3 YjU@sdZdddgZddljZddlZddlZddlZddlmZddl m Z m Z m Z m Z mZmZmZmZmZddlmZmZmZmZdd lmZmZdd lmZmZmZmZdd l m!Z!dd lm"Z"dd l#m$Z$GdddeZ%GdddeZ&ddZ'dddZ(dS)z$ipset io XML handler, reader, writerIPSet ipset_reader ipset_writerN)config) checkIPcheckIP6 checkIPnMask checkIP6nMask u2b_if_py2 check_mac check_portcheckInterface checkProtocol)PY2 IO_ObjectIO_Object_ContentHandlerIO_Object_XMLGenerator) IPSET_TYPESIPSET_CREATE_OPTIONS)check_icmp_namecheck_icmp_type_codecheck_icmpv6_namecheck_icmpv6_type_code)log)errors) FirewallErrorcseZdZddd d!dddifddgffZdZd d d d gZd d dgdgd dZdgdgdZfddZddZ ddZ e ddZ ddZ fddZZS)"rversionshort descriptiontypeoptionsentriesz (ssssa{ss}as)_-:.Nname)rripsetoptionentryvalue)r(r)cs<tt|jd|_d|_d|_d|_g|_i|_d|_ dS)NrF) superr__init__rrrr r"r!applied)self) __class__/usr/lib/python3.6/ipset.pyr-CszIPSet.__init__cCs8d|_d|_d|_d|_|jdd=|jjd|_dS)NrF)rrrr r"r!clearr.)r/r1r1r2cleanupMs  z IPSet.cleanupcCs\t|j|_t|j|_t|j|_t|j|_dd|jjD|_dd|jD|_dS)z HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. Get rid of it once we throw out python 2 support.cSsi|]\}}t|t|qSr1)r ).0kvr1r1r2 ^sz(IPSet.encode_strings..cSsg|] }t|qSr1)r )r5er1r1r2 `sz(IPSet.encode_strings..N)r rrrr r!itemsr")r/r1r1r2encode_stringsVs    zIPSet.encode_stringscCsrd}d|kr|ddkrd}|jds6ttjd||ddjd}|jd}t|t|ksnt|d krttjd ||fxtt|D]}||}||}|d krd |ko|dkrh|d krttjd |||f|jd } t| dkrttjd||||fx| D]J} |dkr2t|  sH|dkrt |  rttjd| |||fqWnh|dkr|dkrttjd||||f|dkrt } nt} nt } | |sjttjd||||fq|dkr@d |kr|jd } t| dkrttjd||||f|dkr0t| d sJ|dkrft | d rfttjd| d|||f|dkrt | d  s|dkr>t | d  r>ttjd| d |||fn|j dr|dko|dko|dksttjd||||f|dkrt | s&|dkrjt | rjttjd||||fq|dkrvt | s`|dkrjttjd||fq|dkrld|krL|jd} t| dkrttjd|| ddkrP|dkrttjd||ft| d  rd| d krttjd| d |fn6| d jd\} } t| | sJttjd| d |fqj| dd2kr|dkr|ttjd||ft| d  rd| d krttjd"| d |fn6| d jd\} } t| | sJttjd"| d |fn^| dd3kr$t| d r$ttjd'| d|fn&t| d sjttjd(| d |fnt|sjttjd)||fq|d*kr |jd+ryt|d,}Wn*tk rttjd-||fYnXn8y t|}Wn*tk rttjd-||fYnX|dks |d.krjttjd-||fq|d/krZt| sDt|d0krjttjd1||fqttjd|qWdS)4NZipv4familyinet6Zipv6zhash:zipset type '%s' not usable,z)entry '%s' does not match ipset type '%s'Zipr$z invalid address '%s' in '%s'[%d]z.invalid address range '%s' in '%s' for %s (%s)z(invalid address '%s' in '%s' for %s (%s)z0.0.0.0rZnetz/0zhash:net,ifaceZmacz00:00:00:00:00:00z invalid mac address '%s' in '%s'Zportr%zinvalid port '%s'Zicmpz(invalid protocol for family '%s' in '%s'/zinvalid icmp type '%s' in '%s'icmpv6 ipv6-icmpz invalid icmpv6 type '%s' in '%s'tcpsctpudpudplitezinvalid protocol '%s' in '%s'zinvalid port '%s'in '%s'zinvalid port '%s' in '%s'ZmarkZ0xzinvalid mark '%s' in '%s'lZifacezinvalid interface '%s' in '%s')rDrE)rFrGrHrI) startswithrr INVALID_IPSETsplitlenZ INVALID_ENTRYrangerrrr endswithr rrrrrr int ValueErrorr )r*r!Z ipset_typer=flagsr;iflagitemZsplitsZ_splitZip_checkZ_type_codeZint_valr1r1r2 check_entrybsT                                  zIPSet.check_entrycCs|dkr |tkr ttjd||dkrx|jD]}|tkrNttjd||dkryt||}Wn,tk rttj d|||fYnX|d krttj d |||fq2|d kr2||dkr2ttj ||q2WdS)Nr z'%s' is not valid ipset typer!zipset invalid option '%s'timeouthashsizemaxelemz)Option '%s': Value '%s' is not an integerrz#Option '%s': Value '%s' is negativer=inetr>)rZr[r\)r]r>) rrr INVALID_TYPEkeysrrMrRrS INVALID_VALUEINVALID_FAMILY)r/rrWZ all_configkey int_valuer1r1r2 _check_config&s2   zIPSet._check_configcsrd|dkr6|dddkr6t|ddkr6ttjx&|dD]}tj||d|dq@Wtt|j|dS)NrZ0r?r)rOrrZIPSET_WITH_TIMEOUTrrYr, import_config)r/rr*)r0r1r2rhAs  zIPSet.import_config)rr)rr)rr)r r)__name__ __module__ __qualname__ZIMPORT_EXPORT_STRUCTUREZDBUS_SIGNATUREZADDITIONAL_ALNUM_CHARSZPARSER_REQUIRED_ELEMENT_ATTRSZPARSER_OPTIONAL_ELEMENT_ATTRSr-r4r< staticmethodrYrdrh __classcell__r1r1)r0r2r,s,       Ec@seZdZddZddZdS)ipset_ContentHandlerc Cstj||||jj|||dkrpd|krX|dtkrLttjd|d|d|j_d|krl|d|j_ nz|dkr|nn|dkrnb|dkrd}d |kr|d }|d dkrttj d|d |jjdko|d dkrttj d|d |jjf|d dkr&| r&ttj d|d |d dkry t |}Wn.t k rnttj d|d |fYnX|dkrttj d|d |f|d d kr|dkrttj||d |jjkr||jj|d <ntjd|d dS)Nr(r z%srrrr)rr+r'r=rZr[r\zUnknown option '%s'zhash:macz%Unsupported option '%s' for type '%s'z&Missing mandatory value of option '%s'z)Option '%s': Value '%s' is not an integerrz#Option '%s': Value '%s' is negativer]r>z Option %s already set, ignoring.)r=rZr[r\)r=)r=rZr[r\)rZr[r\)r]r>)r startElementrWZparser_check_element_attrsrrrr^r rZINVALID_OPTIONrRrSr`rar!rwarning)r/r'attrsr+rcr1r1r2roLsd      z!ipset_ContentHandler.startElementcCs(tj|||dkr$|jjj|jdS)Nr*)r endElementrWr"appendZ_element)r/r'r1r1r2rrs zipset_ContentHandler.endElementN)rirjrkrorrr1r1r1r2rnKs7rnc %Cst}|jds ttjd||dd|_|j|j||_||_|j t j rVdnd|_ |j |_ t|}tj}|j|d||f}t|db}tjd}|j|y|j|Wn8tjk r}zttjd|jWYdd}~XnXWdQRX~~d |jkrF|jd d krFt|jd krFtjd |j|jdd=d } t} x| t|jkr|j| | krtjd |j| |jj| nry|j |j| |j|j!Wn<tk r} ztjd| |jj| WYdd} ~ XnX| j"|j| | d7} qRW~ t#r|j$|S)Nz.xmlz'%s' is missing .xml suffixreFTz%s/%srbznot a valid ipset file: %srZrfrz6ipset '%s': timeout option is set, entries are ignoredzEntry %s already set, ignoring.z %s, ignoring.rA)%rrQrrZ INVALID_NAMEr'Z check_namefilenamepathrLr ETC_FIREWALLDZbuiltindefaultrnsaxZ make_parserZsetContentHandleropenZ InputSourceZ setByteStreamparseZSAXParseExceptionrMZ getExceptionr!rOr"rrpsetpoprYr addrr<) rvrwr(handlerparserr'fsourcemsgrUZ entries_setr9r1r1r2rs^        (  c Cs|r|n|j}|jr$d||jf}nd||jf}tjj|rytj|d|Wn0tk r}ztj d||WYdd}~XnXtjj |}|j t j rtjj| rtjjt j stjt j dtj|dtj|ddd}t|}|jd |ji}|jr|jd kr|j|d <|jd ||jd |jrz|jd krz|jd|jdi|j|j|jd|jd |jr|jd kr|jd|jdi|j|j|jd|jd xZ|jjD]L\} } |jd| d kr|jd| | dn|jdd| i|jd qWxD|jD]:} |jd|jdi|j| |jd|jd q(W|jd |jd |j|j ~dS)Nz%s/%sz %s/%s.xmlz%s.oldzBackup of file '%s' failed: %siZwtzUTF-8)modeencodingr rrr( z rrr))r'r+r'r*)!rwrvr'osexistsshutilZcopy2 ExceptionrerrordirnamerLrrxmkdirior{rZ startDocumentr rroZignorableWhitespacerZ charactersrrrr!r;Z simpleElementr"Z endDocumentclose) r(rw_pathr'rdirpathrrrqrbr+r*r1r1r2rsf                           )N))__doc____all__Zxml.saxrzrrrZfirewallrZfirewall.functionsrrrr r r r r rZfirewall.core.io.io_objectrrrrZfirewall.core.ipsetrrZfirewall.core.icmprrrrZfirewall.core.loggerrrZfirewall.errorsrrrnrrr1r1r1r2s&   ,   !=5