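def policy_writer(policy, path=None):
    """Serialize a policy object to ``<dir>/<policy.filename|policy.name.xml>``.

    Args:
        policy: Object exposing ``path``, ``filename``, ``name``, ``version``,
            ``priority``, ``priority_default``, ``target``, ``ingress_zones``
            and ``egress_zones``; it is also handed to ``common_writer``.
        path: Directory to write into; defaults to ``policy.path``.

    Raises:
        OSError: if the target directory cannot be created or the file
            cannot be opened for writing.

    A pre-existing file is first copied to ``<name>.old``; a failed backup
    is only logged and the write still proceeds.
    """
    _path = path if path else policy.path

    if policy.filename:
        name = "%s/%s" % (_path, policy.filename)
    else:
        name = "%s/%s.xml" % (_path, policy.name)

    # Best-effort backup of the previous version; failure is not fatal.
    if os.path.exists(name):
        try:
            shutil.copy2(name, "%s.old" % name)
        except Exception as msg:
            log.error("Backup of file '%s' failed: %s", name, msg)

    # Directories are only created on demand below ETC_FIREWALLD. 0o750 is
    # still subject to the process umask, and the exists()/mkdir() pair is
    # not atomic, so a concurrent writer could make mkdir() raise.
    dirpath = os.path.dirname(name)
    if dirpath.startswith(
            config.ETC_FIREWALLD) and not os.path.exists(dirpath):
        if not os.path.exists(config.ETC_FIREWALLD):
            os.mkdir(config.ETC_FIREWALLD, 0o750)
        os.mkdir(dirpath, 0o750)

    # The context manager closes the file on every exit path, including
    # when XML generation below raises.
    with io.open(name, mode='wt', encoding='UTF-8') as f:
        handler = IO_Object_XMLGenerator(f)
        handler.startDocument()

        # start policy element; priority is only written when non-default
        attrs = {}
        if policy.version and policy.version != "":
            attrs["version"] = policy.version
        if policy.priority != policy.priority_default:
            attrs["priority"] = str(policy.priority)
        attrs["target"] = policy.target
        handler.startElement("policy", attrs)
        handler.ignorableWhitespace("\n")

        common_writer(policy, handler)

        # ingress-zones (de-duplicated by uniqify)
        for zone in uniqify(policy.ingress_zones):
            handler.ignorableWhitespace("  ")
            handler.simpleElement("ingress-zone", {"name": zone})
            handler.ignorableWhitespace("\n")

        # egress-zones (de-duplicated by uniqify)
        for zone in uniqify(policy.egress_zones):
            handler.ignorableWhitespace("  ")
            handler.simpleElement("egress-zone", {"name": zone})
            handler.ignorableWhitespace("\n")

        # end policy element
        handler.endElement("policy")
        handler.ignorableWhitespace("\n")
        handler.endDocument()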
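def ipset_writer(ipset, path=None):
    """Serialize an ipset object to ``<dir>/<ipset.filename|ipset.name.xml>``.

    Args:
        ipset: Object exposing ``path``, ``filename``, ``name``, ``type``,
            ``version``, ``short``, ``description``, ``options`` (mapping)
            and ``entries`` (iterable of strings).
        path: Directory to write into; defaults to ``ipset.path``.

    Raises:
        OSError: if the target directory cannot be created or the file
            cannot be opened for writing.

    A pre-existing file is first copied to ``<name>.old``; a failed backup
    is only logged and the write still proceeds.
    """
    _path = path if path else ipset.path

    if ipset.filename:
        name = "%s/%s" % (_path, ipset.filename)
    else:
        name = "%s/%s.xml" % (_path, ipset.name)

    # Best-effort backup of the previous version; failure is not fatal.
    if os.path.exists(name):
        try:
            shutil.copy2(name, "%s.old" % name)
        except Exception as msg:
            log.error("Backup of file '%s' failed: %s", name, msg)

    # Directories are only created on demand below ETC_FIREWALLD. 0o750 is
    # still subject to the process umask, and the exists()/mkdir() pair is
    # not atomic, so a concurrent writer could make mkdir() raise.
    dirpath = os.path.dirname(name)
    if dirpath.startswith(ETC_FIREWALLD) and not os.path.exists(dirpath):
        if not os.path.exists(ETC_FIREWALLD):
            os.mkdir(ETC_FIREWALLD, 0o750)
        os.mkdir(dirpath, 0o750)

    # The context manager closes the file on every exit path, including
    # when XML generation below raises.
    with io.open(name, mode='wt', encoding='UTF-8') as f:
        handler = IO_Object_XMLGenerator(f)
        handler.startDocument()

        # start ipset element; "type" is mandatory, "version" optional
        attrs = {"type": ipset.type}
        if ipset.version and ipset.version != "":
            attrs["version"] = ipset.version
        handler.startElement("ipset", attrs)
        handler.ignorableWhitespace("\n")

        # short
        if ipset.short and ipset.short != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("short", {})
            handler.characters(ipset.short)
            handler.endElement("short")
            handler.ignorableWhitespace("\n")

        # description
        if ipset.description and ipset.description != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("description", {})
            handler.characters(ipset.description)
            handler.endElement("description")
            handler.ignorableWhitespace("\n")

        # options: an empty value is written as a name-only option
        for key, value in ipset.options.items():
            handler.ignorableWhitespace("  ")
            if value != "":
                handler.simpleElement("option", {"name": key, "value": value})
            else:
                handler.simpleElement("option", {"name": key})
            handler.ignorableWhitespace("\n")

        # entries
        for entry in ipset.entries:
            handler.ignorableWhitespace("  ")
            handler.startElement("entry", {})
            handler.characters(entry)
            handler.endElement("entry")
            handler.ignorableWhitespace("\n")

        # end ipset element
        handler.endElement('ipset')
        handler.ignorableWhitespace("\n")
        handler.endDocument()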
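def service_writer(service, path=None):
    """Serialize a service object to ``<dir>/<service.filename|service.name.xml>``.

    Args:
        service: Object exposing ``path``, ``filename``, ``name``, ``version``,
            ``short``, ``description``, ``ports`` and ``source_ports``
            (sequences of ``(port, protocol)`` pairs), ``protocols``,
            ``modules``, ``destination`` (mapping written as attributes),
            ``includes`` and ``helpers``.
        path: Directory to write into; defaults to ``service.path``.

    Raises:
        OSError: if the target directory cannot be created or the file
            cannot be opened for writing.

    A pre-existing file is first copied to ``<name>.old``; a failed backup
    is only logged and the write still proceeds.
    """
    _path = path if path else service.path

    if service.filename:
        name = "%s/%s" % (_path, service.filename)
    else:
        name = "%s/%s.xml" % (_path, service.name)

    # Best-effort backup of the previous version; failure is not fatal.
    if os.path.exists(name):
        try:
            shutil.copy2(name, "%s.old" % name)
        except Exception as msg:
            log.error("Backup of file '%s' failed: %s", name, msg)

    # Directories are only created on demand below ETC_FIREWALLD. 0o750 is
    # still subject to the process umask, and the exists()/mkdir() pair is
    # not atomic, so a concurrent writer could make mkdir() raise.
    dirpath = os.path.dirname(name)
    if dirpath.startswith(
            config.ETC_FIREWALLD) and not os.path.exists(dirpath):
        if not os.path.exists(config.ETC_FIREWALLD):
            os.mkdir(config.ETC_FIREWALLD, 0o750)
        os.mkdir(dirpath, 0o750)

    # The context manager closes the file on every exit path, including
    # when XML generation below raises.
    with io.open(name, mode='wt', encoding='UTF-8') as f:
        handler = IO_Object_XMLGenerator(f)
        handler.startDocument()

        # start service element
        attrs = {}
        if service.version and service.version != "":
            attrs["version"] = service.version
        handler.startElement("service", attrs)
        handler.ignorableWhitespace("\n")

        # short
        if service.short and service.short != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("short", {})
            handler.characters(service.short)
            handler.endElement("short")
            handler.ignorableWhitespace("\n")

        # description
        if service.description and service.description != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("description", {})
            handler.characters(service.description)
            handler.endElement("description")
            handler.ignorableWhitespace("\n")

        # ports
        for port in service.ports:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("port", {"port": port[0], "protocol": port[1]})
            handler.ignorableWhitespace("\n")

        # protocols
        for protocol in service.protocols:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("protocol", {"value": protocol})
            handler.ignorableWhitespace("\n")

        # source ports
        for port in service.source_ports:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("source-port", {
                "port": port[0],
                "protocol": port[1]
            })
            handler.ignorableWhitespace("\n")

        # modules
        for module in service.modules:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("module", {"name": module})
            handler.ignorableWhitespace("\n")

        # destination: the mapping itself becomes the element's attributes
        if len(service.destination) > 0:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("destination", service.destination)
            handler.ignorableWhitespace("\n")

        # includes
        for include in service.includes:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("include", {"service": include})
            handler.ignorableWhitespace("\n")

        # helpers
        for helper in service.helpers:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("helper", {"name": helper})
            handler.ignorableWhitespace("\n")

        # end service element
        handler.endElement('service')
        handler.ignorableWhitespace("\n")
        handler.endDocument()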
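def zone_writer(zone, path=None):
    """Serialize a zone object to ``<dir>/<zone.filename|zone.name.xml>``.

    Args:
        zone: Object exposing ``path``, ``filename``, ``name``, ``version``,
            ``target``, ``short``, ``description``, ``interfaces``,
            ``sources``, ``services``, ``ports``, ``protocols``,
            ``icmp_block_inversion``, ``icmp_blocks``, ``masquerade``,
            ``forward_ports``, ``source_ports`` and ``rules`` (rich rules).
        path: Directory to write into; defaults to ``zone.path``.

    Raises:
        FirewallError: ``errors.INVALID_OBJECT`` when a rich rule carries an
            element of unknown type.
        OSError: if the target directory cannot be created or the file
            cannot be opened for writing.

    A pre-existing file is first copied to ``<name>.old``; a failed backup
    is only logged and the write still proceeds.
    """
    _path = path if path else zone.path

    if zone.filename:
        name = "%s/%s" % (_path, zone.filename)
    else:
        name = "%s/%s.xml" % (_path, zone.name)

    # Best-effort backup of the previous version; failure is not fatal.
    if os.path.exists(name):
        try:
            shutil.copy2(name, "%s.old" % name)
        except Exception as msg:
            log.error("Backup of file '%s' failed: %s", name, msg)

    # Directories are only created on demand below ETC_FIREWALLD. 0o750 is
    # still subject to the process umask, and the exists()/mkdir() pair is
    # not atomic, so a concurrent writer could make mkdir() raise.
    dirpath = os.path.dirname(name)
    if dirpath.startswith(
            config.ETC_FIREWALLD) and not os.path.exists(dirpath):
        if not os.path.exists(config.ETC_FIREWALLD):
            os.mkdir(config.ETC_FIREWALLD, 0o750)
        os.mkdir(dirpath, 0o750)

    # The context manager closes the file on every exit path, including the
    # FirewallError raised for an unknown rich rule element.
    with io.open(name, mode='wt', encoding='UTF-8') as f:
        handler = IO_Object_XMLGenerator(f)
        handler.startDocument()

        # start zone element; target is only written when non-default
        attrs = {}
        if zone.version and zone.version != "":
            attrs["version"] = zone.version
        if zone.target != DEFAULT_ZONE_TARGET:
            attrs["target"] = zone.target
        handler.startElement("zone", attrs)
        handler.ignorableWhitespace("\n")

        # short
        if zone.short and zone.short != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("short", {})
            handler.characters(zone.short)
            handler.endElement("short")
            handler.ignorableWhitespace("\n")

        # description
        if zone.description and zone.description != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("description", {})
            handler.characters(zone.description)
            handler.endElement("description")
            handler.ignorableWhitespace("\n")

        # interfaces (de-duplicated by uniqify, as are the lists below)
        for interface in uniqify(zone.interfaces):
            handler.ignorableWhitespace("  ")
            handler.simpleElement("interface", {"name": interface})
            handler.ignorableWhitespace("\n")

        # source: "ipset:<name>" is written as an ipset reference, anything
        # else as an address
        for source in uniqify(zone.sources):
            handler.ignorableWhitespace("  ")
            if "ipset:" in source:
                handler.simpleElement("source", {"ipset": source[6:]})
            else:
                handler.simpleElement("source", {"address": source})
            handler.ignorableWhitespace("\n")

        # services
        for service in uniqify(zone.services):
            handler.ignorableWhitespace("  ")
            handler.simpleElement("service", {"name": service})
            handler.ignorableWhitespace("\n")

        # ports
        for port in uniqify(zone.ports):
            handler.ignorableWhitespace("  ")
            handler.simpleElement("port", {"port": port[0], "protocol": port[1]})
            handler.ignorableWhitespace("\n")

        # protocols
        for protocol in uniqify(zone.protocols):
            handler.ignorableWhitespace("  ")
            handler.simpleElement("protocol", {"value": protocol})
            handler.ignorableWhitespace("\n")

        # icmp-block-inversion
        if zone.icmp_block_inversion:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("icmp-block-inversion", {})
            handler.ignorableWhitespace("\n")

        # icmp-blocks
        for icmp in uniqify(zone.icmp_blocks):
            handler.ignorableWhitespace("  ")
            handler.simpleElement("icmp-block", {"name": icmp})
            handler.ignorableWhitespace("\n")

        # masquerade
        if zone.masquerade:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("masquerade", {})
            handler.ignorableWhitespace("\n")

        # forward-ports: (port, protocol, to-port, to-addr); the two
        # optional targets are omitted when empty
        for forward in uniqify(zone.forward_ports):
            handler.ignorableWhitespace("  ")
            attrs = {"port": forward[0], "protocol": forward[1]}
            if forward[2] and forward[2] != "":
                attrs["to-port"] = forward[2]
            if forward[3] and forward[3] != "":
                attrs["to-addr"] = forward[3]
            handler.simpleElement("forward-port", attrs)
            handler.ignorableWhitespace("\n")

        # source-ports
        for port in uniqify(zone.source_ports):
            handler.ignorableWhitespace("  ")
            handler.simpleElement("source-port", {
                "port": port[0],
                "protocol": port[1]
            })
            handler.ignorableWhitespace("\n")

        # rules (not de-duplicated)
        for rule in zone.rules:
            _write_zone_rich_rule(handler, rule)

        # end zone element
        handler.endElement("zone")
        handler.ignorableWhitespace("\n")
        handler.endDocument()


def _write_zone_rich_rule(handler, rule):
    """Write one rich ``<rule>`` element (indented two spaces) to *handler*.

    Args:
        handler: The XML generator the zone is being written to.
        rule: Rich rule with optional ``family``, ``source``, ``destination``,
            ``element``, ``log``, ``audit`` and ``action``.

    Raises:
        FirewallError: ``errors.INVALID_OBJECT`` for an element whose type
            is none of the known ``rich.Rich_*`` element classes.
    """
    attrs = {}
    if rule.family:
        attrs["family"] = rule.family
    handler.ignorableWhitespace("  ")
    handler.startElement("rule", attrs)
    handler.ignorableWhitespace("\n")

    # source: every attribute is optional; invert is written as the
    # literal string "True"
    if rule.source:
        attrs = {}
        if rule.source.addr:
            attrs["address"] = rule.source.addr
        if rule.source.mac:
            attrs["mac"] = rule.source.mac
        if rule.source.ipset:
            attrs["ipset"] = rule.source.ipset
        if rule.source.invert:
            attrs["invert"] = "True"
        handler.ignorableWhitespace("    ")
        handler.simpleElement("source", attrs)
        handler.ignorableWhitespace("\n")

    # destination
    if rule.destination:
        attrs = {"address": rule.destination.addr}
        if rule.destination.invert:
            attrs["invert"] = "True"
        handler.ignorableWhitespace("    ")
        handler.simpleElement("destination", attrs)
        handler.ignorableWhitespace("\n")

    # element: exact type match, so subclasses of the rich classes are
    # deliberately not accepted here
    if rule.element:
        element = ""
        attrs = {}

        if type(rule.element) == rich.Rich_Service:
            element = "service"
            attrs["name"] = rule.element.name
        elif type(rule.element) == rich.Rich_Port:
            element = "port"
            attrs["port"] = rule.element.port
            attrs["protocol"] = rule.element.protocol
        elif type(rule.element) == rich.Rich_Protocol:
            element = "protocol"
            attrs["value"] = rule.element.value
        elif type(rule.element) == rich.Rich_Masquerade:
            element = "masquerade"
        elif type(rule.element) == rich.Rich_IcmpBlock:
            element = "icmp-block"
            attrs["name"] = rule.element.name
        elif type(rule.element) == rich.Rich_IcmpType:
            element = "icmp-type"
            attrs["name"] = rule.element.name
        elif type(rule.element) == rich.Rich_ForwardPort:
            element = "forward-port"
            attrs["port"] = rule.element.port
            attrs["protocol"] = rule.element.protocol
            if rule.element.to_port != "":
                attrs["to-port"] = rule.element.to_port
            if rule.element.to_address != "":
                attrs["to-addr"] = rule.element.to_address
        elif type(rule.element) == rich.Rich_SourcePort:
            element = "source-port"
            attrs["port"] = rule.element.port
            attrs["protocol"] = rule.element.protocol
        else:
            raise FirewallError(
                errors.INVALID_OBJECT,
                "Unknown element '%s' in zone_writer" % type(rule.element))

        handler.ignorableWhitespace("    ")
        handler.simpleElement(element, attrs)
        handler.ignorableWhitespace("\n")

    # log: nested <limit> when a limit is set, otherwise a single element
    if rule.log:
        attrs = {}
        if rule.log.prefix:
            attrs["prefix"] = rule.log.prefix
        if rule.log.level:
            attrs["level"] = rule.log.level
        if rule.log.limit:
            handler.ignorableWhitespace("    ")
            handler.startElement("log", attrs)
            handler.ignorableWhitespace("\n      ")
            handler.simpleElement("limit", {"value": rule.log.limit.value})
            handler.ignorableWhitespace("\n    ")
            handler.endElement("log")
        else:
            handler.ignorableWhitespace("    ")
            handler.simpleElement("log", attrs)
        handler.ignorableWhitespace("\n")

    # audit: same shape as log, but never carries attributes
    if rule.audit:
        attrs = {}
        if rule.audit.limit:
            handler.ignorableWhitespace("    ")
            handler.startElement("audit", {})
            handler.ignorableWhitespace("\n      ")
            handler.simpleElement("limit",
                                  {"value": rule.audit.limit.value})
            handler.ignorableWhitespace("\n    ")
            handler.endElement("audit")
        else:
            handler.ignorableWhitespace("    ")
            handler.simpleElement("audit", attrs)
        handler.ignorableWhitespace("\n")

    # action
    if rule.action:
        action = ""
        attrs = {}
        if type(rule.action) == rich.Rich_Accept:
            action = "accept"
        elif type(rule.action) == rich.Rich_Reject:
            action = "reject"
            if rule.action.type:
                attrs["type"] = rule.action.type
        elif type(rule.action) == rich.Rich_Drop:
            action = "drop"
        elif type(rule.action) == rich.Rich_Mark:
            action = "mark"
            attrs["set"] = rule.action.set
        else:
            # NOTE(review): unlike the element branch this only warns, so an
            # unknown action falls through and is emitted with an empty
            # element name, producing malformed XML; consider raising
            # FirewallError(errors.INVALID_OBJECT, ...) here instead.
            log.warning("Unknown action '%s'", type(rule.action))
        if rule.action.limit:
            handler.ignorableWhitespace("    ")
            handler.startElement(action, attrs)
            handler.ignorableWhitespace("\n      ")
            handler.simpleElement("limit",
                                  {"value": rule.action.limit.value})
            handler.ignorableWhitespace("\n    ")
            handler.endElement(action)
        else:
            handler.ignorableWhitespace("    ")
            handler.simpleElement(action, attrs)
        handler.ignorableWhitespace("\n")

    handler.ignorableWhitespace("  ")
    handler.endElement("rule")
    handler.ignorableWhitespace("\n")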
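    def write(self):
        """Write the direct configuration to ``self.filename`` as XML.

        Serializes ``self.chains`` (keyed by ``(ipv, table)``), ``self.rules``
        (keyed by ``(ipv, table, chain)``, values of ``(priority, args)``)
        and ``self.passthroughs`` (keyed by ``ipv``) under a ``<direct>``
        root. Entries with an empty ``args`` list are skipped.

        Raises:
            IOError: if an existing file could not be backed up to
                ``<filename>.old`` (unlike the *_writer functions, a failed
                backup aborts the write here).
            OSError: if ``ETC_FIREWALLD`` cannot be created or the file
                cannot be opened.
        """
        if os.path.exists(self.filename):
            try:
                shutil.copy2(self.filename, "%s.old" % self.filename)
            except Exception as msg:
                raise IOError("Backup of '%s' failed: %s" %
                              (self.filename, msg))

        # 0o750 is still subject to the process umask; exists()/mkdir() is
        # not atomic, so a concurrent creator could make mkdir() raise.
        if not os.path.exists(config.ETC_FIREWALLD):
            os.mkdir(config.ETC_FIREWALLD, 0o750)

        # The context manager closes the file on every exit path, including
        # when XML generation below raises.
        with io.open(self.filename, mode='wt', encoding='UTF-8') as f:
            handler = IO_Object_XMLGenerator(f)
            handler.startDocument()

            # start direct element
            handler.startElement("direct", {})
            handler.ignorableWhitespace("\n")

            # chains
            for key in self.chains:
                (ipv, table) = key
                for chain in self.chains[key]:
                    handler.ignorableWhitespace("  ")
                    handler.simpleElement("chain", {
                        "ipv": ipv,
                        "table": table,
                        "chain": chain
                    })
                    handler.ignorableWhitespace("\n")

            # rules: the joined args are the element text. They go through
            # ignorableWhitespace(), which writes raw output, hence the
            # explicit XML escaping.
            for key in self.rules:
                (ipv, table, chain) = key
                for (priority, args) in self.rules[key]:
                    if len(args) < 1:
                        continue
                    handler.ignorableWhitespace("  ")
                    handler.startElement(
                        "rule", {
                            "ipv": ipv,
                            "table": table,
                            "chain": chain,
                            "priority": "%d" % priority
                        })
                    handler.ignorableWhitespace(sax.saxutils.escape(
                        joinArgs(args)))
                    handler.endElement("rule")
                    handler.ignorableWhitespace("\n")

            # passthroughs: same raw-text handling as rules
            for ipv in self.passthroughs:
                for args in self.passthroughs[ipv]:
                    if len(args) < 1:
                        continue
                    handler.ignorableWhitespace("  ")
                    handler.startElement("passthrough", {"ipv": ipv})
                    handler.ignorableWhitespace(sax.saxutils.escape(
                        joinArgs(args)))
                    handler.endElement("passthrough")
                    handler.ignorableWhitespace("\n")

            # end direct element
            handler.endElement("direct")
            handler.ignorableWhitespace("\n")
            handler.endDocument()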
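def ipset_writer(ipset, path=None):
    """Serialize an ipset object to ``<dir>/<ipset.filename|ipset.name.xml>``.

    Args:
        ipset: Object exposing ``path``, ``filename``, ``name``, ``type``,
            ``version``, ``short``, ``description``, ``options`` (mapping)
            and ``entries`` (iterable of strings).
        path: Directory to write into; defaults to ``ipset.path``.

    Raises:
        OSError: if the target directory cannot be created or the file
            cannot be opened for writing.

    A pre-existing file is first copied to ``<name>.old``; a failed backup
    is only logged and the write still proceeds.
    """
    _path = path if path else ipset.path

    if ipset.filename:
        name = "%s/%s" % (_path, ipset.filename)
    else:
        name = "%s/%s.xml" % (_path, ipset.name)

    # Best-effort backup of the previous version; failure is not fatal.
    if os.path.exists(name):
        try:
            shutil.copy2(name, "%s.old" % name)
        except Exception as msg:
            log.error("Backup of file '%s' failed: %s", name, msg)

    # Directories are only created on demand below ETC_FIREWALLD. 0o750 is
    # still subject to the process umask, and the exists()/mkdir() pair is
    # not atomic, so a concurrent writer could make mkdir() raise.
    dirpath = os.path.dirname(name)
    if dirpath.startswith(ETC_FIREWALLD) and not os.path.exists(dirpath):
        if not os.path.exists(ETC_FIREWALLD):
            os.mkdir(ETC_FIREWALLD, 0o750)
        os.mkdir(dirpath, 0o750)

    # The context manager closes the file on every exit path, including
    # when XML generation below raises.
    with io.open(name, mode='wt', encoding='UTF-8') as f:
        handler = IO_Object_XMLGenerator(f)
        handler.startDocument()

        # start ipset element; "type" is mandatory, "version" optional
        attrs = {"type": ipset.type}
        if ipset.version and ipset.version != "":
            attrs["version"] = ipset.version
        handler.startElement("ipset", attrs)
        handler.ignorableWhitespace("\n")

        # short
        if ipset.short and ipset.short != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("short", {})
            handler.characters(ipset.short)
            handler.endElement("short")
            handler.ignorableWhitespace("\n")

        # description
        if ipset.description and ipset.description != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("description", {})
            handler.characters(ipset.description)
            handler.endElement("description")
            handler.ignorableWhitespace("\n")

        # options: an empty value is written as a name-only option
        for key, value in ipset.options.items():
            handler.ignorableWhitespace("  ")
            if value != "":
                handler.simpleElement("option", {"name": key, "value": value})
            else:
                handler.simpleElement("option", {"name": key})
            handler.ignorableWhitespace("\n")

        # entries
        for entry in ipset.entries:
            handler.ignorableWhitespace("  ")
            handler.startElement("entry", {})
            handler.characters(entry)
            handler.endElement("entry")
            handler.ignorableWhitespace("\n")

        # end ipset element
        handler.endElement('ipset')
        handler.ignorableWhitespace("\n")
        handler.endDocument()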
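def service_writer(service, path=None):
    """Serialize a service object to ``<dir>/<service.filename|service.name.xml>``.

    Args:
        service: Object exposing ``path``, ``filename``, ``name``, ``version``,
            ``short``, ``description``, ``ports`` and ``source_ports``
            (sequences of ``(port, protocol)`` pairs), ``protocols``,
            ``modules`` and ``destination`` (mapping written as attributes).
        path: Directory to write into; defaults to ``service.path``.

    Raises:
        OSError: if the target directory cannot be created or the file
            cannot be opened for writing.

    A pre-existing file is first copied to ``<name>.old``; a failed backup
    is only logged and the write still proceeds.
    """
    _path = path if path else service.path

    if service.filename:
        name = "%s/%s" % (_path, service.filename)
    else:
        name = "%s/%s.xml" % (_path, service.name)

    # Best-effort backup of the previous version; failure is not fatal.
    if os.path.exists(name):
        try:
            shutil.copy2(name, "%s.old" % name)
        except Exception as msg:
            log.error("Backup of file '%s' failed: %s", name, msg)

    # Directories are only created on demand below ETC_FIREWALLD. 0o750 is
    # still subject to the process umask, and the exists()/mkdir() pair is
    # not atomic, so a concurrent writer could make mkdir() raise.
    dirpath = os.path.dirname(name)
    if dirpath.startswith(ETC_FIREWALLD) and not os.path.exists(dirpath):
        if not os.path.exists(ETC_FIREWALLD):
            os.mkdir(ETC_FIREWALLD, 0o750)
        os.mkdir(dirpath, 0o750)

    # The context manager closes the file on every exit path, including
    # when XML generation below raises.
    with io.open(name, mode='wt', encoding='UTF-8') as f:
        handler = IO_Object_XMLGenerator(f)
        handler.startDocument()

        # start service element
        attrs = {}
        if service.version and service.version != "":
            attrs["version"] = service.version
        handler.startElement("service", attrs)
        handler.ignorableWhitespace("\n")

        # short
        if service.short and service.short != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("short", {})
            handler.characters(service.short)
            handler.endElement("short")
            handler.ignorableWhitespace("\n")

        # description
        if service.description and service.description != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("description", {})
            handler.characters(service.description)
            handler.endElement("description")
            handler.ignorableWhitespace("\n")

        # ports
        for port in service.ports:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("port", {"port": port[0], "protocol": port[1]})
            handler.ignorableWhitespace("\n")

        # protocols
        for protocol in service.protocols:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("protocol", {"value": protocol})
            handler.ignorableWhitespace("\n")

        # source ports
        for port in service.source_ports:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("source-port", {"port": port[0],
                                                  "protocol": port[1]})
            handler.ignorableWhitespace("\n")

        # modules
        for module in service.modules:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("module", {"name": module})
            handler.ignorableWhitespace("\n")

        # destination: the mapping itself becomes the element's attributes
        if len(service.destination) > 0:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("destination", service.destination)
            handler.ignorableWhitespace("\n")

        # end service element
        handler.endElement('service')
        handler.ignorableWhitespace("\n")
        handler.endDocument()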
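    def write(self):
        """Write the lockdown whitelist to ``self.filename`` as XML.

        Serializes ``self.commands``, ``self.uids``, ``self.users`` and
        ``self.contexts`` (each de-duplicated by ``uniqify``) under a
        ``<whitelist>`` root. Numeric uids and user names both become
        ``<user>`` elements, distinguished by the ``id`` / ``name`` attribute.

        Raises:
            IOError: if an existing file could not be backed up to
                ``<filename>.old`` (a failed backup aborts the write).
            OSError: if ``ETC_FIREWALLD`` cannot be created or the file
                cannot be opened.
        """
        if os.path.exists(self.filename):
            try:
                shutil.copy2(self.filename, "%s.old" % self.filename)
            except Exception as msg:
                raise IOError("Backup of '%s' failed: %s" %
                              (self.filename, msg))

        # 0o750 is still subject to the process umask; exists()/mkdir() is
        # not atomic, so a concurrent creator could make mkdir() raise.
        if not os.path.exists(config.ETC_FIREWALLD):
            os.mkdir(config.ETC_FIREWALLD, 0o750)

        # The context manager closes the file on every exit path, including
        # when XML generation below raises.
        with io.open(self.filename, mode='wt', encoding='UTF-8') as f:
            handler = IO_Object_XMLGenerator(f)
            handler.startDocument()

            # start whitelist element
            handler.startElement("whitelist", {})
            handler.ignorableWhitespace("\n")

            # commands
            for command in uniqify(self.commands):
                handler.ignorableWhitespace("  ")
                handler.simpleElement("command", {"name": command})
                handler.ignorableWhitespace("\n")

            # users by numeric id
            for uid in uniqify(self.uids):
                handler.ignorableWhitespace("  ")
                handler.simpleElement("user", {"id": str(uid)})
                handler.ignorableWhitespace("\n")

            # users by name
            for user in uniqify(self.users):
                handler.ignorableWhitespace("  ")
                handler.simpleElement("user", {"name": user})
                handler.ignorableWhitespace("\n")

            # gids and groups are not written; the disabled code for them
            # was kept here for reference.
#            for gid in uniqify(self.gids):
#                handler.ignorableWhitespace("  ")
#                handler.simpleElement("user", { "id": str(gid) })
#                handler.ignorableWhitespace("\n")

#            for group in uniqify(self.groups):
#                handler.ignorableWhitespace("  ")
#                handler.simpleElement("group", { "name": group })
#                handler.ignorableWhitespace("\n")

            # SELinux contexts
            for context in uniqify(self.contexts):
                handler.ignorableWhitespace("  ")
                handler.simpleElement("selinux", {"context": context})
                handler.ignorableWhitespace("\n")

            # end whitelist element
            handler.endElement("whitelist")
            handler.ignorableWhitespace("\n")
            handler.endDocument()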
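def helper_writer(helper, path=None):
    """Serialize a helper object to ``<dir>/<helper.filename|helper.name.xml>``.

    Args:
        helper: Object exposing ``path``, ``filename``, ``name``, ``module``,
            ``version``, ``family``, ``short``, ``description`` and ``ports``
            (sequence of ``(port, protocol)`` pairs).
        path: Directory to write into; defaults to ``helper.path``.

    Raises:
        OSError: if the target directory cannot be created or the file
            cannot be opened for writing.

    A pre-existing file is first copied to ``<name>.old``; a failed backup
    is only logged and the write still proceeds.
    """
    _path = path if path else helper.path

    if helper.filename:
        name = "%s/%s" % (_path, helper.filename)
    else:
        name = "%s/%s.xml" % (_path, helper.name)

    # Best-effort backup of the previous version; failure is not fatal.
    if os.path.exists(name):
        try:
            shutil.copy2(name, "%s.old" % name)
        except Exception as msg:
            log.error("Backup of file '%s' failed: %s", name, msg)

    # Directories are only created on demand below ETC_FIREWALLD. 0o750 is
    # still subject to the process umask, and the exists()/mkdir() pair is
    # not atomic, so a concurrent writer could make mkdir() raise.
    dirpath = os.path.dirname(name)
    if dirpath.startswith(config.ETC_FIREWALLD) and not os.path.exists(dirpath):
        if not os.path.exists(config.ETC_FIREWALLD):
            os.mkdir(config.ETC_FIREWALLD, 0o750)
        os.mkdir(dirpath, 0o750)

    # The context manager closes the file on every exit path, including
    # when XML generation below raises.
    with io.open(name, mode='wt', encoding='UTF-8') as f:
        handler = IO_Object_XMLGenerator(f)
        handler.startDocument()

        # start helper element; "module" is mandatory, the rest optional
        attrs = {"module": helper.module}
        if helper.version and helper.version != "":
            attrs["version"] = helper.version
        if helper.family and helper.family != "":
            attrs["family"] = helper.family
        handler.startElement("helper", attrs)
        handler.ignorableWhitespace("\n")

        # short
        if helper.short and helper.short != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("short", {})
            handler.characters(helper.short)
            handler.endElement("short")
            handler.ignorableWhitespace("\n")

        # description
        if helper.description and helper.description != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("description", {})
            handler.characters(helper.description)
            handler.endElement("description")
            handler.ignorableWhitespace("\n")

        # ports
        for port in helper.ports:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("port", {"port": port[0], "protocol": port[1]})
            handler.ignorableWhitespace("\n")

        # end helper element
        handler.endElement('helper')
        handler.ignorableWhitespace("\n")
        handler.endDocument()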
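def helper_writer(helper, path=None):
    """Serialize a helper object to ``<dir>/<helper.filename|helper.name.xml>``.

    Args:
        helper: Object exposing ``path``, ``filename``, ``name``, ``module``,
            ``version``, ``family``, ``short``, ``description`` and ``ports``
            (sequence of ``(port, protocol)`` pairs).
        path: Directory to write into; defaults to ``helper.path``.

    Raises:
        OSError: if the target directory cannot be created or the file
            cannot be opened for writing.

    A pre-existing file is first copied to ``<name>.old``; a failed backup
    is only logged and the write still proceeds.
    """
    _path = path if path else helper.path

    if helper.filename:
        name = "%s/%s" % (_path, helper.filename)
    else:
        name = "%s/%s.xml" % (_path, helper.name)

    # Best-effort backup of the previous version; failure is not fatal.
    if os.path.exists(name):
        try:
            shutil.copy2(name, "%s.old" % name)
        except Exception as msg:
            log.error("Backup of file '%s' failed: %s", name, msg)

    # Directories are only created on demand below ETC_FIREWALLD. 0o750 is
    # still subject to the process umask, and the exists()/mkdir() pair is
    # not atomic, so a concurrent writer could make mkdir() raise.
    dirpath = os.path.dirname(name)
    if dirpath.startswith(config.ETC_FIREWALLD) and not os.path.exists(dirpath):
        if not os.path.exists(config.ETC_FIREWALLD):
            os.mkdir(config.ETC_FIREWALLD, 0o750)
        os.mkdir(dirpath, 0o750)

    # The context manager closes the file on every exit path, including
    # when XML generation below raises.
    with io.open(name, mode='wt', encoding='UTF-8') as f:
        handler = IO_Object_XMLGenerator(f)
        handler.startDocument()

        # start helper element; "module" is mandatory, the rest optional
        attrs = {"module": helper.module}
        if helper.version and helper.version != "":
            attrs["version"] = helper.version
        if helper.family and helper.family != "":
            attrs["family"] = helper.family
        handler.startElement("helper", attrs)
        handler.ignorableWhitespace("\n")

        # short
        if helper.short and helper.short != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("short", {})
            handler.characters(helper.short)
            handler.endElement("short")
            handler.ignorableWhitespace("\n")

        # description
        if helper.description and helper.description != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("description", {})
            handler.characters(helper.description)
            handler.endElement("description")
            handler.ignorableWhitespace("\n")

        # ports
        for port in helper.ports:
            handler.ignorableWhitespace("  ")
            handler.simpleElement("port", {"port": port[0], "protocol": port[1]})
            handler.ignorableWhitespace("\n")

        # end helper element
        handler.endElement('helper')
        handler.ignorableWhitespace("\n")
        handler.endDocument()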
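def icmptype_writer(icmptype, path=None):
    """Serialize an icmptype object to ``<dir>/<icmptype.filename|icmptype.name.xml>``.

    Args:
        icmptype: Object exposing ``path``, ``filename``, ``name``,
            ``version``, ``short``, ``description`` and ``destination``
            (iterable of attribute names, each written as ``name="yes"``).
        path: Directory to write into; defaults to ``icmptype.path``.

    Raises:
        OSError: if the target directory cannot be created or the file
            cannot be opened for writing.

    A pre-existing file is first copied to ``<name>.old``; a failed backup
    is only logged and the write still proceeds.
    """
    _path = path if path else icmptype.path

    if icmptype.filename:
        name = "%s/%s" % (_path, icmptype.filename)
    else:
        name = "%s/%s.xml" % (_path, icmptype.name)

    # Best-effort backup of the previous version; failure is not fatal.
    if os.path.exists(name):
        try:
            shutil.copy2(name, "%s.old" % name)
        except Exception as msg:
            log.error("Backup of file '%s' failed: %s", name, msg)

    # Directories are only created on demand below ETC_FIREWALLD. 0o750 is
    # still subject to the process umask, and the exists()/mkdir() pair is
    # not atomic, so a concurrent writer could make mkdir() raise.
    dirpath = os.path.dirname(name)
    if dirpath.startswith(ETC_FIREWALLD) and not os.path.exists(dirpath):
        if not os.path.exists(ETC_FIREWALLD):
            os.mkdir(ETC_FIREWALLD, 0o750)
        os.mkdir(dirpath, 0o750)

    # The context manager closes the file on every exit path, including
    # when XML generation below raises.
    with io.open(name, mode='wt', encoding='UTF-8') as f:
        handler = IO_Object_XMLGenerator(f)
        handler.startDocument()

        # start icmptype element
        attrs = {}
        if icmptype.version and icmptype.version != "":
            attrs["version"] = icmptype.version
        handler.startElement("icmptype", attrs)
        handler.ignorableWhitespace("\n")

        # short
        if icmptype.short and icmptype.short != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("short", {})
            handler.characters(icmptype.short)
            handler.endElement("short")
            handler.ignorableWhitespace("\n")

        # description
        if icmptype.description and icmptype.description != "":
            handler.ignorableWhitespace("  ")
            handler.startElement("description", {})
            handler.characters(icmptype.description)
            handler.endElement("description")
            handler.ignorableWhitespace("\n")

        # destination: each listed name becomes a "yes" attribute
        if icmptype.destination:
            handler.ignorableWhitespace("  ")
            attrs = {x: "yes" for x in icmptype.destination}
            handler.simpleElement("destination", attrs)
            handler.ignorableWhitespace("\n")

        # end icmptype element
        handler.endElement('icmptype')
        handler.ignorableWhitespace("\n")
        handler.endDocument()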
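def zone_writer(zone, path=None):
    """Serialise ``zone`` to ``<path>/<filename>`` as XML.

    ``path`` defaults to ``zone.path``; the file name is ``zone.filename``
    when set, otherwise ``<zone.name>.xml``.  An existing file is first
    copied to ``<name>.old`` (best effort: a failed backup is logged and
    the write still goes ahead).  A missing target directory below
    ``config.ETC_FIREWALLD`` is created with mode 0o750.

    Raises:
        OSError/IOError: from ``os.mkdir`` or from opening/writing the
            target file; these are not caught here.
    """
    _path = path if path else zone.path

    if zone.filename:
        name = "%s/%s" % (_path, zone.filename)
    else:
        name = "%s/%s.xml" % (_path, zone.name)

    # Keep the previous version next to the file.  The target itself is
    # truncated and rewritten in place below (not atomic), so the .old
    # copy is the only recovery point if the write is interrupted.
    if os.path.exists(name):
        try:
            shutil.copy2(name, "%s.old" % name)
        except Exception as msg:
            log.error("Backup of file '%s' failed: %s", name, msg)

    # NOTE(review): plain string-prefix test, so a sibling directory whose
    # name merely starts with ETC_FIREWALLD would pass it too -- confirm that
    # is intended.  The 0o750 mode is still subject to the process umask.
    dirpath = os.path.dirname(name)
    if dirpath.startswith(
            config.ETC_FIREWALLD) and not os.path.exists(dirpath):
        if not os.path.exists(config.ETC_FIREWALLD):
            os.mkdir(config.ETC_FIREWALLD, 0o750)
        os.mkdir(dirpath, 0o750)

    # Context manager: the handle is closed even if the generator raises
    # part-way through (previously close() only ran on the happy path).
    with io.open(name, mode='wt', encoding='UTF-8') as f:
        handler = IO_Object_XMLGenerator(f)
        handler.startDocument()

        # <zone version="..." target="...">; "version" is omitted when
        # unset/empty, "target" only when it differs from the default
        attrs = {}
        if zone.version:
            attrs["version"] = zone.version
        if zone.target != DEFAULT_ZONE_TARGET:
            attrs["target"] = zone.target
        handler.startElement("zone", attrs)
        handler.ignorableWhitespace("\n")

        # elements shared with the other object writers
        common_writer(zone, handler)

        for interface in uniqify(zone.interfaces):
            handler.ignorableWhitespace("  ")
            handler.simpleElement("interface", {"name": interface})
            handler.ignorableWhitespace("\n")

        # A source of the form "ipset:<name>" refers to an ipset; anything
        # else is written as an address.  Anchored with startswith() -- the
        # former substring test would also match "ipset:" in the middle of
        # a string and then strip the wrong six characters.
        ipset_prefix = "ipset:"
        for source in uniqify(zone.sources):
            handler.ignorableWhitespace("  ")
            if source.startswith(ipset_prefix):
                handler.simpleElement(
                    "source", {"ipset": source[len(ipset_prefix):]})
            else:
                handler.simpleElement("source", {"address": source})
            handler.ignorableWhitespace("\n")

        # boolean flags become empty elements
        for tag, flag in (("icmp-block-inversion", zone.icmp_block_inversion),
                          ("forward", zone.forward)):
            if flag:
                handler.ignorableWhitespace("  ")
                handler.simpleElement(tag, {})
                handler.ignorableWhitespace("\n")

        handler.endElement("zone")
        handler.ignorableWhitespace("\n")
        handler.endDocument()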
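def zone_writer(zone, path=None):
    """Serialise ``zone`` (settings plus rich rules) to ``<path>/<filename>``.

    ``path`` defaults to ``zone.path``; the file name is ``zone.filename``
    when set, otherwise ``<zone.name>.xml``.  An existing file is copied to
    ``<name>.old`` first and a failed backup aborts the write.  A missing
    target directory below ``ETC_FIREWALLD`` is created with mode 0o750.

    Raises:
        IOError: if the backup copy of an existing file fails.
        OSError/IOError: from ``os.mkdir`` or from opening/writing the
            target file; these are not caught here.
    """
    _path = path if path else zone.path

    if zone.filename:
        name = "%s/%s" % (_path, zone.filename)
    else:
        name = "%s/%s.xml" % (_path, zone.name)

    # The target is truncated and rewritten in place below (not atomic); the
    # .old copy is the only recovery point, which is why a failed backup is
    # fatal here.
    if os.path.exists(name):
        try:
            shutil.copy2(name, "%s.old" % name)
        except Exception as msg:
            raise IOError("Backup of '%s' failed: %s" % (name, msg))

    # NOTE(review): plain string-prefix test, so a sibling directory whose
    # name merely starts with ETC_FIREWALLD would pass it too -- confirm that
    # is intended.  The 0o750 mode is still subject to the process umask.
    dirpath = os.path.dirname(name)
    if dirpath.startswith(ETC_FIREWALLD) and not os.path.exists(dirpath):
        if not os.path.exists(ETC_FIREWALLD):
            os.mkdir(ETC_FIREWALLD, 0o750)
        os.mkdir(dirpath, 0o750)

    # Context manager: the handle is closed even if the generator raises
    # part-way through (previously close() only ran on the happy path).
    with io.open(name, mode='wt', encoding='UTF-8') as f:
        handler = IO_Object_XMLGenerator(f)
        handler.startDocument()

        # <zone version="..." target="...">; "version" is omitted when
        # unset/empty, "target" only when it differs from the default
        attrs = {}
        if zone.version:
            attrs["version"] = zone.version
        if zone.target != DEFAULT_ZONE_TARGET:
            attrs["target"] = zone.target
        handler.startElement("zone", attrs)
        handler.ignorableWhitespace("\n")

        # <short> and <description> are text elements, written only when
        # non-empty
        for tag, text in (("short", zone.short),
                          ("description", zone.description)):
            if text:
                handler.ignorableWhitespace("  ")
                handler.startElement(tag, {})
                handler.characters(text)
                handler.endElement(tag)
                handler.ignorableWhitespace("\n")

        for interface in uniqify(zone.interfaces):
            _write_simple(handler, "interface", {"name": interface})

        # A source of the form "ipset:<name>" refers to an ipset; anything
        # else is written as an address.  Anchored with startswith() -- the
        # former substring test would also match "ipset:" in the middle of
        # a string and then strip the wrong six characters.
        ipset_prefix = "ipset:"
        for source in uniqify(zone.sources):
            if source.startswith(ipset_prefix):
                _write_simple(handler, "source",
                              {"ipset": source[len(ipset_prefix):]})
            else:
                _write_simple(handler, "source", {"address": source})

        for service in uniqify(zone.services):
            _write_simple(handler, "service", {"name": service})

        # ports / source_ports entries are (port, protocol) pairs
        for port in uniqify(zone.ports):
            _write_simple(handler, "port",
                          {"port": port[0], "protocol": port[1]})

        for protocol in uniqify(zone.protocols):
            _write_simple(handler, "protocol", {"value": protocol})

        if zone.icmp_block_inversion:
            _write_simple(handler, "icmp-block-inversion", {})

        for icmp in uniqify(zone.icmp_blocks):
            _write_simple(handler, "icmp-block", {"name": icmp})

        if zone.masquerade:
            _write_simple(handler, "masquerade", {})

        # forward_ports entries are (port, protocol, to-port, to-addr);
        # the last two are optional and omitted when empty
        for forward in uniqify(zone.forward_ports):
            attrs = {"port": forward[0], "protocol": forward[1]}
            if forward[2]:
                attrs["to-port"] = forward[2]
            if forward[3]:
                attrs["to-addr"] = forward[3]
            _write_simple(handler, "forward-port", attrs)

        for port in uniqify(zone.source_ports):
            _write_simple(handler, "source-port",
                          {"port": port[0], "protocol": port[1]})

        for rule in zone.rules:
            _write_rich_rule(handler, rule)

        handler.endElement("zone")
        handler.ignorableWhitespace("\n")
        handler.endDocument()


def _write_simple(handler, tag, attrs, indent="  "):
    """Emit one indented, self-closing ``<tag .../>`` on its own line."""
    handler.ignorableWhitespace(indent)
    handler.simpleElement(tag, attrs)
    handler.ignorableWhitespace("\n")


def _write_rule_child(handler, tag, attrs, limit):
    """Emit a child of <rule>: ``<tag .../>``, or, when ``limit`` is set,
    ``<tag ...><limit value="..."/></tag>``."""
    handler.ignorableWhitespace("    ")
    if limit:
        handler.startElement(tag, attrs)
        handler.ignorableWhitespace("\n      ")
        handler.simpleElement("limit", {"value": limit.value})
        handler.ignorableWhitespace("\n    ")
        handler.endElement(tag)
    else:
        handler.simpleElement(tag, attrs)
    handler.ignorableWhitespace("\n")


def _rule_element_xml(element):
    """Map a rich-rule element object to ``(tag, attrs)``.

    Returns ``(None, None)`` -- after logging a warning -- for a type this
    writer does not know; callers must then emit nothing.  Exact type
    identity is used deliberately so that the mapping does not depend on
    the Rich_* class hierarchy.
    """
    kind = type(element)
    if kind is Rich_Service:
        return "service", {"name": element.name}
    if kind is Rich_Port:
        return "port", {"port": element.port, "protocol": element.protocol}
    if kind is Rich_Protocol:
        return "protocol", {"value": element.value}
    if kind is Rich_Masquerade:
        return "masquerade", {}
    if kind is Rich_IcmpBlock:
        return "icmp-block", {"name": element.name}
    if kind is Rich_ForwardPort:
        attrs = {"port": element.port, "protocol": element.protocol}
        if element.to_port != "":
            attrs["to-port"] = element.to_port
        if element.to_address != "":
            attrs["to-addr"] = element.to_address
        return "forward-port", attrs
    if kind is Rich_SourcePort:
        return "source-port", {"port": element.port,
                               "protocol": element.protocol}
    log.warning("Unknown element '%s'", kind)
    return None, None


def _rule_action_xml(action):
    """Map a rich-rule action object to ``(tag, attrs)``.

    Returns ``(None, None)`` -- after logging a warning -- for an unknown
    action type; callers must then emit nothing.
    """
    kind = type(action)
    if kind is Rich_Accept:
        return "accept", {}
    if kind is Rich_Reject:
        attrs = {}
        if action.type:
            attrs["type"] = action.type
        return "reject", attrs
    if kind is Rich_Drop:
        return "drop", {}
    if kind is Rich_Mark:
        return "mark", {"set": action.set}
    log.warning("Unknown action '%s'", kind)
    return None, None


def _write_rich_rule(handler, rule):
    """Emit one ``<rule>`` element with its source, destination, element,
    log, audit and action children (each only when present on ``rule``)."""
    attrs = {}
    if rule.family:
        attrs["family"] = rule.family
    handler.ignorableWhitespace("  ")
    handler.startElement("rule", attrs)
    handler.ignorableWhitespace("\n")

    if rule.source:
        attrs = {}
        if rule.source.addr:
            attrs["address"] = rule.source.addr
        if rule.source.mac:
            attrs["mac"] = rule.source.mac
        if rule.source.ipset:
            attrs["ipset"] = rule.source.ipset
        if rule.source.invert:
            attrs["invert"] = "True"
        _write_simple(handler, "source", attrs, indent="    ")

    if rule.destination:
        attrs = {"address": rule.destination.addr}
        if rule.destination.invert:
            attrs["invert"] = "True"
        _write_simple(handler, "destination", attrs, indent="    ")

    # An unknown element/action type used to be written with an empty tag
    # name, which yields unparseable XML; it is now skipped (still logged
    # by the mapping helper).
    if rule.element:
        tag, attrs = _rule_element_xml(rule.element)
        if tag is not None:
            _write_simple(handler, tag, attrs, indent="    ")

    if rule.log:
        attrs = {}
        if rule.log.prefix:
            attrs["prefix"] = rule.log.prefix
        if rule.log.level:
            attrs["level"] = rule.log.level
        _write_rule_child(handler, "log", attrs, rule.log.limit)

    if rule.audit:
        _write_rule_child(handler, "audit", {}, rule.audit.limit)

    if rule.action:
        tag, attrs = _rule_action_xml(rule.action)
        if tag is not None:
            _write_rule_child(handler, tag, attrs, rule.action.limit)

    handler.ignorableWhitespace("  ")
    handler.endElement("rule")
    handler.ignorableWhitespace("\n")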
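    def write(self):
        """Write the direct configuration (chains, rules, passthroughs) to
        ``self.filename`` as a ``<direct>`` XML document.

        An existing file is copied to ``<filename>.old`` first; a failed
        backup aborts the write.  ``config.ETC_FIREWALLD`` is created with
        mode 0o750 if missing -- the directory containing ``self.filename``
        itself is not created here (presumably it is always inside
        ETC_FIREWALLD; confirm against the callers).

        Raises:
            IOError: if the backup copy of an existing file fails.
            OSError/IOError: from ``os.mkdir`` or from opening/writing the
                target file; these are not caught here.
        """
        # The target is truncated and rewritten in place below (not
        # atomic); the .old copy is the only recovery point, which is why a
        # failed backup is fatal here.
        if os.path.exists(self.filename):
            try:
                shutil.copy2(self.filename, "%s.old" % self.filename)
            except Exception as msg:
                raise IOError("Backup of '%s' failed: %s" % (self.filename, msg))

        # mode is still subject to the process umask
        if not os.path.exists(config.ETC_FIREWALLD):
            os.mkdir(config.ETC_FIREWALLD, 0o750)

        # Context manager: the handle is closed even if the generator
        # raises part-way through (previously close() only ran on the
        # happy path).
        with io.open(self.filename, mode='wt', encoding='UTF-8') as f:
            handler = IO_Object_XMLGenerator(f)
            handler.startDocument()

            handler.startElement("direct", {})
            handler.ignorableWhitespace("\n")

            # self.chains: (ipv, table) -> chain names
            for (ipv, table), chains in self.chains.items():
                for chain in chains:
                    handler.ignorableWhitespace("  ")
                    handler.simpleElement("chain", {"ipv": ipv,
                                                    "table": table,
                                                    "chain": chain})
                    handler.ignorableWhitespace("\n")

            # self.rules: (ipv, table, chain) -> [(priority, args), ...];
            # entries with no arguments are skipped
            for (ipv, table, chain), rules in self.rules.items():
                for priority, args in rules:
                    if not args:
                        continue
                    handler.ignorableWhitespace("  ")
                    handler.startElement("rule", {"ipv": ipv,
                                                  "table": table,
                                                  "chain": chain,
                                                  "priority": "%d" % priority})
                    # The text is pushed through ignorableWhitespace, which
                    # (unlike characters()) appears to write it verbatim --
                    # hence the explicit XML escaping; keep the escape if
                    # this call is ever changed.
                    handler.ignorableWhitespace(
                        sax.saxutils.escape(joinArgs(args)))
                    handler.endElement("rule")
                    handler.ignorableWhitespace("\n")

            # self.passthroughs: ipv -> [args, ...]; empty args are skipped
            for ipv, passthroughs in self.passthroughs.items():
                for args in passthroughs:
                    if not args:
                        continue
                    handler.ignorableWhitespace("  ")
                    handler.startElement("passthrough", {"ipv": ipv})
                    # same verbatim-write caveat as for <rule> above
                    handler.ignorableWhitespace(
                        sax.saxutils.escape(joinArgs(args)))
                    handler.endElement("passthrough")
                    handler.ignorableWhitespace("\n")

            handler.endElement("direct")
            handler.ignorableWhitespace("\n")
            handler.endDocument()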
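def icmptype_writer(icmptype, path=None):
    """Serialise ``icmptype`` to ``<path>/<filename>`` as XML.

    ``path`` defaults to ``icmptype.path``; the file name is
    ``icmptype.filename`` when set, otherwise ``<icmptype.name>.xml``.
    An existing file is first copied to ``<name>.old`` (best effort: a
    failed backup is logged and the write still goes ahead).  A missing
    target directory below ``ETC_FIREWALLD`` is created with mode 0o750.

    Raises:
        OSError/IOError: from ``os.mkdir`` or from opening/writing the
            target file; these are not caught here.
    """
    _path = path if path else icmptype.path

    if icmptype.filename:
        name = "%s/%s" % (_path, icmptype.filename)
    else:
        name = "%s/%s.xml" % (_path, icmptype.name)

    # Keep the previous version next to the file.  The target itself is
    # truncated and rewritten in place below (not atomic), so the .old
    # copy is the only recovery point if the write is interrupted.
    if os.path.exists(name):
        try:
            shutil.copy2(name, "%s.old" % name)
        except Exception as msg:
            log.error("Backup of file '%s' failed: %s", name, msg)

    # NOTE(review): plain string-prefix test, so a sibling directory whose
    # name merely starts with ETC_FIREWALLD would pass it too -- confirm that
    # is intended.  The 0o750 mode is still subject to the process umask.
    dirpath = os.path.dirname(name)
    if dirpath.startswith(ETC_FIREWALLD) and not os.path.exists(dirpath):
        if not os.path.exists(ETC_FIREWALLD):
            os.mkdir(ETC_FIREWALLD, 0o750)
        os.mkdir(dirpath, 0o750)

    # Context manager: the handle is closed even if the generator raises
    # part-way through (previously close() only ran on the happy path).
    with io.open(name, mode="wt", encoding="UTF-8") as f:
        handler = IO_Object_XMLGenerator(f)
        handler.startDocument()

        # <icmptype version="..."> -- "version" is omitted when unset/empty
        attrs = {}
        if icmptype.version:
            attrs["version"] = icmptype.version
        handler.startElement("icmptype", attrs)
        handler.ignorableWhitespace("\n")

        # <short> and <description> are text elements, written only when
        # non-empty
        for tag, text in (("short", icmptype.short),
                          ("description", icmptype.description)):
            if text:
                handler.ignorableWhitespace("  ")
                handler.startElement(tag, {})
                handler.characters(text)
                handler.endElement(tag)
                handler.ignorableWhitespace("\n")

        # <destination .../>: one attribute per entry of
        # icmptype.destination, each with the value "yes"
        if icmptype.destination:
            handler.ignorableWhitespace("  ")
            attrs = {x: "yes" for x in icmptype.destination}
            handler.simpleElement("destination", attrs)
            handler.ignorableWhitespace("\n")

        handler.endElement("icmptype")
        handler.ignorableWhitespace("\n")
        handler.endDocument()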