a i P@sdZgdZddlmZddlZddlZddlZddlmZddl m Z m Z m Z m Z mZmZmZmZddlmZmZmZddlmZmZddlmZmZmZmZdd lmZdd lm Z dd l!m"Z"Gd d d eZ#GdddeZ$ddZ%dddZ&dS)z$ipset io XML handler, reader, writer)IPSet ipset_reader ipset_writerN)config)checkIPcheckIP6 checkIPnMask checkIP6nMask check_mac check_portcheckInterface checkProtocol) IO_ObjectIO_Object_ContentHandlerIO_Object_XMLGenerator) IPSET_TYPESIPSET_CREATE_OPTIONS)check_icmp_namecheck_icmp_typecheck_icmpv6_namecheck_icmpv6_type)log)errors) FirewallErrorcseZdZdddddddifddgffZdZgd Zd d d gd gd d ZdgdgdZfddZddZ e ddZ ddZ fddZ ZS)r)version)shortr) descriptionr)typeroptionsrentriesz (ssssa{ss}as))_-:.Nrname)rripsetoptionentryrvalue)r&r'cs<tt|d|_d|_d|_d|_g|_i|_d|_ dSNrF) superr__init__rrrrr rappliedself __class__:/usr/lib/python3.9/site-packages/firewall/core/io/ipset.pyr,CszIPSet.__init__cCs8d|_d|_d|_d|_|jdd=|jd|_dSr*)rrrrr rclearr-r.r2r2r3cleanupMs  z IPSet.cleanupc Csd}d|vr|ddkrd}|ds6ttjd||ddd}|d}t|t|ksnt|d krttjd ||ft|D]@\}}||}|d krd |vrV|dkrV|d krttjd |||f|d } t| dkrttjd||||f| D]F} |dkr$t| r8|dkr t | s ttjd| |||fq nh|dkr|dkrttjd||||f|dkrt } nt} nt } | |sttjd||||fq|dkr"d |vr|d } t| dkrttjd||||f|dkrt| dr4|dkrPt | dsPttjd| d|||f|dkrht | d r|dkr t | d s ttjd| d |||fn| dr|dkr|dkr|dksttjd||||f|dkrt |r|dkrt |sttjd||||fq|dkrVt |r@|dkrttjd||fq|dkrd|vr|d} t| dkrttjd|| ddkr|dkrttjd||ft| d st| d sttjd| d |fn| ddvrV|dkr ttjd||ft| d st| d sttjd | d |fn\| dd!vrt| dsttjd"| d|fn&t| d sttjd#| d |fnt|sttjd$||fq|d%kr|d&r$zt|d'} Wn(ty ttjd(||fYn0n6z t|} Wn(tyXttjd(||fYn0| dksn| d)krttjd(||fq|d*krt|rt|d+krttjd,||fqttjd|qdS)-NZipv4familyinet6Zipv6zhash:zipset type '%s' not usable,z)entry '%s' does not match ipset type '%s'ipr"z invalid address '%s' in '%s'[%d]z.invalid address range '%s' in '%s' for %s (%s)z(invalid address '%s' in '%s' for %s (%s)z0.0.0.0rnetz/0zhash:net,ifaceZmacz00:00:00:00:00:00z invalid mac address '%s' in '%s'portr#zinvalid port '%s'Zicmpz(invalid protocol for family '%s' in '%s'zinvalid icmp type '%s' in '%s')Zicmpv6z ipv6-icmpz invalid icmpv6 type '%s' in '%s')ZtcpZsctpZudpZudplitezinvalid protocol '%s' in '%s'zinvalid port '%s'in '%s'zinvalid port '%s' in '%s'Zmark0xzinvalid mark '%s' in '%s'lZifacezinvalid interface '%s' in '%s') startswithrr INVALID_IPSETsplitlenZ INVALID_ENTRY enumeraterrrr endswithr rrrrr r int ValueErrorr ) r(rZ ipset_typer6flagsitemsiflagitemZsplitsZ_splitZip_checkZint_valr2r2r3 check_entryVs                                             zIPSet.check_entryc Cs|dkr |tvr ttjd||dkr|D]}|tvrLttjd||dvrzt||}Wn*tyttj d|||fYn0|dkrttj d|||fq0|d kr0||d vr0ttj ||q0dS) Nrz'%s' is not valid ipset typerzipset invalid option '%s'timeouthashsizemaxelem)Option '%s': Value '%s' is not an integerr#Option '%s': Value '%s' is negativer6Zinetr7) rrr INVALID_TYPEkeysrrCrHrI INVALID_VALUEINVALID_FAMILY)r/rrNZ all_configall_io_objectskey int_valuer2r2r3 _check_config s@      zIPSet._check_configcspd|dvr6|dddkr6t|ddkr6ttj|dD]}t||d|dq>tt|||dS)NrQ0r8r)rErrZIPSET_WITH_TIMEOUTrrOr+ import_config)r/rr[r(r0r2r3rb&s   zIPSet.import_config)__name__ __module__ __qualname__ZIMPORT_EXPORT_STRUCTUREZDBUS_SIGNATUREZADDITIONAL_ALNUM_CHARSZPARSER_REQUIRED_ELEMENT_ATTRSZPARSER_OPTIONAL_ELEMENT_ATTRSr,r5 staticmethodrOr^rb __classcell__r2r2r0r3r,s2    5rc@seZdZddZddZdS)ipset_ContentHandlercCst||||j|||dkrpd|vrX|dtvrLttjd|d|d|j_d|vrl|d|j_ nt|dkr|nh|dkrn\|dkrd}d |vr|d }|d d vrttj d |d |jjd kr|d dvrttj d|d |jjf|d d vr"|s"ttj d|d |d dvrz t |}Wn,t yhttj d|d |fYn0|dkrttj d|d |f|d dkr|dvrttj||d |jjvr||jj|d <ntd|d dS)Nr&rz%srrrr'rr)r%)r6rQrRrSzUnknown option '%s'zhash:mac)r6z%Unsupported option '%s' for type '%s'z&Missing mandatory value of option '%s'rPrTrrUr6rVz Option %s already set, ignoring.)r startElementrNZparser_check_element_attrsrrrrWrrZINVALID_OPTIONrHrIrYrZrrwarning)r/r%attrsr)r]r2r2r3ri1sx           z!ipset_ContentHandler.startElementcCs(t|||dkr$|jj|jdS)Nr()r endElementrNr appendZ_element)r/r%r2r2r3rlhs zipset_ContentHandler.endElementN)rcrdrerirlr2r2r2r3rh0s7rhc Cs&t}|ds ttjd||dd|_||j||_||_| t j rVdnd|_ |j |_ t|}t}||d||f}t|dn}td}||z||Wn:tjy}z ttjd|WYd}~n d}~00Wdn1s 0Y~~d |jvr^|jd d kr^t|jd kr^td |j|jdd=d } t} | t|jkr |j| | vrtd |j| |j| ntz| |j| |j|j!Wn>ty} z$td| |j| WYd} ~ n"d} ~ 00| "|j| | d7} qh~ |S)Nz.xmlz'%s' is missing .xml suffixFT%s/%srbznot a valid ipset file: %srQr`rz6ipset '%s': timeout option is set, entries are ignoredzEntry %s already set, ignoring.z %s, ignoring.r:)#rrGrrZ INVALID_NAMEr%Z check_namefilenamepathrBr ETC_FIREWALLDZbuiltindefaultrhsaxZ make_parserZsetContentHandleropenZ InputSourceZ setByteStreamparseZSAXParseExceptionrCZ getExceptionrrEr rrjsetpoprOradd) rqrrr&handlerparserr%fsourcemsgrLZ entries_seter2r2r3rmsd       :   " rc Cs|r|n|j}|jr$d||jf}nd||jf}tj|rzt|d|Wn2ty}zt d||WYd}~n d}~00tj |}| t j rtj|stjt j stt j dt|dtj|ddd}t|}|d |ji}|jr|jd kr|j|d <|d ||d |jrz|jd krz|d|di||j|d|d |jr|jd kr|d|di||j|d|d |jD]L\} } |d| d kr|d| | dn|dd| i|d q|jD]:} |d|di|| |d|d q"|d |d || ~dS)Nroz %s/%s.xmlz%s.oldzBackup of file '%s' failed: %siZwtzUTF-8)modeencodingrrrr& z rrr')r%r)r%r()!rrrqr%osexistsshutilcopy2 ExceptionrerrordirnamerBrrsmkdiriorvrZ startDocumentrrriZignorableWhitespacerZ charactersrlrrrKZ simpleElementr Z endDocumentclose) r&rr_pathr%rdirpathr}r{rkr\r)r(r2r2r3rsf $                         r)N)'__doc____all__Zxml.saxrurrrZfirewallrZfirewall.functionsrrrr r r r r Zfirewall.core.io.io_objectrrrZfirewall.core.ipsetrrZfirewall.core.icmprrrrZfirewall.core.loggerrrZfirewall.errorsrrrhrrr2r2r2r3s&  (   =3