a i@sgdZddlmZddlZddlZddlZddlmZddlm Z m Z m Z m Z m Z mZmZmZddlmZmZmZddlmZmZmZmZmZmZddlmZddlmZdd lm Z dd l!m"Z"d d Z#d dZ$ddZ%ddZ&GdddeZ'GdddeZ(dddZ)dddZ*dS))Policy policy_reader policy_writerN)config)checkIPcheckIP6 checkUINT16coalescePortRangemax_policy_name_lenportInPortRangeportStruniqify)DEFAULT_POLICY_TARGETPOLICY_TARGETSDEFAULT_POLICY_PRIORITY) IO_ObjectIO_Object_ContentHandlerIO_Object_XMLGenerator check_port check_tcpudpcheck_protocol)rich)log)errors) FirewallErrorc s |dkr n|dkr n|dkr|jr`|jjrJtdt|jd|_dStd|j_dSd|jj vr|jj dntdd n<|dkr|jr|jjrtdt|jd|_dSt dd |j_dSt dt d tdd d f}ttfd d |jj}|D]b}t|d |d r4t|jtrb|jjn|jj}tttjd|d d |f qԐq4t|d dd|D\}}|D]&} t| d d f} |jj| q|D]&} t| d d f} |jj | q n|d kr|jr\|jjrHtdt|jd|_dStd|j_nBtdd|jjvr|jj dntdd n2|dkr<|jr|jjrtdt|jd|_dSd} dvrddvrd} t| |j_n*d} dvr,ddd} td| n|dkr|jr|jjrttdt|jd|_dSt d|j_dSd|jj!vr|jj! dntddn|dkr&|jr|jjrtdt|jd|_dSt"d|j_dStddn|dkr|jrl|jjr^tdt|jd|_dSt#|j_n|jj$rtdnd|j_$nF|d krd} d!vrd!} d}d"vrĈd"}|jr|jjrtdt|jd|_dSt%dd | ||j_dSt dt d | r8t | |rbt&|sbt'|sbttj(d#|tdd d t| d t|f} | |jj)vr|jj) | n6td$dd | rd%| nd|rd&|ndn|d'krZ|jr2|jjrtdt|jd|_dSt*dd |j_dSt dt d tdd d f}ttfd(d |jj+}|D]b}t|d |d r~t|jtr|jjn|jj}tttjd|d d |f qԐq~t|d d)d|D\}}|D]&} t| d d f} |jj+| q|D]&} t| d d f} |jj+ | q.nz|d*kr|jstd+d|_dS|jj,rtd,t|jdSd-}d}d.vrd.}d}d/vrЈd/}d0vrd0-d1vrd}t.||||j_,n|d2vr|js,td3d|_dS|jj/rJtd4d|_dS|d5krbt0|j_/nh|d6krd}d7vrd7}t1||j_/n8|d8krt2|j_/n |d9krʈd:}t3||j_/|jj/|_4n|d;k r|jstd<dS|jj rtd=dSd}d>v rDd>}|d?v rDtd@d|_dSd}dAv rdA}| rnt5|dBk rtdCd|_dSt6|||j_|jj|_4n4|dDk r|j std<dS|jj rtd=dSd}dEv r dE}t7| s tdFd|_dSd}dAv rJdA}| r6t5|dBk rJtdGd|_dSd}dHv r~dH}t7| s~tdId|_dSt8||||j_|jj|_4n6|dJk r|j stdKdS|jj9 rtdLt|jd|_dSt:|j_9|jj9|_4n|dMk rld}d }dNv rDdN}|dOv rDtdPdNd|_dSdQv rZt;dQ}tj<||dR|_nh|dSk r|j4 stdTd|_dS|j4j= rtdUt|jd|_dSd}t>||j4_=nd-SdS)VNshort descriptionservicez;Invalid rule: More than one element in rule '%s', ignoring.Tnamez#Service '%s' already set, ignoring.portprotocol-cs|ddkSNr xattrsr$;/usr/lib/python3.9/site-packages/firewall/core/io/policy.pyEz%common_startElement..rz'%s:%s' already in '%s'cSsg|] \}}|qSr$r$.0Z_portZ _protocolr$r$r) Or+z'common_startElement..valuez$Protocol '%s' already set, ignoring. tcp-mss-clamppmtu)NNonez (value='z)'z-Invalid rule: tcp-mss-clamp%s outside of rule icmp-blockz&icmp-block '%s' already set, ignoring. icmp-typez-Invalid rule: icmp-block '%s' outside of rule masqueradez!Masquerade already set, ignoring. forward-portto-portto-addrz#to-addr '%s' is not a valid addressz-Forward port %s/%s%s%s already set, ignoring.z >%sz @%s source-portcs|ddkSr"r$r%r'r$r)r*r+cSsg|] \}}|qSr$r$r,r$r$r)r.r+ destinationz)Invalid rule: Destination outside of rulez?Invalid rule: More than one destination in rule '%s', ignoring.FaddressipsetinvertZyestrue)acceptrejectdropmarkz$Invalid rule: Action outside of rulez"Invalid rule: More than one actionrArBtyperCrDsetrz!Invalid rule: Log outside of rulezInvalid rule: More than one loglevel)ZemergZalertZcriterrorwarningZnoticeinfodebugzInvalid rule: Invalid log levelprefixz Invalid rule: Invalid log prefixnfloggroupz'Invalid rule: Invalid nflog group valuez"Invalid rule: Invalid nflog prefix queue-sizez&Invalid rule: Invalid nflog queue-sizeauditz#Invalid rule: Audit outside of rulez9Invalid rule: More than one audit in rule '%s', ignoring.rulefamily)Zipv4Zipv6z&Invalid rule: Rule family "%s" invalidpriority)rSrTlimitz4Invalid rule: Limit outside of action, log and auditz9Invalid rule: More than one limit in rule '%s', ignoring.)?_ruleelementrrIstr _rule_errorr Rich_Serviceitemservicesappend Rich_Portrrr listfilterportsr isinstancerderived_from_zonerrrZALREADY_ENABLEDr remove Rich_Protocolr protocolsRich_Tcp_Mss_ClampRich_IcmpBlock icmp_blocks Rich_IcmpTypeRich_Masquerader6Rich_ForwardPortrr INVALID_ADDR forward_portsRich_SourcePort source_portsr;lowerZRich_Destinationaction Rich_Accept Rich_Reject Rich_Drop Rich_Mark _limit_oklenRich_LogrZ Rich_NFLogrQZ Rich_Auditint Rich_RulerUZ Rich_Limit)objrr(Z new_port_idZexisting_port_idsZport_id_nameZ added_rangesZremoved_rangesZ_rangeentry_valuesto_portZto_addrr>r<r=Z_typeZ_setrGrLrO thresholdrSrTr/r$r'r)common_startElement!s                                                                                      rc Cs|dkr|jsz|jWn8tyT}z td|t|jWYd}~nTd}~00t|j|jjvr|jj |j|jj t|jntdt|jd|_d|_n|dvrd|_ dS)NrRz%s: %sz Rule '%s' already set, ignoring.F)rArBrCrDrrQ) rYrVcheck ExceptionrrIrXr[ rules_strrulesr]rw)r|rer$r$r)common_endElement|s *rc Cs*t|trdnd}|dkrXd|vrX|d}|D]$}||vr.ttjd||j|q.n|dkr|D]}t|dt|dqdn|dkr|D] } t | qn|d krd |vr|d } |D]T} | | vrttj d ||j| } | | d i d ivrt d| q| qĐn|dkr|D]} t| dt| d| dst| dstttjd||j| | drt| d| dr,t| ds,t| ds,ttjd||j| dq,nR|dkr|D]}t|dt|dqn |dvr&|D]}tj|d}|jr`d |vr`t|jtjsXt|jtjr`|d } |jj| vrttj d ||j|jj} |jj| d i d ivrt d| n| n|jr"|d |jj}|jr"|j|jvr"ttj d||j|j|jj} | d i d i |jj}|rZ|jrZ|j|jvrZt d| n| nt|jtjr|jj|dvr"ttjd||j|jjn|jr|jjr|jj|dvr"ttjd||j|jjn@|jr|jjr|jj|dvrttjd||j|jjqdS)NrZZoner\z){} '{}': '{}' not among existing servicesrarr#rfriZ icmptypesz+{} '{}': '{}' not among existing ICMP typesZruntimeZicmptypes_unsupportedz{} (unsupported)rnz-{} '{}': '{}' is missing to-port AND to-addr z,{} '{}': to-addr '{}' is not a valid addressrp)r rich_rulesZrule_strz<{} '{}': rich rule family '{}' conflicts with icmp type '{}'Zipsetsz'{} '{}': '{}' not among existing ipsets)rbrrrZINVALID_SERVICEformatrrrrZINVALID_ICMPTYPEgetrZdebug1INVALID_FORWARDrrrmrr{rWrhrjrSr;rZsourcer=Z INVALID_IPSET)r|rr[ all_configall_io_objectsZobj_typeZexisting_servicesrrprotoZexisting_icmptypesZicmptypeexfwd_portrRZobj_richZictZict_unsupportedr$r$r)common_check_configs                       rc Cs|jrF|jdkrF|d|di||j|d|d|jr|jdkr|d|di||j|d|dt|jD](}|d|dd|i|dqt|j D]2}|d|d|d |d d |dqt|j D]*}|d|d d |i|dqt|j D]*}|d|dd|i|dq>|j r|d|di|dt|j D]}|d|d |d d }|dr|ddkr|d|d<|dr|ddkr|d|d<|d||dqt|jD]4}|d|d|d |d d |dq(|jD]n}i}|jr|j|d<|jd krt|j|d<|d|d||d|jr:i}|jjr|jj|d<|jjr|jj|d<|jjr|jj|d<|jjrd|d<|d|d||d|jri}|jjr\|jj|d<|jjrr|jj|d<|jjrd|d<|d|d ||d|jrd} i}t|jtjkrd} |jj|d<nt|jtjkr d} |jj|d<|jj |d <nnt|jtj!kr2d } |jj"|d <nHt|jtj#krpd!} |jj"rz|jj"d"krz|jj"|d <n t|jtj$krd} nt|jtj%krd} |jj|d<nt|jtj&krd#} |jj|d<nt|jtj'kr4d} |jj|d<|jj |d <|jj(dkr|jj(|d<|jj)dkrz|jj)|d<nFt|jtj*krdd} |jj|d<|jj |d <nt+t,j-d$t|j|d|| ||d|j.rt|j.tj/kr\i}|j.j0r|j.j0|d%<|j.j1r|j.j1|d&<|j.j2r:|d|d'||d(|d)d |j.j2j"i|d*|d'n|d|d'||dni}|j.j3rv|j.j3|d+<|j.j0r|j.j0|d%<|j.j4r|j.j4|d,<|j.j2r|d|d-||d(|d)d |j.j2j"i|d*|d-n|d|d-||d|j5ri}|j5j2rz|d|d.i|d(|d)d |j5j2j"i|d*|d.n|d|d.||d|j6rd} i}t|j6tj7krd/} n|t|j6tj8krd0} |j6jr>|j6j|d1<nNt|j6tj9krd2} n6t|j6tj:kr,d3} |j6j;|d4<nt.z rr;r0r1r5z"Unknown element '%s' in obj_writerrLrGrz rUz rOrPrNrQrArBrErCrDrFzUnknown action '%s')=rignorableWhitespace startElementZ characters endElementrr r\ simpleElementrarfrir6rnrprrSrTrXraddrrr=r>r;rWrErrZrr^rr rer/rgrkrhrjrlr to_addressrorrZINVALID_OBJECTrryrLrGrUrOrrQrrrsrtrurvrFrI) r|handlerrrr ZicmpZforwardr(rRrWrrr$r$r) common_writers                                                                                                               rcsNeZdZdZdZeZdgZdddddd gfd d gfd d gfd ddgfdd gfdd gfdd gfddd gfdd gffZgdZ dddgdgddgdgdgdddgddddgddgdddddddgdgdgdgdZ dd gd!d"gd#d ggd$gd%d&d'ggd(d)gdgd* Z fd+d,Z d-d.Z fd/d0Zfd1d2Zd3d4Zfd5d6ZZS)7riir)versionr3)rr3)rr3)targetr3r\r3ra)r3r3ri)r6Frn)r3r3r3r3rrfrp)rTr ingress_zones egress_zones)_r!/Nrrrr r/rF)rrpolicyrrr4r5r6r7rRrr;r r:rrNrQrArBrCrDrU ingress-zone egress-zonerrTr8r9rS)r<rr>rSr=)r<r>r=rLrG)rOrLrPrE) rr7rRrr;rrNrBr0cstt|d|_d|_d|_t|_g|_g|_ g|_ g|_ d|_ d|_ g|_g|_g|_g|_d|_|j|_d|_g|_g|_dSNr3F)superr__init__rrrrrr\rarfriicmp_block_inversionr6rnrprrappliedpriority_defaultrTrcrrself __class__r$r)r's(zPolicy.__init__cCsd|_d|_d|_t|_|jdd=|jdd=|jdd=|jdd=d|_ d|_ |j dd=|j dd=|j dd=|jdd=d|_|j|_|jdd=|jdd=dSr)rrrrrr\rarfrirr6rnrprrrrrTrrrr$r$r)cleanup=s$         zPolicy.cleanupcs"|dkr|jSttt||SdS)Nr)rgetattrrrrrrr$r) __getattr__QszPolicy.__getattr__csB|dkr,dd|D|_dd|jD|_ntt|||dS)NrcSsg|]}tj|dqS)r)rr{r-rr$r$r)r.Yr+z&Policy.__setattr__..cSsg|] }t|qSr$)rXrr$r$r)r.[r+)rrrr __setattr__)rrr/rr$r)rWszPolicy.__setattr__c Cst||||||j|dvr2ttjd|j|dkr\|tvrXttjd|j|n|dkr||jvs||j ks||j krttj d|j||j |j |jnH|dvrdd gt |d }|D]}||vrttjd |j||d vrtdd gt|@s.|d vrDt|t|grDttjd |j||d kr|d krnd|vrnd |dvs|dkrd |vrd |d vrttjd|jqΐnL|dkr|rd|vrd |dvrttjd|jnd |vrd |d vrttjd|j|d D]r}|dkr(q||dvrLttjd|j||dddkr|d|jrttjd|j|qnb|dkr|D]p}tj|d}|jrt|jtjrd|vrd |dvrttjd|jnd |vr d |d vr ttjd|j|d D]r}|dkr:q(||dvr^ttjd|j||dddkr(|d|jr(ttjd|j|q(q|jrt|jtjrd|vr d |dvr|jjrttjd|jn|dr |jjsttjd|jd|dvr |dD]P}||dvrVttjd|j||d|jr.ttjd|j|q.n|jrt|jtjrd|vr|dD]^}|d vrq||dvrttjd|j||d|jrttjd|j|qqn|dkr|D]} d|vr d |dvr\| drttjd|jn|dr | dsttjd|jd|dvr |dD]P}||dvrttjd|j||d|jrttjd|j|qq dS) NZzonesz0Policy '{}': Can't have the same name as a zone.rz#Policy '{}': '{}' is invalid targetrTz^Policy '{}': {} is invalid priority. Must be in range [{}, {}]. The following are reserved: {})rrANYHOSTz*Policy '{}': '{}' not among existing zones)rrzKPolicy '{}': '{}' may only contain one of: many regular zones, ANY, or HOSTrrzSPolicy '{}': 'HOST' can only appear in either ingress or egress zones, but not bothr6z;Policy '{}': 'masquerade' is invalid for egress zone 'HOST'zr?r<rr=)r>zUnknown XML element '%s')rrrYr[Zparser_check_element_attrsrrrzrTrrrrrrr]rrIrrVrrXrqrZ Rich_Source)rrr(rr>rrr=r$r$r)rsl                z"policy_ContentHandler.startElementcCst||t||dS)N)rrrrr$r$r)r5s z policy_ContentHandler.endElementN)rrrrrrr$r$r$r)rs@rFc Cs t}|ds ttjd||dd|_|s>||j||_||_| t j rZdnd|_ |j |_ t|}t}||d||f}t|dn}td}||z||Wn:tjy} z ttjd| WYd} ~ n d} ~ 00Wdn1s0Y~~|S) Nz.xmlz'%s' is missing .xml suffixFT%s/%srbznot a valid policy file: %s)rrrrrrrfilenamepathrr ETC_FIREWALLDZbuiltindefaultrsaxZ make_parserZsetContentHandleropenZ InputSourceZ setByteStreamparseZSAXParseExceptionZINVALID_POLICYZ getException) rrZ no_check_namerrparserrfrmsgr$r$r)r:s<       :rc Cs|r|n|j}|jr$d||jf}nd||jf}tj|rzt|d|Wn2ty}zt d||WYd}~n d}~00tj |}| t j rtj|stjt j stt j dt|dtj|ddd}t|}|i}|jr|jd kr|j|d <|j|jkr0t|j|d <|j|d <|d ||dt||t|jD]*} |d|dd| i|dqdt|jD]*} |d|dd| i|dq|d |d| |!~dS)Nrz %s/%s.xmlz%s.oldzBackup of file '%s' failed: %siZwtzUTF-8)modeencodingr3rrTrrrrrrr)"rrrosexistsshutilcopy2rrrHdirnamerrrmkdiriorrZ startDocumentrrTrrXrrrrr rrrrZ endDocumentclose) rr_pathrrdirpathrrr(rr$r$r)rWsN $           r)F)N)+__all__Zxml.saxrrrrZfirewallrZfirewall.functionsrrrr r r r r Zfirewall.core.baserrrZfirewall.core.io.io_objectrrrrrrZ firewall.corerZfirewall.core.loggerrrZfirewall.errorsrrrrrrrrrr$r$r$r)s2  (      ]dwL