c`c@sdgZddlZddlZddlZddlZddlZddlmZddlm Z ddl m Z ddl m Z ddl m Z ddl mZdd l mZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZddlmZddl m!Z!ddl"m#Z#ddl$m%Z%ddl&m'Z'ddl(m)Z)ddl*m+Z+ddl,m-Z-m.Z.ddl/m0Z0ddl1m2Z2ddlm3Z3ddl4m5Z5de6fdYZ7dS(tFirewalliN(tconfig(t functions(t ipXtables(tebtables(tnftables(tipset(tmodules(tFirewallIcmpType(tFirewallService(t FirewallZone(tFirewallDirect(tFirewallConfig(tFirewallPolicies(t FirewallIPSet(tFirewallTransaction(tFirewallHelper(tlog(tfirewalld_conf(tDirect(tservice_reader(ticmptype_reader(t zone_readertZone(t ipset_reader(t helper_reader(terrors(t FirewallErrorcBseZdZdZdZdZdZdZeedZ dZ edZ d Z d Z d Zd Zd ZdZdZdZdZdZdZdZdZedZedZedZedZdZdZdZ dZ!dZ"dZ#d Z$d!Z%d"Z&d#Z'd$Z(d%Z)ed&Z*d'Z+d(Z,d)Z-d*Z.d+Z/d,Z0d-Z1d.Z2d/Z3d0Z4RS(1cCs@ttj|_tj||_t|_g|_ tj ||_ t|_ g|_ tj|_t|_tj|_t|_g|_tj||_t|_tj|_t||_t||_t||_t ||_!t"||_t#|_$t%||_t&||_'|j(dS(N()RRtFIREWALLD_CONFt_firewalld_confRt ip4tablestip4tables_backendtTruetip4tables_enabledtip4tables_supported_icmp_typest ip6tablestip6tables_backendtip6tables_enabledtip6tables_supported_icmp_typesRtebtables_backendtebtables_enabledRt ipset_backendt ipset_enabledtipset_supported_typesRtnftables_backendtnftables_enabledRtmodules_backendRticmptypeR tserviceR tzoneR tdirectR R tpoliciesRRthelpert_Firewall__init_vars(tself((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt__init__?s0         cCshd|j|j|j|j|j|j|j|j|j|j |j |j |j |j |j|jfS(Ns>%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)(t __class__R!R%R(t_statet_panict _default_zonet_module_refcountt_markst _min_marktcleanup_on_exittipv6_rpfilter_enabledR*t_individual_callst _log_deniedt_automatic_helpers(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt__repr__]scCsd|_t|_d|_i|_g|_tj|_tj |_ tj |_ tj 
|_tj|_tj|_tj|_d|_tj|_dS(NtINITti(R9tFalseR:R;R<R=RtFALLBACK_MINIMAL_MARKR>tFALLBACK_CLEANUP_ON_EXITR?tFALLBACK_IPV6_RPFILTERR@tFALLBACK_INDIVIDUAL_CALLSRAtFALLBACK_LOG_DENIEDRBtFALLBACK_AUTOMATIC_HELPERSRCtFALLBACK_FIREWALL_BACKENDt_firewall_backendtnf_conntrack_helper_settingtFALLBACK_ALLOW_ZONE_DRIFTINGt_allow_zone_drifting(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt __init_varsfs             cCs|jS(N(RA(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytindividual_callswscCs|jr=d|jdjkr=tjdt|_n|jrzd|jdjkrztjdt|_n|jrd|jdjkrtjdt|_n|j r|j r|j rtj dt j d ndS( Ntfiltertipv4s-iptables not usable, disabling IPv4 firewall.tipv6s.ip6tables not usable, disabling IPv6 firewall.tebs8ebtables not usable, disabling ethernet bridge firewall.sNo IPv4 and IPv6 firewall.i( R!tget_backend_by_ipvtget_available_tablesRtwarningRGR%R(R-tfataltsystexit(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt _check_tableszs            cCsy|jjWn0tk rCtjdt|_g|_nX|jj|_|j j |j j s|j j rtjdqtjdt|_ n|j r|j j|_n g|_|jj |jj s|jj rtjdqtjdt|_n|jr7|jj|_n g|_|jj |jj s|jj rutjdqtjdt|_n|jr|j r|jj rtjdndS( Ns4ipset not usable, disabling ipset usage in firewall.sFiptables-restore is missing, using individual calls for IPv4 firewall.sCiptables-restore and iptables are missing, disabling IPv4 firewall.sGip6tables-restore is missing, using individual calls for IPv6 firewall.sEip6tables-restore and ip6tables are missing, disabling IPv6 firewall.sHebtables-restore is missing, using individual calls for bridge firewall.sEebtables-restore and ebtables are missing, disabling bridge firewall.sSebtables-restore is not supporting the --noflush option, will therefore not be used(R)tset_listt ValueErrorRR[RGR*R+tset_supported_typesRt fill_existstrestore_command_existstcommand_existsR!tsupported_icmp_typesR"R$R%R&R'R(RAtrestore_noflush_optiontdebug1(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt _start_checksD                        cCsw tj}tjdtjy|jjWn-tk r\}tj|tjdnX|jj dr|jj 
d}n|jj drt |jj d|_ n|jj dr|jj d}|dk r|j d<krt|_ntjd|jn|jj d r|jj d }|dk r|j d=krtjd y|jjWqtk rqXqn|jj d r|jj d }|dk r|j d>krt|_n|j d?krt|_qqn|jrtjdn tjd|jj dr|jj d}|dk r|j d@krtjdt|_qn|jj dr|jj d}|dks|j dkrd|_q|j |_tjd|jn|jj dr|jj d}|dk r|j dAkrId|_n-|j dBkrgd |_n|j |_tjd|jqn|jj dr|jj d}|j dCkrt|_nt|_tjdtjd|jn|jjtj|j|j|j|jtjdy|jjjWn]tk r}|jj rtj!d|jjj"|qtjd|jjj"|nX|jj#tj|j|j$tj%d|j$tj&d|j$tj'd|j$tj(dt)|j*j+dkrGtj!dn|j$tj,d |j$tj-d |j$tj.d!|j$tj/d!t)|j0j1dkrtj!d"n|j$tj2d#|j$tj3d#t)|j4j5dkrtj6d$t7j8d%nt}xEd&d'd(gD]4}||j4j5kr2tj6d)|t}q2q2W|rt7j8d%n||j4j5krd*|j4j5krd*}n$d+|j4j5krd+}nd&}tj!d,|||}ntjd-|t9tj:} t;j<j=tj:rxtjd.tj:y| jWqxtk rt}tj!d/tj:|qxXn|j>j?| |jj@tj| |jAd0gt\} }| dkrtjd1|n|jd2krtBjC|jd kntBjD|_E|jFtjGdkr>tHjH} ntI|} |jJd3| |rf|s~|jKr|jLjMr| jNt| jOn|r|rtjd4|jPjQn|jRd3| | jNt| jO|jKr |jLjMr tjd5|jLjSntjd6|jTd3| tjd7|j4jUd3| |jV||_W|j4jXd|jWd3| | jNt| jO|j>jYr: tjd8|j>jZ| y| jNt| jOWq: tk r# } t| j[d9| j\r | j\nd:q: tk r6 q: Xn~ tjGd%krs tHjH}tj]d;|| ndS(DNs"Loading firewalld config file '%s's0Using fallback firewalld configuration settings.t DefaultZonet MinimalMarkt CleanupOnExittnotfalsesCleanupOnExit is set to '%s'tLockdowntyesttruesLockdown is enabledt IPv6_rpfiltersIPv6 rpfilter is enabledsIPV6 rpfilter is disabledtIndividualCallssIndividualCalls is enabledt LogDeniedtoffsLogDenied is set to '%s'tAutomaticHelperssAutomaticHelpers is set to '%s'tAllowZoneDriftingsAllowZoneDrifting is enabled. This is considered an insecure configuration option. It will be removed in a future release. Please consider disabling it now.s AllowZoneDrifting is set to '%s'sLoading lockdown whitelists*Failed to load lockdown whitelist '%s': %sRR/isNo icmptypes found.R4R0sNo services found.R1sNo zones found.itblocktdropttrustedsZone '%s' is not available.tpublictexternals+Default zone '%s' is not valid. 
Using '%s'.sUsing default zone '%s'sLoading direct rules file '%s's)Failed to load direct rules file '%s': %st nf_conntracks&Failed to load nf_conntrack module: %stsystemtuse_transactionsUnloading firewall modulessApplying ipsetssApplying default rule setsApplying used zoness2Applying direct chains rules and passthrough ruless Direct: %sRFs%Flushing and applying took %f seconds(RmRn(syesRq(RmRn(syesRq(syesRq(RmRn(syesRq(RmRn(^Rt FALLBACK_ZONERRhRRtreadt ExceptionR[tgettintR>tNonetlowerRGR?R3tenable_lockdownRR@R RARBRCRRtset_firewalld_conftcopytdeepcopyt_select_firewall_backendRORitlockdown_whitelisttquery_lockdownterrortfilenamet set_policiest_loadertFIREWALLD_IPSETStETC_FIREWALLD_IPSETStFIREWALLD_ICMPTYPEStETC_FIREWALLD_ICMPTYPEStlenR/t get_icmptypestFIREWALLD_HELPERStETC_FIREWALLD_HELPERStFIREWALLD_SERVICEStETC_FIREWALLD_SERVICESR0t get_servicestFIREWALLD_ZONEStETC_FIREWALLD_ZONESR1t get_zonesR\R]R^RtFIREWALLD_DIRECTtostpathtexistsR2tset_permanent_configt set_directthandle_modulesRtset_nf_conntrack_helper_settingtget_nf_conntrack_helper_settingRPR_tgetDebugLogLevelttimeRtflushR*Rt has_ipsetstexecutetclearR.tunload_firewall_modulestapply_default_tablest apply_ipsetstapply_default_rulest apply_zonest check_zoneR;tchange_default_zonethas_configurationt apply_directtcodetmsgtdebug2(R6treloadtcomplete_reloadt default_zoneRtvalueRtzR1tobjtstatusttm1t transactiontettm2((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt_startsR                                                      +   cCsUy|jWn*tk r:d|_|jdnXd|_|jddS(NtFAILEDtACCEPTtRUNNING(RRR9t set_policy(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytstarts    c Cstjj|sdS|r|jtjr}|dkr}t}tjj||_|j |j||_t |_ qt }nx[t tj |D]D}|jds|jtjr|dkrtjjd||fr|jd||f|dtqqnd||f}tjd||yP|dkrAt||}|j|jjkr|jj|j}tjd||j|j|j|jj|jn!|jjtjrt|_ ny|jj|Wn3tk r$} tjd|jt| fnX|jjtj|nE|d krt||}|j|j j!kr|j j"|j}tjd||j|j|j|j j#|jn!|jjtjrt|_ n|j j$||jj$tj|nx|dkrt%||d |}|rzdtjj|tjj|d d !f|_|j |jntj|} |j|j&j'kr#|j&j(|j}|j&j)|j|j*rtjd 
||j|||j+|qMtjd||j|j|jn*|jjtjrMt|_ t| _ n|jj,| |rtjd ||j|||j+|q|j&j,|n|dkrt-||}|j|j.j/kr"|j.j0|j}tjd||j|j|j|j.j1|jn!|jjtjrCt|_ ny|j.j2|Wn3tk r} tj3d|jt| fnX|jj2tj|n|dkrvt4||}|j|j5j6kr)|j5j7|j}tjd||j|j|j|j5j8|jn!|jjtjrJt|_ n|j5j9||jj9tj|ntj:d|Wqtk r} tj;d||| qt<k rtj;d||tj=qXqW|r|j*r|j|j&j'kr|j&j(|j}tjd||j|j|jy|j&j)|jWnt<k rlnX|jj>|jn|j&j,|ndS(NR1s.xmls%s/%stcombinesLoading %s file '%s'R/s Overloads %s '%s' ('%s/%s')s%s: %s, ignoring for run-time.R0t no_check_nameiis Combining %s '%s' ('%s/%s')RR4sUnknown reader type %ssFailed to load %s file '%s': %ssFailed to load %s file '%s':s0 Overloading and deactivating %s '%s' ('%s/%s')(?RRtisdirt startswithRt ETC_FIREWALLDRtbasenametnamet check_nameRGtdefaulttsortedtlistdirtendswithRR RRhRR/Rt get_icmptypeRtremove_icmptypet add_icmptypeRtinfo1tstrRRRR0Rt get_servicetremove_servicet add_serviceRR1Rtget_zonet remove_zonetcombinedRtadd_zoneRRt get_ipsetst get_ipsett remove_ipsett add_ipsetR[RR4t get_helperst get_helpert remove_helpert add_helperR\RRt exceptiont forget_zone( R6Rt reader_typeRt combined_zoneRRRtorig_objRt config_objR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRs                                                cCs|jj|jj|jj|jj|jj|jj|jj|jj|j j|j dS(N( R/tcleanupR0R1RR4RR2R3RR5(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRls         cCs>|jr0|j|jd|jjn|jdS(NR(R?RRR.RR(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytstopxs    cCs=|j}x||jkr(|d7}q W|jj||S(Ni(R>R=tappend(R6ti((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytnew_marks  cCs|jj|dS(N(R=tremove(R6tmark((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytdel_marksc Cs"d}d}x t|D]\}}|rF|jj|\}}n4|j|dkrbd}n|jj|\}}|dkr|d7}||7}qn|r|jj|d|j|cd7|j|jn|jrZ|j|jn|jrv|j|jn|S(N( R-RR,R!RR%R$R(R'(R6tbackends((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytenabled_backendss    cCszg}|jr"|j|jn|jr>|j|jn|jrZ|j|jn|jrv|j|jn|S(N( R!RRR%R$R(R'R-R,(R6R ((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRs    
cCsn|dkrt|}n|}x*|jD]}|j||jq.W|dkrj|jtndS(N(RRR t add_rulestbuild_default_tablesRR (R6RRR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRs  cCs3|dkrt|}n|}x6|jD](}|j|j}|j||q.W|jdr|jd}|jrd|j kr|j t |j |j |j}|j||y|j t Wn#tk r}tjd|nX|j qn|dkr/|j t ndS(NRWtraws+Applying rules for ipv6_rpfilter failed: %s(RRR tbuild_default_rulesRBRR RYR@RZRR Rtbuild_rpfilter_rulesRRR[(R6RRRtrulest ipv6_backendR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRs*     cCs|dkrt|}n|}tjdx0|jD]"}|j}|j||q;W|dkr}|jtndS(NsFlushing rule set( RRRRhRtbuild_flush_rulesRRR (R6RRRR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR+s    cCs|dkrt|}n|}tjd|x3|jD]%}|j|}|j||q>W|dkr|jtndS(NsSetting policy to '%s'( RRRRhR tbuild_set_policy_rulesRRR (R6tpolicyRRRR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR:s  cCs^|s dS|j|}|s8ttjd|n|j|sKdS|j||jS(NRFs'%s' is not a valid backend(RRRRR tset_ruleRB(R6t backend_nametruleR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRKs c Cs\ttd|}|j|}|sCttjd|n|j|sVdS|js|j s|dkrE|j j rExt |D]\}}y|j ||jWqtk r<}tjtjtj|xLt|| D]:}y |j |j||jWqtk r.qXqW|qXqWtS|j||jSdS(Ns'%s' is not a valid backendRFR(tlistRURRRRRR RARdR'RgRRRBRRRht tracebackt format_excRtreversedt reverse_ruleR t set_rules(R6RRt_rulesRRRR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRYs0      cCs|jrttjndS(N(R:RRt PANIC_MODE(R6((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt check_paniczs cCsV|}| s|dkr(|j}n||jjkrRttj|n|S(NRF(tget_default_zoneR1RRRt INVALID_ZONE(R6R1t_zone((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR~s cCs(tj|s$ttj|ndS(N(RtcheckInterfaceRRtINVALID_INTERFACE(R6t interface((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytcheck_interfacescCs|jj|dS(N(R0t check_service(R6R0((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR+scCs(tj|s$ttj|ndS(N(Rt check_portRRt INVALID_PORT(R6tport((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR,scCsA|sttjn|dkr=ttjd|ndS(Nttcptudptsctptdccps''%s' not in 
{'tcp'|'udp'|'sctp'|'dccp'}(R/R0R1R2(RRtMISSING_PROTOCOLtINVALID_PROTOCOL(R6tprotocol((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt check_tcpudps   cCs(tj|s$ttj|ndS(N(RtcheckIPRRt INVALID_ADDR(R6tip((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytcheck_ipscCs||dkr3tj|sxttj|qxnE|dkrftj|sxttj|qxnttjddS(NRVRWs'%s' not in {'ipv4'|'ipv6'}(Rt checkIPnMaskRRR8t checkIP6nMaskR(R6Rtsource((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt check_addresss   cCs|jj|dS(N(R/tcheck_icmptype(R6ticmp((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR?scCs]t|ts.td|t|fnt|dkrYttjd|ndS(Ns%s is %s, expected intis#timeout '%d' is not positive number(t isinstanceRt TypeErrorttypeRRt INVALID_VALUE(R6ttimeout((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt check_timeouts  c Cs9|j}i}x1|jjD] }|jj|d||R?RFRRXRPR\R]R^RdReRgR$Rk(((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR>sd     7      $    !         K       (8t__all__tos.pathRR]RRRtfirewallRRt firewall.coreRRRRRtfirewall.core.fw_icmptypeRtfirewall.core.fw_serviceR tfirewall.core.fw_zoneR tfirewall.core.fw_directR tfirewall.core.fw_configR tfirewall.core.fw_policiesR tfirewall.core.fw_ipsetRtfirewall.core.fw_transactionRtfirewall.core.fw_helperRtfirewall.core.loggerRtfirewall.core.io.firewalld_confRtfirewall.core.io.directRtfirewall.core.io.serviceRtfirewall.core.io.icmptypeRtfirewall.core.io.zoneRRtfirewall.core.io.ipsetRtfirewall.core.io.helperRRtfirewall.errorsRtobjectR(((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyts@
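The config handling above is worth checking on real hosts, because the accepted spellings are narrower than they look: AllowZoneDrifting is switched off only by "no" or "false", and LogDenied is mapped to "off" only for a missing value or "no". The following is an added example, not firewalld's own code, that audits a firewalld.conf body the way the recovered Firewall._start() logic reads it and reports the two findings a reviewer cares about (the insecure zone-drifting setting and a default zone that silently falls back). The fallback values in FALLBACKS, the function names and the sample configuration are constructed for this example; firewalld's real FALLBACK_* constants live in firewall.config.

```python
"""Audit firewalld.conf values the way the recovered Firewall._start() reads them.

Added example, not firewalld's own code. Mirrors only what the bytecode shows:
boolean keys compare case-insensitively against yes/true and no/false,
LogDenied maps a missing value or "no" to "off", AutomaticHelpers maps
no/false to "no" and yes/true to "yes", AllowZoneDrifting is enabled by any
value other than no/false, a missing block/drop/trusted zone is fatal, and an
unknown DefaultZone falls back to public, then external, then block.
"""

REQUIRED_ZONES = ("block", "drop", "trusted")
ZONE_FALLBACKS = ("public", "external", "block")
TRUE_WORDS = ("yes", "true")
FALSE_WORDS = ("no", "false")

# Stand-ins for firewall.config.FALLBACK_* (assumed values, not firewalld's).
FALLBACKS = {
    "DefaultZone": "public", "MinimalMark": 100, "CleanupOnExit": True,
    "Lockdown": False, "IPv6_rpfilter": True, "IndividualCalls": False,
    "LogDenied": "off", "AutomaticHelpers": "system", "AllowZoneDrifting": False,
}

ZONE_DRIFTING_WARNING = (
    "AllowZoneDrifting is enabled. This is considered an insecure "
    "configuration option. It will be removed in a future release. "
    "Please consider disabling it now.")


def parse_conf(text):
    """Parse KEY=VALUE lines; blank lines and '#' comments are ignored."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#") and "=" in line:
            key, _, value = line.partition("=")
            conf[key.strip()] = value.strip()
    return conf


def audit_firewalld_conf(text, available_zones):
    """Return (effective_settings, warnings); raise ValueError on a fatal config."""
    conf = parse_conf(text)
    settings = dict(FALLBACKS)
    warnings = []

    for zone in REQUIRED_ZONES:            # firewalld logs fatal and exits here
        if zone not in available_zones:
            raise ValueError("Zone '%s' is not available." % zone)

    def word(key):
        value = conf.get(key)
        return value.lower() if value else None

    if word("CleanupOnExit") in FALSE_WORDS:
        settings["CleanupOnExit"] = False
    if word("Lockdown") in TRUE_WORDS:
        settings["Lockdown"] = True
    if word("IPv6_rpfilter") in FALSE_WORDS:
        settings["IPv6_rpfilter"] = False
    elif word("IPv6_rpfilter") in TRUE_WORDS:
        settings["IPv6_rpfilter"] = True
    if word("IndividualCalls") in TRUE_WORDS:
        settings["IndividualCalls"] = True
    if conf.get("MinimalMark"):
        settings["MinimalMark"] = int(conf["MinimalMark"])
    if conf.get("LogDenied"):
        settings["LogDenied"] = "off" if word("LogDenied") == "no" else word("LogDenied")
    if conf.get("AutomaticHelpers"):
        if word("AutomaticHelpers") in FALSE_WORDS:
            settings["AutomaticHelpers"] = "no"
        elif word("AutomaticHelpers") in TRUE_WORDS:
            settings["AutomaticHelpers"] = "yes"
        else:
            settings["AutomaticHelpers"] = word("AutomaticHelpers")
    if conf.get("AllowZoneDrifting"):
        # Only no/false disables drifting; "maybe" or "0" leaves it enabled.
        settings["AllowZoneDrifting"] = word("AllowZoneDrifting") not in FALSE_WORDS
    if settings["AllowZoneDrifting"]:
        warnings.append(ZONE_DRIFTING_WARNING)

    default_zone = conf.get("DefaultZone") or FALLBACKS["DefaultZone"]
    if default_zone not in available_zones:
        chosen = next(z for z in ZONE_FALLBACKS if z in available_zones)
        warnings.append("Default zone '%s' is not valid. Using '%s'."
                        % (default_zone, chosen))
        default_zone = chosen
    settings["DefaultZone"] = default_zone
    return settings, warnings


# Constructed sample configuration (not taken from any real host).
SAMPLE_CONF = """\
# firewalld.conf, constructed sample
DefaultZone=lan
MinimalMark=100
CleanupOnExit=No
IPv6_rpfilter=yes
LogDenied=unicast
AutomaticHelpers=system
AllowZoneDrifting=Yes
"""
SAMPLE_ZONES = {"block", "drop", "trusted", "public", "external", "work"}

if __name__ == "__main__":
    effective, findings = audit_firewalld_conf(SAMPLE_CONF, SAMPLE_ZONES)
    for key in sorted(effective):
        print("%-18s %s" % (key, effective[key]))
    for finding in findings:
        print("WARNING: " + finding)
```

Run it against the real file with `audit_firewalld_conf(open("/etc/firewalld/firewalld.conf").read(), zones)` where `zones` is the set of zone names under /usr/lib/firewalld/zones and /etc/firewalld/zones; the two warnings it returns are the same two that firewalld itself would log at start-up, and the ValueError corresponds to the case where firewalld exits instead of starting.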