c`c@sjdddgZddljZddlZddlZddlZddlmZddlm Z m Z m Z m Z m Z mZmZmZmZmZddlmZmZddlmZmZmZmZmZmZmZdd lmZdd l m!Z!dd lm"Z"dd l#m$Z$defd YZ%defdYZ&e'dZ(e)dZ*dS(tZonet zone_readert zone_writeriN(tconfig( tcheckIPtcheckIP6t checkIPnMaskt checkIP6nMasktcheckInterfacetuniqifytmax_zone_name_lent u2b_if_py2t check_mactportStr(tDEFAULT_ZONE_TARGETt ZONE_TARGETS(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGeneratort check_portt check_tcpudptcheck_protocol(trich(tlog(terrors(t FirewallErrorcBsEeZdZdAdBdCdefdDddgfddEgfd dgfd efd dFgfd dgfd dgfddgfddgfddGgfdeffZdZdddgZidHd6dHd6dHd6dgd6ddgd6dgd6dgd6ddgd6dgd6dHd6dHd 6d!gd"6d#gd6ddgd$6dHd%6dHd&6dHd'6dHd(6dHd)6d*gd+6d#gd,6dHd-6Zidd.ddgd6d/gd 6d0d1gd6d2gd6d!d3d4d2d5gd 6d4gd"6d6d7gd%6d8gd(6Z e d9Z d:Z d;Z d<Zd=Zd>Zd?Zd@ZRS(Is Zone class tversionttshortt descriptiontUNUSEDttargettservicestportst icmp_blockst masqueradet forward_portst interfacestsourcest rules_strt protocolst source_portsticmp_block_inversions&(sssbsasa(ss)asba(ssss)asasasasa(ss)b)t_t-t/tzonetnametservicetporttprotocols icmp-blocks icmp-types forward-portt interfacetruletsourcetaddresst destinationtvalues source-portRtaudittaccepttrejecttdroptsettmarktlimitsicmp-block-inversiont immutabletenabledsto-portsto-addrtfamilytmactinverttipsettprefixtlevelttypecCsLx3ttjD]"\}\}}||kr|SqWttjddS(Ns index_of()(t enumerateRtIMPORT_EXPORT_STRUCTURERRt UNKNOWN_ERROR(telementtiteltdummy((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytindex_ofbs" cCstt|jd|_d|_d|_t|_t|_ g|_ g|_ g|_ g|_ t|_g|_g|_g|_g|_d|_g|_g|_t|_t|_t|_dS(NR(tsuperRt__init__RRRtFalseRRR R!R"R)R#R$R%R*R&R'tNonet fw_configtrulesR(R+tcombinedtapplied(tself((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRSis*                   cCsd|_d|_d|_t|_t|_|j2|j2|j 2|j 2t|_ |j 2|j 2|j2|j2d|_|j2|j2t|_t|_t|_dS(NR(RRRRTRRR R!R"R)R#R$R%R*R&R'RURVRWR(R+RXRY(RZ((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytcleanups(         c Cs t|j|_t|j|_t|j|_t|j|_g|jD]}t|^qR|_g|jD]$\}}t|t|f^qw|_g|jD]}t|^q|_g|jD]}t|^q|_g|j D]<\}}}}t|t|t|t|f^q|_ g|j D]$\}}t|t|f^qG|_ g|j D]}t|^q~|_ g|j D]}t|^q|_ g|j D]}t|^q|_ g|jD]}t|^q|_dS(s HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. Get rid of it once we throw out python 2 support.N(R RRRR R!R"R)R#R%R*R&R'RWR(( RZtstpotprRNtp1tp2tp3tp4((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytencode_stringss%7%%O4%%%cCs|dkrlg|D]}tjd|^q|_tt|j|g|jD]}t|^qPntt|j||dS(NR(trule_str(Rt Rich_RuleRWRRRt __setattr__tstr(RZR0R9R\((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRfs (8c Cs?|dkr]|jr]|jj}x|D]+}||kr+ttjd|q+q+Wn|dkrx|D]"}t|dt|dqpWn|dkrx|D]}t|qWnx|dkr |jr |jj}xQ|D]+}||krttj d|qqWn|d krx |D]} t| dt| d| d  r| d  rttj d | n| d rt| d n| d r3t | d  rt | d  rttj d | d qq3q3WnI|dkr.x:|D]"}t|dt|dqWn |dkr^|tkr;ttj|q;n|dkrx|D]'} t| sqttj| qqqqWn|dkr x|D]R} t|  rt|  rt|  r| jd rttj | qqWn0|dkr;x!|D]} tjd| qWndS(NR!s '%s' not among existing servicesR"iiR)R#s"'%s' not among existing icmp typesR%iis$'%s' is missing to-port AND to-addr s#to-addr '%s' is not a valid addressR*R R&R'sipset:R(Rd(RVt get_servicesRRtINVALID_SERVICERRRt get_icmptypestINVALID_ICMPTYPEtINVALID_FORWARDRRt INVALID_ADDRRtINVALID_TARGETRtINVALID_INTERFACERRR t startswithRRe( RZRtitemtexisting_servicesR1R2tprototexisting_icmptypesticmptypetfwd_portR4R6R5((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyt _check_configsn              "           cCstt|j||jdr>ttjd|n|jdrfttjd|n|jddkrttjd|nnd|kr||j d }n|}t |t krttjd|t |t |j fndS(NR.s'%s' can't start with '/'s'%s' can't end with '/'ismore than one '/' in '%s's'Zone of '%s' has %d chars, max is %d %s( RRRt check_nameRpRRt INVALID_NAMEtendswithtcounttfindtlenR RX(RZR0t checked_name((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRxs&      c CsEt|_d|_d|_d|_d|_x3|jD](}||jkr7|jj|q7q7Wx3|j D](}||j krm|j j|qmqmWx3|j D](}||j kr|j j|qqWx3|j D](}||j kr|j j|qqWx3|j D](}||j kr|j j|qqWx3|j D](}||j krE|j j|qEqEW|jrt|_nx3|jD](}||jkr|jj|qqWx3|jD](}||jkr|jj|qqWx7|jD],} |jj| |jjt| qW|jrAt|_ndS(NR(tTrueRXRUtfilenameRRRR&tappendR'R!R"R)R#R$R%R*RWR(RgR+( RZR/R4R6R1R2RsticmptforwardR5((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytcombinesH        (sversionR(sshortR(s descriptionR(stargetR(RR(RRRR(RRN(t__name__t __module__t__doc__RTRKtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARSRUtPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSt staticmethodRQRSR[RcRfRwRxR(((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyR(sv                                  9 tzone_ContentHandlercBs#eZdZdZdZRS(cCs/tj||d|_t|_d|_dS(N(RRSRUt_ruleRTt _rule_errort _limit_ok(RZRq((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRS,s  c Cswtj||||jr dS|jj|||dkrd|krbtjd|dnd|kr|d|j_nd|krtjd|dnd|krs|d}|tkrt t j |n|dkr|t kr||j_ qqsnk|d krn\|d kr&nM|d kr|jr|jjrmtjd t|jt|_dStj|d|j_dS|d|jjkr|jjj|dqstjd |dn |dkr|jr<|jjrtjd t|jt|_dStj|d|d|j_dSt|dt|dt|dd|df}||jjkr|jjj|qstjd|d|dn |dkrs|jr|jjrtjd t|jt|_dStj|d|j_qst|d|d|jjkr\|jjj|dqstjd|dn |dkr|jr|jjrtjd t|jt|_dStj|d|j_dS|d|jjkr|jjj|dqstjd|dnU |dkr|jr|jjretjd t|jt|_dStj |d|j_dStjd|dn |dkrZd|kr|dj!d`krtjd|ddS|jr/|jjrtjd t|jt|_dStj"|j_qs|jj#rKtjdqst|j_#n |dkrd}d|kr|d}nd}d |kr|d }n|jr |jjrtjd t|jt|_dStj$|d|d|||j_dSt|dt|d|r8t|n|rtt%| rtt&| rtt t j'd!|qtnt|dd|dt|dt|f}||jj(kr|jj(j|qstjd"|d|d|rd#|nd|rd$|ndna|d%kr|jr}|jjrYtjd t|jt|_dStj)|d|d|j_dSt|dt|dt|dd|df}||jj*kr|jj*j|qstjd&|d|dnw|d'kr|jr+tjd(t|_dSd|krQtjd)t|_dS|d|jj+kr|jj+j|dqstjd*|dn|d+kr, |jr |jj,rtjd,t|jt|_dSt-}d-|kr |d-j!dakr t}nd}} } d0|kr7 |d0}nd1|krP |d1} nd2|kri |d2} ntj/|| | d-||j_,dSd0|kr d2|kr tjd3dSd0|kr d2|kr tjd4dSd5|kr tjd6|d5nd-|kr tjd7dSd0|kr{ t0|d0 r{ t1|d0 r{ t2|d0 r{ t t j'|d0q{ nd2|kr d8|d2}||jj3kr |jj3j|q tjd9|d0nd0|krs|d0}||jj3kr |jj3j|q) tjd9|d0qsnG|d:kr |js[ tjd;t|_dS|jj4r tjd<t|jdSt-}d-|kr |d-j!dbkr t}ntj5|d0||j_4n|dckr |js tjdAt|_dS|jj6r) tjdBt|_dS|d=krJ tj7|j_6n|d>kr d} dC|kru |dC} ntj8| |j_6nO|d?kr tj9|j_6n.|d@kr |dD} tj:| |j_6n|jj6|_;n|dEkr |js tjdFdS|jjr1 tjdGdSd} dH|krv |dH} | ddkrv tjdQt|_dSndR|kr |dRnd}tj<|| |j_|jj|_;n|dSkr8|js tjdTdS|jj=rtjdUt|jt|_dStj>|j_=|jj=|_;n;|dVkrd}d5|kr|d5}|dekrtjdY|d5t|_dSntj?||_n|dZkr(|j;stjd[t|_dS|j;j@rtjd\t|jt|_dS|d}tjA||j;_@nK|d]kr_|jjBrPtjd^qst|j_Bntjd_|dSdS(fNR/R0s'Ignoring deprecated attribute name='%s'RRAs,Ignoring deprecated attribute immutable='%s'R RRRR1s;Invalid rule: More than one element in rule '%s', ignoring.s#Service '%s' already set, ignoring.R2R3R-s#Port '%s/%s' already set, ignoring.R9s$Protocol '%s' already set, ignoring.s icmp-blocks&icmp-block '%s' already set, ignoring.s icmp-types-Invalid rule: icmp-block '%s' outside of ruleR$RBtnotfalses*Ignoring deprecated attribute enabled='%s's!Masquerade already set, ignoring.s forward-portsto-portsto-addrs#to-addr '%s' is not a valid addresss-Forward port %s/%s%s%s already set, ignoring.s >%ss @%ss source-ports*Source port '%s/%s' already set, ignoring.R4s$Invalid rule: interface use in rule.s Invalid interface: Name missing.s%Interface '%s' already set, ignoring.R6s:Invalid rule: More than one source in rule '%s', ignoring.REtyesttrueR7RDRFs$Invalid source: No address no ipset.s"Invalid source: Address and ipset.RCs)Ignoring deprecated attribute family='%s's+Invalid source: Invertion not allowed here.sipset:%ss"Source '%s' already set, ignoring.R8s)Invalid rule: Destination outside of rules?Invalid rule: More than one destination in rule '%s', ignoring.R;R<R=R?s$Invalid rule: Action outside of rules"Invalid rule: More than one actionRIR>Rs!Invalid rule: Log outside of rulesInvalid rule: More than one logRHtemergtalerttcritterrortwarningtnoticetinfotdebugsInvalid rule: Invalid log levelRGR:s#Invalid rule: Audit outside of rules9Invalid rule: More than one audit in rule '%s', ignoring.R5tipv4tipv6s&Invalid rule: Rule family "%s" invalidR@s4Invalid rule: Limit outside of action, log and audits9Invalid rule: More than one limit in rule '%s', ignoring.sicmp-block-inversions+Icmp-Block-Inversion already set, ignoring.sUnknown XML element '%s'(RR(syesR(syesR(sacceptsrejectsdropsmark(RRRserrorswarningRsinfosdebug(RR(CRt startElementRRqtparser_check_element_attrsRRRRRRRnRR RRMRgRRt Rich_ServiceR!Rt Rich_PortRRR R"t Rich_ProtocolRR)tRich_IcmpBlockR#t Rich_IcmpTypetlowertRich_MasqueradeR$tRich_ForwardPortRRRmR%tRich_SourcePortR*R&R6RTRUt Rich_SourceRRR R'R8tRich_Destinationtactiont Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_MarkRtRich_LogR:t Rich_AuditReR@t Rich_LimitR+(RZR0tattrsR tentrytto_porttto_addrREtaddrRDRFt_typet_setRHRGRCR9((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyR2st                                                                                                                                                                 cCstj|||dkr|jsy|jjWn/tk rg}tjd|t|jqXt|j|j j kr|j j j |j|j j j t|jqtjdt|jnd|_t|_n|d krd|_ndS( NR5s%s: %ss Rule '%s' already set, ignoring.R;R<R=R?RR:(sacceptsrejectsdropsmarkslogsaudit(Rt endElementRRtcheckt ExceptionRRRgRqR(RWRRURTR(RZR0te((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRs        (RRRSRR(((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyR+s  dc Csbt}|jds1ttjd|n|d |_|sW|j|jn||_||_|j t j rt nt |_|j|_t|}tj}|j|d||f}t|di}tjd}|j|y|j|Wn2tjk r>} ttjd| jnXWdQX~~tr^|jn|S(Ns.xmls'%s' is missing .xml suffixis%s/%strbsnot a valid zone file: %s(RRzRRRyR0RxRtpathRpRt ETC_FIREWALLDRTRtbuiltintdefaultRtsaxt make_parsertsetContentHandlertopent InputSourceRUt setByteStreamtparsetSAXParseExceptiont INVALID_ZONEt getExceptionRRc( RRt no_check_nameR/thandlertparserR0tfR6tmsg((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRs:     !       c Cs% |r |n|j}|jr4d||jf}nd||jf}tjj|rytj|d|Wqtk r}tj d||qXntjj |}|j t j rtjj| rtjjt j stjt j dntj|dntj|dddd }t|}|ji}|jrq|jd krq|j|d d kr{ |j0j>|d%t1|jG|jGjEr |jd-|j|||jd4|jd5i|jGjEj8d6|jd6|j|n|jd-|j|||jdn|jd|jd)|jdqW|jd |jd|jN|jO~dS(?Ns%s/%ss %s/%s.xmls%s.oldsBackup of file '%s' failed: %sitmodetwttencodingsUTF-8RRR R/s s RRR4R0sipset:R6iRFR7R1R2iiR3R9sicmp-block-inversions icmp-blockR$isto-portisto-addrs forward-ports source-portRCR5RDRREs R8s icmp-types#Unknown element '%s' in zone_writerRGRHRs R@s R:R;R<RIR=R?R>sUnknown action '%s'(PRRR0tostexiststshutiltcopy2RRRtdirnameRpRRtmkdirtioRRt startDocumentRR RRtignorableWhitespaceRt charactersRRR R&t simpleElementR'R!R"R)R+R#R$R%R*RWRCR6RRDRFRER8RMRIRRRR2R3RR9RRRRRt to_addressRRRtINVALID_OBJECTRGRHR@R:RRRRRR>Rt endDocumenttclose(R/Rt_pathR0RtdirpathRRRR4R6R1R2R3RRR5RMR((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRs %            &                                                         (+t__all__txml.saxRRRRtfirewallRtfirewall.functionsRRRRRR R R R R tfirewall.core.baseRRtfirewall.core.io.io_objectRRRRRRRt firewall.coreRtfirewall.core.loggerRRtfirewall.errorsRRRRTRRUR(((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyts$   F4