ó }”ÍZc@sdddddddddd d d d d ddddgZddlmZddlmZddlmZddlmZddlm Z de fd„ƒYZ de fd„ƒYZ de fd„ƒYZ de fd„ƒYZdefd„ƒYZde fd„ƒYZde fd„ƒYZde fd„ƒYZde fd „ƒYZd e fd!„ƒYZd e fd"„ƒYZd e fd#„ƒYZd e fd$„ƒYZd e fd%„ƒYZdefd&„ƒYZde fd'„ƒYZde fd(„ƒYZde fd)„ƒYZd*S(+t Rich_SourcetRich_Destinationt Rich_Servicet Rich_Portt Rich_ProtocoltRich_MasqueradetRich_IcmpBlockt Rich_IcmpTypetRich_SourcePorttRich_ForwardPorttRich_Logt Rich_Auditt Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_Markt Rich_Limitt Rich_Ruleiÿÿÿÿ(t functions(tcheck_ipset_name(t REJECT_TYPES(terrors(t FirewallErrorcBseZed„Zd„ZRS(cCs¬||_|jdkr$d|_n||_|jdksK|jdkrWd|_n$|jdk r{|jjƒ|_n||_|jdkrŸd|_n||_dS(Nt(taddrtNonetmactuppertipsettinvert(tselfRRRR((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyt__init__$s      cCsh|jrd|j}n2|jr2d|j}n|jrKd|j}nd|jr]dnd|fS(Ns address="%s"s mac="%s"s ipset="%s"s source%s%ss NOTR(RRRR(Rtx((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyt__str__2s   (t__name__t __module__tFalseRR!(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR#s cBseZed„Zd„ZRS(cCs||_||_dS(N(RR(RRR((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR<s cCs d|jrdnd|jfS(Nsdestination %saddress="%s"snot R(RR(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!@s(R"R#R$RR!(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR;s cBseZd„Zd„ZRS(cCs ||_dS(N(tname(RR%((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyREscCs d|jS(Nsservice name="%s"(R%(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!Hs(R"R#RR!(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRDs cBseZd„Zd„ZRS(cCs||_||_dS(N(tporttprotocol(RR&R'((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRLs cCsd|j|jfS(Nsport port="%s" protocol="%s"(R&R'(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!Ps(R"R#RR!(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRKs cBseZd„ZRS(cCsd|j|jfS(Ns#source-port port="%s" protocol="%s"(R&R'(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!Ts (R"R#R!(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRSscBseZd„Zd„ZRS(cCs ||_dS(N(tvalue(RR(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRYscCs d|jS(Nsprotocol value="%s"(R((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!\s(R"R#RR!(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRXs cBseZd„Zd„ZRS(cCsdS(N((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR`scCsdS(Nt masquerade((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!cs(R"R#RR!(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR_s cBseZd„Zd„ZRS(cCs ||_dS(N(R%(RR%((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRgscCs d|jS(Nsicmp-block name="%s"(R%(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!js(R"R#RR!(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRfs cBseZd„Zd„ZRS(cCs ||_dS(N(R%(RR%((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRnscCs d|jS(Nsicmp-type name="%s"(R%(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!qs(R"R#RR!(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRms cBseZd„Zd„ZRS(cCs^||_||_||_||_|jdkr?d|_n|jdkrZd|_ndS(NR(R&R'tto_portt to_addressR(RR&R'R*R+((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRus     cCsRd|j|j|jdkr+d|jnd|jdkrJd|jndfS(Ns(forward-port port="%s" protocol="%s"%s%sRs to-port="%s"s to-addr="%s"(R&R'R*R+(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!€s (R"R#RR!(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR ts cBs#eZdddd„Zd„ZRS(cCs||_||_||_dS(N(tprefixtleveltlimit(RR,R-R.((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR‡s  cCsSd|jrd|jnd|jr2d|jnd|jrKd|jndfS(Ns log%s%s%ss prefix="%s"Rs level="%s"s %s(R,R-R.(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!sN(R"R#RRR!(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR †scBseZdd„Zd„ZRS(cCs ||_dS(N(R.(RR.((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR”scCsd|jrd|jndS(Nsaudit%ss %sR(R.(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!˜sN(R"R#RRR!(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR “s cBseZdd„Zd„ZRS(cCs ||_dS(N(R.(RR.((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRœscCsd|jrd|jndS(Nsaccept%ss %sR(R.(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!ŸsN(R"R#RRR!(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR ›s cBs)eZddd„Zd„Zd„ZRS(cCs||_||_dS(N(ttypeR.(Rt_typeR.((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR£s cCs:d|jrd|jnd|jr2d|jndfS(Ns reject%s%ss type="%s"Rs %s(R/R.(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!§scCs|jr{|s$ttjdƒ‚n|dkr{|jt|kr{djt|ƒ}ttjd|j|fƒ‚q{ndS(Ns9When using reject type you must specify also rule family.tipv4tipv6s, s%Wrong reject type %s. Use one of: %s.(R1R2(R/RRt INVALID_RULERtjoin(Rtfamilyt valid_types((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pytcheck«s  N(R"R#RRR!R7(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR ¢s cBseZd„ZRS(cCsd|jrd|jndS(Nsdrop%ss %sR(R.(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!µs(R"R#R!(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR´scBs&eZdd„Zd„Zd„ZRS(cCs||_||_dS(N(tsetR.(Rt_setR.((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRºs cCs'd|j|jrd|jndfS(Ns mark set=%s%ss %sR(R8R.(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!¾s cCs×|jdk r|j}nttjdƒ‚d|kr¯|jdƒ}t|ƒdkrottj|ƒ‚ntj|dƒ s—tj|dƒ rÓttj|ƒ‚qÓn$tj|ƒsÓttj|ƒ‚ndS(Ns no value sett/iii( R8RRRt INVALID_MARKtsplittlenRt checkUINT32(RR tsplits((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR7Âs  N(R"R#RRR!R7(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR¹s  cBs,eZd„Zd„Zd„Zd„ZRS(cCsu||_d|jkrq|jjdƒ}t|ƒdkrq|dd krqd|d |dd f|_qqndS( NR:iitsecondtminutethourtdays%s/%si(R@RARBRC(R(R<R=(RR(R?((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRÖs  cCsˆd}d|jkr*|jjdƒ}n| sCt|ƒdkr[ttj|jƒ‚n|\}}yt|ƒ}Wnttj|jƒ‚nX|dks®|dkrÆttj|jƒ‚nd}|dkrád}n?|dkröd}n*|dkr d}n|dkr d}nd ||d krPttjd |jƒ‚n|dkr„|dkr„ttjd |jƒ‚ndS(NR:iitstmthtdi<ii'is %s too fasts %s too slow(RDRERFRGii i€Q(RR(R<R=RRt INVALID_LIMITtint(RR?tratetdurationtmult((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR7Þs6           cCs d|jS(Nslimit value="%s"(R((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!scCsdS(NR((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pytcommands(R"R#RR7R!RM(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRÕs  " cBs;eZddd„Zd„Zd„Zd„Zd„ZRS(cCsw|dk rt|ƒ|_n d|_d|_d|_d|_d|_d|_d|_|rs|j |ƒndS(N( RtstrR5tsourcet destinationtelementtlogtaudittactiont_import_from_string(RR5trule_str((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRs        cCsÎg}x­tj|ƒD]œ}d|krž|jdƒ}t|ƒdks_|d s_|d rxttjd|ƒ‚n|ji|dd6|dd6ƒq|ji|d6ƒqW|jid d6ƒ|S( s Lexical analysis t=iiisinternal error in _lexer(): %st attr_namet attr_valueRQtEOL(Rt splitArgsR<R=RRR3tappend(RRVttokenstrtattr((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyt_lexers ( &c CsÍ |sttjdƒ‚nd|_d|_d|_d|_d|_d|_ d|_ |j |ƒ}|r|dj dƒdkrttjdƒ‚ni}g}d}x ||j dƒdko×|dgks¾ ||j dƒ}||j dƒ}||j dƒ}|rA|d?kr|ttjd|ƒ‚q|n;|d@krf|dkrw|jrwttjd)ƒ‚q||dkr¡|jr¡ttjd*ƒ‚q||dAkrØ|jrØttjd+||jfƒ‚q||d kr|jrttjd,ƒ‚q||d!kr,|j r,ttjd-ƒ‚q||dBkr||j r|ttjd.||j fƒ‚q|nttjd/|ƒ‚t |ƒdkr¢|t |ƒd0nd1} | d1kr<| r|r|dkrâttjd2ƒ‚q9ttjd3||fƒ‚q± d|kr,ttjd4||fƒ‚q± |jdƒnu| dkrÕ|dkr…|dCkryttjd7|ƒ‚n||_q± |rÅ|dkr d8} nd9||f} ttj| ƒ‚q± |j|ƒnÜ| dkrp|dDkrú|||ƒ‚n|d0}q²W|j#ƒdS(LNs empty ruleiRQRZtruleRXRYR5taddressRRRR(R&R'sto-portsto-addrR%R,R-R/R8sbad attribute '%s'RORPtservices icmp-blocks icmp-typeR)s forward-ports source-portRRRStaccepttdroptrejecttmarkR.tnottNOTsmore than one 'source' elements#more than one 'destination' elementsFmore than one element. There cannot be both '%s' and '%s' in one rule.smore than one 'log' elementsmore than one 'audit' elementsOmore than one 'action' element. There cannot be both '%s' and '%s' in one rule.sunknown element %siRs0'family' outside of rule. Use 'rule family=...'.s:'%s' outside of any element. Use 'rule %s= ...'.s,'%s' outside of rule. Use 'rule ... %s ...'.R1R2sH'family' attribute cannot have '%s' value. Use 'ipv4' or 'ipv6' instead.sdwrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'.sDattribute '%s' outside of any element. Use 'rule %s= ...'.sinvalid 'protocol' elementsinvalid 'service' elementsinvalid 'icmp-block' elementsinvalid 'icmp-type' elementsinvalid 'limit' element(sfamilyRbsmacsipsetsinvertsvaluesportsprotocolsto-portsto-addrsnamesprefixslevelstypesset(Rassources destinationsprotocolRcsports icmp-blocks icmp-types masquerades forward-ports source-portslogsauditRdReRfsmarkslimitRhRisEOL(sprotocolRcsports icmp-blocks icmp-types masquerades forward-ports source-port(RdReRfsmark(sipv4sipv6(Rbsmacsipsetsinvert(RhRi(Rbsinvert(RhRi(sportsprotocol(sportsprotocolsto-portsto-addr(sportsprotocol(sprefixslevel($RRR3RR5RORPRQRRRSRTR`tgetR=R\tTrueRtpoptclearRRRRRRRR RR R R RR RRR7( RRVR]tattrst in_elementstindexRQRXRYt in_elementterr_msg((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRU(st       +  "%,               <        $            $                 <      $       0                      $             cCs^ |jdk r6|jdkr6ttj|jƒ‚n|jdkr±|jdk rf|jjdk su|jdk r‡ttjƒ‚nt |j ƒt kr±ttjƒ‚q±n|j dkr|j dkrättj dƒ‚n|jdkr|jdkrttj dƒ‚qnt |j ƒtt tgkr}|jdkr}|jdkr}|j dkr}ttj dƒ‚q}n|jdk rÍ|jjdk r%|jdkr¿ttjƒ‚n|jjdk rættj dƒ‚ntj|j|jjƒsÊttjt|jjƒƒ‚qÊqÍ|jjdk rptj|jjƒsÊttjt|jjƒƒ‚qÊqÍ|jjdk r¸t|jjƒsÊttjt|jjƒƒ‚qÊqÍttj dƒ‚n|jdk rO|jdkrýttjƒ‚n|jjdks+tj|j|jjƒ rOttjt|jjƒƒ‚qOnt |j ƒtkr²|j jdksŽt|j jƒdkrðttjt|j jƒƒ‚qðn>t |j ƒt kr'tj!|j j"ƒs÷ttj#|j j"ƒ‚n|j j$dkrðttj%|j j$ƒ‚qðnÉt |j ƒt&krotj'|j j(ƒsðttj%|j j(ƒ‚qðnt |j ƒtkrá|j dk r¨ttj d ƒ‚n|jdk rð|jjdk rðttj dƒ‚qðnt |j ƒtkrb|j jdks t|j jƒdkrAttj)t|j jƒƒ‚n|j rðttj dƒ‚qðnŽt |j ƒt*krÅ|j jdks¡t|j jƒdkrðttj)t|j jƒƒ‚qðn+t |j ƒt krJtj!|j j"ƒs ttj#|j j"ƒ‚n|j j$dkr7ttj%|j j$ƒ‚n|j j+dkrv|j j,dkrvttj#|j j+ƒ‚n|j j+dkr¹tj!|j j+ƒ r¹ttj#|j j+ƒ‚n|j j,dkrtj-|j|j j,ƒ rttj|j j,ƒ‚n|jdkr#ttjƒ‚n|j dk rðttj dƒ‚qðn¦t |j ƒt.kr¿tj!|j j"ƒsttj#|j j"ƒ‚n|j j$dkrðttj%|j j$ƒ‚qðn1|j dk rðttj dt |j ƒƒ‚n|jdk r`|jj/r8|jj/dkr8ttj0|jj/ƒ‚n|jj1dk r`|jj1j2ƒq`n|jdk rÓt |j ƒt3t4t5gkr«ttj6t |j ƒƒ‚n|jj1dk rÓ|jj1j2ƒqÓn|j dk rZ t |j ƒt4kr |j j2|jƒn%t |j ƒt7kr2 |j j2ƒn|j j1dk rZ |j j1j2ƒqZ ndS( NR1R2sno element, no actions%no element, no source, no destinationsno action, no log, no auditsaddress and macsinvalid sourceittcptudptsctptdccpsmasquerade and actionsmasquerade and mac sourcesicmp-block and actionRsforward-port and actionsUnknown element %stemergtalerttcritterrortwarningtnoticetinfotdebug(sipv4sipv6(RsRtRuRv(RsRtRuRv(RsRtRuRv(RwRxRyserrorR{R|sinfosdebug(8R5RRRtINVALID_FAMILYRORRPtMISSING_FAMILYR/RQR RTR3RRRRRSRRt check_addresst INVALID_ADDRRNt check_mact INVALID_MACRRt INVALID_IPSETRR%R=tINVALID_SERVICERt check_portR&t INVALID_PORTR'tINVALID_PROTOCOLRt checkProtocolR(tINVALID_ICMPTYPERR*R+tcheck_single_addressRR-tINVALID_LOG_LEVELR.R7R R RtINVALID_AUDIT_TYPER(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR7sÜ! $$$ $*$!*! *$$     cCsëd}|jr#|d|j7}n|jr@|d|j7}n|jr]|d|j7}n|jrz|d|j7}n|jr—|d|j7}n|jr´|d|j7}n|jrÑ|d|j7}ntjrçtj |ƒS|S(NRas family="%s"s %s( R5RORPRQRRRSRTRtPY2tu2b(Rtret((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR!žs        N(R"R#RRR`RUR7R!(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRs   Û ›N(t__all__tfirewallRtfirewall.core.ipsetRtfirewall.core.baseRRtfirewall.errorsRtobjectRRRRRRRRRR R R R R RRRR(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyts8       1