def run(self):
ruleset = set(Iptables.read_simple_rules())
while True:
modify, rule, directives = self.cmd_queue.get()
try:
rule_exists = rule in ruleset
log.debug('{} rule_exists: {}'.format(rule, rule_exists))
# check for duplicates, apply rule
if modify == 'I':
if rule_exists:
log.warn("Trying to insert existing rule: {}. Command ignored.".format(rule))
else:
Iptables.exe_rule(modify, rule)
# schedule expiry timeout if present. Only for Insert rules and only if the rule didn't exist before (so it was added now)
self.schedule_expiry(rule, directives)
ruleset.add(rule)
elif modify == 'D':
if rule_exists:
#TODO delete rules in the loop to delete actual iptables duplicates. It's to satisfy idempotency and plays well with common sense
Iptables.exe_rule(modify, rule)
ruleset.discard(rule)
else:
log.warn("Trying to delete not existing rule: {}. Command ignored.".format(rule))
elif modify == 'L':
#TODO rereading the iptables?
pass
finally:
self.cmd_queue.task_done()
def run(self):
ruleset = set(Iptables.read_simple_rules())
while True:
modify, rule, directives = self.cmd_queue.get()
try:
rule_exists = rule in ruleset
log.debug('{} rule_exists: {}'.format(rule, rule_exists))
# check for duplicates, apply rule
if modify == 'I':
if rule_exists:
log.warn(
"Trying to insert existing rule: {}. Command ignored."
.format(rule))
else:
Iptables.exe_rule(modify, rule)
# schedule expiry timeout if present. Only for Insert rules and only if the rule didn't exist before (so it was added now)
self.schedule_expiry(rule, directives)
ruleset.add(rule)
elif modify == 'D':
if rule_exists:
#TODO delete rules in the loop to delete actual iptables duplicates. It's to satisfy idempotency and plays well with common sense
Iptables.exe_rule(modify, rule)
ruleset.discard(rule)
else:
log.warn(
"Trying to delete not existing rule: {}. Command ignored."
.format(rule))
elif modify == 'L':
#TODO rereading the iptables?
pass
finally:
self.cmd_queue.task_done()
def process(handler, modify, urlpath):
# modify should be 'D' for Delete or 'I' for Insert understood as -D and -I iptables flags
assert modify in ['D', 'I', 'L']
try:
action, rule, directives = cmdparse.parse_command(urlpath)
# log.debug('\nAction: {}\nRule: {}\nDirectives: {}'.format(action, rule, directives))
if modify == 'L':
if action == 'help':
resp = 'TODO usage'
return handler.http_resp(200, resp)
elif action == 'list':
chain = rule
rules = Iptables.read_simple_rules(chain)
log.debug('List rfw rules: %s', rules)
list_of_dict = map(iptables.Rule._asdict, rules)
resp = json.dumps(list_of_dict)
return handler.http_resp(200, resp)
elif rfwconf.is_non_restful():
mod = directives.get('modify')
if not mod:
raise Exception('Unrecognized command. Non-restful enabled, you need to provide modify parameter.'.format(action))
if mod == 'insert':
modify = 'I'
elif mod == 'delete':
modify = 'D'
else:
raise Exception('Unrecognized command. Modify parameter can be "insert" or "delete".')
else:
raise Exception('Unrecognized command. Non-restful disabled.')
if modify in ['D', 'I'] and action.upper() in iptables.RULE_TARGETS:
# eliminate ignored/whitelisted IP related commands early to prevent propagating them to expiry queue
check_whitelist_conflict(rule.source, rfwconf.whitelist())
check_whitelist_conflict(rule.destination, rfwconf.whitelist())
ctup = (modify, rule, directives)
log.debug('PUT to Cmd Queue. Tuple: {}'.format(ctup))
cmd_queue.put_nowait(ctup)
# Make these rules persistent on file
import os.path
if os.path.isfile("/etc/init.d/iptables-persistent"):
save_command = "/etc/init.d/iptables-persistent save"
else:
raise Exception('No iptables-persistent command is installed. Please install it first!')
if save_command is not None:
subprocess.call(save_command, shell=True)
return handler.http_resp(200, ctup)
else:
raise Exception('Unrecognized command.')
except Exception, e:
msg = 'ERROR: {}'.format(e.message)
# logging as error disabled - bad client request is not an error
# log.exception(msg)
log.info(msg)
return handler.http_resp(400, msg) # Bad Request
def process(handler, modify, urlpath):
# modify should be 'D' for Delete or 'I' for Insert understood as -D and -I iptables flags
assert modify in ['D', 'I', 'L']
log.debug('process {} urlpath: {}'.format(modify, urlpath))
try:
action, rule, directives = cmdparse.parse_command(urlpath)
log.debug('\nAction: {}\nRule: {}\nDirectives: {}'.format(
action, rule, directives))
if modify == 'L':
if action == 'help':
resp = 'TODO usage'
return handler.http_resp(200, resp)
elif action == 'list':
chain = rule
rules = Iptables.read_simple_rules(chain)
log.debug('List rfw rules: %s', rules)
list_of_dict = map(iptables.Rule._asdict, rules)
resp = json.dumps(list_of_dict)
return handler.http_resp(200, resp)
elif rfwconf.is_non_restful():
mod = directives.get('modify')
if not mod:
raise Exception(
'Unrecognized command. Non-restful enabled, you need to provide modify parameter.'
.format(action))
if mod == 'insert':
modify = 'I'
elif mod == 'delete':
modify = 'D'
else:
raise Exception(
'Unrecognized command. Modify parameter can be "insert" or "delete".'
)
else:
raise Exception(
'Unrecognized command. Non-restful disabled.')
if modify in ['D', 'I'
] and action.upper() in iptables.RULE_TARGETS:
# eliminate ignored/whitelisted IP related commands early to prevent propagating them to expiry queue
check_whitelist_conflict(rule.source, rfwconf.whitelist())
check_whitelist_conflict(rule.destination, rfwconf.whitelist())
ctup = (modify, rule, directives)
log.debug('PUT to Cmd Queue. Tuple: {}'.format(ctup))
cmd_queue.put_nowait(ctup)
return handler.http_resp(200, ctup)
else:
raise Exception('Unrecognized command.')
except Exception, e:
msg = 'ERROR: {}'.format(e.message)
# logging as error disabled - bad client request is not an error
# log.exception(msg)
log.info(msg)
return handler.http_resp(400, msg) # Bad Request
def run(self):
Iptables.read_chains()
ruleset = set(Iptables.read_simple_rules(matching_num=False))
while True:
modify, rule, directives = self.cmd_queue.get()
try:
# Modify the rule to nullify parameters which need not to be included in the search
if rule.target != 'CREATE':
rule_exists = rule in ruleset
else:
if ':' in rule.chain:
new_chain = rule.chain.split(':')[1]
rule_exists = new_chain in iptables.RULE_CHAINS
else:
rule_exists = rule.chain in iptables.RULE_CHAINS
log.debug('{} rule_exists: {}'.format(rule, rule_exists))
# check for duplicates, apply rule
if modify == 'I':
if rule_exists:
log.warn("Trying to insert existing rule: {}. Command ignored.".format(rule))
else:
if rule.target == 'CREATE':
modify = 'N'
if ':' in rule.chain: # renaming a chain
modify = 'E'
Iptables.exe_rule(modify, rule)
# schedule expiry timeout if present. Only for Insert rules and only if the rule didn't exist before (so it was added now)
self.schedule_expiry(rule, directives)
if rule.target != 'CREATE':
ruleset.add(rule)
else:
if ':' in rule.chain:
old_chain = rule.chain.split(':')[0]
new_chain = rule.chain.split(':')[1]
iptables.RULE_CHAINS.remove(old_chain)
iptables.RULE_CHAINS.add(new_chain)
iptables.RULE_TARGETS.add(rule.chain)
else:
iptables.RULE_CHAINS.add(rule.chain)
iptables.RULE_TARGETS.add(rule.chain)
elif modify == 'D':
if rule_exists:
if rule.target == 'CREATE':
modify = 'X'
#TODO delete rules in the loop to delete actual iptables duplicates. It's to satisfy idempotency and plays well with common sense
Iptables.exe_rule(modify, rule)
if rule.target != 'CREATE':
ruleset.discard(rule)
else:
iptables.RULE_TARGETS.remove(rule.chain)
iptables.RULE_CHAINS.remove(rule.chain)
else:
print("non existing rule")
log.warn("Trying to delete not existing rule: {}. Command ignored.".format(rule))
elif modify == 'L':
#TODO rereading the iptables?
pass
# Hack to prevent this exception to reach the threading code, preventing this thread from running more than this
except Exception:
pass
finally:
self.cmd_queue.task_done()
