, enable): new_delete = { True: "-N", False: "-X" } # appends chains # returns None if all worked, else (cleanup chains, error message) for i,(ipv, rule) in enumerate(rules): try: self.rule(ipv, [ new_delete[enable], ] + rule) except Exception as msg: log.error(msg) return (rules[:i], msg) # cleanup chains and error message return None
def set_entries(self, ipset, entries, sender=None): obj = self.get_ipset(ipset) if "timeout" in obj.options: # no entries visible for ipsets with timeout raise FirewallError(IPSET_WITH_TIMEOUT, ipset) for entry in entries: IPSet.check_entry(entry, obj.options, obj.type) for entry in obj.entries: try: self._fw._ipset.remove(obj.name, entry) except Exception as msg: log.error("Failed to remove entry '%s' from ipset '%s'" % \ (entry, obj.name)) log.error(msg) obj.entries.clear() for entry in entries: try: self._fw._ipset.add(obj.name, entry) except Exception as msg: log.error("Failed to remove entry '%s' from ipset '%s'" % \ (entry, obj.name)) log.error(msg) else: obj.entries.append(entry)
def startElement(self, name, attrs): IO_Object_ContentHandler.startElement(self, name, attrs) self.item.parser_check_element_attrs(name, attrs) if name == "direct": if self.direct: raise FirewallError(errors.PARSE_ERROR, "More than one direct tag.") self.direct = True elif name == "chain": if not self.direct: log.error("Parse Error: chain outside of direct") return ipv = attrs["ipv"] table = attrs["table"] chain = attrs["chain"] self.item.add_chain(u2b_if_py2(ipv), u2b_if_py2(table), u2b_if_py2(chain)) elif name == "rule": if not self.direct: log.error("Parse Error: rule outside of direct") return ipv = attrs["ipv"] if ipv not in [ "ipv4", "ipv6", "eb" ]: raise FirewallError(errors.INVALID_IPV, "'%s' not from {'ipv4'|'ipv6'|'eb'}" % ipv) table = attrs["table"] chain = attrs["chain"] try: priority = int(attrs["priority"]) except ValueError: log.error("Parse Error: %s is not a valid priority" % attrs["priority"]) return self._rule = [ u2b_if_py2(ipv), u2b_if_py2(table), u2b_if_py2(chain), priority ] elif name == "passthrough": if not self.direct: log.error("Parse Error: command outside of direct") return ipv = attrs["ipv"] self._passthrough = [ u2b_if_py2(ipv) ] else: log.error('Unknown XML element %s' % name) return
def flush(self, transaction=None): tables = self.used_tables() for table in tables: # Flush firewall rules: -F # Delete firewall chains: -X # Set counter to zero: -Z msgs = {"-F": "flush", "-X": "delete chains", "-Z": "zero counters"} for flag in ["-F", "-X", "-Z"]: if transaction is not None: transaction.add_rule(self.ipv, ["-t", table, flag]) else: try: self.__run(["-t", table, flag]) except Exception as msg: log.error("Failed to %s %s: %s", msgs[flag], self.ipv, msg)
def set_policy(self, policy, which="used", transaction=None): if which == "used": tables = self.used_tables() else: tables = list(BUILT_IN_CHAINS.keys()) for table in tables: for chain in BUILT_IN_CHAINS[table]: if transaction is not None: transaction.add_rule(self.ipv, ["-t", table, "-P", chain, policy]) else: try: self.__run(["-t", table, "-P", chain, policy]) except Exception as msg: log.error("Failed to set policy for %s: %s", self.ipv, msg)
def set_policy(self, policy, which="used", use_transaction=None): if use_transaction is None: transaction = FirewallTransaction(self) else: transaction = use_transaction log.debug1("Setting policy to '%s'", policy) for ipv in self.enabled_backends(): try: self.get_ipv_backend(ipv).set_policy(policy, which, transaction) except Exception as e: log.error("Failed to set policy of %s firewall: %s" % (ipv, e)) if use_transaction is None: transaction.execute(True)
def flush(self, use_transaction=None): if use_transaction is None: transaction = FirewallTransaction(self) else: transaction = use_transaction log.debug1("Flushing rule set") for ipv in self.enabled_backends(): try: self.get_ipv_backend(ipv).flush(transaction) except Exception as e: log.error("Failed to flush %s firewall: %s" % (ipv, e)) if use_transaction is None: transaction.execute(True)
def _remove_service(self, obj): if obj.name not in self._services: raise FirewallError(errors.INVALID_SERVICE, obj.name) if obj.path != config.ETC_FIREWALLD_SERVICES: raise FirewallError(errors.INVALID_DIRECTORY, "'%s' != '%s'" % \ (obj.path, config.ETC_FIREWALLD_SERVICES)) name = "%s/%s.xml" % (obj.path, obj.name) try: shutil.move(name, "%s.old" % name) except Exception as msg: log.error("Backup of file '%s' failed: %s", name, msg) os.remove(name) del self._services[obj.name]
def _remove_zone(self, obj): if obj.name not in self._zones: raise FirewallError(errors.INVALID_ZONE, obj.name) if not obj.path.startswith(config.ETC_FIREWALLD_ZONES): raise FirewallError(errors.INVALID_DIRECTORY, "'%s' doesn't start with '%s'" % \ (obj.path, config.ETC_FIREWALLD_ZONES)) name = "%s/%s.xml" % (obj.path, obj.name) try: shutil.move(name, "%s.old" % name) except Exception as msg: log.error("Backup of file '%s' failed: %s", name, msg) os.remove(name) del self._zones[obj.name]
def endElement(self, name): IO_Object_ContentHandler.endElement(self, name) if name == "rule": if not self._rule_error: try: self._rule.check() except Exception as e: log.error("%s: %s" % (e, str(self._rule))) self._rule_error = True if self._rule_error and self._rule in self.item.rules: self.item.rules.remove(self._rule) self._rule = None self._rule_error = False elif name in [ "accept", "reject", "drop", "log", "audit" ]: self._limit_ok = None
def dbus_handle_exceptions(func, *args, **kwargs): """Decorator to handle exceptions, log and report them into D-Bus :Raises DBusException: on a firewall error code problems. """ try: return func(*args, **kwargs) except FirewallError as error: log.error(str(error)) raise FirewallDBusException(str(error)) except DBusException as e: # only log DBusExceptions once raise e except Exception as e: log.exception() raise FirewallDBusException(str(e))
def _check_tables(self): # check if iptables, ip6tables and ebtables are usable, else disable if "filter" not in ipXtables.ip4tables_available_tables: log.warning("iptables not usable, disabling IPv4 firewall.") self.ip4tables_enabled = False if "filter" not in ipXtables.ip6tables_available_tables: log.warning("ip6tables not usable, disabling IPv6 firewall.") self.ip6tables_enabled = False if "filter" not in ebtables.ebtables_available_tables: log.error("ebtables not usable, disabling ethernet bridge firewall.") self.ebtables_enabled = False if not self.ip4tables_enabled and not self.ip6tables_enabled: log.fatal("No IPv4 and IPv6 firewall.") sys.exit(1)
def prepare(self, enable, rules=None, modules=None): log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "...")) rules, modules = super(FirewallTransaction, self).prepare( enable, rules, modules) for zone in self.zone_transactions: try: self.zone_transactions[zone].prepare(enable, rules) for module in self.zone_transactions[zone].modules: if module not in modules: modules.append(module) except FirewallError as msg: log.error("Failed to prepare transaction rules for zone '%s'", str(msg)) return rules, modules
def set_policy(self, policy, which="used", individual=False): if which == "used": tables = self.used_tables() else: tables = list(BUILT_IN_CHAINS.keys()) rules = [ ] for table in tables: for chain in BUILT_IN_CHAINS[table]: if individual: try: self.__run([ "-t", table, "-P", chain, policy ]) except Exception as msg: log.error("Failed to set policy for %s: %s", ipv, msg) else: rules.append([ "-t", table, "-P", chain, policy ]) if len(rules) > 0: self.set_rules(rules)
def startElement(self, name, attrs): self.item.parser_check_element_attrs(name, attrs) if name == "direct": if self.direct: raise FirewallError(PARSE_ERROR, "More than one direct tag.") self.direct = True elif name == "chain": if not self.direct: log.error("Parse Error: chain outside of direct") return ipv = str(attrs["ipv"]) table = str(attrs["table"]) chain = str(attrs["chain"]) self.item.add_chain(ipv, table, chain) elif name == "rule": if not self.direct: log.error("Parse Error: rule outside of direct") return ipv = str(attrs["ipv"]) if ipv not in [ "ipv4", "ipv6", "eb" ]: raise FirewallError(INVALID_IPV, ipv) table = str(attrs["table"]) chain = str(attrs["chain"]) try: priority = int(str(attrs["priority"])) except: log.error("Parse Error: %s is not a valid priority" % attrs["priority"]) return self._rule = [ipv, table, chain, priority] elif name == "passthrough": if not self.direct: log.error("Parse Error: command outside of direct") return ipv = str(attrs["ipv"]) self._passthrough = [ipv] else: log.error('Unknown XML element %s' % name) return
def accessCheck(self, sender): if self.config.lockdown_enabled(): if sender is None: log.error("Lockdown not possible, sender not set.") return bus = dbus.SystemBus() context = context_of_sender(bus, sender) if self.config.access_check("context", context): return uid = uid_of_sender(bus, sender) if self.config.access_check("uid", uid): return user = user_of_uid(uid) if self.config.access_check("user", user): return command = command_of_sender(bus, sender) if self.config.access_check("command", command): return raise FirewallError(ACCESS_DENIED, "lockdown is enabled")
def execute(self, enable): log.debug4("%s.execute(%s)" % (type(self), enable)) rules, modules = self.prepare(enable) # pre self.pre() # stage 1: apply rules error = False errorMsg = "" done = [] for backend_name in rules: try: self.fw.rules(backend_name, rules[backend_name]) except Exception as msg: error = True errorMsg = msg log.debug1(traceback.format_exc()) log.error(msg) else: done.append(backend_name) # stage 2: load modules if not error: module_return = self.fw.handle_modules(modules, enable) if module_return: # Debug log about issues loading modules, but don't error. The # modules may be builtin or CONFIG_MODULES=n, in which case # modprobe will fail. Or we may be running inside a container # that doesn't have sufficient privileges. Unfortunately there # is no way for us to know. (status, msg) = module_return if status: log.debug1(msg) # error case: revert rules if error: undo_rules = {} for backend_name in done: undo_rules[backend_name] = [] for rule in reversed(rules[backend_name]): undo_rules[backend_name].append( self.fw.get_backend_by_name(backend_name).reverse_rule( rule)) for backend_name in undo_rules: try: self.fw.rules(backend_name, undo_rules[backend_name]) except Exception as msg: log.debug1(traceback.format_exc()) log.error(msg) # call failure functions for (func, args) in self.fail_funcs: try: func(*args) except Exception as msg: log.debug1(traceback.format_exc()) log.error("Calling fail func %s(%s) failed: %s" % \ (func, args, msg)) raise FirewallError(errors.COMMAND_FAILED, errorMsg) # post self.post()
def helper_writer(helper, path=None): _path = path if path else helper.path if helper.filename: name = "%s/%s" % (_path, helper.filename) else: name = "%s/%s.xml" % (_path, helper.name) if os.path.exists(name): try: shutil.copy2(name, "%s.old" % name) except Exception as msg: log.error("Backup of file '%s' failed: %s", name, msg) dirpath = os.path.dirname(name) if dirpath.startswith(ETC_FIREWALLD) and not os.path.exists(dirpath): if not os.path.exists(ETC_FIREWALLD): os.mkdir(ETC_FIREWALLD, 0o750) os.mkdir(dirpath, 0o750) f = io.open(name, mode='wt', encoding='UTF-8') handler = IO_Object_XMLGenerator(f) handler.startDocument() # start helper element attrs = {} attrs["module"] = helper.module if helper.version and helper.version != "": attrs["version"] = helper.version if helper.family and helper.family != "": attrs["family"] = helper.family handler.startElement("helper", attrs) handler.ignorableWhitespace("\n") # short if helper.short and helper.short != "": handler.ignorableWhitespace(" ") handler.startElement("short", { }) handler.characters(helper.short) handler.endElement("short") handler.ignorableWhitespace("\n") # description if helper.description and helper.description != "": handler.ignorableWhitespace(" ") handler.startElement("description", { }) handler.characters(helper.description) handler.endElement("description") handler.ignorableWhitespace("\n") # ports for port in helper.ports: handler.ignorableWhitespace(" ") handler.simpleElement("port", { "port": port[0], "protocol": port[1] }) handler.ignorableWhitespace("\n") # end helper element handler.endElement('helper') handler.ignorableWhitespace("\n") handler.endDocument() f.close() del handler
def _start(self, reload=False, complete_reload=False): # initialize firewall default_zone = config.FALLBACK_ZONE # load firewalld config log.debug1("Loading firewalld config file '%s'", config.FIREWALLD_CONF) try: self._firewalld_conf.read() except Exception as msg: log.warning(msg) log.warning("Using fallback firewalld configuration settings.") else: if self._firewalld_conf.get("DefaultZone"): default_zone = self._firewalld_conf.get("DefaultZone") if self._firewalld_conf.get("CleanupOnExit"): value = self._firewalld_conf.get("CleanupOnExit") if value is not None and value.lower() in ["no", "false"]: self.cleanup_on_exit = False log.debug1("CleanupOnExit is set to '%s'", self.cleanup_on_exit) if self._firewalld_conf.get("CleanupModulesOnExit"): value = self._firewalld_conf.get("CleanupModulesOnExit") if value is not None and value.lower() in ["yes", "true"]: self.cleanup_modules_on_exit = True log.debug1("CleanupModulesOnExit is set to '%s'", self.cleanup_modules_on_exit) if self._firewalld_conf.get("Lockdown"): value = self._firewalld_conf.get("Lockdown") if value is not None and value.lower() in ["yes", "true"]: log.debug1("Lockdown is enabled") try: self.policies.enable_lockdown() except FirewallError: # already enabled, this is probably reload pass if self._firewalld_conf.get("IPv6_rpfilter"): value = self._firewalld_conf.get("IPv6_rpfilter") if value is not None: if value.lower() in ["no", "false"]: self.ipv6_rpfilter_enabled = False if value.lower() in ["yes", "true"]: self.ipv6_rpfilter_enabled = True if self.ipv6_rpfilter_enabled: log.debug1("IPv6 rpfilter is enabled") else: log.debug1("IPV6 rpfilter is disabled") if self._firewalld_conf.get("IndividualCalls"): value = self._firewalld_conf.get("IndividualCalls") if value is not None and value.lower() in ["yes", "true"]: log.debug1("IndividualCalls is enabled") self._individual_calls = True if self._firewalld_conf.get("LogDenied"): value = self._firewalld_conf.get("LogDenied") if value is None or value.lower() == "no": self._log_denied = "off" else: self._log_denied = value.lower() log.debug1("LogDenied is set to '%s'", self._log_denied) if self._firewalld_conf.get("FirewallBackend"): self._firewall_backend = self._firewalld_conf.get( "FirewallBackend") log.debug1("FirewallBackend is set to '%s'", self._firewall_backend) if self._firewalld_conf.get("FlushAllOnReload"): value = self._firewalld_conf.get("FlushAllOnReload") if value.lower() in ["no", "false"]: self._flush_all_on_reload = False else: self._flush_all_on_reload = True log.debug1("FlushAllOnReload is set to '%s'", self._flush_all_on_reload) if self._firewalld_conf.get("RFC3964_IPv4"): value = self._firewalld_conf.get("RFC3964_IPv4") if value.lower() in ["no", "false"]: self._rfc3964_ipv4 = False else: self._rfc3964_ipv4 = True log.debug1("RFC3964_IPv4 is set to '%s'", self._rfc3964_ipv4) if self._firewalld_conf.get("AllowZoneDrifting"): value = self._firewalld_conf.get("AllowZoneDrifting") if value.lower() in ["no", "false"]: self._allow_zone_drifting = False else: self._allow_zone_drifting = True if not self._offline: log.warning( "AllowZoneDrifting is enabled. This is considered " "an insecure configuration option. It will be " "removed in a future release. Please consider " "disabling it now.") log.debug1("AllowZoneDrifting is set to '%s'", self._allow_zone_drifting) self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf)) self._select_firewall_backend(self._firewall_backend) if not self._offline: self._start_check() # load lockdown whitelist log.debug1("Loading lockdown whitelist") try: self.policies.lockdown_whitelist.read() except Exception as msg: if self.policies.query_lockdown(): log.error("Failed to load lockdown whitelist '%s': %s", self.policies.lockdown_whitelist.filename, msg) else: log.debug1("Failed to load lockdown whitelist '%s': %s", self.policies.lockdown_whitelist.filename, msg) # copy policies to config interface self.config.set_policies(copy.deepcopy(self.policies)) # load ipset files self._loader(config.FIREWALLD_IPSETS, "ipset") self._loader(config.ETC_FIREWALLD_IPSETS, "ipset") # load icmptype files self._loader(config.FIREWALLD_ICMPTYPES, "icmptype") self._loader(config.ETC_FIREWALLD_ICMPTYPES, "icmptype") if len(self.icmptype.get_icmptypes()) == 0: log.error("No icmptypes found.") # load helper files self._loader(config.FIREWALLD_HELPERS, "helper") self._loader(config.ETC_FIREWALLD_HELPERS, "helper") # load service files self._loader(config.FIREWALLD_SERVICES, "service") self._loader(config.ETC_FIREWALLD_SERVICES, "service") if len(self.service.get_services()) == 0: log.error("No services found.") # load zone files self._loader(config.FIREWALLD_ZONES, "zone") self._loader(config.ETC_FIREWALLD_ZONES, "zone") if len(self.zone.get_zones()) == 0: log.fatal("No zones found.") sys.exit(1) # load policy files self._loader(config.FIREWALLD_POLICIES, "policy") self._loader(config.ETC_FIREWALLD_POLICIES, "policy") # check minimum required zones error = False for z in ["block", "drop", "trusted"]: if z not in self.zone.get_zones(): log.fatal("Zone '%s' is not available.", z) error = True if error: sys.exit(1) # check if default_zone is a valid zone if default_zone not in self.zone.get_zones(): if "public" in self.zone.get_zones(): zone = "public" elif "external" in self.zone.get_zones(): zone = "external" else: zone = "block" # block is a base zone, therefore it has to exist log.error("Default zone '%s' is not valid. Using '%s'.", default_zone, zone) default_zone = zone else: log.debug1("Using default zone '%s'", default_zone) # load direct rules obj = Direct(config.FIREWALLD_DIRECT) if os.path.exists(config.FIREWALLD_DIRECT): log.debug1("Loading direct rules file '%s'" % \ config.FIREWALLD_DIRECT) try: obj.read() except Exception as msg: log.error("Failed to load direct rules file '%s': %s", config.FIREWALLD_DIRECT, msg) self.direct.set_permanent_config(obj) self.config.set_direct(copy.deepcopy(obj)) self._default_zone = self.check_zone(default_zone) if self._offline: return # check if needed tables are there self._check_tables() if log.getDebugLogLevel() > 0: # get time before flushing and applying tm1 = time.time() # Start transaction transaction = FirewallTransaction(self) # flush rules self.flush(use_transaction=transaction) # If modules need to be unloaded in complete reload or if there are # ipsets to get applied, limit the transaction to flush. # # Future optimization for the ipset case in reload: The transaction # only needs to be split here if there are conflicting ipset types in # exsting ipsets and the configuration in firewalld. if (reload and complete_reload) or \ (self.ipset_enabled and self.ipset.has_ipsets()): transaction.execute(True) transaction.clear() # complete reload: unload modules also if reload and complete_reload: log.debug1("Unloading firewall modules") self.modules_backend.unload_firewall_modules() self.apply_default_tables(use_transaction=transaction) transaction.execute(True) transaction.clear() # apply settings for loaded ipsets while reloading here if self.ipset_enabled and self.ipset.has_ipsets(): log.debug1("Applying ipsets") self.ipset.apply_ipsets() # Start or continue with transaction # apply default rules log.debug1("Applying default rule set") self.apply_default_rules(use_transaction=transaction) # apply settings for loaded zones log.debug1("Applying used zones") self.zone.apply_zones(use_transaction=transaction) self.zone.change_default_zone(None, self._default_zone, use_transaction=transaction) # apply policies log.debug1("Applying used policies") self.policy.apply_policies(use_transaction=transaction) # Execute transaction transaction.execute(True) # Start new transaction for direct rules transaction.clear() # apply direct chains, rules and passthrough rules if self.direct.has_configuration(): log.debug1("Applying direct chains rules and passthrough rules") self.direct.apply_direct(transaction) # since direct rules are easy to make syntax errors lets highlight # the cause if the transaction fails. try: transaction.execute(True) transaction.clear() except FirewallError as e: raise FirewallError(e.code, "Direct: %s" % (e.msg if e.msg else "")) except Exception: raise del transaction if log.getDebugLogLevel() > 1: # get time after flushing and applying tm2 = time.time() log.debug2("Flushing and applying took %f seconds" % (tm2 - tm1))
def write(self): if len(self._config) < 1: # no changes: nothing to do return # handled keys done = [] try: (temp_file, temp) = tempfile.mkstemp( prefix="%s." % os.path.basename(self.filename), dir=os.path.dirname(self.filename)) except Exception as msg: log.error("Failed to open temporary file: %s" % msg) raise modified = False empty = False try: f = open(self.filename, "r") except Exception as msg: if os.path.exists(self.filename): log.error("Failed to open '%s': %s" % (self.filename, msg)) raise else: f = None else: for line in f.xreadlines(): if not line: break # remove newline line = line.strip("\n") if len(line) < 1: if not empty: os.write(temp_file, "\n") empty = True elif line[0] == '#': empty = False os.write(temp_file, line) os.write(temp_file, "\n") else: p = line.split("=") if len(p) != 2: empty = False os.write(temp_file, line + "\n") continue key = p[0].strip() value = p[1].strip() # check for modified key/value pairs if key not in done: if (key in self._config and \ self._config[key] != value): empty = False os.write(temp_file, '%s=%s\n' \ % (key, self._config[key])) modified = True elif key in self._deleted: modified = True else: empty = False os.write(temp_file, line + "\n") done.append(key) else: modified = True # write remaining key/value pairs if len(self._config) > 0: for (key, value) in self._config.items(): if key in done: continue if not empty: os.write(temp_file, "\n") empty = True os.write(temp_file, '%s=%s\n' % (key, value)) modified = True if f: f.close() os.close(temp_file) if not modified: # not modified: remove tempfile os.remove(temp) return # make backup if os.path.exists(self.filename): try: shutil.copy2(self.filename, "%s.old" % self.filename) except Exception as msg: os.remove(temp) raise IOError("Backup of '%s' failed: %s" % (self.filename, msg)) # copy tempfile try: shutil.move(temp, self.filename) except Exception as msg: os.remove(temp) raise IOError("Failed to create '%s': %s" % (self.filename, msg)) else: os.chmod(self.filename, 0600)
def _start(self, reload=False, complete_reload=False): # initialize firewall default_zone = config.FALLBACK_ZONE # load firewalld config log.debug1("Loading firewalld config file '%s'", config.FIREWALLD_CONF) try: self._firewalld_conf.read() except Exception: log.warning("Using fallback firewalld configuration settings.") else: if self._firewalld_conf.get("DefaultZone"): default_zone = self._firewalld_conf.get("DefaultZone") if self._firewalld_conf.get("MinimalMark"): self._min_mark = int(self._firewalld_conf.get("MinimalMark")) if self._firewalld_conf.get("CleanupOnExit"): value = self._firewalld_conf.get("CleanupOnExit") if value is not None and value.lower() in ["no", "false"]: self.cleanup_on_exit = False if self._firewalld_conf.get("Lockdown"): value = self._firewalld_conf.get("Lockdown") if value is not None and value.lower() in ["yes", "true"]: log.debug1("Lockdown is enabled") try: self.policies.enable_lockdown() except FirewallError: # already enabled, this is probably reload pass if self._firewalld_conf.get("IPv6_rpfilter"): value = self._firewalld_conf.get("IPv6_rpfilter") if value is not None: if value.lower() in ["no", "false"]: self.ipv6_rpfilter_enabled = False if value.lower() in ["yes", "true"]: self.ipv6_rpfilter_enabled = True if self.ipv6_rpfilter_enabled: log.debug1("IPv6 rpfilter is enabled") else: log.debug1("IPV6 rpfilter is disabled") if self._firewalld_conf.get("IndividualCalls"): value = self._firewalld_conf.get("IndividualCalls") if value is not None and value.lower() in ["yes", "true"]: log.debug1("IndividualCalls is enabled") self._individual_calls = True if self._firewalld_conf.get("LogDenied"): value = self._firewalld_conf.get("LogDenied") if value is None or value.lower() == "no": self._log_denied = "off" else: self._log_denied = value.lower() log.debug1("LogDenied is set to '%s'", self._log_denied) if self._firewalld_conf.get("AutomaticHelpers"): value = self._firewalld_conf.get("AutomaticHelpers") if value is not None: if value.lower() in ["no", "false"]: self._automatic_helpers = "no" elif value.lower() in ["yes", "true"]: self._automatic_helpers = "yes" else: self._automatic_helpers = value.lower() log.debug1("AutomaticHelpers is set to '%s'", self._automatic_helpers) self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf)) # load lockdown whitelist log.debug1("Loading lockdown whitelist") try: self.policies.lockdown_whitelist.read() except Exception as msg: if self.policies.query_lockdown(): log.error("Failed to load lockdown whitelist '%s': %s", self.policies.lockdown_whitelist.filename, msg) else: log.debug1("Failed to load lockdown whitelist '%s': %s", self.policies.lockdown_whitelist.filename, msg) # copy policies to config interface self.config.set_policies(copy.deepcopy(self.policies)) # load ipset files self._loader(config.FIREWALLD_IPSETS, "ipset") self._loader(config.ETC_FIREWALLD_IPSETS, "ipset") # load icmptype files self._loader(config.FIREWALLD_ICMPTYPES, "icmptype") self._loader(config.ETC_FIREWALLD_ICMPTYPES, "icmptype") if len(self.icmptype.get_icmptypes()) == 0: log.error("No icmptypes found.") # load helper files self._loader(config.FIREWALLD_HELPERS, "helper") self._loader(config.ETC_FIREWALLD_HELPERS, "helper") # load service files self._loader(config.FIREWALLD_SERVICES, "service") self._loader(config.ETC_FIREWALLD_SERVICES, "service") if len(self.service.get_services()) == 0: log.error("No services found.") # load zone files self._loader(config.FIREWALLD_ZONES, "zone") self._loader(config.ETC_FIREWALLD_ZONES, "zone") if len(self.zone.get_zones()) == 0: log.fatal("No zones found.") sys.exit(1) # check minimum required zones error = False for z in ["block", "drop", "trusted"]: if z not in self.zone.get_zones(): log.fatal("Zone '%s' is not available.", z) error = True if error: sys.exit(1) # check if default_zone is a valid zone if default_zone not in self.zone.get_zones(): if "public" in self.zone.get_zones(): zone = "public" elif "external" in self.zone.get_zones(): zone = "external" else: zone = "block" # block is a base zone, therefore it has to exist log.error("Default zone '%s' is not valid. Using '%s'.", default_zone, zone) default_zone = zone else: log.debug1("Using default zone '%s'", default_zone) # load direct rules obj = Direct(config.FIREWALLD_DIRECT) if os.path.exists(config.FIREWALLD_DIRECT): log.debug1("Loading direct rules file '%s'" % \ config.FIREWALLD_DIRECT) try: obj.read() except Exception as msg: log.error("Failed to load direct rules file '%s': %s", config.FIREWALLD_DIRECT, msg) self.config.set_direct(copy.deepcopy(obj)) self._default_zone = self.check_zone(default_zone) self._state = "RUNNING"
def apply_ipsets(self): active = self._fw.ipset_backend.get_active_terse() for name in self.get_ipsets(): obj = self._ipsets[name] obj.applied = False if name in active and ("timeout" not in obj.options or \ obj.options["timeout"] == "0" or \ obj.type != active[name][0] or \ rm_def_cr_opts(obj.options) != \ active[name][1]): try: self._fw.ipset_backend.destroy(name) except Exception as msg: log.error("Failed to destroy ipset '%s'" % name) log.error(msg) if self._fw.individual_calls(): try: self._fw.ipset_backend.create(obj.name, obj.type, obj.options) except Exception as msg: log.error("Failed to create ipset '%s'" % obj.name) log.error(msg) else: obj.applied = True if "timeout" not in obj.options or \ obj.options["timeout"] != "0": # no entries visible for ipsets with timeout continue for entry in obj.entries: try: self._fw.ipset_backend.add(obj.name, entry) except Exception as msg: log.error("Failed to add entry '%s' to ipset '%s'" % \ (entry, obj.name)) log.error(msg) else: try: self._fw.ipset_backend.restore(obj.name, obj.type, obj.entries, obj.options, None) except Exception as msg: log.error("Failed to create ipset '%s'" % obj.name) log.error(msg) else: obj.applied = True
def zone_writer(zone, path=None): _path = path if path else zone.path if zone.filename: name = "%s/%s" % (_path, zone.filename) else: name = "%s/%s.xml" % (_path, zone.name) if os.path.exists(name): try: shutil.copy2(name, "%s.old" % name) except Exception as msg: log.error("Backup of file '%s' failed: %s", name, msg) dirpath = os.path.dirname(name) if dirpath.startswith( config.ETC_FIREWALLD) and not os.path.exists(dirpath): if not os.path.exists(config.ETC_FIREWALLD): os.mkdir(config.ETC_FIREWALLD, 0o750) os.mkdir(dirpath, 0o750) f = io.open(name, mode='wt', encoding='UTF-8') handler = IO_Object_XMLGenerator(f) handler.startDocument() # start zone element attrs = {} if zone.version and zone.version != "": attrs["version"] = zone.version if zone.target != DEFAULT_ZONE_TARGET: attrs["target"] = zone.target handler.startElement("zone", attrs) handler.ignorableWhitespace("\n") common_writer(zone, handler) # interfaces for interface in uniqify(zone.interfaces): handler.ignorableWhitespace(" ") handler.simpleElement("interface", {"name": interface}) handler.ignorableWhitespace("\n") # source for source in uniqify(zone.sources): handler.ignorableWhitespace(" ") if "ipset:" in source: handler.simpleElement("source", {"ipset": source[6:]}) else: handler.simpleElement("source", {"address": source}) handler.ignorableWhitespace("\n") # icmp-block-inversion if zone.icmp_block_inversion: handler.ignorableWhitespace(" ") handler.simpleElement("icmp-block-inversion", {}) handler.ignorableWhitespace("\n") # forward if zone.forward: handler.ignorableWhitespace(" ") handler.simpleElement("forward", {}) handler.ignorableWhitespace("\n") # end zone element handler.endElement("zone") handler.ignorableWhitespace("\n") handler.endDocument() f.close() del handler
def write(self): if len(self._config) < 1: # no changes: nothing to do return # handled keys done = [ ] if not os.path.exists(config.ETC_FIREWALLD): os.mkdir(config.ETC_FIREWALLD, 0o750) try: temp_file = tempfile.NamedTemporaryFile(mode='wt', prefix="%s." % os.path.basename(self.filename), dir=os.path.dirname(self.filename), delete=False) except Exception as msg: log.error("Failed to open temporary file: %s" % msg) raise modified = False empty = False try: f= io.open(self.filename, mode='rt', encoding='UTF-8') except Exception as msg: if os.path.exists(self.filename): log.error("Failed to open '%s': %s" % (self.filename, msg)) raise else: f = None else: for line in f: if not line: break # remove newline line = line.strip("\n") if len(line) < 1: if not empty: temp_file.write(u"\n") empty = True elif line[0] == '#': empty = False temp_file.write(line) temp_file.write(u"\n") else: p = line.split("=") if len(p) != 2: empty = False temp_file.write(line+u"\n") continue key = p[0].strip() value = p[1].strip() # check for modified key/value pairs if key not in done: if (key in self._config and \ self._config[key] != value): empty = False temp_file.write(u'%s=%s\n' % (key, self._config[key])) modified = True elif key in self._deleted: modified = True else: empty = False temp_file.write(line+u"\n") done.append(key) else: modified = True # write remaining key/value pairs if len(self._config) > 0: for (key,value) in self._config.items(): if key in done: continue if key in ["MinimalMark", "AutomaticHelpers"]: # omit deprecated from new config continue if not empty: temp_file.write(u"\n") empty = True temp_file.write(u'%s=%s\n' % (key, value)) modified = True if f: f.close() temp_file.close() if not modified: # not modified: remove tempfile os.remove(temp_file.name) return # make backup if os.path.exists(self.filename): try: shutil.copy2(self.filename, "%s.old" % self.filename) except Exception as msg: os.remove(temp_file.name) raise IOError("Backup of '%s' failed: %s" % (self.filename, msg)) # copy tempfile try: shutil.move(temp_file.name, self.filename) except Exception as msg: os.remove(temp_file.name) raise IOError("Failed to create '%s': %s" % (self.filename, msg)) else: os.chmod(self.filename, 0o600)
def rules(self, ipv, rules): _rules = [ ] for rule in rules: # replace %%REJECT%% try: i = rule.index("%%REJECT%%") except ValueError: pass else: if ipv in [ "ipv4", "ipv6" ]: rule[i:i+1] = [ "REJECT", "--reject-with", ipXtables.DEFAULT_REJECT_TYPE[ipv] ] else: raise FirewallError(errors.EBTABLES_NO_REJECT, "'%s' not in {'ipv4'|'ipv6'}" % ipv) # replace %%ICMP%% try: i = rule.index("%%ICMP%%") except ValueError: pass else: if ipv in [ "ipv4", "ipv6" ]: rule[i] = ipXtables.ICMP[ipv] else: raise FirewallError(errors.INVALID_IPV, "'%s' not in {'ipv4'|'ipv6'}" % ipv) # replace %%LOGTYPE%% try: i = rule.index("%%LOGTYPE%%") except ValueError: pass else: if self._log_denied == "off": continue if ipv not in [ "ipv4", "ipv6" ]: raise FirewallError(errors.INVALID_IPV, "'%s' not in {'ipv4'|'ipv6'}" % ipv) if self._log_denied in [ "unicast", "broadcast", "multicast" ]: rule[i:i+1] = [ "-m", "pkttype", "--pkt-type", self._log_denied ] else: rule.pop(i) _rules.append(rule) backend = None if ipv == "ipv4": if self.ip4tables_enabled: # do not call if disabled backend = self.ip4tables_backend elif ipv == "ipv6": if self.ip6tables_enabled: # do not call if disabled backend = self.ip6tables_backend elif ipv == "eb": if self.ebtables_enabled: # do not call if disabled backend = self.ebtables_backend else: raise FirewallError(errors.INVALID_IPV, "'%s' not in {'ipv4'|'ipv6'|'eb'}" % ipv) if not backend: return "" if self._individual_calls or \ not backend.restore_command_exists or \ (ipv == "eb" and not self.ebtables_backend.restore_noflush_option): for i,rule in enumerate(_rules): # remove leading and trailing '"' for use with execve j = 0 while j < len(rule): x = rule[j] if len(x) > 2 and x[0] == '"' and x[-1] == '"': rule[j] = x[1:-1] j += 1 try: backend.set_rule(rule) except Exception as msg: log.error("Failed to apply rules. A firewall reload might solve the issue if the firewall has been modified using ip*tables or ebtables.") log.error(msg) for rule in reversed(_rules[:i]): try: backend.set_rule(reverse_rule(rule)) except Exception: # ignore errors here pass return False return True else: return backend.set_rules(_rules)
def _loader(self, path, reader_type, combine=False): # combine: several zone files are getting combined into one obj if not os.path.isdir(path): return if combine: if path.startswith(config.ETC_FIREWALLD) and reader_type == "zone": combined_zone = Zone() combined_zone.name = os.path.basename(path) combined_zone.check_name(combined_zone.name) combined_zone.path = path combined_zone.default = False else: combine = False for filename in sorted(os.listdir(path)): if not filename.endswith(".xml"): if path.startswith(config.ETC_FIREWALLD) and \ reader_type == "zone" and \ os.path.isdir("%s/%s" % (path, filename)): self._loader("%s/%s" % (path, filename), reader_type, combine=True) continue name = "%s/%s" % (path, filename) log.debug1("Loading %s file '%s'", reader_type, name) try: if reader_type == "icmptype": obj = icmptype_reader(filename, path) if obj.name in self.icmptype.get_icmptypes(): orig_obj = self.icmptype.get_icmptype(obj.name) log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) self.icmptype.remove_icmptype(orig_obj.name) elif obj.path.startswith(config.ETC_FIREWALLD): obj.default = True try: self.icmptype.add_icmptype(obj) except FirewallError as error: log.warning("%s: %s, ignoring for run-time." % \ (obj.name, str(error))) # add a deep copy to the configuration interface self.config.add_icmptype(copy.deepcopy(obj)) elif reader_type == "service": obj = service_reader(filename, path) if obj.name in self.service.get_services(): orig_obj = self.service.get_service(obj.name) log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) self.service.remove_service(orig_obj.name) elif obj.path.startswith(config.ETC_FIREWALLD): obj.default = True self.service.add_service(obj) # add a deep copy to the configuration interface self.config.add_service(copy.deepcopy(obj)) elif reader_type == "zone": obj = zone_reader(filename, path) if combine: # Change name for permanent configuration obj.name = "%s/%s" % ( os.path.basename(path), os.path.basename(filename)[0:-4]) obj.check_name(obj.name) # Copy object before combine config_obj = copy.deepcopy(obj) if obj.name in self.zone.get_zones(): orig_obj = self.zone.get_zone(obj.name) self.zone.remove_zone(orig_obj.name) if orig_obj.combined: log.debug1(" Combining %s '%s' ('%s/%s')", reader_type, obj.name, path, filename) obj.combine(orig_obj) else: log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) elif obj.path.startswith(config.ETC_FIREWALLD): obj.default = True config_obj.default = True self.config.add_zone(config_obj) if combine: log.debug1(" Combining %s '%s' ('%s/%s')", reader_type, combined_zone.name, path, filename) combined_zone.combine(obj) else: self.zone.add_zone(obj) elif reader_type == "ipset": obj = ipset_reader(filename, path) if obj.name in self.ipset.get_ipsets(): orig_obj = self.ipset.get_ipset(obj.name) log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) self.ipset.remove_ipset(orig_obj.name) elif obj.path.startswith(config.ETC_FIREWALLD): obj.default = True try: self.ipset.add_ipset(obj) except FirewallError as error: log.warning("%s: %s, ignoring for run-time." % \ (obj.name, str(error))) # add a deep copy to the configuration interface self.config.add_ipset(copy.deepcopy(obj)) elif reader_type == "helper": obj = helper_reader(filename, path) if obj.name in self.helper.get_helpers(): orig_obj = self.helper.get_helper(obj.name) log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) self.helper.remove_helper(orig_obj.name) elif obj.path.startswith(config.ETC_FIREWALLD): obj.default = True self.helper.add_helper(obj) # add a deep copy to the configuration interface self.config.add_helper(copy.deepcopy(obj)) else: log.fatal("Unknown reader type %s", reader_type) except FirewallError as msg: log.error("Failed to load %s file '%s': %s", reader_type, name, msg) except Exception as msg: log.error("Failed to load %s file '%s':", reader_type, name) log.exception() if combine and combined_zone.combined: if combined_zone.name in self.zone.get_zones(): orig_obj = self.zone.get_zone(combined_zone.name) log.debug1(" Overloading and deactivating %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) try: self.zone.remove_zone(combined_zone.name) except Exception: pass self.config.forget_zone(combined_zone.name) self.zone.add_zone(combined_zone)
def _start(self, reload=False, complete_reload=False): # initialize firewall default_zone = config.FALLBACK_ZONE # load firewalld config log.debug1("Loading firewalld config file '%s'", config.FIREWALLD_CONF) try: self._firewalld_conf.read() except Exception as msg: log.warning(msg) log.warning("Using fallback firewalld configuration settings.") else: if self._firewalld_conf.get("DefaultZone"): default_zone = self._firewalld_conf.get("DefaultZone") if self._firewalld_conf.get("MinimalMark"): self._min_mark = int(self._firewalld_conf.get("MinimalMark")) if self._firewalld_conf.get("CleanupOnExit"): value = self._firewalld_conf.get("CleanupOnExit") if value is not None and value.lower() in [ "no", "false" ]: self.cleanup_on_exit = False if self._firewalld_conf.get("Lockdown"): value = self._firewalld_conf.get("Lockdown") if value is not None and value.lower() in [ "yes", "true" ]: log.debug1("Lockdown is enabled") try: self.policies.enable_lockdown() except FirewallError: # already enabled, this is probably reload pass if self._firewalld_conf.get("IPv6_rpfilter"): value = self._firewalld_conf.get("IPv6_rpfilter") if value is not None: if value.lower() in [ "no", "false" ]: self.ipv6_rpfilter_enabled = False if value.lower() in [ "yes", "true" ]: self.ipv6_rpfilter_enabled = True if self.ipv6_rpfilter_enabled: log.debug1("IPv6 rpfilter is enabled") else: log.debug1("IPV6 rpfilter is disabled") if self._firewalld_conf.get("IndividualCalls"): value = self._firewalld_conf.get("IndividualCalls") if value is not None and value.lower() in [ "yes", "true" ]: log.debug1("IndividualCalls is enabled") self._individual_calls = True if self._firewalld_conf.get("LogDenied"): value = self._firewalld_conf.get("LogDenied") if value is None or value.lower() == "no": self._log_denied = "off" else: self._log_denied = value.lower() log.debug1("LogDenied is set to '%s'", self._log_denied) if self._firewalld_conf.get("AutomaticHelpers"): value = self._firewalld_conf.get("AutomaticHelpers") if value is not None: if value.lower() in [ "no", "false" ]: self._automatic_helpers = "no" elif value.lower() in [ "yes", "true" ]: self._automatic_helpers = "yes" else: self._automatic_helpers = value.lower() log.debug1("AutomaticHelpers is set to '%s'", self._automatic_helpers) self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf)) self._start_check() # load lockdown whitelist log.debug1("Loading lockdown whitelist") try: self.policies.lockdown_whitelist.read() except Exception as msg: if self.policies.query_lockdown(): log.error("Failed to load lockdown whitelist '%s': %s", self.policies.lockdown_whitelist.filename, msg) else: log.debug1("Failed to load lockdown whitelist '%s': %s", self.policies.lockdown_whitelist.filename, msg) # copy policies to config interface self.config.set_policies(copy.deepcopy(self.policies)) # load ipset files self._loader(config.FIREWALLD_IPSETS, "ipset") self._loader(config.ETC_FIREWALLD_IPSETS, "ipset") # load icmptype files self._loader(config.FIREWALLD_ICMPTYPES, "icmptype") self._loader(config.ETC_FIREWALLD_ICMPTYPES, "icmptype") if len(self.icmptype.get_icmptypes()) == 0: log.error("No icmptypes found.") # load helper files self._loader(config.FIREWALLD_HELPERS, "helper") self._loader(config.ETC_FIREWALLD_HELPERS, "helper") # load service files self._loader(config.FIREWALLD_SERVICES, "service") self._loader(config.ETC_FIREWALLD_SERVICES, "service") if len(self.service.get_services()) == 0: log.error("No services found.") # load zone files self._loader(config.FIREWALLD_ZONES, "zone") self._loader(config.ETC_FIREWALLD_ZONES, "zone") if len(self.zone.get_zones()) == 0: log.fatal("No zones found.") sys.exit(1) # check minimum required zones error = False for z in [ "block", "drop", "trusted" ]: if z not in self.zone.get_zones(): log.fatal("Zone '%s' is not available.", z) error = True if error: sys.exit(1) # check if default_zone is a valid zone if default_zone not in self.zone.get_zones(): if "public" in self.zone.get_zones(): zone = "public" elif "external" in self.zone.get_zones(): zone = "external" else: zone = "block" # block is a base zone, therefore it has to exist log.error("Default zone '%s' is not valid. Using '%s'.", default_zone, zone) default_zone = zone else: log.debug1("Using default zone '%s'", default_zone) # load direct rules obj = Direct(config.FIREWALLD_DIRECT) if os.path.exists(config.FIREWALLD_DIRECT): log.debug1("Loading direct rules file '%s'" % \ config.FIREWALLD_DIRECT) try: obj.read() except Exception as msg: log.debug1("Failed to load direct rules file '%s': %s", config.FIREWALLD_DIRECT, msg) self.direct.set_permanent_config(obj) self.config.set_direct(copy.deepcopy(obj)) # automatic helpers if self._automatic_helpers != "system": functions.set_nf_conntrack_helper_setting(self._automatic_helpers == "yes") self.nf_conntrack_helper_setting = \ functions.get_nf_conntrack_helper_setting() # check if needed tables are there self._check_tables() if log.getDebugLogLevel() > 0: # get time before flushing and applying tm1 = time.time() # Start transaction transaction = FirewallTransaction(self) if reload: self.set_policy("DROP", use_transaction=transaction) # flush rules self.flush(use_transaction=transaction) # If modules need to be unloaded in complete reload or if there are # ipsets to get applied, limit the transaction to set_policy and flush. # # Future optimization for the ipset case in reload: The transaction # only needs to be split here if there are conflicting ipset types in # exsting ipsets and the configuration in firewalld. if (reload and complete_reload) or \ (self.ipset_enabled and self.ipset.has_ipsets()): transaction.execute(True) transaction.clear() # complete reload: unload modules also if reload and complete_reload: log.debug1("Unloading firewall modules") self.modules_backend.unload_firewall_modules() # apply settings for loaded ipsets while reloading here if self.ipset_enabled and self.ipset.has_ipsets(): log.debug1("Applying ipsets") self.ipset.apply_ipsets() # Start or continue with transaction # apply default rules log.debug1("Applying default rule set") self.apply_default_rules(use_transaction=transaction) # apply settings for loaded zones log.debug1("Applying used zones") self.zone.apply_zones(use_transaction=transaction) self._default_zone = self.check_zone(default_zone) self.zone.change_default_zone(None, self._default_zone, use_transaction=transaction) # Execute transaction transaction.execute(True) # Start new transaction for direct rules transaction.clear() # apply direct chains, rules and passthrough rules if self.direct.has_configuration(): transaction.enable_generous_mode() log.debug1("Applying direct chains rules and passthrough rules") self.direct.apply_direct(transaction) # Execute transaction transaction.execute(True) transaction.disable_generous_mode() transaction.clear() del transaction if log.getDebugLogLevel() > 1: # get time after flushing and applying tm2 = time.time() log.debug2("Flushing and applying took %f seconds" % (tm2 - tm1)) self._state = "RUNNING"
def service_writer(service, path=None): _path = path if path else service.path if service.filename: name = "%s/%s" % (_path, service.filename) else: name = "%s/%s.xml" % (_path, service.name) if os.path.exists(name): try: shutil.copy2(name, "%s.old" % name) except Exception as msg: log.error("Backup of file '%s' failed: %s", name, msg) dirpath = os.path.dirname(name) if dirpath.startswith( config.ETC_FIREWALLD) and not os.path.exists(dirpath): if not os.path.exists(config.ETC_FIREWALLD): os.mkdir(config.ETC_FIREWALLD, 0o750) os.mkdir(dirpath, 0o750) f = io.open(name, mode='wt', encoding='UTF-8') handler = IO_Object_XMLGenerator(f) handler.startDocument() # start service element attrs = {} if service.version and service.version != "": attrs["version"] = service.version handler.startElement("service", attrs) handler.ignorableWhitespace("\n") # short if service.short and service.short != "": handler.ignorableWhitespace(" ") handler.startElement("short", {}) handler.characters(service.short) handler.endElement("short") handler.ignorableWhitespace("\n") # description if service.description and service.description != "": handler.ignorableWhitespace(" ") handler.startElement("description", {}) handler.characters(service.description) handler.endElement("description") handler.ignorableWhitespace("\n") # ports for port in service.ports: handler.ignorableWhitespace(" ") handler.simpleElement("port", {"port": port[0], "protocol": port[1]}) handler.ignorableWhitespace("\n") # protocols for protocol in service.protocols: handler.ignorableWhitespace(" ") handler.simpleElement("protocol", {"value": protocol}) handler.ignorableWhitespace("\n") # source ports for port in service.source_ports: handler.ignorableWhitespace(" ") handler.simpleElement("source-port", { "port": port[0], "protocol": port[1] }) handler.ignorableWhitespace("\n") # modules for module in service.modules: handler.ignorableWhitespace(" ") handler.simpleElement("module", {"name": module}) handler.ignorableWhitespace("\n") # destination if len(service.destination) > 0: handler.ignorableWhitespace(" ") handler.simpleElement("destination", service.destination) handler.ignorableWhitespace("\n") # end service element handler.endElement('service') handler.ignorableWhitespace("\n") handler.endDocument() f.close() del handler
def update_policy_object_from_path(self, name): filename = os.path.basename(name) path = os.path.dirname(name) if not os.path.exists(name): # removed file if path.startswith(config.ETC_FIREWALLD_POLICIES): # removed custom policy_object for x in self._policy_objects.keys(): obj = self._policy_objects[x] if obj.filename == filename: del self._policy_objects[x] if obj.name in self._builtin_policy_objects: return ("update", self._builtin_policy_objects[obj.name]) return ("remove", obj) else: # removed builtin policy_object for x in self._builtin_policy_objects.keys(): obj = self._builtin_policy_objects[x] if obj.filename == filename: del self._builtin_policy_objects[x] if obj.name not in self._policy_objects: # update dbus policy_object return ("remove", obj) else: # builtin hidden, no update needed return (None, None) # policy_object not known to firewalld, yet (timeout, ..) return (None, None) # new or updated file log.debug1("Loading policy file '%s'", name) try: obj = policy_reader(filename, path) except Exception as msg: log.error("Failed to load policy file '%s': %s", filename, msg) return (None, None) if path.startswith(config.ETC_FIREWALLD_POLICIES) and \ len(path) > len(config.ETC_FIREWALLD_POLICIES): # custom combined policy_object part obj.name = "%s/%s" % (os.path.basename(path), os.path.basename(filename)[0:-4]) # new policy_object if obj.name not in self._builtin_policy_objects and obj.name not in self._policy_objects: self.add_policy_object(obj) return ("new", obj) # updated policy_object if path.startswith(config.ETC_FIREWALLD_POLICIES): # custom policy_object update if obj.name in self._policy_objects: obj.default = self._policy_objects[obj.name].default self._policy_objects[obj.name] = obj return ("update", obj) else: if obj.name in self._builtin_policy_objects: # builtin policy_object update del self._builtin_policy_objects[obj.name] self._builtin_policy_objects[obj.name] = obj if obj.name not in self._policy_objects: # update dbus policy_object return ("update", obj) else: # builtin hidden, no update needed return (None, None) # policy_object not known to firewalld, yet (timeout, ..) return (None, None)
def set_entries(self, name, entries): obj = self.get_ipset(name) if "timeout" in obj.options and obj.options["timeout"] != "0": # no entries visible for ipsets with timeout raise FirewallError(errors.IPSET_WITH_TIMEOUT, name) for entry in entries: IPSet.check_entry(entry, obj.options, obj.type) obj.entries = entries if self._fw.individual_calls(): try: self._fw.ipset_backend.flush(obj.name) except Exception as msg: log.error("Failed to flush ipset '%s'" % obj.name) log.error(msg) else: obj.applied = True for entry in obj.entries: try: self._fw.ipset_backend.add(obj.name, entry) except Exception as msg: log.error("Failed to add entry '%s' to ipset '%s'" % \ (entry, obj.name)) log.error(msg) else: try: self._fw.ipset_backend.flush(obj.name) except Exception as msg: log.error("Failed to flush ipset '%s'" % obj.name) log.error(msg) else: obj.applied = True try: self._fw.ipset_backend.restore(obj.name, obj.type, obj.entries, obj.options, None) except Exception as msg: log.error("Failed to create ipset '%s'" % obj.name) log.error(msg) else: obj.applied = True return
attrs["value"] = rule.element.value elif type(rule.element) == Rich_Masquerade: element = "masquerade" elif type(rule.element) == Rich_IcmpBlock: element = "icmp-block" attrs["name"] = rule.element.name elif type(rule.element) == Rich_ForwardPort: element = "forward-port" attrs["port"] = rule.element.port attrs["protocol"] = rule.element.protocol if rule.element.to_port != "": attrs["to-port"] = rule.element.to_port if rule.element.to_address != "": attrs["to-addr"] = rule.element.to_address else: log.error('Unknown element "%s"' % type(rule.element)) handler.ignorableWhitespace(" ") handler.simpleElement(element, attrs) handler.ignorableWhitespace("\n") # rule.element # log if rule.log: attrs = {} if rule.log.prefix: attrs["prefix"] = rule.log.prefix if rule.log.level: attrs["level"] = rule.log.level if rule.log.limit:
def update_zone_from_path(self, name): filename = os.path.basename(name) path = os.path.dirname(name) if not os.path.exists(name): # removed file if path.startswith(config.ETC_FIREWALLD_ZONES): # removed custom zone for x in self._zones.keys(): obj = self._zones[x] if obj.filename == filename: del self._zones[x] if obj.name in self._builtin_zones: return ("update", self._builtin_zones[obj.name]) return ("remove", obj) else: # removed builtin zone for x in self._builtin_zones.keys(): obj = self._builtin_zones[x] if obj.filename == filename: del self._builtin_zones[x] if obj.name not in self._zones: # update dbus zone return ("remove", obj) else: # builtin hidden, no update needed return (None, None) # zone not known to firewalld, yet (timeout, ..) return (None, None) # new or updated file log.debug1("Loading zone file '%s'", name) try: obj = zone_reader(filename, path) except Exception as msg: log.error("Failed to load zone file '%s': %s", filename, msg) return (None, None) obj.fw_config = self if path.startswith(config.ETC_FIREWALLD_ZONES) and \ len(path) > len(config.ETC_FIREWALLD_ZONES): # custom combined zone part obj.name = "%s/%s" % (os.path.basename(path), os.path.basename(filename)[0:-4]) # new zone if obj.name not in self._builtin_zones and obj.name not in self._zones: self.add_zone(obj) return ("new", obj) # updated zone if path.startswith(config.ETC_FIREWALLD_ZONES): # custom zone update if obj.name in self._zones: obj.default = self._zones[obj.name].default self._zones[obj.name] = obj return ("update", obj) else: if obj.name in self._builtin_zones: # builtin zone update del self._builtin_zones[obj.name] self._builtin_zones[obj.name] = obj if obj.name not in self._zones: # update dbus zone return ("update", obj) else: # builtin hidden, no update needed return (None, None) # zone not known to firewalld, yet (timeout, ..) return (None, None)
def execute(self, enable): log.debug4("%s.execute(%s)" % (type(self), enable)) rules, modules = self.prepare(enable) # pre self.pre() # stage 1: apply rules error = False done = [] for ipv in rules: try: self.fw.rules(ipv, rules[ipv]) except Exception as msg: error = True if not self.generous_mode: log.warning(msg) else: done.append(ipv) if error and self.generous_mode: for ipv in rules: if ipv in done: continue for rule in rules[ipv]: try: self.fw.rule(ipv, rule) except Exception as msg: log.warning(msg) done.append(ipv) error = False # stage 2: load modules if not error: module_return = self.fw.handle_modules(modules, enable) if module_return: (cleanup_modules, msg) = module_return if cleanup_modules is not None: error = True self.fw.handle_modules(cleanup_modules, not enable) # error case: revert rules if error: undo_rules = {} for ipv in done: undo_rules[ipv] = [] for rule in reversed(rules[ipv]): undo_rules[ipv].append(reverse_rule(rule)) for ipv in undo_rules: try: self.fw.rules(ipv, undo_rules[ipv]) except Exception as msg: log.error(msg) # call failure functions for (func, args) in self.fail_funcs: try: func(*args) except Exception as msg: log.error("Calling fail func %s(%s) failed: %s" % \ (func, args, msg)) raise FirewallError(errors.COMMAND_FAILED) # post self.post()
def _start(self): # initialize firewall default_zone = FALLBACK_ZONE # load firewalld config log.debug1("Loading firewalld config file '%s'", FIREWALLD_CONF) try: self._firewalld_conf.read() except Exception as msg: log.error("Failed to open firewalld config file '%s': %s", FIREWALLD_CONF, msg) else: if self._firewalld_conf.get("DefaultZone"): default_zone = self._firewalld_conf.get("DefaultZone") if self._firewalld_conf.get("MinimalMark"): mark = self._firewalld_conf.get("MinimalMark") if mark != None: try: self._min_mark = int(mark) except Exception as msg: log.error( "MinimalMark %s is not valid, using default " "value %d", mark, self._min_mark) if self._firewalld_conf.get("CleanupOnExit"): value = self._firewalld_conf.get("CleanupOnExit") if value != None and value.lower() in ["no", "false"]: self.cleanup_on_exit = False if self._firewalld_conf.get("Lockdown"): value = self._firewalld_conf.get("Lockdown") if value != None and value.lower() in ["yes", "true"]: log.debug1("Lockdown is enabled") try: self.policies.enable_lockdown() except FirewallError: # already enabled, this is probably reload pass self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf)) # apply default rules self._apply_default_rules() # load lockdown whitelist log.debug1("Loading lockdown whitelist") try: self.policies.lockdown_whitelist.read() except Exception as msg: log.error("Failed to load lockdown whitelist '%s': %s", self.policies.lockdown_whitelist.filename, msg) # copy policies to config interface self.config.set_policies(copy.deepcopy(self.policies)) # load icmptype files self._loader(FIREWALLD_ICMPTYPES, "icmptype") self._loader(ETC_FIREWALLD_ICMPTYPES, "icmptype") if len(self.icmptype.get_icmptypes()) == 0: log.error("No icmptypes found.") # load service files self._loader(FIREWALLD_SERVICES, "service") self._loader(ETC_FIREWALLD_SERVICES, "service") if len(self.service.get_services()) == 0: log.error("No services found.") # load zone files self._loader(FIREWALLD_ZONES, "zone") self._loader(ETC_FIREWALLD_ZONES, "zone") if len(self.zone.get_zones()) == 0: log.fatal("No zones found.") sys.exit(1) # check minimum required zones error = False for z in ["block", "drop", "trusted"]: if not z in self.zone.get_zones(): log.fatal("Zone '%s' is not available.", z) error = True if error: sys.exit(1) # load direct rules log.debug1("Loading direct rules file '%s'" % FIREWALLD_DIRECT) obj = Direct(FIREWALLD_DIRECT) try: obj.read() except Exception as msg: log.debug1("Failed to load direct rules file '%s': %s", FIREWALLD_DIRECT, msg) else: self.direct.set_config((obj.get_all_chains(), obj.get_all_rules())) for ipv, args in obj.get_all_passthroughs().items(): for arg in args: try: self.direct.passthrough(ipv, arg) except FirewallError as error: log.warning(str(error)) # TODO: copy obj into config interface self.config.set_direct(copy.deepcopy(obj)) # check if default_zone is a valid zone if default_zone not in self.zone.get_zones(): if "public" in self.zone.get_zones(): zone = "public" elif "external" in self.zone.get_zones(): zone = "external" else: zone = "block" # block is a base zone, therefore it has to exist log.error("Default zone '%s' is not valid. Using '%s'.", default_zone, zone) default_zone = zone else: log.debug1("Using default zone '%s'", default_zone) self._default_zone = self.check_zone(default_zone) self.zone.change_default_zone(None, self._default_zone) self._state = "RUNNING"
def startElement(self, name, attrs): IO_Object_ContentHandler.startElement(self, name, attrs) self.item.parser_check_element_attrs(name, attrs) if name == "whitelist": if self.whitelist: raise FirewallError(errors.PARSE_ERROR, "More than one whitelist.") self.whitelist = True elif name == "command": if not self.whitelist: log.error("Parse Error: command outside of whitelist") return command = attrs["name"] self.item.add_command(command) elif name == "user": if not self.whitelist: log.error("Parse Error: user outside of whitelist") return if "id" in attrs: try: uid = int(attrs["id"]) except ValueError: log.error("Parse Error: %s is not a valid uid" % attrs["id"]) return self.item.add_uid(uid) elif "name" in attrs: self.item.add_user(attrs["name"]) elif name == "selinux": if not self.whitelist: log.error("Parse Error: selinux outside of whitelist") return if "context" not in attrs: log.error("Parse Error: no context") return self.item.add_context(attrs["context"]) else: log.error('Unknown XML element %s' % name) return
def _loader(self, path, reader_type, combine=False): # combine: several zone files are getting combined into one obj if not os.path.isdir(path): return if combine == True: if path.startswith(ETC_FIREWALLD) and reader_type == "zone": combined_zone = Zone() combined_zone.name = os.path.basename(path) combined_zone.check_name(combined_zone.name) combined_zone.path = path combined_zone.default = False else: combine = False for filename in sorted(os.listdir(path)): if not filename.endswith(".xml"): if path.startswith(ETC_FIREWALLD) and \ reader_type == "zone" and \ os.path.isdir("%s/%s" % (path, filename)): self._loader("%s/%s" % (path, filename), reader_type, combine=True) continue name = "%s/%s" % (path, filename) log.debug1("Loading %s file '%s'", reader_type, name) try: if reader_type == "icmptype": obj = icmptype_reader(filename, path) if obj.name in self.icmptype.get_icmptypes(): orig_obj = self.icmptype.get_icmptype(obj.name) log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) self.icmptype.remove_icmptype(orig_obj.name) self.icmptype.add_icmptype(obj) # add a deep copy to the configuration interface self.config.add_icmptype(copy.deepcopy(obj)) elif reader_type == "service": obj = service_reader(filename, path) if obj.name in self.service.get_services(): orig_obj = self.service.get_service(obj.name) log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) self.service.remove_service(orig_obj.name) self.service.add_service(obj) # add a deep copy to the configuration interface self.config.add_service(copy.deepcopy(obj)) elif reader_type == "zone": obj = zone_reader(filename, path) if not combine: if obj.name in self.zone.get_zones(): orig_obj = self.zone.get_zone(obj.name) if orig_obj.combined: raise FirewallError(NOT_OVERLOADABLE, "%s is a combined zone" % \ obj.name) log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) self.zone.remove_zone(orig_obj.name) self.zone.add_zone(obj) # add a deep copy to the configuration interface self.config.add_zone(copy.deepcopy(obj)) else: combined_zone.combine(obj) else: log.fatal("Unknown reader type %s", reader_type) except FirewallError as msg: log.error("Failed to load %s file '%s': %s", reader_type, name, msg) except Exception as msg: log.error("Failed to load %s file '%s':", reader_type, name) log.exception() if combine == True and combined_zone.combined == True: if combined_zone.name in self.zone.get_zones(): orig_obj = self.zone.get_zone(combined_zone.name) log.debug1(" Overloading and deactivating %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) try: self.zone.remove_zone(combined_zone.name) except: pass self.config.forget_zone(combined_zone.name) self.zone.add_zone(combined_zone)
def icmptype_writer(icmptype, path=None): _path = path if path else icmptype.path if icmptype.filename: name = "%s/%s" % (_path, icmptype.filename) else: name = "%s/%s.xml" % (_path, icmptype.name) if os.path.exists(name): try: shutil.copy2(name, "%s.old" % name) except Exception as msg: log.error("Backup of file '%s' failed: %s", name, msg) dirpath = os.path.dirname(name) if dirpath.startswith( config.ETC_FIREWALLD) and not os.path.exists(dirpath): if not os.path.exists(config.ETC_FIREWALLD): os.mkdir(config.ETC_FIREWALLD, 0o750) os.mkdir(dirpath, 0o750) f = io.open(name, mode='wt', encoding='UTF-8') handler = IO_Object_XMLGenerator(f) handler.startDocument() # start icmptype element attrs = {} if icmptype.version and icmptype.version != "": attrs["version"] = icmptype.version handler.startElement("icmptype", attrs) handler.ignorableWhitespace("\n") # short if icmptype.short and icmptype.short != "": handler.ignorableWhitespace(" ") handler.startElement("short", {}) handler.characters(icmptype.short) handler.endElement("short") handler.ignorableWhitespace("\n") # description if icmptype.description and icmptype.description != "": handler.ignorableWhitespace(" ") handler.startElement("description", {}) handler.characters(icmptype.description) handler.endElement("description") handler.ignorableWhitespace("\n") # destination if icmptype.destination: handler.ignorableWhitespace(" ") attrs = {} for x in icmptype.destination: attrs[x] = "yes" handler.simpleElement("destination", attrs) handler.ignorableWhitespace("\n") # end icmptype element handler.endElement('icmptype') handler.ignorableWhitespace("\n") handler.endDocument() f.close() del handler
def read(self): self.clear() try: f = open(self.filename, "r") except Exception as msg: log.error("Failed to load '%s': %s", self.filename, msg) self.set("DefaultZone", config.FALLBACK_ZONE) self.set("MinimalMark", str(config.FALLBACK_MINIMAL_MARK)) self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no") self.set("Lockdown", "yes" if config.FALLBACK_LOCKDOWN else "no") self.set("IPv6_rpfilter","yes" if config.FALLBACK_IPV6_RPFILTER else "no") self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no") self.set("LogDenied", config.FALLBACK_LOG_DENIED) self.set("AutomaticHelpers", config.FALLBACK_AUTOMATIC_HELPERS) self.set("FirewallBackend", config.FALLBACK_FIREWALL_BACKEND) self.set("FlushAllOnReload", "yes" if config.FALLBACK_FLUSH_ALL_ON_RELOAD else "no") self.set("RFC3964_IPv4", "yes" if config.FALLBACK_RFC3964_IPV4 else "no") raise for line in f: if not line: break line = line.strip() if len(line) < 1 or line[0] in ['#', ';']: continue # get key/value pair pair = [ x.strip() for x in line.split("=") ] if len(pair) != 2: log.error("Invalid option definition: '%s'", line.strip()) continue elif pair[0] not in valid_keys: log.error("Invalid option: '%s'", line.strip()) continue elif pair[1] == '': log.error("Missing value: '%s'", line.strip()) continue elif self._config.get(pair[0]) is not None: log.error("Duplicate option definition: '%s'", line.strip()) continue self._config[pair[0]] = pair[1] f.close() # check default zone if not self.get("DefaultZone"): log.error("DefaultZone is not set, using default value '%s'", config.FALLBACK_ZONE) self.set("DefaultZone", str(config.FALLBACK_ZONE)) # check minimal mark value = self.get("MinimalMark") try: int(value) except (ValueError, TypeError): if value is not None: log.warning("MinimalMark '%s' is not valid, using default " "value '%d'", value if value else '', config.FALLBACK_MINIMAL_MARK) self.set("MinimalMark", str(config.FALLBACK_MINIMAL_MARK)) # check cleanup on exit value = self.get("CleanupOnExit") if not value or value.lower() not in [ "no", "false", "yes", "true" ]: if value is not None: log.warning("CleanupOnExit '%s' is not valid, using default " "value %s", value if value else '', config.FALLBACK_CLEANUP_ON_EXIT) self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no") # check lockdown value = self.get("Lockdown") if not value or value.lower() not in [ "yes", "true", "no", "false" ]: if value is not None: log.warning("Lockdown '%s' is not valid, using default " "value %s", value if value else '', config.FALLBACK_LOCKDOWN) self.set("Lockdown", "yes" if config.FALLBACK_LOCKDOWN else "no") # check ipv6_rpfilter value = self.get("IPv6_rpfilter") if not value or value.lower() not in [ "yes", "true", "no", "false" ]: if value is not None: log.warning("IPv6_rpfilter '%s' is not valid, using default " "value %s", value if value else '', config.FALLBACK_IPV6_RPFILTER) self.set("IPv6_rpfilter","yes" if config.FALLBACK_IPV6_RPFILTER else "no") # check individual calls value = self.get("IndividualCalls") if not value or value.lower() not in [ "yes", "true", "no", "false" ]: if value is not None: log.warning("IndividualCalls '%s' is not valid, using default " "value %s", value if value else '', config.FALLBACK_INDIVIDUAL_CALLS) self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no") # check log denied value = self.get("LogDenied") if not value or value not in config.LOG_DENIED_VALUES: if value is not None: log.warning("LogDenied '%s' is invalid, using default value '%s'", value, config.FALLBACK_LOG_DENIED) self.set("LogDenied", str(config.FALLBACK_LOG_DENIED)) # check automatic helpers value = self.get("AutomaticHelpers") if not value or value.lower() not in config.AUTOMATIC_HELPERS_VALUES: if value is not None: log.warning("AutomaticHelpers '%s' is not valid, using default " "value %s", value if value else '', config.FALLBACK_AUTOMATIC_HELPERS) self.set("AutomaticHelpers", str(config.FALLBACK_AUTOMATIC_HELPERS)) value = self.get("FirewallBackend") if not value or value.lower() not in config.FIREWALL_BACKEND_VALUES: if value is not None: log.warning("FirewallBackend '%s' is not valid, using default " "value %s", value if value else '', config.FALLBACK_FIREWALL_BACKEND) self.set("FirewallBackend", str(config.FALLBACK_FIREWALL_BACKEND)) value = self.get("FlushAllOnReload") if not value or value.lower() not in [ "yes", "true", "no", "false" ]: if value is not None: log.warning("FlushAllOnReload '%s' is not valid, using default " "value %s", value if value else '', config.FALLBACK_FLUSH_ALL_ON_RELOAD) self.set("FlushAllOnReload", str(config.FALLBACK_FLUSH_ALL_ON_RELOAD)) value = self.get("RFC3964_IPv4") if not value or value.lower() not in [ "yes", "true", "no", "false" ]: if value is not None: log.warning("RFC3964_IPv4 '%s' is not valid, using default " "value %s", value if value else '', config.FALLBACK_RFC3964_IPV4) self.set("RFC3964_IPv4", str(config.FALLBACK_RFC3964_IPV4))
def zone_writer(zone, path=None): _path = path if path else zone.path if zone.filename: name = "%s/%s" % (_path, zone.filename) else: name = "%s/%s.xml" % (_path, zone.name) if os.path.exists(name): try: shutil.copy2(name, "%s.old" % name) except Exception as msg: log.error("Backup of file '%s' failed: %s", name, msg) dirpath = os.path.dirname(name) if dirpath.startswith(ETC_FIREWALLD) and not os.path.exists(dirpath): if not os.path.exists(ETC_FIREWALLD): os.mkdir(ETC_FIREWALLD, 0o750) os.mkdir(dirpath, 0o750) f = io.open(name, mode='wt', encoding='UTF-8') handler = IO_Object_XMLGenerator(f) handler.startDocument() # start zone element attrs = {} if zone.version and zone.version != "": attrs["version"] = zone.version if zone.target != DEFAULT_ZONE_TARGET: attrs["target"] = zone.target handler.startElement("zone", attrs) handler.ignorableWhitespace("\n") # short if zone.short and zone.short != "": handler.ignorableWhitespace(" ") handler.startElement("short", { }) handler.characters(zone.short) handler.endElement("short") handler.ignorableWhitespace("\n") # description if zone.description and zone.description != "": handler.ignorableWhitespace(" ") handler.startElement("description", { }) handler.characters(zone.description) handler.endElement("description") handler.ignorableWhitespace("\n") # interfaces for interface in uniqify(zone.interfaces): handler.ignorableWhitespace(" ") handler.simpleElement("interface", { "name": interface }) handler.ignorableWhitespace("\n") # source for source in uniqify(zone.sources): handler.ignorableWhitespace(" ") if "ipset:" in source: handler.simpleElement("source", { "ipset": source[6:] }) else: handler.simpleElement("source", { "address": source }) handler.ignorableWhitespace("\n") # services for service in uniqify(zone.services): handler.ignorableWhitespace(" ") handler.simpleElement("service", { "name": service }) handler.ignorableWhitespace("\n") # ports for port in uniqify(zone.ports): handler.ignorableWhitespace(" ") handler.simpleElement("port", { "port": port[0], "protocol": port[1] }) handler.ignorableWhitespace("\n") # protocols for protocol in uniqify(zone.protocols): handler.ignorableWhitespace(" ") handler.simpleElement("protocol", { "value": protocol }) handler.ignorableWhitespace("\n") # icmp-block-inversion if zone.icmp_block_inversion: handler.ignorableWhitespace(" ") handler.simpleElement("icmp-block-inversion", { }) handler.ignorableWhitespace("\n") # icmp-blocks for icmp in uniqify(zone.icmp_blocks): handler.ignorableWhitespace(" ") handler.simpleElement("icmp-block", { "name": icmp }) handler.ignorableWhitespace("\n") # masquerade if zone.masquerade: handler.ignorableWhitespace(" ") handler.simpleElement("masquerade", { }) handler.ignorableWhitespace("\n") # forward-ports for forward in uniqify(zone.forward_ports): handler.ignorableWhitespace(" ") attrs = { "port": forward[0], "protocol": forward[1] } if forward[2] and forward[2] != "" : attrs["to-port"] = forward[2] if forward[3] and forward[3] != "" : attrs["to-addr"] = forward[3] handler.simpleElement("forward-port", attrs) handler.ignorableWhitespace("\n") # source-ports for port in uniqify(zone.source_ports): handler.ignorableWhitespace(" ") handler.simpleElement("source-port", { "port": port[0], "protocol": port[1] }) handler.ignorableWhitespace("\n") # rules for rule in zone.rules: attrs = { } if rule.family: attrs["family"] = rule.family handler.ignorableWhitespace(" ") handler.startElement("rule", attrs) handler.ignorableWhitespace("\n") # source if rule.source: attrs = { } if rule.source.addr: attrs["address"] = rule.source.addr if rule.source.mac: attrs["mac"] = rule.source.mac if rule.source.ipset: attrs["ipset"] = rule.source.ipset if rule.source.invert: attrs["invert"] = "True" handler.ignorableWhitespace(" ") handler.simpleElement("source", attrs) handler.ignorableWhitespace("\n") # destination if rule.destination: attrs = { "address": rule.destination.addr } if rule.destination.invert: attrs["invert"] = "True" handler.ignorableWhitespace(" ") handler.simpleElement("destination", attrs) handler.ignorableWhitespace("\n") # element if rule.element: element = "" attrs = { } if type(rule.element) == rich.Rich_Service: element = "service" attrs["name"] = rule.element.name elif type(rule.element) == rich.Rich_Port: element = "port" attrs["port"] = rule.element.port attrs["protocol"] = rule.element.protocol elif type(rule.element) == rich.Rich_Protocol: element = "protocol" attrs["value"] = rule.element.value elif type(rule.element) == rich.Rich_Masquerade: element = "masquerade" elif type(rule.element) == rich.Rich_IcmpBlock: element = "icmp-block" attrs["name"] = rule.element.name elif type(rule.element) == rich.Rich_ForwardPort: element = "forward-port" attrs["port"] = rule.element.port attrs["protocol"] = rule.element.protocol if rule.element.to_port != "": attrs["to-port"] = rule.element.to_port if rule.element.to_address != "": attrs["to-addr"] = rule.element.to_address elif type(rule.element) == rich.Rich_SourcePort: element = "source-port" attrs["port"] = rule.element.port attrs["protocol"] = rule.element.protocol else: log.warning("Unknown element '%s'", type(rule.element)) handler.ignorableWhitespace(" ") handler.simpleElement(element, attrs) handler.ignorableWhitespace("\n") # rule.element # log if rule.log: attrs = { } if rule.log.prefix: attrs["prefix"] = rule.log.prefix if rule.log.level: attrs["level"] = rule.log.level if rule.log.limit: handler.ignorableWhitespace(" ") handler.startElement("log", attrs) handler.ignorableWhitespace("\n ") handler.simpleElement("limit", { "value": rule.log.limit.value }) handler.ignorableWhitespace("\n ") handler.endElement("log") else: handler.ignorableWhitespace(" ") handler.simpleElement("log", attrs) handler.ignorableWhitespace("\n") # audit if rule.audit: attrs = {} if rule.audit.limit: handler.ignorableWhitespace(" ") handler.startElement("audit", { }) handler.ignorableWhitespace("\n ") handler.simpleElement("limit", { "value": rule.audit.limit.value }) handler.ignorableWhitespace("\n ") handler.endElement("audit") else: handler.ignorableWhitespace(" ") handler.simpleElement("audit", attrs) handler.ignorableWhitespace("\n") # action if rule.action: action = "" attrs = { } if type(rule.action) == rich.Rich_Accept: action = "accept" elif type(rule.action) == rich.Rich_Reject: action = "reject" if rule.action.type: attrs["type"] = rule.action.type elif type(rule.action) == rich.Rich_Drop: action = "drop" elif type(rule.action) == rich.Rich_Mark: action = "mark" attrs["set"] = rule.action.set else: log.warning("Unknown action '%s'", type(rule.action)) if rule.action.limit: handler.ignorableWhitespace(" ") handler.startElement(action, attrs) handler.ignorableWhitespace("\n ") handler.simpleElement("limit", { "value": rule.action.limit.value }) handler.ignorableWhitespace("\n ") handler.endElement(action) else: handler.ignorableWhitespace(" ") handler.simpleElement(action, attrs) handler.ignorableWhitespace("\n") handler.ignorableWhitespace(" ") handler.endElement("rule") handler.ignorableWhitespace("\n") # end zone element handler.endElement("zone") handler.ignorableWhitespace("\n") handler.endDocument() f.close() del handler
def startElement(self, name, attrs): IO_Object_ContentHandler.startElement(self, name) if self._rule_error: return self.item.parser_check_element_attrs(name, attrs) if name == "zone": if "name" in attrs: log.warning("Ignoring deprecated attribute name='%s'" % attrs["name"]) if "version" in attrs: self.item.version = attrs["version"] if "immutable" in attrs: log.warning("Ignoring deprecated attribute immutable='%s'" % attrs["immutable"]) if "target" in attrs: target = attrs["target"] if target not in ZONE_TARGETS: raise FirewallError(INVALID_TARGET, target) if target != "" and target != DEFAULT_ZONE_TARGET: self.item.target = target elif name == "short": pass elif name == "description": pass elif name == "service": if self._rule: if self._rule.element: log.error('Invalid rule: More than one element, ignoring.') self._rule_error = True return self._rule.element = Rich_Service(attrs["name"]) return if attrs["name"] not in self.item.services: self.item.services.append(attrs["name"]) elif name == "port": if self._rule: if self._rule.element: log.error('Invalid rule: More than one element, ignoring.') self._rule_error = True return self._rule.element = Rich_Port(attrs["port"], attrs["protocol"]) return # TODO: fix port string according to fw_zone.__port_id() entry = (attrs["port"], attrs["protocol"]) if entry not in self.item.ports: self.item.ports.append(entry) elif name == "protocol": if self._rule: if self._rule.element: log.error('Invalid rule: More than one element, ignoring.') self._rule_error = True return self._rule.element = Rich_Protocol(attrs["value"]) else: log.error('Protocol allowed only in rule.') if attrs["value"] not in self.item.protocols: self.item.protocols.append(attrs["value"]) elif name == "icmp-block": if self._rule: if self._rule.element: log.error('Invalid rule: More than one element, ignoring.') self._rule_error = True return self._rule.element = Rich_IcmpBlock(attrs["name"]) return if attrs["name"] not in self.item.icmp_blocks: self.item.icmp_blocks.append(attrs["name"]) elif name == "masquerade": if "enabled" in attrs: log.warning("Ignoring deprecated attribute enabled='%s'" % attrs["enabled"]) if self._rule: if self._rule.element: log.error('Invalid rule: More than one element, ignoring.') self._rule_error = True return self._rule.element = Rich_Masquerade() else: self.item.masquerade = True elif name == "forward-port": to_port = "" if "to-port" in attrs: to_port = attrs["to-port"] to_addr = "" if "to-addr" in attrs: to_addr = attrs["to-addr"] if self._rule: if self._rule.element: log.error('Invalid rule: More than one element, ignoring.') self._rule_error = True return self._rule.element = Rich_ForwardPort(attrs["port"], attrs["protocol"], to_port, to_addr) return # TODO: fix port string according to fw_zone.__forward_port_id() entry = (attrs["port"], attrs["protocol"], to_port, to_addr) if entry not in self.item.forward_ports: self.item.forward_ports.append(entry) elif name == "interface": if self._rule: log.error('Invalid rule: interface use in rule.') self._rule_error = True return # zone bound to interface if "name" not in attrs: log.error('Invalid interface: Name missing.') self._rule_error = True return name = attrs["name"] if name not in self.item.interfaces: self.item.interfaces.append(name) elif name == "source": if self._rule: if self._rule.source: log.error('Invalid rule: More than one source') self._rule_error = True return invert = False if "invert" in attrs and \ attrs["invert"].lower() in [ "yes", "true" ]: invert = True self._rule.source = Rich_Source(attrs["address"], invert) return # zone bound to source if "address" not in attrs: log.error('Invalid source: Address missing.') return if "family" in attrs: log.warning("Ignoring deprecated attribute family='%s'" % attrs["family"]) if "invert" in attrs: log.error('Invalid source: Invertion not allowed here.') return entry = attrs["address"] if entry not in self.item.sources: self.item.sources.append(entry) elif name == "destination": if not self._rule: log.error('Invalid rule: Destination outside of rule') self._rule_error = True return if self._rule.destination: log.error('Invalid rule: More than one destination') return invert = False if "invert" in attrs and \ attrs["invert"].lower() in [ "yes", "true" ]: invert = True self._rule.destination = Rich_Destination(attrs["address"], invert) elif name in ["accept", "reject", "drop"]: if not self._rule: log.error('Invalid rule: Action outside of rule') self._rule_error = True return if self._rule.action: log.error('Invalid rule: More than one action') self._rule_error = True return if name == "accept": self._rule.action = Rich_Accept() if name == "reject": _type = None if "type" in attrs: _type = attrs["type"] self._rule.action = Rich_Reject(_type) if name == "drop": self._rule.action = Rich_Drop() self._limit_ok = self._rule.action elif name == "log": if not self._rule: log.error('Invalid rule: Log outside of rule') return if self._rule.log: log.error('Invalid rule: More than one log') return level = None if "level" in attrs: level = attrs["level"] if level not in [ "emerg", "alert", "crit", "error", "warning", "notice", "info", "debug" ]: log.error('Invalid rule: Invalid log level') self._rule_error = True return prefix = attrs["prefix"] if "prefix" in attrs else None self._rule.log = Rich_Log(prefix, level) self._limit_ok = self._rule.log elif name == "audit": if not self._rule: log.error('Invalid rule: Audit outside of rule') return if self._rule.audit: log.error('Invalid rule: More than one audit') self._rule_error = True return self._rule.audit = Rich_Audit() self._limit_ok = self._rule.audit elif name == "rule": family = None if "family" in attrs: family = attrs["family"] if family not in ["ipv4", "ipv6"]: log.error('Invalid rule: Rule family "%s" invalid' % attrs["family"]) self._rule_error = True return self._rule = Rich_Rule(family) self.item.rules.append(self._rule) elif name == "limit": if not self._limit_ok: log.error( 'Invalid rule: Limit outside of action, log and audit') self._rule_error = True return if self._limit_ok.limit: log.error('Invalid rule: More than one limit') self._rule_error = True return value = attrs["value"] self._limit_ok.limit = Rich_Limit(value) else: log.error('Unknown XML element %s' % name) return
def update_service_from_path(self, name): filename = os.path.basename(name) path = os.path.dirname(name) if not os.path.exists(name): # removed file if path == config.ETC_FIREWALLD_SERVICES: # removed custom service for x in self._services.keys(): obj = self._services[x] if obj.filename == filename: del self._services[x] if obj.name in self._builtin_services: return ("update", self._builtin_services[obj.name]) return ("remove", obj) else: # removed builtin service for x in self._builtin_services.keys(): obj = self._builtin_services[x] if obj.filename == filename: del self._builtin_services[x] if obj.name not in self._services: # update dbus service return ("remove", obj) else: # builtin hidden, no update needed return (None, None) # service not known to firewalld, yet (timeout, ..) return (None, None) # new or updated file log.debug1("Loading service file '%s'", name) try: obj = service_reader(filename, path) except Exception as msg: log.error("Failed to load service file '%s': %s", filename, msg) return (None, None) # new service if obj.name not in self._builtin_services and obj.name not in self._services: self.add_service(obj) return ("new", obj) # updated service if path == config.ETC_FIREWALLD_SERVICES: # custom service update if obj.name in self._services: obj.default = self._services[obj.name].default self._services[obj.name] = obj return ("update", obj) else: if obj.name in self._builtin_services: # builtin service update del self._builtin_services[obj.name] self._builtin_services[obj.name] = obj if obj.name not in self._services: # update dbus service return ("update", obj) else: # builtin hidden, no update needed return (None, None) # service not known to firewalld, yet (timeout, ..) return (None, None)
def execute(self, enable): log.debug4("%s.execute(%s)" % (type(self), enable)) rules, modules = self.prepare(enable) # pre self.pre() # stage 1: apply rules error = False errorMsg = "" done = [] for backend_name in rules: try: self.fw.rules(backend_name, rules[backend_name]) except Exception as msg: error = True errorMsg = msg log.debug1(traceback.format_exc()) log.error(msg) else: done.append(backend_name) # stage 2: load modules if not error: module_return = self.fw.handle_modules(modules, enable) if module_return: (cleanup_modules, msg) = module_return if cleanup_modules is not None: error = True errorMsg = msg self.fw.handle_modules(cleanup_modules, not enable) # error case: revert rules if error: undo_rules = {} for backend_name in done: undo_rules[backend_name] = [] for rule in reversed(rules[backend_name]): undo_rules[backend_name].append( self.fw.get_backend_by_name(backend_name).reverse_rule( rule)) for backend_name in undo_rules: try: self.fw.rules(backend_name, undo_rules[backend_name]) except Exception as msg: log.debug1(traceback.format_exc()) log.error(msg) # call failure functions for (func, args) in self.fail_funcs: try: func(*args) except Exception as msg: log.debug1(traceback.format_exc()) log.error("Calling fail func %s(%s) failed: %s" % \ (func, args, msg)) raise FirewallError(errors.COMMAND_FAILED, errorMsg) # post self.post()
def ipset_writer(ipset, path=None): _path = path if path else ipset.path if ipset.filename: name = "%s/%s" % (_path, ipset.filename) else: name = "%s/%s.xml" % (_path, ipset.name) if os.path.exists(name): try: shutil.copy2(name, "%s.old" % name) except Exception as msg: log.error("Backup of file '%s' failed: %s", name, msg) dirpath = os.path.dirname(name) if dirpath.startswith( config.ETC_FIREWALLD) and not os.path.exists(dirpath): if not os.path.exists(config.ETC_FIREWALLD): os.mkdir(config.ETC_FIREWALLD, 0o750) os.mkdir(dirpath, 0o750) f = io.open(name, mode='wt', encoding='UTF-8') handler = IO_Object_XMLGenerator(f) handler.startDocument() # start ipset element attrs = {"type": ipset.type} if ipset.version and ipset.version != "": attrs["version"] = ipset.version handler.startElement("ipset", attrs) handler.ignorableWhitespace("\n") # short if ipset.short and ipset.short != "": handler.ignorableWhitespace(" ") handler.startElement("short", {}) handler.characters(ipset.short) handler.endElement("short") handler.ignorableWhitespace("\n") # description if ipset.description and ipset.description != "": handler.ignorableWhitespace(" ") handler.startElement("description", {}) handler.characters(ipset.description) handler.endElement("description") handler.ignorableWhitespace("\n") # options for key, value in ipset.options.items(): handler.ignorableWhitespace(" ") if value != "": handler.simpleElement("option", {"name": key, "value": value}) else: handler.simpleElement("option", {"name": key}) handler.ignorableWhitespace("\n") # entries for entry in ipset.entries: handler.ignorableWhitespace(" ") handler.startElement("entry", {}) handler.characters(entry) handler.endElement("entry") handler.ignorableWhitespace("\n") # end ipset element handler.endElement('ipset') handler.ignorableWhitespace("\n") handler.endDocument() f.close() del handler