#!@PYTHON@
# -*- coding: utf-8 -*-
#
# Copyright (C) 2009-2016 Red Hat, Inc.
#
# Authors:
# Thomas Woerner <twoerner@redhat.com>
# Jiri Popelka <jpopelka@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from gi.repository import GObject
import sys
sys.modules['gobject'] = GObject
import argparse
import os
from firewall.client import FirewallClientIPSetSettings, \
FirewallClientZoneSettings, FirewallClientServiceSettings, \
FirewallClientIcmpTypeSettings, FirewallClientHelperSettings
from firewall.errors import FirewallError
from firewall import config
from firewall.core.fw import Firewall
from firewall.functions import joinArgs, splitArgs
from firewall.core.io.functions import check_config
from firewall.core.io.zone import zone_reader
from firewall.core.io.service import service_reader
from firewall.core.io.ipset import ipset_reader
from firewall.core.io.icmptype import icmptype_reader
from firewall.core.io.helper import helper_reader
from firewall.command import FirewallCommand
# check for root user
def assert_root():
    """Terminate the program unless it was started by root.

    The check uses ``os.getuid()``, i.e. the real user id of the process,
    not the effective one.  For any non-zero uid a message naming the
    program (``sys.argv[0]``) is written to stderr and the process exits
    with status -1.
    """
    if os.getuid() == 0:
        return
    sys.stderr.write("You need to be root to run %s.\n" % sys.argv[0])
    sys.exit(-1)
# Path of the system-config-firewall file below config.SYSCONFIGDIR.  It is
# the default input of read_sysconfig_args() and the file the usage text
# names as the one migrated when no options are given.
SYSTEM_CONFIG_FIREWALL = config.SYSCONFIGDIR + '/system-config-firewall'
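def __usage():
    """Write the firewall-offline-cmd help text to stdout.

    The text contains two ``%s`` placeholders: the first is filled with
    SYSTEM_CONFIG_FIREWALL (the file migrated when no options are given),
    the second with config.SYSCONFIGDIR (used in the --custom-rules
    example).  Options marked [Z] accept --zone=<zone>.
    """
    sys.stdout.write("""
Usage: firewall-offline-cmd [OPTIONS...]

If no options are given, configuration from '%s' will be migrated.

General Options
  -h, --help           Prints a short help text and exits
  -V, --version        Print the version string of firewalld
  -q, --quiet          Do not print status messages
      --system-config  Path to firewalld system configuration
      --default-config Path to firewalld default configuration
      --check-config   Check system and default configuration

Lokkit Compatibility Options
  --migrate-system-config-firewall=<file>
                       Import configuration data from the given configuration
                       file.
  --enabled            Enable firewall (default)
  --disabled           Disable firewall
  --addmodule=<module> Ignored option, was used to enable an iptables module
  --removemodule=<module>
                       Ignored option, was used to disable an iptables module
  -s <service>, --service=<service>
                       Enable a service in the default zone (example: ssh)
  --remove-service=<service>
                       Disable a service in the default zone (example: ssh)
  -p <port>[-<port>]:<protocol>, --port=<port>[-<port>]:<protocol>
                       Enable a port in the default zone (example: ssh:tcp)
  -t <interface>, --trust=<interface>
                       Bind an interface to the trusted zone
  -m <interface>, --masq=<interface>
                       Enables masquerading in the default zone, interface
                       argument is ignored. This is IPv4 only.
  --custom-rules=[<type>:][<table>:]<filename>
                       Ignored option. Was used to add custom rules to the
                       firewall (Example:
                       ipv4:filter:%s/ipv4_filter_addon)
  --forward-port=if=<interface>:port=<port>:proto=<protocol>[:toport=<destination port>][:toaddr=<destination address>]
                       Forward the port with protocol for the interface to
                       either another local destination port (no destination
                       address given) or to another destination address with
                       an optional destination port. This will be added to
                       the default zone. This is IPv4 only.
  --block-icmp=<icmp type>
                       Block this ICMP type in the default zone. The default
                       is to accept all ICMP types.

Log Denied Options
  --get-log-denied     Print the log denied value
  --set-log-denied=<value>
                       Set log denied value

Automatic Helpers Options
  --get-automatic-helpers
                       Print the automatic helpers value
  --set-automatic-helpers=<value>
                       Set automatic helpers value

Zone Options
  --get-default-zone   Print default zone for connections and interfaces
  --set-default-zone=<zone>
                       Set default zone
  --get-zones          Print predefined zones
  --get-services       Print predefined services
  --get-icmptypes      Print predefined icmptypes
  --get-zone-of-interface=<interface>
                       Print name of the zone the interface is bound to
  --get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Print name of the zone the source is bound to
  --list-all-zones     List everything added for or enabled in all zones
  --new-zone=<zone>    Add a new empty zone
  --new-zone-from-file=<filename> [--name=<zone>]
                       Add a new zone from file with optional name override [P only]
  --delete-zone=<zone> Delete an existing zone
  --load-zone-defaults=<zone>
                       Load zone default settings [Z]
  --zone=<zone>        Use this zone to set or query options, else default zone
                       Usable for options marked with [Z]
  --set-description=<description>
                       Set new description to zone
  --get-description    Print description for zone
  --get-target         Get the zone target
  --set-target=<target>
                       Set the zone target
  --info-zone=<zone>   Print information about a zone
  --path-zone=<zone>   Print file path of a zone

IPSet Options
  --new-ipset=<ipset> --type=<ipset type> [--option=<key>[=<value>]]..
                       Add a new empty ipset
  --new-ipset-from-file=<filename> [--name=<ipset>]
                       Add a new ipset from file with optional name override [P only]
  --delete-ipset=<ipset>
                       Delete an existing ipset
  --load-ipset-defaults=<ipset>
                       Load ipset default settings
  --info-ipset=<ipset> Print information about an ipset
  --path-ipset=<ipset> Print file path of an ipset
  --get-ipsets         Print predefined ipsets
  --ipset=<ipset> --set-description=<description>
                       Set new description to ipset
  --ipset=<ipset> --get-description
                       Print description for ipset
  --ipset=<ipset> --set-short=<description>
                       Set new short description to ipset
  --ipset=<ipset> --get-short
                       Print short description for ipset
  --ipset=<ipset> --add-entry=<entry>
                       Add a new entry to an ipset
  --ipset=<ipset> --remove-entry=<entry>
                       Remove an entry from an ipset
  --ipset=<ipset> --query-entry=<entry>
                       Return whether ipset has an entry
  --ipset=<ipset> --get-entries
                       List entries of an ipset
  --ipset=<ipset> --add-entries-from-file=<filename>
                       Add new entries to an ipset
  --ipset=<ipset> --remove-entries-from-file=<filename>
                       Remove entries from an ipset

IcmpType Options
  --new-icmptype=<icmptype>
                       Add a new empty icmptype
  --new-icmptype-from-file=<filename> [--name=<icmptype>]
                       Add a new icmptype from file with optional name override [P only]
  --delete-icmptype=<icmptype>
                       Delete an existing icmptype
  --load-icmptype-defaults=<icmptype>
                       Load icmptype default settings
  --info-icmptype=<icmptype>
                       Print information about an icmptype
  --path-icmptype=<icmptype>
                       Print file path of an icmptype
  --icmptype=<icmptype> --set-description=<description>
                       Set new description to icmptype
  --icmptype=<icmptype> --get-description
                       Print description for icmptype
  --icmptype=<icmptype> --set-short=<description>
                       Set new short description to icmptype
  --icmptype=<icmptype> --get-short
                       Print short description for icmptype
  --icmptype=<icmptype> --add-destination=<ipv>
                       Enable destination for ipv in icmptype
  --icmptype=<icmptype> --remove-destination=<ipv>
                       Disable destination for ipv in icmptype
  --icmptype=<icmptype> --query-destination=<ipv>
                       Return whether destination ipv is enabled in icmptype
  --icmptype=<icmptype> --get-destinations
                       List destinations in icmptype

Service Options
  --new-service=<service>
                       Add a new empty service
  --new-service-from-file=<filename> [--name=<service>]
                       Add a new service from file with optional name override [P only]
  --delete-service=<service>
                       Delete an existing service
  --load-service-defaults=<service>
                       Load service default settings
  --info-service=<service>
                       Print information about a service
  --path-service=<service>
                       Print file path of a service
  --service=<service> --set-description=<description>
                       Set new description to service
  --service=<service> --get-description
                       Print description for service
  --service=<service> --set-short=<description>
                       Set new short description to service
  --service=<service> --get-short
                       Print short description for service
  --service=<service> --add-port=<portid>[-<portid>]/<protocol>
                       Add a new port to service
  --service=<service> --remove-port=<portid>[-<portid>]/<protocol>
                       Remove a port from service
  --service=<service> --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for service
  --service=<service> --get-ports
                       List ports of service
  --service=<service> --add-protocol=<protocol>
                       Add a new protocol to service
  --service=<service> --remove-protocol=<protocol>
                       Remove a protocol from service
  --service=<service> --query-protocol=<protocol>
                       Return whether the protocol has been added for service
  --service=<service> --get-protocols
                       List protocols of service
  --service=<service> --add-source-port=<portid>[-<portid>]/<protocol>
                       Add a new source port to service
  --service=<service> --remove-source-port=<portid>[-<portid>]/<protocol>
                       Remove a source port from service
  --service=<service> --query-source-port=<portid>[-<portid>]/<protocol>
                       Return whether the source port has been added for service [P only]
  --service=<service> --get-source-ports
                       List source ports of service
  --service=<service> --add-helper=<helper>
                       Add a new helper to service
  --service=<service> --remove-helper=<helper>
                       Remove a helper from service
  --service=<service> --query-helper=<helper>
                       Return whether the helper has been added for service
  --service=<service> --get-service-helpers
                       List helpers of service
  --service=<service> --set-destination=<ipv>:<address>[/<mask>]
                       Set destination for ipv to address in service
  --service=<service> --remove-destination=<ipv>
                       Disable destination for ipv in service
  --service=<service> --query-destination=<ipv>:<address>[/<mask>]
                       Return whether destination ipv is set for service
  --service=<service> --get-destinations
                       List destinations in service
  --service=<service> --add-include=<service>
                       Add a new include to service
  --service=<service> --remove-include=<service>
                       Remove an include from service
  --service=<service> --query-include=<service>
                       Return whether the include has been added for service
  --service=<service> --get-includes
                       List includes of service

Options to Adapt and Query Zones
  --list-all           List everything added for or enabled in a zone [Z]
  --list-services      List services added for a zone [Z]
  --add-service=<service>
                       Add a service for a zone [Z]
  --remove-service-from-zone=<service>
                       Remove a service from a zone [Z]
  --query-service=<service>
                       Return whether service has been added for a zone [Z]
  --list-ports         List ports added for a zone [Z]
  --add-port=<portid>[-<portid>]/<protocol>
                       Add the port for a zone [Z]
  --remove-port=<portid>[-<portid>]/<protocol>
                       Remove the port from a zone [Z]
  --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for zone [Z]
  --list-protocols     List protocols added for a zone [Z]
  --add-protocol=<protocol>
                       Add the protocol for a zone [Z]
  --remove-protocol=<protocol>
                       Remove the protocol from a zone [Z]
  --query-protocol=<protocol>
                       Return whether the protocol has been added for zone [Z]
  --list-source-ports  List source ports added for a zone [Z]
  --add-source-port=<portid>[-<portid>]/<protocol>
                       Add the source port for a zone [Z]
  --remove-source-port=<portid>[-<portid>]/<protocol>
                       Remove the source port from a zone [Z]
  --query-source-port=<portid>[-<portid>]/<protocol>
                       Return whether the source port has been added for zone [Z]
  --list-icmp-blocks   List Internet ICMP type blocks added for a zone [Z]
  --add-icmp-block=<icmptype>
                       Add an ICMP block for a zone [Z]
  --remove-icmp-block=<icmptype>
                       Remove the ICMP block from a zone [Z]
  --query-icmp-block=<icmptype>
                       Return whether an ICMP block has been added for a zone
                       [Z]
  --add-icmp-block-inversion
                       Enable inversion of icmp blocks for a zone [Z]
  --remove-icmp-block-inversion
                       Disable inversion of icmp blocks for a zone [Z]
  --query-icmp-block-inversion
                       Return whether inversion of icmp blocks has been enabled
                       for a zone [Z]
  --list-forward-ports List IPv4 forward ports added for a zone [Z]
  --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Add the IPv4 forward port for a zone [Z]
  --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Remove the IPv4 forward port from a zone [Z]


  --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Return whether the IPv4 forward port has been added for
                       a zone [Z]
  --add-masquerade     Enable IPv4 masquerade for a zone [Z]
  --remove-masquerade  Disable IPv4 masquerade for a zone [Z]
  --query-masquerade   Return whether IPv4 masquerading has been enabled for a
                       zone [Z]
  --list-rich-rules    List rich language rules added for a zone [Z]
  --add-rich-rule=<rule>
                       Add rich language rule 'rule' for a zone [Z]
  --remove-rich-rule=<rule>
                       Remove rich language rule 'rule' from a zone [Z]
  --query-rich-rule=<rule>
                       Return whether a rich language rule 'rule' has been
                       added for a zone [Z]

Options to Handle Bindings of Interfaces
  --list-interfaces    List interfaces that are bound to a zone [Z]
  --add-interface=<interface>
                       Bind the <interface> to a zone [Z]
  --change-interface=<interface>
                       Change zone the <interface> is bound to [Z]
  --query-interface=<interface>
                       Query whether <interface> is bound to a zone [Z]
  --remove-interface=<interface>
                       Remove binding of <interface> from a zone [Z]

Options to Handle Bindings of Sources
  --list-sources       List sources that are bound to a zone [Z]
  --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Bind the source to a zone [Z]
  --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Change zone the source is bound to [Z]
  --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Query whether the source is bound to a zone [Z]
  --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Remove binding of the source from a zone [Z]

Helper Options
  --new-helper=<helper> --module=<module> [--family=<family>]
                       Add a new helper
  --new-helper-from-file=<filename> [--name=<helper>]
                       Add a new helper from file with optional name
  --delete-helper=<helper>
                       Delete an existing helper
  --load-helper-defaults=<helper>
                       Load helper default settings
  --info-helper=<helper> Print information about a helper
  --path-helper=<helper> Print file path of a helper
  --get-helpers        Print predefined helpers
  --helper=<helper> --set-description=<description>
                       Set new description to helper
  --helper=<helper> --get-description
                       Print description for helper
  --helper=<helper> --set-short=<description>
                       Set new short description to helper
  --helper=<helper> --get-short
                       Print short description for helper
  --helper=<helper> --add-port=<portid>[-<portid>]/<protocol>
                       Add a new port to helper
  --helper=<helper> --remove-port=<portid>[-<portid>]/<protocol>
                       Remove a port from helper
  --helper=<helper> --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for helper
  --helper=<helper> --get-ports
                       List ports of helper
  --helper=<helper> --set-module=<module>
                       Set module to helper
  --helper=<helper> --get-module
                       Get module from helper
  --helper=<helper> --set-family={ipv4|ipv6|}
                       Set family for helper
  --helper=<helper> --get-family
                       Get family from helper

Direct Options
  --direct             First option for all direct options
  --get-all-chains
                       Get all chains
  --get-chains {ipv4|ipv6|eb} <table>
                       Get all chains added to the table
  --add-chain {ipv4|ipv6|eb} <table> <chain>
                       Add a new chain to the table
  --remove-chain {ipv4|ipv6|eb} <table> <chain>
                       Remove the chain from the table
  --query-chain {ipv4|ipv6|eb} <table> <chain>
                       Return whether the chain has been added to the table
  --get-all-rules
                       Get all rules
  --get-rules {ipv4|ipv6|eb} <table> <chain>
                       Get all rules added to chain in table
  --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Add rule to chain in table
  --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Remove rule with priority from chain in table
  --remove-rules {ipv4|ipv6|eb} <table> <chain>
                       Remove rules from chain in table
  --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Return whether a rule with priority has been added to
                       chain in table
  --get-all-passthroughs
                       Get all passthrough rules
  --get-passthroughs {ipv4|ipv6|eb} <arg>...
                       Get passthrough rules
  --add-passthrough {ipv4|ipv6|eb} <arg>...
                       Add a new passthrough rule
  --remove-passthrough {ipv4|ipv6|eb} <arg>...
                       Remove a passthrough rule
  --query-passthrough {ipv4|ipv6|eb} <arg>...
                       Return whether the passthrough rule has been added

Lockdown Options
  --lockdown-on        Enable lockdown.
  --lockdown-off       Disable lockdown.
  --query-lockdown     Query whether lockdown is enabled

Lockdown Whitelist Options
  --list-lockdown-whitelist-commands
                       List all command lines that are on the whitelist
  --add-lockdown-whitelist-command=<command>
                       Add the command to the whitelist
  --remove-lockdown-whitelist-command=<command>
                       Remove the command from the whitelist
  --query-lockdown-whitelist-command=<command>
                       Query whether the command is on the whitelist
  --list-lockdown-whitelist-contexts
                       List all contexts that are on the whitelist
  --add-lockdown-whitelist-context=<context>
                       Add the context context to the whitelist
  --remove-lockdown-whitelist-context=<context>
                       Remove the context from the whitelist
  --query-lockdown-whitelist-context=<context>
                       Query whether the context is on the whitelist
  --list-lockdown-whitelist-uids
                       List all user ids that are on the whitelist
  --add-lockdown-whitelist-uid=<uid>
                       Add the user id uid to the whitelist
  --remove-lockdown-whitelist-uid=<uid>
                       Remove the user id uid from the whitelist
  --query-lockdown-whitelist-uid=<uid>
                       Query whether the user id uid is on the whitelist
  --list-lockdown-whitelist-users
                       List all user names that are on the whitelist
  --add-lockdown-whitelist-user=<user>
                       Add the user name user to the whitelist
  --remove-lockdown-whitelist-user=<user>
                       Remove the user name user from the whitelist
  --query-lockdown-whitelist-user=<user>
                       Query whether the user name user is on the whitelist

Polkit Options
  --policy-server      Change Polkit actions to 'server' (more restricted)
  --policy-desktop     Change Polkit actions to 'desktop' (less restricted)

""" % (SYSTEM_CONFIG_FIREWALL, config.SYSCONFIGDIR))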
def parse_port_lokkit(value):
    """Split a lokkit-style port argument into its port and protocol parts.

    The expected form is ``portid[-portid]:protocol``.  A value that does not
    split into exactly two fields on ":" is reported through ``cmd.fail``.
    Neither part is validated here; both are returned as strings.
    """
    try:
        fields = value.split(":")
        port, proto = fields
    except Exception:
        cmd.fail("bad port (most likely missing protocol), correct syntax is portid[-portid]:protocol")
    # NOTE(review): this line is reached after a bad value only if cmd.fail()
    # returns; it presumably terminates the program -- confirm.
    return port, proto
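def pk_symlink(product='server'):
    """Point the active firewalld polkit policy at the ``product`` variant.

    Changes the working directory to the polkit actions directory and
    replaces ``org.fedoraproject.FirewallD1.policy`` with a relative symlink
    to ``org.fedoraproject.FirewallD1.<product>.policy.choice``.  The result
    is reported through ``cmd.print_and_exit``; a missing ``.policy.choice``
    file is reported through ``cmd.fail``.

    ``product`` is concatenated into the file name without any checking.
    NOTE(review): callers presumably pass only the fixed names 'server' and
    'desktop' -- confirm before passing anything derived from user input.
    """
    _PK_DIR = '/usr/share/polkit-1/actions/'
    _PK_NAME = 'org.fedoraproject.FirewallD1.'
    choice = _PK_NAME + product + '.policy.choice'
    link = _PK_NAME + 'policy'

    os.chdir(_PK_DIR)
    if os.path.isfile(choice):
        # lexists() does not follow the link, so a dangling policy symlink
        # (its previous target is gone) is removed as well.  isfile() would
        # report it as absent and the symlink() call below would then fail
        # because the name is still taken.
        if os.path.lexists(link):
            os.remove(link)
        os.symlink(choice, link)
        cmd.print_and_exit('symlink ' + _PK_DIR + choice + ' -> ' + link)
    else:
        cmd.fail('no such file ' + _PK_DIR + choice)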
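# system-config-firewall
def read_sysconfig_args(config_file=SYSTEM_CONFIG_FIREWALL):
    """Read a system-config-firewall file and return its lines as a list.

    Every line is stripped of surrounding whitespace; empty lines and lines
    starting with '#' are skipped.  Each remaining line becomes one element
    of the returned list.

    Returns None when ``config_file`` is not an existing regular file or
    cannot be opened, otherwise the (possibly empty) list.

    NOTE(review): the result looks like it is handed to the option parser as
    if it were a command line, so the file carries the same trust as the
    invoking command -- confirm it is writable by root only.
    """
    # Decide explicitly instead of relying on open(None) raising.
    if not os.path.isfile(config_file):
        return None
    try:
        f = open(config_file, 'r')
    except (IOError, OSError):
        return None

    argv = []
    # The with-block closes the file even if reading a line raises.
    with f:
        for line in f:
            line = line.strip()
            if not line or line.startswith('#'):
                continue
            argv.append(line)
    return argv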
# Option parser of the command.  argparse's generated help is switched off
# (add_help=False) and the usage line only points at the man page.
parser = argparse.ArgumentParser(
    usage="see firewall-offline-cmd man page",
    add_help=False,
)

# Output verbosity: -v and -q exclude each other.
parser_group_output = parser.add_mutually_exclusive_group()
for _flags in (("-v", "--verbose"), ("-q", "--quiet")):
    parser_group_output.add_argument(*_flags, action="store_true")

# Options of the lokkit group.  This is a plain argument group, so these
# options may be combined with each other.
parser_group_lokkit = parser.add_argument_group()
for _flag in ("--enabled", "--disabled"):
    parser_group_lokkit.add_argument(_flag, action="store_true")
# Repeatable options: each occurrence appends one value to a list.
for _flags, _placeholder in (
        (("--addmodule",), "<module>"),
        (("--removemodule",), "<module>"),
        (("--service", "-s"), "<service>"),
        (("--remove-service",), "<service>"),
        (("--port", "-p"), "<port>"),
        (("--trust", "-t"), "<iface>"),
        (("--masq", "-m"), "<iface>"),
        (("--custom-rules",), "<filename>"),
        (("--forward-port",), "<port>"),
        (("--block-icmp",), "<icmptype>"),
):
    parser_group_lokkit.add_argument(*_flags, metavar=_placeholder,
                                     action="append")

# Path-valued options and the --check-config flag.
for _flag in ("--system-config", "--default-config"):
    parser.add_argument(_flag, metavar="path")
parser.add_argument("--check-config", action="store_true")
# Stand-alone actions.  The group is mutually exclusive, so at most one of
# these options is accepted per invocation.
parser_group_standalone = parser.add_mutually_exclusive_group()
_standalone = parser_group_standalone.add_argument

_standalone("-h", "--help", action="store_true")
_standalone("-V", "--version", action="store_true")
_standalone("--get-log-denied", action="store_true")
_standalone("--set-log-denied", metavar="<value>")
_standalone("--get-automatic-helpers", action="store_true")
_standalone("--set-automatic-helpers", metavar="<value>")
# Polkit profile switches; the usage text describes 'server' as the more
# restricted and 'desktop' as the less restricted set of actions.
_standalone("--policy-server", action="store_true")
_standalone("--policy-desktop", action="store_true")
_standalone("--lockdown-on", action="store_true")
_standalone("--lockdown-off", action="store_true")
_standalone("--query-lockdown", action="store_true")

_standalone("--get-default-zone", action="store_true")
_standalone("--set-default-zone", metavar="<zone>")
for _flag in ("--get-zones", "--get-services", "--get-icmptypes"):
    _standalone(_flag, action="store_true")
_standalone("--get-zone-of-interface", metavar="<iface>", action="append")
_standalone("--get-zone-of-source", metavar="<source>", action="append")
_standalone("--list-all-zones", action="store_true")

# --info-<kind> takes the name of one object of that kind.
for _kind in ("zone", "service", "icmptype", "ipset", "helper"):
    _standalone("--info-" + _kind, metavar="<" + _kind + ">")
# Creating, deleting, resetting and locating configuration objects.  The
# group is mutually exclusive: one of these options per invocation.
parser_group_config = parser.add_mutually_exclusive_group()
_config = parser_group_config.add_argument

# For every kind this registers, in order:
#   --new-<kind>, --new-<kind>-from-file, --delete-<kind>,
#   --load-<kind>-defaults
for _kind in ("icmptype", "service", "zone", "ipset", "helper"):
    _placeholder = "<%s>" % _kind
    _config("--new-%s" % _kind, metavar=_placeholder)
    _config("--new-%s-from-file" % _kind, metavar="<filename>")
    _config("--delete-%s" % _kind, metavar=_placeholder)
    _config("--load-%s-defaults" % _kind, metavar=_placeholder)

# --path-<kind> options, registered in this order.
for _kind in ("zone", "service", "icmptype", "ipset", "helper"):
    _config("--path-%s" % _kind, metavar="<%s>" % _kind)

# Not part of the exclusive group; defaults to the empty string.
parser.add_argument("--name", default="", metavar="<name>")
# Lockdown whitelist maintenance.  Four kinds of entries exist (commands,
# contexts, user ids, user names); each kind has a list flag and repeatable
# add/remove/query options.  The group is mutually exclusive.
parser_group_lockdown_whitelist = parser.add_mutually_exclusive_group()
_whitelist = parser_group_lockdown_whitelist.add_argument

_whitelist("--list-lockdown-whitelist-commands", action="store_true")
_whitelist("--add-lockdown-whitelist-command", metavar="<command>",
           action="append")
_whitelist("--remove-lockdown-whitelist-command", metavar="<command>",
           action="append")
_whitelist("--query-lockdown-whitelist-command", metavar="<command>",
           action="append")

_whitelist("--list-lockdown-whitelist-contexts", action="store_true")
_whitelist("--add-lockdown-whitelist-context", metavar="<context>",
           action="append")
_whitelist("--remove-lockdown-whitelist-context", metavar="<context>",
           action="append")
_whitelist("--query-lockdown-whitelist-context", metavar="<context>",
           action="append")

# User ids are converted with int(), so a non-numeric value is rejected by
# the parser itself.
_whitelist("--list-lockdown-whitelist-uids", action="store_true")
_whitelist("--add-lockdown-whitelist-uid", metavar="<uid>", type=int,
           action="append")
_whitelist("--remove-lockdown-whitelist-uid", metavar="<uid>", type=int,
           action="append")
_whitelist("--query-lockdown-whitelist-uid", metavar="<uid>", type=int,
           action="append")

_whitelist("--list-lockdown-whitelist-users", action="store_true")
_whitelist("--add-lockdown-whitelist-user", metavar="<user>",
           action="append")
_whitelist("--remove-lockdown-whitelist-user", metavar="<user>",
           action="append")
_whitelist("--query-lockdown-whitelist-user", metavar="<user>",
           action="append")
# Zone selector; defaults to the empty string when not given.
parser.add_argument("--zone", default="", metavar="<zone>")

# Zone operations.  The group is mutually exclusive: one kind of operation
# per invocation.  Value-taking options are repeatable (action="append").
parser_group_zone = parser.add_mutually_exclusive_group()
_zone = parser_group_zone.add_argument

for _opt in ("--add-interface", "--remove-interface", "--query-interface"):
    _zone(_opt, metavar="<iface>", action="append")
# --change-zone is a second spelling of --change-interface.
_zone("--change-interface", "--change-zone", metavar="<iface>",
      action="append")
_zone("--list-interfaces", action="store_true")

for _opt in ("--add-source", "--remove-source", "--query-source",
             "--change-source"):
    _zone(_opt, metavar="<source>", action="append")
_zone("--list-sources", action="store_true")

for _opt in ("--add-rich-rule", "--remove-rich-rule", "--query-rich-rule"):
    _zone(_opt, metavar="<rule>", action="append")

_zone("--add-service", metavar="<service>", action="append")
# NOTE(review): the next two placeholders read "<zone>" although the
# sibling --add-service uses "<service>" -- confirm which is intended.
_zone("--remove-service-from-zone", metavar="<zone>", action="append")
_zone("--query-service", metavar="<zone>", action="append")

for _opt in ("--add-port", "--remove-port", "--query-port"):
    _zone(_opt, metavar="<port>", action="append")
for _opt in ("--add-protocol", "--remove-protocol", "--query-protocol"):
    _zone(_opt, metavar="<protocol>", action="append")
for _opt in ("--add-source-port", "--remove-source-port",
             "--query-source-port"):
    _zone(_opt, metavar="<port>", action="append")

for _opt in ("--add-masquerade", "--remove-masquerade",
             "--query-masquerade"):
    _zone(_opt, action="store_true")

for _opt in ("--add-icmp-block", "--remove-icmp-block",
             "--query-icmp-block"):
    _zone(_opt, metavar="<icmptype>", action="append")
for _opt in ("--add-icmp-block-inversion", "--remove-icmp-block-inversion",
             "--query-icmp-block-inversion"):
    _zone(_opt, action="store_true")

for _opt in ("--add-forward-port", "--remove-forward-port",
             "--query-forward-port"):
    _zone(_opt, metavar="<port>", action="append")

for _opt in ("--list-rich-rules", "--list-services", "--list-ports",
             "--list-protocols", "--list-icmp-blocks",
             "--list-forward-ports", "--list-source-ports", "--list-all"):
    _zone(_opt, action="store_true")

_zone("--get-target", action="store_true")
_zone("--set-target", metavar="<target>")
# Selectors and parameters used with the ipset options below.
parser.add_argument("--option", metavar="<key>[=<value>]", action="append")
parser.add_argument("--type", metavar="<ipsettype>")
parser.add_argument("--ipset", metavar="<ipset>")

# ipset operations (mutually exclusive).
parser_ipset = parser.add_mutually_exclusive_group()
_ipset = parser_ipset.add_argument
#parser_ipset.add_argument("--add-option", metavar="<key>[=<value>]")
#parser_ipset.add_argument("--remove-option", metavar="<key>[=<value>]")
#parser_ipset.add_argument("--query-option", metavar="<key>[=<value>]")
#parser_ipset.add_argument("--get-options", action="store_true")

_ipset("--get-ipsets", action="store_true")
for _opt in ("--add-entry", "--remove-entry", "--query-entry"):
    _ipset(_opt, metavar="<entry>", action="append")
_ipset("--get-entries", action="store_true")
for _opt in ("--add-entries-from-file", "--remove-entries-from-file"):
    _ipset(_opt, metavar="<filename>", action="append")

# icmptype selector and its operations (mutually exclusive).
parser.add_argument("--icmptype", metavar="<icmptype>")

parser_icmptype = parser.add_mutually_exclusive_group()
for _opt in ("--add-destination", "--remove-destination",
             "--query-destination"):
    parser_icmptype.add_argument(_opt, metavar="<ipv>", action="append")
parser_icmptype.add_argument("--get-destinations", action="store_true")
# Service operations (mutually exclusive).
parser_service = parser.add_mutually_exclusive_group()
_service = parser_service.add_argument

for _opt in ("--get-ports", "--get-source-ports", "--get-protocols"):
    _service(_opt, action="store_true")

# add/remove/query take repeatable values; the getter after them is a flag.
for _opts, _placeholder, _getter in (
        (("--add-module", "--remove-module", "--query-module"),
         "<module>", "--get-modules"),
        (("--add-helper", "--remove-helper", "--query-helper"),
         "<helper>", "--get-service-helpers"),
        (("--add-include", "--remove-include", "--query-include"),
         "<service>", "--get-includes"),
):
    for _opt in _opts:
        _service(_opt, metavar=_placeholder, action="append")
    _service(_getter, action="store_true")

_service("--set-destination", metavar="<destination>", action="append")
_service("--get-destination", action="store_true")

_service("--set-description", metavar="<description>")
_service("--get-description", action="store_true")

# --set-short shares the "<description>" placeholder with --set-description.
_service("--set-short", metavar="<description>")
_service("--get-short", action="store_true")
# Selectors used with the helper options below.
for _opt, _placeholder in (("--helper", "<helper>"),
                           ("--family", "<family>"),
                           ("--module", "<module>")):
    parser.add_argument(_opt, metavar=_placeholder)

# Helper operations (mutually exclusive).
parser_helper = parser.add_mutually_exclusive_group()
_helper = parser_helper.add_argument
#parser_helper.add_argument("--get-ports", action="store_true")
_helper("--get-helpers", action="store_true")
_helper("--set-module", metavar="<module>")
_helper("--get-module", action="store_true")
#parser_helper.add_argument("--query-module", metavar="<module>")
# nargs="*": --set-family may be followed by no value at all, which yields
# an empty list.
_helper("--set-family", metavar="<family>|''", nargs="*")
_helper("--get-family", action="store_true")
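parser.add_argument("--direct", action="store_true")

# not possible to have sequences of options here
parser_direct = parser.add_mutually_exclusive_group()
_direct = parser_direct.add_argument

# Placeholders for the positional values of the direct options, in the order
# ip family, table, chain.  The table position had an empty placeholder and
# --remove-rules carried a two-element tuple for nargs=3; both are spelled
# out here so every fixed-nargs option has one placeholder per value.
_IPV = "{ ipv4 | ipv6 | eb }"
_TABLE = "<table>"
_CHAIN = "<chain>"
_RULE = "<table> <chain> <priority> <args>"

# argparse.REMAINDER: everything after the option is taken as its value,
# including words that look like options.
for _opt in ("--add-passthrough", "--remove-passthrough",
             "--query-passthrough"):
    _direct(_opt, nargs=argparse.REMAINDER, metavar=(_IPV, "<args>"))
_direct("--get-passthroughs", nargs=1, metavar=_IPV)
_direct("--get-all-passthroughs", action="store_true")

for _opt in ("--add-chain", "--remove-chain", "--query-chain"):
    _direct(_opt, nargs=3, metavar=(_IPV, _TABLE, _CHAIN))
_direct("--get-all-chains", action="store_true")
_direct("--get-chains", nargs=2, metavar=(_IPV, _TABLE))

_direct("--add-rule", nargs=argparse.REMAINDER, metavar=(_IPV, _RULE))
_direct("--remove-rule", nargs=argparse.REMAINDER, metavar=(_IPV, _RULE))
_direct("--remove-rules", nargs=3, metavar=(_IPV, _TABLE, _CHAIN))
_direct("--query-rule", nargs=argparse.REMAINDER, metavar=(_IPV, _RULE))
_direct("--get-rules", nargs=3, metavar=(_IPV, _TABLE, _CHAIN))
_direct("--get-all-rules", action="store_true")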
##############################################################################

cmd = FirewallCommand()


def myexcepthook(exctype, value, traceback):
    """Report an uncaught exception through ``cmd.exception_handler``.

    Only the string form of the exception value is passed on; the exception
    type and the traceback are not used.
    NOTE(review): unless exception_handler records more elsewhere, a failure
    leaves no stack context behind -- confirm this is intended.
    """
    message = str(value)
    cmd.exception_handler(message)


# Installed for the whole process: uncaught exceptions raised from here on
# go through myexcepthook instead of the default traceback printer.
sys.excepthook = myexcepthook
# Build the argument list for the main parser.  Three cases:
#   1. --migrate-system-config-firewall appears on the command line,
#   2. any other command line,
#   3. no arguments at all: migrate the default SYSTEM_CONFIG_FIREWALL file.
#
# NOTE(review): the first test is a substring match over every element of
# sys.argv (argv[0] included), so it is also true when the option text only
# appears inside another argument; the small parser below then decides
# whether the option was really given.
if (len(sys.argv) > 1
        and any('--migrate-system-config-firewall' in arg
                for arg in sys.argv)):
    args = sys.argv[1:]
    migration_parser = argparse.ArgumentParser(
        usage="see firewall-offline-cmd man page", add_help=False)
    for short_opt, long_opt in (("-h", "--help"),
                                ("-v", "--verbose"),
                                ("-q", "--quiet")):
        migration_parser.add_argument(short_opt, long_opt,
                                      action="store_true")
    migration_parser.add_argument("--migrate-system-config-firewall",
                                  metavar="<file>", action='store')
    # Arguments this parser does not know are kept in `unknown`.
    a, unknown = migration_parser.parse_known_args(args)
    cmd.set_quiet(a.quiet)
    cmd.set_verbose(a.verbose)
    if a.help:
        __usage()
        sys.exit(0)
    # Only the help request is answered before the root check.
    assert_root()
    if a.quiet:
        # it makes no sense to use --quiet with these options
        a.quiet = False
        cmd.set_quiet(False)
        cmd.fail("-q/--quiet can't be used with this option(s)")
    if a.migrate_system_config_firewall:
        # The file named on the command line supplies the arguments; an
        # empty result is reported as a failure to open it.
        args = read_sysconfig_args(a.migrate_system_config_firewall)
        if not args:
            cmd.fail("Opening of '%s' failed, exiting." %
                     a.migrate_system_config_firewall)
        args += unknown
elif len(sys.argv) > 1:
    args = sys.argv[1:]
    # Option name and the distance from it to the last argument that stays
    # separate.  Checked in this order; only the first option found counts.
    _joined_tail_options = (
        ('--add-passthrough', 1),
        ('--remove-passthrough', 1),
        ('--query-passthrough', 1),
        ('--add-rule', 4),
        ('--remove-rule', 4),
        ('--query-rule', 4),
    )
    _split_at = -1
    for _option, _offset in _joined_tail_options:
        if _option in args:
            _split_at = args.index(_option) + _offset
            break
    # join <args> into one argument to prevent parser from parsing each
    # iptables option, because they can conflict with firewall-cmd options
    # e.g. --delete (iptables) and --delete-* (firewall-cmd)
    if -1 < _split_at < len(args) - 1:
        _head = args[:_split_at + 1]    # all but not <args>
        _tail = args[_split_at + 1:]    # <args>, joined into one argument
        args = _head + [joinArgs(_tail)]
else:
    assert_root()
    # migrate configuration from SYSTEM_CONFIG_FIREWALL
    args = read_sysconfig_args()
    if not args:
        cmd.fail("Opening of '%s' failed, exiting." % SYSTEM_CONFIG_FIREWALL)

a = parser.parse_args(args)
# Classify the parsed options into groups.  Each options_* name holds the
# value of an `or` chain (the first true operand, else the last one) and is
# used as a truth value by the combination checks that follow.

# Lokkit compatibility options.  a.trust and a.masq are listed twice; the
# repeat does not change the result.
options_lokkit = (
    a.enabled or a.disabled or a.addmodule or a.removemodule
    or a.trust or a.masq or a.custom_rules
    or a.service or a.remove_service or a.port
    or a.trust or a.masq or a.forward_port or a.block_icmp
)

# Options that must be used on their own.
options_standalone = (
    a.help or a.version
    or a.policy_server or a.policy_desktop
    or a.lockdown_on or a.lockdown_off or a.query_lockdown
    or a.get_default_zone or a.set_default_zone
    or a.get_log_denied or a.set_log_denied
    or a.get_automatic_helpers or a.set_automatic_helpers
)

# Description / short-name options; they are part of the zone, ipset,
# icmptype, service and helper groups below.
options_desc_xml_file = (
    a.set_description or a.get_description
    or a.set_short or a.get_short
)

# Lockdown whitelist options.  The uid options are compared with None, so a
# false value such as 0 still counts as given.
options_lockdown_whitelist = (
    a.list_lockdown_whitelist_commands or a.add_lockdown_whitelist_command
    or a.remove_lockdown_whitelist_command
    or a.query_lockdown_whitelist_command
    or a.list_lockdown_whitelist_contexts or a.add_lockdown_whitelist_context
    or a.remove_lockdown_whitelist_context
    or a.query_lockdown_whitelist_context
    or a.list_lockdown_whitelist_uids
    or (a.add_lockdown_whitelist_uid is not None)
    or (a.remove_lockdown_whitelist_uid is not None)
    or (a.query_lockdown_whitelist_uid is not None)
    or a.list_lockdown_whitelist_users or a.add_lockdown_whitelist_user
    or a.remove_lockdown_whitelist_user
    or a.query_lockdown_whitelist_user
)

options_config = (
    a.get_zones or a.get_services or a.get_icmptypes
    or options_lockdown_whitelist or a.list_all_zones
    or a.get_zone_of_interface or a.get_zone_of_source
    or a.info_zone or a.info_icmptype or a.info_service
    or a.info_ipset or a.get_ipsets or a.info_helper
    or a.get_helpers
)

# Zone options, in three sub-groups.
options_zone_action_action = (
    a.add_service or a.remove_service_from_zone or a.query_service
    or a.add_port or a.remove_port or a.query_port
    or a.add_protocol or a.remove_protocol or a.query_protocol
    or a.add_source_port or a.remove_source_port or a.query_source_port
    or a.add_icmp_block or a.remove_icmp_block or a.query_icmp_block
    or a.add_forward_port or a.remove_forward_port or a.query_forward_port
)

options_zone_interfaces_sources = (
    a.list_interfaces or a.change_interface
    or a.add_interface or a.remove_interface or a.query_interface
    or a.list_sources or a.change_source
    or a.add_source or a.remove_source or a.query_source
)

options_zone_adapt_query = (
    a.add_rich_rule or a.remove_rich_rule or a.query_rich_rule
    or a.add_masquerade or a.remove_masquerade or a.query_masquerade
    or a.list_services or a.list_ports or a.list_protocols
    or a.list_source_ports
    or a.list_icmp_blocks or a.list_forward_ports or a.list_rich_rules
    or a.add_icmp_block_inversion or a.remove_icmp_block_inversion
    or a.query_icmp_block_inversion
    or a.list_all or a.get_target or a.set_target
)

options_zone_ops = (
    options_zone_interfaces_sources
    or options_zone_action_action
    or options_zone_adapt_query
)

options_zone = a.zone or options_zone_ops or options_desc_xml_file

options_ipset = (
    a.add_entry or a.remove_entry or a.query_entry
    or a.get_entries or a.add_entries_from_file
    or a.remove_entries_from_file or options_desc_xml_file
)

options_icmptype = (
    a.add_destination or a.remove_destination
    or a.query_destination or a.get_destinations
    or options_desc_xml_file
)

# The service and helper groups share the port options (and others) with
# the zone group; options_permanent therefore counts them only together
# with a.service / a.helper.
options_service = (
    a.add_port or a.remove_port or a.query_port
    or a.get_ports
    or a.add_protocol or a.remove_protocol or a.query_protocol
    or a.get_protocols
    or a.add_source_port or a.remove_source_port
    or a.query_source_port or a.get_source_ports
    or a.add_module or a.remove_module or a.query_module
    or a.get_modules
    or a.set_destination or a.remove_destination
    or a.query_destination or a.get_destinations
    or options_desc_xml_file
    or a.add_include or a.remove_include or a.query_include
    or a.get_includes
    or a.add_helper or a.remove_helper or a.query_helper
    or a.get_service_helpers
)

options_helper = (
    a.add_port or a.remove_port or a.query_port
    or a.get_ports or a.set_module or a.get_module
    or a.set_family or a.get_family
    or options_desc_xml_file
)

options_permanent = (
    options_config or options_zone
    or a.new_icmptype or a.delete_icmptype
    or a.new_icmptype_from_file
    or a.load_icmptype_defaults
    or a.new_service or a.delete_service
    or a.new_service_from_file
    or a.load_service_defaults
    or a.new_zone or a.delete_zone
    or a.new_zone_from_file
    or a.load_zone_defaults
    or a.new_helper or a.delete_helper
    or a.new_helper_from_file
    or a.load_helper_defaults
    or a.new_ipset or a.delete_ipset
    or a.new_ipset_from_file
    or a.load_ipset_defaults
    or a.ipset or options_ipset
    or (a.icmptype and options_icmptype)
    or (a.service and options_service)
    or (a.helper and options_helper)
    or a.path_zone or a.path_icmptype or a.path_service
    or a.path_ipset or a.path_helper
)

options_direct = (
    a.add_chain or a.remove_chain or a.query_chain
    or a.get_chains or a.get_all_chains
    or a.add_rule or a.remove_rule or a.remove_rules or a.query_rule
    or a.get_rules or a.get_all_rules
    or a.add_passthrough or a.remove_passthrough or a.query_passthrough
    or a.get_passthroughs or a.get_all_passthroughs
)

# these are supposed to only write out some output
# NOTE(review): a.list_source_ports is not in this list although the other
# list_* options are - confirm whether that is intended.
options_list_get = (
    a.help or a.version or a.list_all or a.list_all_zones
    or a.list_lockdown_whitelist_commands
    or a.list_lockdown_whitelist_contexts
    or a.list_lockdown_whitelist_uids or a.list_lockdown_whitelist_users
    or a.list_services or a.list_ports or a.list_protocols
    or a.list_icmp_blocks
    or a.list_forward_ports or a.list_rich_rules or a.list_interfaces
    or a.list_sources or a.get_default_zone
    or a.get_zone_of_interface or a.get_zone_of_source or a.get_zones
    or a.get_services or a.get_icmptypes or a.get_target
    or a.info_zone or a.info_icmptype or a.info_service
    or a.info_ipset or a.get_ipsets or a.get_entries
    or a.info_helper or a.get_helpers
    or a.get_destinations or a.get_description
)
# Apply the output settings from the command line.
cmd.set_quiet(a.quiet)
cmd.set_verbose(a.verbose)

# Reject option combinations that cannot work together.  Every failure goes
# through cmd.fail(); most messages are prefixed with the parser's usage text.

# At least one option from some group has to be present.
if not (
    options_standalone or options_ipset
    or options_lokkit
    or options_icmptype or options_service or options_helper
    or options_permanent or options_direct or options_desc_xml_file
    or a.check_config
):
    cmd.fail(parser.format_usage() + "No option specified.")

# Lokkit options do not mix with the other groups, unless a.service is
# being used together with a service option.
if (
    options_lokkit
    and (options_standalone or options_permanent or options_direct)
    and not (options_service and a.service)
):
    cmd.fail(parser.format_usage() +
             "Can't use lokkit options with other options.")

if options_standalone and (
    options_permanent or options_direct or options_ipset
):
    cmd.fail(parser.format_usage() +
             "Can't use stand-alone options with other options.")

if options_ipset and not options_desc_xml_file and not a.ipset:
    cmd.fail(parser.format_usage() + "No ipset specified.")

if (
    (options_icmptype and not a.icmptype)
    and not (options_service and a.service)
    and not options_desc_xml_file
):
    cmd.fail(parser.format_usage() + "No icmptype specified.")

# a.service arrives as a sequence; exactly one entry is accepted here and
# a.service is replaced by that entry for the code that follows.
if options_service and a.service and len(a.service) > 0:
    if len(a.service) > 1:
        cmd.fail(parser.format_usage() + "More than one service specified.")
    # use the first entry in the array only
    a.service = a.service[0]

if (
    (options_helper and not a.helper)
    and not (options_service and a.service)
    and not options_zone
    and not options_desc_xml_file
):
    cmd.fail(parser.format_usage() + "No helper specified.")

if options_direct and options_zone:
    cmd.fail(parser.format_usage() +
             "Can't use 'direct' options with other options.")

# a.direct and the direct options have to be given together: fail when
# exactly one of the two is true.
if bool(a.direct) != bool(options_direct):
    cmd.fail(parser.format_usage() +
             "Wrong usage of 'direct' options.")

# a.name is only accepted next to one of the new_*_from_file options.
if a.name and not (
    a.new_zone_from_file or a.new_service_from_file
    or a.new_ipset_from_file or a.new_icmptype_from_file
    or a.new_helper_from_file
):
    cmd.fail(parser.format_usage() + "Wrong usage of '--name' option.")

if options_config and options_zone:
    cmd.fail(parser.format_usage() +
             "Wrong usage of --get-zones | --get-services | --get-icmptypes.")

if a.quiet and options_list_get:
    # it makes no sense to use --quiet with these options
    # Quiet mode is switched off first, before the failure is reported.
    a.quiet = False
    cmd.set_quiet(False)
    cmd.fail("-q/--quiet can't be used with this option(s)")
# The help request is answered before the root check.
if a.help:
    __usage()
    sys.exit(0)

# Everything from here on runs only after assert_root() (defined elsewhere
# in this file) has returned.
assert_root()

# Optional overrides of the configuration locations.  Both values are used
# exactly as given on the command line.
# NOTE(review): the overrides are applied after the root check, so the
# directories they name should not be writable by other users - confirm how
# config.set_*_config_paths() treats them.
if a.system_config:
    config.set_system_config_paths(a.system_config)
if a.default_config:
    config.set_default_config_paths(a.default_config)

# --check-config: start an offline Firewall, run check_config() on it and
# leave with status 0 when neither step reports an error.
if a.check_config:
    try:
        fw = Firewall(offline=True)
        fw.start()
        check_config(fw)
    except FirewallError as fw_error:
        # FirewallError carries its own exit code.
        cmd.print_and_exit("Configuration error: %s" % fw_error,
                           fw_error.code)
    except Exception as other_error:
        cmd.fail("Configuration error: %s" % other_error)
    sys.exit(0)

# Offline Firewall instance that the option handling below works on.
zone = a.zone
fw = Firewall(offline=True)
fw.start()
try:
|
|
Packit Service |
84cb3c |
# Lokkit Compatibility Options
|
|
Packit Service |
84cb3c |
if options_lokkit and not (options_service and a.service):
|
|
Packit Service |
84cb3c |
trusted_zone = "trusted"
|
|
Packit Service |
84cb3c |
default_zone = fw.get_default_zone()
|
|
Packit Service |
84cb3c |
fw_zone = fw.config.get_zone(default_zone)
|
|
Packit Service |
84cb3c |
fw_settings = FirewallClientZoneSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_zone_config(fw_zone)))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
if a.enabled:
|
|
Packit Service |
84cb3c |
# Enable firewall (default)
|
|
Packit Service |
84cb3c |
os.system("systemctl enable firewalld.service")
|
|
Packit Service |
84cb3c |
if a.disabled:
|
|
Packit Service |
84cb3c |
# Disable firewall
|
|
Packit Service |
84cb3c |
os.system("systemctl disable firewalld.service")
|
|
Packit Service |
84cb3c |
if a.addmodule:
|
|
Packit Service |
84cb3c |
for m in a.addmodule:
|
|
Packit Service |
84cb3c |
cmd.print_msg("Ignoring addmodule '%s'" % m)
|
|
Packit Service |
84cb3c |
if a.removemodule:
|
|
Packit Service |
84cb3c |
for m in a.removemodule:
|
|
Packit Service |
84cb3c |
cmd.print_msg("Ignoring removemodule '%s'" % m)
|
|
Packit Service |
84cb3c |
if a.custom_rules:
|
|
Packit Service |
84cb3c |
for c in a.custom_rules:
|
|
Packit Service |
84cb3c |
cmd.print_msg("Ignoring custom-rule '%s'" % c)
|
|
Packit Service |
84cb3c |
if a.service:
|
|
Packit Service |
84cb3c |
for s in a.service:
|
|
Packit Service |
84cb3c |
cmd.print_msg("Adding service '%s' to default zone." % s)
|
|
Packit Service |
84cb3c |
if not fw_settings.queryService(s):
|
|
Packit Service |
84cb3c |
fw_settings.addService(s)
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
cmd.print_msg("ALREADY_ENABLED: %s" % s)
|
|
Packit Service |
84cb3c |
if a.remove_service:
|
|
Packit Service |
84cb3c |
for s in a.remove_service:
|
|
Packit Service |
84cb3c |
cmd.print_msg("Removing service '%s' from default zone." % s)
|
|
Packit Service |
84cb3c |
if fw_settings.queryService(s):
|
|
Packit Service |
84cb3c |
fw_settings.removeService(s)
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
cmd.print_msg("NOT_ENABLED: %s" % s)
|
|
Packit Service |
84cb3c |
if a.port:
|
|
Packit Service |
84cb3c |
for port_proto in a.port:
|
|
Packit Service |
84cb3c |
(port, proto) = parse_port_lokkit(port_proto)
|
|
Packit Service |
84cb3c |
cmd.print_msg("Adding port '%s/%s' to default zone." % (port, proto))
|
|
Packit Service |
84cb3c |
if not fw_settings.queryPort(port, proto):
|
|
Packit Service |
84cb3c |
fw_settings.addPort(port, proto)
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
cmd.print_msg("ALREADY_ENABLED: %s" % port_proto)
|
|
Packit Service |
84cb3c |
if a.trust:
|
|
Packit Service |
84cb3c |
if default_zone != trusted_zone:
|
|
Packit Service |
84cb3c |
fw_trusted = fw.config.get_zone("trusted")
|
|
Packit Service |
84cb3c |
fw_trusted_settings = FirewallClientZoneSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_zone_config(fw_trusted)))
|
|
Packit Service |
84cb3c |
# Bind an interface to the trusted zone
|
|
Packit Service |
84cb3c |
for i in a.trust:
|
|
Packit Service |
84cb3c |
cmd.print_msg("Interface '%s' will be bound to zone '%s'." % \
|
|
Packit Service |
84cb3c |
(i, trusted_zone))
|
|
Packit Service |
84cb3c |
if not fw_trusted_settings.queryInterface(i):
|
|
Packit Service |
84cb3c |
fw_trusted_settings.addInterface(i)
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
cmd.print_msg("ALREADY_ENABLED: %s" % i)
|
|
Packit Service |
84cb3c |
fw.config.set_zone_config(fw_trusted, fw_trusted_settings.settings)
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
for i in a.trust:
|
|
Packit Service |
84cb3c |
cmd.print_msg("Interface '%s' will be bound to zone '%s'." % \
|
|
Packit Service |
84cb3c |
(i, trusted_zone))
|
|
Packit Service |
84cb3c |
if not fw_settings.queryInterface(i):
|
|
Packit Service |
84cb3c |
fw_settings.addInterface(i)
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
cmd.print_msg("ALREADY_ENABLED: %s" % i)
|
|
Packit Service |
84cb3c |
if a.masq:
|
|
Packit Service |
84cb3c |
# Enables masquerading in the default zone, interface argument is ignored
|
|
Packit Service |
84cb3c |
cmd.print_msg("Enabling masquerade for the default zone.")
|
|
Packit Service |
84cb3c |
fw_settings.setMasquerade(True)
|
|
Packit Service |
84cb3c |
if a.forward_port:
|
|
Packit Service |
84cb3c |
for fp in a.forward_port:
|
|
Packit Service |
84cb3c |
(port, protocol, toport, toaddr) = cmd.parse_forward_port(
|
|
Packit Service |
84cb3c |
fp, compat=True)
|
|
Packit Service |
84cb3c |
cmd.print_msg("Adding forward port %s:%s:%s:%s to default zone." % \
|
|
Packit Service |
84cb3c |
(port, protocol, toport, toaddr))
|
|
Packit Service |
84cb3c |
if not fw_settings.queryForwardPort(port, protocol, toport,
|
|
Packit Service |
84cb3c |
toaddr):
|
|
Packit Service |
84cb3c |
fw_settings.addForwardPort(port, protocol, toport, toaddr)
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
cmd.print_msg("ALREADY_ENABLED: %s" % fp)
|
|
Packit Service |
84cb3c |
if a.block_icmp:
|
|
Packit Service |
84cb3c |
for ib in a.block_icmp:
|
|
Packit Service |
84cb3c |
cmd.print_msg("Adding icmpblock '%s' to default zone." % ib)
|
|
Packit Service |
84cb3c |
if not fw_settings.queryIcmpBlock(ib):
|
|
Packit Service |
84cb3c |
fw_settings.addIcmpBlock(ib)
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
cmd.print_msg("ALREADY_ENABLED: %s" % ib)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
fw.config.set_zone_config(fw_zone, fw_settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.version:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(config.VERSION)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_log_denied:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(fw.get_log_denied())
|
|
Packit Service |
84cb3c |
elif a.set_log_denied:
|
|
Packit Service |
84cb3c |
fw.set_log_denied(a.set_log_denied)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_automatic_helpers:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(fw.get_automatic_helpers())
|
|
Packit Service |
84cb3c |
elif a.set_automatic_helpers:
|
|
Packit Service |
84cb3c |
fw.set_automatic_helpers(a.set_automatic_helpers)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.policy_server:
|
|
Packit Service |
84cb3c |
pk_symlink('server')
|
|
Packit Service |
84cb3c |
elif a.policy_desktop:
|
|
Packit Service |
84cb3c |
pk_symlink('desktop')
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
# options from firewall-cmd
|
|
Packit Service |
84cb3c |
elif a.get_default_zone:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(fw.get_default_zone())
|
|
Packit Service |
84cb3c |
elif a.set_default_zone:
|
|
Packit Service |
84cb3c |
fw.set_default_zone(a.set_default_zone)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
# lockdown
|
|
Packit Service |
84cb3c |
elif a.lockdown_on:
|
|
Packit Service |
84cb3c |
fw.enable_lockdown()
|
|
Packit Service |
84cb3c |
elif a.lockdown_off:
|
|
Packit Service |
84cb3c |
fw.disable_lockdown()
|
|
Packit Service |
84cb3c |
elif a.query_lockdown:
|
|
Packit Service |
84cb3c |
cmd.print_query_result(fw.policies.query_lockdown())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
# zones
|
|
Packit Service |
84cb3c |
elif a.get_zones:
|
|
Packit Service |
84cb3c |
zones = fw.config.get_zones()
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(" ".join(zones))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.new_zone:
|
|
Packit Service |
84cb3c |
fw.config.new_zone(a.new_zone, FirewallClientZoneSettings().settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.new_zone_from_file:
|
|
Packit Service |
84cb3c |
filename = os.path.basename(a.new_zone_from_file)
|
|
Packit Service |
84cb3c |
dirname = os.path.dirname(a.new_zone_from_file)
|
|
Packit Service |
84cb3c |
if dirname == "":
|
|
Packit Service |
84cb3c |
dirname = "./"
|
|
Packit Service |
84cb3c |
try:
|
|
Packit Service |
84cb3c |
obj = zone_reader(filename, dirname)
|
|
Packit Service |
84cb3c |
except FirewallError as msg:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("Failed to load zone file '%s': %s" % \
|
|
Packit Service |
84cb3c |
(a.new_zone_from_file, msg), msg.code)
|
|
Packit Service |
84cb3c |
except IOError as msg:
|
|
Packit Service |
84cb3c |
cmd.fail("Failed to load zone file: %s" % msg)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
if a.name:
|
|
Packit Service |
84cb3c |
obj.name = a.name
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
fw.config.new_zone(obj.name, obj.export_config())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.delete_zone:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_zone(a.delete_zone)
|
|
Packit Service |
84cb3c |
fw.config.remove_zone(obj)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.load_zone_defaults:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_zone(a.load_zone_defaults)
|
|
Packit Service |
84cb3c |
fw.config.load_zone_defaults(obj)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.info_zone:
|
|
Packit Service |
84cb3c |
zone = fw.config.get_zone(a.info_zone)
|
|
Packit Service |
84cb3c |
settings = FirewallClientZoneSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_zone_config(zone)))
|
|
Packit Service |
84cb3c |
cmd.print_zone_info(a.info_zone, settings, True)
|
|
Packit Service |
84cb3c |
sys.exit(0)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.path_zone:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_zone(a.path_zone)
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("%s/%s" % (obj.path, obj.filename))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
# services
|
|
Packit Service |
84cb3c |
elif a.get_services:
|
|
Packit Service |
84cb3c |
services = fw.config.get_services()
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(" ".join(services))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.new_service:
|
|
Packit Service |
84cb3c |
fw.config.new_service_dict(a.new_service,
|
|
Packit Service |
84cb3c |
FirewallClientServiceSettings().getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.new_service_from_file:
|
|
Packit Service |
84cb3c |
filename = os.path.basename(a.new_service_from_file)
|
|
Packit Service |
84cb3c |
dirname = os.path.dirname(a.new_service_from_file)
|
|
Packit Service |
84cb3c |
if dirname == "":
|
|
Packit Service |
84cb3c |
dirname = "./"
|
|
Packit Service |
84cb3c |
try:
|
|
Packit Service |
84cb3c |
obj = service_reader(filename, dirname)
|
|
Packit Service |
84cb3c |
except FirewallError as msg:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("Failed to load service file '%s': %s" % \
|
|
Packit Service |
84cb3c |
(a.new_service_from_file, msg), msg.code)
|
|
Packit Service |
84cb3c |
except IOError as msg:
|
|
Packit Service |
84cb3c |
cmd.fail("Failed to load service file: %s" % msg)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
if a.name:
|
|
Packit Service |
84cb3c |
obj.name = a.name
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
fw.config.new_service(obj.name, obj.export_config())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.delete_service:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_service(a.delete_service)
|
|
Packit Service |
84cb3c |
fw.config.remove_service(obj)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
# remove service from all zones
|
|
Packit Service |
84cb3c |
zones = fw.config.get_zones()
|
|
Packit Service |
84cb3c |
for zone in zones:
|
|
Packit Service |
84cb3c |
_zone = fw.config.get_zone(zone)
|
|
Packit Service |
84cb3c |
_settings = FirewallClientZoneSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_zone_config(_zone)))
|
|
Packit Service |
84cb3c |
if _settings.queryService(a.delete_service):
|
|
Packit Service |
84cb3c |
_settings.removeService(a.delete_service)
|
|
Packit Service |
84cb3c |
fw.config.set_zone_config(_zone, _settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.load_service_defaults:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_service(a.load_service_defaults)
|
|
Packit Service |
84cb3c |
fw.config.load_service_defaults(obj)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.info_service:
|
|
Packit Service |
84cb3c |
service = fw.config.get_service(a.info_service)
|
|
Packit Service |
84cb3c |
settings = FirewallClientServiceSettings(
|
|
Packit Service |
84cb3c |
fw.config.get_service_config_dict(service))
|
|
Packit Service |
84cb3c |
cmd.print_service_info(a.info_service, settings)
|
|
Packit Service |
84cb3c |
sys.exit(0)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.path_service:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_service(a.path_service)
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("%s/%s" % (obj.path, obj.filename))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
# icmptypes
|
|
Packit Service |
84cb3c |
elif a.get_icmptypes:
|
|
Packit Service |
84cb3c |
icmptypes = fw.config.get_icmptypes()
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(" ".join(icmptypes))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.new_icmptype:
|
|
Packit Service |
84cb3c |
fw.config.new_icmptype(a.new_icmptype,
|
|
Packit Service |
84cb3c |
FirewallClientIcmpTypeSettings().settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.new_icmptype_from_file:
|
|
Packit Service |
84cb3c |
filename = os.path.basename(a.new_icmptype_from_file)
|
|
Packit Service |
84cb3c |
dirname = os.path.dirname(a.new_icmptype_from_file)
|
|
Packit Service |
84cb3c |
if dirname == "":
|
|
Packit Service |
84cb3c |
dirname = "./"
|
|
Packit Service |
84cb3c |
try:
|
|
Packit Service |
84cb3c |
obj = icmptype_reader(filename, dirname)
|
|
Packit Service |
84cb3c |
except FirewallError as msg:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("Failed to load icmptype file '%s': %s" % \
|
|
Packit Service |
84cb3c |
(a.new_icmptype_from_file, msg), msg.code)
|
|
Packit Service |
84cb3c |
except IOError as msg:
|
|
Packit Service |
84cb3c |
cmd.fail("Failed to load icmptype file: %s" % msg)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
if a.name:
|
|
Packit Service |
84cb3c |
obj.name = a.name
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
fw.config.new_icmptype(obj.name, obj.export_config())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.delete_icmptype:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_icmptype(a.delete_icmptype)
|
|
Packit Service |
84cb3c |
fw.config.remove_icmptype(obj)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
# remove the deleted icmptype from the ICMP blocks of all zones
|
|
Packit Service |
84cb3c |
zones = fw.config.get_zones()
|
|
Packit Service |
84cb3c |
for zone in zones:
|
|
Packit Service |
84cb3c |
_zone = fw.config.get_zone(zone)
|
|
Packit Service |
84cb3c |
_settings = FirewallClientZoneSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_zone_config(_zone)))
|
|
Packit Service |
84cb3c |
if _settings.queryIcmpBlock(a.delete_icmptype):
|
|
Packit Service |
84cb3c |
_settings.removeIcmpBlock(a.delete_icmptype)
|
|
Packit Service |
84cb3c |
fw.config.set_zone_config(_zone, _settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.load_icmptype_defaults:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_icmptype(a.load_icmptype_defaults)
|
|
Packit Service |
84cb3c |
fw.config.load_icmptype_defaults(obj)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.info_icmptype:
|
|
Packit Service |
84cb3c |
icmptype = fw.config.get_icmptype(a.info_icmptype)
|
|
Packit Service |
84cb3c |
settings = FirewallClientIcmpTypeSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_icmptype_config(icmptype)))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
cmd.print_icmptype_info(a.info_icmptype, settings)
|
|
Packit Service |
84cb3c |
sys.exit(0)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.path_icmptype:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_icmptype(a.path_icmptype)
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("%s/%s" % (obj.path, obj.filename))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.icmptype and options_icmptype:
|
|
Packit Service |
84cb3c |
icmptype = fw.config.get_icmptype(a.icmptype)
|
|
Packit Service |
84cb3c |
settings = FirewallClientIcmpTypeSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_icmptype_config(icmptype)))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
if a.add_destination:
|
|
Packit Service |
84cb3c |
cmd.add_sequence(a.add_destination, settings.addDestination,
|
|
Packit Service |
84cb3c |
settings.queryDestination,
|
|
Packit Service |
84cb3c |
cmd.check_destination_ipv, "'%s'")
|
|
Packit Service |
84cb3c |
fw.config.set_icmptype_config(icmptype, settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.remove_destination:
|
|
Packit Service |
84cb3c |
cmd.remove_sequence(a.remove_destination,
|
|
Packit Service |
84cb3c |
settings.removeDestination,
|
|
Packit Service |
84cb3c |
settings.queryDestination,
|
|
Packit Service |
84cb3c |
cmd.check_destination_ipv, "'%s'")
|
|
Packit Service |
84cb3c |
fw.config.set_icmptype_config(icmptype, settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.query_destination:
|
|
Packit Service |
84cb3c |
cmd.query_sequence(a.query_destination, settings.queryDestination,
|
|
Packit Service |
84cb3c |
cmd.check_destination_ipv , "'%s'")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_destinations:
|
|
Packit Service |
84cb3c |
l = settings.getDestinations()
|
|
Packit Service |
84cb3c |
if len(l) == 0:
|
|
Packit Service |
84cb3c |
l = [ "ipv4", "ipv6" ]
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("\n".join(l))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.set_description:
|
|
Packit Service |
84cb3c |
settings.setDescription(a.set_description)
|
|
Packit Service |
84cb3c |
fw.config.set_icmptype_config(icmptype, settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_description:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(settings.getDescription())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.set_short:
|
|
Packit Service |
84cb3c |
settings.setShort(a.set_short)
|
|
Packit Service |
84cb3c |
fw.config.set_icmptype_config(icmptype, settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_short:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(settings.getShort())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
cmd.fail(parser.format_usage() + "Unknown option")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("success")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.service and options_service:
|
|
Packit Service |
84cb3c |
service = fw.config.get_service(a.service)
|
|
Packit Service |
84cb3c |
settings = FirewallClientServiceSettings(
|
|
Packit Service |
84cb3c |
fw.config.get_service_config_dict(service))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
if a.add_port:
|
|
Packit Service |
84cb3c |
cmd.add_sequence(a.add_port, settings.addPort,
|
|
Packit Service |
84cb3c |
settings.queryPort, cmd.parse_port, "%s/%s")
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.remove_port:
|
|
Packit Service |
84cb3c |
cmd.remove_sequence(a.remove_port, settings.removePort,
|
|
Packit Service |
84cb3c |
settings.queryPort, cmd.parse_port, "%s/%s")
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.query_port:
|
|
Packit Service |
84cb3c |
cmd.query_sequence(a.query_port, settings.queryPort,
|
|
Packit Service |
84cb3c |
cmd.parse_port, "%s/%s")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_ports:
|
|
Packit Service |
84cb3c |
l = settings.getPorts()
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.add_protocol:
|
|
Packit Service |
84cb3c |
cmd.add_sequence(a.add_protocol, settings.addProtocol,
|
|
Packit Service |
84cb3c |
settings.queryProtocol, None, "'%s'")
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.remove_protocol:
|
|
Packit Service |
84cb3c |
cmd.remove_sequence(a.remove_protocol, settings.removeProtocol,
|
|
Packit Service |
84cb3c |
settings.queryProtocol, None, "'%s'")
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.query_protocol:
|
|
Packit Service |
84cb3c |
cmd.query_sequence(a.query_protocol, settings.queryProtocol,
|
|
Packit Service |
84cb3c |
None, "'%s'")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_protocols:
|
|
Packit Service |
84cb3c |
l = settings.getProtocols()
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(" ".join(["%s" % protocol for protocol in l]))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.add_source_port:
|
|
Packit Service |
84cb3c |
cmd.add_sequence(a.add_source_port, settings.addSourcePort,
|
|
Packit Service |
84cb3c |
settings.querySourcePort, cmd.parse_port, "%s/%s")
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.remove_source_port:
|
|
Packit Service |
84cb3c |
cmd.remove_sequence(a.remove_source_port, settings.removeSourcePort,
|
|
Packit Service |
84cb3c |
settings.querySourcePort, cmd.parse_port,
|
|
Packit Service |
84cb3c |
"%s/%s")
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.query_source_port:
|
|
Packit Service |
84cb3c |
cmd.query_sequence(a.query_source_port, settings.querySourcePort,
|
|
Packit Service |
84cb3c |
cmd.parse_port, "%s/%s")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_source_ports:
|
|
Packit Service |
84cb3c |
l = settings.getSourcePorts()
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.add_module:
|
|
Packit Service |
84cb3c |
cmd.add_sequence(a.add_module, settings.addModule,
|
|
Packit Service |
84cb3c |
settings.queryModule, None, "'%s'")
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.remove_module:
|
|
Packit Service |
84cb3c |
cmd.remove_sequence(a.remove_module, settings.removeModule,
|
|
Packit Service |
84cb3c |
settings.queryModule, None, "'%s'")
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.query_module:
|
|
Packit Service |
84cb3c |
cmd.query_sequence(a.query_module, settings.queryModule,
|
|
Packit Service |
84cb3c |
None, "'%s'")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_modules:
|
|
Packit Service |
84cb3c |
l = settings.getModules()
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(" ".join(["%s" % module for module in l]))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.set_destination:
|
|
Packit Service |
84cb3c |
cmd.add_sequence(a.set_destination, settings.setDestination,
|
|
Packit Service |
84cb3c |
settings.queryDestination,
|
|
Packit Service |
84cb3c |
cmd.parse_service_destination, "%s:%s")
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.remove_destination:
|
|
Packit Service |
84cb3c |
# special case for removeDestination: it takes only the IP version (ipv), not an address
|
|
Packit Service |
84cb3c |
for ipv in a.remove_destination:
|
|
Packit Service |
84cb3c |
cmd.check_destination_ipv(ipv)
|
|
Packit Service |
84cb3c |
if ipv not in settings.getDestinations():
|
|
Packit Service |
84cb3c |
if len(a.remove_destination) > 1:
|
|
Packit Service |
84cb3c |
cmd.print_warning("Warning: NOT_ENABLED: '%s'" % ipv)
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
code = FirewallError.get_code("NOT_ENABLED")
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("Error: NOT_ENABLED: '%s'" % ipv,
|
|
Packit Service |
84cb3c |
code)
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
settings.removeDestination(ipv)
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.query_destination:
|
|
Packit Service |
84cb3c |
cmd.query_sequence(a.query_destination, settings.queryDestination,
|
|
Packit Service |
84cb3c |
cmd.parse_service_destination, "'%s'")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_destinations:
|
|
Packit Service |
84cb3c |
l = settings.getDestinations()
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(" ".join(["%s:%s" % (dest[0], dest[1]) for dest in l.items()]))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.add_include:
|
|
Packit Service |
84cb3c |
cmd.add_sequence(a.add_include, settings.addInclude,
|
|
Packit Service |
84cb3c |
settings.queryInclude, None, "'%s'")
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.remove_include:
|
|
Packit Service |
84cb3c |
cmd.remove_sequence(a.remove_include, settings.removeInclude,
|
|
Packit Service |
84cb3c |
settings.queryInclude, None, "'%s'")
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.query_include:
|
|
Packit Service |
84cb3c |
cmd.query_sequence(a.query_include, settings.queryInclude,
|
|
Packit Service |
84cb3c |
None, "'%s'")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_includes:
|
|
Packit Service |
84cb3c |
l = settings.getIncludes()
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(" ".join(["%s" % include for include in sorted(l)]))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.add_helper:
|
|
Packit Service |
84cb3c |
cmd.add_sequence(a.add_helper, settings.addHelper,
|
|
Packit Service |
84cb3c |
settings.queryHelper, None, "'%s'")
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.remove_helper:
|
|
Packit Service |
84cb3c |
cmd.remove_sequence(a.remove_helper, settings.removeHelper,
|
|
Packit Service |
84cb3c |
settings.queryHelper, None, "'%s'")
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.query_helper:
|
|
Packit Service |
84cb3c |
cmd.query_sequence(a.query_helper, settings.queryHelper,
|
|
Packit Service |
84cb3c |
None, "'%s'")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_service_helpers:
|
|
Packit Service |
84cb3c |
l = settings.getHelpers()
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(" ".join(["%s" % helper for helper in sorted(l)]))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.set_description:
|
|
Packit Service |
84cb3c |
settings.setDescription(a.set_description)
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_description:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(settings.getDescription())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.set_short:
|
|
Packit Service |
84cb3c |
settings.setShort(a.set_short)
|
|
Packit Service |
84cb3c |
fw.config.set_service_config_dict(service, settings.getSettingsDict())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_short:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(settings.getShort())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
cmd.fail(parser.format_usage() + "Unknown option")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("success")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
# ipsets
|
|
Packit Service |
84cb3c |
if a.get_ipsets:
|
|
Packit Service |
84cb3c |
ipsets = fw.config.get_ipsets()
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(" ".join(sorted(ipsets)))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.new_ipset:
|
|
Packit Service |
84cb3c |
if not a.type:
|
|
Packit Service |
84cb3c |
cmd.fail(parser.format_usage() + "No type specified.")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
f3d363 |
if a.type=='hash:mac' and a.family:
|
|
Packit Service |
f3d363 |
cmd.fail(parser.format_usage() + "--family is not compatible with the hash:mac type")
|
|
Packit Service |
f3d363 |
|
|
Packit Service |
84cb3c |
settings = FirewallClientIPSetSettings()
|
|
Packit Service |
84cb3c |
settings.setType(a.type)
|
|
Packit Service |
84cb3c |
if a.option:
|
|
Packit Service |
84cb3c |
for opt in a.option:
|
|
Packit Service |
84cb3c |
settings.addOption(*cmd.parse_ipset_option(opt))
|
|
Packit Service |
84cb3c |
fw.config.new_ipset(a.new_ipset, settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.new_ipset_from_file:
|
|
Packit Service |
84cb3c |
filename = os.path.basename(a.new_ipset_from_file)
|
|
Packit Service |
84cb3c |
dirname = os.path.dirname(a.new_ipset_from_file)
|
|
Packit Service |
84cb3c |
if dirname == "":
|
|
Packit Service |
84cb3c |
dirname = "./"
|
|
Packit Service |
84cb3c |
try:
|
|
Packit Service |
84cb3c |
obj = ipset_reader(filename, dirname)
|
|
Packit Service |
84cb3c |
except FirewallError as msg:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("Failed to load ipset file '%s': %s" % \
|
|
Packit Service |
84cb3c |
(a.new_ipset_from_file, msg), msg.code)
|
|
Packit Service |
84cb3c |
except IOError as msg:
|
|
Packit Service |
84cb3c |
cmd.fail("Failed to load ipset file: %s" % msg)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
if a.name:
|
|
Packit Service |
84cb3c |
obj.name = a.name
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
fw.config.new_ipset(obj.name, obj.export_config())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.delete_ipset:
|
|
Packit Service |
84cb3c |
ipset = fw.config.get_ipset(a.delete_ipset)
|
|
Packit Service |
84cb3c |
fw.config.remove_ipset(ipset)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.load_ipset_defaults:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_ipset(a.load_ipset_defaults)
|
|
Packit Service |
84cb3c |
fw.config.load_ipset_defaults(obj)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.info_ipset:
|
|
Packit Service |
84cb3c |
ipset = fw.config.get_ipset(a.info_ipset)
|
|
Packit Service |
84cb3c |
settings = FirewallClientIPSetSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_ipset_config(ipset)))
|
|
Packit Service |
84cb3c |
cmd.print_ipset_info(a.info_ipset, settings)
|
|
Packit Service |
84cb3c |
sys.exit(0)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.path_ipset:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_ipset(a.path_ipset)
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("%s/%s" % (obj.path, obj.filename))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.ipset:
|
|
Packit Service |
84cb3c |
if a.add_entry:
|
|
Packit Service |
84cb3c |
ipset = fw.config.get_ipset(a.ipset)
|
|
Packit Service |
84cb3c |
settings = FirewallClientIPSetSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_ipset_config(ipset)))
|
|
Packit Service |
84cb3c |
cmd.add_sequence(a.add_entry, settings.addEntry,
|
|
Packit Service |
84cb3c |
settings.queryEntry, None, "'%s'")
|
|
Packit Service |
84cb3c |
fw.config.set_ipset_config(ipset, settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.remove_entry:
|
|
Packit Service |
84cb3c |
ipset = fw.config.get_ipset(a.ipset)
|
|
Packit Service |
84cb3c |
settings = FirewallClientIPSetSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_ipset_config(ipset)))
|
|
Packit Service |
84cb3c |
cmd.remove_sequence(a.remove_entry, settings.removeEntry,
|
|
Packit Service |
84cb3c |
settings.queryEntry, None, "'%s'")
|
|
Packit Service |
84cb3c |
fw.config.set_ipset_config(ipset, settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.query_entry:
|
|
Packit Service |
84cb3c |
ipset = fw.config.get_ipset(a.ipset)
|
|
Packit Service |
84cb3c |
settings = FirewallClientIPSetSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_ipset_config(ipset)))
|
|
Packit Service |
84cb3c |
cmd.query_sequence(a.query_entry, settings.queryEntry, None, "'%s'")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_entries:
|
|
Packit Service |
84cb3c |
ipset = fw.config.get_ipset(a.ipset)
|
|
Packit Service |
84cb3c |
settings = FirewallClientIPSetSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_ipset_config(ipset)))
|
|
Packit Service |
84cb3c |
l = settings.getEntries()
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("\n".join(l))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.add_entries_from_file:
|
|
Packit Service |
84cb3c |
ipset = fw.config.get_ipset(a.ipset)
|
|
Packit Service |
84cb3c |
settings = FirewallClientIPSetSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_ipset_config(ipset)))
|
|
Packit Service |
84cb3c |
changed = False
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
for filename in a.add_entries_from_file:
|
|
Packit Service |
84cb3c |
try:
|
|
Packit Service |
84cb3c |
entries = cmd.get_ipset_entries_from_file(filename)
|
|
Packit Service |
84cb3c |
except IOError as msg:
|
|
Packit Service |
84cb3c |
message = "Failed to read file '%s': %s" % (filename,
|
|
Packit Service |
84cb3c |
msg)
|
|
Packit Service |
84cb3c |
if len(a.add_entries_from_file) > 1:
|
|
Packit Service |
84cb3c |
cmd.print_warning(message)
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(message)
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
old_entries = settings.getEntries()
|
|
Packit Service |
84cb3c |
entries_set = set()
|
|
Packit Service |
84cb3c |
for entry in old_entries:
|
|
Packit Service |
84cb3c |
entries_set.add(entry)
|
|
Packit Service |
84cb3c |
for entry in entries:
|
|
Packit Service |
84cb3c |
if entry not in entries_set:
|
|
Packit Service |
84cb3c |
old_entries.append(entry)
|
|
Packit Service |
84cb3c |
entries_set.add(entry)
|
|
Packit Service |
84cb3c |
changed = True
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
cmd.print_if_verbose(
|
|
Packit Service |
84cb3c |
"Warning: ALREADY_ENABLED: %s" % entry)
|
|
Packit Service |
84cb3c |
if changed:
|
|
Packit Service |
84cb3c |
settings.setEntries(old_entries)
|
|
Packit Service |
84cb3c |
if changed:
|
|
Packit Service |
84cb3c |
fw.config.set_ipset_config(ipset, settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.remove_entries_from_file:
|
|
Packit Service |
84cb3c |
ipset = fw.config.get_ipset(a.ipset)
|
|
Packit Service |
84cb3c |
settings = FirewallClientIPSetSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_ipset_config(ipset)))
|
|
Packit Service |
84cb3c |
changed = False
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
for filename in a.remove_entries_from_file:
|
|
Packit Service |
84cb3c |
try:
|
|
Packit Service |
84cb3c |
entries = cmd.get_ipset_entries_from_file(filename)
|
|
Packit Service |
84cb3c |
except IOError as msg:
|
|
Packit Service |
84cb3c |
message = "Failed to read file '%s': %s" % (filename, msg)
|
|
Packit Service |
84cb3c |
if len(a.remove_entries_from_file) > 1:
|
|
Packit Service |
84cb3c |
cmd.print_warning(message)
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(message)
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
old_entries = settings.getEntries()
|
|
Packit Service |
84cb3c |
entries_set = set()
|
|
Packit Service |
84cb3c |
for entry in old_entries:
|
|
Packit Service |
84cb3c |
entries_set.add(entry)
|
|
Packit Service |
84cb3c |
for entry in entries:
|
|
Packit Service |
84cb3c |
if entry in entries_set:
|
|
Packit Service |
84cb3c |
old_entries.remove(entry)
|
|
Packit Service |
84cb3c |
entries_set.discard(entry)
|
|
Packit Service |
84cb3c |
changed = True
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
cmd.print_if_verbose("Warning: NOT_ENABLED: %s" % \
|
|
Packit Service |
84cb3c |
entry)
|
|
Packit Service |
84cb3c |
if changed:
|
|
Packit Service |
84cb3c |
settings.setEntries(old_entries)
|
|
Packit Service |
84cb3c |
if changed:
|
|
Packit Service |
84cb3c |
fw.config.set_ipset_config(ipset, settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.set_description:
|
|
Packit Service |
84cb3c |
ipset = fw.config.get_ipset(a.ipset)
|
|
Packit Service |
84cb3c |
settings = FirewallClientIPSetSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_ipset_config(ipset)))
|
|
Packit Service |
84cb3c |
settings.setDescription(a.set_description)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
fw.config.set_ipset_config(ipset, settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_description:
|
|
Packit Service |
84cb3c |
ipset = fw.config.get_ipset(a.ipset)
|
|
Packit Service |
84cb3c |
settings = FirewallClientIPSetSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_ipset_config(ipset)))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(settings.getDescription())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.set_short:
|
|
Packit Service |
84cb3c |
ipset = fw.config.get_ipset(a.ipset)
|
|
Packit Service |
84cb3c |
settings = FirewallClientIPSetSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_ipset_config(ipset)))
|
|
Packit Service |
84cb3c |
settings.setShort(a.set_short)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
fw.config.set_ipset_config(ipset, settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_short:
|
|
Packit Service |
84cb3c |
ipset = fw.config.get_ipset(a.ipset)
|
|
Packit Service |
84cb3c |
settings = FirewallClientIPSetSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_ipset_config(ipset)))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(settings.getShort())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
else:
|
|
Packit Service |
84cb3c |
cmd.fail(parser.format_usage() + "Unknown option")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("success")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
# helper
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_helpers:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(" ".join(sorted(fw.config.get_helpers())))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.new_helper:
|
|
Packit Service |
84cb3c |
if not a.module:
|
|
Packit Service |
84cb3c |
cmd.fail(parser.format_usage() + "No module specified.")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
settings = FirewallClientHelperSettings()
|
|
Packit Service |
84cb3c |
settings.setModule(a.module)
|
|
Packit Service |
84cb3c |
if a.family:
|
|
Packit Service |
84cb3c |
settings.setFamily(a.family)
|
|
Packit Service |
84cb3c |
fw.config.new_helper(a.new_helper, settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.new_helper_from_file:
|
|
Packit Service |
84cb3c |
filename = os.path.basename(a.new_helper_from_file)
|
|
Packit Service |
84cb3c |
dirname = os.path.dirname(a.new_helper_from_file)
|
|
Packit Service |
84cb3c |
if dirname == "":
|
|
Packit Service |
84cb3c |
dirname = "./"
|
|
Packit Service |
84cb3c |
try:
|
|
Packit Service |
84cb3c |
obj = helper_reader(filename, dirname)
|
|
Packit Service |
84cb3c |
except FirewallError as msg:
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("Failed to load helper file '%s': %s" % \
|
|
Packit Service |
84cb3c |
(a.new_helper_from_file, msg), msg.code)
|
|
Packit Service |
84cb3c |
except IOError as msg:
|
|
Packit Service |
84cb3c |
cmd.fail("Failed to load helper file: %s" % msg)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
if a.name:
|
|
Packit Service |
84cb3c |
obj.name = a.name
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
fw.config.new_helper(obj.name, obj.export_config())
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.delete_helper:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_helper(a.delete_helper)
|
|
Packit Service |
84cb3c |
fw.config.remove_helper(obj)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.load_helper_defaults:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_helper(a.load_helper_defaults)
|
|
Packit Service |
84cb3c |
fw.config.load_helper_defaults(obj)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.info_helper:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_helper(a.info_helper)
|
|
Packit Service |
84cb3c |
settings = FirewallClientHelperSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_helper_config(obj)))
|
|
Packit Service |
84cb3c |
cmd.print_helper_info(a.info_helper, settings)
|
|
Packit Service |
84cb3c |
sys.exit(0)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.path_helper:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_helper(a.path_helper)
|
|
Packit Service |
84cb3c |
cmd.print_and_exit("%s/%s" % (obj.path, obj.filename))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.helper:
|
|
Packit Service |
84cb3c |
obj = fw.config.get_helper(a.helper)
|
|
Packit Service |
84cb3c |
settings = FirewallClientHelperSettings(
|
|
Packit Service |
84cb3c |
list(fw.config.get_helper_config(obj)))
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
if a.add_port:
|
|
Packit Service |
84cb3c |
cmd.add_sequence(a.add_port, settings.addPort,
|
|
Packit Service |
84cb3c |
settings.queryPort, cmd.parse_port, "%s/%s")
|
|
Packit Service |
84cb3c |
fw.config.set_helper_config(obj, settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.remove_port:
|
|
Packit Service |
84cb3c |
cmd.remove_sequence(a.remove_port, settings.removePort,
|
|
Packit Service |
84cb3c |
settings.queryPort, cmd.parse_port, "%s/%s")
|
|
Packit Service |
84cb3c |
fw.config.set_helper_config(obj, settings.settings)
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.query_port:
|
|
Packit Service |
84cb3c |
cmd.query_sequence(a.query_port, settings.queryPort,
|
|
Packit Service |
84cb3c |
cmd.parse_port, "%s/%s")
|
|
Packit Service |
84cb3c |
|
|
Packit Service |
84cb3c |
elif a.get_ports:
|
|
Packit Service |
84cb3c |
l = settings.getPorts()
|
|
Packit Service |
84cb3c |
cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
elif a.get_module:
cmd.print_and_exit(settings.getModule())
elif a.set_module:
settings.setModule(cmd.check_module(a.set_module))
fw.config.set_helper_config(obj, settings.settings)
elif a.get_family:
cmd.print_and_exit(settings.getFamily())
elif a.set_family:
settings.setFamily(cmd.check_helper_family(a.set_family[0]))
fw.config.set_helper_config(obj, settings.settings)
elif a.set_description:
settings.setDescription(a.set_description)
fw.config.set_helper_config(obj, settings.settings)
elif a.get_description:
cmd.print_and_exit(settings.getDescription())
elif a.set_short:
settings.setShort(a.set_short)
fw.config.set_helper_config(obj, settings.settings)
elif a.get_short:
cmd.print_and_exit(settings.getShort())
else:
cmd.fail(parser.format_usage() + "Unknown option")
# lockdown whitelist
elif options_lockdown_whitelist:
whitelist = fw.config.get_policies().lockdown_whitelist
# commands
if a.list_lockdown_whitelist_commands:
l = whitelist.get_commands()
cmd.print_and_exit("\n".join(l))
elif a.add_lockdown_whitelist_command:
cmd.add_sequence(a.add_lockdown_whitelist_command,
whitelist.add_command,
whitelist.has_command, None, "'%s'")
elif a.remove_lockdown_whitelist_command:
cmd.remove_sequence(a.remove_lockdown_whitelist_command,
whitelist.remove_command,
whitelist.has_command, None, "'%s'")
elif a.query_lockdown_whitelist_command:
cmd.query_sequence(a.query_lockdown_whitelist_command,
whitelist.has_command, None, "'%s'")
# contexts
elif a.list_lockdown_whitelist_contexts:
l = whitelist.get_contexts()
cmd.print_and_exit("\n".join(l))
elif a.add_lockdown_whitelist_context:
cmd.add_sequence(a.add_lockdown_whitelist_context,
whitelist.add_context,
whitelist.has_context, None, "'%s'")
elif a.remove_lockdown_whitelist_context:
cmd.remove_sequence(a.remove_lockdown_whitelist_context,
whitelist.remove_context,
whitelist.has_context, None, "'%s'")
elif a.query_lockdown_whitelist_context:
cmd.query_sequence(a.query_lockdown_whitelist_context,
whitelist.has_context, None, "'%s'")
# uids
elif a.list_lockdown_whitelist_uids:
l = whitelist.get_uids()
cmd.print_and_exit(" ".join(map(str, l)))
elif a.add_lockdown_whitelist_uid:
cmd.add_sequence(a.add_lockdown_whitelist_uid,
whitelist.add_uid,
whitelist.has_uid, None, "'%s'")
elif a.remove_lockdown_whitelist_uid:
cmd.remove_sequence(a.remove_lockdown_whitelist_uid,
whitelist.remove_uid,
whitelist.has_uid, None, "'%s'")
elif a.query_lockdown_whitelist_uid:
cmd.query_sequence(a.query_lockdown_whitelist_uid,
whitelist.has_uid, None, "'%s'")
# users
elif a.list_lockdown_whitelist_users:
l = whitelist.get_users()
cmd.print_and_exit("\n".join(l))
elif a.add_lockdown_whitelist_user:
cmd.add_sequence(a.add_lockdown_whitelist_user,
whitelist.add_user,
whitelist.has_user, None, "'%s'")
elif a.remove_lockdown_whitelist_user:
cmd.remove_sequence(a.remove_lockdown_whitelist_user,
whitelist.remove_user,
whitelist.has_user, None, "'%s'")
elif a.query_lockdown_whitelist_user:
cmd.query_sequence(a.query_lockdown_whitelist_user,
whitelist.has_user, None, "'%s'")
# apply whitelist changes
whitelist.write()
elif options_direct:
obj = fw.config.get_direct()
if a.add_passthrough:
if len(a.add_passthrough) < 2:
cmd.fail("usage: --direct --add-passthrough { ipv4 | ipv6 | eb } <args>")
cmd.print_msg(
obj.add_passthrough(cmd.check_ipv(a.add_passthrough[0]),
splitArgs(a.add_passthrough[1])))
elif a.remove_passthrough:
if len(a.remove_passthrough) < 2:
cmd.fail("usage: --direct --remove-passthrough { ipv4 | ipv6 | eb } <args>")
obj.remove_passthrough(cmd.check_ipv(a.remove_passthrough[0]),
splitArgs(a.remove_passthrough[1]))
elif a.query_passthrough:
if len(a.query_passthrough) < 2:
cmd.fail("usage: --direct --query-passthrough { ipv4 | ipv6 | eb } <args>")
cmd.print_query_result(
obj.query_passthrough(cmd.check_ipv(a.query_passthrough[0]),
splitArgs(a.query_passthrough[1])))
sys.exit(0)
elif a.get_passthroughs:
rules = obj.get_passthroughs(cmd.check_ipv(a.get_passthroughs[0]))
for rule in rules:
cmd.print_msg(joinArgs(rule))
sys.exit(0)
elif a.get_all_passthroughs:
rules = obj.get_all_passthroughs()
for ipv in rules:
for rule in rules[ipv]:
cmd.print_msg("%s %s" % (ipv, joinArgs(rule)))
sys.exit(0)
elif a.add_chain:
obj.add_chain(cmd.check_ipv(a.add_chain[0]),
a.add_chain[1], a.add_chain[2])
elif a.remove_chain:
obj.remove_chain(cmd.check_ipv(a.remove_chain[0]),
a.remove_chain[1], a.remove_chain[2])
elif a.query_chain:
cmd.print_query_result(
obj.query_chain(cmd.check_ipv(a.query_chain[0]),
a.query_chain[1], a.query_chain[2]))
sys.exit(0)
elif a.get_chains:
cmd.print_and_exit(
" ".join(obj.get_chains(cmd.check_ipv(a.get_chains[0]),
a.get_chains[1])))
sys.exit(0)
elif a.get_all_chains:
chains = obj.get_all_chains()
for (ipv, table) in chains:
for chain in chains[(ipv, table)]:
cmd.print_msg("%s %s %s" % (ipv, table, chain))
sys.exit(0)
elif a.add_rule:
if len(a.add_rule) < 5:
cmd.fail("usage: --direct --add-rule { ipv4 | ipv6 | eb } <chain> <priority> <args>")
try:
priority = int(a.add_rule[3])
except ValueError:
cmd.fail("wrong priority\nusage: --direct --add-rule { ipv4 | ipv6 | eb } <chain> <priority> <args>")
obj.add_rule(cmd.check_ipv(a.add_rule[0]), a.add_rule[1],
a.add_rule[2], priority, splitArgs(a.add_rule[4]))
elif a.remove_rule:
if len(a.remove_rule) < 5:
cmd.fail("usage: --direct --remove-rule { ipv4 | ipv6 | eb } <chain> <priority> <args>")
try:
priority = int(a.remove_rule[3])
except ValueError:
cmd.fail("usage: --direct --remove-rule { ipv4 | ipv6 | eb } <chain> <priority> <args>")
obj.remove_rule(cmd.check_ipv(a.remove_rule[0]), a.remove_rule[1],
a.remove_rule[2], priority, splitArgs(a.remove_rule[4]))
elif a.remove_rules:
if len(a.remove_rules) < 3:
cmd.fail("usage: --direct --remove-rules { ipv4 | ipv6 | eb } <chain>")
obj.remove_rules(cmd.check_ipv(a.remove_rules[0]),
a.remove_rules[1], a.remove_rules[2])
elif a.query_rule:
if len(a.query_rule) < 5:
cmd.fail("usage: --direct --query-rule { ipv4 | ipv6 | eb } <chain> <priority> <args>")
try:
priority = int(a.query_rule[3])
except ValueError:
cmd.fail("usage: --direct --query-rule { ipv4 | ipv6 | eb } <chain> <priority> <args>")
cmd.print_query_result(
obj.query_rule(cmd.check_ipv(a.query_rule[0]),
a.query_rule[1], a.query_rule[2],
priority, splitArgs(a.query_rule[4])))
sys.exit(0)
elif a.get_rules:
rules = obj.get_rules(cmd.check_ipv(a.get_rules[0]),
a.get_rules[1], a.get_rules[2])
for (priority, rule) in rules:
cmd.print_msg("%d %s" % (priority, joinArgs(rule)))
sys.exit(0)
elif a.get_all_rules:
rules = obj.get_all_rules()
for (ipv, table, chain) in rules:
for (priority, rule) in rules[(ipv, table, chain)]:
cmd.print_msg("%s %s %s %d %s" % \
(ipv, table, chain, priority,
joinArgs(rule)))
sys.exit(0)
obj.write()
else:
if zone == "":
zone = fw.get_default_zone()
fw_zone = fw.config.get_zone(zone)
fw_settings = FirewallClientZoneSettings(
list(fw.config.get_zone_config(fw_zone))) # convert to list, for setMasquerade
# interface
if a.list_interfaces:
l = fw_settings.getInterfaces()
cmd.print_and_exit(" ".join(l))
elif a.get_zone_of_interface:
for interface in a.get_zone_of_interface:
ret = [ ]
for zone in fw.config.get_zones():
obj = fw.config.get_zone(zone)
if interface in obj.interfaces:
ret.append(obj.name)
if len(ret) > 1:
# Even it shouldn't happen, it's actually possible that
# the same interface is in several zone XML files
cmd.print_warning(" ".join(ret) + " (ERROR: interface '%s' is in %s zone XML files, can be only in one)" % (interface, len(ret)))
if len(ret) == 1:
if len(a.get_zone_of_interface) > 1:
cmd.print_warning("%s: %s" % (interface, ret[0]))
else:
cmd.print_and_exit(ret[0])
else:
if len(a.get_zone_of_interface) > 1:
cmd.print_warning("%s: no zone" % interface)
else:
cmd.print_and_exit("no zone", 2)
elif a.change_interface:
for interface in a.change_interface:
for old_zone in fw.config.get_zones():
old_zone_obj = fw.config.get_zone(old_zone)
if interface in old_zone_obj.interfaces:
if old_zone_obj.name != zone:
old_zone_settings = FirewallClientZoneSettings(
fw.config.get_zone_config(old_zone_obj))
old_zone_settings.removeInterface(interface) # remove from old
fw.config.set_zone_config(old_zone_obj, old_zone_settings.settings)
fw_settings.addInterface(interface) # add to new
elif a.add_interface:
cmd.add_sequence(a.add_interface, fw_settings.addInterface,
fw_settings.queryInterface, None, "'%s'")
elif a.remove_interface:
cmd.remove_sequence(a.remove_interface, fw_settings.removeInterface,
fw_settings.queryInterface, None, "'%s'")
elif a.query_interface:
cmd.query_sequence(a.query_interface, fw_settings.queryInterface,
None, "'%s'")
# source
if a.list_sources:
sources = fw_settings.getSources()
cmd.print_and_exit(" ".join(sources))
elif a.get_zone_of_source:
for source in a.get_zone_of_source:
ret = [ ]
for zone in fw.config.get_zones():
obj = fw.config.get_zone(zone)
if source in obj.sources:
ret.append(obj.name)
if len(ret) > 1:
# Even it shouldn't happen, it's actually possible that
# the same source is in several zone XML files
cmd.print_warning(" ".join(ret) + " (ERROR: source '%s' is in %s zone XML files, can be only in one)" % (source, len(ret)))
if len(ret) == 1:
if len(a.get_zone_of_source) > 1:
cmd.print_warning("%s: %s" % (source, ret[0]))
else:
cmd.print_and_exit(ret[0])
else:
if len(a.get_zone_of_source) > 1:
cmd.print_warning("%s: no zone" % source)
else:
cmd.print_and_exit("no zone", 2)
elif a.change_source:
for source in a.change_source:
for old_zone in fw.config.get_zones():
old_zone_obj = fw.config.get_zone(old_zone)
if source in old_zone_obj.sources:
if old_zone_obj.name != zone:
old_zone_settings = FirewallClientZoneSettings(
fw.config.get_zone_config(old_zone_obj))
old_zone_settings.removeSource(source) # remove from old
fw.config.set_zone_config(old_zone_obj, old_zone_settings.settings)
fw_settings.addSource(source) # add to new
elif a.add_source:
cmd.add_sequence(a.add_source, fw_settings.addSource,
fw_settings.querySource, None, "'%s'")
elif a.remove_source:
cmd.remove_sequence(a.remove_source, fw_settings.removeSource,
fw_settings.querySource, None, "'%s'")
elif a.query_source:
cmd.query_sequence(a.query_source, fw_settings.querySource,
None, "'%s'")
# rich rules
if a.list_rich_rules:
l = fw_settings.getRichRules()
cmd.print_and_exit("\n".join(l))
elif a.add_rich_rule:
cmd.add_sequence(a.add_rich_rule, fw_settings.addRichRule,
fw_settings.queryRichRule, None, "'%s'")
elif a.remove_rich_rule:
cmd.remove_sequence(a.remove_rich_rule, fw_settings.removeRichRule,
fw_settings.queryRichRule, None, "'%s'")
elif a.query_rich_rule:
cmd.query_sequence(a.query_rich_rule, fw_settings.queryRichRule,
None, "'%s'")
# service
if a.list_services:
l = fw_settings.getServices()
cmd.print_and_exit(" ".join(sorted(l)))
elif a.add_service:
cmd.add_sequence(a.add_service, fw_settings.addService,
fw_settings.queryService, None, "'%s'")
elif a.remove_service_from_zone:
cmd.remove_sequence(a.remove_service_from_zone,
fw_settings.removeService,
fw_settings.queryService, None, "'%s'")
elif a.query_service:
cmd.query_sequence(a.query_service, fw_settings.queryService,
None, "'%s'")
# port
elif a.list_ports:
l = fw_settings.getPorts()
cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
elif a.add_port:
cmd.add_sequence(a.add_port, fw_settings.addPort,
fw_settings.queryPort, cmd.parse_port, "%s/%s")
elif a.remove_port:
cmd.remove_sequence(a.remove_port, fw_settings.removePort,
fw_settings.queryPort, cmd.parse_port, "%s/%s")
elif a.query_port:
cmd.query_sequence(a.query_port, fw_settings.queryPort,
cmd.parse_port, "%s/%s")
# protocol
elif a.list_protocols:
l = fw_settings.getProtocols()
cmd.print_and_exit(" ".join(sorted(l)))
elif a.add_protocol:
cmd.add_sequence(a.add_protocol, fw_settings.addProtocol,
fw_settings.queryProtocol, None, "'%s'")
elif a.remove_protocol:
cmd.remove_sequence(a.remove_protocol, fw_settings.removeProtocol,
fw_settings.queryProtocol, None, "'%s'")
elif a.query_protocol:
cmd.query_sequence(a.query_protocol, fw_settings.queryProtocol,
None, "'%s'")
# source port
elif a.list_source_ports:
l = fw_settings.getSourcePorts()
cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
elif a.add_source_port:
cmd.add_sequence(a.add_source_port, fw_settings.addSourcePort,
fw_settings.querySourcePort, cmd.parse_port,
"%s/%s")
elif a.remove_source_port:
cmd.remove_sequence(a.remove_source_port,
fw_settings.removeSourcePort,
fw_settings.querySourcePort, cmd.parse_port,
"%s/%s")
elif a.query_source_port:
cmd.query_sequence(a.query_source_port, fw_settings.querySourcePort,
cmd.parse_port, "%s/%s")
# masquerade
elif a.add_masquerade:
fw_settings.setMasquerade(True)
elif a.remove_masquerade:
fw_settings.setMasquerade(False)
elif a.query_masquerade:
cmd.print_query_result(fw_settings.getMasquerade())
# forward port
elif a.list_forward_ports:
l = fw_settings.getForwardPorts()
cmd.print_and_exit("\n".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % (_port, _protocol, _toport, _toaddr) for (_port, _protocol, _toport, _toaddr) in l]))
elif a.add_forward_port:
cmd.add_sequence(a.add_forward_port, fw_settings.addForwardPort,
fw_settings.queryForwardPort,
cmd.parse_forward_port,
"port=%s:proto=%s:toport=%s:toaddr=%s")
elif a.remove_forward_port:
cmd.remove_sequence(a.remove_forward_port,
fw_settings.removeForwardPort,
fw_settings.queryForwardPort,
cmd.parse_forward_port,
"port=%s:proto=%s:toport=%s:toaddr=%s")
elif a.query_forward_port:
cmd.query_sequence(a.query_forward_port,
fw_settings.queryForwardPort,
cmd.parse_forward_port,
"port=%s:proto=%s:toport=%s:toaddr=%s")
# block icmp
elif a.list_icmp_blocks:
l = fw_settings.getIcmpBlocks()
cmd.print_and_exit(" ".join(l))
elif a.add_icmp_block:
cmd.add_sequence(a.add_icmp_block, fw_settings.addIcmpBlock,
fw_settings.queryIcmpBlock, None, "'%s'")
elif a.remove_icmp_block:
cmd.remove_sequence(a.remove_icmp_block,
fw_settings.removeIcmpBlock,
fw_settings.queryIcmpBlock, None, "'%s'")
elif a.query_icmp_block:
cmd.query_sequence(a.query_icmp_block, fw_settings.queryIcmpBlock,
None, "'%s'")
# icmp block inversion
elif a.add_icmp_block_inversion:
fw_settings.addIcmpBlockInversion()
elif a.remove_icmp_block_inversion:
fw_settings.removeIcmpBlockInversion()
elif a.query_icmp_block_inversion:
cmd.print_query_result(fw_settings.queryIcmpBlockInversion())
# zone target
elif a.get_target:
cmd.print_and_exit(fw_settings.getTarget())
elif a.set_target:
fw_settings.setTarget(a.set_target)
# list all zone settings
elif a.list_all:
cmd.print_zone_info(zone if zone else fw.get_default_zone(),
fw_settings)
sys.exit(0)
# list everything
elif a.list_all_zones:
zones = fw.config.get_zones()
for zone in zones:
fw_zone = fw.config.get_zone(zone)
fw_settings = FirewallClientZoneSettings(list(fw.config.get_zone_config(fw_zone)))
cmd.print_zone_info(zone, fw_settings)
cmd.print_msg("")
sys.exit(0)
elif a.set_description:
fw_settings.setDescription(a.set_description)
elif a.get_description:
cmd.print_and_exit(fw_settings.getDescription())
elif a.set_short:
fw_settings.setShort(a.set_short)
elif a.get_short:
cmd.print_and_exit(fw_settings.getShort())
fw.config.set_zone_config(fw_zone, fw_settings.settings)
cmd.print_and_exit("success")
except FirewallError as msg:
cmd.print_and_exit("%s" % msg, msg.code)
except Exception as msg:
cmd.fail("%s" % msg)
else:
cmd.print_and_exit("success")