c`c@sddlZddlZddlmZmZddlmZddlm Z ddl m Z m Z m Z mZmZmZmZmZddlmZddlmZmZmZddlmZmZmZmZddlZid d d gd 6d d gd6d dd d d gd6d dd gd6d d d gd6Zidd6dd6Z idd6dd6Z!dZ"dZ#dZ$de%fdYZ&de&fdYZ'dS( iN(t SHORTCUTStDEFAULT_ZONE_TARGET(trunProg(tlog(ttempFiletreadfilet splitArgst check_mactportStrtcheck_single_addresst check_addresst normalizeIP6(tconfig(t FirewallErrortINVALID_PASSTHROUGHt INVALID_RULE(t Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_MarktINPUTtOUTPUTtFORWARDtsecurityt PREROUTINGtrawt POSTROUTINGtmangletnattfiltersicmp-host-prohibitedtipv4sicmp6-adm-prohibitedtipv6ticmps ipv6-icmpcCsidd6dd6dd6dd6dd6d d 6}|}x|D]}y|j|}Wntk rmq>nX|d kryt||d Wntk rqX|j|d n||||W|S( s Inverse valid rule s-Ds-As--deletes--appends-Is--inserts-Xs-Ns--delete-chains --new-chaini(s-Is--insert(tindext Exceptiontinttpop(targst replace_argstret_argstargtidx((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcommon_reverse_rule7s*     cCsidd6dd6dd6dd6dd6d d 6}|}x|D]}y|j|}Wntk rmq>nX|dkryt||d Wntk rqX|j|d n||||<|SWttd d S(s Reverse valid passthough rule s-Ds-As--deletes--appends-Is--inserts-Xs-Ns--delete-chains --new-chainisno '-A', '-I' or '-N' argN(s-Is--insert(R!t ValueErrorR#R$R R(R%R&R'txR)((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcommon_reverse_passthrough\s.     cCst|}tddddddddd d d d d dddddddg}t||@dkrttdt||@dntddddddg}t||@dkrttdndS(sZ Check if passthough rule is valid (only add, insert and new chain rules are allowed) s-Cs--checks-Ds--deletes-Rs --replaces-Ls--lists-Ss --list-ruless-Fs--flushs-Zs--zeros-Xs--delete-chains-Ps--policys-Es--rename-chainisarg '%s' is not alloweds-As--appends-Is--inserts-Ns --new-chainsno '-A', '-I' or '-N' argN(tsettlenR Rtlist(R%t not_allowedtneeded((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcommon_check_passthroughs*   t ip4tablescBseZdZdZeZdZdZdZd.dZ dZ dZ dZ d Zd Zd Zd Zd ZdZdZdZd.dZdZdZdZdZdZdZddZdZedZ dZ!dZ"dZ#dZ$d Z%d!Z&d"Z'd#Z(d.d.d$Z)d.d.d%Z*d.d.d&Z+d'Z,d.d(Z-d.d)Z.d.d*Z/d+Z0d,Z1d-Z2RS(/RR4cCsz||_tj|j|_tjd|j|_|j|_|j|_ |j g|_ g|_ i|_ dS(Ns %s-restore(t_fwR tCOMMANDStipvt_commandt_restore_commandt_detect_wait_optiont wait_optiont_detect_restore_wait_optiontrestore_wait_optiont fill_existstavailable_tablestzone_source_index_cachet our_chains(tselftfw((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt__init__s    cCs4tjj|j|_tjj|j|_dS(N(tostpathtexistsR8tcommand_existsR9trestore_command_exists(RB((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR>scCs|jrB|j|krB|jgg|D]}d|^q(}ng|D]}d|^qI}tjd|j|jdj|t|j|\}}|dkrtd|jdj||fn|S(Ns%ss %s: %s %st is'%s %s' failed: %s(R;Rtdebug2t __class__R8tjoinRR+(RBR%titemt_argststatustret((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt__runs*%  c Cs|dkr|Sg}x|D]}t}x|D]}y|j|}Wntk r\q0Xt||kr0d||dkr0t}||djd}x3|D](} |} | | |d<|j| qWq0q0W|s|j|qqW|S(s5Split values combined with commas for options in optst,iN(tNonetFalseR!R+R/tTruetsplittappend( RBtrulestoptst out_rulestrulet processedtopttititemsRNt_rule((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt split_values(    & cCsAy|j|}Wntk r'tSX||||d+tSdS(Ni(R!R+RURV(RBR\tpatternt replacementR_((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt _rule_replaces  cCs|tko|t|kS(N(tBUILT_IN_CHAINS(RBR7ttabletchain((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytis_chain_builtins cCsCd|g}|r"|jdn |jd|j||gS(Ns-ts-Ns-X(RX(RBtaddRgRhR\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_chain_ruless    cCsLd|g}|r.|d|t|g7}n|d|g7}||7}|S(Ns-ts-Is-D(tstr(RBRjRgRhR!R%R\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt build_rules   cCs t|S(N(R*(RBR%((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt reverse_rulescCst|dS(N(R3(RBR%((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcheck_passthroughscCs t|S(N(R-(RBR%((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytreverse_passthrough scCsd}y|jd}Wntk r,n(Xt||dkrT||d}nd}xndddddd gD]T}y|j|}Wntk rqsXt||dkrs||d}qsqsW||fS( NRs-tis-As--appends-Is--inserts-Ns --new-chain(R!R+R/RT(RBR%RgR_RhR^((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytpassthrough_parse_table_chain s$   cCsyb|jd}|j||j|}d|dkrQ||df}n||df}WnLtk ry&|jd}|j|d}Wqtk rdSXnXt}|ddkrt}n|r| r||kr|j|qn|r|rI||kr7|j||jd d n|j|}n!|j j r^d}n t |}d |d<|j d d|dndS(Ns%%ZONE_SOURCE%%s-miiis%%ZONE_INTERFACE%%is-Ds--deletetkeycSs|dS(Ni((R,((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt@ss-Iis%di(s-Ds--delete( R!R$R+RTRVRUtremoveRXtsortR5t_allow_zone_driftingR/tinsert(RBR\R@R_tzonet zone_sourcetrule_addR!((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_run_replace_zone_source#s>               cCs#t}i}tj|j}x|D]}|}|j|dddt|jg|j|dt|jgy|jd}Wnt k rnLX|dkrq(n|d&krd d d |g|||d +n |j ||j ||d} xpddgD]b} y|j| }Wnt k r6q Xt ||d kr |j ||j |} q q Wxzt t |D]f}x]tjD]R} | ||kr||jdo||jd rd||||i}|jdrg|dRRTRbReRiRkRmRnRoRpRqR{RRRR:R<RRRRRRRURRRRRRRRRRRRR R RRR R!R"(((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR4s\        ) ^    !  i   7 ,    !     , 1 # t ip6tablescBs eZdZdZedZRS(RR&c Csg}|jddddddddd g |d krk|jddddddddd d d g n|jdddddddddg |jdddddddddg |S(Ns-IRs-tRs-mtrpfilters--inverts-jRR}Rs --log-prefixsrpfilter_DROP: s-ps ipv6-icmps$--icmpv6-type=neighbour-solicitationRs"--icmpv6-type=router-advertisement(RX(RBRRY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_rpfilter_ruless"    (R#R$R7RRUR((((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR&s((tos.pathRERtfirewall.core.baseRRtfirewall.core.progRtfirewall.core.loggerRtfirewall.functionsRRRRRR R R tfirewallR tfirewall.errorsR RRtfirewall.core.richRRRRRRfRRR*R-R3tobjectR4R&(((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyts<  :"     % *