-
Notifications
You must be signed in to change notification settings - Fork 2
/
iprule.py
238 lines (189 loc) · 6.36 KB
/
iprule.py
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
from netaddr import *
class Match(object):
def __init__(self, name, rule=None):
self.name = name
self.rule = rule
def __getattr__(self, name):
try:
return super(Match, self).__getattribute__(name)
except KeyError:
raise AttributeError
def __setattr__(self, key, value):
key = key.replace("-", "_")
super(Match, self).__setattr__(key, value)
class Rule(object):
""" Rules are entries in chains
"""
def __init__(self, chain=None):
self.chain = chain
self._matches = []
self._target = None
self._proto = None
self._src = None
self._dst = None
def create_match(self, name):
match = Match(name)
self.add_match(match)
return match
def add_match(self, match):
match.rule = self
self._matches.append(match)
def remove_match(self, match):
self._matches.remove(match)
def _get_target(self):
return self._target
def _set_target(self, target):
self._target = target
target = property(_get_target, _set_target)
def _get_proto(self):
return self._proto
def _set_proto(self, protocol):
self._proto = protocol
protocol = property(_get_proto, _set_proto)
def get_src(self):
return self._src
def set_src(self, src):
self._src = src
src = property(get_src, set_src)
def get_dst(self):
return self._dst
def set_dst(self, dst):
self._dst = dst
dst = property(get_dst, set_dst)
class Chain(object):
_cache = dict()
def __new__(cls, table, name):
obj = Chain._cache.get(table.name + "." + name, None)
if not obj:
obj = object.__new__(cls)
obj.__init__(table, name)
Chain._cache[table.name + "." + name] = obj
obj._rules = []
return obj
def __init__(self, table, name):
self.name = name
self.table = table
table.add_chain(self)
#self._rules = []
def append_rule(self, rule):
self._rules.append(rule)
rule.chain = self
def insert_rule(self, rule, position=0):
self._rules.insert(position, rule)
rule.chain = self
def replace_rule(self, rule, position=0):
self._rules[position] = rule
rule.chain = self
def get_rule(self, position=0):
return self._rules[position]
def delete_rule(self, position=-1):
if position < 0:
print "wrong position"
return
del self._rules[position]
class Table(object):
FILTER = "filter"
"""This is the constant for the filter table."""
MANGLE = "mangle"
"""This is the constant for the mangle table."""
RAW = "raw"
"""This is the constant for the raw table."""
NAT = "nat"
"""This is the constant for the nat table."""
ALL = ["filter", "mangle", "raw", "nat"]
_cache = dict()
def __new__(cls, name):
obj = Table._cache.get(name, None)
if not obj:
obj = object.__new__(cls)
obj.__init__(name)
Table._cache[name] = obj
obj.chains = dict()
return obj
def __init__(self, name):
self.name = name
#self.chains = dict()
def add_chain(self, chain):
if chain.name not in self.chains:
self.chains[chain.name] = chain
#else :
# raise ValueError("chain already exist")
def get_chain(self, chain_name):
return self.chains[chain_name]
def delete_chain(self, chain):
if chain.name not in self.chians:
raise ValueError("nothing to delete")
else:
del self.chains[chain.name]
class Comparison(object):
def __init__(self, table):
self.table = table
def portMatch(self, portnum, portRange):
ports = [int(s) for s in portRange]
if len(ports) == 0 or portnum == -1:
return True
elif len(ports) == 1:
if portnum == ports[0]:
return True
else:
if portnum >= ports[0] and portnum <= ports[1]:
return True
return False
# ipMatch1 is used to test -s with ip subnet
def ipMatch1(self, ip, cmpIP):
if cmpIP == None or cmpIP == '0.0.0.0/0.0.0.0':
return True
if ip ==None:
return False
if '/' in cmpIP:
ipset = IPSet([cmpIP])
if ip in ipset:
return True
else:
if ip == cmpIP:
return True
return False
#ipMatch2 is used to test ipRange
def ipMatch2(self, ip, ipRange):
if len(ipRange) == 0:
return True
if ip == None:
return False
if len(ipRange) == 2:
iprange = IPRange(ipRange[0], ipRange[1])
if ip in iprange:
return True
elif ip == ipRange[0]:
return True
return False
def compare(self, proto, tsIp=None, tdIp=None, tsPort=-1, tdPort=-1):
matched_rule = {}
for key in self.table.chains:
chain = self.table.chains[key]
for rule in chain._rules:
dport = []
sport = []
srange = []
drange = []
src = rule.src
dst = rule.dst
if proto != rule.protocol:
continue
for match in rule._matches:
if 'dport' in dir(match):
dport = match.dport.split(':')
if 'sport' in dir(match):
sport = match.sport.split(':')
if 'src_range' in dir(match):
srange = match.src_range.split('-')
if 'dst_range' in dir(match):
drange = match.dst_range.split('-')
if self.ipMatch1(tsIp, src) and self.ipMatch1(tdIp, dst) \
and self.portMatch(tsPort, sport) and self.portMatch(tdPort, dport) \
and self.ipMatch2(tsIp, srange) and self.ipMatch2(tdIp, drange):
matched_rule['src'] = tsIp
matched_rule['dst'] = tdIp
matched_rule['proto'] = rule.protocol
matched_rule['target'] = rule.target
return matched_rule
return matched_rule