3 YjBu @s6ddlmZddlZddlZddlZddlmZddlmZm Z m Z m Z m Z ddl mZmZmZmZmZmZmZddlmZmZmZmZmZmZmZddlmZmZddl m!Z!d Z"e"d d Z#d Z$d Z%iddde%fidde%fdde%fddde%fdde%fdde%fdde%fddZ&Gddde'Z(dS))absolute_importN)log) check_mac getPortRange normalizeIP6check_single_address check_address) FirewallError UNKNOWN_ERROR INVALID_RULEINVALID_ICMPTYPE INVALID_TYPE INVALID_ENTRY INVALID_PORT) Rich_Accept Rich_Reject Rich_Drop Rich_MarkRich_MasqueradeRich_ForwardPortRich_IcmpBlock) ICMP_TYPES ICMPV6_TYPES)NftablesZ firewalld_Z policy_dropZpolicy_ PREROUTING preroutingdZ postrouting)r POSTROUTINGinputforwardoutput)rINPUTFORWARDOUTPUT)rawmanglenatfilterc@sjeZdZdZdZddZddZddZdd Zd d Z d d Z ddZ dddZ ddZ ddZddZddZdddZddZdd d!Zd"d#Zdd%d&Zdd(d)Zdd*d+Zdd,d-Zd.d/Zd0d1Zd2d3Zd4d5Zd6d7Zd8d9Zd:d;Zdd?Z!d@dAZ"dBdCZ#dDdEZ$dFdGZ%dHdIZ&ddJdKZ'dLdMZ(dNdOZ)dPdQZ*dRdSZ+ddTdUZ,ddVdWZ-ddXdYZ.dZd[Z/dd\d]Z0dd^d_Z1dd`daZ2ddbdcZ3ddddeZ4ddfdgZ5dhdiZ6ddjdkZ7dldmZ8ddndoZ9dpdqZ:drdsZ;dtduZddzd{Z?d|d}Z@dd~dZAddZBddZCddZDddZEddZFddZGddZHdddZIdS)nftablesTcCsb||_d|_g|_i|_i|_i|_i|_i|_gggd|_t |_ |j j d|j j ddS)NT)inetipip6) _fwZrestore_command_existsZavailable_tablesrule_to_handlerule_ref_countrich_rule_priority_countspolicy_priority_countszone_source_index_cachecreated_tablesrr+Zset_echo_outputZset_handle_output)selffwr8/usr/lib/python3.6/nftables.py__init__Xs znftables.__init__cCsxdD]}||krPqWd||dkr`||ddd||dddf}||dd=n(d||dkrd}||dd=ndS||dd }|r|dkr||kr|||kr||j|n|dkr||krg||<|r(|||kr||j|||jd d d ||j|}n|jjr8d }n t||}||}||=|d krf||d<n |d8}||d<||ddd<dS)Naddinsertdeletez%%ZONE_SOURCE%%rulezoneaddressz%%ZONE_INTERFACE%%familycSs|dS)Nrr8)xr8r8r9sz3nftables._run_replace_zone_source..)keyrindex)r;r<r=)removeappendsortrFr/_allow_zone_driftinglen)r6r>r4verbZ zone_sourcerArF _verb_snippetr8r8r9_run_replace_zone_sourcegsD        z!nftables._run_replace_zone_sourcecCsBd|krdtj|diSd|kr4dtj|diSttddS)Nr<r=r;zFailed to reverse rule)copydeepcopyr r )r6dictr8r8r9 reverse_rules znftables.reverse_rulec Csxd D]}||krPqW|||dkr||d|}||d|=t|tkr^ttd||dd||ddf}|dkr||ks|||ks|||dkrttd |||d 8<n||kri||<|||krd|||<d}xVt||jD]B}||kr"|dkr"P||||7}||kr|dkrPqW|||d 7<||} ||=|dkr| |d<n |d 8}| |d<||ddd <dS) Nr;r<r=r>z%priority must be followed by a numberrAchainrz*nonexistent or underflow of priority countrErF)r;r<r=)typeintr r r sortedkeys) r6r>Zpriority_countstokenrLpriorityrSrFprMr8r8r9_set_rule_replace_prioritysD          z#nftables._set_rule_replace_prioritycCsfx`d D]X}||krd||krtj||d}xd D]}||kr6||=q6Wtj|dd }|SqWdS) Nr;r<r=r>rFhandlepositionT)Z sort_keys)r;r<r=)rFr\r])rOrPjsondumps)r6r>rLrule_keyZnon_keyr8r8r9 _get_rule_keys   znftables._get_rule_keycCsLdddddg}dddg}g}g}tj|j}tj|j}tj|j} |jj} x|D]} t| tkrvtt d| x|D]} | | kr|Pq|W| | krtt d| |j | } | | krDt j d|j| | | | dkr| | d 7<qVnX| | d kr | | d 8<qVn6| | d kr,| | d 8<ntt d | | | fn| r\| dkr\d | | <|j| tj| }| rttd|| d d || d d <|j||d |j||d|j|| | dkrdd |dd d|dd d|dd d|j| dii}|j|qVWdddd iig|i}t jdkrVt jd|jtj||jj|\}}}|dkrtdd|tj|f||_||_| |_| |_d}x|D]} |d 7}|j | } | s̐qd| kr|j| =|j| =qx"|D]} | |d|krPqW| |d|kr$q|d|| d d|j| <qWdS)Nr;r<r=flushreplacez#rule must be a dictionary, rule: %szno valid verb found, rule: %sz%s: prev rule ref cnt %d, %srEz)rule ref count bug: rule_key '%s', cnt %dr>exprz%%RICH_RULE_PRIORITY%%z%%POLICY_PRIORITY%%rAtablerS)rArerSr\r+ZmetainfoZjson_schema_versionz.%s: calling python-nftables with JSON blob: %srz'%s' failed: %s JSON blob: %szpython-nftablesr\)rOrPr2r3r4r1rTrQr r r rarZdebug2 __class__rHlistr*r[rNr0ZgetDebugLogLevelZdebug3r^r_r+Zjson_cmd ValueError)r6rules log_deniedZ _valid_verbsZ_valid_add_verbsZ_deduplicated_rulesZ_executed_rulesr2r3r4r1r>rLr`Z_ruleZ json_blobZrcr#errorrFr8r8r9 set_ruless             &         znftables.set_rulescCs|j|g|dS)N)rm)r6r>rkr8r8r9set_rule:sznftables.set_ruleNcCs|r |gStjS)N)IPTABLES_TO_NFT_HOOKrW)r6rer8r8r9get_available_tables>sznftables.get_available_tablescCsFg}x policy_keyrAr8r8r9build_flush_rulesPs    znftables.build_flush_rulesc Cslddd|}g}xTdD]L}|j|ddtd d |fd d d diiddddgididdigdiiqW|S)Nr;r=)TFr!r"r#r>r,z%s_%sr*matchctrDstateinset establishedrelated)leftoprightaccept)rArerSrd)r!r"r#)rHTABLE_NAME_POLICY)r6enableadd_delrjhookr8r8r9rtgs    z)nftables._build_set_policy_rules_ct_rulesc Cstg}|dkrt|jdddtdii|jdjtx>dD]6}|jdddtd d |fd |dtd ddiiq:W|dkr|jdddtdii|jdjtx>dD]6}|jdddtd d |fd |dtd ddiiqW||jd7}nz|dkrfx4|jdD]&}|j|}||jkr |j|q W||jt7}t|jdkrp|jdjtn t t d|S)NZPANICr;rer,)rArrrr#rSz%s_%sr'r*i,rEdrop)rArerrrTrpriopolicyDROPr!r"rTACCEPTFznot implemented)rr#i)r!r"r#) rHrr5NFT_HOOK_OFFSETrtrar0rsrGr r )r6rrjrr>rvr8r8r9build_set_policy_rulestsH               znftables.build_set_policy_rulescCsJt}|dks|dkr$|jtj|dks4|dkrB|jtjt|S)Nipv4ipv6)r|updaterrWrrh)r6ipvZ supportedr8r8r9supported_icmp_typess znftables.supported_icmp_typescCs>g}x4dD],}|jdd|tdii|j|jtq W|S)Nr,r-r.r;re)rArr)r,r-r.)rHrur5)r6Zdefault_tablesrAr8r8r9build_default_tabless   znftables.build_default_tablesoffcCsg}xtdjD]}|jdddtd|ddtd|dtd|d d iixz|jjrld d d dgnd d dgD]X}|jdddtd||fdii|jdddtd|ddd||fiigdiiqvWqWxd?D]}xtdjD]}|jdd|td|ddtd|dtd|d d iix~|jjrJd d d dgnd d dgD]Z}|jdd|td||fdii|jdd|td|ddd||fiigdiiqTWqWqWxVtdjD]F}|jdddtd|ddtd|dtd|d d iiqW|jdddtddddddiid d!d"d#gid$id%digdii|jdddtdddddd&iid d'd$id%digdii|jdddtdddd(dd)iid*d+d$id%digdiix~|jjrd d d dgnd d dgD]Z}|jdddtd,d|fdii|jdddtddddd,d|fiigdiiqW|d-kr|jdddtddddddiid d!d.gid$i|j|d/d0d1iigdii|jdddtddddddiid d!d.gid$id2digdii|d-kr$|jdddtdd|j|d/d0d3iigdii|jdddtddd4d5d6d7igdii|jdddtdd8ddddiid d!d"d#gid$id%digdii|jdddtdd8dddd&iid d'd$id%digdii|jdddtdd8dd(dd)iid*d+d$id%digdiixbd@D]Z}|jdddtd,d8|fdii|jdddtdd8ddd,d8|fiigdiiqWxdAD]}xz|jjrd d gnd gD]^}|jdddtd;d8||fdii|jdddtdd8ddd;d8||fiigdiiqWqvWxbdBD]Z}|jdddtd,d8|fdii|jdddtdd8ddd,d8|fiigdiiqW|d-kr|jdddtdd8ddddiid d!d.gid$i|j|d/d0d1iigdii|jdddtdd8ddddiid d!d.gid$id2digdii|d-kr6|jdddtdd8|j|d/d0d3iigdii|jdddtdd8d4d5d6d7igdii|jdddtdd<ddddiid d!d"d#gid$id%digdii|jdddtd=dd(dd>iid*d+d$id%digdiixbdCD]Z}|jdddtd,d<|fdii|jdddtdd<ddd,d<|fiigdiiqWxbdDD]Z}|jdddtd,d<|fdii|jdddtdd<ddd,d<|fiigdiiqHW|S)ENr(r;rSr,z mangle_%sr*z%srrE)rArerrrTrr POLICIES_preZ ZONES_SOURCEZZONES POLICIES_postz mangle_%s_%s)rArerrr>jumptarget)rArerSrdr-r.r)znat_%sz nat_%s_%sz filter_%sr$rxryrDrzr{r|r}r~)rrrrZstatusdnatmetaiifnamez==loz filter_%s_%srZinvalidrprefixzSTATE_INVALID_DROP: rzFINAL_REJECT: rejecticmpxzadmin-prohibited)rTrdr%INOUTzfilter_%s_%s_%sr& filter_OUTPUToifname)r-r.)r)rr)r)r)r)rprWrHrur/rJ_pkttype_match_fragment)r6rkZ default_rulesrSZdispatch_suffixrA directionr8r8r9build_default_ruless $  (  &  .        &  &                 &   .   &               &   &znftables.build_default_rulescCs4|dkrdddgS|dkr dgS|dkr0ddgSgS) Nr*r$ FORWARD_IN FORWARD_OUTr(rr)r r8)r6rer8r8r9get_zone_table_chainss znftables.get_zone_table_chainsr,c  sdkr\dkr\g} | jj|||||dd | jj|||||dd | Sjjj|jdkrxdnddkrd krd nd } jjj|t| g} g} |r| jd d ddiiddt |idi|r| jd d ddiiddt |ididdd}|rlxT|D]L}dkrTjj j |}||krT||krTq| jj d|qW|rxT|D]L}dkrjj j |}||kr||krqx| jj d|qxWfdd}g} | rHx| D]P}| rxB| D]}| j|||qWn"dkr0|r0n| j||dqWn\dkrZ|rZnJ| rxB| D]}| j|d|qfWn"dkr|rn| j|dd| S)Nr)r,r-)rAr.rprepostr TFrxrrDrz==r|)rrrr)rrsaddrdaddrcsg}|r|j||r |j||jdddfiitdf|d}|jjrrdd|iiSdd|iiSdS) Nrrz%s_%sz%s_%s_POLICIES_%s)rArerSrdr;r>r=)rHrur_policy_priority_fragment)ingress_fragmentegress_fragmentexpr_fragmentsr>)_policyrS chain_suffixrrAp_objr6rer8r9_generate_policy_dispatch_rules    zRnftables.build_policy_ingress_egress_rules.._generate_policy_dispatch_rule) extend!build_policy_ingress_egress_rulesr/rZ get_policyrYpolicy_base_chain_namePOLICY_CHAIN_PREFIXrHrhr?Z check_source_rule_addr_fragment)r6rrrerSZingress_interfacesZegress_interfacesZingress_sourcesZegress_sourcesrArjisSNATZingress_fragmentsZegress_fragmentsZ ipv_to_familysrcrdstrrrr8)rrSrrrArr6rer9rsv          z*nftables.build_policy_ingress_egress_rulesFc  Cs|dkrT|dkrTg} | j|j|||||||d| j|j|||||||d| S|dkrh|dkrhdnd} |jjj||t| d} d d d d d d d |} |t|d d kr|dt|d d}d} |dkr| dd|| fiig}n,ddd| iid|di| dd|| fiig}|rL| rLd}|td||f|d}|j|j nP|rnd}|td||f|d}n.d}|td||f|d}|s|j|j |d|iigS)Nr)r,r-r.r TF)rrr)rr r$rrr&rE+*gotorz%s_%srxrrDz==)rrrr<z %s_%s_ZONES)rArerSrdr;r=r>) r!build_zone_source_interface_rulesr/rrrrKrur_zone_interface_fragment)r6rr?r interfacererSrHrArjrroptactionrrLr>r8r8r9rs\     z*nftables.build_zone_source_interface_rulesc Csn|dkr|dkrg}|jdr6|j|tdd} nd} td|sTt|sT| dkrp|j|j||||||dtd|st|s| dkr|j|j||||||d|S|dkr|dkrd nd } |jjj ||t | d } d d d|} ddddddd|} |jj rd||f}n d||f}d}|t ||j | ||dd|| fiigd}|j|j||| d|iigS)Nr)r,zipset:rr-rr.r TF)rr<r=)TFrr)rr r$rrr&z%s_%s_ZONES_SOURCEz %s_%s_ZONESrrz%s_%s)rArerSrdr>) startswith_set_get_familyrKrrrbuild_zone_source_address_rulesr/rrrrJrurr_zone_source_fragment)r6rr?rr@rerSrArjZ ipset_familyrrrrZzone_dispatch_chainrr>r8r8r9r<sB    z(nftables.build_zone_source_address_rulesc Cs|dkrH|dkrHg}|j|j||||d|j|j||||d|Sddd|}|dkrj|dkrjd nd }|jjj||t|d } g}|j|d |td || fdiix0d!D](} |j|d |td|| | fdiiqWxDd"D]<} |j|d|td || fddd|| | fiigdiiqW|jjj|j } |jj dkr|dkr| d#kr| } | dkrhd} |j|d|td || f|j |jj ddd| | fiigdii|dkr| d$kr| d%kr|j } n | j di} |j|d|td || f| gdii|s|j|S)&Nr)r,r-r.r;r=)TFr TF)rrSz%s_%s)rArerrrrdenyallowrz%s_%s_%sr>rr)rArerSrdrr*REJECT %%REJECT%%rrz"filter_%s_%s: "r)rrrrr)rrrrr)rrr)rrrr)rr)rbuild_policy_chain_rulesr/rrrrHruZ _policiesrget_log_deniedr_reject_fragmentlowerreverse)r6rrrerSrArjrrrrrZ log_suffixtarget_fragmentr8r8r9rjsZ      &             z!nftables.build_policy_chain_rulescCs<|dkr iS|d kr,ddddiid |d iSttd |dS) Nallunicast broadcast multicastrxrrDpkttypez==)rrrzInvalid pkttype "%s")rrr)r r )r6rr8r8r9rs  z nftables._pkttype_match_fragmentcCsddddiddddiddddiddddiddddiddddiddddiddddiddddiddddiddd diddd diddd diddd didd d diddd diddd diddd diddd diddddiddddidddiidddiid}||S)Nricmpzhost-prohibited)rTrdznet-prohibitedzadmin-prohibitedicmpv6znet-unreachablezhost-unreachablezport-unreachablerzprot-unreachablezaddr-unreachablezno-routerTz tcp reset)zicmp-host-prohibitedz host-prohibzicmp-net-prohibitedz net-prohibzicmp-admin-prohibitedz admin-prohibzicmp6-adm-prohibitedzadm-prohibitedzicmp-net-unreachablez net-unreachzicmp-host-unreachablez host-unreachzicmp-port-unreachablezicmp6-port-unreachablez port-unreachzicmp-proto-unreachablez proto-unreachzicmp6-addr-unreachablez addr-unreachzicmp6-no-routezno-routez tcp-resetztcp-rstr8)r6Z reject_typeZfragsr8r8r9_reject_types_fragments0                      znftables._reject_types_fragmentcCsddddiS)Nrrzadmin-prohibited)rTrdr8)r6r8r8r9rsznftables._reject_fragmentcCs ddddiiddddgid iS) NrxrrDl4protoz==r|rr)rrrr8)r6r8r8r9_icmp_match_fragments znftables._icmp_match_fragmentcCsP|siSddddd}|j\}}|||d}|j}|dk rH||d<d|iS) NsecondZminuteZhourZday)smhd)rateZperburstlimit)Z value_parseZ burst_parse)r6rZ rich_to_nftrZdurationrrr8r8r9_rich_rule_limit_fragments  z"nftables._rich_rule_limit_fragmentcCst|jtttgkrn<|jrHt|jtttt gkrRt t dt|jn t t d|j dkrt|jttgkst|jtt gkrdSt|jtgkst|jttgkrdSn|j dkrdSdSdS)NzUnknown action %szNo rule action specified.rrrrr) rTelementrrrrrrrrr r rY)r6 rich_ruler8r8r9_rich_rule_chain_suffixs    z nftables._rich_rule_chain_suffixcCs>|j r|j rttd|jdkr(dS|jdkr6dSdSdS)NzNot log or auditrrrr)rauditr r rY)r6rr8r8r9 _rich_rule_chain_suffix_from_logs   z)nftables._rich_rule_chain_suffix_from_logcCsddiS)Nz%%ZONE_INTERFACE%%r8)r6r8r8r9rsz!nftables._zone_interface_fragmentcCsNtd|rt|}n,td|r@|jd}t|dd|d}d||diS)Nr/rrEz%%ZONE_SOURCE%%)r?r@)rrrsplit)r6r?r@Z addr_splitr8r8r9rs     znftables._zone_source_fragmentcCs d|jiS)Nz%%POLICY_PRIORITY%%)rY)r6rr8r8r9rsz"nftables._policy_priority_fragmentcCs| s|jdkriSd|jiS)Nrz%%RICH_RULE_PRIORITY%%)rY)r6rr8r8r9_rich_rule_priority_fragmentsz%nftables._rich_rule_priority_fragmentc Cs|js iS|jjj||t}ddd|}|j|}i} |jjrPd|jj| d<|jjr|d|jjkrhdn|jj} d| | d<d td |||f||j |jj d | igd } | j |j ||d | iiS)Nr;r=)TFz%srZwarningwarnlevelr,z%s_%s_%sr)rArerSrdr>) rr/rrrrrrrurrrr) r6rrrrerrrrZ log_optionsrr>r8r8r9_rich_rule_log"s&    znftables._rich_rule_logc Cs|js iS|jjj||t}ddd|}|j|}dtd|||f||j|jjdddiigd } | j |j ||d | iiS) Nr;r=)TFr,z%s_%s_%srrr)rArerSrdr>) rr/rrrrrurrrr) r6rrrrerrrrr>r8r8r9_rich_rule_audit<s   znftables._rich_rule_auditc Cs|js iS|jjj||t}ddd|}|j|}d|||f} t|jtkr\ddi} nt|jtkr|jjr|j |jj} nddi} nt|jt krddi} nt|jt krHd}|jjj||t}d|||f} |jj j d } t| d kr,dd d d iiddd d d ii| d gi| dgidi} ndd d d ii| ddi} nttdt|jdt| ||j|jj| gd} | j|j||d| iiS)Nr;r=)TFz%s_%s_%srrrr(rrErrDmark^&r)rDvaluezUnknown action %sr,)rArerSrdr>)rr/rrrrrTrrrrrr|rrKr r rurrrr) r6rrrrerrrrrSZ rule_actionrr>r8r8r9_rich_rule_actionNsB     , znftables._rich_rule_actioncCs|jdr0|j|tddd|kr(dnd|St|r>d}ntd|rNd}nvtd|rd}tj|dd}d |jj |j d i}nDtd |rd }t |}n,d }|j d }d t |dt |dd i}dd||di|rdnd|diSdS)Nzipset:rTFetherrr-)strictr)addrrKrr.rrrErxpayload)protocolfieldz!=z==)rrr)r_set_match_fragmentrKrrr ipaddressZ IPv4NetworkZnetwork_addressZ compressedZ prefixlenrrrU)r6Z addr_fieldr@invertrAZnormalized_addressZaddr_lenr8r8r9rys( &      znftables._rule_addr_fragmentcCs6|siS|d krttd|ddddiid|d iS) NrrzInvalid familyrxrrDnfprotoz==)rrr)rr)r r )r6Z rich_familyr8r8r9_rich_rule_family_fragments  z#nftables._rich_rule_family_fragmentcCs8|siS|jr|j}n|jr&d|j}|jd||jdS)Nzipset:r)r)ripsetrr)r6Z rich_destr@r8r8r9_rich_rule_destination_fragments z(nftables._rich_rule_destination_fragmentcCsZ|siS|jr|j}n2t|dr.|jr.|j}nt|drH|jrHd|j}|jd||jdS)Nmacrzipset:r)r)rhasattrrrrr)r6Z rich_sourcer@r8r8r9_rich_rule_source_fragments z#nftables._rich_rule_source_fragmentcCsPt|}t|tr$|dkr$ttn(t|dkr8|dSd|d|dgiSdS)NrrErange)r isinstancerUr rrK)r6portrr8r8r9_port_fragments   znftables._port_fragmentc Csbddd|}d}|jjj||t} g} |r>| j|j|j|rT| j|jd||r|| j|j|j | j|j |j | jdd|dd id |j |d i| st |jtkr| jdd d diiddddgid ig} |r0| j|j||||| | j|j||||| | j|j||||| n.| j|ddtd|| f| ddigdii| S)Nr;r=)TFr*rrxrdport)rrz==)rrrryrDrzr{r|new untrackedr>r,z %s_%s_allowr)rArerSrd)r/rrrrHrrArr destinationrsourcer rTrrrrrru) r6rrprotor rrrrerrrjr8r8r9build_policy_ports_ruless:   z!nftables.build_policy_ports_rulesc CsZddd|}d}|jjj||t}g} |r>| j|j|j|rT| j|jd||r|| j|j|j | j|j |j | jdddd iid |d i| st |j tkr| jdd dd iiddddgid ig} |r(| j|j||||| | j|j||||| | j|j||||| n.| j|ddtd||f| ddigdii| S)Nr;r=)TFr*rrxrrDrz==)rrrryrzr{r|r rr>r,z %s_%s_allowr)rArerSrd)r/rrrrHrrArrrrrrTrrrrrru) r6rrrrrrrerrrjr8r8r9build_policy_protocol_ruless8   z$nftables.build_policy_protocol_rulesc Csbddd|}d}|jjj||t} g} |r>| j|j|j|rT| j|jd||r|| j|j|j | j|j |j | jdd|dd id |j |d i| st |jtkr| jdd d diiddddgid ig} |r0| j|j||||| | j|j||||| | j|j||||| n.| j|ddtd|| f| ddigdii| S)Nr;r=)TFr*rrxrsport)rrz==)rrrryrDrzr{r|r rr>r,z %s_%s_allowr)rArerSrd)r/rrrrHrrArrrrrr rTrrrrrru) r6rrrr rrrrerrrjr8r8r9build_policy_source_ports_ruless:   z(nftables.build_policy_source_ports_rulesc Csd}|jjj||t} ddd|} g} |rR| jdddtd||f||diig} |rl| j|jd || jd d |d d id|j|di| jdd||fi| j| ddtd| | dii| S)Nr*r;r=)TFz ct helperr,z helper-%s-%s)rArerrrTrrrxrr )rrz==)rrrr>zfilter_%s_allow)rArerSrd)r/rrrrHrurr ) r6rrrr rZ helper_nameZmodule_short_namererrrjrr8r8r9build_policy_helper_ports_rules)s.    z(nftables.build_policy_helper_ports_rulesc Csddd|}|jjj||t}g} |rv|t|ddkrT|dt|dd}ddd d iid |d id dig} n|jd|d dig} dtd|| d} | j|d| ii| S)Nr;r=)TFrErrrxrrDrz==)rrrrrr,zfilter_%s_allow)rArerSrdr>)r/rrrrKrrurH) r6rr?rrerrrrrjrdr>r8r8r9build_zone_forward_rulesFs"  z!nftables.build_zone_forward_rulesc Csd}|jjj||tdd}ddd|}g}|r`|j|j|j|j|j|j|j |} nd} |t d|| f|d d d d iid ddiddigd} | j |j ||d| iigS)Nr)T)rr;r=)TFrz nat_%s_%srxrrDrz!=r)rrrZ masquerade)rArerSrdr>) r/rrrrHrrrrrrurr) r6rrrArrerrrrr>r8r8r9"_build_policy_masquerade_nat_rules_s&   z+nftables._build_policy_masquerade_nat_rulesc Cs^g}|rD|jr|jdks,|jrDtd|jjrD|j|j||d|nV|r|jrX|jdksl|jrtd|jjr|j|j||d|n|j|j||d|d}|jjj||t }ddd|}g}|r|j |j |j |j |j |j|j|} nd } d td || f|d d ddiiddddgididdigd} | j|j||j |d| ii|S)Nrr.rr-r*r;r=)TFrr,z filter_%s_%srxryrDrzr{r|r r)rrrr)rArerSrdr>)rArrrrrr/rrrrHrrrrrurr) r6rrrrjrerrrrr>r8r8r9build_policy_masquerade_rulesxs8   z&nftables.build_policy_masquerade_rulesc Cs$d} |jjj|| t} ddd|} g} |r\| j|j|j| j|j|j|j |} nd} | jdd|dd id |j |d i|rt d |rt |}|r|d kr| jd||j |diq| jdd|iin| jdd|j |ii|t d| | f| d}|j|j|| d|iigS)Nr)r;r=)TFrrxrr )rrz==)rrrrrnr)rr rZredirectr z nat_%s_%s)rArerSrdr>)r/rrrrHrrrrrr rrrurr)r6rrr rtoaddrtoportrArrerrrrr>r8r8r9$_build_policy_forward_port_nat_ruless4     z-nftables._build_policy_forward_port_nat_rulesc Csg}|rF|jr|jdks&|rFtd|rF|j|j||||||d|n|r|jrZ|jdksh|rtd|r|j|j||||||d|nL|rtd|r|j|j||||||d|n|j|j||||||d||S)Nrr.rr-)rArrr) r6rrr rrrrrjr8r8r9build_policy_forward_port_ruless    z(nftables.build_policy_forward_port_rulescCsHdd|ddid|dig}|dk rD|jdd|ddid|di|S)NrxrrT)rrz==)rrrcode)rH)r6rrTr fragmentsr8r8r9_icmp_types_fragmentss  znftables._icmp_types_fragmentscCs|dkr4|tkr4t|\}}}|jd||r.dn|S|dkrh|tkrht|\}}}|jd||rbdn|Sttd||j|fdS)Nrrrrz)ICMP type '%s' not supported by %s for %s)rr rr r rr)r6rZ icmp_typeZ_type_codeZ _omit_coder8r8r9_icmp_types_to_nft_fragmentssz%nftables._icmp_types_to_nft_fragmentscCsBd}|jjj||t}ddd|}|r6|jr6|j}n<|jrjg}d|jkrT|jdd|jkrr|jdnddg}g} x|D]} |jjj|rd||f} ddi} nd ||f} |j} g} |r| j|j |j | j|j |j| j|j |j | j|j| |j|r| j|j||||| | j|j||||| |jrf| j|j||||| nN|j|}d td |||f| |jgd }|j|j|| j|d |iiq~|jjdkr|jjj| r| j|d d t| | |j|jjddd||fiigd ii| j|d d t| | | gd iiq~W| S)Nr*r;r=)TFrrz %s_%s_allowrz %s_%s_denyr,z%s_%s_%s)rArerSrdr>rrrz"%s_%s_ICMP_BLOCK: ")r/rrripvsrrHquery_icmp_block_inversionrrrArrrrr"rrrrrrrrurrrr)r6rrZictrrerrr#rjrZ final_chainrrrr>r8r8r9build_policy_icmp_block_rulessb          " " z&nftables.build_policy_icmp_block_rulescCsd}|jjj||t}g}ddd|}|jjj|r@|j}nddi}|j|ddtd||fd |j|gd ii|jj d kr|jjj|r|j|ddtd||fd |j|j |jj d d d||fiigd ii|S)Nr*r;r=)TFrr>r,z%s_%s)rArerSrFrdrrrz%s_%s_ICMP_BLOCK: ) r/rrrr$rrHrurrr)r6rrrerrjrrr8r8r9'build_policy_icmp_block_inversion_rules(s,      z0nftables.build_policy_icmp_block_inversion_rulesc Csg}ddddiidddiddd d d gd d idddig}|dkrV|jdddii|jddi|jdddtd|dii|jdddtddddddiddddgidid digdii|S)!NrxrrDrz==r)rrrZfibrZiifrZoif)flagsresultFrrrzrpfilter_DROP: rr<r>r,Zfilter_PREROUTING)rArerSrdrrrT)rrr|znd-router-advertznd-neighbor-solicitr)rHru)r6rkrjrr8r8r9build_rpfilter_rulesGs0     znftables.build_rpfilter_rulesc Csddddddddd g }d d |D}d d dddidd|idig}|jjd"krb|jdddii|j|jdg}|jdddtdd|dii|jdddtd d!|dii|S)#Nz ::0.0.0.0/96z::ffff:0.0.0.0/96z2002:0000::/24z2002:0a00::/24z2002:7f00::/24z2002:ac10::/28z2002:c0a8::/32z2002:a9fe::/32z2002:e000::/19cSs2g|]*}d|jddt|jdddiqS)rrrrE)rrK)rrU).0rBr8r8r9 nsz5nftables.build_rfc3964_ipv4_rules..rxrr.r)rrz==r|)rrrrrrrzRFC3964_IPv4_REJECT: z addr-unreachr;r>r,rrE)rArerSrFrdZfilter_FORWARD)rr)r/Z _log_deniedrHrru)r6Z daddr_setrrjr8r8r9build_rfc3964_ipv4_rulescs:   z!nftables.build_rfc3964_ipv4_rulescCsd}g}|j|j|j|j|j|j|j|j|jg}|j|j||||||j|j||||||j|j ||||||S)Nr*) rHrrArrrrrrr)r6rrrrerrjr8r8r9*build_policy_rich_source_destination_rulessz3nftables.build_policy_rich_source_destination_rulescCs|dkr dSdS)NrrebTF)rrr0r8)r6rr8r8r9is_ipv_supportedsznftables.is_ipv_supportedc Csddd}||||ddg||dd||g||dd||g||dg||||||g||ddg||dd||g||dgdd }||kr||Sttd |dS) NZ ipv4_addrZ ipv6_addr)rrZ inet_protoZ inet_servicerZifnameZ ether_addr) zhash:ipz hash:ip,portzhash:ip,port,ipzhash:ip,port,netz hash:ip,markzhash:netz hash:net,netz hash:net,portzhash:net,port,netzhash:net,ifacezhash:macz!ipset type name '%s' is not valid)r r )r6rrTZipv_addrtypesr8r8r9_set_type_lists"    znftables._set_type_listc Cs|rd|kr|ddkrd}nd}t||j||d}x0|jddjdD]}|dkrLd g|d <PqLW|rd|kr|d|d<d|kr|d|d<g}x0dD](}d|i} | j||jdd| iiqW|S)NrAinet6rr)rerrrT:rE,r-netr Zintervalr(ZtimeoutZmaxelemsizer,r.r;r|)r-r7r )r,r-r.)rur3rrrH) r6rrrToptionsrZset_dicttrjrAZ rule_dictr8r8r9build_set_create_ruless*     znftables.build_set_create_rulescCs$|j|||}|j||jjdS)N)r;rmr/r)r6rrrTr9rjr8r8r9 set_createsznftables.set_createcCs8x2dD]*}dd|t|dii}|j||jjqWdS)Nr,r-r.r=r|)rArerr)r,r-r.)ruror/r)r6rrrAr>r8r8r9 set_destroys   znftables.set_destroycCs6|jjj|jjddjd}g}xtt|D]}||dkrr|jdddii|jdd |rdd nd d iq2||dkr|jd|j||rdndd iq2||dkr|jdd|rdndiiq2||dkr|jdddiiq2t d||q2Wdt|dkrd|in|d|r&dndd|diS)Nr5rEr6r rrDrrZthr r)rrr-r7rrrZifacerrrz-Unsupported ipset type for match fragment: %srxconcatrz!=z==@)rrr)r-r7r) r/r get_ipsetrTrrrKrHrr )r6rrZ match_destr type_formatrir8r8r9rs$      znftables._set_match_fragmentc CsN|jjj|}|jjddjd}|jd}t|t|krHttdg}xtt|D]}||dkr,y||j d}Wn&t k r|j d||} Yn,X|j ||d||||dd} y| j d}Wn t k r|j | Yn(X|j d| d|| |ddgiq\||dkr d||krb|j d||jdiny||j d }WnLt k r||} d |j kr|j d d krt | } |j | Yn^X||d|} d |j kr|j d d krt | } |j d| t|||dddiq\|j ||q\Wt|dkrJd|igS|S)Nr5rEr6z+Number of values does not match ipset type.r Ztcp-rr-r7rrAr4r)rrKr>)r-r7)r/rr@rTrrKr rrrFrirHr9rrU) r6rrentryobjrAZ entry_tokensZfragmentrBrFZport_strrr8r8r9_set_entry_fragmentsL  ("znftables._set_entry_fragmentc Csjg}g}t|ttfs|g}x|D]}|j|j||q"Wx(dD] }|jdd|t||diiqBW|S)Nr,r-r.r;r)rArerrelem)r,r-r.)r rhtuplerrFrHru)r6rrentriesrjelementsrrAr8r8r9build_set_add_rules(s   znftables.build_set_add_rulescCs"|j||}|j||jjdS)N)rKrmr/r)r6rrrDrjr8r8r9set_add7s znftables.set_addcCsF|j||}x4dD],}dd|t||dii}|j||jjqWdS)Nr,r-r.r=r)rArerrrG)r,r-r.)rFruror/r)r6rrrDrrAr>r8r8r9 set_delete;s   znftables.set_deletecCs4g}x*dD]"}dd|t|dii}|j|q W|S)Nr,r-r.rbr|)rArerr)r,r-r.)rurH)r6rrrjrAr>r8r8r9build_set_flush_rulesDs  znftables.build_set_flush_rulescCs |j|}|j||jjdS)N)rNrmr/r)r6rrrjr8r8r9 set_flushMs znftables.set_flushcCsJ|jjj|}|jdkrd}n(|jrBd|jkrB|jddkrBd}nd}|S)Nzhash:macrrAr4r.r-)r/rr@rTr9)r6rrrrAr8r8r9rQs znftables._set_get_familycCsg}|j|j||||j|j|xbtdt|dD]<}|j|j||||d|j||jj|j q:W|j||jjdS)Nri) rr;rNrrKrKrmr/rclear)r6Zset_nameZ type_namerIZcreate_optionsZ entry_optionsrjrBr8r8r9 set_restore^s znftables.set_restore)N)N)r)r,)Fr,)r,)r,)F)NN)NN)NN)NN)N)N)N)N)N)N)F)N)N)F)NN)J__name__ __module__ __qualname__rrZpolicies_supportedr:rNrRr[rarmrorqrsrwrtrrrrrrrrrrrrrrrrrrrrrrrrrrrr rrrrrrrrrr r"r%r'r*r.r/r1r3r;r<r=rrFrKrLrMrNrOrrQr8r8r8r9r+Ts/.`  4  R i ; - 9   +     $ $ $   ' $   < #   4  r+iji))Z __future__rrOr^rZfirewall.core.loggerrZfirewall.functionsrrrrrZfirewall.errorsr r r r r rrZfirewall.core.richrrrrrrrZfirewall.core.icmprrZnftables.nftablesrrurrrrpobjectr+r8r8r8r9s,  $$