Пример #1
    def __setup_ban(self, cmd_array, bannedIPV4, bannedMAC):
        """Append the nftables commands that build the ban ruleset to *cmd_array*.

        Creates the inet ``BanTable`` with two filter chains and two sets, then
        one drop rule per chain, in this order: table, ``BanIpChain``,
        ``BanMacChain``, ``BannedIPv4`` set, ``BannedMAC`` set, IPv4 rule,
        MAC rule.

        * ``BanIpChain`` (hook FORWARD) drops packets whose ``ip daddr`` is in
          the ``BannedIPv4`` set, seeded from *bannedIPV4*.
        * ``BanMacChain`` (hook INPUT) drops packets whose ``ether saddr`` is in
          the ``BannedMAC`` set, seeded from *bannedMAC*.

        Both chains keep an ACCEPT policy, so packets not matched by a set fall
        through to the rest of the ruleset. Nothing is executed here; the
        caller runs the accumulated commands.

        NOTE(review): as written the IPv4 rule inspects forwarded traffic by
        destination address only, so traffic *from* a banned IPv4 address
        that is addressed to this host is not covered by these rules. Confirm
        that this is the intended scope.
        """
        ban_table = OBJ.TABLE(family=ENUM.ADDR_FAMILY.INET, name="BanTable")
        # Every other object is keyed off the table object, not the literals,
        # so whatever normalisation OBJ.TABLE applies is inherited.
        family = ban_table.family
        table_name = ban_table.name

        def filter_chain(name, hook):
            # Both chains share family/table/type/priority/policy; only the
            # chain name and the hook differ.
            return OBJ.CHAIN(family=family,
                             table=table_name,
                             name=name,
                             type=ENUM.CHAIN_TYPE.FILTER,
                             hook=hook,
                             prio=ENUM.CHAIN_PRIORITY.NF_IP_PRI_FILTER,
                             policy=ENUM.CHAIN_POLICY.ACCEPT)

        def named_set(name, set_type, elements):
            # A set living in BanTable, pre-populated with *elements*.
            return OBJ.SET(family=family,
                           table=table_name,
                           name=name,
                           type=set_type,
                           elem=elements)

        def drop_rule(chain, protocol, field, set_ref):
            # Rule body: `<protocol> <field> == <set_ref>` followed by a drop
            # verdict, installed in *chain*.
            payload = EXP.REFERENCE_PAYLOAD(protocol=protocol, field=field)
            match = STAT.MATCH(left=payload,
                               right=set_ref,
                               op=ENUM.OPERATOR.EQUAL)
            return OBJ.RULE(family=family,
                            table=table_name,
                            chain=chain.name,
                            expr=[match, STAT.VERDICT_DROP()])

        ip_chain = filter_chain("BanIpChain", ENUM.CHAIN_HOOK.FORWARD)
        mac_chain = filter_chain("BanMacChain", ENUM.CHAIN_HOOK.INPUT)

        # Table and chains must be added before the sets and rules that
        # reference them, so the append order below is significant.
        for nft_obj in (ban_table, ip_chain, mac_chain):
            cmd_array.append(CMD.ADD(add=nft_obj))

        ipv4_set = named_set("BannedIPv4", ENUM.SET_TYPE.IPV4_ADDR, bannedIPV4)
        mac_set = named_set("BannedMAC", ENUM.SET_TYPE.ETHER_ADDR, bannedMAC)
        for nft_obj in (ipv4_set, mac_set):
            cmd_array.append(CMD.ADD(add=nft_obj))

        # Drop anything whose IPv4 destination / Ethernet source is banned.
        cmd_array.append(CMD.ADD(add=drop_rule(ip_chain, "ip", "daddr", "@BannedIPv4")))
        cmd_array.append(CMD.ADD(add=drop_rule(mac_chain, "ether", "saddr", "@BannedMAC")))
Пример #2
 def test_CMD_execution(self):
     """A well-formed ADD of an inet table executes with rc == 0."""
     new_table = OBJ.TABLE(family=ENUM.ADDR_FAMILY.INET, name="table_1")
     add_cmd = CMD.ADD(add=new_table)
     outcome = pynft.execute(add_cmd, "add_table_1")
     self.assertEqual(outcome['rc'], 0)
Пример #3
 def ban_ipv4(self, addr: str):
     """Add *addr* to the ``BannedIPv4`` set of the inet ``BanTable``.

     Builds an ADD-element command and hands it to ``self.nft.execute``
     under the label ``"ban_ipv4: <addr>"``; the executor's result is
     returned unchanged. *addr* is passed through exactly as given — no
     syntax check happens here — so callers that take addresses from
     outside the program should validate them first and check the
     returned result rather than assume the ban took effect.
     """
     element = OBJ.ELEMENT(family=ENUM.ADDR_FAMILY.INET,
                           table="BanTable",
                           name="BannedIPv4",
                           elem=addr)
     label = "ban_ipv4: " + addr
     return self.nft.execute(CMD.ADD(add=element), label)
Пример #4
 def test_type_checking(self):
     """An ADD whose table has a non-enum family is rejected with rc == -1."""
     bogus_table = OBJ.TABLE(family="a very illegal string", name="table_1")
     add_cmd = CMD.ADD(add=bogus_table)
     outcome = pynft.execute(add_cmd, "add_table_1")
     self.assertEqual(outcome['rc'], -1)