SSH000064400000000000147207250100005110 0ustar00INCLUDE000064400000000224147207250100005546 0ustar00iptables -I INPUT -p tcp --dport 30000:65534 -j ACCEPT iptables -I INPUT -s 187.75.119.187 -j ACCEPT iptables -I INPUT -s 177.8.172.132 -j ACCEPT OUTPUT000064400000000000147207250100005513 0ustar00conf/smtp_whitelist.conf000064400000000042147207250100011411 0ustar00users << ENDUSERS wwgoat ENDUSERS IPDROP_GLOBAL000064400000000000147207250100006470 0ustar00SMTP_WHITELIST000064400000000000147207250100006672 0ustar00INPUT000064400000000016147207250100005361 0ustar0022022 3306 22 etc/rc.d/init.d/firewall000075500000001417147207530640011100 0ustar00#!/bin/sh # description: Start/stop Firewall # chkconfig: 2345 99 99 if [[ -e /etc/csf/version.txt ]]; then echo "CSF Detected... Exiting..." exit 1 elif [[ -d /etc/apf ]]; then echo "APF Detected... Exiting..." exit 1 elif [[ -e /usr/sbin/firewalld ]]; then echo "Firewalld detected... Exiting..." exit 1 fi case "$1" in 'start') modprobe ip_conntrack_ftp bash /usr/sbin/firewall start service iptables save 2>&1 RETVAL=$? ;; 'stop') iptables -F iptables -X bash /usr/sbin/firewall stop RETVAL=$? ;; 'restart') iptables -F iptables -X modprobe ip_conntrack_ftp bash /usr/sbin/firewall stop bash /usr/sbin/firewall start service iptables save 2>&1 RETVAL=$? 
;; *) echo "Usage: $0 { start | stop | restart }" RETVAL=1 ;; esac exit $RETVAL __init__.py000064400000000000147576556050006667 0ustar00functions.pyc000064400000040306147576556050007320 0ustar00 c`c#@sXdddddddddd d d d d ddddddddddddddddddd d!d"g#Zd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d%l m Z d#d&l m Z m Z ejd'kZd(Zd)Zd*d+Zd,Zd-Zd.Zd/Zd0Zd1Zd2Zd3Zd4Zd5Zd6Zd7Zd8Zd9Z d:Z!d;Z"d<Z#d=Z$d>Z%d?Z&d@Z'dAZ(dBZ)dCZ*dDZ+dEZ,dFZ-dGZ.dHZ/dIZ0dJZ1dKZ2dLZ3dMZ4d$S(NtPY2t getPortIDt getPortRangetportStrtgetServiceNametcheckIPtcheckIP6t checkIPnMaskt checkIP6nMaskt checkProtocoltcheckInterfacet checkUINT32tfirewalld_is_activettempFiletreadfilet writefiletenable_ip_forwardingtget_nf_conntrack_helper_settingtset_nf_conntrack_helper_settingt check_portt check_addresstcheck_single_addresst check_mactuniqifyt ppid_of_pidtmax_zone_name_lent checkUsertcheckUidt checkCommandt checkContexttjoinArgst splitArgstb2utu2bt u2b_if_py2iN(tlog(tFIREWALLD_TEMPDIRtFIREWALLD_PIDFILEt3cCst|tr|}nd|r-|j}nyt|}Wn<tk r{ytj|}Wq|tjk rwdSXnX|dkrdS|S(s Check and Get port id from port string or port id using socket.getservbyname @param port port string or port id @return Port id if valid, -1 if port can not be found and -2 if port is too big iii(t isinstancetinttstript ValueErrortsockett getservbynameterror(tportt_id((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR.s    c Cs>t|ts|jr>t|}|dkr:|fS|S|jd}t|dkr|djr|djrt|d}t|d}|dkr|dkr||kr||fS||kr||fS|fSqng}xtt|ddD]}tdj|| }dj||}t|dkrt|}|dkr|dkr||kr|j||fq||kr|j||fq|j|fqq|dkr|j|f|t|krPqqqWt|dkr dSt|dkr6dS|dS(sI Get port range for port range string or single port id @param ports an integer or port string or port range string @return Array containing start and end port id for a valid range or -1 if port can not be found and -2 if port is too big for integer input or -1 for invalid ranges or None if the range is ambiguous. 
it-iiiN( R'R(tisdigitRtsplittlentrangetjointappendtNone(tportstid1tsplitstid2tmatchedtitport2((s6/usr/lib/python2.7/site-packages/firewall/functions.pyREsH  2          t:cCsr|dkrdSt|}t|tr;|dkr;dSt|dkrUd|Sd|d||dfSdS(s Create port and port range string @param port port or port range int or [int, int] @param delimiter of the output string for port ranges, default ':' @return Port or port range string, empty string if port isn't specified, None if port or port range is not valid tiis%ss%s%s%sN(RR'R(R7R3(R.t delimitert_range((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR{s  cCst|}t|}t|dkr>|t|dkSt|dkr|t|dkr|t|dkrtStS(Niii(RRR3tTruetFalse(R.R4t_portRB((s6/usr/lib/python2.7/site-packages/firewall/functions.pytportInPortRanges  ,cCs8ytjt||}Wntjk r3dSX|S(s Check and Get service name from port and proto string combination using socket.getservbyport @param port string or id @param protocol string @return Service name if port and protocol are valid, else None N(R+t getservbyportR(R-R7(R.tprototname((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs cCs3ytjtj|Wntjk r.tSXtS(sl Check IPv4 address. @param ip address string @return True if address is valid, else False (R+t inet_ptontAF_INETR-RDRC(tip((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs cCs |jdS(s Normalize the IPv6 address This is mostly about converting URL-like IPv6 address to normal ones. e.g. [1234::4321] --> 1234:4321 s[](R)(RL((s6/usr/lib/python2.7/site-packages/firewall/functions.pyt normalizeIP6scCs9ytjtjt|Wntjk r4tSXtS(sl Check IPv6 address. 
@param ip address string @return True if address is valid, else False (R+RJtAF_INET6RMR-RDRC(RL((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs cCsd|kra||jd }||jdd}t|dksZt|dkrmtSn |}d}t|s}tS|rd|krt|Syt|}Wntk rtSX|dks|dkrtSntS(Nt/it.ii (tindexR3RDR7RR(R*RC(RLtaddrtmaskR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs& $    cCsd|kra||jd }||jdd}t|dksZt|dkrmtSn |}d}t|s}tS|ryt|}Wntk rtSX|dks|dkrtSntS(NROiii(RQR3RDR7RR(R*RC(RLRRRSR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs" $  cCsmyt|}Wn:tk rLytj|Wqitjk rHtSXnX|dkse|dkritStS(Nii(R(R*R+tgetprotobynameR-RDRC(tprotocolR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR s  cCsN| st|dkrtSx*ddddgD]}||kr0tSq0WtS(s Check interface string @param interface string @return True if interface is valid (maximum 16 chars and does not contain ' ', '/', '!', ':', '*'), else False it ROt!t*(R3RDRC(tifacetch((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR s  cCsHyt|d}Wntk r'tSX|dkrD|dkrDtStS(NiI(R(R*RDRC(tvaltx((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR s cCstjjtstSy(ttd}|j}WdQXWntk rRtSXtjjd|smtSy,td|d}|j}WdQXWntk rtSXd|krtStS(sv Check if firewalld is active @return True if there is a firewalld pid file and the pid is used by firewalld trNs/proc/%ss/proc/%s/cmdlinet firewalld( tostpathtexistsR%RDtopentreadlinet ExceptionRC(tfdtpidtcmdline((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR !s"   c CsyyKtjjts(tjtdntjdddddtdtSWn'tk rt}t j d|nXdS( Nitmodetwttprefixstemp.tdirtdeletes#Failed to create temporary file: %s( R_R`RaR$tmkdirttempfiletNamedTemporaryFileRDRdR#R-R7(tmsg((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR >scCsWy&t|d}|jSWdQXWn*tk rR}tjd||fnXdS(NR]sFailed to read file "%s": %s(Rbt readlinesRdR#R-R7(tfilenametfte((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRJs cCs[y)t|d}|j|WdQXWn+tk rV}tjd||ftSXtS(Ntws Failed to write to file "%s": 
%s(RbtwriteRdR#R-RDRC(RrtlineRsRt((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRRscCs6|dkrtddS|dkr2tddStS(Ntipv4s/proc/sys/net/ipv4/ip_forwards1 tipv6s&/proc/sys/net/ipv6/conf/all/forwarding(RRD(tipv((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR[s     cCs|jddjddS(Nt_R0s nf-conntrack-R@(treplace(tmodule((s6/usr/lib/python2.7/site-packages/firewall/functions.pytget_nf_conntrack_short_namebscCs>yttddSWntk r9tjddSXdS(Ns+/proc/sys/net/netfilter/nf_conntrack_helperis3Failed to get and parse nf_conntrack_helper setting(R(RRdR#twarning(((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRes   cCstd|rdndS(Ns+/proc/sys/net/netfilter/nf_conntrack_helpers1 s0 (R(tflag((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRlscCst|}|dksV|dksV|dksVt|dkr|d|dkr|dkrvtjd|nz|dkrtjd|nZ|dkrtjd|n:t|dkr|d|dkrtjd |ntStS( Niiiiis'%s': port > 65535s'%s': port is invalids'%s': port is ambiguouss'%s': range start >= end(RR7R3R#tdebug2RDRC(R.RB((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRps $&   &cCs4|dkrt|S|dkr,t|StSdS(NRxRy(RRRD(Rztsource((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs     cCs4|dkrt|S|dkr,t|StSdS(NRxRy(RRRD(RzR((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs     c Csgt|dkrcx"dD]}||dkrtSqWx%dD]}||tjkr>tSq>WtStS(Ni iiii iR?iiiiiii i i iii(iiii i( iiiiiii i i i ii(R3RDtstringt hexdigitsRC(tmacR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs  cCs7g}x*|D]"}||kr |j|q q W|S(N(R6(t_listtoutputR\((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs   cCsVy=tjd|}t|jdj}|jWntk rQdSX|S(s Get parent for pid sps -o ppid -h -p %d 2>/dev/nulliN(R_tpopenR(RqR)tcloseRdR7(RfRs((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs cCs=ddlm}ttt|j}d|tdS(s Netfilter limits length of chain to (currently) 28 chars. The longest chain we create is FWDI__allow, which leaves 28 - 11 = 17 chars for . 
i(t SHORTCUTSit__allow(tfirewall.core.baseRtmaxtmapR3tvalues(Rtlongest_shortcut((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRsc Cstt|dks-t|tjdkr1tSx<|D]4}|tjkr8|tjkr8|dkr8tSq8WtS(NitSC_LOGIN_NAME_MAXRPR0R{t$(RPR0R{R(R3R_tsysconfRDRt ascii_letterstdigitsRC(tusertc((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs-  cCsWt|tr7yt|}Wq7tk r3tSXn|dkrS|dkrStStS(NiiiiIi(R'tstrR(R*RDRC(tuid((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs cCsjt|dks$t|dkr(tSx'dddgD]}||kr8tSq8W|ddkrftStS(Niit|s tiRO(R3RDRC(tcommandRZ((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs$ cCs|jd}t|d kr%tS|ddkrM|dddkrMtS|ddd kretS|d dd kr}tSt|d dkrtStS(NR?iiitrootit_uit_rit_ti(ii(R2R3RDRC(tcontextR:((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs$cCsDdttkr)djd|DSdjd|DSdS(NtquoteRVcss|]}tj|VqdS(N(tshlexR(t.0ta((s6/usr/lib/python2.7/site-packages/firewall/functions.pys scss|]}tj|VqdS(N(tpipesR(RR((s6/usr/lib/python2.7/site-packages/firewall/functions.pys s(RkRR5(targs((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRscCsNtr=t|tr=t|}tj|}tt|Stj|SdS(N(RR'tunicodeR!RR2RR (t_stringR:((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs   cCs#t|tr|jddS|S(s bytes to unicode sUTF-8R|(R'tbytestdecode(R((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR scCs#t|ts|jddS|S(s unicode to bytes sUTF-8R|(R'Rtencode(R((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR!scCs)tr%t|tr%|jddS|S(s" unicode to bytes only if Python 2sUTF-8R|(RR'RR(R((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR"s(5t__all__R+R_tos.pathRRRtsysRntfirewall.core.loggerR#tfirewall.configR$R%tversionRRRRRFRRRMRRRR R R R R RRRR~RRRRRRRRRRRRRRRR R!R"(((s6/usr/lib/python2.7/site-packages/firewall/functions.pytsr                 6                     server/__init__.py000064400000000000147576556050010175 0ustar00server/decorators.pyo000064400000005132147576556050010775 0ustar00 c`c@sdZddddgZddlZddlZddlZddlmZddlmZdd lm Z dd l m Z dd lm Z dd l mZdejfd 
YZedZedZdZdS(s>This module contains decorators for use with and without D-BustFirewallDBusExceptionthandle_exceptionstdbus_handle_exceptionstdbus_service_methodiN(t DBusException(t decorator(tconfig(t FirewallError(terrors(tlogcBseZdZdejjZRS(Rs %s.Exception(t__name__t __module__t__doc__RtdbustDBUS_INTERFACEt_dbus_error_name(((s>/usr/lib/python2.7/site-packages/firewall/server/decorators.pyR+scOsxy|||SWn`tk rF}tjtjtj|n.tk rstjtjtjnXdS(sTDecorator to handle exceptions and log them. Used if not conneced to D-Bus. N(RR tdebug1t tracebackt format_excterrort Exceptiont exception(tfunctargstkwargsR((s>/usr/lib/python2.7/site-packages/firewall/server/decorators.pyR/s cOs y|||SWntk r}tjt|}|tjtjtjtjgkrrtj t|n&tj t j tj t|tt|nZtk r}|nBtk r}tj t j tjtt|nXdS(sDecorator to handle exceptions, log and report them into D-Bus :Raises DBusException: on a firewall error code problems. N(Rtget_codetstrRtALREADY_ENABLEDt NOT_ENABLEDtZONE_ALREADY_SETt ALREADY_SETR twarningRRRRRRRR(RRRRtcodetex((s>/usr/lib/python2.7/site-packages/firewall/server/decorators.pyR=s   cOs#|jddtjj||S(sAdd sender argument for D-Bustsender_keywordtsender(t setdefaultR tservicetmethod(RR((s>/usr/lib/python2.7/site-packages/firewall/server/decorators.pyRVs(R t__all__R t dbus.serviceRtdbus.exceptionsRRtfirewallRtfirewall.errorsRRtfirewall.core.loggerR RRRR(((s>/usr/lib/python2.7/site-packages/firewall/server/decorators.pyts    server/config_zone.py000064400000123464147576556050010762 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2010-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
# See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# force use of pygobject3 in python-slip
from gi.repository import GObject
import sys
sys.modules['gobject'] = GObject

import dbus
import dbus.service
import slip.dbus
import slip.dbus.service

from firewall import config
from firewall.dbus_utils import dbus_to_python, \
    dbus_introspection_prepare_properties, \
    dbus_introspection_add_properties
from firewall.core.io.zone import Zone
from firewall.core.fw_ifcfg import ifcfg_set_zone_of_interface
from firewall.core.base import DEFAULT_ZONE_TARGET
from firewall.core.rich import Rich_Rule
from firewall.core.logger import log
from firewall.server.decorators import handle_exceptions, \
    dbus_handle_exceptions, dbus_service_method
from firewall import errors
from firewall.errors import FirewallError
from firewall.functions import portInPortRange

############################################################################
#
# class FirewallDConfig
#
############################################################################

class FirewallDConfigZone(slip.dbus.service.Object):
    """D-Bus object exposing the permanent configuration of one zone.

    Each instance wraps one Zone configuration object (``self.obj``) and
    is published on the bus under the object path handed to __init__.
    The read-only D-Bus properties (name, filename, path, default,
    builtin) are served from ``self.obj``; the zone settings themselves
    are read and written through ``self.config`` (the parent
    configuration object).

    Access-control pattern visible in this file: every method that
    changes configuration calls ``self.parent.accessCheck(sender)``
    before doing so; pure getters and queries do not.
    """

    persistent = True
    """ Make FirewallD persistent.
    """
    # NOTE(review): the attribute string below mentions PK_ACTION_INFO,
    # but the value assigned is PK_ACTION_CONFIG.  slip.dbus presumably
    # applies this class-level default to exported methods that carry no
    # explicit require_auth decorator -- confirm against slip.dbus.
    default_polkit_auth_required = config.dbus.PK_ACTION_CONFIG
    """ Use PK_ACTION_INFO as a default """

    @handle_exceptions
    def __init__(self, parent, conf, zone, item_id, *args, **kwargs):
        """Wrap *zone* and register it on the bus.

        parent   -- owning FirewallDConfig object; provides accessCheck(),
                    getZoneOfInterface(), getZoneOfSource(), removeZone()
        conf     -- configuration backend with get_zone_config(),
                    set_zone_config(), load_zone_defaults(), remove_zone(),
                    rename_zone()
        zone     -- the Zone configuration object being exposed
        item_id  -- integer used to build the log prefix "config.zone.<id>"
        *args    -- forwarded to slip.dbus.service.Object; args[0] is kept
                    as the bus name and args[1] as the object path
        """
        super(FirewallDConfigZone, self).__init__(*args, **kwargs)
        self.parent = parent
        self.config = conf
        self.obj = zone
        self.item_id = item_id
        self.busname = args[0]
        self.path = args[1]
        self._log_prefix = "config.zone.%d" % self.item_id
        # registers the properties served by _get_property for introspection
        dbus_introspection_prepare_properties(
            self, config.dbus.DBUS_INTERFACE_CONFIG_ZONE)

    @dbus_handle_exceptions
    def __del__(self):
        pass

    @dbus_handle_exceptions
    def unregister(self):
        """Take this object off the bus."""
        self.remove_from_connection()

    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

    # P R O P E R T I E S

    @dbus_handle_exceptions
    def _get_property(self, property_name):
        """Return the D-Bus typed value of one of the five read-only properties.

        Raises a DBusException (InvalidArgs) for any other property name.
        """
        if property_name == "name":
            return dbus.String(self.obj.name)
        elif property_name == "filename":
            return dbus.String(self.obj.filename)
        elif property_name == "path":
            return dbus.String(self.obj.path)
        elif property_name == "default":
            return dbus.Boolean(self.obj.default)
        elif property_name == "builtin":
            return dbus.Boolean(self.obj.builtin)
        else:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.InvalidArgs: "
                "Property '%s' does not exist" % property_name)

    @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss',
                         out_signature='v')
    @dbus_handle_exceptions
    def Get(self, interface_name, property_name, sender=None): # pylint: disable=W0613
        """org.freedesktop.DBus.Properties.Get -- read one property.

        Only DBUS_INTERFACE_CONFIG_ZONE is served; any other interface
        name raises UnknownInterface.  No accessCheck is made here.
        """
        # get a property
        interface_name = dbus_to_python(interface_name, str)
        property_name = dbus_to_python(property_name, str)
        log.debug1("%s.Get('%s', '%s')", self._log_prefix,
                   interface_name, property_name)

        if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ZONE:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.UnknownInterface: "
                "Interface '%s' does not exist" % interface_name)

        return self._get_property(property_name)

    @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='s',
                         out_signature='a{sv}')
    @dbus_handle_exceptions
    def GetAll(self, interface_name, sender=None): # pylint: disable=W0613
        """org.freedesktop.DBus.Properties.GetAll -- all five properties as a dict."""
        interface_name = dbus_to_python(interface_name, str)
        log.debug1("%s.GetAll('%s')", self._log_prefix, interface_name)

        if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ZONE:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.UnknownInterface: "
                "Interface '%s' does not exist" % interface_name)

        ret = { }
        for x in [ "name", "filename", "path", "default", "builtin" ]:
            ret[x] = self._get_property(x)
        return dbus.Dictionary(ret, signature="sv")

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
    @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ssv')
    @dbus_handle_exceptions
    def Set(self, interface_name, property_name, new_value, sender=None):
        """org.freedesktop.DBus.Properties.Set -- always rejected.

        All properties of this object are read-only: after the polkit
        check, accessCheck and the interface-name check, the method
        unconditionally raises PropertyReadOnly.
        """
        interface_name = dbus_to_python(interface_name, str)
        property_name = dbus_to_python(property_name, str)
        new_value = dbus_to_python(new_value)
        log.debug1("%s.Set('%s', '%s', '%s')", self._log_prefix,
                   interface_name, property_name, new_value)
        self.parent.accessCheck(sender)

        if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ZONE:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.UnknownInterface: "
                "Interface '%s' does not exist" % interface_name)

        raise dbus.exceptions.DBusException(
            "org.freedesktop.DBus.Error.PropertyReadOnly: "
            "Property '%s' is read-only" % property_name)

    @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as')
    def PropertiesChanged(self, interface_name, changed_properties,
                          invalidated_properties):
        """org.freedesktop.DBus.Properties.PropertiesChanged signal (logged only)."""
        interface_name = dbus_to_python(interface_name, str)
        changed_properties = dbus_to_python(changed_properties)
        invalidated_properties = dbus_to_python(invalidated_properties)
        log.debug1("%s.PropertiesChanged('%s', '%s', '%s')", self._log_prefix,
                   interface_name, changed_properties, invalidated_properties)

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
    @dbus_service_method(dbus.INTROSPECTABLE_IFACE, out_signature='s')
    @dbus_handle_exceptions
    def Introspect(self, sender=None): # pylint: disable=W0613
        """Return the introspection XML, extended with the property declarations."""
        log.debug2("%s.Introspect()", self._log_prefix)

        data = super(FirewallDConfigZone, self).Introspect(
            self.path, self.busname.get_bus())

        return dbus_introspection_add_properties(
            self, data, config.dbus.DBUS_INTERFACE_CONFIG_ZONE)

    # S E T T I N G S

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         out_signature=Zone.DBUS_SIGNATURE)
    @dbus_handle_exceptions
    def getSettings(self, sender=None): # pylint: disable=W0613
        """get settings for zone

        Returns the settings tuple from the configuration backend.  The
        stored target DEFAULT_ZONE_TARGET is reported on the wire as the
        string "default" (index 4); update() performs the reverse mapping.
        """
        log.debug1("%s.getSettings()", self._log_prefix)
        settings = self.config.get_zone_config(self.obj)
        if settings[4] == DEFAULT_ZONE_TARGET:
            # convert to list, fix target, convert back to tuple
            _settings = list(settings)
            _settings[4] = "default"
            settings = tuple(_settings)
        return settings

    def _checkDuplicateInterfacesSources(self, settings):
        """Assignment of interfaces/sources to zones is different from other
        zone settings in the sense that particular interface/zone can be
        part of only one zone. So make sure added interfaces/sources have
        not already been bound to another zone.

        Only entries that are new relative to the currently stored
        configuration are checked; raises FirewallError(ZONE_CONFLICT)
        naming the offending interface or source.
        """
        old_settings = self.config.get_zone_config(self.obj)
        idx_i = Zone.index_of("interfaces")
        idx_s = Zone.index_of("sources")
        added_ifaces = set(settings[idx_i]) - set(old_settings[idx_i])
        added_sources = set(settings[idx_s]) - set(old_settings[idx_s])

        for iface in added_ifaces:
            if self.parent.getZoneOfInterface(iface):
                raise FirewallError(errors.ZONE_CONFLICT, iface) # or move to new zone ?
        for source in added_sources:
            if self.parent.getZoneOfSource(source):
                raise FirewallError(errors.ZONE_CONFLICT, source) # or move to new zone ?
    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature=Zone.DBUS_SIGNATURE)
    @dbus_handle_exceptions
    def update(self, settings, sender=None):
        """Replace the whole settings tuple of this zone.

        The caller must pass accessCheck().  A wire-form target of
        "default" (index 4) is mapped back to DEFAULT_ZONE_TARGET, newly
        added interfaces/sources are checked for conflicts with other
        zones, the result is stored via the configuration backend and
        the Updated signal is emitted with the zone name.
        """
        settings = dbus_to_python(settings)
        log.debug1("%s.update('...')", self._log_prefix)
        self.parent.accessCheck(sender)

        if settings[4] == "default":
            # reverse of getSettings(): the stored form uses DEFAULT_ZONE_TARGET
            settings = tuple(DEFAULT_ZONE_TARGET if idx == 4 else value
                             for idx, value in enumerate(settings))

        self._checkDuplicateInterfacesSources(settings)
        self.obj = self.config.set_zone_config(self.obj, settings)
        self.Updated(self.obj.name)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE)
    @dbus_handle_exceptions
    def loadDefaults(self, sender=None):
        """Reset a builtin zone to its shipped defaults and emit Updated.

        Requires accessCheck().
        """
        log.debug1("%s.loadDefaults()", self._log_prefix)
        self.parent.accessCheck(sender)
        self.obj = self.config.load_zone_defaults(self.obj)
        self.Updated(self.obj.name)

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_ZONE, signature='s')
    @dbus_handle_exceptions
    def Updated(self, name):
        """D-Bus signal: the configuration of zone *name* changed."""
        log.debug1("%s.Updated('%s')" % (self._log_prefix, name))

    # R E M O V E

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE)
    @dbus_handle_exceptions
    def remove(self, sender=None):
        """Delete this zone from the permanent configuration.

        Requires accessCheck().  The backend drops the zone first, then
        the parent is told to unregister this object.
        """
        log.debug1("%s.removeZone()", self._log_prefix)
        self.parent.accessCheck(sender)
        self.config.remove_zone(self.obj)
        self.parent.removeZone(self.obj)

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_ZONE, signature='s')
    @dbus_handle_exceptions
    def Removed(self, name):
        """D-Bus signal: zone *name* was removed."""
        log.debug1("%s.Removed('%s')" % (self._log_prefix, name))

    # R E N A M E

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE, in_signature='s')
    @dbus_handle_exceptions
    def rename(self, name, sender=None):
        """Rename this zone to *name* and emit Renamed.

        Requires accessCheck().
        """
        name = dbus_to_python(name, str)
        log.debug1("%s.rename('%s')", self._log_prefix, name)
        self.parent.accessCheck(sender)
        self.obj = self.config.rename_zone(self.obj, name)
        self.Renamed(name)
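    @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_ZONE, signature='s')
    @dbus_handle_exceptions
    def Renamed(self, name):
        """D-Bus signal: this zone was renamed to *name*."""
        log.debug1("%s.Renamed('%s')" % (self._log_prefix, name))

    # Per-setting accessors.
    #
    # Every get*/query* method only reads the settings tuple returned by
    # getSettings() and performs no access check.  Every set*/add*/remove*
    # method calls self.parent.accessCheck(sender) before touching
    # anything and then hands the modified tuple to update(), which
    # stores it and emits Updated.  The tuple indices used below are:
    #   0 version, 1 short, 2 description, 3 (unused, was 'immutable'),
    #   4 target, 5 services, 6 ports, 7 icmp blocks, 13 protocols,
    #   14 source ports, 15 icmp block inversion.

    @staticmethod
    def _portListToTuples(ports):
        """Return *ports* with every entry that arrived as a list turned
        into a tuple, so it compares equal to the stored (port, protocol)
        tuples.  Other entries are passed through unchanged."""
        return [tuple(port) if isinstance(port, list) else port
                for port in ports]

    # version

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         out_signature='s')
    @dbus_handle_exceptions
    def getVersion(self, sender=None): # pylint: disable=W0613
        """Return the zone's version string (settings[0])."""
        log.debug1("%s.getVersion()", self._log_prefix)
        return self.getSettings()[0]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='s')
    @dbus_handle_exceptions
    def setVersion(self, version, sender=None):
        """Set the zone's version string."""
        version = dbus_to_python(version, str)
        log.debug1("%s.setVersion('%s')", self._log_prefix, version)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[0] = version
        self.update(settings)

    # short

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         out_signature='s')
    @dbus_handle_exceptions
    def getShort(self, sender=None): # pylint: disable=W0613
        """Return the zone's short name (settings[1])."""
        log.debug1("%s.getShort()", self._log_prefix)
        return self.getSettings()[1]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='s')
    @dbus_handle_exceptions
    def setShort(self, short, sender=None):
        """Set the zone's short name."""
        short = dbus_to_python(short, str)
        log.debug1("%s.setShort('%s')", self._log_prefix, short)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[1] = short
        self.update(settings)

    # description

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         out_signature='s')
    @dbus_handle_exceptions
    def getDescription(self, sender=None): # pylint: disable=W0613
        """Return the zone's description (settings[2])."""
        log.debug1("%s.getDescription()", self._log_prefix)
        return self.getSettings()[2]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='s')
    @dbus_handle_exceptions
    def setDescription(self, description, sender=None):
        """Set the zone's description."""
        description = dbus_to_python(description, str)
        log.debug1("%s.setDescription('%s')", self._log_prefix, description)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[2] = description
        self.update(settings)

    # immutable (deprecated)
    # settings[3] was used for 'immutable'

    # target

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         out_signature='s')
    @dbus_handle_exceptions
    def getTarget(self, sender=None): # pylint: disable=W0613
        """Return the zone target (settings[4]), DEFAULT_ZONE_TARGET as "default"."""
        log.debug1("%s.getTarget()", self._log_prefix)
        settings = self.getSettings()
        # getSettings() already maps the default target; the check is kept
        # as a second line of defence in case a raw value slips through.
        return settings[4] if settings[4] != DEFAULT_ZONE_TARGET else "default"

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='s')
    @dbus_handle_exceptions
    def setTarget(self, target, sender=None):
        """Set the zone target; "default" is stored as DEFAULT_ZONE_TARGET."""
        target = dbus_to_python(target, str)
        log.debug1("%s.setTarget('%s')", self._log_prefix, target)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[4] = target if target != "default" else DEFAULT_ZONE_TARGET
        self.update(settings)

    # service

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         out_signature='as')
    @dbus_handle_exceptions
    def getServices(self, sender=None): # pylint: disable=W0613
        """Return the list of enabled service names (settings[5])."""
        log.debug1("%s.getServices()", self._log_prefix)
        return self.getSettings()[5]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='as')
    @dbus_handle_exceptions
    def setServices(self, services, sender=None):
        """Replace the zone's service list."""
        services = dbus_to_python(services, list)
        log.debug1("%s.setServices('[%s]')", self._log_prefix,
                   ",".join(services))
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[5] = services
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='s')
    @dbus_handle_exceptions
    def addService(self, service, sender=None):
        """Append *service*; raises ALREADY_ENABLED if it is already listed."""
        service = dbus_to_python(service, str)
        log.debug1("%s.addService('%s')", self._log_prefix, service)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if service in settings[5]:
            raise FirewallError(errors.ALREADY_ENABLED, service)
        settings[5].append(service)
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='s')
    @dbus_handle_exceptions
    def removeService(self, service, sender=None):
        """Remove *service*; raises NOT_ENABLED if it is not listed."""
        service = dbus_to_python(service, str)
        log.debug1("%s.removeService('%s')", self._log_prefix, service)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if service not in settings[5]:
            raise FirewallError(errors.NOT_ENABLED, service)
        settings[5].remove(service)
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='s', out_signature='b')
    @dbus_handle_exceptions
    def queryService(self, service, sender=None): # pylint: disable=W0613
        """Return True if *service* is listed in the zone."""
        service = dbus_to_python(service, str)
        log.debug1("%s.queryService('%s')", self._log_prefix, service)
        return service in self.getSettings()[5]

    # port

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         out_signature='a(ss)')
    @dbus_handle_exceptions
    def getPorts(self, sender=None): # pylint: disable=W0613
        """Return the list of (port, protocol) entries (settings[6])."""
        log.debug1("%s.getPorts()", self._log_prefix)
        return self.getSettings()[6]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='a(ss)')
    @dbus_handle_exceptions
    def setPorts(self, ports, sender=None):
        """Replace the zone's port list with *ports* ((port, protocol) pairs)."""
        # convert embedded lists to tuples
        ports = self._portListToTuples(dbus_to_python(ports, list))
        # quoting fixed: each entry is logged as ('<port>', '<protocol>')
        log.debug1("%s.setPorts('[%s]')", self._log_prefix,
                   ",".join("('%s', '%s')" % (port[0], port[1])
                            for port in ports))
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[6] = ports
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='ss')
    @dbus_handle_exceptions
    def addPort(self, port, protocol, sender=None):
        """Append (port, protocol); raises ALREADY_ENABLED on an exact duplicate."""
        port = dbus_to_python(port, str)
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.addPort('%s', '%s')", self._log_prefix, port, protocol)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if (port,protocol) in settings[6]:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "%s:%s" % (port, protocol))
        settings[6].append((port,protocol))
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='ss')
    @dbus_handle_exceptions
    def removePort(self, port, protocol, sender=None):
        """Remove (port, protocol); raises NOT_ENABLED if not listed exactly."""
        port = dbus_to_python(port, str)
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.removePort('%s', '%s')", self._log_prefix, port,
                   protocol)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if (port,protocol) not in settings[6]:
            raise FirewallError(errors.NOT_ENABLED,
                                "%s:%s" % (port, protocol))
        settings[6].remove((port,protocol))
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='ss', out_signature='b')
    @dbus_handle_exceptions
    def queryPort(self, port, protocol, sender=None): # pylint: disable=W0613
        """Return True if (port, protocol) is listed, either exactly or
        because *port* lies inside a listed range with the same protocol."""
        port = dbus_to_python(port, str)
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.queryPort('%s', '%s')", self._log_prefix, port,
                   protocol)
        # fetch the settings once instead of once per branch
        ports = self.getSettings()[6]
        if (port,protocol) in ports:
            return True
        # It might be a single port query that is inside a range
        for (_port, _protocol) in ports:
            if portInPortRange(port, _port) and protocol == _protocol:
                return True
        return False

    # protocol

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         out_signature='as')
    @dbus_handle_exceptions
    def getProtocols(self, sender=None): # pylint: disable=W0613
        """Return the list of enabled protocols (settings[13])."""
        log.debug1("%s.getProtocols()", self._log_prefix)
        return self.getSettings()[13]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='as')
    @dbus_handle_exceptions
    def setProtocols(self, protocols, sender=None):
        """Replace the zone's protocol list."""
        protocols = dbus_to_python(protocols, list)
        log.debug1("%s.setProtocols('[%s]')", self._log_prefix,
                   ",".join(protocols))
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[13] = protocols
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='s')
    @dbus_handle_exceptions
    def addProtocol(self, protocol, sender=None):
        """Append *protocol*; raises ALREADY_ENABLED if already listed."""
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.addProtocol('%s')", self._log_prefix, protocol)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if protocol in settings[13]:
            raise FirewallError(errors.ALREADY_ENABLED, protocol)
        settings[13].append(protocol)
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='s')
    @dbus_handle_exceptions
    def removeProtocol(self, protocol, sender=None):
        """Remove *protocol*; raises NOT_ENABLED if not listed."""
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.removeProtocol('%s')", self._log_prefix, protocol)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if protocol not in settings[13]:
            raise FirewallError(errors.NOT_ENABLED, protocol)
        settings[13].remove(protocol)
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='s', out_signature='b')
    @dbus_handle_exceptions
    def queryProtocol(self, protocol, sender=None): # pylint: disable=W0613
        """Return True if *protocol* is listed in the zone."""
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.queryProtocol('%s')", self._log_prefix, protocol)
        return protocol in self.getSettings()[13]

    # source port

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         out_signature='a(ss)')
    @dbus_handle_exceptions
    def getSourcePorts(self, sender=None): # pylint: disable=W0613
        """Return the list of (port, protocol) source-port entries (settings[14])."""
        log.debug1("%s.getSourcePorts()", self._log_prefix)
        return self.getSettings()[14]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='a(ss)')
    @dbus_handle_exceptions
    def setSourcePorts(self, ports, sender=None):
        """Replace the zone's source-port list with *ports* ((port, protocol) pairs)."""
        # convert embedded lists to tuples
        ports = self._portListToTuples(dbus_to_python(ports, list))
        # quoting fixed: each entry is logged as ('<port>', '<protocol>')
        log.debug1("%s.setSourcePorts('[%s]')", self._log_prefix,
                   ",".join("('%s', '%s')" % (port[0], port[1])
                            for port in ports))
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[14] = ports
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='ss')
    @dbus_handle_exceptions
    def addSourcePort(self, port, protocol, sender=None):
        """Append a source (port, protocol); raises ALREADY_ENABLED on duplicate."""
        port = dbus_to_python(port, str)
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.addSourcePort('%s', '%s')", self._log_prefix, port,
                   protocol)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if (port,protocol) in settings[14]:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "%s:%s" % (port, protocol))
        settings[14].append((port,protocol))
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='ss')
    @dbus_handle_exceptions
    def removeSourcePort(self, port, protocol, sender=None):
        """Remove a source (port, protocol); raises NOT_ENABLED if not listed."""
        port = dbus_to_python(port, str)
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.removeSourcePort('%s', '%s')", self._log_prefix, port,
                   protocol)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if (port,protocol) not in settings[14]:
            raise FirewallError(errors.NOT_ENABLED,
                                "%s:%s" % (port, protocol))
        settings[14].remove((port,protocol))
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='ss', out_signature='b')
    @dbus_handle_exceptions
    def querySourcePort(self, port, protocol, sender=None): # pylint: disable=W0613
        """Return True if the exact source (port, protocol) pair is listed.

        Unlike queryPort, no range containment check is performed here.
        """
        port = dbus_to_python(port, str)
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.querySourcePort('%s', '%s')", self._log_prefix, port,
                   protocol)
        return (port,protocol) in self.getSettings()[14]

    # icmp block

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         out_signature='as')
    @dbus_handle_exceptions
    def getIcmpBlocks(self, sender=None): # pylint: disable=W0613
        """Return the list of blocked ICMP type names (settings[7])."""
        log.debug1("%s.getIcmpBlocks()", self._log_prefix)
        return self.getSettings()[7]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='as')
    @dbus_handle_exceptions
    def setIcmpBlocks(self, icmptypes, sender=None):
        """Replace the zone's ICMP block list."""
        icmptypes = dbus_to_python(icmptypes, list)
        log.debug1("%s.setIcmpBlocks('[%s]')", self._log_prefix,
                   ",".join(icmptypes))
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[7] = icmptypes
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='s')
    @dbus_handle_exceptions
    def addIcmpBlock(self, icmptype, sender=None):
        """Append *icmptype*; raises ALREADY_ENABLED if already listed."""
        icmptype = dbus_to_python(icmptype, str)
        log.debug1("%s.addIcmpBlock('%s')", self._log_prefix, icmptype)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if icmptype in settings[7]:
            raise FirewallError(errors.ALREADY_ENABLED, icmptype)
        settings[7].append(icmptype)
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='s')
    @dbus_handle_exceptions
    def removeIcmpBlock(self, icmptype, sender=None):
        """Remove *icmptype*; raises NOT_ENABLED if not listed."""
        icmptype = dbus_to_python(icmptype, str)
        log.debug1("%s.removeIcmpBlock('%s')", self._log_prefix, icmptype)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if icmptype not in settings[7]:
            raise FirewallError(errors.NOT_ENABLED, icmptype)
        settings[7].remove(icmptype)
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='s', out_signature='b')
    @dbus_handle_exceptions
    def queryIcmpBlock(self, icmptype, sender=None): # pylint: disable=W0613
        """Return True if *icmptype* is in the zone's ICMP block list."""
        icmptype = dbus_to_python(icmptype, str)
        log.debug1("%s.queryIcmpBlock('%s')", self._log_prefix, icmptype)
        return icmptype in self.getSettings()[7]

    # icmp block inversion

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         out_signature='b')
    @dbus_handle_exceptions
    def getIcmpBlockInversion(self, sender=None): # pylint: disable=W0613
        """Return the ICMP block inversion flag (settings[15])."""
        log.debug1("%s.getIcmpBlockInversion()", self._log_prefix)
        return self.getSettings()[15]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                         in_signature='b')
    @dbus_handle_exceptions
    def setIcmpBlockInversion(self, flag, sender=None):
        """Set the ICMP block inversion flag."""
        flag = dbus_to_python(flag, bool)
        log.debug1("%s.setIcmpBlockInversion('%s')", self._log_prefix, flag)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[15] = flag
        self.update(settings)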
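# Positional settings-list indexes used below (see getSettings()):
#   8  masquerade            bool
#   9  forward ports         list of (port, protocol, toport, toaddr) tuples
#  10  interfaces            list of interface names
#  11  sources               list of source addresses
#  12  rich rules            list of rule strings
#  15  icmp-block-inversion  bool
# Mutators run self.parent.accessCheck(sender) on the D-Bus caller before
# changing anything and persist via self.update(); get*/query* methods are
# read-only and skip the check.  Validation of the values themselves is not
# done here - it is assumed to happen in update()/the zone object.

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE)
@dbus_handle_exceptions
def addIcmpBlockInversion(self, sender=None):
    """Turn icmp-block-inversion on; raises ALREADY_ENABLED if it is."""
    log.debug1("%s.addIcmpBlockInversion()", self._log_prefix)
    self.parent.accessCheck(sender)
    settings = list(self.getSettings())
    if settings[15]:
        raise FirewallError(errors.ALREADY_ENABLED, "icmp-block-inversion")
    settings[15] = True
    self.update(settings)

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE)
@dbus_handle_exceptions
def removeIcmpBlockInversion(self, sender=None):
    """Turn icmp-block-inversion off; raises NOT_ENABLED if it is off."""
    log.debug1("%s.removeIcmpBlockInversion()", self._log_prefix)
    self.parent.accessCheck(sender)
    settings = list(self.getSettings())
    if not settings[15]:
        raise FirewallError(errors.NOT_ENABLED, "icmp-block-inversion")
    settings[15] = False
    self.update(settings)

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     out_signature='b')
@dbus_handle_exceptions
def queryIcmpBlockInversion(self, sender=None): # pylint: disable=W0613
    """Return the zone's icmp-block-inversion flag."""
    log.debug1("%s.queryIcmpBlockInversion()", self._log_prefix)
    return self.getSettings()[15]

# masquerade

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     out_signature='b')
@dbus_handle_exceptions
def getMasquerade(self, sender=None): # pylint: disable=W0613
    """Return the zone's masquerade flag."""
    log.debug1("%s.getMasquerade()", self._log_prefix)
    return self.getSettings()[8]

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     in_signature='b')
@dbus_handle_exceptions
def setMasquerade(self, masquerade, sender=None):
    """Set the zone's masquerade flag to *masquerade*."""
    masquerade = dbus_to_python(masquerade, bool)
    log.debug1("%s.setMasquerade('%s')", self._log_prefix, masquerade)
    self.parent.accessCheck(sender)
    settings = list(self.getSettings())
    settings[8] = masquerade
    self.update(settings)

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE)
@dbus_handle_exceptions
def addMasquerade(self, sender=None):
    """Enable masquerading; raises ALREADY_ENABLED if already on."""
    log.debug1("%s.addMasquerade()", self._log_prefix)
    self.parent.accessCheck(sender)
    settings = list(self.getSettings())
    if settings[8]:
        raise FirewallError(errors.ALREADY_ENABLED, "masquerade")
    settings[8] = True
    self.update(settings)

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE)
@dbus_handle_exceptions
def removeMasquerade(self, sender=None):
    """Disable masquerading; raises NOT_ENABLED if already off."""
    log.debug1("%s.removeMasquerade()", self._log_prefix)
    self.parent.accessCheck(sender)
    settings = list(self.getSettings())
    if not settings[8]:
        raise FirewallError(errors.NOT_ENABLED, "masquerade")
    settings[8] = False
    self.update(settings)

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     out_signature='b')
@dbus_handle_exceptions
def queryMasquerade(self, sender=None): # pylint: disable=W0613
    """Return the zone's masquerade flag."""
    log.debug1("%s.queryMasquerade()", self._log_prefix)
    return self.getSettings()[8]

# forward port

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     out_signature='a(ssss)')
@dbus_handle_exceptions
def getForwardPorts(self, sender=None): # pylint: disable=W0613
    """Return the zone's forward ports as (port, protocol, toport, toaddr)."""
    log.debug1("%s.getForwardPorts()", self._log_prefix)
    return self.getSettings()[9]

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     in_signature='a(ssss)')
@dbus_handle_exceptions
def setForwardPorts(self, ports, sender=None):
    """Replace the zone's forward ports with *ports*.

    D-Bus delivers each entry as a list; they are turned into tuples so
    they compare equal to the tuples addForwardPort() stores.
    """
    # convert embedded lists to tuples
    ports = [tuple(port) if isinstance(port, list) else port
             for port in dbus_to_python(ports, list)]
    # The per-entry log format had unbalanced quotes ("('%s, '%s', ...").
    log.debug1("%s.setForwardPorts('[%s]')", self._log_prefix,
               ",".join("('%s', '%s', '%s', '%s')" % (port[0], port[1],
                                                      port[2], port[3])
                        for port in ports))
    self.parent.accessCheck(sender)
    settings = list(self.getSettings())
    settings[9] = ports
    self.update(settings)

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     in_signature='ssss')
@dbus_handle_exceptions
def addForwardPort(self, port, protocol, toport, toaddr, sender=None):
    # pylint: disable=R0913
    """Add a forward-port entry; raises ALREADY_ENABLED if present."""
    port = dbus_to_python(port, str)
    protocol = dbus_to_python(protocol, str)
    toport = dbus_to_python(toport, str)
    toaddr = dbus_to_python(toaddr, str)
    log.debug1("%s.addForwardPort('%s', '%s', '%s', '%s')",
               self._log_prefix, port, protocol, toport, toaddr)
    self.parent.accessCheck(sender)
    fwp_id = (port, protocol, str(toport), str(toaddr))
    settings = list(self.getSettings())
    if fwp_id in settings[9]:
        raise FirewallError(errors.ALREADY_ENABLED,
                            "%s:%s:%s:%s" % (port, protocol, toport, toaddr))
    settings[9].append(fwp_id)
    self.update(settings)

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     in_signature='ssss')
@dbus_handle_exceptions
def removeForwardPort(self, port, protocol, toport, toaddr, sender=None):
    # pylint: disable=R0913
    """Remove a forward-port entry; raises NOT_ENABLED if absent."""
    port = dbus_to_python(port, str)
    protocol = dbus_to_python(protocol, str)
    toport = dbus_to_python(toport, str)
    toaddr = dbus_to_python(toaddr, str)
    log.debug1("%s.removeForwardPort('%s', '%s', '%s', '%s')",
               self._log_prefix, port, protocol, toport, toaddr)
    self.parent.accessCheck(sender)
    fwp_id = (port, protocol, str(toport), str(toaddr))
    settings = list(self.getSettings())
    if fwp_id not in settings[9]:
        raise FirewallError(errors.NOT_ENABLED,
                            "%s:%s:%s:%s" % (port, protocol, toport, toaddr))
    settings[9].remove(fwp_id)
    self.update(settings)

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     in_signature='ssss', out_signature='b')
@dbus_handle_exceptions
def queryForwardPort(self, port, protocol, toport, toaddr, sender=None):
    # pylint: disable=W0613, R0913
    """Return True if the exact forward-port entry is configured."""
    port = dbus_to_python(port, str)
    protocol = dbus_to_python(protocol, str)
    toport = dbus_to_python(toport, str)
    toaddr = dbus_to_python(toaddr, str)
    log.debug1("%s.queryForwardPort('%s', '%s', '%s', '%s')",
               self._log_prefix, port, protocol, toport, toaddr)
    fwp_id = (port, protocol, str(toport), str(toaddr))
    return fwp_id in self.getSettings()[9]

# interface

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     out_signature='as')
@dbus_handle_exceptions
def getInterfaces(self, sender=None): # pylint: disable=W0613
    """Return the interfaces bound to the zone."""
    log.debug1("%s.getInterfaces()", self._log_prefix)
    return self.getSettings()[10]

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     in_signature='as')
@dbus_handle_exceptions
def setInterfaces(self, interfaces, sender=None):
    """Replace the zone's interface list with *interfaces*."""
    interfaces = dbus_to_python(interfaces, list)
    log.debug1("%s.setInterfaces('[%s]')", self._log_prefix,
               ",".join(interfaces))
    self.parent.accessCheck(sender)
    settings = list(self.getSettings())
    settings[10] = interfaces
    self.update(settings)

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     in_signature='s')
@dbus_handle_exceptions
def addInterface(self, interface, sender=None):
    """Bind *interface* to the zone; raises ALREADY_ENABLED if bound.

    After the zone file is updated the binding is also handed to
    ifcfg_set_zone_of_interface(); presumably this records the zone in
    the interface's ifcfg configuration - see that helper.
    """
    interface = dbus_to_python(interface, str)
    log.debug1("%s.addInterface('%s')", self._log_prefix, interface)
    self.parent.accessCheck(sender)
    settings = list(self.getSettings())
    if interface in settings[10]:
        raise FirewallError(errors.ALREADY_ENABLED, interface)
    settings[10].append(interface)
    self.update(settings)
    ifcfg_set_zone_of_interface(self.obj.name, interface)

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     in_signature='s')
@dbus_handle_exceptions
def removeInterface(self, interface, sender=None):
    """Unbind *interface* from the zone; raises NOT_ENABLED if not bound.

    The ifcfg-side binding is cleared by passing an empty zone name to
    ifcfg_set_zone_of_interface().
    """
    interface = dbus_to_python(interface, str)
    log.debug1("%s.removeInterface('%s')", self._log_prefix, interface)
    self.parent.accessCheck(sender)
    settings = list(self.getSettings())
    if interface not in settings[10]:
        raise FirewallError(errors.NOT_ENABLED, interface)
    settings[10].remove(interface)
    self.update(settings)
    ifcfg_set_zone_of_interface("", interface)

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     in_signature='s', out_signature='b')
@dbus_handle_exceptions
def queryInterface(self, interface, sender=None): # pylint: disable=W0613
    """Return True if *interface* is bound to the zone."""
    interface = dbus_to_python(interface, str)
    log.debug1("%s.queryInterface('%s')", self._log_prefix, interface)
    return interface in self.getSettings()[10]

# source

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     out_signature='as')
@dbus_handle_exceptions
def getSources(self, sender=None): # pylint: disable=W0613
    """Return the sources bound to the zone."""
    log.debug1("%s.getSources()", self._log_prefix)
    return self.getSettings()[11]

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     in_signature='as')
@dbus_handle_exceptions
def setSources(self, sources, sender=None):
    """Replace the zone's source list with *sources*."""
    sources = dbus_to_python(sources, list)
    log.debug1("%s.setSources('[%s]')", self._log_prefix,
               ",".join(sources))
    self.parent.accessCheck(sender)
    settings = list(self.getSettings())
    settings[11] = sources
    self.update(settings)

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     in_signature='s')
@dbus_handle_exceptions
def addSource(self, source, sender=None):
    """Bind *source* to the zone; raises ALREADY_ENABLED if bound."""
    source = dbus_to_python(source, str)
    log.debug1("%s.addSource('%s')", self._log_prefix, source)
    self.parent.accessCheck(sender)
    settings = list(self.getSettings())
    if source in settings[11]:
        raise FirewallError(errors.ALREADY_ENABLED, source)
    settings[11].append(source)
    self.update(settings)

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     in_signature='s')
@dbus_handle_exceptions
def removeSource(self, source, sender=None):
    """Unbind *source* from the zone; raises NOT_ENABLED if not bound."""
    source = dbus_to_python(source, str)
    log.debug1("%s.removeSource('%s')", self._log_prefix, source)
    self.parent.accessCheck(sender)
    settings = list(self.getSettings())
    if source not in settings[11]:
        raise FirewallError(errors.NOT_ENABLED, source)
    settings[11].remove(source)
    self.update(settings)

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     in_signature='s', out_signature='b')
@dbus_handle_exceptions
def querySource(self, source, sender=None): # pylint: disable=W0613
    """Return True if *source* is bound to the zone."""
    source = dbus_to_python(source, str)
    log.debug1("%s.querySource('%s')", self._log_prefix, source)
    return source in self.getSettings()[11]

# rich rule

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     out_signature='as')
@dbus_handle_exceptions
def getRichRules(self, sender=None): # pylint: disable=W0613
    """Return the zone's rich rules as strings."""
    log.debug1("%s.getRichRules()", self._log_prefix)
    return self.getSettings()[12]

@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                     in_signature='as')
@dbus_handle_exceptions
def setRichRules(self, rules, sender=None):
    """Replace the zone's rich rules with *rules* (normalised via Rich_Rule)."""
    rules = dbus_to_python(rules, list)
    log.debug1("%s.setRichRules('[%s]')",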
self._log_prefix, ",".join(rules)) self.parent.accessCheck(sender) settings = list(self.getSettings()) rules = [ str(Rich_Rule(rule_str=r)) for r in rules ] settings[12] = rules self.update(settings) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE, in_signature='s') @dbus_handle_exceptions def addRichRule(self, rule, sender=None): rule = dbus_to_python(rule, str) log.debug1("%s.addRichRule('%s')", self._log_prefix, rule) self.parent.accessCheck(sender) settings = list(self.getSettings()) rule_str = str(Rich_Rule(rule_str=rule)) if rule_str in settings[12]: raise FirewallError(errors.ALREADY_ENABLED, rule) settings[12].append(rule_str) self.update(settings) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE, in_signature='s') @dbus_handle_exceptions def removeRichRule(self, rule, sender=None): rule = dbus_to_python(rule, str) log.debug1("%s.removeRichRule('%s')", self._log_prefix, rule) self.parent.accessCheck(sender) settings = list(self.getSettings()) rule_str = str(Rich_Rule(rule_str=rule)) if rule_str not in settings[12]: raise FirewallError(errors.NOT_ENABLED, rule) settings[12].remove(rule_str) self.update(settings) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ZONE, in_signature='s', out_signature='b') @dbus_handle_exceptions def queryRichRule(self, rule, sender=None): # pylint: disable=W0613 rule = dbus_to_python(rule, str) log.debug1("%s.queryRichRule('%s')", self._log_prefix, rule) rule_str = str(Rich_Rule(rule_str=rule)) return rule_str in self.getSettings()[12] server/firewalld.pyo000064400000252442147576556050010611 0ustar00 c`c@sdgZddlmZmZddlZeejdejjjejj-eejj*d dd d edd5Z?ejjjejj-eejj*d dd d'edd6Z@ejjejj*dded7ZAejjejj*dded8ZBejjjejj)eejj*d dd dedd9ZCejjjejj)eejj*d dd dedd:ZDejjjejj-eejj*d dd d edd;ZEejjjejj-eejj*d dd d'edd<ZFejjejj*dded=ZGejjejj*dded>ZHejjjejjeejj#d dd dedd?ZIejjjejjeejj#d dd dedd@ZJejjjejj eejj#d dd d eddAZKejjejj#ddedBZLejjejj#ddedCZMejjjejjNeejj#d dd eOjPeddDZQejjjejj eejj#d dd d'eddEZRejjjejjNeejj#d dd 
eSjPeddFZTejjjejj eejj#d dd d'eddGZUejjjejjNeejj#d dd eVjPeddHZWejjjejjNeejj#d dd deddIZXejjjejjeejj#d dd deddJZYejjejj#ddedKZZejjjejjNeejj#d dd deddLZ[ejjjejjeejj#d dd deddMZ\ejjejj#ddedNZ]ejjjejj eejj#d dd deddOZ^ejjjejjeejj#d dd deddPZ_ejjejj#ddedQZ`ejjjejj eejjad dd d'eddRZbejjjejj eejjad dd dSeddTZcejjjejj eejjad dd deddUZdejjjejj eejjad dd deddVZeejjjejjNeejjad dd d eddWZfejjjejjeejjad d d deddXZgejjjejjeejjad d d deddYZhejjjejjeejjad d d deddZZiejjjejjeejjad d d dedd[ZjejjjejjNeejjad d d d edd\ZkejjjejjNeejjad dd d'edd]Zlejjejjadd ed^Zmejjejjadd ed_Znejjejjadd ed`Zoejjejjadd edaZpejjjejjeejjad d d deddbZqejjjejjeejjad d d deddcZrejjjejjeejjad d d dedddZsejjjejjNeejjad d d d eddeZtejjjejjNeejjad dd d'eddfZuejjejjadd edgZvejjejjadd edhZwejjejjadd ediZxedjZyejjjejjeejjad dkd deddlZzejjjejjeejjad d d deddmZ{ejjjejjNeejjad d d d eddnZ|ejjjejjNeejjad dd d'eddoZ}ejjejjaddkedpZ~ejjejjadd edqZedrZejjjejjeejjad dkd deddsZejjjejjeejjad d d deddtZejjjejjNeejjad d d d edduZejjjejjNeejjad dd d'eddvZejjejjaddkedwZejjejjadd edxZedyZejjjejjeejjad dzd dedd{Zejjjejjeejjad d|d dedd}ZejjjejjNeejjad d|d d edd~ZejjjejjNeejjad dd deddZejjejjaddzeddZejjejjadd|edZedZejjjejjeejjad dkd deddZejjjejjeejjad d d deddZejjjejjNeejjad d d d eddZejjjejjNeejjad dd d'eddZejjejjaddkeddZejjejjadd edZedZejjjejjeejjad dzd deddZejjjejjeejjad d|d deddZejjjejjNeejjad d|d d eddZejjjejjNeejjad dd deddZejjejjaddzeddZejjejjadd|edZedZejjjejjeejjad dd deddZejjjejjeejjad dd deddZejjjejjNeejjad dd d eddZejjejjaddeddZejjejjaddedZedZejjjejjeejjad dd deddZejjjejjeejjad dd deddZejjjejjNeejjad dd d eddZejjjejjNeejjad dd deddZejjejjaddeddZejjejjaddedZedZejjjejjeejjad dkd deddZejjjejjeejjad d d deddZejjjejjNeejjad d d d eddZejjjejjNeejjad dd d'eddZejjejjaddkeddZejjejjadd edZejjjejjeejjad dd deddZejjjejjeejjad dd deddZejjjejjNeejjad dd d eddZejjejjaddedZejjejjaddedZejjjejjeejjd d|d deddZejjjejjeejjd d|d deddZejjjejjeejjd d|d d eddZejjjejjeejjd d d d'eddZejjjejjeejjd dd deddZejjejjdd|edZejjejjdd|edZejjjejjeejjd dd 
deddZejjjejjeejjd dd deddZejjjejjeejjd d|d deddZejjjejjeejjd dd d eddZejjjejjeejjd d|d deddZejjjejjeejjd dd deddZejjejjddedZejjejjddedZejjjejjeejjd dd deddZejjjejjeejjd dd deddZejjjejjeejjd dd deddZejjjejjeejjd dd d eddZejjjejjeejjd dd deddZejjjejjeejjd dd deddZejjjejjeejjd dd deddZejjejjddedZejjejjddedZejjjejjeejj#d dd deddZejjjejj eejjd dd d eddZejjjejj eejjd dd d'eddZejjjejjNeejjd dd ejPeddZejjjejjeejjd d d deddZejjjejjeejjd d d deddZejjjejj eejjd d d d eddZejjjejj eejjd dd d'eddZejjjejjeejjd deddZejjejjdd edZejjejjdd edZejjjejj eejj#d dd d'eddZejjjejjNeejj#d dd ejPeddZRS(sFirewallD main classcOstt|j||t|_|d|_|d|_|jt|t j j t |jj |jt j j |_ dS(Nii(tsuperRt__init__RtfwtbusnametpathtstartRRtdbustDBUS_INTERFACER tDBUS_PATH_CONFIG(tselftargstkwargs((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR"Js    cCs|jdS(N(tstop(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt__del__UscCs#tjdi|_|jjS(Nsstart()(Rtdebug1t _timeoutsR#R&(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR&Xs  cCstjd|jjS(Nsstop()(RR/R#R-(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR-`s cCs|jjjr|dkr/tjddStj}t||}|jjj d|rfdSt ||}|jjj d|rdSt |}|jjj d|rdSt ||}|jjj d|rdSt tjdndS(Ns&Lockdown not possible, sender not set.tcontexttuidtusertcommandslockdown is enabled(R#tpoliciestquery_lockdowntNoneRterrorR't SystemBusRt access_checkRRRR Rt ACCESS_DENIED(R*tsendertbusR1R2R3R4((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt accessCheckis$    cCs4||jkri|j|RR'R(RfRgRoRpRqRr(R*RsRtt new_valueR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytSets:             Rvssa{sv}ascCsAt|t}t|}t|}tjd|||dS(Ns#PropertiesChanged('%s', '%s', '%s')(RRnRR/(R*Rstchanged_propertiestinvalidated_properties((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytPropertiesChangeds    cCsJtjdtt|j|j|jj}t||t j j S(Ns Introspect()( Rtdebug2R!Rt 
IntrospectR%R$tget_busRRR'R((R*R<tdata((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR's   tcCs5tjd|jj|jj|jdS(s#Reload the firewall rules. sreload()N(RR/R#treloadRtReloaded(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR5s   cCs8tjd|jjt|jj|jdS(sCompletely reload the firewall. Completely reload the firewall: Stops firewall, unloads modules and starts the firewall again. scompleteReload()N(RR/R#RtTrueRR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytcompleteReloadDs  cCstjddS(Ns Reloaded()(RR/(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRTscCstjdt|jdS(s&Check permanent configuration scheckPermanentConfig()N(RR/RR#(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytcheckPermanentConfigYs c Csotjdt}|jj}x|jjjD]}|j|}y||kr|jj |}|j |krtjd||j |qtjd|n$tjd||jj ||Wq5t k r }tjd||ft}q5Xq5W|jj}x|jjjD]}|j|}y||kr|jj|}|j |krtjd||j |qtjd|n$tjd||jj||Wq0t k r}tjd ||ft}q0Xq0W|jj}x|jjjD]}y|j|}||kr|jj|}|j |krtjd ||j |qtjd |n$tjd ||jj||Wq+t k r}tjd ||ft}q+Xq+W|jj}t}x |jjjD]}|j |}t!|} |dk rBt} x_| j#D]Q} |jjj$|| |krotjd|| f| j%| t} qoqoWxc| j#D]U} y;t&| } | rt'|| r| j%| t} nWqt k r%qXqW| rB~| j(}qBnx!| j#D]} t)|| qOWy||kr|jj*|}|j |krtjd||j |qtjd|n$tjd||jj+||Wq/t k r%}tjd||ft}q/Xq/W|jj,}x|jj-j.D]}|j/|}y||kr|jj0|}|j |krtjd||j |qtjd|n$tjd||jj1||WqLt k r }tjd||ft}qLXqLW|jj2j3|jj2j4|jj2j5f}yF|jj |krtjd|jj |n tjdWn*t k r}tjd|t}nX|jj6j7j8}yF|jj |krtjd|jj9|n tjdWn*t k rR}tjd|t}nX|rkt:t;j<ndS(s-Make runtime configuration permanent scopyRuntimeToPermanent()sCopying service '%s' settingss$Service '%s' is identical, ignoring.sCreating service '%s's/Runtime To Permanent failed on service '%s': %ssCopying icmptype '%s' settingss%IcmpType '%s' is identical, ignoring.sCreating icmptype '%s's0Runtime To Permanent failed on icmptype '%s': %ssCopying ipset '%s' settingss"IPSet '%s' is identical, ignoring.sCreating ipset '%s's-Runtime To Permanent failed on ipset '%s': %ssEZone '%s': interface binding for 
'%s' has been added by NM, ignoring.sCopying zone '%s' settingss!Zone '%s' is identical, ignoring.sCreating zone '%s's,Runtime To Permanent failed on zone '%s': %ssCopying helper '%s' settingss#Helper '%s' is identical, ignoring.sCreating helper '%s's.Runtime To Permanent failed on helper '%s': %ssCopying direct configurations,Direct configuration is identical, ignoring.s7Runtime To Permanent failed on direct configuration: %ssCopying policies configurations.Policies configuration is identical, ignoring.s9Runtime To Permanent failed on policies configuration: %sN(=RR/tFalseRtgetServiceNamesR#tservicet get_servicestgetServiceSettingstgetServiceByNamet getSettingstupdatet addServicet ExceptiontwarningRtgetIcmpTypeNamesticmptypet get_icmptypestgetIcmpTypeSettingstgetIcmpTypeByNamet addIcmpTypet getIPSetNamestipsett get_ipsetstgetIPSetSettingstgetIPSetByNametaddIPSett getZoneNamesRR?t get_zonestgetZoneSettingsRR7t getInterfacestinterface_get_sendertremoveInterfaceRRtsettingsRt getZoneByNametaddZonetgetHelperNamesthelpert get_helperstgetHelperSettingstgetHelperByNamet addHelpertdirecttget_all_chainst get_all_rulestget_all_passthroughsR5tlockdown_whitelistt export_configtsetLockdownWhitelistR RtRT_TO_PERM_FAILED( R*R<R8t config_namestnametconftconf_objtet nm_bus_nameRtchangedt interfacet connection((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytruntimeToPermanentes                     cCs8tjd|j||jjj|jdS(s!Enable lockdown policies spolicies.enableLockdown()N(RR/R>R#R5tenable_lockdowntLockdownEnabled(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytenableLockdown$s  cCs8tjd|j||jjj|jdS(s"Disable lockdown policies spolicies.disableLockdown()N(RR/R>R#R5tdisable_lockdowntLockdownDisabled(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableLockdown0s  tbcCstjd|jjjS(s+Retuns True if lockdown is enabled spolicies.queryLockdown()(RR/R#R5R6(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt 
queryLockdown<s cCstjddS(NsLockdownEnabled()(RR/(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRGscCstjddS(NsLockdownDisabled()(RR/(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRLscCsTt|t}tjd||j||jjjj||j |dS(sAdd lockdown command s*policies.addLockdownWhitelistCommand('%s')N( RRnRR/R>R#R5Rt add_commandtLockdownWhitelistCommandAdded(R*R4R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddLockdownWhitelistCommandUs  cCsTt|t}tjd||j||jjjj||j |dS(s Remove lockdown command s-policies.removeLockdownWhitelistCommand('%s')N( RRnRR/R>R#R5Rtremove_commandtLockdownWhitelistCommandRemoved(R*R4R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveLockdownWhitelistCommandbs  cCs6t|t}tjd||jjjj|S(sQuery lockdown command s,policies.queryLockdownWhitelistCommand('%s')(RRnRR/R#R5Rt has_command(R*R4R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryLockdownWhitelistCommandostascCs tjd|jjjjS(sAdd lockdown command s'policies.getLockdownWhitelistCommands()(RR/R#R5Rt get_commands(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetLockdownWhitelistCommands{s cCstjd|dS(Ns#LockdownWhitelistCommandAdded('%s')(RR/(R*R4((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|dS(Ns%LockdownWhitelistCommandRemoved('%s')(RR/(R*R4((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRsticCsTt|t}tjd||j||jjjj||j |dS(sAdd lockdown uid s&policies.addLockdownWhitelistUid('%s')N( RtintRR/R>R#R5Rtadd_uidtLockdownWhitelistUidAdded(R*R2R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddLockdownWhitelistUids  cCsTt|t}tjd||j||jjjj||j |dS(sRemove lockdown uid s)policies.removeLockdownWhitelistUid('%s')N( RRRR/R>R#R5Rt remove_uidtLockdownWhitelistUidRemoved(R*R2R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveLockdownWhitelistUids  cCs6t|t}tjd||jjjj|S(sQuery lockdown uid 
s(policies.queryLockdownWhitelistUid('%s')(RRRR/R#R5Rthas_uid(R*R2R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryLockdownWhitelistUidstaicCs tjd|jjjjS(sAdd lockdown uid s#policies.getLockdownWhitelistUids()(RR/R#R5Rtget_uids(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetLockdownWhitelistUidss cCstjd|dS(NsLockdownWhitelistUidAdded(%d)(RR/(R*R2((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|dS(NsLockdownWhitelistUidRemoved(%d)(RR/(R*R2((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCsTt|t}tjd||j||jjjj||j |dS(sAdd lockdown user s'policies.addLockdownWhitelistUser('%s')N( RRnRR/R>R#R5Rtadd_usertLockdownWhitelistUserAdded(R*R3R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddLockdownWhitelistUsers  cCsTt|t}tjd||j||jjjj||j |dS(sRemove lockdown user s*policies.removeLockdownWhitelistUser('%s')N( RRnRR/R>R#R5Rt remove_usertLockdownWhitelistUserRemoved(R*R3R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveLockdownWhitelistUsers  cCs6t|t}tjd||jjjj|S(sQuery lockdown user s)policies.queryLockdownWhitelistUser('%s')(RRnRR/R#R5Rthas_user(R*R3R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryLockdownWhitelistUserscCs tjd|jjjjS(sAdd lockdown user s$policies.getLockdownWhitelistUsers()(RR/R#R5Rt get_users(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetLockdownWhitelistUserss cCstjd|dS(Ns LockdownWhitelistUserAdded('%s')(RR/(R*R3((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|dS(Ns"LockdownWhitelistUserRemoved('%s')(RR/(R*R3((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCsTt|t}tjd||j||jjjj||j |dS(sAdd lockdown context s*policies.addLockdownWhitelistContext('%s')N( RRnRR/R>R#R5Rt add_contexttLockdownWhitelistContextAdded(R*R1R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddLockdownWhitelistContext s  cCsTt|t}tjd||j||jjjj||j 
|dS(s Remove lockdown context s-policies.removeLockdownWhitelistContext('%s')N( RRnRR/R>R#R5Rtremove_contexttLockdownWhitelistContextRemoved(R*R1R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveLockdownWhitelistContexts  cCs6t|t}tjd||jjjj|S(sQuery lockdown context s,policies.queryLockdownWhitelistContext('%s')(RRnRR/R#R5Rt has_context(R*R1R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryLockdownWhitelistContext&scCs tjd|jjjjS(sAdd lockdown context s'policies.getLockdownWhitelistContexts()(RR/R#R5Rt get_contexts(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetLockdownWhitelistContexts2s cCstjd|dS(Ns#LockdownWhitelistContextAdded('%s')(RR/(R*R1((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR=scCstjd|dS(Ns%LockdownWhitelistContextRemoved('%s')(RR/(R*R1((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRBscCs5tjd|j||jj|jdS(snEnable panic mode. All ingoing and outgoing connections and packets will be blocked. senablePanicMode()N(RR/R>R#tenable_panic_modetPanicModeEnabled(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytenablePanicModeKs   cCs5tjd|j||jj|jdS(sDisable panic mode. 
Enables normal mode: Allowed ingoing and outgoing connections will not be blocked anymore sdisablePanicMode()N(RR/R>R#tdisable_panic_modetPanicModeDisabled(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisablePanicModeYs   cCstjd|jjS(NsqueryPanicMode()(RR/R#tquery_panic_mode(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryPanicModehs cCstjddS(NsPanicModeEnabled()(RR/(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRqscCstjddS(NsPanicModeDisabled()(RR/(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRvscCs2t|t}tjd||jjj|S(NsgetZoneSettings(%s)(RRnRR/R#R?tget_config_with_settings(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|jjjS(NslistServices()(RR/R#RR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt listServicess cCs8t|t}tjd||jjj|jS(NsgetServiceSettings(%s)(RRnRR/R#Rt get_serviceR(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|jjjS(NslistIcmpTypes()(RR/R#RR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt listIcmpTypess cCs8t|t}tjd||jjj|jS(NsgetIcmpTypeSettings(%s)(RRnRR/R#Rt get_icmptypeR(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|jjS(NsgetLogDenied()(RR/R#tget_log_denied(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getLogDenieds cCsrt|t}tjd||j||jj||j||jj|j j|j dS(NssetLogDenied('%s')( RRnRR/R>R#tset_log_deniedtLogDeniedChangedRRR(R*tvalueR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt setLogDenieds    cCstjd|dS(NsLogDeniedChanged('%s')(RR/(R*R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|jjS(NsgetAutomaticHelpers()(RR/R#tget_automatic_helpers(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetAutomaticHelperss cCsrt|t}tjd||j||jj||j||jj|j j|j dS(NssetAutomaticHelpers('%s')( 
RRnRR/R>R#tset_automatic_helperstAutomaticHelpersChangedRRR(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytsetAutomaticHelperss    cCstjd|dS(NsAutomaticHelpersChanged('%s')(RR/(R*R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR scCstjd|jjS(NsgetDefaultZone()(RR/R#tget_default_zone(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetDefaultZones cCsNt|t}tjd||j||jj||j|dS(NssetDefaultZone('%s')(RRnRR/R>R#tset_default_zonetDefaultZoneChanged(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytsetDefaultZones  cCstjd|dS(NsDefaultZoneChanged('%s')(RR/(R*R?((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|jjjS(Nszone.getZones()(RR/R#R?R(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetZoness s a{sa{sas}}cCstjdi}x|jjjD]}|jjj|}|jjj|}t|t|dkr&i||R#R?t add_interfacetInterfaceAdded(R*R?RR<t_zone((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt addInterfaceds cCs1t|t}t|t}|j|||S(sChange a zone an interface is part of. If zone is empty, use default zone. This function is deprecated, use changeZoneOfInterface instead (RRntchangeZoneOfInterface(R*R?RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt changeZoneus cCsqt|t}t|t}tjd||f|j||jjj|||}|j|||S(s[Change a zone an interface is part of. If zone is empty, use default zone. s&zone.changeZoneOfInterface('%s', '%s')( RRnRR/R>R#R?tchange_zone_of_interfacetZoneOfInterfaceChanged(R*R?RR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR%s cCsnt|t}t|t}tjd||f|j||jjj||}|j|||S(skRemove interface from a zone. If zone is empty, remove from zone the interface belongs to. s zone.removeInterface('%s', '%s')( RRnRR/R>R#R?tremove_interfacetInterfaceRemoved(R*R?RR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs cCsKt|t}t|t}tjd||f|jjj||S(s^Return true if an interface is in a zone. If zone is empty, use default zone. 
szone.queryInterface('%s', '%s')(RRnRR/R#R?tquery_interface(R*R?RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryInterfacescCs3t|t}tjd||jjj|S(s]Return the list of interfaces of a zone. If zone is empty, use default zone. szone.getInterfaces('%s')(RRnRR/R#R?R(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs cCstjd||fdS(Nszone.InterfaceAdded('%s', '%s')(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR"scCstjd||fdS(s, This signal is deprecated. szone.ZoneChanged('%s', '%s')N(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt ZoneChangedscCs+tjd||f|j||dS(Ns'zone.ZoneOfInterfaceChanged('%s', '%s')(RR/R-(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR(s  cCstjd||fdS(Ns!zone.InterfaceRemoved('%s', '%s')(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR*scCsqt|t}t|t}tjd||f|j||jjj|||}|j|||S(sLAdd a source to a zone. If zone is empty, use default zone. szone.addSource('%s', '%s')( RRnRR/R>R#R?t add_sourcet SourceAdded(R*R?RR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt addSources cCsqt|t}t|t}tjd||f|j||jjj|||}|j|||S(sXChange a zone an source is part of. If zone is empty, use default zone. s#zone.changeZoneOfSource('%s', '%s')( RRnRR/R>R#R?tchange_zone_of_sourcetZoneOfSourceChanged(R*R?RR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytchangeZoneOfSources cCsnt|t}t|t}tjd||f|j||jjj||}|j|||S(seRemove source from a zone. If zone is empty, remove from zone the source belongs to. szone.removeSource('%s', '%s')( RRnRR/R>R#R?t remove_sourcet SourceRemoved(R*R?RR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt removeSources cCsKt|t}t|t}tjd||f|jjj||S(s[Return true if an source is in a zone. If zone is empty, use default zone. 
szone.querySource('%s', '%s')(RRnRR/R#R?t query_source(R*R?RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt querySourcescCs3t|t}tjd||jjj|S(sZReturn the list of sources of a zone. If zone is empty, use default zone. szone.getSources('%s')(RRnRR/R#R?R(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getSourcess cCstjd||fdS(Nszone.SourceAdded('%s', '%s')(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR/+scCstjd||fdS(Ns$zone.ZoneOfSourceChanged('%s', '%s')(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR20scCstjd||fdS(Nszone.SourceRemoved('%s', '%s')(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR55scCs^tjd||f|j||=td|}|jjj|||j||dS(Ns%zone.disableTimedRichRule('%s', '%s')trule_str(RR/R0RR#R?t remove_ruletRichRuleRemoved(R*R?truletobj((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableTimedRichRule>s tssicCst|t}t|t}t|t}tjd||ftd|}|jjj|||}|dkrt j ||j ||}|j |||n|j ||||S(Nszone.addRichRule('%s', '%s')R:i(RRnRRR/RR#R?tadd_ruleRttimeout_add_secondsR?RBt RichRuleAdded(R*R?R=ttimeoutR<R>R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt addRichRuleFs  cCst|t}t|t}tjd||ftd|}|jjj||}|j|||j |||S(Nszone.removeRichRule('%s', '%s')R:( RRnRR/RR#R?R;RDR<(R*R?R=R<R>R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveRichRuleZscCsZt|t}t|t}tjd||ftd|}|jjj||S(Nszone.queryRichRule('%s', '%s')R:(RRnRR/RR#R?t query_rule(R*R?R=R<R>((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryRichRulehs cCs3t|t}tjd||jjj|S(Nszone.getRichRules('%s')(RRnRR/R#R?t list_rules(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getRichRulessscCstjd|||fdS(Ns"zone.RichRuleAdded('%s', '%s', %d)(RR/(R*R?R=RD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRCscCstjd||fdS(Ns zone.RichRuleRemoved('%s', 
'%s')(RR/(R*R?R=((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR<scCsOtjd||f|j||=|jjj|||j||dS(Ns$zone.disableTimedService('%s', '%s')(RR/R0R#R?tremove_servicetServiceRemoved(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableTimedServicescCst|t}t|t}t|t}tjd|||f|j||jjj||||}|dkrt j ||j ||}|j |||n|j ||||S(Nszone.addService('%s', '%s', %d)i(RRnRRR/R>R#R?t add_serviceRRBRMRBt ServiceAdded(R*R?RRDR<R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs   cCs~t|t}t|t}tjd||f|j||jjj||}|j|||j |||S(Nszone.removeService('%s', '%s')( RRnRR/R>R#R?RKRDRL(R*R?RR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt removeServices cCsKt|t}t|t}tjd||f|jjj||S(Nszone.queryService('%s', '%s')(RRnRR/R#R?t query_service(R*R?RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryServicescCs3t|t}tjd||jjj|S(Nszone.getServices('%s')(RRnRR/R#R?t list_services(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getServicesscCstjd|||fdS(Ns!zone.ServiceAdded('%s', '%s', %d)(RR/(R*R?RRD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyROs cCstjd||fdS(Nszone.ServiceRemoved('%s', '%s')(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRLscCs^tjd|||f|j|||f=|jjj||||j|||dS(Ns'zone.disableTimedPort('%s', '%s', '%s')(RR/R0R#R?t remove_portt PortRemoved(R*R?tporttprotocol((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableTimedPorts  tsssicCst|t}t|t}t|t}t|t}tjd|||f|j||jjj|||||}|dkrt j ||j |||}|j |||f|n|j |||||S(Nszone.addPort('%s', '%s', '%s')i(RRnRRR/R>R#R?tadd_portRRBRYRBt PortAdded(R*R?RWRXRDR<R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddPorts  ! 
tssscCst|t}t|t}t|t}tjd|||f|j||jjj|||}|j|||f|j ||||S(Ns!zone.removePort('%s', '%s', '%s')( RRnRR/R>R#R?RURDRV(R*R?RWRXR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt removePorts  cCs`t|t}t|t}t|t}tjd|||f|jjj|||S(Ns zone.queryPort('%s', '%s', '%s')(RRnRR/R#R?t query_port(R*R?RWRXR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryPorts taascCs3t|t}tjd||jjj|S(Nszone.getPorts('%s')(RRnRR/R#R?t list_ports(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetPortssicCs!tjd||||fdS(Ns$zone.PortAdded('%s', '%s', '%s', %d)(RR/(R*R?RWRXRD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR\*s cCstjd|||fdS(Ns"zone.PortRemoved('%s', '%s', '%s')(RR/(R*R?RWRX((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRV0s cCsOtjd||f|j||=|jjj|||j||dS(Ns%zone.disableTimedProtocol('%s', '%s')(RR/R0R#R?tremove_protocoltProtocolRemoved(R*R?RX((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableTimedProtocol:scCst|t}t|t}t|t}tjd||f|j||jjj||||}|dkrt j ||j ||}|j |||n|j ||||S(Nszone.enableProtocol('%s', '%s')i(RRnRRR/R>R#R?t add_protocolRRBRgRBt ProtocolAdded(R*R?RXRDR<R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt addProtocolAs   cCs~t|t}t|t}tjd||f|j||jjj||}|j|||j |||S(Nszone.removeProtocol('%s', '%s')( RRnRR/R>R#R?ReRDRf(R*R?RXR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveProtocolVs cCsKt|t}t|t}tjd||f|jjj||S(Nszone.queryProtocol('%s', '%s')(RRnRR/R#R?tquery_protocol(R*R?RXR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryProtocolfscCs3t|t}tjd||jjj|S(Nszone.getProtocols('%s')(RRnRR/R#R?tlist_protocols(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getProtocolsqscCstjd|||fdS(Ns"zone.ProtocolAdded('%s', '%s', %d)(RR/(R*R?RXRD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRi}s cCstjd||fdS(Ns zone.ProtocolRemoved('%s', 
'%s')(RR/(R*R?RX((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRfscCsatjd|||f|j|d||f=|jjj||||j|||dS(Ns-zone.disableTimedSourcePort('%s', '%s', '%s')tsport(RR/R0R#R?tremove_source_porttSourcePortRemoved(R*R?RWRX((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableTimedSourcePorts  cCst|t}t|t}t|t}t|t}tjd|||f|j||jjj|||||}|dkrt j ||j |||}|j |d||f|n|j |||||S(Ns$zone.addSourcePort('%s', '%s', '%s')iRp(RRnRRR/R>R#R?tadd_source_portRRBRsRBtSourcePortAdded(R*R?RWRXRDR<R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt addSourcePorts    cCst|t}t|t}t|t}tjd|||f|j||jjj|||}|j|d||f|j ||||S(Ns'zone.removeSourcePort('%s', '%s', '%s')Rp( RRnRR/R>R#R?RqRDRr(R*R?RWRXR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveSourcePorts  cCs`t|t}t|t}t|t}tjd|||f|jjj|||S(Ns&zone.querySourcePort('%s', '%s', '%s')(RRnRR/R#R?tquery_source_port(R*R?RWRXR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytquerySourcePorts  cCs3t|t}tjd||jjj|S(Nszone.getSourcePorts('%s')(RRnRR/R#R?tlist_source_ports(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetSourcePortsscCs!tjd||||fdS(Ns*zone.SourcePortAdded('%s', '%s', '%s', %d)(RR/(R*R?RWRXRD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRus cCstjd|||fdS(Ns(zone.SourcePortRemoved('%s', '%s', '%s')(RR/(R*R?RWRX((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRrscCs2|j|d=|jjj||j|dS(Nt masquerade(R0R#R?tremove_masqueradetMasqueradeRemoved(R*R?((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableTimedMasqueradestsicCst|t}t|t}tjd||j||jjj|||}|dkrt j ||j |}|j |d|n|j |||S(Nszone.addMasquerade('%s')iR|(RRnRRR/R>R#R?tadd_masqueradeRRBRRBtMasqueradeAdded(R*R?RDR<R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt addMasquerades   cCsct|t}tjd||j||jjj|}|j|d|j ||S(Nszone.removeMasquerade('%s')R|( 
RRnRR/R>R#R?R}RDR~(R*R?R<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveMasquerades  cCs3t|t}tjd||jjj|S(Nszone.queryMasquerade('%s')(RRnRR/R#R?tquery_masquerade(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryMasqueradescCstjd||fdS(Nszone.MasqueradeAdded('%s', %d)(RR/(R*R?RD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|dS(Nszone.MasqueradeRemoved('%s')(RR/(R*R?((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR~scCsV|j|||||f=|jjj||||||j|||||dS(N(R0R#R?tremove_forward_porttForwardPortRemoved(R*R?RWRXttoportttoaddr((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisable_forward_port(stsssssic Cs t|t}t|t}t|t}t|t}t|t}t|t}tjd|||||f|j||jjj|||||||}|dkrt j ||j |||||} |j |||||f| n|j |||||||S(Ns1zone.addForwardPort('%s', '%s', '%s', '%s', '%s')i(RRnRRR/R>R#R?tadd_forward_portRRBRRBtForwardPortAdded( R*R?RWRXRRRDR<R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddForwardPort.s&      "tssssscCst|t}t|t}t|t}t|t}t|t}tjd|||||f|j||jjj|||||}|j|||||f|j ||||||S(Ns4zone.removeForwardPort('%s', '%s', '%s', '%s', '%s')( RRnRR/R>R#R?RRDR(R*R?RWRXRRR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveForwardPortKs   cCst|t}t|t}t|t}t|t}t|t}tjd|||||f|jjj|||||S(Ns3zone.queryForwardPort('%s', '%s', '%s', '%s', '%s')(RRnRR/R#R?tquery_forward_port(R*R?RWRXRRR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryForwardPortas cCs3t|t}tjd||jjj|S(Nszone.getForwardPorts('%s')(RRnRR/R#R?tlist_forward_ports(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetForwardPortsrscCs'tjd||||||fdS(Ns7zone.ForwardPortAdded('%s', '%s', '%s', '%s', '%s', %d)(RR/(R*R?RWRXRRRD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR~s cCs$tjd|||||fdS(Ns5zone.ForwardPortRemoved('%s', '%s', '%s', '%s', '%s')(RR/(R*R?RWRXRR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs 
cCsOtjd||f|j||=|jjj|||j||dS(Ns&zone.disableTimedIcmpBlock('%s', '%s')(RR/R0R#R?tremove_icmp_blocktIcmpBlockRemoved(R*R?ticmpR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableTimedIcmpBlockscCst|t}t|t}t|t}tjd||f|j||jjj||||}|dkrt j ||j |||}|j |||n|j ||||S(Ns zone.enableIcmpBlock('%s', '%s')i(RRnRRR/R>R#R?tadd_icmp_blockRRBRRBtIcmpBlockAdded(R*R?RRDR<R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt addIcmpBlocks  cCs~t|t}t|t}tjd||f|j||jjj||}|j|||j |||S(Ns zone.removeIcmpBlock('%s', '%s')( RRnRR/R>R#R?RRDR(R*R?RR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveIcmpBlocks cCsKt|t}t|t}tjd||f|jjj||S(Nszone.queryIcmpBlock('%s', '%s')(RRnRR/R#R?tquery_icmp_block(R*R?RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryIcmpBlockscCs3t|t}tjd||jjj|S(Nszone.getIcmpBlocks('%s')(RRnRR/R#R?tlist_icmp_blocks(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getIcmpBlocksscCstjd|||fdS(Ns#zone.IcmpBlockAdded('%s', '%s', %d)(RR/(R*R?RRD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs cCstjd||fdS(Ns!zone.IcmpBlockRemoved('%s', '%s')(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCsVt|t}tjd||j||jjj||}|j||S(Ns zone.addIcmpBlockInversion('%s')( RRnRR/R>R#R?tadd_icmp_block_inversiontIcmpBlockInversionAdded(R*R?R<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddIcmpBlockInversions   cCsSt|t}tjd||j||jjj|}|j||S(Ns#zone.removeIcmpBlockInversion('%s')( RRnRR/R>R#R?tremove_icmp_block_inversiontIcmpBlockInversionRemoved(R*R?R<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveIcmpBlockInversions   
cCs3t|t}tjd||jjj|S(Ns"zone.queryIcmpBlockInversion('%s')(RRnRR/R#R?tquery_icmp_block_inversion(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryIcmpBlockInversionscCstjd|dS(Ns"zone.IcmpBlockInversionAdded('%s')(RR/(R*R?((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|dS(Ns$zone.IcmpBlockInversionRemoved('%s')(RR/(R*R?((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR scCst|t}t|t}t|t}tjd|||f|j||jjj||||j|||dS(Ns!direct.addChain('%s', '%s', '%s')( RRnRR/R>R#Rt add_chaint ChainAdded(R*tipvttabletchainR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddChains cCst|t}t|t}t|t}tjd|||f|j||jjj||||j|||dS(Ns$direct.removeChain('%s', '%s', '%s')( RRnRR/R>R#Rt remove_chaint ChainRemoved(R*RRRR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt removeChain%s cCs`t|t}t|t}t|t}tjd|||f|jjj|||S(Ns#direct.queryChain('%s', '%s', '%s')(RRnRR/R#Rt query_chain(R*RRRR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryChain3s cCsKt|t}t|t}tjd||f|jjj||S(Nsdirect.getChains('%s', '%s')(RRnRR/R#Rt get_chains(R*RRR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getChains?ssa(sss)cCstjd|jjjS(Nsdirect.getAllChains()(RR/R#RR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getAllChainsJs cCstjd|||fdS(Ns#direct.ChainAdded('%s', '%s', '%s')(RR/(R*RRR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRSscCstjd|||fdS(Ns%direct.ChainRemoved('%s', '%s', '%s')(RR/(R*RRR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRXstsssiascCst|t}t|t}t|t}t|t}td|D}tjd||||dj|f|j||jj j ||||||j |||||dS(Ncss|]}t|tVqdS(N(RRn(t.0R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pys lss*direct.addRule('%s', '%s', '%s', %d, '%s')s','( RRnRttupleRR/tjoinR>R#RRAt RuleAdded(R*RRRtpriorityR+R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddRulebs   cCst|t}t|t}t|t}t|t}td|D}tjd||||dj|f|j||jj j ||||||j 
|||||dS(Ncss|]}t|tVqdS(N(RRn(RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pys }ss-direct.removeRule('%s', '%s', '%s', %d, '%s')s','( RRnRRRR/RR>R#RR;t RuleRemoved(R*RRRRR+R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt removeRuless   cCst|t}t|t}t|t}tjd|||f|j|xa|jjj|||D]D\}}|jjj||||||j |||||qpWdS(Ns$direct.removeRules('%s', '%s', '%s')( RRnRR/R>R#Rt get_rulesR;R(R*RRRR<RR+((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt removeRuless (cCst|t}t|t}t|t}t|t}td|D}tjd||||dj|f|jjj |||||S(Ncss|]}t|tVqdS(N(RRn(RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pys ss,direct.queryRule('%s', '%s', '%s', %d, '%s')s','( RRnRRRR/RR#RRG(R*RRRRR+R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryRules  sa(ias)cCs`t|t}t|t}t|t}tjd|||f|jjj|||S(Ns!direct.getRules('%s', '%s', '%s')(RRnRR/R#RR(R*RRRR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetRuless s a(sssias)cCstjd|jjjS(Nsdirect.getAllRules()(RR/R#RR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getAllRuless cCs-tjd||||dj|fdS(Ns,direct.RuleAdded('%s', '%s', '%s', %d, '%s')s','(RR/R(R*RRRRR+((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs cCs-tjd||||dj|fdS(Ns.direct.RuleRemoved('%s', '%s', '%s', %d, '%s')s','(RR/R(R*RRRRR+((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs RTcCst|t}td|D}tjd|dj|f|j|y|jjj ||SWnt k r}|d krt dddd g}nt dd g}t|}|j t jkrtt ||@d krtj|nt|nnXdS( Ncss|]}t|tVqdS(N(RRn(RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pys ssdirect.passthrough('%s', '%s')s','tipv4tipv6s-Cs--checks-Ls--listi(RR(RRnRRR/RR>R#Rt passthroughR tsettcodeRtCOMMAND_FAILEDRRR (R*RR+R<R8t query_argstmsg((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs"     cCsyt|}td|D}tjd|dj|f|j||jjj|||j ||dS(Ncss|]}t|VqdS(N(R(RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pys ss!direct.addPassthrough('%s', '%s')s','( 
RRRR/RR>R#Rtadd_passthroughtPassthroughAdded(R*RR+R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddPassthroughs   cCsyt|}td|D}tjd|dj|f|j||jjj|||j ||dS(Ncss|]}t|VqdS(N(R(RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pys ss$direct.removePassthrough('%s', '%s')s','( RRRR/RR>R#Rtremove_passthroughtPassthroughRemoved(R*RR+R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremovePassthroughs   cCsXt|}td|D}tjd|dj|f|jjj||S(Ncss|]}t|VqdS(N(R(RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pys  ss#direct.queryPassthrough('%s', '%s')s','(RRRR/RR#Rtquery_passthrough(R*RR+R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryPassthroughs   sa(sas)cCstjd|jjjS(Nsdirect.getAllPassthroughs()(RR/R#RR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetAllPassthroughs s cCs;tjdx't|jD]}|j|q WdS(Nsdirect.removeAllPassthroughs()(RR/treversedRR(R*R<R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveAllPassthroughs s cCs/t|}tjd||jjj|S(Nsdirect.getPassthroughs('%s')(RRR/R#Rtget_passthroughs(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetPassthroughs s cCs$tjd|dj|fdS(Ns#direct.PassthroughAdded('%s', '%s')s','(RR/R(R*RR+((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR( s cCs$tjd|dj|fdS(Ns%direct.PassthroughRemoved('%s', '%s')s','(RR/R(R*RR+((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR. s cCsdS(s PK_ACTION_ALL implies all other actions, i.e. once a subject is authorized for PK_ACTION_ALL it's also authorized for any other action. Use-case is GUI (RHBZ#994729). 
N((R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt authorizeAll6 s cCs0t|}tjd||jjj|S(Nsipset.queryIPSet('%s')(RRR/R#Rt query_ipset(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryIPSetE s cCstjd|jjjS(Nsipsets.getIPSets()(RR/R#RR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getIPSetsO s cCs8t|t}tjd||jjj|jS(NsgetIPSetSettings(%s)(RRnRR/R#Rt get_ipsetR(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRX scCsft|}t|}tjd||f|j||jjj|||j||dS(Nsipset.addEntry('%s', '%s')(RRR/R>R#Rt add_entryt EntryAdded(R*RtentryR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddEntryd s    cCsft|}t|}tjd||f|j||jjj|||j||dS(Nsipset.removeEntry('%s', '%s')(RRR/R>R#Rt remove_entryt EntryRemoved(R*RRR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt removeEntryq s    cCsEt|}t|}tjd||f|jjj||S(Nsipset.queryEntry('%s', '%s')(RRR/R#Rt query_entry(R*RRR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryEntry~ s  cCs0t|}tjd||jjj|S(Nsipset.getEntries('%s')(RRR/R#Rt get_entries(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getEntries s cCst|}t|t}tjd|dj||jjj|}|jjj||t |}t |}x"||D]}|j ||qWx"||D]}|j ||qWdS(Nsipset.setEntries('%s', '[%s]')t,( RtlistRR/RR#RRt set_entriesRRR(R*RtentriesR<t old_entriestold_entries_sett entries_setR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt setEntries s   cCs3t|}t|}tjd||fdS(Nsipset.EntryAdded('%s', '%s')(RRR/(R*RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR s  cCs3t|}t|}tjd||fdS(Nsipset.EntryRemoved('%s', '%s')(RRR/(R*RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR s  cCstjd|jjjS(Nshelpers.getHelpers()(RR/R#RR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getHelpers s cCs8t|t}tjd||jjj|jS(NsgetHelperSettings(%s)(RRnRR/R#Rt get_helperR(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR 
sN(t__name__t __module__t__doc__Rt persistentRR'tPK_ACTION_CONFIGtdefault_polkit_auth_requiredR R"R.R&R-R R>RBRDRFRiR tPROPERTIES_IFACER7RuRytsliptpolkitt require_authR|RtsignalRtPK_ACTION_INFOtINTROSPECTABLE_IFACERR(RRRRRtPK_ACTION_POLICIESRqRRtPK_ACTION_POLICIES_INFORRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRtPK_ACTION_CONFIG_INFORtDBUS_SIGNATURERRRRRRRRRRR R R RRRRoRRRRR R$R&R%RR,RR"R-R(R*R0R3R6R8R9R/R2R5R?RERFRHRJRCR<RMRRPRRRTRORLRYR]R_RaRdR\RVRgRjRkRmRoRiRfRsRvRwRyR{RuRrRRRRRR~RRRRRRRRRRRRRRRRRRRtPK_ACTION_DIRECTRpRRtPK_ACTION_DIRECT_INFORRRRRRRRRRRRRRRRRRRRRRt PK_ACTION_ALLRRrRRRRRRRRRRRRRR(((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRBs    0"$                                                                 (<t__all__t gi.repositoryRRtsystmodulesR't dbus.servicet slip.dbusRtslip.dbus.servicetfirewallRtfirewall.core.fwRtfirewall.core.richRtfirewall.core.loggerRtfirewall.clientRtfirewall.server.decoratorsR R R R tfirewall.server.configR tfirewall.dbus_utilsRRRRRRRtfirewall.core.io.functionsRtfirewall.core.io.zoneRtfirewall.core.io.ipsetRtfirewall.core.io.serviceRtfirewall.core.io.icmptypeRtfirewall.core.io.helperRtfirewall.core.fw_nmRRRtfirewall.core.fw_ifcfgRRtfirewall.errorsR RtObjectR(((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyts4       "4server/config_icmptype.pyo000064400000031701147576556050012010 0ustar00 c`c@sddlmZddlZeejdtj|jjS|dkr]tj|jjS|dkr|tj|jjS|dkrtj|jjStj j d|dS(NtnametfilenameRtdefaulttbuiltinsDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not exist( RtStringRR R!RtBooleanR"R#t exceptionst DBusException(Rt property_name((sC/usr/lib/python2.7/site-packages/firewall/server/config_icmptype.pyt _get_propertyQs      t in_signaturetsst out_signaturetvcCsot|t}t|t}tjd|j|||tjjkrbtjj d|n|j |S(Ns%s.Get('%s', '%s')sJorg.freedesktop.DBus.Error.UnknownInterface: Interface '%s' does not exist( 
RtstrRtdebug1RRRRR&R'R)(Rtinterface_nameR(tsender((sC/usr/lib/python2.7/site-packages/firewall/server/config_icmptype.pytGetbs   tssa{sv}cCst|t}tjd|j||tjjkrPtjj d|ni}x0dddddgD]}|j |||s      server/config_ipset.pyo000064400000037616147576556050011315 0ustar00 c`c@sddlmZddlZeejdtj|jjS|dkr]tj|jjS|dkr|tj|jjS|dkrtj|jjStj j d|dS(NtnametfilenameRtdefaulttbuiltinsDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not exist( RtStringRR!R"RtBooleanR#R$t exceptionst DBusException(Rt property_name((s@/usr/lib/python2.7/site-packages/firewall/server/config_ipset.pyt _get_propertyRs      t in_signaturetsst out_signaturetvcCsot|t}t|t}tjd|j|||tjjkrbtjj d|n|j |S(Ns%s.Get('%s', '%s')sJorg.freedesktop.DBus.Error.UnknownInterface: Interface '%s' does not exist( RtstrRtdebug1RRRRR'R(R*(Rtinterface_nameR)tsender((s@/usr/lib/python2.7/site-packages/firewall/server/config_ipset.pytGetcs   tssa{sv}cCst|t}tjd|j||tjjkrPtjj d|ni}x0dddddgD]}|j |||tservicetsignalRAtPK_ACTION_INFOtINTROSPECTABLE_IFACERCRRtDBUS_SIGNATURERGRKRMRIRPRQRTRSRURXRYR[R\R^R_RbRcRgRkRmRoRqRxR{R|R}(((s@/usr/lib/python2.7/site-packages/firewall/server/config_ipset.pyR1s  $                   (t gi.repositoryRtsystmodulesRt dbus.servicet slip.dbusRtslip.dbus.servicetfirewallRtfirewall.dbus_utilsRRRtfirewall.core.io.ipsetRtfirewall.core.ipsetRtfirewall.core.loggerRtfirewall.server.decoratorsR R R R tfirewall.errorsR RtObjectR(((s@/usr/lib/python2.7/site-packages/firewall/server/config_ipset.pyts      server/config_helper.py000064400000042212147576556050011255 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2010-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
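#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# force use of pygobject3 in python-slip
from gi.repository import GObject
import sys
sys.modules['gobject'] = GObject

import dbus
import dbus.service
import slip.dbus
import slip.dbus.service

from firewall import config
from firewall.dbus_utils import dbus_to_python, \
    dbus_introspection_prepare_properties, \
    dbus_introspection_add_properties
from firewall.core.io.helper import Helper
from firewall.core.logger import log
from firewall.server.decorators import handle_exceptions, \
    dbus_handle_exceptions, dbus_service_method
from firewall import errors
from firewall.errors import FirewallError

############################################################################
#
# class FirewallDConfigHelper
#
############################################################################

class FirewallDConfigHelper(slip.dbus.service.Object):
    """D-Bus object for the persistent configuration of one firewalld helper.

    One instance is exported per helper definition (see
    firewall.core.io.helper.Helper).  The settings tuple handled here is
    ``(version, short, description, family, module, ports)``; the index
    constants used below (0..5) follow that order.

    Access control: methods that carry no explicit
    ``@slip.dbus.polkit.require_auth`` use ``default_polkit_auth_required``
    (presumably enforced by slip for every dbus method, Get/GetAll included
    -- confirm in slip.dbus.service).  Every state-changing method also calls
    ``self.parent.accessCheck(sender)`` before touching the configuration;
    that check lives in the parent object and is assumed to be the lockdown
    whitelist check.  Most read-only methods skip it, see the NOTE(review)
    on ``getFamily``.
    """

    persistent = True
    # Keep the object registered on the bus for the daemon's lifetime.

    default_polkit_auth_required = config.dbus.PK_ACTION_CONFIG
    # Polkit action for methods without their own require_auth.  This is the
    # full CONFIG action; the previous attribute docstring wrongly said
    # PK_ACTION_INFO.

    @handle_exceptions
    def __init__(self, parent, conf, helper, item_id, *args, **kwargs):
        """Wrap *helper* and export it on the bus.

        :param parent: owning config object; provides accessCheck() and
            removeHelper()
        :param conf: configuration backend (get_helper_config() and friends)
        :param helper: the Helper object represented by this D-Bus object
        :param item_id: numeric id, only used to build the log prefix
        :param args: ``(bus_name, object_path)``, forwarded to slip's Object
        """
        super(FirewallDConfigHelper, self).__init__(*args, **kwargs)
        self.parent = parent
        self.config = conf
        self.obj = helper
        self.item_id = item_id
        # Positional arguments are the bus name and the object path.
        self.busname = args[0]
        self.path = args[1]
        self._log_prefix = "config.helper.%d" % self.item_id
        dbus_introspection_prepare_properties(
            self, config.dbus.DBUS_INTERFACE_CONFIG_HELPER)

    @dbus_handle_exceptions
    def __del__(self):
        pass

    @dbus_handle_exceptions
    def unregister(self):
        """Take this object off the bus connection."""
        self.remove_from_connection()

    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    # P R O P E R T I E S

    @dbus_handle_exceptions
    def _get_property(self, property_name):
        """Return one read-only property as a D-Bus typed value.

        :raises dbus.exceptions.DBusException: InvalidArgs for an unknown
            property name
        """
        if property_name == "name":
            return dbus.String(self.obj.name)
        elif property_name == "filename":
            return dbus.String(self.obj.filename)
        elif property_name == "path":
            return dbus.String(self.obj.path)
        elif property_name == "default":
            return dbus.Boolean(self.obj.default)
        elif property_name == "builtin":
            return dbus.Boolean(self.obj.builtin)
        else:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.InvalidArgs: "
                "Property '%s' does not exist" % property_name)

    @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss',
                         out_signature='v')
    @dbus_handle_exceptions
    def Get(self, interface_name, property_name, sender=None): # pylint: disable=W0613
        """org.freedesktop.DBus.Properties.Get for the helper interface.

        :raises dbus.exceptions.DBusException: UnknownInterface for any
            interface other than DBUS_INTERFACE_CONFIG_HELPER, InvalidArgs
            for an unknown property
        """
        interface_name = dbus_to_python(interface_name, str)
        property_name = dbus_to_python(property_name, str)
        log.debug1("%s.Get('%s', '%s')", self._log_prefix, interface_name,
                   property_name)

        if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_HELPER:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.UnknownInterface: "
                "Interface '%s' does not exist" % interface_name)

        return self._get_property(property_name)

    @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='s',
                         out_signature='a{sv}')
    @dbus_handle_exceptions
    def GetAll(self, interface_name, sender=None): # pylint: disable=W0613
        """org.freedesktop.DBus.Properties.GetAll for the helper interface.

        :raises dbus.exceptions.DBusException: UnknownInterface for any
            interface other than DBUS_INTERFACE_CONFIG_HELPER
        """
        interface_name = dbus_to_python(interface_name, str)
        log.debug1("%s.GetAll('%s')", self._log_prefix, interface_name)

        if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_HELPER:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.UnknownInterface: "
                "Interface '%s' does not exist" % interface_name)

        ret = { }
        for x in [ "name", "filename", "path", "default", "builtin" ]:
            ret[x] = self._get_property(x)
        return dbus.Dictionary(ret, signature="sv")

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
    @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ssv')
    @dbus_handle_exceptions
    def Set(self, interface_name, property_name, new_value, sender=None):
        """org.freedesktop.DBus.Properties.Set -- always rejected.

        All properties of this object are read-only.  The polkit and
        accessCheck() checks run before the interface name is inspected, so
        an unauthorised sender gets the access error rather than the
        UnknownInterface / PropertyReadOnly one.

        :raises dbus.exceptions.DBusException: UnknownInterface or
            PropertyReadOnly
        """
        interface_name = dbus_to_python(interface_name, str)
        property_name = dbus_to_python(property_name, str)
        new_value = dbus_to_python(new_value)
        log.debug1("%s.Set('%s', '%s', '%s')", self._log_prefix,
                   interface_name, property_name, new_value)
        self.parent.accessCheck(sender)

        if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_HELPER:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.UnknownInterface: "
                "Interface '%s' does not exist" % interface_name)

        raise dbus.exceptions.DBusException(
            "org.freedesktop.DBus.Error.PropertyReadOnly: "
            "Property '%s' is read-only" % property_name)

    @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as')
    def PropertiesChanged(self, interface_name, changed_properties,
                          invalidated_properties):
        """Standard Properties.PropertiesChanged signal; body only logs."""
        interface_name = dbus_to_python(interface_name, str)
        changed_properties = dbus_to_python(changed_properties)
        invalidated_properties = dbus_to_python(invalidated_properties)
        log.debug1("%s.PropertiesChanged('%s', '%s', '%s')", self._log_prefix,
                   interface_name, changed_properties, invalidated_properties)

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
    @dbus_service_method(dbus.INTROSPECTABLE_IFACE, out_signature='s')
    @dbus_handle_exceptions
    def Introspect(self, sender=None): # pylint: disable=W0613
        """Return the introspection XML, with the property block added.

        Requires only PK_ACTION_INFO, unlike the class default.
        """
        log.debug2("%s.Introspect()", self._log_prefix)

        data = super(FirewallDConfigHelper, self).Introspect(
            self.path, self.busname.get_bus())

        return dbus_introspection_add_properties(
            self, data, config.dbus.DBUS_INTERFACE_CONFIG_HELPER)

    # S E T T I N G S

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         out_signature=Helper.DBUS_SIGNATURE)
    @dbus_handle_exceptions
    def getSettings(self, sender=None): # pylint: disable=W0613
        """Return the full settings tuple for this helper.

        Performs no accessCheck(); relies on the polkit default only.
        """
        log.debug1("%s.getSettings()", self._log_prefix)
        return self.config.get_helper_config(self.obj)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         in_signature=Helper.DBUS_SIGNATURE)
    @dbus_handle_exceptions
    def update(self, settings, sender=None):
        """Replace the helper's settings with *settings* and emit Updated.

        Validation of the caller-supplied tuple is not done here; it is
        assumed to happen in set_helper_config() / Helper -- confirm.
        """
        settings = dbus_to_python(settings)
        log.debug1("%s.update('...')", self._log_prefix)
        self.parent.accessCheck(sender)
        self.obj = self.config.set_helper_config(self.obj, settings)
        self.Updated(self.obj.name)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER)
    @dbus_handle_exceptions
    def loadDefaults(self, sender=None):
        """Reset a builtin helper to its default settings and emit Updated."""
        log.debug1("%s.loadDefaults()", self._log_prefix)
        self.parent.accessCheck(sender)
        self.obj = self.config.load_helper_defaults(self.obj)
        self.Updated(self.obj.name)

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_HELPER, signature='s')
    @dbus_handle_exceptions
    def Updated(self, name):
        """Signal: settings of helper *name* changed."""
        # Lazy %-args like the other log calls in this file.
        log.debug1("%s.Updated('%s')", self._log_prefix, name)

    # R E M O V E

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER)
    @dbus_handle_exceptions
    def remove(self, sender=None):
        """Delete this helper from the configuration and from the parent."""
        # Log the real method name so audit greps for remove() find it.
        log.debug1("%s.remove()", self._log_prefix)
        self.parent.accessCheck(sender)
        self.config.remove_helper(self.obj)
        self.parent.removeHelper(self.obj)

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_HELPER, signature='s')
    @dbus_handle_exceptions
    def Removed(self, name):
        """Signal: helper *name* was removed."""
        log.debug1("%s.Removed('%s')", self._log_prefix, name)

    # R E N A M E

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER, in_signature='s')
    @dbus_handle_exceptions
    def rename(self, name, sender=None):
        """Rename this helper to *name* and emit Renamed."""
        name = dbus_to_python(name, str)
        log.debug1("%s.rename('%s')", self._log_prefix, name)
        self.parent.accessCheck(sender)
        self.obj = self.config.rename_helper(self.obj, name)
        self.Renamed(name)

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_HELPER, signature='s')
    @dbus_handle_exceptions
    def Renamed(self, name):
        """Signal: this helper is now called *name*."""
        log.debug1("%s.Renamed('%s')", self._log_prefix, name)

    # version

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         out_signature='s')
    @dbus_handle_exceptions
    def getVersion(self, sender=None): # pylint: disable=W0613
        """Return settings[0], the version string."""
        log.debug1("%s.getVersion()", self._log_prefix)
        return self.getSettings()[0]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         in_signature='s')
    @dbus_handle_exceptions
    def setVersion(self, version, sender=None):
        """Set the version string (settings[0])."""
        version = dbus_to_python(version, str)
        log.debug1("%s.setVersion('%s')", self._log_prefix, version)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[0] = version
        # update() re-runs accessCheck() with sender=None; the check for this
        # request already ran above with the real sender.
        self.update(settings)

    # short

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         out_signature='s')
    @dbus_handle_exceptions
    def getShort(self, sender=None): # pylint: disable=W0613
        """Return settings[1], the short name."""
        log.debug1("%s.getShort()", self._log_prefix)
        return self.getSettings()[1]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         in_signature='s')
    @dbus_handle_exceptions
    def setShort(self, short, sender=None):
        """Set the short name (settings[1])."""
        short = dbus_to_python(short, str)
        log.debug1("%s.setShort('%s')", self._log_prefix, short)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[1] = short
        self.update(settings)

    # description

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         out_signature='s')
    @dbus_handle_exceptions
    def getDescription(self, sender=None): # pylint: disable=W0613
        """Return settings[2], the description."""
        log.debug1("%s.getDescription()", self._log_prefix)
        return self.getSettings()[2]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         in_signature='s')
    @dbus_handle_exceptions
    def setDescription(self, description, sender=None):
        """Set the description (settings[2])."""
        description = dbus_to_python(description, str)
        log.debug1("%s.setDescription('%s')", self._log_prefix, description)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[2] = description
        self.update(settings)

    # family

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         out_signature='s')
    @dbus_handle_exceptions
    def getFamily(self, sender=None):
        """Return settings[3], the address family.

        NOTE(review): this getter and getModule() call accessCheck(sender),
        while getSettings/getVersion/getShort/getDescription/getPorts and the
        query*() methods do not.  The stricter behaviour is kept here as-is
        (relaxing it would widen access under lockdown); whether the other
        getters should be tightened to match is a policy decision for the
        parent object.
        """
        log.debug1("%s.getFamily()", self._log_prefix)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        return settings[3]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         in_signature='s')
    @dbus_handle_exceptions
    def setFamily(self, ipv, sender=None):
        """Set the address family (settings[3]).

        :raises FirewallError: ALREADY_ENABLED if *ipv* is already set
        """
        ipv = dbus_to_python(ipv, str)
        log.debug1("%s.setFamily('%s')", self._log_prefix, ipv)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if settings[3] == ipv:
            raise FirewallError(errors.ALREADY_ENABLED, "'%s'" % ipv)
        settings[3] = ipv
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         in_signature='s', out_signature='b')
    @dbus_handle_exceptions
    def queryFamily(self, ipv, sender=None): # pylint: disable=W0613
        """Return True if the configured family equals *ipv*."""
        ipv = dbus_to_python(ipv, str)
        log.debug1("%s.queryFamily('%s')", self._log_prefix, ipv)
        settings = self.getSettings()
        return (settings[3] == ipv)

    # module

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         out_signature='s')
    @dbus_handle_exceptions
    def getModule(self, sender=None):
        """Return settings[4], the module name (runs accessCheck, see getFamily)."""
        log.debug1("%s.getModule()", self._log_prefix)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        return settings[4]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         in_signature='s')
    @dbus_handle_exceptions
    def setModule(self, module, sender=None):
        """Set the module name (settings[4]).

        :raises FirewallError: ALREADY_ENABLED if *module* is already set
        """
        module = dbus_to_python(module, str)
        log.debug1("%s.setModule('%s')", self._log_prefix, module)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if settings[4] == module:
            raise FirewallError(errors.ALREADY_ENABLED, "'%s'" % module)
        settings[4] = module
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         in_signature='s', out_signature='b')
    @dbus_handle_exceptions
    def queryModule(self, module, sender=None): # pylint: disable=W0613
        """Return True if the configured module equals *module*."""
        module = dbus_to_python(module, str)
        log.debug1("%s.queryModule('%s')", self._log_prefix, module)
        settings = self.getSettings()
        return (settings[4] == module)

    # port

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         out_signature='a(ss)')
    @dbus_handle_exceptions
    def getPorts(self, sender=None): # pylint: disable=W0613
        """Return settings[5], the list of (port, protocol) pairs."""
        log.debug1("%s.getPorts()", self._log_prefix)
        return self.getSettings()[5]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         in_signature='a(ss)')
    @dbus_handle_exceptions
    def setPorts(self, ports, sender=None):
        """Replace the port list (settings[5]) with *ports*."""
        _ports = [ ]
        # convert embedded lists to tuples
        for port in dbus_to_python(ports, list):
            if isinstance(port, list):
                _ports.append(tuple(port))
            else:
                _ports.append(port)
        ports = _ports
        # Format string fixed: it previously read "('%s, '%s')" and logged
        # ('80, 'tcp').
        log.debug1("%s.setPorts('[%s]')", self._log_prefix,
                   ",".join("('%s', '%s')" % (port[0], port[1]) for port in ports))
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[5] = ports
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                         in_signature='ss')
    @dbus_handle_exceptions
    def addPort(self, port, protocol, sender=None):
        """Append (port, protocol) to settings[5].

        :raises FirewallError: ALREADY_ENABLED if the pair is already present
        """
        port = dbus_to_python(port, str)
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.addPort('%s', '%s')", self._log_prefix, port, protocol)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if (port,protocol) in settings[5]:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "%s:%s" % (port, protocol))
        # Build a new list instead of appending in place: list() above is a
        # shallow copy, so settings[5] may still be the list owned by the
        # underlying Helper object (cannot tell from here) and an in-place
        # append would modify it before set_helper_config() has validated it.
        settings[5] = list(settings[5]) + [(port, protocol)]
        self.update(settings)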
@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER, in_signature='ss') @dbus_handle_exceptions def removePort(self, port, protocol, sender=None): port = dbus_to_python(port, str) protocol = dbus_to_python(protocol, str) log.debug1("%s.removePort('%s', '%s')", self._log_prefix, port, protocol) self.parent.accessCheck(sender) settings = list(self.getSettings()) if (port,protocol) not in settings[5]: raise FirewallError(errors.NOT_ENABLED, "%s:%s" % (port, protocol)) settings[5].remove((port,protocol)) self.update(settings) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_HELPER, in_signature='ss', out_signature='b') @dbus_handle_exceptions def queryPort(self, port, protocol, sender=None): # pylint: disable=W0613 port = dbus_to_python(port, str) protocol = dbus_to_python(protocol, str) log.debug1("%s.queryPort('%s', '%s')", self._log_prefix, port, protocol) return (port,protocol) in self.getSettings()[5] server/config_zone.pyo000064400000111062147576556050011130 0ustar00 c`c@sDddlmZddlZeejdeejjdd e d`d4Z?eejjdd dd)e d`d5Z@eejjdd+e d`d6ZAeejjdd+e d`d7ZBeejjdde d`d8ZCeejjdde d`d9ZDeejjdddd)e d`d:ZEeejjdd$e d`d;ZFeejjdd$e d`d<ZGeejjdd e d`d=ZHeejjdd e d`d>ZIeejjdd dd)e d`d?ZJeejjdd)e d`d@ZKeejjdd)e d`dAZLeejje d`dBZMeejje d`dCZNeejjdd)e d`dDZOeejjdd)e d`dEZPeejjdd)e d`dFZQeejje d`dGZReejje d`dHZSeejjdd)e d`dIZTeejjddJe d`dKZUeejjddJe d`dLZVeejjddMe d`dNZWeejjddMe d`dOZXeejjddMdd)e d`dPZYeejjdd$e d`dQZZeejjdd$e d`dRZ[eejjdd e d`dSZ\eejjdd e d`dTZ]eejjdd dd)e d`dUZ^eejjdd$e d`dVZ_eejjdd$e d`dWZ`eejjdd e d`dXZaeejjdd e d`dYZbeejjdd dd)e d`dZZceejjdd$e d`d[Zdeejjdd$e d`d\Zeeejjdd e d`d]Zfeejjdd e d`d^Zgeejjdd dd)e d`d_ZhRS(asFirewallD main classcOs~tt|j||||_||_||_||_|d|_|d|_d|j|_ t |tj j dS(Niisconfig.zone.%d( tsuperRt__init__tparentRtobjtitem_idtbusnametpatht _log_prefixRtdbustDBUS_INTERFACE_CONFIG_ZONE(tselfRtconftzoneRtargstkwargs((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyR<s      
cCsdS(N((R((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt__del__IscCs|jdS(N(tremove_from_connection(R((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt unregisterMscCs|dkrtj|jjS|dkr>tj|jjS|dkr]tj|jjS|dkr|tj|jjS|dkrtj|jjStj j d|dS(NtnametfilenameRtdefaulttbuiltinsDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not exist( RtStringRR$R%RtBooleanR&R't exceptionst DBusException(Rt property_name((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt _get_propertyUs      t in_signaturetsst out_signaturetvcCsot|t}t|t}tjd|j|||tjjkrbtjj d|n|j |S(Ns%s.Get('%s', '%s')sJorg.freedesktop.DBus.Error.UnknownInterface: Interface '%s' does not exist( RtstrR tdebug1RRRRR*R+R-(Rtinterface_nameR,tsender((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytGetfs   tssa{sv}cCst|t}tjd|j||tjjkrPtjj d|ni}x0dddddgD]}|j |||si( RRJt isinstanceR}RKR R3RRyRR?RNR`(RtportsR5t_portsRRL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytsetPortss cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.addPort('%s', '%s')is%s:%s(RR2R R3RRR?RJRNRRR|R}R`(RRtprotocolR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytaddPorts cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.removePort('%s', '%s')is%s:%s(RR2R R3RRR?RJRNRRRReR`(RRRR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt removePortscCst|t}t|t}tjd|j||||f|jdkrWtSx=|jdD]+\}}t||rh||krhtSqhWtS(Ns%s.queryPort('%s', '%s')i( RR2R R3RRNtTrueRtFalse(RRRR5t_portt _protocol((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt queryPortscCs!tjd|j|jdS(Ns%s.getProtocols()i (R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt getProtocolsscCskt|t}tjd|jdj||jj|t|j}||d<|j |dS(Ns%s.setProtocols('[%s]')Rxi ( RRJR R3RRyRR?RNR`(Rt protocolsR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt setProtocolss cCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j 
|dS(Ns%s.addProtocol('%s')i (RR2R R3RRR?RJRNRRR|R}R`(RRR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt addProtocolscCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |dS(Ns%s.removeProtocol('%s')i (RR2R R3RRR?RJRNRRRReR`(RRR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveProtocolscCs9t|t}tjd|j|||jdkS(Ns%s.queryProtocol('%s')i (RR2R R3RRN(RRR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt queryProtocol scCs!tjd|j|jdS(Ns%s.getSourcePorts()i(R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytgetSourcePorts*scCsg}xIt|tD]8}t|trA|jt|q|j|qW|}tjd|jdjd|D|j j |t|j }||d<|j |dS(Ns%s.setSourcePorts('[%s]')Rxcss'|]}d|d|dfVqdS(s ('%s, '%s')iiN((RR((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pys >si( RRJRR}RKR R3RRyRR?RNR`(RRR5RRRL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytsetSourcePorts1s cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.addSourcePort('%s', '%s')is%s:%s(RR2R R3RRR?RJRNRRR|R}R`(RRRR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt addSourcePortDs cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.removeSourcePort('%s', '%s')is%s:%s(RR2R R3RRR?RJRNRRRReR`(RRRR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveSourcePortTscCsQt|t}t|t}tjd|j||||f|jdkS(Ns%s.querySourcePort('%s', '%s')i(RR2R R3RRN(RRRR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytquerySourcePortcs cCs!tjd|j|jdS(Ns%s.getIcmpBlocks()i(R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt getIcmpBlocksoscCskt|t}tjd|jdj||jj|t|j}||d<|j |dS(Ns%s.setIcmpBlocks('[%s]')Rxi( RRJR R3RRyRR?RNR`(Rt icmptypesR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt setIcmpBlocksvs cCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |dS(Ns%s.addIcmpBlock('%s')i(RR2R 
R3RRR?RJRNRRR|R}R`(RticmptypeR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt addIcmpBlockscCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |dS(Ns%s.removeIcmpBlock('%s')i(RR2R R3RRR?RJRNRRRReR`(RRR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveIcmpBlockscCs9t|t}tjd|j|||jdkS(Ns%s.queryIcmpBlock('%s')i(RR2R R3RRN(RRR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytqueryIcmpBlockscCs!tjd|j|jdS(Ns%s.getIcmpBlockInversion()i(R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytgetIcmpBlockInversionscCsbt|t}tjd|j||jj|t|j}||d<|j |dS(Ns%s.setIcmpBlockInversion('%s')i( RtboolR R3RRR?RJRNR`(RtflagR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytsetIcmpBlockInversions  cCsotjd|j|jj|t|j}|drTttj dnt |d<|j |dS(Ns%s.addIcmpBlockInversion()isicmp-block-inversion( R R3RRR?RJRNRRR|RR`(RR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytaddIcmpBlockInversions  cCsotjd|j|jj|t|j}|dsTttj dnt |d<|j |dS(Ns%s.removeIcmpBlockInversion()isicmp-block-inversion( R R3RRR?RJRNRRRRR`(RR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveIcmpBlockInversions  cCs!tjd|j|jdS(Ns%s.queryIcmpBlockInversion()i(R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytqueryIcmpBlockInversionscCs!tjd|j|jdS(Ns%s.getMasquerade()i(R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt getMasqueradescCsbt|t}tjd|j||jj|t|j}||d<|j |dS(Ns%s.setMasquerade('%s')i( RRR R3RRR?RJRNR`(Rt masqueradeR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt setMasquerades  cCsotjd|j|jj|t|j}|drTttj dnt |d<|j |dS(Ns%s.addMasquerade()iR( R R3RRR?RJRNRRR|RR`(RR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt addMasquerades  cCsotjd|j|jj|t|j}|dsTttj dnt |d<|j |dS(Ns%s.removeMasquerade()iR( R 
R3RRR?RJRNRRRRR`(RR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveMasquerades  cCs!tjd|j|jdS(Ns%s.queryMasquerade()i(R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytqueryMasqueradessa(ssss)cCs!tjd|j|jdS(Ns%s.getForwardPorts()i (R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytgetForwardPortsscCsg}xIt|tD]8}t|trA|jt|q|j|qW|}tjd|jdjd|D|j j |t|j }||d<|j |dS(Ns%s.setForwardPorts('[%s]')Rxcss5|]+}d|d|d|d|dfVqdS(s('%s, '%s', '%s', '%s')iiiiN((RR((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pys si ( RRJRR}RKR R3RRyRR?RNR`(RRR5RRRL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytsetForwardPortss  tsssscCst|t}t|t}t|t}t|t}tjd|j|||||jj|||t|t|f}t|j}||dkrt t j d||||fn|dj ||j |dS(Ns)%s.addForwardPort('%s', '%s', '%s', '%s')i s %s:%s:%s:%s(RR2R R3RRR?RJRNRRR|R}R`(RRRttoportttoaddrR5tfwp_idRL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytaddForwardPort#s   cCst|t}t|t}t|t}t|t}tjd|j|||||jj|||t|t|f}t|j}||dkrt t j d||||fn|dj ||j |dS(Ns,%s.removeForwardPort('%s', '%s', '%s', '%s')i s %s:%s:%s:%s(RR2R R3RRR?RJRNRRRReR`(RRRRRR5RRL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveForwardPort7s   cCst|t}t|t}t|t}t|t}tjd|j||||||t|t|f}||jdkS(Ns+%s.queryForwardPort('%s', '%s', '%s', '%s')i (RR2R R3RRN(RRRRRR5R((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytqueryForwardPortKs cCs!tjd|j|jdS(Ns%s.getInterfaces()i (R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt getInterfaces[scCskt|t}tjd|jdj||jj|t|j}||d<|j |dS(Ns%s.setInterfaces('[%s]')Rxi ( RRJR R3RRyRR?RNR`(RROR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt setInterfacesbs cCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |t|jj|dS(Ns%s.addInterface('%s')i (RR2R R3RRR?RJRNRRR|R}R`RRR$(Rt interfaceR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt addInterfacens 
cCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |td|dS(Ns%s.removeInterface('%s')i t(RR2R R3RRR?RJRNRRRReR`R(RRR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveInterface}s cCs9t|t}tjd|j|||jdkS(Ns%s.queryInterface('%s')i (RR2R R3RRN(RRR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytqueryInterfacescCs!tjd|j|jdS(Ns%s.getSources()i (R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt getSourcesscCskt|t}tjd|jdj||jj|t|j}||d<|j |dS(Ns%s.setSources('[%s]')Rxi ( RRJR R3RRyRR?RNR`(RRPR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt setSourcess cCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |dS(Ns%s.addSource('%s')i (RR2R R3RRR?RJRNRRR|R}R`(RR\R5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt addSourcescCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |dS(Ns%s.removeSource('%s')i (RR2R R3RRR?RJRNRRRReR`(RR\R5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt removeSourcescCs9t|t}tjd|j|||jdkS(Ns%s.querySource('%s')i (RR2R R3RRN(RR\R5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt querySourcescCs!tjd|j|jdS(Ns%s.getRichRules()i (R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt getRichRulesscCst|t}tjd|jdj||jj|t|j}g|D]}t t d|^qW}||d<|j |dS(Ns%s.setRichRules('[%s]')Rxtrule_stri ( RRJR R3RRyRR?RNR2R R`(RtrulesR5RLtr((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt setRichRuless( cCst|t}tjd|j||jj|t|j}tt d|}||dkrt t j |n|dj ||j|dS(Ns%s.addRichRule('%s')Ri (RR2R R3RRR?RJRNR RRR|R}R`(RtruleR5RLR((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt addRichRulescCst|t}tjd|j||jj|t|j}tt d|}||dkrt t j |n|dj ||j|dS(Ns%s.removeRichRule('%s')Ri (RR2R R3RRR?RJRNR RRRReR`(RRR5RLR((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveRichRulescCsNt|t}tjd|j|ttd|}||jdkS(Ns%s.queryRichRule('%s')Ri (RR2R R3RR 
RN(RRR5R((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt queryRichRulesN(it__name__t __module__t__doc__Rt persistentRRtPK_ACTION_CONFIGtdefault_polkit_auth_requiredR RR R!R#R-R tPROPERTIES_IFACEtNoneR6R=tsliptpolkitt require_authRAR~tsignalRDtPK_ACTION_INFOtINTROSPECTABLE_IFACERFRRtDBUS_SIGNATURERNR]R`RbR_ReRfRiRhRjRlRmRoRpRrRsRuRwR{RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR(((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyR4sV  $                                             (%t gi.repositoryRtsystmodulesRt dbus.servicet slip.dbusRtslip.dbus.servicetfirewallRtfirewall.dbus_utilsRRRtfirewall.core.io.zoneRtfirewall.core.fw_ifcfgRtfirewall.core.baseRtfirewall.core.richR tfirewall.core.loggerR tfirewall.server.decoratorsR R R Rtfirewall.errorsRtfirewall.functionsRR~tObjectR(((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyts$      server/__init__.pyc000064400000000223147576556050010347 0ustar00 c`c@sdS(N((((s</usr/lib/python2.7/site-packages/firewall/server/__init__.pytsserver/config.pyo000064400000140122147576556050010074 0ustar00 
c`c@sddlmZddlZeejde"ejj1ddedvd3Z?e"ejj1ddedvd4Z@e"ejj1dddd+edvd5ZAe"ejj1dd-edvd6ZBe"ejj1dd7edvd8ZCe"ejj1dd7edvd9ZDe"ejj1dd7dd+edvd:ZEe"ejj1dd;edvd<ZFe"ejjGdd=edvd>ZHe"ejjGdd-edvd?ZIe"ejjGdddd@edvdAZJe"ejjGddeKj3dd@edvdBZLej+j,ejjGd"dedCZMe"ejjGdd=edvdDZNe"ejjGdd-edvdEZOe"ejjGdddd@edvdFZPe"ejjGddeQj3dd@edvdGZRej+j,ejjGd"dedHZSe"ejjGdd=edvdIZTe"ejjGdd-edvdJZUe"ejjGdddd@edvdKZVe"ejjGddeWj3dd@edvdLZXej+j,ejjGd"dedMZYe"ejjGdd=edvdNZZe"ejjGdd-edvdOZ[e"ejjGdddd@edvdPZ\e"ejjGddddedvdQZ]e"ejjGddddedvdRZ^e"ejjGdde_j3dd@edvdSZ`ej+j,ejjGd"dedTZae"ejjGdd=edvdUZbe"ejjGdd-edvdVZce"ejjGdddd@edvdWZde"ejjGddeej3dd@edvdXZfej+j,ejjGd"dedYZge"ejjhdeij3edvdZZje"ejjhdeij3edvd[Zkej+j,ejjhed\Zle"ejjhdd]edvd^Zme"ejjhdd]edvd_Zne"ejjhdd]dd+edvd`Zoe"ejjhdddd-edvdaZpe"ejjhddbddcedvddZqe"ejjhddeedvdfZre"ejjhddeedvdgZse"ejjhddedd+edvdhZte"ejjhdd]edvdiZue"ejjhdd]ddjedvdkZve"ejjhddbddledvdmZwe"ejjhddnedvdoZxe"ejjhddnedvdpZye"ejjhddndd+edvdqZze"ejjhddddredvdsZ{e"ejjhddtedvduZ|RS(wsFirewallD main classcOstt|j||||_|d|_|d|_|jt|jd|_ |j j tj |j j tj |j j tj |j j tj|j j tj|j j tj|j j tj|j j tj|j j tj|j j tjtjjtjrx[ttjtjD]>}dtj|f}tjj|rG|j j |qGqGWn|j jtj|j jtj|j jtjt|tjj idd6dd6dd6dd 6dd 6dd 6dd 6dd 6dS(Niiis%s/%st readwritet CleanupOnExitt IPv6_rpfiltertLockdownt MinimalMarktIndividualCallst LogDeniedtAutomaticHelperstAllowZoneDrifting(!tsuperRt__init__Rtbusnametpatht _init_varsRt watch_updatertwatchert add_watch_dirtFIREWALLD_IPSETStETC_FIREWALLD_IPSETStFIREWALLD_ICMPTYPEStETC_FIREWALLD_ICMPTYPEStFIREWALLD_HELPERStETC_FIREWALLD_HELPERStFIREWALLD_SERVICEStETC_FIREWALLD_SERVICEStFIREWALLD_ZONEStETC_FIREWALLD_ZONEStostexiststsortedtlistdirtisdirtadd_watch_filetLOCKDOWN_WHITELISTtFIREWALLD_DIRECTtFIREWALLD_CONFRtdbustDBUS_INTERFACE_CONFIG(tselftconftargstkwargstfilenameR+((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR)GsD      cCs]g|_d|_g|_d|_g|_d|_g|_d|_g|_d|_ x0|j j D]}|j |j j |qjWx0|j jD]}|j|j j|qWx0|j jD]}|j|j j|qWx0|j jD]}|j|j j|qWx0|j jD]}|j|j j|q6WdS(Ni(tipsetst ipset_idxt icmptypest 
icmptype_idxtservicest service_idxtzonestzone_idxthelperst helper_idxRt get_ipsetst _addIPSett get_ipsett get_icmptypest _addIcmpTypet get_icmptypet get_servicest _addServicet get_servicet get_zonest_addZonetget_zonet get_helperst _addHelpert get_helper(REtipsetticmptypetservicetzonethelper((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR,os(          cCsdS(N((RE((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyt__del__scCs&x5t|jdkr7|jj}|j~qWx5t|jdkro|jj}|j~q;Wx5t|jdkr|jj}|j~qsWx5t|jdkr|jj}|j~qWx5t|jdkr|jj}|j~qW|jdS(Ni( tlenRJtpopt unregisterRLRNRPRRR,(REtitem((s:/usr/lib/python2.7/site-packages/firewall/server/config.pytreloads*     c Cs|tjkr |jtjj}tjdtjy|jjWn+tk ru}tj d||fdSX|jtjjj }xDt |j D]0}||kr||||kr||=qqWt |dkr|jtjj|gndS|jtjs.|jtjr|jdry|jj|\}}Wn+tk r}tj d||fdSX|dkr|j|q|dkr|j|q|dkr|j|qn|jtjs|jtjr|jdry|jj|\}}Wn+tk rZ}tj d ||fdSX|dkrw|j|q|dkr|j|q|dkr|j|qn|jtjs|jtjr=|jdry|jj|\}}Wn+tk r.}tj d ||fdSX|dkrK|j |q:|dkrg|j!|q:|dkr:|j"|q:q|jtjr|j#tjd j$d }t |d ksd |krdSt%j&j'|r|j(j)|s7|j(j*|q7q:|j(j)|r:|j(j+|q:qn^|jtj,sa|jtj-r|jdry|jj.|\}}Wn+tk r}tj d||fdSX|dkr|j/|q|dkr|j0|q|dkr|j1|qn|jtj2s5|jtj3r|jdry|jj4|\}}Wn+tk r}tj d||fdSX|dkr|j5|q|dkr|j6|q|dkr|j7|qn|tj8kr@y|jj9Wn+tk r2}tj d||fdSX|j:n[|tj;kry|jj<Wn+tk r}tj d||fdSX|j=ndS(Ns,config: Reloading firewalld config file '%s's+Failed to load firewalld.conf file '%s': %sis.xmls%Failed to load icmptype file '%s': %stnewtremovetupdates$Failed to load service file '%s': %ss!Failed to load zone file '%s': %stt/is"Failed to load ipset file '%s': %ss#Failed to load helper file '%s': %ss/Failed to load lockdown whitelist file '%s': %ss)Failed to load direct rules file '%s': %s(>RRBtGetAllRCRDRtdebug1tupdate_firewalld_conft ExceptionterrortcopytlisttkeysRitPropertiesChangedt startswithR2R3tendswithtupdate_icmptype_from_pathRXtremoveIcmpTypet_updateIcmpTypeR6R7tupdate_service_from_pathR[t removeServicet_updateServiceR8R9tupdate_zone_from_pathR^t removeZonet _updateZonetreplacetstripR:R+R>R.t has_watchR/t 
remove_watchR0R1tupdate_ipset_from_pathRUt removeIPSett _updateIPSetR4R5tupdate_helper_from_pathRat removeHelpert _updateHelperR@tupdate_lockdown_whitelisttLockdownWhitelistUpdatedRAt update_directtUpdated( REtnamet old_propstmsgtpropstkeytwhattobjt_name((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR-s                            c Csjt||j||j|jdtjj|jf}|jj||jd7_|j|j |S(Ns%s/%di( R RRMR*RCtDBUS_PATH_CONFIG_ICMPTYPERLtappendt IcmpTypeAddedR(RERtconfig_icmptype((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRX&s cCssxl|jD]a}|jj|jkr |jj|jkr |jj|jkr ||_|j|jq q WdS(N(RLRRR+RIR(RERRd((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR2s  cCsd}xu|jD]j}|j}|j||kr||j|j|jj|j||_|j|jjqqWxP|jD]E}|j|kr|j |j|j |jj|~qqWdS(Ni( RPt getSettingsRRoRtset_zone_configRRRLtRemovedRk(RERtindexRftsettingsRd((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR;s  c Csjt||j||j|jdtjj|jf}|jj||jd7_|j|j |S(Ns%s/%di( R RROR*RCtDBUS_PATH_CONFIG_SERVICERNRt ServiceAddedR(RERtconfig_service((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR[MscCssxl|jD]a}|jj|jkr |jj|jkr |jj|jkr ||_|j|jq q WdS(N(RNRRR+RIR(RERRe((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRXs  cCsd}xu|jD]j}|j}|j||kr||j|j|jj|j||_|j|jjqqWxP|jD]E}|j|kr|j |j|j |jj|~qqWdS(Ni( RPRRRoRRRRRNRRk(RERRRfRRe((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRas  c Csjt||j||j|jdtjj|jf}|jj||jd7_|j|j |S(Ns%s/%di( R RRQR*RCtDBUS_PATH_CONFIG_ZONERPRt ZoneAddedR(RERt config_zone((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR^sscCssxl|jD]a}|jj|jkr |jj|jkr |jj|jkr ||_|j|jq q WdS(N(RPRRR+RIR(RERRf((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR~s * cCsWxP|jD]E}|j|kr |j|j|j|jj|~q q WdS(N(RPRRRRkRo(RERRf((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRs  c Csjt||j||j|jdtjj|jf}|jj||jd7_|j|j |S(Ns%s/%di( R RRKR*RCtDBUS_PATH_CONFIG_IPSETRJRt IPSetAddedR(RERt 
config_ipset((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRUscCssxl|jD]a}|jj|jkr |jj|jkr |jj|jkr ||_|j|jq q WdS(N(RJRRR+RIR(RERRc((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRs * cCsWxP|jD]E}|j|kr |j|j|j|jj|~q q WdS(N(RJRRRRkRo(RERRc((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRs  c Csjt||j||j|jdtjj|jf}|jj||jd7_|j|j |S(Ns%s/%di( R RRSR*RCtDBUS_PATH_CONFIG_HELPERRRRt HelperAddedR(RERt config_helper((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRascCssxl|jD]a}|jj|jkr |jj|jkr |jj|jkr ||_|j|jq q WdS(N(RRRRR+RIR(RERRg((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRs * cCsWxP|jD]E}|j|kr |j|j|j|jj|~q q WdS(N(RRRRRRkRo(RERRg((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRs  cCs|jjr|dkr,tjddStj}t||}|jjd|r`dSt ||}|jjd|rdSt |}|jjd|rdSt ||}|jjd|rdSt t jdndS(Ns&Lockdown not possible, sender not set.tcontexttuidtusertcommandslockdown is enabled(Rtlockdown_enabledtNoneRRwRCt SystemBusRt access_checkRRRRRt ACCESS_DENIED(REtsendertbusRRRR((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyt accessChecks$    c CsB|d kr%tjjd |n|jjj|}|dkrn|dkratj}ntj|S|dkr|dkrtj }n t |}tj |S|dkr|dkrtj rd nd }ntj|S|dkr%|dkrtj rd nd }ntj|S|dkrb|dkrUtjrLd nd }ntj|S|dkr|dkrtjrd nd }ntj|S|dkr|dkrtj}ntj|S|dkr|dkrtj}ntj|S|d kr>|dkr1tjr(d nd }ntj|SdS(Nt DefaultZoneR#R R"R!R$R%R&R'sDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not existtyestno( Rs MinimalMarks CleanupOnExitsLockdowns IPv6_rpfiltersIndividualCallss LogDeniedsAutomaticHelperssAllowZoneDrifting(RCt exceptionst DBusExceptionRtget_firewalld_conftgetRt FALLBACK_ZONEtStringtFALLBACK_MINIMAL_MARKtinttInt32tFALLBACK_CLEANUP_ON_EXITtFALLBACK_LOCKDOWNtFALLBACK_IPV6_RPFILTERtFALLBACK_INDIVIDUAL_CALLStFALLBACK_LOG_DENIEDtFALLBACK_AUTOMATIC_HELPERStFALLBACK_ALLOW_ZONE_DRIFTING(REtproptvalue((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyt _get_propertysX                                  
cCsL|dkr"tj|j|S|dkrDtj|j|S|dkrftj|j|S|dkrtj|j|S|dkrtj|j|S|dkrtj|j|S|dkrtj|j|S|dkrtj|j|S|d kr2tj|j|Stjjd |dS( NRR#R R"R!R$R%R&R'sDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not exist(RCRRRRR(RER((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyt_get_dbus_propertys*          t in_signaturetsst out_signaturetvcCst|t}t|t}tjd|||tjjkrP|j|S|tjjtjj gkrtj j d|ntj j d||j|S(Nsconfig.Get('%s', '%s')sDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not existsJorg.freedesktop.DBus.Error.UnknownInterface: Interface '%s' does not exist( RtstrRRtRRCRDRtDBUS_INTERFACE_CONFIG_DIRECTtDBUS_INTERFACE_CONFIG_POLICIESRR(REtinterface_namet property_nameR((s:/usr/lib/python2.7/site-packages/firewall/server/config.pytGet/s      tssa{sv}c Cst|t}tjd|i}|tjjkryxvdddddddd d g D]}|j|||RRRRRpRRERFRGRHRIRLRMRNRPRQRRRTRURVRXRY(((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR?s8 (          2A$                                                   (<t gi.repositoryRtsystmodulesR:RCt dbus.servicet slip.dbusRbtslip.dbus.servicetfirewallRtfirewall.core.baseRtfirewall.core.watcherRtfirewall.core.loggerRtfirewall.server.decoratorsRRRtfirewall.server.config_icmptypeR tfirewall.server.config_serviceR tfirewall.server.config_zoneR tfirewall.server.config_ipsetR tfirewall.server.config_helperR tfirewall.core.io.zoneRtfirewall.core.io.serviceRtfirewall.core.io.icmptypeRtfirewall.core.io.ipsetRtfirewall.core.io.helperRt#firewall.core.io.lockdown_whitelistRtfirewall.core.io.directRtfirewall.dbus_utilsRRRRRRRRtfirewall.errorsRRetObjectR(((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyts8       4server/firewalld.pyc000064400000252442147576556050010575 0ustar00 c`c@sdgZddlmZmZddlZeejdejjjejj-eejj*d dd d edd5Z?ejjjejj-eejj*d dd d'edd6Z@ejjejj*dded7ZAejjejj*dded8ZBejjjejj)eejj*d dd dedd9ZCejjjejj)eejj*d dd dedd:ZDejjjejj-eejj*d dd d edd;ZEejjjejj-eejj*d dd d'edd<ZFejjejj*dded=ZGejjejj*dded>ZHejjjejjeejj#d dd dedd?ZIejjjejjeejj#d dd dedd@ZJejjjejj eejj#d dd 
d eddAZKejjejj#ddedBZLejjejj#ddedCZMejjjejjNeejj#d dd eOjPeddDZQejjjejj eejj#d dd d'eddEZRejjjejjNeejj#d dd eSjPeddFZTejjjejj eejj#d dd d'eddGZUejjjejjNeejj#d dd eVjPeddHZWejjjejjNeejj#d dd deddIZXejjjejjeejj#d dd deddJZYejjejj#ddedKZZejjjejjNeejj#d dd deddLZ[ejjjejjeejj#d dd deddMZ\ejjejj#ddedNZ]ejjjejj eejj#d dd deddOZ^ejjjejjeejj#d dd deddPZ_ejjejj#ddedQZ`ejjjejj eejjad dd d'eddRZbejjjejj eejjad dd dSeddTZcejjjejj eejjad dd deddUZdejjjejj eejjad dd deddVZeejjjejjNeejjad dd d eddWZfejjjejjeejjad d d deddXZgejjjejjeejjad d d deddYZhejjjejjeejjad d d deddZZiejjjejjeejjad d d dedd[ZjejjjejjNeejjad d d d edd\ZkejjjejjNeejjad dd d'edd]Zlejjejjadd ed^Zmejjejjadd ed_Znejjejjadd ed`Zoejjejjadd edaZpejjjejjeejjad d d deddbZqejjjejjeejjad d d deddcZrejjjejjeejjad d d dedddZsejjjejjNeejjad d d d eddeZtejjjejjNeejjad dd d'eddfZuejjejjadd edgZvejjejjadd edhZwejjejjadd ediZxedjZyejjjejjeejjad dkd deddlZzejjjejjeejjad d d deddmZ{ejjjejjNeejjad d d d eddnZ|ejjjejjNeejjad dd d'eddoZ}ejjejjaddkedpZ~ejjejjadd edqZedrZejjjejjeejjad dkd deddsZejjjejjeejjad d d deddtZejjjejjNeejjad d d d edduZejjjejjNeejjad dd d'eddvZejjejjaddkedwZejjejjadd edxZedyZejjjejjeejjad dzd dedd{Zejjjejjeejjad d|d dedd}ZejjjejjNeejjad d|d d edd~ZejjjejjNeejjad dd deddZejjejjaddzeddZejjejjadd|edZedZejjjejjeejjad dkd deddZejjjejjeejjad d d deddZejjjejjNeejjad d d d eddZejjjejjNeejjad dd d'eddZejjejjaddkeddZejjejjadd edZedZejjjejjeejjad dzd deddZejjjejjeejjad d|d deddZejjjejjNeejjad d|d d eddZejjjejjNeejjad dd deddZejjejjaddzeddZejjejjadd|edZedZejjjejjeejjad dd deddZejjjejjeejjad dd deddZejjjejjNeejjad dd d eddZejjejjaddeddZejjejjaddedZedZejjjejjeejjad dd deddZejjjejjeejjad dd deddZejjjejjNeejjad dd d eddZejjjejjNeejjad dd deddZejjejjaddeddZejjejjaddedZedZejjjejjeejjad dkd deddZejjjejjeejjad d d deddZejjjejjNeejjad d d d eddZejjjejjNeejjad dd d'eddZejjejjaddkeddZejjejjadd edZejjjejjeejjad dd deddZejjjejjeejjad dd deddZejjjejjNeejjad dd d eddZejjejjaddedZejjejjaddedZejjjejjeejjd d|d deddZejjjejjeejjd d|d 
deddZejjjejjeejjd d|d d eddZejjjejjeejjd d d d'eddZejjjejjeejjd dd deddZejjejjdd|edZejjejjdd|edZejjjejjeejjd dd deddZejjjejjeejjd dd deddZejjjejjeejjd d|d deddZejjjejjeejjd dd d eddZejjjejjeejjd d|d deddZejjjejjeejjd dd deddZejjejjddedZejjejjddedZejjjejjeejjd dd deddZejjjejjeejjd dd deddZejjjejjeejjd dd deddZejjjejjeejjd dd d eddZejjjejjeejjd dd deddZejjjejjeejjd dd deddZejjjejjeejjd dd deddZejjejjddedZejjejjddedZejjjejjeejj#d dd deddZejjjejj eejjd dd d eddZejjjejj eejjd dd d'eddZejjjejjNeejjd dd ejPeddZejjjejjeejjd d d deddZejjjejjeejjd d d deddZejjjejj eejjd d d d eddZejjjejj eejjd dd d'eddZejjjejjeejjd deddZejjejjdd edZejjejjdd edZejjjejj eejj#d dd d'eddZejjjejjNeejj#d dd ejPeddZRS(sFirewallD main classcOstt|j||t|_|d|_|d|_|jt|t j j t |jj |jt j j |_ dS(Nii(tsuperRt__init__RtfwtbusnametpathtstartRRtdbustDBUS_INTERFACER tDBUS_PATH_CONFIG(tselftargstkwargs((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR"Js    cCs|jdS(N(tstop(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt__del__UscCs#tjdi|_|jjS(Nsstart()(Rtdebug1t _timeoutsR#R&(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR&Xs  cCstjd|jjS(Nsstop()(RR/R#R-(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR-`s cCs|jjjr|dkr/tjddStj}t||}|jjj d|rfdSt ||}|jjj d|rdSt |}|jjj d|rdSt ||}|jjj d|rdSt tjdndS(Ns&Lockdown not possible, sender not set.tcontexttuidtusertcommandslockdown is enabled(R#tpoliciestquery_lockdowntNoneRterrorR't SystemBusRt access_checkRRRR Rt ACCESS_DENIED(R*tsendertbusR1R2R3R4((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt accessCheckis$    cCs4||jkri|j|RR'R(RfRgRoRpRqRr(R*RsRtt new_valueR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytSets:             Rvssa{sv}ascCsAt|t}t|}t|}tjd|||dS(Ns#PropertiesChanged('%s', '%s', '%s')(RRnRR/(R*Rstchanged_propertiestinvalidated_properties((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytPropertiesChangeds    cCsJtjdtt|j|j|jj}t||t j j 
S(Ns Introspect()( Rtdebug2R!Rt IntrospectR%R$tget_busRRR'R((R*R<tdata((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR's   tcCs5tjd|jj|jj|jdS(s#Reload the firewall rules. sreload()N(RR/R#treloadRtReloaded(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR5s   cCs8tjd|jjt|jj|jdS(sCompletely reload the firewall. Completely reload the firewall: Stops firewall, unloads modules and starts the firewall again. scompleteReload()N(RR/R#RtTrueRR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytcompleteReloadDs  cCstjddS(Ns Reloaded()(RR/(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRTscCstjdt|jdS(s&Check permanent configuration scheckPermanentConfig()N(RR/RR#(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytcheckPermanentConfigYs c Csotjdt}|jj}x|jjjD]}|j|}y||kr|jj |}|j |krtjd||j |qtjd|n$tjd||jj ||Wq5t k r }tjd||ft}q5Xq5W|jj}x|jjjD]}|j|}y||kr|jj|}|j |krtjd||j |qtjd|n$tjd||jj||Wq0t k r}tjd ||ft}q0Xq0W|jj}x|jjjD]}y|j|}||kr|jj|}|j |krtjd ||j |qtjd |n$tjd ||jj||Wq+t k r}tjd ||ft}q+Xq+W|jj}t}x |jjjD]}|j |}t!|} |dk rBt} x_| j#D]Q} |jjj$|| |krotjd|| f| j%| t} qoqoWxc| j#D]U} y;t&| } | rt'|| r| j%| t} nWqt k r%qXqW| rB~| j(}qBnx!| j#D]} t)|| qOWy||kr|jj*|}|j |krtjd||j |qtjd|n$tjd||jj+||Wq/t k r%}tjd||ft}q/Xq/W|jj,}x|jj-j.D]}|j/|}y||kr|jj0|}|j |krtjd||j |qtjd|n$tjd||jj1||WqLt k r }tjd||ft}qLXqLW|jj2j3|jj2j4|jj2j5f}yF|jj |krtjd|jj |n tjdWn*t k r}tjd|t}nX|jj6j7j8}yF|jj |krtjd|jj9|n tjdWn*t k rR}tjd|t}nX|rkt:t;j<ndS(s-Make runtime configuration permanent scopyRuntimeToPermanent()sCopying service '%s' settingss$Service '%s' is identical, ignoring.sCreating service '%s's/Runtime To Permanent failed on service '%s': %ssCopying icmptype '%s' settingss%IcmpType '%s' is identical, ignoring.sCreating icmptype '%s's0Runtime To Permanent failed on icmptype '%s': %ssCopying ipset '%s' settingss"IPSet '%s' is identical, ignoring.sCreating ipset '%s's-Runtime To Permanent failed on ipset '%s': 
%ssEZone '%s': interface binding for '%s' has been added by NM, ignoring.sCopying zone '%s' settingss!Zone '%s' is identical, ignoring.sCreating zone '%s's,Runtime To Permanent failed on zone '%s': %ssCopying helper '%s' settingss#Helper '%s' is identical, ignoring.sCreating helper '%s's.Runtime To Permanent failed on helper '%s': %ssCopying direct configurations,Direct configuration is identical, ignoring.s7Runtime To Permanent failed on direct configuration: %ssCopying policies configurations.Policies configuration is identical, ignoring.s9Runtime To Permanent failed on policies configuration: %sN(=RR/tFalseRtgetServiceNamesR#tservicet get_servicestgetServiceSettingstgetServiceByNamet getSettingstupdatet addServicet ExceptiontwarningRtgetIcmpTypeNamesticmptypet get_icmptypestgetIcmpTypeSettingstgetIcmpTypeByNamet addIcmpTypet getIPSetNamestipsett get_ipsetstgetIPSetSettingstgetIPSetByNametaddIPSett getZoneNamesRR?t get_zonestgetZoneSettingsRR7t getInterfacestinterface_get_sendertremoveInterfaceRRtsettingsRt getZoneByNametaddZonetgetHelperNamesthelpert get_helperstgetHelperSettingstgetHelperByNamet addHelpertdirecttget_all_chainst get_all_rulestget_all_passthroughsR5tlockdown_whitelistt export_configtsetLockdownWhitelistR RtRT_TO_PERM_FAILED( R*R<R8t config_namestnametconftconf_objtet nm_bus_nameRtchangedt interfacet connection((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytruntimeToPermanentes                     cCs8tjd|j||jjj|jdS(s!Enable lockdown policies spolicies.enableLockdown()N(RR/R>R#R5tenable_lockdowntLockdownEnabled(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytenableLockdown$s  cCs8tjd|j||jjj|jdS(s"Disable lockdown policies spolicies.disableLockdown()N(RR/R>R#R5tdisable_lockdowntLockdownDisabled(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableLockdown0s  tbcCstjd|jjjS(s+Retuns True if lockdown is enabled 
spolicies.queryLockdown()(RR/R#R5R6(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryLockdown<s cCstjddS(NsLockdownEnabled()(RR/(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRGscCstjddS(NsLockdownDisabled()(RR/(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRLscCsTt|t}tjd||j||jjjj||j |dS(sAdd lockdown command s*policies.addLockdownWhitelistCommand('%s')N( RRnRR/R>R#R5Rt add_commandtLockdownWhitelistCommandAdded(R*R4R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddLockdownWhitelistCommandUs  cCsTt|t}tjd||j||jjjj||j |dS(s Remove lockdown command s-policies.removeLockdownWhitelistCommand('%s')N( RRnRR/R>R#R5Rtremove_commandtLockdownWhitelistCommandRemoved(R*R4R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveLockdownWhitelistCommandbs  cCs6t|t}tjd||jjjj|S(sQuery lockdown command s,policies.queryLockdownWhitelistCommand('%s')(RRnRR/R#R5Rt has_command(R*R4R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryLockdownWhitelistCommandostascCs tjd|jjjjS(sAdd lockdown command s'policies.getLockdownWhitelistCommands()(RR/R#R5Rt get_commands(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetLockdownWhitelistCommands{s cCstjd|dS(Ns#LockdownWhitelistCommandAdded('%s')(RR/(R*R4((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|dS(Ns%LockdownWhitelistCommandRemoved('%s')(RR/(R*R4((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRsticCsTt|t}tjd||j||jjjj||j |dS(sAdd lockdown uid s&policies.addLockdownWhitelistUid('%s')N( RtintRR/R>R#R5Rtadd_uidtLockdownWhitelistUidAdded(R*R2R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddLockdownWhitelistUids  cCsTt|t}tjd||j||jjjj||j |dS(sRemove lockdown uid s)policies.removeLockdownWhitelistUid('%s')N( RRRR/R>R#R5Rt 
remove_uidtLockdownWhitelistUidRemoved(R*R2R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveLockdownWhitelistUids  cCs6t|t}tjd||jjjj|S(sQuery lockdown uid s(policies.queryLockdownWhitelistUid('%s')(RRRR/R#R5Rthas_uid(R*R2R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryLockdownWhitelistUidstaicCs tjd|jjjjS(sAdd lockdown uid s#policies.getLockdownWhitelistUids()(RR/R#R5Rtget_uids(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetLockdownWhitelistUidss cCstjd|dS(NsLockdownWhitelistUidAdded(%d)(RR/(R*R2((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|dS(NsLockdownWhitelistUidRemoved(%d)(RR/(R*R2((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCsTt|t}tjd||j||jjjj||j |dS(sAdd lockdown user s'policies.addLockdownWhitelistUser('%s')N( RRnRR/R>R#R5Rtadd_usertLockdownWhitelistUserAdded(R*R3R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddLockdownWhitelistUsers  cCsTt|t}tjd||j||jjjj||j |dS(sRemove lockdown user s*policies.removeLockdownWhitelistUser('%s')N( RRnRR/R>R#R5Rt remove_usertLockdownWhitelistUserRemoved(R*R3R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveLockdownWhitelistUsers  cCs6t|t}tjd||jjjj|S(sQuery lockdown user s)policies.queryLockdownWhitelistUser('%s')(RRnRR/R#R5Rthas_user(R*R3R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryLockdownWhitelistUserscCs tjd|jjjjS(sAdd lockdown user s$policies.getLockdownWhitelistUsers()(RR/R#R5Rt get_users(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetLockdownWhitelistUserss cCstjd|dS(Ns LockdownWhitelistUserAdded('%s')(RR/(R*R3((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|dS(Ns"LockdownWhitelistUserRemoved('%s')(RR/(R*R3((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCsTt|t}tjd||j||jjjj||j |dS(sAdd lockdown context s*policies.addLockdownWhitelistContext('%s')N( 
RRnRR/R>R#R5Rt add_contexttLockdownWhitelistContextAdded(R*R1R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddLockdownWhitelistContext s  cCsTt|t}tjd||j||jjjj||j |dS(s Remove lockdown context s-policies.removeLockdownWhitelistContext('%s')N( RRnRR/R>R#R5Rtremove_contexttLockdownWhitelistContextRemoved(R*R1R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveLockdownWhitelistContexts  cCs6t|t}tjd||jjjj|S(sQuery lockdown context s,policies.queryLockdownWhitelistContext('%s')(RRnRR/R#R5Rt has_context(R*R1R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryLockdownWhitelistContext&scCs tjd|jjjjS(sAdd lockdown context s'policies.getLockdownWhitelistContexts()(RR/R#R5Rt get_contexts(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetLockdownWhitelistContexts2s cCstjd|dS(Ns#LockdownWhitelistContextAdded('%s')(RR/(R*R1((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR=scCstjd|dS(Ns%LockdownWhitelistContextRemoved('%s')(RR/(R*R1((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRBscCs5tjd|j||jj|jdS(snEnable panic mode. All ingoing and outgoing connections and packets will be blocked. senablePanicMode()N(RR/R>R#tenable_panic_modetPanicModeEnabled(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytenablePanicModeKs   cCs5tjd|j||jj|jdS(sDisable panic mode. 
Enables normal mode: Allowed ingoing and outgoing connections will not be blocked anymore sdisablePanicMode()N(RR/R>R#tdisable_panic_modetPanicModeDisabled(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisablePanicModeYs   cCstjd|jjS(NsqueryPanicMode()(RR/R#tquery_panic_mode(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryPanicModehs cCstjddS(NsPanicModeEnabled()(RR/(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRqscCstjddS(NsPanicModeDisabled()(RR/(R*((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRvscCs2t|t}tjd||jjj|S(NsgetZoneSettings(%s)(RRnRR/R#R?tget_config_with_settings(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|jjjS(NslistServices()(RR/R#RR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt listServicess cCs8t|t}tjd||jjj|jS(NsgetServiceSettings(%s)(RRnRR/R#Rt get_serviceR(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|jjjS(NslistIcmpTypes()(RR/R#RR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt listIcmpTypess cCs8t|t}tjd||jjj|jS(NsgetIcmpTypeSettings(%s)(RRnRR/R#Rt get_icmptypeR(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|jjS(NsgetLogDenied()(RR/R#tget_log_denied(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getLogDenieds cCsrt|t}tjd||j||jj||j||jj|j j|j dS(NssetLogDenied('%s')( RRnRR/R>R#tset_log_deniedtLogDeniedChangedRRR(R*tvalueR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt setLogDenieds    cCstjd|dS(NsLogDeniedChanged('%s')(RR/(R*R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|jjS(NsgetAutomaticHelpers()(RR/R#tget_automatic_helpers(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetAutomaticHelperss cCsrt|t}tjd||j||jj||j||jj|j j|j dS(NssetAutomaticHelpers('%s')( 
RRnRR/R>R#tset_automatic_helperstAutomaticHelpersChangedRRR(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytsetAutomaticHelperss    cCstjd|dS(NsAutomaticHelpersChanged('%s')(RR/(R*R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR scCstjd|jjS(NsgetDefaultZone()(RR/R#tget_default_zone(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetDefaultZones cCsNt|t}tjd||j||jj||j|dS(NssetDefaultZone('%s')(RRnRR/R>R#tset_default_zonetDefaultZoneChanged(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytsetDefaultZones  cCstjd|dS(NsDefaultZoneChanged('%s')(RR/(R*R?((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|jjjS(Nszone.getZones()(RR/R#R?R(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetZoness s a{sa{sas}}cCstjdi}x|jjjD]}|jjj|}|jjj|}t|t|dkr&i||R#R?t add_interfacetInterfaceAdded(R*R?RR<t_zone((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt addInterfaceds cCs1t|t}t|t}|j|||S(sChange a zone an interface is part of. If zone is empty, use default zone. This function is deprecated, use changeZoneOfInterface instead (RRntchangeZoneOfInterface(R*R?RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt changeZoneus cCsqt|t}t|t}tjd||f|j||jjj|||}|j|||S(s[Change a zone an interface is part of. If zone is empty, use default zone. s&zone.changeZoneOfInterface('%s', '%s')( RRnRR/R>R#R?tchange_zone_of_interfacetZoneOfInterfaceChanged(R*R?RR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR%s cCsnt|t}t|t}tjd||f|j||jjj||}|j|||S(skRemove interface from a zone. If zone is empty, remove from zone the interface belongs to. s zone.removeInterface('%s', '%s')( RRnRR/R>R#R?tremove_interfacetInterfaceRemoved(R*R?RR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs cCsKt|t}t|t}tjd||f|jjj||S(s^Return true if an interface is in a zone. If zone is empty, use default zone. 
szone.queryInterface('%s', '%s')(RRnRR/R#R?tquery_interface(R*R?RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryInterfacescCs3t|t}tjd||jjj|S(s]Return the list of interfaces of a zone. If zone is empty, use default zone. szone.getInterfaces('%s')(RRnRR/R#R?R(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs cCstjd||fdS(Nszone.InterfaceAdded('%s', '%s')(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR"scCstjd||fdS(s, This signal is deprecated. szone.ZoneChanged('%s', '%s')N(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt ZoneChangedscCs+tjd||f|j||dS(Ns'zone.ZoneOfInterfaceChanged('%s', '%s')(RR/R-(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR(s  cCstjd||fdS(Ns!zone.InterfaceRemoved('%s', '%s')(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR*scCsqt|t}t|t}tjd||f|j||jjj|||}|j|||S(sLAdd a source to a zone. If zone is empty, use default zone. szone.addSource('%s', '%s')( RRnRR/R>R#R?t add_sourcet SourceAdded(R*R?RR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt addSources cCsqt|t}t|t}tjd||f|j||jjj|||}|j|||S(sXChange a zone an source is part of. If zone is empty, use default zone. s#zone.changeZoneOfSource('%s', '%s')( RRnRR/R>R#R?tchange_zone_of_sourcetZoneOfSourceChanged(R*R?RR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytchangeZoneOfSources cCsnt|t}t|t}tjd||f|j||jjj||}|j|||S(seRemove source from a zone. If zone is empty, remove from zone the source belongs to. szone.removeSource('%s', '%s')( RRnRR/R>R#R?t remove_sourcet SourceRemoved(R*R?RR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt removeSources cCsKt|t}t|t}tjd||f|jjj||S(s[Return true if an source is in a zone. If zone is empty, use default zone. 
szone.querySource('%s', '%s')(RRnRR/R#R?t query_source(R*R?RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt querySourcescCs3t|t}tjd||jjj|S(sZReturn the list of sources of a zone. If zone is empty, use default zone. szone.getSources('%s')(RRnRR/R#R?R(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getSourcess cCstjd||fdS(Nszone.SourceAdded('%s', '%s')(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR/+scCstjd||fdS(Ns$zone.ZoneOfSourceChanged('%s', '%s')(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR20scCstjd||fdS(Nszone.SourceRemoved('%s', '%s')(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR55scCs^tjd||f|j||=td|}|jjj|||j||dS(Ns%zone.disableTimedRichRule('%s', '%s')trule_str(RR/R0RR#R?t remove_ruletRichRuleRemoved(R*R?truletobj((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableTimedRichRule>s tssicCst|t}t|t}t|t}tjd||ftd|}|jjj|||}|dkrt j ||j ||}|j |||n|j ||||S(Nszone.addRichRule('%s', '%s')R:i(RRnRRR/RR#R?tadd_ruleRttimeout_add_secondsR?RBt RichRuleAdded(R*R?R=ttimeoutR<R>R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt addRichRuleFs  cCst|t}t|t}tjd||ftd|}|jjj||}|j|||j |||S(Nszone.removeRichRule('%s', '%s')R:( RRnRR/RR#R?R;RDR<(R*R?R=R<R>R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveRichRuleZscCsZt|t}t|t}tjd||ftd|}|jjj||S(Nszone.queryRichRule('%s', '%s')R:(RRnRR/RR#R?t query_rule(R*R?R=R<R>((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryRichRulehs cCs3t|t}tjd||jjj|S(Nszone.getRichRules('%s')(RRnRR/R#R?t list_rules(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getRichRulessscCstjd|||fdS(Ns"zone.RichRuleAdded('%s', '%s', %d)(RR/(R*R?R=RD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRCscCstjd||fdS(Ns zone.RichRuleRemoved('%s', 
'%s')(RR/(R*R?R=((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR<scCsOtjd||f|j||=|jjj|||j||dS(Ns$zone.disableTimedService('%s', '%s')(RR/R0R#R?tremove_servicetServiceRemoved(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableTimedServicescCst|t}t|t}t|t}tjd|||f|j||jjj||||}|dkrt j ||j ||}|j |||n|j ||||S(Nszone.addService('%s', '%s', %d)i(RRnRRR/R>R#R?t add_serviceRRBRMRBt ServiceAdded(R*R?RRDR<R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs   cCs~t|t}t|t}tjd||f|j||jjj||}|j|||j |||S(Nszone.removeService('%s', '%s')( RRnRR/R>R#R?RKRDRL(R*R?RR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt removeServices cCsKt|t}t|t}tjd||f|jjj||S(Nszone.queryService('%s', '%s')(RRnRR/R#R?t query_service(R*R?RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryServicescCs3t|t}tjd||jjj|S(Nszone.getServices('%s')(RRnRR/R#R?t list_services(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getServicesscCstjd|||fdS(Ns!zone.ServiceAdded('%s', '%s', %d)(RR/(R*R?RRD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyROs cCstjd||fdS(Nszone.ServiceRemoved('%s', '%s')(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRLscCs^tjd|||f|j|||f=|jjj||||j|||dS(Ns'zone.disableTimedPort('%s', '%s', '%s')(RR/R0R#R?t remove_portt PortRemoved(R*R?tporttprotocol((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableTimedPorts  tsssicCst|t}t|t}t|t}t|t}tjd|||f|j||jjj|||||}|dkrt j ||j |||}|j |||f|n|j |||||S(Nszone.addPort('%s', '%s', '%s')i(RRnRRR/R>R#R?tadd_portRRBRYRBt PortAdded(R*R?RWRXRDR<R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddPorts  ! 
tssscCst|t}t|t}t|t}tjd|||f|j||jjj|||}|j|||f|j ||||S(Ns!zone.removePort('%s', '%s', '%s')( RRnRR/R>R#R?RURDRV(R*R?RWRXR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt removePorts  cCs`t|t}t|t}t|t}tjd|||f|jjj|||S(Ns zone.queryPort('%s', '%s', '%s')(RRnRR/R#R?t query_port(R*R?RWRXR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryPorts taascCs3t|t}tjd||jjj|S(Nszone.getPorts('%s')(RRnRR/R#R?t list_ports(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetPortssicCs!tjd||||fdS(Ns$zone.PortAdded('%s', '%s', '%s', %d)(RR/(R*R?RWRXRD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR\*s cCstjd|||fdS(Ns"zone.PortRemoved('%s', '%s', '%s')(RR/(R*R?RWRX((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRV0s cCsOtjd||f|j||=|jjj|||j||dS(Ns%zone.disableTimedProtocol('%s', '%s')(RR/R0R#R?tremove_protocoltProtocolRemoved(R*R?RX((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableTimedProtocol:scCst|t}t|t}t|t}tjd||f|j||jjj||||}|dkrt j ||j ||}|j |||n|j ||||S(Nszone.enableProtocol('%s', '%s')i(RRnRRR/R>R#R?t add_protocolRRBRgRBt ProtocolAdded(R*R?RXRDR<R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt addProtocolAs   cCs~t|t}t|t}tjd||f|j||jjj||}|j|||j |||S(Nszone.removeProtocol('%s', '%s')( RRnRR/R>R#R?ReRDRf(R*R?RXR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveProtocolVs cCsKt|t}t|t}tjd||f|jjj||S(Nszone.queryProtocol('%s', '%s')(RRnRR/R#R?tquery_protocol(R*R?RXR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryProtocolfscCs3t|t}tjd||jjj|S(Nszone.getProtocols('%s')(RRnRR/R#R?tlist_protocols(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getProtocolsqscCstjd|||fdS(Ns"zone.ProtocolAdded('%s', '%s', %d)(RR/(R*R?RXRD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRi}s cCstjd||fdS(Ns zone.ProtocolRemoved('%s', 
'%s')(RR/(R*R?RX((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRfscCsatjd|||f|j|d||f=|jjj||||j|||dS(Ns-zone.disableTimedSourcePort('%s', '%s', '%s')tsport(RR/R0R#R?tremove_source_porttSourcePortRemoved(R*R?RWRX((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableTimedSourcePorts  cCst|t}t|t}t|t}t|t}tjd|||f|j||jjj|||||}|dkrt j ||j |||}|j |d||f|n|j |||||S(Ns$zone.addSourcePort('%s', '%s', '%s')iRp(RRnRRR/R>R#R?tadd_source_portRRBRsRBtSourcePortAdded(R*R?RWRXRDR<R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt addSourcePorts    cCst|t}t|t}t|t}tjd|||f|j||jjj|||}|j|d||f|j ||||S(Ns'zone.removeSourcePort('%s', '%s', '%s')Rp( RRnRR/R>R#R?RqRDRr(R*R?RWRXR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveSourcePorts  cCs`t|t}t|t}t|t}tjd|||f|jjj|||S(Ns&zone.querySourcePort('%s', '%s', '%s')(RRnRR/R#R?tquery_source_port(R*R?RWRXR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytquerySourcePorts  cCs3t|t}tjd||jjj|S(Nszone.getSourcePorts('%s')(RRnRR/R#R?tlist_source_ports(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetSourcePortsscCs!tjd||||fdS(Ns*zone.SourcePortAdded('%s', '%s', '%s', %d)(RR/(R*R?RWRXRD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRus cCstjd|||fdS(Ns(zone.SourcePortRemoved('%s', '%s', '%s')(RR/(R*R?RWRX((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRrscCs2|j|d=|jjj||j|dS(Nt masquerade(R0R#R?tremove_masqueradetMasqueradeRemoved(R*R?((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableTimedMasqueradestsicCst|t}t|t}tjd||j||jjj|||}|dkrt j ||j |}|j |d|n|j |||S(Nszone.addMasquerade('%s')iR|(RRnRRR/R>R#R?tadd_masqueradeRRBRRBtMasqueradeAdded(R*R?RDR<R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt addMasquerades   cCsct|t}tjd||j||jjj|}|j|d|j ||S(Nszone.removeMasquerade('%s')R|( 
RRnRR/R>R#R?R}RDR~(R*R?R<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveMasquerades  cCs3t|t}tjd||jjj|S(Nszone.queryMasquerade('%s')(RRnRR/R#R?tquery_masquerade(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryMasqueradescCstjd||fdS(Nszone.MasqueradeAdded('%s', %d)(RR/(R*R?RD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|dS(Nszone.MasqueradeRemoved('%s')(RR/(R*R?((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR~scCsV|j|||||f=|jjj||||||j|||||dS(N(R0R#R?tremove_forward_porttForwardPortRemoved(R*R?RWRXttoportttoaddr((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisable_forward_port(stsssssic Cs t|t}t|t}t|t}t|t}t|t}t|t}tjd|||||f|j||jjj|||||||}|dkrt j ||j |||||} |j |||||f| n|j |||||||S(Ns1zone.addForwardPort('%s', '%s', '%s', '%s', '%s')i(RRnRRR/R>R#R?tadd_forward_portRRBRRBtForwardPortAdded( R*R?RWRXRRRDR<R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddForwardPort.s&      "tssssscCst|t}t|t}t|t}t|t}t|t}tjd|||||f|j||jjj|||||}|j|||||f|j ||||||S(Ns4zone.removeForwardPort('%s', '%s', '%s', '%s', '%s')( RRnRR/R>R#R?RRDR(R*R?RWRXRRR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveForwardPortKs   cCst|t}t|t}t|t}t|t}t|t}tjd|||||f|jjj|||||S(Ns3zone.queryForwardPort('%s', '%s', '%s', '%s', '%s')(RRnRR/R#R?tquery_forward_port(R*R?RWRXRRR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryForwardPortas cCs3t|t}tjd||jjj|S(Nszone.getForwardPorts('%s')(RRnRR/R#R?tlist_forward_ports(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetForwardPortsrscCs'tjd||||||fdS(Ns7zone.ForwardPortAdded('%s', '%s', '%s', '%s', '%s', %d)(RR/(R*R?RWRXRRRD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR~s cCs$tjd|||||fdS(Ns5zone.ForwardPortRemoved('%s', '%s', '%s', '%s', '%s')(RR/(R*R?RWRXRR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs 
cCsOtjd||f|j||=|jjj|||j||dS(Ns&zone.disableTimedIcmpBlock('%s', '%s')(RR/R0R#R?tremove_icmp_blocktIcmpBlockRemoved(R*R?ticmpR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytdisableTimedIcmpBlockscCst|t}t|t}t|t}tjd||f|j||jjj||||}|dkrt j ||j |||}|j |||n|j ||||S(Ns zone.enableIcmpBlock('%s', '%s')i(RRnRRR/R>R#R?tadd_icmp_blockRRBRRBtIcmpBlockAdded(R*R?RRDR<R#RA((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt addIcmpBlocks  cCs~t|t}t|t}tjd||f|j||jjj||}|j|||j |||S(Ns zone.removeIcmpBlock('%s', '%s')( RRnRR/R>R#R?RRDR(R*R?RR<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveIcmpBlocks cCsKt|t}t|t}tjd||f|jjj||S(Nszone.queryIcmpBlock('%s', '%s')(RRnRR/R#R?tquery_icmp_block(R*R?RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryIcmpBlockscCs3t|t}tjd||jjj|S(Nszone.getIcmpBlocks('%s')(RRnRR/R#R?tlist_icmp_blocks(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getIcmpBlocksscCstjd|||fdS(Ns#zone.IcmpBlockAdded('%s', '%s', %d)(RR/(R*R?RRD((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs cCstjd||fdS(Ns!zone.IcmpBlockRemoved('%s', '%s')(RR/(R*R?R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCsVt|t}tjd||j||jjj||}|j||S(Ns zone.addIcmpBlockInversion('%s')( RRnRR/R>R#R?tadd_icmp_block_inversiontIcmpBlockInversionAdded(R*R?R<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddIcmpBlockInversions   cCsSt|t}tjd||j||jjj|}|j||S(Ns#zone.removeIcmpBlockInversion('%s')( RRnRR/R>R#R?tremove_icmp_block_inversiontIcmpBlockInversionRemoved(R*R?R<R#((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveIcmpBlockInversions   
cCs3t|t}tjd||jjj|S(Ns"zone.queryIcmpBlockInversion('%s')(RRnRR/R#R?tquery_icmp_block_inversion(R*R?R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryIcmpBlockInversionscCstjd|dS(Ns"zone.IcmpBlockInversionAdded('%s')(RR/(R*R?((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRscCstjd|dS(Ns$zone.IcmpBlockInversionRemoved('%s')(RR/(R*R?((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR scCst|t}t|t}t|t}tjd|||f|j||jjj||||j|||dS(Ns!direct.addChain('%s', '%s', '%s')( RRnRR/R>R#Rt add_chaint ChainAdded(R*tipvttabletchainR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddChains cCst|t}t|t}t|t}tjd|||f|j||jjj||||j|||dS(Ns$direct.removeChain('%s', '%s', '%s')( RRnRR/R>R#Rt remove_chaint ChainRemoved(R*RRRR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt removeChain%s cCs`t|t}t|t}t|t}tjd|||f|jjj|||S(Ns#direct.queryChain('%s', '%s', '%s')(RRnRR/R#Rt query_chain(R*RRRR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryChain3s cCsKt|t}t|t}tjd||f|jjj||S(Nsdirect.getChains('%s', '%s')(RRnRR/R#Rt get_chains(R*RRR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getChains?ssa(sss)cCstjd|jjjS(Nsdirect.getAllChains()(RR/R#RR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getAllChainsJs cCstjd|||fdS(Ns#direct.ChainAdded('%s', '%s', '%s')(RR/(R*RRR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRSscCstjd|||fdS(Ns%direct.ChainRemoved('%s', '%s', '%s')(RR/(R*RRR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRXstsssiascCst|t}t|t}t|t}t|t}td|D}tjd||||dj|f|j||jj j ||||||j |||||dS(Ncss|]}t|tVqdS(N(RRn(t.0R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pys lss*direct.addRule('%s', '%s', '%s', %d, '%s')s','( RRnRttupleRR/tjoinR>R#RRAt RuleAdded(R*RRRtpriorityR+R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddRulebs   cCst|t}t|t}t|t}t|t}td|D}tjd||||dj|f|j||jj j ||||||j 
|||||dS(Ncss|]}t|tVqdS(N(RRn(RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pys }ss-direct.removeRule('%s', '%s', '%s', %d, '%s')s','( RRnRRRR/RR>R#RR;t RuleRemoved(R*RRRRR+R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt removeRuless   cCst|t}t|t}t|t}tjd|||f|j|xa|jjj|||D]D\}}|jjj||||||j |||||qpWdS(Ns$direct.removeRules('%s', '%s', '%s')( RRnRR/R>R#Rt get_rulesR;R(R*RRRR<RR+((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt removeRuless (cCst|t}t|t}t|t}t|t}td|D}tjd||||dj|f|jjj |||||S(Ncss|]}t|tVqdS(N(RRn(RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pys ss,direct.queryRule('%s', '%s', '%s', %d, '%s')s','( RRnRRRR/RR#RRG(R*RRRRR+R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryRules  sa(ias)cCs`t|t}t|t}t|t}tjd|||f|jjj|||S(Ns!direct.getRules('%s', '%s', '%s')(RRnRR/R#RR(R*RRRR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetRuless s a(sssias)cCstjd|jjjS(Nsdirect.getAllRules()(RR/R#RR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getAllRuless cCs-tjd||||dj|fdS(Ns,direct.RuleAdded('%s', '%s', '%s', %d, '%s')s','(RR/R(R*RRRRR+((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs cCs-tjd||||dj|fdS(Ns.direct.RuleRemoved('%s', '%s', '%s', %d, '%s')s','(RR/R(R*RRRRR+((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs RTcCst|t}td|D}tjd|dj|f|j|y|jjj ||SWnt k r}|d krt dddd g}nt dd g}t|}|j t jkrtt ||@d krtj|nt|nnXdS( Ncss|]}t|tVqdS(N(RRn(RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pys ssdirect.passthrough('%s', '%s')s','tipv4tipv6s-Cs--checks-Ls--listi(RR(RRnRRR/RR>R#Rt passthroughR tsettcodeRtCOMMAND_FAILEDRRR (R*RR+R<R8t query_argstmsg((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRs"     cCsyt|}td|D}tjd|dj|f|j||jjj|||j ||dS(Ncss|]}t|VqdS(N(R(RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pys ss!direct.addPassthrough('%s', '%s')s','( 
RRRR/RR>R#Rtadd_passthroughtPassthroughAdded(R*RR+R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddPassthroughs   cCsyt|}td|D}tjd|dj|f|j||jjj|||j ||dS(Ncss|]}t|VqdS(N(R(RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pys ss$direct.removePassthrough('%s', '%s')s','( RRRR/RR>R#Rtremove_passthroughtPassthroughRemoved(R*RR+R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremovePassthroughs   cCsXt|}td|D}tjd|dj|f|jjj||S(Ncss|]}t|VqdS(N(R(RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pys  ss#direct.queryPassthrough('%s', '%s')s','(RRRR/RR#Rtquery_passthrough(R*RR+R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytqueryPassthroughs   sa(sas)cCstjd|jjjS(Nsdirect.getAllPassthroughs()(RR/R#RR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetAllPassthroughs s cCs;tjdx't|jD]}|j|q WdS(Nsdirect.removeAllPassthroughs()(RR/treversedRR(R*R<R((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytremoveAllPassthroughs s cCs/t|}tjd||jjj|S(Nsdirect.getPassthroughs('%s')(RRR/R#Rtget_passthroughs(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytgetPassthroughs s cCs$tjd|dj|fdS(Ns#direct.PassthroughAdded('%s', '%s')s','(RR/R(R*RR+((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR( s cCs$tjd|dj|fdS(Ns%direct.PassthroughRemoved('%s', '%s')s','(RR/R(R*RR+((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR. s cCsdS(s PK_ACTION_ALL implies all other actions, i.e. once a subject is authorized for PK_ACTION_ALL it's also authorized for any other action. Use-case is GUI (RHBZ#994729). 
N((R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt authorizeAll6 s cCs0t|}tjd||jjj|S(Nsipset.queryIPSet('%s')(RRR/R#Rt query_ipset(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryIPSetE s cCstjd|jjjS(Nsipsets.getIPSets()(RR/R#RR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getIPSetsO s cCs8t|t}tjd||jjj|jS(NsgetIPSetSettings(%s)(RRnRR/R#Rt get_ipsetR(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRX scCsft|}t|}tjd||f|j||jjj|||j||dS(Nsipset.addEntry('%s', '%s')(RRR/R>R#Rt add_entryt EntryAdded(R*RtentryR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pytaddEntryd s    cCsft|}t|}tjd||f|j||jjj|||j||dS(Nsipset.removeEntry('%s', '%s')(RRR/R>R#Rt remove_entryt EntryRemoved(R*RRR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt removeEntryq s    cCsEt|}t|}tjd||f|jjj||S(Nsipset.queryEntry('%s', '%s')(RRR/R#Rt query_entry(R*RRR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt queryEntry~ s  cCs0t|}tjd||jjj|S(Nsipset.getEntries('%s')(RRR/R#Rt get_entries(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getEntries s cCst|}t|t}tjd|dj||jjj|}|jjj||t |}t |}x"||D]}|j ||qWx"||D]}|j ||qWdS(Nsipset.setEntries('%s', '[%s]')t,( RtlistRR/RR#RRt set_entriesRRR(R*RtentriesR<t old_entriestold_entries_sett entries_setR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt setEntries s   cCs3t|}t|}tjd||fdS(Nsipset.EntryAdded('%s', '%s')(RRR/(R*RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR s  cCs3t|}t|}tjd||fdS(Nsipset.EntryRemoved('%s', '%s')(RRR/(R*RR((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR s  cCstjd|jjjS(Nshelpers.getHelpers()(RR/R#RR(R*R<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyt getHelpers s cCs8t|t}tjd||jjj|jS(NsgetHelperSettings(%s)(RRnRR/R#Rt get_helperR(R*RR<((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyR 
sN(t__name__t __module__t__doc__Rt persistentRR'tPK_ACTION_CONFIGtdefault_polkit_auth_requiredR R"R.R&R-R R>RBRDRFRiR tPROPERTIES_IFACER7RuRytsliptpolkitt require_authR|RtsignalRtPK_ACTION_INFOtINTROSPECTABLE_IFACERR(RRRRRtPK_ACTION_POLICIESRqRRtPK_ACTION_POLICIES_INFORRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRtPK_ACTION_CONFIG_INFORtDBUS_SIGNATURERRRRRRRRRRR R R RRRRoRRRRR R$R&R%RR,RR"R-R(R*R0R3R6R8R9R/R2R5R?RERFRHRJRCR<RMRRPRRRTRORLRYR]R_RaRdR\RVRgRjRkRmRoRiRfRsRvRwRyR{RuRrRRRRRR~RRRRRRRRRRRRRRRRRRRtPK_ACTION_DIRECTRpRRtPK_ACTION_DIRECT_INFORRRRRRRRRRRRRRRRRRRRRRt PK_ACTION_ALLRRrRRRRRRRRRRRRRR(((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyRBs    0"$                                                                 (<t__all__t gi.repositoryRRtsystmodulesR't dbus.servicet slip.dbusRtslip.dbus.servicetfirewallRtfirewall.core.fwRtfirewall.core.richRtfirewall.core.loggerRtfirewall.clientRtfirewall.server.decoratorsR R R R tfirewall.server.configR tfirewall.dbus_utilsRRRRRRRtfirewall.core.io.functionsRtfirewall.core.io.zoneRtfirewall.core.io.ipsetRtfirewall.core.io.serviceRtfirewall.core.io.icmptypeRtfirewall.core.io.helperRtfirewall.core.fw_nmRRRtfirewall.core.fw_ifcfgRRtfirewall.errorsR RtObjectR(((s=/usr/lib/python2.7/site-packages/firewall/server/firewalld.pyts4       "4server/config_ipset.py000064400000043761147576556050011134 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2015-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. 
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see .

# force use of pygobject3 in python-slip
from gi.repository import GObject
import sys
sys.modules['gobject'] = GObject

import dbus
import dbus.service
import slip.dbus
import slip.dbus.service

from firewall import config
from firewall.dbus_utils import dbus_to_python, \
    dbus_introspection_prepare_properties, \
    dbus_introspection_add_properties
from firewall.core.io.ipset import IPSet
from firewall.core.ipset import IPSET_TYPES
from firewall.core.logger import log
from firewall.server.decorators import handle_exceptions, \
    dbus_handle_exceptions, dbus_service_method
from firewall import errors
from firewall.errors import FirewallError

############################################################################
#
# class FirewallDConfigIPSet
#
############################################################################

class FirewallDConfigIPSet(slip.dbus.service.Object):
    """D-Bus object for one permanent (configuration) ipset.

    Exposes the ipset held in ``self.obj`` on the
    ``config.dbus.DBUS_INTERFACE_CONFIG_IPSET`` interface.  All reads go
    through ``getSettings()``; every mutator rebuilds the settings tuple,
    hands it to ``update()`` and thereby to ``self.config``, which owns the
    on-disk representation.

    Authorization layout visible in this class: mutating methods call
    ``self.parent.accessCheck(sender)`` before touching anything, the
    read-only getters and ``query*`` methods do not.  What ``accessCheck``
    enforces is defined by the parent object, not here.

    Settings tuple layout (as used by the accessors below):
    ``[0]`` version, ``[1]`` short, ``[2]`` description, ``[3]`` type,
    ``[4]`` options (dict of str -> str), ``[5]`` entries (list of str).
    """
    persistent = True
    """ Make FirewallD persistent. """
    # NOTE(review): the attribute docstring below says PK_ACTION_INFO but the
    # value assigned is PK_ACTION_CONFIG; the code is what is enforced.
    default_polkit_auth_required = config.dbus.PK_ACTION_CONFIG
    """ Use PK_ACTION_INFO as a default """

    @handle_exceptions
    def __init__(self, parent, conf, ipset, item_id, *args, **kwargs):
        """Register this ipset object on the bus.

        parent  -- owning config object; provides accessCheck() and
                   removeIPSet()
        conf    -- configuration backend (get_ipset_config, set_ipset_config,
                   load_ipset_defaults, rename_ipset, remove_ipset)
        ipset   -- the ipset I/O object being exposed
        item_id -- numeric id used only in the log prefix
        args    -- args[0] must be the bus name object, args[1] the object
                   path; both are also passed on to slip.dbus.service.Object
        """
        super(FirewallDConfigIPSet, self).__init__(*args, **kwargs)
        self.parent = parent
        self.config = conf
        self.obj = ipset
        self.item_id = item_id
        self.busname = args[0]
        self.path = args[1]
        self._log_prefix = "config.ipset.%d" % self.item_id
        dbus_introspection_prepare_properties(
            self, config.dbus.DBUS_INTERFACE_CONFIG_IPSET)

    @dbus_handle_exceptions
    def __del__(self):
        pass

    @dbus_handle_exceptions
    def unregister(self):
        """Remove this object from the D-Bus connection."""
        self.remove_from_connection()

    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    # P R O P E R T I E S

    @dbus_handle_exceptions
    def _get_property(self, property_name):
        """Return one of the read-only object properties as a dbus type.

        Known properties: name, filename, path, default, builtin.  Anything
        else is reported to the caller as
        org.freedesktop.DBus.Error.InvalidArgs.
        """
        if property_name == "name":
            return dbus.String(self.obj.name)
        elif property_name == "filename":
            return dbus.String(self.obj.filename)
        elif property_name == "path":
            return dbus.String(self.obj.path)
        elif property_name == "default":
            return dbus.Boolean(self.obj.default)
        elif property_name == "builtin":
            return dbus.Boolean(self.obj.builtin)
        else:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.InvalidArgs: "
                "Property '%s' does not exist" % property_name)

    @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss',
                         out_signature='v')
    @dbus_handle_exceptions
    def Get(self, interface_name, property_name, sender=None): # pylint: disable=W0613
        """org.freedesktop.DBus.Properties.Get for this object.

        Only the config-ipset interface is served; any other interface name
        raises org.freedesktop.DBus.Error.UnknownInterface.
        """
        # get a property
        interface_name = dbus_to_python(interface_name, str)
        property_name = dbus_to_python(property_name, str)
        log.debug1("%s.Get('%s', '%s')", self._log_prefix, interface_name,
                   property_name)

        if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_IPSET:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.UnknownInterface: "
                "Interface '%s' does not exist" % interface_name)

        return self._get_property(property_name)

    @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='s',
                         out_signature='a{sv}')
    @dbus_handle_exceptions
    def GetAll(self, interface_name, sender=None): # pylint: disable=W0613
        """org.freedesktop.DBus.Properties.GetAll: all five properties."""
        interface_name = dbus_to_python(interface_name, str)
        log.debug1("%s.GetAll('%s')", self._log_prefix, interface_name)

        if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_IPSET:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.UnknownInterface: "
                "Interface '%s' does not exist" % interface_name)

        ret = { }
        for x in [ "name", "filename", "path", "default", "builtin" ]:
            ret[x] = self._get_property(x)
        return dbus.Dictionary(ret, signature="sv")

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
    @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ssv')
    @dbus_handle_exceptions
    def Set(self, interface_name, property_name, new_value, sender=None):
        """org.freedesktop.DBus.Properties.Set: always refused.

        Every property on this object is read-only, so after the access
        check and the interface check the method unconditionally raises
        org.freedesktop.DBus.Error.PropertyReadOnly.
        """
        interface_name = dbus_to_python(interface_name, str)
        property_name = dbus_to_python(property_name, str)
        new_value = dbus_to_python(new_value)
        log.debug1("%s.Set('%s', '%s', '%s')", self._log_prefix,
                   interface_name, property_name, new_value)
        self.parent.accessCheck(sender)

        if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_IPSET:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.UnknownInterface: "
                "Interface '%s' does not exist" % interface_name)

        raise dbus.exceptions.DBusException(
            "org.freedesktop.DBus.Error.PropertyReadOnly: "
            "Property '%s' is read-only" % property_name)

    @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as')
    def PropertiesChanged(self, interface_name, changed_properties,
                          invalidated_properties):
        """Standard PropertiesChanged signal; the body only logs."""
        interface_name = dbus_to_python(interface_name, str)
        changed_properties = dbus_to_python(changed_properties)
        invalidated_properties = dbus_to_python(invalidated_properties)
        log.debug1("%s.PropertiesChanged('%s', '%s', '%s')",
                   self._log_prefix, interface_name, changed_properties,
                   invalidated_properties)

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
    @dbus_service_method(dbus.INTROSPECTABLE_IFACE, out_signature='s')
    @dbus_handle_exceptions
    def Introspect(self, sender=None): # pylint: disable=W0613
        """Return the introspection XML, extended with the property data."""
        log.debug2("%s.Introspect()", self._log_prefix)

        data = super(FirewallDConfigIPSet, self).Introspect(
            self.path, self.busname.get_bus())

        return dbus_introspection_add_properties(
            self, data, config.dbus.DBUS_INTERFACE_CONFIG_IPSET)

    # S E T T I N G S

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         out_signature=IPSet.DBUS_SIGNATURE)
    @dbus_handle_exceptions
    def getSettings(self, sender=None): # pylint: disable=W0613
        """get settings for ipset

        Returns the full settings tuple for self.obj as produced by
        self.config.get_ipset_config().  No access check: read-only.
        """
        log.debug1("%s.getSettings()", self._log_prefix)
        return self.config.get_ipset_config(self.obj)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         in_signature=IPSet.DBUS_SIGNATURE)
    @dbus_handle_exceptions
    def update(self, settings, sender=None):
        """update settings for ipset

        Replaces the whole settings tuple.  self.obj is rebound to whatever
        self.config.set_ipset_config() returns, then Updated is emitted.
        Validation of the new settings, if any, happens inside
        set_ipset_config — nothing is checked here.
        """
        settings = dbus_to_python(settings)
        log.debug1("%s.update('...')", self._log_prefix)
        self.parent.accessCheck(sender)
        self.obj = self.config.set_ipset_config(self.obj, settings)
        self.Updated(self.obj.name)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET)
    @dbus_handle_exceptions
    def loadDefaults(self, sender=None):
        """load default settings for builtin ipset
        """
        log.debug1("%s.loadDefaults()", self._log_prefix)
        self.parent.accessCheck(sender)
        self.obj = self.config.load_ipset_defaults(self.obj)
        self.Updated(self.obj.name)
        #self.PropertiesChanged(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
        #                       { "default": True }, [ ])

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_IPSET, signature='s')
    @dbus_handle_exceptions
    def Updated(self, name):
        """Signal: the ipset called `name` was changed."""
        log.debug1("%s.Updated('%s')" % (self._log_prefix, name))

    # R E M O V E

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET)
    @dbus_handle_exceptions
    def remove(self, sender=None):
        """remove ipset

        Deletes the ipset from the configuration backend and then asks the
        parent to drop this object.  The Removed signal is not emitted here;
        presumably parent.removeIPSet() does that — confirm in the parent.
        """
        log.debug1("%s.remove()", self._log_prefix)
        self.parent.accessCheck(sender)
        self.config.remove_ipset(self.obj)
        self.parent.removeIPSet(self.obj)

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_IPSET, signature='s')
    @dbus_handle_exceptions
    def Removed(self, name):
        """Signal: the ipset called `name` was removed."""
        log.debug1("%s.Removed('%s')" % (self._log_prefix, name))

    # R E N A M E

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET, in_signature='s')
    @dbus_handle_exceptions
    def rename(self, name, sender=None):
        """rename ipset

        The new name is passed to self.config.rename_ipset() unchecked;
        self.obj is rebound to its result and Renamed is emitted.
        """
        name = dbus_to_python(name, str)
        log.debug1("%s.rename('%s')", self._log_prefix, name)
        self.parent.accessCheck(sender)
        self.obj = self.config.rename_ipset(self.obj, name)
        self.Renamed(name)
        #self.PropertiesChanged(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
        #                       { "name": name }, [ ])

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_IPSET, signature='s')
    @dbus_handle_exceptions
    def Renamed(self, name):
        """Signal: this ipset is now called `name`."""
        log.debug1("%s.Renamed('%s')" % (self._log_prefix, name))

    # version

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         out_signature='s')
    @dbus_handle_exceptions
    def getVersion(self, sender=None): # pylint: disable=W0613
        """Return settings[0], the version string."""
        log.debug1("%s.getVersion()", self._log_prefix)
        return self.getSettings()[0]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         in_signature='s')
    @dbus_handle_exceptions
    def setVersion(self, version, sender=None):
        """Set settings[0] and write back through update()."""
        version = dbus_to_python(version, str)
        log.debug1("%s.setVersion('%s')", self._log_prefix, version)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[0] = version
        self.update(settings)

    # short

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         out_signature='s')
    @dbus_handle_exceptions
    def getShort(self, sender=None): # pylint: disable=W0613
        """Return settings[1], the short description."""
        log.debug1("%s.getShort()", self._log_prefix)
        return self.getSettings()[1]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         in_signature='s')
    @dbus_handle_exceptions
    def setShort(self, short, sender=None):
        """Set settings[1] and write back through update()."""
        short = dbus_to_python(short, str)
        log.debug1("%s.setShort('%s')", self._log_prefix, short)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[1] = short
        self.update(settings)

    # description

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         out_signature='s')
    @dbus_handle_exceptions
    def getDescription(self, sender=None): # pylint: disable=W0613
        """Return settings[2], the long description."""
        log.debug1("%s.getDescription()", self._log_prefix)
        return self.getSettings()[2]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         in_signature='s')
    @dbus_handle_exceptions
    def setDescription(self, description, sender=None):
        """Set settings[2] and write back through update()."""
        description = dbus_to_python(description, str)
        log.debug1("%s.setDescription('%s')", self._log_prefix,
                   description)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[2] = description
        self.update(settings)

    # type

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         out_signature='s')
    @dbus_handle_exceptions
    def getType(self, sender=None): # pylint: disable=W0613
        """Return settings[3], the ipset type (e.g. one of IPSET_TYPES)."""
        log.debug1("%s.getType()", self._log_prefix)
        return self.getSettings()[3]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         in_signature='s')
    @dbus_handle_exceptions
    def setType(self, ipset_type, sender=None):
        """Set settings[3].

        This is the only per-field setter that validates its input here:
        a type not listed in IPSET_TYPES is rejected with INVALID_TYPE
        before anything is written.
        """
        ipset_type = dbus_to_python(ipset_type, str)
        log.debug1("%s.setType('%s')", self._log_prefix, ipset_type)
        self.parent.accessCheck(sender)
        if ipset_type not in IPSET_TYPES:
            raise FirewallError(errors.INVALID_TYPE, ipset_type)
        settings = list(self.getSettings())
        settings[3] = ipset_type
        self.update(settings)

    # options

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         out_signature='a{ss}')
    @dbus_handle_exceptions
    def getOptions(self, sender=None): # pylint: disable=W0613
        """Return settings[4], the option dict."""
        log.debug1("%s.getOptions()", self._log_prefix)
        return self.getSettings()[4]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         in_signature='a{ss}')
    @dbus_handle_exceptions
    def setOptions(self, options, sender=None):
        """Replace settings[4] wholesale; keys are not validated here."""
        options = dbus_to_python(options, dict)
        log.debug1("%s.setOptions('[%s]')", self._log_prefix,
                   repr(options))
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[4] = options
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         in_signature='ss')
    @dbus_handle_exceptions
    def addOption(self, key, value, sender=None):
        """Set one option.

        Raises ALREADY_ENABLED only when the key is already present with the
        same value; a different value for an existing key overwrites it.
        """
        key = dbus_to_python(key, str)
        value = dbus_to_python(value, str)
        log.debug1("%s.addOption('%s', '%s')", self._log_prefix, key, value)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if key in settings[4] and settings[4][key] == value:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "'%s': '%s'" % (key, value))
        settings[4][key] = value
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         in_signature='s')
    @dbus_handle_exceptions
    def removeOption(self, key, sender=None):
        """Delete one option; NOT_ENABLED if the key is absent."""
        key = dbus_to_python(key, str)
        log.debug1("%s.removeOption('%s')", self._log_prefix, key)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if key not in settings[4]:
            raise FirewallError(errors.NOT_ENABLED, key)
        del settings[4][key]
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         in_signature='ss', out_signature='b')
    @dbus_handle_exceptions
    def queryOption(self, key, value, sender=None): # pylint: disable=W0613
        """True iff the option `key` is set to exactly `value`.

        Read-only: no accessCheck, like the getters.
        """
        key = dbus_to_python(key, str)
        value = dbus_to_python(value, str)
        log.debug1("%s.queryOption('%s', '%s')", self._log_prefix, key,
                   value)
        settings = list(self.getSettings())
        return (key in settings[4] and settings[4][key] == value)

    # entries

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         out_signature='as')
    @dbus_handle_exceptions
    def getEntries(self, sender=None): # pylint: disable=W0613
        """Return settings[5], the entry list."""
        log.debug1("%s.getEntries()", self._log_prefix)
        return self.getSettings()[5]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         in_signature='as')
    @dbus_handle_exceptions
    def setEntries(self, entries, sender=None):
        """Replace settings[5] wholesale.

        Refused with IPSET_WITH_TIMEOUT when the "timeout" option is set
        to anything other than "0": entries are not managed on timed sets
        (same rule in addEntry/removeEntry/queryEntry).
        """
        entries = dbus_to_python(entries, list)
        log.debug1("%s.setEntries('[%s]')", self._log_prefix,
                   ",".join(entries))
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if "timeout" in settings[4] and settings[4]["timeout"] != "0":
            raise FirewallError(errors.IPSET_WITH_TIMEOUT)
        settings[5] = entries
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         in_signature='s')
    @dbus_handle_exceptions
    def addEntry(self, entry, sender=None):
        """Append one entry; ALREADY_ENABLED if it is already listed."""
        entry = dbus_to_python(entry, str)
        log.debug1("%s.addEntry('%s')", self._log_prefix, entry)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if "timeout" in settings[4] and settings[4]["timeout"] != "0":
            raise FirewallError(errors.IPSET_WITH_TIMEOUT)
        if entry in settings[5]:
            raise FirewallError(errors.ALREADY_ENABLED, entry)
        settings[5].append(entry)
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         in_signature='s')
    @dbus_handle_exceptions
    def removeEntry(self, entry, sender=None):
        """Remove one entry; NOT_ENABLED if it is not listed."""
        entry = dbus_to_python(entry, str)
        log.debug1("%s.removeEntry('%s')", self._log_prefix, entry)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if "timeout" in settings[4] and settings[4]["timeout"] != "0":
            raise FirewallError(errors.IPSET_WITH_TIMEOUT)
        if entry not in settings[5]:
            raise FirewallError(errors.NOT_ENABLED, entry)
        settings[5].remove(entry)
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                         in_signature='s', out_signature='b')
    @dbus_handle_exceptions
    def queryEntry(self, entry, sender=None): # pylint: disable=W0613
        """True iff `entry` is listed in settings[5].

        Read-only (no accessCheck) but still refused on timed sets with
        IPSET_WITH_TIMEOUT, matching the mutators.
        """
        entry = dbus_to_python(entry, str)
        log.debug1("%s.queryEntry('%s')", self._log_prefix, entry)
        settings = list(self.getSettings())
        if "timeout" in settings[4] and settings[4]["timeout"] != "0":
            raise FirewallError(errors.IPSET_WITH_TIMEOUT)
        return entry in settings[5]
dS(Niisconfig.service.%d( tsuperR t__init__tparentRtobjtitem_idtbusnametpatht _log_prefixRtdbustDBUS_INTERFACE_CONFIG_SERVICE(tselfRtconftserviceRtargstkwargs((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyR8s      cCsdS(N((R((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt__del__EscCs|jdS(N(tremove_from_connection(R((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt unregisterIscCs|dkrtj|jjS|dkr>tj|jjS|dkr]tj|jjS|dkr|tj|jjS|dkrtj|jjStj j d|dS(NtnametfilenameRtdefaulttbuiltinsDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not exist( RtStringRR R!RtBooleanR"R#t exceptionst DBusException(Rt property_name((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt _get_propertyQs      t in_signaturetsst out_signaturetvcCsot|t}t|t}tjd|j|||tjjkrbtjj d|n|j |S(Ns%s.Get('%s', '%s')sJorg.freedesktop.DBus.Error.UnknownInterface: Interface '%s' does not exist( RtstrRtdebug1RRRRR&R'R)(Rtinterface_nameR(tsender((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytGetbs   tssa{sv}cCst|t}tjd|j||tjjkrPtjj d|ni}x0dddddgD]}|j |||Msi( RRUt isinstancetappendttupleRR/RtjoinRR;RFRJ(RtportsR1t_portsRaRI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytsetPorts@s cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.addPort('%s', '%s')is%s:%s(RR.RR/RRR;RURFR R tALREADY_ENABLEDRcRJ(RRatprotocolR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytaddPortSs cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.removePort('%s', '%s')is%s:%s(RR.RR/RRR;RURFR R t NOT_ENABLEDRORJ(RRaRjR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt removePortcstbcCsQt|t}t|t}tjd|j||||f|jdkS(Ns%s.queryPort('%s', '%s')i(RR.RR/RRF(RRaRjR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt queryPortrs 
tascCs!tjd|j|jdS(Ns%s.getProtocols()i(RR/RRF(RR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt getProtocols~scCskt|t}tjd|jdj||jj|t|j}||d<|j |dS(Ns%s.setProtocols('[%s]')R_i( RRURR/RReRR;RFRJ(Rt protocolsR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt setProtocolss cCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |dS(Ns%s.addProtocol('%s')i(RR.RR/RRR;RURFR R RiRcRJ(RRjR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt addProtocolscCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |dS(Ns%s.removeProtocol('%s')i(RR.RR/RRR;RURFR R RlRORJ(RRjR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytremoveProtocolscCs9t|t}tjd|j|||jdkS(Ns%s.queryProtocol(%s')i(RR.RR/RRF(RRjR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt queryProtocolscCs!tjd|j|jdS(Ns%s.getSourcePorts()i(RR/RRF(RR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytgetSourcePortsscCsg}xIt|tD]8}t|trA|jt|q|j|qW|}tjd|jdjd|D|j j |t|j }||d<|j |dS(Ns%s.setSourcePorts('[%s]')R_css'|]}d|d|dfVqdS(s ('%s, '%s')iiN((R`Ra((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pys si( RRURbRcRdRR/RReRR;RFRJ(RRfR1RgRaRI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytsetSourcePortss cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.addSourcePort('%s', '%s')is%s:%s(RR.RR/RRR;RURFR R RiRcRJ(RRaRjR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt addSourcePorts cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.removeSourcePort('%s', '%s')is%s:%s(RR.RR/RRR;RURFR R RlRORJ(RRaRjR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytremoveSourcePortscCsQt|t}t|t}tjd|j||||f|jdkS(Ns%s.querySourcePort('%s', '%s')i(RR.RR/RRF(RRaRjR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytquerySourcePorts 
cCs!tjd|j|jdS(Ns%s.getModules()i(RR/RRF(RR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt getModulesscCst|t}g}x`|D]X}|jdrg|jdd}d|krg|jdd}qgn|j|qW|}tjd|jdj||j j |t|j }||d<|j |dS(Nt nf_conntrack_tt_t-s%s.setModules('[%s]')R_i( RRUt startswithtreplaceRcRR/RReRR;RFRJ(RtmodulesR1t_modulestmoduleRI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt setModuless   cCst|t}|jdrT|jdd}d|krT|jdd}qTntjd|j||jj|t |j }||dkrt t j |n|dj||j|dS(NR}R~RRs%s.addModule('%s')i(RR.RRRR/RRR;RURFR R RiRcRJ(RRR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt addModules cCst|t}|jdrT|jdd}d|krT|jdd}qTntjd|j||jj|t |j }||dkrt t j |n|dj||j|dS(NR}R~RRs%s.removeModule('%s')i(RR.RRRR/RRR;RURFR R RlRORJ(RRR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt removeModule&s cCs~t|t}|jdrT|jdd}d|krT|jdd}qTntjd|j|||jdkS(NR}R~RRs%s.queryModule('%s')i(RR.RRRR/RRF(RRR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt queryModule7s sa{ss}cCs!tjd|j|jdS(Ns%s.getDestinations()i(RR/RRF(RR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytgetDestinationsEscCswt|t}tjd|j|jd|jd|jj|t|j }||d<|j |dS(Ns*%s.setDestinations({ipv4:'%s', ipv6:'%s'})tipv4tipv6i( RtdictRR/RtgetRR;RURFRJ(Rt destinationsR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytsetDestinationsLs  cCsxt|t}tjd|j||jj|t|j}||dkrlt t j |n|d|S(Ns%s.getDestination('%s')i( RR.RR/RRR;RURFR R Rl(RtfamilyR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytgetDestinationYscCst|t}t|t}tjd|j|||jj|t|j}||dkr|d||krt t j d||fn||d|<|j |dS(Ns%s.setDestination('%s', '%s')is '%s': '%s'( RR.RR/RRR;RURFR R RiRJ(RRtaddressR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytsetDestinationfs $ cCst|t}tjd|j||jj|t|j}||dkrlt t j |n|d|=|j |dS(Ns%s.removeDestination('%s')i( RR.RR/RRR;RURFR R 
RlRJ(RRR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytremoveDestinationvs cCset|t}t|t}tjd|j|||j}||dkod||d|kS(Ns%s.queryDestination('%s', '%s')i(RR.RR/RRF(RRRR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytqueryDestinations  N(It__name__t __module__t__doc__tTruet persistentRRtPK_ACTION_CONFIGtdefault_polkit_auth_requiredRRR RRR)R tPROPERTIES_IFACEtNoneR2R9tsliptpolkitt require_authR=RtsignalR@tPK_ACTION_INFOtINTROSPECTABLE_IFACERBRRtDBUS_SIGNATURERFRJRLRHRORPRSRRRTRWRXRZR[R]R^RhRkRmRoRqRsRtRuRvRwRxRyRzR{R|RRRRRRRRRR(((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyR 0sf  $                             (t gi.repositoryRtsysRRt dbus.servicet slip.dbusRtslip.dbus.servicetfirewallRtfirewall.dbus_utilsRRRtfirewall.core.io.serviceRtfirewall.core.loggerRtfirewall.server.decoratorsRR R R tfirewall.errorsR RtObjectR (((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyts      server/config_icmptype.py000064400000035123147576556050011633 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2010-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
# force use of pygobject3 in python-slip
from gi.repository import GObject
import sys
sys.modules['gobject'] = GObject

import dbus
import dbus.service
import slip.dbus
import slip.dbus.service

from firewall import config
from firewall.dbus_utils import dbus_to_python, \
    dbus_introspection_prepare_properties, \
    dbus_introspection_add_properties
from firewall.core.io.icmptype import IcmpType
from firewall.core.logger import log
from firewall.server.decorators import handle_exceptions, \
    dbus_handle_exceptions, dbus_service_method
from firewall import errors
from firewall.errors import FirewallError

############################################################################
#
# class FirewallDConfigIcmpType
#
############################################################################

class FirewallDConfigIcmpType(slip.dbus.service.Object):
    """D-Bus object for one permanent (configuration) ICMP type.

    Exposes the icmptype held in ``self.obj`` on the
    ``config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE`` interface.  Reads go
    through ``getSettings()``; every mutator rebuilds the settings tuple and
    hands it to ``update()``, which writes via ``self.config``.

    Authorization layout visible in this class: mutating methods call
    ``self.parent.accessCheck(sender)`` first, the getters and
    ``queryDestination`` do not.  What ``accessCheck`` enforces is defined
    by the parent object, not here.

    Settings tuple layout (as used by the accessors below):
    ``[0]`` version, ``[1]`` short, ``[2]`` description,
    ``[3]`` destinations (list of str; an empty list means all families).
    """
    persistent = True
    """ Make FirewallD persistent. """
    # NOTE(review): the attribute docstring below says PK_ACTION_INFO but the
    # value assigned is PK_ACTION_CONFIG; the code is what is enforced.
    default_polkit_auth_required = config.dbus.PK_ACTION_CONFIG
    """ Use PK_ACTION_INFO as a default """

    @handle_exceptions
    def __init__(self, parent, conf, icmptype, item_id, *args, **kwargs):
        """Register this icmptype object on the bus.

        parent   -- owning config object; provides accessCheck() and
                    removeIcmpType()
        conf     -- configuration backend (get_icmptype_config,
                    set_icmptype_config, load_icmptype_defaults,
                    rename_icmptype, remove_icmptype)
        icmptype -- the icmptype I/O object being exposed
        item_id  -- numeric id used only in the log prefix
        args     -- args[0] must be the bus name object, args[1] the object
                    path; both are also passed on to slip.dbus.service.Object
        """
        super(FirewallDConfigIcmpType, self).__init__(*args, **kwargs)
        self.parent = parent
        self.config = conf
        self.obj = icmptype
        self.item_id = item_id
        self.busname = args[0]
        self.path = args[1]
        self._log_prefix = "config.icmptype.%d" % self.item_id
        dbus_introspection_prepare_properties(
            self, config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE)

    @dbus_handle_exceptions
    def __del__(self):
        pass

    @dbus_handle_exceptions
    def unregister(self):
        """Remove this object from the D-Bus connection."""
        self.remove_from_connection()

    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    # P R O P E R T I E S

    @dbus_handle_exceptions
    def _get_property(self, property_name):
        """Return one of the read-only object properties as a dbus type.

        Known properties: name, filename, path, default, builtin.  Anything
        else is reported as org.freedesktop.DBus.Error.InvalidArgs.
        """
        if property_name == "name":
            return dbus.String(self.obj.name)
        elif property_name == "filename":
            return dbus.String(self.obj.filename)
        elif property_name == "path":
            return dbus.String(self.obj.path)
        elif property_name == "default":
            return dbus.Boolean(self.obj.default)
        elif property_name == "builtin":
            return dbus.Boolean(self.obj.builtin)
        else:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.InvalidArgs: "
                "Property '%s' does not exist" % property_name)

    @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss',
                         out_signature='v')
    @dbus_handle_exceptions
    def Get(self, interface_name, property_name, sender=None): # pylint: disable=W0613
        """org.freedesktop.DBus.Properties.Get for this object.

        Only the config-icmptype interface is served; any other interface
        name raises org.freedesktop.DBus.Error.UnknownInterface.
        """
        # get a property
        interface_name = dbus_to_python(interface_name, str)
        property_name = dbus_to_python(property_name, str)
        log.debug1("%s.Get('%s', '%s')", self._log_prefix, interface_name,
                   property_name)

        if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.UnknownInterface: "
                "Interface '%s' does not exist" % interface_name)

        return self._get_property(property_name)

    @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='s',
                         out_signature='a{sv}')
    @dbus_handle_exceptions
    def GetAll(self, interface_name, sender=None): # pylint: disable=W0613
        """org.freedesktop.DBus.Properties.GetAll: all five properties."""
        interface_name = dbus_to_python(interface_name, str)
        log.debug1("%s.GetAll('%s')", self._log_prefix, interface_name)

        if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.UnknownInterface: "
                "Interface '%s' does not exist" % interface_name)

        ret = { }
        for x in [ "name", "filename", "path", "default", "builtin" ]:
            ret[x] = self._get_property(x)
        return dbus.Dictionary(ret, signature="sv")

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
    @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ssv')
    @dbus_handle_exceptions
    def Set(self, interface_name, property_name, new_value, sender=None):
        """org.freedesktop.DBus.Properties.Set: always refused.

        Every property on this object is read-only, so after the access
        check and the interface check the method unconditionally raises
        org.freedesktop.DBus.Error.PropertyReadOnly.
        """
        interface_name = dbus_to_python(interface_name, str)
        property_name = dbus_to_python(property_name, str)
        new_value = dbus_to_python(new_value)
        log.debug1("%s.Set('%s', '%s', '%s')", self._log_prefix,
                   interface_name, property_name, new_value)
        self.parent.accessCheck(sender)

        if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.UnknownInterface: "
                "Interface '%s' does not exist" % interface_name)

        raise dbus.exceptions.DBusException(
            "org.freedesktop.DBus.Error.PropertyReadOnly: "
            "Property '%s' is read-only" % property_name)

    @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as')
    def PropertiesChanged(self, interface_name, changed_properties,
                          invalidated_properties):
        """Standard PropertiesChanged signal; the body only logs."""
        interface_name = dbus_to_python(interface_name, str)
        changed_properties = dbus_to_python(changed_properties)
        invalidated_properties = dbus_to_python(invalidated_properties)
        log.debug1("%s.PropertiesChanged('%s', '%s', '%s')",
                   self._log_prefix, interface_name, changed_properties,
                   invalidated_properties)

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
    @dbus_service_method(dbus.INTROSPECTABLE_IFACE, out_signature='s')
    @dbus_handle_exceptions
    def Introspect(self, sender=None): # pylint: disable=W0613
        """Return the introspection XML, extended with the property data."""
        log.debug2("%s.Introspect()", self._log_prefix)

        data = super(FirewallDConfigIcmpType, self).Introspect(
            self.path, self.busname.get_bus())

        return dbus_introspection_add_properties(
            self, data, config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE)

    # S E T T I N G S

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         out_signature=IcmpType.DBUS_SIGNATURE)
    @dbus_handle_exceptions
    def getSettings(self, sender=None): # pylint: disable=W0613
        """get settings for icmptype

        Returns the full settings tuple for self.obj as produced by
        self.config.get_icmptype_config().  No access check: read-only.
        """
        log.debug1("%s.getSettings()", self._log_prefix)
        return self.config.get_icmptype_config(self.obj)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         in_signature=IcmpType.DBUS_SIGNATURE)
    @dbus_handle_exceptions
    def update(self, settings, sender=None):
        """update settings for icmptype

        Replaces the whole settings tuple.  self.obj is rebound to whatever
        self.config.set_icmptype_config() returns, then Updated is emitted.
        Validation of the new settings, if any, happens inside
        set_icmptype_config — nothing is checked here.
        """
        settings = dbus_to_python(settings)
        log.debug1("%s.update('...')", self._log_prefix)
        self.parent.accessCheck(sender)
        self.obj = self.config.set_icmptype_config(self.obj, settings)
        self.Updated(self.obj.name)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE)
    @dbus_handle_exceptions
    def loadDefaults(self, sender=None):
        """load default settings for builtin icmptype
        """
        log.debug1("%s.loadDefaults()", self._log_prefix)
        self.parent.accessCheck(sender)
        self.obj = self.config.load_icmptype_defaults(self.obj)
        self.Updated(self.obj.name)

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         signature='s')
    @dbus_handle_exceptions
    def Updated(self, name):
        """Signal: the icmptype called `name` was changed."""
        log.debug1("%s.Updated('%s')" % (self._log_prefix, name))

    # R E M O V E

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE)
    @dbus_handle_exceptions
    def remove(self, sender=None):
        """remove icmptype

        Deletes the icmptype from the configuration backend and then asks
        the parent to drop this object.  The Removed signal is not emitted
        here; presumably parent.removeIcmpType() does that — confirm.
        """
        # NOTE(review): the log line names the parent's method
        # (removeIcmpType) rather than this one (remove); harmless but
        # misleading when grepping logs.
        log.debug1("%s.removeIcmpType()", self._log_prefix)
        self.parent.accessCheck(sender)
        self.config.remove_icmptype(self.obj)
        self.parent.removeIcmpType(self.obj)

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         signature='s')
    @dbus_handle_exceptions
    def Removed(self, name):
        """Signal: the icmptype called `name` was removed."""
        log.debug1("%s.Removed('%s')" % (self._log_prefix, name))

    # R E N A M E

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         in_signature='s')
    @dbus_handle_exceptions
    def rename(self, name, sender=None):
        """rename icmptype

        The new name is passed to self.config.rename_icmptype() unchecked;
        self.obj is rebound to its result and Renamed is emitted.
        """
        name = dbus_to_python(name, str)
        log.debug1("%s.rename('%s')", self._log_prefix, name)
        self.parent.accessCheck(sender)
        self.obj = self.config.rename_icmptype(self.obj, name)
        self.Renamed(name)

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         signature='s')
    @dbus_handle_exceptions
    def Renamed(self, name):
        """Signal: this icmptype is now called `name`."""
        log.debug1("%s.Renamed('%s')" % (self._log_prefix, name))

    # version

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         out_signature='s')
    @dbus_handle_exceptions
    def getVersion(self, sender=None): # pylint: disable=W0613
        """Return settings[0], the version string."""
        log.debug1("%s.getVersion()", self._log_prefix)
        return self.getSettings()[0]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         in_signature='s')
    @dbus_handle_exceptions
    def setVersion(self, version, sender=None):
        """Set settings[0] and write back through update()."""
        version = dbus_to_python(version, str)
        log.debug1("%s.setVersion('%s')", self._log_prefix, version)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[0] = version
        self.update(settings)

    # short

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         out_signature='s')
    @dbus_handle_exceptions
    def getShort(self, sender=None): # pylint: disable=W0613
        """Return settings[1], the short description."""
        log.debug1("%s.getShort()", self._log_prefix)
        return self.getSettings()[1]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         in_signature='s')
    @dbus_handle_exceptions
    def setShort(self, short, sender=None):
        """Set settings[1] and write back through update()."""
        short = dbus_to_python(short, str)
        log.debug1("%s.setShort('%s')", self._log_prefix, short)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[1] = short
        self.update(settings)

    # description

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         out_signature='s')
    @dbus_handle_exceptions
    def getDescription(self, sender=None): # pylint: disable=W0613
        """Return settings[2], the long description."""
        log.debug1("%s.getDescription()", self._log_prefix)
        return self.getSettings()[2]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         in_signature='s')
    @dbus_handle_exceptions
    def setDescription(self, description, sender=None):
        """Set settings[2] and write back through update()."""
        description = dbus_to_python(description, str)
        log.debug1("%s.setDescription('%s')", self._log_prefix,
                   description)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[2] = description
        self.update(settings)

    # destination

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         out_signature='as')
    @dbus_handle_exceptions
    def getDestinations(self, sender=None): # pylint: disable=W0613
        """Return settings[3] sorted; an empty list means all families."""
        log.debug1("%s.getDestinations()", self._log_prefix)
        return sorted(self.getSettings()[3])

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         in_signature='as')
    @dbus_handle_exceptions
    def setDestinations(self, destinations, sender=None):
        """Replace settings[3] wholesale; values are not validated here."""
        destinations = dbus_to_python(destinations, list)
        log.debug1("%s.setDestinations('[%s]')", self._log_prefix,
                   ",".join(destinations))
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        settings[3] = destinations
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         in_signature='s')
    @dbus_handle_exceptions
    def addDestination(self, destination, sender=None):
        """Append one destination; ALREADY_ENABLED if already listed.

        Note the asymmetry with removeDestination: an empty list (meaning
        all families) is not special-cased here, so adding to an empty list
        narrows the type to that single family.
        """
        destination = dbus_to_python(destination, str)
        log.debug1("%s.addDestination('%s')", self._log_prefix,
                   destination)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if destination in settings[3]:
            raise FirewallError(errors.ALREADY_ENABLED, destination)
        settings[3].append(destination)
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         in_signature='s')
    @dbus_handle_exceptions
    def removeDestination(self, destination, sender=None):
        """Remove one destination.

        With an explicit list, a destination that is not listed raises
        NOT_ENABLED.  With an empty list ("all"), the list is expanded to
        {'ipv4', 'ipv6'} minus the destination.
        """
        destination = dbus_to_python(destination, str)
        log.debug1("%s.removeDestination('%s')", self._log_prefix,
                   destination)
        self.parent.accessCheck(sender)
        settings = list(self.getSettings())
        if settings[3]:
            if destination not in settings[3]:
                raise FirewallError(errors.NOT_ENABLED, destination)
            else:
                settings[3].remove(destination)
        else:
            # empty means all
            # NOTE(review): in this branch a destination that is neither
            # 'ipv4' nor 'ipv6' is not rejected — the result is simply both
            # families written out explicitly.  list(set(...)) also gives
            # no fixed order; getDestinations() sorts on read, so callers
            # of that accessor are unaffected.
            settings[3] = list(set(['ipv4', 'ipv6']) - set([destination]))
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                         in_signature='s', out_signature='b')
    @dbus_handle_exceptions
    def queryDestination(self, destination, sender=None): # pylint: disable=W0613
        """True iff `destination` is enabled.

        Read-only: no accessCheck.  An empty destination list means all
        families, so it answers True for any value in that case.
        """
        destination = dbus_to_python(destination, str)
        log.debug1("%s.queryDestination('%s')", self._log_prefix,
                   destination)
        settings = self.getSettings()
        # empty means all
        return (not settings[3] or destination in settings[3])
DBusException(Rt property_name((sA/usr/lib/python2.7/site-packages/firewall/server/config_helper.pyt _get_propertyQs      t in_signaturetsst out_signaturetvcCsot|t}t|t}tjd|j|||tjjkrbtjj d|n|j |S(Ns%s.Get('%s', '%s')sJorg.freedesktop.DBus.Error.UnknownInterface: Interface '%s' does not exist( RtstrRtdebug1RRRRR&R'R)(Rtinterface_nameR(tsender((sA/usr/lib/python2.7/site-packages/firewall/server/config_helper.pytGetbs   tssa{sv}cCst|t}tjd|j||tjjkrPtjj d|ni}x0dddddgD]}|j |||si( RRUt isinstancetappendttupleRR/RtjoinRR;RFRJ(RtportsR1t_portsRkRI((sA/usr/lib/python2.7/site-packages/firewall/server/config_helper.pytsetPortss cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.addPort('%s', '%s')is%s:%s(RR.RR/RRR;RURFR R R_RmRJ(RRktprotocolR1RI((sA/usr/lib/python2.7/site-packages/firewall/server/config_helper.pytaddPorts cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.removePort('%s', '%s')is%s:%s(RR.RR/RRR;RURFR R t NOT_ENABLEDRORJ(RRkRsR1RI((sA/usr/lib/python2.7/site-packages/firewall/server/config_helper.pyt removePortscCsQt|t}t|t}tjd|j||||f|jdkS(Ns%s.queryPort('%s', '%s')i(RR.RR/RRF(RRkRsR1((sA/usr/lib/python2.7/site-packages/firewall/server/config_helper.pyt queryPorts N(:t__name__t __module__t__doc__tTruet persistentRRtPK_ACTION_CONFIGtdefault_polkit_auth_requiredRRR RRR)R tPROPERTIES_IFACEtNoneR2R9tsliptpolkitt require_authR=tservicetsignalR@tPK_ACTION_INFOtINTROSPECTABLE_IFACERBRRtDBUS_SIGNATURERFRJRLRHRORPRSRRRTRWRXRZR[R]R^RaRcRdRfRgRhRrRtRvRw(((sA/usr/lib/python2.7/site-packages/firewall/server/config_helper.pyR 0s  $                (t gi.repositoryRtsystmodulesRt dbus.servicet slip.dbusRtslip.dbus.servicetfirewallRtfirewall.dbus_utilsRRRtfirewall.core.io.helperRtfirewall.core.loggerRtfirewall.server.decoratorsRR R R tfirewall.errorsR RtObjectR (((sA/usr/lib/python2.7/site-packages/firewall/server/config_helper.pyts      server/config_service.pyc000064400000055557147576556050011621 0ustar00 c`c@sddlmZddlZeejdeejjdd(e d?d4Z?eejjdd e 
d?d5Z@eejjdd e d?d6ZAeejjdd dd&e d?d7ZBeejjdd8e d?d9ZCeejjdd8e d?d:ZDeejjdd dd e d?d;ZEeejjdde d?d<ZFeejjdd e d?d=ZGeejjdddd&e d?d>ZHRS(@sFirewallD main classcOs~tt|j||||_||_||_||_|d|_|d|_d|j|_ t |tj j dS(Niisconfig.service.%d( tsuperR t__init__tparentRtobjtitem_idtbusnametpatht _log_prefixRtdbustDBUS_INTERFACE_CONFIG_SERVICE(tselfRtconftserviceRtargstkwargs((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyR8s      cCsdS(N((R((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt__del__EscCs|jdS(N(tremove_from_connection(R((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt unregisterIscCs|dkrtj|jjS|dkr>tj|jjS|dkr]tj|jjS|dkr|tj|jjS|dkrtj|jjStj j d|dS(NtnametfilenameRtdefaulttbuiltinsDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not exist( RtStringRR R!RtBooleanR"R#t exceptionst DBusException(Rt property_name((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt _get_propertyQs      t in_signaturetsst out_signaturetvcCsot|t}t|t}tjd|j|||tjjkrbtjj d|n|j |S(Ns%s.Get('%s', '%s')sJorg.freedesktop.DBus.Error.UnknownInterface: Interface '%s' does not exist( RtstrRtdebug1RRRRR&R'R)(Rtinterface_nameR(tsender((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytGetbs   tssa{sv}cCst|t}tjd|j||tjjkrPtjj d|ni}x0dddddgD]}|j |||Msi( RRUt isinstancetappendttupleRR/RtjoinRR;RFRJ(RtportsR1t_portsRaRI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytsetPorts@s cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.addPort('%s', '%s')is%s:%s(RR.RR/RRR;RURFR R tALREADY_ENABLEDRcRJ(RRatprotocolR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytaddPortSs cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.removePort('%s', '%s')is%s:%s(RR.RR/RRR;RURFR R t NOT_ENABLEDRORJ(RRaRjR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt removePortcstbcCsQt|t}t|t}tjd|j||||f|jdkS(Ns%s.queryPort('%s', 
'%s')i(RR.RR/RRF(RRaRjR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt queryPortrs tascCs!tjd|j|jdS(Ns%s.getProtocols()i(RR/RRF(RR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt getProtocols~scCskt|t}tjd|jdj||jj|t|j}||d<|j |dS(Ns%s.setProtocols('[%s]')R_i( RRURR/RReRR;RFRJ(Rt protocolsR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt setProtocolss cCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |dS(Ns%s.addProtocol('%s')i(RR.RR/RRR;RURFR R RiRcRJ(RRjR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt addProtocolscCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |dS(Ns%s.removeProtocol('%s')i(RR.RR/RRR;RURFR R RlRORJ(RRjR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytremoveProtocolscCs9t|t}tjd|j|||jdkS(Ns%s.queryProtocol(%s')i(RR.RR/RRF(RRjR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt queryProtocolscCs!tjd|j|jdS(Ns%s.getSourcePorts()i(RR/RRF(RR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytgetSourcePortsscCsg}xIt|tD]8}t|trA|jt|q|j|qW|}tjd|jdjd|D|j j |t|j }||d<|j |dS(Ns%s.setSourcePorts('[%s]')R_css'|]}d|d|dfVqdS(s ('%s, '%s')iiN((R`Ra((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pys si( RRURbRcRdRR/RReRR;RFRJ(RRfR1RgRaRI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytsetSourcePortss cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.addSourcePort('%s', '%s')is%s:%s(RR.RR/RRR;RURFR R RiRcRJ(RRaRjR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt addSourcePorts cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.removeSourcePort('%s', '%s')is%s:%s(RR.RR/RRR;RURFR R RlRORJ(RRaRjR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytremoveSourcePortscCsQt|t}t|t}tjd|j||||f|jdkS(Ns%s.querySourcePort('%s', 
'%s')i(RR.RR/RRF(RRaRjR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytquerySourcePorts cCs!tjd|j|jdS(Ns%s.getModules()i(RR/RRF(RR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt getModulesscCst|t}g}x`|D]X}|jdrg|jdd}d|krg|jdd}qgn|j|qW|}tjd|jdj||j j |t|j }||d<|j |dS(Nt nf_conntrack_tt_t-s%s.setModules('[%s]')R_i( RRUt startswithtreplaceRcRR/RReRR;RFRJ(RtmodulesR1t_modulestmoduleRI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt setModuless   cCst|t}|jdrT|jdd}d|krT|jdd}qTntjd|j||jj|t |j }||dkrt t j |n|dj||j|dS(NR}R~RRs%s.addModule('%s')i(RR.RRRR/RRR;RURFR R RiRcRJ(RRR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt addModules cCst|t}|jdrT|jdd}d|krT|jdd}qTntjd|j||jj|t |j }||dkrt t j |n|dj||j|dS(NR}R~RRs%s.removeModule('%s')i(RR.RRRR/RRR;RURFR R RlRORJ(RRR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt removeModule&s cCs~t|t}|jdrT|jdd}d|krT|jdd}qTntjd|j|||jdkS(NR}R~RRs%s.queryModule('%s')i(RR.RRRR/RRF(RRR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyt queryModule7s sa{ss}cCs!tjd|j|jdS(Ns%s.getDestinations()i(RR/RRF(RR1((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytgetDestinationsEscCswt|t}tjd|j|jd|jd|jj|t|j }||d<|j |dS(Ns*%s.setDestinations({ipv4:'%s', ipv6:'%s'})tipv4tipv6i( RtdictRR/RtgetRR;RURFRJ(Rt destinationsR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytsetDestinationsLs  cCsxt|t}tjd|j||jj|t|j}||dkrlt t j |n|d|S(Ns%s.getDestination('%s')i( RR.RR/RRR;RURFR R Rl(RtfamilyR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytgetDestinationYscCst|t}t|t}tjd|j|||jj|t|j}||dkr|d||krt t j d||fn||d|<|j |dS(Ns%s.setDestination('%s', '%s')is '%s': '%s'( RR.RR/RRR;RURFR R RiRJ(RRtaddressR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytsetDestinationfs $ cCst|t}tjd|j||jj|t|j}||dkrlt t j |n|d|=|j |dS(Ns%s.removeDestination('%s')i( 
RR.RR/RRR;RURFR R RlRJ(RRR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytremoveDestinationvs cCset|t}t|t}tjd|j|||j}||dkod||d|kS(Ns%s.queryDestination('%s', '%s')i(RR.RR/RRF(RRRR1RI((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pytqueryDestinations  N(It__name__t __module__t__doc__tTruet persistentRRtPK_ACTION_CONFIGtdefault_polkit_auth_requiredRRR RRR)R tPROPERTIES_IFACEtNoneR2R9tsliptpolkitt require_authR=RtsignalR@tPK_ACTION_INFOtINTROSPECTABLE_IFACERBRRtDBUS_SIGNATURERFRJRLRHRORPRSRRRTRWRXRZR[R]R^RhRkRmRoRqRsRtRuRvRwRxRyRzR{R|RRRRRRRRRR(((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyR 0sf  $                             (t gi.repositoryRtsysRRt dbus.servicet slip.dbusRtslip.dbus.servicetfirewallRtfirewall.dbus_utilsRRRtfirewall.core.io.serviceRtfirewall.core.loggerRtfirewall.server.decoratorsRR R R tfirewall.errorsR RtObjectR (((sB/usr/lib/python2.7/site-packages/firewall/server/config_service.pyts      server/config_icmptype.pyc000064400000031701147576556050011774 0ustar00 c`c@sddlmZddlZeejdtj|jjS|dkr]tj|jjS|dkr|tj|jjS|dkrtj|jjStj j d|dS(NtnametfilenameRtdefaulttbuiltinsDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not exist( RtStringRR R!RtBooleanR"R#t exceptionst DBusException(Rt property_name((sC/usr/lib/python2.7/site-packages/firewall/server/config_icmptype.pyt _get_propertyQs      t in_signaturetsst out_signaturetvcCsot|t}t|t}tjd|j|||tjjkrbtjj d|n|j |S(Ns%s.Get('%s', '%s')sJorg.freedesktop.DBus.Error.UnknownInterface: Interface '%s' does not exist( RtstrRtdebug1RRRRR&R'R)(Rtinterface_nameR(tsender((sC/usr/lib/python2.7/site-packages/firewall/server/config_icmptype.pytGetbs   tssa{sv}cCst|t}tjd|j||tjjkrPtjj d|ni}x0dddddgD]}|j |||s      server/server.pyc000064400000006024147576556050010123 0ustar00 c`c@sdgZddlZddlZddlmZmZeejd>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> sGARBAGE OBJECTS (%d): s sP 
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< (tcollecttlentgarbagettypeRttimeout_add_seconds(tx(tgct gc_collectt gc_timeoutR(s:/usr/lib/python2.7/site-packages/firewall/server/server.pyRLs tset_as_defaulttbustunix_signal_adds Stopping..s Raising SystemExit in run_serversException %s: %s(,tNonetpprintRRtenablet set_debugt DEBUG_LEAKtdbusR tglibt DBusGMainLoopRt SystemBusR tBusNameRtDBUS_INTERFACERt DBUS_PATHRtMainLooptslipt set_mainloopRthasattrRtunix_signal_add_fullt PRIORITY_HIGHtsignaltSIGHUPR tSIGTERMR truntKeyboardInterruptRtdebug1t SystemExitterrort Exceptiont __class__t__name__tstrtstop(tdebug_gcR RtnameR Rte((RRRRs:/usr/lib/python2.7/site-packages/firewall/server/server.pyRAsB           #(t__all__tsysR-t gi.repositoryRRtmodulesR t dbus.servicetdbus.mainloop.glibt slip.dbusR(tfirewallRtfirewall.core.loggerRtfirewall.server.firewalldRR R tFalseR(((s:/usr/lib/python2.7/site-packages/firewall/server/server.pyts          server/decorators.py000064400000005705147576556050010624 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2012-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
"""This module contains decorators for use with and without D-Bus""" __all__ = ["FirewallDBusException", "handle_exceptions", "dbus_handle_exceptions", "dbus_service_method"] import dbus import dbus.service import traceback from dbus.exceptions import DBusException from decorator import decorator from firewall import config from firewall.errors import FirewallError from firewall import errors from firewall.core.logger import log ############################################################################ # # Exception handler decorators # ############################################################################ class FirewallDBusException(dbus.DBusException): """FirewallDBusException""" _dbus_error_name = "%s.Exception" % config.dbus.DBUS_INTERFACE @decorator def handle_exceptions(func, *args, **kwargs): """Decorator to handle exceptions and log them. Used if not conneced to D-Bus. """ try: return func(*args, **kwargs) except FirewallError as error: log.debug1(traceback.format_exc()) log.error(error) except Exception: # pylint: disable=W0703 log.debug1(traceback.format_exc()) log.exception() @decorator def dbus_handle_exceptions(func, *args, **kwargs): """Decorator to handle exceptions, log and report them into D-Bus :Raises DBusException: on a firewall error code problems. 
""" try: return func(*args, **kwargs) except FirewallError as error: code = FirewallError.get_code(str(error)) if code in [ errors.ALREADY_ENABLED, errors.NOT_ENABLED, errors.ZONE_ALREADY_SET, errors.ALREADY_SET ]: log.warning(str(error)) else: log.debug1(traceback.format_exc()) log.error(str(error)) raise FirewallDBusException(str(error)) except DBusException as ex: # only log DBusExceptions once raise ex except Exception as ex: log.debug1(traceback.format_exc()) log.exception() raise FirewallDBusException(str(ex)) def dbus_service_method(*args, **kwargs): """Add sender argument for D-Bus""" kwargs.setdefault("sender_keyword", "sender") return dbus.service.method(*args, **kwargs) server/server.pyo000064400000006024147576556050010137 0ustar00 c`c@sdgZddlZddlZddlmZmZeejd>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> sGARBAGE OBJECTS (%d): s sP <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<< (tcollecttlentgarbagettypeRttimeout_add_seconds(tx(tgct gc_collectt gc_timeoutR(s:/usr/lib/python2.7/site-packages/firewall/server/server.pyRLs tset_as_defaulttbustunix_signal_adds Stopping..s Raising SystemExit in run_serversException %s: %s(,tNonetpprintRRtenablet set_debugt DEBUG_LEAKtdbusR tglibt DBusGMainLoopRt SystemBusR tBusNameRtDBUS_INTERFACERt DBUS_PATHRtMainLooptslipt set_mainloopRthasattrRtunix_signal_add_fullt PRIORITY_HIGHtsignaltSIGHUPR tSIGTERMR truntKeyboardInterruptRtdebug1t SystemExitterrort Exceptiont __class__t__name__tstrtstop(tdebug_gcR RtnameR Rte((RRRRs:/usr/lib/python2.7/site-packages/firewall/server/server.pyRAsB           #(t__all__tsysR-t gi.repositoryRRtmodulesR t dbus.servicetdbus.mainloop.glibt slip.dbusR(tfirewallRtfirewall.core.loggerRtfirewall.server.firewalldRR R tFalseR(((s:/usr/lib/python2.7/site-packages/firewall/server/server.pyts          server/__init__.pyo000064400000000223147576556050010363 0ustar00 
c`c@sdS(N((((s</usr/lib/python2.7/site-packages/firewall/server/__init__.pytsserver/config_zone.pyc000064400000111062147576556050011114 0ustar00 c`c@sDddlmZddlZeejdeejjdd e d`d4Z?eejjdd dd)e d`d5Z@eejjdd+e d`d6ZAeejjdd+e d`d7ZBeejjdde d`d8ZCeejjdde d`d9ZDeejjdddd)e d`d:ZEeejjdd$e d`d;ZFeejjdd$e d`d<ZGeejjdd e d`d=ZHeejjdd e d`d>ZIeejjdd dd)e d`d?ZJeejjdd)e d`d@ZKeejjdd)e d`dAZLeejje d`dBZMeejje d`dCZNeejjdd)e d`dDZOeejjdd)e d`dEZPeejjdd)e d`dFZQeejje d`dGZReejje d`dHZSeejjdd)e d`dIZTeejjddJe d`dKZUeejjddJe d`dLZVeejjddMe d`dNZWeejjddMe d`dOZXeejjddMdd)e d`dPZYeejjdd$e d`dQZZeejjdd$e d`dRZ[eejjdd e d`dSZ\eejjdd e d`dTZ]eejjdd dd)e d`dUZ^eejjdd$e d`dVZ_eejjdd$e d`dWZ`eejjdd e d`dXZaeejjdd e d`dYZbeejjdd dd)e d`dZZceejjdd$e d`d[Zdeejjdd$e d`d\Zeeejjdd e d`d]Zfeejjdd e d`d^Zgeejjdd dd)e d`d_ZhRS(asFirewallD main classcOs~tt|j||||_||_||_||_|d|_|d|_d|j|_ t |tj j dS(Niisconfig.zone.%d( tsuperRt__init__tparentRtobjtitem_idtbusnametpatht _log_prefixRtdbustDBUS_INTERFACE_CONFIG_ZONE(tselfRtconftzoneRtargstkwargs((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyR<s      cCsdS(N((R((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt__del__IscCs|jdS(N(tremove_from_connection(R((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt unregisterMscCs|dkrtj|jjS|dkr>tj|jjS|dkr]tj|jjS|dkr|tj|jjS|dkrtj|jjStj j d|dS(NtnametfilenameRtdefaulttbuiltinsDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not exist( RtStringRR$R%RtBooleanR&R't exceptionst DBusException(Rt property_name((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt _get_propertyUs      t in_signaturetsst out_signaturetvcCsot|t}t|t}tjd|j|||tjjkrbtjj d|n|j |S(Ns%s.Get('%s', '%s')sJorg.freedesktop.DBus.Error.UnknownInterface: Interface '%s' does not exist( RtstrR tdebug1RRRRR*R+R-(Rtinterface_nameR,tsender((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytGetfs   tssa{sv}cCst|t}tjd|j||tjjkrPtjj d|ni}x0dddddgD]}|j |||si( RRJt 
isinstanceR}RKR R3RRyRR?RNR`(RtportsR5t_portsRRL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytsetPortss cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.addPort('%s', '%s')is%s:%s(RR2R R3RRR?RJRNRRR|R}R`(RRtprotocolR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytaddPorts cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.removePort('%s', '%s')is%s:%s(RR2R R3RRR?RJRNRRRReR`(RRRR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt removePortscCst|t}t|t}tjd|j||||f|jdkrWtSx=|jdD]+\}}t||rh||krhtSqhWtS(Ns%s.queryPort('%s', '%s')i( RR2R R3RRNtTrueRtFalse(RRRR5t_portt _protocol((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt queryPortscCs!tjd|j|jdS(Ns%s.getProtocols()i (R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt getProtocolsscCskt|t}tjd|jdj||jj|t|j}||d<|j |dS(Ns%s.setProtocols('[%s]')Rxi ( RRJR R3RRyRR?RNR`(Rt protocolsR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt setProtocolss cCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |dS(Ns%s.addProtocol('%s')i (RR2R R3RRR?RJRNRRR|R}R`(RRR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt addProtocolscCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |dS(Ns%s.removeProtocol('%s')i (RR2R R3RRR?RJRNRRRReR`(RRR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveProtocolscCs9t|t}tjd|j|||jdkS(Ns%s.queryProtocol('%s')i (RR2R R3RRN(RRR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt queryProtocol scCs!tjd|j|jdS(Ns%s.getSourcePorts()i(R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytgetSourcePorts*scCsg}xIt|tD]8}t|trA|jt|q|j|qW|}tjd|jdjd|D|j j |t|j }||d<|j |dS(Ns%s.setSourcePorts('[%s]')Rxcss'|]}d|d|dfVqdS(s ('%s, '%s')iiN((RR((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pys >si( RRJRR}RKR 
R3RRyRR?RNR`(RRR5RRRL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytsetSourcePorts1s cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.addSourcePort('%s', '%s')is%s:%s(RR2R R3RRR?RJRNRRR|R}R`(RRRR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt addSourcePortDs cCst|t}t|t}tjd|j|||jj|t|j}||f|dkrt t j d||fn|dj ||f|j |dS(Ns%s.removeSourcePort('%s', '%s')is%s:%s(RR2R R3RRR?RJRNRRRReR`(RRRR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveSourcePortTscCsQt|t}t|t}tjd|j||||f|jdkS(Ns%s.querySourcePort('%s', '%s')i(RR2R R3RRN(RRRR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytquerySourcePortcs cCs!tjd|j|jdS(Ns%s.getIcmpBlocks()i(R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt getIcmpBlocksoscCskt|t}tjd|jdj||jj|t|j}||d<|j |dS(Ns%s.setIcmpBlocks('[%s]')Rxi( RRJR R3RRyRR?RNR`(Rt icmptypesR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt setIcmpBlocksvs cCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |dS(Ns%s.addIcmpBlock('%s')i(RR2R R3RRR?RJRNRRR|R}R`(RticmptypeR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt addIcmpBlockscCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |dS(Ns%s.removeIcmpBlock('%s')i(RR2R R3RRR?RJRNRRRReR`(RRR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveIcmpBlockscCs9t|t}tjd|j|||jdkS(Ns%s.queryIcmpBlock('%s')i(RR2R R3RRN(RRR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytqueryIcmpBlockscCs!tjd|j|jdS(Ns%s.getIcmpBlockInversion()i(R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytgetIcmpBlockInversionscCsbt|t}tjd|j||jj|t|j}||d<|j |dS(Ns%s.setIcmpBlockInversion('%s')i( RtboolR R3RRR?RJRNR`(RtflagR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytsetIcmpBlockInversions  cCsotjd|j|jj|t|j}|drTttj dnt |d<|j |dS(Ns%s.addIcmpBlockInversion()isicmp-block-inversion( R 
R3RRR?RJRNRRR|RR`(RR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytaddIcmpBlockInversions  cCsotjd|j|jj|t|j}|dsTttj dnt |d<|j |dS(Ns%s.removeIcmpBlockInversion()isicmp-block-inversion( R R3RRR?RJRNRRRRR`(RR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveIcmpBlockInversions  cCs!tjd|j|jdS(Ns%s.queryIcmpBlockInversion()i(R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytqueryIcmpBlockInversionscCs!tjd|j|jdS(Ns%s.getMasquerade()i(R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt getMasqueradescCsbt|t}tjd|j||jj|t|j}||d<|j |dS(Ns%s.setMasquerade('%s')i( RRR R3RRR?RJRNR`(Rt masqueradeR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt setMasquerades  cCsotjd|j|jj|t|j}|drTttj dnt |d<|j |dS(Ns%s.addMasquerade()iR( R R3RRR?RJRNRRR|RR`(RR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt addMasquerades  cCsotjd|j|jj|t|j}|dsTttj dnt |d<|j |dS(Ns%s.removeMasquerade()iR( R R3RRR?RJRNRRRRR`(RR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveMasquerades  cCs!tjd|j|jdS(Ns%s.queryMasquerade()i(R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytqueryMasqueradessa(ssss)cCs!tjd|j|jdS(Ns%s.getForwardPorts()i (R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytgetForwardPortsscCsg}xIt|tD]8}t|trA|jt|q|j|qW|}tjd|jdjd|D|j j |t|j }||d<|j |dS(Ns%s.setForwardPorts('[%s]')Rxcss5|]+}d|d|d|d|dfVqdS(s('%s, '%s', '%s', '%s')iiiiN((RR((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pys si ( RRJRR}RKR R3RRyRR?RNR`(RRR5RRRL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytsetForwardPortss  tsssscCst|t}t|t}t|t}t|t}tjd|j|||||jj|||t|t|f}t|j}||dkrt t j d||||fn|dj ||j |dS(Ns)%s.addForwardPort('%s', '%s', '%s', '%s')i s %s:%s:%s:%s(RR2R 
R3RRR?RJRNRRR|R}R`(RRRttoportttoaddrR5tfwp_idRL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytaddForwardPort#s   cCst|t}t|t}t|t}t|t}tjd|j|||||jj|||t|t|f}t|j}||dkrt t j d||||fn|dj ||j |dS(Ns,%s.removeForwardPort('%s', '%s', '%s', '%s')i s %s:%s:%s:%s(RR2R R3RRR?RJRNRRRReR`(RRRRRR5RRL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveForwardPort7s   cCst|t}t|t}t|t}t|t}tjd|j||||||t|t|f}||jdkS(Ns+%s.queryForwardPort('%s', '%s', '%s', '%s')i (RR2R R3RRN(RRRRRR5R((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytqueryForwardPortKs cCs!tjd|j|jdS(Ns%s.getInterfaces()i (R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt getInterfaces[scCskt|t}tjd|jdj||jj|t|j}||d<|j |dS(Ns%s.setInterfaces('[%s]')Rxi ( RRJR R3RRyRR?RNR`(RROR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt setInterfacesbs cCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |t|jj|dS(Ns%s.addInterface('%s')i (RR2R R3RRR?RJRNRRR|R}R`RRR$(Rt interfaceR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt addInterfacens cCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |td|dS(Ns%s.removeInterface('%s')i t(RR2R R3RRR?RJRNRRRReR`R(RRR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveInterface}s cCs9t|t}tjd|j|||jdkS(Ns%s.queryInterface('%s')i (RR2R R3RRN(RRR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytqueryInterfacescCs!tjd|j|jdS(Ns%s.getSources()i (R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt getSourcesscCskt|t}tjd|jdj||jj|t|j}||d<|j |dS(Ns%s.setSources('[%s]')Rxi ( RRJR R3RRyRR?RNR`(RRPR5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt setSourcess cCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |dS(Ns%s.addSource('%s')i (RR2R R3RRR?RJRNRRR|R}R`(RR\R5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt addSourcescCst|t}tjd|j||jj|t|j}||dkrlt t j |n|dj ||j |dS(Ns%s.removeSource('%s')i 
(RR2R R3RRR?RJRNRRRReR`(RR\R5RL((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt removeSourcescCs9t|t}tjd|j|||jdkS(Ns%s.querySource('%s')i (RR2R R3RRN(RR\R5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt querySourcescCs!tjd|j|jdS(Ns%s.getRichRules()i (R R3RRN(RR5((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt getRichRulesscCst|t}tjd|jdj||jj|t|j}g|D]}t t d|^qW}||d<|j |dS(Ns%s.setRichRules('[%s]')Rxtrule_stri ( RRJR R3RRyRR?RNR2R R`(RtrulesR5RLtr((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt setRichRuless( cCst|t}tjd|j||jj|t|j}tt d|}||dkrt t j |n|dj ||j|dS(Ns%s.addRichRule('%s')Ri (RR2R R3RRR?RJRNR RRR|R}R`(RtruleR5RLR((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt addRichRulescCst|t}tjd|j||jj|t|j}tt d|}||dkrt t j |n|dj ||j|dS(Ns%s.removeRichRule('%s')Ri (RR2R R3RRR?RJRNR RRRReR`(RRR5RLR((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pytremoveRichRulescCsNt|t}tjd|j|ttd|}||jdkS(Ns%s.queryRichRule('%s')Ri (RR2R R3RR RN(RRR5R((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyt queryRichRulesN(it__name__t __module__t__doc__Rt persistentRRtPK_ACTION_CONFIGtdefault_polkit_auth_requiredR RR R!R#R-R tPROPERTIES_IFACEtNoneR6R=tsliptpolkitt require_authRAR~tsignalRDtPK_ACTION_INFOtINTROSPECTABLE_IFACERFRRtDBUS_SIGNATURERNR]R`RbR_ReRfRiRhRjRlRmRoRpRrRsRuRwR{RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR(((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyR4sV  $                                             (%t gi.repositoryRtsystmodulesRt dbus.servicet slip.dbusRtslip.dbus.servicetfirewallRtfirewall.dbus_utilsRRRtfirewall.core.io.zoneRtfirewall.core.fw_ifcfgRtfirewall.core.baseRtfirewall.core.richR tfirewall.core.loggerR tfirewall.server.decoratorsR R R Rtfirewall.errorsRtfirewall.functionsRR~tObjectR(((s?/usr/lib/python2.7/site-packages/firewall/server/config_zone.pyts$      
server/decorators.pyc000064400000005132147576556050010761 0ustar00 c`c@sdZddddgZddlZddlZddlZddlmZddlmZdd lm Z dd l m Z dd lm Z dd l mZdejfd YZedZedZdZdS(s>This module contains decorators for use with and without D-BustFirewallDBusExceptionthandle_exceptionstdbus_handle_exceptionstdbus_service_methodiN(t DBusException(t decorator(tconfig(t FirewallError(terrors(tlogcBseZdZdejjZRS(Rs %s.Exception(t__name__t __module__t__doc__RtdbustDBUS_INTERFACEt_dbus_error_name(((s>/usr/lib/python2.7/site-packages/firewall/server/decorators.pyR+scOsxy|||SWn`tk rF}tjtjtj|n.tk rstjtjtjnXdS(sTDecorator to handle exceptions and log them. Used if not conneced to D-Bus. N(RR tdebug1t tracebackt format_excterrort Exceptiont exception(tfunctargstkwargsR((s>/usr/lib/python2.7/site-packages/firewall/server/decorators.pyR/s cOs y|||SWntk r}tjt|}|tjtjtjtjgkrrtj t|n&tj t j tj t|tt|nZtk r}|nBtk r}tj t j tjtt|nXdS(sDecorator to handle exceptions, log and report them into D-Bus :Raises DBusException: on a firewall error code problems. 
N(Rtget_codetstrRtALREADY_ENABLEDt NOT_ENABLEDtZONE_ALREADY_SETt ALREADY_SETR twarningRRRRRRRR(RRRRtcodetex((s>/usr/lib/python2.7/site-packages/firewall/server/decorators.pyR=s   cOs#|jddtjj||S(sAdd sender argument for D-Bustsender_keywordtsender(t setdefaultR tservicetmethod(RR((s>/usr/lib/python2.7/site-packages/firewall/server/decorators.pyRVs(R t__all__R t dbus.serviceRtdbus.exceptionsRRtfirewallRtfirewall.errorsRRtfirewall.core.loggerR RRRR(((s>/usr/lib/python2.7/site-packages/firewall/server/decorators.pyts    server/config.pyc000064400000140122147576556050010060 0ustar00 c`c@sddlmZddlZeejde"ejj1ddedvd3Z?e"ejj1ddedvd4Z@e"ejj1dddd+edvd5ZAe"ejj1dd-edvd6ZBe"ejj1dd7edvd8ZCe"ejj1dd7edvd9ZDe"ejj1dd7dd+edvd:ZEe"ejj1dd;edvd<ZFe"ejjGdd=edvd>ZHe"ejjGdd-edvd?ZIe"ejjGdddd@edvdAZJe"ejjGddeKj3dd@edvdBZLej+j,ejjGd"dedCZMe"ejjGdd=edvdDZNe"ejjGdd-edvdEZOe"ejjGdddd@edvdFZPe"ejjGddeQj3dd@edvdGZRej+j,ejjGd"dedHZSe"ejjGdd=edvdIZTe"ejjGdd-edvdJZUe"ejjGdddd@edvdKZVe"ejjGddeWj3dd@edvdLZXej+j,ejjGd"dedMZYe"ejjGdd=edvdNZZe"ejjGdd-edvdOZ[e"ejjGdddd@edvdPZ\e"ejjGddddedvdQZ]e"ejjGddddedvdRZ^e"ejjGdde_j3dd@edvdSZ`ej+j,ejjGd"dedTZae"ejjGdd=edvdUZbe"ejjGdd-edvdVZce"ejjGdddd@edvdWZde"ejjGddeej3dd@edvdXZfej+j,ejjGd"dedYZge"ejjhdeij3edvdZZje"ejjhdeij3edvd[Zkej+j,ejjhed\Zle"ejjhdd]edvd^Zme"ejjhdd]edvd_Zne"ejjhdd]dd+edvd`Zoe"ejjhdddd-edvdaZpe"ejjhddbddcedvddZqe"ejjhddeedvdfZre"ejjhddeedvdgZse"ejjhddedd+edvdhZte"ejjhdd]edvdiZue"ejjhdd]ddjedvdkZve"ejjhddbddledvdmZwe"ejjhddnedvdoZxe"ejjhddnedvdpZye"ejjhddndd+edvdqZze"ejjhddddredvdsZ{e"ejjhddtedvduZ|RS(wsFirewallD main classcOstt|j||||_|d|_|d|_|jt|jd|_ |j j tj |j j tj |j j tj |j j tj|j j tj|j j tj|j j tj|j j tj|j j tj|j j tjtjjtjrx[ttjtjD]>}dtj|f}tjj|rG|j j |qGqGWn|j jtj|j jtj|j jtjt|tjj idd6dd6dd6dd 6dd 6dd 6dd 6dd 6dS(Niiis%s/%st readwritet CleanupOnExitt IPv6_rpfiltertLockdownt MinimalMarktIndividualCallst LogDeniedtAutomaticHelperstAllowZoneDrifting(!tsuperRt__init__Rtbusnametpatht _init_varsRt watch_updatertwatchert 
add_watch_dirtFIREWALLD_IPSETStETC_FIREWALLD_IPSETStFIREWALLD_ICMPTYPEStETC_FIREWALLD_ICMPTYPEStFIREWALLD_HELPERStETC_FIREWALLD_HELPERStFIREWALLD_SERVICEStETC_FIREWALLD_SERVICEStFIREWALLD_ZONEStETC_FIREWALLD_ZONEStostexiststsortedtlistdirtisdirtadd_watch_filetLOCKDOWN_WHITELISTtFIREWALLD_DIRECTtFIREWALLD_CONFRtdbustDBUS_INTERFACE_CONFIG(tselftconftargstkwargstfilenameR+((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR)GsD      cCs]g|_d|_g|_d|_g|_d|_g|_d|_g|_d|_ x0|j j D]}|j |j j |qjWx0|j jD]}|j|j j|qWx0|j jD]}|j|j j|qWx0|j jD]}|j|j j|qWx0|j jD]}|j|j j|q6WdS(Ni(tipsetst ipset_idxt icmptypest icmptype_idxtservicest service_idxtzonestzone_idxthelperst helper_idxRt get_ipsetst _addIPSett get_ipsett get_icmptypest _addIcmpTypet get_icmptypet get_servicest _addServicet get_servicet get_zonest_addZonetget_zonet get_helperst _addHelpert get_helper(REtipsetticmptypetservicetzonethelper((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR,os(          cCsdS(N((RE((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyt__del__scCs&x5t|jdkr7|jj}|j~qWx5t|jdkro|jj}|j~q;Wx5t|jdkr|jj}|j~qsWx5t|jdkr|jj}|j~qWx5t|jdkr|jj}|j~qW|jdS(Ni( tlenRJtpopt unregisterRLRNRPRRR,(REtitem((s:/usr/lib/python2.7/site-packages/firewall/server/config.pytreloads*     c Cs|tjkr |jtjj}tjdtjy|jjWn+tk ru}tj d||fdSX|jtjjj }xDt |j D]0}||kr||||kr||=qqWt |dkr|jtjj|gndS|jtjs.|jtjr|jdry|jj|\}}Wn+tk r}tj d||fdSX|dkr|j|q|dkr|j|q|dkr|j|qn|jtjs|jtjr|jdry|jj|\}}Wn+tk rZ}tj d ||fdSX|dkrw|j|q|dkr|j|q|dkr|j|qn|jtjs|jtjr=|jdry|jj|\}}Wn+tk r.}tj d ||fdSX|dkrK|j |q:|dkrg|j!|q:|dkr:|j"|q:q|jtjr|j#tjd j$d }t |d ksd |krdSt%j&j'|r|j(j)|s7|j(j*|q7q:|j(j)|r:|j(j+|q:qn^|jtj,sa|jtj-r|jdry|jj.|\}}Wn+tk r}tj d||fdSX|dkr|j/|q|dkr|j0|q|dkr|j1|qn|jtj2s5|jtj3r|jdry|jj4|\}}Wn+tk r}tj d||fdSX|dkr|j5|q|dkr|j6|q|dkr|j7|qn|tj8kr@y|jj9Wn+tk r2}tj d||fdSX|j:n[|tj;kry|jj<Wn+tk r}tj d||fdSX|j=ndS(Ns,config: Reloading firewalld config file '%s's+Failed to load firewalld.conf file '%s': %sis.xmls%Failed to load 
icmptype file '%s': %stnewtremovetupdates$Failed to load service file '%s': %ss!Failed to load zone file '%s': %stt/is"Failed to load ipset file '%s': %ss#Failed to load helper file '%s': %ss/Failed to load lockdown whitelist file '%s': %ss)Failed to load direct rules file '%s': %s(>RRBtGetAllRCRDRtdebug1tupdate_firewalld_conft ExceptionterrortcopytlisttkeysRitPropertiesChangedt startswithR2R3tendswithtupdate_icmptype_from_pathRXtremoveIcmpTypet_updateIcmpTypeR6R7tupdate_service_from_pathR[t removeServicet_updateServiceR8R9tupdate_zone_from_pathR^t removeZonet _updateZonetreplacetstripR:R+R>R.t has_watchR/t remove_watchR0R1tupdate_ipset_from_pathRUt removeIPSett _updateIPSetR4R5tupdate_helper_from_pathRat removeHelpert _updateHelperR@tupdate_lockdown_whitelisttLockdownWhitelistUpdatedRAt update_directtUpdated( REtnamet old_propstmsgtpropstkeytwhattobjt_name((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR-s                            c Csjt||j||j|jdtjj|jf}|jj||jd7_|j|j |S(Ns%s/%di( R RRMR*RCtDBUS_PATH_CONFIG_ICMPTYPERLtappendt IcmpTypeAddedR(RERtconfig_icmptype((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRX&s cCssxl|jD]a}|jj|jkr |jj|jkr |jj|jkr ||_|j|jq q WdS(N(RLRRR+RIR(RERRd((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR2s  cCsd}xu|jD]j}|j}|j||kr||j|j|jj|j||_|j|jjqqWxP|jD]E}|j|kr|j |j|j |jj|~qqWdS(Ni( RPt getSettingsRRoRtset_zone_configRRRLtRemovedRk(RERtindexRftsettingsRd((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR;s  c Csjt||j||j|jdtjj|jf}|jj||jd7_|j|j |S(Ns%s/%di( R RROR*RCtDBUS_PATH_CONFIG_SERVICERNRt ServiceAddedR(RERtconfig_service((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR[MscCssxl|jD]a}|jj|jkr |jj|jkr |jj|jkr ||_|j|jq q WdS(N(RNRRR+RIR(RERRe((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRXs  cCsd}xu|jD]j}|j}|j||kr||j|j|jj|j||_|j|jjqqWxP|jD]E}|j|kr|j |j|j |jj|~qqWdS(Ni( 
RPRRRoRRRRRNRRk(RERRRfRRe((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRas  c Csjt||j||j|jdtjj|jf}|jj||jd7_|j|j |S(Ns%s/%di( R RRQR*RCtDBUS_PATH_CONFIG_ZONERPRt ZoneAddedR(RERt config_zone((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR^sscCssxl|jD]a}|jj|jkr |jj|jkr |jj|jkr ||_|j|jq q WdS(N(RPRRR+RIR(RERRf((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR~s * cCsWxP|jD]E}|j|kr |j|j|j|jj|~q q WdS(N(RPRRRRkRo(RERRf((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRs  c Csjt||j||j|jdtjj|jf}|jj||jd7_|j|j |S(Ns%s/%di( R RRKR*RCtDBUS_PATH_CONFIG_IPSETRJRt IPSetAddedR(RERt config_ipset((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRUscCssxl|jD]a}|jj|jkr |jj|jkr |jj|jkr ||_|j|jq q WdS(N(RJRRR+RIR(RERRc((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRs * cCsWxP|jD]E}|j|kr |j|j|j|jj|~q q WdS(N(RJRRRRkRo(RERRc((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRs  c Csjt||j||j|jdtjj|jf}|jj||jd7_|j|j |S(Ns%s/%di( R RRSR*RCtDBUS_PATH_CONFIG_HELPERRRRt HelperAddedR(RERt config_helper((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRascCssxl|jD]a}|jj|jkr |jj|jkr |jj|jkr ||_|j|jq q WdS(N(RRRRR+RIR(RERRg((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRs * cCsWxP|jD]E}|j|kr |j|j|j|jj|~q q WdS(N(RRRRRRkRo(RERRg((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyRs  cCs|jjr|dkr,tjddStj}t||}|jjd|r`dSt ||}|jjd|rdSt |}|jjd|rdSt ||}|jjd|rdSt t jdndS(Ns&Lockdown not possible, sender not set.tcontexttuidtusertcommandslockdown is enabled(Rtlockdown_enabledtNoneRRwRCt SystemBusRt access_checkRRRRRt ACCESS_DENIED(REtsendertbusRRRR((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyt accessChecks$    c CsB|d kr%tjjd |n|jjj|}|dkrn|dkratj}ntj|S|dkr|dkrtj }n t |}tj |S|dkr|dkrtj rd nd }ntj|S|dkr%|dkrtj rd nd }ntj|S|dkrb|dkrUtjrLd nd }ntj|S|dkr|dkrtjrd nd }ntj|S|dkr|dkrtj}ntj|S|dkr|dkrtj}ntj|S|d kr>|dkr1tjr(d nd }ntj|SdS(Nt DefaultZoneR#R 
R"R!R$R%R&R'sDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not existtyestno( Rs MinimalMarks CleanupOnExitsLockdowns IPv6_rpfiltersIndividualCallss LogDeniedsAutomaticHelperssAllowZoneDrifting(RCt exceptionst DBusExceptionRtget_firewalld_conftgetRt FALLBACK_ZONEtStringtFALLBACK_MINIMAL_MARKtinttInt32tFALLBACK_CLEANUP_ON_EXITtFALLBACK_LOCKDOWNtFALLBACK_IPV6_RPFILTERtFALLBACK_INDIVIDUAL_CALLStFALLBACK_LOG_DENIEDtFALLBACK_AUTOMATIC_HELPERStFALLBACK_ALLOW_ZONE_DRIFTING(REtproptvalue((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyt _get_propertysX                                  cCsL|dkr"tj|j|S|dkrDtj|j|S|dkrftj|j|S|dkrtj|j|S|dkrtj|j|S|dkrtj|j|S|dkrtj|j|S|dkrtj|j|S|d kr2tj|j|Stjjd |dS( NRR#R R"R!R$R%R&R'sDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not exist(RCRRRRR(RER((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyt_get_dbus_propertys*          t in_signaturetsst out_signaturetvcCst|t}t|t}tjd|||tjjkrP|j|S|tjjtjj gkrtj j d|ntj j d||j|S(Nsconfig.Get('%s', '%s')sDorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not existsJorg.freedesktop.DBus.Error.UnknownInterface: Interface '%s' does not exist( RtstrRRtRRCRDRtDBUS_INTERFACE_CONFIG_DIRECTtDBUS_INTERFACE_CONFIG_POLICIESRR(REtinterface_namet property_nameR((s:/usr/lib/python2.7/site-packages/firewall/server/config.pytGet/s      tssa{sv}c Cst|t}tjd|i}|tjjkryxvdddddddd d g D]}|j|||RRRRRpRRERFRGRHRIRLRMRNRPRQRRRTRURVRXRY(((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyR?s8 (          2A$                                                   (<t gi.repositoryRtsystmodulesR:RCt dbus.servicet slip.dbusRbtslip.dbus.servicetfirewallRtfirewall.core.baseRtfirewall.core.watcherRtfirewall.core.loggerRtfirewall.server.decoratorsRRRtfirewall.server.config_icmptypeR tfirewall.server.config_serviceR tfirewall.server.config_zoneR tfirewall.server.config_ipsetR tfirewall.server.config_helperR 
tfirewall.core.io.zoneRtfirewall.core.io.serviceRtfirewall.core.io.icmptypeRtfirewall.core.io.ipsetRtfirewall.core.io.helperRt#firewall.core.io.lockdown_whitelistRtfirewall.core.io.directRtfirewall.dbus_utilsRRRRRRRRtfirewall.errorsRRetObjectR(((s:/usr/lib/python2.7/site-packages/firewall/server/config.pyts8       4server/server.py000064400000007371147576556050007766 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2010-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # # signal handling and run_server derived from setroubleshoot # Copyright (C) 2006,2007,2008,2009 Red Hat, Inc. 
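# Authors:
# John Dennis
# Thomas Liu
# Dan Walsh

__all__ = [ "run_server" ]

import sys
import signal

# force use of pygobject3 in python-slip
from gi.repository import GObject, GLib
sys.modules['gobject'] = GObject

import dbus
import dbus.service
import dbus.mainloop.glib
import slip.dbus

from firewall import config
from firewall.core.logger import log
from firewall.server.firewalld import FirewallD

############################################################################
#
# signal handlers
#
############################################################################

def sighup(service):
    """SIGHUP handler: reload the firewall rules.

    Returns True so GLib keeps the signal source installed and later
    SIGHUPs trigger another reload.
    """
    service.reload()
    return True

def sigterm(mainloop):
    """SIGTERM handler: quit the main loop so run_server() can stop the
    service cleanly (returns None, so the source is one-shot).
    """
    mainloop.quit()

############################################################################
#
# run_server function
#
############################################################################

def run_server(debug_gc=False):
    """Run the firewalld D-Bus service until the GLib main loop exits.

    Claims config.dbus.DBUS_INTERFACE on the system bus, publishes the
    FirewallD object at config.dbus.DBUS_PATH, wires SIGHUP to a reload and
    SIGTERM to a main-loop exit, and stops the service on the way out.

    Args:
        debug_gc: when True, enable gc leak debugging and dump any
            uncollectable objects to stdout every ``gc_timeout`` seconds.

    Returns:
        None. Failures are logged rather than raised; the service is
        stopped afterwards if it was created.
    """
    service = None

    if debug_gc:
        from pprint import pformat
        import gc
        gc.enable()
        gc.set_debug(gc.DEBUG_LEAK)

        gc_timeout = 10

        def gc_collect():
            """Collect, dump anything uncollectable, keep the timer armed."""
            gc.collect()
            if len(gc.garbage) > 0:
                print("\n>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
                      ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>\n")
                print("GARBAGE OBJECTS (%d):\n" % len(gc.garbage))
                for x in gc.garbage:
                    print(type(x), "\n ",)
                    print(pformat(x))
                print("\n<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<"
                      "<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<\n")
            # GLib drops a timeout source whose callback returns a falsy
            # value; returning True keeps the periodic collection running.
            return True

    try:
        dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
        bus = dbus.SystemBus()
        name = dbus.service.BusName(config.dbus.DBUS_INTERFACE, bus=bus)
        service = FirewallD(name, config.dbus.DBUS_PATH)

        mainloop = GLib.MainLoop()
        slip.dbus.service.set_mainloop(mainloop)
        # Register the gc timer exactly once, after the main loop exists
        # (the original code registered it a second time before the try).
        if debug_gc:
            GLib.timeout_add_seconds(gc_timeout, gc_collect)

        # use unix_signal_add if available, else unix_signal_add_full
        if hasattr(GLib, 'unix_signal_add'):
            unix_signal_add = GLib.unix_signal_add
        else:
            unix_signal_add = GLib.unix_signal_add_full

        unix_signal_add(GLib.PRIORITY_HIGH, signal.SIGHUP, sighup, service)
        unix_signal_add(GLib.PRIORITY_HIGH, signal.SIGTERM, sigterm, mainloop)

        mainloop.run()

    except KeyboardInterrupt:
        log.debug1("Stopping..")

    except SystemExit:
        log.error("Raising SystemExit in run_server")

    except Exception as e:
        log.error("Exception %s: %s", e.__class__.__name__, str(e))

    # Tear the firewall down only if the service object was ever created.
    if service:
        service.stop()
server/firewalld.py000064400000326347147576556050010430 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2010-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see .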
__all__ = [ "FirewallD" ] from gi.repository import GLib, GObject # force use of pygobject3 in python-slip import sys sys.modules['gobject'] = GObject import dbus import dbus.service import slip.dbus import slip.dbus.service from firewall import config from firewall.core.fw import Firewall from firewall.core.rich import Rich_Rule from firewall.core.logger import log from firewall.client import FirewallClientZoneSettings from firewall.server.decorators import dbus_handle_exceptions, \ dbus_service_method, \ handle_exceptions, \ FirewallDBusException from firewall.server.config import FirewallDConfig from firewall.dbus_utils import dbus_to_python, \ command_of_sender, context_of_sender, uid_of_sender, user_of_uid, \ dbus_introspection_prepare_properties, \ dbus_introspection_add_properties from firewall.core.io.functions import check_config from firewall.core.io.zone import Zone from firewall.core.io.ipset import IPSet from firewall.core.io.service import Service from firewall.core.io.icmptype import IcmpType from firewall.core.io.helper import Helper from firewall.core.fw_nm import nm_get_bus_name, nm_get_connection_of_interface, \ nm_set_zone_of_connection from firewall.core.fw_ifcfg import ifcfg_set_zone_of_interface from firewall import errors from firewall.errors import FirewallError ############################################################################ # # class FirewallD # ############################################################################ class FirewallD(slip.dbus.service.Object): """FirewallD main class""" persistent = True """ Make FirewallD persistent. 
""" default_polkit_auth_required = config.dbus.PK_ACTION_CONFIG """ Use config.dbus.PK_ACTION_CONFIG as a default """ @handle_exceptions def __init__(self, *args, **kwargs): super(FirewallD, self).__init__(*args, **kwargs) self.fw = Firewall() self.busname = args[0] self.path = args[1] self.start() dbus_introspection_prepare_properties(self, config.dbus.DBUS_INTERFACE) self.config = FirewallDConfig(self.fw.config, self.busname, config.dbus.DBUS_PATH_CONFIG) def __del__(self): self.stop() @handle_exceptions def start(self): # tests if iptables and ip6tables are usable using test functions # loads default firewall rules for iptables and ip6tables log.debug1("start()") self._timeouts = { } return self.fw.start() @handle_exceptions def stop(self): # stops firewall: unloads firewall modules, flushes chains and tables, # resets policies log.debug1("stop()") return self.fw.stop() # lockdown functions @dbus_handle_exceptions def accessCheck(self, sender): if self.fw.policies.query_lockdown(): if sender is None: log.error("Lockdown not possible, sender not set.") return bus = dbus.SystemBus() context = context_of_sender(bus, sender) if self.fw.policies.access_check("context", context): return uid = uid_of_sender(bus, sender) if self.fw.policies.access_check("uid", uid): return user = user_of_uid(uid) if self.fw.policies.access_check("user", user): return command = command_of_sender(bus, sender) if self.fw.policies.access_check("command", command): return raise FirewallError(errors.ACCESS_DENIED, "lockdown is enabled") # timeout functions @dbus_handle_exceptions def addTimeout(self, zone, x, tag): if zone not in self._timeouts: self._timeouts[zone] = { } self._timeouts[zone][x] = tag @dbus_handle_exceptions def removeTimeout(self, zone, x): if zone in self._timeouts and x in self._timeouts[zone]: GLib.source_remove(self._timeouts[zone][x]) del self._timeouts[zone][x] @dbus_handle_exceptions def cleanup_timeouts(self): # cleanup timeouts for zone in self._timeouts: for x in 
self._timeouts[zone]: GLib.source_remove(self._timeouts[zone][x]) self._timeouts[zone].clear() self._timeouts.clear() # property handling @dbus_handle_exceptions def _get_property(self, prop): if prop == "version": return dbus.String(config.VERSION) elif prop == "interface_version": return dbus.String("%d.%d" % (config.dbus.DBUS_INTERFACE_VERSION, config.dbus.DBUS_INTERFACE_REVISION)) elif prop == "state": return dbus.String(self.fw.get_state()) elif prop == "IPv4": return dbus.Boolean(self.fw.ip4tables_enabled) elif prop == "IPv4ICMPTypes": return dbus.Array(self.fw.ip4tables_supported_icmp_types, "s") elif prop == "IPv6": return dbus.Boolean(self.fw.ip6tables_enabled) elif prop == "IPv6_rpfilter": return dbus.Boolean(self.fw.ipv6_rpfilter_enabled) elif prop == "IPv6ICMPTypes": return dbus.Array(self.fw.ip6tables_supported_icmp_types, "s") elif prop == "BRIDGE": return dbus.Boolean(self.fw.ebtables_enabled) elif prop == "IPSet": return dbus.Boolean(self.fw.ipset_enabled) elif prop == "IPSetTypes": return dbus.Array(self.fw.ipset_supported_types, "s") elif prop == "nf_conntrack_helper_setting": return dbus.Boolean(self.fw.nf_conntrack_helper_setting == 1) elif prop == "nf_conntrack_helpers": return dbus.Dictionary({}, "sas") elif prop == "nf_nat_helpers": return dbus.Dictionary({}, "sas") else: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.InvalidArgs: " "Property '%s' does not exist" % prop) @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', out_signature='v') @dbus_handle_exceptions def Get(self, interface_name, property_name, sender=None): # pylint: disable=W0613 # get a property interface_name = dbus_to_python(interface_name, str) property_name = dbus_to_python(property_name, str) log.debug1("Get('%s', '%s')", interface_name, property_name) if interface_name == config.dbus.DBUS_INTERFACE: return self._get_property(property_name) elif interface_name in [ config.dbus.DBUS_INTERFACE_ZONE, config.dbus.DBUS_INTERFACE_DIRECT, 
config.dbus.DBUS_INTERFACE_POLICIES, config.dbus.DBUS_INTERFACE_IPSET ]: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.InvalidArgs: " "Property '%s' does not exist" % property_name) else: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.UnknownInterface: " "Interface '%s' does not exist" % interface_name) @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='s', out_signature='a{sv}') @dbus_handle_exceptions def GetAll(self, interface_name, sender=None): # pylint: disable=W0613 interface_name = dbus_to_python(interface_name, str) log.debug1("GetAll('%s')", interface_name) ret = { } if interface_name == config.dbus.DBUS_INTERFACE: for x in [ "version", "interface_version", "state", "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE", "IPSet", "IPSetTypes", "nf_conntrack_helper_setting", "nf_conntrack_helpers", "nf_nat_helpers", "IPv4ICMPTypes", "IPv6ICMPTypes" ]: ret[x] = self._get_property(x) elif interface_name in [ config.dbus.DBUS_INTERFACE_ZONE, config.dbus.DBUS_INTERFACE_DIRECT, config.dbus.DBUS_INTERFACE_POLICIES, config.dbus.DBUS_INTERFACE_IPSET ]: pass else: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.UnknownInterface: " "Interface '%s' does not exist" % interface_name) return dbus.Dictionary(ret, signature="sv") @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ssv') @dbus_handle_exceptions def Set(self, interface_name, property_name, new_value, sender=None): interface_name = dbus_to_python(interface_name, str) property_name = dbus_to_python(property_name, str) new_value = dbus_to_python(new_value) log.debug1("Set('%s', '%s', '%s')", interface_name, property_name, new_value) self.accessCheck(sender) if interface_name == config.dbus.DBUS_INTERFACE: if property_name in [ "version", "interface_version", "state", "IPv4", "IPv6", "IPv6_rpfilter", "BRIDGE", "IPSet", "IPSetTypes", "nf_conntrack_helper_setting", "nf_conntrack_helpers", 
"nf_nat_helpers", "IPv4ICMPTypes", "IPv6ICMPTypes" ]: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.PropertyReadOnly: " "Property '%s' is read-only" % property_name) else: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.InvalidArgs: " "Property '%s' does not exist" % property_name) elif interface_name in [ config.dbus.DBUS_INTERFACE_ZONE, config.dbus.DBUS_INTERFACE_DIRECT, config.dbus.DBUS_INTERFACE_POLICIES, config.dbus.DBUS_INTERFACE_IPSET ]: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.InvalidArgs: " "Property '%s' does not exist" % property_name) else: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.UnknownInterface: " "Interface '%s' does not exist" % interface_name) @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') def PropertiesChanged(self, interface_name, changed_properties, invalidated_properties): interface_name = dbus_to_python(interface_name, str) changed_properties = dbus_to_python(changed_properties) invalidated_properties = dbus_to_python(invalidated_properties) log.debug1("PropertiesChanged('%s', '%s', '%s')", interface_name, changed_properties, invalidated_properties) @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO) @dbus_service_method(dbus.INTROSPECTABLE_IFACE, out_signature='s') @dbus_handle_exceptions def Introspect(self, sender=None): # pylint: disable=W0613 log.debug2("Introspect()") data = super(FirewallD, self).Introspect(self.path, self.busname.get_bus()) return dbus_introspection_add_properties(self, data, config.dbus.DBUS_INTERFACE) # reload @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) @dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='', out_signature='') @dbus_handle_exceptions def reload(self, sender=None): # pylint: disable=W0613 """Reload the firewall rules. 
""" log.debug1("reload()") self.fw.reload() self.config.reload() self.Reloaded() # complete_reload @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) @dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='', out_signature='') @dbus_handle_exceptions def completeReload(self, sender=None): # pylint: disable=W0613 """Completely reload the firewall. Completely reload the firewall: Stops firewall, unloads modules and starts the firewall again. """ log.debug1("completeReload()") self.fw.reload(True) self.config.reload() self.Reloaded() @dbus.service.signal(config.dbus.DBUS_INTERFACE) @dbus_handle_exceptions def Reloaded(self): log.debug1("Reloaded()") @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) @dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='', out_signature='') @dbus_handle_exceptions def checkPermanentConfig(self, sender=None): # pylint: disable=W0613 """Check permanent configuration """ log.debug1("checkPermanentConfig()") check_config(self.fw) # runtime to permanent @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) @dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='', out_signature='') @dbus_handle_exceptions def runtimeToPermanent(self, sender=None): # pylint: disable=W0613 """Make runtime configuration permanent """ log.debug1("copyRuntimeToPermanent()") error = False # Services or icmptypes can not be modified in runtime, but they can # be removed or modified in permanent environment. Therefore copying # of services and icmptypes to permanent is also needed. # services config_names = self.config.getServiceNames() for name in self.fw.service.get_services(): conf = self.getServiceSettings(name) try: if name in config_names: conf_obj = self.config.getServiceByName(name) if conf_obj.getSettings() != conf: log.debug1("Copying service '%s' settings" % name) conf_obj.update(conf) else: log.debug1("Service '%s' is identical, ignoring." 
% name) else: log.debug1("Creating service '%s'" % name) self.config.addService(name, conf) except Exception as e: log.warning( "Runtime To Permanent failed on service '%s': %s" % \ (name, e)) error = True # icmptypes config_names = self.config.getIcmpTypeNames() for name in self.fw.icmptype.get_icmptypes(): conf = self.getIcmpTypeSettings(name) try: if name in config_names: conf_obj = self.config.getIcmpTypeByName(name) if conf_obj.getSettings() != conf: log.debug1("Copying icmptype '%s' settings" % name) conf_obj.update(conf) else: log.debug1("IcmpType '%s' is identical, ignoring." % name) else: log.debug1("Creating icmptype '%s'" % name) self.config.addIcmpType(name, conf) except Exception as e: log.warning( "Runtime To Permanent failed on icmptype '%s': %s" % \ (name, e)) error = True # ipsets config_names = self.config.getIPSetNames() for name in self.fw.ipset.get_ipsets(): try: conf = self.getIPSetSettings(name) if name in config_names: conf_obj = self.config.getIPSetByName(name) if conf_obj.getSettings() != conf: log.debug1("Copying ipset '%s' settings" % name) conf_obj.update(conf) else: log.debug1("IPSet '%s' is identical, ignoring." % name) else: log.debug1("Creating ipset '%s'" % name) self.config.addIPSet(name, conf) except Exception as e: log.warning( "Runtime To Permanent failed on ipset '%s': %s" % \ (name, e)) error = True # zones config_names = self.config.getZoneNames() nm_bus_name = nm_get_bus_name() for name in self.fw.zone.get_zones(): conf = self.getZoneSettings(name) settings = FirewallClientZoneSettings(conf) if nm_bus_name is not None: changed = False for interface in settings.getInterfaces(): if self.fw.zone.interface_get_sender(name, interface) == nm_bus_name: log.debug1("Zone '%s': interface binding for '%s' has been added by NM, ignoring." 
% (name, interface)) settings.removeInterface(interface) changed = True # For the remaining interfaces, attempt to let NM manage them for interface in settings.getInterfaces(): try: connection = nm_get_connection_of_interface(interface) if connection and nm_set_zone_of_connection(name, connection): settings.removeInterface(interface) changed = True except Exception: pass if changed: del conf conf = settings.settings # For the remaining try to update the ifcfg files for interface in settings.getInterfaces(): ifcfg_set_zone_of_interface(name, interface) try: if name in config_names: conf_obj = self.config.getZoneByName(name) if conf_obj.getSettings() != conf: log.debug1("Copying zone '%s' settings" % name) conf_obj.update(conf) else: log.debug1("Zone '%s' is identical, ignoring." % name) else: log.debug1("Creating zone '%s'" % name) self.config.addZone(name, conf) except Exception as e: log.warning( "Runtime To Permanent failed on zone '%s': %s" % \ (name, e)) error = True # helpers config_names = self.config.getHelperNames() for name in self.fw.helper.get_helpers(): conf = self.getHelperSettings(name) try: if name in config_names: conf_obj = self.config.getHelperByName(name) if conf_obj.getSettings() != conf: log.debug1("Copying helper '%s' settings" % name) conf_obj.update(conf) else: log.debug1("Helper '%s' is identical, ignoring." 
% name) else: log.debug1("Creating helper '%s'" % name) self.config.addHelper(name, conf) except Exception as e: log.warning( "Runtime To Permanent failed on helper '%s': %s" % \ (name, e)) error = True # direct # rt_config = self.fw.direct.get_config() conf = ( self.fw.direct.get_all_chains(), self.fw.direct.get_all_rules(), self.fw.direct.get_all_passthroughs() ) try: if self.config.getSettings() != conf: log.debug1("Copying direct configuration") self.config.update(conf) else: log.debug1("Direct configuration is identical, ignoring.") except Exception as e: log.warning( "Runtime To Permanent failed on direct configuration: %s" % e) error = True # policies conf = self.fw.policies.lockdown_whitelist.export_config() try: if self.config.getSettings() != conf: log.debug1("Copying policies configuration") self.config.setLockdownWhitelist(conf) else: log.debug1("Policies configuration is identical, ignoring.") except Exception as e: log.warning( "Runtime To Permanent failed on policies configuration: %s" % \ e) error = True if error: raise FirewallError(errors.RT_TO_PERM_FAILED) # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # POLICIES # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # lockdown @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES) @dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='', out_signature='') @dbus_handle_exceptions def enableLockdown(self, sender=None): """Enable lockdown policies """ log.debug1("policies.enableLockdown()") self.accessCheck(sender) self.fw.policies.enable_lockdown() self.LockdownEnabled() @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES) @dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='', out_signature='') @dbus_handle_exceptions def disableLockdown(self, sender=None): """Disable lockdown policies """ log.debug1("policies.disableLockdown()") self.accessCheck(sender) self.fw.policies.disable_lockdown() 
self.LockdownDisabled() @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES_INFO) @dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='', out_signature='b') @dbus_handle_exceptions def queryLockdown(self, sender=None): # pylint: disable=W0613 """Retuns True if lockdown is enabled """ log.debug1("policies.queryLockdown()") # no access check here return self.fw.policies.query_lockdown() @dbus.service.signal(config.dbus.DBUS_INTERFACE_POLICIES, signature='') @dbus_handle_exceptions def LockdownEnabled(self): log.debug1("LockdownEnabled()") @dbus.service.signal(config.dbus.DBUS_INTERFACE_POLICIES, signature='') @dbus_handle_exceptions def LockdownDisabled(self): log.debug1("LockdownDisabled()") # lockdown whitelist # command @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES) @dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='s', out_signature='') @dbus_handle_exceptions def addLockdownWhitelistCommand(self, command, sender=None): """Add lockdown command """ command = dbus_to_python(command, str) log.debug1("policies.addLockdownWhitelistCommand('%s')" % command) self.accessCheck(sender) self.fw.policies.lockdown_whitelist.add_command(command) self.LockdownWhitelistCommandAdded(command) @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES) @dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='s', out_signature='') @dbus_handle_exceptions def removeLockdownWhitelistCommand(self, command, sender=None): """Remove lockdown command """ command = dbus_to_python(command, str) log.debug1("policies.removeLockdownWhitelistCommand('%s')" % command) self.accessCheck(sender) self.fw.policies.lockdown_whitelist.remove_command(command) self.LockdownWhitelistCommandRemoved(command) @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES_INFO) @dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='s', out_signature='b') @dbus_handle_exceptions def 
queryLockdownWhitelistCommand(self, command, sender=None): # pylint: disable=W0613
    """Return whether ``command`` is on the lockdown whitelist.

    Read-only query: gated by polkit (PK_ACTION_POLICIES_INFO) but, like
    every other query/getter in this file, NOT by the lockdown
    accessCheck(), which this file applies to mutators only.
    """
    command = dbus_to_python(command, str)
    log.debug1("policies.queryLockdownWhitelistCommand('%s')" % command)
    # no access check here: read-only, polkit already gated the caller
    return self.fw.policies.lockdown_whitelist.has_command(command)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='',
                     out_signature='as')
@dbus_handle_exceptions
def getLockdownWhitelistCommands(self, sender=None): # pylint: disable=W0613
    """Return the list of whitelisted lockdown commands (D-Bus 'as').

    Read-only; gated by polkit PK_ACTION_POLICIES_INFO only.
    """
    log.debug1("policies.getLockdownWhitelistCommands()")
    # no access check here: read-only
    return self.fw.policies.lockdown_whitelist.get_commands()

@dbus.service.signal(config.dbus.DBUS_INTERFACE_POLICIES, signature='s')
@dbus_handle_exceptions
def LockdownWhitelistCommandAdded(self, command):
    """D-Bus signal: a command was added to the lockdown whitelist.

    The body only logs; dbus.service.signal emits the signal itself.
    """
    log.debug1("LockdownWhitelistCommandAdded('%s')" % command)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_POLICIES, signature='s')
@dbus_handle_exceptions
def LockdownWhitelistCommandRemoved(self, command):
    """D-Bus signal: a command was removed from the lockdown whitelist."""
    log.debug1("LockdownWhitelistCommandRemoved('%s')" % command)

# uid

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES)
@dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='i',
                     out_signature='')
@dbus_handle_exceptions
def addLockdownWhitelistUid(self, uid, sender=None):
    """Whitelist numeric user id ``uid`` for lockdown mode.

    Mutator: polkit PK_ACTION_POLICIES plus the lockdown accessCheck() on
    the D-Bus ``sender`` (accessCheck is defined elsewhere in this class)
    must both pass before the whitelist is touched.  Emits
    LockdownWhitelistUidAdded on success.
    """
    uid = dbus_to_python(uid, int)
    log.debug1("policies.addLockdownWhitelistUid('%s')" % uid)
    # Check the caller BEFORE mutating state; the whitelist is what
    # lockdown enforces, so widening it is itself a privileged change.
    self.accessCheck(sender)
    self.fw.policies.lockdown_whitelist.add_uid(uid)
    self.LockdownWhitelistUidAdded(uid)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES)
@dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='i',
                     out_signature='')
@dbus_handle_exceptions
def removeLockdownWhitelistUid(self, uid, sender=None):
    """Remove numeric user id ``uid`` from the lockdown whitelist.

    Mutator: polkit PK_ACTION_POLICIES + lockdown accessCheck(sender).
    Emits LockdownWhitelistUidRemoved on success.
    """
    uid = dbus_to_python(uid, int)
    log.debug1("policies.removeLockdownWhitelistUid('%s')" % uid)
    self.accessCheck(sender)
    self.fw.policies.lockdown_whitelist.remove_uid(uid)
    self.LockdownWhitelistUidRemoved(uid)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='i',
                     out_signature='b')
@dbus_handle_exceptions
def queryLockdownWhitelistUid(self, uid, sender=None): # pylint: disable=W0613
    """Return whether numeric user id ``uid`` is on the lockdown whitelist.

    Read-only; polkit PK_ACTION_POLICIES_INFO only.
    """
    uid = dbus_to_python(uid, int)
    log.debug1("policies.queryLockdownWhitelistUid('%s')" % uid)
    # no access check here: read-only
    return self.fw.policies.lockdown_whitelist.has_uid(uid)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='',
                     out_signature='ai')
@dbus_handle_exceptions
def getLockdownWhitelistUids(self, sender=None): # pylint: disable=W0613
    """Return the list of whitelisted lockdown user ids (D-Bus 'ai').

    Read-only; polkit PK_ACTION_POLICIES_INFO only.
    """
    log.debug1("policies.getLockdownWhitelistUids()")
    # no access check here: read-only
    return self.fw.policies.lockdown_whitelist.get_uids()

@dbus.service.signal(config.dbus.DBUS_INTERFACE_POLICIES, signature='i')
@dbus_handle_exceptions
def LockdownWhitelistUidAdded(self, uid):
    """D-Bus signal: a uid was added to the lockdown whitelist."""
    log.debug1("LockdownWhitelistUidAdded(%d)" % uid)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_POLICIES, signature='i')
@dbus_handle_exceptions
def LockdownWhitelistUidRemoved(self, uid):
    """D-Bus signal: a uid was removed from the lockdown whitelist."""
    log.debug1("LockdownWhitelistUidRemoved(%d)" % uid)

# user

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES)
@dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='s',
                     out_signature='')
@dbus_handle_exceptions
def addLockdownWhitelistUser(self, user, sender=None):
    """Whitelist user name ``user`` for lockdown mode.

    Mutator: polkit PK_ACTION_POLICIES + lockdown accessCheck(sender).
    Emits LockdownWhitelistUserAdded on success.
    """
    user = dbus_to_python(user, str)
    log.debug1("policies.addLockdownWhitelistUser('%s')" % user)
    self.accessCheck(sender)
    self.fw.policies.lockdown_whitelist.add_user(user)
    self.LockdownWhitelistUserAdded(user)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES)
@dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='s',
                     out_signature='')
@dbus_handle_exceptions
def removeLockdownWhitelistUser(self, user, sender=None):
    """Remove user name ``user`` from the lockdown whitelist.

    Mutator: polkit PK_ACTION_POLICIES + lockdown accessCheck(sender).
    Emits LockdownWhitelistUserRemoved on success.
    """
    user = dbus_to_python(user, str)
    log.debug1("policies.removeLockdownWhitelistUser('%s')" % user)
    self.accessCheck(sender)
    self.fw.policies.lockdown_whitelist.remove_user(user)
    self.LockdownWhitelistUserRemoved(user)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='s',
                     out_signature='b')
@dbus_handle_exceptions
def queryLockdownWhitelistUser(self, user, sender=None): # pylint: disable=W0613
    """Return whether user name ``user`` is on the lockdown whitelist.

    Read-only; polkit PK_ACTION_POLICIES_INFO only.
    """
    user = dbus_to_python(user, str)
    log.debug1("policies.queryLockdownWhitelistUser('%s')" % user)
    # no access check here: read-only
    return self.fw.policies.lockdown_whitelist.has_user(user)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='',
                     out_signature='as')
@dbus_handle_exceptions
def getLockdownWhitelistUsers(self, sender=None): # pylint: disable=W0613
    """Return the list of whitelisted lockdown user names (D-Bus 'as').

    Read-only; polkit PK_ACTION_POLICIES_INFO only.
    """
    log.debug1("policies.getLockdownWhitelistUsers()")
    # no access check here: read-only
    return self.fw.policies.lockdown_whitelist.get_users()

@dbus.service.signal(config.dbus.DBUS_INTERFACE_POLICIES, signature='s')
@dbus_handle_exceptions
def LockdownWhitelistUserAdded(self, user):
    """D-Bus signal: a user name was added to the lockdown whitelist."""
    log.debug1("LockdownWhitelistUserAdded('%s')" % user)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_POLICIES, signature='s')
@dbus_handle_exceptions
def LockdownWhitelistUserRemoved(self, user):
    """D-Bus signal: a user name was removed from the lockdown whitelist."""
    log.debug1("LockdownWhitelistUserRemoved('%s')" % user)

# context

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES)
@dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='s',
                     out_signature='')
@dbus_handle_exceptions
def addLockdownWhitelistContext(self, context, sender=None):
    """Whitelist (SELinux) context string ``context`` for lockdown mode.

    Mutator: polkit PK_ACTION_POLICIES + lockdown accessCheck(sender).
    Emits LockdownWhitelistContextAdded on success.
    """
    context = dbus_to_python(context, str)
    log.debug1("policies.addLockdownWhitelistContext('%s')" % context)
    self.accessCheck(sender)
    self.fw.policies.lockdown_whitelist.add_context(context)
    self.LockdownWhitelistContextAdded(context)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES)
@dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='s',
                     out_signature='')
@dbus_handle_exceptions
def removeLockdownWhitelistContext(self, context, sender=None):
    """Remove context string ``context`` from the lockdown whitelist.

    Mutator: polkit PK_ACTION_POLICIES + lockdown accessCheck(sender).
    Emits LockdownWhitelistContextRemoved on success.
    """
    context = dbus_to_python(context, str)
    log.debug1("policies.removeLockdownWhitelistContext('%s')" % context)
    self.accessCheck(sender)
    self.fw.policies.lockdown_whitelist.remove_context(context)
    self.LockdownWhitelistContextRemoved(context)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='s',
                     out_signature='b')
@dbus_handle_exceptions
def queryLockdownWhitelistContext(self, context, sender=None): # pylint: disable=W0613
    """Return whether context string ``context`` is on the lockdown whitelist.

    Read-only; polkit PK_ACTION_POLICIES_INFO only.
    """
    context = dbus_to_python(context, str)
    log.debug1("policies.queryLockdownWhitelistContext('%s')" % context)
    # no access check here: read-only
    return self.fw.policies.lockdown_whitelist.has_context(context)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_POLICIES_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_POLICIES, in_signature='',
                     out_signature='as')
@dbus_handle_exceptions
def getLockdownWhitelistContexts(self, sender=None): # pylint: disable=W0613
    """Return the list of whitelisted lockdown contexts (D-Bus 'as').

    Read-only; polkit PK_ACTION_POLICIES_INFO only.
    """
    log.debug1("policies.getLockdownWhitelistContexts()")
    # no access check here: read-only
    return self.fw.policies.lockdown_whitelist.get_contexts()

@dbus.service.signal(config.dbus.DBUS_INTERFACE_POLICIES, signature='s')
@dbus_handle_exceptions
def LockdownWhitelistContextAdded(self, context):
    """D-Bus signal: a context was added to the lockdown whitelist."""
    log.debug1("LockdownWhitelistContextAdded('%s')" % context)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_POLICIES, signature='s')
@dbus_handle_exceptions
def LockdownWhitelistContextRemoved(self, context):
    """D-Bus signal: a context was removed from the lockdown whitelist."""
    log.debug1("LockdownWhitelistContextRemoved('%s')" % context)

# # # # # # #
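# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# PANIC

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='',
                     out_signature='')
@dbus_handle_exceptions
def enablePanicMode(self, sender=None):
    """Enable panic mode.

    All ingoing and outgoing connections and packets will be blocked.
    Mutator: polkit PK_ACTION_CONFIG plus the lockdown accessCheck() on
    the D-Bus ``sender`` (accessCheck is defined elsewhere in this class).
    Emits PanicModeEnabled afterwards.
    """
    log.debug1("enablePanicMode()")
    self.accessCheck(sender)
    self.fw.enable_panic_mode()
    self.PanicModeEnabled()

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='',
                     out_signature='')
@dbus_handle_exceptions
def disablePanicMode(self, sender=None):
    """Disable panic mode.

    Enables normal mode: Allowed ingoing and outgoing connections
    will not be blocked anymore.
    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    Emits PanicModeDisabled afterwards.
    """
    log.debug1("disablePanicMode()")
    self.accessCheck(sender)
    self.fw.disable_panic_mode()
    self.PanicModeDisabled()

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='',
                     out_signature='b')
@dbus_handle_exceptions
def queryPanicMode(self, sender=None): # pylint: disable=W0613
    """Return True if panic mode is active (read-only, PK_ACTION_INFO)."""
    log.debug1("queryPanicMode()")
    return self.fw.query_panic_mode()

@dbus.service.signal(config.dbus.DBUS_INTERFACE, signature='')
@dbus_handle_exceptions
def PanicModeEnabled(self):
    """D-Bus signal: panic mode was enabled (body only logs)."""
    log.debug1("PanicModeEnabled()")

@dbus.service.signal(config.dbus.DBUS_INTERFACE, signature='')
@dbus_handle_exceptions
def PanicModeDisabled(self):
    """D-Bus signal: panic mode was disabled (body only logs)."""
    log.debug1("PanicModeDisabled()")

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# list functions

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='s',
                     out_signature=Zone.DBUS_SIGNATURE)
@dbus_handle_exceptions
def getZoneSettings(self, zone, sender=None): # pylint: disable=W0613
    """Return the runtime settings of ``zone`` (Zone.DBUS_SIGNATURE).

    Read-only; polkit PK_ACTION_CONFIG_INFO.
    """
    zone = dbus_to_python(zone, str)
    log.debug1("getZoneSettings(%s)", zone)
    return self.fw.zone.get_config_with_settings(zone)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='',
                     out_signature='as')
@dbus_handle_exceptions
def listServices(self, sender=None): # pylint: disable=W0613
    """Return the names of all known services (read-only, PK_ACTION_INFO)."""
    # TODO: should be renamed to getServices()
    # because is called by firewall-cmd --get-services
    log.debug1("listServices()")
    return self.fw.service.get_services()

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='s',
                     out_signature=Service.DBUS_SIGNATURE)
@dbus_handle_exceptions
def getServiceSettings(self, service, sender=None): # pylint: disable=W0613
    """Return the exported config of service ``service``.

    Read-only; polkit PK_ACTION_CONFIG_INFO.  An unknown name surfaces as
    whatever get_service() raises, translated by dbus_handle_exceptions.
    """
    service = dbus_to_python(service, str)
    log.debug1("getServiceSettings(%s)", service)
    return self.fw.service.get_service(service).export_config()

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='',
                     out_signature='as')
@dbus_handle_exceptions
def listIcmpTypes(self, sender=None): # pylint: disable=W0613
    """Return the names of all known ICMP types (read-only, PK_ACTION_INFO)."""
    # TODO: should be renamed to getIcmptypes()
    # because is called by firewall-cmd --get-icmptypes
    log.debug1("listIcmpTypes()")
    return self.fw.icmptype.get_icmptypes()

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='s',
                     out_signature=IcmpType.DBUS_SIGNATURE)
@dbus_handle_exceptions
def getIcmpTypeSettings(self, icmptype, sender=None): # pylint: disable=W0613
    """Return the exported config of ICMP type ``icmptype``.

    Read-only; polkit PK_ACTION_CONFIG_INFO.
    """
    icmptype = dbus_to_python(icmptype, str)
    log.debug1("getIcmpTypeSettings(%s)", icmptype)
    return self.fw.icmptype.get_icmptype(icmptype).export_config()

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# LOG DENIED

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='',
                     out_signature='s')
@dbus_handle_exceptions
def getLogDenied(self, sender=None): # pylint: disable=W0613
    """Return the current LogDenied value (read-only, PK_ACTION_CONFIG_INFO)."""
    log.debug1("getLogDenied()")
    return self.fw.get_log_denied()

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='s',
                     out_signature='')
@dbus_handle_exceptions
def setLogDenied(self, value, sender=None):
    """Set the LogDenied value and reload the whole firewall.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    Emits LogDeniedChanged, then performs a full runtime and config
    reload and emits Reloaded -- callers should expect the side effects
    of a reload, not just a setting change.
    """
    value = dbus_to_python(value, str)
    log.debug1("setLogDenied('%s')" % value)
    self.accessCheck(sender)
    self.fw.set_log_denied(value)
    self.LogDeniedChanged(value)
    # must reload the firewall as well
    self.fw.reload()
    self.config.reload()
    self.Reloaded()

@dbus.service.signal(config.dbus.DBUS_INTERFACE, signature='s')
@dbus_handle_exceptions
def LogDeniedChanged(self, value):
    """D-Bus signal: LogDenied was set to ``value``."""
    log.debug1("LogDeniedChanged('%s')" % (value))

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# AUTOMATIC HELPER ASSIGNMENT

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='',
                     out_signature='s')
@dbus_handle_exceptions
def getAutomaticHelpers(self, sender=None): # pylint: disable=W0613
    """Return the AutomaticHelpers value (read-only, PK_ACTION_CONFIG_INFO)."""
    log.debug1("getAutomaticHelpers()")
    return self.fw.get_automatic_helpers()

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='s',
                     out_signature='')
@dbus_handle_exceptions
def setAutomaticHelpers(self, value, sender=None):
    """Set the AutomaticHelpers value and reload the whole firewall.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    Emits AutomaticHelpersChanged, then reloads runtime and config and
    emits Reloaded (same pattern as setLogDenied).
    """
    value = dbus_to_python(value, str)
    log.debug1("setAutomaticHelpers('%s')" % value)
    self.accessCheck(sender)
    self.fw.set_automatic_helpers(value)
    self.AutomaticHelpersChanged(value)
    # must reload the firewall as well
    self.fw.reload()
    self.config.reload()
    self.Reloaded()

@dbus.service.signal(config.dbus.DBUS_INTERFACE, signature='s')
@dbus_handle_exceptions
def AutomaticHelpersChanged(self, value):
    """D-Bus signal: AutomaticHelpers was set to ``value``."""
    log.debug1("AutomaticHelpersChanged('%s')" % (value))

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# DEFAULT ZONE

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='',
                     out_signature='s')
@dbus_handle_exceptions
def getDefaultZone(self, sender=None): # pylint: disable=W0613
    """Return the name of the system default zone (read-only, PK_ACTION_INFO)."""
    log.debug1("getDefaultZone()")
    return self.fw.get_default_zone()

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='s',
                     out_signature='')
@dbus_handle_exceptions
def setDefaultZone(self, zone, sender=None):
    """Set the system default zone to ``zone``.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    Emits DefaultZoneChanged on success.
    """
    zone = dbus_to_python(zone, str)
    log.debug1("setDefaultZone('%s')" % zone)
    self.accessCheck(sender)
    self.fw.set_default_zone(zone)
    self.DefaultZoneChanged(zone)

@dbus.service.signal(config.dbus.DBUS_INTERFACE, signature='s')
@dbus_handle_exceptions
def DefaultZoneChanged(self, zone):
    """D-Bus signal: the default zone is now ``zone``."""
    log.debug1("DefaultZoneChanged('%s')" % (zone))

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# ZONE INTERFACE
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# ZONES

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
# TODO: shouldn't this be in DBUS_INTERFACE instead of DBUS_INTERFACE_ZONE ?
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='',
                     out_signature='as')
@dbus_handle_exceptions
def getZones(self, sender=None): # pylint: disable=W0613
    """Return the names of all zones (read-only, PK_ACTION_INFO)."""
    log.debug1("zone.getZones()")
    return self.fw.zone.get_zones()

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='',
                     out_signature='a{sa{sas}}')
@dbus_handle_exceptions
def getActiveZones(self, sender=None): # pylint: disable=W0613
    """Return the zones that have at least one interface or source bound.

    Result shape: {zone: {"interfaces": [...], "sources": [...]}} where
    each inner key is present only when its list is non-empty, and zones
    with neither are omitted entirely.  Read-only; PK_ACTION_INFO.
    """
    log.debug1("zone.getActiveZones()")
    zones = {}
    for zone in self.fw.zone.get_zones():
        interfaces = self.fw.zone.list_interfaces(zone)
        sources = self.fw.zone.list_sources(zone)
        if len(interfaces) + len(sources) > 0:
            zones[zone] = {}
            if len(interfaces) > 0:
                zones[zone]["interfaces"] = interfaces
            if len(sources) > 0:
                zones[zone]["sources"] = sources
    return zones

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s',
                     out_signature='s')
@dbus_handle_exceptions
def getZoneOfInterface(self, interface, sender=None): # pylint: disable=W0613
    """Return the zone an interface belongs to.

    :Parameters:
        `interface` : str
            Name of the interface
    :Returns:
        str. The name of the zone, or "" if the interface is not bound
        to any zone.
    """
    interface = dbus_to_python(interface, str)
    log.debug1("zone.getZoneOfInterface('%s')" % interface)
    zone = self.fw.zone.get_zone_of_interface(interface)
    if zone:
        return zone
    # D-Bus 's' cannot carry None; the empty string means "no zone".
    return ""

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s',
                     out_signature='s')
@dbus_handle_exceptions
def getZoneOfSource(self, source, sender=None): # pylint: disable=W0613
    """Return the zone a source belongs to, or "" if it is unbound.

    :Parameters:
        `source` : str
            Source address/network as passed to addSource
    :Returns:
        str. The name of the zone, or "".
    """
    source = dbus_to_python(source, str)
    log.debug1("zone.getZoneOfSource('%s')" % source)
    zone = self.fw.zone.get_zone_of_source(source)
    if zone:
        return zone
    return ""

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s',
                     out_signature='b')
@dbus_handle_exceptions
def isImmutable(self, zone, sender=None): # pylint: disable=W0613
    """Always return False; kept only for D-Bus API compatibility.

    There are no immutable zones anymore, so ``zone`` is not even
    validated here.
    """
    # no immutable zones anymore
    return False

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# INTERFACES

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='s')
@dbus_handle_exceptions
def addInterface(self, zone, interface, sender=None):
    """Add an interface to a zone.
    If zone is empty, use default zone.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    Returns the zone actually used (the default zone when ``zone`` was
    empty) and emits InterfaceAdded for it.
    """
    zone = dbus_to_python(zone, str)
    interface = dbus_to_python(interface, str)
    log.debug1("zone.addInterface('%s', '%s')" % (zone, interface))
    self.accessCheck(sender)
    _zone = self.fw.zone.add_interface(zone, interface, sender)
    self.InterfaceAdded(_zone, interface)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='s')
@dbus_handle_exceptions
def changeZone(self, zone, interface, sender=None):
    """Change a zone an interface is part of.
    If zone is empty, use default zone.
    This function is deprecated, use changeZoneOfInterface instead.

    Thin forwarder: the lockdown accessCheck() happens inside
    changeZoneOfInterface, which receives the original ``sender``.
    """
    zone = dbus_to_python(zone, str)
    interface = dbus_to_python(interface, str)
    return self.changeZoneOfInterface(zone, interface, sender)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='s')
@dbus_handle_exceptions
def changeZoneOfInterface(self, zone, interface, sender=None):
    """Change a zone an interface is part of.
    If zone is empty, use default zone.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    Returns the zone actually used and emits ZoneOfInterfaceChanged.
    """
    zone = dbus_to_python(zone, str)
    interface = dbus_to_python(interface, str)
    log.debug1("zone.changeZoneOfInterface('%s', '%s')" % (zone, interface))
    self.accessCheck(sender)
    _zone = self.fw.zone.change_zone_of_interface(zone, interface, sender)
    self.ZoneOfInterfaceChanged(_zone, interface)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='s')
@dbus_handle_exceptions
def removeInterface(self, zone, interface, sender=None):
    """Remove interface from a zone.
    If zone is empty, remove from zone the interface belongs to.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    Returns the zone the interface was removed from; emits InterfaceRemoved.
    """
    zone = dbus_to_python(zone, str)
    interface = dbus_to_python(interface, str)
    log.debug1("zone.removeInterface('%s', '%s')" % (zone, interface))
    self.accessCheck(sender)
    _zone = self.fw.zone.remove_interface(zone, interface)
    self.InterfaceRemoved(_zone, interface)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='b')
@dbus_handle_exceptions
def queryInterface(self, zone, interface, sender=None): # pylint: disable=W0613
    """Return true if an interface is in a zone.
    If zone is empty, use default zone.

    Read-only; polkit PK_ACTION_CONFIG_INFO.
    """
    zone = dbus_to_python(zone, str)
    interface = dbus_to_python(interface, str)
    log.debug1("zone.queryInterface('%s', '%s')" % (zone, interface))
    return self.fw.zone.query_interface(zone, interface)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s',
                     out_signature='as')
@dbus_handle_exceptions
def getInterfaces(self, zone, sender=None): # pylint: disable=W0613
    """Return the list of interfaces of a zone.
    If zone is empty, use default zone.

    Read-only; polkit PK_ACTION_CONFIG_INFO.
    """
    # TODO: should be renamed to listInterfaces()
    # because is called by firewall-cmd --zone --list-interfaces
    zone = dbus_to_python(zone, str)
    log.debug1("zone.getInterfaces('%s')" % (zone))
    return self.fw.zone.list_interfaces(zone)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='ss')
@dbus_handle_exceptions
def InterfaceAdded(self, zone, interface):
    """D-Bus signal: ``interface`` was added to ``zone``."""
    log.debug1("zone.InterfaceAdded('%s', '%s')" % (zone, interface))

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='ss')
@dbus_handle_exceptions
def ZoneChanged(self, zone, interface):
    """
    This signal is deprecated.

    It is still emitted from ZoneOfInterfaceChanged so old listeners keep
    working.
    """
    log.debug1("zone.ZoneChanged('%s', '%s')" % (zone, interface))

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='ss')
@dbus_handle_exceptions
def ZoneOfInterfaceChanged(self, zone, interface):
    """D-Bus signal: ``interface`` now belongs to ``zone``.

    Also emits the deprecated ZoneChanged signal for compatibility.
    """
    log.debug1("zone.ZoneOfInterfaceChanged('%s', '%s')" % (zone, interface))
    self.ZoneChanged(zone, interface)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='ss')
@dbus_handle_exceptions
def InterfaceRemoved(self, zone, interface):
    """D-Bus signal: ``interface`` was removed from ``zone``."""
    log.debug1("zone.InterfaceRemoved('%s', '%s')" % (zone, interface))

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# SOURCES

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='s')
@dbus_handle_exceptions
def addSource(self, zone, source, sender=None):
    """Add a source to a zone.
    If zone is empty, use default zone.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    Returns the zone actually used and emits SourceAdded.
    """
    zone = dbus_to_python(zone, str)
    source = dbus_to_python(source, str)
    log.debug1("zone.addSource('%s', '%s')" % (zone, source))
    self.accessCheck(sender)
    _zone = self.fw.zone.add_source(zone, source, sender)
    self.SourceAdded(_zone, source)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='s')
@dbus_handle_exceptions
def changeZoneOfSource(self, zone, source, sender=None):
    """Change a zone a source is part of.
    If zone is empty, use default zone.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    Returns the zone actually used and emits ZoneOfSourceChanged.
    """
    zone = dbus_to_python(zone, str)
    source = dbus_to_python(source, str)
    log.debug1("zone.changeZoneOfSource('%s', '%s')" % (zone, source))
    self.accessCheck(sender)
    _zone = self.fw.zone.change_zone_of_source(zone, source, sender)
    self.ZoneOfSourceChanged(_zone, source)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='s')
@dbus_handle_exceptions
def removeSource(self, zone, source, sender=None):
    """Remove source from a zone.
    If zone is empty, remove from zone the source belongs to.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    Returns the zone the source was removed from; emits SourceRemoved.
    """
    zone = dbus_to_python(zone, str)
    source = dbus_to_python(source, str)
    log.debug1("zone.removeSource('%s', '%s')" % (zone, source))
    self.accessCheck(sender)
    _zone = self.fw.zone.remove_source(zone, source)
    self.SourceRemoved(_zone, source)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='b')
@dbus_handle_exceptions
def querySource(self, zone, source, sender=None): # pylint: disable=W0613
    """Return true if a source is in a zone.
    If zone is empty, use default zone.

    Read-only; polkit PK_ACTION_CONFIG_INFO.
    """
    zone = dbus_to_python(zone, str)
    source = dbus_to_python(source, str)
    log.debug1("zone.querySource('%s', '%s')" % (zone, source))
    return self.fw.zone.query_source(zone, source)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s',
                     out_signature='as')
@dbus_handle_exceptions
def getSources(self, zone, sender=None): # pylint: disable=W0613
    """Return the list of sources of a zone.
    If zone is empty, use default zone.

    Read-only; polkit PK_ACTION_CONFIG_INFO.
    """
    # TODO: should be renamed to listSources()
    # because is called by firewall-cmd --zone --list-sources
    zone = dbus_to_python(zone, str)
    log.debug1("zone.getSources('%s')" % (zone))
    return self.fw.zone.list_sources(zone)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='ss')
@dbus_handle_exceptions
def SourceAdded(self, zone, source):
    """D-Bus signal: ``source`` was added to ``zone``."""
    log.debug1("zone.SourceAdded('%s', '%s')" % (zone, source))

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='ss')
@dbus_handle_exceptions
def ZoneOfSourceChanged(self, zone, source):
    """D-Bus signal: ``source`` now belongs to ``zone``."""
    log.debug1("zone.ZoneOfSourceChanged('%s', '%s')" % (zone, source))

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='ss')
@dbus_handle_exceptions
def SourceRemoved(self, zone, source):
    """D-Bus signal: ``source`` was removed from ``zone``."""
    log.debug1("zone.SourceRemoved('%s', '%s')" % (zone, source))

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# RICH RULES

@dbus_handle_exceptions
def disableTimedRichRule(self, zone, rule):
    """GLib timeout callback: drop rich rule ``rule`` once its timeout expires.

    Not a D-Bus method.  Forgets the timeout tag first so a concurrent
    removeRichRule cannot cancel a source that already fired, then
    removes the rule and emits RichRuleRemoved.  Returning None (falsy)
    tells GLib not to reschedule the one-shot source.
    """
    log.debug1("zone.disableTimedRichRule('%s', '%s')" % (zone, rule))
    del self._timeouts[zone][rule]
    obj = Rich_Rule(rule_str=rule)
    self.fw.zone.remove_rule(zone, obj)
    self.RichRuleRemoved(zone, rule)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ssi',
                     out_signature='s')
@dbus_handle_exceptions
def addRichRule(self, zone, rule, timeout, sender=None):
    """Add rich rule ``rule`` (rich-language string) to ``zone``.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender), the
    same gate every other add*/remove* method on this interface applies.
    ``timeout`` > 0 arms a GLib one-shot timer that removes the rule
    again via disableTimedRichRule.  Returns the zone actually used and
    emits RichRuleAdded.  A malformed ``rule`` fails in Rich_Rule()
    parsing, which dbus_handle_exceptions turns into a D-Bus error.
    """
    zone = dbus_to_python(zone, str)
    rule = dbus_to_python(rule, str)
    timeout = dbus_to_python(timeout, int)
    log.debug1("zone.addRichRule('%s', '%s')" % (zone, rule))
    # Lockdown whitelist check, before any parsing or mutation.  Every
    # sibling mutator (addService, addPort, addProtocol, addSourcePort,
    # addInterface, addSource, ...) calls this; without it a rich rule
    # could be added under lockdown by a caller that is not whitelisted.
    self.accessCheck(sender)
    obj = Rich_Rule(rule_str=rule)
    _zone = self.fw.zone.add_rule(zone, obj, timeout)
    if timeout > 0:
        tag = GLib.timeout_add_seconds(timeout, self.disableTimedRichRule,
                                       _zone, rule)
        self.addTimeout(_zone, rule, tag)
    self.RichRuleAdded(_zone, rule, timeout)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='s')
@dbus_handle_exceptions
def removeRichRule(self, zone, rule, sender=None):
    """Remove rich rule ``rule`` from ``zone``.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender), as
    for every other remove* method here.  Cancels a pending timed
    removal, emits RichRuleRemoved and returns the zone used.
    """
    zone = dbus_to_python(zone, str)
    rule = dbus_to_python(rule, str)
    log.debug1("zone.removeRichRule('%s', '%s')" % (zone, rule))
    # Same lockdown gate as the sibling mutators; removing a rule can
    # open traffic (e.g. dropping a reject/drop rule) just as adding one can.
    self.accessCheck(sender)
    obj = Rich_Rule(rule_str=rule)
    _zone = self.fw.zone.remove_rule(zone, obj)
    self.removeTimeout(_zone, rule)
    self.RichRuleRemoved(_zone, rule)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='b')
@dbus_handle_exceptions
def queryRichRule(self, zone, rule, sender=None): # pylint: disable=W0613
    """Return True if rich rule ``rule`` is enabled in ``zone``.

    Read-only; polkit PK_ACTION_CONFIG_INFO.  ``rule`` is parsed first,
    so a malformed string is a D-Bus error rather than False.
    """
    zone = dbus_to_python(zone, str)
    rule = dbus_to_python(rule, str)
    log.debug1("zone.queryRichRule('%s', '%s')" % (zone, rule))
    obj = Rich_Rule(rule_str=rule)
    return self.fw.zone.query_rule(zone, obj)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s',
                     out_signature='as')
@dbus_handle_exceptions
def getRichRules(self, zone, sender=None): # pylint: disable=W0613
    """Return the enabled rich rules of ``zone`` as strings.

    Read-only; polkit PK_ACTION_CONFIG_INFO.
    """
    # TODO: should be renamed to listRichRules()
    # because is called by firewall-cmd --zone --list-rich-rules
    zone = dbus_to_python(zone, str)
    log.debug1("zone.getRichRules('%s')" % (zone))
    return self.fw.zone.list_rules(zone)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='ssi')
@dbus_handle_exceptions
def RichRuleAdded(self, zone, rule, timeout):
    """D-Bus signal: ``rule`` was added to ``zone`` with ``timeout`` seconds."""
    log.debug1("zone.RichRuleAdded('%s', '%s', %d)" % (zone, rule, timeout))

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='ss')
@dbus_handle_exceptions
def RichRuleRemoved(self, zone, rule):
    """D-Bus signal: ``rule`` was removed from ``zone``."""
    log.debug1("zone.RichRuleRemoved('%s', '%s')" % (zone, rule))

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# SERVICES

@dbus_handle_exceptions
def disableTimedService(self, zone, service):
    """GLib timeout callback: remove ``service`` from ``zone`` after its timeout.

    Not a D-Bus method.  Drops the timeout bookkeeping entry, removes
    the service and emits ServiceRemoved; returns None so GLib does not
    reschedule the source.
    """
    log.debug1("zone.disableTimedService('%s', '%s')" % (zone, service))
    del self._timeouts[zone][service]
    self.fw.zone.remove_service(zone, service)
    self.ServiceRemoved(zone, service)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ssi',
                     out_signature='s')
@dbus_handle_exceptions
def addService(self, zone, service, timeout, sender=None):
    """Enable ``service`` in ``zone`` if not enabled already.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    ``timeout`` > 0 arms a one-shot removal via disableTimedService.
    Returns the zone actually used and emits ServiceAdded.
    """
    zone = dbus_to_python(zone, str)
    service = dbus_to_python(service, str)
    timeout = dbus_to_python(timeout, int)
    log.debug1("zone.addService('%s', '%s', %d)" % (zone, service, timeout))
    self.accessCheck(sender)
    _zone = self.fw.zone.add_service(zone, service, timeout, sender)
    if timeout > 0:
        tag = GLib.timeout_add_seconds(timeout, self.disableTimedService,
                                       _zone, service)
        self.addTimeout(_zone, service, tag)
    self.ServiceAdded(_zone, service, timeout)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='s')
@dbus_handle_exceptions
def removeService(self, zone, service, sender=None):
    """Disable ``service`` in ``zone``.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    Cancels a pending timed removal, emits ServiceRemoved, returns the
    zone used.
    """
    zone = dbus_to_python(zone, str)
    service = dbus_to_python(service, str)
    log.debug1("zone.removeService('%s', '%s')" % (zone, service))
    self.accessCheck(sender)
    _zone = self.fw.zone.remove_service(zone, service)
    self.removeTimeout(_zone, service)
    self.ServiceRemoved(_zone, service)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='b')
@dbus_handle_exceptions
def queryService(self, zone, service, sender=None): # pylint: disable=W0613
    """Return True if ``service`` is enabled in ``zone`` (read-only)."""
    zone = dbus_to_python(zone, str)
    service = dbus_to_python(service, str)
    log.debug1("zone.queryService('%s', '%s')" % (zone, service))
    return self.fw.zone.query_service(zone, service)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s',
                     out_signature='as')
@dbus_handle_exceptions
def getServices(self, zone, sender=None): # pylint: disable=W0613
    """Return the enabled services of ``zone`` (read-only)."""
    # TODO: should be renamed to listServices()
    # because is called by firewall-cmd --zone --list-services
    zone = dbus_to_python(zone, str)
    log.debug1("zone.getServices('%s')" % (zone))
    return self.fw.zone.list_services(zone)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='ssi')
@dbus_handle_exceptions
def ServiceAdded(self, zone, service, timeout):
    """D-Bus signal: ``service`` was enabled in ``zone`` for ``timeout`` s."""
    log.debug1("zone.ServiceAdded('%s', '%s', %d)" %
               (zone, service, timeout))

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='ss')
@dbus_handle_exceptions
def ServiceRemoved(self, zone, service):
    """D-Bus signal: ``service`` was disabled in ``zone``."""
    log.debug1("zone.ServiceRemoved('%s', '%s')" % (zone, service))

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# PORTS

@dbus_handle_exceptions
def disableTimedPort(self, zone, port, protocol):
    """GLib timeout callback: close ``port``/``protocol`` in ``zone`` after timeout.

    Not a D-Bus method.  Timeout entries for ports are keyed by the
    (port, protocol) tuple, matching addPort/removePort.
    """
    log.debug1("zone.disableTimedPort('%s', '%s', '%s')" %
               (zone, port, protocol))
    del self._timeouts[zone][(port, protocol)]
    self.fw.zone.remove_port(zone, port, protocol)
    self.PortRemoved(zone, port, protocol)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='sssi',
                     out_signature='s')
@dbus_handle_exceptions
def addPort(self, zone, port, protocol, timeout, sender=None): # pylint: disable=R0913
    """Open ``port`` (single port or range string) for ``protocol`` in ``zone``.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    ``timeout`` > 0 arms a one-shot removal via disableTimedPort.
    Returns the zone actually used and emits PortAdded.
    """
    zone = dbus_to_python(zone, str)
    port = dbus_to_python(port, str)
    protocol = dbus_to_python(protocol, str)
    timeout = dbus_to_python(timeout, int)
    log.debug1("zone.addPort('%s', '%s', '%s')" %
               (zone, port, protocol))
    self.accessCheck(sender)
    _zone = self.fw.zone.add_port(zone, port, protocol, timeout, sender)
    if timeout > 0:
        tag = GLib.timeout_add_seconds(timeout, self.disableTimedPort,
                                       _zone, port, protocol)
        self.addTimeout(_zone, (port, protocol), tag)
    self.PortAdded(_zone, port, protocol, timeout)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='sss',
                     out_signature='s')
@dbus_handle_exceptions
def removePort(self, zone, port, protocol, sender=None): # pylint: disable=R0913
    """Close ``port``/``protocol`` in ``zone`` if it is open.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    Cancels a pending timed removal, emits PortRemoved, returns the zone.
    """
    zone = dbus_to_python(zone, str)
    port = dbus_to_python(port, str)
    protocol = dbus_to_python(protocol, str)
    log.debug1("zone.removePort('%s', '%s', '%s')" %
               (zone, port, protocol))
    self.accessCheck(sender)
    _zone = self.fw.zone.remove_port(zone, port, protocol)
    self.removeTimeout(_zone, (port, protocol))
    self.PortRemoved(_zone, port, protocol)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='sss',
                     out_signature='b')
@dbus_handle_exceptions
def queryPort(self, zone, port, protocol, sender=None): # pylint: disable=W0613, R0913
    """Return True if ``port``/``protocol`` is open in ``zone`` (read-only)."""
    zone = dbus_to_python(zone, str)
    port = dbus_to_python(port, str)
    protocol = dbus_to_python(protocol, str)
    log.debug1("zone.queryPort('%s', '%s', '%s')" % (zone, port, protocol))
    return self.fw.zone.query_port(zone, port, protocol)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s',
                     out_signature='aas')
@dbus_handle_exceptions
def getPorts(self, zone, sender=None): # pylint: disable=W0613
    """Return the open ports of ``zone`` as [port, protocol] pairs (read-only)."""
    # TODO: should be renamed to listPorts()
    # because is called by firewall-cmd --zone --list-ports
    zone = dbus_to_python(zone, str)
    log.debug1("zone.getPorts('%s')" % (zone))
    return self.fw.zone.list_ports(zone)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='sssi')
@dbus_handle_exceptions
def PortAdded(self, zone, port, protocol, timeout=0):
    """D-Bus signal: ``port``/``protocol`` was opened in ``zone``."""
    log.debug1("zone.PortAdded('%s', '%s', '%s', %d)" %
               (zone, port, protocol, timeout))

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='sss')
@dbus_handle_exceptions
def PortRemoved(self, zone, port, protocol):
    """D-Bus signal: ``port``/``protocol`` was closed in ``zone``."""
    log.debug1("zone.PortRemoved('%s', '%s', '%s')" %
               (zone, port, protocol))

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# PROTOCOLS

@dbus_handle_exceptions
def disableTimedProtocol(self, zone, protocol):
    """GLib timeout callback: remove ``protocol`` from ``zone`` after timeout.

    Not a D-Bus method.  NOTE(review): protocol timeouts are keyed by the
    bare protocol string, the same key space addService uses for service
    names (ports use a tuple, source ports a tagged tuple).  A service
    and a protocol with the same name in one zone would share an entry;
    whether that can happen depends on the service definitions -- verify
    before relying on it.
    """
    log.debug1("zone.disableTimedProtocol('%s', '%s')" % (zone, protocol))
    del self._timeouts[zone][protocol]
    self.fw.zone.remove_protocol(zone, protocol)
    self.ProtocolRemoved(zone, protocol)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ssi',
                     out_signature='s')
@dbus_handle_exceptions
def addProtocol(self, zone, protocol, timeout, sender=None):
    """Allow IP ``protocol`` in ``zone`` if not allowed already.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    ``timeout`` > 0 arms a one-shot removal via disableTimedProtocol.
    Returns the zone actually used and emits ProtocolAdded.
    """
    zone = dbus_to_python(zone, str)
    protocol = dbus_to_python(protocol, str)
    timeout = dbus_to_python(timeout, int)
    # Log under the real method name (was "enableProtocol", which does
    # not exist on this interface and made traces hard to correlate).
    log.debug1("zone.addProtocol('%s', '%s')" % (zone, protocol))
    self.accessCheck(sender)
    _zone = self.fw.zone.add_protocol(zone, protocol, timeout, sender)
    if timeout > 0:
        tag = GLib.timeout_add_seconds(timeout, self.disableTimedProtocol,
                                       _zone, protocol)
        self.addTimeout(_zone, protocol, tag)
    self.ProtocolAdded(_zone, protocol, timeout)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='s')
@dbus_handle_exceptions
def removeProtocol(self, zone, protocol, sender=None):
    """Disallow IP ``protocol`` in ``zone``.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    Cancels a pending timed removal, emits ProtocolRemoved, returns the zone.
    """
    zone = dbus_to_python(zone, str)
    protocol = dbus_to_python(protocol, str)
    log.debug1("zone.removeProtocol('%s', '%s')" % (zone, protocol))
    self.accessCheck(sender)
    _zone = self.fw.zone.remove_protocol(zone, protocol)
    self.removeTimeout(_zone, protocol)
    self.ProtocolRemoved(_zone, protocol)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='b')
@dbus_handle_exceptions
def queryProtocol(self, zone, protocol, sender=None): # pylint: disable=W0613
    """Return True if ``protocol`` is allowed in ``zone`` (read-only)."""
    zone = dbus_to_python(zone, str)
    protocol = dbus_to_python(protocol, str)
    log.debug1("zone.queryProtocol('%s', '%s')" % (zone, protocol))
    return self.fw.zone.query_protocol(zone, protocol)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s',
                     out_signature='as')
@dbus_handle_exceptions
def getProtocols(self, zone, sender=None): # pylint: disable=W0613
    """Return the allowed protocols of ``zone`` (read-only)."""
    # TODO: should be renamed to listProtocols()
    # because is called by firewall-cmd --zone --list-protocols
    zone = dbus_to_python(zone, str)
    log.debug1("zone.getProtocols('%s')" % (zone))
    return self.fw.zone.list_protocols(zone)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='ssi')
@dbus_handle_exceptions
def ProtocolAdded(self, zone, protocol, timeout=0):
    """D-Bus signal: ``protocol`` was allowed in ``zone``."""
    log.debug1("zone.ProtocolAdded('%s', '%s', %d)" %
               (zone, protocol, timeout))

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='ss')
@dbus_handle_exceptions
def ProtocolRemoved(self, zone, protocol):
    """D-Bus signal: ``protocol`` was disallowed in ``zone``."""
    log.debug1("zone.ProtocolRemoved('%s', '%s')" % (zone, protocol))

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# SOURCE PORTS

@dbus_handle_exceptions
def disableTimedSourcePort(self, zone, port, protocol):
    """GLib timeout callback: remove source port after its timeout.

    Not a D-Bus method.  Source-port timeouts are keyed by the tagged
    tuple ("sport", port, protocol) so they cannot collide with the
    (port, protocol) keys used for destination ports.
    """
    log.debug1("zone.disableTimedSourcePort('%s', '%s', '%s')" %
               (zone, port, protocol))
    del self._timeouts[zone][("sport", port, protocol)]
    self.fw.zone.remove_source_port(zone, port, protocol)
    self.SourcePortRemoved(zone, port, protocol)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='sssi',
                     out_signature='s')
@dbus_handle_exceptions
def addSourcePort(self, zone, port, protocol, timeout, sender=None): # pylint: disable=R0913
    """Allow source ``port``/``protocol`` in ``zone`` if not allowed already.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    ``timeout`` > 0 arms a one-shot removal via disableTimedSourcePort.
    Returns the zone actually used and emits SourcePortAdded.
    """
    zone = dbus_to_python(zone, str)
    port = dbus_to_python(port, str)
    protocol = dbus_to_python(protocol, str)
    timeout = dbus_to_python(timeout, int)
    log.debug1("zone.addSourcePort('%s', '%s', '%s')" % (zone, port, protocol))
    self.accessCheck(sender)
    _zone = self.fw.zone.add_source_port(zone, port, protocol, timeout, sender)
    if timeout > 0:
        tag = GLib.timeout_add_seconds(timeout, self.disableTimedSourcePort,
                                       _zone, port, protocol)
        self.addTimeout(_zone, ("sport", port, protocol), tag)
    self.SourcePortAdded(_zone, port, protocol, timeout)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='sss',
                     out_signature='s')
@dbus_handle_exceptions
def removeSourcePort(self, zone, port, protocol, sender=None): # pylint: disable=R0913
    """Disallow source ``port``/``protocol`` in ``zone``.

    Mutator: polkit PK_ACTION_CONFIG + lockdown accessCheck(sender).
    Cancels a pending timed removal, emits SourcePortRemoved, returns the zone.
    """
    zone = dbus_to_python(zone, str)
    port = dbus_to_python(port, str)
    protocol = dbus_to_python(protocol, str)
    log.debug1("zone.removeSourcePort('%s', '%s', '%s')" % (zone, port, protocol))
    self.accessCheck(sender)
    _zone = self.fw.zone.remove_source_port(zone, port, protocol)
    self.removeTimeout(_zone, ("sport", port, protocol))
    self.SourcePortRemoved(_zone, port, protocol)
    return _zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='sss',
                     out_signature='b')
@dbus_handle_exceptions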
def querySourcePort(self, zone, port, protocol, sender=None): # pylint: disable=W0613, R0913 # returns true if a source port is enabled for zone zone = dbus_to_python(zone, str) port = dbus_to_python(port, str) protocol = dbus_to_python(protocol, str) log.debug1("zone.querySourcePort('%s', '%s', '%s')" % (zone, port, protocol)) return self.fw.zone.query_source_port(zone, port, protocol) @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO) @dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s', out_signature='aas') @dbus_handle_exceptions def getSourcePorts(self, zone, sender=None): # pylint: disable=W0613 # returns the list of enabled source ports # TODO: should be renamed to listSourcePorts() # because is called by firewall-cmd --zone --list-source-ports zone = dbus_to_python(zone, str) log.debug1("zone.getSourcePorts('%s')" % (zone)) return self.fw.zone.list_source_ports(zone) @dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='sssi') @dbus_handle_exceptions def SourcePortAdded(self, zone, port, protocol, timeout=0): log.debug1("zone.SourcePortAdded('%s', '%s', '%s', %d)" % \ (zone, port, protocol, timeout)) @dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='sss') @dbus_handle_exceptions def SourcePortRemoved(self, zone, port, protocol): log.debug1("zone.SourcePortRemoved('%s', '%s', '%s')" % (zone, port, protocol)) # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # MASQUERADE @dbus_handle_exceptions def disableTimedMasquerade(self, zone): del self._timeouts[zone]["masquerade"] self.fw.zone.remove_masquerade(zone) self.MasqueradeRemoved(zone) @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) @dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='si', out_signature='s') @dbus_handle_exceptions def addMasquerade(self, zone, timeout, sender=None): # adds masquerade if not added already zone = dbus_to_python(zone, str) timeout = dbus_to_python(timeout, int) 
log.debug1("zone.addMasquerade('%s')" % (zone)) self.accessCheck(sender) _zone = self.fw.zone.add_masquerade(zone, timeout, sender) if timeout > 0: tag = GLib.timeout_add_seconds(timeout, self.disableTimedMasquerade, _zone) self.addTimeout(_zone, "masquerade", tag) self.MasqueradeAdded(_zone, timeout) return _zone @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) @dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s', out_signature='s') @dbus_handle_exceptions def removeMasquerade(self, zone, sender=None): # removes masquerade zone = dbus_to_python(zone, str) log.debug1("zone.removeMasquerade('%s')" % (zone)) self.accessCheck(sender) _zone = self.fw.zone.remove_masquerade(zone) self.removeTimeout(_zone, "masquerade") self.MasqueradeRemoved(_zone) return _zone @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO) @dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s', out_signature='b') @dbus_handle_exceptions def queryMasquerade(self, zone, sender=None): # pylint: disable=W0613 # returns true if a masquerade is added zone = dbus_to_python(zone, str) log.debug1("zone.queryMasquerade('%s')" % (zone)) return self.fw.zone.query_masquerade(zone) @dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='si') @dbus_handle_exceptions def MasqueradeAdded(self, zone, timeout=0): log.debug1("zone.MasqueradeAdded('%s', %d)" % (zone, timeout)) @dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='s') @dbus_handle_exceptions def MasqueradeRemoved(self, zone): log.debug1("zone.MasqueradeRemoved('%s')" % (zone)) # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # FORWARD PORT @dbus_handle_exceptions def disable_forward_port(self, zone, port, protocol, toport, toaddr): # pylint: disable=R0913 del self._timeouts[zone][(port, protocol, toport, toaddr)] self.fw.zone.remove_forward_port(zone, port, protocol, toport, toaddr) self.ForwardPortRemoved(zone, port, protocol, toport, toaddr) 
@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='sssssi',
                     out_signature='s')
@dbus_handle_exceptions
def addForwardPort(self, zone, port, protocol, toport, toaddr, timeout,
                   sender=None):
    # pylint: disable=R0913
    """Add a port-forwarding entry to *zone*, optionally for *timeout* seconds.

    Arguments arrive as D-Bus types and are converted to native ones before
    use.  The polkit action PK_ACTION_CONFIG plus accessCheck(sender) gate
    the change before the core (self.fw.zone) is touched.  A positive
    timeout arms a GLib timer that calls disable_forward_port; its tag is
    stored under the (port, protocol, toport, toaddr) key so that
    removeForwardPort can cancel it.  Returns the zone name reported by the
    core, which may differ from the *zone* argument.
    """
    zone, port, protocol, toport, toaddr = [
        dbus_to_python(value, str)
        for value in (zone, port, protocol, toport, toaddr)
    ]
    timeout = dbus_to_python(timeout, int)
    log.debug1("zone.addForwardPort('%s', '%s', '%s', '%s', '%s')" %
               (zone, port, protocol, toport, toaddr))
    self.accessCheck(sender)
    effective_zone = self.fw.zone.add_forward_port(
        zone, port, protocol, toport, toaddr, timeout, sender)
    if timeout > 0:
        timeout_key = (port, protocol, toport, toaddr)
        timer_id = GLib.timeout_add_seconds(
            timeout, self.disable_forward_port,
            effective_zone, port, protocol, toport, toaddr)
        self.addTimeout(effective_zone, timeout_key, timer_id)
    self.ForwardPortAdded(effective_zone, port, protocol, toport, toaddr,
                          timeout)
    return effective_zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='sssss',
                     out_signature='s')
@dbus_handle_exceptions
def removeForwardPort(self, zone, port, protocol, toport, toaddr,
                      sender=None):
    # pylint: disable=R0913
    """Remove a port-forwarding entry from *zone* and return the zone name.

    Cancels any pending timer registered by addForwardPort for the same
    key before emitting ForwardPortRemoved.  Gated by PK_ACTION_CONFIG and
    accessCheck(sender).
    """
    zone, port, protocol, toport, toaddr = [
        dbus_to_python(value, str)
        for value in (zone, port, protocol, toport, toaddr)
    ]
    log.debug1("zone.removeForwardPort('%s', '%s', '%s', '%s', '%s')" %
               (zone, port, protocol, toport, toaddr))
    self.accessCheck(sender)
    effective_zone = self.fw.zone.remove_forward_port(
        zone, port, protocol, toport, toaddr)
    timeout_key = (port, protocol, toport, toaddr)
    self.removeTimeout(effective_zone, timeout_key)
    self.ForwardPortRemoved(effective_zone, port, protocol, toport, toaddr)
    return effective_zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='sssss',
                     out_signature='b')
@dbus_handle_exceptions
def queryForwardPort(self, zone, port, protocol, toport, toaddr,
                     sender=None):
    # pylint: disable=W0613, R0913
    """Return True if the forward-port entry is enabled for *zone*.

    Read-only: only the PK_ACTION_CONFIG_INFO polkit action applies and no
    accessCheck is performed.  *sender* is unused here; it is kept for the
    decorator's calling convention.
    """
    zone, port, protocol, toport, toaddr = [
        dbus_to_python(value, str)
        for value in (zone, port, protocol, toport, toaddr)
    ]
    log.debug1("zone.queryForwardPort('%s', '%s', '%s', '%s', '%s')" %
               (zone, port, protocol, toport, toaddr))
    return self.fw.zone.query_forward_port(zone, port, protocol, toport,
                                           toaddr)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s',
                     out_signature='aas')
@dbus_handle_exceptions
def getForwardPorts(self, zone, sender=None):
    # pylint: disable=W0613
    """Return the list of enabled forward ports for *zone* (read-only).

    TODO: should be renamed to listForwardPorts() because it is called by
    firewall-cmd --zone --list-forward-ports.
    """
    zone = dbus_to_python(zone, str)
    log.debug1("zone.getForwardPorts('%s')" % zone)
    return self.fw.zone.list_forward_ports(zone)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='sssssi')
@dbus_handle_exceptions
def ForwardPortAdded(self, zone, port, protocol, toport, toaddr, timeout=0):
    # pylint: disable=R0913
    """D-Bus signal: a forward port was added.  The body only logs; the
    dbus.service.signal decorator emits the signal after it runs."""
    message = ("zone.ForwardPortAdded('%s', '%s', '%s', '%s', '%s', %d)" %
               (zone, port, protocol, toport, toaddr, timeout))
    log.debug1(message)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='sssss')
@dbus_handle_exceptions
def ForwardPortRemoved(self, zone, port, protocol, toport, toaddr):
    # pylint: disable=R0913
    """D-Bus signal: a forward port was removed (body only logs)."""
    message = ("zone.ForwardPortRemoved('%s', '%s', '%s', '%s', '%s')" %
               (zone, port, protocol, toport, toaddr))
    log.debug1(message)

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# ICMP BLOCK

@dbus_handle_exceptions
def disableTimedIcmpBlock(self, zone, icmp, sender):
    # pylint: disable=W0613
    """GLib timer callback: drop an ICMP block whose timeout expired.

    Removes the timer bookkeeping entry, then the block itself, then emits
    IcmpBlockRemoved.  *sender* is passed by addIcmpBlock but not used.
    NOTE(review): the per-zone timeout dict is keyed by the bare icmp type
    string here, whereas ports use tuples and source ports a tagged tuple;
    a plain string key could collide with another string-keyed entry for
    the same zone -- confirm against the other add*/disableTimed* methods.
    """
    log.debug1("zone.disableTimedIcmpBlock('%s', '%s')" % (zone, icmp))
    del self._timeouts[zone][icmp]
    self.fw.zone.remove_icmp_block(zone, icmp)
    self.IcmpBlockRemoved(zone, icmp)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ssi',
                     out_signature='s')
@dbus_handle_exceptions
def addIcmpBlock(self, zone, icmp, timeout, sender=None):
    """Block ICMP type *icmp* in *zone*, optionally for *timeout* seconds.

    Gated by PK_ACTION_CONFIG and accessCheck(sender).  A positive timeout
    arms a GLib timer calling disableTimedIcmpBlock.  Returns the zone name
    reported by the core.  The debug message keeps the historical
    'enableIcmpBlock' name rather than the method name.
    """
    zone = dbus_to_python(zone, str)
    icmp = dbus_to_python(icmp, str)
    timeout = dbus_to_python(timeout, int)
    log.debug1("zone.enableIcmpBlock('%s', '%s')" % (zone, icmp))
    self.accessCheck(sender)
    effective_zone = self.fw.zone.add_icmp_block(zone, icmp, timeout, sender)
    if timeout > 0:
        timer_id = GLib.timeout_add_seconds(
            timeout, self.disableTimedIcmpBlock, effective_zone, icmp, sender)
        self.addTimeout(effective_zone, icmp, timer_id)
    self.IcmpBlockAdded(effective_zone, icmp, timeout)
    return effective_zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='s')
@dbus_handle_exceptions
def removeIcmpBlock(self, zone, icmp, sender=None):
    """Unblock ICMP type *icmp* in *zone* and return the zone name.

    Cancels a pending timer for the same key before emitting
    IcmpBlockRemoved.  Gated by PK_ACTION_CONFIG and accessCheck(sender).
    """
    zone = dbus_to_python(zone, str)
    icmp = dbus_to_python(icmp, str)
    log.debug1("zone.removeIcmpBlock('%s', '%s')" % (zone, icmp))
    self.accessCheck(sender)
    effective_zone = self.fw.zone.remove_icmp_block(zone, icmp)
    self.removeTimeout(effective_zone, icmp)
    self.IcmpBlockRemoved(effective_zone, icmp)
    return effective_zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='ss',
                     out_signature='b')
@dbus_handle_exceptions
def queryIcmpBlock(self, zone, icmp, sender=None):
    # pylint: disable=W0613
    """Return True if ICMP type *icmp* is blocked in *zone* (read-only)."""
    zone = dbus_to_python(zone, str)
    icmp = dbus_to_python(icmp, str)
    log.debug1("zone.queryIcmpBlock('%s', '%s')" % (zone, icmp))
    return self.fw.zone.query_icmp_block(zone, icmp)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s',
                     out_signature='as')
@dbus_handle_exceptions
def getIcmpBlocks(self, zone, sender=None):
    # pylint: disable=W0613
    """Return the list of blocked ICMP types for *zone* (read-only).

    TODO: should be renamed to listIcmpBlocks() because it is called by
    firewall-cmd --zone --list-icmp-blocks.
    """
    zone = dbus_to_python(zone, str)
    log.debug1("zone.getIcmpBlocks('%s')" % zone)
    return self.fw.zone.list_icmp_blocks(zone)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='ssi')
@dbus_handle_exceptions
def IcmpBlockAdded(self, zone, icmp, timeout=0):
    """D-Bus signal: an ICMP block was added (body only logs)."""
    message = "zone.IcmpBlockAdded('%s', '%s', %d)" % (zone, icmp, timeout)
    log.debug1(message)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='ss')
@dbus_handle_exceptions
def IcmpBlockRemoved(self, zone, icmp):
    """D-Bus signal: an ICMP block was removed (body only logs)."""
    message = "zone.IcmpBlockRemoved('%s', '%s')" % (zone, icmp)
    log.debug1(message)

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# ICMP BLOCK INVERSION

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s',
                     out_signature='s')
@dbus_handle_exceptions
def addIcmpBlockInversion(self, zone, sender=None):
    """Enable ICMP block inversion for *zone* and return the zone name.

    No timeout variant exists for this setting.  Gated by PK_ACTION_CONFIG
    and accessCheck(sender); *sender* is also forwarded to the core.
    """
    zone = dbus_to_python(zone, str)
    log.debug1("zone.addIcmpBlockInversion('%s')" % zone)
    self.accessCheck(sender)
    effective_zone = self.fw.zone.add_icmp_block_inversion(zone, sender)
    self.IcmpBlockInversionAdded(effective_zone)
    return effective_zone

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s',
                     out_signature='s')
@dbus_handle_exceptions
def removeIcmpBlockInversion(self, zone, sender=None):
    """Disable ICMP block inversion for *zone* and return the zone name.

    Gated by PK_ACTION_CONFIG and accessCheck(sender).
    """
    zone = dbus_to_python(zone, str)
    log.debug1("zone.removeIcmpBlockInversion('%s')" % zone)
    self.accessCheck(sender)
    effective_zone = self.fw.zone.remove_icmp_block_inversion(zone)
    self.IcmpBlockInversionRemoved(effective_zone)
    return effective_zone
@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_ZONE, in_signature='s',
                     out_signature='b')
@dbus_handle_exceptions
def queryIcmpBlockInversion(self, zone, sender=None):
    # pylint: disable=W0613
    """Return True if ICMP block inversion is enabled for *zone*.

    Read-only: only PK_ACTION_CONFIG_INFO applies and no accessCheck is
    performed.  *sender* is unused; kept for the decorator's convention.
    """
    zone = dbus_to_python(zone, str)
    log.debug1("zone.queryIcmpBlockInversion('%s')" % zone)
    return self.fw.zone.query_icmp_block_inversion(zone)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='s')
@dbus_handle_exceptions
def IcmpBlockInversionAdded(self, zone):
    """D-Bus signal: ICMP block inversion was enabled (body only logs)."""
    message = "zone.IcmpBlockInversionAdded('%s')" % zone
    log.debug1(message)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_ZONE, signature='s')
@dbus_handle_exceptions
def IcmpBlockInversionRemoved(self, zone):
    """D-Bus signal: ICMP block inversion was disabled (body only logs)."""
    message = "zone.IcmpBlockInversionRemoved('%s')" % zone
    log.debug1(message)

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# DIRECT INTERFACE
# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# DIRECT CHAIN
#
# The direct interface is protected by its own polkit action
# (PK_ACTION_DIRECT / PK_ACTION_DIRECT_INFO) rather than the zone
# configuration actions used above.

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT)
@dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sss',
                     out_signature='')
@dbus_handle_exceptions
def addChain(self, ipv, table, chain, sender=None):
    """Create a direct chain *chain* in *table* for IP family *ipv*.

    Gated by PK_ACTION_DIRECT and accessCheck(sender); emits ChainAdded.
    """
    ipv, table, chain = [
        dbus_to_python(value, str) for value in (ipv, table, chain)
    ]
    log.debug1("direct.addChain('%s', '%s', '%s')" % (ipv, table, chain))
    self.accessCheck(sender)
    self.fw.direct.add_chain(ipv, table, chain)
    self.ChainAdded(ipv, table, chain)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT)
@dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sss',
                     out_signature='')
@dbus_handle_exceptions
def removeChain(self, ipv, table, chain, sender=None):
    """Delete the direct chain *chain* from *table* for IP family *ipv*.

    Gated by PK_ACTION_DIRECT and accessCheck(sender); emits ChainRemoved.
    """
    ipv, table, chain = [
        dbus_to_python(value, str) for value in (ipv, table, chain)
    ]
    log.debug1("direct.removeChain('%s', '%s', '%s')" % (ipv, table, chain))
    self.accessCheck(sender)
    self.fw.direct.remove_chain(ipv, table, chain)
    self.ChainRemoved(ipv, table, chain)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sss',
                     out_signature='b')
@dbus_handle_exceptions
def queryChain(self, ipv, table, chain, sender=None):
    # pylint: disable=W0613
    """Return True if the direct chain exists (read-only)."""
    ipv, table, chain = [
        dbus_to_python(value, str) for value in (ipv, table, chain)
    ]
    log.debug1("direct.queryChain('%s', '%s', '%s')" % (ipv, table, chain))
    return self.fw.direct.query_chain(ipv, table, chain)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='ss',
                     out_signature='as')
@dbus_handle_exceptions
def getChains(self, ipv, table, sender=None):
    # pylint: disable=W0613
    """Return the direct chains added to *table* for *ipv* (read-only)."""
    ipv, table = [dbus_to_python(value, str) for value in (ipv, table)]
    log.debug1("direct.getChains('%s', '%s')" % (ipv, table))
    return self.fw.direct.get_chains(ipv, table)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='',
                     out_signature='a(sss)')
@dbus_handle_exceptions
def getAllChains(self, sender=None):
    # pylint: disable=W0613
    """Return every added direct chain as (ipv, table, chain) (read-only)."""
    log.debug1("direct.getAllChains()")
    all_chains = self.fw.direct.get_all_chains()
    return all_chains

@dbus.service.signal(config.dbus.DBUS_INTERFACE_DIRECT, signature='sss')
@dbus_handle_exceptions
def ChainAdded(self, ipv, table, chain):
    """D-Bus signal: a direct chain was added (body only logs)."""
    message = "direct.ChainAdded('%s', '%s', '%s')" % (ipv, table, chain)
    log.debug1(message)

@dbus.service.signal(config.dbus.DBUS_INTERFACE_DIRECT, signature='sss')
@dbus_handle_exceptions
def ChainRemoved(self, ipv, table, chain):
    """D-Bus signal: a direct chain was removed (body only logs)."""
    message = "direct.ChainRemoved('%s', '%s', '%s')" % (ipv, table, chain)
    log.debug1(message)

# # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
# DIRECT RULE
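@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT)
@dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sssias',
                     out_signature='')
@dbus_handle_exceptions
def addRule(self, ipv, table, chain, priority, args, sender=None):
    # pylint: disable=R0913
    """Insert a direct rule into *chain* of *table* for IP family *ipv*.

    *args* is the rule's argument vector; it is converted element-wise to a
    tuple of native strings and forwarded verbatim to the core.  Gated by
    PK_ACTION_DIRECT and accessCheck(sender); emits RuleAdded.
    """
    ipv = dbus_to_python(ipv, str)
    table = dbus_to_python(table, str)
    chain = dbus_to_python(chain, str)
    priority = dbus_to_python(priority, int)
    args = tuple(dbus_to_python(i, str) for i in args)
    log.debug1("direct.addRule('%s', '%s', '%s', %d, '%s')" %
               (ipv, table, chain, priority, "','".join(args)))
    self.accessCheck(sender)
    self.fw.direct.add_rule(ipv, table, chain, priority, args)
    self.RuleAdded(ipv, table, chain, priority, args)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT)
@dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sssias',
                     out_signature='')
@dbus_handle_exceptions
def removeRule(self, ipv, table, chain, priority, args, sender=None):
    # pylint: disable=R0913
    """Remove one direct rule identified by (priority, args) from *chain*.

    Gated by PK_ACTION_DIRECT and accessCheck(sender); emits RuleRemoved.
    """
    ipv = dbus_to_python(ipv, str)
    table = dbus_to_python(table, str)
    chain = dbus_to_python(chain, str)
    priority = dbus_to_python(priority, int)
    args = tuple(dbus_to_python(i, str) for i in args)
    log.debug1("direct.removeRule('%s', '%s', '%s', %d, '%s')" %
               (ipv, table, chain, priority, "','".join(args)))
    self.accessCheck(sender)
    self.fw.direct.remove_rule(ipv, table, chain, priority, args)
    self.RuleRemoved(ipv, table, chain, priority, args)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT)
@dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sss',
                     out_signature='')
@dbus_handle_exceptions
def removeRules(self, ipv, table, chain, sender=None):
    """Remove every direct rule from *chain* of *table* for *ipv*.

    accessCheck(sender) runs once before the loop; one RuleRemoved signal
    is emitted per rule, in the order the core lists them.
    """
    ipv = dbus_to_python(ipv, str)
    table = dbus_to_python(table, str)
    chain = dbus_to_python(chain, str)
    log.debug1("direct.removeRules('%s', '%s', '%s')" % (ipv, table, chain))
    self.accessCheck(sender)
    # Snapshot the rule list before mutating: if get_rules() hands back its
    # backing container, deleting entries while iterating it would skip
    # rules or raise.  The copy is harmless when a fresh list is returned.
    for (priority, args) in list(self.fw.direct.get_rules(ipv, table, chain)):
        self.fw.direct.remove_rule(ipv, table, chain, priority, args)
        self.RuleRemoved(ipv, table, chain, priority, args)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sssias',
                     out_signature='b')
@dbus_handle_exceptions
def queryRule(self, ipv, table, chain, priority, args, sender=None):
    # pylint: disable=W0613, R0913
    """Return True if the direct rule (priority, args) exists in *chain*.

    Read-only: only PK_ACTION_DIRECT_INFO applies and no accessCheck is
    performed.  *sender* is unused; kept for the decorator's convention.
    """
    ipv = dbus_to_python(ipv, str)
    table = dbus_to_python(table, str)
    chain = dbus_to_python(chain, str)
    priority = dbus_to_python(priority, int)
    args = tuple(dbus_to_python(i, str) for i in args)
    log.debug1("direct.queryRule('%s', '%s', '%s', %d, '%s')" %
               (ipv, table, chain, priority, "','".join(args)))
    return self.fw.direct.query_rule(ipv, table, chain, priority, args)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sss',
                     out_signature='a(ias)')
@dbus_handle_exceptions
def getRules(self, ipv, table, chain, sender=None):
    # pylint: disable=W0613
    """Return the (priority, args) rules added to *chain* (read-only)."""
    ipv = dbus_to_python(ipv, str)
    table = dbus_to_python(table, str)
    chain = dbus_to_python(chain, str)
    log.debug1("direct.getRules('%s', '%s', '%s')" % (ipv, table, chain))
    return self.fw.direct.get_rules(ipv, table, chain)

@slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT_INFO)
@dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='',
                     out_signature='a(sssias)')
@dbus_handle_exceptions
def getAllRules(self, sender=None):
    # pylint: disable=W0613
    """Return every added direct rule as (ipv, table, chain, priority, args)
    (read-only)."""
    log.debug1("direct.getAllRules()")
    return self.fw.direct.get_all_rules()

@dbus.service.signal(config.dbus.DBUS_INTERFACE_DIRECT, signature='sssias')
@dbus_handle_exceptions
def RuleAdded(self, ipv, table, chain, priority, args):
    # pylint: disable=R0913
    """D-Bus signal: a direct rule was added.  The body only logs; the
    dbus.service.signal decorator emits the signal after it runs."""
    log.debug1("direct.RuleAdded('%s', '%s', '%s', %d, '%s')" %
               (ipv, table, chain, priority, "','".join(args)))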
@dbus.service.signal(config.dbus.DBUS_INTERFACE_DIRECT, signature='sssias') @dbus_handle_exceptions def RuleRemoved(self, ipv, table, chain, priority, args): # pylint: disable=R0913 log.debug1("direct.RuleRemoved('%s', '%s', '%s', %d, '%s')" % \ (ipv, table, chain, priority, "','".join(args))) # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # DIRECT PASSTHROUGH (untracked) @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT) @dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sas', out_signature='s') @dbus_handle_exceptions def passthrough(self, ipv, args, sender=None): # inserts direct rule ipv = dbus_to_python(ipv, str) args = tuple( dbus_to_python(i, str) for i in args ) log.debug1("direct.passthrough('%s', '%s')" % (ipv, "','".join(args))) self.accessCheck(sender) try: return self.fw.direct.passthrough(ipv, args) except FirewallError as error: if ipv in ["ipv4", "ipv6"]: query_args = set(["-C", "--check", "-L", "--list"]) else: query_args = set(["-L", "--list"]) msg = str(error) if error.code == errors.COMMAND_FAILED: if len(set(args) & query_args) <= 0: log.warning(msg) raise FirewallDBusException(msg) raise # DIRECT PASSTHROUGH (tracked) @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT) @dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sas', out_signature='') @dbus_handle_exceptions def addPassthrough(self, ipv, args, sender=None): # inserts direct passthrough ipv = dbus_to_python(ipv) args = tuple( dbus_to_python(i) for i in args ) log.debug1("direct.addPassthrough('%s', '%s')" % \ (ipv, "','".join(args))) self.accessCheck(sender) self.fw.direct.add_passthrough(ipv, args) self.PassthroughAdded(ipv, args) @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT) @dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sas', out_signature='') @dbus_handle_exceptions def removePassthrough(self, ipv, args, sender=None): # removes direct passthrough ipv = 
dbus_to_python(ipv) args = tuple( dbus_to_python(i) for i in args ) log.debug1("direct.removePassthrough('%s', '%s')" % \ (ipv, "','".join(args))) self.accessCheck(sender) self.fw.direct.remove_passthrough(ipv, args) self.PassthroughRemoved(ipv, args) @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT_INFO) @dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='sas', out_signature='b') @dbus_handle_exceptions def queryPassthrough(self, ipv, args, sender=None): # pylint: disable=W0613 # returns true if a passthrough is enabled ipv = dbus_to_python(ipv) args = tuple( dbus_to_python(i) for i in args ) log.debug1("direct.queryPassthrough('%s', '%s')" % \ (ipv, "','".join(args))) return self.fw.direct.query_passthrough(ipv, args) @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT_INFO) @dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='', out_signature='a(sas)') @dbus_handle_exceptions def getAllPassthroughs(self, sender=None): # pylint: disable=W0613 # returns list of all added passthroughs log.debug1("direct.getAllPassthroughs()") return self.fw.direct.get_all_passthroughs() @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT) @dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='', out_signature='') @dbus_handle_exceptions def removeAllPassthroughs(self, sender=None): # pylint: disable=W0613 # remove all passhroughs log.debug1("direct.removeAllPassthroughs()") # remove in reverse order to avoid removing non-empty chains for passthrough in reversed(self.getAllPassthroughs()): self.removePassthrough(*passthrough) @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_DIRECT_INFO) @dbus_service_method(config.dbus.DBUS_INTERFACE_DIRECT, in_signature='s', out_signature='aas') @dbus_handle_exceptions def getPassthroughs(self, ipv, sender=None): # pylint: disable=W0613 # returns list of all added passthroughs with ipv ipv = dbus_to_python(ipv) log.debug1("direct.getPassthroughs('%s')", ipv) return 
self.fw.direct.get_passthroughs(ipv) @dbus.service.signal(config.dbus.DBUS_INTERFACE_DIRECT, signature='sas') @dbus_handle_exceptions def PassthroughAdded(self, ipv, args): log.debug1("direct.PassthroughAdded('%s', '%s')" % \ (ipv, "','".join(args))) @dbus.service.signal(config.dbus.DBUS_INTERFACE_DIRECT, signature='sas') @dbus_handle_exceptions def PassthroughRemoved(self, ipv, args): log.debug1("direct.PassthroughRemoved('%s', '%s')" % \ (ipv, "','".join(args))) # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_ALL) @dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='', out_signature='') @dbus_handle_exceptions def authorizeAll(self, sender=None): # pylint: disable=W0613 """ PK_ACTION_ALL implies all other actions, i.e. once a subject is authorized for PK_ACTION_ALL it's also authorized for any other action. Use-case is GUI (RHBZ#994729). """ pass # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # IPSETS # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO) @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='s', out_signature='b') @dbus_handle_exceptions def queryIPSet(self, ipset, sender=None): # pylint: disable=W0613 # returns true if a set with the name exists ipset = dbus_to_python(ipset) log.debug1("ipset.queryIPSet('%s')" % (ipset)) return self.fw.ipset.query_ipset(ipset) @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO) @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='', out_signature='as') @dbus_handle_exceptions def getIPSets(self, sender=None): # pylint: disable=W0613 # returns list of added sets log.debug1("ipsets.getIPSets()") return self.fw.ipset.get_ipsets() @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO) @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='s', 
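out_signature=IPSet.DBUS_SIGNATURE)
    @dbus_handle_exceptions
    def getIPSetSettings(self, ipset, sender=None): # pylint: disable=W0613
        """Return the exported configuration of the runtime ipset *ipset*.

        Read-only: no accessCheck() is run, matching the other getters in
        this interface.
        """
        ipset = dbus_to_python(ipset, str)
        log.debug1("getIPSetSettings(%s)", ipset)
        return self.fw.ipset.get_ipset(ipset).export_config()

    # set entries # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
    @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='ss',
                         out_signature='')
    @dbus_handle_exceptions
    def addEntry(self, ipset, entry, sender=None):
        """Add *entry* to the runtime ipset *ipset* and emit EntryAdded.

        *sender* is the D-Bus caller; accessCheck(sender) runs the daemon's
        caller access check before the set is modified.
        """
        ipset = dbus_to_python(ipset)
        entry = dbus_to_python(entry)
        log.debug1("ipset.addEntry('%s', '%s')", ipset, entry)
        self.accessCheck(sender)
        self.fw.ipset.add_entry(ipset, entry)
        self.EntryAdded(ipset, entry)

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
    @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='ss',
                         out_signature='')
    @dbus_handle_exceptions
    def removeEntry(self, ipset, entry, sender=None):
        """Remove *entry* from the runtime ipset *ipset* and emit EntryRemoved.

        Mirrors addEntry(): the caller passes accessCheck(sender) first.
        """
        ipset = dbus_to_python(ipset)
        entry = dbus_to_python(entry)
        log.debug1("ipset.removeEntry('%s', '%s')", ipset, entry)
        self.accessCheck(sender)
        self.fw.ipset.remove_entry(ipset, entry)
        self.EntryRemoved(ipset, entry)

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
    @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='ss',
                         out_signature='b')
    @dbus_handle_exceptions
    def queryEntry(self, ipset, entry, sender=None): # pylint: disable=W0613
        """Return True if *entry* is currently part of the runtime ipset."""
        ipset = dbus_to_python(ipset)
        entry = dbus_to_python(entry)
        log.debug1("ipset.queryEntry('%s', '%s')", ipset, entry)
        return self.fw.ipset.query_entry(ipset, entry)

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
    @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='s',
                         out_signature='as')
    @dbus_handle_exceptions
    def getEntries(self, ipset, sender=None): # pylint: disable=W0613
        """Return the list of entries currently in the runtime ipset."""
        ipset = dbus_to_python(ipset)
        log.debug1("ipset.getEntries('%s')", ipset)
        return self.fw.ipset.get_entries(ipset)

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
    @dbus_service_method(config.dbus.DBUS_INTERFACE_IPSET, in_signature='sas')
    @dbus_handle_exceptions
    def setEntries(self, ipset, entries, sender=None):
        """Replace the whole content of the runtime ipset *ipset*.

        Emits EntryAdded for each entry that was not present before and
        EntryRemoved for each entry that disappeared (set differences against
        the previous contents).  This is a configuration change exactly like
        addEntry()/removeEntry(), so the same accessCheck() applies.
        """
        ipset = dbus_to_python(ipset)
        entries = dbus_to_python(entries, list)
        log.debug1("ipset.setEntries('%s', '[%s]')", ipset, ",".join(entries))
        # Previously missing on this path although addEntry()/removeEntry()
        # enforce it: replacing the set as a whole must be subject to the same
        # caller access check as changing single entries.
        self.accessCheck(sender)
        old_entries = set(self.fw.ipset.get_entries(ipset))
        self.fw.ipset.set_entries(ipset, entries)
        new_entries = set(entries)
        for entry in new_entries - old_entries:
            self.EntryAdded(ipset, entry)
        for entry in old_entries - new_entries:
            self.EntryRemoved(ipset, entry)

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_IPSET, signature='ss')
    @dbus_handle_exceptions
    def EntryAdded(self, ipset, entry):
        """Signal: *entry* was added to runtime ipset *ipset*."""
        ipset = dbus_to_python(ipset)
        entry = dbus_to_python(entry)
        log.debug1("ipset.EntryAdded('%s', '%s')", ipset, entry)

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_IPSET, signature='ss')
    @dbus_handle_exceptions
    def EntryRemoved(self, ipset, entry):
        """Signal: *entry* was removed from runtime ipset *ipset*."""
        ipset = dbus_to_python(ipset)
        entry = dbus_to_python(entry)
        log.debug1("ipset.EntryRemoved('%s', '%s')", ipset, entry)

    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    # HELPERS
    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
    @dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='',
                         out_signature='as')
    @dbus_handle_exceptions
    def getHelpers(self, sender=None): # pylint: disable=W0613
        """Return the names of the known connection-tracking helpers."""
        log.debug1("helpers.getHelpers()")
        return self.fw.helper.get_helpers()

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG_INFO)
    @dbus_service_method(config.dbus.DBUS_INTERFACE, in_signature='s',
                         out_signature=Helper.DBUS_SIGNATURE)
    @dbus_handle_exceptions
    def getHelperSettings(self, helper, sender=None): # pylint: disable=W0613
        """Return the exported configuration of the runtime helper *helper*."""
        helper = dbus_to_python(helper, str)
        log.debug1("getHelperSettings(%s)", helper)
        return self.fw.helper.get_helper(helper).export_config()

# -*- coding: utf-8 -*-
#
# Copyright (C) 2010-2016 Red Hat, Inc.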
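#
# Authors:
# Thomas Woerner
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.

# force use of pygobject3 in python-slip
from gi.repository import GObject
import sys
sys.modules['gobject'] = GObject

import dbus
import dbus.service
import slip.dbus
import slip.dbus.service

from firewall import config
from firewall.dbus_utils import dbus_to_python, \
    dbus_introspection_prepare_properties, \
    dbus_introspection_add_properties
from firewall.core.io.service import Service
from firewall.core.logger import log
from firewall.server.decorators import handle_exceptions, \
    dbus_handle_exceptions, dbus_service_method
from firewall import errors
from firewall.errors import FirewallError

############################################################################
#
# class FirewallDConfigService
#
############################################################################

# Positions inside the settings tuple returned by getSettings() and accepted
# by update(); they are the indices the accessors below read and write.
_VERSION = 0
_SHORT = 1
_DESCRIPTION = 2
_PORTS = 3
_MODULES = 4
_DESTINATIONS = 5
_PROTOCOLS = 6
_SOURCE_PORTS = 7

# Properties exposed on org.freedesktop.DBus.Properties, by D-Bus type.
_STRING_PROPERTIES = ("name", "filename", "path")
_BOOLEAN_PROPERTIES = ("default", "builtin")


def _ports_to_tuples(ports):
    """Turn the nested lists a D-Bus ``a(ss)`` argument arrives as into tuples.

    Elements that are not lists pass through unchanged, so that membership
    tests against the stored ``(port, protocol)`` tuples keep working.
    """
    return [tuple(port) if isinstance(port, list) else port for port in ports]


def _normalize_module(module):
    """Map a kernel helper module name to firewalld's short helper name.

    A leading ``nf_conntrack_`` is dropped and every remaining underscore
    becomes a dash (``nf_conntrack_ftp`` -> ``ftp``, ``foo_bar`` -> ``foo-bar``).
    """
    if module.startswith("nf_conntrack_"):
        module = module.replace("nf_conntrack_", "")
    return module.replace("_", "-")


class FirewallDConfigService(slip.dbus.service.Object):
    """D-Bus object for one permanent (on-disk) service configuration.

    Exposes the settings of a single firewalld service on the
    ``config.dbus.DBUS_INTERFACE_CONFIG_SERVICE`` interface.  Every modifying
    method converts its arguments with dbus_to_python(), logs the call, runs
    the parent's accessCheck() for the D-Bus *sender* and then writes the
    complete settings tuple back through update(), which emits Updated.
    """

    # Make FirewallD persistent.
    persistent = True
    # polkit action required for methods that do not override it
    default_polkit_auth_required = config.dbus.PK_ACTION_CONFIG

    @handle_exceptions
    def __init__(self, parent, conf, service, item_id, *args, **kwargs):
        """Register the object on the bus.

        parent   -- owning FirewallDConfig; supplies accessCheck() and
                    removeService()
        conf     -- config backend (get_service_config() and friends)
        service  -- the Service object wrapped by this D-Bus object
        item_id  -- numeric id, only used to build the log prefix
        args     -- (busname, object path), forwarded to the base class
        """
        super(FirewallDConfigService, self).__init__(*args, **kwargs)
        self.parent = parent
        self.config = conf
        self.obj = service
        self.item_id = item_id
        self.busname = args[0]
        self.path = args[1]
        self._log_prefix = "config.service.%d" % self.item_id
        dbus_introspection_prepare_properties(
            self, config.dbus.DBUS_INTERFACE_CONFIG_SERVICE)

    @dbus_handle_exceptions
    def __del__(self):
        pass

    @dbus_handle_exceptions
    def unregister(self):
        """Remove this object from the bus connection."""
        self.remove_from_connection()

    # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # #
    # P R O P E R T I E S

    @dbus_handle_exceptions
    def _get_property(self, property_name):
        """Return one attribute of the wrapped Service as a D-Bus value.

        Raises a DBusException (InvalidArgs) for unknown property names.
        """
        if property_name in _STRING_PROPERTIES:
            return dbus.String(getattr(self.obj, property_name))
        if property_name in _BOOLEAN_PROPERTIES:
            return dbus.Boolean(getattr(self.obj, property_name))
        raise dbus.exceptions.DBusException(
            "org.freedesktop.DBus.Error.InvalidArgs: "
            "Property '%s' does not exist" % property_name)

    @dbus_handle_exceptions
    def _check_interface(self, interface_name):
        """Raise UnknownInterface unless *interface_name* is ours."""
        if interface_name != config.dbus.DBUS_INTERFACE_CONFIG_SERVICE:
            raise dbus.exceptions.DBusException(
                "org.freedesktop.DBus.Error.UnknownInterface: "
                "Interface '%s' does not exist" % interface_name)

    @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss',
                         out_signature='v')
    @dbus_handle_exceptions
    def Get(self, interface_name, property_name, sender=None): # pylint: disable=W0613
        """org.freedesktop.DBus.Properties.Get"""
        interface_name = dbus_to_python(interface_name, str)
        property_name = dbus_to_python(property_name, str)
        log.debug1("%s.Get('%s', '%s')", self._log_prefix, interface_name,
                   property_name)
        self._check_interface(interface_name)
        return self._get_property(property_name)

    @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='s',
                         out_signature='a{sv}')
    @dbus_handle_exceptions
    def GetAll(self, interface_name, sender=None): # pylint: disable=W0613
        """org.freedesktop.DBus.Properties.GetAll"""
        interface_name = dbus_to_python(interface_name, str)
        log.debug1("%s.GetAll('%s')", self._log_prefix, interface_name)
        self._check_interface(interface_name)
        ret = dict((name, self._get_property(name))
                   for name in _STRING_PROPERTIES + _BOOLEAN_PROPERTIES)
        return dbus.Dictionary(ret, signature="sv")

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG)
    @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ssv')
    @dbus_handle_exceptions
    def Set(self, interface_name, property_name, new_value, sender=None):
        """org.freedesktop.DBus.Properties.Set -- all properties are read-only.

        The access check and interface check run first, so a caller always
        gets the most specific error; a valid request ends in PropertyReadOnly.
        """
        interface_name = dbus_to_python(interface_name, str)
        property_name = dbus_to_python(property_name, str)
        new_value = dbus_to_python(new_value)
        log.debug1("%s.Set('%s', '%s', '%s')", self._log_prefix,
                   interface_name, property_name, new_value)
        self.parent.accessCheck(sender)
        self._check_interface(interface_name)
        raise dbus.exceptions.DBusException(
            "org.freedesktop.DBus.Error.PropertyReadOnly: "
            "Property '%s' is read-only" % property_name)

    @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as')
    def PropertiesChanged(self, interface_name, changed_properties,
                          invalidated_properties):
        """org.freedesktop.DBus.Properties.PropertiesChanged signal."""
        interface_name = dbus_to_python(interface_name, str)
        changed_properties = dbus_to_python(changed_properties)
        invalidated_properties = dbus_to_python(invalidated_properties)
        log.debug1("%s.PropertiesChanged('%s', '%s', '%s')", self._log_prefix,
                   interface_name, changed_properties, invalidated_properties)

    @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO)
    @dbus_service_method(dbus.INTROSPECTABLE_IFACE, out_signature='s')
    @dbus_handle_exceptions
    def Introspect(self, sender=None): # pylint: disable=W0613
        """Return the introspection XML, extended with the property nodes."""
        log.debug2("%s.Introspect()", self._log_prefix)
        data = super(FirewallDConfigService, self).Introspect(
            self.path, self.busname.get_bus())
        return dbus_introspection_add_properties(
            self, data, config.dbus.DBUS_INTERFACE_CONFIG_SERVICE)

    # S E T T I N G S

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         out_signature=Service.DBUS_SIGNATURE)
    @dbus_handle_exceptions
    def getSettings(self, sender=None): # pylint: disable=W0613
        """Return the complete settings tuple of this service.

        Slot order is documented by the ``_VERSION`` .. ``_SOURCE_PORTS``
        constants at the top of the module.
        """
        log.debug1("%s.getSettings()", self._log_prefix)
        return self.config.get_service_config(self.obj)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature=Service.DBUS_SIGNATURE)
    @dbus_handle_exceptions
    def update(self, settings, sender=None):
        """Replace all settings of this service, persist them and emit Updated."""
        settings = dbus_to_python(settings)
        log.debug1("%s.update('...')", self._log_prefix)
        self.parent.accessCheck(sender)
        self.obj = self.config.set_service_config(self.obj, settings)
        self.Updated(self.obj.name)

    def _settings(self):
        """Mutable copy of the current settings tuple for edit-then-update()."""
        return list(self.getSettings())

    def _set(self, index, value):
        """Store *value* at settings slot *index* and write everything back."""
        settings = self._settings()
        settings[index] = value
        self.update(settings)

    def _add_item(self, index, item, label):
        """Append *item* to the list at slot *index*.

        Raises FirewallError(ALREADY_ENABLED, label) if it is already there.
        """
        settings = self._settings()
        if item in settings[index]:
            raise FirewallError(errors.ALREADY_ENABLED, label)
        settings[index].append(item)
        self.update(settings)

    def _remove_item(self, index, item, label):
        """Remove *item* from the list at slot *index*.

        Raises FirewallError(NOT_ENABLED, label) if it is not present.
        """
        settings = self._settings()
        if item not in settings[index]:
            raise FirewallError(errors.NOT_ENABLED, label)
        settings[index].remove(item)
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE)
    @dbus_handle_exceptions
    def loadDefaults(self, sender=None):
        """Reset a builtin service to its shipped defaults and emit Updated."""
        log.debug1("%s.loadDefaults()", self._log_prefix)
        self.parent.accessCheck(sender)
        self.obj = self.config.load_service_defaults(self.obj)
        self.Updated(self.obj.name)

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         signature='s')
    @dbus_handle_exceptions
    def Updated(self, name):
        """Signal: the service *name* was modified."""
        log.debug1("%s.Updated('%s')" % (self._log_prefix, name))

    # R E M O V E

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE)
    @dbus_handle_exceptions
    def remove(self, sender=None):
        """Delete the service file and let the parent unregister this object."""
        # logged as "removeService()" before; the D-Bus method is remove()
        log.debug1("%s.remove()", self._log_prefix)
        self.parent.accessCheck(sender)
        self.config.remove_service(self.obj)
        self.parent.removeService(self.obj)

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         signature='s')
    @dbus_handle_exceptions
    def Removed(self, name):
        """Signal: the service *name* was removed."""
        log.debug1("%s.Removed('%s')" % (self._log_prefix, name))

    # R E N A M E

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='s')
    @dbus_handle_exceptions
    def rename(self, name, sender=None):
        """Rename the service to *name* and emit Renamed."""
        name = dbus_to_python(name, str)
        log.debug1("%s.rename('%s')", self._log_prefix, name)
        self.parent.accessCheck(sender)
        self.obj = self.config.rename_service(self.obj, name)
        self.Renamed(name)

    @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         signature='s')
    @dbus_handle_exceptions
    def Renamed(self, name):
        """Signal: the service was renamed to *name*."""
        log.debug1("%s.Renamed('%s')" % (self._log_prefix, name))

    # version

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         out_signature='s')
    @dbus_handle_exceptions
    def getVersion(self, sender=None): # pylint: disable=W0613
        """Return the version string of the service."""
        log.debug1("%s.getVersion()", self._log_prefix)
        return self.getSettings()[_VERSION]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='s')
    @dbus_handle_exceptions
    def setVersion(self, version, sender=None):
        """Set the version string of the service."""
        version = dbus_to_python(version, str)
        log.debug1("%s.setVersion('%s')", self._log_prefix, version)
        self.parent.accessCheck(sender)
        self._set(_VERSION, version)

    # short

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         out_signature='s')
    @dbus_handle_exceptions
    def getShort(self, sender=None): # pylint: disable=W0613
        """Return the short (one-line) description."""
        log.debug1("%s.getShort()", self._log_prefix)
        return self.getSettings()[_SHORT]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='s')
    @dbus_handle_exceptions
    def setShort(self, short, sender=None):
        """Set the short (one-line) description."""
        short = dbus_to_python(short, str)
        log.debug1("%s.setShort('%s')", self._log_prefix, short)
        self.parent.accessCheck(sender)
        self._set(_SHORT, short)

    # description

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         out_signature='s')
    @dbus_handle_exceptions
    def getDescription(self, sender=None): # pylint: disable=W0613
        """Return the long description."""
        log.debug1("%s.getDescription()", self._log_prefix)
        return self.getSettings()[_DESCRIPTION]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='s')
    @dbus_handle_exceptions
    def setDescription(self, description, sender=None):
        """Set the long description."""
        description = dbus_to_python(description, str)
        log.debug1("%s.setDescription('%s')", self._log_prefix, description)
        self.parent.accessCheck(sender)
        self._set(_DESCRIPTION, description)

    # port

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         out_signature='a(ss)')
    @dbus_handle_exceptions
    def getPorts(self, sender=None): # pylint: disable=W0613
        """Return the list of (port, protocol) tuples."""
        log.debug1("%s.getPorts()", self._log_prefix)
        return self.getSettings()[_PORTS]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='a(ss)')
    @dbus_handle_exceptions
    def setPorts(self, ports, sender=None):
        """Replace the port list with *ports* (D-Bus a(ss), i.e. nested lists)."""
        ports = _ports_to_tuples(dbus_to_python(ports, list))
        log.debug1("%s.setPorts('[%s]')", self._log_prefix,
                   ",".join("('%s', '%s')" % (port[0], port[1])
                            for port in ports))
        self.parent.accessCheck(sender)
        self._set(_PORTS, ports)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='ss')
    @dbus_handle_exceptions
    def addPort(self, port, protocol, sender=None):
        """Add (port, protocol); FirewallError(ALREADY_ENABLED) if present."""
        port = dbus_to_python(port, str)
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.addPort('%s', '%s')", self._log_prefix, port, protocol)
        self.parent.accessCheck(sender)
        self._add_item(_PORTS, (port, protocol), "%s:%s" % (port, protocol))

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='ss')
    @dbus_handle_exceptions
    def removePort(self, port, protocol, sender=None):
        """Remove (port, protocol); FirewallError(NOT_ENABLED) if absent."""
        port = dbus_to_python(port, str)
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.removePort('%s', '%s')", self._log_prefix, port,
                   protocol)
        self.parent.accessCheck(sender)
        self._remove_item(_PORTS, (port, protocol), "%s:%s" % (port, protocol))

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='ss', out_signature='b')
    @dbus_handle_exceptions
    def queryPort(self, port, protocol, sender=None): # pylint: disable=W0613
        """Return True if (port, protocol) is configured."""
        port = dbus_to_python(port, str)
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.queryPort('%s', '%s')", self._log_prefix, port,
                   protocol)
        return (port, protocol) in self.getSettings()[_PORTS]

    # protocol

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         out_signature='as')
    @dbus_handle_exceptions
    def getProtocols(self, sender=None): # pylint: disable=W0613
        """Return the list of protocols."""
        log.debug1("%s.getProtocols()", self._log_prefix)
        return self.getSettings()[_PROTOCOLS]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='as')
    @dbus_handle_exceptions
    def setProtocols(self, protocols, sender=None):
        """Replace the protocol list."""
        protocols = dbus_to_python(protocols, list)
        log.debug1("%s.setProtocols('[%s]')", self._log_prefix,
                   ",".join(protocols))
        self.parent.accessCheck(sender)
        self._set(_PROTOCOLS, protocols)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='s')
    @dbus_handle_exceptions
    def addProtocol(self, protocol, sender=None):
        """Add *protocol*; FirewallError(ALREADY_ENABLED) if present."""
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.addProtocol('%s')", self._log_prefix, protocol)
        self.parent.accessCheck(sender)
        self._add_item(_PROTOCOLS, protocol, protocol)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='s')
    @dbus_handle_exceptions
    def removeProtocol(self, protocol, sender=None):
        """Remove *protocol*; FirewallError(NOT_ENABLED) if absent."""
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.removeProtocol('%s')", self._log_prefix, protocol)
        self.parent.accessCheck(sender)
        self._remove_item(_PROTOCOLS, protocol, protocol)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='s', out_signature='b')
    @dbus_handle_exceptions
    def queryProtocol(self, protocol, sender=None): # pylint: disable=W0613
        """Return True if *protocol* is configured."""
        protocol = dbus_to_python(protocol, str)
        # format string previously lacked the opening quote: "(%s')"
        log.debug1("%s.queryProtocol('%s')", self._log_prefix, protocol)
        return protocol in self.getSettings()[_PROTOCOLS]

    # source port

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         out_signature='a(ss)')
    @dbus_handle_exceptions
    def getSourcePorts(self, sender=None): # pylint: disable=W0613
        """Return the list of (source port, protocol) tuples."""
        log.debug1("%s.getSourcePorts()", self._log_prefix)
        return self.getSettings()[_SOURCE_PORTS]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='a(ss)')
    @dbus_handle_exceptions
    def setSourcePorts(self, ports, sender=None):
        """Replace the source port list with *ports* (nested lists -> tuples)."""
        ports = _ports_to_tuples(dbus_to_python(ports, list))
        log.debug1("%s.setSourcePorts('[%s]')", self._log_prefix,
                   ",".join("('%s', '%s')" % (port[0], port[1])
                            for port in ports))
        self.parent.accessCheck(sender)
        self._set(_SOURCE_PORTS, ports)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='ss')
    @dbus_handle_exceptions
    def addSourcePort(self, port, protocol, sender=None):
        """Add a (source port, protocol); ALREADY_ENABLED if present."""
        port = dbus_to_python(port, str)
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.addSourcePort('%s', '%s')", self._log_prefix, port,
                   protocol)
        self.parent.accessCheck(sender)
        self._add_item(_SOURCE_PORTS, (port, protocol),
                       "%s:%s" % (port, protocol))

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='ss')
    @dbus_handle_exceptions
    def removeSourcePort(self, port, protocol, sender=None):
        """Remove a (source port, protocol); NOT_ENABLED if absent."""
        port = dbus_to_python(port, str)
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.removeSourcePort('%s', '%s')", self._log_prefix, port,
                   protocol)
        self.parent.accessCheck(sender)
        self._remove_item(_SOURCE_PORTS, (port, protocol),
                          "%s:%s" % (port, protocol))

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='ss', out_signature='b')
    @dbus_handle_exceptions
    def querySourcePort(self, port, protocol, sender=None): # pylint: disable=W0613
        """Return True if (source port, protocol) is configured."""
        port = dbus_to_python(port, str)
        protocol = dbus_to_python(protocol, str)
        log.debug1("%s.querySourcePort('%s', '%s')", self._log_prefix, port,
                   protocol)
        return (port, protocol) in self.getSettings()[_SOURCE_PORTS]

    # module

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         out_signature='as')
    @dbus_handle_exceptions
    def getModules(self, sender=None): # pylint: disable=W0613
        """Return the list of helper module names (short form)."""
        log.debug1("%s.getModules()", self._log_prefix)
        return self.getSettings()[_MODULES]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='as')
    @dbus_handle_exceptions
    def setModules(self, modules, sender=None):
        """Replace the module list; names are normalized via _normalize_module()."""
        modules = [_normalize_module(module)
                   for module in dbus_to_python(modules, list)]
        log.debug1("%s.setModules('[%s]')", self._log_prefix,
                   ",".join(modules))
        self.parent.accessCheck(sender)
        self._set(_MODULES, modules)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='s')
    @dbus_handle_exceptions
    def addModule(self, module, sender=None):
        """Add a helper module (normalized); ALREADY_ENABLED if present."""
        module = _normalize_module(dbus_to_python(module, str))
        log.debug1("%s.addModule('%s')", self._log_prefix, module)
        self.parent.accessCheck(sender)
        self._add_item(_MODULES, module, module)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='s')
    @dbus_handle_exceptions
    def removeModule(self, module, sender=None):
        """Remove a helper module (normalized); NOT_ENABLED if absent."""
        module = _normalize_module(dbus_to_python(module, str))
        log.debug1("%s.removeModule('%s')", self._log_prefix, module)
        self.parent.accessCheck(sender)
        self._remove_item(_MODULES, module, module)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='s', out_signature='b')
    @dbus_handle_exceptions
    def queryModule(self, module, sender=None): # pylint: disable=W0613
        """Return True if the (normalized) helper module is configured."""
        module = _normalize_module(dbus_to_python(module, str))
        log.debug1("%s.queryModule('%s')", self._log_prefix, module)
        return module in self.getSettings()[_MODULES]

    # destination

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         out_signature='a{ss}')
    @dbus_handle_exceptions
    def getDestinations(self, sender=None): # pylint: disable=W0613
        """Return the {family: address} destination mapping."""
        log.debug1("%s.getDestinations()", self._log_prefix)
        return self.getSettings()[_DESTINATIONS]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='a{ss}')
    @dbus_handle_exceptions
    def setDestinations(self, destinations, sender=None):
        """Replace the destination mapping."""
        destinations = dbus_to_python(destinations, dict)
        log.debug1("%s.setDestinations({ipv4:'%s', ipv6:'%s'})",
                   self._log_prefix, destinations.get('ipv4'),
                   destinations.get('ipv6'))
        self.parent.accessCheck(sender)
        self._set(_DESTINATIONS, destinations)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='s', out_signature='s')
    @dbus_handle_exceptions
    def getDestination(self, family, sender=None):
        """Return the destination address for *family*; NOT_ENABLED if unset.

        NOTE: unlike the other getters this one runs accessCheck(); kept as
        is to avoid loosening access on an existing D-Bus method.
        """
        family = dbus_to_python(family, str)
        log.debug1("%s.getDestination('%s')", self._log_prefix, family)
        self.parent.accessCheck(sender)
        destinations = self.getSettings()[_DESTINATIONS]
        if family not in destinations:
            raise FirewallError(errors.NOT_ENABLED, family)
        return destinations[family]

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='ss')
    @dbus_handle_exceptions
    def setDestination(self, family, address, sender=None):
        """Set the destination *address* for *family*.

        Raises FirewallError(ALREADY_ENABLED) only if the identical address is
        already stored; a different address for the same family is replaced.
        """
        family = dbus_to_python(family, str)
        address = dbus_to_python(address, str)
        log.debug1("%s.setDestination('%s', '%s')", self._log_prefix, family,
                   address)
        self.parent.accessCheck(sender)
        settings = self._settings()
        destinations = settings[_DESTINATIONS]
        if family in destinations and destinations[family] == address:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "'%s': '%s'" % (family, address))
        destinations[family] = address
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='s')
    @dbus_handle_exceptions
    def removeDestination(self, family, sender=None):
        """Drop the destination for *family*; NOT_ENABLED if unset."""
        family = dbus_to_python(family, str)
        log.debug1("%s.removeDestination('%s')", self._log_prefix, family)
        self.parent.accessCheck(sender)
        settings = self._settings()
        if family not in settings[_DESTINATIONS]:
            raise FirewallError(errors.NOT_ENABLED, family)
        del settings[_DESTINATIONS][family]
        self.update(settings)

    @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                         in_signature='ss', out_signature='b')
    @dbus_handle_exceptions
    def queryDestination(self, family, address, sender=None): # pylint: disable=W0613
        """Return True if *family* maps exactly to *address*."""
        family = dbus_to_python(family, str)
        address = dbus_to_python(address, str)
        log.debug1("%s.queryDestination('%s', '%s')", self._log_prefix,
                   family, address)
        destinations = self.getSettings()[_DESTINATIONS]
        return family in destinations and address == destinations[family]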
require_authR=tservicetsignalR@tPK_ACTION_INFOtINTROSPECTABLE_IFACERBRRtDBUS_SIGNATURERFRJRLRHRORPRSRRRTRWRXRZR[R]R^RaRcRdRfRgRhRrRtRvRw(((sA/usr/lib/python2.7/site-packages/firewall/server/config_helper.pyR 0s  $                (t gi.repositoryRtsystmodulesRt dbus.servicet slip.dbusRtslip.dbus.servicetfirewallRtfirewall.dbus_utilsRRRtfirewall.core.io.helperRtfirewall.core.loggerRtfirewall.server.decoratorsRR R R tfirewall.errorsR RtObjectR (((sA/usr/lib/python2.7/site-packages/firewall/server/config_helper.pyts      server/config.py000064400000171213147576556050007722 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2010-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
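# force use of pygobject3 in python-slip
from gi.repository import GObject
import sys
sys.modules['gobject'] = GObject

import os
import dbus
import dbus.service
import slip.dbus
import slip.dbus.service

from firewall import config
from firewall.core.base import DEFAULT_ZONE_TARGET
from firewall.core.watcher import Watcher
from firewall.core.logger import log
from firewall.server.decorators import handle_exceptions, \
    dbus_handle_exceptions, dbus_service_method
from firewall.server.config_icmptype import FirewallDConfigIcmpType
from firewall.server.config_service import FirewallDConfigService
from firewall.server.config_zone import FirewallDConfigZone
from firewall.server.config_ipset import FirewallDConfigIPSet
from firewall.server.config_helper import FirewallDConfigHelper
from firewall.core.io.zone import Zone
from firewall.core.io.service import Service
from firewall.core.io.icmptype import IcmpType
from firewall.core.io.ipset import IPSet
from firewall.core.io.helper import Helper
from firewall.core.io.lockdown_whitelist import LockdownWhitelist
from firewall.core.io.direct import Direct
from firewall.dbus_utils import dbus_to_python, \
    command_of_sender, context_of_sender, uid_of_sender, user_of_uid, \
    dbus_introspection_prepare_properties, \
    dbus_introspection_add_properties
from firewall import errors
from firewall.errors import FirewallError

############################################################################
#
# class FirewallDConfig
#
############################################################################

# Index of the icmp-block list inside a zone's settings tuple; see
# IMPORT_EXPORT_STRUCTURE in class Zone(IO_Object).
_ZONE_ICMP_BLOCKS = 7


def _xml_under(name, *dirs):
    """True if *name* ends in ``.xml`` and lies below one of *dirs* (prefix test)."""
    return name.endswith(".xml") and any(name.startswith(d) for d in dirs)


class FirewallDConfig(slip.dbus.service.Object):
    """D-Bus object for the permanent configuration (config.dbus.DBUS_INTERFACE_CONFIG).

    Owns one child D-Bus object per ipset, icmptype, service, zone and helper
    configuration and keeps them in sync with the files on disk through a
    Watcher that calls watch_updater() on changes.
    """

    # Make FirewallD persistent.
    persistent = True
    # polkit action required for methods that do not override it
    default_polkit_auth_required = config.dbus.PK_ACTION_CONFIG

    @handle_exceptions
    def __init__(self, conf, *args, **kwargs):
        """Create the child objects and set up the file/directory watches.

        conf -- config backend; args -- (busname, object path) for the base
        class.  Both the shipped and the /etc configuration directories are
        watched; sub-directories of the /etc zone directory (combined zones)
        are watched individually.
        """
        super(FirewallDConfig, self).__init__(*args, **kwargs)
        self.config = conf
        self.busname = args[0]
        self.path = args[1]
        self._init_vars()
        self.watcher = Watcher(self.watch_updater, 5)
        for directory in (config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS,
                          config.FIREWALLD_ICMPTYPES,
                          config.ETC_FIREWALLD_ICMPTYPES,
                          config.FIREWALLD_HELPERS,
                          config.ETC_FIREWALLD_HELPERS,
                          config.FIREWALLD_SERVICES,
                          config.ETC_FIREWALLD_SERVICES,
                          config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES):
            self.watcher.add_watch_dir(directory)
        # Add watches for combined zone directories
        if os.path.exists(config.ETC_FIREWALLD_ZONES):
            for filename in sorted(os.listdir(config.ETC_FIREWALLD_ZONES)):
                path = "%s/%s" % (config.ETC_FIREWALLD_ZONES, filename)
                if os.path.isdir(path):
                    self.watcher.add_watch_dir(path)
        self.watcher.add_watch_file(config.LOCKDOWN_WHITELIST)
        self.watcher.add_watch_file(config.FIREWALLD_DIRECT)
        self.watcher.add_watch_file(config.FIREWALLD_CONF)

        dbus_introspection_prepare_properties(
            self, config.dbus.DBUS_INTERFACE_CONFIG,
            { "CleanupOnExit": "readwrite",
              "IPv6_rpfilter": "readwrite",
              "Lockdown": "readwrite",
              "MinimalMark": "readwrite",
              "IndividualCalls": "readwrite",
              "LogDenied": "readwrite",
              "AutomaticHelpers": "readwrite",
              "AllowZoneDrifting": "readwrite",
            })

    @handle_exceptions
    def _init_vars(self):
        """(Re)create all child objects from the config backend.

        The ``*_idx`` counters number the D-Bus object paths and only ever
        grow within one daemon run.
        """
        self.ipsets = [ ]
        self.ipset_idx = 0
        self.icmptypes = [ ]
        self.icmptype_idx = 0
        self.services = [ ]
        self.service_idx = 0
        self.zones = [ ]
        self.zone_idx = 0
        self.helpers = [ ]
        self.helper_idx = 0

        for ipset in self.config.get_ipsets():
            self._addIPSet(self.config.get_ipset(ipset))
        for icmptype in self.config.get_icmptypes():
            self._addIcmpType(self.config.get_icmptype(icmptype))
        for service in self.config.get_services():
            self._addService(self.config.get_service(service))
        for zone in self.config.get_zones():
            self._addZone(self.config.get_zone(zone))
        for helper in self.config.get_helpers():
            self._addHelper(self.config.get_helper(helper))

    @handle_exceptions
    def __del__(self):
        pass

    @handle_exceptions
    def reload(self):
        """Unregister every child object and rebuild them from the backend."""
        for items in (self.ipsets, self.icmptypes, self.services,
                      self.zones, self.helpers):
            while items:
                item = items.pop()
                item.unregister()
                del item
        self._init_vars()

    @handle_exceptions
    def _update_from_path(self, kind, loader, name, on_new, on_remove,
                          on_update):
        """Reload one configuration file and dispatch on the backend's verdict.

        kind    -- word used in the error log ("icmptype", "service", ...)
        loader  -- backend ``update_<kind>_from_path`` callable
        name    -- path of the changed file
        on_*    -- handlers for the "new" / "remove" / "update" results
        A load failure is logged and otherwise ignored.
        """
        try:
            (what, obj) = loader(name)
        except Exception as msg:
            log.error("Failed to load %s file '%s': %s" % (kind, name, msg))
            return
        if what == "new":
            on_new(obj)
        elif what == "remove":
            on_remove(obj)
        elif what == "update":
            on_update(obj)

    @handle_exceptions
    def _update_zone_directory(self, name):
        """Add or drop the watch for a combined-zone sub-directory *name*."""
        # possible combined zone base directory
        _name = name.replace(config.ETC_FIREWALLD_ZONES, "").strip("/")
        if len(_name) < 1 or "/" in _name:
            # if there is a / in x, then it is a sub sub directory
            # ignore it
            return
        if os.path.isdir(name):
            if not self.watcher.has_watch(name):
                self.watcher.add_watch_dir(name)
        elif self.watcher.has_watch(name):
            self.watcher.remove_watch(name)

    @handle_exceptions
    def watch_updater(self, name):
        """Watcher callback: *name* is the path of a changed file or directory.

        Dispatches by location: firewalld.conf triggers a property diff and
        PropertiesChanged; ``.xml`` files below the icmptype, service, zone,
        ipset and helper directories reload that object; a directory below
        the /etc zone directory toggles its watch; the lockdown whitelist and
        the direct rules file are reloaded and signalled.  Ordering matters:
        the zone branch is tested before ipsets/helpers and also matches
        non-``.xml`` paths (directories).
        """
        if name == config.FIREWALLD_CONF:
            old_props = self.GetAll(config.dbus.DBUS_INTERFACE_CONFIG)
            log.debug1("config: Reloading firewalld config file '%s'",
                       config.FIREWALLD_CONF)
            try:
                self.config.update_firewalld_conf()
            except Exception as msg:
                log.error("Failed to load firewalld.conf file '%s': %s" % \
                          (name, msg))
                return
            props = self.GetAll(config.dbus.DBUS_INTERFACE_CONFIG).copy()
            # only report properties whose value actually changed
            for key in list(props.keys()):
                if key in old_props and old_props[key] == props[key]:
                    del props[key]
            if len(props) > 0:
                self.PropertiesChanged(config.dbus.DBUS_INTERFACE_CONFIG,
                                       props, [])
            return

        if _xml_under(name, config.FIREWALLD_ICMPTYPES,
                      config.ETC_FIREWALLD_ICMPTYPES):
            self._update_from_path(
                "icmptype", self.config.update_icmptype_from_path, name,
                self._addIcmpType, self.removeIcmpType, self._updateIcmpType)
        elif _xml_under(name, config.FIREWALLD_SERVICES,
                        config.ETC_FIREWALLD_SERVICES):
            self._update_from_path(
                "service", self.config.update_service_from_path, name,
                self._addService, self.removeService, self._updateService)
        elif name.startswith(config.FIREWALLD_ZONES) or \
             name.startswith(config.ETC_FIREWALLD_ZONES):
            if name.endswith(".xml"):
                self._update_from_path(
                    "zone", self.config.update_zone_from_path, name,
                    self._addZone, self.removeZone, self._updateZone)
            elif name.startswith(config.ETC_FIREWALLD_ZONES):
                self._update_zone_directory(name)
        elif _xml_under(name, config.FIREWALLD_IPSETS,
                        config.ETC_FIREWALLD_IPSETS):
            self._update_from_path(
                "ipset", self.config.update_ipset_from_path, name,
                self._addIPSet, self.removeIPSet, self._updateIPSet)
        elif _xml_under(name, config.FIREWALLD_HELPERS,
                        config.ETC_FIREWALLD_HELPERS):
            self._update_from_path(
                "helper", self.config.update_helper_from_path, name,
                self._addHelper, self.removeHelper, self._updateHelper)
        elif name == config.LOCKDOWN_WHITELIST:
            try:
                self.config.update_lockdown_whitelist()
            except Exception as msg:
                log.error("Failed to load lockdown whitelist file '%s': %s" % \
                          (name, msg))
                return
            self.LockdownWhitelistUpdated()
        elif name == config.FIREWALLD_DIRECT:
            try:
                self.config.update_direct()
            except Exception as msg:
                log.error("Failed to load direct rules file '%s': %s" % \
                          (name, msg))
                return
            self.Updated()

    @handle_exceptions
    def _addIcmpType(self, obj):
        """Create the D-Bus child object for icmptype *obj* and emit IcmpTypeAdded."""
        # TODO: check for idx overflow
        config_icmptype = FirewallDConfigIcmpType(
            self, self.config, obj, self.icmptype_idx, self.busname,
            "%s/%d" % (config.dbus.DBUS_PATH_CONFIG_ICMPTYPE,
                       self.icmptype_idx))
        self.icmptypes.append(config_icmptype)
        self.icmptype_idx += 1
        self.IcmpTypeAdded(obj.name)
        return config_icmptype

    @handle_exceptions
    def _updateIcmpType(self, obj):
        """Swap in the reloaded *obj* for the child with the same name/path/file."""
        for icmptype in self.icmptypes:
            if icmptype.obj.name == obj.name and \
               icmptype.obj.path == obj.path and \
               icmptype.obj.filename == obj.filename:
                icmptype.obj = obj
                icmptype.Updated(obj.name)

    @handle_exceptions
    def removeIcmpType(self, obj):
        """Drop icmptype *obj*: strip it from every zone first, then unregister."""
        for zone in self.zones:
            settings = zone.getSettings()
            # if this IcmpType is used in a zone remove it from that zone first
            if obj.name in settings[_ZONE_ICMP_BLOCKS]:
                settings[_ZONE_ICMP_BLOCKS].remove(obj.name)
                zone.obj = self.config.set_zone_config(zone.obj, settings)
                zone.Updated(zone.obj.name)

        # iterate over a snapshot: the loop removes from self.icmptypes
        for icmptype in list(self.icmptypes):
            if icmptype.obj == obj:
                icmptype.Removed(obj.name)
                icmptype.unregister()
                self.icmptypes.remove(icmptype)
                del icmptype

    @handle_exceptions
    def _addService(self, obj):
        """Create the D-Bus child object for service *obj* and emit ServiceAdded."""
        # TODO: check for idx overflow
        config_service = FirewallDConfigService(
            self, self.config, obj, self.service_idx, self.busname,
            "%s/%d" % (config.dbus.DBUS_PATH_CONFIG_SERVICE,
                       self.service_idx))
        self.services.append(config_service)
        self.service_idx += 1
        self.ServiceAdded(obj.name)
        return config_service

    @handle_exceptions
    def _updateService(self, obj):
        for service in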
self.services: if service.obj.name == obj.name and \ service.obj.path == obj.path and \ service.obj.filename == obj.filename: service.obj = obj service.Updated(obj.name) @handle_exceptions def removeService(self, obj): index = 5 # see IMPORT_EXPORT_STRUCTURE in class Zone(IO_Object) for zone in self.zones: settings = zone.getSettings() # if this Service is used in a zone remove it from that zone first if obj.name in settings[index]: settings[index].remove(obj.name) zone.obj = self.config.set_zone_config(zone.obj, settings) zone.Updated(zone.obj.name) for service in self.services: if service.obj == obj: service.Removed(obj.name) service.unregister() self.services.remove(service) del service @handle_exceptions def _addZone(self, obj): # TODO: check for idx overflow config_zone = FirewallDConfigZone( self, self.config, obj, self.zone_idx, self.busname, "%s/%d" % (config.dbus.DBUS_PATH_CONFIG_ZONE, self.zone_idx)) self.zones.append(config_zone) self.zone_idx += 1 self.ZoneAdded(obj.name) return config_zone @handle_exceptions def _updateZone(self, obj): for zone in self.zones: if zone.obj.name == obj.name and zone.obj.path == obj.path and \ zone.obj.filename == obj.filename: zone.obj = obj zone.Updated(obj.name) @handle_exceptions def removeZone(self, obj): for zone in self.zones: if zone.obj == obj: zone.Removed(obj.name) zone.unregister() self.zones.remove(zone) del zone @handle_exceptions def _addIPSet(self, obj): # TODO: check for idx overflow config_ipset = FirewallDConfigIPSet( self, self.config, obj, self.ipset_idx, self.busname, "%s/%d" % (config.dbus.DBUS_PATH_CONFIG_IPSET, self.ipset_idx)) self.ipsets.append(config_ipset) self.ipset_idx += 1 self.IPSetAdded(obj.name) return config_ipset @handle_exceptions def _updateIPSet(self, obj): for ipset in self.ipsets: if ipset.obj.name == obj.name and ipset.obj.path == obj.path and \ ipset.obj.filename == obj.filename: ipset.obj = obj ipset.Updated(obj.name) @handle_exceptions def removeIPSet(self, obj): for ipset in 
self.ipsets: if ipset.obj == obj: ipset.Removed(obj.name) ipset.unregister() self.ipsets.remove(ipset) del ipset # access check @handle_exceptions def _addHelper(self, obj): # TODO: check for idx overflow config_helper = FirewallDConfigHelper( self, self.config, obj, self.helper_idx, self.busname, "%s/%d" % (config.dbus.DBUS_PATH_CONFIG_HELPER, self.helper_idx)) self.helpers.append(config_helper) self.helper_idx += 1 self.HelperAdded(obj.name) return config_helper @handle_exceptions def _updateHelper(self, obj): for helper in self.helpers: if helper.obj.name == obj.name and helper.obj.path == obj.path and \ helper.obj.filename == obj.filename: helper.obj = obj helper.Updated(obj.name) @handle_exceptions def removeHelper(self, obj): for helper in self.helpers: if helper.obj == obj: helper.Removed(obj.name) helper.unregister() self.helpers.remove(helper) del helper # access check @dbus_handle_exceptions def accessCheck(self, sender): if self.config.lockdown_enabled(): if sender is None: log.error("Lockdown not possible, sender not set.") return bus = dbus.SystemBus() context = context_of_sender(bus, sender) if self.config.access_check("context", context): return uid = uid_of_sender(bus, sender) if self.config.access_check("uid", uid): return user = user_of_uid(uid) if self.config.access_check("user", user): return command = command_of_sender(bus, sender) if self.config.access_check("command", command): return raise FirewallError(errors.ACCESS_DENIED, "lockdown is enabled") # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # P R O P E R T I E S @dbus_handle_exceptions def _get_property(self, prop): if prop not in [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", "IPv6_rpfilter", "IndividualCalls", "LogDenied", "AutomaticHelpers", "AllowZoneDrifting"]: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.InvalidArgs: " "Property '%s' does not exist" % prop) value = self.config.get_firewalld_conf().get(prop) if prop == 
"DefaultZone": if value is None: value = config.FALLBACK_ZONE return dbus.String(value) elif prop == "MinimalMark": if value is None: value = config.FALLBACK_MINIMAL_MARK else: value = int(value) return dbus.Int32(value) elif prop == "CleanupOnExit": if value is None: value = "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no" return dbus.String(value) elif prop == "Lockdown": if value is None: value = "yes" if config.FALLBACK_LOCKDOWN else "no" return dbus.String(value) elif prop == "IPv6_rpfilter": if value is None: value = "yes" if config.FALLBACK_IPV6_RPFILTER else "no" return dbus.String(value) elif prop == "IndividualCalls": if value is None: value = "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no" return dbus.String(value) elif prop == "LogDenied": if value is None: value = config.FALLBACK_LOG_DENIED return dbus.String(value) elif prop == "AutomaticHelpers": if value is None: value = config.FALLBACK_AUTOMATIC_HELPERS return dbus.String(value) elif prop == "AllowZoneDrifting": if value is None: value = "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no" return dbus.String(value) @dbus_handle_exceptions def _get_dbus_property(self, prop): if prop == "DefaultZone": return dbus.String(self._get_property(prop)) elif prop == "MinimalMark": return dbus.Int32(self._get_property(prop)) elif prop == "CleanupOnExit": return dbus.String(self._get_property(prop)) elif prop == "Lockdown": return dbus.String(self._get_property(prop)) elif prop == "IPv6_rpfilter": return dbus.String(self._get_property(prop)) elif prop == "IndividualCalls": return dbus.String(self._get_property(prop)) elif prop == "LogDenied": return dbus.String(self._get_property(prop)) elif prop == "AutomaticHelpers": return dbus.String(self._get_property(prop)) elif prop == "AllowZoneDrifting": return dbus.String(self._get_property(prop)) else: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.InvalidArgs: " "Property '%s' does not exist" % prop) 
@dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ss', out_signature='v') @dbus_handle_exceptions def Get(self, interface_name, property_name, sender=None): # pylint: disable=W0613 # get a property interface_name = dbus_to_python(interface_name, str) property_name = dbus_to_python(property_name, str) log.debug1("config.Get('%s', '%s')", interface_name, property_name) if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: return self._get_dbus_property(property_name) elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.InvalidArgs: " "Property '%s' does not exist" % property_name) else: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.UnknownInterface: " "Interface '%s' does not exist" % interface_name) return self._get_dbus_property(property_name) @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='s', out_signature='a{sv}') @dbus_handle_exceptions def GetAll(self, interface_name, sender=None): # pylint: disable=W0613 interface_name = dbus_to_python(interface_name, str) log.debug1("config.GetAll('%s')", interface_name) ret = { } if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: for x in [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", "IPv6_rpfilter", "IndividualCalls", "LogDenied", "AutomaticHelpers", "AllowZoneDrifting" ]: ret[x] = self._get_property(x) elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]: pass else: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.UnknownInterface: " "Interface '%s' does not exist" % interface_name) return dbus.Dictionary(ret, signature="sv") @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_CONFIG) @dbus_service_method(dbus.PROPERTIES_IFACE, in_signature='ssv') @dbus_handle_exceptions def Set(self, interface_name, property_name, new_value, sender=None): interface_name = 
dbus_to_python(interface_name, str) property_name = dbus_to_python(property_name, str) new_value = dbus_to_python(new_value) log.debug1("config.Set('%s', '%s', '%s')", interface_name, property_name, new_value) self.accessCheck(sender) if interface_name == config.dbus.DBUS_INTERFACE_CONFIG: if property_name in [ "MinimalMark", "CleanupOnExit", "Lockdown", "IPv6_rpfilter", "IndividualCalls", "LogDenied", "AutomaticHelpers", "AllowZoneDrifting" ]: if property_name == "MinimalMark": try: int(new_value) except ValueError: raise FirewallError(errors.INVALID_MARK, new_value) try: new_value = str(new_value) except: raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % \ (new_value, property_name)) if property_name in [ "CleanupOnExit", "Lockdown", "IPv6_rpfilter", "IndividualCalls" ]: if new_value.lower() not in [ "yes", "no", "true", "false" ]: raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % \ (new_value, property_name)) if property_name == "LogDenied": if new_value not in config.LOG_DENIED_VALUES: raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % \ (new_value, property_name)) if property_name == "AutomaticHelpers": if new_value not in config.AUTOMATIC_HELPERS_VALUES: raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % \ (new_value, property_name)) if property_name == "AllowZoneDrifting": if new_value.lower() not in ["yes", "true", "no", "false"]: raise FirewallError(errors.INVALID_VALUE, "'%s' for %s" % \ (new_value, property_name)) self.config.get_firewalld_conf().set(property_name, new_value) self.config.get_firewalld_conf().write() self.PropertiesChanged(interface_name, { property_name: new_value }, [ ]) else: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.InvalidArgs: " "Property '%s' does not exist" % property_name) elif interface_name in [ config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.InvalidArgs: " "Property '%s' 
does not exist" % property_name) else: raise dbus.exceptions.DBusException( "org.freedesktop.DBus.Error.UnknownInterface: " "Interface '%s' does not exist" % interface_name) @dbus.service.signal(dbus.PROPERTIES_IFACE, signature='sa{sv}as') def PropertiesChanged(self, interface_name, changed_properties, invalidated_properties): interface_name = dbus_to_python(interface_name, str) changed_properties = dbus_to_python(changed_properties) invalidated_properties = dbus_to_python(invalidated_properties) log.debug1("config.PropertiesChanged('%s', '%s', '%s')", interface_name, changed_properties, invalidated_properties) @slip.dbus.polkit.require_auth(config.dbus.PK_ACTION_INFO) @dbus_service_method(dbus.INTROSPECTABLE_IFACE, out_signature='s') @dbus_handle_exceptions def Introspect(self, sender=None): # pylint: disable=W0613 log.debug2("config.Introspect()") data = super(FirewallDConfig, self).Introspect(self.path, self.busname.get_bus()) return dbus_introspection_add_properties( self, data, config.dbus.DBUS_INTERFACE_CONFIG) # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # policies @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, out_signature=LockdownWhitelist.DBUS_SIGNATURE) @dbus_handle_exceptions def getLockdownWhitelist(self, sender=None): # pylint: disable=W0613 log.debug1("config.policies.getLockdownWhitelist()") return self.config.get_policies().lockdown_whitelist.export_config() @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, in_signature=LockdownWhitelist.DBUS_SIGNATURE) @dbus_handle_exceptions def setLockdownWhitelist(self, settings, sender=None): # pylint: disable=W0613 log.debug1("config.policies.setLockdownWhitelist(...)") settings = dbus_to_python(settings) self.config.get_policies().lockdown_whitelist.import_config(settings) self.config.get_policies().lockdown_whitelist.write() self.LockdownWhitelistUpdated() @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES) @dbus_handle_exceptions 
def LockdownWhitelistUpdated(self): log.debug1("config.policies.LockdownWhitelistUpdated()") # command @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, in_signature='s') @dbus_handle_exceptions def addLockdownWhitelistCommand(self, command, sender=None): command = dbus_to_python(command) log.debug1("config.policies.addLockdownWhitelistCommand('%s')", command) self.accessCheck(sender) settings = list(self.getLockdownWhitelist()) if command in settings[0]: raise FirewallError(errors.ALREADY_ENABLED, command) settings[0].append(command) self.setLockdownWhitelist(settings) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, in_signature='s') @dbus_handle_exceptions def removeLockdownWhitelistCommand(self, command, sender=None): command = dbus_to_python(command) log.debug1("config.policies.removeLockdownWhitelistCommand('%s')", command) self.accessCheck(sender) settings = list(self.getLockdownWhitelist()) if command not in settings[0]: raise FirewallError(errors.NOT_ENABLED, command) settings[0].remove(command) self.setLockdownWhitelist(settings) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, in_signature='s', out_signature='b') @dbus_handle_exceptions def queryLockdownWhitelistCommand(self, command, sender=None): # pylint: disable=W0613 command = dbus_to_python(command) log.debug1("config.policies.queryLockdownWhitelistCommand('%s')", command) return command in self.getLockdownWhitelist()[0] @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, out_signature='as') @dbus_handle_exceptions def getLockdownWhitelistCommands(self, sender=None): # pylint: disable=W0613 log.debug1("config.policies.getLockdownWhitelistCommands()") return self.getLockdownWhitelist()[0] # context @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, in_signature='s') @dbus_handle_exceptions def addLockdownWhitelistContext(self, context, sender=None): context = dbus_to_python(context) 
log.debug1("config.policies.addLockdownWhitelistContext('%s')", context) self.accessCheck(sender) settings = list(self.getLockdownWhitelist()) if context in settings[1]: raise FirewallError(errors.ALREADY_ENABLED, context) settings[1].append(context) self.setLockdownWhitelist(settings) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, in_signature='s') @dbus_handle_exceptions def removeLockdownWhitelistContext(self, context, sender=None): context = dbus_to_python(context) log.debug1("config.policies.removeLockdownWhitelistContext('%s')", context) self.accessCheck(sender) settings = list(self.getLockdownWhitelist()) if context not in settings[1]: raise FirewallError(errors.NOT_ENABLED, context) settings[1].remove(context) self.setLockdownWhitelist(settings) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, in_signature='s', out_signature='b') @dbus_handle_exceptions def queryLockdownWhitelistContext(self, context, sender=None): # pylint: disable=W0613 context = dbus_to_python(context) log.debug1("config.policies.queryLockdownWhitelistContext('%s')", context) return context in self.getLockdownWhitelist()[1] @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, out_signature='as') @dbus_handle_exceptions def getLockdownWhitelistContexts(self, sender=None): # pylint: disable=W0613 log.debug1("config.policies.getLockdownWhitelistContexts()") return self.getLockdownWhitelist()[1] # user @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, in_signature='s') @dbus_handle_exceptions def addLockdownWhitelistUser(self, user, sender=None): user = dbus_to_python(user) log.debug1("config.policies.addLockdownWhitelistUser('%s')", user) self.accessCheck(sender) settings = list(self.getLockdownWhitelist()) if user in settings[2]: raise FirewallError(errors.ALREADY_ENABLED, user) settings[2].append(user) self.setLockdownWhitelist(settings) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, in_signature='s') 
@dbus_handle_exceptions def removeLockdownWhitelistUser(self, user, sender=None): user = dbus_to_python(user) log.debug1("config.policies.removeLockdownWhitelistUser('%s')", user) self.accessCheck(sender) settings = list(self.getLockdownWhitelist()) if user not in settings[2]: raise FirewallError(errors.NOT_ENABLED, user) settings[2].remove(user) self.setLockdownWhitelist(settings) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, in_signature='s', out_signature='b') @dbus_handle_exceptions def queryLockdownWhitelistUser(self, user, sender=None): # pylint: disable=W0613 user = dbus_to_python(user) log.debug1("config.policies.queryLockdownWhitelistUser('%s')", user) return user in self.getLockdownWhitelist()[2] @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, out_signature='as') @dbus_handle_exceptions def getLockdownWhitelistUsers(self, sender=None): # pylint: disable=W0613 log.debug1("config.policies.getLockdownWhitelistUsers()") return self.getLockdownWhitelist()[2] # uid @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, in_signature='i') @dbus_handle_exceptions def addLockdownWhitelistUid(self, uid, sender=None): uid = dbus_to_python(uid) log.debug1("config.policies.addLockdownWhitelistUid(%d)", uid) self.accessCheck(sender) settings = list(self.getLockdownWhitelist()) if uid in settings[3]: raise FirewallError(errors.ALREADY_ENABLED, uid) settings[3].append(uid) self.setLockdownWhitelist(settings) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, in_signature='i') @dbus_handle_exceptions def removeLockdownWhitelistUid(self, uid, sender=None): uid = dbus_to_python(uid) log.debug1("config.policies.removeLockdownWhitelistUid(%d)", uid) self.accessCheck(sender) settings = list(self.getLockdownWhitelist()) if uid not in settings[3]: raise FirewallError(errors.NOT_ENABLED, uid) settings[3].remove(uid) self.setLockdownWhitelist(settings) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, 
in_signature='i', out_signature='b') @dbus_handle_exceptions def queryLockdownWhitelistUid(self, uid, sender=None): # pylint: disable=W0613 uid = dbus_to_python(uid) log.debug1("config.policies.queryLockdownWhitelistUid(%d)", uid) return uid in self.getLockdownWhitelist()[3] @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_POLICIES, out_signature='ai') @dbus_handle_exceptions def getLockdownWhitelistUids(self, sender=None): # pylint: disable=W0613 log.debug1("config.policies.getLockdownWhitelistUids()") return self.getLockdownWhitelist()[3] # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # I P S E T S @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, out_signature='ao') @dbus_handle_exceptions def listIPSets(self, sender=None): # pylint: disable=W0613 """list ipsets objects paths """ log.debug1("config.listIPSets()") return self.ipsets @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, out_signature='as') @dbus_handle_exceptions def getIPSetNames(self, sender=None): # pylint: disable=W0613 """get ipset names """ log.debug1("config.getIPSetNames()") ipsets = [ ] for obj in self.ipsets: ipsets.append(obj.obj.name) return sorted(ipsets) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, in_signature='s', out_signature='o') @dbus_handle_exceptions def getIPSetByName(self, ipset, sender=None): # pylint: disable=W0613 """object path of ipset with given name """ ipset = dbus_to_python(ipset, str) log.debug1("config.getIPSetByName('%s')", ipset) for obj in self.ipsets: if obj.obj.name == ipset: return obj raise FirewallError(errors.INVALID_IPSET, ipset) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, in_signature='s'+IPSet.DBUS_SIGNATURE, out_signature='o') @dbus_handle_exceptions def addIPSet(self, ipset, settings, sender=None): """add ipset with given name and settings """ ipset = dbus_to_python(ipset, str) settings = dbus_to_python(settings) log.debug1("config.addIPSet('%s')", ipset) self.accessCheck(sender) obj = 
self.config.new_ipset(ipset, settings) config_ipset = self._addIPSet(obj) return config_ipset @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG, signature='s') @dbus_handle_exceptions def IPSetAdded(self, ipset): ipset = dbus_to_python(ipset, str) log.debug1("config.IPSetAdded('%s')" % (ipset)) # I C M P T Y P E S @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, out_signature='ao') @dbus_handle_exceptions def listIcmpTypes(self, sender=None): # pylint: disable=W0613 """list icmptypes objects paths """ log.debug1("config.listIcmpTypes()") return self.icmptypes @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, out_signature='as') @dbus_handle_exceptions def getIcmpTypeNames(self, sender=None): # pylint: disable=W0613 """get icmptype names """ log.debug1("config.getIcmpTypeNames()") icmptypes = [ ] for obj in self.icmptypes: icmptypes.append(obj.obj.name) return sorted(icmptypes) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, in_signature='s', out_signature='o') @dbus_handle_exceptions def getIcmpTypeByName(self, icmptype, sender=None): # pylint: disable=W0613 """object path of icmptype with given name """ icmptype = dbus_to_python(icmptype, str) log.debug1("config.getIcmpTypeByName('%s')", icmptype) for obj in self.icmptypes: if obj.obj.name == icmptype: return obj raise FirewallError(errors.INVALID_ICMPTYPE, icmptype) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, in_signature='s'+IcmpType.DBUS_SIGNATURE, out_signature='o') @dbus_handle_exceptions def addIcmpType(self, icmptype, settings, sender=None): """add icmptype with given name and settings """ icmptype = dbus_to_python(icmptype, str) settings = dbus_to_python(settings) log.debug1("config.addIcmpType('%s')", icmptype) self.accessCheck(sender) obj = self.config.new_icmptype(icmptype, settings) config_icmptype = self._addIcmpType(obj) return config_icmptype @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG, signature='s') @dbus_handle_exceptions def IcmpTypeAdded(self, 
icmptype): log.debug1("config.IcmpTypeAdded('%s')" % (icmptype)) # S E R V I C E S @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, out_signature='ao') @dbus_handle_exceptions def listServices(self, sender=None): # pylint: disable=W0613 """list services objects paths """ log.debug1("config.listServices()") return self.services @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, out_signature='as') @dbus_handle_exceptions def getServiceNames(self, sender=None): # pylint: disable=W0613 """get service names """ log.debug1("config.getServiceNames()") services = [ ] for obj in self.services: services.append(obj.obj.name) return sorted(services) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, in_signature='s', out_signature='o') @dbus_handle_exceptions def getServiceByName(self, service, sender=None): # pylint: disable=W0613 """object path of service with given name """ service = dbus_to_python(service, str) log.debug1("config.getServiceByName('%s')", service) for obj in self.services: if obj.obj.name == service: return obj raise FirewallError(errors.INVALID_SERVICE, service) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, in_signature='s'+Service.DBUS_SIGNATURE, out_signature='o') @dbus_handle_exceptions def addService(self, service, settings, sender=None): """add service with given name and settings """ service = dbus_to_python(service, str) settings = dbus_to_python(settings) log.debug1("config.addService('%s')", service) self.accessCheck(sender) obj = self.config.new_service(service, settings) config_service = self._addService(obj) return config_service @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG, signature='s') @dbus_handle_exceptions def ServiceAdded(self, service): log.debug1("config.ServiceAdded('%s')" % (service)) # Z O N E S @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, out_signature='ao') @dbus_handle_exceptions def listZones(self, sender=None): # pylint: disable=W0613 """list zones objects paths """ 
log.debug1("config.listZones()") return self.zones @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, out_signature='as') @dbus_handle_exceptions def getZoneNames(self, sender=None): # pylint: disable=W0613 """get zone names """ log.debug1("config.getZoneNames()") zones = [ ] for obj in self.zones: zones.append(obj.obj.name) return sorted(zones) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, in_signature='s', out_signature='o') @dbus_handle_exceptions def getZoneByName(self, zone, sender=None): # pylint: disable=W0613 """object path of zone with given name """ zone = dbus_to_python(zone, str) log.debug1("config.getZoneByName('%s')", zone) for obj in self.zones: if obj.obj.name == zone: return obj raise FirewallError(errors.INVALID_ZONE, zone) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, in_signature='s', out_signature='s') @dbus_handle_exceptions def getZoneOfInterface(self, iface, sender=None): # pylint: disable=W0613 """name of zone the given interface belongs to """ iface = dbus_to_python(iface, str) log.debug1("config.getZoneOfInterface('%s')", iface) ret = [] for obj in self.zones: if iface in obj.obj.interfaces: ret.append(obj.obj.name) if len(ret) > 1: # Even it shouldn't happen, it's actually possible that # the same interface is in several zone XML files return " ".join(ret) + \ " (ERROR: interface '%s' is in %s zone XML files, can be only in one)" % \ (iface, len(ret)) return ret[0] if ret else "" @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, in_signature='s', out_signature='s') @dbus_handle_exceptions def getZoneOfSource(self, source, sender=None): # pylint: disable=W0613 """name of zone the given source belongs to """ source = dbus_to_python(source, str) log.debug1("config.getZoneOfSource('%s')", source) ret = [] for obj in self.zones: if source in obj.obj.sources: ret.append(obj.obj.name) if len(ret) > 1: # Even it shouldn't happen, it's actually possible that # the same source is in several zone XML files return " 
".join(ret) + \ " (ERROR: source '%s' is in %s zone XML files, can be only in one)" % \ (source, len(ret)) return ret[0] if ret else "" @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, in_signature='s'+Zone.DBUS_SIGNATURE, out_signature='o') @dbus_handle_exceptions def addZone(self, zone, settings, sender=None): """add zone with given name and settings """ zone = dbus_to_python(zone, str) settings = dbus_to_python(settings) log.debug1("config.addZone('%s')", zone) self.accessCheck(sender) if settings[4] == "default": # convert to list, fix target, convert back to tuple _settings = list(settings) _settings[4] = DEFAULT_ZONE_TARGET settings = tuple(_settings) obj = self.config.new_zone(zone, settings) config_zone = self._addZone(obj) return config_zone @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG, signature='s') @dbus_handle_exceptions def ZoneAdded(self, zone): log.debug1("config.ZoneAdded('%s')" % (zone)) # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # H E L P E R S @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, out_signature='ao') @dbus_handle_exceptions def listHelpers(self, sender=None): # pylint: disable=W0613 """list helpers objects paths """ log.debug1("config.listHelpers()") return self.helpers @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, out_signature='as') @dbus_handle_exceptions def getHelperNames(self, sender=None): # pylint: disable=W0613 """get helper names """ log.debug1("config.getHelperNames()") helpers = [ ] for obj in self.helpers: helpers.append(obj.obj.name) return sorted(helpers) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, in_signature='s', out_signature='o') @dbus_handle_exceptions def getHelperByName(self, helper, sender=None): # pylint: disable=W0613 """object path of helper with given name """ helper = dbus_to_python(helper, str) log.debug1("config.getHelperByName('%s')", helper) for obj in self.helpers: if obj.obj.name == helper: return obj raise 
FirewallError(errors.INVALID_HELPER, helper) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG, in_signature='s'+Helper.DBUS_SIGNATURE, out_signature='o') @dbus_handle_exceptions def addHelper(self, helper, settings, sender=None): """add helper with given name and settings """ helper = dbus_to_python(helper, str) settings = dbus_to_python(settings) log.debug1("config.addHelper('%s')", helper) self.accessCheck(sender) obj = self.config.new_helper(helper, settings) config_helper = self._addHelper(obj) return config_helper @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG, signature='s') @dbus_handle_exceptions def HelperAdded(self, helper): helper = dbus_to_python(helper, str) log.debug1("config.HelperAdded('%s')" % (helper)) # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # # DIRECT @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, out_signature=Direct.DBUS_SIGNATURE) @dbus_handle_exceptions def getSettings(self, sender=None): # pylint: disable=W0613 # returns list ipv, table, list of chains log.debug1("config.direct.getSettings()") return self.config.get_direct().export_config() @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature=Direct.DBUS_SIGNATURE) @dbus_handle_exceptions def update(self, settings, sender=None): # pylint: disable=W0613 # returns list ipv, table, list of chains log.debug1("config.direct.update()") settings = dbus_to_python(settings) self.config.get_direct().import_config(settings) self.config.get_direct().write() self.Updated() @dbus.service.signal(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT) @dbus_handle_exceptions def Updated(self): log.debug1("config.direct.Updated()") # chain @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature='sss') @dbus_handle_exceptions def addChain(self, ipv, table, chain, sender=None): ipv = dbus_to_python(ipv) table = dbus_to_python(table) chain = dbus_to_python(chain) log.debug1("config.direct.addChain('%s', '%s', '%s')" % \ 
(ipv, table, chain)) self.accessCheck(sender) idx = tuple((ipv, table, chain)) settings = list(self.getSettings()) if idx in settings[0]: raise FirewallError(errors.ALREADY_ENABLED, "chain '%s' already is in '%s:%s'" % \ (chain, ipv, table)) settings[0].append(idx) self.update(settings) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature='sss') @dbus_handle_exceptions def removeChain(self, ipv, table, chain, sender=None): ipv = dbus_to_python(ipv) table = dbus_to_python(table) chain = dbus_to_python(chain) log.debug1("config.direct.removeChain('%s', '%s', '%s')" % \ (ipv, table, chain)) self.accessCheck(sender) idx = tuple((ipv, table, chain)) settings = list(self.getSettings()) if idx not in settings[0]: raise FirewallError(errors.NOT_ENABLED, "chain '%s' is not in '%s:%s'" % (chain, ipv, table)) settings[0].remove(idx) self.update(settings) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature='sss', out_signature='b') @dbus_handle_exceptions def queryChain(self, ipv, table, chain, sender=None): # pylint: disable=W0613 ipv = dbus_to_python(ipv) table = dbus_to_python(table) chain = dbus_to_python(chain) log.debug1("config.direct.queryChain('%s', '%s', '%s')" % \ (ipv, table, chain)) idx = tuple((ipv, table, chain)) return idx in self.getSettings()[0] @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature='ss', out_signature='as') @dbus_handle_exceptions def getChains(self, ipv, table, sender=None): # pylint: disable=W0613 ipv = dbus_to_python(ipv) table = dbus_to_python(table) log.debug1("config.direct.getChains('%s', '%s')" % (ipv, table)) ret = [ ] for idx in self.getSettings()[0]: if idx[0] == ipv and idx[1] == table: ret.append(idx[2]) return ret @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature='', out_signature='a(sss)') @dbus_handle_exceptions def getAllChains(self, sender=None): # pylint: disable=W0613 log.debug1("config.direct.getAllChains()") return 
self.getSettings()[0] # rule @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature='sssias') @dbus_handle_exceptions def addRule(self, ipv, table, chain, priority, args, sender=None): # pylint: disable=R0913 ipv = dbus_to_python(ipv) table = dbus_to_python(table) chain = dbus_to_python(chain) priority = dbus_to_python(priority) args = dbus_to_python(args) log.debug1("config.direct.addRule('%s', '%s', '%s', %d, '%s')" % \ (ipv, table, chain, priority, "','".join(args))) self.accessCheck(sender) idx = (ipv, table, chain, priority, args) settings = list(self.getSettings()) if idx in settings[1]: raise FirewallError(errors.ALREADY_ENABLED, "rule '%s' already is in '%s:%s:%s'" % \ (args, ipv, table, chain)) settings[1].append(idx) self.update(tuple(settings)) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature='sssias') @dbus_handle_exceptions def removeRule(self, ipv, table, chain, priority, args, sender=None): # pylint: disable=R0913 ipv = dbus_to_python(ipv) table = dbus_to_python(table) chain = dbus_to_python(chain) priority = dbus_to_python(priority) args = dbus_to_python(args) log.debug1("config.direct.removeRule('%s', '%s', '%s', %d, '%s')" % \ (ipv, table, chain, priority, "','".join(args))) self.accessCheck(sender) idx = (ipv, table, chain, priority, args) settings = list(self.getSettings()) if idx not in settings[1]: raise FirewallError(errors.NOT_ENABLED, "rule '%s' is not in '%s:%s:%s'" % \ (args, ipv, table, chain)) settings[1].remove(idx) self.update(tuple(settings)) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature='sssias', out_signature='b') @dbus_handle_exceptions def queryRule(self, ipv, table, chain, priority, args, sender=None): # pylint: disable=W0613,R0913 ipv = dbus_to_python(ipv) table = dbus_to_python(table) chain = dbus_to_python(chain) priority = dbus_to_python(priority) args = dbus_to_python(args) log.debug1("config.direct.queryRule('%s', '%s', '%s', %d, '%s')" % \ (ipv, 
table, chain, priority, "','".join(args))) idx = (ipv, table, chain, priority, args) return idx in self.getSettings()[1] @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature='sss') @dbus_handle_exceptions def removeRules(self, ipv, table, chain, sender=None): ipv = dbus_to_python(ipv) table = dbus_to_python(table) chain = dbus_to_python(chain) log.debug1("config.direct.removeRules('%s', '%s', '%s')" % \ (ipv, table, chain, )) self.accessCheck(sender) settings = list(self.getSettings()) for rule in settings[1][:]: if (ipv, table, chain) == (rule[0], rule[1], rule[2]): settings[1].remove(rule) self.update(tuple(settings)) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature='sss', out_signature='a(ias)') @dbus_handle_exceptions def getRules(self, ipv, table, chain, sender=None): # pylint: disable=W0613 ipv = dbus_to_python(ipv) table = dbus_to_python(table) chain = dbus_to_python(chain) log.debug1("config.direct.getRules('%s', '%s', '%s')" % \ (ipv, table, chain)) ret = [ ] for idx in self.getSettings()[1]: if idx[0] == ipv and idx[1] == table and idx[2] == chain: ret.append((idx[3], idx[4])) return ret @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature='', out_signature='a(sssias)') @dbus_handle_exceptions def getAllRules(self, sender=None): # pylint: disable=W0613 log.debug1("config.direct.getAllRules()") return self.getSettings()[1] # passthrough @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature='sas') @dbus_handle_exceptions def addPassthrough(self, ipv, args, sender=None): ipv = dbus_to_python(ipv) args = dbus_to_python(args) log.debug1("config.direct.addPassthrough('%s', '%s')" % \ (ipv, "','".join(args))) self.accessCheck(sender) idx = (ipv, args) settings = list(self.getSettings()) if idx in settings[2]: raise FirewallError(errors.ALREADY_ENABLED, "passthrough '%s', '%s'" % (ipv, args)) settings[2].append(idx) self.update(settings) 
@dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature='sas') @dbus_handle_exceptions def removePassthrough(self, ipv, args, sender=None): ipv = dbus_to_python(ipv) args = dbus_to_python(args) log.debug1("config.direct.removePassthrough('%s', '%s')" % \ (ipv, "','".join(args))) self.accessCheck(sender) idx = (ipv, args) settings = list(self.getSettings()) if idx not in settings[2]: raise FirewallError(errors.NOT_ENABLED, "passthrough '%s', '%s'" % (ipv, args)) settings[2].remove(idx) self.update(settings) @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature='sas', out_signature='b') @dbus_handle_exceptions def queryPassthrough(self, ipv, args, sender=None): # pylint: disable=W0613 ipv = dbus_to_python(ipv) args = dbus_to_python(args) log.debug1("config.direct.queryPassthrough('%s', '%s')" % \ (ipv, "','".join(args))) idx = (ipv, args) return idx in self.getSettings()[2] @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, in_signature='s', out_signature='aas') @dbus_handle_exceptions def getPassthroughs(self, ipv, sender=None): # pylint: disable=W0613 ipv = dbus_to_python(ipv) log.debug1("config.direct.getPassthroughs('%s')" % (ipv)) ret = [ ] for idx in self.getSettings()[2]: if idx[0] == ipv: ret.append(idx[1]) return ret @dbus_service_method(config.dbus.DBUS_INTERFACE_CONFIG_DIRECT, out_signature='a(sas)') @dbus_handle_exceptions def getAllPassthroughs(self, sender=None): # pylint: disable=W0613 log.debug1("config.direct.getAllPassthroughs()") return self.getSettings()[2] functions.py000064400000034401147576556050007154 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2007,2008,2011,2012 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # __all__ = [ "PY2", "getPortID", "getPortRange", "portStr", "getServiceName", "checkIP", "checkIP6", "checkIPnMask", "checkIP6nMask", "checkProtocol", "checkInterface", "checkUINT32", "firewalld_is_active", "tempFile", "readfile", "writefile", "enable_ip_forwarding", "get_nf_conntrack_helper_setting", "set_nf_conntrack_helper_setting", "check_port", "check_address", "check_single_address", "check_mac", "uniqify", "ppid_of_pid", "max_zone_name_len", "checkUser", "checkUid", "checkCommand", "checkContext", "joinArgs", "splitArgs", "b2u", "u2b", "u2b_if_py2" ] import socket import os import os.path import shlex import pipes import string import sys import tempfile from firewall.core.logger import log from firewall.config import FIREWALLD_TEMPDIR, FIREWALLD_PIDFILE PY2 = sys.version < '3' def getPortID(port): """ Check and Get port id from port string or port id using socket.getservbyname @param port port string or port id @return Port id if valid, -1 if port can not be found and -2 if port is too big """ if isinstance(port, int): _id = port else: if port: port = port.strip() try: _id = int(port) except ValueError: try: _id = socket.getservbyname(port) except socket.error: return -1 if _id > 65535: return -2 return _id def getPortRange(ports): """ Get port range for port range string or single port id @param ports an integer or port string or port range string @return Array containing start and end port id for a valid range or -1 if port can not be found and -2 if port is too big for integer input or -1 for invalid ranges or None if the range is ambiguous. 
""" # "" case if isinstance(ports, int) or ports.isdigit(): id1 = getPortID(ports) if id1 >= 0: return (id1,) return id1 splits = ports.split("-") # "-" case if len(splits) == 2 and splits[0].isdigit() and splits[1].isdigit(): id1 = getPortID(splits[0]) id2 = getPortID(splits[1]) if id1 >= 0 and id2 >= 0: if id1 < id2: return (id1, id2) elif id1 > id2: return (id2, id1) else: # ids are the same return (id1,) # everything else "[-]" matched = [ ] for i in range(len(splits), 0, -1): id1 = getPortID("-".join(splits[:i])) port2 = "-".join(splits[i:]) if len(port2) > 0: id2 = getPortID(port2) if id1 >= 0 and id2 >= 0: if id1 < id2: matched.append((id1, id2)) elif id1 > id2: matched.append((id2, id1)) else: matched.append((id1, )) else: if id1 >= 0: matched.append((id1,)) if i == len(splits): # full match, stop here break if len(matched) < 1: return -1 elif len(matched) > 1: return None return matched[0] def portStr(port, delimiter=":"): """ Create port and port range string @param port port or port range int or [int, int] @param delimiter of the output string for port ranges, default ':' @return Port or port range string, empty string if port isn't specified, None if port or port range is not valid """ if port == "": return "" _range = getPortRange(port) if isinstance(_range, int) and _range < 0: return None elif len(_range) == 1: return "%s" % _range else: return "%s%s%s" % (_range[0], delimiter, _range[1]) def portInPortRange(port, range): _port = getPortID(port) _range = getPortRange(range) if len(_range) == 1: return _port == getPortID(_range[0]) if len(_range) == 2 and \ _port >= getPortID(_range[0]) and _port <= getPortID(_range[1]): return True return False def getServiceName(port, proto): """ Check and Get service name from port and proto string combination using socket.getservbyport @param port string or id @param protocol string @return Service name if port and protocol are valid, else None """ try: name = socket.getservbyport(int(port), proto) except 
socket.error: return None return name def checkIP(ip): """ Check IPv4 address. @param ip address string @return True if address is valid, else False """ try: socket.inet_pton(socket.AF_INET, ip) except socket.error: return False return True def normalizeIP6(ip): """ Normalize the IPv6 address This is mostly about converting URL-like IPv6 address to normal ones. e.g. [1234::4321] --> 1234:4321 """ return ip.strip("[]") def checkIP6(ip): """ Check IPv6 address. @param ip address string @return True if address is valid, else False """ try: socket.inet_pton(socket.AF_INET6, normalizeIP6(ip)) except socket.error: return False return True def checkIPnMask(ip): if "/" in ip: addr = ip[:ip.index("/")] mask = ip[ip.index("/")+1:] if len(addr) < 1 or len(mask) < 1: return False else: addr = ip mask = None if not checkIP(addr): return False if mask: if "." in mask: return checkIP(mask) else: try: i = int(mask) except ValueError: return False if i < 0 or i > 32: return False return True def checkIP6nMask(ip): if "/" in ip: addr = ip[:ip.index("/")] mask = ip[ip.index("/")+1:] if len(addr) < 1 or len(mask) < 1: return False else: addr = ip mask = None if not checkIP6(addr): return False if mask: try: i = int(mask) except ValueError: return False if i < 0 or i > 128: return False return True def checkProtocol(protocol): try: i = int(protocol) except ValueError: # string try: socket.getprotobyname(protocol) except socket.error: return False else: if i < 0 or i > 255: return False return True def checkInterface(iface): """ Check interface string @param interface string @return True if interface is valid (maximum 16 chars and does not contain ' ', '/', '!', ':', '*'), else False """ if not iface or len(iface) > 16: return False for ch in [ ' ', '/', '!', '*' ]: # !:* are limits for iptables <= 1.4.5 if ch in iface: return False # disabled old iptables check #if iface == "+": # # limit for iptables <= 1.4.5 # return False return True def checkUINT32(val): try: x = int(val, 0) except 
ValueError: return False else: if x >= 0 and x <= 4294967295: return True return False def firewalld_is_active(): """ Check if firewalld is active @return True if there is a firewalld pid file and the pid is used by firewalld """ if not os.path.exists(FIREWALLD_PIDFILE): return False try: with open(FIREWALLD_PIDFILE, "r") as fd: pid = fd.readline() except Exception: return False if not os.path.exists("/proc/%s" % pid): return False try: with open("/proc/%s/cmdline" % pid, "r") as fd: cmdline = fd.readline() except Exception: return False if "firewalld" in cmdline: return True return False def tempFile(): try: if not os.path.exists(FIREWALLD_TEMPDIR): os.mkdir(FIREWALLD_TEMPDIR, 0o750) return tempfile.NamedTemporaryFile(mode='wt', prefix="temp.", dir=FIREWALLD_TEMPDIR, delete=False) except Exception as msg: log.error("Failed to create temporary file: %s" % msg) raise return None def readfile(filename): try: with open(filename, "r") as f: return f.readlines() except Exception as e: log.error('Failed to read file "%s": %s' % (filename, e)) return None def writefile(filename, line): try: with open(filename, "w") as f: f.write(line) except Exception as e: log.error('Failed to write to file "%s": %s' % (filename, e)) return False return True def enable_ip_forwarding(ipv): if ipv == "ipv4": return writefile("/proc/sys/net/ipv4/ip_forward", "1\n") elif ipv == "ipv6": return writefile("/proc/sys/net/ipv6/conf/all/forwarding", "1\n") return False def get_nf_conntrack_short_name(module): return module.replace("_","-").replace("nf-conntrack-", "") def get_nf_conntrack_helper_setting(): try: return int(readfile("/proc/sys/net/netfilter/nf_conntrack_helper")[0]) except Exception: log.warning("Failed to get and parse nf_conntrack_helper setting") return 0 def set_nf_conntrack_helper_setting(flag): return writefile("/proc/sys/net/netfilter/nf_conntrack_helper", "1\n" if flag else "0\n") def check_port(port): _range = getPortRange(port) if _range == -2 or _range == -1 or _range is 
None or \ (len(_range) == 2 and _range[0] >= _range[1]): if _range == -2: log.debug2("'%s': port > 65535" % port) elif _range == -1: log.debug2("'%s': port is invalid" % port) elif _range is None: log.debug2("'%s': port is ambiguous" % port) elif len(_range) == 2 and _range[0] >= _range[1]: log.debug2("'%s': range start >= end" % port) return False return True def check_address(ipv, source): if ipv == "ipv4": return checkIPnMask(source) elif ipv == "ipv6": return checkIP6nMask(source) else: return False def check_single_address(ipv, source): if ipv == "ipv4": return checkIP(source) elif ipv == "ipv6": return checkIP6(source) else: return False def check_mac(mac): if len(mac) == 12+5: # 0 1 : 3 4 : 6 7 : 9 10 : 12 13 : 15 16 for i in (2, 5, 8, 11, 14): if mac[i] != ":": return False for i in (0, 1, 3, 4, 6, 7, 9, 10, 12, 13, 15, 16): if mac[i] not in string.hexdigits: return False return True return False def uniqify(_list): # removes duplicates from list, whilst preserving order output = [] for x in _list: if x not in output: output.append(x) return output def ppid_of_pid(pid): """ Get parent for pid """ try: f = os.popen("ps -o ppid -h -p %d 2>/dev/null" % pid) pid = int(f.readlines()[0].strip()) f.close() except Exception: return None return pid def max_zone_name_len(): """ Netfilter limits length of chain to (currently) 28 chars. The longest chain we create is FWDI__allow, which leaves 28 - 11 = 17 chars for . 
""" from firewall.core.base import SHORTCUTS longest_shortcut = max(map(len, SHORTCUTS.values())) return 28 - (longest_shortcut + len("__allow")) def checkUser(user): if len(user) < 1 or len(user) > os.sysconf('SC_LOGIN_NAME_MAX'): return False for c in user: if c not in string.ascii_letters and \ c not in string.digits and \ c not in [ ".", "-", "_", "$" ]: return False return True def checkUid(uid): if isinstance(uid, str): try: uid = int(uid) except ValueError: return False if uid >= 0 and uid <= 2**31-1: return True return False def checkCommand(command): if len(command) < 1 or len(command) > 1024: return False for ch in [ "|", "\n", "\0" ]: if ch in command: return False if command[0] != "/": return False return True def checkContext(context): splits = context.split(":") if len(splits) not in [4, 5]: return False # user ends with _u if not root if splits[0] != "root" and splits[0][-2:] != "_u": return False # role ends with _r if splits[1][-2:] != "_r": return False # type ends with _t if splits[2][-2:] != "_t": return False # level might also contain : if len(splits[3]) < 1: return False return True def joinArgs(args): if "quote" in dir(shlex): return " ".join(shlex.quote(a) for a in args) else: return " ".join(pipes.quote(a) for a in args) def splitArgs(_string): if PY2 and isinstance(_string, unicode): # noqa: F821 # Python2's shlex doesn't like unicode _string = u2b(_string) splits = shlex.split(_string) return map(b2u, splits) else: return shlex.split(_string) def b2u(_string): """ bytes to unicode """ if isinstance(_string, bytes): return _string.decode('UTF-8', 'replace') return _string def u2b(_string): """ unicode to bytes """ if not isinstance(_string, bytes): return _string.encode('UTF-8', 'replace') return _string def u2b_if_py2(_string): """ unicode to bytes only if Python 2""" if PY2 and isinstance(_string, unicode): # noqa: F821 return _string.encode('UTF-8', 'replace') return _string dbus_utils.py000064400000017512147576556050007325 0ustar00# 
-*- coding: utf-8 -*- # # Copyright (C) 2011-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # __all__ = [ "command_of_pid", "pid_of_sender", "uid_of_sender", "user_of_uid", "context_of_sender", "command_of_sender", "user_of_sender", "dbus_to_python", "dbus_signature", "dbus_introspection_prepare_properties", "dbus_introspection_add_properties" ] import dbus import pwd import sys from xml.dom import minidom from firewall.core.logger import log PY2 = sys.version < '3' def command_of_pid(pid): """ Get command for pid from /proc """ try: with open("/proc/%d/cmdline" % pid, "r") as f: cmd = f.readlines()[0].replace('\0', " ").strip() except Exception: return None return cmd def pid_of_sender(bus, sender): """ Get pid from sender string using org.freedesktop.DBus.GetConnectionUnixProcessID """ dbus_obj = bus.get_object('org.freedesktop.DBus', '/org/freedesktop/DBus') dbus_iface = dbus.Interface(dbus_obj, 'org.freedesktop.DBus') try: pid = int(dbus_iface.GetConnectionUnixProcessID(sender)) except ValueError: return None return pid def uid_of_sender(bus, sender): """ Get user id from sender string using org.freedesktop.DBus.GetConnectionUnixUser """ dbus_obj = bus.get_object('org.freedesktop.DBus', '/org/freedesktop/DBus') dbus_iface = dbus.Interface(dbus_obj, 'org.freedesktop.DBus') try: uid = int(dbus_iface.GetConnectionUnixUser(sender)) except ValueError: return None return 
uid def user_of_uid(uid): """ Get user for uid from pwd """ try: pws = pwd.getpwuid(uid) except Exception: return None return pws[0] def context_of_sender(bus, sender): """ Get SELinux context from sender string using org.freedesktop.DBus.GetConnectionSELinuxSecurityContext """ dbus_obj = bus.get_object('org.freedesktop.DBus', '/org/freedesktop/DBus') dbus_iface = dbus.Interface(dbus_obj, 'org.freedesktop.DBus') try: context = dbus_iface.GetConnectionSELinuxSecurityContext(sender) except Exception: return None return "".join(map(chr, dbus_to_python(context))) def command_of_sender(bus, sender): """ Return command of D-Bus sender """ return command_of_pid(pid_of_sender(bus, sender)) def user_of_sender(bus, sender): return user_of_uid(uid_of_sender(bus, sender)) def dbus_to_python(obj, expected_type=None): if obj is None: python_obj = obj elif isinstance(obj, dbus.Boolean): python_obj = bool(obj) elif isinstance(obj, dbus.String): python_obj = obj.encode('utf-8') if PY2 else str(obj) elif PY2 and isinstance(obj, dbus.UTF8String): # Python3 has no UTF8String python_obj = str(obj) elif isinstance(obj, dbus.ObjectPath): python_obj = str(obj) elif isinstance(obj, dbus.Byte) or \ isinstance(obj, dbus.Int16) or \ isinstance(obj, dbus.Int32) or \ isinstance(obj, dbus.Int64) or \ isinstance(obj, dbus.UInt16) or \ isinstance(obj, dbus.UInt32) or \ isinstance(obj, dbus.UInt64): python_obj = int(obj) elif isinstance(obj, dbus.Double): python_obj = float(obj) elif isinstance(obj, dbus.Array): python_obj = [dbus_to_python(x) for x in obj] elif isinstance(obj, dbus.Struct): python_obj = tuple([dbus_to_python(x) for x in obj]) elif isinstance(obj, dbus.Dictionary): python_obj = {dbus_to_python(k): dbus_to_python(v) for k, v in obj.items()} elif isinstance(obj, bool) or \ isinstance(obj, str) or isinstance(obj, bytes) or \ isinstance(obj, int) or isinstance(obj, float) or \ isinstance(obj, list) or isinstance(obj, tuple) or \ isinstance(obj, dict): python_obj = obj else: raise 
TypeError("Unhandled %s" % repr(obj)) if expected_type is not None: if (expected_type == bool and not isinstance(python_obj, bool)) or \ (expected_type == str and not isinstance(python_obj, str)) or \ (expected_type == int and not isinstance(python_obj, int)) or \ (expected_type == float and not isinstance(python_obj, float)) or \ (expected_type == list and not isinstance(python_obj, list)) or \ (expected_type == tuple and not isinstance(python_obj, tuple)) or \ (expected_type == dict and not isinstance(python_obj, dict)): raise TypeError("%s is %s, expected %s" % (python_obj, type(python_obj), expected_type)) return python_obj def dbus_signature(obj): if isinstance(obj, dbus.Boolean): return 'b' elif isinstance(obj, dbus.String): return 's' elif isinstance(obj, dbus.ObjectPath): return 'o' elif isinstance(obj, dbus.Byte): return 'y' elif isinstance(obj, dbus.Int16): return 'n' elif isinstance(obj, dbus.Int32): return 'i' elif isinstance(obj, dbus.Int64): return 'x' elif isinstance(obj, dbus.UInt16): return 'q' elif isinstance(obj, dbus.UInt32): return 'u' elif isinstance(obj, dbus.UInt64): return 't' elif isinstance(obj, dbus.Double): return 'd' elif isinstance(obj, dbus.Array): if len(obj.signature) > 1: return 'a(%s)' % obj.signature else: return 'a%s' % obj.signature elif isinstance(obj, dbus.Struct): return '(%s)' % obj.signature elif isinstance(obj, dbus.Dictionary): return 'a{%s}' % obj.signature elif PY2 and isinstance(obj, dbus.UTF8String): return 's' else: raise TypeError("Unhandled %s" % repr(obj)) def dbus_introspection_prepare_properties(obj, interface, access=None): if access is None: access = { } if not hasattr(obj, "_fw_dbus_properties"): setattr(obj, "_fw_dbus_properties", { }) dip = getattr(obj, "_fw_dbus_properties") dip[interface] = { } try: _dict = obj.GetAll(interface) except Exception: _dict = { } for key,value in _dict.items(): dip[interface][key] = { "type": dbus_signature(value) } if key in access: dip[interface][key]["access"] = 
access[key] else: dip[interface][key]["access"] = "read" def dbus_introspection_add_properties(obj, data, interface): doc = minidom.parseString(data) if hasattr(obj, "_fw_dbus_properties"): for node in doc.getElementsByTagName("interface"): if node.hasAttribute("name") and \ node.getAttribute("name") == interface: dip = { } if getattr(obj, "_fw_dbus_properties"): dip = getattr(obj, "_fw_dbus_properties") if interface in dip: for key,value in dip[interface].items(): prop = doc.createElement("property") prop.setAttribute("name", key) prop.setAttribute("type", value["type"]) prop.setAttribute("access", value["access"]) node.appendChild(prop) log.debug10(doc.toxml()) new_data = doc.toxml() doc.unlink() return new_data client.pyc000064400000412604147576556050006572 0ustar00 c`c@s^ddlmZmZddlZeejded7Z?ed8Z@ed9ZAed:ZBed;ZCed<ZDed=ZEed>ZFed?ZGed@ZHRS(BcCsO|r||_n9dddttgggtggggggtg|_dS(Nt(tsettingsR R(tselfR#((s3/usr/lib/python2.7/site-packages/firewall/client.pyt__init__Vs cCsd|j|jfS(Ns%s(%r)(t __class__R#(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyt__repr__^scCs |jdS(Ni(R#(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyt getVersionbscCs||jdR?R@RBRERFRGRHRJRKRLRMRNRORPRQRRRSRURWRXRYRZR\tslipR tpolkitt enable_proxyR]R^R_R`RbRcRdReRfRgRkRlRmRnRpRrRsRtRuRwRyRzR{R|RRRR(((s3/usr/lib/python2.7/site-packages/firewall/client.pyR!Us        tFirewallClientConfigZonecBsceZdZejjjedZejjjedZ ejjjedZ ejjjedZ ejjjedZ ejjjedZ ejjjedZejjjedZejjjed Zejjjed Zejjjed Zejjjed Zejjjed ZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZ ejjjedZ!ejjjedZ"ejjjedZ#ejjjedZ$ejjjedZ%ejjjedZ&ejjjed 
Z'ejjjed!Z(ejjjed"Z)ejjjed#Z*ejjjed$Z+ejjjed%Z,ejjjed&Z-ejjjed'Z.ejjjed(Z/ejjjed)Z0ejjjed*Z1ejjjed+Z2ejjjed,Z3ejjjed-Z4ejjjed.Z5ejjjed/Z6ejjjed0Z7ejjjed1Z8ejjjed2Z9ejjjed3Z:ejjjed4Z;ejjjed5Z<ejjjed6Z=ejjjed7Z>ejjjed8Z?ejjjed9Z@ejjjed:ZAejjjed;ZBejjjed<ZCejjjed=ZDejjjed>ZEejjjed?ZFejjjed@ZGejjjedAZHejjjedBZIejjjedCZJejjjedDZKejjjedEZLejjjedFZMejjjedGZNRS(HcCsp||_||_|jjtjj||_tj|jdtjj|_ tj|jdd|_ dS(Ntdbus_interfacesorg.freedesktop.DBus.Properties( tbustpatht get_objectRR tDBUS_INTERFACEtdbus_objt InterfacetDBUS_INTERFACE_CONFIG_ZONEtfw_zonet fw_properties(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR%s   cCst|jjtjj|S(N(RRtGetRR R(R$tprop((s3/usr/lib/python2.7/site-packages/firewall/client.pyt get_propertys cCst|jjtjjS(N(RRtGetAllRR R(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pytget_propertiess cCs |jjtjj||dS(N(RtSetRR R(R$Rtvalue((s3/usr/lib/python2.7/site-packages/firewall/client.pyt set_propertyscCsttt|jjS(N(R!tlistRRt getSettings(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRs cCs|jjt|jdS(N(RtupdatettupleR#(R$R#((s3/usr/lib/python2.7/site-packages/firewall/client.pyRscCs|jjdS(N(Rt loadDefaults(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRscCs|jjdS(N(RR<(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR<scCs|jj|dS(N(Rtrename(R$tname((s3/usr/lib/python2.7/site-packages/firewall/client.pyRscCs |jjS(N(RR((R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR(scCs|jj|dS(N(RR*(R$R)((s3/usr/lib/python2.7/site-packages/firewall/client.pyR*scCs |jjS(N(RR+(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR+scCs|jj|dS(N(RR-(R$R,((s3/usr/lib/python2.7/site-packages/firewall/client.pyR-scCs |jjS(N(RR.(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR.scCs|jj|dS(N(RR0(R$R/((s3/usr/lib/python2.7/site-packages/firewall/client.pyR0scCs |jjS(N(RR2(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR2scCs|jj|dS(N(RR4(R$R3((s3/usr/lib/python2.7/site-packages/firewall/client.pyR4scCs 
|jjS(N(RR5(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR5scCs|jj|dS(N(RR7(R$R6((s3/usr/lib/python2.7/site-packages/firewall/client.pyR7scCs|jj|dS(N(RR;(R$R:((s3/usr/lib/python2.7/site-packages/firewall/client.pyR;scCs|jj|dS(N(RR>(R$R:((s3/usr/lib/python2.7/site-packages/firewall/client.pyR> scCs|jj|S(N(RR?(R$R:((s3/usr/lib/python2.7/site-packages/firewall/client.pyR?scCs |jjS(N(RR@(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR@scCs|jj|dS(N(RRB(R$RA((s3/usr/lib/python2.7/site-packages/firewall/client.pyRBscCs|jj||dS(N(RRE(R$RCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRE!scCs|jj||dS(N(RRF(R$RCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRF&scCs|jj||S(N(RRG(R$RCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRG+scCs |jjS(N(RRH(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRH2scCs|jj|dS(N(RRJ(R$RI((s3/usr/lib/python2.7/site-packages/firewall/client.pyRJ7scCs|jj|dS(N(RRK(R$RD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRK<scCs|jj|dS(N(RRL(R$RD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRLAscCs|jj|S(N(RRM(R$RD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRMFscCs |jjS(N(RRN(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRNMscCs|jj|dS(N(RRO(R$RA((s3/usr/lib/python2.7/site-packages/firewall/client.pyRORscCs|jj||dS(N(RRP(R$RCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRPWscCs|jj||dS(N(RRQ(R$RCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRQ\scCs|jj||S(N(RRR(R$RCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRRascCs |jjS(N(RRS(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRShscCs|jj|dS(N(RRU(R$t icmptypes((s3/usr/lib/python2.7/site-packages/firewall/client.pyRUmscCs|jj|dS(N(RRW(R$RV((s3/usr/lib/python2.7/site-packages/firewall/client.pyRWrscCs|jj|dS(N(RRX(R$RV((s3/usr/lib/python2.7/site-packages/firewall/client.pyRXwscCs|jj|S(N(RRY(R$RV((s3/usr/lib/python2.7/site-packages/firewall/client.pyRY|scCs 
|jjS(N(RRZ(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRZscCs|jj|dS(N(RR\(R$t inversion((s3/usr/lib/python2.7/site-packages/firewall/client.pyR\scCs|jjdS(N(RR](R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR]scCs|jjdS(N(RR^(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR^scCs |jjS(N(RR_(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR_scCs |jjS(N(RR`(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR`scCs|jj|dS(N(RRb(R$Ra((s3/usr/lib/python2.7/site-packages/firewall/client.pyRbscCs|jjdS(N(RRc(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRcscCs|jjdS(N(RRd(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRdscCs |jjS(N(RRe(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRescCs |jjS(N(RRf(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRfscCs|jj|dS(N(RRg(R$RA((s3/usr/lib/python2.7/site-packages/firewall/client.pyRgscCsG|dkrd}n|dkr*d}n|jj||||dS(NR"(RhRRk(R$RCRDttoportttoaddr((s3/usr/lib/python2.7/site-packages/firewall/client.pyRks     cCsG|dkrd}n|dkr*d}n|jj||||dS(NR"(RhRRl(R$RCRDRR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRls     cCsC|dkrd}n|dkr*d}n|jj||||S(NR"(RhRRm(R$RCRDRR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRms     cCs |jjS(N(RRn(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRnscCs|jj|dS(N(RRp(R$Ro((s3/usr/lib/python2.7/site-packages/firewall/client.pyRpscCs|jj|dS(N(RRr(R$Rq((s3/usr/lib/python2.7/site-packages/firewall/client.pyRrscCs|jj|dS(N(RRs(R$Rq((s3/usr/lib/python2.7/site-packages/firewall/client.pyRsscCs|jj|S(N(RRt(R$Rq((s3/usr/lib/python2.7/site-packages/firewall/client.pyRtscCs |jjS(N(RRu(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRuscCs|jj|dS(N(RRw(R$Rv((s3/usr/lib/python2.7/site-packages/firewall/client.pyRwscCs|jj|dS(N(RRy(R$Rx((s3/usr/lib/python2.7/site-packages/firewall/client.pyRyscCs|jj|dS(N(RRz(R$Rx((s3/usr/lib/python2.7/site-packages/firewall/client.pyRz 
scCs|jj|S(N(RR{(R$Rx((s3/usr/lib/python2.7/site-packages/firewall/client.pyR{scCs |jjS(N(RR|(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR|scCs|jj|dS(N(RR(R$R~((s3/usr/lib/python2.7/site-packages/firewall/client.pyRscCs|jj|dS(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jj|dS(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR%scCs|jj|S(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR*s(ORRR%RR RRR RRRRRRR<RR(R*R+R-R.R0R2R4R5R7R;R>R?R@RBRERFRGRHRJRKRLRMRNRORPRQRRRSRURWRXRYRZR\R]R^R_R`RbRcRdReRfRgRkRlRmRnRpRrRsRtRuRwRyRzR{R|RRRR(((s3/usr/lib/python2.7/site-packages/firewall/client.pyRs                                                                       tFirewallClientServiceSettingscBseZed!dZedZedZedZedZedZ edZ edZ edZ ed Z ed Zed Zed Zed ZedZedZedZedZedZedZedZedZedZedZedZedZedZedZedZ edZ!edZ"ed!dZ#ed Z$RS("cCs7|r||_n!dddggiggg|_dS(NR"(R#(R$R#((s3/usr/lib/python2.7/site-packages/firewall/client.pyR%3s cCsd|j|jfS(Ns%s(%r)(R&R#(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR':scCs |jdS(Ni(R#(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR(>scCs||jd||jd|||jd|scCst|j|S(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pytgetIPSetscCs(t|jj|}t|j|S(N(RR:tgetIPSetByNameRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR@scCs[t|tr0|jj|t|j}n|jj|t|}t|j|S(N(t isinstanceRR:taddIPSetRR#RR(R$RR#R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRB s!cCst|jjS(N(RR:t getZoneNames(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRC scCst|jjS(N(RR:t listZones(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRD scCst|j|S(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pytgetZone scCs(t|jj|}t|j|S(N(RR:t getZoneByNameRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRF scCst|jj|S(N(RR:tgetZoneOfInterface(R$tiface((s3/usr/lib/python2.7/site-packages/firewall/client.pyRG$ 
scCst|jj|S(N(RR:tgetZoneOfSource(R$Rx((s3/usr/lib/python2.7/site-packages/firewall/client.pyRI) scCs[t|tr0|jj|t|j}n|jj|t|}t|j|S(N(RAR!R:taddZoneRR#RR(R$RR#R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRJ. s!cCst|jjS(N(RR:tgetServiceNames(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRK9 scCst|jjS(N(RR:t listServices(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRL> scCst|j|S(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyt getServiceC scCs(t|jj|}t|j|S(N(RR:tgetServiceByNameRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRNH scCs[t|tr0|jj|t|j}n|jj|t|}t|j|S(N(RARR:R;RR#RR(R$RR#R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR;N s!cCst|jjS(N(RR:tgetIcmpTypeNames(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyROY scCst|jjS(N(RR:t listIcmpTypes(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRP^ scCst|j|S(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyt getIcmpTypec scCs(t|jj|}t|j|S(N(RR:tgetIcmpTypeByNameRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRRh scCs[t|tr0|jj|t|j}n|jj|t|}t|j|S(N(RARR:t addIcmpTypeRR#RR(R$RR#R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRSn s!cCs|jS(N(R;(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pytpoliciesw scCs|jS(N(R<(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pytdirect| scCst|jjS(N(RR:tgetHelperNames(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRV scCst|jjS(N(RR:t listHelpers(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRW scCst|j|S(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyt getHelper scCs(t|jj|}t|j|S(N(RR:tgetHelperByNameRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRY scCs[t|tr0|jj|t|j}n|jj|t|}t|j|S(N(RARR:t addHelperRR#RR(R$RR#R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRZ s!((RRR R%RR RRRRRR=R>R?R@RBRCRDRERFRGRIRJRKRLRMRNR;RORPRQRRRSRTRURVRWRXRYRZ(((s3/usr/lib/python2.7/site-packages/firewall/client.pyR8s        
                        tFirewallClientcBseZeddedZedZedZedZedZ edZ edZ edZ ed Z ed Zed Zejjjed Zejjjed ZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZ ejjjedZ!ejjjedZ"ejjjedZ#ejjjedZ$ejjjedZ%ejjjedZ&ejjjedZ'ejjjed Z(ejjjed!Z)ejjjed"Z*ejjjed#Z+ejjjed$Z,ejjjed%Z-ejjjed&Z.ejjjed'Z/ejjjed(Z0ejjjed)Z1ejjjed*Z2ejjjed+Z3ejjjed,Z4ejjjed-Z5ejjjed.Z6ejjjed/Z7ejjjed0Z8ejjjed1Z9ejjjed2Z:ejjjed3Z;ejjjed4Z<ejjjed5Z=ejjjed6Z>ejjjed7Z?ejjjed8Z@ejjjed9ZAejjjed:ZBejjjedd;ZCejjjed<ZDejjjed=ZEejjjed>ZFejjjedd?ZGejjjed@ZHejjjedAZIejjjedBZJejjjeddCZKejjjedDZLejjjedEZMejjjedFZNejjjeddGZOejjjedHZPejjjedIZQejjjedJZRejjjeddKZSejjjedLZTejjjedMZUejjjeddNZVejjjedOZWejjjedPZXejjjedQZYejjjeddRZZejjjedSZ[ejjjedTZ\ejjjedUZ]ejjjeddVZ^ejjjedWZ_ejjjedXZ`ejjjedYZaejjjedZZbejjjed[Zcejjjed\Zdejjjed]Zeejjjed^Zfejjjed_Zgejjjed`ZhejjjedaZiejjjedbZjejjjedcZkejjjeddZlejjjedeZmejjjedfZnejjjedgZoejjjedhZpejjjediZqejjjedjZrejjjedkZsejjjedlZtejjjedmZuejjjednZvejjjedoZwejjjedpZxejjjedqZyejjjedrZzejjjedsZ{ejjjedtZ|ejjjeduZ}ejjjedvZ~ejjjedwZejjjedxZejjjedyZejjjedzZejjjed{Zejjjed|Zejjjed}Zejjjed~ZejjjedZejjjedZejjjedZejjjedZRS(ic Cs|stjjjdty"tjj|_d|j_ Wqt k rytj|_Wn1tj j k r}t tj|jqXdGHqXn ||_|jjd|jdddddtjjxtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjj g D]1}|jj|j!d|d d d d d dqTWi|_"iIdd6dd6dd6dd6dd6dd6dd6dd6dd6dd6d d!6d"d#6d$d%6d&d'6d(d)6d*d+6d,d-6d.d/6d0d16d2d36d4d56d6d76d8d96d:d;6d<d=6d>d?6d@dA6dBdC6dDdE6dDdF6dGdH6dIdJ6dKdL6dMdN6dOdP6dQdR6dSdT6dUdV6dWdX6dYdZ6d[d\6d]d^6d_d`6dadb6dcdd6dedf6dgdh6didj6dkdl6dmdn6dodp6dqdr6dsdt6dudv6dwdx6dydz6d{d|6d}d~6dd6dd6dd6dd6dd6dd6dd6dd6dd6dd6dd6dd6dd6dd6dd6|_#|j$||_%|dkrt&j'||j(n |j(dS(Ntset_as_defaultsNot using slip.dbusthandler_functiont signal_nametNameOwnerChangedRsorg.freedesktop.DBustarg0tinterface_keywordRqtmember_keywordtmembert 
path_keywordRsconnection-changedsconnection-establishedsconnection-losttLogDeniedChangedslog-denied-changedtDefaultZoneChangedsdefault-zone-changedtPanicModeEnabledspanic-mode-enabledtPanicModeDisabledspanic-mode-disabledtReloadedtreloadedt ServiceAddeds service-addedtServiceRemovedsservice-removedt PortAddeds port-addedt PortRemoveds port-removedtSourcePortAddedssource-port-addedtSourcePortRemovedssource-port-removedt ProtocolAddedsprotocol-addedtProtocolRemovedsprotocol-removedtMasqueradeAddedsmasquerade-addedtMasqueradeRemovedsmasquerade-removedtForwardPortAddedsforward-port-addedtForwardPortRemovedsforward-port-removedtIcmpBlockAddedsicmp-block-addedtIcmpBlockRemovedsicmp-block-removedtIcmpBlockInversionAddedsicmp-block-inversion-addedtIcmpBlockInversionRemovedsicmp-block-inversion-removedt RichRuleAddedsrichrule-addedtRichRuleRemovedsrichrule-removedtInterfaceAddedsinterface-addedtInterfaceRemovedsinterface-removedtZoneOfInterfaceChangeds zone-changedszone-of-interface-changedt SourceAddeds source-addedt SourceRemovedssource-removedtZoneOfSourceChangedszone-of-source-changedt EntryAddedsipset-entry-addedt EntryRemovedsipset-entry-removedt ChainAddedsdirect:chain-addedt ChainRemovedsdirect:chain-removedt RuleAddedsdirect:rule-addedt RuleRemovedsdirect:rule-removedtPassthroughAddedsdirect:passthrough-addedtPassthroughRemovedsdirect:passthrough-removedsconfig:direct:Updatedsconfig:direct:updatedtLockdownEnabledslockdown-enabledtLockdownDisabledslockdown-disabledtLockdownWhitelistCommandAddeds lockdown-whitelist-command-addedtLockdownWhitelistCommandRemoveds"lockdown-whitelist-command-removedtLockdownWhitelistContextAddeds 
lockdown-whitelist-context-addedtLockdownWhitelistContextRemoveds"lockdown-whitelist-context-removedtLockdownWhitelistUidAddedslockdown-whitelist-uid-addedtLockdownWhitelistUidRemovedslockdown-whitelist-uid-removedtLockdownWhitelistUserAddedslockdown-whitelist-user-addedtLockdownWhitelistUserRemovedslockdown-whitelist-user-removeds(config:policies:LockdownWhitelistUpdateds*config:policies:lockdown-whitelist-updatedsconfig:IPSetAddedsconfig:ipset-addedsconfig:IPSetUpdatedsconfig:ipset-updatedsconfig:IPSetRemovedsconfig:ipset-removedsconfig:IPSetRenamedsconfig:ipset-renamedsconfig:ZoneAddedsconfig:zone-addedsconfig:ZoneUpdatedsconfig:zone-updatedsconfig:ZoneRemovedsconfig:zone-removedsconfig:ZoneRenamedsconfig:zone-renamedsconfig:ServiceAddedsconfig:service-addedsconfig:ServiceUpdatedsconfig:service-updatedsconfig:ServiceRemovedsconfig:service-removedsconfig:ServiceRenamedsconfig:service-renamedsconfig:IcmpTypeAddedsconfig:icmptype-addedsconfig:IcmpTypeUpdatedsconfig:icmptype-updatedsconfig:IcmpTypeRemovedsconfig:icmptype-removedsconfig:IcmpTypeRenamedsconfig:icmptype-renamedsconfig:HelperAddedsconfig:helper-addedsconfig:HelperUpdatedsconfig:helper-updatedsconfig:HelperRemovedsconfig:helper-removedsconfig:HelperRenamedsconfig:helper-renamedi()R tmainlooptglibt DBusGMainLoopRRt SystemBusRRhtdefault_timeoutRRRR R t DBUS_ERRORRtadd_signal_receivert_dbus_connection_changedRRtDBUS_INTERFACE_IPSETtDBUS_INTERFACE_ZONEtDBUS_INTERFACE_DIRECTtDBUS_INTERFACE_POLICIESR9RRRRR6RRt_signal_receivert _callbackt _callbackst _init_varstquietRttimeout_add_secondst_connection_established(R$RtwaitRRRq((s3/usr/lib/python2.7/site-packages/firewall/client.pyR% s                         cCsLd|_d|_d|_d|_d|_d|_d|_t|_ dS(N( RhtfwRRRR7Rt_configR t connected(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR. 
s       cCstS(N(R(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pytgetExceptionHandler9 scCs |adS(N(R(R$thandler((s3/usr/lib/python2.7/site-packages/firewall/client.pytsetExceptionHandler= scCstS(N(R(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pytgetNotAuthorizedLoopB scCs |adS(N(R(R$tenable((s3/usr/lib/python2.7/site-packages/firewall/client.pytsetNotAuthorizedLoopF scGs@||jkr,||f|j|j|      cCsF|j|jdddtjj|jdddtjjdS(NRcsconnection-lostRqsconnection-changed(RRRR R(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR s   c Osd|ksd|krdS|d}|d}|jtjjrRd|}n|jtjjrtd|}n|jtjjrd|}n|jtjjrd|}n|jtjjrd|}n]|tjjkrd|}n>|tjj krd |}n|tjj kr7d |}nd}xQ|j D]F}|j ||krG|j ||j krG|j |j |}qGqGW|dkrdSg|D]}t|^q}y0|d r|j|d n|d |Wntk r } | GHnXdS( NRcRqs config:Zones config:IPSetsconfig:Servicesconfig:IcmpTypes config:Helpersconfig:sconfig:policies:sconfig:direct:ii(t startswithRR RRRRRR9RR6RhRRRtextendR( R$RRtsignalRqtcbRtargtcb_argstmsg((s3/usr/lib/python2.7/site-packages/firewall/client.pyR sD            cCs|jS(N(R(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jjdS(N(Rtreload(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jjdS(N(RtcompleteReload(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pytcomplete_reload scCs|jjdS(N(RtruntimeToPermanent(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jjdS(N(RtcheckPermanentConfig(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jjtjj|S(N(RRRRR R(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR s cCst|jjtjjS(N(RRRRR R(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR s cCs |jjtjj||dS(N(RRRR R(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jjdS(N(RtenablePanicMode(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jjdS(N(RtdisablePanicMode(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jjS(N(RRtqueryPanicMode(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR 
scCs"ttt|jj|S(N(R!RRRtgetZoneSettings(R$tzone((s3/usr/lib/python2.7/site-packages/firewall/client.pyR s cCst|jjS(N(RRt getIPSets(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs"ttt|jj|S(N(RRRRtgetIPSetSettings(R$tipset((s3/usr/lib/python2.7/site-packages/firewall/client.pyR s cCs|jj||dS(N(RR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jj|S(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jj||S(N(RR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jj||dS(N(RR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj||S(N(RRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jjS(N(RRRL(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRL scCs"ttt|jj|S(N(RRRRtgetServiceSettings(R$R:((s3/usr/lib/python2.7/site-packages/firewall/client.pyR# s cCst|jjS(N(RRRP(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRP) scCs"ttt|jj|S(N(RRRRtgetIcmpTypeSettings(R$RV((s3/usr/lib/python2.7/site-packages/firewall/client.pyR. 
s cCst|jjS(N(RRt getHelpers(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR4 scCs"ttt|jj|S(N(RRRRtgetHelperSettings(R$thelper((s3/usr/lib/python2.7/site-packages/firewall/client.pyR9 s cCst|jjS(N(RRtgetAutomaticHelpers(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRA scCs|jj|dS(N(RtsetAutomaticHelpers(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRF scCst|jjS(N(RRt getLogDenied(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRM scCs|jj|dS(N(Rt setLogDenied(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRR scCst|jjS(N(RRtgetDefaultZone(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRY scCs|jj|dS(N(RtsetDefaultZone(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR^ scCst|jjS(N(RRtgetZones(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRe scCst|jjS(N(RRtgetActiveZones(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRj scCst|jj|S(N(RRRG(R$Rq((s3/usr/lib/python2.7/site-packages/firewall/client.pyRGo scCst|jj|S(N(RRRI(R$Rx((s3/usr/lib/python2.7/site-packages/firewall/client.pyRIt scCst|jj|S(N(RRt isImmutable(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRy scCst|jj||S(N(RRRr(R$RRq((s3/usr/lib/python2.7/site-packages/firewall/client.pyRr scCst|jj||S(N(RRt changeZone(R$RRq((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj||S(N(RRtchangeZoneOfInterface(R$RRq((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj|S(N(RRRn(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRn scCst|jj||S(N(RRRt(R$RRq((s3/usr/lib/python2.7/site-packages/firewall/client.pyRt scCst|jj||S(N(RRRs(R$RRq((s3/usr/lib/python2.7/site-packages/firewall/client.pyRs scCst|jj||S(N(RRRy(R$RRx((s3/usr/lib/python2.7/site-packages/firewall/client.pyRy scCst|jj||S(N(RRtchangeZoneOfSource(R$RRx((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj|S(N(RRRu(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRu 
scCst|jj||S(N(RRR{(R$RRx((s3/usr/lib/python2.7/site-packages/firewall/client.pyR{ scCst|jj||S(N(RRRz(R$RRx((s3/usr/lib/python2.7/site-packages/firewall/client.pyRz scCst|jj|||S(N(RRR(R$RRR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj|S(N(RRR|(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR| scCst|jj||S(N(RRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj||S(N(RRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj|||S(N(RRR;(R$RR:R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR; scCst|jj|S(N(RRR5(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR5 scCst|jj||S(N(RRR?(R$RR:((s3/usr/lib/python2.7/site-packages/firewall/client.pyR? scCst|jj||S(N(RRR>(R$RR:((s3/usr/lib/python2.7/site-packages/firewall/client.pyR> scCst|jj||||S(N(RRRE(R$RRCRDR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRE scCst|jj|S(N(RRR@(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR@ scCst|jj|||S(N(RRRG(R$RRCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRG scCst|jj|||S(N(RRRF(R$RRCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRF scCst|jj|||S(N(RRRK(R$RRDR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRK scCst|jj|S(N(RRRH(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRH scCst|jj||S(N(RRRM(R$RRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRM scCst|jj||S(N(RRRL(R$RRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRL scCst|jj||S(N(RRRc(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRc scCst|jj|S(N(RRRe(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRe scCst|jj|S(N(RRRd(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRd scCsO|dkrd}n|dkr*d}nt|jj||||||S(NR"(RhRRRk(R$RRCRDRRR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRk% s    cCst|jj|S(N(RRRf(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRf1 
scCsL|dkrd}n|dkr*d}nt|jj|||||S(NR"(RhRRRm(R$RRCRDRR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRm6 s    cCsL|dkrd}n|dkr*d}nt|jj|||||S(NR"(RhRRRl(R$RRCRDRR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRlA s    cCst|jj||||S(N(RRRP(R$RRCRDR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRPN scCst|jj|S(N(RRRN(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRNT scCst|jj|||S(N(RRRR(R$RRCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRRY scCst|jj|||S(N(RRRQ(R$RRCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRQ^ scCst|jj|||S(N(RRRW(R$RticmpR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRWf scCst|jj|S(N(RRRS(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRSk scCst|jj||S(N(RRRY(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRYp scCst|jj||S(N(RRRX(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRXu scCst|jj|S(N(RRR](R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR]| scCst|jj|S(N(RRR_(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR_ scCst|jj|S(N(RRR^(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR^ scCs|jj|||dS(N(R7R"(R$RRR ((s3/usr/lib/python2.7/site-packages/firewall/client.pyR" scCs|jj|||dS(N(R7R#(R$RRR ((s3/usr/lib/python2.7/site-packages/firewall/client.pyR# scCst|jj|||S(N(RR7R$(R$RRR ((s3/usr/lib/python2.7/site-packages/firewall/client.pyR$ scCst|jj||S(N(RR7R(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jjS(N(RR7R(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs |jj|||||dS(N(R7R)(R$RRR R(R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR) scCs |jj|||||dS(N(R7R*(R$RRR R(R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR* scCs|jj|||dS(N(R7R+(R$RRR ((s3/usr/lib/python2.7/site-packages/firewall/client.pyR+ scCs"t|jj|||||S(N(RR7R,(R$RRR R(R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR, scCst|jj|||S(N(RR7R&(R$RRR ((s3/usr/lib/python2.7/site-packages/firewall/client.pyR& 
scCst|jjS(N(RR7R%(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR% scCst|jj||S(N(RR7t passthrough(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jjS(N(RR7R-(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR- scCs|jjdS(N(R7R0(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR0 scCst|jj|S(N(RR7R1(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR1 scCs|jj||dS(N(R7R2(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR2 scCs|jj||dS(N(R7R3(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR3 scCst|jj||S(N(RR7R4(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR4 scCs|jjdS(N(RtenableLockdown(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jjdS(N(RtdisableLockdown(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jjS(N(RRt queryLockdown(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jj|dS(N(RR (R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR  scCst|jjS(N(RRR (R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR  scCst|jj|S(N(RRR (R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR  scCs|jj|dS(N(RR (R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR  scCs|jj|dS(N(RR (R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR  scCst|jjS(N(RRR(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj|S(N(RRR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR" scCs|jj|dS(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR' scCs|jj|dS(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR. 
scCst|jjS(N(RRR(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR3 scCst|jj|S(N(RRR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR8 scCs|jj|dS(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR= scCs|jj|dS(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRD scCst|jjS(N(RRR(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRI scCst|jj|S(N(RRR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRN scCs|jj|dS(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRS scCs|jjdS(s( Authorize once for all polkit actions. N(Rt authorizeAll(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRX sN(RRR RhRR%RRRRRRRRRRRR RRRRRRRRRRRRRRRRRRRRRRLRRPRRRRRRRRRRRRGRIRRrRRRnRtRsRyRRuR{RzRR|RRR;R5R?R>RER@RGRFRKRHRMRLRcReRdRkRfRmRlRPRNRRRQRWRSRYRXR]R_R^R"R#R$RRR)R*R+R,R&R%RR-R0R1R2R3R4RRRR R R R R RRRRRRRRRRRR(((s3/usr/lib/python2.7/site-packages/firewall/client.pyR[ s  #.                                                                                                                       (.t gi.repositoryRRtsysRtdbus.mainloop.glibR t slip.dbusRRtfirewallRtfirewall.core.baseRtfirewall.dbus_utilsRtfirewall.functionsRtfirewall.core.richRR tfirewall.errorsR RRhRR RR tobjectR!RRRRRRRRRRRRR5R8R[(((s3/usr/lib/python2.7/site-packages/firewall/client.pytsF      '=cyKCzVtbmfw_types.py000064400000004221147576556050007001 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2013-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. 
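#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see .
#

__all__ = [ "LastUpdatedOrderedDict" ]

class LastUpdatedOrderedDict(object):
    """Dictionary that remembers the insertion order of its keys.

    Keys are kept in ``_list`` in the order they were first inserted;
    re-assigning an existing key keeps its original position while the
    value in ``_dict`` is replaced.  In addition to key access, ``d[i]``
    for an int ``i`` that is not itself a stored key returns the key at
    position ``i`` (positional fallback in ``__getitem__``).
    """

    def __init__(self, x=None):
        """Create an empty mapping, optionally filled from *x*.

        *x* must provide ``items()`` (a dict or another
        LastUpdatedOrderedDict); a falsy *x* is ignored.
        """
        self._dict = { }
        self._list = [ ]
        if x:
            self.update(x)

    def clear(self):
        """Remove all keys and values."""
        del self._list[:]
        self._dict.clear()

    def update(self, x):
        """Assign every (key, value) pair of ``x.items()`` in order."""
        for key, value in x.items():
            self[key] = value

    def items(self):
        """Return a list of (key, value) pairs in insertion order."""
        return [(key, self[key]) for key in self._list]

    def __delitem__(self, key):
        """Delete *key*; a key that is not present is silently ignored."""
        if key in self._dict:
            self._list.remove(key)
            del self._dict[key]

    def __repr__(self):
        return '%s([%s])' % (self.__class__.__name__, ', '.join(
            ['(%r, %r)' % (key, self[key]) for key in self._list]))

    def __setitem__(self, key, value):
        """Store *value* under *key*; new keys are appended to the order."""
        if key not in self._dict:
            self._list.append(key)
        self._dict[key] = value

    def __getitem__(self, key):
        """Return the value stored for *key*.

        If *key* is not a stored key it is used as a position into the
        key list (positional fallback), so ``d[0]`` is the first key.
        """
        if key in self._dict:
            return self._dict[key]
        else:
            return self._list[key]

    def __contains__(self, key):
        # Explicit membership test.  Without it ``key in self`` falls back
        # to probing __getitem__ with 0, 1, 2, ...; whenever an int key
        # equal to the probe index is stored, the probe yields that key's
        # *value* instead of the key, so a value can test as present and
        # the int key itself as absent (which made setdefault() overwrite).
        return key in self._dict

    def __iter__(self):
        # Iterate keys in insertion order; also keeps ``in`` and list()
        # away from the positional __getitem__ fallback.
        return iter(self._list)

    def __len__(self):
        return len(self._list)

    def copy(self):
        """Return a shallow copy with the same key order."""
        return LastUpdatedOrderedDict(self)

    def keys(self):
        """Return a copy of the key list in insertion order."""
        return self._list[:]

    def values(self):
        """Return the values in insertion order."""
        return [ self[key] for key in self._list ]

    def setdefault(self, key, value=None):
        """Return the value for *key*, storing *value* first if absent."""
        if key in self:
            return self[key]
        else:
            self[key] = value
            return value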
org.freedesktop.DBus.GetConnectionUnixProcessID sorg.freedesktop.DBuss/org/freedesktop/DBusN(t get_objecttdbust InterfacetinttGetConnectionUnixProcessIDt ValueErrorR(tbustsendertdbus_objt dbus_ifaceR((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyR.s cCsV|jdd}tj|d}yt|j|}Wntk rQdSX|S(sV Get user id from sender string using org.freedesktop.DBus.GetConnectionUnixUser sorg.freedesktop.DBuss/org/freedesktop/DBusN(RRRRtGetConnectionUnixUserRR(R R!R"R#tuid((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyR;s cCs0ytj|}Wntk r'dSX|dS(s Get user for uid from pwd iN(tpwdtgetpwuidRR(R%tpws((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyRHs  cCsh|jdd}tj|d}y|j|}Wntk rKdSXdjttt |S(sl Get SELinux context from sender string using org.freedesktop.DBus.GetConnectionSELinuxSecurityContext sorg.freedesktop.DBuss/org/freedesktop/DBustN( RRRt#GetConnectionSELinuxSecurityContextRRtjointmaptchrR(R R!R"R#tcontext((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyRQs cCstt||S(s Return command of D-Bus sender (RR(R R!((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyR_scCstt||S(N(RR(R R!((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyRdsc Cs|dkr|}n}t|tjr6t|}n\t|tjrltr]|jdn t|}n&trt|tj rt|}nt|tj rt|}nt|tj s2t|tj s2t|tj s2t|tjs2t|tjs2t|tjs2t|tjrAt|}nQt|tjrbt|}n0t|tjrg|D]}t|^q{}nt|tjrtg|D]}t|^q}nt|tjrd|jD}nt|tsst|tsst|tsst|tsst|tsst|tsst|tsst|tr||}ntdt||dk r|tkrt|t sb|tkrt|t sb|tkrt|t sb|tkrt|t sb|tkr*t|t sb|tkrFt|t sb|tkrt|t rtd|t ||fqn|S(Nsutf-8cSs+i|]!\}}t|t|qS((R(t.0tktv((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pys s s Unhandled %ss%s is %s, expected %s(!Rt isinstanceRtBooleantbooltStringtPY2tencodetstrt UTF8Stringt ObjectPathtBytetInt16tInt32tInt64tUInt16tUInt32tUInt64RtDoubletfloattArrayRtStructttuplet Dictionarytitemstbytestlisttdictt TypeErrortreprttype(tobjt expected_typet python_objtx((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyRgsV  $"(  %cCst|tjrdSt|tjr,dSt|tjrBdSt|tjrXdSt|tjrndSt|tjrdSt|tjrdSt|tj 
rdSt|tj rd St|tj rd St|tj rd St|tj r2t|jd kr$d |jSd|jSnlt|tjrOd|jSt|tjrld|jStrt|tjrdStdt|dS(NtbtstotytntiRRtqtutttdisa(%s)sa%ss(%s)sa{%s}s Unhandled %s(R2RR3R5R:R;R<R=R>R?R@RARBRDtlent signatureRERGR6R9RLRM(RO((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyRsB   cCs|dkri}nt|ds7t|dint|d}i||s*          0 % dbus_utils.pyo000064400000016231147576556050007501 0ustar00 c`c @sdddddddddd d g Zd d lZd d lZd d lZd d lmZd dlmZejdkZ dZ dZ dZ dZ dZdZdZd dZdZd dZdZd S(tcommand_of_pidt pid_of_sendert uid_of_sendert user_of_uidtcontext_of_sendertcommand_of_sendertuser_of_sendertdbus_to_pythontdbus_signaturet%dbus_introspection_prepare_propertiest!dbus_introspection_add_propertiesiN(tminidom(tlogt3cCs[yBtd|d)}|jdjddj}WdQXWntk rVdSX|S(s Get command for pid from /proc s/proc/%d/cmdlinetritt N(topent readlinestreplacetstript ExceptiontNone(tpidtftcmd((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyR%s , cCsV|jdd}tj|d}yt|j|}Wntk rQdSX|S(sW Get pid from sender string using org.freedesktop.DBus.GetConnectionUnixProcessID sorg.freedesktop.DBuss/org/freedesktop/DBusN(t get_objecttdbust InterfacetinttGetConnectionUnixProcessIDt ValueErrorR(tbustsendertdbus_objt dbus_ifaceR((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyR.s cCsV|jdd}tj|d}yt|j|}Wntk rQdSX|S(sV Get user id from sender string using org.freedesktop.DBus.GetConnectionUnixUser sorg.freedesktop.DBuss/org/freedesktop/DBusN(RRRRtGetConnectionUnixUserRR(R R!R"R#tuid((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyR;s cCs0ytj|}Wntk r'dSX|dS(s Get user for uid from pwd iN(tpwdtgetpwuidRR(R%tpws((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyRHs  cCsh|jdd}tj|d}y|j|}Wntk rKdSXdjttt |S(sl Get SELinux context from sender string using org.freedesktop.DBus.GetConnectionSELinuxSecurityContext sorg.freedesktop.DBuss/org/freedesktop/DBustN( RRRt#GetConnectionSELinuxSecurityContextRRtjointmaptchrR(R R!R"R#tcontext((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyRQs cCstt||S(s Return 
command of D-Bus sender (RR(R R!((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyR_scCstt||S(N(RR(R R!((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyRdsc Cs|dkr|}n}t|tjr6t|}n\t|tjrltr]|jdn t|}n&trt|tj rt|}nt|tj rt|}nt|tj s2t|tj s2t|tj s2t|tjs2t|tjs2t|tjs2t|tjrAt|}nQt|tjrbt|}n0t|tjrg|D]}t|^q{}nt|tjrtg|D]}t|^q}nt|tjrd|jD}nt|tsst|tsst|tsst|tsst|tsst|tsst|tsst|tr||}ntdt||dk r|tkrt|t sb|tkrt|t sb|tkrt|t sb|tkrt|t sb|tkr*t|t sb|tkrFt|t sb|tkrt|t rtd|t ||fqn|S(Nsutf-8cSs+i|]!\}}t|t|qS((R(t.0tktv((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pys s s Unhandled %ss%s is %s, expected %s(!Rt isinstanceRtBooleantbooltStringtPY2tencodetstrt UTF8Stringt ObjectPathtBytetInt16tInt32tInt64tUInt16tUInt32tUInt64RtDoubletfloattArrayRtStructttuplet Dictionarytitemstbytestlisttdictt TypeErrortreprttype(tobjt expected_typet python_objtx((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyRgsV  $"(  %cCst|tjrdSt|tjr,dSt|tjrBdSt|tjrXdSt|tjrndSt|tjrdSt|tjrdSt|tj rdSt|tj rd St|tj rd St|tj rd St|tj r2t|jd kr$d |jSd|jSnlt|tjrOd|jSt|tjrld|jStrt|tjrdStdt|dS(NtbtstotytntiRRtqtutttdisa(%s)sa%ss(%s)sa{%s}s Unhandled %s(R2RR3R5R:R;R<R=R>R?R@RARBRDtlent signatureRERGR6R9RLRM(RO((s7/usr/lib/python2.7/site-packages/firewall/dbus_utils.pyRsB   cCs|dkri}nt|ds7t|dint|d}i||s*          0 % core/logger.py000064400000074476147576556050007373 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2005-2007,2012 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. 
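#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see .
#

__all__ = [ "LogTarget", "FileLog", "Logger", "log" ]

import sys
import types
import time
import inspect
import fnmatch
import syslog
import traceback
import fcntl
import os.path
import os

# ---------------------------------------------------------------------------

# abstract class for logging targets
class LogTarget(object):
    """ Abstract class for logging targets.

    A target owns a file-like object in ``fd`` (None until opened) and
    must implement write(), flush() and close().
    """
    def __init__(self):
        self.fd = None

    def write(self, data, level, logger, is_debug=0):
        """ Emit *data* logged at *level* of *logger*; is_debug selects
        the debug level space.  Abstract. """
        raise NotImplementedError("LogTarget.write is an abstract method")

    def flush(self):
        """ Push buffered output.  Abstract. """
        raise NotImplementedError("LogTarget.flush is an abstract method")

    def close(self):
        """ Release the target.  Abstract. """
        raise NotImplementedError("LogTarget.close is an abstract method")

# ---------------------------------------------------------------------------

# private class for stdout
class _StdoutLog(LogTarget):
    """ Target writing to sys.stdout; level and logger are ignored. """
    def __init__(self):
        LogTarget.__init__(self)
        self.fd = sys.stdout

    def write(self, data, level, logger, is_debug=0):
        # ignore level
        self.fd.write(data)
        self.flush()

    def close(self):
        # the process stream is not ours to close; only push pending output
        self.flush()

    def flush(self):
        self.fd.flush()

# ---------------------------------------------------------------------------

# private class for stderr
class _StderrLog(_StdoutLog):
    """ Target writing to sys.stderr; behaves like _StdoutLog otherwise. """
    def __init__(self):
        _StdoutLog.__init__(self)
        self.fd = sys.stderr

# ---------------------------------------------------------------------------

# private class for syslog
class _SyslogLog(LogTarget):
    """ Target forwarding to syslog(3); fd stays None. """
    def __init__(self):
        # Only initialize LogTarget here as fd should be None
        LogTarget.__init__(self)

        #
        # Derived from: https://github.com/canvon/firewalld/commit/af0edfee1cc1891b7b13f302ca5911b24e9b0f13
        #
        # Work around Python issue 27875, "Syslogs /usr/sbin/foo as /foo
        # instead of as foo"
        # (but using openlog explicitly might be better anyway)
        #
        # Set ident to basename, log PID as well, and log to facility "daemon".
        syslog.openlog(os.path.basename(sys.argv[0]),
                       syslog.LOG_PID, syslog.LOG_DAEMON)

    def write(self, data, level, logger, is_debug=0):
        """ Map the logger level to a syslog priority and emit *data*
        without its trailing newline; empty messages are dropped. """
        priority = None
        if is_debug:
            priority = syslog.LOG_DEBUG
        elif level >= logger.INFO1:
            priority = syslog.LOG_INFO
        elif level == logger.WARNING:
            priority = syslog.LOG_WARNING
        elif level == logger.ERROR:
            priority = syslog.LOG_ERR
        elif level == logger.FATAL:
            priority = syslog.LOG_CRIT
        # any other level (e.g. TRACEBACK) keeps priority None and uses
        # the syslog module's default priority below

        if data.endswith("\n"):
            data = data[:-1]
        if len(data) > 0:
            if priority is None:
                syslog.syslog(data)
            else:
                syslog.syslog(priority, data)

    def close(self):
        syslog.closelog()

    def flush(self):
        # syslog(3) has no buffer to flush
        pass

# ---------------------------------------------------------------------------

class FileLog(LogTarget):
    """ FileLog class.
    File will be opened on the first write.
    """
    def __init__(self, filename, mode="w"):
        """ Remember *filename* and *mode*; nothing is opened yet.
        A mode starting with 'a' appends, anything else truncates on
        the first open. """
        LogTarget.__init__(self)
        self.filename = filename
        self.mode = mode

    def open(self):
        """ Open the log file with mode 0640 and close-on-exec.

        ``self.fd`` is only assigned once a file object exists, so a
        failure in fchmod() leaves the target unopened (and the raw
        descriptor closed) instead of storing a bare int in ``fd`` that
        later write()/close() calls would choke on.
        Raises OSError from os.open()/os.fchmod() on failure.
        """
        if self.fd:
            return
        flags = os.O_CREAT | os.O_WRONLY
        if self.mode.startswith('a'):
            flags |= os.O_APPEND
        # NOTE(review): O_CREAT follows a pre-existing symlink at
        # filename; fine when the log directory is root-owned and not
        # writable by untrusted users -- confirm for the deployed path.
        fd = os.open(self.filename, flags, 0o640)
        try:
            # Make sure that existing file has correct perms
            os.fchmod(fd, 0o640)
        except OSError:
            os.close(fd)
            raise
        # Make it an object
        self.fd = os.fdopen(fd, self.mode)
        fcntl.fcntl(self.fd, fcntl.F_SETFD, fcntl.FD_CLOEXEC)

    def write(self, data, level, logger, is_debug=0):
        # lazily open on first use; level/logger are ignored
        if not self.fd:
            self.open()
        self.fd.write(data)
        self.fd.flush()

    def close(self):
        if not self.fd:
            return
        self.fd.close()
        self.fd = None

    def flush(self):
        if not self.fd:
            return
        self.fd.flush()

# ---------------------------------------------------------------------------

class Logger(object):
    r"""
    Format string:
        %(class)s      Calling class the function belongs to, else empty
        %(date)s       Date using Logger.date_format, see time module
        %(domain)s     Full Domain: %(module)s.%(class)s.%(function)s
        %(file)s       Filename of the module
        %(function)s   Function name, empty in __main__
        %(label)s      Label according to log function call from Logger.label
        %(level)d      Internal logging level
        %(line)d       Line number in module
        %(module)s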
Module name
        %(message)s    Log message

    Standard levels:
        FATAL                Fatal error messages
        ERROR                Error messages
        WARNING              Warning messages
        INFOx, x in [1..5]   Information
        DEBUGy, y in [1..10] Debug messages
        NO_INFO              No info output
        NO_DEBUG             No debug output
        INFO_MAX             Maximum info level
        DEBUG_MAX            Maximum debug level

    x and y depend on info_max and debug_max from Logger class initialization.
    See __init__ function.

    Default logging targets:
        stdout     Logs to stdout
        stderr     Logs to stderr
        syslog     Logs to syslog

    Additional arguments for logging functions (fatal, error, warning, info
    and debug):
        nl         Disable newline at the end with nl=0, default is nl=1.
        fmt        Format string for this logging entry, overloads global
                   format string.
                   Example: fmt="%(file)s:%(line)d %(message)s"
        nofmt      Only output message with nofmt=1. The nofmt argument wins
                   over the fmt argument.

    Example:

    from logger import log
    log.setInfoLogLevel(log.INFO1)
    log.setDebugLogLevel(log.DEBUG1)
    for i in range(1, log.INFO_MAX+1):
        log.setInfoLogLabel(i, "INFO%d: " % i)
    log.setFormat("%(date)s %(module)s:%(line)d [%(domain)s] %(label)s: "
                  "%(level)d %(message)s")
    log.setDateFormat("%Y-%m-%d %H:%M:%S")
    fl = FileLog("/tmp/log", "a")
    log.addInfoLogging("*", fl)
    log.addDebugLogging("*", fl)
    log.addInfoLogging("*", log.syslog, fmt="%(label)s%(message)s")

    log.debug3("debug3")
    log.debug2("debug2")
    log.debug1("debug1")
    log.info2("info2")
    log.info1("info1")
    log.warning("warning\n", nl=0)
    log.error("error\n", nl=0)
    log.fatal("fatal")
    log.info(log.INFO1, "nofmt info", nofmt=1)

    """

    ALL = -5
    NOTHING = -4
    FATAL = -3
    TRACEBACK = -2
    ERROR = -1
    WARNING = 0
    # Additional levels are generated in class initilization

    stdout = _StdoutLog()
    stderr = _StderrLog()
    syslog = _SyslogLog()

    def __init__(self, info_max=5, debug_max=10):
        """ Logger class initialization

        info_max   highest info level; INFO1..INFO<info_max> and the
                   info1()..info<info_max>() shortcuts are generated.
                   Must be >= 1 (INFO1 is the standard level).
        debug_max  highest debug level; DEBUG1..DEBUG<debug_max> and the
                   debug1()..debug<debug_max>() shortcuts are generated.
                   Must be >= 0.
        Raises ValueError when a bound is below its minimum.
        """
        self._level = { }
        self._debug_level = { }
        self._format = ""
        self._date_format = ""
        self._label = { }
        self._debug_label = { }
        self._logging = { }
        self._debug_logging = { }
        self._domains = { }
        self._debug_domains = { }

        # INFO1 is required for standard log level
        if info_max < 1:
            raise ValueError("Logger: info_max %d is too low" % info_max)
        if debug_max < 0:
            raise ValueError("Logger: debug_max %d is too low" % debug_max)

        self.NO_INFO = self.WARNING # = 0
        self.INFO_MAX = info_max
        self.NO_DEBUG = 0
        self.DEBUG_MAX = debug_max

        self.setInfoLogLabel(self.FATAL, "FATAL ERROR: ")
        self.setInfoLogLabel(self.TRACEBACK, "")
        self.setInfoLogLabel(self.ERROR, "ERROR: ")
        self.setInfoLogLabel(self.WARNING, "WARNING: ")

        # Factories for the infoN()/debugN() shortcuts.  Each shortcut
        # resolves owner.info / owner.debug at call time, so a later
        # rebinding of those methods on the instance is honoured.
        def _bind_info(owner, lvl):
            def _info(message, *args, **kwargs):
                return owner.info(lvl, message, *args, **kwargs)
            return _info

        def _bind_debug(owner, lvl):
            def _debug(message, *args, **kwargs):
                return owner.debug(lvl, message, *args, **kwargs)
            return _debug

        # generate info levels and infox functions
        for num in range(1, self.INFO_MAX+1):
            setattr(self, "INFO%d" % num, num)
            self.setInfoLogLabel(num, "")
            setattr(self, "info%d" % num, _bind_info(self, num))

        # generate debug levels and debugx functions
        for num in range(1, self.DEBUG_MAX+1):
            setattr(self, "DEBUG%d" % num, num)
            self.setDebugLogLabel(num, "DEBUG%d: " % num)
            setattr(self, "debug%d" % num, _bind_debug(self, num))

        # set initial log levels, formats and targets
        self.setInfoLogLevel(self.INFO1)
        self.setDebugLogLevel(self.NO_DEBUG)
        self.setFormat("%(label)s%(message)s")
        self.setDateFormat("%d %b %Y %H:%M:%S")
        self.setInfoLogging("*", self.stderr,
                            [ self.FATAL, self.ERROR, self.WARNING ])
        self.setInfoLogging("*", self.stdout,
                            list(range(self.INFO1, self.INFO_MAX+1)))
        self.setDebugLogging("*", self.stdout,
                             list(range(1, self.DEBUG_MAX+1)))

    def close(self):
        """ Close all logging targets """
        # NOTE(review): only the entries in _logging are walked; targets
        # registered through setDebugLogging presumably live in
        # _debug_logging and are not closed here -- confirm intended.
        for level in range(self.FATAL, self.DEBUG_MAX+1):
            for (dummy, target, dummy) in self._logging.get(level, []):
                target.close()

    def getInfoLogLevel(self, domain="*"):
        """ Get info log level.

        Returns the level configured for *domain*, NOTHING if none.
        """
        self._checkDomain(domain)
        return self._level.get(domain, self.NOTHING)

    def setInfoLogLevel(self, level, domain="*"):
        """ Set log level [NOTHING .. INFO_MAX]

        Values outside the range are clamped to it.
        """
        self._checkDomain(domain)
        self._level[domain] = min(max(level, self.NOTHING), self.INFO_MAX)

    def getDebugLogLevel(self, domain="*"):
        """ Get debug log level.

        Returns the level configured for *domain*, NO_DEBUG if none.
        """
        self._checkDomain(domain)
        return self._debug_level.get(domain, 0) + self.NO_DEBUG

    def setDebugLogLevel(self, level, domain="*"):
        """ Set debug log level [NO_DEBUG .. DEBUG_MAX]

        Values outside the range are clamped to it; the stored value is
        relative to NO_DEBUG.
        """
        self._checkDomain(domain)
        clamped = min(max(level, 0), self.DEBUG_MAX)
        self._debug_level[domain] = clamped - self.NO_DEBUG

    def getFormat(self):
        """ Return the global format string. """
        return self._format

    def setFormat(self, _format):
        """ Set the global format string (see class docstring). """
        self._format = _format

    def getDateFormat(self):
        """ Return the strftime-style format used for %(date)s. """
        return self._date_format

    def setDateFormat(self, _format):
        """ Set the strftime-style format used for %(date)s. """
        self._date_format = _format

    def setInfoLogLabel(self, level, label):
        """ Set log label for level.
        Level can be a single level or an array of levels.
        """
        for lvl in self._getLevels(level):
            self._checkLogLevel(lvl, min_level=self.FATAL,
                                max_level=self.INFO_MAX)
            self._label[lvl] = label

    def setDebugLogLabel(self, level, label):
        """ Set log label for level.
        Level can be a single level or an array of levels.
        """
        for lvl in self._getLevels(level, is_debug=1):
            self._checkLogLevel(lvl, min_level=self.INFO1,
                                max_level=self.DEBUG_MAX)
            self._debug_label[lvl] = label

    def setInfoLogging(self, domain, target, level=ALL, fmt=None):
        """ Set info log target for domain and level.
        Level can be a single level or an array of levels. Use level ALL
        to set for all levels. If no format is specified, the default
        format will be used.
        """
        self._setLogging(domain, target, level, fmt, is_debug=0)

    def setDebugLogging(self, domain, target, level=ALL, fmt=None):
        """ Set debug log target for domain and level.
Level can be a single level or an array of levels. Use level ALL to set for all levels. If no format is specified, the default format will be used. """ self._setLogging(domain, target, level, fmt, is_debug=1) def addInfoLogging(self, domain, target, level=ALL, fmt=None): """ Add info log target for domain and level. Level can be a single level or an array of levels. Use level ALL to set for all levels. If no format is specified, the default format will be used. """ self._addLogging(domain, target, level, fmt, is_debug=0) def addDebugLogging(self, domain, target, level=ALL, fmt=None): """ Add debg log target for domain and level. Level can be a single level or an array of levels. Use level ALL to set for all levels. If no format is specified, the default format will be used. """ self._addLogging(domain, target, level, fmt, is_debug=1) def delInfoLogging(self, domain, target, level=ALL, fmt=None): """ Delete info log target for domain and level. Level can be a single level or an array of levels. Use level ALL to set for all levels. If no format is specified, the default format will be used. """ self._delLogging(domain, target, level, fmt, is_debug=0) def delDebugLogging(self, domain, target, level=ALL, fmt=None): """ Delete debug log target for domain and level. Level can be a single level or an array of levels. Use level ALL to set for all levels. If no format is specified, the default format will be used. """ self._delLogging(domain, target, level, fmt, is_debug=1) def isInfoLoggingHere(self, level): """ Is there currently any info logging for this log level (and domain)? """ return self._isLoggingHere(level, is_debug=0) def isDebugLoggingHere(self, level): """ Is there currently any debug logging for this log level (and domain)? """ return self._isLoggingHere(level, is_debug=1) ### log functions def fatal(self, _format, *args, **kwargs): """ Fatal error log. 
""" self._checkKWargs(kwargs) kwargs["is_debug"] = 0 self._log(self.FATAL, _format, *args, **kwargs) def error(self, _format, *args, **kwargs): """ Error log. """ self._checkKWargs(kwargs) kwargs["is_debug"] = 0 self._log(self.ERROR, _format, *args, **kwargs) def warning(self, _format, *args, **kwargs): """ Warning log. """ self._checkKWargs(kwargs) kwargs["is_debug"] = 0 self._log(self.WARNING, _format, *args, **kwargs) def info(self, level, _format, *args, **kwargs): """ Information log using info level [1..info_max]. There are additional infox functions according to info_max from __init__""" self._checkLogLevel(level, min_level=1, max_level=self.INFO_MAX) self._checkKWargs(kwargs) kwargs["is_debug"] = 0 self._log(level+self.NO_INFO, _format, *args, **kwargs) def debug(self, level, _format, *args, **kwargs): """ Debug log using debug level [1..debug_max]. There are additional debugx functions according to debug_max from __init__""" self._checkLogLevel(level, min_level=1, max_level=self.DEBUG_MAX) self._checkKWargs(kwargs) kwargs["is_debug"] = 1 self._log(level, _format, *args, **kwargs) def exception(self): self._log(self.TRACEBACK, traceback.format_exc(), args=[], kwargs={}) ### internal functions def _checkLogLevel(self, level, min_level, max_level): if level < min_level or level > max_level: raise ValueError("Level %d out of range, should be [%d..%d]." % \ (level, min_level, max_level)) def _checkKWargs(self, kwargs): if not kwargs: return for key in kwargs.keys(): if key not in [ "nl", "fmt", "nofmt" ]: raise ValueError("Key '%s' is not allowed as argument for logging." % key) def _checkDomain(self, domain): if not domain or domain == "": raise ValueError("Domain '%s' is not valid." % domain) def _getLevels(self, level, is_debug=0): """ Generate log level array. 
""" if level != self.ALL: if isinstance(level, list) or isinstance(level, tuple): levels = level else: levels = [ level ] for level in levels: if is_debug: self._checkLogLevel(level, min_level=1, max_level=self.DEBUG_MAX) else: self._checkLogLevel(level, min_level=self.FATAL, max_level=self.INFO_MAX) else: if is_debug: levels = [ i for i in range(self.DEBUG1, self.DEBUG_MAX) ] else: levels = [ i for i in range(self.FATAL, self.INFO_MAX) ] return levels def _getTargets(self, target): """ Generate target array. """ if isinstance(target, list) or isinstance(target, tuple): targets = target else: targets = [ target ] for _target in targets: if not issubclass(_target.__class__, LogTarget): raise ValueError("'%s' is no valid logging target." % \ _target.__class__.__name__) return targets def _genDomains(self, is_debug=0): # private method for self._domains array creation, speeds up """ Generate dict with domain by level. """ if is_debug: _domains = self._debug_domains _logging = self._debug_logging _range = ( 1, self.DEBUG_MAX+1 ) else: _domains = self._domains _logging = self._logging _range = ( self.FATAL, self.INFO_MAX+1 ) if len(_domains) > 0: _domains.clear() for level in range(_range[0], _range[1]): if level not in _logging: continue for (domain, dummy, dummy) in _logging[level]: if domain not in _domains: _domains.setdefault(level, [ ]).append(domain) def _setLogging(self, domain, target, level=ALL, fmt=None, is_debug=0): self._checkDomain(domain) levels = self._getLevels(level, is_debug) targets = self._getTargets(target) if is_debug: _logging = self._debug_logging else: _logging = self._logging for level in levels: for target in targets: _logging[level] = [ (domain, target, fmt) ] self._genDomains(is_debug) def _addLogging(self, domain, target, level=ALL, fmt=None, is_debug=0): self._checkDomain(domain) levels = self._getLevels(level, is_debug) targets = self._getTargets(target) if is_debug: _logging = self._debug_logging else: _logging = self._logging for level 
in levels: for target in targets: _logging.setdefault(level, [ ]).append((domain, target, fmt)) self._genDomains(is_debug) def _delLogging(self, domain, target, level=ALL, fmt=None, is_debug=0): self._checkDomain(domain) levels = self._getLevels(level, is_debug) targets = self._getTargets(target) if is_debug: _logging = self._debug_logging else: _logging = self._logging for _level in levels: for target in targets: if _level not in _logging: continue if (domain, target, fmt) in _logging[_level]: _logging[_level].remove( (domain, target, fmt) ) if len(_logging[_level]) == 0: del _logging[_level] continue if level != self.ALL: raise ValueError("No mathing logging for " \ "level %d, domain %s, target %s and format %s." % \ (_level, domain, target.__class__.__name__, fmt)) self._genDomains(is_debug) def _isLoggingHere(self, level, is_debug=0): _dict = self._genDict(level, is_debug) if not _dict: return False point_domain = _dict["domain"] + "." if is_debug: _logging = self._debug_logging else: _logging = self._logging # do we need to log? for (domain, dummy, dummy) in _logging[level]: if domain == "*" or \ point_domain.startswith(domain) or \ fnmatch.fnmatchcase(_dict["domain"], domain): return True return False def _getClass(self, frame): """ Function to get calling class. Returns class or None. """ # get class by first function argument, if there are any if frame.f_code.co_argcount > 0: selfname = frame.f_code.co_varnames[0] if selfname in frame.f_locals: _self = frame.f_locals[selfname] obj = self._getClass2(_self.__class__, frame.f_code) if obj: return obj module = inspect.getmodule(frame.f_code) code = frame.f_code # function in module? 
if code.co_name in module.__dict__: if hasattr(module.__dict__[code.co_name], "func_code") and \ module.__dict__[code.co_name].__code__ == code: return None # class in module for (dummy, obj) in module.__dict__.items(): if isinstance(obj, types.ClassType): if hasattr(obj, code.co_name): value = getattr(obj, code.co_name) if isinstance(value, types.FunctionType): if value.__code__ == code: return obj # nothing found return None def _getClass2(self, obj, code): """ Internal function to get calling class. Returns class or None. """ for value in obj.__dict__.values(): if isinstance(value, types.FunctionType): if value.__code__ == code: return obj for base in obj.__bases__: _obj = self._getClass2(base, code) if _obj: return _obj return None # internal log class def _log(self, level, _format, *args, **kwargs): is_debug = 0 if "is_debug" in kwargs: is_debug = kwargs["is_debug"] nl = 1 if "nl" in kwargs: nl = kwargs["nl"] nofmt = 0 if "nofmt" in kwargs: nofmt = kwargs["nofmt"] _dict = self._genDict(level, is_debug) if not _dict: return if len(args) > 1: _dict['message'] = _format % args elif len(args) == 1: # needed for _format % _dict _dict['message'] = _format % args[0] else: _dict['message'] = _format point_domain = _dict["domain"] + "." if is_debug: _logging = self._debug_logging else: _logging = self._logging used_targets = [ ] # log to target(s) for (domain, target, _format) in _logging[level]: if target in used_targets: continue if domain == "*" \ or point_domain.startswith(domain+".") \ or fnmatch.fnmatchcase(_dict["domain"], domain): if not _format: _format = self._format if "fmt" in kwargs: _format = kwargs["fmt"] if nofmt: target.write(_dict["message"], level, self, is_debug) else: target.write(_format % _dict, level, self, is_debug) if nl: # newline target.write("\n", level, self, is_debug) used_targets.append(target) # internal function to generate the dict, needed for logging def _genDict(self, level, is_debug=0): """ Internal function. 
""" check_domains = [ ] simple_match = False if is_debug: _dict = self._debug_level _domains = self._debug_domains _label = self._debug_label else: _dict = self._level _domains = self._domains _label = self._label # no debug for domain in _dict: if domain == "*": # '*' matches everything: simple match if _dict[domain] >= level: simple_match = True if len(check_domains) > 0: check_domains = [ ] break else: if _dict[domain] >= level: check_domains.append(domain) if not simple_match and len(check_domains) < 1: return None if level not in _domains: return None f = inspect.currentframe() # go outside of logger module as long as there is a lower frame while f and f.f_back and f.f_globals["__name__"] == self.__module__: f = f.f_back if not f: raise ValueError("Frame information not available.") # get module name module_name = f.f_globals["__name__"] # simple module match test for all entries of check_domain point_module = module_name + "." for domain in check_domains: if point_module.startswith(domain): # found domain in module name check_domains = [ ] break # get code co = f.f_code # optimization: bail out early if domain can not match at all _len = len(module_name) for domain in _domains[level]: i = domain.find("*") if i == 0: continue elif i > 0: d = domain[:i] else: d = domain if _len >= len(d): if not module_name.startswith(d): return None else: if not d.startswith(module_name): return None # generate _dict for format output level_str = "" if level in _label: level_str = _label[level] _dict = { 'file': co.co_filename, 'line': f.f_lineno, 'module': module_name, 'class': '', 'function': co.co_name, 'domain': '', 'label' : level_str, 'level' : level, 'date' : time.strftime(self._date_format, time.localtime()) } if _dict["function"] == "?": _dict["function"] = "" # domain match needed? 
domain_needed = False for domain in _domains[level]: # standard domain, matches everything if domain == "*": continue # domain is needed domain_needed = True break # do we need to get the class object? if self._format.find("%(domain)") >= 0 or \ self._format.find("%(class)") >= 0 or \ domain_needed or \ len(check_domains) > 0: obj = self._getClass(f) if obj: _dict["class"] = obj.__name__ # build domain string _dict["domain"] = "" + _dict["module"] if _dict["class"] != "": _dict["domain"] += "." + _dict["class"] if _dict["function"] != "": _dict["domain"] += "." + _dict["function"] if len(check_domains) < 1: return _dict point_domain = _dict["domain"] + "." for domain in check_domains: if point_domain.startswith(domain) or \ fnmatch.fnmatchcase(_dict["domain"], domain): return _dict return None # --------------------------------------------------------------------------- # Global logging object. log = Logger() # --------------------------------------------------------------------------- """ # Example if __name__ == '__main__': log.setInfoLogLevel(log.INFO2) log.setDebugLogLevel(log.DEBUG5) for i in range(log.INFO1, log.INFO_MAX+1): log.setInfoLogLabel(i, "INFO%d: " % i) for i in range(log.DEBUG1, log.DEBUG_MAX+1): log.setDebugLogLabel(i, "DEBUG%d: " % i) log.setFormat("%(date)s %(module)s:%(line)d %(label)s" "%(message)s") log.setDateFormat("%Y-%m-%d %H:%M:%S") fl = FileLog("/tmp/log", "a") log.addInfoLogging("*", fl) log.delDebugLogging("*", log.stdout) log.setDebugLogging("*", log.stdout, [ log.DEBUG1, log.DEBUG2 ] ) log.addDebugLogging("*", fl) # log.addInfoLogging("*", log.syslog, fmt="%(label)s%(message)s") # log.addDebugLogging("*", log.syslog, fmt="%(label)s%(message)s") log.debug10("debug10") log.debug9("debug9") log.debug8("debug8") log.debug7("debug7") log.debug6("debug6") log.debug5("debug5") log.debug4("debug4") log.debug3("debug3") log.debug2("debug2", fmt="%(file)s:%(line)d %(message)s") log.debug1("debug1", nofmt=1) log.info5("info5") 
log.info4("info4") log.info3("info3") log.info2("info2") log.info1("info1") log.warning("warning\n", nl=0) log.error("error ", nl=0) log.error("error", nofmt=1) log.fatal("fatal") log.info(log.INFO1, "nofmt info", nofmt=1) log.info(log.INFO2, "info2 fmt", fmt="%(file)s:%(line)d %(message)s") try: a = b except Exception as e: log.exception() """ # vim:ts=4:sw=4:showmatch:expandtab core/nftables.py000064400000171062147576556050007677 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2018 Red Hat, Inc. # # Authors: # Eric Garver # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # import os.path import copy from firewall.core.base import SHORTCUTS, DEFAULT_ZONE_TARGET from firewall.core.prog import runProg from firewall.core.logger import log from firewall.functions import splitArgs, check_mac, portStr, \ check_single_address, check_address from firewall import config from firewall.errors import FirewallError, UNKNOWN_ERROR, INVALID_RULE, \ INVALID_ICMPTYPE, INVALID_TYPE, INVALID_ENTRY from firewall.core.rich import Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark TABLE_NAME = "firewalld" # Map iptables (table, chain) to hooks and priorities. # These are well defined by NF_IP_PRI_* defines in netfilter. # # This is analogous to ipXtables.BUILT_IN_CHAINS, but we omit the chains that # are only used for direct rules. # # Note: All hooks use their standard position + NFT_HOOK_OFFSET. 
# This means
# iptables will have DROP precedence. It also means that even if iptables
# ACCEPTs a packet it may still be dropped later by firewalld's rules.
#
# Consequence for anyone auditing the host's packet path: iptables and
# firewalld rule sets are evaluated in sequence within each hook, not as
# alternatives, so a packet must be accepted by both.  The "raw" priority
# (-300 + NFT_HOOK_OFFSET) runs before conntrack, mangle and nat, and the
# startup/panic DROP chains from build_set_policy_rules() register one
# priority lower still (-300 + NFT_HOOK_OFFSET - 1) so that they run ahead
# of every chain listed in IPTABLES_TO_NFT_HOOK.
NFT_HOOK_OFFSET = 10

# (iptables table) -> (iptables chain) -> (nft hook name, nft priority).
# The commented-out entries are the built-in chains that are only used for
# direct rules; they are kept here for reference and are not registered.
# build_default_rules() iterates these dicts when creating the base chains,
# so chain creation order follows dict order (insertion order on Python 3.7+).
IPTABLES_TO_NFT_HOOK = {
    #"security": {
    #    "INPUT": ("input", 50 + NFT_HOOK_OFFSET),
    #    "OUTPUT": ("output", 50 + NFT_HOOK_OFFSET),
    #    "FORWARD": ("forward", 50 + NFT_HOOK_OFFSET),
    #},
    "raw": {
        "PREROUTING": ("prerouting", -300 + NFT_HOOK_OFFSET),
    #    "OUTPUT": ("output", -300 + NFT_HOOK_OFFSET),
    },
    "mangle": {
        "PREROUTING": ("prerouting", -150 + NFT_HOOK_OFFSET),
    #    "POSTROUTING": ("postrouting", -150 + NFT_HOOK_OFFSET),
    #    "INPUT": ("input", -150 + NFT_HOOK_OFFSET),
    #    "OUTPUT": ("output", -150 + NFT_HOOK_OFFSET),
    #    "FORWARD": ("forward", -150 + NFT_HOOK_OFFSET),
    },
    "nat": {
        "PREROUTING": ("prerouting", -100 + NFT_HOOK_OFFSET),
        "POSTROUTING": ("postrouting", 100 + NFT_HOOK_OFFSET),
    #    "INPUT": ("input", 100 + NFT_HOOK_OFFSET),
    #    "OUTPUT": ("output", -100 + NFT_HOOK_OFFSET),
    },
    "filter": {
        "INPUT": ("input", 0 + NFT_HOOK_OFFSET),
        "FORWARD": ("forward", 0 + NFT_HOOK_OFFSET),
    #    "OUTPUT": ("output", 0 + NFT_HOOK_OFFSET),
    },
}

# Chains created by firewalld, keyed by nft address family, then by the
# iptables-style table name, holding a set of chain-name suffixes such as
# "PREROUTING_ZONES".  The inner dicts start empty and are filled by
# build_default_rules(); build_default_tables() and build_flush_rules()
# use the family keys to add / delete the TABLE_NAME table per family.
OUR_CHAINS = {
    # family: { table: { chains ...} }
    "inet": {},
    "ip": {},
    "ip6": {},
}

# Most ICMP types are provided by nft, but for the codes we have to use numeric
# ICMP_TYPES_FRAGMENT = { "ipv4" : { "communication-prohibited" : ["icmp", "type", "destination-unreachable", "icmp", "code", "13"], "destination-unreachable" : ["icmp", "type", "destination-unreachable"], "echo-reply" : ["icmp", "type", "echo-reply"], "echo-request" : ["icmp", "type", "echo-request"], "fragmentation-needed" : ["icmp", "type", "destination-unreachable", "icmp", "code", "4"], "host-precedence-violation" : ["icmp", "type", "destination-unreachable", "icmp", "code", "14"], "host-prohibited" : ["icmp", "type", "destination-unreachable", "icmp", "code", "10"], "host-redirect" : ["icmp", "type", "redirect", "icmp", "code", "1"], "host-unknown" : ["icmp", "type", "destination-unreachable", "icmp", "code", "7"], "host-unreachable" : ["icmp", "type", "destination-unreachable", "icmp", "code", "1"], "ip-header-bad" : ["icmp", "type", "parameter-problem", "icmp", "code", "1"], "network-prohibited" : ["icmp", "type", "destination-unreachable", "icmp", "code", "8"], "network-redirect" : ["icmp", "type", "redirect", "icmp", "code", "0"], "network-unknown" : ["icmp", "type", "destination-unreachable", "icmp", "code", "6"], "network-unreachable" : ["icmp", "type", "destination-unreachable", "icmp", "code", "0"], "parameter-problem" : ["icmp", "type", "parameter-problem"], "port-unreachable" : ["icmp", "type", "destination-unreachable", "icmp", "code", "3"], "precedence-cutoff" : ["icmp", "type", "destination-unreachable", "icmp", "code", "15"], "protocol-unreachable" : ["icmp", "type", "destination-unreachable", "icmp", "code", "2"], "redirect" : ["icmp", "type", "redirect"], "required-option-missing" : ["icmp", "type", "parameter-problem", "icmp", "code", "1"], "router-advertisement" : ["icmp", "type", "router-advertisement"], "router-solicitation" : ["icmp", "type", "router-solicitation"], "source-quench" : ["icmp", "type", "source-quench"], "source-route-failed" : ["icmp", "type", "destination-unreachable", "icmp", "code", "5"], "time-exceeded" : ["icmp", 
"type", "time-exceeded"], "timestamp-reply" : ["icmp", "type", "timestamp-reply"], "timestamp-request" : ["icmp", "type", "timestamp-request"], "tos-host-redirect" : ["icmp", "type", "redirect", "icmp", "code", "3"], "tos-host-unreachable" : ["icmp", "type", "destination-unreachable", "icmp", "code", "12"], "tos-network-redirect" : ["icmp", "type", "redirect", "icmp", "code", "2"], "tos-network-unreachable" : ["icmp", "type", "destination-unreachable", "icmp", "code", "11"], "ttl-zero-during-reassembly" : ["icmp", "type", "time-exceeded", "icmp", "code", "1"], "ttl-zero-during-transit" : ["icmp", "type", "time-exceeded", "icmp", "code", "0"], }, "ipv6" : { "address-unreachable" : ["icmpv6", "type", "destination-unreachable", "icmpv6", "code", "3"], "bad-header" : ["icmpv6", "type", "parameter-problem", "icmpv6", "code", "0"], "beyond-scope" : ["icmpv6", "type", "destination-unreachable", "icmpv6", "code", "2"], "communication-prohibited" : ["icmpv6", "type", "destination-unreachable", "icmpv6", "code", "1"], "destination-unreachable" : ["icmpv6", "type", "destination-unreachable"], "echo-reply" : ["icmpv6", "type", "echo-reply"], "echo-request" : ["icmpv6", "type", "echo-request"], "failed-policy" : ["icmpv6", "type", "destination-unreachable", "icmpv6", "code", "5"], "neighbour-advertisement" : ["icmpv6", "type", "nd-neighbor-advert"], "neighbour-solicitation" : ["icmpv6", "type", "nd-neighbor-solicit"], "no-route" : ["icmpv6", "type", "destination-unreachable", "icmpv6", "code", "0"], "packet-too-big" : ["icmpv6", "type", "packet-too-big"], "parameter-problem" : ["icmpv6", "type", "parameter-problem"], "port-unreachable" : ["icmpv6", "type", "destination-unreachable", "icmpv6", "code", "4"], "redirect" : ["icmpv6", "type", "nd-redirect"], "reject-route" : ["icmpv6", "type", "destination-unreachable", "icmpv6", "code", "6"], "router-advertisement" : ["icmpv6", "type", "nd-router-advert"], "router-solicitation" : ["icmpv6", "type", "nd-router-solicit"], 
"time-exceeded" : ["icmpv6", "type", "time-exceeded"], "ttl-zero-during-reassembly" : ["icmpv6", "type", "time-exceeded", "icmpv6", "code", "1"], "ttl-zero-during-transit" : ["icmpv6", "type", "time-exceeded", "icmpv6", "code", "0"], "unknown-header-type" : ["icmpv6", "type", "parameter-problem", "icmpv6", "code", "1"], "unknown-option" : ["icmpv6", "type", "parameter-problem", "icmpv6", "code", "2"], } } class nftables(object): name = "nftables" zones_supported = True def __init__(self, fw): self._fw = fw self._command = config.COMMANDS["nft"] self.fill_exists() self.available_tables = [] self.rule_to_handle = {} self.rule_ref_count = {} self.zone_source_index_cache = {} def fill_exists(self): self.command_exists = os.path.exists(self._command) self.restore_command_exists = False def _run_replace_zone_source(self, rule_add, rule, zone_source_index_cache): try: i = rule.index("%%ZONE_SOURCE%%") rule.pop(i) zone = rule.pop(i) zone_source = (zone, rule[7]) # (zone, address) except ValueError: try: i = rule.index("%%ZONE_INTERFACE%%") rule.pop(i) zone_source = None except ValueError: return family = rule[2] if zone_source and not rule_add: if family in zone_source_index_cache and \ zone_source in zone_source_index_cache[family]: zone_source_index_cache[family].remove(zone_source) elif rule_add: if family not in zone_source_index_cache: zone_source_index_cache[family] = [] if zone_source: # order source based dispatch by zone name if zone_source not in zone_source_index_cache[family]: zone_source_index_cache[family].append(zone_source) zone_source_index_cache[family].sort(key=lambda x: x[0]) index = zone_source_index_cache[family].index(zone_source) else: if self._fw._allow_zone_drifting: index = 0 else: index = len(zone_source_index_cache[family]) if index == 0: rule[0] = "insert" else: index -= 1 # point to the rule before insertion point rule[0] = "add" rule.insert(i, "index") rule.insert(i+1, "%d" % index) def __run(self, args): nft_opts = ["--echo", "--handle"] 
_args = args[:] # If we're deleting a table (i.e. build_flush_rules()) # then check if its exist first to avoid nft throwing an error if _args[0] == "delete" and _args[1] == "table": _args_test = _args[:] _args_test[0] = "list" (status, output) = runProg(self._command, nft_opts + _args_test) if status != 0: return "" rule_key = None if _args[0] in ["add", "insert"] and _args[1] == "rule": rule_add = True rule_key = _args[2:] if rule_key[3] == "position": # strip "position #" # "insert rule family table chain position " # ^^ rule_key starts here try: int(rule_key[4]) except Exception: raise FirewallError(INVALID_RULE, "position without a number") else: rule_key.pop(3) rule_key.pop(3) rule_key = " ".join(rule_key) elif _args[0] in ["delete"] and _args[1] == "rule": rule_add = False rule_key = _args[2:] rule_key = " ".join(rule_key) # rule deduplication if rule_key in self.rule_ref_count: if rule_add: self.rule_ref_count[rule_key] += 1 return "" if not rule_add and self.rule_ref_count[rule_key] > 1: self.rule_ref_count[rule_key] -= 1 return "" elif self.rule_ref_count[rule_key] == 1: self.rule_ref_count[rule_key] -= 1 else: raise FirewallError(UNKNOWN_ERROR, "rule ref count bug: rule_key '%s', cnt %d" % (rule_key, self.rule_ref_count[rule_key])) log.debug2("%s: rule ref cnt %d, %s %s", self.__class__, self.rule_ref_count[rule_key], self._command, " ".join(_args)) if rule_key: zone_source_index_cache = copy.deepcopy(self.zone_source_index_cache) self._run_replace_zone_source(rule_add, _args, zone_source_index_cache) if not rule_key or (not rule_add and self.rule_ref_count[rule_key] == 0) \ or ( rule_add and rule_key not in self.rule_ref_count): # delete using rule handle if rule_key and not rule_add: _args = ["delete", "rule"] + _args[2:5] + \ ["handle", self.rule_to_handle[rule_key]] _args_str = " ".join(_args) log.debug2("%s: %s %s", self.__class__, self._command, _args_str) (status, output) = runProg(self._command, nft_opts + _args) if status != 0: raise 
ValueError("'%s %s' failed: %s" % (self._command, _args_str, output)) if rule_key: self.zone_source_index_cache = zone_source_index_cache # nft requires deleting rules by handle. So we must cache the rule # handle when adding/inserting rules. # if rule_key: if rule_add: str = "# handle " offset = output.index(str) + len(str) self.rule_to_handle[rule_key] = output[offset:].strip() self.rule_ref_count[rule_key] = 1 else: del self.rule_to_handle[rule_key] del self.rule_ref_count[rule_key] return output def _rule_replace(self, rule, pattern, replacement): try: i = rule.index(pattern) except ValueError: return False else: rule[i:i+1] = replacement return True def reverse_rule(self, args): ret_args = args[:] ret_args[0] = "delete" return ret_args def set_rules(self, rules, log_denied): # We can't support using "nft -f" because we need to retrieve the # handles for each rules so we can delete them later on. # See also: self.restore_command_exists # # We can implement this once libnftables in ready. # raise FirewallError(UNKNOWN_ERROR, "not implemented") def set_rule(self, rule, log_denied): # replace %%REJECT%% # # HACK: work around nft bug in which icmpx does not work if the rule # has qualified the ip family. 
icmp_keyword = "icmpx" if "ipv4" in rule or "ip" in rule or "icmp" in rule: icmp_keyword = "icmp" elif "ipv6" in rule or "ip6" in rule or "icmpv6" in rule: icmp_keyword = "icmpv6" self._rule_replace(rule, "%%REJECT%%", ["reject", "with", icmp_keyword, "type", "admin-prohibited"]) # replace %%ICMP%% self._rule_replace(rule, "%%ICMP%%", ["meta", "l4proto", "{icmp, icmpv6}"]) # replace %%LOGTYPE%% try: i = rule.index("%%LOGTYPE%%") except ValueError: pass else: if log_denied == "off": return "" if log_denied in ["unicast", "broadcast", "multicast"]: rule[i:i+1] = ["pkttype", log_denied] else: rule.pop(i) return self.__run(rule) def get_available_tables(self, table=None): # Tables always exist in nftables return [table] if table else IPTABLES_TO_NFT_HOOK.keys() def build_flush_rules(self): self.rule_to_handle = {} self.rule_ref_count = {} self.zone_source_index_cache = {} rules = [] for family in OUR_CHAINS.keys(): rules.append(["delete", "table", family, "%s" % TABLE_NAME]) return rules def build_set_policy_rules(self, policy): # Policy is not exposed to the user. It's only to make sure we DROP # packets while initially starting and for panic mode. As such, using # hooks with a higher priority than our base chains is sufficient. # table_name = TABLE_NAME + "_" + "policy_drop" rules = [] if policy == "DROP": rules.append(["add", "table", "inet", table_name]) # To drop everything we need to use the "raw" priority. These occur # before conntrack, mangle, nat, etc for hook in ["prerouting", "output"]: _add_chain = "add chain inet %s %s_%s '{ type filter hook %s priority %d ; policy drop ; }'" % \ (table_name, "raw", hook, hook, -300 + NFT_HOOK_OFFSET - 1) rules.append(splitArgs(_add_chain)) elif policy == "ACCEPT": rules.append(["delete", "table", "inet", table_name]) else: FirewallError(UNKNOWN_ERROR, "not implemented") return rules def supported_icmp_types(self): # nftables supports any icmp_type via arbitrary type/code matching. 
# We just need a translation for it in ICMP_TYPES_FRAGMENT. supported = set() for ipv in ICMP_TYPES_FRAGMENT.keys(): supported.update(ICMP_TYPES_FRAGMENT[ipv].keys()) return list(supported) def build_default_tables(self): default_tables = [] for family in OUR_CHAINS.keys(): default_tables.append("add table %s %s" % (family, TABLE_NAME)) return map(splitArgs, default_tables) def build_default_rules(self, log_denied="off"): default_rules = [] OUR_CHAINS["inet"]["raw"] = set() for chain in IPTABLES_TO_NFT_HOOK["raw"].keys(): default_rules.append("add chain inet %s raw_%s '{ type filter hook %s priority %d ; }'" % (TABLE_NAME, chain, IPTABLES_TO_NFT_HOOK["raw"][chain][0], IPTABLES_TO_NFT_HOOK["raw"][chain][1])) for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: default_rules.append("add chain inet %s raw_%s_%s" % (TABLE_NAME, chain, dispatch_suffix)) default_rules.append("add rule inet %s raw_%s jump raw_%s_%s" % (TABLE_NAME, chain, chain, dispatch_suffix)) OUR_CHAINS["inet"]["raw"].update(set(["%s_%s" % (chain, dispatch_suffix)])) OUR_CHAINS["inet"]["mangle"] = set() for chain in IPTABLES_TO_NFT_HOOK["mangle"].keys(): default_rules.append("add chain inet %s mangle_%s '{ type filter hook %s priority %d ; }'" % (TABLE_NAME, chain, IPTABLES_TO_NFT_HOOK["mangle"][chain][0], IPTABLES_TO_NFT_HOOK["mangle"][chain][1])) for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: default_rules.append("add chain inet %s mangle_%s_%s" % (TABLE_NAME, chain, dispatch_suffix)) default_rules.append("add rule inet %s mangle_%s jump mangle_%s_%s" % (TABLE_NAME, chain, chain, dispatch_suffix)) OUR_CHAINS["inet"]["mangle"].update(set(["%s_%s" % (chain, dispatch_suffix)])) OUR_CHAINS["ip"]["nat"] = set() OUR_CHAINS["ip6"]["nat"] = set() for family in ["ip", "ip6"]: for chain in IPTABLES_TO_NFT_HOOK["nat"].keys(): default_rules.append("add chain %s %s nat_%s '{ type nat hook %s priority %d ; }'" % 
(family, TABLE_NAME, chain, IPTABLES_TO_NFT_HOOK["nat"][chain][0], IPTABLES_TO_NFT_HOOK["nat"][chain][1])) for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: default_rules.append("add chain %s %s nat_%s_%s" % (family, TABLE_NAME, chain, dispatch_suffix)) default_rules.append("add rule %s %s nat_%s jump nat_%s_%s" % (family, TABLE_NAME, chain, chain, dispatch_suffix)) OUR_CHAINS[family]["nat"].update(set(["%s_%s" % (chain, dispatch_suffix)])) OUR_CHAINS["inet"]["filter"] = set() for chain in IPTABLES_TO_NFT_HOOK["filter"].keys(): default_rules.append("add chain inet %s filter_%s '{ type filter hook %s priority %d ; }'" % (TABLE_NAME, chain, IPTABLES_TO_NFT_HOOK["filter"][chain][0], IPTABLES_TO_NFT_HOOK["filter"][chain][1])) # filter, INPUT default_rules.append("add rule inet %s filter_%s ct state established,related accept" % (TABLE_NAME, "INPUT")) default_rules.append("add rule inet %s filter_%s iifname lo accept" % (TABLE_NAME, "INPUT")) for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: default_rules.append("add chain inet %s filter_%s_%s" % (TABLE_NAME, "INPUT", dispatch_suffix)) default_rules.append("add rule inet %s filter_%s jump filter_%s_%s" % (TABLE_NAME, "INPUT", "INPUT", dispatch_suffix)) if log_denied != "off": default_rules.append("add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '\"STATE_INVALID_DROP: \"'" % (TABLE_NAME, "INPUT")) default_rules.append("add rule inet %s filter_%s ct state invalid drop" % (TABLE_NAME, "INPUT")) if log_denied != "off": default_rules.append("add rule inet %s filter_%s %%%%LOGTYPE%%%% log prefix '\"FINAL_REJECT: \"'" % (TABLE_NAME, "INPUT")) default_rules.append("add rule inet %s filter_%s reject with icmpx type admin-prohibited" % (TABLE_NAME, "INPUT")) # filter, FORWARD default_rules.append("add chain inet %s filter_%s_IN_ZONES" % (TABLE_NAME, "FORWARD")) default_rules.append("add rule inet %s filter_%s ct 
state established,related accept" % (TABLE_NAME, "FORWARD")) default_rules.append("add rule inet %s filter_%s iifname lo accept" % (TABLE_NAME, "FORWARD")) for direction in ["IN", "OUT"]: for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]: default_rules.append("add chain inet %s filter_%s_%s_%s" % (TABLE_NAME, "FORWARD", direction, dispatch_suffix)) default_rules.append("add rule inet %s filter_%s jump filter_%s_%s_%s" % (TABLE_NAME, "FORWARD", "FORWARD", direction, dispatch_suffix)) if log_denied != "off": default_rules.append("add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '\"STATE_INVALID_DROP: \"'" % (TABLE_NAME, "FORWARD")) default_rules.append("add rule inet %s filter_%s ct state invalid drop" % (TABLE_NAME, "FORWARD")) if log_denied != "off": default_rules.append("add rule inet %s filter_%s %%%%LOGTYPE%%%% log prefix '\"FINAL_REJECT: \"'" % (TABLE_NAME, "FORWARD")) default_rules.append("add rule inet %s filter_%s reject with icmpx type admin-prohibited" % (TABLE_NAME, "FORWARD")) OUR_CHAINS["inet"]["filter"] = set(["INPUT_ZONES_SOURCE", "INPUT_ZONES", "FORWARD_IN_ZONES_SOURCE", "FORWARD_IN_ZONES", "FORWARD_OUT_ZONES_SOURCE", "FORWARD_OUT_ZONES"]) return map(splitArgs, default_rules) def get_zone_table_chains(self, table): if table == "filter": return ["INPUT", "FORWARD_IN", "FORWARD_OUT"] if table == "mangle": return ["PREROUTING"] if table == "nat": return ["PREROUTING", "POSTROUTING"] if table == "raw": return ["PREROUTING"] return {} def build_zone_source_interface_rules(self, enable, zone, interface, table, chain, append=False, family="inet"): # nat tables needs to use ip/ip6 family if table == "nat" and family == "inet": rules = [] rules.extend(self.build_zone_source_interface_rules(enable, zone, interface, table, chain, append, "ip")) rules.extend(self.build_zone_source_interface_rules(enable, zone, interface, table, chain, append, "ip6")) return rules # handle all zones in the same 
way here, now # trust and block zone targets are handled now in __chain opt = { "PREROUTING": "iifname", "POSTROUTING": "oifname", "INPUT": "iifname", "FORWARD_IN": "iifname", "FORWARD_OUT": "oifname", "OUTPUT": "oifname", }[chain] if interface[len(interface)-1] == "+": interface = interface[:len(interface)-1] + "*" target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) action = "goto" if enable and not append: rule = ["insert", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES" % (table, chain), "%%ZONE_INTERFACE%%"] elif enable: rule = ["add", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES" % (table, chain)] else: rule = ["delete", "rule", family, "%s" % TABLE_NAME, "%s_%s_ZONES" % (table, chain)] if not append: rule += ["%%ZONE_INTERFACE%%"] if interface == "*": rule += [action, "%s_%s" % (table, target)] else: rule += [opt, "\"" + interface + "\"", action, "%s_%s" % (table, target)] return [rule] def build_zone_source_address_rules(self, enable, zone, address, table, chain, family="inet"): # nat tables needs to use ip/ip6 family if table == "nat" and family == "inet": rules = [] if address.startswith("ipset:"): ipset_family = self._set_get_family(address[len("ipset:"):]) else: ipset_family = None if check_address("ipv4", address) or check_mac(address) or ipset_family == "ip": rules.extend(self.build_zone_source_address_rules(enable, zone, address, table, chain, "ip")) if check_address("ipv6", address) or check_mac(address) or ipset_family == "ip6": rules.extend(self.build_zone_source_address_rules(enable, zone, address, table, chain, "ip6")) return rules add_del = { True: "insert", False: "delete" }[enable] opt = { "PREROUTING": "saddr", "POSTROUTING": "daddr", "INPUT": "saddr", "FORWARD_IN": "saddr", "FORWARD_OUT": "daddr", "OUTPUT": "daddr", }[chain] if self._fw._allow_zone_drifting: zone_dispatch_chain = "%s_%s_ZONES_SOURCE" % (table, chain) else: zone_dispatch_chain = "%s_%s_ZONES" % (table, chain) target = 
DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) action = "goto" if address.startswith("ipset:"): ipset = address[len("ipset:"):] rule_family = self._set_get_family(ipset) address = "@" + ipset else: if check_mac(address): # outgoing can not be set if opt == "daddr": return "" rule_family = "ether" elif check_address("ipv4", address): rule_family = "ip" else: rule_family = "ip6" rule = [add_del, "rule", family, "%s" % TABLE_NAME, zone_dispatch_chain, "%%ZONE_SOURCE%%", zone, rule_family, opt, address, action, "%s_%s" % (table, target)] return [rule] def build_zone_chain_rules(self, zone, table, chain, family="inet"): # nat tables needs to use ip/ip6 family if table == "nat" and family == "inet": rules = [] rules.extend(self.build_zone_chain_rules(zone, table, chain, "ip")) rules.extend(self.build_zone_chain_rules(zone, table, chain, "ip6")) return rules _zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) OUR_CHAINS[family][table].update(set([_zone, "%s_log" % _zone, "%s_deny" % _zone, "%s_allow" % _zone])) rules = [] rules.append(["add", "chain", family, "%s" % TABLE_NAME, "%s_%s" % (table, _zone)]) rules.append(["add", "chain", family, "%s" % TABLE_NAME, "%s_%s_log" % (table, _zone)]) rules.append(["add", "chain", family, "%s" % TABLE_NAME, "%s_%s_deny" % (table, _zone)]) rules.append(["add", "chain", family, "%s" % TABLE_NAME, "%s_%s_allow" % (table, _zone)]) rules.append(["add", "rule", family, "%s" % TABLE_NAME, "%s_%s" % (table, _zone), "jump", "%s_%s_log" % (table, _zone)]) rules.append(["add", "rule", family, "%s" % TABLE_NAME, "%s_%s" % (table, _zone), "jump", "%s_%s_deny" % (table, _zone)]) rules.append(["add", "rule", family, "%s" % TABLE_NAME, "%s_%s" % (table, _zone), "jump", "%s_%s_allow" % (table, _zone)]) target = self._fw.zone._zones[zone].target if self._fw.get_log_denied() != "off": if table == "filter" and \ chain in ["INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT"]: if target in ["REJECT", "%%REJECT%%", "DROP"]: 
log_suffix = target if target == "%%REJECT%%": log_suffix = "REJECT" rules.append(["add", "rule", family, "%s" % TABLE_NAME, "%s_%s" % (table, _zone), "%%LOGTYPE%%", "log", "prefix", "\"filter_%s_%s: \"" % (_zone, log_suffix)]) # Handle trust, block and drop zones: # Add an additional rule with the zone target (accept, reject # or drop) to the base zone only in the filter table. # Otherwise it is not be possible to have a zone with drop # target, that is allowing traffic that is locally initiated # or that adds additional rules. (RHBZ#1055190) if table == "filter" and \ target in ["ACCEPT", "REJECT", "%%REJECT%%", "DROP"] and \ chain in ["INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT"]: rules.append(["add", "rule", family, "%s" % TABLE_NAME, "%s_%s" % (table, _zone), target.lower() if target != "%%REJECT%%" else "%%REJECT%%"]) return rules def _reject_types_fragment(self, reject_type): frags = { # REJECT_TYPES : "icmp-host-prohibited" : ["with", "icmp", "type", "host-prohibited"], "host-prohib" : ["with", "icmp", "type", "host-prohibited"], "icmp-net-prohibited" : ["with", "icmp", "type", "net-prohibited"], "net-prohib" : ["with", "icmp", "type", "net-prohibited"], "icmp-admin-prohibited" : ["with", "icmp", "type", "admin-prohibited"], "admin-prohib" : ["with", "icmp", "type", "admin-prohibited"], "icmp6-adm-prohibited" : ["with", "icmpv6", "type", "admin-prohibited"], "adm-prohibited" : ["with", "icmpv6", "type", "admin-prohibited"], "icmp-net-unreachable" : ["with", "icmp", "type", "net-unreachable"], "net-unreach" : ["with", "icmp", "type", "net-unreachable"], "icmp-host-unreachable" : ["with", "icmp", "type", "host-unreachable"], "host-unreach" : ["with", "icmp", "type", "host-unreachable"], "icmp-port-unreachable" : ["with", "icmp", "type", "port-unreachable"], "icmp6-port-unreachable" : ["with", "icmpv6", "type", "port-unreachable"], "port-unreach" : ["with", "icmpx", "type", "port-unreachable"], "icmp-proto-unreachable" : ["with", "icmp", "type", 
"prot-unreachable"], "proto-unreach" : ["with", "icmp", "type", "prot-unreachable"], "icmp6-addr-unreachable" : ["with", "icmpv6", "type", "addr-unreachable"], "addr-unreach" : ["with", "icmpv6", "type", "addr-unreachable"], "icmp6-no-route" : ["with", "icmpv6", "type", "no-route"], "no-route" : ["with", "icmpv6", "type", "no-route"], "tcp-reset" : ["with", "tcp", "reset"], "tcp-rst" : ["with", "tcp", "reset"], } return frags[reject_type] def _rich_rule_limit_fragment(self, limit): if not limit: return [] rich_to_nft = { "s" : "second", "m" : "minute", "h" : "hour", "d" : "day", } try: i = limit.value.index("/") except ValueError: raise FirewallError(INVALID_RULE, "Expected '/' in limit") return ["limit", "rate", limit.value[0:i], "/", rich_to_nft[limit.value[i+1]]] def _rich_rule_log(self, rich_rule, enable, table, target, rule_fragment): if not rich_rule.log: return [] add_del = { True: "add", False: "delete" }[enable] rule = [add_del, "rule", "inet", "%s" % TABLE_NAME, "%s_%s_log" % (table, target)] rule += rule_fragment + ["log"] if rich_rule.log.prefix: rule += ["prefix", "\"%s\"" % rich_rule.log.prefix] if rich_rule.log.level: rule += ["level", '"%s"' % rich_rule.log.level] rule += self._rich_rule_limit_fragment(rich_rule.log.limit) return rule def _rich_rule_audit(self, rich_rule, enable, table, target, rule_fragment): if not rich_rule.audit: return [] add_del = { True: "add", False: "delete" }[enable] rule = [add_del, "rule", "inet", "%s" % TABLE_NAME, "%s_%s_log" % (table, target)] rule += rule_fragment + ["log", "level", "audit"] rule += self._rich_rule_limit_fragment(rich_rule.audit.limit) return rule def _rich_rule_action(self, zone, rich_rule, enable, table, target, rule_fragment): if not rich_rule.action: return [] add_del = { True: "add", False: "delete" }[enable] if type(rich_rule.action) == Rich_Accept: chain = "%s_%s_allow" % (table, target) rule_action = ["accept"] elif type(rich_rule.action) == Rich_Reject: chain = "%s_%s_deny" % (table, target) 
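rule_action = ["reject"] if rich_rule.action.type: rule_action += self._reject_types_fragment(rich_rule.action.type) elif type(rich_rule.action) == Rich_Drop: chain = "%s_%s_deny" % (table, target) rule_action = ["drop"] elif type(rich_rule.action) == Rich_Mark: target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"], zone=zone) table = "mangle" chain = "%s_%s_allow" % (table, target) rule_action = ["meta", "mark", "set", rich_rule.action.set] else: raise FirewallError(INVALID_RULE, "Unknown action %s" % type(rich_rule.action)) rule = [add_del, "rule", "inet", "%s" % TABLE_NAME, chain] rule += rule_fragment rule += self._rich_rule_limit_fragment(rich_rule.action.limit) rule += rule_action return rule

    def _rich_rule_family_fragment(self, rich_family):
        """Return the nft match that restricts a rich rule to one IP family.

        :param rich_family: "ipv4", "ipv6", or a false value meaning
                            "no family restriction"
        :return: ``["meta", "nfproto", <family>]`` or ``[]`` when unrestricted
        :raises FirewallError: INVALID_RULE for any other family string
        """
        if not rich_family:
            return []
        if rich_family == "ipv4":
            return ["meta", "nfproto", "ipv4"]
        if rich_family == "ipv6":
            return ["meta", "nfproto", "ipv6"]
        # The original message had no %s placeholder, so this branch raised
        # TypeError from the % operator instead of the FirewallError that
        # callers handle.
        raise FirewallError(INVALID_RULE, "Invalid family %s" % rich_family)

    def _rich_rule_destination_fragment(self, rich_dest):
        """Return the nft daddr match for a rich rule destination.

        :param rich_dest: rich rule destination (``.addr``, ``.invert``)
                          or None
        :return: ``[<ip|ip6>, "daddr", addr]``, with ``"!="`` inserted when
                 inverted, or ``[]`` when no destination is set
        """
        if not rich_dest:
            return []

        # Anything check_address() does not accept as IPv4 is treated as IPv6.
        family = "ip" if check_address("ipv4", rich_dest.addr) else "ip6"
        if rich_dest.invert:
            return [family, "daddr", "!=", rich_dest.addr]
        return [family, "daddr", rich_dest.addr]

    def _rich_rule_source_fragment(self, rich_source):
        """Return the nft saddr match for a rich rule source.

        The source's address, MAC and ipset are tried in that order and only
        the first one present is used; ``.invert`` negates the match.

        :param rich_source: rich rule source or None
        :return: nft tokens for the source match, ``[]`` when there is none
        """
        if not rich_source:
            return []

        rule_fragment = []
        if rich_source.addr:
            family = "ip" if check_address("ipv4", rich_source.addr) else "ip6"
            if rich_source.invert:
                rule_fragment += [family, "saddr", "!=", rich_source.addr]
            else:
                rule_fragment += [family, "saddr", rich_source.addr]
        elif hasattr(rich_source, "mac") and rich_source.mac:
            if rich_source.invert:
                rule_fragment += ["ether", "saddr", "!=", rich_source.mac]
            else:
                rule_fragment += ["ether", "saddr", rich_source.mac]
        elif hasattr(rich_source, "ipset") and rich_source.ipset:
            # The match family is taken from the ipset definition, not from
            # the rule, and the set is referenced by name with the "@" prefix.
            family = self._set_get_family(rich_source.ipset)
            if rich_source.invert:
                rule_fragment += [family, "saddr", "!=", "@" + rich_source.ipset]
            else:
                rule_fragment += [family, "saddr", "@" + rich_source.ipset]

        return rule_fragment

    def build_zone_ports_rules(self, enable, zone, proto, port,
                               destination=None, rich_rule=None):
        """Return the nft commands that open (or close) a zone port.

        :param enable: True to add the rules, False to delete them
        :param zone: zone name
        :param proto: transport protocol keyword, e.g. "tcp"
        :param port: port or port range accepted by portStr()
        :param destination: optional destination address restricting the match
        :param rich_rule: optional rich rule; its family, destination and
                          source restrictions and its log/audit/action are
                          honoured
        :return: list of nft argument lists
        """
        add_del = { True: "add", False: "delete" }[enable]

        table = "filter"
        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
                                            zone=zone)

        rule_fragment = []
        if rich_rule:
            rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
        if destination:
            if check_address("ipv4", destination):
                rule_fragment += ["ip"]
            else:
                rule_fragment += ["ip6"]
            rule_fragment += ["daddr", destination]
        if rich_rule:
            rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
            rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
        rule_fragment += [proto, "dport", "%s" % portStr(port, "-")]
        # NOTE(review): the ct state match is skipped for Rich_Mark actions,
        # presumably so the mark is applied to every packet of the flow --
        # confirm against the mark handling in _rich_rule_action.
        if not rich_rule or type(rich_rule.action) != Rich_Mark:
            rule_fragment += ["ct", "state", "new,untracked"]

        rules = []
        if rich_rule:
            rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment))
            rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment))
            rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment))
        else:
            rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME,
                          "%s_%s_allow" % (table, target)] + rule_fragment + ["accept"])

        return rules

    def build_zone_protocol_rules(self, enable, zone, protocol,
                                  destination=None, rich_rule=None):
        """Return the nft commands that allow (or stop allowing) a protocol.

        :param enable: True to add the rules, False to delete them
        :param zone: zone name
        :param protocol: L4 protocol name or number for ``meta l4proto``
        :param destination: optional destination address restricting the match
        :param rich_rule: optional rich rule; its family, destination and
                          source restrictions and its log/audit/action are
                          honoured
        :return: list of nft argument lists
        """
        add_del = { True: "add", False: "delete" }[enable]

        table = "filter"
        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
                                            zone=zone)

        rule_fragment = []
        if rich_rule:
            rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
        if destination:
            if check_address("ipv4", destination):
                rule_fragment += ["ip"]
            else:
                rule_fragment += ["ip6"]
            rule_fragment += ["daddr", destination]
        if rich_rule:
            # The family fragment was appended a second time here in the
            # original; once is enough and matches build_zone_ports_rules.
            rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
            rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
        # The original *assigned* the l4proto match here, discarding the
        # family, destination and source matches built above, so a rich rule
        # restricting a protocol to a source was emitted without that
        # source restriction. Append instead, as the port rules do.
        rule_fragment += ["meta", "l4proto", protocol]
        if not rich_rule or type(rich_rule.action) != Rich_Mark:
            rule_fragment += ["ct", "state", "new,untracked"]

        rules = []
        if rich_rule:
            rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment))
            rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment))
            rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment))
        else:
            rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME,
                          "%s_%s_allow" % (table, target)] + rule_fragment + ["accept"])

        return rules

    def build_zone_source_ports_rules(self, enable, zone, proto, port,
                                      destination=None, rich_rule=None):
        """Return the nft commands that allow (or stop allowing) traffic by
        source port.

        Mirrors build_zone_ports_rules() but matches ``sport`` instead of
        ``dport``.

        :param enable: True to add the rules, False to delete them
        :param zone: zone name
        :param proto: transport protocol keyword, e.g. "udp"
        :param port: source port or port range accepted by portStr()
        :param destination: optional destination address restricting the match
        :param rich_rule: optional rich rule; its family, destination and
                          source restrictions and its log/audit/action are
                          honoured
        :return: list of nft argument lists
        """
        add_del = { True: "add", False: "delete" }[enable]

        table = "filter"
        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"],
                                            zone=zone)

        rule_fragment = []
        if rich_rule:
            rule_fragment += self._rich_rule_family_fragment(rich_rule.family)
        if destination:
            if check_address("ipv4", destination):
                rule_fragment += ["ip"]
            else:
                rule_fragment += ["ip6"]
            rule_fragment += ["daddr", destination]
        if rich_rule:
            rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
            rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
        rule_fragment += [proto, "sport", "%s" % portStr(port, "-")]
        if not rich_rule or type(rich_rule.action) != Rich_Mark:
            rule_fragment += ["ct", "state", "new,untracked"]

        rules = []
        if rich_rule:
            rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment))
            rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment))
            rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment))
        else:
            rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME,
                          "%s_%s_allow" % (table, target)] + rule_fragment + ["accept"])

        return rules

def build_zone_helper_ports_rules(self, enable, zone, 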
proto, port, destination, helper_name, module_short_name): add_del = { True: "add", False: "delete" }[enable] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone) rule = [add_del, "rule", "inet", "%s" % TABLE_NAME, "filter_%s_allow" % (target)] if destination: if check_address("ipv4", destination): rule += ["ip"] else: rule += ["ip6"] rule += ["daddr", destination] rule += [proto, "dport", "%s" % portStr(port, "-")] rule += ["ct", "helper", "set", "\"helper-%s-%s\"" % (helper_name, proto)] helper_object = ["ct", "helper", "inet", TABLE_NAME, "helper-%s-%s" % (helper_name, proto), "{", "type", "\"%s\"" % (module_short_name), "protocol", proto, ";", "}"] return [helper_object, rule] def _build_zone_masquerade_nat_rules(self, enable, zone, family, rich_rule=None): add_del = { True: "add", False: "delete" }[enable] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["POSTROUTING"], zone=zone) rule_fragment = [] if rich_rule: rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination) rule_fragment += self._rich_rule_source_fragment(rich_rule.source) return [[add_del, "rule", family, "%s" % TABLE_NAME, "nat_%s_allow" % (target)] + rule_fragment + ["oifname", "!=", "lo", "masquerade"]] def build_zone_masquerade_rules(self, enable, zone, rich_rule=None): # nat tables needs to use ip/ip6 family rules = [] if rich_rule and (rich_rule.family and rich_rule.family == "ipv6" or rich_rule.source and check_address("ipv6", rich_rule.source.addr)): rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip6", rich_rule)) elif rich_rule and (rich_rule.family and rich_rule.family == "ipv4" or rich_rule.source and check_address("ipv4", rich_rule.source.addr)): rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule)) else: rules.extend(self._build_zone_masquerade_nat_rules(enable, zone, "ip", rich_rule)) add_del = { True: "add", False: "delete" }[enable] target = 
DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["FORWARD_OUT"], zone=zone) rule_fragment = [] if rich_rule: rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination) rule_fragment += self._rich_rule_source_fragment(rich_rule.source) rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME, "filter_%s_allow" % (target)] + rule_fragment + ["ct", "state", "new,untracked", "accept"]) return rules def _build_zone_forward_port_nat_rules(self, enable, zone, protocol, mark_fragment, toaddr, toport, family): add_del = { True: "add", False: "delete" }[enable] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"], zone=zone) dnat_fragment = [] if toaddr: dnat_fragment += ["dnat", "to", toaddr] else: dnat_fragment += ["redirect", "to"] if toport and toport != "": dnat_fragment += [":%s" % portStr(toport, "-")] return [[add_del, "rule", family, "%s" % TABLE_NAME, "nat_%s_allow" % (target), "meta", "l4proto", protocol] + mark_fragment + dnat_fragment] def build_zone_forward_port_rules(self, enable, zone, filter_chain, port, protocol, toport, toaddr, mark_id, rich_rule=None): add_del = { True: "add", False: "delete" }[enable] mark_str = "0x%x" % mark_id mark_fragment = ["meta", "mark", mark_str] target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"], zone=zone) rule_fragment = [] if rich_rule: rule_fragment += self._rich_rule_family_fragment(rich_rule.family) rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination) rule_fragment += self._rich_rule_source_fragment(rich_rule.source) rules = [] rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME, "mangle_%s_allow" % (target)] + rule_fragment + [protocol, "dport", port, "meta", "mark", "set", mark_str]) if rich_rule and (rich_rule.family and rich_rule.family == "ipv6" or toaddr and check_single_address("ipv6", toaddr)): rules.extend(self._build_zone_forward_port_nat_rules(enable, zone, protocol, mark_fragment, toaddr, toport, "ip6")) elif rich_rule and (rich_rule.family 
and rich_rule.family == "ipv4" or toaddr and check_single_address("ipv4", toaddr)): rules.extend(self._build_zone_forward_port_nat_rules(enable, zone, protocol, mark_fragment, toaddr, toport, "ip")) else: if toaddr and check_single_address("ipv6", toaddr): rules.extend(self._build_zone_forward_port_nat_rules(enable, zone, protocol, mark_fragment, toaddr, toport, "ip6")) else: rules.extend(self._build_zone_forward_port_nat_rules(enable, zone, protocol, mark_fragment, toaddr, toport, "ip")) target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[filter_chain], zone=zone) rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME, "filter_%s_allow" % (target), "ct", "state", "new,untracked"] + mark_fragment + ["accept"]) return rules def _icmp_types_to_nft_fragment(self, ipv, icmp_type): if icmp_type in ICMP_TYPES_FRAGMENT[ipv]: return ICMP_TYPES_FRAGMENT[ipv][icmp_type] else: raise FirewallError(INVALID_ICMPTYPE, "ICMP type '%s' not supported by %s" % (icmp_type, self.name)) def build_zone_icmp_block_rules(self, enable, zone, ict, rich_rule=None): table = "filter" add_del = { True: "add", False: "delete" }[enable] if rich_rule and rich_rule.ipvs: ipvs = rich_rule.ipvs elif ict.destination: ipvs = [] if "ipv4" in ict.destination: ipvs.append("ipv4") if "ipv6" in ict.destination: ipvs.append("ipv6") else: ipvs = ["ipv4", "ipv6"] rules = [] for ipv in ipvs: for chain in ["INPUT", "FORWARD_IN"]: target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) if self._fw.zone.query_icmp_block_inversion(zone): final_chain = "%s_%s_allow" % (table, target) final_target = "accept" else: final_chain = "%s_%s_deny" % (table, target) final_target = "%%REJECT%%" rule_fragment = [] if rich_rule: rule_fragment += self._rich_rule_family_fragment(rich_rule.family) rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination) rule_fragment += self._rich_rule_source_fragment(rich_rule.source) rule_fragment += self._icmp_types_to_nft_fragment(ipv, ict.name) if 
rich_rule: rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment)) rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment)) if rich_rule.action: rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment)) else: rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME, "%s_%s_deny" % (table, target)] + rule_fragment + ["%%REJECT%%"]) else: if self._fw.get_log_denied() != "off" and final_target != "accept": rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME, final_chain] + rule_fragment + ["%%LOGTYPE%%", "log", "prefix", "\"%s_%s_ICMP_BLOCK: \"" % (table, zone)]) rules.append([add_del, "rule", "inet", "%s" % TABLE_NAME, final_chain] + rule_fragment + [final_target]) return rules def build_zone_icmp_block_inversion_rules(self, enable, zone): table = "filter" rules = [] for chain in ["INPUT", "FORWARD_IN"]: _zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone) # HACK: nft position is actually a handle, so we need to lookup the # handle of the rule we want to insert this after. # # This must be kept in sync with build_zone_chain_rules() # # WARN: This does not work if we haven't executed the transaction # yet, because we don't have a handle for our rule_key!! As such, # we execute transactions before calling this function. # rule_key = " ".join(["inet", "%s" % TABLE_NAME, "%s_%s" % (table, _zone), "jump", "%s_%s_allow" % (table, _zone)]) rule_handle = self.rule_to_handle[rule_key] if self._fw.zone.query_icmp_block_inversion(zone): ibi_target = "%%REJECT%%" else: ibi_target = "accept" if enable: # FIXME: can we get rid of position ? 
rule = ["add", "rule", "inet", "%s" % TABLE_NAME, "%s_%s" % (table, _zone), "position", rule_handle] else: rule = ["delete", "rule", "inet", "%s" % TABLE_NAME, "%s_%s" % (table, _zone)] rule += ["%%ICMP%%", ibi_target] rules.append(rule) if self._fw.zone.query_icmp_block_inversion(zone): if self._fw.get_log_denied() != "off": if enable: # FIXME: can we get rid of position ? rule = ["add", "rule", "inet", "%s" % TABLE_NAME, "%s_%s" % (table, _zone), "position", rule_handle] else: rule = ["delete", "rule", "inet", "%s" % TABLE_NAME, "%s_%s" % (table, _zone)] rule += ["%%ICMP%%", "%%LOGTYPE%%", "log", "prefix", "\"%s_%s_ICMP_BLOCK: \"" % (table, _zone)] rules.append(rule) return rules def build_rpfilter_rules(self, log_denied=False): rules = [] rules.append(["insert", "rule", "inet", "%s" % TABLE_NAME, "raw_%s" % "PREROUTING", "meta", "nfproto", "ipv6", "fib", "saddr", ".", "iif", "oif", "missing", "drop"]) if log_denied != "off": rules.append(["insert", "rule", "inet", "%s" % TABLE_NAME, "raw_%s" % "PREROUTING", "meta", "nfproto", "ipv6", "fib", "saddr", ".", "iif", "oif", "missing", "log", "prefix", "\"rpfilter_DROP: \""]) rules.append(["insert", "rule", "inet", "%s" % TABLE_NAME, "raw_%s" % "PREROUTING", "icmpv6", "type", "{ nd-router-advert, nd-neighbor-solicit }", "accept"]) # RHBZ#1058505, RHBZ#1575431 (bug in kernel 4.16-4.17) return rules def build_zone_rich_source_destination_rules(self, enable, zone, rich_rule): table = "filter" target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone) rule_fragment = [] rule_fragment += self._rich_rule_family_fragment(rich_rule.family) rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination) rule_fragment += self._rich_rule_source_fragment(rich_rule.source) rules = [] rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment)) rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment)) rules.append(self._rich_rule_action(zone, rich_rule, 
enable, table, target, rule_fragment)) return rules def is_ipv_supported(self, ipv): if ipv in ["ipv4", "ipv6", "eb"]: return True return False def _set_type_fragment(self, ipv, type): ipv_addr = { "ipv4" : "ipv4_addr", "ipv6" : "ipv6_addr", } types = { "hash:ip" : [ipv_addr[ipv]], "hash:ip,port" : [ipv_addr[ipv], ". inet_proto", ". inet_service"], "hash:ip,port,ip" : [ipv_addr[ipv], ". inet_proto", ". inet_service .", ipv_addr[ipv]], "hash:ip,port,net" : [ipv_addr[ipv], ". inet_proto", ". inet_service .", ipv_addr[ipv]], "hash:ip,mark" : [ipv_addr[ipv], ". mark"], "hash:net" : [ipv_addr[ipv]], "hash:net,port" : [ipv_addr[ipv], ". inet_proto", ". inet_service"], "hash:net,port,ip" : [ipv_addr[ipv], ". inet_proto", ". inet_service .", ipv_addr[ipv]], "hash:net,port,net" : [ipv_addr[ipv], ". inet_proto", ". inet_service .", ipv_addr[ipv]], "hash:net,iface" : [ipv_addr[ipv], ". ifname"], "hash:mac" : ["ether_addr"], } try: return ["type"] + types[type] + [";"] except KeyError: raise FirewallError(INVALID_TYPE, "ipset type name '%s' is not valid" % type) def set_create(self, name, type, options=None): if options and "family" in options and options["family"] == "inet6": ipv = "ipv6" else: ipv = "ipv4" cmd = [name, "{"] cmd += self._set_type_fragment(ipv, type) if options: if "timeout" in options: cmd += ["timeout", options["timeout"]+ "s", ";"] if "maxelem" in options: cmd += ["size", options["maxelem"], ";"] # flag "interval" currently does not work with timeouts or # concatenations. See rhbz 1576426, 1576430. if (not options or "timeout" not in options) \ and "," not in type: # e.g. 
hash:net,port cmd += ["flags", "interval", ";"] cmd += ["}"] for family in ["inet", "ip", "ip6"]: self.__run(["add", "set", family, TABLE_NAME] + cmd) def set_destroy(self, name): for family in ["inet", "ip", "ip6"]: self.__run(["delete", "set", family, TABLE_NAME, name]) def _set_entry_fragment(self, name, entry): # convert something like # 1.2.3.4,sctp:8080 (type hash:ip,port) # to # 1.2.3.4 . sctp . 8080 type_format = self._fw.ipset.get_type(name).split(":")[1].split(",") entry_tokens = entry.split(",") if len(type_format) != len(entry_tokens): raise FirewallError(INVALID_ENTRY, "Number of values does not match ipset type.") fragment = [] for i in range(len(type_format)): if type_format[i] == "port": try: index = entry_tokens[i].index(":") except ValueError: # no protocol means default tcp fragment += ["tcp", ".", entry_tokens[i]] else: fragment += [entry_tokens[i][:index], ".", entry_tokens[i][index+1:]] else: fragment.append(entry_tokens[i]) fragment.append(".") return fragment[:-1] # snip last concat operator def set_add(self, name, entry): for family in ["inet", "ip", "ip6"]: self.__run(["add", "element", family, TABLE_NAME, name, "{"] + self._set_entry_fragment(name, entry) + ["}"]) def set_delete(self, name, entry): for family in ["inet", "ip", "ip6"]: self.__run(["delete", "element", family, TABLE_NAME, name, "{"] + self._set_entry_fragment(name, entry) + ["}"]) def set_flush(self, name): for family in ["inet", "ip", "ip6"]: self.__run(["flush", "set", family, TABLE_NAME, name]) def _set_get_family(self, name): ipset = self._fw.ipset.get_ipset(name) if ipset.type == "hash:mac": family = "ether" elif ipset.options and "family" in ipset.options \ and ipset.options["family"] == "inet6": family = "ip6" else: family = "ip" return family core/modules.pyo000064400000007100147576556050007717 0ustar00 c`c@sYdZdgZddlmZddlmZddlmZdefdYZ dS(smodules backendtmodulesi(trunProg(tlog(tCOMMANDScBsPeZdZdZdZdZdZdZdZdZ RS(cCstd|_td|_dS(Ntmodprobetrmmod(Rt 
_load_commandt_unload_command(tself((s9/usr/lib/python2.7/site-packages/firewall/core/modules.pyt__init__s cCs d|jS(Ns%s(t __class__(R((s9/usr/lib/python2.7/site-packages/firewall/core/modules.pyt__repr__$sc Csg}i}tdd}x|D]y}|s5Pn|j}|j}|j|d|ddkr|djdd ||ds  core/__init__.py000064400000000000147576556050007617 0ustar00core/fw_helper.pyo000064400000005110147576556050010221 0ustar00 c`c@sIdZdgZddlmZddlmZdefdYZdS(shelper backendtFirewallHelperi(terrors(t FirewallErrorcBsbeZdZdZdZdZdZdZdZdZ dZ d Z RS( cCs||_i|_dS(N(t_fwt_helpers(tselftfw((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyt__init__s cCsd|j|jfS(Ns%s(%r)(t __class__R(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyt__repr__"scCs|jjdS(N(Rtclear(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pytcleanup'scCs+||jkr'ttj|ndS(N(t get_helpersRRtINVALID_HELPER(Rtname((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyt check_helper*scCs||jkS(N(R (RR((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyt query_helper.scCst|jjS(N(tsortedRtkeys(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyR 1scCst|jdkS(Ni(tlenR(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyt has_helpers4scCs|j||j|S(N(RR(RR((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyt get_helper7s cCs||j|js( t__name__t __module__RR R RRR RRRR(((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyRs         N(t__doc__t__all__tfirewallRtfirewall.errorsRtobjectR(((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyts core/fw_helper.pyc000064400000005110147576556050010205 0ustar00 c`c@sIdZdgZddlmZddlmZdefdYZdS(shelper backendtFirewallHelperi(terrors(t FirewallErrorcBsbeZdZdZdZdZdZdZdZdZ dZ d Z RS( cCs||_i|_dS(N(t_fwt_helpers(tselftfw((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyt__init__s cCsd|j|jfS(Ns%s(%r)(t 
__class__R(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyt__repr__"scCs|jjdS(N(Rtclear(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pytcleanup'scCs+||jkr'ttj|ndS(N(t get_helpersRRtINVALID_HELPER(Rtname((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyt check_helper*scCs||jkS(N(R (RR((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyt query_helper.scCst|jjS(N(tsortedRtkeys(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyR 1scCst|jdkS(Ni(tlenR(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyt has_helpers4scCs|j||j|S(N(RR(RR((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyt get_helper7s cCs||j|js( t__name__t __module__RR R RRR RRRR(((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyRs         N(t__doc__t__all__tfirewallRtfirewall.errorsRtobjectR(((s;/usr/lib/python2.7/site-packages/firewall/core/fw_helper.pyts core/fw_service.pyo000064400000004224147576556050010407 0ustar00 c`c@sCdgZddlmZddlmZdefdYZdS(tFirewallServicei(terrors(t FirewallErrorcBsPeZdZdZdZdZdZdZdZdZ RS(cCs||_i|_dS(N(t_fwt _services(tselftfw((s</usr/lib/python2.7/site-packages/firewall/core/fw_service.pyt__init__s cCsd|j|jfS(Ns%s(%r)(t __class__R(R((s</usr/lib/python2.7/site-packages/firewall/core/fw_service.pyt__repr__ scCs|jjdS(N(Rtclear(R((s</usr/lib/python2.7/site-packages/firewall/core/fw_service.pytcleanup#scCst|jjS(N(tsortedRtkeys(R((s</usr/lib/python2.7/site-packages/firewall/core/fw_service.pyt get_services(scCs(||jkr$ttj|ndS(N(RRRtINVALID_SERVICE(Rtservice((s</usr/lib/python2.7/site-packages/firewall/core/fw_service.pyt check_service+scCs|j||j|S(N(RR(RR((s</usr/lib/python2.7/site-packages/firewall/core/fw_service.pyt get_service/s cCs||j|js core/fw_transaction.py000064400000025050147576556050011115 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2016 Red Hat, Inc. 
# # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # """Transaction classes for firewalld""" __all__ = [ "FirewallTransaction", "FirewallZoneTransaction" ] from firewall.core.logger import log from firewall import errors from firewall.errors import FirewallError from firewall.fw_types import LastUpdatedOrderedDict class SimpleFirewallTransaction(object): """Base class for FirewallTransaction and FirewallZoneTransaction""" def __init__(self, fw): self.fw = fw self.rules = { } # [ ( backend.name, [ rule,.. ] ),.. ] self.pre_funcs = [ ] # [ (func, args),.. ] self.post_funcs = [ ] # [ (func, args),.. ] self.fail_funcs = [ ] # [ (func, args),.. 
] def clear(self): self.rules.clear() del self.pre_funcs[:] del self.post_funcs[:] del self.fail_funcs[:] def add_rule(self, backend, rule): self.rules.setdefault(backend.name, [ ]).append(rule) def add_rules(self, backend, rules): for rule in rules: self.add_rule(backend, rule) def query_rule(self, backend, rule): return backend.name in self.rules and rule in self.rules[backend.name] def remove_rule(self, backend, rule): if backend.name in self.rules and rule in self.rules[backend.name]: self.rules[backend.name].remove(rule) def add_pre(self, func, *args): self.pre_funcs.append((func, args)) def add_post(self, func, *args): self.post_funcs.append((func, args)) def add_fail(self, func, *args): self.fail_funcs.append((func, args)) def prepare(self, enable, rules=None, modules=None): log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "...")) if rules is None: rules = { } if modules is None: modules = [ ] if not enable: # reverse rule order for cleanup for backend_name in self.rules: for rule in reversed(self.rules[backend_name]): rules.setdefault(backend_name, [ ]).append( self.fw.get_backend_by_name(backend_name).reverse_rule(rule)) else: for backend_name in self.rules: rules.setdefault(backend_name, [ ]).extend(self.rules[backend_name]) return rules, modules def execute(self, enable): log.debug4("%s.execute(%s)" % (type(self), enable)) rules, modules = self.prepare(enable) # pre self.pre() # stage 1: apply rules error = False errorMsg = "" done = [ ] for backend_name in rules: try: self.fw.rules(backend_name, rules[backend_name]) except Exception as msg: error = True errorMsg = msg log.error(msg) else: done.append(backend_name) # stage 2: load modules if not error: module_return = self.fw.handle_modules(modules, enable) if module_return: # Debug log about issues loading modules, but don't error. The # modules may be builtin or CONFIG_MODULES=n, in which case # modprobe will fail. Or we may be running inside a container # that doesn't have sufficient privileges. 
Unfortunately there # is no way for us to know. (status, msg) = module_return if status: log.debug1(msg) # error case: revert rules if error: undo_rules = { } for backend_name in done: undo_rules[backend_name] = [ ] for rule in reversed(rules[backend_name]): undo_rules[backend_name].append( self.fw.get_backend_by_name(backend_name).reverse_rule(rule)) for backend_name in undo_rules: try: self.fw.rules(backend_name, undo_rules[backend_name]) except Exception as msg: log.error(msg) # call failure functions for (func, args) in self.fail_funcs: try: func(*args) except Exception as msg: log.error("Calling fail func %s(%s) failed: %s" % \ (func, args, msg)) raise FirewallError(errors.COMMAND_FAILED, errorMsg) # post self.post() def pre(self): log.debug4("%s.pre()" % type(self)) for (func, args) in self.pre_funcs: try: func(*args) except Exception as msg: log.error("Calling pre func %s(%s) failed: %s" % \ (func, args, msg)) def post(self): log.debug4("%s.post()" % type(self)) for (func, args) in self.post_funcs: try: func(*args) except Exception as msg: log.error("Calling post func %s(%s) failed: %s" % \ (func, args, msg)) # class FirewallTransaction class FirewallTransaction(SimpleFirewallTransaction): """General FirewallTransaction, contains also zone transactions""" def __init__(self, fw): super(FirewallTransaction, self).__init__(fw) self.zone_transactions = LastUpdatedOrderedDict() # { zone: transaction, .. 
} def clear(self): super(FirewallTransaction, self).clear() self.zone_transactions.clear() def zone_transaction(self, zone): if zone not in self.zone_transactions: self.zone_transactions[zone] = FirewallZoneTransaction( self.fw, zone, self) return self.zone_transactions[zone] def prepare(self, enable, rules=None, modules=None): log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "...")) rules, modules = super(FirewallTransaction, self).prepare( enable, rules, modules) for zone in self.zone_transactions: try: self.zone_transactions[zone].prepare(enable, rules) for module in self.zone_transactions[zone].modules: if module not in modules: modules.append(module) except FirewallError as msg: log.error("Failed to prepare transaction rules for zone '%s'", str(msg)) return rules, modules def pre(self): log.debug4("%s.pre()" % type(self)) super(FirewallTransaction, self).pre() for zone in self.zone_transactions: self.zone_transactions[zone].pre() def post(self): log.debug4("%s.post()" % type(self)) super(FirewallTransaction, self).post() for zone in self.zone_transactions: self.zone_transactions[zone].post() # class FirewallZoneTransaction class FirewallZoneTransaction(SimpleFirewallTransaction): """Zone transaction with additional chain and module interface""" def __init__(self, fw, zone, fw_transaction=None): super(FirewallZoneTransaction, self).__init__(fw) self.zone = zone self.fw_transaction = fw_transaction self.chains = [ ] # [ (table, chain),.. ] self.modules = [ ] # [ module,.. ] def clear(self): # calling clear on a zone_transaction that was spawned from a # FirewallTransaction needs to clear the fw_transaction and all the # other zones otherwise we end up with a partially cleared transaction. 
if self.fw_transaction: super(FirewallTransaction, self.fw_transaction).clear() for zone in self.fw_transaction.zone_transactions.keys(): super(FirewallZoneTransaction, self.fw_transaction.zone_transactions[zone]).clear() del self.fw_transaction.zone_transactions[zone].chains[:] del self.fw_transaction.zone_transactions[zone].modules[:] else: super(FirewallZoneTransaction, self).clear() del self.chains[:] del self.modules[:] def prepare(self, enable, rules=None, modules=None): log.debug4("%s.prepare(%s, %s)" % (type(self), enable, "...")) rules, modules = super(FirewallZoneTransaction, self).prepare( enable, rules, modules) for module in self.modules: if module not in modules: modules.append(module) return rules, modules def execute(self, enable): # calling execute on a zone_transaction that was spawned from a # FirewallTransaction should execute the FirewallTransaction as it may # have prerequisite rules if self.fw_transaction: self.fw_transaction.execute(enable) else: super(FirewallZoneTransaction, self).execute(enable) def add_chain(self, table, chain): table_chain = (table, chain) if table_chain not in self.chains: self.fw.zone.gen_chain_rules(self.zone, True, [table_chain], self) self.chains.append(table_chain) def remove_chain(self, table, chain): table_chain = (table, chain) if table_chain in self.chains: self.chains.remove(table_chain) def add_chains(self, chains): for table_chain in chains: if table_chain not in self.chains: self.add_chain(table_chain[0], table_chain[1]) def remove_chains(self, chains): for table_chain in chains: if table_chain in self.chains: self.chains.remove(table_chain) def add_module(self, module): if module not in self.modules: self.modules.append(module) def remove_module(self, module): if module in self.modules: self.modules.remove(module) def add_modules(self, modules): for module in modules: self.add_module(module) def remove_modules(self, modules): for module in modules: self.remove_module(module) 
core/helper.pyc000064400000000336147576556050007516 0ustar00 c`c@sdZdZdS(sThe helper maxnameleni N(t__doc__tHELPER_MAXNAMELEN(((s8/usr/lib/python2.7/site-packages/firewall/core/helper.pytscore/fw_config.py000064400000107766147576556050010054 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2011-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # __all__ = [ "FirewallConfig" ] import copy import os import os.path import shutil from firewall import config from firewall.core.logger import log from firewall.core.io.icmptype import IcmpType, icmptype_reader, icmptype_writer from firewall.core.io.service import Service, service_reader, service_writer from firewall.core.io.zone import Zone, zone_reader, zone_writer from firewall.core.io.ipset import IPSet, ipset_reader, ipset_writer from firewall.core.io.helper import Helper, helper_reader, helper_writer from firewall import errors from firewall.errors import FirewallError class FirewallConfig(object): def __init__(self, fw): self._fw = fw self.__init_vars() def __repr__(self): return '%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)' % \ (self.__class__, self._ipsets, self._icmptypes, self._services, self._zones, self._helpers, self._builtin_ipsets, self._builtin_icmptypes, self._builtin_services, self._builtin_zones, self._builtin_helpers, self._firewalld_conf, self._policies, self._direct) def __init_vars(self): 
self._ipsets = { } self._icmptypes = { } self._services = { } self._zones = { } self._helpers = { } self._builtin_ipsets = { } self._builtin_icmptypes = { } self._builtin_services = { } self._builtin_zones = { } self._builtin_helpers = { } self._firewalld_conf = None self._policies = None self._direct = None def cleanup(self): for x in list(self._builtin_ipsets.keys()): self._builtin_ipsets[x].cleanup() del self._builtin_ipsets[x] for x in list(self._ipsets.keys()): self._ipsets[x].cleanup() del self._ipsets[x] for x in list(self._builtin_icmptypes.keys()): self._builtin_icmptypes[x].cleanup() del self._builtin_icmptypes[x] for x in list(self._icmptypes.keys()): self._icmptypes[x].cleanup() del self._icmptypes[x] for x in list(self._builtin_services.keys()): self._builtin_services[x].cleanup() del self._builtin_services[x] for x in list(self._services.keys()): self._services[x].cleanup() del self._services[x] for x in list(self._builtin_zones.keys()): self._builtin_zones[x].cleanup() del self._builtin_zones[x] for x in list(self._zones.keys()): self._zones[x].cleanup() del self._zones[x] for x in list(self._builtin_helpers.keys()): self._builtin_helpers[x].cleanup() del self._builtin_helpers[x] for x in list(self._helpers.keys()): self._helpers[x].cleanup() del self._helpers[x] if self._firewalld_conf: self._firewalld_conf.cleanup() del self._firewalld_conf self._firewalld_conf = None if self._policies: self._policies.cleanup() del self._policies self._policies = None if self._direct: self._direct.cleanup() del self._direct self._direct = None self.__init_vars() # access check def lockdown_enabled(self): return self._fw.policies.query_lockdown() def access_check(self, key, value): return self._fw.policies.access_check(key, value) # firewalld_conf def set_firewalld_conf(self, conf): self._firewalld_conf = conf def get_firewalld_conf(self): return self._firewalld_conf def update_firewalld_conf(self): if not os.path.exists(config.FIREWALLD_CONF): 
self._firewalld_conf.clear() else: self._firewalld_conf.read() # policies def set_policies(self, policies): self._policies = policies def get_policies(self): return self._policies def update_lockdown_whitelist(self): if not os.path.exists(config.LOCKDOWN_WHITELIST): self._policies.lockdown_whitelist.cleanup() else: self._policies.lockdown_whitelist.read() # direct def set_direct(self, direct): self._direct = direct def get_direct(self): return self._direct def update_direct(self): if not os.path.exists(config.FIREWALLD_DIRECT): self._direct.cleanup() else: self._direct.read() # ipset def get_ipsets(self): return sorted(set(list(self._ipsets.keys()) + \ list(self._builtin_ipsets.keys()))) def add_ipset(self, obj): if obj.builtin: self._builtin_ipsets[obj.name] = obj else: self._ipsets[obj.name] = obj def get_ipset(self, name): if name in self._ipsets: return self._ipsets[name] elif name in self._builtin_ipsets: return self._builtin_ipsets[name] raise FirewallError(errors.INVALID_IPSET, name) def load_ipset_defaults(self, obj): if obj.name not in self._ipsets: raise FirewallError(errors.NO_DEFAULTS, obj.name) elif self._ipsets[obj.name] != obj: raise FirewallError(errors.NO_DEFAULTS, "self._ipsets[%s] != obj" % obj.name) elif obj.name not in self._builtin_ipsets: raise FirewallError(errors.NO_DEFAULTS, "'%s' not a built-in ipset" % obj.name) self._remove_ipset(obj) return self._builtin_ipsets[obj.name] def get_ipset_config(self, obj): return obj.export_config() def set_ipset_config(self, obj, conf): if obj.builtin: x = copy.copy(obj) x.import_config(conf) x.path = config.ETC_FIREWALLD_IPSETS x.builtin = False if obj.path != x.path: x.default = False self.add_ipset(x) ipset_writer(x) return x else: obj.import_config(conf) ipset_writer(obj) return obj def new_ipset(self, name, conf): if name in self._ipsets or name in self._builtin_ipsets: raise FirewallError(errors.NAME_CONFLICT, "new_ipset(): '%s'" % name) x = IPSet() x.check_name(name) x.import_config(conf) x.name = 
name x.filename = "%s.xml" % name x.path = config.ETC_FIREWALLD_IPSETS # It is not possible to add a new one with a name of a buitin x.builtin = False x.default = True ipset_writer(x) self.add_ipset(x) return x def update_ipset_from_path(self, name): filename = os.path.basename(name) path = os.path.dirname(name) if not os.path.exists(name): # removed file if path == config.ETC_FIREWALLD_IPSETS: # removed custom ipset for x in self._ipsets.keys(): obj = self._ipsets[x] if obj.filename == filename: del self._ipsets[x] if obj.name in self._builtin_ipsets: return ("update", self._builtin_ipsets[obj.name]) return ("remove", obj) else: # removed builtin ipset for x in self._builtin_ipsets.keys(): obj = self._builtin_ipsets[x] if obj.filename == filename: del self._builtin_ipsets[x] if obj.name not in self._ipsets: # update dbus ipset return ("remove", obj) else: # builtin hidden, no update needed return (None, None) # ipset not known to firewalld, yet (timeout, ..) return (None, None) # new or updated file log.debug1("Loading ipset file '%s'", name) try: obj = ipset_reader(filename, path) except Exception as msg: log.error("Failed to load ipset file '%s': %s", filename, msg) return (None, None) # new ipset if obj.name not in self._builtin_ipsets and obj.name not in self._ipsets: self.add_ipset(obj) return ("new", obj) # updated ipset if path == config.ETC_FIREWALLD_IPSETS: # custom ipset update if obj.name in self._ipsets: obj.default = self._ipsets[obj.name].default self._ipsets[obj.name] = obj return ("update", obj) else: if obj.name in self._builtin_ipsets: # builtin ipset update del self._builtin_ipsets[obj.name] self._builtin_ipsets[obj.name] = obj if obj.name not in self._ipsets: # update dbus ipset return ("update", obj) else: # builtin hidden, no update needed return (None, None) # ipset not known to firewalld, yet (timeout, ..) 
return (None, None) def _remove_ipset(self, obj): if obj.name not in self._ipsets: raise FirewallError(errors.INVALID_IPSET, obj.name) if obj.path != config.ETC_FIREWALLD_IPSETS: raise FirewallError(errors.INVALID_DIRECTORY, "'%s' != '%s'" % (obj.path, config.ETC_FIREWALLD_IPSETS)) name = "%s/%s.xml" % (obj.path, obj.name) try: shutil.move(name, "%s.old" % name) except Exception as msg: log.error("Backup of file '%s' failed: %s", name, msg) os.remove(name) del self._ipsets[obj.name] def check_builtin_ipset(self, obj): if obj.builtin or not obj.default: raise FirewallError(errors.BUILTIN_IPSET, "'%s' is built-in ipset" % obj.name) def remove_ipset(self, obj): self.check_builtin_ipset(obj) self._remove_ipset(obj) def rename_ipset(self, obj, name): self.check_builtin_ipset(obj) new_ipset = self._copy_ipset(obj, name) self._remove_ipset(obj) return new_ipset def _copy_ipset(self, obj, name): return self.new_ipset(name, obj.export_config()) # icmptypes def get_icmptypes(self): return sorted(set(list(self._icmptypes.keys()) + \ list(self._builtin_icmptypes.keys()))) def add_icmptype(self, obj): if obj.builtin: self._builtin_icmptypes[obj.name] = obj else: self._icmptypes[obj.name] = obj def get_icmptype(self, name): if name in self._icmptypes: return self._icmptypes[name] elif name in self._builtin_icmptypes: return self._builtin_icmptypes[name] raise FirewallError(errors.INVALID_ICMPTYPE, name) def load_icmptype_defaults(self, obj): if obj.name not in self._icmptypes: raise FirewallError(errors.NO_DEFAULTS, obj.name) elif self._icmptypes[obj.name] != obj: raise FirewallError(errors.NO_DEFAULTS, "self._icmptypes[%s] != obj" % obj.name) elif obj.name not in self._builtin_icmptypes: raise FirewallError(errors.NO_DEFAULTS, "'%s' not a built-in icmptype" % obj.name) self._remove_icmptype(obj) return self._builtin_icmptypes[obj.name] def get_icmptype_config(self, obj): return obj.export_config() def set_icmptype_config(self, obj, conf): if obj.builtin: x = copy.copy(obj) 
x.import_config(conf) x.path = config.ETC_FIREWALLD_ICMPTYPES x.builtin = False if obj.path != x.path: x.default = False self.add_icmptype(x) icmptype_writer(x) return x else: obj.import_config(conf) icmptype_writer(obj) return obj def new_icmptype(self, name, conf): if name in self._icmptypes or name in self._builtin_icmptypes: raise FirewallError(errors.NAME_CONFLICT, "new_icmptype(): '%s'" % name) x = IcmpType() x.check_name(name) x.import_config(conf) x.name = name x.filename = "%s.xml" % name x.path = config.ETC_FIREWALLD_ICMPTYPES # It is not possible to add a new one with a name of a buitin x.builtin = False x.default = True icmptype_writer(x) self.add_icmptype(x) return x def update_icmptype_from_path(self, name): filename = os.path.basename(name) path = os.path.dirname(name) if not os.path.exists(name): # removed file if path == config.ETC_FIREWALLD_ICMPTYPES: # removed custom icmptype for x in self._icmptypes.keys(): obj = self._icmptypes[x] if obj.filename == filename: del self._icmptypes[x] if obj.name in self._builtin_icmptypes: return ("update", self._builtin_icmptypes[obj.name]) return ("remove", obj) else: # removed builtin icmptype for x in self._builtin_icmptypes.keys(): obj = self._builtin_icmptypes[x] if obj.filename == filename: del self._builtin_icmptypes[x] if obj.name not in self._icmptypes: # update dbus icmptype return ("remove", obj) else: # builtin hidden, no update needed return (None, None) # icmptype not known to firewalld, yet (timeout, ..) 
return (None, None) # new or updated file log.debug1("Loading icmptype file '%s'", name) try: obj = icmptype_reader(filename, path) except Exception as msg: log.error("Failed to load icmptype file '%s': %s", filename, msg) return (None, None) # new icmptype if obj.name not in self._builtin_icmptypes and obj.name not in self._icmptypes: self.add_icmptype(obj) return ("new", obj) # updated icmptype if path == config.ETC_FIREWALLD_ICMPTYPES: # custom icmptype update if obj.name in self._icmptypes: obj.default = self._icmptypes[obj.name].default self._icmptypes[obj.name] = obj return ("update", obj) else: if obj.name in self._builtin_icmptypes: # builtin icmptype update del self._builtin_icmptypes[obj.name] self._builtin_icmptypes[obj.name] = obj if obj.name not in self._icmptypes: # update dbus icmptype return ("update", obj) else: # builtin hidden, no update needed return (None, None) # icmptype not known to firewalld, yet (timeout, ..) return (None, None) def _remove_icmptype(self, obj): if obj.name not in self._icmptypes: raise FirewallError(errors.INVALID_ICMPTYPE, obj.name) if obj.path != config.ETC_FIREWALLD_ICMPTYPES: raise FirewallError(errors.INVALID_DIRECTORY, "'%s' != '%s'" % \ (obj.path, config.ETC_FIREWALLD_ICMPTYPES)) name = "%s/%s.xml" % (obj.path, obj.name) try: shutil.move(name, "%s.old" % name) except Exception as msg: log.error("Backup of file '%s' failed: %s", name, msg) os.remove(name) del self._icmptypes[obj.name] def check_builtin_icmptype(self, obj): if obj.builtin or not obj.default: raise FirewallError(errors.BUILTIN_ICMPTYPE, "'%s' is built-in icmp type" % obj.name) def remove_icmptype(self, obj): self.check_builtin_icmptype(obj) self._remove_icmptype(obj) def rename_icmptype(self, obj, name): self.check_builtin_icmptype(obj) new_icmptype = self._copy_icmptype(obj, name) self._remove_icmptype(obj) return new_icmptype def _copy_icmptype(self, obj, name): return self.new_icmptype(name, obj.export_config()) # services def get_services(self): 
return sorted(set(list(self._services.keys()) + \ list(self._builtin_services.keys()))) def add_service(self, obj): if obj.builtin: self._builtin_services[obj.name] = obj else: self._services[obj.name] = obj def get_service(self, name): if name in self._services: return self._services[name] elif name in self._builtin_services: return self._builtin_services[name] raise FirewallError(errors.INVALID_SERVICE, "get_service(): '%s'" % name) def load_service_defaults(self, obj): if obj.name not in self._services: raise FirewallError(errors.NO_DEFAULTS, obj.name) elif self._services[obj.name] != obj: raise FirewallError(errors.NO_DEFAULTS, "self._services[%s] != obj" % obj.name) elif obj.name not in self._builtin_services: raise FirewallError(errors.NO_DEFAULTS, "'%s' not a built-in service" % obj.name) self._remove_service(obj) return self._builtin_services[obj.name] def get_service_config(self, obj): return obj.export_config() def set_service_config(self, obj, conf): if obj.builtin: x = copy.copy(obj) x.import_config(conf) x.path = config.ETC_FIREWALLD_SERVICES x.builtin = False if obj.path != x.path: x.default = False self.add_service(x) service_writer(x) return x else: obj.import_config(conf) service_writer(obj) return obj def new_service(self, name, conf): if name in self._services or name in self._builtin_services: raise FirewallError(errors.NAME_CONFLICT, "new_service(): '%s'" % name) x = Service() x.check_name(name) x.import_config(conf) x.name = name x.filename = "%s.xml" % name x.path = config.ETC_FIREWALLD_SERVICES # It is not possible to add a new one with a name of a buitin x.builtin = False x.default = True service_writer(x) self.add_service(x) return x def update_service_from_path(self, name): filename = os.path.basename(name) path = os.path.dirname(name) if not os.path.exists(name): # removed file if path == config.ETC_FIREWALLD_SERVICES: # removed custom service for x in self._services.keys(): obj = self._services[x] if obj.filename == filename: del 
self._services[x] if obj.name in self._builtin_services: return ("update", self._builtin_services[obj.name]) return ("remove", obj) else: # removed builtin service for x in self._builtin_services.keys(): obj = self._builtin_services[x] if obj.filename == filename: del self._builtin_services[x] if obj.name not in self._services: # update dbus service return ("remove", obj) else: # builtin hidden, no update needed return (None, None) # service not known to firewalld, yet (timeout, ..) return (None, None) # new or updated file log.debug1("Loading service file '%s'", name) try: obj = service_reader(filename, path) except Exception as msg: log.error("Failed to load service file '%s': %s", filename, msg) return (None, None) # new service if obj.name not in self._builtin_services and obj.name not in self._services: self.add_service(obj) return ("new", obj) # updated service if path == config.ETC_FIREWALLD_SERVICES: # custom service update if obj.name in self._services: obj.default = self._services[obj.name].default self._services[obj.name] = obj return ("update", obj) else: if obj.name in self._builtin_services: # builtin service update del self._builtin_services[obj.name] self._builtin_services[obj.name] = obj if obj.name not in self._services: # update dbus service return ("update", obj) else: # builtin hidden, no update needed return (None, None) # service not known to firewalld, yet (timeout, ..) 
return (None, None) def _remove_service(self, obj): if obj.name not in self._services: raise FirewallError(errors.INVALID_SERVICE, obj.name) if obj.path != config.ETC_FIREWALLD_SERVICES: raise FirewallError(errors.INVALID_DIRECTORY, "'%s' != '%s'" % \ (obj.path, config.ETC_FIREWALLD_SERVICES)) name = "%s/%s.xml" % (obj.path, obj.name) try: shutil.move(name, "%s.old" % name) except Exception as msg: log.error("Backup of file '%s' failed: %s", name, msg) os.remove(name) del self._services[obj.name] def check_builtin_service(self, obj): if obj.builtin or not obj.default: raise FirewallError(errors.BUILTIN_SERVICE, "'%s' is built-in service" % obj.name) def remove_service(self, obj): self.check_builtin_service(obj) self._remove_service(obj) def rename_service(self, obj, name): self.check_builtin_service(obj) new_service = self._copy_service(obj, name) self._remove_service(obj) return new_service def _copy_service(self, obj, name): return self.new_service(name, obj.export_config()) # zones def get_zones(self): return sorted(set(list(self._zones.keys()) + \ list(self._builtin_zones.keys()))) def add_zone(self, obj): if obj.builtin: self._builtin_zones[obj.name] = obj else: self._zones[obj.name] = obj def forget_zone(self, name): if name in self._builtin_zones: del self._builtin_zones[name] if name in self._zones: del self._zones[name] def get_zone(self, name): if name in self._zones: return self._zones[name] elif name in self._builtin_zones: return self._builtin_zones[name] raise FirewallError(errors.INVALID_ZONE, "get_zone(): %s" % name) def load_zone_defaults(self, obj): if obj.name not in self._zones: raise FirewallError(errors.NO_DEFAULTS, obj.name) elif self._zones[obj.name] != obj: raise FirewallError(errors.NO_DEFAULTS, "self._zones[%s] != obj" % obj.name) elif obj.name not in self._builtin_zones: raise FirewallError(errors.NO_DEFAULTS, "'%s' not a built-in zone" % obj.name) self._remove_zone(obj) return self._builtin_zones[obj.name] def get_zone_config(self, 
obj): return obj.export_config() def set_zone_config(self, obj, conf): if obj.builtin: x = copy.copy(obj) x.fw_config = self x.import_config(conf) x.path = config.ETC_FIREWALLD_ZONES x.builtin = False if obj.path != x.path: x.default = False self.add_zone(x) zone_writer(x) return x else: obj.fw_config = self obj.import_config(conf) zone_writer(obj) return obj def new_zone(self, name, conf): if name in self._zones or name in self._builtin_zones: raise FirewallError(errors.NAME_CONFLICT, "new_zone(): '%s'" % name) x = Zone() x.check_name(name) x.fw_config = self x.import_config(conf) x.name = name x.filename = "%s.xml" % name x.path = config.ETC_FIREWALLD_ZONES # It is not possible to add a new one with a name of a buitin x.builtin = False x.default = True zone_writer(x) self.add_zone(x) return x def update_zone_from_path(self, name): filename = os.path.basename(name) path = os.path.dirname(name) if not os.path.exists(name): # removed file if path.startswith(config.ETC_FIREWALLD_ZONES): # removed custom zone for x in self._zones.keys(): obj = self._zones[x] if obj.filename == filename: del self._zones[x] if obj.name in self._builtin_zones: return ("update", self._builtin_zones[obj.name]) return ("remove", obj) else: # removed builtin zone for x in self._builtin_zones.keys(): obj = self._builtin_zones[x] if obj.filename == filename: del self._builtin_zones[x] if obj.name not in self._zones: # update dbus zone return ("remove", obj) else: # builtin hidden, no update needed return (None, None) # zone not known to firewalld, yet (timeout, ..) 
return (None, None) # new or updated file log.debug1("Loading zone file '%s'", name) try: obj = zone_reader(filename, path) except Exception as msg: log.error("Failed to load zone file '%s': %s", filename, msg) return (None, None) obj.fw_config = self if path.startswith(config.ETC_FIREWALLD_ZONES) and \ len(path) > len(config.ETC_FIREWALLD_ZONES): # custom combined zone part obj.name = "%s/%s" % (os.path.basename(path), os.path.basename(filename)[0:-4]) # new zone if obj.name not in self._builtin_zones and obj.name not in self._zones: self.add_zone(obj) return ("new", obj) # updated zone if path.startswith(config.ETC_FIREWALLD_ZONES): # custom zone update if obj.name in self._zones: obj.default = self._zones[obj.name].default self._zones[obj.name] = obj return ("update", obj) else: if obj.name in self._builtin_zones: # builtin zone update del self._builtin_zones[obj.name] self._builtin_zones[obj.name] = obj if obj.name not in self._zones: # update dbus zone return ("update", obj) else: # builtin hidden, no update needed return (None, None) # zone not known to firewalld, yet (timeout, ..) 
return (None, None) def _remove_zone(self, obj): if obj.name not in self._zones: raise FirewallError(errors.INVALID_ZONE, obj.name) if not obj.path.startswith(config.ETC_FIREWALLD_ZONES): raise FirewallError(errors.INVALID_DIRECTORY, "'%s' doesn't start with '%s'" % \ (obj.path, config.ETC_FIREWALLD_ZONES)) name = "%s/%s.xml" % (obj.path, obj.name) try: shutil.move(name, "%s.old" % name) except Exception as msg: log.error("Backup of file '%s' failed: %s", name, msg) os.remove(name) del self._zones[obj.name] def check_builtin_zone(self, obj): if obj.builtin or not obj.default: raise FirewallError(errors.BUILTIN_ZONE, "'%s' is built-in zone" % obj.name) def remove_zone(self, obj): self.check_builtin_zone(obj) self._remove_zone(obj) def rename_zone(self, obj, name): self.check_builtin_zone(obj) new_zone = self._copy_zone(obj, name) self._remove_zone(obj) return new_zone def _copy_zone(self, obj, name): return self.new_zone(name, obj.export_config()) # helper def get_helpers(self): return sorted(set(list(self._helpers.keys()) + \ list(self._builtin_helpers.keys()))) def add_helper(self, obj): if obj.builtin: self._builtin_helpers[obj.name] = obj else: self._helpers[obj.name] = obj def get_helper(self, name): if name in self._helpers: return self._helpers[name] elif name in self._builtin_helpers: return self._builtin_helpers[name] raise FirewallError(errors.INVALID_HELPER, name) def load_helper_defaults(self, obj): if obj.name not in self._helpers: raise FirewallError(errors.NO_DEFAULTS, obj.name) elif self._helpers[obj.name] != obj: raise FirewallError(errors.NO_DEFAULTS, "self._helpers[%s] != obj" % obj.name) elif obj.name not in self._builtin_helpers: raise FirewallError(errors.NO_DEFAULTS, "'%s' not a built-in helper" % obj.name) self._remove_helper(obj) return self._builtin_helpers[obj.name] def get_helper_config(self, obj): return obj.export_config() def set_helper_config(self, obj, conf): if obj.builtin: x = copy.copy(obj) x.import_config(conf) x.path = 
config.ETC_FIREWALLD_HELPERS x.builtin = False if obj.path != x.path: x.default = False self.add_helper(x) helper_writer(x) return x else: obj.import_config(conf) helper_writer(obj) return obj def new_helper(self, name, conf): if name in self._helpers or name in self._builtin_helpers: raise FirewallError(errors.NAME_CONFLICT, "new_helper(): '%s'" % name) x = Helper() x.check_name(name) x.import_config(conf) x.name = name x.filename = "%s.xml" % name x.path = config.ETC_FIREWALLD_HELPERS # It is not possible to add a new one with a name of a buitin x.builtin = False x.default = True helper_writer(x) self.add_helper(x) return x def update_helper_from_path(self, name): filename = os.path.basename(name) path = os.path.dirname(name) if not os.path.exists(name): # removed file if path == config.ETC_FIREWALLD_HELPERS: # removed custom helper for x in self._helpers.keys(): obj = self._helpers[x] if obj.filename == filename: del self._helpers[x] if obj.name in self._builtin_helpers: return ("update", self._builtin_helpers[obj.name]) return ("remove", obj) else: # removed builtin helper for x in self._builtin_helpers.keys(): obj = self._builtin_helpers[x] if obj.filename == filename: del self._builtin_helpers[x] if obj.name not in self._helpers: # update dbus helper return ("remove", obj) else: # builtin hidden, no update needed return (None, None) # helper not known to firewalld, yet (timeout, ..) 
return (None, None) # new or updated file log.debug1("Loading helper file '%s'", name) try: obj = helper_reader(filename, path) except Exception as msg: log.error("Failed to load helper file '%s': %s", filename, msg) return (None, None) # new helper if obj.name not in self._builtin_helpers and obj.name not in self._helpers: self.add_helper(obj) return ("new", obj) # updated helper if path == config.ETC_FIREWALLD_HELPERS: # custom helper update if obj.name in self._helpers: obj.default = self._helpers[obj.name].default self._helpers[obj.name] = obj return ("update", obj) else: if obj.name in self._builtin_helpers: # builtin helper update del self._builtin_helpers[obj.name] self._builtin_helpers[obj.name] = obj if obj.name not in self._helpers: # update dbus helper return ("update", obj) else: # builtin hidden, no update needed return (None, None) # helper not known to firewalld, yet (timeout, ..) return (None, None) def _remove_helper(self, obj): if obj.name not in self._helpers: raise FirewallError(errors.INVALID_HELPER, obj.name) if obj.path != config.ETC_FIREWALLD_HELPERS: raise FirewallError(errors.INVALID_DIRECTORY, "'%s' != '%s'" % (obj.path, config.ETC_FIREWALLD_HELPERS)) name = "%s/%s.xml" % (obj.path, obj.name) try: shutil.move(name, "%s.old" % name) except Exception as msg: log.error("Backup of file '%s' failed: %s", name, msg) os.remove(name) del self._helpers[obj.name] def check_builtin_helper(self, obj): if obj.builtin or not obj.default: raise FirewallError(errors.BUILTIN_HELPER, "'%s' is built-in helper" % obj.name) def remove_helper(self, obj): self.check_builtin_helper(obj) self._remove_helper(obj) def rename_helper(self, obj, name): self.check_builtin_helper(obj) new_helper = self._copy_helper(obj, name) self._remove_helper(obj) return new_helper def _copy_helper(self, obj, name): return self.new_helper(name, obj.export_config()) core/fw_nm.py000064400000014772147576556050007213 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2010-2016 Red Hat, 
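# Inc.
#
# Authors:
# Thomas Woerner
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see .
#

"""Functions for NetworkManager interaction"""

# nm_get_client, nm_get_interfaces and nm_get_interfaces_in_zone are
# importable by name but deliberately not star-exported.
__all__ = [ "check_nm_imported",
            "nm_is_imported",
            "nm_get_zone_of_connection",
            "nm_set_zone_of_connection",
            "nm_get_connections",
            "nm_get_connection_of_interface",
            "nm_get_bus_name",
            "nm_get_dbus_interface" ]

import gi
from gi.repository import GLib

# NM is optional at runtime: a missing or incompatible binding only clears
# _nm_imported, and every public function below checks that flag first.
try:
    gi.require_version('NM', '1.0')
except ValueError:
    _nm_imported = False
else:
    try:
        from gi.repository import NM
        _nm_imported = True
    except (ImportError, ValueError, GLib.Error):
        _nm_imported = False

# Lazily created NM.Client, shared by all functions in this module.
_nm_client = None

from firewall import errors
from firewall.errors import FirewallError
from firewall.core.logger import log
import dbus


def check_nm_imported():
    """Check function to raise a MISSING_IMPORT error if the import of NM
    failed

    @raise FirewallError(MISSING_IMPORT) if gi.repository.NM 1.0 is unavailable
    """
    if not _nm_imported:
        raise FirewallError(errors.MISSING_IMPORT,
                            "gi.repository.NM = 1.0")


def nm_is_imported():
    """Returns true if NM has been properly imported

    @return True if import was successful, False otherwise
    """
    return _nm_imported


def nm_get_client():
    """Returns the NM client object or None if the import of NM failed

    The client is created on first use and cached in the module global
    _nm_client for all later calls.

    @return NM.Client instance if import was successful, None otherwise
    """
    global _nm_client
    # Without this guard a failed NM import surfaced here as a NameError on
    # NM instead of the None this function documents.
    if not _nm_imported:
        return None
    if _nm_client is None:
        _nm_client = NM.Client.new(None)
    return _nm_client


def nm_get_zone_of_connection(connection):
    """Get zone of connection from NM

    @param connection uuid of the connection
    @return zone string setting of connection, empty string if not set or
            the connection is NM-generated/volatile, None if connection is
            unknown
    @raise FirewallError(MISSING_IMPORT) if NM is unavailable
    """
    check_nm_imported()
    con = nm_get_client().get_connection_by_uuid(connection)
    if con is None:
        return None

    setting_con = con.get_setting_connection()
    if setting_con is None:
        return None

    try:
        if con.get_flags() & (NM.SettingsConnectionFlags.NM_GENERATED |
                              NM.SettingsConnectionFlags.NM_VOLATILE):
            return ""
    except AttributeError:
        # Prior to NetworkManager 1.12, we can only guess
        # that a connection was generated/volatile.
        if con.get_unsaved():
            return ""

    zone = setting_con.get_zone()
    if zone is None:
        zone = ""
    return zone


def nm_set_zone_of_connection(zone, connection):
    """Set the zone for a connection

    An empty zone name clears the setting.  The change is committed to NM
    (commit_changes(True, None) — the True is the save-to-disk flag of the
    NM API), so it outlives the current activation.

    @param zone name
    @param connection uuid of the connection
    @return True if zone was set, else False
    @raise FirewallError(MISSING_IMPORT) if NM is unavailable
    """
    check_nm_imported()
    con = nm_get_client().get_connection_by_uuid(connection)
    if con is None:
        return False

    setting_con = con.get_setting_connection()
    if setting_con is None:
        return False

    if zone == "":
        zone = None
    setting_con.set_property("zone", zone)
    return con.commit_changes(True, None)


def nm_get_connections(connections, connections_name):
    """Get active connections from NM

    Both dicts are cleared first, even if NM turns out to be unavailable.
    VPN connections are skipped.

    @param connections return dict, interface name -> connection uuid
    @param connections_name return dict, connection uuid -> connection id
    @raise FirewallError(MISSING_IMPORT) if NM is unavailable
    """
    connections.clear()
    connections_name.clear()

    check_nm_imported()

    active_connections = nm_get_client().get_active_connections()

    for active_con in active_connections:
        # ignore vpn devices for now
        if active_con.get_vpn():
            continue

        name = active_con.get_id()
        uuid = active_con.get_uuid()
        devices = active_con.get_devices()

        connections_name[uuid] = name
        for dev in devices:
            connections[dev.get_iface()] = uuid


def nm_get_interfaces():
    """Get active interfaces from NM

    Interfaces of VPN connections and of NM-generated/volatile connections
    are left out.

    @returns list of interface names
    @raise FirewallError(MISSING_IMPORT) if NM is unavailable
    """
    check_nm_imported()

    active_interfaces = []

    for active_con in nm_get_client().get_active_connections():
        # ignore vpn devices for now
        if active_con.get_vpn():
            continue

        try:
            con = active_con.get_connection()
            if con.get_flags() & (NM.SettingsConnectionFlags.NM_GENERATED |
                                  NM.SettingsConnectionFlags.NM_VOLATILE):
                continue
        except AttributeError:
            # Prior to NetworkManager 1.12, we can only guess
            # that a connection was generated/volatile.
            if con.get_unsaved():
                continue

        for dev in active_con.get_devices():
            active_interfaces.append(dev.get_iface())

    return active_interfaces


def nm_get_interfaces_in_zone(zone):
    """Get active interfaces whose NM connection is bound to *zone*

    @param zone name
    @returns list of interface names
    @raise FirewallError(MISSING_IMPORT) if NM is unavailable
    """
    interfaces = []
    for interface in nm_get_interfaces():
        # NOTE(review): nm_get_connection_of_interface() can return None;
        # that value is passed on to nm_get_zone_of_connection() unchanged.
        conn = nm_get_connection_of_interface(interface)
        if zone == nm_get_zone_of_connection(conn):
            interfaces.append(interface)
    return interfaces


def nm_get_connection_of_interface(interface):
    """Get connection from NM that is using the interface

    @param interface name
    @returns uuid of the connection that is using interface, or None if the
             interface is unknown, inactive or its connection is NM-generated
    @raise FirewallError(MISSING_IMPORT) if NM is unavailable
    """
    check_nm_imported()

    device = nm_get_client().get_device_by_iface(interface)
    if device is None:
        return None

    active_con = device.get_active_connection()
    if active_con is None:
        return None

    try:
        con = active_con.get_connection()
        if con.get_flags() & NM.SettingsConnectionFlags.NM_GENERATED:
            return None
    except AttributeError:
        # Prior to NetworkManager 1.12, we can only guess
        # that a connection was generated.
        if con.get_unsaved():
            return None

    return active_con.get_uuid()


def nm_get_bus_name():
    """Get the unique D-Bus name NetworkManager currently owns

    Best effort: any failure (no system bus, NM not running) is logged at
    debug level and yields None.

    @returns bus name string, or None if NM is unavailable or not reachable
    """
    if not _nm_imported:
        return None
    try:
        bus = dbus.SystemBus()
        obj = bus.get_object(NM.DBUS_INTERFACE, NM.DBUS_PATH)
        name = obj.bus_name
        del obj, bus
        return name
    except Exception:
        log.debug2("Failed to get bus name of NetworkManager")
        return None


def nm_get_dbus_interface():
    """Get the D-Bus interface name of NetworkManager

    @returns NM.DBUS_INTERFACE, or "" if NM is unavailable
    """
    if not _nm_imported:
        return ""
    return NM.DBUS_INTERFACE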
startswithtTrue(RRtoutputtextlinestin_typestlinetsplits((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pytset_supported_types_s     cCs;t|tks|tkr7ttjd|ndS(sCheck ipset types!ipset type name '%s' is not validN(R!R"R-RRt INVALID_TYPE(Rt type_name((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyt check_typets cCs|j||j|d||g}t|trxF|jD]5\}}|j||dkrE|j|qEqEWn|j|S(s+Create an ipset with name, type and optionstcreateR%(R$R:t isinstancetdicttitemsR.R&(Rtset_nameR9toptionsRtkeytval((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyt set_createzs    cCs |j||jd|gS(Ntdestroy(R$R&(RR?((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyt set_destroys cCsd||g}|j|S(Ntadd(R&(RR?tentryR((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pytset_addscCsd||g}|j|S(Ntdel(R&(RR?RGR((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyt set_deletescCs?d||g}|r2|jddj|n|j|S(Nttests%sR(R.RR&(RR?RGR@R((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyRKscCsKdg}|r|j|n|r5|j|n|j|jdS(Ntlists (R.textendR&R+(RR?R@R((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pytset_lists  c Cs|jddg}i}d}}i}x|D]z}t|dkrPq2ng|jddD]}|j^qc}t|dkrq2q2|ddkr|d}q2|ddkr|d}q2|dd kr2|dj} d} xz| t| kro| | } | dkrbt| | krK| d7} | | || R.twriteRtclosetoststatRRRRRtst_sizeRtgetDebugLogLevelRt Exceptiontdebug3tendswithtunlinkR(RR?R9tentriestcreate_optionst entry_optionst temp_fileRRARBRGRfRRR[R5((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyt set_restoresV              #  cCs,dg}|r|j|n|j|S(Ntflush(R.R&(RR?R((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyt set_flushs cCs|jd||gS(Ntrename(R&(Rt old_set_namet new_set_name((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyRt scCs|jd||gS(Ntswap(R&(Rt set_name_1t set_name_2((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyRwscCs|jdgS(Ntversion(R&(R((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyRzsN(t__name__t 
__module__t__doc__RR&R$R7R:R,RCRERHRJRKRNR]R^RqRsRtRwRz(((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyRGs&         ' 7   cCst|tkrtStS(s"Return true if ipset name is valid(R!R"R)R0(R((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyRscCsK|j}x8tD]0}||krt|||kr||=qqW|S(s( Return only non default create options (tcopytIPSET_DEFAULT_CREATE_OPTIONS(R@RXR\((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyRs    (R}t__all__tos.pathRetfirewallRtfirewall.errorsRtfirewall.core.progRtfirewall.core.loggerRtfirewall.functionsRRtfirewall.configR R"R-tIPSET_CREATE_OPTIONSRtobjectRRR(((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyts@     core/fw_nm.pyc000064400000013667147576556050007360 0ustar00 c`c@sWdZddddddddgZd d lZd d lmZyejd d Wnek rmeZnAXyd dlm Z e ZWn#e eej fk reZnXd ad dlmZd dlmZd dlmZd d lZdZdZdZdZdZdZdZdZdZdZdZ d S(s(Functions for NetworkManager interactiontcheck_nm_importedtnm_is_importedtnm_get_zone_of_connectiontnm_set_zone_of_connectiontnm_get_connectionstnm_get_connection_of_interfacetnm_get_bus_nametnm_get_dbus_interfaceiN(tGLibtNMs1.0(R (terrors(t FirewallError(tlogcCststtjdndS(sNCheck function to raise a MISSING_IMPORT error if the import of NM failed sgi.repository.NM = 1.0N(t _nm_importedR R tMISSING_IMPORT(((s7/usr/lib/python2.7/site-packages/firewall/core/fw_nm.pyR0scCstS(snReturns true if NM has been properly imported @return True if import was successful, False otherwirse (R (((s7/usr/lib/python2.7/site-packages/firewall/core/fw_nm.pyR6scCststjjdantS(sReturns the NM client object or None if the import of NM failed @return NM.Client instance if import was successful, None otherwise N(t _nm_clientR tClienttnewtNone(((s7/usr/lib/python2.7/site-packages/firewall/core/fw_nm.pyt nm_get_client<scCsttj|}|dkr)dS|j}|dkrEdSy(|jtjjtjj B@rldSWn!t k r|j rdSnX|j }|dkrd}n|S(sGet zone of connection from NM @param connection name @return zone string setting of connection, empty string if not set, None if connection is unknown tN( 
RRtget_connection_by_uuidRtget_setting_connectiont get_flagsR tSettingsConnectionFlagst NM_GENERATEDt NM_VOLATILEtAttributeErrort get_unsavedtget_zone(t connectiontcont setting_contzone((s7/usr/lib/python2.7/site-packages/firewall/core/fw_nm.pyREs$        cCszttj|}|dkr)tS|j}|dkrEtS|dkrZd}n|jd||jtdS(sSet the zone for a connection @param zone name @param connection name @return True if zone was set, else False RR!N( RRRRtFalseRt set_propertytcommit_changestTrue(R!RRR ((s7/usr/lib/python2.7/site-packages/firewall/core/fw_nm.pyRcs     cCs|j|jttj}xo|D]g}|jrIq1n|j}|j}|j}|||s>               core/ebtables.pyc000064400000022045147576556050010021 0ustar00 c`c@sdgZddlZddlmZddlmZddlmZm Z m Z ddl m Z ddl mZddlmZmZddlZid gd 6d d d gd6dd dgd6ZiZiZiZxejD]Zgees0      core/fw_icmptype.py000064400000005430147576556050010422 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2011-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
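#

__all__ = [ "FirewallIcmpType" ]

import copy

from firewall.core.logger import log
from firewall import errors
from firewall.errors import FirewallError


class FirewallIcmpType(object):
    """Runtime registry of the ICMP types known to the firewall.

    ICMP type objects are stored by name.  On registration the object's
    destination list is narrowed to the IP versions whose backend is enabled
    and whose kernel reports the type as supported.
    """

    def __init__(self, fw):
        # Core firewall object; consulted for ip4tables/ip6tables state.
        self._fw = fw
        # name -> icmptype object
        self._icmptypes = { }

    def __repr__(self):
        return '%s(%r)' % (self.__class__, self._icmptypes)

    def cleanup(self):
        """Forget every registered ICMP type."""
        self._icmptypes.clear()

    # icmptypes

    def get_icmptypes(self):
        """Return the registered ICMP type names, sorted."""
        return sorted(self._icmptypes.keys())

    def check_icmptype(self, icmptype):
        """Raise FirewallError(INVALID_ICMPTYPE) if *icmptype* is unknown."""
        if icmptype not in self._icmptypes:
            raise FirewallError(errors.INVALID_ICMPTYPE, icmptype)

    def get_icmptype(self, icmptype):
        """Return the object registered under *icmptype*.

        @raise FirewallError(INVALID_ICMPTYPE) if the name is unknown
        """
        self.check_icmptype(icmptype)
        return self._icmptypes[icmptype]

    def add_icmptype(self, obj):
        """Register *obj* under obj.name, restricted to supported IP versions.

        An empty obj.destination means both "ipv4" and "ipv6".  A version is
        dropped when its backend is disabled or its kernel does not list the
        type (lower-cased name) as supported; an unknown version string is
        always dropped.  If anything was dropped a deep copy with the
        narrowed destination is stored so the caller's object stays intact.

        @param obj icmptype object with .name and .destination (list of str)
        @raise FirewallError(INVALID_ICMPTYPE) if no IP version is left
        """
        orig_ipvs = obj.destination
        if not orig_ipvs:
            orig_ipvs = [ "ipv4", "ipv6" ]
        ipvs = orig_ipvs[:]

        for ipv in orig_ipvs:
            if ipv == "ipv4":
                if not self._fw.ip4tables_enabled:
                    continue
                supported_icmps = self._fw.ip4tables_supported_icmp_types
            elif ipv == "ipv6":
                if not self._fw.ip6tables_enabled:
                    continue
                supported_icmps = self._fw.ip6tables_supported_icmp_types
            else:
                supported_icmps = [ ]

            if obj.name.lower() not in supported_icmps:
                # Lazy %-args, matching the other log calls in this package.
                log.info1("ICMP type '%s' is not supported by the kernel for %s.",
                          obj.name, ipv)
                ipvs.remove(ipv)

        if len(ipvs) != len(orig_ipvs):
            if len(ipvs) < 1:
                raise FirewallError(errors.INVALID_ICMPTYPE,
                                    "No supported ICMP type.")
            new_obj = copy.deepcopy(obj)
            new_obj.destination = ipvs
            self._icmptypes[obj.name] = new_obj
        else:
            self._icmptypes[obj.name] = obj

    def remove_icmptype(self, icmptype):
        """Unregister *icmptype*.

        @raise FirewallError(INVALID_ICMPTYPE) if the name is unknown
        """
        self.check_icmptype(icmptype)
        del self._icmptypes[icmptype]

#
# core/ebtables.py
#
# -*- coding: utf-8 -*-
#
# Copyright (C) 2010-2016 Red Hat, Inc.
#
# Authors:
# Thomas Woerner
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.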
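#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see .
#

"""ebtables backend: builds bridge-level rules as token lists and applies
them through the ebtables and ebtables-restore commands."""

__all__ = [ "ebtables" ]

import os.path
from firewall.core.prog import runProg
from firewall.core.logger import log
from firewall.functions import tempFile, readfile, splitArgs
from firewall.config import COMMANDS
from firewall.core import ipXtables # some common stuff lives there
from firewall.errors import FirewallError, INVALID_IPV
import string

# Built-in chains of every ebtables table firewalld touches.
BUILT_IN_CHAINS = {
    "broute": [ "BROUTING" ],
    "nat": [ "PREROUTING", "POSTROUTING", "OUTPUT" ],
    "filter": [ "INPUT", "OUTPUT", "FORWARD" ],
}

# Per-table default rules, filled in below: one <CHAIN>_direct chain per
# built-in chain, hooked in as rule 1 of that chain and ending in RETURN.
DEFAULT_RULES = { }
# Empty here; build_default_rules() appends it when logging is enabled.
LOG_RULES = { }
OUR_CHAINS = {} # chains created by firewalld

for table in BUILT_IN_CHAINS.keys():
    DEFAULT_RULES[table] = [ ]
    OUR_CHAINS[table] = set()
    for chain in BUILT_IN_CHAINS[table]:
        DEFAULT_RULES[table].append("-N %s_direct" % chain)
        DEFAULT_RULES[table].append("-I %s 1 -j %s_direct" % (chain, chain))
        DEFAULT_RULES[table].append("-I %s_direct 1 -j RETURN" % chain)
        OUR_CHAINS[table].add("%s_direct" % chain)


class ebtables(object):
    """Thin wrapper around the ebtables / ebtables-restore commands.

    Rules are lists of argument tokens, e.g.
    ["-t", "filter", "-I", "INPUT", "1", "-j", "RETURN"].  Single rules go
    through ebtables (set_rule), bulk loads through ebtables-restore
    (set_rules).
    """
    ipv = "eb"
    name = "ebtables"
    zones_supported = False # ebtables only supported with direct interface

    def __init__(self):
        """Locate the commands and probe which optional flags they accept.

        Probing runs ebtables-restore on an empty rule set and
        "ebtables --concurrent -L" once each; neither changes any rule.
        """
        self._command = COMMANDS[self.ipv]
        self._restore_command = COMMANDS["%s-restore" % self.ipv]
        # Tables confirmed to exist by get_available_tables(); cached so the
        # probe command runs at most once per table.
        self.available_tables = []
        self.restore_noflush_option = self._detect_restore_noflush_option()
        self.concurrent_option = self._detect_concurrent_option()
        self.fill_exists()

    def fill_exists(self):
        """Record whether the ebtables and ebtables-restore binaries exist."""
        self.command_exists = os.path.exists(self._command)
        self.restore_command_exists = os.path.exists(self._restore_command)

    def _detect_concurrent_option(self):
        """Return "--concurrent" if ebtables accepts it, else "".

        Do not change any rules, just try to use the --concurrent option
        with a read-only listing (-L).
        """
        (status, _output) = runProg(self._command, ["--concurrent", "-L"])
        if status == 0:
            return "--concurrent" # concurrent for ebtables lock
        return ""

    def _detect_restore_noflush_option(self):
        """Return True if ebtables-restore accepts --noflush.

        Do not change any rules, just load an empty rule set through
        set_rules(), which always passes --noflush; a ValueError from it
        means the option is unsupported.
        """
        try:
            self.set_rules([ ], "off")
        except ValueError:
            return False
        return True

    def __run(self, args):
        """Run ebtables with *args* and return its output.

        The concurrent option is prepended when available and not already
        present in *args*.

        @param args list of argument tokens; each is stringified with "%s"
        @return command output
        @raise ValueError if the command exits non-zero
        """
        # convert to string list
        str_args = ["%s" % item for item in args]
        _args = [ ]
        if self.concurrent_option and self.concurrent_option not in args:
            _args.append(self.concurrent_option)
        _args += str_args
        log.debug2("%s: %s %s", self.__class__, self._command, " ".join(_args))
        (status, ret) = runProg(self._command, _args)
        if status != 0:
            # Join the stringified copy: joining the raw args would raise a
            # TypeError on a non-str token and hide the real failure.
            raise ValueError("'%s %s' failed: %s" % (self._command,
                                                     " ".join(str_args), ret))
        return ret

    def _rule_validate(self, rule):
        """Reject rules that use iptables-only placeholders.

        @param rule list of argument tokens
        @raise FirewallError(INVALID_IPV) if a placeholder token is present
        """
        for placeholder in ["%%REJECT%%", "%%ICMP%%", "%%LOGTYPE%%"]:
            if placeholder in rule:
                raise FirewallError(INVALID_IPV,
                                    "'%s' invalid for ebtables" % placeholder)

    def is_chain_builtin(self, ipv, table, chain):
        """Return True if *chain* is a built-in chain of *table*.

        *ipv* is part of the common backend signature and not used here.
        """
        return table in BUILT_IN_CHAINS and \
               chain in BUILT_IN_CHAINS[table]

    def build_chain_rules(self, add, table, chain):
        """Build the rules that create (with a trailing RETURN) or delete a chain."""
        rules = []
        if add:
            rules.append([ "-t", table, "-N", chain ])
            rules.append([ "-t", table, "-I", chain, "1", "-j", "RETURN" ])
        else:
            rules.append([ "-t", table, "-X", chain ])
        return rules

    def build_rule(self, add, table, chain, index, args):
        """Build an insert (-I chain index) or delete (-D chain) rule for *args*."""
        rule = [ "-t", table ]
        if add:
            rule += [ "-I", chain, str(index) ]
        else:
            rule += [ "-D", chain ]
        rule += args
        return rule

    def reverse_rule(self, args):
        """Turn an add rule into its delete counterpart (shared ipXtables logic)."""
        return ipXtables.common_reverse_rule(args)

    def check_passthrough(self, args):
        """Validate a passthrough rule (shared ipXtables logic)."""
        ipXtables.common_check_passthrough(args)

    def reverse_passthrough(self, args):
        """Reverse a passthrough rule (shared ipXtables logic)."""
        return ipXtables.common_reverse_passthrough(args)

    @staticmethod
    def _dump_restore_input(filename):
        """Log the restore script line by line at debug level 3."""
        lines = readfile(filename)
        if lines is None:
            return
        for i, line in enumerate(lines, 1):
            log.debug3("%8d: %s" % (i, line), nofmt=1, nl=0)
            if not line.endswith("\n"):
                log.debug3("", nofmt=1)

    def set_rules(self, rules, log_denied):
        """Load *rules* in one go through ebtables-restore --noflush.

        The "-t"/"--table" option and its value are removed from each rule
        and used to group the rules by table in the restore script.  A rule
        without a table option lands in the table of the rule before it
        (initially "filter"); every rule built by this class carries "-t".
        Tokens containing whitespace are wrapped in double quotes; embedded
        double quotes are not escaped and reach the restore command as-is.

        @param rules list of token lists
        @param log_denied unused here; kept for the common backend interface
        @return output of the restore command
        @raise FirewallError(INVALID_IPV) if a rule uses an iptables-only
               placeholder
        @raise ValueError if a table option has no value or the restore
               command exits non-zero
        """
        temp_file = tempFile()

        table = "filter"
        table_rules = { }
        for _rule in rules:
            rule = _rule[:]
            self._rule_validate(rule)

            # get table form rule
            for opt in [ "-t", "--table" ]:
                try:
                    i = rule.index(opt)
                except ValueError:
                    continue
                # The former test `len(rule) >= i+1` is always true once
                # index() succeeded, so a trailing table option popped past
                # the end of the list.
                if len(rule) <= i + 1:
                    raise ValueError("'%s' without table name in rule: %s"
                                     % (opt, " ".join(["%s" % x for x in rule])))
                rule.pop(i)
                table = rule.pop(i)

            # we can not use joinArgs here, because it would use "'" instead
            # of '"' for the start and end of the string, this breaks
            # iptables-restore
            for i, token in enumerate(rule):
                if token.startswith('"') and token.endswith('"'):
                    continue
                if any(c in token for c in string.whitespace):
                    rule[i] = '"%s"' % token

            table_rules.setdefault(table, []).append(rule)

        for table in table_rules:
            temp_file.write("*%s\n" % table)
            for rule in table_rules[table]:
                temp_file.write(" ".join(rule) + "\n")
        temp_file.close()

        stat = os.stat(temp_file.name)
        log.debug2("%s: %s %s", self.__class__, self._restore_command,
                   "%s: %d" % (temp_file.name, stat.st_size))

        args = [ "--noflush" ]
        try:
            (status, ret) = runProg(self._restore_command, args,
                                    stdin=temp_file.name)
            if log.getDebugLogLevel() > 2:
                self._dump_restore_input(temp_file.name)
        finally:
            # Remove the script even if the restore command itself raised;
            # previously it was only unlinked on the normal path.
            os.unlink(temp_file.name)

        if status != 0:
            raise ValueError("'%s %s' failed: %s" % (self._restore_command,
                                                     " ".join(args), ret))
        return ret

    def set_rule(self, rule, log_denied):
        """Apply a single rule through ebtables.

        @param rule list of argument tokens
        @param log_denied unused here; kept for the common backend interface
        @return command output
        @raise FirewallError(INVALID_IPV) on an iptables-only placeholder
        @raise ValueError if ebtables exits non-zero
        """
        self._rule_validate(rule)
        return self.__run(rule)

    def get_available_tables(self, table=None):
        """Return the tables (or just *table*) that exist on this system.

        Existence is probed with "-t <table> -L"; a table that answers is
        remembered in self.available_tables so it is not probed again.
        """
        ret = []
        tables = [ table ] if table else BUILT_IN_CHAINS.keys()
        for tbl in tables:
            if tbl in self.available_tables:
                ret.append(tbl)
                continue
            try:
                self.__run(["-t", tbl, "-L"])
            except ValueError:
                log.debug1("ebtables table '%s' does not exist.", tbl)
                continue
            self.available_tables.append(tbl)
            ret.append(tbl)
        return ret

    def get_zone_table_chains(self, table):
        """ebtables has no zone chains; always an empty mapping."""
        return {}

    def build_flush_rules(self):
        """Build flush (-F), chain delete (-X) and counter reset (-Z) rules
        for every available table."""
        rules = []
        available = self.get_available_tables()
        for table in BUILT_IN_CHAINS.keys():
            if table not in available:
                continue
            # Flush firewall rules: -F
            # Delete firewall chains: -X
            # Set counter to zero: -Z
            for flag in [ "-F", "-X", "-Z" ]:
                rules.append(["-t", table, flag])
        return rules

    def build_set_policy_rules(self, policy):
        """Build "-P <chain> <policy>" rules for every built-in chain of
        every available table."""
        rules = []
        available = self.get_available_tables()
        for table in BUILT_IN_CHAINS.keys():
            if table not in available:
                continue
            for chain in BUILT_IN_CHAINS[table]:
                rules.append(["-t", table, "-P", chain, policy])
        return rules

    def build_default_tables(self):
        # nothing to do, they always exist
        return []

    def build_default_rules(self, log_denied="off"):
        """Build the per-table DEFAULT_RULES (plus LOG_RULES unless
        log_denied is "off"), each prefixed with "-t <table>".

        String entries are split into tokens with splitArgs(); list entries
        are used as they are.
        """
        default_rules = []
        available = self.get_available_tables()
        for table in DEFAULT_RULES:
            if table not in available:
                continue
            _default_rules = DEFAULT_RULES[table][:]
            if log_denied != "off" and table in LOG_RULES:
                _default_rules.extend(LOG_RULES[table])

            prefix = [ "-t", table ]
            for rule in _default_rules:
                if isinstance(rule, list):
                    default_rules.append(prefix + rule)
                else:
                    default_rules.append(prefix + splitArgs(rule))

        return default_rules

    def is_ipv_supported(self, ipv):
        """Return True only for this backend's own ipv tag ("eb")."""
        return ipv == self.ipv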
cCs d|_dS(N(tNonetfd(tself((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyt__init__(sicCstddS(Ns%LogTarget.write is an abstract method(tNotImplementedError(Rtdatatleveltloggertis_debug((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pytwrite+scCstddS(Ns%LogTarget.flush is an abstract method(R(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pytflush.scCstddS(Ns%LogTarget.close is an abstract method(R(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pytclose1s(t__name__t __module__t__doc__RR RR(((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR&s    t _StdoutLogcBs/eZdZddZdZdZRS(cCstj|tj|_dS(N(RRtsyststdoutR(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR8s icCs|jj||jdS(N(RR R(RR R R R ((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR <scCs|jdS(N(R(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRAscCs|jjdS(N(RR(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRDs(RRRR RR(((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR7s   t _StderrLogcBseZdZRS(cCstj|tj|_dS(N(RRRtstderrR(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRKs (RRR(((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRJst _SyslogLogcBs/eZdZddZdZdZRS(cCs=tj|tjtjjtjdtj tj dS(Ni( RRtsyslogtopenlogtostpathtbasenameRtargvtLOG_PIDt LOG_DAEMON(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRSs icCsd}|rtj}nl||jkr3tj}nQ||jkrNtj}n6||jkritj}n||j krtj }n|j dr|t |d }nt |dkr|dkrtj|qtj||ndS(Ns ii( RRt LOG_DEBUGtINFO1tLOG_INFOtWARNINGt LOG_WARNINGtERRORtLOG_ERRtFATALtLOG_CRITtendswithtlen(RR R R R tpriority((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR as"      cCstjdS(N(Rtcloselog(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRwscCsdS(N((R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRzs(RRRR RR(((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRRs   cBsAeZdZddZdZddZdZdZRS(s< FileLog class. 
File will be opened on the first write. twcCs#tj|||_||_dS(N(RRtfilenametmode(RR/R0((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRs  cCs|jr dStjtjB}|jjdr?|tjO}ntj|j|d|_tj |jdtj |j|j|_t j |jt j t j dS(Ntai(RRtO_CREATtO_WRONLYR0t startswithtO_APPENDtopenR/tfchmodtfdopentfcntltF_SETFDt FD_CLOEXEC(Rtflags((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR6s icCs7|js|jn|jj||jjdS(N(RR6R R(RR R R R ((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR s  cCs'|js dS|jjd|_dS(N(RRR(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRs  cCs|js dS|jjdS(N(RR(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRs (RRRRR6R RR(((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRs    cBseZdZdZdZdZdZdZdZe Z e Z e Zddd Zd Zd d Zd d Zd dZd dZdZdZdZdZdZdZed2dZed2dZed2dZed2dZed2dZ ed2dZ!dZ"dZ#dZ$dZ%d Z&d!Z'd"Z(d#Z)d$Z*d%Z+d&Z,dd'Z-d(Z.dd)Z/ed2dd*Z0ed2dd+Z1ed2dd,Z2dd-Z3d.Z4d/Z5d0Z6dd1Z7RS(3sL Format string: %(class)s Calling class the function belongs to, else empty %(date)s Date using Logger.date_format, see time module %(domain)s Full Domain: %(module)s.%(class)s.%(function)s %(file)s Filename of the module %(function)s Function name, empty in __main__ %(label)s Label according to log function call from Logger.label %(level)d Internal logging level %(line)d Line number in module %(module)s Module name %(message)s Log message Standard levels: FATAL Fatal error messages ERROR Error messages WARNING Warning messages INFOx, x in [1..5] Information DEBUGy, y in [1..10] Debug messages NO_INFO No info output NO_DEBUG No debug output INFO_MAX Maximum info level DEBUG_MAX Maximum debug level x and y depend on info_max and debug_max from Logger class initialization. See __init__ function. Default logging targets: stdout Logs to stdout stderr Logs to stderr syslog Logs to syslog Additional arguments for logging functions (fatal, error, warning, info and debug): nl Disable newline at the end with nl=0, default is nl=1. 
fmt Format string for this logging entry, overloads global format string. Example: fmt="%(file)s:%(line)d %(message)s" nofmt Only output message with nofmt=1. The nofmt argument wins over the fmt argument. Example: from logger import log log.setInfoLogLevel(log.INFO1) log.setDebugLogLevel(log.DEBUG1) for i in range(1, log.INFO_MAX+1): log.setInfoLogLabel(i, "INFO%d: " % i) log.setFormat("%(date)s %(module)s:%(line)d [%(domain)s] %(label)s: " "%(level)d %(message)s") log.setDateFormat("%Y-%m-%d %H:%M:%S") fl = FileLog("/tmp/log", "a") log.addInfoLogging("*", fl) log.addDebugLogging("*", fl) log.addInfoLogging("*", log.syslog, fmt="%(label)s%(message)s") log.debug3("debug3") log.debug2("debug2") log.debug1("debug1") log.info2("info2") log.info1("info1") log.warning("warning\n", nl=0) log.error("error\n", nl=0) log.fatal("fatal") log.info(log.INFO1, "nofmt info", nofmt=1) iiiiiiii cCsi|_i|_d|_d|_i|_i|_i|_i|_i|_i|_ |dkryt d|n|dkrt d|n|j |_ ||_ d|_||_|j|jd|j|jd|j|jd|j|j dxbtd|j dD]J}t|d |||j|dt|d |d ||q"Wxftd|jdD]N}t|d |||j|d |t|d|d||qW|j|j|j|j|jd|jd|jd|j|j|j|j g|jd|jgt|j|j dD] }|^qd|jd|jgtd|jdD] }|^qdS(s Logger class initialization tisLogger: info_max %d is too lowisLogger: debug_max %d is too lows FATAL ERROR: sERROR: s WARNING: sINFO%dsinfo%dcsfdS(Ncsj|||S(N(tinfo(tmessagetargstkwargs(Rtx(s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyt s((RRB((RRBs8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRCssDEBUG%ds DEBUG%d: sdebug%dcsfdS(Ncsj|||S(N(tdebug(R?R@RA(RRB(s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRC)s((RRB((RRBs8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRC(ss%(label)s%(message)ss%d %b %Y %H:%M:%St*N( t_levelt _debug_levelt_formatt _date_formatt_labelt _debug_labelt_loggingt_debug_loggingt_domainst_debug_domainst ValueErrorR$tNO_INFOtINFO_MAXtNO_DEBUGt DEBUG_MAXtsetInfoLogLabelR(t TRACEBACKR&trangetsetattrtsetDebugLogLabeltsetInfoLogLevelR"tsetDebugLogLevelt setFormatt 
setDateFormattsetInfoLoggingRRtsetDebugLogging(Rtinfo_maxt debug_maxRFti((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRsX                     -cCshxat|j|jdD]F}||jkr5qnx(|j|D]\}}}|jqCWqWdS(s Close all logging targets iN(RWR(RTRLR(RR tdummyttarget((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR8s  REcCs.|j|||jkr'|j|S|jS(s Get info log level. (t _checkDomainRFtNOTHING(Rtdomain((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pytgetInfoLogLevel@s  cCsT|j|||jkr(|j}n||jkrC|j}n||j|s  cOsM|j|ddd|j|j|d|d<|j||||dS(s Debug log using debug level [1..debug_max]. There are additional debugx functions according to debug_max from __init__RliRmR N(RoRTR}R~(RR RHR@RA((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRDs  cCs)|j|jtjdgdidS(NR@RA(R~RVt tracebackt format_exc(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyt exceptionscCs8||ks||kr4td|||fndS(Ns*Level %d out of range, should be [%d..%d].(RP(RR RlRm((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRoscCsD|s dSx3|jD]%}|dkrtd|qqWdS(NtnlRstnofmts0Key '%s' is not allowed as argument for logging.(snlsfmtsnofmt(tkeysRP(RRAtkey((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR}s  cCs*| s|dkr&td|ndS(NR=sDomain '%s' is not valid.(RP(RRg((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRescCs||jkrt|ts-t|tr6|}n |g}x|D]J}|rq|j|ddd|jqF|j|d|jd|jqFWnY|rgt|j |jD] }|^q}n(gt|j|jD] }|^q}|S(s Generate log level array. RliRm( tALLt isinstancetlistttupleRoRTR(RRRWtDEBUG1(RR R RqRb((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRns    +(cCspt|tst|tr'|}n |g}x9|D]1}t|jts7td|jjq7q7W|S(s Generate target array. s '%s' is no valid logging target.(RRRt issubclasst __class__RRPR(RRdttargetst_target((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyt _getTargetss   cCs|r.|j}|j}d|jdf}n(|j}|j}|j|jdf}t|dkru|jnxwt |d|dD]^}||krqnxC||D]7\}}}||kr|j |gj |qqWqWdS(s% Generate dict with domain by level. 
iiN( RORMRTRNRLR(RRR+tclearRWt setdefaulttappend(RR RNRLt_rangeR RgRc((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyt _genDomainss       c Cs|j||j||}|j|}|r@|j}n |j}x5|D]-}x$|D]}|||fg|||SqqWx-|jD]"}|j||}|rL|SqLWdS(s@ Internal function to get calling class. Returns class or None. N( RtvaluesRRRRt __bases__RR(RRRRtbaset_obj((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRs cOsd}d|kr|d}nd}d|kr>|d}nd}d|kr]|d}n|j||}|sydSt|dkr|||dRDRRoR}ReRnRRRrRtRwRzRRR~R(((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRsdG   ;                      4(t__all__RRRRRRRR9tos.pathRtobjectRRRRRRR(((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyts(          -( 4core/rich.pyc000064400000057354147576556050007200 0ustar00 c`c@sdddddddddd d d d d ddddgZddlmZddlmZddlmZddlmZddlm Z de fdYZ de fdYZ de fdYZ de fdYZdefdYZde fdYZde fdYZde fdYZde fd YZd e fd!YZd e fd"YZd e fd#YZd e fd$YZd e fd%YZdefd&YZde fd'YZde fd(YZde fd)YZd*S(+t Rich_SourcetRich_Destinationt Rich_Servicet Rich_Portt Rich_ProtocoltRich_MasqueradetRich_IcmpBlockt Rich_IcmpTypetRich_SourcePorttRich_ForwardPorttRich_Logt Rich_Auditt Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_Markt Rich_Limitt Rich_Rulei(t functions(tcheck_ipset_name(t REJECT_TYPES(terrors(t FirewallErrorcBseZedZdZRS(cCs||_|jdkr$d|_n||_|jdksK|jdkrWd|_n$|jdk r{|jj|_n||_|jdkrd|_n||_|jdkr|jdkr|jdkrttjdndS(Ntsno address, mac and ipset( taddrtNonetmactuppertipsettinvertRRt INVALID_RULE(tselfRRRR((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyt__init__$s       - cCsd|jrdnd}|jdk r7|d|jS|jdk rU|d|jS|jdk rs|d|jSttjddS(Ns source%s s NOTRs address="%s"smac="%s"s ipset="%s"sno address, mac and ipset(RRRRRRRR(Rtret((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyt__str__5s (t__name__t __module__tFalseR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR#s cBseZedZdZRS(cCs||_||_dS(N(RR(RRR((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR Bs cCs d|jrdnd|jfS(Nsdestination %saddress="%s"snot 
R(RR(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Fs(R#R$R%R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRAs cBseZdZdZRS(cCs ||_dS(N(tname(RR&((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR KscCs d|jS(Nsservice name="%s"(R&(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Ns(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRJs cBseZdZdZRS(cCs||_||_dS(N(tporttprotocol(RR'R(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR Rs cCsd|j|jfS(Nsport port="%s" protocol="%s"(R'R((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Vs(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRQs cBseZdZRS(cCsd|j|jfS(Ns#source-port port="%s" protocol="%s"(R'R((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Zs (R#R$R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRYscBseZdZdZRS(cCs ||_dS(N(tvalue(RR)((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR _scCs d|jS(Nsprotocol value="%s"(R)(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"bs(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR^s cBseZdZdZRS(cCsdS(N((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR fscCsdS(Nt masquerade((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"is(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRes cBseZdZdZRS(cCs ||_dS(N(R&(RR&((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR mscCs d|jS(Nsicmp-block name="%s"(R&(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"ps(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRls cBseZdZdZRS(cCs ||_dS(N(R&(RR&((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR tscCs d|jS(Nsicmp-type name="%s"(R&(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"ws(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRss cBseZdZdZRS(cCs^||_||_||_||_|jdkr?d|_n|jdkrZd|_ndS(NR(R'R(tto_portt 
to_addressR(RR'R(R+R,((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR {s     cCsRd|j|j|jdkr+d|jnd|jdkrJd|jndfS(Ns(forward-port port="%s" protocol="%s"%s%sRs to-port="%s"s to-addr="%s"(R'R(R+R,(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"s (R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR zs cBs#eZddddZdZRS(cCs||_||_||_dS(N(tprefixtleveltlimit(RR-R.R/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s  cCsSd|jrd|jnd|jr2d|jnd|jrKd|jndfS(Ns log%s%s%ss prefix="%s"Rs level="%s"s %s(R-R.R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"sN(R#R$RR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR scBseZddZdZRS(cCs ||_dS(N(R/(RR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR scCsd|jrd|jndS(Nsaudit%ss %sR(R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"sN(R#R$RR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s cBseZddZdZRS(cCs ||_dS(N(R/(RR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR scCsd|jrd|jndS(Nsaccept%ss %sR(R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"sN(R#R$RR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s cBs)eZdddZdZdZRS(cCs||_||_dS(N(ttypeR/(Rt_typeR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s cCs:d|jrd|jnd|jr2d|jndfS(Ns reject%s%ss type="%s"Rs %s(R0R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"scCs|jr{|s$ttjdn|dkr{|jt|kr{djt|}ttjd|j|fq{ndS(Ns9When using reject type you must specify also rule family.tipv4tipv6s, s%Wrong reject type %s. 
Use one of: %s.(R2R3(R0RRRRtjoin(Rtfamilyt valid_types((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pytchecks  N(R#R$RR R"R7(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s cBseZdZRS(cCsd|jrd|jndS(Nsdrop%ss %sR(R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"s(R#R$R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRscBs&eZddZdZdZRS(cCs||_||_dS(N(tsetR/(Rt_setR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s cCs'd|j|jrd|jndfS(Ns mark set=%s%ss %sR(R8R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"s cCs|jdk r|j}nttjdd|kr|jd}t|dkrottj|ntj|d stj|d rttj|qn$tj|sttj|ndS(Ns no value sett/iii( R8RRRt INVALID_MARKtsplittlenRt checkUINT32(Rtxtsplits((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR7s  N(R#R$RR R"R7(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRs  cBs,eZdZdZdZdZRS(cCsu||_d|jkrq|jjd}t|dkrq|dd krqd|d |dd f|_qqndS( NR:iitsecondtminutethourtdays%s/%si(RARBRCRD(R)R<R=(RR)R@((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s  cCsd}d|jkr*|jjd}n| sCt|dkr[ttj|jn|\}}yt|}Wnttj|jnX|dks|dkrttj|jnd}|dkrd}n?|dkrd}n*|dkr d}n|dkr d}nd ||d krPttjd |jn|dkr|dkrttjd |jndS(NR:iitstmthtdi<ii'is %s too fasts %s too slow(RERFRGRHiiiQ(RR)R<R=RRt INVALID_LIMITtint(RR@tratetdurationtmult((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR7s6           cCs d|jS(Nslimit value="%s"(R)(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"scCsdS(NR((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pytcommand s(R#R$R R7R"RN(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRs  " cBs;eZdddZdZdZdZdZRS(cCsw|dk rt||_n d|_d|_d|_d|_d|_d|_d|_|rs|j |ndS(N( RtstrR5tsourcet destinationtelementtlogtaudittactiont_import_from_string(RR5trule_str((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s        cCsg}xtj|D]}d|kr|jd}t|dks_|d s_|d rxttjd|n|ji|dd6|dd6q|ji|d6qW|jid d6|S( s Lexical analysis t=iiisinternal error in _lexer(): %st attr_namet 
attr_valueRRtEOL(Rt splitArgsR<R=RRRtappend(RRWttokenstrtattr((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyt_lexers ( &c Cs |sttjdnd|_d|_d|_d|_d|_d|_ d|_ |j |}|r|dj ddkrttjdni}g}d}x ||j ddko|dgks ||j d}||j d}||j d}|rA|d?kr|ttjd|q|n;|d@krf|dkrw|jrwttjd)q||dkr|jrttjd*q||dAkr|jrttjd+||jfq||d kr|jrttjd,q||d!kr,|j r,ttjd-q||dBkr||j r|ttjd.||j fq|nttjd/|t |dkr|t |d0nd1} | d1kr<| r|r|dkrttjd2q9ttjd3||fq d|kr,ttjd4||fq |jdnx| dkr|dkr|dCkryttjd7|n||_q |r|dkrd8} nd9||f} ttj| q |j|n| dkrs|dDkr|||n|d0}qW|j$dS(LNs empty ruleiRRR[truleRYRZR5taddressRRRR)R'R(sto-portsto-addrR&R-R.R0R8sbad attribute '%s'RPRQtservices icmp-blocks icmp-typeR*s forward-ports source-portRSRTtaccepttdroptrejecttmarkR/tnottNOTsmore than one 'source' elements#more than one 'destination' elementsFmore than one element. There cannot be both '%s' and '%s' in one rule.smore than one 'log' elementsmore than one 'audit' elementsOmore than one 'action' element. There cannot be both '%s' and '%s' in one rule.sunknown element %siRs0'family' outside of rule. Use 'rule family=...'.s:'%s' outside of any element. Use 'rule %s= ...'.s,'%s' outside of rule. Use 'rule ... %s ...'.R2R3sH'family' attribute cannot have '%s' value. Use 'ipv4' or 'ipv6' instead.sdwrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'.sDattribute '%s' outside of any element. 
Use 'rule %s= ...'.sinvalid 'protocol' elementsinvalid 'service' elementsinvalid 'icmp-block' elementsinvalid 'icmp-type' elementsinvalid 'limit' element(sfamilyRcsmacsipsetsinvertsvaluesportsprotocolsto-portsto-addrsnamesprefixslevelstypesset(Rbssources destinationsprotocolRdsports icmp-blocks icmp-types masquerades forward-ports source-portslogsauditReRfRgsmarkslimitRiRjsEOL(sprotocolRdsports icmp-blocks icmp-types masquerades forward-ports source-port(ReRfRgsmark(sipv4sipv6(Rcsmacsipsetsinvert(RiRj(Rcsinvert(RiRj(sportsprotocol(sportsprotocolsto-portsto-addr(sportsprotocol(sprefixslevel(%RRRRR5RPRQRRRSRTRURatgetR=R]tTrueRR%tpoptclearRRRRRRRR RR R R RR RRR7( RRWR^tattrst in_elementstindexRRRYRZt in_elementterr_msg((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRV.st       +  "%,               ?        $            $                 <      $       0                      $             cCs |jdk r6|jdkr6ttj|jn|jdkr|jdk rf|jjdk su|jdk rttjnt |j t krttjqn|j dkr|j dkrttj dn|jdkr|jdkrttj dqnt |j tt tgkr}|jdkr}|jdkr}|j dkr}ttj dq}n|jdk r|jjdk rL|jdkrttjn|jjdk rttj dn|jjdk r ttj dntj|j|jjsttjt|jjqq|jjdk r|jjdk rttj dntj|jjsttjt|jjqq|jjdk rt|jjsttjt|jjqqttj d n|jdk r|jdkrKttjn|jjdksytj|j|jj rttjt|jjqnt |j tkr|j jdkst|j jd kr>ttjt|j jq>n>t |j t krutj!|j j"sEttj#|j j"n|j j$dkr>ttj%|j j$q>nt |j t&krtj'|j j(s>ttj%|j j(q>nt |j tkr/|j dk rttj dn|jdk r>|jjdk r>ttj dq>nt |j tkr|j jdksnt|j jd krttj)t|j jn|j r>ttj dq>nt |j t*kr|j jdkst|j jd kr>ttj)t|j jq>n+t |j t krtj!|j j"sXttj#|j j"n|j j$dkrttj%|j j$n|j j+dkr|j j,dkrttj#|j j+n|j j+dkrtj!|j j+ rttj#|j j+n|j j,dkrPtj-|j|j j, rPttj|j j,n|jdkrqttjn|j dk r>ttj dq>nt |j t.kr tj!|j j"sttj#|j j"n|j j$d kr>ttj%|j j$q>n1|j dk r>ttj dt |j n|jdk r|jj/r|jj/d!krttj0|jj/n|jj1dk r|jj1j2qn|jdk r! t |j t3t4t5gkrttj6t |j n|jj1dk r! |jj1j2q! 
n|j dk r t |j t4kr[ |j j2|jn%t |j t7kr |j j2n|j j1dk r |j j1j2q ndS("NR2R3sno element, no actions%no element, no source, no destinationsno action, no log, no auditsaddress and macsaddress and ipsets mac and ipsetsinvalid sourceittcptudptsctptdccpsmasquerade and actionsmasquerade and mac sourcesicmp-block and actionRsforward-port and actionsUnknown element %stemergtalerttcritterrortwarningtnoticetinfotdebug(sipv4sipv6(RtRuRvRw(RtRuRvRw(RtRuRvRw(RxRyRzserrorR|R}sinfosdebug(8R5RRRtINVALID_FAMILYRPRRQtMISSING_FAMILYR0RRR RURRRRSRTRRRt check_addresst INVALID_ADDRROt check_mact INVALID_MACRt INVALID_IPSETRR&R=tINVALID_SERVICERt check_portR't INVALID_PORTR(tINVALID_PROTOCOLRt checkProtocolR)tINVALID_ICMPTYPERR+R,tcheck_single_addressRR.tINVALID_LOG_LEVELR/R7R R RtINVALID_AUDIT_TYPER(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR7 s! $$$ $*$!*! *$$     cCsd}|jr#|d|j7}n|jr@|d|j7}n|jr]|d|j7}n|jrz|d|j7}n|jr|d|j7}n|jr|d|j7}n|jr|d|j7}ntjrtj |S|S(NRbs family="%s"s %s( R5RPRQRRRSRTRURtPY2tu2b(RR!((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"s        N(R#R$RR RaRVR7R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s   N(t__all__tfirewallRtfirewall.core.ipsetRtfirewall.core.baseRRtfirewall.errorsRtobjectRRRRRRRRRR R R R R RRRR(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyts8       1core/helper.py000064400000001444147576556050007354 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. 
# # You should have received a copy of the GNU General Public License # along with this program. If not, see . # """The helper maxnamelen""" HELPER_MAXNAMELEN = 32 core/fw_zone.pyo000064400000162474147576556050007736 0ustar00 c`c@s$ddlZddlmZmZmZddlmZddlmZm Z m Z m Z m Z m Z mZmZmZddlmZmZmZmZmZmZmZmZmZmZmZddlmZmZddl m!Z!ddl"m#Z#dd l$m%Z%d e&fd YZ'dS( iN(t SHORTCUTStDEFAULT_ZONE_TARGETtZONE_SOURCE_IPSET_TYPES(tlog( tportStrt checkIPnMaskt checkIP6nMaskt checkProtocoltenable_ip_forwardingtcheck_single_addresst check_mactportInPortRangetget_nf_conntrack_short_name( t Rich_Rulet Rich_Acceptt Rich_Markt Rich_Servicet Rich_Portt Rich_ProtocoltRich_MasqueradetRich_ForwardPorttRich_SourcePorttRich_IcmpBlockt Rich_IcmpType(tFirewallTransactiontFirewallZoneTransaction(terrors(t FirewallError(tLastUpdatedOrderedDictt FirewallZonecBsxeZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z dd Zd ZdZddZdZddZdZdZddZddZddZdZdZdZdZdZdddZdZ ddZ!ddZ"dd Z#d!Z$d"Z%d#Z&d$Z'd%Z(ddd&Z)d'Z*dd(Z+dd)Z,d*Z-d+Z.d,Z/d-Z0d.Z1d/Z2d0Z3d1ddd2Z4d3Z5dd4Z6dd5Z7d6Z8d7Z9d8Z:d9Z;d1ddd:Z<d;Z=dd<Z>d=Z?d>Z@d?ZAd@ZBdAZCdBZDd1dddCZEdDZFddEZGdFZHdGZIdHZJdIZKdJZLd1dddKZMdLZNddMZOdNZPdOZQdPZRdQZSd1dddRZTdSZUddTZVdUZWdVZXdWZYdXZZd1dddYZ[dZZ\dd[Z]d\Z^d]Z_ddd^Z`ddd_Zaddd1ddd`ZbdaZcddddbZddcZeddddZfdeZgdfZhdgZid1dddhZjdiZkddjZldkZmdlZndmZodnZpdddoZqdpZrdqZsddrZtdsZudtZvduZwexdvZydwZzdxZ{dyZ|dzZ}d{Z~d|Zd}Zd~ZdZdZdZdZddddZdZdZRS(cCs||_i|_i|_dS(N(t_fwt_chainst_zones(tselftfw((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__init__(s  cCsd|j|j|jfS(Ns %s(%r, %r)(t __class__RR (R!((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__repr__-scCs|jj|jjdS(N(RtclearR (R!((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytcleanup0s cCs t|jS(N(RR(R!((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytnew_transaction6scCst|j|S(N(RR(R!tzone((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytnew_zone_transaction9scCst|jjS(N(tsortedR tkeys(R!((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt 
get_zones>scCsE|j|}x/|jD]$}||j|jdkr|SqWdS(Nt interfaces(t_FirewallZone__interface_idR tsettingstNone(R!t interfacet interface_idR)((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytget_zone_of_interfaceAs cCsE|j|}x/|jD]$}||j|jdkr|SqWdS(Ntsources(t_FirewallZone__source_idR R0R1(R!tsourcet source_idR)((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytget_zone_of_sourceIs cCs|jj|}|j|S(N(Rt check_zoneR (R!R)tz((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytget_zoneQscOsQy||||Wn6tk rL}t|}tjd||fnXdS(Ns%s: %s(RtstrRtwarning(R!tftnametargstkwargsterrortmsg((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt_error2warningUs  c CsHddddddddd d d d g D|_||j|j^s R.R5tservicestportst masqueradet forward_portst source_portst icmp_blockstrulest protocolsticmp_block_inversion(R0R R@(R!tobj((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytadd_zone]scCsA|j|}|jr&|j|n|jj|j|=dS(N(R tappliedtunapply_zone_settingsR0R&(R!R)RQ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt remove_zonehs    c Cs|dkr|j}n|}x|jD]}|j|}|j|}|jrx|j|j|jd|nt |j dkst |j dkrt |_ ntjd|jx0|jD]%}|j|j|j|d|qWx0|jD]%}|j|j|jd||qWx0|jD]%}|j|j|j|d|q1Wx0|jD]%}|j|j|jd||qdWx0|jD]%}|j|j|j|d|qWx0|jD]%}|j|j|jd||qW|jr|j|j|jd|nx0|jD]%}|j|j|j|d|q%Wx0|j D]%}|j|j |j|d|qXWx0|j D]%}|j|j!|j|d|qW|j r.|j|j"t |j|q.q.W|dkr|j#t ndS(Ntuse_zone_transactionisApplying zone '%s'($R1R(R-R tzone_transactionRPREtadd_icmp_block_inversionR@tlenR.R5tTrueRSRtdebug1RMtadd_icmp_blockRKtadd_forward_portRHt add_serviceRItadd_portROt add_protocolRLtadd_source_portRJtadd_masqueradeRNtadd_rulet add_interfacet add_sourcet_icmp_block_inversiontexecute(R!tuse_transactiont transactionR)RQRWRA((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt apply_zonesos^    *           cCs|j|}||_dS(N(R RS(R!R)RSRQ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytset_zone_applieds cCsd|krdS|jd}t|dkr5dSd}x+tD]#}|dt|krB|}qBqBW|dk r|d|jkrdSt|dkst|dkr|dd kr|d|fSndS( 
Nt_iiiiRtdenytallow(slogRmRn(R1tsplitRYRR-(R!tchaintsplitst_chainRG((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytzone_from_chains     "c Cs|dkr|j|}|dk r|\}}|dkrN|j}n|}|j|t||fg||dkr|jtqqndS(Ntipv4tipv6(RtRu(RsR1R(tgen_chain_rulesRZRg( R!tipvttableRpRhRGt_zoneRrRi((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytcreate_zone_base_by_chains     cCsx|D]\}}|rD|jj|ij|gj|q|j||j|t|j||dkr|j||=nt|j|dkr|j|=qqWdS(Ni(Rt setdefaulttappendtremoveRY(R!R)tcreatetchainsRxRp((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt_register_chainss+cCs8itjd6|d6|d6}|r4||dRR=(R!R)R0t_objtkeyRARD((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt set_settingss@             (c Cs.|jj|}|j|}|r.|js?| rC|j rCdS|rUt|_n|dkrs|j|}n|}|j|}xd|D]\}xS||D]G} y|dkr|j||| |n|dkrwn|dkr |j d| d} |j |||d| | n|dkrE|j ||| |nx|dkru|j ||| d| d |nH|d kr|j ||| |n#|d kr|j||| d| d |n|d kr|j|||n|d krRd|j d | kr'|j d | d} nd} |j||td| | |nk|dkrw|j||| |nF|dkr|j||| d| d |ntjd||| Wqtk r} tjt| qXqWqW|r|jt|j|n|dkr*|j|ndS(NRMRPRKRtmark_idRHRIiiRORLRJRNRR.R5s3Zone '%s': Unknown setting '%s:%s', unable to apply(RR:R RSRZR1R*Rt _icmp_blockR0t _forward_portt_servicet_portt _protocolt _source_portt _masqueradet_FirewallZone__ruleR t _interfacet_sourceRR>RR=RfR@Rg( R!tenableR)RVRyRQRWR0RRARRD((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__zone_settings sj                        cCs|jt||dS(N(t_FirewallZone__zone_settingsRZ(R!R)RV((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytapply_zone_settings_scCs|jt||dS(N(RtFalse(R!R)RV((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRTbscCsK|j|}t|jdkrGt|jdkrG|j|ndS(Ni(R RYR.R5RT(R!R)RQ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytunapply_zone_settings_if_unusedes *cCst|j|j}|dtkr8d|d|S|dk r]|j||n|j|||}|S(N(RRR4R:R1tremove_interfaceRd(R!R)R2Rt _old_zonet _new_zoneRy((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRs   cCs|jj|dkr(|j}n|}|j|}|j|||jt|d|dt|dk r|dkr|j|}|jt|d|dtn|dkr|j 
tndS(Nt+R|R( RRR1R(RWRRRZRRg(R!told_zonetnew_zoneRhRiRW((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytchange_default_zones   c Cs|jj|j|}|dkrAttjd|n|dkrS|n|jj|}||krttjd|||fn|dkr|j |}n|}|j |}|j |}|j t ||||j|j|||dkr|jtn|S(Ns'%s' is not in any zoneRs"remove_interface(%s, %s): zoi='%s'(RRR4R1RRtUNKNOWN_INTERFACER:RR*R R/RRtadd_postRRgRZ( R!R)R2RVtzoiRyRWRR3((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRs*   $     cCs(||jdkr$|jd|=ndS(NR.(R0(R!RR3((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__unregister_interfacescCs |j||j|dkS(NR.(R/R(R!R)R2((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytquery_interfacescCs|j|djS(NR.(RR,(R!R)((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR scCst|rdSt|r dSt|r0dS|jdrr|j|d|j|d|j|dSttj |dS(NRtRuRsipset:i( RRR t startswitht_check_ipset_type_for_sourcet_check_ipset_appliedt _ipset_familyRRt INVALID_ADDR(R!R7((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt check_sources   cCs|j|}||fS(N(R(R!R7Rw((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __source_idsc Cs||jj|jj|}|j|}t|rG|j}n|j|}||jdkrtt j d||fn|j |dk rtt j d|n|dkr|j|}n|}|js|j|d||j|j|tn|jt||d|d||j|||||j|j|||dkrx|jtn|S(NR5s'%s' already bound to '%s's'%s' already bound to a zoneRVii(RRR:R R tupperR6R0RRRR9R1RR*RSRRRkRRRZt_FirewallZone__register_sourcet _FirewallZone__unregister_sourceRg( R!R)R7RRVRyRR8RW((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRe s4        ! cCsC|jd||jd|<| p-|dk|jd|d|St|rY|j}n|dk rx|j||n|j|||}|S(N( RRR9R:R RR1t remove_sourceRe(R!R)R7RRRRy((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRLs    c CsE|jjt|r(|j}n|j|}|dkr\ttjd|n|dkrn|n|jj |}||krttj d|||fn|dkr|j |}n|}|j |}|j |}|jt||d|d||j|j|||dkrA|jtn|S(Ns'%s' is not in any zoneRsremove_source(%s, %s): zos='%s'ii(RRR RR9R1RRtUNKNOWN_SOURCER:RR*R R6RRRRRgRZ( R!R)R7RVtzosRyRWRR8((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR^s.    $    ! 
cCs(||jdkr$|jd|=ndS(NR5(R0(R!RR8((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__unregister_sourcescCs;t|r|j}n|j||j|dkS(NR5(R RR6R(R!R)R7((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt query_sources cCs.g|j|djD]}|d^qS(NR5i(RR,(R!R)tk((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRscCs|jdS(N(tcheck(R!trule((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt check_rulescCs|j|t|S(N(RR=(R!R((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __rule_ids cCs|s dS|jr<t|jr&dSt|jrdSndt|drX|jrXdSt|dr|jr|j|j|j|j|j |jSdS(NRtRutmacRtipset( R1taddrRRthasattrRRRRR(R!R7((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt_rule_source_ipvs cCs|j|||||dS(N(t _rule_prepare(R!RR)RRRW((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__rulesic CsE|jj|}|jj||jj|j|}|j|}||jdkr}ttj d||fn|dkr|j |} n|} t |j tkr|jj} nd} |jr|jt||| | n|j||| ||| j|j||| |dkrA| jtn|S(NRNs'%s' already in '%s'(RR:t check_timeoutRR t_FirewallZone__rule_idR0RRtALREADY_ENABLEDR1R*ttypetelementRtnew_markRSRRZt_FirewallZone__register_ruleRt_FirewallZone__unregister_ruleRg( R!R)RRRRVRyRtrule_idRWR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRcs*      cCs'|j||d||jd|(R!tmodulesRt_helpersRRt_module_short_namet_helper((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytget_helpers_for_service_modulesGs$    cCs$|jj||jj|dS(N(Rt check_portt check_tcpudp(R!tporttprotocol((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR ascCs#|j||t|d|fS(Nt-(R R(R!R R ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __port_idesc Cs|jj|}|jj||jj|j|}|j||} | |jdkrttj d|||fn|dkr|j |} n|} |j r|j t|||| n|j|| ||| j|j|| |dkr| jtn|S(NRIs'%s:%s' already in '%s'(RR:RRR t_FirewallZone__port_idR0RRRR1R*RSRRZt_FirewallZone__register_portRt_FirewallZone__unregister_portRg( R!R)R R RRRVRyRtport_idRW((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR_is&       cCs!|j|||jd||j|}|tkr:ttjd||fndS(Ns.ipset '%s' with type '%s' not 
usable as source(t_FirewallZone__ipset_typeRRRt INVALID_IPSET(R!R@t_type((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRs  c Csx|r|jj|gn |jjD]}|js@q+nxr|jD]d}x[|j|D]J}|r|j||n|j|||||} |j|| qcWqMWq+WdS(N( Rtget_backend_by_ipvRVRWRXR\R]tbuild_zone_source_address_rulesRZ( R!RR)RwR7RWR[RxRpRN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRs1  cCs |jdk r|jg}n1gddgD]}|jj|r+|^q+}|j|j}|dk r|dkr|jdk r|j|krttjd||jfqq|g}n||_ x t g|D]} |jj | ^qD] } t |j tkr|jjj|j j} g} t| jdkr|jrlttjdnxS|D];}|| jkrs| j|rs| j| j|qsqsWn | jdx| D]} |r |jdd|jjdkr |jd d q nt |jtkr|j| j|}g}x6|D].}|j}t|}|jjdkr.|jd d }|j||jdkr| j|j rqDnt|jd kr|j|qrx|jD]@\}}| j ||||| |j|}|j!| |qWqD|j|krD|j|j|jjd d }|j|qDqDW|j"|nxs| jD]h\}}|rt |jt#kr|jdd n| j$||||| |}|j!| |qWxj| j%D]_}|r:t |jt#kr:|jdd n| j&|||| |}|j!| |qWxs| j'D]h\}}|rt |jt#kr|jdd n| j(||||| |}|j!| |qsWqWqt |j t)kr|j j*}|j j+}|j,|||r<|jddn|rjt |jt#krj|jdd n| j$||||d|}|j!| |qt |j t-kr>|j j.}|j/||r|jddn|rt |jt#kr|jdd n| j&|||d|}|j!| |qt |j t0kr|r|jd d|jddx3|D](}| j|r|j1t2|qqWn| j3|||}|j!| |qt |j t4kr|j j*}|j j+}|j j5}|j j6}xX|D]P}| j|rT|j7|||||n|r#|r#|j1t2|q#q#W|sdnd}|r|jdd |jd d |jd|n| j8||||||||| }|j!| |qt |j t9kr|j j*}|j j+}|j,|||rR|jddn|rt |jt#kr|jdd n| j(||||d|}|j!| |qt |j t:kst |j t;kr |jj<j=|j j}t |j t:kr> |jr> t |jtkr> ttjdn|jr xv|D]k}||jkrN | j| rN ttjdt |j t:kr dnd|j j| jfqN qN Wnd}|r |j|d|j|dn| j>||||}|j!| |q|j dkr |rB |jddn|rp t |jt#krp |jdd n| j?|||}|j!| |qttjdt |j qW|S(NRtRuRs;Source address family '%s' conflicts with rule family '%s'.is"Destination conflict with service.tfiltertINPUTtrawt PREROUTINGt conntracktnatitmanglet POSTROUTINGt FORWARD_OUTt FORWARD_INs'IcmpBlock not usable with accept actionsIcmp%s %s not usable with %stBlocktTypesUnknown element %s(@tfamilyR1Rtis_ipv_enabledRR7RRt INVALID_RULEtipvstsetRkRRRRt get_serviceR@RYt destinationtis_ipv_supportedR|R]RtactionRR RRR treplaceRItbuild_zone_helper_ports_rulesRZt 
add_modulesRtbuild_zone_ports_rulesROtbuild_zone_protocol_rulesRLtbuild_zone_source_ports_rulesRR R R RtvalueRRRRtbuild_zone_masquerade_rulesRtto_portt to_addressR6tbuild_zone_forward_port_rulesRRRticmptypet get_icmptypetbuild_zone_icmp_block_rulest(build_zone_rich_source_destination_rules(R!RR)RRRWR|Rwt source_ipvRGR[tsvct destinationsRthelpersRRRRt nat_moduleR tprotoRNR R4R5t filter_chaintictRx((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRsH1   2            "                   # c CsJ|jjj|}|j|j|}|r|jjdkrU|jddnVg}x@|D]8}|j|j|jj dd} |j| qbW|j ||jddng} xdd gD]} |jj | sqn|jj | } t |jdkrE| |jkrm| j| |j| fqmq| df| kr| j| dfqqWx| D]\} } |jjdkr|x|D]}|j}t|}|jj dd} |j| |jd kr| j|j rqnt |jd kr'|j|qxK|jD]@\}}| j||||| |j|}|j| |q1WqWnxB|jD]7\}}| j||||| }|j| |qWx9|jD].}| j|||| }|j| |qWxB|jD]7\}}| j||||| }|j| |qWqxWdS( NiRoRpRqRrRmRnRtRuRi(RRR~R RRR]R|RRRRzRkRYRR1R t add_moduleRyRRIRR@RZRRORRLR(R!RR)RRWRRRRRt backends_ipvRwR[RRRR RRNR ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRsd       "  cCsn|r|jddnxN|jjD]=}|js>q)n|j||||}|j||q)WdS(NRmRn(R]RRVRWRRZ(R!RR)R R RWR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR3s  cCsk|r|jddnxK|jjD]:}|js>q)n|j|||}|j||q)WdS(NRmRn(R]RRVRWRRZ(R!RR)R RWR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR?s cCsn|r|jddnxN|jjD]=}|js>q)n|j||||}|j||q)WdS(NRmRn(R]RRVRWRRZ(R!RR)R R RWR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRJs cCsw|r)|jdd|jddnd}|jt||jj|}|j||}|j||dS(NRrRtRmRuRt(R]RRRRkRRZ(R!RR)RWRwR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRUsc Cstd|rd} nd} |s*dnd} |ri|jdd|jdd|jd| n|r|r|jt| n|jj| } | j||| |||||} |j| | dS( NRuRtRnRvRsRpRrRm(R R]RRRRkRRZ( R!RR)RWR R R4R5RRwRR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRas   c Cs|jjj|}|r>|jdd|jddnx|jjD]}|jscqNnt}|jrxBddgD]1}||jkr|j|st }PqqqWn|rqNn|j |||} |j || qNWdS(NRmRnRvRtRu( RRRR]RVRWRRRRZRRZ( R!RR)RARWRR[t 
skip_backendRwRN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRws$  cCs|j|j}|dkr dS|j| r@|dkr@dS|jdd|jdd|r|j||jnxH|jjD]7}|jsqn|j ||}|j ||qWdS( NtDROPs %%REJECT%%tREJECTtACCEPTRmRnRv(Rs %%REJECT%%R( R ttargetRR]RgR&RRVRWt%build_zone_icmp_block_inversion_rulesRZ(R!RR)RWRR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRfs    N(t__name__t __module__R#R%R'R(R*R-R4R9R<RERRRUR1RjRkRsRzRRRRRRRTRRRRR/RdRRRRRRRRR6ReRRRRRRRRRRRcRRRRRRRR^RRRRRR R RR_RRRRRRRR`RR RR"RR$RaR%R(R&R*RR,RbR-R1R.RR6R8R]R9R=R:R?RRBRDR\RERIRFRKRRMRXRNRORTRSRRvRRRRhRfRRRRRRRRRRRRf(((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR's$            <      ) ?       '         &                                                                   (   (           A  ((Rtfirewall.core.baseRRRtfirewall.core.loggerRtfirewall.functionsRRRRRR R R R tfirewall.core.richR RRRRRRRRRRtfirewall.core.fw_transactionRRtfirewallRtfirewall.errorsRtfirewall.fw_typesRtobjectR(((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyts @Lcore/__init__.pyc000064400000000221147576556050007767 0ustar00 c`c@sdS(N((((s:/usr/lib/python2.7/site-packages/firewall/core/__init__.pytscore/icmp.pyc000064400000005623147576556050007173 0ustar00 c`c@sddddgZi"dd6dd6dd6d d 6d d 6d d6dd6dd6dd6dd6dd6dd6dd6dd6dd 6d!d"6d#d$6d%d&6d'd(6d)d*6d+d,6d-d.6d/d06d/d16d2d36d4d56d6d76d8d96d:d;6d<d=6d>d?6d@dA6dBdC6dDdE6ZidFdG6dHd 6dIdJ6dKd6dLdM6dd76d d96d%dN6dOdP6dQdR6dSd06dSd16dTd6dTd6dUd56dVd36dWdX6dWdY6dZd[6dZd\6d]d^6Zd_Zd`ZdaZdbZdcS(dt ICMP_TYPESt ICMPV6_TYPEStcheck_icmp_typetcheck_icmpv6_types0/0s echo-replytpongs3/0snetwork-unreachables3/1shost-unreachables3/2sprotocol-unreachables3/3sport-unreachables3/4sfragmentation-neededs3/5ssource-route-faileds3/6snetwork-unknowns3/7s host-unknowns3/9snetwork-prohibiteds3/10shost-prohibiteds3/11sTOS-network-unreachables3/12sTOS-host-unreachables3/13scommunication-prohibiteds3/14shost-precedence-violations3/15sprecedence-cutoffs4/0s source-quenchs5/0snetwork-redirects5/1s 
host-redirects5/2sTOS-network-redirects5/3sTOS-host-redirects8/0s echo-requesttpings9/0srouter-advertisements10/0srouter-solicitations11/0sttl-zero-during-transits11/1sttl-zero-during-reassemblys12/0s ip-header-bads12/1srequired-option-missings13/0stimestamp-requests14/0stimestamp-replys17/0saddress-mask-requests18/0saddress-mask-replys1/0sno-routes1/1s1/3saddress-unreachables1/4s2/0spacket-too-bigs bad-headers4/1sunknown-header-types4/2sunknown-options128/0s129/0s133/0s134/0s135/0sneighbour-solicitationsneigbour-solicitations136/0sneighbour-advertisementsneigbour-advertisements137/0tredirectcCs|tkrtStS(N(RtTruetFalse(t_name((s6/usr/lib/python2.7/site-packages/firewall/core/icmp.pytcheck_icmp_nameVs cCs|tjkrtStS(N(RtvaluesRR(t_type((s6/usr/lib/python2.7/site-packages/firewall/core/icmp.pyR[scCs|tkrtStS(N(RRR(R ((s6/usr/lib/python2.7/site-packages/firewall/core/icmp.pytcheck_icmpv6_name`s cCs|tjkrtStS(N(RR RR(R ((s6/usr/lib/python2.7/site-packages/firewall/core/icmp.pyResN(t__all__RRR RR R(((s6/usr/lib/python2.7/site-packages/firewall/core/icmp.pyts|      core/fw_zone.pyc000064400000162474147576556050007722 0ustar00 c`c@s$ddlZddlmZmZmZddlmZddlmZm Z m Z m Z m Z m Z mZmZmZddlmZmZmZmZmZmZmZmZmZmZmZddlmZmZddl m!Z!ddl"m#Z#dd l$m%Z%d e&fd YZ'dS( iN(t SHORTCUTStDEFAULT_ZONE_TARGETtZONE_SOURCE_IPSET_TYPES(tlog( tportStrt checkIPnMaskt checkIP6nMaskt checkProtocoltenable_ip_forwardingtcheck_single_addresst check_mactportInPortRangetget_nf_conntrack_short_name( t Rich_Rulet Rich_Acceptt Rich_Markt Rich_Servicet Rich_Portt Rich_ProtocoltRich_MasqueradetRich_ForwardPorttRich_SourcePorttRich_IcmpBlockt Rich_IcmpType(tFirewallTransactiontFirewallZoneTransaction(terrors(t FirewallError(tLastUpdatedOrderedDictt FirewallZonecBsxeZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z dd Zd ZdZddZdZddZdZdZddZddZddZdZdZdZdZdZdddZdZ ddZ!ddZ"dd 
Z#d!Z$d"Z%d#Z&d$Z'd%Z(ddd&Z)d'Z*dd(Z+dd)Z,d*Z-d+Z.d,Z/d-Z0d.Z1d/Z2d0Z3d1ddd2Z4d3Z5dd4Z6dd5Z7d6Z8d7Z9d8Z:d9Z;d1ddd:Z<d;Z=dd<Z>d=Z?d>Z@d?ZAd@ZBdAZCdBZDd1dddCZEdDZFddEZGdFZHdGZIdHZJdIZKdJZLd1dddKZMdLZNddMZOdNZPdOZQdPZRdQZSd1dddRZTdSZUddTZVdUZWdVZXdWZYdXZZd1dddYZ[dZZ\dd[Z]d\Z^d]Z_ddd^Z`ddd_Zaddd1ddd`ZbdaZcddddbZddcZeddddZfdeZgdfZhdgZid1dddhZjdiZkddjZldkZmdlZndmZodnZpdddoZqdpZrdqZsddrZtdsZudtZvduZwexdvZydwZzdxZ{dyZ|dzZ}d{Z~d|Zd}Zd~ZdZdZdZdZddddZdZdZRS(cCs||_i|_i|_dS(N(t_fwt_chainst_zones(tselftfw((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__init__(s  cCsd|j|j|jfS(Ns %s(%r, %r)(t __class__RR (R!((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__repr__-scCs|jj|jjdS(N(RtclearR (R!((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytcleanup0s cCs t|jS(N(RR(R!((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytnew_transaction6scCst|j|S(N(RR(R!tzone((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytnew_zone_transaction9scCst|jjS(N(tsortedR tkeys(R!((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt get_zones>scCsE|j|}x/|jD]$}||j|jdkr|SqWdS(Nt interfaces(t_FirewallZone__interface_idR tsettingstNone(R!t interfacet interface_idR)((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytget_zone_of_interfaceAs cCsE|j|}x/|jD]$}||j|jdkr|SqWdS(Ntsources(t_FirewallZone__source_idR R0R1(R!tsourcet source_idR)((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytget_zone_of_sourceIs cCs|jj|}|j|S(N(Rt check_zoneR (R!R)tz((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytget_zoneQscOsQy||||Wn6tk rL}t|}tjd||fnXdS(Ns%s: %s(RtstrRtwarning(R!tftnametargstkwargsterrortmsg((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt_error2warningUs  c CsHddddddddd d d d g D|_||j|j^s R.R5tservicestportst masqueradet forward_portst source_portst icmp_blockstrulest protocolsticmp_block_inversion(R0R 
R@(R!tobj((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytadd_zone]scCsA|j|}|jr&|j|n|jj|j|=dS(N(R tappliedtunapply_zone_settingsR0R&(R!R)RQ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt remove_zonehs    c Cs|dkr|j}n|}x|jD]}|j|}|j|}|jrx|j|j|jd|nt |j dkst |j dkrt |_ ntjd|jx0|jD]%}|j|j|j|d|qWx0|jD]%}|j|j|jd||qWx0|jD]%}|j|j|j|d|q1Wx0|jD]%}|j|j|jd||qdWx0|jD]%}|j|j|j|d|qWx0|jD]%}|j|j|jd||qW|jr|j|j|jd|nx0|jD]%}|j|j|j|d|q%Wx0|j D]%}|j|j |j|d|qXWx0|j D]%}|j|j!|j|d|qW|j r.|j|j"t |j|q.q.W|dkr|j#t ndS(Ntuse_zone_transactionisApplying zone '%s'($R1R(R-R tzone_transactionRPREtadd_icmp_block_inversionR@tlenR.R5tTrueRSRtdebug1RMtadd_icmp_blockRKtadd_forward_portRHt add_serviceRItadd_portROt add_protocolRLtadd_source_portRJtadd_masqueradeRNtadd_rulet add_interfacet add_sourcet_icmp_block_inversiontexecute(R!tuse_transactiont transactionR)RQRWRA((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt apply_zonesos^    *           cCs|j|}||_dS(N(R RS(R!R)RSRQ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytset_zone_applieds cCsd|krdS|jd}t|dkr5dSd}x+tD]#}|dt|krB|}qBqBW|dk r|d|jkrdSt|dkst|dkr|dd kr|d|fSndS( Nt_iiiiRtdenytallow(slogRmRn(R1tsplitRYRR-(R!tchaintsplitst_chainRG((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytzone_from_chains     "c Cs|dkr|j|}|dk r|\}}|dkrN|j}n|}|j|t||fg||dkr|jtqqndS(Ntipv4tipv6(RtRu(RsR1R(tgen_chain_rulesRZRg( R!tipvttableRpRhRGt_zoneRrRi((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytcreate_zone_base_by_chains     cCsx|D]\}}|rD|jj|ij|gj|q|j||j|t|j||dkr|j||=nt|j|dkr|j|=qqWdS(Ni(Rt setdefaulttappendtremoveRY(R!R)tcreatetchainsRxRp((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt_register_chainss+cCs8itjd6|d6|d6}|r4||dRR=(R!R)R0t_objtkeyRARD((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt set_settingss@             (c Cs.|jj|}|j|}|r.|js?| rC|j rCdS|rUt|_n|dkrs|j|}n|}|j|}xd|D]\}xS||D]G} y|dkr|j||| |n|dkrwn|dkr |j d| d} |j |||d| | n|dkrE|j ||| |nx|dkru|j ||| 
d| d |nH|d kr|j ||| |n#|d kr|j||| d| d |n|d kr|j|||n|d krRd|j d | kr'|j d | d} nd} |j||td| | |nk|dkrw|j||| |nF|dkr|j||| d| d |ntjd||| Wqtk r} tjt| qXqWqW|r|jt|j|n|dkr*|j|ndS(NRMRPRKRtmark_idRHRIiiRORLRJRNRR.R5s3Zone '%s': Unknown setting '%s:%s', unable to apply(RR:R RSRZR1R*Rt _icmp_blockR0t _forward_portt_servicet_portt _protocolt _source_portt _masqueradet_FirewallZone__ruleR t _interfacet_sourceRR>RR=RfR@Rg( R!tenableR)RVRyRQRWR0RRARRD((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__zone_settings sj                        cCs|jt||dS(N(t_FirewallZone__zone_settingsRZ(R!R)RV((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytapply_zone_settings_scCs|jt||dS(N(RtFalse(R!R)RV((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRTbscCsK|j|}t|jdkrGt|jdkrG|j|ndS(Ni(R RYR.R5RT(R!R)RQ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytunapply_zone_settings_if_unusedes *cCst|j|j}|dtkr8d|d|S|dk r]|j||n|j|||}|S(N(RRR4R:R1tremove_interfaceRd(R!R)R2Rt _old_zonet _new_zoneRy((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRs   cCs|jj|dkr(|j}n|}|j|}|j|||jt|d|dt|dk r|dkr|j|}|jt|d|dtn|dkr|j tndS(Nt+R|R( RRR1R(RWRRRZRRg(R!told_zonetnew_zoneRhRiRW((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytchange_default_zones   c Cs|jj|j|}|dkrAttjd|n|dkrS|n|jj|}||krttjd|||fn|dkr|j |}n|}|j |}|j |}|j t ||||j|j|||dkr|jtn|S(Ns'%s' is not in any zoneRs"remove_interface(%s, %s): zoi='%s'(RRR4R1RRtUNKNOWN_INTERFACER:RR*R R/RRtadd_postRRgRZ( R!R)R2RVtzoiRyRWRR3((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRs*   $     cCs(||jdkr$|jd|=ndS(NR.(R0(R!RR3((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__unregister_interfacescCs |j||j|dkS(NR.(R/R(R!R)R2((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytquery_interfacescCs|j|djS(NR.(RR,(R!R)((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR scCst|rdSt|r dSt|r0dS|jdrr|j|d|j|d|j|dSttj |dS(NRtRuRsipset:i( RRR t 
startswitht_check_ipset_type_for_sourcet_check_ipset_appliedt _ipset_familyRRt INVALID_ADDR(R!R7((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt check_sources   cCs|j|}||fS(N(R(R!R7Rw((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __source_idsc Cs||jj|jj|}|j|}t|rG|j}n|j|}||jdkrtt j d||fn|j |dk rtt j d|n|dkr|j|}n|}|js|j|d||j|j|tn|jt||d|d||j|||||j|j|||dkrx|jtn|S(NR5s'%s' already bound to '%s's'%s' already bound to a zoneRVii(RRR:R R tupperR6R0RRRR9R1RR*RSRRRkRRRZt_FirewallZone__register_sourcet _FirewallZone__unregister_sourceRg( R!R)R7RRVRyRR8RW((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRe s4        ! cCsC|jd||jd|<| p-|dk|jd|d|St|rY|j}n|dk rx|j||n|j|||}|S(N( RRR9R:R RR1t remove_sourceRe(R!R)R7RRRRy((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRLs    c CsE|jjt|r(|j}n|j|}|dkr\ttjd|n|dkrn|n|jj |}||krttj d|||fn|dkr|j |}n|}|j |}|j |}|jt||d|d||j|j|||dkrA|jtn|S(Ns'%s' is not in any zoneRsremove_source(%s, %s): zos='%s'ii(RRR RR9R1RRtUNKNOWN_SOURCER:RR*R R6RRRRRgRZ( R!R)R7RVtzosRyRWRR8((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR^s.    $    ! 
cCs(||jdkr$|jd|=ndS(NR5(R0(R!RR8((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__unregister_sourcescCs;t|r|j}n|j||j|dkS(NR5(R RR6R(R!R)R7((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt query_sources cCs.g|j|djD]}|d^qS(NR5i(RR,(R!R)tk((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRscCs|jdS(N(tcheck(R!trule((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt check_rulescCs|j|t|S(N(RR=(R!R((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __rule_ids cCs|s dS|jr<t|jr&dSt|jrdSndt|drX|jrXdSt|dr|jr|j|j|j|j|j |jSdS(NRtRutmacRtipset( R1taddrRRthasattrRRRRR(R!R7((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt_rule_source_ipvs cCs|j|||||dS(N(t _rule_prepare(R!RR)RRRW((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__rulesic CsE|jj|}|jj||jj|j|}|j|}||jdkr}ttj d||fn|dkr|j |} n|} t |j tkr|jj} nd} |jr|jt||| | n|j||| ||| j|j||| |dkrA| jtn|S(NRNs'%s' already in '%s'(RR:t check_timeoutRR t_FirewallZone__rule_idR0RRtALREADY_ENABLEDR1R*ttypetelementRtnew_markRSRRZt_FirewallZone__register_ruleRt_FirewallZone__unregister_ruleRg( R!R)RRRRVRyRtrule_idRWR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRcs*      cCs'|j||d||jd|(R!tmodulesRt_helpersRRt_module_short_namet_helper((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytget_helpers_for_service_modulesGs$    cCs$|jj||jj|dS(N(Rt check_portt check_tcpudp(R!tporttprotocol((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR ascCs#|j||t|d|fS(Nt-(R R(R!R R ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __port_idesc Cs|jj|}|jj||jj|j|}|j||} | |jdkrttj d|||fn|dkr|j |} n|} |j r|j t|||| n|j|| ||| j|j|| |dkr| jtn|S(NRIs'%s:%s' already in '%s'(RR:RRR t_FirewallZone__port_idR0RRRR1R*RSRRZt_FirewallZone__register_portRt_FirewallZone__unregister_portRg( R!R)R R RRRVRyRtport_idRW((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR_is&       cCs!|j|||jd||j|}|tkr:ttjd||fndS(Ns.ipset '%s' with type '%s' not 
usable as source(t_FirewallZone__ipset_typeRRRt INVALID_IPSET(R!R@t_type((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRs  c Csx|r|jj|gn |jjD]}|js@q+nxr|jD]d}x[|j|D]J}|r|j||n|j|||||} |j|| qcWqMWq+WdS(N( Rtget_backend_by_ipvRVRWRXR\R]tbuild_zone_source_address_rulesRZ( R!RR)RwR7RWR[RxRpRN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRs1  cCs |jdk r|jg}n1gddgD]}|jj|r+|^q+}|j|j}|dk r|dkr|jdk r|j|krttjd||jfqq|g}n||_ x t g|D]} |jj | ^qD] } t |j tkr|jjj|j j} g} t| jdkr|jrlttjdnxS|D];}|| jkrs| j|rs| j| j|qsqsWn | jdx| D]} |r |jdd|jjdkr |jd d q nt |jtkr|j| j|}g}x6|D].}|j}t|}|jjdkr.|jd d }|j||jdkr| j|j rqDnt|jd kr|j|qrx|jD]@\}}| j ||||| |j|}|j!| |qWqD|j|krD|j|j|jjd d }|j|qDqDW|j"|nxs| jD]h\}}|rt |jt#kr|jdd n| j$||||| |}|j!| |qWxj| j%D]_}|r:t |jt#kr:|jdd n| j&|||| |}|j!| |qWxs| j'D]h\}}|rt |jt#kr|jdd n| j(||||| |}|j!| |qsWqWqt |j t)kr|j j*}|j j+}|j,|||r<|jddn|rjt |jt#krj|jdd n| j$||||d|}|j!| |qt |j t-kr>|j j.}|j/||r|jddn|rt |jt#kr|jdd n| j&|||d|}|j!| |qt |j t0kr|r|jd d|jddx3|D](}| j|r|j1t2|qqWn| j3|||}|j!| |qt |j t4kr|j j*}|j j+}|j j5}|j j6}xX|D]P}| j|rT|j7|||||n|r#|r#|j1t2|q#q#W|sdnd}|r|jdd |jd d |jd|n| j8||||||||| }|j!| |qt |j t9kr|j j*}|j j+}|j,|||rR|jddn|rt |jt#kr|jdd n| j(||||d|}|j!| |qt |j t:kst |j t;kr |jj<j=|j j}t |j t:kr> |jr> t |jtkr> ttjdn|jr xv|D]k}||jkrN | j| rN ttjdt |j t:kr dnd|j j| jfqN qN Wnd}|r |j|d|j|dn| j>||||}|j!| |q|j dkr |rB |jddn|rp t |jt#krp |jdd n| j?|||}|j!| |qttjdt |j qW|S(NRtRuRs;Source address family '%s' conflicts with rule family '%s'.is"Destination conflict with service.tfiltertINPUTtrawt PREROUTINGt conntracktnatitmanglet POSTROUTINGt FORWARD_OUTt FORWARD_INs'IcmpBlock not usable with accept actionsIcmp%s %s not usable with %stBlocktTypesUnknown element %s(@tfamilyR1Rtis_ipv_enabledRR7RRt INVALID_RULEtipvstsetRkRRRRt get_serviceR@RYt destinationtis_ipv_supportedR|R]RtactionRR RRR treplaceRItbuild_zone_helper_ports_rulesRZt 
add_modulesRtbuild_zone_ports_rulesROtbuild_zone_protocol_rulesRLtbuild_zone_source_ports_rulesRR R R RtvalueRRRRtbuild_zone_masquerade_rulesRtto_portt to_addressR6tbuild_zone_forward_port_rulesRRRticmptypet get_icmptypetbuild_zone_icmp_block_rulest(build_zone_rich_source_destination_rules(R!RR)RRRWR|Rwt source_ipvRGR[tsvct destinationsRthelpersRRRRt nat_moduleR tprotoRNR R4R5t filter_chaintictRx((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRsH1   2            "                   # c CsJ|jjj|}|j|j|}|r|jjdkrU|jddnVg}x@|D]8}|j|j|jj dd} |j| qbW|j ||jddng} xdd gD]} |jj | sqn|jj | } t |jdkrE| |jkrm| j| |j| fqmq| df| kr| j| dfqqWx| D]\} } |jjdkr|x|D]}|j}t|}|jj dd} |j| |jd kr| j|j rqnt |jd kr'|j|qxK|jD]@\}}| j||||| |j|}|j| |q1WqWnxB|jD]7\}}| j||||| }|j| |qWx9|jD].}| j|||| }|j| |qWxB|jD]7\}}| j||||| }|j| |qWqxWdS( NiRoRpRqRrRmRnRtRuRi(RRR~R RRR]R|RRRRzRkRYRR1R t add_moduleRyRRIRR@RZRRORRLR(R!RR)RRWRRRRRt backends_ipvRwR[RRRR RRNR ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRsd       "  cCsn|r|jddnxN|jjD]=}|js>q)n|j||||}|j||q)WdS(NRmRn(R]RRVRWRRZ(R!RR)R R RWR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR3s  cCsk|r|jddnxK|jjD]:}|js>q)n|j|||}|j||q)WdS(NRmRn(R]RRVRWRRZ(R!RR)R RWR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR?s cCsn|r|jddnxN|jjD]=}|js>q)n|j||||}|j||q)WdS(NRmRn(R]RRVRWRRZ(R!RR)R R RWR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRJs cCsw|r)|jdd|jddnd}|jt||jj|}|j||}|j||dS(NRrRtRmRuRt(R]RRRRkRRZ(R!RR)RWRwR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRUsc Cstd|rd} nd} |s*dnd} |ri|jdd|jdd|jd| n|r|r|jt| n|jj| } | j||| |||||} |j| | dS( NRuRtRnRvRsRpRrRm(R R]RRRRkRRZ( R!RR)RWR R R4R5RRwRR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRas   c Cs|jjj|}|r>|jdd|jddnx|jjD]}|jscqNnt}|jrxBddgD]1}||jkr|j|st }PqqqWn|rqNn|j |||} |j || qNWdS(NRmRnRvRtRu( RRRR]RVRWRRRRZRRZ( R!RR)RARWRR[t 
skip_backendRwRN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRws$  cCs|j|j}|dkr dS|j| r@|dkr@dS|jdd|jdd|r|j||jnxH|jjD]7}|jsqn|j ||}|j ||qWdS( NtDROPs %%REJECT%%tREJECTtACCEPTRmRnRv(Rs %%REJECT%%R( R ttargetRR]RgR&RRVRWt%build_zone_icmp_block_inversion_rulesRZ(R!RR)RWRR[RN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRfs    N(t__name__t __module__R#R%R'R(R*R-R4R9R<RERRRUR1RjRkRsRzRRRRRRRTRRRRR/RdRRRRRRRRR6ReRRRRRRRRRRRcRRRRRRRR^RRRRRR R RR_RRRRRRRR`RR RR"RR$RaR%R(R&R*RR,RbR-R1R.RR6R8R]R9R=R:R?RRBRDR\RERIRFRKRRMRXRNRORTRSRRvRRRRhRfRRRRRRRRRRRRf(((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR's$            <      ) ?       '         &                                                                   (   (           A  ((Rtfirewall.core.baseRRRtfirewall.core.loggerRtfirewall.functionsRRRRRR R R R tfirewall.core.richR RRRRRRRRRRtfirewall.core.fw_transactionRRtfirewallRtfirewall.errorsRtfirewall.fw_typesRtobjectR(((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyts @Lcore/nftables.pyo000064400000115071147576556050010054 0ustar00 c`c@s~ddlZddlZddlmZmZddlmZddlm Z ddl m Z m Z m Z mZmZddlmZddlmZmZmZmZmZmZddlmZmZmZmZd Zd Ziid d efd 6d6id defd 6d6id defd 6ddefd6d6iddefd6ddefd6d6Z iid6id6id6Z!ii"dd d!dd"d#gd$6dd d!gd!6dd d%gd%6dd d&gd&6dd d!dd"d'gd(6dd d!dd"d)gd*6dd d!dd"d+gd,6dd d-dd"d.gd/6dd d!dd"d0gd16dd d!dd"d.gd26dd d3dd"d.gd46dd d!dd"d5gd66dd d-dd"d7gd86dd d!dd"d9gd:6dd d!dd"d7gd;6dd d3gd36dd d!dd"d<gd=6dd d!dd"d>gd?6dd d!dd"d@gdA6dd d-gd-6dd d3dd"d.gdB6dd dCgdC6dd dDgdD6dd dEgdE6dd d!dd"dFgdG6dd dHgdH6dd dIgdI6dd dJgdJ6dd d-dd"d<gdK6dd d!dd"dLgdM6dd d-dd"d@gdN6dd d!dd"dOgdP6dd dHdd"d.gdQ6dd dHdd"d7gdR6dS6idTd d!dTd"d<gdU6dTd d3dTd"d7gdV6dTd d!dTd"d@gdW6dTd d!dTd"d.gd$6dTd d!gd!6dTd d%gd%6dTd d&gd&6dTd d!dTd"dFgdX6dTd dYgdZ6dTd d[gd\6dTd d!dTd"d7gd]6dTd d^gd^6dTd d3gd36dTd d!dTd"d'gd=6dTd d_gd-6dTd d!dTd"d9gd`6dTd dagdC6dTd dbgdD6dTd dHgdH6dTd dHdTd"d.gdQ6dTd dHdTd"d7gdR6dTd d3dTd"d.gdc6dTd 
d3dTd"d@gdd6de6Z"dfe#fdgYZ$dS(hiN(t SHORTCUTStDEFAULT_ZONE_TARGET(trunProg(tlog(t splitArgst check_mactportStrtcheck_single_addresst check_address(tconfig(t FirewallErrort UNKNOWN_ERRORt INVALID_RULEtINVALID_ICMPTYPEt INVALID_TYPEt INVALID_ENTRY(t Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_Markt firewalldi t preroutingit PREROUTINGtrawijtmangleit postroutingidt POSTROUTINGtnattinputitINPUTtforwardtFORWARDtfiltertinettiptip6ticmpttypesdestination-unreachabletcodet13scommunication-prohibiteds echo-replys echo-requestt4sfragmentation-neededt14shost-precedence-violationt10shost-prohibitedtredirectt1s host-redirectt7s host-unknownshost-unreachablesparameter-problems ip-header-badt8snetwork-prohibitedt0snetwork-redirectt6snetwork-unknownsnetwork-unreachablet3sport-unreachablet15sprecedence-cutofft2sprotocol-unreachablesrequired-option-missingsrouter-advertisementsrouter-solicitations source-quencht5ssource-route-faileds time-exceededstimestamp-replystimestamp-requeststos-host-redirectt12stos-host-unreachablestos-network-redirectt11stos-network-unreachablesttl-zero-during-reassemblysttl-zero-during-transittipv4ticmpv6saddress-unreachables bad-headers beyond-scopes failed-policysnd-neighbor-advertsneighbour-advertisementsnd-neighbor-solicitsneighbour-solicitationsno-routespacket-too-bigs nd-redirects reject-routesnd-router-advertsnd-router-solicitsunknown-header-typesunknown-optiontipv6tnftablescBseZdZeZdZdZdZdZdZ dZ dZ dZ d3d Zd Zd Zd Zd ZddZdZeddZddZddZdZdZdZdZdZdZdZdZ d3d3dZ!d3d3dZ"d3d3dZ#d Z$d3d!Z%d3d"Z&d#Z'd3d$Z(d%Z)d3d&Z*d'Z+ed(Z,d)Z-d*Z.d+Z/d3d,Z0d-Z1d.Z2d/Z3d0Z4d1Z5d2Z6RS(4R:cCsK||_tjd|_|jg|_i|_i|_i|_dS(Ntnft( t_fwR tCOMMANDSt_commandt fill_existstavailable_tablestrule_to_handletrule_ref_counttzone_source_index_cache(tselftfw((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt__init__s     cCs%tjj|j|_t|_dS(N(tostpathtexistsR>tcommand_existstFalsetrestore_command_exists(RD((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR?sc 
Csy?|jd}|j||j|}||df}WnLtk ry&|jd}|j|d}Wqtk rdSXnX|d}|r| r||kr|||kr||j|qn|r||krg||sitinsertitaddtindexs%d( RRtpopt ValueErrortNonetremovetappendtsortR<t_allow_zone_driftingtlenRP( RDtrule_addtruleRCtitzonet zone_sourcetfamilyRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_run_replace_zone_sourcesD                 c Csddg}|}|ddkrs|ddkrs|}d|dRUtTruetintt ExceptionR R RStjoinRKRBR Rtdebug2t __class__tcopytdeepcopyRCRaRARTRRRZtstrip( RDtargstnft_optst_argst _args_testtstatustoutputtrule_keyR[RCt _args_strtstrtoffset((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt__runs|           #!     cCsAy|j|}Wntk r'tSX||||d+tSdS(Ni(RRRTRKRi(RDR\tpatternt replacementR]((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt _rule_replace,s  cCs|}d|d<|S(NRbi((RDRrtret_args((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt reverse_rule5s cCsttddS(Nsnot implemented(R R (RDtrulest log_denied((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt set_rules:sc Csd}d|ks*d|ks*d|kr3d}n-d|ksWd|ksWd|kr`d}n|j|dd d |d d g|j|d dddgy|jd}Wntk rnDX|dkrdS|dkrd|g|||d+n |j||j|S(NticmpxR7R"R$R9R#R8s %%REJECT%%trejecttwithR%sadmin-prohibiteds%%ICMP%%tmetatl4protos{icmp, icmpv6}s %%LOGTYPE%%toffRetunicastt broadcastt multicasttpkttypei(RRR(RRRRTRSt_nftables__run(RDR\Rt icmp_keywordR]((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytset_ruleCs$$ $      cCs|r |gStjS(N(tIPTABLES_TO_NFT_HOOKtkeys(RDRc((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytget_available_tablesbscCsYi|_i|_i|_g}x1tjD]#}|jdd|dtgq.W|S(NRbRcs%s(RARBRCt OUR_CHAINSRRWt TABLE_NAME(RDRR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_flush_rulesfs   !cCstdd}g}|dkr|jddd|gxddgD]:}d |d ||d td f}|jt|qFWn5|d kr|jddd|gn ttd|S(Nt_t policy_droptDROPRQRcR!RRwsMadd chain inet %s %s_%s '{ type filter hook %s priority %d ; policy drop ; }'RiitACCEPTRbsnot implemented(RRWtNFT_HOOK_OFFSETRR R (RDtpolicyt table_nameRthookt 
_add_chain((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_set_policy_rulesps   cCsAt}x+tjD]}|jt|jqWt|S(N(tsettICMP_TYPES_FRAGMENTRtupdateRd(RDt supportedtipv((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytsupported_icmp_typess cCsAg}x+tjD]}|jd|tfqWtt|S(Nsadd table %s %s(RRRWRtmapR(RDtdefault_tablesR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_default_tablessRc Csg}ttddadd rule inet %s filter_%s ct state established,related acceptRs,add rule inet %s filter_%s iifname lo acceptsadd chain inet %s filter_%s_%ss,add rule inet %s filter_%s jump filter_%s_%sRs_add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '"STATE_INVALID_DROP: "'s0add rule inet %s filter_%s ct state invalid dropsHadd rule inet %s filter_%s %%%%LOGTYPE%%%% log prefix '"FINAL_REJECT: "'sBadd rule inet %s filter_%s reject with icmpx type admin-prohibiteds$add chain inet %s filter_%s_IN_ZONESRtINtOUTs!add chain inet %s filter_%s_%s_%ss/add rule inet %s filter_%s jump filter_%s_%s_%stINPUT_ZONES_SOURCEt INPUT_ZONEStFORWARD_IN_ZONES_SOURCEtFORWARD_IN_ZONEStFORWARD_OUT_ZONES_SOURCEtFORWARD_OUT_ZONES( RRRRRWRR<RYRRR(RDRt default_rulestchaintdispatch_suffixR`t direction((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_default_ruless (0 (0  ( 4 (!  
((  cCsY|dkrdddgS|dkr,dgS|dkrBddgS|d krUdgSiS( NR Rt FORWARD_INt FORWARD_OUTRRRRR((RDRc((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytget_zone_table_chainss      R!c Cs|dkrr|dkrrg}|j|j||||||d|j|j||||||d|Sidd6dd6dd 6dd 6dd 6dd 6|} |t|d dkr|t|d  d}ntjdt|d|} d} |r3| r3dd|dtd||fdg} ne|r_dd|dtd||fg} n9dd|dtd||fg} |s| dg7} n|dkr| | d|| fg7} n(| | d|d| d|| fg7} | gS(NRR!R"R#tiifnameRtoifnameRRRRtOUTPUTit+t*RR^tgotoRPR\s%ss %s_%s_ZONESs%%ZONE_INTERFACE%%RQRbs%s_%ss"(textendt!build_zone_source_interface_rulesRZRtformatRR( RDtenableR^t interfaceRcRRWR`RtoptttargettactionR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyRs>  &# (cCsK|dkr|dkrg}|jdrI|j|td}nd}td|svt|sv|dkr|j|j|||||dntd|st|s|dkr|j|j|||||dn|Sidt6d t 6|} id d 6d d 6d d6d d6d d6d d6|} |j j r\d||f} nd||f} t j dt|d|} d} |jdr|td}|j|}d|}nCt|r| d krdSd}ntd|rd}nd}| d|dt| d||| || d|| fg }|gS(NRR!sipset:R7R"R9R#RPRbtsaddrRtdaddrRRRRRs%s_%s_ZONES_SOURCEs %s_%s_ZONESRR^Rt@RetetherR\s%ss%%ZONE_SOURCE%%s%s_%s(t startswitht_set_get_familyRZRURRRtbuild_zone_source_address_rulesRiRKR<RYRRRR(RDRR^taddressRcRR`Rt ipset_familytadd_delRtzone_dispatch_chainRRtipsett rule_familyR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR$sT''      c Cs.|dkr`|dkr`g}|j|j|||d|j|j|||d|Stjdt|d|}t||jt|d|d|d |gg}|jd d|d t d ||fg|jd d|d t d ||fg|jd d|d t d||fg|jd d|d t d||fg|jd d|d t d ||fdd ||fg|jd d|d t d ||fdd||fg|jd d|d t d ||fdd||fg|j j j |j }|j jdkr|dkr|d kr|d!kr|}|dkrud}n|jd d|d t d ||fdddd||fg qqn|dkr*|d"kr*|d#kr*|jd d|d t d ||f|dkr|jndgn|S($NRR!R"R#RR^s%s_logs%s_denys%s_allowRQs%ss%s_%ss %s_%s_logs %s_%s_denys %s_%s_allowR\tjumpRR RRRRtREJECTs %%REJECT%%Rs %%LOGTYPE%%Rtprefixs"filter_%s_%s: "R(sINPUTs FORWARD_INs FORWARD_OUTsOUTPUT(Rs %%REJECT%%sDROP(sACCEPTRs %%REJECT%%sDROP(sINPUTs FORWARD_INs FORWARD_OUTsOUTPUT(Rtbuild_zone_chain_rulesRRRRRRRWRR<R^t_zonesRtget_log_deniedtlower( RDR^RcRR`Rt_zoneRt log_suffix((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR^s^            
%cCsiddddgd6ddddgd6ddddgd6ddddgd 6dddd gd 6dddd gd 6dd dd gd6dd dd gd6ddddgd6ddddgd6ddddgd6ddddgd6ddddgd6dd ddgd6ddddgd6ddddgd6ddddgd6dd ddgd6dd ddgd 6dd dd!gd"6dd dd!gd!6dd#d$gd%6dd#d$gd&6}||S('NRR$R%shost-prohibitedsicmp-host-prohibiteds host-prohibsnet-prohibitedsicmp-net-prohibiteds net-prohibsadmin-prohibitedsicmp-admin-prohibiteds admin-prohibR8sicmp6-adm-prohibitedsadm-prohibitedsnet-unreachablesicmp-net-unreachables net-unreachshost-unreachablesicmp-host-unreachables host-unreachsport-unreachablesicmp-port-unreachablesicmp6-port-unreachableRs port-unreachsprot-unreachablesicmp-proto-unreachables proto-unreachsaddr-unreachablesicmp6-addr-unreachables addr-unreachsno-routesicmp6-no-routettcptresets tcp-resetstcp-rst((RDt reject_typetfrags((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_reject_types_fragments2cCs|s gSidd6dd6dd6dd6}y|jjd }Wn tk rdttd nXd d |jd |!d ||j|dgS(Ntsecondtstminutetmthourthtdaytdt/sExpected '/' in limittlimittrateii(tvalueRRRTR R (RDRt rich_to_nftR]((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_limit_fragments  cCs|js gSidt6dt6|}|dddtd||fg}||dg7}|jjr|dd |jjg7}n|jjr|d d |jjg7}n||j|jj7}|S( NRQRbR\R!s%ss %s_%s_logRRs"%s"tlevel(RRiRKRRRRR(RDt rich_ruleRRcRt rule_fragmentRR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_logs   cCs||js gSidt6dt6|}|dddtd||fg}||ddd g7}||j|jj7}|S( NRQRbR\R!s%ss %s_%s_logRRtaudit(RRiRKRRR(RDRRRcRRRR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_audits c Cs|js gSidt6dt6|}t|jtkrVd||f}dg} nt|jtkrd||f}dg} |jjr^| |j|jj7} q^nt|jtkrd||f}dg} n~t|jtkrBt j dt d d |}d }d||f}d d d|jj g} nt tdt|j|dddt|g} | |7} | |j|jj7} | | 7} | S(NRQRbs %s_%s_allowtaccepts %s_%s_denyRtdropRRR^RRtmarkRsUnknown action %sR\R!s%s(RRiRKR%RRRRRRRRRR R RRR( RDR^RRRcRRRRt rule_actionR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_actions6        cCsS|s gS|dkr#dddgS|dkr<dddgSttd|dS(NR7RtnfprotoR9sInvalid family(R R (RDt 
rich_family((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_family_fragments    cCsx|s gSg}td|jr2|dg7}n |dg7}|jra|dd|jg7}n|d|jg7}|S(NR7R"R#Rs!=(Rtaddrtinvert(RDt rich_destR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_destination_fragments  cCsJ|s gSg}|jrtd|jr;|dg7}n |dg7}|jrj|dd|jg7}qF|d|jg7}nt|dr|jr|jr|ddd|jg7}qF|dd|jg7}npt|drF|jrF|j|j}|jr)||ddd |jg7}qF||dd |jg7}n|S( NR7R"R#Rs!=tmacRRR(RRRthasattrRRR(RDt rich_sourceRR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_source_fragment,s(      c Csidt6dt6|}d}tjdtdd|} g} |r_| |j|j7} n|rtd|r| dg7} n | d g7} | d |g7} n|r| |j|j 7} | |j |j 7} n| |d d t |d g7} | st |jtkr+| dddg7} ng} |r| j|j|||| | | j|j|||| | | j|j||||| | n5| j|ddd td|| fg| dg| S(NRQRbR RRR^R7R"R#Rtdports%st-tcttstates new,untrackedR\R!s %s_%s_allowR(RiRKRRRRR`RRt destinationR tsourceRR%RRRWRRRR( RDRR^tprototportRRRRcRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_ports_rulesIs2  ""(/c Csidt6dt6|}d}tjdtdd|}g} |r_| |j|j7} n|rtd|r| dg7} n | d g7} | d |g7} n|r| |j|j7} | |j|j 7} | |j |j 7} nd d |g} | st |j tkr0| d ddg7} ng} |r| j|j||||| | j|j||||| | j|j|||||| n/| j|dddtd|g| dg| S(NRQRbR RRR^R7R"R#RRRR R s new,untrackedR\R!s%ssfilter_%s_allowR(RiRKRRRRR`RRRR RR%RRRWRRRR( RDRR^tprotocolRRRRcRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_protocol_rulesjs4 ""()c Csidt6dt6|}d}tjdtdd|} g} |r_| |j|j7} n|rtd|r| dg7} n | d g7} | d |g7} n|r| |j|j 7} | |j |j 7} n| |d d t |d g7} | st |jtkr+| dddg7} ng} |r| j|j|||| | | j|j|||| | | j|j||||| | n5| j|ddd td|| fg| dg| S(NRQRbR RRR^R7R"R#Rtsports%sR R R s new,untrackedR\R!s %s_%s_allowR(RiRKRRRRR`RRRR RRR%RRRWRRRR( RDRR^RRRRRRcRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_source_ports_ruless2  ""(/c Csidt6dt6|}tjdtdd|} |dddtd | g} |rtd |rv| d g7} n | d g7} | d |g7} n| |ddt|dg7} | dddd||fg7} dddtd||fddd|d|ddg } | | gS(NRQRbRRR^R\R!s%ssfilter_%s_allowR7R"R#RR R R 
thelperRs"helper-%s-%s"s helper-%s-%st{R%s"%s"Rt;t}(RiRKRRRRRR( RDRR^RRRt helper_nametmodule_short_nameRRR\t helper_object((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_helper_ports_ruless"       cCsidt6dt6|}tjdtdd|}g}|ro||j|j7}||j|j7}n|d|dt d|g|d d d d ggS( NRQRbRRR^R\s%ss nat_%s_allowRs!=tlot masquerade( RiRKRRRRRR RR(RDRR^R`RRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt _build_zone_masquerade_nat_ruless cCsg}|rd|jr$|jdksB|jrdtd|jjrd|j|j||d|n}|r|jr|jdks|jrtd|jjr|j|j||d|n|j|j||d|idt6dt6|}tj dt dd |}g}|rP||j |j 7}||j |j7}n|j|d d d td |g|ddddg|S(NR9R#R7R"RQRbRRR^R\R!s%ssfilter_%s_allowR R s new,untrackedR(R`RRRRR!RiRKRRRRRR RWR(RDRR^RRRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_masquerade_ruless$"" 2c Csidt6dt6|}tjdtdd|} g} |rV| dd|g7} n| ddg7} |r|d kr| d t|d g7} n|d |d td| dd|g|| gS(NRQRbRRR^tdnatttoR+Res:%sR R\s%ss nat_%s_allowRR(RiRKRRRRR( RDRR^Rt mark_fragmentttoaddrttoportR`RRt dnat_fragment((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt"_build_zone_forward_port_nat_ruless c Csaidt6dt6|} d|} dd| g} tjdtdd|} g}| r||j| j7}||j| j7}||j | j 7}ng}|j | d d d t d | g||d |ddd| g| rC| jr| jdks|rCt d|rC|j|j|||| ||dn| r| jra| jdksv|rt d|r|j|j|||| ||dnh|rt d|r|j|j|||| ||dn(|j|j|||| ||dtjdt|d|} |j | d d d t d| dddg| dg|S(NRQRbs0x%xRRRRR^R\R!s%ssmangle_%s_allowR RR9R#R7R"sfilter_%s_allowR R s new,untrackedR(RiRKRRRRR`RRR RRWRRRR)(RDRR^t filter_chainRRR'R&tmark_idRRtmark_strR%RRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_forward_port_ruless@   2cCs<|t|krt||Sttd||jfdS(Ns"ICMP type '%s' not supported by %s(RR R tname(RDRt icmp_type((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_icmp_types_to_nft_fragment/s c Csd}idt6dt6|}|r9|jr9|j}n\|jrg}d|jkrg|jdnd|jkr|jdqn ddg}g}x/|D]'} xddgD]} tjdt| d |} |jj j |rd || f} d } nd || f} d } g}|rl||j |j 7}||j |j7}||j|j7}n||j| |j7}|r8|j|j|||| ||j|j|||| ||jr|j|j||||| |q|j|dddtd || fg|d gq|jjdkr| d kr|j|dddt| 
g|dddd||fgn|j|dddt| g|| gqWqW|S(NR RQRbR7R9RRRR^s %s_%s_allowRs %s_%s_denys %%REJECT%%R\R!s%sRs %%LOGTYPE%%RRs"%s_%s_ICMP_BLOCK: "(RiRKtipvsRRWRRRR<R^tquery_icmp_block_inversionRR`RR RR0R.RRRRRR(RDRR^tictRRcRR1RRRRt final_chaint final_targetR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_icmp_block_rules6sT      "" (2! -c Csd}g}xddgD]}tjdt|d|}djddtd ||fd d ||fg}|j|}|jjj|rd } nd } |rddddtd ||fd|g} n#ddddtd ||fg} | d| g7} |j | |jjj|r|jj dkr|rpddddtd ||fd|g} n#ddddtd ||fg} | ddddd||fg7} |j | qqqW|S(NR RRRR^RgR!s%ss%s_%sRs %s_%s_allows %%REJECT%%RRQR\RfRbs%%ICMP%%Rs %%LOGTYPE%%RRs"%s_%s_ICMP_BLOCK: "( RRRRlRRAR<R^R2RWR( RDRR^RcRRRRxt rule_handlet ibi_targetR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt%build_zone_icmp_block_inversion_rulesls<     cCsg}|jddddtdddd d d d d dddg|dkr|jddddtdddd d d d d dddddgn|jddddtdddddg |S(NRPR\R!s%ssraw_%sRRRR9tfibRt.tiiftoiftmissingRRRRs"rpfilter_DROP: "R8R%s){ nd-router-advert, nd-neighbor-solicit }Rtraw_PREROUTINGR?R?(RWR(RDRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_rpfilter_ruless   cCsd}tjdtdd|}g}||j|j7}||j|j7}||j|j7}g}|j |j ||||||j |j ||||||j |j |||||||S(NR RRR^( RRRRR`RRR RRWRRR(RDRR^RRcRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt(build_zone_rich_source_destination_ruless ""%cCs|dkrtStS(NR7R9teb(sipv4sipv6RB(RiRK(RDR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytis_ipv_supporteds cCs;idd6dd6}i ||gd6||ddgd6||dd ||gd 6||dd ||gd 6||d gd 6||gd6||ddgd6||dd ||gd6||dd ||gd6||dgd6dgd6}ydg||dgSWn$tk r6ttd|nXdS(Nt ipv4_addrR7t ipv6_addrR9shash:ips . inet_protos. inet_services hash:ip,ports. inet_service .shash:ip,port,ipshash:ip,port,nets. marks hash:ip,markshash:nets hash:net,portshash:net,port,ipshash:net,port,nets. 
ifnameshash:net,ifacet ether_addrshash:macR%Rs!ipset type name '%s' is not valid(tKeyErrorR R(RDRR%tipv_addrttypes((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_set_type_fragments(   c Cs)|r+d|kr+|ddkr+d}nd}|dg}||j||7}|rd|kr|d|dddg7}nd |kr|d |d dg7}qn| sd|krd |kr|d d dg7}n|dg7}x4dddgD]#}|jdd|tg|qWdS(NR`tinet6R9R7RttimeoutRRtmaxelemtsizet,tflagstintervalRR!R"R#RQR(RJRR(RDR.R%toptionsRtcmdR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt set_creates "      cCs:x3dddgD]"}|jdd|t|gqWdS(NR!R"R#RbR(RR(RDR.R`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt set_destroyscCs)|jjj|jddjd}|jd}t|t|krdttdng}xtt|D]}||dkry||jd}Wn(t k r|dd||g7}qX|||| d|||dg7}n|j |||j dq}W|d S( Nt:iROs+Number of values does not match ipset type.RRR;i( R<Rtget_typetsplitRZR RtrangeRRRTRW(RDR.tentryt type_formatt entry_tokenstfragmentR]RR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_set_entry_fragments +  *cCsTxMdddgD]<}|jdd|t|dg|j||dgqWdS(NR!R"R#RQtelementRR(RRR^(RDR.RZR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytset_addscCsTxMdddgD]<}|jdd|t|dg|j||dgqWdS(NR!R"R#RbR_RR(RRR^(RDR.RZR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt set_deletescCs:x3dddgD]"}|jdd|t|gqWdS(NR!R"R#tflushR(RR(RDR.R`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt set_flushscCsk|jjj|}|jdkr-d}n:|jrad|jkra|jddkrad}nd}|S(Nshash:macRR`RKR#R"(R<Rt get_ipsetR%RR(RDR.RR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR!s  N(7t__name__t __module__R.Ritzones_supportedRFR?RaRRRRRRURRRRRRRRKRRRRRRRRRRR RRRRR!R"R)R-R0R6R9R@RARCRJRTRUR^R`RaRcR(((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR:sf  - U      T  + 9 @   "  !#!     ,  6 2          (%tos.pathRGRotfirewall.core.baseRRtfirewall.core.progRtfirewall.core.loggerRtfirewall.functionsRRRRRtfirewallR tfirewall.errorsR R R R RRtfirewall.core.richRRRRRRRRRtobjectR:(((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyts  (."   
core/fw_test.pyo000064400000042710147576556050007730 0ustar00 c`c@sdgZddlZddlZddlZddlmZddlmZddlm Z ddl m Z ddl m Z ddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddl m!Z!ddl"m#Z#m$Z$ddl%m&Z&ddl'm(Z(ddl)m*Z*ddlm+Z+ddl,m-Z-de.fdYZ/dS(t Firewall_testiN(tconfig(t functions(tFirewallIcmpType(tFirewallService(t FirewallZone(tFirewallDirect(tFirewallConfig(tFirewallPolicies(t FirewallIPSet(tFirewallHelper(tlog(tfirewalld_conf(tDirect(tservice_reader(ticmptype_reader(t zone_readertZone(t ipset_reader(t IPSET_TYPES(t helper_reader(terrors(t FirewallErrorcBs+eZdZdZdZdZeedZdZedZ dZ dZ d Z d Z d Zd Zd ZdZdZdZdZedZdZdZdZdZdZdZdZdZdZdZdZ dZ!RS(cCsttj|_t|_t|_t|_t|_t |_ t ||_ t ||_t||_t||_t||_t|_t||_t||_|jdS(N(R RtFIREWALLD_CONFt_firewalld_conftFalsetip4tables_enabledtip6tables_enabledtebtables_enabledt ipset_enabledRtipset_supported_typesRticmptypeRtserviceRtzoneRtdirectRRtpoliciesR tipsetR thelpert_Firewall_test__init_vars(tself((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt__init__8s      cCshd|j|j|j|j|j|j|j|j|j|j |j |j |j |j |j|jfS(Ns>%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)(t __class__RRRt_statet_panict _default_zonet_module_refcountt_markst _min_marktcleanup_on_exittipv6_rpfilter_enabledRt_individual_callst _log_deniedt_automatic_helpers(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt__repr__LscCsyd|_t|_d|_i|_g|_tj|_tj |_ tj |_ tj |_tj|_tj|_dS(NtINITt(R*RR+R,R-R.RtFALLBACK_MINIMAL_MARKR/tFALLBACK_CLEANUP_ON_EXITR0tFALLBACK_IPV6_RPFILTERR1tFALLBACK_INDIVIDUAL_CALLSR2tFALLBACK_LOG_DENIEDR3tFALLBACK_AUTOMATIC_HELPERSR4(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt __init_varsUs          cCs|jS(N(R2(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytindividual_callscsc Cstj}tjdtjy|jjWntk rMtjdn X|jj dru|jj d}n|jj drt |jj d|_ n|jj dr|jj d}|dk r|j d-krt|_qn|jj drp|jj d}|dk rp|j d.krptjd y|jjWqmtk riqmXqpn|jj d r|jj d }|dk r|j d/krt|_n|j d0krt|_qqn|jrtjd n tjd|jj drf|jj d}|dk rf|j 
d1krftjdt|_qfn|jj dr|jj d}|dks|j dkrd|_q|j |_tjd|jn|jj drm|jj d}|dk rm|j d2kr'd|_n-|j d3krEd |_n|j |_tjd|jqmn|jjtj|jtjdy|jjjWn]tk r }|jjrtjd|jjj|q tjd|jjj|nX|jjtj|j|j tj!d|j tj"d|j tj#d|j tj$dt%|j&j'dkrtjdn|j tj(d|j tj)d|j tj*d|j tj+dt%|j,j-dkrtjdn|j tj.d|j tj/dt%|j0j1dkrrtj2d t3j4d!nt}xEd"d#d$gD]4}||j0j1krtj2d%|t}qqW|rt3j4d!n||j0j1krId&|j0j1kr d&}n$d'|j0j1kr'd'}nd"}tjd(|||}ntjd)|t5tj6} t7j8j9tj6rtjd*tj6y| jWqtk r}tjd+tj6|qXn|jj:tj| |j;||_<d,|_=dS(4Ns"Loading firewalld config file '%s's0Using fallback firewalld configuration settings.t DefaultZonet MinimalMarkt CleanupOnExittnotfalsetLockdowntyesttruesLockdown is enabledt IPv6_rpfiltersIPv6 rpfilter is enabledsIPV6 rpfilter is disabledtIndividualCallssIndividualCalls is enabledt LogDeniedtoffsLogDenied is set to '%s'tAutomaticHelperssAutomaticHelpers is set to '%s'sLoading lockdown whitelists*Failed to load lockdown whitelist '%s': %sR$RisNo icmptypes found.R%R sNo services found.R!sNo zones found.itblocktdropttrustedsZone '%s' is not available.tpublictexternals+Default zone '%s' is not valid. 
Using '%s'.sUsing default zone '%s'sLoading direct rules file '%s's)Failed to load direct rules file '%s': %stRUNNING(RCRD(syesRG(RCRD(syesRG(syesRG(RCRD(syesRG(>Rt FALLBACK_ZONER tdebug1RRtreadt ExceptiontwarningtgettintR/tNonetlowerRR0R#tenable_lockdownRR1tTrueR2R3R4tset_firewalld_conftcopytdeepcopytlockdown_whitelisttquery_lockdownterrortfilenamet set_policiest_loadertFIREWALLD_IPSETStETC_FIREWALLD_IPSETStFIREWALLD_ICMPTYPEStETC_FIREWALLD_ICMPTYPEStlenRt get_icmptypestFIREWALLD_HELPERStETC_FIREWALLD_HELPERStFIREWALLD_SERVICEStETC_FIREWALLD_SERVICESR t get_servicestFIREWALLD_ZONEStETC_FIREWALLD_ZONESR!t get_zonestfataltsystexitR tFIREWALLD_DIRECTtostpathtexistst set_directt check_zoneR,R*( R'treloadtcomplete_reloadt default_zonetvaluetmsgRctzR!tobj((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt_startfs                            cCs|jdS(N(R(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytstartsc Cstjj|sdS|r|jtjr}|dkr}t}tjj||_|j |j||_t |_ qt }nxt tj |D]}|jds|jtjr|dkrtjjd||fr|jd||f|dtqqnd||f}tjd||y|dkrt||}|j|jjkr|jj|j}tjd||j|j|j|jj|jn!|jjtjrt|_ n|jj||jjtj|n |dkrt||}|j|jjkr|jj|j}tjd||j|j|j|jj |jn!|jjtjrt|_ n|jj!||jj!tj|n>|dkrht"||d |}|r@dtjj|tjj|d d !f|_|j |jntj|} |j|j#j$kr|j#j%|j}|j#j&|j|j'rtjd ||j|||j(|qtjd||j|j|jn*|jjtjrt|_ t| _ n|jj)| |rUtjd ||j|||j(|q|j#j)|n|d kr5t*||}|j|j+j,kr|j+j-|j}tjd||j|j|j|j+j.|jn!|jjtjr t|_ n|j+j/||jj/tj|n|dkrt0||}|j|j1j2kr|j1j3|j}tjd||j|j|j|j1j4|jn!|jjtjrt|_ n|j1j5||jj5tj|ntj6d|Wqt7k r>} tj8d||| qt9k rktj8d||tj:qXqW|r|j'r|j|j#j$kr|j#j%|j}tjd||j|j|jy|j#j&|jWnnX|jj;|jn|j#j)|ndS(NR!s.xmls%s/%stcombinesLoading %s file '%s'Rs Overloads %s '%s' ('%s/%s')R t no_check_nameiis Combining %s '%s' ('%s/%s')R$R%sUnknown reader type %ssFailed to load %s file '%s': %ssFailed to load %s file '%s':s0 Overloading and deactivating %s '%s' ('%s/%s')(<RyRztisdirt startswithRt ETC_FIREWALLDRtbasenametnamet check_nameRtdefaulttsortedtlistdirtendswithRfR]R RTRRRlt get_icmptypeRdtremove_icmptypet add_icmptypeR_R`RR Rqt 
get_servicetremove_servicet add_serviceRR!Rttget_zonet remove_zonetcombinedRtadd_zoneRR$t get_ipsetst get_ipsett remove_ipsett add_ipsetRR%t get_helperst get_helpert remove_helpert add_helperRuRRcRVt exceptiont forget_zone( R'Rzt reader_typeRt combined_zoneRdRRtorig_objt config_objR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyRfs                                             cCs|jj|jj|jj|jj|jj|jj|jj|jj|j j|j dS(N( RtcleanupR R!R$R%RR"R#RR&(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyRs         cCs|jdS(N(R(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytstopscCsdS(N((R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt check_panicscCsV|}| s|dkr(|j}n||jjkrRttj|n|S(NR7(tget_default_zoneR!RtRRt INVALID_ZONE(R'R!t_zone((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyR}s cCs(tj|s$ttj|ndS(N(RtcheckInterfaceRRtINVALID_INTERFACE(R't interface((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytcheck_interfacescCs|jj|dS(N(R t check_service(R'R ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyRscCs tj|}|dksY|dksY|dksYt|dkr|d|dkr|dkrytjd|nz|dkrtjd|nZ|dkrtjd|n:t|dkr|d|dkrtjd |nttj|ndS( Niiiiis'%s': port > 65535s'%s': port is invalids'%s': port is ambiguouss'%s': range start >= end( Rt getPortRangeRZRkR RTRRt INVALID_PORT(R'tporttrange((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt check_ports$&   &cCsA|sttjn|dkr=ttjd|ndS(Nttcptudptsctptdccps''%s' not in {'tcp'|'udp'|'sctp'|'dccp'}(RRRR(RRtMISSING_PROTOCOLtINVALID_PROTOCOL(R'tprotocol((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt check_tcpudps   cCs(tj|s$ttj|ndS(N(RtcheckIPRRt INVALID_ADDR(R'tip((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytcheck_ipscCs||dkr3tj|sxttj|qxnE|dkrftj|sxttj|qxnttjddS(Ntipv4tipv6s'%s' not in {'ipv4'|'ipv6'}(Rt checkIPnMaskRRRt checkIP6nMaskt INVALID_IPV(R'tipvtsource((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt check_addresss   
cCs|jj|dS(N(Rtcheck_icmptype(R'ticmp((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyRscCsdS(N((R'R((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyR~scCs|jS(N(R*(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt get_statescCsdS(N((R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytenable_panic_modescCsdS(N((R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytdisable_panic_modescCs|jS(N(R+(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytquery_panic_modescCs|jS(N(R3(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytget_log_deniedscCs|tjkr:ttjd|djtjfn||jkr||_|jj d||jj |j nttj |dS(Ns'%s', choose from '%s's','RJ( RtLOG_DENIED_VALUESRRt INVALID_VALUEtjoinRR3RtsettwriteR~t ALREADY_SET(R'R((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytset_log_denieds    cCs|jS(N(R4(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytget_automatic_helpersscCs|tjkr:ttjd|djtjfn||jkr||_|jj d||jj |j nttj |dS(Ns'%s', choose from '%s's','RL( RtAUTOMATIC_HELPERS_VALUESRRRRRR4RRRR~R(R'R((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytset_automatic_helperss    cCs|jS(N(R,(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyRscCs`|j|}||jkrJ||_|jjd||jjnttj|dS(NR@(R}R,RRRRRtZONE_ALREADY_SET(R'R!R((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytset_default_zones  cCs$|jjdd|jjdS(NRERF(RRR(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyR\(scCs$|jjdd|jjdS(NRERC(RRR(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytdisable_lockdown,s("t__name__t __module__R(R5R&R?RRRRfRRRR}RRRRRRRR~RRRRRRRRRRR\R(((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyR7s>                        (0t__all__tos.pathRyRvR_tfirewallRRtfirewall.core.fw_icmptypeRtfirewall.core.fw_serviceRtfirewall.core.fw_zoneRtfirewall.core.fw_directRtfirewall.core.fw_configRtfirewall.core.fw_policiesRtfirewall.core.fw_ipsetR tfirewall.core.fw_helperR 
tfirewall.core.loggerR tfirewall.core.io.firewalld_confR tfirewall.core.io.directR tfirewall.core.io.serviceRtfirewall.core.io.icmptypeRtfirewall.core.io.zoneRRtfirewall.core.io.ipsetRtfirewall.core.ipsetRtfirewall.core.io.helperRRtfirewall.errorsRtobjectR(((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyts2    core/ipXtables.pyo000064400000105467147576556050010221 0ustar00 c`c@sddlZddlZddlmZmZddlmZddlm Z ddl m Z m Z m Z mZmZmZmZmZddlmZddlmZmZmZddlmZmZmZmZddlZid d d gd 6d d gd6d dd d d gd6d dd gd6d d d gd6Zidd6dd6Z idd6dd6Z!dZ"dZ#dZ$de%fdYZ&de&fdYZ'dS( iN(t SHORTCUTStDEFAULT_ZONE_TARGET(trunProg(tlog(ttempFiletreadfilet splitArgst check_mactportStrtcheck_single_addresst check_addresst normalizeIP6(tconfig(t FirewallErrortINVALID_PASSTHROUGHt INVALID_RULE(t Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_MarktINPUTtOUTPUTtFORWARDtsecurityt PREROUTINGtrawt POSTROUTINGtmangletnattfiltersicmp-host-prohibitedtipv4sicmp6-adm-prohibitedtipv6ticmps ipv6-icmpcCsidd6dd6dd6dd6dd6d d 6}|}x|D]}y|j|}Wntk rmq>nX|d kryt||d Wntk rqX|j|d n||||W|S( s Inverse valid rule s-Ds-As--deletes--appends-Is--inserts-Xs-Ns--delete-chains --new-chaini(s-Is--insert(tindext Exceptiontinttpop(targst replace_argstret_argstargtidx((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcommon_reverse_rule7s*     cCsidd6dd6dd6dd6dd6d d 6}|}x|D]}y|j|}Wntk rmq>nX|dkryt||d Wntk rqX|j|d n||||<|SWttd d S(s Reverse valid passthough rule s-Ds-As--deletes--appends-Is--inserts-Xs-Ns--delete-chains --new-chainisno '-A', '-I' or '-N' argN(s-Is--insert(R!t ValueErrorR#R$R R(R%R&R'txR)((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcommon_reverse_passthrough\s.     
cCst|}tddddddddd d d d d dddddddg}t||@dkrttdt||@dntddddddg}t||@dkrttdndS(sZ Check if passthough rule is valid (only add, insert and new chain rules are allowed) s-Cs--checks-Ds--deletes-Rs --replaces-Ls--lists-Ss --list-ruless-Fs--flushs-Zs--zeros-Xs--delete-chains-Ps--policys-Es--rename-chainisarg '%s' is not alloweds-As--appends-Is--inserts-Ns --new-chainsno '-A', '-I' or '-N' argN(tsettlenR Rtlist(R%t not_allowedtneeded((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcommon_check_passthroughs*   t ip4tablescBseZdZdZeZdZdZdZd.dZ dZ dZ dZ d Zd Zd Zd Zd ZdZdZdZd.dZdZdZdZdZdZdZddZdZedZ dZ!dZ"dZ#dZ$d Z%d!Z&d"Z'd#Z(d.d.d$Z)d.d.d%Z*d.d.d&Z+d'Z,d.d(Z-d.d)Z.d.d*Z/d+Z0d,Z1d-Z2RS(/RR4cCsz||_tj|j|_tjd|j|_|j|_|j|_ |j g|_ g|_ i|_ dS(Ns %s-restore(t_fwR tCOMMANDStipvt_commandt_restore_commandt_detect_wait_optiont wait_optiont_detect_restore_wait_optiontrestore_wait_optiont fill_existstavailable_tablestzone_source_index_cachet our_chains(tselftfw((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt__init__s    cCs4tjj|j|_tjj|j|_dS(N(tostpathtexistsR8tcommand_existsR9trestore_command_exists(RB((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR>scCs|jrB|j|krB|jgg|D]}d|^q(}ng|D]}d|^qI}tjd|j|jdj|t|j|\}}|dkrtd|jdj||fn|S(Ns%ss %s: %s %st is'%s %s' failed: %s(R;Rtdebug2t __class__R8tjoinRR+(RBR%titemt_argststatustret((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt__runs*%  c Cs|dkr|Sg}x|D]}t}x|D]}y|j|}Wntk r\q0Xt||kr0d||dkr0t}||djd}x3|D](} |} | | |d<|j| qWq0q0W|s|j|qqW|S(s5Split values combined with commas for options in optst,iN(tNonetFalseR!R+R/tTruetsplittappend( RBtrulestoptst out_rulestrulet processedtopttititemsRNt_rule((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt split_values(    & cCsAy|j|}Wntk r'tSX||||d+tSdS(Ni(R!R+RURV(RBR\tpatternt replacementR_((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt _rule_replaces  
cCs|tko|t|kS(N(tBUILT_IN_CHAINS(RBR7ttabletchain((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytis_chain_builtins cCsCd|g}|r"|jdn |jd|j||gS(Ns-ts-Ns-X(RX(RBtaddRgRhR\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_chain_ruless    cCsLd|g}|r.|d|t|g7}n|d|g7}||7}|S(Ns-ts-Is-D(tstr(RBRjRgRhR!R%R\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt build_rules   cCs t|S(N(R*(RBR%((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt reverse_rulescCst|dS(N(R3(RBR%((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcheck_passthroughscCs t|S(N(R-(RBR%((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytreverse_passthrough scCsd}y|jd}Wntk r,n(Xt||dkrT||d}nd}xndddddd gD]T}y|j|}Wntk rqsXt||dkrs||d}qsqsW||fS( NRs-tis-As--appends-Is--inserts-Ns --new-chain(R!R+R/RT(RBR%RgR_RhR^((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytpassthrough_parse_table_chain s$   cCsyb|jd}|j||j|}d|dkrQ||df}n||df}WnLtk ry&|jd}|j|d}Wqtk rdSXnXt}|ddkrt}n|r| r||kr|j|qn|r|rI||kr7|j||jd d n|j|}n!|j j r^d}n t |}d |d<|j d d|dndS(Ns%%ZONE_SOURCE%%s-miiis%%ZONE_INTERFACE%%is-Ds--deletetkeycSs|dS(Ni((R,((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt@ss-Iis%di(s-Ds--delete( R!R$R+RTRVRUtremoveRXtsortR5t_allow_zone_driftingR/tinsert(RBR\R@R_tzonet zone_sourcetrule_addR!((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_run_replace_zone_source#s>               cCs#t}i}tj|j}x|D]}|}|j|dddt|jg|j|dt|jgy|jd}Wnt k rnLX|dkrq(n|d&krd d d |g|||d +n |j ||j ||d} xpddgD]b} y|j| }Wnt k r6q Xt ||d kr |j ||j |} q q Wxzt t |D]f}x]tjD]R} | ||kr||jdo||jd rd||||i}|jdrg|dRRTRbReRiRkRmRnRoRpRqR{RRRR:R<RRRRRRRURRRRRRRRRRRRR R RRR R!R"(((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR4s\        ) ^    !  i   7 ,    !     
, 1 # t ip6tablescBs eZdZdZedZRS(RR&c Csg}|jddddddddd g |d krk|jddddddddd d d g n|jdddddddddg |jdddddddddg |S(Ns-IRs-tRs-mtrpfilters--inverts-jRR}Rs --log-prefixsrpfilter_DROP: s-ps ipv6-icmps$--icmpv6-type=neighbour-solicitationRs"--icmpv6-type=router-advertisement(RX(RBRRY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_rpfilter_ruless"    (R#R$R7RRUR((((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR&s((tos.pathRERtfirewall.core.baseRRtfirewall.core.progRtfirewall.core.loggerRtfirewall.functionsRRRRRR R R tfirewallR tfirewall.errorsR RRtfirewall.core.richRRRRRRfRRR*R-R3tobjectR4R&(((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyts<  :"     % * core/fw_direct.pyc000064400000035427147576556050010216 0ustar00 c`c@sdgZddlmZddlmZddlmZddlmZddlm Z ddl m Z ddl m Z defd YZd S( tFirewallDirecti(tLastUpdatedOrderedDict(t ipXtables(tebtables(tFirewallTransaction(tlog(terrors(t FirewallErrorcBsdeZdZdZdZdZdZdZdZd$dZ dZ d Z d$d Z d Zd Zd ZdZd$dZd$dZdZdZdZd$dZd$dZdZdZdZdZdZdZd$dZd$dZ dZ!dZ"d Z#d!Z$d"Z%d#Z&RS(%cCs||_|jdS(N(t_fwt_FirewallDirect__init_vars(tselftfw((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt__init__'s cCs d|j|j|j|jfS(Ns%s(%r, %r, %r)(t __class__t_chainst_rulest_rule_priority_positions(R ((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt__repr__+scCs1i|_i|_i|_i|_d|_dS(N(RRRt _passthroughstNonet_obj(R ((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt __init_vars/s     cCs|jdS(N(R (R ((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pytcleanup6scCs t|jS(N(RR(R ((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pytnew_transaction;scCs ||_dS(N(R(R tobj((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pytset_permanent_config@scCs|t|jt|jt|jdkr3tSt|jjt|jjt|jjdkrxtSt S(Ni( tlenRRRtTrueRtget_all_chainst get_all_rulestget_all_passthroughstFalse(R ((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pythas_configurationCs 
/%cCsu|dkr|j}n|}|j|jj|jj|jjf||dkrq|jtndS(N( RRt set_configRRRRtexecuteR(R tuse_transactiont transaction((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt apply_directLs   c Csi}i}i}xi|jD]^}|\}}xI|j|D]:}|jj|||s<|j|gj|q<q<WqWx|jD]}|\}}}xl|j|D]]\} } |jj|||| | s||krt||dddg}||kr:ttjd||fndS(Ntipv4tipv6tebs'%s' not in '%s'(RRt INVALID_IPV(R R/tipvs((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt _check_ipvs  cCsf|j||dkr(tjjn tjj}||krbttjd||fndS(NR>R?s'%s' not in '%s'(sipv4sipv6(RCRtBUILT_IN_CHAINStkeysRRRt INVALID_TABLE(R R/R0ttables((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt_check_ipv_tables    cCs|dkrJtj|}|jjr.i}qd|jj|j|}ntj|}tj|}||krtt j d|n||krtt j d|n|dkr|jj j |dk rtt jd|qndS(NR>R?schain '%s' is built-in chainschain '%s' is reservedsChain '%s' is reserved(sipv4sipv6(sipv4sipv6(RRDRtnftables_enabledtget_direct_backend_by_ipvt our_chainsRt OUR_CHAINSRRt BUILTIN_CHAINtzonetzone_from_chainRt INVALID_CHAIN(R R/R0R1tbuilt_in_chainsRK((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt_check_builtin_chains"            cCsc|r%|jj|gj|n:|j|j|t|j|dkr_|j|=ndS(Ni(RR'R(tremoveR(R R.R1tadd((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt_register_chains cCsZ|dkr|j}n|}|jt|||||dkrV|jtndS(N(RRt_chainRR"(R R/R0R1R#R$((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyR7s   cCsZ|dkr|j}n|}|jt|||||dkrV|jtndS(N(RRRVRR"R(R R/R0R1R#R$((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt remove_chains   cCsO|j|||j|||||f}||jkoN||j|kS(N(RHRRR(R R/R0R1R.((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyR&s  cCs:|j||||f}||jkr6|j|SgS(N(RHR(R R/R0R.((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt get_chainss   cCsXg}xK|jD]@}|\}}x+|j|D]}|j|||fq0WqW|S(N(RR((R trtkeyR/R0R1((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyRs  cCs`|dkr|j}n|}|jt|||||||dkr\|jtndS(N(RRt_ruleRR"(R R/R0R1R3R4R#R$((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyR:s   
cCs`|dkr|j}n|}|jt|||||||dkr\|jtndS(N(RRR[RR"R(R R/R0R1R3R4R#R$((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt remove_rule s   cCsE|j|||||f}||jkoD||f|j|kS(N(RHR(R R/R0R1R3R4R2((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyR)scCsI|j|||||f}||jkrEt|j|jSgS(N(RHRtlistRE(R R/R0R1R2((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt get_ruless c Csmg}x`|jD]U}|\}}}x=|j|D].\}}|j||||t|fq3WqW|S(N(RR(R](R RYRZR/R0R1R3R4((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyR%s *cCs|r||jkr(t|j|R?s %s_directit_directs"rule '%s' already is in '%s:%s:%s'srule '%s' is not in '%s:%s:%s'ii(sipv4sipv6(RHRRIRNtcreate_zone_base_by_chainRJtis_chain_builtinRRRtALREADY_ENABLEDt NOT_ENABLEDRtsortedRERR:t build_ruleRatadd_fail(R R`R/R0R1R3R4R$RVtbackendR2R_tindext positionstj((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyR[{sL         (%% cCs"|j|||j|||||f}|r|||jkr||j|krttjd|||fqnD||jks||j|krttjd|||fn|jj|}|j ||j ||||j ||||j |j ||| dS(Ns chain '%s' already is in '%s:%s'schain '%s' is not in '%s:%s'( RHRRRRRRqRrRRJt add_rulestbuild_chain_rulesRURu(R RTR/R0R1R$R.Rv((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyRVs$   c Csn|j|t|}|rc||jkr||j|krttjd||fqnA||jks||j|krttjd||fn|jj|}|r|j ||dkr|j |\}}|r|r|jj j |||qn|} n|j |} |j|| |j||||j|j||| dS(Nspassthrough '%s', '%s'R>R?(sipv4sipv6(RCRlRRRRqRrRRJtcheck_passthroughtpassthrough_parse_table_chainRNRotreverse_passthroughR:RiRu( R R`R/R4R$t tuple_argsRvR0R1t_args((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyRjs0        N('t__name__t __module__R RR RRRR RR%R5R6R!RCRHRRRUR7RWR&RXRR:R\R)R^RRaRhRiR;RkR*RRmR[RVRj(((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyR&sH          '              _ N(t__all__tfirewall.fw_typesRt firewall.coreRRtfirewall.core.fw_transactionRtfirewall.core.loggerRtfirewallRtfirewall.errorsRtobjectR(((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyts core/logger.pyo000064400000066667147576556050007555 0ustar00 
c`c@sddddgZddlZddlZddlZddlZddlZddlZddlZddlZddl Z ddl Z de fdYZ de fdYZ d e fd YZd e fd YZde fd YZde fdYZeZdS(t LogTargettFileLogtLoggertlogiNcBs5eZdZdZddZdZdZRS(s% Abstract class for logging targets. cCs d|_dS(N(tNonetfd(tself((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyt__init__(sicCstddS(Ns%LogTarget.write is an abstract method(tNotImplementedError(Rtdatatleveltloggertis_debug((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pytwrite+scCstddS(Ns%LogTarget.flush is an abstract method(R(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pytflush.scCstddS(Ns%LogTarget.close is an abstract method(R(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pytclose1s(t__name__t __module__t__doc__RR RR(((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR&s    t _StdoutLogcBs/eZdZddZdZdZRS(cCstj|tj|_dS(N(RRtsyststdoutR(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR8s icCs|jj||jdS(N(RR R(RR R R R ((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR <scCs|jdS(N(R(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRAscCs|jjdS(N(RR(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRDs(RRRR RR(((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR7s   t _StderrLogcBseZdZRS(cCstj|tj|_dS(N(RRRtstderrR(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRKs (RRR(((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRJst _SyslogLogcBs/eZdZddZdZdZRS(cCs=tj|tjtjjtjdtj tj dS(Ni( RRtsyslogtopenlogtostpathtbasenameRtargvtLOG_PIDt LOG_DAEMON(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRSs icCsd}|rtj}nl||jkr3tj}nQ||jkrNtj}n6||jkritj}n||j krtj }n|j dr|t |d }nt |dkr|dkrtj|qtj||ndS(Ns ii( RRt LOG_DEBUGtINFO1tLOG_INFOtWARNINGt LOG_WARNINGtERRORtLOG_ERRtFATALtLOG_CRITtendswithtlen(RR R R R tpriority((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR as"      
cCstjdS(N(Rtcloselog(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRwscCsdS(N((R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRzs(RRRR RR(((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRRs   cBsAeZdZddZdZddZdZdZRS(s< FileLog class. File will be opened on the first write. twcCs#tj|||_||_dS(N(RRtfilenametmode(RR/R0((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRs  cCs|jr dStjtjB}|jjdr?|tjO}ntj|j|d|_tj |jdtj |j|j|_t j |jt j t j dS(Ntai(RRtO_CREATtO_WRONLYR0t startswithtO_APPENDtopenR/tfchmodtfdopentfcntltF_SETFDt FD_CLOEXEC(Rtflags((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR6s icCs7|js|jn|jj||jjdS(N(RR6R R(RR R R R ((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR s  cCs'|js dS|jjd|_dS(N(RRR(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRs  cCs|js dS|jjdS(N(RR(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRs (RRRRR6R RR(((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRs    cBseZdZdZdZdZdZdZdZe Z e Z e Zddd Zd Zd d Zd d Zd dZd dZdZdZdZdZdZdZed2dZed2dZed2dZed2dZed2dZ ed2dZ!dZ"dZ#dZ$dZ%d Z&d!Z'd"Z(d#Z)d$Z*d%Z+d&Z,dd'Z-d(Z.dd)Z/ed2dd*Z0ed2dd+Z1ed2dd,Z2dd-Z3d.Z4d/Z5d0Z6dd1Z7RS(3sL Format string: %(class)s Calling class the function belongs to, else empty %(date)s Date using Logger.date_format, see time module %(domain)s Full Domain: %(module)s.%(class)s.%(function)s %(file)s Filename of the module %(function)s Function name, empty in __main__ %(label)s Label according to log function call from Logger.label %(level)d Internal logging level %(line)d Line number in module %(module)s Module name %(message)s Log message Standard levels: FATAL Fatal error messages ERROR Error messages WARNING Warning messages INFOx, x in [1..5] Information DEBUGy, y in [1..10] Debug messages NO_INFO No info output NO_DEBUG No debug output INFO_MAX Maximum info level DEBUG_MAX Maximum debug level x and y depend on info_max and debug_max from Logger class initialization. 
See __init__ function. Default logging targets: stdout Logs to stdout stderr Logs to stderr syslog Logs to syslog Additional arguments for logging functions (fatal, error, warning, info and debug): nl Disable newline at the end with nl=0, default is nl=1. fmt Format string for this logging entry, overloads global format string. Example: fmt="%(file)s:%(line)d %(message)s" nofmt Only output message with nofmt=1. The nofmt argument wins over the fmt argument. Example: from logger import log log.setInfoLogLevel(log.INFO1) log.setDebugLogLevel(log.DEBUG1) for i in range(1, log.INFO_MAX+1): log.setInfoLogLabel(i, "INFO%d: " % i) log.setFormat("%(date)s %(module)s:%(line)d [%(domain)s] %(label)s: " "%(level)d %(message)s") log.setDateFormat("%Y-%m-%d %H:%M:%S") fl = FileLog("/tmp/log", "a") log.addInfoLogging("*", fl) log.addDebugLogging("*", fl) log.addInfoLogging("*", log.syslog, fmt="%(label)s%(message)s") log.debug3("debug3") log.debug2("debug2") log.debug1("debug1") log.info2("info2") log.info1("info1") log.warning("warning\n", nl=0) log.error("error\n", nl=0) log.fatal("fatal") log.info(log.INFO1, "nofmt info", nofmt=1) iiiiiiii cCsi|_i|_d|_d|_i|_i|_i|_i|_i|_i|_ |dkryt d|n|dkrt d|n|j |_ ||_ d|_||_|j|jd|j|jd|j|jd|j|j dxbtd|j dD]J}t|d |||j|dt|d |d ||q"Wxftd|jdD]N}t|d |||j|d |t|d|d||qW|j|j|j|j|jd|jd|jd|j|j|j|j g|jd|jgt|j|j dD] }|^qd|jd|jgtd|jdD] }|^qdS(s Logger class initialization tisLogger: info_max %d is too lowisLogger: debug_max %d is too lows FATAL ERROR: sERROR: s WARNING: sINFO%dsinfo%dcsfdS(Ncsj|||S(N(tinfo(tmessagetargstkwargs(Rtx(s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyt s((RRB((RRBs8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRCssDEBUG%ds DEBUG%d: sdebug%dcsfdS(Ncsj|||S(N(tdebug(R?R@RA(RRB(s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRC)s((RRB((RRBs8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRC(ss%(label)s%(message)ss%d %b %Y %H:%M:%St*N( t_levelt _debug_levelt_formatt _date_formatt_labelt 
_debug_labelt_loggingt_debug_loggingt_domainst_debug_domainst ValueErrorR$tNO_INFOtINFO_MAXtNO_DEBUGt DEBUG_MAXtsetInfoLogLabelR(t TRACEBACKR&trangetsetattrtsetDebugLogLabeltsetInfoLogLevelR"tsetDebugLogLevelt setFormatt setDateFormattsetInfoLoggingRRtsetDebugLogging(Rtinfo_maxt debug_maxRFti((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRsX                     -cCshxat|j|jdD]F}||jkr5qnx(|j|D]\}}}|jqCWqWdS(s Close all logging targets iN(RWR(RTRLR(RR tdummyttarget((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR8s  REcCs.|j|||jkr'|j|S|jS(s Get info log level. (t _checkDomainRFtNOTHING(Rtdomain((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pytgetInfoLogLevel@s  cCsT|j|||jkr(|j}n||jkrC|j}n||j|s  cOsM|j|ddd|j|j|d|d<|j||||dS(s Debug log using debug level [1..debug_max]. There are additional debugx functions according to debug_max from __init__RliRmR N(RoRTR}R~(RR RHR@RA((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRDs  cCs)|j|jtjdgdidS(NR@RA(R~RVt tracebackt format_exc(R((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyt exceptionscCs8||ks||kr4td|||fndS(Ns*Level %d out of range, should be [%d..%d].(RP(RR RlRm((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRoscCsD|s dSx3|jD]%}|dkrtd|qqWdS(NtnlRstnofmts0Key '%s' is not allowed as argument for logging.(snlsfmtsnofmt(tkeysRP(RRAtkey((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyR}s  cCs*| s|dkr&td|ndS(NR=sDomain '%s' is not valid.(RP(RRg((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRescCs||jkrt|ts-t|tr6|}n |g}x|D]J}|rq|j|ddd|jqF|j|d|jd|jqFWnY|rgt|j |jD] }|^q}n(gt|j|jD] }|^q}|S(s Generate log level array. RliRm( tALLt isinstancetlistttupleRoRTR(RRRWtDEBUG1(RR R RqRb((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRns    +(cCspt|tst|tr'|}n |g}x9|D]1}t|jts7td|jjq7q7W|S(s Generate target array. 
s '%s' is no valid logging target.(RRRt issubclasst __class__RRPR(RRdttargetst_target((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyt _getTargetss   cCs|r.|j}|j}d|jdf}n(|j}|j}|j|jdf}t|dkru|jnxwt |d|dD]^}||krqnxC||D]7\}}}||kr|j |gj |qqWqWdS(s% Generate dict with domain by level. iiN( RORMRTRNRLR(RRR+tclearRWt setdefaulttappend(RR RNRLt_rangeR RgRc((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyt _genDomainss       c Cs|j||j||}|j|}|r@|j}n |j}x5|D]-}x$|D]}|||fg|||SqqWx-|jD]"}|j||}|rL|SqLWdS(s@ Internal function to get calling class. Returns class or None. N( RtvaluesRRRRt __bases__RR(RRRRtbaset_obj((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRs cOsd}d|kr|d}nd}d|kr>|d}nd}d|kr]|d}n|j||}|sydSt|dkr|||dRDRRoR}ReRnRRRrRtRwRzRRR~R(((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyRsdG   ;                      4(t__all__RRRRRRRR9tos.pathRtobjectRRRRRRR(((s8/usr/lib/python2.7/site-packages/firewall/core/logger.pyts(          -( 4core/watcher.pyc000064400000007062147576556050007677 0ustar00 c`c@s9dgZddlmZmZdefdYZdS(tWatcheri(tGiotGLibcBskeZdZdZdZdZdZdZdZdZ dZ d Z d Z RS( cCs1||_||_i|_i|_g|_dS(N(t _callbackt_timeoutt _monitorst _timeoutst_blocked(tselftcallbackttimeout((s9/usr/lib/python2.7/site-packages/firewall/core/watcher.pyt__init__s     cCsOtjj|}|jtjjd|j|<|j|jd|j dS(Ntchanged( RtFilet new_for_pathtmonitor_directorytFileMonitorFlagstNONEtNoneRtconnectt_file_changed_cb(Rt directorytgfile((s9/usr/lib/python2.7/site-packages/firewall/core/watcher.pyt add_watch_dir"scCsOtjj|}|jtjjd|j|<|j|jd|j dS(NR ( RR Rt monitor_fileRRRRRR(RtfilenameR((s9/usr/lib/python2.7/site-packages/firewall/core/watcher.pytadd_watch_file(scCs |jjS(N(Rtkeys(R((s9/usr/lib/python2.7/site-packages/firewall/core/watcher.pyt get_watches.scCs ||jkS(N(R(RR((s9/usr/lib/python2.7/site-packages/firewall/core/watcher.pyt has_watch1scCs|j|=dS(N(R(RR((s9/usr/lib/python2.7/site-packages/firewall/core/watcher.pyt 
remove_watch4scCs&||jkr"|jj|ndS(N(Rtappend(RR((s9/usr/lib/python2.7/site-packages/firewall/core/watcher.pyt block_source7scCs&||jkr"|jj|ndS(N(Rtremove(RR((s9/usr/lib/python2.7/site-packages/firewall/core/watcher.pytunblock_source;scCsBx;t|jjD]$}tj|j||j|=qWdS(N(tlistRRRt source_remove(RR((s9/usr/lib/python2.7/site-packages/firewall/core/watcher.pytclear_timeouts?scCs-||jkr|j|n|j|=dS(N(RRR(RR((s9/usr/lib/python2.7/site-packages/firewall/core/watcher.pyt_call_callbackDscCs|j}||jkrO||jkrKtj|j||j|=ndS|tjjks|tjjks|tjj ks|tjj kr||jkrtj|j||j|=ntj |j |j ||j|s core/prog.pyc000064400000001734147576556050007211 0ustar00 c`c@s(ddlZdgZdddZdS(iNtrunProgc Cs|dkrg}n|g|}d}|r[t|d}|jj}WdQXnidd6}y:tj|dtjdtjdtjdtd|}Wnt k rd SX|j |\}} |j d d }|j |fS(NtrtCtLANGtstdintstderrtstdoutt close_fdstenvitsutf-8treplace(iR ( tNonetopentreadtencodet subprocesstPopentPIPEtSTDOUTtTruetOSErrort communicatetdecodet returncode( tprogtargvRtargst input_stringthandleRtprocesstoutputt err_output((s6/usr/lib/python2.7/site-packages/firewall/core/prog.pyRs$       (Rt__all__R R(((s6/usr/lib/python2.7/site-packages/firewall/core/prog.pyts  core/fw_ipset.py000064400000021727147576556050007723 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2015-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
# """ipset backend""" __all__ = [ "FirewallIPSet" ] from firewall.core.logger import log from firewall.core.ipset import remove_default_create_options as rm_def_cr_opts from firewall.core.io.ipset import IPSet from firewall import errors from firewall.errors import FirewallError class FirewallIPSet(object): def __init__(self, fw): self._fw = fw self._ipsets = { } def __repr__(self): return '%s(%r)' % (self.__class__, self._ipsets) # ipsets def cleanup(self): self._ipsets.clear() def check_ipset(self, name): if name not in self.get_ipsets(): raise FirewallError(errors.INVALID_IPSET, name) def query_ipset(self, name): return name in self.get_ipsets() def get_ipsets(self): return sorted(self._ipsets.keys()) def has_ipsets(self): return len(self._ipsets) > 0 def get_ipset(self, name, applied=False): self.check_ipset(name) obj = self._ipsets[name] if applied: self.check_applied_obj(obj) return obj def _error2warning(self, f, name, *args): # transform errors into warnings try: f(name, *args) except FirewallError as error: msg = str(error) log.warning("%s: %s" % (name, msg)) def backends(self): backends = [] if self._fw.nftables_enabled: backends.append(self._fw.nftables_backend) if self._fw.ipset_enabled: backends.append(self._fw.ipset_backend) return backends def add_ipset(self, obj): if obj.type not in self._fw.ipset_supported_types: raise FirewallError(errors.INVALID_TYPE, "'%s' is not supported by ipset." 
% obj.type) self._ipsets[obj.name] = obj def remove_ipset(self, name, keep=False): obj = self._ipsets[name] if obj.applied and not keep: try: for backend in self.backends(): backend.set_destroy(name) except Exception as msg: raise FirewallError(errors.COMMAND_FAILED, msg) else: log.debug1("Keeping ipset '%s' because of timeout option", name) del self._ipsets[name] def apply_ipsets(self): for name in self.get_ipsets(): obj = self._ipsets[name] obj.applied = False log.debug1("Applying ipset '%s'" % name) for backend in self.backends(): if backend.name == "ipset": active = backend.set_get_active_terse() if name in active and ("timeout" not in obj.options or \ obj.options["timeout"] == "0" or \ obj.type != active[name][0] or \ rm_def_cr_opts(obj.options) != \ active[name][1]): try: backend.set_destroy(name) except Exception as msg: raise FirewallError(errors.COMMAND_FAILED, msg) if self._fw.individual_calls() \ or backend.name == "nftables": try: backend.set_create(obj.name, obj.type, obj.options) except Exception as msg: raise FirewallError(errors.COMMAND_FAILED, msg) else: obj.applied = True if "timeout" in obj.options and \ obj.options["timeout"] != "0": # no entries visible for ipsets with timeout continue for entry in obj.entries: try: backend.set_add(obj.name, entry) except Exception as msg: raise FirewallError(errors.COMMAND_FAILED, msg) else: try: backend.set_restore(obj.name, obj.type, obj.entries, obj.options, None) except Exception as msg: raise FirewallError(errors.COMMAND_FAILED, msg) else: obj.applied = True # TYPE def get_type(self, name): return self.get_ipset(name, applied=True).type # DIMENSION def get_dimension(self, name): return len(self.get_ipset(name, applied=True).type.split(",")) def check_applied(self, name): obj = self.get_ipset(name) self.check_applied_obj(obj) def check_applied_obj(self, obj): if not obj.applied: raise FirewallError( errors.NOT_APPLIED, obj.name) # OPTIONS def get_family(self, name): obj = self.get_ipset(name, applied=True) 
if "family" in obj.options: if obj.options["family"] == "inet6": return "ipv6" return "ipv4" # ENTRIES def __entry_id(self, entry): return entry def __entry(self, enable, name, entry): pass def add_entry(self, name, entry): obj = self.get_ipset(name, applied=True) IPSet.check_entry(entry, obj.options, obj.type) if entry in obj.entries: raise FirewallError(errors.ALREADY_ENABLED, "'%s' already is in '%s'" % (entry, name)) try: for backend in self.backends(): backend.set_add(obj.name, entry) except Exception as msg: raise FirewallError(errors.COMMAND_FAILED, msg) else: if "timeout" not in obj.options or obj.options["timeout"] == "0" \ and entry not in obj.entries: # no entries visible for ipsets with timeout obj.entries.append(entry) def remove_entry(self, name, entry): obj = self.get_ipset(name, applied=True) # no entry check for removal if entry not in obj.entries: raise FirewallError(errors.NOT_ENABLED, "'%s' not in '%s'" % (entry, name)) try: for backend in self.backends(): backend.set_delete(obj.name, entry) except Exception as msg: raise FirewallError(errors.COMMAND_FAILED, msg) else: if "timeout" not in obj.options or obj.options["timeout"] == "0" \ and entry not in obj.entries: # no entries visible for ipsets with timeout obj.entries.remove(entry) def query_entry(self, name, entry): obj = self.get_ipset(name, applied=True) if "timeout" in obj.options and obj.options["timeout"] != "0": # no entries visible for ipsets with timeout raise FirewallError(errors.IPSET_WITH_TIMEOUT, name) return entry in obj.entries def get_entries(self, name): obj = self.get_ipset(name, applied=True) return obj.entries def set_entries(self, name, entries): obj = self.get_ipset(name, applied=True) for entry in entries: IPSet.check_entry(entry, obj.options, obj.type) if "timeout" not in obj.options or obj.options["timeout"] == "0": # no entries visible for ipsets with timeout obj.entries = entries try: for backend in self.backends(): backend.set_flush(obj.name) except Exception as 
msg: raise FirewallError(errors.COMMAND_FAILED, msg) else: obj.applied = True try: for backend in self.backends(): if self._fw.individual_calls() \ or backend.name == "nftables": for entry in obj.entries: backend.set_add(obj.name, entry) else: backend.set_restore(obj.name, obj.type, obj.entries, obj.options, None) except Exception as msg: raise FirewallError(errors.COMMAND_FAILED, msg) else: obj.applied = True return core/modules.pyc000064400000007100147576556050007703 0ustar00 c`c@sYdZdgZddlmZddlmZddlmZdefdYZ dS(smodules backendtmodulesi(trunProg(tlog(tCOMMANDScBsPeZdZdZdZdZdZdZdZdZ RS(cCstd|_td|_dS(Ntmodprobetrmmod(Rt _load_commandt_unload_command(tself((s9/usr/lib/python2.7/site-packages/firewall/core/modules.pyt__init__s cCs d|jS(Ns%s(t __class__(R((s9/usr/lib/python2.7/site-packages/firewall/core/modules.pyt__repr__$sc Csg}i}tdd}x|D]y}|s5Pn|j}|j}|j|d|ddkr|djdd ||ds  core/fw_helper.py000064400000003451147576556050010050 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2015-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
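#
"""helper backend"""

__all__ = [ "FirewallHelper" ]

from firewall import errors
from firewall.errors import FirewallError


class FirewallHelper(object):
    """Runtime registry of helper objects, keyed by ``obj.name``.

    The registry stores whatever ``add_helper`` is given and only reads the
    object's ``name`` attribute; validation of the objects themselves is
    not done here.
    """

    def __init__(self, fw):
        self._fw = fw
        self._helpers = { }

    def __repr__(self):
        return '%s(%r)' % (self.__class__, self._helpers)

    # helpers

    def cleanup(self):
        """Drop every registered helper."""
        self._helpers.clear()

    def check_helper(self, name):
        """Raise FirewallError(INVALID_HELPER) unless `name` is registered."""
        # Direct dict membership: same answer as `name in self.get_helpers()`
        # without building and sorting the whole key list on every lookup,
        # and consistent with remove_helper below.
        if name not in self._helpers:
            raise FirewallError(errors.INVALID_HELPER, name)

    def query_helper(self, name):
        """Return True if a helper called `name` is registered."""
        return name in self._helpers

    def get_helpers(self):
        """Return the registered helper names as a sorted list."""
        return sorted(self._helpers.keys())

    def has_helpers(self):
        """Return True if at least one helper is registered."""
        return len(self._helpers) > 0

    def get_helper(self, name):
        """Return the helper object registered as `name`.

        Raises FirewallError(INVALID_HELPER) for an unknown name.
        """
        self.check_helper(name)
        return self._helpers[name]

    def add_helper(self, obj):
        """Register `obj` under ``obj.name``.

        An already registered helper of the same name is silently replaced.
        """
        self._helpers[obj.name] = obj

    def remove_helper(self, name):
        """Unregister helper `name`; FirewallError(INVALID_HELPER) if unknown."""
        if name not in self._helpers:
            raise FirewallError(errors.INVALID_HELPER, name)
        del self._helpers[name]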
block_source7scCs&||jkr"|jj|ndS(N(Rtremove(RR((s9/usr/lib/python2.7/site-packages/firewall/core/watcher.pytunblock_source;scCsBx;t|jjD]$}tj|j||j|=qWdS(N(tlistRRRt source_remove(RR((s9/usr/lib/python2.7/site-packages/firewall/core/watcher.pytclear_timeouts?scCs-||jkr|j|n|j|=dS(N(RRR(RR((s9/usr/lib/python2.7/site-packages/firewall/core/watcher.pyt_call_callbackDscCs|j}||jkrO||jkrKtj|j||j|=ndS|tjjks|tjjks|tjj ks|tjj kr||jkrtj|j||j|=ntj |j |j ||j|s core/prog.py000064400000002746147576556050007052 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2010-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
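#
import subprocess

__all__ = ["runProg"]


def runProg(prog, argv=None, stdin=None):
    """Run `prog` with `argv` and return ``(exit_status, combined_output)``.

    The command is started from an argument list, never through a shell,
    so arguments cannot inject further commands.  The child gets only
    ``LANG=C`` as environment (no PATH is inherited, so pass `prog` as an
    absolute path rather than relying on PATH lookup) and all descriptors
    except stdin/stdout/stderr are closed in it (``close_fds=True``).
    stderr is merged into stdout.

    :param prog: program to execute
    :param argv: list of arguments; None means no arguments
    :param stdin: optional path of a file whose contents (read as text and
                  re-encoded with the default encoding) are written to the
                  child's standard input
    :returns: ``(returncode, output)`` with the output decoded as UTF-8,
              undecodable bytes replaced.  If the process could not be
              started at all the status is 255 and the output is the
              error message.
    """
    if argv is None:
        argv = []
    args = [prog] + argv

    input_string = None
    if stdin:
        with open(stdin, 'r') as handle:
            input_string = handle.read().encode()

    # Deliberately not the caller's environment: keeps tool output in a
    # parseable, unlocalized form and passes nothing else into the child.
    env = {'LANG': 'C'}

    try:
        process = subprocess.Popen(args, stdin=subprocess.PIPE,
                                   stderr=subprocess.STDOUT,
                                   stdout=subprocess.PIPE,
                                   close_fds=True, env=env)
    except OSError as err:
        # Could not exec (missing binary, permission denied, ...).  Keep the
        # 255 status callers test for, but return the reason instead of an
        # empty string so the failure is diagnosable in the caller's error.
        return (255, str(err))

    # stderr is redirected into stdout, so the second element is always None.
    (output, _) = process.communicate(input_string)
    output = output.decode('utf-8', 'replace')
    return (process.returncode, output)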
cCst|}tddddddddd d d d d dddddddg}t||@dkrttdt||@dntddddddg}t||@dkrttdndS(sZ Check if passthough rule is valid (only add, insert and new chain rules are allowed) s-Cs--checks-Ds--deletes-Rs --replaces-Ls--lists-Ss --list-ruless-Fs--flushs-Zs--zeros-Xs--delete-chains-Ps--policys-Es--rename-chainisarg '%s' is not alloweds-As--appends-Is--inserts-Ns --new-chainsno '-A', '-I' or '-N' argN(tsettlenR Rtlist(R%t not_allowedtneeded((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcommon_check_passthroughs*   t ip4tablescBseZdZdZeZdZdZdZd.dZ dZ dZ dZ d Zd Zd Zd Zd ZdZdZdZd.dZdZdZdZdZdZdZddZdZedZ dZ!dZ"dZ#dZ$d Z%d!Z&d"Z'd#Z(d.d.d$Z)d.d.d%Z*d.d.d&Z+d'Z,d.d(Z-d.d)Z.d.d*Z/d+Z0d,Z1d-Z2RS(/RR4cCsz||_tj|j|_tjd|j|_|j|_|j|_ |j g|_ g|_ i|_ dS(Ns %s-restore(t_fwR tCOMMANDStipvt_commandt_restore_commandt_detect_wait_optiont wait_optiont_detect_restore_wait_optiontrestore_wait_optiont fill_existstavailable_tablestzone_source_index_cachet our_chains(tselftfw((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt__init__s    cCs4tjj|j|_tjj|j|_dS(N(tostpathtexistsR8tcommand_existsR9trestore_command_exists(RB((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR>scCs|jrB|j|krB|jgg|D]}d|^q(}ng|D]}d|^qI}tjd|j|jdj|t|j|\}}|dkrtd|jdj||fn|S(Ns%ss %s: %s %st is'%s %s' failed: %s(R;Rtdebug2t __class__R8tjoinRR+(RBR%titemt_argststatustret((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt__runs*%  c Cs|dkr|Sg}x|D]}t}x|D]}y|j|}Wntk r\q0Xt||kr0d||dkr0t}||djd}x3|D](} |} | | |d<|j| qWq0q0W|s|j|qqW|S(s5Split values combined with commas for options in optst,iN(tNonetFalseR!R+R/tTruetsplittappend( RBtrulestoptst out_rulestrulet processedtopttititemsRNt_rule((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt split_values(    & cCsAy|j|}Wntk r'tSX||||d+tSdS(Ni(R!R+RURV(RBR\tpatternt replacementR_((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt _rule_replaces  
cCs|tko|t|kS(N(tBUILT_IN_CHAINS(RBR7ttabletchain((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytis_chain_builtins cCsCd|g}|r"|jdn |jd|j||gS(Ns-ts-Ns-X(RX(RBtaddRgRhR\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_chain_ruless    cCsLd|g}|r.|d|t|g7}n|d|g7}||7}|S(Ns-ts-Is-D(tstr(RBRjRgRhR!R%R\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt build_rules   cCs t|S(N(R*(RBR%((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt reverse_rulescCst|dS(N(R3(RBR%((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcheck_passthroughscCs t|S(N(R-(RBR%((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytreverse_passthrough scCsd}y|jd}Wntk r,n(Xt||dkrT||d}nd}xndddddd gD]T}y|j|}Wntk rqsXt||dkrs||d}qsqsW||fS( NRs-tis-As--appends-Is--inserts-Ns --new-chain(R!R+R/RT(RBR%RgR_RhR^((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytpassthrough_parse_table_chain s$   cCsyb|jd}|j||j|}d|dkrQ||df}n||df}WnLtk ry&|jd}|j|d}Wqtk rdSXnXt}|ddkrt}n|r| r||kr|j|qn|r|rI||kr7|j||jd d n|j|}n!|j j r^d}n t |}d |d<|j d d|dndS(Ns%%ZONE_SOURCE%%s-miiis%%ZONE_INTERFACE%%is-Ds--deletetkeycSs|dS(Ni((R,((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt@ss-Iis%di(s-Ds--delete( R!R$R+RTRVRUtremoveRXtsortR5t_allow_zone_driftingR/tinsert(RBR\R@R_tzonet zone_sourcetrule_addR!((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_run_replace_zone_source#s>               cCs#t}i}tj|j}x|D]}|}|j|dddt|jg|j|dt|jgy|jd}Wnt k rnLX|dkrq(n|d&krd d d |g|||d +n |j ||j ||d} xpddgD]b} y|j| }Wnt k r6q Xt ||d kr |j ||j |} q q Wxzt t |D]f}x]tjD]R} | ||kr||jdo||jd rd||||i}|jdrg|dRRTRbReRiRkRmRnRoRpRqR{RRRR:R<RRRRRRRURRRRRRRRRRRRR R RRR R!R"(((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR4s\        ) ^    !  i   7 ,    !     
, 1 # t ip6tablescBs eZdZdZedZRS(RR&c Csg}|jddddddddd g |d krk|jddddddddd d d g n|jdddddddddg |jdddddddddg |S(Ns-IRs-tRs-mtrpfilters--inverts-jRR}Rs --log-prefixsrpfilter_DROP: s-ps ipv6-icmps$--icmpv6-type=neighbour-solicitationRs"--icmpv6-type=router-advertisement(RX(RBRRY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_rpfilter_ruless"    (R#R$R7RRUR((((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR&s((tos.pathRERtfirewall.core.baseRRtfirewall.core.progRtfirewall.core.loggerRtfirewall.functionsRRRRRR R R tfirewallR tfirewall.errorsR RRtfirewall.core.richRRRRRRfRRR*R-R3tobjectR4R&(((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyts<  :"     % * core/fw_transaction.pyc000064400000025725147576556050011271 0ustar00 c`c@sdZddgZddlmZddlmZddlmZddlm Z de fd YZ de fd YZ de fd YZ d S( s!Transaction classes for firewalldtFirewallTransactiontFirewallZoneTransactioni(tlog(terrors(t FirewallError(tLastUpdatedOrderedDicttSimpleFirewallTransactioncBseZdZdZdZdZdZdZdZdZ dZ d Z ddd Z d Zd Zd ZRS(s>Base class for FirewallTransaction and FirewallZoneTransactioncCs1||_i|_g|_g|_g|_dS(N(tfwtrulest pre_funcst post_funcst fail_funcs(tselfR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt__init__"s     cCs&|jj|j2|j2|j2dS(N(RtclearR R R (R ((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR)s cCs#|jj|jgj|dS(N(Rt setdefaulttnametappend(R tbackendtrule((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytadd_rule/scCs%x|D]}|j||qWdS(N(R(R RRR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt add_rules2s cCs&|j|jko%||j|jkS(N(RR(R RR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt query_rule6scCsF|j|jkrB||j|jkrB|j|jj|ndS(N(RRtremove(R RR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt remove_rule9s(cGs|jj||fdS(N(R R(R tfunctargs((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytadd_pre=scGs|jj||fdS(N(R R(R 
RR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytadd_post@scGs|jj||fdS(N(R R(R RR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytadd_failCscCstjdt||df|dkr5i}n|dkrJg}n|sx|jD]R}xIt|j|D]4}|j|gj|jj |j |qtWqZWn4x1|jD]&}|j|gj |j|qW||fS(Ns%s.prepare(%s, %s)s...( Rtdebug4ttypetNoneRtreversedRRRtget_backend_by_namet reverse_ruletextend(R tenableRtmodulest backend_nameR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytprepareFs     '$cCs1tjdt||f|j|\}}|jt}d}g}xe|D]]}y|jj|||Wn,tk r}t }|}tj |qUX|j |qUW|s|jj ||} | r| \} }| rtj |qqn|r#i} xY|D]Q}g| |t||D],} | |j |jj|j| q3WqWxL| D]D}y|jj|| |Wqntk r}tj |qnXqnWxU|jD]J\} }y| |Wqtk r }tj d| ||fqXqWttj|n|jdS(Ns%s.execute(%s)ts#Calling fail func %s(%s) failed: %s(RRRR(tpretFalseRRt ExceptiontTrueterrorRthandle_modulestdebug1R!R"R#R RRtCOMMAND_FAILEDtpost(R R%RR&R.terrorMsgtdoneR'tmsgt module_returntstatust undo_rulesRRR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytexecuteZsP      $  cCsstjdt|xU|jD]J\}}y||Wq!tk rj}tjd|||fq!Xq!WdS(Ns%s.pre()s"Calling pre func %s(%s) failed: %s(RRRR R,R.(R RRR5((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR*s cCsstjdt|xU|jD]J\}}y||Wq!tk rj}tjd|||fq!Xq!WdS(Ns %s.post()s#Calling post func %s(%s) failed: %s(RRRR R,R.(R RRR5((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR2s N(t__name__t __module__t__doc__R RRRRRRRRR R(R9R*R2(((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyRs          = cBsJeZdZdZdZdZdddZdZdZ RS(s<General FirewallTransaction, contains also zone transactionscCs&tt|j|t|_dS(N(tsuperRR Rtzone_transactions(R R((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR scCs$tt|j|jjdS(N(R=RRR>(R ((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyRscCs9||jkr.t|j|||j|RR(R tzone((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytzone_transactionscCstjdt||dftt|j|||\}}x|jD]}yR|j|j||x4|j|jD]"}||kr|j|qqWWqNt k r}tj dt 
|qNXqNW||fS(Ns%s.prepare(%s, %s)s...s1Failed to prepare transaction rules for zone '%s'( RRRR=RR(R>R&RRR.tstr(R R%RR&R?tmoduleR5((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR(s   cCsStjdt|tt|jx"|jD]}|j|jq4WdS(Ns%s.pre()(RRRR=RR*R>(R R?((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR*scCsStjdt|tt|jx"|jD]}|j|jq4WdS(Ns %s.post()(RRRR=RR2R>(R R?((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR2sN( R:R;R<R RR@R R(R*R2(((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyRs    cBseZdZd dZdZd d dZdZdZdZ dZ dZ d Z d Z d Zd ZRS(s;Zone transaction with additional chain and module interfacecCs>tt|j|||_||_g|_g|_dS(N(R=RR R?tfw_transactiontchainsR&(R RR?RC((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR s    cCs|jr~tt|jjx}|jjjD]E}tt|jj|j|jj|j2|jj|j2q2Wn!tt|j|j2|j2dS(N( RCR=RRR>tkeysRRDR&(R R?((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyRs cCs~tjdt||dftt|j|||\}}x-|jD]"}||krN|j|qNqNW||fS(Ns%s.prepare(%s, %s)s...(RRRR=RR(R&R(R R%RR&RB((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR(s  cCs6|jr|jj|ntt|j|dS(N(RCR9R=R(R R%((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR9s cCsT||f}||jkrP|jjj|jt|g||jj|ndS(N(RDRR?tgen_chain_rulesR-R(R ttabletchaint table_chain((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt add_chains "cCs2||f}||jkr.|jj|ndS(N(RDR(R RGRHRI((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt remove_chains cCs?x8|D]0}||jkr|j|d|dqqWdS(Nii(RDRJ(R RDRI((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt add_chainss cCs7x0|D](}||jkr|jj|qqWdS(N(RDR(R RDRI((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt remove_chains s cCs&||jkr"|jj|ndS(N(R&R(R RB((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt add_module%scCs&||jkr"|jj|ndS(N(R&R(R RB((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt 
remove_module)scCs"x|D]}|j|qWdS(N(RN(R R&RB((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt add_modules-s cCs"x|D]}|j|qWdS(N(RO(R R&RB((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytremove_modules1s N(R:R;R<R R RR(R9RJRKRLRMRNRORPRQ(((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyRs         N(R<t__all__tfirewall.core.loggerRtfirewallRtfirewall.errorsRtfirewall.fw_typesRtobjectRRR(((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyts 5core/fw_service.pyc000064400000004224147576556050010373 0ustar00 c`c@sCdgZddlmZddlmZdefdYZdS(tFirewallServicei(terrors(t FirewallErrorcBsPeZdZdZdZdZdZdZdZdZ RS(cCs||_i|_dS(N(t_fwt _services(tselftfw((s</usr/lib/python2.7/site-packages/firewall/core/fw_service.pyt__init__s cCsd|j|jfS(Ns%s(%r)(t __class__R(R((s</usr/lib/python2.7/site-packages/firewall/core/fw_service.pyt__repr__ scCs|jjdS(N(Rtclear(R((s</usr/lib/python2.7/site-packages/firewall/core/fw_service.pytcleanup#scCst|jjS(N(tsortedRtkeys(R((s</usr/lib/python2.7/site-packages/firewall/core/fw_service.pyt get_services(scCs(||jkr$ttj|ndS(N(RRRtINVALID_SERVICE(Rtservice((s</usr/lib/python2.7/site-packages/firewall/core/fw_service.pyt check_service+scCs|j||j|S(N(RR(RR((s</usr/lib/python2.7/site-packages/firewall/core/fw_service.pyt get_service/s cCs||j|js core/fw_config.pyc000064400000075276147576556050010217 0ustar00 c`c@sdgZddlZddlZddlZddlZddlmZddlmZddl m Z m Z m Z ddl mZmZmZddlmZmZmZddlmZmZmZdd lmZmZmZdd lmZdd lmZde fd YZ!dS( tFirewallConfigiN(tconfig(tlog(tIcmpTypeticmptype_readerticmptype_writer(tServicetservice_readertservice_writer(tZonet zone_readert zone_writer(tIPSett ipset_readert ipset_writer(tHelpert helper_readert helper_writer(terrors(t FirewallErrorcBseZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!d 
Z"d!Z#d"Z$d#Z%d$Z&d%Z'd&Z(d'Z)d(Z*d)Z+d*Z,d+Z-d,Z.d-Z/d.Z0d/Z1d0Z2d1Z3d2Z4d3Z5d4Z6d5Z7d6Z8d7Z9d8Z:d9Z;d:Z<d;Z=d<Z>d=Z?d>Z@d?ZAd@ZBdAZCdBZDdCZEdDZFdEZGdFZHdGZIdHZJdIZKdJZLdKZMdLZNdMZOdNZPdOZQdPZRRS(QcCs||_|jdS(N(t_fwt_FirewallConfig__init_vars(tselftfw((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt__init__'s cCs\d|j|j|j|j|j|j|j|j|j|j |j |j |j |j fS(Ns6%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)(t __class__t_ipsetst _icmptypest _servicest_zonest_helperst_builtin_ipsetst_builtin_icmptypest_builtin_servicest_builtin_zonest_builtin_helperst_firewalld_conft _policiest_direct(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt__repr__+s cCsyi|_i|_i|_i|_i|_i|_i|_i|_i|_i|_ d|_ d|_ d|_ dS(N(RRRRRRR R!R"R#tNoneR$R%R&(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt __init_vars4s            cCsx8t|jjD]!}|j|j|j|=qWx8t|jjD]!}|j|j|j|=qQWx8t|jjD]!}|j|j|j|=qWx8t|jjD]!}|j|j|j|=qWx8t|jjD]!}|j|j|j|=qWx8t|jjD]!}|j|j|j|=q=Wx8t|j jD]!}|j |j|j |=qxWx8t|j jD]!}|j |j|j |=qWx8t|j jD]!}|j |j|j |=qWx8t|j jD]!}|j |j|j |=q)W|j rv|j j|` d|_ n|jr|jj|`d|_n|jr|jj|`d|_n|jdS(N(tlistRtkeystcleanupRR RR!RR"RR#RR$R(R%R&R(Rtx((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyR,CsV         cCs|jjjS(N(Rtpoliciestquery_lockdown(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pytlockdown_enabledzscCs|jjj||S(N(RR.t access_check(Rtkeytvalue((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyR1}scCs ||_dS(N(R$(Rtconf((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pytset_firewalld_confscCs|jS(N(R$(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pytget_firewalld_confscCs6tjjtjs%|jjn |jjdS(N(tostpathtexistsRtFIREWALLD_CONFR$tcleartread(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pytupdate_firewalld_confscCs ||_dS(N(R%(RR.((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt set_policiesscCs|jS(N(R%(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt 
get_policiesscCs<tjjtjs(|jjjn|jjjdS(N( R7R8R9RtLOCKDOWN_WHITELISTR%tlockdown_whitelistR,R<(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pytupdate_lockdown_whitelistscCs ||_dS(N(R&(Rtdirect((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt set_directscCs|jS(N(R&(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt get_directscCs6tjjtjs%|jjn |jjdS(N(R7R8R9RtFIREWALLD_DIRECTR&R,R<(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt update_directscCs2ttt|jjt|jjS(N(tsortedtsetR*RR+R(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt get_ipsetsscCs0|jr||j|jR?RBRDRERGRJRNRPRSRUR[R`RjRRRoRpRrRqRsRtRvRxRyR{R|R}RwRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR(((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyR&s   7                  E            E            E             M            E    ("t__all__RVR7tos.pathRltfirewallRtfirewall.core.loggerRtfirewall.core.io.icmptypeRRRtfirewall.core.io.serviceRRRtfirewall.core.io.zoneR R R tfirewall.core.io.ipsetR R Rtfirewall.core.io.helperRRRRtfirewall.errorsRtobjectR(((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyts     core/fw_ipset.pyo000064400000022022147576556050010067 0ustar00 c`c@sydZdgZddlmZddlmZddlmZddl m Z ddl m Z de fdYZd S( s ipset backendt FirewallIPSeti(tlog(tremove_default_create_options(tIPSet(terrors(t FirewallErrorcBseZdZdZdZdZdZdZdZe dZ dZ d Z d Z e d Zd Zd ZdZdZdZdZdZdZdZdZdZdZdZRS(cCs||_i|_dS(N(t_fwt_ipsets(tselftfw((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt__init__!s cCsd|j|jfS(Ns%s(%r)(t __class__R(R((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt__repr__%scCs|jjdS(N(Rtclear(R((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pytcleanup*scCs+||jkr'ttj|ndS(N(t get_ipsetsRRt INVALID_IPSET(Rtname((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt check_ipset-scCs||jkS(N(R(RR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt 
query_ipset1scCst|jjS(N(tsortedRtkeys(R((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyR4scCst|jdkS(Ni(tlenR(R((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt has_ipsets7scCs4|j||j|}|r0|j|n|S(N(RRtcheck_applied_obj(RRtappliedtobj((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt get_ipset:s   cGsNy|||Wn6tk rI}t|}tjd||fnXdS(Ns%s: %s(RtstrRtwarning(RtfRtargsterrortmsg((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt_error2warningAs  cCsNg}|jjr(|j|jjn|jjrJ|j|jjn|S(N(Rtnftables_enabledtappendtnftables_backendt ipset_enabledt ipset_backend(Rtbackends((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyR(Is   cCsE|j|jjkr1ttjd|jn||j|jR)(RR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pytget_typescCs%t|j|dtjjdS(NRt,(RRR>R)tsplit(RR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt get_dimensionscCs |j|}|j|dS(N(RR(RRR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt check_appliedscCs%|js!ttj|jndS(N(RRRt NOT_APPLIEDR(RR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyRs cCsB|j|dt}d|jkr>|jddkr>dSndS(NRtfamilytinet6tipv6tipv4(RR>R:(RRR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt get_familys cCs|S(N((RRD((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt __entry_idscCsdS(N((RtenableRRD((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt__entryscCs|j|dt}tj||j|j||jkr\ttj d||fny.x'|j D]}|j |j |qlWWn%t k r}ttj|nEXd|jks|jddkr||jkr|jj|ndS(NRs'%s' already is in '%s'R5R6(RR>Rt check_entryR:R)R?RRtALREADY_ENABLEDR(R@RR.R/R$(RRRDRR2R!((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt add_entrys "cCs|j|dt}||jkrCttjd||fny.x'|jD]}|j|j|qSWWn%t k r}ttj |nEXd|j ks|j ddkr||jkr|jj |ndS(NRs'%s' not in '%s'R5R6( RR>R?RRt NOT_ENABLEDR(t set_deleteRR.R/R:tremove(RRRDRR2R!((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt remove_entrys 
"cCsY|j|dt}d|jkrL|jddkrLttj|n||jkS(NRR5R6(RR>R:RRtIPSET_WITH_TIMEOUTR?(RRRDR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt query_entrys"cCs|j|dt}|jS(NR(RR>R?(RRR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt get_entriessc Cs|j|dt}x'|D]}tj||j|jqWd|jksa|jddkrm||_ny+x$|jD]}|j|j q}WWn%t k r}t t j |n Xt|_yx|jD]s}|jjs|j dkr'xL|jD]}|j|j |qWq|j|j |j|j|jdqWWn%t k rx}t t j |n Xt|_dS(NRR5R6R7(RR>RRTR:R)R?R(t set_flushRR.RRR/RRR<R@RARB(RRR?RRDR2R!((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt set_entriess. "   (t__name__t __module__R R RRRRRR8RR"R(R,R3RERFRIRJRRPt_FirewallIPSet__entry_idt_FirewallIPSet__entryRVRZR\R]R_(((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyR s2            3          N(t__doc__t__all__tfirewall.core.loggerRtfirewall.core.ipsetRR;tfirewall.core.io.ipsetRtfirewallRtfirewall.errorsRtobjectR(((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyts core/fw_ipset.pyc000064400000022022147576556050010053 0ustar00 c`c@sydZdgZddlmZddlmZddlmZddl m Z ddl m Z de fdYZd S( s ipset backendt FirewallIPSeti(tlog(tremove_default_create_options(tIPSet(terrors(t FirewallErrorcBseZdZdZdZdZdZdZdZe dZ dZ d Z d Z e d Zd Zd ZdZdZdZdZdZdZdZdZdZdZdZRS(cCs||_i|_dS(N(t_fwt_ipsets(tselftfw((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt__init__!s cCsd|j|jfS(Ns%s(%r)(t __class__R(R((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt__repr__%scCs|jjdS(N(Rtclear(R((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pytcleanup*scCs+||jkr'ttj|ndS(N(t get_ipsetsRRt INVALID_IPSET(Rtname((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt check_ipset-scCs||jkS(N(R(RR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt query_ipset1scCst|jjS(N(tsortedRtkeys(R((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyR4scCst|jdkS(Ni(tlenR(R((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt 
has_ipsets7scCs4|j||j|}|r0|j|n|S(N(RRtcheck_applied_obj(RRtappliedtobj((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt get_ipset:s   cGsNy|||Wn6tk rI}t|}tjd||fnXdS(Ns%s: %s(RtstrRtwarning(RtfRtargsterrortmsg((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt_error2warningAs  cCsNg}|jjr(|j|jjn|jjrJ|j|jjn|S(N(Rtnftables_enabledtappendtnftables_backendt ipset_enabledt ipset_backend(Rtbackends((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyR(Is   cCsE|j|jjkr1ttjd|jn||j|jR)(RR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pytget_typescCs%t|j|dtjjdS(NRt,(RRR>R)tsplit(RR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt get_dimensionscCs |j|}|j|dS(N(RR(RRR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt check_appliedscCs%|js!ttj|jndS(N(RRRt NOT_APPLIEDR(RR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyRs cCsB|j|dt}d|jkr>|jddkr>dSndS(NRtfamilytinet6tipv6tipv4(RR>R:(RRR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt get_familys cCs|S(N((RRD((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt __entry_idscCsdS(N((RtenableRRD((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt__entryscCs|j|dt}tj||j|j||jkr\ttj d||fny.x'|j D]}|j |j |qlWWn%t k r}ttj|nEXd|jks|jddkr||jkr|jj|ndS(NRs'%s' already is in '%s'R5R6(RR>Rt check_entryR:R)R?RRtALREADY_ENABLEDR(R@RR.R/R$(RRRDRR2R!((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt add_entrys "cCs|j|dt}||jkrCttjd||fny.x'|jD]}|j|j|qSWWn%t k r}ttj |nEXd|j ks|j ddkr||jkr|jj |ndS(NRs'%s' not in '%s'R5R6( RR>R?RRt NOT_ENABLEDR(t set_deleteRR.R/R:tremove(RRRDRR2R!((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt remove_entrys "cCsY|j|dt}d|jkrL|jddkrLttj|n||jkS(NRR5R6(RR>R:RRtIPSET_WITH_TIMEOUTR?(RRRDR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt query_entrys"cCs|j|dt}|jS(NR(RR>R?(RRR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt get_entriessc 
Cs|j|dt}x'|D]}tj||j|jqWd|jksa|jddkrm||_ny+x$|jD]}|j|j q}WWn%t k r}t t j |n Xt|_yx|jD]s}|jjs|j dkr'xL|jD]}|j|j |qWq|j|j |j|j|jdqWWn%t k rx}t t j |n Xt|_dS(NRR5R6R7(RR>RRTR:R)R?R(t set_flushRR.RRR/RRR<R@RARB(RRR?RRDR2R!((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyt set_entriess. "   (t__name__t __module__R R RRRRRR8RR"R(R,R3RERFRIRJRRPt_FirewallIPSet__entry_idt_FirewallIPSet__entryRVRZR\R]R_(((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyR s2            3          N(t__doc__t__all__tfirewall.core.loggerRtfirewall.core.ipsetRR;tfirewall.core.io.ipsetRtfirewallRtfirewall.errorsRtobjectR(((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ipset.pyts core/fw_direct.pyo000064400000035427147576556050010232 0ustar00 c`c@sdgZddlmZddlmZddlmZddlmZddlm Z ddl m Z ddl m Z defd YZd S( tFirewallDirecti(tLastUpdatedOrderedDict(t ipXtables(tebtables(tFirewallTransaction(tlog(terrors(t FirewallErrorcBsdeZdZdZdZdZdZdZdZd$dZ dZ d Z d$d Z d Zd Zd ZdZd$dZd$dZdZdZdZd$dZd$dZdZdZdZdZdZdZd$dZd$dZ dZ!dZ"d Z#d!Z$d"Z%d#Z&RS(%cCs||_|jdS(N(t_fwt_FirewallDirect__init_vars(tselftfw((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt__init__'s cCs d|j|j|j|jfS(Ns%s(%r, %r, %r)(t __class__t_chainst_rulest_rule_priority_positions(R ((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt__repr__+scCs1i|_i|_i|_i|_d|_dS(N(RRRt _passthroughstNonet_obj(R ((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt __init_vars/s     cCs|jdS(N(R (R ((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pytcleanup6scCs t|jS(N(RR(R ((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pytnew_transaction;scCs ||_dS(N(R(R tobj((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pytset_permanent_config@scCs|t|jt|jt|jdkr3tSt|jjt|jjt|jjdkrxtSt S(Ni( tlenRRRtTrueRtget_all_chainst get_all_rulestget_all_passthroughstFalse(R ((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pythas_configurationCs 
/%cCsu|dkr|j}n|}|j|jj|jj|jjf||dkrq|jtndS(N( RRt set_configRRRRtexecuteR(R tuse_transactiont transaction((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt apply_directLs   c Csi}i}i}xi|jD]^}|\}}xI|j|D]:}|jj|||s<|j|gj|q<q<WqWx|jD]}|\}}}xl|j|D]]\} } |jj|||| | s||krt||dddg}||kr:ttjd||fndS(Ntipv4tipv6tebs'%s' not in '%s'(RRt INVALID_IPV(R R/tipvs((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt _check_ipvs  cCsf|j||dkr(tjjn tjj}||krbttjd||fndS(NR>R?s'%s' not in '%s'(sipv4sipv6(RCRtBUILT_IN_CHAINStkeysRRRt INVALID_TABLE(R R/R0ttables((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt_check_ipv_tables    cCs|dkrJtj|}|jjr.i}qd|jj|j|}ntj|}tj|}||krtt j d|n||krtt j d|n|dkr|jj j |dk rtt jd|qndS(NR>R?schain '%s' is built-in chainschain '%s' is reservedsChain '%s' is reserved(sipv4sipv6(sipv4sipv6(RRDRtnftables_enabledtget_direct_backend_by_ipvt our_chainsRt OUR_CHAINSRRt BUILTIN_CHAINtzonetzone_from_chainRt INVALID_CHAIN(R R/R0R1tbuilt_in_chainsRK((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt_check_builtin_chains"            cCsc|r%|jj|gj|n:|j|j|t|j|dkr_|j|=ndS(Ni(RR'R(tremoveR(R R.R1tadd((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt_register_chains cCsZ|dkr|j}n|}|jt|||||dkrV|jtndS(N(RRt_chainRR"(R R/R0R1R#R$((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyR7s   cCsZ|dkr|j}n|}|jt|||||dkrV|jtndS(N(RRRVRR"R(R R/R0R1R#R$((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt remove_chains   cCsO|j|||j|||||f}||jkoN||j|kS(N(RHRRR(R R/R0R1R.((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyR&s  cCs:|j||||f}||jkr6|j|SgS(N(RHR(R R/R0R.((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt get_chainss   cCsXg}xK|jD]@}|\}}x+|j|D]}|j|||fq0WqW|S(N(RR((R trtkeyR/R0R1((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyRs  cCs`|dkr|j}n|}|jt|||||||dkr\|jtndS(N(RRt_ruleRR"(R R/R0R1R3R4R#R$((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyR:s   
cCs`|dkr|j}n|}|jt|||||||dkr\|jtndS(N(RRR[RR"R(R R/R0R1R3R4R#R$((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt remove_rule s   cCsE|j|||||f}||jkoD||f|j|kS(N(RHR(R R/R0R1R3R4R2((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyR)scCsI|j|||||f}||jkrEt|j|jSgS(N(RHRtlistRE(R R/R0R1R2((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyt get_ruless c Csmg}x`|jD]U}|\}}}x=|j|D].\}}|j||||t|fq3WqW|S(N(RR(R](R RYRZR/R0R1R3R4((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyR%s *cCs|r||jkr(t|j|R?s %s_directit_directs"rule '%s' already is in '%s:%s:%s'srule '%s' is not in '%s:%s:%s'ii(sipv4sipv6(RHRRIRNtcreate_zone_base_by_chainRJtis_chain_builtinRRRtALREADY_ENABLEDt NOT_ENABLEDRtsortedRERR:t build_ruleRatadd_fail(R R`R/R0R1R3R4R$RVtbackendR2R_tindext positionstj((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyR[{sL         (%% cCs"|j|||j|||||f}|r|||jkr||j|krttjd|||fqnD||jks||j|krttjd|||fn|jj|}|j ||j ||||j ||||j |j ||| dS(Ns chain '%s' already is in '%s:%s'schain '%s' is not in '%s:%s'( RHRRRRRRqRrRRJt add_rulestbuild_chain_rulesRURu(R RTR/R0R1R$R.Rv((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyRVs$   c Csn|j|t|}|rc||jkr||j|krttjd||fqnA||jks||j|krttjd||fn|jj|}|r|j ||dkr|j |\}}|r|r|jj j |||qn|} n|j |} |j|| |j||||j|j||| dS(Nspassthrough '%s', '%s'R>R?(sipv4sipv6(RCRlRRRRqRrRRJtcheck_passthroughtpassthrough_parse_table_chainRNRotreverse_passthroughR:RiRu( R R`R/R4R$t tuple_argsRvR0R1t_args((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyRjs0        N('t__name__t __module__R RR RRRR RR%R5R6R!RCRHRRRUR7RWR&RXRR:R\R)R^RRaRhRiR;RkR*RRmR[RVRj(((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyR&sH          '              _ N(t__all__tfirewall.fw_typesRt firewall.coreRRtfirewall.core.fw_transactionRtfirewall.core.loggerRtfirewallRtfirewall.errorsRtobjectR(((s;/usr/lib/python2.7/site-packages/firewall/core/fw_direct.pyts core/fw_test.py000064400000054071147576556050007554 
0ustar00# -*- coding: utf-8 -*-
#
# Copyright (C) 2010-2016 Red Hat, Inc.
#
# Authors:
# Thomas Woerner
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
#

__all__ = [ "Firewall_test" ]

import os.path
import sys
import copy

from firewall import config
from firewall import functions
from firewall.core.fw_icmptype import FirewallIcmpType
from firewall.core.fw_service import FirewallService
from firewall.core.fw_zone import FirewallZone
from firewall.core.fw_direct import FirewallDirect
from firewall.core.fw_config import FirewallConfig
from firewall.core.fw_policies import FirewallPolicies
from firewall.core.fw_ipset import FirewallIPSet
from firewall.core.fw_helper import FirewallHelper
from firewall.core.logger import log
from firewall.core.io.firewalld_conf import firewalld_conf
from firewall.core.io.direct import Direct
from firewall.core.io.service import service_reader
from firewall.core.io.icmptype import icmptype_reader
from firewall.core.io.zone import zone_reader, Zone
from firewall.core.io.ipset import ipset_reader
from firewall.core.ipset import IPSET_TYPES
from firewall.core.io.helper import helper_reader
from firewall import errors
from firewall.errors import FirewallError

############################################################################
#
# class Firewall
#
############################################################################

class Firewall_test(object):
    """Configuration-only variant of the firewalld core object.

    This class loads firewalld.conf, the lockdown whitelist, the XML object
    directories (ipsets, icmptypes, helpers, services, zones) and the direct
    rules file exactly like the real core would, but every method that would
    touch the running packet filter (panic mode, reload) is a no-op here.  It
    is the object the configuration-checking tools build on.

    Attributes (set in __init__ / __init_vars):
      _firewalld_conf     parsed firewalld.conf (config.FIREWALLD_CONF)
      ip4tables_enabled, ip6tables_enabled, ebtables_enabled, ipset_enabled
                          backend availability flags; always False here
      ipset_supported_types  IPSET_TYPES
      icmptype, service, zone, direct, config, policies, ipset, helper
                          the per-object-type sub-managers
    """

    def __init__(self):
        """Create the sub-managers and reset the runtime state."""
        self._firewalld_conf = firewalld_conf(config.FIREWALLD_CONF)

        # No backend is ever probed in this variant, so all stay False.
        self.ip4tables_enabled = False
        self.ip6tables_enabled = False
        self.ebtables_enabled = False
        self.ipset_enabled = False
        self.ipset_supported_types = IPSET_TYPES

        self.icmptype = FirewallIcmpType(self)
        self.service = FirewallService(self)
        self.zone = FirewallZone(self)
        self.direct = FirewallDirect(self)
        self.config = FirewallConfig(self)
        self.policies = FirewallPolicies()
        self.ipset = FirewallIPSet(self)
        self.helper = FirewallHelper(self)

        self.__init_vars()

    def __repr__(self):
        """Debug representation listing the state and settings attributes."""
        return '%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)' % \
            (self.__class__, self.ip4tables_enabled, self.ip6tables_enabled,
             self.ebtables_enabled, self._state, self._panic,
             self._default_zone, self._module_refcount, self._marks,
             self._min_mark, self.cleanup_on_exit, self.ipv6_rpfilter_enabled,
             self.ipset_enabled, self._individual_calls, self._log_denied,
             self._automatic_helpers)

    def __init_vars(self):
        """Reset state and settings to their startup (fallback) values.

        Called from __init__ and again from cleanup().  Every setting
        assigned here may be overridden by firewalld.conf in _start().
        """
        self._state = "INIT"
        self._panic = False
        self._default_zone = ""
        self._module_refcount = { }
        self._marks = [ ]
        # fallback settings will be overloaded by firewalld.conf
        self._min_mark = config.FALLBACK_MINIMAL_MARK
        self.cleanup_on_exit = config.FALLBACK_CLEANUP_ON_EXIT
        self.ipv6_rpfilter_enabled = config.FALLBACK_IPV6_RPFILTER
        self._individual_calls = config.FALLBACK_INDIVIDUAL_CALLS
        self._log_denied = config.FALLBACK_LOG_DENIED
        self._automatic_helpers = config.FALLBACK_AUTOMATIC_HELPERS

    def individual_calls(self):
        """Return the IndividualCalls setting (True/False)."""
        return self._individual_calls

    def _start(self, reload=False, complete_reload=False):
        """Load all configuration and move the state to "RUNNING".

        Steps, in order: read firewalld.conf (falling back to the defaults
        from __init_vars on any read error), read the lockdown whitelist,
        load ipsets, icmptypes, helpers, services and zones from both the
        package and the /etc directories, validate the minimum zone set and
        the default zone, then read the direct rules file.

        Exits the process (sys.exit(1)) when no zone at all or one of the
        mandatory zones "block", "drop", "trusted" is missing.

        The reload and complete_reload parameters are accepted for signature
        compatibility but are not used in this variant.
        """
        # initialize firewall
        default_zone = config.FALLBACK_ZONE

        # load firewalld config
        log.debug1("Loading firewalld config file '%s'", config.FIREWALLD_CONF)
        try:
            self._firewalld_conf.read()
        except Exception:
            log.warning("Using fallback firewalld configuration settings.")
        else:
            if self._firewalld_conf.get("DefaultZone"):
                default_zone = self._firewalld_conf.get("DefaultZone")

            if self._firewalld_conf.get("MinimalMark"):
                # NOTE(review): int() is not guarded; a non-numeric value
                # raises ValueError out of _start.
                self._min_mark = int(self._firewalld_conf.get("MinimalMark"))

            if self._firewalld_conf.get("CleanupOnExit"):
                value = self._firewalld_conf.get("CleanupOnExit")
                if value is not None and value.lower() in [ "no", "false" ]:
                    self.cleanup_on_exit = False

            if self._firewalld_conf.get("Lockdown"):
                value = self._firewalld_conf.get("Lockdown")
                if value is not None and value.lower() in [ "yes", "true" ]:
                    log.debug1("Lockdown is enabled")
                    try:
                        self.policies.enable_lockdown()
                    except FirewallError:
                        # already enabled, this is probably reload
                        pass

            if self._firewalld_conf.get("IPv6_rpfilter"):
                value = self._firewalld_conf.get("IPv6_rpfilter")
                if value is not None:
                    if value.lower() in [ "no", "false" ]:
                        self.ipv6_rpfilter_enabled = False
                    if value.lower() in [ "yes", "true" ]:
                        self.ipv6_rpfilter_enabled = True
            if self.ipv6_rpfilter_enabled:
                log.debug1("IPv6 rpfilter is enabled")
            else:
                log.debug1("IPV6 rpfilter is disabled")

            if self._firewalld_conf.get("IndividualCalls"):
                value = self._firewalld_conf.get("IndividualCalls")
                if value is not None and value.lower() in [ "yes", "true" ]:
                    log.debug1("IndividualCalls is enabled")
                    self._individual_calls = True

            if self._firewalld_conf.get("LogDenied"):
                value = self._firewalld_conf.get("LogDenied")
                if value is None or value.lower() == "no":
                    self._log_denied = "off"
                else:
                    # Any other value is stored lower-cased as-is; it is not
                    # checked against config.LOG_DENIED_VALUES here (only
                    # set_log_denied validates).
                    self._log_denied = value.lower()
                log.debug1("LogDenied is set to '%s'", self._log_denied)

            if self._firewalld_conf.get("AutomaticHelpers"):
                value = self._firewalld_conf.get("AutomaticHelpers")
                if value is not None:
                    if value.lower() in [ "no", "false" ]:
                        self._automatic_helpers = "no"
                    elif value.lower() in [ "yes", "true" ]:
                        self._automatic_helpers = "yes"
                    else:
                        self._automatic_helpers = value.lower()
                    log.debug1("AutomaticHelpers is set to '%s'",
                               self._automatic_helpers)

        self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf))

        # load lockdown whitelist
        log.debug1("Loading lockdown whitelist")
        try:
            self.policies.lockdown_whitelist.read()
        except Exception as msg:
            # A missing/broken whitelist is only an error when lockdown is
            # actually enabled; otherwise it is just debug noise.
            if self.policies.query_lockdown():
                log.error("Failed to load lockdown whitelist '%s': %s",
                          self.policies.lockdown_whitelist.filename, msg)
            else:
                log.debug1("Failed to load lockdown whitelist '%s': %s",
                           self.policies.lockdown_whitelist.filename, msg)

        # copy policies to config interface
        self.config.set_policies(copy.deepcopy(self.policies))

        # load ipset files
        self._loader(config.FIREWALLD_IPSETS, "ipset")
        self._loader(config.ETC_FIREWALLD_IPSETS, "ipset")

        # load icmptype files
        self._loader(config.FIREWALLD_ICMPTYPES, "icmptype")
        self._loader(config.ETC_FIREWALLD_ICMPTYPES, "icmptype")

        if len(self.icmptype.get_icmptypes()) == 0:
            log.error("No icmptypes found.")

        # load helper files
        self._loader(config.FIREWALLD_HELPERS, "helper")
        self._loader(config.ETC_FIREWALLD_HELPERS, "helper")

        # load service files
        self._loader(config.FIREWALLD_SERVICES, "service")
        self._loader(config.ETC_FIREWALLD_SERVICES, "service")

        if len(self.service.get_services()) == 0:
            log.error("No services found.")

        # load zone files
        self._loader(config.FIREWALLD_ZONES, "zone")
        self._loader(config.ETC_FIREWALLD_ZONES, "zone")

        if len(self.zone.get_zones()) == 0:
            log.fatal("No zones found.")
            sys.exit(1)

        # check minimum required zones
        error = False
        for z in [ "block", "drop", "trusted" ]:
            if z not in self.zone.get_zones():
                log.fatal("Zone '%s' is not available.", z)
                error = True
        if error:
            sys.exit(1)

        # check if default_zone is a valid zone
        if default_zone not in self.zone.get_zones():
            if "public" in self.zone.get_zones():
                zone = "public"
            elif "external" in self.zone.get_zones():
                zone = "external"
            else:
                zone = "block" # block is a base zone, therefore it has to exist

            log.error("Default zone '%s' is not valid. Using '%s'.",
                      default_zone, zone)
            default_zone = zone
        else:
            log.debug1("Using default zone '%s'", default_zone)

        # load direct rules
        obj = Direct(config.FIREWALLD_DIRECT)
        if os.path.exists(config.FIREWALLD_DIRECT):
            log.debug1("Loading direct rules file '%s'" % \
                       config.FIREWALLD_DIRECT)
            try:
                obj.read()
            except Exception as msg:
                log.error("Failed to load direct rules file '%s': %s",
                          config.FIREWALLD_DIRECT, msg)
        self.config.set_direct(copy.deepcopy(obj))

        self._default_zone = self.check_zone(default_zone)

        self._state = "RUNNING"

    def start(self):
        """Public entry point; runs _start() with default arguments."""
        self._start()

    def _loader(self, path, reader_type, combine=False):
        """Load every *.xml file in *path* as objects of *reader_type*.

        reader_type is one of "icmptype", "service", "zone", "ipset",
        "helper".  Files whose name does not end in ".xml" are skipped,
        except that a sub-directory under config.ETC_FIREWALLD is recursed
        into for zones with combine=True, which merges all files of that
        directory into one zone named after the directory.

        An object that is already known replaces the earlier one of the
        same name (the override is logged); an object first seen under
        config.ETC_FIREWALLD is flagged default=True.  Each loaded object
        is also deep-copied into the configuration interface.

        Load failures of a single file are logged and do not abort the
        loop.
        """
        # combine: several zone files are getting combined into one obj
        if not os.path.isdir(path):
            return

        if combine:
            if path.startswith(config.ETC_FIREWALLD) and reader_type == "zone":
                combined_zone = Zone()
                combined_zone.name = os.path.basename(path)
                combined_zone.check_name(combined_zone.name)
                combined_zone.path = path
                combined_zone.default = False
            else:
                combine = False

        for filename in sorted(os.listdir(path)):
            if not filename.endswith(".xml"):
                if path.startswith(config.ETC_FIREWALLD) and \
                   reader_type == "zone" and \
                   os.path.isdir("%s/%s" % (path, filename)):
                    self._loader("%s/%s" % (path, filename), reader_type,
                                 combine=True)
                continue

            name = "%s/%s" % (path, filename)
            log.debug1("Loading %s file '%s'", reader_type, name)
            try:
                if reader_type == "icmptype":
                    obj = icmptype_reader(filename, path)
                    if obj.name in self.icmptype.get_icmptypes():
                        orig_obj = self.icmptype.get_icmptype(obj.name)
                        log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type,
                                   orig_obj.name, orig_obj.path,
                                   orig_obj.filename)
                        self.icmptype.remove_icmptype(orig_obj.name)
                    elif obj.path.startswith(config.ETC_FIREWALLD):
                        obj.default = True
                    self.icmptype.add_icmptype(obj)
                    # add a deep copy to the configuration interface
                    self.config.add_icmptype(copy.deepcopy(obj))
                elif reader_type == "service":
                    obj = service_reader(filename, path)
                    if obj.name in self.service.get_services():
                        orig_obj = self.service.get_service(obj.name)
                        log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type,
                                   orig_obj.name, orig_obj.path,
                                   orig_obj.filename)
                        self.service.remove_service(orig_obj.name)
                    elif obj.path.startswith(config.ETC_FIREWALLD):
                        obj.default = True
                    self.service.add_service(obj)
                    # add a deep copy to the configuration interface
                    self.config.add_service(copy.deepcopy(obj))
                elif reader_type == "zone":
                    obj = zone_reader(filename, path, no_check_name=combine)
                    if combine:
                        # Change name for permanent configuration
                        obj.name = "%s/%s" % (
                            os.path.basename(path),
                            os.path.basename(filename)[0:-4])
                        obj.check_name(obj.name)
                    # Copy object before combine
                    config_obj = copy.deepcopy(obj)
                    if obj.name in self.zone.get_zones():
                        orig_obj = self.zone.get_zone(obj.name)
                        self.zone.remove_zone(orig_obj.name)
                        if orig_obj.combined:
                            log.debug1(" Combining %s '%s' ('%s/%s')",
                                       reader_type, obj.name, path, filename)
                            obj.combine(orig_obj)
                        else:
                            log.debug1(" Overloads %s '%s' ('%s/%s')",
                                       reader_type, orig_obj.name,
                                       orig_obj.path, orig_obj.filename)
                    elif obj.path.startswith(config.ETC_FIREWALLD):
                        obj.default = True
                        config_obj.default = True
                    self.config.add_zone(config_obj)
                    if combine:
                        log.debug1(" Combining %s '%s' ('%s/%s')", reader_type,
                                   combined_zone.name, path, filename)
                        combined_zone.combine(obj)
                    else:
                        self.zone.add_zone(obj)
                elif reader_type == "ipset":
                    obj = ipset_reader(filename, path)
                    if obj.name in self.ipset.get_ipsets():
                        orig_obj = self.ipset.get_ipset(obj.name)
                        log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type,
                                   orig_obj.name, orig_obj.path,
                                   orig_obj.filename)
                        self.ipset.remove_ipset(orig_obj.name)
                    elif obj.path.startswith(config.ETC_FIREWALLD):
                        obj.default = True
                    self.ipset.add_ipset(obj)
                    # add a deep copy to the configuration interface
                    self.config.add_ipset(copy.deepcopy(obj))
                elif reader_type == "helper":
                    obj = helper_reader(filename, path)
                    if obj.name in self.helper.get_helpers():
                        orig_obj = self.helper.get_helper(obj.name)
                        log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type,
                                   orig_obj.name, orig_obj.path,
                                   orig_obj.filename)
                        self.helper.remove_helper(orig_obj.name)
                    elif obj.path.startswith(config.ETC_FIREWALLD):
                        obj.default = True
                    self.helper.add_helper(obj)
                    # add a deep copy to the configuration interface
                    self.config.add_helper(copy.deepcopy(obj))
                else:
                    log.fatal("Unknown reader type %s", reader_type)
            except FirewallError as msg:
                log.error("Failed to load %s file '%s': %s", reader_type,
                          name, msg)
            except Exception:
                log.error("Failed to load %s file '%s':", reader_type, name)
                log.exception()

        if combine and combined_zone.combined:
            if combined_zone.name in self.zone.get_zones():
                orig_obj = self.zone.get_zone(combined_zone.name)
                log.debug1(" Overloading and deactivating %s '%s' ('%s/%s')",
                           reader_type, orig_obj.name, orig_obj.path,
                           orig_obj.filename)
                try:
                    self.zone.remove_zone(combined_zone.name)
                except:
                    # NOTE(review): bare except swallows every error here,
                    # including KeyboardInterrupt; a FirewallError catch
                    # would keep the best-effort intent without hiding the
                    # rest.
                    pass
                self.config.forget_zone(combined_zone.name)
            self.zone.add_zone(combined_zone)

    def cleanup(self):
        """Drop all loaded objects and reset state to the startup values."""
        self.icmptype.cleanup()
        self.service.cleanup()
        self.zone.cleanup()
        self.ipset.cleanup()
        self.helper.cleanup()
        self.config.cleanup()
        self.direct.cleanup()
        self.policies.cleanup()
        self._firewalld_conf.cleanup()
        self.__init_vars()

    def stop(self):
        """Alias for cleanup()."""
        self.cleanup()

    # check functions

    def check_panic(self):
        """No-op in this variant (no panic mode to check)."""
        return

    def check_zone(self, zone):
        """Return the effective zone name for *zone*.

        An empty/None zone maps to the default zone.  Raises FirewallError
        INVALID_ZONE when the resulting name is not a loaded zone.
        """
        _zone = zone
        if not _zone or _zone == "":
            _zone = self.get_default_zone()
        if _zone not in self.zone.get_zones():
            raise FirewallError(errors.INVALID_ZONE, _zone)
        return _zone

    def check_interface(self, interface):
        """Raise FirewallError INVALID_INTERFACE for an invalid interface name."""
        if not functions.checkInterface(interface):
            raise FirewallError(errors.INVALID_INTERFACE, interface)

    def check_service(self, service):
        """Delegate to the service manager; raises for an unknown service."""
        self.service.check_service(service)

    def check_port(self, port):
        """Raise FirewallError INVALID_PORT unless *port* is a valid port or range.

        Uses functions.getPortRange: -2 means the number is too large, -1
        invalid, None ambiguous; a two-element range must have start < end.
        The reason is logged at debug1 before raising.
        """
        # NOTE: local name shadows the builtin range() inside this method.
        range = functions.getPortRange(port)

        if range == -2 or range == -1 or range is None or \
           (len(range) == 2 and range[0] >= range[1]):
            if range == -2:
                log.debug1("'%s': port > 65535" % port)
            elif range == -1:
                log.debug1("'%s': port is invalid" % port)
            elif range is None:
                log.debug1("'%s': port is ambiguous" % port)
            elif len(range) == 2 and range[0] >= range[1]:
                log.debug1("'%s': range start >= end" % port)
            raise FirewallError(errors.INVALID_PORT, port)

    def check_tcpudp(self, protocol):
        """Accept only "tcp", "udp", "sctp" or "dccp".

        Raises MISSING_PROTOCOL for an empty value, INVALID_PROTOCOL for
        anything outside that set.
        """
        if not protocol:
            raise FirewallError(errors.MISSING_PROTOCOL)
        if protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
            raise FirewallError(errors.INVALID_PROTOCOL,
                                "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
                                protocol)

    def check_ip(self, ip):
        """Raise FirewallError INVALID_ADDR unless *ip* passes functions.checkIP."""
        if not functions.checkIP(ip):
            raise FirewallError(errors.INVALID_ADDR, ip)

    def check_address(self, ipv, source):
        """Validate *source* as an address/mask for the given family.

        ipv must be "ipv4" or "ipv6"; anything else raises INVALID_IPV.
        An address that fails the family check raises INVALID_ADDR.
        """
        if ipv == "ipv4":
            if not functions.checkIPnMask(source):
                raise FirewallError(errors.INVALID_ADDR, source)
        elif ipv == "ipv6":
            if not functions.checkIP6nMask(source):
                raise FirewallError(errors.INVALID_ADDR, source)
        else:
            # NOTE(review): the '%s' below is never interpolated, so the
            # error text carries a literal '%s' instead of the bad ipv.
            raise FirewallError(errors.INVALID_IPV,
                                "'%s' not in {'ipv4'|'ipv6'}")

    def check_icmptype(self, icmp):
        """Delegate to the icmptype manager; raises for an unknown type."""
        self.icmptype.check_icmptype(icmp)

    # RELOAD

    def reload(self, stop=False):
        """No-op in this variant; the setters call it after writing the config."""
        return

    # STATE

    def get_state(self):
        """Return the state string ("INIT" until _start finishes, then "RUNNING")."""
        return self._state

    # PANIC MODE

    def enable_panic_mode(self):
        """No-op in this variant."""
        return

    def disable_panic_mode(self):
        """No-op in this variant."""
        return

    def query_panic_mode(self):
        """Return the panic flag; always False here as nothing sets it."""
        return self._panic

    # LOG DENIED

    def get_log_denied(self):
        """Return the LogDenied setting string."""
        return self._log_denied

    def set_log_denied(self, value):
        """Set LogDenied, persist it to firewalld.conf and trigger reload().

        Raises INVALID_VALUE when *value* is not in config.LOG_DENIED_VALUES
        and ALREADY_SET when it equals the current setting.
        """
        if value not in config.LOG_DENIED_VALUES:
            raise FirewallError(errors.INVALID_VALUE,
                                "'%s', choose from '%s'" % \
                                (value, "','".join(config.LOG_DENIED_VALUES)))

        if value != self.get_log_denied():
            self._log_denied = value
            self._firewalld_conf.set("LogDenied", value)
            self._firewalld_conf.write()

            # now reload the firewall
            self.reload()
        else:
            raise FirewallError(errors.ALREADY_SET, value)

    # AUTOMATIC HELPERS

    def get_automatic_helpers(self):
        """Return the AutomaticHelpers setting string."""
        return self._automatic_helpers

    def set_automatic_helpers(self, value):
        """Set AutomaticHelpers, persist it and trigger reload().

        Raises INVALID_VALUE when *value* is not in
        config.AUTOMATIC_HELPERS_VALUES and ALREADY_SET when unchanged.
        """
        if value not in config.AUTOMATIC_HELPERS_VALUES:
            raise FirewallError(errors.INVALID_VALUE,
                                "'%s', choose from '%s'" % \
                                (value, "','".join(config.AUTOMATIC_HELPERS_VALUES)))

        if value != self.get_automatic_helpers():
            self._automatic_helpers = value
            self._firewalld_conf.set("AutomaticHelpers", value)
            self._firewalld_conf.write()

            # now reload the firewall
            self.reload()
        else:
            raise FirewallError(errors.ALREADY_SET, value)

    # DEFAULT ZONE

    def get_default_zone(self):
        """Return the name of the current default zone."""
        return self._default_zone

    def set_default_zone(self, zone):
        """Validate *zone* via check_zone and persist it as DefaultZone.

        Raises ZONE_ALREADY_SET when it is already the default.
        """
        _zone = self.check_zone(zone)
        if _zone != self._default_zone:
            self._default_zone = _zone
            self._firewalld_conf.set("DefaultZone", _zone)
            self._firewalld_conf.write()
        else:
            raise FirewallError(errors.ZONE_ALREADY_SET, _zone)

    # lockdown

    def enable_lockdown(self):
        """Write Lockdown=yes to firewalld.conf (does not touch self.policies)."""
        self._firewalld_conf.set("Lockdown", "yes")
        self._firewalld_conf.write()

    def disable_lockdown(self):
        """Write Lockdown=no to firewalld.conf (does not touch self.policies)."""
        self._firewalld_conf.set("Lockdown", "no")
        self._firewalld_conf.write()
core/fw_direct.py000064400000050166147576556050010050 0ustar00# -*- coding: utf-8 -*-
#
# Copyright (C) 2010-2016 Red Hat, Inc.
#
# Authors:
# Thomas Woerner
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
#

__all__ = [ "FirewallDirect" ]

from firewall.fw_types import LastUpdatedOrderedDict
from firewall.core import ipXtables
from firewall.core import ebtables
from firewall.core.fw_transaction import FirewallTransaction
from firewall.core.logger import log
from firewall import errors
from firewall.errors import FirewallError

############################################################################
#
# class FirewallDirect
#
############################################################################

class FirewallDirect(object):
    """Runtime tracking of "direct" chains, rules and passthroughs.

    Direct rules are raw ip*tables/ebtables fragments supplied by callers
    rather than derived from zones.  This class validates them against the
    built-in and reserved chain names, keeps the in-memory bookkeeping
    needed to compute insert positions, and hands the actual commands to a
    FirewallTransaction.

    Internal state (see __init_vars):
      _chains                  {(ipv, table): [chain, ...]}
      _rules                   {(ipv, table, chain): LastUpdatedOrderedDict
                                  {(priority, args): priority}}
      _rule_priority_positions {(ipv, table, chain): {priority: count}}
      _passthroughs            {ipv: [args, ...]}
      _obj                     the permanent (Direct io) configuration
    """

    def __init__(self, fw):
        """Bind to the core firewall object *fw* and reset all state."""
        self._fw = fw
        self.__init_vars()

    def __repr__(self):
        """Debug representation of chains, rules and priority positions."""
        return '%s(%r, %r, %r)' % (self.__class__, self._chains, self._rules,
                                   self._rule_priority_positions)

    def __init_vars(self):
        """Reset the bookkeeping dicts and forget the permanent config."""
        self._chains = { }
        self._rules = { }
        self._rule_priority_positions = { }
        self._passthroughs = { }
        self._obj = None

    def cleanup(self):
        """Drop all tracked state (same as __init_vars)."""
        self.__init_vars()

    # transaction

    def new_transaction(self):
        """Return a fresh FirewallTransaction bound to the core object."""
        return FirewallTransaction(self._fw)

    # configuration

    def set_permanent_config(self, obj):
        """Remember the permanent direct configuration object *obj*."""
        self._obj = obj

    def has_configuration(self):
        """Return True when any runtime or permanent direct entry exists.

        NOTE(review): dereferences self._obj unconditionally; if
        set_permanent_config was never called this raises AttributeError.
        """
        if len(self._chains) + len(self._rules) + len(self._passthroughs) > 0:
            return True
        if len(self._obj.get_all_chains()) + \
           len(self._obj.get_all_rules()) + \
           len(self._obj.get_all_passthroughs()) > 0:
            return True
        return False

    def apply_direct(self, use_transaction=None):
        """Apply the permanent configuration (self._obj) to the runtime.

        With use_transaction=None a private transaction is created and
        executed here; otherwise the caller's transaction is filled and
        left unexecuted.
        """
        if use_transaction is None:
            transaction = self.new_transaction()
        else:
            transaction = use_transaction

        # Apply permanent configuration and save the obj to be able to
        # remove permanent configuration settings within get_runtime_config
        # for use in firewalld reload.
        self.set_config((self._obj.get_all_chains(),
                         self._obj.get_all_rules(),
                         self._obj.get_all_passthroughs()),
                        transaction)

        if use_transaction is None:
            transaction.execute(True)

    def get_runtime_config(self):
        """Return (chains, rules, passthroughs) that exist only at runtime.

        Every entry also present in the permanent object self._obj is
        filtered out, so the result is what a reload has to re-apply.
        """
        # Return only runtime changes
        # Remove all chains, rules and passthroughs that are in self._obj
        # (permanent config applied in firewalld _start.
        chains = { }
        rules = { }
        passthroughs = { }

        for table_id in self._chains:
            (ipv, table) = table_id
            for chain in self._chains[table_id]:
                if not self._obj.query_chain(ipv, table, chain):
                    chains.setdefault(table_id, [ ]).append(chain)

        for chain_id in self._rules:
            (ipv, table, chain) = chain_id
            for (priority, args) in self._rules[chain_id]:
                if not self._obj.query_rule(ipv, table, chain, priority, args):
                    if chain_id not in rules:
                        rules[chain_id] = LastUpdatedOrderedDict()
                    rules[chain_id][(priority, args)] = priority

        for ipv in self._passthroughs:
            for args in self._passthroughs[ipv]:
                if not self._obj.query_passthrough(ipv, args):
                    if ipv not in passthroughs:
                        passthroughs[ipv] = [ ]
                    passthroughs[ipv].append(args)

        return (chains, rules, passthroughs)

    def get_config(self):
        """Return the live internal (chains, rules, passthroughs) dicts.

        These are not copies: mutating them changes this object's state.
        """
        return (self._chains, self._rules, self._passthroughs)

    def set_config(self, conf, use_transaction=None):
        """Add every chain, rule and passthrough from *conf* not yet present.

        conf is a (chains, rules, passthroughs) triple in the shape returned
        by get_config()/get_runtime_config().  Each add is attempted
        individually; a FirewallError is logged as a warning and the
        remaining entries are still processed.
        """
        if use_transaction is None:
            transaction = self.new_transaction()
        else:
            transaction = use_transaction

        (_chains, _rules, _passthroughs) = conf
        for table_id in _chains:
            (ipv, table) = table_id
            for chain in _chains[table_id]:
                if not self.query_chain(ipv, table, chain):
                    try:
                        self.add_chain(ipv, table, chain,
                                       use_transaction=transaction)
                    except FirewallError as error:
                        log.warning(str(error))

        for chain_id in _rules:
            (ipv, table, chain) = chain_id
            for (priority, args) in _rules[chain_id]:
                if not self.query_rule(ipv, table, chain, priority, args):
                    try:
                        self.add_rule(ipv, table, chain, priority, args,
                                      use_transaction=transaction)
                    except FirewallError as error:
                        log.warning(str(error))

        for ipv in _passthroughs:
            for args in _passthroughs[ipv]:
                if not self.query_passthrough(ipv, args):
                    try:
                        self.add_passthrough(ipv, args,
                                             use_transaction=transaction)
                    except FirewallError as error:
                        log.warning(str(error))

        if use_transaction is None:
            transaction.execute(True)

    def _check_ipv(self, ipv):
        """Raise FirewallError INVALID_IPV unless ipv is ipv4, ipv6 or eb."""
        ipvs = ['ipv4', 'ipv6', 'eb']
        if ipv not in ipvs:
            raise FirewallError(errors.INVALID_IPV,
                                "'%s' not in '%s'" % (ipv, ipvs))

    def _check_ipv_table(self, ipv, table):
        """Check ipv and that *table* is a known table for that family.

        The table list comes from ipXtables.BUILT_IN_CHAINS for ipv4/ipv6
        and ebtables.BUILT_IN_CHAINS for eb.  Raises INVALID_TABLE.
        """
        self._check_ipv(ipv)
        tables = ipXtables.BUILT_IN_CHAINS.keys() if ipv in [ 'ipv4', 'ipv6' ] \
                                                  else ebtables.BUILT_IN_CHAINS.keys()
        if table not in tables:
            raise FirewallError(errors.INVALID_TABLE,
                                "'%s' not in '%s'" % (table, tables))

    def _check_builtin_chain(self, ipv, table, chain):
        """Reject chain names callers are not allowed to create.

        Raises BUILTIN_CHAIN for a kernel built-in chain or a chain the
        backend reserves for itself, and INVALID_CHAIN for a name that
        maps to a firewalld zone chain (ipv4/ipv6 only).  With nftables
        enabled the backend-reserved set is treated as empty.
        """
        if ipv in ['ipv4', 'ipv6']:
            built_in_chains = ipXtables.BUILT_IN_CHAINS[table]
            if self._fw.nftables_enabled:
                our_chains = {}
            else:
                our_chains = self._fw.get_direct_backend_by_ipv(ipv).our_chains[table]
        else:
            built_in_chains = ebtables.BUILT_IN_CHAINS[table]
            our_chains = ebtables.OUR_CHAINS[table]
        if chain in built_in_chains:
            raise FirewallError(errors.BUILTIN_CHAIN,
                                "chain '%s' is built-in chain" % chain)
        if chain in our_chains:
            raise FirewallError(errors.BUILTIN_CHAIN,
                                "chain '%s' is reserved" % chain)
        if ipv in [ "ipv4", "ipv6" ]:
            if self._fw.zone.zone_from_chain(chain) is not None:
                raise FirewallError(errors.INVALID_CHAIN,
                                    "Chain '%s' is reserved" % chain)

    def _register_chain(self, table_id, chain, add):
        """Record (add=True) or forget (add=False) *chain* under *table_id*.

        Also used as the transaction's failure callback with the inverse
        flag, so a failed apply rolls the bookkeeping back.
        """
        if add:
            self._chains.setdefault(table_id, [ ]).append(chain)
        else:
            self._chains[table_id].remove(chain)
            if len(self._chains[table_id]) == 0:
                del self._chains[table_id]

    def add_chain(self, ipv, table, chain, use_transaction=None):
        """Create a direct chain; see _chain for the checks and errors."""
        if use_transaction is None:
            transaction = self.new_transaction()
        else:
            transaction = use_transaction

        #TODO: policy="ACCEPT"
        self._chain(True, ipv, table, chain, transaction)

        if use_transaction is None:
            transaction.execute(True)

    def remove_chain(self, ipv, table, chain, use_transaction=None):
        """Delete a direct chain; see _chain for the checks and errors."""
        if use_transaction is None:
            transaction = self.new_transaction()
        else:
            transaction = use_transaction

        self._chain(False, ipv, table, chain, transaction)

        if use_transaction is None:
            transaction.execute(True)

    def query_chain(self, ipv, table, chain):
        """Return True if *chain* is a tracked direct chain.

        Validates ipv/table and the chain name first, so it raises for
        built-in or reserved names instead of returning False.
        """
        self._check_ipv_table(ipv, table)
        self._check_builtin_chain(ipv, table, chain)
        table_id = (ipv, table)
        return (table_id in self._chains and chain in self._chains[table_id])

    def get_chains(self, ipv, table):
        """Return the tracked direct chains for (ipv, table).

        Returns the live internal list, or a new empty list when none.
        """
        self._check_ipv_table(ipv, table)
        table_id = (ipv, table)
        if table_id in self._chains:
            return self._chains[table_id]
        return [ ]

    def get_all_chains(self):
        """Return all tracked chains as a list of (ipv, table, chain)."""
        r = [ ]
        for key in self._chains:
            (ipv, table) = key
            for chain in self._chains[key]:
                r.append((ipv, table, chain))
        return r

    def add_rule(self, ipv, table, chain, priority, args, use_transaction=None):
        """Insert a direct rule; see _rule for positioning and errors."""
        if use_transaction is None:
            transaction = self.new_transaction()
        else:
            transaction = use_transaction

        self._rule(True, ipv, table, chain, priority, args, transaction)

        if use_transaction is None:
            transaction.execute(True)

    def remove_rule(self, ipv, table, chain, priority, args, use_transaction=None):
        """Delete a direct rule; see _rule for the checks and errors."""
        if use_transaction is None:
            transaction = self.new_transaction()
        else:
            transaction = use_transaction

        self._rule(False, ipv, table, chain, priority, args, transaction)

        if use_transaction is None:
            transaction.execute(True)

    def query_rule(self, ipv, table, chain, priority, args):
        """Return True if (priority, args) is tracked for the chain.

        The lookup key is the (priority, args) tuple as given, so args must
        have the same (hashable) form as when the rule was added.
        """
        self._check_ipv_table(ipv, table)
        chain_id = (ipv, table, chain)
        return chain_id in self._rules and \
            (priority, args) in self._rules[chain_id]

    def get_rules(self, ipv, table, chain):
        """Return the tracked (priority, args) keys for the chain, in insertion order."""
        self._check_ipv_table(ipv, table)
        chain_id = (ipv, table, chain)
        if chain_id in self._rules:
            return list(self._rules[chain_id].keys())
        return [ ]

    def get_all_rules(self):
        """Return all tracked rules as (ipv, table, chain, priority, list(args))."""
        r = [ ]
        for key in self._rules:
            (ipv, table, chain) = key
            for (priority, args) in self._rules[key]:
                r.append((ipv, table, chain, priority, list(args)))
        return r

    def _register_rule(self, rule_id, chain_id, priority, enable):
        """Update _rules and the per-priority counters for one rule.

        enable=True records rule_id and bumps the count for *priority*;
        enable=False removes it and decrements the count.  Used as the
        transaction failure callback with the inverse flag.
        """
        if enable:
            if chain_id not in self._rules:
                self._rules[chain_id] = LastUpdatedOrderedDict()
            self._rules[chain_id][rule_id] = priority
            if chain_id not in self._rule_priority_positions:
                self._rule_priority_positions[chain_id] = { }

            if priority in self._rule_priority_positions[chain_id]:
                self._rule_priority_positions[chain_id][priority] += 1
            else:
                self._rule_priority_positions[chain_id][priority] = 1
        else:
            del self._rules[chain_id][rule_id]
            if len(self._rules[chain_id]) == 0:
                del self._rules[chain_id]
            # The counter is decremented but a zero entry is kept; it just
            # contributes 0 to later index computations in _rule.
            self._rule_priority_positions[chain_id][priority] -= 1

    # DIRECT PASSTHROUGH (untracked)

    def passthrough(self, ipv, args):
        """Run *args* once through the backend for *ipv* and return its output.

        Unlike add_passthrough this is neither recorded nor validated with
        check_passthrough: the arguments go to the backend as given.  Any
        exception is logged at debug2 and re-raised as FirewallError
        COMMAND_FAILED carrying the original message.
        """
        try:
            return self._fw.rule(self._fw.get_direct_backend_by_ipv(ipv).name, args)
        except Exception as msg:
            log.debug2(msg)
            raise FirewallError(errors.COMMAND_FAILED, msg)

    def _register_passthrough(self, ipv, args, enable):
        """Record or forget a passthrough *args* under *ipv* (see _register_chain)."""
        if enable:
            if ipv not in self._passthroughs:
                self._passthroughs[ipv] = [ ]
            self._passthroughs[ipv].append(args)
        else:
            self._passthroughs[ipv].remove(args)
            if len(self._passthroughs[ipv]) == 0:
                del self._passthroughs[ipv]

    def add_passthrough(self, ipv, args, use_transaction=None):
        """Add a tracked passthrough; args is copied to a list first."""
        if use_transaction is None:
            transaction = self.new_transaction()
        else:
            transaction = use_transaction

        self._passthrough(True, ipv, list(args), transaction)

        if use_transaction is None:
            transaction.execute(True)

    def remove_passthrough(self, ipv, args, use_transaction=None):
        """Remove a tracked passthrough; args is copied to a list first."""
        if use_transaction is None:
            transaction = self.new_transaction()
        else:
            transaction = use_transaction

        self._passthrough(False, ipv, list(args), transaction)

        if use_transaction is None:
            transaction.execute(True)

    def query_passthrough(self, ipv, args):
        """Return True if tuple(args) is a tracked passthrough for *ipv*."""
        return ipv in self._passthroughs and \
            tuple(args) in self._passthroughs[ipv]

    def get_all_passthroughs(self):
        """Return all tracked passthroughs as (ipv, list(args))."""
        r = [ ]
        for ipv in self._passthroughs:
            for args in self._passthroughs[ipv]:
                r.append((ipv, list(args)))
        return r

    def get_passthroughs(self, ipv):
        """Return the tracked passthroughs for *ipv* as lists of args."""
        r = [ ]
        if ipv in self._passthroughs:
            for args in self._passthroughs[ipv]:
                r.append(list(args))
        return r

    def _rule(self, enable, ipv, table, chain, priority, args, transaction):
        """Queue an insert (enable=True) or delete of one direct rule.

        Resolves the real target chain (a "<chain>_direct" child for
        built-in chains on iptables, the plain chain under nftables),
        computes the ip*tables insert index from the per-priority counters
        so rules stay ordered by priority, queues the backend command on
        *transaction* and registers the bookkeeping with a rollback hook.

        Raises ALREADY_ENABLED when adding a tracked rule and NOT_ENABLED
        when removing an unknown one.
        """
        self._check_ipv_table(ipv, table)
        # Do not create zone chains if we're using nftables. Only allow direct
        # rules in the built in chains.
        if not self._fw.nftables_enabled \
           and ipv in [ "ipv4", "ipv6" ]:
            self._fw.zone.create_zone_base_by_chain(ipv, table, chain, transaction)

        _chain = chain

        backend = self._fw.get_direct_backend_by_ipv(ipv)

        # if nftables is in use, just put the direct rules in the chain
        # specified by the user. i.e. don't append _direct.
        if not self._fw.nftables_enabled \
           and backend.is_chain_builtin(ipv, table, chain):
            _chain = "%s_direct" % (chain)
        elif self._fw.nftables_enabled and chain[-7:] == "_direct" \
             and backend.is_chain_builtin(ipv, table, chain[:-7]):
            # strip _direct suffix. If we're using nftables we don't bother
            # creating the *_direct chains for builtin chains.
            _chain = chain[:-7]

        chain_id = (ipv, table, chain)
        rule_id = (priority, args)

        if enable:
            if chain_id in self._rules and \
               rule_id in self._rules[chain_id]:
                raise FirewallError(errors.ALREADY_ENABLED,
                                    "rule '%s' already is in '%s:%s:%s'" % \
                                    (args, ipv, table, chain))
        else:
            if chain_id not in self._rules or \
               rule_id not in self._rules[chain_id]:
                raise FirewallError(errors.NOT_ENABLED,
                                    "rule '%s' is not in '%s:%s:%s'" % \
                                    (args, ipv, table, chain))
            # get priority of rule (the stored value; it equals the
            # priority component of rule_id)
            priority = self._rules[chain_id][rule_id]

        # If a rule gets added, the initial rule index position within the
        # ipv, table and chain combination (chain_id) is 1.
        # If the chain_id exists in _rule_priority_positions, there are already
        # other rules for this chain_id. The number of rules for a priority
        # less or equal to the priority of the new rule will increase the
        # index of the new rule. The index is the ip*tables -I insert rule
        # number.
        #
        # Example: We have the following rules for chain_id (ipv4, filter,
        # INPUT) already:
        #   ipv4, filter, INPUT, 1, -i, foo1, -j, ACCEPT
        #   ipv4, filter, INPUT, 2, -i, foo2, -j, ACCEPT
        #   ipv4, filter, INPUT, 2, -i, foo2_1, -j, ACCEPT
        #   ipv4, filter, INPUT, 3, -i, foo3, -j, ACCEPT
        # This results in the following _rule_priority_positions structure:
        #   _rule_priority_positions[(ipv4,filter,INPUT)][1] = 1
        #   _rule_priority_positions[(ipv4,filter,INPUT)][2] = 2
        #   _rule_priority_positions[(ipv4,filter,INPUT)][3] = 1
        # The new rule
        #   ipv4, filter, INPUT, 2, -i, foo2_2, -j, ACCEPT
        # has the same priority as the second rule before and will be added
        # right after it.
        # The initial index is 1 and the chain_id is already in
        # _rule_priority_positions. Therefore the index will increase for
        # the number of rules in every rule position in
        # _rule_priority_positions[(ipv4,filter,INPUT)].keys()
        # where position is smaller or equal to the entry in keys.
        # With the example from above:
        # The priority of the new rule is 2. Therefore for all keys in
        # _rule_priority_positions[chain_id] where priority is 1 or 2, the
        # number of the rules will increase the index of the rule.
        # For _rule_priority_positions[chain_id][1]: index += 1
        #     _rule_priority_positions[chain_id][2]: index += 2
        # index will be 4 in the end and the rule in the table chain
        # combination will be added at index 4.
        # If there are no rules in the table chain combination, a new rule
        # has index 1.
        index = 1
        if chain_id in self._rule_priority_positions:
            positions = sorted(self._rule_priority_positions[chain_id].keys())
            j = 0
            while j < len(positions) and priority >= positions[j]:
                index += self._rule_priority_positions[chain_id][positions[j]]
                j += 1

        transaction.add_rule(backend,
                             backend.build_rule(enable, table, _chain, index, args))

        # Register now; the fail hook undoes it if the transaction fails.
        self._register_rule(rule_id, chain_id, priority, enable)
        transaction.add_fail(self._register_rule, rule_id, chain_id, priority,
                             not enable)

    def _chain(self, add, ipv, table, chain, transaction):
        """Queue creation (add=True) or deletion of one direct chain.

        Validates ipv/table and the chain name via _check_builtin_chain,
        raises ALREADY_ENABLED / NOT_ENABLED for duplicate add or unknown
        remove, queues the backend chain rules and registers the chain
        with a rollback hook.
        """
        self._check_ipv_table(ipv, table)
        self._check_builtin_chain(ipv, table, chain)

        table_id = (ipv, table)

        if add:
            if table_id in self._chains and \
               chain in self._chains[table_id]:
                raise FirewallError(errors.ALREADY_ENABLED,
                                    "chain '%s' already is in '%s:%s'" % \
                                    (chain, ipv, table))
        else:
            if table_id not in self._chains or \
               chain not in self._chains[table_id]:
                raise FirewallError(errors.NOT_ENABLED,
                                    "chain '%s' is not in '%s:%s'" % \
                                    (chain, ipv, table))

        backend = self._fw.get_direct_backend_by_ipv(ipv)
        transaction.add_rules(backend, backend.build_chain_rules(add, table, chain))

        self._register_chain(table_id, chain, add)
        transaction.add_fail(self._register_chain, table_id, chain, not add)

    def _passthrough(self, enable, ipv, args, transaction):
        """Queue add (enable=True) or removal of one tracked passthrough.

        Duplicate add raises ALREADY_ENABLED, unknown remove NOT_ENABLED.
        On add the backend validates the arguments (check_passthrough)
        before use and, for ipv4/ipv6, the zone base chain for the table
        and chain parsed from the arguments is created.
        (Body continues past the end of this chunk.)
        """
        self._check_ipv(ipv)

        tuple_args = tuple(args)
        if enable:
            if ipv in self._passthroughs and \
               tuple_args in self._passthroughs[ipv]:
                raise FirewallError(errors.ALREADY_ENABLED,
                                    "passthrough '%s', '%s'" % (ipv, args))
        else:
            if ipv not in self._passthroughs or \
               tuple_args not in self._passthroughs[ipv]:
                raise FirewallError(errors.NOT_ENABLED,
                                    "passthrough '%s', '%s'" % (ipv, args))

        backend = self._fw.get_direct_backend_by_ipv(ipv)

        if enable:
            backend.check_passthrough(args)

            # try to find out if a zone chain should be used
            if ipv in [ "ipv4", "ipv6" ]:
                table, chain = backend.passthrough_parse_table_chain(args)
                if table and chain:
                    self._fw.zone.create_zone_base_by_chain(ipv, table, chain)
            _args = args
        else:
_args = backend.reverse_passthrough(args) transaction.add_rule(backend, _args) self._register_passthrough(ipv, tuple_args, enable) transaction.add_fail(self._register_passthrough, ipv, tuple_args, not enable) core/fw_icmptype.pyc000064400000005773147576556050010577 0ustar00 c`c@s_dgZddlZddlmZddlmZddlmZdefdYZ dS(tFirewallIcmpTypeiN(tlog(terrors(t FirewallErrorcBsPeZdZdZdZdZdZdZdZdZ RS(cCs||_i|_dS(N(t_fwt _icmptypes(tselftfw((s=/usr/lib/python2.7/site-packages/firewall/core/fw_icmptype.pyt__init__s cCsd|j|jfS(Ns%s(%r)(t __class__R(R((s=/usr/lib/python2.7/site-packages/firewall/core/fw_icmptype.pyt__repr__"scCs|jjdS(N(Rtclear(R((s=/usr/lib/python2.7/site-packages/firewall/core/fw_icmptype.pytcleanup%scCst|jjS(N(tsortedRtkeys(R((s=/usr/lib/python2.7/site-packages/firewall/core/fw_icmptype.pyt get_icmptypes*scCs(||jkr$ttj|ndS(N(RRRtINVALID_ICMPTYPE(Rticmptype((s=/usr/lib/python2.7/site-packages/firewall/core/fw_icmptype.pytcheck_icmptype-scCs|j||j|S(N(RR(RR((s=/usr/lib/python2.7/site-packages/firewall/core/fw_icmptype.pyt get_icmptype1s cCs_|j}t|dkr*ddg}n|}x|D]}|dkrk|jjs\q8n|jj}n3|dkr|jjsq8n|jj}ng}|jj|kr8t j d|j|f|j |q8q8Wt|t|krKt|dkr t t jdntj|}||_||j|js  core/ipset.pyc000064400000022232147576556050007362 0ustar00 c`c @sdZdddgZddlZddlmZddlmZddlm Z dd l m Z dd l m Z mZdd lmZd Zd ddddddddddg Zidd6dd6dd6dd6Zidd6d d6d!d6Zdefd"YZd#Zd$ZdS(%sThe ipset command wrappertipsettcheck_ipset_nametremove_default_create_optionsiN(terrors(t FirewallError(trunProg(tlog(ttempFiletreadfile(tCOMMANDSi shash:ips hash:ip,portshash:ip,port,ipshash:ip,port,nets hash:ip,markshash:nets hash:net,nets hash:net,portshash:net,port,netshash:net,ifaceshash:macs inet|inet6tfamilytvaluethashsizetmaxelems value in secsttimeouttinett1024t65536cBseZdZdZdZdZdZdZddZ dZ dZ d Z dd Z ddd Zd Zdd ZdddZdZdZdZdZRS(sipset command wrapper classcCstd|_d|_dS(NR(R t_commandtname(tself((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyt__init__Js cCsg|D]}d|^q}tjd|j|jdj|t|j|\}}|dkrtd|jdj||fn|S(sCall ipset with 
argss%ss %s: %s %st is'%s %s' failed: %s(Rtdebug2t __class__RtjoinRt ValueError(Rtargstitemt_argststatustret((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyt__runNs%  cCs/t|tkr+ttjd|ndS(sCheck ipset namesipset name '%s' is not validN(tlentIPSET_MAXNAMELENRRt INVALID_NAME(RR((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyt check_nameYs cCsg}d}y|jdg}Wn$tk rH}tjd|nX|j}t}x{|D]s}|r|jjdd}|d|kr|dt kr|j |dqn|j drbt }qbqbW|S(s?Return types that are supported by the ipset command and kernelts--helpsipset error: %siisSupported set types:N( t _ipset__runRRtdebug1t splitlinestFalsetstriptsplittNonet IPSET_TYPEStappendt startswithtTrue(RRtoutputtextlinestin_typestlinetsplits((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pytset_supported_types_s     cCs;t|tks|tkr7ttjd|ndS(sCheck ipset types!ipset type name '%s' is not validN(R!R"R-RRt INVALID_TYPE(Rt type_name((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyt check_typets cCs|j||j|d||g}t|trxF|jD]5\}}|j||dkrE|j|qEqEWn|j|S(s+Create an ipset with name, type and optionstcreateR%(R$R:t isinstancetdicttitemsR.R&(Rtset_nameR9toptionsRtkeytval((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyt set_createzs    cCs |j||jd|gS(Ntdestroy(R$R&(RR?((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyt set_destroys cCsd||g}|j|S(Ntadd(R&(RR?tentryR((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pytset_addscCsd||g}|j|S(Ntdel(R&(RR?RGR((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyt set_deletescCs?d||g}|r2|jddj|n|j|S(Nttests%sR(R.RR&(RR?RGR@R((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyRKscCsKdg}|r|j|n|r5|j|n|j|jdS(Ntlists (R.textendR&R+(RR?R@R((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pytset_lists  c Cs|jddg}i}d}}i}x|D]z}t|dkrPq2ng|jddD]}|j^qc}t|dkrq2q2|ddkr|d}q2|ddkr|d}q2|dd kr2|dj} d} xz| t| kro| | } | dkrbt| | krK| d7} | | || R.twriteRtclosetoststatRRRRRtst_sizeRtgetDebugLogLevelRt 
Exceptiontdebug3tendswithtunlinkR(RR?R9tentriestcreate_optionst entry_optionst temp_fileRRARBRGRfRRR[R5((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyt set_restoresV              #  cCs,dg}|r|j|n|j|S(Ntflush(R.R&(RR?R((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyt set_flushs cCs|jd||gS(Ntrename(R&(Rt old_set_namet new_set_name((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyRt scCs|jd||gS(Ntswap(R&(Rt set_name_1t set_name_2((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyRwscCs|jdgS(Ntversion(R&(R((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyRzsN(t__name__t __module__t__doc__RR&R$R7R:R,RCRERHRJRKRNR]R^RqRsRtRwRz(((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyRGs&         ' 7   cCst|tkrtStS(s"Return true if ipset name is valid(R!R"R)R0(R((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyRscCsK|j}x8tD]0}||krt|||kr||=qqW|S(s( Return only non default create options (tcopytIPSET_DEFAULT_CREATE_OPTIONS(R@RXR\((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyRs    (R}t__all__tos.pathRetfirewallRtfirewall.errorsRtfirewall.core.progRtfirewall.core.loggerRtfirewall.functionsRRtfirewall.configR R"R-tIPSET_CREATE_OPTIONSRtobjectRRR(((s7/usr/lib/python2.7/site-packages/firewall/core/ipset.pyts@     core/fw.pyo000064400000075261147576556050006700 0ustar00 c`c@sdgZddlZddlZddlZddlZddlZddlmZddlm Z ddl m Z ddl m Z ddl m Z ddl mZdd l mZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddl m!Z!ddl"m#Z#ddl$m%Z%ddl&m'Z'ddl(m)Z)ddl*m+Z+ddl,m-Z-m.Z.ddl/m0Z0ddl1m2Z2ddlm3Z3ddl4m5Z5de6fdYZ7dS(tFirewalliN(tconfig(t functions(t ipXtables(tebtables(tnftables(tipset(tmodules(tFirewallIcmpType(tFirewallService(t FirewallZone(tFirewallDirect(tFirewallConfig(tFirewallPolicies(t FirewallIPSet(tFirewallTransaction(tFirewallHelper(tlog(tfirewalld_conf(tDirect(tservice_reader(ticmptype_reader(t zone_readertZone(t ipset_reader(t helper_reader(terrors(t FirewallErrorcBseZdZdZdZdZdZdZeedZ dZ edZ d Z d Z d Zd Zd 
ZdZdZdZdZdZdZdZdZedZedZedZedZdZdZdZ dZ!dZ"dZ#d Z$d!Z%d"Z&d#Z'd$Z(d%Z)ed&Z*d'Z+d(Z,d)Z-d*Z.d+Z/d,Z0d-Z1d.Z2d/Z3d0Z4RS(1cCs@ttj|_tj||_t|_g|_ tj ||_ t|_ g|_ tj|_t|_tj|_t|_g|_tj||_t|_tj|_t||_t||_t||_t ||_!t"||_t#|_$t%||_t&||_'|j(dS(N()RRtFIREWALLD_CONFt_firewalld_confRt ip4tablestip4tables_backendtTruetip4tables_enabledtip4tables_supported_icmp_typest ip6tablestip6tables_backendtip6tables_enabledtip6tables_supported_icmp_typesRtebtables_backendtebtables_enabledRt ipset_backendt ipset_enabledtipset_supported_typesRtnftables_backendtnftables_enabledRtmodules_backendRticmptypeR tserviceR tzoneR tdirectR R tpoliciesRRthelpert_Firewall__init_vars(tself((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt__init__?s0         cCshd|j|j|j|j|j|j|j|j|j|j |j |j |j |j |j|jfS(Ns>%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)(t __class__R!R%R(t_statet_panict _default_zonet_module_refcountt_markst _min_marktcleanup_on_exittipv6_rpfilter_enabledR*t_individual_callst _log_deniedt_automatic_helpers(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt__repr__]scCsd|_t|_d|_i|_g|_tj|_tj |_ tj |_ tj |_tj|_tj|_tj|_d|_tj|_dS(NtINITti(R9tFalseR:R;R<R=RtFALLBACK_MINIMAL_MARKR>tFALLBACK_CLEANUP_ON_EXITR?tFALLBACK_IPV6_RPFILTERR@tFALLBACK_INDIVIDUAL_CALLSRAtFALLBACK_LOG_DENIEDRBtFALLBACK_AUTOMATIC_HELPERSRCtFALLBACK_FIREWALL_BACKENDt_firewall_backendtnf_conntrack_helper_settingtFALLBACK_ALLOW_ZONE_DRIFTINGt_allow_zone_drifting(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt __init_varsfs             cCs|jS(N(RA(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytindividual_callswscCs|jr=d|jdjkr=tjdt|_n|jrzd|jdjkrztjdt|_n|jrd|jdjkrtjdt|_n|j r|j r|j rtj dt j d ndS( Ntfiltertipv4s-iptables not usable, disabling IPv4 firewall.tipv6s.ip6tables not usable, disabling IPv6 firewall.tebs8ebtables not usable, disabling ethernet bridge firewall.sNo IPv4 and IPv6 firewall.i( 
R!tget_backend_by_ipvtget_available_tablesRtwarningRGR%R(R-tfataltsystexit(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt _check_tableszs            cCsy|jjWn0tk rCtjdt|_g|_nX|jj|_|j j |j j s|j j rtjdqtjdt|_ n|j r|j j|_n g|_|jj |jj s|jj rtjdqtjdt|_n|jr7|jj|_n g|_|jj |jj s|jj rutjdqtjdt|_n|jr|j r|jj rtjdndS( Ns4ipset not usable, disabling ipset usage in firewall.sFiptables-restore is missing, using individual calls for IPv4 firewall.sCiptables-restore and iptables are missing, disabling IPv4 firewall.sGip6tables-restore is missing, using individual calls for IPv6 firewall.sEip6tables-restore and ip6tables are missing, disabling IPv6 firewall.sHebtables-restore is missing, using individual calls for bridge firewall.sEebtables-restore and ebtables are missing, disabling bridge firewall.sSebtables-restore is not supporting the --noflush option, will therefore not be used(R)tset_listt ValueErrorRR[RGR*R+tset_supported_typesRt fill_existstrestore_command_existstcommand_existsR!tsupported_icmp_typesR"R$R%R&R'R(RAtrestore_noflush_optiontdebug1(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt _start_checksD                        cCsw tj}tjdtjy|jjWn-tk r\}tj|tjdnX|jj dr|jj d}n|jj drt |jj d|_ n|jj dr|jj d}|dk r|j d<krt|_ntjd|jn|jj d r|jj d }|dk r|j d=krtjd y|jjWqtk rqXqn|jj d r|jj d }|dk r|j d>krt|_n|j d?krt|_qqn|jrtjdn tjd|jj dr|jj d}|dk r|j d@krtjdt|_qn|jj dr|jj d}|dks|j dkrd|_q|j |_tjd|jn|jj dr|jj d}|dk r|j dAkrId|_n-|j dBkrgd |_n|j |_tjd|jqn|jj dr|jj d}|j dCkrt|_nt|_tjdtjd|jn|jjtj|j|j|j|jtjdy|jjjWn]tk r}|jj rtj!d|jjj"|qtjd|jjj"|nX|jj#tj|j|j$tj%d|j$tj&d|j$tj'd|j$tj(dt)|j*j+dkrGtj!dn|j$tj,d |j$tj-d |j$tj.d!|j$tj/d!t)|j0j1dkrtj!d"n|j$tj2d#|j$tj3d#t)|j4j5dkrtj6d$t7j8d%nt}xEd&d'd(gD]4}||j4j5kr2tj6d)|t}q2q2W|rt7j8d%n||j4j5krd*|j4j5krd*}n$d+|j4j5krd+}nd&}tj!d,|||}ntjd-|t9tj:} t;j<j=tj:rxtjd.tj:y| jWqxtk rt}tj!d/tj:|qxXn|j>j?| |jj@tj| |jAd0gt\} }| dkrtjd1|n|jd2krtBjC|jd kntBjD|_E|jFtjGdkr>tHjH} ntI|} |jJd3| |rf|s~|jKr|jLjMr| jNt| jOn|r|rtjd4|jPjQn|jRd3| | 
jNt| jO|jKr |jLjMr tjd5|jLjSntjd6|jTd3| tjd7|j4jUd3| |jV||_W|j4jXd|jWd3| | jNt| jO|j>jYr: tjd8|j>jZ| y| jNt| jOWq: tk r# } t| j[d9| j\r | j\nd:q: tk r6 q: Xn~ tjGd%krs tHjH}tj]d;|| ndS(DNs"Loading firewalld config file '%s's0Using fallback firewalld configuration settings.t DefaultZonet MinimalMarkt CleanupOnExittnotfalsesCleanupOnExit is set to '%s'tLockdowntyesttruesLockdown is enabledt IPv6_rpfiltersIPv6 rpfilter is enabledsIPV6 rpfilter is disabledtIndividualCallssIndividualCalls is enabledt LogDeniedtoffsLogDenied is set to '%s'tAutomaticHelperssAutomaticHelpers is set to '%s'tAllowZoneDriftingsAllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.s AllowZoneDrifting is set to '%s'sLoading lockdown whitelists*Failed to load lockdown whitelist '%s': %sRR/isNo icmptypes found.R4R0sNo services found.R1sNo zones found.itblocktdropttrustedsZone '%s' is not available.tpublictexternals+Default zone '%s' is not valid. 
Using '%s'.sUsing default zone '%s'sLoading direct rules file '%s's)Failed to load direct rules file '%s': %st nf_conntracks&Failed to load nf_conntrack module: %stsystemtuse_transactionsUnloading firewall modulessApplying ipsetssApplying default rule setsApplying used zoness2Applying direct chains rules and passthrough ruless Direct: %sRFs%Flushing and applying took %f seconds(RmRn(syesRq(RmRn(syesRq(syesRq(RmRn(syesRq(RmRn(^Rt FALLBACK_ZONERRhRRtreadt ExceptionR[tgettintR>tNonetlowerRGR?R3tenable_lockdownRR@R RARBRCRRtset_firewalld_conftcopytdeepcopyt_select_firewall_backendRORitlockdown_whitelisttquery_lockdownterrortfilenamet set_policiest_loadertFIREWALLD_IPSETStETC_FIREWALLD_IPSETStFIREWALLD_ICMPTYPEStETC_FIREWALLD_ICMPTYPEStlenR/t get_icmptypestFIREWALLD_HELPERStETC_FIREWALLD_HELPERStFIREWALLD_SERVICEStETC_FIREWALLD_SERVICESR0t get_servicestFIREWALLD_ZONEStETC_FIREWALLD_ZONESR1t get_zonesR\R]R^RtFIREWALLD_DIRECTtostpathtexistsR2tset_permanent_configt set_directthandle_modulesRtset_nf_conntrack_helper_settingtget_nf_conntrack_helper_settingRPR_tgetDebugLogLevelttimeRtflushR*Rt has_ipsetstexecutetclearR.tunload_firewall_modulestapply_default_tablest apply_ipsetstapply_default_rulest apply_zonest check_zoneR;tchange_default_zonethas_configurationt apply_directtcodetmsgtdebug2(R6treloadtcomplete_reloadt default_zoneRtvalueRtzR1tobjtstatusttm1t transactiontettm2((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt_startsR                                                      +   cCsUy|jWn*tk r:d|_|jdnXd|_|jddS(NtFAILEDtACCEPTtRUNNING(RRR9t set_policy(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytstarts    c Cstjj|sdS|r|jtjr}|dkr}t}tjj||_|j |j||_t |_ qt }nx[t tj |D]D}|jds|jtjr|dkrtjjd||fr|jd||f|dtqqnd||f}tjd||yP|dkrAt||}|j|jjkr|jj|j}tjd||j|j|j|jj|jn!|jjtjrt|_ ny|jj|Wn3tk r$} tjd|jt| fnX|jjtj|nE|d krt||}|j|j j!kr|j j"|j}tjd||j|j|j|j j#|jn!|jjtjrt|_ n|j j$||jj$tj|nx|dkrt%||d |}|rzdtjj|tjj|d d !f|_|j |jntj|} |j|j&j'kr#|j&j(|j}|j&j)|j|j*rtjd 
||j|||j+|qMtjd||j|j|jn*|jjtjrMt|_ t| _ n|jj,| |rtjd ||j|||j+|q|j&j,|n|dkrt-||}|j|j.j/kr"|j.j0|j}tjd||j|j|j|j.j1|jn!|jjtjrCt|_ ny|j.j2|Wn3tk r} tj3d|jt| fnX|jj2tj|n|dkrvt4||}|j|j5j6kr)|j5j7|j}tjd||j|j|j|j5j8|jn!|jjtjrJt|_ n|j5j9||jj9tj|ntj:d|Wqtk r} tj;d||| qt<k rtj;d||tj=qXqW|r|j*r|j|j&j'kr|j&j(|j}tjd||j|j|jy|j&j)|jWnt<k rlnX|jj>|jn|j&j,|ndS(NR1s.xmls%s/%stcombinesLoading %s file '%s'R/s Overloads %s '%s' ('%s/%s')s%s: %s, ignoring for run-time.R0t no_check_nameiis Combining %s '%s' ('%s/%s')RR4sUnknown reader type %ssFailed to load %s file '%s': %ssFailed to load %s file '%s':s0 Overloading and deactivating %s '%s' ('%s/%s')(?RRtisdirt startswithRt ETC_FIREWALLDRtbasenametnamet check_nameRGtdefaulttsortedtlistdirtendswithRR RRhRR/Rt get_icmptypeRtremove_icmptypet add_icmptypeRtinfo1tstrRRRR0Rt get_servicetremove_servicet add_serviceRR1Rtget_zonet remove_zonetcombinedRtadd_zoneRRt get_ipsetst get_ipsett remove_ipsett add_ipsetR[RR4t get_helperst get_helpert remove_helpert add_helperR\RRt exceptiont forget_zone( R6Rt reader_typeRt combined_zoneRRRtorig_objRt config_objR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRs                                                cCs|jj|jj|jj|jj|jj|jj|jj|jj|j j|j dS(N( R/tcleanupR0R1RR4RR2R3RR5(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRls         cCs>|jr0|j|jd|jjn|jdS(NR(R?RRR.RR(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytstopxs    cCs=|j}x||jkr(|d7}q W|jj||S(Ni(R>R=tappend(R6ti((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytnew_marks  cCs|jj|dS(N(R=tremove(R6tmark((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytdel_marksc Cs"d}d}x t|D]\}}|rF|jj|\}}n4|j|dkrbd}n|jj|\}}|dkr|d7}||7}qn|r|jj|d|j|cd7|j|jn|jrZ|j|jn|jrv|j|jn|S(N( R-RR,R!RR%R$R(R'(R6tbackends((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytenabled_backendss    cCszg}|jr"|j|jn|jr>|j|jn|jrZ|j|jn|jrv|j|jn|S(N( R!RRR%R$R(R'R-R,(R6R ((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRs    
cCsn|dkrt|}n|}x*|jD]}|j||jq.W|dkrj|jtndS(N(RRR t add_rulestbuild_default_tablesRR (R6RRR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRs  cCs3|dkrt|}n|}x6|jD](}|j|j}|j||q.W|jdr|jd}|jrd|j kr|j t |j |j |j}|j||y|j t Wn#tk r}tjd|nX|j qn|dkr/|j t ndS(NRWtraws+Applying rules for ipv6_rpfilter failed: %s(RRR tbuild_default_rulesRBRR RYR@RZRR Rtbuild_rpfilter_rulesRRR[(R6RRRtrulest ipv6_backendR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRs*     cCs|dkrt|}n|}tjdx0|jD]"}|j}|j||q;W|dkr}|jtndS(NsFlushing rule set( RRRRhRtbuild_flush_rulesRRR (R6RRRR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR+s    cCs|dkrt|}n|}tjd|x3|jD]%}|j|}|j||q>W|dkr|jtndS(NsSetting policy to '%s'( RRRRhR tbuild_set_policy_rulesRRR (R6tpolicyRRRR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR:s  cCs^|s dS|j|}|s8ttjd|n|j|sKdS|j||jS(NRFs'%s' is not a valid backend(RRRRR tset_ruleRB(R6t backend_nametruleR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRKs c Cs\ttd|}|j|}|sCttjd|n|j|sVdS|js|j s|dkrE|j j rExt |D]\}}y|j ||jWqtk r<}tjtjtj|xLt|| D]:}y |j |j||jWqtk r.qXqW|qXqWtS|j||jSdS(Ns'%s' is not a valid backendRFR(tlistRURRRRRR RARdR'RgRRRBRRRht tracebackt format_excRtreversedt reverse_ruleR t set_rules(R6RRt_rulesRRRR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRYs0      cCs|jrttjndS(N(R:RRt PANIC_MODE(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt check_paniczs cCsV|}| s|dkr(|j}n||jjkrRttj|n|S(NRF(tget_default_zoneR1RRRt INVALID_ZONE(R6R1t_zone((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR~s cCs(tj|s$ttj|ndS(N(RtcheckInterfaceRRtINVALID_INTERFACE(R6t interface((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytcheck_interfacescCs|jj|dS(N(R0t check_service(R6R0((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR+scCs(tj|s$ttj|ndS(N(Rt check_portRRt INVALID_PORT(R6tport((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR,scCsA|sttjn|dkr=ttjd|ndS(Nttcptudptsctptdccps''%s' not in 
{'tcp'|'udp'|'sctp'|'dccp'}(R/R0R1R2(RRtMISSING_PROTOCOLtINVALID_PROTOCOL(R6tprotocol((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt check_tcpudps   cCs(tj|s$ttj|ndS(N(RtcheckIPRRt INVALID_ADDR(R6tip((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytcheck_ipscCs||dkr3tj|sxttj|qxnE|dkrftj|sxttj|qxnttjddS(NRVRWs'%s' not in {'ipv4'|'ipv6'}(Rt checkIPnMaskRRR8t checkIP6nMaskR(R6Rtsource((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt check_addresss   cCs|jj|dS(N(R/tcheck_icmptype(R6ticmp((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR?scCs]t|ts.td|t|fnt|dkrYttjd|ndS(Ns%s is %s, expected intis#timeout '%d' is not positive number(t isinstanceRt TypeErrorttypeRRt INVALID_VALUE(R6ttimeout((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt check_timeouts  c Cs9|j}i}x1|jjD] }|jj|d||R?RFRRXRPR\R]R^RdReRgR$Rk(((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR>sd     7      $    !         K       (8t__all__tos.pathRR]RRRtfirewallRRt firewall.coreRRRRRtfirewall.core.fw_icmptypeRtfirewall.core.fw_serviceR tfirewall.core.fw_zoneR tfirewall.core.fw_directR tfirewall.core.fw_configR tfirewall.core.fw_policiesR tfirewall.core.fw_ipsetRtfirewall.core.fw_transactionRtfirewall.core.fw_helperRtfirewall.core.loggerRtfirewall.core.io.firewalld_confRtfirewall.core.io.directRtfirewall.core.io.serviceRtfirewall.core.io.icmptypeRtfirewall.core.io.zoneRRtfirewall.core.io.ipsetRtfirewall.core.io.helperRRtfirewall.errorsRtobjectR(((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyts@      core/icmp.py000064400000006035147576556050007026 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2017 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
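#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
#

"""ICMP and ICMPv6 type tables plus name / "type/code" validators.

The ``check_*`` helpers are membership tests against the two tables; they
are the only validation these names and codes get here.  The ``*_name``
helpers were previously not exported and ``check_icmpv6_name`` consulted
the IPv4 table, so IPv6-only names were rejected and IPv4-only names
accepted; both are fixed below.
"""

__all__ = [ "ICMP_TYPES", "ICMPV6_TYPES",
            "check_icmp_name", "check_icmpv6_name",
            "check_icmp_type", "check_icmpv6_type" ]

# name -> "type/code"; several names are aliases of the same code
# (e.g. "pong"/"echo-reply", "ping"/"echo-request").
ICMP_TYPES = {
    "echo-reply": "0/0",
    "pong": "0/0",
    "network-unreachable": "3/0",
    "host-unreachable": "3/1",
    "protocol-unreachable": "3/2",
    "port-unreachable": "3/3",
    "fragmentation-needed": "3/4",
    "source-route-failed": "3/5",
    "network-unknown": "3/6",
    "host-unknown": "3/7",
    "network-prohibited": "3/9",
    "host-prohibited": "3/10",
    "TOS-network-unreachable": "3/11",
    "TOS-host-unreachable": "3/12",
    "communication-prohibited": "3/13",
    "host-precedence-violation": "3/14",
    "precedence-cutoff": "3/15",
    "source-quench": "4/0",
    "network-redirect": "5/0",
    "host-redirect": "5/1",
    "TOS-network-redirect": "5/2",
    "TOS-host-redirect": "5/3",
    "echo-request": "8/0",
    "ping": "8/0",
    "router-advertisement": "9/0",
    "router-solicitation": "10/0",
    "ttl-zero-during-transit": "11/0",
    "ttl-zero-during-reassembly": "11/1",
    "ip-header-bad": "12/0",
    "required-option-missing": "12/1",
    "timestamp-request": "13/0",
    "timestamp-reply": "14/0",
    "address-mask-request": "17/0",
    "address-mask-reply": "18/0",
}

# name -> "type/code" for ICMPv6.  The misspelled "neigbour-*" keys are
# kept on purpose as accepted aliases of the "neighbour-*" names.
ICMPV6_TYPES = {
    "no-route": "1/0",
    "communication-prohibited": "1/1",
    "address-unreachable": "1/3",
    "port-unreachable": "1/4",
    "packet-too-big": "2/0",
    "ttl-zero-during-transit": "3/0",
    "ttl-zero-during-reassembly": "3/1",
    "bad-header": "4/0",
    "unknown-header-type": "4/1",
    "unknown-option": "4/2",
    "echo-request": "128/0",
    "ping": "128/0",
    "echo-reply": "129/0",
    "pong": "129/0",
    "router-solicitation": "133/0",
    "router-advertisement": "134/0",
    "neighbour-solicitation": "135/0",
    "neigbour-solicitation": "135/0",
    "neighbour-advertisement": "136/0",
    "neigbour-advertisement": "136/0",
    "redirect": "137/0",
}


def check_icmp_name(_name):
    """Return True if *_name* is a known ICMP (IPv4) type name."""
    return _name in ICMP_TYPES


def check_icmp_type(_type):
    """Return True if *_type* is a known ICMP "type/code" string (e.g. "3/4")."""
    return _type in ICMP_TYPES.values()


def check_icmpv6_name(_name):
    """Return True if *_name* is a known ICMPv6 type name.

    Looks up ICMPV6_TYPES; the previous implementation looked up
    ICMP_TYPES, so e.g. "no-route" was rejected and "address-mask-request"
    was accepted.
    """
    return _name in ICMPV6_TYPES


def check_icmpv6_type(_type):
    """Return True if *_type* is a known ICMPv6 "type/code" string (e.g. "128/0")."""
    return _type in ICMPV6_TYPES.values()

# -*- coding: utf-8 -*-
#
# Copyright (C) 2010-2016 Red Hat, Inc.
#
# Authors:
# Thomas Woerner
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .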
#
"""modules backend"""

__all__ = [ "modules" ]

from firewall.core.prog import runProg
from firewall.core.logger import log
from firewall.config import COMMANDS

class modules(object):
    """Kernel module backend: enumerate, load and unload modules.

    Loading and unloading go through ``runProg`` with the executable from
    ``COMMANDS`` and the module name as a separate argument (an argument
    list, not a shell string).  ``runProg`` is expected to return a
    ``(status, output)`` pair, as consumed by ``unload_firewall_modules()``.
    """
    def __init__(self):
        self._load_command = COMMANDS["modprobe"]
        # Use rmmod instead of modprobe -r (RHBZ#1031102)
        self._unload_command = COMMANDS["rmmod"]

    def __repr__(self):
        return '%s' % (self.__class__)

    def loaded_modules(self):
        """Read /proc/modules and return ``(mods, deps)``.

        ``mods`` is the list of loaded module names in file order; ``deps``
        maps each module to the list of modules that depend on it, taken
        from the 4th whitespace-separated field of each line.  That field is
        either ``-`` (no dependants) or a comma-separated list with a
        trailing comma, which is why the last (empty) element of the split
        is dropped.
        """
        mods = [ ]
        deps = { }
        with open("/proc/modules", "r") as f:
            for line in f:
                if not line:
                    break
                line = line.strip()
                splits = line.split()
                mods.append(splits[0])
                if splits[3] != "-":
                    deps[splits[0]] = splits[3].split(",")[:-1]
                else:
                    deps[splits[0]] = [ ]
        return mods, deps # [loaded modules], {module:[dependants]}

    def load_module(self, module):
        """Run the load command for *module* and return runProg's result."""
        log.debug2("%s: %s %s", self.__class__, self._load_command, module)
        return runProg(self._load_command, [ module ])

    def unload_module(self, module):
        """Run the unload command for *module* and return runProg's result."""
        log.debug2("%s: %s %s", self.__class__, self._unload_command, module)
        return runProg(self._unload_command, [ module ])

    def get_deps(self, module, deps, ret):
        """Append *module* and, recursively, everything depending on it to *ret*.

        Dependants are appended before the module they depend on, so *ret*
        is ordered for front-to-back unloading.  A module absent from *deps*
        contributes nothing; names already in *ret* are not added twice.
        """
        if module not in deps:
            return
        for mod in deps[module]:
            self.get_deps(mod, deps, ret)
            if mod not in ret:
                ret.append(mod)
        if module not in ret:
            ret.append(module)

    def get_firewall_modules(self):
        """Return the loaded firewall-related modules in unload order.

        Starts from nf_conntrack and its dependants, then adds every loaded
        module whose name matches the netfilter/xtables prefixes below.
        """
        mods = [ ]
        (mods2, deps) = self.loaded_modules()
        self.get_deps("nf_conntrack", deps, mods)
        # these modules don't have dependants listed in /proc/modules
        for bad_bad_module in ["nf_conntrack_ipv4", "nf_conntrack_ipv6"]:
            if bad_bad_module in mods:
                # move them to end of list, so we'll remove them later
                # (insert(-1) places the entry just before the current last
                # element, which is nf_conntrack itself since get_deps appends
                # the root module last -- it is not a plain append)
                mods.remove(bad_bad_module)
                mods.insert(-1, bad_bad_module)
        for mod in mods2:
            if mod in [ "ip_tables", "ip6_tables", "ebtables" ] or \
               mod.startswith("iptable_") or mod.startswith("ip6table_") or \
               mod.startswith("nf_") or mod.startswith("xt_") or \
               mod.startswith("ipt_") or mod.startswith("ip6t_") :
                self.get_deps(mod, deps, mods)
        return mods

    def unload_firewall_modules(self):
        """Unload every module from get_firewall_modules(); failures are logged at debug1 only."""
        for module in self.get_firewall_modules():
            (status, ret) = self.unload_module(module)
            if status != 0:
                log.debug1("Failed to unload module '%s': %s" %(module, ret))

# -*- coding: utf-8 -*-
#
# Copyright (C) 2011-2016 Red Hat, Inc.
#
# Authors:
# Thomas Woerner
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
# """Base firewall settings""" DEFAULT_ZONE_TARGET = "{chain}_{zone}" ZONE_TARGETS = [ "ACCEPT", "%%REJECT%%", "DROP", DEFAULT_ZONE_TARGET, "default" ] SHORTCUTS = { "PREROUTING": "PRE", "POSTROUTING": "POST", "INPUT": "IN", "FORWARD_IN": "FWDI", "FORWARD_OUT": "FWDO", "OUTPUT": "OUT", } REJECT_TYPES = { "ipv4": [ "icmp-host-prohibited", "host-prohib", "icmp-net-unreachable", "net-unreach", "icmp-host-unreachable", "host-unreach", "icmp-port-unreachable", "port-unreach", "icmp-proto-unreachable", "proto-unreach", "icmp-net-prohibited", "net-prohib", "tcp-reset", "tcp-rst", "icmp-admin-prohibited", "admin-prohib" ], "ipv6": [ "icmp6-adm-prohibited", "adm-prohibited", "icmp6-no-route", "no-route", "icmp6-addr-unreachable", "addr-unreach", "icmp6-port-unreachable", "port-unreach", "tcp-reset" ] } # ipset types that can be used as a source in zones # The match-set option will be src or src,src according to the # dimension of the ipset. ZONE_SOURCE_IPSET_TYPES = [ "hash:ip", "hash:ip,port", "hash:ip,mark", "hash:net", "hash:net,port", "hash:net,iface", "hash:mac" ] core/rich.py000064400000072530147576556050007026 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2013-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
#
__all__ = [ "Rich_Source", "Rich_Destination", "Rich_Service", "Rich_Port",
            "Rich_Protocol", "Rich_Masquerade", "Rich_IcmpBlock", "Rich_IcmpType",
            "Rich_SourcePort", "Rich_ForwardPort", "Rich_Log", "Rich_Audit",
            "Rich_Accept", "Rich_Reject", "Rich_Drop", "Rich_Mark", "Rich_Limit",
            "Rich_Rule" ]

from firewall import functions
from firewall.core.ipset import check_ipset_name
from firewall.core.base import REJECT_TYPES
from firewall import errors
from firewall.errors import FirewallError

class Rich_Source(object):
    """ 'source' element of a rich rule.

    Exactly one of address, mac or ipset is expected; the constructor only
    enforces that at least one is set, the mutual exclusion is checked
    later in Rich_Rule.check(). Empty strings are normalized to None and a
    MAC is upper-cased.
    """
    def __init__(self, addr, mac, ipset, invert=False):
        self.addr = addr
        if self.addr == "":
            self.addr = None
        self.mac = mac
        if self.mac == "" or self.mac is None:
            self.mac = None
        elif self.mac is not None:
            self.mac = self.mac.upper()
        self.ipset = ipset
        if self.ipset == "":
            self.ipset = None
        # NOTE(review): invert is used only for its truthiness; the parser
        # passes the raw attribute string for invert="...", so any
        # non-empty value (including "false") inverts the match.
        self.invert = invert
        if self.addr is None and self.mac is None and self.ipset is None:
            raise FirewallError(errors.INVALID_RULE, "no address, mac and ipset")

    def __str__(self):
        """ Render back to rich-rule syntax; address wins over mac over ipset. """
        ret = 'source%s ' % (" NOT" if self.invert else "")
        if self.addr is not None:
            return ret + 'address="%s"' % self.addr
        elif self.mac is not None:
            return ret + 'mac="%s"' % self.mac
        elif self.ipset is not None:
            return ret + 'ipset="%s"' % self.ipset
        else:
            raise FirewallError(errors.INVALID_RULE, "no address, mac and ipset")

class Rich_Destination(object):
    """ 'destination' element; addr is validated in Rich_Rule.check(). """
    def __init__(self, addr, invert=False):
        self.addr = addr
        # Same truthiness semantics as Rich_Source.invert.
        self.invert = invert

    def __str__(self):
        return 'destination %saddress="%s"' % ("not " if self.invert else "", self.addr)

class Rich_Service(object):
    """ 'service' element; only non-emptiness of name is checked here. """
    def __init__(self, name):
        self.name = name

    def __str__(self):
        return 'service name="%s"' % (self.name)

class Rich_Port(object):
    """ 'port' element (destination port + protocol). """
    def __init__(self, port, protocol):
        self.port = port
        self.protocol = protocol

    def __str__(self):
        return 'port port="%s" protocol="%s"' % (self.port, self.protocol)

class Rich_SourcePort(Rich_Port):
    """ 'source-port' element; same fields as Rich_Port, different keyword. """
    def __str__(self):
        return 'source-port port="%s" protocol="%s"' % (self.port, self.protocol)

class Rich_Protocol(object):
    """ 'protocol' element; value is validated with functions.checkProtocol(). """
    def __init__(self, value):
        self.value = value

    def __str__(self):
        return 'protocol value="%s"' % (self.value)

class Rich_Masquerade(object):
    """ 'masquerade' element; carries no attributes. """
    def __init__(self):
        pass

    def __str__(self):
        return 'masquerade'

class Rich_IcmpBlock(object):
    """ 'icmp-block' element; name existence is checked by Firewall, not here. """
    def __init__(self, name):
        self.name = name

    def __str__(self):
        return 'icmp-block name="%s"' % (self.name)

class Rich_IcmpType(object):
    """ 'icmp-type' element; name existence is checked by Firewall, not here. """
    def __init__(self, name):
        self.name = name

    def __str__(self):
        return 'icmp-type name="%s"' % (self.name)

class Rich_ForwardPort(object):
    """ 'forward-port' element.

    to_port / to_address are stored as "" when absent so that __str__ and
    Rich_Rule.check() can test against the empty string.
    """
    def __init__(self, port, protocol, to_port, to_address):
        self.port = port
        self.protocol = protocol
        self.to_port = to_port
        self.to_address = to_address
        # replace None with "" in to_port and/or to_address
        if self.to_port is None:
            self.to_port = ""
        if self.to_address is None:
            self.to_address = ""

    def __str__(self):
        return 'forward-port port="%s" protocol="%s"%s%s' % \
            (self.port, self.protocol,
             ' to-port="%s"' % self.to_port if self.to_port != "" else '',
             ' to-addr="%s"' % self.to_address if self.to_address != "" else '')

class Rich_Log(object):
    """ 'log' element; level is checked against a fixed list in Rich_Rule.check(). """
    def __init__(self, prefix=None, level=None, limit=None):
        #TODO check default level in iptables
        self.prefix = prefix
        self.level = level
        self.limit = limit

    def __str__(self):
        return 'log%s%s%s' % \
            (' prefix="%s"' % (self.prefix) if self.prefix else "",
             ' level="%s"' % (self.level) if self.level else "",
             " %s" % self.limit if self.limit else "")

class Rich_Audit(object):
    """ 'audit' element; optional Rich_Limit. """
    def __init__(self, limit=None):
        #TODO check default level in iptables
        self.limit = limit

    def __str__(self):
        return 'audit%s' % (" %s" % self.limit if self.limit else "")

class Rich_Accept(object):
    """ 'accept' action; optional Rich_Limit. """
    def __init__(self, limit=None):
        self.limit = limit

    def __str__(self):
        return "accept%s" % (" %s" % self.limit if self.limit else "")

class Rich_Reject(object):
    """ 'reject' action with optional reject type and Rich_Limit. """
    def __init__(self, _type=None, limit=None):
        self.type = _type
        self.limit = limit

    def __str__(self):
        return "reject%s%s" % (' type="%s"' % self.type if self.type else "",
                               " %s" % self.limit if self.limit else "")

    def check(self, family):
        """ Validate the reject type against REJECT_TYPES[family].

        A reject type needs a family to be meaningful; an unknown family
        (anything but ipv4/ipv6) is not validated here.
        """
        if self.type:
            if not family:
                raise FirewallError(errors.INVALID_RULE,
                                    "When using reject type you must specify also rule family.")
            if family in ['ipv4', 'ipv6'] and \
               self.type not in REJECT_TYPES[family]:
                valid_types = ", ".join(REJECT_TYPES[family])
                raise FirewallError(errors.INVALID_RULE,
                                    "Wrong reject type %s.\nUse one of: %s." % (self.type, valid_types))

class Rich_Drop(Rich_Accept):
    """ 'drop' action; same shape as Rich_Accept. """
    def __str__(self):
        return "drop%s" % (" %s" % self.limit if self.limit else "")

class Rich_Mark(object):
    """ 'mark' action: set="value" or set="value/mask". """
    def __init__(self, _set, limit=None):
        self.set = _set
        self.limit = limit

    def __str__(self):
        return "mark set=%s%s" % (self.set,
                                  " %s" % self.limit if self.limit else "")

    def check(self):
        """ Require set to be a uint32 or a uint32/uint32 value/mask pair. """
        if self.set is not None:
            x = self.set
        else:
            raise FirewallError(errors.INVALID_MARK, "no value set")
        if "/" in x:
            splits = x.split("/")
            if len(splits) != 2:
                raise FirewallError(errors.INVALID_MARK, x)
            if not functions.checkUINT32(splits[0]) or \
               not functions.checkUINT32(splits[1]):
                # value and mask are uint32
                raise FirewallError(errors.INVALID_MARK, x)
        else:
            if not functions.checkUINT32(x):
                # value is uint32
                raise FirewallError(errors.INVALID_MARK, x)

class Rich_Limit(object):
    """ 'limit' element, value "<rate>/<unit>".

    The constructor shortens the long unit names (second/minute/hour/day)
    to their first letter; check() then only accepts s/m/h/d.
    """
    def __init__(self, value):
        self.value = value
        if "/" in self.value:
            splits = self.value.split("/")
            if len(splits) == 2 and \
               splits[1] in [ "second", "minute", "hour", "day" ]:
                self.value = "%s/%s" % (splits[0], splits[1][:1])

    def check(self):
        """ Validate rate and unit and reject rates iptables cannot express. """
        splits = None
        if "/" in self.value:
            splits = self.value.split("/")
        if not splits or len(splits) != 2:
            raise FirewallError(errors.INVALID_LIMIT, self.value)
        (rate, duration) = splits
        try:
            rate = int(rate)
        # NOTE(review): bare except also swallows KeyboardInterrupt/SystemExit;
        # int() only raises ValueError/TypeError here.
        except:
            raise FirewallError(errors.INVALID_LIMIT, self.value)
        if rate < 1 or duration not in [ "s", "m", "h", "d" ]:
            raise FirewallError(errors.INVALID_LIMIT, self.value)
        mult = 1
        if duration == "s":
            mult = 1
        elif duration == "m":
            mult = 60
        elif duration == "h":
            mult = 60*60
        elif duration == "d":
            mult = 24*60*60
        # Under Python 2 this is integer division, so the test fires once the
        # rate exceeds 10000 per second-equivalent; under Python 3 the
        # quotient is a float and is only 0 for an absurdly large rate.
        if 10000 * mult / rate == 0:
            raise FirewallError(errors.INVALID_LIMIT, "%s too fast" % self.value)
        if rate == 1 and duration == "d":
            # iptables (v1.4.21) doesn't accept 1/d
            raise FirewallError(errors.INVALID_LIMIT, "%s too slow" % self.value)

    def __str__(self):
        return 'limit value="%s"' % (self.value)

    def command(self):
        return ''

class Rich_Rule(object):
    """ A parsed rich rule.

    Holds at most one source, destination, element, log, audit and action.
    Construction from rule_str runs the tokenizer, the recursive-descent
    style parser in _import_from_string() and finally check(); a rule that
    fails any of these raises FirewallError and is never stored.
    """
    def __init__(self, family=None, rule_str=None):
        if family is not None:
            self.family = str(family)
        else:
            self.family = None

        self.source = None
        self.destination = None
        self.element = None
        self.log = None
        self.audit = None
        self.action = None

        if rule_str:
            self._import_from_string(rule_str)

    def _lexer(self, rule_str):
        """ Lexical analysis

        Splits rule_str with functions.splitArgs() and turns every "a=b"
        word into an attribute token and every other word into an element
        token; an 'EOL' element token is always appended. A word with more
        than one '=' (or an empty name or value) is rejected, so attribute
        values cannot themselves contain '='.
        """
        tokens = []

        for r in functions.splitArgs(rule_str):
            if "=" in r:
                attr = r.split('=')
                if len(attr) != 2 or not attr[0] or not attr[1]:
                    raise FirewallError(errors.INVALID_RULE, 'internal error in _lexer(): %s' % r)
                tokens.append({'attr_name':attr[0], 'attr_value':attr[1]})
            else:
                tokens.append({'element':r})
        tokens.append({'element':'EOL'})

        return tokens

    def _import_from_string(self, rule_str):
        """ Parse rule_str into this object and run check().

        The parser keeps a stack (in_elements) of the element currently
        being filled and a dict (attrs) of the attributes seen for it; an
        element is finished when a token arrives that does not belong to it,
        in which case that token is pushed back (index - 1) and re-read in
        the enclosing context. Any previously parsed state is discarded
        first.
        """
        if not rule_str:
            raise FirewallError(errors.INVALID_RULE, 'empty rule')

        self.family = None
        self.source = None
        self.destination = None
        self.element = None
        self.log = None
        self.audit = None
        self.action = None

        tokens = self._lexer(rule_str)
        if tokens and tokens[0].get('element')  == 'EOL':
            raise FirewallError(errors.INVALID_RULE, 'empty rule')

        attrs = {}       # attributes of elements
        in_elements = [] # stack with elements we are in
        index = 0        # index into tokens
        while not (tokens[index].get('element')  == 'EOL' and in_elements == ['rule']):
            element = tokens[index].get('element')
            attr_name = tokens[index].get('attr_name')
            attr_value = tokens[index].get('attr_value')
            #print ("in_elements: ", in_elements)
            #print ("index: %s, element: %s, attribute: %s=%s" % (index, element, attr_name, attr_value))
            # First pass: reject unknown attribute names / element keywords
            # and duplicate top-level elements regardless of context.
            if attr_name:     # attribute
                if attr_name not in ['family', 'address', 'mac', 'ipset', 'invert', 'value',
                                     'port', 'protocol', 'to-port', 'to-addr',
                                     'name', 'prefix', 'level', 'type', 'set']:
                    raise FirewallError(errors.INVALID_RULE, "bad attribute '%s'" % attr_name)
            else:             # element
                if element in ['rule', 'source', 'destination', 'protocol',
                               'service', 'port', 'icmp-block', 'icmp-type', 'masquerade',
                               'forward-port', 'source-port', 'log', 'audit',
                               'accept', 'drop', 'reject', 'mark', 'limit', 'not', 'NOT', 'EOL']:
                    if element == 'source' and self.source:
                        raise FirewallError(errors.INVALID_RULE, "more than one 'source' element")
                    elif element == 'destination' and self.destination:
                        raise FirewallError(errors.INVALID_RULE, "more than one 'destination' element")
                    elif element in ['protocol', 'service', 'port', 'icmp-block', 'icmp-type', 'masquerade', 'forward-port', 'source-port'] and self.element:
                        raise FirewallError(errors.INVALID_RULE, "more than one element. There cannot be both '%s' and '%s' in one rule." % (element, self.element))
                    elif element == 'log' and self.log:
                        raise FirewallError(errors.INVALID_RULE, "more than one 'log' element")
                    elif element == 'audit' and self.audit:
                        raise FirewallError(errors.INVALID_RULE, "more than one 'audit' element")
                    elif element in ['accept', 'drop', 'reject', 'mark'] and self.action:
                        raise FirewallError(errors.INVALID_RULE, "more than one 'action' element. There cannot be both '%s' and '%s' in one rule." % (element, self.action))
                else:
                    raise FirewallError(errors.INVALID_RULE, "unknown element %s" % element)

            # Second pass: interpret the token in the context of the element
            # on top of the stack ('' before 'rule' has been seen).
            in_element = in_elements[len(in_elements)-1] if len(in_elements) > 0 else ''

            if in_element == '':
                if not element and attr_name:
                    if attr_name == 'family':
                        raise FirewallError(errors.INVALID_RULE, "'family' outside of rule. Use 'rule family=...'.")
                    else:
                        raise FirewallError(errors.INVALID_RULE, "'%s' outside of any element. Use 'rule %s= ...'." % (attr_name, attr_name))
                elif 'rule' not in element:
                    raise FirewallError(errors.INVALID_RULE, "'%s' outside of rule. Use 'rule ... %s ...'." % (element, element))
                else:
                    in_elements.append('rule') # push into stack
            elif in_element == 'rule':
                if attr_name == 'family':
                    if attr_value not in ['ipv4', 'ipv6']:
                        raise FirewallError(errors.INVALID_RULE, "'family' attribute cannot have '%s' value. Use 'ipv4' or 'ipv6' instead." % attr_value)
                    self.family = attr_value
                elif attr_name:
                    if attr_name == 'protocol':
                        err_msg = "wrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'."
                    else:
                        err_msg = "attribute '%s' outside of any element. Use 'rule %s= ...'." % (attr_name, attr_name)
                    raise FirewallError(errors.INVALID_RULE, err_msg)
                else:
                    in_elements.append(element) # push into stack
            elif in_element == 'source':
                if attr_name in ['address', 'mac', 'ipset', 'invert']:
                    # invert="..." stores the raw string; see Rich_Source.
                    attrs[attr_name] = attr_value
                elif element in ['not', 'NOT']:
                    attrs['invert'] = True
                else:
                    self.source = Rich_Source(attrs.get('address'), attrs.get('mac'), attrs.get('ipset'), attrs.get('invert', False))
                    in_elements.pop() # source
                    attrs.clear()
                    index = index -1 # return token to input
            elif in_element == 'destination':
                if attr_name in ['address', 'invert']:
                    attrs[attr_name] = attr_value
                elif element in ['not', 'NOT']:
                    attrs['invert'] = True
                else:
                    self.destination = Rich_Destination(attrs.get('address'), attrs.get('invert'))
                    in_elements.pop() # destination
                    attrs.clear()
                    index = index -1 # return token to input
            elif in_element == 'protocol':
                if attr_name == 'value':
                    self.element = Rich_Protocol(attr_value)
                    in_elements.pop() # protocol
                else:
                    raise FirewallError(errors.INVALID_RULE, "invalid 'protocol' element")
            elif in_element == 'service':
                if attr_name == 'name':
                    self.element = Rich_Service(attr_value)
                    in_elements.pop() # service
                else:
                    raise FirewallError(errors.INVALID_RULE, "invalid 'service' element")
            elif in_element == 'port':
                if attr_name in ['port', 'protocol']:
                    attrs[attr_name] = attr_value
                else:
                    self.element = Rich_Port(attrs.get('port'), attrs.get('protocol'))
                    in_elements.pop() # port
                    attrs.clear()
                    index = index -1 # return token to input
            elif in_element == 'icmp-block':
                if attr_name == 'name':
                    self.element = Rich_IcmpBlock(attr_value)
                    in_elements.pop() # icmp-block
                else:
                    raise FirewallError(errors.INVALID_RULE, "invalid 'icmp-block' element")
            elif in_element == 'icmp-type':
                if attr_name == 'name':
                    self.element = Rich_IcmpType(attr_value)
                    in_elements.pop() # icmp-type
                else:
                    raise FirewallError(errors.INVALID_RULE, "invalid 'icmp-type' element")
            elif in_element == 'masquerade':
                # masquerade takes no attributes, so the first token after it
                # always closes it and is handed back to the 'rule' context.
                self.element = Rich_Masquerade()
                in_elements.pop()
                attrs.clear()
                index = index -1 # return token to input
            elif in_element == 'forward-port':
                if attr_name in ['port', 'protocol', 'to-port', 'to-addr']:
                    attrs[attr_name] = attr_value
                else:
                    self.element = Rich_ForwardPort(attrs.get('port'), attrs.get('protocol'), attrs.get('to-port'), attrs.get('to-addr'))
                    in_elements.pop() # forward-port
                    attrs.clear()
                    index = index -1 # return token to input
            elif in_element == 'source-port':
                if attr_name in ['port', 'protocol']:
                    attrs[attr_name] = attr_value
                else:
                    self.element = Rich_SourcePort(attrs.get('port'), attrs.get('protocol'))
                    in_elements.pop() # source-port
                    attrs.clear()
                    index = index -1 # return token to input
            elif in_element == 'log':
                if attr_name in ['prefix', 'level']:
                    attrs[attr_name] = attr_value
                elif element == 'limit':
                    in_elements.append('limit')
                else:
                    self.log = Rich_Log(attrs.get('prefix'), attrs.get('level'), attrs.get('limit'))
                    in_elements.pop() # log
                    attrs.clear()
                    index = index -1 # return token to input
            elif in_element == 'audit':
                if element == 'limit':
                    in_elements.append('limit')
                else:
                    self.audit = Rich_Audit(attrs.get('limit'))
                    in_elements.pop() # audit
                    attrs.clear()
                    index = index -1 # return token to input
            elif in_element == 'accept':
                if element == 'limit':
                    in_elements.append('limit')
                else:
                    self.action = Rich_Accept(attrs.get('limit'))
                    in_elements.pop() # accept
                    attrs.clear()
                    index = index -1 # return token to input
            elif in_element == 'drop':
                if element == 'limit':
                    in_elements.append('limit')
                else:
                    self.action = Rich_Drop(attrs.get('limit'))
                    in_elements.pop() # drop
                    attrs.clear()
                    index = index -1 # return token to input
            elif in_element == 'reject':
                if attr_name == 'type':
                    attrs[attr_name] = attr_value
                elif element == 'limit':
                    in_elements.append('limit')
                else:
                    self.action = Rich_Reject(attrs.get('type'), attrs.get('limit'))
                    in_elements.pop() # reject
                    attrs.clear()
                    index = index -1 # return token to input
            elif in_element == 'mark':
                if attr_name == 'set':
                    attrs[attr_name] = attr_value
                elif element == 'limit':
                    in_elements.append('limit')
                else:
                    self.action = Rich_Mark(attrs.get('set'), attrs.get('limit'))
                    in_elements.pop() # mark
                    attrs.clear()
                    index = index -1 # return token to input
            elif in_element == 'limit':
                # 'limit' is nested in log/audit/actions: the Rich_Limit lands
                # in attrs['limit'] of the enclosing element.
                if attr_name == 'value':
                    attrs['limit'] = Rich_Limit(attr_value)
                    in_elements.pop() # limit
                else:
                    raise FirewallError(errors.INVALID_RULE, "invalid 'limit' element")

            index = index + 1

        self.check()

    def check(self):
        """ Semantic validation of the parsed rule.

        Raises FirewallError for inconsistent combinations (family missing
        where required, mutually exclusive source attributes, action next
        to masquerade/forward-port/icmp-block, ...) and delegates value
        checks to functions.check_address/check_mac/check_port/checkProtocol
        and check_ipset_name. NOTE(review): this appears to be the
        validation step before a rule is handed to the backends — confirm
        that callers do not bypass it.
        """
        if self.family is not None and self.family not in [ "ipv4", "ipv6" ]:
            raise FirewallError(errors.INVALID_FAMILY, self.family)
        if self.family is None:
            if (self.source is not None and self.source.addr is not None) or \
               self.destination is not None:
                raise FirewallError(errors.MISSING_FAMILY)
            if type(self.element) == Rich_ForwardPort:
                raise FirewallError(errors.MISSING_FAMILY)

        if self.element is None:
            if self.action is None:
                raise FirewallError(errors.INVALID_RULE, "no element, no action")
            if self.source is None and self.destination is None:
                raise FirewallError(errors.INVALID_RULE, "no element, no source, no destination")

        if type(self.element) not in [ Rich_IcmpBlock, Rich_ForwardPort, Rich_Masquerade ]:
            if self.log is None and self.audit is None and \
               self.action is None:
                raise FirewallError(errors.INVALID_RULE, "no action, no log, no audit")

        # source
        if self.source is not None:
            if self.source.addr is not None:
                if self.family is None:
                    raise FirewallError(errors.INVALID_FAMILY)
                if self.source.mac is not None:
                    raise FirewallError(errors.INVALID_RULE, "address and mac")
                if self.source.ipset is not None:
                    raise FirewallError(errors.INVALID_RULE, "address and ipset")
                if not functions.check_address(self.family, self.source.addr):
                    raise FirewallError(errors.INVALID_ADDR, str(self.source.addr))
            elif self.source.mac is not None:
                if self.source.ipset is not None:
                    raise FirewallError(errors.INVALID_RULE, "mac and ipset")
                if not functions.check_mac(self.source.mac):
                    raise FirewallError(errors.INVALID_MAC, str(self.source.mac))
            elif self.source.ipset is not None:
                if not check_ipset_name(self.source.ipset):
                    raise FirewallError(errors.INVALID_IPSET, str(self.source.ipset))
            else:
                raise FirewallError(errors.INVALID_RULE, "invalid source")

        # destination
        if self.destination is not None:
            if self.family is None:
                raise FirewallError(errors.INVALID_FAMILY)
            if self.destination.addr is None or \
               not functions.check_address(self.family, self.destination.addr):
                raise FirewallError(errors.INVALID_ADDR, str(self.destination.addr))

        # service
        if type(self.element) == Rich_Service:
            # service availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(errors.INVALID_SERVICE, str(self.element.name))

        # port
        elif type(self.element) == Rich_Port:
            if not functions.check_port(self.element.port):
                raise FirewallError(errors.INVALID_PORT, self.element.port)
            if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
                raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)

        # protocol
        elif type(self.element) == Rich_Protocol:
            if not functions.checkProtocol(self.element.value):
                raise FirewallError(errors.INVALID_PROTOCOL, self.element.value)

        # masquerade
        elif type(self.element) == Rich_Masquerade:
            if self.action is not None:
                raise FirewallError(errors.INVALID_RULE, "masquerade and action")
            if self.source is not None and self.source.mac is not None:
                raise FirewallError(errors.INVALID_RULE, "masquerade and mac source")

        # icmp-block
        elif type(self.element) == Rich_IcmpBlock:
            # icmp type availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(errors.INVALID_ICMPTYPE, str(self.element.name))
            if self.action:
                raise FirewallError(errors.INVALID_RULE, "icmp-block and action")

        # icmp-type
        elif type(self.element) == Rich_IcmpType:
            # icmp type availability needs to be checked in Firewall, here is no
            # knowledge about this, therefore only simple check
            if self.element.name is None or len(self.element.name) < 1:
                raise FirewallError(errors.INVALID_ICMPTYPE, str(self.element.name))

        # forward-port
        elif type(self.element) == Rich_ForwardPort:
            if not functions.check_port(self.element.port):
                raise FirewallError(errors.INVALID_PORT, self.element.port)
            if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
                raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)
            if self.element.to_port == "" and self.element.to_address == "":
                raise FirewallError(errors.INVALID_PORT, self.element.to_port)
            if self.element.to_port != "" and \
               not functions.check_port(self.element.to_port):
                raise FirewallError(errors.INVALID_PORT, self.element.to_port)
            if self.element.to_address != "" and \
               not functions.check_single_address(self.family, self.element.to_address):
                raise FirewallError(errors.INVALID_ADDR, self.element.to_address)
            # A missing family was already rejected with MISSING_FAMILY at the
            # top of this method, so this INVALID_FAMILY branch is defensive.
            if self.family is None:
                raise FirewallError(errors.INVALID_FAMILY)
            if self.action is not None:
                raise FirewallError(errors.INVALID_RULE, "forward-port and action")

        # source-port
        elif type(self.element) == Rich_SourcePort:
            if not functions.check_port(self.element.port):
                raise FirewallError(errors.INVALID_PORT, self.element.port)
            if self.element.protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
                raise FirewallError(errors.INVALID_PROTOCOL, self.element.protocol)

        # other element and not empty?
        elif self.element is not None:
            raise FirewallError(errors.INVALID_RULE, "Unknown element %s" % type(self.element))

        # log
        if self.log is not None:
            if self.log.level and \
               self.log.level not in [ "emerg", "alert", "crit", "error",
                                       "warning", "notice", "info", "debug" ]:
                raise FirewallError(errors.INVALID_LOG_LEVEL, self.log.level)
            if self.log.limit is not None:
                self.log.limit.check()

        # audit
        if self.audit is not None:
            if type(self.action) not in [ Rich_Accept, Rich_Reject, Rich_Drop ]:
                raise FirewallError(errors.INVALID_AUDIT_TYPE, type(self.action))
            if self.audit.limit is not None:
                self.audit.limit.check()

        # action
        if self.action is not None:
            if type(self.action) == Rich_Reject:
                self.action.check(self.family)
            elif type(self.action) == Rich_Mark:
                self.action.check()
            if self.action.limit is not None:
                self.action.limit.check()

    def __str__(self):
        """ Render the rule back to rich-rule syntax (bytes on Python 2). """
        ret = 'rule'
        if self.family:
            ret += ' family="%s"' % self.family
        if self.source:
            ret += " %s" % self.source
        if self.destination:
            ret += " %s" % self.destination
        if self.element:
            ret += " %s" % self.element
        if self.log:
            ret += " %s" % self.log
        if self.audit:
            ret += " %s" % self.audit
        if self.action:
            ret += " %s" % self.action

        return (functions.u2b(ret)) if functions.PY2 else ret

#class Rich_RawRule(object):
#class Rich_RuleSet(object):
#class Rich_AddressList(object):

# ==== next archive member: core/fw_policies.py ====
# -*- coding: utf-8 -*-
#
# Copyright (C) 2011-2016 Red Hat, Inc.
#
# Authors:
# Thomas Woerner
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
#
__all__ = [ "FirewallPolicies" ]

from firewall import config
from firewall.core.logger import log
from firewall.core.io.lockdown_whitelist import LockdownWhitelist
from firewall import errors
from firewall.errors import FirewallError

class FirewallPolicies(object):
    """ Lockdown state plus the whitelist that decides who may change the firewall. """
    def __init__(self):
        self._lockdown = False
        self.lockdown_whitelist = LockdownWhitelist(config.LOCKDOWN_WHITELIST)

    def __repr__(self):
        return '%s(%r, %r)' % (self.__class__, self._lockdown, self.lockdown_whitelist)

    def cleanup(self):
        """ Reset lockdown and clear the whitelist. """
        self._lockdown = False
        self.lockdown_whitelist.cleanup()

    # lockdown

    def access_check(self, key, value):
        """ Return True only if value matches a whitelist entry of the given kind.

        key selects the whitelist dimension ("context", "uid", "user" or
        "command"); any other key, and any non-matching value, yields
        False (default deny). Whether lockdown is actually enabled is not
        consulted here — NOTE(review): presumably the caller checks
        query_lockdown() first; verify at the call sites.
        """
        if key == "context":
            log.debug2('Doing access check for context "%s"' % value)
            if self.lockdown_whitelist.match_context(value):
                log.debug3('context matches.')
                return True
        elif key == "uid":
            log.debug2('Doing access check for uid %d' % value)
            if self.lockdown_whitelist.match_uid(value):
                log.debug3('uid matches.')
                return True
        elif key == "user":
            log.debug2('Doing access check for user "%s"' % value)
            if self.lockdown_whitelist.match_user(value):
                log.debug3('user matches.')
                return True
        elif key == "command":
            log.debug2('Doing access check for command "%s"' % value)
            if self.lockdown_whitelist.match_command(value):
                log.debug3('command matches.')
                return True
        return False

    def enable_lockdown(self):
        """ Turn lockdown on; raises ALREADY_ENABLED if it already is. """
        if self._lockdown:
            raise FirewallError(errors.ALREADY_ENABLED, "enable_lockdown()")
        self._lockdown = True

    def disable_lockdown(self):
        """ Turn lockdown off; raises NOT_ENABLED if it is not on. """
        if not self._lockdown:
            raise FirewallError(errors.NOT_ENABLED, "disable_lockdown()")
        self._lockdown = False

    def query_lockdown(self):
        """ Current lockdown flag. """
        return self._lockdown

# ==== next archive member: core/base.pyc (compiled bytecode, not reproduced here) ====
FORWARD_INtFWDOt FORWARD_OUTtOUTtOUTPUTsicmp-host-prohibiteds host-prohibsicmp-net-unreachables net-unreachsicmp-host-unreachables host-unreachsicmp-port-unreachables port-unreachsicmp-proto-unreachables proto-unreachsicmp-net-prohibiteds net-prohibs tcp-resetstcp-rstsicmp-admin-prohibiteds admin-prohibtipv4sicmp6-adm-prohibitedsadm-prohibitedsicmp6-no-routesno-routesicmp6-addr-unreachables addr-unreachsicmp6-port-unreachabletipv6shash:ips hash:ip,ports hash:ip,markshash:nets hash:net,portshash:net,ifaceshash:macN(t__doc__tDEFAULT_ZONE_TARGETt ZONE_TARGETSt SHORTCUTSt REJECT_TYPEStZONE_SOURCE_IPSET_TYPES(((s6/usr/lib/python2.7/site-packages/firewall/core/base.pyts,           core/fw.py000064400000127323147576556050006516 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2010-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
# __all__ = [ "Firewall" ] import os.path import sys import copy import time import traceback from firewall import config from firewall import functions from firewall.core import ipXtables from firewall.core import ebtables from firewall.core import nftables from firewall.core import ipset from firewall.core import modules from firewall.core.fw_icmptype import FirewallIcmpType from firewall.core.fw_service import FirewallService from firewall.core.fw_zone import FirewallZone from firewall.core.fw_direct import FirewallDirect from firewall.core.fw_config import FirewallConfig from firewall.core.fw_policies import FirewallPolicies from firewall.core.fw_ipset import FirewallIPSet from firewall.core.fw_transaction import FirewallTransaction from firewall.core.fw_helper import FirewallHelper from firewall.core.logger import log from firewall.core.io.firewalld_conf import firewalld_conf from firewall.core.io.direct import Direct from firewall.core.io.service import service_reader from firewall.core.io.icmptype import icmptype_reader from firewall.core.io.zone import zone_reader, Zone from firewall.core.io.ipset import ipset_reader from firewall.core.io.helper import helper_reader from firewall import errors from firewall.errors import FirewallError ############################################################################ # # class Firewall # ############################################################################ class Firewall(object): def __init__(self): self._firewalld_conf = firewalld_conf(config.FIREWALLD_CONF) self.ip4tables_backend = ipXtables.ip4tables(self) self.ip4tables_enabled = True self.ip4tables_supported_icmp_types = [ ] self.ip6tables_backend = ipXtables.ip6tables(self) self.ip6tables_enabled = True self.ip6tables_supported_icmp_types = [ ] self.ebtables_backend = ebtables.ebtables() self.ebtables_enabled = True self.ipset_backend = ipset.ipset() self.ipset_enabled = True self.ipset_supported_types = [ ] self.nftables_backend = 
nftables.nftables(self) self.nftables_enabled = True self.modules_backend = modules.modules() self.icmptype = FirewallIcmpType(self) self.service = FirewallService(self) self.zone = FirewallZone(self) self.direct = FirewallDirect(self) self.config = FirewallConfig(self) self.policies = FirewallPolicies() self.ipset = FirewallIPSet(self) self.helper = FirewallHelper(self) self.__init_vars() def __repr__(self): return '%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)' % \ (self.__class__, self.ip4tables_enabled, self.ip6tables_enabled, self.ebtables_enabled, self._state, self._panic, self._default_zone, self._module_refcount, self._marks, self._min_mark, self.cleanup_on_exit, self.ipv6_rpfilter_enabled, self.ipset_enabled, self._individual_calls, self._log_denied, self._automatic_helpers) def __init_vars(self): self._state = "INIT" self._panic = False self._default_zone = "" self._module_refcount = { } self._marks = [ ] # fallback settings will be overloaded by firewalld.conf self._min_mark = config.FALLBACK_MINIMAL_MARK self.cleanup_on_exit = config.FALLBACK_CLEANUP_ON_EXIT self.ipv6_rpfilter_enabled = config.FALLBACK_IPV6_RPFILTER self._individual_calls = config.FALLBACK_INDIVIDUAL_CALLS self._log_denied = config.FALLBACK_LOG_DENIED self._automatic_helpers = config.FALLBACK_AUTOMATIC_HELPERS self._firewall_backend = config.FALLBACK_FIREWALL_BACKEND self.nf_conntrack_helper_setting = 0 self._allow_zone_drifting = config.FALLBACK_ALLOW_ZONE_DRIFTING def individual_calls(self): return self._individual_calls def _check_tables(self): # check if iptables, ip6tables and ebtables are usable, else disable if self.ip4tables_enabled and \ "filter" not in self.get_backend_by_ipv("ipv4").get_available_tables(): log.warning("iptables not usable, disabling IPv4 firewall.") self.ip4tables_enabled = False if self.ip6tables_enabled and \ "filter" not in self.get_backend_by_ipv("ipv6").get_available_tables(): log.warning("ip6tables not usable, disabling IPv6 firewall.") 
self.ip6tables_enabled = False if self.ebtables_enabled and \ "filter" not in self.get_backend_by_ipv("eb").get_available_tables(): log.warning("ebtables not usable, disabling ethernet bridge firewall.") self.ebtables_enabled = False # is there at least support for ipv4 or ipv6 if not self.ip4tables_enabled and not self.ip6tables_enabled \ and not self.nftables_enabled: log.fatal("No IPv4 and IPv6 firewall.") sys.exit(1) def _start_check(self): try: self.ipset_backend.set_list() except ValueError: log.warning("ipset not usable, disabling ipset usage in firewall.") # ipset is not usable, no supported types self.ipset_enabled = False self.ipset_supported_types = [ ] else: # ipset is usable, get all supported types self.ipset_supported_types = self.ipset_backend.set_supported_types() self.ip4tables_backend.fill_exists() if not self.ip4tables_backend.restore_command_exists: if self.ip4tables_backend.command_exists: log.warning("iptables-restore is missing, using " "individual calls for IPv4 firewall.") else: log.warning("iptables-restore and iptables are missing, " "disabling IPv4 firewall.") self.ip4tables_enabled = False if self.ip4tables_enabled: self.ip4tables_supported_icmp_types = \ self.ip4tables_backend.supported_icmp_types() else: self.ip4tables_supported_icmp_types = [ ] self.ip6tables_backend.fill_exists() if not self.ip6tables_backend.restore_command_exists: if self.ip6tables_backend.command_exists: log.warning("ip6tables-restore is missing, using " "individual calls for IPv6 firewall.") else: log.warning("ip6tables-restore and ip6tables are missing, " "disabling IPv6 firewall.") self.ip6tables_enabled = False if self.ip6tables_enabled: self.ip6tables_supported_icmp_types = \ self.ip6tables_backend.supported_icmp_types() else: self.ip6tables_supported_icmp_types = [ ] self.ebtables_backend.fill_exists() if not self.ebtables_backend.restore_command_exists: if self.ebtables_backend.command_exists: log.warning("ebtables-restore is missing, using " "individual 
calls for bridge firewall.") else: log.warning("ebtables-restore and ebtables are missing, " "disabling bridge firewall.") self.ebtables_enabled = False if self.ebtables_enabled and not self._individual_calls and \ not self.ebtables_backend.restore_noflush_option: log.debug1("ebtables-restore is not supporting the --noflush " "option, will therefore not be used") def _start(self, reload=False, complete_reload=False): # initialize firewall default_zone = config.FALLBACK_ZONE # load firewalld config log.debug1("Loading firewalld config file '%s'", config.FIREWALLD_CONF) try: self._firewalld_conf.read() except Exception as msg: log.warning(msg) log.warning("Using fallback firewalld configuration settings.") else: if self._firewalld_conf.get("DefaultZone"): default_zone = self._firewalld_conf.get("DefaultZone") if self._firewalld_conf.get("MinimalMark"): self._min_mark = int(self._firewalld_conf.get("MinimalMark")) if self._firewalld_conf.get("CleanupOnExit"): value = self._firewalld_conf.get("CleanupOnExit") if value is not None and value.lower() in [ "no", "false" ]: self.cleanup_on_exit = False log.debug1("CleanupOnExit is set to '%s'", self.cleanup_on_exit) if self._firewalld_conf.get("Lockdown"): value = self._firewalld_conf.get("Lockdown") if value is not None and value.lower() in [ "yes", "true" ]: log.debug1("Lockdown is enabled") try: self.policies.enable_lockdown() except FirewallError: # already enabled, this is probably reload pass if self._firewalld_conf.get("IPv6_rpfilter"): value = self._firewalld_conf.get("IPv6_rpfilter") if value is not None: if value.lower() in [ "no", "false" ]: self.ipv6_rpfilter_enabled = False if value.lower() in [ "yes", "true" ]: self.ipv6_rpfilter_enabled = True if self.ipv6_rpfilter_enabled: log.debug1("IPv6 rpfilter is enabled") else: log.debug1("IPV6 rpfilter is disabled") if self._firewalld_conf.get("IndividualCalls"): value = self._firewalld_conf.get("IndividualCalls") if value is not None and value.lower() in [ "yes", 
"true" ]: log.debug1("IndividualCalls is enabled") self._individual_calls = True if self._firewalld_conf.get("LogDenied"): value = self._firewalld_conf.get("LogDenied") if value is None or value.lower() == "no": self._log_denied = "off" else: self._log_denied = value.lower() log.debug1("LogDenied is set to '%s'", self._log_denied) if self._firewalld_conf.get("AutomaticHelpers"): value = self._firewalld_conf.get("AutomaticHelpers") if value is not None: if value.lower() in [ "no", "false" ]: self._automatic_helpers = "no" elif value.lower() in [ "yes", "true" ]: self._automatic_helpers = "yes" else: self._automatic_helpers = value.lower() log.debug1("AutomaticHelpers is set to '%s'", self._automatic_helpers) if self._firewalld_conf.get("AllowZoneDrifting"): value = self._firewalld_conf.get("AllowZoneDrifting") if value.lower() in [ "no", "false" ]: self._allow_zone_drifting = False else: self._allow_zone_drifting = True log.warning("AllowZoneDrifting is enabled. This is considered " "an insecure configuration option. It will be " "removed in a future release. 
Please consider " "disabling it now.") log.debug1("AllowZoneDrifting is set to '%s'", self._allow_zone_drifting) self.config.set_firewalld_conf(copy.deepcopy(self._firewalld_conf)) self._select_firewall_backend(self._firewall_backend) self._start_check() # load lockdown whitelist log.debug1("Loading lockdown whitelist") try: self.policies.lockdown_whitelist.read() except Exception as msg: if self.policies.query_lockdown(): log.error("Failed to load lockdown whitelist '%s': %s", self.policies.lockdown_whitelist.filename, msg) else: log.debug1("Failed to load lockdown whitelist '%s': %s", self.policies.lockdown_whitelist.filename, msg) # copy policies to config interface self.config.set_policies(copy.deepcopy(self.policies)) # load ipset files self._loader(config.FIREWALLD_IPSETS, "ipset") self._loader(config.ETC_FIREWALLD_IPSETS, "ipset") # load icmptype files self._loader(config.FIREWALLD_ICMPTYPES, "icmptype") self._loader(config.ETC_FIREWALLD_ICMPTYPES, "icmptype") if len(self.icmptype.get_icmptypes()) == 0: log.error("No icmptypes found.") # load helper files self._loader(config.FIREWALLD_HELPERS, "helper") self._loader(config.ETC_FIREWALLD_HELPERS, "helper") # load service files self._loader(config.FIREWALLD_SERVICES, "service") self._loader(config.ETC_FIREWALLD_SERVICES, "service") if len(self.service.get_services()) == 0: log.error("No services found.") # load zone files self._loader(config.FIREWALLD_ZONES, "zone") self._loader(config.ETC_FIREWALLD_ZONES, "zone") if len(self.zone.get_zones()) == 0: log.fatal("No zones found.") sys.exit(1) # check minimum required zones error = False for z in [ "block", "drop", "trusted" ]: if z not in self.zone.get_zones(): log.fatal("Zone '%s' is not available.", z) error = True if error: sys.exit(1) # check if default_zone is a valid zone if default_zone not in self.zone.get_zones(): if "public" in self.zone.get_zones(): zone = "public" elif "external" in self.zone.get_zones(): zone = "external" else: zone = "block" # block 
is a base zone, therefore it has to exist log.error("Default zone '%s' is not valid. Using '%s'.", default_zone, zone) default_zone = zone else: log.debug1("Using default zone '%s'", default_zone) # load direct rules obj = Direct(config.FIREWALLD_DIRECT) if os.path.exists(config.FIREWALLD_DIRECT): log.debug1("Loading direct rules file '%s'" % \ config.FIREWALLD_DIRECT) try: obj.read() except Exception as msg: log.error("Failed to load direct rules file '%s': %s", config.FIREWALLD_DIRECT, msg) self.direct.set_permanent_config(obj) self.config.set_direct(copy.deepcopy(obj)) # automatic helpers # # NOTE: must force loading of nf_conntrack to make sure the values are # available in /proc (status, msg) = self.handle_modules(["nf_conntrack"], True) if status != 0: log.warning("Failed to load nf_conntrack module: %s" % msg) if self._automatic_helpers != "system": functions.set_nf_conntrack_helper_setting(self._automatic_helpers == "yes") self.nf_conntrack_helper_setting = \ functions.get_nf_conntrack_helper_setting() # check if needed tables are there self._check_tables() if log.getDebugLogLevel() > 0: # get time before flushing and applying tm1 = time.time() # Start transaction transaction = FirewallTransaction(self) # flush rules self.flush(use_transaction=transaction) # If modules need to be unloaded in complete reload or if there are # ipsets to get applied, limit the transaction to flush. # # Future optimization for the ipset case in reload: The transaction # only needs to be split here if there are conflicting ipset types in # exsting ipsets and the configuration in firewalld. 
if (reload and complete_reload) or \ (self.ipset_enabled and self.ipset.has_ipsets()): transaction.execute(True) transaction.clear() # complete reload: unload modules also if reload and complete_reload: log.debug1("Unloading firewall modules") self.modules_backend.unload_firewall_modules() self.apply_default_tables(use_transaction=transaction) transaction.execute(True) transaction.clear() # apply settings for loaded ipsets while reloading here if self.ipset_enabled and self.ipset.has_ipsets(): log.debug1("Applying ipsets") self.ipset.apply_ipsets() # Start or continue with transaction # apply default rules log.debug1("Applying default rule set") self.apply_default_rules(use_transaction=transaction) # apply settings for loaded zones log.debug1("Applying used zones") self.zone.apply_zones(use_transaction=transaction) self._default_zone = self.check_zone(default_zone) self.zone.change_default_zone(None, self._default_zone, use_transaction=transaction) # Execute transaction transaction.execute(True) # Start new transaction for direct rules transaction.clear() # apply direct chains, rules and passthrough rules if self.direct.has_configuration(): log.debug1("Applying direct chains rules and passthrough rules") self.direct.apply_direct(transaction) # since direct rules are easy to make syntax errors lets highlight # the cause if the transaction fails. 
try: transaction.execute(True) transaction.clear() except FirewallError as e: raise FirewallError(e.code, "Direct: %s" % (e.msg if e.msg else "")) except Exception: raise del transaction if log.getDebugLogLevel() > 1: # get time after flushing and applying tm2 = time.time() log.debug2("Flushing and applying took %f seconds" % (tm2 - tm1)) def start(self): try: self._start() except Exception: self._state = "FAILED" self.set_policy("ACCEPT") raise else: self._state = "RUNNING" self.set_policy("ACCEPT") def _loader(self, path, reader_type, combine=False): # combine: several zone files are getting combined into one obj if not os.path.isdir(path): return if combine: if path.startswith(config.ETC_FIREWALLD) and reader_type == "zone": combined_zone = Zone() combined_zone.name = os.path.basename(path) combined_zone.check_name(combined_zone.name) combined_zone.path = path combined_zone.default = False else: combine = False for filename in sorted(os.listdir(path)): if not filename.endswith(".xml"): if path.startswith(config.ETC_FIREWALLD) and \ reader_type == "zone" and \ os.path.isdir("%s/%s" % (path, filename)): self._loader("%s/%s" % (path, filename), reader_type, combine=True) continue name = "%s/%s" % (path, filename) log.debug1("Loading %s file '%s'", reader_type, name) try: if reader_type == "icmptype": obj = icmptype_reader(filename, path) if obj.name in self.icmptype.get_icmptypes(): orig_obj = self.icmptype.get_icmptype(obj.name) log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) self.icmptype.remove_icmptype(orig_obj.name) elif obj.path.startswith(config.ETC_FIREWALLD): obj.default = True try: self.icmptype.add_icmptype(obj) except FirewallError as error: log.info1("%s: %s, ignoring for run-time." 
% \ (obj.name, str(error))) # add a deep copy to the configuration interface self.config.add_icmptype(copy.deepcopy(obj)) elif reader_type == "service": obj = service_reader(filename, path) if obj.name in self.service.get_services(): orig_obj = self.service.get_service(obj.name) log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) self.service.remove_service(orig_obj.name) elif obj.path.startswith(config.ETC_FIREWALLD): obj.default = True self.service.add_service(obj) # add a deep copy to the configuration interface self.config.add_service(copy.deepcopy(obj)) elif reader_type == "zone": obj = zone_reader(filename, path, no_check_name=combine) if combine: # Change name for permanent configuration obj.name = "%s/%s" % ( os.path.basename(path), os.path.basename(filename)[0:-4]) obj.check_name(obj.name) # Copy object before combine config_obj = copy.deepcopy(obj) if obj.name in self.zone.get_zones(): orig_obj = self.zone.get_zone(obj.name) self.zone.remove_zone(orig_obj.name) if orig_obj.combined: log.debug1(" Combining %s '%s' ('%s/%s')", reader_type, obj.name, path, filename) obj.combine(orig_obj) else: log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) elif obj.path.startswith(config.ETC_FIREWALLD): obj.default = True config_obj.default = True self.config.add_zone(config_obj) if combine: log.debug1(" Combining %s '%s' ('%s/%s')", reader_type, combined_zone.name, path, filename) combined_zone.combine(obj) else: self.zone.add_zone(obj) elif reader_type == "ipset": obj = ipset_reader(filename, path) if obj.name in self.ipset.get_ipsets(): orig_obj = self.ipset.get_ipset(obj.name) log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) self.ipset.remove_ipset(orig_obj.name) elif obj.path.startswith(config.ETC_FIREWALLD): obj.default = True try: self.ipset.add_ipset(obj) except FirewallError as error: log.warning("%s: 
%s, ignoring for run-time." % \ (obj.name, str(error))) # add a deep copy to the configuration interface self.config.add_ipset(copy.deepcopy(obj)) elif reader_type == "helper": obj = helper_reader(filename, path) if obj.name in self.helper.get_helpers(): orig_obj = self.helper.get_helper(obj.name) log.debug1(" Overloads %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) self.helper.remove_helper(orig_obj.name) elif obj.path.startswith(config.ETC_FIREWALLD): obj.default = True self.helper.add_helper(obj) # add a deep copy to the configuration interface self.config.add_helper(copy.deepcopy(obj)) else: log.fatal("Unknown reader type %s", reader_type) except FirewallError as msg: log.error("Failed to load %s file '%s': %s", reader_type, name, msg) except Exception: log.error("Failed to load %s file '%s':", reader_type, name) log.exception() if combine and combined_zone.combined: if combined_zone.name in self.zone.get_zones(): orig_obj = self.zone.get_zone(combined_zone.name) log.debug1(" Overloading and deactivating %s '%s' ('%s/%s')", reader_type, orig_obj.name, orig_obj.path, orig_obj.filename) try: self.zone.remove_zone(combined_zone.name) except Exception: pass self.config.forget_zone(combined_zone.name) self.zone.add_zone(combined_zone) def cleanup(self): self.icmptype.cleanup() self.service.cleanup() self.zone.cleanup() self.ipset.cleanup() self.helper.cleanup() self.config.cleanup() self.direct.cleanup() self.policies.cleanup() self._firewalld_conf.cleanup() self.__init_vars() def stop(self): if self.cleanup_on_exit: self.flush() self.set_policy("ACCEPT") self.modules_backend.unload_firewall_modules() self.cleanup() # marks def new_mark(self): # return first unused mark i = self._min_mark while i in self._marks: i += 1 self._marks.append(i) return i def del_mark(self, mark): self._marks.remove(mark) # handle modules def handle_modules(self, _modules, enable): num_failed = 0 error_msgs = "" for i,module in enumerate(_modules): if 
enable: (status, msg) = self.modules_backend.load_module(module) else: if self._module_refcount[module] > 1: status = 0 # module referenced more then one, do not unload else: (status, msg) = self.modules_backend.unload_module(module) if status != 0: num_failed += 1 error_msgs += msg continue if enable: self._module_refcount.setdefault(module, 0) self._module_refcount[module] += 1 else: if module in self._module_refcount: self._module_refcount[module] -= 1 if self._module_refcount[module] == 0: del self._module_refcount[module] return (num_failed, error_msgs) def _select_firewall_backend(self, backend): if backend != "nftables": self.nftables_enabled = False # even if using nftables, the other backends are enabled for use with # the direct interface. nftables is used for the firewalld primitives. def get_backend_by_name(self, name): for backend in self.all_backends(): if backend.name == name: return backend raise FirewallError(errors.UNKNOWN_ERROR, "'%s' backend does not exist" % name) def get_backend_by_ipv(self, ipv): if self.nftables_enabled: return self.nftables_backend if ipv == "ipv4" and self.ip4tables_enabled: return self.ip4tables_backend elif ipv == "ipv6" and self.ip6tables_enabled: return self.ip6tables_backend elif ipv == "eb" and self.ebtables_enabled: return self.ebtables_backend raise FirewallError(errors.INVALID_IPV, "'%s' is not a valid backend or is unavailable" % ipv) def get_direct_backend_by_ipv(self, ipv): if ipv == "ipv4" and self.ip4tables_enabled: return self.ip4tables_backend elif ipv == "ipv6" and self.ip6tables_enabled: return self.ip6tables_backend elif ipv == "eb" and self.ebtables_enabled: return self.ebtables_backend raise FirewallError(errors.INVALID_IPV, "'%s' is not a valid backend or is unavailable" % ipv) def is_backend_enabled(self, name): if name == "ip4tables": return self.ip4tables_enabled elif name == "ip6tables": return self.ip6tables_enabled elif name == "ebtables": return self.ebtables_enabled elif name == "nftables": 
return self.nftables_enabled return False def is_ipv_enabled(self, ipv): if self.nftables_enabled: return True if ipv == "ipv4": return self.ip4tables_enabled elif ipv == "ipv6": return self.ip6tables_enabled elif ipv == "eb": return self.ebtables_enabled return False def enabled_backends(self): backends = [] if self.nftables_enabled: backends.append(self.nftables_backend) else: if self.ip4tables_enabled: backends.append(self.ip4tables_backend) if self.ip6tables_enabled: backends.append(self.ip6tables_backend) if self.ebtables_enabled: backends.append(self.ebtables_backend) return backends def all_backends(self): backends = [] if self.ip4tables_enabled: backends.append(self.ip4tables_backend) if self.ip6tables_enabled: backends.append(self.ip6tables_backend) if self.ebtables_enabled: backends.append(self.ebtables_backend) if self.nftables_enabled: backends.append(self.nftables_backend) return backends def apply_default_tables(self, use_transaction=None): if use_transaction is None: transaction = FirewallTransaction(self) else: transaction = use_transaction for backend in self.enabled_backends(): transaction.add_rules(backend, backend.build_default_tables()) if use_transaction is None: transaction.execute(True) def apply_default_rules(self, use_transaction=None): if use_transaction is None: transaction = FirewallTransaction(self) else: transaction = use_transaction for backend in self.enabled_backends(): rules = backend.build_default_rules(self._log_denied) transaction.add_rules(backend, rules) if self.is_ipv_enabled("ipv6"): ipv6_backend = self.get_backend_by_ipv("ipv6") if self.ipv6_rpfilter_enabled and \ "raw" in ipv6_backend.get_available_tables(): # Execute existing transaction transaction.execute(True) # Start new transaction transaction.clear() rules = ipv6_backend.build_rpfilter_rules(self._log_denied) transaction.add_rules(ipv6_backend, rules) # Execute ipv6_rpfilter transaction, it might fail try: transaction.execute(True) except FirewallError as msg: 
log.warning("Applying rules for ipv6_rpfilter failed: %s", msg) # Start new transaction transaction.clear() if use_transaction is None: transaction.execute(True) # flush and policy def flush(self, use_transaction=None): if use_transaction is None: transaction = FirewallTransaction(self) else: transaction = use_transaction log.debug1("Flushing rule set") for backend in self.all_backends(): rules = backend.build_flush_rules() transaction.add_rules(backend, rules) if use_transaction is None: transaction.execute(True) def set_policy(self, policy, use_transaction=None): if use_transaction is None: transaction = FirewallTransaction(self) else: transaction = use_transaction log.debug1("Setting policy to '%s'", policy) for backend in self.enabled_backends(): rules = backend.build_set_policy_rules(policy) transaction.add_rules(backend, rules) if use_transaction is None: transaction.execute(True) # rule function used in handle_ functions def rule(self, backend_name, rule): if not rule: return "" backend = self.get_backend_by_name(backend_name) if not backend: raise FirewallError(errors.INVALID_IPV, "'%s' is not a valid backend" % backend_name) if not self.is_backend_enabled(backend_name): return "" return backend.set_rule(rule, self._log_denied) def rules(self, backend_name, rules): _rules = list(filter(None, rules)) backend = self.get_backend_by_name(backend_name) if not backend: raise FirewallError(errors.INVALID_IPV, "'%s' is not a valid backend" % backend_name) if not self.is_backend_enabled(backend_name): return "" if self._individual_calls or \ not backend.restore_command_exists or \ (backend_name == "ebtables" and not self.ebtables_backend.restore_noflush_option): for i,rule in enumerate(_rules): try: backend.set_rule(rule, self._log_denied) except Exception as msg: log.debug1(traceback.format_exc()) log.error(msg) for rule in reversed(_rules[:i]): try: backend.set_rule(backend.reverse_rule(rule), self._log_denied) except Exception: # ignore errors here pass raise msg 
return True else: return backend.set_rules(_rules, self._log_denied) # check functions def check_panic(self): if self._panic: raise FirewallError(errors.PANIC_MODE) def check_zone(self, zone): _zone = zone if not _zone or _zone == "": _zone = self.get_default_zone() if _zone not in self.zone.get_zones(): raise FirewallError(errors.INVALID_ZONE, _zone) return _zone def check_interface(self, interface): if not functions.checkInterface(interface): raise FirewallError(errors.INVALID_INTERFACE, interface) def check_service(self, service): self.service.check_service(service) def check_port(self, port): if not functions.check_port(port): raise FirewallError(errors.INVALID_PORT, port) def check_tcpudp(self, protocol): if not protocol: raise FirewallError(errors.MISSING_PROTOCOL) if protocol not in [ "tcp", "udp", "sctp", "dccp" ]: raise FirewallError(errors.INVALID_PROTOCOL, "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \ protocol) def check_ip(self, ip): if not functions.checkIP(ip): raise FirewallError(errors.INVALID_ADDR, ip) def check_address(self, ipv, source): if ipv == "ipv4": if not functions.checkIPnMask(source): raise FirewallError(errors.INVALID_ADDR, source) elif ipv == "ipv6": if not functions.checkIP6nMask(source): raise FirewallError(errors.INVALID_ADDR, source) else: raise FirewallError(errors.INVALID_IPV, "'%s' not in {'ipv4'|'ipv6'}") def check_icmptype(self, icmp): self.icmptype.check_icmptype(icmp) def check_timeout(self, timeout): if not isinstance(timeout, int): raise TypeError("%s is %s, expected int" % (timeout, type(timeout))) if int(timeout) < 0: raise FirewallError(errors.INVALID_VALUE, "timeout '%d' is not positive number" % timeout) # RELOAD def reload(self, stop=False): _panic = self._panic # save zone interfaces _zone_interfaces = { } for zone in self.zone.get_zones(): _zone_interfaces[zone] = self.zone.get_settings(zone)["interfaces"] # save direct config _direct_config = self.direct.get_runtime_config() _old_dz = self.get_default_zone() 
self.set_policy("DROP") # stop self.cleanup() start_exception = None try: self._start(reload=True, complete_reload=stop) except Exception as e: # save the exception for later, but continue restoring interfaces, # etc. We'll re-raise it at the end. start_exception = e # handle interfaces in the default zone and move them to the new # default zone if it changed _new_dz = self.get_default_zone() if _new_dz != _old_dz: # if_new_dz has been introduced with the reload, we need to add it # https://github.com/firewalld/firewalld/issues/53 if _new_dz not in _zone_interfaces: _zone_interfaces[_new_dz] = { } # default zone changed. Move interfaces from old default zone to # the new one. for iface, settings in list(_zone_interfaces[_old_dz].items()): if settings["__default__"]: # move only those that were added to default zone # (not those that were added to specific zone same as # default) _zone_interfaces[_new_dz][iface] = \ _zone_interfaces[_old_dz][iface] del _zone_interfaces[_old_dz][iface] # add interfaces to zones again for zone in self.zone.get_zones(): if zone in _zone_interfaces: self.zone.set_settings(zone, { "interfaces": _zone_interfaces[zone] }) del _zone_interfaces[zone] else: log.info1("New zone '%s'.", zone) if len(_zone_interfaces) > 0: for zone in list(_zone_interfaces.keys()): log.info1("Lost zone '%s', zone interfaces dropped.", zone) del _zone_interfaces[zone] del _zone_interfaces # restore direct config self.direct.set_config(_direct_config) # enable panic mode again if it has been enabled before or set policy # to ACCEPT if _panic: self.enable_panic_mode() else: self.set_policy("ACCEPT") if start_exception: self._state = "FAILED" raise start_exception else: self._state = "RUNNING" # STATE def get_state(self): return self._state # PANIC MODE def enable_panic_mode(self): if self._panic: raise FirewallError(errors.ALREADY_ENABLED, "panic mode already enabled") # TODO: use rule in raw table not default chain policy try: self.set_policy("DROP") except 
Exception as msg: raise FirewallError(errors.COMMAND_FAILED, msg) self._panic = True def disable_panic_mode(self): if not self._panic: raise FirewallError(errors.NOT_ENABLED, "panic mode is not enabled") # TODO: use rule in raw table not default chain policy try: self.set_policy("ACCEPT") except Exception as msg: raise FirewallError(errors.COMMAND_FAILED, msg) self._panic = False def query_panic_mode(self): return self._panic # LOG DENIED def get_log_denied(self): return self._log_denied def set_log_denied(self, value): if value not in config.LOG_DENIED_VALUES: raise FirewallError(errors.INVALID_VALUE, "'%s', choose from '%s'" % \ (value, "','".join(config.LOG_DENIED_VALUES))) if value != self.get_log_denied(): self._log_denied = value self._firewalld_conf.set("LogDenied", value) self._firewalld_conf.write() else: raise FirewallError(errors.ALREADY_SET, value) # AUTOMATIC HELPERS def get_automatic_helpers(self): return self._automatic_helpers def set_automatic_helpers(self, value): if value not in config.AUTOMATIC_HELPERS_VALUES: raise FirewallError(errors.INVALID_VALUE, "'%s', choose from '%s'" % \ (value, "','".join(config.AUTOMATIC_HELPERS_VALUES))) if value != self.get_automatic_helpers(): self._automatic_helpers = value self._firewalld_conf.set("AutomaticHelpers", value) self._firewalld_conf.write() else: raise FirewallError(errors.ALREADY_SET, value) # DEFAULT ZONE def get_default_zone(self): return self._default_zone def set_default_zone(self, zone): _zone = self.check_zone(zone) if _zone != self._default_zone: _old_dz = self._default_zone self._default_zone = _zone self._firewalld_conf.set("DefaultZone", _zone) self._firewalld_conf.write() # remove old default zone from ZONES and add new default zone self.zone.change_default_zone(_old_dz, _zone) # Move interfaces from old default zone to the new one. 
_old_dz_settings = self.zone.get_settings(_old_dz) for iface, settings in list(_old_dz_settings["interfaces"].items()): if settings["__default__"]: # move only those that were added to default zone # (not those that were added to specific zone same as default) self.zone.change_zone_of_interface("", iface) else: raise FirewallError(errors.ZONE_ALREADY_SET, _zone) core/prog.pyo000064400000001734147576556050007225 0ustar00 c`c@s(ddlZdgZdddZdS(iNtrunProgc Cs|dkrg}n|g|}d}|r[t|d}|jj}WdQXnidd6}y:tj|dtjdtjdtjdtd|}Wnt k rd SX|j |\}} |j d d }|j |fS(NtrtCtLANGtstdintstderrtstdoutt close_fdstenvitsutf-8treplace(iR ( tNonetopentreadtencodet subprocesstPopentPIPEtSTDOUTtTruetOSErrort communicatetdecodet returncode( tprogtargvRtargst input_stringthandleRtprocesstoutputt err_output((s6/usr/lib/python2.7/site-packages/firewall/core/prog.pyRs$       (Rt__all__R R(((s6/usr/lib/python2.7/site-packages/firewall/core/prog.pyts  core/base.pyo000064400000002451147576556050007165 0ustar00 c`c@sdZdZdddedgZidd6dd 6d d 6d d 6dd6dd6Ziddddddddddddddd d!gd"6d#d$d%d&d'd(d)ddg d*6Zd+d,d-d.d/d0d1gZd2S(3sBase firewall settingss{chain}_{zone}tACCEPTs %%REJECT%%tDROPtdefaulttPREt PREROUTINGtPOSTt POSTROUTINGtINtINPUTtFWDIt FORWARD_INtFWDOt FORWARD_OUTtOUTtOUTPUTsicmp-host-prohibiteds host-prohibsicmp-net-unreachables net-unreachsicmp-host-unreachables host-unreachsicmp-port-unreachables port-unreachsicmp-proto-unreachables proto-unreachsicmp-net-prohibiteds net-prohibs tcp-resetstcp-rstsicmp-admin-prohibiteds admin-prohibtipv4sicmp6-adm-prohibitedsadm-prohibitedsicmp6-no-routesno-routesicmp6-addr-unreachables addr-unreachsicmp6-port-unreachabletipv6shash:ips hash:ip,ports hash:ip,markshash:nets hash:net,portshash:net,ifaceshash:macN(t__doc__tDEFAULT_ZONE_TARGETt ZONE_TARGETSt SHORTCUTSt REJECT_TYPEStZONE_SOURCE_IPSET_TYPES(((s6/usr/lib/python2.7/site-packages/firewall/core/base.pyts,           core/fw_policies.pyo000064400000005704147576556050010562 0ustar00 c`c@ssdgZddlmZddlmZddlmZddlmZddlm Z de fdYZ 
dS( tFirewallPoliciesi(tconfig(tlog(tLockdownWhitelist(terrors(t FirewallErrorcBsGeZdZdZdZdZdZdZdZRS(cCst|_ttj|_dS(N(tFalset _lockdownRRtLOCKDOWN_WHITELISTtlockdown_whitelist(tself((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pyt__init__s cCsd|j|j|jfS(Ns %s(%r, %r)(t __class__RR (R ((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pyt__repr__#scCst|_|jjdS(N(RRR tcleanup(R ((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pyR's cCs|dkrCtjd||jj|r tjdtSn|dkrtjd||jj|r tjdtSn|dkrtjd||jj|r tjd tSnC|d kr tjd ||jj|r tjd tSnt S( Ntcontexts#Doing access check for context "%s"scontext matches.tuidsDoing access check for uid %ds uid matches.tusers Doing access check for user "%s"s user matches.tcommands#Doing access check for command "%s"scommand matches.( Rtdebug2R t match_contexttdebug3tTruet match_uidt match_usert match_commandR(R tkeytvalue((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pyt access_check-s*        cCs+|jrttjdnt|_dS(Nsenable_lockdown()(RRRtALREADY_ENABLEDR(R ((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pytenable_lockdownDs cCs+|jsttjdnt|_dS(Nsdisable_lockdown()(RRRt NOT_ENABLEDR(R ((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pytdisable_lockdownIs cCs|jS(N(R(R ((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pytquery_lockdownNs( t__name__t __module__R R RRRR R!(((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pyRs      N( t__all__tfirewallRtfirewall.core.loggerRt#firewall.core.io.lockdown_whitelistRRtfirewall.errorsRtobjectR(((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pyts core/__init__.pyo000064400000000221147576556050010003 0ustar00 c`c@sdS(N((((s:/usr/lib/python2.7/site-packages/firewall/core/__init__.pytscore/ipset.py000064400000022146147576556050007223 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2015-2016 Red Hat, Inc. 
# # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # """The ipset command wrapper""" __all__ = [ "ipset", "check_ipset_name", "remove_default_create_options" ] import os.path from firewall import errors from firewall.errors import FirewallError from firewall.core.prog import runProg from firewall.core.logger import log from firewall.functions import tempFile, readfile from firewall.config import COMMANDS IPSET_MAXNAMELEN = 32 IPSET_TYPES = [ # bitmap and set types are currently not supported # "bitmap:ip", # "bitmap:ip,mac", # "bitmap:port", # "list:set", "hash:ip", "hash:ip,port", "hash:ip,port,ip", "hash:ip,port,net", "hash:ip,mark", "hash:net", "hash:net,net", "hash:net,port", "hash:net,port,net", "hash:net,iface", "hash:mac", ] IPSET_CREATE_OPTIONS = { "family": "inet|inet6", "hashsize": "value", "maxelem": "value", "timeout": "value in secs", #"counters": None, #"comment": None, } IPSET_DEFAULT_CREATE_OPTIONS = { "family": "inet", "hashsize": "1024", "maxelem": "65536", } class ipset(object): """ipset command wrapper class""" def __init__(self): self._command = COMMANDS["ipset"] self.name = "ipset" def __run(self, args): """Call ipset with args""" # convert to string list _args = ["%s" % item for item in args] log.debug2("%s: %s %s", self.__class__, self._command, " ".join(_args)) (status, ret) = runProg(self._command, _args) if status != 0: raise ValueError("'%s %s' failed: %s" % 
(self._command, " ".join(_args), ret)) return ret def check_name(self, name): """Check ipset name""" if len(name) > IPSET_MAXNAMELEN: raise FirewallError(errors.INVALID_NAME, "ipset name '%s' is not valid" % name) def set_supported_types(self): """Return types that are supported by the ipset command and kernel""" ret = [ ] output = "" try: output = self.__run(["--help"]) except ValueError as ex: log.debug1("ipset error: %s" % ex) lines = output.splitlines() in_types = False for line in lines: #print(line) if in_types: splits = line.strip().split(None, 2) if splits[0] not in ret and splits[0] in IPSET_TYPES: ret.append(splits[0]) if line.startswith("Supported set types:"): in_types = True return ret def check_type(self, type_name): """Check ipset type""" if len(type_name) > IPSET_MAXNAMELEN or type_name not in IPSET_TYPES: raise FirewallError(errors.INVALID_TYPE, "ipset type name '%s' is not valid" % type_name) def set_create(self, set_name, type_name, options=None): """Create an ipset with name, type and options""" self.check_name(set_name) self.check_type(type_name) args = [ "create", set_name, type_name ] if isinstance(options, dict): for key, val in options.items(): args.append(key) if val != "": args.append(val) return self.__run(args) def set_destroy(self, set_name): self.check_name(set_name) return self.__run([ "destroy", set_name ]) def set_add(self, set_name, entry): args = [ "add", set_name, entry ] return self.__run(args) def set_delete(self, set_name, entry): args = [ "del", set_name, entry ] return self.__run(args) def test(self, set_name, entry, options=None): args = [ "test", set_name, entry ] if options: args.append("%s" % " ".join(options)) return self.__run(args) def set_list(self, set_name=None, options=None): args = [ "list" ] if set_name: args.append(set_name) if options: args.extend(options) return self.__run(args).split("\n") def set_get_active_terse(self): """ Get active ipsets (only headers) """ lines = self.set_list(options=["-terse"]) ret 
= { } _name = _type = None _options = { } for line in lines: if len(line) < 1: continue pair = [ x.strip() for x in line.split(":", 1) ] if len(pair) != 2: continue elif pair[0] == "Name": _name = pair[1] elif pair[0] == "Type": _type = pair[1] elif pair[0] == "Header": splits = pair[1].split() i = 0 while i < len(splits): opt = splits[i] if opt in [ "family", "hashsize", "maxelem", "timeout", "netmask" ]: if len(splits) > i: i += 1 _options[opt] = splits[i] else: log.error("Malformed ipset list -terse output: %s", line) return { } i += 1 if _name and _type: ret[_name] = (_type, remove_default_create_options(_options)) _name = _type = None _options.clear() return ret def save(self, set_name=None): args = [ "save" ] if set_name: args.append(set_name) return self.__run(args) def set_restore(self, set_name, type_name, entries, create_options=None, entry_options=None): self.check_name(set_name) self.check_type(type_name) temp_file = tempFile() if ' ' in set_name: set_name = "'%s'" % set_name args = [ "create", set_name, type_name, "-exist" ] if create_options: for key, val in create_options.items(): args.append(key) if val != "": args.append(val) temp_file.write("%s\n" % " ".join(args)) temp_file.write("flush %s\n" % set_name) for entry in entries: if ' ' in entry: entry = "'%s'" % entry if entry_options: temp_file.write("add %s %s %s\n" % \ (set_name, entry, " ".join(entry_options))) else: temp_file.write("add %s %s\n" % (set_name, entry)) temp_file.close() stat = os.stat(temp_file.name) log.debug2("%s: %s restore %s", self.__class__, self._command, "%s: %d" % (temp_file.name, stat.st_size)) args = [ "restore" ] (status, ret) = runProg(self._command, args, stdin=temp_file.name) if log.getDebugLogLevel() > 2: try: readfile(temp_file.name) except Exception: pass else: i = 1 for line in readfile(temp_file.name): log.debug3("%8d: %s" % (i, line), nofmt=1, nl=0) if not line.endswith("\n"): log.debug3("", nofmt=1) i += 1 os.unlink(temp_file.name) if status != 0: raise 
ValueError("'%s %s' failed: %s" % (self._command, " ".join(args), ret)) return ret def set_flush(self, set_name): args = [ "flush" ] if set_name: args.append(set_name) return self.__run(args) def rename(self, old_set_name, new_set_name): return self.__run([ "rename", old_set_name, new_set_name ]) def swap(self, set_name_1, set_name_2): return self.__run([ "swap", set_name_1, set_name_2 ]) def version(self): return self.__run([ "version" ]) def check_ipset_name(name): """Return true if ipset name is valid""" if len(name) > IPSET_MAXNAMELEN: return False return True def remove_default_create_options(options): """ Return only non default create options """ _options = options.copy() for opt in IPSET_DEFAULT_CREATE_OPTIONS: if opt in _options and \ IPSET_DEFAULT_CREATE_OPTIONS[opt] == _options[opt]: del _options[opt] return _options core/fw_config.pyo000064400000075276147576556050010233 0ustar00 c`c@sdgZddlZddlZddlZddlZddlmZddlmZddl m Z m Z m Z ddl mZmZmZddlmZmZmZddlmZmZmZdd lmZmZmZdd lmZdd lmZde fd YZ!dS( tFirewallConfigiN(tconfig(tlog(tIcmpTypeticmptype_readerticmptype_writer(tServicetservice_readertservice_writer(tZonet zone_readert zone_writer(tIPSett ipset_readert ipset_writer(tHelpert helper_readert helper_writer(terrors(t FirewallErrorcBseZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!d Z"d!Z#d"Z$d#Z%d$Z&d%Z'd&Z(d'Z)d(Z*d)Z+d*Z,d+Z-d,Z.d-Z/d.Z0d/Z1d0Z2d1Z3d2Z4d3Z5d4Z6d5Z7d6Z8d7Z9d8Z:d9Z;d:Z<d;Z=d<Z>d=Z?d>Z@d?ZAd@ZBdAZCdBZDdCZEdDZFdEZGdFZHdGZIdHZJdIZKdJZLdKZMdLZNdMZOdNZPdOZQdPZRRS(QcCs||_|jdS(N(t_fwt_FirewallConfig__init_vars(tselftfw((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt__init__'s cCs\d|j|j|j|j|j|j|j|j|j|j |j |j |j |j fS(Ns6%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)(t __class__t_ipsetst _icmptypest _servicest_zonest_helperst_builtin_ipsetst_builtin_icmptypest_builtin_servicest_builtin_zonest_builtin_helperst_firewalld_conft 
_policiest_direct(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt__repr__+s cCsyi|_i|_i|_i|_i|_i|_i|_i|_i|_i|_ d|_ d|_ d|_ dS(N(RRRRRRR R!R"R#tNoneR$R%R&(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt __init_vars4s            cCsx8t|jjD]!}|j|j|j|=qWx8t|jjD]!}|j|j|j|=qQWx8t|jjD]!}|j|j|j|=qWx8t|jjD]!}|j|j|j|=qWx8t|jjD]!}|j|j|j|=qWx8t|jjD]!}|j|j|j|=q=Wx8t|j jD]!}|j |j|j |=qxWx8t|j jD]!}|j |j|j |=qWx8t|j jD]!}|j |j|j |=qWx8t|j jD]!}|j |j|j |=q)W|j rv|j j|` d|_ n|jr|jj|`d|_n|jr|jj|`d|_n|jdS(N(tlistRtkeystcleanupRR RR!RR"RR#RR$R(R%R&R(Rtx((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyR,CsV         cCs|jjjS(N(Rtpoliciestquery_lockdown(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pytlockdown_enabledzscCs|jjj||S(N(RR.t access_check(Rtkeytvalue((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyR1}scCs ||_dS(N(R$(Rtconf((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pytset_firewalld_confscCs|jS(N(R$(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pytget_firewalld_confscCs6tjjtjs%|jjn |jjdS(N(tostpathtexistsRtFIREWALLD_CONFR$tcleartread(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pytupdate_firewalld_confscCs ||_dS(N(R%(RR.((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt set_policiesscCs|jS(N(R%(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt get_policiesscCs<tjjtjs(|jjjn|jjjdS(N( R7R8R9RtLOCKDOWN_WHITELISTR%tlockdown_whitelistR,R<(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pytupdate_lockdown_whitelistscCs ||_dS(N(R&(Rtdirect((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt set_directscCs|jS(N(R&(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt get_directscCs6tjjtjs%|jjn |jjdS(N(R7R8R9RtFIREWALLD_DIRECTR&R,R<(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt 
update_directscCs2ttt|jjt|jjS(N(tsortedtsetR*RR+R(R((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyt get_ipsetsscCs0|jr||j|jR?RBRDRERGRJRNRPRSRUR[R`RjRRRoRpRrRqRsRtRvRxRyR{R|R}RwRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR(((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyR&s   7                  E            E            E             M            E    ("t__all__RVR7tos.pathRltfirewallRtfirewall.core.loggerRtfirewall.core.io.icmptypeRRRtfirewall.core.io.serviceRRRtfirewall.core.io.zoneR R R tfirewall.core.io.ipsetR R Rtfirewall.core.io.helperRRRRtfirewall.errorsRtobjectR(((s;/usr/lib/python2.7/site-packages/firewall/core/fw_config.pyts     core/helper.pyo000064400000000336147576556050007532 0ustar00 c`c@sdZdZdS(sThe helper maxnameleni N(t__doc__tHELPER_MAXNAMELEN(((s8/usr/lib/python2.7/site-packages/firewall/core/helper.pytscore/fw_icmptype.pyo000064400000005773147576556050010613 0ustar00 c`c@s_dgZddlZddlmZddlmZddlmZdefdYZ dS(tFirewallIcmpTypeiN(tlog(terrors(t FirewallErrorcBsPeZdZdZdZdZdZdZdZdZ RS(cCs||_i|_dS(N(t_fwt _icmptypes(tselftfw((s=/usr/lib/python2.7/site-packages/firewall/core/fw_icmptype.pyt__init__s cCsd|j|jfS(Ns%s(%r)(t __class__R(R((s=/usr/lib/python2.7/site-packages/firewall/core/fw_icmptype.pyt__repr__"scCs|jjdS(N(Rtclear(R((s=/usr/lib/python2.7/site-packages/firewall/core/fw_icmptype.pytcleanup%scCst|jjS(N(tsortedRtkeys(R((s=/usr/lib/python2.7/site-packages/firewall/core/fw_icmptype.pyt get_icmptypes*scCs(||jkr$ttj|ndS(N(RRRtINVALID_ICMPTYPE(Rticmptype((s=/usr/lib/python2.7/site-packages/firewall/core/fw_icmptype.pytcheck_icmptype-scCs|j||j|S(N(RR(RR((s=/usr/lib/python2.7/site-packages/firewall/core/fw_icmptype.pyt get_icmptype1s cCs_|j}t|dkr*ddg}n|}x|D]}|dkrk|jjs\q8n|jj}n3|dkr|jjsq8n|jj}ng}|jj|kr8t j d|j|f|j |q8q8Wt|t|krKt|dkr t t jdntj|}||_||j|js  core/fw_ifcfg.pyo000064400000003532147576556050010026 0ustar00 c`c@spdZddgZddlZddlZddlmZddlmZddlm Z dZ d Z dS( s.Functions to search for and change ifcfg 
filestsearch_ifcfg_of_interfacetifcfg_set_zone_of_interfaceiN(tconfig(tlog(tifcfgcCstjjtjsd SxttjtjD]}|jdsMq2nx5ddddddgD]}|j |rfqfqfqfWd|krq2nt d tj|f}|j |j d |kr2|Sq2Wd tj|f}tjj|rt |}|j |Sd S( s6search ifcfg file for the interface in config.IFCFGDIRsifcfg-s.baks.origs.rpmnews.rpmorigs.rpmsaves-ranget.s%s/%stDEVICEs %s/ifcfg-%sN( tostpathtexistsRtIFCFGDIRtNonetsortedtlistdirt startswithtendswithRtreadtget(t interfacetfilenametignoredt ifcfg_file((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ifcfg.pyR!s*      cCs|dkrd}nt|}|dk r|jd|kr|jddko`|dk rtjd||jf|jd||jndS(sYSet zone (ZONE=) in the ifcfg file that uses the interface (DEVICE=)ttZONEsSetting ZONE=%s in '%s'N(R RRRtdebug1Rtsettwrite(tzoneRR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ifcfg.pyR?s   !"( t__doc__t__all__Rtos.pathtfirewallRtfirewall.core.loggerRtfirewall.core.io.ifcfgRRR(((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ifcfg.pyts    core/nftables.pyc000064400000115071147576556050010040 0ustar00 c`c@s~ddlZddlZddlmZmZddlmZddlm Z ddl m Z m Z m Z mZmZddlmZddlmZmZmZmZmZmZddlmZmZmZmZd Zd Ziid d efd 6d6id defd 6d6id defd 6ddefd6d6iddefd6ddefd6d6Z iid6id6id6Z!ii"dd d!dd"d#gd$6dd d!gd!6dd d%gd%6dd d&gd&6dd d!dd"d'gd(6dd d!dd"d)gd*6dd d!dd"d+gd,6dd d-dd"d.gd/6dd d!dd"d0gd16dd d!dd"d.gd26dd d3dd"d.gd46dd d!dd"d5gd66dd d-dd"d7gd86dd d!dd"d9gd:6dd d!dd"d7gd;6dd d3gd36dd d!dd"d<gd=6dd d!dd"d>gd?6dd d!dd"d@gdA6dd d-gd-6dd d3dd"d.gdB6dd dCgdC6dd dDgdD6dd dEgdE6dd d!dd"dFgdG6dd dHgdH6dd dIgdI6dd dJgdJ6dd d-dd"d<gdK6dd d!dd"dLgdM6dd d-dd"d@gdN6dd d!dd"dOgdP6dd dHdd"d.gdQ6dd dHdd"d7gdR6dS6idTd d!dTd"d<gdU6dTd d3dTd"d7gdV6dTd d!dTd"d@gdW6dTd d!dTd"d.gd$6dTd d!gd!6dTd d%gd%6dTd d&gd&6dTd d!dTd"dFgdX6dTd dYgdZ6dTd d[gd\6dTd d!dTd"d7gd]6dTd d^gd^6dTd d3gd36dTd d!dTd"d'gd=6dTd d_gd-6dTd d!dTd"d9gd`6dTd dagdC6dTd dbgdD6dTd dHgdH6dTd dHdTd"d.gdQ6dTd dHdTd"d7gdR6dTd d3dTd"d.gdc6dTd d3dTd"d@gdd6de6Z"dfe#fdgYZ$dS(hiN(t SHORTCUTStDEFAULT_ZONE_TARGET(trunProg(tlog(t splitArgst 
check_mactportStrtcheck_single_addresst check_address(tconfig(t FirewallErrort UNKNOWN_ERRORt INVALID_RULEtINVALID_ICMPTYPEt INVALID_TYPEt INVALID_ENTRY(t Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_Markt firewalldi t preroutingit PREROUTINGtrawijtmangleit postroutingidt POSTROUTINGtnattinputitINPUTtforwardtFORWARDtfiltertinettiptip6ticmpttypesdestination-unreachabletcodet13scommunication-prohibiteds echo-replys echo-requestt4sfragmentation-neededt14shost-precedence-violationt10shost-prohibitedtredirectt1s host-redirectt7s host-unknownshost-unreachablesparameter-problems ip-header-badt8snetwork-prohibitedt0snetwork-redirectt6snetwork-unknownsnetwork-unreachablet3sport-unreachablet15sprecedence-cutofft2sprotocol-unreachablesrequired-option-missingsrouter-advertisementsrouter-solicitations source-quencht5ssource-route-faileds time-exceededstimestamp-replystimestamp-requeststos-host-redirectt12stos-host-unreachablestos-network-redirectt11stos-network-unreachablesttl-zero-during-reassemblysttl-zero-during-transittipv4ticmpv6saddress-unreachables bad-headers beyond-scopes failed-policysnd-neighbor-advertsneighbour-advertisementsnd-neighbor-solicitsneighbour-solicitationsno-routespacket-too-bigs nd-redirects reject-routesnd-router-advertsnd-router-solicitsunknown-header-typesunknown-optiontipv6tnftablescBseZdZeZdZdZdZdZdZ dZ dZ dZ d3d Zd Zd Zd Zd ZddZdZeddZddZddZdZdZdZdZdZdZdZdZ d3d3dZ!d3d3dZ"d3d3dZ#d Z$d3d!Z%d3d"Z&d#Z'd3d$Z(d%Z)d3d&Z*d'Z+ed(Z,d)Z-d*Z.d+Z/d3d,Z0d-Z1d.Z2d/Z3d0Z4d1Z5d2Z6RS(4R:cCsK||_tjd|_|jg|_i|_i|_i|_dS(Ntnft( t_fwR tCOMMANDSt_commandt fill_existstavailable_tablestrule_to_handletrule_ref_counttzone_source_index_cache(tselftfw((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt__init__s     cCs%tjj|j|_t|_dS(N(tostpathtexistsR>tcommand_existstFalsetrestore_command_exists(RD((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR?sc Csy?|jd}|j||j|}||df}WnLtk ry&|jd}|j|d}Wqtk rdSXnX|d}|r| r||kr|||kr||j|qn|r||krg||sitinsertitaddtindexs%d( 
RRtpopt ValueErrortNonetremovetappendtsortR<t_allow_zone_driftingtlenRP( RDtrule_addtruleRCtitzonet zone_sourcetfamilyRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_run_replace_zone_sourcesD                 c Csddg}|}|ddkrs|ddkrs|}d|dRUtTruetintt ExceptionR R RStjoinRKRBR Rtdebug2t __class__tcopytdeepcopyRCRaRARTRRRZtstrip( RDtargstnft_optst_argst _args_testtstatustoutputtrule_keyR[RCt _args_strtstrtoffset((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt__runs|           #!     cCsAy|j|}Wntk r'tSX||||d+tSdS(Ni(RRRTRKRi(RDR\tpatternt replacementR]((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt _rule_replace,s  cCs|}d|d<|S(NRbi((RDRrtret_args((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt reverse_rule5s cCsttddS(Nsnot implemented(R R (RDtrulest log_denied((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt set_rules:sc Csd}d|ks*d|ks*d|kr3d}n-d|ksWd|ksWd|kr`d}n|j|dd d |d d g|j|d dddgy|jd}Wntk rnDX|dkrdS|dkrd|g|||d+n |j||j|S(NticmpxR7R"R$R9R#R8s %%REJECT%%trejecttwithR%sadmin-prohibiteds%%ICMP%%tmetatl4protos{icmp, icmpv6}s %%LOGTYPE%%toffRetunicastt broadcastt multicasttpkttypei(RRR(RRRRTRSt_nftables__run(RDR\Rt icmp_keywordR]((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytset_ruleCs$$ $      cCs|r |gStjS(N(tIPTABLES_TO_NFT_HOOKtkeys(RDRc((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytget_available_tablesbscCsYi|_i|_i|_g}x1tjD]#}|jdd|dtgq.W|S(NRbRcs%s(RARBRCt OUR_CHAINSRRWt TABLE_NAME(RDRR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_flush_rulesfs   !cCstdd}g}|dkr|jddd|gxddgD]:}d |d ||d td f}|jt|qFWn5|d kr|jddd|gn ttd|S(Nt_t policy_droptDROPRQRcR!RRwsMadd chain inet %s %s_%s '{ type filter hook %s priority %d ; policy drop ; }'RiitACCEPTRbsnot implemented(RRWtNFT_HOOK_OFFSETRR R (RDtpolicyt table_nameRthookt _add_chain((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_set_policy_rulesps   
cCsAt}x+tjD]}|jt|jqWt|S(N(tsettICMP_TYPES_FRAGMENTRtupdateRd(RDt supportedtipv((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytsupported_icmp_typess cCsAg}x+tjD]}|jd|tfqWtt|S(Nsadd table %s %s(RRRWRtmapR(RDtdefault_tablesR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_default_tablessRc Csg}ttddadd rule inet %s filter_%s ct state established,related acceptRs,add rule inet %s filter_%s iifname lo acceptsadd chain inet %s filter_%s_%ss,add rule inet %s filter_%s jump filter_%s_%sRs_add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '"STATE_INVALID_DROP: "'s0add rule inet %s filter_%s ct state invalid dropsHadd rule inet %s filter_%s %%%%LOGTYPE%%%% log prefix '"FINAL_REJECT: "'sBadd rule inet %s filter_%s reject with icmpx type admin-prohibiteds$add chain inet %s filter_%s_IN_ZONESRtINtOUTs!add chain inet %s filter_%s_%s_%ss/add rule inet %s filter_%s jump filter_%s_%s_%stINPUT_ZONES_SOURCEt INPUT_ZONEStFORWARD_IN_ZONES_SOURCEtFORWARD_IN_ZONEStFORWARD_OUT_ZONES_SOURCEtFORWARD_OUT_ZONES( RRRRRWRR<RYRRR(RDRt default_rulestchaintdispatch_suffixR`t direction((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_default_ruless (0 (0  ( 4 (!  
((  cCsY|dkrdddgS|dkr,dgS|dkrBddgS|d krUdgSiS( NR Rt FORWARD_INt FORWARD_OUTRRRRR((RDRc((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytget_zone_table_chainss      R!c Cs|dkrr|dkrrg}|j|j||||||d|j|j||||||d|Sidd6dd6dd 6dd 6dd 6dd 6|} |t|d dkr|t|d  d}ntjdt|d|} d} |r3| r3dd|dtd||fdg} ne|r_dd|dtd||fg} n9dd|dtd||fg} |s| dg7} n|dkr| | d|| fg7} n(| | d|d| d|| fg7} | gS(NRR!R"R#tiifnameRtoifnameRRRRtOUTPUTit+t*RR^tgotoRPR\s%ss %s_%s_ZONESs%%ZONE_INTERFACE%%RQRbs%s_%ss"(textendt!build_zone_source_interface_rulesRZRtformatRR( RDtenableR^t interfaceRcRRWR`RtoptttargettactionR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyRs>  &# (cCsK|dkr|dkrg}|jdrI|j|td}nd}td|svt|sv|dkr|j|j|||||dntd|st|s|dkr|j|j|||||dn|Sidt6d t 6|} id d 6d d 6d d6d d6d d6d d6|} |j j r\d||f} nd||f} t j dt|d|} d} |jdr|td}|j|}d|}nCt|r| d krdSd}ntd|rd}nd}| d|dt| d||| || d|| fg }|gS(NRR!sipset:R7R"R9R#RPRbtsaddrRtdaddrRRRRRs%s_%s_ZONES_SOURCEs %s_%s_ZONESRR^Rt@RetetherR\s%ss%%ZONE_SOURCE%%s%s_%s(t startswitht_set_get_familyRZRURRRtbuild_zone_source_address_rulesRiRKR<RYRRRR(RDRR^taddressRcRR`Rt ipset_familytadd_delRtzone_dispatch_chainRRtipsett rule_familyR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR$sT''      c Cs.|dkr`|dkr`g}|j|j|||d|j|j|||d|Stjdt|d|}t||jt|d|d|d |gg}|jd d|d t d ||fg|jd d|d t d ||fg|jd d|d t d||fg|jd d|d t d||fg|jd d|d t d ||fdd ||fg|jd d|d t d ||fdd||fg|jd d|d t d ||fdd||fg|j j j |j }|j jdkr|dkr|d kr|d!kr|}|dkrud}n|jd d|d t d ||fdddd||fg qqn|dkr*|d"kr*|d#kr*|jd d|d t d ||f|dkr|jndgn|S($NRR!R"R#RR^s%s_logs%s_denys%s_allowRQs%ss%s_%ss %s_%s_logs %s_%s_denys %s_%s_allowR\tjumpRR RRRRtREJECTs %%REJECT%%Rs %%LOGTYPE%%Rtprefixs"filter_%s_%s: "R(sINPUTs FORWARD_INs FORWARD_OUTsOUTPUT(Rs %%REJECT%%sDROP(sACCEPTRs %%REJECT%%sDROP(sINPUTs FORWARD_INs FORWARD_OUTsOUTPUT(Rtbuild_zone_chain_rulesRRRRRRRWRR<R^t_zonesRtget_log_deniedtlower( RDR^RcRR`Rt_zoneRt log_suffix((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR^s^            
%cCsiddddgd6ddddgd6ddddgd6ddddgd 6dddd gd 6dddd gd 6dd dd gd6dd dd gd6ddddgd6ddddgd6ddddgd6ddddgd6ddddgd6dd ddgd6ddddgd6ddddgd6ddddgd6dd ddgd6dd ddgd 6dd dd!gd"6dd dd!gd!6dd#d$gd%6dd#d$gd&6}||S('NRR$R%shost-prohibitedsicmp-host-prohibiteds host-prohibsnet-prohibitedsicmp-net-prohibiteds net-prohibsadmin-prohibitedsicmp-admin-prohibiteds admin-prohibR8sicmp6-adm-prohibitedsadm-prohibitedsnet-unreachablesicmp-net-unreachables net-unreachshost-unreachablesicmp-host-unreachables host-unreachsport-unreachablesicmp-port-unreachablesicmp6-port-unreachableRs port-unreachsprot-unreachablesicmp-proto-unreachables proto-unreachsaddr-unreachablesicmp6-addr-unreachables addr-unreachsno-routesicmp6-no-routettcptresets tcp-resetstcp-rst((RDt reject_typetfrags((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_reject_types_fragments2cCs|s gSidd6dd6dd6dd6}y|jjd }Wn tk rdttd nXd d |jd |!d ||j|dgS(Ntsecondtstminutetmthourthtdaytdt/sExpected '/' in limittlimittrateii(tvalueRRRTR R (RDRt rich_to_nftR]((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_limit_fragments  cCs|js gSidt6dt6|}|dddtd||fg}||dg7}|jjr|dd |jjg7}n|jjr|d d |jjg7}n||j|jj7}|S( NRQRbR\R!s%ss %s_%s_logRRs"%s"tlevel(RRiRKRRRRR(RDt rich_ruleRRcRt rule_fragmentRR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_logs   cCs||js gSidt6dt6|}|dddtd||fg}||ddd g7}||j|jj7}|S( NRQRbR\R!s%ss %s_%s_logRRtaudit(RRiRKRRR(RDRRRcRRRR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_audits c Cs|js gSidt6dt6|}t|jtkrVd||f}dg} nt|jtkrd||f}dg} |jjr^| |j|jj7} q^nt|jtkrd||f}dg} n~t|jtkrBt j dt d d |}d }d||f}d d d|jj g} nt tdt|j|dddt|g} | |7} | |j|jj7} | | 7} | S(NRQRbs %s_%s_allowtaccepts %s_%s_denyRtdropRRR^RRtmarkRsUnknown action %sR\R!s%s(RRiRKR%RRRRRRRRRR R RRR( RDR^RRRcRRRRt rule_actionR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_actions6        cCsS|s gS|dkr#dddgS|dkr<dddgSttd|dS(NR7RtnfprotoR9sInvalid family(R R (RDt 
rich_family((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_family_fragments    cCsx|s gSg}td|jr2|dg7}n |dg7}|jra|dd|jg7}n|d|jg7}|S(NR7R"R#Rs!=(Rtaddrtinvert(RDt rich_destR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_destination_fragments  cCsJ|s gSg}|jrtd|jr;|dg7}n |dg7}|jrj|dd|jg7}qF|d|jg7}nt|dr|jr|jr|ddd|jg7}qF|dd|jg7}npt|drF|jrF|j|j}|jr)||ddd |jg7}qF||dd |jg7}n|S( NR7R"R#Rs!=tmacRRR(RRRthasattrRRR(RDt rich_sourceRR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_source_fragment,s(      c Csidt6dt6|}d}tjdtdd|} g} |r_| |j|j7} n|rtd|r| dg7} n | d g7} | d |g7} n|r| |j|j 7} | |j |j 7} n| |d d t |d g7} | st |jtkr+| dddg7} ng} |r| j|j|||| | | j|j|||| | | j|j||||| | n5| j|ddd td|| fg| dg| S(NRQRbR RRR^R7R"R#Rtdports%st-tcttstates new,untrackedR\R!s %s_%s_allowR(RiRKRRRRR`RRt destinationR tsourceRR%RRRWRRRR( RDRR^tprototportRRRRcRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_ports_rulesIs2  ""(/c Csidt6dt6|}d}tjdtdd|}g} |r_| |j|j7} n|rtd|r| dg7} n | d g7} | d |g7} n|r| |j|j7} | |j|j 7} | |j |j 7} nd d |g} | st |j tkr0| d ddg7} ng} |r| j|j||||| | j|j||||| | j|j|||||| n/| j|dddtd|g| dg| S(NRQRbR RRR^R7R"R#RRRR R s new,untrackedR\R!s%ssfilter_%s_allowR(RiRKRRRRR`RRRR RR%RRRWRRRR( RDRR^tprotocolRRRRcRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_protocol_rulesjs4 ""()c Csidt6dt6|}d}tjdtdd|} g} |r_| |j|j7} n|rtd|r| dg7} n | d g7} | d |g7} n|r| |j|j 7} | |j |j 7} n| |d d t |d g7} | st |jtkr+| dddg7} ng} |r| j|j|||| | | j|j|||| | | j|j||||| | n5| j|ddd td|| fg| dg| S(NRQRbR RRR^R7R"R#Rtsports%sR R R s new,untrackedR\R!s %s_%s_allowR(RiRKRRRRR`RRRR RRR%RRRWRRRR( RDRR^RRRRRRcRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_source_ports_ruless2  ""(/c Csidt6dt6|}tjdtdd|} |dddtd | g} |rtd |rv| d g7} n | d g7} | d |g7} n| |ddt|dg7} | dddd||fg7} dddtd||fddd|d|ddg } | | gS(NRQRbRRR^R\R!s%ssfilter_%s_allowR7R"R#RR R R 
thelperRs"helper-%s-%s"s helper-%s-%st{R%s"%s"Rt;t}(RiRKRRRRRR( RDRR^RRRt helper_nametmodule_short_nameRRR\t helper_object((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_helper_ports_ruless"       cCsidt6dt6|}tjdtdd|}g}|ro||j|j7}||j|j7}n|d|dt d|g|d d d d ggS( NRQRbRRR^R\s%ss nat_%s_allowRs!=tlot masquerade( RiRKRRRRRR RR(RDRR^R`RRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt _build_zone_masquerade_nat_ruless cCsg}|rd|jr$|jdksB|jrdtd|jjrd|j|j||d|n}|r|jr|jdks|jrtd|jjr|j|j||d|n|j|j||d|idt6dt6|}tj dt dd |}g}|rP||j |j 7}||j |j7}n|j|d d d td |g|ddddg|S(NR9R#R7R"RQRbRRR^R\R!s%ssfilter_%s_allowR R s new,untrackedR(R`RRRRR!RiRKRRRRRR RWR(RDRR^RRRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_masquerade_ruless$"" 2c Csidt6dt6|}tjdtdd|} g} |rV| dd|g7} n| ddg7} |r|d kr| d t|d g7} n|d |d td| dd|g|| gS(NRQRbRRR^tdnatttoR+Res:%sR R\s%ss nat_%s_allowRR(RiRKRRRRR( RDRR^Rt mark_fragmentttoaddrttoportR`RRt dnat_fragment((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt"_build_zone_forward_port_nat_ruless c Csaidt6dt6|} d|} dd| g} tjdtdd|} g}| r||j| j7}||j| j7}||j | j 7}ng}|j | d d d t d | g||d |ddd| g| rC| jr| jdks|rCt d|rC|j|j|||| ||dn| r| jra| jdksv|rt d|r|j|j|||| ||dnh|rt d|r|j|j|||| ||dn(|j|j|||| ||dtjdt|d|} |j | d d d t d| dddg| dg|S(NRQRbs0x%xRRRRR^R\R!s%ssmangle_%s_allowR RR9R#R7R"sfilter_%s_allowR R s new,untrackedR(RiRKRRRRR`RRR RRWRRRR)(RDRR^t filter_chainRRR'R&tmark_idRRtmark_strR%RRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_forward_port_ruless@   2cCs<|t|krt||Sttd||jfdS(Ns"ICMP type '%s' not supported by %s(RR R tname(RDRt icmp_type((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_icmp_types_to_nft_fragment/s c Csd}idt6dt6|}|r9|jr9|j}n\|jrg}d|jkrg|jdnd|jkr|jdqn ddg}g}x/|D]'} xddgD]} tjdt| d |} |jj j |rd || f} d } nd || f} d } g}|rl||j |j 7}||j |j7}||j|j7}n||j| |j7}|r8|j|j|||| ||j|j|||| ||jr|j|j||||| |q|j|dddtd || fg|d gq|jjdkr| d kr|j|dddt| 
g|dddd||fgn|j|dddt| g|| gqWqW|S(NR RQRbR7R9RRRR^s %s_%s_allowRs %s_%s_denys %%REJECT%%R\R!s%sRs %%LOGTYPE%%RRs"%s_%s_ICMP_BLOCK: "(RiRKtipvsRRWRRRR<R^tquery_icmp_block_inversionRR`RR RR0R.RRRRRR(RDRR^tictRRcRR1RRRRt final_chaint final_targetR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_icmp_block_rules6sT      "" (2! -c Csd}g}xddgD]}tjdt|d|}djddtd ||fd d ||fg}|j|}|jjj|rd } nd } |rddddtd ||fd|g} n#ddddtd ||fg} | d| g7} |j | |jjj|r|jj dkr|rpddddtd ||fd|g} n#ddddtd ||fg} | ddddd||fg7} |j | qqqW|S(NR RRRR^RgR!s%ss%s_%sRs %s_%s_allows %%REJECT%%RRQR\RfRbs%%ICMP%%Rs %%LOGTYPE%%RRs"%s_%s_ICMP_BLOCK: "( RRRRlRRAR<R^R2RWR( RDRR^RcRRRRxt rule_handlet ibi_targetR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt%build_zone_icmp_block_inversion_rulesls<     cCsg}|jddddtdddd d d d d dddg|dkr|jddddtdddd d d d d dddddgn|jddddtdddddg |S(NRPR\R!s%ssraw_%sRRRR9tfibRt.tiiftoiftmissingRRRRs"rpfilter_DROP: "R8R%s){ nd-router-advert, nd-neighbor-solicit }Rtraw_PREROUTINGR?R?(RWR(RDRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_rpfilter_ruless   cCsd}tjdtdd|}g}||j|j7}||j|j7}||j|j7}g}|j |j ||||||j |j ||||||j |j |||||||S(NR RRR^( RRRRR`RRR RRWRRR(RDRR^RRcRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt(build_zone_rich_source_destination_ruless ""%cCs|dkrtStS(NR7R9teb(sipv4sipv6RB(RiRK(RDR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytis_ipv_supporteds cCs;idd6dd6}i ||gd6||ddgd6||dd ||gd 6||dd ||gd 6||d gd 6||gd6||ddgd6||dd ||gd6||dd ||gd6||dgd6dgd6}ydg||dgSWn$tk r6ttd|nXdS(Nt ipv4_addrR7t ipv6_addrR9shash:ips . inet_protos. inet_services hash:ip,ports. inet_service .shash:ip,port,ipshash:ip,port,nets. marks hash:ip,markshash:nets hash:net,portshash:net,port,ipshash:net,port,nets. 
ifnameshash:net,ifacet ether_addrshash:macR%Rs!ipset type name '%s' is not valid(tKeyErrorR R(RDRR%tipv_addrttypes((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_set_type_fragments(   c Cs)|r+d|kr+|ddkr+d}nd}|dg}||j||7}|rd|kr|d|dddg7}nd |kr|d |d dg7}qn| sd|krd |kr|d d dg7}n|dg7}x4dddgD]#}|jdd|tg|qWdS(NR`tinet6R9R7RttimeoutRRtmaxelemtsizet,tflagstintervalRR!R"R#RQR(RJRR(RDR.R%toptionsRtcmdR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt set_creates "      cCs:x3dddgD]"}|jdd|t|gqWdS(NR!R"R#RbR(RR(RDR.R`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt set_destroyscCs)|jjj|jddjd}|jd}t|t|krdttdng}xtt|D]}||dkry||jd}Wn(t k r|dd||g7}qX|||| d|||dg7}n|j |||j dq}W|d S( Nt:iROs+Number of values does not match ipset type.RRR;i( R<Rtget_typetsplitRZR RtrangeRRRTRW(RDR.tentryt type_formatt entry_tokenstfragmentR]RR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_set_entry_fragments +  *cCsTxMdddgD]<}|jdd|t|dg|j||dgqWdS(NR!R"R#RQtelementRR(RRR^(RDR.RZR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytset_addscCsTxMdddgD]<}|jdd|t|dg|j||dgqWdS(NR!R"R#RbR_RR(RRR^(RDR.RZR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt set_deletescCs:x3dddgD]"}|jdd|t|gqWdS(NR!R"R#tflushR(RR(RDR.R`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt set_flushscCsk|jjj|}|jdkr-d}n:|jrad|jkra|jddkrad}nd}|S(Nshash:macRR`RKR#R"(R<Rt get_ipsetR%RR(RDR.RR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR!s  N(7t__name__t __module__R.Ritzones_supportedRFR?RaRRRRRRURRRRRRRRKRRRRRRRRRRR RRRRR!R"R)R-R0R6R9R@RARCRJRTRUR^R`RaRcR(((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR:sf  - U      T  + 9 @   "  !#!     ,  6 2          (%tos.pathRGRotfirewall.core.baseRRtfirewall.core.progRtfirewall.core.loggerRtfirewall.functionsRRRRRtfirewallR tfirewall.errorsR R R R RRtfirewall.core.richRRRRRRRRRtobjectR:(((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyts  (."   
core/fw_policies.pyc000064400000005704147576556050010546 0ustar00 c`c@ssdgZddlmZddlmZddlmZddlmZddlm Z de fdYZ dS( tFirewallPoliciesi(tconfig(tlog(tLockdownWhitelist(terrors(t FirewallErrorcBsGeZdZdZdZdZdZdZdZRS(cCst|_ttj|_dS(N(tFalset _lockdownRRtLOCKDOWN_WHITELISTtlockdown_whitelist(tself((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pyt__init__s cCsd|j|j|jfS(Ns %s(%r, %r)(t __class__RR (R ((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pyt__repr__#scCst|_|jjdS(N(RRR tcleanup(R ((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pyR's cCs|dkrCtjd||jj|r tjdtSn|dkrtjd||jj|r tjdtSn|dkrtjd||jj|r tjd tSnC|d kr tjd ||jj|r tjd tSnt S( Ntcontexts#Doing access check for context "%s"scontext matches.tuidsDoing access check for uid %ds uid matches.tusers Doing access check for user "%s"s user matches.tcommands#Doing access check for command "%s"scommand matches.( Rtdebug2R t match_contexttdebug3tTruet match_uidt match_usert match_commandR(R tkeytvalue((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pyt access_check-s*        cCs+|jrttjdnt|_dS(Nsenable_lockdown()(RRRtALREADY_ENABLEDR(R ((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pytenable_lockdownDs cCs+|jsttjdnt|_dS(Nsdisable_lockdown()(RRRt NOT_ENABLEDR(R ((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pytdisable_lockdownIs cCs|jS(N(R(R ((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pytquery_lockdownNs( t__name__t __module__R R RRRR R!(((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pyRs      N( t__all__tfirewallRtfirewall.core.loggerRt#firewall.core.io.lockdown_whitelistRRtfirewall.errorsRtobjectR(((s=/usr/lib/python2.7/site-packages/firewall/core/fw_policies.pyts core/ebtables.pyo000064400000022045147576556050010035 0ustar00 c`c@sdgZddlZddlmZddlmZddlmZm Z m Z ddl m Z ddl mZddlmZmZddlZid gd 6d d d gd6dd dgd6ZiZiZiZxejD]Zgees0      core/fw_ifcfg.pyc000064400000003532147576556050010012 0ustar00 
c`c@spdZddgZddlZddlZddlmZddlmZddlm Z dZ d Z dS( s.Functions to search for and change ifcfg filestsearch_ifcfg_of_interfacetifcfg_set_zone_of_interfaceiN(tconfig(tlog(tifcfgcCstjjtjsd SxttjtjD]}|jdsMq2nx5ddddddgD]}|j |rfqfqfqfWd|krq2nt d tj|f}|j |j d |kr2|Sq2Wd tj|f}tjj|rt |}|j |Sd S( s6search ifcfg file for the interface in config.IFCFGDIRsifcfg-s.baks.origs.rpmnews.rpmorigs.rpmsaves-ranget.s%s/%stDEVICEs %s/ifcfg-%sN( tostpathtexistsRtIFCFGDIRtNonetsortedtlistdirt startswithtendswithRtreadtget(t interfacetfilenametignoredt ifcfg_file((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ifcfg.pyR!s*      cCs|dkrd}nt|}|dk r|jd|kr|jddko`|dk rtjd||jf|jd||jndS(sYSet zone (ZONE=) in the ifcfg file that uses the interface (DEVICE=)ttZONEsSetting ZONE=%s in '%s'N(R RRRtdebug1Rtsettwrite(tzoneRR((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ifcfg.pyR?s   !"( t__doc__t__all__Rtos.pathtfirewallRtfirewall.core.loggerRtfirewall.core.io.ifcfgRRR(((s:/usr/lib/python2.7/site-packages/firewall/core/fw_ifcfg.pyts    core/rich.pyo000064400000057354147576556050007214 0ustar00 c`c@sdddddddddd d d d d ddddgZddlmZddlmZddlmZddlmZddlm Z de fdYZ de fdYZ de fdYZ de fdYZdefdYZde fdYZde fdYZde fdYZde fd YZd e fd!YZd e fd"YZd e fd#YZd e fd$YZd e fd%YZdefd&YZde fd'YZde fd(YZde fd)YZd*S(+t Rich_SourcetRich_Destinationt Rich_Servicet Rich_Portt Rich_ProtocoltRich_MasqueradetRich_IcmpBlockt Rich_IcmpTypetRich_SourcePorttRich_ForwardPorttRich_Logt Rich_Auditt Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_Markt Rich_Limitt Rich_Rulei(t functions(tcheck_ipset_name(t REJECT_TYPES(terrors(t FirewallErrorcBseZedZdZRS(cCs||_|jdkr$d|_n||_|jdksK|jdkrWd|_n$|jdk r{|jj|_n||_|jdkrd|_n||_|jdkr|jdkr|jdkrttjdndS(Ntsno address, mac and ipset( taddrtNonetmactuppertipsettinvertRRt INVALID_RULE(tselfRRRR((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyt__init__$s       - cCsd|jrdnd}|jdk r7|d|jS|jdk rU|d|jS|jdk rs|d|jSttjddS(Ns source%s s NOTRs address="%s"smac="%s"s ipset="%s"sno address, mac and 
ipset(RRRRRRRR(Rtret((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyt__str__5s (t__name__t __module__tFalseR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR#s cBseZedZdZRS(cCs||_||_dS(N(RR(RRR((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR Bs cCs d|jrdnd|jfS(Nsdestination %saddress="%s"snot R(RR(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Fs(R#R$R%R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRAs cBseZdZdZRS(cCs ||_dS(N(tname(RR&((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR KscCs d|jS(Nsservice name="%s"(R&(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Ns(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRJs cBseZdZdZRS(cCs||_||_dS(N(tporttprotocol(RR'R(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR Rs cCsd|j|jfS(Nsport port="%s" protocol="%s"(R'R((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Vs(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRQs cBseZdZRS(cCsd|j|jfS(Ns#source-port port="%s" protocol="%s"(R'R((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Zs (R#R$R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRYscBseZdZdZRS(cCs ||_dS(N(tvalue(RR)((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR _scCs d|jS(Nsprotocol value="%s"(R)(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"bs(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR^s cBseZdZdZRS(cCsdS(N((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR fscCsdS(Nt masquerade((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"is(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRes cBseZdZdZRS(cCs ||_dS(N(R&(RR&((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR mscCs d|jS(Nsicmp-block name="%s"(R&(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"ps(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRls 
cBseZdZdZRS(cCs ||_dS(N(R&(RR&((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR tscCs d|jS(Nsicmp-type name="%s"(R&(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"ws(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRss cBseZdZdZRS(cCs^||_||_||_||_|jdkr?d|_n|jdkrZd|_ndS(NR(R'R(tto_portt to_addressR(RR'R(R+R,((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR {s     cCsRd|j|j|jdkr+d|jnd|jdkrJd|jndfS(Ns(forward-port port="%s" protocol="%s"%s%sRs to-port="%s"s to-addr="%s"(R'R(R+R,(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"s (R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR zs cBs#eZddddZdZRS(cCs||_||_||_dS(N(tprefixtleveltlimit(RR-R.R/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s  cCsSd|jrd|jnd|jr2d|jnd|jrKd|jndfS(Ns log%s%s%ss prefix="%s"Rs level="%s"s %s(R-R.R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"sN(R#R$RR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR scBseZddZdZRS(cCs ||_dS(N(R/(RR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR scCsd|jrd|jndS(Nsaudit%ss %sR(R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"sN(R#R$RR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s cBseZddZdZRS(cCs ||_dS(N(R/(RR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR scCsd|jrd|jndS(Nsaccept%ss %sR(R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"sN(R#R$RR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s cBs)eZdddZdZdZRS(cCs||_||_dS(N(ttypeR/(Rt_typeR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s cCs:d|jrd|jnd|jr2d|jndfS(Ns reject%s%ss type="%s"Rs %s(R0R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"scCs|jr{|s$ttjdn|dkr{|jt|kr{djt|}ttjd|j|fq{ndS(Ns9When using reject type you must specify also rule family.tipv4tipv6s, s%Wrong reject type %s. 
Use one of: %s.(R2R3(R0RRRRtjoin(Rtfamilyt valid_types((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pytchecks  N(R#R$RR R"R7(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s cBseZdZRS(cCsd|jrd|jndS(Nsdrop%ss %sR(R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"s(R#R$R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRscBs&eZddZdZdZRS(cCs||_||_dS(N(tsetR/(Rt_setR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s cCs'd|j|jrd|jndfS(Ns mark set=%s%ss %sR(R8R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"s cCs|jdk r|j}nttjdd|kr|jd}t|dkrottj|ntj|d stj|d rttj|qn$tj|sttj|ndS(Ns no value sett/iii( R8RRRt INVALID_MARKtsplittlenRt checkUINT32(Rtxtsplits((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR7s  N(R#R$RR R"R7(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRs  cBs,eZdZdZdZdZRS(cCsu||_d|jkrq|jjd}t|dkrq|dd krqd|d |dd f|_qqndS( NR:iitsecondtminutethourtdays%s/%si(RARBRCRD(R)R<R=(RR)R@((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s  cCsd}d|jkr*|jjd}n| sCt|dkr[ttj|jn|\}}yt|}Wnttj|jnX|dks|dkrttj|jnd}|dkrd}n?|dkrd}n*|dkr d}n|dkr d}nd ||d krPttjd |jn|dkr|dkrttjd |jndS(NR:iitstmthtdi<ii'is %s too fasts %s too slow(RERFRGRHiiiQ(RR)R<R=RRt INVALID_LIMITtint(RR@tratetdurationtmult((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR7s6           cCs d|jS(Nslimit value="%s"(R)(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"scCsdS(NR((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pytcommand s(R#R$R R7R"RN(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRs  " cBs;eZdddZdZdZdZdZRS(cCsw|dk rt||_n d|_d|_d|_d|_d|_d|_d|_|rs|j |ndS(N( RtstrR5tsourcet destinationtelementtlogtaudittactiont_import_from_string(RR5trule_str((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s        cCsg}xtj|D]}d|kr|jd}t|dks_|d s_|d rxttjd|n|ji|dd6|dd6q|ji|d6qW|jid d6|S( s Lexical analysis t=iiisinternal error in _lexer(): %st attr_namet 
attr_valueRRtEOL(Rt splitArgsR<R=RRRtappend(RRWttokenstrtattr((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyt_lexers ( &c Cs |sttjdnd|_d|_d|_d|_d|_d|_ d|_ |j |}|r|dj ddkrttjdni}g}d}x ||j ddko|dgks ||j d}||j d}||j d}|rA|d?kr|ttjd|q|n;|d@krf|dkrw|jrwttjd)q||dkr|jrttjd*q||dAkr|jrttjd+||jfq||d kr|jrttjd,q||d!kr,|j r,ttjd-q||dBkr||j r|ttjd.||j fq|nttjd/|t |dkr|t |d0nd1} | d1kr<| r|r|dkrttjd2q9ttjd3||fq d|kr,ttjd4||fq |jdnx| dkr|dkr|dCkryttjd7|n||_q |r|dkrd8} nd9||f} ttj| q |j|n| dkrs|dDkr|||n|d0}qW|j$dS(LNs empty ruleiRRR[truleRYRZR5taddressRRRR)R'R(sto-portsto-addrR&R-R.R0R8sbad attribute '%s'RPRQtservices icmp-blocks icmp-typeR*s forward-ports source-portRSRTtaccepttdroptrejecttmarkR/tnottNOTsmore than one 'source' elements#more than one 'destination' elementsFmore than one element. There cannot be both '%s' and '%s' in one rule.smore than one 'log' elementsmore than one 'audit' elementsOmore than one 'action' element. There cannot be both '%s' and '%s' in one rule.sunknown element %siRs0'family' outside of rule. Use 'rule family=...'.s:'%s' outside of any element. Use 'rule %s= ...'.s,'%s' outside of rule. Use 'rule ... %s ...'.R2R3sH'family' attribute cannot have '%s' value. Use 'ipv4' or 'ipv6' instead.sdwrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'.sDattribute '%s' outside of any element. 
Use 'rule %s= ...'.sinvalid 'protocol' elementsinvalid 'service' elementsinvalid 'icmp-block' elementsinvalid 'icmp-type' elementsinvalid 'limit' element(sfamilyRcsmacsipsetsinvertsvaluesportsprotocolsto-portsto-addrsnamesprefixslevelstypesset(Rbssources destinationsprotocolRdsports icmp-blocks icmp-types masquerades forward-ports source-portslogsauditReRfRgsmarkslimitRiRjsEOL(sprotocolRdsports icmp-blocks icmp-types masquerades forward-ports source-port(ReRfRgsmark(sipv4sipv6(Rcsmacsipsetsinvert(RiRj(Rcsinvert(RiRj(sportsprotocol(sportsprotocolsto-portsto-addr(sportsprotocol(sprefixslevel(%RRRRR5RPRQRRRSRTRURatgetR=R]tTrueRR%tpoptclearRRRRRRRR RR R R RR RRR7( RRWR^tattrst in_elementstindexRRRYRZt in_elementterr_msg((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRV.st       +  "%,               ?        $            $                 <      $       0                      $             cCs |jdk r6|jdkr6ttj|jn|jdkr|jdk rf|jjdk su|jdk rttjnt |j t krttjqn|j dkr|j dkrttj dn|jdkr|jdkrttj dqnt |j tt tgkr}|jdkr}|jdkr}|j dkr}ttj dq}n|jdk r|jjdk rL|jdkrttjn|jjdk rttj dn|jjdk r ttj dntj|j|jjsttjt|jjqq|jjdk r|jjdk rttj dntj|jjsttjt|jjqq|jjdk rt|jjsttjt|jjqqttj d n|jdk r|jdkrKttjn|jjdksytj|j|jj rttjt|jjqnt |j tkr|j jdkst|j jd kr>ttjt|j jq>n>t |j t krutj!|j j"sEttj#|j j"n|j j$dkr>ttj%|j j$q>nt |j t&krtj'|j j(s>ttj%|j j(q>nt |j tkr/|j dk rttj dn|jdk r>|jjdk r>ttj dq>nt |j tkr|j jdksnt|j jd krttj)t|j jn|j r>ttj dq>nt |j t*kr|j jdkst|j jd kr>ttj)t|j jq>n+t |j t krtj!|j j"sXttj#|j j"n|j j$dkrttj%|j j$n|j j+dkr|j j,dkrttj#|j j+n|j j+dkrtj!|j j+ rttj#|j j+n|j j,dkrPtj-|j|j j, rPttj|j j,n|jdkrqttjn|j dk r>ttj dq>nt |j t.kr tj!|j j"sttj#|j j"n|j j$d kr>ttj%|j j$q>n1|j dk r>ttj dt |j n|jdk r|jj/r|jj/d!krttj0|jj/n|jj1dk r|jj1j2qn|jdk r! t |j t3t4t5gkrttj6t |j n|jj1dk r! |jj1j2q! 
n|j dk r t |j t4kr[ |j j2|jn%t |j t7kr |j j2n|j j1dk r |j j1j2q ndS("NR2R3sno element, no actions%no element, no source, no destinationsno action, no log, no auditsaddress and macsaddress and ipsets mac and ipsetsinvalid sourceittcptudptsctptdccpsmasquerade and actionsmasquerade and mac sourcesicmp-block and actionRsforward-port and actionsUnknown element %stemergtalerttcritterrortwarningtnoticetinfotdebug(sipv4sipv6(RtRuRvRw(RtRuRvRw(RtRuRvRw(RxRyRzserrorR|R}sinfosdebug(8R5RRRtINVALID_FAMILYRPRRQtMISSING_FAMILYR0RRR RURRRRSRTRRRt check_addresst INVALID_ADDRROt check_mact INVALID_MACRt INVALID_IPSETRR&R=tINVALID_SERVICERt check_portR't INVALID_PORTR(tINVALID_PROTOCOLRt checkProtocolR)tINVALID_ICMPTYPERR+R,tcheck_single_addressRR.tINVALID_LOG_LEVELR/R7R R RtINVALID_AUDIT_TYPER(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR7 s! $$$ $*$!*! *$$     cCsd}|jr#|d|j7}n|jr@|d|j7}n|jr]|d|j7}n|jrz|d|j7}n|jr|d|j7}n|jr|d|j7}n|jr|d|j7}ntjrtj |S|S(NRbs family="%s"s %s( R5RPRQRRRSRTRURtPY2tu2b(RR!((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"s        N(R#R$RR RaRVR7R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s   N(t__all__tfirewallRtfirewall.core.ipsetRtfirewall.core.baseRRtfirewall.errorsRtobjectRRRRRRRRRR R R R R RRRR(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyts8       1core/watcher.py000064400000006234147576556050007534 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2012-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. 
# # You should have received a copy of the GNU General Public License # along with this program. If not, see . # __all__ = [ "Watcher" ] from gi.repository import Gio, GLib class Watcher(object): def __init__(self, callback, timeout): self._callback = callback self._timeout = timeout self._monitors = { } self._timeouts = { } self._blocked = [ ] def add_watch_dir(self, directory): gfile = Gio.File.new_for_path(directory) self._monitors[directory] = gfile.monitor_directory(\ Gio.FileMonitorFlags.NONE, None) self._monitors[directory].connect("changed", self._file_changed_cb) def add_watch_file(self, filename): gfile = Gio.File.new_for_path(filename) self._monitors[filename] = gfile.monitor_file(\ Gio.FileMonitorFlags.NONE, None) self._monitors[filename].connect("changed", self._file_changed_cb) def get_watches(self): return self._monitors.keys() def has_watch(self, filename): return filename in self._monitors def remove_watch(self, filename): del self._monitors[filename] def block_source(self, filename): if filename not in self._blocked: self._blocked.append(filename) def unblock_source(self, filename): if filename in self._blocked: self._blocked.remove(filename) def clear_timeouts(self): for filename in list(self._timeouts.keys()): GLib.source_remove(self._timeouts[filename]) del self._timeouts[filename] def _call_callback(self, filename): if filename not in self._blocked: self._callback(filename) del self._timeouts[filename] def _file_changed_cb(self, monitor, gio_file, gio_other_file, event): filename = gio_file.get_parse_name() if filename in self._blocked: if filename in self._timeouts: GLib.source_remove(self._timeouts[filename]) del self._timeouts[filename] return if event == Gio.FileMonitorEvent.CHANGED or \ event == Gio.FileMonitorEvent.CREATED or \ event == Gio.FileMonitorEvent.DELETED or \ event == Gio.FileMonitorEvent.ATTRIBUTE_CHANGED: if filename in self._timeouts: GLib.source_remove(self._timeouts[filename]) del self._timeouts[filename] 
self._timeouts[filename] = GLib.timeout_add_seconds(\ self._timeout, self._call_callback, filename) core/fw_ifcfg.py000064400000005002147576556050007641 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2010-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # """Functions to search for and change ifcfg files""" __all__ = [ "search_ifcfg_of_interface", "ifcfg_set_zone_of_interface" ] import os import os.path from firewall import config from firewall.core.logger import log from firewall.core.io.ifcfg import ifcfg def search_ifcfg_of_interface(interface): """search ifcfg file for the interface in config.IFCFGDIR""" # Return quickly if config.IFCFGDIR does not exist if not os.path.exists(config.IFCFGDIR): return None for filename in sorted(os.listdir(config.IFCFGDIR)): if not filename.startswith("ifcfg-"): continue for ignored in [ ".bak", ".orig", ".rpmnew", ".rpmorig", ".rpmsave", "-range" ]: if filename.endswith(ignored): continue if "." 
in filename: continue ifcfg_file = ifcfg("%s/%s" % (config.IFCFGDIR, filename)) ifcfg_file.read() if ifcfg_file.get("DEVICE") == interface: return ifcfg_file # Wasn't found above, so assume filename matches the device we want filename = "%s/ifcfg-%s" % (config.IFCFGDIR, interface) if os.path.exists(filename): ifcfg_file = ifcfg(filename) ifcfg_file.read() return ifcfg_file return None def ifcfg_set_zone_of_interface(zone, interface): """Set zone (ZONE=) in the ifcfg file that uses the interface (DEVICE=)""" if zone is None: zone = "" ifcfg_file = search_ifcfg_of_interface(interface) if ifcfg_file is not None and ifcfg_file.get("ZONE") != zone and not \ (ifcfg_file.get("ZONE") is None and zone == ""): log.debug1("Setting ZONE=%s in '%s'" % (zone, ifcfg_file.filename)) ifcfg_file.set("ZONE", zone) ifcfg_file.write() core/fw.pyc000064400000075261147576556050006664 0ustar00 c`c@sdgZddlZddlZddlZddlZddlZddlmZddlm Z ddl m Z ddl m Z ddl m Z ddl mZdd l mZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddl m!Z!ddl"m#Z#ddl$m%Z%ddl&m'Z'ddl(m)Z)ddl*m+Z+ddl,m-Z-m.Z.ddl/m0Z0ddl1m2Z2ddlm3Z3ddl4m5Z5de6fdYZ7dS(tFirewalliN(tconfig(t functions(t ipXtables(tebtables(tnftables(tipset(tmodules(tFirewallIcmpType(tFirewallService(t FirewallZone(tFirewallDirect(tFirewallConfig(tFirewallPolicies(t FirewallIPSet(tFirewallTransaction(tFirewallHelper(tlog(tfirewalld_conf(tDirect(tservice_reader(ticmptype_reader(t zone_readertZone(t ipset_reader(t helper_reader(terrors(t FirewallErrorcBseZdZdZdZdZdZdZeedZ dZ edZ d Z d Z d Zd Zd ZdZdZdZdZdZdZdZdZedZedZedZedZdZdZdZ dZ!dZ"dZ#d Z$d!Z%d"Z&d#Z'd$Z(d%Z)ed&Z*d'Z+d(Z,d)Z-d*Z.d+Z/d,Z0d-Z1d.Z2d/Z3d0Z4RS(1cCs@ttj|_tj||_t|_g|_ tj ||_ t|_ g|_ tj|_t|_tj|_t|_g|_tj||_t|_tj|_t||_t||_t||_t ||_!t"||_t#|_$t%||_t&||_'|j(dS(N()RRtFIREWALLD_CONFt_firewalld_confRt ip4tablestip4tables_backendtTruetip4tables_enabledtip4tables_supported_icmp_typest ip6tablestip6tables_backendtip6tables_enabledtip6tables_supported_icmp_typesRtebtables_backendtebtables_enabledRt ipset_backendt 
ipset_enabledtipset_supported_typesRtnftables_backendtnftables_enabledRtmodules_backendRticmptypeR tserviceR tzoneR tdirectR R tpoliciesRRthelpert_Firewall__init_vars(tself((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt__init__?s0         cCshd|j|j|j|j|j|j|j|j|j|j |j |j |j |j |j|jfS(Ns>%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)(t __class__R!R%R(t_statet_panict _default_zonet_module_refcountt_markst _min_marktcleanup_on_exittipv6_rpfilter_enabledR*t_individual_callst _log_deniedt_automatic_helpers(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt__repr__]scCsd|_t|_d|_i|_g|_tj|_tj |_ tj |_ tj |_tj|_tj|_tj|_d|_tj|_dS(NtINITti(R9tFalseR:R;R<R=RtFALLBACK_MINIMAL_MARKR>tFALLBACK_CLEANUP_ON_EXITR?tFALLBACK_IPV6_RPFILTERR@tFALLBACK_INDIVIDUAL_CALLSRAtFALLBACK_LOG_DENIEDRBtFALLBACK_AUTOMATIC_HELPERSRCtFALLBACK_FIREWALL_BACKENDt_firewall_backendtnf_conntrack_helper_settingtFALLBACK_ALLOW_ZONE_DRIFTINGt_allow_zone_drifting(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt __init_varsfs             cCs|jS(N(RA(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytindividual_callswscCs|jr=d|jdjkr=tjdt|_n|jrzd|jdjkrztjdt|_n|jrd|jdjkrtjdt|_n|j r|j r|j rtj dt j d ndS( Ntfiltertipv4s-iptables not usable, disabling IPv4 firewall.tipv6s.ip6tables not usable, disabling IPv6 firewall.tebs8ebtables not usable, disabling ethernet bridge firewall.sNo IPv4 and IPv6 firewall.i( R!tget_backend_by_ipvtget_available_tablesRtwarningRGR%R(R-tfataltsystexit(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt _check_tableszs            cCsy|jjWn0tk rCtjdt|_g|_nX|jj|_|j j |j j s|j j rtjdqtjdt|_ n|j r|j j|_n g|_|jj |jj s|jj rtjdqtjdt|_n|jr7|jj|_n g|_|jj |jj s|jj rutjdqtjdt|_n|jr|j r|jj rtjdndS( Ns4ipset not usable, disabling ipset usage in firewall.sFiptables-restore is missing, using individual calls for IPv4 firewall.sCiptables-restore and iptables are missing, disabling IPv4 firewall.sGip6tables-restore is missing, using individual 
calls for IPv6 firewall.sEip6tables-restore and ip6tables are missing, disabling IPv6 firewall.sHebtables-restore is missing, using individual calls for bridge firewall.sEebtables-restore and ebtables are missing, disabling bridge firewall.sSebtables-restore is not supporting the --noflush option, will therefore not be used(R)tset_listt ValueErrorRR[RGR*R+tset_supported_typesRt fill_existstrestore_command_existstcommand_existsR!tsupported_icmp_typesR"R$R%R&R'R(RAtrestore_noflush_optiontdebug1(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt _start_checksD                        cCsw tj}tjdtjy|jjWn-tk r\}tj|tjdnX|jj dr|jj d}n|jj drt |jj d|_ n|jj dr|jj d}|dk r|j d<krt|_ntjd|jn|jj d r|jj d }|dk r|j d=krtjd y|jjWqtk rqXqn|jj d r|jj d }|dk r|j d>krt|_n|j d?krt|_qqn|jrtjdn tjd|jj dr|jj d}|dk r|j d@krtjdt|_qn|jj dr|jj d}|dks|j dkrd|_q|j |_tjd|jn|jj dr|jj d}|dk r|j dAkrId|_n-|j dBkrgd |_n|j |_tjd|jqn|jj dr|jj d}|j dCkrt|_nt|_tjdtjd|jn|jjtj|j|j|j|jtjdy|jjjWn]tk r}|jj rtj!d|jjj"|qtjd|jjj"|nX|jj#tj|j|j$tj%d|j$tj&d|j$tj'd|j$tj(dt)|j*j+dkrGtj!dn|j$tj,d |j$tj-d |j$tj.d!|j$tj/d!t)|j0j1dkrtj!d"n|j$tj2d#|j$tj3d#t)|j4j5dkrtj6d$t7j8d%nt}xEd&d'd(gD]4}||j4j5kr2tj6d)|t}q2q2W|rt7j8d%n||j4j5krd*|j4j5krd*}n$d+|j4j5krd+}nd&}tj!d,|||}ntjd-|t9tj:} t;j<j=tj:rxtjd.tj:y| jWqxtk rt}tj!d/tj:|qxXn|j>j?| |jj@tj| |jAd0gt\} }| dkrtjd1|n|jd2krtBjC|jd kntBjD|_E|jFtjGdkr>tHjH} ntI|} |jJd3| |rf|s~|jKr|jLjMr| jNt| jOn|r|rtjd4|jPjQn|jRd3| | jNt| jO|jKr |jLjMr tjd5|jLjSntjd6|jTd3| tjd7|j4jUd3| |jV||_W|j4jXd|jWd3| | jNt| jO|j>jYr: tjd8|j>jZ| y| jNt| jOWq: tk r# } t| j[d9| j\r | j\nd:q: tk r6 q: Xn~ tjGd%krs tHjH}tj]d;|| ndS(DNs"Loading firewalld config file '%s's0Using fallback firewalld configuration settings.t DefaultZonet MinimalMarkt CleanupOnExittnotfalsesCleanupOnExit is set to '%s'tLockdowntyesttruesLockdown is enabledt IPv6_rpfiltersIPv6 rpfilter is enabledsIPV6 rpfilter is disabledtIndividualCallssIndividualCalls is enabledt LogDeniedtoffsLogDenied is set to 
'%s'tAutomaticHelperssAutomaticHelpers is set to '%s'tAllowZoneDriftingsAllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.s AllowZoneDrifting is set to '%s'sLoading lockdown whitelists*Failed to load lockdown whitelist '%s': %sRR/isNo icmptypes found.R4R0sNo services found.R1sNo zones found.itblocktdropttrustedsZone '%s' is not available.tpublictexternals+Default zone '%s' is not valid. Using '%s'.sUsing default zone '%s'sLoading direct rules file '%s's)Failed to load direct rules file '%s': %st nf_conntracks&Failed to load nf_conntrack module: %stsystemtuse_transactionsUnloading firewall modulessApplying ipsetssApplying default rule setsApplying used zoness2Applying direct chains rules and passthrough ruless Direct: %sRFs%Flushing and applying took %f seconds(RmRn(syesRq(RmRn(syesRq(syesRq(RmRn(syesRq(RmRn(^Rt FALLBACK_ZONERRhRRtreadt ExceptionR[tgettintR>tNonetlowerRGR?R3tenable_lockdownRR@R RARBRCRRtset_firewalld_conftcopytdeepcopyt_select_firewall_backendRORitlockdown_whitelisttquery_lockdownterrortfilenamet set_policiest_loadertFIREWALLD_IPSETStETC_FIREWALLD_IPSETStFIREWALLD_ICMPTYPEStETC_FIREWALLD_ICMPTYPEStlenR/t get_icmptypestFIREWALLD_HELPERStETC_FIREWALLD_HELPERStFIREWALLD_SERVICEStETC_FIREWALLD_SERVICESR0t get_servicestFIREWALLD_ZONEStETC_FIREWALLD_ZONESR1t get_zonesR\R]R^RtFIREWALLD_DIRECTtostpathtexistsR2tset_permanent_configt set_directthandle_modulesRtset_nf_conntrack_helper_settingtget_nf_conntrack_helper_settingRPR_tgetDebugLogLevelttimeRtflushR*Rt has_ipsetstexecutetclearR.tunload_firewall_modulestapply_default_tablest apply_ipsetstapply_default_rulest apply_zonest check_zoneR;tchange_default_zonethas_configurationt apply_directtcodetmsgtdebug2(R6treloadtcomplete_reloadt default_zoneRtvalueRtzR1tobjtstatusttm1t transactiontettm2((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt_startsR                                                     
 +   cCsUy|jWn*tk r:d|_|jdnXd|_|jddS(NtFAILEDtACCEPTtRUNNING(RRR9t set_policy(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytstarts    c Cstjj|sdS|r|jtjr}|dkr}t}tjj||_|j |j||_t |_ qt }nx[t tj |D]D}|jds|jtjr|dkrtjjd||fr|jd||f|dtqqnd||f}tjd||yP|dkrAt||}|j|jjkr|jj|j}tjd||j|j|j|jj|jn!|jjtjrt|_ ny|jj|Wn3tk r$} tjd|jt| fnX|jjtj|nE|d krt||}|j|j j!kr|j j"|j}tjd||j|j|j|j j#|jn!|jjtjrt|_ n|j j$||jj$tj|nx|dkrt%||d |}|rzdtjj|tjj|d d !f|_|j |jntj|} |j|j&j'kr#|j&j(|j}|j&j)|j|j*rtjd ||j|||j+|qMtjd||j|j|jn*|jjtjrMt|_ t| _ n|jj,| |rtjd ||j|||j+|q|j&j,|n|dkrt-||}|j|j.j/kr"|j.j0|j}tjd||j|j|j|j.j1|jn!|jjtjrCt|_ ny|j.j2|Wn3tk r} tj3d|jt| fnX|jj2tj|n|dkrvt4||}|j|j5j6kr)|j5j7|j}tjd||j|j|j|j5j8|jn!|jjtjrJt|_ n|j5j9||jj9tj|ntj:d|Wqtk r} tj;d||| qt<k rtj;d||tj=qXqW|r|j*r|j|j&j'kr|j&j(|j}tjd||j|j|jy|j&j)|jWnt<k rlnX|jj>|jn|j&j,|ndS(NR1s.xmls%s/%stcombinesLoading %s file '%s'R/s Overloads %s '%s' ('%s/%s')s%s: %s, ignoring for run-time.R0t no_check_nameiis Combining %s '%s' ('%s/%s')RR4sUnknown reader type %ssFailed to load %s file '%s': %ssFailed to load %s file '%s':s0 Overloading and deactivating %s '%s' ('%s/%s')(?RRtisdirt startswithRt ETC_FIREWALLDRtbasenametnamet check_nameRGtdefaulttsortedtlistdirtendswithRR RRhRR/Rt get_icmptypeRtremove_icmptypet add_icmptypeRtinfo1tstrRRRR0Rt get_servicetremove_servicet add_serviceRR1Rtget_zonet remove_zonetcombinedRtadd_zoneRRt get_ipsetst get_ipsett remove_ipsett add_ipsetR[RR4t get_helperst get_helpert remove_helpert add_helperR\RRt exceptiont forget_zone( R6Rt reader_typeRt combined_zoneRRRtorig_objRt config_objR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRs                                                cCs|jj|jj|jj|jj|jj|jj|jj|jj|j j|j dS(N( R/tcleanupR0R1RR4RR2R3RR5(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRls         cCs>|jr0|j|jd|jjn|jdS(NR(R?RRR.RR(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytstopxs    cCs=|j}x||jkr(|d7}q 
W|jj||S(Ni(R>R=tappend(R6ti((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytnew_marks  cCs|jj|dS(N(R=tremove(R6tmark((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytdel_marksc Cs"d}d}x t|D]\}}|rF|jj|\}}n4|j|dkrbd}n|jj|\}}|dkr|d7}||7}qn|r|jj|d|j|cd7|j|jn|jrZ|j|jn|jrv|j|jn|S(N( R-RR,R!RR%R$R(R'(R6tbackends((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytenabled_backendss    cCszg}|jr"|j|jn|jr>|j|jn|jrZ|j|jn|jrv|j|jn|S(N( R!RRR%R$R(R'R-R,(R6R ((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRs    cCsn|dkrt|}n|}x*|jD]}|j||jq.W|dkrj|jtndS(N(RRR t add_rulestbuild_default_tablesRR (R6RRR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRs  cCs3|dkrt|}n|}x6|jD](}|j|j}|j||q.W|jdr|jd}|jrd|j kr|j t |j |j |j}|j||y|j t Wn#tk r}tjd|nX|j qn|dkr/|j t ndS(NRWtraws+Applying rules for ipv6_rpfilter failed: %s(RRR tbuild_default_rulesRBRR RYR@RZRR Rtbuild_rpfilter_rulesRRR[(R6RRRtrulest ipv6_backendR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRs*     cCs|dkrt|}n|}tjdx0|jD]"}|j}|j||q;W|dkr}|jtndS(NsFlushing rule set( RRRRhRtbuild_flush_rulesRRR (R6RRRR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR+s    cCs|dkrt|}n|}tjd|x3|jD]%}|j|}|j||q>W|dkr|jtndS(NsSetting policy to '%s'( RRRRhR tbuild_set_policy_rulesRRR (R6tpolicyRRRR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR:s  cCs^|s dS|j|}|s8ttjd|n|j|sKdS|j||jS(NRFs'%s' is not a valid backend(RRRRR tset_ruleRB(R6t backend_nametruleR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRKs c Cs\ttd|}|j|}|sCttjd|n|j|sVdS|js|j s|dkrE|j j rExt |D]\}}y|j ||jWqtk r<}tjtjtj|xLt|| D]:}y |j |j||jWqtk r.qXqW|qXqWtS|j||jSdS(Ns'%s' is not a valid backendRFR(tlistRURRRRRR RARdR'RgRRRBRRRht tracebackt format_excRtreversedt reverse_ruleR t set_rules(R6RRt_rulesRRRR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRYs0      cCs|jrttjndS(N(R:RRt PANIC_MODE(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt check_paniczs cCsV|}| 
s|dkr(|j}n||jjkrRttj|n|S(NRF(tget_default_zoneR1RRRt INVALID_ZONE(R6R1t_zone((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR~s cCs(tj|s$ttj|ndS(N(RtcheckInterfaceRRtINVALID_INTERFACE(R6t interface((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytcheck_interfacescCs|jj|dS(N(R0t check_service(R6R0((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR+scCs(tj|s$ttj|ndS(N(Rt check_portRRt INVALID_PORT(R6tport((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR,scCsA|sttjn|dkr=ttjd|ndS(Nttcptudptsctptdccps''%s' not in {'tcp'|'udp'|'sctp'|'dccp'}(R/R0R1R2(RRtMISSING_PROTOCOLtINVALID_PROTOCOL(R6tprotocol((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt check_tcpudps   cCs(tj|s$ttj|ndS(N(RtcheckIPRRt INVALID_ADDR(R6tip((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytcheck_ipscCs||dkr3tj|sxttj|qxnE|dkrftj|sxttj|qxnttjddS(NRVRWs'%s' not in {'ipv4'|'ipv6'}(Rt checkIPnMaskRRR8t checkIP6nMaskR(R6Rtsource((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt check_addresss   cCs|jj|dS(N(R/tcheck_icmptype(R6ticmp((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR?scCs]t|ts.td|t|fnt|dkrYttjd|ndS(Ns%s is %s, expected intis#timeout '%d' is not positive number(t isinstanceRt TypeErrorttypeRRt INVALID_VALUE(R6ttimeout((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt check_timeouts  c Cs9|j}i}x1|jjD] }|jj|d||R?RFRRXRPR\R]R^RdReRgR$Rk(((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR>sd     7      $    !         
K       (8t__all__tos.pathRR]RRRtfirewallRRt firewall.coreRRRRRtfirewall.core.fw_icmptypeRtfirewall.core.fw_serviceR tfirewall.core.fw_zoneR tfirewall.core.fw_directR tfirewall.core.fw_configR tfirewall.core.fw_policiesR tfirewall.core.fw_ipsetRtfirewall.core.fw_transactionRtfirewall.core.fw_helperRtfirewall.core.loggerRtfirewall.core.io.firewalld_confRtfirewall.core.io.directRtfirewall.core.io.serviceRtfirewall.core.io.icmptypeRtfirewall.core.io.zoneRRtfirewall.core.io.ipsetRtfirewall.core.io.helperRRtfirewall.errorsRtobjectR(((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyts@      core/ipXtables.py000064400000137267147576556050010045 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2010-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
# import os.path import copy from firewall.core.base import SHORTCUTS, DEFAULT_ZONE_TARGET from firewall.core.prog import runProg from firewall.core.logger import log from firewall.functions import tempFile, readfile, splitArgs, check_mac, portStr, \ check_single_address, check_address, normalizeIP6 from firewall import config from firewall.errors import FirewallError, INVALID_PASSTHROUGH, INVALID_RULE from firewall.core.rich import Rich_Accept, Rich_Reject, Rich_Drop, Rich_Mark import string BUILT_IN_CHAINS = { "security": [ "INPUT", "OUTPUT", "FORWARD" ], "raw": [ "PREROUTING", "OUTPUT" ], "mangle": [ "PREROUTING", "POSTROUTING", "INPUT", "OUTPUT", "FORWARD" ], "nat": [ "PREROUTING", "POSTROUTING", "OUTPUT" ], "filter": [ "INPUT", "OUTPUT", "FORWARD" ], } DEFAULT_REJECT_TYPE = { "ipv4": "icmp-host-prohibited", "ipv6": "icmp6-adm-prohibited", } ICMP = { "ipv4": "icmp", "ipv6": "ipv6-icmp", } # ipv ebtables also uses this # def common_reverse_rule(args): """ Inverse valid rule """ replace_args = { # Append "-A": "-D", "--append": "--delete", # Insert "-I": "-D", "--insert": "--delete", # New chain "-N": "-X", "--new-chain": "--delete-chain", } ret_args = args[:] for arg in replace_args: try: idx = ret_args.index(arg) except Exception: continue if arg in [ "-I", "--insert" ]: # With insert rulenum, then remove it if it is a number # Opt at position idx, chain at position idx+1, [rulenum] at # position idx+2 try: int(ret_args[idx+2]) except Exception: pass else: ret_args.pop(idx+2) ret_args[idx] = replace_args[arg] return ret_args def common_reverse_passthrough(args): """ Reverse valid passthough rule """ replace_args = { # Append "-A": "-D", "--append": "--delete", # Insert "-I": "-D", "--insert": "--delete", # New chain "-N": "-X", "--new-chain": "--delete-chain", } ret_args = args[:] for x in replace_args: try: idx = ret_args.index(x) except ValueError: continue if x in [ "-I", "--insert" ]: # With insert rulenum, then remove it if it is a number # Opt at position 
idx, chain at position idx+1, [rulenum] at # position idx+2 try: int(ret_args[idx+2]) except ValueError: pass else: ret_args.pop(idx+2) ret_args[idx] = replace_args[x] return ret_args raise FirewallError(INVALID_PASSTHROUGH, "no '-A', '-I' or '-N' arg") # ipv ebtables also uses this # def common_check_passthrough(args): """ Check if passthough rule is valid (only add, insert and new chain rules are allowed) """ args = set(args) not_allowed = set(["-C", "--check", # check rule "-D", "--delete", # delete rule "-R", "--replace", # replace rule "-L", "--list", # list rule "-S", "--list-rules", # print rules "-F", "--flush", # flush rules "-Z", "--zero", # zero rules "-X", "--delete-chain", # delete chain "-P", "--policy", # policy "-E", "--rename-chain"]) # rename chain) # intersection of args and not_allowed is not empty, i.e. # something from args is not allowed if len(args & not_allowed) > 0: raise FirewallError(INVALID_PASSTHROUGH, "arg '%s' is not allowed" % list(args & not_allowed)[0]) # args need to contain one of -A, -I, -N needed = set(["-A", "--append", "-I", "--insert", "-N", "--new-chain"]) # empty intersection of args and needed, i.e. 
# none from args contains any needed command
    if len(args & needed) == 0:
        raise FirewallError(INVALID_PASSTHROUGH, "no '-A', '-I' or '-N' arg")


class ip4tables(object):
    """Backend that renders firewalld rules for iptables.

    Rules are built as token lists (one argv element per item) and applied
    either one at a time through the ``iptables`` binary (``set_rule``) or
    in bulk through ``iptables-restore`` (``set_rules``).  The ``%%...%%``
    placeholders (``%%REJECT%%``, ``%%ICMP%%``, ``%%LOGTYPE%%``,
    ``%%ZONE_SOURCE%%``, ``%%ZONE_INTERFACE%%``) are expanded here, right
    before the rule reaches the command.

    Attributes set in ``__init__``:
      wait_option / restore_wait_option: xtables-lock wait flags detected by
        probing the installed binaries (empty string when unsupported).
      available_tables: tables confirmed to exist, filled lazily by
        ``get_available_tables``.
      zone_source_index_cache: ordered (zone, address) pairs used to compute
        insert positions for source-based zone dispatch rules.
      our_chains: per-table set of chain names created by firewalld.
    """
    ipv = "ipv4"
    name = "ip4tables"
    zones_supported = True

    def __init__(self, fw):
        self._fw = fw
        # Binary paths come from config.COMMANDS, keyed by ipv and
        # "<ipv>-restore".
        self._command = config.COMMANDS[self.ipv]
        self._restore_command = config.COMMANDS["%s-restore" % self.ipv]
        # Both probes run the binaries once at construction time.
        self.wait_option = self._detect_wait_option()
        self.restore_wait_option = self._detect_restore_wait_option()
        self.fill_exists()
        self.available_tables = []
        self.zone_source_index_cache = []
        self.our_chains = {} # chains created by firewalld

    def fill_exists(self):
        """Record whether the iptables and iptables-restore binaries exist."""
        self.command_exists = os.path.exists(self._command)
        self.restore_command_exists = os.path.exists(self._restore_command)

    def __run(self, args):
        """Run the iptables command with *args* and return its output.

        The detected wait option is prepended unless already present.
        Raises ValueError (carrying the command line and output) when the
        process exits non-zero.
        """
        # convert to string list
        if self.wait_option and self.wait_option not in args:
            _args = [self.wait_option] + ["%s" % item for item in args]
        else:
            _args = ["%s" % item for item in args]
        log.debug2("%s: %s %s", self.__class__, self._command, " ".join(_args))
        (status, ret) = runProg(self._command, _args)
        if status != 0:
            raise ValueError("'%s %s' failed: %s" % (self._command,
                                                      " ".join(_args), ret))
        return ret

    def split_value(self, rules, opts=None):
        """Split values combined with commas for options in opts

        For every rule whose option in *opts* is followed by a comma
        separated value, one copy of the rule per list item is emitted
        (iptables-restore does not accept such lists for -s/-d).  Rules
        without a matching option are passed through unchanged.
        """
        if opts is None:
            return rules
        out_rules = [ ]
        for rule in rules:
            processed = False
            for opt in opts:
                try:
                    i = rule.index(opt)
                except ValueError:
                    pass
                else:
                    if len(rule) > i and "," in rule[i+1]:
                        # For all items in the comma separated list in index
                        # i of the rule, a new rule is created with a single
                        # item from this list
                        processed = True
                        items = rule[i+1].split(",")
                        for item in items:
                            _rule = rule[:]
                            _rule[i+1] = item
                            out_rules.append(_rule)
            if not processed:
                out_rules.append(rule)
        return out_rules

    def _rule_replace(self, rule, pattern, replacement):
        """Replace the first token equal to *pattern* with the *replacement* list.

        Modifies *rule* in place; returns True if a replacement happened.
        """
        try:
            i = rule.index(pattern)
        except ValueError:
            return False
        else:
            rule[i:i+1] = replacement
            return True

    def is_chain_builtin(self, ipv, table, chain):
        """Return True if *chain* is a built-in chain of *table* (ipv unused)."""
        return table in BUILT_IN_CHAINS and \
               chain in BUILT_IN_CHAINS[table]

    def build_chain_rules(self, add, table, chain):
        """Return the rule list creating (-N) or deleting (-X) *chain*."""
        rule = [ "-t", table ]
        if add:
            rule.append("-N")
        else:
            rule.append("-X")
        rule.append(chain)
        return [rule]

    def build_rule(self, add, table, chain, index, args):
        """Return an insert (-I at *index*) or delete (-D) rule for *args*."""
        rule = [ "-t", table ]
        if add:
            rule += [ "-I", chain, str(index) ]
        else:
            rule += [ "-D", chain ]
        rule += args
        return rule

    def reverse_rule(self, args):
        return common_reverse_rule(args)

    def check_passthrough(self, args):
        common_check_passthrough(args)

    def reverse_passthrough(self, args):
        return common_reverse_passthrough(args)

    def passthrough_parse_table_chain(self, args):
        """Return (table, chain) named by a passthrough argument list.

        The table defaults to "filter"; the chain is None when no
        -A/-I/-N style option is present.
        """
        table = "filter"
        try:
            i = args.index("-t")
        except ValueError:
            pass
        else:
            # NOTE(review): `>=` allows -t to be the last token, in which
            # case args[i+1] raises IndexError; `len(args) > i+1` is the
            # intended bound.  Same pattern for the chain options below.
            if len(args) >= i+1:
                table = args[i+1]
        chain = None
        for opt in [ "-A", "--append",
                     "-I", "--insert",
                     "-N", "--new-chain" ]:
            try:
                i = args.index(opt)
            except ValueError:
                pass
            else:
                if len(args) >= i+1:
                    chain = args[i+1]
        return (table, chain)

    def _run_replace_zone_source(self, rule, zone_source_index_cache):
        """Expand %%ZONE_SOURCE%% / %%ZONE_INTERFACE%% and fix the insert index.

        Modifies *rule* and *zone_source_index_cache* in place.  For source
        dispatch rules the (zone, address) pair is kept sorted by zone name
        in the cache and its position decides the 1-based "-I" index, so
        that rules are ordered by zone.  Interface dispatch rules go to the
        top when zone drifting is allowed, otherwise after all source rules.
        Rules without either placeholder are left untouched.
        """
        try:
            i = rule.index("%%ZONE_SOURCE%%")
            rule.pop(i)
            zone = rule.pop(i)
            # Positions rely on the layout produced by
            # build_zone_source_address_rules after the two pops:
            # [add_del, chain, "-t", table, "-m", <set|mac>, <opt>, <addr>]
            # or [add_del, chain, "-t", table, <opt>, <addr>].
            if "-m" == rule[4]: # ipset/mac
                zone_source = (zone, rule[7]) # (zone, address)
            else:
                zone_source = (zone, rule[5]) # (zone, address)
        except ValueError:
            try:
                i = rule.index("%%ZONE_INTERFACE%%")
                rule.pop(i)
                zone_source = None
            except ValueError:
                return

        rule_add = True
        if rule[0] in ["-D", "--delete"]:
            rule_add = False

        if zone_source and not rule_add:
            if zone_source in zone_source_index_cache:
                zone_source_index_cache.remove(zone_source)
        elif rule_add:
            if zone_source:
                # order source based dispatch by zone name
                if zone_source not in zone_source_index_cache:
                    zone_source_index_cache.append(zone_source)
                    zone_source_index_cache.sort(key=lambda x: x[0])

                index = zone_source_index_cache.index(zone_source)
            else:
                if self._fw._allow_zone_drifting:
                    index = 0
                else:
                    index = len(zone_source_index_cache)

            # Always an insert here; "-I <chain> <1-based position>".
            rule[0] = "-I"
            rule.insert(2, "%d" % (index + 1))

    def set_rules(self, rules, log_denied):
        """Apply *rules* in one iptables-restore run (non-flushing, "-n").

        Every rule gets its placeholders expanded, its table extracted,
        and whitespace-containing tokens double-quoted; rules are grouped
        per table into a temporary file.  Rules containing %%LOGTYPE%% are
        dropped entirely when *log_denied* is "off".  The zone source index
        cache is only committed after a successful run.  Raises ValueError
        when iptables-restore exits non-zero.
        """
        temp_file = tempFile()

        table_rules = { }
        # Work on a copy so a failed restore does not corrupt the cache.
        zone_source_index_cache = copy.deepcopy(self.zone_source_index_cache)
        for _rule in rules:
            rule = _rule[:]

            # replace %%REJECT%%
            self._rule_replace(rule, "%%REJECT%%", \
                    ["REJECT", "--reject-with", DEFAULT_REJECT_TYPE[self.ipv]])

            # replace %%ICMP%%
            self._rule_replace(rule, "%%ICMP%%", [ICMP[self.ipv]])

            # replace %%LOGTYPE%%
            try:
                i = rule.index("%%LOGTYPE%%")
            except ValueError:
                pass
            else:
                if log_denied == "off":
                    continue
                if log_denied in [ "unicast", "broadcast", "multicast" ]:
                    rule[i:i+1] = [ "-m", "pkttype", "--pkt-type", log_denied ]
                else:
                    rule.pop(i)

            self._run_replace_zone_source(rule, zone_source_index_cache)

            table = "filter"
            # get table form rule
            for opt in [ "-t", "--table" ]:
                try:
                    i = rule.index(opt)
                except ValueError:
                    pass
                else:
                    # NOTE(review): with `>=` a trailing "-t" makes the
                    # second pop raise IndexError.
                    if len(rule) >= i+1:
                        rule.pop(i)
                        table = rule.pop(i)

            # we can not use joinArgs here, because it would use "'" instead
            # of '"' for the start and end of the string, this breaks
            # iptables-restore
            for i in range(len(rule)):
                for c in string.whitespace:
                    if c in rule[i] and not (rule[i].startswith('"') and
                                             rule[i].endswith('"')):
                        rule[i] = '"%s"' % rule[i]

            table_rules.setdefault(table, []).append(rule)

        for table in table_rules:
            rules = table_rules[table]
            rules = self.split_value(rules, [ "-s", "--source" ])
            rules = self.split_value(rules, [ "-d", "--destination" ])

            temp_file.write("*%s\n" % table)
            for rule in rules:
                temp_file.write(" ".join(rule) + "\n")
            temp_file.write("COMMIT\n")

        temp_file.close()

        stat = os.stat(temp_file.name)
        log.debug2("%s: %s %s", self.__class__, self._restore_command,
                   "%s: %d" % (temp_file.name, stat.st_size))
        args = [ ]
        if self.restore_wait_option:
            args.append(self.restore_wait_option)
        args.append("-n")

        # NOTE(review): the temporary file is only unlinked further down;
        # an exception out of runProg leaves it behind (no try/finally).
        (status, ret) = runProg(self._restore_command, args,
                                stdin=temp_file.name)

        if log.getDebugLogLevel() > 2:
            lines = readfile(temp_file.name)
            if lines is not None:
                i = 1
                for line in lines:
                    log.debug3("%8d: %s" % (i, line), nofmt=1, nl=0)
                    if not line.endswith("\n"):
                        log.debug3("", nofmt=1)
                    i += 1

        os.unlink(temp_file.name)

        if status != 0:
            raise ValueError("'%s %s' failed: %s" % (self._restore_command,
                                                      " ".join(args), ret))
        self.zone_source_index_cache = zone_source_index_cache
        return ret

    def set_rule(self, rule, log_denied):
        """Expand placeholders in *rule* (in place) and run it via iptables.

        Returns the command output, or "" when the rule carries
        %%LOGTYPE%% and *log_denied* is "off" (rule not applied).
        Raises ValueError on command failure, in which case the zone
        source index cache is left unchanged.
        """
        # replace %%REJECT%%
        self._rule_replace(rule, "%%REJECT%%", \
                ["REJECT", "--reject-with", DEFAULT_REJECT_TYPE[self.ipv]])

        # replace %%ICMP%%
        self._rule_replace(rule, "%%ICMP%%", [ICMP[self.ipv]])

        # replace %%LOGTYPE%%
        try:
            i = rule.index("%%LOGTYPE%%")
        except ValueError:
            pass
        else:
            if log_denied == "off":
                return ""
            if log_denied in [ "unicast", "broadcast", "multicast" ]:
                rule[i:i+1] = [ "-m", "pkttype", "--pkt-type", log_denied ]
            else:
                rule.pop(i)

        zone_source_index_cache = copy.deepcopy(self.zone_source_index_cache)
        self._run_replace_zone_source(rule, zone_source_index_cache)
        output = self.__run(rule)
        self.zone_source_index_cache = zone_source_index_cache
        return output

    def get_available_tables(self, table=None):
        """Return the subset of *table* (or all built-in tables) that exist.

        Existence is probed once with "-t <table> -L -n" and cached in
        ``available_tables``; a failing probe is logged and the table is
        omitted (a missing table and missing permission look the same).
        """
        ret = []
        tables = [ table ] if table else BUILT_IN_CHAINS.keys()
        for table in tables:
            if table in self.available_tables:
                ret.append(table)
            else:
                try:
                    self.__run(["-t", table, "-L", "-n"])
                    self.available_tables.append(table)
                    ret.append(table)
                except ValueError:
                    log.debug1("%s table '%s' does not exist (or not enough permission to check)." % (self.ipv, table))

        return ret

    def _detect_wait_option(self):
        """Probe which xtables-lock wait flag the iptables binary accepts.

        Returns "-w10", "-w" or "" (oldest binaries without lock support).
        """
        wait_option = ""
        ret = runProg(self._command, ["-w", "-L", "-n"])  # since iptables-1.4.20
        if ret[0] == 0:
            wait_option = "-w"  # wait for xtables lock
            ret = runProg(self._command, ["-w10", "-L", "-n"])  # since iptables > 1.4.21
            if ret[0] == 0:
                wait_option = "-w10"  # wait max 10 seconds
            log.debug2("%s: %s will be using %s option.", self.__class__, self._command, wait_option)
        return wait_option

    def _detect_restore_wait_option(self):
        """Probe which wait flag iptables-restore accepts ("-w", "--wait=2" or "").

        A comment-only temporary file is fed as input; an option counts as
        supported when the exit status is zero and the output does not
        report it as invalid/unrecognized.
        """
        temp_file = tempFile()
        temp_file.write("#foo")
        temp_file.close()

        wait_option = ""
        for test_option in ["-w", "--wait=2"]:
            ret = runProg(self._restore_command, [test_option], stdin=temp_file.name)
            if ret[0] == 0 and "invalid option" not in ret[1] \
                           and "unrecognized option" not in ret[1]:
                wait_option = test_option
                break

        log.debug2("%s: %s will be using %s option.", self.__class__, self._restore_command, wait_option)

        os.unlink(temp_file.name)

        return wait_option

    def build_flush_rules(self):
        """Return -F/-X/-Z rules for every available table; resets the source cache."""
        self.zone_source_index_cache = []
        rules = []
        for table in BUILT_IN_CHAINS.keys():
            if not self.get_available_tables(table):
                continue
            # Flush firewall rules: -F
            # Delete firewall chains: -X
            # Set counter to zero: -Z
            for flag in [ "-F", "-X", "-Z" ]:
                rules.append(["-t", table, flag])
        return rules

    def build_set_policy_rules(self, policy):
        """Return -P rules setting *policy* on every built-in chain except in nat."""
        rules = []
        for table in BUILT_IN_CHAINS.keys():
            if not self.get_available_tables(table):
                continue
            if table == "nat":
                continue
            for chain in BUILT_IN_CHAINS[table]:
                rules.append(["-t", table, "-P", chain, policy])
        return rules

    def supported_icmp_types(self):
        """Return ICMP types that are supported by the iptables/ip6tables command and kernel

        The list is parsed from the "Valid ICMP Types:" section of the
        icmp/ipv6-icmp match --help output; names in parentheses are
        unwrapped, everything is lower-cased and de-duplicated.  A failing
        --help call is logged and yields an empty list.
        """
        ret = [ ]
        output = ""
        try:
            output = self.__run(["-p",
                                 "icmp" if self.ipv == "ipv4" else "ipv6-icmp",
                                 "--help"])
        except ValueError as ex:
            if self.ipv == "ipv4":
                log.debug1("iptables error: %s" % ex)
            else:
                log.debug1("ip6tables error: %s" % ex)
        lines = output.splitlines()

        in_types = False
        for line in lines:
            if in_types:
                line = line.strip().lower()
                splits = line.split()
                for split in splits:
                    if split.startswith("(") and split.endswith(")"):
                        x = split[1:-1]
                    else:
                        x = split
                    if x not in ret:
                        ret.append(x)
            if self.ipv == "ipv4" and line.startswith("Valid ICMP Types:") or \
               self.ipv == "ipv6" and line.startswith("Valid ICMPv6 Types:"):
                in_types = True
        return ret

    def build_default_tables(self):
        # nothing to do, they always exist
        return []

    def build_default_rules(self, log_denied="off"):
        """Return the base chain layout as token lists, one per rule.

        For each available table a ``<chain>_direct`` chain is created and
        hooked into every built-in chain; PREROUTING/POSTROUTING (and
        INPUT/FORWARD in filter) additionally get ``_ZONES`` and, when zone
        drifting is allowed, ``_ZONES_SOURCE`` dispatch chains.  The filter
        table ends with conntrack/loopback accepts, INVALID drops and a
        final %%REJECT%%; LOG rules are only added when *log_denied* is not
        "off".  Chain names are recorded in ``our_chains``.
        """
        default_rules = {}

        if self.get_available_tables("security"):
            default_rules["security"] = [ ]
            self.our_chains["security"] = set()
            for chain in BUILT_IN_CHAINS["security"]:
                default_rules["security"].append("-N %s_direct" % chain)
                default_rules["security"].append("-A %s -j %s_direct" % (chain, chain))
                self.our_chains["security"].add("%s_direct" % chain)

        if self.get_available_tables("raw"):
            default_rules["raw"] = [ ]
            self.our_chains["raw"] = set()
            for chain in BUILT_IN_CHAINS["raw"]:
                default_rules["raw"].append("-N %s_direct" % chain)
                default_rules["raw"].append("-A %s -j %s_direct" % (chain, chain))
                self.our_chains["raw"].add("%s_direct" % chain)

                if chain == "PREROUTING":
                    for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
                        default_rules["raw"].append("-N %s_%s" % (chain, dispatch_suffix))
                        default_rules["raw"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix))
                        self.our_chains["raw"].update(set(["%s_%s" % (chain, dispatch_suffix)]))

        if self.get_available_tables("mangle"):
            default_rules["mangle"] = [ ]
            self.our_chains["mangle"] = set()
            for chain in BUILT_IN_CHAINS["mangle"]:
                default_rules["mangle"].append("-N %s_direct" % chain)
                default_rules["mangle"].append("-A %s -j %s_direct" % (chain, chain))
                self.our_chains["mangle"].add("%s_direct" % chain)

                if chain == "PREROUTING":
                    for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
                        default_rules["mangle"].append("-N %s_%s" % (chain, dispatch_suffix))
                        default_rules["mangle"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix))
                        self.our_chains["mangle"].update(set(["%s_%s" % (chain, dispatch_suffix)]))

        if self.get_available_tables("nat"):
            default_rules["nat"] = [ ]
            self.our_chains["nat"] = set()
            for chain in BUILT_IN_CHAINS["nat"]:
                default_rules["nat"].append("-N %s_direct" % chain)
                default_rules["nat"].append("-A %s -j %s_direct" % (chain, chain))
                self.our_chains["nat"].add("%s_direct" % chain)

                if chain in [ "PREROUTING", "POSTROUTING" ]:
                    for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
                        default_rules["nat"].append("-N %s_%s" % (chain, dispatch_suffix))
                        default_rules["nat"].append("-A %s -j %s_%s" % (chain, chain, dispatch_suffix))
                        self.our_chains["nat"].update(set(["%s_%s" % (chain, dispatch_suffix)]))

        default_rules["filter"] = []
        self.our_chains["filter"] = set()
        default_rules["filter"].append("-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
        default_rules["filter"].append("-A INPUT -i lo -j ACCEPT")
        default_rules["filter"].append("-N INPUT_direct")
        default_rules["filter"].append("-A INPUT -j INPUT_direct")
        # NOTE(review): set("INPUT_direct") is the set of its characters,
        # not {"INPUT_direct"} -- the filter chain names below are never
        # actually recorded in our_chains (the other tables use
        # set([...]) correctly).  Same for every filter .update() here.
        self.our_chains["filter"].update(set("INPUT_direct"))
        for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
            default_rules["filter"].append("-N INPUT_%s" % (dispatch_suffix))
            default_rules["filter"].append("-A INPUT -j INPUT_%s" % (dispatch_suffix))
            self.our_chains["filter"].update(set("INPUT_%s" % (dispatch_suffix)))
        if log_denied != "off":
            default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")
        default_rules["filter"].append("-A INPUT -m conntrack --ctstate INVALID -j DROP")
        if log_denied != "off":
            default_rules["filter"].append("-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: '")
        default_rules["filter"].append("-A INPUT -j %%REJECT%%")

        default_rules["filter"].append("-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT")
        default_rules["filter"].append("-A FORWARD -i lo -j ACCEPT")
        default_rules["filter"].append("-N FORWARD_direct")
        default_rules["filter"].append("-A FORWARD -j FORWARD_direct")
        self.our_chains["filter"].update(set("FORWARD_direct"))
        for direction in ["IN", "OUT"]:
            for dispatch_suffix in ["ZONES_SOURCE", "ZONES"] if self._fw._allow_zone_drifting else ["ZONES"]:
                default_rules["filter"].append("-N FORWARD_%s_%s" % (direction, dispatch_suffix))
                default_rules["filter"].append("-A FORWARD -j FORWARD_%s_%s" % (direction, dispatch_suffix))
                self.our_chains["filter"].update(set("FORWARD_%s_%s" % (direction, dispatch_suffix)))
        if log_denied != "off":
            default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: '")
        default_rules["filter"].append("-A FORWARD -m conntrack --ctstate INVALID -j DROP")
        if log_denied != "off":
            default_rules["filter"].append("-A FORWARD %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: '")
        default_rules["filter"].append("-A FORWARD -j %%REJECT%%")

        # OUTPUT only gets the direct chain; no zone dispatch, no reject.
        default_rules["filter"] += [
            "-N OUTPUT_direct",

            "-A OUTPUT -o lo -j ACCEPT",
            "-A OUTPUT -j OUTPUT_direct",
        ]
        self.our_chains["filter"].update(set("OUTPUT_direct"))

        final_default_rules = []
        for table in default_rules:
            if table not in self.get_available_tables():
                continue
            for rule in default_rules[table]:
                final_default_rules.append(["-t", table] + splitArgs(rule))

        return final_default_rules

    def get_zone_table_chains(self, table):
        """Return the chains of *table* that receive zone dispatch rules.

        mangle dispatch is only used when the nat table is also available.
        Note that the fall-through returns an empty dict, not an empty set.
        """
        if table == "filter":
            return { "INPUT", "FORWARD_IN", "FORWARD_OUT" }
        if table == "mangle":
            if "mangle" in self.get_available_tables() and \
               "nat" in self.get_available_tables():
                return { "PREROUTING" }
        if table == "nat":
            if "nat" in self.get_available_tables():
                return { "PREROUTING", "POSTROUTING" }
        if table == "raw":
            if "raw" in self.get_available_tables():
                return { "PREROUTING" }

        return {}

    def build_zone_source_interface_rules(self, enable, zone, interface,
                                          table, chain, append=False):
        """Return the dispatch rule sending traffic on *interface* to *zone*.

        The rule goes into ``<chain>_ZONES`` and jumps (-g) to the zone
        chain; -i or -o is chosen by *chain*.  Unless *append* is set, the
        %%ZONE_INTERFACE%% marker is kept so _run_replace_zone_source can
        compute the insert position later.
        """
        # handle all zones in the same way here, now
        # trust and block zone targets are handled now in __chain
        opt = {
            "PREROUTING": "-i",
            "POSTROUTING": "-o",
            "INPUT": "-i",
            "FORWARD_IN": "-i",
            "FORWARD_OUT": "-o",
            "OUTPUT": "-o",
        }[chain]

        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
        action = "-g"
        if enable and not append:
            rule = [ "-I", "%s_ZONES" % chain, "%%ZONE_INTERFACE%%" ]
        elif enable:
            rule = [ "-A", "%s_ZONES" % chain ]
        else:
            rule = [ "-D", "%s_ZONES" % chain ]
            if not append:
                rule += ["%%ZONE_INTERFACE%%"]
        rule += [ "-t", table, opt, interface, action, target ]
        return [rule]

    def build_zone_source_address_rules(self, enable, zone,
                                        address, table, chain):
        """Return the dispatch rule binding a source *address* to *zone*.

        *address* may be an IP/network, a MAC, or "ipset:<name>"; IPv6
        addresses are normalized.  MAC matching is source-only, so an
        outgoing chain (-d) with a MAC returns "" instead of a rule list.
        The %%ZONE_SOURCE%% marker plus zone name are consumed later by
        _run_replace_zone_source, which also depends on the token
        positions used here.
        """
        add_del = { True: "-I", False: "-D" }[enable]

        opt = {
            "PREROUTING": "-s",
            "POSTROUTING": "-d",
            "INPUT": "-s",
            "FORWARD_IN": "-s",
            "FORWARD_OUT": "-d",
            "OUTPUT": "-d",
        }[chain]

        if self._fw._allow_zone_drifting:
            zone_dispatch_chain = "%s_ZONES_SOURCE" % (chain)
        else:
            zone_dispatch_chain = "%s_ZONES" % (chain)

        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)
        action = "-g"

        if address.startswith("ipset:"):
            name = address[6:]
            if opt == "-d":
                opt = "dst"
            else:
                opt = "src"
            flags = ",".join([opt] * self._fw.ipset.get_dimension(name))
            rule = [ add_del, zone_dispatch_chain, "%%ZONE_SOURCE%%", zone,
                     "-t", table, "-m", "set", "--match-set", name,
                     flags, action, target ]
        else:
            if check_mac(address):
                # outgoing can not be set
                if opt == "-d":
                    return ""
                rule = [ add_del, zone_dispatch_chain, "%%ZONE_SOURCE%%", zone,
                         "-t", table, "-m", "mac", "--mac-source", address.upper(),
                         action, target ]
            else:
                if check_single_address("ipv6", address):
                    address = normalizeIP6(address)
                elif check_address("ipv6", address):
                    addr_split = address.split("/")
                    address = normalizeIP6(addr_split[0]) + "/" + addr_split[1]
                rule = [ add_del, zone_dispatch_chain, "%%ZONE_SOURCE%%", zone,
                         "-t", table, opt, address, action, target ]
        return [rule]

    def build_zone_chain_rules(self, zone, table, chain):
        """Return rules creating the zone chain and its _log/_deny/_allow sub-chains.

        The zone chain jumps to _log, _deny and _allow in that order.  In
        the filter table a LOG rule (for REJECT/DROP targets, when logging
        of denied packets is on) and a final rule with the zone's own
        target are appended.  The new chain names are added to our_chains.
        """
        _zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain], zone=zone)

        self.our_chains[table].update(set([_zone,
                                      "%s_log" % _zone,
                                      "%s_deny" % _zone,
                                      "%s_allow" % _zone]))

        rules = []
        rules.append([ "-N", _zone, "-t", table ])
        rules.append([ "-N", "%s_log" % _zone, "-t", table ])
        rules.append([ "-N", "%s_deny" % _zone, "-t", table ])
        rules.append([ "-N", "%s_allow" % _zone, "-t", table ])
        rules.append([ "-A", _zone, "-t", table, "-j", "%s_log" % _zone ])
        rules.append([ "-A", _zone, "-t", table, "-j", "%s_deny" % _zone ])
        rules.append([ "-A", _zone, "-t", table, "-j", "%s_allow" % _zone ])

        target = self._fw.zone._zones[zone].target

        if self._fw.get_log_denied() != "off":
            if table == "filter" and \
               chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
                if target in [ "REJECT", "%%REJECT%%" ]:
                    rules.append([ "-A", _zone, "-t", table, "%%LOGTYPE%%",
                                   "-j", "LOG", "--log-prefix",
                                   "\"%s_REJECT: \"" % _zone ])
                if target == "DROP":
                    rules.append([ "-A", _zone, "-t", table, "%%LOGTYPE%%",
                                   "-j", "LOG", "--log-prefix",
                                   "\"%s_DROP: \"" % _zone ])

        # Handle trust, block and drop zones:
        # Add an additional rule with the zone target (accept, reject
        # or drop) to the base zone only in the filter table.
        # Otherwise it is not be possible to have a zone with drop
        # target, that is allowing traffic that is locally initiated
        # or that adds additional rules. (RHBZ#1055190)
        if table == "filter" and \
           target in [ "ACCEPT", "REJECT", "%%REJECT%%", "DROP" ] and \
           chain in [ "INPUT", "FORWARD_IN", "FORWARD_OUT", "OUTPUT" ]:
            rules.append([ "-A", _zone, "-t", table, "-j", target ])

        return rules

    def _rule_limit(self, limit):
        """Return the "-m limit --limit <value>" fragment, or [] if *limit* is falsy."""
        if limit:
            return [ "-m", "limit", "--limit", limit.value ]
        return []

    def _rich_rule_log(self, rich_rule, enable, table, target, rule_fragment):
        """Return the LOG rule for a rich rule's log element, or [] if it has none.

        The rule is added to/deleted from ``<target>_log``.  The prefix is
        wrapped in single quotes here; set_rules later double-quotes any
        token containing whitespace for iptables-restore.
        """
        if not rich_rule.log:
            return []

        add_del = { True: "-A", False: "-D" }[enable]

        rule = [ add_del, "%s_log" % (target), "-t", table]
        rule += rule_fragment + [ "-j", "LOG" ]
        if rich_rule.log.prefix:
            rule += [ "--log-prefix", "'%s'" % rich_rule.log.prefix ]
        if rich_rule.log.level:
            rule += [ "--log-level", "%s" % rich_rule.log.level ]
        rule += self._rule_limit(rich_rule.log.limit)

        return rule

    def _rich_rule_audit(self, rich_rule, enable, table, target, rule_fragment):
        """Return the AUDIT rule for a rich rule's audit element, or [] if none.

        The audit type mirrors the rule's action (accept/reject/drop);
        anything else is reported as "unknown".
        """
        if not rich_rule.audit:
            return []

        add_del = { True: "-A", False: "-D" }[enable]

        rule = [add_del, "%s_log" % (target), "-t", table] + rule_fragment
        if type(rich_rule.action) == Rich_Accept:
            _type = "accept"
        elif type(rich_rule.action) == Rich_Reject:
            _type = "reject"
        elif type(rich_rule.action) ==  Rich_Drop:
            _type = "drop"
        else:
            _type = "unknown"
        rule += [ "-j", "AUDIT", "--type", _type ]
        rule += self._rule_limit(rich_rule.audit.limit)

        return rule

    def _rich_rule_action(self, zone, rich_rule, enable, table, target, rule_fragment):
        """Return the rule implementing a rich rule's action, or [] if it has none.

        Accept goes to ``<target>_allow``, reject/drop to ``<target>_deny``.
        Mark is special: it is placed in the mangle table's PREROUTING
        zone chain regardless of the *table*/*target* passed in.  Raises
        FirewallError(INVALID_RULE) for an unknown action type.
        """
        if not rich_rule.action:
            return []

        add_del = { True: "-A", False: "-D" }[enable]

        if type(rich_rule.action) == Rich_Accept:
            chain = "%s_allow" % target
            rule_action = [ "-j", "ACCEPT" ]
        elif type(rich_rule.action) == Rich_Reject:
            chain = "%s_deny" % target
            rule_action = [ "-j", "REJECT" ]
            if rich_rule.action.type:
                rule_action += [ "--reject-with", rich_rule.action.type ]
        elif type(rich_rule.action) ==  Rich_Drop:
            chain = "%s_deny" % target
            rule_action = [ "-j", "DROP" ]
        elif type(rich_rule.action) == Rich_Mark:
            target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
                                                zone=zone)
            table = "mangle"
            chain = "%s_allow" % target
            rule_action = [ "-j", "MARK", "--set-xmark", rich_rule.action.set ]
        else:
            raise FirewallError(INVALID_RULE,
                                "Unknown action %s" % type(rich_rule.action))

        rule = [ add_del, chain, "-t", table ]
        rule += rule_fragment + rule_action
        rule += self._rule_limit(rich_rule.action.limit)

        return rule

    def _rich_rule_destination_fragment(self, rich_dest):
        """Return the "-d <addr>" match (with optional "!") for a rich destination.

        IPv6 addresses and networks are normalized; [] when *rich_dest* is falsy.
        """
        if not rich_dest:
            return []

        rule_fragment = []
        if rich_dest.invert:
            rule_fragment.append("!")
        if check_single_address("ipv6", rich_dest.addr):
            rule_fragment += [ "-d", normalizeIP6(rich_dest.addr) ]
        elif check_address("ipv6", rich_dest.addr):
            addr_split = rich_dest.addr.split("/")
            rule_fragment += [ "-d", normalizeIP6(addr_split[0]) + "/" + addr_split[1] ]
        else:
            rule_fragment += [ "-d", rich_dest.addr ]

        return rule_fragment

    def _rich_rule_source_fragment(self, rich_source):
        """Return the source match for a rich source: -s, mac or set match.

        Exactly one of addr / mac / ipset is honoured, in that order; the
        "!" is placed so that the match module option is inverted, not the
        "-m" itself.  [] when *rich_source* is falsy.
        """
        if not rich_source:
            return []

        rule_fragment = []
        if rich_source.addr:
            if rich_source.invert:
                rule_fragment.append("!")
            if check_single_address("ipv6", rich_source.addr):
                rule_fragment += [ "-s", normalizeIP6(rich_source.addr) ]
            elif check_address("ipv6", rich_source.addr):
                addr_split = rich_source.addr.split("/")
                rule_fragment += [ "-s", normalizeIP6(addr_split[0]) + "/" + addr_split[1] ]
            else:
                rule_fragment += [ "-s", rich_source.addr ]
        elif hasattr(rich_source, "mac") and rich_source.mac:
            rule_fragment += [ "-m", "mac" ]
            if rich_source.invert:
                rule_fragment.append("!")
            rule_fragment += [ "--mac-source", rich_source.mac ]
        elif hasattr(rich_source, "ipset") and rich_source.ipset:
            rule_fragment += [ "-m", "set" ]
            if rich_source.invert:
                rule_fragment.append("!")
            flags = self._fw.zone._ipset_match_flags(rich_source.ipset, "src")
            rule_fragment += [ "--match-set", rich_source.ipset, flags ]

        return rule_fragment

    def build_zone_ports_rules(self, enable, zone, proto, port, destination=None, rich_rule=None):
        """Return INPUT zone rules accepting *proto*/*port* (destination port).

        Without a rich rule a single ACCEPT in ``<zone>_allow`` is returned;
        with one, the log, audit and action rules (any of which may be the
        empty list).  Non-mark rules are restricted to NEW,UNTRACKED
        conntrack states.
        """
        add_del = { True: "-A", False: "-D" }[enable]
        table = "filter"
        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone)

        rule_fragment = [ "-p", proto ]
        if port:
            rule_fragment += [ "--dport", "%s" % portStr(port) ]
        if destination:
            rule_fragment += [ "-d", destination ]
        if rich_rule:
            rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
            rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
        if not rich_rule or type(rich_rule.action) != Rich_Mark:
            rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]

        rules = []
        if rich_rule:
            rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment))
            rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment))
            rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment))
        else:
            rules.append([add_del, "%s_allow" % (target), "-t", table] +
                         rule_fragment + [ "-j", "ACCEPT" ])

        return rules

    def build_zone_protocol_rules(self, enable, zone, protocol, destination=None, rich_rule=None):
        """Return INPUT zone rules for a whole IP *protocol* (same shape as ports rules)."""
        add_del = { True: "-A", False: "-D" }[enable]
        table = "filter"
        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone)

        rule_fragment = [ "-p", protocol ]
        if destination:
            rule_fragment += [ "-d", destination ]
        if rich_rule:
            rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
            rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
        if not rich_rule or type(rich_rule.action) != Rich_Mark:
            rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]

        rules = []
        if rich_rule:
            rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment))
            rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment))
            rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment))
        else:
            rules.append([add_del, "%s_allow" % (target), "-t", table] +
                         rule_fragment + [ "-j", "ACCEPT" ])

        return rules

    def build_zone_source_ports_rules(self, enable, zone, proto, port,
                                      destination=None, rich_rule=None):
        """Return INPUT zone rules matching the *source* port (--sport)."""
        add_del = { True: "-A", False: "-D" }[enable]
        table = "filter"
        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone)

        rule_fragment = [ "-p", proto ]
        if port:
            rule_fragment += [ "--sport", "%s" % portStr(port) ]
        if destination:
            rule_fragment += [ "-d", destination ]
        if rich_rule:
            rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
            rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
        if not rich_rule or type(rich_rule.action) != Rich_Mark:
            rule_fragment += [ "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]

        rules = []
        if rich_rule:
            rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment))
            rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment))
            rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment))
        else:
            rules.append([add_del, "%s_allow" % (target), "-t", table] +
                         rule_fragment + [ "-j", "ACCEPT" ])

        return rules

    def build_zone_helper_ports_rules(self, enable, zone, proto, port,
                                      destination, helper_name, module_short_name):
        """Return the raw-table CT rule attaching a conntrack helper to *proto*/*port*.

        *helper_name* is accepted for interface compatibility but only
        *module_short_name* is passed to "--helper".
        """
        add_del = { True: "-A", False: "-D" }[enable]
        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
                                            zone=zone)
        rule = [ add_del, "%s_allow" % (target), "-t", "raw", "-p", proto ]
        if port:
            rule += [ "--dport", "%s" % portStr(port) ]
        if destination:
            rule += [ "-d",  destination ]
        rule += [ "-j", "CT", "--helper", module_short_name ]

        return [rule]

    def build_zone_masquerade_rules(self, enable, zone, rich_rule=None):
        """Return the nat MASQUERADE rule (not on lo) plus the FORWARD_OUT accept.

        Rich rule source/destination fragments are applied to both rules.
        """
        add_del = { True: "-A", False: "-D" }[enable]

        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["POSTROUTING"],
                                            zone=zone)
        rule_fragment = []
        if rich_rule:
            rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
            rule_fragment += self._rich_rule_source_fragment(rich_rule.source)

        rules = []
        rules.append([ add_del, "%s_allow" % (target), "-t", "nat" ]
                     + rule_fragment +
                     [ "!", "-o", "lo", "-j", "MASQUERADE" ])

        # FORWARD_OUT
        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["FORWARD_OUT"],
                                            zone=zone)
        rule_fragment = []
        if rich_rule:
            rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
            rule_fragment += self._rich_rule_source_fragment(rich_rule.source)

        rules.append([ add_del, "%s_allow" % (target), "-t", "filter"]
                     + rule_fragment +
                     ["-m", "conntrack", "--ctstate", "NEW,UNTRACKED", "-j", "ACCEPT" ])

        return rules

    def build_zone_forward_port_rules(self, enable, zone, filter_chain, port,
                                      protocol, toport, toaddr, mark_id, rich_rule=None):
        """Return the three (or four) rules implementing a port forward.

        Matching packets are MARKed in mangle PREROUTING with *mark_id*,
        DNATed in nat by that mark to "[toaddr]:toport" (IPv6 addresses
        are bracketed and normalized; either part may be empty), and
        accepted in the filter chain *filter_chain*.  A rich rule adds a
        LOG rule in front and its source/destination matches.
        """
        add_del = { True: "-A", False: "-D" }[enable]

        mark_str = "0x%x" % mark_id
        mark = [ "-m", "mark", "--mark", mark_str ]

        to = ""
        if toaddr:
            if check_single_address("ipv6", toaddr):
                to += "[%s]" % normalizeIP6(toaddr)
            else:
                to += toaddr

        if toport and toport != "":
            to += ":%s" % portStr(toport, "-")

        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["PREROUTING"],
                                            zone=zone)
        rule_fragment = [ "-p", protocol, "--dport", portStr(port) ]
        if rich_rule:
            rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
            rule_fragment += self._rich_rule_source_fragment(rich_rule.source)

        rules = []
        if rich_rule:
            rules.append(self._rich_rule_log(rich_rule, enable, "mangle", target, rule_fragment))
        rules.append([ add_del, "%s_allow" % (target), "-t", "mangle"]
                     + rule_fragment +
                     [ "-j", "MARK", "--set-mark", mark_str ])

        # local and remote
        rules.append([ add_del, "%s_allow" % (target), "-t", "nat",
                       "-p", protocol ] + mark +
                     [ "-j", "DNAT", "--to-destination", to ])

        target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[filter_chain],
                                            zone=zone)
        rules.append([ add_del, "%s_allow" % (target), "-t", "filter",
                       "-m", "conntrack", "--ctstate", "NEW,UNTRACKED" ]
                     + mark + [ "-j", "ACCEPT" ])

        return rules

    def build_zone_icmp_block_rules(self, enable, zone, ict, rich_rule=None):
        """Return the rules blocking ICMP type *ict* in INPUT and FORWARD_IN.

        When the zone has ICMP block inversion enabled, the listed type is
        ACCEPTed in ``_allow`` instead of rejected in ``_deny``.  Without a
        rich rule a LOG rule precedes the reject when logging of denied
        packets is on; with one, the rich log/audit/action rules are used
        (an action-less rich rule still rejects).
        """
        table = "filter"
        add_del = { True: "-A", False: "-D" }[enable]

        if self.ipv == "ipv4":
            proto = [ "-p", "icmp" ]
            match = [ "-m", "icmp", "--icmp-type", ict.name ]
        else:
            proto = [ "-p", "ipv6-icmp" ]
            match = [ "-m", "icmp6", "--icmpv6-type", ict.name ]

        rules = []
        for chain in ["INPUT", "FORWARD_IN"]:
            target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
                                                zone=zone)
            if self._fw.zone.query_icmp_block_inversion(zone):
                final_chain = "%s_allow" % target
                final_target = "ACCEPT"
            else:
                final_chain = "%s_deny" % target
                final_target = "%%REJECT%%"

            rule_fragment = []
            if rich_rule:
                rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination)
                rule_fragment += self._rich_rule_source_fragment(rich_rule.source)
            rule_fragment += proto + match

            if rich_rule:
                rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment))
                rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment))
                if rich_rule.action:
                    rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment))
                else:
                    rules.append([ add_del, "%s_deny" % target, "-t", table ]
                                 + rule_fragment +
                                 [ "-j", "%%REJECT%%" ])
            else:
                if self._fw.get_log_denied() != "off" and final_target != "ACCEPT":
                    rules.append([ add_del, final_chain, "-t", table ]
                                 + rule_fragment +
                                 [ "%%LOGTYPE%%", "-j", "LOG",
                                   "--log-prefix", "\"%s_ICMP_BLOCK: \"" % zone ])
                rules.append([ add_del, final_chain, "-t", table ]
                             + rule_fragment +
                             [ "-j", final_target ])

        return rules

    def build_zone_icmp_block_inversion_rules(self, enable, zone):
        """Return the catch-all ICMP rule(s) for INPUT and FORWARD_IN zone chains.

        With inversion on, all ICMP not explicitly allowed is %%REJECT%%ed
        (preceded by a LOG rule when logging of denied packets is on);
        otherwise all ICMP is ACCEPTed.  Rules are inserted at position 4,
        i.e. after the _log/_deny/_allow jumps added by
        build_zone_chain_rules.  The method body continues past this point.
        """
        table = "filter"
        rules = []
        for chain in [ "INPUT", "FORWARD_IN" ]:
            rule_idx = 4
            _zone = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS[chain],
                                               zone=zone)

            if self._fw.zone.query_icmp_block_inversion(zone):
                ibi_target = "%%REJECT%%"

                if self._fw.get_log_denied() != "off":
                    if enable:
                        rule = [ "-I", _zone, str(rule_idx) ]
                    else:
                        rule = [ "-D", _zone ]

                    rule = rule + [ "-t", table, "-p", "%%ICMP%%",
                                    "%%LOGTYPE%%",
                                    "-j", "LOG", "--log-prefix",
                                    "\"%s_ICMP_BLOCK: \"" % _zone ]
                    rules.append(rule)
                    rule_idx += 1
            else:
                ibi_target = "ACCEPT"

            if enable:
                rule = [ "-I", _zone, str(rule_idx) ]
            else:
                rule = [ "-D", _zone ]
            rule = rule + [ "-t", table,
"-p", "%%ICMP%%", "-j", ibi_target ] rules.append(rule) return rules def build_zone_rich_source_destination_rules(self, enable, zone, rich_rule): table = "filter" target = DEFAULT_ZONE_TARGET.format(chain=SHORTCUTS["INPUT"], zone=zone) rule_fragment = [] rule_fragment += self._rich_rule_destination_fragment(rich_rule.destination) rule_fragment += self._rich_rule_source_fragment(rich_rule.source) rules = [] rules.append(self._rich_rule_log(rich_rule, enable, table, target, rule_fragment)) rules.append(self._rich_rule_audit(rich_rule, enable, table, target, rule_fragment)) rules.append(self._rich_rule_action(zone, rich_rule, enable, table, target, rule_fragment)) return rules def is_ipv_supported(self, ipv): return ipv == self.ipv class ip6tables(ip4tables): ipv = "ipv6" name = "ip6tables" def build_rpfilter_rules(self, log_denied=False): rules = [] rules.append([ "-I", "PREROUTING", "-t", "raw", "-m", "rpfilter", "--invert", "-j", "DROP" ]) if log_denied != "off": rules.append([ "-I", "PREROUTING", "-t", "raw", "-m", "rpfilter", "--invert", "-j", "LOG", "--log-prefix", "rpfilter_DROP: " ]) rules.append([ "-I", "PREROUTING", "-t", "raw", "-p", "ipv6-icmp", "--icmpv6-type=neighbour-solicitation", "-j", "ACCEPT" ]) # RHBZ#1575431, kernel bug in 4.16-4.17 rules.append([ "-I", "PREROUTING", "-t", "raw", "-p", "ipv6-icmp", "--icmpv6-type=router-advertisement", "-j", "ACCEPT" ]) # RHBZ#1058505 return rules core/fw_transaction.pyo000064400000025725147576556050011305 0ustar00 c`c@sdZddgZddlmZddlmZddlmZddlm Z de fd YZ de fd YZ de fd YZ d S( s!Transaction classes for firewalldtFirewallTransactiontFirewallZoneTransactioni(tlog(terrors(t FirewallError(tLastUpdatedOrderedDicttSimpleFirewallTransactioncBseZdZdZdZdZdZdZdZdZ dZ d Z ddd Z d Zd Zd ZRS(s>Base class for FirewallTransaction and FirewallZoneTransactioncCs1||_i|_g|_g|_g|_dS(N(tfwtrulest pre_funcst post_funcst fail_funcs(tselfR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt__init__"s     
cCs&|jj|j2|j2|j2dS(N(RtclearR R R (R ((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR)s cCs#|jj|jgj|dS(N(Rt setdefaulttnametappend(R tbackendtrule((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytadd_rule/scCs%x|D]}|j||qWdS(N(R(R RRR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt add_rules2s cCs&|j|jko%||j|jkS(N(RR(R RR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt query_rule6scCsF|j|jkrB||j|jkrB|j|jj|ndS(N(RRtremove(R RR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt remove_rule9s(cGs|jj||fdS(N(R R(R tfunctargs((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytadd_pre=scGs|jj||fdS(N(R R(R RR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytadd_post@scGs|jj||fdS(N(R R(R RR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytadd_failCscCstjdt||df|dkr5i}n|dkrJg}n|sx|jD]R}xIt|j|D]4}|j|gj|jj |j |qtWqZWn4x1|jD]&}|j|gj |j|qW||fS(Ns%s.prepare(%s, %s)s...( Rtdebug4ttypetNoneRtreversedRRRtget_backend_by_namet reverse_ruletextend(R tenableRtmodulest backend_nameR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytprepareFs     '$cCs1tjdt||f|j|\}}|jt}d}g}xe|D]]}y|jj|||Wn,tk r}t }|}tj |qUX|j |qUW|s|jj ||} | r| \} }| rtj |qqn|r#i} xY|D]Q}g| |t||D],} | |j |jj|j| q3WqWxL| D]D}y|jj|| |Wqntk r}tj |qnXqnWxU|jD]J\} }y| |Wqtk r }tj d| ||fqXqWttj|n|jdS(Ns%s.execute(%s)ts#Calling fail func %s(%s) failed: %s(RRRR(tpretFalseRRt ExceptiontTrueterrorRthandle_modulestdebug1R!R"R#R RRtCOMMAND_FAILEDtpost(R R%RR&R.terrorMsgtdoneR'tmsgt module_returntstatust undo_rulesRRR((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytexecuteZsP      $  cCsstjdt|xU|jD]J\}}y||Wq!tk rj}tjd|||fq!Xq!WdS(Ns%s.pre()s"Calling pre func %s(%s) failed: %s(RRRR R,R.(R RRR5((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR*s cCsstjdt|xU|jD]J\}}y||Wq!tk rj}tjd|||fq!Xq!WdS(Ns %s.post()s#Calling post func %s(%s) 
failed: %s(RRRR R,R.(R RRR5((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR2s N(t__name__t __module__t__doc__R RRRRRRRRR R(R9R*R2(((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyRs          = cBsJeZdZdZdZdZdddZdZdZ RS(s<General FirewallTransaction, contains also zone transactionscCs&tt|j|t|_dS(N(tsuperRR Rtzone_transactions(R R((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR scCs$tt|j|jjdS(N(R=RRR>(R ((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyRscCs9||jkr.t|j|||j|RR(R tzone((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytzone_transactionscCstjdt||dftt|j|||\}}x|jD]}yR|j|j||x4|j|jD]"}||kr|j|qqWWqNt k r}tj dt |qNXqNW||fS(Ns%s.prepare(%s, %s)s...s1Failed to prepare transaction rules for zone '%s'( RRRR=RR(R>R&RRR.tstr(R R%RR&R?tmoduleR5((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR(s   cCsStjdt|tt|jx"|jD]}|j|jq4WdS(Ns%s.pre()(RRRR=RR*R>(R R?((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR*scCsStjdt|tt|jx"|jD]}|j|jq4WdS(Ns %s.post()(RRRR=RR2R>(R R?((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR2sN( R:R;R<R RR@R R(R*R2(((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyRs    cBseZdZd dZdZd d dZdZdZdZ dZ dZ d Z d Z d Zd ZRS(s;Zone transaction with additional chain and module interfacecCs>tt|j|||_||_g|_g|_dS(N(R=RR R?tfw_transactiontchainsR&(R RR?RC((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR s    cCs|jr~tt|jjx}|jjjD]E}tt|jj|j|jj|j2|jj|j2q2Wn!tt|j|j2|j2dS(N( RCR=RRR>tkeysRRDR&(R R?((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyRs cCs~tjdt||dftt|j|||\}}x-|jD]"}||krN|j|qNqNW||fS(Ns%s.prepare(%s, %s)s...(RRRR=RR(R&R(R R%RR&RB((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR(s  cCs6|jr|jj|ntt|j|dS(N(RCR9R=R(R R%((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyR9s 
cCsT||f}||jkrP|jjj|jt|g||jj|ndS(N(RDRR?tgen_chain_rulesR-R(R ttabletchaint table_chain((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt add_chains "cCs2||f}||jkr.|jj|ndS(N(RDR(R RGRHRI((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt remove_chains cCs?x8|D]0}||jkr|j|d|dqqWdS(Nii(RDRJ(R RDRI((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt add_chainss cCs7x0|D](}||jkr|jj|qqWdS(N(RDR(R RDRI((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt remove_chains s cCs&||jkr"|jj|ndS(N(R&R(R RB((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt add_module%scCs&||jkr"|jj|ndS(N(R&R(R RB((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt remove_module)scCs"x|D]}|j|qWdS(N(RN(R R&RB((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyt add_modules-s cCs"x|D]}|j|qWdS(N(RO(R R&RB((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pytremove_modules1s N(R:R;R<R R RR(R9RJRKRLRMRNRORPRQ(((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyRs         N(R<t__all__tfirewall.core.loggerRtfirewallRtfirewall.errorsRtfirewall.fw_typesRtobjectRRR(((s@/usr/lib/python2.7/site-packages/firewall/core/fw_transaction.pyts 5core/fw_nm.pyo000064400000013667147576556050007374 0ustar00 c`c@sWdZddddddddgZd d lZd d lmZyejd d Wnek rmeZnAXyd dlm Z e ZWn#e eej fk reZnXd ad dlmZd dlmZd dlmZd d lZdZdZdZdZdZdZdZdZdZdZdZ d S(s(Functions for NetworkManager interactiontcheck_nm_importedtnm_is_importedtnm_get_zone_of_connectiontnm_set_zone_of_connectiontnm_get_connectionstnm_get_connection_of_interfacetnm_get_bus_nametnm_get_dbus_interfaceiN(tGLibtNMs1.0(R (terrors(t FirewallError(tlogcCststtjdndS(sNCheck function to raise a MISSING_IMPORT error if the import of NM failed sgi.repository.NM = 1.0N(t _nm_importedR R tMISSING_IMPORT(((s7/usr/lib/python2.7/site-packages/firewall/core/fw_nm.pyR0scCstS(snReturns true if NM has been properly imported @return True if 
import was successful, False otherwirse (R (((s7/usr/lib/python2.7/site-packages/firewall/core/fw_nm.pyR6scCststjjdantS(sReturns the NM client object or None if the import of NM failed @return NM.Client instance if import was successful, None otherwise N(t _nm_clientR tClienttnewtNone(((s7/usr/lib/python2.7/site-packages/firewall/core/fw_nm.pyt nm_get_client<scCsttj|}|dkr)dS|j}|dkrEdSy(|jtjjtjj B@rldSWn!t k r|j rdSnX|j }|dkrd}n|S(sGet zone of connection from NM @param connection name @return zone string setting of connection, empty string if not set, None if connection is unknown tN( RRtget_connection_by_uuidRtget_setting_connectiont get_flagsR tSettingsConnectionFlagst NM_GENERATEDt NM_VOLATILEtAttributeErrort get_unsavedtget_zone(t connectiontcont setting_contzone((s7/usr/lib/python2.7/site-packages/firewall/core/fw_nm.pyREs$        cCszttj|}|dkr)tS|j}|dkrEtS|dkrZd}n|jd||jtdS(sSet the zone for a connection @param zone name @param connection name @return True if zone was set, else False RR!N( RRRRtFalseRt set_propertytcommit_changestTrue(R!RRR ((s7/usr/lib/python2.7/site-packages/firewall/core/fw_nm.pyRcs     cCs|j|jttj}xo|D]g}|jrIq1n|j}|j}|j}|||s>               core/fw_zone.py000064400000227153147576556050007553 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2011-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
#

import time
from firewall.core.base import SHORTCUTS, DEFAULT_ZONE_TARGET, \
    ZONE_SOURCE_IPSET_TYPES
from firewall.core.logger import log
from firewall.functions import portStr, checkIPnMask, checkIP6nMask, \
    checkProtocol, enable_ip_forwarding, check_single_address, check_mac, \
    portInPortRange, get_nf_conntrack_short_name
from firewall.core.rich import Rich_Rule, Rich_Accept, \
    Rich_Mark, Rich_Service, Rich_Port, Rich_Protocol, \
    Rich_Masquerade, Rich_ForwardPort, Rich_SourcePort, Rich_IcmpBlock, \
    Rich_IcmpType
from firewall.core.fw_transaction import FirewallTransaction, \
    FirewallZoneTransaction
from firewall import errors
from firewall.errors import FirewallError
from firewall.fw_types import LastUpdatedOrderedDict


class FirewallZone(object):
    """Runtime zone handling for the firewalld core.

    Keeps the loaded zone objects (``self._zones``, keyed by zone name) and
    the zone-specific chains created so far (``self._chains``, keyed by
    zone, then table).  Every add_*/remove_* method follows the same
    pattern: validate, reject panic mode, build or reuse a zone
    transaction, emit rules only if the zone is currently applied, and
    register the item in ``obj.settings`` with an undo hook
    (``add_fail`` / ``add_post``) so a failed transaction leaves the
    bookkeeping consistent.
    """

    def __init__(self, fw):
        # fw is the owning Firewall object; all checks (check_zone,
        # check_panic, ...) and rule backends are reached through it.
        self._fw = fw
        self._chains = { }
        self._zones = { }

    def __repr__(self):
        return '%s(%r, %r)' % (self.__class__, self._chains, self._zones)

    def cleanup(self):
        """Drop all zone objects and chain bookkeeping (no rules are removed)."""
        self._chains.clear()
        self._zones.clear()

    # transaction

    def new_transaction(self):
        """Return a fresh firewall-wide transaction."""
        return FirewallTransaction(self._fw)

    def new_zone_transaction(self, zone):
        """Return a fresh transaction scoped to *zone*."""
        return FirewallZoneTransaction(self._fw, zone)

    # zones

    def get_zones(self):
        """Return the sorted list of loaded zone names."""
        return sorted(self._zones.keys())

    def get_zone_of_interface(self, interface):
        """Return the zone *interface* is bound to, or None.

        Raises FirewallError (via check_interface) for an invalid name.
        """
        interface_id = self.__interface_id(interface)
        for zone in self._zones:
            if interface_id in self._zones[zone].settings["interfaces"]:
                # an interface can only be part of one zone
                return zone
        return None

    def get_zone_of_source(self, source):
        """Return the zone *source* is bound to, or None.

        Raises FirewallError (via check_source) for an invalid address.
        """
        source_id = self.__source_id(source)
        for zone in self._zones:
            if source_id in self._zones[zone].settings["sources"]:
                # a source_id can only be part of one zone
                return zone
        return None

    def get_zone(self, zone):
        """Return the zone object; check_zone raises for unknown names."""
        z = self._fw.check_zone(zone)
        return self._zones[z]

    def _error2warning(self, f, name, *args, **kwargs):
        # transform errors into warnings
        # Used while applying whole zones: one bad item (missing service,
        # invalid port, ...) is logged and skipped instead of aborting
        # the rest of the zone.  Only FirewallError is downgraded.
        try:
            f(name, *args, **kwargs)
        except FirewallError as error:
            msg = str(error)
            log.warning("%s: %s" % (name, msg))

    def add_zone(self, obj):
        """Register a zone object and give it an empty runtime settings table."""
        obj.settings = { x : LastUpdatedOrderedDict()
                         for x in [ "interfaces", "sources",
                                    "services", "ports",
                                    "masquerade", "forward_ports",
                                    "source_ports",
                                    "icmp_blocks", "rules",
                                    "protocols", "icmp_block_inversion" ] }
        self._zones[obj.name] = obj

    def remove_zone(self, zone):
        """Unapply (if applied) and forget a zone."""
        obj = self._zones[zone]
        if obj.applied:
            self.unapply_zone_settings(zone)
        obj.settings.clear()
        del self._zones[zone]

    def apply_zones(self, use_transaction=None):
        """Load the permanent configuration of every zone into the runtime.

        Each item is added through _error2warning, so a broken entry is
        logged and skipped.  A zone is marked applied (and its rules
        emitted) only if it has at least one interface or source.  When
        *use_transaction* is None the transaction is executed here,
        otherwise the caller owns it.
        """
        if use_transaction is None:
            transaction = self.new_transaction()
        else:
            transaction = use_transaction

        for zone in self.get_zones():
            obj = self._zones[zone]
            zone_transaction = transaction.zone_transaction(zone)

            # register icmp block inversion setting but don't apply
            if obj.icmp_block_inversion:
                self._error2warning(self.add_icmp_block_inversion, obj.name,
                                    use_zone_transaction=zone_transaction)

            if len(obj.interfaces) > 0 or len(obj.sources) > 0:
                obj.applied = True
                log.debug1("Applying zone '%s'", obj.name)

            # load zone in case of missing services, icmptypes etc.
            for args in obj.icmp_blocks:
                self._error2warning(self.add_icmp_block, obj.name, args,
                                    use_zone_transaction=zone_transaction)
            for args in obj.forward_ports:
                self._error2warning(self.add_forward_port, obj.name, *args,
                                    use_zone_transaction=zone_transaction)
            for args in obj.services:
                self._error2warning(self.add_service, obj.name, args,
                                    use_zone_transaction=zone_transaction)
            for args in obj.ports:
                self._error2warning(self.add_port, obj.name, *args,
                                    use_zone_transaction=zone_transaction)
            for args in obj.protocols:
                self._error2warning(self.add_protocol, obj.name, args,
                                    use_zone_transaction=zone_transaction)
            for args in obj.source_ports:
                self._error2warning(self.add_source_port, obj.name, *args,
                                    use_zone_transaction=zone_transaction)
            if obj.masquerade:
                self._error2warning(self.add_masquerade, obj.name,
                                    use_zone_transaction=zone_transaction)
            for args in obj.rules:
                self._error2warning(self.add_rule, obj.name, args,
                                    use_zone_transaction=zone_transaction)
            for args in obj.interfaces:
                self._error2warning(self.add_interface, obj.name, args,
                                    use_zone_transaction=zone_transaction)
            for args in obj.sources:
                self._error2warning(self.add_source, obj.name, args,
                                    use_zone_transaction=zone_transaction)

            # apply icmp accept/reject rule always
            if obj.applied:
                self._error2warning(self._icmp_block_inversion, True,
                                    obj.name, zone_transaction)

        if use_transaction is None:
            transaction.execute(True)

    def set_zone_applied(self, zone, applied):
        """Set the applied flag; registered as an add_fail undo hook."""
        obj = self._zones[zone]
        obj.applied = applied

    # zone from chain

    def zone_from_chain(self, chain):
        """Map a zone chain name back to (zone, base_chain), or None.

        Accepts ``<shortcut>_<zone>`` and ``<shortcut>_<zone>_<suffix>``
        with suffix in log/deny/allow; anything else is not a zone chain.
        """
        if "_" not in chain:
            # no zone chain
            return None
        splits = chain.split("_")
        if len(splits) < 2:
            return None
        _chain = None
        for x in SHORTCUTS:
            if splits[0] == SHORTCUTS[x]:
                _chain = x
        if _chain is not None:
            # next part needs to be zone name
            if splits[1] not in self.get_zones():
                return None
            if len(splits) == 2 or \
               (len(splits) == 3 and splits[2] in [ "log", "deny", "allow" ]):
                return (splits[1], _chain)
        return None

    def create_zone_base_by_chain(self, ipv, table, chain,
                                  use_transaction=None):
        # Create zone base chains if the chain is reserved for a zone
        # Only ipv4/ipv6 are handled here; other families are ignored.
        if ipv in [ "ipv4", "ipv6" ]:
            x = self.zone_from_chain(chain)
            if x is not None:
                (_zone, _chain) = x
                if use_transaction is None:
                    transaction = self.new_transaction()
                else:
                    transaction = use_transaction
                self.gen_chain_rules(_zone, True, [(table, _chain)], transaction)
                if use_transaction is None:
                    transaction.execute(True)

    # dynamic chain handling

    def _register_chains(self, zone, create, chains):
        # this method is used by FirewallZoneTransaction
        # Bookkeeping only: records which zone chains exist per table so
        # they can be torn down later.  Empty table/zone entries are
        # pruned on removal.
        for (table, chain) in chains:
            if create:
                self._chains.setdefault(zone, { }).setdefault(table, [ ]).append(chain)
            else:
                self._chains[zone][table].remove(chain)
                if len(self._chains[zone][table]) == 0:
                    del self._chains[zone][table]
                if len(self._chains[zone]) == 0:
                    del self._chains[zone]

    # settings

    # generate settings record with sender, timeout, mark
    def __gen_settings(self, timeout, sender, mark=None):
        # "date" is wall-clock time; presumably combined with "timeout"
        # elsewhere to expire runtime entries -- confirm against caller.
        # "mark" is only recorded when set (forward ports / rich rules).
        ret = {
            "date": time.time(),
            "sender": sender,
            "timeout": timeout,
        }
        if mark:
            ret["mark"] = mark
        return ret

    def get_settings(self, zone):
        """Return the runtime settings table of *zone*."""
        return self.get_zone(zone).settings

    def set_settings(self, zone, settings):
        """Re-add previously exported runtime settings to *zone*.

        Entries already present are left untouched; re-added entries get
        their saved date/sender/timeout record restored.  A FirewallError
        stops the restore and is logged as a warning.
        """
        _obj = self.get_zone(zone)
        try:
            for key in settings:
                for args in settings[key]:
                    if args in _obj.settings[key]:
                        # do not add things, that are already active in the
                        # zone configuration, also do not restore date,
                        # sender and timeout
                        continue
                    if key == "icmp_blocks":
                        self.add_icmp_block(zone, args)
                    elif key == "forward_ports":
                        self.add_forward_port(zone, *args)
                    elif key == "services":
                        self.add_service(zone, args)
                    elif key == "ports":
                        self.add_port(zone, *args)
                    elif key == "protocols":
                        # NOTE(review): protocol ids are plain strings
                        # (see __protocol_id) and apply_zones passes them
                        # unpacked-free; the * here looks inconsistent --
                        # verify what settings["protocols"] holds.
                        self.add_protocol(zone, *args)
                    elif key == "source_ports":
                        self.add_source_port(zone, *args)
                    elif key == "masquerade":
                        self.add_masquerade(zone)
                    elif key == "rules":
                        self.add_rule(zone, Rich_Rule(rule_str=args))
                    elif key == "interfaces":
                        self.change_zone_of_interface(zone, args)
                    elif key == "sources":
                        self.change_zone_of_source(zone, args)
                    else:
                        log.warning("Zone '%s': Unknown setting '%s:%s', "
                                    "unable to restore.", zone, key, args)
                    # restore old date, sender and timeout
                    if args in _obj.settings[key]:
                        _obj.settings[key][args] = settings[key][args]
        except FirewallError as msg:
            log.warning(str(msg))

    def __zone_settings(self, enable, zone, use_zone_transaction=None):
        # Emit (enable=True) or withdraw (enable=False) the rules for every
        # registered runtime setting of a zone.  No-op if the zone is
        # already in the requested state.  Per-item FirewallErrors are
        # logged and skipped; the ICMP block-inversion rule is always
        # (re)added on enable.
        _zone = self._fw.check_zone(zone)
        obj = self._zones[_zone]
        if (enable and obj.applied) or (not enable and not obj.applied):
            return
        if enable:
            obj.applied = True

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(zone)
        else:
            zone_transaction = use_zone_transaction

        settings = self.get_settings(zone)
        for key in settings:
            for args in settings[key]:
                try:
                    if key == "icmp_blocks":
                        self._icmp_block(enable, _zone, args, zone_transaction)
                    elif key == "icmp_block_inversion":
                        continue
                    elif key == "forward_ports":
                        mark = obj.settings["forward_ports"][args]["mark"]
                        self._forward_port(enable, _zone, zone_transaction,
                                           *args, mark_id=mark)
                    elif key == "services":
                        self._service(enable, _zone, args, zone_transaction)
                    elif key == "ports":
                        self._port(enable, _zone, args[0], args[1],
                                   zone_transaction)
                    elif key == "protocols":
                        self._protocol(enable, _zone, args, zone_transaction)
                    elif key == "source_ports":
                        self._source_port(enable, _zone, args[0], args[1],
                                          zone_transaction)
                    elif key == "masquerade":
                        self._masquerade(enable, _zone, zone_transaction)
                    elif key == "rules":
                        if "mark" in obj.settings["rules"][args]:
                            mark = obj.settings["rules"][args]["mark"]
                        else:
                            mark = None
                        self.__rule(enable, _zone,
                                    Rich_Rule(rule_str=args), mark,
                                    zone_transaction)
                    elif key == "interfaces":
                        self._interface(enable, _zone, args, zone_transaction)
                    elif key == "sources":
                        self._source(enable, _zone, args[0], args[1],
                                     zone_transaction)
                    else:
                        log.warning("Zone '%s': Unknown setting '%s:%s', "
                                    "unable to apply", zone, key, args)
                except FirewallError as msg:
                    log.warning(str(msg))

        if enable:
            # add icmp rule(s) always
            self._icmp_block_inversion(True, obj.name, zone_transaction)

        if use_zone_transaction is None:
            zone_transaction.execute(enable)

    def apply_zone_settings(self, zone, use_zone_transaction=None):
        """Emit the rules for all runtime settings of *zone*."""
        self.__zone_settings(True, zone, use_zone_transaction)

    def unapply_zone_settings(self, zone, use_zone_transaction=None):
        """Withdraw the rules for all runtime settings of *zone*."""
        self.__zone_settings(False, zone, use_zone_transaction)

    def unapply_zone_settings_if_unused(self, zone):
        """Unapply *zone* when it has neither interfaces nor sources."""
        obj = self._zones[zone]
        if len(obj.interfaces) == 0 and len(obj.sources) == 0:
            self.unapply_zone_settings(zone)

    def get_config_with_settings(self, zone):
        """
        :return: exported config updated with runtime settings

        Positions 5..15 of the exported tuple are overwritten with the
        runtime lists; a DEFAULT_ZONE_TARGET at index 4 is reported as
        the literal "default".
        """
        conf = list(self.get_zone(zone).export_config())
        if conf[4] == DEFAULT_ZONE_TARGET:
            conf[4] = "default"
        conf[5] = self.list_services(zone)
        conf[6] = self.list_ports(zone)
        conf[7] = self.list_icmp_blocks(zone)
        conf[8] = self.query_masquerade(zone)
        conf[9] = self.list_forward_ports(zone)
        conf[10] = self.list_interfaces(zone)
        conf[11] = self.list_sources(zone)
        conf[12] = self.list_rules(zone)
        conf[13] = self.list_protocols(zone)
        conf[14] = self.list_source_ports(zone)
        conf[15] = self.query_icmp_block_inversion(zone)
        return tuple(conf)

    # INTERFACES

    def check_interface(self, interface):
        """Delegate interface-name validation to the Firewall object."""
        self._fw.check_interface(interface)

    def interface_get_sender(self, zone, interface):
        """Return the D-Bus sender recorded for an interface binding, or None."""
        _zone = self._fw.check_zone(zone)
        _obj = self._zones[_zone]
        interface_id = self.__interface_id(interface)

        if interface_id in _obj.settings["interfaces"]:
            settings = _obj.settings["interfaces"][interface_id]
            if "sender" in settings and settings["sender"] is not None:
                return settings["sender"]

        return None

    def __interface_id(self, interface):
        # The settings key for an interface is the validated name itself.
        self.check_interface(interface)
        return interface

    def add_interface(self, zone, interface, sender=None,
                      use_zone_transaction=None):
        """Bind *interface* to *zone*; returns the resolved zone name.

        Raises FirewallError: PANIC_MODE (via check_panic),
        ZONE_ALREADY_SET if already bound to this zone, ZONE_CONFLICT if
        bound to another zone.  Applying the zone lazily on first binding
        is undone (set_zone_applied False) if the transaction fails.
        """
        self._fw.check_panic()
        _zone = self._fw.check_zone(zone)
        _obj = self._zones[_zone]

        interface_id = self.__interface_id(interface)
        if interface_id in _obj.settings["interfaces"]:
            raise FirewallError(errors.ZONE_ALREADY_SET,
                                "'%s' already bound to '%s'" % (interface,
                                                                zone))
        if self.get_zone_of_interface(interface) is not None:
            raise FirewallError(errors.ZONE_CONFLICT,
                                "'%s' already bound to a zone" % interface)

        log.debug1("Setting zone of interface '%s' to '%s'" % (interface,
                                                               _zone))

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if not _obj.applied:
            self.apply_zone_settings(zone,
                                     use_zone_transaction=zone_transaction)
            zone_transaction.add_fail(self.set_zone_applied, _zone, False)

        self._interface(True, _zone, interface, zone_transaction)

        self.__register_interface(_obj, interface_id, zone, sender)
        zone_transaction.add_fail(self.__unregister_interface, _obj,
                                  interface_id)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __register_interface(self, _obj, interface_id, zone, sender):
        # Interface bindings never time out (timeout 0).
        _obj.settings["interfaces"][interface_id] = \
            self.__gen_settings(0, sender)
        # add information whether we add to default or specific zone
        _obj.settings["interfaces"][interface_id]["__default__"] = \
            (not zone or zone == "")

    def change_zone_of_interface(self, zone, interface, sender=None):
        """Move *interface* to *zone*, removing it from its old zone first.

        Returns the zone the interface ends up in (unchanged if it was
        already there).
        """
        self._fw.check_panic()
        _old_zone = self.get_zone_of_interface(interface)
        _new_zone = self._fw.check_zone(zone)

        if _new_zone == _old_zone:
            return _old_zone

        if _old_zone is not None:
            self.remove_interface(_old_zone, interface)

        _zone = self.add_interface(zone, interface, sender)

        return _zone

    def change_default_zone(self, old_zone, new_zone, use_transaction=None):
        """Switch the catch-all ("+") interface rules from old_zone to new_zone."""
        self._fw.check_panic()

        if use_transaction is None:
            transaction = self.new_transaction()
        else:
            transaction = use_transaction

        zone_transaction = transaction.zone_transaction(new_zone)
        self.apply_zone_settings(new_zone, zone_transaction)
        # "+" is the wildcard interface used for the default zone.
        self._interface(True, new_zone, "+", zone_transaction, append=True)
        if old_zone is not None and old_zone != "":
            zone_transaction = transaction.zone_transaction(old_zone)
            self._interface(False, old_zone, "+", zone_transaction,
                            append=True)

        if use_transaction is None:
            transaction.execute(True)

    def remove_interface(self, zone, interface,
                         use_zone_transaction=None):
        """Unbind *interface*; an empty *zone* means "whatever zone it is in".

        Raises FirewallError: UNKNOWN_INTERFACE if not bound anywhere,
        ZONE_CONFLICT if bound to a different zone than requested.
        """
        self._fw.check_panic()
        zoi = self.get_zone_of_interface(interface)
        if zoi is None:
            raise FirewallError(errors.UNKNOWN_INTERFACE,
                                "'%s' is not in any zone" % interface)
        _zone = zoi if zone == "" else self._fw.check_zone(zone)
        if zoi != _zone:
            raise FirewallError(errors.ZONE_CONFLICT,
                                "remove_interface(%s, %s): zoi='%s'" % \
                                (zone, interface, zoi))

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        _obj = self._zones[_zone]
        interface_id = self.__interface_id(interface)
        self._interface(False, _zone, interface, zone_transaction)

        # Bookkeeping is dropped only after the rules are gone (add_post).
        zone_transaction.add_post(self.__unregister_interface, _obj,
                                  interface_id)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

#        self.unapply_zone_settings_if_unused(_zone)
        return _zone

    def __unregister_interface(self, _obj, interface_id):
        if interface_id in _obj.settings["interfaces"]:
            del _obj.settings["interfaces"][interface_id]

    def query_interface(self, zone, interface):
        """True if *interface* is bound to *zone*."""
        return self.__interface_id(interface) in self.get_settings(zone)["interfaces"]

    def list_interfaces(self, zone):
        """Interface names bound to *zone* (a dict keys view, not a list)."""
        return self.get_settings(zone)["interfaces"].keys()

    # SOURCES

    def check_source(self, source):
        """Validate a source and return its family: "ipv4", "ipv6", or "" for MAC.

        ``ipset:<name>`` sources are validated against the ipset type and
        applied state and return the ipset's family.  Raises
        FirewallError(INVALID_ADDR) otherwise.
        """
        if checkIPnMask(source):
            return "ipv4"
        elif checkIP6nMask(source):
            return "ipv6"
        elif check_mac(source):
            return ""
        elif source.startswith("ipset:"):
            # source[6:] strips the "ipset:" prefix
            self._check_ipset_type_for_source(source[6:])
            self._check_ipset_applied(source[6:])
            return self._ipset_family(source[6:])
        else:
            raise FirewallError(errors.INVALID_ADDR, source)

    def __source_id(self, source):
        # Settings key is (family, source); the family comes from
        # check_source so the same string cannot be both v4 and v6.
        ipv = self.check_source(source)
        return (ipv, source)

    def add_source(self, zone, source, sender=None, use_zone_transaction=None):
        """Bind a source address/MAC/ipset to *zone*; returns the zone name.

        MAC sources are normalised to upper case before lookup.  Raises
        FirewallError: ZONE_ALREADY_SET, ZONE_CONFLICT, INVALID_ADDR,
        or PANIC_MODE via check_panic.
        """
        self._fw.check_panic()
        _zone = self._fw.check_zone(zone)
        _obj = self._zones[_zone]

        if check_mac(source):
            source = source.upper()

        source_id = self.__source_id(source)

        if source_id in _obj.settings["sources"]:
            raise FirewallError(errors.ZONE_ALREADY_SET,
                                "'%s' already bound to '%s'" % (source, _zone))
        if self.get_zone_of_source(source) is not None:
            raise FirewallError(errors.ZONE_CONFLICT,
                                "'%s' already bound to a zone" % source)

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if not _obj.applied:
            self.apply_zone_settings(zone,
                                     use_zone_transaction=zone_transaction)
            zone_transaction.add_fail(self.set_zone_applied, _zone, False)

        self._source(True, _zone, source_id[0], source_id[1], zone_transaction)

        self.__register_source(_obj, source_id, zone, sender)
        zone_transaction.add_fail(self.__unregister_source, _obj, source_id)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __register_source(self, _obj, source_id, zone, sender):
        # Source bindings never time out (timeout 0).
        _obj.settings["sources"][source_id] = \
            self.__gen_settings(0, sender)
        # add information whether we add to default or specific zone
        _obj.settings["sources"][source_id]["__default__"] = (not zone or zone == "")

    def change_zone_of_source(self, zone, source, sender=None):
        """Move *source* to *zone*, removing it from its old zone first."""
        self._fw.check_panic()
        _old_zone = self.get_zone_of_source(source)
        _new_zone = self._fw.check_zone(zone)

        if _new_zone == _old_zone:
            return _old_zone

        if check_mac(source):
            source = source.upper()

        if _old_zone is not None:
            self.remove_source(_old_zone, source)

        _zone = self.add_source(zone, source, sender)

        return _zone

    def remove_source(self, zone, source,
                      use_zone_transaction=None):
        """Unbind *source*; an empty *zone* means "whatever zone it is in".

        Raises FirewallError: UNKNOWN_SOURCE if not bound anywhere,
        ZONE_CONFLICT if bound to a different zone than requested.
        """
        self._fw.check_panic()
        if check_mac(source):
            source = source.upper()
        zos = self.get_zone_of_source(source)
        if zos is None:
            raise FirewallError(errors.UNKNOWN_SOURCE,
                                "'%s' is not in any zone" % source)
        _zone = zos if zone == "" else self._fw.check_zone(zone)
        if zos != _zone:
            raise FirewallError(errors.ZONE_CONFLICT,
                                "remove_source(%s, %s): zos='%s'" % \
                                (zone, source, zos))

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        _obj = self._zones[_zone]
        source_id = self.__source_id(source)
        self._source(False, _zone, source_id[0], source_id[1], zone_transaction)

        zone_transaction.add_post(self.__unregister_source, _obj,
                                  source_id)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

#        self.unapply_zone_settings_if_unused(_zone)
        return _zone

    def __unregister_source(self, _obj, source_id):
        if source_id in _obj.settings["sources"]:
            del _obj.settings["sources"][source_id]

    def query_source(self, zone, source):
        """True if *source* (MAC upper-cased) is bound to *zone*."""
        if check_mac(source):
            source = source.upper()
        return self.__source_id(source) in self.get_settings(zone)["sources"]

    def list_sources(self, zone):
        """Source strings bound to *zone* (the family part of the key is dropped)."""
        return [ k[1] for k in self.get_settings(zone)["sources"].keys() ]

    # RICH LANGUAGE

    def check_rule(self, rule):
        """Run the Rich_Rule's own consistency check."""
        rule.check()

    def __rule_id(self, rule):
        # The settings key is the rule's string form.
        self.check_rule(rule)
        return str(rule)

    def _rule_source_ipv(self, source):
        """Return the family of a rich-rule source ("ipv4"/"ipv6"/"" for MAC), or None."""
        if not source:
            return None

        if source.addr:
            if checkIPnMask(source.addr):
                return "ipv4"
            elif checkIP6nMask(source.addr):
                return "ipv6"
        elif hasattr(source, "mac") and source.mac:
            return ""
        elif hasattr(source, "ipset") and source.ipset:
            self._check_ipset_type_for_source(source.ipset)
            self._check_ipset_applied(source.ipset)
            return self._ipset_family(source.ipset)

        return None

    def __rule(self, enable, zone, rule, mark_id, zone_transaction):
        # Rule generation lives in _rule_prepare (defined elsewhere).
        self._rule_prepare(enable, zone, rule, mark_id, zone_transaction)

    def add_rule(self, zone, rule, timeout=0, sender=None,
                 use_zone_transaction=None):
        """Add a Rich_Rule to *zone*; returns the zone name.

        A forward-port rule gets a fresh packet mark from the Firewall
        object; it is released again by __unregister_rule on failure or
        removal.  Raises FirewallError(ALREADY_ENABLED) for duplicates.
        """
        _zone = self._fw.check_zone(zone)
        self._fw.check_timeout(timeout)
        self._fw.check_panic()
        _obj = self._zones[_zone]

        rule_id = self.__rule_id(rule)
        if rule_id in _obj.settings["rules"]:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "'%s' already in '%s'" % (rule, _zone))

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        # NOTE(review): exact-type comparison, so a subclass of
        # Rich_ForwardPort would get no mark.
        if type(rule.element) == Rich_ForwardPort:
            mark = self._fw.new_mark()
        else:
            mark = None

        if _obj.applied:
            self.__rule(True, _zone, rule, mark, zone_transaction)

        self.__register_rule(_obj, rule_id, mark, timeout, sender)
        zone_transaction.add_fail(self.__unregister_rule, _obj, rule_id, mark)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __register_rule(self, _obj, rule_id, mark, timeout, sender):
        _obj.settings["rules"][rule_id] = self.__gen_settings(
            timeout, sender, mark=mark)

    def remove_rule(self, zone, rule,
                    use_zone_transaction=None):
        """Remove a Rich_Rule from *zone*; raises FirewallError(NOT_ENABLED) if absent."""
        _zone = self._fw.check_zone(zone)
        self._fw.check_panic()
        _obj = self._zones[_zone]

        rule_id = self.__rule_id(rule)
        if rule_id not in _obj.settings["rules"]:
            raise FirewallError(errors.NOT_ENABLED,
                                "'%s' not in '%s'" % (rule, _zone))

        if "mark" in _obj.settings["rules"][rule_id]:
            mark = _obj.settings["rules"][rule_id]["mark"]
        else:
            mark = None

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if _obj.applied:
            self.__rule(False, _zone, rule, mark, zone_transaction)

        zone_transaction.add_post(self.__unregister_rule, _obj, rule_id, mark)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __unregister_rule(self, _obj, rule_id, mark=None):
        if rule_id in _obj.settings["rules"]:
            del _obj.settings["rules"][rule_id]
        # give the packet mark back to the allocator
        if mark:
            self._fw.del_mark(mark)

    def query_rule(self, zone, rule):
        """True if *rule* is active in *zone*."""
        return self.__rule_id(rule) in self.get_settings(zone)["rules"]

    def list_rules(self, zone):
        """Rule strings active in *zone*."""
        return list(self.get_settings(zone)["rules"].keys())

    # SERVICES

    def check_service(self, service):
        """Delegate service-name validation to the Firewall object."""
        self._fw.check_service(service)

    def __service_id(self, service):
        self.check_service(service)
        return service

    def add_service(self, zone, service, timeout=0, sender=None,
                    use_zone_transaction=None):
        """Allow *service* in *zone*; returns the zone name.

        Raises FirewallError(ALREADY_ENABLED) for duplicates, plus the
        check_zone/check_timeout/check_panic errors.
        """
        _zone = self._fw.check_zone(zone)
        self._fw.check_timeout(timeout)
        self._fw.check_panic()
        _obj = self._zones[_zone]

        service_id = self.__service_id(service)
        if service_id in _obj.settings["services"]:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "'%s' already in '%s'" % (service, _zone))

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if _obj.applied:
            self._service(True, _zone, service, zone_transaction)

        self.__register_service(_obj, service_id, timeout, sender)
        zone_transaction.add_fail(self.__unregister_service, _obj, service_id)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __register_service(self, _obj, service_id, timeout, sender):
        _obj.settings["services"][service_id] = \
            self.__gen_settings(timeout, sender)

    def remove_service(self, zone, service,
                       use_zone_transaction=None):
        """Remove *service* from *zone*; raises FirewallError(NOT_ENABLED) if absent."""
        _zone = self._fw.check_zone(zone)
        self._fw.check_panic()
        _obj = self._zones[_zone]

        service_id = self.__service_id(service)
        if service_id not in _obj.settings["services"]:
            raise FirewallError(errors.NOT_ENABLED,
                                "'%s' not in '%s'" % (service, _zone))

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if _obj.applied:
            self._service(False, _zone, service, zone_transaction)

        zone_transaction.add_post(self.__unregister_service, _obj, service_id)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __unregister_service(self, _obj, service_id):
        if service_id in _obj.settings["services"]:
            del _obj.settings["services"][service_id]

    def query_service(self, zone, service):
        """True if *service* is allowed in *zone*."""
        return self.__service_id(service) in self.get_settings(zone)["services"]

    def list_services(self, zone):
        """Service names allowed in *zone* (a dict keys view, not a list)."""
        return self.get_settings(zone)["services"].keys()

    def get_helpers_for_service_modules(self, modules, enable):
        """Resolve a service's helper module names to helper objects.

        Raises FirewallError(INVALID_HELPER) for an unknown module.  With
        automatic helper assignment off (nf_conntrack_helper_setting == 0)
        a port-less helper is swapped for the helper named after its
        kernel module; if that one is missing it is skipped (warned about
        only when *enable* is true).
        """
        # If automatic helper assignment is turned off, helpers that
        # do not have ports defined will be replaced by the helpers
        # that the helper.module defines.
        _helpers = [ ]
        for module in modules:
            try:
                helper = self._fw.helper.get_helper(module)
            except FirewallError:
                raise FirewallError(errors.INVALID_HELPER, module)
            if self._fw.nf_conntrack_helper_setting == 0 and \
               len(helper.ports) < 1:
                _module_short_name = get_nf_conntrack_short_name(helper.module)
                try:
                    _helper = self._fw.helper.get_helper(_module_short_name)
                    _helpers.append(_helper)
                except FirewallError:
                    if enable:
                        log.warning("Helper '%s' is not available" % _module_short_name)
                    continue
            else:
                _helpers.append(helper)
        return _helpers

    # PORTS

    def check_port(self, port, protocol):
        """Validate a port/range and that protocol is tcp or udp."""
        self._fw.check_port(port)
        self._fw.check_tcpudp(protocol)

    def __port_id(self, port, protocol):
        # Normalised key: "start-end" port string plus protocol.
        self.check_port(port, protocol)
        return (portStr(port, "-"), protocol)

    def add_port(self, zone, port, protocol, timeout=0, sender=None,
                 use_zone_transaction=None):
        """Open *port*/*protocol* in *zone*; returns the zone name.

        Raises FirewallError(ALREADY_ENABLED) for duplicates (after
        normalising the port string).
        """
        _zone = self._fw.check_zone(zone)
        self._fw.check_timeout(timeout)
        self._fw.check_panic()
        _obj = self._zones[_zone]

        port_id = self.__port_id(port, protocol)
        if port_id in _obj.settings["ports"]:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "'%s:%s' already in '%s'" % (port, protocol, _zone))

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if _obj.applied:
            self._port(True, _zone, port, protocol, zone_transaction)

        self.__register_port(_obj, port_id, timeout, sender)
        zone_transaction.add_fail(self.__unregister_port, _obj, port_id)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __register_port(self, _obj, port_id, timeout, sender):
        _obj.settings["ports"][port_id] = \
            self.__gen_settings(timeout, sender)

    def remove_port(self, zone, port, protocol,
                    use_zone_transaction=None):
        """Close *port*/*protocol* in *zone*; raises FirewallError(NOT_ENABLED) if absent."""
        _zone = self._fw.check_zone(zone)
        self._fw.check_panic()
        _obj = self._zones[_zone]

        port_id = self.__port_id(port, protocol)
        if port_id not in _obj.settings["ports"]:
            raise FirewallError(errors.NOT_ENABLED,
                                "'%s:%s' not in '%s'" % (port, protocol, _zone))

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if _obj.applied:
            self._port(False, _zone, port, protocol, zone_transaction)

        zone_transaction.add_post(self.__unregister_port, _obj, port_id)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __unregister_port(self, _obj, port_id):
        if port_id in _obj.settings["ports"]:
            del _obj.settings["ports"][port_id]

    def query_port(self, zone, port, protocol):
        """True if *port*/*protocol* is open, directly or inside an open range."""
        if self.__port_id(port, protocol) in self.get_settings(zone)["ports"]:
            return True
        else:
            # It might be a single port query that is inside a range
            for (_port, _protocol) in self.get_settings(zone)["ports"]:
                if portInPortRange(port, _port) and protocol == _protocol:
                    return True
        return False

    def list_ports(self, zone):
        """(port, protocol) pairs open in *zone*."""
        return list(self.get_settings(zone)["ports"].keys())

    # PROTOCOLS

    def check_protocol(self, protocol):
        """Raise FirewallError(INVALID_PROTOCOL) for an unknown protocol name/number."""
        if not checkProtocol(protocol):
            raise FirewallError(errors.INVALID_PROTOCOL, protocol)

    def __protocol_id(self, protocol):
        self.check_protocol(protocol)
        return protocol

    def add_protocol(self, zone, protocol, timeout=0, sender=None,
                     use_zone_transaction=None):
        """Allow IP *protocol* in *zone*; returns the zone name.

        Raises FirewallError(ALREADY_ENABLED) for duplicates.
        """
        _zone = self._fw.check_zone(zone)
        self._fw.check_timeout(timeout)
        self._fw.check_panic()
        _obj = self._zones[_zone]

        protocol_id = self.__protocol_id(protocol)
        if protocol_id in _obj.settings["protocols"]:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "'%s' already in '%s'" % (protocol, _zone))

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if _obj.applied:
            self._protocol(True, _zone, protocol, zone_transaction)

        self.__register_protocol(_obj, protocol_id, timeout, sender)
        zone_transaction.add_fail(self.__unregister_protocol, _obj,
                                  protocol_id)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __register_protocol(self, _obj, protocol_id, timeout, sender):
        _obj.settings["protocols"][protocol_id] = \
            self.__gen_settings(timeout, sender)

    def remove_protocol(self, zone, protocol,
                        use_zone_transaction=None):
        """Remove IP *protocol* from *zone*; raises FirewallError(NOT_ENABLED) if absent."""
        _zone = self._fw.check_zone(zone)
        self._fw.check_panic()
        _obj = self._zones[_zone]

        protocol_id = self.__protocol_id(protocol)
        if protocol_id not in _obj.settings["protocols"]:
            raise FirewallError(errors.NOT_ENABLED,
                                "'%s' not in '%s'" % (protocol, _zone))

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if _obj.applied:
            self._protocol(False, _zone, protocol, zone_transaction)

        zone_transaction.add_post(self.__unregister_protocol, _obj,
                                  protocol_id)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __unregister_protocol(self, _obj, protocol_id):
        if protocol_id in _obj.settings["protocols"]:
            del _obj.settings["protocols"][protocol_id]

    def query_protocol(self, zone, protocol):
        """True if IP *protocol* is allowed in *zone*."""
        return self.__protocol_id(protocol) in self.get_settings(zone)["protocols"]

    def list_protocols(self, zone):
        """Protocol names allowed in *zone*."""
        return list(self.get_settings(zone)["protocols"].keys())

    # SOURCE PORTS

    def __source_port_id(self, port, protocol):
        # Same normalisation as __port_id; stored under "source_ports".
        self.check_port(port, protocol)
        return (portStr(port, "-"), protocol)

    def add_source_port(self, zone, port, protocol, timeout=0, sender=None,
                        use_zone_transaction=None):
        """Allow traffic from source *port*/*protocol* in *zone*; returns the zone name."""
        _zone = self._fw.check_zone(zone)
        self._fw.check_timeout(timeout)
        self._fw.check_panic()
        _obj = self._zones[_zone]

        port_id = self.__source_port_id(port, protocol)
        if port_id in _obj.settings["source_ports"]:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "'%s:%s' already in '%s'" % (port, protocol, _zone))

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if _obj.applied:
            self._source_port(True, _zone, port, protocol, zone_transaction)

        self.__register_source_port(_obj, port_id, timeout, sender)
        zone_transaction.add_fail(self.__unregister_source_port, _obj,
                                  port_id)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __register_source_port(self, _obj, port_id, timeout, sender):
        _obj.settings["source_ports"][port_id] = \
            self.__gen_settings(timeout, sender)

    def remove_source_port(self, zone, port, protocol,
                           use_zone_transaction=None):
        """Remove source *port*/*protocol* from *zone*; raises FirewallError(NOT_ENABLED) if absent."""
        _zone = self._fw.check_zone(zone)
        self._fw.check_panic()
        _obj = self._zones[_zone]

        port_id = self.__source_port_id(port, protocol)
        if port_id not in _obj.settings["source_ports"]:
            raise FirewallError(errors.NOT_ENABLED,
                                "'%s:%s' not in '%s'" % (port, protocol, _zone))

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if _obj.applied:
            self._source_port(False, _zone, port, protocol, zone_transaction)

        zone_transaction.add_post(self.__unregister_source_port, _obj,
                                  port_id)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __unregister_source_port(self, _obj, port_id):
        if port_id in _obj.settings["source_ports"]:
            del _obj.settings["source_ports"][port_id]

    def query_source_port(self, zone, port, protocol):
        """True if source *port*/*protocol* is allowed in *zone* (exact key match only)."""
        return self.__source_port_id(port, protocol) in \
            self.get_settings(zone)["source_ports"]

    def list_source_ports(self, zone):
        """(port, protocol) source-port pairs allowed in *zone*."""
        return list(self.get_settings(zone)["source_ports"].keys())

    # MASQUERADE

    def __masquerade_id(self):
        # Masquerade is a single on/off setting; the constant key True
        # makes it fit the same settings-dict pattern as the other items.
        return True

    def add_masquerade(self, zone, timeout=0, sender=None,
                       use_zone_transaction=None):
        """Enable masquerading for *zone*; raises FirewallError(ALREADY_ENABLED) if on."""
        _zone = self._fw.check_zone(zone)
        self._fw.check_timeout(timeout)
        self._fw.check_panic()
        _obj = self._zones[_zone]

        masquerade_id = self.__masquerade_id()
        if masquerade_id in _obj.settings["masquerade"]:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "masquerade already enabled in '%s'" % _zone)

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if _obj.applied:
            self._masquerade(True, _zone, zone_transaction)

        self.__register_masquerade(_obj, masquerade_id, timeout, sender)
        zone_transaction.add_fail(self.__unregister_masquerade, _obj,
                                  masquerade_id)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __register_masquerade(self, _obj, masquerade_id, timeout, sender):
        _obj.settings["masquerade"][masquerade_id] = \
            self.__gen_settings(timeout, sender)

    def remove_masquerade(self, zone, use_zone_transaction=None):
        """Disable masquerading for *zone*; raises FirewallError(NOT_ENABLED) if off."""
        _zone = self._fw.check_zone(zone)
        self._fw.check_panic()
        _obj = self._zones[_zone]

        masquerade_id = self.__masquerade_id()
        if masquerade_id not in _obj.settings["masquerade"]:
            raise FirewallError(errors.NOT_ENABLED,
                                "masquerade not enabled in '%s'" % _zone)

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if _obj.applied:
            self._masquerade(False, _zone, zone_transaction)

        zone_transaction.add_post(self.__unregister_masquerade, _obj,
                                  masquerade_id)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __unregister_masquerade(self, _obj, masquerade_id):
        if masquerade_id in _obj.settings["masquerade"]:
            del _obj.settings["masquerade"][masquerade_id]

    def query_masquerade(self, zone):
        """True if masquerading is enabled for *zone*."""
        return self.__masquerade_id() in self.get_settings(zone)["masquerade"]

    # PORT FORWARDING

    def check_forward_port(self, ipv, port, protocol, toport=None, toaddr=None):
        """Validate a port-forwarding spec for family *ipv*.

        Raises FirewallError: INVALID_ADDR if *toaddr* is not a single
        address of that family, INVALID_FORWARD if neither toport nor
        toaddr is given, plus check_port/check_tcpudp errors.
        """
        self._fw.check_port(port)
        self._fw.check_tcpudp(protocol)
        if toport:
            self._fw.check_port(toport)
        if toaddr:
            if not check_single_address(ipv, toaddr):
                raise FirewallError(errors.INVALID_ADDR, toaddr)
        if not toport and not toaddr:
            raise FirewallError(
                errors.INVALID_FORWARD,
                "port-forwarding is missing to-port AND to-addr")

    def __forward_port_id(self, port, protocol, toport=None, toaddr=None):
        # Family is inferred from toaddr: IPv6 if it parses as one,
        # otherwise the spec is validated as IPv4.
        if check_single_address("ipv6", toaddr):
            self.check_forward_port("ipv6", port, protocol, toport, toaddr)
        else:
            self.check_forward_port("ipv4", port, protocol, toport, toaddr)
        # str(toaddr) turns a missing address into the literal "None" key part.
        return (portStr(port, "-"), protocol,
                portStr(toport, "-"), str(toaddr))

    def add_forward_port(self, zone, port, protocol, toport=None, toaddr=None,
                         timeout=0, sender=None, use_zone_transaction=None):
        """Add a port forward to *zone*; returns the zone name.

        A packet mark is allocated from the Firewall object for the
        forward and released by __unregister_forward_port on failure or
        removal.  Raises FirewallError(ALREADY_ENABLED) for duplicates.
        """
        _zone = self._fw.check_zone(zone)
        self._fw.check_timeout(timeout)
        self._fw.check_panic()
        _obj = self._zones[_zone]

        forward_id = self.__forward_port_id(port, protocol, toport, toaddr)
        if forward_id in _obj.settings["forward_ports"]:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "'%s:%s:%s:%s' already in '%s'" % \
                                (port, protocol, toport, toaddr, _zone))

        mark = self._fw.new_mark()

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if _obj.applied:
            self._forward_port(True, _zone, zone_transaction,
                               port, protocol, toport, toaddr, mark_id=mark)

        self.__register_forward_port(_obj, forward_id, timeout, sender, mark)
        zone_transaction.add_fail(self.__unregister_forward_port, _obj,
                                  forward_id, mark)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __register_forward_port(self, _obj, forward_id, timeout, sender,
                                mark):
        _obj.settings["forward_ports"][forward_id] = \
            self.__gen_settings(timeout, sender, mark=mark)

    def remove_forward_port(self, zone, port, protocol, toport=None,
                            toaddr=None, use_zone_transaction=None):
        """Remove a port forward from *zone*; raises FirewallError(NOT_ENABLED) if absent."""
        _zone = self._fw.check_zone(zone)
        self._fw.check_panic()
        _obj = self._zones[_zone]

        forward_id = self.__forward_port_id(port, protocol, toport, toaddr)
        if forward_id not in _obj.settings["forward_ports"]:
            raise FirewallError(errors.NOT_ENABLED,
                                "'%s:%s:%s:%s' not in '%s'" % \
                                (port, protocol, toport, toaddr, _zone))

        mark = _obj.settings["forward_ports"][forward_id]["mark"]

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if _obj.applied:
            self._forward_port(False, _zone, zone_transaction,
                               port, protocol, toport, toaddr, mark_id=mark)

        zone_transaction.add_post(self.__unregister_forward_port, _obj,
                                  forward_id, mark)

        if use_zone_transaction is None:
            zone_transaction.execute(True)

        return _zone

    def __unregister_forward_port(self, _obj, forward_id, mark):
        if forward_id in _obj.settings["forward_ports"]:
            del _obj.settings["forward_ports"][forward_id]
        # the mark was allocated unconditionally in add_forward_port
        self._fw.del_mark(mark)

    def query_forward_port(self, zone, port, protocol, toport=None,
                           toaddr=None):
        """True if the given port forward is active in *zone*."""
        forward_id = self.__forward_port_id(port, protocol, toport, toaddr)
        return forward_id in self.get_settings(zone)["forward_ports"]

    def list_forward_ports(self, zone):
        """(port, protocol, toport, toaddr) tuples forwarded in *zone*."""
        return list(self.get_settings(zone)["forward_ports"].keys())

    # ICMP BLOCK

    def check_icmp_block(self, icmp):
        """Delegate ICMP type validation to the Firewall object."""
        self._fw.check_icmptype(icmp)

    def __icmp_block_id(self, icmp):
        self.check_icmp_block(icmp)
        return icmp

    def add_icmp_block(self, zone, icmp, timeout=0, sender=None,
                       use_zone_transaction=None):
        """Block ICMP type *icmp* in *zone*; raises FirewallError(ALREADY_ENABLED) for duplicates."""
        _zone = self._fw.check_zone(zone)
        self._fw.check_timeout(timeout)
        self._fw.check_panic()
        _obj = self._zones[_zone]

        icmp_id = self.__icmp_block_id(icmp)
        if icmp_id in _obj.settings["icmp_blocks"]:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "'%s' already in '%s'" % (icmp, _zone))

        if use_zone_transaction is None:
            zone_transaction = self.new_zone_transaction(_zone)
        else:
            zone_transaction = use_zone_transaction

        if _obj.applied:
            self._icmp_block(True,
_zone, icmp, zone_transaction) self.__register_icmp_block(_obj, icmp_id, timeout, sender) zone_transaction.add_fail(self.__unregister_icmp_block, _obj, icmp_id) if use_zone_transaction is None: zone_transaction.execute(True) return _zone def __register_icmp_block(self, _obj, icmp_id, timeout, sender): _obj.settings["icmp_blocks"][icmp_id] = \ self.__gen_settings(timeout, sender) def remove_icmp_block(self, zone, icmp, use_zone_transaction=None): _zone = self._fw.check_zone(zone) self._fw.check_panic() _obj = self._zones[_zone] icmp_id = self.__icmp_block_id(icmp) if icmp_id not in _obj.settings["icmp_blocks"]: raise FirewallError(errors.NOT_ENABLED, "'%s' not in '%s'" % (icmp, _zone)) if use_zone_transaction is None: zone_transaction = self.new_zone_transaction(_zone) else: zone_transaction = use_zone_transaction if _obj.applied: self._icmp_block(False, _zone, icmp, zone_transaction) zone_transaction.add_post(self.__unregister_icmp_block, _obj, icmp_id) if use_zone_transaction is None: zone_transaction.execute(True) return _zone def __unregister_icmp_block(self, _obj, icmp_id): if icmp_id in _obj.settings["icmp_blocks"]: del _obj.settings["icmp_blocks"][icmp_id] def query_icmp_block(self, zone, icmp): return self.__icmp_block_id(icmp) in self.get_settings(zone)["icmp_blocks"] def list_icmp_blocks(self, zone): return self.get_settings(zone)["icmp_blocks"].keys() # ICMP BLOCK INVERSION def __icmp_block_inversion_id(self): return True def add_icmp_block_inversion(self, zone, sender=None, use_zone_transaction=None): _zone = self._fw.check_zone(zone) self._fw.check_panic() _obj = self._zones[_zone] icmp_block_inversion_id = self.__icmp_block_inversion_id() if icmp_block_inversion_id in _obj.settings["icmp_block_inversion"]: raise FirewallError( errors.ALREADY_ENABLED, "icmp-block-inversion already enabled in '%s'" % _zone) if use_zone_transaction is None: zone_transaction = self.new_zone_transaction(_zone) else: zone_transaction = use_zone_transaction if _obj.applied: # 
undo icmp blocks for args in self.get_settings(_zone)["icmp_blocks"]: self._icmp_block(False, _zone, args, zone_transaction) self._icmp_block_inversion(False, _zone, zone_transaction) self.__register_icmp_block_inversion(_obj, icmp_block_inversion_id, sender) zone_transaction.add_fail(self.__undo_icmp_block_inversion, _zone, _obj, icmp_block_inversion_id) # redo icmp blocks if _obj.applied: for args in self.get_settings(_zone)["icmp_blocks"]: self._icmp_block(True, _zone, args, zone_transaction) self._icmp_block_inversion(True, _zone, zone_transaction) if use_zone_transaction is None: zone_transaction.execute(True) return _zone def __register_icmp_block_inversion(self, _obj, icmp_block_inversion_id, sender): _obj.settings["icmp_block_inversion"][icmp_block_inversion_id] = \ self.__gen_settings(0, sender) def __undo_icmp_block_inversion(self, _zone, _obj, icmp_block_inversion_id): zone_transaction = self.new_zone_transaction(_zone) # undo icmp blocks if _obj.applied: for args in self.get_settings(_zone)["icmp_blocks"]: self._icmp_block(False, _zone, args, zone_transaction) if icmp_block_inversion_id in _obj.settings["icmp_block_inversion"]: del _obj.settings["icmp_block_inversion"][icmp_block_inversion_id] # redo icmp blocks if _obj.applied: for args in self.get_settings(_zone)["icmp_blocks"]: self._icmp_block(True, _zone, args, zone_transaction) zone_transaction.execute(True) def remove_icmp_block_inversion(self, zone, use_zone_transaction=None): _zone = self._fw.check_zone(zone) self._fw.check_panic() _obj = self._zones[_zone] icmp_block_inversion_id = self.__icmp_block_inversion_id() if icmp_block_inversion_id not in _obj.settings["icmp_block_inversion"]: raise FirewallError( errors.NOT_ENABLED, "icmp-block-inversion not enabled in '%s'" % _zone) if use_zone_transaction is None: zone_transaction = self.new_zone_transaction(_zone) else: zone_transaction = use_zone_transaction if _obj.applied: # undo icmp blocks for args in self.get_settings(_zone)["icmp_blocks"]: 
self._icmp_block(False, _zone, args, zone_transaction) self._icmp_block_inversion(False, _zone, zone_transaction) self.__unregister_icmp_block_inversion(_obj, icmp_block_inversion_id) zone_transaction.add_fail(self.__register_icmp_block_inversion, _obj, icmp_block_inversion_id, None) # redo icmp blocks if _obj.applied: for args in self.get_settings(_zone)["icmp_blocks"]: self._icmp_block(True, _zone, args, zone_transaction) self._icmp_block_inversion(True, _zone, zone_transaction) if use_zone_transaction is None: zone_transaction.execute(True) return _zone def __unregister_icmp_block_inversion(self, _obj, icmp_block_inversion_id): if icmp_block_inversion_id in _obj.settings["icmp_block_inversion"]: del _obj.settings["icmp_block_inversion"][icmp_block_inversion_id] def query_icmp_block_inversion(self, zone): return self.__icmp_block_inversion_id() in \ self.get_settings(zone)["icmp_block_inversion"] # dynamic chain handling def gen_chain_rules(self, zone, create, chains, transaction): for (table, chain) in chains: if create: if zone in self._chains and \ table in self._chains[zone] and \ chain in self._chains[zone][table]: continue else: if zone not in self._chains or \ table not in self._chains[zone] or \ chain not in self._chains[zone][table]: continue for backend in self._fw.enabled_backends(): if backend.zones_supported and \ table in backend.get_available_tables(): rules = backend.build_zone_chain_rules(zone, table, chain) transaction.add_rules(backend, rules) self._register_chains(zone, create, chains) transaction.add_fail(self._register_chains, zone, create, chains) def _interface(self, enable, zone, interface, zone_transaction, append=False): for backend in self._fw.enabled_backends(): if not backend.zones_supported: continue for table in backend.get_available_tables(): for chain in backend.get_zone_table_chains(table): # create needed chains if not done already if enable: zone_transaction.add_chain(table, chain) rules = 
backend.build_zone_source_interface_rules(enable, zone, interface, table, chain, append) zone_transaction.add_rules(backend, rules) # IPSETS def _ipset_family(self, name): if self._fw.ipset.get_type(name) == "hash:mac": return None return self._fw.ipset.get_family(name) def __ipset_type(self, name): return self._fw.ipset.get_type(name) def _ipset_match_flags(self, name, flag): return ",".join([flag] * self._fw.ipset.get_dimension(name)) def _check_ipset_applied(self, name): return self._fw.ipset.check_applied(name) def _check_ipset_type_for_source(self, name): _type = self.__ipset_type(name) if _type not in ZONE_SOURCE_IPSET_TYPES: raise FirewallError( errors.INVALID_IPSET, "ipset '%s' with type '%s' not usable as source" % \ (name, _type)) def _source(self, enable, zone, ipv, source, zone_transaction): # For mac source bindings ipv is an empty string, the mac source will # be added for ipv4 and ipv6 for backend in [self._fw.get_backend_by_ipv(ipv)] if ipv else self._fw.enabled_backends(): if not backend.zones_supported: continue for table in backend.get_available_tables(): for chain in backend.get_zone_table_chains(table): # create needed chains if not done already if enable: zone_transaction.add_chain(table, chain) rules = backend.build_zone_source_address_rules(enable, zone, source, table, chain) zone_transaction.add_rules(backend, rules) def _rule_prepare(self, enable, zone, rule, mark_id, zone_transaction): if rule.family is not None: ipvs = [ rule.family ] else: ipvs = [ipv for ipv in ["ipv4", "ipv6"] if self._fw.is_ipv_enabled(ipv)] source_ipv = self._rule_source_ipv(rule.source) if source_ipv is not None and source_ipv != "": if rule.family is not None: # rule family is defined by user, no way to change it if rule.family != source_ipv: raise FirewallError(errors.INVALID_RULE, "Source address family '%s' conflicts with rule family '%s'." 
% (source_ipv, rule.family)) else: # use the source family as rule family ipvs = [ source_ipv ] # add an element to object to allow backends to know what ipvs this applies to rule.ipvs = ipvs for backend in set([self._fw.get_backend_by_ipv(x) for x in ipvs]): # SERVICE if type(rule.element) == Rich_Service: svc = self._fw.service.get_service(rule.element.name) destinations = [] if len(svc.destination) > 0: if rule.destination: # we can not use two destinations at the same time raise FirewallError(errors.INVALID_RULE, "Destination conflict with service.") for ipv in ipvs: if ipv in svc.destination and backend.is_ipv_supported(ipv): destinations.append(svc.destination[ipv]) else: # dummy for the following for loop destinations.append(None) for destination in destinations: if enable: zone_transaction.add_chain("filter", "INPUT") if self._fw.nf_conntrack_helper_setting == 0: zone_transaction.add_chain("raw", "PREROUTING") if type(rule.action) == Rich_Accept: # only load modules for accept action helpers = self.get_helpers_for_service_modules(svc.modules, enable) modules = [ ] for helper in helpers: module = helper.module _module_short_name = get_nf_conntrack_short_name(module) if self._fw.nf_conntrack_helper_setting == 0: nat_module = module.replace("conntrack", "nat") modules.append(nat_module) if helper.family != "" and not backend.is_ipv_supported(helper.family): # no support for family ipv, continue continue if len(helper.ports) < 1: modules.append(module) else: for (port,proto) in helper.ports: rules = backend.build_zone_helper_ports_rules( enable, zone, proto, port, destination, helper.name, _module_short_name) zone_transaction.add_rules(backend, rules) else: if helper.module not in modules: modules.append(helper.module) nat_module = helper.module.replace("conntrack", "nat") modules.append(nat_module) zone_transaction.add_modules(modules) # create rules for (port,proto) in svc.ports: if enable and type(rule.action) == Rich_Mark: 
zone_transaction.add_chain("mangle", "PREROUTING") rules = backend.build_zone_ports_rules( enable, zone, proto, port, destination, rule) zone_transaction.add_rules(backend, rules) for proto in svc.protocols: if enable and type(rule.action) == Rich_Mark: zone_transaction.add_chain("mangle", "PREROUTING") rules = backend.build_zone_protocol_rules( enable, zone, proto, destination, rule) zone_transaction.add_rules(backend, rules) # create rules for (port,proto) in svc.source_ports: if enable and type(rule.action) == Rich_Mark: zone_transaction.add_chain("mangle", "PREROUTING") rules = backend.build_zone_source_ports_rules( enable, zone, proto, port, destination, rule) zone_transaction.add_rules(backend, rules) # PORT elif type(rule.element) == Rich_Port: port = rule.element.port protocol = rule.element.protocol self.check_port(port, protocol) if enable: zone_transaction.add_chain("filter", "INPUT") if enable and type(rule.action) == Rich_Mark: zone_transaction.add_chain("mangle", "PREROUTING") rules = backend.build_zone_ports_rules( enable, zone, protocol, port, None, rule) zone_transaction.add_rules(backend, rules) # PROTOCOL elif type(rule.element) == Rich_Protocol: protocol = rule.element.value self.check_protocol(protocol) if enable: zone_transaction.add_chain("filter", "INPUT") if enable and type(rule.action) == Rich_Mark: zone_transaction.add_chain("mangle", "PREROUTING") rules = backend.build_zone_protocol_rules( enable, zone, protocol, None, rule) zone_transaction.add_rules(backend, rules) # MASQUERADE elif type(rule.element) == Rich_Masquerade: if enable: zone_transaction.add_chain("nat", "POSTROUTING") zone_transaction.add_chain("filter", "FORWARD_OUT") for ipv in ipvs: if backend.is_ipv_supported(ipv): zone_transaction.add_post(enable_ip_forwarding, ipv) rules = backend.build_zone_masquerade_rules(enable, zone, rule) zone_transaction.add_rules(backend, rules) # FORWARD PORT elif type(rule.element) == Rich_ForwardPort: port = rule.element.port protocol = 
rule.element.protocol toport = rule.element.to_port toaddr = rule.element.to_address for ipv in ipvs: if backend.is_ipv_supported(ipv): self.check_forward_port(ipv, port, protocol, toport, toaddr) if toaddr and enable: zone_transaction.add_post(enable_ip_forwarding, ipv) filter_chain = "INPUT" if not toaddr else "FORWARD_IN" if enable: zone_transaction.add_chain("mangle", "PREROUTING") zone_transaction.add_chain("nat", "PREROUTING") zone_transaction.add_chain("filter", filter_chain) rules = backend.build_zone_forward_port_rules( enable, zone, filter_chain, port, protocol, toport, toaddr, mark_id, rule) zone_transaction.add_rules(backend, rules) # SOURCE PORT elif type(rule.element) == Rich_SourcePort: port = rule.element.port protocol = rule.element.protocol self.check_port(port, protocol) if enable: zone_transaction.add_chain("filter", "INPUT") if enable and type(rule.action) == Rich_Mark: zone_transaction.add_chain("mangle", "PREROUTING") rules = backend.build_zone_source_ports_rules( enable, zone, protocol, port, None, rule) zone_transaction.add_rules(backend, rules) # ICMP BLOCK and ICMP TYPE elif type(rule.element) == Rich_IcmpBlock or \ type(rule.element) == Rich_IcmpType: ict = self._fw.icmptype.get_icmptype(rule.element.name) if type(rule.element) == Rich_IcmpBlock and \ rule.action and type(rule.action) == Rich_Accept: # icmp block might have reject or drop action, but not accept raise FirewallError(errors.INVALID_RULE, "IcmpBlock not usable with accept action") if ict.destination: for ipv in ipvs: if ipv in ict.destination \ and not backend.is_ipv_supported(ipv): raise FirewallError( errors.INVALID_RULE, "Icmp%s %s not usable with %s" % \ ("Block" if type(rule.element) == \ Rich_IcmpBlock else "Type", rule.element.name, backend.name)) table = "filter" if enable: zone_transaction.add_chain(table, "INPUT") zone_transaction.add_chain(table, "FORWARD_IN") rules = backend.build_zone_icmp_block_rules(enable, zone, ict, rule) zone_transaction.add_rules(backend, 
rules) elif rule.element is None: if enable: zone_transaction.add_chain("filter", "INPUT") if enable and type(rule.action) == Rich_Mark: zone_transaction.add_chain("mangle", "PREROUTING") rules = backend.build_zone_rich_source_destination_rules( enable, zone, rule) zone_transaction.add_rules(backend, rules) # EVERYTHING ELSE else: raise FirewallError(errors.INVALID_RULE, "Unknown element %s" % type(rule.element)) return mark_id def _service(self, enable, zone, service, zone_transaction): svc = self._fw.service.get_service(service) helpers = self.get_helpers_for_service_modules(svc.modules, enable) if enable: if self._fw.nf_conntrack_helper_setting == 0: zone_transaction.add_chain("raw", "PREROUTING") else: modules = [ ] for helper in helpers: modules.append(helper.module) nat_module = helper.module.replace("conntrack", "nat") modules.append(nat_module) zone_transaction.add_modules(modules) zone_transaction.add_chain("filter", "INPUT") # build a list of (backend, destination). The destination may be ipv4, # ipv6 or None # backends_ipv = [] for ipv in ["ipv4", "ipv6"]: if not self._fw.is_ipv_enabled(ipv): continue backend = self._fw.get_backend_by_ipv(ipv) if len(svc.destination) > 0: if ipv in svc.destination: backends_ipv.append((backend, svc.destination[ipv])) else: if (backend, None) not in backends_ipv: backends_ipv.append((backend, None)) for (backend,destination) in backends_ipv: if self._fw.nf_conntrack_helper_setting == 0: for helper in helpers: module = helper.module _module_short_name = get_nf_conntrack_short_name(module) nat_module = helper.module.replace("conntrack", "nat") zone_transaction.add_module(nat_module) if helper.family != "" and not backend.is_ipv_supported(helper.family): # no support for family ipv, continue continue if len(helper.ports) < 1: zone_transaction.add_module(module) else: for (port,proto) in helper.ports: rules = backend.build_zone_helper_ports_rules( enable, zone, proto, port, destination, helper.name, _module_short_name) 
zone_transaction.add_rules(backend, rules) for (port,proto) in svc.ports: rules = backend.build_zone_ports_rules(enable, zone, proto, port, destination) zone_transaction.add_rules(backend, rules) for protocol in svc.protocols: rules = backend.build_zone_protocol_rules( enable, zone, protocol, destination) zone_transaction.add_rules(backend, rules) for (port,proto) in svc.source_ports: rules = backend.build_zone_source_ports_rules( enable, zone, proto, port, destination) zone_transaction.add_rules(backend, rules) def _port(self, enable, zone, port, protocol, zone_transaction): if enable: zone_transaction.add_chain("filter", "INPUT") for backend in self._fw.enabled_backends(): if not backend.zones_supported: continue rules = backend.build_zone_ports_rules(enable, zone, protocol, port) zone_transaction.add_rules(backend, rules) def _protocol(self, enable, zone, protocol, zone_transaction): if enable: zone_transaction.add_chain("filter", "INPUT") for backend in self._fw.enabled_backends(): if not backend.zones_supported: continue rules = backend.build_zone_protocol_rules(enable, zone, protocol) zone_transaction.add_rules(backend, rules) def _source_port(self, enable, zone, port, protocol, zone_transaction): if enable: zone_transaction.add_chain("filter", "INPUT") for backend in self._fw.enabled_backends(): if not backend.zones_supported: continue rules = backend.build_zone_source_ports_rules(enable, zone, protocol, port) zone_transaction.add_rules(backend, rules) def _masquerade(self, enable, zone, zone_transaction): if enable: zone_transaction.add_chain("nat", "POSTROUTING") zone_transaction.add_chain("filter", "FORWARD_OUT") ipv = "ipv4" zone_transaction.add_post(enable_ip_forwarding, ipv) backend = self._fw.get_backend_by_ipv(ipv) rules = backend.build_zone_masquerade_rules(enable, zone) zone_transaction.add_rules(backend, rules) def _forward_port(self, enable, zone, zone_transaction, port, protocol, toport=None, toaddr=None, mark_id=None): if 
check_single_address("ipv6", toaddr): ipv = "ipv6" else: ipv = "ipv4" filter_chain = "INPUT" if not toaddr else "FORWARD_IN" if enable: zone_transaction.add_chain("mangle", "PREROUTING") zone_transaction.add_chain("nat", "PREROUTING") zone_transaction.add_chain("filter", filter_chain) if toaddr and enable: zone_transaction.add_post(enable_ip_forwarding, ipv) backend = self._fw.get_backend_by_ipv(ipv) rules = backend.build_zone_forward_port_rules( enable, zone, filter_chain, port, protocol, toport, toaddr, mark_id) zone_transaction.add_rules(backend, rules) def _icmp_block(self, enable, zone, icmp, zone_transaction): ict = self._fw.icmptype.get_icmptype(icmp) if enable: zone_transaction.add_chain("filter", "INPUT") zone_transaction.add_chain("filter", "FORWARD_IN") for backend in self._fw.enabled_backends(): if not backend.zones_supported: continue skip_backend = False if ict.destination: for ipv in ["ipv4", "ipv6"]: if ipv in ict.destination: if not backend.is_ipv_supported(ipv): skip_backend = True break if skip_backend: continue rules = backend.build_zone_icmp_block_rules(enable, zone, ict) zone_transaction.add_rules(backend, rules) def _icmp_block_inversion(self, enable, zone, zone_transaction): target = self._zones[zone].target # Do not add general icmp accept rules into a trusted, block or drop # zone. if target in [ "DROP", "%%REJECT%%", "REJECT" ]: return if not self.query_icmp_block_inversion(zone) and target == "ACCEPT": # ibi target and zone target are ACCEPT, no need to add an extra # rule return zone_transaction.add_chain("filter", "INPUT") zone_transaction.add_chain("filter", "FORWARD_IN") # To satisfy nftables backend rule lookup we must execute pending # rules. 
See nftables.build_zone_icmp_block_inversion_rules() if enable: zone_transaction.execute(enable) zone_transaction.clear() for backend in self._fw.enabled_backends(): if not backend.zones_supported: continue rules = backend.build_zone_icmp_block_inversion_rules(enable, zone) zone_transaction.add_rules(backend, rules) core/fw_test.pyc000064400000042710147576556050007714 0ustar00 c`c@sdgZddlZddlZddlZddlmZddlmZddlm Z ddl m Z ddl m Z ddlmZdd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddl m!Z!ddl"m#Z#m$Z$ddl%m&Z&ddl'm(Z(ddl)m*Z*ddlm+Z+ddl,m-Z-de.fdYZ/dS(t Firewall_testiN(tconfig(t functions(tFirewallIcmpType(tFirewallService(t FirewallZone(tFirewallDirect(tFirewallConfig(tFirewallPolicies(t FirewallIPSet(tFirewallHelper(tlog(tfirewalld_conf(tDirect(tservice_reader(ticmptype_reader(t zone_readertZone(t ipset_reader(t IPSET_TYPES(t helper_reader(terrors(t FirewallErrorcBs+eZdZdZdZdZeedZdZedZ dZ dZ d Z d Z d Zd Zd ZdZdZdZdZedZdZdZdZdZdZdZdZdZdZdZdZ dZ!RS(cCsttj|_t|_t|_t|_t|_t |_ t ||_ t ||_t||_t||_t||_t|_t||_t||_|jdS(N(R RtFIREWALLD_CONFt_firewalld_conftFalsetip4tables_enabledtip6tables_enabledtebtables_enabledt ipset_enabledRtipset_supported_typesRticmptypeRtserviceRtzoneRtdirectRRtpoliciesR tipsetR thelpert_Firewall_test__init_vars(tself((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt__init__8s      cCshd|j|j|j|j|j|j|j|j|j|j |j |j |j |j |j|jfS(Ns>%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)(t __class__RRRt_statet_panict _default_zonet_module_refcountt_markst _min_marktcleanup_on_exittipv6_rpfilter_enabledRt_individual_callst _log_deniedt_automatic_helpers(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt__repr__LscCsyd|_t|_d|_i|_g|_tj|_tj |_ tj |_ tj |_tj|_tj|_dS(NtINITt(R*RR+R,R-R.RtFALLBACK_MINIMAL_MARKR/tFALLBACK_CLEANUP_ON_EXITR0tFALLBACK_IPV6_RPFILTERR1tFALLBACK_INDIVIDUAL_CALLSR2tFALLBACK_LOG_DENIEDR3tFALLBACK_AUTOMATIC_HELPERSR4(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt __init_varsUs          
cCs|jS(N(R2(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytindividual_callscsc Cstj}tjdtjy|jjWntk rMtjdn X|jj dru|jj d}n|jj drt |jj d|_ n|jj dr|jj d}|dk r|j d-krt|_qn|jj drp|jj d}|dk rp|j d.krptjd y|jjWqmtk riqmXqpn|jj d r|jj d }|dk r|j d/krt|_n|j d0krt|_qqn|jrtjd n tjd|jj drf|jj d}|dk rf|j d1krftjdt|_qfn|jj dr|jj d}|dks|j dkrd|_q|j |_tjd|jn|jj drm|jj d}|dk rm|j d2kr'd|_n-|j d3krEd |_n|j |_tjd|jqmn|jjtj|jtjdy|jjjWn]tk r }|jjrtjd|jjj|q tjd|jjj|nX|jjtj|j|j tj!d|j tj"d|j tj#d|j tj$dt%|j&j'dkrtjdn|j tj(d|j tj)d|j tj*d|j tj+dt%|j,j-dkrtjdn|j tj.d|j tj/dt%|j0j1dkrrtj2d t3j4d!nt}xEd"d#d$gD]4}||j0j1krtj2d%|t}qqW|rt3j4d!n||j0j1krId&|j0j1kr d&}n$d'|j0j1kr'd'}nd"}tjd(|||}ntjd)|t5tj6} t7j8j9tj6rtjd*tj6y| jWqtk r}tjd+tj6|qXn|jj:tj| |j;||_<d,|_=dS(4Ns"Loading firewalld config file '%s's0Using fallback firewalld configuration settings.t DefaultZonet MinimalMarkt CleanupOnExittnotfalsetLockdowntyesttruesLockdown is enabledt IPv6_rpfiltersIPv6 rpfilter is enabledsIPV6 rpfilter is disabledtIndividualCallssIndividualCalls is enabledt LogDeniedtoffsLogDenied is set to '%s'tAutomaticHelperssAutomaticHelpers is set to '%s'sLoading lockdown whitelists*Failed to load lockdown whitelist '%s': %sR$RisNo icmptypes found.R%R sNo services found.R!sNo zones found.itblocktdropttrustedsZone '%s' is not available.tpublictexternals+Default zone '%s' is not valid. 
Using '%s'.sUsing default zone '%s'sLoading direct rules file '%s's)Failed to load direct rules file '%s': %stRUNNING(RCRD(syesRG(RCRD(syesRG(syesRG(RCRD(syesRG(>Rt FALLBACK_ZONER tdebug1RRtreadt ExceptiontwarningtgettintR/tNonetlowerRR0R#tenable_lockdownRR1tTrueR2R3R4tset_firewalld_conftcopytdeepcopytlockdown_whitelisttquery_lockdownterrortfilenamet set_policiest_loadertFIREWALLD_IPSETStETC_FIREWALLD_IPSETStFIREWALLD_ICMPTYPEStETC_FIREWALLD_ICMPTYPEStlenRt get_icmptypestFIREWALLD_HELPERStETC_FIREWALLD_HELPERStFIREWALLD_SERVICEStETC_FIREWALLD_SERVICESR t get_servicestFIREWALLD_ZONEStETC_FIREWALLD_ZONESR!t get_zonestfataltsystexitR tFIREWALLD_DIRECTtostpathtexistst set_directt check_zoneR,R*( R'treloadtcomplete_reloadt default_zonetvaluetmsgRctzR!tobj((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt_startfs                            cCs|jdS(N(R(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytstartsc Cstjj|sdS|r|jtjr}|dkr}t}tjj||_|j |j||_t |_ qt }nxt tj |D]}|jds|jtjr|dkrtjjd||fr|jd||f|dtqqnd||f}tjd||y|dkrt||}|j|jjkr|jj|j}tjd||j|j|j|jj|jn!|jjtjrt|_ n|jj||jjtj|n |dkrt||}|j|jjkr|jj|j}tjd||j|j|j|jj |jn!|jjtjrt|_ n|jj!||jj!tj|n>|dkrht"||d |}|r@dtjj|tjj|d d !f|_|j |jntj|} |j|j#j$kr|j#j%|j}|j#j&|j|j'rtjd ||j|||j(|qtjd||j|j|jn*|jjtjrt|_ t| _ n|jj)| |rUtjd ||j|||j(|q|j#j)|n|d kr5t*||}|j|j+j,kr|j+j-|j}tjd||j|j|j|j+j.|jn!|jjtjr t|_ n|j+j/||jj/tj|n|dkrt0||}|j|j1j2kr|j1j3|j}tjd||j|j|j|j1j4|jn!|jjtjrt|_ n|j1j5||jj5tj|ntj6d|Wqt7k r>} tj8d||| qt9k rktj8d||tj:qXqW|r|j'r|j|j#j$kr|j#j%|j}tjd||j|j|jy|j#j&|jWnnX|jj;|jn|j#j)|ndS(NR!s.xmls%s/%stcombinesLoading %s file '%s'Rs Overloads %s '%s' ('%s/%s')R t no_check_nameiis Combining %s '%s' ('%s/%s')R$R%sUnknown reader type %ssFailed to load %s file '%s': %ssFailed to load %s file '%s':s0 Overloading and deactivating %s '%s' ('%s/%s')(<RyRztisdirt startswithRt ETC_FIREWALLDRtbasenametnamet check_nameRtdefaulttsortedtlistdirtendswithRfR]R RTRRRlt get_icmptypeRdtremove_icmptypet add_icmptypeR_R`RR Rqt 
get_servicetremove_servicet add_serviceRR!Rttget_zonet remove_zonetcombinedRtadd_zoneRR$t get_ipsetst get_ipsett remove_ipsett add_ipsetRR%t get_helperst get_helpert remove_helpert add_helperRuRRcRVt exceptiont forget_zone( R'Rzt reader_typeRt combined_zoneRdRRtorig_objt config_objR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyRfs                                             cCs|jj|jj|jj|jj|jj|jj|jj|jj|j j|j dS(N( RtcleanupR R!R$R%RR"R#RR&(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyRs         cCs|jdS(N(R(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytstopscCsdS(N((R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt check_panicscCsV|}| s|dkr(|j}n||jjkrRttj|n|S(NR7(tget_default_zoneR!RtRRt INVALID_ZONE(R'R!t_zone((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyR}s cCs(tj|s$ttj|ndS(N(RtcheckInterfaceRRtINVALID_INTERFACE(R't interface((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytcheck_interfacescCs|jj|dS(N(R t check_service(R'R ((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyRscCs tj|}|dksY|dksY|dksYt|dkr|d|dkr|dkrytjd|nz|dkrtjd|nZ|dkrtjd|n:t|dkr|d|dkrtjd |nttj|ndS( Niiiiis'%s': port > 65535s'%s': port is invalids'%s': port is ambiguouss'%s': range start >= end( Rt getPortRangeRZRkR RTRRt INVALID_PORT(R'tporttrange((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt check_ports$&   &cCsA|sttjn|dkr=ttjd|ndS(Nttcptudptsctptdccps''%s' not in {'tcp'|'udp'|'sctp'|'dccp'}(RRRR(RRtMISSING_PROTOCOLtINVALID_PROTOCOL(R'tprotocol((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt check_tcpudps   cCs(tj|s$ttj|ndS(N(RtcheckIPRRt INVALID_ADDR(R'tip((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytcheck_ipscCs||dkr3tj|sxttj|qxnE|dkrftj|sxttj|qxnttjddS(Ntipv4tipv6s'%s' not in {'ipv4'|'ipv6'}(Rt checkIPnMaskRRRt checkIP6nMaskt INVALID_IPV(R'tipvtsource((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt check_addresss   
cCs|jj|dS(N(Rtcheck_icmptype(R'ticmp((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyRscCsdS(N((R'R((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyR~scCs|jS(N(R*(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyt get_statescCsdS(N((R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytenable_panic_modescCsdS(N((R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytdisable_panic_modescCs|jS(N(R+(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytquery_panic_modescCs|jS(N(R3(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytget_log_deniedscCs|tjkr:ttjd|djtjfn||jkr||_|jj d||jj |j nttj |dS(Ns'%s', choose from '%s's','RJ( RtLOG_DENIED_VALUESRRt INVALID_VALUEtjoinRR3RtsettwriteR~t ALREADY_SET(R'R((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytset_log_denieds    cCs|jS(N(R4(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytget_automatic_helpersscCs|tjkr:ttjd|djtjfn||jkr||_|jj d||jj |j nttj |dS(Ns'%s', choose from '%s's','RL( RtAUTOMATIC_HELPERS_VALUESRRRRRR4RRRR~R(R'R((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytset_automatic_helperss    cCs|jS(N(R,(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyRscCs`|j|}||jkrJ||_|jjd||jjnttj|dS(NR@(R}R,RRRRRtZONE_ALREADY_SET(R'R!R((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytset_default_zones  cCs$|jjdd|jjdS(NRERF(RRR(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyR\(scCs$|jjdd|jjdS(NRERC(RRR(R'((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pytdisable_lockdown,s("t__name__t __module__R(R5R&R?RRRRfRRRR}RRRRRRRR~RRRRRRRRRRR\R(((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyR7s>                        (0t__all__tos.pathRyRvR_tfirewallRRtfirewall.core.fw_icmptypeRtfirewall.core.fw_serviceRtfirewall.core.fw_zoneRtfirewall.core.fw_directRtfirewall.core.fw_configRtfirewall.core.fw_policiesRtfirewall.core.fw_ipsetR tfirewall.core.fw_helperR 
tfirewall.core.loggerR tfirewall.core.io.firewalld_confR tfirewall.core.io.directR tfirewall.core.io.serviceRtfirewall.core.io.icmptypeRtfirewall.core.io.zoneRRtfirewall.core.io.ipsetRtfirewall.core.ipsetRtfirewall.core.io.helperRRtfirewall.errorsRtobjectR(((s9/usr/lib/python2.7/site-packages/firewall/core/fw_test.pyts2    core/fw_service.py000064400000003147147576556050010233 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2011-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
# __all__ = [ "FirewallService" ] from firewall import errors from firewall.errors import FirewallError class FirewallService(object): def __init__(self, fw): self._fw = fw self._services = { } def __repr__(self): return '%s(%r)' % (self.__class__, self._services) def cleanup(self): self._services.clear() # zones def get_services(self): return sorted(self._services.keys()) def check_service(self, service): if service not in self._services: raise FirewallError(errors.INVALID_SERVICE, service) def get_service(self, service): self.check_service(service) return self._services[service] def add_service(self, obj): self._services[obj.name] = obj def remove_service(self, service): self.check_service(service) del self._services[service] core/io/direct.pyo000064400000034713147576556050010142 0ustar00 c`c@s ddljZddlZddlZddlZddlmZddlmZddl m Z m Z m Z ddl mZmZmZddlmZddlmZddlmZdd lmZdd lmZd efd YZd efdYZdS(iN(tconfig(tLastUpdatedOrderedDict(t splitArgstjoinArgst u2b_if_py2(t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGenerator(tlog(t ipXtables(tebtables(terrors(t FirewallErrortdirect_ContentHandlercBs#eZdZdZdZRS(cCstj||t|_dS(N(Rt__init__tFalsetdirect(tselftitem((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR(scCstj||||jj|||dkr\|jrPttjdnt|_n|dkr|jst j ddS|d}|d}|d}|jj t |t |t |n+|dkr|jst j ddS|d}|dkr ttj d |n|d}|d}yt|d }Wn'tk rqt j d|d dSXt |t |t ||g|_nZ|dkr|jst j ddS|d}t |g|_nt j d|dSdS(NRsMore than one direct tag.tchains$Parse Error: chain outside of directtipvttabletrules#Parse Error: rule outside of directtipv4tipv6tebs"'%s' not from {'ipv4'|'ipv6'|'eb'}tprioritys'Parse Error: %s is not a valid priorityt passthroughs&Parse Error: command outside of directsUnknown XML element %s(RRR(Rt startElementRtparser_check_element_attrsRR R t PARSE_ERRORtTrueRterrort add_chainRt INVALID_IPVtintt ValueErrort_rulet _passthrough(RtnametattrsRRRR((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR,sT                          
cCstj|||dkr|jrm|jjgt|jD]}t|^q>|jj|jn t j dd|_nz|dkr|jr|j jgt|jD]}t|^q|jj |j nt j ddd|_ ndS(NRs2Error: rule does not have any arguments, ignoring.Rs0Error: passthrough does not have any arguments, s ignoring.(Rt endElementt_elementR%tappendRRRtadd_ruleRR tNoneR&tadd_passthrough(RR'tx((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR)^s    &     & (t__name__t __module__RRR)(((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR 's  2tDirectcBseZdZdd(gfddddddgfgfdddgfgffZdZid)d6dd d gd 6dd d d gd 6dgd 6ZiZdZdZ dZ dZ dZ dZ dZdZdZdZdZdZdZdZdZdZdZdZd Zd!Zd"Zd#Zd$Zd%Zd&Z d'Z!RS(*s Direct class tchainsttrulesit passthroughss(a(sss)a(sssias)a(sas))RRRRRRRcCsDtt|j||_t|_t|_t|_dS(N(tsuperR2RtfilenameRR3R5R6(RR8((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyRs    cCsdS(N((RtconfR((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt _check_configsc CsNg}g}xO|jD]D}x;|j|D],}|jtt|t|gq*WqW|j|g}xe|jD]Z}xQ|j|D]B}|jt|d|d|d|dt|dfqWq{W|j|g}xH|jD]=}x4|j|D]%}|jt|t|fq WqW|j|t|S(Niii(R3R+ttupletlistR5R6(RtretR/tkeyRR((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt export_configs$. 
% ' cCs|j|j|xt|jD]\}\}}|dkrjx"||D]}|j|qPWn|dkrx"||D]}|j|qWn|dkr'x"||D]}|j|qWq'q'WdS(NR3R5R6(tcleanupt check_configt enumeratetIMPORT_EXPORT_STRUCTURER!R,R.(RR9titelementtdummyR/((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt import_configs  "   cCs+|jj|jj|jjdS(N(R3tclearR5R6(R((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR@s  cCsdGHx;|jD]0}d|d|ddj|j|fGHqWdGHxe|jD]Z}d|d|d|dfGHx3|j|D]$\}}d |d j|fGHqWqRWd GHxD|jD]9}d |GHx'|j|D]}d d j|GHqWqWdS(NR3s (%s, %s): %siit,R5s (%s, %s, %s):is (%d, ('%s'))s','R6s %s:s ('%s')(R3tjoinR5R6(RR>Rtargs((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pytoutputs  cCs>dddg}||kr:ttjd||fndS(NRRRs'%s' not in '%s'(R R R"(RRtipvs((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt _check_ipvs  cCsf|j||dkr(tjjn tjj}||krbttjd||fndS(NRRs'%s' not in '%s'(sipv4sipv6(RNR tBUILT_IN_CHAINStkeysR R R t INVALID_TABLE(RRRttables((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt_check_ipv_tables    cCs|j||||f}||jkr;g|j|((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR!s  cCs|j||||f}||jkr{||j|kr{|j|j|t|j|dkr|j|=qntd|||fdS(Nis4Chain '%s' with table '%s' with ipv '%s' not in list(RSR3tremovetlenR$(RRRRR>((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt remove_chains "cCs<|j||||f}||jko;||j|kS(N(RSR3(RRRRR>((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt query_chains cCsP|j||||f}||jkr6|j|Std||fdS(Ns&No chains for table '%s' with ipv '%s'(RSR3R$(RRRR>((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt get_chainss   cCs|jS(N(R3(R((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pytget_all_chainsscCs|j|||||f}||jkrAt|j|tvalue((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR,s'cCs|j|||||f}|t|f}||jkr||j|kr|j||=t|j|dkr|j|=qn0tddj|||fd||fdS(Nis(Rule '%s' for table '%s' and chain '%s' s',s)with ipv '%s' and priority %d not in 
list(RSR;R5RVR$RJ(RRRRRRKR>R[((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt remove_rules"cCs|j|||||f}||jkrx)|j|jD]}|j||=qBWt|j|dkr|j|=qndS(Ni(RSR5RPRV(RRRRR>R[((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt remove_rules"scCsQ|j|||||f}|t|f}||jkoP||j|kS(N(RSR;R5(RRRRRRKR>R[((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt query_rule+scCs[|j|||||f}||jkr9|j|Std||fd|dS(Ns'No rules for table '%s' and chain '%s' s with ipv '%s'(RSR5R$(RRRRR>((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt get_rules1s  cCs|jS(N(R5(R((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt get_all_rules:scCs~|j|||jkr,g|j|RRRRRK((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pytwriteusZ               (R4R4R4N("R0R1t__doc__RCtDBUS_SIGNATURER-tPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSRR:R?RGR@RLRNRSR!RWRXRYRZR,R\R]R^R_R`R.RaRbRcRdRwR(((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR2usJ                  (txml.saxRhR{RR~tfirewallRtfirewall.fw_typesRtfirewall.functionsRRRtfirewall.core.io.io_objectRRRtfirewall.core.loggerRt firewall.coreR R R tfirewall.errorsR R R2(((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyts   Ncore/io/ifcfg.py000064400000014345147576556050007566 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2011-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
# """ifcfg file parser""" __all__ = [ "ifcfg" ] import os.path import io import tempfile import shutil from firewall.core.logger import log from firewall.functions import b2u, u2b, PY2 class ifcfg(object): def __init__(self, filename): self._config = { } self._deleted = [ ] self.filename = filename self.clear() def clear(self): self._config = { } self._deleted = [ ] def cleanup(self): self._config.clear() def get(self, key): return self._config.get(key.strip()) def set(self, key, value): _key = b2u(key.strip()) self._config[_key] = b2u(value.strip()) if _key in self._deleted: self._deleted.remove(_key) def __str__(self): s = "" for (key, value) in self._config.items(): if s: s += '\n' s += '%s=%s' % (key, value) return u2b(s) if PY2 else s # load self.filename def read(self): self.clear() try: f = open(self.filename, "r") except Exception as msg: log.error("Failed to load '%s': %s", self.filename, msg) raise for line in f: if not line: break line = line.strip() if len(line) < 1 or line[0] in ['#', ';']: continue # get key/value pair pair = [ x.strip() for x in line.split("=", 1) ] if len(pair) != 2: continue if len(pair[1]) >= 2 and \ pair[1].startswith('"') and pair[1].endswith('"'): pair[1] = pair[1][1:-1] if pair[1] == '': continue elif self._config.get(pair[0]) is not None: log.warning("%s: Duplicate option definition: '%s'", self.filename, line.strip()) continue self._config[pair[0]] = pair[1] f.close() def write(self): if len(self._config) < 1: # no changes: nothing to do return # handled keys done = [ ] try: temp_file = tempfile.NamedTemporaryFile( mode='wt', prefix="%s." 
% os.path.basename(self.filename), dir=os.path.dirname(self.filename), delete=False) except Exception as msg: log.error("Failed to open temporary file: %s" % msg) raise modified = False empty = False try: f = io.open(self.filename, mode='rt', encoding='UTF-8') except Exception as msg: if os.path.exists(self.filename): log.error("Failed to open '%s': %s" % (self.filename, msg)) raise else: f = None else: for line in f: if not line: break # remove newline line = line.strip("\n") if len(line) < 1: if not empty: temp_file.write(u"\n") empty = True elif line[0] == '#': empty = False temp_file.write(line) temp_file.write(u"\n") else: p = line.split("=", 1) if len(p) != 2: empty = False temp_file.write(line+u"\n") continue key = p[0].strip() value = p[1].strip() if len(value) >= 2 and \ value.startswith('"') and value.endswith('"'): value = value[1:-1] # check for modified key/value pairs if key not in done: if key in self._config and self._config[key] != value: empty = False temp_file.write(u'%s=%s\n' % (key, self._config[key])) modified = True elif key in self._deleted: modified = True else: empty = False temp_file.write(line+u"\n") done.append(key) else: modified = True # write remaining key/value pairs if len(self._config) > 0: for (key, value) in self._config.items(): if key in done: continue if not empty: empty = True temp_file.write(u'%s=%s\n' % (key, value)) modified = True if f: f.close() temp_file.close() if not modified: # not modified: remove tempfile os.remove(temp_file.name) return # make backup if os.path.exists(self.filename): try: shutil.copy2(self.filename, "%s.bak" % self.filename) except Exception as msg: os.remove(temp_file.name) raise IOError("Backup of '%s' failed: %s" % (self.filename, msg)) # copy tempfile try: shutil.move(temp_file.name, self.filename) except Exception as msg: os.remove(temp_file.name) raise IOError("Failed to create '%s': %s" % (self.filename, msg)) else: os.chmod(self.filename, 0o600) 
core/io/__init__.py000064400000003074147576556050010244 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2012 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # # fix xmlplus to be compatible with the python xml sax parser and python 3 # by adding __contains__ to xml.sax.xmlreader.AttributesImpl import xml if "_xmlplus" in xml.__file__: from xml.sax.xmlreader import AttributesImpl if not hasattr(AttributesImpl, "__contains__"): # this is missing: def __AttributesImpl__contains__(self, name): return name in getattr(self, "_attrs") # add it using the name __contains__ setattr(AttributesImpl, "__contains__", __AttributesImpl__contains__) from xml.sax.saxutils import XMLGenerator if not hasattr(XMLGenerator, "_write"): # this is missing: def __XMLGenerator_write(self, text): getattr(self, "_out").write(text) # add it using the name _write setattr(XMLGenerator, "_write", __XMLGenerator_write) core/io/zone.pyo000064400000057327147576556050007651 0ustar00 c`c@sjdddgZddljZddlZddlZddlZddlmZddlm Z m Z m Z m Z m Z mZmZmZmZmZddlmZmZddlmZmZmZmZmZmZmZdd lmZdd l m!Z!dd lm"Z"dd l#m$Z$defd YZ%defdYZ&e'dZ(e)dZ*dS(tZonet zone_readert zone_writeriN(tconfig( tcheckIPtcheckIP6t checkIPnMaskt checkIP6nMasktcheckInterfacetuniqifytmax_zone_name_lent u2b_if_py2t check_mactportStr(tDEFAULT_ZONE_TARGETt ZONE_TARGETS(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGeneratort check_portt 
check_tcpudptcheck_protocol(trich(tlog(terrors(t FirewallErrorcBsEeZdZdAdBdCdefdDddgfddEgfd dgfd efd dFgfd dgfd dgfddgfddgfddGgfdeffZdZdddgZidHd6dHd6dHd6dgd6ddgd6dgd6dgd6ddgd6dgd6dHd6dHd 6d!gd"6d#gd6ddgd$6dHd%6dHd&6dHd'6dHd(6dHd)6d*gd+6d#gd,6dHd-6Zidd.ddgd6d/gd 6d0d1gd6d2gd6d!d3d4d2d5gd 6d4gd"6d6d7gd%6d8gd(6Z e d9Z d:Z d;Z d<Zd=Zd>Zd?Zd@ZRS(Is Zone class tversionttshortt descriptiontUNUSEDttargettservicestportst icmp_blockst masqueradet forward_portst interfacestsourcest rules_strt protocolst source_portsticmp_block_inversions&(sssbsasa(ss)asba(ssss)asasasasa(ss)b)t_t-t/tzonetnametservicetporttprotocols icmp-blocks icmp-types forward-portt interfacetruletsourcetaddresst destinationtvalues source-portRtaudittaccepttrejecttdroptsettmarktlimitsicmp-block-inversiont immutabletenabledsto-portsto-addrtfamilytmactinverttipsettprefixtlevelttypecCsLx3ttjD]"\}\}}||kr|SqWttjddS(Ns index_of()(t enumerateRtIMPORT_EXPORT_STRUCTURERRt UNKNOWN_ERROR(telementtiteltdummy((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytindex_ofbs" cCstt|jd|_d|_d|_t|_t|_ g|_ g|_ g|_ g|_ t|_g|_g|_g|_g|_d|_g|_g|_t|_t|_t|_dS(NR(tsuperRt__init__RRRtFalseRRR R!R"R)R#R$R%R*R&R'tNonet fw_configtrulesR(R+tcombinedtapplied(tself((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRSis*                   cCsd|_d|_d|_t|_t|_|j2|j2|j 2|j 2t|_ |j 2|j 2|j2|j2d|_|j2|j2t|_t|_t|_dS(NR(RRRRTRRR R!R"R)R#R$R%R*R&R'RURVRWR(R+RXRY(RZ((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytcleanups(         c Cs t|j|_t|j|_t|j|_t|j|_g|jD]}t|^qR|_g|jD]$\}}t|t|f^qw|_g|jD]}t|^q|_g|jD]}t|^q|_g|j D]<\}}}}t|t|t|t|f^q|_ g|j D]$\}}t|t|f^qG|_ g|j D]}t|^q~|_ g|j D]}t|^q|_ g|j D]}t|^q|_ g|jD]}t|^q|_dS(s HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. 
Get rid of it once we throw out python 2 support.N(R RRRR R!R"R)R#R%R*R&R'RWR(( RZtstpotprRNtp1tp2tp3tp4((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytencode_stringss%7%%O4%%%cCs|dkrlg|D]}tjd|^q|_tt|j|g|jD]}t|^qPntt|j||dS(NR(trule_str(Rt Rich_RuleRWRRRt __setattr__tstr(RZR0R9R\((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRfs (8c Cs?|dkr]|jr]|jj}x|D]+}||kr+ttjd|q+q+Wn|dkrx|D]"}t|dt|dqpWn|dkrx|D]}t|qWnx|dkr |jr |jj}xQ|D]+}||krttj d|qqWn|d krx |D]} t| dt| d| d  r| d  rttj d | n| d rt| d n| d r3t | d  rt | d  rttj d | d qq3q3WnI|dkr.x:|D]"}t|dt|dqWn |dkr^|tkr;ttj|q;n|dkrx|D]'} t| sqttj| qqqqWn|dkr x|D]R} t|  rt|  rt|  r| jd rttj | qqWn0|dkr;x!|D]} tjd| qWndS(NR!s '%s' not among existing servicesR"iiR)R#s"'%s' not among existing icmp typesR%iis$'%s' is missing to-port AND to-addr s#to-addr '%s' is not a valid addressR*R R&R'sipset:R(Rd(RVt get_servicesRRtINVALID_SERVICERRRt get_icmptypestINVALID_ICMPTYPEtINVALID_FORWARDRRt INVALID_ADDRRtINVALID_TARGETRtINVALID_INTERFACERRR t startswithRRe( RZRtitemtexisting_servicesR1R2tprototexisting_icmptypesticmptypetfwd_portR4R6R5((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyt _check_configsn              "           cCstt|j||jdr>ttjd|n|jdrfttjd|n|jddkrttjd|nnd|kr||j d }n|}t |t krttjd|t |t |j fndS(NR.s'%s' can't start with '/'s'%s' can't end with '/'ismore than one '/' in '%s's'Zone of '%s' has %d chars, max is %d %s( RRRt check_nameRpRRt INVALID_NAMEtendswithtcounttfindtlenR RX(RZR0t checked_name((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRxs&      c CsEt|_d|_d|_d|_d|_x3|jD](}||jkr7|jj|q7q7Wx3|j D](}||j krm|j j|qmqmWx3|j D](}||j kr|j j|qqWx3|j D](}||j kr|j j|qqWx3|j D](}||j kr|j j|qqWx3|j D](}||j krE|j j|qEqEW|jrt|_nx3|jD](}||jkr|jj|qqWx3|jD](}||jkr|jj|qqWx7|jD],} |jj| |jjt| qW|jrAt|_ndS(NR(tTrueRXRUtfilenameRRRR&tappendR'R!R"R)R#R$R%R*RWR(RgR+( RZR/R4R6R1R2RsticmptforwardR5((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytcombinesH        
(sversionR(sshortR(s descriptionR(stargetR(RR(RRRR(RRN(t__name__t __module__t__doc__RTRKtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARSRUtPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSt staticmethodRQRSR[RcRfRwRxR(((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyR(sv                                  9 tzone_ContentHandlercBs#eZdZdZdZRS(cCs/tj||d|_t|_d|_dS(N(RRSRUt_ruleRTt _rule_errort _limit_ok(RZRq((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRS,s  c Cswtj||||jr dS|jj|||dkrd|krbtjd|dnd|kr|d|j_nd|krtjd|dnd|krs|d}|tkrt t j |n|dkr|t kr||j_ qqsnk|d krn\|d kr&nM|d kr|jr|jjrmtjd t|jt|_dStj|d|j_dS|d|jjkr|jjj|dqstjd |dn |dkr|jr<|jjrtjd t|jt|_dStj|d|d|j_dSt|dt|dt|dd|df}||jjkr|jjj|qstjd|d|dn |dkrs|jr|jjrtjd t|jt|_dStj|d|j_qst|d|d|jjkr\|jjj|dqstjd|dn |dkr|jr|jjrtjd t|jt|_dStj|d|j_dS|d|jjkr|jjj|dqstjd|dnU |dkr|jr|jjretjd t|jt|_dStj |d|j_dStjd|dn |dkrZd|kr|dj!d`krtjd|ddS|jr/|jjrtjd t|jt|_dStj"|j_qs|jj#rKtjdqst|j_#n |dkrd}d|kr|d}nd}d |kr|d }n|jr |jjrtjd t|jt|_dStj$|d|d|||j_dSt|dt|d|r8t|n|rtt%| rtt&| rtt t j'd!|qtnt|dd|dt|dt|f}||jj(kr|jj(j|qstjd"|d|d|rd#|nd|rd$|ndna|d%kr|jr}|jjrYtjd t|jt|_dStj)|d|d|j_dSt|dt|dt|dd|df}||jj*kr|jj*j|qstjd&|d|dnw|d'kr|jr+tjd(t|_dSd|krQtjd)t|_dS|d|jj+kr|jj+j|dqstjd*|dn|d+kr, |jr |jj,rtjd,t|jt|_dSt-}d-|kr |d-j!dakr t}nd}} } d0|kr7 |d0}nd1|krP |d1} nd2|kri |d2} ntj/|| | d-||j_,dSd0|kr d2|kr tjd3dSd0|kr d2|kr tjd4dSd5|kr tjd6|d5nd-|kr tjd7dSd0|kr{ t0|d0 r{ t1|d0 r{ t2|d0 r{ t t j'|d0q{ nd2|kr d8|d2}||jj3kr |jj3j|q tjd9|d0nd0|krs|d0}||jj3kr |jj3j|q) tjd9|d0qsnG|d:kr |js[ tjd;t|_dS|jj4r tjd<t|jdSt-}d-|kr |d-j!dbkr t}ntj5|d0||j_4n|dckr |js tjdAt|_dS|jj6r) tjdBt|_dS|d=krJ tj7|j_6n|d>kr d} dC|kru |dC} ntj8| |j_6nO|d?kr tj9|j_6n.|d@kr |dD} tj:| |j_6n|jj6|_;n|dEkr |js tjdFdS|jjr1 tjdGdSd} dH|krv |dH} | ddkrv tjdQt|_dSndR|kr |dRnd}tj<|| |j_|jj|_;n|dSkr8|js 
tjdTdS|jj=rtjdUt|jt|_dStj>|j_=|jj=|_;n;|dVkrd}d5|kr|d5}|dekrtjdY|d5t|_dSntj?||_n|dZkr(|j;stjd[t|_dS|j;j@rtjd\t|jt|_dS|d}tjA||j;_@nK|d]kr_|jjBrPtjd^qst|j_Bntjd_|dSdS(fNR/R0s'Ignoring deprecated attribute name='%s'RRAs,Ignoring deprecated attribute immutable='%s'R RRRR1s;Invalid rule: More than one element in rule '%s', ignoring.s#Service '%s' already set, ignoring.R2R3R-s#Port '%s/%s' already set, ignoring.R9s$Protocol '%s' already set, ignoring.s icmp-blocks&icmp-block '%s' already set, ignoring.s icmp-types-Invalid rule: icmp-block '%s' outside of ruleR$RBtnotfalses*Ignoring deprecated attribute enabled='%s's!Masquerade already set, ignoring.s forward-portsto-portsto-addrs#to-addr '%s' is not a valid addresss-Forward port %s/%s%s%s already set, ignoring.s >%ss @%ss source-ports*Source port '%s/%s' already set, ignoring.R4s$Invalid rule: interface use in rule.s Invalid interface: Name missing.s%Interface '%s' already set, ignoring.R6s:Invalid rule: More than one source in rule '%s', ignoring.REtyesttrueR7RDRFs$Invalid source: No address no ipset.s"Invalid source: Address and ipset.RCs)Ignoring deprecated attribute family='%s's+Invalid source: Invertion not allowed here.sipset:%ss"Source '%s' already set, ignoring.R8s)Invalid rule: Destination outside of rules?Invalid rule: More than one destination in rule '%s', ignoring.R;R<R=R?s$Invalid rule: Action outside of rules"Invalid rule: More than one actionRIR>Rs!Invalid rule: Log outside of rulesInvalid rule: More than one logRHtemergtalerttcritterrortwarningtnoticetinfotdebugsInvalid rule: Invalid log levelRGR:s#Invalid rule: Audit outside of rules9Invalid rule: More than one audit in rule '%s', ignoring.R5tipv4tipv6s&Invalid rule: Rule family "%s" invalidR@s4Invalid rule: Limit outside of action, log and audits9Invalid rule: More than one limit in rule '%s', ignoring.sicmp-block-inversions+Icmp-Block-Inversion already set, ignoring.sUnknown XML element 
'%s'(RR(syesR(syesR(sacceptsrejectsdropsmark(RRRserrorswarningRsinfosdebug(RR(CRt startElementRRqtparser_check_element_attrsRRRRRRRnRR RRMRgRRt Rich_ServiceR!Rt Rich_PortRRR R"t Rich_ProtocolRR)tRich_IcmpBlockR#t Rich_IcmpTypetlowertRich_MasqueradeR$tRich_ForwardPortRRRmR%tRich_SourcePortR*R&R6RTRUt Rich_SourceRRR R'R8tRich_Destinationtactiont Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_MarkRtRich_LogR:t Rich_AuditReR@t Rich_LimitR+(RZR0tattrsR tentrytto_porttto_addrREtaddrRDRFt_typet_setRHRGRCR9((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyR2st                                                                                                                                                                 cCstj|||dkr|jsy|jjWn/tk rg}tjd|t|jqXt|j|j j kr|j j j |j|j j j t|jqtjdt|jnd|_t|_n|d krd|_ndS( NR5s%s: %ss Rule '%s' already set, ignoring.R;R<R=R?RR:(sacceptsrejectsdropsmarkslogsaudit(Rt endElementRRtcheckt ExceptionRRRgRqR(RWRRURTR(RZR0te((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRs        (RRRSRR(((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyR+s  dc Csbt}|jds1ttjd|n|d |_|sW|j|jn||_||_|j t j rt nt |_|j|_t|}tj}|j|d||f}t|di}tjd}|j|y|j|Wn2tjk r>} ttjd| jnXWdQX~~tr^|jn|S(Ns.xmls'%s' is missing .xml suffixis%s/%strbsnot a valid zone file: %s(RRzRRRyR0RxRtpathRpRt ETC_FIREWALLDRTRtbuiltintdefaultRtsaxt make_parsertsetContentHandlertopent InputSourceRUt setByteStreamtparsetSAXParseExceptiont INVALID_ZONEt getExceptionRRc( RRt no_check_nameR/thandlertparserR0tfR6tmsg((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRs:     !       
c Cs% |r |n|j}|jr4d||jf}nd||jf}tjj|rytj|d|Wqtk r}tj d||qXntjj |}|j t j rtjj| rtjjt j stjt j dntj|dntj|dddd }t|}|ji}|jrq|jd krq|j|d d kr{ |j0j>|d%t1|jG|jGjEr |jd-|j|||jd4|jd5i|jGjEj8d6|jd6|j|n|jd-|j|||jdn|jd|jd)|jdqW|jd |jd|jN|jO~dS(?Ns%s/%ss %s/%s.xmls%s.oldsBackup of file '%s' failed: %sitmodetwttencodingsUTF-8RRR R/s s RRR4R0sipset:R6iRFR7R1R2iiR3R9sicmp-block-inversions icmp-blockR$isto-portisto-addrs forward-ports source-portRCR5RDRREs R8s icmp-types#Unknown element '%s' in zone_writerRGRHRs R@s R:R;R<RIR=R?R>sUnknown action '%s'(PRRR0tostexiststshutiltcopy2RRRtdirnameRpRRtmkdirtioRRt startDocumentRR RRtignorableWhitespaceRt charactersRRR R&t simpleElementR'R!R"R)R+R#R$R%R*RWRCR6RRDRFRER8RMRIRRRR2R3RR9RRRRRt to_addressRRRtINVALID_OBJECTRGRHR@R:RRRRRR>Rt endDocumenttclose(R/Rt_pathR0RtdirpathRRRR4R6R1R2R3RRR5RMR((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRs %            &                                                         (+t__all__txml.saxRRRRtfirewallRtfirewall.functionsRRRRRR R R R R tfirewall.core.baseRRtfirewall.core.io.io_objectRRRRRRRt firewall.coreRtfirewall.core.loggerRRtfirewall.errorsRRRRTRRUR(((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyts$   F4 core/io/helper.pyc000064400000016321147576556050010126 0ustar00 c`c@sdddgZddljZddlZddlZddlZddlmZddlm Z ddl m Z m Z m Z mZmZmZddlmZdd lmZdd lmZde fd YZd e fd YZdZddZdS(tHelpert helper_readert helper_writeriN(tconfig(t u2b_if_py2(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGeneratort check_portt check_tcpudp(tlog(terrors(t FirewallErrorcBseZdddddddgffZdZdd gZidd6dd6dgd 6Zid ddgd 6d d gd 6ZdZdZ dZ dZ dZ RS(tversionttshortt descriptiontfamilytmoduletportss (sssssa(ss))t-t.thelpertnametporttprotocolcCsMtt|jd|_d|_d|_d|_d|_g|_dS(NR( tsuperRt__init__RRRRRR(tself((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pyR;s     cCs8d|_d|_d|_d|_d|_|j2dS(NR(RRRRRR(R((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pytcleanupDs      
cCst|j|_t|j|_t|j|_t|j|_t|j|_g|jD]$\}}t|t|f^qd|_dS(s HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. Get rid of it once we throw out python 2 support.N(RRRRRRR(Rtpotpr((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pytencode_stringsLs cCs;ddg}||kr7ttjd||fndS(Ntipv4tipv6s'%s' not in '%s'(R R t INVALID_IPV(Rtipvtipvs((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pyt check_ipvWs   cCs|dkr<x|D]"}t|dt|dqWnn|dkr|jdspttjd|nt|jdddkrttjd|qndS( NRiiRt nf_conntrack_s('%s' does not start with 'nf_conntrack_'RsModule name '%s' too short(R R t startswithR R tINVALID_MODULEtlentreplace(RRtitemR((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pyt _check_config]s    (sversionR(sshortR(s descriptionR(sfamilyR(smoduleR(RRN( t__name__t __module__tIMPORT_EXPORT_STRUCTUREtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARStNonetPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSRRR!R'R.(((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pyR&s(    thelper_ContentHandlercBseZdZRS(cCstj||||jj|||dkrd|krQ|d|j_nd|kr|jj|d|d|j_nd|kr|djdstt j d|dnt |dj dddkrtt j d |dn|d|j_ qn|d kr$n|d kr3n|d krt|d t|d |d |d f}||jjkr|jjj|qtjd|d |d ndS(NRRRRR(s('%s' does not start with 'nf_conntrack_'RisModule name '%s' too shortRRRRs#Port '%s/%s' already set, ignoring.(Rt startElementR-tparser_check_element_attrsRR'RR)R R R*R+R,RR R RtappendR twarning(RRtattrstentry((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pyR8ns>    "    (R/R0R8(((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pyR7msc CsYt}|jds1ttjd|n|d |_|j|j||_||_|j t j rxt nt |_|j|_t|}tj}|j|d||f}t|di}tjd}|j|y|j|Wn2tjk r5}ttjd|jnXWdQX~~trU|jn|S(Ns.xmls'%s' is missing .xml suffixis%s/%strbsnot a valid helper file: %s(RtendswithR R t INVALID_NAMERt check_nametfilenametpathR)Rt ETC_FIREWALLDtFalsetTruetbuiltintdefaultR7tsaxt make_parsertsetContentHandlertopent InputSourceR4t setByteStreamtparsetSAXParseExceptiontINVALID_HELPERt 
getExceptionRR!( RBRCRthandlertparserRtftsourcetmsg((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pyRs8     !       c Cs|r |n|j}|jr4d||jf}nd||jf}tjj|rytj|d|Wqtk r}tj d||qXntjj |}|j t j rtjj| rtjjt j stjt j dntj|dntj|dddd }t|}|ji}|j|d <|jr~|jd kr~|j|d s   .G# core/io/ipset.pyo000064400000033010147576556050010001 0ustar00 c`c@sgdZdddgZddljZddlZddlZddlZddlmZddl m Z m Z m Z m Z mZmZmZmZmZddlmZmZmZmZdd lmZmZdd lmZmZmZmZdd l m!Z!dd lm"Z"dd l#m$Z$defdYZ%defdYZ&dZ'e(dZ)dS(s$ipset io XML handler, reader, writertIPSett ipset_readert ipset_writeriN(tconfig( tcheckIPtcheckIP6t checkIPnMaskt checkIP6nMaskt u2b_if_py2t check_mact check_porttcheckInterfacet checkProtocol(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGenerator(t IPSET_TYPEStIPSET_CREATE_OPTIONS(tcheck_icmp_nametcheck_icmp_typetcheck_icmpv6_nametcheck_icmpv6_type(tlog(terrors(t FirewallErrorcBseZdddddidd6fddgffZdZdd d d gZidd6dd6dgd 6d gd6dd6Zidgd 6dgd6ZdZdZ dZ e dZ dZ dZRS(tversionttshortt descriptionttypetoptionstentriess (ssssa{ss}as)t_t-t:t.tipsettnametoptiontentrytvaluecCsVtt|jd|_d|_d|_d|_g|_i|_t |_ dS(NR( tsuperRt__init__RRRRR RtFalsetapplied(tself((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyR+Cs      cCsEd|_d|_d|_d|_|j2|jjt|_dS(NR( RRRRR RtclearR,R-(R.((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pytcleanupMs     cCst|j|_t|j|_t|j|_t|j|_d|jjD|_g|jD]}t|^qn|_dS(s HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. 
Get rid of it once we throw out python 2 support.cSs+i|]!\}}t|t|qS((R(t.0tktv((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pys ^s N(RRRRRRtitemsR (R.te((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pytencode_stringsVsc Csd}d|kr.|ddkr.d}q.n|jdsVttjd|n|djd}|jd}t|t|kst|d krttjd ||fnx'tt|D]}||}||}|d krd |kr|dkr|d kr@ttjd |||fn|jd } t| dkrttjd||||fnx| D]]} |dkrt|  s|dkrt |  rttjd| |||fqqWq|dkrL|dkr.ttjd||||fn|dkrCt } qRt} nt } | |sttjd||||fqq|dkrbd |kr|jd } t| dkrttjd||||fn|dkrt| d s|dkrGt | d rGttjd| d|||fn|dkrdt | d  s|dkr_t | d  r_ttjd| d |||fq_q|j dr|dko|dko|dksttjd||||fqn|dkr!t | s:|dkrt | rttjd||||fqq|dkrt | s|dkrttjd||fqq|dkrd|kr{|jd} t| dkrttjd|n| ddkr~|dkr6ttjd||fnt| d  rxt| d  rxttjd| d |fqxq| dd1kr|dkrttjd||fnt| d  rxt| d  rxttjd!| d |fqxq| dd2krEt| d rEttjd&| d|fqt| d sttjd'| d |fqqt|sttjd(||fqq|d)kr|jd*r yt|d+} WqJtk rttjd,||fqJXn@yt|} Wn-tk rIttjd,||fnX| dksb| d-krttjd,||fqq|d.krt| st|d/krttjd0||fqqttjd|qWdS(3Ntipv4tfamilytinet6tipv6shash:sipset type '%s' not usableit,is)entry '%s' does not match ipset type '%s'tipR"s invalid address '%s' in '%s'[%d]is.invalid address range '%s' in '%s' for %s (%s)s(invalid address '%s' in '%s' for %s (%s)s0.0.0.0itnets/0shash:net,ifacetmacs00:00:00:00:00:00s invalid mac address '%s' in '%s'tportR#sinvalid port '%s'ticmps(invalid protocol for family '%s' in '%s'sinvalid icmp type '%s' in '%s'ticmpv6s ipv6-icmps invalid icmpv6 type '%s' in '%s'ttcptsctptudptudplitesinvalid protocol '%s' in '%s'sinvalid port '%s'in '%s'sinvalid port '%s' in '%s'tmarkt0xisinvalid mark '%s' in '%s'Itifaceisinvalid interface '%s' in '%s'(RAs ipv6-icmp(RBRCRDRE(t startswithRRt INVALID_IPSETtsplittlent INVALID_ENTRYtrangeRRRRtendswithR RRRRR R tintt ValueErrorR ( R(Rt ipset_typeR8tflagsR4titflagtitemtsplitst_splittip_checktint_val((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyt check_entrybs@   *                            cCs>|dkr4|tkr4ttjd|q4n|dkr:x|jD]}|tkrxttjd|n|dkryt||}Wn1tk rttj d|||fnX|d kr3ttj d 
|||fq3qM|d krM||dkrMttj ||qMqMWndS(NRs'%s' is not valid ipset typeRsipset invalid option '%s'ttimeoutthashsizetmaxelems)Option '%s': Value '%s' is not an integeris#Option '%s': Value '%s' is negativeR8tinetR9(R\R]R^(R_sinet6( RRRt INVALID_TYPEtkeysRRJRPRQt INVALID_VALUEtINVALID_FAMILY(R.RRVtkeyt int_value((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyt _check_configs2          cCsd|dkrO|dddkrOt|ddkrOttjqOnx-|dD]!}tj||d|dqZWtt|j|dS(NR\it0iii(RLRRtIPSET_WITH_TIMEOUTRR[R*t import_config(R.RR(((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyRi3s $(sversionR(sshortR(s descriptionR(stypeRN(t__name__t __module__tIMPORT_EXPORT_STRUCTUREtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARStNonetPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSR+R0R6t staticmethodR[RfRi(((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyR,s.       tipset_ContentHandlercBseZdZdZRS(cCstj||||jj|||dkrd|kr~|dtkrkttjd|dn|d|j_nd|kr|d|j_ qn|dkrn|dkrn|dkrd}d |kr|d }n|d dkrttj d|d n|jjdkra|d dkrattj d|d |jjfn|d dkr| rttj d|d n|d dkryt |}Wn1t k rttj d|d |fnX|dkrttj d|d |fqn|d d krL|dkrLttj|n|d |jjkry||jj|d sd         "  cCs9tj|||dkr5|jjj|jndS(NR((Rt endElementRVR tappendt_element(R.R&((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyRyus (RjRkRtRy(((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyRs=s 7c Cst}|jds1ttjd|n|d |_|j|j||_||_|j t j rxt nt |_|j|_t|}tj}|j|d||f}t|di}tjd}|j|y|j|Wn2tjk r5}ttjd|jnXWdQX~~d|jkr|jddkrt|jd krtj d |j|j2nd } t!} x| t|jkru|j| | krtj d |j| |jj"| qy$|j#|j| |j|j$Wn3tk rS} tj d | |jj"| qX| j%|j| | d 7} qW~ t&r|j'n|S(Ns.xmls'%s' is missing .xml suffixis%s/%strbsnot a valid ipset file: %sR\Rgis6ipset '%s': timeout option is set, entries are ignoredsEntry %s already set, ignoring.s %s, ignoring.i((RRORRt INVALID_NAMER&t check_nametfilenametpathRIRt ETC_FIREWALLDR,tTruetbuiltintdefaultRstsaxt make_parsertsetContentHandlertopent InputSourceRot setByteStreamtparsetSAXParseExceptionRJt getExceptionRRLR RRwtsettpopR[RtaddR R6( 
RRR%thandlertparserR&tftsourcetmsgRTt entries_setR5((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyRzs^     !      "    $ c Csg|r |n|j}|jr4d||jf}nd||jf}tjj|rytj|d|Wqtk r}tj d||qXntjj |}|j t j rtjj| rtjjt j stjt j dntj|dntj|dddd }t|}|ji|jd 6}|jr{|jd kr{|j|d s$   @""= 5core/io/functions.pyc000064400000005302147576556050010654 0ustar00 c`c@sddlZddlmZddlmZddlmZddlmZddl m Z ddl m Z ddl mZdd lmZdd lmZdd lmZdd ZdS( iN(tconfig(t FirewallError(t zone_reader(tservice_reader(t ipset_reader(ticmptype_reader(t helper_reader(tDirect(tLockdownWhitelist(tfirewalld_confcCsittjtjgfd6ttjtjgfd6ttjtj gfd6t tj tj gfd6t tjtjgfd6}x#|jD]}x ||dD]}tjj|sqnxttj|D]}|jdryO||d||}|r)|dkr)|j|_n|j|jWqtk rq}t|jd ||jfqtk r}td ||fqXqqWqWqWtjjtjrTy0t tj}|j!|j|jWqTtk r%}t|jd tj|jfqTtk rP}td tj|fqTXntjjtj"ry0t#tj"}|j!|j|jWqtk r}t|jd tj"|jfqtk r}td tj"|fqXntjjtj$ryt%tj$}|j!Wqtk rh}t|jd tj$|jfqtk r}td tj$|fqXndS( Ntipsetthelperticmptypetservicetzoneis.xmlis'%s': %s(&RRtFIREWALLD_IPSETStETC_FIREWALLD_IPSETSRtFIREWALLD_HELPERStETC_FIREWALLD_HELPERSRtFIREWALLD_ICMPTYPEStETC_FIREWALLD_ICMPTYPESRtFIREWALLD_SERVICEStETC_FIREWALLD_SERVICESRtFIREWALLD_ZONEStETC_FIREWALLD_ZONEStkeystostpathtisdirtsortedtlistdirtendswitht fw_configt check_configt export_configRtcodetmsgt ExceptiontisfiletFIREWALLD_DIRECTRtreadtLOCKDOWN_WHITELISTRtFIREWALLD_CONFR (tfwtreaderstreadertdirtfiletobjterrorR$((s>/usr/lib/python2.7/site-packages/firewall/core/io/functions.pyR!$s^") %  % %(RtfirewallRtfirewall.errorsRtfirewall.core.io.zoneRtfirewall.core.io.serviceRtfirewall.core.io.ipsetRtfirewall.core.io.icmptypeRtfirewall.core.io.helperRtfirewall.core.io.directRt#firewall.core.io.lockdown_whitelistRtfirewall.core.io.firewalld_confR tNoneR!(((s>/usr/lib/python2.7/site-packages/firewall/core/io/functions.pyts core/io/firewalld_conf.pyc000064400000017476147576556050011641 0ustar00 c`c @sddlZddlZddlZddlZddlmZddlmZddl m Z m Z m Z ddddd d d d d g Z defdYZdS(iN(tconfig(tlog(tb2utu2btPY2t DefaultZonet MinimalMarkt 
CleanupOnExittLockdownt IPv6_rpfiltertIndividualCallst LogDeniedtAutomaticHelperstAllowZoneDriftingtfirewalld_confcBsPeZdZdZdZdZdZdZdZdZ RS(cCs)i|_g|_||_|jdS(N(t_configt_deletedtfilenametclear(tselfR((sC/usr/lib/python2.7/site-packages/firewall/core/io/firewalld_conf.pyt__init__$s   cCsi|_g|_dS(N(RR(R((sC/usr/lib/python2.7/site-packages/firewall/core/io/firewalld_conf.pyR*s cCs|jjg|_dS(N(RRR(R((sC/usr/lib/python2.7/site-packages/firewall/core/io/firewalld_conf.pytcleanup.s cCs|jj|jS(N(Rtgettstrip(Rtkey((sC/usr/lib/python2.7/site-packages/firewall/core/io/firewalld_conf.pyR2scCsQt|j}t|j|j|<||jkrM|jj|ndS(N(RRRRtremove(RRtvaluet_key((sC/usr/lib/python2.7/site-packages/firewall/core/io/firewalld_conf.pytset5scCsad}xD|jjD]3\}}|r5|d7}n|d||f7}qWtr]t|S|S(Nts s%s=%s(RtitemsRR(RtsRR((sC/usr/lib/python2.7/site-packages/firewall/core/io/firewalld_conf.pyt__str__;s  c Cs|jyt|jd}Wntk r;}tjd|j||jdtj|jdt tj |jdtj rdnd|jdtj rdnd|jd tj rdnd|jd tjrdnd|jd tj|jd tj|jd tjr.dndnXxG|D]?}|sSPn|j}t|dksC|dd$krqCng|jdD]}|j^q}t|dkrtjd|jqCn|dtkr tjd|jqCnd|ddkr5tjd|jqCn8|jj|ddk rmtjd|jqCn|d|j|ds       core/io/functions.py000064400000007234147576556050010517 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2018 Red Hat, Inc. # # Authors: # Eric Garver # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
# import os from firewall import config from firewall.errors import FirewallError from firewall.core.io.zone import zone_reader from firewall.core.io.service import service_reader from firewall.core.io.ipset import ipset_reader from firewall.core.io.icmptype import icmptype_reader from firewall.core.io.helper import helper_reader from firewall.core.io.direct import Direct from firewall.core.io.lockdown_whitelist import LockdownWhitelist from firewall.core.io.firewalld_conf import firewalld_conf def check_config(fw=None): readers = { "ipset" : (ipset_reader, [config.FIREWALLD_IPSETS, config.ETC_FIREWALLD_IPSETS]), "helper" : (helper_reader, [config.FIREWALLD_HELPERS, config.ETC_FIREWALLD_HELPERS]), "icmptype" : (icmptype_reader, [config.FIREWALLD_ICMPTYPES, config.ETC_FIREWALLD_ICMPTYPES]), "service" : (service_reader, [config.FIREWALLD_SERVICES, config.ETC_FIREWALLD_SERVICES]), "zone" : (zone_reader, [config.FIREWALLD_ZONES, config.ETC_FIREWALLD_ZONES]), } for reader in readers.keys(): for dir in readers[reader][1]: if not os.path.isdir(dir): continue for file in sorted(os.listdir(dir)): if file.endswith(".xml"): try: obj = readers[reader][0](file, dir) if fw and reader == "zone": obj.fw_config = fw.config obj.check_config(obj.export_config()) except FirewallError as error: raise FirewallError(error.code, "'%s': %s" % (file, error.msg)) except Exception as msg: raise Exception("'%s': %s" % (file, msg)) if os.path.isfile(config.FIREWALLD_DIRECT): try: obj = Direct(config.FIREWALLD_DIRECT) obj.read() obj.check_config(obj.export_config()) except FirewallError as error: raise FirewallError(error.code, "'%s': %s" % (config.FIREWALLD_DIRECT, error.msg)) except Exception as msg: raise Exception("'%s': %s" % (config.FIREWALLD_DIRECT, msg)) if os.path.isfile(config.LOCKDOWN_WHITELIST): try: obj = LockdownWhitelist(config.LOCKDOWN_WHITELIST) obj.read() obj.check_config(obj.export_config()) except FirewallError as error: raise FirewallError(error.code, "'%s': %s" % 
(config.LOCKDOWN_WHITELIST, error.msg)) except Exception as msg: raise Exception("'%s': %s" % (config.LOCKDOWN_WHITELIST, msg)) if os.path.isfile(config.FIREWALLD_CONF): try: obj = firewalld_conf(config.FIREWALLD_CONF) obj.read() except FirewallError as error: raise FirewallError(error.code, "'%s': %s" % (config.FIREWALLD_CONF, error.msg)) except Exception as msg: raise Exception("'%s': %s" % (config.FIREWALLD_CONF, msg)) core/io/icmptype.pyo000064400000014125147576556050010515 0ustar00 c`c@sdddgZddljZddlZddlZddlZddlmZddlm Z ddl m Z m Z m Z mZddlmZdd lmZdd lmZde fd YZd e fd YZdZddZdS(tIcmpTypeticmptype_readerticmptype_writeriN(tconfig(t u2b_if_py2(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGenerator(tlog(terrors(t FirewallErrorcBseZdddddgffZdZddgZidd6dd6dd6Zid dgd6d d gd6Zd Zd Z dZ dZ RS(tversionttshortt descriptiont destinations(sssas)t_t-ticmptypetnametipv4tipv6cCs;tt|jd|_d|_d|_g|_dS(NR (tsuperRt__init__R RRR(tself((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pyR8s    cCs&d|_d|_d|_|j2dS(NR (R RRR(R((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pytcleanup?s   cCs_t|j|_t|j|_t|j|_g|jD]}t|^q@|_dS(s HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. 
Get rid of it once we throw out python 2 support.N(RR RRR(Rtm((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pytencode_stringsEscCsI|dkrEx6|D]+}|dkrttjd|qqWndS(NRRRs'%s' not from {'ipv4'|'ipv6'}(RR(R R tINVALID_DESTINATION(RRtitemR((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pyt _check_configNs     (sversionR (sshortR (s descriptionR N( t__name__t __module__tIMPORT_EXPORT_STRUCTUREtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARStNonetPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSRRRR(((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pyR%s"      ticmptype_ContentHandlercBseZdZRS(cCstj||||jj|||dkrxd|krVtjd|dnd|kr|d|j_qn|dkrns|dkrnd|dkrxUdd gD]D}||kr||jd kr|jjj t |qqWndS( NRRs'Ignoring deprecated attribute name='%s'R RRRRRtyesttrue(syesR*( Rt startElementRtparser_check_element_attrsR twarningR tlowerRtappendtstr(RRtattrstx((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pyR+Ys"        (R R!R+(((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pyR(Xsc CsYt}|jds1ttjd|n|d |_|j|j||_||_|j t j rxt nt |_|j|_t|}tj}|j|d||f}t|di}tjd}|j|y|j|Wn2tjk r5}ttjd|jnXWdQX~~trU|jn|S(Ns.xmls%s is missing .xml suffixis%s/%strbsnot a valid icmptype file: %s(RtendswithR R t INVALID_NAMERt check_nametfilenametpatht startswithRt ETC_FIREWALLDtFalsetTruetbuiltintdefaultR(tsaxt make_parsertsetContentHandlertopent InputSourceR%t setByteStreamtparsetSAXParseExceptiontINVALID_ICMPTYPEt getExceptionRR( R7R8RthandlertparserRtftsourcetmsg((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pyRms8     !       
c Cs|r |n|j}|jr4d||jf}nd||jf}tjj|rytj|d|Wqtk r}tj d||qXntjj |}|j t j rtjj| rtjjt j stjt j dntj|dntj|dddd }t|}|ji}|jrq|jd krq|j|d s   "3 core/io/zone.pyc000064400000057327147576556050007635 0ustar00 c`c@sjdddgZddljZddlZddlZddlZddlmZddlm Z m Z m Z m Z m Z mZmZmZmZmZddlmZmZddlmZmZmZmZmZmZmZdd lmZdd l m!Z!dd lm"Z"dd l#m$Z$defd YZ%defdYZ&e'dZ(e)dZ*dS(tZonet zone_readert zone_writeriN(tconfig( tcheckIPtcheckIP6t checkIPnMaskt checkIP6nMasktcheckInterfacetuniqifytmax_zone_name_lent u2b_if_py2t check_mactportStr(tDEFAULT_ZONE_TARGETt ZONE_TARGETS(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGeneratort check_portt check_tcpudptcheck_protocol(trich(tlog(terrors(t FirewallErrorcBsEeZdZdAdBdCdefdDddgfddEgfd dgfd efd dFgfd dgfd dgfddgfddgfddGgfdeffZdZdddgZidHd6dHd6dHd6dgd6ddgd6dgd6dgd6ddgd6dgd6dHd6dHd 6d!gd"6d#gd6ddgd$6dHd%6dHd&6dHd'6dHd(6dHd)6d*gd+6d#gd,6dHd-6Zidd.ddgd6d/gd 6d0d1gd6d2gd6d!d3d4d2d5gd 6d4gd"6d6d7gd%6d8gd(6Z e d9Z d:Z d;Z d<Zd=Zd>Zd?Zd@ZRS(Is Zone class tversionttshortt descriptiontUNUSEDttargettservicestportst icmp_blockst masqueradet forward_portst interfacestsourcest rules_strt protocolst source_portsticmp_block_inversions&(sssbsasa(ss)asba(ssss)asasasasa(ss)b)t_t-t/tzonetnametservicetporttprotocols icmp-blocks icmp-types forward-portt interfacetruletsourcetaddresst destinationtvalues source-portRtaudittaccepttrejecttdroptsettmarktlimitsicmp-block-inversiont immutabletenabledsto-portsto-addrtfamilytmactinverttipsettprefixtlevelttypecCsLx3ttjD]"\}\}}||kr|SqWttjddS(Ns index_of()(t enumerateRtIMPORT_EXPORT_STRUCTURERRt UNKNOWN_ERROR(telementtiteltdummy((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytindex_ofbs" cCstt|jd|_d|_d|_t|_t|_ g|_ g|_ g|_ g|_ t|_g|_g|_g|_g|_d|_g|_g|_t|_t|_t|_dS(NR(tsuperRt__init__RRRtFalseRRR R!R"R)R#R$R%R*R&R'tNonet fw_configtrulesR(R+tcombinedtapplied(tself((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRSis*                   cCsd|_d|_d|_t|_t|_|j2|j2|j 2|j 2t|_ |j 2|j 
2|j2|j2d|_|j2|j2t|_t|_t|_dS(NR(RRRRTRRR R!R"R)R#R$R%R*R&R'RURVRWR(R+RXRY(RZ((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytcleanups(         c Cs t|j|_t|j|_t|j|_t|j|_g|jD]}t|^qR|_g|jD]$\}}t|t|f^qw|_g|jD]}t|^q|_g|jD]}t|^q|_g|j D]<\}}}}t|t|t|t|f^q|_ g|j D]$\}}t|t|f^qG|_ g|j D]}t|^q~|_ g|j D]}t|^q|_ g|j D]}t|^q|_ g|jD]}t|^q|_dS(s HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. Get rid of it once we throw out python 2 support.N(R RRRR R!R"R)R#R%R*R&R'RWR(( RZtstpotprRNtp1tp2tp3tp4((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytencode_stringss%7%%O4%%%cCs|dkrlg|D]}tjd|^q|_tt|j|g|jD]}t|^qPntt|j||dS(NR(trule_str(Rt Rich_RuleRWRRRt __setattr__tstr(RZR0R9R\((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRfs (8c Cs?|dkr]|jr]|jj}x|D]+}||kr+ttjd|q+q+Wn|dkrx|D]"}t|dt|dqpWn|dkrx|D]}t|qWnx|dkr |jr |jj}xQ|D]+}||krttj d|qqWn|d krx |D]} t| dt| d| d  r| d  rttj d | n| d rt| d n| d r3t | d  rt | d  rttj d | d qq3q3WnI|dkr.x:|D]"}t|dt|dqWn |dkr^|tkr;ttj|q;n|dkrx|D]'} t| sqttj| qqqqWn|dkr x|D]R} t|  rt|  rt|  r| jd rttj | qqWn0|dkr;x!|D]} tjd| qWndS(NR!s '%s' not among existing servicesR"iiR)R#s"'%s' not among existing icmp typesR%iis$'%s' is missing to-port AND to-addr s#to-addr '%s' is not a valid addressR*R R&R'sipset:R(Rd(RVt get_servicesRRtINVALID_SERVICERRRt get_icmptypestINVALID_ICMPTYPEtINVALID_FORWARDRRt INVALID_ADDRRtINVALID_TARGETRtINVALID_INTERFACERRR t startswithRRe( RZRtitemtexisting_servicesR1R2tprototexisting_icmptypesticmptypetfwd_portR4R6R5((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyt _check_configsn              "           cCstt|j||jdr>ttjd|n|jdrfttjd|n|jddkrttjd|nnd|kr||j d }n|}t |t krttjd|t |t |j fndS(NR.s'%s' can't start with '/'s'%s' can't end with '/'ismore than one '/' in '%s's'Zone of '%s' has %d chars, max is %d %s( RRRt check_nameRpRRt INVALID_NAMEtendswithtcounttfindtlenR RX(RZR0t 
checked_name((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRxs&      c CsEt|_d|_d|_d|_d|_x3|jD](}||jkr7|jj|q7q7Wx3|j D](}||j krm|j j|qmqmWx3|j D](}||j kr|j j|qqWx3|j D](}||j kr|j j|qqWx3|j D](}||j kr|j j|qqWx3|j D](}||j krE|j j|qEqEW|jrt|_nx3|jD](}||jkr|jj|qqWx3|jD](}||jkr|jj|qqWx7|jD],} |jj| |jjt| qW|jrAt|_ndS(NR(tTrueRXRUtfilenameRRRR&tappendR'R!R"R)R#R$R%R*RWR(RgR+( RZR/R4R6R1R2RsticmptforwardR5((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytcombinesH        (sversionR(sshortR(s descriptionR(stargetR(RR(RRRR(RRN(t__name__t __module__t__doc__RTRKtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARSRUtPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSt staticmethodRQRSR[RcRfRwRxR(((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyR(sv                                  9 tzone_ContentHandlercBs#eZdZdZdZRS(cCs/tj||d|_t|_d|_dS(N(RRSRUt_ruleRTt _rule_errort _limit_ok(RZRq((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRS,s  c Cswtj||||jr dS|jj|||dkrd|krbtjd|dnd|kr|d|j_nd|krtjd|dnd|krs|d}|tkrt t j |n|dkr|t kr||j_ qqsnk|d krn\|d kr&nM|d kr|jr|jjrmtjd t|jt|_dStj|d|j_dS|d|jjkr|jjj|dqstjd |dn |dkr|jr<|jjrtjd t|jt|_dStj|d|d|j_dSt|dt|dt|dd|df}||jjkr|jjj|qstjd|d|dn |dkrs|jr|jjrtjd t|jt|_dStj|d|j_qst|d|d|jjkr\|jjj|dqstjd|dn |dkr|jr|jjrtjd t|jt|_dStj|d|j_dS|d|jjkr|jjj|dqstjd|dnU |dkr|jr|jjretjd t|jt|_dStj |d|j_dStjd|dn |dkrZd|kr|dj!d`krtjd|ddS|jr/|jjrtjd t|jt|_dStj"|j_qs|jj#rKtjdqst|j_#n |dkrd}d|kr|d}nd}d |kr|d }n|jr |jjrtjd t|jt|_dStj$|d|d|||j_dSt|dt|d|r8t|n|rtt%| rtt&| rtt t j'd!|qtnt|dd|dt|dt|f}||jj(kr|jj(j|qstjd"|d|d|rd#|nd|rd$|ndna|d%kr|jr}|jjrYtjd t|jt|_dStj)|d|d|j_dSt|dt|dt|dd|df}||jj*kr|jj*j|qstjd&|d|dnw|d'kr|jr+tjd(t|_dSd|krQtjd)t|_dS|d|jj+kr|jj+j|dqstjd*|dn|d+kr, |jr |jj,rtjd,t|jt|_dSt-}d-|kr |d-j!dakr t}nd}} } d0|kr7 |d0}nd1|krP |d1} nd2|kri |d2} ntj/|| | d-||j_,dSd0|kr d2|kr tjd3dSd0|kr d2|kr tjd4dSd5|kr tjd6|d5nd-|kr tjd7dSd0|kr{ t0|d0 r{ t1|d0 r{ t2|d0 r{ t t j'|d0q{ nd2|kr d8|d2}||jj3kr |jj3j|q tjd9|d0nd0|krs|d0}||jj3kr 
|jj3j|q) tjd9|d0qsnG|d:kr |js[ tjd;t|_dS|jj4r tjd<t|jdSt-}d-|kr |d-j!dbkr t}ntj5|d0||j_4n|dckr |js tjdAt|_dS|jj6r) tjdBt|_dS|d=krJ tj7|j_6n|d>kr d} dC|kru |dC} ntj8| |j_6nO|d?kr tj9|j_6n.|d@kr |dD} tj:| |j_6n|jj6|_;n|dEkr |js tjdFdS|jjr1 tjdGdSd} dH|krv |dH} | ddkrv tjdQt|_dSndR|kr |dRnd}tj<|| |j_|jj|_;n|dSkr8|js tjdTdS|jj=rtjdUt|jt|_dStj>|j_=|jj=|_;n;|dVkrd}d5|kr|d5}|dekrtjdY|d5t|_dSntj?||_n|dZkr(|j;stjd[t|_dS|j;j@rtjd\t|jt|_dS|d}tjA||j;_@nK|d]kr_|jjBrPtjd^qst|j_Bntjd_|dSdS(fNR/R0s'Ignoring deprecated attribute name='%s'RRAs,Ignoring deprecated attribute immutable='%s'R RRRR1s;Invalid rule: More than one element in rule '%s', ignoring.s#Service '%s' already set, ignoring.R2R3R-s#Port '%s/%s' already set, ignoring.R9s$Protocol '%s' already set, ignoring.s icmp-blocks&icmp-block '%s' already set, ignoring.s icmp-types-Invalid rule: icmp-block '%s' outside of ruleR$RBtnotfalses*Ignoring deprecated attribute enabled='%s's!Masquerade already set, ignoring.s forward-portsto-portsto-addrs#to-addr '%s' is not a valid addresss-Forward port %s/%s%s%s already set, ignoring.s >%ss @%ss source-ports*Source port '%s/%s' already set, ignoring.R4s$Invalid rule: interface use in rule.s Invalid interface: Name missing.s%Interface '%s' already set, ignoring.R6s:Invalid rule: More than one source in rule '%s', ignoring.REtyesttrueR7RDRFs$Invalid source: No address no ipset.s"Invalid source: Address and ipset.RCs)Ignoring deprecated attribute family='%s's+Invalid source: Invertion not allowed here.sipset:%ss"Source '%s' already set, ignoring.R8s)Invalid rule: Destination outside of rules?Invalid rule: More than one destination in rule '%s', ignoring.R;R<R=R?s$Invalid rule: Action outside of rules"Invalid rule: More than one actionRIR>Rs!Invalid rule: Log outside of rulesInvalid rule: More than one logRHtemergtalerttcritterrortwarningtnoticetinfotdebugsInvalid rule: Invalid log levelRGR:s#Invalid rule: Audit outside of rules9Invalid rule: More than one audit in rule '%s', 
ignoring.R5tipv4tipv6s&Invalid rule: Rule family "%s" invalidR@s4Invalid rule: Limit outside of action, log and audits9Invalid rule: More than one limit in rule '%s', ignoring.sicmp-block-inversions+Icmp-Block-Inversion already set, ignoring.sUnknown XML element '%s'(RR(syesR(syesR(sacceptsrejectsdropsmark(RRRserrorswarningRsinfosdebug(RR(CRt startElementRRqtparser_check_element_attrsRRRRRRRnRR RRMRgRRt Rich_ServiceR!Rt Rich_PortRRR R"t Rich_ProtocolRR)tRich_IcmpBlockR#t Rich_IcmpTypetlowertRich_MasqueradeR$tRich_ForwardPortRRRmR%tRich_SourcePortR*R&R6RTRUt Rich_SourceRRR R'R8tRich_Destinationtactiont Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_MarkRtRich_LogR:t Rich_AuditReR@t Rich_LimitR+(RZR0tattrsR tentrytto_porttto_addrREtaddrRDRFt_typet_setRHRGRCR9((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyR2st                                                                                                                                                                 cCstj|||dkr|jsy|jjWn/tk rg}tjd|t|jqXt|j|j j kr|j j j |j|j j j t|jqtjdt|jnd|_t|_n|d krd|_ndS( NR5s%s: %ss Rule '%s' already set, ignoring.R;R<R=R?RR:(sacceptsrejectsdropsmarkslogsaudit(Rt endElementRRtcheckt ExceptionRRRgRqR(RWRRURTR(RZR0te((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRs        (RRRSRR(((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyR+s  dc Csbt}|jds1ttjd|n|d |_|sW|j|jn||_||_|j t j rt nt |_|j|_t|}tj}|j|d||f}t|di}tjd}|j|y|j|Wn2tjk r>} ttjd| jnXWdQX~~tr^|jn|S(Ns.xmls'%s' is missing .xml suffixis%s/%strbsnot a valid zone file: %s(RRzRRRyR0RxRtpathRpRt ETC_FIREWALLDRTRtbuiltintdefaultRtsaxt make_parsertsetContentHandlertopent InputSourceRUt setByteStreamtparsetSAXParseExceptiont INVALID_ZONEt getExceptionRRc( RRt no_check_nameR/thandlertparserR0tfR6tmsg((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRs:     !       
c Cs% |r |n|j}|jr4d||jf}nd||jf}tjj|rytj|d|Wqtk r}tj d||qXntjj |}|j t j rtjj| rtjjt j stjt j dntj|dntj|dddd }t|}|ji}|jrq|jd krq|j|d d kr{ |j0j>|d%t1|jG|jGjEr |jd-|j|||jd4|jd5i|jGjEj8d6|jd6|j|n|jd-|j|||jdn|jd|jd)|jdqW|jd |jd|jN|jO~dS(?Ns%s/%ss %s/%s.xmls%s.oldsBackup of file '%s' failed: %sitmodetwttencodingsUTF-8RRR R/s s RRR4R0sipset:R6iRFR7R1R2iiR3R9sicmp-block-inversions icmp-blockR$isto-portisto-addrs forward-ports source-portRCR5RDRREs R8s icmp-types#Unknown element '%s' in zone_writerRGRHRs R@s R:R;R<RIR=R?R>sUnknown action '%s'(PRRR0tostexiststshutiltcopy2RRRtdirnameRpRRtmkdirtioRRt startDocumentRR RRtignorableWhitespaceRt charactersRRR R&t simpleElementR'R!R"R)R+R#R$R%R*RWRCR6RRDRFRER8RMRIRRRR2R3RR9RRRRRt to_addressRRRtINVALID_OBJECTRGRHR@R:RRRRRR>Rt endDocumenttclose(R/Rt_pathR0RtdirpathRRRR4R6R1R2R3RRR5RMR((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRs %            &                                                         (+t__all__txml.saxRRRRtfirewallRtfirewall.functionsRRRRRR R R R R tfirewall.core.baseRRtfirewall.core.io.io_objectRRRRRRRt firewall.coreRtfirewall.core.loggerRRtfirewall.errorsRRRRTRRUR(((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyts$   F4 core/io/direct.py000064400000036726147576556050007771 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2011-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
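#
import xml.sax as sax
import os
import io
import shutil

from firewall import config
from firewall.fw_types import LastUpdatedOrderedDict
from firewall.functions import splitArgs, joinArgs, u2b_if_py2
from firewall.core.io.io_object import IO_Object, IO_Object_ContentHandler, \
    IO_Object_XMLGenerator
from firewall.core.logger import log
from firewall.core import ipXtables
from firewall.core import ebtables
from firewall import errors
from firewall.errors import FirewallError


class direct_ContentHandler(IO_Object_ContentHandler):
    """SAX content handler that fills a Direct object from a direct XML file.

    Element attributes are checked against the Direct object's
    PARSER_*_ELEMENT_ATTRS tables. Chain, rule and passthrough data is
    forwarded to the Direct object's add_* methods, which apply the ipv
    and table checks. Rule and passthrough arguments are taken verbatim
    from the element text (split with splitArgs) and are not validated
    here.
    """

    def __init__(self, item):
        IO_Object_ContentHandler.__init__(self, item)
        self.direct = False
        # Scratch state for the element currently being parsed. None means
        # "no open rule/passthrough": either none was started, or
        # startElement rejected it (logged there), so endElement must not
        # try to complete it.
        self._rule = None
        self._passthrough = None

    def startElement(self, name, attrs):
        """Handle the start tag of a direct XML element.

        Raises FirewallError for a duplicate <direct> tag or an invalid
        rule ipv; other malformed elements are logged and skipped.
        """
        IO_Object_ContentHandler.startElement(self, name, attrs)
        self.item.parser_check_element_attrs(name, attrs)

        if name == "direct":
            if self.direct:
                raise FirewallError(errors.PARSE_ERROR,
                                    "More than one direct tag.")
            self.direct = True
        elif name == "chain":
            if not self.direct:
                log.error("Parse Error: chain outside of direct")
                return
            ipv = attrs["ipv"]
            table = attrs["table"]
            chain = attrs["chain"]
            # add_chain validates ipv and table (Direct._check_ipv_table).
            self.item.add_chain(u2b_if_py2(ipv), u2b_if_py2(table),
                                u2b_if_py2(chain))
        elif name == "rule":
            if not self.direct:
                log.error("Parse Error: rule outside of direct")
                return
            ipv = attrs["ipv"]
            if ipv not in [ "ipv4", "ipv6", "eb" ]:
                raise FirewallError(errors.INVALID_IPV,
                                    "'%s' not from {'ipv4'|'ipv6'|'eb'}" % ipv)
            table = attrs["table"]
            chain = attrs["chain"]
            try:
                priority = int(attrs["priority"])
            except ValueError:
                log.error("Parse Error: %s is not a valid priority" %
                          attrs["priority"])
                return
            # The argument list is appended in endElement from the
            # element's text content.
            self._rule = [ u2b_if_py2(ipv), u2b_if_py2(table),
                           u2b_if_py2(chain), priority ]
        elif name == "passthrough":
            if not self.direct:
                log.error("Parse Error: command outside of direct")
                return
            ipv = attrs["ipv"]
            # ipv is validated later by Direct.add_passthrough.
            self._passthrough = [ u2b_if_py2(ipv) ]
        else:
            log.error('Unknown XML element %s' % name)
            return

    def endElement(self, name):
        """Complete an open rule/passthrough using the collected element text."""
        IO_Object_ContentHandler.endElement(self, name)
        if name == "rule":
            if self._rule is None:
                # startElement rejected this rule (and logged why); there is
                # nothing to complete.
                return
            if self._element:
                # add arguments
                self._rule.append([ u2b_if_py2(x)
                                    for x in splitArgs(self._element) ])
                self.item.add_rule(*self._rule)
            else:
                log.error("Error: rule does not have any arguments, ignoring.")
            self._rule = None
        elif name == "passthrough":
            if self._passthrough is None:
                # startElement rejected this passthrough (logged there).
                return
            if self._element:
                # add arguments
                self._passthrough.append([ u2b_if_py2(x)
                                           for x in splitArgs(self._element) ])
                self.item.add_passthrough(*self._passthrough)
            else:
                log.error("Error: passthrough does not have any arguments, " +
                          "ignoring.")
            self._passthrough = None


class Direct(IO_Object):
    """ Direct class

    In-memory model of the direct configuration file given to __init__:
    custom chains keyed by (ipv, table), rules keyed by (ipv, table, chain)
    with (priority, args) entries, and passthrough argument lists keyed
    by ipv. ipv and table are validated on every add/remove/query; rule
    and passthrough argument lists are stored as given.
    """

    IMPORT_EXPORT_STRUCTURE = (
        # chain: [ ipv, table, [ chain ] ]
        ( "chains", [ ( "", "", "" ), ], ),                   # a(sss)
        # rule: [ ipv, table, chain, [ priority, [ arg ] ] ]
        ( "rules", [ ( "", "", "", 0, [ "" ] ), ], ),         # a(sssias)
        # passthrough: [ ipv, [ [ arg ] ] ]
        ( "passthroughs", [ ( "", [ "" ]), ], ),              # a(sas)
    )
    DBUS_SIGNATURE = '(a(sss)a(sssias)a(sas))'
    PARSER_REQUIRED_ELEMENT_ATTRS = {
        "direct": None,
        "chain": [ "ipv", "table", "chain" ],
        "rule": [ "ipv", "table", "chain", "priority" ],
        "passthrough": [ "ipv" ]
    }
    PARSER_OPTIONAL_ELEMENT_ATTRS = {
    }

    def __init__(self, filename):
        super(Direct, self).__init__()
        self.filename = filename
        self.chains = LastUpdatedOrderedDict()
        self.rules = LastUpdatedOrderedDict()
        self.passthroughs = LastUpdatedOrderedDict()

    def _check_config(self, conf, item):
        # No per-item validation is done here yet: chain, rule and
        # passthrough argument lists are accepted as given. The ipv/table
        # checks happen in the add_* methods that import_config calls.
        pass
        # check arg lists

    def export_config(self):
        """Return (chains, rules, passthroughs) in IMPORT_EXPORT_STRUCTURE form."""
        ret = [ ]
        x = [ ]
        for key in self.chains:
            for chain in self.chains[key]:
                # (ipv, table, chain)
                x.append(tuple(list(key) + list([chain])))
        ret.append(x)
        x = [ ]
        for key in self.rules:
            for rule in self.rules[key]:
                # (ipv, table, chain, priority, [args])
                x.append(tuple((key[0], key[1], key[2], rule[0],
                                list(rule[1]))))
        ret.append(x)
        x = [ ]
        for key in self.passthroughs:
            for rule in self.passthroughs[key]:
                # (ipv, [args])
                x.append(tuple((key, list(rule))))
        ret.append(x)
        return tuple(ret)

    def import_config(self, conf):
        """Replace the current contents with *conf* (export_config layout).

        Runs check_config first; every entry then goes through add_chain /
        add_rule / add_passthrough and their ipv/table validation.
        """
        self.cleanup()
        self.check_config(conf)
        for i,(element,dummy) in enumerate(self.IMPORT_EXPORT_STRUCTURE):
            if element == "chains":
                for x in conf[i]:
                    self.add_chain(*x)
            if element == "rules":
                for x in conf[i]:
                    self.add_rule(*x)
            if element == "passthroughs":
                for x in conf[i]:
                    self.add_passthrough(*x)

    def cleanup(self):
        """Drop all chains, rules and passthroughs."""
        self.chains.clear()
        self.rules.clear()
        self.passthroughs.clear()

    def output(self):
        """Print a human-readable dump of the current contents to stdout."""
        print("chains")
        for key in self.chains:
            print(" (%s, %s): %s" % (key[0], key[1],
                                     ",".join(self.chains[key])))
        print("rules")
        for key in self.rules:
            print(" (%s, %s, %s):" % (key[0], key[1], key[2]))
            for (priority,args) in self.rules[key]:
                print(" (%d, ('%s'))" % (priority, "','".join(args)))
        print("passthroughs")
        for key in self.passthroughs:
            print(" %s:" % (key))
            for args in self.passthroughs[key]:
                print(" ('%s')" % ("','".join(args)))

    def _check_ipv(self, ipv):
        """Raise FirewallError(INVALID_IPV) unless ipv is ipv4, ipv6 or eb."""
        ipvs = ['ipv4', 'ipv6', 'eb']
        if ipv not in ipvs:
            raise FirewallError(errors.INVALID_IPV,
                                "'%s' not in '%s'" % (ipv, ipvs))

    def _check_ipv_table(self, ipv, table):
        """Check ipv, then check table against the built-in tables for it.

        ipv4/ipv6 tables come from ipXtables.BUILT_IN_CHAINS, eb from
        ebtables.BUILT_IN_CHAINS. Raises FirewallError(INVALID_TABLE).
        """
        self._check_ipv(ipv)
        tables = ipXtables.BUILT_IN_CHAINS.keys() if ipv in ['ipv4', 'ipv6'] \
                                   else ebtables.BUILT_IN_CHAINS.keys()
        if table not in tables:
            raise FirewallError(errors.INVALID_TABLE,
                                "'%s' not in '%s'" % (table, tables))

    # chains

    def add_chain(self, ipv, table, chain):
        """Register *chain* under (ipv, table); a duplicate is logged and ignored."""
        self._check_ipv_table(ipv, table)
        key = (ipv, table)
        if key not in self.chains:
            self.chains[key] = [ ]
        if chain not in self.chains[key]:
            self.chains[key].append(chain)
        else:
            log.warning("Chain '%s' for table '%s' with ipv '%s' " % \
                        (chain, table, ipv) + "already in list, ignoring")

    def remove_chain(self, ipv, table, chain):
        """Remove *chain* from (ipv, table); raises ValueError if absent."""
        self._check_ipv_table(ipv, table)
        key = (ipv, table)
        if key in self.chains and chain in self.chains[key]:
            self.chains[key].remove(chain)
            # drop the key once its last chain is gone
            if len(self.chains[key]) == 0:
                del self.chains[key]
        else:
            raise ValueError( \
                "Chain '%s' with table '%s' with ipv '%s' not in list" % \
                (chain, table, ipv))

    def query_chain(self, ipv, table, chain):
        """Return True if *chain* is registered under (ipv, table)."""
        self._check_ipv_table(ipv, table)
        key = (ipv, table)
        return (key in self.chains and chain in self.chains[key])

    def get_chains(self, ipv, table):
        """Return the chain list for (ipv, table); raises ValueError if none."""
        self._check_ipv_table(ipv, table)
        key = (ipv, table)
        if key in self.chains:
            return self.chains[key]
        else:
            raise ValueError("No chains for table '%s' with ipv '%s'" % \
                             (table, ipv))

    def get_all_chains(self):
        return self.chains

    # rules

    def add_rule(self, ipv, table, chain, priority, args):
        """Register a rule; the entry key is (priority, tuple(args)).

        A duplicate (same priority and args) is logged and ignored. args
        is stored as given and not validated here.
        """
        self._check_ipv_table(ipv, table)
        key = (ipv, table, chain)
        if key not in self.rules:
            self.rules[key] = LastUpdatedOrderedDict()
        value = (priority, tuple(args))
        if value not in self.rules[key]:
            self.rules[key][value] = priority
        else:
            log.warning("Rule '%s' for table '%s' and chain '%s' " % \
                        ("',".join(args), table, chain) +
                        "with ipv '%s' and priority %d " % (ipv, priority) +
                        "already in list, ignoring")

    def remove_rule(self, ipv, table, chain, priority, args):
        """Remove one rule; raises ValueError if it is not present."""
        self._check_ipv_table(ipv, table)
        key = (ipv, table, chain)
        value = (priority, tuple(args))
        if key in self.rules and value in self.rules[key]:
            del self.rules[key][value]
            if len(self.rules[key]) == 0:
                del self.rules[key]
        else:
            raise ValueError("Rule '%s' for table '%s' and chain '%s' " % \
                             ("',".join(args), table, chain) + \
                             "with ipv '%s' and priority %d not in list" %
                             (ipv, priority))

    def remove_rules(self, ipv, table, chain):
        """Remove every rule registered under (ipv, table, chain)."""
        self._check_ipv_table(ipv, table)
        key = (ipv, table, chain)
        if key in self.rules:
            # Snapshot the keys: deleting from the dict while iterating its
            # live keys() view raises on Python 3.
            for value in list(self.rules[key].keys()):
                del self.rules[key][value]
            if len(self.rules[key]) == 0:
                del self.rules[key]

    def query_rule(self, ipv, table, chain, priority, args):
        """Return True if the exact (priority, args) rule is registered."""
        self._check_ipv_table(ipv, table)
        key = (ipv, table, chain)
        value = (priority, tuple(args))
        return (key in self.rules and value in self.rules[key])

    def get_rules(self, ipv, table, chain):
        """Return the rule dict for (ipv, table, chain); raises ValueError if none."""
        self._check_ipv_table(ipv, table)
        key = (ipv, table, chain)
        if key in self.rules:
            return self.rules[key]
        else:
            raise ValueError("No rules for table '%s' and chain '%s' " %\
                             (table, chain) + "with ipv '%s'" % (ipv))

    def get_all_rules(self):
        return self.rules

    #
    # passthrough
    #

    def add_passthrough(self, ipv, args):
        """Register a passthrough argument list for ipv; duplicates are logged and ignored."""
        self._check_ipv(ipv)
        if ipv not in self.passthroughs:
            self.passthroughs[ipv] = [ ]
        if args not in self.passthroughs[ipv]:
            self.passthroughs[ipv].append(args)
        else:
            log.warning("Passthrough '%s' for ipv '%s'" % \
                        ("',".join(args), ipv) + "already in list, ignoring")

    def remove_passthrough(self, ipv, args):
        """Remove a passthrough argument list; raises ValueError if absent."""
        self._check_ipv(ipv)
        if ipv in self.passthroughs and args in self.passthroughs[ipv]:
            self.passthroughs[ipv].remove(args)
            if len(self.passthroughs[ipv]) == 0:
                del self.passthroughs[ipv]
        else:
            raise ValueError("Passthrough '%s' for ipv '%s'" % \
                             ("',".join(args), ipv) + "not in list")

    def query_passthrough(self, ipv, args):
        """Return True if the passthrough argument list is registered for ipv."""
        self._check_ipv(ipv)
        return ipv in self.passthroughs and args in self.passthroughs[ipv]

    def get_passthroughs(self, ipv):
        """Return the passthrough list for ipv; raises ValueError if none."""
        self._check_ipv(ipv)
        if ipv in self.passthroughs:
            return self.passthroughs[ipv]
        else:
            raise ValueError("No passthroughs for ipv '%s'" % (ipv))

    def get_all_passthroughs(self):
        return self.passthroughs

    # read

    def read(self):
        """Clear the object and load it from self.filename.

        Raises FirewallError(INVALID_NAME) if the name lacks the .xml
        suffix and FirewallError(INVALID_TYPE) if the file does not parse.
        """
        self.cleanup()
        if not self.filename.endswith(".xml"):
            raise FirewallError(errors.INVALID_NAME,
                                "'%s' is missing .xml suffix" % self.filename)
        handler = direct_ContentHandler(self)
        parser = sax.make_parser()
        parser.setContentHandler(handler)
        with open(self.filename, "rb") as f:
            source = sax.InputSource(None)
            source.setByteStream(f)
            try:
                parser.parse(source)
            except sax.SAXParseException as msg:
                raise FirewallError(errors.INVALID_TYPE,
                                    "Not a valid file: %s" % \
                                    msg.getException())

    def write(self):
        """Write the current contents to self.filename as XML.

        An existing file is first copied to '<filename>.old' (IOError if the
        backup fails) and config.ETC_FIREWALLD is created with mode 0o750
        if missing. Rules and passthroughs with an empty argument list are
        skipped. The output file is closed even if writing fails part way.
        """
        if os.path.exists(self.filename):
            try:
                shutil.copy2(self.filename, "%s.old" % self.filename)
            except Exception as msg:
                raise IOError("Backup of '%s' failed: %s" % (self.filename, msg))

        if not os.path.exists(config.ETC_FIREWALLD):
            os.mkdir(config.ETC_FIREWALLD, 0o750)

        # The context manager replaces the explicit f.close(): the handle is
        # released on any exception raised while generating the document.
        with io.open(self.filename, mode='wt', encoding='UTF-8') as f:
            handler = IO_Object_XMLGenerator(f)
            handler.startDocument()

            # start direct element
            handler.startElement("direct", { })
            handler.ignorableWhitespace("\n")

            # chains
            for key in self.chains:
                (ipv, table) = key
                for chain in self.chains[key]:
                    handler.ignorableWhitespace(" ")
                    handler.simpleElement("chain", { "ipv": ipv, "table": table,
                                                     "chain": chain })
                    handler.ignorableWhitespace("\n")

            # rules
            for key in self.rules:
                (ipv, table, chain) = key
                for (priority, args) in self.rules[key]:
                    if len(args) < 1:
                        continue
                    handler.ignorableWhitespace(" ")
                    handler.startElement("rule", { "ipv": ipv, "table": table,
                                                   "chain": chain,
                                                   "priority": "%d" % priority })
                    # Escaped explicitly: ignorableWhitespace() emits its
                    # argument as-is, unlike characters().
                    handler.ignorableWhitespace(sax.saxutils.escape(joinArgs(args)))
                    handler.endElement("rule")
                    handler.ignorableWhitespace("\n")

            # passthroughs
            for ipv in self.passthroughs:
                for args in self.passthroughs[ipv]:
                    if len(args) < 1:
                        continue
                    handler.ignorableWhitespace(" ")
                    handler.startElement("passthrough", { "ipv": ipv })
                    handler.ignorableWhitespace(sax.saxutils.escape(joinArgs(args)))
                    handler.endElement("passthrough")
                    handler.ignorableWhitespace("\n")

            # end direct element
            handler.endElement("direct")
            handler.ignorableWhitespace("\n")
            handler.endDocument()
core/io/helper.py000064400000020247147576556050007765 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2011-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see .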
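#

__all__ = [ "Helper", "helper_reader", "helper_writer" ]

import xml.sax as sax
import os
import io
import shutil

from firewall import config
from firewall.functions import u2b_if_py2
from firewall.core.io.io_object import PY2, IO_Object, \
    IO_Object_ContentHandler, IO_Object_XMLGenerator, check_port, \
    check_tcpudp
from firewall.core.logger import log
from firewall import errors
from firewall.errors import FirewallError


def _check_module_name(module):
    """Raise FirewallError(INVALID_MODULE) unless module is "nf_conntrack_<x>".

    Shared by the config import path and the XML parser so both reject the
    same names with the same messages.  Only the prefix and a non-empty
    remainder are checked here.
    NOTE(review): characters after the prefix are not restricted at this
    layer; confirm the consumer of Helper.module validates further.
    """
    if not module.startswith("nf_conntrack_"):
        raise FirewallError(
            errors.INVALID_MODULE,
            "'%s' does not start with 'nf_conntrack_'" % module)
    if len(module.replace("nf_conntrack_", "")) < 1:
        raise FirewallError(errors.INVALID_MODULE,
                            "Module name '%s' too short" % module)


class Helper(IO_Object):
    """Connection-tracking helper definition, read from / written to XML.

    Fields mirror the <helper> element: version, short, description,
    family ("ipv4"/"ipv6" or empty), module (an nf_conntrack_* name) and
    ports, a list of (port, protocol) pairs.
    """
    IMPORT_EXPORT_STRUCTURE = (
        ( "version",  "" ),                   # s
        ( "short", "" ),                      # s
        ( "description", "" ),                # s
        ( "family", "", ),                    # s
        ( "module", "", ),                    # s
        ( "ports", [ ( "", "" ), ], ),        # a(ss)
    )
    DBUS_SIGNATURE = '(sssssa(ss))'
    ADDITIONAL_ALNUM_CHARS = [ "-", "." ]
    PARSER_REQUIRED_ELEMENT_ATTRS = {
        "short": None,
        "description": None,
        "helper": [ "module" ],
        # The parser reads attrs["port"] and attrs["protocol"] without a
        # guard; declaring both required makes a malformed <port/> fail with
        # FirewallError(PARSE_ERROR) instead of a bare KeyError.
        "port": [ "port", "protocol" ],
    }
    PARSER_OPTIONAL_ELEMENT_ATTRS = {
        "helper": [ "name", "version", "family" ],
    }

    def __init__(self):
        super(Helper, self).__init__()
        self.version = ""
        self.short = ""
        self.description = ""
        self.module = ""
        self.family = ""
        self.ports = [ ]

    def cleanup(self):
        """Reset every field to its empty default (the ports list is emptied in place)."""
        self.version = ""
        self.short = ""
        self.description = ""
        self.module = ""
        self.family = ""
        del self.ports[:]

    def encode_strings(self):
        """ HACK. I haven't been able to make sax parser return
        strings encoded (because of python 2) instead of in unicode.
        Get rid of it once we throw out python 2 support."""
        self.version = u2b_if_py2(self.version)
        self.short = u2b_if_py2(self.short)
        self.description = u2b_if_py2(self.description)
        self.module = u2b_if_py2(self.module)
        self.family = u2b_if_py2(self.family)
        self.ports = [(u2b_if_py2(po),u2b_if_py2(pr)) for (po,pr) in self.ports]

    def check_ipv(self, ipv):
        """Raise FirewallError(INVALID_IPV) unless ipv is 'ipv4' or 'ipv6'."""
        ipvs = [ 'ipv4', 'ipv6' ]
        if ipv not in ipvs:
            raise FirewallError(errors.INVALID_IPV,
                                "'%s' not in '%s'" % (ipv, ipvs))

    def _check_config(self, config, item):
        """Validate one IMPORT_EXPORT_STRUCTURE field on import.

        ``ports`` entries must pass check_port()/check_tcpudp(); ``module``
        must pass _check_module_name().  Other fields are not checked here.
        (``config`` is the field value, not the firewall.config module.)
        """
        if item == "ports":
            for port in config:
                check_port(port[0])
                check_tcpudp(port[1])
        elif item == "module":
            _check_module_name(config)

# PARSER

class helper_ContentHandler(IO_Object_ContentHandler):
    """SAX handler filling a Helper from its XML elements."""

    def startElement(self, name, attrs):
        """Validate the element's attributes, then copy them into self.item.

        parser_check_element_attrs() rejects unknown elements, unknown
        attributes and missing required ones before any value is used.
        Duplicate <port> entries are ignored with a warning.
        """
        IO_Object_ContentHandler.startElement(self, name, attrs)
        self.item.parser_check_element_attrs(name, attrs)
        if name == "helper":
            if "version" in attrs:
                self.item.version = attrs["version"]
            if "family" in attrs:
                self.item.check_ipv(attrs["family"])
                self.item.family = attrs["family"]
            if "module" in attrs:
                _check_module_name(attrs["module"])
                self.item.module = attrs["module"]
        elif name == "short":
            pass
        elif name == "description":
            pass
        elif name == "port":
            check_port(attrs["port"])
            check_tcpudp(attrs["protocol"])
            entry = (attrs["port"], attrs["protocol"])
            if entry not in self.item.ports:
                self.item.ports.append(entry)
            else:
                log.warning("Port '%s/%s' already set, ignoring.",
                            attrs["port"], attrs["protocol"])

def helper_reader(filename, path):
    """Parse "<path>/<filename>" into a new Helper.

    filename must end in ".xml"; the name derived from it is passed through
    check_name() (alnum plus "-" and ".") before any path is built, so
    separators never reach the open() call.  Files outside
    config.ETC_FIREWALLD are flagged builtin/default.  SAX parse errors
    become FirewallError(INVALID_HELPER).
    NOTE(review): parser features (e.g. external entity handling) are the
    xml.sax defaults for the running interpreter; confirm for the target
    Python version.
    """
    helper = Helper()
    if not filename.endswith(".xml"):
        raise FirewallError(errors.INVALID_NAME,
                            "'%s' is missing .xml suffix" % filename)
    helper.name = filename[:-4]
    helper.check_name(helper.name)
    helper.filename = filename
    helper.path = path
    helper.builtin = False if path.startswith(config.ETC_FIREWALLD) else True
    helper.default = helper.builtin
    handler = helper_ContentHandler(helper)
    parser = sax.make_parser()
    parser.setContentHandler(handler)
    name = "%s/%s" % (path, filename)
    with open(name, "rb") as f:
        source = sax.InputSource(None)
        source.setByteStream(f)
        try:
            parser.parse(source)
        except sax.SAXParseException as msg:
            raise FirewallError(errors.INVALID_HELPER,
                                "not a valid helper file: %s" % \
                                msg.getException())
    del handler
    del parser
    if PY2:
        helper.encode_strings()
    return helper

def helper_writer(helper, path=None):
    """Write helper as XML to "<path or helper.path>/<filename or name.xml>".

    An existing file is copied to "<name>.old" first (failure is logged, not
    fatal).  Missing directories under config.ETC_FIREWALLD are created with
    mode 0o750; the file itself gets whatever mode the umask yields.  The
    file is written in place, so a crash mid-write leaves a truncated file
    next to the .old backup.  Empty version/family/short/description are
    omitted from the output.
    """
    _path = path if path else helper.path
    if helper.filename:
        name = "%s/%s" % (_path, helper.filename)
    else:
        name = "%s/%s.xml" % (_path, helper.name)
    if os.path.exists(name):
        try:
            shutil.copy2(name, "%s.old" % name)
        except Exception as msg:
            log.error("Backup of file '%s' failed: %s", name, msg)

    dirpath = os.path.dirname(name)
    if dirpath.startswith(config.ETC_FIREWALLD) and not os.path.exists(dirpath):
        if not os.path.exists(config.ETC_FIREWALLD):
            os.mkdir(config.ETC_FIREWALLD, 0o750)
        os.mkdir(dirpath, 0o750)

    # `with` releases the descriptor even if XML generation raises part-way;
    # the previous explicit close() only ran on the success path.
    with io.open(name, mode='wt', encoding='UTF-8') as f:
        handler = IO_Object_XMLGenerator(f)
        handler.startDocument()

        # start helper element
        attrs = {}
        attrs["module"] = helper.module
        if helper.version and helper.version != "":
            attrs["version"] = helper.version
        if helper.family and helper.family != "":
            attrs["family"] = helper.family
        handler.startElement("helper", attrs)
        handler.ignorableWhitespace("\n")

        # short
        if helper.short and helper.short != "":
            handler.ignorableWhitespace(" ")
            handler.startElement("short", { })
            handler.characters(helper.short)
            handler.endElement("short")
            handler.ignorableWhitespace("\n")

        # description
        if helper.description and helper.description != "":
            handler.ignorableWhitespace(" ")
            handler.startElement("description", { })
            handler.characters(helper.description)
            handler.endElement("description")
            handler.ignorableWhitespace("\n")

        # ports
        for port in helper.ports:
            handler.ignorableWhitespace(" ")
            handler.simpleElement("port", { "port": port[0],
                                            "protocol": port[1] })
            handler.ignorableWhitespace("\n")

        # end helper element
        handler.endElement('helper')
        handler.ignorableWhitespace("\n")
        handler.endDocument()
    del handler
core/io/icmptype.py000064400000015230147576556050010334 0ustar00# -*- coding: utf-8 -*-
#
# Copyright (C) 2011-2016 Red Hat, Inc.
#
# Authors:
# Thomas Woerner
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .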
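#

__all__ = [ "IcmpType", "icmptype_reader", "icmptype_writer" ]

import xml.sax as sax
import os
import io
import shutil

from firewall import config
from firewall.functions import u2b_if_py2
from firewall.core.io.io_object import PY2, IO_Object, \
    IO_Object_ContentHandler, IO_Object_XMLGenerator
from firewall.core.logger import log
from firewall import errors
from firewall.errors import FirewallError

class IcmpType(IO_Object):
    """ICMP type definition, read from / written to XML.

    Fields mirror the <icmptype> element: version, short, description and
    destination, a list holding any of "ipv4" / "ipv6".
    """
    IMPORT_EXPORT_STRUCTURE = (
        ( "version",  "" ),           # s
        ( "short", "" ),              # s
        ( "description", "" ),        # s
        ( "destination", [ "", ], ),  # as
    )
    DBUS_SIGNATURE = '(sssas)'
    ADDITIONAL_ALNUM_CHARS = [ "_", "-" ]
    PARSER_REQUIRED_ELEMENT_ATTRS = {
        "short": None,
        "description": None,
        "icmptype": None,
    }
    PARSER_OPTIONAL_ELEMENT_ATTRS = {
        "icmptype": [ "name", "version" ],
        "destination": [ "ipv4", "ipv6" ],
    }

    def __init__(self):
        super(IcmpType, self).__init__()
        self.version = ""
        self.short = ""
        self.description = ""
        self.destination = [ ]

    def cleanup(self):
        """Reset every field to its empty default (destination is emptied in place)."""
        self.version = ""
        self.short = ""
        self.description = ""
        del self.destination[:]

    def encode_strings(self):
        """ HACK. I haven't been able to make sax parser return
        strings encoded (because of python 2) instead of in unicode.
        Get rid of it once we throw out python 2 support."""
        self.version = u2b_if_py2(self.version)
        self.short = u2b_if_py2(self.short)
        self.description = u2b_if_py2(self.description)
        self.destination = [u2b_if_py2(m) for m in self.destination]

    def _check_config(self, config, item):
        """Validate one IMPORT_EXPORT_STRUCTURE field on import.

        Only ``destination`` is checked: every entry must be "ipv4" or
        "ipv6".  (``config`` is the field value, not the firewall.config
        module.)
        """
        if item == "destination":
            for destination in config:
                if destination not in [ "ipv4", "ipv6" ]:
                    raise FirewallError(errors.INVALID_DESTINATION,
                                        "'%s' not from {'ipv4'|'ipv6'}" % \
                                        destination)

# PARSER

class icmptype_ContentHandler(IO_Object_ContentHandler):
    """SAX handler filling an IcmpType from its XML elements."""

    def startElement(self, name, attrs):
        """Validate the element's attributes, then copy them into self.item.

        parser_check_element_attrs() rejects unknown elements/attributes
        before any value is read.  A <destination> attribute counts only
        when its value is "yes" or "true" (case-insensitive); a family
        already listed (e.g. from a repeated <destination> element) is
        ignored with a warning, mirroring how duplicate ports are handled
        by the other readers.
        """
        IO_Object_ContentHandler.startElement(self, name, attrs)
        self.item.parser_check_element_attrs(name, attrs)
        if name == "icmptype":
            if "name" in attrs:
                log.warning("Ignoring deprecated attribute name='%s'" %
                            attrs["name"])
            if "version" in attrs:
                self.item.version = attrs["version"]
        elif name == "short":
            pass
        elif name == "description":
            pass
        elif name == "destination":
            for x in [ "ipv4", "ipv6" ]:
                if x in attrs and \
                   attrs[x].lower() in [ "yes", "true" ]:
                    family = str(x)
                    if family not in self.item.destination:
                        self.item.destination.append(family)
                    else:
                        log.warning("Destination '%s' already set, ignoring.",
                                    family)

def icmptype_reader(filename, path):
    """Parse "<path>/<filename>" into a new IcmpType.

    filename must end in ".xml"; the name derived from it is passed through
    check_name() (alnum plus "_" and "-") before any path is built, so
    separators never reach the open() call.  Files outside
    config.ETC_FIREWALLD are flagged builtin/default.  SAX parse errors
    become FirewallError(INVALID_ICMPTYPE).
    NOTE(review): parser features (e.g. external entity handling) are the
    xml.sax defaults for the running interpreter; confirm for the target
    Python version.
    """
    icmptype = IcmpType()
    if not filename.endswith(".xml"):
        raise FirewallError(errors.INVALID_NAME,
                            "%s is missing .xml suffix" % filename)
    icmptype.name = filename[:-4]
    icmptype.check_name(icmptype.name)
    icmptype.filename = filename
    icmptype.path = path
    icmptype.builtin = False if path.startswith(config.ETC_FIREWALLD) else True
    icmptype.default = icmptype.builtin
    handler = icmptype_ContentHandler(icmptype)
    parser = sax.make_parser()
    parser.setContentHandler(handler)
    name = "%s/%s" % (path, filename)
    with open(name, "rb") as f:
        source = sax.InputSource(None)
        source.setByteStream(f)
        try:
            parser.parse(source)
        except sax.SAXParseException as msg:
            raise FirewallError(errors.INVALID_ICMPTYPE,
                                "not a valid icmptype file: %s" % \
                                msg.getException())
    del handler
    del parser
    if PY2:
        icmptype.encode_strings()
    return icmptype

def icmptype_writer(icmptype, path=None):
    """Write icmptype as XML to "<path or icmptype.path>/<filename or name.xml>".

    An existing file is copied to "<name>.old" first (failure is logged, not
    fatal).  Missing directories under config.ETC_FIREWALLD are created with
    mode 0o750; the file itself gets whatever mode the umask yields.  The
    file is written in place, so a crash mid-write leaves a truncated file
    next to the .old backup.  Empty version/short/description and an empty
    destination list are omitted from the output.
    """
    _path = path if path else icmptype.path
    if icmptype.filename:
        name = "%s/%s" % (_path, icmptype.filename)
    else:
        name = "%s/%s.xml" % (_path, icmptype.name)
    if os.path.exists(name):
        try:
            shutil.copy2(name, "%s.old" % name)
        except Exception as msg:
            log.error("Backup of file '%s' failed: %s", name, msg)

    dirpath = os.path.dirname(name)
    if dirpath.startswith(config.ETC_FIREWALLD) and not os.path.exists(dirpath):
        if not os.path.exists(config.ETC_FIREWALLD):
            os.mkdir(config.ETC_FIREWALLD, 0o750)
        os.mkdir(dirpath, 0o750)

    # `with` releases the descriptor even if XML generation raises part-way;
    # the previous explicit close() only ran on the success path.
    with io.open(name, mode='wt', encoding='UTF-8') as f:
        handler = IO_Object_XMLGenerator(f)
        handler.startDocument()

        # start icmptype element
        attrs = {}
        if icmptype.version and icmptype.version != "":
            attrs["version"] = icmptype.version
        handler.startElement("icmptype", attrs)
        handler.ignorableWhitespace("\n")

        # short
        if icmptype.short and icmptype.short != "":
            handler.ignorableWhitespace(" ")
            handler.startElement("short", { })
            handler.characters(icmptype.short)
            handler.endElement("short")
            handler.ignorableWhitespace("\n")

        # description
        if icmptype.description and icmptype.description != "":
            handler.ignorableWhitespace(" ")
            handler.startElement("description", { })
            handler.characters(icmptype.description)
            handler.endElement("description")
            handler.ignorableWhitespace("\n")

        # destination: one attribute per listed family, each set to "yes"
        if icmptype.destination:
            handler.ignorableWhitespace(" ")
            attrs = { x: "yes" for x in icmptype.destination }
            handler.simpleElement("destination", attrs)
            handler.ignorableWhitespace("\n")

        # end icmptype element
        handler.endElement('icmptype')
        handler.ignorableWhitespace("\n")
        handler.endDocument()
    del handler
core/io/firewalld_conf.pyo000064400000017476147576556050011645 0ustar00 c`c @sddlZddlZddlZddlZddlmZddlmZddl m Z m Z m Z ddddd d d d d g Z defdYZdS(iN(tconfig(tlog(tb2utu2btPY2t DefaultZonet MinimalMarkt CleanupOnExittLockdownt IPv6_rpfiltertIndividualCallst LogDeniedtAutomaticHelperstAllowZoneDriftingtfirewalld_conftfirewalld_confcBsPeZdZdZdZdZdZdZdZdZ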
RS(cCs)i|_g|_||_|jdS(N(t_configt_deletedtfilenametclear(tselfR((sC/usr/lib/python2.7/site-packages/firewall/core/io/firewalld_conf.pyt__init__$s   cCsi|_g|_dS(N(RR(R((sC/usr/lib/python2.7/site-packages/firewall/core/io/firewalld_conf.pyR*s cCs|jjg|_dS(N(RRR(R((sC/usr/lib/python2.7/site-packages/firewall/core/io/firewalld_conf.pytcleanup.s cCs|jj|jS(N(Rtgettstrip(Rtkey((sC/usr/lib/python2.7/site-packages/firewall/core/io/firewalld_conf.pyR2scCsQt|j}t|j|j|<||jkrM|jj|ndS(N(RRRRtremove(RRtvaluet_key((sC/usr/lib/python2.7/site-packages/firewall/core/io/firewalld_conf.pytset5scCsad}xD|jjD]3\}}|r5|d7}n|d||f7}qWtr]t|S|S(Nts s%s=%s(RtitemsRR(RtsRR((sC/usr/lib/python2.7/site-packages/firewall/core/io/firewalld_conf.pyt__str__;s  c Cs|jyt|jd}Wntk r;}tjd|j||jdtj|jdt tj |jdtj rdnd|jdtj rdnd|jd tj rdnd|jd tjrdnd|jd tj|jd tj|jd tjr.dndnXxG|D]?}|sSPn|j}t|dksC|dd$krqCng|jdD]}|j^q}t|dkrtjd|jqCn|dtkr tjd|jqCnd|ddkr5tjd|jqCn8|jj|ddk rmtjd|jqCn|d|j|ds       core/io/io_object.py000064400000027710147576556050010445 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2011-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
#
"""Generic io_object handler, io specific check methods."""

__all__ = [ "PY2", "IO_Object", "IO_Object_ContentHandler",
            "IO_Object_XMLGenerator", "check_port", "check_tcpudp",
            "check_protocol", "check_address" ]

import xml.sax as sax
import xml.sax.saxutils as saxutils
import copy
import sys

from firewall import functions
from firewall.functions import b2u
from firewall import errors
from firewall.errors import FirewallError

# True on any interpreter whose version string sorts below '3'; selects the
# bytes/unicode shims in IO_Object_XMLGenerator.
PY2 = sys.version < '3'

class IO_Object(object):
    """ Abstract IO_Object as base for icmptype, service and zone

    Subclasses list their fields in IMPORT_EXPORT_STRUCTURE as
    (attribute name, template value) pairs; the template value's type is
    what check_config() enforces on imported data.  The two PARSER_*
    dicts name, per XML element, the attributes the parser must and may
    see; parser_check_element_attrs() rejects everything else.
    """
    IMPORT_EXPORT_STRUCTURE = ( )
    DBUS_SIGNATURE = '()'
    ADDITIONAL_ALNUM_CHARS = [ ] # additional to alnum
    PARSER_REQUIRED_ELEMENT_ATTRS = { }
    PARSER_OPTIONAL_ELEMENT_ATTRS = { }

    def __init__(self):
        self.filename = ""
        self.path = ""
        self.name = ""
        self.default = False
        self.builtin = False

    def export_config(self):
        """Return a tuple of deep copies of every IMPORT_EXPORT_STRUCTURE field."""
        ret = [ ]
        for x in self.IMPORT_EXPORT_STRUCTURE:
            ret.append(copy.deepcopy(getattr(self, x[0])))
        return tuple(ret)

    def import_config(self, conf):
        """Validate conf with check_config() and copy it into the fields.

        List-typed fields are de-duplicated (first occurrence wins, order
        kept); every value is deep-copied so nothing is shared with the
        caller.
        """
        self.check_config(conf)
        for i,(element,dummy) in enumerate(self.IMPORT_EXPORT_STRUCTURE):
            if isinstance(conf[i], list):
                # remove duplicates without changing the order
                _conf = [ ]
                _set = set()
                for x in conf[i]:
                    if x not in _set:
                        _conf.append(x)
                        _set.add(x)
                del _set
                setattr(self, element, copy.deepcopy(_conf))
            else:
                setattr(self, element, copy.deepcopy(conf[i]))

    def check_name(self, name):
        """Raise FirewallError unless name is a non-empty str of allowed chars.

        Only isalnum() characters plus ADDITIONAL_ALNUM_CHARS pass, so path
        separators and whitespace are rejected; readers/writers that build a
        filename from the name rely on calling this first.
        """
        if not isinstance(name, str):
            raise FirewallError(errors.INVALID_TYPE,
                                "'%s' not of type %s, but %s" % (name, type(""), type(name)))
        if len(name) < 1:
            raise FirewallError(errors.INVALID_NAME,
                                "name can't be empty")
        for char in name:
            if not char.isalnum() and char not in self.ADDITIONAL_ALNUM_CHARS:
                raise FirewallError(
                    errors.INVALID_NAME,
                    "'%s' is not allowed in '%s'" % ((char, name)))

    def check_config(self, conf):
        """Check conf against IMPORT_EXPORT_STRUCTURE: size, then per-field
        type structure, then the subclass's _check_config() hook."""
        if len(conf) != len(self.IMPORT_EXPORT_STRUCTURE):
            raise FirewallError(
                errors.INVALID_TYPE,
                "structure size mismatch %d != %d" % \
                (len(conf), len(self.IMPORT_EXPORT_STRUCTURE)))
        for i,(element,value) in enumerate(self.IMPORT_EXPORT_STRUCTURE):
            self._check_config_structure(conf[i], value)
            self._check_config(conf[i], element)

    def _check_config(self, dummy1, dummy2):
        # to be overloaded by sub classes
        return

    def _check_config_structure(self, conf, structure):
        """Recursively require conf to have the same shape as structure.

        Exact type equality is required at every level (no subclassing, no
        int/str coercion).  A list template has exactly one element and
        describes every item; a tuple template is matched positionally; a
        dict template's single key/value pair types every entry of conf.
        """
        if not type(conf) == type(structure):
            raise FirewallError(errors.INVALID_TYPE,
                                "'%s' not of type %s, but %s" % \
                                (conf, type(structure), type(conf)))
        if isinstance(structure, list):
            # same type elements, else struct
            if len(structure) != 1:
                raise FirewallError(errors.INVALID_TYPE,
                                    "len('%s') != 1" % structure)
            for x in conf:
                self._check_config_structure(x, structure[0])
        elif isinstance(structure, tuple):
            if len(structure) != len(conf):
                raise FirewallError(errors.INVALID_TYPE,
                                    "len('%s') != %d" % (conf, len(structure)))
            for i,value in enumerate(structure):
                self._check_config_structure(conf[i], value)
        elif isinstance(structure, dict):
            # only one key value pair in structure
            (skey, svalue) = list(structure.items())[0]
            for (key, value) in conf.items():
                if type(key) != type(skey):
                    raise FirewallError(errors.INVALID_TYPE,
                                        "'%s' not of type %s, but %s" % (\
                                            key, type(skey), type(key)))
                if type(value) != type(svalue):
                    raise FirewallError(errors.INVALID_TYPE,
                                        "'%s' not of type %s, but %s" % (\
                                            value, type(svalue), type(value)))

    # check required elements and attributes and also optional attributes
    def parser_check_element_attrs(self, name, attrs):
        """Reject unknown elements, missing required and unknown attributes.

        An element is known if it appears in either PARSER_* dict.  Every
        attribute named in the required list must be present; attributes
        left over after removing required and optional ones are an error.
        This is the single allow-list gate for XML input, so subclass
        handlers may index attrs[...] only for names listed as required.
        """
        _attrs = attrs.getNames()
        found = False
        if name in self.PARSER_REQUIRED_ELEMENT_ATTRS:
            found = True
            if self.PARSER_REQUIRED_ELEMENT_ATTRS[name] is not None:
                for x in self.PARSER_REQUIRED_ELEMENT_ATTRS[name]:
                    if x in _attrs:
                        _attrs.remove(x)
                    else:
                        raise FirewallError(
                            errors.PARSE_ERROR,
                            "Missing attribute %s for %s" % (x, name))
        if name in self.PARSER_OPTIONAL_ELEMENT_ATTRS:
            found = True
            for x in self.PARSER_OPTIONAL_ELEMENT_ATTRS[name]:
                if x in _attrs:
                    _attrs.remove(x)
        if not found:
            raise FirewallError(errors.PARSE_ERROR,
                                "Unexpected element %s" % name)
        # anything left in _attrs is unknown; report the first one
        for x in _attrs:
            raise FirewallError(errors.PARSE_ERROR,
                                "%s: Unexpected attribute %s" % (name, x))

# PARSER

class UnexpectedElementError(Exception):
    """Raised for an XML element the parser does not know."""
    def __init__(self, name):
        super(UnexpectedElementError, self).__init__()
        self.name = name
    def __str__(self):
        return "Unexpected element '%s'" % (self.name)

class MissingAttributeError(Exception):
    """Raised when a required attribute is absent from an element."""
    def __init__(self, name, attribute):
        super(MissingAttributeError, self).__init__()
        self.name = name
        self.attribute = attribute
    def __str__(self):
        return "Element '%s': missing '%s' attribute" % \
            (self.name, self.attribute)

class UnexpectedAttributeError(Exception):
    """Raised for an attribute that is neither required nor optional."""
    def __init__(self, name, attribute):
        super(UnexpectedAttributeError, self).__init__()
        self.name = name
        self.attribute = attribute
    def __str__(self):
        return "Element '%s': unexpected attribute '%s'" % \
            (self.name, self.attribute)

class IO_Object_ContentHandler(sax.handler.ContentHandler):
    """Base SAX handler: collects element text into item.short/description.

    Character data is accumulated per element (newlines flattened to
    spaces) and assigned when the matching <short> or <description> closes.
    """
    def __init__(self, item):
        self.item = item
        self._element = ""

    def startDocument(self):
        self._element = ""

    def startElement(self, name, attrs):
        self._element = ""

    def endElement(self, name):
        if name == "short":
            self.item.short = self._element
        elif name == "description":
            self.item.description = self._element

    def characters(self, content):
        self._element += content.replace('\n', ' ')

class IO_Object_XMLGenerator(saxutils.XMLGenerator):
    """XMLGenerator writing directly to the given text stream.

    The stdlib constructor is bypassed (see __init__).  The other overrides
    coerce bytes to unicode under Python 2 before delegating to saxutils.
    Attribute values written by simpleElement() pass through
    saxutils.quoteattr(); ignorableWhitespace() is written verbatim by the
    base class, so callers that route element text through it must escape
    that text themselves.
    """
    def __init__(self, out):
        # fix memory leak in saxutils.XMLGenerator.__init__:
        #   out = _gettextwriter(out, encoding)
        # creates unbound object results in garbage in gc
        #
        # saxutils.XMLGenerator.__init__(self, out, "utf-8")
        # replaced by modified saxutils.XMLGenerator.__init__ code:
        # NOTE(review): this mirrors private attributes of the stdlib class;
        # a rename there would break this silently.
        sax.handler.ContentHandler.__init__(self)
        self._write = out.write
        self._flush = out.flush
        self._ns_contexts = [{}] # contains uri -> prefix dicts
        self._current_context = self._ns_contexts[-1]
        self._undeclared_ns_maps = []
        self._encoding = "utf-8"
        self._pending_start_element = False
        self._short_empty_elements = False

    def startElement(self, name, attrs):
        """ saxutils.XMLGenerator.startElement() expects name and attrs to be
            unicode and bad things happen if any of them is (utf-8) encoded.
            We override the method here to sanitize this case. Can be removed
            once we drop Python2 support.

            NOTE(review): only attrs are converted; the element name is
            passed through unchanged - confirm callers pass unicode names
            under Python 2.
        """
        if PY2:
            attrs = { b2u(name):b2u(value) for name, value in attrs.items() }
        saxutils.XMLGenerator.startElement(self, name, attrs)

    def simpleElement(self, name, attrs):
        """ slightly modified startElement()

            Writes a self-closing element; attribute values are quoted and
            escaped with saxutils.quoteattr().  (The loop variable reuses the
            name `name` after the tag has already been written.)
        """
        if PY2:
            self._write(u'<' + b2u(name))
            for (name, value) in attrs.items():
                self._write(u' %s=%s' % (b2u(name),
                                         saxutils.quoteattr(b2u(value))))
            self._write(u'/>')
        else:
            self._write('<' + name)
            for (name, value) in attrs.items():
                self._write(' %s=%s' % (name, saxutils.quoteattr(value)))
            self._write('/>')

    def endElement(self, name):
        """ saxutils.XMLGenerator.endElement() expects name to be unicode and
            bad things happen if it's (utf-8) encoded. We override the method
            here to sanitize this case. Can be removed once we drop Python2
            support.
        """
        saxutils.XMLGenerator.endElement(self, b2u(name))

    def characters(self, content):
        """ saxutils.XMLGenerator.characters() expects content to be unicode
            and bad things happen if it's (utf-8) encoded. We override the
            method here to sanitize this case. Can be removed once we drop
            Python2 support.  Escaping is left to the base class.
        """
        saxutils.XMLGenerator.characters(self, b2u(content))

    def ignorableWhitespace(self, content):
        """ saxutils.XMLGenerator.ignorableWhitespace() expects content to be
            unicode and bad things happen if it's (utf-8) encoded. We override
            the method here to sanitize this case. Can be removed once we drop
            Python2 support.  The base class writes content without escaping.
        """
        saxutils.XMLGenerator.ignorableWhitespace(self, b2u(content))

def check_port(port):
    """Raise FirewallError(INVALID_PORT) unless port is a valid port or range.

    Interprets functions.getPortRange(): -2 = too big, -1 = invalid,
    None = ambiguous, else a tuple.  A two-element range must be strictly
    increasing (start == end is rejected as well).
    """
    port_range = functions.getPortRange(port)
    if port_range == -2:
        raise FirewallError(errors.INVALID_PORT,
                            "port number in '%s' is too big" % port)
    elif port_range == -1:
        raise FirewallError(errors.INVALID_PORT,
                            "'%s' is invalid port range" % port)
    elif port_range is None:
        raise FirewallError(errors.INVALID_PORT,
                            "port range '%s' is ambiguous" % port)
    elif len(port_range) == 2 and port_range[0] >= port_range[1]:
        raise FirewallError(errors.INVALID_PORT,
                            "'%s' is invalid port range" % port)

def check_tcpudp(protocol):
    """Raise FirewallError(INVALID_PROTOCOL) unless protocol is tcp/udp/sctp/dccp."""
    if protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
        raise FirewallError(errors.INVALID_PROTOCOL,
                            "'%s' not from {'tcp'|'udp'|'sctp'|'dccp'}" % \
                            protocol)

def check_protocol(protocol):
    """Raise FirewallError(INVALID_PROTOCOL) unless functions.checkProtocol() accepts it."""
    if not functions.checkProtocol(protocol):
        raise FirewallError(errors.INVALID_PROTOCOL, protocol)

def check_address(ipv, addr):
    """Raise FirewallError(INVALID_ADDR) unless addr is valid for ipv per functions.check_address()."""
    if not functions.check_address(ipv, addr):
        raise FirewallError(errors.INVALID_ADDR,
                            "'%s' is not valid %s address" % (addr, ipv))
core/io/service.pyc000064400000021633147576556050010311 0ustar00 c`c@sdddgZddljZddlZddlZddlZddlmZddlm Z ddl m Z m Z m Z mZmZmZmZmZddlmZdd lmZdd lmZde fd YZd e fd YZdZddZdS(tServicetservice_readertservice_writeriN(tconfig(t u2b_if_py2(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGeneratort check_portt check_tcpudpt check_protocolt check_address(tlog(terrors(t FirewallErrorc BseZdddddgfddgfdidd6fddgfddgffZd Zd d gZidd6dd6dd 6Zid dgd 6ddgd6dgd6d gd6ddgd6ddgd6ZdZdZ dZ dZ RS(tversionttshortt descriptiontportstmodulest destinationt protocolst source_portss(sssa(ss)asa{ss}asa(ss))t_t-tservicetnametporttprotocoltvaluetmoduletipv4tipv6s source-portcCs_tt|jd|_d|_d|_g|_g|_g|_i|_ g|_ dS(NR( tsuperRt__init__RRRRRRRR(tself((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pyR$As       cCsHd|_d|_d|_|j2|j2|j2|jj|j2dS(NR( RRRRRRRtclearR(R%((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pytcleanupLs
cCst|j|_t|j|_t|j|_g|jD]$\}}t|t|f^q@|_g|jD]}t|^qw|_d|jjD|_g|jD]}t|^q|_g|j D]$\}}t|t|f^q|_ dS(s HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. Get rid of it once we throw out python 2 support.cSs+i|]!\}}t|t|qS((R(t.0tktv((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pys _s N( RRRRRRRtitemsRR(R%tpotprtm((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pytencode_stringsVs7%%cCs|dkr]x|D]C}|ddkrHt|dt|dqt|dqWnH|dkrx9|D]}t|qpWn|dkrx|D]"}t|dt|dqWn|dkrx|D]<}|dkrttjd |nt|||qWn|d krx}|D]r}|jd rw|jd d}d |krw|jd d}qwnt |dkr,ttj |q,q,WndS(NRiRiRRRR!R"s'%s' not in {'ipv4'|'ipv6'}Rt nf_conntrack_RRi(R!R"( R R R RRtINVALID_DESTINATIONR t startswithtreplacetlentINVALID_MODULE(R%RtitemRtprotoRR ((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pyt _check_configds8              (sversionR(sshortR(s descriptionR(RR(RRN( t__name__t __module__tIMPORT_EXPORT_STRUCTUREtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARStNonetPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSR$R'R/R8(((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pyR&s2           tservice_ContentHandlercBseZdZRS(cCsxtj||||jj|||dkrwd|krUtjd|dnd|krt|d|j_qtn|dkrn|dkrn|dkr||ddkr't|dt|d |d|d f}||jj kr |jj j |qytjd |d|d qtt |d |d |jj kre|jj j |d qttjd |d n|d krt |d |d |jj kr|jj j |d qttjd |d n|d kr_t|dt|d |d|d f}||jj krA|jj j |qttjd|d|d n|dkrxddgD]_}||krxt|||||jjkrtjd|q|||jj|t setByteStreamtparsetSAXParseExceptiontINVALID_SERVICEt getExceptionRR/( RMRNRthandlertparserRtftsourcetmsg((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pyRs8     !       
c Cs|r |n|j}|jr4d||jf}nd||jf}tjj|rytj|d|Wqtk r}tj d||qXntjj |}|j t j rtjj| rtjjt j stjt j dntj|dntj|dddd }t|}|ji}|jrq|jd krq|j|d R(((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pyts   :dE core/io/ipset.pyc000064400000033010147576556050007765 0ustar00 c`c@sgdZdddgZddljZddlZddlZddlZddlmZddl m Z m Z m Z m Z mZmZmZmZmZddlmZmZmZmZdd lmZmZdd lmZmZmZmZdd l m!Z!dd lm"Z"dd l#m$Z$defdYZ%defdYZ&dZ'e(dZ)dS(s$ipset io XML handler, reader, writertIPSett ipset_readert ipset_writeriN(tconfig( tcheckIPtcheckIP6t checkIPnMaskt checkIP6nMaskt u2b_if_py2t check_mact check_porttcheckInterfacet checkProtocol(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGenerator(t IPSET_TYPEStIPSET_CREATE_OPTIONS(tcheck_icmp_nametcheck_icmp_typetcheck_icmpv6_nametcheck_icmpv6_type(tlog(terrors(t FirewallErrorcBseZdddddidd6fddgffZdZdd d d gZidd6dd6dgd 6d gd6dd6Zidgd 6dgd6ZdZdZ dZ e dZ dZ dZRS(tversionttshortt descriptionttypetoptionstentriess (ssssa{ss}as)t_t-t:t.tipsettnametoptiontentrytvaluecCsVtt|jd|_d|_d|_d|_g|_i|_t |_ dS(NR( tsuperRt__init__RRRRR RtFalsetapplied(tself((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyR+Cs      cCsEd|_d|_d|_d|_|j2|jjt|_dS(NR( RRRRR RtclearR,R-(R.((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pytcleanupMs     cCst|j|_t|j|_t|j|_t|j|_d|jjD|_g|jD]}t|^qn|_dS(s HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. 
Get rid of it once we throw out python 2 support.cSs+i|]!\}}t|t|qS((R(t.0tktv((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pys ^s N(RRRRRRtitemsR (R.te((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pytencode_stringsVsc Csd}d|kr.|ddkr.d}q.n|jdsVttjd|n|djd}|jd}t|t|kst|d krttjd ||fnx'tt|D]}||}||}|d krd |kr|dkr|d kr@ttjd |||fn|jd } t| dkrttjd||||fnx| D]]} |dkrt|  s|dkrt |  rttjd| |||fqqWq|dkrL|dkr.ttjd||||fn|dkrCt } qRt} nt } | |sttjd||||fqq|dkrbd |kr|jd } t| dkrttjd||||fn|dkrt| d s|dkrGt | d rGttjd| d|||fn|dkrdt | d  s|dkr_t | d  r_ttjd| d |||fq_q|j dr|dko|dko|dksttjd||||fqn|dkr!t | s:|dkrt | rttjd||||fqq|dkrt | s|dkrttjd||fqq|dkrd|kr{|jd} t| dkrttjd|n| ddkr~|dkr6ttjd||fnt| d  rxt| d  rxttjd| d |fqxq| dd1kr|dkrttjd||fnt| d  rxt| d  rxttjd!| d |fqxq| dd2krEt| d rEttjd&| d|fqt| d sttjd'| d |fqqt|sttjd(||fqq|d)kr|jd*r yt|d+} WqJtk rttjd,||fqJXn@yt|} Wn-tk rIttjd,||fnX| dksb| d-krttjd,||fqq|d.krt| st|d/krttjd0||fqqttjd|qWdS(3Ntipv4tfamilytinet6tipv6shash:sipset type '%s' not usableit,is)entry '%s' does not match ipset type '%s'tipR"s invalid address '%s' in '%s'[%d]is.invalid address range '%s' in '%s' for %s (%s)s(invalid address '%s' in '%s' for %s (%s)s0.0.0.0itnets/0shash:net,ifacetmacs00:00:00:00:00:00s invalid mac address '%s' in '%s'tportR#sinvalid port '%s'ticmps(invalid protocol for family '%s' in '%s'sinvalid icmp type '%s' in '%s'ticmpv6s ipv6-icmps invalid icmpv6 type '%s' in '%s'ttcptsctptudptudplitesinvalid protocol '%s' in '%s'sinvalid port '%s'in '%s'sinvalid port '%s' in '%s'tmarkt0xisinvalid mark '%s' in '%s'Itifaceisinvalid interface '%s' in '%s'(RAs ipv6-icmp(RBRCRDRE(t startswithRRt INVALID_IPSETtsplittlent INVALID_ENTRYtrangeRRRRtendswithR RRRRR R tintt ValueErrorR ( R(Rt ipset_typeR8tflagsR4titflagtitemtsplitst_splittip_checktint_val((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyt check_entrybs@   *                            cCs>|dkr4|tkr4ttjd|q4n|dkr:x|jD]}|tkrxttjd|n|dkryt||}Wn1tk rttj d|||fnX|d kr3ttj d 
|||fq3qM|d krM||dkrMttj ||qMqMWndS(NRs'%s' is not valid ipset typeRsipset invalid option '%s'ttimeoutthashsizetmaxelems)Option '%s': Value '%s' is not an integeris#Option '%s': Value '%s' is negativeR8tinetR9(R\R]R^(R_sinet6( RRRt INVALID_TYPEtkeysRRJRPRQt INVALID_VALUEtINVALID_FAMILY(R.RRVtkeyt int_value((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyt _check_configs2          cCsd|dkrO|dddkrOt|ddkrOttjqOnx-|dD]!}tj||d|dqZWtt|j|dS(NR\it0iii(RLRRtIPSET_WITH_TIMEOUTRR[R*t import_config(R.RR(((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyRi3s $(sversionR(sshortR(s descriptionR(stypeRN(t__name__t __module__tIMPORT_EXPORT_STRUCTUREtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARStNonetPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSR+R0R6t staticmethodR[RfRi(((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyR,s.       tipset_ContentHandlercBseZdZdZRS(cCstj||||jj|||dkrd|kr~|dtkrkttjd|dn|d|j_nd|kr|d|j_ qn|dkrn|dkrn|dkrd}d |kr|d }n|d dkrttj d|d n|jjdkra|d dkrattj d|d |jjfn|d dkr| rttj d|d n|d dkryt |}Wn1t k rttj d|d |fnX|dkrttj d|d |fqn|d d krL|dkrLttj|n|d |jjkry||jj|d sd         "  cCs9tj|||dkr5|jjj|jndS(NR((Rt endElementRVR tappendt_element(R.R&((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyRyus (RjRkRtRy(((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyRs=s 7c Cst}|jds1ttjd|n|d |_|j|j||_||_|j t j rxt nt |_|j|_t|}tj}|j|d||f}t|di}tjd}|j|y|j|Wn2tjk r5}ttjd|jnXWdQX~~d|jkr|jddkrt|jd krtj d |j|j2nd } t!} x| t|jkru|j| | krtj d |j| |jj"| qy$|j#|j| |j|j$Wn3tk rS} tj d | |jj"| qX| j%|j| | d 7} qW~ t&r|j'n|S(Ns.xmls'%s' is missing .xml suffixis%s/%strbsnot a valid ipset file: %sR\Rgis6ipset '%s': timeout option is set, entries are ignoredsEntry %s already set, ignoring.s %s, ignoring.i((RRORRt INVALID_NAMER&t check_nametfilenametpathRIRt ETC_FIREWALLDR,tTruetbuiltintdefaultRstsaxt make_parsertsetContentHandlertopent InputSourceRot setByteStreamtparsetSAXParseExceptionRJt getExceptionRRLR RRwtsettpopR[RtaddR R6( 
RRR%thandlertparserR&tftsourcetmsgRTt entries_setR5((s:/usr/lib/python2.7/site-packages/firewall/core/io/ipset.pyRzs^     !      "    $ c Csg|r |n|j}|jr4d||jf}nd||jf}tjj|rytj|d|Wqtk r}tj d||qXntjj |}|j t j rtjj| rtjjt j stjt j dntj|dntj|dddd }t|}|ji|jd 6}|jr{|jd kr{|j|d s$   @""= 5core/io/direct.pyc000064400000034713147576556050010126 0ustar00 c`c@s ddljZddlZddlZddlZddlmZddlmZddl m Z m Z m Z ddl mZmZmZddlmZddlmZddlmZdd lmZdd lmZd efd YZd efdYZdS(iN(tconfig(tLastUpdatedOrderedDict(t splitArgstjoinArgst u2b_if_py2(t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGenerator(tlog(t ipXtables(tebtables(terrors(t FirewallErrortdirect_ContentHandlercBs#eZdZdZdZRS(cCstj||t|_dS(N(Rt__init__tFalsetdirect(tselftitem((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR(scCstj||||jj|||dkr\|jrPttjdnt|_n|dkr|jst j ddS|d}|d}|d}|jj t |t |t |n+|dkr|jst j ddS|d}|dkr ttj d |n|d}|d}yt|d }Wn'tk rqt j d|d dSXt |t |t ||g|_nZ|dkr|jst j ddS|d}t |g|_nt j d|dSdS(NRsMore than one direct tag.tchains$Parse Error: chain outside of directtipvttabletrules#Parse Error: rule outside of directtipv4tipv6tebs"'%s' not from {'ipv4'|'ipv6'|'eb'}tprioritys'Parse Error: %s is not a valid priorityt passthroughs&Parse Error: command outside of directsUnknown XML element %s(RRR(Rt startElementRtparser_check_element_attrsRR R t PARSE_ERRORtTrueRterrort add_chainRt INVALID_IPVtintt ValueErrort_rulet _passthrough(RtnametattrsRRRR((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR,sT                          cCstj|||dkr|jrm|jjgt|jD]}t|^q>|jj|jn t j dd|_nz|dkr|jr|j jgt|jD]}t|^q|jj |j nt j ddd|_ ndS(NRs2Error: rule does not have any arguments, ignoring.Rs0Error: passthrough does not have any arguments, s ignoring.(Rt endElementt_elementR%tappendRRRtadd_ruleRR tNoneR&tadd_passthrough(RR'tx((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR)^s    &     & (t__name__t __module__RRR)(((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR 's  
2tDirectcBseZdZdd(gfddddddgfgfdddgfgffZdZid)d6dd d gd 6dd d d gd 6dgd 6ZiZdZdZ dZ dZ dZ dZ dZdZdZdZdZdZdZdZdZdZdZdZd Zd!Zd"Zd#Zd$Zd%Zd&Z d'Z!RS(*s Direct class tchainsttrulesit passthroughss(a(sss)a(sssias)a(sas))RRRRRRRcCsDtt|j||_t|_t|_t|_dS(N(tsuperR2RtfilenameRR3R5R6(RR8((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyRs    cCsdS(N((RtconfR((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt _check_configsc CsNg}g}xO|jD]D}x;|j|D],}|jtt|t|gq*WqW|j|g}xe|jD]Z}xQ|j|D]B}|jt|d|d|d|dt|dfqWq{W|j|g}xH|jD]=}x4|j|D]%}|jt|t|fq WqW|j|t|S(Niii(R3R+ttupletlistR5R6(RtretR/tkeyRR((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt export_configs$. % ' cCs|j|j|xt|jD]\}\}}|dkrjx"||D]}|j|qPWn|dkrx"||D]}|j|qWn|dkr'x"||D]}|j|qWq'q'WdS(NR3R5R6(tcleanupt check_configt enumeratetIMPORT_EXPORT_STRUCTURER!R,R.(RR9titelementtdummyR/((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt import_configs  "   cCs+|jj|jj|jjdS(N(R3tclearR5R6(R((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR@s  cCsdGHx;|jD]0}d|d|ddj|j|fGHqWdGHxe|jD]Z}d|d|d|dfGHx3|j|D]$\}}d |d j|fGHqWqRWd GHxD|jD]9}d |GHx'|j|D]}d d j|GHqWqWdS(NR3s (%s, %s): %siit,R5s (%s, %s, %s):is (%d, ('%s'))s','R6s %s:s ('%s')(R3tjoinR5R6(RR>Rtargs((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pytoutputs  cCs>dddg}||kr:ttjd||fndS(NRRRs'%s' not in '%s'(R R R"(RRtipvs((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt _check_ipvs  cCsf|j||dkr(tjjn tjj}||krbttjd||fndS(NRRs'%s' not in '%s'(sipv4sipv6(RNR tBUILT_IN_CHAINStkeysR R R t INVALID_TABLE(RRRttables((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt_check_ipv_tables    cCs|j||||f}||jkr;g|j|((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR!s  cCs|j||||f}||jkr{||j|kr{|j|j|t|j|dkr|j|=qntd|||fdS(Nis4Chain '%s' with table '%s' with ipv '%s' not in list(RSR3tremovetlenR$(RRRRR>((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt remove_chains 
"cCs<|j||||f}||jko;||j|kS(N(RSR3(RRRRR>((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt query_chains cCsP|j||||f}||jkr6|j|Std||fdS(Ns&No chains for table '%s' with ipv '%s'(RSR3R$(RRRR>((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt get_chainss   cCs|jS(N(R3(R((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pytget_all_chainsscCs|j|||||f}||jkrAt|j|tvalue((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR,s'cCs|j|||||f}|t|f}||jkr||j|kr|j||=t|j|dkr|j|=qn0tddj|||fd||fdS(Nis(Rule '%s' for table '%s' and chain '%s' s',s)with ipv '%s' and priority %d not in list(RSR;R5RVR$RJ(RRRRRRKR>R[((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt remove_rules"cCs|j|||||f}||jkrx)|j|jD]}|j||=qBWt|j|dkr|j|=qndS(Ni(RSR5RPRV(RRRRR>R[((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt remove_rules"scCsQ|j|||||f}|t|f}||jkoP||j|kS(N(RSR;R5(RRRRRRKR>R[((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt query_rule+scCs[|j|||||f}||jkr9|j|Std||fd|dS(Ns'No rules for table '%s' and chain '%s' s with ipv '%s'(RSR5R$(RRRRR>((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt get_rules1s  cCs|jS(N(R5(R((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyt get_all_rules:scCs~|j|||jkr,g|j|RRRRRK((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pytwriteusZ               (R4R4R4N("R0R1t__doc__RCtDBUS_SIGNATURER-tPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSRR:R?RGR@RLRNRSR!RWRXRYRZR,R\R]R^R_R`R.RaRbRcRdRwR(((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyR2usJ                  (txml.saxRhR{RR~tfirewallRtfirewall.fw_typesRtfirewall.functionsRRRtfirewall.core.io.io_objectRRRtfirewall.core.loggerRt firewall.coreR R R tfirewall.errorsR R R2(((s;/usr/lib/python2.7/site-packages/firewall/core/io/direct.pyts   Ncore/io/icmptype.pyc000064400000014125147576556050010501 0ustar00 c`c@sdddgZddljZddlZddlZddlZddlmZddlm Z ddl m Z m Z m Z mZddlmZdd lmZdd lmZde fd 
YZd e fd YZdZddZdS(tIcmpTypeticmptype_readerticmptype_writeriN(tconfig(t u2b_if_py2(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGenerator(tlog(terrors(t FirewallErrorcBseZdddddgffZdZddgZidd6dd6dd6Zid dgd6d d gd6Zd Zd Z dZ dZ RS(tversionttshortt descriptiont destinations(sssas)t_t-ticmptypetnametipv4tipv6cCs;tt|jd|_d|_d|_g|_dS(NR (tsuperRt__init__R RRR(tself((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pyR8s    cCs&d|_d|_d|_|j2dS(NR (R RRR(R((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pytcleanup?s   cCs_t|j|_t|j|_t|j|_g|jD]}t|^q@|_dS(s HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. Get rid of it once we throw out python 2 support.N(RR RRR(Rtm((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pytencode_stringsEscCsI|dkrEx6|D]+}|dkrttjd|qqWndS(NRRRs'%s' not from {'ipv4'|'ipv6'}(RR(R R tINVALID_DESTINATION(RRtitemR((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pyt _check_configNs     (sversionR (sshortR (s descriptionR N( t__name__t __module__tIMPORT_EXPORT_STRUCTUREtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARStNonetPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSRRRR(((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pyR%s"      ticmptype_ContentHandlercBseZdZRS(cCstj||||jj|||dkrxd|krVtjd|dnd|kr|d|j_qn|dkrns|dkrnd|dkrxUdd gD]D}||kr||jd kr|jjj t |qqWndS( NRRs'Ignoring deprecated attribute name='%s'R RRRRRtyesttrue(syesR*( Rt startElementRtparser_check_element_attrsR twarningR tlowerRtappendtstr(RRtattrstx((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pyR+Ys"        (R R!R+(((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pyR(Xsc CsYt}|jds1ttjd|n|d |_|j|j||_||_|j t j rxt nt |_|j|_t|}tj}|j|d||f}t|di}tjd}|j|y|j|Wn2tjk r5}ttjd|jnXWdQX~~trU|jn|S(Ns.xmls%s is missing .xml suffixis%s/%strbsnot a valid icmptype file: %s(RtendswithR R t INVALID_NAMERt check_nametfilenametpatht startswithRt 
ETC_FIREWALLDtFalsetTruetbuiltintdefaultR(tsaxt make_parsertsetContentHandlertopent InputSourceR%t setByteStreamtparsetSAXParseExceptiontINVALID_ICMPTYPEt getExceptionRR( R7R8RthandlertparserRtftsourcetmsg((s=/usr/lib/python2.7/site-packages/firewall/core/io/icmptype.pyRms8     !       c Cs|r |n|j}|jr4d||jf}nd||jf}tjj|rytj|d|Wqtk r}tj d||qXntjj |}|j t j rtjj| rtjjt j stjt j dntj|dntj|dddd }t|}|ji}|jrq|jd krq|j|d s   "3 core/io/io_object.pyo000064400000032204147576556050010616 0ustar00 c`c@sadZddddddddgZd d ljZd d ljjZd d lZd d lZd d lm Z d d l m Z d d lm Z d dl mZejdkZdefdYZdefdYZdefdYZdefdYZdejjfdYZdejfdYZdZdZdZdZd S(s5Generic io_object handler, io specific check methods.tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGeneratort check_portt check_tcpudptcheck_protocolt check_addressiN(t functions(tb2u(terrors(t FirewallErrort3cBsteZdZd ZdZgZiZiZdZdZ dZ dZ dZ dZ dZd ZRS( s; Abstract IO_Object as base for icmptype, service and zone s()cCs1d|_d|_d|_t|_t|_dS(Nt(tfilenametpathtnametFalsetdefaulttbuiltin(tself((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt__init__1s     cCsGg}x4|jD])}|jtjt||dqWt|S(Ni(tIMPORT_EXPORT_STRUCTUREtappendtcopytdeepcopytgetattrttuple(Rtrettx((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt export_config8s'cCs|j|xt|jD]\}\}}t||trg}t}x;||D]/}||kr\|j||j|q\q\W~t||t j |qt||t j ||qWdS(N( t check_configt enumerateRt isinstancetlisttsetRtaddtsetattrRR(Rtconftitelementtdummyt_conft_setR((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt import_config>s "   cCst|ts=ttjd|tdt|fnt|dkrdttjdnxI|D]A}|j rk||j krkttjd||fqkqkWdS(Ns'%s' not of type %s, but %sR isname can't be emptys'%s' is not allowed in '%s'( R!tstrR R t INVALID_TYPEttypetlent INVALID_NAMEtisalnumtADDITIONAL_ALNUM_CHARS(RRtchar((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt check_nameNs  cCst|t|jkrIttjdt|t|jfnxKt|jD]:\}\}}|j||||j|||qYWdS(Ns structure size mismatch %d != %d(R0RR R R.R t_check_config_structuret 
_check_config(RR&R'R(tvalue((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR[s""cCsdS(N((Rtdummy1tdummy2((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR7esc Cst|t|ksFttjd|t|t|fnt|trt|dkrttjd|nx||D]}|j||dqWnWt|tr(t|t|krttjd|t|fnxt |D] \}}|j|||qWnt|t rt|j d\}}x|j D]\}}t|t|krttjd|t|t|fnt|t|kr`ttjd|t|t|fq`q`WndS(Ns'%s' not of type %s, but %sislen('%s') != 1islen('%s') != %d( R/R R R.R!R"R0R6RR tdicttitems( RR&t structureRR'R8tskeytsvaluetkey((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR6is8 "    " cCs,|j}t}||jkrt}|j|dk rxP|j|D]>}||krj|j|qHttjd||fqHWqn||j krt}x4|j |D]"}||kr|j|qqWn|sttjd|nx*|D]"}ttjd||fqWdS(NsMissing attribute %s for %ssUnexpected element %ss%s: Unexpected attribute %s( tgetNamesRtPARSER_REQUIRED_ELEMENT_ATTRStTruetNonetremoveR R t PARSE_ERRORtPARSER_OPTIONAL_ELEMENT_ATTRS(RRtattrst_attrstfoundR((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pytparser_check_element_attrss,      ((t__name__t __module__t__doc__RtDBUS_SIGNATURER3RBRGRRR,R5RR7R6RK(((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR(s     !tUnexpectedElementErrorcBseZdZdZRS(cCs tt|j||_dS(N(tsuperRPRR(RR((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRscCs d|jS(NsUnexpected element '%s'(R(R((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt__str__s(RLRMRRR(((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRPs tMissingAttributeErrorcBseZdZdZRS(cCs)tt|j||_||_dS(N(RQRSRRt attribute(RRRT((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRs cCsd|j|jfS(Ns$Element '%s': missing '%s' attribute(RRT(R((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRRs(RLRMRRR(((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRSs tUnexpectedAttributeErrorcBseZdZdZRS(cCs)tt|j||_||_dS(N(RQRURRRT(RRRT((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRs cCsd|j|jfS(Ns'Element '%s': unexpected attribute 
'%s'(RRT(R((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRRs(RLRMRRR(((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRUs cBs5eZdZdZdZdZdZRS(cCs||_d|_dS(NR (titemt_element(RRV((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRs cCs d|_dS(NR (RW(R((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt startDocumentscCs d|_dS(NR (RW(RRRH((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt startElementscCs@|dkr|j|j_n|dkr<|j|j_ndS(Ntshortt description(RWRVRZR[(RR((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt endElements  cCs|j|jdd7_dS(Ns t (RWtreplace(Rtcontent((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt characterss(RLRMRRXRYR\R`(((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRs     cBs>eZdZdZdZdZdZdZRS(cCsotjjj||j|_|j|_ig|_|jd|_ g|_ d|_ t |_ t |_dS(Nisutf-8(tsaxthandlertContentHandlerRtwritet_writetflusht_flusht _ns_contextst_current_contextt_undeclared_ns_mapst _encodingRt_pending_start_elementt_short_empty_elements(Rtout((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRs      cCs9trd|jD}ntjj|||dS(s saxutils.XMLGenerator.startElement() expects name and attrs to be unicode and bad things happen if any of them is (utf-8) encoded. We override the method here to sanitize this case. Can be removed once we drop Python2 support. cSs+i|]!\}}t|t|qS((R (t.0RR8((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pys s N(RR<tsaxutilst XMLGeneratorRY(RRRH((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRYscCstrv|jdt|xF|jD]8\}}|jdt|tjt|fq*W|jdn[|jd|x:|jD],\}}|jd|tj|fqW|jddS(s* slightly modified startElement() utN(RReR R<Rpt quoteattr(RRRHR8((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt simpleElements$cCstjj|t|dS(s saxutils.XMLGenerator.endElement() expects name to be unicode and bad things happen if it's (utf-8) encoded. We override the method here to sanitize this case. 
Can be removed once we drop Python2 support. N(RpRqR\R (RR((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR\scCstjj|t|dS(s saxutils.XMLGenerator.characters() expects content to be unicode and bad things happen if it's (utf-8) encoded. We override the method here to sanitize this case. Can be removed once we drop Python2 support. N(RpRqR`R (RR_((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR`scCstjj|t|dS(s saxutils.XMLGenerator.ignorableWhitespace() expects content to be unicode and bad things happen if it's (utf-8) encoded. We override the method here to sanitize this case. Can be removed once we drop Python2 support. N(RpRqtignorableWhitespaceR (RR_((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRus(RLRMRRYRtR\R`Ru(((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRs     cCstj|}|dkr4ttjd|n|dkrYttjd|nd|dkr~ttjd|n?t|dkr|d|dkrttjd|ndS( Nisport number in '%s' is too bigis'%s' is invalid port rangesport range '%s' is ambiguousiii(Rt getPortRangeR R t INVALID_PORTRDR0(tportt port_range((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRs      & cCs)|dkr%ttjd|ndS(Nttcptudptsctptdccps)'%s' not from {'tcp'|'udp'|'sctp'|'dccp'}(RzR{R|R}(R R tINVALID_PROTOCOL(tprotocol((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR&s  cCs(tj|s$ttj|ndS(N(Rt checkProtocolR R R~(R((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR,scCs5tj||s1ttjd||fndS(Ns'%s' is not valid %s address(RRR R t INVALID_ADDR(tipvtaddr((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR0s ( RNt__all__txml.saxRatxml.sax.saxutilsRpRtsystfirewallRtfirewall.functionsR R tfirewall.errorsR tversionRtobjectRt ExceptionRPRSRURbRcRRqRRRRR(((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyts,     C   core/io/__init__.pyo000064400000001662147576556050010424 0ustar00 c`c@sddlZdejkrddlmZeedsVdZeedenddlmZeedsdZ eede qndS( iNt_xmlplus(tAttributesImplt 
__contains__cCs|t|dkS(Nt_attrs(tgetattr(tselftname((s=/usr/lib/python2.7/site-packages/firewall/core/io/__init__.pyt__AttributesImpl__contains__s(t XMLGeneratort_writecCst|dj|dS(Nt_out(Rtwrite(Rttext((s=/usr/lib/python2.7/site-packages/firewall/core/io/__init__.pyt__XMLGenerator_write$s( txmlt__file__txml.sax.xmlreaderRthasattrRtsetattrtxml.sax.saxutilsRR (((s=/usr/lib/python2.7/site-packages/firewall/core/io/__init__.pyts   core/io/service.pyo000064400000021633147576556050010325 0ustar00 c`c@sdddgZddljZddlZddlZddlZddlmZddlm Z ddl m Z m Z m Z mZmZmZmZmZddlmZdd lmZdd lmZde fd YZd e fd YZdZddZdS(tServicetservice_readertservice_writeriN(tconfig(t u2b_if_py2(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGeneratort check_portt check_tcpudptcheck_protocolt check_address(tlog(terrors(t FirewallErrorc BseZdddddgfddgfdidd6fddgfddgffZd Zd d gZidd6dd6dd 6Zid dgd 6ddgd6dgd6d gd6ddgd6ddgd6ZdZdZ dZ dZ RS(tversionttshortt descriptiontportstmodulest destinationt protocolst source_portss(sssa(ss)asa{ss}asa(ss))t_t-tservicetnametporttprotocoltvaluetmoduletipv4tipv6s source-portcCs_tt|jd|_d|_d|_g|_g|_g|_i|_ g|_ dS(NR( tsuperRt__init__RRRRRRRR(tself((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pyR$As       cCsHd|_d|_d|_|j2|j2|j2|jj|j2dS(NR( RRRRRRRtclearR(R%((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pytcleanupLs    cCst|j|_t|j|_t|j|_g|jD]$\}}t|t|f^q@|_g|jD]}t|^qw|_d|jjD|_g|jD]}t|^q|_g|j D]$\}}t|t|f^q|_ dS(s HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. 
Get rid of it once we throw out python 2 support.cSs+i|]!\}}t|t|qS((R(t.0tktv((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pys _s N( RRRRRRRtitemsRR(R%tpotprtm((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pytencode_stringsVs7%%cCs|dkr]x|D]C}|ddkrHt|dt|dqt|dqWnH|dkrx9|D]}t|qpWn|dkrx|D]"}t|dt|dqWn|dkrx|D]<}|dkrttjd |nt|||qWn|d krx}|D]r}|jd rw|jd d}d |krw|jd d}qwnt |dkr,ttj |q,q,WndS(NRiRiRRRR!R"s'%s' not in {'ipv4'|'ipv6'}Rt nf_conntrack_RRi(R!R"( R R R RRtINVALID_DESTINATIONR t startswithtreplacetlentINVALID_MODULE(R%RtitemRtprotoRR ((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pyt _check_configds8              (sversionR(sshortR(s descriptionR(RR(RRN( t__name__t __module__tIMPORT_EXPORT_STRUCTUREtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARStNonetPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSR$R'R/R8(((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pyR&s2           tservice_ContentHandlercBseZdZRS(cCsxtj||||jj|||dkrwd|krUtjd|dnd|krt|d|j_qtn|dkrn|dkrn|dkr||ddkr't|dt|d |d|d f}||jj kr |jj j |qytjd |d|d qtt |d |d |jj kre|jj j |d qttjd |d n|d krt |d |d |jj kr|jj j |d qttjd |d n|d kr_t|dt|d |d|d f}||jj krA|jj j |qttjd|d|d n|dkrxddgD]_}||krxt|||||jjkrtjd|q|||jj|t setByteStreamtparsetSAXParseExceptiontINVALID_SERVICEt getExceptionRR/( RMRNRthandlertparserRtftsourcetmsg((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pyRs8     !       c Cs|r |n|j}|jr4d||jf}nd||jf}tjj|rytj|d|Wqtk r}tj d||qXntjj |}|j t j rtjj| rtjjt j stjt j dntj|dntj|dddd }t|}|ji}|jrq|jd krq|j|d R(((s</usr/lib/python2.7/site-packages/firewall/core/io/service.pyts   :dE core/io/lockdown_whitelist.py000064400000030617147576556050012424 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2011-2016 Red Hat, Inc. 
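#
# Authors:
# Thomas Woerner
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.
#

"""Lockdown whitelist XML handler, reader and writer.

The whitelist lists the commands, users, uids and SELinux contexts that
are allowed to change the firewall configuration while lockdown is
enabled.  Entries are validated with the ``check*`` helpers from
``firewall.functions`` both when they are added programmatically and when
they are imported from D-Bus (``_check_config``).
"""

import xml.sax as sax
import os
import io
import shutil

from firewall import config
from firewall.core.io.io_object import PY2, IO_Object, \
    IO_Object_ContentHandler, IO_Object_XMLGenerator
from firewall.core.logger import log
from firewall.functions import uniqify, checkUser, checkUid, checkCommand, \
    checkContext, u2b_if_py2
from firewall import errors
from firewall.errors import FirewallError


class lockdown_whitelist_ContentHandler(IO_Object_ContentHandler):
    """SAX content handler that fills a LockdownWhitelist while parsing.

    Elements outside the enclosing <whitelist> element and unknown
    elements are logged and ignored; a second <whitelist> element is a
    PARSE_ERROR.
    """

    def __init__(self, item):
        IO_Object_ContentHandler.__init__(self, item)
        # True once the <whitelist> root element has been seen.
        self.whitelist = False

    def startElement(self, name, attrs):
        """Dispatch one XML start tag to the matching add_* method.

        Attribute presence is checked first by parser_check_element_attrs
        against PARSER_REQUIRED_ELEMENT_ATTRS/PARSER_OPTIONAL_ELEMENT_ATTRS,
        so a missing required attribute is rejected there, not here.
        """
        IO_Object_ContentHandler.startElement(self, name, attrs)
        self.item.parser_check_element_attrs(name, attrs)
        if name == "whitelist":
            if self.whitelist:
                raise FirewallError(errors.PARSE_ERROR,
                                    "More than one whitelist.")
            self.whitelist = True
        elif name == "command":
            if not self.whitelist:
                log.error("Parse Error: command outside of whitelist")
                return
            command = attrs["name"]
            self.item.add_command(command)
        elif name == "user":
            if not self.whitelist:
                log.error("Parse Error: user outside of whitelist")
                return
            # A numeric "id" wins over "name" when both are present; an
            # element with neither attribute is silently ignored.
            if "id" in attrs:
                try:
                    uid = int(attrs["id"])
                except ValueError:
                    log.error("Parse Error: %s is not a valid uid" % attrs["id"])
                    return
                self.item.add_uid(uid)
            elif "name" in attrs:
                self.item.add_user(attrs["name"])
        elif name == "selinux":
            if not self.whitelist:
                log.error("Parse Error: selinux outside of whitelist")
                return
            if "context" not in attrs:
                log.error("Parse Error: no context")
                return
            self.item.add_context(attrs["context"])
        else:
            log.error('Unknown XML element %s' % name)
            return


class LockdownWhitelist(IO_Object):
    """ LockdownWhitelist class """

    IMPORT_EXPORT_STRUCTURE = (
        ( "commands", [ "" ] ),   # as
        ( "contexts", [ "" ] ),   # as
        ( "users", [ "" ] ),      # as
        ( "uids", [ 0 ] )         # ai
    )
    DBUS_SIGNATURE = '(asasasai)'
    ADDITIONAL_ALNUM_CHARS = [ "_" ]
    PARSER_REQUIRED_ELEMENT_ATTRS = {
        "whitelist": None,
        "command": [ "name" ],
        "user": None,
#        "group": None,
        "selinux": [ "context" ],
    }
    PARSER_OPTIONAL_ELEMENT_ATTRS = {
        "user": [ "id", "name" ],
#        "group": [ "id", "name" ],
    }

    def __init__(self, filename):
        """Create an empty whitelist bound to *filename* (nothing is read)."""
        super(LockdownWhitelist, self).__init__()
        self.filename = filename
        self.parser = None
        self.commands = [ ]
        self.contexts = [ ]
        self.users = [ ]
        self.uids = [ ]
#        self.gids = [ ]
#        self.groups = [ ]

    def _check_config(self, config, item):
        """Validate one IMPORT_EXPORT_STRUCTURE field of an imported config.

        For the plural list fields the check recurses on every element with
        the singular item name (``item[:-1]``); a single value that fails its
        check* helper raises the matching INVALID_* FirewallError.
        """
        if item in [ "commands", "contexts", "users", "uids" ]:
            for x in config:
                self._check_config(x, item[:-1])
        elif item == "command":
            if not checkCommand(config):
                raise FirewallError(errors.INVALID_COMMAND, config)
        elif item == "context":
            if not checkContext(config):
                raise FirewallError(errors.INVALID_CONTEXT, config)
        elif item == "user":
            if not checkUser(config):
                raise FirewallError(errors.INVALID_USER, config)
        elif item == "uid":
            if not checkUid(config):
                raise FirewallError(errors.INVALID_UID, config)

    def cleanup(self):
        """Empty all entry lists in place (the list objects are kept)."""
        del self.commands[:]
        del self.contexts[:]
        del self.users[:]
        del self.uids[:]
#        del self.gids[:]
#        del self.groups[:]

    def encode_strings(self):
        """ HACK. I haven't been able to make sax parser return
            strings encoded (because of python 2) instead of in unicode.
            Get rid of it once we throw out python 2 support."""
        self.commands = [ u2b_if_py2(x) for x in self.commands ]
        self.contexts = [ u2b_if_py2(x) for x in self.contexts ]
        self.users = [ u2b_if_py2(x) for x in self.users ]

    # commands

    def add_command(self, command):
        """Append *command*; INVALID_COMMAND if malformed, ALREADY_ENABLED if present."""
        if not checkCommand(command):
            raise FirewallError(errors.INVALID_COMMAND, command)
        if command not in self.commands:
            self.commands.append(command)
        else:
            raise FirewallError(errors.ALREADY_ENABLED,
                                'Command "%s" already in whitelist' % command)

    def remove_command(self, command):
        """Remove *command*; NOT_ENABLED if it is not listed."""
        if command in self.commands:
            self.commands.remove(command)
        else:
            raise FirewallError(errors.NOT_ENABLED,
                                'Command "%s" not in whitelist.' % command)

    def has_command(self, command):
        """Exact membership test (no wildcard expansion)."""
        return (command in self.commands)

    def match_command(self, command):
        """Return True if *command* is covered by a whitelist entry.

        An entry ending in "*" is a plain prefix match on the part before the
        "*", so "/usr/bin/foo*" also covers "/usr/bin/foobar"; any other entry
        must be equal to *command*.  Keep wildcard entries as specific as
        possible for that reason.
        """
        for _command in self.commands:
            if _command.endswith("*"):
                if command.startswith(_command[:-1]):
                    return True
            else:
                if _command == command:
                    return True
        return False

    def get_commands(self):
        """Return the live list of command entries (not a copy)."""
        return self.commands

    # user ids

    def add_uid(self, uid):
        """Append *uid*; INVALID_UID if checkUid rejects it, ALREADY_ENABLED if present."""
        if not checkUid(uid):
            raise FirewallError(errors.INVALID_UID, str(uid))
        if uid not in self.uids:
            self.uids.append(uid)
        else:
            raise FirewallError(errors.ALREADY_ENABLED,
                                'Uid "%s" already in whitelist' % uid)

    def remove_uid(self, uid):
        """Remove *uid*; NOT_ENABLED if it is not listed."""
        if uid in self.uids:
            self.uids.remove(uid)
        else:
            raise FirewallError(errors.NOT_ENABLED,
                                'Uid "%s" not in whitelist.' % uid)

    def has_uid(self, uid):
        """Membership test for *uid*."""
        return (uid in self.uids)

    def match_uid(self, uid):
        """Same as has_uid: uids match exactly, there is no wildcard form."""
        return (uid in self.uids)

    def get_uids(self):
        """Return the live list of uid entries (not a copy)."""
        return self.uids

    # users

    def add_user(self, user):
        """Append *user*; INVALID_USER if checkUser rejects it, ALREADY_ENABLED if present."""
        if not checkUser(user):
            raise FirewallError(errors.INVALID_USER, user)
        if user not in self.users:
            self.users.append(user)
        else:
            raise FirewallError(errors.ALREADY_ENABLED,
                                'User "%s" already in whitelist' % user)

    def remove_user(self, user):
        """Remove *user*; NOT_ENABLED if it is not listed."""
        if user in self.users:
            self.users.remove(user)
        else:
            raise FirewallError(errors.NOT_ENABLED,
                                'User "%s" not in whitelist.' % user)

    def has_user(self, user):
        """Membership test for *user*."""
        return (user in self.users)

    def match_user(self, user):
        """Same as has_user: user names match exactly, there is no wildcard form."""
        return (user in self.users)

    def get_users(self):
        """Return the live list of user-name entries (not a copy)."""
        return self.users

#    # group ids
#
#    def add_gid(self, gid):
#        if gid not in self.gids:
#            self.gids.append(gid)
#
#    def remove_gid(self, gid):
#        if gid in self.gids:
#            self.gids.remove(gid)
#        else:
#            raise FirewallError(errors.NOT_ENABLED,
#                                'Gid "%s" not in whitelist.' % gid)
#
#    def has_gid(self, gid):
#        return (gid in self.gids)
#
#    def match_gid(self, gid):
#        return (gid in self.gids)
#
#    def get_gids(self):
#        return self.gids

#    # groups
#
#    def add_group(self, group):
#        if group not in self.groups:
#            self.groups.append(group)
#
#    def remove_group(self, group):
#        if group in self.groups:
#            self.groups.remove(group)
#        else:
#            raise FirewallError(errors.NOT_ENABLED,
#                                'Group "%s" not in whitelist.' % group)
#
#    def has_group(self, group):
#        return (group in self.groups)
#
#    def match_group(self, group):
#        return (group in self.groups)
#
#    def get_groups(self):
#        return self.groups

    # selinux contexts

    def add_context(self, context):
        """Append *context*; INVALID_CONTEXT if malformed, ALREADY_ENABLED if present."""
        if not checkContext(context):
            raise FirewallError(errors.INVALID_CONTEXT, context)
        if context not in self.contexts:
            self.contexts.append(context)
        else:
            raise FirewallError(errors.ALREADY_ENABLED,
                                'Context "%s" already in whitelist' % context)

    def remove_context(self, context):
        """Remove *context*; NOT_ENABLED if it is not listed."""
        if context in self.contexts:
            self.contexts.remove(context)
        else:
            raise FirewallError(errors.NOT_ENABLED,
                                'Context "%s" not in whitelist.' % context)

    def has_context(self, context):
        """Membership test for *context*."""
        return (context in self.contexts)

    def match_context(self, context):
        """Same as has_context: contexts match exactly, there is no wildcard form."""
        return (context in self.contexts)

    def get_contexts(self):
        """Return the live list of SELinux context entries (not a copy)."""
        return self.contexts

    # read and write

    def read(self):
        """Reset the object and load it from ``self.filename``.

        Raises INVALID_NAME if the file name lacks the ".xml" suffix and
        INVALID_TYPE if the SAX parser reports a parse error.  Entry
        validation happens in the add_* methods called by the handler.
        """
        self.cleanup()
        if not self.filename.endswith(".xml"):
            raise FirewallError(errors.INVALID_NAME,
                                "'%s' is missing .xml suffix" % self.filename)
        handler = lockdown_whitelist_ContentHandler(self)
        parser = sax.make_parser()
        parser.setContentHandler(handler)
        try:
            parser.parse(self.filename)
        except sax.SAXParseException as msg:
            raise FirewallError(errors.INVALID_TYPE,
                                "Not a valid file: %s" % \
                                msg.getException())
        del handler
        del parser
        if PY2:
            self.encode_strings()

    def write(self):
        """Serialize the whitelist to ``self.filename`` as XML.

        An existing file is first copied to "<filename>.old" (copy2 keeps its
        permission bits); a failed backup is reported as IOError and nothing
        is written.  ETC_FIREWALLD is created with mode 0o750 if missing.
        Duplicate entries are collapsed by uniqify on output.  The file is
        opened in a ``with`` block so it is closed even if the XML generator
        raises part-way through.
        """
        if os.path.exists(self.filename):
            try:
                shutil.copy2(self.filename, "%s.old" % self.filename)
            except Exception as msg:
                raise IOError("Backup of '%s' failed: %s" % (self.filename, msg))

        if not os.path.exists(config.ETC_FIREWALLD):
            os.mkdir(config.ETC_FIREWALLD, 0o750)

        with io.open(self.filename, mode='wt', encoding='UTF-8') as f:
            handler = IO_Object_XMLGenerator(f)
            handler.startDocument()

            # start whitelist element
            handler.startElement("whitelist", { })
            handler.ignorableWhitespace("\n")

            # commands
            for command in uniqify(self.commands):
                handler.ignorableWhitespace(" ")
                handler.simpleElement("command", { "name": command })
                handler.ignorableWhitespace("\n")

            for uid in uniqify(self.uids):
                handler.ignorableWhitespace(" ")
                handler.simpleElement("user", { "id": str(uid) })
                handler.ignorableWhitespace("\n")

            for user in uniqify(self.users):
                handler.ignorableWhitespace(" ")
                handler.simpleElement("user", { "name": user })
                handler.ignorableWhitespace("\n")

#            for gid in uniqify(self.gids):
#                handler.ignorableWhitespace(" ")
#                handler.simpleElement("user", { "id": str(gid) })
#                handler.ignorableWhitespace("\n")

#            for group in uniqify(self.groups):
#                handler.ignorableWhitespace(" ")
#                handler.simpleElement("group", { "name": group })
#                handler.ignorableWhitespace("\n")

            for context in uniqify(self.contexts):
                handler.ignorableWhitespace(" ")
                handler.simpleElement("selinux", { "context": context })
                handler.ignorableWhitespace("\n")

            # end whitelist element
            handler.endElement("whitelist")
            handler.ignorableWhitespace("\n")
            handler.endDocument()
        del handler

# core/io/ipset.py000064000000511711475765560500076320ustar00
# -*- coding: utf-8 -*-
#
# Copyright (C) 2015-2016 Red Hat, Inc.
#
# Authors:
# Thomas Woerner
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program.  If not, see <http://www.gnu.org/licenses/>.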
# """ipset io XML handler, reader, writer""" __all__ = [ "IPSet", "ipset_reader", "ipset_writer" ] import xml.sax as sax import os import io import shutil from firewall import config from firewall.functions import checkIP, checkIP6, checkIPnMask, \ checkIP6nMask, u2b_if_py2, check_mac, check_port, checkInterface, \ checkProtocol from firewall.core.io.io_object import PY2, IO_Object, \ IO_Object_ContentHandler, IO_Object_XMLGenerator from firewall.core.ipset import IPSET_TYPES, IPSET_CREATE_OPTIONS from firewall.core.icmp import check_icmp_name, check_icmp_type, \ check_icmpv6_name, check_icmpv6_type from firewall.core.logger import log from firewall import errors from firewall.errors import FirewallError class IPSet(IO_Object): IMPORT_EXPORT_STRUCTURE = ( ( "version", "" ), # s ( "short", "" ), # s ( "description", "" ), # s ( "type", "" ), # s ( "options", { "": "", }, ), # a{ss} ( "entries", [ "" ], ), # as ) DBUS_SIGNATURE = '(ssssa{ss}as)' ADDITIONAL_ALNUM_CHARS = [ "_", "-", ":", "." ] PARSER_REQUIRED_ELEMENT_ATTRS = { "short": None, "description": None, "ipset": [ "type" ], "option": [ "name" ], "entry": None, } PARSER_OPTIONAL_ELEMENT_ATTRS = { "ipset": [ "version" ], "option": [ "value" ], } def __init__(self): super(IPSet, self).__init__() self.version = "" self.short = "" self.description = "" self.type = "" self.entries = [ ] self.options = { } self.applied = False def cleanup(self): self.version = "" self.short = "" self.description = "" self.type = "" del self.entries[:] self.options.clear() self.applied = False def encode_strings(self): """ HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. 
Get rid of it once we throw out python 2 support.""" self.version = u2b_if_py2(self.version) self.short = u2b_if_py2(self.short) self.description = u2b_if_py2(self.description) self.type = u2b_if_py2(self.type) self.options = { u2b_if_py2(k):u2b_if_py2(v) for k, v in self.options.items() } self.entries = [ u2b_if_py2(e) for e in self.entries ] @staticmethod def check_entry(entry, options, ipset_type): family = "ipv4" if "family" in options: if options["family"] == "inet6": family = "ipv6" if not ipset_type.startswith("hash:"): raise FirewallError(errors.INVALID_IPSET, "ipset type '%s' not usable" % ipset_type) flags = ipset_type[5:].split(",") items = entry.split(",") if len(flags) != len(items) or len(flags) < 1: raise FirewallError( errors.INVALID_ENTRY, "entry '%s' does not match ipset type '%s'" % \ (entry, ipset_type)) for i in range(len(flags)): flag = flags[i] item = items[i] if flag == "ip": if "-" in item and family == "ipv4": # IP ranges only with plain IPs, no masks if i > 1: raise FirewallError( errors.INVALID_ENTRY, "invalid address '%s' in '%s'[%d]" % \ (item, entry, i)) splits = item.split("-") if len(splits) != 2: raise FirewallError( errors.INVALID_ENTRY, "invalid address range '%s' in '%s' for %s (%s)" % \ (item, entry, ipset_type, family)) for _split in splits: if (family == "ipv4" and not checkIP(_split)) or \ (family == "ipv6" and not checkIP6(_split)): raise FirewallError( errors.INVALID_ENTRY, "invalid address '%s' in '%s' for %s (%s)" % \ (_split, entry, ipset_type, family)) else: # IPs with mask only allowed in the first # position of the type if family == "ipv4": if item == "0.0.0.0": raise FirewallError( errors.INVALID_ENTRY, "invalid address '%s' in '%s' for %s (%s)" % \ (item, entry, ipset_type, family)) if i == 0: ip_check = checkIPnMask else: ip_check = checkIP else: ip_check = checkIP6 if not ip_check(item): raise FirewallError( errors.INVALID_ENTRY, "invalid address '%s' in '%s' for %s (%s)" % \ (item, entry, ipset_type, family)) 
elif flag == "net": if "-" in item: # IP ranges only with plain IPs, no masks splits = item.split("-") if len(splits) != 2: raise FirewallError( errors.INVALID_ENTRY, "invalid address range '%s' in '%s' for %s (%s)" % \ (item, entry, ipset_type, family)) # First part can only be a plain IP if (family == "ipv4" and not checkIP(splits[0])) or \ (family == "ipv6" and not checkIP6(splits[0])): raise FirewallError( errors.INVALID_ENTRY, "invalid address '%s' in '%s' for %s (%s)" % \ (splits[0], entry, ipset_type, family)) # Second part can also have a mask if (family == "ipv4" and not checkIPnMask(splits[1])) or \ (family == "ipv6" and not checkIP6nMask(splits[1])): raise FirewallError( errors.INVALID_ENTRY, "invalid address '%s' in '%s' for %s (%s)" % \ (splits[1], entry, ipset_type, family)) else: # IPs with mask allowed in all positions, but no /0 if item.endswith("/0"): if not (family == "ipv6" and i == 0 and ipset_type == "hash:net,iface"): raise FirewallError( errors.INVALID_ENTRY, "invalid address '%s' in '%s' for %s (%s)" % \ (item, entry, ipset_type, family)) if (family == "ipv4" and not checkIPnMask(item)) or \ (family == "ipv6" and not checkIP6nMask(item)): raise FirewallError( errors.INVALID_ENTRY, "invalid address '%s' in '%s' for %s (%s)" % \ (item, entry, ipset_type, family)) elif flag == "mac": # ipset does not allow to add 00:00:00:00:00:00 if not check_mac(item) or item == "00:00:00:00:00:00": raise FirewallError( errors.INVALID_ENTRY, "invalid mac address '%s' in '%s'" % (item, entry)) elif flag == "port": if ":" in item: splits = item.split(":") if len(splits) != 2: raise FirewallError( errors.INVALID_ENTRY, "invalid port '%s'" % (item)) if splits[0] == "icmp": if family != "ipv4": raise FirewallError( errors.INVALID_ENTRY, "invalid protocol for family '%s' in '%s'" % \ (family, entry)) if not check_icmp_name(splits[1]) and not \ check_icmp_type(splits[1]): raise FirewallError( errors.INVALID_ENTRY, "invalid icmp type '%s' in '%s'" % \ (splits[1], 
entry)) elif splits[0] in [ "icmpv6", "ipv6-icmp" ]: if family != "ipv6": raise FirewallError( errors.INVALID_ENTRY, "invalid protocol for family '%s' in '%s'" % \ (family, entry)) if not check_icmpv6_name(splits[1]) and not \ check_icmpv6_type(splits[1]): raise FirewallError( errors.INVALID_ENTRY, "invalid icmpv6 type '%s' in '%s'" % \ (splits[1], entry)) elif splits[0] not in [ "tcp", "sctp", "udp", "udplite" ] \ and not checkProtocol(splits[0]): raise FirewallError( errors.INVALID_ENTRY, "invalid protocol '%s' in '%s'" % (splits[0], entry)) elif not check_port(splits[1]): raise FirewallError( errors.INVALID_ENTRY, "invalid port '%s'in '%s'" % (splits[1], entry)) else: if not check_port(item): raise FirewallError( errors.INVALID_ENTRY, "invalid port '%s' in '%s'" % (item, entry)) elif flag == "mark": if item.startswith("0x"): try: int_val = int(item, 16) except ValueError: raise FirewallError( errors.INVALID_ENTRY, "invalid mark '%s' in '%s'" % (item, entry)) else: try: int_val = int(item) except ValueError: raise FirewallError( errors.INVALID_ENTRY, "invalid mark '%s' in '%s'" % (item, entry)) if int_val < 0 or int_val > 4294967295: raise FirewallError( errors.INVALID_ENTRY, "invalid mark '%s' in '%s'" % (item, entry)) elif flag == "iface": if not checkInterface(item) or len(item) > 15: raise FirewallError( errors.INVALID_ENTRY, "invalid interface '%s' in '%s'" % (item, entry)) else: raise FirewallError(errors.INVALID_IPSET, "ipset type '%s' not usable" % ipset_type) def _check_config(self, config, item): if item == "type": if config not in IPSET_TYPES: raise FirewallError(errors.INVALID_TYPE, "'%s' is not valid ipset type" % config) if item == "options": for key in config.keys(): if key not in IPSET_CREATE_OPTIONS: raise FirewallError(errors.INVALID_IPSET, "ipset invalid option '%s'" % key) if key in [ "timeout", "hashsize", "maxelem" ]: try: int_value = int(config[key]) except ValueError: raise FirewallError( errors.INVALID_VALUE, "Option '%s': Value '%s' is 
not an integer" % \ (key, config[key])) if int_value < 0: raise FirewallError( errors.INVALID_VALUE, "Option '%s': Value '%s' is negative" % \ (key, config[key])) elif key == "family" and \ config[key] not in [ "inet", "inet6" ]: raise FirewallError(errors.INVALID_FAMILY, config[key]) def import_config(self, config): if "timeout" in config[4] and config[4]["timeout"] != "0": if len(config[5]) != 0: raise FirewallError(errors.IPSET_WITH_TIMEOUT) for entry in config[5]: IPSet.check_entry(entry, config[4], config[3]) super(IPSet, self).import_config(config) # PARSER class ipset_ContentHandler(IO_Object_ContentHandler): def startElement(self, name, attrs): IO_Object_ContentHandler.startElement(self, name, attrs) self.item.parser_check_element_attrs(name, attrs) if name == "ipset": if "type" in attrs: if attrs["type"] not in IPSET_TYPES: raise FirewallError(errors.INVALID_TYPE, "%s" % attrs["type"]) self.item.type = attrs["type"] if "version" in attrs: self.item.version = attrs["version"] elif name == "short": pass elif name == "description": pass elif name == "option": value = "" if "value" in attrs: value = attrs["value"] if attrs["name"] not in \ [ "family", "timeout", "hashsize", "maxelem" ]: raise FirewallError( errors.INVALID_OPTION, "Unknown option '%s'" % attrs["name"]) if self.item.type == "hash:mac" and attrs["name"] in [ "family" ]: raise FirewallError( errors.INVALID_OPTION, "Unsupported option '%s' for type '%s'" % \ (attrs["name"], self.item.type)) if attrs["name"] in [ "family", "timeout", "hashsize", "maxelem" ] \ and not value: raise FirewallError( errors.INVALID_OPTION, "Missing mandatory value of option '%s'" % attrs["name"]) if attrs["name"] in [ "timeout", "hashsize", "maxelem" ]: try: int_value = int(value) except ValueError: raise FirewallError( errors.INVALID_VALUE, "Option '%s': Value '%s' is not an integer" % \ (attrs["name"], value)) if int_value < 0: raise FirewallError( errors.INVALID_VALUE, "Option '%s': Value '%s' is negative" % \ 
(attrs["name"], value)) if attrs["name"] == "family" and value not in [ "inet", "inet6" ]: raise FirewallError(errors.INVALID_FAMILY, value) if attrs["name"] not in self.item.options: self.item.options[attrs["name"]] = value else: log.warning("Option %s already set, ignoring.", attrs["name"]) # nothing to do for entry and entries here def endElement(self, name): IO_Object_ContentHandler.endElement(self, name) if name == "entry": self.item.entries.append(self._element) def ipset_reader(filename, path): ipset = IPSet() if not filename.endswith(".xml"): raise FirewallError(errors.INVALID_NAME, "'%s' is missing .xml suffix" % filename) ipset.name = filename[:-4] ipset.check_name(ipset.name) ipset.filename = filename ipset.path = path ipset.builtin = False if path.startswith(config.ETC_FIREWALLD) else True ipset.default = ipset.builtin handler = ipset_ContentHandler(ipset) parser = sax.make_parser() parser.setContentHandler(handler) name = "%s/%s" % (path, filename) with open(name, "rb") as f: source = sax.InputSource(None) source.setByteStream(f) try: parser.parse(source) except sax.SAXParseException as msg: raise FirewallError(errors.INVALID_IPSET, "not a valid ipset file: %s" % \ msg.getException()) del handler del parser if "timeout" in ipset.options and ipset.options["timeout"] != "0" and \ len(ipset.entries) > 0: # no entries visible for ipsets with timeout log.warning("ipset '%s': timeout option is set, entries are ignored", ipset.name) del ipset.entries[:] i = 0 entries_set = set() while i < len(ipset.entries): if ipset.entries[i] in entries_set: log.warning("Entry %s already set, ignoring.", ipset.entries[i]) ipset.entries.pop(i) else: try: ipset.check_entry(ipset.entries[i], ipset.options, ipset.type) except FirewallError as e: log.warning("%s, ignoring.", e) ipset.entries.pop(i) else: entries_set.add(ipset.entries[i]) i += 1 del entries_set if PY2: ipset.encode_strings() return ipset def ipset_writer(ipset, path=None): _path = path if path else ipset.path if 
ipset.filename: name = "%s/%s" % (_path, ipset.filename) else: name = "%s/%s.xml" % (_path, ipset.name) if os.path.exists(name): try: shutil.copy2(name, "%s.old" % name) except Exception as msg: log.error("Backup of file '%s' failed: %s", name, msg) dirpath = os.path.dirname(name) if dirpath.startswith(config.ETC_FIREWALLD) and not os.path.exists(dirpath): if not os.path.exists(config.ETC_FIREWALLD): os.mkdir(config.ETC_FIREWALLD, 0o750) os.mkdir(dirpath, 0o750) f = io.open(name, mode='wt', encoding='UTF-8') handler = IO_Object_XMLGenerator(f) handler.startDocument() # start ipset element attrs = { "type": ipset.type } if ipset.version and ipset.version != "": attrs["version"] = ipset.version handler.startElement("ipset", attrs) handler.ignorableWhitespace("\n") # short if ipset.short and ipset.short != "": handler.ignorableWhitespace(" ") handler.startElement("short", { }) handler.characters(ipset.short) handler.endElement("short") handler.ignorableWhitespace("\n") # description if ipset.description and ipset.description != "": handler.ignorableWhitespace(" ") handler.startElement("description", { }) handler.characters(ipset.description) handler.endElement("description") handler.ignorableWhitespace("\n") # options for key,value in ipset.options.items(): handler.ignorableWhitespace(" ") if value != "": handler.simpleElement("option", { "name": key, "value": value }) else: handler.simpleElement("option", { "name": key }) handler.ignorableWhitespace("\n") # entries for entry in ipset.entries: handler.ignorableWhitespace(" ") handler.startElement("entry", { }) handler.characters(entry) handler.endElement("entry") handler.ignorableWhitespace("\n") # end ipset element handler.endElement('ipset') handler.ignorableWhitespace("\n") handler.endDocument() f.close() del handler core/io/helper.pyo000064400000016321147576556050010142 0ustar00 c`c@sdddgZddljZddlZddlZddlZddlmZddlm Z ddl m Z m Z m Z mZmZmZddlmZdd lmZdd lmZde fd YZd e fd YZdZddZdS(tHelpert helper_readert 
helper_writeriN(tconfig(t u2b_if_py2(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGeneratort check_portt check_tcpudp(tlog(terrors(t FirewallErrorcBseZdddddddgffZdZdd gZidd6dd6dgd 6Zid ddgd 6d d gd 6ZdZdZ dZ dZ dZ RS(tversionttshortt descriptiontfamilytmoduletportss (sssssa(ss))t-t.thelpertnametporttprotocolcCsMtt|jd|_d|_d|_d|_d|_g|_dS(NR( tsuperRt__init__RRRRRR(tself((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pyR;s     cCs8d|_d|_d|_d|_d|_|j2dS(NR(RRRRRR(R((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pytcleanupDs      cCst|j|_t|j|_t|j|_t|j|_t|j|_g|jD]$\}}t|t|f^qd|_dS(s HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. Get rid of it once we throw out python 2 support.N(RRRRRRR(Rtpotpr((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pytencode_stringsLs cCs;ddg}||kr7ttjd||fndS(Ntipv4tipv6s'%s' not in '%s'(R R t INVALID_IPV(Rtipvtipvs((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pyt check_ipvWs   cCs|dkr<x|D]"}t|dt|dqWnn|dkr|jdspttjd|nt|jdddkrttjd|qndS( NRiiRt nf_conntrack_s('%s' does not start with 'nf_conntrack_'RsModule name '%s' too short(R R t startswithR R tINVALID_MODULEtlentreplace(RRtitemR((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pyt _check_config]s    (sversionR(sshortR(s descriptionR(sfamilyR(smoduleR(RRN( t__name__t __module__tIMPORT_EXPORT_STRUCTUREtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARStNonetPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSRRR!R'R.(((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pyR&s(    thelper_ContentHandlercBseZdZRS(cCstj||||jj|||dkrd|krQ|d|j_nd|kr|jj|d|d|j_nd|kr|djdstt j d|dnt |dj dddkrtt j d |dn|d|j_ qn|d kr$n|d kr3n|d krt|d t|d |d |d f}||jjkr|jjj|qtjd|d |d ndS(NRRRRR(s('%s' does not start with 'nf_conntrack_'RisModule name '%s' too shortRRRRs#Port '%s/%s' already set, ignoring.(Rt startElementR-tparser_check_element_attrsRR'RR)R R R*R+R,RR R RtappendR 
twarning(RRtattrstentry((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pyR8ns>    "    (R/R0R8(((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pyR7msc CsYt}|jds1ttjd|n|d |_|j|j||_||_|j t j rxt nt |_|j|_t|}tj}|j|d||f}t|di}tjd}|j|y|j|Wn2tjk r5}ttjd|jnXWdQX~~trU|jn|S(Ns.xmls'%s' is missing .xml suffixis%s/%strbsnot a valid helper file: %s(RtendswithR R t INVALID_NAMERt check_nametfilenametpathR)Rt ETC_FIREWALLDtFalsetTruetbuiltintdefaultR7tsaxt make_parsertsetContentHandlertopent InputSourceR4t setByteStreamtparsetSAXParseExceptiontINVALID_HELPERt getExceptionRR!( RBRCRthandlertparserRtftsourcetmsg((s;/usr/lib/python2.7/site-packages/firewall/core/io/helper.pyRs8     !       c Cs|r |n|j}|jr4d||jf}nd||jf}tjj|rytj|d|Wqtk r}tj d||qXntjj |}|j t j rtjj| rtjjt j stjt j dntj|dntj|dddd }t|}|ji}|j|d <|jr~|jd kr~|j|d s   .G# core/io/ifcfg.pyc000064400000012023147576556050007720 0ustar00 c`c@sdZdgZddlZddlZddlZddlZddlmZddl m Z m Z m Z de fdYZdS(sifcfg file parsertifcfgiN(tlog(tb2utu2btPY2cBsPeZdZdZdZdZdZdZdZdZ RS(cCs)i|_g|_||_|jdS(N(t_configt_deletedtfilenametclear(tselfR((s:/usr/lib/python2.7/site-packages/firewall/core/io/ifcfg.pyt__init__#s   cCsi|_g|_dS(N(RR(R ((s:/usr/lib/python2.7/site-packages/firewall/core/io/ifcfg.pyR)s cCs|jjdS(N(RR(R ((s:/usr/lib/python2.7/site-packages/firewall/core/io/ifcfg.pytcleanup-scCs|jj|jS(N(Rtgettstrip(R tkey((s:/usr/lib/python2.7/site-packages/firewall/core/io/ifcfg.pyR 0scCsQt|j}t|j|j|<||jkrM|jj|ndS(N(RR RRtremove(R Rtvaluet_key((s:/usr/lib/python2.7/site-packages/firewall/core/io/ifcfg.pytset3scCsad}xD|jjD]3\}}|r5|d7}n|d||f7}qWtr]t|S|S(Nts s%s=%s(RtitemsRR(R tsRR((s:/usr/lib/python2.7/site-packages/firewall/core/io/ifcfg.pyt__str__9s  cCs|jyt|jd}Wn,tk rN}tjd|j|nXxL|D]D}|sfPn|j}t|dksV|dd krqVng|jddD]}|j^q}t|dkrqVnt|ddkr1|dj d r1|dj d r1|ddd !|d|j j |ddk rtjd |j|jqVn|d|j |ds     core/io/lockdown_whitelist.pyo000064400000027175147576556050012610 0ustar00 c`c@sddljZddlZddlZddlZddlmZddlmZm Z m Z m Z ddl m Z 
ddlmZmZmZmZmZmZddlmZddlmZde fd YZd e fd YZdS( iN(tconfig(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGenerator(tlog(tuniqifyt checkUsertcheckUidt checkCommandt checkContextt u2b_if_py2(terrors(t FirewallErrort!lockdown_whitelist_ContentHandlercBseZdZdZRS(cCstj||t|_dS(N(Rt__init__tFalset whitelist(tselftitem((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR%scCstj||||jj|||dkr\|jrPttjdnt|_n[|dkr|jst j ddS|d}|jj |n|dkrH|jst j ddSd|kr"yt |d}Wn't k rt j d |ddSX|jj|qd|kr|jj|dqno|d kr|jsnt j d dSd |krt j d dS|jj|d nt j d|dSdS(NRsMore than one whitelist.tcommands)Parse Error: command outside of whitelisttnametusers&Parse Error: user outside of whitelisttids"Parse Error: %s is not a valid uidtselinuxs)Parse Error: selinux outside of whitelisttcontextsParse Error: no contextsUnknown XML element %s(Rt startElementRtparser_check_element_attrsRR R t PARSE_ERRORtTrueRterrort add_commandtintt ValueErrortadd_uidtadd_usert add_context(RRtattrsRtuid((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR)sJ                      (t__name__t __module__RR(((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR$s tLockdownWhitelistcBsxeZdZddgfddgfddgfddgffZdZdgZid*d 6d gd 6d*d 6d gd6Zidd gd 6ZdZ dZ dZ dZ dZ dZdZdZdZdZdZdZdZdZdZdZd Zd!Zd"Zd#Zd$Zd%Zd&Zd'Z d(Z!d)Z"RS(+s LockdownWhitelist class tcommandsttcontextstuserstuidsis (asasasai)t_RRRRRRRcCsMtt|j||_d|_g|_g|_g|_g|_ dS(N( tsuperR)RtfilenametNonetparserR*R,R-R.(RR1((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyRns     cCs|d kr4x|D]}|j||d qWn|dkrdt|sttj|qn|dkrt|sttj|qn`|dkrt|sttj|qn0|d krt |sttj |qndS( NR*R,R-R.iRRRR&(scommandsscontextssuserssuids( t _check_configR R R tINVALID_COMMANDR tINVALID_CONTEXTRt INVALID_USERRt INVALID_UID(RRRtx((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR4ys          cCs 
|j2|j2|j2|j2dS(N(R*R,R-R.(R((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pytcleanupscCssg|jD]}t|^q |_g|jD]}t|^q/|_g|jD]}t|^qT|_dS(s HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. Get rid of it once we throw out python 2 support.N(R*R R,R-(RR9((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pytencode_stringss%%cCs]t|s!ttj|n||jkrC|jj|nttjd|dS(Ns!Command "%s" already in whitelist(R R R R5R*tappendtALREADY_ENABLED(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyRs   cCs<||jkr"|jj|nttjd|dS(NsCommand "%s" not in whitelist.(R*tremoveR R t NOT_ENABLED(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pytremove_commands cCs ||jkS(N(R*(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt has_commandscCsQxJ|jD]?}|jdr9|j|d rItSq ||kr tSq WtS(Nt*i(R*tendswitht startswithRR(RRt_command((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt match_commands cCs|jS(N(R*(R((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt get_commandsscCsct|s'ttjt|n||jkrI|jj|nttjd|dS(NsUid "%s" already in whitelist(RR R R8tstrR.R<R=(RR&((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR"s   cCs<||jkr"|jj|nttjd|dS(NsUid "%s" not in whitelist.(R.R>R R R?(RR&((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt remove_uids cCs ||jkS(N(R.(RR&((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pythas_uidscCs ||jkS(N(R.(RR&((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt match_uidscCs|jS(N(R.(R((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pytget_uidsscCs]t|s!ttj|n||jkrC|jj|nttjd|dS(NsUser "%s" already in whitelist(RR R R7R-R<R=(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR#s   cCs<||jkr"|jj|nttjd|dS(NsUser "%s" 
not in whitelist.(R-R>R R R?(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt remove_users cCs ||jkS(N(R-(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pythas_userscCs ||jkS(N(R-(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt match_userscCs|jS(N(R-(R((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt get_usersscCs]t|s!ttj|n||jkrC|jj|nttjd|dS(Ns!Context "%s" already in whitelist(R R R R6R,R<R=(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR$"s   cCs<||jkr"|jj|nttjd|dS(NsContext "%s" not in whitelist.(R,R>R R R?(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pytremove_context,s cCs ||jkS(N(R,(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt has_context3scCs ||jkS(N(R,(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt match_context6scCs|jS(N(R,(R((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt get_contexts9scCs|j|jjds8ttjd|jnt|}tj}|j |y|j |jWn2tj k r}ttj d|j nX~~tr|jndS(Ns.xmls'%s' is missing .xml suffixsNot a valid file: %s(R:R1RCR R t INVALID_NAMERtsaxt make_parsertsetContentHandlertparsetSAXParseExceptiont INVALID_TYPEt getExceptionRR;(RthandlerR3tmsg((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pytread>s"      cCsHtjj|jreytj|jd|jWqetk ra}td|j|fqeXntjjtj stj tj dnt j |jdddd}t |}|j|jdi|jd xHt|jD]7}|jd |jd i|d 6|jd qWxNt|jD]=}|jd |jd it|d6|jd q<WxHt|jD]7}|jd |jd i|d 6|jd qWxHt|jD]7}|jd |jdi|d6|jd qW|jd|jd |j|j~dS(Ns%s.oldsBackup of '%s' failed: %sitmodetwttencodingsUTF-8Rs s RRRRRR(tostpathtexistsR1tshutiltcopy2t ExceptiontIOErrorRt ETC_FIREWALLDtmkdirtiotopenRt startDocumentRtignorableWhitespaceRR*t simpleElementR.RHR-R,t endElementt endDocumenttclose(RR^tfR]RR&RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pytwriteQsB             
N(#R'R(t__doc__tIMPORT_EXPORT_STRUCTUREtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARSR2tPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSRR4R:R;RR@RARFRGR"RIRJRKRLR#RMRNRORPR$RQRRRSRTR_Ru(((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR)WsP                   1     (txml.saxRVRcRlRftfirewallRtfirewall.core.io.io_objectRRRRtfirewall.core.loggerRtfirewall.functionsRRRR R R R tfirewall.errorsR RR)(((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyts   ".3core/io/zone.py000064400000115442147576556050007463 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2011-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
# __all__ = [ "Zone", "zone_reader", "zone_writer" ] import xml.sax as sax import os import io import shutil from firewall import config from firewall.functions import checkIP, checkIP6, checkIPnMask, checkIP6nMask, checkInterface, uniqify, max_zone_name_len, u2b_if_py2, check_mac, portStr from firewall.core.base import DEFAULT_ZONE_TARGET, ZONE_TARGETS from firewall.core.io.io_object import PY2, IO_Object, \ IO_Object_ContentHandler, IO_Object_XMLGenerator, check_port, \ check_tcpudp, check_protocol from firewall.core import rich from firewall.core.logger import log from firewall import errors from firewall.errors import FirewallError class Zone(IO_Object): """ Zone class """ IMPORT_EXPORT_STRUCTURE = ( ( "version", "" ), # s ( "short", "" ), # s ( "description", "" ), # s ( "UNUSED", False ), # b ( "target", "" ), # s ( "services", [ "", ], ), # as ( "ports", [ ( "", "" ), ], ), # a(ss) ( "icmp_blocks", [ "", ], ), # as ( "masquerade", False ), # b ( "forward_ports", [ ( "", "", "", "" ), ], ), # a(ssss) ( "interfaces", [ "" ] ), # as ( "sources", [ "" ] ), # as ( "rules_str", [ "" ] ), # as ( "protocols", [ "", ], ), # as ( "source_ports", [ ( "", "" ), ], ), # a(ss) ( "icmp_block_inversion", False ), # b ) DBUS_SIGNATURE = '(sssbsasa(ss)asba(ssss)asasasasa(ss)b)' ADDITIONAL_ALNUM_CHARS = [ "_", "-", "/" ] PARSER_REQUIRED_ELEMENT_ATTRS = { "short": None, "description": None, "zone": None, "service": [ "name" ], "port": [ "port", "protocol" ], "icmp-block": [ "name" ], "icmp-type": [ "name" ], "forward-port": [ "port", "protocol" ], "interface": [ "name" ], "rule": None, "source": None, "destination": [ "address" ], "protocol": [ "value" ], "source-port": [ "port", "protocol" ], "log": None, "audit": None, "accept": None, "reject": None, "drop": None, "mark": [ "set" ], "limit": [ "value" ], "icmp-block-inversion": None, } PARSER_OPTIONAL_ELEMENT_ATTRS = { "zone": [ "name", "immutable", "target", "version" ], "masquerade": [ "enabled" ], "forward-port": [ 
"to-port", "to-addr" ], "rule": [ "family" ], "source": [ "address", "mac", "invert", "family", "ipset" ], "destination": [ "invert" ], "log": [ "prefix", "level" ], "reject": [ "type" ], } @staticmethod def index_of(element): for i, (el, dummy) in enumerate(Zone.IMPORT_EXPORT_STRUCTURE): if el == element: return i raise FirewallError(errors.UNKNOWN_ERROR, "index_of()") def __init__(self): super(Zone, self).__init__() self.version = "" self.short = "" self.description = "" self.UNUSED = False self.target = DEFAULT_ZONE_TARGET self.services = [ ] self.ports = [ ] self.protocols = [ ] self.icmp_blocks = [ ] self.masquerade = False self.forward_ports = [ ] self.source_ports = [ ] self.interfaces = [ ] self.sources = [ ] self.fw_config = None # to be able to check services and a icmp_blocks self.rules = [ ] self.rules_str = [ ] self.icmp_block_inversion = False self.combined = False self.applied = False def cleanup(self): self.version = "" self.short = "" self.description = "" self.UNUSED = False self.target = DEFAULT_ZONE_TARGET del self.services[:] del self.ports[:] del self.protocols[:] del self.icmp_blocks[:] self.masquerade = False del self.forward_ports[:] del self.source_ports[:] del self.interfaces[:] del self.sources[:] self.fw_config = None # to be able to check services and a icmp_blocks del self.rules[:] del self.rules_str[:] self.icmp_block_inversion = False self.combined = False self.applied = False def encode_strings(self): """ HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. 
Get rid of it once we throw out python 2 support.""" self.version = u2b_if_py2(self.version) self.short = u2b_if_py2(self.short) self.description = u2b_if_py2(self.description) self.target = u2b_if_py2(self.target) self.services = [u2b_if_py2(s) for s in self.services] self.ports = [(u2b_if_py2(po),u2b_if_py2(pr)) for (po,pr) in self.ports] self.protocols = [u2b_if_py2(pr) for pr in self.protocols] self.icmp_blocks = [u2b_if_py2(i) for i in self.icmp_blocks] self.forward_ports = [(u2b_if_py2(p1),u2b_if_py2(p2),u2b_if_py2(p3),u2b_if_py2(p4)) for (p1,p2,p3,p4) in self.forward_ports] self.source_ports = [(u2b_if_py2(po),u2b_if_py2(pr)) for (po,pr) in self.source_ports] self.interfaces = [u2b_if_py2(i) for i in self.interfaces] self.sources = [u2b_if_py2(s) for s in self.sources] self.rules = [u2b_if_py2(s) for s in self.rules] self.rules_str = [u2b_if_py2(s) for s in self.rules_str] def __setattr__(self, name, value): if name == "rules_str": self.rules = [rich.Rich_Rule(rule_str=s) for s in value] # must convert back to string to get the canonical string. 
super(Zone, self).__setattr__(name, [str(s) for s in self.rules]) else: super(Zone, self).__setattr__(name, value) def _check_config(self, config, item): if item == "services" and self.fw_config: existing_services = self.fw_config.get_services() for service in config: if service not in existing_services: raise FirewallError(errors.INVALID_SERVICE, "'%s' not among existing services" % \ service) elif item == "ports": for port in config: check_port(port[0]) check_tcpudp(port[1]) elif item == "protocols": for proto in config: check_protocol(proto) elif item == "icmp_blocks" and self.fw_config: existing_icmptypes = self.fw_config.get_icmptypes() for icmptype in config: if icmptype not in existing_icmptypes: raise FirewallError(errors.INVALID_ICMPTYPE, "'%s' not among existing icmp types" % \ icmptype) elif item == "forward_ports": for fwd_port in config: check_port(fwd_port[0]) check_tcpudp(fwd_port[1]) if not fwd_port[2] and not fwd_port[3]: raise FirewallError( errors.INVALID_FORWARD, "'%s' is missing to-port AND to-addr " % fwd_port) if fwd_port[2]: check_port(fwd_port[2]) if fwd_port[3]: if not checkIP(fwd_port[3]) and not checkIP6(fwd_port[3]): raise FirewallError( errors.INVALID_ADDR, "to-addr '%s' is not a valid address" % fwd_port[3]) elif item == "source_ports": for port in config: check_port(port[0]) check_tcpudp(port[1]) elif item == "target": if config not in ZONE_TARGETS: raise FirewallError(errors.INVALID_TARGET, config) elif item == "interfaces": for interface in config: if not checkInterface(interface): raise FirewallError(errors.INVALID_INTERFACE, interface) elif item == "sources": for source in config: if not checkIPnMask(source) and not checkIP6nMask(source) and \ not check_mac(source) and not source.startswith("ipset:"): raise FirewallError(errors.INVALID_ADDR, source) elif item == "rules_str": for rule in config: rich.Rich_Rule(rule_str=rule) def check_name(self, name): super(Zone, self).check_name(name) if name.startswith('/'): raise 
FirewallError(errors.INVALID_NAME, "'%s' can't start with '/'" % name) elif name.endswith('/'): raise FirewallError(errors.INVALID_NAME, "'%s' can't end with '/'" % name) elif name.count('/') > 1: raise FirewallError(errors.INVALID_NAME, "more than one '/' in '%s'" % name) else: if "/" in name: checked_name = name[:name.find('/')] else: checked_name = name if len(checked_name) > max_zone_name_len(): raise FirewallError(errors.INVALID_NAME, "Zone of '%s' has %d chars, max is %d %s" % ( name, len(checked_name), max_zone_name_len(), self.combined)) def combine(self, zone): self.combined = True self.filename = None self.version = "" self.short = "" self.description = "" for interface in zone.interfaces: if interface not in self.interfaces: self.interfaces.append(interface) for source in zone.sources: if source not in self.sources: self.sources.append(source) for service in zone.services: if service not in self.services: self.services.append(service) for port in zone.ports: if port not in self.ports: self.ports.append(port) for proto in zone.protocols: if proto not in self.protocols: self.protocols.append(proto) for icmp in zone.icmp_blocks: if icmp not in self.icmp_blocks: self.icmp_blocks.append(icmp) if zone.masquerade: self.masquerade = True for forward in zone.forward_ports: if forward not in self.forward_ports: self.forward_ports.append(forward) for port in zone.source_ports: if port not in self.source_ports: self.source_ports.append(port) for rule in zone.rules: self.rules.append(rule) self.rules_str.append(str(rule)) if zone.icmp_block_inversion: self.icmp_block_inversion = True # PARSER class zone_ContentHandler(IO_Object_ContentHandler): def __init__(self, item): IO_Object_ContentHandler.__init__(self, item) self._rule = None self._rule_error = False self._limit_ok = None def startElement(self, name, attrs): IO_Object_ContentHandler.startElement(self, name, attrs) if self._rule_error: return self.item.parser_check_element_attrs(name, attrs) if name == "zone": 
if "name" in attrs: log.warning("Ignoring deprecated attribute name='%s'", attrs["name"]) if "version" in attrs: self.item.version = attrs["version"] if "immutable" in attrs: log.warning("Ignoring deprecated attribute immutable='%s'", attrs["immutable"]) if "target" in attrs: target = attrs["target"] if target not in ZONE_TARGETS: raise FirewallError(errors.INVALID_TARGET, target) if target != "" and target != DEFAULT_ZONE_TARGET: self.item.target = target elif name == "short": pass elif name == "description": pass elif name == "service": if self._rule: if self._rule.element: log.warning("Invalid rule: More than one element in rule '%s', ignoring.", str(self._rule)) self._rule_error = True return self._rule.element = rich.Rich_Service(attrs["name"]) return if attrs["name"] not in self.item.services: self.item.services.append(attrs["name"]) else: log.warning("Service '%s' already set, ignoring.", attrs["name"]) elif name == "port": if self._rule: if self._rule.element: log.warning("Invalid rule: More than one element in rule '%s', ignoring.", str(self._rule)) self._rule_error = True return self._rule.element = rich.Rich_Port(attrs["port"], attrs["protocol"]) return check_port(attrs["port"]) check_tcpudp(attrs["protocol"]) entry = (portStr(attrs["port"], "-"), attrs["protocol"]) if entry not in self.item.ports: self.item.ports.append(entry) else: log.warning("Port '%s/%s' already set, ignoring.", attrs["port"], attrs["protocol"]) elif name == "protocol": if self._rule: if self._rule.element: log.warning("Invalid rule: More than one element in rule '%s', ignoring.", str(self._rule)) self._rule_error = True return self._rule.element = rich.Rich_Protocol(attrs["value"]) else: check_protocol(attrs["value"]) if attrs["value"] not in self.item.protocols: self.item.protocols.append(attrs["value"]) else: log.warning("Protocol '%s' already set, ignoring.", attrs["value"]) elif name == "icmp-block": if self._rule: if self._rule.element: log.warning("Invalid rule: More than one 
element in rule '%s', ignoring.", str(self._rule)) self._rule_error = True return self._rule.element = rich.Rich_IcmpBlock(attrs["name"]) return if attrs["name"] not in self.item.icmp_blocks: self.item.icmp_blocks.append(attrs["name"]) else: log.warning("icmp-block '%s' already set, ignoring.", attrs["name"]) elif name == "icmp-type": if self._rule: if self._rule.element: log.warning("Invalid rule: More than one element in rule '%s', ignoring.", str(self._rule)) self._rule_error = True return self._rule.element = rich.Rich_IcmpType(attrs["name"]) return else: log.warning("Invalid rule: icmp-block '%s' outside of rule", attrs["name"]) elif name == "masquerade": if "enabled" in attrs and \ attrs["enabled"].lower() in [ "no", "false" ] : log.warning("Ignoring deprecated attribute enabled='%s'", attrs["enabled"]) return if self._rule: if self._rule.element: log.warning("Invalid rule: More than one element in rule '%s', ignoring.", str(self._rule)) self._rule_error = True return self._rule.element = rich.Rich_Masquerade() else: if self.item.masquerade: log.warning("Masquerade already set, ignoring.") else: self.item.masquerade = True elif name == "forward-port": to_port = "" if "to-port" in attrs: to_port = attrs["to-port"] to_addr = "" if "to-addr" in attrs: to_addr = attrs["to-addr"] if self._rule: if self._rule.element: log.warning("Invalid rule: More than one element in rule '%s', ignoring.", str(self._rule)) self._rule_error = True return self._rule.element = rich.Rich_ForwardPort(attrs["port"], attrs["protocol"], to_port, to_addr) return check_port(attrs["port"]) check_tcpudp(attrs["protocol"]) if to_port: check_port(to_port) if to_addr: if not checkIP(to_addr) and not checkIP6(to_addr): raise FirewallError(errors.INVALID_ADDR, "to-addr '%s' is not a valid address" \ % to_addr) entry = (portStr(attrs["port"], "-"), attrs["protocol"], portStr(to_port, "-"), str(to_addr)) if entry not in self.item.forward_ports: self.item.forward_ports.append(entry) else: 
log.warning("Forward port %s/%s%s%s already set, ignoring.", attrs["port"], attrs["protocol"], " >%s" % to_port if to_port else "", " @%s" % to_addr if to_addr else "") elif name == "source-port": if self._rule: if self._rule.element: log.warning("Invalid rule: More than one element in rule '%s', ignoring.", str(self._rule)) self._rule_error = True return self._rule.element = rich.Rich_SourcePort(attrs["port"], attrs["protocol"]) return check_port(attrs["port"]) check_tcpudp(attrs["protocol"]) entry = (portStr(attrs["port"], "-"), attrs["protocol"]) if entry not in self.item.source_ports: self.item.source_ports.append(entry) else: log.warning("Source port '%s/%s' already set, ignoring.", attrs["port"], attrs["protocol"]) elif name == "interface": if self._rule: log.warning('Invalid rule: interface use in rule.') self._rule_error = True return # zone bound to interface if "name" not in attrs: log.warning('Invalid interface: Name missing.') self._rule_error = True return if attrs["name"] not in self.item.interfaces: self.item.interfaces.append(attrs["name"]) else: log.warning("Interface '%s' already set, ignoring.", attrs["name"]) elif name == "source": if self._rule: if self._rule.source: log.warning("Invalid rule: More than one source in rule '%s', ignoring.", str(self._rule)) self._rule_error = True return invert = False if "invert" in attrs and \ attrs["invert"].lower() in [ "yes", "true" ]: invert = True addr = mac = ipset = None if "address" in attrs: addr = attrs["address"] if "mac" in attrs: mac = attrs["mac"] if "ipset" in attrs: ipset = attrs["ipset"] self._rule.source = rich.Rich_Source(addr, mac, ipset, invert=invert) return # zone bound to source if "address" not in attrs and "ipset" not in attrs: log.warning('Invalid source: No address no ipset.') return if "address" in attrs and "ipset" in attrs: log.warning('Invalid source: Address and ipset.') return if "family" in attrs: log.warning("Ignoring deprecated attribute family='%s'", attrs["family"]) if 
"invert" in attrs: log.warning('Invalid source: Invertion not allowed here.') return if "address" in attrs: if not checkIPnMask(attrs["address"]) and \ not checkIP6nMask(attrs["address"]) and \ not check_mac(attrs["address"]): raise FirewallError(errors.INVALID_ADDR, attrs["address"]) if "ipset" in attrs: entry = "ipset:%s" % attrs["ipset"] if entry not in self.item.sources: self.item.sources.append(entry) else: log.warning("Source '%s' already set, ignoring.", attrs["address"]) if "address" in attrs: entry = attrs["address"] if entry not in self.item.sources: self.item.sources.append(entry) else: log.warning("Source '%s' already set, ignoring.", attrs["address"]) elif name == "destination": if not self._rule: log.warning('Invalid rule: Destination outside of rule') self._rule_error = True return if self._rule.destination: log.warning("Invalid rule: More than one destination in rule '%s', ignoring.", str(self._rule)) return invert = False if "invert" in attrs and \ attrs["invert"].lower() in [ "yes", "true" ]: invert = True self._rule.destination = rich.Rich_Destination(attrs["address"], invert) elif name in [ "accept", "reject", "drop", "mark" ]: if not self._rule: log.warning('Invalid rule: Action outside of rule') self._rule_error = True return if self._rule.action: log.warning('Invalid rule: More than one action') self._rule_error = True return if name == "accept": self._rule.action = rich.Rich_Accept() elif name == "reject": _type = None if "type" in attrs: _type = attrs["type"] self._rule.action = rich.Rich_Reject(_type) elif name == "drop": self._rule.action = rich.Rich_Drop() elif name == "mark": _set = attrs["set"] self._rule.action = rich.Rich_Mark(_set) self._limit_ok = self._rule.action elif name == "log": if not self._rule: log.warning('Invalid rule: Log outside of rule') return if self._rule.log: log.warning('Invalid rule: More than one log') return level = None if "level" in attrs: level = attrs["level"] if level not in [ "emerg", "alert", "crit", 
"error", "warning", "notice", "info", "debug" ]: log.warning('Invalid rule: Invalid log level') self._rule_error = True return prefix = attrs["prefix"] if "prefix" in attrs else None self._rule.log = rich.Rich_Log(prefix, level) self._limit_ok = self._rule.log elif name == "audit": if not self._rule: log.warning('Invalid rule: Audit outside of rule') return if self._rule.audit: log.warning("Invalid rule: More than one audit in rule '%s', ignoring.", str(self._rule)) self._rule_error = True return self._rule.audit = rich.Rich_Audit() self._limit_ok = self._rule.audit elif name == "rule": family = None if "family" in attrs: family = attrs["family"] if family not in [ "ipv4", "ipv6" ]: log.warning('Invalid rule: Rule family "%s" invalid', attrs["family"]) self._rule_error = True return self._rule = rich.Rich_Rule(family) elif name == "limit": if not self._limit_ok: log.warning('Invalid rule: Limit outside of action, log and audit') self._rule_error = True return if self._limit_ok.limit: log.warning("Invalid rule: More than one limit in rule '%s', ignoring.", str(self._rule)) self._rule_error = True return value = attrs["value"] self._limit_ok.limit = rich.Rich_Limit(value) elif name == "icmp-block-inversion": if self.item.icmp_block_inversion: log.warning("Icmp-Block-Inversion already set, ignoring.") else: self.item.icmp_block_inversion = True else: log.warning("Unknown XML element '%s'", name) return def endElement(self, name): IO_Object_ContentHandler.endElement(self, name) if name == "rule": if not self._rule_error: try: self._rule.check() except Exception as e: log.warning("%s: %s", e, str(self._rule)) else: if str(self._rule) not in self.item.rules_str: self.item.rules.append(self._rule) self.item.rules_str.append(str(self._rule)) else: log.warning("Rule '%s' already set, ignoring.", str(self._rule)) self._rule = None self._rule_error = False elif name in [ "accept", "reject", "drop", "mark", "log", "audit" ]: self._limit_ok = None def zone_reader(filename, 
path, no_check_name=False): zone = Zone() if not filename.endswith(".xml"): raise FirewallError(errors.INVALID_NAME, "'%s' is missing .xml suffix" % filename) zone.name = filename[:-4] if not no_check_name: zone.check_name(zone.name) zone.filename = filename zone.path = path zone.builtin = False if path.startswith(config.ETC_FIREWALLD) else True zone.default = zone.builtin handler = zone_ContentHandler(zone) parser = sax.make_parser() parser.setContentHandler(handler) name = "%s/%s" % (path, filename) with open(name, "rb") as f: source = sax.InputSource(None) source.setByteStream(f) try: parser.parse(source) except sax.SAXParseException as msg: raise FirewallError(errors.INVALID_ZONE, "not a valid zone file: %s" % \ msg.getException()) del handler del parser if PY2: zone.encode_strings() return zone def zone_writer(zone, path=None): _path = path if path else zone.path if zone.filename: name = "%s/%s" % (_path, zone.filename) else: name = "%s/%s.xml" % (_path, zone.name) if os.path.exists(name): try: shutil.copy2(name, "%s.old" % name) except Exception as msg: log.error("Backup of file '%s' failed: %s", name, msg) dirpath = os.path.dirname(name) if dirpath.startswith(config.ETC_FIREWALLD) and not os.path.exists(dirpath): if not os.path.exists(config.ETC_FIREWALLD): os.mkdir(config.ETC_FIREWALLD, 0o750) os.mkdir(dirpath, 0o750) f = io.open(name, mode='wt', encoding='UTF-8') handler = IO_Object_XMLGenerator(f) handler.startDocument() # start zone element attrs = {} if zone.version and zone.version != "": attrs["version"] = zone.version if zone.target != DEFAULT_ZONE_TARGET: attrs["target"] = zone.target handler.startElement("zone", attrs) handler.ignorableWhitespace("\n") # short if zone.short and zone.short != "": handler.ignorableWhitespace(" ") handler.startElement("short", { }) handler.characters(zone.short) handler.endElement("short") handler.ignorableWhitespace("\n") # description if zone.description and zone.description != "": handler.ignorableWhitespace(" ") 
handler.startElement("description", { }) handler.characters(zone.description) handler.endElement("description") handler.ignorableWhitespace("\n") # interfaces for interface in uniqify(zone.interfaces): handler.ignorableWhitespace(" ") handler.simpleElement("interface", { "name": interface }) handler.ignorableWhitespace("\n") # source for source in uniqify(zone.sources): handler.ignorableWhitespace(" ") if "ipset:" in source: handler.simpleElement("source", { "ipset": source[6:] }) else: handler.simpleElement("source", { "address": source }) handler.ignorableWhitespace("\n") # services for service in uniqify(zone.services): handler.ignorableWhitespace(" ") handler.simpleElement("service", { "name": service }) handler.ignorableWhitespace("\n") # ports for port in uniqify(zone.ports): handler.ignorableWhitespace(" ") handler.simpleElement("port", { "port": port[0], "protocol": port[1] }) handler.ignorableWhitespace("\n") # protocols for protocol in uniqify(zone.protocols): handler.ignorableWhitespace(" ") handler.simpleElement("protocol", { "value": protocol }) handler.ignorableWhitespace("\n") # icmp-block-inversion if zone.icmp_block_inversion: handler.ignorableWhitespace(" ") handler.simpleElement("icmp-block-inversion", { }) handler.ignorableWhitespace("\n") # icmp-blocks for icmp in uniqify(zone.icmp_blocks): handler.ignorableWhitespace(" ") handler.simpleElement("icmp-block", { "name": icmp }) handler.ignorableWhitespace("\n") # masquerade if zone.masquerade: handler.ignorableWhitespace(" ") handler.simpleElement("masquerade", { }) handler.ignorableWhitespace("\n") # forward-ports for forward in uniqify(zone.forward_ports): handler.ignorableWhitespace(" ") attrs = { "port": forward[0], "protocol": forward[1] } if forward[2] and forward[2] != "" : attrs["to-port"] = forward[2] if forward[3] and forward[3] != "" : attrs["to-addr"] = forward[3] handler.simpleElement("forward-port", attrs) handler.ignorableWhitespace("\n") # source-ports for port in 
uniqify(zone.source_ports): handler.ignorableWhitespace(" ") handler.simpleElement("source-port", { "port": port[0], "protocol": port[1] }) handler.ignorableWhitespace("\n") # rules for rule in zone.rules: attrs = { } if rule.family: attrs["family"] = rule.family handler.ignorableWhitespace(" ") handler.startElement("rule", attrs) handler.ignorableWhitespace("\n") # source if rule.source: attrs = { } if rule.source.addr: attrs["address"] = rule.source.addr if rule.source.mac: attrs["mac"] = rule.source.mac if rule.source.ipset: attrs["ipset"] = rule.source.ipset if rule.source.invert: attrs["invert"] = "True" handler.ignorableWhitespace(" ") handler.simpleElement("source", attrs) handler.ignorableWhitespace("\n") # destination if rule.destination: attrs = { "address": rule.destination.addr } if rule.destination.invert: attrs["invert"] = "True" handler.ignorableWhitespace(" ") handler.simpleElement("destination", attrs) handler.ignorableWhitespace("\n") # element if rule.element: element = "" attrs = { } if type(rule.element) == rich.Rich_Service: element = "service" attrs["name"] = rule.element.name elif type(rule.element) == rich.Rich_Port: element = "port" attrs["port"] = rule.element.port attrs["protocol"] = rule.element.protocol elif type(rule.element) == rich.Rich_Protocol: element = "protocol" attrs["value"] = rule.element.value elif type(rule.element) == rich.Rich_Masquerade: element = "masquerade" elif type(rule.element) == rich.Rich_IcmpBlock: element = "icmp-block" attrs["name"] = rule.element.name elif type(rule.element) == rich.Rich_IcmpType: element = "icmp-type" attrs["name"] = rule.element.name elif type(rule.element) == rich.Rich_ForwardPort: element = "forward-port" attrs["port"] = rule.element.port attrs["protocol"] = rule.element.protocol if rule.element.to_port != "": attrs["to-port"] = rule.element.to_port if rule.element.to_address != "": attrs["to-addr"] = rule.element.to_address elif type(rule.element) == rich.Rich_SourcePort: element = 
"source-port" attrs["port"] = rule.element.port attrs["protocol"] = rule.element.protocol else: raise FirewallError( errors.INVALID_OBJECT, "Unknown element '%s' in zone_writer" % type(rule.element)) handler.ignorableWhitespace(" ") handler.simpleElement(element, attrs) handler.ignorableWhitespace("\n") # rule.element # log if rule.log: attrs = { } if rule.log.prefix: attrs["prefix"] = rule.log.prefix if rule.log.level: attrs["level"] = rule.log.level if rule.log.limit: handler.ignorableWhitespace(" ") handler.startElement("log", attrs) handler.ignorableWhitespace("\n ") handler.simpleElement("limit", { "value": rule.log.limit.value }) handler.ignorableWhitespace("\n ") handler.endElement("log") else: handler.ignorableWhitespace(" ") handler.simpleElement("log", attrs) handler.ignorableWhitespace("\n") # audit if rule.audit: attrs = {} if rule.audit.limit: handler.ignorableWhitespace(" ") handler.startElement("audit", { }) handler.ignorableWhitespace("\n ") handler.simpleElement("limit", { "value": rule.audit.limit.value }) handler.ignorableWhitespace("\n ") handler.endElement("audit") else: handler.ignorableWhitespace(" ") handler.simpleElement("audit", attrs) handler.ignorableWhitespace("\n") # action if rule.action: action = "" attrs = { } if type(rule.action) == rich.Rich_Accept: action = "accept" elif type(rule.action) == rich.Rich_Reject: action = "reject" if rule.action.type: attrs["type"] = rule.action.type elif type(rule.action) == rich.Rich_Drop: action = "drop" elif type(rule.action) == rich.Rich_Mark: action = "mark" attrs["set"] = rule.action.set else: log.warning("Unknown action '%s'", type(rule.action)) if rule.action.limit: handler.ignorableWhitespace(" ") handler.startElement(action, attrs) handler.ignorableWhitespace("\n ") handler.simpleElement("limit", { "value": rule.action.limit.value }) handler.ignorableWhitespace("\n ") handler.endElement(action) else: handler.ignorableWhitespace(" ") handler.simpleElement(action, attrs) 
handler.ignorableWhitespace("\n") handler.ignorableWhitespace(" ") handler.endElement("rule") handler.ignorableWhitespace("\n") # end zone element handler.endElement("zone") handler.ignorableWhitespace("\n") handler.endDocument() f.close() del handler core/io/lockdown_whitelist.pyc000064400000027175147576556050012574 0ustar00 c`c@sddljZddlZddlZddlZddlmZddlmZm Z m Z m Z ddl m Z ddlmZmZmZmZmZmZddlmZddlmZde fd YZd e fd YZdS( iN(tconfig(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGenerator(tlog(tuniqifyt checkUsertcheckUidt checkCommandt checkContextt u2b_if_py2(terrors(t FirewallErrort!lockdown_whitelist_ContentHandlercBseZdZdZRS(cCstj||t|_dS(N(Rt__init__tFalset whitelist(tselftitem((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR%scCstj||||jj|||dkr\|jrPttjdnt|_n[|dkr|jst j ddS|d}|jj |n|dkrH|jst j ddSd|kr"yt |d}Wn't k rt j d |ddSX|jj|qd|kr|jj|dqno|d kr|jsnt j d dSd |krt j d dS|jj|d nt j d|dSdS(NRsMore than one whitelist.tcommands)Parse Error: command outside of whitelisttnametusers&Parse Error: user outside of whitelisttids"Parse Error: %s is not a valid uidtselinuxs)Parse Error: selinux outside of whitelisttcontextsParse Error: no contextsUnknown XML element %s(Rt startElementRtparser_check_element_attrsRR R t PARSE_ERRORtTrueRterrort add_commandtintt ValueErrortadd_uidtadd_usert add_context(RRtattrsRtuid((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR)sJ                      (t__name__t __module__RR(((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR$s tLockdownWhitelistcBsxeZdZddgfddgfddgfddgffZdZdgZid*d 6d gd 6d*d 6d gd6Zidd gd 6ZdZ dZ dZ dZ dZ dZdZdZdZdZdZdZdZdZdZdZd Zd!Zd"Zd#Zd$Zd%Zd&Zd'Z d(Z!d)Z"RS(+s LockdownWhitelist class tcommandsttcontextstuserstuidsis (asasasai)t_RRRRRRRcCsMtt|j||_d|_g|_g|_g|_g|_ dS(N( tsuperR)RtfilenametNonetparserR*R,R-R.(RR1((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyRns     cCs|d kr4x|D]}|j||d 
qWn|dkrdt|sttj|qn|dkrt|sttj|qn`|dkrt|sttj|qn0|d krt |sttj |qndS( NR*R,R-R.iRRRR&(scommandsscontextssuserssuids( t _check_configR R R tINVALID_COMMANDR tINVALID_CONTEXTRt INVALID_USERRt INVALID_UID(RRRtx((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR4ys          cCs |j2|j2|j2|j2dS(N(R*R,R-R.(R((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pytcleanupscCssg|jD]}t|^q |_g|jD]}t|^q/|_g|jD]}t|^qT|_dS(s HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. Get rid of it once we throw out python 2 support.N(R*R R,R-(RR9((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pytencode_stringss%%cCs]t|s!ttj|n||jkrC|jj|nttjd|dS(Ns!Command "%s" already in whitelist(R R R R5R*tappendtALREADY_ENABLED(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyRs   cCs<||jkr"|jj|nttjd|dS(NsCommand "%s" not in whitelist.(R*tremoveR R t NOT_ENABLED(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pytremove_commands cCs ||jkS(N(R*(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt has_commandscCsQxJ|jD]?}|jdr9|j|d rItSq ||kr tSq WtS(Nt*i(R*tendswitht startswithRR(RRt_command((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt match_commands cCs|jS(N(R*(R((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt get_commandsscCsct|s'ttjt|n||jkrI|jj|nttjd|dS(NsUid "%s" already in whitelist(RR R R8tstrR.R<R=(RR&((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR"s   cCs<||jkr"|jj|nttjd|dS(NsUid "%s" not in whitelist.(R.R>R R R?(RR&((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt remove_uids cCs ||jkS(N(R.(RR&((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pythas_uidscCs ||jkS(N(R.(RR&((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt 
match_uidscCs|jS(N(R.(R((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pytget_uidsscCs]t|s!ttj|n||jkrC|jj|nttjd|dS(NsUser "%s" already in whitelist(RR R R7R-R<R=(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR#s   cCs<||jkr"|jj|nttjd|dS(NsUser "%s" not in whitelist.(R-R>R R R?(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt remove_users cCs ||jkS(N(R-(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pythas_userscCs ||jkS(N(R-(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt match_userscCs|jS(N(R-(R((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt get_usersscCs]t|s!ttj|n||jkrC|jj|nttjd|dS(Ns!Context "%s" already in whitelist(R R R R6R,R<R=(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR$"s   cCs<||jkr"|jj|nttjd|dS(NsContext "%s" not in whitelist.(R,R>R R R?(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pytremove_context,s cCs ||jkS(N(R,(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt has_context3scCs ||jkS(N(R,(RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt match_context6scCs|jS(N(R,(R((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyt get_contexts9scCs|j|jjds8ttjd|jnt|}tj}|j |y|j |jWn2tj k r}ttj d|j nX~~tr|jndS(Ns.xmls'%s' is missing .xml suffixsNot a valid file: %s(R:R1RCR R t INVALID_NAMERtsaxt make_parsertsetContentHandlertparsetSAXParseExceptiont INVALID_TYPEt getExceptionRR;(RthandlerR3tmsg((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pytread>s"      cCsHtjj|jreytj|jd|jWqetk ra}td|j|fqeXntjjtj stj tj dnt j |jdddd}t |}|j|jdi|jd xHt|jD]7}|jd |jd i|d 6|jd qWxNt|jD]=}|jd |jd it|d6|jd q<WxHt|jD]7}|jd |jd i|d 6|jd qWxHt|jD]7}|jd |jdi|d6|jd qW|jd|jd |j|j~dS(Ns%s.oldsBackup of '%s' failed: %sitmodetwttencodingsUTF-8Rs s 
RRRRRR(tostpathtexistsR1tshutiltcopy2t ExceptiontIOErrorRt ETC_FIREWALLDtmkdirtiotopenRt startDocumentRtignorableWhitespaceRR*t simpleElementR.RHR-R,t endElementt endDocumenttclose(RR^tfR]RR&RR((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pytwriteQsB             N(#R'R(t__doc__tIMPORT_EXPORT_STRUCTUREtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARSR2tPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSRR4R:R;RR@RARFRGR"RIRJRKRLR#RMRNRORPR$RQRRRSRTR_Ru(((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyR)WsP                   1     (txml.saxRVRcRlRftfirewallRtfirewall.core.io.io_objectRRRRtfirewall.core.loggerRtfirewall.functionsRRRR R R R tfirewall.errorsR RR)(((sG/usr/lib/python2.7/site-packages/firewall/core/io/lockdown_whitelist.pyts   ".3core/io/io_object.pyc000064400000032204147576556050010602 0ustar00 c`c@sadZddddddddgZd d ljZd d ljjZd d lZd d lZd d lm Z d d l m Z d d lm Z d dl mZejdkZdefdYZdefdYZdefdYZdefdYZdejjfdYZdejfdYZdZdZdZdZd S(s5Generic io_object handler, io specific check methods.tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGeneratort check_portt check_tcpudptcheck_protocolt check_addressiN(t functions(tb2u(terrors(t FirewallErrort3cBsteZdZd ZdZgZiZiZdZdZ dZ dZ dZ dZ dZd ZRS( s; Abstract IO_Object as base for icmptype, service and zone s()cCs1d|_d|_d|_t|_t|_dS(Nt(tfilenametpathtnametFalsetdefaulttbuiltin(tself((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt__init__1s     cCsGg}x4|jD])}|jtjt||dqWt|S(Ni(tIMPORT_EXPORT_STRUCTUREtappendtcopytdeepcopytgetattrttuple(Rtrettx((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt export_config8s'cCs|j|xt|jD]\}\}}t||trg}t}x;||D]/}||kr\|j||j|q\q\W~t||t j |qt||t j ||qWdS(N( t check_configt enumerateRt isinstancetlisttsetRtaddtsetattrRR(Rtconftitelementtdummyt_conft_setR((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt import_config>s "   cCst|ts=ttjd|tdt|fnt|dkrdttjdnxI|D]A}|j rk||j krkttjd||fqkqkWdS(Ns'%s' 
not of type %s, but %sR isname can't be emptys'%s' is not allowed in '%s'( R!tstrR R t INVALID_TYPEttypetlent INVALID_NAMEtisalnumtADDITIONAL_ALNUM_CHARS(RRtchar((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt check_nameNs  cCst|t|jkrIttjdt|t|jfnxKt|jD]:\}\}}|j||||j|||qYWdS(Ns structure size mismatch %d != %d(R0RR R R.R t_check_config_structuret _check_config(RR&R'R(tvalue((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR[s""cCsdS(N((Rtdummy1tdummy2((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR7esc Cst|t|ksFttjd|t|t|fnt|trt|dkrttjd|nx||D]}|j||dqWnWt|tr(t|t|krttjd|t|fnxt |D] \}}|j|||qWnt|t rt|j d\}}x|j D]\}}t|t|krttjd|t|t|fnt|t|kr`ttjd|t|t|fq`q`WndS(Ns'%s' not of type %s, but %sislen('%s') != 1islen('%s') != %d( R/R R R.R!R"R0R6RR tdicttitems( RR&t structureRR'R8tskeytsvaluetkey((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR6is8 "    " cCs,|j}t}||jkrt}|j|dk rxP|j|D]>}||krj|j|qHttjd||fqHWqn||j krt}x4|j |D]"}||kr|j|qqWn|sttjd|nx*|D]"}ttjd||fqWdS(NsMissing attribute %s for %ssUnexpected element %ss%s: Unexpected attribute %s( tgetNamesRtPARSER_REQUIRED_ELEMENT_ATTRStTruetNonetremoveR R t PARSE_ERRORtPARSER_OPTIONAL_ELEMENT_ATTRS(RRtattrst_attrstfoundR((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pytparser_check_element_attrss,      ((t__name__t __module__t__doc__RtDBUS_SIGNATURER3RBRGRRR,R5RR7R6RK(((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR(s     !tUnexpectedElementErrorcBseZdZdZRS(cCs tt|j||_dS(N(tsuperRPRR(RR((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRscCs d|jS(NsUnexpected element '%s'(R(R((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt__str__s(RLRMRRR(((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRPs tMissingAttributeErrorcBseZdZdZRS(cCs)tt|j||_||_dS(N(RQRSRRt attribute(RRRT((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRs cCsd|j|jfS(Ns$Element '%s': missing '%s' 
attribute(RRT(R((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRRs(RLRMRRR(((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRSs tUnexpectedAttributeErrorcBseZdZdZRS(cCs)tt|j||_||_dS(N(RQRURRRT(RRRT((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRs cCsd|j|jfS(Ns'Element '%s': unexpected attribute '%s'(RRT(R((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRRs(RLRMRRR(((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRUs cBs5eZdZdZdZdZdZRS(cCs||_d|_dS(NR (titemt_element(RRV((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRs cCs d|_dS(NR (RW(R((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt startDocumentscCs d|_dS(NR (RW(RRRH((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt startElementscCs@|dkr|j|j_n|dkr<|j|j_ndS(Ntshortt description(RWRVRZR[(RR((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt endElements  cCs|j|jdd7_dS(Ns t (RWtreplace(Rtcontent((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt characterss(RLRMRRXRYR\R`(((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRs     cBs>eZdZdZdZdZdZdZRS(cCsotjjj||j|_|j|_ig|_|jd|_ g|_ d|_ t |_ t |_dS(Nisutf-8(tsaxthandlertContentHandlerRtwritet_writetflusht_flusht _ns_contextst_current_contextt_undeclared_ns_mapst _encodingRt_pending_start_elementt_short_empty_elements(Rtout((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRs      cCs9trd|jD}ntjj|||dS(s saxutils.XMLGenerator.startElement() expects name and attrs to be unicode and bad things happen if any of them is (utf-8) encoded. We override the method here to sanitize this case. Can be removed once we drop Python2 support. 
cSs+i|]!\}}t|t|qS((R (t.0RR8((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pys s N(RR<tsaxutilst XMLGeneratorRY(RRRH((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRYscCstrv|jdt|xF|jD]8\}}|jdt|tjt|fq*W|jdn[|jd|x:|jD],\}}|jd|tj|fqW|jddS(s* slightly modified startElement() utN(RReR R<Rpt quoteattr(RRRHR8((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyt simpleElements$cCstjj|t|dS(s saxutils.XMLGenerator.endElement() expects name to be unicode and bad things happen if it's (utf-8) encoded. We override the method here to sanitize this case. Can be removed once we drop Python2 support. N(RpRqR\R (RR((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR\scCstjj|t|dS(s saxutils.XMLGenerator.characters() expects content to be unicode and bad things happen if it's (utf-8) encoded. We override the method here to sanitize this case. Can be removed once we drop Python2 support. N(RpRqR`R (RR_((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR`scCstjj|t|dS(s saxutils.XMLGenerator.ignorableWhitespace() expects content to be unicode and bad things happen if it's (utf-8) encoded. We override the method here to sanitize this case. Can be removed once we drop Python2 support. 
N(RpRqtignorableWhitespaceR (RR_((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRus(RLRMRRYRtR\R`Ru(((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRs     cCstj|}|dkr4ttjd|n|dkrYttjd|nd|dkr~ttjd|n?t|dkr|d|dkrttjd|ndS( Nisport number in '%s' is too bigis'%s' is invalid port rangesport range '%s' is ambiguousiii(Rt getPortRangeR R t INVALID_PORTRDR0(tportt port_range((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyRs      & cCs)|dkr%ttjd|ndS(Nttcptudptsctptdccps)'%s' not from {'tcp'|'udp'|'sctp'|'dccp'}(RzR{R|R}(R R tINVALID_PROTOCOL(tprotocol((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR&s  cCs(tj|s$ttj|ndS(N(Rt checkProtocolR R R~(R((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR,scCs5tj||s1ttjd||fndS(Ns'%s' is not valid %s address(RRR R t INVALID_ADDR(tipvtaddr((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyR0s ( RNt__all__txml.saxRatxml.sax.saxutilsRpRtsystfirewallRtfirewall.functionsR R tfirewall.errorsR tversionRtobjectRt ExceptionRPRSRURbRcRRqRRRRR(((s>/usr/lib/python2.7/site-packages/firewall/core/io/io_object.pyts,     C   core/io/firewalld_conf.py000064400000026146147576556050011470 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2011-2012 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
# import os.path import io import tempfile import shutil from firewall import config from firewall.core.logger import log from firewall.functions import b2u, u2b, PY2 valid_keys = [ "DefaultZone", "MinimalMark", "CleanupOnExit", "Lockdown", "IPv6_rpfilter", "IndividualCalls", "LogDenied", "AutomaticHelpers", "AllowZoneDrifting" ] class firewalld_conf(object): def __init__(self, filename): self._config = { } self._deleted = [ ] self.filename = filename self.clear() def clear(self): self._config = { } self._deleted = [ ] def cleanup(self): self._config.clear() self._deleted = [ ] def get(self, key): return self._config.get(key.strip()) def set(self, key, value): _key = b2u(key.strip()) self._config[_key] = b2u(value.strip()) if _key in self._deleted: self._deleted.remove(_key) def __str__(self): s = "" for (key,value) in self._config.items(): if s: s += '\n' s += '%s=%s' % (key, value) return u2b(s) if PY2 else s # load self.filename def read(self): self.clear() try: f = open(self.filename, "r") except Exception as msg: log.error("Failed to load '%s': %s", self.filename, msg) self.set("DefaultZone", config.FALLBACK_ZONE) self.set("MinimalMark", str(config.FALLBACK_MINIMAL_MARK)) self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no") self.set("Lockdown", "yes" if config.FALLBACK_LOCKDOWN else "no") self.set("IPv6_rpfilter","yes" if config.FALLBACK_IPV6_RPFILTER else "no") self.set("IndividualCalls", "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no") self.set("LogDenied", config.FALLBACK_LOG_DENIED) self.set("AutomaticHelpers", config.FALLBACK_AUTOMATIC_HELPERS) self.set("AllowZoneDrifting", "yes" if config.FALLBACK_ALLOW_ZONE_DRIFTING else "no") raise for line in f: if not line: break line = line.strip() if len(line) < 1 or line[0] in ['#', ';']: continue # get key/value pair pair = [ x.strip() for x in line.split("=") ] if len(pair) != 2: log.error("Invalid option definition: '%s'", line.strip()) continue elif pair[0] not in valid_keys: 
log.error("Invalid option: '%s'", line.strip()) continue elif pair[1] == '': log.error("Missing value: '%s'", line.strip()) continue elif self._config.get(pair[0]) is not None: log.error("Duplicate option definition: '%s'", line.strip()) continue self._config[pair[0]] = pair[1] f.close() # check default zone if not self.get("DefaultZone"): log.error("DefaultZone is not set, using default value '%s'", config.FALLBACK_ZONE) self.set("DefaultZone", str(config.FALLBACK_ZONE)) # check minimal mark value = self.get("MinimalMark") try: int(value) except ValueError: if value is not None: log.warning("MinimalMark '%s' is not valid, using default " "value '%d'", value if value else '', config.FALLBACK_MINIMAL_MARK) self.set("MinimalMark", str(config.FALLBACK_MINIMAL_MARK)) # check cleanup on exit value = self.get("CleanupOnExit") if not value or value.lower() not in [ "no", "false", "yes", "true" ]: if value is not None: log.warning("CleanupOnExit '%s' is not valid, using default " "value %s", value if value else '', config.FALLBACK_CLEANUP_ON_EXIT) self.set("CleanupOnExit", "yes" if config.FALLBACK_CLEANUP_ON_EXIT else "no") # check lockdown value = self.get("Lockdown") if not value or value.lower() not in [ "yes", "true", "no", "false" ]: if value is not None: log.warning("Lockdown '%s' is not valid, using default " "value %s", value if value else '', config.FALLBACK_LOCKDOWN) self.set("Lockdown", "yes" if config.FALLBACK_LOCKDOWN else "no") # check ipv6_rpfilter value = self.get("IPv6_rpfilter") if not value or value.lower() not in [ "yes", "true", "no", "false" ]: if value is not None: log.warning("IPv6_rpfilter '%s' is not valid, using default " "value %s", value if value else '', config.FALLBACK_IPV6_RPFILTER) self.set("IPv6_rpfilter","yes" if config.FALLBACK_IPV6_RPFILTER else "no") # check individual calls value = self.get("IndividualCalls") if not value or value.lower() not in [ "yes", "true", "no", "false" ]: if value is not None: log.warning("IndividualCalls '%s' 
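is not valid, using default "
                            "value %s", value if value else '',
                            config.FALLBACK_INDIVIDUAL_CALLS)
            self.set("IndividualCalls",
                     "yes" if config.FALLBACK_INDIVIDUAL_CALLS else "no")

        # check log denied
        value = self.get("LogDenied")
        if not value or value not in config.LOG_DENIED_VALUES:
            if value is not None:
                log.warning("LogDenied '%s' is invalid, using default value '%s'",
                            value, config.FALLBACK_LOG_DENIED)
            self.set("LogDenied", str(config.FALLBACK_LOG_DENIED))

        # check automatic helpers
        value = self.get("AutomaticHelpers")
        if not value or value.lower() not in config.AUTOMATIC_HELPERS_VALUES:
            if value is not None:
                log.warning("AutomaticHelpers '%s' is not valid, using default "
                            "value %s", value if value else '',
                            config.FALLBACK_AUTOMATIC_HELPERS)
            self.set("AutomaticHelpers", str(config.FALLBACK_AUTOMATIC_HELPERS))

        value = self.get("AllowZoneDrifting")
        if not value or value.lower() not in [ "yes", "true", "no", "false" ]:
            if value is not None:
                log.warning("AllowZoneDrifting '%s' is not valid, using default "
                            "value %s", value if value else '',
                            config.FALLBACK_ALLOW_ZONE_DRIFTING)
            self.set("AllowZoneDrifting", str(config.FALLBACK_ALLOW_ZONE_DRIFTING))

    # save to self.filename if there are key/value changes
    def write(self):
        """Write pending key/value changes back to ``self.filename``.

        The current file is copied line by line into a temporary file that
        is created next to it (same directory, so the final move is a plain
        rename): comments and lines that are not ``key=value`` pairs are
        passed through, a key whose value differs from ``self._config`` gets
        the new value, keys listed in ``self._deleted`` and repeated keys are
        dropped, and keys from ``self._config`` that never appeared are
        appended at the end.  If nothing changed the temporary file is
        removed again; otherwise the previous file is kept as
        ``<filename>.old`` and the new file is moved into place and
        restricted to mode 0600.

        Raises:
            IOError: if the ``.old`` backup or the final move fails.
            Exception: whatever creating the temporary file or opening an
                existing ``self.filename`` raised (logged before re-raise).
        """
        if len(self._config) < 1:
            # no changes: nothing to do
            return

        # handled keys
        done = [ ]

        if not os.path.exists(config.ETC_FIREWALLD):
            os.mkdir(config.ETC_FIREWALLD, 0o750)

        try:
            temp_file = tempfile.NamedTemporaryFile(
                mode='wt',
                prefix="%s." % os.path.basename(self.filename),
                dir=os.path.dirname(self.filename),
                delete=False)
        except Exception as msg:
            log.error("Failed to open temporary file: %s" % msg)
            raise

        modified = False
        empty = False
        f = None
        try:
            try:
                f = io.open(self.filename, mode='rt', encoding='UTF-8')
            except Exception as msg:
                if os.path.exists(self.filename):
                    log.error("Failed to open '%s': %s" % (self.filename, msg))
                    raise
                # no file yet: only the pending pairs are written below
            else:
                for line in f:
                    if not line:
                        break
                    # remove newline
                    line = line.strip("\n")

                    if len(line) < 1:
                        # collapse runs of blank lines into one
                        if not empty:
                            temp_file.write(u"\n")
                            empty = True
                    elif line[0] == '#':
                        empty = False
                        temp_file.write(line)
                        temp_file.write(u"\n")
                    else:
                        p = line.split("=")
                        if len(p) != 2:
                            # not a simple key=value line: keep verbatim
                            empty = False
                            temp_file.write(line+u"\n")
                            continue
                        key = p[0].strip()
                        value = p[1].strip()
                        # check for modified key/value pairs
                        if key not in done:
                            if (key in self._config and
                                    self._config[key] != value):
                                empty = False
                                temp_file.write(u'%s=%s\n' % (key, self._config[key]))
                                modified = True
                            elif key in self._deleted:
                                # dropped: the line is simply not copied
                                modified = True
                            else:
                                empty = False
                                temp_file.write(line+u"\n")
                            done.append(key)
                        else:
                            # repeated key: the first occurrence wins
                            modified = True

            # write remaining key/value pairs
            for (key, value) in self._config.items():
                if key in done:
                    continue
                if not empty:
                    temp_file.write(u"\n")
                    empty = True
                temp_file.write(u'%s=%s\n' % (key, value))
                modified = True
        except Exception:
            # do not leave a half-written temp file behind in the config dir
            temp_file.close()
            os.remove(temp_file.name)
            raise
        finally:
            if f:
                f.close()

        temp_file.close()

        if not modified:
            # not modified: remove tempfile
            os.remove(temp_file.name)
            return

        # make backup
        if os.path.exists(self.filename):
            try:
                shutil.copy2(self.filename, "%s.old" % self.filename)
            except Exception as msg:
                os.remove(temp_file.name)
                raise IOError("Backup of '%s' failed: %s" % (self.filename, msg))

        # copy tempfile
        try:
            shutil.move(temp_file.name, self.filename)
        except Exception as msg:
            os.remove(temp_file.name)
            raise IOError("Failed to create '%s': %s" % (self.filename, msg))
        else:
            # the config file is owner-only; the temp file's mode is not relied on
            os.chmod(self.filename, 0o600)

# core/io/service.py
# -*- coding: utf-8 -*-
#
# Copyright (C)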
# 2011-2016 Red Hat, Inc.
#
# Authors:
# Thomas Woerner
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see .
#

# Service definitions: the Service object, its SAX content handler, and the
# reader/writer that map it to and from a <service> XML file.

__all__ = [ "Service", "service_reader", "service_writer" ]

import xml.sax as sax
import os
import io
import shutil

from firewall import config
from firewall.functions import u2b_if_py2
from firewall.core.io.io_object import PY2, IO_Object, \
    IO_Object_ContentHandler, IO_Object_XMLGenerator, check_port, \
    check_tcpudp, check_protocol, check_address
from firewall.core.logger import log
from firewall import errors
from firewall.errors import FirewallError

class Service(IO_Object):
    """One firewalld service definition: ports, protocols, source ports,
    conntrack helper modules and optional per-family destination addresses.

    The class attributes drive the generic IO_Object machinery:
    IMPORT_EXPORT_STRUCTURE and DBUS_SIGNATURE describe the D-Bus shape of
    a service, PARSER_REQUIRED_ELEMENT_ATTRS / PARSER_OPTIONAL_ELEMENT_ATTRS
    list the attributes each XML element must or may carry (presumably what
    parser_check_element_attrs in the content handler checks against).
    """
    IMPORT_EXPORT_STRUCTURE = (
        ( "version",  "" ),                            # s
        ( "short", "" ),                               # s
        ( "description", "" ),                         # s
        ( "ports", [ ( "", "" ), ], ),                 # a(ss)
        ( "modules", [ "", ], ),                       # as
        ( "destination", { "": "", }, ),               # a{ss}
        ( "protocols", [ "", ], ),                     # as
        ( "source_ports", [ ( "", "" ), ], ),          # a(ss)
        )
    DBUS_SIGNATURE = '(sssa(ss)asa{ss}asa(ss))'
    ADDITIONAL_ALNUM_CHARS = [ "_", "-" ]
    PARSER_REQUIRED_ELEMENT_ATTRS = {
        "short": None,
        "description": None,
        "service": None,
        }
    PARSER_OPTIONAL_ELEMENT_ATTRS = {
        "service": [ "name", "version" ],
        "port": [ "port", "protocol" ],
        "protocol": [ "value" ],
        "module": [ "name" ],
        "destination": [ "ipv4", "ipv6" ],
        "source-port": [ "port", "protocol" ],
        }

    def __init__(self):
        """Create an empty service; all collections start empty."""
        super(Service, self).__init__()
        self.version = ""
        self.short = ""
        self.description = ""
        self.ports = [ ]           # list of (port, protocol) tuples
        self.protocols = [ ]       # list of protocol names
        self.modules = [ ]         # conntrack helper names, "nf_conntrack_" prefix stripped
        self.destination = { }     # "ipv4"/"ipv6" -> address
        self.source_ports = [ ]    # list of (port, protocol) tuples

    def cleanup(self):
        """Reset every field in place (the containers are emptied, not
        replaced, so references held elsewhere stay valid)."""
        self.version = ""
        self.short = ""
        self.description = ""
        del self.ports[:]
        del self.protocols[:]
        del self.modules[:]
        self.destination.clear()
        del self.source_ports[:]

    def encode_strings(self):
        """ HACK. I haven't been able to make sax parser return
            strings encoded (because of python 2) instead of in unicode.
            Get rid of it once we throw out python 2 support."""
        self.version = u2b_if_py2(self.version)
        self.short = u2b_if_py2(self.short)
        self.description = u2b_if_py2(self.description)
        self.ports = [(u2b_if_py2(po),u2b_if_py2(pr)) for (po,pr) in self.ports]
        self.modules = [u2b_if_py2(m) for m in self.modules]
        self.destination = {u2b_if_py2(k):u2b_if_py2(v) for k,v in self.destination.items()}
        self.protocols = [u2b_if_py2(pr) for pr in self.protocols]
        self.source_ports = [(u2b_if_py2(po),u2b_if_py2(pr)) for (po,pr) in self.source_ports]

    def _check_config(self, config, item):
        """Validate the value *config* of one exported field *item*.

        Note that *config* here is the field's value (the parameter shadows
        the firewall.config module inside this method).  Each check_* helper
        raises on an invalid entry; this method raises FirewallError itself
        for an unknown destination family or a too-short module name.
        Fields not listed below are accepted without checks.
        """
        if item == "ports":
            for port in config:
                if port[0] != "":
                    check_port(port[0])
                    check_tcpudp(port[1])
                else:
                    # only protocol
                    check_protocol(port[1])
        elif item == "protocols":
            for proto in config:
                check_protocol(proto)
        elif item == "source_ports":
            for port in config:
                check_port(port[0])
                check_tcpudp(port[1])
        elif item == "destination":
            for destination in config:
                if destination not in [ "ipv4", "ipv6" ]:
                    raise FirewallError(errors.INVALID_DESTINATION,
                                        "'%s' not in {'ipv4'|'ipv6'}" % \
                                        destination)
                check_address(destination, config[destination])
        elif item == "modules":
            for module in config:
                # normalise "nf_conntrack_foo_bar" to "foo-bar" before the
                # length check, mirroring what the XML parser does
                if module.startswith("nf_conntrack_"):
                    module = module.replace("nf_conntrack_", "")
                    if "_" in module:
                        module = module.replace("_", "-")
                if len(module) < 2:
                    raise FirewallError(errors.INVALID_MODULE, module)

# PARSER

class service_ContentHandler(IO_Object_ContentHandler):
    """SAX handler that fills a Service (``self.item``) from <service> XML.

    Every value is validated (check_port/check_tcpudp/check_protocol/
    check_address) before it is stored, and duplicates are dropped with a
    warning rather than added twice.
    """
    def startElement(self, name, attrs):
        """Handle one opening element; unknown element names are ignored."""
        IO_Object_ContentHandler.startElement(self, name, attrs)
        self.item.parser_check_element_attrs(name, attrs)
        if name == "service":
            if "name" in attrs:
                # the service name comes from the filename, not the XML
                log.warning("Ignoring deprecated attribute name='%s'",
                            attrs["name"])
            if "version" in attrs:
                self.item.version = attrs["version"]
        elif name == "short":
            pass
        elif name == "description":
            pass
        elif name == "port":
            if attrs["port"] != "":
                check_port(attrs["port"])
                check_tcpudp(attrs["protocol"])
                entry = (attrs["port"], attrs["protocol"])
                if entry not in self.item.ports:
                    self.item.ports.append(entry)
                else:
                    log.warning("Port '%s/%s' already set, ignoring.",
                                attrs["port"], attrs["protocol"])
            else:
                # <port port="" protocol="x"/> means a bare protocol entry
                check_protocol(attrs["protocol"])
                if attrs["protocol"] not in self.item.protocols:
                    self.item.protocols.append(attrs["protocol"])
                else:
                    log.warning("Protocol '%s' already set, ignoring.",
                                attrs["protocol"])
        elif name == "protocol":
            check_protocol(attrs["value"])
            if attrs["value"] not in self.item.protocols:
                self.item.protocols.append(attrs["value"])
            else:
                log.warning("Protocol '%s' already set, ignoring.",
                            attrs["value"])
        elif name == "source-port":
            check_port(attrs["port"])
            check_tcpudp(attrs["protocol"])
            entry = (attrs["port"], attrs["protocol"])
            if entry not in self.item.source_ports:
                self.item.source_ports.append(entry)
            else:
                log.warning("SourcePort '%s/%s' already set, ignoring.",
                            attrs["port"], attrs["protocol"])
        elif name == "destination":
            for x in [ "ipv4", "ipv6" ]:
                if x in attrs:
                    check_address(x, attrs[x])
                    if x in self.item.destination:
                        log.warning("Destination address for '%s' already set, ignoring",
                                    x)
                    else:
                        self.item.destination[x] = attrs[x]
        elif name == "module":
            module = attrs["name"]
            # same normalisation as Service._check_config
            if module.startswith("nf_conntrack_"):
                module = module.replace("nf_conntrack_", "")
                if "_" in module:
                    module = module.replace("_", "-")
            if module not in self.item.modules:
                self.item.modules.append(module)
            else:
                log.warning("Module '%s' already set, ignoring.", module)

def service_reader(filename, path):
    """Parse ``path/filename`` into a Service.

    The service name is the filename without its ``.xml`` suffix and is
    validated with check_name.  Files under config.ETC_FIREWALLD are marked
    as non-builtin; everything else is builtin and default.

    Raises:
        FirewallError(INVALID_NAME): if *filename* lacks the .xml suffix.
        FirewallError(INVALID_SERVICE): on a SAX parse error.
    """
    service = Service()
    if not filename.endswith(".xml"):
        raise FirewallError(errors.INVALID_NAME,
                            "'%s' is missing .xml suffix" % filename)
    service.name = filename[:-4]
    service.check_name(service.name)
    service.filename = filename
    service.path = path
    service.builtin = False if path.startswith(config.ETC_FIREWALLD) else True
    service.default = service.builtin
    handler = service_ContentHandler(service)
    # NOTE(review): a plain sax.make_parser() is used; whether it resolves
    # external entities by default depends on the Python version (turned off
    # in 3.7.1), so this reader must only be pointed at the trusted
    # configuration directories, never at user-supplied files.
    parser = sax.make_parser()
    parser.setContentHandler(handler)
    name = "%s/%s" % (path, filename)
    with open(name, "rb") as f:
        source = sax.InputSource(None)
        source.setByteStream(f)
        try:
            parser.parse(source)
        except sax.SAXParseException as msg:
            raise FirewallError(errors.INVALID_SERVICE,
                                "not a valid service file: %s" % \
                                msg.getException())
    del handler
    del parser
    if PY2:
        service.encode_strings()
    return service

def service_writer(service, path=None):
    """Serialise *service* to ``<path>/<filename>`` as <service> XML.

    *path* defaults to ``service.path``; the file name is ``service.filename``
    when set, else ``<name>.xml``.  An existing file is first copied to
    ``<name>.old`` (a failed backup is only logged).  Missing directories are
    created with mode 0750, but only below config.ETC_FIREWALLD.
    The function body continues past this block; ``f`` is closed only at its
    end, so an exception while writing leaves the handle open.
    """
    _path = path if path else service.path
    if service.filename:
        name = "%s/%s" % (_path, service.filename)
    else:
        name = "%s/%s.xml" % (_path, service.name)

    if os.path.exists(name):
        try:
            shutil.copy2(name, "%s.old" % name)
        except Exception as msg:
            log.error("Backup of file '%s' failed: %s", name, msg)

    dirpath = os.path.dirname(name)
    if dirpath.startswith(config.ETC_FIREWALLD) and not os.path.exists(dirpath):
        if not os.path.exists(config.ETC_FIREWALLD):
            os.mkdir(config.ETC_FIREWALLD, 0o750)
        os.mkdir(dirpath, 0o750)

    f = io.open(name, mode='wt', encoding='UTF-8')
    handler = IO_Object_XMLGenerator(f)
    handler.startDocument()

    # start service element
    attrs = {}
    if service.version and service.version != "":
        attrs["version"] = service.version
    handler.startElement("service", attrs)
    handler.ignorableWhitespace("\n")

    # short
    if service.short and service.short != "":
        handler.ignorableWhitespace(" ")
        handler.startElement("short", { })
        handler.characters(service.short)
        handler.endElement("short")
        handler.ignorableWhitespace("\n")

    # description
    if service.description and service.description != "":
        handler.ignorableWhitespace(" ")
        handler.startElement("description", { })
        handler.characters(service.description)
        handler.endElement("description")
        handler.ignorableWhitespace("\n")

    # ports
    for port in service.ports:
handler.ignorableWhitespace(" ") handler.simpleElement("port", { "port": port[0], "protocol": port[1] }) handler.ignorableWhitespace("\n") # protocols for protocol in service.protocols: handler.ignorableWhitespace(" ") handler.simpleElement("protocol", { "value": protocol }) handler.ignorableWhitespace("\n") # source ports for port in service.source_ports: handler.ignorableWhitespace(" ") handler.simpleElement("source-port", { "port": port[0], "protocol": port[1] }) handler.ignorableWhitespace("\n") # modules for module in service.modules: handler.ignorableWhitespace(" ") handler.simpleElement("module", { "name": module }) handler.ignorableWhitespace("\n") # destination if len(service.destination) > 0: handler.ignorableWhitespace(" ") handler.simpleElement("destination", service.destination) handler.ignorableWhitespace("\n") # end service element handler.endElement('service') handler.ignorableWhitespace("\n") handler.endDocument() f.close() del handler core/io/ifcfg.pyo000064400000012023147576556050007734 0ustar00 c`c@sdZdgZddlZddlZddlZddlZddlmZddl m Z m Z m Z de fdYZdS(sifcfg file parsertifcfgiN(tlog(tb2utu2btPY2cBsPeZdZdZdZdZdZdZdZdZ RS(cCs)i|_g|_||_|jdS(N(t_configt_deletedtfilenametclear(tselfR((s:/usr/lib/python2.7/site-packages/firewall/core/io/ifcfg.pyt__init__#s   cCsi|_g|_dS(N(RR(R ((s:/usr/lib/python2.7/site-packages/firewall/core/io/ifcfg.pyR)s cCs|jjdS(N(RR(R ((s:/usr/lib/python2.7/site-packages/firewall/core/io/ifcfg.pytcleanup-scCs|jj|jS(N(Rtgettstrip(R tkey((s:/usr/lib/python2.7/site-packages/firewall/core/io/ifcfg.pyR 0scCsQt|j}t|j|j|<||jkrM|jj|ndS(N(RR RRtremove(R Rtvaluet_key((s:/usr/lib/python2.7/site-packages/firewall/core/io/ifcfg.pytset3scCsad}xD|jjD]3\}}|r5|d7}n|d||f7}qWtr]t|S|S(Nts s%s=%s(RtitemsRR(R tsRR((s:/usr/lib/python2.7/site-packages/firewall/core/io/ifcfg.pyt__str__9s  cCs|jyt|jd}Wn,tk rN}tjd|j|nXxL|D]D}|sfPn|j}t|dksV|dd krqVng|jddD]}|j^q}t|dkrqVnt|ddkr1|dj d r1|dj d r1|ddd !|d|j j |ddk rtjd |j|jqVn|d|j |ds     
core/io/functions.pyo000064400000005302147576556050010670 0ustar00 c`c@sddlZddlmZddlmZddlmZddlmZddl m Z ddl m Z ddl mZdd lmZdd lmZdd lmZdd ZdS( iN(tconfig(t FirewallError(t zone_reader(tservice_reader(t ipset_reader(ticmptype_reader(t helper_reader(tDirect(tLockdownWhitelist(tfirewalld_confcCsittjtjgfd6ttjtjgfd6ttjtj gfd6t tj tj gfd6t tjtjgfd6}x#|jD]}x ||dD]}tjj|sqnxttj|D]}|jdryO||d||}|r)|dkr)|j|_n|j|jWqtk rq}t|jd ||jfqtk r}td ||fqXqqWqWqWtjjtjrTy0t tj}|j!|j|jWqTtk r%}t|jd tj|jfqTtk rP}td tj|fqTXntjjtj"ry0t#tj"}|j!|j|jWqtk r}t|jd tj"|jfqtk r}td tj"|fqXntjjtj$ryt%tj$}|j!Wqtk rh}t|jd tj$|jfqtk r}td tj$|fqXndS( Ntipsetthelperticmptypetservicetzoneis.xmlis'%s': %s(&RRtFIREWALLD_IPSETStETC_FIREWALLD_IPSETSRtFIREWALLD_HELPERStETC_FIREWALLD_HELPERSRtFIREWALLD_ICMPTYPEStETC_FIREWALLD_ICMPTYPESRtFIREWALLD_SERVICEStETC_FIREWALLD_SERVICESRtFIREWALLD_ZONEStETC_FIREWALLD_ZONEStkeystostpathtisdirtsortedtlistdirtendswitht fw_configt check_configt export_configRtcodetmsgt ExceptiontisfiletFIREWALLD_DIRECTRtreadtLOCKDOWN_WHITELISTRtFIREWALLD_CONFR (tfwtreaderstreadertdirtfiletobjterrorR$((s>/usr/lib/python2.7/site-packages/firewall/core/io/functions.pyR!$s^") %  % %(RtfirewallRtfirewall.errorsRtfirewall.core.io.zoneRtfirewall.core.io.serviceRtfirewall.core.io.ipsetRtfirewall.core.io.icmptypeRtfirewall.core.io.helperRtfirewall.core.io.directRt#firewall.core.io.lockdown_whitelistRtfirewall.core.io.firewalld_confR tNoneR!(((s>/usr/lib/python2.7/site-packages/firewall/core/io/functions.pyts core/icmp.pyo000064400000005623147576556050007207 0ustar00 c`c@sddddgZi"dd6dd6dd6d d 6d d 6d d6dd6dd6dd6dd6dd6dd6dd6dd6dd 6d!d"6d#d$6d%d&6d'd(6d)d*6d+d,6d-d.6d/d06d/d16d2d36d4d56d6d76d8d96d:d;6d<d=6d>d?6d@dA6dBdC6dDdE6ZidFdG6dHd 6dIdJ6dKd6dLdM6dd76d d96d%dN6dOdP6dQdR6dSd06dSd16dTd6dTd6dUd56dVd36dWdX6dWdY6dZd[6dZd\6d]d^6Zd_Zd`ZdaZdbZdcS(dt ICMP_TYPESt ICMPV6_TYPEStcheck_icmp_typetcheck_icmpv6_types0/0s 
echo-replytpongs3/0snetwork-unreachables3/1shost-unreachables3/2sprotocol-unreachables3/3sport-unreachables3/4sfragmentation-neededs3/5ssource-route-faileds3/6snetwork-unknowns3/7s host-unknowns3/9snetwork-prohibiteds3/10shost-prohibiteds3/11sTOS-network-unreachables3/12sTOS-host-unreachables3/13scommunication-prohibiteds3/14shost-precedence-violations3/15sprecedence-cutoffs4/0s source-quenchs5/0snetwork-redirects5/1s host-redirects5/2sTOS-network-redirects5/3sTOS-host-redirects8/0s echo-requesttpings9/0srouter-advertisements10/0srouter-solicitations11/0sttl-zero-during-transits11/1sttl-zero-during-reassemblys12/0s ip-header-bads12/1srequired-option-missings13/0stimestamp-requests14/0stimestamp-replys17/0saddress-mask-requests18/0saddress-mask-replys1/0sno-routes1/1s1/3saddress-unreachables1/4s2/0spacket-too-bigs bad-headers4/1sunknown-header-types4/2sunknown-options128/0s129/0s133/0s134/0s135/0sneighbour-solicitationsneigbour-solicitations136/0sneighbour-advertisementsneigbour-advertisements137/0tredirectcCs|tkrtStS(N(RtTruetFalse(t_name((s6/usr/lib/python2.7/site-packages/firewall/core/icmp.pytcheck_icmp_nameVs cCs|tjkrtStS(N(RtvaluesRR(t_type((s6/usr/lib/python2.7/site-packages/firewall/core/icmp.pyR[scCs|tkrtStS(N(RRR(R ((s6/usr/lib/python2.7/site-packages/firewall/core/icmp.pytcheck_icmpv6_name`s cCs|tjkrtStS(N(RR RR(R ((s6/usr/lib/python2.7/site-packages/firewall/core/icmp.pyResN(t__all__RRR RR R(((s6/usr/lib/python2.7/site-packages/firewall/core/icmp.pyts|      command.py000064400000053505147576556050006570 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2011-2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. 
# # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # """FirewallCommand class for command line client simplification""" __all__ = [ "FirewallCommand" ] import sys from firewall import errors from firewall.errors import FirewallError from dbus.exceptions import DBusException from firewall.functions import checkIPnMask, checkIP6nMask, check_mac, \ check_port, check_single_address class FirewallCommand(object): def __init__(self, quiet=False, verbose=False): self.quiet = quiet self.verbose = verbose self.__use_exception_handler = True self.fw = None def set_fw(self, fw): self.fw = fw def set_quiet(self, flag): self.quiet = flag def get_quiet(self): return self.quiet def set_verbose(self, flag): self.verbose = flag def get_verbose(self): return self.verbose def print_msg(self, msg=None): if msg is not None and not self.quiet: sys.stdout.write(msg + "\n") def print_error_msg(self, msg=None): if msg is not None and not self.quiet: sys.stderr.write(msg + "\n") def print_warning(self, msg=None): FAIL = '\033[91m' END = '\033[00m' if sys.stderr.isatty(): msg = FAIL + msg + END self.print_error_msg(msg) def print_and_exit(self, msg=None, exit_code=0): #OK = '\033[92m' #END = '\033[00m' if exit_code > 1: self.print_warning(msg) else: #if sys.stdout.isatty(): # msg = OK + msg + END self.print_msg(msg) sys.exit(exit_code) def fail(self, msg=None): self.print_and_exit(msg, 2) def print_if_verbose(self, msg=None): if msg is not None and self.verbose: sys.stdout.write(msg + "\n") def __cmd_sequence(self, cmd_type, option, action_method, query_method, # pylint: disable=W0613, R0913, R0914 parse_method, message, start_args=None, end_args=None, # pylint: disable=W0613 no_exit=False): if 
self.fw is not None: self.fw.authorizeAll() items = [ ] _errors = 0 _error_codes = [ ] for item in option: if parse_method is not None: try: item = parse_method(item) except Exception as msg: code = FirewallError.get_code(str(msg)) if len(option) > 1: self.print_warning("Warning: %s" % msg) else: self.print_and_exit("Error: %s" % msg, code) if code not in _error_codes: _error_codes.append(code) _errors += 1 continue items.append(item) for item in items: call_item = [ ] if start_args is not None: call_item += start_args if not isinstance(item, list) and not isinstance(item, tuple): call_item.append(item) else: call_item += item if end_args is not None: call_item += end_args self.deactivate_exception_handler() try: action_method(*call_item) except (DBusException, Exception) as msg: if isinstance(msg, DBusException): self.fail_if_not_authorized(msg.get_dbus_name()) msg = msg.get_dbus_message() else: msg = str(msg) code = FirewallError.get_code(msg) if code in [ errors.ALREADY_ENABLED, errors.NOT_ENABLED, errors.ZONE_ALREADY_SET, errors.ALREADY_SET ]: code = 0 if len(option) > 1: self.print_warning("Warning: %s" % msg) elif code == 0: self.print_warning("Warning: %s" % msg) return else: self.print_and_exit("Error: %s" % msg, code) if code not in _error_codes: _error_codes.append(code) _errors += 1 self.activate_exception_handler() if not no_exit: if len(option) > _errors or 0 in _error_codes: # There have been more options than errors or there # was at least one error code 0, return. return elif len(_error_codes) == 1: # Exactly one error code, use it. sys.exit(_error_codes[0]) elif len(_error_codes) > 1: # There is more than error, exit using # UNKNOWN_ERROR. This could happen within sequences # where parsing failed with different errors like # INVALID_PORT and INVALID_PROTOCOL. 
sys.exit(errors.UNKNOWN_ERROR) def add_sequence(self, option, action_method, query_method, parse_method, # pylint: disable=R0913 message, no_exit=False): self.__cmd_sequence("add", option, action_method, query_method, parse_method, message, no_exit=no_exit) def x_add_sequence(self, x, option, action_method, query_method, # pylint: disable=R0913 parse_method, message, no_exit=False): self.__cmd_sequence("add", option, action_method, query_method, parse_method, message, start_args=[x], no_exit=no_exit) def zone_add_timeout_sequence(self, zone, option, action_method, # pylint: disable=R0913 query_method, parse_method, message, timeout, no_exit=False): self.__cmd_sequence("add", option, action_method, query_method, parse_method, message, start_args=[zone], end_args=[timeout], no_exit=no_exit) def remove_sequence(self, option, action_method, query_method, # pylint: disable=R0913 parse_method, message, no_exit=False): self.__cmd_sequence("remove", option, action_method, query_method, parse_method, message, no_exit=no_exit) def x_remove_sequence(self, x, option, action_method, query_method, # pylint: disable=R0913 parse_method, message, no_exit=False): self.__cmd_sequence("remove", option, action_method, query_method, parse_method, message, start_args=[x], no_exit=no_exit) def __query_sequence(self, option, query_method, parse_method, message, # pylint: disable=R0913 start_args=None, no_exit=False): items = [ ] for item in option: if parse_method is not None: try: item = parse_method(item) except Exception as msg: if len(option) > 1: self.print_warning("Warning: %s" % msg) continue else: code = FirewallError.get_code(str(msg)) self.print_and_exit("Error: %s" % msg, code) items.append(item) for item in items: call_item = [ ] if start_args is not None: call_item += start_args if not isinstance(item, list) and not isinstance(item, tuple): call_item.append(item) else: call_item += item self.deactivate_exception_handler() try: res = query_method(*call_item) except 
DBusException as msg:
                self.fail_if_not_authorized(msg.get_dbus_name())
                code = FirewallError.get_code(msg.get_dbus_message())
                if len(option) > 1:
                    self.print_warning("Warning: %s" % msg.get_dbus_message())
                    continue
                else:
                    self.print_and_exit("Error: %s" % msg.get_dbus_message(),
                                        code)
            except Exception as msg:
                code = FirewallError.get_code(str(msg))
                if len(option) > 1:
                    # NOTE(review): unlike the DBusException branch this does
                    # not `continue`, so the print below runs with `res`
                    # unassigned for this item -- confirm against the caller
                    self.print_warning("Warning: %s" % msg)
                else:
                    self.print_and_exit("Error: %s" % msg, code)
            self.activate_exception_handler()
            if len(option) > 1:
                self.print_msg("%s: %s" % (message % item,
                                           ("no", "yes")[res]))
            else:
                self.print_query_result(res)
        if not no_exit:
            sys.exit(0)

    def query_sequence(self, option, query_method, parse_method, message, # pylint: disable=R0913
                       no_exit=False):
        """Run *query_method* for each entry in *option* (see __query_sequence)."""
        self.__query_sequence(option, query_method, parse_method, message,
                              no_exit=no_exit)

    def x_query_sequence(self, x, option, query_method, parse_method, # pylint: disable=R0913
                         message, no_exit=False):
        """Like query_sequence, but *x* (e.g. a zone) is passed as the
        first argument of every query call."""
        self.__query_sequence(option, query_method, parse_method, message,
                              start_args=[x], no_exit=no_exit)

    def parse_source(self, value):
        """Validate a --add-source style value and return it unchanged.

        Accepted forms: IPv4 or IPv6 address with optional mask, a MAC
        address, or ``ipset:<name>`` with a non-empty name.

        Raises:
            FirewallError(INVALID_ADDR): for anything else.
        """
        if not checkIPnMask(value) and not checkIP6nMask(value) \
           and not check_mac(value) and not \
           (value.startswith("ipset:") and len(value) > 6):
            raise FirewallError(errors.INVALID_ADDR,
                                "'%s' is no valid IPv4, IPv6 or MAC address, nor an ipset" % value)
        return value

    def parse_port(self, value, separator="/"):
        """Split ``port[-port]<separator>protocol`` into ``(port, proto)``.

        The unpacking only succeeds for exactly one separator, so a missing
        or repeated separator raises INVALID_PORT.  The port is validated
        with check_port; the protocol must be tcp, udp, sctp or dccp.

        Raises:
            FirewallError(INVALID_PORT), FirewallError(INVALID_PROTOCOL)
        """
        try:
            (port, proto) = value.split(separator)
        except ValueError:
            raise FirewallError(errors.INVALID_PORT,
                                "bad port (most likely "
                                "missing protocol), correct syntax is "
                                "portid[-portid]%sprotocol" % separator)
        if not check_port(port):
            raise FirewallError(errors.INVALID_PORT, port)
        if proto not in [ "tcp", "udp", "sctp", "dccp" ]:
            raise FirewallError(errors.INVALID_PROTOCOL,
                                "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
                                proto)
        return (port, proto)

    def parse_forward_port(self, value, compat=False):
        """Parse ``port=..:proto=..[:toport=..][:toaddr=..]`` into a
        ``(port, protocol, toport, toaddr)`` tuple (missing parts are None).

        The scanner walks ``opt=val`` pairs separated by ``:``; a value is
        cut at the first ``:`` only when another ``=`` follows it, so a
        toaddr that itself contains ``:`` (IPv6) only parses cleanly when it
        is the last element.  In *compat* mode an ``if=`` option is ignored
        and toaddr must be IPv4; otherwise IPv6 is accepted too.

        Raises:
            FirewallError(INVALID_FORWARD): unknown option, or missing
                port/protocol/destination.
            FirewallError(INVALID_PORT), FirewallError(INVALID_PROTOCOL),
            FirewallError(INVALID_ADDR): for invalid component values.
        """
        port = None
        protocol = None
        toport = None
        toaddr = None
        i = 0
        while ("=" in value[i:]):
            opt = value[i:].split("=", 1)[0]
            i += len(opt) + 1
            if "=" in value[i:]:
                val = value[i:].split(":", 1)[0]
            else:
                val = value[i:]
            i += len(val) + 1
            if opt == "port":
                port = val
            elif opt == "proto":
                protocol = val
            elif opt == "toport":
                toport = val
            elif opt == "toaddr":
                toaddr = val
            elif opt == "if" and compat:
                # ignore if option in compat mode
                pass
            else:
                raise FirewallError(errors.INVALID_FORWARD,
                                    "invalid forward port arg '%s'" % (opt))
        if not port:
            raise FirewallError(errors.INVALID_FORWARD, "missing port")
        if not protocol:
            raise FirewallError(errors.INVALID_FORWARD, "missing protocol")
        if not (toport or toaddr):
            raise FirewallError(errors.INVALID_FORWARD, "missing destination")
        if not check_port(port):
            raise FirewallError(errors.INVALID_PORT, port)
        if protocol not in [ "tcp", "udp", "sctp", "dccp" ]:
            raise FirewallError(errors.INVALID_PROTOCOL,
                                "'%s' not in {'tcp'|'udp'|'sctp'|'dccp'}" % \
                                protocol)
        if toport and not check_port(toport):
            raise FirewallError(errors.INVALID_PORT, toport)
        if toaddr and not check_single_address("ipv4", toaddr):
            if compat or not check_single_address("ipv6", toaddr):
                raise FirewallError(errors.INVALID_ADDR, toaddr)
        return (port, protocol, toport, toaddr)

    def parse_ipset_option(self, value):
        """Split ``key[=value]`` into a ``(key, value)`` pair.

        Note the asymmetry: a bare key returns a tuple with ``""`` as value,
        while ``key=value`` returns the two-element list from split().

        Raises:
            FirewallError(INVALID_OPTION): if there is more than one ``=``.
        """
        args = value.split("=")
        if len(args) == 1:
            return (args[0], "")
        elif len(args) == 2:
            return args
        else:
            raise FirewallError(errors.INVALID_OPTION,
                                "invalid ipset option '%s'" % (value))

    def check_destination_ipv(self, value):
        """Return *value* if it is ``ipv4`` or ``ipv6``, else raise INVALID_IPV."""
        ipvs = [ "ipv4", "ipv6", ]
        if value not in ipvs:
            raise FirewallError(errors.INVALID_IPV,
                                "invalid argument: %s (choose from '%s')" % \
                                (value, "', '".join(ipvs)))
        return value

    def parse_service_destination(self, value):
        """Split ``ipv:address[/mask]`` at the first ``:`` into
        ``(ipv, destination)``.  Only the family is validated here; the
        address part is passed through unchecked (presumably validated by
        the receiving side -- confirm).

        Raises:
            FirewallError(INVALID_DESTINATION): if there is no ``:``.
            FirewallError(INVALID_IPV): for an unknown family.
        """
        try:
            (ipv, destination) = value.split(":", 1)
        except ValueError:
            raise FirewallError(errors.INVALID_DESTINATION,
                                "destination syntax is ipv:address[/mask]")
        return (self.check_destination_ipv(ipv), destination)

    def check_ipv(self, value):
        """Return *value* if it is ``ipv4``, ``ipv6`` or ``eb``, else raise
        INVALID_IPV (the raise continues on the next line of the file)."""
        ipvs = [ "ipv4", "ipv6", "eb" ]
        if value not in ipvs:
            raise
FirewallError(errors.INVALID_IPV, "invalid argument: %s (choose from '%s')" % \ (value, "', '".join(ipvs))) return value def check_helper_family(self, value): ipvs = [ "", "ipv4", "ipv6" ] if value not in ipvs: raise FirewallError(errors.INVALID_IPV, "invalid argument: %s (choose from '%s')" % \ (value, "', '".join(ipvs))) return value def check_module(self, value): if not value.startswith("nf_conntrack_"): raise FirewallError( errors.INVALID_MODULE, "'%s' does not start with 'nf_conntrack_'" % value) if len(value.replace("nf_conntrack_", "")) < 1: raise FirewallError(errors.INVALID_MODULE, "Module name '%s' too short" % value) return value def print_zone_info(self, zone, settings, default_zone=None, extra_interfaces=[]): # pylint: disable=R0914 target = settings.getTarget() icmp_block_inversion = settings.getIcmpBlockInversion() interfaces = sorted(set(settings.getInterfaces() + extra_interfaces)) sources = settings.getSources() services = settings.getServices() ports = settings.getPorts() protocols = settings.getProtocols() masquerade = settings.getMasquerade() forward_ports = settings.getForwardPorts() source_ports = settings.getSourcePorts() icmp_blocks = settings.getIcmpBlocks() rules = settings.getRichRules() description = settings.getDescription() short_description = settings.getShort() attributes = [] if default_zone is not None: if zone == default_zone: attributes.append("default") if interfaces or sources: attributes.append("active") if attributes: zone = zone + " (%s)" % ", ".join(attributes) self.print_msg(zone) if self.verbose: self.print_msg(" summary: " + short_description) self.print_msg(" description: " + description) self.print_msg(" target: " + target) self.print_msg(" icmp-block-inversion: %s" % \ ("yes" if icmp_block_inversion else "no")) self.print_msg(" interfaces: " + " ".join(interfaces)) self.print_msg(" sources: " + " ".join(sources)) self.print_msg(" services: " + " ".join(sorted(services))) self.print_msg(" ports: " + " ".join(["%s/%s" 
% (port[0], port[1]) for port in ports])) self.print_msg(" protocols: " + " ".join(sorted(protocols))) self.print_msg(" masquerade: %s" % ("yes" if masquerade else "no")) self.print_msg(" forward-ports: " + "\n\t".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % \ (port, proto, toport, toaddr) for (port, proto, toport, toaddr) in \ forward_ports])) self.print_msg(" source-ports: " + " ".join(["%s/%s" % (port[0], port[1]) for port in source_ports])) self.print_msg(" icmp-blocks: " + " ".join(icmp_blocks)) self.print_msg(" rich rules: \n\t" + "\n\t".join(rules)) def print_service_info(self, service, settings): ports = settings.getPorts() protocols = settings.getProtocols() source_ports = settings.getSourcePorts() modules = settings.getModules() description = settings.getDescription() destinations = settings.getDestinations() short_description = settings.getShort() self.print_msg(service) if self.verbose: self.print_msg(" summary: " + short_description) self.print_msg(" description: " + description) self.print_msg(" ports: " + " ".join(["%s/%s" % (port[0], port[1]) for port in ports])) self.print_msg(" protocols: " + " ".join(protocols)) self.print_msg(" source-ports: " + " ".join(["%s/%s" % (port[0], port[1]) for port in source_ports])) self.print_msg(" modules: " + " ".join(modules)) self.print_msg(" destination: " + " ".join(["%s:%s" % (k, v) for k, v in destinations.items()])) def print_icmptype_info(self, icmptype, settings): destinations = settings.getDestinations() description = settings.getDescription() short_description = settings.getShort() if len(destinations) == 0: destinations = [ "ipv4", "ipv6" ] self.print_msg(icmptype) if self.verbose: self.print_msg(" summary: " + short_description) self.print_msg(" description: " + description) self.print_msg(" destination: " + " ".join(destinations)) def print_ipset_info(self, ipset, settings): ipset_type = settings.getType() options = settings.getOptions() entries = settings.getEntries() description = 
settings.getDescription() short_description = settings.getShort() self.print_msg(ipset) if self.verbose: self.print_msg(" summary: " + short_description) self.print_msg(" description: " + description) self.print_msg(" type: " + ipset_type) self.print_msg(" options: " + " ".join(["%s=%s" % (k, v) if v else k for k, v in options.items()])) self.print_msg(" entries: " + " ".join(entries)) def print_helper_info(self, helper, settings): ports = settings.getPorts() module = settings.getModule() family = settings.getFamily() description = settings.getDescription() short_description = settings.getShort() self.print_msg(helper) if self.verbose: self.print_msg(" summary: " + short_description) self.print_msg(" description: " + description) self.print_msg(" family: " + family) self.print_msg(" module: " + module) self.print_msg(" ports: " + " ".join(["%s/%s" % (port[0], port[1]) for port in ports])) def print_query_result(self, value): if value: self.print_and_exit("yes") else: self.print_and_exit("no", 1) def exception_handler(self, exception_message): if not self.__use_exception_handler: raise self.fail_if_not_authorized(exception_message) code = FirewallError.get_code(str(exception_message)) if code in [ errors.ALREADY_ENABLED, errors.NOT_ENABLED, errors.ZONE_ALREADY_SET, errors.ALREADY_SET ]: self.print_warning("Warning: %s" % exception_message) else: self.print_and_exit("Error: %s" % exception_message, code) def fail_if_not_authorized(self, exception_message): if "NotAuthorizedException" in exception_message: msg = """Authorization failed. 
Make sure polkit agent is running or run the application as superuser.""" self.print_and_exit(msg, errors.NOT_AUTHORIZED) def deactivate_exception_handler(self): self.__use_exception_handler = False def activate_exception_handler(self): self.__use_exception_handler = True def get_ipset_entries_from_file(self, filename): entries = [ ] entries_set = set() f = open(filename) for line in f: if not line: break line = line.strip() if len(line) < 1 or line[0] in ['#', ';']: continue if line not in entries_set: entries.append(line) entries_set.add(line) f.close() return entries config/__init__.py000064400000010771147576556050010154 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2007-2016 Red Hat, Inc. # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # from __future__ import absolute_import # translation import locale try: locale.setlocale(locale.LC_ALL, "") except locale.Error: import os os.environ['LC_ALL'] = 'C' locale.setlocale(locale.LC_ALL, "") DOMAIN = 'firewalld' import gettext gettext.install(domain=DOMAIN) from . import dbus # noqa: F401 # configuration DAEMON_NAME = 'firewalld' CONFIG_NAME = 'firewall-config' APPLET_NAME = 'firewall-applet' DATADIR = '/usr/share/' + DAEMON_NAME CONFIG_GLADE_NAME = CONFIG_NAME + '.glade' COPYRIGHT = '(C) 2010-2017 Red Hat, Inc.' 
VERSION = '0.6.3'
AUTHORS = [
    "Thomas Woerner ",
    "Jiri Popelka ",
    "Eric Garver ",
]
LICENSE = gettext.gettext(
    "This program is free software; you can redistribute it and/or modify "
    "it under the terms of the GNU General Public License as published by "
    "the Free Software Foundation; either version 2 of the License, or "
    "(at your option) any later version.\n"
    "\n"
    "This program is distributed in the hope that it will be useful, "
    "but WITHOUT ANY WARRANTY; without even the implied warranty of "
    "MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the "
    "GNU General Public License for more details.\n"
    "\n"
    "You should have received a copy of the GNU General Public License "
    "along with this program. If not, see .")
WEBSITE = 'http://www.firewalld.org'


def set_system_config_paths(path):
    """Rebase the system (administrator-editable) configuration paths on *path*.

    Rebinds the module globals ETC_FIREWALLD, FIREWALLD_CONF,
    ETC_FIREWALLD_ZONES, ETC_FIREWALLD_SERVICES, ETC_FIREWALLD_ICMPTYPES,
    ETC_FIREWALLD_IPSETS, ETC_FIREWALLD_HELPERS, FIREWALLD_DIRECT and
    LOCKDOWN_WHITELIST. Each value is *path* followed by a fixed suffix via
    plain string concatenation, so a trailing slash in *path* is not
    normalised away.

    Args:
        path: directory holding the system configuration, e.g.
            '/etc/firewalld' (the value applied at import time below).
    """
    global ETC_FIREWALLD, FIREWALLD_CONF, ETC_FIREWALLD_ZONES, \
        ETC_FIREWALLD_SERVICES, ETC_FIREWALLD_ICMPTYPES, \
        ETC_FIREWALLD_IPSETS, ETC_FIREWALLD_HELPERS, \
        FIREWALLD_DIRECT, LOCKDOWN_WHITELIST
    ETC_FIREWALLD = path
    FIREWALLD_CONF = path + '/firewalld.conf'
    ETC_FIREWALLD_ZONES = path + '/zones'
    ETC_FIREWALLD_SERVICES = path + '/services'
    ETC_FIREWALLD_ICMPTYPES = path + '/icmptypes'
    ETC_FIREWALLD_IPSETS = path + '/ipsets'
    ETC_FIREWALLD_HELPERS = path + '/helpers'
    FIREWALLD_DIRECT = path + '/direct.xml'
    LOCKDOWN_WHITELIST = path + '/lockdown-whitelist.xml'


set_system_config_paths('/etc/firewalld')


def set_default_config_paths(path):
    """Rebase the vendor default (read-only) configuration paths on *path*.

    Rebinds the module globals USR_LIB_FIREWALLD, FIREWALLD_ZONES,
    FIREWALLD_SERVICES, FIREWALLD_ICMPTYPES, FIREWALLD_IPSETS and
    FIREWALLD_HELPERS, each *path* plus a fixed suffix by string
    concatenation.

    Args:
        path: directory holding the shipped defaults, e.g.
            '/usr/lib/firewalld' (the value applied at import time below).
    """
    global USR_LIB_FIREWALLD, FIREWALLD_ZONES, FIREWALLD_SERVICES, \
        FIREWALLD_ICMPTYPES, FIREWALLD_IPSETS, FIREWALLD_HELPERS
    USR_LIB_FIREWALLD = path
    FIREWALLD_ZONES = path + '/zones'
    FIREWALLD_SERVICES = path + '/services'
    FIREWALLD_ICMPTYPES = path + '/icmptypes'
    FIREWALLD_IPSETS = path + '/ipsets'
    FIREWALLD_HELPERS = path + '/helpers'


set_default_config_paths('/usr/lib/firewalld')

# runtime state locations
FIREWALLD_LOGFILE = '/var/log/firewalld'
FIREWALLD_PIDFILE = "/var/run/firewalld.pid"
FIREWALLD_TEMPDIR = '/run/firewalld'
SYSCONFIGDIR = '/etc/sysconfig'
IFCFGDIR = \
"/etc/sysconfig/network-scripts" SYSCTL_CONFIG = '/etc/sysctl.conf' # commands used by backends COMMANDS = { "ipv4": "/usr/sbin/iptables", "ipv4-restore": "/usr/sbin/iptables-restore", "ipv6": "/usr/sbin/ip6tables", "ipv6-restore": "/usr/sbin/ip6tables-restore", "eb": "/usr/sbin/ebtables", "eb-restore": "/usr/sbin/ebtables-restore", "ipset": "/usr/sbin/ipset", "modprobe": "/usr/sbin/modprobe", "rmmod": "/usr/sbin/rmmod", "nft": "@NFT@", } LOG_DENIED_VALUES = [ "all", "unicast", "broadcast", "multicast", "off" ] AUTOMATIC_HELPERS_VALUES = [ "yes", "no", "system" ] # fallbacks: will be overloaded by firewalld.conf FALLBACK_ZONE = "public" FALLBACK_MINIMAL_MARK = 100 FALLBACK_CLEANUP_ON_EXIT = True FALLBACK_LOCKDOWN = False FALLBACK_IPV6_RPFILTER = True FALLBACK_INDIVIDUAL_CALLS = False FALLBACK_LOG_DENIED = "off" FALLBACK_AUTOMATIC_HELPERS = "system" FALLBACK_FIREWALL_BACKEND = "iptables" FALLBACK_ALLOW_ZONE_DRIFTING = True config/dbus.pyo000064400000003120147576556050007517 0ustar00 c`c@s2dZdZdeZedZedZedZedZedZedZedZ ed Z edZ edZ edZ ed Zd eZed Zed ZedZedZedZedZdeZedZedZedZedZedZedZedZedZdS(ii sorg.fedoraproject.FirewallD%ds.zones.directs .policiess.ipsets.configs.services .icmptypes.helpers/org/fedoraproject/FirewallD%ds/configs/config/icmptypes/config/services /config/zones /config/ipsets/config/helpers.infos.allN(tDBUS_INTERFACE_VERSIONtDBUS_INTERFACE_REVISIONtDBUS_INTERFACEtDBUS_INTERFACE_ZONEtDBUS_INTERFACE_DIRECTtDBUS_INTERFACE_POLICIEStDBUS_INTERFACE_IPSETtDBUS_INTERFACE_CONFIGtDBUS_INTERFACE_CONFIG_ZONEtDBUS_INTERFACE_CONFIG_SERVICEtDBUS_INTERFACE_CONFIG_ICMPTYPEtDBUS_INTERFACE_CONFIG_POLICIEStDBUS_INTERFACE_CONFIG_DIRECTtDBUS_INTERFACE_CONFIG_IPSETtDBUS_INTERFACE_CONFIG_HELPERt DBUS_PATHtDBUS_PATH_CONFIGtDBUS_PATH_CONFIG_ICMPTYPEtDBUS_PATH_CONFIG_SERVICEtDBUS_PATH_CONFIG_ZONEtDBUS_PATH_CONFIG_IPSETtDBUS_PATH_CONFIG_HELPERt 
_PK_ACTIONtPK_ACTION_POLICIEStPK_ACTION_POLICIES_INFOtPK_ACTION_CONFIGtPK_ACTION_CONFIG_INFOtPK_ACTION_DIRECTtPK_ACTION_DIRECT_INFOtPK_ACTION_INFOt PK_ACTION_ALL(((s8/usr/lib/python2.7/site-packages/firewall/config/dbus.pyts<                            config/__init__.pyc000064400000010061147576556050010307 0ustar00 c`c@@sddlmZddlZyejejdWn@ejk ruddlZdejdi(tabsolute_importNttCtLC_ALLt firewalldtdomaini(tdbussfirewall-configsfirewall-applets /usr/share/s.glades(C) 2010-2017 Red Hat, Inc.s0.6.3s$Thomas Woerner s"Jiri Popelka sEric Garver scThis program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. 
If not, see .shttp://www.firewalld.orgcC@sZ|a|da|da|da|da|da|da|da|dadS( Ns/firewalld.confs/zoness /servicess /icmptypess/ipsetss/helperss /direct.xmls/lockdown-whitelist.xml( t ETC_FIREWALLDtFIREWALLD_CONFtETC_FIREWALLD_ZONEStETC_FIREWALLD_SERVICEStETC_FIREWALLD_ICMPTYPEStETC_FIREWALLD_IPSETStETC_FIREWALLD_HELPERStFIREWALLD_DIRECTtLOCKDOWN_WHITELIST(tpath((s</usr/lib/python2.7/site-packages/firewall/config/__init__.pytset_system_config_pathsBs       s/etc/firewalldcC@s<|a|da|da|da|da|dadS(Ns/zoness /servicess /icmptypess/ipsetss/helpers(tUSR_LIB_FIREWALLDtFIREWALLD_ZONEStFIREWALLD_SERVICEStFIREWALLD_ICMPTYPEStFIREWALLD_IPSETStFIREWALLD_HELPERS(R((s</usr/lib/python2.7/site-packages/firewall/config/__init__.pytset_default_config_pathsRs     s/usr/lib/firewallds/var/log/firewallds/var/run/firewalld.pids/run/firewallds/etc/sysconfigs/etc/sysconfig/network-scriptss/etc/sysctl.confs/usr/sbin/iptablestipv4s/usr/sbin/iptables-restores ipv4-restores/usr/sbin/ip6tablestipv6s/usr/sbin/ip6tables-restores ipv6-restores/usr/sbin/ebtablestebs/usr/sbin/ebtables-restores eb-restores/usr/sbin/ipsettipsets/usr/sbin/modprobetmodprobes/usr/sbin/rmmodtrmmods@NFT@tnfttalltunicastt broadcastt multicasttofftyestnotsystemtpublicidtiptables(.t __future__Rtlocalet setlocaleRtErrortostenvirontDOMAINtgettexttinstallRRt DAEMON_NAMEt CONFIG_NAMEt APPLET_NAMEtDATADIRtCONFIG_GLADE_NAMEt COPYRIGHTtVERSIONtAUTHORStLICENSEtWEBSITERRtFIREWALLD_LOGFILEtFIREWALLD_PIDFILEtFIREWALLD_TEMPDIRt SYSCONFIGDIRtIFCFGDIRt SYSCTL_CONFIGtCOMMANDStLOG_DENIED_VALUEStAUTOMATIC_HELPERS_VALUESt FALLBACK_ZONEtFALLBACK_MINIMAL_MARKtTruetFALLBACK_CLEANUP_ON_EXITtFalsetFALLBACK_LOCKDOWNtFALLBACK_IPV6_RPFILTERtFALLBACK_INDIVIDUAL_CALLStFALLBACK_LOG_DENIEDtFALLBACK_AUTOMATIC_HELPERStFALLBACK_FIREWALL_BACKENDtFALLBACK_ALLOW_ZONE_DRIFTING(((s</usr/lib/python2.7/site-packages/firewall/config/__init__.pytsr            config/dbus.pyc000064400000003120147576556050007503 0ustar00 c`c@s2dZdZdeZedZedZedZedZedZedZedZ ed Z edZ edZ edZ 
ed Zd eZed Zed ZedZedZedZedZdeZedZedZedZedZedZedZedZedZdS(ii sorg.fedoraproject.FirewallD%ds.zones.directs .policiess.ipsets.configs.services .icmptypes.helpers/org/fedoraproject/FirewallD%ds/configs/config/icmptypes/config/services /config/zones /config/ipsets/config/helpers.infos.allN(tDBUS_INTERFACE_VERSIONtDBUS_INTERFACE_REVISIONtDBUS_INTERFACEtDBUS_INTERFACE_ZONEtDBUS_INTERFACE_DIRECTtDBUS_INTERFACE_POLICIEStDBUS_INTERFACE_IPSETtDBUS_INTERFACE_CONFIGtDBUS_INTERFACE_CONFIG_ZONEtDBUS_INTERFACE_CONFIG_SERVICEtDBUS_INTERFACE_CONFIG_ICMPTYPEtDBUS_INTERFACE_CONFIG_POLICIEStDBUS_INTERFACE_CONFIG_DIRECTtDBUS_INTERFACE_CONFIG_IPSETtDBUS_INTERFACE_CONFIG_HELPERt DBUS_PATHtDBUS_PATH_CONFIGtDBUS_PATH_CONFIG_ICMPTYPEtDBUS_PATH_CONFIG_SERVICEtDBUS_PATH_CONFIG_ZONEtDBUS_PATH_CONFIG_IPSETtDBUS_PATH_CONFIG_HELPERt _PK_ACTIONtPK_ACTION_POLICIEStPK_ACTION_POLICIES_INFOtPK_ACTION_CONFIGtPK_ACTION_CONFIG_INFOtPK_ACTION_DIRECTtPK_ACTION_DIRECT_INFOtPK_ACTION_INFOt PK_ACTION_ALL(((s8/usr/lib/python2.7/site-packages/firewall/config/dbus.pyts<                            config/dbus.py000064400000004554147576556050007354 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2011,2016 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
# DBUS_INTERFACE_VERSION = 1 DBUS_INTERFACE_REVISION = 12 DBUS_INTERFACE = "org.fedoraproject.FirewallD%d" % DBUS_INTERFACE_VERSION DBUS_INTERFACE_ZONE = DBUS_INTERFACE+".zone" DBUS_INTERFACE_DIRECT = DBUS_INTERFACE+".direct" DBUS_INTERFACE_POLICIES = DBUS_INTERFACE+".policies" DBUS_INTERFACE_IPSET = DBUS_INTERFACE+".ipset" DBUS_INTERFACE_CONFIG = DBUS_INTERFACE+".config" DBUS_INTERFACE_CONFIG_ZONE = DBUS_INTERFACE_CONFIG+".zone" DBUS_INTERFACE_CONFIG_SERVICE = DBUS_INTERFACE_CONFIG+".service" DBUS_INTERFACE_CONFIG_ICMPTYPE = DBUS_INTERFACE_CONFIG+".icmptype" DBUS_INTERFACE_CONFIG_POLICIES = DBUS_INTERFACE_CONFIG+".policies" DBUS_INTERFACE_CONFIG_DIRECT = DBUS_INTERFACE_CONFIG+".direct" DBUS_INTERFACE_CONFIG_IPSET = DBUS_INTERFACE_CONFIG+".ipset" DBUS_INTERFACE_CONFIG_HELPER = DBUS_INTERFACE_CONFIG+".helper" DBUS_PATH = "/org/fedoraproject/FirewallD%d" % DBUS_INTERFACE_VERSION DBUS_PATH_CONFIG = DBUS_PATH+"/config" DBUS_PATH_CONFIG_ICMPTYPE = DBUS_PATH+"/config/icmptype" DBUS_PATH_CONFIG_SERVICE = DBUS_PATH+"/config/service" DBUS_PATH_CONFIG_ZONE = DBUS_PATH+"/config/zone" DBUS_PATH_CONFIG_IPSET = DBUS_PATH+"/config/ipset" DBUS_PATH_CONFIG_HELPER = DBUS_PATH+"/config/helper" # Polkit actions _PK_ACTION = "org.fedoraproject.FirewallD%d" % DBUS_INTERFACE_VERSION PK_ACTION_POLICIES = _PK_ACTION+".policies" PK_ACTION_POLICIES_INFO = PK_ACTION_POLICIES+".info" PK_ACTION_CONFIG = _PK_ACTION+".config" PK_ACTION_CONFIG_INFO = PK_ACTION_CONFIG+".info" PK_ACTION_DIRECT = _PK_ACTION+".direct" PK_ACTION_DIRECT_INFO = PK_ACTION_DIRECT+".info" PK_ACTION_INFO = _PK_ACTION+".info" PK_ACTION_ALL = _PK_ACTION+".all" # implies all other actions config/__init__.pyo000064400000010061147576556050010323 0ustar00 c`c@@sddlmZddlZyejejdWn@ejk ruddlZdejdi(tabsolute_importNttCtLC_ALLt firewalldtdomaini(tdbussfirewall-configsfirewall-applets /usr/share/s.glades(C) 2010-2017 Red Hat, Inc.s0.6.3s$Thomas Woerner s"Jiri Popelka sEric Garver scThis program is free software; you can redistribute it 
and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program. If not, see .shttp://www.firewalld.orgcC@sZ|a|da|da|da|da|da|da|da|dadS( Ns/firewalld.confs/zoness /servicess /icmptypess/ipsetss/helperss /direct.xmls/lockdown-whitelist.xml( t ETC_FIREWALLDtFIREWALLD_CONFtETC_FIREWALLD_ZONEStETC_FIREWALLD_SERVICEStETC_FIREWALLD_ICMPTYPEStETC_FIREWALLD_IPSETStETC_FIREWALLD_HELPERStFIREWALLD_DIRECTtLOCKDOWN_WHITELIST(tpath((s</usr/lib/python2.7/site-packages/firewall/config/__init__.pytset_system_config_pathsBs       s/etc/firewalldcC@s<|a|da|da|da|da|dadS(Ns/zoness /servicess /icmptypess/ipsetss/helpers(tUSR_LIB_FIREWALLDtFIREWALLD_ZONEStFIREWALLD_SERVICEStFIREWALLD_ICMPTYPEStFIREWALLD_IPSETStFIREWALLD_HELPERS(R((s</usr/lib/python2.7/site-packages/firewall/config/__init__.pytset_default_config_pathsRs     s/usr/lib/firewallds/var/log/firewallds/var/run/firewalld.pids/run/firewallds/etc/sysconfigs/etc/sysconfig/network-scriptss/etc/sysctl.confs/usr/sbin/iptablestipv4s/usr/sbin/iptables-restores ipv4-restores/usr/sbin/ip6tablestipv6s/usr/sbin/ip6tables-restores ipv6-restores/usr/sbin/ebtablestebs/usr/sbin/ebtables-restores eb-restores/usr/sbin/ipsettipsets/usr/sbin/modprobetmodprobes/usr/sbin/rmmodtrmmods@NFT@tnfttalltunicastt broadcastt multicasttofftyestnotsystemtpublicidtiptables(.t __future__Rtlocalet setlocaleRtErrortostenvirontDOMAINtgettexttinstallRRt DAEMON_NAMEt CONFIG_NAMEt APPLET_NAMEtDATADIRtCONFIG_GLADE_NAMEt COPYRIGHTtVERSIONtAUTHORStLICENSEtWEBSITERRtFIREWALLD_LOGFILEtFIREWALLD_PIDFILEtFIREWALLD_TEMPDIRt 
SYSCONFIGDIRtIFCFGDIRt SYSCTL_CONFIGtCOMMANDStLOG_DENIED_VALUEStAUTOMATIC_HELPERS_VALUESt FALLBACK_ZONEtFALLBACK_MINIMAL_MARKtTruetFALLBACK_CLEANUP_ON_EXITtFalsetFALLBACK_LOCKDOWNtFALLBACK_IPV6_RPFILTERtFALLBACK_INDIVIDUAL_CALLStFALLBACK_LOG_DENIEDtFALLBACK_AUTOMATIC_HELPERStFALLBACK_FIREWALL_BACKENDtFALLBACK_ALLOW_ZONE_DRIFTING(((s</usr/lib/python2.7/site-packages/firewall/config/__init__.pytsr            client.pyo000064400000412604147576556050006606 0ustar00 c`c@s^ddlmZmZddlZeejded7Z?ed8Z@ed9ZAed:ZBed;ZCed<ZDed=ZEed>ZFed?ZGed@ZHRS(BcCsO|r||_n9dddttgggtggggggtg|_dS(Nt(tsettingsR R(tselfR#((s3/usr/lib/python2.7/site-packages/firewall/client.pyt__init__Vs cCsd|j|jfS(Ns%s(%r)(t __class__R#(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyt__repr__^scCs |jdS(Ni(R#(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyt getVersionbscCs||jdR?R@RBRERFRGRHRJRKRLRMRNRORPRQRRRSRURWRXRYRZR\tslipR tpolkitt enable_proxyR]R^R_R`RbRcRdReRfRgRkRlRmRnRpRrRsRtRuRwRyRzR{R|RRRR(((s3/usr/lib/python2.7/site-packages/firewall/client.pyR!Us        tFirewallClientConfigZonecBsceZdZejjjedZejjjedZ ejjjedZ ejjjedZ ejjjedZ ejjjedZ ejjjedZejjjedZejjjed Zejjjed Zejjjed Zejjjed Zejjjed ZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZ ejjjedZ!ejjjedZ"ejjjedZ#ejjjedZ$ejjjedZ%ejjjedZ&ejjjed Z'ejjjed!Z(ejjjed"Z)ejjjed#Z*ejjjed$Z+ejjjed%Z,ejjjed&Z-ejjjed'Z.ejjjed(Z/ejjjed)Z0ejjjed*Z1ejjjed+Z2ejjjed,Z3ejjjed-Z4ejjjed.Z5ejjjed/Z6ejjjed0Z7ejjjed1Z8ejjjed2Z9ejjjed3Z:ejjjed4Z;ejjjed5Z<ejjjed6Z=ejjjed7Z>ejjjed8Z?ejjjed9Z@ejjjed:ZAejjjed;ZBejjjed<ZCejjjed=ZDejjjed>ZEejjjed?ZFejjjed@ZGejjjedAZHejjjedBZIejjjedCZJejjjedDZKejjjedEZLejjjedFZMejjjedGZNRS(HcCsp||_||_|jjtjj||_tj|jdtjj|_ tj|jdd|_ dS(Ntdbus_interfacesorg.freedesktop.DBus.Properties( tbustpatht get_objectRR tDBUS_INTERFACEtdbus_objt InterfacetDBUS_INTERFACE_CONFIG_ZONEtfw_zonet fw_properties(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR%s   cCst|jjtjj|S(N(RRtGetRR 
R(R$tprop((s3/usr/lib/python2.7/site-packages/firewall/client.pyt get_propertys cCst|jjtjjS(N(RRtGetAllRR R(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pytget_propertiess cCs |jjtjj||dS(N(RtSetRR R(R$Rtvalue((s3/usr/lib/python2.7/site-packages/firewall/client.pyt set_propertyscCsttt|jjS(N(R!tlistRRt getSettings(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRs cCs|jjt|jdS(N(RtupdatettupleR#(R$R#((s3/usr/lib/python2.7/site-packages/firewall/client.pyRscCs|jjdS(N(Rt loadDefaults(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRscCs|jjdS(N(RR<(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR<scCs|jj|dS(N(Rtrename(R$tname((s3/usr/lib/python2.7/site-packages/firewall/client.pyRscCs |jjS(N(RR((R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR(scCs|jj|dS(N(RR*(R$R)((s3/usr/lib/python2.7/site-packages/firewall/client.pyR*scCs |jjS(N(RR+(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR+scCs|jj|dS(N(RR-(R$R,((s3/usr/lib/python2.7/site-packages/firewall/client.pyR-scCs |jjS(N(RR.(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR.scCs|jj|dS(N(RR0(R$R/((s3/usr/lib/python2.7/site-packages/firewall/client.pyR0scCs |jjS(N(RR2(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR2scCs|jj|dS(N(RR4(R$R3((s3/usr/lib/python2.7/site-packages/firewall/client.pyR4scCs |jjS(N(RR5(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR5scCs|jj|dS(N(RR7(R$R6((s3/usr/lib/python2.7/site-packages/firewall/client.pyR7scCs|jj|dS(N(RR;(R$R:((s3/usr/lib/python2.7/site-packages/firewall/client.pyR;scCs|jj|dS(N(RR>(R$R:((s3/usr/lib/python2.7/site-packages/firewall/client.pyR> scCs|jj|S(N(RR?(R$R:((s3/usr/lib/python2.7/site-packages/firewall/client.pyR?scCs 
|jjS(N(RR@(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR@scCs|jj|dS(N(RRB(R$RA((s3/usr/lib/python2.7/site-packages/firewall/client.pyRBscCs|jj||dS(N(RRE(R$RCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRE!scCs|jj||dS(N(RRF(R$RCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRF&scCs|jj||S(N(RRG(R$RCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRG+scCs |jjS(N(RRH(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRH2scCs|jj|dS(N(RRJ(R$RI((s3/usr/lib/python2.7/site-packages/firewall/client.pyRJ7scCs|jj|dS(N(RRK(R$RD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRK<scCs|jj|dS(N(RRL(R$RD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRLAscCs|jj|S(N(RRM(R$RD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRMFscCs |jjS(N(RRN(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRNMscCs|jj|dS(N(RRO(R$RA((s3/usr/lib/python2.7/site-packages/firewall/client.pyRORscCs|jj||dS(N(RRP(R$RCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRPWscCs|jj||dS(N(RRQ(R$RCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRQ\scCs|jj||S(N(RRR(R$RCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRRascCs |jjS(N(RRS(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRShscCs|jj|dS(N(RRU(R$t icmptypes((s3/usr/lib/python2.7/site-packages/firewall/client.pyRUmscCs|jj|dS(N(RRW(R$RV((s3/usr/lib/python2.7/site-packages/firewall/client.pyRWrscCs|jj|dS(N(RRX(R$RV((s3/usr/lib/python2.7/site-packages/firewall/client.pyRXwscCs|jj|S(N(RRY(R$RV((s3/usr/lib/python2.7/site-packages/firewall/client.pyRY|scCs |jjS(N(RRZ(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRZscCs|jj|dS(N(RR\(R$t inversion((s3/usr/lib/python2.7/site-packages/firewall/client.pyR\scCs|jjdS(N(RR](R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR]scCs|jjdS(N(RR^(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR^scCs |jjS(N(RR_(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR_scCs 
|jjS(N(RR`(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR`scCs|jj|dS(N(RRb(R$Ra((s3/usr/lib/python2.7/site-packages/firewall/client.pyRbscCs|jjdS(N(RRc(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRcscCs|jjdS(N(RRd(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRdscCs |jjS(N(RRe(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRescCs |jjS(N(RRf(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRfscCs|jj|dS(N(RRg(R$RA((s3/usr/lib/python2.7/site-packages/firewall/client.pyRgscCsG|dkrd}n|dkr*d}n|jj||||dS(NR"(RhRRk(R$RCRDttoportttoaddr((s3/usr/lib/python2.7/site-packages/firewall/client.pyRks     cCsG|dkrd}n|dkr*d}n|jj||||dS(NR"(RhRRl(R$RCRDRR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRls     cCsC|dkrd}n|dkr*d}n|jj||||S(NR"(RhRRm(R$RCRDRR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRms     cCs |jjS(N(RRn(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRnscCs|jj|dS(N(RRp(R$Ro((s3/usr/lib/python2.7/site-packages/firewall/client.pyRpscCs|jj|dS(N(RRr(R$Rq((s3/usr/lib/python2.7/site-packages/firewall/client.pyRrscCs|jj|dS(N(RRs(R$Rq((s3/usr/lib/python2.7/site-packages/firewall/client.pyRsscCs|jj|S(N(RRt(R$Rq((s3/usr/lib/python2.7/site-packages/firewall/client.pyRtscCs |jjS(N(RRu(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRuscCs|jj|dS(N(RRw(R$Rv((s3/usr/lib/python2.7/site-packages/firewall/client.pyRwscCs|jj|dS(N(RRy(R$Rx((s3/usr/lib/python2.7/site-packages/firewall/client.pyRyscCs|jj|dS(N(RRz(R$Rx((s3/usr/lib/python2.7/site-packages/firewall/client.pyRz scCs|jj|S(N(RR{(R$Rx((s3/usr/lib/python2.7/site-packages/firewall/client.pyR{scCs |jjS(N(RR|(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR|scCs|jj|dS(N(RR(R$R~((s3/usr/lib/python2.7/site-packages/firewall/client.pyRscCs|jj|dS(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR 
scCs|jj|dS(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR%scCs|jj|S(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR*s(ORRR%RR RRR RRRRRRR<RR(R*R+R-R.R0R2R4R5R7R;R>R?R@RBRERFRGRHRJRKRLRMRNRORPRQRRRSRURWRXRYRZR\R]R^R_R`RbRcRdReRfRgRkRlRmRnRpRrRsRtRuRwRyRzR{R|RRRR(((s3/usr/lib/python2.7/site-packages/firewall/client.pyRs                                                                       tFirewallClientServiceSettingscBseZed!dZedZedZedZedZedZ edZ edZ edZ ed Z ed Zed Zed Zed ZedZedZedZedZedZedZedZedZedZedZedZedZedZedZedZ edZ!edZ"ed!dZ#ed Z$RS("cCs7|r||_n!dddggiggg|_dS(NR"(R#(R$R#((s3/usr/lib/python2.7/site-packages/firewall/client.pyR%3s cCsd|j|jfS(Ns%s(%r)(R&R#(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR':scCs |jdS(Ni(R#(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR(>scCs||jd||jd|||jd|scCst|j|S(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pytgetIPSetscCs(t|jj|}t|j|S(N(RR:tgetIPSetByNameRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR@scCs[t|tr0|jj|t|j}n|jj|t|}t|j|S(N(t isinstanceRR:taddIPSetRR#RR(R$RR#R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRB s!cCst|jjS(N(RR:t getZoneNames(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRC scCst|jjS(N(RR:t listZones(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRD scCst|j|S(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pytgetZone scCs(t|jj|}t|j|S(N(RR:t getZoneByNameRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRF scCst|jj|S(N(RR:tgetZoneOfInterface(R$tiface((s3/usr/lib/python2.7/site-packages/firewall/client.pyRG$ scCst|jj|S(N(RR:tgetZoneOfSource(R$Rx((s3/usr/lib/python2.7/site-packages/firewall/client.pyRI) scCs[t|tr0|jj|t|j}n|jj|t|}t|j|S(N(RAR!R:taddZoneRR#RR(R$RR#R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRJ. 
s!cCst|jjS(N(RR:tgetServiceNames(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRK9 scCst|jjS(N(RR:t listServices(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRL> scCst|j|S(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyt getServiceC scCs(t|jj|}t|j|S(N(RR:tgetServiceByNameRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRNH scCs[t|tr0|jj|t|j}n|jj|t|}t|j|S(N(RARR:R;RR#RR(R$RR#R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR;N s!cCst|jjS(N(RR:tgetIcmpTypeNames(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyROY scCst|jjS(N(RR:t listIcmpTypes(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRP^ scCst|j|S(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyt getIcmpTypec scCs(t|jj|}t|j|S(N(RR:tgetIcmpTypeByNameRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRRh scCs[t|tr0|jj|t|j}n|jj|t|}t|j|S(N(RARR:t addIcmpTypeRR#RR(R$RR#R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRSn s!cCs|jS(N(R;(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pytpoliciesw scCs|jS(N(R<(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pytdirect| scCst|jjS(N(RR:tgetHelperNames(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRV scCst|jjS(N(RR:t listHelpers(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRW scCst|j|S(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyt getHelper scCs(t|jj|}t|j|S(N(RR:tgetHelperByNameRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRY scCs[t|tr0|jj|t|j}n|jj|t|}t|j|S(N(RARR:t addHelperRR#RR(R$RR#R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRZ s!((RRR R%RR RRRRRR=R>R?R@RBRCRDRERFRGRIRJRKRLRMRNR;RORPRQRRRSRTRURVRWRXRYRZ(((s3/usr/lib/python2.7/site-packages/firewall/client.pyR8s                                tFirewallClientcBseZeddedZedZedZedZedZ edZ edZ edZ ed Z ed Zed Zejjjed Zejjjed ZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZejjjedZ 
ejjjedZ!ejjjedZ"ejjjedZ#ejjjedZ$ejjjedZ%ejjjedZ&ejjjedZ'ejjjed Z(ejjjed!Z)ejjjed"Z*ejjjed#Z+ejjjed$Z,ejjjed%Z-ejjjed&Z.ejjjed'Z/ejjjed(Z0ejjjed)Z1ejjjed*Z2ejjjed+Z3ejjjed,Z4ejjjed-Z5ejjjed.Z6ejjjed/Z7ejjjed0Z8ejjjed1Z9ejjjed2Z:ejjjed3Z;ejjjed4Z<ejjjed5Z=ejjjed6Z>ejjjed7Z?ejjjed8Z@ejjjed9ZAejjjed:ZBejjjedd;ZCejjjed<ZDejjjed=ZEejjjed>ZFejjjedd?ZGejjjed@ZHejjjedAZIejjjedBZJejjjeddCZKejjjedDZLejjjedEZMejjjedFZNejjjeddGZOejjjedHZPejjjedIZQejjjedJZRejjjeddKZSejjjedLZTejjjedMZUejjjeddNZVejjjedOZWejjjedPZXejjjedQZYejjjeddRZZejjjedSZ[ejjjedTZ\ejjjedUZ]ejjjeddVZ^ejjjedWZ_ejjjedXZ`ejjjedYZaejjjedZZbejjjed[Zcejjjed\Zdejjjed]Zeejjjed^Zfejjjed_Zgejjjed`ZhejjjedaZiejjjedbZjejjjedcZkejjjeddZlejjjedeZmejjjedfZnejjjedgZoejjjedhZpejjjediZqejjjedjZrejjjedkZsejjjedlZtejjjedmZuejjjednZvejjjedoZwejjjedpZxejjjedqZyejjjedrZzejjjedsZ{ejjjedtZ|ejjjeduZ}ejjjedvZ~ejjjedwZejjjedxZejjjedyZejjjedzZejjjed{Zejjjed|Zejjjed}Zejjjed~ZejjjedZejjjedZejjjedZejjjedZRS(ic Cs|stjjjdty"tjj|_d|j_ Wqt k rytj|_Wn1tj j k r}t tj|jqXdGHqXn ||_|jjd|jdddddtjjxtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjjtjj g D]1}|jj|j!d|d d d d d dqTWi|_"iIdd6dd6dd6dd6dd6dd6dd6dd6dd6dd6d d!6d"d#6d$d%6d&d'6d(d)6d*d+6d,d-6d.d/6d0d16d2d36d4d56d6d76d8d96d:d;6d<d=6d>d?6d@dA6dBdC6dDdE6dDdF6dGdH6dIdJ6dKdL6dMdN6dOdP6dQdR6dSdT6dUdV6dWdX6dYdZ6d[d\6d]d^6d_d`6dadb6dcdd6dedf6dgdh6didj6dkdl6dmdn6dodp6dqdr6dsdt6dudv6dwdx6dydz6d{d|6d}d~6dd6dd6dd6dd6dd6dd6dd6dd6dd6dd6dd6dd6dd6dd6dd6|_#|j$||_%|dkrt&j'||j(n |j(dS(Ntset_as_defaultsNot using slip.dbusthandler_functiont signal_nametNameOwnerChangedRsorg.freedesktop.DBustarg0tinterface_keywordRqtmember_keywordtmembert path_keywordRsconnection-changedsconnection-establishedsconnection-losttLogDeniedChangedslog-denied-changedtDefaultZoneChangedsdefault-zone-changedtPanicModeEnabledspanic-mode-enabledtPanicModeDisabledspanic-mode-disabledtReloadedtreloadedt ServiceAddeds service-addedtServiceRemovedsservice-removedt PortAddeds port-addedt PortRemoveds 
port-removedtSourcePortAddedssource-port-addedtSourcePortRemovedssource-port-removedt ProtocolAddedsprotocol-addedtProtocolRemovedsprotocol-removedtMasqueradeAddedsmasquerade-addedtMasqueradeRemovedsmasquerade-removedtForwardPortAddedsforward-port-addedtForwardPortRemovedsforward-port-removedtIcmpBlockAddedsicmp-block-addedtIcmpBlockRemovedsicmp-block-removedtIcmpBlockInversionAddedsicmp-block-inversion-addedtIcmpBlockInversionRemovedsicmp-block-inversion-removedt RichRuleAddedsrichrule-addedtRichRuleRemovedsrichrule-removedtInterfaceAddedsinterface-addedtInterfaceRemovedsinterface-removedtZoneOfInterfaceChangeds zone-changedszone-of-interface-changedt SourceAddeds source-addedt SourceRemovedssource-removedtZoneOfSourceChangedszone-of-source-changedt EntryAddedsipset-entry-addedt EntryRemovedsipset-entry-removedt ChainAddedsdirect:chain-addedt ChainRemovedsdirect:chain-removedt RuleAddedsdirect:rule-addedt RuleRemovedsdirect:rule-removedtPassthroughAddedsdirect:passthrough-addedtPassthroughRemovedsdirect:passthrough-removedsconfig:direct:Updatedsconfig:direct:updatedtLockdownEnabledslockdown-enabledtLockdownDisabledslockdown-disabledtLockdownWhitelistCommandAddeds lockdown-whitelist-command-addedtLockdownWhitelistCommandRemoveds"lockdown-whitelist-command-removedtLockdownWhitelistContextAddeds 
lockdown-whitelist-context-addedtLockdownWhitelistContextRemoveds"lockdown-whitelist-context-removedtLockdownWhitelistUidAddedslockdown-whitelist-uid-addedtLockdownWhitelistUidRemovedslockdown-whitelist-uid-removedtLockdownWhitelistUserAddedslockdown-whitelist-user-addedtLockdownWhitelistUserRemovedslockdown-whitelist-user-removeds(config:policies:LockdownWhitelistUpdateds*config:policies:lockdown-whitelist-updatedsconfig:IPSetAddedsconfig:ipset-addedsconfig:IPSetUpdatedsconfig:ipset-updatedsconfig:IPSetRemovedsconfig:ipset-removedsconfig:IPSetRenamedsconfig:ipset-renamedsconfig:ZoneAddedsconfig:zone-addedsconfig:ZoneUpdatedsconfig:zone-updatedsconfig:ZoneRemovedsconfig:zone-removedsconfig:ZoneRenamedsconfig:zone-renamedsconfig:ServiceAddedsconfig:service-addedsconfig:ServiceUpdatedsconfig:service-updatedsconfig:ServiceRemovedsconfig:service-removedsconfig:ServiceRenamedsconfig:service-renamedsconfig:IcmpTypeAddedsconfig:icmptype-addedsconfig:IcmpTypeUpdatedsconfig:icmptype-updatedsconfig:IcmpTypeRemovedsconfig:icmptype-removedsconfig:IcmpTypeRenamedsconfig:icmptype-renamedsconfig:HelperAddedsconfig:helper-addedsconfig:HelperUpdatedsconfig:helper-updatedsconfig:HelperRemovedsconfig:helper-removedsconfig:HelperRenamedsconfig:helper-renamedi()R tmainlooptglibt DBusGMainLoopRRt SystemBusRRhtdefault_timeoutRRRR R t DBUS_ERRORRtadd_signal_receivert_dbus_connection_changedRRtDBUS_INTERFACE_IPSETtDBUS_INTERFACE_ZONEtDBUS_INTERFACE_DIRECTtDBUS_INTERFACE_POLICIESR9RRRRR6RRt_signal_receivert _callbackt _callbackst _init_varstquietRttimeout_add_secondst_connection_established(R$RtwaitRRRq((s3/usr/lib/python2.7/site-packages/firewall/client.pyR% s                         cCsLd|_d|_d|_d|_d|_d|_d|_t|_ dS(N( RhtfwRRRR7Rt_configR t connected(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR. 
s       cCstS(N(R(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pytgetExceptionHandler9 scCs |adS(N(R(R$thandler((s3/usr/lib/python2.7/site-packages/firewall/client.pytsetExceptionHandler= scCstS(N(R(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pytgetNotAuthorizedLoopB scCs |adS(N(R(R$tenable((s3/usr/lib/python2.7/site-packages/firewall/client.pytsetNotAuthorizedLoopF scGs@||jkr,||f|j|j|      cCsF|j|jdddtjj|jdddtjjdS(NRcsconnection-lostRqsconnection-changed(RRRR R(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR s   c Osd|ksd|krdS|d}|d}|jtjjrRd|}n|jtjjrtd|}n|jtjjrd|}n|jtjjrd|}n|jtjjrd|}n]|tjjkrd|}n>|tjj krd |}n|tjj kr7d |}nd}xQ|j D]F}|j ||krG|j ||j krG|j |j |}qGqGW|dkrdSg|D]}t|^q}y0|d r|j|d n|d |Wntk r } | GHnXdS( NRcRqs config:Zones config:IPSetsconfig:Servicesconfig:IcmpTypes config:Helpersconfig:sconfig:policies:sconfig:direct:ii(t startswithRR RRRRRR9RR6RhRRRtextendR( R$RRtsignalRqtcbRtargtcb_argstmsg((s3/usr/lib/python2.7/site-packages/firewall/client.pyR sD            cCs|jS(N(R(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jjdS(N(Rtreload(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jjdS(N(RtcompleteReload(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pytcomplete_reload scCs|jjdS(N(RtruntimeToPermanent(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jjdS(N(RtcheckPermanentConfig(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jjtjj|S(N(RRRRR R(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR s cCst|jjtjjS(N(RRRRR R(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR s cCs |jjtjj||dS(N(RRRR R(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jjdS(N(RtenablePanicMode(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jjdS(N(RtdisablePanicMode(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jjS(N(RRtqueryPanicMode(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR 
scCs"ttt|jj|S(N(R!RRRtgetZoneSettings(R$tzone((s3/usr/lib/python2.7/site-packages/firewall/client.pyR s cCst|jjS(N(RRt getIPSets(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs"ttt|jj|S(N(RRRRtgetIPSetSettings(R$tipset((s3/usr/lib/python2.7/site-packages/firewall/client.pyR s cCs|jj||dS(N(RR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jj|S(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jj||S(N(RR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jj||dS(N(RR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj||S(N(RRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jjS(N(RRRL(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRL scCs"ttt|jj|S(N(RRRRtgetServiceSettings(R$R:((s3/usr/lib/python2.7/site-packages/firewall/client.pyR# s cCst|jjS(N(RRRP(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRP) scCs"ttt|jj|S(N(RRRRtgetIcmpTypeSettings(R$RV((s3/usr/lib/python2.7/site-packages/firewall/client.pyR. 
s cCst|jjS(N(RRt getHelpers(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR4 scCs"ttt|jj|S(N(RRRRtgetHelperSettings(R$thelper((s3/usr/lib/python2.7/site-packages/firewall/client.pyR9 s cCst|jjS(N(RRtgetAutomaticHelpers(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRA scCs|jj|dS(N(RtsetAutomaticHelpers(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRF scCst|jjS(N(RRt getLogDenied(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRM scCs|jj|dS(N(Rt setLogDenied(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRR scCst|jjS(N(RRtgetDefaultZone(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRY scCs|jj|dS(N(RtsetDefaultZone(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR^ scCst|jjS(N(RRtgetZones(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRe scCst|jjS(N(RRtgetActiveZones(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRj scCst|jj|S(N(RRRG(R$Rq((s3/usr/lib/python2.7/site-packages/firewall/client.pyRGo scCst|jj|S(N(RRRI(R$Rx((s3/usr/lib/python2.7/site-packages/firewall/client.pyRIt scCst|jj|S(N(RRt isImmutable(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRy scCst|jj||S(N(RRRr(R$RRq((s3/usr/lib/python2.7/site-packages/firewall/client.pyRr scCst|jj||S(N(RRt changeZone(R$RRq((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj||S(N(RRtchangeZoneOfInterface(R$RRq((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj|S(N(RRRn(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRn scCst|jj||S(N(RRRt(R$RRq((s3/usr/lib/python2.7/site-packages/firewall/client.pyRt scCst|jj||S(N(RRRs(R$RRq((s3/usr/lib/python2.7/site-packages/firewall/client.pyRs scCst|jj||S(N(RRRy(R$RRx((s3/usr/lib/python2.7/site-packages/firewall/client.pyRy scCst|jj||S(N(RRtchangeZoneOfSource(R$RRx((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj|S(N(RRRu(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRu 
scCst|jj||S(N(RRR{(R$RRx((s3/usr/lib/python2.7/site-packages/firewall/client.pyR{ scCst|jj||S(N(RRRz(R$RRx((s3/usr/lib/python2.7/site-packages/firewall/client.pyRz scCst|jj|||S(N(RRR(R$RRR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj|S(N(RRR|(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR| scCst|jj||S(N(RRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj||S(N(RRR(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj|||S(N(RRR;(R$RR:R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR; scCst|jj|S(N(RRR5(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR5 scCst|jj||S(N(RRR?(R$RR:((s3/usr/lib/python2.7/site-packages/firewall/client.pyR? scCst|jj||S(N(RRR>(R$RR:((s3/usr/lib/python2.7/site-packages/firewall/client.pyR> scCst|jj||||S(N(RRRE(R$RRCRDR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRE scCst|jj|S(N(RRR@(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR@ scCst|jj|||S(N(RRRG(R$RRCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRG scCst|jj|||S(N(RRRF(R$RRCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRF scCst|jj|||S(N(RRRK(R$RRDR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRK scCst|jj|S(N(RRRH(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRH scCst|jj||S(N(RRRM(R$RRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRM scCst|jj||S(N(RRRL(R$RRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRL scCst|jj||S(N(RRRc(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRc scCst|jj|S(N(RRRe(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRe scCst|jj|S(N(RRRd(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRd scCsO|dkrd}n|dkr*d}nt|jj||||||S(NR"(RhRRRk(R$RRCRDRRR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRk% s    cCst|jj|S(N(RRRf(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRf1 
scCsL|dkrd}n|dkr*d}nt|jj|||||S(NR"(RhRRRm(R$RRCRDRR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRm6 s    cCsL|dkrd}n|dkr*d}nt|jj|||||S(NR"(RhRRRl(R$RRCRDRR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRlA s    cCst|jj||||S(N(RRRP(R$RRCRDR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRPN scCst|jj|S(N(RRRN(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRNT scCst|jj|||S(N(RRRR(R$RRCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRRY scCst|jj|||S(N(RRRQ(R$RRCRD((s3/usr/lib/python2.7/site-packages/firewall/client.pyRQ^ scCst|jj|||S(N(RRRW(R$RticmpR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRWf scCst|jj|S(N(RRRS(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRSk scCst|jj||S(N(RRRY(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRYp scCst|jj||S(N(RRRX(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyRXu scCst|jj|S(N(RRR](R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR]| scCst|jj|S(N(RRR_(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR_ scCst|jj|S(N(RRR^(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR^ scCs|jj|||dS(N(R7R"(R$RRR ((s3/usr/lib/python2.7/site-packages/firewall/client.pyR" scCs|jj|||dS(N(R7R#(R$RRR ((s3/usr/lib/python2.7/site-packages/firewall/client.pyR# scCst|jj|||S(N(RR7R$(R$RRR ((s3/usr/lib/python2.7/site-packages/firewall/client.pyR$ scCst|jj||S(N(RR7R(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jjS(N(RR7R(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs |jj|||||dS(N(R7R)(R$RRR R(R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR) scCs |jj|||||dS(N(R7R*(R$RRR R(R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR* scCs|jj|||dS(N(R7R+(R$RRR ((s3/usr/lib/python2.7/site-packages/firewall/client.pyR+ scCs"t|jj|||||S(N(RR7R,(R$RRR R(R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR, scCst|jj|||S(N(RR7R&(R$RRR ((s3/usr/lib/python2.7/site-packages/firewall/client.pyR& 
scCst|jjS(N(RR7R%(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR% scCst|jj||S(N(RR7t passthrough(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jjS(N(RR7R-(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR- scCs|jjdS(N(R7R0(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR0 scCst|jj|S(N(RR7R1(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR1 scCs|jj||dS(N(R7R2(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR2 scCs|jj||dS(N(R7R3(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR3 scCst|jj||S(N(RR7R4(R$RR((s3/usr/lib/python2.7/site-packages/firewall/client.pyR4 scCs|jjdS(N(RtenableLockdown(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jjdS(N(RtdisableLockdown(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jjS(N(RRt queryLockdown(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCs|jj|dS(N(RR (R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR  scCst|jjS(N(RRR (R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR  scCst|jj|S(N(RRR (R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR  scCs|jj|dS(N(RR (R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR  scCs|jj|dS(N(RR (R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR  scCst|jjS(N(RRR(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR scCst|jj|S(N(RRR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR" scCs|jj|dS(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR' scCs|jj|dS(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR. 
scCst|jjS(N(RRR(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyR3 scCst|jj|S(N(RRR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR8 scCs|jj|dS(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyR= scCs|jj|dS(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRD scCst|jjS(N(RRR(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRI scCst|jj|S(N(RRR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRN scCs|jj|dS(N(RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/client.pyRS scCs|jjdS(s( Authorize once for all polkit actions. N(Rt authorizeAll(R$((s3/usr/lib/python2.7/site-packages/firewall/client.pyRX sN(RRR RhRR%RRRRRRRRRRRR RRRRRRRRRRRRRRRRRRRRRRLRRPRRRRRRRRRRRRGRIRRrRRRnRtRsRyRRuR{RzRR|RRR;R5R?R>RER@RGRFRKRHRMRLRcReRdRkRfRmRlRPRNRRRQRWRSRYRXR]R_R^R"R#R$RRR)R*R+R,R&R%RR-R0R1R2R3R4RRRR R R R R RRRRRRRRRRRR(((s3/usr/lib/python2.7/site-packages/firewall/client.pyR[ s  #.                                                                                                                       (.t gi.repositoryRRtsysRtdbus.mainloop.glibR t slip.dbusRRtfirewallRtfirewall.core.baseRtfirewall.dbus_utilsRtfirewall.functionsRtfirewall.core.richRR tfirewall.errorsR RRhRR RR tobjectR!RRRRRRRRRRRRR5R8R[(((s3/usr/lib/python2.7/site-packages/firewall/client.pytsF      '=cyKCzVtbmfw_types.pyc000064400000006045147576556050007152 0ustar00 c`c@s#dgZdefdYZdS(tLastUpdatedOrderedDictcBseZd dZdZdZdZdZdZdZ dZ dZ d Z d Z d Zd d ZRS(cCs,i|_g|_|r(|j|ndS(N(t_dictt_listtupdate(tselftx((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pyt__init__s  cCs|j2|jjdS(N(RRtclear(R((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pyRscCs+x$|jD]\}}|||scCs t|S(N(R(R((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pytcopyAscCs|jS(N(R(R((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pytkeysDscCsg|jD]}||^q S(N(R(RR ((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pytvaluesGscCs&||kr||S|||<|SdS(N((RR R 
((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pyt setdefaultJs  N(Rt __module__tNoneRRRRR RRRRRRRR(((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pyRs            N(t__all__tobjectR(((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pyts command.pyo000064400000045612147576556050006747 0ustar00 c`c@sdZdgZddlZddlmZddlmZddlmZddl m Z m Z m Z m Z mZdefdYZdS( s<FirewallCommand class for command line client simplificationtFirewallCommandiN(terrors(t FirewallError(t DBusException(t checkIPnMaskt checkIP6nMaskt check_mact check_porttcheck_single_addresscBseZeedZdZdZdZdZdZd+dZ d+dZ d+dZ d+d d Z d+d Zd+d Zd+d+ed ZedZedZedZedZedZd+edZedZedZdZddZedZdZdZdZdZdZ dZ!d+gd Z"d!Z#d"Z$d#Z%d$Z&d%Z'd&Z(d'Z)d(Z*d)Z+d*Z,RS(,cCs(||_||_t|_d|_dS(N(tquiettverbosetTruet'_FirewallCommand__use_exception_handlertNonetfw(tselfR R ((s4/usr/lib/python2.7/site-packages/firewall/command.pyt__init__#s   cCs ||_dS(N(R(RR((s4/usr/lib/python2.7/site-packages/firewall/command.pytset_fw)scCs ||_dS(N(R (Rtflag((s4/usr/lib/python2.7/site-packages/firewall/command.pyt set_quiet,scCs|jS(N(R (R((s4/usr/lib/python2.7/site-packages/firewall/command.pyt get_quiet/scCs ||_dS(N(R (RR((s4/usr/lib/python2.7/site-packages/firewall/command.pyt set_verbose2scCs|jS(N(R (R((s4/usr/lib/python2.7/site-packages/firewall/command.pyt get_verbose5scCs1|dk r-|j r-tjj|dndS(Ns (R R tsyststdouttwrite(Rtmsg((s4/usr/lib/python2.7/site-packages/firewall/command.pyt print_msg8scCs1|dk r-|j r-tjj|dndS(Ns (R R RtstderrR(RR((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_error_msg<scCs=d}d}tjjr,|||}n|j|dS(Nss(RRtisattyR(RRtFAILtEND((s4/usr/lib/python2.7/site-packages/firewall/command.pyt print_warning@s icCs:|dkr|j|n |j|tj|dS(Ni(R!RRtexit(RRt exit_code((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_and_exitGs  cCs|j|ddS(Ni(R$(RR((s4/usr/lib/python2.7/site-packages/firewall/command.pytfailRscCs0|dk r,|jr,tjj|dndS(Ns (R R 
RRR(RR((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_if_verboseUsc Cs1|jdk r|jjng} d} g} x|D]} |dk ry|| } Wqtk r}tjt|}t|dkr|jd|n|j d|||| kr| j |n| d7} q8qXn| j | q8Wx| D]} g}|dk r(||7}nt | t  rXt | t  rX|j | n || 7}|dk r{||7}n|jy||Wnttfk r}t |tr|j|j|j}n t|}tj|}|tjtjtjtjgkr$d}nt|dkrJ|jd|n5|dkrk|jd|dS|j d|||| kr| j |n| d7} nX|jqW| s-t|| ksd| krdSt| dkrtj| dq-t| dkr-tjtjq-ndS(Niis Warning: %ss Error: %s(RR t authorizeAllt ExceptionRtget_codetstrtlenR!R$tappendt isinstancetlistttupletdeactivate_exception_handlerRtfail_if_not_authorizedt get_dbus_nametget_dbus_messageRtALREADY_ENABLEDt NOT_ENABLEDtZONE_ALREADY_SETt ALREADY_SETtactivate_exception_handlerRR"t UNKNOWN_ERROR(Rtcmd_typetoptiont action_methodt query_methodt parse_methodtmessaget start_argstend_argstno_exittitemst_errorst _error_codestitemRtcodet call_item((s4/usr/lib/python2.7/site-packages/firewall/command.pyt__cmd_sequenceYsr                 c Cs&|jd|||||d|dS(NtaddRB(t_FirewallCommand__cmd_sequence(RR;R<R=R>R?RB((s4/usr/lib/python2.7/site-packages/firewall/command.pyt add_sequencesc Cs/|jd|||||d|gd|dS(NRJR@RB(RK(RtxR;R<R=R>R?RB((s4/usr/lib/python2.7/site-packages/firewall/command.pytx_add_sequencesc Cs8|jd|||||d|gd|gd|dS(NRJR@RARB(RK( RtzoneR;R<R=R>R?ttimeoutRB((s4/usr/lib/python2.7/site-packages/firewall/command.pytzone_add_timeout_sequencesc Cs&|jd|||||d|dS(NtremoveRB(RK(RR;R<R=R>R?RB((s4/usr/lib/python2.7/site-packages/firewall/command.pytremove_sequencesc Cs/|jd|||||d|gd|dS(NRRR@RB(RK(RRMR;R<R=R>R?RB((s4/usr/lib/python2.7/site-packages/firewall/command.pytx_remove_sequencesc Cs|g}x|D]}|dk ry||}Wqtk r} t|dkrj|jd| q qtjt| } |jd| | qXn|j|q Wx|D]}g} |dk r| |7} nt |t  rt |t  r| j|n | |7} |j y|| } Wnt k r} |j| jtj| j} t|dkr|jd| jqq|jd| j| nbtk r} tjt| } t|dkr|jd| q|jd| | nX|jt|dkrQ|jd||d| fq|j| qW|sxtjdndS( Nis Warning: %ss Error: %ss%s: %stnotyesi(RUsyes(R R(R+R!RR)R*R$R,R-R.R/R0RR1R2R3R8Rtprint_query_resultRR"( 
RR;R=R>R?R@RBRCRFRRGRHtres((s4/usr/lib/python2.7/site-packages/firewall/command.pyt__query_sequencesR          "cCs |j||||d|dS(NRB(t _FirewallCommand__query_sequence(RR;R=R>R?RB((s4/usr/lib/python2.7/site-packages/firewall/command.pytquery_sequencesc Cs)|j||||d|gd|dS(NR@RB(RZ(RRMR;R=R>R?RB((s4/usr/lib/python2.7/site-packages/firewall/command.pytx_query_sequencescCsft| rbt| rbt| rb|jdoEt|dk rbttjd|n|S(Nsipset:is8'%s' is no valid IPv4, IPv6 or MAC address, nor an ipset(RRRt startswithR+RRt INVALID_ADDR(Rtvalue((s4/usr/lib/python2.7/site-packages/firewall/command.pyt parse_sources  " t/cCsy|j|\}}Wn'tk rBttjd|nXt|sdttj|n|dkrttjd|n||fS(NsTbad port (most likely missing protocol), correct syntax is portid[-portid]%sprotocolttcptudptsctptdccps''%s' not in {'tcp'|'udp'|'sctp'|'dccp'}(RbRcRdRe(tsplitt ValueErrorRRt INVALID_PORTRtINVALID_PROTOCOL(RR_t separatortporttproto((s4/usr/lib/python2.7/site-packages/firewall/command.pyt parse_ports      c CsFd}d}d}d}d}x d||kr,||jddd}|t|d7}d||kr||jddd} n ||} |t| d7}|dkr| }q!|dkr| }q!|dkr| }q!|dkr| }q!|d kr|rq!ttjd |q!W|sHttjd n|scttjd n|pl|sttjd nt|sttj|n|dkrttjd|n|rt| rttj|n|r6t d| r6|st d| r6ttj |q6n||||fS(Nit=it:RkRlttoportttoaddrtifsinvalid forward port arg '%s's missing portsmissing protocolsmissing destinationRbRcRdRes''%s' not in {'tcp'|'udp'|'sctp'|'dccp'}tipv4tipv6(stcpsudpssctpsdccp( R RfR+RRtINVALID_FORWARDRRhRiRR^( RR_tcompatRktprotocolRpRqtitopttval((s4/usr/lib/python2.7/site-packages/firewall/command.pytparse_forward_portsT               cCs_|jd}t|dkr/|ddfSt|dkrE|Sttjd|dS(NRniitisinvalid ipset option '%s'(RfR+RRtINVALID_OPTION(RR_targs((s4/usr/lib/python2.7/site-packages/firewall/command.pytparse_ipset_optionHs cCsDddg}||kr@ttjd|dj|fn|S(NRsRts'invalid argument: %s (choose from '%s')s', '(RRt INVALID_IPVtjoin(RR_tipvs((s4/usr/lib/python2.7/site-packages/firewall/command.pytcheck_destination_ipvRs    cCsUy|jdd\}}Wn#tk rAttjdnX|j||fS(NRois(destination syntax is ipv:address[/mask](RfRgRRtINVALID_DESTINATIONR(RR_tipvt 
destination((s4/usr/lib/python2.7/site-packages/firewall/command.pytparse_service_destinationZs    cCsGdddg}||krCttjd|dj|fn|S(NRsRttebs'invalid argument: %s (choose from '%s')s', '(RRRR(RR_R((s4/usr/lib/python2.7/site-packages/firewall/command.pyt check_ipvbs   cCsGdddg}||krCttjd|dj|fn|S(NR|RsRts'invalid argument: %s (choose from '%s')s', '(RRRR(RR_R((s4/usr/lib/python2.7/site-packages/firewall/command.pytcheck_helper_familyjs   cCsc|jds(ttjd|nt|jdddkr_ttjd|n|S(Nt nf_conntrack_s('%s' does not start with 'nf_conntrack_'R|isModule name '%s' too short(R]RRtINVALID_MODULER+treplace(RR_((s4/usr/lib/python2.7/site-packages/firewall/command.pyt check_modulers c Cs|j}|j}tt|j|}|j}|j} |j} |j} |j } |j } |j }|j }|j }|j}|j}g}|dk r||kr|jdqn|s|r|jdn|r%|ddj|}n|j||jr`|jd||jd|n|jd||jd|rd nd |jd d j||jd d j||jdd jt| |jdd jg| D]}d|d|df^q|jdd jt| |jd| rVd nd |jddjg| D](\}}}}d||||f^qt|jdd jg|D]}d|d|df^q|jdd j||jddj|dS(Ntdefaulttactives (%s)s, s summary: s description: s target: s icmp-block-inversion: %sRVRUs interfaces: t s sources: s services: s ports: s%s/%siis protocols: s masquerade: %ss forward-ports: s s$port=%s:proto=%s:toport=%s:toaddr=%ss source-ports: s icmp-blocks: s rich rules: (t getTargettgetIcmpBlockInversiontsortedtsett getInterfacest getSourcest getServicestgetPortst getProtocolst getMasqueradetgetForwardPortstgetSourcePortst getIcmpBlockst getRichRulestgetDescriptiontgetShortR R,RRR (RROtsettingst default_zonetextra_interfacesttargetticmp_block_inversiont interfacestsourcestservicestportst protocolst masqueradet forward_portst source_portst icmp_blockstrulest descriptiontshort_descriptiont attributesRkRlRpRq((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_zone_info|sX                    -   7  -c Cs|j}|j}|j}|j}|j}|j}|j} |j||jr|jd| |jd|n|jddj g|D]} d| d| df^q|jddj ||jd dj g|D]} d| d| df^q|jd dj ||jd dj g|j D]\} } d | | f^q]dS( Ns summary: s description: s ports: Rs%s/%siis protocols: s source-ports: s modules: s destination: s%s:%s( RRRt 
getModulesRtgetDestinationsRRR RRC( RtserviceRRRRtmodulesRt destinationsRRktktv((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_service_infos*         -  -  cCs|j}|j}|j}t|dkrEddg}n|j||jr|jd||jd|n|jddj|dS(NiRsRts summary: s description: s destination: R(RRRR+RR R(RticmptypeRRRR((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_icmptype_infos     c Cs|j}|j}|j}|j}|j}|j||jrw|jd||jd|n|jd||jddjg|jD](\}} | rd|| fn|^q|jddj|dS(Ns summary: s description: s type: s options: Rs%s=%ss entries: ( tgetTypet getOptionst getEntriesRRRR RRC( RtipsetRt ipset_typetoptionstentriesRRRR((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_ipset_infos       =c Cs|j}|j}|j}|j}|j}|j||jrw|jd||jd|n|jd||jd||jddjg|D]}d|d|d f^qdS( Ns summary: s description: s family: s module: s ports: Rs%s/%sii(Rt getModulet getFamilyRRRR R( RthelperRRtmoduletfamilyRRRk((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_helper_infos       cCs*|r|jdn|jdddS(NRVRUi(R$(RR_((s4/usr/lib/python2.7/site-packages/firewall/command.pyRWscCs|jsn|j|tjt|}|tjtjtjtj gkri|j d|n|j d||dS(Ns Warning: %ss Error: %s( R R1RR)R*RR4R5R6R7R!R$(Rtexception_messageRG((s4/usr/lib/python2.7/site-packages/firewall/command.pytexception_handlers  cCs,d|kr(d}|j|tjndS(NtNotAuthorizedExceptions`Authorization failed. 
Make sure polkit agent is running or run the application as superuser.(R$RtNOT_AUTHORIZED(RRR((s4/usr/lib/python2.7/site-packages/firewall/command.pyR1s cCs t|_dS(N(tFalseR (R((s4/usr/lib/python2.7/site-packages/firewall/command.pyR0scCs t|_dS(N(R R (R((s4/usr/lib/python2.7/site-packages/firewall/command.pyR8scCsg}t}t|}xu|D]m}|s2Pn|j}t|dks"|ddkrfq"n||kr"|j||j|q"q"W|j|S(Niit#t;(RR(RtopentstripR+R,RJtclose(RtfilenameRt entries_settftline((s4/usr/lib/python2.7/site-packages/firewall/command.pytget_ipset_entries_from_file s    "   N(-t__name__t __module__RRRRRRRR RRR!R$R%R&RKRLRNRQRSRTRZR[R\R`RmR{RRRRRRRRRRRRWRR1R0R8R(((s4/usr/lib/python2.7/site-packages/firewall/command.pyR"sT           J     2     2     1       (t__doc__t__all__RtfirewallRtfirewall.errorsRtdbus.exceptionsRtfirewall.functionsRRRRRtobjectR(((s4/usr/lib/python2.7/site-packages/firewall/command.pyts  (errors.pyc000064400000011145147576556050006623 0ustar00 c`c@s?dZdZdZdZdZdZdZdZdZd Z d Z d Z d Z d Z dZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZd Z d!Z!d"Z"d#Z#d$Z$d%Z%d&Z&d'Z'd(Z(d)Z)d*Z*d+Z+d,Z,d-Z-d.Z.d/Z/d0Z0d1Z1d2Z2d3Z3d4Z4d5Z5d6Z6d7Z7d8Z8d9Z9d:Z:d;Z;d<Z<d=Z=d>Z>d?Z?d@Z@dAZAdBZBdCZCdDZDdEZEdFZFdGZGdHZHdIZIdJZJdKZKdLZLdMZMdNZNdOdPlOZOdQePfdRYZQeOjReQjSZTdSeUeTDeQ_VdTeQjVDeQ_WdPS(Ui i i iiiiiiiiiiiiiiiiiii i!i"i#i$i%i&idieifigihiiijikiliminioipiqirisitiuiviwixiyizi{i|i}i~iiiiiiiiiiiiiiiiiiiiiiiiiNt FirewallErrorcBs;eZddZdZdZdZeeZRS(cCsp||_|dk rctjdkrcyt|}Wq`tk r\t|jd}q`Xqcn||_dS(Nt3tunicode_escape( tcodetNonetsystversiontstrtUnicodeEncodeErrortunicodetencodetmsg(tselfRR tx((s3/usr/lib/python2.7/site-packages/firewall/errors.pyt__init__ls   cCsd|j|j|jfS(Ns %s(%r, %r)(t __class__RR (R ((s3/usr/lib/python2.7/site-packages/firewall/errors.pyt__repr__wscCs2|jr$d|j|j|jfS|j|jS(Ns%s: %s(R terrorsR(R ((s3/usr/lib/python2.7/site-packages/firewall/errors.pyt__str__zs cCs]d|kr(|jd}|| }n|}ytj|}Wntk rXt}nX|S(Nt:(tindexRtcodestKeyErrort UNKNOWN_ERROR(R 
tidxtecodeR((s3/usr/lib/python2.7/site-packages/firewall/errors.pytget_codes    N(t__name__t __module__RRRRRt staticmethod(((s3/usr/lib/python2.7/site-packages/firewall/errors.pyRks    cCsMi|]C}|jd rttt|tkr|tt|qS(t_(t startswithttypetgetattrtmodtint(t.0tvarname((s3/usr/lib/python2.7/site-packages/firewall/errors.pys s cCs i|]}|tj|qS((RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/errors.pys s (XtALREADY_ENABLEDt NOT_ENABLEDtCOMMAND_FAILEDt NO_IPV6_NATt PANIC_MODEtZONE_ALREADY_SETtUNKNOWN_INTERFACEt ZONE_CONFLICTt BUILTIN_CHAINtEBTABLES_NO_REJECTtNOT_OVERLOADABLEt NO_DEFAULTSt BUILTIN_ZONEtBUILTIN_SERVICEtBUILTIN_ICMPTYPEt NAME_CONFLICTt NAME_MISMATCHt PARSE_ERRORt ACCESS_DENIEDtUNKNOWN_SOURCEtRT_TO_PERM_FAILEDtIPSET_WITH_TIMEOUTt BUILTIN_IPSETt ALREADY_SETtMISSING_IMPORTt DBUS_ERRORtBUILTIN_HELPERt NOT_APPLIEDtINVALID_ACTIONtINVALID_SERVICEt INVALID_PORTtINVALID_PROTOCOLtINVALID_INTERFACEt INVALID_ADDRtINVALID_FORWARDtINVALID_ICMPTYPEt INVALID_TABLEt INVALID_CHAINtINVALID_TARGETt INVALID_IPVt INVALID_ZONEtINVALID_PROPERTYt INVALID_VALUEtINVALID_OBJECTt INVALID_NAMEtINVALID_FILENAMEtINVALID_DIRECTORYt INVALID_TYPEtINVALID_SETTINGtINVALID_DESTINATIONt INVALID_RULEt INVALID_LIMITtINVALID_FAMILYtINVALID_LOG_LEVELtINVALID_AUDIT_TYPEt INVALID_MARKtINVALID_CONTEXTtINVALID_COMMANDt INVALID_USERt INVALID_UIDtINVALID_MODULEtINVALID_PASSTHROUGHt INVALID_MACt INVALID_IPSETt INVALID_ENTRYtINVALID_OPTIONtINVALID_HELPERt MISSING_TABLEt MISSING_CHAINt MISSING_PORTtMISSING_PROTOCOLt MISSING_ADDRt MISSING_NAMEtMISSING_SETTINGtMISSING_FAMILYtRUNNING_BUT_FAILEDt NOT_RUNNINGtNOT_AUTHORIZEDRRt ExceptionRtmodulesRR"tdirRR(((s3/usr/lib/python2.7/site-packages/firewall/errors.pyts $client.py000064400000325725147576556050006436 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2009-2016 Red Hat, Inc. 
# # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . # from gi.repository import GLib, GObject # force use of pygobject3 in python-slip import sys sys.modules['gobject'] = GObject import dbus.mainloop.glib import slip.dbus from decorator import decorator from firewall import config from firewall.core.base import DEFAULT_ZONE_TARGET from firewall.dbus_utils import dbus_to_python from firewall.functions import b2u from firewall.core.rich import Rich_Rule from firewall import errors from firewall.errors import FirewallError import dbus import traceback exception_handler = None not_authorized_loop = False @decorator def handle_exceptions(func, *args, **kwargs): """Decorator to handle exceptions """ authorized = False while not authorized: try: return func(*args, **kwargs) except dbus.exceptions.DBusException as e: dbus_message = e.get_dbus_message() # returns unicode dbus_name = e.get_dbus_name() if not exception_handler: raise if "NotAuthorizedException" in dbus_name: exception_handler("NotAuthorizedException") elif "org.freedesktop.DBus.Error" in dbus_name: # dbus error, try again exception_handler(dbus_message) else: authorized = True if dbus_message: exception_handler(dbus_message) else: exception_handler(b2u(str(e))) except FirewallError as e: if not exception_handler: raise else: exception_handler(b2u(str(e))) except Exception: if not exception_handler: raise else: 
exception_handler(b2u(traceback.format_exc())) if not not_authorized_loop: break # zone config setings class FirewallClientZoneSettings(object): @handle_exceptions def __init__(self, settings = None): if settings: self.settings = settings else: self.settings = ["", "", "", False, DEFAULT_ZONE_TARGET, [], [], [], False, [], [], [], [], [], [], False] @handle_exceptions def __repr__(self): return '%s(%r)' % (self.__class__, self.settings) @handle_exceptions def getVersion(self): return self.settings[0] @handle_exceptions def setVersion(self, version): self.settings[0] = version @handle_exceptions def getShort(self): return self.settings[1] @handle_exceptions def setShort(self, short): self.settings[1] = short @handle_exceptions def getDescription(self): return self.settings[2] @handle_exceptions def setDescription(self, description): self.settings[2] = description # self.settings[3] was used for 'immutable' @handle_exceptions def getTarget(self): return self.settings[4] if self.settings[4] != DEFAULT_ZONE_TARGET else "default" @handle_exceptions def setTarget(self, target): self.settings[4] = target if target != "default" else DEFAULT_ZONE_TARGET @handle_exceptions def getServices(self): return self.settings[5] @handle_exceptions def setServices(self, services): self.settings[5] = services @handle_exceptions def addService(self, service): if service not in self.settings[5]: self.settings[5].append(service) else: raise FirewallError(errors.ALREADY_ENABLED, service) @handle_exceptions def removeService(self, service): if service in self.settings[5]: self.settings[5].remove(service) else: raise FirewallError(errors.NOT_ENABLED, service) @handle_exceptions def queryService(self, service): return service in self.settings[5] @handle_exceptions def getPorts(self): return self.settings[6] @handle_exceptions def setPorts(self, ports): self.settings[6] = ports @handle_exceptions def addPort(self, port, protocol): if (port,protocol) not in self.settings[6]: 
self.settings[6].append((port,protocol)) else: raise FirewallError(errors.ALREADY_ENABLED, "'%s:%s'" % (port, protocol)) @handle_exceptions def removePort(self, port, protocol): if (port,protocol) in self.settings[6]: self.settings[6].remove((port,protocol)) else: raise FirewallError(errors.NOT_ENABLED, "'%s:%s'" % (port, protocol)) @handle_exceptions def queryPort(self, port, protocol): return (port,protocol) in self.settings[6] @handle_exceptions def getProtocols(self): return self.settings[13] @handle_exceptions def setProtocols(self, protocols): self.settings[13] = protocols @handle_exceptions def addProtocol(self, protocol): if protocol not in self.settings[13]: self.settings[13].append(protocol) else: raise FirewallError(errors.ALREADY_ENABLED, protocol) @handle_exceptions def removeProtocol(self, protocol): if protocol in self.settings[13]: self.settings[13].remove(protocol) else: raise FirewallError(errors.NOT_ENABLED, protocol) @handle_exceptions def queryProtocol(self, protocol): return protocol in self.settings[13] @handle_exceptions def getSourcePorts(self): return self.settings[14] @handle_exceptions def setSourcePorts(self, ports): self.settings[14] = ports @handle_exceptions def addSourcePort(self, port, protocol): if (port,protocol) not in self.settings[14]: self.settings[14].append((port,protocol)) else: raise FirewallError(errors.ALREADY_ENABLED, "'%s:%s'" % (port, protocol)) @handle_exceptions def removeSourcePort(self, port, protocol): if (port,protocol) in self.settings[14]: self.settings[14].remove((port,protocol)) else: raise FirewallError(errors.NOT_ENABLED, "'%s:%s'" % (port, protocol)) @handle_exceptions def querySourcePort(self, port, protocol): return (port,protocol) in self.settings[14] @handle_exceptions def getIcmpBlocks(self): return self.settings[7] @handle_exceptions def setIcmpBlocks(self, icmpblocks): self.settings[7] = icmpblocks @handle_exceptions def addIcmpBlock(self, icmptype): if icmptype not in self.settings[7]: 
self.settings[7].append(icmptype) else: raise FirewallError(errors.ALREADY_ENABLED, icmptype) @handle_exceptions def removeIcmpBlock(self, icmptype): if icmptype in self.settings[7]: self.settings[7].remove(icmptype) else: raise FirewallError(errors.NOT_ENABLED, icmptype) @handle_exceptions def queryIcmpBlock(self, icmptype): return icmptype in self.settings[7] @handle_exceptions def getIcmpBlockInversion(self): return self.settings[15] @handle_exceptions def setIcmpBlockInversion(self, flag): self.settings[15] = flag @slip.dbus.polkit.enable_proxy @handle_exceptions def addIcmpBlockInversion(self): if not self.settings[15]: self.settings[15] = True else: FirewallError(errors.ALREADY_ENABLED, "icmp-block-inversion") @slip.dbus.polkit.enable_proxy @handle_exceptions def removeIcmpBlockInversion(self): if self.settings[15]: self.settings[15] = False else: FirewallError(errors.NOT_ENABLED, "icmp-block-inversion") @slip.dbus.polkit.enable_proxy @handle_exceptions def queryIcmpBlockInversion(self): return self.settings[15] @handle_exceptions def getMasquerade(self): return self.settings[8] @handle_exceptions def setMasquerade(self, masquerade): self.settings[8] = masquerade @slip.dbus.polkit.enable_proxy @handle_exceptions def addMasquerade(self): if not self.settings[8]: self.settings[8] = True else: FirewallError(errors.ALREADY_ENABLED, "masquerade") @slip.dbus.polkit.enable_proxy @handle_exceptions def removeMasquerade(self): if self.settings[8]: self.settings[8] = False else: FirewallError(errors.NOT_ENABLED, "masquerade") @slip.dbus.polkit.enable_proxy @handle_exceptions def queryMasquerade(self): return self.settings[8] @handle_exceptions def getForwardPorts(self): return self.settings[9] @handle_exceptions def setForwardPorts(self, ports): self.settings[9] = ports @handle_exceptions def addForwardPort(self, port, protocol, to_port, to_addr): if to_port is None: to_port = '' if to_addr is None: to_addr = '' if (port,protocol,to_port,to_addr) not in 
self.settings[9]: self.settings[9].append((port,protocol,to_port,to_addr)) else: raise FirewallError(errors.ALREADY_ENABLED, "'%s:%s:%s:%s'" % \ (port, protocol, to_port, to_addr)) @handle_exceptions def removeForwardPort(self, port, protocol, to_port, to_addr): if to_port is None: to_port = '' if to_addr is None: to_addr = '' if (port,protocol,to_port,to_addr) in self.settings[9]: self.settings[9].remove((port,protocol,to_port,to_addr)) else: raise FirewallError(errors.NOT_ENABLED, "'%s:%s:%s:%s'" % \ (port, protocol, to_port, to_addr)) @handle_exceptions def queryForwardPort(self, port, protocol, to_port, to_addr): if to_port is None: to_port = '' if to_addr is None: to_addr = '' return (port,protocol,to_port,to_addr) in self.settings[9] @handle_exceptions def getInterfaces(self): return self.settings[10] @handle_exceptions def setInterfaces(self, interfaces): self.settings[10] = interfaces @handle_exceptions def addInterface(self, interface): if interface not in self.settings[10]: self.settings[10].append(interface) else: raise FirewallError(errors.ALREADY_ENABLED, interface) @handle_exceptions def removeInterface(self, interface): if interface in self.settings[10]: self.settings[10].remove(interface) else: raise FirewallError(errors.NOT_ENABLED, interface) @handle_exceptions def queryInterface(self, interface): return interface in self.settings[10] @handle_exceptions def getSources(self): return self.settings[11] @handle_exceptions def setSources(self, sources): self.settings[11] = sources @handle_exceptions def addSource(self, source): if source not in self.settings[11]: self.settings[11].append(source) else: raise FirewallError(errors.ALREADY_ENABLED, source) @handle_exceptions def removeSource(self, source): if source in self.settings[11]: self.settings[11].remove(source) else: raise FirewallError(errors.NOT_ENABLED, source) @handle_exceptions def querySource(self, source): return source in self.settings[11] @handle_exceptions def getRichRules(self): return 
self.settings[12] @handle_exceptions def setRichRules(self, rules): rules = [ str(Rich_Rule(rule_str=r)) for r in rules ] self.settings[12] = rules @handle_exceptions def addRichRule(self, rule): rule = str(Rich_Rule(rule_str=rule)) if rule not in self.settings[12]: self.settings[12].append(rule) else: raise FirewallError(errors.ALREADY_ENABLED, rule) @handle_exceptions def removeRichRule(self, rule): rule = str(Rich_Rule(rule_str=rule)) if rule in self.settings[12]: self.settings[12].remove(rule) else: raise FirewallError(errors.NOT_ENABLED, rule) @handle_exceptions def queryRichRule(self, rule): rule = str(Rich_Rule(rule_str=rule)) return rule in self.settings[12] # zone config class FirewallClientConfigZone(object): def __init__(self, bus, path): self.bus = bus self.path = path self.dbus_obj = self.bus.get_object(config.dbus.DBUS_INTERFACE, path) self.fw_zone = dbus.Interface( self.dbus_obj, dbus_interface=config.dbus.DBUS_INTERFACE_CONFIG_ZONE) self.fw_properties = dbus.Interface( self.dbus_obj, dbus_interface='org.freedesktop.DBus.Properties') #TODO: check interface version and revision (need to match client # version) @slip.dbus.polkit.enable_proxy @handle_exceptions def get_property(self, prop): return dbus_to_python(self.fw_properties.Get( config.dbus.DBUS_INTERFACE_CONFIG_ZONE, prop)) @slip.dbus.polkit.enable_proxy @handle_exceptions def get_properties(self): return dbus_to_python(self.fw_properties.GetAll( config.dbus.DBUS_INTERFACE_CONFIG_ZONE)) @slip.dbus.polkit.enable_proxy @handle_exceptions def set_property(self, prop, value): self.fw_properties.Set(config.dbus.DBUS_INTERFACE_CONFIG_ZONE, prop, value) @slip.dbus.polkit.enable_proxy @handle_exceptions def getSettings(self): return FirewallClientZoneSettings(list(dbus_to_python(\ self.fw_zone.getSettings()))) @slip.dbus.polkit.enable_proxy @handle_exceptions def update(self, settings): self.fw_zone.update(tuple(settings.settings)) @slip.dbus.polkit.enable_proxy @handle_exceptions def 
loadDefaults(self): self.fw_zone.loadDefaults() @slip.dbus.polkit.enable_proxy @handle_exceptions def remove(self): self.fw_zone.remove() @slip.dbus.polkit.enable_proxy @handle_exceptions def rename(self, name): self.fw_zone.rename(name) # version @slip.dbus.polkit.enable_proxy @handle_exceptions def getVersion(self): return self.fw_zone.getVersion() @slip.dbus.polkit.enable_proxy @handle_exceptions def setVersion(self, version): self.fw_zone.setVersion(version) # short @slip.dbus.polkit.enable_proxy @handle_exceptions def getShort(self): return self.fw_zone.getShort() @slip.dbus.polkit.enable_proxy @handle_exceptions def setShort(self, short): self.fw_zone.setShort(short) # description @slip.dbus.polkit.enable_proxy @handle_exceptions def getDescription(self): return self.fw_zone.getDescription() @slip.dbus.polkit.enable_proxy @handle_exceptions def setDescription(self, description): self.fw_zone.setDescription(description) # target @slip.dbus.polkit.enable_proxy @handle_exceptions def getTarget(self): return self.fw_zone.getTarget() @slip.dbus.polkit.enable_proxy @handle_exceptions def setTarget(self, target): self.fw_zone.setTarget(target) # service @slip.dbus.polkit.enable_proxy @handle_exceptions def getServices(self): return self.fw_zone.getServices() @slip.dbus.polkit.enable_proxy @handle_exceptions def setServices(self, services): self.fw_zone.setServices(services) @slip.dbus.polkit.enable_proxy @handle_exceptions def addService(self, service): self.fw_zone.addService(service) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeService(self, service): self.fw_zone.removeService(service) @slip.dbus.polkit.enable_proxy @handle_exceptions def queryService(self, service): return self.fw_zone.queryService(service) # port @slip.dbus.polkit.enable_proxy @handle_exceptions def getPorts(self): return self.fw_zone.getPorts() @slip.dbus.polkit.enable_proxy @handle_exceptions def setPorts(self, ports): self.fw_zone.setPorts(ports) @slip.dbus.polkit.enable_proxy 
# FirewallClientConfigZone (class header precedes this block): thin proxies
# onto self.fw_zone, the dbus.Interface bound to DBUS_INTERFACE_CONFIG_ZONE.
# Every method is wrapped in slip's polkit enable_proxy and the module's
# handle_exceptions decorator; no argument validation happens on this side.
@handle_exceptions
def addPort(self, port, protocol):
    """Forward an addPort request for (port, protocol) to the zone config object."""
    self.fw_zone.addPort(port, protocol)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removePort(self, port, protocol):
    """Forward a removePort request for (port, protocol) to the zone config object."""
    self.fw_zone.removePort(port, protocol)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def queryPort(self, port, protocol):
    """Ask the zone config object whether (port, protocol) is configured."""
    return self.fw_zone.queryPort(port, protocol)

# protocol
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getProtocols(self):
    """Return the zone's configured protocol list from the config object."""
    return self.fw_zone.getProtocols()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setProtocols(self, protocols):
    """Replace the zone's protocol list on the config object."""
    self.fw_zone.setProtocols(protocols)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addProtocol(self, protocol):
    """Forward an addProtocol request to the zone config object."""
    self.fw_zone.addProtocol(protocol)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeProtocol(self, protocol):
    """Forward a removeProtocol request to the zone config object."""
    self.fw_zone.removeProtocol(protocol)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def queryProtocol(self, protocol):
    """Ask the zone config object whether `protocol` is configured."""
    return self.fw_zone.queryProtocol(protocol)

# source-port
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getSourcePorts(self):
    """Return the zone's configured source-port list from the config object."""
    return self.fw_zone.getSourcePorts()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setSourcePorts(self, ports):
    """Replace the zone's source-port list on the config object."""
    self.fw_zone.setSourcePorts(ports)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addSourcePort(self, port, protocol):
    """Forward an addSourcePort request for (port, protocol) to the zone config object."""
    self.fw_zone.addSourcePort(port, protocol)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeSourcePort(self, port, protocol):
    """Forward a removeSourcePort request for (port, protocol) to the zone config object."""
    self.fw_zone.removeSourcePort(port, protocol)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def querySourcePort(self, port, protocol):
    """Ask the zone config object whether source port (port, protocol) is configured."""
    return self.fw_zone.querySourcePort(port, protocol)

# icmp block
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getIcmpBlocks(self):
    """Return the zone's configured ICMP block list from the config object."""
    return self.fw_zone.getIcmpBlocks()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setIcmpBlocks(self, icmptypes):
    """Replace the zone's ICMP block list on the config object."""
    self.fw_zone.setIcmpBlocks(icmptypes)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addIcmpBlock(self, icmptype):
    """Forward an addIcmpBlock request to the zone config object."""
    self.fw_zone.addIcmpBlock(icmptype)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeIcmpBlock(self, icmptype):
    """Forward a removeIcmpBlock request to the zone config object."""
    self.fw_zone.removeIcmpBlock(icmptype)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def queryIcmpBlock(self, icmptype):
    """Ask the zone config object whether `icmptype` is blocked."""
    return self.fw_zone.queryIcmpBlock(icmptype)

# icmp-block-inversion
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getIcmpBlockInversion(self):
    """Return the zone's icmp-block-inversion flag from the config object."""
    return self.fw_zone.getIcmpBlockInversion()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setIcmpBlockInversion(self, inversion):
    """Set the zone's icmp-block-inversion flag on the config object."""
    self.fw_zone.setIcmpBlockInversion(inversion)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addIcmpBlockInversion(self):
    """Enable icmp-block-inversion on the zone config object."""
    self.fw_zone.addIcmpBlockInversion()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeIcmpBlockInversion(self):
    """Disable icmp-block-inversion on the zone config object."""
    self.fw_zone.removeIcmpBlockInversion()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def queryIcmpBlockInversion(self):
    """Ask the zone config object whether icmp-block-inversion is enabled."""
    return self.fw_zone.queryIcmpBlockInversion()

# masquerade
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getMasquerade(self):
    """Return the zone's masquerade flag from the config object."""
    return self.fw_zone.getMasquerade()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setMasquerade(self, masquerade):
    """Set the zone's masquerade flag on the config object."""
    self.fw_zone.setMasquerade(masquerade)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addMasquerade(self):
    """Enable masquerading on the zone config object."""
    self.fw_zone.addMasquerade()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeMasquerade(self):
    """Disable masquerading on the zone config object."""
    self.fw_zone.removeMasquerade()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def queryMasquerade(self):
    """Ask the zone config object whether masquerading is enabled."""
    return self.fw_zone.queryMasquerade()

# forward port
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getForwardPorts(self):
    """Return the zone's configured forward-port list from the config object."""
    return self.fw_zone.getForwardPorts()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setForwardPorts(self, ports):
    """Replace the zone's forward-port list on the config object."""
    self.fw_zone.setForwardPorts(ports)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addForwardPort(self, port, protocol, toport, toaddr):
    """Forward an addForwardPort request to the zone config object.

    `toport` and `toaddr` may be None; the D-Bus signature expects strings,
    so None is sent as the empty string.
    """
    toport_arg = '' if toport is None else toport
    toaddr_arg = '' if toaddr is None else toaddr
    self.fw_zone.addForwardPort(port, protocol, toport_arg, toaddr_arg)
@slip.dbus.polkit.enable_proxy @handle_exceptions def removeForwardPort(self, port, protocol, toport, toaddr): if toport is None: toport = '' if toaddr is None: toaddr = '' self.fw_zone.removeForwardPort(port, protocol, toport, toaddr) @slip.dbus.polkit.enable_proxy @handle_exceptions def queryForwardPort(self, port, protocol, toport, toaddr): if toport is None: toport = '' if toaddr is None: toaddr = '' return self.fw_zone.queryForwardPort(port, protocol, toport, toaddr) # interface @slip.dbus.polkit.enable_proxy @handle_exceptions def getInterfaces(self): return self.fw_zone.getInterfaces() @slip.dbus.polkit.enable_proxy @handle_exceptions def setInterfaces(self, interfaces): self.fw_zone.setInterfaces(interfaces) @slip.dbus.polkit.enable_proxy @handle_exceptions def addInterface(self, interface): self.fw_zone.addInterface(interface) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeInterface(self, interface): self.fw_zone.removeInterface(interface) @slip.dbus.polkit.enable_proxy @handle_exceptions def queryInterface(self, interface): return self.fw_zone.queryInterface(interface) # source @slip.dbus.polkit.enable_proxy @handle_exceptions def getSources(self): return self.fw_zone.getSources() @slip.dbus.polkit.enable_proxy @handle_exceptions def setSources(self, sources): self.fw_zone.setSources(sources) @slip.dbus.polkit.enable_proxy @handle_exceptions def addSource(self, source): self.fw_zone.addSource(source) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeSource(self, source): self.fw_zone.removeSource(source) @slip.dbus.polkit.enable_proxy @handle_exceptions def querySource(self, source): return self.fw_zone.querySource(source) # rich rule @slip.dbus.polkit.enable_proxy @handle_exceptions def getRichRules(self): return self.fw_zone.getRichRules() @slip.dbus.polkit.enable_proxy @handle_exceptions def setRichRules(self, rules): self.fw_zone.setRichRules(rules) @slip.dbus.polkit.enable_proxy @handle_exceptions def addRichRule(self, rule): 
self.fw_zone.addRichRule(rule) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeRichRule(self, rule): self.fw_zone.removeRichRule(rule) @slip.dbus.polkit.enable_proxy @handle_exceptions def queryRichRule(self, rule): return self.fw_zone.queryRichRule(rule) # service config settings class FirewallClientServiceSettings(object): @handle_exceptions def __init__(self, settings=None): if settings: self.settings = settings else: self.settings = ["", "", "", [], [], {}, [], []] @handle_exceptions def __repr__(self): return '%s(%r)' % (self.__class__, self.settings) @handle_exceptions def getVersion(self): return self.settings[0] @handle_exceptions def setVersion(self, version): self.settings[0] = version @handle_exceptions def getShort(self): return self.settings[1] @handle_exceptions def setShort(self, short): self.settings[1] = short @handle_exceptions def getDescription(self): return self.settings[2] @handle_exceptions def setDescription(self, description): self.settings[2] = description @handle_exceptions def getPorts(self): return self.settings[3] @handle_exceptions def setPorts(self, ports): self.settings[3] = ports @handle_exceptions def addPort(self, port, protocol): if (port,protocol) not in self.settings[3]: self.settings[3].append((port,protocol)) else: raise FirewallError(errors.ALREADY_ENABLED, "'%s:%s'" % (port, protocol)) @handle_exceptions def removePort(self, port, protocol): if (port,protocol) in self.settings[3]: self.settings[3].remove((port,protocol)) else: raise FirewallError(errors.NOT_ENABLED, "'%s:%s'" % (port, protocol)) @handle_exceptions def queryPort(self, port, protocol): return (port,protocol) in self.settings[3] @handle_exceptions def getProtocols(self): return self.settings[6] @handle_exceptions def setProtocols(self, protocols): self.settings[6] = protocols @handle_exceptions def addProtocol(self, protocol): if protocol not in self.settings[6]: self.settings[6].append(protocol) else: raise FirewallError(errors.ALREADY_ENABLED, 
protocol) @handle_exceptions def removeProtocol(self, protocol): if protocol in self.settings[6]: self.settings[6].remove(protocol) else: raise FirewallError(errors.NOT_ENABLED, protocol) @handle_exceptions def queryProtocol(self, protocol): return protocol in self.settings[6] @handle_exceptions def getSourcePorts(self): return self.settings[7] @handle_exceptions def setSourcePorts(self, ports): self.settings[7] = ports @handle_exceptions def addSourcePort(self, port, protocol): if (port,protocol) not in self.settings[7]: self.settings[7].append((port,protocol)) else: raise FirewallError(errors.ALREADY_ENABLED, "'%s:%s'" % (port, protocol)) @handle_exceptions def removeSourcePort(self, port, protocol): if (port,protocol) in self.settings[7]: self.settings[7].remove((port,protocol)) else: raise FirewallError(errors.NOT_ENABLED, "'%s:%s'" % (port, protocol)) @handle_exceptions def querySourcePort(self, port, protocol): return (port,protocol) in self.settings[7] @handle_exceptions def getModules(self): return self.settings[4] @handle_exceptions def setModules(self, modules): self.settings[4] = modules @handle_exceptions def addModule(self, module): if module not in self.settings[4]: self.settings[4].append(module) else: raise FirewallError(errors.ALREADY_ENABLED, module) @handle_exceptions def removeModule(self, module): if module in self.settings[4]: self.settings[4].remove(module) else: raise FirewallError(errors.NOT_ENABLED, module) @handle_exceptions def queryModule(self, module): return module in self.settings[4] @handle_exceptions def getDestinations(self): return self.settings[5] @handle_exceptions def setDestinations(self, destinations): self.settings[5] = destinations @handle_exceptions def setDestination(self, dest_type, address): if dest_type not in self.settings[5] or \ self.settings[5][dest_type] != address: self.settings[5][dest_type] = address else: raise FirewallError(errors.ALREADY_ENABLED, "'%s:%s'" % \ (dest_type, address)) @handle_exceptions def 
removeDestination(self, dest_type, address=None): if dest_type in self.settings[5]: if address is not None and self.settings[5][dest_type] != address: raise FirewallError(errors.NOT_ENABLED, "'%s:%s'" % \ (dest_type, address)) del self.settings[5][dest_type] else: raise FirewallError(errors.NOT_ENABLED, "'%s'" % dest_type) @handle_exceptions def queryDestination(self, dest_type, address): return (dest_type in self.settings[5] and \ address == self.settings[5][dest_type]) # ipset config settings class FirewallClientIPSetSettings(object): @handle_exceptions def __init__(self, settings=None): if settings: self.settings = settings else: self.settings = ["", "", "", "", {}, []] @handle_exceptions def __repr__(self): return '%s(%r)' % (self.__class__, self.settings) @handle_exceptions def getVersion(self): return self.settings[0] @handle_exceptions def setVersion(self, version): self.settings[0] = version @handle_exceptions def getShort(self): return self.settings[1] @handle_exceptions def setShort(self, short): self.settings[1] = short @handle_exceptions def getDescription(self): return self.settings[2] @handle_exceptions def setDescription(self, description): self.settings[2] = description @handle_exceptions def getType(self): return self.settings[3] @handle_exceptions def setType(self, ipset_type): self.settings[3] = ipset_type @handle_exceptions def getOptions(self): return self.settings[4] @handle_exceptions def setOptions(self, options): self.settings[4] = options @handle_exceptions def addOption(self, key, value): if key not in self.settings[4] or self.settings[4][key] != value: self.settings[4][key] = value else: raise FirewallError(errors.ALREADY_ENABLED, "'%s=%s'" % (key,value) if value else key) @handle_exceptions def removeOption(self, key): if key in self.settings[4]: del self.settings[4][key] else: raise FirewallError(errors.NOT_ENABLED, key) @handle_exceptions def queryOption(self, key, value): return key in self.settings[4] and self.settings[4][key] == 
value @handle_exceptions def getEntries(self): return self.settings[5] @handle_exceptions def setEntries(self, entries): if "timeout" in self.settings[4] and \ self.settings[4]["timeout"] != "0": raise FirewallError(errors.IPSET_WITH_TIMEOUT) self.settings[5] = entries @handle_exceptions def addEntry(self, entry): if "timeout" in self.settings[4] and \ self.settings[4]["timeout"] != "0": raise FirewallError(errors.IPSET_WITH_TIMEOUT) if entry not in self.settings[5]: self.settings[5].append(entry) else: raise FirewallError(errors.ALREADY_ENABLED, entry) @handle_exceptions def removeEntry(self, entry): if "timeout" in self.settings[4] and \ self.settings[4]["timeout"] != "0": raise FirewallError(errors.IPSET_WITH_TIMEOUT) if entry in self.settings[5]: self.settings[5].remove(entry) else: raise FirewallError(errors.NOT_ENABLED, entry) @handle_exceptions def queryEntry(self, entry): if "timeout" in self.settings[4] and \ self.settings[4]["timeout"] != "0": raise FirewallError(errors.IPSET_WITH_TIMEOUT) return entry in self.settings[5] # ipset config class FirewallClientConfigIPSet(object): @handle_exceptions def __init__(self, bus, path): self.bus = bus self.path = path self.dbus_obj = self.bus.get_object(config.dbus.DBUS_INTERFACE, path) self.fw_ipset = dbus.Interface( self.dbus_obj, dbus_interface=config.dbus.DBUS_INTERFACE_CONFIG_IPSET) self.fw_properties = dbus.Interface( self.dbus_obj, dbus_interface='org.freedesktop.DBus.Properties') @slip.dbus.polkit.enable_proxy @handle_exceptions def get_property(self, prop): return dbus_to_python(self.fw_properties.Get( config.dbus.DBUS_INTERFACE_CONFIG_IPSET, prop)) @slip.dbus.polkit.enable_proxy @handle_exceptions def get_properties(self): return dbus_to_python(self.fw_properties.GetAll( config.dbus.DBUS_INTERFACE_CONFIG_IPSET)) @slip.dbus.polkit.enable_proxy @handle_exceptions def set_property(self, prop, value): self.fw_properties.Set(config.dbus.DBUS_INTERFACE_CONFIG_IPSET, prop, value) @slip.dbus.polkit.enable_proxy 
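# FirewallClientConfigIPSet (class header precedes this block): remaining
# proxies onto self.fw_ipset, the dbus.Interface bound to
# DBUS_INTERFACE_CONFIG_IPSET.
@handle_exceptions
def getSettings(self):
    """Fetch the ipset's settings tuple and wrap it in FirewallClientIPSetSettings.

    The D-Bus value is converted to a plain list first so the wrapper can
    mutate it locally before it is sent back with update().
    """
    raw = dbus_to_python(self.fw_ipset.getSettings())
    return FirewallClientIPSetSettings(list(raw))

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def update(self, settings):
    """Send a FirewallClientIPSetSettings object's list back to the daemon as a tuple."""
    self.fw_ipset.update(tuple(settings.settings))

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def loadDefaults(self):
    """Ask the daemon to reset this ipset's configuration to its defaults."""
    self.fw_ipset.loadDefaults()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def remove(self):
    """Ask the daemon to delete this ipset's configuration."""
    self.fw_ipset.remove()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def rename(self, name):
    """Ask the daemon to rename this ipset to `name`."""
    self.fw_ipset.rename(name)

# version
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getVersion(self):
    """Return the ipset's version string from the config object."""
    return self.fw_ipset.getVersion()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setVersion(self, version):
    """Set the ipset's version string on the config object."""
    self.fw_ipset.setVersion(version)

# short
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getShort(self):
    """Return the ipset's short name from the config object."""
    return self.fw_ipset.getShort()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setShort(self, short):
    """Set the ipset's short name on the config object."""
    self.fw_ipset.setShort(short)

# description
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getDescription(self):
    """Return the ipset's description from the config object."""
    return self.fw_ipset.getDescription()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setDescription(self, description):
    """Set the ipset's description on the config object."""
    self.fw_ipset.setDescription(description)

# entry
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getEntries(self):
    """Return the ipset's entry list from the config object."""
    return self.fw_ipset.getEntries()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setEntries(self, entries):
    """Replace the ipset's entry list on the config object."""
    self.fw_ipset.setEntries(entries)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addEntry(self, entry):
    """Forward an addEntry request to the ipset config object."""
    self.fw_ipset.addEntry(entry)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeEntry(self, entry):
    """Forward a removeEntry request to the ipset config object."""
    self.fw_ipset.removeEntry(entry)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def queryEntry(self, entry):
    """Ask the ipset config object whether `entry` is present."""
    return self.fw_ipset.queryEntry(entry)


# helper config settings
class FirewallClientHelperSettings(object):
    """Client-side holder for a helper's settings list.

    ``self.settings`` is the positional list exchanged with the daemon via
    FirewallClientConfigHelper.getSettings()/update():
      [0] version, [1] short name, [2] description,
      [3] address family ("" when set from None),
      [4] module, [5] list of (port, protocol) tuples.
    Nothing is validated here; the list is edited in place and the daemon
    sees it only on update() (daemon-side validation is not visible in this
    file — confirm there).
    """

    @handle_exceptions
    def __init__(self, settings=None):
        # A caller-supplied list is kept by reference (not copied).
        if settings:
            self.settings = settings
        else:
            self.settings = ["", "", "", "", "", [ ]]

    @handle_exceptions
    def __repr__(self):
        return '%s(%r)' % (self.__class__, self.settings)

    @handle_exceptions
    def getVersion(self):
        """Return settings[0] (version)."""
        return self.settings[0]

    @handle_exceptions
    def setVersion(self, version):
        """Set settings[0] (version)."""
        self.settings[0] = version

    @handle_exceptions
    def getShort(self):
        """Return settings[1] (short name)."""
        return self.settings[1]

    @handle_exceptions
    def setShort(self, short):
        """Set settings[1] (short name)."""
        self.settings[1] = short

    @handle_exceptions
    def getDescription(self):
        """Return settings[2] (description)."""
        return self.settings[2]

    @handle_exceptions
    def setDescription(self, description):
        """Set settings[2] (description)."""
        self.settings[2] = description

    @handle_exceptions
    def getFamily(self):
        """Return settings[3] (address family)."""
        return self.settings[3]

    @handle_exceptions
    def setFamily(self, ipv):
        """Set settings[3] (address family); None is stored as "".

        The previous implementation assigned "" for None and then
        unconditionally overwrote it with `ipv`, so None was stored after all.
        """
        self.settings[3] = "" if ipv is None else ipv

    @handle_exceptions
    def getModule(self):
        """Return settings[4] (module)."""
        return self.settings[4]

    @handle_exceptions
    def setModule(self, module):
        """Set settings[4] (module)."""
        self.settings[4] = module

    @handle_exceptions
    def getPorts(self):
        """Return settings[5], the list of (port, protocol) tuples."""
        return self.settings[5]

    @handle_exceptions
    def setPorts(self, ports):
        """Replace settings[5] with `ports`."""
        self.settings[5] = ports

    @handle_exceptions
    def addPort(self, port, protocol):
        """Append (port, protocol) to settings[5].

        Raises FirewallError(ALREADY_ENABLED) if the tuple is already present.
        """
        if (port,protocol) not in self.settings[5]:
            self.settings[5].append((port,protocol))
        else:
            raise FirewallError(errors.ALREADY_ENABLED,
                                "'%s:%s'" % (port, protocol))

    @handle_exceptions
    def removePort(self, port, protocol):
        """Remove (port, protocol) from settings[5].

        Raises FirewallError(NOT_ENABLED) if the tuple is not present.
        """
        if (port,protocol) in self.settings[5]:
            self.settings[5].remove((port,protocol))
        else:
            raise FirewallError(errors.NOT_ENABLED,
                                "'%s:%s'" % (port, protocol))

    @handle_exceptions
    def queryPort(self, port, protocol):
        """Return whether (port, protocol) is in settings[5]."""
        return (port,protocol) in self.settings[5]


# helper config
class FirewallClientConfigHelper(object):
    """Proxy for one helper object on the firewalld config D-Bus interface.

    All method calls are forwarded to ``self.fw_helper`` (a dbus.Interface
    for DBUS_INTERFACE_CONFIG_HELPER) or ``self.fw_properties`` (the standard
    org.freedesktop.DBus.Properties interface). Methods are wrapped in slip's
    polkit enable_proxy decorator, so authorization for these privileged
    configuration changes is expected to be handled by that proxy layer
    (confirm against slip.dbus.polkit).
    """

    @handle_exceptions
    def __init__(self, bus, path):
        self.bus = bus
        self.path = path
        self.dbus_obj = self.bus.get_object(config.dbus.DBUS_INTERFACE, path)
        self.fw_helper = dbus.Interface(
            self.dbus_obj,
            dbus_interface=config.dbus.DBUS_INTERFACE_CONFIG_HELPER)
        self.fw_properties = dbus.Interface(
            self.dbus_obj, dbus_interface='org.freedesktop.DBus.Properties')

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def get_property(self, prop):
        """Read one property of the helper config object, converted to Python types."""
        return dbus_to_python(self.fw_properties.Get(
            config.dbus.DBUS_INTERFACE_CONFIG_HELPER, prop))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def get_properties(self):
        """Read all properties of the helper config object, converted to Python types."""
        return dbus_to_python(self.fw_properties.GetAll(
            config.dbus.DBUS_INTERFACE_CONFIG_HELPER))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def set_property(self, prop, value):
        """Write one property of the helper config object."""
        self.fw_properties.Set(config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                               prop, value)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getSettings(self):
        """Fetch the helper's settings tuple and wrap it in FirewallClientHelperSettings.

        Converted to a plain list so the wrapper can mutate it before update().
        """
        raw = dbus_to_python(self.fw_helper.getSettings())
        return FirewallClientHelperSettings(list(raw))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def update(self, settings):
        """Send a FirewallClientHelperSettings object's list back to the daemon as a tuple."""
        self.fw_helper.update(tuple(settings.settings))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def loadDefaults(self):
        """Ask the daemon to reset this helper's configuration to its defaults."""
        self.fw_helper.loadDefaults()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def remove(self):
        """Ask the daemon to delete this helper's configuration."""
        self.fw_helper.remove()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def rename(self, name):
        """Ask the daemon to rename this helper to `name`."""
        self.fw_helper.rename(name)

    # version
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getVersion(self):
        """Return the helper's version string from the config object."""
        return self.fw_helper.getVersion()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setVersion(self, version):
        """Set the helper's version string on the config object."""
        self.fw_helper.setVersion(version)

    # short
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getShort(self):
        """Return the helper's short name from the config object."""
        return self.fw_helper.getShort()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setShort(self, short):
        """Set the helper's short name on the config object."""
        self.fw_helper.setShort(short)

    # description
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getDescription(self):
        """Return the helper's description from the config object."""
        return self.fw_helper.getDescription()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setDescription(self, description):
        """Set the helper's description on the config object."""
        self.fw_helper.setDescription(description)

    # port
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getPorts(self):
        """Return the helper's port list from the config object."""
        return self.fw_helper.getPorts()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setPorts(self, ports):
        """Replace the helper's port list on the config object."""
        self.fw_helper.setPorts(ports)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def addPort(self, port, protocol):
        """Forward an addPort request for (port, protocol) to the helper config object."""
        self.fw_helper.addPort(port, protocol)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def removePort(self, port, protocol):
        """Forward a removePort request for (port, protocol) to the helper config object."""
        self.fw_helper.removePort(port, protocol)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def queryPort(self, port, protocol):
        """Ask the helper config object whether (port, protocol) is configured."""
        return self.fw_helper.queryPort(port, protocol)

    # family
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getFamily(self):
        """Return the helper's address family from the config object."""
        return self.fw_helper.getFamily()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setFamily(self, ipv):
        """Set the helper's address family; None is sent as "".

        The previous implementation issued two D-Bus calls when `ipv` was
        None — setFamily("") followed by setFamily(None) — so the
        normalisation never took effect. One call with the normalised value
        is made instead.
        """
        self.fw_helper.setFamily("" if ipv is None else ipv)

    # module
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getModule(self):
        """Return the helper's module from the config object."""
        return self.fw_helper.getModule()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setModule(self, module):
        """Set the helper's module on the config object."""
        self.fw_helper.setModule(module)


# service config
class FirewallClientConfigService(object):
    """Proxy for one service object on the firewalld config D-Bus interface.

    Calls are forwarded to ``self.fw_service`` (a dbus.Interface for
    DBUS_INTERFACE_CONFIG_SERVICE) or ``self.fw_properties``. The remaining
    methods of this class follow after this block.
    """

    @handle_exceptions
    def __init__(self, bus, path):
        self.bus = bus
        self.path = path
        self.dbus_obj = self.bus.get_object(config.dbus.DBUS_INTERFACE, path)
        self.fw_service = dbus.Interface(
            self.dbus_obj,
            dbus_interface=config.dbus.DBUS_INTERFACE_CONFIG_SERVICE)
        self.fw_properties = dbus.Interface(
            self.dbus_obj, dbus_interface='org.freedesktop.DBus.Properties')

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def get_property(self, prop):
        """Read one property of the service config object, converted to Python types."""
        return dbus_to_python(self.fw_properties.Get(
            config.dbus.DBUS_INTERFACE_CONFIG_SERVICE, prop))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def get_properties(self):
        """Read all properties of the service config object, converted to Python types."""
        return dbus_to_python(self.fw_properties.GetAll(
            config.dbus.DBUS_INTERFACE_CONFIG_SERVICE))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def set_property(self, prop, value):
        """Write one property of the service config object."""
        self.fw_properties.Set(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                               prop, value)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getSettings(self):
        """Fetch the service's settings tuple and wrap it in FirewallClientServiceSettings.

        Converted to a plain list so the wrapper can mutate it before update().
        """
        raw = dbus_to_python(self.fw_service.getSettings())
        return FirewallClientServiceSettings(list(raw))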
# ---------------------------------------------------------------------------
# FirewallClientConfigService (continued).  The ``class`` line and the first
# methods of this proxy precede this span.  Every method here forwards to one
# method of the config.service D-Bus interface held in ``self.fw_service``.
# ``slip.dbus.polkit.enable_proxy`` drives the client-side polkit
# authorization dialog; the access decision itself is presumably made by the
# daemon and is not visible in this file.  Getters in this class return the
# raw D-Bus value (no ``dbus_to_python``), unlike the runtime client below.
# ---------------------------------------------------------------------------

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def update(self, settings):
    """Proxy for ``update``: push the whole ``settings.settings`` tuple."""
    self.fw_service.update(tuple(settings.settings))

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def loadDefaults(self):
    """Proxy for ``loadDefaults`` on this service object."""
    self.fw_service.loadDefaults()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def remove(self):
    """Proxy for ``remove``: delete this service object."""
    self.fw_service.remove()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def rename(self, name):
    """Proxy for ``rename``."""
    self.fw_service.rename(name)

# version
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getVersion(self):
    """Proxy for ``getVersion``; returns the raw D-Bus value."""
    return self.fw_service.getVersion()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setVersion(self, version):
    """Proxy for ``setVersion``."""
    self.fw_service.setVersion(version)

# short
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getShort(self):
    """Proxy for ``getShort``; returns the raw D-Bus value."""
    return self.fw_service.getShort()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setShort(self, short):
    """Proxy for ``setShort``."""
    self.fw_service.setShort(short)

# description
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getDescription(self):
    """Proxy for ``getDescription``; returns the raw D-Bus value."""
    return self.fw_service.getDescription()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setDescription(self, description):
    """Proxy for ``setDescription``."""
    self.fw_service.setDescription(description)

# port
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getPorts(self):
    """Proxy for ``getPorts``; returns the raw D-Bus value."""
    return self.fw_service.getPorts()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setPorts(self, ports):
    """Proxy for ``setPorts``: replace the whole port list."""
    self.fw_service.setPorts(ports)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addPort(self, port, protocol):
    """Proxy for ``addPort``."""
    self.fw_service.addPort(port, protocol)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removePort(self, port, protocol):
    """Proxy for ``removePort``."""
    self.fw_service.removePort(port, protocol)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def queryPort(self, port, protocol):
    """Proxy for ``queryPort``; returns the raw D-Bus boolean."""
    return self.fw_service.queryPort(port, protocol)

# protocol
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getProtocols(self):
    """Proxy for ``getProtocols``; returns the raw D-Bus value."""
    return self.fw_service.getProtocols()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setProtocols(self, protocols):
    """Proxy for ``setProtocols``: replace the whole protocol list."""
    self.fw_service.setProtocols(protocols)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addProtocol(self, protocol):
    """Proxy for ``addProtocol``."""
    self.fw_service.addProtocol(protocol)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeProtocol(self, protocol):
    """Proxy for ``removeProtocol``."""
    self.fw_service.removeProtocol(protocol)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def queryProtocol(self, protocol):
    """Proxy for ``queryProtocol``; returns the raw D-Bus boolean."""
    return self.fw_service.queryProtocol(protocol)

# source-port
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getSourcePorts(self):
    """Proxy for ``getSourcePorts``; returns the raw D-Bus value."""
    return self.fw_service.getSourcePorts()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setSourcePorts(self, ports):
    """Proxy for ``setSourcePorts``: replace the whole source-port list."""
    self.fw_service.setSourcePorts(ports)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addSourcePort(self, port, protocol):
    """Proxy for ``addSourcePort``."""
    self.fw_service.addSourcePort(port, protocol)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeSourcePort(self, port, protocol):
    """Proxy for ``removeSourcePort``."""
    self.fw_service.removeSourcePort(port, protocol)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def querySourcePort(self, port, protocol):
    """Proxy for ``querySourcePort``; returns the raw D-Bus boolean."""
    return self.fw_service.querySourcePort(port, protocol)

# module
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getModules(self):
    """Proxy for ``getModules``; returns the raw D-Bus value."""
    return self.fw_service.getModules()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setModules(self, modules):
    """Proxy for ``setModules``: replace the whole module list."""
    self.fw_service.setModules(modules)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addModule(self, module):
    """Proxy for ``addModule``."""
    self.fw_service.addModule(module)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeModule(self, module):
    """Proxy for ``removeModule``."""
    self.fw_service.removeModule(module)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def queryModule(self, module):
    """Proxy for ``queryModule``; returns the raw D-Bus boolean."""
    return self.fw_service.queryModule(module)

# destination
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getDestinations(self):
    """Proxy for ``getDestinations``; returns the raw D-Bus value."""
    return self.fw_service.getDestinations()

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setDestinations(self, destinations):
    """Proxy for ``setDestinations``: replace the whole destination map."""
    self.fw_service.setDestinations(destinations)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getDestination(self, destination):
    """Proxy for ``getDestination``; returns the raw D-Bus value."""
    return self.fw_service.getDestination(destination)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def setDestination(self, destination, address):
    """Proxy for ``setDestination``."""
    self.fw_service.setDestination(destination, address)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeDestination(self, destination, address=None):
    """Proxy for ``removeDestination``.

    When ``address`` is given, the current value is fetched first and the
    call is rejected with ``errors.NOT_ENABLED`` unless it matches.  The
    fetch and the remove are two separate D-Bus round trips, so a
    concurrent change of the destination in between is not detected.
    """
    if address is not None and self.getDestination(destination) != address:
        raise FirewallError(errors.NOT_ENABLED, "'%s:%s'" % (destination, address))
    self.fw_service.removeDestination(destination)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def queryDestination(self, destination, address):
    """Proxy for ``queryDestination``; returns the raw D-Bus boolean."""
    return self.fw_service.queryDestination(destination, address)


# icmptype config settings
class FirewallClientIcmpTypeSettings(object):
    """In-memory copy of an icmptype definition.

    ``settings`` is a list laid out as
    ``[version, short, description, destinations]``; the index constants are
    implicit in the accessors below.  An empty ``destinations`` list means
    "both ipv4 and ipv6" (see ``addDestination``/``removeDestination``).
    """

    @handle_exceptions
    def __init__(self, settings=None):
        # Any truthy ``settings`` is taken as-is (no copy), so the caller's
        # list is mutated by the add/remove helpers below.
        if settings:
            self.settings = settings
        else:
            self.settings = ["", "", "", []]

    @handle_exceptions
    def __repr__(self):
        return '%s(%r)' % (self.__class__, self.settings)

    @handle_exceptions
    def getVersion(self):
        """Return settings[0]."""
        return self.settings[0]

    @handle_exceptions
    def setVersion(self, version):
        """Set settings[0]."""
        self.settings[0] = version

    @handle_exceptions
    def getShort(self):
        """Return settings[1]."""
        return self.settings[1]

    @handle_exceptions
    def setShort(self, short):
        """Set settings[1]."""
        self.settings[1] = short

    @handle_exceptions
    def getDescription(self):
        """Return settings[2]."""
        return self.settings[2]

    @handle_exceptions
    def setDescription(self, description):
        """Set settings[2]."""
        self.settings[2] = description

    @handle_exceptions
    def getDestinations(self):
        """Return settings[3]; an empty list means all destinations."""
        return self.settings[3]

    @handle_exceptions
    def setDestinations(self, destinations):
        """Set settings[3] (replaces the list object)."""
        self.settings[3] = destinations

    @handle_exceptions
    def addDestination(self, destination):
        """Add ``destination`` to settings[3].

        Raises ``errors.ALREADY_ENABLED`` if the list is empty (which already
        means "all") or if ``destination`` is already listed.
        """
        # empty means all
        if not self.settings[3]:
            raise FirewallError(errors.ALREADY_ENABLED, destination)
        elif destination not in self.settings[3]:
            self.settings[3].append(destination)
        else:
            raise FirewallError(errors.ALREADY_ENABLED, destination)

    @handle_exceptions
    def removeDestination(self, destination):
        """Remove ``destination`` from settings[3].

        If the list is empty ("all"), it is expanded to the complement of
        ``destination`` within {ipv4, ipv6}.  Raises ``errors.NOT_ENABLED``
        when the destination is neither listed nor implied by "all".
        """
        if destination in self.settings[3]:
            self.settings[3].remove(destination)
        # empty means all
        elif not self.settings[3]:
            self.setDestinations(list(set(['ipv4','ipv6']) - set([destination])))
        else:
            raise FirewallError(errors.NOT_ENABLED, destination)

    @handle_exceptions
    def queryDestination(self, destination):
        """True if ``destination`` is listed or the list is empty ("all")."""
        # empty means all
        return not self.settings[3] or destination in self.settings[3]


# icmptype config
class FirewallClientConfigIcmpType(object):
    """Proxy for one permanent icmptype object at D-Bus ``path``.

    ``fw_icmptype`` speaks the config.icmptype interface; ``fw_properties``
    speaks org.freedesktop.DBus.Properties on the same object.
    """

    @handle_exceptions
    def __init__(self, bus, path):
        self.bus = bus
        self.path = path
        self.dbus_obj = self.bus.get_object(config.dbus.DBUS_INTERFACE, path)
        self.fw_icmptype = dbus.Interface(
            self.dbus_obj,
            dbus_interface=config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE)
        self.fw_properties = dbus.Interface(
            self.dbus_obj, dbus_interface='org.freedesktop.DBus.Properties')

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def get_property(self, prop):
        """Read one D-Bus property of the icmptype object, converted to Python."""
        return dbus_to_python(self.fw_properties.Get(
            config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE, prop))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def get_properties(self):
        """Read all D-Bus properties of the icmptype object, converted to Python."""
        return dbus_to_python(self.fw_properties.GetAll(
            config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def set_property(self, prop, value):
        """Write one D-Bus property of the icmptype object."""
        self.fw_properties.Set(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                               prop, value)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getSettings(self):
        """Fetch the definition and wrap it in FirewallClientIcmpTypeSettings."""
        return FirewallClientIcmpTypeSettings(list(dbus_to_python(
            self.fw_icmptype.getSettings())))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def update(self, settings):
        """Proxy for ``update``: push the whole ``settings.settings`` tuple."""
        self.fw_icmptype.update(tuple(settings.settings))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def loadDefaults(self):
        """Proxy for ``loadDefaults``."""
        self.fw_icmptype.loadDefaults()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def remove(self):
        """Proxy for ``remove``: delete this icmptype object."""
        self.fw_icmptype.remove()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def rename(self, name):
        """Proxy for ``rename``."""
        self.fw_icmptype.rename(name)

    # version
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getVersion(self):
        """Proxy for ``getVersion``; returns the raw D-Bus value."""
        return self.fw_icmptype.getVersion()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setVersion(self, version):
        """Proxy for ``setVersion``."""
        self.fw_icmptype.setVersion(version)

    # short
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getShort(self):
        """Proxy for ``getShort``; returns the raw D-Bus value."""
        return self.fw_icmptype.getShort()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setShort(self, short):
        """Proxy for ``setShort``."""
        self.fw_icmptype.setShort(short)

    # description
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getDescription(self):
        """Proxy for ``getDescription``; returns the raw D-Bus value."""
        return self.fw_icmptype.getDescription()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setDescription(self, description):
        """Proxy for ``setDescription``."""
        self.fw_icmptype.setDescription(description)

    # destination
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getDestinations(self):
        """Proxy for ``getDestinations``; returns the raw D-Bus value."""
        return self.fw_icmptype.getDestinations()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setDestinations(self, destinations):
        """Proxy for ``setDestinations``."""
        self.fw_icmptype.setDestinations(destinations)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def addDestination(self, destination):
        """Proxy for ``addDestination``."""
        self.fw_icmptype.addDestination(destination)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def removeDestination(self, destination):
        """Proxy for ``removeDestination``."""
        self.fw_icmptype.removeDestination(destination)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def queryDestination(self, destination):
        """Proxy for ``queryDestination``; returns the raw D-Bus boolean."""
        return self.fw_icmptype.queryDestination(destination)


# config.policies lockdown whitelist
class FirewallClientPoliciesLockdownWhitelist(object):
    """In-memory copy of the lockdown whitelist.

    ``settings`` is ``[commands, contexts, users, uids]``.  The add helpers
    are idempotent (duplicates are ignored) and the remove helpers are silent
    when the entry is absent -- unlike the icmptype settings class above,
    nothing here raises.  NOTE(review): judging by the name, this list
    controls who may change the firewall while lockdown is enabled, so
    entries written through it are security-relevant; the daemon is
    presumably the authority on what is accepted -- confirm against the
    server side.
    """

    @handle_exceptions
    def __init__(self, settings=None):
        # Any truthy ``settings`` is taken as-is (no copy).
        if settings:
            self.settings = settings
        else:
            self.settings = [ [], [], [], [] ]

    @handle_exceptions
    def __repr__(self):
        return '%s(%r)' % (self.__class__, self.settings)

    @handle_exceptions
    def getCommands(self):
        """Return settings[0]."""
        return self.settings[0]

    @handle_exceptions
    def setCommands(self, commands):
        """Set settings[0]."""
        self.settings[0] = commands

    @handle_exceptions
    def addCommand(self, command):
        """Append ``command`` to settings[0] unless already present."""
        if command not in self.settings[0]:
            self.settings[0].append(command)

    @handle_exceptions
    def removeCommand(self, command):
        """Remove ``command`` from settings[0] if present."""
        if command in self.settings[0]:
            self.settings[0].remove(command)

    @handle_exceptions
    def queryCommand(self, command):
        """True if ``command`` is in settings[0]."""
        return command in self.settings[0]

    @handle_exceptions
    def getContexts(self):
        """Return settings[1]."""
        return self.settings[1]

    @handle_exceptions
    def setContexts(self, contexts):
        """Set settings[1]."""
        self.settings[1] = contexts

    @handle_exceptions
    def addContext(self, context):
        """Append ``context`` to settings[1] unless already present."""
        if context not in self.settings[1]:
            self.settings[1].append(context)

    @handle_exceptions
    def removeContext(self, context):
        """Remove ``context`` from settings[1] if present."""
        if context in self.settings[1]:
            self.settings[1].remove(context)

    @handle_exceptions
    def queryContext(self, context):
        """True if ``context`` is in settings[1]."""
        return context in self.settings[1]

    @handle_exceptions
    def getUsers(self):
        """Return settings[2]."""
        return self.settings[2]

    @handle_exceptions
    def setUsers(self, users):
        """Set settings[2]."""
        self.settings[2] = users

    @handle_exceptions
    def addUser(self, user):
        """Append ``user`` to settings[2] unless already present."""
        if user not in self.settings[2]:
            self.settings[2].append(user)

    @handle_exceptions
    def removeUser(self, user):
        """Remove ``user`` from settings[2] if present."""
        if user in self.settings[2]:
            self.settings[2].remove(user)

    @handle_exceptions
    def queryUser(self, user):
        """True if ``user`` is in settings[2]."""
        return user in self.settings[2]

    @handle_exceptions
    def getUids(self):
        """Return settings[3]."""
        return self.settings[3]

    @handle_exceptions
    def setUids(self, uids):
        """Set settings[3]."""
        self.settings[3] = uids

    @handle_exceptions
    def addUid(self, uid):
        """Append ``uid`` to settings[3] unless already present."""
        if uid not in self.settings[3]:
            self.settings[3].append(uid)

    @handle_exceptions
    def removeUid(self, uid):
        """Remove ``uid`` from settings[3] if present."""
        if uid in self.settings[3]:
            self.settings[3].remove(uid)

    @handle_exceptions
    def queryUid(self, uid):
        """True if ``uid`` is in settings[3]."""
        return uid in self.settings[3]


# config.policies
class FirewallClientConfigPolicies(object):
    """Proxy for the config.policies interface on the config object.

    Query/get methods convert results with ``dbus_to_python``; add/remove
    methods return nothing.
    """

    @handle_exceptions
    def __init__(self, bus):
        self.bus = bus
        self.dbus_obj = self.bus.get_object(config.dbus.DBUS_INTERFACE,
                                            config.dbus.DBUS_PATH_CONFIG)
        self.fw_policies = dbus.Interface(
            self.dbus_obj,
            dbus_interface=config.dbus.DBUS_INTERFACE_CONFIG_POLICIES)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getLockdownWhitelist(self):
        """Fetch the whitelist and wrap it in FirewallClientPoliciesLockdownWhitelist."""
        return FirewallClientPoliciesLockdownWhitelist(
            list(dbus_to_python(self.fw_policies.getLockdownWhitelist())))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setLockdownWhitelist(self, settings):
        """Replace the whole whitelist with ``settings.settings``."""
        self.fw_policies.setLockdownWhitelist(tuple(settings.settings))

    # command
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def addLockdownWhitelistCommand(self, command):
        """Proxy for ``addLockdownWhitelistCommand``."""
        self.fw_policies.addLockdownWhitelistCommand(command)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def removeLockdownWhitelistCommand(self, command):
        """Proxy for ``removeLockdownWhitelistCommand``."""
        self.fw_policies.removeLockdownWhitelistCommand(command)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def queryLockdownWhitelistCommand(self, command):
        """Proxy for ``queryLockdownWhitelistCommand`` (Python bool)."""
        return dbus_to_python(self.fw_policies.queryLockdownWhitelistCommand(command))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getLockdownWhitelistCommands(self):
        """Proxy for ``getLockdownWhitelistCommands`` (Python list)."""
        return dbus_to_python(self.fw_policies.getLockdownWhitelistCommands())

    # context
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def addLockdownWhitelistContext(self, context):
        """Proxy for ``addLockdownWhitelistContext``."""
        self.fw_policies.addLockdownWhitelistContext(context)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def removeLockdownWhitelistContext(self, context):
        """Proxy for ``removeLockdownWhitelistContext``."""
        self.fw_policies.removeLockdownWhitelistContext(context)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def queryLockdownWhitelistContext(self, context):
        """Proxy for ``queryLockdownWhitelistContext`` (Python bool)."""
        return dbus_to_python(self.fw_policies.queryLockdownWhitelistContext(context))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getLockdownWhitelistContexts(self):
        """Proxy for ``getLockdownWhitelistContexts`` (Python list)."""
        return dbus_to_python(self.fw_policies.getLockdownWhitelistContexts())

    # user
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def addLockdownWhitelistUser(self, user):
        """Proxy for ``addLockdownWhitelistUser``."""
        self.fw_policies.addLockdownWhitelistUser(user)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def removeLockdownWhitelistUser(self, user):
        """Proxy for ``removeLockdownWhitelistUser``."""
        self.fw_policies.removeLockdownWhitelistUser(user)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def queryLockdownWhitelistUser(self, user):
        """Proxy for ``queryLockdownWhitelistUser`` (Python bool)."""
        return dbus_to_python(self.fw_policies.queryLockdownWhitelistUser(user))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getLockdownWhitelistUsers(self):
        """Proxy for ``getLockdownWhitelistUsers`` (Python list)."""
        return dbus_to_python(self.fw_policies.getLockdownWhitelistUsers())

    # uid
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getLockdownWhitelistUids(self):
        """Proxy for ``getLockdownWhitelistUids`` (Python list)."""
        return dbus_to_python(self.fw_policies.getLockdownWhitelistUids())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setLockdownWhitelistUids(self, uids):
        """Proxy for ``setLockdownWhitelistUids``.

        Note the asymmetry: only the uid list has a bulk setter here; the
        command/context/user lists are changed one entry at a time.
        """
        self.fw_policies.setLockdownWhitelistUids(uids)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def addLockdownWhitelistUid(self, uid):
        """Proxy for ``addLockdownWhitelistUid``."""
        self.fw_policies.addLockdownWhitelistUid(uid)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def removeLockdownWhitelistUid(self, uid):
        """Proxy for ``removeLockdownWhitelistUid``."""
        self.fw_policies.removeLockdownWhitelistUid(uid)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def queryLockdownWhitelistUid(self, uid):
        """Proxy for ``queryLockdownWhitelistUid`` (Python bool)."""
        return dbus_to_python(self.fw_policies.queryLockdownWhitelistUid(uid))


# config.direct
class FirewallClientDirect(object):
    """In-memory copy of the permanent "direct" configuration.

    ``settings`` is ``[chains, rules, passthroughs]`` where
    chains are ``(ipv, table, chain)`` tuples,
    rules are ``(ipv, table, chain, priority, args)`` tuples and
    passthroughs are ``(ipv, args)`` tuples.

    NOTE(review): ``args`` are stored verbatim; nothing in this class
    validates them.  Whatever the daemon does with them (presumably handing
    them to the packet-filter tool for ``ipv``) is outside this file, so treat
    anything written through this class as privileged input.
    """

    @handle_exceptions
    def __init__(self, settings=None):
        # Any truthy ``settings`` is taken as-is (no copy).
        if settings:
            self.settings = settings
        else:
            self.settings = [ [], [], [], ]

    @handle_exceptions
    def __repr__(self):
        return '%s(%r)' % (self.__class__, self.settings)

    @handle_exceptions
    def getAllChains(self):
        """Return settings[0], the list of (ipv, table, chain) tuples."""
        return self.settings[0]

    @handle_exceptions
    def getChains(self, ipv, table):
        """Return the chain names registered for ``ipv``/``table``."""
        return [ entry[2] for entry in self.settings[0]
                 if entry[0] == ipv and entry[1] == table ]

    @handle_exceptions
    def setAllChains(self, chains):
        """Set settings[0]."""
        self.settings[0] = chains

    @handle_exceptions
    def addChain(self, ipv, table, chain):
        """Append the chain tuple unless already present."""
        idx = (ipv, table, chain)
        if idx not in self.settings[0]:
            self.settings[0].append(idx)

    @handle_exceptions
    def removeChain(self, ipv, table, chain):
        """Remove the chain tuple if present."""
        idx = (ipv, table, chain)
        if idx in self.settings[0]:
            self.settings[0].remove(idx)

    @handle_exceptions
    def queryChain(self, ipv, table, chain):
        """True if the chain tuple is registered."""
        idx = (ipv, table, chain)
        return idx in self.settings[0]

    @handle_exceptions
    def getAllRules(self):
        """Return settings[1], the list of (ipv, table, chain, priority, args)."""
        return self.settings[1]

    @handle_exceptions
    def getRules(self, ipv, table, chain):
        """Return ``(priority, args)`` pairs for the given ipv/table/chain."""
        return [ entry[3:] for entry in self.settings[1]
                 if entry[0] == ipv and entry[1] == table
                 and entry[2] == chain ]

    @handle_exceptions
    def setAllRules(self, rules):
        """Set settings[1]."""
        self.settings[1] = rules

    @handle_exceptions
    def addRule(self, ipv, table, chain, priority, args):
        """Append the rule tuple unless already present."""
        idx = (ipv, table, chain, priority, args)
        if idx not in self.settings[1]:
            self.settings[1].append(idx)

    @handle_exceptions
    def removeRule(self, ipv, table, chain, priority, args):
        """Remove the rule tuple if present."""
        idx = (ipv, table, chain, priority, args)
        if idx in self.settings[1]:
            self.settings[1].remove(idx)

    @handle_exceptions
    def removeRules(self, ipv, table, chain):
        """Remove every rule registered for the given ipv/table/chain."""
        # iterate over a copy because the loop mutates settings[1]
        for idx in list(self.settings[1]):
            if idx[0] == ipv and idx[1] == table and idx[2] == chain:
                self.settings[1].remove(idx)

    @handle_exceptions
    def queryRule(self, ipv, table, chain, priority, args):
        """True if the rule tuple is registered."""
        idx = (ipv, table, chain, priority, args)
        return idx in self.settings[1]

    @handle_exceptions
    def getAllPassthroughs(self):
        """Return settings[2], the list of (ipv, args) tuples."""
        return self.settings[2]

    @handle_exceptions
    def setAllPassthroughs(self, passthroughs):
        """Set settings[2]."""
        self.settings[2] = passthroughs

    @handle_exceptions
    def removeAllPassthroughs(self):
        """Replace settings[2] with an empty list."""
        self.settings[2] = []

    @handle_exceptions
    def getPassthroughs(self, ipv):
        """Return the ``args`` of every passthrough registered for ``ipv``."""
        return [ entry[1] for entry in self.settings[2]
                 if entry[0] == ipv ]

    @handle_exceptions
    def addPassthrough(self, ipv, args):
        """Append the passthrough tuple unless already present."""
        idx = (ipv, args)
        if idx not in self.settings[2]:
            self.settings[2].append(idx)

    @handle_exceptions
    def removePassthrough(self, ipv, args):
        """Remove the passthrough tuple if present."""
        idx = (ipv, args)
        if idx in self.settings[2]:
            self.settings[2].remove(idx)

    @handle_exceptions
    def queryPassthrough(self, ipv, args):
        """True if the passthrough tuple is registered."""
        idx = (ipv, args)
        return idx in self.settings[2]


# config.direct
class FirewallClientConfigDirect(object):
    """Proxy for the config.direct interface on the config object.

    Only the constructor and ``getSettings`` are in this span; the remaining
    methods of this class follow it.
    """

    @handle_exceptions
    def __init__(self, bus):
        self.bus = bus
        self.dbus_obj = self.bus.get_object(config.dbus.DBUS_INTERFACE,
                                            config.dbus.DBUS_PATH_CONFIG)
        self.fw_direct = dbus.Interface(
            self.dbus_obj,
            dbus_interface=config.dbus.DBUS_INTERFACE_CONFIG_DIRECT)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getSettings(self):
        """Fetch the direct configuration and wrap it in FirewallClientDirect."""
        return FirewallClientDirect(
            list(dbus_to_python(self.fw_direct.getSettings())))
# ---------------------------------------------------------------------------
# FirewallClientConfigDirect (continued).  The ``class`` line, ``__init__``
# and ``getSettings`` precede this span.  Every method here proxies one
# method of the config.direct D-Bus interface held in ``self.fw_direct``;
# query/get methods convert the result with ``dbus_to_python``.
# ``slip.dbus.polkit.enable_proxy`` drives the client-side polkit dialog; the
# access decision is presumably made daemon-side and is not visible here.
# NOTE(review): ``args`` for rules and passthroughs are forwarded verbatim
# with no client-side validation.
# ---------------------------------------------------------------------------

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def update(self, settings):
    """Proxy for ``update``: push the whole ``settings.settings`` tuple."""
    self.fw_direct.update(tuple(settings.settings))

# direct chain
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addChain(self, ipv, table, chain):
    """Proxy for ``addChain``."""
    self.fw_direct.addChain(ipv, table, chain)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeChain(self, ipv, table, chain):
    """Proxy for ``removeChain``."""
    self.fw_direct.removeChain(ipv, table, chain)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def queryChain(self, ipv, table, chain):
    """Proxy for ``queryChain`` (Python bool)."""
    return dbus_to_python(self.fw_direct.queryChain(ipv, table, chain))

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getChains(self, ipv, table):
    """Proxy for ``getChains`` (Python list)."""
    return dbus_to_python(self.fw_direct.getChains(ipv, table))

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getAllChains(self):
    """Proxy for ``getAllChains`` (Python list)."""
    return dbus_to_python(self.fw_direct.getAllChains())

# direct rule
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addRule(self, ipv, table, chain, priority, args):
    """Proxy for ``addRule``."""
    self.fw_direct.addRule(ipv, table, chain, priority, args)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeRule(self, ipv, table, chain, priority, args):
    """Proxy for ``removeRule``."""
    self.fw_direct.removeRule(ipv, table, chain, priority, args)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeRules(self, ipv, table, chain):
    """Proxy for ``removeRules``: drop every rule of one chain."""
    self.fw_direct.removeRules(ipv, table, chain)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def queryRule(self, ipv, table, chain, priority, args):
    """Proxy for ``queryRule`` (Python bool)."""
    return dbus_to_python(self.fw_direct.queryRule(ipv, table, chain, priority, args))

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getRules(self, ipv, table, chain):
    """Proxy for ``getRules`` (Python list)."""
    return dbus_to_python(self.fw_direct.getRules(ipv, table, chain))

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getAllRules(self):
    """Proxy for ``getAllRules`` (Python list)."""
    return dbus_to_python(self.fw_direct.getAllRules())

# tracked passthrough
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addPassthrough(self, ipv, args):
    """Proxy for ``addPassthrough``."""
    self.fw_direct.addPassthrough(ipv, args)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removePassthrough(self, ipv, args):
    """Proxy for ``removePassthrough``."""
    self.fw_direct.removePassthrough(ipv, args)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def queryPassthrough(self, ipv, args):
    """Proxy for ``queryPassthrough`` (Python bool)."""
    return dbus_to_python(self.fw_direct.queryPassthrough(ipv, args))

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getPassthroughs(self, ipv):
    """Proxy for ``getPassthroughs`` (Python list)."""
    return dbus_to_python(self.fw_direct.getPassthroughs(ipv))

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getAllPassthroughs(self):
    """Proxy for ``getAllPassthroughs`` (Python list)."""
    return dbus_to_python(self.fw_direct.getAllPassthroughs())


# config
class FirewallClientConfig(object):
    """Proxy for the permanent-configuration object at DBUS_PATH_CONFIG.

    ``fw_config`` speaks the config interface, ``fw_properties`` speaks
    org.freedesktop.DBus.Properties; ``_policies`` and ``_direct`` are the
    sub-proxies for the policies and direct interfaces on the same object.
    ``get*ByName``/``add*`` methods return a per-object proxy built from the
    D-Bus object path the daemon hands back.  Only the first part of this
    class (through ``getService``) is in this span; the rest follows.
    """

    @handle_exceptions
    def __init__(self, bus):
        self.bus = bus
        self.dbus_obj = self.bus.get_object(config.dbus.DBUS_INTERFACE,
                                            config.dbus.DBUS_PATH_CONFIG)
        self.fw_config = dbus.Interface(
            self.dbus_obj,
            dbus_interface=config.dbus.DBUS_INTERFACE_CONFIG)
        self.fw_properties = dbus.Interface(
            self.dbus_obj, dbus_interface='org.freedesktop.DBus.Properties')
        self._policies = FirewallClientConfigPolicies(self.bus)
        self._direct = FirewallClientConfigDirect(self.bus)

    # properties
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def get_property(self, prop):
        """Read one D-Bus property of the config object, converted to Python."""
        return dbus_to_python(self.fw_properties.Get(
            config.dbus.DBUS_INTERFACE_CONFIG, prop))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def get_properties(self):
        """Read all D-Bus properties of the config object, converted to Python."""
        return dbus_to_python(self.fw_properties.GetAll(
            config.dbus.DBUS_INTERFACE_CONFIG))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def set_property(self, prop, value):
        """Write one D-Bus property of the config object."""
        self.fw_properties.Set(config.dbus.DBUS_INTERFACE_CONFIG, prop, value)

    # ipset
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getIPSetNames(self):
        """Proxy for ``getIPSetNames`` (Python list)."""
        return dbus_to_python(self.fw_config.getIPSetNames())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def listIPSets(self):
        """Proxy for ``listIPSets`` (Python list)."""
        return dbus_to_python(self.fw_config.listIPSets())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getIPSet(self, path):
        """Wrap an existing ipset object path in a FirewallClientConfigIPSet."""
        return FirewallClientConfigIPSet(self.bus, path)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getIPSetByName(self, name):
        """Resolve ``name`` to an object path and wrap it."""
        path = dbus_to_python(self.fw_config.getIPSetByName(name))
        return FirewallClientConfigIPSet(self.bus, path)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def addIPSet(self, name, settings):
        """Create a permanent ipset and return its proxy.

        ``settings`` may be a FirewallClientIPSetSettings or any sequence in
        the same layout; either way a tuple is sent over D-Bus.
        """
        if isinstance(settings, FirewallClientIPSetSettings):
            path = self.fw_config.addIPSet(name, tuple(settings.settings))
        else:
            path = self.fw_config.addIPSet(name, tuple(settings))
        return FirewallClientConfigIPSet(self.bus, path)

    # zone
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getZoneNames(self):
        """Proxy for ``getZoneNames`` (Python list)."""
        return dbus_to_python(self.fw_config.getZoneNames())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def listZones(self):
        """Proxy for ``listZones`` (Python list)."""
        return dbus_to_python(self.fw_config.listZones())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getZone(self, path):
        """Wrap an existing zone object path in a FirewallClientConfigZone."""
        return FirewallClientConfigZone(self.bus, path)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getZoneByName(self, name):
        """Resolve ``name`` to an object path and wrap it."""
        path = dbus_to_python(self.fw_config.getZoneByName(name))
        return FirewallClientConfigZone(self.bus, path)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getZoneOfInterface(self, iface):
        """Proxy for ``getZoneOfInterface`` (permanent configuration)."""
        return dbus_to_python(self.fw_config.getZoneOfInterface(iface))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getZoneOfSource(self, source):
        """Proxy for ``getZoneOfSource`` (permanent configuration)."""
        return dbus_to_python(self.fw_config.getZoneOfSource(source))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def addZone(self, name, settings):
        """Create a permanent zone and return its proxy.

        ``settings`` may be a FirewallClientZoneSettings or any sequence in
        the same layout; either way a tuple is sent over D-Bus.
        """
        if isinstance(settings, FirewallClientZoneSettings):
            path = self.fw_config.addZone(name, tuple(settings.settings))
        else:
            path = self.fw_config.addZone(name, tuple(settings))
        return FirewallClientConfigZone(self.bus, path)

    # service
    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getServiceNames(self):
        """Proxy for ``getServiceNames`` (Python list)."""
        return dbus_to_python(self.fw_config.getServiceNames())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def listServices(self):
        """Proxy for ``listServices`` (Python list)."""
        return dbus_to_python(self.fw_config.listServices())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getService(self, path):
        """Wrap an existing service object path in a FirewallClientConfigService."""
        return FirewallClientConfigService(self.bus, path)
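# ---------------------------------------------------------------------------
# FirewallClientConfig (continued).  The ``class`` line and the methods
# through ``getService`` precede this span.  ``get*ByName``/``add*`` return a
# per-object proxy built from the object path the daemon hands back.
# ---------------------------------------------------------------------------

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getServiceByName(self, name):
    """Resolve ``name`` to an object path and wrap it."""
    path = dbus_to_python(self.fw_config.getServiceByName(name))
    return FirewallClientConfigService(self.bus, path)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addService(self, name, settings):
    """Create a permanent service and return its proxy.

    ``settings`` may be a FirewallClientServiceSettings or any sequence in
    the same layout; either way a tuple is sent over D-Bus.
    """
    if isinstance(settings, FirewallClientServiceSettings):
        path = self.fw_config.addService(name, tuple(settings.settings))
    else:
        path = self.fw_config.addService(name, tuple(settings))
    return FirewallClientConfigService(self.bus, path)

# icmptype
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getIcmpTypeNames(self):
    """Proxy for ``getIcmpTypeNames`` (Python list)."""
    return dbus_to_python(self.fw_config.getIcmpTypeNames())

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def listIcmpTypes(self):
    """Proxy for ``listIcmpTypes`` (Python list)."""
    return dbus_to_python(self.fw_config.listIcmpTypes())

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getIcmpType(self, path):
    """Wrap an existing icmptype object path in a FirewallClientConfigIcmpType."""
    return FirewallClientConfigIcmpType(self.bus, path)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getIcmpTypeByName(self, name):
    """Resolve ``name`` to an object path and wrap it."""
    path = dbus_to_python(self.fw_config.getIcmpTypeByName(name))
    return FirewallClientConfigIcmpType(self.bus, path)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addIcmpType(self, name, settings):
    """Create a permanent icmptype and return its proxy.

    ``settings`` may be a FirewallClientIcmpTypeSettings or any sequence in
    the same layout; either way a tuple is sent over D-Bus.
    """
    if isinstance(settings, FirewallClientIcmpTypeSettings):
        path = self.fw_config.addIcmpType(name, tuple(settings.settings))
    else:
        path = self.fw_config.addIcmpType(name, tuple(settings))
    return FirewallClientConfigIcmpType(self.bus, path)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def policies(self):
    """Return the FirewallClientConfigPolicies sub-proxy built in __init__."""
    return self._policies

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def direct(self):
    """Return the FirewallClientConfigDirect sub-proxy built in __init__."""
    return self._direct

# helper
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getHelperNames(self):
    """Proxy for ``getHelperNames`` (Python list)."""
    return dbus_to_python(self.fw_config.getHelperNames())

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def listHelpers(self):
    """Proxy for ``listHelpers`` (Python list)."""
    return dbus_to_python(self.fw_config.listHelpers())

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getHelper(self, path):
    """Wrap an existing helper object path in a FirewallClientConfigHelper."""
    return FirewallClientConfigHelper(self.bus, path)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getHelperByName(self, name):
    """Resolve ``name`` to an object path and wrap it."""
    path = dbus_to_python(self.fw_config.getHelperByName(name))
    return FirewallClientConfigHelper(self.bus, path)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addHelper(self, name, settings):
    """Create a permanent helper and return its proxy.

    ``settings`` may be a FirewallClientHelperSettings or any sequence in
    the same layout; either way a tuple is sent over D-Bus.
    """
    if isinstance(settings, FirewallClientHelperSettings):
        path = self.fw_config.addHelper(name, tuple(settings.settings))
    else:
        path = self.fw_config.addHelper(name, tuple(settings))
    return FirewallClientConfigHelper(self.bus, path)


#
class FirewallClient(object):
    """Runtime D-Bus client for firewalld.

    The constructor obtains a system-bus connection (slip.dbus when
    available, plain dbus otherwise), subscribes to NameOwnerChanged for the
    daemon's bus name and to every signal on the firewalld interfaces, and
    then connects either immediately or after ``wait`` seconds via GLib.
    Callbacks registered with :meth:`connect` are dispatched from
    :meth:`_signal_receiver`.

    The class continues past this span (source/port/... runtime methods).

    Changes relative to the previous revision of this block:
    * ``_init_vars`` now also clears ``fw_policies``, which
      ``_connection_established`` sets; previously a stale policies proxy
      survived a connection loss while every other proxy was reset.
    * ``getEntries`` converts its result with ``dbus_to_python`` like the
      other getters in this class, so callers get plain Python types.
    """

    @handle_exceptions
    def __init__(self, bus=None, wait=0, quiet=True):
        if not bus:
            dbus.mainloop.glib.DBusGMainLoop(set_as_default=True)
            try:
                self.bus = slip.dbus.SystemBus()
                self.bus.default_timeout = None
            except Exception:
                # Fallback to a plain dbus connection.  NOTE(review): the
                # slip.dbus.polkit.enable_proxy decorators stay in place; how
                # they behave without a slip bus is not visible here.  The
                # notice below is printed regardless of ``quiet``.
                try:
                    self.bus = dbus.SystemBus()
                except dbus.exceptions.DBusException as e:
                    raise FirewallError(errors.DBUS_ERROR,
                                        e.get_dbus_message())
                else:
                    print("Not using slip.dbus")
        else:
            self.bus = bus

        # Track the daemon appearing/disappearing on the bus.
        self.bus.add_signal_receiver(
            handler_function=self._dbus_connection_changed,
            signal_name="NameOwnerChanged",
            dbus_interface="org.freedesktop.DBus",
            arg0=config.dbus.DBUS_INTERFACE)

        # Route every signal of every firewalld interface into
        # _signal_receiver; interface/member/path arrive as keywords.
        for interface in [ config.dbus.DBUS_INTERFACE,
                           config.dbus.DBUS_INTERFACE_IPSET,
                           config.dbus.DBUS_INTERFACE_ZONE,
                           config.dbus.DBUS_INTERFACE_DIRECT,
                           config.dbus.DBUS_INTERFACE_POLICIES,
                           config.dbus.DBUS_INTERFACE_CONFIG,
                           config.dbus.DBUS_INTERFACE_CONFIG_IPSET,
                           config.dbus.DBUS_INTERFACE_CONFIG_ZONE,
                           config.dbus.DBUS_INTERFACE_CONFIG_SERVICE,
                           config.dbus.DBUS_INTERFACE_CONFIG_HELPER,
                           config.dbus.DBUS_INTERFACE_CONFIG_DIRECT,
                           config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE,
                           config.dbus.DBUS_INTERFACE_CONFIG_POLICIES ]:
            self.bus.add_signal_receiver(self._signal_receiver,
                                         dbus_interface=interface,
                                         interface_keyword='interface',
                                         member_keyword='member',
                                         path_keyword='path')

        # callbacks
        # _callback maps a signal name (as produced by _signal_receiver) to
        # (callable, extra_args); _callbacks maps the public callback names
        # accepted by connect() to those signal names.
        self._callback = { }
        self._callbacks = {
            # client callbacks
            "connection-changed": "connection-changed",
            "connection-established": "connection-established",
            "connection-lost": "connection-lost",
            # firewalld callbacks
            "log-denied-changed": "LogDeniedChanged",
            "default-zone-changed": "DefaultZoneChanged",
            "panic-mode-enabled": "PanicModeEnabled",
            "panic-mode-disabled": "PanicModeDisabled",
            "reloaded": "Reloaded",
            "service-added": "ServiceAdded",
            "service-removed": "ServiceRemoved",
            "port-added": "PortAdded",
            "port-removed": "PortRemoved",
            "source-port-added": "SourcePortAdded",
            "source-port-removed": "SourcePortRemoved",
            "protocol-added": "ProtocolAdded",
            "protocol-removed": "ProtocolRemoved",
            "masquerade-added": "MasqueradeAdded",
            "masquerade-removed": "MasqueradeRemoved",
            "forward-port-added": "ForwardPortAdded",
            "forward-port-removed": "ForwardPortRemoved",
            "icmp-block-added": "IcmpBlockAdded",
            "icmp-block-removed": "IcmpBlockRemoved",
            "icmp-block-inversion-added": "IcmpBlockInversionAdded",
            "icmp-block-inversion-removed": "IcmpBlockInversionRemoved",
            "richrule-added": "RichRuleAdded",
            "richrule-removed": "RichRuleRemoved",
            "interface-added": "InterfaceAdded",
            "interface-removed": "InterfaceRemoved",
            "zone-changed": "ZoneOfInterfaceChanged", # DEPRECATED, use zone-of-interface-changed instead
            "zone-of-interface-changed": "ZoneOfInterfaceChanged",
            "source-added": "SourceAdded",
            "source-removed": "SourceRemoved",
            "zone-of-source-changed": "ZoneOfSourceChanged",
            # ipset callbacks
            "ipset-entry-added": "EntryAdded",
            "ipset-entry-removed": "EntryRemoved",
            # direct callbacks
            "direct:chain-added": "ChainAdded",
            "direct:chain-removed": "ChainRemoved",
            "direct:rule-added": "RuleAdded",
            "direct:rule-removed": "RuleRemoved",
            "direct:passthrough-added": "PassthroughAdded",
            "direct:passthrough-removed": "PassthroughRemoved",
            "config:direct:updated": "config:direct:Updated",
            # policy callbacks
            "lockdown-enabled": "LockdownEnabled",
            "lockdown-disabled": "LockdownDisabled",
            "lockdown-whitelist-command-added": "LockdownWhitelistCommandAdded",
            "lockdown-whitelist-command-removed": "LockdownWhitelistCommandRemoved",
            "lockdown-whitelist-context-added": "LockdownWhitelistContextAdded",
            "lockdown-whitelist-context-removed": "LockdownWhitelistContextRemoved",
            "lockdown-whitelist-uid-added": "LockdownWhitelistUidAdded",
            "lockdown-whitelist-uid-removed": "LockdownWhitelistUidRemoved",
            "lockdown-whitelist-user-added": "LockdownWhitelistUserAdded",
            "lockdown-whitelist-user-removed": "LockdownWhitelistUserRemoved",
            # firewalld.config callbacks
            "config:policies:lockdown-whitelist-updated": "config:policies:LockdownWhitelistUpdated",
            "config:ipset-added": "config:IPSetAdded",
            "config:ipset-updated": "config:IPSetUpdated",
            "config:ipset-removed": "config:IPSetRemoved",
            "config:ipset-renamed": "config:IPSetRenamed",
            "config:zone-added": "config:ZoneAdded",
            "config:zone-updated": "config:ZoneUpdated",
            "config:zone-removed": "config:ZoneRemoved",
            "config:zone-renamed": "config:ZoneRenamed",
            "config:service-added": "config:ServiceAdded",
            "config:service-updated": "config:ServiceUpdated",
            "config:service-removed": "config:ServiceRemoved",
            "config:service-renamed": "config:ServiceRenamed",
            "config:icmptype-added": "config:IcmpTypeAdded",
            "config:icmptype-updated": "config:IcmpTypeUpdated",
            "config:icmptype-removed": "config:IcmpTypeRemoved",
            "config:icmptype-renamed": "config:IcmpTypeRenamed",
            "config:helper-added": "config:HelperAdded",
            "config:helper-updated": "config:HelperUpdated",
            "config:helper-removed": "config:HelperRemoved",
            "config:helper-renamed": "config:HelperRenamed",
        }

        # initialize variables used for connection
        self._init_vars()

        self.quiet = quiet

        if wait > 0:
            # connect after ``wait`` seconds; _connection_established returns
            # None, so the GLib timeout fires only once
            GLib.timeout_add_seconds(wait, self._connection_established)
        else:
            self._connection_established()

    @handle_exceptions
    def _init_vars(self):
        """Reset every per-connection proxy and the connected flag.

        Called from __init__ and from _connection_lost.  Everything assigned
        in _connection_established is cleared here, including fw_policies,
        so no stale proxy outlives the connection it belongs to.
        """
        self.fw = None
        self.fw_ipset = None
        self.fw_zone = None
        self.fw_helper = None
        self.fw_direct = None
        self.fw_policies = None
        self.fw_properties = None
        self._config = None
        self.connected = False

    @handle_exceptions
    def getExceptionHandler(self):
        """Return the module-level exception handler used by handle_exceptions."""
        return exception_handler

    @handle_exceptions
    def setExceptionHandler(self, handler):
        """Replace the module-level exception handler (affects all clients)."""
        global exception_handler
        exception_handler = handler

    @handle_exceptions
    def getNotAuthorizedLoop(self):
        """Return the module-level not_authorized_loop flag."""
        return not_authorized_loop

    @handle_exceptions
    def setNotAuthorizedLoop(self, enable):
        """Set the module-level not_authorized_loop flag (affects all clients)."""
        global not_authorized_loop
        not_authorized_loop = enable

    @handle_exceptions
    def connect(self, name, callback, *args):
        """Register ``callback`` for the public callback ``name``.

        ``args`` are appended to the signal arguments on dispatch.  Only one
        callback per signal is kept; a second connect() for the same signal
        replaces the first.  Raises ValueError for an unknown name.
        """
        if name in self._callbacks:
            self._callback[self._callbacks[name]] = (callback, args)
        else:
            raise ValueError("Unknown callback name '%s'" % name)

    @handle_exceptions
    def _dbus_connection_changed(self, name, old_owner, new_owner):
        """NameOwnerChanged handler: (re)connect or tear down."""
        if name != config.dbus.DBUS_INTERFACE:
            return

        if new_owner:
            # connection established
            self._connection_established()
        else:
            # connection lost
            self._connection_lost()

    @handle_exceptions
    def _connection_established(self):
        """Build the runtime proxies and fire the connection callbacks.

        Any failure while creating the proxies is swallowed (printed unless
        ``quiet``) and leaves ``connected`` False; callers that then use the
        runtime methods will hit ``None`` proxies.
        """
        try:
            self.dbus_obj = self.bus.get_object(config.dbus.DBUS_INTERFACE,
                                                config.dbus.DBUS_PATH)
            self.fw = dbus.Interface(self.dbus_obj,
                                     dbus_interface=config.dbus.DBUS_INTERFACE)
            self.fw_ipset = dbus.Interface(
                self.dbus_obj, dbus_interface=config.dbus.DBUS_INTERFACE_IPSET)
            self.fw_zone = dbus.Interface(
                self.dbus_obj, dbus_interface=config.dbus.DBUS_INTERFACE_ZONE)
            self.fw_direct = dbus.Interface(
                self.dbus_obj, dbus_interface=config.dbus.DBUS_INTERFACE_DIRECT)
            self.fw_policies = dbus.Interface(
                self.dbus_obj,
                dbus_interface=config.dbus.DBUS_INTERFACE_POLICIES)
            self.fw_properties = dbus.Interface(
                self.dbus_obj, dbus_interface='org.freedesktop.DBus.Properties')
        except dbus.exceptions.DBusException as e:
            # ignore dbus errors
            if not self.quiet:
                print ("DBusException", e.get_dbus_message())
            return
        except Exception as e:
            if not self.quiet:
                print ("Exception", e)
            return
        self._config = FirewallClientConfig(self.bus)
        self.connected = True
        self._signal_receiver(member="connection-established",
                              interface=config.dbus.DBUS_INTERFACE)
        self._signal_receiver(member="connection-changed",
                              interface=config.dbus.DBUS_INTERFACE)

    @handle_exceptions
    def _connection_lost(self):
        """Drop all proxies and fire the disconnection callbacks."""
        self._init_vars()
        self._signal_receiver(member="connection-lost",
                              interface=config.dbus.DBUS_INTERFACE)
        self._signal_receiver(member="connection-changed",
                              interface=config.dbus.DBUS_INTERFACE)

    @handle_exceptions
    def _signal_receiver(self, *args, **kwargs):
        """Dispatch a D-Bus signal (or an internal pseudo-signal) to its callback.

        The signal name is prefixed according to the emitting interface so
        that e.g. ``ZoneAdded`` on the config interface becomes
        ``config:ZoneAdded`` and matches the ``_callbacks`` table.  Signal
        arguments are converted with dbus_to_python before the callback runs.
        Exceptions raised by the callback are printed and otherwise ignored
        (NOTE(review): a failing callback is therefore easy to miss).
        """
        if "member" not in kwargs or "interface" not in kwargs:
            return

        signal = kwargs["member"]
        interface = kwargs["interface"]

        # config signals need special treatment
        # pimp signal name
        if interface.startswith(config.dbus.DBUS_INTERFACE_CONFIG_ZONE):
            signal = "config:Zone" + signal
        elif interface.startswith(config.dbus.DBUS_INTERFACE_CONFIG_IPSET):
            signal = "config:IPSet" + signal
        elif interface.startswith(config.dbus.DBUS_INTERFACE_CONFIG_SERVICE):
            signal = "config:Service" + signal
        elif interface.startswith(config.dbus.DBUS_INTERFACE_CONFIG_ICMPTYPE):
            signal = "config:IcmpType" + signal
        elif interface.startswith(config.dbus.DBUS_INTERFACE_CONFIG_HELPER):
            signal = "config:Helper" + signal
        elif interface == config.dbus.DBUS_INTERFACE_CONFIG:
            signal = "config:" + signal
        elif interface == config.dbus.DBUS_INTERFACE_CONFIG_POLICIES:
            signal = "config:policies:" + signal
        elif interface == config.dbus.DBUS_INTERFACE_CONFIG_DIRECT:
            signal = "config:direct:" + signal

        cb = None
        for callback in self._callbacks:
            if self._callbacks[callback] == signal and \
               self._callbacks[callback] in self._callback:
                cb = self._callback[self._callbacks[callback]]
        if cb is None:
            return

        # call back with args converted to python types ...
        cb_args = [ dbus_to_python(arg) for arg in args ]
        try:
            if cb[1]:
                # add call data
                cb_args.extend(cb[1])
            # call back
            cb[0](*cb_args)
        except Exception as msg:
            print(msg)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def config(self):
        """Return the FirewallClientConfig built on connection (None before)."""
        return self._config

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def reload(self):
        """Proxy for ``reload``."""
        self.fw.reload()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def complete_reload(self):
        """Proxy for ``completeReload``."""
        self.fw.completeReload()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def runtimeToPermanent(self):
        """Proxy for ``runtimeToPermanent``."""
        self.fw.runtimeToPermanent()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def checkPermanentConfig(self):
        """Proxy for ``checkPermanentConfig``."""
        self.fw.checkPermanentConfig()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def get_property(self, prop):
        """Read one D-Bus property of the runtime object, converted to Python."""
        return dbus_to_python(self.fw_properties.Get(
            config.dbus.DBUS_INTERFACE, prop))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def get_properties(self):
        """Read all D-Bus properties of the runtime object, converted to Python."""
        return dbus_to_python(self.fw_properties.GetAll(
            config.dbus.DBUS_INTERFACE))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def set_property(self, prop, value):
        """Write one D-Bus property of the runtime object."""
        self.fw_properties.Set(config.dbus.DBUS_INTERFACE, prop, value)

    # panic mode

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def enablePanicMode(self):
        """Proxy for ``enablePanicMode``."""
        self.fw.enablePanicMode()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def disablePanicMode(self):
        """Proxy for ``disablePanicMode``."""
        self.fw.disablePanicMode()

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def queryPanicMode(self):
        """Proxy for ``queryPanicMode`` (Python bool)."""
        return dbus_to_python(self.fw.queryPanicMode())

    # list functions

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getZoneSettings(self, zone):
        """Fetch runtime zone settings wrapped in FirewallClientZoneSettings."""
        return FirewallClientZoneSettings(list(dbus_to_python(
            self.fw.getZoneSettings(zone))))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getIPSets(self):
        """Proxy for ``getIPSets`` (Python list)."""
        return dbus_to_python(self.fw_ipset.getIPSets())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getIPSetSettings(self, ipset):
        """Fetch runtime ipset settings wrapped in FirewallClientIPSetSettings."""
        return FirewallClientIPSetSettings(list(dbus_to_python(
            self.fw_ipset.getIPSetSettings(ipset))))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def addEntry(self, ipset, entry):
        """Proxy for ``addEntry``."""
        self.fw_ipset.addEntry(ipset, entry)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getEntries(self, ipset):
        """Proxy for ``getEntries``, converted to a plain Python list.

        Previously returned the raw dbus.Array; now consistent with the
        other getters in this class.
        """
        return dbus_to_python(self.fw_ipset.getEntries(ipset))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setEntries(self, ipset, entries):
        """Proxy for ``setEntries``: replace all entries of ``ipset``.

        Returns whatever the D-Bus call returns (kept for compatibility with
        existing callers).
        """
        return self.fw_ipset.setEntries(ipset, entries)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def removeEntry(self, ipset, entry):
        """Proxy for ``removeEntry``."""
        self.fw_ipset.removeEntry(ipset, entry)

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def queryEntry(self, ipset, entry):
        """Proxy for ``queryEntry`` (Python bool)."""
        return dbus_to_python(self.fw_ipset.queryEntry(ipset, entry))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def listServices(self):
        """Proxy for ``listServices`` (Python list)."""
        return dbus_to_python(self.fw.listServices())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getServiceSettings(self, service):
        """Fetch runtime service settings wrapped in FirewallClientServiceSettings."""
        return FirewallClientServiceSettings(list(dbus_to_python(
            self.fw.getServiceSettings(service))))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def listIcmpTypes(self):
        """Proxy for ``listIcmpTypes`` (Python list)."""
        return dbus_to_python(self.fw.listIcmpTypes())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getIcmpTypeSettings(self, icmptype):
        """Fetch runtime icmptype settings wrapped in FirewallClientIcmpTypeSettings."""
        return FirewallClientIcmpTypeSettings(list(dbus_to_python(
            self.fw.getIcmpTypeSettings(icmptype))))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getHelpers(self):
        """Proxy for ``getHelpers`` (Python list)."""
        return dbus_to_python(self.fw.getHelpers())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getHelperSettings(self, helper):
        """Fetch runtime helper settings wrapped in FirewallClientHelperSettings."""
        return FirewallClientHelperSettings(list(dbus_to_python(
            self.fw.getHelperSettings(helper))))

    # automatic helper setting

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getAutomaticHelpers(self):
        """Proxy for ``getAutomaticHelpers``."""
        return dbus_to_python(self.fw.getAutomaticHelpers())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setAutomaticHelpers(self, value):
        """Proxy for ``setAutomaticHelpers``."""
        self.fw.setAutomaticHelpers(value)

    # log denied

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getLogDenied(self):
        """Proxy for ``getLogDenied``."""
        return dbus_to_python(self.fw.getLogDenied())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setLogDenied(self, value):
        """Proxy for ``setLogDenied``."""
        self.fw.setLogDenied(value)

    # default zone

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getDefaultZone(self):
        """Proxy for ``getDefaultZone``."""
        return dbus_to_python(self.fw.getDefaultZone())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def setDefaultZone(self, zone):
        """Proxy for ``setDefaultZone``."""
        self.fw.setDefaultZone(zone)

    # zone

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getZones(self):
        """Proxy for zone.``getZones`` (Python list)."""
        return dbus_to_python(self.fw_zone.getZones())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getActiveZones(self):
        """Proxy for zone.``getActiveZones``."""
        return dbus_to_python(self.fw_zone.getActiveZones())

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getZoneOfInterface(self, interface):
        """Proxy for zone.``getZoneOfInterface`` (runtime)."""
        return dbus_to_python(self.fw_zone.getZoneOfInterface(interface))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getZoneOfSource(self, source):
        """Proxy for zone.``getZoneOfSource`` (runtime)."""
        return dbus_to_python(self.fw_zone.getZoneOfSource(source))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def isImmutable(self, zone):
        """Proxy for zone.``isImmutable`` (Python bool)."""
        return dbus_to_python(self.fw_zone.isImmutable(zone))

    # interfaces

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def addInterface(self, zone, interface):
        """Proxy for zone.``addInterface``; returns the daemon's reply converted."""
        return dbus_to_python(self.fw_zone.addInterface(zone, interface))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def changeZone(self, zone, interface): # DEPRECATED
        """Deprecated alias kept for callers; use changeZoneOfInterface."""
        return dbus_to_python(self.fw_zone.changeZone(zone, interface))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def changeZoneOfInterface(self, zone, interface):
        """Proxy for zone.``changeZoneOfInterface``."""
        return dbus_to_python(self.fw_zone.changeZoneOfInterface(zone,
                                                                 interface))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def getInterfaces(self, zone):
        """Proxy for zone.``getInterfaces`` (Python list)."""
        return dbus_to_python(self.fw_zone.getInterfaces(zone))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def queryInterface(self, zone, interface):
        """Proxy for zone.``queryInterface`` (Python bool)."""
        return dbus_to_python(self.fw_zone.queryInterface(zone, interface))

    @slip.dbus.polkit.enable_proxy
    @handle_exceptions
    def removeInterface(self, zone, interface):
        """Proxy for zone.``removeInterface``; returns the daemon's reply converted."""
        return dbus_to_python(self.fw_zone.removeInterface(zone, interface))

    # sources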
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addSource(self, zone, source):
    """Call ``addSource`` on the ``fw_zone`` proxy and return the reply as native Python."""
    reply = self.fw_zone.addSource(zone, source)
    return dbus_to_python(reply)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def changeZoneOfSource(self, zone, source):
    """Call ``changeZoneOfSource`` on the ``fw_zone`` proxy and return the converted reply."""
    reply = self.fw_zone.changeZoneOfSource(zone, source)
    return dbus_to_python(reply)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getSources(self, zone):
    """Call ``getSources`` on the ``fw_zone`` proxy and return the converted reply."""
    reply = self.fw_zone.getSources(zone)
    return dbus_to_python(reply)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def querySource(self, zone, source):
    """Call ``querySource`` on the ``fw_zone`` proxy and return the converted reply."""
    reply = self.fw_zone.querySource(zone, source)
    return dbus_to_python(reply)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeSource(self, zone, source):
    """Call ``removeSource`` on the ``fw_zone`` proxy and return the converted reply."""
    reply = self.fw_zone.removeSource(zone, source)
    return dbus_to_python(reply)

# rich rules
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addRichRule(self, zone, rule, timeout=0):
    """Call ``addRichRule`` on the ``fw_zone`` proxy; ``timeout`` is passed through unchanged."""
    reply = self.fw_zone.addRichRule(zone, rule, timeout)
    return dbus_to_python(reply)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getRichRules(self, zone):
    """Call ``getRichRules`` on the ``fw_zone`` proxy and return the converted reply."""
    reply = self.fw_zone.getRichRules(zone)
    return dbus_to_python(reply)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def queryRichRule(self, zone, rule):
    """Call ``queryRichRule`` on the ``fw_zone`` proxy and return the converted reply."""
    reply = self.fw_zone.queryRichRule(zone, rule)
    return dbus_to_python(reply)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeRichRule(self, zone, rule):
    """Call ``removeRichRule`` on the ``fw_zone`` proxy and return the converted reply."""
    reply = self.fw_zone.removeRichRule(zone, rule)
    return dbus_to_python(reply)

# services
@slip.dbus.polkit.enable_proxy
@handle_exceptions
def addService(self, zone, service, timeout=0):
    """Call ``addService`` on the ``fw_zone`` proxy; ``timeout`` is passed through unchanged."""
    reply = self.fw_zone.addService(zone, service, timeout)
    return dbus_to_python(reply)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def getServices(self, zone):
    """Call ``getServices`` on the ``fw_zone`` proxy and return the converted reply."""
    reply = self.fw_zone.getServices(zone)
    return dbus_to_python(reply)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def queryService(self, zone, service):
    """Call ``queryService`` on the ``fw_zone`` proxy and return the converted reply."""
    reply = self.fw_zone.queryService(zone, service)
    return dbus_to_python(reply)

@slip.dbus.polkit.enable_proxy
@handle_exceptions
def removeService(self, zone, service):
    """Call ``removeService`` on the ``fw_zone`` proxy and return the converted reply."""
    reply = self.fw_zone.removeService(zone, service)
    return dbus_to_python(reply)

# ports
@slip.dbus.polkit.enable_proxy @handle_exceptions def addPort(self, zone, port, protocol, timeout=0): return dbus_to_python(self.fw_zone.addPort(zone, port, protocol, timeout)) @slip.dbus.polkit.enable_proxy @handle_exceptions def getPorts(self, zone): return dbus_to_python(self.fw_zone.getPorts(zone)) @slip.dbus.polkit.enable_proxy @handle_exceptions def queryPort(self, zone, port, protocol): return dbus_to_python(self.fw_zone.queryPort(zone, port, protocol)) @slip.dbus.polkit.enable_proxy @handle_exceptions def removePort(self, zone, port, protocol): return dbus_to_python(self.fw_zone.removePort(zone, port, protocol)) # protocols @slip.dbus.polkit.enable_proxy @handle_exceptions def addProtocol(self, zone, protocol, timeout=0): return dbus_to_python(self.fw_zone.addProtocol(zone, protocol, timeout)) @slip.dbus.polkit.enable_proxy @handle_exceptions def getProtocols(self, zone): return dbus_to_python(self.fw_zone.getProtocols(zone)) @slip.dbus.polkit.enable_proxy @handle_exceptions def queryProtocol(self, zone, protocol): return dbus_to_python(self.fw_zone.queryProtocol(zone, protocol)) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeProtocol(self, zone, protocol): return dbus_to_python(self.fw_zone.removeProtocol(zone, protocol)) # masquerade @slip.dbus.polkit.enable_proxy @handle_exceptions def addMasquerade(self, zone, timeout=0): return dbus_to_python(self.fw_zone.addMasquerade(zone, timeout)) @slip.dbus.polkit.enable_proxy @handle_exceptions def queryMasquerade(self, zone): return dbus_to_python(self.fw_zone.queryMasquerade(zone)) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeMasquerade(self, zone): return dbus_to_python(self.fw_zone.removeMasquerade(zone)) # forward ports @slip.dbus.polkit.enable_proxy @handle_exceptions def addForwardPort(self, zone, port, protocol, toport, toaddr, timeout=0): if toport is None: toport = "" if toaddr is None: toaddr = "" return dbus_to_python(self.fw_zone.addForwardPort(zone, port, protocol, 
toport, toaddr, timeout)) @slip.dbus.polkit.enable_proxy @handle_exceptions def getForwardPorts(self, zone): return dbus_to_python(self.fw_zone.getForwardPorts(zone)) @slip.dbus.polkit.enable_proxy @handle_exceptions def queryForwardPort(self, zone, port, protocol, toport, toaddr): if toport is None: toport = "" if toaddr is None: toaddr = "" return dbus_to_python(self.fw_zone.queryForwardPort(zone, port, protocol, toport, toaddr)) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeForwardPort(self, zone, port, protocol, toport, toaddr): if toport is None: toport = "" if toaddr is None: toaddr = "" return dbus_to_python(self.fw_zone.removeForwardPort(zone, port, protocol, toport, toaddr)) # source ports @slip.dbus.polkit.enable_proxy @handle_exceptions def addSourcePort(self, zone, port, protocol, timeout=0): return dbus_to_python(self.fw_zone.addSourcePort(zone, port, protocol, timeout)) @slip.dbus.polkit.enable_proxy @handle_exceptions def getSourcePorts(self, zone): return dbus_to_python(self.fw_zone.getSourcePorts(zone)) @slip.dbus.polkit.enable_proxy @handle_exceptions def querySourcePort(self, zone, port, protocol): return dbus_to_python(self.fw_zone.querySourcePort(zone, port, protocol)) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeSourcePort(self, zone, port, protocol): return dbus_to_python(self.fw_zone.removeSourcePort(zone, port, protocol)) # icmpblock @slip.dbus.polkit.enable_proxy @handle_exceptions def addIcmpBlock(self, zone, icmp, timeout=0): return dbus_to_python(self.fw_zone.addIcmpBlock(zone, icmp, timeout)) @slip.dbus.polkit.enable_proxy @handle_exceptions def getIcmpBlocks(self, zone): return dbus_to_python(self.fw_zone.getIcmpBlocks(zone)) @slip.dbus.polkit.enable_proxy @handle_exceptions def queryIcmpBlock(self, zone, icmp): return dbus_to_python(self.fw_zone.queryIcmpBlock(zone, icmp)) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeIcmpBlock(self, zone, icmp): return 
dbus_to_python(self.fw_zone.removeIcmpBlock(zone, icmp)) # icmp block inversion @slip.dbus.polkit.enable_proxy @handle_exceptions def addIcmpBlockInversion(self, zone): return dbus_to_python(self.fw_zone.addIcmpBlockInversion(zone)) @slip.dbus.polkit.enable_proxy @handle_exceptions def queryIcmpBlockInversion(self, zone): return dbus_to_python(self.fw_zone.queryIcmpBlockInversion(zone)) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeIcmpBlockInversion(self, zone): return dbus_to_python(self.fw_zone.removeIcmpBlockInversion(zone)) # direct chain @slip.dbus.polkit.enable_proxy @handle_exceptions def addChain(self, ipv, table, chain): self.fw_direct.addChain(ipv, table, chain) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeChain(self, ipv, table, chain): self.fw_direct.removeChain(ipv, table, chain) @slip.dbus.polkit.enable_proxy @handle_exceptions def queryChain(self, ipv, table, chain): return dbus_to_python(self.fw_direct.queryChain(ipv, table, chain)) @slip.dbus.polkit.enable_proxy @handle_exceptions def getChains(self, ipv, table): return dbus_to_python(self.fw_direct.getChains(ipv, table)) @slip.dbus.polkit.enable_proxy @handle_exceptions def getAllChains(self): return dbus_to_python(self.fw_direct.getAllChains()) # direct rule @slip.dbus.polkit.enable_proxy @handle_exceptions def addRule(self, ipv, table, chain, priority, args): self.fw_direct.addRule(ipv, table, chain, priority, args) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeRule(self, ipv, table, chain, priority, args): self.fw_direct.removeRule(ipv, table, chain, priority, args) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeRules(self, ipv, table, chain): self.fw_direct.removeRules(ipv, table, chain) @slip.dbus.polkit.enable_proxy @handle_exceptions def queryRule(self, ipv, table, chain, priority, args): return dbus_to_python(self.fw_direct.queryRule(ipv, table, chain, priority, args)) @slip.dbus.polkit.enable_proxy @handle_exceptions def 
getRules(self, ipv, table, chain): return dbus_to_python(self.fw_direct.getRules(ipv, table, chain)) @slip.dbus.polkit.enable_proxy @handle_exceptions def getAllRules(self): return dbus_to_python(self.fw_direct.getAllRules()) # direct passthrough @slip.dbus.polkit.enable_proxy @handle_exceptions def passthrough(self, ipv, args): return dbus_to_python(self.fw_direct.passthrough(ipv, args)) # tracked passthrough @slip.dbus.polkit.enable_proxy @handle_exceptions def getAllPassthroughs(self): return dbus_to_python(self.fw_direct.getAllPassthroughs()) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeAllPassthroughs(self): self.fw_direct.removeAllPassthroughs() @slip.dbus.polkit.enable_proxy @handle_exceptions def getPassthroughs(self, ipv): return dbus_to_python(self.fw_direct.getPassthroughs(ipv)) @slip.dbus.polkit.enable_proxy @handle_exceptions def addPassthrough(self, ipv, args): self.fw_direct.addPassthrough(ipv, args) @slip.dbus.polkit.enable_proxy @handle_exceptions def removePassthrough(self, ipv, args): self.fw_direct.removePassthrough(ipv, args) @slip.dbus.polkit.enable_proxy @handle_exceptions def queryPassthrough(self, ipv, args): return dbus_to_python(self.fw_direct.queryPassthrough(ipv, args)) # lockdown @slip.dbus.polkit.enable_proxy @handle_exceptions def enableLockdown(self): self.fw_policies.enableLockdown() @slip.dbus.polkit.enable_proxy @handle_exceptions def disableLockdown(self): self.fw_policies.disableLockdown() @slip.dbus.polkit.enable_proxy @handle_exceptions def queryLockdown(self): return dbus_to_python(self.fw_policies.queryLockdown()) # policies # lockdown white list commands @slip.dbus.polkit.enable_proxy @handle_exceptions def addLockdownWhitelistCommand(self, command): self.fw_policies.addLockdownWhitelistCommand(command) @slip.dbus.polkit.enable_proxy @handle_exceptions def getLockdownWhitelistCommands(self): return dbus_to_python(self.fw_policies.getLockdownWhitelistCommands()) @slip.dbus.polkit.enable_proxy 
@handle_exceptions def queryLockdownWhitelistCommand(self, command): return dbus_to_python(self.fw_policies.queryLockdownWhitelistCommand(command)) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeLockdownWhitelistCommand(self, command): self.fw_policies.removeLockdownWhitelistCommand(command) # lockdown white list contexts @slip.dbus.polkit.enable_proxy @handle_exceptions def addLockdownWhitelistContext(self, context): self.fw_policies.addLockdownWhitelistContext(context) @slip.dbus.polkit.enable_proxy @handle_exceptions def getLockdownWhitelistContexts(self): return dbus_to_python(self.fw_policies.getLockdownWhitelistContexts()) @slip.dbus.polkit.enable_proxy @handle_exceptions def queryLockdownWhitelistContext(self, context): return dbus_to_python(self.fw_policies.queryLockdownWhitelistContext(context)) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeLockdownWhitelistContext(self, context): self.fw_policies.removeLockdownWhitelistContext(context) # lockdown white list uids @slip.dbus.polkit.enable_proxy @handle_exceptions def addLockdownWhitelistUid(self, uid): self.fw_policies.addLockdownWhitelistUid(uid) @slip.dbus.polkit.enable_proxy @handle_exceptions def getLockdownWhitelistUids(self): return dbus_to_python(self.fw_policies.getLockdownWhitelistUids()) @slip.dbus.polkit.enable_proxy @handle_exceptions def queryLockdownWhitelistUid(self, uid): return dbus_to_python(self.fw_policies.queryLockdownWhitelistUid(uid)) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeLockdownWhitelistUid(self, uid): self.fw_policies.removeLockdownWhitelistUid(uid) # lockdown white list users @slip.dbus.polkit.enable_proxy @handle_exceptions def addLockdownWhitelistUser(self, user): self.fw_policies.addLockdownWhitelistUser(user) @slip.dbus.polkit.enable_proxy @handle_exceptions def getLockdownWhitelistUsers(self): return dbus_to_python(self.fw_policies.getLockdownWhitelistUsers()) @slip.dbus.polkit.enable_proxy @handle_exceptions def 
queryLockdownWhitelistUser(self, user): return dbus_to_python(self.fw_policies.queryLockdownWhitelistUser(user)) @slip.dbus.polkit.enable_proxy @handle_exceptions def removeLockdownWhitelistUser(self, user): self.fw_policies.removeLockdownWhitelistUser(user) @slip.dbus.polkit.enable_proxy @handle_exceptions def authorizeAll(self): """ Authorize once for all polkit actions. """ self.fw.authorizeAll() __init__.pyo000064400000000214147576556050007055 0ustar00 c`c@sdS(N((((s5/usr/lib/python2.7/site-packages/firewall/__init__.pytscommand.pyc000064400000045612147576556050006733 0ustar00 c`c@sdZdgZddlZddlmZddlmZddlmZddl m Z m Z m Z m Z mZdefdYZdS( s<FirewallCommand class for command line client simplificationtFirewallCommandiN(terrors(t FirewallError(t DBusException(t checkIPnMaskt checkIP6nMaskt check_mact check_porttcheck_single_addresscBseZeedZdZdZdZdZdZd+dZ d+dZ d+dZ d+d d Z d+d Zd+d Zd+d+ed ZedZedZedZedZedZd+edZedZedZdZddZedZdZdZdZdZdZ dZ!d+gd Z"d!Z#d"Z$d#Z%d$Z&d%Z'd&Z(d'Z)d(Z*d)Z+d*Z,RS(,cCs(||_||_t|_d|_dS(N(tquiettverbosetTruet'_FirewallCommand__use_exception_handlertNonetfw(tselfR R ((s4/usr/lib/python2.7/site-packages/firewall/command.pyt__init__#s   cCs ||_dS(N(R(RR((s4/usr/lib/python2.7/site-packages/firewall/command.pytset_fw)scCs ||_dS(N(R (Rtflag((s4/usr/lib/python2.7/site-packages/firewall/command.pyt set_quiet,scCs|jS(N(R (R((s4/usr/lib/python2.7/site-packages/firewall/command.pyt get_quiet/scCs ||_dS(N(R (RR((s4/usr/lib/python2.7/site-packages/firewall/command.pyt set_verbose2scCs|jS(N(R (R((s4/usr/lib/python2.7/site-packages/firewall/command.pyt get_verbose5scCs1|dk r-|j r-tjj|dndS(Ns (R R tsyststdouttwrite(Rtmsg((s4/usr/lib/python2.7/site-packages/firewall/command.pyt print_msg8scCs1|dk r-|j r-tjj|dndS(Ns (R R RtstderrR(RR((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_error_msg<scCs=d}d}tjjr,|||}n|j|dS(Nss(RRtisattyR(RRtFAILtEND((s4/usr/lib/python2.7/site-packages/firewall/command.pyt print_warning@s icCs:|dkr|j|n 
|j|tj|dS(Ni(R!RRtexit(RRt exit_code((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_and_exitGs  cCs|j|ddS(Ni(R$(RR((s4/usr/lib/python2.7/site-packages/firewall/command.pytfailRscCs0|dk r,|jr,tjj|dndS(Ns (R R RRR(RR((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_if_verboseUsc Cs1|jdk r|jjng} d} g} x|D]} |dk ry|| } Wqtk r}tjt|}t|dkr|jd|n|j d|||| kr| j |n| d7} q8qXn| j | q8Wx| D]} g}|dk r(||7}nt | t  rXt | t  rX|j | n || 7}|dk r{||7}n|jy||Wnttfk r}t |tr|j|j|j}n t|}tj|}|tjtjtjtjgkr$d}nt|dkrJ|jd|n5|dkrk|jd|dS|j d|||| kr| j |n| d7} nX|jqW| s-t|| ksd| krdSt| dkrtj| dq-t| dkr-tjtjq-ndS(Niis Warning: %ss Error: %s(RR t authorizeAllt ExceptionRtget_codetstrtlenR!R$tappendt isinstancetlistttupletdeactivate_exception_handlerRtfail_if_not_authorizedt get_dbus_nametget_dbus_messageRtALREADY_ENABLEDt NOT_ENABLEDtZONE_ALREADY_SETt ALREADY_SETtactivate_exception_handlerRR"t UNKNOWN_ERROR(Rtcmd_typetoptiont action_methodt query_methodt parse_methodtmessaget start_argstend_argstno_exittitemst_errorst _error_codestitemRtcodet call_item((s4/usr/lib/python2.7/site-packages/firewall/command.pyt__cmd_sequenceYsr                 c Cs&|jd|||||d|dS(NtaddRB(t_FirewallCommand__cmd_sequence(RR;R<R=R>R?RB((s4/usr/lib/python2.7/site-packages/firewall/command.pyt add_sequencesc Cs/|jd|||||d|gd|dS(NRJR@RB(RK(RtxR;R<R=R>R?RB((s4/usr/lib/python2.7/site-packages/firewall/command.pytx_add_sequencesc Cs8|jd|||||d|gd|gd|dS(NRJR@RARB(RK( RtzoneR;R<R=R>R?ttimeoutRB((s4/usr/lib/python2.7/site-packages/firewall/command.pytzone_add_timeout_sequencesc Cs&|jd|||||d|dS(NtremoveRB(RK(RR;R<R=R>R?RB((s4/usr/lib/python2.7/site-packages/firewall/command.pytremove_sequencesc Cs/|jd|||||d|gd|dS(NRRR@RB(RK(RRMR;R<R=R>R?RB((s4/usr/lib/python2.7/site-packages/firewall/command.pytx_remove_sequencesc Cs|g}x|D]}|dk ry||}Wqtk r} t|dkrj|jd| q qtjt| } |jd| | qXn|j|q Wx|D]}g} |dk r| |7} nt |t  rt |t  r| j|n | |7} |j y|| } Wnt k r} |j| jtj| j} t|dkr|jd| jqq|jd| j| nbtk r} tjt| } t|dkr|jd| q|jd| | 
nX|jt|dkrQ|jd||d| fq|j| qW|sxtjdndS( Nis Warning: %ss Error: %ss%s: %stnotyesi(RUsyes(R R(R+R!RR)R*R$R,R-R.R/R0RR1R2R3R8Rtprint_query_resultRR"( RR;R=R>R?R@RBRCRFRRGRHtres((s4/usr/lib/python2.7/site-packages/firewall/command.pyt__query_sequencesR          "cCs |j||||d|dS(NRB(t _FirewallCommand__query_sequence(RR;R=R>R?RB((s4/usr/lib/python2.7/site-packages/firewall/command.pytquery_sequencesc Cs)|j||||d|gd|dS(NR@RB(RZ(RRMR;R=R>R?RB((s4/usr/lib/python2.7/site-packages/firewall/command.pytx_query_sequencescCsft| rbt| rbt| rb|jdoEt|dk rbttjd|n|S(Nsipset:is8'%s' is no valid IPv4, IPv6 or MAC address, nor an ipset(RRRt startswithR+RRt INVALID_ADDR(Rtvalue((s4/usr/lib/python2.7/site-packages/firewall/command.pyt parse_sources  " t/cCsy|j|\}}Wn'tk rBttjd|nXt|sdttj|n|dkrttjd|n||fS(NsTbad port (most likely missing protocol), correct syntax is portid[-portid]%sprotocolttcptudptsctptdccps''%s' not in {'tcp'|'udp'|'sctp'|'dccp'}(RbRcRdRe(tsplitt ValueErrorRRt INVALID_PORTRtINVALID_PROTOCOL(RR_t separatortporttproto((s4/usr/lib/python2.7/site-packages/firewall/command.pyt parse_ports      c CsFd}d}d}d}d}x d||kr,||jddd}|t|d7}d||kr||jddd} n ||} |t| d7}|dkr| }q!|dkr| }q!|dkr| }q!|dkr| }q!|d kr|rq!ttjd |q!W|sHttjd n|scttjd n|pl|sttjd nt|sttj|n|dkrttjd|n|rt| rttj|n|r6t d| r6|st d| r6ttj |q6n||||fS(Nit=it:RkRlttoportttoaddrtifsinvalid forward port arg '%s's missing portsmissing protocolsmissing destinationRbRcRdRes''%s' not in {'tcp'|'udp'|'sctp'|'dccp'}tipv4tipv6(stcpsudpssctpsdccp( R RfR+RRtINVALID_FORWARDRRhRiRR^( RR_tcompatRktprotocolRpRqtitopttval((s4/usr/lib/python2.7/site-packages/firewall/command.pytparse_forward_portsT               cCs_|jd}t|dkr/|ddfSt|dkrE|Sttjd|dS(NRniitisinvalid ipset option '%s'(RfR+RRtINVALID_OPTION(RR_targs((s4/usr/lib/python2.7/site-packages/firewall/command.pytparse_ipset_optionHs cCsDddg}||kr@ttjd|dj|fn|S(NRsRts'invalid argument: %s (choose from '%s')s', '(RRt 
INVALID_IPVtjoin(RR_tipvs((s4/usr/lib/python2.7/site-packages/firewall/command.pytcheck_destination_ipvRs    cCsUy|jdd\}}Wn#tk rAttjdnX|j||fS(NRois(destination syntax is ipv:address[/mask](RfRgRRtINVALID_DESTINATIONR(RR_tipvt destination((s4/usr/lib/python2.7/site-packages/firewall/command.pytparse_service_destinationZs    cCsGdddg}||krCttjd|dj|fn|S(NRsRttebs'invalid argument: %s (choose from '%s')s', '(RRRR(RR_R((s4/usr/lib/python2.7/site-packages/firewall/command.pyt check_ipvbs   cCsGdddg}||krCttjd|dj|fn|S(NR|RsRts'invalid argument: %s (choose from '%s')s', '(RRRR(RR_R((s4/usr/lib/python2.7/site-packages/firewall/command.pytcheck_helper_familyjs   cCsc|jds(ttjd|nt|jdddkr_ttjd|n|S(Nt nf_conntrack_s('%s' does not start with 'nf_conntrack_'R|isModule name '%s' too short(R]RRtINVALID_MODULER+treplace(RR_((s4/usr/lib/python2.7/site-packages/firewall/command.pyt check_modulers c Cs|j}|j}tt|j|}|j}|j} |j} |j} |j } |j } |j }|j }|j }|j}|j}g}|dk r||kr|jdqn|s|r|jdn|r%|ddj|}n|j||jr`|jd||jd|n|jd||jd|rd nd |jd d j||jd d j||jdd jt| |jdd jg| D]}d|d|df^q|jdd jt| |jd| rVd nd |jddjg| D](\}}}}d||||f^qt|jdd jg|D]}d|d|df^q|jdd j||jddj|dS(Ntdefaulttactives (%s)s, s summary: s description: s target: s icmp-block-inversion: %sRVRUs interfaces: t s sources: s services: s ports: s%s/%siis protocols: s masquerade: %ss forward-ports: s s$port=%s:proto=%s:toport=%s:toaddr=%ss source-ports: s icmp-blocks: s rich rules: (t getTargettgetIcmpBlockInversiontsortedtsett getInterfacest getSourcest getServicestgetPortst getProtocolst getMasqueradetgetForwardPortstgetSourcePortst getIcmpBlockst getRichRulestgetDescriptiontgetShortR R,RRR (RROtsettingst default_zonetextra_interfacesttargetticmp_block_inversiont interfacestsourcestservicestportst protocolst masqueradet forward_portst source_portst icmp_blockstrulest descriptiontshort_descriptiont attributesRkRlRpRq((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_zone_info|sX                    -   7  -c Cs|j}|j}|j}|j}|j}|j}|j} |j||jr|jd| 
|jd|n|jddj g|D]} d| d| df^q|jddj ||jd dj g|D]} d| d| df^q|jd dj ||jd dj g|j D]\} } d | | f^q]dS( Ns summary: s description: s ports: Rs%s/%siis protocols: s source-ports: s modules: s destination: s%s:%s( RRRt getModulesRtgetDestinationsRRR RRC( RtserviceRRRRtmodulesRt destinationsRRktktv((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_service_infos*         -  -  cCs|j}|j}|j}t|dkrEddg}n|j||jr|jd||jd|n|jddj|dS(NiRsRts summary: s description: s destination: R(RRRR+RR R(RticmptypeRRRR((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_icmptype_infos     c Cs|j}|j}|j}|j}|j}|j||jrw|jd||jd|n|jd||jddjg|jD](\}} | rd|| fn|^q|jddj|dS(Ns summary: s description: s type: s options: Rs%s=%ss entries: ( tgetTypet getOptionst getEntriesRRRR RRC( RtipsetRt ipset_typetoptionstentriesRRRR((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_ipset_infos       =c Cs|j}|j}|j}|j}|j}|j||jrw|jd||jd|n|jd||jd||jddjg|D]}d|d|d f^qdS( Ns summary: s description: s family: s module: s ports: Rs%s/%sii(Rt getModulet getFamilyRRRR R( RthelperRRtmoduletfamilyRRRk((s4/usr/lib/python2.7/site-packages/firewall/command.pytprint_helper_infos       cCs*|r|jdn|jdddS(NRVRUi(R$(RR_((s4/usr/lib/python2.7/site-packages/firewall/command.pyRWscCs|jsn|j|tjt|}|tjtjtjtj gkri|j d|n|j d||dS(Ns Warning: %ss Error: %s( R R1RR)R*RR4R5R6R7R!R$(Rtexception_messageRG((s4/usr/lib/python2.7/site-packages/firewall/command.pytexception_handlers  cCs,d|kr(d}|j|tjndS(NtNotAuthorizedExceptions`Authorization failed. 
Make sure polkit agent is running or run the application as superuser.(R$RtNOT_AUTHORIZED(RRR((s4/usr/lib/python2.7/site-packages/firewall/command.pyR1s cCs t|_dS(N(tFalseR (R((s4/usr/lib/python2.7/site-packages/firewall/command.pyR0scCs t|_dS(N(R R (R((s4/usr/lib/python2.7/site-packages/firewall/command.pyR8scCsg}t}t|}xu|D]m}|s2Pn|j}t|dks"|ddkrfq"n||kr"|j||j|q"q"W|j|S(Niit#t;(RR(RtopentstripR+R,RJtclose(RtfilenameRt entries_settftline((s4/usr/lib/python2.7/site-packages/firewall/command.pytget_ipset_entries_from_file s    "   N(-t__name__t __module__RRRRRRRR RRR!R$R%R&RKRLRNRQRSRTRZR[R\R`RmR{RRRRRRRRRRRRWRR1R0R8R(((s4/usr/lib/python2.7/site-packages/firewall/command.pyR"sT           J     2     2     1       (t__doc__t__all__RtfirewallRtfirewall.errorsRtdbus.exceptionsRtfirewall.functionsRRRRRtobjectR(((s4/usr/lib/python2.7/site-packages/firewall/command.pyts  (errors.py000064400000010255147576556050006461 0ustar00# -*- coding: utf-8 -*- # # Copyright (C) 2010-2012 Red Hat, Inc. # # Authors: # Thomas Woerner # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see . 
# ALREADY_ENABLED = 11 NOT_ENABLED = 12 COMMAND_FAILED = 13 NO_IPV6_NAT = 14 PANIC_MODE = 15 ZONE_ALREADY_SET = 16 UNKNOWN_INTERFACE = 17 ZONE_CONFLICT = 18 BUILTIN_CHAIN = 19 EBTABLES_NO_REJECT = 20 NOT_OVERLOADABLE = 21 NO_DEFAULTS = 22 BUILTIN_ZONE = 23 BUILTIN_SERVICE = 24 BUILTIN_ICMPTYPE = 25 NAME_CONFLICT = 26 NAME_MISMATCH = 27 PARSE_ERROR = 28 ACCESS_DENIED = 29 UNKNOWN_SOURCE = 30 RT_TO_PERM_FAILED = 31 IPSET_WITH_TIMEOUT = 32 BUILTIN_IPSET = 33 ALREADY_SET = 34 MISSING_IMPORT = 35 DBUS_ERROR = 36 BUILTIN_HELPER = 37 NOT_APPLIED = 38 INVALID_ACTION = 100 INVALID_SERVICE = 101 INVALID_PORT = 102 INVALID_PROTOCOL = 103 INVALID_INTERFACE = 104 INVALID_ADDR = 105 INVALID_FORWARD = 106 INVALID_ICMPTYPE = 107 INVALID_TABLE = 108 INVALID_CHAIN = 109 INVALID_TARGET = 110 INVALID_IPV = 111 INVALID_ZONE = 112 INVALID_PROPERTY = 113 INVALID_VALUE = 114 INVALID_OBJECT = 115 INVALID_NAME = 116 INVALID_FILENAME = 117 INVALID_DIRECTORY = 118 INVALID_TYPE = 119 INVALID_SETTING = 120 INVALID_DESTINATION = 121 INVALID_RULE = 122 INVALID_LIMIT = 123 INVALID_FAMILY = 124 INVALID_LOG_LEVEL = 125 INVALID_AUDIT_TYPE = 126 INVALID_MARK = 127 INVALID_CONTEXT = 128 INVALID_COMMAND = 129 INVALID_USER = 130 INVALID_UID = 131 INVALID_MODULE = 132 INVALID_PASSTHROUGH = 133 INVALID_MAC = 134 INVALID_IPSET = 135 INVALID_ENTRY = 136 INVALID_OPTION = 137 INVALID_HELPER = 138 MISSING_TABLE = 200 MISSING_CHAIN = 201 MISSING_PORT = 202 MISSING_PROTOCOL = 203 MISSING_ADDR = 204 MISSING_NAME = 205 MISSING_SETTING = 206 MISSING_FAMILY = 207 RUNNING_BUT_FAILED = 251 NOT_RUNNING = 252 NOT_AUTHORIZED = 253 UNKNOWN_ERROR = 254 import sys class FirewallError(Exception): def __init__(self, code, msg=None): self.code = code if msg is not None: # escape msg if needed if sys.version < '3': try: x = str(msg) # noqa: F841 except UnicodeEncodeError: msg = unicode(msg).encode("unicode_escape") # noqa: F821 self.msg = msg def __repr__(self): return '%s(%r, %r)' % (self.__class__, self.code, self.msg) def 
__str__(self): if self.msg: return "%s: %s" % (self.errors[self.code], self.msg) return self.errors[self.code] def get_code(msg): if ":" in msg: idx = msg.index(":") ecode = msg[:idx] else: ecode = msg try: code = FirewallError.codes[ecode] except KeyError: code = UNKNOWN_ERROR return code get_code = staticmethod(get_code) mod = sys.modules[FirewallError.__module__] FirewallError.errors = { getattr(mod,varname) : varname for varname in dir(mod) if not varname.startswith("_") and \ type(getattr(mod,varname)) == int } FirewallError.codes = { FirewallError.errors[code] : code for code in FirewallError.errors } errors.pyo000064400000011145147576556050006637 0ustar00 c`c@s?dZdZdZdZdZdZdZdZdZd Z d Z d Z d Z d Z dZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZdZd Z d!Z!d"Z"d#Z#d$Z$d%Z%d&Z&d'Z'd(Z(d)Z)d*Z*d+Z+d,Z,d-Z-d.Z.d/Z/d0Z0d1Z1d2Z2d3Z3d4Z4d5Z5d6Z6d7Z7d8Z8d9Z9d:Z:d;Z;d<Z<d=Z=d>Z>d?Z?d@Z@dAZAdBZBdCZCdDZDdEZEdFZFdGZGdHZHdIZIdJZJdKZKdLZLdMZMdNZNdOdPlOZOdQePfdRYZQeOjReQjSZTdSeUeTDeQ_VdTeQjVDeQ_WdPS(Ui i i iiiiiiiiiiiiiiiiiii i!i"i#i$i%i&idieifigihiiijikiliminioipiqirisitiuiviwixiyizi{i|i}i~iiiiiiiiiiiiiiiiiiiiiiiiiNt FirewallErrorcBs;eZddZdZdZdZeeZRS(cCsp||_|dk rctjdkrcyt|}Wq`tk r\t|jd}q`Xqcn||_dS(Nt3tunicode_escape( tcodetNonetsystversiontstrtUnicodeEncodeErrortunicodetencodetmsg(tselfRR tx((s3/usr/lib/python2.7/site-packages/firewall/errors.pyt__init__ls   cCsd|j|j|jfS(Ns %s(%r, %r)(t __class__RR (R ((s3/usr/lib/python2.7/site-packages/firewall/errors.pyt__repr__wscCs2|jr$d|j|j|jfS|j|jS(Ns%s: %s(R terrorsR(R ((s3/usr/lib/python2.7/site-packages/firewall/errors.pyt__str__zs cCs]d|kr(|jd}|| }n|}ytj|}Wntk rXt}nX|S(Nt:(tindexRtcodestKeyErrort UNKNOWN_ERROR(R tidxtecodeR((s3/usr/lib/python2.7/site-packages/firewall/errors.pytget_codes    N(t__name__t __module__RRRRRt staticmethod(((s3/usr/lib/python2.7/site-packages/firewall/errors.pyRks    cCsMi|]C}|jd rttt|tkr|tt|qS(t_(t startswithttypetgetattrtmodtint(t.0tvarname((s3/usr/lib/python2.7/site-packages/firewall/errors.pys s cCs 
i|]}|tj|qS((RR(R$R((s3/usr/lib/python2.7/site-packages/firewall/errors.pys s (XtALREADY_ENABLEDt NOT_ENABLEDtCOMMAND_FAILEDt NO_IPV6_NATt PANIC_MODEtZONE_ALREADY_SETtUNKNOWN_INTERFACEt ZONE_CONFLICTt BUILTIN_CHAINtEBTABLES_NO_REJECTtNOT_OVERLOADABLEt NO_DEFAULTSt BUILTIN_ZONEtBUILTIN_SERVICEtBUILTIN_ICMPTYPEt NAME_CONFLICTt NAME_MISMATCHt PARSE_ERRORt ACCESS_DENIEDtUNKNOWN_SOURCEtRT_TO_PERM_FAILEDtIPSET_WITH_TIMEOUTt BUILTIN_IPSETt ALREADY_SETtMISSING_IMPORTt DBUS_ERRORtBUILTIN_HELPERt NOT_APPLIEDtINVALID_ACTIONtINVALID_SERVICEt INVALID_PORTtINVALID_PROTOCOLtINVALID_INTERFACEt INVALID_ADDRtINVALID_FORWARDtINVALID_ICMPTYPEt INVALID_TABLEt INVALID_CHAINtINVALID_TARGETt INVALID_IPVt INVALID_ZONEtINVALID_PROPERTYt INVALID_VALUEtINVALID_OBJECTt INVALID_NAMEtINVALID_FILENAMEtINVALID_DIRECTORYt INVALID_TYPEtINVALID_SETTINGtINVALID_DESTINATIONt INVALID_RULEt INVALID_LIMITtINVALID_FAMILYtINVALID_LOG_LEVELtINVALID_AUDIT_TYPEt INVALID_MARKtINVALID_CONTEXTtINVALID_COMMANDt INVALID_USERt INVALID_UIDtINVALID_MODULEtINVALID_PASSTHROUGHt INVALID_MACt INVALID_IPSETt INVALID_ENTRYtINVALID_OPTIONtINVALID_HELPERt MISSING_TABLEt MISSING_CHAINt MISSING_PORTtMISSING_PROTOCOLt MISSING_ADDRt MISSING_NAMEtMISSING_SETTINGtMISSING_FAMILYtRUNNING_BUT_FAILEDt NOT_RUNNINGtNOT_AUTHORIZEDRRt ExceptionRtmodulesRR"tdirRR(((s3/usr/lib/python2.7/site-packages/firewall/errors.pyts $fw_types.pyo000064400000006045147576556050007166 0ustar00 c`c@s#dgZdefdYZdS(tLastUpdatedOrderedDictcBseZd dZdZdZdZdZdZdZ dZ dZ d Z d Z d Zd d ZRS(cCs,i|_g|_|r(|j|ndS(N(t_dictt_listtupdate(tselftx((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pyt__init__s  cCs|j2|jjdS(N(RRtclear(R((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pyRscCs+x$|jD]\}}|||scCs t|S(N(R(R((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pytcopyAscCs|jS(N(R(R((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pytkeysDscCsg|jD]}||^q S(N(R(RR ((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pytvaluesGscCs&||kr||S|||<|SdS(N((RR 
R ((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pyt setdefaultJs  N(Rt __module__tNoneRRRRR RRRRRRRR(((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pyRs            N(t__all__tobjectR(((s5/usr/lib/python2.7/site-packages/firewall/fw_types.pyts functions.pyo000064400000040306147576556050007334 0ustar00 c`c#@sXdddddddddd d d d d ddddddddddddddddddd d!d"g#Zd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d%l m Z d#d&l m Z m Z ejd'kZd(Zd)Zd*d+Zd,Zd-Zd.Zd/Zd0Zd1Zd2Zd3Zd4Zd5Zd6Zd7Zd8Zd9Z d:Z!d;Z"d<Z#d=Z$d>Z%d?Z&d@Z'dAZ(dBZ)dCZ*dDZ+dEZ,dFZ-dGZ.dHZ/dIZ0dJZ1dKZ2dLZ3dMZ4d$S(NtPY2t getPortIDt getPortRangetportStrtgetServiceNametcheckIPtcheckIP6t checkIPnMaskt checkIP6nMaskt checkProtocoltcheckInterfacet checkUINT32tfirewalld_is_activettempFiletreadfilet writefiletenable_ip_forwardingtget_nf_conntrack_helper_settingtset_nf_conntrack_helper_settingt check_portt check_addresstcheck_single_addresst check_mactuniqifyt ppid_of_pidtmax_zone_name_lent checkUsertcheckUidt checkCommandt checkContexttjoinArgst splitArgstb2utu2bt u2b_if_py2iN(tlog(tFIREWALLD_TEMPDIRtFIREWALLD_PIDFILEt3cCst|tr|}nd|r-|j}nyt|}Wn<tk r{ytj|}Wq|tjk rwdSXnX|dkrdS|S(s Check and Get port id from port string or port id using socket.getservbyname @param port port string or port id @return Port id if valid, -1 if port can not be found and -2 if port is too big iii(t isinstancetinttstript ValueErrortsockett getservbynameterror(tportt_id((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR.s    c Cs>t|ts|jr>t|}|dkr:|fS|S|jd}t|dkr|djr|djrt|d}t|d}|dkr|dkr||kr||fS||kr||fS|fSqng}xtt|ddD]}tdj|| }dj||}t|dkrt|}|dkr|dkr||kr|j||fq||kr|j||fq|j|fqq|dkr|j|f|t|krPqqqWt|dkr dSt|dkr6dS|dS(sI Get port range for port range string or single port id @param ports an integer or port string or port range string @return Array containing start and end port id for a valid range or -1 if port can not be found and -2 if port is too big for integer input or -1 for invalid ranges or None if the range is ambiguous. 
it-iiiN( R'R(tisdigitRtsplittlentrangetjointappendtNone(tportstid1tsplitstid2tmatchedtitport2((s6/usr/lib/python2.7/site-packages/firewall/functions.pyREsH  2          t:cCsr|dkrdSt|}t|tr;|dkr;dSt|dkrUd|Sd|d||dfSdS(s Create port and port range string @param port port or port range int or [int, int] @param delimiter of the output string for port ranges, default ':' @return Port or port range string, empty string if port isn't specified, None if port or port range is not valid tiis%ss%s%s%sN(RR'R(R7R3(R.t delimitert_range((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR{s  cCst|}t|}t|dkr>|t|dkSt|dkr|t|dkr|t|dkrtStS(Niii(RRR3tTruetFalse(R.R4t_portRB((s6/usr/lib/python2.7/site-packages/firewall/functions.pytportInPortRanges  ,cCs8ytjt||}Wntjk r3dSX|S(s Check and Get service name from port and proto string combination using socket.getservbyport @param port string or id @param protocol string @return Service name if port and protocol are valid, else None N(R+t getservbyportR(R-R7(R.tprototname((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs cCs3ytjtj|Wntjk r.tSXtS(sl Check IPv4 address. @param ip address string @return True if address is valid, else False (R+t inet_ptontAF_INETR-RDRC(tip((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs cCs |jdS(s Normalize the IPv6 address This is mostly about converting URL-like IPv6 address to normal ones. e.g. [1234::4321] --> 1234:4321 s[](R)(RL((s6/usr/lib/python2.7/site-packages/firewall/functions.pyt normalizeIP6scCs9ytjtjt|Wntjk r4tSXtS(sl Check IPv6 address. 
@param ip address string @return True if address is valid, else False (R+RJtAF_INET6RMR-RDRC(RL((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs cCsd|kra||jd }||jdd}t|dksZt|dkrmtSn |}d}t|s}tS|rd|krt|Syt|}Wntk rtSX|dks|dkrtSntS(Nt/it.ii (tindexR3RDR7RR(R*RC(RLtaddrtmaskR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs& $    cCsd|kra||jd }||jdd}t|dksZt|dkrmtSn |}d}t|s}tS|ryt|}Wntk rtSX|dks|dkrtSntS(NROiii(RQR3RDR7RR(R*RC(RLRRRSR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs" $  cCsmyt|}Wn:tk rLytj|Wqitjk rHtSXnX|dkse|dkritStS(Nii(R(R*R+tgetprotobynameR-RDRC(tprotocolR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR s  cCsN| st|dkrtSx*ddddgD]}||kr0tSq0WtS(s Check interface string @param interface string @return True if interface is valid (maximum 16 chars and does not contain ' ', '/', '!', ':', '*'), else False it ROt!t*(R3RDRC(tifacetch((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR s  cCsHyt|d}Wntk r'tSX|dkrD|dkrDtStS(NiI(R(R*RDRC(tvaltx((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR s cCstjjtstSy(ttd}|j}WdQXWntk rRtSXtjjd|smtSy,td|d}|j}WdQXWntk rtSXd|krtStS(sv Check if firewalld is active @return True if there is a firewalld pid file and the pid is used by firewalld trNs/proc/%ss/proc/%s/cmdlinet firewalld( tostpathtexistsR%RDtopentreadlinet ExceptionRC(tfdtpidtcmdline((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR !s"   c CsyyKtjjts(tjtdntjdddddtdtSWn'tk rt}t j d|nXdS( Nitmodetwttprefixstemp.tdirtdeletes#Failed to create temporary file: %s( R_R`RaR$tmkdirttempfiletNamedTemporaryFileRDRdR#R-R7(tmsg((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR >scCsWy&t|d}|jSWdQXWn*tk rR}tjd||fnXdS(NR]sFailed to read file "%s": %s(Rbt readlinesRdR#R-R7(tfilenametfte((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRJs cCs[y)t|d}|j|WdQXWn+tk rV}tjd||ftSXtS(Ntws Failed to write to file "%s": 
%s(RbtwriteRdR#R-RDRC(RrtlineRsRt((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRRscCs6|dkrtddS|dkr2tddStS(Ntipv4s/proc/sys/net/ipv4/ip_forwards1 tipv6s&/proc/sys/net/ipv6/conf/all/forwarding(RRD(tipv((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR[s     cCs|jddjddS(Nt_R0s nf-conntrack-R@(treplace(tmodule((s6/usr/lib/python2.7/site-packages/firewall/functions.pytget_nf_conntrack_short_namebscCs>yttddSWntk r9tjddSXdS(Ns+/proc/sys/net/netfilter/nf_conntrack_helperis3Failed to get and parse nf_conntrack_helper setting(R(RRdR#twarning(((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRes   cCstd|rdndS(Ns+/proc/sys/net/netfilter/nf_conntrack_helpers1 s0 (R(tflag((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRlscCst|}|dksV|dksV|dksVt|dkr|d|dkr|dkrvtjd|nz|dkrtjd|nZ|dkrtjd|n:t|dkr|d|dkrtjd |ntStS( Niiiiis'%s': port > 65535s'%s': port is invalids'%s': port is ambiguouss'%s': range start >= end(RR7R3R#tdebug2RDRC(R.RB((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRps $&   &cCs4|dkrt|S|dkr,t|StSdS(NRxRy(RRRD(Rztsource((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs     cCs4|dkrt|S|dkr,t|StSdS(NRxRy(RRRD(RzR((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs     c Csgt|dkrcx"dD]}||dkrtSqWx%dD]}||tjkr>tSq>WtStS(Ni iiii iR?iiiiiii i i iii(iiii i( iiiiiii i i i ii(R3RDtstringt hexdigitsRC(tmacR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs  cCs7g}x*|D]"}||kr |j|q q W|S(N(R6(t_listtoutputR\((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs   cCsVy=tjd|}t|jdj}|jWntk rQdSX|S(s Get parent for pid sps -o ppid -h -p %d 2>/dev/nulliN(R_tpopenR(RqR)tcloseRdR7(RfRs((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs cCs=ddlm}ttt|j}d|tdS(s Netfilter limits length of chain to (currently) 28 chars. The longest chain we create is FWDI__allow, which leaves 28 - 11 = 17 chars for . 
i(t SHORTCUTSit__allow(tfirewall.core.baseRtmaxtmapR3tvalues(Rtlongest_shortcut((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRsc Cstt|dks-t|tjdkr1tSx<|D]4}|tjkr8|tjkr8|dkr8tSq8WtS(NitSC_LOGIN_NAME_MAXRPR0R{t$(RPR0R{R(R3R_tsysconfRDRt ascii_letterstdigitsRC(tusertc((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs-  cCsWt|tr7yt|}Wq7tk r3tSXn|dkrS|dkrStStS(NiiiiIi(R'tstrR(R*RDRC(tuid((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs cCsjt|dks$t|dkr(tSx'dddgD]}||kr8tSq8W|ddkrftStS(Niit|s tiRO(R3RDRC(tcommandRZ((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs$ cCs|jd}t|d kr%tS|ddkrM|dddkrMtS|ddd kretS|d dd kr}tSt|d dkrtStS(NR?iiitrootit_uit_rit_ti(ii(R2R3RDRC(tcontextR:((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs$cCsDdttkr)djd|DSdjd|DSdS(NtquoteRVcss|]}tj|VqdS(N(tshlexR(t.0ta((s6/usr/lib/python2.7/site-packages/firewall/functions.pys scss|]}tj|VqdS(N(tpipesR(RR((s6/usr/lib/python2.7/site-packages/firewall/functions.pys s(RkRR5(targs((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRscCsNtr=t|tr=t|}tj|}tt|Stj|SdS(N(RR'tunicodeR!RR2RR (t_stringR:((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs   cCs#t|tr|jddS|S(s bytes to unicode sUTF-8R|(R'tbytestdecode(R((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR scCs#t|ts|jddS|S(s unicode to bytes sUTF-8R|(R'Rtencode(R((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR!scCs)tr%t|tr%|jddS|S(s" unicode to bytes only if Python 2sUTF-8R|(RR'RR(R((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR"s(5t__all__R+R_tos.pathRRRtsysRntfirewall.core.loggerR#tfirewall.configR$R%tversionRRRRRFRRRMRRRR R R R R RRRR~RRRRRRRRRRRRRRRR R!R"(((s6/usr/lib/python2.7/site-packages/firewall/functions.pytsr                 6