ó }”ĶZc@sadddgZddljZddlZddlZddlZddlmZddlm Z m Z m Z m Z m Z mZmZmZmZddlmZmZddlmZmZmZmZmZmZmZdd lmZdd lm Z dd l!m"Z"dd l#m$Z$defd „ƒYZ%defd„ƒYZ&d„Z'e(d„Z)dS(tZonet zone_readert zone_writeri’’’’N(t ETC_FIREWALLD( tcheckIPt checkIPnMaskt checkIP6nMasktcheckInterfacetuniqifytmax_zone_name_lent u2b_if_py2t check_mactportStr(tDEFAULT_ZONE_TARGETt ZONE_TARGETS(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGeneratort check_portt check_tcpudptcheck_protocol(trich(tlog(terrors(t FirewallErrorcBsNeZdZdBdCdDdefdEddgfddFgfd dgfd efd dGgfd dgfd dgfddgfddgfddHgfdeffZdZdddgZidId6dId6dId6dgd6ddgd6dgd6dgd6ddgd6dgd6dId6dId 6d!gd"6d#gd6ddgd$6dId%6dId&6dId'6dId(6dId)6d*gd+6d#gd,6dId-6Zidd.ddgd6d/gd 6d0d1gd6d2gd6d!d3d4d2d5gd 6d4gd"6d6d7gd%6d8gd(6Z e d9„ƒZ d:„Z d;„Z d<„Zd=„Zd>„Zd?„Zd@„ZdA„ZRS(Js Zone class tversionttshortt descriptiontUNUSEDttargettservicestportst icmp_blockst masqueradet forward_portst interfacestsourcest rules_strt protocolst source_portsticmp_block_inversions&(sssbsasa(ss)asba(ssss)asasasasa(ss)b)t_t-t/tzonetnametservicetporttprotocols icmp-blocks icmp-types forward-portt interfacetruletsourcetaddresst destinationtvalues source-portRtaudittaccepttrejecttdroptsettmarktlimitsicmp-block-inversiont immutabletenabledsto-portsto-addrtfamilytmactinverttipsettprefixtlevelttypecCsLx3ttjƒD]"\}\}}||kr|SqWttjdƒ‚dS(Ns index_of()(t enumerateRtIMPORT_EXPORT_STRUCTURERRt UNKNOWN_ERROR(telementtiteltdummy((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytindex_ofbs" cCsĀtt|ƒjƒd|_d|_d|_t|_t|_ g|_ g|_ g|_ g|_ t|_g|_g|_g|_g|_d|_g|_t|_t|_t|_dS(NR(tsuperRt__init__RRRtFalseRR RR R!R(R"R#R$R)R%R&tNonet fw_configtrulesR*tcombinedtapplied(tself((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRRis(                  cCsd|_d|_d|_t|_t|_|j2|j2|j 2|j 2t|_ |j 2|j 2|j2|j2d|_|j2t|_t|_t|_dS(NR(RRRRSRR RR R!R(R"R#R$R)R%R&RTRURVR*RWRX(RY((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytcleanups&         c Csēt|jƒ|_t|jƒ|_t|jƒ|_t|jƒ|_g|jD]}t|ƒ^qR|_g|jD]$\}}t|ƒt|ƒf^qw|_g|jD]}t|ƒ^q®|_g|jD]}t|ƒ^qÓ|_g|j D]<\}}}}t|ƒt|ƒt|ƒt|ƒf^qų|_ g|j D]$\}}t|ƒt|ƒf^qG|_ g|j D]}t|ƒ^q~|_ g|j D]}t|ƒ^q£|_ g|j D]}t|ƒ^qČ|_ dS(s» HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. Get rid of it once we throw out python 2 support.N(R RRRRR R!R(R"R$R)R%R&RV( RYtstpotprRMtp1tp2tp3tp4((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytencode_strings”s%7%%O4%%cCsL|dkr2g|jD]}t|ƒ^q}|Stt|ƒj|ƒSdS(NR'(RVtstrRQRt __getattr__(RYR/R4R'((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRd§s "cCsT|dkr7g|D]}tjd|ƒ^q|_ntt|ƒj||ƒdS(NR'trule_str(Rt Rich_RuleRVRQRt __setattr__(RYR/R8R[((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRg®s +c Cs-|dkr]|jr]|jjƒ}x|D]+}||kr+ttjd|ƒ‚q+q+WnĢ|dkr™x½|D]"}t|dƒt|dƒqpWn|dkrĆx|D]}t|ƒq¬Wnf|dkr |jr |jjƒ}x?|D]+}||krīttj d|ƒ‚qīqīWn |d krąxś|D]¦} t| dƒt| dƒ| d  r„| d  r„ttj d | ƒ‚n| d rŸt| d ƒn| d r3t | d ƒsŁttj d | d ƒ‚qŁq3q3WnI|dkrx:|D]"}t|dƒt|dƒqóWn |dkrL|t kr)ttj|ƒ‚q)nŻ|dkrxĪ|D]'} t| ƒs_ttj| ƒ‚q_q_Wnœ|dkrłx|D]R} t| ƒ r t| ƒ r t| ƒ r | jdƒ r ttj | ƒ‚q q Wn0|dkr)x!|D]} tjd| ƒq WndS(NR s '%s' not among existing servicesR!iiR(R"s"'%s' not among existing icmp typesR$iis$'%s' is missing to-port AND to-addr s#to-addr '%s' is not a valid addressR)RR%R&sipset:R'Re(RUt get_servicesRRtINVALID_SERVICERRRt get_icmptypestINVALID_ICMPTYPEtINVALID_FORWARDRt INVALID_ADDRRtINVALID_TARGETRtINVALID_INTERFACERRR t startswithRRf( RYtconfigtitemtexisting_servicesR0R1tprototexisting_icmptypesticmptypetfwd_portR3R5R4((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyt _check_config“sn                         cCsŲtt|ƒj|ƒ|jdƒr>ttjd|ƒ‚n–|jdƒrfttjd|ƒ‚nn|jdƒdkr”ttjd|ƒ‚n@t |ƒt ƒkrŌttjd|t |ƒt ƒfƒ‚ndS(NR-s'%s' can't start with '/'s'%s' can't end with '/'ismore than one '/' in '%s's'%s' has %d chars, max is %d( RQRt check_nameRpRRt INVALID_NAMEtendswithtcounttlenR (RYR/((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRyķs   c Cs/t|_d|_d|_d|_d|_x3|jD](}||jkr7|jj|ƒq7q7Wx3|j D](}||j krm|j j|ƒqmqmWx3|j D](}||j kr£|j j|ƒq£q£Wx3|j D](}||j krŁ|j j|ƒqŁqŁWx3|j D](}||j kr|j j|ƒqqWx3|j D](}||j krE|j j|ƒqEqEW|jr†t|_nx3|jD](}||jkr|jj|ƒqqWx3|jD](}||jkrĘ|jj|ƒqĘqĘWx!|jD]} |jj| ƒqüW|jr+t|_ndS(NR(tTrueRWRTtfilenameRRRR%tappendR&R R!R(R"R#R$R)RVR*( RYR.R3R5R0R1RtticmptforwardR4((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytcombinežsF        (sversionR(sshortR(s descriptionR(stargetR(RR(RRRR(RRN(t__name__t __module__t__doc__RSRJtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARSRTtPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSt staticmethodRPRRRZRbRdRgRxRyRƒ(((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyR(sx                                   9 tzone_ContentHandlercBs#eZd„Zd„Zd„ZRS(cCs/tj||ƒd|_t|_d|_dS(N(RRRRTt_ruleRSt _rule_errort _limit_ok(RYRr((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRR's  c Csitj|||ƒ|jr dS|jj||ƒ|dkrd|krbtjd|dƒnd|kr|d|j_nd|kr¤tjd|dƒnd|kre|d}|tkrŪt t j |ƒ‚n|dkr|t kr||j_ qqen]|d krnN|d kr&n?|d krŃ|jrŠ|jjrmtjd t|jƒƒt|_dStj|dƒ|j_dS|d|jjkrŗ|jjj|dƒqetjd |dƒn” |dkr»|jr<|jjrtjd t|jƒƒt|_dStj|d|dƒ|j_dSt|dƒt|dƒt|ddƒ|df}||jjkr|jjj|ƒqetjd|d|dƒnŖ |dkrs|jr|jjrtjd t|jƒƒt|_dStj|dƒ|j_qet|dƒ|d|jjkr\|jjj|dƒqetjd|dƒnņ |dkr|jr×|jjrŗtjd t|jƒƒt|_dStj|dƒ|j_dS|d|jjkr|jjj|dƒqetjd|dƒnG |dkr™|jr‚|jjretjd t|jƒƒt|_dStj |dƒ|j_dStjd|dƒnĢ |dkrZd|krß|dj!ƒd`krßtjd|dƒdS|jr/|jjrtjd t|jƒƒt|_dStj"ƒ|j_qe|jj#rKtjdƒqet|j_#n |dkrd}d|kr…|d}nd}d |kr¤|d }n|jr |jjrßtjd t|jƒƒt|_dStj$|d|d||ƒ|j_dSt|dƒt|dƒ|r8t|ƒn|rft%|ƒsft t j&d!|ƒ‚qfnt|ddƒ|dt|dƒt|ƒf}||jj'krĄ|jj'j|ƒqetjd"|d|d|rēd#|nd|rśd$|ndƒna|d%krī|jro|jjrKtjd t|jƒƒt|_dStj(|d|dƒ|j_dSt|dƒt|dƒt|ddƒ|df}||jj)krŠ|jj)j|ƒqetjd&|d|dƒnw|d'krŠ|jrtjd(ƒt|_dSd|krCtjd)ƒt|_dS|d|jj*krs|jj*j|dƒqetjd*|dƒnŪ|d+kr |jr€ |jj+rŃtjd,t|jƒƒt|_dSt,}d-|kr |d-j!ƒdakr t}nd}} } d0|kr) |d0}nd1|krB |d1} nd2|kr[ |d2} ntj.|| | d-|ƒ|j_+dSd0|kr© d2|kr© tjd3ƒdSd0|krŅ d2|krŅ tjd4ƒdSd5|krõ tjd6|d5ƒnd-|kr tjd7ƒdSd0|krm t/|d0ƒ rm t0|d0ƒ rm t1|d0ƒ rm t t j&|d0ƒ‚qm nd2|krĘ d8|d2}||jj2krÆ |jj2j|ƒqĘ tjd9|d0ƒnd0|kre|d0}||jj2kr |jj2j|ƒq tjd9|d0ƒqenG|d:krĘ |jsM tjd;ƒt|_dS|jj3rv tjd<t|jƒƒdSt,}d-|kr§ |d-j!ƒdbkr§ t}ntj4|d0|ƒ|j_3nŸ|dckrą |jsõ tjdAƒt|_dS|jj5r tjdBƒt|_dS|d=kr< tj6ƒ|j_5n’|d>kr d} dC|krg |dC} ntj7| ƒ|j_5nO|d?kr  tj8ƒ|j_5n.|d@krĪ |dD} tj9| ƒ|j_5n|jj5|_:n…|dEkr® |js tjdFƒdS|jjr# tjdGƒdSd} dH|krh |dH} | ddkrh tjdQƒt|_dSndR|kr~ |dRnd}tj;|| ƒ|j_|jj|_:n·|dSkr*|jsŌ tjdTƒdS|jj<rtjdUt|jƒƒt|_dStj=ƒ|j_<|jj<|_:n;|dVkr—d}d5|kr‚|d5}|dekr‚tjdY|d5ƒt|_dSntj>|ƒ|_nĪ|dZkr|j:sĘtjd[ƒt|_dS|j:j?rųtjd\t|jƒƒt|_dS|d}tj@|ƒ|j:_?nK|d]krQ|jjArBtjd^ƒqet|j_Antjd_|ƒdSdS(fNR.R/s'Ignoring deprecated attribute name='%s'RR@s,Ignoring deprecated attribute immutable='%s'RRRRR0s;Invalid rule: More than one element in rule '%s', ignoring.s#Service '%s' already set, ignoring.R1R2R,s#Port '%s/%s' already set, ignoring.R8s$Protocol '%s' already set, ignoring.s icmp-blocks&icmp-block '%s' already set, ignoring.s icmp-types-Invalid rule: icmp-block '%s' outside of ruleR#RAtnotfalses*Ignoring deprecated attribute enabled='%s's!Masquerade already set, ignoring.s forward-portsto-portsto-addrs#to-addr '%s' is not a valid addresss-Forward port %s/%s%s%s already set, ignoring.s >%ss @%ss source-ports*Source port '%s/%s' already set, ignoring.R3s$Invalid rule: interface use in rule.s Invalid interface: Name missing.s%Interface '%s' already set, ignoring.R5s:Invalid rule: More than one source in rule '%s', ignoring.RDtyesttrueR6RCREs$Invalid source: No address no ipset.s"Invalid source: Address and ipset.RBs)Ignoring deprecated attribute family='%s's+Invalid source: Invertion not allowed here.sipset:%ss"Source '%s' already set, ignoring.R7s)Invalid rule: Destination outside of rules?Invalid rule: More than one destination in rule '%s', ignoring.R:R;R<R>s$Invalid rule: Action outside of rules"Invalid rule: More than one actionRHR=Rs!Invalid rule: Log outside of rulesInvalid rule: More than one logRGtemergtalerttcritterrortwarningtnoticetinfotdebugsInvalid rule: Invalid log levelRFR9s#Invalid rule: Audit outside of rules9Invalid rule: More than one audit in rule '%s', ignoring.R4tipv4tipv6s&Invalid rule: Rule family "%s" invalidR?s4Invalid rule: Limit outside of action, log and audits9Invalid rule: More than one limit in rule '%s', ignoring.sicmp-block-inversions+Icmp-Block-Inversion already set, ignoring.sUnknown XML element '%s'(RR‘(syesR“(syesR“(sacceptsrejectsdropsmark(R”R•R–serrorswarningR™sinfosdebug(RœR(BRt startElementRŽRrtparser_check_element_attrsRR˜RRRRRnR RRRLRcR~Rt Rich_ServiceR R€t Rich_PortRRR R!t Rich_ProtocolRR(tRich_IcmpBlockR"t Rich_IcmpTypetlowertRich_MasqueradeR#tRich_ForwardPortRRmR$tRich_SourcePortR)R%R5RSRTt Rich_SourceRRR R&R7tRich_Destinationtactiont Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_MarkRtRich_LogR9t Rich_AuditRfR?t Rich_LimitR*(RYR/tattrsRtentrytto_porttto_addrRDtaddrRCREt_typet_setRGRFRBR8((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRž-st                                                                                                                                                                  cCstj||ƒ|dkrę|jsŃy|jjƒWn/tk rg}tjd|t|jƒƒqŃXt|jƒg|j j D]}t|ƒ^qkrµ|j j j |jƒqŃtjdt|jƒƒnd|_t |_n|d kržd|_ndS( NR4s%s: %ss Rule '%s' already set, ignoring.R:R;R<R>RR9(sacceptsrejectsdropsmarkslogsaudit(Rt endElementRŽRtcheckt ExceptionRR˜RcRrRVR€RTRSR(RYR/tetx((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRŗs     (    (R„R…RRRžRŗ(((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRŒ&s  ’dc Cs:tƒ}|jdƒs1ttjd|ƒ‚n|d |_|j|jƒ||_||_|j t ƒrut nt |_ |j |_t|ƒ}tjƒ}|j|ƒd||f}t|dƒM}y|j|ƒWn2tjk r}ttjd|jƒƒ‚nXWdQX~~tr6|jƒn|S(Ns.xmls'%s' is missing .xml suffixiü’’’s%s/%strsnot a valid zone file: %s(RR{RRRzR/RyRtpathRpRRSR~tbuiltintdefaultRŒtsaxt make_parsertsetContentHandlertopentparsetSAXParseExceptiont INVALID_ZONEt getExceptionRRb(RRĄR.thandlertparserR/tftmsg((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyR„s4           c Cs |r |n|j}|jr4d||jf}nd||jf}tjj|ƒrytj|d|ƒWqtk r™}tj d||ƒqXntjj |ƒ}|j t ƒr tjj|ƒ r tjjt ƒsötj t dƒntj |dƒntj|dddd ƒ}t|ƒ}|jƒi}|jrh|jd krh|j|d krS d'}|j/j4|d<|j/j5|dt0|jFƒƒ|jFjDr |jd-ƒ|j||ƒ|jd4ƒ|jd5i|jFjDj7d6ƒ|jd6ƒ|j|ƒn|jd-ƒ|j||ƒ|jdƒn|jdƒ|jd)ƒ|jdƒqéW|jd ƒ|jdƒ|jMƒ|jNƒ~dS(?Ns%s/%ss %s/%s.xmls%s.oldsBackup of file '%s' failed: %sičtmodetwttencodingsUTF-8RRRR.s s RRR3R/sipset:R5iRER6R0R1iiR2R8sicmp-block-inversions icmp-blockR#isto-portisto-addrs forward-ports source-portRBR4RCR~RDs R7s icmp-types#Unknown element '%s' in zone_writerRFRGRs R?s R9R:R;RHR<R>R=sUnknown action '%s'(ORĄRR/tostexiststshutiltcopy2R¼RR—tdirnameRpRtmkdirtioRĘRt startDocumentRRR RžtignorableWhitespaceRt charactersRŗRRR%t simpleElementR&R R!R(R*R"R#R$R)RVRBR5R·RCRERDR7RLRHRR R”R1R2R¢R8R¦R£R¤R§Rµt to_addressRØRRtINVALID_OBJECTRFRGR?R9R«R¬R­R®RÆR=R˜t endDocumenttclose(R.RĄt_pathR/RĪtdirpathRĶRĖR³R3R5R0R1R2RR‚R4RLR«((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRĮs¬ "            &                                                         (*t__all__txml.saxRĆRŅRŲRŌtfirewall.configRtfirewall.functionsRRRRRR R R R tfirewall.core.baseR Rtfirewall.core.io.io_objectRRRRRRRt firewall.coreRtfirewall.core.loggerRtfirewallRtfirewall.errorsRRRŒRRTR(((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyts"   @4ž’€