3 @)fq2 @sdZdddgZddlZddlZddlmZddlmZddl m Z dd l m Z dd l mZmZdd lmZd Zd ddddddddddg ZdddddZddddZGd ddeZd!dZd"dZd#d$Zd%d&Zd'd(ZdS))zThe ipset command wrapperipsetcheck_ipset_nameremove_default_create_optionsN)errors) FirewallError)runProg)log)tempFilereadfile)COMMANDS zhash:ipz hash:ip,portzhash:ip,port,ipzhash:ip,port,netz hash:ip,markzhash:netz hash:net,netz hash:net,portzhash:net,port,netzhash:net,ifacezhash:macz inet|inet6valuez value in secs)familyhashsizemaxelemtimeoutZinetZ1024Z65536)rrrc@seZdZdZddZddZddZdd Zd d Zd'd dZ ddZ ddZ ddZ d(ddZ d)ddZddZd*ddZd+ddZdd Zd!d"Zd#d$Zd%d&Zd S),rzipset command wrapper classcCstd|_d|_dS)Nr)r _commandname)selfr/usr/lib/python3.6/ipset.py__init__Ks zipset.__init__cCs^dd|D}tjd|j|jdj|t|j|\}}|dkrZtd|jdj||f|S)zCall ipset with argscSsg|] }d|qS)z%sr).0itemrrr Rszipset.__run..z %s: %s %s rz'%s %s' failed: %s)rdebug2 __class__rjoinr ValueError)rargsZ_argsstatusretrrrZ__runOsz ipset.__runcCs t|tkrttjd|dS)zCheck ipset namezipset name '%s' is not validN)lenIPSET_MAXNAMELENrrZ INVALID_NAME)rrrrr check_nameZs zipset.check_namecCsg}d}y|jdg}Wn0tk rH}ztjd|WYdd}~XnX|j}d}xT|D]L}|r|jjdd}|d|kr|dtkr|j|d|j dr\d }q\W|S) z?Return types that are supported by the ipset command and kernelz--helpzipset error: %sNFrzSupported set types:T) _ipset__runrrZdebug1 splitlinesstripsplit IPSET_TYPESappend startswith)rr"outputZexlinesZin_typeslinesplitsrrrset_supported_types`s    zipset.set_supported_typescCs(t|tks|tkr$ttjd|dS)zCheck ipset typez!ipset type name '%s' is not validN)r#r$r,rrZ INVALID_TYPE)r type_namerrr check_typeuszipset.check_typeNcCsd|j||j|d||g}t|trZx0|jD]$\}}|j||dkr2|j|q2W|j|S)z+Create an ipset with name, type and optionscreater&)r%r5 isinstancedictitemsr-r()rset_namer4optionsr keyvalrrr set_create{s     zipset.set_createcCs|j||jd|gS)NZdestroy)r%r()rr:rrr set_destroys zipset.set_destroycCsd||g}|j|S)Nadd)r()rr:entryr rrrset_adds z ipset.set_addcCsd||g}|j|S)Ndel)r()rr:rAr rrr set_deletes zipset.set_deletecCs,d||g}|r"|jddj||j|S)Ntestz%sr)r-rr()rr:rAr;r rrrrEs z ipset.testcCs2dg}|r|j||r"|j||j|jdS)Nlist )r-extendr(r+)rr:r;r rrrset_lists   zipset.set_listc Cs<|jdgd}i}d}}i}x|D] }t|dkr:q&dd|jddD}t|dkr`q&q&|d d krv|d}q&|d d kr|d}q&|d d kr&|dj}d } x^| t|kr|| } | dkrt|| kr| d7} || || <ntjd|iS| d7} qW|r$|r$|t|f||<d}}|jq&W|S)z" Get active ipsets (only headers) z-terse)r;NcSsg|] }|jqSr)r*)rxrrrrsz.ipset.set_get_active_terse..:r'rNameZTypeZHeaderrrrrnetmaskz&Malformed ipset list -terse output: %s)rrrrrN)rIr#r+rerrorrclear) rr0r"_nameZ_type_optionsr1Zpairr2ioptrrrset_get_active_tersesD            zipset.set_get_active_tersecCsdg}|r|j||j|S)Nsave)r-r()rr:r rrrrVs z ipset.savecCs|j||j|t}d|kr*d|}d||dg}|rlx0|jD]$\}} |j|| dkrD|j| qDW|jddj||jd|xN|D]F} d| krd| } |r|jd|| dj|fq|jd || fqW|jtj |j } t j d |j |jd |j | jfd g}t|j||j d \} } t jdkryt|j Wntk r`YnVXd}xNt|j D]@}t jd||fddd|jdst jddd|d7}qrWtj|j | dkrtd|jdj|| f| S)Nrz'%s'r6z-existr&z%s z flush %s z add %s %s %s z add %s %s z%s: %s restore %sz%s: %dZrestore)stdinr'rJz%8d: %sr)nofmtnlrG)rXz'%s %s' failed: %s)r%r5r r9r-writercloseosstatrrrrrst_sizerZgetDebugLogLevelr ExceptionZdebug3endswithunlinkr)rr:r4entriesZcreate_optionsZ entry_optionsZ temp_filer r<r=rAr]r!r"rSr1rrr set_restoresV         zipset.set_restorecCsdg}|r|j||j|S)Nflush)r-r()rr:r rrr set_flushs zipset.set_flushcCs|jd||gS)Nrename)r()rZ old_set_nameZ new_set_namerrrrf sz ipset.renamecCs|jd||gS)Nswap)r()rZ set_name_1Z set_name_2rrrrgsz ipset.swapcCs |jdgS)Nversion)r()rrrrrhsz ipset.version)N)N)NN)N)NN)__name__ __module__ __qualname____doc__rr(r%r3r5r>r?rBrDrErIrUrVrcrerfrgrhrrrrrHs&    '  7cCst|tkrdSdS)z"Return true if ipset name is validFT)r#r$)rrrrrs cCs8|j}x*tD]"}||krt|||kr||=qW|S)z( Return only non default create options )copyIPSET_DEFAULT_CREATE_OPTIONS)r;rRrTrrrrs   c Cshg}xX|jdD]J}y&|jd|jttj|ddWqtk rX|j|YqXqWdj|S)z! Normalize IP addresses in entry ,/F)strict)r+indexr-str ipaddress ip_networkrr)rAZ_entryZ_partrrrnormalize_ipset_entry&s rvcCsxt|jddkrdSytj|dd}Wntk r<dSXx4|D],}|jtj|ddrDttjdj ||qDWdS)z: Check if entry overlaps any entry in the list of entries rorJNF)rqz,Entry '{}' overlaps with existing entry '{}') r#r+rtruroverlapsrr INVALID_ENTRYformat)rArbZ entry_networkZitrrrrcheck_entry_overlaps_existing2s rzcCs~ydd|D}Wntk r&dSXt|dkr8dS|j|jd}x.|D]&}|j|rrttjdj|||}qPWdS)z> Check if any entry overlaps any entry in the list of entries cSsg|]}tj|ddqS)F)rq)rtru)rrKrrrrEsz1check_for_overlapping_entries..NrzEntry '{}' overlaps entry '{}') rr#sortpoprwrrrxry)rbZ prev_networkZcurrent_networkrrrcheck_for_overlapping_entriesBs 2   r})rl__all__Zos.pathr\rtZfirewallrZfirewall.errorsrZfirewall.core.progrZfirewall.core.loggerrZfirewall.functionsr r Zfirewall.configr r$r,ZIPSET_CREATE_OPTIONSrnobjectrrrrvrzr}rrrrsF      P