3 @)f@s(ddlZddlZddlmZddlmZddlmZm Z m Z m Z m Z m Z mZmZddlmZddlmZmZmZmZmZddlmZmZmZmZmZmZmZddl Z dZ!d d d gd d gd d d d d gd d d gd d d gdZ"dddZ#dddZ$ddZ%ddZ&ddZ'Gddde(Z)Gddde)Z*dS)N)runProg)log)tempFilereadfile splitArgs check_macportStrcheck_single_address check_address normalizeIP6)config) FirewallErrorINVALID_PASSTHROUGH INVALID_RULE UNKNOWN_ERROR INVALID_ADDR) Rich_Accept Rich_Reject Rich_Drop Rich_MarkRich_MasqueradeRich_ForwardPortRich_IcmpBlockINPUTOUTPUTFORWARD PREROUTING POSTROUTING)securityrawmanglenatfilterzicmp-host-prohibitedzicmp6-adm-prohibited)ipv4ipv6icmpz ipv6-icmpcCsddddddd}|dd}x~|D]v}y|j|}Wntk rLw$YnX|d kryt||d Wntk r~YnX|j|d ||||<q$W|S) z Inverse valid rule z-Dz--deletez-Xz--delete-chain)z-Az--appendz-Iz--insertz-Nz --new-chainN-I--insert)r'r()index Exceptionintpop)args replace_argsret_argsargidxr3/usr/lib/python3.6/ipXtables.pycommon_reverse_rule9s(  r5cCsddddddd}|dd}x|D]x}y|j|}Wntk rLw$YnX|d kryt||d Wntk r~YnX|j|d ||||<|SWttd dS) z Reverse valid passthough rule z-Dz--deletez-Xz--delete-chain)z-Az--appendz-Iz--insertz-Nz --new-chainN-I--insertr)zno '-A', '-I' or '-N' arg)r6r7)r* ValueErrorr,r-r r)r.r/r0xr2r3r3r4common_reverse_passthrough^s,   r:cCst|}tddddddddd d d d d dddddddg}t||@dkrbttdt||@dtddddddg}t||@dkrttddS)zZ Check if passthough rule is valid (only add, insert and new chain rules are allowed) z-Cz--checkz-Dz--deletez-Rz --replacez-Lz--listz-Sz --list-rulesz-Fz--flushz-Zz--zeroz-Xz--delete-chainz-Pz--policyz-Ez--rename-chainrzarg '%s' is not allowedz-Az--appendz-Iz--insertz-Nz --new-chainzno '-A', '-I' or '-N' argN)setlenr rlist)r.Z not_allowedZneededr3r3r4common_check_passthroughs*  r>c@seZdZdZdZdZddZddZddZd d Z d d Z d dZ ddZ ddZ ddZddZddZddZddZddZdd Zdhd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zdid,d-Zd.d/Zdjd1d2Zd3d4Zd5d6Zdkd8d9Zdld:d;Z dd?Z"d@dAZ#dBdCZ$dDdEZ%dFdGZ&dHdIZ'dJdKZ(dLdMZ)dNdOZ*dPdQZ+dmdRdSZ,dndTdUZ-dodVdWZ.dXdYZ/dpdZd[Z0dqd\d]Z1drd^d_Z2dsd`daZ3dbdcZ4dddeZ5dfdgZ6d!S)t ip4tablesr$TcCsd||_tj|j|_tjd|j|_|j|_|j|_ |j g|_ i|_ i|_ g|_i|_dS)Nz %s-restore)_fwr ZCOMMANDSipv_command_restore_command_detect_wait_option wait_option_detect_restore_wait_optionrestore_wait_option fill_existsavailable_tablesrich_rule_priority_countspolicy_priority_countszone_source_index_cache our_chains)selffwr3r3r4__init__s  zip4tables.__init__cCs$tjj|j|_tjj|j|_dS)N)ospathexistsrBZcommand_existsrCZrestore_command_exists)rNr3r3r4rHszip4tables.fill_existscCs|jr(|j|kr(|jgdd|D}ndd|D}tjd|j|jdj|t|j|\}}|dkrtd|jdj||f|S)NcSsg|] }d|qS)z%sr3).0itemr3r3r4 sz#ip4tables.__run..cSsg|] }d|qS)z%sr3)rTrUr3r3r4rVsz %s: %s %s rz'%s %s' failed: %s)rErdebug2 __class__rBjoinrr8)rNr.Z_argsstatusretr3r3r4Z__runszip4tables.__runc Cs<y|j|}Wntk r"dSX||||d<dSdS)NFT)r*r8)rNrulepatternZ replacementir3r3r4 _rule_replaces zip4tables._rule_replacecCs|tko|t|kS)N)BUILT_IN_CHAINS)rNrAtablechainr3r3r4is_chain_builtinszip4tables.is_chain_builtincCs2d|g}|r|jdn |jd|j||gS)Nz-tz-Nz-X)append)rNaddrcrdr^r3r3r4build_chain_ruless    zip4tables.build_chain_rulescCs8d|g}|r |d|t|g7}n |d|g7}||7}|S)Nz-tz-Iz-D)str)rNrgrcrdr*r.r^r3r3r4 build_rules  zip4tables.build_rulecCst|S)N)r5)rNr.r3r3r4 reverse_ruleszip4tables.reverse_rulecCs t|dS)N)r>)rNr.r3r3r4check_passthroughszip4tables.check_passthroughcCst|S)N)r:)rNr.r3r3r4reverse_passthroughszip4tables.reverse_passthroughcCsd}y|jd}Wntk r&YnXt||dkrD||d}d}xLd D]D}y|j|}Wntk rtYqNXt||dkrN||d}qNW||fS) Nr#z-tr]-A--append-I--insert-N --new-chain)rnrorprqrrrs)r*r8r<)rNr.rcr`rdoptr3r3r4passthrough_parse_table_chains$ z'ip4tables.passthrough_parse_table_chaincCs4yH|jd}|j||j|}d|dkr:||df}n ||df}WnFtk ry|jd}|j|d}Wntk rdSXYnXd}|ddkrd }|r| r||kr|j|nn|r0|r||kr|j||jd d d|j|}n|jjr d}nt|}d|d<|j dd|ddS)Nz%%ZONE_SOURCE%%z-mz%%ZONE_INTERFACE%%Tr-D--deleteFcSs|dS)Nrr3)r9r3r3r4&sz4ip4tables._run_replace_zone_source..)keyz-Ir)z%dr])ryrz) r*r-r8removerfsortr@_allow_zone_driftingr<insert)rNr^rLr`zoneZ zone_sourcerule_addr*r3r3r4_run_replace_zone_source s>             z"ip4tables._run_replace_zone_sourcecCsy|j|}Wntk r$YnXd}d}d}|j||j|}t|tkr\ttdd} xLdD]D} y|j| } Wntk rYqfXt|| dkrf|| d} qfWxhdD]`} y|j| }Wntk rYqXt||dkr||d} | dkrd}| dkrd}qW| | f} |sp| |ksP||| ksP|| |dkrZttd|| |d8<n| |kri|| <||| krd|| |<d} xHt || j D]4}||kr|rP| || |7} ||krPqW|| |d7<d ||<|j |dd| dS)a Change something like -t filter -I public_IN %%RICH_RULE_PRIORITY%% 123 or -t filter -A public_IN %%RICH_RULE_PRIORITY%% 321 into -t filter -I public_IN 4 or -t filter -I public_IN TFr]z%priority must be followed by a numberr#-t--table-A--append-I--insert-D--deleterz*nonexistent or underflow of priority countr)z%dN)rr)rrrrrr)rr)rr) r*r8r-typer,r rr<rsortedkeysr)rNr^Zpriority_countstokenr`rrZinsert_add_indexpriorityrcrtjrdr*pr3r3r4_set_rule_replace_priority2sj             z$ip4tables._set_rule_replace_prioritycCsPt}i}tj|j}tj|j}tj|j}x|D]}|dd} |j| dddt|jg|j| dt |jgy| j d} Wnt k rYn8X|dkrq6|d$krd d d |g| | | d <n | j | |j | |d|j | |d|j| |d} xZd%D]R} y| j | } Wnt k r,Yn(Xt| | d kr| j | | j | } qWxhtt| D]X} xPtjD]F} | | | krt| | jdo| | jd rtd| | | | <qtWqhW|j| gj| q6WxR|D]J} || }|jd| x"|D]} |jdj| dqW|jdqW|jtj|j}tjd|j|j d|j|j!fg}|j"rz|j|j"|jdt#|j ||jd\}}tj$dkr t%|j}|dk r d } xH|D]@}tj&d| |fd dd |jdstj&d!d d"| d 7} qWtj'|j|dkr:t d#|j dj||f||_||_||_dS)&Nz %%REJECT%%REJECTz --reject-withz%%ICMP%%z %%LOGTYPE%%offunicast broadcast multicastz-mpkttypez --pkt-typer]z%%RICH_RULE_PRIORITY%%z%%POLICY_PRIORITY%%r#-t--table"z"%s"z*%s rW zCOMMIT z %s: %s %sz%s: %dz-n)stdinr)z%8d: %sr)nofmtnlr)rz'%s %s' failed: %s)rrr)rr)(rcopydeepcopyrJrKrLraDEFAULT_REJECT_TYPErAICMPr*r8r-rrr<rangestringZ whitespace startswithendswith setdefaultrfwriterZcloserQstatnamerrXrYrCst_sizerGrZgetDebugLogLevelrZdebug3unlink)rNrules log_denied temp_fileZ table_rulesrJrKrLZ_ruler^r`rcrtcrr.r[r\linesliner3r3r4 set_ruless                    zip4tables.set_rulesc Cs|j|dddt|jg|j|dt|jgy|jd}Wntk rRYn:X|dkr`dS|dkrd d d |g|||d<n |j|tj|j }tj|j }tj|j }|j ||d|j ||d|j |||j|}||_ ||_ ||_ |S)Nz %%REJECT%%rz --reject-withz%%ICMP%%z %%LOGTYPE%%rrrrrz-mrz --pkt-typer]z%%RICH_RULE_PRIORITY%%z%%POLICY_PRIORITY%%)rrr)rarrArr*r8r-rrrJrKrLrr_ip4tables__run)rNr^rr`rJrKrLoutputr3r3r4set_rules.      zip4tables.set_ruleNc Csg}|r|gntj}xx|D]p}||jkr6|j|qy,|jd|ddg|jj||j|Wqtk rtjd|j|fYqXqW|S)Nz-tz-Lz-nzA%s table '%s' does not exist (or not enough permission to check).) rbrrIrfrr8rdebug1rA)rNrcr\Ztablesr3r3r4get_available_tabless    zip4tables.get_available_tablescCs`d}t|jdddg}|ddkr\d}t|jdddg}|ddkrHd}tjd|j|j||S)Nrz-wz-Lz-nrz-w10z%s: %s will be using %s option.)rrBrrXrY)rNrEr\r3r3r4rDs  zip4tables._detect_wait_optioncCst}|jd|jd}xJd D]B}t|j|g|jd}|ddkr"d|dkr"d |dkr"|}Pq"Wtjd |j|j|t j |j|S) Nz#foor-w--wait=2)rrzinvalid optionr]zunrecognized optionz%s: %s will be using %s option.)rr) rrrrrCrrrXrYrQr)rNrrEZ test_optionr\r3r3r4rF"s    z%ip4tables._detect_restore_wait_optioncCsVi|_i|_g|_g}x:tjD].}|j|s0q xdD]}|jd||gq6Wq W|S)N-F-X-Zz-t)rrr)rJrKrLrbrrrf)rNrrcflagr3r3r4build_flush_rules5s  zip4tables.build_flush_rulescCsfg}|dkrdn|}xLtjD]@}|j|s.q|dkr8qx$t|D]}|jd|d||gqBWqW|S)NZPANICDROPr"z-tz-P)rbrrrf)rNpolicyr_policyrcrdr3r3r4build_set_policy_rulesDs z ip4tables.build_set_policy_rulesc Cs g}d}y"|jd|jdkrdnddg}WnJtk rt}z.|jdkrVtjd|ntjd|WYd d }~XnX|j}d }x|D]}|r|jj}|j}xD|D]<} | j d r| j d r| d d} n| } | |kr|j | qW|jdko|j ds|jdkr|j drd}qW|S)zQReturn ICMP types that are supported by the iptables/ip6tables command and kernelrz-pr$r&z ipv6-icmpz--helpziptables error: %szip6tables error: %sNF()r]zValid ICMP Types:r%zValid ICMPv6 Types:Tr) rrAr8rr splitlinesstriplowersplitrrrf) rNrAr\rZexrZin_typesrZsplitsrr9r3r3r4supported_icmp_typesPs4      zip4tables.supported_icmp_typescCsgS)Nr3)rNr3r3r4build_default_tablesqszip4tables.build_default_tablesrc Csi}|jdrpg|d<t|jd<xLtdD]@}|djd||djd||f|jdjd|q,W|jdr\g|d<t|jd<xtdD]}|djd||djd||f|jdjd||dkrxt|jjrddd d gndd d gD]R}|djd ||f|djd |||f|jdjtd ||fgqWqW|jdrNg|d<t|jd<xtdD]}|djd||djd||f|jdjd||dkrxv|jjrddd d gndd d gD]R}|djd ||f|djd |||f|jdjtd ||fgqWqW|jdr@g|d<t|jd<xtdD]}|djd||djd||f|jdjd||d9krxxv|jjrddd d gndd d gD]R}|djd ||f|djd |||f|jdjtd ||fgqWqxWg|d<t|jd<|djd|djd|djd|djd|jdjtdxf|jjrddd d gndd d gD]B}|djd||djd||jdjtd|qW|dkr |djd|djd|dkrF|djd|djd|djd|djd |djd!|djd"|jdjtd#xJd:D]B}|djd$||djd%||jdjtd&|qWxzd;D]r}xj|jjr dd gnd gD]N}|djd)||f|djd*||f|jdjtd+||fqWqWxJdD]B}|djd5||djd6||jdjtd7|q~Wg}xJ|D]B}||jkrqx(||D]}|jd8|gt |qWqW|S)?Nrz -N %s_directz-A %s -j %s_directz %s_directr r POLICIES_preZ ZONES_SOURCEZZONES POLICIES_postz-N %s_%sz-A %s -j %s_%sz%s_%sr!r"rr#zB-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPTz-A INPUT -i lo -j ACCEPTz-N INPUT_directz-A INPUT -j INPUT_directZ INPUT_directz -N INPUT_%sz-A INPUT -j INPUT_%szINPUT_%srz^-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 'z/-A INPUT -m conntrack --ctstate INVALID -j DROPz9-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 'z-A INPUT -j %%REJECT%%zD-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPTz-A FORWARD -i lo -j ACCEPTz-N FORWARD_directz-A FORWARD -j FORWARD_directZFORWARD_directz -N FORWARD_%sz-A FORWARD -j FORWARD_%sz FORWARD_%sINOUTz-N FORWARD_%s_%sz-A FORWARD -j FORWARD_%s_%sz FORWARD_%s_%sz`-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 'z1-A FORWARD -m conntrack --ctstate INVALID -j DROPz;-A FORWARD %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 'z-A FORWARD -j %%REJECT%%z-N OUTPUT_directz>-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPTz-A OUTPUT -o lo -j ACCEPTz-A OUTPUT -j OUTPUT_directZ OUTPUT_directz -N OUTPUT_%sz-A OUTPUT -j OUTPUT_%sz OUTPUT_%sz-t)rr)r)rr)r)r)r) rr;rMrbrfrgr@rupdater) rNrZ default_rulesrdZdispatch_suffix directionZfinal_default_rulesrcr^r3r3r4build_default_rulesus    $(   &*   &* &    (       "zip4tables.build_default_rulescCsf|dkrdddhS|dkr,d|jkr,dhS|dkrHd|jkrHddhS|d krbd |jkrbdhSiS) Nr#r FORWARD_IN FORWARD_OUTr!rr"rr )r)rNrcr3r3r4get_zone_table_chainss    zip4tables.get_zone_table_chainsc s|jjj|jdkrdnddkr4dkr4dnd} |jjj|t| g} g} x|D]} | jd| gqZWx|D]} | jd | gqvWxB|D]:} |jjj| }|dkr|j | rq| j|j d | qWx\|D]T} |jjj| }|dkr|j | rqt | rdkrq| j|j d| qWfdd}g}| rx| D]F}| rx8| D]}|j|||qdWn|rn|j||dqTWnH|rn@| rx8| D]}|j|d|qWn|rn|j|dd|S)Nrprepostr"rTFz-iz-or$r%z-srrz-dcsVddd}d|dfdjg}|r6|j||rD|j||jdg|S)Nz-Az-D)TFz-tz%s_POLICIES_%sz%%POLICY_PRIORITY%%z-j)rextend)ingress_fragmentegress_fragmentadd_delr^)rrd chain_suffixenablep_objrcr3r4_generate_policy_dispatch_rules   zSip4tables.build_policy_ingress_egress_rules.._generate_policy_dispatch_rule)r$r%)r$r%)rrr) r@rZ get_policyrpolicy_base_chain_namePOLICY_CHAIN_PREFIXrfrZ check_sourceis_ipv_supported_rule_addr_fragmentr)rNrrrcrdZingress_interfacesZegress_interfacesZingress_sourcesZegress_sourcesisSNATZingress_fragmentsZegress_fragments interfaceaddrrArrrrr3)rrdrrrrcr4!build_policy_ingress_egress_rulessR        z+ip4tables.build_policy_ingress_egress_rulesFc Cs|dkr|dkrdnd}|jjj||t|d} ddddddd|} d } |rb| rbd d |d g} n,|rtd d |g} ndd |g} |s| d g7} | d|| || | g7} | gS)Nr"rTF)rz-iz-o)rrrrrrz-gz-Iz%s_ZONESz%%ZONE_INTERFACE%%z-Az-Dz-t)r@rrr) rNrrrrrcrdrfrrrtactionr^r3r3r4!build_zone_source_interface_rulesKs&   z+ip4tables.build_zone_source_interface_rulescCs|jdrP|dd}|dkr$d}nd}dj|g|jjj|}ddd ||gSt|rz|dkrjttd dd d |jgSt d |rt |}n,t d |r|j d}t |dd|d}||gSdS)Nzipset:z-ddstsrc,z-mr;z --match-setzCan't match a destination MAC.macz --mac-sourcer%/rr]) rrZr@ipsetZ get_dimensionrr rupperr r r r)rNrtaddressinvertrflags addr_splitr3r3r4res"       zip4tables._rule_addr_fragmentc Csddd|}|dkr"|dkr"dnd}|jjj||t|d} d d d d d d d |} |jjrdd |} nd |} t|r|dkrgS|| d|d|g} | j|j| || jd| g| gS)Nz-Iz-D)TFr"rTF)rz-sz-d)rrrrrrz%s_ZONES_SOURCEz%s_ZONESrrz%%ZONE_SOURCE%%z-tz-g)rrr)r@rrrrrrr) rNrrrrrcrdrrrrtZzone_dispatch_chainr^r3r3r4build_zone_source_address_rules{s& z)ip4tables.build_zone_source_address_rulesc Cs>ddd|}ddd|}|dkr0|dkr0dnd }|jjj||t|d }|j|jt|d |d |d |d|d|gg} | j||d|g| j|d |d|g| j|d |d|g| j|d |d|g| j|d|d|g| j|d|d|g| j||d|dd |g| j||d|dd |g| j||d|dd |g| j||d|dd|g| j||d|dd|g|jjj|j } |jj dkr|dkr| dkr| j||d|ddddd|g | dkr| j||d|ddddd|g |dkr,| dkr,| j||d|d| g|s:| j | S)Nz-Nz-X)TFz-Az-Dr"rTF)rz%s_logz%s_denyz%s_prez%s_postz%s_allowz-tz-jrr#r %%REJECT%%z %%LOGTYPE%%LOGz --log-prefixz "%s_REJECT: "rz "%s_DROP: "ACCEPT)rr)rrrr) r@rrrrMrr;rfZ _policiestargetget_log_deniedreverse) rNrrrcrdZ add_del_chainZ add_del_rulerrrrr3r3r4build_policy_chain_rulessN       z"ip4tables.build_policy_chain_rulescCs2|sgSddd|jg}|jdk r.|d|jg7}|S)Nz-mlimitz--limitz --limit-burst)valueZburst)rNrsr3r3r4 _rule_limits  zip4tables._rule_limitcCst|jtttgkrn<|jrHt|jtttt gkrRt t dt|jn t t d|j dkrt|jttgkst|jtt gkrdSt|jtgkst|jttgkrdSn|j dkrdSdSdS)NzUnknown action %szNo rule action specified.rallowZdenyrr) relementrrrrrrrrr rr)rN rich_ruler3r3r4_rich_rule_chain_suffixs    z!ip4tables._rich_rule_chain_suffixcCs>|j r|j rttd|jdkr(dS|jdkr6dSdSdS)NzNot log or auditrrrr)rauditr rr)rNrr3r3r4 _rich_rule_chain_suffix_from_logs   z*ip4tables._rich_rule_chain_suffix_from_logcCs|jdkrgSd|jgS)Nrz%%RICH_RULE_PRIORITY%%)r)rNrr3r3r4_rich_rule_priority_fragments z&ip4tables._rich_rule_priority_fragmentc Cs|js gS|jjj||t}ddd|}|j|}d||d||fg} | |j|7} | |ddg7} |jjr| dd |jjg7} |jjr| d d |jjg7} | |j |jj 7} | S) Nz-Az-D)TFz-tz%s_%sz-jrz --log-prefixz'%s'z --log-levelz%s) rr@rrrr r prefixlevelrr) rNrrrrc rule_fragmentrrrr^r3r3r4_rich_rule_logs zip4tables._rich_rule_logc Cs|js gSddd|}|jjj||t}|j|}d||d||fg} | |j|7} | |7} t|jt krrd} n,t|jt krd} nt|jt krd} nd } | d d d | g7} | |j |jj 7} | S) Nz-Az-D)TFz-tz%s_%sZacceptZrejectZdropunknownz-jZAUDITz--type)r r@rrrr r rrrrrrr) rNrrrrcrrrrr^Z_typer3r3r4_rich_rule_audit s$ zip4tables._rich_rule_auditc Cs2|js gSddd|}|jjj||t}|j|}d||f} t|jtkrXddg} nt|jtkrddg} |jjr| d|jjg7} nnt|jt krdd g} nVt|jt krd }|jjj||t}d||f} dd d |jj g} nt t d t|jd||| g} | |j|7} | || 7} | |j|jj7} | S)Nz-Az-D)TFz%s_%sz-jrrz --reject-withrr!MARKz --set-xmarkzUnknown action %sz-t)rr@rrrr rrrrrr;r rr rr) rNrrrrcrrrrrdZ rule_actionr^r3r3r4_rich_rule_action$s4       zip4tables._rich_rule_actioncCs|sgSg}|jr|jr"|jdtd|jrB|dt|jg7}qtd|jr||jjd}|dt|dd|dg7}q|d|jg7}nD|jr|ddg7}|jr|jd|jj j |jd }|d |j|g7}|S) N!r%z-drrr]z-mr;rz --match-set) rrrfr r r rrr@r_ipset_match_flags)rNZ rich_destrrrr3r3r4_rich_rule_destination_fragmentFs&    "  z)ip4tables._rich_rule_destination_fragmentcCs|sgSg}|jr|jr"|jdtd|jrB|dt|jg7}nHtd|jr||jjd}|dt|dd|dg7}n|d|jg7}nt|dr|jr|ddg7}|jr|jd|d |jg7}nPt|d o|j r|dd g7}|jr|jd|j j j |j d }|d |j |g7}|S)Nrr%z-srrr]rz-mz --mac-sourcerr;rz --match-set) rrrfr r r rhasattrrrr@rr)rNZ rich_sourcerrrr3r3r4_rich_rule_source_fragment^s0    "    z$ip4tables._rich_rule_source_fragmentc Csddd|}d}|jjj||t} d|g} |rD| ddt|g7} |rT| d|g7} |rx| |j|j7} | |j|j7} | st |j t kr| d d d d g7} g} |r| j |j ||||| | j |j||||| | j |j||||| n"| j |d | d|g| ddg| S)Nz-Az-D)TFr#z-pz--dportz%sz-dz-m conntrackz --ctstatez NEW,UNTRACKEDz%s_allowz-tz-jr)r@rrrrr destinationrsourcerrrrfrrr) rNrrprotoportrrrrcrrrr3r3r4build_policy_ports_rules{s* z"ip4tables.build_policy_ports_rulesc Csddd|}d}|jjj||t}d|g} |r<| d|g7} |r`| |j|j7} | |j|j7} | stt|j t kr| ddd d g7} g} |r| j |j ||||| | j |j ||||| | j |j||||| n"| j |d |d |g| d dg| S)Nz-Az-D)TFr#z-pz-dz-mrz --ctstatez NEW,UNTRACKEDz%s_allowz-tz-jr)r@rrrrrrrrrrrfrrr) rNrrprotocolrrrrcrrrr3r3r4build_policy_protocol_ruless& z%ip4tables.build_policy_protocol_rulesc Csddd|}d}|jjj||t} d|g} |rD| ddt|g7} |rT| d|g7} |rx| |j|j7} | |j|j7} | st |j t kr| d d d d g7} g} |r| j |j ||||| | j |j||||| | j |j||||| n"| j |d | d|g| ddg| S)Nz-Az-D)TFr#z-pz--sportz%sz-dz-mrz --ctstatez NEW,UNTRACKEDz%s_allowz-tz-jr)r@rrrrrrrrrrrrfrrr) rNrrrrrrrrcrrrr3r3r4build_policy_source_ports_ruless* z)ip4tables.build_policy_source_ports_rulesc Csvd}|jjj||t} ddd|} | d| ddd|g} |rP| dd t|g7} |r`| d |g7} | d d d |g7} | gS)Nr z-Az-D)TFz%s_allowz-tz-pz--dportz%sz-dz-jZCTz--helper)r@rrrr) rNrrrrrZ helper_nameZmodule_short_namercrrr^r3r3r4build_policy_helper_ports_ruless z)ip4tables.build_policy_helper_ports_rulesc Csddd|}|jjj||t}g} |rH| jdd|d|d|dd gn6t|rTgS| jdd|d|g|jd |dd g| S) Nz-Az-D)TFz-tr#z%s_allowz-oz-jrz-d)r@rrrrfrr) rNrrrrcrrrrrr3r3r4build_zone_forward_ruless z"ip4tables.build_zone_forward_rulesc Cs,d}|jjj||tdd}ddd|}g}|rj|j|}||j|7}||j|j7}||j|j 7}nd}g} | j dd|d ||fg|d d d d dgg}|r|j|}||j|7}||j|j7}||j|j 7}nd}d}|jjj||t}| j dd|d ||fg|ddddd dg| S)Nr"T)rz-Az-D)TFrz-tz%s_%srz-oloz-jZ MASQUERADEr#z-mrz --ctstatez NEW,UNTRACKEDr) r@rrrr r rrrrrf) rNrrrrcrrrrrr3r3r4build_policy_masquerade_ruless6  z'ip4tables.build_policy_masquerade_rulesc Cs d}|jjj||t} ddd|} d} |rPtd|rH| dt|7} n| |7} |rn|dkrn| dt|d 7} g} |r|j|} |j|} | |j |j 7} | |j |j 7} nd } g}|r|j |j|||d| |j d d| d | | fg| d |dt|ddd| g|S)Nr"z-Az-D)TFrr%z[%s]z:%s-rz-tz%s_%sz-pz--dportz-jZDNATz--to-destination)r@rrrr r rr r rrrrrfr)rNrrrr ZtoportZtoaddrrrcrrZtorrrr3r3r4build_policy_forward_port_ruless2     z)ip4tables.build_policy_forward_port_rulescCsd}|jjj||t}ddd|}|jdkrFddg}ddd |jg} ndd g}dd d |jg} g} |jjj|r|d |} d} n d|} d} g} |r| |j|j7} | |j |j 7} | || 7} |rP| j |j ||||| | j |j ||||| |jr| j |j||||| n:|j|}| j d||d||fg|j|| ddgn`|jjdkr| dkr| j || d|g| ddddd|g| j || d|g| d| g| S)Nr#z-Az-D)TFr$z-pr&z-mz --icmp-typez ipv6-icmpZicmp6z --icmpv6-typez%s_allowrz%s_denyz %%REJECT%%z-tz%s_%sz-jrz %%LOGTYPE%%rz --log-prefixz"%s_ICMP_BLOCK: ")r@rrrrArquery_icmp_block_inversionrrrrrfrrrrr r r)rNrrZictrrcrrrmatchrZ final_chainZ final_targetrrr3r3r4build_policy_icmp_block_rules3sJ     z'ip4tables.build_policy_icmp_block_rulesc Csd}|jjj||t}g}d}|jjj|rd}|jjdkr|rRd|t|g}nd|g}|d|dd d d d d d|g }|j||d7}nd}|rd|t|g}nd|g}|d|dd d |g}|j||S)Nr#rz %%REJECT%%rz-Iz-Dz-tz-pz%%ICMP%%z %%LOGTYPE%%z-jrz --log-prefixz"%s_ICMP_BLOCK: "r]r)r@rrrr)rrirf) rNrrrcrrZrule_idxZ ibi_targetr^r3r3r4'build_policy_icmp_block_inversion_rulesds.     z1ip4tables.build_policy_icmp_block_inversion_rulescCsxd}g}||j|j7}||j|j7}g}|j|j||||||j|j||||||j|j||||||S)Nr#)rrrrrfrrr)rNrrrrcrrr3r3r4*build_policy_rich_source_destination_rulessz4ip4tables.build_policy_rich_source_destination_rulescCs ||jkS)N)rA)rNrAr3r3r4rszip4tables.is_ipv_supported)N)N)r)F)F)NN)NN)NN)NN)N)N)N)7__name__ __module__ __qualname__rArZpolicies_supportedrPrHrrarerhrjrkrlrmrurrrrrrDrFrrrrrrrrrrrrr r r rrrrrrr!r"r#r$r&r(r+r,r-rr3r3r3r4r?sh     )Pa#   ! zN  0 "     & ! 1"r?c@s&eZdZdZdZdddZddZdS) ip6tablesr%Fc Csg}|jddddddddd d g |d krL|jddddddddd d d dg |jdddddddd dg |jdddddddd dg |S)Nz-Irz-tr!z-mZrpfilterz--invertz --validmarkz-jrrrz --log-prefixzrpfilter_DROP: z-pz ipv6-icmpz$--icmpv6-type=neighbour-solicitationrz"--icmpv6-type=router-advertisement)rf)rNrrr3r3r4build_rpfilter_ruless$        zip6tables.build_rpfilter_rulesc Csddddddddd g }d }|jd j|g}|jd d d |gxT|D]L}|jd d d|d|ddddg |jjdkrF|jd d d|d|ddddg qFW|jd d dddd|g|jd d dddd|g|S)Nz ::0.0.0.0/96z::ffff:0.0.0.0/96z2002:0000::/24z2002:0a00::/24z2002:7f00::/24z2002:ac10::/28z2002:c0a8::/32z2002:a9fe::/32z2002:e000::/19Z RFC3964_IPv4r#z-tz-Nz-Iz-dz-jrz --reject-withz addr-unreachrallrz --log-prefixz"RFC3964_IPv4_REJECT: "r4r)rr3)rMrgrfr@Z _log_denied)rNZ daddr_listZ chain_namerZdaddrr3r3r4build_rfc3964_ipv4_ruless4       z"ip6tables.build_rfc3964_ipv4_rulesN)F)r.r/r0rArr2r5r3r3r3r4r1s r1)+Zos.pathrQrZfirewall.core.progrZfirewall.core.loggerrZfirewall.functionsrrrrrr r r Zfirewallr Zfirewall.errorsr rrrrZfirewall.core.richrrrrrrrrrrbrrr5r:r>objectr?r1r3r3r3r4s@  ( $ %* x