3 @)f@sdgZddlZddlZddlZddlZddlZddlmZddlm Z ddl m Z ddl m Z ddl m Z ddl mZdd l mZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddl m!Z!ddl"m#Z#ddl$m%Z%m&Z&ddl'm(Z(ddl)m*Z*ddl+m,Z,ddl-m.Z.ddl/m0Z0ddl1m2Z2m3Z3ddl4m5Z5ddl6m7Z7ddl8m9Z9ddl:m;Z;ddlmZ>Gd!dde?Z@dS)"FirewallN)config) functions) ipXtables)ebtables)nftables)ipset)modules)FirewallIcmpType)FirewallService) FirewallZone)FirewallDirect)FirewallConfig)FirewallPolicies) FirewallIPSet)FirewallTransaction)FirewallHelper)FirewallPolicy)nm_get_bus_namenm_get_interfaces_in_zone)log)firewalld_conf)Direct)service_reader)icmptype_reader) zone_readerZone) ipset_reader) IPSET_TYPES) helper_reader) policy_reader)errors) FirewallErrorc@seZdZdeddZddZddZdd Zd d Zdfd d ZddZ dgddZ ddZ ddZ ddZ ddZddZddZddZd d!Zd"d#Zd$d%Zd&d'Zdhd)d*Zdid+d,Zd-d.Zdjd/d0Zdkd1d2Zdld3d4Zd5d6Zd7d8Zd9d:Zd;d<Zd=d>Z d?d@Z!dAdBZ"dCdDZ#dEdFZ$dGdHZ%dIdJZ&dKdLZ'dMdNZ(dmdOdPZ)dQdRZ*dSdTZ+dUdVZ,dWdXZ-dYdZZ.d[d\Z/d]d^Z0d_d`Z1dadbZ2dcddZ3d(S)nrFcCsttj|_||_|jr>d|_d|_d|_d|_t |_ d|_ nrt j ||_d|_g|_t j||_d|_g|_tj|_d|_tj|_d|_g|_ tj||_d|_ tj|_t||_t||_t||_ t!||_"t#||_t$|_%t&||_t'||_(t)||_*|j+dS)NFT),rrFIREWALLD_CONF_firewalld_conf_offlineip4tables_enabledip6tables_enabledebtables_enabled ipset_enabledripset_supported_typesnftables_enabledr ip4tablesip4tables_backendipv4_supported_icmp_types ip6tablesip6tables_backendipv6_supported_icmp_typesrebtables_backendr ipset_backendrnftables_backendr modules_backendr icmptyper servicer zoner directrrpoliciesrrhelperrpolicy_Firewall__init_vars)selfZoffliner?/usr/lib/python3.6/fw.py__init__CsB               zFirewall.__init__cCsDd|j|j|j|j|j|j|j|j|j|j |j |j |j |j |jfS)Nz:%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)) __class__r&r'r(_state_panic _default_zone_module_refcount_markscleanup_on_exitcleanup_modules_on_exitipv6_rpfilter_enabledr)_individual_calls _log_denied)r>r?r?r@__repr__ks   zFirewall.__repr__cCsjd|_d|_d|_i|_g|_tj|_tj|_ tj |_ tj |_ tj|_tj|_tj|_tj|_tj|_dS)NZINITF)rCrDrErFrGrZFALLBACK_CLEANUP_ON_EXITrHZ FALLBACK_CLEANUP_MODULES_ON_EXITrIZFALLBACK_IPV6_RPFILTERrJZFALLBACK_INDIVIDUAL_CALLSrKZFALLBACK_LOG_DENIEDrLZFALLBACK_FIREWALL_BACKEND_firewall_backendZFALLBACK_FLUSH_ALL_ON_RELOAD_flush_all_on_reloadZFALLBACK_RFC3964_IPV4 _rfc3964_ipv4ZFALLBACK_ALLOW_ZONE_DRIFTING_allow_zone_drifting)r>r?r?r@Z __init_varstszFirewall.__init_varscCs|jr$d|jjkr$tjdd|_|jrHd|jjkrHtjdd|_|jrld|jjkrltjdd|_|j r|j r|j rtj dt j ddS)Nfilterziptables is not usable.Fzip6tables is not usable.zebtables is not usable.zNo IPv4 and IPv6 firewall.) r&r-get_available_tablesrinfo1r'r0r(r2r+fatalsysexit)r>r?r?r@ _check_tabless     zFirewall._check_tablesc Cszy|jjWn*tk r8tjdd|_g|_YnX|jj|_|jj |jj s||jj rltjdntjdd|_ |j r|jjd|_n|j r|jj|_ng|_|jj |jj s|jj rtjdntjdd|_|j r|jjd|_n|jr|jj|_ng|_|jj |jj sN|jj r>tjd ntjd d|_|jrv|j rv|jj rvtjd dS) Nz4ipset not usable, disabling ipset usage in firewall.FzFiptables-restore is missing, using individual calls for IPv4 firewall.zCiptables-restore and iptables are missing, disabling IPv4 firewall.ipv4zGip6tables-restore is missing, using individual calls for IPv6 firewall.zEip6tables-restore and ip6tables are missing, disabling IPv6 firewall.ipv6zHebtables-restore is missing, using individual calls for bridge firewall.zEebtables-restore and ebtables are missing, disabling bridge firewall.zSebtables-restore is not supporting the --noflush option, will therefore not be used)r3Zset_list ValueErrorrwarningr)r*Zset_supported_typesr-Z fill_existsrestore_command_existsZcommand_existsr&r+r4Zsupported_icmp_typesr.r0r'r1r2r(rKrestore_noflush_optiondebug1)r>r?r?r@ _start_checksL               zFirewall._start_checkc>Cstj}tjdtjy|jjWn8tk rZ}ztj|tjdWYdd}~Xn"X|jj drt|jj d}|jj dr|jj d}|dk r|j dBkrd|_ tjd|j |jj d r|jj d }|dk r|j dCkrd |_ |dk r|j dDkrd|_ tjd |j |jj drv|jj d}|dk rv|j dEkrvtjdy|j jWntk rtYnX|jj dr|jj d}|dk r|j dFkrd|_|j dGkrd |_|jrtjdn tjd|jj dr"|jj d}|dk r"|j dHkr"tjdd |_|jj drt|jj d}|dksT|j dkr\d|_n|j |_tjd|j|jj dr|jj d|_tjd|j|jj dr|jj d}|j dIkrd|_nd |_tjd|j|jj dr&|jj d}|j dJkrd|_nd |_tjd|j|jj dr||jj d}|j dKkrVd|_nd |_|jsntjdtjd |j|jjtj|j|j|j|js|jtjd!y|j jjWnZtk r }z<|j jrtjd"|j jj |ntjd"|j jj |WYdd}~XnX|jj!tj|j |j"tj#d#|j"tj$d#|j"tj%d$|j"tj&d$t'|j(j)d%krtjd&|j"tj*d'|j"tj+d'|j"tj,d(|j"tj-d(t'|j.j/d%krtjd)|j"tj0d*|j"tj1d*t'|j2j3d%kr&tj4d+t5j6d,|j"tj7d-|j"tj8d-d}x.dLD]&}||j2j3krLtj4d1|d }qLW|rt5j6d,||j2j3krd2|j2j3krd2}nd3|j2j3krd3}nd.}tjd4|||}n tjd5|t9tj:} t;jj?| |jj@tj| |jA||_B|jrdS|jCtjDd%krtEjE} tF|} |s|jG| d8|r|s|jHr|jIjJr| jKd | jL|r|rtjd9|jMjN|jO| d8| jKd | jL|jHrX|jIjJrXtjd:|jIjPtjd;|jQ| d8tjd<|j2jR| d8|j2jSd|jB| d8tjd=|jTjU| d8| jKd | jL|j>jVrVtjd>|j>jW| y| jKd | jLWnXtk r>} z$t| jXd?| jYr&| jYnd@WYdd} ~ Xntk rTYnX~ tjDd,krtEjE} tjZdA| | dS)MNz"Loading firewalld config file '%s'z0Using fallback firewalld configuration settings. DefaultZoneZ CleanupOnExitnofalseFzCleanupOnExit is set to '%s'ZCleanupModulesOnExityestrueTz#CleanupModulesOnExit is set to '%s'ZLockdownzLockdown is enabledZ IPv6_rpfilterzIPv6 rpfilter is enabledzIPV6 rpfilter is disabledZIndividualCallszIndividualCalls is enabled LogDeniedZoffzLogDenied is set to '%s'ZFirewallBackendzFirewallBackend is set to '%s'ZFlushAllOnReloadzFlushAllOnReload is set to '%s'Z RFC3964_IPv4zRFC3964_IPv4 is set to '%s'ZAllowZoneDriftingzAllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.z AllowZoneDrifting is set to '%s'zLoading lockdown whitelistz*Failed to load lockdown whitelist '%s': %srr6rzNo icmptypes found.r;r7zNo services found.r8zNo zones found.rTr<blockdroptrustedzZone '%s' is not available.ZpublicZexternalz+Default zone '%s' is not valid. Using '%s'.zUsing default zone '%s'zLoading direct rules file '%s'z)Failed to load direct rules file '%s': %s)use_transactionzUnloading firewall moduleszApplying ipsetszApplying default rule setzApplying used zoneszApplying used policiesz2Applying direct chains rules and passthrough rulesz Direct: %srNz%Flushing and applying took %f seconds)rdre)rfrg)rdre)rfrg)rdre)rfrg)rfrg)rdre)rdre)rdre)rirjrk)[rZ FALLBACK_ZONErrar#r$read Exceptionr^getlowerrHrIr:Zenable_lockdownr"rJrKrLrOrPrQrRr%Zset_firewalld_confcopydeepcopy_select_firewall_backendrbZlockdown_whitelistZquery_lockdownerrorfilenameZ set_policies_loaderZFIREWALLD_IPSETSZETC_FIREWALLD_IPSETSZFIREWALLD_ICMPTYPESZETC_FIREWALLD_ICMPTYPESlenr6 get_icmptypesZFIREWALLD_HELPERSZETC_FIREWALLD_HELPERSZFIREWALLD_SERVICESZETC_FIREWALLD_SERVICESr7 get_servicesZFIREWALLD_ZONESZETC_FIREWALLD_ZONESr8 get_zonesrWrXrYZFIREWALLD_POLICIESZETC_FIREWALLD_POLICIESrZFIREWALLD_DIRECTospathexistsr9Zset_permanent_configZ set_direct check_zonerErZZgetDebugLogLeveltimerflushr)rZ has_ipsetsexecuteclearr5unload_firewall_modulesapply_default_tablesZ apply_ipsetsapply_default_rulesZ apply_zoneschange_default_zoner<Zapply_policiesZhas_configurationZ apply_directcodemsgZdebug2)r>reloadcomplete_reloadZ default_zonervaluertzr8objZtm1 transactioneZtm2r?r?r@_startst                                                           .zFirewall._startc CsHy |jWn&tk r2d|_|jdYnXd|_|jddS)NFAILEDACCEPTRUNNING)rrnrC set_policy)r>r?r?r@starts  zFirewall.startc Cshtjj|sdS|rZ|jtjrV|dkrVt}tjj||_|j |j||_d|_ nd}x|t tj |D]h}|j ds|jtjrl|dkrltjjd||frl|jd||f|ddqld||f}tjd||y|dkrt||}|j|jjkr8|jj|j}tjd ||j|j|j|jj|jn|jjtjrNd|_ y|jj|Wn<tk r} ztjd |jt| fWYdd} ~ XnX|jjtj|n|d krFt||}|j|jjkr|jj |j}tjd ||j|j|j|jj!|jn|jjtjr$d|_ |jj"||jj"tj|n.|dkrnt#|||d }|rdtjj|tjj|d df|_|j |jtj|} |j|j$j%kr|j$j&|j}|j$j'|j|j(rtjd||j|||j)|ntjd ||j|j|jn|jjtjr,d|_ d| _ |jj*| |r^tjd||j|||j)|n |j$j*|n|dkrDt+||}|j|j,j-kr|j,j.|j}tjd ||j|j|j|j,j/|jn|jjtjrd|_ y|j,j0|Wn<tk r,} ztj1d |jt| fWYdd} ~ XnX|jj0tj|n0|dkrt2||}|j|j3j4kr|j3j5|j}tjd ||j|j|j|j3j6|jn|jjtjrd|_ |j3j7||jj7tj|n|dkrht8||}|j|j9j:kr2|j9j;|j}tjd ||j|j|j|j9j<|jn|jjtjrHd|_ |j9j=||jj>tj|n tj?d|Wqltk r} ztj@d||| WYdd} ~ XqltAk rtj@d||tjBYqlXqlW|rd|j(rd|j|j$j%krX|j$j&|j}tjd||j|j|jy|j$j'|jWntAk rHYnX|jjC|j|j$j*|dS)Nr8Fz.xmlz%s/%sT)combinezLoading %s file '%s'r6z Overloads %s '%s' ('%s/%s')z%s: %s, ignoring for run-time.r7)Z no_check_namerz Combining %s '%s' ('%s/%s')rr;r<zUnknown reader type %szFailed to load %s file '%s': %szFailed to load %s file '%s':z0 Overloading and deactivating %s '%s' ('%s/%s'))Dr{r|isdir startswithrZ ETC_FIREWALLDrbasenamenameZ check_namedefaultsortedlistdirendswithrvrrarr6rxZ get_icmptyperuZremove_icmptypeZ add_icmptyper"rVstrrqrrrr7ryZ get_serviceZremove_serviceZ add_servicerr8rzZget_zoneZ remove_zonecombinedrZadd_zonerr get_ipsets get_ipsetZ remove_ipset add_ipsetr^rr;Z get_helpersZ get_helperZ remove_helperZ add_helperr r< get_policiesZ get_policyZ remove_policyZ add_policyZadd_policy_objectrWrtrnZ exceptionZ forget_zone) r>r|Z reader_typerZ combined_zonerurrZorig_objrtZ config_objrr?r?r@rvs       $             $       zFirewall._loadercCsp|jj|jj|jj|jj|jj|jj|jj|jj|j j|j j|j dS)N) r6cleanupr7r8rr;rr9r:r<r$r=)r>r?r?r@rs          zFirewall.cleanupcCsN|jsB|jr(|j|jj|jd|jrBtjd|jj |j dS)Nrz!Unloading firewall kernel modules) r%rHrrrrIrrar5rr)r>r?r?r@stops    z Firewall.stopc Csd}d}xt|D]\}}|r0|jj|\}}n$|j|dkrDd}n|jj|\}}|dkrn|d7}||7}q|r|jj|d|j|d7<q||jkr|j|d8<|j|dkr|j|=qW||fS)NrrNrT) enumerater5 load_modulerFZ unload_module setdefault) r>Z_modulesenableZ num_failedZ error_msgsimoduleZstatusrr?r?r@handle_moduless(  zFirewall.handle_modulescCs|dkrd|_dS)NrF)r+)r>backendr?r?r@rssz!Firewall._select_firewall_backendcCs4x|jD]}|j|kr |Sq Wttjd|dS)Nz'%s' backend does not exist) all_backendsrr"r!Z UNKNOWN_ERROR)r>rrr?r?r@get_backend_by_names  zFirewall.get_backend_by_namecCs\|jr |jS|dkr |jr |jS|dkr4|jr4|jS|dkrH|jrH|jStt j d|dS)Nr[r\ebz-'%s' is not a valid backend or is unavailable) r+r4r&r-r'r0r(r2r"r! INVALID_IPV)r>ipvr?r?r@get_backend_by_ipvszFirewall.get_backend_by_ipvcCsP|dkr|jr|jS|dkr(|jr(|jS|dkr<|jr<|jSttjd|dS)Nr[r\rz-'%s' is not a valid backend or is unavailable) r&r-r'r0r(r2r"r!r)r>rr?r?r@get_direct_backend_by_ipvsz"Firewall.get_direct_backend_by_ipvcCs<|dkr|jS|dkr|jS|dkr*|jS|dkr8|jSdS)Nr,r/rrF)r&r'r(r+)r>rr?r?r@is_backend_enabledszFirewall.is_backend_enabledcCs8|jr dS|dkr|jS|dkr&|jS|dkr4|jSdS)NTr[r\rF)r+r&r'r()r>rr?r?r@is_ipv_enabledszFirewall.is_ipv_enabledcCsRg}|jr|j|jn6|jr*|j|j|jr<|j|j|jrN|j|j|S)N) r+appendr4r&r-r'r0r(r2)r>backendsr?r?r@enabled_backends s   zFirewall.enabled_backendscCsPg}|jr|j|j|jr(|j|j|jr:|j|j|jrL|j|j|S)N) r&rr-r'r0r(r2r+r4)r>rr?r?r@rs    zFirewall.all_backendsNcCsN|dkrt|}n|}x |jD]}|j||jq W|dkrJ|jddS)NT)rr add_rulesZbuild_default_tablesr)r>rlrrr?r?r@r$s zFirewall.apply_default_tablescCs|dkrt|}n|}x(|jD]}|j|j}|j||q W|jdr~|jd}d|jkr~|jr~|j |j}|j|||jdr|j r|j }|j|||dkr|j ddS)Nr\rawT) rrZbuild_default_rulesrLrrrrUrJZbuild_rpfilter_rulesrQZbuild_rfc3964_ipv4_rulesr)r>rlrrrulesZ ipv6_backendr?r?r@r0s"        zFirewall.apply_default_rulescCs|jr|jj rdSdS)NTF)r+r9Zhas_runtime_configuration)r>r?r?r@may_skip_flush_direct_backendsHsz'Firewall.may_skip_flush_direct_backendscCs`|dkrt|}n|}x2|jD]&}||jkr2q |j}|j||q W|dkr\|jddS)NT)rrrbuild_flush_rulesrr)r>rlrrrr?r?r@flush_direct_backendsNs  zFirewall.flush_direct_backendscCsp|dkrt|}n|}tjd|js4|j|dx$|jD]}|j}|j||q>W|dkrl|jddS)NzFlushing rule set)rlT) rrrarrrrrr)r>rlrrrr?r?r@r]s   zFirewall.flushcCs`|dkrt|}n|}tjd|x&|jD]}|j|}|j||q,W|dkr\|jddS)NzSetting policy to '%s'T)rrrarZbuild_set_policy_rulesrr)r>r<rlrrrr?r?r@ros   zFirewall.set_policycCsB|sdS|j|}|s&ttjd||j|s4dS|j||jS)NrNz'%s' is not a valid backend)rr"r!rrset_rulerL)r> backend_namerulerr?r?r@rs   z Firewall.rulecCs"ttd|}|j|}|s,ttjd||j|s:dS|js\|j s\|dkoX|j j rxt |D]\}}y|j ||j Wqftk r}zjtjtjtj|xFt|d|D]2}y|j |j||j Wqtk rYqXqW|WYdd}~XqfXqfWn|j||j dS)Nz'%s' is not a valid backendr)listrSrr"r!rrrKr_r2r`rrrLrnrra traceback format_excrtreversedZ reverse_ruleZ set_rules)r>rrZ_rulesrrrrr?r?r@rs.     zFirewall.rulescCs|jrttjdS)N)rDr"r!Z PANIC_MODE)r>r?r?r@ check_panicszFirewall.check_paniccCs"|}||jjkrttj||S)N)r<rr"r!ZINVALID_POLICY)r>r<Z_policyr?r?r@ check_policys zFirewall.check_policycCs8|}| s|dkr|j}||jjkr4ttj||S)NrN)get_default_zoner8rzr"r!Z INVALID_ZONE)r>r8_zoner?r?r@r~s  zFirewall.check_zonecCstj|sttj|dS)N)rZcheckInterfacer"r!ZINVALID_INTERFACE)r> interfacer?r?r@check_interfaces zFirewall.check_interfacecCs|jj|dS)N)r7 check_service)r>r7r?r?r@rszFirewall.check_servicecCstj|sttj|dS)N)r check_portr"r!Z INVALID_PORT)r>Zportr?r?r@rs zFirewall.check_portcCs*|sttj|dkr&ttjd|dS)Ntcpudpsctpdccpz''%s' not in {'tcp'|'udp'|'sctp'|'dccp'})rrrr)r"r!ZMISSING_PROTOCOLZINVALID_PROTOCOL)r>Zprotocolr?r?r@ check_tcpudps  zFirewall.check_tcpudpcCstj|sttj|dS)N)rZcheckIPr"r! INVALID_ADDR)r>Zipr?r?r@check_ips zFirewall.check_ipcCsP|dkr tj|sLttj|n,|dkr@tj|sLttj|n ttjddS)Nr[r\z'%s' not in {'ipv4'|'ipv6'})rZ checkIPnMaskr"r!rZ checkIP6nMaskr)r>rsourcer?r?r@ check_addresss  zFirewall.check_addresscCs|jj|dS)N)r6check_icmptype)r>Zicmpr?r?r@rszFirewall.check_icmptypecCs>t|tstd|t|ft|dkr:ttjd|dS)Nz%s is %s, expected intrz#timeout '%d' is not positive number) isinstanceint TypeErrortyper"r! INVALID_VALUE)r>Ztimeoutr?r?r@ check_timeouts   zFirewall.check_timeoutc Cs`|j}|j}|sNi}x&|jjD]}|jj|d||<q W|jj}|j}g}x$|jj D]} |j |jj | q^W|s|j d|j |jd} y|jd|dWn&tk r} z | } WYdd} ~ XnX|r(xL|D]D} |jj| jsx0|jjD]"} | jdkrq| j| jqWqW|s|j}||kr||krRi||<xFt||jD]2\}}|drd||||||<|||=qdWxb|jjD]T}||krx.||D]"}|jj|||||dqW||=n tjd|qWt|d kr6x(t|jD]}tjd |||=qW~x|D]} |jj| jrxx| jD]R}y|jj| j|Wn6tk r}z|jt j!kr|WYdd}~XnXqZWn|jj"| |jj#| jq>W|jj$|t%}|r,x@|jjd gD],}x$t&|D]}|jj|||d q WqW||_|jsD|j d | rVd|_'| nd|_'dS)N interfacesZDROPT)rrr __default__senderzNew zone '%s'.rz(Lost zone '%s', zone interfaces dropped.rN)rrrr)(rDrPr8rz get_settingsr9Zget_runtime_configrrrrrrrrrrnZ query_ipsetrrZ set_destroyritemschange_zone_of_interfacerrVrwkeysZentriesZ add_entryr"rr!ALREADY_ENABLEDrZ apply_ipsetZ set_configrrrC)r>rrDZ flush_allZ_zone_interfacesr8Z_direct_config_old_dzZ _ipset_objs_nameZstart_exceptionrrrZ_new_dzifacesettingsZ interface_identryrZ nm_bus_namerr?r?r@rs                zFirewall.reloadcCs|jS)N)rC)r>r?r?r@ get_stateaszFirewall.get_statecCsZ|jrttjdy|jdWn.tk rN}zttj|WYdd}~XnXd|_dS)Nzpanic mode already enabledZPANICT)rDr"r!rrrnCOMMAND_FAILED)r>rr?r?r@enable_panic_modefszFirewall.enable_panic_modecCsZ|jsttjdy|jdWn.tk rN}zttj|WYdd}~XnXd|_dS)Nzpanic mode is not enabledrF)rDr"r!Z NOT_ENABLEDrrnr)r>rr?r?r@disable_panic_modeqszFirewall.disable_panic_modecCs|jS)N)rD)r>r?r?r@query_panic_mode|szFirewall.query_panic_modecCs|jS)N)rL)r>r?r?r@get_log_deniedszFirewall.get_log_deniedcCsb|tjkr&ttjd|djtjf||jkrR||_|jj d||jj n ttj |dS)Nz'%s', choose from '%s'z','rh) rZLOG_DENIED_VALUESr"r!rjoinrrLr$setwriteZ ALREADY_SET)r>rr?r?r@set_log_denieds   zFirewall.set_log_deniedcCs|jS)N)rE)r>r?r?r@rszFirewall.get_default_zonecCs|j|}||jkr|j}||_|jjd||jj|jj|||jj|}x@t|dj D]\}}|drd|jj d|qdWn t t j |dS)NrcrrrN)r~rEr$rrr8rrrrrr"r!ZZONE_ALREADY_SET)r>r8rrZ_old_dz_settingsrrr?r?r@set_default_zones    zFirewall.set_default_zonecCsH|j}x:|jD].\}}|s(t|tr2|||<q||kr||=qW|S)N)rqrrbool)r>Z permanentZruntimerkeyrr?r?r@'combine_runtime_with_permanent_settingss  z0Firewall.combine_runtime_with_permanent_settingscCsi}i}xt|jt|jBD]}||kr"t||trt||krN||ng}tt|||||<t|t||A|@||<q"t||tst||tr|| r||rd||<q||r|| rd||<q"ttjdj t |||q"W||fS)NTFz Unhandled setting type {} key {}) rrrrrrr"r!ZINVALID_SETTINGformatr)r>Z old_settingsZ new_settingsZ add_settingsZremove_settingsroldr?r?r@get_added_and_removed_settingss   z'Firewall.get_added_and_removed_settings)F)FF)F)N)N)N)N)N)F)4__name__ __module__ __qualname__rArMr=rZrbrrrvrrrrsrrrrrrrrrrrrrrrrrr~rrrrrrrrrrrrrrrrrrrr?r?r?r@rBsh ( ;                s  )A__all__Zos.pathr{rXrqrrZfirewallrrZ firewall.corerrrrr Zfirewall.core.fw_icmptyper Zfirewall.core.fw_servicer Zfirewall.core.fw_zoner Zfirewall.core.fw_directr Zfirewall.core.fw_configrZfirewall.core.fw_policiesrZfirewall.core.fw_ipsetrZfirewall.core.fw_transactionrZfirewall.core.fw_helperrZfirewall.core.fw_policyrZfirewall.core.fw_nmrrZfirewall.core.loggerrZfirewall.core.io.firewalld_confrZfirewall.core.io.directrZfirewall.core.io.servicerZfirewall.core.io.icmptyperZfirewall.core.io.zonerrZfirewall.core.io.ipsetrZfirewall.core.ipsetrZfirewall.core.io.helperrZfirewall.core.io.policyr r!Zfirewall.errorsr"objectrr?r?r?r@sH