[Compiled Python bytecode (.pyc) of the python-nftables module; embedded source path: /usr/lib/python3.9/site-packages/nftables/nftables.py. Only the strings and docstrings are recoverable from the extraction; the code itself is not readable here. Recoverable information follows.]

Module: imports json, ctypes (from ctypes import *), sys, os. NFTABLES_VERSION = "0.1".

class SchemaValidator
  "Libnftables JSON validator using jsonschema"
  __init__: loads schema.json from the module's own directory (os.path.join(os.path.dirname(__file__), "schema.json")) and imports jsonschema.
  validate(json): jsonschema.validate(instance=json, schema=self.schema)

class Nftables
  "A class representing libnftables interface"

  input_flags: "no-dns" = 0x1, "json" = 0x2
  debug_flags: scanner = 0x1, parser = 0x2, eval = 0x4, netlink = 0x8, mnl = 0x10, proto-ctx = 0x20, segtree = 0x40
  output_flags (names): reversedns, service, stateless, handle, json, echo, guid, numeric_proto, numeric_prio, numeric_symbol, numeric_time, terse
  validator = None

  __init__(self, sofile='libnftables.so.1')
    "Instantiate a new Nftables class object. Accepts a shared object file to open, by default standard search path is searched for a file named 'libnftables.so'. After loading the library using ctypes module, a new nftables context is requested from the library and buffering of output and error streams is turned on."
    libnftables symbols bound via ctypes: nft_ctx_new, nft_ctx_input_get_flags, nft_ctx_input_set_flags, nft_ctx_output_get_flags, nft_ctx_output_set_flags, nft_ctx_output_get_debug, nft_ctx_output_set_debug, nft_ctx_buffer_output, nft_ctx_get_output_buffer, nft_ctx_buffer_error, nft_ctx_get_error_buffer, nft_run_cmd_from_buffer, nft_run_cmd_from_filename, nft_ctx_add_include_path, nft_ctx_clear_include_paths, nft_ctx_get_dry_run, nft_ctx_set_dry_run, nft_ctx_add_var, nft_ctx_clear_vars, nft_ctx_free.
  __del__: frees the context with nft_ctx_free if it is still set.
  _flags_from_numeric(flags_dict, val), _flags_to_numeric(flags_dict, values): internal helpers converting between flag names and integer masks (raise ValueError for an unknown name, TypeError for an argument that is neither str nor int; message strings "Invalid argument" and "Not a valid flag").

  get_input_flags()
    "Get currently active input flags. Returns a set of flag names. See set_input_flags() for details."
  set_input_flags(values)
    "Set input flags. Resets all input flags to values. Accepts either a single flag or a list of flags. Each flag might be given either as string or integer value as shown in the following table:
       Name     | Value (hex)
       ---------------------
       "no-dns" | 0x1
       "json"   | 0x2
     "no-dns" disables blocking address lookup. "json" enables JSON mode for input. Returns a set of previously active input flags, as returned by get_input_flags() method."

  __get_output_flag(name) / __set_output_flag(name, val): internal helpers reading and writing a single output flag via nft_ctx_output_get_flags / nft_ctx_output_set_flags; the setter returns the previous value.

  get_reversedns_output()
    "Get the current state of reverse DNS output. Returns a boolean indicating whether reverse DNS lookups are performed for IP addresses in output."
  set_reversedns_output(val)
    "Enable or disable reverse DNS output. Accepts a boolean turning reverse DNS lookups in output on or off. Returns the previous value."
  get_service_output()
    "Get the current state of service name output. Returns a boolean indicating whether service names are used for port numbers in output or not."
  set_service_output(val)
    "Enable or disable service name output. Accepts a boolean turning service names for port numbers in output on or off. Returns the previous value."
  get_stateless_output()
    "Get the current state of stateless output. Returns a boolean indicating whether stateless output is active or not."
  set_stateless_output(val)
    "Enable or disable stateless output. Accepts a boolean turning stateless output either on or off. Returns the previous value."
  get_handle_output()
    "Get the current state of handle output. Returns a boolean indicating whether handle output is active or not."
  set_handle_output(val)
    "Enable or disable handle output. Accepts a boolean turning handle output on or off. Returns the previous value."
  get_json_output()
    "Get the current state of JSON output. Returns a boolean indicating whether JSON output is active or not."
  set_json_output(val)
    "Enable or disable JSON output. Accepts a boolean turning JSON output either on or off. Returns the previous value."
  get_echo_output()
    "Get the current state of echo output. Returns a boolean indicating whether echo output is active or not."
  set_echo_output(val)
    "Enable or disable echo output. Accepts a boolean turning echo output on or off. Returns the previous value."
  get_guid_output()
    "Get the current state of GID/UID output. Returns a boolean indicating whether names for group/user IDs are used in output or not."
  set_guid_output(val)
    "Enable or disable GID/UID output. Accepts a boolean turning names for group/user IDs on or off. Returns the previous value."
  get_numeric_proto_output()
    "Get current status of numeric protocol output flag. Returns a boolean value indicating the status."
  set_numeric_proto_output(val)
    "Set numeric protocol output flag. Accepts a boolean turning numeric protocol output either on or off. Returns the previous value."
  get_numeric_prio_output()
    "Get current status of numeric chain priority output flag. Returns a boolean value indicating the status."
  set_numeric_prio_output(val)
    "Set numeric chain priority output flag. Accepts a boolean turning numeric chain priority output either on or off. Returns the previous value."
  get_numeric_symbol_output()
    "Get current status of numeric symbols output flag. Returns a boolean value indicating the status."
  set_numeric_symbol_output(val)
    "Set numeric symbols output flag. Accepts a boolean turning numeric representation of symbolic constants in output either on or off. Returns the previous value."
  get_numeric_time_output()
    "Get current status of numeric times output flag. Returns a boolean value indicating the status."
  set_numeric_time_output(val)
    "Set numeric times output flag. Accepts a boolean turning numeric representation of time values in output either on or off. Returns the previous value."
  get_terse_output()
    "Get the current state of terse output. Returns a boolean indicating whether terse output is active or not."
  set_terse_output(val)
    "Enable or disable terse output. Accepts a boolean turning terse output either on or off. Returns the previous value."

  get_debug()
    "Get currently active debug flags. Returns a set of flag names. See set_debug() for details."
  set_debug(values)
    "Set debug output flags. Accepts either a single flag or a set of flags. Each flag might be given either as string or integer value as shown in the following table:
       Name      | Value (hex)
       ----------------------
       scanner   | 0x1
       parser    | 0x2
       eval      | 0x4
       netlink   | 0x8
       mnl       | 0x10
       proto-ctx | 0x20
       segtree   | 0x40
     Returns a set of previously active debug flags, as returned by get_debug() method."

  cmd(cmdline)
    "Run a simple nftables command via libnftables. Accepts a string containing an nftables command just like what one would enter into an interactive nftables (nft -i) session. Returns a tuple (rc, output, error):
       rc     -- return code as returned by nft_run_cmd_from_buffer() function
       output -- a string containing output written to stdout
       error  -- a string containing output written to stderr"
    (A str cmdline is encoded as UTF-8 before the call and output/error are decoded as UTF-8 again.)
  json_cmd(json_root)
    "Run an nftables command in JSON syntax via libnftables. Accepts a hash object as input. Returns a tuple (rc, output, error):
       rc     -- return code as returned by nft_run_cmd_from_buffer() function
       output -- a hash object containing library standard output
       error  -- a string containing output written to stderr"
    (Temporarily enables JSON output, runs cmd(json.dumps(json_root)), restores the previous JSON output setting, and json.loads() the output if non-empty.)
  json_validate(json_root)
    "Validate JSON object against libnftables schema. Accepts a hash object as input. Returns True if JSON is valid, raises an exception otherwise."
    (Lazily creates a SchemaValidator.)
  cmd_from_file(filename)
    "Run a nftables command set from a file. filename can be a str or a Path. Returns a tuple (rc, output, error):
       rc     -- return code as returned by nft_run_cmd_from_filename() function
       output -- a string containing output written to stdout
       error  -- a string containing output written to stderr"
  add_include_path(filename)
    "Add a path to the include file list. The default list includes the built-in default one. Returns True on success, False if memory allocation fails"
  clear_include_paths()
    "Clear include path list. Will also remove the built-in default one"
  get_dry_run()
    "Get dry run state. Returns True if set, False otherwise"
  set_dry_run(onoff)
    "Set dry run state. Returns the previous dry run state"
  add_var(var)
    "Add a variable to the variable list. Returns True if added, False otherwise"
  clear_vars()
    "Clear variable list"