3 @)f@sdddlmZddlZeejd<ddlZddlZddlZddlZddl Zddl m Z ddl m Z ddlmZddlmZddlmZmZmZdd lmZdd lmZdd lmZdd lmZdd lmZddl m!Z!ddl"m#Z#ddl$m%Z%ddl&m'Z'ddl(m)Z)ddl*m+Z+ddl,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2m3Z3ddl m4Z4ddl5m6Z6Gdddejj7j8Z9dS))GObjectNZgobject)config)DEFAULT_ZONE_TARGET)Watcher)log)handle_exceptionsdbus_handle_exceptionsdbus_service_method)FirewallDConfigIcmpType)FirewallDConfigService)FirewallDConfigZone)FirewallDConfigPolicy)FirewallDConfigIPSet)FirewallDConfigHelper)IcmpType)IPSet)Helper)LockdownWhitelist)Direct)dbus_to_pythoncommand_of_sendercontext_of_sender uid_of_sender user_of_uid%dbus_introspection_prepare_properties!dbus_introspection_add_properties)errors) FirewallErrorcs@ eZdZdZdZejjZe fddZ e ddZ e ddZ e d d Z e d d Ze d dZe ddZe ddZe ddZe ddZe ddZe ddZe ddZe ddZe dd Ze d!d"Ze d#d$Ze d%d&Ze d'd(Ze d)d*Ze d+d,Ze d-d.Ze d/d0Z e!d1d2Z"e!d3d4Z#e!d5d6Z$e%ej&d7d8d9e!dd;d<Z'e%ej&d=d>d9e!dd?d@Z(e)jj*j+ejje%ej&dAdBe!ddCdDZ,ej-j.ej&dEdFdGdHZ/e)jj*j+ejj0e%ej1d=dIe!dfdJdK Z2e%ejj3e4j5dIe!ddLdMZ6e%ejj3e4j5dBe!ddNdOZ7ej-j.ejj3e!dPdQZ8e%ejj3d=dBe!ddRdSZ9e%ejj3d=dBe!ddTdUZ:e%ejj3d=dVd9e!ddWdXZ;e%ejj3dYdIe!ddZd[Ze%ejj3d=dVd9e!dd`daZ?e%ejj3dYdIe!ddbdcZ@e%ejj3d=dBe!ddddeZAe%ejj3d=dBe!ddfdgZBe%ejj3d=dVd9e!ddhdiZCe%ejj3dYdIe!ddjdkZDe%ejj3dldBe!ddmdnZEe%ejj3dldBe!ddodpZFe%ejj3dldVd9e!ddqdrZGe%ejj3dsdIe!ddtduZHe%ejjIdvdIe!ddwdxZJe%ejjIdYdIe!ddydzZKe%ejjId=d{d9e!dd|d}ZLe%ejjId=eMj5d{d9e!dd~dZNej-j.ejjId=dFe!ddZOe%ejjIdvdIe!dddZPe%ejjIdYdIe!d ddZQe%ejjId=d{d9e!d ddZRe%ejjId=eSj5d{d9e!d ddZTej-j.ejjId=dFe!ddZUe%ejjIdvdIe!d ddZVe%ejjIdYdIe!d ddZWe%ejjId=d{d9e!dddZXe%ejjIdd{d9e!dddZYe%ejjIdd{d9e!dddZZej-j.ejjId=dFe!ddZ[e%ejjIdvdIe!dddZ\e%ejjIdYdIe!dddZ]e%ejjId=d{d9e!dddZ^e%ejjId=d=d9e!dddZ_e%ejjId=d=d9e!dddZ`e%ejjIdd{d9e!dddZae%ejjIdd{d9e!dddZbej-j.ejjId=dFe!ddZce%ejjIdvdIe!dddZde%ejjIdYdIe!dddZee%ejjId=d{d9e!dddZfe%ejjIdd{d9e!dddZgej-j.ejjId=dFe!ddZhe%ejjIdvdIe!dddZie%ejjIdYdIe!dddZje%ejjId=d{d9e!dddZke%ejjId=elj5d{d9e!dddZmej-j.ejjId=dFe!ddZne%ejjoepj5dIe!d ddZqe%ejjoepj5dBe!d!dd„Zrej-j.ejjoe!ddĄZse%ejjoddBe!d"ddDŽZte%ejjoddBe!d#ddɄZue%ejjoddVd9e!d$dd˄Zve%ejjod7dYd9e!d%dd̈́Zwe%ejjoddd9e!d&ddфZxe%ejjoddBe!d'ddԄZye%ejjoddBe!d(ddքZze%ejjoddVd9e!d)dd؄Z{e%ejjoddBe!d*ddڄZ|e%ejjoddd9e!d+dd݄Z}e%ejjoddd9e!d,ddZ~e%ejjoddBe!d-ddZe%ejjoddBe!d.ddZe%ejjoddVd9e!d/ddZe%ejjod=dd9e!d0ddZe%ejjoddIe!d1ddZZS(2FirewallDConfigzFirewallD main classTcstt|j||||_|d|_|d|_|jt|jd|_ |j j tj |j j tj |j j tj |j j tj|j j tj|j j tj|j j tj|j j tj|j j tj|j j tj|j j tj|j j tjtjjtjr>xBttjtjD].}dtj|f}tjj|r |j j |q W|j jtj|j jtj|j jtjt |tj!j"ddddddddddddd dS)Nrz%s/%sZ readwrite) CleanupOnExitCleanupModulesOnExit IPv6_rpfilterLockdown MinimalMarkIndividualCalls LogDeniedAutomaticHelpersFirewallBackendFlushAllOnReload RFC3964_IPv4AllowZoneDrifting)#superr__init__rbusnamepath _init_varsr watch_updaterwatcher add_watch_dirFIREWALLD_IPSETSETC_FIREWALLD_IPSETSFIREWALLD_ICMPTYPESETC_FIREWALLD_ICMPTYPESFIREWALLD_HELPERSETC_FIREWALLD_HELPERSFIREWALLD_SERVICESETC_FIREWALLD_SERVICESFIREWALLD_ZONESETC_FIREWALLD_ZONESFIREWALLD_POLICIESETC_FIREWALLD_POLICIESosexistssortedlistdirisdirZadd_watch_fileLOCKDOWN_WHITELISTFIREWALLD_DIRECTFIREWALLD_CONFrdbusDBUS_INTERFACE_CONFIG)selfZconfargskwargsfilenamer0) __class__/usr/lib/python3.6/config.pyr.FsP  zFirewallDConfig.__init__cCs2g|_d|_g|_d|_g|_d|_g|_d|_g|_d|_ g|_ d|_ x$|j j D]}|j|j j|qTWx$|j jD]}|j|j j|qzWx$|j jD]}|j|j j|qWx$|j jD]}|j|j j|qWx$|j jD]}|j|j j|qWx&|j jD]}|j|j j|qWdS)Nr)ipsets ipset_idx icmptypes icmptype_idxservices service_idxzoneszone_idxhelpers helper_idxpolicy_objectspolicy_object_idxrZ get_ipsets _addIPSetZ get_ipsetZ get_icmptypes _addIcmpTypeZ get_icmptypeZ get_services _addServiceZ get_serviceZ get_zones_addZoneZget_zoneZ get_helpers _addHelperZ get_helperZget_policy_objects _addPolicyZget_policy_object)rKipseticmptypeservicezonehelperpolicyrPrPrQr1ts0zFirewallDConfig._init_varscCsdS)NrP)rKrPrPrQ__del__szFirewallDConfig.__del__cCsx&t|jdkr&|jj}|j~qWx&t|jdkrN|jj}|j~q*Wx&t|jdkrv|jj}|j~qRWx&t|jdkr|jj}|j~qzWx&t|jdkr|jj}|j~qWx&t|jdkr|jj}|j~qW|j dS)Nr) lenrRpop unregisterrTrVrXrZr\r1)rKitemrPrPrQreloads2      zFirewallDConfig.reloadc CsJ|tjkr|jtjj}tjdtjy|jjWn2tk rf}ztj d||fdSd}~XnX|jtjjj }x2t |j D]"}||kr||||kr||=qWt |dkr|jtjj|gdS|jtjs|jtjo|jdry|jj|\}}Wn4tk r<}ztj d||fdSd}~XnX|dkrT|j|n*|dkrj|j|n|dkrF|j|n|jtjs|jtjr8|jdr8y|jj|\}}Wn4tk r}ztj d ||fdSd}~XnX|dkr |j|n*|dkr |j|n|dkrF|j|n|jtjsT|jtjrr|jdry|jj|\}}Wn4tk r}ztj d ||fdSd}~XnX|dkr|j |n*|dkr|j!|n|dkrn|j"|n|jtjrF|j#tjd j$d }t |d ks&d |kr*dSt%j&j'|rT|j(j)|sn|j(j*|n|j(j)|rF|j(j+|n|jtj,s|jtj-r(|jdr(y|jj.|\}}Wn4tk r}ztj d||fdSd}~XnX|dkr|j/|n*|dkr|j0|n|dkrF|j1|n|jtj2sD|jtj3r|jdry|jj4|\}}Wn4tk r}ztj d||fdSd}~XnX|dkr|j5|n*|dkr|j6|n|dkrF|j7|nh|tj8kr:y|jj9Wn4tk r,}ztj d||fdSd}~XnX|j:n |tj;kry|jj<Wn4tk r}ztj d||fdSd}~XnX|j=n|jtj>s|jtj?rF|jdrFy|jj@|\}}Wn4tk r}ztj d||fdSd}~XnX|dkr|jA|n*|dkr2|jB|n|dkrF|jC|dS)Nz,config: Reloading firewalld config file '%s'z+Failed to load firewalld.conf file '%s': %srz.xmlz%Failed to load icmptype file '%s': %snewremoveupdatez$Failed to load service file '%s': %sz!Failed to load zone file '%s': %s/rz"Failed to load ipset file '%s': %sz#Failed to load helper file '%s': %sz/Failed to load lockdown whitelist file '%s': %sz)Failed to load direct rules file '%s': %sz#Failed to load policy file '%s': %s)DrrHGetAllrIrJrdebug1Zupdate_firewalld_conf ExceptionerrorcopylistkeysrkPropertiesChanged startswithr7r8endswithZupdate_icmptype_from_pathr_removeIcmpType_updateIcmpTyper;r<Zupdate_service_from_pathr` removeService_updateServicer=r>Zupdate_zone_from_pathra removeZone _updateZonereplacestriprAr0rEr3Z has_watchr4Z remove_watchr5r6Zupdate_ipset_from_pathr^ removeIPSet _updateIPSetr9r:Zupdate_helper_from_pathrb removeHelper _updateHelperrFZupdate_lockdown_whitelistLockdownWhitelistUpdatedrGZ update_directUpdatedr?r@Zupdate_policy_object_from_pathrc removePolicy _updatePolicy) rKnameZ old_propsmsgZpropskeyZwhatobj_namerPrPrQr2s                                                    zFirewallDConfig.watch_updaterc CsPt||j||j|jdtjj|jf}|jj||jd7_|j|j |S)Nz%s/%dr) r rrUr/rIZDBUS_PATH_CONFIG_ICMPTYPErTappend IcmpTypeAddedr)rKrconfig_icmptyperPrPrQr_As   zFirewallDConfig._addIcmpTypecCsPxJ|jD]@}|jj|jkr|jj|jkr|jj|jkr||_|j|jqWdS)N)rTrrr0rNr)rKrrerPrPrQrMs  zFirewallDConfig._updateIcmpTypecCsd}xT|jD]J}|j}|j||kr ||j|j|jj|j||_|j|jjq Wx\|jD]R}|j}d|krb|j|dkrb|dj|j|jj |j||_|j|jjqbWx:|j D]0}|j|kr|j |j|j |j j|~qWdS)NZ icmp_blocks) rX getSettingsrrqrset_zone_configrrr\set_policy_object_config_dictrTRemovedrm)rKrindexrgsettingsrirerPrPrQrVs&      zFirewallDConfig.removeIcmpTypec CsPt||j||j|jdtjj|jf}|jj||jd7_|j|j |S)Nz%s/%dr) r rrWr/rIZDBUS_PATH_CONFIG_SERVICErVr ServiceAddedr)rKrconfig_servicerPrPrQr`ps  zFirewallDConfig._addServicecCsPxJ|jD]@}|jj|jkr|jj|jkr|jj|jkr||_|j|jqWdS)N)rVrrr0rNr)rKrrfrPrPrQr{s  zFirewallDConfig._updateServicecCsd}xT|jD]J}|j}|j||kr ||j|j|jj|j||_|j|jjq Wx\|jD]R}|j}d|krb|j|dkrb|dj|j|jj |j||_|j|jjqbWx:|j D]0}|j|kr|j |j|j |j j|~qWdS)Nr rV) rXrrrqrrrrr\rrVrrm)rKrrrgrrirfrPrPrQrs&      zFirewallDConfig.removeServicec CsPt||j||j|jdtjj|jf}|jj||jd7_|j|j |S)Nz%s/%dr) r rrYr/rIZDBUS_PATH_CONFIG_ZONErXr ZoneAddedr)rKr config_zonerPrPrQras  zFirewallDConfig._addZonecCsPxJ|jD]@}|jj|jkr|jj|jkr|jj|jkr||_|j|jqWdS)N)rXrrr0rNr)rKrrgrPrPrQrs  zFirewallDConfig._updateZonecCs@x:|jD]0}|j|kr|j|j|j|jj|~qWdS)N)rXrrrrmrq)rKrrgrPrPrQrs     zFirewallDConfig.removeZonec CsPt||j||j|jdtjj|jf}|jj||jd7_|j|j |S)Nz%s/%dr) r rr]r/rIZDBUS_PATH_CONFIG_POLICYr\r PolicyAddedr)rKr config_policyrPrPrQrcs  zFirewallDConfig._addPolicycCsPxJ|jD]@}|jj|jkr|jj|jkr|jj|jkr||_|j|jqWdS)N)r\rrr0rNr)rKrrirPrPrQrs  zFirewallDConfig._updatePolicycCs@x:|jD]0}|j|kr|j|j|j|jj|~qWdS)N)r\rrrrmrq)rKrrirPrPrQrs     zFirewallDConfig.removePolicyc CsPt||j||j|jdtjj|jf}|jj||jd7_|j|j |S)Nz%s/%dr) rrrSr/rIZDBUS_PATH_CONFIG_IPSETrRr IPSetAddedr)rKr config_ipsetrPrPrQr^s  zFirewallDConfig._addIPSetcCsPxJ|jD]@}|jj|jkr|jj|jkr|jj|jkr||_|j|jqWdS)N)rRrrr0rNr)rKrrdrPrPrQrs  zFirewallDConfig._updateIPSetcCs@x:|jD]0}|j|kr|j|j|j|jj|~qWdS)N)rRrrrrmrq)rKrrdrPrPrQrs     zFirewallDConfig.removeIPSetc CsPt||j||j|jdtjj|jf}|jj||jd7_|j|j |S)Nz%s/%dr) rrr[r/rIZDBUS_PATH_CONFIG_HELPERrZr HelperAddedr)rKr config_helperrPrPrQrbs  zFirewallDConfig._addHelpercCsPxJ|jD]@}|jj|jkr|jj|jkr|jj|jkr||_|j|jqWdS)N)rZrrr0rNr)rKrrhrPrPrQrs  zFirewallDConfig._updateHelpercCs@x:|jD]0}|j|kr|j|j|j|jj|~qWdS)N)rZrrrrmrq)rKrrhrPrPrQrs     zFirewallDConfig.removeHelpercCs|jjr|dkr tjddStj}t||}|jjd|rDdSt||}|jjd|r`dSt |}|jjd|rzdSt ||}|jjd|rdSt t j ddS)Nz&Lockdown not possible, sender not set.contextuidusercommandzlockdown is enabled)rZlockdown_enabledrrxrIZ SystemBusrZ access_checkrrrrrZ ACCESS_DENIED)rKsenderZbusrrrrrPrPrQ accessChecks$     zFirewallDConfig.accessCheckcCsF|dkrtjjd||jjj|}|dkrH|dkr>tj}tj|S|dkrr|dkr`tj}nt |}tj |S|dkr|dkrtj rdnd}tj|S|dkr|dkrtj rdnd}tj|S|dkr|dkrtj rdnd}tj|S|dkr|dkrtjrdnd}tj|S|dkrL|dkrBtjr>dnd}tj|S|dkrp|dkrftj}tj|S|d kr|dkrtj}tj|S|d kr|dkrtj}tj|S|d kr|dkrtjrdnd}tj|S|d kr|dkr tjrdnd}tj|S|d krB|dkr8tjr4dnd}tj|SdS)N DefaultZoner%r!r"r$r#r&r'r(r)r*r+r,zDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not existyesno) rr%r!r"r$r#r&r'r(r)r*r+r,)rI exceptions DBusExceptionrget_firewalld_confgetZ FALLBACK_ZONEStringZFALLBACK_MINIMAL_MARKintInt32ZFALLBACK_CLEANUP_ON_EXITZ FALLBACK_CLEANUP_MODULES_ON_EXITZFALLBACK_LOCKDOWNZFALLBACK_IPV6_RPFILTERZFALLBACK_INDIVIDUAL_CALLSZFALLBACK_LOG_DENIEDZFALLBACK_AUTOMATIC_HELPERSZFALLBACK_FIREWALL_BACKENDZFALLBACK_FLUSH_ALL_ON_RELOADZFALLBACK_RFC3964_IPV4ZFALLBACK_ALLOW_ZONE_DRIFTING)rKpropvaluerPrPrQ _get_property+s|                              zFirewallDConfig._get_propertycCsT|dkrtj|j|S|dkr0tj|j|S|dkrHtj|j|S|dkr`tj|j|S|dkrxtj|j|S|dkrtj|j|S|dkrtj|j|S|dkrtj|j|S|d krtj|j|S|d krtj|j|S|d kr tj|j|S|d kr&tj|j|S|d kr@tj|j|Stjjd|dS)Nrr%r!r"r$r#r&r'r(r)r*r+r,zDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not exist)rIrrrrr)rKrrPrPrQ_get_dbus_propertyos:    z"FirewallDConfig._get_dbus_propertyZssv) in_signature out_signatureNcCsxt|t}t|t}tjd|||tjjkr8|j|S|tjjtjj gkr^tj j d|ntj j d||j|S)Nzconfig.Get('%s', '%s')zDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not existzJorg.freedesktop.DBus.Error.UnknownInterface: Interface '%s' does not exist) rstrrrvrrIrJrDBUS_INTERFACE_CONFIG_DIRECTDBUS_INTERFACE_CONFIG_POLICIESrr)rKinterface_name property_namerrPrPrQGets      zFirewallDConfig.Getsza{sv}c Csxt|t}tjd|i}|tjjkrDxBdD]}|j|||<q,Wn&|tjjtjj gkrZntj j d|tj |ddS)Nzconfig.GetAll('%s')rr%r!r"r$r#r&r'r(r)r*r+r,zJorg.freedesktop.DBus.Error.UnknownInterface: Interface '%s' does not existZsv) signature) rr%r!r"r$r#r&r'r(r)r*r+r,) rrrrvrrIrJrrrrrZ Dictionary)rKrrretxrPrPrQrus"    zFirewallDConfig.GetAllZssv)rc Cst|t}t|t}t|}tjd||||j||tjjkr|dkrz|dkrv|jdkrvt t j d||f|dkr|tj krt t j d||f|dkr|tj krt t j d||f|d kr|jdkrt t j d||f|d kr|jdkrt t j d||f|d krF|jdkrFt t j d||f|jjj|||jjj|j|||ign|dkrntjjd|n8|tjjtjjgkrtjjd|ntjjd|dS)Nzconfig.Set('%s', '%s', '%s')r!r$r"r#r&r'r)r*r+r,rrtruefalsez '%s' for %sr%r(zDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not existzJorg.freedesktop.DBus.Error.UnknownInterface: Interface '%s' does not exist) r!r$r"r#r&r'r)r*r+r,)r!r$r"r#r&)rrrr)rrrr)rrrr)rrrr)r%r()rrrrvrrrIrJlowerrrZ INVALID_VALUEZLOG_DENIED_VALUESZFIREWALL_BACKEND_VALUESrsetwriter|rrrr)rKrrZ new_valuerrPrPrQSetsz                 zFirewallDConfig.Setzsa{sv}as)rcCs.t|t}t|}t|}tjd|||dS)Nz*config.PropertiesChanged('%s', '%s', '%s'))rrrrv)rKrZchanged_propertiesZinvalidated_propertiesrPrPrQr|s  z!FirewallDConfig.PropertiesChanged)rcs4tjdtt|j|j|jj}t||t j j S)Nzconfig.Introspect()) rZdebug2r-r Introspectr0r/Zget_busrrrIrJ)rKrdata)rOrPrQrs   zFirewallDConfig.IntrospectcCstjd|jjjjS)Nz&config.policies.getLockdownWhitelist())rrvr get_policieslockdown_whitelist export_config)rKrrPrPrQgetLockdownWhitelists z$FirewallDConfig.getLockdownWhitelistcCs@tjdt|}|jjjj||jjjj|jdS)Nz)config.policies.setLockdownWhitelist(...)) rrvrrrr import_configrr)rKrrrPrPrQsetLockdownWhitelist&s  z$FirewallDConfig.setLockdownWhitelistcCstjddS)Nz*config.policies.LockdownWhitelistUpdated())rrv)rKrPrPrQr0sz(FirewallDConfig.LockdownWhitelistUpdatedcCs^t|}tjd||j|t|j}||dkrBttj||dj ||j |dS)Nz1config.policies.addLockdownWhitelistCommand('%s')r) rrrvrrzrrrALREADY_ENABLEDrr)rKrrrrPrPrQaddLockdownWhitelistCommand7s     z+FirewallDConfig.addLockdownWhitelistCommandcCs^t|}tjd||j|t|j}||dkrBttj||dj ||j |dS)Nz4config.policies.removeLockdownWhitelistCommand('%s')r) rrrvrrzrrr NOT_ENABLEDrqr)rKrrrrPrPrQremoveLockdownWhitelistCommandDs    z.FirewallDConfig.removeLockdownWhitelistCommandbcCs$t|}tjd|||jdkS)Nz3config.policies.queryLockdownWhitelistCommand('%s')r)rrrvr)rKrrrPrPrQqueryLockdownWhitelistCommandRsz-FirewallDConfig.queryLockdownWhitelistCommandascCstjd|jdS)Nz.config.policies.getLockdownWhitelistCommands()r)rrvr)rKrrPrPrQgetLockdownWhitelistCommands[s z,FirewallDConfig.getLockdownWhitelistCommandscCs^t|}tjd||j|t|j}||dkrBttj||dj ||j |dS)Nz1config.policies.addLockdownWhitelistContext('%s')r) rrrvrrzrrrrrr)rKrrrrPrPrQaddLockdownWhitelistContextds     z+FirewallDConfig.addLockdownWhitelistContextcCs^t|}tjd||j|t|j}||dkrBttj||dj ||j |dS)Nz4config.policies.removeLockdownWhitelistContext('%s')r) rrrvrrzrrrrrqr)rKrrrrPrPrQremoveLockdownWhitelistContextqs    z.FirewallDConfig.removeLockdownWhitelistContextcCs$t|}tjd|||jdkS)Nz3config.policies.queryLockdownWhitelistContext('%s')r)rrrvr)rKrrrPrPrQqueryLockdownWhitelistContextsz-FirewallDConfig.queryLockdownWhitelistContextcCstjd|jdS)Nz.config.policies.getLockdownWhitelistContexts()r)rrvr)rKrrPrPrQgetLockdownWhitelistContextss z,FirewallDConfig.getLockdownWhitelistContextscCs^t|}tjd||j|t|j}||dkrBttj||dj ||j |dS)Nz.config.policies.addLockdownWhitelistUser('%s')) rrrvrrzrrrrrr)rKrrrrPrPrQaddLockdownWhitelistUsers     z(FirewallDConfig.addLockdownWhitelistUsercCs^t|}tjd||j|t|j}||dkrBttj||dj ||j |dS)Nz1config.policies.removeLockdownWhitelistUser('%s')r) rrrvrrzrrrrrqr)rKrrrrPrPrQremoveLockdownWhitelistUsers     z+FirewallDConfig.removeLockdownWhitelistUsercCs$t|}tjd|||jdkS)Nz0config.policies.queryLockdownWhitelistUser('%s')r)rrrvr)rKrrrPrPrQqueryLockdownWhitelistUsers z*FirewallDConfig.queryLockdownWhitelistUsercCstjd|jdS)Nz+config.policies.getLockdownWhitelistUsers()r)rrvr)rKrrPrPrQgetLockdownWhitelistUserss z)FirewallDConfig.getLockdownWhitelistUsersicCs^t|}tjd||j|t|j}||dkrBttj||dj ||j |dS)Nz+config.policies.addLockdownWhitelistUid(%d)) rrrvrrzrrrrrr)rKrrrrPrPrQaddLockdownWhitelistUids     z'FirewallDConfig.addLockdownWhitelistUidcCs^t|}tjd||j|t|j}||dkrBttj||dj ||j |dS)Nz.config.policies.removeLockdownWhitelistUid(%d)r) rrrvrrzrrrrrqr)rKrrrrPrPrQremoveLockdownWhitelistUids     z*FirewallDConfig.removeLockdownWhitelistUidcCs$t|}tjd|||jdkS)Nz-config.policies.queryLockdownWhitelistUid(%d)r)rrrvr)rKrrrPrPrQqueryLockdownWhitelistUids z)FirewallDConfig.queryLockdownWhitelistUidZaicCstjd|jdS)Nz*config.policies.getLockdownWhitelistUids()r)rrvr)rKrrPrPrQgetLockdownWhitelistUidss z(FirewallDConfig.getLockdownWhitelistUidsZaocCstjd|jS)z"list ipsets objects paths zconfig.listIPSets())rrvrR)rKrrPrPrQ listIPSetss zFirewallDConfig.listIPSetscCs4tjdg}x|jD]}|j|jjqWt|S)zget ipset names zconfig.getIPSetNames())rrvrRrrrrC)rKrrRrrPrPrQ getIPSetNamess   zFirewallDConfig.getIPSetNamesocCsFt|t}tjd|x|jD]}|jj|kr|SqWttj |dS)z-object path of ipset with given name zconfig.getIPSetByName('%s')N) rrrrvrRrrrrZ INVALID_IPSET)rKrdrrrPrPrQgetIPSetByNames     zFirewallDConfig.getIPSetByNamecCsDt|t}t|}tjd||j||jj||}|j|}|S)z/add ipset with given name and settings zconfig.addIPSet('%s'))rrrrvrrZ new_ipsetr^)rKrdrrrrrPrPrQaddIPSet s    zFirewallDConfig.addIPSetcCst|t}tjd|dS)Nzconfig.IPSetAdded('%s'))rrrrv)rKrdrPrPrQrs zFirewallDConfig.IPSetAddedcCstjd|jS)z%list icmptypes objects paths zconfig.listIcmpTypes())rrvrT)rKrrPrPrQ listIcmpTypes s zFirewallDConfig.listIcmpTypescCs4tjdg}x|jD]}|j|jjqWt|S)zget icmptype names zconfig.getIcmpTypeNames())rrvrTrrrrC)rKrrTrrPrPrQgetIcmpTypeNames(s   z FirewallDConfig.getIcmpTypeNamescCsFt|t}tjd|x|jD]}|jj|kr|SqWttj |dS)z0object path of icmptype with given name zconfig.getIcmpTypeByName('%s')N) rrrrvrTrrrrZINVALID_ICMPTYPE)rKrerrrPrPrQgetIcmpTypeByName3s     z!FirewallDConfig.getIcmpTypeByNamecCsDt|t}t|}tjd||j||jj||}|j|}|S)z2add icmptype with given name and settings zconfig.addIcmpType('%s'))rrrrvrrZ new_icmptyper_)rKrerrrrrPrPrQ addIcmpType@s    zFirewallDConfig.addIcmpTypecCstjd|dS)Nzconfig.IcmpTypeAdded('%s'))rrv)rKrerPrPrQrOszFirewallDConfig.IcmpTypeAddedcCstjd|jS)z$list services objects paths zconfig.listServices())rrvrV)rKrrPrPrQ listServicesVs zFirewallDConfig.listServicescCs4tjdg}x|jD]}|j|jjqWt|S)zget service names zconfig.getServiceNames())rrvrVrrrrC)rKrrVrrPrPrQgetServiceNames^s   zFirewallDConfig.getServiceNamescCsFt|t}tjd|x|jD]}|jj|kr|SqWttj |dS)z/object path of service with given name zconfig.getServiceByName('%s')N) rrrrvrVrrrrZINVALID_SERVICE)rKrfrrrPrPrQgetServiceByNameis     z FirewallDConfig.getServiceByNamezs(sssa(ss)asa{ss}asa(ss))cCsDt|t}t|}tjd||j||jj||}|j|}|S)z1add service with given name and settings zconfig.addService('%s'))rrrrvrrZ new_servicer`)rKrfrrrrrPrPrQ addServicevs    zFirewallDConfig.addServicezsa{sv}cCsDt|t}t|}tjd||j||jj||}|j|}|S)z1add service with given name and settings zconfig.addService2('%s'))rrrrvrrZnew_service_dictr`)rKrfrrrrrPrPrQ addService2s    zFirewallDConfig.addService2cCstjd|dS)Nzconfig.ServiceAdded('%s'))rrv)rKrfrPrPrQrszFirewallDConfig.ServiceAddedcCstjd|jS)z!list zones objects paths zconfig.listZones())rrvrX)rKrrPrPrQ listZoness zFirewallDConfig.listZonescCs4tjdg}x|jD]}|j|jjqWt|S)zget zone names zconfig.getZoneNames())rrvrXrrrrC)rKrrXrrPrPrQ getZoneNamess   zFirewallDConfig.getZoneNamescCsFt|t}tjd|x|jD]}|jj|kr|SqWttj |dS)z,object path of zone with given name zconfig.getZoneByName('%s')N) rrrrvrXrrrrZ INVALID_ZONE)rKrgrrrPrPrQ getZoneByNames     zFirewallDConfig.getZoneByNamecCszt|t}tjd|g}x(|jD]}||jjkr"|j|jjq"Wt |dkrjdj |d|t |fS|rv|dSdS)z4name of zone the given interface belongs to zconfig.getZoneOfInterface('%s')r zE (ERROR: interface '%s' is in %s zone XML files, can be only in one)rrs) rrrrvrXrZ interfacesrrrkjoin)rKZifacerrrrPrPrQgetZoneOfInterfaces     z"FirewallDConfig.getZoneOfInterfacecCszt|t}tjd|g}x(|jD]}||jjkr"|j|jjq"Wt |dkrjdj |d|t |fS|rv|dSdS)z1name of zone the given source belongs to zconfig.getZoneOfSource('%s')rrzB (ERROR: source '%s' is in %s zone XML files, can be only in one)rrs) rrrrvrXrZsourcesrrrkr)rKsourcerrrrPrPrQgetZoneOfSources     zFirewallDConfig.getZoneOfSourcez's(sssbsasa(ss)asba(ssss)asasasasa(ss)b)cCsht|t}t|}tjd||j||ddkrLt|}t|d<t|}|jj ||}|j |}|S)z.add zone with given name and settings zconfig.addZone('%s')default) rrrrvrrzrtuplerZnew_zonera)rKrgrrZ _settingsrrrPrPrQaddZones     zFirewallDConfig.addZonecCs`t|t}t|}tjd||j|d|krD|ddkrDt|d<|jj||}|j|}|S)z.add zone with given name and settings zconfig.addZone('%s')targetr) rrrrvrrrZ new_zone_dictra)rKrgrrrrrPrPrQaddZone2s    zFirewallDConfig.addZone2cCstjd|dS)Nzconfig.ZoneAdded('%s'))rrv)rKrgrPrPrQrszFirewallDConfig.ZoneAddedcCstjd|jS)z$list policies objects paths zconfig.listPolicies())rrvr\)rKrrPrPrQ listPoliciess zFirewallDConfig.listPoliciescCs4tjdg}x|jD]}|j|jjqWt|S)zget policy names zconfig.getPolicyNames())rrvr\rrrrC)rKrZpoliciesrrPrPrQgetPolicyNamess   zFirewallDConfig.getPolicyNamescCsFt|t}tjd|x|jD]}|jj|kr|SqWttj |dS)z.object path of policy with given name zconfig.getPolicyByName('%s')N) rrrrvr\rrrrZINVALID_POLICY)rKrirrrPrPrQgetPolicyByName"s     zFirewallDConfig.getPolicyByNamecCsDt|t}t|}tjd||j||jj||}|j|}|S)z0add policy with given name and settings zconfig.addPolicy('%s'))rrrrvrrZnew_policy_object_dictrc)rKrirrrrrPrPrQ addPolicy/s    zFirewallDConfig.addPolicycCstjd|dS)Nzconfig.PolicyAdded('%s'))rrv)rKrirPrPrQr>szFirewallDConfig.PolicyAddedcCstjd|jS)z#list helpers objects paths zconfig.listHelpers())rrvrZ)rKrrPrPrQ listHelpersGs zFirewallDConfig.listHelperscCs4tjdg}x|jD]}|j|jjqWt|S)zget helper names zconfig.getHelperNames())rrvrZrrrrC)rKrrZrrPrPrQgetHelperNamesOs   zFirewallDConfig.getHelperNamescCsFt|t}tjd|x|jD]}|jj|kr|SqWttj |dS)z.object path of helper with given name zconfig.getHelperByName('%s')N) rrrrvrZrrrrZINVALID_HELPER)rKrhrrrPrPrQgetHelperByNameZs     zFirewallDConfig.getHelperByNamecCsDt|t}t|}tjd||j||jj||}|j|}|S)z0add helper with given name and settings zconfig.addHelper('%s'))rrrrvrrZ new_helperrb)rKrhrrrrrPrPrQ addHelpergs    zFirewallDConfig.addHelpercCst|t}tjd|dS)Nzconfig.HelperAdded('%s'))rrrrv)rKrhrPrPrQrvs zFirewallDConfig.HelperAddedcCstjd|jjjS)Nzconfig.direct.getSettings())rrvr get_directr)rKrrPrPrQrs zFirewallDConfig.getSettingscCs<tjdt|}|jjj||jjj|jdS)Nzconfig.direct.update())rrvrrrrrr)rKrrrPrPrQrrs  zFirewallDConfig.updatecCstjddS)Nzconfig.direct.Updated())rrv)rKrPrPrQrszFirewallDConfig.UpdatedZssscCst|}t|}t|}tjd|||f|j|t|||f}t|j}||dkrrttj d|||f|dj ||j |dS)Nz(config.direct.addChain('%s', '%s', '%s')rz chain '%s' already is in '%s:%s') rrrvrrrzrrrrrrr)rKipvtablechainridxrrPrPrQaddChains   zFirewallDConfig.addChaincCst|}t|}t|}tjd|||f|j|t|||f}t|j}||dkrrttj d|||f|dj ||j |dS)Nz+config.direct.removeChain('%s', '%s', '%s')rzchain '%s' is not in '%s:%s') rrrvrrrzrrrrrqrr)rKrrrrrrrPrPrQ removeChains    zFirewallDConfig.removeChaincCsJt|}t|}t|}tjd|||ft|||f}||jdkS)Nz*config.direct.queryChain('%s', '%s', '%s')r)rrrvrr)rKrrrrrrPrPrQ queryChainszFirewallDConfig.queryChaincCsft|}t|}tjd||fg}x:|jdD]*}|d|kr4|d|kr4|j|dq4W|S)Nz#config.direct.getChains('%s', '%s')rrr)rrrvrr)rKrrrrrrPrPrQ getChainsszFirewallDConfig.getChainsrsza(sss)cCstjd|jdS)Nzconfig.direct.getAllChains()r)rrvr)rKrrPrPrQ getAllChainss zFirewallDConfig.getAllChainsZsssiasc Cst|}t|}t|}t|}t|}tjd||||dj|f|j||||||f}t|j}||dkrttj d||||f|dj ||j t |dS)Nz1config.direct.addRule('%s', '%s', '%s', %d, '%s')z','rz"rule '%s' already is in '%s:%s:%s') rrrvrrrzrrrrrrrr) rKrrrpriorityrLrrrrPrPrQaddRules    zFirewallDConfig.addRulec Cst|}t|}t|}t|}t|}tjd||||dj|f|j||||||f}t|j}||dkrttj d||||f|dj ||j t |dS)Nz4config.direct.removeRule('%s', '%s', '%s', %d, '%s')z','rzrule '%s' is not in '%s:%s:%s') rrrvrrrzrrrrrqrrr) rKrrrrrLrrrrPrPrQ removeRules    zFirewallDConfig.removeRulecCsdt|}t|}t|}t|}t|}tjd||||dj|f|||||f}||jdkS)Nz3config.direct.queryRule('%s', '%s', '%s', %d, '%s')z','r)rrrvrr)rKrrrrrLrrrPrPrQ queryRule szFirewallDConfig.queryRulecCst|}t|}t|}tjd|||f|j|t|j}xF|dddD]2}|||f|d|d|dfkrT|dj|qTW|jt|dS)Nz+config.direct.removeRules('%s', '%s', '%s')rrr) rrrvrrzrrqrrr)rKrrrrrZrulerPrPrQ removeRuless   zFirewallDConfig.removeRulesza(ias)cCst|}t|}t|}tjd|||fg}xN|jdD]>}|d|kr>|d|kr>|d|kr>|j|d|dfq>W|S)Nz(config.direct.getRules('%s', '%s', '%s')rrrrr)rrrvrr)rKrrrrrrrPrPrQgetRules)s$zFirewallDConfig.getRulesz a(sssias)cCstjd|jdS)Nzconfig.direct.getAllRules()r)rrvr)rKrrPrPrQ getAllRules8s zFirewallDConfig.getAllRulesZsascCst|}t|}tjd|dj|f|j|||f}t|j}||dkrfttj d||f|dj ||j |dS)Nz(config.direct.addPassthrough('%s', '%s')z','rzpassthrough '%s', '%s') rrrvrrrzrrrrrrr)rKrrLrrrrPrPrQaddPassthroughAs   zFirewallDConfig.addPassthroughcCst|}t|}tjd|dj|f|j|||f}t|j}||dkrfttj d||f|dj ||j |dS)Nz+config.direct.removePassthrough('%s', '%s')z','rzpassthrough '%s', '%s') rrrvrrrzrrrrrqrr)rKrrLrrrrPrPrQremovePassthroughSs   z!FirewallDConfig.removePassthroughcCs@t|}t|}tjd|dj|f||f}||jdkS)Nz*config.direct.queryPassthrough('%s', '%s')z','r)rrrvrr)rKrrLrrrPrPrQqueryPassthroughds z FirewallDConfig.queryPassthroughZaascCsNt|}tjd|g}x.|jdD]}|d|kr(|j|dq(W|S)Nz#config.direct.getPassthroughs('%s')rrr)rrrvrr)rKrrrrrPrPrQgetPassthroughsos zFirewallDConfig.getPassthroughsza(sas)cCstjd|jdS)Nz"config.direct.getAllPassthroughs()r)rrvr)rKrrPrPrQgetAllPassthroughs{s z"FirewallDConfig.getAllPassthroughs)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)N)__name__ __module__ __qualname____doc__Z persistentrrIZPK_ACTION_CONFIGZdefault_polkit_auth_requiredrr.r1rjror2r_rrr`rrrarrrcrrr^rrrbrrrrrrr ZPROPERTIES_IFACErruslipZpolkitZ require_authrrfsignalr|ZPK_ACTION_INFOZINTROSPECTABLE_IFACErrrZDBUS_SIGNATURErrrrrrrrrrrrrrrrrrrrJrrrrrrrrrrrrrrrrrrrrrrrrr rr r r r rrrrrrrrrrrrrrrrrrrrrr r!r"r#r$r%r&r' __classcell__rPrP)rOrQr>sv.            D ! D                                     r):Z gi.repositoryrsysmodulesrArIZ dbus.serviceZ slip.dbusr,Zslip.dbus.serviceZfirewallrZfirewall.core.baserZfirewall.core.watcherrZfirewall.core.loggerrZfirewall.server.decoratorsrrr Zfirewall.server.config_icmptyper Zfirewall.server.config_servicer Zfirewall.server.config_zoner Zfirewall.server.config_policyr Zfirewall.server.config_ipsetrZfirewall.server.config_helperrZfirewall.core.io.icmptyperZfirewall.core.io.ipsetrZfirewall.core.io.helperrZ#firewall.core.io.lockdown_whitelistrZfirewall.core.io.directrZfirewall.dbus_utilsrrrrrrrrZfirewall.errorsrrfZObjectrrPrPrPrQs6                 $