[Mis-extracted binary content: this page is a compiled Python 3.9 bytecode (.pyc) rendering of /usr/lib/python3.9/site-packages/firewall/core/ipXtables.py from firewalld, not readable source. Only identifiers and string literals survive extraction.]

Recoverable module structure:
- Imports: os.path, copy, string; firewall.core.prog.runProg; firewall.core.logger.log; firewall.functions (tempFile, readfile, splitArgs, check_mac, portStr, check_single_address, check_address, normalizeIP6); firewall.config; firewall.errors (FirewallError, INVALID_PASSTHROUGH, INVALID_RULE, UNKNOWN_ERROR, INVALID_ADDR); firewall.core.rich (Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark, Rich_NFLog, Rich_Masquerade, Rich_ForwardPort, Rich_IcmpBlock, Rich_Tcp_Mss_Clamp); firewall.core.base.DEFAULT_ZONE_TARGET.
- Module constants: POLICY_CHAIN_PREFIX; BUILT_IN_CHAINS (per-table built-in chain lists for the security, raw, mangle, nat and filter tables); DEFAULT_REJECT_TYPE (ipv4: icmp-host-prohibited, ipv6: icmp6-adm-prohibited); ICMP (ipv4: icmp, ipv6: ipv6-icmp).
- Module functions with their docstrings: common_reverse_rule ("Inverse valid rule"), common_reverse_passthrough ("Reverse valid passthrough rule"), common_check_passthrough ("Check if passthrough rule is valid (only add, insert and new chain rules are allowed)").
- class ip4tables(object): ipv "ipv4", name "ip4tables", policies_supported True; methods include __init__, fill_exists, __run, _rule_replace, is_chain_builtin, build_chain_rules, build_rule, reverse_rule, check_passthrough, reverse_passthrough, passthrough_parse_table_chain, _run_replace_zone_source, _set_rule_replace_priority, set_rules, set_rule, get_available_tables, _detect_wait_option, _detect_restore_wait_option, build_flush_rules, build_set_policy_rules, supported_icmp_types, build_default_tables, build_default_rules, get_zone_table_chains, build_policy_ingress_egress_rules, build_zone_source_interface_rules, _rule_addr_fragment, build_zone_source_address_rules, build_policy_chain_rules, _rule_limit, _rich_rule_chain_suffix, _rich_rule_chain_suffix_from_log, _rich_rule_priority_fragment, _rich_rule_log, _rich_rule_audit, _rich_rule_action, _rich_rule_destination_fragment, _rich_rule_source_fragment, build_policy_ports_rules, build_policy_protocol_rules, build_policy_tcp_mss_clamp_rules, build_policy_source_ports_rules, build_policy_helper_ports_rules, build_zone_forward_rules, build_policy_masquerade_rules, build_policy_forward_port_rules, build_policy_icmp_block_rules, build_policy_icmp_block_inversion_rules, build_policy_rich_source_destination_rules, is_ipv_supported.
- class ip6tables(ip4tables): ipv "ipv6", name "ip6tables"; adds build_rpfilter_rules and build_rfc3964_ipv4_rules (the latter rejects traffic to the RFC 3964 IPv4-mapped and 6to4 prefixes listed in the bytecode string table).