From 2342548148763cca0579da98ed0a682d22beb49d Mon Sep 17 00:00:00 2001
From: Eric Garver
Date: Fri, 1 Jun 2018 09:37:34 -0400
Subject: [PATCH 2/5] firewall/core/io/functions: add check_config()

This is a utility function to run checks on all the configuration files.

(cherry picked from commit 4164148b88f1882eabde4eeb4cc9a45506aff0fa)
---
 po/POTFILES.in | 1 +
 src/Makefile.am | 1 +
 src/firewall/core/io/functions.py | 84 +++++++++++++++++++++++++++++++++++++++
 3 files changed, 86 insertions(+)
 create mode 100644 src/firewall/core/io/functions.py

diff --git a/po/POTFILES.in b/po/POTFILES.in
index 12cdbf2c6929..2332f8acc4eb 100644
--- a/po/POTFILES.in
+++ b/po/POTFILES.in
@@ -70,6 +70,7 @@ src/firewall/core/prog.py
 src/firewall/core/watcher.py
 src/firewall/core/io/__init__.py
 src/firewall/core/io/firewalld_conf.py
+src/firewall/core/io/functions.py
 src/firewall/core/io/icmptype.py
 src/firewall/core/io/io_object.py
 src/firewall/core/io/service.py
diff --git a/src/Makefile.am b/src/Makefile.am
index b249c2e5fd46..b44ae0c1eca4 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -34,6 +34,7 @@ nobase_dist_python_DATA = \
 	firewall/core/__init__.py \
 	firewall/core/io/direct.py \
 	firewall/core/io/firewalld_conf.py \
+	firewall/core/io/functions.py \
 	firewall/core/io/helper.py \
 	firewall/core/io/icmptype.py \
 	firewall/core/io/ifcfg.py \
diff --git a/src/firewall/core/io/functions.py b/src/firewall/core/io/functions.py
new file mode 100644
index 000000000000..7509a5390e12
--- /dev/null
+++ b/src/firewall/core/io/functions.py
@@ -0,0 +1,84 @@
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2018 Red Hat, Inc.
+#
+# Authors:
+# Eric Garver
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with this program. If not, see .
+#
+
+import os
+
+from firewall import config
+from firewall.errors import FirewallError
+
+from firewall.core.io.zone import zone_reader
+from firewall.core.io.service import service_reader
+from firewall.core.io.ipset import ipset_reader
+from firewall.core.io.icmptype import icmptype_reader
+from firewall.core.io.helper import helper_reader
+from firewall.core.io.direct import Direct
+from firewall.core.io.lockdown_whitelist import LockdownWhitelist
+from firewall.core.io.firewalld_conf import firewalld_conf
+
+def check_config(fw=None):
+    readers = {
+        "ipset" : (ipset_reader, [config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS]),
+        "helper" : (helper_reader, [config.FIREWALLD_HELPERS, config.ETC_FIREWALLD_HELPERS]),
+        "icmptype" : (icmptype_reader, [config.FIREWALLD_ICMPTYPES, config.ETC_FIREWALLD_ICMPTYPES]),
+        "service" : (service_reader, [config.FIREWALLD_SERVICES, config.ETC_FIREWALLD_SERVICES]),
+        "zone" : (zone_reader, [config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES]),
+    }
+    for reader in readers.keys():
+        for dir in readers[reader][1]:
+            if not os.path.isdir(dir):
+                continue
+            for file in sorted(os.listdir(dir)):
+                if file.endswith(".xml"):
+                    try:
+                        obj = readers[reader][0](file, dir)
+                        if fw and reader == "zone":
+                            obj.fw_config = fw.config
+                        obj.check_config(obj.export_config())
+                    except FirewallError as error:
+                        raise FirewallError(error.code, "'%s': %s" % (file, error.msg))
+                    except Exception as msg:
+                        raise Exception("'%s': %s" % (file, msg))
+    if os.path.isfile(config.FIREWALLD_DIRECT):
+        try:
+            obj = Direct(config.FIREWALLD_DIRECT)
+            obj.read()
+            obj.check_config(obj.export_config())
+        except FirewallError as error:
+            raise FirewallError(error.code, "'%s': %s" % (config.FIREWALLD_DIRECT, error.msg))
+        except Exception as msg:
+            raise Exception("'%s': %s" % (config.FIREWALLD_DIRECT, msg))
+    if os.path.isfile(config.LOCKDOWN_WHITELIST):
+        try:
+            obj = LockdownWhitelist(config.LOCKDOWN_WHITELIST)
+            obj.read()
+            obj.check_config(obj.export_config())
+        except FirewallError as error:
+            raise FirewallError(error.code, "'%s': %s" % (config.LOCKDOWN_WHITELIST, error.msg))
+        except Exception as msg:
+            raise Exception("'%s': %s" % (config.LOCKDOWN_WHITELIST, msg))
+    if os.path.isfile(config.FIREWALLD_CONF):
+        try:
+            obj = firewalld_conf(config.FIREWALLD_CONF)
+            obj.read()
+        except FirewallError as error:
+            raise FirewallError(error.code, "'%s': %s" % (config.FIREWALLD_CONF, error.msg))
+        except Exception as msg:
+            raise Exception("'%s': %s" % (config.FIREWALLD_CONF, msg))
-- 
2.16.3
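Review bot: The four `except Exception as msg: raise Exception("'%s': %s" % (..., msg))` sites (the `.xml` loop and the Direct, LockdownWhitelist and firewalld.conf branches) collapse every non-FirewallError into a bare `Exception`, so a caller can no longer tell an I/O failure on one of the config directories from a parse failure by type, and the original class survives only through the implicit `__context__`. The filename prefix is useful and should stay, but the function also has no docstring; something like `"""Validate every firewalld configuration file on disk, raising FirewallError or Exception with the offending filename prefixed to the message."""` would state the contract. The loop variables `dir` and `file` shadow builtins, and `readers.keys()` with `readers[reader][0]`/`readers[reader][1]` reads more clearly as `for name, (reader, dirs) in readers.items():` followed by `for directory in dirs:`. The firewalld.conf branch only calls `obj.read()` and has no `check_config(...)` step, unlike the Direct and LockdownWhitelist branches; if that asymmetry is intentional a one-line comment saying why would help.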