def _TranslatePolicy(self, pol, exp_info):
self.pcap_policies = []
current_date = datetime.datetime.utcnow().date()
exp_info_date = current_date + datetime.timedelta(weeks=exp_info)
good_afs = ['inet', 'inet6', 'mixed']
good_options = ['in', 'out']
direction = ''
for header, terms in pol.filters:
filter_type = None
if self._PLATFORM not in header.platforms:
continue
filter_options = header.FilterOptions(self._PLATFORM)[1:]
filter_name = header.FilterName(self._PLATFORM)
# ensure all options after the filter name are expected
for opt in filter_options:
if opt not in good_afs + good_options:
raise UnsupportedTargetOption(
'%s %s %s %s' %
('\nUnsupported option found in', self._PLATFORM,
'target definition:', opt))
if 'in' in filter_options:
direction = 'in'
elif 'out' in filter_options:
direction = 'out'
# Check for matching af
for address_family in good_afs:
if address_family in filter_options:
# should not specify more than one AF in options
if filter_type is not None:
raise aclgenerator.UnsupportedFilterError(
'%s %s %s %s' %
('\nMay only specify one of', good_afs,
'in filter options:', filter_options))
filter_type = address_family
if filter_type is None:
filter_type = 'mixed'
# add the terms
accept_terms = []
deny_terms = []
term_names = set()
for term in terms:
if term.name in term_names:
raise aclgenerator.DuplicateTermError(
'You have a duplicate term: %s' % term.name)
if term.expiration:
if term.expiration <= exp_info_date:
logging.info(
'INFO: Term %s in policy %s expires '
'in less than two weeks.', term.name, filter_name)
if term.expiration <= current_date:
logging.warn(
'WARNING: Term %s in policy %s is expired and '
'will not be rendered.', term.name, filter_name)
continue
if not term:
continue
if term.action[0] == 'accept':
accept_terms.append(
self._TERM(term, filter_name, filter_type, direction))
elif term.action[0] == 'deny' or term.action[0] == 'reject':
deny_terms.append(
self._TERM(term, filter_name, filter_type, direction))
self.pcap_policies.append(
(header, filter_name, filter_type, accept_terms, deny_terms))
def _TranslatePolicy(self, pol, exp_info):
"""Translate a policy from objects into strings."""
self.windows_policies = []
current_date = datetime.datetime.utcnow().date()
exp_info_date = current_date + datetime.timedelta(weeks=exp_info)
default_action = None
good_default_actions = ['permit', 'block']
good_options = []
for header, terms in pol.filters:
filter_type = None
if self._PLATFORM not in header.platforms:
continue
filter_options = header.FilterOptions(self._PLATFORM)[1:]
filter_name = header.FilterName(self._PLATFORM)
# ensure all options after the filter name are expected
for opt in filter_options:
if opt not in good_default_actions + self._GOOD_AFS + good_options:
raise aclgenerator.UnsupportedTargetOption(
'%s %s %s %s' %
('\nUnsupported option found in', self._PLATFORM,
'target definition:', opt))
# Check for matching af
for address_family in self._GOOD_AFS:
if address_family in filter_options:
# should not specify more than one AF in options
if filter_type is not None:
raise aclgenerator.UnsupportedFilterError(
'%s %s %s %s' %
('\nMay only specify one of', self._GOOD_AFS,
'in filter options:', filter_options))
filter_type = address_family
if filter_type is None:
filter_type = 'inet'
# does this policy override the default filter actions?
for next_target in header.target:
if next_target.platform == self._PLATFORM:
if len(next_target.options) > 1:
for arg in next_target.options:
if arg in good_default_actions:
default_action = arg
if default_action and default_action not in good_default_actions:
raise aclgenerator.UnsupportedDefaultAction(
'%s %s %s %s %s' %
('\nOnly', ', '.join(good_default_actions),
'default filter action allowed;', default_action,
'used.'))
# add the terms
new_terms = []
term_names = set()
for term in terms:
if term.name in term_names:
raise aclgenerator.DuplicateTermError(
'You have a duplicate term: %s' % term.name)
term_names.add(term.name)
if term.expiration:
if term.expiration <= exp_info_date:
logging.info(
'INFO: Term %s in policy %s expires '
'in less than two weeks.', term.name, filter_name)
if term.expiration <= current_date:
logging.warn(
'WARNING: Term %s in policy %s is expired and '
'will not be rendered.', term.name, filter_name)
continue
new_terms.append(
self._TERM(term, filter_name, default_action, filter_type))
self.windows_policies.append(
(header, filter_name, filter_type, default_action, new_terms))
def _TranslatePolicy(self, pol, exp_info):
"""Translate a policy from objects into strings."""
self.iptables_policies = []
current_date = datetime.datetime.utcnow().date()
exp_info_date = current_date + datetime.timedelta(weeks=exp_info)
default_action = None
good_default_actions = ['ACCEPT', 'DROP']
good_afs = ['inet', 'inet6']
good_options = ['nostate', 'abbreviateterms', 'truncateterms', 'noverbose']
all_protocols_stateful = True
self.verbose = True
for header, terms in pol.filters:
filter_type = None
if self._PLATFORM not in header.platforms:
continue
filter_options = header.FilterOptions(self._PLATFORM)[1:]
filter_name = header.FilterName(self._PLATFORM)
self._WarnIfCustomTarget(filter_name)
# ensure all options after the filter name are expected
for opt in filter_options:
if opt not in good_default_actions + good_afs + good_options:
raise UnsupportedTargetOption('%s %s %s %s' % (
'\nUnsupported option found in', self._PLATFORM,
'target definition:', opt))
# disable stateful?
if 'nostate' in filter_options:
all_protocols_stateful = False
if 'noverbose' in filter_options:
self.verbose = False
# Check for matching af
for address_family in good_afs:
if address_family in filter_options:
# should not specify more than one AF in options
if filter_type is not None:
raise UnsupportedFilterError('%s %s %s %s' % (
'\nMay only specify one of', good_afs, 'in filter options:',
filter_options))
filter_type = address_family
if filter_type is None:
filter_type = 'inet'
if self._PLATFORM == 'iptables' and filter_name == 'FORWARD':
default_action = 'DROP'
# does this policy override the default filter actions?
for next_target in header.target:
if next_target.platform == self._PLATFORM:
if len(next_target.options) > 1:
for arg in next_target.options:
if arg in good_default_actions:
default_action = arg
if default_action and default_action not in good_default_actions:
raise UnsupportedDefaultAction('%s %s %s %s %s' % (
'\nOnly', ', '.join(good_default_actions),
'default filter action allowed;', default_action, 'used.'))
# add the terms
new_terms = []
term_names = set()
for term in terms:
term.name = self.FixTermLength(term.name,
'abbreviateterms' in filter_options,
'truncateterms' in filter_options)
if term.name in term_names:
raise aclgenerator.DuplicateTermError(
'You have a duplicate term: %s' % term.name)
term_names.add(term.name)
term = self.FixHighPorts(term, af=filter_type,
all_protocols_stateful=all_protocols_stateful)
if not term:
continue
if term.expiration:
if term.expiration <= exp_info_date:
logging.info('INFO: Term %s in policy %s expires '
'in less than two weeks.', term.name, filter_name)
if term.expiration <= current_date:
logging.warn('WARNING: Term %s in policy %s is expired and '
'will not be rendered.', term.name, filter_name)
continue
new_terms.append(self._TERM(term, filter_name, all_protocols_stateful,
default_action, filter_type, self.verbose))
self.iptables_policies.append((header, filter_name, filter_type,
default_action, new_terms))
def _TranslatePolicy(self, pol, exp_info):
self.pf_policies = []
self.address_book = {}
current_date = datetime.datetime.utcnow().date()
exp_info_date = current_date + datetime.timedelta(weeks=exp_info)
good_afs = ['inet', 'inet6', 'mixed']
good_options = ['in', 'out', 'nostate']
all_protocols_stateful = True
for header, terms in pol.filters:
filter_type = None
if self._PLATFORM not in header.platforms:
continue
filter_options = header.FilterOptions(self._PLATFORM)[1:]
filter_name = header.FilterName(self._PLATFORM)
direction = ''
# ensure all options after the filter name are expected
for opt in filter_options:
if opt not in good_afs + good_options:
raise aclgenerator.UnsupportedTargetOption(
'%s %s %s %s' %
('\nUnsupported option found in', self._PLATFORM,
'target definition:', opt))
# pf will automatically add 'keep state flags S/SA' to all TCP connections
# by default.
if 'nostate' in filter_options:
all_protocols_stateful = False
if 'in' in filter_options:
direction = 'in'
elif 'out' in filter_options:
direction = 'out'
# Check for matching af
for address_family in good_afs:
if address_family in filter_options:
# should not specify more than one AF in options
if filter_type is not None:
raise aclgenerator.UnsupportedFilterError(
'%s %s %s %s' %
('\nMay only specify one of', good_afs,
'in filter options:', filter_options))
filter_type = address_family
if filter_type is None:
filter_type = 'inet'
# add the terms
new_terms = []
term_names = set()
for term in terms:
term.name = self.FixTermLength(term.name)
if term.name in term_names:
raise aclgenerator.DuplicateTermError(
'You have a duplicate term: %s' % term.name)
for source_addr in term.source_address:
if source_addr.parent_token not in self.address_book:
self.address_book[source_addr.parent_token] = set(
[source_addr])
else:
self.address_book[source_addr.parent_token].add(
source_addr)
for dest_addr in term.destination_address:
if dest_addr.parent_token not in self.address_book:
self.address_book[dest_addr.parent_token] = set(
[dest_addr])
else:
self.address_book[dest_addr.parent_token].add(
dest_addr)
if not term:
continue
if term.expiration:
if term.expiration <= exp_info_date:
logging.info(
'INFO: Term %s in policy %s expires '
'in less than two weeks.', term.name, filter_name)
if term.expiration <= current_date:
logging.warn(
'WARNING: Term %s in policy %s is expired and '
'will not be rendered.', term.name, filter_name)
continue
new_terms.append(
self._TERM(term, filter_name, all_protocols_stateful,
filter_type, direction))
shortened_deduped_list = {}
for key in self.address_book:
if len(key) > self._TABLE_NAME_MAX_LENGTH:
name = key[:self._TABLE_NAME_MAX_LENGTH]
else:
name = key
if name in shortened_deduped_list.keys():
raise DuplicateShortenedTableName(
'The shortened name %s has a collision.', name)
else:
shortened_deduped_list[name] = self.address_book[key]
self.address_book = shortened_deduped_list
self.pf_policies.append(
(header, filter_name, filter_type, new_terms))