c`c#@sXdddddddddd d d d d ddddddddddddddddddd d!d"g#Zd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d%l m Z d#d&l m Z m Z ejd'kZd(Zd)Zd*d+Zd,Zd-Zd.Zd/Zd0Zd1Zd2Zd3Zd4Zd5Zd6Zd7Zd8Zd9Z d:Z!d;Z"d<Z#d=Z$d>Z%d?Z&d@Z'dAZ(dBZ)dCZ*dDZ+dEZ,dFZ-dGZ.dHZ/dIZ0dJZ1dKZ2dLZ3dMZ4d$S(NtPY2t getPortIDt getPortRangetportStrtgetServiceNametcheckIPtcheckIP6t checkIPnMaskt checkIP6nMaskt checkProtocoltcheckInterfacet checkUINT32tfirewalld_is_activettempFiletreadfilet writefiletenable_ip_forwardingtget_nf_conntrack_helper_settingtset_nf_conntrack_helper_settingt check_portt check_addresstcheck_single_addresst check_mactuniqifyt ppid_of_pidtmax_zone_name_lent checkUsertcheckUidt checkCommandt checkContexttjoinArgst splitArgstb2utu2bt u2b_if_py2iN(tlog(tFIREWALLD_TEMPDIRtFIREWALLD_PIDFILEt3cCst|tr|}nd|r-|j}nyt|}Wn<tk r{ytj|}Wq|tjk rwdSXnX|dkrdS|S(s Check and Get port id from port string or port id using socket.getservbyname @param port port string or port id @return Port id if valid, -1 if port can not be found and -2 if port is too big iii(t isinstancetinttstript ValueErrortsockett getservbynameterror(tportt_id((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR.s    c Cs>t|ts|jr>t|}|dkr:|fS|S|jd}t|dkr|djr|djrt|d}t|d}|dkr|dkr||kr||fS||kr||fS|fSqng}xtt|ddD]}tdj|| }dj||}t|dkrt|}|dkr|dkr||kr|j||fq||kr|j||fq|j|fqq|dkr|j|f|t|krPqqqWt|dkr dSt|dkr6dS|dS(sI Get port range for port range string or single port id @param ports an integer or port string or port range string @return Array containing start and end port id for a valid range or -1 if port can not be found and -2 if port is too big for integer input or -1 for invalid ranges or None if the range is ambiguous. it-iiiN( R'R(tisdigitRtsplittlentrangetjointappendtNone(tportstid1tsplitstid2tmatchedtitport2((s6/usr/lib/python2.7/site-packages/firewall/functions.pyREsH  2          t:cCsr|dkrdSt|}t|tr;|dkr;dSt|dkrUd|Sd|d||dfSdS(s Create port and port range string @param port port or port range int or [int, int] @param delimiter of the output string for port ranges, default ':' @return Port or port range string, empty string if port isn't specified, None if port or port range is not valid tiis%ss%s%s%sN(RR'R(R7R3(R.t delimitert_range((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR{s  cCst|}t|}t|dkr>|t|dkSt|dkr|t|dkr|t|dkrtStS(Niii(RRR3tTruetFalse(R.R4t_portRB((s6/usr/lib/python2.7/site-packages/firewall/functions.pytportInPortRanges  ,cCs8ytjt||}Wntjk r3dSX|S(s Check and Get service name from port and proto string combination using socket.getservbyport @param port string or id @param protocol string @return Service name if port and protocol are valid, else None N(R+t getservbyportR(R-R7(R.tprototname((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs cCs3ytjtj|Wntjk r.tSXtS(sl Check IPv4 address. @param ip address string @return True if address is valid, else False (R+t inet_ptontAF_INETR-RDRC(tip((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs cCs |jdS(s Normalize the IPv6 address This is mostly about converting URL-like IPv6 address to normal ones. e.g. [1234::4321] --> 1234:4321 s[](R)(RL((s6/usr/lib/python2.7/site-packages/firewall/functions.pyt normalizeIP6scCs9ytjtjt|Wntjk r4tSXtS(sl Check IPv6 address. @param ip address string @return True if address is valid, else False (R+RJtAF_INET6RMR-RDRC(RL((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs cCsd|kra||jd }||jdd}t|dksZt|dkrmtSn |}d}t|s}tS|rd|krt|Syt|}Wntk rtSX|dks|dkrtSntS(Nt/it.ii (tindexR3RDR7RR(R*RC(RLtaddrtmaskR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs& $    cCsd|kra||jd }||jdd}t|dksZt|dkrmtSn |}d}t|s}tS|ryt|}Wntk rtSX|dks|dkrtSntS(NROiii(RQR3RDR7RR(R*RC(RLRRRSR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs" $  cCsmyt|}Wn:tk rLytj|Wqitjk rHtSXnX|dkse|dkritStS(Nii(R(R*R+tgetprotobynameR-RDRC(tprotocolR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR s  cCsN| st|dkrtSx*ddddgD]}||kr0tSq0WtS(s Check interface string @param interface string @return True if interface is valid (maximum 16 chars and does not contain ' ', '/', '!', ':', '*'), else False it ROt!t*(R3RDRC(tifacetch((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR s  cCsHyt|d}Wntk r'tSX|dkrD|dkrDtStS(NiI(R(R*RDRC(tvaltx((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR s cCstjjtstSy(ttd}|j}WdQXWntk rRtSXtjjd|smtSy,td|d}|j}WdQXWntk rtSXd|krtStS(sv Check if firewalld is active @return True if there is a firewalld pid file and the pid is used by firewalld trNs/proc/%ss/proc/%s/cmdlinet firewalld( tostpathtexistsR%RDtopentreadlinet ExceptionRC(tfdtpidtcmdline((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR !s"   c CsyyKtjjts(tjtdntjdddddtdtSWn'tk rt}t j d|nXdS( Nitmodetwttprefixstemp.tdirtdeletes#Failed to create temporary file: %s( R_R`RaR$tmkdirttempfiletNamedTemporaryFileRDRdR#R-R7(tmsg((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR >scCsWy&t|d}|jSWdQXWn*tk rR}tjd||fnXdS(NR]sFailed to read file "%s": %s(Rbt readlinesRdR#R-R7(tfilenametfte((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRJs cCs[y)t|d}|j|WdQXWn+tk rV}tjd||ftSXtS(Ntws Failed to write to file "%s": %s(RbtwriteRdR#R-RDRC(RrtlineRsRt((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRRscCs6|dkrtddS|dkr2tddStS(Ntipv4s/proc/sys/net/ipv4/ip_forwards1 tipv6s&/proc/sys/net/ipv6/conf/all/forwarding(RRD(tipv((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR[s     cCs|jddjddS(Nt_R0s nf-conntrack-R@(treplace(tmodule((s6/usr/lib/python2.7/site-packages/firewall/functions.pytget_nf_conntrack_short_namebscCs>yttddSWntk r9tjddSXdS(Ns+/proc/sys/net/netfilter/nf_conntrack_helperis3Failed to get and parse nf_conntrack_helper setting(R(RRdR#twarning(((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRes   cCstd|rdndS(Ns+/proc/sys/net/netfilter/nf_conntrack_helpers1 s0 (R(tflag((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRlscCst|}|dksV|dksV|dksVt|dkr|d|dkr|dkrvtjd|nz|dkrtjd|nZ|dkrtjd|n:t|dkr|d|dkrtjd |ntStS( Niiiiis'%s': port > 65535s'%s': port is invalids'%s': port is ambiguouss'%s': range start >= end(RR7R3R#tdebug2RDRC(R.RB((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRps $&   &cCs4|dkrt|S|dkr,t|StSdS(NRxRy(RRRD(Rztsource((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs     cCs4|dkrt|S|dkr,t|StSdS(NRxRy(RRRD(RzR((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs     c Csgt|dkrcx"dD]}||dkrtSqWx%dD]}||tjkr>tSq>WtStS(Ni iiii iR?iiiiiii i i iii(iiii i( iiiiiii i i i ii(R3RDtstringt hexdigitsRC(tmacR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs  cCs7g}x*|D]"}||kr |j|q q W|S(N(R6(t_listtoutputR\((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs   cCsVy=tjd|}t|jdj}|jWntk rQdSX|S(s Get parent for pid sps -o ppid -h -p %d 2>/dev/nulliN(R_tpopenR(RqR)tcloseRdR7(RfRs((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs cCs=ddlm}ttt|j}d|tdS(s Netfilter limits length of chain to (currently) 28 chars. The longest chain we create is FWDI__allow, which leaves 28 - 11 = 17 chars for . i(t SHORTCUTSit__allow(tfirewall.core.baseRtmaxtmapR3tvalues(Rtlongest_shortcut((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRsc Cstt|dks-t|tjdkr1tSx<|D]4}|tjkr8|tjkr8|dkr8tSq8WtS(NitSC_LOGIN_NAME_MAXRPR0R{t$(RPR0R{R(R3R_tsysconfRDRt ascii_letterstdigitsRC(tusertc((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs-  cCsWt|tr7yt|}Wq7tk r3tSXn|dkrS|dkrStStS(NiiiiIi(R'tstrR(R*RDRC(tuid((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs cCsjt|dks$t|dkr(tSx'dddgD]}||kr8tSq8W|ddkrftStS(Niit|s tiRO(R3RDRC(tcommandRZ((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs$ cCs|jd}t|d kr%tS|ddkrM|dddkrMtS|ddd kretS|d dd kr}tSt|d dkrtStS(NR?iiitrootit_uit_rit_ti(ii(R2R3RDRC(tcontextR:((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs$cCsDdttkr)djd|DSdjd|DSdS(NtquoteRVcss|]}tj|VqdS(N(tshlexR(t.0ta((s6/usr/lib/python2.7/site-packages/firewall/functions.pys scss|]}tj|VqdS(N(tpipesR(RR((s6/usr/lib/python2.7/site-packages/firewall/functions.pys s(RkRR5(targs((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRscCsNtr=t|tr=t|}tj|}tt|Stj|SdS(N(RR'tunicodeR!RR2RR (t_stringR:((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs   cCs#t|tr|jddS|S(s bytes to unicode sUTF-8R|(R'tbytestdecode(R((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR scCs#t|ts|jddS|S(s unicode to bytes sUTF-8R|(R'Rtencode(R((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR!scCs)tr%t|tr%|jddS|S(s" unicode to bytes only if Python 2sUTF-8R|(RR'RR(R((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR"s(5t__all__R+R_tos.pathRRRtsysRntfirewall.core.loggerR#tfirewall.configR$R%tversionRRRRRFRRRMRRRR R R R R RRRR~RRRRRRRRRRRRRRRR R!R"(((s6/usr/lib/python2.7/site-packages/firewall/functions.pytsr                 6