c`c@sgdZdddgZddljZddlZddlZddlZddlmZddl m Z m Z m Z m Z mZmZmZmZmZddlmZmZmZmZdd lmZmZdd lmZmZmZmZdd l m!Z!dd lm"Z"dd l#m$Z$defdYZ%defdYZ&dZ'e(dZ)dS(s$ipset io XML handler, reader, writertIPSett ipset_readert ipset_writeriN(tconfig( tcheckIPtcheckIP6t checkIPnMaskt checkIP6nMaskt u2b_if_py2t check_mact check_porttcheckInterfacet checkProtocol(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGenerator(t IPSET_TYPEStIPSET_CREATE_OPTIONS(tcheck_icmp_nametcheck_icmp_typetcheck_icmpv6_nametcheck_icmpv6_type(tlog(terrors(t FirewallErrorcBseZdddddidd6fddgffZdZdd d d gZidd6dd6dgd 6d gd6dd6Zidgd 6dgd6ZdZdZ dZ e dZ dZ dZRS(tversionttshortt descriptionttypetoptionstentriess (ssssa{ss}as)t_t-t:t.tipsettnametoptiontentrytvaluecCsVtt|jd|_d|_d|_d|_g|_i|_t |_ dS(NR( tsuperRt__init__RRRRR RtFalsetapplied(tself((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyR+Cs      cCsEd|_d|_d|_d|_|j2|jjt|_dS(NR( RRRRR RtclearR,R-(R.((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pytcleanupMs     cCst|j|_t|j|_t|j|_t|j|_d|jjD|_g|jD]}t|^qn|_dS(s HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. Get rid of it once we throw out python 2 support.cSs+i|]!\}}t|t|qS((R(t.0tktv((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pys ^s N(RRRRRRtitemsR (R.te((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pytencode_stringsVsc Csd}d|kr.|ddkr.d}q.n|jdsVttjd|n|djd}|jd}t|t|kst|d krttjd ||fnx'tt|D]}||}||}|d krd |kr|dkr|d kr@ttjd |||fn|jd } t| dkrttjd||||fnx| D]]} |dkrt|  s|dkrt |  rttjd| |||fqqWq|dkrL|dkr.ttjd||||fn|dkrCt } qRt} nt } | |sttjd||||fqq|dkrbd |kr|jd } t| dkrttjd||||fn|dkrt| d s|dkrGt | d rGttjd| d|||fn|dkrdt | d  s|dkr_t | d  r_ttjd| d |||fq_q|j dr|dko|dko|dksttjd||||fqn|dkr!t | s:|dkrt | rttjd||||fqq|dkrt | s|dkrttjd||fqq|dkrd|kr{|jd} t| dkrttjd|n| ddkr~|dkr6ttjd||fnt| d  rxt| d  rxttjd| d |fqxq| dd1kr|dkrttjd||fnt| d  rxt| d  rxttjd!| d |fqxq| dd2krEt| d rEttjd&| d|fqt| d sttjd'| d |fqqt|sttjd(||fqq|d)kr|jd*r yt|d+} WqJtk rttjd,||fqJXn@yt|} Wn-tk rIttjd,||fnX| dksb| d-krttjd,||fqq|d.krt| st|d/krttjd0||fqqttjd|qWdS(3Ntipv4tfamilytinet6tipv6shash:sipset type '%s' not usableit,is)entry '%s' does not match ipset type '%s'tipR"s invalid address '%s' in '%s'[%d]is.invalid address range '%s' in '%s' for %s (%s)s(invalid address '%s' in '%s' for %s (%s)s0.0.0.0itnets/0shash:net,ifacetmacs00:00:00:00:00:00s invalid mac address '%s' in '%s'tportR#sinvalid port '%s'ticmps(invalid protocol for family '%s' in '%s'sinvalid icmp type '%s' in '%s'ticmpv6s ipv6-icmps invalid icmpv6 type '%s' in '%s'ttcptsctptudptudplitesinvalid protocol '%s' in '%s'sinvalid port '%s'in '%s'sinvalid port '%s' in '%s'tmarkt0xisinvalid mark '%s' in '%s'Itifaceisinvalid interface '%s' in '%s'(RAs ipv6-icmp(RBRCRDRE(t startswithRRt INVALID_IPSETtsplittlent INVALID_ENTRYtrangeRRRRtendswithR RRRRR R tintt ValueErrorR ( R(Rt ipset_typeR8tflagsR4titflagtitemtsplitst_splittip_checktint_val((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyt check_entrybs@   *                            cCs>|dkr4|tkr4ttjd|q4n|dkr:x|jD]}|tkrxttjd|n|dkryt||}Wn1tk rttj d|||fnX|d kr3ttj d |||fq3qM|d krM||dkrMttj ||qMqMWndS(NRs'%s' is not valid ipset typeRsipset invalid option '%s'ttimeoutthashsizetmaxelems)Option '%s': Value '%s' is not an integeris#Option '%s': Value '%s' is negativeR8tinetR9(R\R]R^(R_sinet6( RRRt INVALID_TYPEtkeysRRJRPRQt INVALID_VALUEtINVALID_FAMILY(R.RRVtkeyt int_value((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyt _check_configs2          cCsd|dkrO|dddkrOt|ddkrOttjqOnx-|dD]!}tj||d|dqZWtt|j|dS(NR\it0iii(RLRRtIPSET_WITH_TIMEOUTRR[R*t import_config(R.RR(((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyRi3s $(sversionR(sshortR(s descriptionR(stypeRN(t__name__t __module__tIMPORT_EXPORT_STRUCTUREtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARStNonetPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSR+R0R6t staticmethodR[RfRi(((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyR,s.       tipset_ContentHandlercBseZdZdZRS(cCstj||||jj|||dkrd|kr~|dtkrkttjd|dn|d|j_nd|kr|d|j_ qn|dkrn|dkrn|dkrd}d |kr|d }n|d dkrttj d|d n|jjdkra|d dkrattj d|d |jjfn|d dkr| rttj d|d n|d dkryt |}Wn1t k rttj d|d |fnX|dkrttj d|d |fqn|d d krL|dkrLttj|n|d |jjkry||jj|d sd         "  cCs9tj|||dkr5|jjj|jndS(NR((Rt endElementRVR tappendt_element(R.R&((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyRyus (RjRkRtRy(((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyRs=s 7c Cst}|jds1ttjd|n|d |_|j|j||_||_|j t j rxt nt |_|j|_t|}tj}|j|d||f}t|di}tjd}|j|y|j|Wn2tjk r5}ttjd|jnXWdQX~~d|jkr|jddkrt|jd krtj d |j|j2nd } t!} x| t|jkru|j| | krtj d |j| |jj"| qy$|j#|j| |j|j$Wn3tk rS} tj d | |jj"| qX| j%|j| | d 7} qW~ t&r|j'n|S(Ns.xmls'%s' is missing .xml suffixis%s/%strbsnot a valid ipset file: %sR\Rgis6ipset '%s': timeout option is set, entries are ignoredsEntry %s already set, ignoring.s %s, ignoring.i((RRORRt INVALID_NAMER&t check_nametfilenametpathRIRt ETC_FIREWALLDR,tTruetbuiltintdefaultRstsaxt make_parsertsetContentHandlertopent InputSourceRot setByteStreamtparsetSAXParseExceptionRJt getExceptionRRLR RRwtsettpopR[RtaddR R6( RRR%thandlertparserR&tftsourcetmsgRTt entries_setR5((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyRzs^     !      "    $ c Csg|r |n|j}|jr4d||jf}nd||jf}tjj|rytj|d|Wqtk r}tj d||qXntjj |}|j t j rtjj| rtjjt j stjt j dntj|dntj|dddd }t|}|ji|jd 6}|jr{|jd kr{|j|d s$   @""= 5