def run(self): ruleset = set(Iptables.read_simple_rules()) while True: modify, rule, directives = self.cmd_queue.get() try: rule_exists = rule in ruleset log.debug('{} rule_exists: {}'.format(rule, rule_exists)) # check for duplicates, apply rule if modify == 'I': if rule_exists: log.warn("Trying to insert existing rule: {}. Command ignored.".format(rule)) else: Iptables.exe_rule(modify, rule) # schedule expiry timeout if present. Only for Insert rules and only if the rule didn't exist before (so it was added now) self.schedule_expiry(rule, directives) ruleset.add(rule) elif modify == 'D': if rule_exists: #TODO delete rules in the loop to delete actual iptables duplicates. It's to satisfy idempotency and plays well with common sense Iptables.exe_rule(modify, rule) ruleset.discard(rule) else: log.warn("Trying to delete not existing rule: {}. Command ignored.".format(rule)) elif modify == 'L': #TODO rereading the iptables? pass finally: self.cmd_queue.task_done()
def run(self): ruleset = set(Iptables.read_simple_rules()) while True: modify, rule, directives = self.cmd_queue.get() try: rule_exists = rule in ruleset log.debug('{} rule_exists: {}'.format(rule, rule_exists)) # check for duplicates, apply rule if modify == 'I': if rule_exists: log.warn( "Trying to insert existing rule: {}. Command ignored." .format(rule)) else: Iptables.exe_rule(modify, rule) # schedule expiry timeout if present. Only for Insert rules and only if the rule didn't exist before (so it was added now) self.schedule_expiry(rule, directives) ruleset.add(rule) elif modify == 'D': if rule_exists: #TODO delete rules in the loop to delete actual iptables duplicates. It's to satisfy idempotency and plays well with common sense Iptables.exe_rule(modify, rule) ruleset.discard(rule) else: log.warn( "Trying to delete not existing rule: {}. Command ignored." .format(rule)) elif modify == 'L': #TODO rereading the iptables? pass finally: self.cmd_queue.task_done()
def process(handler, modify, urlpath): # modify should be 'D' for Delete or 'I' for Insert understood as -D and -I iptables flags assert modify in ['D', 'I', 'L'] try: action, rule, directives = cmdparse.parse_command(urlpath) # log.debug('\nAction: {}\nRule: {}\nDirectives: {}'.format(action, rule, directives)) if modify == 'L': if action == 'help': resp = 'TODO usage' return handler.http_resp(200, resp) elif action == 'list': chain = rule rules = Iptables.read_simple_rules(chain) log.debug('List rfw rules: %s', rules) list_of_dict = map(iptables.Rule._asdict, rules) resp = json.dumps(list_of_dict) return handler.http_resp(200, resp) elif rfwconf.is_non_restful(): mod = directives.get('modify') if not mod: raise Exception('Unrecognized command. Non-restful enabled, you need to provide modify parameter.'.format(action)) if mod == 'insert': modify = 'I' elif mod == 'delete': modify = 'D' else: raise Exception('Unrecognized command. Modify parameter can be "insert" or "delete".') else: raise Exception('Unrecognized command. Non-restful disabled.') if modify in ['D', 'I'] and action.upper() in iptables.RULE_TARGETS: # eliminate ignored/whitelisted IP related commands early to prevent propagating them to expiry queue check_whitelist_conflict(rule.source, rfwconf.whitelist()) check_whitelist_conflict(rule.destination, rfwconf.whitelist()) ctup = (modify, rule, directives) log.debug('PUT to Cmd Queue. Tuple: {}'.format(ctup)) cmd_queue.put_nowait(ctup) # Make these rules persistent on file import os.path if os.path.isfile("/etc/init.d/iptables-persistent"): save_command = "/etc/init.d/iptables-persistent save" else: raise Exception('No iptables-persistent command is installed. Please install it first!') if save_command is not None: subprocess.call(save_command, shell=True) return handler.http_resp(200, ctup) else: raise Exception('Unrecognized command.') except Exception, e: msg = 'ERROR: {}'.format(e.message) # logging as error disabled - bad client request is not an error # log.exception(msg) log.info(msg) return handler.http_resp(400, msg) # Bad Request
def process(handler, modify, urlpath): # modify should be 'D' for Delete or 'I' for Insert understood as -D and -I iptables flags assert modify in ['D', 'I', 'L'] log.debug('process {} urlpath: {}'.format(modify, urlpath)) try: action, rule, directives = cmdparse.parse_command(urlpath) log.debug('\nAction: {}\nRule: {}\nDirectives: {}'.format( action, rule, directives)) if modify == 'L': if action == 'help': resp = 'TODO usage' return handler.http_resp(200, resp) elif action == 'list': chain = rule rules = Iptables.read_simple_rules(chain) log.debug('List rfw rules: %s', rules) list_of_dict = map(iptables.Rule._asdict, rules) resp = json.dumps(list_of_dict) return handler.http_resp(200, resp) elif rfwconf.is_non_restful(): mod = directives.get('modify') if not mod: raise Exception( 'Unrecognized command. Non-restful enabled, you need to provide modify parameter.' .format(action)) if mod == 'insert': modify = 'I' elif mod == 'delete': modify = 'D' else: raise Exception( 'Unrecognized command. Modify parameter can be "insert" or "delete".' ) else: raise Exception( 'Unrecognized command. Non-restful disabled.') if modify in ['D', 'I' ] and action.upper() in iptables.RULE_TARGETS: # eliminate ignored/whitelisted IP related commands early to prevent propagating them to expiry queue check_whitelist_conflict(rule.source, rfwconf.whitelist()) check_whitelist_conflict(rule.destination, rfwconf.whitelist()) ctup = (modify, rule, directives) log.debug('PUT to Cmd Queue. Tuple: {}'.format(ctup)) cmd_queue.put_nowait(ctup) return handler.http_resp(200, ctup) else: raise Exception('Unrecognized command.') except Exception, e: msg = 'ERROR: {}'.format(e.message) # logging as error disabled - bad client request is not an error # log.exception(msg) log.info(msg) return handler.http_resp(400, msg) # Bad Request
def run(self): Iptables.read_chains() ruleset = set(Iptables.read_simple_rules(matching_num=False)) while True: modify, rule, directives = self.cmd_queue.get() try: # Modify the rule to nullify parameters which need not to be included in the search if rule.target != 'CREATE': rule_exists = rule in ruleset else: if ':' in rule.chain: new_chain = rule.chain.split(':')[1] rule_exists = new_chain in iptables.RULE_CHAINS else: rule_exists = rule.chain in iptables.RULE_CHAINS log.debug('{} rule_exists: {}'.format(rule, rule_exists)) # check for duplicates, apply rule if modify == 'I': if rule_exists: log.warn("Trying to insert existing rule: {}. Command ignored.".format(rule)) else: if rule.target == 'CREATE': modify = 'N' if ':' in rule.chain: # renaming a chain modify = 'E' Iptables.exe_rule(modify, rule) # schedule expiry timeout if present. Only for Insert rules and only if the rule didn't exist before (so it was added now) self.schedule_expiry(rule, directives) if rule.target != 'CREATE': ruleset.add(rule) else: if ':' in rule.chain: old_chain = rule.chain.split(':')[0] new_chain = rule.chain.split(':')[1] iptables.RULE_CHAINS.remove(old_chain) iptables.RULE_CHAINS.add(new_chain) iptables.RULE_TARGETS.add(rule.chain) else: iptables.RULE_CHAINS.add(rule.chain) iptables.RULE_TARGETS.add(rule.chain) elif modify == 'D': if rule_exists: if rule.target == 'CREATE': modify = 'X' #TODO delete rules in the loop to delete actual iptables duplicates. It's to satisfy idempotency and plays well with common sense Iptables.exe_rule(modify, rule) if rule.target != 'CREATE': ruleset.discard(rule) else: iptables.RULE_TARGETS.remove(rule.chain) iptables.RULE_CHAINS.remove(rule.chain) else: print("non existing rule") log.warn("Trying to delete not existing rule: {}. Command ignored.".format(rule)) elif modify == 'L': #TODO rereading the iptables? pass # Hack to prevent this exception to reach the threading code, preventing this thread from running more than this except Exception: pass finally: self.cmd_queue.task_done()