3 @)f%@slddlmZddlZddlZddlZddlmZddlmZm Z m Z m Z m Z ddl mZmZmZmZmZmZmZddlmZmZmZmZmZmZmZddlmZdZed d Z d Z!d Z"id ddCe"fiddDe"fdde"fddde"fdde"fdde"fdde"fddZ#dEddZ$e$ddde$dde$dde$dde$ddde$ddd e$ddd e$dd!d"e$ddd#e$ddd"e$dd$d"e$ddd%e$dd!de$ddd&e$ddde$dd$e$ddd'e$ddd(e$ddd)e$dd!e$dd$d"e$dd*e$dd+e$dd,e$ddd-e$dd.e$dd/e$dd0e$dd!d'e$ddd1e$dd!d)e$ddd2e$dd.d"e$dd.dd3"e$d4dd'e$d4d$de$d4dd)e$d4dd"e$d4de$d4de$d4de$d4dd-e$d4d5e$d4d6e$d4d7e$d4d8e$d4d9e$d4d:e$d4dde$d4d;e$d4d$e$d4dde$d4d<e$d4dd&e$d4d=e$d4d>e$d4d.e$d4d.d"e$d4d.de$d4d$d"e$d4d$d)d?d@Z%GdAdBdBe&Z'dS)F)absolute_importN)log) check_mac getPortRange normalizeIP6check_single_address check_address) FirewallError UNKNOWN_ERROR INVALID_RULEINVALID_ICMPTYPE INVALID_TYPE INVALID_ENTRY INVALID_PORT) Rich_Accept Rich_Reject Rich_Drop Rich_MarkRich_MasqueradeRich_ForwardPortRich_IcmpBlock)NftablesZ firewalld_Z policy_dropZpolicy_ PREROUTING preroutingdZ postrouting)r POSTROUTINGinputforwardoutput)rINPUTFORWARDOUTPUT)rawmanglenatfiltercCsHdd|ddid|dig}|dk rD|jdd|ddid|di|S)Nmatchpayloadtype)protocolfieldz==)leftoprightcode)append)r,r+r1 fragmentsr4/usr/lib/python3.6/nftables.py_icmp_types_fragmentsSs  r6icmpzdestination-unreachable z echo-replyz echo-requestredirectzparameter-problemzrouter-advertisementzrouter-solicitationz source-quenchz time-exceededztimestamp-replyztimestamp-request )"zcommunication-prohibitedzdestination-unreachablez echo-replyz echo-requestzfragmentation-neededzhost-precedence-violationzhost-prohibitedz host-redirectz host-unknownzhost-unreachablez ip-header-badznetwork-prohibitedznetwork-redirectznetwork-unknownznetwork-unreachablezparameter-problemzport-unreachablezprecedence-cutoffzprotocol-unreachabler;zrequired-option-missingzrouter-advertisementzrouter-solicitationz source-quenchzsource-route-failedz time-exceededztimestamp-replyztimestamp-requestztos-host-redirectztos-host-unreachableztos-network-redirectztos-network-unreachablezttl-zero-during-reassemblyzttl-zero-during-transiticmpv6zmld-listener-donezmld-listener-queryzmld-listener-reportzmld2-listener-reportznd-neighbor-advertznd-neighbor-solicitzpacket-too-bigz nd-redirectznd-router-advertznd-router-solicit)zaddress-unreachablez bad-headerz beyond-scopezcommunication-prohibitedzdestination-unreachablez echo-replyz echo-requestz failed-policyzmld-listener-donezmld-listener-queryzmld-listener-reportzmld2-listener-reportzneighbour-advertisementzneighbour-solicitationzno-routezpacket-too-bigzparameter-problemzport-unreachabler;z reject-routezrouter-advertisementzrouter-solicitationz time-exceededzttl-zero-during-reassemblyzttl-zero-during-transitzunknown-header-typezunknown-option)ipv4ipv6c@s`eZdZdZdZddZddZddZdd Zd d Z d d Z ddZ dddZ ddZ ddZddZddZdddZddZdd d!Zd"d#Zdd%d&Zdd(d)Zdd*d+Zdd,d-Zd.d/Zd0d1Zd2d3Zd4d5Zd6d7Zd8d9Zd:d;Zdd?Z!d@dAZ"dBdCZ#dDdEZ$dFdGZ%dHdIZ&ddJdKZ'dLdMZ(dNdOZ)dPdQZ*dRdSZ+ddTdUZ,ddVdWZ-ddXdYZ.dZd[Z/dd\d]Z0dd^d_Z1dd`daZ2ddbdcZ3ddddeZ4dfdgZ5ddhdiZ6djdkZ7ddldmZ8dndoZ9dpdqZ:drdsZ;dtduZdzd{Z?dd|d}Z@d~dZAddZBddZCddZDddZEddZFddZGdddZHdS)nftablesTcCsb||_d|_g|_i|_i|_i|_i|_i|_gggd|_t |_ |j j d|j j ddS)NT)inetipip6) _fwZrestore_command_existsZavailable_tablesrule_to_handlerule_ref_countrich_rule_priority_countspolicy_priority_countszone_source_index_cachecreated_tablesrrIZset_echo_outputZset_handle_output)selffwr4r4r5__init__s znftables.__init__cCsxdD]}||krPqWd||dkr`||ddd||dddf}||dd=n(d||dkrd}||dd=ndS||dd }|r|dkr||kr|||kr||j|n|dkr||krg||<|r(|||kr||j|||jd d d ||j|}n|jjr8d }n t||}||}||=|d krf||d<n |d8}||d<||ddd<dS)Naddinsertdeletez%%ZONE_SOURCE%%rulezoneaddressz%%ZONE_INTERFACE%%familycSs|dS)Nrr4)xr4r4r5sz3nftables._run_replace_zone_source..)keyrr<index)rWrXrY)remover2sortrarM_allow_zone_driftinglen)rTrZrRverbZ zone_sourcer]ra _verb_snippetr4r4r5_run_replace_zone_sourcesD        z!nftables._run_replace_zone_sourcecCsBd|krdtj|diSd|kr4dtj|diSttddS)NrXrYrWzFailed to reverse rule)copydeepcopyr r )rTdictr4r4r5 reverse_rules znftables.reverse_rulec Csxd D]}||krPqW|||dkr||d|}||d|=t|tkr^ttd||dd||ddf}|dkr||ks|||ks|||dkrttd |||d 8<n||kri||<|||krd|||<d}xVt||jD]B}||kr"|dkr"P||||7}||kr|dkrPqW|||d 7<||} ||=|dkr| |d<n |d 8}| |d<||ddd <dS) NrWrXrYrZz%priority must be followed by a numberr]chainrz*nonexistent or underflow of priority countr<ra)rWrXrY)r+intr r r sortedkeys) rTrZZpriority_countstokenrfpriorityrmraprgr4r4r5_set_rule_replace_prioritysD          z#nftables._set_rule_replace_prioritycCsfx`d D]X}||krd||krtj||d}xd D]}||kr6||=q6Wtj|dd }|SqWdS) NrWrXrYrZrahandlepositionT)Z sort_keys)rWrXrY)rarurv)rirjjsondumps)rTrZrfrule_keyZnon_keyr4r4r5 _get_rule_keys   znftables._get_rule_keycCsLdddddg}dddg}g}g}tj|j}tj|j}tj|j} |jj} x|D]} t| tkrvtt d| x|D]} | | kr|Pq|W| | krtt d| |j | } | | krDt j d|j| | | | dkr| | d 7<qVnX| | d kr | | d 8<qVn6| | d kr,| | d 8<ntt d | | | fn| r\| dkr\d | | <|j| tj| }| rttd|| d d || d d <|j||d |j||d|j|| | dkrdd |dd d|dd d|dd d|j| dii}|j|qVWdddd iig|i}t jdkrVt jd|jtj||jj|\}}}|dkrtdd|tj|f||_||_| |_| |_d}x|D]} |d 7}|j | } | s̐qd| kr|j| =|j| =qx"|D]} | |d|krPqW| |d|kr$q|d|| d d|j| <qWdS)NrWrXrYflushreplacez#rule must be a dictionary, rule: %szno valid verb found, rule: %sz%s: prev rule ref cnt %d, %sr<z)rule ref count bug: rule_key '%s', cnt %drZexprz%%RICH_RULE_PRIORITY%%z%%POLICY_PRIORITY%%r]tablerm)r]r~rmrurIZmetainfoZjson_schema_versionr@z.%s: calling python-nftables with JSON blob: %srz'%s' failed: %s JSON blob: %szpython-nftablesru)rirjrPrQrRrOr+rkr r r rzrZdebug2 __class__r2listr(rtrhrNZgetDebugLogLevelZdebug3rwrxrIZjson_cmd ValueError)rTrules log_deniedZ _valid_verbsZ_valid_add_verbsZ_deduplicated_rulesZ_executed_rulesrPrQrRrOrZrfryZ_ruleZ json_blobZrcr!errorrar4r4r5 set_rules+s             &         znftables.set_rulescCs|j|g|dS)N)r)rTrZrr4r4r5set_rulesznftables.set_ruleNcCs|r |gStjS)N)IPTABLES_TO_NFT_HOOKrp)rTr~r4r4r5get_available_tablessznftables.get_available_tablescCsFg}xdD]6}|jdddtd d |fd |dtd ddiiq:W|dkr|jdddtdii|jdjtx>dD]6}|jdddtd d |fd |dtd ddiiqW||jd7}nz|dkrfx4|jdD]&}|j|}||jkr |j|q W||jt7}t|jdkrp|jdjtn t t d|S)NZPANICrWr~rJ)r]rrr!rmz%s_%sr%r(i,r<drop)r]r~rr+rpriopolicyDROPrr rTACCEPTFznot implemented)rr!i)rr r!) r2rrSNFT_HOOK_OFFSETrrzrNrrbr r )rTrrrrZrr4r4r5build_set_policy_rulessH               znftables.build_set_policy_rulescCs<t}x,|r|gntjD]}|jt|jqWt|S)N)rICMP_TYPES_FRAGMENTSrpupdater)rTipvZ supportedZ_ipvr4r4r5supported_icmp_typessznftables.supported_icmp_typescCs>g}x4dD],}|jdd|tdii|j|jtq W|S)NrJrKrLrWr~)r]r)rJrKrL)r2rrS)rTZdefault_tablesr]r4r4r5build_default_tabless   znftables.build_default_tablesoffcCsg}xtdjD]}|jdddtd|ddtd|dtd|d d iixz|jjrld d d dgnd d dgD]X}|jdddtd||fdii|jdddtd|ddd||fiigdiiqvWqWxd?D]}xtdjD]}|jdd|td|ddtd|dtd|d d iix~|jjrJd d d dgnd d dgD]Z}|jdd|td||fdii|jdd|td|ddd||fiigdiiqTWqWqWxVtdjD]F}|jdddtd|ddtd|dtd|d d iiqW|jdddtddddddiid d!d"d#gid$id%digdii|jdddtdddddd&iid d'd$id%digdii|jdddtdddd(dd)iid*d+d$id%digdiix~|jjrd d d dgnd d dgD]Z}|jdddtd,d|fdii|jdddtddddd,d|fiigdiiqW|d-kr|jdddtddddddiid d!d.gid$i|j|d/d0d1iigdii|jdddtddddddiid d!d.gid$id2digdii|d-kr$|jdddtdd|j|d/d0d3iigdii|jdddtddd4d5d6d7igdii|jdddtdd8ddddiid d!d"d#gid$id%digdii|jdddtdd8dddd&iid d'd$id%digdii|jdddtdd8dd(dd)iid*d+d$id%digdiixbd@D]Z}|jdddtd,d8|fdii|jdddtdd8ddd,d8|fiigdiiqWxdAD]}xz|jjrd d gnd gD]^}|jdddtd;d8||fdii|jdddtdd8ddd;d8||fiigdiiqWqvWxbdBD]Z}|jdddtd,d8|fdii|jdddtdd8ddd,d8|fiigdiiqW|d-kr|jdddtdd8ddddiid d!d.gid$i|j|d/d0d1iigdii|jdddtdd8ddddiid d!d.gid$id2digdii|d-kr6|jdddtdd8|j|d/d0d3iigdii|jdddtdd8d4d5d6d7igdii|jdddtdd<ddddiid d!d"d#gid$id%digdii|jdddtd=dd(dd>iid*d+d$id%digdiixbdCD]Z}|jdddtd,d<|fdii|jdddtdd<ddd,d<|fiigdiiqWxbdDD]Z}|jdddtd,d<|fdii|jdddtdd<ddd,d<|fiigdiiqHW|S)ENr&rWrmrJz mangle_%sr(z%srr<)r]r~rr+rr POLICIES_preZ ZONES_SOURCEZZONES POLICIES_postz mangle_%s_%s)r]r~rrZjumptarget)r]r~rmr}rKrLr'znat_%sz nat_%s_%sz filter_%sr"r)rr`rrrrr)r.r/r0rZstatusdnatmetaiifnamez==loz filter_%s_%srZinvalidrprefixzSTATE_INVALID_DROP: rzFINAL_REJECT: rejecticmpxzadmin-prohibited)r+r}r#INOUTzfilter_%s_%s_%sr$ filter_OUTPUToifname)rKrL)r)rr)r)r)r)rrpr2rrMrd_pkttype_match_fragment)rTrZ default_rulesrmZdispatch_suffixr] directionr4r4r5build_default_rules s $  (  &  .        &  &                 &   .   &               &   &znftables.build_default_rulescCs4|dkrdddgS|dkr dgS|dkr0ddgSgS) Nr(r" FORWARD_IN FORWARD_OUTr&rr'rr4)rTr~r4r4r5get_zone_table_chainss znftables.get_zone_table_chainsrJc  sdkr\dkr\g} | jj|||||dd | jj|||||dd | Sjjj|jdkrxdnddkrd krd nd } jjj|t| g} g} |r| jd d ddiiddt |idi|r| jd d ddiiddt |ididdd}|rlxT|D]L}dkrTjj j |}||krT||krTq| jj d|qW|rxT|D]L}dkrjj j |}||kr||krqx| jj d|qxWfdd}g} | rHx| D]P}| rxB| D]}| j|||qWn"dkr0|r0n| j||dqWn\dkrZ|rZnJ| rxB| D]}| j|d|qfWn"dkr|rn| j|dd| S)Nr'rJrK)r]rLrprepostrTFr)rr`rz==r)r.r/r0r)rGrHsaddrdaddrcsg}|r|j||r |j||jdddfiitdf|d}|jjrrdd|iiSdd|iiSdS) Nrrz%s_%sz%s_%s_POLICIES_%s)r]r~rmr}rWrZrY)r2rr_policy_priority_fragment)ingress_fragmentegress_fragmentexpr_fragmentsrZ)_policyrm chain_suffixrr]p_objrTr~r4r5_generate_policy_dispatch_rules    zRnftables.build_policy_ingress_egress_rules.._generate_policy_dispatch_rule) extend!build_policy_ingress_egress_rulesrMrZ get_policyrrpolicy_base_chain_namePOLICY_CHAIN_PREFIXr2rr[Z check_source_rule_addr_fragment)rTrrr~rmZingress_interfacesZegress_interfacesZingress_sourcesZegress_sourcesr]risSNATZingress_fragmentsZegress_fragmentsZ ipv_to_familysrcrdstrrrr4)rrmrrr]rrTr~r5rsv          z*nftables.build_policy_ingress_egress_rulesFc  Cs|dkrT|dkrTg} | j|j|||||||d| j|j|||||||d| S|dkrh|dkrhdnd} |jjj||t| d} d d d d d d d |} |t|d d kr|dt|d d}d} |dkr| dd|| fiig}n,ddd| iid|di| dd|| fiig}|rL| rLd}|td||f|d}|j|j nP|rnd}|td||f|d}n.d}|td||f|d}|s|j|j |d|iigS)Nr'rJrKrLrTF)rrr)rrr"rrr$r<+*gotorz%s_%sr)rr`z==)r.r/r0rXz %s_%s_ZONES)r]r~rmr}rWrYrZ) r!build_zone_source_interface_rulesrMrrrrerr_zone_interface_fragment)rTrr[r interfacer~rmr2r]rrroptactionrrfrZr4r4r5rQs\     z*nftables.build_zone_source_interface_rulesc Csn|dkr|dkrg}|jdr6|j|tdd} nd} td|sTt|sT| dkrp|j|j||||||dtd|st|s| dkr|j|j||||||d|S|dkr|dkrd nd } |jjj ||t | d } d d d|} ddddddd|} |jj rd||f}n d||f}d}|t ||j | ||dd|| fiigd}|j|j||| d|iigS)Nr'rJzipset:rGrKrHrLrTF)rrXrY)TFrr)rrr"rrr$z%s_%s_ZONES_SOURCEz %s_%s_ZONESrrz%s_%s)r]r~rmr}rZ) startswith_set_get_familyrerrrbuild_zone_source_address_rulesrMrrrrdrrr_zone_source_fragment)rTrr[rr\r~rmr]rZ ipset_familyrrrrZzone_dispatch_chainrrZr4r4r5rsB    z(nftables.build_zone_source_address_rulesc Cs|dkrH|dkrHg}|j|j||||d|j|j||||d|Sddd|}|dkrj|dkrjd nd }|jjj||t|d } g}|j|d |td || fdiix0d!D](} |j|d |td|| | fdiiqWxDd"D]<} |j|d|td || fddd|| | fiigdiiqW|jjj|j } |jj dkr|dkr| d#kr| } | dkrhd} |j|d|td || f|j |jj ddd| | fiigdii|dkr| d$kr| d%kr|j } n | j di} |j|d|td || f| gdii|s|j|S)&Nr'rJrKrLrWrY)TFrTF)rrmz%s_%s)r]r~rrrdenyallowrz%s_%s_%srZrr)r]r~rmr}rr(REJECT %%REJECT%%rrz"filter_%s_%s: "r)rrrrr)rrrrr)rrr)rrrr)rr)rbuild_policy_chain_rulesrMrrrr2rZ _policiesrget_log_deniedr_reject_fragmentlowerreverse)rTrrr~rmr]rrrrrrZ log_suffixtarget_fragmentr4r4r5rsZ      &             z!nftables.build_policy_chain_rulescCs<|dkr iS|d kr,ddddiid |d iSttd |dS) Nallunicast broadcast multicastr)rr`pkttypez==)r.r/r0zInvalid pkttype "%s")rrr)r r )rTrr4r4r5rs  z nftables._pkttype_match_fragmentcCsddddiddddiddddiddddiddddiddddiddddiddddiddddiddddiddd diddd diddd diddd didd d diddd diddd diddd diddd diddddiddddidddiidddiid}||S)Nrr7zhost-prohibited)r+r}znet-prohibitedzadmin-prohibitedrFznet-unreachablezhost-unreachablezport-unreachablerzprot-unreachablezaddr-unreachablezno-router+z tcp reset)zicmp-host-prohibitedz host-prohibzicmp-net-prohibitedz net-prohibzicmp-admin-prohibitedz admin-prohibzicmp6-adm-prohibitedzadm-prohibitedzicmp-net-unreachablez net-unreachzicmp-host-unreachablez host-unreachzicmp-port-unreachablezicmp6-port-unreachablez port-unreachzicmp-proto-unreachablez proto-unreachzicmp6-addr-unreachablez addr-unreachzicmp6-no-routezno-routez tcp-resetztcp-rstr4)rTZ reject_typeZfragsr4r4r5_reject_types_fragments0                      znftables._reject_types_fragmentcCsddddiS)Nrrzadmin-prohibited)r+r}r4)rTr4r4r5rsznftables._reject_fragmentcCs ddddiiddddgid iS) Nr)rr`l4protoz==rr7rF)r.r/r0r4)rTr4r4r5_icmp_match_fragment"s znftables._icmp_match_fragmentcCsP|siSddddd}|j\}}|||d}|j}|dk rH||d<d|iS) NsecondZminuteZhourZday)smhd)rateZperburstlimit)Z value_parseZ burst_parse)rTrZ rich_to_nftrZdurationrrr4r4r5_rich_rule_limit_fragment's  z"nftables._rich_rule_limit_fragmentcCst|jtttgkrn<|jrHt|jtttt gkrRt t dt|jn t t d|j dkrt|jttgkst|jtt gkrdSt|jtgkst|jttgkrdSn|j dkrdSdSdS)NzUnknown action %szNo rule action specified.rrrrr) r+elementrrrrrrrrr r rr)rT rich_ruler4r4r5_rich_rule_chain_suffix?s    z nftables._rich_rule_chain_suffixcCs>|j r|j rttd|jdkr(dS|jdkr6dSdSdS)NzNot log or auditrrrr)rauditr r rr)rTrr4r4r5 _rich_rule_chain_suffix_from_logUs   z)nftables._rich_rule_chain_suffix_from_logcCsddiS)Nz%%ZONE_INTERFACE%%r4)rTr4r4r5r`sz!nftables._zone_interface_fragmentcCsNtd|rt|}n,td|r@|jd}t|dd|d}d||diS)NrH/rr<z%%ZONE_SOURCE%%)r[r\)rrrsplit)rTr[r\Z addr_splitr4r4r5rcs     znftables._zone_source_fragmentcCs d|jiS)Nz%%POLICY_PRIORITY%%)rr)rTrr4r4r5rksz"nftables._policy_priority_fragmentcCs| s|jdkriSd|jiS)Nrz%%RICH_RULE_PRIORITY%%)rr)rTrr4r4r5_rich_rule_priority_fragmentnsz%nftables._rich_rule_priority_fragmentc Cs|js iS|jjj||t}ddd|}|j|}i} |jjrPd|jj| d<|jjr|d|jjkrhdn|jj} d| | d<d td |||f||j |jj d | igd } | j |j ||d | iiS)NrWrY)TFz%srZwarningwarnlevelrJz%s_%s_%sr)r]r~rmr}rZ) rrMrrrrrrrrrrr) rTrrrr~rrrrZ log_optionsrrZr4r4r5_rich_rule_logss&    znftables._rich_rule_logc Cs|js iS|jjj||t}ddd|}|j|}dtd|||f||j|jjdddiigd } | j |j ||d | iiS) NrWrY)TFrJz%s_%s_%srrr)r]r~rmr}rZ) rrMrrrrrrrrr) rTrrrr~rrrrrZr4r4r5_rich_rule_audits   znftables._rich_rule_auditc Cs|js iS|jjj||t}ddd|}|j|}d|||f} t|jtkr\ddi} nt|jtkr|jjr|j |jj} nddi} nt|jt krddi} nt|jt krHd}|jjj||t}d|||f} |jj j d } t| d kr,dd d d iiddd d d ii| d gi| dgidi} ndd d d ii| ddi} nttdt|jdt| ||j|jj| gd} | j|j||d| iiS)NrWrY)TFz%s_%s_%srrrr&rr<rr`mark^&r)r`valuezUnknown action %srJ)r]r~rmr}rZ)rrMrrrrr+rrrrrrrrer r rrrrr) rTrrrr~rrrrrmZ rule_actionrrZr4r4r5_rich_rule_actionsB     , znftables._rich_rule_actioncCs|jdr0|j|tddd|kr(dnd|St|r>d}ntd|rNd}nvtd|rd}tj|dd}d |jj |j d i}nDtd |rd }t |}n,d }|j d }d t |dt |dd i}dd||di|rdnd|diSdS)Nzipset:rTFetherrGrK)strictr)addrrerHrLrrr<r)r*)r,r-z!=z==)r.r/r0)r_set_match_fragmentrerrr ipaddressZ IPv4NetworkZnetwork_addressZ compressedZ prefixlenrrrn)rTZ addr_fieldr\invertr]Znormalized_addressZaddr_lenr4r4r5rs( &      znftables._rule_addr_fragmentcCs6|siS|d krttd|ddddiid|d iS) NrGrHzInvalid familyr)rr`nfprotoz==)r.r/r0)rGrH)r r )rTZ rich_familyr4r4r5_rich_rule_family_fragments  z#nftables._rich_rule_family_fragmentcCs8|siS|jr|j}n|jr&d|j}|jd||jdS)Nzipset:r)r)r ipsetrr)rTZ rich_destr\r4r4r5_rich_rule_destination_fragments z(nftables._rich_rule_destination_fragmentcCsZ|siS|jr|j}n2t|dr.|jr.|j}nt|drH|jrHd|j}|jd||jdS)Nmacrzipset:r)r)r hasattrrrrr)rTZ rich_sourcer\r4r4r5_rich_rule_source_fragments z#nftables._rich_rule_source_fragmentcCsPt|}t|tr$|dkr$ttn(t|dkr8|dSd|d|dgiSdS)Nrr<range)r isinstancernr rre)rTportrr4r4r5_port_fragments   znftables._port_fragmentc Csbddd|}d}|jjj||t} g} |r>| j|j|j|rT| j|jd||r|| j|j|j | j|j |j | jdd|dd id |j |d i| st |jtkr| jdd d diiddddgid ig} |r0| j|j||||| | j|j||||| | j|j||||| n.| j|ddtd|| f| ddigdii| S)NrWrY)TFr(rr)r*dport)r,r-z==)r.r/r0rr`rrrnew untrackedrZrJz %s_%s_allowr)r]r~rmr})rMrrrr2rr]rr destinationrsourcerr+rrrrrr) rTrrprotorrrrr~rrrr4r4r5build_policy_ports_ruless:   z!nftables.build_policy_ports_rulesc CsZddd|}d}|jjj||t}g} |r>| j|j|j|rT| j|jd||r|| j|j|j | j|j |j | jdddd iid |d i| st |j tkr| jdd dd iiddddgid ig} |r(| j|j||||| | j|j||||| | j|j||||| n.| j|ddtd||f| ddigdii| S)NrWrY)TFr(rr)rr`rz==)r.r/r0rrrrrrrZrJz %s_%s_allowr)r]r~rmr})rMrrrr2rr]rrrrrr+rrrrrr) rTrrr,rrrr~rrrr4r4r5build_policy_protocol_rules2s8   z$nftables.build_policy_protocol_rulesc Csbddd|}d}|jjj||t} g} |r>| j|j|j|rT| j|jd||r|| j|j|j | j|j |j | jdd|dd id |j |d i| st |jtkr| jdd d diiddddgid ig} |r0| j|j||||| | j|j||||| | j|j||||| n.| j|ddtd|| f| ddigdii| S)NrWrY)TFr(rr)r*sport)r,r-z==)r.r/r0rr`rrrrrrZrJz %s_%s_allowr)r]r~rmr})rMrrrr2rr]rrrrrrr+rrrrrr) rTrrrrrrrr~rrrr4r4r5build_policy_source_ports_rulesUs:   z(nftables.build_policy_source_ports_rulesc Csd}|jjj||t} ddd|} g} |rR| jdddtd||f||diig} |rl| j|jd || jd d |d d id|j|di| jdd||fi| j| ddtd| | dii| S)Nr(rWrY)TFz ct helperrJz helper-%s-%s)r]r~rr+r,rr)r*r)r,r-z==)r.r/r0rZzfilter_%s_allow)r]r~rmr})rMrrrr2rrr) rTrrrrrZ helper_nameZmodule_short_namer~rrrrr4r4r5build_policy_helper_ports_ruleszs.    z(nftables.build_policy_helper_ports_rulesc Csddd|}|jjj||t}g} |rv|t|ddkrT|dt|dd}ddd d iid |d id dig} n|jd|d dig} dtd|| d} | j|d| ii| S)NrWrY)TFr<rrr)rr`rz==)r.r/r0rrrJzfilter_%s_allow)r]r~rmr}rZ)rMrrrrerrr2) rTrr[rr~rrrrrr}rZr4r4r5build_zone_forward_ruless"  z!nftables.build_zone_forward_rulesc Csd}|jjj||tdd}ddd|}g}|r`|j|j|j|j|j|j|j |} nd} |t d|| f|d d d d iid ddiddigd} | j |j ||d| iigS)Nr'T)rrWrY)TFrz nat_%s_%sr)rr`rz!=r)r.r/r0Z masquerade)r]r~rmr}rZ) rMrrrr2rrrrrrrr) rTrrr]rr~rrrrrZr4r4r5"_build_policy_masquerade_nat_ruless&   z+nftables._build_policy_masquerade_nat_rulesc Cs^g}|rD|jr|jdks,|jrDtd|jjrD|j|j||d|nV|r|jrX|jdksl|jrtd|jjr|j|j||d|n|j|j||d|d}|jjj||t }ddd|}g}|r|j |j |j |j |j |j|j|} nd } d td || f|d d ddiiddddgididdigd} | j|j||j |d| ii|S)NrHrLrGrKr(rWrY)TFrrJz filter_%s_%sr)rr`rrrrr)r.r/r0r)r]r~rmr}rZ)r]rrr rr&rMrrrr2rrrrrrr) rTrrrrr~rrrrrZr4r4r5build_policy_masquerade_ruless8   z&nftables.build_policy_masquerade_rulesc Cs$d} |jjj|| t} ddd|} g} |r\| j|j|j| j|j|j|j |} nd} | jdd|dd id |j |d i|rt d |rt |}|r|d kr| jd||j |diq| jdd|iin| jdd|j |ii|t d| | f| d}|j|j|| d|iigS)Nr'rWrY)TFrr)r*r)r,r-z==)r.r/r0rHrr)r rr r;rz nat_%s_%s)r]r~rmr}rZ)rMrrrr2rrrrrrrrrrr)rTrrrr,toaddrtoportr]rr~rrrrrZr4r4r5$_build_policy_forward_port_nat_ruless4     z-nftables._build_policy_forward_port_nat_rulesc Csg}|rF|jr|jdks&|rFtd|rF|j|j||||||d|n|r|jrZ|jdksh|rtd|r|j|j||||||d|nL|rtd|r|j|j||||||d|n|j|j||||||d||S)NrHrLrGrK)r]rrr*) rTrrrr,r)r(rrr4r4r5build_policy_forward_port_ruless    z(nftables.build_policy_forward_port_rulescCs2|t|krt||Sttd||j|fdS)Nz)ICMP type '%s' not supported by %s for %s)rr r r)rTrZ icmp_typer4r4r5_icmp_types_to_nft_fragments(s  z%nftables._icmp_types_to_nft_fragmentscCsBd}|jjj||t}ddd|}|r6|jr6|j}n<|jrjg}d|jkrT|jdd|jkrr|jdnddg}g} x|D]} |jjj|rd||f} ddi} nd ||f} |j} g} |r| j|j |j | j|j |j| j|j |j | j|j| |j|r| j|j||||| | j|j||||| |jrf| j|j||||| nN|j|}d td |||f| |jgd }|j|j|| j|d |iiq~|jjdkr|jjj| r| j|d d t| | |j|jjddd||fiigd ii| j|d d t| | | gd iiq~W| S)Nr(rWrY)TFrGrHz %s_%s_allowrz %s_%s_denyrJz%s_%s_%s)r]r~rmr}rZrrrz"%s_%s_ICMP_BLOCK: ")rMrrripvsrr2query_icmp_block_inversionrrr]rrrrr,rrrrrrrrrrr)rTrrZictrr~rrr-rrZ final_chainrrrrZr4r4r5build_policy_icmp_block_rules/sb          " " z&nftables.build_policy_icmp_block_rulescCsd}|jjj||t}g}ddd|}|jjj|r@|j}nddi}|j|ddtd||fd |j|gd ii|jj d kr|jjj|r|j|ddtd||fd |j|j |jj d d d||fiigd ii|S)Nr(rWrY)TFrrZrJz%s_%sr9)r]r~rmrar}rrrz%s_%s_ICMP_BLOCK: ) rMrrrr.rr2rrrr)rTrrr~rrrrr4r4r5'build_policy_icmp_block_inversion_rulesks,      z0nftables.build_policy_icmp_block_inversion_rulesc Csg}ddddiidddiddd d d gd d idddig}|dkrV|jdddii|jddi|jdddtd|dii|jdddtddddddiddddgidid digdii|S)!Nr)rr`rz==rH)r.r/r0ZfibrZiifrZoif)flagsresultFrrrzrpfilter_DROP: rrXrZrJZfilter_PREROUTING)r]r~rmr}r*rFr+)r,r-rznd-router-advertznd-neighbor-solicitr)r2r)rTrrrr4r4r5build_rpfilter_ruless0     znftables.build_rpfilter_rulesc Csddddddddd g }d d |D}d d dddidd|idig}|jjd"krb|jdddii|j|jdg}|jdddtdd|dii|jdddtd d!|dii|S)#Nz ::0.0.0.0/96z::ffff:0.0.0.0/96z2002:0000::/24z2002:0a00::/24z2002:7f00::/24z2002:ac10::/28z2002:c0a8::/32z2002:a9fe::/32z2002:e000::/19cSs2g|]*}d|jddt|jdddiqS)rrrr<)r re)rrn).0r^r4r4r5 sz5nftables.build_rfc3964_ipv4_rules..r)r*rLr)r,r-z==r)r.r/r0rrrrzRFC3964_IPv4_REJECT: z addr-unreachrWrZrJrr<)r]r~rmrar}Zfilter_FORWARDrB)rr)rMZ _log_deniedr2rr)rTZ daddr_setrrr4r4r5build_rfc3964_ipv4_ruless:   z!nftables.build_rfc3964_ipv4_rulescCsd}g}|j|j|j|j|j|j|j|j|jg}|j|j||||||j|j||||||j|j ||||||S)Nr() r2rr]rrrrrrr)rTrrrr~rrr4r4r5*build_policy_rich_source_destination_rulessz3nftables.build_policy_rich_source_destination_rulescCs|dkr dSdS)NrGrHebTF)rGrHr8r4)rTrr4r4r5is_ipv_supportedsznftables.is_ipv_supportedc Csddd}||||ddg||dd||g||dd||g||dg||||||g||ddg||dd||g||dgdd }||kr||Sttd |dS) NZ ipv4_addrZ ipv6_addr)rGrHZ inet_protoZ inet_servicerZifnameZ ether_addr) zhash:ipz hash:ip,portzhash:ip,port,ipzhash:ip,port,netz hash:ip,markzhash:netz hash:net,netz hash:net,portzhash:net,port,netzhash:net,ifacezhash:macz!ipset type name '%s' is not valid)r r )rTrr+Zipv_addrtypesr4r4r5_set_type_lists"    znftables._set_type_listc Cs|rd|kr|ddkrd}nd}t||j||d}x0|jddjdD]}|dkrLd g|d <PqLW|rd|kr|d|d<d|kr|d|d<g}x0dD](}d|i} | j||jdd| iiqW|S)Nr]inet6rHrG)r~rr+:r<,rKnetrZintervalr1ZtimeoutZmaxelemsizerJrLrWr)rKr?r)rJrKrL)rr;rrr2) rTrr+optionsrZset_dicttrr]Z rule_dictr4r4r5build_set_create_ruless*     znftables.build_set_create_rulescCs$|j|||}|j||jjdS)N)rCrrMr)rTrr+rArr4r4r5 set_createsznftables.set_createcCs8x2dD]*}dd|t|dii}|j||jjqWdS)NrJrKrLrYr)r]r~r)rJrKrL)rrrMr)rTrr]rZr4r4r5 set_destroys   znftables.set_destroycCs6|jjj|jjddjd}g}xtt|D]}||dkrr|jdddii|jdd |rdd nd d iq2||dkr|jd|j||rdndd iq2||dkr|jdd|rdndiiq2||dkr|jdddiiq2t d||q2Wdt|dkrd|in|d|r&dndd|diS)Nr=r<r>rrr`rr*Zthrr")r,r-rKr?rrrZifacerrrz-Unsupported ipset type for match fragment: %sr)concatrz!=z==@)r.r/r0)rKr?r) rMr get_ipsetr+rrrer2rr )rTrZ match_destr type_formatr3ir4r4r5r  s$      znftables._set_match_fragmentc CsN|jjj|}|jjddjd}|jd}t|t|krHttdg}xtt|D]}||dkr,y||j d}Wn&t k r|j d||} Yn,X|j ||d||||dd} y| j d}Wn t k r|j | Yn(X|j d| d|| |ddgiq\||dkr d||krb|j d||jdiny||j d }WnLt k r||} d |j kr|j d d krt | } |j | Yn^X||d|} d |j kr|j d d krt | } |j d| t|||dddiq\|j ||q\Wt|dkrJd|igS|S)Nr=r<r>z+Number of values does not match ipset type.rZtcp-rrKr?rr]r<r)r rerF)rKr?)rMrrHr+rrer rrrarr2rArrn) rTrentryobjrIZ entry_tokensZfragmentrJraZport_strr r4r4r5_set_entry_fragment7sL  ("znftables._set_entry_fragmentc Cs>g}|j||}x(dD] }|jdd|t||diiqW|S)NrJrKrLrWr)r]r~relem)rJrKrL)rNr2r)rTrrLrrr]r4r4r5build_set_add_rulesks   znftables.build_set_add_rulescCs"|j||}|j||jjdS)N)rPrrMr)rTrrLrr4r4r5set_addus znftables.set_addcCsF|j||}x4dD],}dd|t||dii}|j||jjqWdS)NrJrKrLrYr)r]r~rrO)rJrKrL)rNrrrMr)rTrrLrr]rZr4r4r5 set_deleteys   znftables.set_deletecCs4g}x*dD]"}dd|t|dii}|j|q W|S)NrJrKrLr{r)r]r~r)rJrKrL)rr2)rTrrr]rZr4r4r5build_set_flush_ruless  znftables.build_set_flush_rulescCs |j|}|j||jjdS)N)rSrrMr)rTrrr4r4r5 set_flushs znftables.set_flushcCsJ|jjj|}|jdkrd}n(|jrBd|jkrB|jddkrBd}nd}|S)Nzhash:macr r]r<rLrK)rMrrHr+rA)rTrrr]r4r4r5rs znftables._set_get_familyc Csg}|j|j||||j|j|d}x^|D]D}|j|j|||d7}|dkr2|j||jj|jd}q2W|j||jjdS)Nrr<i)rrCrSrPrrMrclear) rTZset_nameZ type_nameZentriesZcreate_optionsZ entry_optionsrchunkrLr4r4r5 set_restores znftables.set_restore)N)N)r)rJ)FrJ)rJ)rJ)F)NN)NN)NN)NN)N)N)N)N)N)F)N)N)F)NN)I__name__ __module__ __qualname__rZpolicies_supportedrVrhrlrtrzrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrr r!r#r$r%r&r'r*r+r,r/r0r3r6r7r9r;rCrDrEr rNrPrQrRrSrTrrWr4r4r4r5rIs/.`  4  R i ; - 9   +     $ $ $   ' $  < #   4   rIiji)N)(Z __future__rrirwr Zfirewall.core.loggerrZfirewall.functionsrrrrrZfirewall.errorsr r r r r rrZfirewall.core.richrrrrrrrZnftables.nftablesrrrrrrr6robjectrIr4r4r4r5s  $$