# pf will automatically add 'keep state flags S/SA' to all TCP connections
# by default.
if 'nostate' in filter_options:
all_protocols_stateful = False
if 'in' in filter_options:
direction = 'in'
elif 'out' in filter_options:
direction = 'out'
# Check for matching af
for address_family in good_afs:
if address_family in filter_options:
# should not specify more than one AF in options
if filter_type is not None:
raise aclgenerator.UnsupportedFilterError('%s %s %s %s' % (
'\nMay only specify one of', good_afs, 'in filter options:',
filter_options))
filter_type = address_family
if filter_type is None:
filter_type = 'inet'
# add the terms
new_terms = []
term_names = set()
for term in terms:
term.name = self.FixTermLength(term.name)
if term.name in term_names:
raise DuplicateTermError(
'You have a duplicate term: %s' % term.name)
term_names.add(term.name)
def _HandleIcmpTypes(self, icmp_types, protocols):
    """Reject icmp-types, which this platform's generator does not support.

    Args:
      icmp_types: icmp-type values taken from the term; any non-empty value
        is an error for this platform.
      protocols: list of protocols from the term, handed back unchanged.

    Returns:
      Tuple of ([''], protocols): a single empty icmp-type entry plus the
      original protocol list.

    Raises:
      aclgenerator.UnsupportedFilterError: if icmp_types is non-empty. The
        term is rejected outright rather than rendered without the icmp-type
        qualifier the policy asked for, so the emitted rule is never broader
        than what was written.
    """
    if not icmp_types:
        # Nothing to translate: pass the protocol list straight through.
        return ([''], protocols)
    detail = ('icmp types unsupported by', self._PLATFORM,
              '\nError in term:', self.term.name)
    raise aclgenerator.UnsupportedFilterError('\n%s %s %s %s' % detail)
return ''
ret_str = []
self._SetDefaultAction()
# Create a new term
ret_str.append('\n# term %s' % self.term.name)
comments = aclgenerator.WrapWords(self.term.comment, 80)
# append comments to output
if comments and comments[0]:
for line in comments:
ret_str.append('# %s' % str(line))
if str(self.term.action[0]) not in self._ACTION_TABLE:
raise aclgenerator.UnsupportedFilterError('%s %s %s %s' % (
'\n', self.term.name, self.term.action[0],
'action not currently supported.'))
if self.direction and str(self.direction) not in self._DIRECTION_TABLE:
raise aclgenerator.UnsupportedFilterError('%s %s %s %s' % (
'\n', self.term.name, self.term.direction,
'direction not currently supported.'))
# protocol
if self.term.protocol:
protocol = self.term.protocol
else:
protocol = []
# source address
term_saddrs = self._CheckAddressAf(self.term.source_address)
if not term_saddrs:
return ''
# append comments to output
ret_str.append(self._COMMENT_FORMAT.substitute(filter=self.filter,
term=self.term_name,
comment=self.term.comment))
# if terms does not specify action, use filter default action
if not self.term.action:
self.term.action[0].value = self.default_action
if self.term.action[0] == 'next':
return ''
if len(self.term.action) > 1:
raise aclgenerator.UnsupportedFilterError('\n%s %s %s %s' % (
'Multiple actions unsupported by', self._PLATFORM,
'\nError in term:', self.term.name))
# protocol
if self.term.protocol:
protocols = self.term.protocol
else:
protocols = ['any']
# addresses
src_addr = self.term.source_address
if not src_addr:
src_addr = [self._all_ips]
dst_addr = self.term.destination_address
if not dst_addr:
# Create a new term
ret_str.append('\n# term %s' % self.term.name)
comments = aclgenerator.WrapWords(self.term.comment, 80)
# append comments to output
if comments and comments[0]:
for line in comments:
ret_str.append('# %s' % str(line))
if str(self.term.action[0]) not in self._ACTION_TABLE:
raise aclgenerator.UnsupportedFilterError('%s %s %s %s' % (
'\n', self.term.name, self.term.action[0],
'action not currently supported.'))
if self.direction and str(self.direction) not in self._DIRECTION_TABLE:
raise aclgenerator.UnsupportedFilterError('%s %s %s %s' % (
'\n', self.term.name, self.term.direction,
'direction not currently supported.'))
# protocol
if self.term.protocol:
protocol = self.term.protocol
else:
protocol = []
# source address
term_saddrs = self._CheckAddressAf(self.term.source_address)
if not term_saddrs:
logging.debug(self.NO_AF_LOG_ADDR.substitute(term=self.term.name,
direction='source',
af=self.af))
return ''
term_saddr = self._GenerateAddrStatement(
# pf will automatically add 'keep state flags S/SA' to all TCP connections
# by default.
if 'nostate' in filter_options:
all_protocols_stateful = False
if 'in' in filter_options:
direction = 'in'
elif 'out' in filter_options:
direction = 'out'
# Check for matching af
for address_family in good_afs:
if address_family in filter_options:
# should not specify more than one AF in options
if filter_type is not None:
raise aclgenerator.UnsupportedFilterError('%s %s %s %s' % (
'\nMay only specify one of', good_afs, 'in filter options:',
filter_options))
filter_type = address_family
if filter_type is None:
filter_type = 'inet'
# add the terms
new_terms = []
term_names = set()
for term in terms:
term.name = self.FixTermLength(term.name)
if term.name in term_names:
raise DuplicateTermError(
'You have a duplicate term: %s' % term.name)
term_names.add(term.name)
# junos options into the lexer, then we can nuke .*
# shenanigans.
if ns and '.*' not in supported_sub_tokens[el]:
err.append(' '.join(ns))
if err:
all_err.append(('%s contains unsupported keywords (%s) for target '
'%s in policy %s') % (term.name, ' '.join(err),
self._PLATFORM, pol.filename))
if warn:
all_warn.append(
('%s contains unimplemented keywords (%s) for '
'target %s in policy %s') % (term.name, ' '.join(warn),
self._PLATFORM, pol.filename))
continue
if all_err:
raise UnsupportedFilterError('\n %s' % '\n'.join(all_err))
if all_warn:
logging.debug('\n %s', '\n'.join(all_warn))
self._TranslatePolicy(pol, exp_info)
protocols: list of protocols
af: address family of this term, either numeric or text (see self.AF_MAP)
Returns:
sorted list of numeric icmp-type codes.
Raises:
UnsupportedFilterError: icmp-types specified with non-icmp protocol.
MismatchIcmpInetError: mismatch between icmp protocol and address family.
UnknownIcmpTypeError: unknown icmp-type specified
"""
if not icmp_types:
return ['']
# only protocols icmp or icmpv6 can be used with icmp-types
if protocols != ['icmp'] and protocols != ['icmpv6']:
raise UnsupportedFilterError('%s %s' % (
'icmp-types specified for non-icmp protocols in term: ',
self.term.name))
# make sure we have a numeric address family (4 or 6)
af = self.NormalizeAddressFamily(af)
# check that addr family and protocl are appropriate
if ((af != 4 and protocols == ['icmp']) or
(af != 6 and protocols == ['icmpv6'])):
raise MismatchIcmpInetError('%s %s' % (
'ICMP/ICMPv6 mismatch with address family IPv4/IPv6 in term',
self.term.name))
# ensure all icmp types are valid
for icmptype in icmp_types:
if icmptype not in self.ICMP_TYPE[af]:
raise UnknownIcmpTypeError('%s %s %s %s' % (
'\nUnrecognized ICMP-type (', icmptype,
') specified in term ', self.term.name))
af = 'inet6'
else:
raise aclgenerator.UnsupportedFilterError('%s %s %s' % (
'\n', self.term.name,
'icmp protocol is not defined or not supported.'))
icmp_types = self.NormalizeIcmpTypes(
self.term.icmp_type, protocol, af)
# options
tcp_flags_set = []
tcp_flags_check = []
for next_opt in [str(x) for x in self.term.option]:
for next_flag in self._TCP_FLAGS_TABLE:
if next_opt.find(next_flag) == 0:
if protocol != ['tcp']:
raise aclgenerator.UnsupportedFilterError('%s %s %s' % (
'\n', self.term.name,
'tcp flags may only be specified with tcp protocol.'))
tcp_flags_set.append(self._TCP_FLAGS_TABLE.get(next_flag))
tcp_flags_check.append(self._TCP_FLAGS_TABLE.get(next_flag))
# If tcp-established is set, override any of the flags above with the
# S/SA flags. Issue an error if flags are specified with 'established'.
for opt in [str(x) for x in self.term.option]:
if opt == 'established' or opt == 'tcp-established':
if tcp_flags_set or tcp_flags_check:
raise aclgenerator.UnsupportedFilterError('%s %s %s' % (
'\n', self.term.name,
'tcp flags may not be specified with tcp-established.'))
# We need to set 'flags A/A' for established regardless of whether or
# not we're stateful:
# - if we stateful, the default is 'flags S/SA' which prevent writing