a «°i×õã@sDddlZddlZddlmZddlmZddlmZm Z m Z m Z m Z m Z mZmZddlmZddlmZmZmZmZmZmZddlmZmZmZmZmZmZm Z m!Z!m"Z"ddl#m$Z$dd l%m&Z&m'Z'ddl(Z(d Z)gd ¢d d ggd¢gd¢gd ¢dœZ*dddœZ+dddœZ,dd„Z-dd„Z.dd„Z/Gdd„de0ƒZ1Gdd„de1ƒZ2dS) éN)ÚrunProg)Úlog)ÚtempFileÚreadfileÚ splitArgsÚ check_macÚportStrÚcheck_single_addressÚ check_addressÚ normalizeIP6)Úconfig)Ú FirewallErrorÚINVALID_PASSTHROUGHÚ INVALID_RULEÚ UNKNOWN_ERRORÚ INVALID_ADDRÚINVALID_ICMPTYPE) Ú Rich_AcceptÚ Rich_RejectÚ Rich_DropÚ Rich_MarkÚ Rich_NFLogÚRich_MasqueradeÚRich_ForwardPortÚRich_IcmpBlockÚRich_Tcp_Mss_Clamp)ÚDEFAULT_ZONE_TARGET)Ú ICMP_TYPESÚ ICMPV6_TYPESÚ)ÚINPUTÚOUTPUTÚFORWARDÚ PREROUTINGr!)r#Ú POSTROUTINGr r!r")r#r$r!)ÚsecurityÚrawÚmangleÚnatÚfilterzicmp-host-prohibitedzicmp6-adm-prohibited©Úipv4Úipv6Úicmpú ipv6-icmpc Csœdddddddœ}|dd…}|D]t}z| |¡}WntyJYq"Yn0|dvrŠzt||dƒWntyzYn0| |d¡||||<q"|S) z Inverse valid rule ú-Dú--deleteú-Xú--delete-chain©ú-Aú--appendú-Iú--insertú-Nz --new-chainN©r6r7é)ÚindexÚ ExceptionÚintÚpop)ÚargsÚ replace_argsÚret_argsÚargÚidx©rDú;/usr/lib/python3.9/site-packages/firewall/core/ipXtables.pyÚcommon_reverse_rule<s*÷    rFc Cs¬dddddddœ}|dd…}|D]z}z| |¡}WntyJYq"Yn0|dvrŠzt||dƒWntyzYn0| |d¡||||<|Sttd ƒ‚dS) z Reverse valid passthough rule r/r0r1r2r3Nr9r:úno '-A', '-I' or '-N' arg)r;Ú ValueErrorr=r>r r)r?r@rAÚxrCrDrDrEÚcommon_reverse_passthroughas0÷     ÿrJcCsht|ƒ}tgd¢ƒ}t||@ƒdkr>ttdt||@ƒdƒ‚tgd¢ƒ}t||@ƒdkrdttdƒ‚dS)zZ Check if passthough rule is valid (only add, insert and new chain rules are allowed) )z-Cz--checkr/r0z-Rz --replaceú-Lz--listz-Sz --list-rulesú-Fz--flushú-Zz--zeror1r2ú-Pz--policyz-Ez--rename-chainrzarg '%s' is not allowedr3rGN)ÚsetÚlenr rÚlist)r?Z not_allowedZneededrDrDrEÚcommon_check_passthrough‹s ÿÿ ÿrRc@sÊeZdZdZdZdZdd„Zdd„Zdd„Zd d „Z d d „Z d d„Z dd„Z dd„Z dd„Zdd„Zdd„Zdd„Zdd„Zdd„Zdd „Zdld"d#„Zd$d%„Zd&d'„Zd(d)„Zd*d+„Zdmd,d-„Zd.d/„Zdnd1d2„Zd3d4„Zd5d6„Zdod8d9„Zdpd:d;„Z dd?„Z"d@dA„Z#dBdC„Z$dDdE„Z%dFdG„Z&dHdI„Z'dJdK„Z(dLdM„Z)dNdO„Z*dPdQ„Z+dqdRdS„Z,drdTdU„Z-dsdVdW„Z.dtdXdY„Z/dZd[„Z0dud\d]„Z1dvd^d_„Z2dwd`da„Z3dbdc„Z4dxddde„Z5dfdg„Z6dhdi„Z7djdk„Z8d!S)yÚ ip4tablesr+TcCsd||_tj|j|_tjd|j|_| ¡|_| ¡|_ |  ¡g|_ i|_ i|_ g|_i|_dS)Nz %s-restore)Ú_fwr ZCOMMANDSÚipvÚ_commandÚ_restore_commandÚ_detect_wait_optionÚ wait_optionÚ_detect_restore_wait_optionÚrestore_wait_optionÚ fill_existsÚavailable_tablesÚrich_rule_priority_countsÚpolicy_priority_countsÚzone_source_index_cacheÚ our_chains)ÚselfÚfwrDrDrEÚ__init__°s  zip4tables.__init__cCs$tj |j¡|_tj |j¡|_dS©N)ÚosÚpathÚexistsrVZcommand_existsrWZrestore_command_exists©rbrDrDrEr\½szip4tables.fill_existscCs†|jr(|j|vr(|jgdd„|Dƒ}ndd„|Dƒ}t d|j|jd |¡¡t|j|ƒ\}}|dkr‚td|jd |¡|fƒ‚|S)NcSsg|] }d|‘qS©ú%srD©Ú.0ÚitemrDrDrEÚ Äóz#ip4tables.__run..cSsg|] }d|‘qSrjrDrlrDrDrEroÆrpú %s: %s %sú rú'%s %s' failed: %s)rYrÚdebug2Ú __class__rVÚjoinrrH)rbr?Ú_argsÚstatusÚretrDrDrEZ__runÁs ÿzip4tables.__runcCs<z| |¡}Wnty"YdS0||||d…<dSdS)NFéT)r;rH)rbÚruleÚpatternZ replacementÚirDrDrEÚ _rule_replaceÎs  zip4tables._rule_replacecCs|tvo|t|vSre)ÚBUILT_IN_CHAINS)rbrUÚtableÚchainrDrDrEÚis_chain_builtin×s ÿzip4tables.is_chain_builtincCs2d|g}|r| d¡n | d¡| |¡|gS)Nú-tr8r1)Úappend)rbÚaddr€rr{rDrDrEÚbuild_chain_rulesÛs    zip4tables.build_chain_rulescCs8d|g}|r |d|t|ƒg7}n |d|g7}||7}|S)Nrƒr6r/)Ústr)rbr…r€rr;r?r{rDrDrEÚ build_ruleäs  zip4tables.build_rulecCst|ƒSre)rF©rbr?rDrDrEÚ reverse_ruleíszip4tables.reverse_rulecCs t|ƒdSre)rRr‰rDrDrEÚcheck_passthroughðszip4tables.check_passthroughcCst|ƒSre)rJr‰rDrDrEÚreverse_passthroughószip4tables.reverse_passthroughc Cs–d}z| d¡}Wnty$Yn0t|ƒ|dkrB||d}d}dD]B}z| |¡}WntynYqJ0t|ƒ|dkrJ||d}qJ||fS)Nr)rƒrzr3)r;rHrP)rbr?r€r}rÚoptrDrDrEÚpassthrough_parse_table_chainös    z'ip4tables.passthrough_parse_table_chainc Cs zH| d¡}| |¡| |¡}d|dkr:||df}n ||df}WnFtyŽz| d¡}| |¡d}WntyˆYYdS0Yn0d}|dd vr¤d }|rÀ|sÀ||vr¾| |¡n\|r|rø||vrì| |¡|jd d „d | |¡}nt|ƒ}d|d<| dd|d¡dS)Nú%%ZONE_SOURCE%%ú-méééú%%ZONE_INTERFACE%%Tr©r/r0FcSs|dS)NrrD)rIrDrDrEÚ)rpz4ip4tables._run_replace_zone_source..)Úkeyr6r:ú%drz)r;r>rHÚremover„ÚsortrPÚinsert)rbr{r`r}ÚzoneZ zone_sourceÚrule_addr;rDrDrEÚ_run_replace_zone_source s:            z"ip4tables._run_replace_zone_sourcec Csz| |¡}Wnty"Ynê0d}d}d}| |¡| |¡}t|ƒtkrZttdƒ‚d} dD]B} z| | ¡} Wnty†Yqb0t|ƒ| dkrb|| d} qbdD]Z} z| | ¡}WntyÎYqª0t|ƒ|dkrì||d} | d vrød}| d vrªd}qª| | f} |s^| |vs>||| vs>|| |d krHttd ƒ‚|| |d8<n®| |vrpi|| <||| vrŠd || |<d} t ||   ¡ƒD]<}||kr¸|r¸qÜ| || |7} ||kržqÜqž|| |d7<d ||<|  |dd| ¡dS)a Change something like -t filter -I public_IN %%RICH_RULE_PRIORITY%% 123 or -t filter -A public_IN %%RICH_RULE_PRIORITY%% 321 into -t filter -I public_IN 4 or -t filter -I public_IN TFéÿÿÿÿz%priority must be followed by a numberr)©rƒz--tablerz)r4r5r6r7r/r0r9r•rz*nonexistent or underflow of priority countr6r:r˜N) r;rHr>Útyper=r rrPrÚsortedÚkeysr›)rbr{Zpriority_countsÚtokenr}rr›Zinsert_add_indexÚpriorityr€rÚjrr;ÚprDrDrEÚ_set_rule_replace_priority2sj           ÿþ     z$ip4tables._set_rule_replace_priorityc Cstƒ}i}t |j¡}t |j¡}t |j¡}|D]x}|dd…} | | dddt|jg¡| | dt |jg¡z|   d¡} Wnt y”Yn80|dkr q2|dvrÂdd d |g| | | d …<n |   | ¡|  | |d ¡|  | |d ¡| | |¡d} dD]L} z|   | ¡} Wnt y"Yqü0t| ƒ| d krü|   | ¡|   | ¡} qüt| ƒD]F\} } tjD]4}|| vr`|  d¡r†|  d¡s`d| | | <q`qR| | g¡ | ¡q2|D]F} || }| d| ¡|D]} | d | ¡d¡qÐ| d¡q²| ¡t |j¡}t d|j|j d|j|j!f¡g}|j"rF| |j"¡| d¡t#|j ||jd\}}t $¡dkrÒt%|jƒ}|durÒd } |D]@}tj&d| |fd dd| d¡sÆtj&dd d| d 7} qt '|j¡|dkrt d |j d |¡|fƒ‚||_||_||_dS)!Nú %%REJECT%%ÚREJECTú --reject-withú%%ICMP%%ú %%LOGTYPE%%Úoff©ÚunicastÚ broadcastZ multicastrÚpkttypeú --pkt-typerzú%%RICH_RULE_PRIORITY%%ú%%POLICY_PRIORITY%%r)r ú"z"%s"z*%s rrÚ zCOMMIT rqz%s: %dú-n©Ústdinr:z%8d: %sr)ÚnofmtÚnlr)r»rs)(rÚcopyÚdeepcopyr^r_r`r~ÚDEFAULT_REJECT_TYPErUÚICMPr;rHr>r¨ržrPÚ enumerateÚstringZ whitespaceÚ startswithÚendswithÚ setdefaultr„ÚwritervÚcloserfÚstatÚnamerrtrurWÚst_sizer[rZgetDebugLogLevelrÚdebug3Úunlink)rbÚrulesÚ log_deniedÚ temp_fileZ table_rulesr^r_r`Z_ruler{r}r€rÚelementÚcrÈr?rxryÚlinesÚlinerDrDrEÚ set_rules‚s”     ÿ      ÿ ÿ  ÿ        ÿzip4tables.set_rulescCsö| |dddt|jg¡| |dt|jg¡z| d¡}WntyPYn:0|dkr^dS|dvr€d d d |g|||d …<n | |¡t |j ¡}t |j ¡}t |j ¡}|  ||d ¡|  ||d¡|  ||¡| |¡}||_ ||_ ||_ |S)Nr©rªr«r¬r­r®rr¯rr²r³rzr´rµ)r~r¿rUrÀr;rHr>r½r¾r^r_r`r¨ržÚ_ip4tables__run)rbr{rÎr}r^r_r`ÚoutputrDrDrEÚset_ruleãs0ÿ       zip4tables.set_ruleNc CsŽg}|r|gnt ¡}|D]n}||jvr4| |¡qz,| d|ddg¡|j |¡| |¡Wqty†t d|j|f¡Yq0q|S)NrƒrKr¸zA%s table '%s' does not exist (or not enough permission to check).) rr£r]r„rÕrHrZdebug1rU)rbr€ryZtablesrDrDrEÚget_available_tabless    zip4tables.get_available_tablesc Csœd}t|jgd¢ƒ}t d|j|jd|d|d¡|ddkr˜d}t|jgd¢ƒ}t d|j|jd|d|d¡|ddkr„d}t d |j|j|¡|S) Nr)ú-wrKr¸ú7%s: %s: probe for wait option (%s): ret=%u, output="%s"rÙrrz)ú-w10rKr¸rÛú%s: %s will be using %s option.)rrVrrËrurt)rbrYryrDrDrErXs    zip4tables._detect_wait_optionc Csªtƒ}| d¡| ¡d}dD]d}t|j|g|jd}t d|j|j ||d|d¡|ddkr d|dvr d |dvr |}q†q t  d |j|j|¡t   |j¡|S) Nz#foor)rÙz--wait=2r¹rÚrrzzinvalid optionzunrecognized optionrÜ) rrÆrÇrrWrÉrrËrurVrtrfrÌ)rbrÏrYZ test_optionryrDrDrErZ$s   ÿ z%ip4tables._detect_restore_wait_optioncCsNi|_i|_g|_g}t ¡D]*}| |¡s.qdD]}| d||g¡q2q|S)N)rLr1rMrƒ)r^r_r`rr£rØr„)rbrÍr€ÚflagrDrDrEÚbuild_flush_rules8s  zip4tables.build_flush_rulesc Cs–g}|dkrdn|}t ¡D]t}| |¡s,q|dkr6qt|D]P}|dkrv||}|dkrz| d|d|ddg¡d}n|}| d|d ||g¡q>q|S) NZPANICÚDROPr(r)rªrƒr4ú-jrN)rr£rØr„)rbÚpolicyZpolicy_detailsrÍÚ_policyr€rr§rDrDrEÚbuild_set_policy_rulesGs    z ip4tables.build_set_policy_rulescCsNtƒ}|dus|jdkr&| t ¡¡|dus8|jdkrF| t ¡¡t|ƒS)Nr+r,)rOrUÚupdaterr£rrQ)rbrUZ supportedrDrDrEÚsupported_icmp_typesZs zip4tables.supported_icmp_typescCsgSrerDrirDrDrEÚbuild_default_tablesdszip4tables.build_default_tablesr®cCs i}| d¡rlg|d<tƒ|jd<tdD]@}|d d|¡|d d||f¡|jd d|¡q*| d¡r@g|d<tƒ|jd<tdD]ª}|d d|¡|d d||f¡|jd d|¡|dkr”dD]8}|d d||f¡|jd td ||fgƒ¡qàd D]}|d d |||f¡qq”| d ¡rg|d <tƒ|jd <td D]°}|d  d|¡|d  d||f¡|jd  d|¡|dkrhdD]:}|d  d||f¡|jd  td ||fgƒ¡q¶d D]}|d  d |||f¡qöqh| d ¡rPg|d <tƒ|jd <td D] }|d  d|¡|d  d||f¡|jd  d|¡|dvrèdD]R}|d  d||f¡|jd  td ||fgƒ¡|d  d |||f¡q’nddD]:}|d  d||f¡|jd  td ||fgƒ¡qìd D]}|d  d |||f¡q,qBg|d<tƒ|jd<|d d¡|d d¡|dkr˜|d d¡|d d¡|d d¡|d d¡|jd tdƒ¡dD]0}|d d|¡|jd td|ƒ¡qÚd D]}|d d|¡q|dkrB|d d¡|d d¡|d d¡|d d¡|dkr„|d d ¡|d d!¡|d d"¡|d d#¡|jd td$ƒ¡d%D]0}|d d&|¡|jd td'|ƒ¡qÆd D]B}|d d&|¡|d d(|¡|jd td'|ƒ¡qüd)D]0}|d d&|¡|jd td'|ƒ¡qD|dkrŽ|d d*¡|d d+¡|dgd,¢7<|jd td-ƒ¡d%D]B}|d d.|¡|d d/|¡|jd td0|ƒ¡qÈd)D]B}|d d.|¡|d d/|¡|jd td0|ƒ¡qg}|D]>}|| ¡vrrq\||D]}| d1|gt|ƒ¡qzq\|S)2Nr%z -N %s_directz-A %s -j %s_directz %s_directr&r#)Ú POLICIES_preÚZONESÚ POLICIES_postz-N %s_%sú%s_%s)rèz-A %s -j %s_%sr'r()r!)rçrér)zB-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPTz-A INPUT -i lo -j ACCEPTr®z^-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 'z/-A INPUT -m conntrack --ctstate INVALID -j DROPz-N INPUT_directz-A INPUT -j INPUT_directZ INPUT_directz -N INPUT_%szINPUT_%sz-A INPUT -j INPUT_%sz9-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 'z-A INPUT -j %%REJECT%%zD-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPTz-A FORWARD -i lo -j ACCEPTz`-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 'z1-A FORWARD -m conntrack --ctstate INVALID -j DROPz-N FORWARD_directz-A FORWARD -j FORWARD_directZFORWARD_direct)rçz -N FORWARD_%sz FORWARD_%sz-A FORWARD -j FORWARD_%s)réz;-A FORWARD %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 'z-A FORWARD -j %%REJECT%%)z-N OUTPUT_directz>-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPTz-A OUTPUT -o lo -j ACCEPTz-A OUTPUT -j OUTPUT_directZ OUTPUT_directz -N OUTPUT_%sz-A OUTPUT -j OUTPUT_%sz OUTPUT_%srƒ)rØrOrarr„r…rär)rbrÎZ default_rulesrZdispatch_suffixZfinal_default_rulesr€r{rDrDrEÚbuild_default_ruleshsÖ           "    "       zip4tables.build_default_rulescCsd|dkrddhS|dkr*d| ¡vr*dhS|dkrFd| ¡vrFddhS|dkr`d| ¡vr`dhSiS) Nr)r r"r'r#r(r$r&)rØ)rbr€rDrDrEÚget_zone_table_chainsés   zip4tables.get_zone_table_chainsc sÄ|jj |¡‰ˆjdkrdnd‰ˆdkr4ˆdkr4dnd} |jj |ˆt| ¡‰g} g} |D]} |  d| g¡qX|D]} |  d | g¡qp|D]8} |jj | ¡}|d vr®|  |¡s®qˆ|  |  d | ¡¡qˆ|D]J} |jj | ¡}|d vrì|  |¡sìqÆt | ƒrþˆd vrþqÆ|  |  d | ¡¡qƇ‡‡‡‡‡fdd„}g}| r|| D]B}| r^| D]}| |||ƒ¡qDn|rfn| ||dƒ¡q6nD|r„n<| r¨| D]}| |d|ƒ¡qŽn|r°n| |ddƒ¡|S)NrÚpreÚpostr(r$TFú-iú-or*ú-s©r$r"r!ú-dcsVdddœˆ}dˆ|dˆˆfdˆjg}|r6| |¡|rD| |¡| dˆg¡|S)Nr4r/©TFrƒz%s_POLICIES_%srµrà)r¥Úextend)Úingress_fragmentÚegress_fragmentÚadd_delr{©rârÚ chain_suffixÚenableÚp_objr€rDrEÚ_generate_policy_dispatch_rulesÿ  zSip4tables.build_policy_ingress_egress_rules.._generate_policy_dispatch_rule) rTráÚ get_policyr¥Úpolicy_base_chain_nameÚPOLICY_CHAIN_PREFIXr„rœÚ check_sourceÚis_ipv_supportedÚ_rule_addr_fragmentr)rbrûrár€rZingress_interfacesZegress_interfacesZingress_sourcesZegress_sourcesÚisSNATZingress_fragmentsZegress_fragmentsÚ interfaceÚaddrrUrýrÍrör÷rDrùrEÚ!build_policy_ingress_egress_rulesøsR z+ip4tables.build_policy_ingress_egress_rulesFc Cs¤|dkr|dkrdnd}|jjj||t|d} ddddddœ|} d } |r^|s^d d |d g} n,|rpd d |g} ndd |g} |sŠ| d g7} | d|| || | g7} | gS)Nr(r$TF©rrïrð©r#r$r r"r!ú-gr6ú%s_ZONESr”r4r/rƒ)rTrárÿr) rbrûrœrárr€rr„rrârÚactionr{rDrDrEÚ!build_zone_source_interface_rulesEs(ûú  z+ip4tables.build_zone_source_interface_rulescCsÆ| d¡rP|dd…}|dkr$d}nd}d |g|jj |¡¡}ddd ||gSt|ƒrz|dkrjttd ƒ‚dd d | ¡gSt d |ƒrŽt |ƒ}n,t d |ƒrº|  d¡}t |dƒd|d}||gSdS)Nzipset:éróÚdstÚsrcú,rrOú --match-setzCan't match a destination MAC.Úmacú --mac-sourcer,ú/rrz) rÃrvrTÚipsetZ get_dimensionrr rÚupperr r r Úsplit)rbrÚaddressÚinvertrÉÚflagsÚ addr_splitrDrDrEr^s"       zip4tables._rule_addr_fragmentc Csždddœ|}|dkr"|dkr"dnd}|jjj||t|d} d d d d d d œ|} t|ƒrd|d vrdgS|d |d|d|g} |  | | |¡¡|  d| g¡| gS)Nr6r/rôr(r$TFrrñrór ròr rrƒr )rTrárÿrrrõr) rbrûrœrárr€rrørrârr{rDrDrEÚbuild_zone_source_address_rulests"ûú z)ip4tables.build_zone_source_address_rulesc Cs¾dddœ|}dddœ|}|dkr0|dkr0dnd }|jjj||t|d }|jj |¡} |j| t|d |d |d |d|d|gƒ¡g} |  ||d|g¡|  |d |d|g¡|  |d |d|g¡|  |d |d|g¡|  |d|d|g¡|  |d|d|g¡| j r6|  ||d|dd|dfg¡|  ||d|dd |g¡|  ||d|dd |g¡|  ||d|dd |g¡|  ||d|dd|g¡|  ||d|dd|g¡| j rÞ|  ||d|dd|dfg¡|jjj |j } |j  ¡dkrb|dkrb| t ddfvr8|  ||d|ddddd|g ¡| dkrb|  ||d|ddddd|g ¡|dkr¬| t ddddfvr¬| t fvr’d} n| } |  ||d|d| g¡|sº|  ¡| S) Nr8r1rôr4r/r(r$TFrz%s_logú%s_denyz%s_prez%s_postú%s_allowrƒràrêrçrér®r)rªr©r­ÚLOGú --log-prefixz %s_REJECT: rßz %s_DROP: ÚACCEPT)rTrárÿrrþrarärOr„Zderived_from_zoneZ _policiesÚtargetÚget_log_deniedrÚreverse) rbrûrár€rZ add_del_chainZ add_del_rulerrârürÍr#Ú_targetrDrDrEÚbuild_policy_chain_rulesŒsfû þ þ ÿ z"ip4tables.build_policy_chain_rulescCs|rddd|jgSgS)NrÚlimitz--limit)Úvalue)rbr(rDrDrEÚ _rule_limitÅszip4tables._rule_limitcCsÆt|jƒttttfvrn<|jrJt|jƒttt t fvrTt t dt|jƒƒ‚n t t dƒ‚|j dkr°t|jƒtttfvs„t|jƒtt fvrˆdSt|jƒtfvsªt|jƒtt fvrÂdSn|j dkr¾dSdSdS)NúUnknown action %szNo rule action specified.rÚallowZdenyrírî)r¡rÐrrrrr rrrrr rr¥©rbÚ rich_rulerDrDrEÚ_rich_rule_chain_suffixÊs$  ÿÿ z!ip4tables._rich_rule_chain_suffixcCs:|js|jsttdƒ‚|jdkr$dS|jdkr2dSdSdS)NzNot log or auditrrrírî)rÚauditr rr¥r-rDrDrEÚ _rich_rule_chain_suffix_from_logàs    z*ip4tables._rich_rule_chain_suffix_from_logcCs|jdkrgSd|jgS)Nrr´)r¥r-rDrDrEÚ_rich_rule_priority_fragmentës z&ip4tables._rich_rule_priority_fragmentc Cs"|js gS|jj ||t¡}dddœ|}| |¡}d||d||fg} | | |¡7} t|jƒtkrÂ| |ddg7} |jj rŒ| d|jj g7} |jj r¨| d d |jj g7} |jj rÀ| d |jj g7} nJ| |dd g7} |jj rî| d d |jj g7} |jj r | dd |jj g7} | |  |jj¡7} | S)Nr4r/rôrƒrêràZNFLOGz --nflog-groupz--nflog-prefixrkz--nflog-thresholdr r!z --log-level)rrTrárÿrr1r2r¡rÚgroupÚprefixZ thresholdÚlevelr*r() rbrár.rûr€Ú rule_fragmentrârørúr{rDrDrEÚ_rich_rule_logðs,  zip4tables._rich_rule_logc CsÄ|js gSdddœ|}|jj ||t¡}| |¡}d||d||fg} | | |¡7} | |7} t|jƒt krrd} n,t|jƒt kr†d} nt|jƒt kršd} nd } | d d d | g7} | |  |jj ¡7} | S) Nr4r/rôrƒrêZacceptZrejectZdropÚunknownràZAUDITz--type)r0rTrárÿrr1r2r¡r rrrr*r() rbrár.rûr€r6rørârúr{Ú_typerDrDrEÚ_rich_rule_audit s$ zip4tables._rich_rule_auditc Cs2|js gSdddœ|}|jj ||t¡}| |¡}d||f} t|jƒtkrXddg} nžt|jƒtkrˆddg} |jjrö| d|jjg7} nnt|jƒt kr dd g} nVt|jƒt krâd }|jj ||t¡}d||f} dd d |jj g} nt t d t|jƒƒ‚d||| g} | | |¡7} | || 7} | | |jj¡7} | S)Nr4r/rôrêràr"rªr«rßr'ÚMARKz --set-xmarkr+rƒ)r rTrárÿrr/r¡rrrrrOr rr2r*r() rbrár.rûr€r6rørârúrZ rule_actionr{rDrDrEÚ_rich_rule_action&s6      ÿ  zip4tables._rich_rule_actioncCsÔ|sgSg}|jrŒ|jr"| d¡td|jƒrB|dt|jƒg7}qÐtd|jƒr||j d¡}|dt|dƒd|dg7}qÐ|d|jg7}nD|jrÐ|ddg7}|jr®| d¡|jj   |jd ¡}|d |j|g7}|S) Nú!r,rórrrzrrOrr) rrr„r r r rrrTrœÚ_ipset_match_flags)rbZ rich_destr6rrrDrDrEÚ_rich_rule_destination_fragmentHs&    "  z)ip4tables._rich_rule_destination_fragmentcCs|sgSg}|jrŒ|jr"| d¡td|jƒrB|dt|jƒg7}nHtd|jƒr||j d¡}|dt|dƒd|dg7}n|d|jg7}nŽt|dƒrÈ|jrÈ|ddg7}|jr¸| d¡|d |jg7}nRt|d ƒr|j r|dd g7}|jrø| d¡|j j   |j d ¡}|d |j |g7}|S)Nr=r,rñrrrzrrrrrOrr) rrr„r r r rÚhasattrrrrTrœr>)rbZ rich_sourcer6rrrDrDrEÚ_rich_rule_source_fragment`s0    "    z$ip4tables._rich_rule_source_fragmentc Csðdddœ|}d}|jj ||t¡} d|g} |rD| ddt|ƒg7} |rT| d|g7} |rx| | |j¡7} | | |j¡7} g} |rÊ|   |  ||||| ¡¡|   |  ||||| ¡¡|   |  ||||| ¡¡n"|   |d | d |g| d d g¡| S) Nr4r/rôr)ú-pú--dportrkrórrƒràr"© rTrárÿrrr?Ú destinationrAÚsourcer„r7r:r<© rbrûráÚprotoÚportrEr.rør€râr6rÍrDrDrEÚbuild_policy_ports_rules}s, ÿÿz"ip4tables.build_policy_ports_rulesc CsØdddœ|}d}|jj ||t¡}d|g} |r<| d|g7} |r`| | |j¡7} | | |j¡7} g} |r²|  |  ||||| ¡¡|  |  ||||| ¡¡|  |  ||||| ¡¡n"|  |d|d|g| d d g¡| S) Nr4r/rôr)rBrórrƒràr") rTrárÿrr?rErArFr„r7r:r<) rbrûráÚprotocolrEr.rør€râr6rÍrDrDrEÚbuild_policy_protocol_rules–s( ÿÿz%ip4tables.build_policy_protocol_rulesc Cs´d}d}|jj ||t¡}dddœ|} gd¢} |rl| |¡}| | |¡7} | | |j¡7} | | |j ¡7} |dks||durŠ| gd¢7} n| d d d |g7} d d| d ||fg| gS)Nr,r)r4r/rô)rBZtcpz --tcp-flagszSYN,RSTZSYNZpmtu)ràÚTCPMSSz--clamp-mss-to-pmturàrMz --set-mssrƒrê) rTrárÿrr/r2r?rErArF) rbrûráZtcp_mss_clamp_valuerEr.rúr€rârør6rDrDrEÚ build_policy_tcp_mss_clamp_rules­s z*ip4tables.build_policy_tcp_mss_clamp_rulesc Csðdddœ|}d}|jj ||t¡} d|g} |rD| ddt|ƒg7} |rT| d|g7} |rx| | |j¡7} | | |j¡7} g} |rÊ|   |  ||||| ¡¡|   |  ||||| ¡¡|   |  ||||| ¡¡n"|   |d | d |g| d d g¡| S) Nr4r/rôr)rBz--sportrkrórrƒràr"rDrGrDrDrEÚbuild_policy_source_ports_rulesÁs, ÿÿz)ip4tables.build_policy_source_ports_rulesc Csvd}|jj ||t¡} dddœ|} | d| ddd|g} |rP| dd t|ƒg7} |r`| d |g7} | d d d |g7} | gS)Nr&r4r/rôrrƒrBrCrkróràZCTz--helper)rTrárÿrr) rbrûrárHrIrEZ helper_nameZmodule_short_namer€rârør{rDrDrEÚbuild_policy_helper_ports_rulesÛs z)ip4tables.build_policy_helper_ports_rulesc Cs‚dddœ|}|jj ||t¡}g} |rH|  dd|d|d|dd g¡n6t|ƒrTgS|  dd|d|g| d |¡dd g¡| S) Nr4r/rôrƒr)rrðràr"ró)rTrárÿrr„rr) rbrûrœrár€rrFrørârÍrDrDrEÚbuild_zone_forward_rulesêsÿ ÿþz"ip4tables.build_zone_forward_rulesc Csœd}|jjj||tdd}dddœ|}g}|rj| |¡}|| |¡7}|| |j¡7}|| |j ¡7}nd}g} |   dd|d ||fg|gd ¢¡| S) Nr(Trr4r/rôr,rƒrê)r=rðÚloràZ MASQUERADE) rTrárÿrr/r2r?rErArFr„) rbrûrár.r€rârør6rúrÍrDrDrEÚbuild_policy_masquerade_rulesüs" ÿþz'ip4tables.build_policy_masquerade_rulesc Cs d}|jj ||t¡} dddœ|} d} |rPtd|ƒrH| dt|ƒ7} n| |7} |rn|dkrn| dt|d ƒ7} g} |r¬| |¡} | |¡} | |  |j ¡7} | |  |j ¡7} nd } g}|rÐ|  | |||d| ¡¡|  d d| d | | fg| d |dt|ƒddd| g¡|S)Nr(r4r/rôrr,z[%s]z:%sú-r,rƒrêrBrCràZDNATz--to-destination)rTrárÿrr r rr/r2r?rErArFr„r7)rbrûrárIrKZtoportZtoaddrr.r€rârøÚtor6rúrÍrDrDrEÚbuild_policy_forward_port_ruless8    ÿ ÿþz)ip4tables.build_policy_forward_port_rulescCs´|jdkrL|tvrLt|\}}}|r,t|ƒnt|ƒdt|ƒ}ddd|gS|jdkr˜|tvr˜t|\}}}|rxt|ƒnt|ƒdt|ƒ}ddd|gSttd |›d |j›ƒ‚dS) Nr+rrr-z --icmp-typer,Zicmp6z --icmpv6-typez ICMP type z not supported by )rUrr‡rr rrÉ)rbZ icmp_typer9Ú_codeZ _omit_codeZ _type_strrDrDrEÚ_icmp_types_fragment4s    ÿzip4tables._icmp_types_fragmentc Cs°d}|jj ||t¡}dddœ|}|jdkrDddg}| |j¡} nddg}| |j¡} g} |jj |¡rxd |} d } n d |} d } g} |r¬| | |j ¡7} | |  |j ¡7} | || 7} |rL|   |  ||||| ¡¡|   | ||||| ¡¡|jr|   | ||||| ¡¡n:| |¡}|   d ||d||fg| |¡| dd g¡n`|j ¡dkrŽ| d krŽ|   || d |g| ddddd|g¡|   || d |g| d| g¡| S)Nr)r4r/rôr+rBr-r.rr"rr©rƒrêràr®r­r r!ú%s_ICMP_BLOCK: )rTrárÿrrUrXrÉÚquery_icmp_block_inversionr?rErArFr„r7r:r r<r/r2r$)rbrûráZictr.r€rârørHÚmatchrÍZ final_chainZ final_targetr6rúrDrDrEÚbuild_policy_icmp_block_rulesBs\    ÿþýÿÿþÿþz'ip4tables.build_policy_icmp_block_rulesc CsÎd}|jj ||t¡}g}d}|jj |¡rŒd}|j ¡dkr|rRd|t|ƒg}nd|g}|d|dd d d d d d|g }| |¡|d7}nd}|r¤d|t|ƒg}nd|g}|d|dd d |g}| |¡|S)Nr)ér©r®r6r/rƒrBr¬r­ràr r!rYrzr")rTrárÿrrZr$r‡r„) rbrûrár€rârÍZrule_idxZ ibi_targetr{rDrDrEÚ'build_policy_icmp_block_inversion_rulesss0 ý   z1ip4tables.build_policy_icmp_block_inversion_rulesc Csxd}g}|| |j¡7}|| |j¡7}g}| | |||||¡¡| | |||||¡¡| | |||||¡¡|S)Nr))r?rErArFr„r7r:r<)rbrûrár.r€r6rÍrDrDrEÚ*build_policy_rich_source_destination_rules•sz4ip4tables.build_policy_rich_source_destination_rulescCs ||jkSre)rU)rbrUrDrDrEr£szip4tables.is_ipv_supported)N)N)r®)F)F)NN)NN)NN)NN)NN)N)N)N)9Ú__name__Ú __module__Ú __qualname__rUrÉZpolicies_supportedrdr\rÕr~r‚r†rˆrŠr‹rŒrŽržr¨rÔr×rØrXrZrÞrãrårærërìrr rrr'r*r/r1r2r7r:r<r?rArJrLrNrOrPrQrSrVrXr\r^r_rrDrDrDrErS«st     &Pa#   Nÿ  9 "   ÿ   ÿ " 1"rSc@s&eZdZdZdZddd„Zdd„ZdS) Ú ip6tablesr,FcCs~g}gd¢}|jjdkr"|dg7}| gd¢|ddg¡|dkr^| gd¢|gd¢¡| gd ¢¡| gd ¢¡|S) N)rZrpfilterz--invertz --validmarkZloosez--loose)r6r#rƒr'ràrßr®)ràr r!zrpfilter_DROP: ) r6r#rƒr'rBr.z$--icmpv6-type=neighbour-solicitationràr") r6r#rƒr'rBr.z"--icmpv6-type=router-advertisementràr")rTZ_ipv6_rpfilterr„)rbrÎrÍZrpfilter_fragmentrDrDrEÚbuild_rpfilter_rulesªs$   ÿþ ÿþzip6tables.build_rpfilter_rulesc CsÊgd¢}d}|jd |¡g}| ddd|g¡|D]L}| ddd|d|dd d d g ¡|jjd vr6| ddd|d|dd ddg ¡q6| dddddd|g¡| dddd|j ¡dkrºdndd|g¡|S)N) z ::0.0.0.0/96z::ffff:0.0.0.0/96z2002:0000::/24z2002:0a00::/24z2002:7f00::/24z2002:ac10::/28z2002:c0a8::/32z2002:a9fe::/32z2002:e000::/19Z RFC3964_IPv4r)rƒr8r6róràrªr«z addr-unreach)r°Úallr r!zRFC3964_IPv4_REJECT: r!Ú4r"r®Ú6Ú5)rar…r„rTZ _log_deniedr$)rbZ daddr_listZ chain_namerÍZdaddrrDrDrEÚbuild_rfc3964_ipv4_rulesÂs.   þ  þÿ þz"ip6tables.build_rfc3964_ipv4_rulesN)F)r`rarbrUrÉrdrirDrDrDrErc¦s rc)3Zos.pathrfr½Zfirewall.core.progrZfirewall.core.loggerrZfirewall.functionsrrrrrr r r Zfirewallr Zfirewall.errorsr rrrrrZfirewall.core.richrrrrrrrrrZfirewall.core.baserZfirewall.core.icmprrrÂrrr¿rÀrFrJrRÚobjectrSrcrDrDrDrEÚsL  (  , û þþ%*