
firewall: fix booting alias resolve for #2102

While here, also honour ssl_no_verify and plug in force
usage in the right spot (currently unused but still).
fichtner committed Jan 18, 2018
1 parent c371155 commit 947718b44bbe7509b2e9193d593603fcdaffb547
@@ -510,6 +510,14 @@ function filter_configure_sync($verbose = false)
filter_delete_states_for_down_gateways();
}

if ($verbose) {
echo '.';
flush();
}

configd_run('template reload OPNsense/Filter');
configd_run('filter refresh_aliases', true);

if ($verbose) {
echo "done.\n";
}
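Review bot: `configd_run('filter refresh_aliases', true)` at line 22 presumably runs the refresh detached (the second argument), so `filter_configure_sync` prints "done." and returns before the alias tables have actually been rebuilt, and neither configd_run result is inspected. If that is the intended boot-time behaviour, record it where it is easy to miss: `// refresh runs detached: alias tables are populated asynchronously after this returns`. If the caller does rely on the tables being in place, the detached run needs rethinking rather than a comment. The function starts before the hunk and its closing brace is outside it.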
@@ -78,7 +78,7 @@ def __init__(self, elem, known_aliases=[], ttl=-1):
# the generated alias contents, without dependencies
self._filename_alias_content = '/var/db/aliastables/%s.self.txt' % self._name

def _parse_address(self, address):
def _parse_address(self, address, ssl_no_verify=False, timeout=120):
""" parse addresses and hostnames, yield only valid addresses and networks
:param address: address or network
:return: boolean
@@ -148,7 +148,7 @@ def _fetch_url(self, url, ssl_no_verify=False, timeout=120):
except:
syslog.syslog(syslog.LOG_ERR, 'error fetching alias url %s' % (url))

def _fetch_geo(self, geoitem):
def _fetch_geo(self, geoitem, ssl_no_verify=False, timeout=120):
""" fetch geoip addresses, if not downloaded or outdated force an update
:return: iterator
"""
@@ -217,12 +217,12 @@ def resolve(self, ssl_no_verify=False, timeout=120, force=False):
:return: string
"""
if not self._resolve_content:
if self.expired() or self.changed():
if self.expired() or self.changed() or force:
with open(self._filename_alias_content, 'w') as f_out:
for item in self.items():
address_parser = self.get_parser()
if address_parser:
for address in address_parser(item):
for address in address_parser(item, ssl_no_verify=ssl_no_verify, timeout=timeout):
if address not in self._resolve_content:
# flush new alias content (without dependencies) to disk, so progress can easliy
# be followed, large lists of domain names can take quite some resolve time.
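Review bot: The signatures of `_parse_address` (hunk at line 78) and `_fetch_geo` (hunk at line 148) gain `ssl_no_verify` and `timeout`, but the docstrings directly beneath them still describe only the old parameters, so a reader cannot tell what the flags control or what unit `timeout` uses. Add to each `:param ssl_no_verify: skip TLS certificate verification when fetching remote content` and `:param timeout: fetch timeout (seconds, presumably — confirm against _fetch_url)`; both bodies lie outside their hunks. In `resolve` (hunk at line 217) `force` is tested last on line 50, so `self.expired()` and `self.changed()` still run even when a forced refresh is requested; `if force or self.expired() or self.changed():` short-circuits them. Note also that `force` is only reached when `self._resolve_content` is empty, which deserves a one-line comment if that is intentional; the rest of `resolve` continues past the hunk.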
@@ -28,6 +28,7 @@
--------------------------------------------------------------------------------------
update aliases
"""

import os
import sys
import argparse
@@ -38,6 +39,23 @@
import subprocess
from lib.alias import Alias

class SettingsParser(object):
""" Settings Parser class, reads global values
"""
def __init__(self, source_tree):
self._source_tree = source_tree
self._settings = dict()
self._settings['ssl_no_verify'] = False

def read(self):
for elem in self._source_tree.iterfind('general/ssl_no_verify'):
if elem.text == "1":
self._settings['ssl_no_verify'] = True

def get(self, name):
if name in self._settings:
return self._settings[name]
return None

class AliasParser(object):
""" Alias Parser class, encapsulates all aliases
@@ -51,7 +69,6 @@ def read(self):
self._aliases = dict()
for elem in self._source_tree.iterfind('table'):
alias = Alias(elem, known_aliases=known_aliases_list)
alias.resolve()
self._aliases[alias.get_name()] = alias

def get_alias_deps(self, alias, alias_deps=None):
@@ -101,19 +118,25 @@ def __iter__(self):
syslog.syslog(syslog.LOG_ERR, 'filter table parse error (%s) %s' % (str(e), inputargs.source_conf))
sys.exit(-1)

settings = SettingsParser(source_tree)
settings.read()

ssl_no_verify = settings.get('ssl_no_verify')

aliases = AliasParser(source_tree)
aliases.read()

for alias in aliases:
# fetch alias content including dependencies
alias_name = alias.get_name()
alias_content = alias.resolve()
alias_content = alias.resolve(ssl_no_verify=ssl_no_verify)
alias_changed_or_expired = max(alias.changed(), alias.expired())
for related_alias_name in aliases.get_alias_deps(alias_name):
if related_alias_name != alias_name:
rel_alias = aliases.get(related_alias_name)
if rel_alias:
alias_changed_or_expired = max(alias_changed_or_expired, rel_alias.changed(), rel_alias.expired())
alias_content += rel_alias.resolve()
alias_content += rel_alias.resolve(ssl_no_verify=ssl_no_verify)
# when the alias or any of it's dependencies has changed, generate new
if alias_changed_or_expired:
alias_content_txt = '\n'.join(sorted(alias_content))
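Review bot: `ssl_no_verify` read on line 107 is passed into every `resolve()` call (lines 116 and 124) and switches off certificate verification for all remote alias downloads, yet nothing records that the check was disabled; a single line next to it, `if ssl_no_verify:` / `syslog.syslog(syslog.LOG_WARNING, 'ssl_no_verify is set, remote alias URLs are fetched without certificate verification')`, makes the weakened fetch visible in the same log the existing alias errors already go to. In the new `SettingsParser` (hunk at line 39), `get` re-implements a plain dict lookup; `return self._settings.get(name)` is equivalent and shorter, and a docstring on `read` stating that it only recognises `general/ssl_no_verify` with text `"1"` would document the recognised settings in one place. `force` is still not supplied by any `resolve()` call here, as the commit message acknowledges. The enclosing `__main__` block of the last hunk continues outside it.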
@@ -4,7 +4,7 @@
<ssl_no_verify>1</ssl_no_verify>
{% endif %}
</general>
{% if helpers.exists('aliases.alias') %}}
{% if helpers.exists('aliases.alias') %}
{% for alias in helpers.toList('aliases.alias') %}
{% if alias.type.find('port') == -1 %}
<table>
