3 Yj=V@sddlZddlZddlmZddlmZmZmZmZm Z m Z m Z m Z m Z mZddlmZmZmZmZmZmZmZmZmZmZmZddlmZddlmZddlm Z ddl!m"Z"dd l#m$Z$Gd d d e%Z&dS) N)log) portStr checkIPnMask checkIP6nMask checkProtocolenable_ip_forwardingcheck_single_addressportInPortRangeget_nf_conntrack_short_namecoalescePortRangebreakPortRange) Rich_Rule Rich_Accept Rich_Service Rich_Port Rich_ProtocolRich_MasqueradeRich_ForwardPortRich_SourcePortRich_IcmpBlock Rich_IcmpType Rich_Mark)FirewallTransaction)errors) FirewallError)LastUpdatedOrderedDict)SOURCE_IPSET_TYPESc@seZdZddZddZddZddZd d Zd d Zd dZ ddZ ddZ ddZ ddZ d ddZddZddZddZd d d!Zd d"d#Zdd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zdd0d1Zd2d3Zdd4d5Zd6d7Zd8d9Zd:d;Zdd?Z dd@dAZ!dBdCZ"ddDdEZ#dFdGZ$dHdIZ%dJdKZ&dLdMZ'dNdOZ(dPdQZ)dRdSZ*ddTdUZ+dVdWZ,ddXdYZ-dZd[Z.d\d]Z/d^d_Z0d`daZ1dbdcZ2ddddeZ3dfdgZ4ddhdiZ5djdkZ6dldmZ7dndoZ8dpdqZ9drdsZ:dtduZ;dvdwZ<ddxdyZ=dzd{Z>dd|d}Z?d~dZ@ddZAddZBddZCddZDdddZEddZFdddZGddZHddZIddZJddZKdddZLddZMdddZNddZOddZPddZQddZRdddZSddZTdddZUddZVddZWdddZXd ddZYd!ddZZddZ[d"ddZ\ddZ]d#ddZ^ddZ_ddZ`ddZad$ddÄZbddńZcd%ddDŽZdddɄZedd˄Zfdd̈́ZgddτZhd&ddфZiddӄZjddՄZkd'ddׄZlddلZmddۄZndd݄Zodd߄ZpddZqddZrddZsddZtddZud(ddZvd)ddZwddZxddZyddZzddZ{d*ddZ|ddZ}ddZ~ddZddZddZddZddZddZd+d d ZdS(,FirewallPolicycCs||_i|_i|_dS)N)_fw_chains _policies)selffwr#/usr/lib/python3.6/fw_policy.py__init__szFirewallPolicy.__init__cCsd|j|j|jfS)Nz %s(%r, %r)) __class__rr )r!r#r#r$__repr__szFirewallPolicy.__repr__cCs|jj|jjdS)N)rclearr )r!r#r#r$cleanups zFirewallPolicy.cleanupcCs t|jS)N)rr)r!r#r#r$new_transaction$szFirewallPolicy.new_transactioncCst|jjS)N)sortedr keys)r!r#r#r$ get_policies)szFirewallPolicy.get_policiescCs8g}x*|jD]}|j|}|js|j|qWt|S)N)r- get_policyderived_from_zoneappendr+)r!Zpoliciespp_objr#r#r$"get_policies_not_derived_from_zone,s  z1FirewallPolicy.get_policies_not_derived_from_zonecCs~g}xt|jD]h}|j|}t|dt|jjjtddgB@rt|dt|jjjtddgB@r|j|qW|S)N ingress_zonesHOSTANY egress_zones)r3 get_settingssetrzoneZget_active_zonesr0)r!Zactive_policiespolicysettingsr#r#r$)get_active_policies_not_derived_from_zone4s ((z8FirewallPolicy.get_active_policies_not_derived_from_zonecCs|jj|}|j|S)N)r check_policyr )r!r;r1r#r#r$r.>s zFirewallPolicy.get_policyc Cs,dddD|_||j|j<|j|jdS)NcSsi|] }t|qSr#)r).0xr#r#r$ Csz-FirewallPolicy.add_policy..servicesports masquerade forward_ports source_ports icmp_blocksrules protocolsicmp_block_inversionr4r7) rBrCrDrErFrGrHrIrJr4r7)r<r namecopy_permanent_to_runtime)r!objr#r#r$ add_policyBs  zFirewallPolicy.add_policycCs0|j|}|jr|j||jj|j|=dS)N)r appliedunapply_policy_settingsr<r()r!r;rMr#r#r$ remove_policyNs    zFirewallPolicy.remove_policycCs|j|}|jrdSx|jD]}|j||ddqWx|jD]}|j||ddqr rOr*r/%_get_table_chains_for_policy_dispatch#_get_table_chains_for_zone_dispatchgen_chain_rulesr8_ingress_egress_zones _icmp_block _forward_port_service_port _protocol _source_port _masquerade_FirewallPolicy__ruler rr[execute) r!enabler;rb_policyrM transactiontablechainr<keyr`r#r#r$_policy_settingssj                zFirewallPolicy._policy_settingscCs|jd||ddS)NT)rb)r)r!r;rbr#r#r$rcsz$FirewallPolicy.apply_policy_settingscCs|jd||ddS)NF)rb)r)r!r;rbr#r#r$rPsz&FirewallPolicy.unapply_policy_settingsc Csr|j|j}|j||j||j||j||j||j||j||j ||j ||j |d }|j j ||S)zH :return: exported config updated with runtime settings ) rBrCrGrDrE rich_rulesrIrFr4r7)r.Zexport_config_dict list_services list_portslist_icmp_blocksquery_masqueradelist_forward_ports list_ruleslist_protocolslist_source_portslist_ingress_zoneslist_egress_zonesrZ'combine_runtime_with_permanent_settings)r!r;Z permanentZruntimer#r#r$get_config_with_settings_dictsz,FirewallPolicy.get_config_with_settings_dictc sddlmd fdd }fdd}jjfjjfjjfjj fj j f||fj j fjjfjjfjjfd }j|}jj||\}} xt| D]l} t| | trxV| | D]8} t| tr|| d|f| q|| d|| qWq|| d|qWx|D]} t|| trxn|| D]J} t| trv|| d|f| d|d n|| d|| d|d qFWn|| d|d|d q(WdS) Nr)r csj||dd|ddS)N)rkr)rgrf)r^)r;rkrgrf)r r!r#r$add_rule_wrapperszFFirewallPolicy.set_config_with_settings_dict..add_rule_wrappercsj||ddS)N)rk) remove_rule)r;rk)r r!r#r$remove_rule_wrapperszIFirewallPolicy.set_config_with_settings_dict..remove_rule_wrapper) rBrCrGrDrErrIrFr4r7rj)rgrf)rN)firewall.core.richr rWremove_servicerX remove_portrUremove_icmp_blockr_remove_masqueraderVremove_forward_portr\remove_protocolr]remove_source_portrSremove_ingress_zonerTremove_egress_zonerrZget_added_and_removed_settings isinstancelisttuple) r!r;r<rfrrZ setting_to_fnZ old_settingsZ add_settingsZremove_settingsr~r`r#)r r!r$set_config_with_settings_dicts:                z,FirewallPolicy.set_config_with_settings_dictcCs&|sttj|dkr"|jj|dS)Nr5r6)r5r6)rr INVALID_ZONEr check_zone)r!r:r#r#r$check_ingress_zones z!FirewallPolicy.check_ingress_zonecCs|j||S)N)r)r!r:r#r#r$Z__ingress_zone_id"s z FirewallPolicy.__ingress_zone_idrTc Cs|jj|}|jj||jj|j|}|j|} | |jdkrXttj d||fd|jdksd|jdks|d kr|jdrttj d|dkrd|jdkrttj d|dkr|j } n|} |rJ|j r|j d|| |j|| ||| j|j|| |j s:||jkrH|j|| d | j|j|dn|j d || n |j|| ||| j|j|| |dkr~| jd dS) Nr4z'%s' already in '%s'r6r5zI'ingress-zones' may only contain one of: many regular zones, ANY, or HOSTr7zF'HOST' can only appear in either ingress or egress zones, but not bothF)rbT)r6r5)rr> check_timeout check_panicr _FirewallPolicy__ingress_zone_idr<rrrZrr*rOro&_FirewallPolicy__register_ingress_zoneadd_fail(_FirewallPolicy__unregister_ingress_zoner=rcrerx) r!r;r:rgrfrbrRrz_objzone_idr{r#r#r$rS&s<         zFirewallPolicy.add_ingress_zonecCs|j|||jd|<dS)Nr4)_FirewallPolicy__gen_settingsr<)r!rrrgrfr#r#r$Z__register_ingress_zoneSsz&FirewallPolicy.__register_ingress_zonecCs|jj|}|jj|j|}|j|}||jdkrLttjd||f|dkr^|j }n|}|j rt |jddkr|j ||n|j d|||j|||j|j||dd||jkr|j d||n|j|j|||dkr|jd|S)Nr4z'%s' not in '%s'rjFT)rr>rr rr<rr NOT_ENABLEDr*rOlenrProrrrr=add_postrx)r!r;r:rbrzrrr{r#r#r$rVs,        z"FirewallPolicy.remove_ingress_zonecCs||jdkr|jd|=dS)Nr4)r<)r!rrr#r#r$Z__unregister_ingress_zoneysz(FirewallPolicy.__unregister_ingress_zonecCs|j||j|dkS)Nr4)rr8)r!r;r:r#r#r$query_ingress_zone}sz!FirewallPolicy.query_ingress_zonecCst|j|djS)Nr4)rr8r,)r!r;r#r#r$rsz!FirewallPolicy.list_ingress_zonescCs&|sttj|dkr"|jj|dS)Nr5r6)r5r6)rrrrr)r!r:r#r#r$check_egress_zones z FirewallPolicy.check_egress_zonecCs|j||S)N)r)r!r:r#r#r$Z__egress_zone_ids zFirewallPolicy.__egress_zone_idc Cs|jj|}|jj||jj|j|}|j|} | |jdkrXttj d||fd|jdksd|jdks|d kr|jdrttj d|dkrd|jdkrttj d|dkr|j } n|} |rJ|j r|j d|| |j|| ||| j|j|| |j s:||jkrH|j|| d | j|j|dn|j d || n |j|| ||| j|j|| |dkr~| jd dS) Nr7z'%s' already in '%s'r6r5zH'egress-zones' may only contain one of: many regular zones, ANY, or HOSTr4zF'HOST' can only appear in either ingress or egress zones, but not bothF)rbT)r6r5)rr>rrr _FirewallPolicy__egress_zone_idr<rrrZrr*rOro%_FirewallPolicy__register_egress_zoner'_FirewallPolicy__unregister_egress_zoner=rcrerx) r!r;r:rgrfrbrRrzrrr{r#r#r$rTs<         zFirewallPolicy.add_egress_zonecCs|j|||jd|<dS)Nr7)rr<)r!rrrgrfr#r#r$Z__register_egress_zonesz%FirewallPolicy.__register_egress_zonecCs|jj|}|jj|j|}|j|}||jdkrLttjd||f|dkr^|j }n|}|j rt |jddkr|j ||n|j d|||j|||j|j||dd||jkr|j d||n|j|j|||dkr|jd|S)Nr7z'%s' not in '%s'rjFT)rr>rr rr<rrrr*rOrrProrrrr=rrx)r!r;r:rbrzrrr{r#r#r$rs,        z!FirewallPolicy.remove_egress_zonecCs||jdkr|jd|=dS)Nr7)r<)r!rrr#r#r$Z__unregister_egress_zonesz'FirewallPolicy.__unregister_egress_zonecCs|j||j|dkS)Nr7)rr8)r!r;r:r#r#r$query_egress_zonesz FirewallPolicy.query_egress_zonecCst|j|djS)Nr7)rr8r,)r!r;r#r#r$rsz FirewallPolicy.list_egress_zonescCs |jdS)N)Zcheck)r!ruler#r#r$ check_ruleszFirewallPolicy.check_rulecCs|j|t|S)N)rstr)r!rr#r#r$Z __rule_ids zFirewallPolicy.__rule_idcCsx|sdS|jr,t|jrdSt|jrtdSnHt|dr@|jr@dSt|drt|jrt|j|j|j|j|j|jSdS)Nipv4ipv6macipset) Zaddrrrhasattrrr_check_ipset_type_for_source_check_ipset_applied _ipset_family)r!sourcer#r#r$_rule_source_ipvs     zFirewallPolicy._rule_source_ipvcCs|j||||dS)N) _rule_prepare)r!ryr;rr{r#r#r$Z__ruleszFirewallPolicy.__rulec CsL|jj|}|jj||jj|j|}|j|}||jdkrh|jrP|jn|} tt j d|| f|js|j rt |j t rd|jdkrtt jdd|jdkrtt jdx6|jdD](} | dkrq|jjj| rtt jd qW|j rt |j trd|jdkr,|j jrtt jd nb|jdr|j jsNtt jd x>|jdD]0} | dkrlqZ|jjj| rZtt jd qZW|jrt |jtrx>|jdD]0} | dkrq|jjj| rtt jd qW|dkr|j} n|} |jr|jd||| |j||||| j|j|||dkrH| jd|S)NrHz'%s' already in '%s'r5r7z.'masquerade' is invalid for egress zone 'HOST'r4z/'masquerade' is invalid for ingress zone 'HOST'r6zR'masquerade' cannot be used in a policy if an ingress zone has assigned interfaceszAA 'forward-port' with 'to-addr' is invalid for egress zone 'HOST'zC'forward-port' requires 'to-addr' if egress zone is 'ANY' or a zonezS'forward-port' cannot be used in a policy if an egress zone has assigned interfaceszR'mark' action cannot be used in a policy if an egress zone has assigned interfacesT)r6r5)rr>rrr _FirewallPolicy__rule_idr<r/rrrZelementrrrr:list_interfacesr to_addressINVALID_FORWARDactionrr*rOrw_FirewallPolicy__register_ruler _FirewallPolicy__unregister_rulerx) r!r;rrgrfrbrzrrule_id_namer:r{r#r#r$r^ s`                 zFirewallPolicy.add_rulecCs|j|||jd|<dS)NrH)rr<)r!rrrgrfr#r#r$Z__register_ruleEszFirewallPolicy.__register_rulec Cs|jj|}|jj|j|}|j|}||jdkr\|jrD|jn|}ttj d||f|dkrn|j }n|}|j r|j d||||j |j|||dkr|jd|S)NrHz'%s' not in '%s'FT)rr>rr rr<r/rrrr*rOrwrrrx) r!r;rrbrzrrrr{r#r#r$rIs"      zFirewallPolicy.remove_rulecCs||jdkr|jd|=dS)NrH)r<)r!rrr#r#r$Z__unregister_ruledsz FirewallPolicy.__unregister_rulecCs|j||j|dkS)NrH)rr8)r!r;rr#r#r$ query_rulehszFirewallPolicy.query_rulecCst|j|djS)NrH)rr8r,)r!r;r#r#r$rkszFirewallPolicy.list_rulescCs|jj|dS)N)r check_service)r!servicer#r#r$rpszFirewallPolicy.check_servicecCs|j||S)N)r)r!rr#r#r$Z __service_idss zFirewallPolicy.__service_idc Cs|jj|}|jj||jj|j|}|j|}||jdkrh|jrP|jn|} tt j d|| f|dkrz|j } n|} |j r|j d||| |j||||| j|j|||dkr| jd|S)NrBz'%s' already in '%s'T)rr>rrr _FirewallPolicy__service_idr<r/rrrZr*rOrr!_FirewallPolicy__register_servicer#_FirewallPolicy__unregister_servicerx) r!r;rrgrfrbrzr service_idrr{r#r#r$rWws&       zFirewallPolicy.add_servicecCs|j|||jd|<dS)NrB)rr<)r!rrrgrfr#r#r$Z__register_servicesz!FirewallPolicy.__register_servicec Cs|jj|}|jj|j|}|j|}||jdkr\|jrD|jn|}ttj d||f|dkrn|j }n|}|j r|j d||||j |j|||dkr|jd|S)NrBz'%s' not in '%s'FT)rr>rr rr<r/rrrr*rOrrrrrx) r!r;rrbrzrrrr{r#r#r$rs"      zFirewallPolicy.remove_servicecCs||jdkr|jd|=dS)NrB)r<)r!rrr#r#r$Z__unregister_servicesz#FirewallPolicy.__unregister_servicecCs|j||j|dkS)NrB)rr8)r!r;rr#r#r$ query_serviceszFirewallPolicy.query_servicecCs|j|djS)NrB)r8r,)r!r;r#r#r$rszFirewallPolicy.list_servicesc CsTg}xJ|D]B}y|jjj|}Wn tk r@ttj|YnX|j|q W|S)N)rhelper get_helperrrINVALID_HELPERr0)r!helpers_helpersr_helperr#r#r$get_helpers_for_service_helperss z.FirewallPolicy.get_helpers_for_service_helperscCsg}x|D]}y|jjj|}Wn tk r@ttj|YnXt|jdkrt|j }y|jjj|}|j |Wqtk r|rt j d|w YqXq |j |q W|S)NrjzHelper '%s' is not available) rrrrrrrrCr moduler0rr[)r!modulesryrrr_module_short_namerr#r#r$get_helpers_for_service_moduless"   z.FirewallPolicy.get_helpers_for_service_modulescCs|jj||jj|dS)N)r check_port check_tcpudp)r!portprotocolr#r#r$rs zFirewallPolicy.check_portcCs|j||t|d|fS)N-)rr)r!rrr#r#r$Z __port_ids zFirewallPolicy.__port_idcs|jj|}|jj||jj|j|}ttfdd|jd} x@| D]8} t|| drN|j rl|j n|} t t j d|| fqNWt |dd| D\} } |dkr|j}n|}|jr x$| D]}|jd|t|d |qWx$| D]}|jd |t|d |qWx:| D]2}|j|} |j|| |||j|j|| qWx*| D]"}|j|} |j|j|| qNW|dkr|jd|S) Ncs |dkS)Nrjr#)r@)rr#r$sz)FirewallPolicy.add_port..rCrz'%s:%s' already in '%s'cSsg|] \}}|qSr#r#)r?rsrtr#r#r$ sz+FirewallPolicy.add_port..TrF)rr>rrr rfilterr<r r/rrrZr r*rOrsr_FirewallPolicy__port_id_FirewallPolicy__register_portr _FirewallPolicy__unregister_portrrx)r!r;rrrgrfrbrzrexisting_port_idsport_idr added_rangesremoved_rangesr{ranger#)rr$rXs:              zFirewallPolicy.add_portcCs|j|||jd|<dS)NrC)rr<)r!rrrgrfr#r#r$Z__register_portszFirewallPolicy.__register_portcs|jj|}|jj|j|}ttfdd|jd}xB|D]}t||drBPqBW|jrf|jn|} t t j d|| ft |dd|D\} } |dkr|j } n|} |jrx$| D]} |jd|t| d | qWx$| D]} |jd |t| d | qWx:| D]2} |j| }|j||dd| j|j||qWx*| D]"} |j| }| j|j||qDW|dkr~| jd|S) Ncs |dkS)Nrjr#)r@)rr#r$rsz,FirewallPolicy.remove_port..rCrz'%s:%s' not in '%s'cSsg|] \}}|qSr#r#)r?rsrtr#r#r$r#sz.FirewallPolicy.remove_port..TrF)rr>rr rrr<r r/rrrr r*rOrsrrrrrrrx)r!r;rrrbrzrrrrrrr{rr#)rr$rs:             zFirewallPolicy.remove_portcCs||jdkr|jd|=dS)NrC)r<)r!rrr#r#r$Z__unregister_port=sz FirewallPolicy.__unregister_portcCs6x0|j|dD]\}}t||r||krdSqWdS)NrCTF)r8r )r!r;rrrsrtr#r#r$ query_portAszFirewallPolicy.query_portcCst|j|djS)NrC)rr8r,)r!r;r#r#r$rHszFirewallPolicy.list_portscCst|sttj|dS)N)rrrZINVALID_PROTOCOL)r!rr#r#r$check_protocolMszFirewallPolicy.check_protocolcCs|j||S)N)r)r!rr#r#r$Z __protocol_idQs zFirewallPolicy.__protocol_idc Cs|jj|}|jj||jj|j|}|j|}||jdkrh|jrP|jn|} tt j d|| f|dkrz|j } n|} |j r|j d||| |j||||| j|j|||dkr| jd|S)NrIz'%s' already in '%s'T)rr>rrr _FirewallPolicy__protocol_idr<r/rrrZr*rOrt"_FirewallPolicy__register_protocolr$_FirewallPolicy__unregister_protocolrx) r!r;rrgrfrbrzr protocol_idrr{r#r#r$r\Us&       zFirewallPolicy.add_protocolcCs|j|||jd|<dS)NrI)rr<)r!rrrgrfr#r#r$Z__register_protocolrsz"FirewallPolicy.__register_protocolc Cs|jj|}|jj|j|}|j|}||jdkr\|jrD|jn|}ttj d||f|dkrn|j }n|}|j r|j d||||j |j|||dkr|jd|S)NrIz'%s' not in '%s'FT)rr>rr rr<r/rrrr*rOrtrrrx) r!r;rrbrzrrrr{r#r#r$rvs$       zFirewallPolicy.remove_protocolcCs||jdkr|jd|=dS)NrI)r<)r!rrr#r#r$Z__unregister_protocolsz$FirewallPolicy.__unregister_protocolcCs|j||j|dkS)NrI)rr8)r!r;rr#r#r$query_protocolszFirewallPolicy.query_protocolcCst|j|djS)NrI)rr8r,)r!r;r#r#r$rszFirewallPolicy.list_protocolscCs|j||t|d|fS)Nr)rr)r!rrr#r#r$Z__source_port_ids zFirewallPolicy.__source_port_idcs|jj|}|jj||jj|j|}ttfdd|jd} x@| D]8} t|| drN|j rl|j n|} t t j d|| fqNWt |dd| D\} } |dkr|j}n|}|jr x$| D]}|jd|t|d |qWx$| D]}|jd |t|d |qWx:| D]2}|j|} |j|| |||j|j|| qWx*| D]"}|j|} |j|j|| qNW|dkr|jd|S) Ncs |dkS)Nrjr#)r@)rr#r$rsz0FirewallPolicy.add_source_port..rFrz'%s:%s' already in '%s'cSsg|] \}}|qSr#r#)r?rsrtr#r#r$rsz2FirewallPolicy.add_source_port..TrF)rr>rrr rrr<r r/rrrZr r*rOrur_FirewallPolicy__source_port_id%_FirewallPolicy__register_source_portr'_FirewallPolicy__unregister_source_portrrx)r!r;rrrgrfrbrzrrrrrrr{rr#)rr$r]s:              zFirewallPolicy.add_source_portcCs|j|||jd|<dS)NrF)rr<)r!rrrgrfr#r#r$Z__register_source_portsz%FirewallPolicy.__register_source_portcs|jj|}|jj|j|}ttfdd|jd}xB|D]}t||drBPqBW|jrf|jn|} t t j d|| ft |dd|D\} } |dkr|j } n|} |jrx$| D]} |jd|t| d | qWx$| D]} |jd |t| d | qWx:| D]2} |j| }|j||dd| j|j||qWx*| D]"} |j| }| j|j||qDW|dkr~| jd|S) Ncs |dkS)Nrjr#)r@)rr#r$rsz3FirewallPolicy.remove_source_port..rFrz'%s:%s' not in '%s'cSsg|] \}}|qSr#r#)r?rsrtr#r#r$rsz5FirewallPolicy.remove_source_port..TrF)rr>rr rrr<r r/rrrr r*rOrurrrrrrrx)r!r;rrrbrzrrrrrrr{rr#)rr$rs:             z!FirewallPolicy.remove_source_portcCs||jdkr|jd|=dS)NrF)r<)r!rrr#r#r$Z__unregister_source_portsz'FirewallPolicy.__unregister_source_portcCs6x0|j|dD]\}}t||r||krdSqWdS)NrFTF)r8r )r!r;rrrsrtr#r#r$query_source_portsz FirewallPolicy.query_source_portcCst|j|djS)NrF)rr8r,)r!r;r#r#r$rsz FirewallPolicy.list_source_portscCsdS)NTr#)r!r#r#r$Z__masquerade_idszFirewallPolicy.__masquerade_idc Cs8|jj|}|jj||jj|j|}|j}||jdkrb|jrN|jn|}tt j d||jsd|jdkrtt j dd|jdkrtt j dx6|jdD](} | dkrq|jj j | rtt j d qW|dkr|j} n|} |jr|jd || |j||||| j|j|||dkr4| jd |S) NrDz"masquerade already enabled in '%s'r5r7z.'masquerade' is invalid for egress zone 'HOST'r4z/'masquerade' is invalid for ingress zone 'HOST'r6zR'masquerade' cannot be used in a policy if an ingress zone has assigned interfacesT)rr>rrr _FirewallPolicy__masquerade_idr<r/rrrZrr:rr*rOrv$_FirewallPolicy__register_masquerader&_FirewallPolicy__unregister_masqueraderx) r!r;rgrfrbrzr masquerade_idrr:r{r#r#r$r_ s:          zFirewallPolicy.add_masqueradecCs|j|||jd|<dS)NrD)rr<)r!rrrgrfr#r#r$Z__register_masquerade2sz$FirewallPolicy.__register_masqueradecCs|jj|}|jj|j|}|j}||jdkrV|jrB|jn|}ttj d||dkrh|j }n|}|j r|j d|||j |j|||dkr|jd|S)NrDzmasquerade not enabled in '%s'FT)rr>rr rr<r/rrrr*rOrvrrrx)r!r;rbrzrrrr{r#r#r$r6s"      z FirewallPolicy.remove_masqueradecCs||jdkr|jd|=dS)NrD)r<)r!rrr#r#r$Z__unregister_masqueradePsz&FirewallPolicy.__unregister_masqueradecCs|j|j|dkS)NrD)rr8)r!r;r#r#r$rTszFirewallPolicy.query_masqueradecCs^|jj||jj||r(|jj||rBt||sBttj|| rZ| rZttjddS)Nz.port-forwarding is missing to-port AND to-addr)rrrrrrZ INVALID_ADDRr)r!ipvrrtoporttoaddrr#r#r$check_forward_portYs      z!FirewallPolicy.check_forward_portcCsLtd|r|jd||||n|jd||||t|d|t|dt|fS)Nrrr)rrrr)r!rrrrr#r#r$Z__forward_port_idfs   z FirewallPolicy.__forward_port_idc CsZ|jj|} |jj||jj|j| } |j||||} | | jdkrt| jrV| jn| } tt j d||||| f| jsd| jdkr|rtt j dnR| jdr|stt j dx6| jdD](} | dkrq|jj j | rtt jdqW|dkr|j}n|}| jr"|jd | ||||||j| | |||j|j| | |dkrV|jd | S) NrEz'%s:%s:%s:%s' already in '%s'r5r7zAA 'forward-port' with 'to-addr' is invalid for egress zone 'HOST'zC'forward-port' requires 'to-addr' if egress zone is 'ANY' or a zoner6zS'forward-port' cannot be used in a policy if an egress zone has assigned interfacesT)rr>rrr _FirewallPolicy__forward_port_idr<r/rrrZrr:rrr*rOrq&_FirewallPolicy__register_forward_portr(_FirewallPolicy__unregister_forward_portrx)r!r;rrrrrgrfrbrzr forward_idrr:r{r#r#r$rVnsB          zFirewallPolicy.add_forward_portcCs|j|||jd|<dS)NrE)rr<)r!rrrgrfr#r#r$Z__register_forward_portsz&FirewallPolicy.__register_forward_portc Cs|jj|}|jj|j|}|j||||} | |jdkrh|jrJ|jn|} ttj d||||| f|dkrz|j } n|} |j r|j d|| ||||| j |j|| |dkr| jd|S)NrEz'%s:%s:%s:%s' not in '%s'FT)rr>rr rr<r/rrrr*rOrqrrrx) r!r;rrrrrbrzrrrr{r#r#r$rs&     z"FirewallPolicy.remove_forward_portcCs||jdkr|jd|=dS)NrE)r<)r!rrr#r#r$Z__unregister_forward_portsz(FirewallPolicy.__unregister_forward_portcCs"|j||||}||j|dkS)NrE)rr8)r!r;rrrrrr#r#r$query_forward_portsz!FirewallPolicy.query_forward_portcCst|j|djS)NrE)rr8r,)r!r;r#r#r$rsz!FirewallPolicy.list_forward_portscCs|jj|dS)N)rZcheck_icmptype)r!icmpr#r#r$check_icmp_blockszFirewallPolicy.check_icmp_blockcCs|j||S)N)r)r!rr#r#r$Z__icmp_block_ids zFirewallPolicy.__icmp_block_idc Cs|jj|}|jj||jj|j|}|j|}||jdkrh|jrP|jn|} tt j d|| f|dkrz|j } n|} |j r|j d||| |j||||| j|j|||dkr| jd|S)NrGz'%s' already in '%s'T)rr>rrr _FirewallPolicy__icmp_block_idr<r/rrrZr*rOrp$_FirewallPolicy__register_icmp_blockr&_FirewallPolicy__unregister_icmp_blockrx) r!r;rrgrfrbrzricmp_idrr{r#r#r$rUs&       zFirewallPolicy.add_icmp_blockcCs|j|||jd|<dS)NrG)rr<)r!rr rgrfr#r#r$Z__register_icmp_blocksz$FirewallPolicy.__register_icmp_blockc Cs|jj|}|jj|j|}|j|}||jdkr\|jrD|jn|}ttj d||f|dkrn|j }n|}|j r|j d||||j |j|||dkr|jd|S)NrGz'%s' not in '%s'FT)rr>rr rr<r/rrrr*rOrprr rx) r!r;rrbrzrr rr{r#r#r$rs"      z FirewallPolicy.remove_icmp_blockcCs||jdkr|jd|=dS)NrG)r<)r!rr r#r#r$Z__unregister_icmp_block sz&FirewallPolicy.__unregister_icmp_blockcCs|j||j|dkS)NrG)rr8)r!r;rr#r#r$query_icmp_blockszFirewallPolicy.query_icmp_blockcCs|j|djS)NrG)r8r,)r!r;r#r#r$rszFirewallPolicy.list_icmp_blockscCsdS)NTr#)r!r#r#r$Z__icmp_block_inversion_idsz(FirewallPolicy.__icmp_block_inversion_idc Cs|jj|}|jj|j|}|j}||jdkrV|jrB|jn|}ttj d||dkrh|j }n|}|j rx&|j |dD]} |j d|| |qW|jd|||j||||j|j||||j rx&|j |dD]} |j d|| |qW|jd|||dkr|jd|S)NrJz,icmp-block-inversion already enabled in '%s'rGFT)rr>rr (_FirewallPolicy__icmp_block_inversion_idr<r/rrrZr*rOr8rp_icmp_block_inversion._FirewallPolicy__register_icmp_block_inversionr*_FirewallPolicy__undo_icmp_block_inversionrx) r!r;rfrbrzricmp_block_inversion_idrr{r`r#r#r$add_icmp_block_inversions6        z'FirewallPolicy.add_icmp_block_inversioncCs|jd||jd|<dS)NrrJ)rr<)r!rrrfr#r#r$Z__register_icmp_block_inversionEsz.FirewallPolicy.__register_icmp_block_inversioncCs|j}|jr6x&|j|dD]}|jd|||qW||jdkrP|jd|=|jr~x&|j|dD]}|jd|||qfW|jddS)NrGFrJT)r*rOr8rpr<rx)r!rzrrr{r`r#r#r$Z__undo_icmp_block_inversionJs z*FirewallPolicy.__undo_icmp_block_inversionc Cs|jj|}|jj|j|}|j}||jdkrV|jrB|jn|}ttj d||dkrh|j }n|}|j rx&|j |dD]}|j d|||qW|jd|||j|||j|j||d|j rx&|j |dD]}|j d|||qW|jd|||dkr|jd|S)NrJz(icmp-block-inversion not enabled in '%s'rGFT)rr>rr r r<r/rrrr*rOr8rpr0_FirewallPolicy__unregister_icmp_block_inversionrrrx) r!r;rbrzrrrr{r`r#r#r$remove_icmp_block_inversion\s6        z*FirewallPolicy.remove_icmp_block_inversioncCs||jdkr|jd|=dS)NrJ)r<)r!rrr#r#r$Z!__unregister_icmp_block_inversionsz0FirewallPolicy.__unregister_icmp_block_inversioncCs|j|j|dkS)NrJ)r r8)r!r;r#r#r$query_icmp_block_inversionsz)FirewallPolicy.query_icmp_block_inversionc Cs|jjj|}|jr*|jjj|jd}n|}|rT||jkrt||f|j|krtdSn ||jksp||f|j|krtdSx@|jjD]2}|jr||j kr|j ||||} |j || qW|j ||||fg|j |j || ||fgdS)Nr)rr;r.r/r:Z_zone_policiesrenabled_backendspolicies_supportedZget_available_tablesZbuild_policy_chain_rules add_rules_register_chainsr) r!r;creater|r}r{rMZtracking_policybackendrHr#r#r$rns$   zFirewallPolicy.gen_chain_rulescCsbx\|D]T\}}|r,|jj|gj||fq|j|j||ft|j|dkr|j|=qWdS)Nr)r setdefaultr0remover)r!r;rZtablesr|r}r#r#r$rs zFirewallPolicy._register_chainscCs$|jjj|dkrdS|jjj|S)Nzhash:mac)rrget_typeZ get_family)r!rKr#r#r$rszFirewallPolicy._ipset_familycCs|jjj|S)N)rrr)r!rKr#r#r$Z __ipset_typeszFirewallPolicy.__ipset_typecCsdj|g|jjj|S)N,)joinrrZ get_dimension)r!rKflagr#r#r$_ipset_match_flagssz!FirewallPolicy._ipset_match_flagscCs|jjj|S)N)rrZ check_applied)r!rKr#r#r$rsz#FirewallPolicy._check_ipset_appliedcCs*|j|}|tkr&ttjd||fdS)Nz.ipset '%s' with type '%s' not usable as source)_FirewallPolicy__ipset_typerrrZ INVALID_IPSET)r!rKZ_typer#r#r$rs  z+FirewallPolicy._check_ipset_type_for_sourcec st|jtkrjjj|jj}|dkr2|jjg}xR|jD]H}||krHq:j||j |t j |}||j_j |||||dq:Wg} |j r|j g} nH|jrt|jtst|jtrjjj|jjjrfdddD} j|j} | r&|j r |j | kr&ttjd| |j fn| g} | s4ddg} fdd| D} | |_x2tfdd| DD]} t|jtkrjjj|jj}g} t|jd kr|jrttjd xB| D].} | |jkr| j| r| j |j| qWn | j dx~| D]}t|jtkrj|j |}|j!|j"7}t#t|d d d }g}x|D]}|j$}t%|}|j&dd}|j ||j dkr| j|j  rqTt|j'dkr|j |n:x8|j'D].\}}| j(||||||j|}|j)| |qWqTW|j*|x4|j'D]*\}}| j+||||||}|j)| |q Wx.|j,D]$}| j-|||||}|j)| |q@Wx4|j.D]*\}}| j/||||||}|j)| |qpWqWqft|jt0kr|jj1}|jj2}j3||| j+||||d|}|j)| |qft|jt4kr<|jj5}j6|| j-|||d|}|j)| |qft|jt7kr|rzx&| D]} | j| rX|j8t9| qXW| j:|||}|j)| |qft|jt;kr4|jj1}|jj2}|jj<}|jj=}xD| D]<} | j| rj>| |||||r|r|j8t9| qW| j?|||||||}|j)| |qft|jt@kr|jj1}|jj2}j3||| j/||||d|}|j)| |nt|jtkst|jtkr>jjj|jj|j rjr|j jkrttjAd|j |jjft|jtkr |jr t|jtkr ttjd| jB|||}|j)| |n>|jdkrf| jC|||}|j)| |nttjdt|jqfWdS)N)included_servicescsg|]}|jkr|qSr#) destination)r?r)ictr#r$rsz0FirewallPolicy._rule_prepare..rrz;Source address family '%s' conflicts with rule family '%s'.csg|]}jj|r|qSr#)ris_ipv_enabled)r?r)r!r#r$rscsg|]}jj|qSr#)rget_backend_by_ipv)r?r@)r!r#r$rsrz"Destination conflict with service.cSs|jS)N)rK)r@r#r#r$rsz.FirewallPolicy._rule_prepare..)r~ conntracknatrrjz3rich rule family '%s' conflicts with icmp type '%s'z'IcmpBlock not usable with accept actionzUnknown element %s)rr)Dtyperrrr get_servicerKincludesrr0copydeepcopyrfamilyrrrconfig get_icmptyper%rrrrZ INVALID_RULEipvsr9ris_ipv_supportedrrrrrrr+rr replacerCbuild_policy_helper_ports_rulesrZ add_modulesbuild_policy_ports_rulesrIbuild_policy_protocol_rulesrFbuild_policy_source_ports_rulesrrrrrvaluerrrrbuild_policy_masquerade_rulesrZto_portrrbuild_policy_forward_port_rulesrZINVALID_ICMPTYPEbuild_policy_icmp_block_rulesZ*build_policy_rich_source_destination_rules)r!ryr;rr{r$svcincludeZ_ruler3Z source_ipvrZ destinationsrr%rrrrr nat_modulerprotorHrrrr#)r&r!r$rs                             zFirewallPolicy._rule_preparec Csb|jjj|}|j|j|}||j|j7}tt|ddd}|dkrN|g}x@|j D]6}||krdqV|j ||j ||j |||||dqVWg} xnd D]f} |jj | sq|jj| } t|jdkr| |jkr| j | |j| fq| df| kr| j | dfqWxV| D]L\} } x|D]} | j}t|}| jjdd }|j|| jd krf| j| j rfqt| jd kr|j|n:x8| jD].\}}| j||||| | j|}|j| |qWqWx2|jD](\}}| j||||| }|j| |qWx,|jD]"}| j|||| }|j| |qWx2|jD](\}}| j||||| }|j| |q,Wq WdS) NcSs|jS)N)rK)r@r#r#r$rsz)FirewallPolicy._service..)r~)r$rrrr)r*rrj)rr) rrr,rrrrr+r9r-rr0rrr'r(rr%rr r5Z add_moduler0r4rCr6rKrr7rIr8rFr9)r!ryr;rr{r$r>rr?Z backends_ipvrrr%rrrr@rrArHrr#r#r$rrsb               zFirewallPolicy._servicecCs<x6|jjD](}|jsq |j||||}|j||q WdS)N)rrrr7r)r!ryr;rrr{rrHr#r#r$rss  zFirewallPolicy._portcCs:x4|jjD]&}|jsq |j|||}|j||q WdS)N)rrrr8r)r!ryr;rr{rrHr#r#r$rts zFirewallPolicy._protocolcCs<x6|jjD](}|jsq |j||||}|j||q WdS)N)rrrr9r)r!ryr;rrr{rrHr#r#r$rus zFirewallPolicy._source_portcCs8d}|jt||jj|}|j||}|j||dS)Nr)rrrr(r;r)r!ryr;r{rrrHr#r#r$rvs    zFirewallPolicy._masqueradec CsXtd|rd}nd}|r(|r(|jt||jj|} | j||||||} |j| | dS)Nrr)rrrrr(r<r) r!ryr;r{rrrrrrrHr#r#r$rqs    zFirewallPolicy._forward_portc Cs|jjj|}xl|jjD]^}|js&qd}|jrXx&dD]}||jkr6|j|s6d}Pq6W|r^q|j|||} |j|| qWdS)NFrrT)rr) rr1r2rrr%r4r=r) r!ryr;rr{r&rZ skip_backendrrHr#r#r$rps   zFirewallPolicy._icmp_blockcCsh|j|j}|dkrdS|j| r0|dkr0dSx2|jjD]$}|jsHq<|j||}|j||q|jdD]}|jjj|drfPqfW|jd$|jd%|Sd&g}|jjs|jd'x4|jdD]}|jjj|drPqW|jd(x>|jdD]}|jjj|drPqW|jd)|jd*|SdS)+z:Create a list of (table, chain) needed for policy dispatchr6r4r5r7rrOr*rKmanglerLrPrNrMZ interfacesN)rrO)r*rK)rSrK)rLrK)rrO)rLrK)rrP)rrN)r*rK)r*rM)rSrK)rLrK)rrN)r*rK)rSrK)rLrK)r*rM)rrN)r*rM)rLrK)r*rK)rSrK)rrN)rLrK)r*rM)r*rK)rSrK)r r<rnftables_enabledr0r:r8)r!r;rMtcr:r#r#r$rlsj                 z4FirewallPolicy._get_table_chains_for_policy_dispatchcCsr|j|}d|jdkr4dg}|jjs0|jd|Sd|jdkrLdddgSd|jd krbddgStd|SdS)z8Create a list of (table, chain) needed for zone dispatchr5r7rrOrLrKr6 FORWARD_INr*rSr4 FORWARD_OUTrMzInvalid policy: %sN)rrO)rLrK)rrV)r*rK)rSrK)rrW)r*rM)r r<rrTr0r)r!r;rMrUr#r#r$rms  z2FirewallPolicy._get_table_chains_for_zone_dispatchFcCs|jjj|}|jr|j}n||}d|jdkrl|dkrBd|S|dkrRd|S|jsh|dkrhd|SnJd|jd kr|js|dkrd |Sn"d |jdkr|dkr|jrd |Sd |Sn0|dkr|rd|Sd|Sn|dkrd|Snd |jd krh|dkr*|jr d|Sd |Sn<|dkrL|rBd|Sd|Sn|dkr|jsd|SnN|js|dkrd |S|dkr|rd|Sd|Sn|dkrd|Std|||fS)Nr5r7rZIN_rLZPRE_rSr*r4ZOUT_r6ZFWDI_ZFWD_ZPOST_ZFWDO_z.Can't convert policy to chain name: %s, %s, %s)rSr*)rSrL)rSrL)rSrL)rr;r.r/r<r)r!r;r|Z policy_prefixZisSNATrMsuffixr#r#r$policy_base_chain_namesb                z%FirewallPolicy.policy_base_chain_name)N)N)N)N)rNNT)N)rNNT)N)rNN)N)rNN)N)rNN)N)rNN)N)rNN)N)rNN)N)NN)NN)NNrNN)NNN)NN)rNN)N)NN)N)N)N)NN)F)__name__ __module__ __qualname__r%r'r)r*r-r3r=r.rNrQrLrdrerr8rrcrPrrrrrSrrrrrrrrTrrrrrrrrrwr^rrrrrrrrWrrrrrrrrrrXrrrrrrrr\rrrrrrr]rrrrrrr_rrrrrrrVrrrrrrrrUr rr r rr rrrrrrrnrrr#r"rrrrrrsrtrurvrqrprrJrQrRrorlrmrYr#r#r#r$rs$  '  ?  . , # , # :     ' (   ' ( '   +     ) )  @ @    ( P r)'rhr.Zfirewall.core.loggerrZfirewall.functionsrrrrrrr r r r rr rrrrrrrrrrZfirewall.core.fw_transactionrZfirewallrZfirewall.errorsrZfirewall.fw_typesrZfirewall.core.baserobjectrr#r#r#r$s 04