a è iµ/ã@sÊdZgd¢ZddlZddlZddlmZddlmZddl m Z ddl m Z ddl mZmZdd lmZd Zgd ¢Zd d d ddœZddddœZGdd„deƒZdd„Zdd„Zdd„Zdd„Zdd„ZdS) zThe ipset command wrapper)ÚipsetÚcheck_ipset_nameÚremove_default_create_optionséN)Úerrors)Ú FirewallError)ÚrunProg)Úlog)ÚtempFileÚreadfile)ÚCOMMANDSé ) zhash:ipz hash:ip,portzhash:ip,port,ipzhash:ip,port,netz hash:ip,markzhash:netz hash:net,netz hash:net,portzhash:net,port,netzhash:net,ifacezhash:macz inet|inet6Úvaluez value in secs)ÚfamilyÚhashsizeÚmaxelemÚtimeoutZinetZ1024Z65536)rrrc@s¢eZdZdZdd„Zdd„Zdd„Zdd „Zd%d d „Zd d„Z dd„Z dd„Z d&dd„Z d'dd„Z dd„Zd(dd„Zd)dd„Zdd„Zdd „Zd!d"„Zd#d$„Zd S)*rzipset command wrapper classcCstd|_d|_dS)Nr)r Ú_commandÚname©Úself©rú7/usr/lib/python3.9/site-packages/firewall/core/ipset.pyÚ__init__Ks zipset.__init__cCs^dd„|Dƒ}t d|j|jd |¡¡t|j|ƒ\}}|dkrZtd|jd |¡|fƒ‚|S)zCall ipset with argscSsg|] }d|‘qS)ú%sr)Ú.0ÚitemrrrÚ Rózipset.__run..z %s: %s %sú rú'%s %s' failed: %s)rÚdebug2Ú __class__rÚjoinrÚ ValueError)rÚargsÚ_argsÚstatusÚretrrrZ__runOs ÿz ipset.__runcCs t|ƒtkrttjd|ƒ‚dS)zCheck ipset namezipset name '%s' is not validN)ÚlenÚIPSET_MAXNAMELENrrZ INVALID_NAME)rrrrrÚ check_nameZs ÿzipset.check_namecCs(t|ƒtks|tvr$ttjd|ƒ‚dS)zCheck ipset typez!ipset type name '%s' is not validN)r(r)Ú IPSET_TYPESrrZ INVALID_TYPE)rÚ type_namerrrÚ check_type`sÿzipset.check_typeNcCs`| |¡| |¡d||g}t|tƒrV| ¡D]$\}}| |¡|dkr0| |¡q0| |¡S)z+Create an ipset with name, type and optionsÚcreateÚ)r*r-Ú isinstanceÚdictÚitemsÚappendÚ _ipset__run)rÚset_namer,Úoptionsr$ÚkeyÚvalrrrÚ set_createfs      zipset.set_createcCs| |¡| d|g¡S)NZdestroy)r*r4)rr5rrrÚ set_destroyss zipset.set_destroycCsd||g}| |¡S)NÚadd©r4©rr5Úentryr$rrrÚset_addws z ipset.set_addcCsd||g}| |¡S)NÚdelr<r=rrrÚ set_delete{s zipset.set_deletecCs,d||g}|r"| dd |¡¡| |¡S)NÚtestrr)r3r"r4)rr5r>r6r$rrrrBs z ipset.testcCs2dg}|r| |¡|r"| |¡| |¡ d¡S)NÚlistÚ )r3Úextendr4Úsplit)rr5r6r$rrrÚset_list…s   zipset.set_listc Cs4|jdgd}i}d}}i}|D] }t|ƒdkr6q"dd„| dd¡Dƒ}t|ƒdkr\q"q"|d d krr|d}q"|d d krˆ|d}q"|d d kr"|d ¡}d } | t|ƒkr|| } | d vrøt|ƒ| krä| d7} || || <nt d|¡iS| d7} q¤|r|r|t|ƒf||<d}}| ¡q"|S)z" Get active ipsets (only headers) z-terse)r6NécSsg|] }| ¡‘qSr)Ústrip©rÚxrrrr—rz.ipset.set_get_active_terse..ú:érÚNameÚTypeZHeader)rrrrÚnetmaskz&Malformed ipset list -terse output: %s)rGr(rFrÚerrorrÚclear) rÚlinesr'Ú_nameZ_typeÚ_optionsÚlineZpairZsplitsÚiÚoptrrrÚset_get_active_tersesF          ÿ  ÿ zipset.set_get_active_tersecCsdg}|r| |¡| |¡S)NÚsave©r3r4©rr5r$rrrrZ´s z ipset.savec CsÜ| |¡| |¡tƒ}d|vr*d|}d||dg}|rh| ¡D]$\}} | |¡| dkrB| | ¡qB| dd |¡¡| d|¡|D]F} d| vr¢d| } |rÂ| d|| d |¡f¡qŽ| d || f¡qŽ| ¡t  |j ¡} t   d |j |jd |j | jf¡d g}t|j||j d \} } t  ¡dkr¨zt|j ƒWntyVYnR0d}t|j ƒD]@}t jd||fddd| d¡sœt jddd|d7}qft |j ¡| dkrØtd|jd |¡| fƒ‚| S)Nrz'%s'r.z-existr/z%s z flush %s z add %s %s %s z add %s %s z%s: %s restore %sz%s: %dZrestore)ÚstdinrMrHz%8d: %sr)ÚnofmtÚnlrD)r^r)r*r-r r2r3Úwriter"ÚcloseÚosÚstatrrr r!rÚst_sizerZgetDebugLogLevelr Ú ExceptionZdebug3ÚendswithÚunlinkr#)rr5r,ÚentriesZcreate_optionsZ entry_optionsZ temp_filer$r7r8r>rcr&r'rWrVrrrÚ set_restoreºs^     ÿ ÿÿ      ÿzipset.set_restorecCsdg}|r| |¡| |¡S)NÚflushr[r\rrrÚ set_flushòs zipset.set_flushcCs| d||g¡S)NÚrenamer<)rZ old_set_nameZ new_set_namerrrrløsz ipset.renamecCs| d||g¡S)NÚswapr<)rZ set_name_1Z set_name_2rrrrmûsz ipset.swapcCs | dg¡S)NÚversionr<rrrrrnþsz ipset.version)N)N)NN)N)NN)Ú__name__Ú __module__Ú __qualname__Ú__doc__rr4r*r-r9r:r?rArBrGrYrZrirkrlrmrnrrrrrHs&    ' ÿ 8rcCst|ƒtkrdSdS)z"Return true if ipset name is validFT)r(r))rrrrrs rcCs4| ¡}tD]"}||vr t|||kr ||=q |S)z( Return only non default create options )ÚcopyÚIPSET_DEFAULT_CREATE_OPTIONS)r6rUrXrrrrsÿrc Csbg}| d¡D]H}z&| d¡| ttj|ddƒ¡WqtyT| |¡Yq0qd |¡S)z! Normalize IP addresses in entry ú,ú/F©Ústrict)rFÚindexr3ÚstrÚ ipaddressÚ ip_networkr#r")r>Z_entryZ_partrrrÚnormalize_ipset_entrys  r}cCstt| d¡ƒdkrdSztj|dd}Wnty<YdS0|D],}| tj|dd¡rBttjd  ||¡ƒ‚qBdS)z: Check if entry overlaps any entry in the list of entries rurHNFrwz,Entry '{}' overlaps with existing entry '{}') r(rFr{r|r#ÚoverlapsrrÚ INVALID_ENTRYÚformat)r>rhZ entry_networkÚitrrrrÚcheck_entry_overlaps_existings r‚cCszzdd„|Dƒ}Wnty&YdS0t|ƒdkr8dS| ¡| d¡}|D]&}| |¡rpttjd ||¡ƒ‚|}qNdS)z> Check if any entry overlaps any entry in the list of entries cSsg|]}tj|dd‘qS)Frw)r{r|rJrrrr0rz1check_for_overlapping_entries..NrzEntry '{}' overlaps entry '{}') r#r(ÚsortÚpopr~rrrr€)rhZ prev_networkZcurrent_networkrrrÚcheck_for_overlapping_entries-s  2  r…)rrÚ__all__Zos.pathrbr{ZfirewallrZfirewall.errorsrZfirewall.core.progrZfirewall.core.loggerrZfirewall.functionsr r Zfirewall.configr r)r+ZIPSET_CREATE_OPTIONSrtÚobjectrrrr}r‚r…rrrrÚs6     ü ý;