|
Packit |
a8ec6b |
# -*- coding: utf-8 -*-
|
|
Packit |
a8ec6b |
#
|
|
Packit |
a8ec6b |
# Copyright (C) 2010-2016 Red Hat, Inc.
|
|
Packit |
a8ec6b |
#
|
|
Packit |
a8ec6b |
# Authors:
|
|
Packit |
a8ec6b |
# Thomas Woerner <twoerner@redhat.com>
|
|
Packit |
a8ec6b |
#
|
|
Packit |
a8ec6b |
# This program is free software; you can redistribute it and/or modify
|
|
Packit |
a8ec6b |
# it under the terms of the GNU General Public License as published by
|
|
Packit |
a8ec6b |
# the Free Software Foundation; either version 2 of the License, or
|
|
Packit |
a8ec6b |
# (at your option) any later version.
|
|
Packit |
a8ec6b |
#
|
|
Packit |
a8ec6b |
# This program is distributed in the hope that it will be useful,
|
|
Packit |
a8ec6b |
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit |
a8ec6b |
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
Packit |
a8ec6b |
# GNU General Public License for more details.
|
|
Packit |
a8ec6b |
#
|
|
Packit |
a8ec6b |
# You should have received a copy of the GNU General Public License
|
|
Packit |
a8ec6b |
# along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
Packit |
a8ec6b |
#
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
import os.path
|
|
Packit |
a8ec6b |
import copy
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
from firewall.core.base import SHORTCUTS, DEFAULT_ZONE_TARGET
|
|
Packit |
a8ec6b |
from firewall.core.prog import runProg
|
|
Packit |
a8ec6b |
from firewall.core.logger import log
|
|
Packit |
a8ec6b |
from firewall.functions import tempFile, readfile, splitArgs, check_mac, portStr, \
|
|
Packit |
a8ec6b |
check_single_address, check_address, normalizeIP6
|
|
Packit |
a8ec6b |
from firewall import config
|
|
Packit |
a8ec6b |
from firewall.errors import FirewallError, INVALID_PASSTHROUGH, INVALID_RULE, UNKNOWN_ERROR
|
|
Packit |
a8ec6b |
from firewall.core.rich import Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark, \
|
|
Packit |
a8ec6b |
Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock
|
|
Packit |
a8ec6b |
import string
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
BUILT_IN_CHAINS = {
|
|
Packit |
a8ec6b |
"security": [ "INPUT", "OUTPUT", "FORWARD" ],
|
|
Packit |
a8ec6b |
"raw": [ "PREROUTING", "OUTPUT" ],
|
|
Packit |
a8ec6b |
"mangle": [ "PREROUTING", "POSTROUTING", "INPUT", "OUTPUT", "FORWARD" ],
|
|
Packit |
a8ec6b |
"nat": [ "PREROUTING", "POSTROUTING", "OUTPUT" ],
|
|
Packit |
a8ec6b |
"filter": [ "INPUT", "OUTPUT", "FORWARD" ],
|
|
Packit |
a8ec6b |
}
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
DEFAULT_REJECT_TYPE = {
|
|
Packit |
a8ec6b |
"ipv4": "icmp-host-prohibited",
|
|
Packit |
a8ec6b |
"ipv6": "icmp6-adm-prohibited",
|
|
Packit |
a8ec6b |
}
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
ICMP = {
|
|
Packit |
a8ec6b |
"ipv4": "icmp",
|
|
Packit |
a8ec6b |
"ipv6": "ipv6-icmp",
|
|
Packit |
a8ec6b |
}
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
# ipv ebtables also uses this
|
|
Packit |
a8ec6b |
#
|
|
Packit |
a8ec6b |
def common_reverse_rule(args):
|
|
Packit |
a8ec6b |
""" Inverse valid rule """
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
replace_args = {
|
|
Packit |
a8ec6b |
# Append
|
|
Packit |
a8ec6b |
"-A": "-D",
|
|
Packit |
a8ec6b |
"--append": "--delete",
|
|
Packit |
a8ec6b |
# Insert
|
|
Packit |
a8ec6b |
"-I": "-D",
|
|
Packit |
a8ec6b |
"--insert": "--delete",
|
|
Packit |
a8ec6b |
# New chain
|
|
Packit |
a8ec6b |
"-N": "-X",
|
|
Packit |
a8ec6b |
"--new-chain": "--delete-chain",
|
|
Packit |
a8ec6b |
}
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
ret_args = args[:]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
for arg in replace_args:
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
idx = ret_args.index(arg)
|
|
Packit |
a8ec6b |
except Exception:
|
|
Packit |
a8ec6b |
continue
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if arg in [ "-I", "--insert" ]:
|
|
Packit |
a8ec6b |
# With insert rulenum, then remove it if it is a number
|
|
Packit |
a8ec6b |
# Opt at position idx, chain at position idx+1, [rulenum] at
|
|
Packit |
a8ec6b |
# position idx+2
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
int(ret_args[idx+2])
|
|
Packit |
a8ec6b |
except Exception:
|
|
Packit |
a8ec6b |
pass
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
ret_args.pop(idx+2)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
ret_args[idx] = replace_args[arg]
|
|
Packit |
a8ec6b |
return ret_args
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def common_reverse_passthrough(args):
|
|
Packit |
a8ec6b |
""" Reverse valid passthough rule """
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
replace_args = {
|
|
Packit |
a8ec6b |
# Append
|
|
Packit |
a8ec6b |
"-A": "-D",
|
|
Packit |
a8ec6b |
"--append": "--delete",
|
|
Packit |
a8ec6b |
# Insert
|
|
Packit |
a8ec6b |
"-I": "-D",
|
|
Packit |
a8ec6b |
"--insert": "--delete",
|
|
Packit |
a8ec6b |
# New chain
|
|
Packit |
a8ec6b |
"-N": "-X",
|
|
Packit |
a8ec6b |
"--new-chain": "--delete-chain",
|
|
Packit |
a8ec6b |
}
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
ret_args = args[:]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
for x in replace_args:
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
idx = ret_args.index(x)
|
|
Packit |
a8ec6b |
except ValueError:
|
|
Packit |
a8ec6b |
continue
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if x in [ "-I", "--insert" ]:
|
|
Packit |
a8ec6b |
# With insert rulenum, then remove it if it is a number
|
|
Packit |
a8ec6b |
# Opt at position idx, chain at position idx+1, [rulenum] at
|
|
Packit |
a8ec6b |
# position idx+2
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
int(ret_args[idx+2])
|
|
Packit |
a8ec6b |
except ValueError:
|
|
Packit |
a8ec6b |
pass
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
ret_args.pop(idx+2)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
ret_args[idx] = replace_args[x]
|
|
Packit |
a8ec6b |
return ret_args
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
raise FirewallError(INVALID_PASSTHROUGH,
|
|
Packit |
a8ec6b |
"no '-A', '-I' or '-N' arg")
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
# ipv ebtables also uses this
|
|
Packit |
a8ec6b |
#
|
|
Packit |
a8ec6b |
def common_check_passthrough(args):
|
|
Packit |
a8ec6b |
""" Check if passthough rule is valid (only add, insert and new chain
|
|
Packit |
a8ec6b |
rules are allowed) """
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
args = set(args)
|
|
Packit |
a8ec6b |
not_allowed = set(["-C", "--check", # check rule
|
|
Packit |
a8ec6b |
"-D", "--delete", # delete rule
|
|
Packit |
a8ec6b |
"-R", "--replace", # replace rule
|
|
Packit |
a8ec6b |
"-L", "--list", # list rule
|
|
Packit |
a8ec6b |
"-S", "--list-rules", # print rules
|
|
Packit |
a8ec6b |
"-F", "--flush", # flush rules
|
|
Packit |
a8ec6b |
"-Z", "--zero", # zero rules
|
|
Packit |
a8ec6b |
"-X", "--delete-chain", # delete chain
|
|
Packit |
a8ec6b |
"-P", "--policy", # policy
|
|
Packit |
a8ec6b |
"-E", "--rename-chain"]) # rename chain)
|
|
Packit |
a8ec6b |
# intersection of args and not_allowed is not empty, i.e.
|
|
Packit |
a8ec6b |
# something from args is not allowed
|
|
Packit |
a8ec6b |
if len(args & not_allowed) > 0:
|
|
Packit |
a8ec6b |
raise FirewallError(INVALID_PASSTHROUGH,
|
|
Packit |
a8ec6b |
"arg '%s' is not allowed" %
|
|
Packit |
a8ec6b |
list(args & not_allowed)[0])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
# args need to contain one of -A, -I, -N
|
|
Packit |
a8ec6b |
needed = set(["-A", "--append",
|
|
Packit |
a8ec6b |
"-I", "--insert",
|
|
Packit |
a8ec6b |
"-N", "--new-chain"])
|
|
Packit |
a8ec6b |
# empty intersection of args and needed, i.e.
|
|
Packit |
a8ec6b |
# none from args contains any needed command
|
|
Packit |
a8ec6b |
if len(args & needed) == 0:
|
|
Packit |
a8ec6b |
raise FirewallError(INVALID_PASSTHROUGH,
|
|
Packit |
a8ec6b |
"no '-A', '-I' or '-N' arg")
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
class ip4tables(object):
|
|
Packit |
a8ec6b |
ipv = "ipv4"
|
|
Packit |
a8ec6b |
name = "ip4tables"
|
|
Packit |
a8ec6b |
zones_supported = True
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def __init__(self, fw):
|
|
Packit |
a8ec6b |
self._fw = fw
|
|
Packit |
a8ec6b |
self._command = config.COMMANDS[self.ipv]
|
|
Packit |
a8ec6b |
self._restore_command = config.COMMANDS["%s-restore" % self.ipv]
|
|
Packit |
a8ec6b |
self.wait_option = self._detect_wait_option()
|
|
Packit |
a8ec6b |
self.restore_wait_option = self._detect_restore_wait_option()
|
|
Packit |
a8ec6b |
self.fill_exists()
|
|
Packit |
a8ec6b |
self.available_tables = []
|
|
Packit |
a8ec6b |
self.rich_rule_priority_counts = {}
|
|
Packit |
a8ec6b |
self.zone_source_index_cache = []
|
|
Packit |
a8ec6b |
self.our_chains = {} # chains created by firewalld
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def fill_exists(self):
|
|
Packit |
a8ec6b |
self.command_exists = os.path.exists(self._command)
|
|
Packit |
a8ec6b |
self.restore_command_exists = os.path.exists(self._restore_command)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def __run(self, args):
|
|
Packit |
a8ec6b |
# convert to string list
|
|
Packit |
a8ec6b |
if self.wait_option and self.wait_option not in args:
|
|
Packit |
a8ec6b |
_args = [self.wait_option] + ["%s" % item for item in args]
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
_args = ["%s" % item for item in args]
|
|
Packit |
a8ec6b |
log.debug2("%s: %s %s", self.__class__, self._command, " ".join(_args))
|
|
Packit |
a8ec6b |
(status, ret) = runProg(self._command, _args)
|
|
Packit |
a8ec6b |
if status != 0:
|
|
Packit |
a8ec6b |
raise ValueError("'%s %s' failed: %s" % (self._command,
|
|
Packit |
a8ec6b |
" ".join(_args), ret))
|
|
Packit |
a8ec6b |
return ret
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def split_value(self, rules, opts=None):
|
|
Packit |
a8ec6b |
"""Split values combined with commas for options in opts"""
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if opts is None:
|
|
Packit |
a8ec6b |
return rules
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
out_rules = [ ]
|
|
Packit |
a8ec6b |
for rule in rules:
|
|
Packit |
a8ec6b |
processed = False
|
|
Packit |
a8ec6b |
for opt in opts:
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
i = rule.index(opt)
|
|
Packit |
a8ec6b |
except ValueError:
|
|
Packit |
a8ec6b |
pass
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
if len(rule) > i and "," in rule[i+1]:
|
|
Packit |
a8ec6b |
# For all items in the comma separated list in index
|
|
Packit |
a8ec6b |
# i of the rule, a new rule is created with a single
|
|
Packit |
a8ec6b |
# item from this list
|
|
Packit |
a8ec6b |
processed = True
|
|
Packit |
a8ec6b |
items = rule[i+1].split(",")
|
|
Packit |
a8ec6b |
for item in items:
|
|
Packit |
a8ec6b |
_rule = rule[:]
|
|
Packit |
a8ec6b |
_rule[i+1] = item
|
|
Packit |
a8ec6b |
out_rules.append(_rule)
|
|
Packit |
a8ec6b |
if not processed:
|
|
Packit |
a8ec6b |
out_rules.append(rule)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return out_rules
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def _rule_replace(self, rule, pattern, replacement):
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
i = rule.index(pattern)
|
|
Packit |
a8ec6b |
except ValueError:
|
|
Packit |
a8ec6b |
return False
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
rule[i:i+1] = replacement
|
|
Packit |
a8ec6b |
return True
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def is_chain_builtin(self, ipv, table, chain):
|
|
Packit |
a8ec6b |
return table in BUILT_IN_CHAINS and \
|
|
Packit |
a8ec6b |
chain in BUILT_IN_CHAINS[table]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_chain_rules(self, add, table, chain):
|
|
Packit |
a8ec6b |
rule = [ "-t", table ]
|
|
Packit |
a8ec6b |
if add:
|
|
Packit |
a8ec6b |
rule.append("-N")
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
rule.append("-X")
|
|
Packit |
a8ec6b |
rule.append(chain)
|
|
Packit |
a8ec6b |
return [rule]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_rule(self, add, table, chain, index, args):
|
|
Packit |
a8ec6b |
rule = [ "-t", table ]
|
|
Packit |
a8ec6b |
if add:
|
|
Packit |
a8ec6b |
rule += [ "-I", chain, str(index) ]
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
rule += [ "-D", chain ]
|
|
Packit |
a8ec6b |
rule += args
|
|
Packit |
a8ec6b |
return rule
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def reverse_rule(self, args):
|
|
Packit |
a8ec6b |
return common_reverse_rule(args)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def check_passthrough(self, args):
|
|
Packit |
a8ec6b |
common_check_passthrough(args)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def reverse_passthrough(self, args):
|
|
Packit |
a8ec6b |
return common_reverse_passthrough(args)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def passthrough_parse_table_chain(self, args):
|
|
Packit |
a8ec6b |
table = "filter"
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
i = args.index("-t")
|
|
Packit |
a8ec6b |
except ValueError:
|
|
Packit |
a8ec6b |
pass
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
if len(args) >= i+1:
|
|
Packit |
a8ec6b |
table = args[i+1]
|
|
Packit |
a8ec6b |
chain = None
|
|
Packit |
a8ec6b |
for opt in [ "-A", "--append",
|
|
Packit |
a8ec6b |
"-I", "--insert",
|
|
Packit |
a8ec6b |
"-N", "--new-chain" ]:
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
i = args.index(opt)
|
|
Packit |
a8ec6b |
except ValueError:
|
|
Packit |
a8ec6b |
pass
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
if len(args) >= i+1:
|
|
Packit |
a8ec6b |
chain = args[i+1]
|
|
Packit |
a8ec6b |
return (table, chain)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def _run_replace_zone_source(self, rule, zone_source_index_cache):
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
i = rule.index("%%ZONE_SOURCE%%")
|
|
Packit |
a8ec6b |
rule.pop(i)
|
|
Packit |
a8ec6b |
zone = rule.pop(i)
|
|
Packit |
a8ec6b |
if "-m" == rule[4]: # ipset/mac
|
|
Packit |
a8ec6b |
zone_source = (zone, rule[7]) # (zone, address)
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
zone_source = (zone, rule[5]) # (zone, address)
|
|
Packit |
a8ec6b |
except ValueError:
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
i = rule.index("%%ZONE_INTERFACE%%")
|
|
Packit |
a8ec6b |
rule.pop(i)
|
|
Packit |
a8ec6b |
zone_source = None
|
|
Packit |
a8ec6b |
except ValueError:
|
|
Packit |
a8ec6b |
return
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rule_add = True
|
|
Packit |
a8ec6b |
if rule[0] in ["-D", "--delete"]:
|
|
Packit |
a8ec6b |
rule_add = False
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if zone_source and not rule_add:
|
|
Packit |
a8ec6b |
if zone_source in zone_source_index_cache:
|
|
Packit |
a8ec6b |
zone_source_index_cache.remove(zone_source)
|
|
Packit |
a8ec6b |
elif rule_add:
|
|
Packit |
a8ec6b |
if zone_source:
|
|
Packit |
a8ec6b |
# order source based dispatch by zone name
|
|
Packit |
a8ec6b |
if zone_source not in zone_source_index_cache:
|
|
Packit |
a8ec6b |
zone_source_index_cache.append(zone_source)
|
|
Packit |
a8ec6b |
zone_source_index_cache.sort(key=lambda x: x[0])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
index = zone_source_index_cache.index(zone_source)
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
if self._fw._allow_zone_drifting:
|
|
Packit |
a8ec6b |
index = 0
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
index = len(zone_source_index_cache)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rule[0] = "-I"
|
|
Packit |
a8ec6b |
rule.insert(2, "%d" % (index + 1))
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def _set_rule_replace_rich_rule_priority(self, rule, rich_rule_priority_counts):
|
|
Packit |
a8ec6b |
"""
|
|
Packit |
a8ec6b |
Change something like
|
|
Packit |
a8ec6b |
-t filter -I public_IN %%RICH_RULE_PRIORITY%% 123
|
|
Packit |
a8ec6b |
or
|
|
Packit |
a8ec6b |
-t filter -A public_IN %%RICH_RULE_PRIORITY%% 321
|
|
Packit |
a8ec6b |
into
|
|
Packit |
a8ec6b |
-t filter -I public_IN 4
|
|
Packit |
a8ec6b |
or
|
|
Packit |
a8ec6b |
-t filter -I public_IN
|
|
Packit |
a8ec6b |
"""
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
i = rule.index("%%RICH_RULE_PRIORITY%%")
|
|
Packit |
a8ec6b |
except ValueError:
|
|
Packit |
a8ec6b |
pass
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
rule_add = True
|
|
Packit |
a8ec6b |
insert = False
|
|
Packit |
a8ec6b |
insert_add_index = -1
|
|
Packit |
a8ec6b |
rule.pop(i)
|
|
Packit |
a8ec6b |
priority = rule.pop(i)
|
|
Packit |
a8ec6b |
if type(priority) != int:
|
|
Packit |
a8ec6b |
raise FirewallError(INVALID_RULE, "rich rule priority must be followed by a number")
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
table = "filter"
|
|
Packit |
a8ec6b |
for opt in [ "-t", "--table" ]:
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
j = rule.index(opt)
|
|
Packit |
a8ec6b |
except ValueError:
|
|
Packit |
a8ec6b |
pass
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
if len(rule) >= j+1:
|
|
Packit |
a8ec6b |
table = rule[j+1]
|
|
Packit |
a8ec6b |
for opt in [ "-A", "--append",
|
|
Packit |
a8ec6b |
"-I", "--insert",
|
|
Packit |
a8ec6b |
"-D", "--delete" ]:
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
insert_add_index = rule.index(opt)
|
|
Packit |
a8ec6b |
except ValueError:
|
|
Packit |
a8ec6b |
pass
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
if len(rule) >= insert_add_index+1:
|
|
Packit |
a8ec6b |
chain = rule[insert_add_index+1]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if opt in [ "-I", "--insert" ]:
|
|
Packit |
a8ec6b |
insert = True
|
|
Packit |
a8ec6b |
if opt in [ "-D", "--delete" ]:
|
|
Packit |
a8ec6b |
rule_add = False
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
chain = (table, chain)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
# Add the rule to the priority counts. We don't need to store the
|
|
Packit |
a8ec6b |
# rule, just bump the ref count for the priority value.
|
|
Packit |
a8ec6b |
if not rule_add:
|
|
Packit |
a8ec6b |
if chain not in rich_rule_priority_counts or \
|
|
Packit |
a8ec6b |
priority not in rich_rule_priority_counts[chain] or \
|
|
Packit |
a8ec6b |
rich_rule_priority_counts[chain][priority] <= 0:
|
|
Packit |
a8ec6b |
raise FirewallError(UNKNOWN_ERROR, "nonexistent or underflow of rich rule priority count")
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rich_rule_priority_counts[chain][priority] -= 1
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
if chain not in rich_rule_priority_counts:
|
|
Packit |
a8ec6b |
rich_rule_priority_counts[chain] = {}
|
|
Packit |
a8ec6b |
if priority not in rich_rule_priority_counts[chain]:
|
|
Packit |
a8ec6b |
rich_rule_priority_counts[chain][priority] = 0
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
# calculate index of new rule
|
|
Packit |
a8ec6b |
index = 1
|
|
Packit |
a8ec6b |
for p in sorted(rich_rule_priority_counts[chain].keys()):
|
|
Packit |
a8ec6b |
if p == priority and insert:
|
|
Packit |
a8ec6b |
break
|
|
Packit |
a8ec6b |
index += rich_rule_priority_counts[chain][p]
|
|
Packit |
a8ec6b |
if p == priority:
|
|
Packit |
a8ec6b |
break
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rich_rule_priority_counts[chain][priority] += 1
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rule[insert_add_index] = "-I"
|
|
Packit |
a8ec6b |
rule.insert(insert_add_index+2, "%d" % index)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def set_rules(self, rules, log_denied):
|
|
Packit |
a8ec6b |
temp_file = tempFile()
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
table_rules = { }
|
|
Packit |
a8ec6b |
rich_rule_priority_counts = copy.deepcopy(self.rich_rule_priority_counts)
|
|
Packit |
a8ec6b |
zone_source_index_cache = copy.deepcopy(self.zone_source_index_cache)
|
|
Packit |
a8ec6b |
for _rule in rules:
|
|
Packit |
a8ec6b |
rule = _rule[:]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
# replace %%REJECT%%
|
|
Packit |
a8ec6b |
self._rule_replace(rule, "%%REJECT%%", \
|
|
Packit |
a8ec6b |
["REJECT", "--reject-with", DEFAULT_REJECT_TYPE[self.ipv]])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
# replace %%ICMP%%
|
|
Packit |
a8ec6b |
self._rule_replace(rule, "%%ICMP%%", [ICMP[self.ipv]])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
# replace %%LOGTYPE%%
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
i = rule.index("%%LOGTYPE%%")
|
|
Packit |
a8ec6b |
except ValueError:
|
|
Packit |
a8ec6b |
pass
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
if log_denied == "off":
|
|
Packit |
a8ec6b |
continue
|
|
Packit |
a8ec6b |
if log_denied in [ "unicast", "broadcast", "multicast" ]:
|
|
Packit |
a8ec6b |
rule[i:i+1] = [ "-m", "pkttype", "--pkt-type", log_denied ]
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
rule.pop(i)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
self._set_rule_replace_rich_rule_priority(rule, rich_rule_priority_counts)
|
|
Packit |
a8ec6b |
self._run_replace_zone_source(rule, zone_source_index_cache)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
table = "filter"
|
|
Packit |
a8ec6b |
# get table form rule
|
|
Packit |
a8ec6b |
for opt in [ "-t", "--table" ]:
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
i = rule.index(opt)
|
|
Packit |
a8ec6b |
except ValueError:
|
|
Packit |
a8ec6b |
pass
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
if len(rule) >= i+1:
|
|
Packit |
a8ec6b |
rule.pop(i)
|
|
Packit |
a8ec6b |
table = rule.pop(i)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
# we can not use joinArgs here, because it would use "'" instead
|
|
Packit |
a8ec6b |
# of '"' for the start and end of the string, this breaks
|
|
Packit |
a8ec6b |
# iptables-restore
|
|
Packit |
a8ec6b |
for i in range(len(rule)):
|
|
Packit |
a8ec6b |
for c in string.whitespace:
|
|
Packit |
a8ec6b |
if c in rule[i] and not (rule[i].startswith('"') and
|
|
Packit |
a8ec6b |
rule[i].endswith('"')):
|
|
Packit |
a8ec6b |
rule[i] = '"%s"' % rule[i]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
table_rules.setdefault(table, []).append(rule)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
for table in table_rules:
|
|
Packit |
a8ec6b |
rules = table_rules[table]
|
|
Packit |
a8ec6b |
rules = self.split_value(rules, [ "-s", "--source" ])
|
|
Packit |
a8ec6b |
rules = self.split_value(rules, [ "-d", "--destination" ])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
temp_file.write("*%s\n" % table)
|
|
Packit |
a8ec6b |
for rule in rules:
|
|
Packit |
a8ec6b |
temp_file.write(" ".join(rule) + "\n")
|
|
Packit |
a8ec6b |
temp_file.write("COMMIT\n")
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
temp_file.close()
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
stat = os.stat(temp_file.name)
|
|
Packit |
a8ec6b |
log.debug2("%s: %s %s", self.__class__, self._restore_command,
|
|
Packit |
a8ec6b |
"%s: %d" % (temp_file.name, stat.st_size))
|
|
Packit |
a8ec6b |
args = [ ]
|
|
Packit |
a8ec6b |
if self.restore_wait_option:
|
|
Packit |
a8ec6b |
args.append(self.restore_wait_option)
|
|
Packit |
a8ec6b |
args.append("-n")
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
(status, ret) = runProg(self._restore_command, args,
|
|
Packit |
a8ec6b |
stdin=temp_file.name)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if log.getDebugLogLevel() > 2:
|
|
Packit |
a8ec6b |
lines = readfile(temp_file.name)
|
|
Packit |
a8ec6b |
if lines is not None:
|
|
Packit |
a8ec6b |
i = 1
|
|
Packit |
a8ec6b |
for line in lines:
|
|
Packit |
a8ec6b |
log.debug3("%8d: %s" % (i, line), nofmt=1, nl=0)
|
|
Packit |
a8ec6b |
if not line.endswith("\n"):
|
|
Packit |
a8ec6b |
log.debug3("", nofmt=1)
|
|
Packit |
a8ec6b |
i += 1
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
os.unlink(temp_file.name)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if status != 0:
|
|
Packit |
a8ec6b |
raise ValueError("'%s %s' failed: %s" % (self._restore_command,
|
|
Packit |
a8ec6b |
" ".join(args), ret))
|
|
Packit |
a8ec6b |
self.rich_rule_priority_counts = rich_rule_priority_counts
|
|
Packit |
a8ec6b |
self.zone_source_index_cache = zone_source_index_cache
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def set_rule(self, rule, log_denied):
|
|
Packit |
a8ec6b |
# replace %%REJECT%%
|
|
Packit |
a8ec6b |
self._rule_replace(rule, "%%REJECT%%", \
|
|
Packit |
a8ec6b |
["REJECT", "--reject-with", DEFAULT_REJECT_TYPE[self.ipv]])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
# replace %%ICMP%%
|
|
Packit |
a8ec6b |
self._rule_replace(rule, "%%ICMP%%", [ICMP[self.ipv]])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
# replace %%LOGTYPE%%
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
i = rule.index("%%LOGTYPE%%")
|
|
Packit |
a8ec6b |
except ValueError:
|
|
Packit |
a8ec6b |
pass
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
if log_denied == "off":
|
|
Packit |
a8ec6b |
return ""
|
|
Packit |
a8ec6b |
if log_denied in [ "unicast", "broadcast", "multicast" ]:
|
|
Packit |
a8ec6b |
rule[i:i+1] = [ "-m", "pkttype", "--pkt-type", log_denied ]
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
rule.pop(i)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rich_rule_priority_counts = copy.deepcopy(self.rich_rule_priority_counts)
|
|
Packit |
a8ec6b |
zone_source_index_cache = copy.deepcopy(self.zone_source_index_cache)
|
|
Packit |
a8ec6b |
self._set_rule_replace_rich_rule_priority(rule, rich_rule_priority_counts)
|
|
Packit |
a8ec6b |
self._run_replace_zone_source(rule, zone_source_index_cache)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
output = self.__run(rule)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
self.rich_rule_priority_counts = rich_rule_priority_counts
|
|
Packit |
a8ec6b |
self.zone_source_index_cache = zone_source_index_cache
|
|
Packit |
a8ec6b |
return output
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def get_available_tables(self, table=None):
|
|
Packit |
a8ec6b |
ret = []
|
|
Packit |
a8ec6b |
tables = [ table ] if table else BUILT_IN_CHAINS.keys()
|
|
Packit |
a8ec6b |
for table in tables:
|
|
Packit |
a8ec6b |
if table in self.available_tables:
|
|
Packit |
a8ec6b |
ret.append(table)
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
self.__run(["-t", table, "-L", "-n"])
|
|
Packit |
a8ec6b |
self.available_tables.append(table)
|
|
Packit |
a8ec6b |
ret.append(table)
|
|
Packit |
a8ec6b |
except ValueError:
|
|
Packit |
a8ec6b |
log.debug1("%s table '%s' does not exist (or not enough permission to check)." % (self.ipv, table))
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return ret
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def _detect_wait_option(self):
|
|
Packit |
a8ec6b |
wait_option = ""
|
|
Packit |
a8ec6b |
ret = runProg(self._command, ["-w", "-L", "-n"]) # since iptables-1.4.20
|
|
Packit |
a8ec6b |
if ret[0] == 0:
|
|
Packit |
a8ec6b |
wait_option = "-w" # wait for xtables lock
|
|
Packit |
a8ec6b |
ret = runProg(self._command, ["-w10", "-L", "-n"]) # since iptables > 1.4.21
|
|
Packit |
a8ec6b |
if ret[0] == 0:
|
|
Packit |
a8ec6b |
wait_option = "-w10" # wait max 10 seconds
|
|
Packit |
a8ec6b |
log.debug2("%s: %s will be using %s option.", self.__class__, self._command, wait_option)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return wait_option
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def _detect_restore_wait_option(self):
|
|
Packit |
a8ec6b |
temp_file = tempFile()
|
|
Packit |
a8ec6b |
temp_file.write("#foo")
|
|
Packit |
a8ec6b |
temp_file.close()
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
wait_option = ""
|
|
Packit |
a8ec6b |
for test_option in ["-w", "--wait=2"]:
|
|
Packit |
a8ec6b |
ret = runProg(self._restore_command, [test_option], stdin=temp_file.name)
|
|
Packit |
a8ec6b |
if ret[0] == 0 and "invalid option" not in ret[1] \
|
|
Packit |
a8ec6b |
and "unrecognized option" not in ret[1]:
|
|
Packit |
a8ec6b |
wait_option = test_option
|
|
Packit |
a8ec6b |
break
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
log.debug2("%s: %s will be using %s option.", self.__class__, self._restore_command, wait_option)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
os.unlink(temp_file.name)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return wait_option
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_flush_rules(self):
|
|
Packit |
a8ec6b |
self.rich_rule_priority_counts = {}
|
|
Packit |
a8ec6b |
self.zone_source_index_cache = []
|
|
Packit |
a8ec6b |
rules = []
|
|
Packit |
a8ec6b |
for table in BUILT_IN_CHAINS.keys():
|
|
Packit |
a8ec6b |
if not self.get_available_tables(table):
|
|
Packit |
a8ec6b |
continue
|
|
Packit |
a8ec6b |
# Flush firewall rules: -F
|
|
Packit |
a8ec6b |
# Delete firewall chains: -X
|
|
Packit |
a8ec6b |
# Set counter to zero: -Z
|
|
Packit |
a8ec6b |
for flag in [ "-F", "-X", "-Z" ]:
|
|
Packit |
a8ec6b |
rules.append(["-t", table, flag])
|
|
Packit |
a8ec6b |
return rules
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_set_policy_rules(self, policy):
|
|
Packit |
a8ec6b |
rules = []
|
|
Packit |
a8ec6b |
_policy = "DROP" if policy == "PANIC" else policy
|
|
Packit |
a8ec6b |
for table in BUILT_IN_CHAINS.keys():
|
|
Packit |
a8ec6b |
if not self.get_available_tables(table):
|
|
Packit |
a8ec6b |
continue
|
|
Packit |
a8ec6b |
if table == "nat":
|
|
Packit |
a8ec6b |
continue
|
|
Packit |
a8ec6b |
for chain in BUILT_IN_CHAINS[table]:
|
|
Packit |
a8ec6b |
rules.append(["-t", table, "-P", chain, _policy])
|
|
Packit |
a8ec6b |
return rules
|
|
Packit |
a8ec6b |
|
|
Packit Service |
b435dc |
def supported_icmp_types(self, ipv=None):
|
|
Packit |
a8ec6b |
"""Return ICMP types that are supported by the iptables/ip6tables command and kernel"""
|
|
Packit |
a8ec6b |
ret = [ ]
|
|
Packit |
a8ec6b |
output = ""
|
|
Packit |
a8ec6b |
try:
|
|
Packit |
a8ec6b |
output = self.__run(["-p",
|
|
Packit |
a8ec6b |
"icmp" if self.ipv == "ipv4" else "ipv6-icmp",
|
|
Packit |
a8ec6b |
"--help"])
|
|
Packit |
a8ec6b |
except ValueError as ex:
|
|
Packit |
a8ec6b |
if self.ipv == "ipv4":
|
|
Packit |
a8ec6b |
log.debug1("iptables error: %s" % ex)
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
log.debug1("ip6tables error: %s" % ex)
|
|
Packit |
a8ec6b |
lines = output.splitlines()
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
in_types = False
|
|
Packit |
a8ec6b |
for line in lines:
|
|
Packit |
a8ec6b |
#print(line)
|
|
Packit |
a8ec6b |
if in_types:
|
|
Packit |
a8ec6b |
line = line.strip().lower()
|
|
Packit |
a8ec6b |
splits = line.split()
|
|
Packit |
a8ec6b |
for split in splits:
|
|
Packit |
a8ec6b |
if split.startswith("(") and split.endswith(")"):
|
|
Packit |
a8ec6b |
x = split[1:-1]
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
x = split
|
|
Packit |
a8ec6b |
if x not in ret:
|
|
Packit |
a8ec6b |
ret.append(x)
|
|
Packit |
a8ec6b |
if self.ipv == "ipv4" and line.startswith("Valid ICMP Types:") or \
|
|
Packit |
a8ec6b |
self.ipv == "ipv6" and line.startswith("Valid ICMPv6 Types:"):
|
|
Packit |
a8ec6b |
in_types = True
|
|
Packit |
a8ec6b |
return ret
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_default_tables(self):
|
|
Packit |
a8ec6b |
# nothing to do, they always exist
|
|
Packit |
a8ec6b |
return []
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_default_rules(self, log_denied="off"):
|
|
Packit |
a8ec6b |
default_rules = {}
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if self.get_available_tables("security"):
|
|
Packit |
a8ec6b |
default_rules["security"] = [ ]
|
|
Packit |
a8ec6b |
self.our_chains["security"] = set()
|
|
Packit |
a8ec6b |
for chain in BUILT_IN_CHAINS["security"]:
|
|
Packit |
a8ec6b |
default_rules["security"].append("-N %s_direct" % chain)
|
|
Packit |
a8ec6b |
default_rules["security"].append("-A %s -j %s_direct" % (chain, chain))
|
|
Packit |
a8ec6b |
self.our_chains["security"].add("%s_direct" % chain)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if self.get_available_tables("raw"):
|
|
Packit |
a8ec6b |
default_rules["raw"] = [ ]
|
|
Packit |
a8ec6b |
self.our_chains["raw"] = set()
|
|
Packit |
a8ec6b |
for chain in BUILT_IN_CHAINS["raw"]:
|
|
Packit |
a8ec6b |
default_rules["raw"].append("-N %s_direct" % chain)
|
|
Packit |
a8ec6b |
default_rules["raw"].append("-A %s -j %s_direct" % (chain, chain))
|
|
Packit |
a8ec6b |
self.our_chains["raw"].add("%s_direct" % chain)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if chain == "PREROUTING":
|
|
Packit |
a8ec6b |
for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
|
|
Packit |
a8ec6b |
default_rules["raw"].append("-N %s_%s" % (chain, dispatch_suffix))
|
|
Packit |
a8ec6b |
default_rules["raw"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix))
|
|
Packit |
a8ec6b |
self.our_chains["raw"].update(set(["%s_%s" % (chain, dispatch_suffix)]))
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if self.get_available_tables("mangle"):
|
|
Packit |
a8ec6b |
default_rules["mangle"] = [ ]
|
|
Packit |
a8ec6b |
self.our_chains["mangle"] = set()
|
|
Packit |
a8ec6b |
for chain in BUILT_IN_CHAINS["mangle"]:
|
|
Packit |
a8ec6b |
default_rules["mangle"].append("-N %s_direct" % chain)
|
|
Packit |
a8ec6b |
default_rules["mangle"].append("-A %s -j %s_direct" % (chain, chain))
|
|
Packit |
a8ec6b |
self.our_chains["mangle"].add("%s_direct" % chain)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if chain == "PREROUTING":
|
|
Packit |
a8ec6b |
for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
|
|
Packit |
a8ec6b |
default_rules["mangle"].append("-N %s_%s" % (chain, dispatch_suffix))
|
|
Packit |
a8ec6b |
default_rules["mangle"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix))
|
|
Packit |
a8ec6b |
self.our_chains["mangle"].update(set(["%s_%s" % (chain, dispatch_suffix)]))
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if self.get_available_tables("nat"):
|
|
Packit |
a8ec6b |
default_rules["nat"] = [ ]
|
|
Packit |
a8ec6b |
self.our_chains["nat"] = set()
|
|
Packit |
a8ec6b |
for chain in BUILT_IN_CHAINS["nat"]:
|
|
Packit |
a8ec6b |
default_rules["nat"].append("-N %s_direct" % chain)
|
|
Packit |
a8ec6b |
default_rules["nat"].append("-A %s -j %s_direct" % (chain, chain))
|
|
Packit |
a8ec6b |
self.our_chains["nat"].add("%s_direct" % chain)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if chain in [ "PREROUTING", "POSTROUTING" ]:
|
|
Packit |
a8ec6b |
for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
|
|
Packit |
a8ec6b |
default_rules["nat"].append("-N %s_%s" % (chain, dispatch_suffix))
|
|
Packit |
a8ec6b |
default_rules["nat"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix))
|
|
Packit |
a8ec6b |
self.our_chains["nat"].update(set(["%s_%s" % (chain, dispatch_suffix)]))
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
default_rules["filter"] = []
|
|
Packit |
a8ec6b |
self.our_chains["filter"] = set()
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT")
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A INPUT -i lo -j ACCEPT")
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-N INPUT_direct")
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A INPUT -j INPUT_direct")
|
|
Packit |
a8ec6b |
self.our_chains["filter"].update(set("INPUT_direct"))
|
|
Packit |
a8ec6b |
for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-N INPUT_%s" % (dispatch_suffix))
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A INPUT -j INPUT_%s" % (dispatch_suffix))
|
|
Packit |
a8ec6b |
self.our_chains["filter"].update(set("INPUT_%s" % (dispatch_suffix)))
|
|
Packit |
a8ec6b |
if log_denied != "off":
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID -j DROP")
|
|
Packit |
a8ec6b |
if log_denied != "off":
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: '")
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A INPUT -j %%REJECT%%")
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPT")
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A FORWARD -i lo -j ACCEPT")
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-N FORWARD_direct")
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A FORWARD -j FORWARD_direct")
|
|
Packit |
a8ec6b |
self.our_chains["filter"].update(set("FORWARD_direct"))
|
|
Packit |
a8ec6b |
for direction in ["IN", "OUT"]:
|
|
Packit |
a8ec6b |
for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-N FORWARD_%s_%s" % (direction, dispatch_suffix))
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A FORWARD -j FORWARD_%s_%s" % (direction, dispatch_suffix))
|
|
Packit |
a8ec6b |
self.our_chains["filter"].update(set("FORWARD_%s_%s" % (direction, dispatch_suffix)))
|
|
Packit |
a8ec6b |
if log_denied != "off":
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID -j DROP")
|
|
Packit |
a8ec6b |
if log_denied != "off":
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A FORWARD %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: '")
|
|
Packit |
a8ec6b |
default_rules["filter"].append("-A FORWARD -j %%REJECT%%")
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
default_rules["filter"] += [
|
|
Packit |
a8ec6b |
"-N OUTPUT_direct",
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
"-A OUTPUT -o lo -j ACCEPT",
|
|
Packit |
a8ec6b |
"-A OUTPUT -j OUTPUT_direct",
|
|
Packit |
a8ec6b |
]
|
|
Packit |
a8ec6b |
self.our_chains["filter"].update(set("OUTPUT_direct"))
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
final_default_rules = []
|
|
Packit |
a8ec6b |
for table in default_rules:
|
|
Packit |
a8ec6b |
if table not in self.get_available_tables():
|
|
Packit |
a8ec6b |
continue
|
|
Packit |
a8ec6b |
for rule in default_rules[table]:
|
|
Packit |
a8ec6b |
final_default_rules.append(["-t", table] + splitArgs(rule))
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return final_default_rules
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def get_zone_table_chains(self, table):
|
|
Packit |
a8ec6b |
if table == "filter":
|
|
Packit |
a8ec6b |
return { "INPUT", "FORWARD_IN", "FORWARD_OUT" }
|
|
Packit |
a8ec6b |
if table == "mangle":
|
|
Packit |
a8ec6b |
if "mangle" in self.get_available_tables():
|
|
Packit |
a8ec6b |
return { "PREROUTING" }
|
|
Packit |
a8ec6b |
if table == "nat":
|
|
Packit |
a8ec6b |
if "nat" in self.get_available_tables():
|
|
Packit |
a8ec6b |
return { "PREROUTING", "POSTROUTING" }
|
|
Packit |
a8ec6b |
if table == "raw":
|
|
Packit |
a8ec6b |
if "raw" in self.get_available_tables():
|
|
Packit |
a8ec6b |
return { "PREROUTING" }
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return {}
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_zone_source_interface_rules(self, enable, zone, interface,
|
|
Packit |
a8ec6b |
table, chain, append=False):
|
|
Packit |
a8ec6b |
# handle all zones in the same way here, now
|
|
Packit |
a8ec6b |
# trust and block zone targets are handled now in __chain
|
|
Packit |
a8ec6b |
opt = {
|
|
Packit |
a8ec6b |
"PREROUTING": "-i",
|
|
Packit |
a8ec6b |
"POSTROUTING": "-o",
|
|
Packit |
a8ec6b |
"INPUT": "-i",
|
|
Packit |
a8ec6b |
"FORWARD_IN": "-i",
|
|
Packit |
a8ec6b |
"FORWARD_OUT": "-o",
|
|
Packit |
a8ec6b |
"OUTPUT": "-o",
|
|
Packit |
a8ec6b |
}[chain]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
|
|
Packit |
a8ec6b |
action = "-g"
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if enable and not append:
|
|
Packit |
a8ec6b |
rule = [ "-I", "%s_ZONES" % chain, "%%ZONE_INTERFACE%%" ]
|
|
Packit |
a8ec6b |
elif enable:
|
|
Packit |
a8ec6b |
rule = [ "-A", "%s_ZONES" % chain ]
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
rule = [ "-D", "%s_ZONES" % chain ]
|
|
Packit |
a8ec6b |
if not append:
|
|
Packit |
a8ec6b |
rule += ["%%ZONE_INTERFACE%%"]
|
|
Packit |
a8ec6b |
rule += [ "-t", table, opt, interface, action, target ]
|
|
Packit |
a8ec6b |
return [rule]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_zone_source_address_rules(self, enable, zone,
|
|
Packit |
a8ec6b |
address, table, chain):
|
|
Packit |
a8ec6b |
add_del = { True: "-I", False: "-D" }[enable]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
opt = {
|
|
Packit |
a8ec6b |
"PREROUTING": "-s",
|
|
Packit |
a8ec6b |
"POSTROUTING": "-d",
|
|
Packit |
a8ec6b |
"INPUT": "-s",
|
|
Packit |
a8ec6b |
"FORWARD_IN": "-s",
|
|
Packit |
a8ec6b |
"FORWARD_OUT": "-d",
|
|
Packit |
a8ec6b |
"OUTPUT": "-d",
|
|
Packit |
a8ec6b |
}[chain]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if self._fw._allow_zone_drifting:
|
|
Packit |
a8ec6b |
zone_dispatch_chain = "%s_ZONES_SOURCE" % (chain)
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
zone_dispatch_chain = "%s_ZONES" % (chain)
|
|
Packit |
a8ec6b |
|
|
Packit Service |
0249b5 |
# iptables can not match destination MAC
|
|
Packit Service |
0249b5 |
if check_mac(address) and chain in ["POSTROUTING", "FORWARD_OUT", "OUTPUT"]:
|
|
Packit Service |
0249b5 |
return []
|
|
Packit Service |
0249b5 |
|
|
Packit |
a8ec6b |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
|
|
Packit |
a8ec6b |
action = "-g"
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if address.startswith("ipset:"):
|
|
Packit |
a8ec6b |
name = address[6:]
|
|
Packit |
a8ec6b |
if opt == "-d":
|
|
Packit |
a8ec6b |
opt = "dst"
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
opt = "src"
|
|
Packit |
a8ec6b |
flags = ",".join([opt] * self._fw.ipset.get_dimension(name))
|
|
Packit |
a8ec6b |
rule = [ add_del, zone_dispatch_chain,
|
|
Packit |
a8ec6b |
"%%ZONE_SOURCE%%", zone,
|
|
Packit |
a8ec6b |
"-t", table,
|
|
Packit |
a8ec6b |
"-m", "set", "--match-set", name,
|
|
Packit |
a8ec6b |
flags, action, target ]
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
if check_mac(address):
|
|
Packit |
a8ec6b |
# outgoing can not be set
|
|
Packit |
a8ec6b |
if opt == "-d":
|
|
Packit |
a8ec6b |
return ""
|
|
Packit |
a8ec6b |
rule = [ add_del, zone_dispatch_chain,
|
|
Packit |
a8ec6b |
"%%ZONE_SOURCE%%", zone,
|
|
Packit |
a8ec6b |
"-t", table,
|
|
Packit |
a8ec6b |
"-m", "mac", "--mac-source", address.upper(),
|
|
Packit |
a8ec6b |
action, target ]
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
if check_single_address("ipv6", address):
|
|
Packit |
a8ec6b |
address = normalizeIP6(address)
|
|
Packit |
a8ec6b |
elif check_address("ipv6", address):
|
|
Packit |
a8ec6b |
addr_split = address.split("/")
|
|
Packit |
a8ec6b |
address = normalizeIP6(addr_split[0]) + "/" + addr_split[1]
|
|
Packit |
a8ec6b |
rule = [ add_del, zone_dispatch_chain,
|
|
Packit |
a8ec6b |
"%%ZONE_SOURCE%%", zone,
|
|
Packit |
a8ec6b |
"-t", table,
|
|
Packit |
a8ec6b |
opt, address, action, target ]
|
|
Packit |
a8ec6b |
return [rule]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_zone_chain_rules(self, zone, table, chain):
|
|
Packit |
a8ec6b |
_zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
self.our_chains[table].update(set([_zone,
|
|
Packit |
a8ec6b |
"%s_log" % _zone,
|
|
Packit |
a8ec6b |
"%s_deny" % _zone,
|
|
Packit |
a8ec6b |
"%s_pre" % _zone,
|
|
Packit |
a8ec6b |
"%s_post" % _zone,
|
|
Packit |
a8ec6b |
"%s_allow" % _zone]))
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rules = []
|
|
Packit |
a8ec6b |
rules.append([ "-N", _zone, "-t", table ])
|
|
Packit |
a8ec6b |
rules.append([ "-N", "%s_pre" % _zone, "-t", table ])
|
|
Packit |
a8ec6b |
rules.append([ "-N", "%s_log" % _zone, "-t", table ])
|
|
Packit |
a8ec6b |
rules.append([ "-N", "%s_deny" % _zone, "-t", table ])
|
|
Packit |
a8ec6b |
rules.append([ "-N", "%s_allow" % _zone, "-t", table ])
|
|
Packit |
a8ec6b |
rules.append([ "-N", "%s_post" % _zone, "-t", table ])
|
|
Packit |
a8ec6b |
rules.append([ "-A", _zone, "-t", table, "-j", "%s_pre" % _zone ])
|
|
Packit |
a8ec6b |
rules.append([ "-A", _zone, "-t", table, "-j", "%s_log" % _zone ])
|
|
Packit |
a8ec6b |
rules.append([ "-A", _zone, "-t", table, "-j", "%s_deny" % _zone ])
|
|
Packit |
a8ec6b |
rules.append([ "-A", _zone, "-t", table, "-j", "%s_allow" % _zone ])
|
|
Packit |
a8ec6b |
rules.append([ "-A", _zone, "-t", table, "-j", "%s_post" % _zone ])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
target = self._fw.zone._zones[zone].target
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if self._fw.get_log_denied() != "off":
|
|
Packit |
a8ec6b |
if table == "filter" and \
|
|
Packit |
a8ec6b |
chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
|
|
Packit |
a8ec6b |
if target in [ "REJECT", "%%REJECT%%" ]:
|
|
Packit |
a8ec6b |
rules.append([ "-A", _zone, "-t", table, "%%LOGTYPE%%",
|
|
Packit |
a8ec6b |
"-j", "LOG", "--log-prefix",
|
|
Packit |
a8ec6b |
"\"%s_REJECT: \"" % _zone ])
|
|
Packit |
a8ec6b |
if target == "DROP":
|
|
Packit |
a8ec6b |
rules.append([ "-A", _zone, "-t", table, "%%LOGTYPE%%",
|
|
Packit |
a8ec6b |
"-j", "LOG", "--log-prefix",
|
|
Packit |
a8ec6b |
"\"%s_DROP: \"" % _zone ])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
# Handle trust, block and drop zones:
|
|
Packit |
a8ec6b |
# Add an additional rule with the zone target (accept, reject
|
|
Packit |
a8ec6b |
# or drop) to the base zone only in the filter table.
|
|
Packit |
a8ec6b |
# Otherwise it is not be possible to have a zone with drop
|
|
Packit |
a8ec6b |
# target, that is allowing traffic that is locally initiated
|
|
Packit |
a8ec6b |
# or that adds additional rules. (RHBZ#1055190)
|
|
Packit |
a8ec6b |
if table == "filter" and \
|
|
Packit |
a8ec6b |
target in [ "ACCEPT", "REJECT", "%%REJECT%%", "DROP" ] and \
|
|
Packit |
a8ec6b |
chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
|
|
Packit |
a8ec6b |
rules.append([ "-A", _zone, "-t", table, "-j", target ])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return rules
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def _rule_limit(self, limit):
|
|
Packit |
a8ec6b |
if limit:
|
|
Packit |
a8ec6b |
return [ "-m", "limit", "--limit", limit.value ]
|
|
Packit |
a8ec6b |
return []
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def _rich_rule_chain_suffix(self, rich_rule):
|
|
Packit |
a8ec6b |
if type(rich_rule.element) in [Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock]:
|
|
Packit |
a8ec6b |
# These are special and don't have an explicit action
|
|
Packit |
a8ec6b |
pass
|
|
Packit |
a8ec6b |
elif rich_rule.action:
|
|
Packit |
a8ec6b |
if type(rich_rule.action) not in [Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark]:
|
|
Packit |
a8ec6b |
raise FirewallError(INVALID_RULE, "Unknown action %s" % type(rich_rule.action))
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
raise FirewallError(INVALID_RULE, "No rule action specified.")
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if rich_rule.priority == 0:
|
|
Packit |
a8ec6b |
if type(rich_rule.element) in [Rich_Masquerade, Rich_ForwardPort] or \
|
|
Packit |
a8ec6b |
type(rich_rule.action) in [Rich_Accept, Rich_Mark]:
|
|
Packit |
a8ec6b |
return "allow"
|
|
Packit |
a8ec6b |
elif type(rich_rule.element) in [Rich_IcmpBlock] or \
|
|
Packit |
a8ec6b |
type(rich_rule.action) in [Rich_Reject, Rich_Drop]:
|
|
Packit |
a8ec6b |
return "deny"
|
|
Packit |
a8ec6b |
elif rich_rule.priority < 0:
|
|
Packit |
a8ec6b |
return "pre"
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
return "post"
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def _rich_rule_chain_suffix_from_log(self, rich_rule):
|
|
Packit |
a8ec6b |
if not rich_rule.log and not rich_rule.audit:
|
|
Packit |
a8ec6b |
raise FirewallError(INVALID_RULE, "Not log or audit")
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if rich_rule.priority == 0:
|
|
Packit |
a8ec6b |
return "log"
|
|
Packit |
a8ec6b |
elif rich_rule.priority < 0:
|
|
Packit |
a8ec6b |
return "pre"
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
return "post"
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def _rich_rule_priority_fragment(self, rich_rule):
|
|
Packit |
a8ec6b |
if rich_rule.priority == 0:
|
|
Packit |
a8ec6b |
return []
|
|
Packit |
a8ec6b |
return ["%%RICH_RULE_PRIORITY%%", rich_rule.priority]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def _rich_rule_log(self, rich_rule, enable, table, target, rule_fragment):
|
|
Packit |
a8ec6b |
if not rich_rule.log:
|
|
Packit |
a8ec6b |
return []
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
add_del = { True: "-A", False: "-D" }[enable]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
chain_suffix = self._rich_rule_chain_suffix_from_log(rich_rule)
|
|
Packit |
a8ec6b |
rule = ["-t", table, add_del, "%s_%s" % (target, chain_suffix)]
|
|
Packit |
a8ec6b |
rule += self._rich_rule_priority_fragment(rich_rule)
|
|
Packit |
a8ec6b |
rule += rule_fragment + [ "-j", "LOG" ]
|
|
Packit |
a8ec6b |
if rich_rule.log.prefix:
|
|
Packit |
a8ec6b |
rule += [ "--log-prefix", "'%s'" % rich_rule.log.prefix ]
|
|
Packit |
a8ec6b |
if rich_rule.log.level:
|
|
Packit |
a8ec6b |
rule += [ "--log-level", "%s" % rich_rule.log.level ]
|
|
Packit |
a8ec6b |
rule += self._rule_limit(rich_rule.log.limit)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return rule
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def _rich_rule_audit(self, rich_rule, enable, table, target, rule_fragment):
|
|
Packit |
a8ec6b |
if not rich_rule.audit:
|
|
Packit |
a8ec6b |
return []
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
add_del = { True: "-A", False: "-D" }[enable]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
chain_suffix = self._rich_rule_chain_suffix_from_log(rich_rule)
|
|
Packit |
a8ec6b |
rule = ["-t", table, add_del, "%s_%s" % (target, chain_suffix)]
|
|
Packit |
a8ec6b |
rule += self._rich_rule_priority_fragment(rich_rule)
|
|
Packit |
a8ec6b |
rule += rule_fragment
|
|
Packit |
a8ec6b |
if type(rich_rule.action) == Rich_Accept:
|
|
Packit |
a8ec6b |
_type = "accept"
|
|
Packit |
a8ec6b |
elif type(rich_rule.action) == Rich_Reject:
|
|
Packit |
a8ec6b |
_type = "reject"
|
|
Packit |
a8ec6b |
elif type(rich_rule.action) == Rich_Drop:
|
|
Packit |
a8ec6b |
_type = "drop"
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
_type = "unknown"
|
|
Packit |
a8ec6b |
rule += [ "-j", "AUDIT", "--type", _type ]
|
|
Packit |
a8ec6b |
rule += self._rule_limit(rich_rule.audit.limit)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return rule
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def _rich_rule_action(self, zone, rich_rule, enable, table, target, rule_fragment):
|
|
Packit |
a8ec6b |
if not rich_rule.action:
|
|
Packit |
a8ec6b |
return []
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
add_del = { True: "-A", False: "-D" }[enable]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
chain_suffix = self._rich_rule_chain_suffix(rich_rule)
|
|
Packit |
a8ec6b |
chain = "%s_%s" % (target, chain_suffix)
|
|
Packit |
a8ec6b |
if type(rich_rule.action) == Rich_Accept:
|
|
Packit |
a8ec6b |
rule_action = [ "-j", "ACCEPT" ]
|
|
Packit |
a8ec6b |
elif type(rich_rule.action) == Rich_Reject:
|
|
Packit |
a8ec6b |
rule_action = [ "-j", "REJECT" ]
|
|
Packit |
a8ec6b |
if rich_rule.action.type:
|
|
Packit |
a8ec6b |
rule_action += [ "--reject-with", rich_rule.action.type ]
|
|
Packit |
a8ec6b |
elif type(rich_rule.action) == Rich_Drop:
|
|
Packit |
a8ec6b |
rule_action = [ "-j", "DROP" ]
|
|
Packit |
a8ec6b |
elif type(rich_rule.action) == Rich_Mark:
|
|
Packit |
a8ec6b |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
|
|
Packit |
a8ec6b |
zone=zone)
|
|
Packit |
a8ec6b |
table = "mangle"
|
|
Packit |
a8ec6b |
chain = "%s_%s" % (target, chain_suffix)
|
|
Packit |
a8ec6b |
rule_action = [ "-j", "MARK", "--set-xmark", rich_rule.action.set ]
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
raise FirewallError(INVALID_RULE,
|
|
Packit |
a8ec6b |
"Unknown action %s" % type(rich_rule.action))
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rule = ["-t", table, add_del, chain]
|
|
Packit |
a8ec6b |
rule += self._rich_rule_priority_fragment(rich_rule)
|
|
Packit |
a8ec6b |
rule += rule_fragment + rule_action
|
|
Packit |
a8ec6b |
rule += self._rule_limit(rich_rule.action.limit)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return rule
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def _rich_rule_destination_fragment(self, rich_dest):
|
|
Packit |
a8ec6b |
if not rich_dest:
|
|
Packit |
a8ec6b |
return []
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rule_fragment = []
|
|
Packit |
a8ec6b |
if rich_dest.invert:
|
|
Packit |
a8ec6b |
rule_fragment.append("!")
|
|
Packit |
a8ec6b |
if check_single_address("ipv6", rich_dest.addr):
|
|
Packit |
a8ec6b |
rule_fragment += [ "-d", normalizeIP6(rich_dest.addr) ]
|
|
Packit |
a8ec6b |
elif check_address("ipv6", rich_dest.addr):
|
|
Packit |
a8ec6b |
addr_split = rich_dest.addr.split("/")
|
|
Packit |
a8ec6b |
rule_fragment += [ "-d", normalizeIP6(addr_split[0]) + "/" + addr_split[1] ]
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
rule_fragment += [ "-d", rich_dest.addr ]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return rule_fragment
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def _rich_rule_source_fragment(self, rich_source):
|
|
Packit |
a8ec6b |
if not rich_source:
|
|
Packit |
a8ec6b |
return []
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rule_fragment = []
|
|
Packit |
a8ec6b |
if rich_source.addr:
|
|
Packit |
a8ec6b |
if rich_source.invert:
|
|
Packit |
a8ec6b |
rule_fragment.append("!")
|
|
Packit |
a8ec6b |
if check_single_address("ipv6", rich_source.addr):
|
|
Packit |
a8ec6b |
rule_fragment += [ "-s", normalizeIP6(rich_source.addr) ]
|
|
Packit |
a8ec6b |
elif check_address("ipv6", rich_source.addr):
|
|
Packit |
a8ec6b |
addr_split = rich_source.addr.split("/")
|
|
Packit |
a8ec6b |
rule_fragment += [ "-s", normalizeIP6(addr_split[0]) + "/" + addr_split[1] ]
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
rule_fragment += [ "-s", rich_source.addr ]
|
|
Packit |
a8ec6b |
elif hasattr(rich_source, "mac") and rich_source.mac:
|
|
Packit |
a8ec6b |
rule_fragment += [ "-m", "mac" ]
|
|
Packit |
a8ec6b |
if rich_source.invert:
|
|
Packit |
a8ec6b |
rule_fragment.append("!")
|
|
Packit |
a8ec6b |
rule_fragment += [ "--mac-source", rich_source.mac ]
|
|
Packit |
a8ec6b |
elif hasattr(rich_source, "ipset") and rich_source.ipset:
|
|
Packit |
a8ec6b |
rule_fragment += [ "-m", "set" ]
|
|
Packit |
a8ec6b |
if rich_source.invert:
|
|
Packit |
a8ec6b |
rule_fragment.append("!")
|
|
Packit |
a8ec6b |
flags = self._fw.zone._ipset_match_flags(rich_source.ipset, "src")
|
|
Packit |
a8ec6b |
rule_fragment += [ "--match-set", rich_source.ipset, flags ]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return rule_fragment
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_zone_ports_rules(self, enable, zone, proto, port, destination=None, rich_rule=None):
|
|
Packit |
a8ec6b |
add_del = { True: "-A", False: "-D" }[enable]
|
|
Packit |
a8ec6b |
table = "filter"
|
|
Packit |
a8ec6b |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
|
|
Packit |
a8ec6b |
zone=zone)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rule_fragment = [ "-p", proto ]
|
|
Packit |
a8ec6b |
if port:
|
|
Packit |
a8ec6b |
rule_fragment += [ "--dport", "%s" % portStr(port) ]
|
|
Packit |
a8ec6b |
if destination:
|
|
Packit |
a8ec6b |
rule_fragment += [ "-d", destination ]
|
|
Packit |
a8ec6b |
if rich_rule:
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
|
|
Packit |
a8ec6b |
if not rich_rule or type(rich_rule.action) != Rich_Mark:
|
|
Packit |
a8ec6b |
rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rules = []
|
|
Packit |
a8ec6b |
if rich_rule:
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment))
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment))
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment))
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
rules.append([add_del, "%s_allow" % (target), "-t", table] +
|
|
Packit |
a8ec6b |
rule_fragment + [ "-j", "ACCEPT" ])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return rules
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_zone_protocol_rules(self, enable, zone, protocol, destination=None, rich_rule=None):
|
|
Packit |
a8ec6b |
add_del = { True: "-A", False: "-D" }[enable]
|
|
Packit |
a8ec6b |
table = "filter"
|
|
Packit |
a8ec6b |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rule_fragment = [ "-p", protocol ]
|
|
Packit |
a8ec6b |
if destination:
|
|
Packit |
a8ec6b |
rule_fragment += [ "-d", destination ]
|
|
Packit |
a8ec6b |
if rich_rule:
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
|
|
Packit |
a8ec6b |
if not rich_rule or type(rich_rule.action) != Rich_Mark:
|
|
Packit |
a8ec6b |
rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rules = []
|
|
Packit |
a8ec6b |
if rich_rule:
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment))
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment))
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment))
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
rules.append([add_del, "%s_allow" % (target), "-t", table] +
|
|
Packit |
a8ec6b |
rule_fragment + [ "-j", "ACCEPT" ])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return rules
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_zone_source_ports_rules(self, enable, zone, proto, port,
|
|
Packit |
a8ec6b |
destination=None, rich_rule=None):
|
|
Packit |
a8ec6b |
add_del = { True: "-A", False: "-D" }[enable]
|
|
Packit |
a8ec6b |
table = "filter"
|
|
Packit |
a8ec6b |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rule_fragment = [ "-p", proto ]
|
|
Packit |
a8ec6b |
if port:
|
|
Packit |
a8ec6b |
rule_fragment += [ "--sport", "%s" % portStr(port) ]
|
|
Packit |
a8ec6b |
if destination:
|
|
Packit |
a8ec6b |
rule_fragment += [ "-d", destination ]
|
|
Packit |
a8ec6b |
if rich_rule:
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
|
|
Packit |
a8ec6b |
if not rich_rule or type(rich_rule.action) != Rich_Mark:
|
|
Packit |
a8ec6b |
rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rules = []
|
|
Packit |
a8ec6b |
if rich_rule:
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment))
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment))
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment))
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
rules.append([add_del, "%s_allow" % (target), "-t", table] +
|
|
Packit |
a8ec6b |
rule_fragment + [ "-j", "ACCEPT" ])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return rules
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_zone_helper_ports_rules(self, enable, zone, proto, port,
|
|
Packit |
a8ec6b |
destination, helper_name, module_short_name):
|
|
Packit |
a8ec6b |
add_del = { True: "-A", False: "-D" }[enable]
|
|
Packit |
a8ec6b |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
|
|
Packit |
a8ec6b |
zone=zone)
|
|
Packit |
a8ec6b |
rule = [ add_del, "%s_allow" % (target), "-t", "raw", "-p", proto ]
|
|
Packit |
a8ec6b |
if port:
|
|
Packit |
a8ec6b |
rule += [ "--dport", "%s" % portStr(port) ]
|
|
Packit |
a8ec6b |
if destination:
|
|
Packit |
a8ec6b |
rule += [ "-d", destination ]
|
|
Packit |
a8ec6b |
rule += [ "-j", "CT", "--helper", module_short_name ]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return [rule]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_zone_masquerade_rules(self, enable, zone, rich_rule=None):
|
|
Packit |
a8ec6b |
add_del = { True: "-A", False: "-D" }[enable]
|
|
Packit |
a8ec6b |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["POSTROUTING"],
|
|
Packit |
a8ec6b |
zone=zone)
|
|
Packit |
a8ec6b |
rule_fragment = []
|
|
Packit |
a8ec6b |
if rich_rule:
|
|
Packit |
a8ec6b |
chain_suffix = self._rich_rule_chain_suffix(rich_rule)
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_priority_fragment(rich_rule)
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
chain_suffix = "allow"
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rules = []
|
|
Packit |
a8ec6b |
rules.append(["-t", "nat", add_del, "%s_%s" % (target, chain_suffix)]
|
|
Packit |
a8ec6b |
+ rule_fragment +
|
|
Packit |
a8ec6b |
[ "!", "-o", "lo", "-j", "MASQUERADE" ])
|
|
Packit |
a8ec6b |
# FORWARD_OUT
|
|
Packit |
a8ec6b |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["FORWARD_OUT"],
|
|
Packit |
a8ec6b |
zone=zone)
|
|
Packit |
a8ec6b |
rule_fragment = []
|
|
Packit |
a8ec6b |
if rich_rule:
|
|
Packit |
a8ec6b |
chain_suffix = self._rich_rule_chain_suffix(rich_rule)
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_priority_fragment(rich_rule)
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
chain_suffix = "allow"
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rules.append(["-t", "filter", add_del, "%s_%s" % (target, chain_suffix)]
|
|
Packit |
a8ec6b |
+ rule_fragment +
|
|
Packit |
a8ec6b |
["-m", "conntrack", "--ctstate", "NEW,UNTRACKED", "-j", "ACCEPT" ])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return rules
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_zone_forward_port_rules(self, enable, zone, port,
|
|
Packit |
a8ec6b |
protocol, toport, toaddr, rich_rule=None):
|
|
Packit |
a8ec6b |
add_del = { True: "-A", False: "-D" }[enable]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
to = ""
|
|
Packit |
a8ec6b |
if toaddr:
|
|
Packit |
a8ec6b |
if check_single_address("ipv6", toaddr):
|
|
Packit |
a8ec6b |
to += "[%s]" % normalizeIP6(toaddr)
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
to += toaddr
|
|
Packit |
a8ec6b |
if toport and toport != "":
|
|
Packit |
a8ec6b |
to += ":%s" % portStr(toport, "-")
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
|
|
Packit |
a8ec6b |
zone=zone)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rule_fragment = []
|
|
Packit |
a8ec6b |
if rich_rule:
|
|
Packit |
a8ec6b |
chain_suffix = self._rich_rule_chain_suffix(rich_rule)
|
|
Packit |
a8ec6b |
rule_fragment = self._rich_rule_priority_fragment(rich_rule)
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
chain_suffix = "allow"
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rules = []
|
|
Packit |
a8ec6b |
if rich_rule:
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_log(rich_rule, enable, "nat", target, rule_fragment))
|
|
Packit |
a8ec6b |
rules.append(["-t", "nat", add_del, "%s_%s" % (target, chain_suffix)]
|
|
Packit |
a8ec6b |
+ rule_fragment +
|
|
Packit |
a8ec6b |
["-p", protocol, "--dport", portStr(port),
|
|
Packit |
a8ec6b |
"-j", "DNAT", "--to-destination", to])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return rules
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_zone_icmp_block_rules(self, enable, zone, ict, rich_rule=None):
|
|
Packit |
a8ec6b |
table = "filter"
|
|
Packit |
a8ec6b |
add_del = { True: "-A", False: "-D" }[enable]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if self.ipv == "ipv4":
|
|
Packit |
a8ec6b |
proto = [ "-p", "icmp" ]
|
|
Packit |
a8ec6b |
match = [ "-m", "icmp", "--icmp-type", ict.name ]
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
proto = [ "-p", "ipv6-icmp" ]
|
|
Packit |
a8ec6b |
match = [ "-m", "icmp6", "--icmpv6-type", ict.name ]
|
|
Packit |
a8ec6b |
|
|
Packit Service |
793fa2 |
if rich_rule and rich_rule.action and isinstance(rich_rule.action, Rich_Mark):
|
|
Packit Service |
793fa2 |
chains = ["PREROUTING"]
|
|
Packit Service |
793fa2 |
else:
|
|
Packit Service |
793fa2 |
chains = ["INPUT", "FORWARD_IN"]
|
|
Packit Service |
793fa2 |
|
|
Packit |
a8ec6b |
rules = []
|
|
Packit Service |
793fa2 |
for chain in chains:
|
|
Packit |
a8ec6b |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
|
|
Packit |
a8ec6b |
zone=zone)
|
|
Packit |
a8ec6b |
if self._fw.zone.query_icmp_block_inversion(zone):
|
|
Packit |
a8ec6b |
final_chain = "%s_allow" % target
|
|
Packit |
a8ec6b |
final_target = "ACCEPT"
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
final_chain = "%s_deny" % target
|
|
Packit |
a8ec6b |
final_target = "%%REJECT%%"
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rule_fragment = []
|
|
Packit |
a8ec6b |
if rich_rule:
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
|
|
Packit |
a8ec6b |
rule_fragment += proto + match
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if rich_rule:
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment))
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment))
|
|
Packit |
a8ec6b |
if rich_rule.action:
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment))
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
chain_suffix = self._rich_rule_chain_suffix(rich_rule)
|
|
Packit |
a8ec6b |
rules.append(["-t", table, add_del, "%s_%s" % (target, chain_suffix)]
|
|
Packit |
a8ec6b |
+ self._rich_rule_priority_fragment(rich_rule)
|
|
Packit |
a8ec6b |
+ rule_fragment +
|
|
Packit |
a8ec6b |
[ "-j", "%%REJECT%%" ])
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
if self._fw.get_log_denied() != "off" and final_target != "ACCEPT":
|
|
Packit |
a8ec6b |
rules.append([ add_del, final_chain, "-t", table ]
|
|
Packit |
a8ec6b |
+ rule_fragment +
|
|
Packit |
a8ec6b |
[ "%%LOGTYPE%%", "-j", "LOG",
|
|
Packit |
a8ec6b |
"--log-prefix", "\"%s_ICMP_BLOCK: \"" % zone ])
|
|
Packit |
a8ec6b |
rules.append([ add_del, final_chain, "-t", table ]
|
|
Packit |
a8ec6b |
+ rule_fragment +
|
|
Packit |
a8ec6b |
[ "-j", final_target ])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return rules
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_zone_icmp_block_inversion_rules(self, enable, zone):
|
|
Packit |
a8ec6b |
table = "filter"
|
|
Packit |
a8ec6b |
rules = []
|
|
Packit |
a8ec6b |
for chain in [ "INPUT", "FORWARD_IN" ]:
|
|
Packit |
a8ec6b |
rule_idx = 6
|
|
Packit |
a8ec6b |
_zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
|
|
Packit |
a8ec6b |
zone=zone)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if self._fw.zone.query_icmp_block_inversion(zone):
|
|
Packit |
a8ec6b |
ibi_target = "%%REJECT%%"
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if self._fw.get_log_denied() != "off":
|
|
Packit |
a8ec6b |
if enable:
|
|
Packit |
a8ec6b |
rule = [ "-I", _zone, str(rule_idx) ]
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
rule = [ "-D", _zone ]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rule = rule + [ "-t", table, "-p", "%%ICMP%%",
|
|
Packit |
a8ec6b |
"%%LOGTYPE%%",
|
|
Packit |
a8ec6b |
"-j", "LOG", "--log-prefix",
|
|
Packit |
a8ec6b |
"\"%s_ICMP_BLOCK: \"" % _zone ]
|
|
Packit |
a8ec6b |
rules.append(rule)
|
|
Packit |
a8ec6b |
rule_idx += 1
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
ibi_target = "ACCEPT"
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
if enable:
|
|
Packit |
a8ec6b |
rule = [ "-I", _zone, str(rule_idx) ]
|
|
Packit |
a8ec6b |
else:
|
|
Packit |
a8ec6b |
rule = [ "-D", _zone ]
|
|
Packit |
a8ec6b |
rule = rule + [ "-t", table, "-p", "%%ICMP%%", "-j", ibi_target ]
|
|
Packit |
a8ec6b |
rules.append(rule)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return rules
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_zone_rich_source_destination_rules(self, enable, zone, rich_rule):
|
|
Packit |
a8ec6b |
table = "filter"
|
|
Packit |
a8ec6b |
target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
|
|
Packit |
a8ec6b |
zone=zone)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rule_fragment = []
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
|
|
Packit |
a8ec6b |
rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rules = []
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment))
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment))
|
|
Packit |
a8ec6b |
rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment))
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
return rules
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def is_ipv_supported(self, ipv):
|
|
Packit |
a8ec6b |
return ipv == self.ipv
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
class ip6tables(ip4tables):
|
|
Packit |
a8ec6b |
ipv = "ipv6"
|
|
Packit |
a8ec6b |
name = "ip6tables"
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_rpfilter_rules(self, log_denied=False):
|
|
Packit |
a8ec6b |
rules = []
|
|
Packit |
a8ec6b |
rules.append([ "-I", "PREROUTING", "-t", "raw",
|
|
Packit |
a8ec6b |
"-m", "rpfilter", "--invert", "-j", "DROP" ])
|
|
Packit |
a8ec6b |
if log_denied != "off":
|
|
Packit |
a8ec6b |
rules.append([ "-I", "PREROUTING", "-t", "raw",
|
|
Packit |
a8ec6b |
"-m", "rpfilter", "--invert",
|
|
Packit |
a8ec6b |
"-j", "LOG",
|
|
Packit |
a8ec6b |
"--log-prefix", "rpfilter_DROP: " ])
|
|
Packit |
a8ec6b |
rules.append([ "-I", "PREROUTING", "-t", "raw",
|
|
Packit |
a8ec6b |
"-p", "ipv6-icmp",
|
|
Packit |
a8ec6b |
"--icmpv6-type=neighbour-solicitation",
|
|
Packit |
a8ec6b |
"-j", "ACCEPT" ]) # RHBZ#1575431, kernel bug in 4.16-4.17
|
|
Packit |
a8ec6b |
rules.append([ "-I", "PREROUTING", "-t", "raw",
|
|
Packit |
a8ec6b |
"-p", "ipv6-icmp",
|
|
Packit |
a8ec6b |
"--icmpv6-type=router-advertisement",
|
|
Packit |
a8ec6b |
"-j", "ACCEPT" ]) # RHBZ#1058505
|
|
Packit |
a8ec6b |
return rules
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
def build_rfc3964_ipv4_rules(self):
|
|
Packit |
a8ec6b |
daddr_list = [
|
|
Packit |
a8ec6b |
"::0.0.0.0/96", # IPv4 compatible
|
|
Packit |
a8ec6b |
"::ffff:0.0.0.0/96", # IPv4 mapped
|
|
Packit |
a8ec6b |
"2002:0000::/24", # 0.0.0.0/8 (the system has no address assigned yet)
|
|
Packit |
a8ec6b |
"2002:0a00::/24", # 10.0.0.0/8 (private)
|
|
Packit |
a8ec6b |
"2002:7f00::/24", # 127.0.0.0/8 (loopback)
|
|
Packit |
a8ec6b |
"2002:ac10::/28", # 172.16.0.0/12 (private)
|
|
Packit |
a8ec6b |
"2002:c0a8::/32", # 192.168.0.0/16 (private)
|
|
Packit |
a8ec6b |
"2002:a9fe::/32", # 169.254.0.0/16 (IANA Assigned DHCP link-local)
|
|
Packit |
a8ec6b |
"2002:e000::/19", # 224.0.0.0/4 (multicast), 240.0.0.0/4 (reserved and broadcast)
|
|
Packit |
a8ec6b |
]
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
chain_name = "RFC3964_IPv4"
|
|
Packit |
a8ec6b |
self.our_chains["filter"].add(chain_name)
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
rules = []
|
|
Packit |
a8ec6b |
rules.append(["-t", "filter", "-N", chain_name])
|
|
Packit |
a8ec6b |
for daddr in daddr_list:
|
|
Packit |
a8ec6b |
rules.append(["-t", "filter", "-I", chain_name,
|
|
Packit |
a8ec6b |
"-d", daddr, "-j", "REJECT", "--reject-with",
|
|
Packit |
a8ec6b |
"addr-unreach"])
|
|
Packit |
a8ec6b |
if self._fw._log_denied in ["unicast", "all"]:
|
|
Packit |
a8ec6b |
rules.append(["-t", "filter", "-I", chain_name,
|
|
Packit |
a8ec6b |
"-d", daddr, "-j", "LOG",
|
|
Packit |
a8ec6b |
"--log-prefix", "\"RFC3964_IPv4_REJECT: \""])
|
|
Packit |
a8ec6b |
|
|
Packit |
a8ec6b |
# Inject into FORWARD and OUTPUT chains
|
|
Packit |
a8ec6b |
rules.append(["-t", "filter", "-I", "OUTPUT", "3",
|
|
Packit |
a8ec6b |
"-j", chain_name])
|
|
Packit |
a8ec6b |
rules.append(["-t", "filter", "-I", "FORWARD", "4",
|
|
Packit |
a8ec6b |
"-j", chain_name])
|
|
Packit |
a8ec6b |
return rules
|