3 @)f8@sdddddddddd d d d d ddddgZddlmZddlmZddlmZddlmZddlm Z Gddde Z Gddde Z Gddde Z Gddde ZGdddeZGddde ZGddde ZGddde ZGd dde ZGd!d d e ZGd"d d e ZGd#d d e ZGd$d d e ZGd%d d e ZGd&ddeZGd'dde Zd(d)d/d1d+ZGd,dde ZGd-dde Zd.S)2 Rich_SourceRich_Destination Rich_Service Rich_Port Rich_ProtocolRich_MasqueradeRich_IcmpBlock Rich_IcmpTypeRich_SourcePortRich_ForwardPortRich_Log Rich_Audit Rich_Accept Rich_Reject Rich_Drop Rich_Mark Rich_Limit Rich_Rule) functions)check_ipset_name) REJECT_TYPES)errors) FirewallErrorc@seZdZdddZddZdS)rFcCs||_|jdkrd|_||_|jdks0|jdkr8d|_n|jdk rN|jj|_||_|jdkrdd|_||_|jdkr|jdkr|jdkrttjddS)Nzno address, mac and ipset)addrmacupperipsetinvertrr INVALID_RULE)selfrrrrr!/usr/lib/python3.6/rich.py__init__$s    zRich_Source.__init__cCsjd|jr dnd}|jdk r*|d|jS|jdk rB|d|jS|jdk rZ|d|jSttjddS)Nz source%s z NOTrz address="%s"zmac="%s"z ipset="%s"zno address, mac and ipset)rrrrrrr)r retr!r!r"__str__5s   zRich_Source.__str__N)F)__name__ __module__ __qualname__r#r%r!r!r!r"r#s c@seZdZdddZddZdS)rFcCsV||_|jdkrd|_||_|jdkr,d|_||_|jdkrR|jdkrRttjddS)Nrzno address and ipset)rrrrrr)r rrrr!r!r"r#Bs  zRich_Destination.__init__cCsRd|jr dnd}|jdk r*|d|jS|jdk rB|d|jSttjddS)Nzdestination%s z NOTrz address="%s"z ipset="%s"zno address and ipset)rrrrrr)r r$r!r!r"r%Ns  zRich_Destination.__str__N)F)r&r'r(r#r%r!r!r!r"rAs c@seZdZddZddZdS)rcCs ||_dS)N)name)r r)r!r!r"r#YszRich_Service.__init__cCs d|jS)Nzservice name="%s")r))r r!r!r"r%\szRich_Service.__str__N)r&r'r(r#r%r!r!r!r"rXsc@seZdZddZddZdS)rcCs||_||_dS)N)portprotocol)r r*r+r!r!r"r#`szRich_Port.__init__cCsd|j|jfS)Nzport port="%s" protocol="%s")r*r+)r r!r!r"r%dszRich_Port.__str__N)r&r'r(r#r%r!r!r!r"r_sc@seZdZddZdS)r cCsd|j|jfS)Nz#source-port port="%s" protocol="%s")r*r+)r r!r!r"r%hszRich_SourcePort.__str__N)r&r'r(r%r!r!r!r"r gsc@seZdZddZddZdS)rcCs ||_dS)N)value)r r,r!r!r"r#mszRich_Protocol.__init__cCs d|jS)Nzprotocol value="%s")r,)r r!r!r"r%pszRich_Protocol.__str__N)r&r'r(r#r%r!r!r!r"rlsc@seZdZddZddZdS)rcCsdS)Nr!)r r!r!r"r#tszRich_Masquerade.__init__cCsdS)N masquerader!)r r!r!r"r%wszRich_Masquerade.__str__N)r&r'r(r#r%r!r!r!r"rssc@seZdZddZddZdS)rcCs ||_dS)N)r))r r)r!r!r"r#{szRich_IcmpBlock.__init__cCs d|jS)Nzicmp-block name="%s")r))r r!r!r"r%~szRich_IcmpBlock.__str__N)r&r'r(r#r%r!r!r!r"rzsc@seZdZddZddZdS)rcCs ||_dS)N)r))r r)r!r!r"r#szRich_IcmpType.__init__cCs d|jS)Nzicmp-type name="%s")r))r r!r!r"r%szRich_IcmpType.__str__N)r&r'r(r#r%r!r!r!r"rsc@seZdZddZddZdS)r cCs<||_||_||_||_|jdkr(d|_|jdkr8d|_dS)Nr)r*r+to_port to_address)r r*r+r.r/r!r!r"r#s  zRich_ForwardPort.__init__cCs<d|j|j|jdkrd|jnd|jdkr4d|jndfS)Nz(forward-port port="%s" protocol="%s"%s%srz to-port="%s"z to-addr="%s")r*r+r.r/)r r!r!r"r%szRich_ForwardPort.__str__N)r&r'r(r#r%r!r!r!r"r s c@seZdZdddZddZdS)r NcCs||_||_||_dS)N)prefixlevellimit)r r0r1r2r!r!r"r#szRich_Log.__init__cCs>d|jrd|jnd|jr$d|jnd|jr6d|jndfS)Nz log%s%s%sz prefix="%s"rz level="%s"z %s)r0r1r2)r r!r!r"r%szRich_Log.__str__)NNN)r&r'r(r#r%r!r!r!r"r s c@seZdZdddZddZdS)r NcCs ||_dS)N)r2)r r2r!r!r"r#szRich_Audit.__init__cCsd|jrd|jndS)Nzaudit%sz %sr)r2)r r!r!r"r%szRich_Audit.__str__)N)r&r'r(r#r%r!r!r!r"r s c@seZdZdddZddZdS)r NcCs ||_dS)N)r2)r r2r!r!r"r#szRich_Accept.__init__cCsd|jrd|jndS)Nzaccept%sz %sr)r2)r r!r!r"r%szRich_Accept.__str__)N)r&r'r(r#r%r!r!r!r"r s c@s&eZdZdddZddZddZdS) rNcCs||_||_dS)N)typer2)r Z_typer2r!r!r"r#szRich_Reject.__init__cCs,d|jrd|jnd|jr$d|jndfS)Nz reject%s%sz type="%s"rz %s)r3r2)r r!r!r"r%szRich_Reject.__str__cCsT|jrP|sttjd|dkrP|jt|krPdjt|}ttjd|j|fdS)Nz9When using reject type you must specify also rule family.ipv4ipv6z, z%Wrong reject type %s. Use one of: %s.)r4r5)r3rrrrjoin)r familyZ valid_typesr!r!r"checks zRich_Reject.check)NN)r&r'r(r#r%r8r!r!r!r"rs c@seZdZddZdS)rcCsd|jrd|jndS)Nzdrop%sz %sr)r2)r r!r!r"r%szRich_Drop.__str__N)r&r'r(r%r!r!r!r"rsc@s&eZdZdddZddZddZdS) rNcCs||_||_dS)N)setr2)r Z_setr2r!r!r"r#szRich_Mark.__init__cCsd|j|jrd|jndfS)Nz mark set=%s%sz %sr)r9r2)r r!r!r"r%szRich_Mark.__str__cCs|jdk r|j}n ttjdd|krv|jd}t|dkrHttj|tj|d shtj|d rttj|ntj|sttj|dS)Nz no value set/r)r9rrZ INVALID_MARKsplitlenrZ checkUINT32)r xsplitsr!r!r"r8s      zRich_Mark.check)N)r&r'r(r#r%r8r!r!r!r"rs r<<)smhdc@seZdZdddZddZeddZejddZed d Zejd d Ze d d Z ddZ e ddZ ddZ ddZdS)rNcCs||_||_dS)N)r,burst)r r,rGr!r!r"r#szRich_Limit.__init__cCs|j|jdS)N) value_parse burst_parse)r r!r!r"r8szRich_Limit.checkcCs|jS)N)_value)r r!r!r"r,szRich_Limit.valuec Csf|dkrd|_dSy|j|\}}Wntk r<|}YnX|d|}t|dd|krb||_dS)Nr:rJ)rJ _value_parsergetattr)r r,ratedurationvr!r!r"r,s cCs|jS)N)_burst)r r!r!r"rG szRich_Limit.burstc Cs\|dkrd|_dSy|j|}Wntk r8|}Yn Xt|}t|dd|krX||_dS)NrP)rP _burst_parserstrrL)r rGbr!r!r"rGs c Csd}d|kr|jd}| s(t|dkr4ttj||\}}y t|}Wnttj|YnX|dkrv|dd}|dks|dkrttj|d t||d krttjd|f|dkr|d krttjd|f||fS)Nr:r;secondminutehourdayr<rCrDrErFi'rz %s too fastz %s too slow)rTrUrVrW)rCrDrErF)r=r>rr INVALID_LIMITintDURATION_TO_MULT)r,r@rMrNr!r!r"rKs&     zRich_Limit._value_parsecCs |j|jS)N)rKrJ)r r!r!r"rH:szRich_Limit.value_parsec CsR|dkr dSy t|}Wnttj|YnX|dksB|dkrNttj||S)Nr<i)rYrrrX)rGrSr!r!r"rQ=s  zRich_Limit._burst_parsecCs |j|jS)N)rQrP)r r!r!r"rIKszRich_Limit.burst_parsecCs,d|jd}|jdk r(|d|j7}|S)Nz limit value=""z burst=)rJrP)r rCr!r!r"r%Ns zRich_Limit.__str__)N)r&r'r(r#r8propertyr,setterrG staticmethodrKrHrQrIr%r!r!r!r"rs     c@s>eZdZdZdZdddZddZd d Zd d Zd dZ dS)riiNrcCsV|dk rt||_nd|_||_d|_d|_d|_d|_d|_d|_|rR|j |dS)N) rRr7prioritysource destinationelementlogauditaction_import_from_string)r r7rule_strr_r!r!r"r#Xs zRich_Rule.__init__cCsg}x|tj|D]n}d|krp|jd}t|dksF|d sF|d rVttjd||j|d|ddq|jd|iqW|jddi|S) z Lexical analysis =r;rr<zinternal error in _lexer(): %s) attr_name attr_valuerbEOL)rZ splitArgsr=r>rrrappend)r rgtokensrattrr!r!r"_lexeris   zRich_Rule._lexerc Cs|sttjdtj|}d|_d|_d|_d|_d|_ d|_ d|_ d|_ |j |}|rv|djddkrvttjdi}g}d}x`||jddko|dgks||jd}||jd}||jd}|r|dHkrttjd|n|dIkr|dkr|jrttjd+n|dkr<|jr|d <nBt|jd |jd |jd |jd d?|_|j|j|d2}n| dkr,|dOkr|||<nN|dPkrd>|d <n:t|jd |jd |jd d?|_|j|j|d2}n| dkrd|dkrTt||_ |jn ttjd@nv| dkr|dkrt||_ |jn ttjdAn>| dkr|dQkr|||<n0t|jd|jd|_ |j|j|d2}n| dkr&|dkrt||_ |jn ttjdBn| dkr^|dkrNt||_ |jn ttjdCn|| dkrt|_ |j|j|d2}nN| d kr|dRkr|||<n@t|jd|jd|jd|jd|_ |j|j|d2}n| d!kr@|dSkr |||<n0t|jd|jd|_ |j|j|d2}n| d"kr|dTkr^|||<nN|d(krt|jd(n8t |jd|jd|jd(|_ |j|j|d2}n*| d#kr|d(kr|jd(n(t!|jd(|_ |j|j|d2}n| d$krH|d(kr|jd(n(t"|jd(|_ |j|j|d2}n| d%kr|d(krh|jd(n(t#|jd(|_ |j|j|d2}nF| d&kr|dkr|||<nF|d(kr|jd(n0t$|jd|jd(|_ |j|j|d2}n| d'kr`|dkr|||<nF|d(kr.|jd(n0t%|jd|jd(|_ |j|j|d2}nz| d(kr|dUkr||dD|<nVdE|krttjdFt&|dE|jdG|d(<|jdEd|jdGd|j|d2}|d2}qW|j'dS)VNz empty rulerrbrkrulerirjr_r7addressrrrr,r*r+to-portto-addrr)r0r1r3r9rGzbad attribute '%s'r`raservice icmp-block icmp-typer- forward-port source-portrcrdacceptdroprejectmarkr2notNOTzmore than one 'source' elementz#more than one 'destination' elementzFmore than one element. There cannot be both '%s' and '%s' in one rule.zmore than one 'log' elementzmore than one 'audit' elementzOmore than one 'action' element. There cannot be both '%s' and '%s' in one rule.zunknown element %sr<rz0'family' outside of rule. Use 'rule family=...'.z4'priority' outside of rule. Use 'rule priority=...'.z:'%s' outside of any element. Use 'rule %s= ...'.z,'%s' outside of rule. Use 'rule ... %s ...'.r4r5zH'family' attribute cannot have '%s' value. Use 'ipv4' or 'ipv6' instead.z(invalid 'priority' attribute value '%s'.zdwrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'.zDattribute '%s' outside of any element. Use 'rule %s= ...'.TFzinvalid 'protocol' elementzinvalid 'service' elementzinvalid 'icmp-block' elementzinvalid 'icmp-type' elementzlimit.z limit.valuezinvalid 'limit' elementz limit.burst)r_r7rrrrrr,r*r+rsrtr)r0r1r3r9rG)rqr`rar+rur*rvrwr-rxryrcrdrzr{r|r}r2r~rrk)r+rur*rvrwr-rxry)rzr{r|r})r4r5)rrrrr)r~r)rrrr)r~r)r*r+)r*r+rsrt)r*r+)r0r1)r,rG)(rrrrZstripNonPrintableCharactersr_r7r`rarbrcrdrerpgetr>rlrY ValueErrorINVALID_PRIORITYrpopclearrrrrrrrr r r r r rrrrr8) r rgrmZattrsZ in_elementsindexrbrirjZ in_elementZerr_msgr!r!r"rfzs    ""               *      "                          (                                            zRich_Rule._import_from_stringc Cs`|jdk r"|jd kr"ttj|j|jdkrn|jdk rB|jjdk sL|jdk rVttjt|j t krnttj|j |j ks|j |j krttjd|j |j f|j dko|jdks|jdk o|j dkr |jdkrttjd|jdko|jdko|j dkr ttjdt|j tt tgkrP|jdkrP|jdkrP|jdkrPttjd|jdk rj|jjdk r|jdkrttj|jjdk rttjd|jjdk rttjd tj|j|jjsjttjt|jjn|jjdk r,|jjdk rttjd tj|jjsjttjt|jjn>|jjdk r^t|jjsjttjt|jjn ttjd |jdk r|jjdk r|jdkrttj|jjdk rttjd tj|j|jjsttjt|jjn>|jjdk rt|jjsttjt|jjn ttjd t|j t krd|j j!dksLt"|j j!d kr`ttj#t|j j!nt|j t$krtj%|j j&sttj'|j j&|j j(d!kr`ttj)|j j(nt|j t*krtj+|j j,s`ttj)|j j,nvt|j tkr<|jdk rttjd|jdk r`|jjdk r`ttjdn$t|j tkr|j j!dkslt"|j j!d krttj-t|j j!|jr`ttjdnt|j t.kr|j j!dkst"|j j!d kr`ttj-t|j j!nt|j t krtj%|j j&sttj'|j j&|j j(d"kr.ttj)|j j(|j j/dkrZ|j j0dkrZttj'|j j/|j j/dkrtj%|j j/ rttj'|j j/|j j0dkrtj1|j|j j0 rttj|j j0|jdkrttj|jdk r`ttjdnrt|j t2kr>tj%|j j&sttj'|j j&|j j(d#kr`ttj)|j j(n"|j dk r`ttjdt|j |jdk r|jj3r|jj3d$krttj4|jj3|jj5dk r|jj5j6|jdk rt|jt7t8t9gkrttj:t|j|jj5dk r|jj5j6|jdk r\t|jt8kr(|jj6|jnt|jt;krB|jj6|jj5dk r\|jj5j6dS)%Nr4r5z/'priority' attribute must be between %d and %d.rzno element, no actionz%no element, no source, no destinationzno action, no log, no auditzaddress and maczaddress and ipsetz mac and ipsetzinvalid sourcezinvalid destinationr<tcpudpsctpdccpzmasquerade and actionzmasquerade and mac sourcezicmp-block and actionrzforward-port and actionzUnknown element %semergalertcriterrorwarningnoticeinfodebug)r4r5)rrrr)rrrr)rrrr)rrrrrrrr)ZINVALID_SERVICErZ check_portr*Z INVALID_PORTr+ZINVALID_PROTOCOLrZ checkProtocolr,ZINVALID_ICMPTYPErr.r/Zcheck_single_addressr r1ZINVALID_LOG_LEVELr2r8r rrZINVALID_AUDIT_TYPEr)r r!r!r"r8hs                                          zRich_Rule.checkcCsd}|jr|d|j7}|jr,|d|j7}|jr@|d|j7}|jrT|d|j7}|jrh|d|j7}|jr||d|j7}|jr|d|j7}|jr|d|j7}tj rtj |S|S)Nrqz priority="%d"z family="%s"z %s) r_r7r`rarbrcrdrerZPY2Zu2b)r r$r!r!r"r%s$zRich_Rule.__str__i)NNr) r&r'r(rrr#rprfr8r%r!r!r!r"rTs o-NiiiQ)__all__ZfirewallrZfirewall.core.ipsetrZfirewall.core.baserrZfirewall.errorsrobjectrrrrr rrrrr r r r rrrrZrrr!r!r!r"s@      d