3 M f]8@sDddlZddlTddlZddlZdZGdddZGdddZdS)N)*z0.1c@s eZdZdZddZddZdS)SchemaValidatorz+Libnftables JSON validator using jsonschemac CsJtjjtjjtd}t|d}tj||_WdQRXddl }||_ dS)Nz schema.jsonrr) ospathjoindirname__file__openjsonloadschema jsonschema)selfZ schema_pathZ schema_filerr/usr/lib/python3.6/nftables.py__init__s  zSchemaValidator.__init__cCs|jj||jddS)N)instancer )rvalidater )rr rrrr"szSchemaValidator.validateN)__name__ __module__ __qualname____doc__rrrrrrrsrc @sPeZdZdZdddddddd ZdWdXdYdZd[d\d]d^d_d`dadbd ZdZdcddZddZddZ ddZ ddZ dd Z d!d"Z d#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-d.Zd/d0Zd1d2Zd3d4Zd5d6Zd7d8Zd9d:Zd;d<Zd=d>Zd?d@ZdAdBZdCdDZdEdFZdGdHZ dIdJZ!dKdLZ"dMdNZ#dOdPZ$dQdRZ%dSdTZ&dUdVZ'dS)dNftablesz*A class representing libnftables interface @)scannerparserevalZnetlinkZmnlz proto-ctxZsegtreer ) reversednsservice statelesshandler echoguid numeric_proto numeric_prionumeric_symbol numeric_timeterseNlibnftables.so.1.1.0cCs>tj|}|j|_t|j_tg|j_|j|_t|j_tg|j_|j |_ ttg|j _|j |_ t|j _tg|j _|j |_ ttg|j _|j |_ t|j _tg|j _|j |_ t|j _tg|j _|j|_t|j_tg|j_|j|_t|j_tg|j_|j|_t|j_ttg|j_|j|_tg|j_|jd|_|j |j|j|jdS)alInstantiate a new Nftables class object. Accepts a shared object file to open, by default standard search path is searched for a file named 'libnftables.so'. After loading the library using ctypes module, a new nftables context is requested from the library and buffering of output and error streams is turned on. rN)ZcdllZ LoadLibraryZ nft_ctx_newZc_void_pZrestypeZc_intZargtypesnft_ctx_output_get_flagsZc_uintnft_ctx_output_set_flagsnft_ctx_output_get_debugnft_ctx_output_set_debugZnft_ctx_buffer_outputnft_ctx_get_output_bufferZc_char_pZnft_ctx_buffer_errornft_ctx_get_error_buffernft_run_cmd_from_buffer nft_ctx_free_Nftables__ctx)rZsofilelibrrrrCsD              zNftables.__init__cCs|j|jdS)N)r>r?)rrrr__del__szNftables.__del__cCs|j|}|j|j|@S)N) output_flagsr7r?)rnameflagrrrZ__get_output_flags zNftables.__get_output_flagcCsD|j|}|j|j}|r$||B}n ||@}|j|j|||@S)N)rBr7r?r8)rrCvalrDflagsZ new_flagsrrrZ__set_output_flags    zNftables.__set_output_flagcCs |jdS)zGet the current state of reverse DNS output. Returns a boolean indicating whether reverse DNS lookups are performed for IP addresses in output. r+)_Nftables__get_output_flag)rrrrget_reversedns_outputszNftables.get_reversedns_outputcCs |jd|S)zEnable or disable reverse DNS output. Accepts a boolean turning reverse DNS lookups in output on or off. Returns the previous value. r+)_Nftables__set_output_flag)rrErrrset_reversedns_outputszNftables.set_reversedns_outputcCs |jdS)zGet the current state of service name output. Returns a boolean indicating whether service names are used for port numbers in output or not. r,)rG)rrrrget_service_outputszNftables.get_service_outputcCs |jd|S)zEnable or disable service name output. Accepts a boolean turning service names for port numbers in output on or off. Returns the previous value. r,)rI)rrErrrset_service_outputszNftables.set_service_outputcCs |jdS)zGet the current state of stateless output. Returns a boolean indicating whether stateless output is active or not. r-)rG)rrrrget_stateless_outputszNftables.get_stateless_outputcCs |jd|S)zEnable or disable stateless output. Accepts a boolean turning stateless output either on or off. Returns the previous value. r-)rI)rrErrrset_stateless_outputszNftables.set_stateless_outputcCs |jdS)z~Get the current state of handle output. Returns a boolean indicating whether handle output is active or not. r.)rG)rrrrget_handle_outputszNftables.get_handle_outputcCs |jd|S)zEnable or disable handle output. Accepts a boolean turning handle output on or off. Returns the previous value. r.)rI)rrErrrset_handle_outputszNftables.set_handle_outputcCs |jdS)zzGet the current state of JSON output. Returns a boolean indicating whether JSON output is active or not. r )rG)rrrrget_json_outputszNftables.get_json_outputcCs |jd|S)zEnable or disable JSON output. Accepts a boolean turning JSON output either on or off. Returns the previous value. r )rI)rrErrrset_json_outputszNftables.set_json_outputcCs |jdS)zzGet the current state of echo output. Returns a boolean indicating whether echo output is active or not. r/)rG)rrrrget_echo_outputszNftables.get_echo_outputcCs |jd|S)zEnable or disable echo output. Accepts a boolean turning echo output on or off. Returns the previous value. r/)rI)rrErrrset_echo_outputszNftables.set_echo_outputcCs |jdS)zGet the current state of GID/UID output. Returns a boolean indicating whether names for group/user IDs are used in output or not. r0)rG)rrrrget_guid_outputszNftables.get_guid_outputcCs |jd|S)zEnable or disable GID/UID output. Accepts a boolean turning names for group/user IDs on or off. Returns the previous value. r0)rI)rrErrrset_guid_outputszNftables.set_guid_outputcCs |jdS)ztGet current status of numeric protocol output flag. Returns a boolean value indicating the status. r1)rG)rrrrget_numeric_proto_outputsz!Nftables.get_numeric_proto_outputcCs |jd|S)zSet numeric protocol output flag. Accepts a boolean turning numeric protocol output either on or off. Returns the previous value. r1)rI)rrErrrset_numeric_proto_output sz!Nftables.set_numeric_proto_outputcCs |jdS)zzGet current status of numeric chain priority output flag. Returns a boolean value indicating the status. r2)rG)rrrrget_numeric_prio_outputsz Nftables.get_numeric_prio_outputcCs |jd|S)zSet numeric chain priority output flag. Accepts a boolean turning numeric chain priority output either on or off. Returns the previous value. r2)rI)rrErrrset_numeric_prio_outputsz Nftables.set_numeric_prio_outputcCs |jdS)zsGet current status of numeric symbols output flag. Returns a boolean value indicating the status. r3)rG)rrrrget_numeric_symbol_output%sz"Nftables.get_numeric_symbol_outputcCs |jd|S)zSet numeric symbols output flag. Accepts a boolean turning numeric representation of symbolic constants in output either on or off. Returns the previous value. r3)rI)rrErrrset_numeric_symbol_output,sz"Nftables.set_numeric_symbol_outputcCs |jdS)zqGet current status of numeric times output flag. Returns a boolean value indicating the status. r4)rG)rrrrget_numeric_time_output6sz Nftables.get_numeric_time_outputcCs |jd|S)zSet numeric times output flag. Accepts a boolean turning numeric representation of time values in output either on or off. Returns the previous value. r4)rI)rrErrrset_numeric_time_output=sz Nftables.set_numeric_time_outputcCs |jdS)z|Get the current state of terse output. Returns a boolean indicating whether terse output is active or not. r5)rG)rrrrget_terse_outputGszNftables.get_terse_outputcCs |jd|S)zEnable or disable terse output. Accepts a boolean turning terse output either on or off. Returns the previous value. r5)rI)rrErrrset_terse_outputNszNftables.set_terse_outputcCsV|j|j}g}x2|jjD]$\}}||@r|j|||M}qW|rR|j||S)zmGet currently active debug flags. Returns a set of flag names. See set_debug() for details. )r9r? debug_flagsitemsappend)rrEnamesnvrrr get_debugWs   zNftables.get_debugcCs`|j}t|ttgkr|g}d}x*|D]"}t|tkrB|j|}||O}q(W|j|j||S)aSet debug output flags. Accepts either a single flag or a set of flags. Each flag might be given either as string or integer value as shown in the following table: Name | Value (hex) ----------------------- scanner | 0x1 parser | 0x2 eval | 0x4 netlink | 0x8 mnl | 0x10 proto-ctx | 0x20 segtree | 0x40 Returns a set of previously active debug flags, as returned by get_debug() method. r)rgtypestrintrar:r?)rvaluesoldrErfrrr set_debughs    zNftables.set_debugcCsdd}t|tsd}|jd}|j|j|}|j|j}|j|j}|rZ|jd}|jd}|||fS)aRun a simple nftables command via libnftables. Accepts a string containing an nftables command just like what one would enter into an interactive nftables (nft -i) session. Returns a tuple (rc, output, error): rc -- return code as returned by nft_run_cmd_from_buffer() fuction output -- a string containing output written to stdout error -- a string containing output written to stderr FTzutf-8) isinstancebytesencoder=r?r;r<decode)rZcmdlineZcmdline_is_unicodercoutputerrorrrrcmds       z Nftables.cmdcCsJ|jd}|jtj|\}}}|s.|j|t|r@tj|}|||fS)aiRun an nftables command in JSON syntax via libnftables. Accepts a hash object as input. Returns a tuple (rc, output, error): rc -- return code as returned by nft_run_cmd_from_buffer() function output -- a hash object containing library standard output error -- a string containing output written to stderr T)rRrur dumpslenloads)r json_rootZ json_out_oldrrrsrtrrrjson_cmds   zNftables.json_cmdcCs|jst|_|jj|dS)zValidate JSON object against libnftables schema. Accepts a hash object as input. Returns True if JSON is valid, raises an exception otherwise. T) validatorrr)rryrrr json_validates zNftables.json_validaterrrrrrr iii)r6)(rrrrrarBr{rrArGrIrHrJrKrLrMrNrOrPrQrRrSrTrUrVrWrXrYrZr[r\r]r^r_r`rgrmrurzr|rrrrr%sl <             #r)r ZctypessysrZNFTABLES_VERSIONrrrrrrs