# -*- coding: utf-8 -*-
#
# Copyright (C) 2015-2016 Red Hat, Inc.
#
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
"""The ipset command wrapper"""
__all__ = [ "ipset", "check_ipset_name", "remove_default_create_options" ]
import os.path
from firewall import errors
from firewall.errors import FirewallError
from firewall.core.prog import runProg
from firewall.core.logger import log
from firewall.functions import tempFile, readfile
from firewall.config import COMMANDS
IPSET_MAXNAMELEN = 32
IPSET_TYPES = [
# bitmap and set types are currently not supported
# "bitmap:ip",
# "bitmap:ip,mac",
# "bitmap:port",
# "list:set",
"hash:ip",
"hash:ip,port",
"hash:ip,port,ip",
"hash:ip,port,net",
"hash:ip,mark",
"hash:net",
"hash:net,net",
"hash:net,port",
"hash:net,port,net",
"hash:net,iface",
"hash:mac",
]
IPSET_CREATE_OPTIONS = {
"family": "inet|inet6",
"hashsize": "value",
"maxelem": "value",
"timeout": "value in secs",
#"counters": None,
#"comment": None,
}
IPSET_DEFAULT_CREATE_OPTIONS = {
"family": "inet",
"hashsize": "1024",
"maxelem": "65536",
}
class ipset(object):
"""ipset command wrapper class"""
def __init__(self):
self._command = COMMANDS["ipset"]
self.name = "ipset"
def __run(self, args):
"""Call ipset with args"""
# convert to string list
_args = ["%s" % item for item in args]
log.debug2("%s: %s %s", self.__class__, self._command, " ".join(_args))
(status, ret) = runProg(self._command, _args)
if status != 0:
raise ValueError("'%s %s' failed: %s" % (self._command,
" ".join(_args), ret))
return ret
def check_name(self, name):
"""Check ipset name"""
if len(name) > IPSET_MAXNAMELEN:
raise FirewallError(errors.INVALID_NAME,
"ipset name '%s' is not valid" % name)
def set_supported_types(self):
"""Return types that are supported by the ipset command and kernel"""
ret = [ ]
output = ""
try:
output = self.__run(["--help"])
except ValueError as ex:
log.debug1("ipset error: %s" % ex)
lines = output.splitlines()
in_types = False
for line in lines:
#print(line)
if in_types:
splits = line.strip().split(None, 2)
if splits[0] not in ret and splits[0] in IPSET_TYPES:
ret.append(splits[0])
if line.startswith("Supported set types:"):
in_types = True
return ret
def check_type(self, type_name):
"""Check ipset type"""
if len(type_name) > IPSET_MAXNAMELEN or type_name not in IPSET_TYPES:
raise FirewallError(errors.INVALID_TYPE,
"ipset type name '%s' is not valid" % type_name)
def set_create(self, set_name, type_name, options=None):
"""Create an ipset with name, type and options"""
self.check_name(set_name)
self.check_type(type_name)
args = [ "create", set_name, type_name ]
if isinstance(options, dict):
for key, val in options.items():
args.append(key)
if val != "":
args.append(val)
return self.__run(args)
def set_destroy(self, set_name):
self.check_name(set_name)
return self.__run([ "destroy", set_name ])
def set_add(self, set_name, entry):
args = [ "add", set_name, entry ]
return self.__run(args)
def set_delete(self, set_name, entry):
args = [ "del", set_name, entry ]
return self.__run(args)
def test(self, set_name, entry, options=None):
args = [ "test", set_name, entry ]
if options:
args.append("%s" % " ".join(options))
return self.__run(args)
def set_list(self, set_name=None, options=None):
args = [ "list" ]
if set_name:
args.append(set_name)
if options:
args.extend(options)
return self.__run(args).split("\n")
def set_get_active_terse(self):
""" Get active ipsets (only headers) """
lines = self.set_list(options=["-terse"])
ret = { }
_name = _type = None
_options = { }
for line in lines:
if len(line) < 1:
continue
pair = [ x.strip() for x in line.split(":", 1) ]
if len(pair) != 2:
continue
elif pair[0] == "Name":
_name = pair[1]
elif pair[0] == "Type":
_type = pair[1]
elif pair[0] == "Header":
splits = pair[1].split()
i = 0
while i < len(splits):
opt = splits[i]
if opt in [ "family", "hashsize", "maxelem", "timeout",
"netmask" ]:
if len(splits) > i:
i += 1
_options[opt] = splits[i]
else:
log.error("Malformed ipset list -terse output: %s",
line)
return { }
i += 1
if _name and _type:
ret[_name] = (_type,
remove_default_create_options(_options))
_name = _type = None
_options.clear()
return ret
def save(self, set_name=None):
args = [ "save" ]
if set_name:
args.append(set_name)
return self.__run(args)
def set_restore(self, set_name, type_name, entries,
create_options=None, entry_options=None):
self.check_name(set_name)
self.check_type(type_name)
temp_file = tempFile()
if ' ' in set_name:
set_name = "'%s'" % set_name
args = [ "create", set_name, type_name, "-exist" ]
if create_options:
for key, val in create_options.items():
args.append(key)
if val != "":
args.append(val)
temp_file.write("%s\n" % " ".join(args))
temp_file.write("flush %s\n" % set_name)
for entry in entries:
if ' ' in entry:
entry = "'%s'" % entry
if entry_options:
temp_file.write("add %s %s %s\n" % \
(set_name, entry, " ".join(entry_options)))
else:
temp_file.write("add %s %s\n" % (set_name, entry))
temp_file.close()
stat = os.stat(temp_file.name)
log.debug2("%s: %s restore %s", self.__class__, self._command,
"%s: %d" % (temp_file.name, stat.st_size))
args = [ "restore" ]
(status, ret) = runProg(self._command, args,
stdin=temp_file.name)
if log.getDebugLogLevel() > 2:
try:
readfile(temp_file.name)
except Exception:
pass
else:
i = 1
for line in readfile(temp_file.name):
log.debug3("%8d: %s" % (i, line), nofmt=1, nl=0)
if not line.endswith("\n"):
log.debug3("", nofmt=1)
i += 1
os.unlink(temp_file.name)
if status != 0:
raise ValueError("'%s %s' failed: %s" % (self._command,
" ".join(args), ret))
return ret
def set_flush(self, set_name):
args = [ "flush" ]
if set_name:
args.append(set_name)
return self.__run(args)
def rename(self, old_set_name, new_set_name):
return self.__run([ "rename", old_set_name, new_set_name ])
def swap(self, set_name_1, set_name_2):
return self.__run([ "swap", set_name_1, set_name_2 ])
def version(self):
return self.__run([ "version" ])
def check_ipset_name(name):
"""Return true if ipset name is valid"""
if len(name) > IPSET_MAXNAMELEN:
return False
return True
def remove_default_create_options(options):
""" Return only non default create options """
_options = options.copy()
for opt in IPSET_DEFAULT_CREATE_OPTIONS:
if opt in _options and \
IPSET_DEFAULT_CREATE_OPTIONS[opt] == _options[opt]:
del _options[opt]
return _options
| Name | Type | Size | Permission | Actions |
|---|---|---|---|---|
| io | Folder | 0755 |
|
|
| .__init__.pyo.40009 | File | 145 B | 0644 |
|
| .base.pyo.40009 | File | 1.29 KB | 0644 |
|
| .ebtables.pyo.40009 | File | 9.04 KB | 0644 |
|
| .fw.pyo.40009 | File | 30.67 KB | 0644 |
|
| .fw_config.pyo.40009 | File | 30.69 KB | 0644 |
|
| .fw_direct.pyo.40009 | File | 14.77 KB | 0644 |
|
| .fw_helper.pyo.40009 | File | 2.57 KB | 0644 |
|
| .fw_icmptype.pyo.40009 | File | 3 KB | 0644 |
|
| .fw_ifcfg.pyo.40009 | File | 1.84 KB | 0644 |
|
| .fw_ipset.pyo.40009 | File | 9.02 KB | 0644 |
|
| .fw_nm.pyo.40009 | File | 5.93 KB | 0644 |
|
| .fw_policies.pyo.40009 | File | 2.94 KB | 0644 |
|
| .fw_service.pyo.40009 | File | 2.14 KB | 0644 |
|
| .fw_test.pyo.40009 | File | 17.45 KB | 0644 |
|
| .fw_transaction.pyo.40009 | File | 10.96 KB | 0644 |
|
| .fw_zone.pyo.40009 | File | 57.31 KB | 0644 |
|
| .helper.pyo.40009 | File | 222 B | 0644 |
|
| .icmp.pyo.40009 | File | 2.89 KB | 0644 |
|
| .ipXtables.pyo.40009 | File | 34.8 KB | 0644 |
|
| .ipset.pyo.40009 | File | 9.15 KB | 0644 |
|
| .logger.pyo.40009 | File | 27.43 KB | 0644 |
|
| .modules.pyo.40009 | File | 3.56 KB | 0644 |
|
| .nftables.pyo.40009 | File | 38.56 KB | 0644 |
|
| .prog.pyo.40009 | File | 988 B | 0644 |
|
| .rich.pyo.40009 | File | 23.73 KB | 0644 |
|
| .watcher.pyo.40009 | File | 3.55 KB | 0644 |
|
| __init__.py | File | 0 B | 0644 |
|
| __init__.pyc | File | 145 B | 0644 |
|
| __init__.pyo | File | 145 B | 0644 |
|
| base.py | File | 1.94 KB | 0644 |
|
| base.pyc | File | 1.29 KB | 0644 |
|
| base.pyo | File | 1.29 KB | 0644 |
|
| ebtables.py | File | 9.13 KB | 0644 |
|
| ebtables.pyc | File | 9.04 KB | 0644 |
|
| ebtables.pyo | File | 9.04 KB | 0644 |
|
| fw.py | File | 43.71 KB | 0644 |
|
| fw.pyc | File | 30.67 KB | 0644 |
|
| fw.pyo | File | 30.67 KB | 0644 |
|
| fw_config.py | File | 35.99 KB | 0644 |
|
| fw_config.pyc | File | 30.69 KB | 0644 |
|
| fw_config.pyo | File | 30.69 KB | 0644 |
|
| fw_direct.py | File | 20.12 KB | 0644 |
|
| fw_direct.pyc | File | 14.77 KB | 0644 |
|
| fw_direct.pyo | File | 14.77 KB | 0644 |
|
| fw_helper.py | File | 1.79 KB | 0644 |
|
| fw_helper.pyc | File | 2.57 KB | 0644 |
|
| fw_helper.pyo | File | 2.57 KB | 0644 |
|
| fw_icmptype.py | File | 2.77 KB | 0644 |
|
| fw_icmptype.pyc | File | 3 KB | 0644 |
|
| fw_icmptype.pyo | File | 3 KB | 0644 |
|
| fw_ifcfg.py | File | 2.5 KB | 0644 |
|
| fw_ifcfg.pyc | File | 1.84 KB | 0644 |
|
| fw_ifcfg.pyo | File | 1.84 KB | 0644 |
|
| fw_ipset.py | File | 8.96 KB | 0644 |
|
| fw_ipset.pyc | File | 9.02 KB | 0644 |
|
| fw_ipset.pyo | File | 9.02 KB | 0644 |
|
| fw_nm.py | File | 6.49 KB | 0644 |
|
| fw_nm.pyc | File | 5.93 KB | 0644 |
|
| fw_nm.pyo | File | 5.93 KB | 0644 |
|
| fw_policies.py | File | 2.74 KB | 0644 |
|
| fw_policies.pyc | File | 2.94 KB | 0644 |
|
| fw_policies.pyo | File | 2.94 KB | 0644 |
|
| fw_service.py | File | 1.6 KB | 0644 |
|
| fw_service.pyc | File | 2.14 KB | 0644 |
|
| fw_service.pyo | File | 2.14 KB | 0644 |
|
| fw_test.py | File | 22.06 KB | 0644 |
|
| fw_test.pyc | File | 17.45 KB | 0644 |
|
| fw_test.pyo | File | 17.45 KB | 0644 |
|
| fw_transaction.py | File | 10.54 KB | 0644 |
|
| fw_transaction.pyc | File | 10.96 KB | 0644 |
|
| fw_transaction.pyo | File | 10.96 KB | 0644 |
|
| fw_zone.py | File | 75.6 KB | 0644 |
|
| fw_zone.pyc | File | 57.31 KB | 0644 |
|
| fw_zone.pyo | File | 57.31 KB | 0644 |
|
| helper.py | File | 804 B | 0644 |
|
| helper.pyc | File | 222 B | 0644 |
|
| helper.pyo | File | 222 B | 0644 |
|
| icmp.py | File | 3.03 KB | 0644 |
|
| icmp.pyc | File | 2.89 KB | 0644 |
|
| icmp.pyo | File | 2.89 KB | 0644 |
|
| ipXtables.py | File | 47.68 KB | 0644 |
|
| ipXtables.pyc | File | 34.8 KB | 0644 |
|
| ipXtables.pyo | File | 34.8 KB | 0644 |
|
| ipset.py | File | 9.1 KB | 0644 |
|
| ipset.pyc | File | 9.15 KB | 0644 |
|
| ipset.pyo | File | 9.15 KB | 0644 |
|
| logger.py | File | 30.31 KB | 0644 |
|
| logger.pyc | File | 27.43 KB | 0644 |
|
| logger.pyo | File | 27.43 KB | 0644 |
|
| modules.py | File | 3.63 KB | 0644 |
|
| modules.pyc | File | 3.56 KB | 0644 |
|
| modules.pyo | File | 3.56 KB | 0644 |
|
| nftables.py | File | 60.55 KB | 0644 |
|
| nftables.pyc | File | 38.56 KB | 0644 |
|
| nftables.pyo | File | 38.56 KB | 0644 |
|
| prog.py | File | 1.47 KB | 0644 |
|
| prog.pyc | File | 988 B | 0644 |
|
| prog.pyo | File | 988 B | 0644 |
|
| rich.py | File | 29.34 KB | 0644 |
|
| rich.pyc | File | 23.73 KB | 0644 |
|
| rich.pyo | File | 23.73 KB | 0644 |
|
| watcher.py | File | 3.15 KB | 0644 |
|
| watcher.pyc | File | 3.55 KB | 0644 |
|
| watcher.pyo | File | 3.55 KB | 0644 |
|