c`c@sdddddddddd d d d d ddddgZddlmZddlmZddlmZddlmZddlm Z de fdYZ de fdYZ de fdYZ de fdYZdefdYZde fdYZde fdYZde fdYZde fd YZd e fd!YZd e fd"YZd e fd#YZd e fd$YZd e fd%YZdefd&YZde fd'YZde fd(YZde fd)YZd*S(+t Rich_SourcetRich_Destinationt Rich_Servicet Rich_Portt Rich_ProtocoltRich_MasqueradetRich_IcmpBlockt Rich_IcmpTypetRich_SourcePorttRich_ForwardPorttRich_Logt Rich_Auditt Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_Markt Rich_Limitt Rich_Rulei(t functions(tcheck_ipset_name(t REJECT_TYPES(terrors(t FirewallErrorcBseZedZdZRS(cCs||_|jdkr$d|_n||_|jdksK|jdkrWd|_n$|jdk r{|jj|_n||_|jdkrd|_n||_|jdkr|jdkr|jdkrttjdndS(Ntsno address, mac and ipset( taddrtNonetmactuppertipsettinvertRRt INVALID_RULE(tselfRRRR((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyt__init__$s       - cCsd|jrdnd}|jdk r7|d|jS|jdk rU|d|jS|jdk rs|d|jSttjddS(Ns source%s s NOTRs address="%s"smac="%s"s ipset="%s"sno address, mac and ipset(RRRRRRRR(Rtret((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyt__str__5s (t__name__t __module__tFalseR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR#s cBseZedZdZRS(cCs||_||_dS(N(RR(RRR((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR Bs cCs d|jrdnd|jfS(Nsdestination %saddress="%s"snot R(RR(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Fs(R#R$R%R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRAs cBseZdZdZRS(cCs ||_dS(N(tname(RR&((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR KscCs d|jS(Nsservice name="%s"(R&(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Ns(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRJs cBseZdZdZRS(cCs||_||_dS(N(tporttprotocol(RR'R(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR Rs cCsd|j|jfS(Nsport port="%s" protocol="%s"(R'R((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Vs(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRQs cBseZdZRS(cCsd|j|jfS(Ns#source-port port="%s" protocol="%s"(R'R((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Zs (R#R$R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRYscBseZdZdZRS(cCs ||_dS(N(tvalue(RR)((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR _scCs d|jS(Nsprotocol value="%s"(R)(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"bs(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR^s cBseZdZdZRS(cCsdS(N((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR fscCsdS(Nt masquerade((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"is(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRes cBseZdZdZRS(cCs ||_dS(N(R&(RR&((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR mscCs d|jS(Nsicmp-block name="%s"(R&(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"ps(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRls cBseZdZdZRS(cCs ||_dS(N(R&(RR&((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR tscCs d|jS(Nsicmp-type name="%s"(R&(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"ws(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRss cBseZdZdZRS(cCs^||_||_||_||_|jdkr?d|_n|jdkrZd|_ndS(NR(R'R(tto_portt to_addressR(RR'R(R+R,((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR {s     cCsRd|j|j|jdkr+d|jnd|jdkrJd|jndfS(Ns(forward-port port="%s" protocol="%s"%s%sRs to-port="%s"s to-addr="%s"(R'R(R+R,(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"s (R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR zs cBs#eZddddZdZRS(cCs||_||_||_dS(N(tprefixtleveltlimit(RR-R.R/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s  cCsSd|jrd|jnd|jr2d|jnd|jrKd|jndfS(Ns log%s%s%ss prefix="%s"Rs level="%s"s %s(R-R.R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"sN(R#R$RR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR scBseZddZdZRS(cCs ||_dS(N(R/(RR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR scCsd|jrd|jndS(Nsaudit%ss %sR(R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"sN(R#R$RR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s cBseZddZdZRS(cCs ||_dS(N(R/(RR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR scCsd|jrd|jndS(Nsaccept%ss %sR(R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"sN(R#R$RR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s cBs)eZdddZdZdZRS(cCs||_||_dS(N(ttypeR/(Rt_typeR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s cCs:d|jrd|jnd|jr2d|jndfS(Ns reject%s%ss type="%s"Rs %s(R0R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"scCs|jr{|s$ttjdn|dkr{|jt|kr{djt|}ttjd|j|fq{ndS(Ns9When using reject type you must specify also rule family.tipv4tipv6s, s%Wrong reject type %s. Use one of: %s.(R2R3(R0RRRRtjoin(Rtfamilyt valid_types((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pytchecks  N(R#R$RR R"R7(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s cBseZdZRS(cCsd|jrd|jndS(Nsdrop%ss %sR(R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"s(R#R$R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRscBs&eZddZdZdZRS(cCs||_||_dS(N(tsetR/(Rt_setR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s cCs'd|j|jrd|jndfS(Ns mark set=%s%ss %sR(R8R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"s cCs|jdk r|j}nttjdd|kr|jd}t|dkrottj|ntj|d stj|d rttj|qn$tj|sttj|ndS(Ns no value sett/iii( R8RRRt INVALID_MARKtsplittlenRt checkUINT32(Rtxtsplits((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR7s  N(R#R$RR R"R7(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRs  cBs,eZdZdZdZdZRS(cCsu||_d|jkrq|jjd}t|dkrq|dd krqd|d |dd f|_qqndS( NR:iitsecondtminutethourtdays%s/%si(RARBRCRD(R)R<R=(RR)R@((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s  cCsd}d|jkr*|jjd}n| sCt|dkr[ttj|jn|\}}yt|}Wnttj|jnX|dks|dkrttj|jnd}|dkrd}n?|dkrd}n*|dkr d}n|dkr d}nd ||d krPttjd |jn|dkr|dkrttjd |jndS(NR:iitstmthtdi<ii'is %s too fasts %s too slow(RERFRGRHiiiQ(RR)R<R=RRt INVALID_LIMITtint(RR@tratetdurationtmult((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR7s6           cCs d|jS(Nslimit value="%s"(R)(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"scCsdS(NR((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pytcommand s(R#R$R R7R"RN(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRs  " cBs;eZdddZdZdZdZdZRS(cCsw|dk rt||_n d|_d|_d|_d|_d|_d|_d|_|rs|j |ndS(N( RtstrR5tsourcet destinationtelementtlogtaudittactiont_import_from_string(RR5trule_str((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s        cCsg}xtj|D]}d|kr|jd}t|dks_|d s_|d rxttjd|n|ji|dd6|dd6q|ji|d6qW|jid d6|S( s Lexical analysis t=iiisinternal error in _lexer(): %st attr_namet attr_valueRRtEOL(Rt splitArgsR<R=RRRtappend(RRWttokenstrtattr((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyt_lexers ( &c Cs |sttjdnd|_d|_d|_d|_d|_d|_ d|_ |j |}|r|dj ddkrttjdni}g}d}x ||j ddko|dgks ||j d}||j d}||j d}|rA|d?kr|ttjd|q|n;|d@krf|dkrw|jrwttjd)q||dkr|jrttjd*q||dAkr|jrttjd+||jfq||d kr|jrttjd,q||d!kr,|j r,ttjd-q||dBkr||j r|ttjd.||j fq|nttjd/|t |dkr|t |d0nd1} | d1kr<| r|r|dkrttjd2q9ttjd3||fq d|kr,ttjd4||fq |jdnx| dkr|dkr|dCkryttjd7|n||_q |r|dkrd8} nd9||f} ttj| q |j|n| dkrs|dDkr|||n|d0}qW|j$dS(LNs empty ruleiRRR[truleRYRZR5taddressRRRR)R'R(sto-portsto-addrR&R-R.R0R8sbad attribute '%s'RPRQtservices icmp-blocks icmp-typeR*s forward-ports source-portRSRTtaccepttdroptrejecttmarkR/tnottNOTsmore than one 'source' elements#more than one 'destination' elementsFmore than one element. There cannot be both '%s' and '%s' in one rule.smore than one 'log' elementsmore than one 'audit' elementsOmore than one 'action' element. There cannot be both '%s' and '%s' in one rule.sunknown element %siRs0'family' outside of rule. Use 'rule family=...'.s:'%s' outside of any element. Use 'rule %s= ...'.s,'%s' outside of rule. Use 'rule ... %s ...'.R2R3sH'family' attribute cannot have '%s' value. Use 'ipv4' or 'ipv6' instead.sdwrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'.sDattribute '%s' outside of any element. Use 'rule %s= ...'.sinvalid 'protocol' elementsinvalid 'service' elementsinvalid 'icmp-block' elementsinvalid 'icmp-type' elementsinvalid 'limit' element(sfamilyRcsmacsipsetsinvertsvaluesportsprotocolsto-portsto-addrsnamesprefixslevelstypesset(Rbssources destinationsprotocolRdsports icmp-blocks icmp-types masquerades forward-ports source-portslogsauditReRfRgsmarkslimitRiRjsEOL(sprotocolRdsports icmp-blocks icmp-types masquerades forward-ports source-port(ReRfRgsmark(sipv4sipv6(Rcsmacsipsetsinvert(RiRj(Rcsinvert(RiRj(sportsprotocol(sportsprotocolsto-portsto-addr(sportsprotocol(sprefixslevel(%RRRRR5RPRQRRRSRTRURatgetR=R]tTrueRR%tpoptclearRRRRRRRR RR R R RR RRR7( RRWR^tattrst in_elementstindexRRRYRZt in_elementterr_msg((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRV.st       +  "%,               ?        $            $                 <      $       0                      $             cCs |jdk r6|jdkr6ttj|jn|jdkr|jdk rf|jjdk su|jdk rttjnt |j t krttjqn|j dkr|j dkrttj dn|jdkr|jdkrttj dqnt |j tt tgkr}|jdkr}|jdkr}|j dkr}ttj dq}n|jdk r|jjdk rL|jdkrttjn|jjdk rttj dn|jjdk r ttj dntj|j|jjsttjt|jjqq|jjdk r|jjdk rttj dntj|jjsttjt|jjqq|jjdk rt|jjsttjt|jjqqttj d n|jdk r|jdkrKttjn|jjdksytj|j|jj rttjt|jjqnt |j tkr|j jdkst|j jd kr>ttjt|j jq>n>t |j t krutj!|j j"sEttj#|j j"n|j j$dkr>ttj%|j j$q>nt |j t&krtj'|j j(s>ttj%|j j(q>nt |j tkr/|j dk rttj dn|jdk r>|jjdk r>ttj dq>nt |j tkr|j jdksnt|j jd krttj)t|j jn|j r>ttj dq>nt |j t*kr|j jdkst|j jd kr>ttj)t|j jq>n+t |j t krtj!|j j"sXttj#|j j"n|j j$dkrttj%|j j$n|j j+dkr|j j,dkrttj#|j j+n|j j+dkrtj!|j j+ rttj#|j j+n|j j,dkrPtj-|j|j j, rPttj|j j,n|jdkrqttjn|j dk r>ttj dq>nt |j t.kr tj!|j j"sttj#|j j"n|j j$d kr>ttj%|j j$q>n1|j dk r>ttj dt |j n|jdk r|jj/r|jj/d!krttj0|jj/n|jj1dk r|jj1j2qn|jdk r! t |j t3t4t5gkrttj6t |j n|jj1dk r! |jj1j2q! n|j dk r t |j t4kr[ |j j2|jn%t |j t7kr |j j2n|j j1dk r |j j1j2q ndS("NR2R3sno element, no actions%no element, no source, no destinationsno action, no log, no auditsaddress and macsaddress and ipsets mac and ipsetsinvalid sourceittcptudptsctptdccpsmasquerade and actionsmasquerade and mac sourcesicmp-block and actionRsforward-port and actionsUnknown element %stemergtalerttcritterrortwarningtnoticetinfotdebug(sipv4sipv6(RtRuRvRw(RtRuRvRw(RtRuRvRw(RxRyRzserrorR|R}sinfosdebug(8R5RRRtINVALID_FAMILYRPRRQtMISSING_FAMILYR0RRR RURRRRSRTRRRt check_addresst INVALID_ADDRROt check_mact INVALID_MACRt INVALID_IPSETRR&R=tINVALID_SERVICERt check_portR't INVALID_PORTR(tINVALID_PROTOCOLRt checkProtocolR)tINVALID_ICMPTYPERR+R,tcheck_single_addressRR.tINVALID_LOG_LEVELR/R7R R RtINVALID_AUDIT_TYPER(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR7 s! $$$ $*$!*! *$$     cCsd}|jr#|d|j7}n|jr@|d|j7}n|jr]|d|j7}n|jrz|d|j7}n|jr|d|j7}n|jr|d|j7}n|jr|d|j7}ntjrtj |S|S(NRbs family="%s"s %s( R5RPRQRRRSRTRURtPY2tu2b(RR!((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"s        N(R#R$RR RaRVR7R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s   N(t__all__tfirewallRtfirewall.core.ipsetRtfirewall.core.baseRRtfirewall.errorsRtobjectRRRRRRRRRR R R R R RRRR(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyts8       1