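#
# The Qubes OS Project, http://www.qubes-os.org
#
# Copyright (C) 2011  Tomasz Sterna
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation; either version 2
# of the License, or (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program; if not, write to the Free Software
# Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA  02110-1301, USA.
#
#

import sys
import os
import re
import xml.etree.ElementTree

from PyQt4.QtCore import *
from PyQt4.QtGui import *

from qubes.qubes import QubesVmCollection
from qubes.qubes import QubesException
from qubes.qubes import dry_run

import ui_editfwrulesdlg
import ui_newfwruledlg


class EditFwRulesDlg(QDialog, ui_editfwrulesdlg.Ui_EditFwRulesDlg):
    """Dialog for editing one VM's firewall settings.

    The widgets are a view over a rules model handed in through set_model():
    the policy radio buttons and the DNS/ICMP check boxes write straight
    through to the model's ``allow`` / ``allowDns`` / ``allowIcmp``
    attributes, and the New/Edit/Delete buttons add, replace or remove
    QubesFirewallRuleItem rows.  Nothing in this dialog writes to the VM;
    persisting the rules is the model's apply_rules(), which the caller runs.

    The text typed into the rule dialog's combo boxes is re-checked in
    run_rule_dialog() before a rule is created, so a malformed netmask or
    port never reaches the firewall configuration.
    """

    def __init__(self, parent=None):
        super(EditFwRulesDlg, self).__init__(parent)
        self.setupUi(self)

        self.newRuleButton.clicked.connect(self.new_rule_button_pressed)
        self.editRuleButton.clicked.connect(self.edit_rule_button_pressed)
        self.deleteRuleButton.clicked.connect(self.delete_rule_button_pressed)
        # Only the Allow radio is wired up; Deny is its complement, so one
        # toggled signal is enough to track the default policy.
        self.policyAllowRadioButton.toggled.connect(self.policy_radio_toggled)
        self.dnsCheckBox.toggled.connect(self.dns_checkbox_toggled)
        self.icmpCheckBox.toggled.connect(self.icmp_checkbox_toggled)

    def set_model(self, model):
        """Attach the rules model and sync every widget to its state.

        ``self.__model`` must be assigned before any widget is touched below:
        setChecked() fires the toggled handlers, which write to the model.
        """
        self.__model = model
        self.rulesTreeView.setModel(model)
        header = self.rulesTreeView.header()
        header.setResizeMode(QHeaderView.ResizeToContents)
        header.setResizeMode(0, QHeaderView.Stretch)
        self.set_allow(model.allow)
        self.dnsCheckBox.setChecked(model.allowDns)
        self.icmpCheckBox.setChecked(model.allowIcmp)
        self.setWindowTitle(model.get_vm_name() + " firewall")

    def set_allow(self, allow):
        """Show the default policy: allow=True selects Allow, otherwise Deny."""
        self.policyAllowRadioButton.setChecked(allow)
        self.policyDenyRadioButton.setChecked(not allow)

    def policy_radio_toggled(self, on):
        # The handler reads the button state rather than the signal argument,
        # so the model always follows whichever radio is actually selected.
        self.__model.allow = self.policyAllowRadioButton.isChecked()

    def dns_checkbox_toggled(self, on):
        self.__model.allowDns = on

    def icmp_checkbox_toggled(self, on):
        self.__model.allowIcmp = on

    def new_rule_button_pressed(self):
        """Open an empty rule dialog and append whatever it returns."""
        self.run_rule_dialog(NewFwRuleDlg())

    def edit_rule_button_pressed(self):
        """Open the rule dialog pre-filled from the selected row and replace it.

        Does nothing when no row is selected.  selectedIndexes() yields one
        index per visible column of the selected row, so any of them gives
        the row number.
        """
        selected = self.rulesTreeView.selectedIndexes()
        if not selected:
            return
        row = selected[-1].row()

        dialog = NewFwRuleDlg()
        dialog.set_ok_enabled(True)
        # The address column's display text contains spaces; strip them so
        # the text round-trips through _parse_address() unchanged.
        address = self.__model.get_column_string(0, row).replace(' ', '')
        dialog.addressComboBox.setItemText(0, address)
        dialog.addressComboBox.setCurrentIndex(0)
        service = self.__model.get_column_string(1, row)
        dialog.serviceComboBox.setItemText(0, service)
        dialog.serviceComboBox.setCurrentIndex(0)
        self.run_rule_dialog(dialog, row)

    @staticmethod
    def _parse_address(text):
        """Split "host[/mask]" into (host, netmask).

        "*" (with or without a mask) means any host and becomes 0.0.0.0/0;
        a missing mask means a single host (/32).

        Raises:
            ValueError: the mask is not an integer in 0..32.  The combo box
                accepts free text, so this cannot be left to the validator.
        """
        host, sep, mask = text.partition("/")
        if sep:
            try:
                netmask = int(mask)
            except ValueError:
                raise ValueError("Netmask '{0}' is not a number.".format(mask))
            if not 0 <= netmask <= 32:
                raise ValueError("Netmask {0} is outside 0-32.".format(netmask))
        else:
            netmask = 32
        if host == "*":
            return "0.0.0.0", 0
        return host, netmask

    def _parse_service(self, text):
        """Turn the service text into a (port, port2) pair, or None.

        "*" is the any-port sentinel and yields (0, None); "N" yields
        (N, None); "A-B" yields (A, B).  Anything else is looked up as a
        service name through the model (backed by /etc/services) and yields
        (port, None), or None when the name is unknown.
        """
        if text == "*":
            return 0, None
        low, sep, high = text.partition("-")
        try:
            if sep:
                return int(low), int(high)
            return int(text), None
        except (TypeError, ValueError):
            port = self.__model.get_service_port(text)
            if port is None:
                return None
            return port, None

    def run_rule_dialog(self, dialog, row=None):
        """Run the rule dialog and store its result in the model.

        Args:
            dialog: a NewFwRuleDlg whose address and service combo boxes are
                read once it is accepted.
            row: model row to overwrite (edit), or None to append (new).

        Every rejection is reported with a warning box and leaves the model
        untouched: a bad netmask, an unknown service name, a port outside
        0..65535, or a range whose end is not above its start.
        """
        if not dialog.exec_():
            return
        address_text = str(dialog.addressComboBox.currentText())
        service_text = str(dialog.serviceComboBox.currentText())

        try:
            address, netmask = self._parse_address(address_text)
        except ValueError as ex:
            QMessageBox.warning(None, "Invalid address", str(ex))
            return

        ports = self._parse_service(service_text)
        if ports is None:
            QMessageBox.warning(None, "Invalid service name",
                                "Service '{0}' is unknown.".format(service_text))
            return
        port, port2 = ports

        # int() happily accepts 99999; keep what is written to the rules
        # file inside the TCP/UDP port space.
        for candidate in (port, port2):
            if candidate is not None and not 0 <= candidate <= 65535:
                QMessageBox.warning(None, "Invalid service port",
                                    "Port {0} is outside 0-65535.".format(candidate))
                return
        if port2 is not None and port2 <= port:
            QMessageBox.warning(None, "Invalid service ports range",
                                "Port {0} is lower than port {1}.".format(port2, port))
            return

        item = QubesFirewallRuleItem(address, netmask, port, port2)
        if row is not None:
            self.__model.setChild(row, item)
        else:
            self.__model.appendChild(item)

    def delete_rule_button_pressed(self):
        """Remove every selected row from the model.

        Rows are removed highest first: removing a low row first shifts the
        rows above it down, and later removals would then delete the wrong
        rules.
        """
        rows = set(index.row() for index in self.rulesTreeView.selectedIndexes())
        for row in sorted(rows, reverse=True):
            self.__model.removeChild(row)


class QIPAddressValidator(QValidator):
    """QValidator for a rule's address field.

    Accepts "*", a dotted-quad IPv4 address with an optional "/mask", or a
    host name.  Qt calls validate() on every keystroke: Invalid blocks the
    edit, Intermediate lets the user keep typing, Acceptable marks the text
    as complete.  Note that a dialog may still be accepted while the text is
    Intermediate, which is why run_rule_dialog() re-parses the address.
    """

    def __init__(self, parent=None):
        super(QIPAddressValidator, self).__init__(parent)

    def validate(self, input, pos):
        hostname = str(input)
        # Empty or over-long text is not valid yet, but typing may continue.
        if not hostname or len(hostname) > 255:
            return (QValidator.Intermediate, pos)
        if hostname == "*":
            return (QValidator.Acceptable, pos)

        hostname, sep, mask = hostname.partition("/")
        if sep:
            # A mask is only meaningful after a dotted-quad IPv4 address, so
            # a host name followed by "/" is rejected outright.
            if not (mask.isdigit() or mask == ""):
                return (QValidator.Invalid, pos)
            if re.match(r"^([0-9]{1,3}\.){3}[0-9]{1,3}$", hostname) is None:
                return (QValidator.Invalid, pos)
            # {1,3} digits admits 256..999 per octet; bound the values too.
            if any(int(octet) > 255 for octet in hostname.split(".")):
                return (QValidator.Invalid, pos)
            if mask and int(mask) > 32:
                return (QValidator.Invalid, pos)

        if hostname.endswith("."):
            hostname = hostname[:-1]
        if hostname.endswith("-"):
            return (QValidator.Intermediate, pos)
        # NOTE(review): the source is garbled from here on.  The tail of this
        # regex, the rest of validate() (the host-name label check and its
        # return), and the header plus the start of __init__ of the firewall
        # rules model class were lost.  The line below is kept as found; the
        # /etc/services loop after it is the end of that model's __init__
        # (``pattern`` is defined in the lost part), and the functions after
        # this class are the model's remaining methods.
        allowed = re.compile("(?!-)[A-Z\d-]{1,63}(?[a-z][a-z0-9-]+)\s+(?P[0-9]+)/(?P[a-z]+)", re.IGNORECASE)
        with open('/etc/services', 'r') as f:
            for line in f:
                match = pattern.match(line)
                if match is not None:
                    service = match.groupdict()
                    self.__services.append(
                        (service["name"], int(service["port"]), service["protocol"]))


# Methods of the firewall rules model (its class header is not in the visible
# source); ``self`` is that model.

def get_service_name(self, port):
    """Return the /etc/services name for ``port``, or the port as a string."""
    for name, service_port, _protocol in self.__services:
        if service_port == port:
            return name
    return str(port)


def get_service_port(self, name):
    """Return the port number for a service name, or None if unknown.

    The first /etc/services entry with that name wins; the protocol column
    is recorded but not consulted, so a name listed for both tcp and udp
    yields whichever port appears first.
    """
    for service_name, port, _protocol in self.__services:
        if service_name == name:
            return port
    return None


def get_column_string(self, col, row):
    """Display text for (col, row) via the model's column accessor table."""
    return self.__columnValues[col](row)


def set_vm(self, vm):
    """Load ``vm``'s firewall configuration into the model.

    Reads the same dict layout apply_rules() writes: "allow", "allowDns",
    "allowIcmp" and a "rules" list of address/netmask/portBegin/portEnd.
    Existing rows are dropped first.
    """
    self.__vm = vm
    self.clearChildren()
    conf = vm.get_firewall_conf()
    self.allow = conf["allow"]
    self.allowDns = conf["allowDns"]
    self.allowIcmp = conf["allowIcmp"]
    for rule in conf["rules"]:
        self.appendChild(QubesFirewallRuleItem(
            rule["address"], rule["netmask"],
            rule["portBegin"], rule["portEnd"]))


def get_vm_name(self):
    """Name of the VM loaded by set_vm()."""
    return self.__vm.name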
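# Remaining methods of the firewall rules model (a QAbstractItemModel
# subclass whose class header and column setup are not in the visible
# source); ``self`` is that model.

def apply_rules(self):
    """Write the edited policy and rules to the VM and push them to ProxyVMs.

    The model state is serialised into the same dict layout set_vm() reads
    and handed to vm.write_firewall_conf().  Every ProxyVM (not only the one
    serving this VM) then has its iptables xenstore entry rewritten so the
    new rules take effect.  The VM collection is locked for reading only,
    since nothing in it is modified here.

    Raises:
        RuntimeError: set_vm() has not been called, so there is no VM to
            write a rules file for.
    """
    if self.__vm is None:
        # Explicit check rather than assert, which is stripped under -O.
        raise RuntimeError("apply_rules() called before set_vm()")

    conf = {
        "allow": self.allow,
        "allowDns": self.allowDns,
        "allowIcmp": self.allowIcmp,
        "rules": [
            {
                "address": rule.address,
                "netmask": rule.netmask,
                "portBegin": rule.portBegin,
                "portEnd": rule.portEnd,
            }
            for rule in self.children
        ],
    }
    self.__vm.write_firewall_conf(conf)

    qvm_collection = QubesVmCollection()
    qvm_collection.lock_db_for_reading()
    try:
        qvm_collection.load()
    finally:
        # Never leave the database lock held if load() fails.
        qvm_collection.unlock_db()

    # The rules only become active once the ProxyVMs re-read their entries.
    for vm in qvm_collection.values():
        if vm.is_proxyvm():
            vm.write_iptables_xenstore_entry()


def index(self, row, column, parent=QModelIndex()):
    """Index for (row, column); invalid when out of range."""
    if not self.hasIndex(row, column, parent):
        return QModelIndex()
    return self.createIndex(row, column, self.children[row])


def parent(self, child):
    """Every row hangs off the invisible root: the model is flat."""
    return QModelIndex()


def rowCount(self, parent=QModelIndex()):
    """Number of rules under the root; rule rows have no children of their
    own, matching parent() always returning the root."""
    if parent.isValid():
        return 0
    return len(self)


def columnCount(self, parent=QModelIndex()):
    return len(self.__columnValues)


def hasChildren(self, index=QModelIndex()):
    """The root reports children; a rule item answers for itself."""
    parentItem = index.internalPointer()
    if parentItem is not None:
        return parentItem.hasChildren()
    return True


def data(self, index, role=Qt.DisplayRole):
    """Display text only; every other role yields a null QVariant."""
    if index.isValid() and role == Qt.DisplayRole:
        return self.__columnValues[index.column()](index.row())
    return QVariant()


def headerData(self, section, orientation, role=Qt.DisplayRole):
    """Horizontal header labels from the column name table."""
    if (section < len(self.__columnNames)
            and orientation == Qt.Horizontal and role == Qt.DisplayRole):
        return self.__columnNames[section]
    return QVariant()


@property
def children(self):
    """The rule items, in row order."""
    return self.__children


def appendChild(self, child):
    """Add a rule as the last row, with the insert notifications Qt expects."""
    row = len(self)
    self.beginInsertRows(QModelIndex(), row, row)
    self.children.append(child)
    self.endInsertRows()
    first = self.createIndex(row, 0, child)
    last = self.createIndex(row, self.columnCount() - 1, child)
    self.dataChanged.emit(first, last)


def removeChild(self, i):
    """Remove row ``i``; out-of-range rows (including negative) are ignored.

    endRemoveRows() already tells views about the change; no dataChanged is
    emitted afterwards, since it would describe a row that no longer exists.
    """
    if i < 0 or i >= len(self):
        return
    self.beginRemoveRows(QModelIndex(), i, i)
    del self.children[i]
    self.endRemoveRows()


def setChild(self, i, child):
    """Replace the rule at row ``i`` in place.

    dataChanged covers the whole row: signalling column 0 alone left the
    other columns of an edited rule stale in the view.
    """
    self.children[i] = child
    first = self.createIndex(i, 0, child)
    last = self.createIndex(i, self.columnCount() - 1, child)
    self.dataChanged.emit(first, last)


def clearChildren(self):
    # Replaces the list wholesale without model reset signals; callers such
    # as set_vm() rely on appendChild() to notify views afterwards.
    self.__children = list()


def __len__(self):
    return len(self.children)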