def _check_config(self, config, item):
if item == "ports":
for port in config:
if port[0] != "":
check_port(port[0])
check_tcpudp(port[1])
else:
# only protocol
if not checkProtocol(port[1]):
raise FirewallError(INVALID_PROTOCOL, port[1])
if item == "protocols":
for proto in config:
if not checkProtocol(proto):
raise FirewallError(INVALID_PROTOCOL, proto)
elif item == "destination":
for destination in config:
if destination not in [ "ipv4", "ipv6" ]:
raise FirewallError(INVALID_DESTINATION,
"'%s' not in {'ipv4'|'ipv6'}" % destination)
if not check_address(destination, config[destination]):
raise FirewallError(INVALID_ADDR,
"'%s' is not valid %s address" % \
(config[destination], destination))
elif item == "modules":
for module in config:
if not module.startswith("nf_conntrack_"):
raise FirewallError(INVALID_MODULE, module)
elif len(module.replace("nf_conntrack_", "")) < 1:
raise FirewallError(INVALID_MODULE, module)
def _check_config(self, config, item):
if item == "ports":
for port in config:
if port[0] != "":
check_port(port[0])
check_protocol(port[1])
else:
# only protocol
if not functions.checkProtocol(port[1]):
raise FirewallError(INVALID_PROTOCOL, port[1])
elif item == "destination":
for destination in config:
if destination not in [ "ipv4", "ipv6" ]:
raise FirewallError(INVALID_DESTINATION, destination)
if not functions.check_address(destination, config[destination]):
raise FirewallError(INVALID_ADDRESS, config[destination])
def _check_config(self, config, item):
if item == "ports":
for port in config:
if port[0] != "":
check_port(port[0])
check_protocol(port[1])
else:
# only protocol
if not functions.checkProtocol(port[1]):
raise FirewallError(INVALID_PROTOCOL, port[1])
elif item == "destination":
for destination in config:
if destination not in ["ipv4", "ipv6"]:
raise FirewallError(INVALID_DESTINATION, destination)
if not functions.check_address(destination,
config[destination]):
raise FirewallError(INVALID_ADDRESS, config[destination])
def check(self):
if self.family is not None and self.family not in ["ipv4", "ipv6"]:
raise FirewallError(INVALID_FAMILY, self.family)
if self.family is None:
if self.source is not None or self.destination is not None:
raise FirewallError(MISSING_FAMILY)
if type(self.element) == Rich_ForwardPort:
raise FirewallError(MISSING_FAMILY)
if self.element is None:
if self.action is None:
raise FirewallError(INVALID_RULE, "no element, no action")
if self.source is None:
raise FirewallError(INVALID_RULE, "no element, no source")
if self.destination is not None:
raise FirewallError(INVALID_RULE, "destination action")
if type(self.element) not in [
Rich_IcmpBlock, Rich_ForwardPort, Rich_Masquerade
]:
if self.log is None and self.audit is None and \
self.action is None:
raise FirewallError(INVALID_RULE,
"no action, no log, no audit")
# source
if self.source is not None:
if self.family is None:
raise FirewallError(INVALID_FAMILY)
if self.source.addr is None or \
not functions.check_address(self.family,
self.source.addr):
raise FirewallError(INVALID_ADDR, str(self.source.addr))
# destination
if self.destination is not None:
if self.family is None:
raise FirewallError(INVALID_FAMILY)
if self.destination.addr is None or \
not functions.check_address(self.family,
self.destination.addr):
raise FirewallError(INVALID_ADDR, str(self.destination.addr))
# service
if type(self.element) == Rich_Service:
# service availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(INVALID_SERVICE, str(self.element.name))
# port
elif type(self.element) == Rich_Port:
if not functions.check_port(self.element.port):
raise FirewallError(INVALID_PORT, self.element.port)
if not self.element.protocol in ["tcp", "udp"]:
raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
# protocol
elif type(self.element) == Rich_Protocol:
if not functions.checkProtocol(self.element.value):
raise FirewallError(INVALID_PROTOCOL, self.element.value)
# masquerade
elif type(self.element) == Rich_Masquerade:
if self.destination is not None:
raise FirewallError(INVALID_RULE, "masquerade and destination")
if self.action is not None:
raise FirewallError(INVALID_RULE, "masquerade and action")
# icmp-block
elif type(self.element) == Rich_IcmpBlock:
# icmp type availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(INVALID_ICMPTYPE, str(self.element.name))
if self.action:
raise FirewallError(INVALID_RULE, "icmp-block and action")
# forward-port
elif type(self.element) == Rich_ForwardPort:
if not functions.check_port(self.element.port):
raise FirewallError(INVALID_PORT, self.element.port)
if not self.element.protocol in ["tcp", "udp"]:
raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
if self.element.to_port == "" and self.element.to_address == "":
raise FirewallError(INVALID_PORT, self.element.to_port)
if self.element.to_port != "" and \
not functions.check_port(self.element.to_port):
raise FirewallError(INVALID_PORT, self.element.to_port)
if self.element.to_address != "" and \
not functions.check_single_address(self.family,
self.element.to_address):
raise FirewallError(INVALID_ADDR, self.element.to_address)
if self.family is None:
raise FirewallError(INVALID_FAMILY)
if self.action is not None:
raise FirewallError(INVALID_RULE, "forward-port and action")
# other element and not empty?
elif self.element is not None:
raise FirewallError(INVALID_RULE,
"Unknown element %s" % type(self.element))
# log
if self.log is not None:
if self.log.level and \
self.log.level not in [ "emerg", "alert", "crit", "error",
"warning", "notice", "info", "debug" ]:
raise FirewallError(INVALID_LOG_LEVEL, self.log.level)
if self.log.limit is not None:
self.log.limit.check()
# audit
if self.audit is not None:
if type(self.action) not in [Rich_Accept, Rich_Reject, Rich_Drop]:
raise FirewallError(INVALID_AUDIT_TYPE, type(self.action))
if self.audit.limit is not None:
self.audit.limit.check()
# action
if self.action is not None:
if type(self.action) == Rich_Reject:
self.action.check(self.family)
if self.action.limit is not None:
self.action.limit.check()
def check_protocol(protocol):
if not checkProtocol(protocol):
raise FirewallError(INVALID_PROTOCOL, protocol)
def check_protocol(protocol):
if not functions.checkProtocol(protocol):
raise FirewallError(errors.INVALID_PROTOCOL, protocol)
def check(self):
if self.family is not None and self.family not in ["ipv4", "ipv6"]:
raise FirewallError(errors.INVALID_FAMILY, self.family)
if self.family is None:
if (self.source is not None and self.source.addr is not None) or \
self.destination is not None:
raise FirewallError(errors.MISSING_FAMILY)
if type(self.element) == Rich_ForwardPort:
raise FirewallError(errors.MISSING_FAMILY)
if self.priority < self.priority_min or self.priority > self.priority_max:
raise FirewallError(errors.INVALID_PRIORITY, "'priority' attribute must be between %d and %d." \
% (self.priority_min, self.priority_max))
if self.element is None and \
(self.log is None or (self.log is not None and self.priority == 0)):
if self.action is None:
raise FirewallError(errors.INVALID_RULE,
"no element, no action")
if self.source is None and self.destination is None and self.priority == 0:
raise FirewallError(errors.INVALID_RULE,
"no element, no source, no destination")
if type(self.element) not in [
Rich_IcmpBlock, Rich_ForwardPort, Rich_Masquerade,
Rich_Tcp_Mss_Clamp
]:
if self.log is None and self.audit is None and \
self.action is None:
raise FirewallError(errors.INVALID_RULE,
"no action, no log, no audit")
# source
if self.source is not None:
if self.source.addr is not None:
if self.family is None:
raise FirewallError(errors.INVALID_FAMILY)
if self.source.mac is not None:
raise FirewallError(errors.INVALID_RULE, "address and mac")
if self.source.ipset is not None:
raise FirewallError(errors.INVALID_RULE,
"address and ipset")
if not functions.check_address(self.family, self.source.addr):
raise FirewallError(errors.INVALID_ADDR,
str(self.source.addr))
elif self.source.mac is not None:
if self.source.ipset is not None:
raise FirewallError(errors.INVALID_RULE, "mac and ipset")
if not functions.check_mac(self.source.mac):
raise FirewallError(errors.INVALID_MAC,
str(self.source.mac))
elif self.source.ipset is not None:
if not check_ipset_name(self.source.ipset):
raise FirewallError(errors.INVALID_IPSET,
str(self.source.ipset))
else:
raise FirewallError(errors.INVALID_RULE, "invalid source")
# destination
if self.destination is not None:
if self.destination.addr is not None:
if self.family is None:
raise FirewallError(errors.INVALID_FAMILY)
if self.destination.ipset is not None:
raise FirewallError(errors.INVALID_DESTINATION,
"address and ipset")
if not functions.check_address(self.family,
self.destination.addr):
raise FirewallError(errors.INVALID_ADDR,
str(self.destination.addr))
elif self.destination.ipset is not None:
if not check_ipset_name(self.destination.ipset):
raise FirewallError(errors.INVALID_IPSET,
str(self.destination.ipset))
else:
raise FirewallError(errors.INVALID_RULE, "invalid destination")
# service
if type(self.element) == Rich_Service:
# service availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(errors.INVALID_SERVICE,
str(self.element.name))
# port
elif type(self.element) == Rich_Port:
if not functions.check_port(self.element.port):
raise FirewallError(errors.INVALID_PORT, self.element.port)
if self.element.protocol not in ["tcp", "udp", "sctp", "dccp"]:
raise FirewallError(errors.INVALID_PROTOCOL,
self.element.protocol)
# protocol
elif type(self.element) == Rich_Protocol:
if not functions.checkProtocol(self.element.value):
raise FirewallError(errors.INVALID_PROTOCOL,
self.element.value)
# masquerade
elif type(self.element) == Rich_Masquerade:
if self.action is not None:
raise FirewallError(errors.INVALID_RULE,
"masquerade and action")
if self.source is not None and self.source.mac is not None:
raise FirewallError(errors.INVALID_RULE,
"masquerade and mac source")
# icmp-block
elif type(self.element) == Rich_IcmpBlock:
# icmp type availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(errors.INVALID_ICMPTYPE,
str(self.element.name))
if self.action:
raise FirewallError(errors.INVALID_RULE,
"icmp-block and action")
# icmp-type
elif type(self.element) == Rich_IcmpType:
# icmp type availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(errors.INVALID_ICMPTYPE,
str(self.element.name))
# forward-port
elif type(self.element) == Rich_ForwardPort:
if not functions.check_port(self.element.port):
raise FirewallError(errors.INVALID_PORT, self.element.port)
if self.element.protocol not in ["tcp", "udp", "sctp", "dccp"]:
raise FirewallError(errors.INVALID_PROTOCOL,
self.element.protocol)
if self.element.to_port == "" and self.element.to_address == "":
raise FirewallError(errors.INVALID_PORT, self.element.to_port)
if self.element.to_port != "" and \
not functions.check_port(self.element.to_port):
raise FirewallError(errors.INVALID_PORT, self.element.to_port)
if self.element.to_address != "" and \
not functions.check_single_address(self.family,
self.element.to_address):
raise FirewallError(errors.INVALID_ADDR,
self.element.to_address)
if self.family is None:
raise FirewallError(errors.INVALID_FAMILY)
if self.action is not None:
raise FirewallError(errors.INVALID_RULE,
"forward-port and action")
# source-port
elif type(self.element) == Rich_SourcePort:
if not functions.check_port(self.element.port):
raise FirewallError(errors.INVALID_PORT, self.element.port)
if self.element.protocol not in ["tcp", "udp", "sctp", "dccp"]:
raise FirewallError(errors.INVALID_PROTOCOL,
self.element.protocol)
# tcp-mss-clamp
elif type(self.element) == Rich_Tcp_Mss_Clamp:
if self.action is not None:
raise FirewallError(
errors.INVALID_RULE,
"tcp-mss-clamp and %s are mutually exclusive" %
self.action)
if self.element.value:
if not functions.checkTcpMssClamp(self.element.value):
raise FirewallError(errors.INVALID_RULE,
self.element.value)
# other element and not empty?
elif self.element is not None:
raise FirewallError(errors.INVALID_RULE,
"Unknown element %s" % type(self.element))
# log
if self.log is not None:
self.log.check()
# audit
if self.audit is not None:
if type(self.action) not in [Rich_Accept, Rich_Reject, Rich_Drop]:
raise FirewallError(errors.INVALID_AUDIT_TYPE,
type(self.action))
if self.audit.limit is not None:
self.audit.limit.check()
# action
if self.action is not None:
if type(self.action) == Rich_Reject:
self.action.check(self.family)
elif type(self.action) == Rich_Mark:
self.action.check()
if self.action.limit is not None:
self.action.limit.check()
def check(self):
if self.family is not None and self.family not in [ "ipv4", "ipv6" ]:
raise FirewallError(INVALID_FAMILY, self.family)
if self.family is None:
if (self.source is not None and self.source.addr is not None) or \
self.destination is not None:
raise FirewallError(MISSING_FAMILY)
if type(self.element) == Rich_ForwardPort:
raise FirewallError(MISSING_FAMILY)
if self.element is None:
if self.action is None:
raise FirewallError(INVALID_RULE, "no element, no action")
if self.source is None:
raise FirewallError(INVALID_RULE, "no element, no source")
if self.destination is not None:
raise FirewallError(INVALID_RULE, "destination action")
if type(self.element) not in [ Rich_IcmpBlock,
Rich_ForwardPort,
Rich_Masquerade ]:
if self.log is None and self.audit is None and \
self.action is None:
raise FirewallError(INVALID_RULE, "no action, no log, no audit")
# source
if self.source is not None:
if self.source.addr is not None:
if self.family is None:
raise FirewallError(INVALID_FAMILY)
if self.source.mac is not None:
raise FirewallError(INVALID_RULE, "address and mac")
if not functions.check_address(self.family, self.source.addr):
raise FirewallError(INVALID_ADDR, str(self.source.addr))
elif self.source.mac is not None:
if not functions.check_mac(self.source.mac):
raise FirewallError(INVALID_MAC, str(self.source.mac))
elif self.source.ipset is not None:
if not functions.check_ipset(self.source.ipset):
raise FirewallError(INVALID_IPSET, str(self.source.ipset))
else:
raise FirewallError(INVALID_RULE, "invalid source")
# destination
if self.destination is not None:
if self.family is None:
raise FirewallError(INVALID_FAMILY)
if self.destination.addr is None or \
not functions.check_address(self.family,
self.destination.addr):
raise FirewallError(INVALID_ADDR, str(self.destination.addr))
# service
if type(self.element) == Rich_Service:
# service availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(INVALID_SERVICE, str(self.element.name))
# port
elif type(self.element) == Rich_Port:
if not functions.check_port(self.element.port):
raise FirewallError(INVALID_PORT, self.element.port)
if self.element.protocol not in [ "tcp", "udp" ]:
raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
# protocol
elif type(self.element) == Rich_Protocol:
if not functions.checkProtocol(self.element.value):
raise FirewallError(INVALID_PROTOCOL, self.element.value)
# masquerade
elif type(self.element) == Rich_Masquerade:
if self.action is not None:
raise FirewallError(INVALID_RULE, "masquerade and action")
if self.source is not None and self.source.mac is not None:
raise FirewallError(INVALID_RULE, "masquerade and mac source")
# icmp-block
elif type(self.element) == Rich_IcmpBlock:
# icmp type availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(INVALID_ICMPTYPE, str(self.element.name))
if self.action:
raise FirewallError(INVALID_RULE, "icmp-block and action")
# forward-port
elif type(self.element) == Rich_ForwardPort:
if not functions.check_port(self.element.port):
raise FirewallError(INVALID_PORT, self.element.port)
if self.element.protocol not in [ "tcp", "udp" ]:
raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
if self.element.to_port == "" and self.element.to_address == "":
raise FirewallError(INVALID_PORT, self.element.to_port)
if self.element.to_port != "" and \
not functions.check_port(self.element.to_port):
raise FirewallError(INVALID_PORT, self.element.to_port)
if self.element.to_address != "" and \
not functions.check_single_address(self.family,
self.element.to_address):
raise FirewallError(INVALID_ADDR, self.element.to_address)
if self.family is None:
raise FirewallError(INVALID_FAMILY)
if self.action is not None:
raise FirewallError(INVALID_RULE, "forward-port and action")
# other element and not empty?
elif self.element is not None:
raise FirewallError(INVALID_RULE, "Unknown element %s" %
type(self.element))
# log
if self.log is not None:
if self.log.level and \
self.log.level not in [ "emerg", "alert", "crit", "error",
"warning", "notice", "info", "debug" ]:
raise FirewallError(INVALID_LOG_LEVEL, self.log.level)
if self.log.limit is not None:
self.log.limit.check()
# audit
if self.audit is not None:
if type(self.action) not in [ Rich_Accept, Rich_Reject, Rich_Drop ]:
raise FirewallError(INVALID_AUDIT_TYPE, type(self.action))
if self.audit.limit is not None:
self.audit.limit.check()
# action
if self.action is not None:
if type(self.action) == Rich_Reject:
self.action.check(self.family)
if self.action.limit is not None:
self.action.limit.check()
def check_entry(entry, options, ipset_type):
family = "ipv4"
if "family" in options:
if options["family"] == "inet6":
family = "ipv6"
if not ipset_type.startswith("hash:"):
raise FirewallError(errors.INVALID_IPSET,
"ipset type '%s' not usable" % ipset_type)
flags = ipset_type[5:].split(",")
items = entry.split(",")
if len(flags) != len(items) or len(flags) < 1:
raise FirewallError(
errors.INVALID_ENTRY,
"entry '%s' does not match ipset type '%s'" % \
(entry, ipset_type))
for i in range(len(flags)):
flag = flags[i]
item = items[i]
if flag == "ip":
if "-" in item and family == "ipv4":
# IP ranges only with plain IPs, no masks
if i > 1:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s'[%d]" % \
(item, entry, i))
splits = item.split("-")
if len(splits) != 2:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address range '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
for _split in splits:
if (family == "ipv4" and not checkIP(_split)) or \
(family == "ipv6" and not checkIP6(_split)):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(_split, entry, ipset_type, family))
else:
# IPs with mask only allowed in the first
# position of the type
if family == "ipv4":
if item == "0.0.0.0":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
if i == 0:
ip_check = checkIPnMask
else:
ip_check = checkIP
else:
ip_check = checkIP6
if not ip_check(item):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
elif flag == "net":
if "-" in item:
# IP ranges only with plain IPs, no masks
splits = item.split("-")
if len(splits) != 2:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address range '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
# First part can only be a plain IP
if (family == "ipv4" and not checkIP(splits[0])) or \
(family == "ipv6" and not checkIP6(splits[0])):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(splits[0], entry, ipset_type, family))
# Second part can also have a mask
if (family == "ipv4" and not checkIPnMask(splits[1])) or \
(family == "ipv6" and not checkIP6nMask(splits[1])):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(splits[1], entry, ipset_type, family))
else:
# IPs with mask allowed in all positions, but no /0
if item.endswith("/0"):
if not (family == "ipv6" and i == 0 and
ipset_type == "hash:net,iface"):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
if (family == "ipv4" and not checkIPnMask(item)) or \
(family == "ipv6" and not checkIP6nMask(item)):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
elif flag == "mac":
# ipset does not allow to add 00:00:00:00:00:00
if not check_mac(item) or item == "00:00:00:00:00:00":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mac address '%s' in '%s'" % (item, entry))
elif flag == "port":
if ":" in item:
splits = item.split(":")
if len(splits) != 2:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid port '%s'" % (item))
if splits[0] == "icmp":
if family != "ipv4":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid protocol for family '%s' in '%s'" % \
(family, entry))
if not check_icmp_name(splits[1]) and not \
check_icmp_type(splits[1]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid icmp type '%s' in '%s'" % \
(splits[1], entry))
elif splits[0] in [ "icmpv6", "ipv6-icmp" ]:
if family != "ipv6":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid protocol for family '%s' in '%s'" % \
(family, entry))
if not check_icmpv6_name(splits[1]) and not \
check_icmpv6_type(splits[1]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid icmpv6 type '%s' in '%s'" % \
(splits[1], entry))
elif splits[0] not in [ "tcp", "sctp", "udp", "udplite" ] \
and not checkProtocol(splits[0]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid protocol '%s' in '%s'" % (splits[0],
entry))
elif not check_port(splits[1]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid port '%s'in '%s'" % (splits[1], entry))
else:
if not check_port(item):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid port '%s' in '%s'" % (item, entry))
elif flag == "mark":
if item.startswith("0x"):
try:
int_val = int(item, 16)
except ValueError:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mark '%s' in '%s'" % (item, entry))
else:
try:
int_val = int(item)
except ValueError:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mark '%s' in '%s'" % (item, entry))
if int_val < 0 or int_val > 4294967295:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mark '%s' in '%s'" % (item, entry))
elif flag == "iface":
if not checkInterface(item) or len(item) > 15:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid interface '%s' in '%s'" % (item, entry))
else:
raise FirewallError(errors.INVALID_IPSET,
"ipset type '%s' not usable" % ipset_type)
def check_protocol(protocol):
if not functions.checkProtocol(protocol):
raise FirewallError(errors.INVALID_PROTOCOL, protocol)
def check_entry(entry, options, ipset_type):
family = "ipv4"
if "family" in options:
if options["family"] == "inet6":
family = "ipv6"
if not ipset_type.startswith("hash:"):
raise FirewallError(errors.INVALID_IPSET,
"ipset type '%s' not usable" % ipset_type)
flags = ipset_type[5:].split(",")
items = entry.split(",")
if len(flags) != len(items) or len(flags) < 1:
raise FirewallError(
errors.INVALID_ENTRY,
"entry '%s' does not match ipset type '%s'" % \
(entry, ipset_type))
for i in range(len(flags)):
flag = flags[i]
item = items[i]
if flag == "ip":
if "-" in item and family == "ipv4":
# IP ranges only with plain IPs, no masks
if i > 1:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s'[%d]" % \
(item, entry, i))
splits = item.split("-")
if len(splits) != 2:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address range '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
for _split in splits:
if (family == "ipv4" and not checkIP(_split)) or \
(family == "ipv6" and not checkIP6(_split)):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(_split, entry, ipset_type, family))
else:
# IPs with mask only allowed in the first
# position of the type
if family == "ipv4":
if item == "0.0.0.0":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
if i == 0:
ip_check = checkIPnMask
else:
ip_check = checkIP
else:
ip_check = checkIP6
if not ip_check(item):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
elif flag == "net":
if "-" in item:
# IP ranges only with plain IPs, no masks
splits = item.split("-")
if len(splits) != 2:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address range '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
# First part can only be a plain IP
if (family == "ipv4" and not checkIP(splits[0])) or \
(family == "ipv6" and not checkIP6(splits[0])):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(splits[0], entry, ipset_type, family))
# Second part can also have a mask
if (family == "ipv4" and not checkIPnMask(splits[1])) or \
(family == "ipv6" and not checkIP6nMask(splits[1])):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(splits[1], entry, ipset_type, family))
else:
# IPs with mask allowed in all positions, but no /0
if item.endswith("/0"):
if not (family == "ipv6" and i == 0 and
ipset_type == "hash:net,iface"):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
if (family == "ipv4" and not checkIPnMask(item)) or \
(family == "ipv6" and not checkIP6nMask(item)):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid address '%s' in '%s' for %s (%s)" % \
(item, entry, ipset_type, family))
elif flag == "mac":
# ipset does not allow to add 00:00:00:00:00:00
if not check_mac(item) or item == "00:00:00:00:00:00":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mac address '%s' in '%s'" % (item, entry))
elif flag == "port":
if ":" in item:
splits = item.split(":")
if len(splits) != 2:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid port '%s'" % (item))
if splits[0] == "icmp":
if family != "ipv4":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid protocol for family '%s' in '%s'" % \
(family, entry))
if not check_icmp_name(splits[1]) and not \
check_icmp_type(splits[1]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid icmp type '%s' in '%s'" % \
(splits[1], entry))
elif splits[0] in [ "icmpv6", "ipv6-icmp" ]:
if family != "ipv6":
raise FirewallError(
errors.INVALID_ENTRY,
"invalid protocol for family '%s' in '%s'" % \
(family, entry))
if not check_icmpv6_name(splits[1]) and not \
check_icmpv6_type(splits[1]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid icmpv6 type '%s' in '%s'" % \
(splits[1], entry))
elif splits[0] not in [ "tcp", "sctp", "udp", "udplite" ] \
and not checkProtocol(splits[0]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid protocol '%s' in '%s'" % (splits[0],
entry))
elif not check_port(splits[1]):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid port '%s'in '%s'" % (splits[1], entry))
else:
if not check_port(item):
raise FirewallError(
errors.INVALID_ENTRY,
"invalid port '%s' in '%s'" % (item, entry))
elif flag == "mark":
if item.startswith("0x"):
try:
int_val = int(item, 16)
except ValueError:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mark '%s' in '%s'" % (item, entry))
else:
try:
int_val = int(item)
except ValueError:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mark '%s' in '%s'" % (item, entry))
if int_val < 0 or int_val > 4294967295:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid mark '%s' in '%s'" % (item, entry))
elif flag == "iface":
if not checkInterface(item) or len(item) > 15:
raise FirewallError(
errors.INVALID_ENTRY,
"invalid interface '%s' in '%s'" % (item, entry))
else:
raise FirewallError(errors.INVALID_IPSET,
"ipset type '%s' not usable" % ipset_type)
def check(self):
if self.family is not None and self.family not in [ "ipv4", "ipv6" ]:
raise FirewallError(errors.INVALID_FAMILY, self.family)
if self.family is None:
if (self.source is not None and self.source.addr is not None) or \
self.destination is not None:
raise FirewallError(errors.MISSING_FAMILY)
if type(self.element) == Rich_ForwardPort:
raise FirewallError(errors.MISSING_FAMILY)
if self.element is None:
if self.action is None:
raise FirewallError(errors.INVALID_RULE, "no element, no action")
if self.source is None and self.destination is None:
raise FirewallError(errors.INVALID_RULE, "no element, no source, no destination")
if type(self.element) not in [ Rich_IcmpBlock,
Rich_ForwardPort,
Rich_Masquerade ]:
if self.log is None and self.audit is None and \
self.action is None:
raise FirewallError(errors.INVALID_RULE, "no action, no log, no audit")
# source
if self.source is not None:
if self.source.addr is not None:
if self.family is None:
raise FirewallError(errors.INVALID_FAMILY)
if self.source.mac is not None:
raise FirewallError(errors.INVALID_RULE, "address and mac")
if self.source.ipset is not None:
raise FirewallError(errors.INVALID_RULE, "address and ipset")
if not functions.check_address(self.family, self.source.addr):
raise FirewallError(errors.INVALID_ADDR, str(self.source.addr))
elif self.source.mac is not None:
if self.source.ipset is not None:
raise FirewallError(errors.INVALID_RULE, "mac and ipset")
if not functions.check_mac(self.source.mac):
raise FirewallError(errors.INVALID_MAC, str(self.source.mac))
elif self.source.ipset is not None:
if not check_ipset_name(self.source.ipset):
raise FirewallError(errors.INVALID_IPSET, str(self.source.ipset))
else:
raise FirewallError(errors.INVALID_RULE, "invalid source")
# destination
if self.destination is not None:
if self.family is None:
raise FirewallError(errors.INVALID_FAMILY)
if self.destination.addr is not None and self.destination.ipset is not None
raise FirewallError(errors.INVALID_RULE, "address and ipset")
if self.destination.ipset is None:
if self.destination.addr is None or not functions.check_address(self.family,
self.destination.addr)):
raise FirewallError(errors.INVALID_ADDR, str(self.destination.addr))
else:
if not check_ipset_name(self.destination.ipset):
raise FirewallError(errors.INVALID_IPSET, str(self.destination.ipset))
# service
if type(self.element) == Rich_Service:
# service availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(errors.INVALID_SERVICE, str(self.element.name))
# port
elif type(self.element) == Rich_Port:
if not functions.check_port(self.element.port):
raise FirewallError(errors.INVALID_PORT, self.element.port)
if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
# protocol
elif type(self.element) == Rich_Protocol:
if not functions.checkProtocol(self.element.value):
raise FirewallError(errors.INVALID_PROTOCOL, self.element.value)
# masquerade
elif type(self.element) == Rich_Masquerade:
if self.action is not None:
raise FirewallError(errors.INVALID_RULE, "masquerade and action")
if self.source is not None and self.source.mac is not None:
raise FirewallError(errors.INVALID_RULE, "masquerade and mac source")
# icmp-block
elif type(self.element) == Rich_IcmpBlock:
# icmp type availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(errors.INVALID_ICMPTYPE, str(self.element.name))
if self.action:
raise FirewallError(errors.INVALID_RULE, "icmp-block and action")
# icmp-type
elif type(self.element) == Rich_IcmpType:
# icmp type availability needs to be checked in Firewall, here is no
# knowledge about this, therefore only simple check
if self.element.name is None or len(self.element.name) < 1:
raise FirewallError(errors.INVALID_ICMPTYPE, str(self.element.name))
# forward-port
elif type(self.element) == Rich_ForwardPort:
if not functions.check_port(self.element.port):
raise FirewallError(errors.INVALID_PORT, self.element.port)
if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
if self.element.to_port == "" and self.element.to_address == "":
raise FirewallError(errors.INVALID_PORT, self.element.to_port)
if self.element.to_port != "" and \
not functions.check_port(self.element.to_port):
raise FirewallError(errors.INVALID_PORT, self.element.to_port)
if self.element.to_address != "" and \
not functions.check_single_address(self.family,
self.element.to_address):
raise FirewallError(errors.INVALID_ADDR, self.element.to_address)
if self.family is None:
raise FirewallError(errors.INVALID_FAMILY)
if self.action is not None:
raise FirewallError(errors.INVALID_RULE, "forward-port and action")
def check_protocol(protocol):
if not checkProtocol(protocol):
raise FirewallError(INVALID_PROTOCOL, protocol)