rules_builder

Author: Athanasios Gkaraliakos (email: a.gkaraliakos@gmail.com, athanasios.gkaraliakos@cern.ch)

The script is written for Python >= 2.6.

class iptables_manager_modules.rules_builder.FirewallRuleBuilder

Here we create the actual rules to be added to the final rule list.

check_ipset(iptype, ipset_name)

This method checks whether an ipset is present in memory.

Parameters:
  • iptype – ipv4 or ipv6
  • ipset_name – name of the ipset we want to check
Returns:

Message with the state of the check

static handle_log_chain(command_list, jump_chain)

This is a static method used to handle the LOG chain. It adds to a rule (list) the parameters that make it jump to the LOG chain.

Parameters:
  • command_list – list that represents one command
  • jump_chain – extra parameter to add the rule(list)
Returns:

the created rule(list) to be added to the rule list

manage_custom_chain(action, chain_name, iptype, new_chain_name=None, simul=False)

This method manages user-defined chains: create, delete, rename.

Parameters:
  • action – create, delete, rename
  • chain_name – name of the chain
  • iptype – ipv4 or ipv6 (iptables or ip6tables)
  • new_chain_name – new name of the chain, used when the action is rename
  • simul – flag to print the commands instead of applying them
Returns:

exit code, and the actual command if the simul flag is True

static manage_ipset(action=None, iptype=None, settype=None, port=None, setname=None, cern_networks=None, hostnames=None, ips=None, cern_set_list=None, simul=False, generate_files=False, file_override=False, set_names=None)

This method calls the script that manages all operations regarding ipsets and passes all the arguments through to it in order to create, update or destroy an ipset.

Parameters:
  • action – create or update or destroy
  • iptype – ipv4 or ipv6
  • settype – (e.g. hash:ip)
  • port – port number or ‘direct’ (the most common choice). ‘direct’ tells the script that the ports are provided together with the ips/hostnames
  • setname – the custom name that the set will take
  • cern_networks – Name of the CERN LanDB set
  • hostnames – list of hostnames to be resolved via DNS
  • ips – list of ips to be added into the ipset
  • cern_set_list – list of names with CERN LanDB network sets
  • simul – flag whether to print or apply the actions
  • generate_files – flag to generate the ipset.gen file to be used by the restore command
  • file_override – flag that tells the script whether to overwrite the generated file
  • set_names – list of names to be added inside a list:set ipset
Returns:

the response of the ipset_a

manage_rule(iptype, chain_name, jump_chain, comment, protocol=None, nic=None, modules=None)

This method is used to create an iptables rule.

Parameters:
  • iptype – ipv4 or ipv6
  • chain_name – the chain that this rule will be added to
  • jump_chain – the chain that this rule will jump to
  • comment – comment on the rule
  • protocol – protocol of the rule
  • nic – network interface that the rule will be applied on
  • modules – the modules to be added on the rule
Returns:

a fully created rule

static module_load_handler(command_list, module_list)

This is a static method used to add to a rule all the parameters extracted from module_list.

Parameters:
  • command_list – list that represents one command
  • module_list – list of modules to be added to the command(rule)
Returns:

the full command(rule/list) to be added to the rules list

static read_config_file(parameter)

This method is static and is used to read the ‘configuration_info.cfg’ file, which provides the paths of the OS commands we use to create the rules. If the file is not present, the method tries to “guess” the distro version so as to run the appropriate command.

Parameters:
  • parameter – parameter you want to extract from the file, e.g. iptables_script
Returns:

The value of the provided parameter, e.g. /etc/init.d/iptables

static sys_process_executor(command)

This method is static and is used to run OS commands from the other modules. It tries to run all commands using the system path ($PATH). If the command/script is not in $PATH, it tries to find it in its local helpers/ folder.

Parameters:
  • command – a list that represents an OS command
Returns:

Response, error and exit code obtained by piping standard output and standard error
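As an added illustration (not the project's own code) of how the pieces described above fit together, the following Python builds a rule as an argv list in the manner of module_load_handler, handle_log_chain and manage_rule, and runs it through an executor that, like sys_process_executor, searches $PATH and then a local helpers/ folder and returns stdout, stderr and the exit code. The module dict layout, the LOG prefix and the helpers/ location are assumptions; passing the command as a list rather than a shell string is what keeps a rule comment from being interpreted by a shell.

```python
import os
import sys
from subprocess import PIPE, Popen

# Assumption: the page's "local helpers/ folder" lives under the working directory.
HELPERS_DIR = os.path.join(os.getcwd(), "helpers")
PYTHON = sys.executable  # a program that certainly exists, for the usage check

def module_load_handler(command_list, module_list):
    """Append match-module args in place; constructed layout: {"name": "tcp", "args": [...]}."""
    for module in module_list:
        command_list.extend(["-m", module["name"]] + list(module.get("args", [])))
    return command_list

def handle_log_chain(command_list, jump_chain):
    """Finish the rule with its target; a jump to LOG also gets a log prefix (assumed)."""
    command_list.extend(["-j", jump_chain])
    if jump_chain == "LOG":
        command_list.extend(["--log-prefix", "rules_builder: "])
    return command_list

def manage_rule(iptype, chain_name, jump_chain, comment, protocol=None, nic=None, modules=None):
    # Build one iptables/ip6tables rule as an argv list (what simul mode would print).
    rule = ["iptables" if iptype == "ipv4" else "ip6tables", "-A", chain_name]
    for flag, value in (("-i", nic), ("-p", protocol)):
        if value:
            rule.extend([flag, value])
    # The comment travels as a single argv element: no shell quoting, no injection.
    module_load_handler(rule, list(modules or []) + [{"name": "comment", "args": ["--comment", comment]}])
    return handle_log_chain(rule, jump_chain)

def _resolve(executable):
    """Look the program up in $PATH first, then in the local helpers/ folder."""
    if os.path.sep in executable:
        return executable
    for directory in os.environ.get("PATH", "").split(os.pathsep) + [HELPERS_DIR]:
        candidate = os.path.join(directory, executable)
        if os.path.isfile(candidate) and os.access(candidate, os.X_OK):
            return candidate
    return None

def sys_process_executor(command):
    """Run an argv list without a shell and return (stdout, stderr, exit code)."""
    if not isinstance(command, (list, tuple)) or not command:
        raise ValueError("command must be a non-empty argv list")
    path = _resolve(command[0])
    if path is None:
        return "", "command not found: %s" % command[0], 127
    proc = Popen([path] + list(command[1:]), stdout=PIPE, stderr=PIPE, universal_newlines=True)
    out, err = proc.communicate()
    return out, err, proc.returncode
```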