a i^@sfdZdgZddlZddlmZddlmZddlmZddl m Z m Z m Z m Z mZGdddeZdS) zZd?d@Z dgdAfdBdCZ!dgfdDdEZ"dgfdFdGZ#dHdIZ$dJdKZ%dLdMZ&dNdOZ'dPdQZ(dRdSZ)dTdUZ*dVdWZ+dXdYZ,dZd[Z-dS)nrFcCs||_||_d|_d|_dSNT)quietverbose'_FirewallCommand__use_exception_handlerfw)selfr r r4/usr/lib/python3.9/site-packages/firewall/command.py__init__#szFirewallCommand.__init__cCs ||_dSN)r)rrrrrset_fw)szFirewallCommand.set_fwcCs ||_dSrr rflagrrr set_quiet,szFirewallCommand.set_quietcCs|jSrrrrrr get_quiet/szFirewallCommand.get_quietcCs ||_dSrr rrrr set_verbose2szFirewallCommand.set_verbosecCs|jSrrrrrr get_verbose5szFirewallCommand.get_verboseNcCs"|dur|jstj|ddSN )r sysstdoutwritermsgrrr print_msg8szFirewallCommand.print_msgcCs"|dur|jstj|ddSr)r r!stderrr#r$rrrprint_error_msg<szFirewallCommand.print_error_msgcCs,d}d}tjr|||}||dS)Nzz)r!r'isattyr()rr%ZFAILZENDrrr print_warning@s   zFirewallCommand.print_warningrcCs,|dkr||n ||t|dS)N)r*r&r!exit)rr%Z exit_coderrrprint_and_exitGs  zFirewallCommand.print_and_exitcCs||ddS)Nr-r$rrrfailRszFirewallCommand.failcCs"|dur|jrtj|ddSr)r r!r"r#r$rrrprint_if_verboseUsz FirewallCommand.print_if_verbosec  Cs|jdur|jg} d} g} |D]} |durz || } Wnty}zltt|}t|dkrv|d|n|d|||| vr| || d7} WYd}~q$WYd}~n d}~00| | q$| D]d} g}|dur||7}t | t st | t s| | n|| 7}|dur*||7}| z ||Wnttfy.}zt |trx|||}nt|}t|}|tjtjtjtjfvrd}t|dkr|d|n8|dkr|d|WYd}~dS|d|||| vr| || d7} WYd}~n d}~00|q| st|| ksXd| vr\dSt| dkrzt| dnt| dkrttjdS)Nrr+ Warning: %s Error: %s)rZ authorizeAll Exceptionrget_codestrlenr*r-append isinstancelisttupledeactivate_exception_handlerrfail_if_not_authorized get_dbus_nameget_dbus_messagerALREADY_ENABLED NOT_ENABLEDZONE_ALREADY_SET ALREADY_SETactivate_exception_handlerr!r,Z UNKNOWN_ERROR)rZcmd_typeoption action_method query_method parse_methodmessage start_argsend_argsno_exititems_errorsZ _error_codesitemr%code call_itemrrrZ__cmd_sequenceYst     "             zFirewallCommand.__cmd_sequencec Cs|jd||||||ddS)NaddrL_FirewallCommand__cmd_sequencerrErFrGrHrIrLrrr add_sequences zFirewallCommand.add_sequencec Cs |jd||||||g|ddS)NrRrJrLrTrxrErFrGrHrIrLrrrx_add_sequences zFirewallCommand.x_add_sequencec Cs$|jd||||||g|g|d dS)NrR)rJrKrLrT) rzonerErFrGrHrItimeoutrLrrrzone_add_timeout_sequences z)FirewallCommand.zone_add_timeout_sequencec Cs|jd||||||ddS)NremoverSrTrVrrrremove_sequences zFirewallCommand.remove_sequencec Cs |jd||||||g|ddS)Nr_rXrTrYrrrx_remove_sequences z!FirewallCommand.x_remove_sequencec Cs*g}|D]}|durz ||}Wnjty} zRt|dkrX|d| WYd} ~ qntt| } |d| | WYd} ~ n d} ~ 00||q|D]v}g} |dur| |7} t|t st|t s| |n| |7} | z || } Wnt yv} zj| | t| } t|dkrN|d| WYd} ~ qn|d| | WYd} ~ njd} ~ 0ty} zHtt| } t|dkr|d| n|d| | WYd} ~ n d} ~ 00|t|dkr |d||d| fq|| q|s&tddS)Nr+r2r3z%s: %s)noyesr)r4r7r*rr5r6r-r8r9r:r;r<rr=r>r?rDr&print_query_resultr!r,) rrErGrHrIrJrLrMrOr%rPrQresrrrZ__query_sequencesT  &    & z FirewallCommand.__query_sequencecCs|j|||||ddS)NrS _FirewallCommand__query_sequence)rrErGrHrIrLrrrquery_sequences zFirewallCommand.query_sequencecCs|j|||||g|ddS)NrXrf)rrZrErGrHrIrLrrrx_query_sequences z FirewallCommand.x_query_sequencecCsBt|s>t|s>t|s>|dr.t|dks>ttjd||S)Nzipset:z8'%s' is no valid IPv4, IPv6 or MAC address, nor an ipset)rrr startswithr7rr INVALID_ADDRrvaluerrr parse_sources zFirewallCommand.parse_source/cCsjz||\}}Wn"ty4ttjd|Yn0t|sJttj||dvrbttjd|||fS)NzTbad port (most likely missing protocol), correct syntax is portid[-portid]%sprotocolZtcpZudpZsctpZdccp''%s' not in {'tcp'|'udp'|'sctp'|'dccp'})split ValueErrorrr INVALID_PORTr INVALID_PROTOCOL)rrn separatorportprotorrr parse_ports   zFirewallCommand.parse_portc Csd}d}d}d}d}d||dvr||dddd}|t|d7}d||dvrv||dddd} n ||d} |t| d7}|dkr| }q|dkr| }q|dkr| }q|dkr| }q|d kr|rqttjd |q|sttjd |s ttjd |s$|s$ttjd t|s:ttj||dvrTttjd||rpt|spttj||rtd|s|std|sttj |||||fS)Nr=r+:rxrytoporttoaddrifzinvalid forward port arg '%s'z missing portzmissing protocolzmissing destinationrqrripv4ipv6) rsr7rrZINVALID_FORWARDr rurvr rl) rrncompatrxZprotocolr}r~ioptvalrrrparse_forward_portsZ           z"FirewallCommand.parse_forward_portcCsF|d}t|dkr"|ddfSt|dkr2|Sttjd|dS)Nr{r+rr.zinvalid ipset option '%s')rsr7rrZINVALID_OPTION)rrnargsrrrparse_ipset_optionHs    z"FirewallCommand.parse_ipset_optioncCs.ddg}||vr*ttjd|d|f|S)Nrr'invalid argument: %s (choose from '%s')', 'rrZ INVALID_IPVjoinrrnZipvsrrrcheck_destination_ipvRs z%FirewallCommand.check_destination_ipvcCsBz|dd\}}Wnty2ttjdYn0|||fS)Nr|r+z(destination syntax is ipv:address[/mask])rsrtrrZINVALID_DESTINATIONr)rrnZipvZ destinationrrrparse_service_destinationZs  z)FirewallCommand.parse_service_destinationcCs.gd}||vr*ttjd|d|f|S)N)rrZebrrrrrrr check_ipvbs zFirewallCommand.check_ipvcCs.gd}||vr*ttjd|d|f|S)N)rrrrrrrrrrcheck_helper_familyjs z#FirewallCommand.check_helper_familycCsB|dsttjd|t|dddkr>ttjd||S)NZ nf_conntrack_z('%s' does not start with 'nf_conntrack_'rr+zModule name '%s' too short)rkrrZINVALID_MODULEr7replacermrrr check_modulers zFirewallCommand.check_moduleTc Cs|}|}|}|} |} |} |} |} |}| }| }|rv| }| }| }n,|}tt||}|}|}dd}g}|dur||kr|d|s|s|s|r|r|r|d|r|dd|}|||jr0|d||d||rH|d t||d ||st|d |rld nd |r|dd||dd|n(|dd||dd||ddt||dddd|D|ddt| |s8|d|r0d nd |d| rHd nd |d| r`dndddd| D|dddd| D|d d| |d!|rdnddt||d"dS)#NcSsdd}d}z||}Wnty(Yn80|t|7}t|||||dddd}|S)Nrz priority= "r)indexrtr7intr)ZrulepriorityZ search_strrrrrrich_rule_sorted_keys  *zDFirewallCommand.print_zone_policy_info..rich_rule_sorted_keydefaultZactivez (%s)z, summary:  description: z priority: z target: z icmp-block-inversion: %srcrbz ingress-zones: rz egress-zones: z interfaces: z sources: z services: ports: cSs g|]}d|d|dfqSz%s/%srr+r.0rxrrr sz:FirewallCommand.print_zone_policy_info.. protocols: z forward: %sz masquerade: %sz forward-ports: z rcSs$g|]\}}}}d||||fqS)z$port=%s:proto=%s:toport=%s:toaddr=%sr)rrxryr}r~rrrrs   source-ports: cSs g|]}d|d|dfqSrrrrrrrsz icmp-blocks: z rich rules: )key)Z getTargetZ getServicesgetPorts getProtocolsZ getMasqueradeZgetForwardPortsgetSourcePortsZ getIcmpBlocksZ getRichRulesgetDescriptiongetShortZgetIngressZonesZgetEgressZonesZ getPriorityZgetIcmpBlockInversionsortedsetZ getInterfacesZ getSourcesZ getForwardr8rr&r r6)rr\settings default_zoneextra_interfacesisPolicytargetZservicesports protocolsZ masqueradeZ forward_ports source_portsZ icmp_blocksZrules descriptionshort_descriptionZ ingress_zonesZ egress_zonesrZicmp_block_inversionZ interfacesZsourcesZforwardrZ attributesrrrprint_zone_policy_info|s          z&FirewallCommand.print_zone_policy_infocCs|j||||dddS)NFrrrr)rr\rrrrrrprint_zone_infoszFirewallCommand.print_zone_infocCs|j||||dddS)NTrr)rZpolicyrrrrrrprint_policy_infosz!FirewallCommand.print_policy_infoc Cs.|}|}|}|}|}|}|} |} |} | ||j rt| d| | d|| dd dd|D| dd || dd d d|D| d d || d d d d| D| d d t | | dd t | dS)NrrrrcSs g|]}d|d|dfqSrrrrrrrsz6FirewallCommand.print_service_info..rrcSs g|]}d|d|dfqSrrrrrrrsz modules:  destination: cSsg|]\}}d||fqS)z%s:%srrkvrrrrsz includes: z helpers: )rrrZ getModulesrgetDestinationsrZ getIncludesZ getHelpersr&r rrMr) rZservicerrrrmodulesr destinationsrZincludesZhelpersrrrprint_service_infos<    z"FirewallCommand.print_service_infocCsp|}|}|}t|dkr,ddg}|||jrX|d||d||dd|dS)Nrrrrrrr)rrrr7r&r r)rZicmptyperrrrrrrprint_icmptype_infos  z#FirewallCommand.print_icmptype_infocCs|}|}|}|}|}|||jrT|d||d||d||dddd|D|dd|dS) Nrrz type: z options: rcSs$g|]\}}|rd||fn|qS)z%s=%srrrrrrsz4FirewallCommand.print_ipset_info..z entries: ) ZgetTypeZ getOptionsZ getEntriesrrr&r rrM)rZipsetrZ ipset_typeoptionsentriesrrrrrprint_ipset_infos  z FirewallCommand.print_ipset_infocCs|}|}|}|}|}|||jrT|d||d||d||d||dddd|DdS) Nrrz family: z module: rrcSs g|]}d|d|dfqSrrrrrrrsz5FirewallCommand.print_helper_info..)rZ getModuleZ getFamilyrrr&r r)rhelperrrmoduleZfamilyrrrrrprint_helper_infos z!FirewallCommand.print_helper_infocCs |r|dn |dddS)Nrcrbr+r/rmrrrrds z"FirewallCommand.print_query_resultcCs\|js||tt|}|tjtjtjtj fvrH| d|n| d||dS)Nr2r3) rr=rr5r6rr@rArBrCr*r-)rexception_messagerPrrrexception_handlers  z!FirewallCommand.exception_handlercCsd|vrd}||tjdS)NZNotAuthorizedExceptionz`Authorization failed. Make sure polkit agent is running or run the application as superuser.)r-rZNOT_AUTHORIZED)rrr%rrrr='sz&FirewallCommand.fail_if_not_authorizedcCs d|_dS)NFrrrrrr<-sz,FirewallCommand.deactivate_exception_handlercCs d|_dSr rrrrrrD0sz*FirewallCommand.activate_exception_handlercCsng}t}t|}|D]J}|s"qb|}t|dks|ddvrDq||vr||||q||S)Nr+r)#;)ropenstripr7r8rRclose)rfilenamerZ entries_setflinerrrget_ipset_entries_from_file3s  z+FirewallCommand.get_ipset_entries_from_file)FF)N)N)N)Nr)N)N)NNF)F)F)F)F)F)NF)F)F)rp)F).__name__ __module__ __qualname__rrrrrrr&r(r*r-r0r1rUrWr[r^r`rargrhrirorzrrrrrrrrrrrrrrrdrr=r<rDrrrrrr"sj       L      3    2  O  )__doc____all__r!ZfirewallrZfirewall.errorsrZdbus.exceptionsrZfirewall.functionsrrrr r objectrrrrrs