3 Y�j8��@s�dddddddddd d ddd ddddgZddlmZddlmZddlmZddlmZddlm Z Gdd�de �ZGdd�de �ZGdd�de �Z Gdd�de �ZGdd�de�ZGdd�de �ZGdd�de �ZGdd�de �ZGd d�de �ZGd!d �d e �ZGd"d �d e �ZGd#d�de �ZGd$d�de �ZGd%d �d e �ZGd&d�de�ZGd'd�de �Zd(d)d/d1d+�ZGd,d�de �ZGd-d�de �Zd.S)2�Rich_Source�Rich_Destination�Rich_Service� Rich_Port� Rich_Protocol�Rich_Masquerade�Rich_IcmpBlock� Rich_IcmpType�Rich_SourcePort�Rich_ForwardPort�Rich_Log� Rich_Audit�Rich_Accept�Rich_Reject� Rich_Drop� Rich_Mark� Rich_Limit� Rich_Rule�)� functions)�check_ipset_name)�REJECT_TYPES)�errors)� FirewallErrorc@seZdZddd�Zdd�ZdS)rFcCs�||_|jdkrd|_||_|jdks0|jdkr8d|_n|jdk rN|jj�|_||_|jdkrdd|_||_|jdkr�|jdkr�|jdkr�ttjd��dS)N�zno address, mac and ipset)�addr�mac�upper�ipset�invertrr�INVALID_RULE)�selfrrrr�r!�/usr/lib/python3.6/rich.py�__init__$s zRich_Source.__init__cCsjd|jrdnd}|jdk r*|d|jS|jdk rB|d|jS|jdk rZ|d|jSttjd��dS)Nz source%s z NOTrzaddress="%s"zmac="%s"z ipset="%s"zno address, mac and ipset)rrrrrrr)r �retr!r!r"�__str__5s zRich_Source.__str__N)F)�__name__� __module__�__qualname__r#r%r!r!r!r"r#s c@seZdZddd�Zdd�ZdS)rFcCsV||_|jdkrd|_||_|jdkr,d|_||_|jdkrR|jdkrRttjd��dS)Nrzno address and ipset)rrrrrr)r rrrr!r!r"r#Bs zRich_Destination.__init__cCsRd|jrdnd}|jdk r*|d|jS|jdk rB|d|jSttjd��dS)Nzdestination%s z NOTrzaddress="%s"z ipset="%s"zno address and ipset)rrrrrr)r r$r!r!r"r%Ns zRich_Destination.__str__N)F)r&r'r(r#r%r!r!r!r"rAs c@seZdZdd�Zdd�ZdS)rcCs ||_dS)N)�name)r r)r!r!r"r#YszRich_Service.__init__cCs d|jS)Nzservice name="%s")r))r r!r!r"r%\szRich_Service.__str__N)r&r'r(r#r%r!r!r!r"rXsc@seZdZdd�Zdd�ZdS)rcCs||_||_dS)N)�port�protocol)r r*r+r!r!r"r#`szRich_Port.__init__cCsd|j|jfS)Nzport port="%s" protocol="%s")r*r+)r r!r!r"r%dszRich_Port.__str__N)r&r'r(r#r%r!r!r!r"r_sc@seZdZdd�ZdS)r cCsd|j|jfS)Nz#source-port port="%s" protocol="%s")r*r+)r r!r!r"r%hszRich_SourcePort.__str__N)r&r'r(r%r!r!r!r"r gsc@seZdZdd�Zdd�ZdS)rcCs ||_dS)N)�value)r r,r!r!r"r#mszRich_Protocol.__init__cCs d|jS)Nzprotocol value="%s")r,)r r!r!r"r%pszRich_Protocol.__str__N)r&r'r(r#r%r!r!r!r"rlsc@seZdZdd�Zdd�ZdS)rcCsdS)Nr!)r r!r!r"r#tszRich_Masquerade.__init__cCsdS)N� masquerader!)r r!r!r"r%wszRich_Masquerade.__str__N)r&r'r(r#r%r!r!r!r"rssc@seZdZdd�Zdd�ZdS)rcCs ||_dS)N)r))r r)r!r!r"r#{szRich_IcmpBlock.__init__cCs d|jS)Nzicmp-block name="%s")r))r r!r!r"r%~szRich_IcmpBlock.__str__N)r&r'r(r#r%r!r!r!r"rzsc@seZdZdd�Zdd�ZdS)rcCs ||_dS)N)r))r r)r!r!r"r#�szRich_IcmpType.__init__cCs d|jS)Nzicmp-type name="%s")r))r r!r!r"r%�szRich_IcmpType.__str__N)r&r'r(r#r%r!r!r!r"r�sc@seZdZdd�Zdd�ZdS)r cCs<||_||_||_||_|jdkr(d|_|jdkr8d|_dS)Nr)r*r+�to_port� to_address)r r*r+r.r/r!r!r"r#�s zRich_ForwardPort.__init__cCs<d|j|j|jdkrd|jnd|jdkr4d|jndfS)Nz(forward-port port="%s" protocol="%s"%s%srz to-port="%s"z to-addr="%s")r*r+r.r/)r r!r!r"r%�szRich_ForwardPort.__str__N)r&r'r(r#r%r!r!r!r"r �sc@seZdZddd�Zdd�ZdS)rNcCs||_||_||_dS)N)�prefix�level�limit)r r0r1r2r!r!r"r#�szRich_Log.__init__cCs>d|jrd|jnd|jr$d|jnd|jr6d|jndfS)Nz log%s%s%sz prefix="%s"rz level="%s"z %s)r0r1r2)r r!r!r"r%�szRich_Log.__str__)NNN)r&r'r(r#r%r!r!r!r"r�s c@seZdZddd�Zdd�ZdS)rNcCs ||_dS)N)r2)r r2r!r!r"r#�szRich_Audit.__init__cCsd|jrd|jndS)Nzaudit%sz %sr)r2)r r!r!r"r%�szRich_Audit.__str__)N)r&r'r(r#r%r!r!r!r"r�s c@seZdZddd�Zdd�ZdS)r NcCs ||_dS)N)r2)r r2r!r!r"r#�szRich_Accept.__init__cCsd|jrd|jndS)Nzaccept%sz %sr)r2)r r!r!r"r%�szRich_Accept.__str__)N)r&r'r(r#r%r!r!r!r"r �s c@s&eZdZddd�Zdd�Zdd�ZdS) rNcCs||_||_dS)N)�typer2)r Z_typer2r!r!r"r#�szRich_Reject.__init__cCs,d|jrd|jnd|jr$d|jndfS)Nz reject%s%sz type="%s"rz %s)r3r2)r r!r!r"r%�szRich_Reject.__str__cCsT|jrP|sttjd��|dkrP|jt|krPdjt|�}ttjd|j|f��dS)Nz9When using reject type you must specify also rule family.�ipv4�ipv6z, z%Wrong reject type %s. Use one of: %s.)r4r5)r3rrrr�join)r �familyZvalid_typesr!r!r"�check�szRich_Reject.check)NN)r&r'r(r#r%r8r!r!r!r"r�s c@seZdZdd�ZdS)rcCsd|jrd|jndS)Nzdrop%sz %sr)r2)r r!r!r"r%�szRich_Drop.__str__N)r&r'r(r%r!r!r!r"r�sc@s&eZdZddd�Zdd�Zdd�ZdS) rNcCs||_||_dS)N)�setr2)r Z_setr2r!r!r"r#�szRich_Mark.__init__cCsd|j|jrd|jndfS)Nz mark set=%s%sz %sr)r9r2)r r!r!r"r%�szRich_Mark.__str__cCs�|jdk r|j}nttjd��d|krv|jd�}t|�dkrHttj|��tj|d�shtj|d�r�ttj|��ntj|�s�ttj|��dS)Nzno value set�/�r�)r9rrZINVALID_MARK�split�lenrZcheckUINT32)r �x�splitsr!r!r"r8�s zRich_Mark.check)N)r&r'r(r#r%r8r!r!r!r"r�s r<�<�)�s�m�h�dc@s�eZdZddd�Zdd�Zedd��Zejdd��Zed d ��Zejdd ��Ze dd ��Z dd�Ze dd��Zdd�Z dd�ZdS)rNcCs||_||_dS)N)r,�burst)r r,rGr!r!r"r#�szRich_Limit.__init__cCs|j�|j�dS)N)�value_parse�burst_parse)r r!r!r"r8�szRich_Limit.checkcCs|jS)N)�_value)r r!r!r"r,�szRich_Limit.valuecCsf|dkrd|_dSy|j|�\}}Wntk r<|}YnX|�d|��}t|dd�|krb||_dS)Nr:rJ)rJ�_value_parser�getattr)r r,�rate�duration�vr!r!r"r,�s cCs|jS)N)�_burst)r r!r!r"rGszRich_Limit.burstcCs\|dkrd|_dSy|j|�}Wntk r8|}Yn Xt|�}t|dd�|krX||_dS)NrP)rP�_burst_parser�strrL)r rG�br!r!r"rGs cCs�d}d|kr|jd�}|s(t|�dkr4ttj|��|\}}yt|�}Wnttj|��YnX|dkrv|dd�}|dks�|dkr�ttj|��dt||d kr�ttjd|f��|dkr�|dkr�ttjd|f��||fS)Nr:r;�second�minute�hour�dayr<rCrDrErFi'rz%s too fastz%s too slow)rTrUrVrW)rCrDrErF)r=r>rr� INVALID_LIMIT�int�DURATION_TO_MULT)r,r@rMrNr!r!r"rKs& zRich_Limit._value_parsecCs|j|j�S)N)rKrJ)r r!r!r"rH:szRich_Limit.value_parsec CsR|dkrdSyt|�}Wnttj|��YnX|dksB|dkrNttj|��|S)Nr<i��)rYrrrX)rGrSr!r!r"rQ=szRich_Limit._burst_parsecCs|j|j�S)N)rQrP)r r!r!r"rIKszRich_Limit.burst_parsecCs,d|j�d�}|jdk r(|d|j��7}|S)Nz limit value="�"z burst=)rJrP)r rCr!r!r"r%Ns zRich_Limit.__str__)N)r&r'r(r#r8�propertyr,�setterrG�staticmethodrKrHrQrIr%r!r!r!r"r�s c@s>eZdZdZdZddd�Zdd�Zd d �Zdd�Zd d�Z dS)ri�i�NrcCsV|dk rt|�|_nd|_||_d|_d|_d|_d|_d|_d|_|rR|j |�dS)N) rRr7�priority�source�destination�element�log�audit�action�_import_from_string)r r7�rule_strr_r!r!r"r#XszRich_Rule.__init__cCs�g}x|tj|�D]n}d|krp|jd�}t|�dksF|dsF|drVttjd|��|j|d|dd��q|jd|i�qW|jddi�|S) z Lexical analysis �=r;rr<zinternal error in _lexer(): %s)� attr_name� attr_valuerb�EOL)rZ splitArgsr=r>rrr�append)r rg�tokens�r�attrr!r!r"�_lexeris zRich_Rule._lexercCs�|sttjd��tj|�}d|_d|_d|_d|_d|_ d|_ d|_d|_|j |�}|rv|djd�dkrvttjd��i}g}d}�x`||jd�dko�|dgk�s�||jd�}||jd�}||jd�}|�r�|dHk�r�ttjd|��n�|dIk�r�|dk�r|j�rttjd+��n�|dk�r<|j�r|d <nBt|jd �|jd�|jd�|jd d?��|_|j�|j�|d2}�n| dk�r,|dOk�r�|||<nN|dPk�r�d>|d <n:t|jd �|jd�|jd d?��|_|j�|j�|d2}�n�| dk�rd|dk�rTt|�|_ |j�nttjd@��nv| dk�r�|dk�r�t|�|_ |j�nttjdA��n>| dk�r�|dQk�r�|||<n0t|jd�|jd��|_ |j�|j�|d2}�n�| dk�r&|dk�rt|�|_ |j�nttjdB��n�| dk�r^|dk�rNt|�|_ |j�nttjdC��n|| dk�r�t�|_ |j�|j�|d2}�nN| d k�r�|dRk�r�|||<n@t|jd�|jd�|jd�|jd��|_ |j�|j�|d2}�n�| d!k�r@|dSk�r|||<n0t|jd�|jd��|_ |j�|j�|d2}�n�| d"k�r�|dTk�r^|||<nN|d(k�rt|jd(�n8t |jd�|jd�|jd(��|_ |j�|j�|d2}�n*| d#k�r�|d(k�r�|jd(�n(t!|jd(��|_|j�|j�|d2}�n�| d$k�rH|d(k�r|jd(�n(t"|jd(��|_|j�|j�|d2}�n�| d%k�r�|d(k�rh|jd(�n(t#|jd(��|_|j�|j�|d2}�nF| d&k�r�|dk�r�|||<nF|d(k�r�|jd(�n0t$|jd�|jd(��|_|j�|j�|d2}n�| d'k�r`|dk�r|||<nF|d(k�r.|jd(�n0t%|jd�|jd(��|_|j�|j�|d2}nz| d(k�r�|dUk�r�||dD|��<nVdE|k�r�ttjdF��t&|dE|jdG��|d(<|jdEd�|jdGd�|j�|d2}|d2}q�W|j'�dS)VNz empty rulerrbrk�rulerirjr_r7�addressrrrr,r*r+�to-port�to-addrr)r0r1r3r9rGzbad attribute '%s'r`ra�service� icmp-block� icmp-typer-�forward-port�source-portrcrd�accept�drop�reject�markr2�not�NOTzmore than one 'source' elementz#more than one 'destination' elementzFmore than one element. There cannot be both '%s' and '%s' in one rule.zmore than one 'log' elementzmore than one 'audit' elementzOmore than one 'action' element. There cannot be both '%s' and '%s' in one rule.zunknown element %sr<rz0'family' outside of rule. Use 'rule family=...'.z4'priority' outside of rule. Use 'rule priority=...'.z:'%s' outside of any element. Use 'rule %s= ...'.z,'%s' outside of rule. Use 'rule ... %s ...'.r4r5zH'family' attribute cannot have '%s' value. Use 'ipv4' or 'ipv6' instead.z(invalid 'priority' attribute value '%s'.zdwrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'.zDattribute '%s' outside of any element. Use 'rule %s= ...'.TFzinvalid 'protocol' elementzinvalid 'service' elementzinvalid 'icmp-block' elementzinvalid 'icmp-type' elementzlimit.zlimit.valuezinvalid 'limit' elementzlimit.burst)r_r7rrrrrr,r*r+rsrtr)r0r1r3r9rG)rqr`rar+rur*rvrwr-rxryrcrdrzr{r|r}r2r~rrk)r+rur*rvrwr-rxry)rzr{r|r})r4r5)rrrrr)r~r)rrrr)r~r)r*r+)r*r+rsrt)r*r+)r0r1)r,rG)(rrrrZstripNonPrintableCharactersr_r7r`rarbrcrdrerp�getr>rlrY� ValueError�INVALID_PRIORITYr�pop�clearrrrrrrrr r rrr rrrrr8)r rgrmZattrsZin_elements�indexrbrirjZ in_elementZerr_msgr!r!r"rfzs� "" * " ( zRich_Rule._import_from_stringc Cs`|jdk r"|jd kr"ttj|j��|jdkrn|jdk rB|jjdk sL|jdk rVttj��t|j �t krnttj��|j|jks�|j|j kr�ttjd|j|j f��|j dko�|jdks�|jdk o�|jdk�r |jdkr�ttjd��|jdko�|jdko�|jdk�r ttjd��t|j �tt tgk�rP|jdk�rP|jdk�rP|jdk�rPttjd��|jdk �rj|jjdk �r�|jdk�r�ttj��|jjdk �r�ttjd��|jjdk �r�ttjd ��tj|j|jj��sjttjt|jj��n�|jjdk �r,|jjdk �rttjd ��tj|jj��sjttjt|jj��n>|jjdk �r^t|jj��sjttjt|jj��nttjd��|jdk �r|jjdk �r�|jdk�r�ttj��|jjdk �r�ttjd ��tj|j|jj��sttjt|jj��n>|jjdk �rt|jj��sttjt|jj��nttjd��t|j �t k�rd|j j!dk�sLt"|j j!�d k�r`ttj#t|j j!��n�t|j �t$k�r�tj%|j j&��s�ttj'|j j&��|j j(d!k�r`ttj)|j j(��n�t|j �t*k�r�tj+|j j,��s`ttj)|j j,��nvt|j �tk�r<|jdk �rttjd��|jdk �r`|jjdk �r`ttjd��n$t|j �tk�r�|j j!dk�slt"|j j!�d k�r�ttj-t|j j!��|j�r`ttjd��n�t|j �t.k�r�|j j!dk�s�t"|j j!�d k�r`ttj-t|j j!��n�t|j �t k�r�tj%|j j&��sttj'|j j&��|j j(d"k�r.ttj)|j j(��|j j/dk�rZ|j j0dk�rZttj'|j j/��|j j/dk�r�tj%|j j/��r�ttj'|j j/��|j j0dk�r�tj1|j|j j0��r�ttj|j j0��|jdk�r�ttj��|jdk �r`ttjd��nrt|j �t2k�r>tj%|j j&��sttj'|j j&��|j j(d#k�r`ttj)|j j(��n"|j dk �r`ttjdt|j ��|jdk �r�|jj3�r�|jj3d$k�r�ttj4|jj3��|jj5dk �r�|jj5j6�|jdk �r�t|j�t7t8t9gk�r�ttj:t|j��|jj5dk �r�|jj5j6�|jdk �r\t|j�t8k�r(|jj6|j�nt|j�t;k�rB|jj6�|jj5dk �r\|jj5j6�dS)%Nr4r5z/'priority' attribute must be between %d and %d.rzno element, no actionz%no element, no source, no destinationzno action, no log, no auditzaddress and maczaddress and ipsetz mac and ipsetzinvalid sourcezinvalid destinationr<�tcp�udp�sctp�dccpzmasquerade and actionzmasquerade and mac sourcezicmp-block and actionrzforward-port and actionzUnknown element %s�emerg�alert�crit�error�warning�notice�info�debug)r4r5)r�r�r�r�)r�r�r�r�)r�r�r�r�)r�r�r�r�r�r�r�r�)ZINVALID_SERVICErZ check_portr*ZINVALID_PORTr+ZINVALID_PROTOCOLrZ checkProtocolr,ZINVALID_ICMPTYPErr.r/Zcheck_single_addressr r1ZINVALID_LOG_LEVELr2r8r rrZINVALID_AUDIT_TYPEr)r r!r!r"r8hs� zRich_Rule.checkcCs�d}|jr|d|j7}|jr,|d|j7}|jr@|d|j7}|jrT|d|j7}|jrh|d|j7}|jr||d|j7}|jr�|d|j7}|jr�|d|j7}tj r�tj |�S|S)Nrqz priority="%d"z family="%s"z %s)r_r7r`rarbrcrdrerZPY2Zu2b)r r$r!r!r"r%s$zRich_Rule.__str__i��)NNr) r&r'r(r�r�r#rprfr8r%r!r!r!r"rTs o-Nii�i�Q)�__all__ZfirewallrZfirewall.core.ipsetrZfirewall.core.baserrZfirewall.errorsr�objectrrrrr rrrrr rrr rrrrZrrr!r!r!r"�s@ d