Commit e75d2b7d authored by Brad Cable's avatar Brad Cable

Created conf.d file structure. Cleaned up IPTables comment module parsing,...

Created conf.d file structure.  Cleaned up IPTables comment module parsing, and also escaped the strings.  Restructured test config into etc_sopeq.
parent 2a08ee64
......@@ -10,4 +10,4 @@ Sopeq is about to become a modular project I will maintain as production quality
I know I said 3-4 weeks in August, but I'm on schedule for 1 year past when I originally declared the final date. This is pretty common for me when I'm dealing with full-time school and full-time work, and anyone who has been paying attention would know this since this is what I've been doing for the last 15 years :).
The previous syntax is completely incorrect as to what it ended up being, so take a look at sopeq.rules to see what it is now.
The previous syntax is completely incorrect as to what it ended up being, so take a look at etc_sopeq to see what it is now.
......@@ -8,8 +8,8 @@ from collections import OrderedDict
from configparser import ConfigParser
from copy import deepcopy
from os import getgid, getuid
from os.path import exists
from os import getgid, getuid, listdir
from os.path import exists, isdir, join
from re import sub
from subprocess import Popen, PIPE
from sys import argv, exit, stdout
......@@ -24,8 +24,17 @@ from pool import pool
from service import service
from traffic import traffic
SOPEQ_CONFIG = "/etc/sopeq.conf"
SOPEQ_RULES = "/etc/sopeq.rules" # TODO: conf.d structure
SOPEQ_CONFIG = "/etc/sopeq/sopeq.conf"
SOPEQ_RULES_PATHS = [
"/etc/sopeq/templates.conf",
"/etc/sopeq/templates.conf.d",
"/etc/sopeq/pools.conf",
"/etc/sopeq/pools.conf.d",
"/etc/sopeq/services.conf",
"/etc/sopeq/services.conf.d",
"/etc/sopeq/rules.conf",
"/etc/sopeq/rules.conf.d"
]
IPTABLES_RESTORE_PATH = ["/usr/bin/env", "iptables-restore"]
IPTABLES_SAVE_PATH = ["/usr/bin/env", "iptables-save"]
......@@ -276,7 +285,7 @@ class controller(object):
def get_service(self, service_name):
return controller.get_obj(self._services, service_name)
def load_rules(self, filename):
def initial_rules(self):
self._services = []
self._services_used = []
self._pools = []
......@@ -324,6 +333,7 @@ class controller(object):
"-A OUTPUT -m state --state ESTABLISHED -j ACCEPT"
))
def load_rules(self, filename):
fd = open(filename, "rb")
for line in fd.readlines():
ret_obj = line_parser(self, line).parse()
......@@ -503,8 +513,16 @@ if __name__ == "__main__":
control = controller()
control.reset_defaults()
control.initial_rules()
control.load_config(SOPEQ_CONFIG)
control.load_rules(SOPEQ_RULES)
for rules_path in SOPEQ_RULES_PATHS:
if exists(rules_path):
if not isdir(rules_path):
control.load_rules(rules_path)
else:
for conf_file in listdir(rules_path):
control.load_rules(join(rules_path, conf_file))
if len(argv) > 1 and argv[1] == "-d":
control.enforce(write=False)
......
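Review bot: The conf.d loop at `for conf_file in listdir(rules_path):` loads directory entries in whatever order the filesystem returns them, and iptables rules are order-sensitive (first match wins), so the generated ruleset can differ between hosts or between runs; `for conf_file in sorted(listdir(rules_path)):` gives numbered filenames a defined order. The loop also hands every entry, including editor backup files, dotfiles and subdirectories, to `load_rules`; skipping entries for which `isdir(join(rules_path, conf_file))` is true (already imported) or restricting to a `.conf` suffix would keep stray files out of the firewall ruleset. Because `load_rules` is now called once per file, the descriptor opened on the context line `fd = open(filename, "rb")` is leaked per file unless it is closed further down in the body, which continues outside the hunk; `with open(filename, "rb") as fd:` would make the lifetime explicit. The enclosing `if __name__ == "__main__":` block starts outside the hunk.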
# TEST comment
service.in:ssh -p tcp --dport 22
service.out:ssh -p tcp --sport 22
#incoming.accept:ssh eth0,10.1.1.1/32 eth1,10.0.0.0/8
#incoming.drop:ssh p4p1,10.1.1.1 10.1.1.2
incoming.accept:ssh wlp2s0,192.168.5.14 wlp2s0,192.168.23.5
incoming.accept:ssh wlp2s0,192.168.5.14 wlp2s0,192.168.23.5 # IPTables comment
incoming.accept:ssh wlp2s0,192.168.5.14 wlp2s0,192.168.23.5 [IPTables LOG PREFIX] # IPTables comment
incoming.accept:ssh wlp2s0,192.168.5.14 wlp2s0,192.168.23.5 [IPTables'" LOG PREFIX] # IPTables comment
incoming.accept:ssh wlp2s0,192.168.5.14 wlp2s0,192.168.23.5 [IPTables\'\" LOG PREFIX] # IPTables comment
incoming.accept:ssh wlp2s0,192.168.5.14 wlp2s0,192.168.23.5 [IPTables\\'\\" LOG PREFIX] # IPTables comment
# TEST comment
#incoming.accept:ssh eth0,10.1.1.1/32 eth1,10.0.0.0/8
#incoming.drop:ssh p4p1,10.1.1.1 10.1.1.2
service.in:ssh -p tcp --dport 22
service.out:ssh -p tcp --sport 22
......@@ -7,7 +7,7 @@
# log_level = warning
# egress = True
# skip_standard_rules = False
# include_related = False
include_related = False
#[policies]
# filter_OUTPUT = DROP
......@@ -4,13 +4,16 @@
# License: GPLv2
# Author: Brad Cable
def ipt_escape(string):
return string.replace("\\", "\\\\").replace("\"", "\\\"")
def ipt_construct_log(log_level, log_prefix=None):
#log_ret = " -j LOG --log-tcp-options --log-ip-options --log-uid "
log_ret = " -j LOG "
if log_prefix is not None:
log_ret += "--log-level {} --log-prefix \"{}: \"".format(
log_level, log_prefix
log_level, ipt_escape(log_prefix)
)
else:
log_ret += "--log-level {}".format(log_level)
......@@ -18,7 +21,7 @@ def ipt_construct_log(log_level, log_prefix=None):
return log_ret
def ipt_construct_comment(rule_comment):
return " -m comment --comment \"{}\"".format(rule_comment)
return " -m comment --comment \"{}\"".format(ipt_escape(rule_comment))
def ipt_clean(iptables_output):
clean = sub(b"^#[^\n]+\n", b"", iptables_output)
......
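Review bot: `ipt_escape` has no docstring and escapes only backslash and double quote, which is what a double-quoted token needs for iptables-restore's line parser, but whether backslash escapes inside quotes are honoured depends on the iptables version (older iptables-restore builds ended a quoted token at the first `"` regardless of a preceding backslash), so the assumption should be stated, e.g. `"""Escape *string* for use inside a double-quoted iptables-restore argument; only backslash and double quote are escaped, which assumes a parser that honours backslash escapes."""`. The purpose is also worth a one-line comment, since the escaping is what keeps a configured comment or log prefix from terminating the quoted argument and the rest of the value being read as further rule options. Length is not handled: `--comment` is limited to about 256 bytes and `--log-prefix` to 29 characters (the `": "` suffix appended in `ipt_construct_log` counts toward it), and an over-long value makes iptables-restore reject the whole ruleset rather than the one rule, so truncating or raising a clear error before the restore would fail safer.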
......@@ -17,6 +17,7 @@ class service(rule_generator):
_forwarding = None
_chains = None
_rules = None
_cache_construct_comment = None
def __init__(self,
controller, direction, name, rule, log_prefix, rule_comment
......@@ -35,11 +36,23 @@ class service(rule_generator):
def rules(self):
return self._rules
def append_rule(self, rule):
if self._cache_construct_comment is not None:
if self._rule_comment is not None:
self._cache_construct_comment = \
ipt_construct_comment(self._rule_comment)
else:
self._cache_construct_comment = ""
rule += self._cache_construct_comment
self._rules.append(("filter", rule))
def generate(self, *args, **kwargs):
super().generate(*args, **kwargs)
rules = []
chains = []
self._rules = []
self._chains = []
if self.direction == "in":
new_chain = "{}_IN".format(self.service_name)
......@@ -55,13 +68,7 @@ class service(rule_generator):
else:
raise Exception # TODO
chains.append(("filter", new_chain))
if self._rule_comment is not None:
comment_append = ipt_construct_comment(self._rule_comment)
else:
comment_append = None
self._chains.append(("filter", new_chain))
if self._log_prefix is not None:
log_append = ipt_construct_log(
......@@ -77,27 +84,17 @@ class service(rule_generator):
rules.append(("filter", cur_rule))
cur_rule = "-A {} {} -j {}".format(
self.append_rule("-A {} {} -j {}".format(
direction_table, self._rule, new_chain
)
if comment_append is not None:
cur_rule += comment_append
rules.append(("filter", cur_rule))
))
if self._forwarding:
if self._log_prefix is not None:
cur_rule = "-A FORWARD {}".format(log_append)
if comment_append is not None:
cur_rule += comment_append
rules.append(("filter", cur_rule))
self.append_rule("-A FORWARD {}".format(log_append))
cur_rule = "-A FORWARD {} -j {}".format(self._rule, new_chain)
if comment_append is not None:
cur_rule += comment_append
rules.append(("filter", cur_rule))
self._chains = chains
self._rules = rules
self.append_rule(
"-A FORWARD {} -j {}".format(self._rule, new_chain)
)
if __name__ == "__main__":
ssh = service("in", "ssh", "-p tcp --dport 22")
......
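Review bot: The guard in `append_rule` is inverted: `_cache_construct_comment` starts as `None` (the class attribute added in this commit), so `if self._cache_construct_comment is not None:` skips the only branch that populates it and the next line does `rule += None`, raising TypeError on the first call, unless `__init__` (whose body is outside the hunk) assigns it. The line should read `if self._cache_construct_comment is None:`. The cache also assumes `_rule_comment` does not change after the first rule is appended, which appears to hold since it comes from the `rule_comment` constructor argument; a short comment such as `# built on first use; _rule_comment is fixed per instance` would record that, and `generate` (which resets `_rules` and `_chains`) deliberately leaves it alone.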