Class: Yast::SuSEFirewallExpertRulesClass

Inherits:
Module
  • Object
show all
Defined in:
library/network/src/modules/SuSEFirewallExpertRules.rb

Instance Method Summary collapse

Instance Method Details

#AddNewAcceptRule(zone, params) ⇒ Boolean

Adds a new accept-rule. Possible keys for parameters are “network”, “protocol”, “dport” and “sport”. Needed are “network” and “protocol”.

Examples:

AddNewAcceptRule (
  "EXT",
  $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp", "sport":"22",
      "options":"hitcount=3,blockseconds=60,recentname=ssh"]
) -> true

Parameters:

Returns:

  • (Boolean)

    if successful

See Also:

  • #GetListOfAcceptRules()
  • #RemoveAcceptRule()


256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
# File 'library/network/src/modules/SuSEFirewallExpertRules.rb', line 256

def AddNewAcceptRule(zone, params)
  params = deep_copy(params)
  zone = Builtins.toupper(zone)

  # Check the zone
  if !Builtins.contains(SuSEFirewall.GetKnownFirewallZones, zone)
    Builtins.y2error("Unknown firewall zone: %1", zone)
    return nil
  end

  # Get all current rules
  current_rules = SuSEFirewall.GetAcceptExpertRules(zone)
  if current_rules.nil?
    Builtins.y2error(
      "Impossible to set new AcceptExpertRule for zone %1",
      zone
    )
    return false
  end

  new_rule = CreateRuleFromParams(params)

  current_rules = Ops.add(
    Ops.add(
      current_rules,
      Ops.greater_than(Builtins.size(current_rules), 0) ? " " : ""
    ),
    new_rule
  )

  SuSEFirewall.SetAcceptExpertRules(zone, current_rules)
end

#AdjustParameters(params) ⇒ Hash{String => String}

Adjusts parameters to the acceptable representation

Parameters:

Returns:



91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
# File 'library/network/src/modules/SuSEFirewallExpertRules.rb', line 91

def AdjustParameters(params)
  params = deep_copy(params)
  if Ops.get(params, "network", "") == ""
    Builtins.y2warning("No network defined, using '0/0' instead!")
    Ops.set(params, "network", "0/0")
  end
  if Ops.get(params, "protocol", "") == ""
    Builtins.y2warning("No protocol defined, using 'all' instead!")
    Ops.set(params, "protocol", "all")
  end
  Ops.set(
    params,
    "protocol",
    Builtins.tolower(Ops.get(params, "protocol", ""))
  )

  deep_copy(params)
end

#CreateRuleFromParams(params) ⇒ String

Creates a string with one rule definition as described by the given params. All the trailing commas are removed

Parameters:

Returns:

  • (String)

    rule definition



196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
# File 'library/network/src/modules/SuSEFirewallExpertRules.rb', line 196

def CreateRuleFromParams(params)
  params = deep_copy(params)
  # Adjusting params (some empty entries are replaced with $everything value)
  params = AdjustParameters(params)

  # Creating new record
  new_rule = Ops.add(
    Ops.add(
      Ops.add(
        Ops.add(
          Ops.add(
            Ops.add(
              Ops.add(
                Ops.add(Ops.get(params, "network", ""), ","),
                Ops.get(params, "protocol", "")
              ),
              ","
            ),
            Ops.get(params, "dport", "")
          ),
          ","
        ),
        Ops.get(params, "sport", "")
      ),
      ","
    ),
    Ops.get(params, "options", "")
  )

  # Cut out all the trailing commas
  while Builtins.regexpmatch(new_rule, ",+$")
    new_rule = Builtins.regexpsub(new_rule, "(.*),+$", "\\1")
  end

  if new_rule == "0/0,all"
    Builtins.y2warning(
      "Created rule '%1' that allows everything from all networks!",
      new_rule
    )
  end

  new_rule
end

#DeleteRuleID(zone, rule_id) ⇒ Boolean

Deletes Custom Rule defined by the ID of the rule. The ID is an order of list returned by GetListOfAcceptRules(). ID starts at number 0. Every time you delete some rule, the list is, of course, regenerated.

Examples:

DeleteRuleID (0) -> true

Parameters:

  • zone (String)
  • rule_id (Fixnum)

Returns:

  • (Boolean)

    if successful

See Also:

  • #GetListOfAcceptRules()


355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
# File 'library/network/src/modules/SuSEFirewallExpertRules.rb', line 355

def DeleteRuleID(zone, rule_id)
  # Check the zone
  if !Builtins.contains(SuSEFirewall.GetKnownFirewallZones, zone)
    Builtins.y2error("Unknown firewall zone: %1", zone)
    return nil
  end

  current_rules = SuSEFirewall.GetAcceptExpertRules(zone)
  if current_rules.nil?
    Builtins.y2error(
      "Impossible remove any AcceptExpertRule for zone %1",
      zone
    )
    return false
  end

  current_rules_list = Builtins.splitstring(current_rules, " \n")
  if !Ops.get(current_rules_list, rule_id).nil?
    current_rules_list = Builtins.remove(current_rules_list, rule_id)
    current_rules = Builtins.mergestring(current_rules_list, " ")
    SuSEFirewall.SetAcceptExpertRules(zone, current_rules)
    return true
  else
    Builtins.y2error(
      "Cannot remove %1, such entry does not exist.",
      rule_id
    )
    return false
  end
end

#GetAllExpertRulesProtocolsArray<String>

Returns list of all protocols accepted by the expert rules.

Returns:

  • (Array<String>)

    of protocols

See Also:

  • allowed_expert_protocols


64
65
66
# File 'library/network/src/modules/SuSEFirewallExpertRules.rb', line 64

def GetAllExpertRulesProtocols
  deep_copy(@allowed_expert_protocols)
end

#GetListOfAcceptRules(zone) ⇒ Array<Hash{String => String>}

Returns list of rules (maps) describing protocols and ports that are allowed to be accessed from listed hosts. “network” and “protocol” are needed arguments, “dport” and “sport” are optional. Undefined values are returned as empty strings.

“network” is either an IP, IP/Netmask or IP/Netmask_Bits where the connection originates; “protocol” defines the transport protocol; “dport” is the destination port on the current host; “sport” is the source port on the client.

Port can be port number, port name, port range. Protocol can be 'tcp', 'udp', 'icmp', 'all' or 'rpc' (dport is then a RPC service name, e.g., ypbind).

*Structure:*

 This might return, e.g., [
      // All requests from 80.44.11.22 to TCP port 22
 	   $[ "network" : "80.44.11.22",   "protocol" : "tcp", "dport" : "22",  "sport" : ""   ],

 // All requests from network 80.44.11.0/24 to UDP port 53 originating on port 53
$[ "network" : "80.44.11.0/24", "protocol" : "udp", "dport" : "53",  "sport" : "53" ],

 // All requests from network 0/0 (everywhere) to TCP port 443
$[ "network" : "0/0",           "protocol" : "tcp", "dport" : "443", "sport" : ""   ],

]

Examples:

GetListOfAcceptRules("EXT") -> $[]

Parameters:

Returns:

See Also:

  • Yast::SuSEFirewallExpertRulesClass#IP#IP::CheckNetwork()


142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
# File 'library/network/src/modules/SuSEFirewallExpertRules.rb', line 142

def GetListOfAcceptRules(zone)
  zone = Builtins.toupper(zone)

  # Check the zone
  if !Builtins.contains(SuSEFirewall.GetKnownFirewallZones, zone)
    Builtins.y2error("Unknown firewall zone: %1", zone)
    return nil
  end

  #
  # FW_SERVICES_ACCEPT_EXT, FW_SERVICES_ACCEPT_INT, FW_SERVICES_ACCEPT_DMZ
  # Format: space separated list of net,protocol[,dport][,sport][,other-comma-separated-options]
  #
  rules = Builtins.maplist(
    Builtins.splitstring(SuSEFirewall.GetAcceptExpertRules(zone), " +")
  ) do |one_rule|
    # comma separated
    rule_splitted = Builtins.splitstring(one_rule, ",")
    # additional options after sport (4th entry)
    options_entries_count = Ops.subtract(Builtins.size(rule_splitted), 4)
    {
      "network"  => Ops.get(rule_splitted, 0, ""),
      "protocol" => Ops.get(rule_splitted, 1, ""),
      "dport"    => Ops.get(rule_splitted, 2, ""),
      "sport"    => Ops.get(rule_splitted, 3, ""),
      # additional options if defined (offset 4 and more)
      "options"  => if Ops.greater_than(options_entries_count, 0)
                      Builtins.mergestring(
                        Builtins.sublist(rule_splitted, 4, options_entries_count),
                        ","
                      )
                    else
                      ""
                    end
    }
  end

  # filtering out empty rules
  rules = Builtins.filter(rules) do |one_rule|
    !(Ops.get(one_rule, "network", "") == "" &&
      Ops.get(one_rule, "protocol", "") == "" &&
      Ops.get(one_rule, "dport", "") == "" &&
      Ops.get(one_rule, "sport", "") == "" &&
      Ops.get(one_rule, "options", "") == "")
  end

  deep_copy(rules)
end

#IsValidNetwork(network) ⇒ Boolean

Function checks the network definition used for firewall expert rules. For backward compatibility. Use IP::CheckNetwork() instead.

Parameters:

Returns:

  • (Boolean)

    if it is a valid network definition



73
74
75
76
# File 'library/network/src/modules/SuSEFirewallExpertRules.rb', line 73

def IsValidNetwork(network)
  Builtins.y2internal("Deprecated, please use IP::CheckNetwork() instead")
  IP.CheckNetwork(network)
end

#mainObject



38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
# File 'library/network/src/modules/SuSEFirewallExpertRules.rb', line 38

def main
  textdomain "base"

  Yast.import "SuSEFirewall"
  Yast.import "Netmask"
  Yast.import "IP"

  # **
  # Firewall Expert Rulezz
  #
  # ATTENTION: You have to call SuSEFirewall::Read() to read the configuration
  # into the memory and call SuSEFirewall::Write() to write the configuration
  # and restart the firewall service.

  # List of all possible protocols for expert rulezz.
  # _rpc_ expects RPC service name as the destination port then.
  @allowed_expert_protocols = ["udp", "tcp", "icmp", "all", "_rpc_"]

  # used to identify the IPv4 in regexp
  @type_ip4 = "[0123456789]+.[0123456789]+.[0123456789]+.[0123456789]+"
end

#RemoveAcceptRule(zone, params) ⇒ Object

Removes a single expert firewall rule.

Examples:

RemoveAcceptRule (
  "EXT",
  $["network":"192.168.0.1/255.255.240.0", "protocol":"tcp", "sport":"22"]
) -> true

Parameters:

Returns:

  • if successful

See Also:

  • for possible keys in map
  • #AddNewAcceptRule()


303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
# File 'library/network/src/modules/SuSEFirewallExpertRules.rb', line 303

def RemoveAcceptRule(zone, params)
  params = deep_copy(params)
  zone = Builtins.toupper(zone)

  # Check the zone
  if !Builtins.contains(SuSEFirewall.GetKnownFirewallZones, zone)
    Builtins.y2error("Unknown firewall zone: %1", zone)
    return nil
  end

  current_rules = SuSEFirewall.GetAcceptExpertRules(zone)
  if current_rules.nil?
    Builtins.y2error(
      "Impossible remove any AcceptExpertRule for zone %1",
      zone
    )
    return false
  end

  current_rules_number = Builtins.size(current_rules)

  # Creating record to be removed
  remove_rule = CreateRuleFromParams(params)

  # Filtering out the record
  current_rules_list = Builtins.splitstring(current_rules, " \n")
  current_rules_list = Builtins.filter(current_rules_list) do |one_rule|
    one_rule != remove_rule && one_rule != "" && one_rule != ","
  end
  current_rules = Builtins.mergestring(current_rules_list, " ")

  SuSEFirewall.SetAcceptExpertRules(zone, current_rules)

  Ops.less_than(
    Builtins.size(SuSEFirewall.GetAcceptExpertRules(zone)),
    current_rules_number
  )
end

#ValidNetworkString

Returns string of valid network definition. Deprecated, please, use IP::ValidNetwork() instead.

Returns:

  • (String)

    describing the valid network.



82
83
84
85
# File 'library/network/src/modules/SuSEFirewallExpertRules.rb', line 82

def ValidNetwork
  Builtins.y2internal("Deprecated, please, use IP::ValidNetwork() instead")
  IP.ValidNetwork
end