a iɆ%@sddlZddlZddlZddlmZddlmZmZmZm Z m Z ddl m Z m Z mZmZmZmZmZddlmZmZmZmZmZmZmZmZmZddlmZddlm Z dZ!e!d d Z"e!d d Z#d Z$d Z%iddde%fidde%fdde%fdde%fddde%fdde%fdde%fdde%fddZ&dEddZ'e'ddde'dde'dde'dd e'ddd!e'ddd"e'ddd e'dd#d$e'ddd%e'ddd$e'dd&d$e'ddd'e'dd#de'ddd(e'ddde'dd&e'ddd)e'ddd*e'ddd+e'dd#e'dd&d$e'dd,e'dd-e'dd.e'ddd/e'dd0e'dd1e'dd2e'dd#d)e'ddd3e'dd#d+e'ddd4e'dd0d$e'dd0dd5"e'd6dd)e'd6d&de'd6dd+e'd6dd$e'd6de'd6de'd6d e'd6dd/e'd6d7e'd6d8e'd6d9e'd6d:e'd6d;e'd6d<e'd6dde'd6d=e'd6d&e'd6dd!e'd6d>e'd6dd(e'd6d?e'd6d@e'd6d0e'd6d0d$e'd6d0de'd6d&d$e'd6d&d+dAdBZ(GdCdDdDe)Z*dS)FN)log) check_mac getPortRange normalizeIP6check_single_address check_address) FirewallError UNKNOWN_ERROR INVALID_RULEINVALID_ICMPTYPE INVALID_TYPE INVALID_ENTRY INVALID_PORT) Rich_Accept Rich_Reject Rich_Drop Rich_MarkRich_MasqueradeRich_ForwardPortRich_IcmpBlockRich_Tcp_Mss_Clamp Rich_NFLog)DEFAULT_ZONE_TARGET)NftablesZ firewalld_Z policy_dropZprobeZpolicy_ PREROUTING preroutingijiZ postroutingdoutput)r POSTROUTINGOUTPUTinputZforward)rINPUTFORWARDr!)rawmanglenatfiltercCsHdd|ddid|dig}|durD|dd|ddid|di|S)Nmatchpayloadtypeprotocolfield==leftoprightcode)append)r-r+r4 fragmentsr7:/usr/lib/python3.9/site-packages/firewall/core/nftables.py_icmp_types_fragmentsTs  r9icmpdestination-unreachable echo-reply echo-requestredirectparameter-problemrouter-advertisementrouter-solicitation source-quench time-exceededtimestamp-replytimestamp-request )"communication-prohibitedr;r=r>zfragmentation-neededzhost-precedence-violationhost-prohibitedz host-redirectz host-unknownhost-unreachablez ip-header-badznetwork-prohibitedznetwork-redirectznetwork-unknownznetwork-unreachablerDport-unreachablezprecedence-cutoffzprotocol-unreachablerAzrequired-option-missingrJrKrLzsource-route-failedrNrOrPztos-host-redirectztos-host-unreachableztos-network-redirectztos-network-unreachablettl-zero-during-reassemblyttl-zero-during-transiticmpv6mld-listener-donemld-listener-querymld-listener-reportmld2-listener-reportznd-neighbor-advertnd-neighbor-solicitpacket-too-bigz nd-redirectnd-router-advertznd-router-solicit)zaddress-unreachablez bad-headerz beyond-scoperSr;r=r>z failed-policyrZr[r\r]zneighbour-advertisementzneighbour-solicitationno-router_rDrVrAz reject-routerJrKrNrWrXzunknown-header-typezunknown-optionipv4ipv6c@sheZdZdZdZddZddZddZdd Zd d Z d d Z ddZ ddZ ddZ dddZddZddZddZddZdd Zdd!d"Zd#d$Zdd&d'Zd(d)Zd*d+Zdd-d.Zd/d0Zd1d2Zd3d4Zd5d6Zd7d8Zd9d:Zd;d<Z d=d>Z!d?d@Z"dAdBZ#dCdDZ$dEdFZ%dGdHZ&dIdJZ'dKdLZ(dMdNZ)ddOdPZ*dQdRZ+dSdTZ,dUdVZ-dWdXZ.ddYdZZ/dd[d\Z0dd]d^Z1dd_d`Z2dadbZ3ddcddZ4ddedfZ5ddgdhZ6didjZ7ddkdlZ8dmdnZ9ddodpZ:dqdrZ;dsdtZddydzZ?dd{d|Z@d}d~ZAdddZBddZCddZDddZEddZFddZGddZHddZIdddZJdS)nftablesTcCsZ||_d|_d|_g|_i|_i|_i|_i|_i|_t |_ |j d|j ddS)NTF) _fwZrestore_command_existssupports_table_ownerZavailable_tablesrule_to_handlerule_ref_countrich_rule_priority_countspolicy_priority_countszone_source_index_cacherreset_echo_outputZset_handle_output)selffwr7r7r8__init__s znftables.__init__cCszddddiidddtdd gd iigi}|j|\}}}|rHtd ddddiid ddtd iigi}|jd|j|\}}}|jd|dddd}|dddtd ii|jd|vsd |vrtd t dd|_ Wnt dd|_ Yn0dS)Nremetainfojson_schema_versionrBaddtableinetownerpersist)familynameflagsz!nftables probe table owner failedlistrxryFTrzdeletez3nftables: probe_support(): owner flag is supported.z7nftables: probe_support(): owner flag is NOT supported.) TABLE_NAME_PROBErejson_cmd ValueErrorrmset_rulerfget_log_deniedrdebug2rg)rnrulesrcrrrzr7r7r8_probe_support_table_ownersH       z#nftables._probe_support_table_ownercCs |dSN)rrnr7r7r8 probe_supportsznftables.probe_supportcCsxdD]}||vrqqd||dvr^||ddd||dddf}||dd=n(d||dvrd}||dd=ndS||dd}|r|dkr||vr|||vr|||n|dkrt||vrg||<|r&|||vr|||||jd d d |||}n t||}||}||=|d krT||d <n |d8}||d<||ddd<dS)Nrsinsertr}%%ZONE_SOURCE%%rulezoneaddress%%ZONE_INTERFACE%%rxr}cSs|dS)Nrr7)xr7r7r8 z3nftables._run_replace_zone_source..)keyrrrBrsindex)remover5sortrlen)rnrrlverbZ zone_sourcerxr _verb_snippetr7r7r8_run_replace_zone_sourcesD      z!nftables._run_replace_zone_sourcecCsBd|vrdt|diSd|vr4dt|diSttddS)Nrr}rszFailed to reverse rule)copydeepcopyrr )rndictr7r7r8 reverse_rules znftables.reverse_rulec CsdD]}||vrqq|||dvr||d|}||d|=t|tkr\ttd||dd||ddf}|dkr||vs|||vs|||dkrttd|||d 8<n||vri||<|||vrd|||<d}t||D]J}||kr"|d kr"qP||||7}||kr|d krqPq|||d 7<||} ||=|dkr| |d <n |d 8}| |d <||d dd <dS) Nrrz%priority must be followed by a numberrxchainr}rz*nonexistent or underflow of priority countrBrrsr)r+intrr r sortedkeys) rnrZpriority_countstokenrpriorityrrprr7r7r8_set_rule_replace_priority sH          z#nftables._set_rule_replace_prioritycCsbdD]X}||vrd||vrt||d}dD]}||vr2||=q2tj|dd}|SqdS)Nrr)rhandleZpositionT)Z sort_keys)rrjsondumps)rnrrrule_keyZnon_keyr7r7r8 _get_rule_keyNs znftables._get_rule_keycCsXgd}gd}g}g}t|j}t|j}t|j} |j} |D]} t| tkrjtt d| |D]} | | vrnqqn| | vrtt d| | | } | | vr4t d|j| | | | dkr| | d7<qJnV| | dkr| | d8<qJn6| | dkr| | d8<ntt d| | | fn| rL| dkrLd| | <|| t| }| rttd|| d d || d d <|||d |||d ||| | dkrdd |dd d |dd d|dd d|j| dii}||qJddddiig|i}t dkrDt d|jt||j|\}}}|dkrxtdd|t|f||_||_| |_| |_d}|D]} |d7}| | } | sqd| vr|j| =|j| =q|D]} | |d|vrqq| |d|vrqt|d|| d dkr2q|d|| d d|j| <qdS)N)rsrr}flushreplace)rsrrz#rule must be a dictionary, rule: %szno valid verb found, rule: %sz%s: prev rule ref cnt %d, %sr}rBz)rule ref count bug: rule_key '%s', cnt %drexpr%%RICH_RULE_PRIORITY%%%%POLICY_PRIORITY%%rxrtr)rxrtrrrerqrrrGz.%s: calling python-nftables with JSON blob: %srz'%s' failed: %s JSON blob: %szpython-nftablesr)rrrjrkrlrir+rrr r rrr __class__r5r{r(rrrhZgetDebugLogLevelZdebug3rrrerrTABLE_NAME_POLICY)rnr log_deniedZ _valid_verbsZ_valid_add_verbsZ_deduplicated_rulesZ_executed_rulesrjrkrlrirrrZ_ruleZ json_blobrrerrorrr7r7r8 set_rules\s             &         znftables.set_rulescCs||g|dS)N)r)rnrrr7r7r8rsznftables.set_ruleNcCs|r |gStSr)IPTABLES_TO_NFT_HOOKrrnrtr7r7r8get_available_tablessznftables.get_available_tablescCsBddd|dii}|tkr<|jjr<|jr| d d d d iidd| idi| rf| d d d diidd| idi|r|D]}| d|qp|r|D]}| d|qfdd}g}| r| D]:}| r| D]}||||qn|||dqn4| r6| D]}||d|qn||dd|S)Nrprepostr'r TFrB+r)rrrr/*r0rrsaddrdaddrcs|rT|rTd|ddvrTd|ddvrT|dddd|ddddkrTdSg}|rf|||rt|||dddfiidtd f|d }|rd d |iiSd d |iiSdS)Nr*r)r1r-rrrruz%s_%s_POLICIES_%srrsrr})r5rr_policy_priority_fragment)ingress_fragmentegress_fragmentexpr_fragmentsr_policyr chain_suffixrp_objrnrtr7r8_generate_policy_dispatch_ruleRs0    zRnftables.build_policy_ingress_egress_rules.._generate_policy_dispatch_rule) rfr get_policyrpolicy_base_chain_namePOLICY_CHAIN_PREFIXrr5_rule_addr_fragment)rnrrrtrZingress_interfacesZegress_interfacesZingress_sourcesZegress_sourcesisSNATZingress_fragmentsZegress_fragmentsZ$ingress_interfaces_without_wildcardsZ#egress_interfaces_without_wildcardsZingress_interfaceZegress_interfacesrcdstrrrrr7rr8!build_policy_ingress_egress_rules!sf      z*nftables.build_policy_ingress_egress_rulesFcCsN|dkr|dkrdnd}|jjj||t|d} dddddd|} |t|d d krn|dt|d d }d } |d kr| d d|| fiig} n,ddd| iid|di| d d|| fiig} |r|sd} dtd||f| d}||nP|rd} dtd||f| d}n.d} dtd||f| d}|s@||| d|iigS)Nr'r TFrrrrr r#r$r!rBrrgotorrr)rrr/r0rru %s_%s_ZONESrrsr}r)rfrrrrrr_zone_interface_fragment)rnrrr interfacertrr5rroptactionrrrr7r7r8!build_zone_source_interface_rulessZ    z*nftables.build_zone_source_interface_rulesc Cs|dkr|dkrdnd}|jjj||t|d}ddd|} d d d d d d |} d } d td||f|| || dd||fiigd} | |||| d| iigS)Nr'r TFr rr}rrrr rrurrrrr)rfrrrrrr_zone_source_fragment) rnrrrrrtrrrrrrrr7r7r8build_zone_source_address_ruless*  z(nftables.build_zone_source_address_rulescCspddd|}|dkr"|dkr"dnd}|jjj||t|d}|jj|}g} | |d d td ||fd iid D](} | |d d td||| fd iiqt|jr| ddd td ||fddd||dfiigdiid D]<} | |dd td ||fddd||| fiigdiiq|jr^| ddd td ||fddd||dfiigdii|jjj|j } |j dkr|dkr| t dddfvr| } | t dfvrd} | |dd td ||f| |j ddd|| fiigdii|dkr^| t ddddfvr^| t ddfvr,| } n | di} | |dd td ||f| gdii|sl| | S)Nrsr}rr'r TFr rrurr)rrdenyallowr%s_%s_%srrrrrrrr(rz %%REJECT%%rrrzfilter_%s_%s: r)rfrrrrr5rZderived_from_zoneZ _policiesrrrr_reject_fragmentrreverse)rnrrrtrrrrrrrrZ log_suffixtarget_fragmentr7r7r8build_policy_chain_rulessx                      z!nftables.build_policy_chain_rulescCs<|dkr iS|dvr,ddddiid|diSttd |dS) Nall)unicast broadcastZ multicastr)rrpkttyper/r0zInvalid pkttype "%s"rr )rnr!r7r7r8rs z nftables._pkttype_match_fragmentcCsddddiddddiddddiddddiddddiddddiddddiddddiddddiddddiddd diddd diddd diddd didd d diddd diddd diddd diddd diddddiddddidddiidddiid}||S)Nrr:rTrznet-prohibitedrrYznet-unreachablerUrVrzprot-unreachablezaddr-unreachablerar+z tcp reset)zicmp-host-prohibitedz host-prohibzicmp-net-prohibitedz net-prohibzicmp-admin-prohibitedz admin-prohibzicmp6-adm-prohibitedzadm-prohibitedzicmp-net-unreachablez net-unreachzicmp-host-unreachablez host-unreachzicmp-port-unreachablezicmp6-port-unreachablez port-unreachzicmp-proto-unreachablez proto-unreachzicmp6-addr-unreachable addr-unreachzicmp6-no-routeraz tcp-resetztcp-rstr7)rnZ reject_typeZfragsr7r7r8_reject_types_fragments2                       znftables._reject_types_fragmentcCsddddiS)Nrrrrr7rr7r7r8r9sznftables._reject_fragmentcCs ddddiiddddgid iS) Nr)rrl4protor/rr:rYr0r7rr7r7r8_icmp_match_fragment=s  znftables._icmp_match_fragmentcCsn|siSddddd}z|jd}WntyBttdYn0dt|jd |||j|d d iS) NsecondZminuteZhourZday)smhd/zExpected '/' in limitlimitrrB)ZrateZper)valuerrrr r)rnr-Z rich_to_nftir7r7r8_rich_rule_limit_fragmentBs z"nftables._rich_rule_limit_fragmentcCst|jttttfvrn<|jrJt|jttt t fvrTt t dt|jn t t d|j dkrt|jtttfvst|jtt fvrdSt|jtfvst|jtt fvrdSn|j dkrdSdSdS)NUnknown action %szNo rule action specified.rrrrr)r+elementrrrrrrrrrrr rrn rich_ruler7r7r8_rich_rule_chain_suffixUs$   z nftables._rich_rule_chain_suffixcCs:|js|jsttd|jdkr$dS|jdkr2dSdSdS)NzNot log or auditrrrr)rauditrr rr3r7r7r8 _rich_rule_chain_suffix_from_logks    z)nftables._rich_rule_chain_suffix_from_logcCsddiS)Nrr7rr7r7r8rvsz!nftables._zone_interface_fragmentcCsNtd|rt|}n,td|r@|d}t|dd|d}d||diS)Nrdr,rrBr)rr)rrrsplit)rnrrZ addr_splitr7r7r8rys     znftables._zone_source_fragmentcCs d|jiS)Nrr)rnrr7r7r8rsz"nftables._policy_priority_fragmentcCs|r|jdkriSd|jiS)Nrrr9r3r7r7r8_rich_rule_priority_fragmentsz%nftables._rich_rule_priority_fragmentc Cs |js iS|jj||t}ddd|}||}i} t|jtkr||jjrZt |jjnd| d<|jj rt |jj | d<n,|jj rd|jj krdn|jj } d | | d <|jj rd |jj | d <d t d |||f|||jjd| igd} | |||d| iiS)Nrsr}rrgroupzqueue-thresholdZwarningwarnrlevelrrurrrr)rrfrrrr7r+rr;rZ thresholdr=rrr0r-rr:) rnrr4rrtrrrrZ log_optionsr=rr7r7r8_rich_rule_logs4    znftables._rich_rule_logc Cs|js iS|jj||t}ddd|}||}dtd|||f|||jjdddiigd } | | ||d | iiS) Nrsr}rrurrr=r6rr) r6rfrrrr7rr0r-rr:) rnrr4rrtrrrrrr7r7r8_rich_rule_audits     znftables._rich_rule_auditc Cs|js iS|jj||t}ddd|}||}d|||f} t|jtkr\ddi} nt|jtkr|jjr| |jj} nddi} nt|jt krddi} nt|jt krHd}|jj||t}d|||f} |jj d } t| d kr,dd d d iiddd d d ii| d gi| dgidi} ndd d d ii| ddi} nttdt|jdt| |||jj| gd} | |||d| iiS)Nrsr}rrrrrr&r,rBrrmark^&rrr.r1rurr)rrfrrrr5r+rrr$rrrr8rrr rr0r-rr:) rnrr4rrtrrrrrZ rule_actionr.rr7r7r8_rich_rule_actionsL     "    znftables._rich_rule_actioncCs|dr0||tddd|kr(dnd|St|r>d}ntd|rNd}nvtd|rd}tj|dd}d |jj |j d i}nDtd |rd }t |}n,d }| d }d t |dt |dd i}dd||di|rdnd|diSdS)Nipset:rTFetherrcip)strictraddrrrdip6r,rrBr)r*r,!=r/r0) startswith_set_match_fragmentrrrr ipaddress IPv4Networknetwork_address compressed prefixlenrr8r)rnZ addr_fieldrinvertrxZnormalized_addressZaddr_lenr7r7r8rs, &      znftables._rule_addr_fragmentcCs6|siS|dvrttd|ddddiid|diS) NrbzInvalid familyr)rrnfprotor/r0r")rnZ rich_familyr7r7r8_rich_rule_family_fragments z#nftables._rich_rule_family_fragmentcCs8|siS|jr|j}n|jr&d|j}|jd||jdS)NrErrT)rJipsetrrT)rnZ rich_destrr7r7r8_rich_rule_destination_fragment s z(nftables._rich_rule_destination_fragmentcCsZ|siS|jr|j}n2t|dr.|jr.|j}nt|drH|jrHd|j}|jd||jdS)NmacrXrErrW)rJhasattrrZrXrrT)rnZ rich_sourcerr7r7r8_rich_rule_source_fragments z#nftables._rich_rule_source_fragmentcCsPt|}t|tr$|dkr$ttn(t|dkr8|dSd|d|dgiSdS)NrrBrange)r isinstancerrrr)rnportr]r7r7r8_port_fragment!s   znftables._port_fragmentc Cs&ddd|}d}|jj||t} g} |r>| ||j|rT| |d||r|| ||j | | |j | dd|dd id | |d ig} |r| | ||||| | |||||| | |||||| n.| |d d td|| f| ddigdii| S)Nrsr}rr(rr)r*dportr,r/r0rru %s_%s_allowrrrfrrrr5rVrxrrY destinationr\sourcer`r>r?rDr rnrrprotor_rdr4rrtrrrr7r7r8build_policy_ports_rules*s8     z!nftables.build_policy_ports_rulesc Csddd|}d}|jj||t}g} |r>| ||j|rT| |d||r|| ||j | | |j | dddd iid |d ig} |r| | ||||| | | ||||| | |||||| n.| |d d td||f| ddigdii| S)Nrsr}rr(rr)rrr%r/r0rrurbrr)rfrrrr5rVrxrrYrdr\rer>r?rDr) rnrrr-rdr4rrtrrrr7r7r8build_policy_protocol_rulesJs4    z$nftables.build_policy_protocol_rulesc Csd}d}|jj||t}ddd|} g} |r^| ||j| ||j| |}| dddd d d id d i|dks|dur| dddddidddiidin| dddddi|di| ddt d||f| diigS)Nrr(rsr}rr)rr*tcprzr,Zsyn)r2r1r3Zpmtur&z tcp optionZmaxsegsize)ryr.ZrtrZmturCrrurr) rfrrrr5rYrdr\rer5r) rnrrZtcp_mss_clamp_valuerdr4rrtrrrr7r7r8 build_policy_tcp_mss_clamp_rulesis2      z)nftables.build_policy_tcp_mss_clamp_rulesc Cs&ddd|}d}|jj||t} g} |r>| ||j|rT| |d||r|| ||j | | |j | dd|dd id | |d ig} |r| | ||||| | |||||| | |||||| n.| |d d td|| f| ddigdii| S)Nrsr}rr(rr)r*sportr,r/r0rrurbrrrcrfr7r7r8build_policy_source_ports_ruless8     z(nftables.build_policy_source_ports_rulesc Csd}|jj||t} ddd|} g} |rR| dddtd||f||diig} |rl| |d || d d |d d id||di| dd||fi| | ddtd| | dii| S)Nr(rsr}rz ct helperruz helper-%s-%s)rxrtryr+r-rr)r*rar,r/r0rfilter_%s_allowr)rfrrrr5rrr`) rnrrrgr_rdZ helper_nameZmodule_short_namertrrrrr7r7r8build_policy_helper_ports_ruless6       z(nftables.build_policy_helper_ports_rulesc Csddd|}|jj||t}g} |rv|t|ddkrT|dt|dd}ddd d iid |d id dig} n|d|d dig} dtd|| d} | |d| ii| S)Nrsr}rrBrrr)rrrr/r0rrrurorr)rfrrrrrrr5) rnrrrrtrrerrrrrr7r7r8build_zone_forward_ruless( z!nftables.build_zone_forward_rulesc Csddd|}g}g}|r\|||j|||j|||j||}n"|ddddiidd d id }d }|jj j ||t d d} dt d| |f|ddddiiddd iddigd} | ||||d| ii|S)Nrsr}rr)rrrUr/rcr0rr'Tr rurrrLrZ masqueraderr)r5rVrxrYrdr\rer5rfrrrrrr:) rnrrr4rrrrrtrrr7r7r8build_policy_masquerade_ruless<    z&nftables.build_policy_masquerade_rulescCspd}|jj||t} ddd|} g} |rn| ||j| ||j| | |j | |} n8d} |rt d|rd} | ddd d iid | d id } | dd|ddid | |d i|r$t d|rt|}|r|dkr| d|| |din| dd|iin| dd| |iidtd| | f| d}|||| d|iigS)Nr'rsr}rrcrdr)rrrUr/r0rr*rar,rr)rJr_rJrAr_rurrr)rfrrrr5rVrxrYrdr\rer5rr`rrrr:)rnrrr_r-ZtoportZtoaddrr4rtrrrrrUrr7r7r8build_policy_forward_port_rulessJ      z(nftables.build_policy_forward_port_rulescCs2|t|vrt||Sttd||j|fdS)Nz)ICMP type '%s' not supported by %s for %s)rrr ry)rnrZ icmp_typer7r7r8_icmp_types_to_nft_fragments(s   z%nftables._icmp_types_to_nft_fragmentscCs:d}|jj||t}ddd|}|r6|jr6|j}n<|jrjg}d|jvrT|dd|jvrr|dnddg}g} |D]} |jj|rd||f} ddi} nd ||f} |} g} |r| | |j | | |j| | |j | || |j|r| |||||| | |||||| |jrb| |||||| nN||}d td |||f| |gd }|||| |d |iiqz|jdkr|jj|s| |d d t| | ||jddd||fiigd ii| |d d t| | | gd iiqz| S)Nr(rsr}rrcrdrbrz %s_%s_denyrurrrrrr%s_%s_ICMP_BLOCK: )rfrrripvsrdr5query_icmp_block_inversionrrVrxrYr\rerrtryr>r?rrDr5rrr:rr)rnrrZictr4rtrrrvrrZ final_chainrrrrr7r7r8build_policy_icmp_block_rules/sl                z&nftables.build_policy_icmp_block_rulescCsd}|jj||t}g}ddd|}|jj|r@|}nddi}||ddtd||fd ||gd ii|j d kr|jj|r||ddtd||fd || |j d d d||fiigd ii|S)Nr(rsr}rrrrurrFrxrtrrrrrrru) rfrrrrwrr5rr&rr)rnrrrtrrrrr7r7r8'build_policy_icmp_block_inversion_rulesks4       z0nftables.build_policy_icmp_block_inversion_rulesc Cs$g}d}|jjdkrddg}n<|jjdkr8ddg}d}n"|jjdkrRgd}d}ngd}d d d d iid ddid d|ddid ddig}|dkr|dddii|ddi|dddt||dii|jjdvr |dddt|d ddd d!id d"d#d$gidid%digdii|S)&NZfilter_PREROUTINGZlooserr@ loose-forwardfilter_FORWARDstrict-forward)rr@Ziifr)rrrUr/rdr0ZfibZoif)rzresultFrrrzrpfilter_DROP: rrrrurr{r}r*rYr+r,rr`r^r)rf_ipv6_rpfilterr5r)rnrrZrpfilter_chainZ fib_flagsrr7r7r8build_rpfilter_rulessX          znftables.build_rpfilter_rulesc Csgd}dd|D}dddddid d |id ig}|jjd vrT|d ddii||dg}|dddtdd|diid}|jdkr|d7}|jjdvr|d7}|dddtd||dii|S)N) z ::0.0.0.0/96z::ffff:0.0.0.0/96z2002:0000::/24z2002:0a00::/24z2002:7f00::/24z2002:ac10::/28z2002:c0a8::/32z2002:a9fe::/32z2002:e000::/19cSs2g|]*}d|ddt|dddiqS)rr,rrBrI)r8r).0rr7r7r8 rz5nftables.build_rfc3964_ipv4_rules..r)r*rKrr,r/rr0)rrrrzRFC3964_IPv4_REJECT: r#rsrrurrBryrGrrr|)rfZ _log_deniedr5r$rrr)rnZ daddr_setrrZ forward_indexr7r7r8build_rfc3964_ipv4_ruless<        z!nftables.build_rfc3964_ipv4_rulesc Csd}g}|||j|||j|||jg}|||||||||||||||| ||||||S)Nr() r5rVrxrYrdr\rer>r?rD)rnrrr4rtrrr7r7r8*build_policy_rich_source_destination_rulessz3nftables.build_policy_rich_source_destination_rulescCs|dvr dSdS)N)rcrdZebTFr7)rnrr7r7r8is_ipv_supportedsznftables.is_ipv_supportedc Csddd}||||ddg||dd||g||dd||g||dg||||||g||ddg||dd||g||dgdd }||vr||Sttd |dS) NZ ipv4_addrZ ipv6_addrrbZ inet_protoZ inet_servicer@ZifnameZ ether_addr) zhash:ipz hash:ip,portzhash:ip,port,ipzhash:ip,port,netz hash:ip,markzhash:netz hash:net,netz hash:net,portzhash:net,port,netzhash:net,ifacehash:macz!ipset type name '%s' is not valid)rr )rnrr+Zipv_addrtypesr7r7r8_set_type_lists(    znftables._set_type_listcCs|rd|vr|ddkrd}nd}dt||||d}|ddd D]}|d vrLd g|d <qhqL|rd |vrt|d |d <d|vrt|d|d<dd|iigS)Nrxinet6rdrcru)rxrtryr+:rB,)rGnetr_intervalrztimeoutZmaxelemrkrsr)rrr8r)rnryr+optionsrZset_dicttr7r7r8build_set_create_rules s$  znftables.build_set_create_rulescCs$||||}|||jdSr)rrrfr)rnryr+rrr7r7r8 set_create$sznftables.set_createcCs*dddt|dii}|||jdS)Nr}rrur)rrrfr)rnryrr7r7r8 set_destroy(s  znftables.set_destroycCs|jj|jddd}g}|D]}|dkrd|dddii|dd |rVd nd d iq(|d vr|d|||rdndd iq(|dkr|dd|rdndiiq(|dkr|dddiiq(ttd|q(dt |dkrd|in|d|rdndd|diS)NrrBrr_rrr%r*thrarmr,)rGrrZrrZifacerrr@z-Unsupported ipset type for match fragment: %sr)concatrrLr/@r0) rfrX get_ipsetr+r8r5_set_get_familyrr r)rnryZ match_destrT type_formatr6formatr7r7r8rN.s*    znftables._set_match_fragmentc Cs8|jj|}|jddd}|d}t|t|krHttdg}t|D]\}}|dkrz|| d} Wn$t y| d||} Yn,0| ||d| ||| dd} z| d} Wnt y| | Yn(0| d| d| | | ddgiqT|d vr d||vrP| d||dinz|| d } WnJt y||} d |j vr|j d d krt | } | | Yn^0||d| } d |j vr|j d d krt | } | d | t||| dddiqT| ||qTt|dkr4d|igS|S)NrrBrz+Number of values does not match ipset type.r_rj-r])rGrr,rxrrrIr)rfrXrr+r8rrr enumeraterrr5rrr) rnryentryobjrZ entry_tokensfragmentr/rrZport_strrJr7r7r8_set_entry_fragmentEsP     (  znftables._set_entry_fragmentc Cs0g}|||}|dddt||dii|S)Nrsr2rurxrtryelem)rr5r)rnryrrr2r7r7r8build_set_add_rulesys   znftables.build_set_add_rulescCs"|||}|||jdSr)rrrfr)rnryrrr7r7r8set_adds znftables.set_addcCs8|||}dddt||dii}|||jdS)Nr}r2rur)rrrrfr)rnryrr2rr7r7r8 set_deletes  znftables.set_deletecCsdddt|diigS)Nrrrur)r)rnryr7r7r8build_set_flush_rulessznftables.build_set_flush_rulescCs ||}|||jdSr)rrrfr)rnryrr7r7r8 set_flushs znftables.set_flushcCsJ|jj|}|jdkrd}n(|jrBd|jvrB|jddkrBd}nd}|S)NrrFrxrrKrG)rfrXrr+r)rnryrXrxr7r7r8rs  znftables._set_get_familyc Csg}||||||||d}|D]D}|||||d7}|dkr0|||j|d}q0|||jdS)NrrBi)rrrrrrfrclear) rnZset_name type_nameentriesZcreate_optionsZ entry_optionsrchunkrr7r7r8 set_restoresznftables.set_restore)N)N)r)F)F)NN)NN)NN)NN)NN)N)N)N)F)N)N)F)NN)K__name__ __module__ __qualname__ryZpolicies_supportedrprrrrrrrrrrrrrrrrrrr rrrrr$rr&r0r5r7rrrr:r>r?rDrrVrYr\r`rhrirlrnrprqrrrsrtrxrzrrrrrrrrrNrrrrrrrrr7r7r7r8res0,.e     C  V c 2B    +      !  ! + < +(   4 re)N)+rrrOZfirewall.core.loggerrZfirewall.functionsrrrrrZfirewall.errorsrr r r r r rZfirewall.core.richrrrrrrrrrZfirewall.core.baserZnftables.nftablesrrrr~rrrr9robjectrer7r7r7r8s $,                                     &            E