ExternalMirrors
/
ufw-formula
mirror of https://github.com/saltstack-formulas/ufw-formula
Watch 1
Star 0
Fork 1
Code Issues 0 Releases 12 Wiki Activity
Saltstack Official UFW Formula
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
20 Commits
1 Branch
Tree: c60bc71357
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from 'c60bc71357'
${ noResults }
ufw-formula/_states/ufw.py

172 lines
5.0KB
Raw Blame History 

  1. from salt.exceptions import CommandExecutionError, CommandNotFoundError

  2. import re

  3. import socket

  4. 

  5. 

  6. def _unchanged(name, msg):

  7.     return {'name': name, 'result': True, 'comment': msg, 'changes': {}}

  8. 

  9. 

  10. def _test(name, msg):

  11.     return {'name': name, 'result': None, 'comment': msg, 'changes': {}}

  12. 

  13. 

  14. def _error(name, msg):

  15.     return {'name': name, 'result': False, 'comment': msg, 'changes': {}}

  16. 

  17. 

  18. def _changed(name, msg, **changes):

  19.     return {'name': name, 'result': True, 'comment': msg, 'changes': changes}

  20. 

  21. 

  22. def _resolve(host):

  23.     # let's just see if it starts with a number or a colon, for simplicity

  24.     if re.match(r'^[0-9:]', host):

  25.         return host

  26. 

  27.     return socket.gethostbyname(host)

  28. 

  29. 

  30. def _as_rule(method, app, interface, protocol, from_addr, from_port, to_addr, to_port, comment):

  31.     cmd = [method]

  32.     if app is not None:

  33.       cmd.append("from")

  34.       if from_addr is not None:

  35.         cmd.append(from_addr)

  36.       else:

  37.         cmd.append("any")

  38. 

  39.       cmd.append("to")

  40.       if to_addr is not None:

  41.         cmd.append(to_addr)

  42.       else:

  43.         cmd.append("any")

  44. 

  45.       cmd.append("app")

  46.       cmd.append(app)

  47.     elif interface is not None:

  48.     	cmd.append("in")

  49.     	cmd.append("on")

  50.     	cmd.append(interface)

  51.     else:

  52.         if protocol is not None:

  53.             cmd.append("proto")

  54.             cmd.append(protocol)

  55. 

  56.         cmd.append("from")

  57.         if from_addr is not None:

  58.             cmd.append(_resolve(from_addr))

  59.         else:

  60.             cmd.append("any")

  61. 

  62.         if from_port is not None:

  63.             cmd.append("port")

  64.             cmd.append(_resolve(from_port))

  65. 

  66.         cmd.append("to")

  67.         if to_addr is not None:

  68.             cmd.append(to_addr)

  69.         else:

  70.             cmd.append("any")

  71. 

  72.         if to_port is not None:

  73.             cmd.append("port")

  74.             cmd.append(to_port)

  75. 

  76.     if comment is not None:

  77.         cmd.append("comment")

  78.         cmd.append(comment)

  79.     real_cmd = ' '.join(cmd)

  80.     return real_cmd

  81. 

  82. 

  83. def enabled(name, **kwargs):

  84.     if __salt__['ufw.is_enabled']():

  85.         return _unchanged(name, "UFW is already enabled")

  86. 

  87.     try:

  88.         __salt__['ufw.set_enabled'](True)

  89.     except (CommandExecutionError, CommandNotFoundError) as e:

  90.         return _error(name, e.message)

  91. 

  92.     if __opts__['test']:

  93.         return _test(name, "UFW would have been enabled")

  94.     else:

  95.         return _changed(name, "UFW is enabled", enabled=True)

  96. 

  97. 

  98. def default_incoming(name, default):

  99.     rule = "default {0} incoming".format(default)

  100.     if __opts__['test']:

  101.         return _test(name, "{0}: {1}".format(name, rule))

  102. 

  103.     current = __salt__['ufw.get_default_incoming']()

  104. 

  105.     if default != current:

  106.         try:

  107.             out = __salt__['ufw.add_rule'](rule)

  108.         except (CommandExecutionError, CommandNotFoundError) as e:

  109.             return _error(name, e.message)

  110. 

  111.         for line in out.split('\n'):

  112.             if line.startswith("Default incoming policy changed to"):

  113.                 return _changed(name, "{0} set to {1}".format(name, default), rule=rule)

  114.             return _error(name, line)

  115. 

  116.     return _unchanged(name, "{0} was already set to {1}".format(name, default))

  117. 

  118. 

  119. def default_outgoing(name, default):

  120.     rule = "default {0} outgoing".format(default)

  121.     if __opts__['test']:

  122.         return _test(name, "{0}: {1}".format(name, rule))

  123. 

  124.     current = __salt__['ufw.get_default_outgoing']()

  125. 

  126.     if default != current:

  127.         try:

  128.             out = __salt__['ufw.add_rule'](rule)

  129.         except (CommandExecutionError, CommandNotFoundError) as e:

  130.             return _error(name, e.message)

  131. 

  132.         for line in out.split('\n'):

  133.             if line.startswith("Default outgoing policy changed to"):

  134.                 return _changed(name, "{0} set to {1}".format(name, default), rule=rule)

  135.             return _error(name, line)

  136. 

  137.     return _unchanged(name, "{0} was already set to {1}".format(name, default))

  138. 

  139. 

  140. def allowed(name, app=None, interface=None, protocol=None,

  141.             from_addr=None, from_port=None, to_addr=None, to_port=None, comment=None):

  142. 

  143.     rule = _as_rule("allow", app=app, interface=interface, protocol=protocol,

  144.                    from_addr=from_addr, from_port=from_port, to_addr=to_addr, to_port=to_port, comment=comment)

  145. 

  146.     try:

  147.         out = __salt__['ufw.add_rule'](rule)

  148.     except (CommandExecutionError, CommandNotFoundError) as e:

  149.         return _error(name, e.message)

  150. 

  151.     changes = False

  152.     for line in out.split('\n'):

  153.         if line.startswith("Skipping"):

  154.             if __opts__['test']:

  155.                 return _unchanged(name, "{0} was already allowed".format(name))

  156.                 break

  157.             else:

  158.                 continue

  159.         if line.startswith("Rule added") or line.startswith("Rules updated"):

  160.             changes = True

  161.             break

  162.         if __opts__['test']:

  163.             return _test(name, "{0} would have been allowed".format(name))

  164.             break

  165.         return _error(name, line)

  166. 

  167.     if changes:

  168.         return _changed(name, "{0} allowed".format(name), rule=rule)

  169.     else:

  170.         return _unchanged(name, "{0} was already allowed".format(name))