c`c@s$ddlZddlmZmZmZddlmZddlmZm Z m Z m Z m Z m Z mZmZmZddlmZmZmZmZmZmZmZmZmZmZmZddlmZmZddl m!Z!ddl"m#Z#dd l$m%Z%d e&fd YZ'dS( iN(t SHORTCUTStDEFAULT_ZONE_TARGETtZONE_SOURCE_IPSET_TYPES(tlog( tportStrt checkIPnMaskt checkIP6nMaskt checkProtocoltenable_ip_forwardingtcheck_single_addresst check_mactportInPortRangetget_nf_conntrack_short_name( t Rich_Rulet Rich_Acceptt Rich_Markt Rich_Servicet Rich_Portt Rich_ProtocoltRich_MasqueradetRich_ForwardPorttRich_SourcePorttRich_IcmpBlockt Rich_IcmpType(tFirewallTransactiontFirewallZoneTransaction(terrors(t FirewallError(tLastUpdatedOrderedDictt FirewallZonecBsxeZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z dd Zd ZdZddZdZddZdZdZddZddZddZdZdZdZdZdZdddZdZ ddZ!ddZ"dd Z#d!Z$d"Z%d#Z&d$Z'd%Z(ddd&Z)d'Z*dd(Z+dd)Z,d*Z-d+Z.d,Z/d-Z0d.Z1d/Z2d0Z3d1ddd2Z4d3Z5dd4Z6dd5Z7d6Z8d7Z9d8Z:d9Z;d1ddd:Z<d;Z=dd<Z>d=Z?d>Z@d?ZAd@ZBdAZCdBZDd1dddCZEdDZFddEZGdFZHdGZIdHZJdIZKdJZLd1dddKZMdLZNddMZOdNZPdOZQdPZRdQZSd1dddRZTdSZUddTZVdUZWdVZXdWZYdXZZd1dddYZ[dZZ\dd[Z]d\Z^d]Z_ddd^Z`ddd_Zaddd1ddd`ZbdaZcddddbZddcZeddddZfdeZgdfZhdgZid1dddhZjdiZkddjZldkZmdlZndmZodnZpdddoZqdpZrdqZsddrZtdsZudtZvduZwexdvZydwZzdxZ{dyZ|dzZ}d{Z~d|Zd}Zd~ZdZdZdZdZddddZdZdZRS(cCs||_i|_i|_dS(N(t_fwt_chainst_zones(tselftfw((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__init__(s  cCsd|j|j|jfS(Ns %s(%r, %r)(t __class__RR (R!((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__repr__-scCs|jj|jjdS(N(RtclearR (R!((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytcleanup0s cCs t|jS(N(RR(R!((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytnew_transaction6scCst|j|S(N(RR(R!tzone((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytnew_zone_transaction9scCst|jjS(N(tsortedR tkeys(R!((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt get_zones>scCsE|j|}x/|jD]$}||j|jdkr|SqWdS(Nt interfaces(t_FirewallZone__interface_idR tsettingstNone(R!t interfacet interface_idR)((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytget_zone_of_interfaceAs cCsE|j|}x/|jD]$}||j|jdkr|SqWdS(Ntsources(t_FirewallZone__source_idR R0R1(R!tsourcet source_idR)((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytget_zone_of_sourceIs cCs|jj|}|j|S(N(Rt check_zoneR (R!R)tz((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytget_zoneQscOsQy||||Wn6tk rL}t|}tjd||fnXdS(Ns%s: %s(RtstrRtwarning(R!tftnametargstkwargsterrortmsg((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt_error2warningUs  c CsHddddddddd d d d g D|_||j|j^s R.R5tservicestportst masqueradet forward_portst source_portst icmp_blockstrulest protocolsticmp_block_inversion(R0R R@(R!tobj((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytadd_zone]scCsA|j|}|jr&|j|n|jj|j|=dS(N(R tappliedtunapply_zone_settingsR0R&(R!R)RQ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt remove_zonehs    c Cs|dkr|j}n|}x|jD]}|j|}|j|}|jrx|j|j|jd|nt |j dkst |j dkrt |_ ntjd|jx0|jD]%}|j|j|j|d|qWx0|jD]%}|j|j|jd||qWx0|jD]%}|j|j|j|d|q1Wx0|jD]%}|j|j|jd||qdWx0|jD]%}|j|j|j|d|qWx0|jD]%}|j|j|jd||qW|jr|j|j|jd|nx0|jD]%}|j|j|j|d|q%Wx0|j D]%}|j|j |j|d|qXWx0|j D]%}|j|j!|j|d|qW|j r.|j|j"t |j|q.q.W|dkr|j#t ndS(Ntuse_zone_transactionisApplying zone '%s'($R1R(R-R tzone_transactionRPREtadd_icmp_block_inversionR@tlenR.R5tTrueRSRtdebug1RMtadd_icmp_blockRKtadd_forward_portRHt add_serviceRItadd_portROt add_protocolRLtadd_source_portRJtadd_masqueradeRNtadd_rulet add_interfacet add_sourcet_icmp_block_inversiontexecute(R!tuse_transactiont transactionR)RQRWRA((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt apply_zonesos^    *           cCs|j|}||_dS(N(R RS(R!R)RSRQ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytset_zone_applieds cCsd|krdS|jd}t|dkr5dSd}x+tD]#}|dt|krB|}qBqBW|dk r|d|jkrdSt|dkst|dkr|dd kr|d|fSndS( Nt_iiiiRtdenytallow(slogRmRn(R1tsplitRYRR-(R!tchaintsplitst_chainRG((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytzone_from_chains     "c Cs|dkr|j|}|dk r|\}}|dkrN|j}n|}|j|t||fg||dkr|jtqqndS(Ntipv4tipv6(RtRu(RsR1R(tgen_chain_rulesRZRg( R!tipvttableRpRhRGt_zoneRrRi((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytcreate_zone_base_by_chains     cCsx|D]\}}|rD|jj|ij|gj|q|j||j|t|j||dkr|j||=nt|j|dkr|j|=qqWdS(Ni(Rt setdefaulttappendtremoveRY(R!R)tcreatetchainsRxRp((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt_register_chainss+cCs8itjd6|d6|d6}|r4||dRR=(R!R)R0t_objtkeyRARD((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt set_settingss@             (c Cs.|jj|}|j|}|r.|js?| rC|j rCdS|rUt|_n|dkrs|j|}n|}|j|}xd|D]\}xS||D]G} y|dkr|j||| |n|dkrwn|dkr |j d| d} |j |||d| | n|dkrE|j ||| |nx|dkru|j ||| d| d |nH|d kr|j ||| |n#|d kr|j||| d| d |n|d kr|j|||n|d krRd|j d | kr'|j d | d} nd} |j||td| | |nk|dkrw|j||| |nF|dkr|j||| d| d |ntjd||| Wqtk r} tjt| qXqWqW|r|jt|j|n|dkr*|j|ndS(NRMRPRKRtmark_idRHRIiiRORLRJRNRR.R5s3Zone '%s': Unknown setting '%s:%s', unable to apply(RR:R RSRZR1R*Rt _icmp_blockR0t _forward_portt_servicet_portt _protocolt _source_portt _masqueradet_FirewallZone__ruleR t _interfacet_sourceRR>RR=RfR@Rg( R!tenableR)RVRyRQRWR0RRARRD((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__zone_settings sj                        cCs|jt||dS(N(t_FirewallZone__zone_settingsRZ(R!R)RV((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytapply_zone_settings_scCs|jt||dS(N(RtFalse(R!R)RV((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRTbscCsK|j|}t|jdkrGt|jdkrG|j|ndS(Ni(R RYR.R5RT(R!R)RQ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytunapply_zone_settings_if_unusedes *cCst|j|j}|dtkr8d|d|S|dk r]|j||n|j|||}|S(N(RRR4R:R1tremove_interfaceRd(R!R)R2Rt _old_zonet _new_zoneRy((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRs   cCs|jj|dkr(|j}n|}|j|}|j|||jt|d|dt|dk r|dkr|j|}|jt|d|dtn|dkr|j tndS(Nt+R|R( RRR1R(RWRRRZRRg(R!told_zonetnew_zoneRhRiRW((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytchange_default_zones   c Cs|jj|j|}|dkrAttjd|n|dkrS|n|jj|}||krttjd|||fn|dkr|j |}n|}|j |}|j |}|j t ||||j|j|||dkr|jtn|S(Ns'%s' is not in any zoneRs"remove_interface(%s, %s): zoi='%s'(RRR4R1RRtUNKNOWN_INTERFACER:RR*R R/RRtadd_postRRgRZ( R!R)R2RVtzoiRyRWRR3((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRs*   $     cCs(||jdkr$|jd|=ndS(NR.(R0(R!RR3((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__unregister_interfacescCs |j||j|dkS(NR.(R/R(R!R)R2((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytquery_interfacescCs|j|djS(NR.(RR,(R!R)((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR scCst|rdSt|r dSt|r0dS|jdrr|j|d|j|d|j|dSttj |dS(NRtRuRsipset:i( RRR t startswitht_check_ipset_type_for_sourcet_check_ipset_appliedt _ipset_familyRRt INVALID_ADDR(R!R7((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt check_sources   cCs|j|}||fS(N(R(R!R7Rw((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __source_idsc Cs||jj|jj|}|j|}t|rG|j}n|j|}||jdkrtt j d||fn|j |dk rtt j d|n|dkr|j|}n|}|js|j|d||j|j|tn|jt||d|d||j|||||j|j|||dkrx|jtn|S(NR5s'%s' already bound to '%s's'%s' already bound to a zoneRVii(RRR:R R tupperR6R0RRRR9R1RR*RSRRRkRRRZt_FirewallZone__register_sourcet _FirewallZone__unregister_sourceRg( R!R)R7RRVRyRR8RW((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRe s4        ! cCsC|jd||jd|<| p-|dk|jd|d|St|rY|j}n|dk rx|j||n|j|||}|S(N( RRR9R:R RR1t remove_sourceRe(R!R)R7RRRRy((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRLs    c CsE|jjt|r(|j}n|j|}|dkr\ttjd|n|dkrn|n|jj |}||krttj d|||fn|dkr|j |}n|}|j |}|j |}|jt||d|d||j|j|||dkrA|jtn|S(Ns'%s' is not in any zoneRsremove_source(%s, %s): zos='%s'ii(RRR RR9R1RRtUNKNOWN_SOURCER:RR*R R6RRRRRgRZ( R!R)R7RVtzosRyRWRR8((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR^s.    $    ! cCs(||jdkr$|jd|=ndS(NR5(R0(R!RR8((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__unregister_sourcescCs;t|r|j}n|j||j|dkS(NR5(R RR6R(R!R)R7((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt query_sources cCs.g|j|djD]}|d^qS(NR5i(RR,(R!R)tk((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRscCs|jdS(N(tcheck(R!trule((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt check_rulescCs|j|t|S(N(RR=(R!R((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __rule_ids cCs|s dS|jr<t|jr&dSt|jrdSndt|drX|jrXdSt|dr|jr|j|j|j|j|j |jSdS(NRtRutmacRtipset( R1taddrRRthasattrRRRRR(R!R7((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt_rule_source_ipvs cCs|j|||||dS(N(t _rule_prepare(R!RR)RRRW((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__rulesic CsE|jj|}|jj||jj|j|}|j|}||jdkr}ttj d||fn|dkr|j |} n|} t |j tkr|jj} nd} |jr|jt||| | n|j||| ||| j|j||| |dkrA| jtn|S(NRNs'%s' already in '%s'(RR:t check_timeoutRR t_FirewallZone__rule_idR0RRtALREADY_ENABLEDR1R*ttypetelementRtnew_markRSRRZt_FirewallZone__register_ruleRt_FirewallZone__unregister_ruleRg( R!R)RRRRVRyRtrule_idRWR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRcs*      cCs'|j||d||jd|(R!tmodulesRt_helpersRRt_module_short_namet_helper((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytget_helpers_for_service_modulesGs$    cCs$|jj||jj|dS(N(Rt check_portt check_tcpudp(R!tporttprotocol((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR ascCs#|j||t|d|fS(Nt-(R R(R!R R ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __port_idesc Cs|jj|}|jj||jj|j|}|j||} | |jdkrttj d|||fn|dkr|j |} n|} |j r|j t|||| n|j|| ||| j|j|| |dkr| jtn|S(NRIs'%s:%s' already in '%s'(RR:RRR t_FirewallZone__port_idR0RRRR1R*RSRRZt_FirewallZone__register_portRt_FirewallZone__unregister_portRg( R!R)R R RRRVRyRtport_idRW((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR_is&       cCs!|j|||jd||j|}|tkr:ttjd||fndS(Ns.ipset '%s' with type '%s' not usable as source(t_FirewallZone__ipset_typeRRRt INVALID_IPSET(R!R@t_type((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRs  c Csx|r|jj|gn |jjD]}|js@q+nxr|jD]d}x[|j|D]J}|r|j||n|j|||||} |j|| qcWqMWq+WdS(N( Rtget_backend_by_ipvRVRWRXR\R]tbuild_zone_source_address_rulesRZ( R!RR)RwR7RWR[RxRpRN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRs1  cCs |jdk r|jg}n1gddgD]}|jj|r+|^q+}|j|j}|dk r|dkr|jdk r|j|krttjd||jfqq|g}n||_ x t g|D]} |jj | ^qD] } t |j tkr|jjj|j j} g} t| jdkr|jrlttjdnxS|D];}|| jkrs| j|rs| j| j|qsqsWn | jdx| D]} |r |jdd|jjdkr |jd d q nt |jtkr|j| j|}g}x6|D].}|j}t|}|jjdkr.|jd d }|j||jdkr| j|j rqDnt|jd kr|j|qrx|jD]@\}}| j ||||| |j|}|j!| |qWqD|j|krD|j|j|jjd d }|j|qDqDW|j"|nxs| jD]h\}}|rt |jt#kr|jdd n| j$||||| |}|j!| |qWxj| j%D]_}|r:t |jt#kr:|jdd n| j&|||| |}|j!| |qWxs| j'D]h\}}|rt |jt#kr|jdd n| j(||||| |}|j!| |qsWqWqt |j t)kr|j j*}|j j+}|j,|||r<|jddn|rjt |jt#krj|jdd n| j$||||d|}|j!| |qt |j t-kr>|j j.}|j/||r|jddn|rt |jt#kr|jdd n| j&|||d|}|j!| |qt |j t0kr|r|jd d|jddx3|D](}| j|r|j1t2|qqWn| j3|||}|j!| |qt |j t4kr|j j*}|j j+}|j j5}|j j6}xX|D]P}| j|rT|j7|||||n|r#|r#|j1t2|q#q#W|sdnd}|r|jdd |jd d |jd|n| j8||||||||| }|j!| |qt |j t9kr|j j*}|j j+}|j,|||rR|jddn|rt |jt#kr|jdd n| j(||||d|}|j!| |qt |j t:kst |j t;kr |jj<j=|j j}t |j t:kr> |jr> t |jtkr> ttjdn|jr xv|D]k}||jkrN | j| rN ttjdt |j t:kr dnd|j j| jfqN qN Wnd}|r |j|d|j|dn| j>||||}|j!| |q|j dkr |rB |jddn|rp t |jt#krp |jdd n| j?|||}|j!| |qttjdt |j qW|S(NRtRuRs;Source address family '%s' conflicts with rule family '%s'.is"Destination conflict with service.tfiltertINPUTtrawt PREROUTINGt conntracktnatitmanglet POSTROUTINGt FORWARD_OUTt FORWARD_INs'IcmpBlock not usable with accept actionsIcmp%s %s not usable with %stBlocktTypesUnknown element %s(@tfamilyR1Rtis_ipv_enabledRR7RRt INVALID_RULEtipvstsetRkRRRRt get_serviceR@RYt destinationtis_ipv_supportedR|R]RtactionRR RRR treplaceRItbuild_zone_helper_ports_rulesRZt add_modulesRtbuild_zone_ports_rulesROtbuild_zone_protocol_rulesRLtbuild_zone_source_ports_rulesRR R R RtvalueRRRRtbuild_zone_masquerade_rulesRtto_portt to_addressR6tbuild_zone_forward_port_rulesRRRticmptypet get_icmptypetbuild_zone_icmp_block_rulest(build_zone_rich_source_destination_rules(R!RR)RRRWR|Rwt source_ipvRGR[tsvct destinationsRthelpersRRRRt nat_moduleR tprotoRNR R4R5t filter_chaintictRx((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRsH1   2            "                   # c CsJ|jjj|}|j|j|}|r|jjdkrU|jddnVg}x@|D]8}|j|j|jj dd} |j| qbW|j ||jddng} xdd gD]} |jj | sqn|jj | } t |jdkrE| |jkrm| j| |j| fqmq| df| kr| j| dfqqWx| D]\} } |jjdkr|x|D]}|j}t|}|jj dd} |j| |jd kr| j|j rqnt |jd kr'|j|qxK|jD]@\}}| j||||| |j|}|j| |q1WqWnxB|jD]7\}}| j||||| }|j| |qWx9|jD].}| j|||| }|j| |qWxB|jD]7\}}| j||||| }|j| |qWqxWdS( NiRoRpRqRrRmRnRtRuRi(RRR~R RRR]R|RRRRzRkRYRR1R t add_moduleRyRRIRR@RZRRORRLR(R!RR)RRWRRRRRt backends_ipvRwR[RRRR RRNR ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRsd       "  cCsn|r|jddnxN|jjD]=}|js>q)n|j||||}|j||q)WdS(NRmRn(R]RRVRWRRZ(R!RR)R R RWR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR3s  cCsk|r|jddnxK|jjD]:}|js>q)n|j|||}|j||q)WdS(NRmRn(R]RRVRWRRZ(R!RR)R RWR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR?s cCsn|r|jddnxN|jjD]=}|js>q)n|j||||}|j||q)WdS(NRmRn(R]RRVRWRRZ(R!RR)R R RWR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRJs cCsw|r)|jdd|jddnd}|jt||jj|}|j||}|j||dS(NRrRtRmRuRt(R]RRRRkRRZ(R!RR)RWRwR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRUsc Cstd|rd} nd} |s*dnd} |ri|jdd|jdd|jd| n|r|r|jt| n|jj| } | j||| |||||} |j| | dS( NRuRtRnRvRsRpRrRm(R R]RRRRkRRZ( R!RR)RWR R R4R5RRwRR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRas   c Cs|jjj|}|r>|jdd|jddnx|jjD]}|jscqNnt}|jrxBddgD]1}||jkr|j|st }PqqqWn|rqNn|j |||} |j || qNWdS(NRmRnRvRtRu( RRRR]RVRWRRRRZRRZ( R!RR)RARWRR[t skip_backendRwRN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRws$  cCs|j|j}|dkr dS|j| r@|dkr@dS|jdd|jdd|r|j||jnxH|jjD]7}|jsqn|j ||}|j ||qWdS( NtDROPs %%REJECT%%tREJECTtACCEPTRmRnRv(Rs %%REJECT%%R( R ttargetRR]RgR&RRVRWt%build_zone_icmp_block_inversion_rulesRZ(R!RR)RWRR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRfs    N(t__name__t __module__R#R%R'R(R*R-R4R9R<RERRRUR1RjRkRsRzRRRRRRRTRRRRR/RdRRRRRRRRR6ReRRRRRRRRRRRcRRRRRRRR^RRRRRR R RR_RRRRRRRR`RR RR"RR$RaR%R(R&R*RR,RbR-R1R.RR6R8R]R9R=R:R?RRBRDR\RERIRFRKRRMRXRNRORTRSRRvRRRRhRfRRRRRRRRRRRRf(((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR's$            <      ) ?       '         &                                                                   (   (           A  ((Rtfirewall.core.baseRRRtfirewall.core.loggerRtfirewall.functionsRRRRRR R R R tfirewall.core.richR RRRRRRRRRRtfirewall.core.fw_transactionRRtfirewallRtfirewall.errorsRtfirewall.fw_typesRtobjectR(((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyts @L