a è iàã@sædgZddlZddlZddlZddlZddlZddlmZmZddl m Z ddl m Z ddl m Z ddl mZddl mZdd l mZdd l mZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddl m!Z!ddl"m#Z#ddl$m%Z%ddl&m'Z'm(Z(ddl)m*Z*ddl+m,Z,ddl-m.Z.ddl/m0Z0ddl1m2Z2ddl3m4Z4ddl5m6Z6m7Z7ddl8m9Z9ddl:m;Z;ddlm?Z?dd!l@mAZAdd"lBmCZCdd#l mDZDdd$lEmFZFGd%d„deGƒZHdS)&ÚFirewalléN)ÚDictÚList)Úconfig)Ú functions)Ú ipXtables)Úebtables)Únftables)Úipset)Úmodules)ÚFirewallIcmpType)ÚFirewallService)Ú FirewallZone)ÚFirewallDirect)ÚFirewallConfig)ÚFirewallPolicies)Ú FirewallIPSet)ÚFirewallTransaction)ÚFirewallHelper)ÚFirewallPolicy)Únm_get_bus_nameÚnm_get_interfaces_in_zone)Úlog)Ú IO_Object)Úfirewalld_conf)ÚDirect)Úservice_reader)Úicmptype_reader)Ú zone_readerÚZone)Ú ipset_reader)Ú IPSET_TYPES)Ú helper_reader)Ú policy_reader)Úcheck_on_disk_config)Ú Rich_Rule)Úerrors)Ú FirewallErrorc@sZeZdZdŒdd„Zdd„Zdd„Zdd „Zifeee e fd œd d „Z d d„Z dd„Z dd„Zdd„Zdd„Zdd„Zdd„Zdd„Zddd„Zdd „Zd!d"„ZdŽd#d$„Zdd%d&„Zd'd(„Zd)d*„Zd+d,„Zd-d.„Zd/d0„Zd1d2„Zd3d4„Zdd5d6„Z d7d8„Z!d9d:„Z"d;d<„Z#d=d>„Z$d?d@„Z%dAdB„Z&dCdD„Z'dEdF„Z(dGdH„Z)dIdJ„Z*dKdL„Z+d‘dNdO„Z,d’dPdQ„Z-dRdS„Z.d“dTdU„Z/d”dVdW„Z0d•dXdY„Z1d–dZd[„Z2d\d]„Z3d^d_„Z4d`da„Z5dbdc„Z6ddde„Z7dfdg„Z8dhdi„Z9djdk„Z:dldm„Z;dndo„Zdtdu„Z?d—dvdw„Z@dxdy„ZAdzd{„ZBd|d}„ZCd~d„ZDd€d„ZEd‚dƒ„ZFd„d…„ZGd†d‡„ZHdˆd‰„ZIdŠd‹„ZJdMS)˜rFcCs¼ttjƒ|_||_|sXt |¡|_t |¡|_ t   ¡|_ t   ¡|_ t |¡|_t ¡|_t|ƒ|_t|ƒ|_t|ƒ|_t|ƒ|_t|ƒ|_tƒ|_t|ƒ|_ t|ƒ|_t |ƒ|_!| "¡dS©N)#rrÚFIREWALLD_CONFÚ_firewalld_confÚ_offlinerÚ ip4tablesÚip4tables_backendÚ ip6tablesÚip6tables_backendrÚebtables_backendr Ú ipset_backendr Únftables_backendr Úmodules_backendr Úicmptyper ÚservicerÚzonerÚdirectrrÚpoliciesrrÚhelperrÚpolicyÚ_Firewall__init_vars)ÚselfZoffline©r=ú4/usr/lib/python3.9/site-packages/firewall/core/fw.pyÚ__init__Gs&               zFirewall.__init__cCsDd|j|j|j|j|j|j|j|j|j|j |j |j |j |j |jfS)Nz:%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r))Ú __class__Úip4tables_enabledÚip6tables_enabledÚebtables_enabledÚ_stateÚ_panicÚ _default_zoneÚ_module_refcountÚ_marksÚcleanup_on_exitÚcleanup_modules_on_exitÚ_ipv6_rpfilterÚ ipset_enabledÚ_individual_callsÚ _log_denied©r<r=r=r>Ú__repr___s   ûÿzFirewall.__repr__cCsÜd|_d|_tj|_g|_g|_i|_g|_tj |_ tj |_ tj |_tj|_tj|_tj|_tj|_tj|_tj|_tj|_|jr¨d|_d|_d|_ d|_!t"|_#d|_$n0d|_g|_%d|_g|_&d|_ d|_!t"|_#d|_$dS)NZINITFT)'rDrErZ FALLBACK_ZONErFÚ_default_zone_interfacesZ_nm_assigned_interfacesrGrHZFALLBACK_CLEANUP_ON_EXITrIZ FALLBACK_CLEANUP_MODULES_ON_EXITrJZFALLBACK_IPV6_RPFILTERrKZFALLBACK_INDIVIDUAL_CALLSrMZFALLBACK_LOG_DENIEDrNZFALLBACK_FIREWALL_BACKENDÚ_firewall_backendZFALLBACK_FLUSH_ALL_ON_RELOADÚ_flush_all_on_reloadZFALLBACK_RFC3964_IPV4Ú _rfc3964_ipv4ZFALLBACK_ALLOW_ZONE_DRIFTINGZ_allow_zone_driftingZFALLBACK_NFTABLES_TABLE_OWNERÚ_nftables_table_ownerr+rArBrCrLr!Zipset_supported_typesÚnftables_enabledÚipv4_supported_icmp_typesÚipv6_supported_icmp_typesrOr=r=r>Z __init_varshs@zFirewall.__init_varscsÒi}‡fdd„ˆj ¡Dƒ|d<‡fdd„ˆj ¡Dƒ|d<‡fdd„ˆj ¡Dƒ|d<‡fdd„ˆj ¡Dƒ|d <‡fd d„ˆj  ¡Dƒ|d <‡fd d„ˆj   ¡Dƒ|d <i|d<ˆj   d¡|dd<i|d<i|dd<tˆj ¡ƒ tˆj ¡ƒ¡D]}ˆj |¡|dd|<qútˆj ¡ƒ tˆj ¡ƒ¡D]–}|ˆjvsR|ˆjvr6t ˆj |¡¡|dd|<g|dd|_|ˆjvr¦|dd|j d¡|ˆjvr6|dd|j d¡q6|S)zH Returns a dict of dicts of all runtime config objects. csi|]}|ˆj |¡“qSr=)r Ú get_ipset)Ú.0Ú_ipsetrOr=r>Ú ’óz4Firewall.get_all_io_objects_dict..Úipsetscsi|]}|ˆj |¡“qSr=)r9Ú get_helper)rZr9rOr=r>r\“r]Úhelperscsi|]}|ˆj |¡“qSr=)r4Ú get_icmptype)rZr4rOr=r>r\”r]Ú icmptypescsi|]}|ˆj |¡“qSr=)r5Ú get_service)rZr5rOr=r>r\•r]Úservicescsi|]}|ˆj |¡“qSr=)r6Úget_zone)rZr6rOr=r>r\–r]Úzonescsi|]}|ˆj |¡“qSr=)r:Z get_policy)rZr:rOr=r>r\—r]r8ZconfÚFirewallBackendÚruntimeZicmptypes_unsupportedÚipv4Úipv6)r Ú get_ipsetsr9Ú get_helpersr4Ú get_icmptypesr5Ú get_servicesr6Ú get_zonesr:Z"get_policies_not_derived_from_zoner*ÚgetÚsetrÚ differenceraÚ intersectionrWrXÚcopyZ destinationÚappend)r<Z conf_dictr4r=rOr>Úget_all_io_objects_dicts8   ÿ ÿ ÿ  z Firewall.get_all_io_objects_dict)Úextra_io_objectsc Csn| ¡}|D] }||D]}||||j<qq gd¢}|D].}||}| ¡D]\}} |  |  ¡|¡qNq:dS)N)r^r`rbrdrfr8)rvÚnameÚitemsZcheck_config_dictZexport_config_dict) r<rwZall_io_objectsZtype_keyÚobjÚorderZ io_obj_typeZio_objsrxZio_objr=r=r>Úfull_check_config·s zFirewall.full_check_configcCsŽ|jr$d|j ¡vr$t d¡d|_|jrHd|j ¡vrHt d¡d|_|jrld|j ¡vrlt d¡d|_|jsŠ|jsŠ|j sŠt t j dƒ‚dS)NÚfilterziptables is not usable.Fzip6tables is not usable.zebtables is not usable.zNo IPv4 and IPv6 firewall.) rAr-Úget_available_tablesrÚinfo1rBr/rCr0rVr'r&Ú UNKNOWN_ERRORrOr=r=r>Ú_start_check_tablesÆs& ÿ  ÿ  ÿ  ÿzFirewall._start_check_tablescCsŒ|j ¡|jjsH|jjr&t d¡n"|jr8t d¡n t d¡d|_|jr^|j   d¡|_ n|jrr|j  ¡|_ ng|_ |j  ¡|j jsÀ|j jržt d¡n"|jr°t d¡n t d¡d|_ |jrÖ|j   d ¡|_n|j rê|j   ¡|_ng|_|j ¡|jjs>|jjrt d ¡n$|jr.t d ¡n t d ¡d|_|jrb|jsb|jjsbt d ¡|j  ¡|jrˆ|j jsˆt d¡dS)NzFiptables-restore is missing, using individual calls for IPv4 firewall.zMiptables-restore and iptables are missing, IPv4 direct rules won't be usable.zCiptables-restore and iptables are missing, disabling IPv4 firewall.FrizGip6tables-restore is missing, using individual calls for IPv6 firewall.zOip6tables-restore and ip6tables are missing, IPv6 direct rules won't be usable.zEip6tables-restore and ip6tables are missing, disabling IPv6 firewall.rjzHebtables-restore is missing, using individual calls for bridge firewall.zKebtables-restore and ebtables are missing, eb direct rules won't be usable.zEebtables-restore and ebtables are missing, disabling bridge firewall.zSebtables-restore is not supporting the --noflush option, will therefore not be usedzpConfiguration has NftablesTableOwner=True, but it's not supported by nftables. Table ownership will be disabled.)r-Z fill_existsÚrestore_command_existsZcommand_existsrÚwarningrVrrAr2Zsupported_icmp_typesrWr/rBrXr0rCrMÚrestore_noflush_optionÚdebug1Z probe_supportrUZsupports_table_ownerrOr=r=r>Ú_start_probe_backendsÜs\              ÿ  ÿþÿzFirewall._start_probe_backendsc Cs˜t dtj¡z|j ¡Wn:tyV}z"t |¡t d¡WYd}~n2d}~00|j d¡rr|j d¡|_ |j d¡r²|j d¡}|dur¤|  ¡dvr¤d|_ t d|j ¡|j d¡rò|j d¡}|durä|  ¡d vräd |_ t d |j ¡|j d ¡rR|j d ¡}|durR|  ¡d vrRt d ¡z|j  ¡WntyPYn0|j d¡rö|j d¡}|durâ|  ¡dvrŒd|_nV|  ¡dvr¢d|_n@|  ¡dvr¸d|_n*|  ¡dvrÎd|_n|  ¡dvrâd|_t d|j›d¡|j d¡r8|j d¡}|dur8|  ¡d vr8t d¡d |_|j d¡rŠ|j d¡}|dusj|  ¡dkrrd|_n|  ¡|_t d|j¡|j d¡r´|j d¡|_t d |j¡|j d!¡rø|j d!¡}|  ¡dvräd|_nd |_t d"|j¡|j d#¡r<|j d#¡}|  ¡dvr(d|_nd |_t d$|j¡|j d%¡r€|j d%¡}|  ¡dvrld|_nd |_t d&|j¡|j t |j¡¡dS)'Nz"Loading firewalld config file '%s'z0Using fallback firewalld configuration settings.Ú DefaultZoneZ CleanupOnExit)ÚnoZfalseFzCleanupOnExit is set to '%s'ZCleanupModulesOnExit)ÚyesÚtrueTz#CleanupModulesOnExit is set to '%s'ZLockdownzLockdown is enabledZ IPv6_rpfilterrˆ)r‰rŠÚstrictr‹)ÚlooserŒ)ú loose-forwardr)ústrict-forwardrŽzIPv6_rpfilter is set to 'ú'ZIndividualCallszIndividualCalls is enabledÚ LogDeniedZoffzLogDenied is set to '%s'rgzFirewallBackend is set to '%s'ZFlushAllOnReloadzFlushAllOnReload is set to '%s'Z RFC3964_IPv4zRFC3964_IPv4 is set to '%s'ZNftablesTableOwnerz!NftablesTableOwner is set to '%s')rr…rr)r*ÚreadÚ ExceptionrƒrprFÚlowerrIrJr8Zenable_lockdownr'rKrMrNrRrSrTrUÚset_firewalld_confrtÚdeepcopy)r<ÚmsgÚvaluer=r=r>Ú_start_load_firewalld_conf#sª "   ÿ  ÿ        ÿ ÿ ÿ ÿz#Firewall._start_load_firewalld_confc CsŒt d¡z|jj ¡WnXtyr}z@|j ¡rJt d|jjj|¡nt d|jjj|¡WYd}~n d}~00|j   t   |j¡¡dS)NzLoading lockdown whitelistz*Failed to load lockdown whitelist '%s': %s) rr…r8Zlockdown_whitelistr‘r’Zquery_lockdownÚerrorÚfilenamerZ set_policiesrtr•©r<r–r=r=r>Ú_start_load_lockdown_whitelist‡s   ÿ ÿz'Firewall._start_load_lockdown_whitelistcCsL| tj¡| tj¡| tj¡| tj¡|  tj ¡|  tj ¡dSr() Ú_loader_ipsetsrZFIREWALLD_IPSETSÚ_loader_icmptypesZFIREWALLD_ICMPTYPESÚ_loader_helpersZFIREWALLD_HELPERSÚ_loader_servicesZFIREWALLD_SERVICESÚ _loader_zonesZFIREWALLD_ZONESÚ_loader_policiesZFIREWALLD_POLICIESrOr=r=r>Ú_start_load_stock_config—s      z!Firewall._start_load_stock_configcCsL| tj¡| tj¡| tj¡| tj¡|  tj ¡|  tj ¡dSr() rrZETC_FIREWALLD_IPSETSržZETC_FIREWALLD_ICMPTYPESrŸZETC_FIREWALLD_HELPERSr ZETC_FIREWALLD_SERVICESr¡ZETC_FIREWALLD_ZONESr¢ZETC_FIREWALLD_POLICIESrOr=r=r>Ú_start_load_user_configŸs      z Firewall._start_load_user_configc CsÄ|j ¡D]}|j t |j |¡¡¡q |j ¡D]}|j  t |j  |¡¡¡q4|j  ¡D]}|j   t |j |¡¡¡q^|j ¡D]}|j t |j |¡¡¡qˆ|j ¡D]}|j t |j |¡¡¡q²|j t |j ¡¡¡i}|j ¡D]ª}|j |¡}d|jvr0|j t |j |¡¡¡qøtj  !|j ¡} | |vr|t"ƒ} | | _|  #| j¡|j | _ d| _$d| _%| || <t& 'd| |j tj(|j)¡||  *|¡qø|D]}|j ||¡q¨dS)Nú/Fz"Combining zone '%s' using '%s%s%s')+rrkr Ú add_ipsetrtr•rYrmr4Ú add_icmptyperarlr9Ú add_helperr_rnr5Ú add_servicercÚget_policy_objectsr:Z add_policyÚget_policy_objectr7Zset_permanent_configZ get_directrorerxr6Úadd_zoneÚosÚpathÚbasenamerÚ check_nameÚdefaultZforwardrr…ÚsepršÚcombine) r<r[r4r9r5r:Zcombined_zonesr6Zz_objZ combined_nameZ combined_zoner=r=r>Ú_start_copy_config_to_runtime§s\ÿÿÿÿÿÿ  ÿ  ÿz&Firewall._start_copy_config_to_runtimec Cszttjƒ}tj tj¡rjt dtj¡z | ¡Wn4t yh}zt  dtj|¡WYd}~n d}~00|j  |¡dS)NzLoading direct rules file '%s'z)Failed to load direct rules file '%s': %s) rrZFIREWALLD_DIRECTr­r®Úexistsrr…r‘r’r™Z set_direct)r<rzr–r=r=r>Ú_start_load_direct_rules×s ÿ ÿz!Firewall._start_load_direct_rulescCst|ƒ}|s|j|d|r |s4|j ¡rF|j ¡rF| d¡| ¡|rb|rbt d¡|j   ¡|j |d| d¡| ¡|j ¡r¨|j ¡r¨t d¡|j  ¡t d¡|j |dt d¡|jj|d|jjd|j|dt d¡|jj|d| d¡| ¡dS)N©Úuse_transactionTzUnloading firewall moduleszApplying ipsetszApplying default rule setzApplying used zoneszApplying used policies)rÚflushr ÚbackendsZ has_ipsetsÚexecuteÚclearrr…r3Úunload_firewall_modulesÚapply_default_tablesZ apply_ipsetsÚapply_default_rulesr6Z apply_zonesÚchange_default_zonerFr:Zapply_policies)r<ÚreloadÚcomplete_reloadÚ transactionr=r=r>Ú_start_apply_objectsäs< ÿÿ           ÿ  zFirewall._start_apply_objectsc Cs¨t|ƒ}|j ¡r’t d¡|j |¡z| d¡| ¡WnRty~}z(t|j d|j rb|j ndƒ‚WYd}~nd}~0t y‚Yn0| d¡| ¡dS)Nz2Applying direct chains rules and passthrough rulesTz Direct: %sÚ) rr7Zhas_configurationrr…Z apply_directr»r¼r'Úcoder–r’)r<rÃÚer=r=r>Ú_start_apply_direct_ruless     0  z"Firewall._start_apply_direct_rulescCsÚdD]$}||j ¡vrttjd |¡ƒ‚q|j|j ¡vr~d|j ¡vrNd}nd|j ¡vrbd}nd}t d|j|¡||_nt  d|j¡|j sÖ|  ¡|  ¡|j dkr²d }n|j }| |¡sÖttjd  |j ¡ƒ‚dS) N)ÚblockZdropZtrustedzZone '{}' is not available.ZpublicZexternalrÉz+Default zone '%s' is not valid. Using '%s'.zUsing default zone '%s'Ziptablesr,z'Firewall backend '{}' is not available.)r6ror'r&Ú INVALID_ZONEÚformatrFrr™r…r+r|rrRÚis_backend_enabledr€)r<Úzr6Zbackend_to_checkr=r=r>Ú _start_check's4ÿ  ÿÿzFirewall._start_checkcCs°| ¡| ¡| |j¡|js*| ¡| ¡| ¡| ¡|  ¡|  ¡|jr\dSt   ¡dkrpt   ¡}|j||d| ¡t   ¡dkr¬t   ¡}t  d||¡dS)Nr©rÁrÂéz%Flushing and applying took %f seconds)r˜rœÚ_select_firewall_backendrRr+r†r£r¤r¶r´rÎrZgetDebugLogLevelÚtimerÄrÈZdebug2)r<rÁrÂZtm1Ztm2r=r=r>Ú_startJs&   zFirewall._startcCst| ¡|j ¡|j t |j¡¡| |j¡|j s@|  ¡|  ¡|  ¡|  ¡|j rbdS|j||ddS)zó This is basically _start() with at least the following differences: - built-in defaults for firewalld.conf - no lockdown list - no user config (/etc/firewalld) - no direct rules NrÏ)Úcleanupr*Ú set_defaultsrr”rtr•rÑrRr+r†r£r´rÎrÄ)r<rÁrÂr=r=r>Ú_start_failsafeis  zFirewall._start_failsafecCsèz | ¡WnÆtyÒ}z®t d¡z| ¡d|_| d¡Wnvty¸}z^t |¡t ¡t |¡t d¡z | ¡Wnty–Yn0t   t j ¡WYd}~n d}~00|‚WYd}~nd}~00d|_| d¡dS)NzLFailed to load user configuration. Falling back to full stock configuration.ÚFAILEDÚACCEPTz©Failed to load full stock configuration. This likely indicates a system level issue, e.g. the firewall backend (nftables, iptables) is broken. All hope is lost. Exiting.ÚRUNNING) rÓr’rr™rÖrDÚ set_policyÚ exceptionr¹ÚsysÚexitr&r€)r<Z original_exZnew_exr=r=r>Ústartƒs*       "zFirewall.startccs:tj |¡sdStt |¡ƒD]}| d¡s.q|VqdS)Nú.xml)r­r®ÚisdirÚsortedÚlistdirÚendswith)r<r®ršr=r=r>Ú_loader_config_file_generator¡s   z&Firewall._loader_config_file_generatorcCs†| |¡D]v}t d|tj|¡t||ƒ}|j|j ¡vr`|j  |j¡}t d|j tj|j ¡n|j   tj ¡rtd|_|j |¡q dS)NzLoading service file '%s%s%s'úOverrides '%s%s%s'T)rärr…r­r²rrxrrnrcr®ršÚ startswithÚ ETC_FIREWALLDr±r©©r<r®ršrzÚorig_objr=r=r>r ªs  ÿzFirewall._loader_servicescCs†| |¡D]v}t d|tj|¡t||ƒ}|j|j ¡vr`|j  |j¡}t d|j tj|j ¡n|j   tj ¡rtd|_|j |¡q dS)NzLoading ipset file '%s%s%s'råT)rärr…r­r²r rxrrkrYr®ršrærçr±r¦rèr=r=r>r¸s  ÿzFirewall._loader_ipsetscCs†| |¡D]v}t d|tj|¡t||ƒ}|j|j ¡vr`|j  |j¡}t d|j tj|j ¡n|j   tj ¡rtd|_|j |¡q dS)NzLoading helper file '%s%s%s'råT)rärr…r­r²r"rxrrlr_r®ršrærçr±r¨rèr=r=r>rŸÆs  ÿzFirewall._loader_helperscCs†| |¡D]v}t d|tj|¡t||ƒ}|j|j ¡vr`|j  |j¡}t d|j tj|j ¡n|j   tj ¡rtd|_|j |¡q dS)NzLoading policy file '%s%s%s'råT)rärr…r­r²r#rxrrªr«r®ršrærçr±Zadd_policy_objectrèr=r=r>r¢Ôs  ÿzFirewall._loader_policiescCs†| |¡D]v}t d|tj|¡t||ƒ}|j|j ¡vr`|j  |j¡}t d|j tj|j ¡n|j   tj ¡rtd|_|j |¡q dS)NzLoading icmptype file '%s%s%s'råT)rärr…r­r²rrxrrmrar®ršrærçr±r§rèr=r=r>ržâs  ÿzFirewall._loader_icmptypescCstj |¡sdStt |¡ƒD]ú}| d¡sd| tj¡rtj d||f¡r|j d||fddqd||f}t   d|¡t |||d}|rÀdtj  |¡tj  |¡dd…f|_| |j¡|j|j ¡vrö|j |j¡}t   d |jtj|j¡n|j tj¡r d|_|j |¡qdS) Nrßz%s/%sT)r³zLoading zone file '%s')Z no_check_nameréüÿÿÿrå)r­r®ràrárârãrærrçr¡rr…rr¯rxr°rorer²ršr±r¬)r<r®r³ršrxrzrér=r=r>r¡ðs4   ÿ   þ  ÿzFirewall._loader_zonescCsp|j ¡|j ¡|j ¡|j ¡|j ¡|j ¡|j ¡|j ¡|j  ¡|j  ¡|  ¡dSr() r4rÔr5r6r r9rr7r8r:r*r;rOr=r=r>rÔs          zFirewall.cleanupcCsN|jsB|jr(| ¡|j ¡| d¡|jrBt d¡|j  ¡|  ¡dS)NrØz!Unloading firewall kernel modules) r+rIr¹r rÚrJrr…r3r½rÔrOr=r=r>Ústops    z Firewall.stopc CsÎd}d}t|ƒD]´\}}|r.|j |¡\}}n$|j|dkrBd}n|j |¡\}}|dkrl|d7}||7}q|r’|j |d¡|j|d7<q||jvr|j|d8<|j|dkr|j|=q||fS)NrrÅrÐ)Ú enumerater3Ú load_modulerGZ unload_moduleÚ setdefault) r<Z_modulesÚenableZ num_failedZ error_msgsÚiÚmoduleÚstatusr–r=r=r>Úhandle_modules.s(  zFirewall.handle_modulescCs|dkrd|_dS)Nr F)rV)r<Úbackendr=r=r>rÑHsz!Firewall._select_firewall_backendcCs4| ¡D]}|j|kr|Sqttjd|ƒ‚dS)Nz'%s' backend does not exist)Ú all_backendsrxr'r&r€)r<rxrôr=r=r>Úget_backend_by_nameNs    ÿzFirewall.get_backend_by_namecCs\|jr |jS|dkr |jr |jS|dkr4|jr4|jS|dkrH|jrH|jStt j d|ƒ‚dS©NrirjÚebz-'%s' is not a valid backend or is unavailable) rVr2rAr-rBr/rCr0r'r&Ú INVALID_IPV©r<Úipvr=r=r>Úget_backend_by_ipvUsÿzFirewall.get_backend_by_ipvcCsP|dkr|jr|jS|dkr(|jr(|jS|dkr<|jr<|jSttjd|ƒ‚dSr÷) rAr-rBr/rCr0r'r&rùrúr=r=r>Úget_direct_backend_by_ipvasÿz"Firewall.get_direct_backend_by_ipvcCs<|dkr|jS|dkr|jS|dkr*|jS|dkr8|jSdS)Nr,r.rr F)rArBrCrV)r<rxr=r=r>rÌkszFirewall.is_backend_enabledcCs8|jr dS|dkr|jS|dkr&|jS|dkr4|jSdS)NTrirjrøF)rVrArBrCrúr=r=r>Úis_ipv_enabledvszFirewall.is_ipv_enabledcCsRg}|jr| |j¡n6|jr*| |j¡|jr<| |j¡|jrN| |j¡|Sr() rVrur2rAr-rBr/rCr0©r<rºr=r=r>Úenabled_backendss   zFirewall.enabled_backendscCsPg}|jr| |j¡|jr(| |j¡|jr:| |j¡|jrL| |j¡|Sr() rArur-rBr/rCr0rVr2rÿr=r=r>rõŽs    zFirewall.all_backendsNcCsJ|durt|ƒ}n|}| ¡D]}| || ¡¡q|durF| d¡dS©NT)rrÚ add_rulesZbuild_default_tablesr»)r<r¸rÃrôr=r=r>r¾šs  zFirewall.apply_default_tablescCs¸|durt|ƒ}n|}| ¡D]}| |j¡}| ||¡q| d¡r~| d¡}d| ¡vr~|jdkr~|  |j¡}| ||¡| d¡r¢|j r¢|  ¡}| ||¡|dur´|  d¡dS)NrjÚrawrˆT) rrZbuild_default_rulesrNrrþrür~rKZbuild_rpfilter_rulesrTZbuild_rfc3964_ipv4_rulesr»)r<r¸rÃrôÚrulesZ ipv6_backendr=r=r>r¿¦s"          zFirewall.apply_default_rulescCs|jr|j ¡sdSdS)NTF)rVr7Zhas_runtime_configurationrOr=r=r>Úmay_skip_flush_direct_backends¾sz'Firewall.may_skip_flush_direct_backendscCs\|durt|ƒ}n|}| ¡D]&}|| ¡vr0q| ¡}| ||¡q|durX| d¡dSr)rrõrÚbuild_flush_rulesrr»©r<r¸rÃrôrr=r=r>Úflush_direct_backendsÄs   zFirewall.flush_direct_backendscCsl|durt|ƒ}n|}t d¡| ¡s4|j|d| ¡D]}| ¡}| ||¡q<|durh| d¡dS)NzFlushing rule setr·T) rrr…rrrrrr»rr=r=r>r¹Ós    zFirewall.flushcCs<|dvs J‚|dur0|dkr dnd}|||dœ}| ||¡S)N)rØÚDROPÚPANICrØr )ZINPUTZOUTPUTZFORWARD)Zbuild_set_policy_rules)r<rôr:Úpolicy_detailsZdpr=r=r>Ú_set_policy_build_rulesås ýz Firewall._set_policy_build_rulescCs||durt|ƒ}n|}t d||dkr8dt |¡›dnd¡| ¡D]}| |||¡}| ||¡qF|durx| d¡dS)NzSetting policy to '%s'%sr z (ReloadPolicy=ú)rÅT) rrr…rZ_unparse_reload_policyrr rr»)r<r:r r¸rÃrôrr=r=r>rÚðs ÿû zFirewall.set_policycCsB|sdS| |¡}|s&ttjd|ƒ‚| |¡s4dS| ||j¡S)NrÅú'%s' is not a valid backend)rör'r&rùrÌÚset_rulerN)r<Ú backend_nameÚrulerôr=r=r>rs ÿ z Firewall.rulec Csttd|ƒƒ}| |¡}|s,ttjd|ƒ‚| |¡s:dS|jsZ|jrZ|dkr|j j st |ƒD]ž\}}z|  ||j ¡Wqbtyþ}zjt t ¡¡t |¡t|d|…ƒD]0}z|  | |¡|j ¡Wq´tyâYq´0q´|‚WYd}~qbd}~00qbn| ||j ¡dS)Nrr)Úlistr}rör'r&rùrÌrMr‚r0r„rìrrNr’rr…Ú tracebackÚ format_excr™ÚreversedZ reverse_ruleZ set_rules) r<rrZ_rulesrôrðrr–Zrruler=r=r>rs8 ÿ ÿþþ  zFirewall.rulescCs|jrttjƒ‚dSr()rEr'r&Z PANIC_MODErOr=r=r>Ú check_panic5szFirewall.check_paniccCs"|}||j ¡vrttj|ƒ‚|Sr()r:Z get_policiesr'r&ZINVALID_POLICY)r<r:Z_policyr=r=r>Ú check_policy9s zFirewall.check_policycCs6|}|r|dkr| ¡}||j ¡vr2ttj|ƒ‚|S)NrÅ)Úget_default_zoner6ror'r&rÊ)r<r6Ú_zoner=r=r>Ú check_zone?s   zFirewall.check_zonecCst |¡sttj|ƒ‚dSr()rZcheckInterfacer'r&ZINVALID_INTERFACE)r<Ú interfacer=r=r>Úcheck_interfaceGs zFirewall.check_interfacecCs|j |¡dSr()r5Ú check_service)r<r5r=r=r>rKszFirewall.check_servicecCst |¡sttj|ƒ‚dSr()rÚ check_portr'r&Z INVALID_PORT)r<Úportr=r=r>rNs zFirewall.check_portcCs*|sttjƒ‚|dvr&ttjd|ƒ‚dS)N)ZtcpZudpZsctpZdccpz''%s' not in {'tcp'|'udp'|'sctp'|'dccp'})r'r&ZMISSING_PROTOCOLZINVALID_PROTOCOL)r<Zprotocolr=r=r>Ú check_tcpudpRs ÿÿzFirewall.check_tcpudpcCst |¡sttj|ƒ‚dSr()rZcheckIPr'r&Ú INVALID_ADDR)r<Úipr=r=r>Úcheck_ipZs zFirewall.check_ipcCsP|dkr t |¡sLttj|ƒ‚n,|dkr@t |¡sLttj|ƒ‚n ttjdƒ‚dS)Nrirjz'%s' not in {'ipv4'|'ipv6'})rZ checkIPnMaskr'r&r!Z checkIP6nMaskrù)r<rûÚsourcer=r=r>Ú check_address^s  ÿzFirewall.check_addresscCs|j |¡dSr()r4Úcheck_icmptype)r<Zicmpr=r=r>r&iszFirewall.check_icmptypecCs>t|tƒstd|t|ƒfƒ‚t|ƒdkr:ttjd|ƒ‚dS)Nz%s is %s, expected intrz#timeout '%d' is not positive number)Ú isinstanceÚintÚ TypeErrorÚtyper'r&Ú INVALID_VALUE)r<Útimeoutr=r=r>Ú check_timeoutls   ÿzFirewall.check_timeoutc CsÔt|ƒ|j}|j ¡}|j}|j}|s`i}|j ¡D]}|j |¡j ||<q6|j   ¡}|  ¡} g} |j  ¡D]} |  |j | ¡¡qn|sªt |j d¡¡} |jd| d| ¡| ¡d} z|jd|dWn(tyø}z|} WYd}~n d}~00|r8| D]2}|j |j¡s|jr|s|j |j¡q|sÀ|  ¡}|| krœ||vrbi||<|| D]0}||jvrj|| ||||<|| |=qj|j ¡D]B}||vrÚ||D]}|j ||¡q¼||=n t  !d|¡q¦t"|ƒdkrt#| $¡ƒD]}t  !d|¡||=q~| D]Ž}|j |j¡r–|j%D]T}z|j &|j|¡Wn8t'yŽ}z|j(t)j*krz|‚WYd}~n d}~00q>n|j +|¡|j ,|j¡q$|j  -|¡t.ƒ}|r|j ¡d gD](}t/|ƒD]}|jj|||d qèqÜ||_|js| d ¡|js¸||jkr¸|d krd| 0|j1d ¡D]}|j1 2||j3¡qJnT| 0|j4d ¡D]}|j4 2||j3¡qr|j5r¸| 0|j6d ¡D]}|j6 2||j3¡q | rÊd |_7| ‚nd|_7dS)NZ ReloadPolicyr )r TrÏzNew zone '%s'.rz(Lost zone '%s', zone interfaces dropped.rÅ)ZsenderrØr r×rÙ)8r$rEr Zomit_native_ipsetrRrSr6roreÚ interfacesr7Zget_runtime_configrrkrurYrZ_parse_reload_policyr*rprÚr¹rÔrÓr’Z query_ipsetrxrLr1Z set_destroyrQÚchange_zone_of_interfacerrÚlenrÚkeysÚentriesZ add_entryr'rÆr&ÚALREADY_ENABLEDr¦Z apply_ipsetZ set_configrrr r2rrNr-rBr/rD)r<rërEZ_omit_native_ipsetZold_firewall_backendZ flush_allZ_zone_interfacesr6Z_direct_configÚ_old_dzZ _ipset_objsÚ_nameZ reload_policyZstart_exceptionrÇrzZ_new_dzÚifaceZ interface_idÚentryr–Z nm_bus_namerrr=r=r>rÁus´   ÿ     ÿ            ÿÿÿzFirewall.reloadcCs|jSr()rDrOr=r=r>Ú get_stateszFirewall.get_statec Cs\|jrttjdƒ‚z| d¡Wn0tyP}zttj|ƒ‚WYd}~n d}~00d|_dS)Nzpanic mode already enabledr T)rEr'r&r3rÚr’ÚCOMMAND_FAILEDr›r=r=r>Úenable_panic_modesÿ"zFirewall.enable_panic_modec Cs\|jsttjdƒ‚z| d¡Wn0tyP}zttj|ƒ‚WYd}~n d}~00d|_dS)Nzpanic mode is not enabledrØF)rEr'r&Z NOT_ENABLEDrÚr’r9r›r=r=r>Údisable_panic_modesÿ"zFirewall.disable_panic_modecCs|jSr()rErOr=r=r>Úquery_panic_modeszFirewall.query_panic_modecCs|jSr()rNrOr=r=r>Úget_log_denied!szFirewall.get_log_deniedcCsb|tjvr&ttjd|d tj¡fƒ‚|| ¡krR||_|j  d|¡|j  ¡n ttj |ƒ‚dS)Nz'%s', choose from '%s'z','r) rZLOG_DENIED_VALUESr'r&r+Újoinr=rNr*rqÚwriteZ ALREADY_SET)r<r—r=r=r>Úset_log_denied$s ÿÿ  zFirewall.set_log_deniedcCs|jSr()rFrOr=r=r>r3szFirewall.get_default_zonecCsŽ| |¡}||jkr~|j}||_|j d|¡|j ¡|jrBdS|j ||¡|j |¡j D]}||j vr^|j  d|¡q^n t t j|ƒ‚dS)Nr‡rÅ)rrFr*rqr?r+r6rÀrer.rQr/r'r&ZZONE_ALREADY_SET)r<r6rr4r6r=r=r>Úset_default_zone6s    zFirewall.set_default_zonecCsD| ¡}| ¡D].\}}|s&t|tƒr0|||<q||vr||=q|Sr()rtryr'Úbool)r<Z permanentrhZcombinedÚkeyr—r=r=r>Ú'combine_runtime_with_permanent_settingsMs z0Firewall.combine_runtime_with_permanent_settingscCs,dD]"}||vrdd„||Dƒ||<qi}i}t| ¡ƒt| ¡ƒBD]Ú}||vrHt||tƒr°t||vrt||ngƒ}tt||ƒ|ƒ||<t|t||ƒA|@ƒ||<qHt||tƒsÎt||tƒr||sè||rèd||<n||r"||s"d||<qHttjd  t ||ƒ|¡ƒ‚qH||fS)N)Z rich_rulesZ rules_strcSsg|]}tt|dƒ‘qS))Úrule_str)Ústrr%)rZrEr=r=r>Ú _r]z;Firewall.get_added_and_removed_settings..TFz Unhandled setting type {} key {}) rqr1r'rrBr(r'r&ZINVALID_SETTINGrËr*)r<Z old_settingsZ new_settingsZrich_keyZ add_settingsZremove_settingsrCÚoldr=r=r>Úget_added_and_removed_settings[s$  z'Firewall.get_added_and_removed_settings)F)FF)FF)FF)F)N)N)N)N)N)NN)F)KÚ__name__Ú __module__Ú __qualname__r?rPr;rvrrFrrr|rr†r˜rœr£r¤r´r¶rÄrÈrÎrÓrÖrÞrär rrŸr¢ržr¡rÔrërórÑrörürýrÌrþrrõr¾r¿rrr¹r rÚrrrrrrrrr r#r%r&r-rÁr8r:r;r<r=r@rrArDrIr=r=r=r>rFsŠ  %*Gd0 .#    "                )IÚ__all__r­rÜrtrÒrÚtypingrrZfirewallrrZ firewall.corerrr r r Zfirewall.core.fw_icmptyper Zfirewall.core.fw_servicer Zfirewall.core.fw_zonerZfirewall.core.fw_directrZfirewall.core.fw_configrZfirewall.core.fw_policiesrZfirewall.core.fw_ipsetrZfirewall.core.fw_transactionrZfirewall.core.fw_helperrZfirewall.core.fw_policyrZfirewall.core.fw_nmrrZfirewall.core.loggerrZfirewall.core.io.io_objectrZfirewall.core.io.firewalld_confrZfirewall.core.io.directrZfirewall.core.io.servicerZfirewall.core.io.icmptyperZfirewall.core.io.zonerrZfirewall.core.io.ipsetr Zfirewall.core.ipsetr!Zfirewall.core.io.helperr"Zfirewall.core.io.policyr#Zfirewall.core.io.functionsr$Zfirewall.core.richr%r&Zfirewall.errorsr'Úobjectrr=r=r=r>ÚsP