3 Yj%@s<ddlZddlZddlmZddlmZddlmZm Z m Z m Z m Z m Z mZmZddlmZddlmZmZmZmZmZmZddlmZmZmZmZmZmZm Z ddl!m"Z"m#Z#ddl$Z$d Z%d d d gd d gd dd d d gd dd gd d d gdZ&dddZ'dddZ(ddZ)ddZ*ddZ+Gddde,Z-Gddde-Z.dS)N)runProg)log)tempFilereadfile splitArgs check_macportStrcheck_single_address check_address normalizeIP6)config) FirewallErrorINVALID_PASSTHROUGH INVALID_RULE UNKNOWN_ERROR INVALID_ADDRINVALID_ICMPTYPE) Rich_Accept Rich_Reject Rich_Drop Rich_MarkRich_MasqueradeRich_ForwardPortRich_IcmpBlock) ICMP_TYPES ICMPV6_TYPESINPUTOUTPUTFORWARD PREROUTING POSTROUTING)securityrawmanglenatfilterzicmp-host-prohibitedzicmp6-adm-prohibited)ipv4ipv6icmpz ipv6-icmpcCsddddddd}|dd}x~|D]v}y|j|}Wntk rLw$YnX|d kryt||d Wntk r~YnX|j|d ||||<q$W|S) z Inverse valid rule z-Dz--deletez-Xz--delete-chain)z-Az--appendz-Iz--insertz-Nz --new-chainN-I--insert)r*r+)index Exceptionintpop)args replace_argsret_argsargidxr6/usr/lib/python3.6/ipXtables.pycommon_reverse_rule;s(  r8cCsddddddd}|dd}x|D]x}y|j|}Wntk rLw$YnX|d kryt||d Wntk r~YnX|j|d ||||<|SWttd dS) z Reverse valid passthough rule z-Dz--deletez-Xz--delete-chain)z-Az--appendz-Iz--insertz-Nz --new-chainN-I--insertr,zno '-A', '-I' or '-N' arg)r9r:)r- ValueErrorr/r0r r)r1r2r3xr5r6r6r7common_reverse_passthrough`s,   r=cCst|}tddddddddd d d d d dddddddg}t||@dkrbttdt||@dtddddddg}t||@dkrttddS)zZ Check if passthough rule is valid (only add, insert and new chain rules are allowed) z-Cz--checkz-Dz--deletez-Rz --replacez-Lz--listz-Sz --list-rulesz-Fz--flushz-Zz--zeroz-Xz--delete-chainz-Pz--policyz-Ez--rename-chainrzarg '%s' is not allowedz-Az--appendz-Iz--insertz-Nz --new-chainzno '-A', '-I' or '-N' argN)setlenr rlist)r1Z not_allowedZneededr6r6r7common_check_passthroughs*  rAc@seZdZdZdZdZddZddZddZd d Z d d Z d dZ ddZ ddZ ddZddZddZddZddZddZdd Zdjd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zdkd,d-Zd.d/Zdld1d2Zd3d4Zd5d6Zdmd8d9Zdnd:d;Z dd?Z"d@dAZ#dBdCZ$dDdEZ%dFdGZ&dHdIZ'dJdKZ(dLdMZ)dNdOZ*dPdQZ+dodRdSZ,dpdTdUZ-dqdVdWZ.dXdYZ/drdZd[Z0dsd\d]Z1dtd^d_Z2d`daZ3dudbdcZ4dddeZ5dfdgZ6dhdiZ7d!S)v ip4tablesr'TcCsd||_tj|j|_tjd|j|_|j|_|j|_ |j g|_ i|_ i|_ g|_i|_dS)Nz %s-restore)_fwr ZCOMMANDSipv_command_restore_command_detect_wait_option wait_option_detect_restore_wait_optionrestore_wait_option fill_existsavailable_tablesrich_rule_priority_countspolicy_priority_countszone_source_index_cache our_chains)selffwr6r6r7__init__s  zip4tables.__init__cCs$tjj|j|_tjj|j|_dS)N)ospathexistsrEZcommand_existsrFZrestore_command_exists)rQr6r6r7rKszip4tables.fill_existscCs|jr(|j|kr(|jgdd|D}ndd|D}tjd|j|jdj|t|j|\}}|dkrtd|jdj||f|S)NcSsg|] }d|qS)z%sr6).0itemr6r6r7 sz#ip4tables.__run..cSsg|] }d|qS)z%sr6)rWrXr6r6r7rYsz %s: %s %s rz'%s %s' failed: %s)rHrdebug2 __class__rEjoinrr;)rQr1Z_argsstatusretr6r6r7Z__runszip4tables.__runc Cs<y|j|}Wntk r"dSX||||d<dSdS)NFT)r-r;)rQrulepatternZ replacementir6r6r7 _rule_replaces zip4tables._rule_replacecCs|tko|t|kS)N)BUILT_IN_CHAINS)rQrDtablechainr6r6r7is_chain_builtinszip4tables.is_chain_builtincCs2d|g}|r|jdn |jd|j||gS)Nz-tz-Nz-X)append)rQaddrfrgrar6r6r7build_chain_ruless    zip4tables.build_chain_rulescCs8d|g}|r |d|t|g7}n |d|g7}||7}|S)Nz-tz-Iz-D)str)rQrjrfrgr-r1rar6r6r7 build_rules  zip4tables.build_rulecCst|S)N)r8)rQr1r6r6r7 reverse_ruleszip4tables.reverse_rulecCs t|dS)N)rA)rQr1r6r6r7check_passthroughszip4tables.check_passthroughcCst|S)N)r=)rQr1r6r6r7reverse_passthroughszip4tables.reverse_passthroughcCsd}y|jd}Wntk r&YnXt||dkrD||d}d}xLd D]D}y|j|}Wntk rtYqNXt||dkrN||d}qNW||fS) Nr&z-tr`-A--append-I--insert-N --new-chain)rqrrrsrtrurv)r-r;r?)rQr1rfrcrgoptr6r6r7passthrough_parse_table_chains$ z'ip4tables.passthrough_parse_table_chaincCs4yH|jd}|j||j|}d|dkr:||df}n ||df}WnFtk ry|jd}|j|d}Wntk rdSXYnXd}|ddkrd }|r| r||kr|j|nn|r0|r||kr|j||jd d d|j|}n|jjr d}nt|}d|d<|j dd|ddS)Nz%%ZONE_SOURCE%%z-mz%%ZONE_INTERFACE%%Tr-D--deleteFcSs|dS)Nrr6)r<r6r6r7(sz4ip4tables._run_replace_zone_source..)keyz-Ir,z%dr`)r|r}) r-r0r;removerisortrC_allow_zone_driftingr?insert)rQrarOrczoneZ zone_sourcerule_addr-r6r6r7_run_replace_zone_source s>             z"ip4tables._run_replace_zone_sourcecCsy|j|}Wntk r$YnXd}d}d}|j||j|}t|tkr\ttdd} xLdD]D} y|j| } Wntk rYqfXt|| dkrf|| d} qfWxhdD]`} y|j| }Wntk rYqXt||dkr||d} | dkrd}| dkrd}qW| | f} |sp| |ksP||| ksP|| |dkrZttd|| |d8<n| |kri|| <||| krd|| |<d} xHt || j D]4}||kr|rP| || |7} ||krPqW|| |d7<d ||<|j |dd| dS)a Change something like -t filter -I public_IN %%RICH_RULE_PRIORITY%% 123 or -t filter -A public_IN %%RICH_RULE_PRIORITY%% 321 into -t filter -I public_IN 4 or -t filter -I public_IN TFr`z%priority must be followed by a numberr&-t--table-A--append-I--insert-D--deleterz*nonexistent or underflow of priority countr,z%dN)rr)rrrrrr)rr)rr) r-r;r0typer/r rr?rsortedkeysr)rQraZpriority_countstokenrcrrZinsert_add_indexpriorityrfrwjrgr-pr6r6r7_set_rule_replace_priority4sj             z$ip4tables._set_rule_replace_prioritycCsPt}i}tj|j}tj|j}tj|j}x|D]}|dd} |j| dddt|jg|j| dt |jgy| j d} Wnt k rYn8X|dkrq6|d$krd d d |g| | | d <n | j | |j | |d|j | |d|j| |d} xZd%D]R} y| j | } Wnt k r,Yn(Xt| | d kr| j | | j | } qWxhtt| D]X} xPtjD]F} | | | krt| | jdo| | jd rtd| | | | <qtWqhW|j| gj| q6WxR|D]J} || }|jd| x"|D]} |jdj| dqW|jdqW|jtj|j}tjd|j|j d|j|j!fg}|j"rz|j|j"|jdt#|j ||jd\}}tj$dkr t%|j}|dk r d } xH|D]@}tj&d| |fd dd |jdstj&d!d d"| d 7} qWtj'|j|dkr:t d#|j dj||f||_||_||_dS)&Nz %%REJECT%%REJECTz --reject-withz%%ICMP%%z %%LOGTYPE%%offunicast broadcast multicastz-mpkttypez --pkt-typer`z%%RICH_RULE_PRIORITY%%z%%POLICY_PRIORITY%%r&-t--table"z"%s"z*%s rZ zCOMMIT z %s: %s %sz%s: %dz-n)stdinr,z%8d: %sr)nofmtnlr)rz'%s %s' failed: %s)rrr)rr)(rcopydeepcopyrMrNrOrdDEFAULT_REJECT_TYPErDICMPr-r;r0rrr?rangestringZ whitespace startswithendswith setdefaultriwriter]closerTstatnamerr[r\rFst_sizerJrZgetDebugLogLevelrZdebug3unlink)rQrules log_denied temp_fileZ table_rulesrMrNrOZ_rulerarcrfrwcrr1r^r_linesliner6r6r7 set_ruless                    zip4tables.set_rulesc Cs|j|dddt|jg|j|dt|jgy|jd}Wntk rRYn:X|dkr`dS|dkrd d d |g|||d<n |j|tj|j }tj|j }tj|j }|j ||d|j ||d|j |||j|}||_ ||_ ||_ |S)Nz %%REJECT%%rz --reject-withz%%ICMP%%z %%LOGTYPE%%rrrrrz-mrz --pkt-typer`z%%RICH_RULE_PRIORITY%%z%%POLICY_PRIORITY%%)rrr)rdrrDrr-r;r0rrrMrNrOrr_ip4tables__run)rQrarrcrMrNrOoutputr6r6r7set_rules.      zip4tables.set_ruleNc Csg}|r|gntj}xx|D]p}||jkr6|j|qy,|jd|ddg|jj||j|Wqtk rtjd|j|fYqXqW|S)Nz-tz-Lz-nzA%s table '%s' does not exist (or not enough permission to check).) rerrLrirr;rZdebug1rD)rQrfr_Ztablesr6r6r7get_available_tabless    zip4tables.get_available_tablescCs`d}t|jdddg}|ddkr\d}t|jdddg}|ddkrHd}tjd|j|j||S)Nrz-wz-Lz-nrz-w10z%s: %s will be using %s option.)rrErr[r\)rQrHr_r6r6r7rGs  zip4tables._detect_wait_optioncCst}|jd|jd}xJd D]B}t|j|g|jd}|ddkr"d|dkr"d |dkr"|}Pq"Wtjd |j|j|t j |j|S) Nz#foor-w--wait=2)rrzinvalid optionr`zunrecognized optionz%s: %s will be using %s option.)rr) rrrrrFrrr[r\rTr)rQrrHZ test_optionr_r6r6r7rI$s    z%ip4tables._detect_restore_wait_optioncCsVi|_i|_g|_g}x:tjD].}|j|s0q xdD]}|jd||gq6Wq W|S)N-F-X-Zz-t)rrr)rMrNrOrerrri)rQrrfflagr6r6r7build_flush_rules7s  zip4tables.build_flush_rulescCsfg}|dkrdn|}xLtjD]@}|j|s.q|dkr8qx$t|D]}|jd|d||gqBWqW|S)NZPANICDROPr%z-tz-P)rerrri)rQpolicyr_policyrfrgr6r6r7build_set_policy_rulesFs z ip4tables.build_set_policy_rulescCsNt}|dks|jdkr&|jtj|dks8|jdkrF|jtjt|S)Nr'r()r>rDupdaterrrr@)rQrDZ supportedr6r6r7supported_icmp_typesRs zip4tables.supported_icmp_typescCsgS)Nr6)rQr6r6r7build_default_tables\szip4tables.build_default_tablesrc Csi}|jdrpg|d<t|jd<xLtdD]@}|djd||djd||f|jdjd|q,W|jdr\g|d<t|jd<xtdD]}|djd||djd||f|jdjd||dkrxt|jjrddd d gndd d gD]R}|djd ||f|djd |||f|jdjtd ||fgqWqW|jdrNg|d<t|jd<xtdD]}|djd||djd||f|jdjd||dkrxv|jjrddd d gndd d gD]R}|djd ||f|djd |||f|jdjtd ||fgqWqW|jdr@g|d<t|jd<xtdD]}|djd||djd||f|jdjd||d9krxxv|jjrddd d gndd d gD]R}|djd ||f|djd |||f|jdjtd ||fgqWqxWg|d<t|jd<|djd|djd|djd|djd|jdjtdxf|jjrddd d gndd d gD]B}|djd||djd||jdjtd|qW|dkr |djd|djd|dkrF|djd|djd|djd|djd |djd!|djd"|jdjtd#xJd:D]B}|djd$||djd%||jdjtd&|qWxzd;D]r}xj|jjr dd gnd gD]N}|djd)||f|djd*||f|jdjtd+||fqWqWxJdD]B}|djd5||djd6||jdjtd7|q~Wg}xJ|D]B}||jkrqx(||D]}|jd8|gt |qWqW|S)?Nr"z -N %s_directz-A %s -j %s_directz %s_directr#r POLICIES_preZ ZONES_SOURCEZZONES POLICIES_postz-N %s_%sz-A %s -j %s_%sz%s_%sr$r%r!r&zB-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPTz-A INPUT -i lo -j ACCEPTz-N INPUT_directz-A INPUT -j INPUT_directZ INPUT_directz -N INPUT_%sz-A INPUT -j INPUT_%szINPUT_%srz^-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 'z/-A INPUT -m conntrack --ctstate INVALID -j DROPz9-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 'z-A INPUT -j %%REJECT%%zD-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPTz-A FORWARD -i lo -j ACCEPTz-N FORWARD_directz-A FORWARD -j FORWARD_directZFORWARD_directz -N FORWARD_%sz-A FORWARD -j FORWARD_%sz FORWARD_%sINOUTz-N FORWARD_%s_%sz-A FORWARD -j FORWARD_%s_%sz FORWARD_%s_%sz`-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 'z1-A FORWARD -m conntrack --ctstate INVALID -j DROPz;-A FORWARD %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 'z-A FORWARD -j %%REJECT%%z-N OUTPUT_directz>-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPTz-A OUTPUT -o lo -j ACCEPTz-A OUTPUT -j OUTPUT_directZ OUTPUT_directz -N OUTPUT_%sz-A OUTPUT -j OUTPUT_%sz OUTPUT_%sz-t)r r!)r)rr)r)r)r) rr>rPrerirjrCrrr) rQrZ default_rulesrgZdispatch_suffix directionZfinal_default_rulesrfrar6r6r7build_default_rules`s    $(   &*   &* &    (       "zip4tables.build_default_rulescCsf|dkrdddhS|dkr,d|jkr,dhS|dkrHd|jkrHddhS|d krbd |jkrbdhSiS) Nr&r FORWARD_IN FORWARD_OUTr$r r%r!r#)r)rQrfr6r6r7get_zone_table_chainss    zip4tables.get_zone_table_chainsc s|jjj|jdkrdnddkr4dkr4dnd} |jjj|t| g} g} x|D]} | jd| gqZWx|D]} | jd | gqvWxB|D]:} |jjj| }|dkr|j | rq| j|j d | qWx\|D]T} |jjj| }|dkr|j | rqt | rdkrq| j|j d| qWfdd}g}| rx| D]F}| rx8| D]}|j|||qdWn|rn|j||dqTWnH|rn@| rx8| D]}|j|d|qWn|rn|j|dd|S)Nrprepostr%r!TFz-iz-or'r(z-srrz-dcsVddd}d|dfdjg}|r6|j||rD|j||jdg|S)Nz-Az-D)TFz-tz%s_POLICIES_%sz%%POLICY_PRIORITY%%z-j)rextend)ingress_fragmentegress_fragmentadd_delra)rrg chain_suffixenablep_objrfr6r7_generate_policy_dispatch_rules   zSip4tables.build_policy_ingress_egress_rules.._generate_policy_dispatch_rule)r'r()r'r()r!rr) rCrZ get_policyrpolicy_base_chain_namePOLICY_CHAIN_PREFIXrirZ check_sourceis_ipv_supported_rule_addr_fragmentr)rQrrrfrgZingress_interfacesZegress_interfacesZingress_sourcesZegress_sourcesisSNATZingress_fragmentsZegress_fragments interfaceaddrrDrrrrr6)rrgrrrrfr7!build_policy_ingress_egress_rulessR        z+ip4tables.build_policy_ingress_egress_rulesFc Cs|dkr|dkrdnd}|jjj||t|d} ddddddd|} d } |rb| rbd d |d g} n,|rtd d |g} ndd |g} |s| d g7} | d|| || | g7} | gS)Nr%r!TF)rz-iz-o)r r!rrrrz-gz-Iz%s_ZONESz%%ZONE_INTERFACE%%z-Az-Dz-t)rCrrr) rQrrrrrfrgrirrrwactionrar6r6r7!build_zone_source_interface_rules6s&   z+ip4tables.build_zone_source_interface_rulescCs|jdrP|dd}|dkr$d}nd}dj|g|jjj|}ddd ||gSt|rz|dkrjttd dd d |jgSt d |rt |}n,t d |r|j d}t |dd|d}||gSdS)Nzipset:z-ddstsrc,z-mr>z --match-setzCan't match a destination MAC.macz --mac-sourcer(/rr`) rr]rCipsetZ get_dimensionrr rupperr r r split)rQrwaddressinvertrflags addr_splitr6r6r7rPs"       zip4tables._rule_addr_fragmentc Csddd|}|dkr"|dkr"dnd}|jjj||t|d} d d d d d d d |} |jjrdd |} nd |} t|r|dkrgS|| d|d|g} | j|j| || jd| g| gS)Nz-Iz-D)TFr%r!TF)rz-sz-d)r r!rrrrz%s_ZONES_SOURCEz%s_ZONESrrz%%ZONE_SOURCE%%z-tz-g)r!rr)rCrrrrrrr) rQrrrrrfrgrrrrwZzone_dispatch_chainrar6r6r7build_zone_source_address_rulesfs& z)ip4tables.build_zone_source_address_rulesc Cs>ddd|}ddd|}|dkr0|dkr0dnd }|jjj||t|d }|j|jt|d |d |d |d|d|gg} | j||d|g| j|d |d|g| j|d |d|g| j|d |d|g| j|d|d|g| j|d|d|g| j||d|dd |g| j||d|dd |g| j||d|dd |g| j||d|dd|g| j||d|dd|g|jjj|j } |jj dkr|dkr| dkr| j||d|ddddd|g | dkr| j||d|ddddd|g |dkr,| dkr,| j||d|d| g|s:| j | S)Nz-Nz-X)TFz-Az-Dr%r!TF)rz%s_logz%s_denyz%s_prez%s_postz%s_allowz-tz-jrr&r %%REJECT%%z %%LOGTYPE%%LOGz --log-prefixz "%s_REJECT: "rz "%s_DROP: "ACCEPT)rr)rrrr) rCrrrrPrr>riZ _policiestargetget_log_deniedreverse) rQrrrfrgZ add_del_chainZ add_del_rulerrrrr6r6r7build_policy_chain_rulessN       z"ip4tables.build_policy_chain_rulescCs2|sgSddd|jg}|jdk r.|d|jg7}|S)Nz-mlimitz--limitz --limit-burst)valueZburst)rQrsr6r6r7 _rule_limits  zip4tables._rule_limitcCst|jtttgkrn<|jrHt|jtttt gkrRt t dt|jn t t d|j dkrt|jttgkst|jtt gkrdSt|jtgkst|jttgkrdSn|j dkrdSdSdS)NzUnknown action %szNo rule action specified.rallowZdenyrr) relementrrrrrrrrr rr)rQ rich_ruler6r6r7_rich_rule_chain_suffixs    z!ip4tables._rich_rule_chain_suffixcCs>|j r|j rttd|jdkr(dS|jdkr6dSdSdS)NzNot log or auditrrrr)rauditr rr)rQrr6r6r7 _rich_rule_chain_suffix_from_logs   z*ip4tables._rich_rule_chain_suffix_from_logcCs|jdkrgSd|jgS)Nrz%%RICH_RULE_PRIORITY%%)r)rQrr6r6r7_rich_rule_priority_fragments z&ip4tables._rich_rule_priority_fragmentc Cs|js gS|jjj||t}ddd|}|j|}d||d||fg} | |j|7} | |ddg7} |jjr| dd |jjg7} |jjr| d d |jjg7} | |j |jj 7} | S) Nz-Az-D)TFz-tz%s_%sz-jrz --log-prefixz'%s'z --log-levelz%s) rrCrrrrr prefixlevelrr) rQrrrrf rule_fragmentrrrrar6r6r7_rich_rule_logs zip4tables._rich_rule_logc Cs|js gSddd|}|jjj||t}|j|}d||d||fg} | |j|7} | |7} t|jt krrd} n,t|jt krd} nt|jt krd} nd } | d d d | g7} | |j |jj 7} | S) Nz-Az-D)TFz-tz%s_%sZacceptZrejectZdropunknownz-jZAUDITz--type)rrCrrrrr rrrrrrr) rQrrrrfr rrrra_typer6r6r7_rich_rule_audits$ zip4tables._rich_rule_auditc Cs2|js gSddd|}|jjj||t}|j|}d||f} t|jtkrXddg} nt|jtkrddg} |jjr| d|jjg7} nnt|jt krdd g} nVt|jt krd }|jjj||t}d||f} dd d |jj g} nt t d t|jd||| g} | |j|7} | || 7} | |j|jj7} | S)Nz-Az-D)TFz%s_%sz-jrrz --reject-withrr$MARKz --set-xmarkzUnknown action %sz-t)rrCrrrrrrrrrr>r rr rr) rQrrrrfr rrrrgZ rule_actionrar6r6r7_rich_rule_actions4       zip4tables._rich_rule_actioncCs|sgSg}|jr|jr"|jdtd|jrB|dt|jg7}qtd|jr||jjd}|dt|dd|dg7}q|d|jg7}nD|jr|ddg7}|jr|jd|jj j |jd }|d |j|g7}|S) N!r(z-drrr`z-mr>rz --match-set) rrrir r r rrrCr_ipset_match_flags)rQZ rich_destr rrr6r6r7_rich_rule_destination_fragment1s&    "  z)ip4tables._rich_rule_destination_fragmentcCs|sgSg}|jr|jr"|jdtd|jrB|dt|jg7}nHtd|jr||jjd}|dt|dd|dg7}n|d|jg7}nt|dr|jr|ddg7}|jr|jd|d |jg7}nPt|d o|j r|dd g7}|jr|jd|j j j |j d }|d |j |g7}|S)Nrr(z-srrr`rz-mz --mac-sourcerr>rz --match-set) rrrir r r rhasattrrrrCrr)rQZ rich_sourcer rrr6r6r7_rich_rule_source_fragmentIs0    "    z$ip4tables._rich_rule_source_fragmentc Csddd|}d}|jjj||t} d|g} |rD| ddt|g7} |rT| d|g7} |rx| |j|j7} | |j|j7} | st |j t kr| d d d d g7} g} |r| j |j ||||| | j |j||||| | j |j||||| n"| j |d | d|g| ddg| S)Nz-Az-D)TFr&z-pz--dportz%sz-dz-m conntrackz --ctstatez NEW,UNTRACKEDz%s_allowz-tz-jr)rCrrrrr destinationrsourcerrrrir rr) rQrrprotoportrrrrfrr rr6r6r7build_policy_ports_rulesfs* z"ip4tables.build_policy_ports_rulesc Csddd|}d}|jjj||t}d|g} |r<| d|g7} |r`| |j|j7} | |j|j7} | stt|j t kr| ddd d g7} g} |r| j |j ||||| | j |j ||||| | j |j||||| n"| j |d |d |g| d dg| S)Nz-Az-D)TFr&z-pz-dz-mrz --ctstatez NEW,UNTRACKEDz%s_allowz-tz-jr)rCrrrrrrrrrrrir rr) rQrrprotocolrrrrfrr rr6r6r7build_policy_protocol_ruless& z%ip4tables.build_policy_protocol_rulesc Csddd|}d}|jjj||t} d|g} |rD| ddt|g7} |rT| d|g7} |rx| |j|j7} | |j|j7} | st |j t kr| d d d d g7} g} |r| j |j ||||| | j |j||||| | j |j||||| n"| j |d | d|g| ddg| S)Nz-Az-D)TFr&z-pz--sportz%sz-dz-mrz --ctstatez NEW,UNTRACKEDz%s_allowz-tz-jr)rCrrrrrrrrrrrrir rr) rQrrrrrrrrfrr rr6r6r7build_policy_source_ports_ruless* z)ip4tables.build_policy_source_ports_rulesc Csvd}|jjj||t} ddd|} | d| ddd|g} |rP| dd t|g7} |r`| d |g7} | d d d |g7} | gS)Nr#z-Az-D)TFz%s_allowz-tz-pz--dportz%sz-dz-jZCTz--helper)rCrrrr) rQrrrrrZ helper_nameZmodule_short_namerfrrrar6r6r7build_policy_helper_ports_ruless z)ip4tables.build_policy_helper_ports_rulesc Csddd|}|jjj||t}g} |rH| jdd|d|d|dd gn6t|rTgS| jdd|d|g|jd |dd g| S) Nz-Az-D)TFz-tr&z%s_allowz-oz-jrz-d)rCrrrrirr) rQrrrrfrrrrrr6r6r7build_zone_forward_ruless z"ip4tables.build_zone_forward_rulesc Cs,d}|jjj||tdd}ddd|}g}|rj|j|}||j|7}||j|j7}||j|j 7}nd}g} | j dd|d ||fg|d d d d dgg}|r|j|}||j|7}||j|j7}||j|j 7}nd}d}|jjj||t}| j dd|d ||fg|ddddd dg| S)Nr%T)rz-Az-D)TFrz-tz%s_%srz-oloz-jZ MASQUERADEr&z-mrz --ctstatez NEW,UNTRACKEDr) rCrrrrr rrrrri) rQrrrrfrrr rrr6r6r7build_policy_masquerade_ruless6  z'ip4tables.build_policy_masquerade_rulesc Cs d}|jjj||t} ddd|} d} |rPtd|rH| dt|7} n| |7} |rn|dkrn| dt|d 7} g} |r|j|} |j|} | |j |j 7} | |j |j 7} nd } g}|r|j |j|||d| |j d d| d | | fg| d |dt|ddd| g|S)Nr%z-Az-D)TFrr(z[%s]z:%s-rz-tz%s_%sz-pz--dportz-jZDNATz--to-destination)rCrrrr r rrr rrrrrir )rQrrrrZtoportZtoaddrrrfrrZtor rrr6r6r7build_policy_forward_port_ruless2     z)ip4tables.build_policy_forward_port_rulescCs|jdkrL|tkrLt|\}}}|r,t|nt|dt|}ddd|gS|jdkr|tkrt|\}}}|rxt|nt|dt|}ddd|gSttd |d |jdS) Nr'rz-mr)z --icmp-typer(Zicmp6z --icmpv6-typez ICMP type z not supported by )rDrrlrr rr)rQZ icmp_typer_codeZ _omit_codeZ _type_strr6r6r7_icmp_types_fragments    zip4tables._icmp_types_fragmentcCsd}|jjj||t}ddd|}|jdkrDddg}|j|j} nddg}|j|j} g} |jjj|rxd |} d } n d |} d } g} |r| |j|j 7} | |j |j 7} | || 7} |rL| j |j ||||| | j |j||||| |jr| j |j||||| n:|j|}| j d ||d||fg|j|| dd gn`|jjdkr| d kr| j || d |g| ddddd|g| j || d |g| d| g| S)Nr&z-Az-D)TFr'z-pr)z ipv6-icmpz%s_allowrz%s_denyz %%REJECT%%z-tz%s_%sz-jrz %%LOGTYPE%%rz --log-prefixz"%s_ICMP_BLOCK: ")rCrrrrDr(rquery_icmp_block_inversionrrrrrir rrrrr r)rQrrZictrrfrrrmatchrZ final_chainZ final_targetr rr6r6r7build_policy_icmp_block_rules,sJ      z'ip4tables.build_policy_icmp_block_rulesc Csd}|jjj||t}g}d}|jjj|rd}|jjdkr|rRd|t|g}nd|g}|d|dd d d d d d|g }|j||d7}nd}|rd|t|g}nd|g}|d|dd d |g}|j||S)Nr&rz %%REJECT%%rz-Iz-Dz-tz-pz%%ICMP%%z %%LOGTYPE%%z-jrz --log-prefixz"%s_ICMP_BLOCK: "r`r)rCrrrr)rrlri) rQrrrfrrZrule_idxZ ibi_targetrar6r6r7'build_policy_icmp_block_inversion_rules]s.     z1ip4tables.build_policy_icmp_block_inversion_rulescCsxd}g}||j|j7}||j|j7}g}|j|j||||||j|j||||||j|j||||||S)Nr&)rrrrrir rr)rQrrrrfr rr6r6r7*build_policy_rich_source_destination_rulessz4ip4tables.build_policy_rich_source_destination_rulescCs ||jkS)N)rD)rQrDr6r6r7rszip4tables.is_ipv_supported)N)N)r)F)F)NN)NN)NN)NN)N)N)N)8__name__ __module__ __qualname__rDrZpolicies_supportedrSrKrrdrhrkrmrnrorprxrrrrrrGrIrrrrrrrrrrrrrrr r rrrrrrr r!r"r$r&r(r+r,r-rr6r6r6r7rBsj     )Pa#    zN  0 "     & ! 1"rBc@s&eZdZdZdZdddZddZdS) ip6tablesr(Fc Csg}|jddddddddd d g |d krL|jddddddddd d d dg |jdddddddd dg |jdddddddd dg |S)Nz-Ir z-tr$z-mZrpfilterz--invertz --validmarkz-jrrrz --log-prefixzrpfilter_DROP: z-pz ipv6-icmpz$--icmpv6-type=neighbour-solicitationrz"--icmpv6-type=router-advertisement)ri)rQrrr6r6r7build_rpfilter_ruless$        zip6tables.build_rpfilter_rulesc Csddddddddd g }d }|jd j|g}|jd d d |gxT|D]L}|jd d d|d|ddddg |jjdkrF|jd d d|d|ddddg qFW|jd d dddd|g|jd d dddd|g|S)Nz ::0.0.0.0/96z::ffff:0.0.0.0/96z2002:0000::/24z2002:0a00::/24z2002:7f00::/24z2002:ac10::/28z2002:c0a8::/32z2002:a9fe::/32z2002:e000::/19Z RFC3964_IPv4r&z-tz-Nz-Iz-dz-jrz --reject-withz addr-unreachrallrz --log-prefixz"RFC3964_IPv4_REJECT: "r4r)rr3)rPrjrirCZ _log_denied)rQZ daddr_listZ chain_namerZdaddrr6r6r7build_rfc3964_ipv4_ruless4       z"ip6tables.build_rfc3964_ipv4_rulesN)F)r.r/r0rDrr2r5r6r6r6r7r1s r1)/Zos.pathrTrZfirewall.core.progrZfirewall.core.loggerrZfirewall.functionsrrrrrr r r Zfirewallr Zfirewall.errorsr rrrrrZfirewall.core.richrrrrrrrZfirewall.core.icmprrrrrerrr8r=rAobjectrBr1r6r6r6r7sB  (  $ %* o