%PDF- %PDF-
Mini Shell

Mini Shell

Direktori : /lib/python2.7/site-packages/salt/states/
Upload File :
Create Path :
Current File : //lib/python2.7/site-packages/salt/states/iptables.pyc

�
���^c@@s�dZddlmZmZmZddlmZd�Zddd�Z	ddd�Z
ddd	�Zddd
�Zddd�Z
ddd�Zddd
�Zd�ZdS(u�
Management of iptables
======================

This is an iptables-specific module designed to manage Linux firewalls. It is
expected that this state module, and other system-specific firewall states, may
at some point be deprecated in favor of a more generic ``firewall`` state.

.. code-block:: yaml

    httpd:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match:
            - state
            - comment
        - comment: "Allow HTTP"
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match:
            - state
            - comment
        - comment: "Allow HTTP"
        - connstate: NEW
        - source: '127.0.0.1'
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    .. Invert Rule
    httpd:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match:
            - state
            - comment
        - comment: "Allow HTTP"
        - connstate: NEW
        - source: '! 127.0.0.1'
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match:
            - state
            - comment
        - comment: "Allow HTTP"
        - connstate: NEW
        - source: 'not 127.0.0.1'
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.append:
        - table: filter
        - family: ipv6
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.append:
        - table: filter
        - family: ipv4
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dports:
            - 80
            - 443
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.insert:
        - position: 1
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.insert:
        - position: 1
        - table: filter
        - family: ipv6
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.delete:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.delete:
        - position: 1
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.delete:
        - table: filter
        - family: ipv6
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    default to accept:
      iptables.set_policy:
        - chain: INPUT
        - policy: ACCEPT

.. note::

    Whereas iptables will accept ``-p``, ``--proto[c[o[l]]]`` as synonyms of
    ``--protocol``, if ``--proto`` appears in an iptables command after the
    appearance of ``-m policy``, it is interpreted as the ``--proto`` option of
    the policy extension (see the iptables-extensions(8) man page).

Example rules for IPSec policy:

.. code-block:: yaml

    accept_esp_in:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - source: 10.20.0.0/24
        - destination: 10.10.0.0/24
        - in-interface: eth0
        - match: policy
        - dir: in
        - pol: ipsec
        - reqid: 1
        - proto: esp
    accept_esp_forward_in:
      iptables.append:
        - use:
          - iptables: accept_esp_in
        - chain: FORWARD

    accept_esp_out:
      iptables.append:
        - table: filter
        - chain: OUTPUT
        - jump: ACCEPT
        - source: 10.10.0.0/24
        - destination: 10.20.0.0/24
        - out-interface: eth0
        - match: policy
        - dir: out
        - pol: ipsec
        - reqid: 1
        - proto: esp
    accept_esp_forward_out:
      iptables.append:
        - use:
          - iptables: accept_esp_out
        - chain: FORWARD

.. note::

    Various functions of the ``iptables`` module use the ``--check`` option. If
    the version of ``iptables`` on the target system does not include this
    option, an alternate version of this check will be performed using the
    output of iptables-save. This may have unintended consequences on legacy
    releases of ``iptables``.
i(tabsolute_importtunicode_literalstprint_function(tSTATE_INTERNAL_KEYWORDScC@s
dtkS(uA
    Only load if the locale module is available in __salt__
    uiptables.version(t__salt__(((s8/usr/lib/python2.7/site-packages/salt/states/iptables.pyt__virtual__�sufilteruipv4cC@s i|d6id6dd6dd6}td|||�}|tkrkt|d<dj|||�|d<|Stdr�d	j|||�|d<|Std
|||�}|tkr�i|d6|d<t|d<dj|||�|d<|St|d<d
j|||j�|�|d<|SdS(u�
    .. versionadded:: 2014.1.0

    Verify the chain is exist.

    name
        A user-defined chain name.

    table
        The table to own the chain.

    family
        Networking family, either ipv4 or ipv6
    unameuchangesuresultuucommentuiptables.check_chainu8iptables {0} chain is already exist in {1} table for {2}utestu7iptables {0} chain in {1} table needs to be set for {2}uiptables.new_chainulocaleu6iptables {0} chain in {1} table create success for {2}u4Failed to create {0} chain in {1} table: {2} for {3}N(tNoneRtTruetformatt__opts__tFalsetstrip(tnamettabletfamilytrettchain_checktcommand((s8/usr/lib/python2.7/site-packages/salt/states/iptables.pyt
chain_presents<






	
cC@s`i|d6id6dd6dd6}td|||�}|set|d<dj|||�|d<|Stdr�d	j|||�|d<|Std
|||�}|s0td|||�}|tkri|d6|d<t|d<d
j|||�|d<q\t|d<dj|||j�|�|d<n,t|d<dj|||j�|�|d<|S(u�
    .. versionadded:: 2014.1.0

    Verify the chain is absent.

    table
        The table to remove the chain from

    family
        Networking family, either ipv4 or ipv6
    unameuchangesuresultuucommentuiptables.check_chainu9iptables {0} chain is already absent in {1} table for {2}utestu7iptables {0} chain in {1} table needs to be removed {2}uiptables.flushuiptables.delete_chainulocaleu6iptables {0} chain in {1} table delete success for {2}u4Failed to delete {0} chain in {1} table: {2} for {3}u3Failed to flush {0} chain in {1} table: {2} for {3}N(RRRRR	R
R(RR
RRRtflush_chainR((s8/usr/lib/python2.7/site-packages/salt/states/iptables.pytchain_absent4sD







	
c	K@s�i|d6id6dd6dd6}d|kr�g|dd<g}t}x�|dD]�}d|kro|d=nd|kr�|d=nd	|kr�|d	r�t}|d	tk	r�|d	}nt}t|d	<nt|�}	d|	dkr
|ddj|	dd�n|j|	d�|	d|d<qSW|rb|tkrKd}ntd
|d|�n|dds~|dd=ndj|�|d<|Sx$tD]}
|
|kr�||
=q�q�W||d<||d
<tdd||�}tdddd|dd|�}td||d||�tkr�t|d<dj||j�|�|d<d	|kr�|d	r�|d	tk	r�|d	}nd}tdd|�}
tdd|�}g}xA|D]9}x0||D]$}|j|||j	d��q�Wq�Wg}xA|
D]9}x0|
|D]$}|j|
||j	d��qWq
W||kr�td
|d|�}|dcdj|||j�|�7<q�n|St
dr�dj||j�|�|d<|Std||d||�r�i|d6|d<t|d<dj||j�|�|d<d	|kr�|d	r�|d	tk	rR|d	}nd}td
|d|�}dj|||j�|�|d<q�n|St|d<dj||j�|�|d<|SdS( u�
    .. versionadded:: 0.17.0

    Add a rule to the end of the specified chain.

    name
        A user-defined name to call this rule by in another part of a state or
        formula. This should not be an actual rule.

    table
        The table that owns the chain which should be modified

    family
        Network family, ipv4 or ipv6.

    All other arguments are passed in with the same name as the long option
    that would normally be used for iptables, with one exception: ``--state`` is
    specified as `connstate` instead of `state` (not to be confused with
    `ctstate`).

    Jump options that doesn't take arguments should be passed in with an empty
    string.
    unameuchangesuresultuucommenturulesulocaleu__agg__usaveu
iptables.saveRu
utableuiptables.build_ruletfulluTrueRuAuiptables.checkuchainu/iptables rule for {0} already set ({1}) for {2}uiptables.get_saved_rulesuiptables.get_rulesu(
Saved iptables rule {0} for {1}
{2}
{3}utestu3iptables rule for {0} needs to be set ({1}) for {2}uiptables.appendu)Set iptables rule for {0} to: {1} for {2}u/Set and saved iptables rule {0} for {1}
{2}
{3}uCFailed to set iptables rule for {0}.
Attempted rule was {1} for {2}N(RR
RtappendRtjoint_STATE_INTERNAL_KEYWORDSRRtgetR	(RR
RtkwargsRtcommentstsavetrulet	save_filet_rettignoreRtfilenametsaved_rulest_rulest__rulestchaint
__saved_rulestout((s8/usr/lib/python2.7/site-packages/salt/states/iptables.pyRis�





 	


"

	


&
&
	

	


"
c	K@s�i|d6id6d d6dd6}d|kr�g|dd<g}t}x�|dD]�}d|kro|d=nd|kr�|d=nd	|kr�|d	r�t}|d	tk	r�|d	}nt}t|d	<nt|�}	d|	dkr
|ddj|	dd�n|j|	d�|	d|d<qSW|rb|tkrKd }ntd
|d|�n|dds~|dd=ndj|�|d<|Sx$tD]}
|
|kr�||
=q�q�W||d<||d
<tdd||�}tddtd|dd|�}td||d||�tkr�t|d<dj|||j	��|d<d	|kr�|d	r�|d	tk	r�|d	}nd }tdd|�}
tdd|�}g}xA|D]9}x0||D]$}|j|||j
d��q�Wq�Wg}xA|
D]9}x0|
|D]$}|j|
||j
d��qWq
W||kr�td
|d|�}|dcdj|||j	�|�7<q�n|Stdr�dj|||j	��|d<|Std||d|d||�s�i|d6|d<t|d<dj||j	�|�|d<d	|kr}|d	r}td
dd d|�}dj|||j	�|�|d<q}n|St|d<dj||j	��|d<|Sd S(!uL
    .. versionadded:: 2014.1.0

    Insert a rule into a chain

    name
        A user-defined name to call this rule by in another part of a state or
        formula. This should not be an actual rule.

    table
        The table that owns the chain that should be modified

    family
        Networking family, either ipv4 or ipv6

    position
        The numerical representation of where the rule should be inserted into
        the chain. Note that ``-1`` is not a supported position value.

    All other arguments are passed in with the same name as the long option
    that would normally be used for iptables, with one exception: ``--state`` is
    specified as `connstate` instead of `state` (not to be confused with
    `ctstate`).

    Jump options that doesn't take arguments should be passed in with an empty
    string.
    unameuchangesuresultuucommenturulesulocaleu__agg__usaveu
iptables.saveRu
utableuiptables.build_ruleRRuIuiptables.checkuchainu/iptables rule for {0} already set for {1} ({2})uiptables.get_saved_rulesuiptables.get_rulesu(
Saved iptables rule {0} for {1}
{2}
{3}utestu3iptables rule for {0} needs to be set for {1} ({2})uiptables.insertupositionu)Set iptables rule for {0} to: {1} for {2}R!u/Set and saved iptables rule {0} for {1}
{2}
{3}u;Failed to set iptables rule for {0}.
Attempted rule was {1}N(RR
RtinsertRRRRRRRR	(RR
RRRRRRRRR RR!R"R#R$R%R&R'((s8/usr/lib/python2.7/site-packages/salt/states/iptables.pyR(�s�





 	


"



&
&
$
	

"
cK@s�i|d6id6dd6dd6}d|kr�g|dd<g}t}x�|dD]�}d|kro|d=nd|kr�|d=nd	|kr�|d	r�|d	tk	r�|d	}nt}t|d	<nt|�}	d|	dkr|ddj|	dd�n|j|	d�|	d|d<qSW|r\|tkrEd}ntd
|d|�n|ddsx|dd=ndj|�|d<|Sx$tD]}
|
|kr�||
=q�q�W||d<||d
<tdd||�}tddtd|dd|�}td||d||�tk	rad|krat|d<dj|||j	��|d<|Snt
dr�dj|||j	��|d<|Sd|kr�td||dd|d|d�}n#td||dd|d|�}|si|d6|d<t|d<dj||j	��|d<d	|kr{|d	r{td
ddd|�}
dj|||j	�|
�|d<q{n|St|d<dj||j	��|d<|SdS( u�
    .. versionadded:: 2014.1.0

    Delete a rule to a chain

    name
        A user-defined name to call this rule by in another part of a state or
        formula. This should not be an actual rule.

    table
        The table that owns the chain that should be modified

    family
        Networking family, either ipv4 or ipv6

    All other arguments are passed in with the same name as the long option
    that would normally be used for iptables, with one exception: ``--state`` is
    specified as `connstate` instead of `state` (not to be confused with
    `ctstate`).

    Jump options that doesn't take arguments should be passed in with an empty
    string.
    unameuchangesuresultuucommenturulesulocaleu__agg__usaveu
iptables.saveRu
utableuiptables.build_ruleRRuDuiptables.checkuchainupositionu2iptables rule for {0} already absent for {1} ({2})utestu7iptables rule for {0} needs to be deleted for {1} ({2})uiptables.deletetpositionRu Delete iptables rule for {0} {1}R!u3Deleted and saved iptables rule {0} for {1}
{2}
{3}u>Failed to delete iptables rule for {0}.
Attempted rule was {1}N(RR
RtdeleteRRRRRRR	(RR
RRRRRRRRR RtresultR'((s8/usr/lib/python2.7/site-packages/salt/states/iptables.pyR*is�





 	


"




	

"
cK@s�i|d6id6dd6dd6}x$tD]}||kr)||=q)q)Wtd||d|�|dkr�t|d<d	j|d|||d�|d<|Std
r�dj|d|||d�|d<|Std||d|d|�s�i|d
6|d<t|d<dj|d|d|�|d<d|kr�|dr�tdddd|�dj|d|d|�|d<q�n|St|d<d|d<|SdS(u
    .. versionadded:: 2014.1.0

    Sets the default policy for iptables firewall tables

    table
        The table that owns the chain that should be modified

    family
        Networking family, either ipv4 or ipv6

    policy
        The requested table policy

    unameuchangesuresultuucommentuiptables.get_policyuchainupolicyuMiptables default policy for chain {0} on table {1} for {2} already set to {3}utestuQiptables default policy for chain {0} on table {1} for {2} needs to be set to {3}uiptables.set_policyulocaleu,Set default policy for {0} to {1} family {2}usaveu
iptables.saveR!Ru6Set and saved default policy for {0} to {1} family {2}u%Failed to set iptables default policyN(RRRRRR	R
(RR
RRRR ((s8/usr/lib/python2.7/site-packages/salt/states/iptables.pyt
set_policy�sX




	




cK@s�i|d6id6d
d6dd6}x$tD]}||kr)||=q)q)Wd|krbd|d<ntdr�dj|||�|d<|Std	||d|�s�i|d
6|d<t|d<dj||d|�|d<|St|d<d|d<|Sd
S(u�
    .. versionadded:: 2014.1.0

    Flush current iptables state

    table
        The table that owns the chain that should be modified

    family
        Networking family, either ipv4 or ipv6

    unameuchangesuresultuucommentuchainutestuDiptables rules in {0} table {1} chain {2} family needs to be flusheduiptables.flushulocaleu6Flush iptables rules in {0} table {1} chain {2} familyuFailed to flush iptables rulesN(RRR	RRRR
(RR
RRRR ((s8/usr/lib/python2.7/site-packages/salt/states/iptables.pytflush#s4









cC@s	g}ddg}|jd�|kr+|Sx�|D]�}td|�}||krZq2n|jd�dkr2d|kr�q2n|jd�|jd�kr�q2n||kr�|j|�t|d<q�q2q2W|rd|kr�|dj|�q||d<n|S(	u�
    The mod_aggregate function which looks up all rules in the available
    low chunks and merges them into a single rules ref in the present low data
    uappenduinsertufunu
state.gen_tagustateuiptablesu__agg__urules(Rt	__utils__RRtextend(tlowtchunkstrunningtrulestagg_enabledtchunkttag((s8/usr/lib/python2.7/site-packages/salt/states/iptables.pyt
mod_aggregatePs,	


N(t__doc__t
__future__RRRt
salt.stateRRRRRRR(R*R,R-R7(((s8/usr/lib/python2.7/site-packages/salt/states/iptables.pyt<module>�s	45��vD-

Zerion Mini Shell 1.0