}Zc@sDddlZddlmZmZmZddlmZddlmZm Z m Z m Z m Z m Z mZddlmZmZmZmZmZmZmZmZmZmZmZmZmZddlmZddlm Z m!Z!ddl"m#Z#dd l$m%Z%dd l&m'Z'dd l(m)Z)d e*fd YZ+dS(iN(t SHORTCUTStDEFAULT_ZONE_TARGETtZONE_SOURCE_IPSET_TYPES(tlog(tportStrt checkIPnMaskt checkIP6nMaskt checkProtocoltenable_ip_forwardingtcheck_single_addresst check_mac( t Rich_Rulet Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_Markt Rich_Servicet Rich_Portt Rich_ProtocoltRich_MasqueradetRich_ForwardPorttRich_SourcePorttRich_IcmpBlockt Rich_IcmpType(t OUR_CHAINS(tFirewallTransactiontFirewallZoneTransaction(tifcfg_set_zone_of_interface(terrors(t FirewallError(tLastUpdatedOrderedDictt FirewallZonecBseZdZdZdZdZdZdZdZdZ dZ d Z d Z d Z ed Zd ZdZedZdZdZedZdZdZedZedZedZdZdZdZdZdZe edZ!eedZ"dZ#ed Z$ed!Z%ed"Z&d#Z'd$Z(d%Z)d&Z*d'Z+d(Z,d)Z-d*Z.d+Z/d,Z0d-Z1ed.Z2eed/Z3d0Z4ed1Z5ed2Z6d3Z7d4Z8d5Z9d6Z:d7Z;d8Z<d9Z=d:Z>d;Z?d<Z@d=ZAd>ZBd?ZCed@ZDdAeedBZEdCZFedDZGdEZHdFZIdGZJdHZKdIZLedJZMdAeedKZNdLZOedMZPdNZQdOZRdPZSdQZTdRZUdSZVedTZWdAeedUZXdVZYedWZZdXZ[dYZ\dZZ]d[Z^d\Z_ed]Z`dAeed^Zad_Zbed`ZcdaZddbZedcZfddZgedeZhdAeedfZidgZjedhZkdiZldjZmdkZndlZoedmZpdAeednZqdoZredpZsdqZtdrZueedsZveedtZweeeeduZxeedAeedvZydwZzeeedxZ{dyZ|eedzZ}d{Z~d|Zd}Zed~ZdAeedZdZedZdZdZdZdZedZeedZdZdZedZdZdZRS(cs||_i|_i|_|jjd}|jjd}g}d|kra|jdnd|kr}|jdng}d|kr|jdnd|kr|jdng}d|kr|jdnd|kr|jdnd|kr|jdnd|kr1|jdniiddgd6ddgd6ddgd6d 6i|d 6|d 6d6i|d 6d6i|d 6d6|_id d 6d d 6d d6d d6d d6d d6|_idd 6dd 6fd|jjD|_ dS(Ntipv4tipv6tmangletrawtnattINPUTt FORWARD_INt FORWARD_OUTtfiltert PREROUTINGt POSTROUTINGs-is-otOUTPUTs-ss-dcs#i|]\}}||qS(((t.0tkeytval(ttbl(s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pys is ( t_fwt_chainst_zonestget_available_tablestappendtremovet zone_chainstinterface_zone_optstitemstsource_zone_opts(tselftfwtip4tables_tablestip6tables_tablesR"R#R$((R/s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__init__)s\                  cCsd|j|j|jfS(Ns %s(%r, %r)(t __class__R1R2(R:((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__repr__lscCs|jj|jjdS(N(R1tclearR2(R:((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytcleanupos cCs t|jS(N(RR0(R:((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytnew_transactionuscCst|j|S(N(RR0(R:tzone((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytnew_zone_transactionxscCst|jjS(N(tsortedR2tkeys(R:((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt get_zones}scCsE|j|}x/|jD]$}||j|jdkr|SqWdS(Nt interfaces(t_FirewallZone__interface_idR2tsettingstNone(R:t interfacet interface_idRD((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytget_zone_of_interfaces cCsE|j|}x/|jD]$}||j|jdkr|SqWdS(Ntsources(t_FirewallZone__source_idR2RKRL(R:tsourcet source_idRD((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytget_zone_of_sources cCs|jj|}|j|S(N(R0t check_zoneR2(R:RDtz((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytget_zonescOsQy||||Wn6tk rL}t|}tjd||fnXdS(Ns%s: %s(RtstrRtwarning(R:tftnametargstkwargsterrortmsg((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt_error2warnings  c CsHddddddddd d d d g D|_||j|js RIRPtservicestportst masqueradet forward_portst source_portst icmp_blockstrulest protocolsticmp_block_inversion(RKR2R[(R:tobj((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytadd_zonescCsA|j|}|jr&|j|n|jj|j|=dS(N(R2tappliedtunapply_zone_settingsRKRA(R:RDRk((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt remove_zones    c Cs|dkr|j}n|}x|jD]}|j|}|j|}|jrx|j|j|jd|nt |j dkst |j dkrt |_ ntjd|jx0|jD]%}|j|j|j|d|qWx0|jD]%}|j|j|jd||qWx0|jD]%}|j|j|j|d|q1Wx0|jD]%}|j|j|jd||qdWx0|jD]%}|j|j|j|d|qWx0|jD]%}|j|j|jd||qW|jr|j|j|jd|nx0|jD]%}|j|j|j|d|q%Wx0|j D]%}|j|j |j|d|qXWx0|j D]%}|j|j!|j|d|qW|j r.|j|j"t |jd|q.q.W|dkr|j#t ndS(Ntuse_zone_transactionisApplying zone '%s'($RLRCRHR2tzone_transactionRjR`tadd_icmp_block_inversionR[tlenRIRPtTrueRmRtdebug1Rgtadd_icmp_blockRetadd_forward_portRbt add_serviceRctadd_portRit add_protocolRftadd_source_portRdtadd_masqueradeRhtadd_rulet add_interfacet add_sourcet#_FirewallZone__icmp_block_inversiontexecute(R:tuse_transactiont transactionRDRkRqR\((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt apply_zoness`    *            cCs|j|}||_dS(N(R2Rm(R:RDRmRk((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytset_zone_applieds cCsd|krdS|jd}t|dkr5dSd}x+tD]#}|dt|krB|}qBqBW|dk r|d|jkrdSt|dkst|dkr|dd kr|d|fSndS( Nt_iiiiRtdenytallow(slogRR(RLtsplitRsRRH(R:tchaintsplitst_chainRa((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytzone_from_chains     "c Cs|dkr|j|}|dk r|\}}|dkrN|j}n|}|j|t||fg||dkr|jtqqndS(NR R!(sipv4sipv6(RRLRCtgen_chain_rulesRtR( R:tipvttableRRRat_zoneRR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytcreate_zone_base_by_chains     c Csx|D]y\}}|r[||jkr||j|kr||j||krqqn?||jks||j|ks||j||krqntjdt|d|}g}||jjdkr|jdn||jjdkr |jdnxE|D]=} t|jt |d|d|d|g|j | d|d |g|j | dd|d |g|j | dd|d |g|j | dd|d |g|j | d |d d |d d|g|j | d |d d |d d|g|j | d |dd |d d|g|j |j } |dkr| dkr|d kr|j | d |dd |d | gn|jj dkr|dkrP|d!krP| d"kr |j | d |dd |dd ddd|g n| dkrM|j | d |dd |dd ddd|g qMqPqqW|j||||j|j|||qWdS(#NRRDR R!s%s_logs%s_denys%s_allows-Ns-ts-It1s-jt2t3R(tACCEPTtREJECTs %%REJECT%%tDROPR%R&R'R+t4toffs %%LOGTYPE%%tLOGs --log-prefixs "%s_REJECT: "s "%s_DROP: "(RRs %%REJECT%%R(sINPUTs FORWARD_INs FORWARD_OUTsOUTPUT(sINPUTs FORWARD_INs FORWARD_OUTsOUTPUT(Rs %%REJECT%%(R1RtformatRR0R3R4RtupdatetsetR}R2ttargettget_log_deniedt_FirewallZone__register_chainstadd_fail( R:RDtcreatetchainsRRRRtipvsRR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRsn               cCsx|D]\}}|rD|jj|ij|gj|q|j||j|t|j||dkr|j||=nt|j|dkr|j|=qqWdS(Ni(R1t setdefaultR4R5Rs(R:RDRRRR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__register_chainsas+cCs8itjd6|d6|d6}|r4||d|dkro|j||d|| ntjd||| Wqtk r} tjt| qXqWqW|r|jt|jd|n|dkr|j|ndS(NRgRpRjReRtmark_idRbRcRiRfRdRhRRIRPs3Zone '%s': Unknown setting '%s:%s', unable to apply(R0RUR2RmRtRLRERt_FirewallZone__icmp_blockRKt_FirewallZone__forward_portt_FirewallZone__servicet_FirewallZone__portt_FirewallZone__protocolt_FirewallZone__source_portt_FirewallZone__masqueradet_FirewallZone__ruleR t_FirewallZone__interfacet_FirewallZone__sourceRRYRRXRR[R( R:tenableRDRpRRkRqRKR-R\RR_((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__zone_settingssp                              cCs|jt||dS(N(t_FirewallZone__zone_settingsRt(R:RDRp((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytapply_zone_settingsscCs|jt||dS(N(RtFalse(R:RDRp((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRnscCsK|j|}t|jdkrGt|jdkrG|j|ndS(Ni(R2RsRIRPRn(R:RDRk((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytunapply_zone_settings_if_unuseds *cCst|j|j}|dtkr8d|ds:          cCsC|jd||jd|<| p-|dk|jd|d|S|dk r]|j||n|j|||}|S(N(R0RRORURLtremove_interfaceR~(R:RDRMRt _old_zonet _new_zoneR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRps   c Cs|jj|dkr(|j}n|}|j|}|j|||jt|ddtd||dk r|dkr|j|}|jt|ddtd|n|dkr|j tndS(Nt+R4RpR( R0RRLRCRqRRRtRR(R:told_zonetnew_zoneRRRq((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytchange_default_zones    c Cs"|jj|j|}|dkrAttjd|n|dkrS|n|jj|}||krttjd|||fn|dkr|j |}n|}|j |}|j |}|j t ||d||j|j|||dkr|jtn|S(Ns'%s' is not in any zoneRs"remove_interface(%s, %s): zoi='%s'Rp(R0RRORLRRtUNKNOWN_INTERFACERURRER2RJRRRRRRt( R:RDRMRptzoiRRqRRN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRs,   $     cCs(||jdkr$|jd|=ndS(NRI(RK(R:RRN((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__unregister_interfacescCs |j||j|dkS(NRI(RJR(R:RDRM((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytquery_interfacescCs|j|djS(NRI(RRG(R:RD((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRscCs2|jjj|dkrdS|jjj|S(Nshash:mac(R0tipsettget_typeRLt get_family(R:R[((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt ipset_familyscCs|jjj|S(N(R0RR(R:R[((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt ipset_typescCs|jjj|S(N(R0Rt get_dimension(R:R[((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytipset_dimensionscCs#dj|g|jjj|S(Nt,(tjoinR0RR(R:R[tflag((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytipset_match_flagsscCs|jjj|S(N(R0Rt check_applied(R:R[((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytcheck_ipset_appliedscCs>|j|}|tkr:ttjd||fndS(Ns.ipset '%s' with type '%s' not usable as source(RRRRt INVALID_IPSET(R:R[t_type((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pytcheck_ipset_type_for_sources  cCst|rdSt|r dSt|r0dS|jdrr|j|d|j|d|j|dSttj |dS(NR R!Rsipset:i( RRR t startswithRRRRRt INVALID_ADDR(R:RR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt check_sources   cCs|j|}||fS(N(R(R:RRR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __source_idscCsI|dkr|j|}n|}t|r?|j}nidt6dt6|}|dkso|dkrxddgD]W}xN|jD]C}x:|j|D]+} |r|j|| n|j|j t krd} nd} t j dt | d |} |j | } |jd r|d } | d kr;d } nd} |j| | }|d| d|ddd| || | g }n:| d krqn|d| d|ddd|| | g }|j||qWqWq|WnOxL|jD]A}x8|j|D])} |r|j|| n|j|j t kr6d} nd} t j dt | d |} |j | } |d| d|g}|jd r|d } | d krd } nd} |j| | }|d| d|ddd| || | g }n"|d| d|| || | g}|j||qWqW|dkrE|j|ndS(Ns-As-DRR R!s-gs-jRRDsipset:is-dtdsttsrcs%s_ZONES_SOURCEs-ts-mRs --match-settmacs --mac-source(RLRER tupperRtRR6RR2RRRRR9RRR}R(R:RRDRRRRpRqtadd_delRRRRRt_nametflagsR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__sources|                       c Cs|jj|jj|}|j|}t|rG|j}n|j|}||jdkrtt j d||fn|j |dk rtt j d|n|dkr|j|}n|}|js|j|d||j|j|tn|jt||d|dd||j|||||j|j|||dkr{|jtn|S(NRPs'%s' already bound to '%s's'%s' already bound to a zoneRpii(R0RRUR2R R RQRKRRRRTRLRRERmRRRRRRtt_FirewallZone__register_sourcet _FirewallZone__unregister_sourceR( R:RDRRRRpRRRSRq((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyROs6         cCsC|jd||jd|<| p-|dk|jd|d|St|rY|j}n|dk rx|j||n|j|||}|S(N( R0RRTRUR R RLt remove_sourceR(R:RDRRRRRR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR|s    c CsH|jjt|r(|j}n|j|}|dkr\ttjd|n|dkrn|n|jj |}||krttj d|||fn|dkr|j |}n|}|j |}|j |}|jt||d|dd||j|j|||dkrD|jtn|S(Ns'%s' is not in any zoneRsremove_source(%s, %s): zos='%s'iiRp(R0RR R RTRLRRtUNKNOWN_SOURCERURRER2RQRRRRRRt( R:RDRRRptzosRRqRRS((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRs0    $     cCs(||jdkr$|jd|=ndS(NRP(RK(R:RRS((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__unregister_sourcescCs;t|r|j}n|j||j|dkS(NRP(R R RQR(R:RDRR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt query_sources cCs.g|j|djD]}|d^qS(NRPi(RRG(R:RDtk((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRscCs|jdS(N(tcheck(R:R((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt check_rulescCs|j|t|S(N(RRX(R:R((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __rule_ids cCs|s dS|jr<t|jr&dSt|jrdSndt|drX|jrXdSt|dr|jr|j|j|j|j|j |jSdS(NR R!R RR( RLtaddrRRthasattrR RRRR(R:RR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__rule_source_ipvs cCs |r|jr>|jr(|jdn|d|jg7}qt|dr|jr|ddg7}|jr|jdn|d|jg7}qt|dr|jr|ddg7}|jr|jdn|j|jd}|d |j|g7}qndS( Nt!s-sR s-ms --mac-sourceRRR s --match-set(RtinvertR4RR RR(R:RRtcommandR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __rule_sources     cCs9|r5|jr|jdn|d|jg7}ndS(NRs-d(R R4R(R:t destinationR!((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__rule_destinations cCs|rddd|jgSgS(Ns-mtlimits--limit(tvalue(R:R%((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __rule_limitsc Cs|js dSd|}|} | ddg7} |jjrW| dd|jjg7} n|jjr| dd|jjg7} n| |j|jj7} idt6dt6|} | |d |g} | | 7} |j|| dS( Ns%s_logs-jRs --log-prefixs"%s"s --log-levels-As-Ds-t(Rtprefixtlevelt_FirewallZone__rule_limitR%RtRR}( R:RRRRRR!RqRt_commandR t_rule((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __rule_logs     c Cs|js dSd|}|} t|jtkr<d} nBt|jtkrZd} n$t|jtkrxd} nd} | ddd| g7} | |j|jj7} id t6d t 6|} | |d |g} | | 7} |j || dS( Ns%s_logtaccepttrejecttdroptunknowns-jtAUDITs--types-As-Ds-t( tauditttypeRR R RR*R%RtRR}( R:RRRRRR!RqRR+RR R,((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __rule_audits"      c Cs|js dS|} t|jtkrFd|} | ddg7} n!t|jtkrd|} | ddg7} |jjrg| d|jjg7} qgnt|jtkrd|} | ddg7} nt|jtkrH|r|jdd nd}tjd t d d |}d|} | dd d |jj g7} nt t j dt|j| |j|jj7} idt6dt6|} | | d|g} | | 7} |j|| dS(Ns%s_allows-jRs%s_denyRs --reject-withRR"R)RRDtMARKs --set-xmarksUnknown action %ss-As-Ds-t(RR4R R RRRRRRRRRt INVALID_RULER*R%RtRR}( R:RRDRRRRR!RqR+RR R,((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __rule_actions:         c Cs}|jdk r|jg}n ddg}idt6dt6|}|j|j}|dk r|dkr|jdk r|j|krttjd||jfqq|g}nx|D]} t |j t kr|j j j|j j} t| jdkru| | jkrAttjd|j j| fn| j| dkru|jruttjd qund } |r|j| d |j jdkr|jd d qnt |jtkr|j| j|} g} x| D]}|j}|j jdkr|j|j j|krCttjd|n|jdkrg|j| krgqnxz|jD]\}}tjdtd d|}|d|dd d|g}|r|ddt|g7}n| | jkr| j| dkr|d| j| g7}n|ddd|jg7}|j |j||j!| ||j"dd}||j j#krq| j$|qqqqWq|j| kr| j$|j|jj"dd}||j j#kr| j$|qqqW|j%| ntjdtd d|}x@| jD]5\}}g}|j |j||j&|j||d|g7}|r|ddt|g7}n| | jkr| j| dkr|d| j| g7}nt |jt'kr|ddddg7}n|j(|| | |||||j)|| | |||||j*||| | ||||qWx| j+D] }g}|j |j||j&|j||d|g7}| | jkr| j| dkr|d| j| g7}nt |jt'kr |ddddg7}n|j(|| | |||||j)|| | |||||j*||| | ||||qaWx| j,D]5\}}g}|j |j||j&|j||d|g7}|r|ddt|g7}n| | jkr"| j| dkr"|d| j| g7}nt |jt'krP|ddddg7}n|j(|| | |||||j)|| | |||||j*||| | ||||q{Wqt |j t-kr |j j.}|j j/}|j0||d } |r|j| d ntjdtd d|}g}|j |j||j&|j||d|d|dt|g7}t |jt'kr|ddddg7}n|j(|| | |||||j)|| | |||||j*||| | ||||qt |j t1krD |j j2}|j3|d } |r[ |j| d ntjdtd d|}g}|j |j||j&|j||d|g7}t |jt'kr |ddddg7}n|j(|| | |||||j)|| | |||||j*||| | ||||qt |j t4kr |rl t5| n|r |jdd |jd d!ntjdtd d|}g}|j |j||j&|j||d"d#d$dd%g7}|d|ddg}||7}|j!| |tjdtd!d|}g}|j |j||j&|j||dddddd&g7}|d|dd g}||7}|j!| |qt |j t6kr|j j.}|j j/}|j j7}|j j8}|j9| |||||r= t5| |j j:}n|sI d nd'}|r |jd(d |jdd |jd |nd)|}t|}d}|r ||7}n|r |dkr |d*t|d+7}ndd,d-|g}tjdtd d|}g}|j |j||j&|j||d|d|g7}|j(|| d(|||||dd.d/|g7}|d|dd(g}||7}|j!| |d|g|dd0d1|g}|d|ddg}||7}|j!| |tjdt|d|}ddddg|dd&g}|d|dd g}||7}|j!| ||su|j;|j j<|d}quqt |j t=kr|j j.}|j j/}|j0||d } |r|j| d ntjdtd d|}g}|j |j||j&|j||d|d|dt|g7}t |jt'kr|ddddg7}n|j(|| | |||||j)|| | |||||j*||| | ||||qt |j t>kst |j t?kr}|j j@jA|j j}t |j t>kr|jrt |jtkrttjd2n|jr| |jkr|jdkrqnttjd3t |j t>krd4nd5|j j| fnd } |r|j| d |j| d'n| dkrRdd6g}dd6d7|j jg}n$dd8g}dd9d:|j jg}tjdtd d|}g}|j |j||j&|j||||7}|j(|| | |||||j)|| | |||||jr8|j*||| | ||||n@|dd;g7}|d<|d| g}||7}|j!| |tjdtd'd|}g}|j |j||j&|j||||7}|j(|| | |||||j)|| | |||||jr:|j*||| | ||||qu|dd;g7}|d<|d| g}||7}|j!| |q|j dkrVd } |r|j| d ntjdtd d|}g}|j |j||j&|j||j(|| | |||||j)|| | |||||j*||| | ||||qttjd=t |j qW|S(>NR R!s-As-DRs;Source address family '%s' conflicts with rule family '%s'.is Service %s is not usable with %ss"Destination conflict with service.R(R%R#R)s'%s' not available in kernelRRDs%s_allows-ts-ps--dports%ss-ds-jtCTs--helpert conntrackR$s-ms --ctstatetNEWs--sportR*R'Rs-otlot MASQUERADERR&R"s0x%xs:%st-Rs--markR6s --set-marktDNATs--to-destinations'IcmpBlock not usable with accept actionsIcmp%s %s not usable with %stBlocktTypeticmps --icmp-types ipv6-icmpticmp6s --icmpv6-types %%REJECT%%s%s_denysUnknown element %s(BtfamilyRLRtRt_FirewallZone__rule_source_ipvRRRRR7R4telementRR0tservicet get_serviceR[RsR#Rtnf_conntrack_helper_settingRR tget_helpers_for_service_modulestmodulestmoduletnf_conntrack_helperstINVALID_HELPERRcRRRRt_FirewallZone__rule_sourceR}treplacetnf_nat_helpersR4t add_modulest_FirewallZone__rule_destinationRt_FirewallZone__rule_logt_FirewallZone__rule_auditt_FirewallZone__rule_actionRiRfRtporttprotocolt check_portRR&tcheck_protocolRRRtto_portt to_addresstcheck_forward_porttnew_markRtdel_markRRRticmptypet get_icmptype( R:RRDRRRqRR t source_ipvRtsvcRthelpersRKthelperRLRWtprotoRR,t nat_moduleR!RXttoportttoaddrt filter_chaintmark_strtport_strttoRticttmatch((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__rule_prepare@s             """                                                   c Cs|dkr|j|}n|}y|j|||||}Wn,tk rq}tjt|d}nX|dkr|j|n|S(N(RLREt_FirewallZone__rule_prepareRRRYRXR( R:RRDRRRpRqRR_((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__rules    ic Cs |jj|}|jj||jj|j|}|j|}||jdkr}ttj d||fn|dkr|j |} n|} |j r|j t||dd| } nd} |j||| ||| j|j|||dkr| jtn|S(NRhs'%s' already in '%s'Rp(R0RUt check_timeoutRR2t_FirewallZone__rule_idRKRRtALREADY_ENABLEDRLRERmRRtt_FirewallZone__register_ruleRt_FirewallZone__unregister_ruleR( R:RDRRRRpRRtrule_idRqR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR}s(       cCs'|j||d||jd|scCs |j||j|dkS(NRh(RtR(R:RDR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt query_ruleBscCst|j|djS(NRh(RRRG(R:RD((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyREscCs|jj|dS(N(R0t check_service(R:RG((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR~JscCs|j||S(N(R~(R:RG((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __service_idMs cCsB|dkr|j|}n|}|jjj|}|j|j|}|r|jjdkry|jddnkg}xU|D]M} |j | j | j j dd} | |jj kr|j | qqW|j ||jddnidt6d t6|} xd d gD]} t|jdkrL| |jkrLqn|jjdkrx|D]v} | j } | j|jj| krttjd | n| j j dd} | |jj kr|j| n| jd kr| j| krqenx| jD]\}}tjdtdd|}| d|ddd|g}|rr|ddt|g7}n| |jkr|j| d kr|d|j| g7}n|ddd| jg7}|j| |q WqeWnx|jD]\}}tjdtdd|}| d|ddd|g}|rS|ddt|g7}n| |jkr|j| d kr|d|j| g7}n|ddddg7}|ddg7}|j| |qWxk|jD]`}tjdtdd|}| d|ddd|ddddddg }|j| |qWx|j D]\}}tjdtdd|}| d|ddd|g}|r|ddt|g7}n| |jkr|j| d kr|d|j| g7}n|ddddg7}|ddg7}|j| |qAWqW|dkr>|j!|ndS(NiR#R)R:R$R(R%s-As-DR R!s'%s' is not available in kernelRRRDs%s_allows-ts-ps--dports%ss-ds-jR9s--helpers-ms --ctstateR;Rs--sport("RLRER0RGRHRJRKRIRR4RLRPRQRRRtRRsR#R[RMRRRNt add_moduleRDRcRRRRR}RiRfR(R:RRDRGRpRqRcRdRKReRgR RRLRWRfRRRX((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __serviceQs   $      "       " c Cs|jj|}|jj||jj|j|}|j|}||jdkr}ttj d||fn|dkr|j |} n|} |j r|j t||d| n|j||||| j|j|||dkr| jtn|S(NRbs'%s' already in '%s'Rp(R0RURsRR2t_FirewallZone__service_idRKRRRuRLRERmRRtt_FirewallZone__register_serviceRt!_FirewallZone__unregister_serviceR( R:RDRGRRRpRRt service_idRq((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRxs&       cCs!|j|||jd|(RYR(R:RWRX((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __port_idsc Cs|dkr|j|}n|}|r=|jddnidt6dt6|}xzddgD]l}tjdtdd|} |j||d | d dd |d |d t |d dddddgqbW|dkr|j |ndS(NR(R%s-As-DR R!RRDs%s_allows-ts-ms-ps--dportR:s --ctstateR;s-jR( RLRERRtRRRRR}RR( R:RRDRWRXRpRqR RR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__ports$        c Cs|jj|}|jj||jj|j|}|j||} | |jdkrttj d|||fn|dkr|j |} n|} |j r|j t|||d| n|j|| ||| j|j|| |dkr| jtn|S(NRcs'%s:%s' already in '%s'Rp(R0RURsRR2t_FirewallZone__port_idRKRRRuRLRERmRRtt_FirewallZone__register_portRt_FirewallZone__unregister_portR( R:RDRWRXRRRpRRtport_idRq((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRy4s(        cCs!|j|||jd|(RYR(R:RWRX((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__source_port_idsc Cs|dkr|j|}n|}|r=|jddnidt6dt6|}xzddgD]l}tjdtdd|} |j||d | d dd |d |d t |d dddddgqbW|dkr|j |ndS(NR(R%s-As-DR R!RRDs%s_allows-ts-ms-ps--sportR:s --ctstateR;s-jR( RLRERRtRRRRR}RR( R:RRDRWRXRpRqR RR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __source_ports$        c Cs|jj|}|jj||jj|j|}|j||} | |jdkrttj d|||fn|dkr|j |} n|} |j r|j t|||d| n|j|| ||| j|j|| |dkr| jtn|S(NRfs'%s:%s' already in '%s'Rp(R0RURsRR2t_FirewallZone__source_port_idRKRRRuRLRERmRRtt#_FirewallZone__register_source_portRt%_FirewallZone__unregister_source_portR( R:RDRWRXRRRpRRRRq((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR{s(        cCs!|j|||jd||j |ndS(NR$R*R(R'R s-As-DRRDs%s_allowRs-oR<s-ts-jR=s-mR:s --ctstateR;R( RLRERRRRtRRRRR}R(R:RRDRpRqR RR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt __masqueradePs.     c Cs|jj|}|jj||jj|j|}|j}||jdkrtttj d|n|dkr|j |}n|}|j r|j t|d|n|j|||||j|j|||dkr|jtn|S(NRds"masquerade already enabled in '%s'Rp(R0RURsRR2t_FirewallZone__masquerade_idRKRRRuRLRERmRRtt"_FirewallZone__register_masqueradeRt$_FirewallZone__unregister_masqueradeR( R:RDRRRpRRt masquerade_idRq((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR|ns(        cCs!|j|||jd|(R]RRX(R:RWRXRhRi((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__forward_port_idsc Cs2|dkr|j|} n|} d|} t|} d} |rS| |7} n|s_dnd} |r|dkr| dt|d7} nddd | g}|r| jd d | jd d | jd | | jtdnidt6dt6|}xdgD]}tj dt d d|}| j ||d|dd d|d| ddd| g | j ||d|dd d|g|ddd| gtj dt | d|}| j ||d|dd ddddg|ddgqW| j |j j||dkr.| j|ndS( Ns0x%xRR%R&s:%sR>s-mRs--markR"R)R$R(R s-As-DRRDs%s_allows-ts-ps--dports-jR6s --set-markR?s--to-destinationR:s --ctstateR;R(RLRERRRRRtRRRRR}RR0R_R(R:RRDRWRXRhRiRRpRqRkRlRmRjRR RR((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyt__forward_portsH           5 c  CsH|jj|} |jj||jj|j| } |j||||} | | jdkrttj d||||| fn|jj } |dkr|j | } n|} | j r|jt| ||||d| d| n|j| | ||| | j|j| | | |dkrD| jtn| S(NRes'%s:%s:%s:%s' already in '%s'RRp(R0RURsRR2t_FirewallZone__forward_port_idRKRRRuR^RLRERmRRtt$_FirewallZone__register_forward_portRt&_FirewallZone__unregister_forward_portR(R:RDRWRXRhRiRRRpRRt forward_idRRq((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyRws.        cCs'|j||d||jd|R@RBRCRERHRORTRWR`RlRoRLRRRRRRRRRRRRnRRRRRJRRR~RRRRRRRRRRRRRRRQRRRRRRRRRRtRERORSR*RTRURVRqRR}RvR{RwR}RR~RRRxRRRRRRJRYRRRyRRRRRRZRRRzRRRRRRRR{RRRRRRRR|RRRRR]RRRwRRRRRRRRRvRRRRRRRRrRRRRR(((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyR(s8 C           =    F   ) A       " *    %           ]'   !            "          ^                                         7  !       8        : ,   , (,Rtfirewall.core.baseRRRtfirewall.core.loggerRtfirewall.functionsRRRRRR R tfirewall.core.richR R R RRRRRRRRRRtfirewall.core.ipXtablesRtfirewall.core.fw_transactionRRtfirewall.core.fw_ifcfgRtfirewallRtfirewall.errorsRtfirewall.fw_typesRtobjectR(((s9/usr/lib/python2.7/site-packages/firewall/core/fw_zone.pyts 4X