Module com.aoindustries.firewalld

Package com.aoindustries.firewalld

Class ServiceSet

java.lang.Object

com.aoindustries.firewalld.ServiceSet

public class ServiceSet
extends Object

A service set is one service opened on a set of specific IP and port combinations. Because each Service only supports a single <destination />, to open only the specific IP and port combinations, a set of additional services are created using the base service as a template.

The first service in the set uses the template service name. Additional services are named with "-2", "-3", ... added to the template service name.

Consider the example of opening SSH on two addresses, but leaving it closed on others. One port could be 192.0.2.14:22 while the other is 192.0.2.16:22. This would result in two services: ssh with a destination of 192.0.2.14:22 and ssh-2 with a destination of 192.0.2.16:22.

Author:

AO Industries, Inc.

Method Summary

Modifier and Type	Method	Description
static void	commit(Iterable<ServiceSet> serviceSets, Set<String> zones)	Commits multiple service sets to the system configuration, reconfiguring and reloading the firewall as necessary.
void	commit(Set<String> zones)	Commits this service set to the system configuration, reconfiguring and reloading the firewall as necessary.
static ServiceSet	createOptimizedServiceSet(Service template, Iterable<? extends Target> targets)	Creates an optimized service set for the given template and targets.
static ServiceSet	createOptimizedServiceSet(String name, Iterable<? extends Target> targets)	Creates an optimized service set for the given name and targets.
boolean	equals(Object obj)	Two service sets are equal when they have the same services.
Set<Service>	getServices()	The set of services representing this service set.
SortedSet<Target>	getTargets()	Gets the set of all targets represented by all services in this set.
Service	getTemplate()	Gets the template for this service set.
int	hashCode()
static ServiceSet	loadServiceSet(Service template)	Loads the currently configured service set for the given template.
static ServiceSet	loadServiceSet(String name)	Loads the currently configured service set for the given name.
ServiceSet	optimize()	Returns an optimized version of this set.
String	toString()

Methods inherited from class java.lang.Object

clone, finalize, getClass, notify, notifyAll, wait, wait, wait

Method Details

loadServiceSet

public static ServiceSet loadServiceSet(String name)
                                 throws IOException

Loads the currently configured service set for the given name. The system service is used as the template.

Throws:

IOException

See Also:

• Service.loadSystemService(java.lang.String)
• loadServiceSet(com.aoindustries.firewalld.Service)

loadServiceSet

public static ServiceSet loadServiceSet(Service template)
                                 throws IOException

Loads the currently configured service set for the given template.

Throws:

IOException

See Also:

• loadServiceSet(java.lang.String)

createOptimizedServiceSet

public static ServiceSet createOptimizedServiceSet(String name,
 Iterable<? extends Target> targets)
                                            throws IOException

Creates an optimized service set for the given name and targets. The system service is used as the template. The service set is not committed.

Throws:

IOException

See Also:

• Service.loadSystemService(java.lang.String)
• createOptimizedServiceSet(com.aoindustries.firewalld.Service, java.lang.Iterable)
• optimize()

createOptimizedServiceSet

public static ServiceSet createOptimizedServiceSet(Service template,
 Iterable<? extends Target> targets)

Creates an optimized service set for the given template and targets. The service set is not committed.

First, ports are coalesced into port ranges within matching destinations. Protocol-only is considered to match all ports of that protocol.

Second, destinations are combined within network prefixes when have equal port ranges. InetAddressPrefixes.UNSPECIFIED_IPV4 and InetAddressPrefixes.UNSPECIFIED_IPV6 are considered to match all addresses of the same family (this is a natural consequence of the way the unspecified prefixes are defined with prefix of zero).

Third, a set of services are generated based on the template. All fields except Service.getPorts(), Service.getProtocols(), Service.getDestinationIpv4() and Service.getDestinationIpv6() are copied from the template. The template ports, protocols, and destinations are not used.

See Also:

• createOptimizedServiceSet(java.lang.String, java.lang.Iterable)
• optimize()

toString

public String toString()

Overrides:

toString in class Object

equals

public boolean equals(Object obj)

Two service sets are equal when they have the same services. The template is not compared for equality.

Overrides:

equals in class Object

hashCode

public int hashCode()

Overrides:

hashCode in class Object

getTemplate

public Service getTemplate()

Gets the template for this service set. This will often be loaded from the system service, but may have been programmatically provided for dynamic services.

getServices

public Set<Service> getServices()

The set of services representing this service set. This may be an empty set when a template has no existing configuration.

getTargets

public SortedSet<Target> getTargets()

Gets the set of all targets represented by all services in this set. This may be an empty set when a template has no existing configuration or is modules-only (like tftp-client).

This may have overlapping destinations if the service set was not previously optimized.

See Also:

• Target.compareTo(com.aoindustries.firewalld.Target)

optimize

public ServiceSet optimize()

Returns an optimized version of this set.

Returns:

this when already optimized, or new ServiceSet when optimal form is different.

See Also:

• createOptimizedServiceSet(java.lang.String, java.lang.Iterable)
• createOptimizedServiceSet(com.aoindustries.firewalld.Service, java.lang.Iterable)

commit

public void commit(Set<String> zones)
            throws IOException

Commits this service set to the system configuration, reconfiguring and reloading the firewall as necessary.

Probably worth optimizing before committing.

Parameters:

zones - the zones that that the service set should be activated in, this can generally be just "public"

Throws:

IOException

See Also:

• commit(java.lang.Iterable, java.util.Set)

commit

public static void commit(Iterable<ServiceSet> serviceSets,
 Set<String> zones)
                   throws IOException

Commits multiple service sets to the system configuration, reconfiguring and reloading the firewall as necessary.

Probably worth optimizing before committing.

TODO: Should we use firewall-cmd --permanent --new-service-from-file=filename [--name=service] instead of manipulating service XML files directly?

Parameters:

serviceSets - the service sets to commit; iterated once; no duplicate service names allowed.

zones - the zones that that the service set should be activated in, this can generally be just "public"

Throws:

IOException

See Also:

• commit(java.util.Set)