Add possibility to insert iptables rule (#98)

polinaag · lukas-bednar · commit 75b37dadb20b · 2018-01-16T12:45:19.000+01:00
* Added possibility to give rule number for insert_rule method
* added comments and fixed flake8 line length
* fixed edit_chain brackets in  a new line
* fixed  pep8 violations
diff --git a/rrmngmnt/firewall.py b/rrmngmnt/firewall.py
@@ -64,7 +64,7 @@ def __init__(self, host, chain_name):
 
     def edit_chain(
         self, action, chain_name, address_type, dest, target, protocol='all',
-        ports=None
+        ports=None, rule_num=None
     ):
         """
         Changes firewall configuration
@@ -79,6 +79,8 @@ def edit_chain(
            target (str): target rule to apply
            protocol (str): affected network protocol, Default is 'all'
            ports (list): list of ports to configure
+           rule_num (str): the number given after the chain name indicates the
+           position where the rule will be inserted
 
        Returns:
            bool: True if configuration change succeeded, False otherwise
@@ -89,16 +91,28 @@ def edit_chain(
 
        Example:
            edit_chain(
-                action='--append',chain='OUTPUT', address_type='--destination',
-                dest={'address': nfs_server}, target='DROP'
+                action='--append',chain='OUTPUT',
+                rule_num='1',
+                address_type='--destination',
+                dest={'address': nfs_server},
+                target='DROP'
             )
         """
-        dest = ",".join(dest['address'])
         cmd = [
-            self.firewall_service, action, chain_name, address_type, dest,
-            '--jump', target.upper(), '--protocol', protocol
+            self.firewall_service, action, chain_name
         ]
 
+        if rule_num:
+            cmd.extend([rule_num])
+
+        dest = ",".join(dest['address'])
+        cmd.extend(
+            [
+                address_type, dest, '--jump', target.upper(),
+                '--protocol', protocol
+            ]
+        )
+
         if ports:
             # Iptables multiport module accepts up to 15 ports
             if len(ports) > 15:
@@ -144,6 +158,29 @@ def add_rule(self, dest, target, protocol='all', ports=None):
             protocol, ports
         )
 
+    def insert_rule(self, dest, target, protocol='all', ports=None,
+                    rule_num=None):
+        """
+        Insert new firewall rule to a specific chain
+
+        Args:
+            dest (dict): 'address' key and value containing destination host or
+               list of destination hosts
+            target (str): Target rule to apply
+            protocol (str): affected network protocol, Default is 'all'
+            ports (list): list of ports to configure
+            rule_num (str): the number given after the chain name indicates
+            the position where the rule will be inserted. If the rule_num is
+            not given , the new rule is inserted in the line 1.
+
+        Returns:
+            bool: False if inserting new rule failed, True if it succeeded
+        """
+        return self.edit_chain(
+            '--insert', self.chain_name, self.address_type, dest, target,
+            protocol, ports, rule_num
+        )
+
     def delete_rule(self, dest, target, protocol='all', ports=None):
         """
         Delete existing firewall rule from a specific chain
diff --git a/tests/test_firewall.py b/tests/test_firewall.py
@@ -59,6 +59,10 @@ class TestChain(object):
         '--protocol all': (0, '', ''),
         'iptables --append INPUT --source 2.2.2.2 --jump DROP '
         '--protocol all': (0, '', ''),
+        'iptables --insert OUTPUT --destination 2.2.2.2 --jump DROP '
+        '--protocol all': (0, '', ''),
+        'iptables --insert INPUT --source 2.2.2.2 --jump DROP '
+        '--protocol all': (0, '', ''),
         'iptables --delete OUTPUT --destination 2.2.2.2 --jump DROP '
         '--protocol all': (0, '', ''),
         'iptables --delete INPUT --source 2.2.2.2 --jump DROP '
@@ -102,6 +106,16 @@ def test_add_incoming_rule(self):
             self.destination_host, 'DROP'
         )
 
+    def test_insert_outgoing_rule(self):
+        assert get_host().firewall.chain('OUTPUT').insert_rule(
+            self.destination_host, 'DROP'
+        )
+
+    def test_insert_incoming_rule(self):
+        assert get_host().firewall.chain('INPUT').insert_rule(
+            self.destination_host, 'DROP'
+        )
+
     def test_delete_outgoing_rule(self):
         assert get_host().firewall.chain('OUTPUT').delete_rule(
             self.destination_host, 'DROP'
