def installFirewall(self): """install firewall""" log.debug1("%s.installFirewall()", self._log_prefix) # are there any firewall settings to apply? if len(self._settings["firewall"]["services"]) + \ len(self._settings["firewall"]["ports"]) < 1: return # create firewall client fw = FirewallClient() log.debug2("TRACE: Firewall client created") # Make sure firewalld is running by getting the # default zone try: default_zone = fw.getDefaultZone() except DBusException: # firewalld is not running log.error("Firewalld is not running or rolekit cannot access it") raise # save changes to the firewall try: fw_changes = self._settings["firewall-changes"] except KeyError: fw_changes = { } log.debug2("TRACE: Checking for zones: {}".format(self._settings)) try: zones = self._settings["firewall_zones"] except KeyError: zones = [] # if firewall_zones setting is empty, use default zone if len(zones) < 1: zones = [ default_zone ] log.debug2("TRACE: default zone {}".format(zones[0])) for zone in zones: log.debug2("TRACE: Processing zone {0}".format(zone)) # get permanent zone settings, run-time settings do not need a # special treatment z_perm = fw.config().getZoneByName(zone).getSettings() for service in self._settings["firewall"]["services"]: try: fw.addService(zone, service, 0) except Exception as e: if not "ALREADY_ENABLED" in str(e): raise else: fw_changes.setdefault(zone, {}).setdefault("services", {}).setdefault(service, []).append("runtime") if not z_perm.queryService(service): z_perm.addService(service) fw_changes.setdefault(zone, {}).setdefault("services", {}).setdefault(service, []).append("permanent") for port_proto in self._settings["firewall"]["ports"]: port, proto = port_proto.split("/") try: fw.addPort(zone, port, proto, 0) except Exception as e: if not "ALREADY_ENABLED" in str(e): raise else: fw_changes.setdefault(zone, {}).setdefault("ports", {}).setdefault(port_proto, []).append("runtime") if not z_perm.queryPort(port, proto): z_perm.addPort(port, proto) fw_changes.setdefault(zone, {}).setdefault("ports", {}).setdefault(port_proto, []).append("permanent") fw.config().getZoneByName(zone).update(z_perm) self._settings["firewall-changes"] = fw_changes self._settings.write()
def main(): module = AnsibleModule(argument_spec=dict( service=dict(required=False, type='list', default=[]), port=dict(required=False, type='list', default=[]), trust=dict(required=False, type='list', default=[]), trust_by_mac=dict(required=False, type='list', default=[]), masq=dict(required=False, type='list', default=[]), masq_by_mac=dict(required=False, type='list', default=[]), forward_port=dict(required=False, type='list', default=[]), forward_port_by_mac=dict(required=False, type='list', default=[]), state=dict(choices=['enabled', 'disabled'], required=True), ), required_one_of=([ 'service', 'port', 'trust', 'trust_by_mac', 'masq', 'masq_by_mac', 'forward_prot' ], ), supports_check_mode=True) if not HAS_FIREWALLD and not HAS_SYSTEM_CONFIG_FIREWALL: module.fail_json(msg='No firewall backend could be imported.') service = module.params['service'] port = [] for port_proto in module.params['port']: _port, _protocol = port_proto.split('/') if _protocol is None: module.fail_json(msg='improper port format (missing protocol?)') port.append((_port, _protocol)) trust = module.params['trust'] trust_by_mac = [] for item in module.params['trust_by_mac']: _interface = get_device_for_mac(item) if _interface is None: module.fail_json(msg='MAC address not found %s' % item) trust_by_mac.append(_interface) masq = module.params['masq'] masq_by_mac = [] for item in module.params['masq_by_mac']: _interface = get_device_for_mac(item) if _interface is None: module.fail_json(msg='MAC address not found %s' % item) masq_by_mac.append(_interface) forward_port = [] for item in module.params['forward_port']: args = item.split(";") if len(args) != 4: module.fail_json(msg='improper forward_port format: %s' % item) _interface, __port, _to_port, _to_addr = args _port, _protocol = __port.split('/') if _protocol is None: module.fail_json(msg='improper port format (missing protocol?)') if _to_port == "": _to_port = None if _to_addr == "": _to_addr = None forward_port.append((_interface, _port, _protocol, _to_port, _to_addr)) forward_port_by_mac = [] for item in module.params['forward_port_by_mac']: args = item.split(";") if len(args) != 4: module.fail_json(msg='improper forward_port_by_mac format') _mac_addr, __port, _to_port, _to_addr = args _port, _protocol = __port.split('/') if _protocol is None: module.fail_json(msg='improper port format (missing protocol?)') if _to_port == "": _to_port = None if _to_addr == "": _to_addr = None _interface = get_device_for_mac(_mac_addr) if _interface is None: module.fail_json(msg='MAC address not found %s' % _mac_addr) forward_port_by_mac.append( (_interface, _port, _protocol, _to_port, _to_addr)) desired_state = module.params['state'] if HAS_FIREWALLD: fw = FirewallClient() def exception_handler(exception_message): module.fail_json(msg=exception_message) fw.setExceptionHandler(exception_handler) if not fw.connected: module.fail_json(msg='firewalld service must be running') trusted_zone = "trusted" external_zone = "external" default_zone = fw.getDefaultZone() fw_zone = fw.config().getZoneByName(default_zone) fw_settings = fw_zone.getSettings() changed = False changed_zones = {} # service for item in service: if desired_state == "enabled": if not fw.queryService(default_zone, item): fw.addService(default_zone, item) changed = True if not fw_settings.queryService(item): fw_settings.addService(item) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if fw.queryService(default_zone, item): fw.removeService(default_zone, item) if fw_settings.queryService(item): fw_settings.removeService(item) changed = True changed_zones[fw_zone] = fw_settings # port for _port, _protocol in port: if desired_state == "enabled": if not fw.queryPort(default_zone, _port, _protocol): fw.addPort(default_zone, _port, _protocol) changed = True if not fw_settings.queryPort(_port, _protocol): fw_settings.addPort(_port, _protocol) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if fw.queryPort(default_zone, _port, _protocol): fw.removePort(default_zone, _port, _protocol) changed = True if fw_settings.queryPort(_port, _protocol): fw_settings.removePort(_port, _protocol) changed = True changed_zones[fw_zone] = fw_settings # trust, trust_by_mac if len(trust) > 0 or len(trust_by_mac) > 0: items = trust if len(trust_by_mac) > 0: items.extend(trust_by_mac) if default_zone != trusted_zone: fw_zone = fw.config().getZoneByName(trusted_zone) fw_settings = fw_zone.getSettings() for item in items: if desired_state == "enabled": if try_set_zone_of_interface(trusted_zone, item): changed = True else: if not fw.queryInterface(trusted_zone, item): fw.changeZoneOfInterface(trusted_zone, item) changed = True if not fw_settings.queryInterface(item): fw_settings.addInterface(item) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if try_set_zone_of_interface("", item): if module.check_mode: module.exit_json(changed=True) else: if fw.queryInterface(trusted_zone, item): fw.removeInterface(trusted_zone, item) changed = True if fw_settings.queryInterface(item): fw_settings.removeInterface(item) changed = True changed_zones[fw_zone] = fw_settings # masq, masq_by_mac if len(masq) > 0 or len(masq_by_mac) > 0: items = masq if len(masq_by_mac) > 0: items.extend(masq_by_mac) if default_zone != external_zone: fw_zone = fw.config().getZoneByName(external_zone) fw_settings = fw_zone.getSettings() for item in items: if desired_state == "enabled": if try_set_zone_of_interface(external_zone, item): changed = True else: if not fw.queryInterface(external_zone, item): fw.changeZoneOfInterface(external_zone, item) changed = True if not fw_settings.queryInterface(item): fw_settings.addInterface(item) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if try_set_zone_of_interface("", item): if module.check_mode: module.exit_json(changed=True) else: if fw.queryInterface(external_zone, item): fw.removeInterface(external_zone, item) changed = True if fw_settings.queryInterface(item): fw_settings.removeInterface(item) changed = True changed_zones[fw_zone] = fw_settings # forward_port, forward_port_by_mac if len(forward_port) > 0 or len(forward_port_by_mac) > 0: items = forward_port if len(forward_port_by_mac) > 0: items.extend(forward_port_by_mac) for _interface, _port, _protocol, _to_port, _to_addr in items: if _interface != "": _zone = fw.getZoneOfInterface(_interface) if _zone != "" and _zone != default_zone: fw_zone = fw.config().getZoneByName(_zone) fw_settings = fw_zone.getSettings() if desired_state == "enabled": if not fw.queryForwardPort(_zone, _port, _protocol, _to_port, _to_addr): fw.addForwardPort(_zone, _port, _protocol, _to_port, _to_addr) changed = True if not fw_settings.queryForwardPort( _port, _protocol, _to_port, _to_addr): fw_settings.addForwardPort(_port, _protocol, _to_port, _to_addr) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if fw.queryForwardPort(_zone, _port, _protocol, _to_port, _to_addr): fw.removeForwardPort(_zone, _port, _protocol, _to_port, _to_addr) changed = True if fw_settings.queryForwardPort(_port, _protocol, _to_port, _to_addr): fw_settings.removeForwardPort(_port, _protocol, _to_port, _to_addr) changed = True changed_zones[fw_zone] = fw_settings # apply changes if changed: for _zone in changed_zones: _zone.update(changed_zones[_zone]) if module.check_mode: module.exit_json(changed=True) elif HAS_SYSTEM_CONFIG_FIREWALL: (config, old_config, _) = fw_lokkit.loadConfig(args=[], dbus_parser=True) changed = False # service for item in service: if config.services is None: config.services = [] if desired_state == "enabled": if item not in config.services: config.services.append(item) changed = True elif desired_state == "disabled": if item in config.services: config.services.remove(item) changed = True # port for _port, _protocol in port: if config.ports is None: config.ports = [] _range = getPortRange(_port) if _range < 0: module.fail_json(msg='invalid port definition %s' % _port) elif _range is None: module.fail_json(msg='port _range is not unique.') elif len(_range) == 2 and _range[0] >= _range[1]: module.fail_json(msg='invalid port range %s' % _port) port_proto = (_range, _protocol) if desired_state == "enabled": if port_proto not in config.ports: config.ports.append(port_proto) changed = True elif desired_state == "disabled": if port_proto in config.ports: config.ports.remove(port_proto) changed = True # trust, trust_by_mac if len(trust) > 0 or len(trust_by_mac) > 0: if config.trust is None: config.trust = [] items = trust if len(trust_by_mac) > 0: items.extend(trust_by_mac) for item in items: if desired_state == "enabled": if item not in config.trust: config.trust.append(item) changed = True elif desired_state == "disabled": if item in config.trust: config.trust.remove(item) changed = True # masq, masq_by_mac if len(masq) > 0 or len(masq_by_mac) > 0: if config.masq is None: config.masq = [] items = masq if len(masq_by_mac) > 0: items.extend(masq_by_mac) for item in items: if desired_state == "enabled": if item not in config.masq: config.masq.append(item) changed = True elif desired_state == "disabled": if item in config.masq: config.masq.remove(item) changed = True # forward_port, forward_port_by_mac if len(forward_port) > 0 or len(forward_port_by_mac) > 0: if config.forward_port is None: config.forward_port = [] items = forward_port if len(forward_port_by_mac) > 0: items.extend(forward_port_by_mac) for _interface, _port, _protocol, _to_port, _to_addr in items: _range = getPortRange(_port) if _range < 0: module.fail_json(msg='invalid port definition') elif _range is None: module.fail_json(msg='port _range is not unique.') elif len(_range) == 2 and _range[0] >= _range[1]: module.fail_json(msg='invalid port range') fwd_port = { "if": _interface, "port": _range, "proto": _protocol } if _to_port is not None: _range = getPortRange(_to_port) if _range < 0: module.fail_json(msg='invalid port definition %s' % \ _to_port) elif _range is None: module.fail_json(msg='port _range is not unique.') elif len(_range) == 2 and _range[0] >= _range[1]: module.fail_json(msg='invalid port range') fwd_port["toport"] = _range if _to_addr is not None: fwd_port["toaddr"] = _to_addr if desired_state == "enabled": if fwd_port not in config.forward_port: config.forward_port.append(fwd_port) changed = True elif desired_state == "disabled": if fwd_port in config.forward_port: config.forward_port.remove(fwd_port) changed = True # apply changes if changed: fw_lokkit.updateFirewall(config, old_config) if module.check_mode: module.exit_json(changed=True) else: module.fail_json(msg='No firewalld and system-config-firewall') module.exit_json(changed=False)
def main(): module = AnsibleModule( argument_spec=dict( service=dict(required=False, type="list", default=[]), port=dict(required=False, type="list", default=[]), trust=dict(required=False, type="list", default=[]), trust_by_mac=dict(required=False, type="list", default=[]), masq=dict(required=False, type="list", default=[]), masq_by_mac=dict(required=False, type="list", default=[]), forward_port=dict(required=False, type="list", default=[]), forward_port_by_mac=dict(required=False, type="list", default=[]), zone=dict(required=False, type="str", default=None), state=dict(choices=["enabled", "disabled"], required=True), ), required_one_of=([ "service", "port", "trust", "trust_by_mac", "masq", "masq_by_mac", "forward_prot", ], ), supports_check_mode=True, ) if not HAS_FIREWALLD and not HAS_SYSTEM_CONFIG_FIREWALL: module.fail_json(msg="No firewall backend could be imported.") service = module.params["service"] port = [] for port_proto in module.params["port"]: _port, _protocol = port_proto.split("/") if _protocol is None: module.fail_json(msg="improper port format (missing protocol?)") port.append((_port, _protocol)) trust = module.params["trust"] trust_by_mac = [] for item in module.params["trust_by_mac"]: _interface = get_device_for_mac(item) if _interface is None: module.fail_json(msg="MAC address not found %s" % item) trust_by_mac.append(_interface) masq = module.params["masq"] masq_by_mac = [] for item in module.params["masq_by_mac"]: _interface = get_device_for_mac(item) if _interface is None: module.fail_json(msg="MAC address not found %s" % item) masq_by_mac.append(_interface) forward_port = [] for item in module.params["forward_port"]: args = item.split(";") if len(args) == 4: _interface, __port, _to_port, _to_addr = args elif len(args) == 3: _interface = "" __port, _to_port, _to_addr = args else: module.fail_json(msg="improper forward_port format: %s" % item) _port, _protocol = __port.split("/") if _protocol is None: module.fail_json( msg="improper forward port format (missing protocol?)") if _to_port == "": _to_port = None if _to_addr == "": _to_addr = None forward_port.append((_interface, _port, _protocol, _to_port, _to_addr)) forward_port_by_mac = [] for item in module.params["forward_port_by_mac"]: args = item.split(";") if len(args) != 4: module.fail_json(msg="improper forward_port_by_mac format") _mac_addr, __port, _to_port, _to_addr = args _port, _protocol = __port.split("/") if _protocol is None: module.fail_json( msg="improper forward_port_by_mac format (missing protocol?)") if _to_port == "": _to_port = None if _to_addr == "": _to_addr = None _interface = get_device_for_mac(_mac_addr) if _interface is None: module.fail_json(msg="MAC address not found %s" % _mac_addr) forward_port_by_mac.append( (_interface, _port, _protocol, _to_port, _to_addr)) zone = module.params["zone"] if HAS_SYSTEM_CONFIG_FIREWALL and zone is not None: module.fail_json( msg="Zone can not be used with system-config-firewall/lokkit.") desired_state = module.params["state"] if HAS_FIREWALLD: fw = FirewallClient() def exception_handler(exception_message): module.fail_json(msg=exception_message) fw.setExceptionHandler(exception_handler) if not fw.connected: module.fail_json(msg="firewalld service must be running") trusted_zone = "trusted" external_zone = "external" if zone is not None: if zone not in fw.getZones(): module.fail_json(msg="Runtime zone '%s' does not exist." % zone) if zone not in fw.config().getZoneNames(): module.fail_json(msg="Permanent zone '%s' does not exist." % zone) else: zone = fw.getDefaultZone() fw_zone = fw.config().getZoneByName(zone) fw_settings = fw_zone.getSettings() changed = False changed_zones = {} # service for item in service: if desired_state == "enabled": if not fw.queryService(zone, item): fw.addService(zone, item) changed = True if not fw_settings.queryService(item): fw_settings.addService(item) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if fw.queryService(zone, item): fw.removeService(zone, item) if fw_settings.queryService(item): fw_settings.removeService(item) changed = True changed_zones[fw_zone] = fw_settings # port for _port, _protocol in port: if desired_state == "enabled": if not fw.queryPort(zone, _port, _protocol): fw.addPort(zone, _port, _protocol) changed = True if not fw_settings.queryPort(_port, _protocol): fw_settings.addPort(_port, _protocol) changed = True changed_zones[fw_zone] = fw_settings elif desired_state == "disabled": if fw.queryPort(zone, _port, _protocol): fw.removePort(zone, _port, _protocol) changed = True if fw_settings.queryPort(_port, _protocol): fw_settings.removePort(_port, _protocol) changed = True changed_zones[fw_zone] = fw_settings # trust, trust_by_mac if len(trust) > 0 or len(trust_by_mac) > 0: items = trust if len(trust_by_mac) > 0: items.extend(trust_by_mac) if zone != trusted_zone: _fw_zone = fw.config().getZoneByName(trusted_zone) if _fw_zone in changed_zones: _fw_settings = changed_zones[_fw_zone] else: _fw_settings = _fw_zone.getSettings() else: _fw_zone = fw_zone _fw_settings = fw_settings for item in items: if desired_state == "enabled": if try_set_zone_of_interface(trusted_zone, item): changed = True else: if not fw.queryInterface(trusted_zone, item): fw.changeZoneOfInterface(trusted_zone, item) changed = True if not _fw_settings.queryInterface(item): _fw_settings.addInterface(item) changed = True changed_zones[_fw_zone] = _fw_settings elif desired_state == "disabled": if try_set_zone_of_interface("", item): if module.check_mode: module.exit_json(changed=True) else: if fw.queryInterface(trusted_zone, item): fw.removeInterface(trusted_zone, item) changed = True if _fw_settings.queryInterface(item): _fw_settings.removeInterface(item) changed = True changed_zones[_fw_zone] = _fw_settings # masq, masq_by_mac if len(masq) > 0 or len(masq_by_mac) > 0: items = masq if len(masq_by_mac) > 0: items.extend(masq_by_mac) if zone != external_zone: _fw_zone = fw.config().getZoneByName(external_zone) if _fw_zone in changed_zones: _fw_settings = changed_zones[_fw_zone] else: _fw_settings = _fw_zone.getSettings() else: _fw_zone = fw_zone _fw_settings = fw_settings for item in items: if desired_state == "enabled": if try_set_zone_of_interface(external_zone, item): changed = True else: if not fw.queryInterface(external_zone, item): fw.changeZoneOfInterface(external_zone, item) changed = True if not _fw_settings.queryInterface(item): _fw_settings.addInterface(item) changed = True changed_zones[_fw_zone] = _fw_settings elif desired_state == "disabled": if try_set_zone_of_interface("", item): if module.check_mode: module.exit_json(changed=True) else: if fw.queryInterface(external_zone, item): fw.removeInterface(external_zone, item) changed = True if _fw_settings.queryInterface(item): _fw_settings.removeInterface(item) changed = True changed_zones[_fw_zone] = _fw_settings # forward_port, forward_port_by_mac if len(forward_port) > 0 or len(forward_port_by_mac) > 0: items = forward_port if len(forward_port_by_mac) > 0: items.extend(forward_port_by_mac) for _interface, _port, _protocol, _to_port, _to_addr in items: if _interface != "": _zone = fw.getZoneOfInterface(_interface) else: _zone = zone if _zone != "" and _zone != zone: _fw_zone = fw.config().getZoneByName(_zone) if _fw_zone in changed_zones: _fw_settings = changed_zones[_fw_zone] else: _fw_settings = _fw_zone.getSettings() else: _fw_zone = fw_zone _fw_settings = fw_settings if desired_state == "enabled": if not fw.queryForwardPort(_zone, _port, _protocol, _to_port, _to_addr): fw.addForwardPort(_zone, _port, _protocol, _to_port, _to_addr) changed = True if not _fw_settings.queryForwardPort( _port, _protocol, _to_port, _to_addr): _fw_settings.addForwardPort(_port, _protocol, _to_port, _to_addr) changed = True changed_zones[_fw_zone] = _fw_settings elif desired_state == "disabled": if fw.queryForwardPort(_zone, _port, _protocol, _to_port, _to_addr): fw.removeForwardPort(_zone, _port, _protocol, _to_port, _to_addr) changed = True if _fw_settings.queryForwardPort(_port, _protocol, _to_port, _to_addr): _fw_settings.removeForwardPort(_port, _protocol, _to_port, _to_addr) changed = True changed_zones[_fw_zone] = _fw_settings # apply changes if changed: for _zone in changed_zones: _zone.update(changed_zones[_zone]) module.exit_json(changed=True) elif HAS_SYSTEM_CONFIG_FIREWALL: (config, old_config, _) = fw_lokkit.loadConfig(args=[], dbus_parser=True) changed = False # service for item in service: if config.services is None: config.services = [] if desired_state == "enabled": if item not in config.services: config.services.append(item) changed = True elif desired_state == "disabled": if item in config.services: config.services.remove(item) changed = True # port for _port, _protocol in port: if config.ports is None: config.ports = [] _range = getPortRange(_port) if _range < 0: module.fail_json(msg="invalid port definition %s" % _port) elif _range is None: module.fail_json(msg="port _range is not unique.") elif len(_range) == 2 and _range[0] >= _range[1]: module.fail_json(msg="invalid port range %s" % _port) port_proto = (_range, _protocol) if desired_state == "enabled": if port_proto not in config.ports: config.ports.append(port_proto) changed = True elif desired_state == "disabled": if port_proto in config.ports: config.ports.remove(port_proto) changed = True # trust, trust_by_mac if len(trust) > 0 or len(trust_by_mac) > 0: if config.trust is None: config.trust = [] items = trust if len(trust_by_mac) > 0: items.extend(trust_by_mac) for item in items: if desired_state == "enabled": if item not in config.trust: config.trust.append(item) changed = True elif desired_state == "disabled": if item in config.trust: config.trust.remove(item) changed = True # masq, masq_by_mac if len(masq) > 0 or len(masq_by_mac) > 0: if config.masq is None: config.masq = [] items = masq if len(masq_by_mac) > 0: items.extend(masq_by_mac) for item in items: if desired_state == "enabled": if item not in config.masq: config.masq.append(item) changed = True elif desired_state == "disabled": if item in config.masq: config.masq.remove(item) changed = True # forward_port, forward_port_by_mac if len(forward_port) > 0 or len(forward_port_by_mac) > 0: if config.forward_port is None: config.forward_port = [] items = forward_port if len(forward_port_by_mac) > 0: items.extend(forward_port_by_mac) for _interface, _port, _protocol, _to_port, _to_addr in items: _range = getPortRange(_port) if _range < 0: module.fail_json(msg="invalid port definition") elif _range is None: module.fail_json(msg="port _range is not unique.") elif len(_range) == 2 and _range[0] >= _range[1]: module.fail_json(msg="invalid port range") fwd_port = { "if": _interface, "port": _range, "proto": _protocol } if _to_port is not None: _range = getPortRange(_to_port) if _range < 0: module.fail_json(msg="invalid port definition %s" % _to_port) elif _range is None: module.fail_json(msg="port _range is not unique.") elif len(_range) == 2 and _range[0] >= _range[1]: module.fail_json(msg="invalid port range") fwd_port["toport"] = _range if _to_addr is not None: fwd_port["toaddr"] = _to_addr if desired_state == "enabled": if fwd_port not in config.forward_port: config.forward_port.append(fwd_port) changed = True elif desired_state == "disabled": if fwd_port in config.forward_port: config.forward_port.remove(fwd_port) changed = True # apply changes if changed: fw_lokkit.updateFirewall(config, old_config) if module.check_mode: module.exit_json(changed=True) else: module.fail_json(msg="No firewalld and system-config-firewall") module.exit_json(changed=False)
class FirewallWrapper: NETWORKBLOCK_IPSET4 = 'networkblock4' NETWORKBLOCK_IPSET6 = 'networkblock6' NETWORKBLOCK_IPSET_BASE_NAME = 'networkblock' def __init__(self): self.fw = FirewallClient() self.config = self.fw.config() if not self.config: log.warning('FirewallD is not running attempting to start...') import subprocess import time subprocess.check_output( ['systemctl', 'enable', '--now', 'firewalld']) # firewall-cmd synchronously waits for FirewallD startup subprocess.check_output(['firewall-cmd', '--state']) self.fw = FirewallClient() self.config = self.fw.config() def get_create_set(self, name, family='inet'): if name in self.config.getIPSetNames(): return self.config.getIPSetByName(name) settings = FirewallClientIPSetSettings() settings.setType('hash:net') settings.setOptions({ 'maxelem': '1000000', 'family': family, 'hashsize': '4096' }) return self.config.addIPSet(name, settings) def get_block_ipset4(self, name=None): if not name: name = FirewallWrapper.NETWORKBLOCK_IPSET_BASE_NAME name = name + '4' if name in self.config.getIPSetNames(): return self.config.getIPSetByName(name) settings = FirewallClientIPSetSettings() settings.setType('hash:net') settings.setOptions({ 'maxelem': '1000000', 'family': 'inet', 'hashsize': '4096' }) return self.config.addIPSet(name, settings) def get_block_ipset6(self, name=None): if not name: name = FirewallWrapper.NETWORKBLOCK_IPSET_BASE_NAME name = name + '6' if name in self.config.getIPSetNames(): return self.config.getIPSetByName(name) settings = FirewallClientIPSetSettings() settings.setType('hash:net') settings.setOptions({ 'maxelem': '1000000', 'family': 'inet6', 'hashsize': '4096' }) return self.config.addIPSet(name, settings) def get_block_ipset_for_ip(self, ip, name=None): if ip.version == 4: return self.get_block_ipset4(name) if ip.version == 6: return self.get_block_ipset6(name) return None @do_maybe_already_enabled def ensure_ipset_entries(self, ipset, entries): return ipset.setEntries(entries) @do_maybe_already_enabled def ensure_entry_in_ipset(self, ipset, entry): return ipset.addEntry(str(entry)) @do_maybe_already_enabled def ensure_entry_not_in_ipset(self, ipset, entry): return ipset.removeEntry(str(entry)) @do_maybe_already_enabled def ensure_block_ipset_in_drop_zone(self, ipset): # ensure that the block ipset is in drop zone: drop_zone = self.config.getZoneByName('drop') # self.config.getIPSetNames return drop_zone.addSource('ipset:{}'.format( ipset.get_property('name'))) @do_maybe_already_enabled def add_service(self, name, zone='public'): self.fw.addService(zone, name) self.fw.runtimeToPermanent() @do_maybe_already_enabled def block_ip(self, ip, ipset_name=None, reload=True): block_ipset = self.get_block_ipset_for_ip(ip, ipset_name) if not block_ipset: # TODO err: unsupported protocol raise Exception('Unsupported protocol') self.ensure_block_ipset_in_drop_zone(block_ipset) log.info('Adding IP address {} to block set {}'.format( ip, block_ipset.get_property('name'))) try: from aggregate6 import aggregate entries = [] for entry in block_ipset.getEntries(): entries.append(str(entry)) entries.append(str(ip)) block_ipset.setEntries(aggregate(entries)) except ImportError: block_ipset.addEntry(str(ip)) if reload: log.info('Reloading FirewallD to apply permanent configuration') self.fw.reload() log.info('Breaking connection with {}'.format(ip)) from subprocess import CalledProcessError, check_output, STDOUT try: check_output(["/sbin/conntrack", "-D", "-s", str(ip)], stderr=STDOUT) except CalledProcessError as e: pass def get_blocked_ips4(self, name=None): block_ipset4 = self.get_block_ipset4(name) return block_ipset4.getEntries() def get_blocked_ips6(self, name=None): block_ipset6 = self.get_block_ipset6(name) return block_ipset6.getEntries() @do_maybe_not_enabled def remove_ipset_from_zone(self, zone, ipset_name): # drop_zone.removeSource('ipset:') zone.removeSource('ipset:{}'.format(ipset_name)) @do_maybe_invalid_ipset def clear_ipset_by_name(self, ipset_name): try: # does not work: ipset.setEntries([]) self.fw.setEntries(ipset_name, []) except dbus.exceptions.DBusException: pass @do_maybe_invalid_ipset def destroy_ipset_by_name(self, name): log.info('Destroying IPSet {}'.format(name)) # firewalld up to this commit # https://github.com/firewalld/firewalld/commit/f5ed30ce71755155493e78c13fd9036be8f70fc4 # does not delete runtime ipsets, so we have to clear them :( # they are not removed from runtime as still reported by ipset -L # although they *are* removed from FirewallD if name not in self.fw.getIPSets(): return ipset = self.config.getIPSetByName(name) if ipset: self.clear_ipset_by_name(name) ipset.remove() def get_blocked_countries(self): blocked_countries = [] all_ipsets = self.fw.getIPSets() from .Countries import Countries countries = Countries() for ipset_name in all_ipsets: if ipset_name.startswith('fds-'): country_code = ipset_name.split('-')[1] if country_code in countries.names_by_code: blocked_countries.append( countries.names_by_code[country_code]) return blocked_countries def update_ipsets(self): need_reload = False all_ipsets = self.fw.getIPSets() from .Countries import Countries countries = Countries() is_tor_blocked = False for ipset_name in all_ipsets: if ipset_name.startswith('fds-tor-'): is_tor_blocked = True elif ipset_name.startswith('fds-'): country_code = ipset_name.split('-')[1] if country_code in countries.names_by_code: country_name = countries.names_by_code[country_code] country = countries.get_by_name(country_name) self.block_country(country, reload=False) need_reload = True if is_tor_blocked: self.block_tor(reload=False) need_reload = True if need_reload: self.fw.reload() return True def reset(self): drop_zone = self.config.getZoneByName('drop') self.remove_ipset_from_zone(drop_zone, self.NETWORKBLOCK_IPSET4) self.destroy_ipset_by_name(self.NETWORKBLOCK_IPSET4) self.remove_ipset_from_zone(drop_zone, self.NETWORKBLOCK_IPSET6) self.destroy_ipset_by_name(self.NETWORKBLOCK_IPSET6) all_ipsets = self.fw.getIPSets() # get any ipsets prefixed with "fds-" for ipset_name in all_ipsets: if ipset_name.startswith('fds-'): self.remove_ipset_from_zone(drop_zone, ipset_name) self.destroy_ipset_by_name(ipset_name) self.fw.reload() def block_tor(self, reload=True): log.info('Blocking Tor exit nodes') w = WebClient() tor4_exits = w.get_tor_exits(family=4) tor6_exits = w.get_tor_exits(family=6) tor4_ipset = self.get_create_set('fds-tor-4') self.ensure_ipset_entries(tor4_ipset, tor4_exits) tor6_ipset = self.get_create_set('fds-tor-6', family='inet6') self.ensure_ipset_entries(tor6_ipset, tor6_exits) self.ensure_block_ipset_in_drop_zone(tor4_ipset) self.ensure_block_ipset_in_drop_zone(tor6_ipset) if reload: log.info('Reloading FirewallD...') self.fw.reload() log.info('Done!') # while cron will do "sync" behavior" def block_country(self, country, reload=True): # print('address/netmask is invalid: %s' % sys.argv[1]) # parse out as a country log.info('Blocking {} {}'.format(country.name, country.getFlag())) # print("\N{grinning face}") # TODO get aggregated zone file, save as cache, # do diff to know which stuff was changed and add/remove blocks # https://docs.python.org/2/library/difflib.html # TODO persist info on which countries were blocked (in the config file) # then sync zones via "fds cron" # TODO conditional get test on getpagespeed.com w = WebClient() country_networks = w.get_country_networks(country=country) ipset = self.get_create_set(country.get_set_name()) self.ensure_ipset_entries(ipset, country_networks) # this is slow. setEntries is a lot faster # for network in tqdm(country_networks, unit='network', # desc='Adding {} networks to IPSet {}'.format(c.getNation(), c.get_set_name())): # log.debug(network) # fw.ensure_entry_in_ipset(ipset=ipset, entry=network) # TODO retry, timeout # this action re-adds all entries entirely # there should be "fds-<country.code>-<family>" ip set self.ensure_block_ipset_in_drop_zone(ipset) if reload: log.info('Reloading FirewallD...') self.fw.reload() log.info('Done!') # while cron will do "sync" behavior" def unblock_country(self, ip_or_country_name): # print('address/netmask is invalid: %s' % sys.argv[1]) # parse out as a country from .Countries import Countries countries = Countries() c = countries.get_by_name(ip_or_country_name) if not c: log.error( '{} does not look like a correct IP or a country name'.format( ip_or_country_name)) return False drop_zone = self.config.getZoneByName('drop') log.info('Unblocking {} {}'.format(c.name, c.getFlag())) self.remove_ipset_from_zone(drop_zone, c.get_set_name()) self.destroy_ipset_by_name(c.get_set_name()) log.info('Reloading FirewallD...') self.fw.reload() log.info('Done!') # while cron will do "sync" behavior" def unblock_ip(self, ip_or_country_name): block_ipset = self.get_block_ipset_for_ip(ip_or_country_name) if not block_ipset: # TODO err: unsupported protocol raise Exception('Unsupported protocol') log.info('Removing {} from block set {}'.format( ip_or_country_name, block_ipset.get_property('name'))) self.ensure_entry_not_in_ipset(block_ipset, ip_or_country_name) log.info('Reloading FirewallD to apply permanent configuration') self.fw.reload()