a iI@sgdZddlmZddlZddlZddlZddlmZddlm Z m Z m Z m Z m Z mZddlmZmZddlmZmZmZddlmZmZmZmZddlmZdd lmZdd lmZdd l m!Z!Gd d d eZ"GdddeZ#dddZ$dddZ%dS))Zone zone_reader zone_writerN)config) checkIPnMask checkIP6nMaskcheckInterfaceuniqifymax_zone_name_len check_mac)DEFAULT_ZONE_TARGET ZONE_TARGETS) IO_ObjectIO_Object_ContentHandlerIO_Object_XMLGenerator)common_startElementcommon_endElementcommon_check_config common_writer)rich)log)errors) FirewallErrorcsXeZdZdZdddddddgfd d gfd dgfd d dgfddgfddgfddgfddgfdd gfddfZgdZddddgddgdgdgdddgdgddddgddgdddddddgdgddZgddgd d!gd"d#ggd$gd%d&d'ggd(d)gdgd* Zed+d,Z fd-d.Z d/d0Z fd1d2Z fd3d4Z d5d6Zfd7d8Zd9d:ZZS);rz Zone class )version)shortr) descriptionr)UNUSEDF)targetrservicesrports)rr icmp_blocks) masqueradeF forward_ports)rrrr interfacessources rules_str protocols source_ports)icmp_block_inversionF)forwardT)_-/Nnameportprotocolvalueset)rrzoneservicer/z icmp-blockz icmp-typer* forward-port interfacerulesource destinationr0z source-portrnflogauditZacceptrejectZdropZmarklimiticmp-block-inversion)r. immutablerrZenabledzto-portzto-addrfamilypriority)addressmacinvertr@ipset)rBrDrEprefixlevel)grouprFz queue-sizetype) r3r"r5r7r8r9rr:r<z tcp-mss-clampcCs8ttjD]\}\}}||kr |Sq ttjddS)Nz index_of()) enumeraterIMPORT_EXPORT_STRUCTURErrZ UNKNOWN_ERROR)elementielZdummyrO9/usr/lib/python3.9/site-packages/firewall/core/io/zone.pyindex_offs z Zone.index_ofcstt|d|_d|_d|_d|_t|_g|_ g|_ g|_ g|_ d|_ d|_g|_g|_g|_g|_g|_g|_d|_d|_d|_dSNrFT)superr__init__rrrrr rrr r'r!r*r"r#r(r$r%rulesr&r)combinedappliedself __class__rOrPrTms*z Zone.__init__cCsd|_d|_d|_d|_t|_|jdd=|jdd=|jdd=|j dd=d|_ d|_ |j dd=|j dd=|jdd=|jdd=|jdd=|jdd=d|_d|_d|_dSrR)rrrrr rrr r'r!r*r"r#r(r$r%rUr&r)rVrWrXrOrOrPcleanups(          z Zone.cleanupcsN|dkr8dd|D|_tt||dd|jDntt|||dS)Nr&cSsg|]}tj|dqS))Zrule_str)rZ Rich_Rule.0srOrOrP z$Zone.__setattr__..cSsg|] }t|qSrO)strr]rOrOrPr`ra)rUrSr __setattr__)rYr.r1rZrOrPrcs zZone.__setattr__cstt|}|d=|S)Nr)rSrexport_config_dict)rYZconfrZrOrPrdszZone.export_config_dictc Csvt||||||j|dvr2ttjd|j|dkr\|tvrXttjd|j|n|dkr|D]f}t|sttj d|j||dD]:}||jkrq||d|j vrttj d|j||qqhn|d krr|D]}t |s$t |s$t |s$|d s$ttjd |j||dD]B}||jkr@q,||d|jvr,ttjd |j||q,qdS) NZpoliciesz0Zone '{}': Can't have the same name as a policy.rzZone '{}': invalid target '{}'r$z!Zone '{}': invalid interface '{}'Zzonesz4Zone '{}': interface '{}' already bound to zone '{}'r%ipset:zZone '{}': invalid source '{}'z1Zone '{}': source '{}' already bound to zone '{}')rr.rrZ NAME_CONFLICTformatr INVALID_TARGETrZINVALID_INTERFACEr$rrr startswith INVALID_ADDRr%)rYritemZ all_configZall_io_objectsr6r3r8rOrOrP _check_configsT          zZone._check_configcstt|||dr.ttjd|n|drLttjd|nl| ddkrnttjd|nJd|vr|d| d}n|}t |t krttjd|t |t dS)Nr-z$Zone '{}': name can't start with '/'z"Zone '{}': name can't end with '/'z%Zone '{}': name has more than one '/'z'Zone '{}': name has {} chars, max is {}) rSr check_namerhrr INVALID_NAMErfendswithcountfindlenr )rYr.Z checked_namerZrOrPrms,   zZone.check_namec Csd|_d|_d|_d|_d|_|jD]}||jvr$|j|q$|jD]}||jvrF|j|qF|jD]}||jvrh|j|qh|j D]}||j vr|j |q|j D]}||j vr|j |q|j D]}||j vr|j |q|j rd|_ |j rd|_ |jD]}||jvr |j|q |jD]}||jvr0|j|q0|jD]"} |j| |jt| qV|jrd|_dS)NTr)rVfilenamerrrr$appendr%rr r'r!r*r"r#r(rUr&rbr)) rYr3r6r8r4r/protoZicmpr*r7rOrOrPcombinesL                  z Zone.combine)__name__ __module__ __qualname____doc__rKZADDITIONAL_ALNUM_CHARSZPARSER_REQUIRED_ELEMENT_ATTRSZPARSER_OPTIONAL_ELEMENT_ATTRS staticmethodrQrTr\rcrdrkrmrv __classcell__rOrOrZrPr(s     % rc@s$eZdZddZddZddZdS)zone_ContentHandlercCs"t||d|_d|_d|_dS)NF)rrT_rule _rule_errorZ _limit_ok)rYrjrOrOrPrT s zzone_ContentHandler.__init__c Cst||||jrdS|j||t|||r6dS|dkrd|vrVtd|dd|vrj|d|j_d|vrtd|dd|vr|d}|t vrt t j ||dkr|t kr||j_n|d kr|jjrtd nd |j_n|d krh|jrtd d |_dSd|vr.tdd |_dS|d|jjvrT|jj|dntd|dn2|dkr`|jr |jjrtdt|jd |_dSd}d|vr|ddvrd }d}}}d|vr|d}d|vr|d}d|vr|d}tj||||d|j_dSd|vrBd|vrBtddSd|vrdd|vrdtddSd|vr~td|dd|vrtddSd|vrt|dst|dst|dst t j|dd|vrd|d}||jjvr|jj|ntd|dd|vr|d}||jjvrN|jj|ntd|dn:|d kr|jjrtd!nd |j_ntd"|dSdS)#Nr3r.z'Ignoring deprecated attribute name='%s'rr?z,Ignoring deprecated attribute immutable='%s'rrr*zForward already set, ignoring.Tr6z$Invalid rule: interface use in rule.z Invalid interface: Name missing.z%Interface '%s' already set, ignoring.r8z:Invalid rule: More than one source in rule '%s', ignoring.FrD)ZyestruerBrCrE)rDz$Invalid source: No address no ipset.z"Invalid source: Address and ipset.r@z)Ignoring deprecated attribute family='%s'z+Invalid source: Invertion not allowed here.zipset:%sz"Source '%s' already set, ignoring.r>z+Icmp-Block-Inversion already set, ignoring.zUnknown XML element '%s')r startElementrrjZparser_check_element_attrsrrZwarningrr rrrgr rr*r~r$rtr8rblowerrZ Rich_Sourcerrr rir%r)) rYr.attrsrrDaddrrCrEentryrOrOrPrs                                   z zone_ContentHandler.startElementcCst||t||dS)N)r endElementr)rYr.rOrOrPrs zzone_ContentHandler.endElementN)rwrxryrTrrrOrOrOrPr} spr}Fc Cs&t}|ds ttjd||dd|_|s>||j||_||_| t j rZdnd|_ |j |_ d|_t|}t}||d||f}t|dn}td}||z||Wn:tjy} z ttjd| WYd} ~ n d} ~ 00Wdn1s0Y~~|S) Nz.xmlz'%s' is missing .xml suffixFT%s/%srbznot a valid zone file: %s)rrorrrnr.rmrspathrhr ETC_FIREWALLDZbuiltindefaultr*r}saxZ make_parserZsetContentHandleropenZ InputSourceZ setByteStreamparseZSAXParseExceptionZ INVALID_ZONEZ getException) rsrZ no_check_namer3handlerparserr.fr8msgrOrOrPrs>       :rc CsT|r|n|j}|jr$d||jf}nd||jf}tj|rzt|d|Wn2ty}zt d||WYd}~n d}~00tj |}| t j rtj|stjt j stt j dt|dtj|ddd}t|}|i}|jr|jd kr|j|d <|jtkr*|j|d <|d ||d t||t|jD]*} |d|dd| i|d qTt|jD]N} |dd| vr|dd| ddin|dd| i|d q|jr|d|di|d |jr*|d|di|d |d |d | |!~dS)Nrz %s/%s.xmlz%s.oldzBackup of file '%s' failed: %siZwtzUTF-8)modeencodingrrrr3 z r6r.rer8rErBr>r*)"rrsr.osexistsshutilcopy2 ExceptionrerrordirnamerhrrmkdiriorrZ startDocumentrrr rZignorableWhitespacerr r$Z simpleElementr%r)r*rZ endDocumentclose) r3r_pathr.rdirpathrrrr6r8rOrOrPrs` $                   r)F)N)&__all__Zxml.saxrrrrZfirewallrZfirewall.functionsrrrr r r Zfirewall.core.baser r Zfirewall.core.io.io_objectrrrZfirewall.core.io.policyrrrrZ firewall.corerZfirewall.core.loggerrrZfirewall.errorsrrr}rrrOrOrOrPs$       e| !