Package: pyroman
Version: 0.4.6-4
Severity: important
Tags: upstream patch

There is currently no easy way to add "esp" and "ah" protocols in a rule because the protocols are not recognized by pyroman.

This patch allows the following "add_service" definition:

    add_service("ipsec", dports="esp ah")

and if used in a rule like:

    allow(client="host1", server="vpnhost", service="ipsec")

will generate the rules properly.

I'm reporting the bug against what's installed on this system, but it should
apply to the latest version in SVN.
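To make the behaviour of the patched parser concrete, here is a small added example (not pyroman's own code; the two regexes are copied verbatim from the diff in this report, while PORTLESS, parse_port_spec, validate_port_spec and parse_dports are names invented for this example). It shows that "esp" and "ah" now parse as bare protocols, that the old pattern rejected them, and that the new pattern still accepts a port prefix such as "500/esp", which the validation helper rejects explicitly instead of letting it be dropped later:

```python
import re

# Protocol/port pattern as it stood before the patch in this report (copied from the diff).
OLD_PATTERN = r"^(?:([a-z0-9\-]+|[0-9]+(?:\:[0-9]+)?)(?:/))?(tcp|udp|icmp|icmpv6|ipv6-icmp)$"
# The same pattern after the patch: esp and ah added to the protocol alternation.
NEW_PATTERN = r"^(?:([a-z0-9\-]+|[0-9]+(?:\:[0-9]+)?)(?:/))?(tcp|udp|esp|ah|icmp|icmpv6|ipv6-icmp)$"

# Protocols that carry no port or type field (an assumption of this example, not a pyroman constant).
PORTLESS = ("esp", "ah")


def parse_port_spec(spec, pattern=NEW_PATTERN):
    """Return (port, proto) for a pyroman-style "port/proto" token, or None if it does not match.

    port is None when the token is a bare protocol name such as "esp".
    """
    m = re.match(pattern, spec)
    if m is None:
        return None
    return (m.group(1), m.group(2))


def validate_port_spec(spec):
    """Parse a token and reject a port prefix on a portless protocol.

    The patched regex still accepts e.g. "500/esp"; downstream the port would be
    ignored, so this helper turns that into an explicit error instead.
    """
    parsed = parse_port_spec(spec)
    if parsed is None:
        raise ValueError("unrecognised port/protocol spec: %r" % (spec,))
    port, proto = parsed
    if proto in PORTLESS and port is not None:
        raise ValueError("%s carries no port, but %r was given" % (proto, port))
    return parsed


def parse_dports(dports):
    """Split a space-separated dports value, as in add_service(..., dports="esp ah"), into validated tokens."""
    return [validate_port_spec(tok) for tok in dports.split()]


if __name__ == "__main__":
    for spec in ("esp", "ah", "22/tcp", "ssh/tcp", "ipv6-icmp"):
        print(spec, "->", parse_port_spec(spec))
    print("esp with old pattern ->", parse_port_spec("esp", OLD_PATTERN))
    print("ipsec dports ->", parse_dports("esp ah"))
    try:
        validate_port_spec("500/esp")
    except ValueError as exc:
        print("rejected:", exc)
```

Running the module prints the parse results for a handful of constructed tokens; the interesting cases are "esp" under the old pattern (no match) and "500/esp" under the new one (matches, then rejected by the validator).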


-- System Information:
Debian Release: 6.0.1
  APT prefers oldstable-updates
  APT policy: (500, 'oldstable-updates'), (500, 'oldstable')
Architecture: i386 (i686)

Kernel: Linux 2.6.32-5-686 (SMP w/1 CPU core)

Versions of packages pyroman depends on:
ii  iptables                1.4.8-3          administration tools for packet fi
ii  python                  2.6.6-3+squeeze7 interactive high-level object-orie
ii  python-support          1.0.10           automated rebuilding support for P

pyroman recommends no packages.

pyroman suggests no packages.

-- no debconf information

diff --git a/pyroman/port.py b/pyroman/port.py
index 1883f218..28d8acb0 100644
--- a/pyroman/port.py
+++ b/pyroman/port.py
@@ -45,7 +45,7 @@ class Port:
 	"""
 
 	# Split and verify syntax of statement
-	preg  = re.compile("^(?:([a-z0-9\-]+|[0-9]+(?:\:[0-9]+)?)(?:/))?(tcp|udp|icmp|icmpv6|ipv6-icmp)$")
+	preg  = re.compile("^(?:([a-z0-9\-]+|[0-9]+(?:\:[0-9]+)?)(?:/))?(tcp|udp|esp|ah|icmp|icmpv6|ipv6-icmp)$")
 	# verify port range
 	prreg = re.compile("^([0-9]+:)?[0-9]+$")
 
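Review bot: the widened alternation still lets the optional port group precede esp or ah, so a spec such as "500/esp" passes this regex even though those protocols have no port or type field; either keep the new protocols out of the "port/proto" form (for example by matching `esp|ah` only as a bare token) or reject a non-None port for them where self.port and self.proto are assigned. While touching the line, make the pattern a raw string: the `\-` and `\:` escapes are unnecessary and backslashes in a non-raw string literal are fragile.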
@@ -66,7 +66,7 @@ class Port:
 			self.proto = m.group(2)
 
 			# if it's a named port, verify it's resolveable...
-			if not self.prreg.match(self.port) and self.proto in ["udp", "tcp"]:
+			if self.proto in ["udp", "tcp"] and not self.prreg.match(self.port):
 				try:
 					socket.getservbyname(self.port, self.proto)
 				except socket.error:
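Review bot: swapping the two operands only matters if `self.prreg.match(self.port)` cannot safely be evaluated first, which is the case when self.port is None for a bare protocol such as "esp" (the port group in the regex is optional, so m.group(1) is None and a regex match on None raises TypeError); that reason is neither stated in the report nor visible here, so add a one-line comment above the `if` explaining that the protocol check must short-circuit. A test that parses "esp" and "ah" without a port would keep the ordering from regressing silently.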
@@ -105,6 +105,9 @@ class Port:
 				return "--icmpv6-type " + self.port
 			else:
 				return ""
+		elif self.proto in ("esp", "ah"):
+			# no port for ESP and AH
+			return ""
 		else:
 			raise PyromanException("Unknown protocol: %s" % self.proto)
 
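Review bot: this branch returns an empty filter regardless of whether self.port was set, so a mistaken "500/esp" that gets past parsing silently becomes a plain protocol match with the port ignored; raising PyromanException when self.port is non-empty for esp or ah (mirroring the "Unknown protocol" error just below) would surface the typo instead. Minor: the membership test two hunks up uses a list (`["udp", "tcp"]`) while this one uses a tuple; pick one form.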
diff --git a/pyroman/service.py b/pyroman/service.py
index 3f4d8d51..64aaf44f 100644
--- a/pyroman/service.py
+++ b/pyroman/service.py
@@ -93,7 +93,7 @@ class Service:
 						f1 = dp.get_filter_proto() + " "
 					f2 = sp.get_filter_port(dir1)
 					f3 = dp.get_filter_port(dir2)
-					if f2 != "" or f3 != "":
+					if f1.strip() or f2 != "" or f3 != "":
 						result.append( f1 + " " + f2 + " " + f3 )
 
 		for i in self.include:
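Review bot: the new `f1.strip()` test is what lets a protocol-only rule (esp or ah, where f2 and f3 are both "") reach result, but that deserves a comment, since the old condition read as if rules without any port filter were meant to be dropped. Note also that f1 is built as `dp.get_filter_proto() + " "` and the append adds two more separators, so for esp/ah the emitted fragment is the protocol text followed by three trailing spaces; `result.append(" ".join(p for p in (f1.strip(), f2, f3) if p))` would make the check and the emitted string consistent and avoid the stray whitespace.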
