a iK@sgdZddlmZddlmZddlmZddlmZddlm Z Gddde Z Gd d d e Z Gd d d e Z Gd dde ZGdddeZGddde ZGddde ZGddde ZGddde ZGddde ZGddde ZGddde ZGdd d e ZGd!d"d"e ZGd#d$d$e ZGd%d&d&e ZGd'd(d(eZGd)d*d*e ZGd+d,d,e ZGd-d.d.e Zd/S)0) Rich_SourceRich_Destination Rich_Service Rich_Port Rich_ProtocolRich_MasqueradeRich_IcmpBlock Rich_IcmpTypeRich_SourcePortRich_ForwardPortRich_Log Rich_NFLog Rich_Accept Rich_Reject Rich_Drop Rich_Mark Rich_Audit Rich_Limit Rich_RuleRich_Tcp_Mss_Clamp) functions)check_ipset_name) REJECT_TYPES)errors) FirewallErrorc@seZdZdddZddZdS)rFcCs||_|jdkrd|_||_|jdks0|jdur8d|_n|jdurN|j|_||_|jdkrdd|_||_|jdur|jdur|jdurttjddS)Nno address, mac and ipset)addrmacupperipsetinvertrr INVALID_RULE)selfrrr r!r$6/usr/lib/python3.9/site-packages/firewall/core/rich.py__init__$s     zRich_Source.__init__cCsjd|jr dnd}|jdur*|d|jS|jdurB|d|jS|jdurZ|d|jSttjddS)Nz source%s  NOTr address="%s"zmac="%s" ipset="%s"r)r!rrr rrr"r#retr$r$r%__str__5s   zRich_Source.__str__N)F__name__ __module__ __qualname__r&r,r$r$r$r%r#s rc@seZdZdddZddZdS)rFcCsV||_|jdkrd|_||_|jdkr,d|_||_|jdurR|jdurRttjddS)Nrno address and ipset)rr r!rrr")r#rr r!r$r$r%r&As  zRich_Destination.__init__cCsRd|jr dnd}|jdur*|d|jS|jdurB|d|jSttjddS)Nzdestination%s r'rr(r)r1)r!rr rrr"r*r$r$r%r,Ms  zRich_Destination.__str__N)Fr-r$r$r$r%r@s rc@seZdZddZddZdS)rcCs ||_dSNnamer#r4r$r$r%r&WszRich_Service.__init__cCs d|jS)Nzservice name="%s"r3r#r$r$r%r,ZszRich_Service.__str__Nr-r$r$r$r%rVsrc@seZdZddZddZdS)rcCs||_||_dSr2portprotocol)r#r8r9r$r$r%r&^szRich_Port.__init__cCsd|j|jfS)Nzport port="%s" protocol="%s"r7r6r$r$r%r,bszRich_Port.__str__Nr-r$r$r$r%r]src@seZdZddZdS)r cCsd|j|jfS)Nz#source-port port="%s" protocol="%s"r7r6r$r$r%r,fszRich_SourcePort.__str__Nr.r/r0r,r$r$r$r%r esr c@seZdZddZddZdS)rcCs ||_dSr2valuer#r<r$r$r%r&kszRich_Protocol.__init__cCs d|jS)Nzprotocol value="%s"r;r6r$r$r%r,nszRich_Protocol.__str__Nr-r$r$r$r%rjsrc@seZdZddZddZdS)rcCsdSr2r$r6r$r$r%r&rszRich_Masquerade.__init__cCsdS)N masquerader$r6r$r$r%r,uszRich_Masquerade.__str__Nr-r$r$r$r%rqsrc@seZdZddZddZdS)rcCs ||_dSr2r3r5r$r$r%r&yszRich_IcmpBlock.__init__cCs d|jS)Nzicmp-block name="%s"r3r6r$r$r%r,|szRich_IcmpBlock.__str__Nr-r$r$r$r%rxsrc@seZdZddZddZdS)rcCs ||_dSr2r3r5r$r$r%r&szRich_IcmpType.__init__cCs d|jS)Nzicmp-type name="%s"r3r6r$r$r%r,szRich_IcmpType.__str__Nr-r$r$r$r%rsrc@seZdZddZddZdS)rcCs ||_dSr2r;r=r$r$r%r&szRich_Tcp_Mss_Clamp.__init__cCs|jrd|jSdSdS)Nztcp-mss-clamp value="%s" tcp-mss-clampr;r6r$r$r%r,s zRich_Tcp_Mss_Clamp.__str__Nr-r$r$r$r%rsrc@seZdZddZddZdS)r cCs<||_||_||_||_|jdur(d|_|jdur8d|_dSNrr8r9to_port to_address)r#r8r9rBrCr$r$r%r&s  zRich_ForwardPort.__init__cCs<d|j|j|jdkrd|jnd|jdkr4d|jndfS)Nz(forward-port port="%s" protocol="%s"%s%srz to-port="%s"z to-addr="%s"rAr6r$r$r%r,s zRich_ForwardPort.__str__Nr-r$r$r$r%r s r c@s&eZdZdddZddZddZdS) r NcCs||_||_||_dSr2prefixlevellimit)r#rErFrGr$r$r%r&szRich_Log.__init__cCs>d|jrd|jnd|jr$d|jnd|jr6d|jndfS)Nz log%s%s%s prefix="%s"rz level="%s" %srDr6r$r$r%r,s zRich_Log.__str__cCsV|jr t|jdkr ttjd|jr>|jdvr>ttj|j|jdurR|jdS)N+maximum accepted length of 'prefix' is 127.)ZemergZalertZcriterrorZwarningZnoticeinfodebug) rElenrrINVALID_LOG_PREFIXrFZINVALID_LOG_LEVELrGcheckr6r$r$r%rQs  zRich_Log.check)NNNr.r/r0r&r,rQr$r$r$r%r s r c@s&eZdZdddZddZddZdS) r NcCs||_||_||_||_dSr2grouprE thresholdrG)r#rTrEZ queue_sizerGr$r$r%r&szRich_NFLog.__init__cCsPd|jrd|jnd|jr$d|jnd|jr6d|jnd|jrHd|jndfS)Nz nflog%s%s%s%sz group="%s"rrHz queue-size="%s"rIrSr6r$r$r%r,szRich_NFLog.__str__cCst|jrt|jsttjd|jr>t|jdkr>ttjd|j r\t|j s\ttj d|j durp|j dS)Nz5nflog 'group' must be an integer between 0 and 65535.rJrKz:nflog 'queue-size' must be an integer between 0 and 65535.) rTrZ checkUINT16rrZINVALID_NFLOG_GROUPrErOrPrUZINVALID_NFLOG_QUEUErGrQr6r$r$r%rQs    zRich_NFLog.check)NNNNrRr$r$r$r%r s r c@seZdZdddZddZdS)rNcCs ||_dSr2rGr#rGr$r$r%r&szRich_Audit.__init__cCsd|jrd|jndS)Nzaudit%srIrrVr6r$r$r%r,szRich_Audit.__str__)Nr-r$r$r$r%rs rc@seZdZdddZddZdS)r NcCs ||_dSr2rVrWr$r$r%r&szRich_Accept.__init__cCsd|jrd|jndS)Nzaccept%srIrrVr6r$r$r%r,szRich_Accept.__str__)Nr-r$r$r$r%r s r c@s&eZdZdddZddZddZdS) rNcCs||_||_dSr2typerG)r#Z_typerGr$r$r%r&szRich_Reject.__init__cCs,d|jrd|jnd|jr$d|jndfS)Nz reject%s%sz type="%s"rrIrXr6r$r$r%r,szRich_Reject.__str__cCsT|jrP|sttjd|dvrP|jt|vrPdt|}ttjd|j|fdS)Nz9When using reject type you must specify also rule family.Zipv4Zipv6z, z%Wrong reject type %s. Use one of: %s.)rYrrr"rjoin)r#familyZ valid_typesr$r$r%rQs  zRich_Reject.check)NNrRr$r$r$r%rs rc@seZdZddZdS)rcCsd|jrd|jndS)Nzdrop%srIrrVr6r$r$r%r,szRich_Drop.__str__Nr:r$r$r$r%rsrc@s&eZdZdddZddZddZdS) rNcCs||_||_dSr2setrG)r#Z_setrGr$r$r%r&szRich_Mark.__init__cCsd|j|jrd|jndfS)Nz mark set=%s%srIrr]r6r$r$r%r,szRich_Mark.__str__cCs|jdur|j}n ttjdd|vrr|d}t|dkrHttj|t|drdt|dsttj|nt|sttj|dS)Nz no value set/r)r^rrZ INVALID_MARKsplitrOrZ checkUINT32)r#xsplitsr$r$r%rQs       zRich_Mark.check)NrRr$r$r$r%rs rc@s,eZdZddZddZddZddZd S) rcCsV||_d|jvrR|jd}t|dkrR|ddvrRd|d|dddf|_dS)Nr_r`ra)secondZminuteZhourZdayz%s/%sr)r<rbrO)r#r<rdr$r$r%r&s    zRich_Limit.__init__cCs d}d|jvr|jd}|r*t|dkr8ttj|j|\}}z t|}Wnttj|jYn0|dksx|dvrttj|jd}|dkrd}n(|dkrd}n|dkrd }n |d krd }d ||d krttjd|j|dkr|d krttjd|jdS)Nr_r`ra)smhdrfrg<rhiriiQi'rz %s too fastz %s too slow)r<rbrOrrZ INVALID_LIMITint)r#rdZrateZdurationZmultr$r$r%rQ!s:   zRich_Limit.checkcCs d|jS)Nzlimit value="%s"r;r6r$r$r%r,CszRich_Limit.__str__cCsdSr@r$r6r$r$r%commandFszRich_Limit.commandN)r.r/r0r&rQr,rlr$r$r$r%rs"rc@s>eZdZdZdZdddZddZd d Zd d Zd dZ dS)riiNrcCsV|durt||_nd|_||_d|_d|_d|_d|_d|_d|_|rR| |dSr2) strr\prioritysource destinationelementlogauditaction_import_from_string)r#r\rule_strrnr$r$r%r&Ms zRich_Rule.__init__cCsg}t|D]j}d|vrj|d}t|dks@|dr@|dsPttjd|||d|ddq|d|iq|ddi|S) z Lexical analysis =r`rrazinternal error in _lexer(): %s) attr_name attr_valuerqEOL)rZ splitArgsrbrOrrr"append)r#rvtokensrattrr$r$r%_lexer^s zRich_Rule._lexerc Cs` |sttjdt|}d|_d|_d|_d|_d|_ d|_ d|_ d|_ | |}|rv|dddkrvttjdi}g}d}||ddkr|dgk sT||d}||d}||d}|r|dvrttjd |n|d vr|d kr|jrttjd n|d kr2|jr2ttjdn|dvr\|j r\ttjd||j fnh|dvr||j r|ttjdnH|dkr|j rttjdn(|dvr|j rttjd||j fnttjd|t|dkr|t|dnd} | dkr|sT|rT|dkr&ttjdn,|dkr>ttjdnttjd||fn*d|vrtttjd||fn |dn| dkr6|dkr|d vrttjd!|||_nz|dkrzt||_Wn$tyttjd"|Yn0n:|r(|d#krd$} n d%||f} ttj| n ||n| d kr|d&vrT|||<nV|d'vrhd(|d)<nBt|d*|d+|d,|d)d-|_|||d}n| d kr|d.vr|||<nN|d'vrd(|d)<n:t|d*|d,|d)d-|_|||d}n,| d#krV|d/krFt||_ |n ttjd0n| d1kr|d/krt|||<n(t|d/|_ |||d}n| d2kr|d3krt||_ |n ttjd4nr| d5kr*|d6vr|||<n0t|d5|d#|_ |||d}n | d7krb|d3krRt||_ |n ttjd8n| d9kr|d3krt||_ |n ttjd:n| d;krt|_ |||d}n| d|d?|_ |||d}n | d@kr||d6vrH|||<n0t |d5|d#|_ |||d}n| dAkr|dBvr|||<nN|dCkr|dCn8t!|dD|dE|dC|_ |||d}n^| dFkrd|dGvr |||<nV|dCkr |dCn@t"|dH|dD|dI|dC|_ |||d}n| dkr|dCkr|dCn(t#|dC|_ |||d}n| dJkr|dCkr|dCn(t$|dC|_ |||d}nN| dKkrH|dCkr|dCn(t%|dC|_ |||d}n| dLkr|dMkrf|||<nF|dCkr||dCn0t&|dM|dC|_ |||d}n| dNk r|dOkr|||<nF|dCkr|dCn0t'|dO|dC|_ |||d}n6| dCk rJ|d/k r>t(||dC<|n ttjdP|d}q|)dS)QNz empty rulerrqrzrulerxry)rnr\addressrr r!r<r8r9to-portto-addrr4rTrErF queue-sizerYr^zbad attribute '%s')rrorpr9servicer8 icmp-block icmp-typer> forward-port source-portrrnflogrsacceptdroprejectmarkrGnotNOTrzr?rozmore than one 'source' elementrpz#more than one 'destination' element)r9rr8rrr>rrzFmore than one element. There cannot be both '%s' and '%s' in one rule.)rrrzmore than one logging elementrszmore than one 'audit' element)rrrrzOmore than one 'action' element. There cannot be both '%s' and '%s' in one rule.zunknown element %srarr\z0'family' outside of rule. Use 'rule family=...'.rnz4'priority' outside of rule. Use 'rule priority=...'.z:'%s' outside of any element. Use 'rule %s= ...'.z,'%s' outside of rule. Use 'rule ... %s ...'.rZzH'family' attribute cannot have '%s' value. Use 'ipv4' or 'ipv6' instead.z(invalid 'priority' attribute value '%s'.r9zdwrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'.zDattribute '%s' outside of any element. Use 'rule %s= ...'.)rrr r!)rrTr!rrr F)rr r!r<zinvalid 'protocol' elementr?rr4zinvalid 'service' elementr8r7rzinvalid 'icmp-block' elementrzinvalid 'icmp-type' elementr>r)r8r9rrrrrrr)rErFrGrErFr)rTrErrTrrrrrYrr^zinvalid 'limit' element)*rrr"rZstripNonPrintableCharactersrnr\rorprqrrrsrtrgetrOr{rk ValueErrorINVALID_PRIORITYrpopclearrrrrrrrrr r r r rr rrrrrQ) r#rvr|attrsZ in_elementsindexrqrxryZ in_elementerr_msgr$r$r%ruos      "                *      "                              (                 (                                zRich_Rule._import_from_stringcCs|jdur"|jdvr"ttj|j|jdurn|jdurB|jjdusL|jdurVttjt|j t krnttj|j |j ks|j |j krttjd|j |j f|j dur|jdus|jdur|j dkr|jdurttjd|jdur|jdur|j dkrttjdt|j tt ttfvrZ|jdurZ|jdurZ|jdurZttjd|jdurt|jjdur|jdurttj|jjdurttjd|jjdurttjdt|j|jjstttjt|jjn|jjdur6|jjdurttjd t|jjstttjt|jjn>|jjdurht|jjstttjt|jjn ttjd |jdur&|jjdur|jdurttj|jjdurttj dt|j|jjs&ttjt|jjn>|jjdurt|jjs&ttjt|jjn ttjd t|j t!krn|j j"dusVt#|j j"d krttj$t|j j"nRt|j t%krt&|j j'sttj(|j j'|j j)d vrttj*|j j)nt|j t+krt,|j j-sttj*|j j-nt|j tkrF|jdurttjd|jdur|jjdurttjdnzt|j tkr|j j"dusvt#|j j"d krttj.t|j j"|jrttjdnt|j t/kr|j j"dust#|j j"d krttj.t|j j"nt|j t krt&|j j'sttj(|j j'|j j)d vr8ttj*|j j)|j j0dkrd|j j1dkrdttj(|j j0|j j0dkrt&|j j0sttj(|j j0|j j1dkrt2|j|j j1sttj|j j1|jdurttj|jdurttjdnt|j t3krDt&|j j's$ttj(|j j'|j j)d vrttj*|j j)n|t|j tkr|jdurrttjd|j|j j-rt4|j j-sttj|j j-n"|j durttjdt|j |jdur|j5|jdur$t|jt6t7t8fvr ttj9t|j|jj:dur$|jj:5|jdurt|jt7krP|j5|jnt|jt;krj|j5|jj:dur|jj:5dS)NrZz/'priority' attribute must be between %d and %d.rzno element, no actionz%no element, no source, no destinationzno action, no log, no auditzaddress and maczaddress and ipsetz mac and ipsetzinvalid sourcezinvalid destinationra)ZtcpZudpZsctpZdccpzmasquerade and actionzmasquerade and mac sourcezicmp-block and actionrzforward-port and actionz+tcp-mss-clamp and %s are mutually exclusivezUnknown element %s)s2      1