}Zc@sdgZddlZddlZddlZddlZddlmZddlmZddl m Z ddl m Z ddl m Z ddl m Z dd lmZdd lmZdd lmZdd lmZdd lmZddlmZddlmZddlmZmZddlm Z ddl!m"Z"ddl#m$Z$ddl%m&Z&ddl'm(Z(ddl)m*Z*ddl+m,Z,m-Z-ddl.m/Z/ddl0m1Z1ddlm2Z2ddl3m4Z4de5fdYZ6dS(tFirewalliN(tconfig(t functions(t ipXtables(tebtables(tipset(tmodules(tFirewallIcmpType(tFirewallService(t FirewallZone(tFirewallDirect(tFirewallConfig(tFirewallPolicies(t FirewallIPSet(tFirewallTransactiont reverse_rule(tFirewallHelper(tlog(tfirewalld_conf(tDirect(tservice_reader(ticmptype_reader(t zone_readertZone(t ipset_reader(t helper_reader(terrors(t FirewallErrorcBseZdZdZdZdZdZdZeedZ dZ edZ d Z d Z d Zd Zd ZdZdZd+dZd+dZdd+dZdZdZdZdZdZdZdZdZdZdZ dZ!dZ"ed Z#d!Z$d"Z%d#Z&d$Z'd%Z(d&Z)d'Z*d(Z+d)Z,d*Z-RS(,cCsjttj|_tj|_t|_g|_ tj |_ t|_ g|_ tj|_t|_tj|_t|_g|_i|_|jj|jd<|j j|jd<|jj|jd%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r)(t __class__R$R(R+t_statet_panict _default_zonet_module_refcountt_markst _min_marktcleanup_on_exittipv6_rpfilter_enabledR-t_individual_callst _log_deniedt_automatic_helpers(R8((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt__repr__]scCsd|_t|_d|_i|_g|_tj|_tj |_ tj |_ tj |_tj|_tj|_d|_i|_i|_dS(NtINITti(R;tFalseR<R=R>R?RtFALLBACK_MINIMAL_MARKR@tFALLBACK_CLEANUP_ON_EXITRAtFALLBACK_IPV6_RPFILTERRBtFALLBACK_INDIVIDUAL_CALLSRCtFALLBACK_LOG_DENIEDRDtFALLBACK_AUTOMATIC_HELPERSREtnf_conntrack_helper_settingtnf_conntrack_helperstnf_nat_helpers(R8((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt __init_varsfs             cCs|jS(N(RC(R8((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytindividual_callswscCs|jr7d|jdkr7tjdt|_n|jrnd|jdkrntjdt|_n|jrd|jdkrtjdt|_n|j r|j rtjdtj d ndS( NtfilterRs-iptables not usable, disabling IPv4 firewall.Rs.ip6tables not usable, disabling IPv6 firewall.Rs8ebtables not usable, disabling ethernet bridge firewall.sNo IPv4 and IPv6 firewall.i( R$tget_available_tablesRtwarningRIR(R+tfataltsystexit(R8((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt _check_tableszs          cCsy|jjWn0tk rCtjdt|_g|_nX|jj|_|j j |j j s|j j rtjdqtjdt|_ n|j r|j j|_n g|_|jj |jj s|jj rtjdqtjdt|_n|jr7|jj|_n g|_|jj |jj s|jj rutjdqtjdt|_n|jr|j r|jj rtjdntjjtjd rtj|_t |jd krGtjd xI|jj!D](\}}tjd |d j"|qWn tjdtj#|_$t |j$d krtjdxI|j$j!D](\}}tjd |d j"|qWqtjdni|_i|_$tjddS(Ns4ipset not usable, disabling ipset usage in firewall.sFiptables-restore is missing, using individual calls for IPv4 firewall.sCiptables-restore and iptables are missing, disabling IPv4 firewall.sGip6tables-restore is missing, using individual calls for IPv6 firewall.sEip6tables-restore and ip6tables are missing, disabling IPv6 firewall.sHebtables-restore is missing, using individual calls for bridge firewall.sEebtables-restore and ebtables are missing, disabling bridge firewall.sSebtables-restore is not supporting the --noflush option, will therefore not be usedtmodinfois*Conntrack helpers supported by the kernel:s %s: %ss, s-No conntrack helpers supported by the kernel.s$NAT helpers supported by the kernel:s'No NAT helpers supported by the kernel.sAmodinfo command is missing, not able to detect conntrack helpers.(%R,tlistt ValueErrorRRWRIR-R.tsupported_typesR"t fill_existstrestore_command_existstcommand_existsR$tsupported_icmp_typesR%R'R(R)R*R+RCtrestore_noflush_optiontdebug1tostpathtexistsRtCOMMANDSRtget_nf_conntrack_helpersRQtlentitemstjointget_nf_nat_helpersRR(R8tkeytvalues((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt _start_checksd                         #  #  c Csh tj}tjdtjy|jjWn-tk r\}tj|tjdn X|jj dr|jj d}n|jj drt |jj d|_ n|jj dr|jj d}|dk r|j d6krt|_qn|jj dr|jj d}|dk r|j d7krtjd y|jjWq|tk rxq|Xqn|jj d r|jj d }|dk r|j d8krt|_n|j d9krt|_qqn|jr tjd n tjd|jj dru|jj d}|dk ru|j d:krutjdt|_qun|jj dr|jj d}|dks|j dkrd|_q|j |_tjd|jn|jj dr||jj d}|dk r||j d;kr6d|_n-|j d<krTd |_n|j |_tjd|jq|n|jjtj|j|jtjdy|jjjWn]tk r"}|jjrtjd|jjj|q#tjd|jjj|nX|jj tj|j|j!tj"d|j!tj#d|j!tj$d|j!tj%dt&|j'j(dkrtjdn|j!tj)d|j!tj*d|j!tj+d|j!tj,dt&|j-j.dkr-tjdn|j!tj/d|j!tj0dt&|j1j2dkrtj3d t4j5d!nt}xEd"d#d$gD]4}||j1j2krtj3d%|t}qqW|rt4j5d!n||j1j2krbd&|j1j2kr"d&}n$d'|j1j2kr@d'}nd"}tjd(|||}ntjd)|t6tj7} t8j9j:tj7rtjd*tj7y| jWqtk r}tjd+tj7|qXn|j;j<| |jj=tj| |jd,kr8t>j?|jd knt>j@|_A|jBtjCdkrrtDjD} ntE|} |r|jFd-d.| n|jGd.| |r|s|jHr|jIjJr| jKt| jLn|r|rtjd/|jMjNn|jHrF|jIjJrFtjd0|jIjOntjd1|jPd.| tjd2|j1jQd.| |jR||_S|j1jTd|jSd.| | jKt| jL|j;jUr" | jVtjd3|j;jW| | jKt| jX| jLn~ tjCd!kr[ tDjD} tjYd4| | nd5|_ZdS(=Ns"Loading firewalld config file '%s's0Using fallback firewalld configuration settings.t DefaultZonet MinimalMarkt CleanupOnExittnotfalsetLockdowntyesttruesLockdown is enabledt IPv6_rpfiltersIPv6 rpfilter is enabledsIPV6 rpfilter is disabledtIndividualCallssIndividualCalls is enabledt LogDeniedtoffsLogDenied is set to '%s'tAutomaticHelperssAutomaticHelpers is set to '%s'sLoading lockdown whitelists*Failed to load lockdown whitelist '%s': %sRR1isNo icmptypes found.R6R2sNo services found.R3sNo zones found.itblocktdropttrustedsZone '%s' is not available.tpublictexternals+Default zone '%s' is not valid. Using '%s'.sUsing default zone '%s'sLoading direct rules file '%s's)Failed to load direct rules file '%s': %stsystemtDROPtuse_transactionsUnloading firewall modulessApplying ipsetssApplying default rule setsApplying used zoness2Applying direct chains rules and passthrough ruless%Flushing and applying took %f secondstRUNNING(RuRv(syesRy(RuRv(syesRy(syesRy(RuRv(syesRy([Rt FALLBACK_ZONERReRR treadt ExceptionRWtgettintR@tNonetlowerRIRAR5tenable_lockdownRRBR#RCRDREtset_firewalld_conftcopytdeepcopyRqtlockdown_whitelisttquery_lockdownterrortfilenamet set_policiest_loadertFIREWALLD_IPSETStETC_FIREWALLD_IPSETStFIREWALLD_ICMPTYPEStETC_FIREWALLD_ICMPTYPESRkR1t get_icmptypestFIREWALLD_HELPERStETC_FIREWALLD_HELPERStFIREWALLD_SERVICEStETC_FIREWALLD_SERVICESR2t get_servicestFIREWALLD_ZONEStETC_FIREWALLD_ZONESR3t get_zonesRXRYRZRtFIREWALLD_DIRECTRfRgRhR4tset_permanent_configt set_directRtset_nf_conntrack_helper_settingtget_nf_conntrack_helper_settingRPR[tgetDebugLogLevelttimeRt set_policytflushR-Rt has_ipsetstexecutetclearR0tunload_firewall_modulest apply_ipsetstapply_default_rulest apply_zonest check_zoneR=tchange_default_zonethas_configurationtenable_generous_modet apply_directtdisable_generous_modetdebug2R;( R8treloadtcomplete_reloadt default_zonetmsgtvalueRtzR3tobjttm1t transactionttm2((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt_starts0                                               cCs|j|jddS(NtACCEPT(RR(R8((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytstarts c Cstjj|sdS|r|jtjr}|dkr}t}tjj||_|j |j||_t |_ qt }nxWt tj |D]@}|jds|jtjr|dkrtjjd||fr|jd||f|dtqqnd||f}tjd||yJ|dkrAt||}|j|jjkr|jj|j}tjd||j|j|j|jj|jn!|jjtjrt|_ ny|jj|Wn3tk r$} tjd|jt| fnX|jjtj|n?|d krt||}|j|j j!kr|j j"|j}tjd||j|j|j|j j#|jn!|jjtjrt|_ n|j j$||jj$tj|nr|dkrt%||}|rtdtjj|tjj|d d !f|_|j |jntj|} |j|j&j'kr|j&j(|j}|j&j)|j|j*rtjd ||j|||j+|qGtjd||j|j|jn*|jjtjrGt|_ t| _ n|jj,| |rtjd ||j|||j+|q|j&j,|n|d krt-||}|j|j.j/kr|j.j0|j}tjd||j|j|j|j.j1|jn!|jjtjr=t|_ ny|j.j2|Wn3tk r} tj3d|jt| fnX|jj2tj|n|dkrpt4||}|j|j5j6kr#|j5j7|j}tjd||j|j|j|j5j8|jn!|jjtjrDt|_ n|j5j9||jj9tj|ntj:d|Wqtk r} tj;d||| qt<k r} tj;d||tj=qXqW|r|j*r|j|j&j'kr|j&j(|j}tjd||j|j|jy|j&j)|jWnt<k rhnX|jj>|jn|j&j,|ndS(NR3s.xmls%s/%stcombinesLoading %s file '%s'R1s Overloads %s '%s' ('%s/%s')s%s: %s, ignoring for run-time.R2iis Combining %s '%s' ('%s/%s')RR6sUnknown reader type %ssFailed to load %s file '%s': %ssFailed to load %s file '%s':s0 Overloading and deactivating %s '%s' ('%s/%s')(?RfRgtisdirt startswithRt ETC_FIREWALLDRtbasenametnamet check_nameRItdefaulttsortedtlistdirtendswithRR#RReRR1Rt get_icmptypeRtremove_icmptypet add_icmptypeRtinfo1tstrRRRR2Rt get_servicetremove_servicet add_serviceRR3Rtget_zonet remove_zonetcombinedRtadd_zoneRRt get_ipsetst get_ipsett remove_ipsett add_ipsetRWRR6t get_helperst get_helpert remove_helpert add_helperRXRRt exceptiont forget_zone( R8Rgt reader_typeRt combined_zoneRRRtorig_objRt config_objR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRs                                               cCs|dkr|j|SgS(NRRR(sipv4sipv6seb(R/(R8tipv((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRV`s  cCs|jj|jj|jj|jj|jj|jj|jj|jj|j j|j dS(N( R1tcleanupR2R3RR6RR4R5R R7(R8((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRes         cCs>|jr0|j|jd|jjn|jdS(NR(RARRR0RR(R8((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytstopqs    cCs=|j}x||jkr(|d7}q W|jj||S(Ni(R@R?tappend(R8ti((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytnew_mark{s  cCs|jj|dS(N(R?tremove(R8tmark((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytdel_markscCs xt|D]\}}|r:|jj|\}}n4|j|dkrVd}n|jj|\}}|dkr|r|| |fSn|r|jj|d|j|cd7t unload_modulet setdefaultR(R8t_modulestenableRtmoduletstatusR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pythandle_moduless"  c Cs i}|dkrt}nt}x#|jD]}|j||||dkrY|jro|jj|Snttjd|d S(Ns %%REJECT%%RRtREJECTs --reject-withis'%s' not in {'ipv4'|'ipv6'}s%%ICMP%%s %%LOGTYPE%%R}RHtunicastt broadcastt multicasts-mtpkttypes --pkt-typeiit"iRs '%s' not in {'ipv4'|'ipv6'|'eb'}(sipv4sipv6(sipv4sipv6(sipv4sipv6(RRR(tindexR^RtDEFAULT_REJECT_TYPERRtEBTABLES_NO_REJECTtICMPt INVALID_IPVRDtpopRkR$R"tset_ruleR(R'R+R*(R8RR RR((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR )s`              2        c Csg}x|D]}}y|jd}Wntk r9nGX|dkrjddtj|g|||d+nttjd|y|jd}Wntk rn7X|dkrtj|||ttjd|n|j dkrpddd|j g|||d+n |j ||j |q Wd}|dkr|j r|j}qn^|dkr|jr|j}qn:|dkr|jr|j}qnttjd||s dS|jsL|j sL|dkrn|jj rnxt|D] \}}d}xp|t|kr||}t|dkr|ddkr|ddkr|dd!||       #    cCs|jS(N(R;(R8((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyt get_stateIscCsg|jrttjdny|jddWn%tk rY}ttj|nXt|_dS(Nspanic mode already enabledRtall(R<RRtALREADY_ENABLEDRRtCOMMAND_FAILEDR#(R8R((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyRWNs   cCsg|jsttjdny|jddWn%tk rY}ttj|nXt|_dS(Nspanic mode is not enabledRR_(R<RRt NOT_ENABLEDRRRaRI(R8R((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytdisable_panic_modeZs   cCs|jS(N(R<(R8((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytquery_panic_modefscCs|jS(N(RD(R8((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytget_log_deniedkscCs|tjkr:ttjd|djtjfn||jkrx||_|jj d||jj nttj |dS(Ns'%s', choose from '%s's','R|( RtLOG_DENIED_VALUESRRRMRmReRDR tsettwritet ALREADY_SET(R8R((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytset_log_deniedns  cCs|jS(N(RE(R8((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytget_automatic_helpers}scCs|tjkr:ttjd|djtjfn||jkrx||_|jj d||jj nttj |dS(Ns'%s', choose from '%s's','R~( RtAUTOMATIC_HELPERS_VALUESRRRMRmRkRER RgRhRi(R8R((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytset_automatic_helperss  cCs|jS(N(R=(R8((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR.scCs|j|}||jkr|j}||_|jjd||jj|jj|||jj|}xYt|dj D],\}}|dr|jj d|qqWnt t j |dS(NRrRPRQRH(RR=R RgRhR3RRRR]Rltchange_zone_of_interfaceRRtZONE_ALREADY_SET(R8R3R0RZt_old_dz_settingsR\R]((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pytset_default_zones   # N(.t__name__t __module__R9RFR7RTR[RqRIRRRRVRRRRRRRRRRR R(R-RR4R5R6R@RDRHRIRORR^RWRcRdReRjRkRmR.Rq(((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyR;sT !    M       0  E c         >       (7t__all__tos.pathRfRYRRtfirewallRRt firewall.coreRRRRtfirewall.core.fw_icmptypeRtfirewall.core.fw_serviceRtfirewall.core.fw_zoneR tfirewall.core.fw_directR tfirewall.core.fw_configR tfirewall.core.fw_policiesR tfirewall.core.fw_ipsetR tfirewall.core.fw_transactionRRtfirewall.core.fw_helperRtfirewall.core.loggerRtfirewall.core.io.firewalld_confRtfirewall.core.io.directRtfirewall.core.io.serviceRtfirewall.core.io.icmptypeRtfirewall.core.io.zoneRRtfirewall.core.io.ipsetRtfirewall.core.io.helperRRtfirewall.errorsRtobjectR(((s4/usr/lib/python2.7/site-packages/firewall/core/fw.pyts: