Пример #1
0
    def parse_forward_port(self, value, compat=False):
        port = None
        protocol = None
        toport = None
        toaddr = None
        i = 0
        while ("=" in value[i:]):
            opt = value[i:].split("=", 1)[0]
            i += len(opt) + 1
            if "=" in value[i:]:
                val = value[i:].split(":", 1)[0]
            else:
                val = value[i:]
            i += len(val) + 1

            if opt == "port":
                port = val
            elif opt == "proto":
                protocol = val
            elif opt == "toport":
                toport = val
            elif opt == "toaddr":
                toaddr = val
            elif opt == "if" and compat:
                # ignore if option in compat mode
                pass
            else:
                raise FirewallError(errors.INVALID_FORWARD,
                                    "invalid forward port arg '%s'" % (opt))
        if not port:
            raise FirewallError(errors.INVALID_FORWARD, "missing port")
        if not protocol:
            raise FirewallError(errors.INVALID_FORWARD, "missing protocol")
        if not (toport or toaddr):
            raise FirewallError(errors.INVALID_FORWARD, "missing destination")

        if not check_port(port):
            raise FirewallError(errors.INVALID_PORT, port)
        if protocol not in ["tcp", "udp", "sctp", "dccp"]:
            raise FirewallError(errors.INVALID_PROTOCOL,
                                "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
                                protocol)
        if toport and not check_port(toport):
            raise FirewallError(errors.INVALID_PORT, toport)
        if toaddr and not check_single_address("ipv4", toaddr):
            if compat or not check_single_address("ipv6", toaddr):
                raise FirewallError(errors.INVALID_ADDR, toaddr)

        return (port, protocol, toport, toaddr)
Пример #2
0
    def parse_forward_port(self, value, compat=False):
        port = None
        protocol = None
        toport = None
        toaddr = None
        i = 0
        while ("=" in value[i:]):
            opt = value[i:].split("=", 1)[0]
            i += len(opt) + 1
            if "=" in value[i:]:
                val = value[i:].split(":", 1)[0]
            else:
                val = value[i:]
            i += len(val) + 1

            if opt == "port":
                port = val
            elif opt == "proto":
                protocol = val
            elif opt == "toport":
                toport = val
            elif opt == "toaddr":
                toaddr = val
            elif opt == "if" and compat:
                # ignore if option in compat mode
                pass
            else:
                raise FirewallError(errors.INVALID_FORWARD,
                                    "invalid forward port arg '%s'" % (opt))
        if not port:
            raise FirewallError(errors.INVALID_FORWARD, "missing port")
        if not protocol:
            raise FirewallError(errors.INVALID_FORWARD, "missing protocol")
        if not (toport or toaddr):
            raise FirewallError(errors.INVALID_FORWARD, "missing destination")

        if not check_port(port):
            raise FirewallError(errors.INVALID_PORT, port)
        if protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
            raise FirewallError(errors.INVALID_PROTOCOL,
                                "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
                                protocol)
        if toport and not check_port(toport):
            raise FirewallError(errors.INVALID_PORT, toport)
        if toaddr and not check_single_address("ipv4", toaddr):
            if compat or not check_single_address("ipv6", toaddr):
                raise FirewallError(errors.INVALID_ADDR, toaddr)

        return (port, protocol, toport, toaddr)
Пример #3
0
    def build_zone_forward_port_rules(self, enable, zone, filter_chain, port,
                                      protocol, toport, toaddr, mark_id):
        add_del = { True: "-A", False: "-D" }[enable]

        mark_str = "0x%x" % mark_id
        mark = [ "-m", "mark", "--mark", mark_str ]

        to = ""
        if toaddr:
            if check_single_address("ipv6", toaddr):
                to += "[%s]" % toaddr
            else:
                to += toaddr
        if toport and toport != "":
            to += ":%s" % portStr(toport, "-")

        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
                                            zone=zone)
        rules = []
        rules.append([ add_del, "%s_allow" % (target), "-t", "mangle",
                     "-p", protocol, "--dport", portStr(port),
                     "-j", "MARK", "--set-mark", mark_str ])
        # local and remote
        rules.append([ add_del, "%s_allow" % (target), "-t", "nat",
                     "-p", protocol ] + mark +
                     [ "-j", "DNAT", "--to-destination", to ])

        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[filter_chain],
                                            zone=zone)
        rules.append([ add_del, "%s_allow" % (target),
                     "-t", "filter", "-m", "conntrack",
                     "--ctstate", "NEW" ] +
                     mark + [ "-j", "ACCEPT" ])

        return rules
Пример #4
0
    def build_zone_forward_port_rules(self,
                                      enable,
                                      zone,
                                      filter_chain,
                                      port,
                                      protocol,
                                      toport,
                                      toaddr,
                                      mark_id,
                                      rich_rule=None):
        add_del = {True: "-A", False: "-D"}[enable]

        mark_str = "0x%x" % mark_id
        mark = ["-m", "mark", "--mark", mark_str]

        to = ""
        if toaddr:
            if check_single_address("ipv6", toaddr):
                to += "[%s]" % toaddr
            else:
                to += toaddr
        if toport and toport != "":
            to += ":%s" % portStr(toport, "-")

        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
                                            zone=zone)

        rule_fragment = ["-p", protocol, "--dport", portStr(port)]
        if rich_rule:
            rule_fragment += self._rich_rule_destination_fragment(
                rich_rule.destination)
            rule_fragment += self._rich_rule_source_fragment(rich_rule.source)

        rules = []
        if rich_rule:
            rules.append(
                self._rich_rule_log(rich_rule, enable, "mangle", target,
                                    rule_fragment))
        rules.append([add_del, "%s_allow" % (target), "-t", "mangle"] +
                     rule_fragment + ["-j", "MARK", "--set-mark", mark_str])

        # local and remote
        rules.append(
            [add_del,
             "%s_allow" % (target), "-t", "nat", "-p", protocol] + mark +
            ["-j", "DNAT", "--to-destination", to])

        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[filter_chain],
                                            zone=zone)
        rules.append([
            add_del,
            "%s_allow" %
            (target), "-t", "filter", "-m", "conntrack", "--ctstate", "NEW"
        ] + mark + ["-j", "ACCEPT"])

        return rules
Пример #5
0
    def parse_forward_port(self, value):
        port = None
        protocol = None
        toport = None
        toaddr = None
        args = value.split(":")
        for arg in args:
            try:
                (opt, val) = arg.split("=")
                if opt == "port":
                    port = val
                elif opt == "proto":
                    protocol = val
                elif opt == "toport":
                    toport = val
                elif opt == "toaddr":
                    toaddr = val
            except ValueError:
                raise FirewallError(errors.INVALID_FORWARD,
                                    "invalid forward port arg '%s'" % (arg))
        if not port:
            raise FirewallError(errors.INVALID_FORWARD, "missing port")
        if not protocol:
            raise FirewallError(errors.INVALID_FORWARD, "missing protocol")
        if not (toport or toaddr):
            raise FirewallError(errors.INVALID_FORWARD, "missing destination")

        if not check_port(port):
            raise FirewallError(errors.INVALID_PORT, port)
        if protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
            raise FirewallError(errors.INVALID_PROTOCOL,
                                "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
                                protocol)
        if toport and not check_port(toport):
            raise FirewallError(errors.INVALID_PORT, toport)
        if toaddr and not check_single_address("ipv4", toaddr):
            raise FirewallError(errors.INVALID_ADDR, toaddr)

        return (port, protocol, toport, toaddr)
Пример #6
0
    def parse_forward_port(self, value):
        port = None
        protocol = None
        toport = None
        toaddr = None
        args = value.split(":")
        for arg in args:
            try:
                (opt, val) = arg.split("=")
                if opt == "port":
                    port = val
                elif opt == "proto":
                    protocol = val
                elif opt == "toport":
                    toport = val
                elif opt == "toaddr":
                    toaddr = val
            except ValueError:
                raise FirewallError(errors.INVALID_FORWARD,
                                    "invalid forward port arg '%s'" % (arg))
        if not port:
            raise FirewallError(errors.INVALID_FORWARD, "missing port")
        if not protocol:
            raise FirewallError(errors.INVALID_FORWARD, "missing protocol")
        if not (toport or toaddr):
            raise FirewallError(errors.INVALID_FORWARD, "missing destination")

        if not check_port(port):
            raise FirewallError(errors.INVALID_PORT, port)
        if protocol not in [ "tcp", "udp" ]:
            raise FirewallError(errors.INVALID_PROTOCOL,
                                "'%s' not in {'tcp'|'udp'}" % protocol)
        if toport and not check_port(toport):
            raise FirewallError(errors.INVALID_PORT, toport)
        if toaddr and not check_single_address("ipv4", toaddr):
            raise FirewallError(errors.INVALID_ADDR, toaddr)

        return (port, protocol, toport, toaddr)
Пример #7
0
    def check(self):
        if self.family is not None and self.family not in ["ipv4", "ipv6"]:
            raise FirewallError(INVALID_FAMILY, self.family)
        if self.family is None:
            if self.source is not None or self.destination is not None:
                raise FirewallError(MISSING_FAMILY)
            if type(self.element) == Rich_ForwardPort:
                raise FirewallError(MISSING_FAMILY)

        if self.element is None:
            if self.action is None:
                raise FirewallError(INVALID_RULE, "no element, no action")
            if self.source is None:
                raise FirewallError(INVALID_RULE, "no element, no source")
            if self.destination is not None:
                raise FirewallError(INVALID_RULE, "destination action")

        if type(self.element) not in [
                Rich_IcmpBlock, Rich_ForwardPort, Rich_Masquerade
        ]:
            if self.log is None and self.audit is None and \
                    self.action is None:
                raise FirewallError(INVALID_RULE,
                                    "no action, no log, no audit")

        # source
        if self.source is not None:
            if self.family is None:
                raise FirewallError(INVALID_FAMILY)
            if self.source.addr is None or \
                    not functions.check_address(self.family,
                                                self.source.addr):
                raise FirewallError(INVALID_ADDR, str(self.source.addr))

        # destination
        if self.destination is not None:
            if self.family is None:
                raise FirewallError(INVALID_FAMILY)
            if self.destination.addr is None or \
                    not functions.check_address(self.family,
                                                self.destination.addr):
                raise FirewallError(INVALID_ADDR, str(self.destination.addr))

        # service
        if type(self.element) == Rich_Service:
            # service availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(INVALID_SERVICE, str(self.element.name))

        # port
        elif type(self.element) == Rich_Port:
            if not functions.check_port(self.element.port):
                raise FirewallError(INVALID_PORT, self.element.port)
            if not self.element.protocol in ["tcp", "udp"]:
                raise FirewallError(INVALID_PROTOCOL, self.element.protocol)

        # protocol
        elif type(self.element) == Rich_Protocol:
            if not functions.checkProtocol(self.element.value):
                raise FirewallError(INVALID_PROTOCOL, self.element.value)

        # masquerade
        elif type(self.element) == Rich_Masquerade:
            if self.destination is not None:
                raise FirewallError(INVALID_RULE, "masquerade and destination")
            if self.action is not None:
                raise FirewallError(INVALID_RULE, "masquerade and action")

        # icmp-block
        elif type(self.element) == Rich_IcmpBlock:
            # icmp type availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(INVALID_ICMPTYPE, str(self.element.name))
            if self.action:
                raise FirewallError(INVALID_RULE, "icmp-block and action")

        # forward-port
        elif type(self.element) == Rich_ForwardPort:
            if not functions.check_port(self.element.port):
                raise FirewallError(INVALID_PORT, self.element.port)
            if not self.element.protocol in ["tcp", "udp"]:
                raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
            if self.element.to_port == "" and self.element.to_address == "":
                raise FirewallError(INVALID_PORT, self.element.to_port)
            if self.element.to_port != "" and \
                    not functions.check_port(self.element.to_port):
                raise FirewallError(INVALID_PORT, self.element.to_port)
            if self.element.to_address != "" and \
                    not functions.check_single_address(self.family,
                                                       self.element.to_address):
                raise FirewallError(INVALID_ADDR, self.element.to_address)
            if self.family is None:
                raise FirewallError(INVALID_FAMILY)
            if self.action is not None:
                raise FirewallError(INVALID_RULE, "forward-port and action")

        # other element and not empty?
        elif self.element is not None:
            raise FirewallError(INVALID_RULE,
                                "Unknown element %s" % type(self.element))

        # log
        if self.log is not None:
            if self.log.level and \
               self.log.level not in [ "emerg", "alert", "crit", "error",
                                       "warning", "notice", "info", "debug" ]:
                raise FirewallError(INVALID_LOG_LEVEL, self.log.level)

            if self.log.limit is not None:
                self.log.limit.check()

        # audit
        if self.audit is not None:
            if type(self.action) not in [Rich_Accept, Rich_Reject, Rich_Drop]:
                raise FirewallError(INVALID_AUDIT_TYPE, type(self.action))

            if self.audit.limit is not None:
                self.audit.limit.check()

        # action
        if self.action is not None:
            if type(self.action) == Rich_Reject:
                self.action.check(self.family)

            if self.action.limit is not None:
                self.action.limit.check()
Пример #8
0
    def check(self):
        if self.family is not None and self.family not in ["ipv4", "ipv6"]:
            raise FirewallError(errors.INVALID_FAMILY, self.family)
        if self.family is None:
            if (self.source is not None and self.source.addr is not None) or \
               self.destination is not None:
                raise FirewallError(errors.MISSING_FAMILY)
            if type(self.element) == Rich_ForwardPort:
                raise FirewallError(errors.MISSING_FAMILY)

        if self.priority < self.priority_min or self.priority > self.priority_max:
            raise FirewallError(errors.INVALID_PRIORITY, "'priority' attribute must be between %d and %d." \
                                                         % (self.priority_min, self.priority_max))

        if self.element is None and \
           (self.log is None or (self.log is not None and self.priority == 0)):
            if self.action is None:
                raise FirewallError(errors.INVALID_RULE,
                                    "no element, no action")
            if self.source is None and self.destination is None and self.priority == 0:
                raise FirewallError(errors.INVALID_RULE,
                                    "no element, no source, no destination")

        if type(self.element) not in [
                Rich_IcmpBlock, Rich_ForwardPort, Rich_Masquerade,
                Rich_Tcp_Mss_Clamp
        ]:
            if self.log is None and self.audit is None and \
                    self.action is None:
                raise FirewallError(errors.INVALID_RULE,
                                    "no action, no log, no audit")

        # source
        if self.source is not None:
            if self.source.addr is not None:
                if self.family is None:
                    raise FirewallError(errors.INVALID_FAMILY)
                if self.source.mac is not None:
                    raise FirewallError(errors.INVALID_RULE, "address and mac")
                if self.source.ipset is not None:
                    raise FirewallError(errors.INVALID_RULE,
                                        "address and ipset")
                if not functions.check_address(self.family, self.source.addr):
                    raise FirewallError(errors.INVALID_ADDR,
                                        str(self.source.addr))

            elif self.source.mac is not None:
                if self.source.ipset is not None:
                    raise FirewallError(errors.INVALID_RULE, "mac and ipset")
                if not functions.check_mac(self.source.mac):
                    raise FirewallError(errors.INVALID_MAC,
                                        str(self.source.mac))

            elif self.source.ipset is not None:
                if not check_ipset_name(self.source.ipset):
                    raise FirewallError(errors.INVALID_IPSET,
                                        str(self.source.ipset))

            else:
                raise FirewallError(errors.INVALID_RULE, "invalid source")

        # destination
        if self.destination is not None:
            if self.destination.addr is not None:
                if self.family is None:
                    raise FirewallError(errors.INVALID_FAMILY)
                if self.destination.ipset is not None:
                    raise FirewallError(errors.INVALID_DESTINATION,
                                        "address and ipset")
                if not functions.check_address(self.family,
                                               self.destination.addr):
                    raise FirewallError(errors.INVALID_ADDR,
                                        str(self.destination.addr))

            elif self.destination.ipset is not None:
                if not check_ipset_name(self.destination.ipset):
                    raise FirewallError(errors.INVALID_IPSET,
                                        str(self.destination.ipset))

            else:
                raise FirewallError(errors.INVALID_RULE, "invalid destination")

        # service
        if type(self.element) == Rich_Service:
            # service availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(errors.INVALID_SERVICE,
                                    str(self.element.name))

        # port
        elif type(self.element) == Rich_Port:
            if not functions.check_port(self.element.port):
                raise FirewallError(errors.INVALID_PORT, self.element.port)
            if self.element.protocol not in ["tcp", "udp", "sctp", "dccp"]:
                raise FirewallError(errors.INVALID_PROTOCOL,
                                    self.element.protocol)

        # protocol
        elif type(self.element) == Rich_Protocol:
            if not functions.checkProtocol(self.element.value):
                raise FirewallError(errors.INVALID_PROTOCOL,
                                    self.element.value)

        # masquerade
        elif type(self.element) == Rich_Masquerade:
            if self.action is not None:
                raise FirewallError(errors.INVALID_RULE,
                                    "masquerade and action")
            if self.source is not None and self.source.mac is not None:
                raise FirewallError(errors.INVALID_RULE,
                                    "masquerade and mac source")

        # icmp-block
        elif type(self.element) == Rich_IcmpBlock:
            # icmp type availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(errors.INVALID_ICMPTYPE,
                                    str(self.element.name))
            if self.action:
                raise FirewallError(errors.INVALID_RULE,
                                    "icmp-block and action")

        # icmp-type
        elif type(self.element) == Rich_IcmpType:
            # icmp type availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(errors.INVALID_ICMPTYPE,
                                    str(self.element.name))

        # forward-port
        elif type(self.element) == Rich_ForwardPort:
            if not functions.check_port(self.element.port):
                raise FirewallError(errors.INVALID_PORT, self.element.port)
            if self.element.protocol not in ["tcp", "udp", "sctp", "dccp"]:
                raise FirewallError(errors.INVALID_PROTOCOL,
                                    self.element.protocol)
            if self.element.to_port == "" and self.element.to_address == "":
                raise FirewallError(errors.INVALID_PORT, self.element.to_port)
            if self.element.to_port != "" and \
                    not functions.check_port(self.element.to_port):
                raise FirewallError(errors.INVALID_PORT, self.element.to_port)
            if self.element.to_address != "" and \
                    not functions.check_single_address(self.family,
                                                       self.element.to_address):
                raise FirewallError(errors.INVALID_ADDR,
                                    self.element.to_address)
            if self.family is None:
                raise FirewallError(errors.INVALID_FAMILY)
            if self.action is not None:
                raise FirewallError(errors.INVALID_RULE,
                                    "forward-port and action")

        # source-port
        elif type(self.element) == Rich_SourcePort:
            if not functions.check_port(self.element.port):
                raise FirewallError(errors.INVALID_PORT, self.element.port)
            if self.element.protocol not in ["tcp", "udp", "sctp", "dccp"]:
                raise FirewallError(errors.INVALID_PROTOCOL,
                                    self.element.protocol)

        # tcp-mss-clamp
        elif type(self.element) == Rich_Tcp_Mss_Clamp:
            if self.action is not None:
                raise FirewallError(
                    errors.INVALID_RULE,
                    "tcp-mss-clamp and %s are mutually exclusive" %
                    self.action)
            if self.element.value:
                if not functions.checkTcpMssClamp(self.element.value):
                    raise FirewallError(errors.INVALID_RULE,
                                        self.element.value)

        # other element and not empty?
        elif self.element is not None:
            raise FirewallError(errors.INVALID_RULE,
                                "Unknown element %s" % type(self.element))

        # log
        if self.log is not None:
            self.log.check()

        # audit
        if self.audit is not None:
            if type(self.action) not in [Rich_Accept, Rich_Reject, Rich_Drop]:
                raise FirewallError(errors.INVALID_AUDIT_TYPE,
                                    type(self.action))

            if self.audit.limit is not None:
                self.audit.limit.check()

        # action
        if self.action is not None:
            if type(self.action) == Rich_Reject:
                self.action.check(self.family)
            elif type(self.action) == Rich_Mark:
                self.action.check()

            if self.action.limit is not None:
                self.action.limit.check()
Пример #9
0
    def check(self):
        if self.family is not None and self.family not in [ "ipv4", "ipv6" ]:
            raise FirewallError(INVALID_FAMILY, self.family)
        if self.family is None:
            if (self.source is not None and self.source.addr is not None) or \
               self.destination is not None:
                raise FirewallError(MISSING_FAMILY)
            if type(self.element) == Rich_ForwardPort:
                raise FirewallError(MISSING_FAMILY)

        if self.element is None:
            if self.action is None:
                raise FirewallError(INVALID_RULE, "no element, no action")
            if self.source is None:
                raise FirewallError(INVALID_RULE, "no element, no source")
            if self.destination is not None:
                raise FirewallError(INVALID_RULE, "destination action")

        if type(self.element) not in [ Rich_IcmpBlock,
                                       Rich_ForwardPort,
                                       Rich_Masquerade ]:
            if self.log is None and self.audit is None and \
                    self.action is None:
                raise FirewallError(INVALID_RULE, "no action, no log, no audit")

        # source
        if self.source is not None:
            if self.source.addr is not None:
                if self.family is None:
                    raise FirewallError(INVALID_FAMILY)
                if self.source.mac is not None:
                    raise FirewallError(INVALID_RULE, "address and mac")
                if not functions.check_address(self.family, self.source.addr):
                    raise FirewallError(INVALID_ADDR, str(self.source.addr))

            elif self.source.mac is not None:
                if not functions.check_mac(self.source.mac):
                    raise FirewallError(INVALID_MAC, str(self.source.mac))

            elif self.source.ipset is not None:
                if not functions.check_ipset(self.source.ipset):
                    raise FirewallError(INVALID_IPSET, str(self.source.ipset))

            else:
                raise FirewallError(INVALID_RULE, "invalid source")

        # destination
        if self.destination is not None:
            if self.family is None:
                raise FirewallError(INVALID_FAMILY)
            if self.destination.addr is None or \
                    not functions.check_address(self.family,
                                                self.destination.addr):
                raise FirewallError(INVALID_ADDR, str(self.destination.addr))

        # service
        if type(self.element) == Rich_Service:
            # service availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(INVALID_SERVICE, str(self.element.name))

        # port
        elif type(self.element) == Rich_Port:
            if not functions.check_port(self.element.port):
                raise FirewallError(INVALID_PORT, self.element.port)
            if self.element.protocol not in [ "tcp", "udp" ]:
                raise FirewallError(INVALID_PROTOCOL, self.element.protocol)

        # protocol
        elif type(self.element) == Rich_Protocol:
            if not functions.checkProtocol(self.element.value):
                raise FirewallError(INVALID_PROTOCOL, self.element.value)

        # masquerade
        elif type(self.element) == Rich_Masquerade:
            if self.action is not None:
                raise FirewallError(INVALID_RULE, "masquerade and action")
            if self.source is not None and self.source.mac is not None:
                raise FirewallError(INVALID_RULE, "masquerade and mac source")

        # icmp-block
        elif type(self.element) == Rich_IcmpBlock:
            # icmp type availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(INVALID_ICMPTYPE, str(self.element.name))
            if self.action:
                raise FirewallError(INVALID_RULE, "icmp-block and action")

        # forward-port
        elif type(self.element) == Rich_ForwardPort:
            if not functions.check_port(self.element.port):
                raise FirewallError(INVALID_PORT, self.element.port)
            if self.element.protocol not in [ "tcp", "udp" ]:
                raise FirewallError(INVALID_PROTOCOL, self.element.protocol)
            if self.element.to_port == "" and self.element.to_address == "":
                raise FirewallError(INVALID_PORT, self.element.to_port)
            if self.element.to_port != "" and \
                    not functions.check_port(self.element.to_port):
                raise FirewallError(INVALID_PORT, self.element.to_port)
            if self.element.to_address != "" and \
                    not functions.check_single_address(self.family,
                                                       self.element.to_address):
                raise FirewallError(INVALID_ADDR, self.element.to_address)
            if self.family is None:
                raise FirewallError(INVALID_FAMILY)
            if self.action is not None:
                raise FirewallError(INVALID_RULE, "forward-port and action")

        # other element and not empty?
        elif self.element is not None:
            raise FirewallError(INVALID_RULE, "Unknown element %s" % 
                                type(self.element))

        # log
        if self.log is not None:
            if self.log.level and \
               self.log.level not in [ "emerg", "alert", "crit", "error",
                                       "warning", "notice", "info", "debug" ]:
                raise FirewallError(INVALID_LOG_LEVEL, self.log.level)

            if self.log.limit is not None:
                self.log.limit.check()

        # audit
        if self.audit is not None:
            if type(self.action) not in [ Rich_Accept, Rich_Reject, Rich_Drop ]:
                raise FirewallError(INVALID_AUDIT_TYPE, type(self.action))

            if self.audit.limit is not None:
                self.audit.limit.check()

        # action
        if self.action is not None:
            if type(self.action) == Rich_Reject:
                self.action.check(self.family)

            if self.action.limit is not None:
                self.action.limit.check()