
Source code changes of the file "src/firewall/core/nftables.py" between
firewalld-1.0.1.tar.gz and firewalld-1.0.2.tar.gz

About: firewalld provides a dynamically managed firewall with support for network/firewall zones to define the trust level of network connections or interfaces.

nftables.py  (firewalld-1.0.1):nftables.py  (firewalld-1.0.2)
skipping to change at line 23 skipping to change at line 23
# This program is distributed in the hope that it will be useful, # This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of # but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details. # GNU General Public License for more details.
# #
# You should have received a copy of the GNU General Public License # You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>. # along with this program. If not, see <http://www.gnu.org/licenses/>.
# #
import copy import copy
import json import json
import ipaddress
from firewall.core.logger import log from firewall.core.logger import log
from firewall.functions import check_mac, getPortRange, normalizeIP6, \ from firewall.functions import check_mac, getPortRange, normalizeIP6, \
check_single_address, check_address check_single_address, check_address
from firewall.errors import FirewallError, UNKNOWN_ERROR, INVALID_RULE, \ from firewall.errors import FirewallError, UNKNOWN_ERROR, INVALID_RULE, \
INVALID_ICMPTYPE, INVALID_TYPE, INVALID_ENTRY, \ INVALID_ICMPTYPE, INVALID_TYPE, INVALID_ENTRY, \
INVALID_PORT INVALID_PORT
from firewall.core.rich import Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark, \ from firewall.core.rich import Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark, \
Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock , \ Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock , \
Rich_Tcp_Mss_Clamp Rich_Tcp_Mss_Clamp
skipping to change at line 1138 skipping to change at line 1139
def _rule_addr_fragment(self, addr_field, address, invert=False): def _rule_addr_fragment(self, addr_field, address, invert=False):
if address.startswith("ipset:"): if address.startswith("ipset:"):
return self._set_match_fragment(address[len("ipset:"):], True if "da ddr" == addr_field else False, invert) return self._set_match_fragment(address[len("ipset:"):], True if "da ddr" == addr_field else False, invert)
else: else:
if check_mac(address): if check_mac(address):
family = "ether" family = "ether"
elif check_single_address("ipv4", address): elif check_single_address("ipv4", address):
family = "ip" family = "ip"
elif check_address("ipv4", address): elif check_address("ipv4", address):
family = "ip" family = "ip"
addr_len = address.split("/") normalized_address = ipaddress.IPv4Network(address, strict=False
address = {"prefix": {"addr": addr_len[0], "len": int(addr_len[1 )
])}} address = {"prefix": {"addr": normalized_address.network_address
.compressed, "len": normalized_address.prefixlen}}
elif check_single_address("ipv6", address): elif check_single_address("ipv6", address):
family = "ip6" family = "ip6"
address = normalizeIP6(address) address = normalizeIP6(address)
else: else:
family = "ip6" family = "ip6"
addr_len = address.split("/") addr_len = address.split("/")
address = {"prefix": {"addr": normalizeIP6(addr_len[0]), "len": int(addr_len[1])}} address = {"prefix": {"addr": normalizeIP6(addr_len[0]), "len": int(addr_len[1])}}
return {"match": {"left": {"payload": {"protocol": family, return {"match": {"left": {"payload": {"protocol": family,
"field": addr_field}}, "field": addr_field}},
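Review bot: The IPv6 prefix branch at the bottom of the hunk still splits the string by hand and passes the host part through normalizeIP6 unchanged, so an IPv6 address with non-zero host bits (e.g. `2001:db8::1/32`) is emitted with those bits intact, whereas the IPv4 branch now masks them via `IPv4Network(..., strict=False)`. If that asymmetry is not intentional, the same normalisation applies: `normalized_address = ipaddress.IPv6Network(address, strict=False)` followed by `address = {"prefix": {"addr": normalized_address.network_address.compressed, "len": normalized_address.prefixlen}}`; whether `.compressed` yields the same canonical text as normalizeIP6 should be confirmed first, so the rendered rule does not change form for addresses that already worked. Note also that `ipaddress.IPv4Network` raises `ValueError` rather than a `FirewallError` on malformed input, which presumably only matters if a caller can reach this branch without having passed through `check_address` — worth a one-line comment stating that assumption. `_rule_addr_fragment` continues past the end of the hunk.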
skipping to change at line 1516 skipping to change at line 1517
rules.append(self._rich_rule_action(policy, rich_rule, enabl e, table, expr_fragments)) rules.append(self._rich_rule_action(policy, rich_rule, enabl e, table, expr_fragments))
else: else:
chain_suffix = self._rich_rule_chain_suffix(rich_rule) chain_suffix = self._rich_rule_chain_suffix(rich_rule)
rule = {"family": "inet", rule = {"family": "inet",
"table": TABLE_NAME, "table": TABLE_NAME,
"chain": "%s_%s_%s" % (table, _policy, chain_suffix) , "chain": "%s_%s_%s" % (table, _policy, chain_suffix) ,
"expr": expr_fragments + [self._reject_fragment()]} "expr": expr_fragments + [self._reject_fragment()]}
rule.update(self._rich_rule_priority_fragment(rich_rule)) rule.update(self._rich_rule_priority_fragment(rich_rule))
rules.append({add_del: {"rule": rule}}) rules.append({add_del: {"rule": rule}})
else: else:
if self._fw.get_log_denied() != "off" and self._fw.policy.query_ icmp_block_inversion(policy): if self._fw.get_log_denied() != "off" and not self._fw.policy.qu ery_icmp_block_inversion(policy):
rules.append({add_del: {"rule": {"family": "inet", rules.append({add_del: {"rule": {"family": "inet",
"table": TABLE_NAME, "table": TABLE_NAME,
"chain": final_chain, "chain": final_chain,
"expr": (expr_fragments + "expr": (expr_fragments +
[self._pkttype_mat ch_fragment(self._fw.get_log_denied()), [self._pkttype_mat ch_fragment(self._fw.get_log_denied()),
{"log": {"prefix" : "\"%s_%s_ICMP_BLOCK: \"" % (table, policy)}}])}}}) {"log": {"prefix" : "\"%s_%s_ICMP_BLOCK: \"" % (table, policy)}}])}}})
rules.append({add_del: {"rule": {"family": "inet", rules.append({add_del: {"rule": {"family": "inet",
"table": TABLE_NAME, "table": TABLE_NAME,
"chain": final_chain, "chain": final_chain,
"expr": expr_fragments + [targe t_fragment]}}}) "expr": expr_fragments + [targe t_fragment]}}})
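Review bot: The inverted condition on the log rule deserves a comment, because the reason for suppressing the `ICMP_BLOCK` log entry when icmp-block-inversion is active is not visible in this branch: `# With icmp-block-inversion the listed ICMP types are the ones let through, so an ICMP_BLOCK log line here would be misleading.` That reading depends on `target_fragment` being an accept in the inverted case, which is computed outside the hunk and should be confirmed. It also follows that with inversion enabled this chain emits no log line at all for ICMP traffic, so operators relying on LogDenied for ICMP visibility would need the inverted-case drop to be logged elsewhere — I cannot see from this hunk whether it is. The enclosing method begins before the hunk and its remainder is not visible.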
 End of changes. 3 change blocks. 
4 lines changed or deleted 6 lines changed or added
