def service_applyRules(self, context, consistency_error, use_nufw):
    """
    Apply ACLs to iptables and LDAP.

    Arguments:
    - consistency_error (bool): if True, block on consistency error
    - use_nufw (bool): if True, create LDAP rules and use authentication.
      If False, don't create LDAP rules and ignore all NuFW filters
      (user group, time, etc.)

    Return is a dictionary with keys:
    - applied (boolean): True if rules are correctly applied
    - errors (list of messages): error messages
    - warnings (list of messages): warning messages
    - consistency_error (boolean): True if the apply failed because of
      the consistency engine

    A message is a tuple (format, arguments); to display it, use:
    ::
        format % arguments

    Raises RulesetError when running on an EdenWall multisite master.
    """
    # The multisite check is only consulted on EdenWall builds; keep the
    # nesting so getMultisiteType() is never called otherwise.
    if EDENWALL:
        if self.core.getMultisiteType() == MULTISITE_MASTER:
            raise RulesetError(
                tr("Can not apply rules from a multisite master."))
    # Normalise the caller-supplied flags before they reach the apply engine.
    nufw_enabled = getBoolean(use_nufw)
    block_on_inconsistency = getBoolean(consistency_error)
    current_ruleset = self.getRuleset(context)
    return applyRulesDefer(context, self, current_ruleset,
                           nufw_enabled, block_on_inconsistency)
def service_setFusion(self, context, enabled):
    """
    Enable or disable the fusion.

    ``enabled`` is coerced with getBoolean(); the ruleset is fetched with
    raise_error=False, so the client receives whatever getRuleset() returns
    when no ruleset is loaded.
    """
    wanted = getBoolean(enabled)
    rules_client = self.getClient(context)
    current_ruleset = self.getRuleset(context, raise_error=False)
    return rules_client.setFusion(wanted, current_ruleset)
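def service_iptablesRules(self, context, rule_type, identifiers, use_nufw):
    """
    iptablesRules(rule_type, identifiers, use_nufw)

    Create iptables rules for ACLs:
    - rule_type: unicode string selecting which rules to generate
      (NOTE(review): the previous docstring documented this parameter as
      address_type "IPv4"/"IPv6"; confirm the accepted values against
      iptablesRules())
    - identifiers: ACL identifiers (list of integers)
    - use_nufw: boolean, forwarded to iptablesRules()

    Use an empty list as identifiers to generate rules of all ACLs.

    Result is a list of Unicode strings (without "iptables " prefix).
    """
    # Coerce every RPC-supplied argument before it reaches the generator.
    rule_type = getUnicode(rule_type)
    identifiers = getIntegerList(identifiers)
    use_nufw = getBoolean(use_nufw)
    ruleset = self.getRuleset(context)
    return iptablesRules(context, self, ruleset, rule_type, identifiers,
                         use_nufw)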
def service_addNatIptable(self, context, ipv6, iptable):
    """
    Add a NAT rule.

    Arguments:
    - ipv6: boolean
    - iptable: unicode string

    Example:
    (False, '-A PREROUTING -p tcp --dport 80 -s $NET -j SOME_CHAIN')
    is similar to
    'iptables -t nat -A PREROUTING -p tcp --dport 80 -s $NET -j SOME_CHAIN'

    The rule will be added before the ruleset rules.
    """
    family = IPV6_ADDRESS if getBoolean(ipv6) else IPV4_ADDRESS
    rules_file = self.getRulesFile(context)
    # NOTE(review): the rule text is forwarded as-is; whether IptableRule
    # validates it is not visible here -- confirm before relying on it.
    rules_file.addNatRule(IptableRule(family, iptable))
def service_addMangleIptable(self, context, ipv6, iptable):
    """
    Add a mangle rule.

    Arguments:
    - ipv6: boolean
    - iptable: unicode string

    Example:
    (False, '-A POSTROUTING -m mark --mark 0x20000/0x20000 -j MARK --and-mark 0xfffdffff')
    is similar to
    'iptables -t mangle -A POSTROUTING -m mark --mark 0x20000/0x20000 -j MARK --and-mark 0xfffdffff'

    The rule will be added before the ruleset rules.
    """
    family = IPV6_ADDRESS if getBoolean(ipv6) else IPV4_ADDRESS
    rules_file = self.getRulesFile(context)
    # NOTE(review): the rule text is forwarded as-is; whether IptableRule
    # validates it is not visible here -- confirm before relying on it.
    rules_file.addMangleRule(IptableRule(family, iptable))
def service_addFilterIptable(self, context, ipv6, iptable):
    """
    Add a filter rule.

    Arguments:
    - ipv6: boolean
    - iptable: unicode string

    Example:
    (False, '-A FORWARD -m mark ! --mark 0x20000/0x20000 -j IPS_NETS')
    is similar to
    'iptables -t filter -A FORWARD -m mark ! --mark 0x20000/0x20000 -j IPS_NETS'

    The rule will be added before the ruleset rules.
    """
    family = IPV6_ADDRESS if getBoolean(ipv6) else IPV4_ADDRESS
    rules_file = self.getRulesFile(context)
    # NOTE(review): the rule text is forwarded as-is; whether IptableRule
    # validates it is not visible here -- confirm before relying on it.
    rules_file.addFilterRule(IptableRule(family, iptable))
def getFusion(self, context, fusion):
    """
    Resolve the fusion flag.

    An explicit ``fusion`` argument wins (coerced with getBoolean());
    when it is None, the client's current ``fusion`` attribute is used.
    """
    if fusion is not None:
        return getBoolean(fusion)
    return self.getClient(context).fusion
def _setUseNND(self, use_nnd):
    """
    Record the NND flag on the instance and persist it.

    The coerced boolean is stored as ``self.use_nnd``, logged at debug
    level, and written under the 'use_nnd' key of a VariablesStore saved
    to STORAGE_FILENAME.
    """
    self.use_nnd = getBoolean(use_nnd)
    self.debug("Use NND: %s" % (self.use_nnd,))
    # Persist so the setting survives a restart.
    store = VariablesStore()
    store['use_nnd'] = self.use_nnd
    store.save(STORAGE_FILENAME)