From ddcd5e1677c3c273e259699c3de8ef3e5f69f14c Mon Sep 17 00:00:00 2001
From: Eric Garver <e@erig.me>
Date: Fri, 30 Nov 2018 09:55:30 -0500
Subject: [PATCH 25/34] ipXtables: support rich rule priorities
(cherry picked from commit 29d657527bd24492ec269fd9ab756bb7360dd3df)
---
src/firewall/core/ipXtables.py | 214 ++++++++++++++++++++++++++++-----
1 file changed, 186 insertions(+), 28 deletions(-)
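diff --git a/src/firewall/core/ipXtables.py b/src/firewall/core/ipXtables.py
index b98ba5228e68..43ff9307a41c 100644
--- a/src/firewall/core/ipXtables.py
+++ b/src/firewall/core/ipXtables.py
@@ -20,6 +20,7 @@
 #
 
 import os.path
+import copy
 
 from firewall.core.base import SHORTCUTS, DEFAULT_ZONE_TARGET
 from firewall.core.prog import runProg
@@ -27,8 +28,9 @@ from firewall.core.logger import log
 from firewall.functions import tempFile, readfile, splitArgs, check_mac, portStr, \
 check_single_address
 from firewall import config
-from firewall.errors import FirewallError, INVALID_PASSTHROUGH, INVALID_RULE
-from firewall.core.rich import Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark
+from firewall.errors import FirewallError, INVALID_PASSTHROUGH, INVALID_RULE, UNKNOWN_ERROR
+from firewall.core.rich import Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark, \
+ Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock
 import string
 
 BUILT_IN_CHAINS = {
@@ -275,6 +277,7 @@ class ip4tables(object):
 self.restore_wait_option = self._detect_restore_wait_option()
 self.fill_exists()
 self.available_tables = []
+ self.rich_rule_priority_counts = {}
 
 def fill_exists(self):
 self.command_exists = os.path.exists(self._command)
@@ -385,10 +388,91 @@ class ip4tables(object):
 chain = args[i+1]
 return (table, chain)
 
+ def _set_rule_replace_rich_rule_priority(self, rule, rich_rule_priority_counts):
+ """
+ Change something like
+ -t filter -I public_IN %%RICH_RULE_PRIORITY%% 123
+ or
+ -t filter -A public_IN %%RICH_RULE_PRIORITY%% 321
+ into
+ -t filter -I public_IN 4
+ or
+ -t filter -I public_IN
+ """
+ try:
+ i = rule.index("%%RICH_RULE_PRIORITY%%")
+ except ValueError:
+ pass
+ else:
+ rule_add = True
+ insert = False
+ insert_add_index = -1
+ rule.pop(i)
+ priority = rule.pop(i)
+ if type(priority) != int:
+ raise FirewallError(INVALID_RULE, "rich rule priority must be followed by a number")
+
+ table = "filter"
+ for opt in [ "-t", "--table" ]:
+ try:
+ j = rule.index(opt)
+ except ValueError:
+ pass
+ else:
+ if len(rule) >= j+1:
+ table = rule[j+1]
+ for opt in [ "-A", "--append",
+ "-I", "--insert",
+ "-D", "--delete" ]:
+ try:
+ insert_add_index = rule.index(opt)
+ except ValueError:
+ pass
+ else:
+ if len(rule) >= insert_add_index+1:
+ chain = rule[insert_add_index+1]
+
+ if opt in [ "-I", "--insert" ]:
+ insert = True
+ if opt in [ "-D", "--delete" ]:
+ rule_add = False
+
+ chain = (table, chain)
+
+ # Add the rule to the priority counts. We don't need to store the
+ # rule, just bump the ref count for the priority value.
+ if not rule_add:
+ if chain not in rich_rule_priority_counts or \
+ priority not in rich_rule_priority_counts[chain] or \
+ rich_rule_priority_counts[chain][priority] <= 0:
+ raise FirewallError(UNKNOWN_ERROR, "nonexistent or underflow of rich rule priority count")
+
+ rich_rule_priority_counts[chain][priority] -= 1
+ else:
+ if chain not in rich_rule_priority_counts:
+ rich_rule_priority_counts[chain] = {}
+ if priority not in rich_rule_priority_counts[chain]:
+ rich_rule_priority_counts[chain][priority] = 0
+
+ # calculate index of new rule
+ index = 1
+ for p in sorted(rich_rule_priority_counts[chain].keys()):
+ if p == priority and insert:
+ break
+ index += rich_rule_priority_counts[chain][p]
+ if p == priority:
+ break
+
+ rich_rule_priority_counts[chain][priority] += 1
+
+ rule[insert_add_index] = "-I"
+ rule.insert(insert_add_index+2, "%d" % index)
+
 def set_rules(self, rules, log_denied):
 temp_file = tempFile()
 
 table_rules = { }
+ rich_rule_priority_counts = copy.deepcopy(self.rich_rule_priority_counts)
 for _rule in rules:
 rule = _rule[:]
 
@@ -412,6 +496,8 @@ class ip4tables(object):
 else:
 rule.pop(i)
 
+ self._set_rule_replace_rich_rule_priority(rule, rich_rule_priority_counts)
+
 table = "filter"
 # get table form rule
 for opt in [ "-t", "--table" ]:
@@ -473,6 +559,7 @@ class ip4tables(object):
 if status != 0:
 raise ValueError("'%s %s' failed: %s" % (self._restore_command,
 " ".join(args), ret))
+ self.rich_rule_priority_counts = rich_rule_priority_counts
 return ret
 
 def set_rule(self, rule, log_denied):
@@ -496,7 +583,11 @@ class ip4tables(object):
 else:
 rule.pop(i)
 
- return self.__run(rule)
+ rich_rule_priority_counts = copy.deepcopy(self.rich_rule_priority_counts)
+ self._set_rule_replace_rich_rule_priority(rule, self.rich_rule_priority_counts)
+ output = self.__run(rule)
+ self.rich_rule_priority_counts = rich_rule_priority_counts
+ return output
 
 def get_available_tables(self, table=None):
 ret = []
@@ -546,6 +637,7 @@ class ip4tables(object):
 return wait_option
 
 def build_flush_rules(self):
+ self.rich_rule_priority_counts = {}
 rules = []
 for table in BUILT_IN_CHAINS.keys():
 # Flush firewall rules: -F
@@ -712,16 +804,22 @@ class ip4tables(object):
 OUR_CHAINS[table].update(set([_zone,
 "%s_log" % _zone,
 "%s_deny" % _zone,
+ "%s_rich_rule_pre" % _zone,
+ "%s_rich_rule_post" % _zone,
 "%s_allow" % _zone]))
 
 rules = []
 rules.append([ "-N", _zone, "-t", table ])
+ rules.append([ "-N", "%s_rich_rule_pre" % _zone, "-t", table ])
 rules.append([ "-N", "%s_log" % _zone, "-t", table ])
 rules.append([ "-N", "%s_deny" % _zone, "-t", table ])
 rules.append([ "-N", "%s_allow" % _zone, "-t", table ])
- rules.append([ "-I", _zone, "1", "-t", table, "-j", "%s_log" % _zone ])
- rules.append([ "-I", _zone, "2", "-t", table, "-j", "%s_deny" % _zone ])
- rules.append([ "-I", _zone, "3", "-t", table, "-j", "%s_allow" % _zone ])
+ rules.append([ "-N", "%s_rich_rule_post" % _zone, "-t", table ])
+ rules.append([ "-I", _zone, "1", "-t", table, "-j", "%s_rich_rule_pre" % _zone ])
+ rules.append([ "-I", _zone, "2", "-t", table, "-j", "%s_log" % _zone ])
+ rules.append([ "-I", _zone, "3", "-t", table, "-j", "%s_deny" % _zone ])
+ rules.append([ "-I", _zone, "4", "-t", table, "-j", "%s_allow" % _zone ])
+ rules.append([ "-I", _zone, "5", "-t", table, "-j", "%s_rich_rule_post" % _zone ])
 
 # Handle trust, block and drop zones:
 # Add an additional rule with the zone target (accept, reject
@@ -733,17 +831,17 @@ class ip4tables(object):
 if table == "filter" and \
 target in [ "ACCEPT", "REJECT", "%%REJECT%%", "DROP" ] and \
 chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
- rules.append([ "-I", _zone, "4", "-t", table, "-j", target ])
+ rules.append([ "-I", _zone, "6", "-t", table, "-j", target ])
 
 if self._fw.get_log_denied() != "off":
 if table == "filter" and \
 chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
 if target in [ "REJECT", "%%REJECT%%" ]:
- rules.append([ "-I", _zone, "4", "-t", table, "%%LOGTYPE%%",
+ rules.append([ "-I", _zone, "6", "-t", table, "%%LOGTYPE%%",
 "-j", "LOG", "--log-prefix",
 "\"%s_REJECT: \"" % _zone ])
 if target == "DROP":
- rules.append([ "-I", _zone, "4", "-t", table, "%%LOGTYPE%%",
+ rules.append([ "-I", _zone, "6", "-t", table, "%%LOGTYPE%%",
 "-j", "LOG", "--log-prefix",
 "\"%s_DROP: \"" % _zone ])
 return rules
@@ -753,13 +851,53 @@ class ip4tables(object):
 return [ "-m", "limit", "--limit", limit.value ]
 return []
 
+ def _rich_rule_chain_suffix(self, rich_rule):
+ if type(rich_rule.element) in [Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock]:
+ # These are special and don't have an explicit action
+ pass
+ elif rich_rule.action:
+ if type(rich_rule.action) not in [Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark]:
+ raise FirewallError(INVALID_RULE, "Unknown action %s" % type(rich_rule.action))
+ else:
+ raise FirewallError(INVALID_RULE, "No rule action specified.")
+
+ if rich_rule.priority == 0:
+ if type(rich_rule.element) in [Rich_Masquerade, Rich_ForwardPort] or \
+ type(rich_rule.action) in [Rich_Accept, Rich_Mark]:
+ return "allow"
+ elif type(rich_rule.element) in [Rich_IcmpBlock] or \
+ type(rich_rule.action) in [Rich_Reject, Rich_Drop]:
+ return "deny"
+ elif rich_rule.priority < 0:
+ return "rich_rule_pre"
+ else:
+ return "rich_rule_post"
+
+ def _rich_rule_chain_suffix_from_log(self, rich_rule):
+ if not rich_rule.log and not rich_rule.audit:
+ raise FirewallError(INVALID_RULE, "Not log or audit")
+
+ if rich_rule.priority == 0:
+ return "log"
+ elif rich_rule.priority < 0:
+ return "rich_rule_pre"
+ else:
+ return "rich_rule_post"
+
+ def _rich_rule_priority_fragment(self, rich_rule):
+ if rich_rule.priority == 0:
+ return []
+ return ["%%RICH_RULE_PRIORITY%%", rich_rule.priority]
+
 def _rich_rule_log(self, rich_rule, enable, table, target, rule_fragment):
 if not rich_rule.log:
 return []
 
 add_del = { True: "-A", False: "-D" }[enable]
 
- rule = [ add_del, "%s_log" % (target), "-t", table]
+ chain_suffix = self._rich_rule_chain_suffix_from_log(rich_rule)
+ rule = ["-t", table, add_del, "%s_%s" % (target, chain_suffix)]
+ rule += self._rich_rule_priority_fragment(rich_rule)
 rule += rule_fragment + [ "-j", "LOG" ]
 if rich_rule.log.prefix:
 rule += [ "--log-prefix", "'%s'" % rich_rule.log.prefix ]
@@ -775,7 +913,10 @@ class ip4tables(object):
 
 add_del = { True: "-A", False: "-D" }[enable]
 
- rule = [add_del, "%s_log" % (target), "-t", table] + rule_fragment
+ chain_suffix = self._rich_rule_chain_suffix_from_log(rich_rule)
+ rule = ["-t", table, add_del, "%s_%s" % (target, chain_suffix)]
+ rule += self._rich_rule_priority_fragment(rich_rule)
+ rule += rule_fragment
 if type(rich_rule.action) == Rich_Accept:
 _type = "accept"
 elif type(rich_rule.action) == Rich_Reject:
@@ -795,28 +936,28 @@ class ip4tables(object):
 
 add_del = { True: "-A", False: "-D" }[enable]
 
+ chain_suffix = self._rich_rule_chain_suffix(rich_rule)
+ chain = "%s_%s" % (target, chain_suffix)
 if type(rich_rule.action) == Rich_Accept:
- chain = "%s_allow" % target
 rule_action = [ "-j", "ACCEPT" ]
 elif type(rich_rule.action) == Rich_Reject:
- chain = "%s_deny" % target
 rule_action = [ "-j", "REJECT" ]
 if rich_rule.action.type:
 rule_action += [ "--reject-with", rich_rule.action.type ]
 elif type(rich_rule.action) == Rich_Drop:
- chain = "%s_deny" % target
 rule_action = [ "-j", "DROP" ]
 elif type(rich_rule.action) == Rich_Mark:
 target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
 zone=zone)
 table = "mangle"
- chain = "%s_allow" % target
+ chain = "%s_%s" % (target, chain_suffix)
 rule_action = [ "-j", "MARK", "--set-xmark", rich_rule.action.set ]
 else:
 raise FirewallError(INVALID_RULE,
 "Unknown action %s" % type(rich_rule.action))
 
- rule = [ add_del, chain, "-t", table ]
+ rule = ["-t", table, add_del, chain]
+ rule += self._rich_rule_priority_fragment(rich_rule)
 rule += rule_fragment + rule_action
 rule += self._rule_limit(rich_rule.action.limit)
 
@@ -957,11 +1098,15 @@ class ip4tables(object):
 zone=zone)
 rule_fragment = []
 if rich_rule:
+ chain_suffix = self._rich_rule_chain_suffix(rich_rule)
+ rule_fragment += self._rich_rule_priority_fragment(rich_rule)
 rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
 rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
+ else:
+ chain_suffix = "allow"
 
 rules = []
- rules.append([ add_del, "%s_allow" % (target), "-t", "nat" ]
+ rules.append(["-t", "nat", add_del, "%s_%s" % (target, chain_suffix)]
 + rule_fragment +
 [ "!", "-o", "lo", "-j", "MASQUERADE" ])
 # FORWARD_OUT
@@ -969,10 +1114,14 @@ class ip4tables(object):
 zone=zone)
 rule_fragment = []
 if rich_rule:
+ chain_suffix = self._rich_rule_chain_suffix(rich_rule)
+ rule_fragment += self._rich_rule_priority_fragment(rich_rule)
 rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
 rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
+ else:
+ chain_suffix = "allow"
 
- rules.append([ add_del, "%s_allow" % (target), "-t", "filter"]
+ rules.append(["-t", "filter", add_del, "%s_%s" % (target, chain_suffix)]
 + rule_fragment +
 ["-m", "conntrack", "--ctstate", "NEW,UNTRACKED", "-j", "ACCEPT" ])
 
@@ -998,28 +1147,35 @@ class ip4tables(object):
 zone=zone)
 
 rule_fragment = [ "-p", protocol, "--dport", portStr(port) ]
+ rich_rule_priority_fragment = []
 if rich_rule:
+ chain_suffix = self._rich_rule_chain_suffix(rich_rule)
+ rich_rule_priority_fragment = self._rich_rule_priority_fragment(rich_rule)
 rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
 rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
+ else:
+ chain_suffix = "allow"
 
 rules = []
 if rich_rule:
 rules.append(self._rich_rule_log(rich_rule, enable, "mangle", target, rule_fragment))
- rules.append([ add_del, "%s_allow" % (target), "-t", "mangle"]
- + rule_fragment +
+ rules.append(["-t", "mangle", add_del, "%s_%s" % (target, chain_suffix)]
+ + rich_rule_priority_fragment + rule_fragment +
 [ "-j", "MARK", "--set-mark", mark_str ])
 
 # local and remote
- rules.append([ add_del, "%s_allow" % (target), "-t", "nat",
- "-p", protocol ] + mark +
+ rules.append(["-t", "nat", add_del, "%s_%s" % (target, chain_suffix)]
+ + rich_rule_priority_fragment +
+ ["-p", protocol ] + mark +
 [ "-j", "DNAT", "--to-destination", to ])
 
 target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[filter_chain],
 zone=zone)
- rules.append([ add_del, "%s_allow" % (target),
- "-t", "filter", "-m", "conntrack",
- "--ctstate", "NEW,UNTRACKED" ] +
- mark + [ "-j", "ACCEPT" ])
+ rules.append(["-t", "filter", add_del, "%s_%s" % (target, chain_suffix)]
+ + rich_rule_priority_fragment +
+ ["-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]
+ + mark +
+ [ "-j", "ACCEPT" ])
 
 return rules
 
@@ -1057,7 +1213,9 @@ class ip4tables(object):
 if rich_rule.action:
 rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment))
 else:
- rules.append([ add_del, "%s_deny" % target, "-t", table ]
+ chain_suffix = self._rich_rule_chain_suffix(rich_rule)
+ rules.append(["-t", table, add_del, "%s_%s" % (target, chain_suffix)]
+ + self._rich_rule_priority_fragment(rich_rule)
 + rule_fragment +
 [ "-j", "%%REJECT%%" ])
 else:
@@ -1076,7 +1234,7 @@ class ip4tables(object):
 table = "filter"
 rules = []
 for chain in [ "INPUT", "FORWARD_IN" ]:
- rule_idx = 4
+ rule_idx = 6
 _zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
 zone=zone)
 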
--
2.18.0