3 @)f^@sfdZdgZddlZddlmZddlmZddlmZddl m Z m Z m Z m Z mZGdddeZdS) zZd?d@Z dgdAfdBdCZ!dgfdDdEZ"dgfdFdGZ#dHdIZ$dJdKZ%dLdMZ&dNdOZ'dPdQZ(dRdSZ)dTdUZ*dVdWZ+dXdYZ,dZd[Z-dS)nrFcCs||_||_d|_d|_dS)NT)quietverbose'_FirewallCommand__use_exception_handlerfw)selfr r r/usr/lib/python3.6/command.py__init__#szFirewallCommand.__init__cCs ||_dS)N)r)rrrrrset_fw)szFirewallCommand.set_fwcCs ||_dS)N)r )rflagrrr set_quiet,szFirewallCommand.set_quietcCs|jS)N)r )rrrr get_quiet/szFirewallCommand.get_quietcCs ||_dS)N)r )rrrrr set_verbose2szFirewallCommand.set_verbosecCs|jS)N)r )rrrr get_verbose5szFirewallCommand.get_verboseNcCs$|dk r |j r tjj|ddS)N )r sysstdoutwrite)rmsgrrr print_msg8szFirewallCommand.print_msgcCs$|dk r |j r tjj|ddS)Nr)r rstderrr)rrrrrprint_error_msg<szFirewallCommand.print_error_msgcCs,d}d}tjjr|||}|j|dS)Nzz)rrisattyr )rrZFAILZENDrrr print_warning@s   zFirewallCommand.print_warningrcCs,|dkr|j|n |j|tj|dS)N)r"rrexit)rrZ exit_coderrrprint_and_exitGs  zFirewallCommand.print_and_exitcCs|j|ddS)N)r%)rrrrrfailRszFirewallCommand.failcCs"|dk r|jrtjj|ddS)Nr)r rrr)rrrrrprint_if_verboseUsz FirewallCommand.print_if_verbosec Cs|jdk r|jjg} d} g} x|D]} |dk ry || } Wnxtk r}z\tjt|}t|dkrz|jd|n|jd|||| kr| j || d7} w&WYdd}~XnX| j | q&Wxb| D]X} g}|dk r||7}t | t  ot | t  r|j | n|| 7}|dk r(||7}|j y ||Wnttfk r}zt |trx|j|j|j}nt|}tj|}|tjtjtjtjgkrd}t|dkr|jd|n,|dkr|jd|dS|jd|||| kr| j || d7} WYdd}~XnX|jqW| st|| ksJd| krNdSt| dkrltj| dnt| dkrtjtjdS)Nrr#z Warning: %sz Error: %s)rZ authorizeAll Exceptionrget_codestrlenr"r%append isinstancelisttupledeactivate_exception_handlerrfail_if_not_authorized get_dbus_nameget_dbus_messagerALREADY_ENABLED NOT_ENABLEDZONE_ALREADY_SET ALREADY_SETactivate_exception_handlerrr$Z UNKNOWN_ERROR)rZcmd_typeoption action_method query_method parse_methodmessage start_argsend_argsno_exititemsZ_errorsZ _error_codesitemrcode call_itemrrrZ__cmd_sequenceYsr                 zFirewallCommand.__cmd_sequencec Cs|jd||||||ddS)Nadd)rA)_FirewallCommand__cmd_sequence)rr:r;r<r=r>rArrr add_sequences zFirewallCommand.add_sequencec Cs |jd||||||g|ddS)NrF)r?rA)rG)rxr:r;r<r=r>rArrrx_add_sequences zFirewallCommand.x_add_sequencec Cs$|jd||||||g|g|d dS)NrF)r?r@rA)rG) rzoner:r;r<r=r>ZtimeoutrArrrzone_add_timeout_sequences z)FirewallCommand.zone_add_timeout_sequencec Cs|jd||||||ddS)Nremove)rA)rG)rr:r;r<r=r>rArrrremove_sequences zFirewallCommand.remove_sequencec Cs |jd||||||g|ddS)NrM)r?rA)rG)rrIr:r;r<r=r>rArrrx_remove_sequences z!FirewallCommand.x_remove_sequencec Csg}x|D]}|dk ry ||}Wn^tk r} zBt|dkrR|jd| w ntjt| } |jd| | WYdd} ~ XnX|j|q Wxv|D]l}g} |dk r| |7} t|t  rt|t  r| j|n| |7} |j y || } Wnt k rj} zZ|j | jtj| j} t|dkrF|jd| jwn|jd| j| WYdd} ~ Xn`tk r} zBtjt| } t|dkr|jd| n|jd| | WYdd} ~ XnX|jt|dkr|jd||d| fq|j| qW|stjddS) Nr#z Warning: %sz Error: %sz%s: %snoyesr)rPrQ)r)r,r"rr*r+r%r-r.r/r0r1rr2r3r4r9rprint_query_resultrr$) rr:r<r=r>r?rArBrCrrDrEresrrrZ__query_sequencesR   "  "z FirewallCommand.__query_sequencecCs|j|||||ddS)N)rA) _FirewallCommand__query_sequence)rr:r<r=r>rArrrquery_sequences zFirewallCommand.query_sequencecCs|j|||||g|ddS)N)r?rA)rT)rrIr:r<r=r>rArrrx_query_sequences z FirewallCommand.x_query_sequencecCsJt| rFt| rFt| rF|jdo2t|dk rFttjd||S)Nzipset:z8'%s' is no valid IPv4, IPv6 or MAC address, nor an ipset)rrr startswithr,rr INVALID_ADDR)rvaluerrr parse_sources   zFirewallCommand.parse_source/c Csly|j|\}}Wn$tk r6ttjd|YnXt|sLttj||dkrdttjd|||fS)NzTbad port (most likely missing protocol), correct syntax is portid[-portid]%sprotocoltcpudpsctpdccpz''%s' not in {'tcp'|'udp'|'sctp'|'dccp'})r]r^r_r`)split ValueErrorrr INVALID_PORTr INVALID_PROTOCOL)rrZZ separatorportprotorrr parse_ports zFirewallCommand.parse_portc Csd}d}d}d}d}xd||dkr||djddd}|t|d7}d||dkrx||djddd} n ||d} |t| d7}|dkr| }q|dkr| }q|dkr| }q|dkr| }q|d kr|rqttjd |qW|sttjd |sttjd |p|s*ttjd t|s@ttj||dkrZttjd||rxt| rxttj||rtd| r|std| rttj |||||fS)Nr=r#:rerftoporttoaddrifzinvalid forward port arg '%s'z missing portzmissing protocolzmissing destinationr]r^r_r`z''%s' not in {'tcp'|'udp'|'sctp'|'dccp'}ipv4ipv6)r]r^r_r`) rar,rrZINVALID_FORWARDr rcrdr rY) rrZcompatreZprotocolrjrkioptvalrrrparse_forward_portsT           z"FirewallCommand.parse_forward_portcCsF|jd}t|dkr"|ddfSt|dkr2|Sttjd|dS)Nrhr#rr&zinvalid ipset option '%s')rar,rrZINVALID_OPTION)rrZargsrrrparse_ipset_optionHs    z"FirewallCommand.parse_ipset_optioncCs.ddg}||kr*ttjd|dj|f|S)Nrmrnz'invalid argument: %s (choose from '%s')z', ')rr INVALID_IPVjoin)rrZipvsrrrcheck_destination_ipvRs z%FirewallCommand.check_destination_ipvc CsDy|jdd\}}Wn tk r4ttjdYnX|j||fS)Nrir#z(destination syntax is ipv:address[/mask])rarbrrZINVALID_DESTINATIONrz)rrZZipvZ destinationrrrparse_service_destinationZs  z)FirewallCommand.parse_service_destinationcCs0dddg}||kr,ttjd|dj|f|S)NrmrnZebz'invalid argument: %s (choose from '%s')z', ')rrrwrx)rrZryrrr check_ipvbs  zFirewallCommand.check_ipvcCs0dddg}||kr,ttjd|dj|f|S)Nrtrmrnz'invalid argument: %s (choose from '%s')z', ')rrrwrx)rrZryrrrcheck_helper_familyjs  z#FirewallCommand.check_helper_familycCsB|jdsttjd|t|jdddkr>ttjd||S)NZ nf_conntrack_z('%s' does not start with 'nf_conntrack_'rtr#zModule name '%s' too short)rXrrZINVALID_MODULEr,replace)rrZrrr check_modulers   zFirewallCommand.check_moduleTcCs|j}|j}|j}|j} |j} |j} |j} |j} |j}|j }|j }|rv|j }|j }|j }n,|j}tt|j|}|j}|j}dd}g}|dk r||kr|jd| r|s|s|r|r|r|jd|r|ddj|}|j||jr2|jd||jd||rJ|jd t||jd ||sv|jd |rnd nd |r|jddj||jddj|n(|jddj||jddj||jddjt||jddjdd|D|jddjt| |s:|jd|r2d nd |jd| rJd nd |jd| rbdnddjdd| D|jddjdd| D|jd dj| |jd!|rdnddjt||d"dS)#NcSsfd}d}y|j|}Wntk r*Yn8X|t|7}t|||||djdjdd}|S)Nrz priority= "rt)indexrbr,intr~)ZrulepriorityZ search_strrprrrrich_rule_sorted_keys *zDFirewallCommand.print_zone_policy_info..rich_rule_sorted_keydefaultZactivez (%s)z, z summary: z description: z priority: z target: z icmp-block-inversion: %srQrPz ingress-zones: rz egress-zones: z interfaces: z sources: z services: z ports: cSs g|]}d|d|dfqS)z%s/%srr#r).0rerrr sz:FirewallCommand.print_zone_policy_info..z protocols: z forward: %sz masquerade: %sz forward-ports: z rtcSs$g|]\}}}}d||||fqS)z$port=%s:proto=%s:toport=%s:toaddr=%sr)rrerfrjrkrrrrsz source-ports: cSs g|]}d|d|dfqS)z%s/%srr#r)rrerrrrsz icmp-blocks: z rich rules: )key)Z getTargetZ getServicesgetPorts getProtocolsZ getMasqueradeZgetForwardPortsgetSourcePortsZ getIcmpBlocksZ getRichRulesgetDescriptiongetShortZgetIngressZonesZgetEgressZonesZ getPriorityZgetIcmpBlockInversionsortedsetZ getInterfacesZ getSourcesZ getForwardr-rxrr r+)rrKsettings default_zoneextra_interfacesisPolicytargetZservicesports protocolsZ masqueradeZ forward_ports source_portsZ icmp_blocksZrules descriptionshort_descriptionZ ingress_zonesZ egress_zonesrZicmp_block_inversionZ interfacesZsourcesZforwardrZ attributesrrrprint_zone_policy_info|sx        z&FirewallCommand.print_zone_policy_infocCs|j||||dddS)NF)rrr)r)rrKrrrrrrprint_zone_infoszFirewallCommand.print_zone_infocCs|j||||dddS)NT)rrr)r)rZpolicyrrrrrrprint_policy_infosz!FirewallCommand.print_policy_infoc Cs.|j}|j}|j}|j}|j}|j}|j} |j} |j} |j ||j rt|j d| |j d||j ddj dd|D|j ddj ||j ddj d d|D|j d dj ||j d dj d d|j D|j d dj t | |j ddj t | dS)Nz summary: z description: z ports: rcSs g|]}d|d|dfqS)z%s/%srr#r)rrerrrrsz6FirewallCommand.print_service_info..z protocols: z source-ports: cSs g|]}d|d|dfqS)z%s/%srr#r)rrerrrrsz modules: z destination: cSsg|]\}}d||fqS)z%s:%sr)rkvrrrrsz includes: z helpers: )rrrZ getModulesrgetDestinationsrZ getIncludesZ getHelpersrr rxrBr) rZservicerrrrmodulesr destinationsrZincludesZhelpersrrrprint_service_infos2   z"FirewallCommand.print_service_infocCsp|j}|j}|j}t|dkr,ddg}|j||jrX|jd||jd||jddj|dS)Nrrmrnz summary: z description: z destination: r)rrrr,rr rx)rZicmptyperrrrrrrprint_icmptype_infos  z#FirewallCommand.print_icmptype_infocCs|j}|j}|j}|j}|j}|j||jrT|jd||jd||jd||jddjdd|jD|jddj|dS) Nz summary: z description: z type: z options: rcSs$g|]\}}|rd||fn|qS)z%s=%sr)rrrrrrrsz4FirewallCommand.print_ipset_info..z entries: ) ZgetTypeZ getOptionsZ getEntriesrrrr rxrB)rZipsetrZ ipset_typeZoptionsentriesrrrrrprint_ipset_infos z FirewallCommand.print_ipset_infocCs|j}|j}|j}|j}|j}|j||jrT|jd||jd||jd||jd||jddjdd|DdS) Nz summary: z description: z family: z module: z ports: rcSs g|]}d|d|dfqS)z%s/%srr#r)rrerrrrsz5FirewallCommand.print_helper_info..)rZ getModuleZ getFamilyrrrr rx)rhelperrrmoduleZfamilyrrrrrprint_helper_infos z!FirewallCommand.print_helper_infocCs |r|jdn |jdddS)NrQrPr#)r%)rrZrrrrRs z"FirewallCommand.print_query_resultcCs\|js|j|tjt|}|tjtjtjtj gkrH|j d|n|j d||dS)Nz Warning: %sz Error: %s) r r2rr*r+rr5r6r7r8r"r%)rexception_messagerDrrrexception_handlers  z!FirewallCommand.exception_handlercCsd|krd}|j|tjdS)NZNotAuthorizedExceptionz`Authorization failed. Make sure polkit agent is running or run the application as superuser.)r%rZNOT_AUTHORIZED)rrrrrrr2'sz&FirewallCommand.fail_if_not_authorizedcCs d|_dS)NF)r )rrrrr1-sz,FirewallCommand.deactivate_exception_handlercCs d|_dS)NT)r )rrrrr90sz*FirewallCommand.activate_exception_handlercCspg}t}t|}xP|D]H}|s"P|j}t|dks|ddkrDq||kr|j||j|qW|j|S)Nr#r#;)rr)ropenstripr,r-rFclose)rfilenamerZ entries_setflinerrrget_ipset_entries_from_file3s  z+FirewallCommand.get_ipset_entries_from_file)FF)N)N)N)Nr)N)N)NNF)F)F)F)F)F)NF)F)F)r\)F).__name__ __module__ __qualname__rrrrrrrr r"r%r'r(rGrHrJrLrNrOrTrUrVr[rgrsrvrzr{r|r}rrrrrrrrrRrr2r1r9rrrrrr"sX       J      2    2  O  )__doc____all__rZfirewallrZfirewall.errorsrZdbus.exceptionsrZfirewall.functionsrrrr r objectrrrrrs