3 Y�jq2�@s�dZdddgZddlZddlZddlmZddlmZddl m Z dd lmZdd l mZmZddlmZdZd ddddddddddgZddddd�Zdddd�ZGd d�de�Zd!d�Zd"d�Zd#d$�Zd%d&�Zd'd(�ZdS))zThe ipset command wrapper�ipset�check_ipset_name�remove_default_create_options�N)�errors)� FirewallError)�runProg)�log)�tempFile�readfile)�COMMANDS� zhash:ipzhash:ip,portzhash:ip,port,ipzhash:ip,port,netzhash:ip,markzhash:netzhash:net,netz hash:net,portzhash:net,port,netzhash:net,ifacezhash:macz inet|inet6�valuez value in secs)�family�hashsize�maxelem�timeoutZinetZ1024Z65536)rrrc@s�eZdZdZdd�Zdd�Zdd�Zdd �Zd d�Zd'd d�Z dd�Z dd�Zdd�Zd(dd�Z d)dd�Zdd�Zd*dd�Zd+dd�Zdd �Zd!d"�Zd#d$�Zd%d&�ZdS),rzipset command wrapper classcCstd|_d|_dS)Nr)r�_command�name)�self�r�/usr/lib/python3.6/ipset.py�__init__Ks zipset.__init__cCs^dd�|D�}tjd|j|jdj|��t|j|�\}}|dkrZtd|jdj|�|f��|S)zCall ipset with argscSsg|]}d|�qS)z%sr)�.0�itemrrr� Rszipset.__run..z %s: %s %s� rz'%s %s' failed: %s)r�debug2� __class__r�joinr� ValueError)r�argsZ_args�status�retrrrZ__runOszipset.__runcCs t|�tkrttjd|��dS)zCheck ipset namezipset name '%s' is not validN)�len�IPSET_MAXNAMELENrrZINVALID_NAME)rrrrr� check_nameZszipset.check_namecCs�g}d}y|jdg�}Wn0tk rH}ztjd|�WYdd}~XnX|j�}d}xT|D]L}|r�|j�jdd�}|d|kr�|dtkr�|j|d�|j d�r\d }q\W|S) z?Return types that are supported by the ipset command and kernel�z--helpzipset error: %sNF�rzSupported set types:T) �_ipset__runrrZdebug1� splitlines�strip�split�IPSET_TYPES�append� startswith)rr"�outputZex�linesZin_types�line�splitsrrr�set_supported_types`s zipset.set_supported_typescCs(t|�tks|tkr$ttjd|��dS)zCheck ipset typez!ipset type name '%s' is not validN)r#r$r,rrZINVALID_TYPE)r� type_namerrr� check_typeuszipset.check_typeNcCsd|j|�|j|�d||g}t|t�rZx0|j�D]$\}}|j|�|dkr2|j|�q2W|j|�S)z+Create an ipset with name, type and options�creater&)r%r5� isinstance�dict�itemsr-r()r�set_namer4�optionsr �key�valrrr� set_create{s zipset.set_createcCs|j|�|jd|g�S)NZdestroy)r%r()rr:rrr�set_destroy�s zipset.set_destroycCsd||g}|j|�S)N�add)r()rr:�entryr rrr�set_add�s z ipset.set_addcCsd||g}|j|�S)N�del)r()rr:rAr rrr� set_delete�s zipset.set_deletecCs,d||g}|r"|jddj|��|j|�S)N�testz%sr)r-rr()rr:rAr;r rrrrE�s z ipset.testcCs2dg}|r|j|�|r"|j|�|j|�jd�S)N�list� )r-�extendr(r+)rr:r;r rrr�set_list�s zipset.set_listcCs<|jdgd�}i}d}}i}�x|D�]}t|�dkr:q&dd�|jdd�D�}t|�dkr`q&q&|d d krv|d}q&|d dkr�|d}q&|d dkr&|dj�}d } x^| t|�k�r|| } | dk�r�t|�| kr�| d7} || || <ntjd|�iS| d7} q�W|�r$|�r$|t|�f||<d}}|j�q&W|S)z" Get active ipsets (only headers) z-terse)r;N�cSsg|]}|j��qSr)r*)r�xrrrr�sz.ipset.set_get_active_terse..�:r'r�NameZTypeZHeaderrrrr�netmaskz&Malformed ipset list -terse output: %s)rrrrrN)rIr#r+r�errorr�clear)rr0r"�_nameZ_type�_optionsr1Zpairr2�i�optrrr�set_get_active_terse�sD zipset.set_get_active_tersecCsdg}|r|j|�|j|�S)N�save)r-r()rr:r rrrrV�s z ipset.savecCs�|j|�|j|�t�}d|kr*d|}d||dg}|rlx0|j�D]$\}} |j|�| dkrD|j| �qDW|jddj|��|jd|�xN|D]F} d| kr�d| } |r�|jd|| dj|�f�q�|jd || f�q�W|j�tj |j �}tjd |j |jd|j |jf�dg}t|j||j d �\}} tj�dk�r�yt|j �Wntk �r`YnVXd}xNt|j �D]@}tjd||fddd�|jd��s�tjddd�|d7}�qrWtj|j �|dk�r�td|jdj|�| f��| S)Nrz'%s'r6z-existr&z%s z flush %s z add %s %s %s z add %s %s z%s: %s restore %sz%s: %dZrestore)�stdinr'rJz%8d: %sr)�nofmt�nlrG)rXz'%s %s' failed: %s)r%r5r r9r-�writer�close�os�statrrrrr�st_sizerZgetDebugLogLevelr � ExceptionZdebug3�endswith�unlinkr)rr:r4�entriesZcreate_optionsZ entry_optionsZ temp_filer r<r=rAr]r!r"rSr1rrr�set_restore�sV zipset.set_restorecCsdg}|r|j|�|j|�S)N�flush)r-r()rr:r rrr� set_flushs zipset.set_flushcCs|jd||g�S)N�rename)r()rZold_set_nameZnew_set_namerrrrf szipset.renamecCs|jd||g�S)N�swap)r()rZ set_name_1Z set_name_2rrrrgsz ipset.swapcCs|jdg�S)N�version)r()rrrrrhsz ipset.version)N)N)NN)N)NN)�__name__� __module__�__qualname__�__doc__rr(r%r3r5r>r?rBrDrErIrUrVrcrerfrgrhrrrrrHs& ' 7cCst|�tkrdSdS)z"Return true if ipset name is validFT)r#r$)rrrrrscCs8|j�}x*tD]"}||krt|||kr||=qW|S)z( Return only non default create options )�copy�IPSET_DEFAULT_CREATE_OPTIONS)r;rRrTrrrrs c Cshg}xX|jd�D]J}y&|jd�|jttj|dd��Wqtk rX|j|�YqXqWdj|�S)z! Normalize IP addresses in entry �,�/F)�strict)r+�indexr-�str� ipaddress� ip_networkrr)rAZ_entryZ_partrrr�normalize_ipset_entry&s rvcCsxt|jd��dkrdSytj|dd�}Wntk r<dSXx4|D],}|jtj|dd��rDttjdj ||��qDWdS)z: Check if entry overlaps any entry in the list of entries rorJNF)rqz,Entry '{}' overlaps with existing entry '{}') r#r+rtrur�overlapsrr� INVALID_ENTRY�format)rArbZ entry_networkZitrrrr�check_entry_overlaps_existing2s rzcCs~ydd�|D�}Wntk r&dSXt|�dkr8dS|j�|jd�}x.|D]&}|j|�rrttjdj||��|}qPWdS)z> Check if any entry overlaps any entry in the list of entries cSsg|]}tj|dd��qS)F)rq)rtru)rrKrrrrEsz1check_for_overlapping_entries..NrzEntry '{}' overlaps entry '{}') rr#�sort�poprwrrrxry)rbZprev_networkZcurrent_networkrrr�check_for_overlapping_entriesBs2 r})rl�__all__Zos.pathr\rtZfirewallrZfirewall.errorsrZfirewall.core.progrZfirewall.core.loggerrZfirewall.functionsr r Zfirewall.configrr$r,ZIPSET_CREATE_OPTIONSrn�objectrrrrvrzr}rrrr�sF P