def _applyMultisiteThread(component, context, template_content, generic_links, netcfg): logger = ContextLoggerChild(context, component) lock_manager = component.core.lock_manager use_template = bool(template_content) config = component.config use_nufw = (config['global']['firewall_type'] == NUFW_GATEWAY) last_ruleset = lastRulesetApplied() ruleset_name = last_ruleset.get('ruleset') # Create transactions transactions = [] if use_template: # Write the new multisite template content write_template = WriteTemplate(logger, MULTISITE_TEMPLATE_FILENAME, template_content) transactions.append(write_template) transactions.append(WriteGenericLinks(generic_links, logger)) if use_template and (not ruleset_name): # There is not production ruleset: # create an empty ruleset using the template create_empty = CreateEmptyRuleset(logger, component, netcfg) transactions.append(create_empty) else: create_empty = None # Replace the template in all existing rulesets replace = replaceTemplateTransactions(logger, component, netcfg, MULTISITE_TEMPLATE_NAME, use_template) transactions.append(replace) # Reapply the ruleset apply = ApplyRuleset(logger, component, context, netcfg, ruleset_name, use_nufw) transactions.append(apply) if create_empty: create_empty.name_callbacks.append(apply.setRuleset) # The new ruleset is now the production ruleset save = SaveRuleset(None, use_nufw) transactions.append(save) create_empty.name_callbacks.append(save.setRuleset) if (not use_template) and exists(MULTISITE_TEMPLATE_FILENAME): # Remove the multisite template remove = RemoveTemplate(logger, MULTISITE_TEMPLATE_FILENAME) transactions.append(remove) lock_manager.acquire(context, LOCK_RULESET) try: executeTransactions(logger, transactions) finally: lock_manager.release(context, LOCK_RULESET)
def applyRulesThread(logger, rules_file): name = rules_file.name filter_ipv4 = WriteRules('filter', name, rules_file.ipv4_filter_rules, False, logger) mangle_ipv4 = WriteRules('mangle', name, rules_file.ipv4_mangle_rules, False, logger) nat_ipv4 = WriteRules('nat', name, rules_file.ipv4_nat_rules, False, logger) transactions = [filter_ipv4, mangle_ipv4, nat_ipv4] if USE_IPV6: filter_ipv6 = WriteRules('filter', name, rules_file.ipv6_filter_rules, True, logger) transactions.append(filter_ipv6) mangle_ipv6 = WriteRules('mangle', name, rules_file.ipv6_mangle_rules, True, logger) transactions.append(mangle_ipv6) nat_ipv6 = WriteRules('nat', name, rules_file.ipv6_nat_rules, True, logger) transactions.append(nat_ipv6) executeTransactions(logger, transactions)
def _applyRulesThread(self): if self.only_consistency: self.consistencyEngine() return self.result.exportXMLRPC() elif not self.result.ignore_consistency_error: self.consistencyEngine() if self.result.consistency_errors: return self.result.exportXMLRPC() options = IptablesOptions() options.nufw = self.use_nufw if self.ruleset_name: self.logger.critical("Apply rules: rule set %r" % self.ruleset_name) else: self.logger.critical("Apply rules: no rule set (only localfw rules)") write_ldap = WriteLdapRules(self.logger, self.config['ldap']) ufwi_ruleset_rules = { 'use_ipv6': self.use_ipv6, 'use_nufw': self.use_nufw, 'is_gateway': self.config.isGateway(), } if self.use_nufw: ufwi_ruleset_rules['ldap_config'] = self.config['ldap'] if self.use_ipv6: acls = itertools.chain(self.acls_ipv4, self.acls_ipv6) else: acls = self.acls_ipv4 ufwi_ruleset_rules['ldap_rules'] = write_ldap.createRules(acls) # TODO: disable IP forward at the beginning # TODO: FORWARD and INPUT: set policy to DROP # LDAP transactions = [] if self.use_nufw: filename = self.config['nufw']['periods_filename'] periods = TimeRangeFileTransaction(filename, self.acls_ipv4, self.acls_ipv6) transactions.append(periods) # iptables options.ipv6 = False write_iptables_ipv4 = WriteIptablesRules( self.logger, self.config, self.ipv4_default_decisions, self.acls_ipv4, self.nats, self.custom_rules, options, self.result) transactions.append(write_iptables_ipv4) ipv6_options = deepcopy(options) ipv6_options.ipv6 = True ipv6_options.deny_all = (not self.use_ipv6) write_iptables_ipv6 = WriteIptablesRules( self.logger, self.config, self.ipv6_default_decisions, self.acls_ipv6, None, self.custom_rules, ipv6_options, self.result) transactions.append(write_iptables_ipv6) # TODO: reload nuauth caches # TODO: reload nuauth periods # TODO: FORWARD and INPUT: set policy to ACCEPT write = WriteRules(self.logger, ufwi_ruleset_rules) transactions.append(write) script = RulesetScript(self.context, self.logger) transactions.append(script) save_ruleset = SaveRuleset(self.ruleset_name, self.use_nufw) transactions.append(save_ruleset) if self.ruleset \ and (self.ruleset.filename != PRODUCTION_RULESET): production = ProductionRuleset(self.ruleset.filename) transactions.append(production) executeTransactions(self.logger, transactions) self.result.applied = True return self.result.exportXMLRPC()