c`c@s~ddlZddlZddlmZmZddlmZddlm Z ddl m Z m Z m Z mZmZddlmZddlmZmZmZmZmZmZddlmZmZmZmZd Zd Ziid d efd 6d6id defd 6d6id defd 6ddefd6d6iddefd6ddefd6d6Z iid6id6id6Z!ii"dd d!dd"d#gd$6dd d!gd!6dd d%gd%6dd d&gd&6dd d!dd"d'gd(6dd d!dd"d)gd*6dd d!dd"d+gd,6dd d-dd"d.gd/6dd d!dd"d0gd16dd d!dd"d.gd26dd d3dd"d.gd46dd d!dd"d5gd66dd d-dd"d7gd86dd d!dd"d9gd:6dd d!dd"d7gd;6dd d3gd36dd d!dd"d<gd=6dd d!dd"d>gd?6dd d!dd"d@gdA6dd d-gd-6dd d3dd"d.gdB6dd dCgdC6dd dDgdD6dd dEgdE6dd d!dd"dFgdG6dd dHgdH6dd dIgdI6dd dJgdJ6dd d-dd"d<gdK6dd d!dd"dLgdM6dd d-dd"d@gdN6dd d!dd"dOgdP6dd dHdd"d.gdQ6dd dHdd"d7gdR6dS6idTd d!dTd"d<gdU6dTd d3dTd"d7gdV6dTd d!dTd"d@gdW6dTd d!dTd"d.gd$6dTd d!gd!6dTd d%gd%6dTd d&gd&6dTd d!dTd"dFgdX6dTd dYgdZ6dTd d[gd\6dTd d!dTd"d7gd]6dTd d^gd^6dTd d3gd36dTd d!dTd"d'gd=6dTd d_gd-6dTd d!dTd"d9gd`6dTd dagdC6dTd dbgdD6dTd dHgdH6dTd dHdTd"d.gdQ6dTd dHdTd"d7gdR6dTd d3dTd"d.gdc6dTd d3dTd"d@gdd6de6Z"dfe#fdgYZ$dS(hiN(t SHORTCUTStDEFAULT_ZONE_TARGET(trunProg(tlog(t splitArgst check_mactportStrtcheck_single_addresst check_address(tconfig(t FirewallErrort UNKNOWN_ERRORt INVALID_RULEtINVALID_ICMPTYPEt INVALID_TYPEt INVALID_ENTRY(t Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_Markt firewalldi t preroutingit PREROUTINGtrawijtmangleit postroutingidt POSTROUTINGtnattinputitINPUTtforwardtFORWARDtfiltertinettiptip6ticmpttypesdestination-unreachabletcodet13scommunication-prohibiteds echo-replys echo-requestt4sfragmentation-neededt14shost-precedence-violationt10shost-prohibitedtredirectt1s host-redirectt7s host-unknownshost-unreachablesparameter-problems ip-header-badt8snetwork-prohibitedt0snetwork-redirectt6snetwork-unknownsnetwork-unreachablet3sport-unreachablet15sprecedence-cutofft2sprotocol-unreachablesrequired-option-missingsrouter-advertisementsrouter-solicitations source-quencht5ssource-route-faileds time-exceededstimestamp-replystimestamp-requeststos-host-redirectt12stos-host-unreachablestos-network-redirectt11stos-network-unreachablesttl-zero-during-reassemblysttl-zero-during-transittipv4ticmpv6saddress-unreachables bad-headers beyond-scopes failed-policysnd-neighbor-advertsneighbour-advertisementsnd-neighbor-solicitsneighbour-solicitationsno-routespacket-too-bigs nd-redirects reject-routesnd-router-advertsnd-router-solicitsunknown-header-typesunknown-optiontipv6tnftablescBseZdZeZdZdZdZdZdZ dZ dZ dZ d3d Zd Zd Zd Zd ZddZdZeddZddZddZdZdZdZdZdZdZdZdZ d3d3dZ!d3d3dZ"d3d3dZ#d Z$d3d!Z%d3d"Z&d#Z'd3d$Z(d%Z)d3d&Z*d'Z+ed(Z,d)Z-d*Z.d+Z/d3d,Z0d-Z1d.Z2d/Z3d0Z4d1Z5d2Z6RS(4R:cCsK||_tjd|_|jg|_i|_i|_i|_dS(Ntnft( t_fwR tCOMMANDSt_commandt fill_existstavailable_tablestrule_to_handletrule_ref_counttzone_source_index_cache(tselftfw((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt__init__s     cCs%tjj|j|_t|_dS(N(tostpathtexistsR>tcommand_existstFalsetrestore_command_exists(RD((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR?sc Csy?|jd}|j||j|}||df}WnLtk ry&|jd}|j|d}Wqtk rdSXnX|d}|r| r||kr|||kr||j|qn|r||krg||sitinsertitaddtindexs%d( RRtpopt ValueErrortNonetremovetappendtsortR<t_allow_zone_driftingtlenRP( RDtrule_addtruleRCtitzonet zone_sourcetfamilyRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_run_replace_zone_sourcesD                 c Csddg}|}|ddkrs|ddkrs|}d|dRUtTruetintt ExceptionR R RStjoinRKRBR Rtdebug2t __class__tcopytdeepcopyRCRaRARTRRRZtstrip( RDtargstnft_optst_argst _args_testtstatustoutputtrule_keyR[RCt _args_strtstrtoffset((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt__runs|           #!     cCsAy|j|}Wntk r'tSX||||d+tSdS(Ni(RRRTRKRi(RDR\tpatternt replacementR]((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt _rule_replace,s  cCs|}d|d<|S(NRbi((RDRrtret_args((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt reverse_rule5s cCsttddS(Nsnot implemented(R R (RDtrulest log_denied((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt set_rules:sc Csd}d|ks*d|ks*d|kr3d}n-d|ksWd|ksWd|kr`d}n|j|dd d |d d g|j|d dddgy|jd}Wntk rnDX|dkrdS|dkrd|g|||d+n |j||j|S(NticmpxR7R"R$R9R#R8s %%REJECT%%trejecttwithR%sadmin-prohibiteds%%ICMP%%tmetatl4protos{icmp, icmpv6}s %%LOGTYPE%%toffRetunicastt broadcastt multicasttpkttypei(RRR(RRRRTRSt_nftables__run(RDR\Rt icmp_keywordR]((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytset_ruleCs$$ $      cCs|r |gStjS(N(tIPTABLES_TO_NFT_HOOKtkeys(RDRc((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytget_available_tablesbscCsYi|_i|_i|_g}x1tjD]#}|jdd|dtgq.W|S(NRbRcs%s(RARBRCt OUR_CHAINSRRWt TABLE_NAME(RDRR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_flush_rulesfs   !cCstdd}g}|dkr|jddd|gxddgD]:}d |d ||d td f}|jt|qFWn5|d kr|jddd|gn ttd|S(Nt_t policy_droptDROPRQRcR!RRwsMadd chain inet %s %s_%s '{ type filter hook %s priority %d ; policy drop ; }'RiitACCEPTRbsnot implemented(RRWtNFT_HOOK_OFFSETRR R (RDtpolicyt table_nameRthookt _add_chain((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_set_policy_rulesps   cCsAt}x+tjD]}|jt|jqWt|S(N(tsettICMP_TYPES_FRAGMENTRtupdateRd(RDt supportedtipv((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytsupported_icmp_typess cCsAg}x+tjD]}|jd|tfqWtt|S(Nsadd table %s %s(RRRWRtmapR(RDtdefault_tablesR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_default_tablessRc Csg}ttddadd rule inet %s filter_%s ct state established,related acceptRs,add rule inet %s filter_%s iifname lo acceptsadd chain inet %s filter_%s_%ss,add rule inet %s filter_%s jump filter_%s_%sRs_add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '"STATE_INVALID_DROP: "'s0add rule inet %s filter_%s ct state invalid dropsHadd rule inet %s filter_%s %%%%LOGTYPE%%%% log prefix '"FINAL_REJECT: "'sBadd rule inet %s filter_%s reject with icmpx type admin-prohibiteds$add chain inet %s filter_%s_IN_ZONESRtINtOUTs!add chain inet %s filter_%s_%s_%ss/add rule inet %s filter_%s jump filter_%s_%s_%stINPUT_ZONES_SOURCEt INPUT_ZONEStFORWARD_IN_ZONES_SOURCEtFORWARD_IN_ZONEStFORWARD_OUT_ZONES_SOURCEtFORWARD_OUT_ZONES( RRRRRWRR<RYRRR(RDRt default_rulestchaintdispatch_suffixR`t direction((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_default_ruless (0 (0  ( 4 (!  ((  cCsY|dkrdddgS|dkr,dgS|dkrBddgS|d krUdgSiS( NR Rt FORWARD_INt FORWARD_OUTRRRRR((RDRc((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytget_zone_table_chainss      R!c Cs|dkrr|dkrrg}|j|j||||||d|j|j||||||d|Sidd6dd6dd 6dd 6dd 6dd 6|} |t|d dkr|t|d  d}ntjdt|d|} d} |r3| r3dd|dtd||fdg} ne|r_dd|dtd||fg} n9dd|dtd||fg} |s| dg7} n|dkr| | d|| fg7} n(| | d|d| d|| fg7} | gS(NRR!R"R#tiifnameRtoifnameRRRRtOUTPUTit+t*RR^tgotoRPR\s%ss %s_%s_ZONESs%%ZONE_INTERFACE%%RQRbs%s_%ss"(textendt!build_zone_source_interface_rulesRZRtformatRR( RDtenableR^t interfaceRcRRWR`RtoptttargettactionR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyRs>  &# (cCsK|dkr|dkrg}|jdrI|j|td}nd}td|svt|sv|dkr|j|j|||||dntd|st|s|dkr|j|j|||||dn|Sidt6d t 6|} id d 6d d 6d d6d d6d d6d d6|} |j j r\d||f} nd||f} t j dt|d|} d} |jdr|td}|j|}d|}nCt|r| d krdSd}ntd|rd}nd}| d|dt| d||| || d|| fg }|gS(NRR!sipset:R7R"R9R#RPRbtsaddrRtdaddrRRRRRs%s_%s_ZONES_SOURCEs %s_%s_ZONESRR^Rt@RetetherR\s%ss%%ZONE_SOURCE%%s%s_%s(t startswitht_set_get_familyRZRURRRtbuild_zone_source_address_rulesRiRKR<RYRRRR(RDRR^taddressRcRR`Rt ipset_familytadd_delRtzone_dispatch_chainRRtipsett rule_familyR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR$sT''      c Cs.|dkr`|dkr`g}|j|j|||d|j|j|||d|Stjdt|d|}t||jt|d|d|d |gg}|jd d|d t d ||fg|jd d|d t d ||fg|jd d|d t d||fg|jd d|d t d||fg|jd d|d t d ||fdd ||fg|jd d|d t d ||fdd||fg|jd d|d t d ||fdd||fg|j j j |j }|j jdkr|dkr|d kr|d!kr|}|dkrud}n|jd d|d t d ||fdddd||fg qqn|dkr*|d"kr*|d#kr*|jd d|d t d ||f|dkr|jndgn|S($NRR!R"R#RR^s%s_logs%s_denys%s_allowRQs%ss%s_%ss %s_%s_logs %s_%s_denys %s_%s_allowR\tjumpRR RRRRtREJECTs %%REJECT%%Rs %%LOGTYPE%%Rtprefixs"filter_%s_%s: "R(sINPUTs FORWARD_INs FORWARD_OUTsOUTPUT(Rs %%REJECT%%sDROP(sACCEPTRs %%REJECT%%sDROP(sINPUTs FORWARD_INs FORWARD_OUTsOUTPUT(Rtbuild_zone_chain_rulesRRRRRRRWRR<R^t_zonesRtget_log_deniedtlower( RDR^RcRR`Rt_zoneRt log_suffix((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR^s^            %cCsiddddgd6ddddgd6ddddgd6ddddgd 6dddd gd 6dddd gd 6dd dd gd6dd dd gd6ddddgd6ddddgd6ddddgd6ddddgd6ddddgd6dd ddgd6ddddgd6ddddgd6ddddgd6dd ddgd6dd ddgd 6dd dd!gd"6dd dd!gd!6dd#d$gd%6dd#d$gd&6}||S('NRR$R%shost-prohibitedsicmp-host-prohibiteds host-prohibsnet-prohibitedsicmp-net-prohibiteds net-prohibsadmin-prohibitedsicmp-admin-prohibiteds admin-prohibR8sicmp6-adm-prohibitedsadm-prohibitedsnet-unreachablesicmp-net-unreachables net-unreachshost-unreachablesicmp-host-unreachables host-unreachsport-unreachablesicmp-port-unreachablesicmp6-port-unreachableRs port-unreachsprot-unreachablesicmp-proto-unreachables proto-unreachsaddr-unreachablesicmp6-addr-unreachables addr-unreachsno-routesicmp6-no-routettcptresets tcp-resetstcp-rst((RDt reject_typetfrags((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_reject_types_fragments2cCs|s gSidd6dd6dd6dd6}y|jjd }Wn tk rdttd nXd d |jd |!d ||j|dgS(Ntsecondtstminutetmthourthtdaytdt/sExpected '/' in limittlimittrateii(tvalueRRRTR R (RDRt rich_to_nftR]((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_limit_fragments  cCs|js gSidt6dt6|}|dddtd||fg}||dg7}|jjr|dd |jjg7}n|jjr|d d |jjg7}n||j|jj7}|S( NRQRbR\R!s%ss %s_%s_logRRs"%s"tlevel(RRiRKRRRRR(RDt rich_ruleRRcRt rule_fragmentRR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_logs   cCs||js gSidt6dt6|}|dddtd||fg}||ddd g7}||j|jj7}|S( NRQRbR\R!s%ss %s_%s_logRRtaudit(RRiRKRRR(RDRRRcRRRR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_audits c Cs|js gSidt6dt6|}t|jtkrVd||f}dg} nt|jtkrd||f}dg} |jjr^| |j|jj7} q^nt|jtkrd||f}dg} n~t|jtkrBt j dt d d |}d }d||f}d d d|jj g} nt tdt|j|dddt|g} | |7} | |j|jj7} | | 7} | S(NRQRbs %s_%s_allowtaccepts %s_%s_denyRtdropRRR^RRtmarkRsUnknown action %sR\R!s%s(RRiRKR%RRRRRRRRRR R RRR( RDR^RRRcRRRRt rule_actionR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_actions6        cCsS|s gS|dkr#dddgS|dkr<dddgSttd|dS(NR7RtnfprotoR9sInvalid family(R R (RDt rich_family((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_family_fragments    cCsx|s gSg}td|jr2|dg7}n |dg7}|jra|dd|jg7}n|d|jg7}|S(NR7R"R#Rs!=(Rtaddrtinvert(RDt rich_destR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_destination_fragments  cCsJ|s gSg}|jrtd|jr;|dg7}n |dg7}|jrj|dd|jg7}qF|d|jg7}nt|dr|jr|jr|ddd|jg7}qF|dd|jg7}npt|drF|jrF|j|j}|jr)||ddd |jg7}qF||dd |jg7}n|S( NR7R"R#Rs!=tmacRRR(RRRthasattrRRR(RDt rich_sourceRR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_source_fragment,s(      c Csidt6dt6|}d}tjdtdd|} g} |r_| |j|j7} n|rtd|r| dg7} n | d g7} | d |g7} n|r| |j|j 7} | |j |j 7} n| |d d t |d g7} | st |jtkr+| dddg7} ng} |r| j|j|||| | | j|j|||| | | j|j||||| | n5| j|ddd td|| fg| dg| S(NRQRbR RRR^R7R"R#Rtdports%st-tcttstates new,untrackedR\R!s %s_%s_allowR(RiRKRRRRR`RRt destinationR tsourceRR%RRRWRRRR( RDRR^tprototportRRRRcRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_ports_rulesIs2  ""(/c Csidt6dt6|}d}tjdtdd|}g} |r_| |j|j7} n|rtd|r| dg7} n | d g7} | d |g7} n|r| |j|j7} | |j|j 7} | |j |j 7} nd d |g} | st |j tkr0| d ddg7} ng} |r| j|j||||| | j|j||||| | j|j|||||| n/| j|dddtd|g| dg| S(NRQRbR RRR^R7R"R#RRRR R s new,untrackedR\R!s%ssfilter_%s_allowR(RiRKRRRRR`RRRR RR%RRRWRRRR( RDRR^tprotocolRRRRcRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_protocol_rulesjs4 ""()c Csidt6dt6|}d}tjdtdd|} g} |r_| |j|j7} n|rtd|r| dg7} n | d g7} | d |g7} n|r| |j|j 7} | |j |j 7} n| |d d t |d g7} | st |jtkr+| dddg7} ng} |r| j|j|||| | | j|j|||| | | j|j||||| | n5| j|ddd td|| fg| dg| S(NRQRbR RRR^R7R"R#Rtsports%sR R R s new,untrackedR\R!s %s_%s_allowR(RiRKRRRRR`RRRR RRR%RRRWRRRR( RDRR^RRRRRRcRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_source_ports_ruless2  ""(/c Csidt6dt6|}tjdtdd|} |dddtd | g} |rtd |rv| d g7} n | d g7} | d |g7} n| |ddt|dg7} | dddd||fg7} dddtd||fddd|d|ddg } | | gS(NRQRbRRR^R\R!s%ssfilter_%s_allowR7R"R#RR R R thelperRs"helper-%s-%s"s helper-%s-%st{R%s"%s"Rt;t}(RiRKRRRRRR( RDRR^RRRt helper_nametmodule_short_nameRRR\t helper_object((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_helper_ports_ruless"       cCsidt6dt6|}tjdtdd|}g}|ro||j|j7}||j|j7}n|d|dt d|g|d d d d ggS( NRQRbRRR^R\s%ss nat_%s_allowRs!=tlot masquerade( RiRKRRRRRR RR(RDRR^R`RRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt _build_zone_masquerade_nat_ruless cCsg}|rd|jr$|jdksB|jrdtd|jjrd|j|j||d|n}|r|jr|jdks|jrtd|jjr|j|j||d|n|j|j||d|idt6dt6|}tj dt dd |}g}|rP||j |j 7}||j |j7}n|j|d d d td |g|ddddg|S(NR9R#R7R"RQRbRRR^R\R!s%ssfilter_%s_allowR R s new,untrackedR(R`RRRRR!RiRKRRRRRR RWR(RDRR^RRRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_masquerade_ruless$"" 2c Csidt6dt6|}tjdtdd|} g} |rV| dd|g7} n| ddg7} |r|d kr| d t|d g7} n|d |d td| dd|g|| gS(NRQRbRRR^tdnatttoR+Res:%sR R\s%ss nat_%s_allowRR(RiRKRRRRR( RDRR^Rt mark_fragmentttoaddrttoportR`RRt dnat_fragment((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt"_build_zone_forward_port_nat_ruless c Csaidt6dt6|} d|} dd| g} tjdtdd|} g}| r||j| j7}||j| j7}||j | j 7}ng}|j | d d d t d | g||d |ddd| g| rC| jr| jdks|rCt d|rC|j|j|||| ||dn| r| jra| jdksv|rt d|r|j|j|||| ||dnh|rt d|r|j|j|||| ||dn(|j|j|||| ||dtjdt|d|} |j | d d d t d| dddg| dg|S(NRQRbs0x%xRRRRR^R\R!s%ssmangle_%s_allowR RR9R#R7R"sfilter_%s_allowR R s new,untrackedR(RiRKRRRRR`RRR RRWRRRR)(RDRR^t filter_chainRRR'R&tmark_idRRtmark_strR%RRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_forward_port_ruless@   2cCs<|t|krt||Sttd||jfdS(Ns"ICMP type '%s' not supported by %s(RR R tname(RDRt icmp_type((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_icmp_types_to_nft_fragment/s c Csd}idt6dt6|}|r9|jr9|j}n\|jrg}d|jkrg|jdnd|jkr|jdqn ddg}g}x/|D]'} xddgD]} tjdt| d |} |jj j |rd || f} d } nd || f} d } g}|rl||j |j 7}||j |j7}||j|j7}n||j| |j7}|r8|j|j|||| ||j|j|||| ||jr|j|j||||| |q|j|dddtd || fg|d gq|jjdkr| d kr|j|dddt| g|dddd||fgn|j|dddt| g|| gqWqW|S(NR RQRbR7R9RRRR^s %s_%s_allowRs %s_%s_denys %%REJECT%%R\R!s%sRs %%LOGTYPE%%RRs"%s_%s_ICMP_BLOCK: "(RiRKtipvsRRWRRRR<R^tquery_icmp_block_inversionRR`RR RR0R.RRRRRR(RDRR^tictRRcRR1RRRRt final_chaint final_targetR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_icmp_block_rules6sT      "" (2! -c Csd}g}xddgD]}tjdt|d|}djddtd ||fd d ||fg}|j|}|jjj|rd } nd } |rddddtd ||fd|g} n#ddddtd ||fg} | d| g7} |j | |jjj|r|jj dkr|rpddddtd ||fd|g} n#ddddtd ||fg} | ddddd||fg7} |j | qqqW|S(NR RRRR^RgR!s%ss%s_%sRs %s_%s_allows %%REJECT%%RRQR\RfRbs%%ICMP%%Rs %%LOGTYPE%%RRs"%s_%s_ICMP_BLOCK: "( RRRRlRRAR<R^R2RWR( RDRR^RcRRRRxt rule_handlet ibi_targetR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt%build_zone_icmp_block_inversion_rulesls<     cCsg}|jddddtdddd d d d d dddg|dkr|jddddtdddd d d d d dddddgn|jddddtdddddg |S(NRPR\R!s%ssraw_%sRRRR9tfibRt.tiiftoiftmissingRRRRs"rpfilter_DROP: "R8R%s){ nd-router-advert, nd-neighbor-solicit }Rtraw_PREROUTINGR?R?(RWR(RDRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_rpfilter_ruless   cCsd}tjdtdd|}g}||j|j7}||j|j7}||j|j7}g}|j |j ||||||j |j ||||||j |j |||||||S(NR RRR^( RRRRR`RRR RRWRRR(RDRR^RRcRRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt(build_zone_rich_source_destination_ruless ""%cCs|dkrtStS(NR7R9teb(sipv4sipv6RB(RiRK(RDR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytis_ipv_supporteds cCs;idd6dd6}i ||gd6||ddgd6||dd ||gd 6||dd ||gd 6||d gd 6||gd6||ddgd6||dd ||gd6||dd ||gd6||dgd6dgd6}ydg||dgSWn$tk r6ttd|nXdS(Nt ipv4_addrR7t ipv6_addrR9shash:ips . inet_protos. inet_services hash:ip,ports. inet_service .shash:ip,port,ipshash:ip,port,nets. marks hash:ip,markshash:nets hash:net,portshash:net,port,ipshash:net,port,nets. ifnameshash:net,ifacet ether_addrshash:macR%Rs!ipset type name '%s' is not valid(tKeyErrorR R(RDRR%tipv_addrttypes((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_set_type_fragments(   c Cs)|r+d|kr+|ddkr+d}nd}|dg}||j||7}|rd|kr|d|dddg7}nd |kr|d |d dg7}qn| sd|krd |kr|d d dg7}n|dg7}x4dddgD]#}|jdd|tg|qWdS(NR`tinet6R9R7RttimeoutRRtmaxelemtsizet,tflagstintervalRR!R"R#RQR(RJRR(RDR.R%toptionsRtcmdR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt set_creates "      cCs:x3dddgD]"}|jdd|t|gqWdS(NR!R"R#RbR(RR(RDR.R`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt set_destroyscCs)|jjj|jddjd}|jd}t|t|krdttdng}xtt|D]}||dkry||jd}Wn(t k r|dd||g7}qX|||| d|||dg7}n|j |||j dq}W|d S( Nt:iROs+Number of values does not match ipset type.RRR;i( R<Rtget_typetsplitRZR RtrangeRRRTRW(RDR.tentryt type_formatt entry_tokenstfragmentR]RR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_set_entry_fragments +  *cCsTxMdddgD]<}|jdd|t|dg|j||dgqWdS(NR!R"R#RQtelementRR(RRR^(RDR.RZR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytset_addscCsTxMdddgD]<}|jdd|t|dg|j||dgqWdS(NR!R"R#RbR_RR(RRR^(RDR.RZR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt set_deletescCs:x3dddgD]"}|jdd|t|gqWdS(NR!R"R#tflushR(RR(RDR.R`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt set_flushscCsk|jjj|}|jdkr-d}n:|jrad|jkra|jddkrad}nd}|S(Nshash:macRR`RKR#R"(R<Rt get_ipsetR%RR(RDR.RR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR!s  N(7t__name__t __module__R.Ritzones_supportedRFR?RaRRRRRRURRRRRRRRKRRRRRRRRRRR RRRRR!R"R)R-R0R6R9R@RARCRJRTRUR^R`RaRcR(((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR:sf  - U      T  + 9 @   "  !#!     ,  6 2          (%tos.pathRGRotfirewall.core.baseRRtfirewall.core.progRtfirewall.core.loggerRtfirewall.functionsRRRRRtfirewallR tfirewall.errorsR R R R RRtfirewall.core.richRRRRRRRRRtobjectR:(((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyts  (."