Current File : //lib/python3.9/site-packages/firewall/core/__pycache__/ipXtables.cpython-39.pyc
a

���gh��@s0ddlZddlZddlmZddlmZddlmZm	Z	m
Z
mZmZm
Z
mZmZddlmZddlmZmZmZmZmZddlmZmZmZmZmZmZmZm Z m!Z!ddl"m#Z#ddl$Z$d	Z%gd
�ddggd
�gd�gd
�d�Z&ddd�Z'ddd�Z(dd�Z)dd�Z*dd�Z+Gdd�de,�Z-Gdd�de-�Z.dS)�N)�runProg)�log)�tempFile�readfile�	splitArgs�	check_mac�portStr�check_single_address�
check_address�normalizeIP6)�config)�
FirewallError�INVALID_PASSTHROUGH�INVALID_RULE�
UNKNOWN_ERROR�INVALID_ADDR)	�Rich_Accept�Rich_Reject�	Rich_Drop�	Rich_Mark�
Rich_NFLog�Rich_Masquerade�Rich_ForwardPort�Rich_IcmpBlock�Rich_Tcp_Mss_Clamp)�DEFAULT_ZONE_TARGET�)�INPUT�OUTPUT�FORWARD�
PREROUTINGr)r �POSTROUTINGrrr)r r!r)�security�raw�mangle�nat�filterzicmp-host-prohibitedzicmp6-adm-prohibited��ipv4�ipv6�icmp�	ipv6-icmpc	Cs�ddddddd�}|dd�}|D]t}z|�|�}WntyJYq"Yn0|dvr�zt||d�WntyzYn0|�|d�||||<q"|S)	z Inverse valid rule �-D�--delete�-X�--delete-chain��-A�--append�-I�--insert�-Nz--new-chainN�r3r4�)�index�	Exception�int�pop)�args�replace_args�ret_args�arg�idx�rA�;/usr/lib/python3.9/site-packages/firewall/core/ipXtables.py�common_reverse_rule:s*�
rCc	Cs�ddddddd�}|dd�}|D]z}z|�|�}WntyJYq"Yn0|dvr�zt||d�WntyzYn0|�|d�||||<|Sttd	��dS)
z Reverse valid passthough rule r,r-r.r/r0Nr6r7�no '-A', '-I' or '-N' arg)r8�
ValueErrorr:r;r
r)r<r=r>�xr@rArArB�common_reverse_passthrough_s0�
�rGcCsht|�}tgd��}t||@�dkr>ttdt||@�d��tgd��}t||@�dkrdttd��dS)zZ Check if passthough rule is valid (only add, insert and new chain
    rules are allowed) )z-Cz--checkr,r-z-Rz	--replace�-Lz--listz-Sz--list-rules�-Fz--flush�-Zz--zeror.r/�-Pz--policyz-Ez--rename-chainrzarg '%s' is not allowedr0rDN)�set�lenr
r�list)r<Znot_allowedZneededrArArB�common_check_passthrough�s���rOc@s�eZdZdZdZdZdd�Zdd�Zdd�Zd	d
�Z	dd�Z
d
d�Zdd�Zdd�Z
dd�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd �Zdjd"d#�Zd$d%�Zd&d'�Zd(d)�Zd*d+�Zdkd,d-�Zd.d/�Zdld1d2�Zd3d4�Zd5d6�Zdmd8d9�Zdnd:d;�Z d<d=�Z!d>d?�Z"d@dA�Z#dBdC�Z$dDdE�Z%dFdG�Z&dHdI�Z'dJdK�Z(dLdM�Z)dNdO�Z*dPdQ�Z+dodRdS�Z,dpdTdU�Z-dqdVdW�Z.drdXdY�Z/dZd[�Z0dsd\d]�Z1dtd^d_�Z2dud`da�Z3dvdbdc�Z4ddde�Z5dfdg�Z6dhdi�Z7d!S)w�	ip4tablesr(TcCsd||_tj|j|_tjd|j|_|��|_|��|_	|�
�g|_i|_i|_
g|_i|_dS)Nz
%s-restore)�_fwrZCOMMANDS�ipv�_command�_restore_command�_detect_wait_option�wait_option�_detect_restore_wait_option�restore_wait_option�fill_exists�available_tables�rich_rule_priority_counts�policy_priority_counts�zone_source_index_cache�
our_chains)�self�fwrArArB�__init__�s

zip4tables.__init__cCs$tj�|j�|_tj�|j�|_dS�N)�os�path�existsrSZcommand_existsrTZrestore_command_exists�r_rArArBrY�szip4tables.fill_existscCs�|jr(|j|vr(|jgdd�|D�}ndd�|D�}t�d|j|jd�|��t|j|�\}}|dkr�td|jd�|�|f��|S)NcSsg|]}d|�qS��%srA��.0�itemrArArB�
<listcomp>��z#ip4tables.__run.<locals>.<listcomp>cSsg|]}d|�qSrgrArirArArBrl�rm�	%s: %s %s� r�'%s %s' failed: %s)rVr�debug2�	__class__rS�joinrrE)r_r<�_args�status�retrArArBZ__run�s
�zip4tables.__runcCs<z|�|�}Wnty"YdS0||||d�<dSdS)NF�T)r8rE)r_�rule�patternZreplacement�irArArB�
_rule_replace�szip4tables._rule_replacecCs|tvo|t|vSrb)�BUILT_IN_CHAINS)r_rR�table�chainrArArB�is_chain_builtin�s
�zip4tables.is_chain_builtincCs2d|g}|r|�d�n
|�d�|�|�|gS)N�-tr5r.)�append)r_�addr}r~rxrArArB�build_chain_rules�s

zip4tables.build_chain_rulescCs8d|g}|r |d|t|�g7}n|d|g7}||7}|S)Nr�r3r,)�str)r_r�r}r~r8r<rxrArArB�
build_rule�szip4tables.build_rulecCst|�Srb)rC�r_r<rArArB�reverse_rule�szip4tables.reverse_rulecCst|�dSrb)rOr�rArArB�check_passthrough�szip4tables.check_passthroughcCst|�Srb)rGr�rArArB�reverse_passthrough�szip4tables.reverse_passthroughc	Cs�d}z|�d�}Wnty$Yn0t|�|dkrB||d}d}dD]B}z|�|�}WntynYqJ0t|�|dkrJ||d}qJ||fS)Nr&r�rwr0)r8rErM)r_r<r}rzr~�optrArArB�passthrough_parse_table_chain�s z'ip4tables.passthrough_parse_table_chaincCs zH|�d�}|�|�|�|�}d|dkr:||df}n||df}WnFty�z|�d�}|�|�d}Wnty�YYdS0Yn0d}|dd	vr�d
}|r�|s�||vr�|�|�n\|�r|r�||vr�|�|�|jdd�d
�|�|�}nt|�}d|d<|�dd|d�dS)N�%%ZONE_SOURCE%%�-m����%%ZONE_INTERFACE%%Tr�r,r-FcSs|dS)NrrA)rFrArArB�<lambda>'rmz4ip4tables._run_replace_zone_source.<locals>.<lambda>)�keyr3r7�%drw)r8r;rE�remover��sortrM�insert)r_rxr]rz�zoneZzone_source�rule_addr8rArArB�_run_replace_zone_source
s:





z"ip4tables._run_replace_zone_sourcec	Csz|�|�}Wnty"Y�n�0d}d}d}|�|�|�|�}t|�tkrZttd��d}	dD]B}
z|�|
�}Wnty�Yqb0t|�|dkrb||d}	qbdD]Z}
z|�|
�}Wnty�Yq�0t|�|dkr�||d}|
d	vr�d}|
d
vr�d}q�|	|f}|�s^||v�s>|||v�s>|||dk�rHttd��|||d8<n�||v�rpi||<|||v�r�d|||<d}
t	||�
��D]<}||k�r�|�r��q�|
|||7}
||k�r��qܐq�|||d7<d
||<|�|dd|
�dS)a
        Change something like
          -t filter -I public_IN %%RICH_RULE_PRIORITY%% 123
        or
          -t filter -A public_IN %%RICH_RULE_PRIORITY%% 321
        into
          -t filter -I public_IN 4
        or
          -t filter -I public_IN
        TF���z%priority must be followed by a numberr&�r�z--tablerw)r1r2r3r4r,r-r6r�rz*nonexistent or underflow of priority countr3r7r�N)r8rEr;�typer:r
rrMr�sorted�keysr�)r_rxZpriority_counts�tokenrzr�r�Zinsert_add_index�priorityr}r��jr~r8�prArArB�_set_rule_replace_priority0sj




��



z$ip4tables._set_rule_replace_priorityc
Cst�}i}t�|j�}t�|j�}t�|j�}|D�]x}|dd�}	|�|	dddt|jg�|�|	dt	|jg�z|	�
d�}
Wnty�Yn80|dkr�q2|dvr�dd	d
|g|	|
|
d�<n
|	�|
�|�
|	|d�|�
|	|d
�|�|	|�d}dD]L}z|	�
|�}
Wnt�y"Yq�0t|	�|
dkr�|	�|
�|	�|
�}q�t|	�D]F\}
}
tjD]4}||
v�r`|
�d��r�|
�d��s`d|
|	|
<�q`�qR|�|g��|	�q2|D]F}||}|�d|�|D]}	|�d�|	�d��q�|�d��q�|��t�|j�}t�d|j|j d|j|j!f�g}|j"�rF|�|j"�|�d�t#|j ||jd�\}}t�$�dk�r�t%|j�}|du�r�d}
|D]@}tj&d|
|fddd�|�d��s�tj&ddd�|
d7}
�q�t�'|j�|dk�rtd |j d�|�|f��||_||_||_dS)!N�
%%REJECT%%�REJECT�
--reject-with�%%ICMP%%�%%LOGTYPE%%�off��unicast�	broadcastZ	multicastr��pkttype�
--pkt-typerw�%%RICH_RULE_PRIORITY%%�%%POLICY_PRIORITY%%r&r��"z"%s"z*%s
ro�
zCOMMIT
rnz%s: %d�-n��stdinr7z%8d: %sr)�nofmt�nlr)r�rp)(r�copy�deepcopyr[r\r]r{�DEFAULT_REJECT_TYPErR�ICMPr8rEr;r�r�rM�	enumerate�stringZ
whitespace�
startswith�endswith�
setdefaultr��writers�closerc�stat�namerrqrrrT�st_sizerXrZgetDebugLogLevelr�debug3�unlink)r_�rules�
log_denied�	temp_fileZtable_rulesr[r\r]Z_rulerxrzr}r��element�cr�r<rurv�lines�linerArArB�	set_rules�s�
�


��
�




�zip4tables.set_rulescCs�|�|dddt|jg�|�|dt|jg�z|�d�}WntyPYn:0|dkr^dS|dvr�d	d
d|g|||d�<n
|�|�t�|j	�}t�|j
�}t�|j�}|�||d
�|�||d�|�
||�|�|�}||_	||_
||_|S)Nr�r�r�r�r�r�rr�r�r�r�rwr�r�)r{r�rRr�r8rEr;r�r�r[r\r]r�r��_ip4tables__run)r_rxr�rzr[r\r]�outputrArArB�set_rule�s0�

zip4tables.set_ruleNc	Cs�g}|r|gnt��}|D]n}||jvr4|�|�qz,|�d|ddg�|j�|�|�|�Wqty�t�d|j|f�Yq0q|S)Nr�rHr�zA%s table '%s' does not exist (or not enough permission to check).)	r|r�rZr�r�rEr�debug1rR)r_r}rvZtablesrArArB�get_available_tabless
zip4tables.get_available_tablesc	Cs�d}t|jgd��}t�d|j|jd|d|d�|ddkr�d}t|jgd��}t�d|j|jd|d|d�|ddkr�d}t�d	|j|j|�|S)
Nr)�-wrHr��7%s: %s: probe for wait option (%s): ret=%u, output="%s"r�rrw)�-w10rHr�r��%s: %s will be using %s option.)rrSrr�rrrq)r_rVrvrArArBrUs  zip4tables._detect_wait_optionc
Cs�t�}|�d�|��d}dD]d}t|j|g|jd�}t�d|j|j	||d|d�|ddkr d|dvr d	|dvr |}q�q t�
d
|j|j|�t�|j�|S)Nz#foor)r�z--wait=2r�r�rrwzinvalid optionzunrecognized optionr�)
rr�r�rrTr�rr�rrrSrqrcr�)r_r�rVZtest_optionrvrArArBrW"s
 
�z%ip4tables._detect_restore_wait_optioncCsNi|_i|_g|_g}t��D]*}|�|�s.qdD]}|�d||g�q2q|S)N)rIr.rJr�)r[r\r]r|r�r�r�)r_r�r}�flagrArArB�build_flush_rules6s
zip4tables.build_flush_rulesc
Cs�g}|dkrdn|}t��D]t}|�|�s,q|dkr6qt|D]P}|dkrv||}|dkrz|�d|d|ddg�d}n|}|�d|d	||g�q>q|S)
NZPANIC�DROPr%r&r�r�r1�-jrK)r|r�r�r�)r_�policyZpolicy_detailsr��_policyr}r~r�rArArB�build_set_policy_rulesEs 
z ip4tables.build_set_policy_rulesc
Csg}d}z"|�d|jdkrdnddg�}WnLtyv}z4|jdkrTt�d|�nt�d|�WYd	}~n
d	}~00|��}d
}|D]�}|r�|����}|��}|D]<}	|	�	d�r�|	�
d�r�|	d
d�}
n|	}
|
|vr�|�|
�q�|jdkr�|�	d��s|jdkr�|�	d�r�d}q�|S)zQReturn ICMP types that are supported by the iptables/ip6tables command and kernelr�-pr(r*r+z--helpziptables error: %szip6tables error: %sNF�(�)rwr�zValid ICMP Types:r)zValid ICMPv6 Types:T)r�rRrErr��
splitlines�strip�lower�splitr�r�r�)r_rRrvr��exr�Zin_typesr�Zsplitsr�rFrArArB�supported_icmp_typesXs<�

$��zip4tables.supported_icmp_typescCsgSrbrArfrArArB�build_default_tablesyszip4tables.build_default_tablesr�cCs�i}|�d�rlg|d<t�|jd<tdD]@}|d�d|�|d�d||f�|jd�d|�q*|�d��r@g|d<t�|jd<tdD]�}|d�d|�|d�d||f�|jd�d|�|dkr�dD]8}|d�d||f�|jd�td	||fg��q�d
D]}|d�d|||f��qq�|�d��rg|d<t�|jd<tdD]�}|d�d|�|d�d||f�|jd�d|�|dk�rhdD]:}|d�d||f�|jd�td	||fg���q�d
D]}|d�d|||f��q��qh|�d
��rPg|d
<t�|jd
<td
D�]
}|d
�d|�|d
�d||f�|jd
�d|�|dv�r�dD]R}|d
�d||f�|jd
�td	||fg��|d
�d|||f��q�nddD]:}|d
�d||f�|jd
�td	||fg���q�d
D]}|d
�d|||f��q,�qBg|d<t�|jd<|d�d�|d�d�|dk�r�|d�d�|d�d�|d�d�|d�d�|jd�td��dD]0}|d�d|�|jd�td|���q�d
D]}|d�d|��q|dk�rB|d�d�|d�d�|d�d�|d�d�|dk�r�|d�d �|d�d!�|d�d"�|d�d#�|jd�td$��d%D]0}|d�d&|�|jd�td'|���q�d
D]B}|d�d&|�|d�d(|�|jd�td'|���q�d)D]0}|d�d&|�|jd�td'|���qD|dk�r�|d�d*�|d�d+�|dgd,�7<|jd�td-��d%D]B}|d�d.|�|d�d/|�|jd�td0|���q�d)D]B}|d�d.|�|d�d/|�|jd�td0|���qg}|D]>}||��v�rr�q\||D]}|�d1|gt|���qz�q\|S)2Nr"z-N %s_directz-A %s -j %s_directz	%s_directr#r )�POLICIES_pre�ZONES�
POLICIES_postz-N %s_%s�%s_%s)r�z-A %s -j %s_%sr$r%)r)r�r�r&zB-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPTz-A INPUT -i lo -j ACCEPTr�z^-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 'z/-A INPUT -m conntrack --ctstate INVALID -j DROPz-N INPUT_directz-A INPUT -j INPUT_directZINPUT_directz-N INPUT_%szINPUT_%sz-A INPUT -j INPUT_%sz9-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 'z-A INPUT -j %%REJECT%%zD-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPTz-A FORWARD -i lo -j ACCEPTz`-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 'z1-A FORWARD -m conntrack --ctstate INVALID -j DROPz-N FORWARD_directz-A FORWARD -j FORWARD_directZFORWARD_direct)r�z
-N FORWARD_%sz
FORWARD_%sz-A FORWARD -j FORWARD_%s)r�z;-A FORWARD %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 'z-A FORWARD -j %%REJECT%%)z-N OUTPUT_directz>-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPTz-A OUTPUT -o lo -j ACCEPTz-A OUTPUT -j OUTPUT_directZ
OUTPUT_directz-N OUTPUT_%sz-A OUTPUT -j OUTPUT_%sz	OUTPUT_%sr�)r�rLr^r|r�r��updater)r_r�Z
default_rulesr~Zdispatch_suffixZfinal_default_rulesr}rxrArArB�build_default_rules}s�
 
" 
" 



zip4tables.build_default_rulescCsd|dkrddhS|dkr*d|��vr*dhS|dkrFd|��vrFddhS|dkr`d|��vr`dhSiS)	Nr&rrr$r r%r!r#)r�)r_r}rArArB�get_zone_table_chains�szip4tables.get_zone_table_chainsc	s�|jj�|���jdkrdnd��dkr4�dkr4dnd}	|jj�|�t|	��g}
g}|D]}|
�d|g�qX|D]}|�d	|g�qp|D]8}
|jj�|
�}|d
vr�|�	|�s�q�|
�|�
d|
��q�|D]J}
|jj�|
�}|d
vr�|�	|�s�q�t|
�r��dvr�q�|�|�
d
|
��qƇ�����fdd�}g}|
�r||
D]B}|�r^|D]}|�|||���qDn|�rfn|�||d���q6nD|�r�n<|�r�|D]}|�|d|���q�n|�r�n|�|dd��|S)Nr�pre�postr%r!TF�-i�-or'�-s�r!rr�-dcsVddd��}d�|d��fd�jg}|r6|�|�|rD|�|�|�d�g�|S)Nr1r,�TFr�z%s_POLICIES_%sr�r�)r��extend)�ingress_fragment�egress_fragment�add_delrx�r�r~�chain_suffix�enable�p_objr}rArB�_generate_policy_dispatch_rule*s�

zSip4tables.build_policy_ingress_egress_rules.<locals>._generate_policy_dispatch_rule)rQr��
get_policyr��policy_base_chain_name�POLICY_CHAIN_PREFIXr�r��check_source�is_ipv_supported�_rule_addr_fragmentr)r_rr�r}r~Zingress_interfacesZegress_interfacesZingress_sourcesZegress_sources�isSNATZingress_fragmentsZegress_fragments�	interface�addrrRrr�r�r�rAr�rB�!build_policy_ingress_egress_rules
sRz+ip4tables.build_policy_ingress_egress_rulesFc
Cs�|dkr|dkrdnd}|jjj||t|d�}	dddddd�|}
d	}|r^|s^d
d|dg}n,|rpd
d|g}ndd|g}|s�|dg7}|d||
|||	g7}|gS)Nr%r!TF�r
r�r��r r!rrr�-gr3�%s_ZONESr�r1r,r�)rQr�rr)
r_rr�r�rr}r~r�r
r�r��actionrxrArArB�!build_zone_source_interface_rulesZs(��
z+ip4tables.build_zone_source_interface_rulescCs�|�d�rP|dd�}|dkr$d}nd}d�|g|jj�|��}ddd	||gSt|�rz|dkrjttd
��ddd|��gSt	d
|�r�t
|�}n,td
|�r�|�d�}t
|d�d|d}||gSdS)Nzipset:�r��dst�src�,r�rL�--match-setzCan't match a destination MAC.�mac�--mac-sourcer)�/rrw)
r�rsrQ�ipsetZ
get_dimensionrr
r�upperr	rr
r�)r_r��address�invertr��flags�
addr_splitrArArBr	ss"





zip4tables._rule_addr_fragmentcCs�ddd�|}|dkr"|dkr"dnd}|jjj||t|d�}	d	d
d	d	d
d�|}
t|�rd|dvrdgS|d
|d|d|g}|�|�|
|��|�d|	g�|gS)Nr3r,r�r%r!TFrr�r�rr�rr�r�r)rQr�rrrr�r	)r_rr�r�rr}r~r�r
r�r�rxrArArB�build_zone_source_address_rules�s"��	z)ip4tables.build_zone_source_address_rulesc
Cs�ddd�|}ddd�|}|dkr0|dkr0dnd	}|jjj||t|d
�}|jj�|�}	|j|�t|d|d|d
|d|d|g��g}
|
�||d|g�|
�|d
|d|g�|
�|d|d|g�|
�|d|d|g�|
�|d|d|g�|
�|d|d|g�|	j	�r6|
�||d|dd|dfg�|
�||d|dd
|g�|
�||d|dd|g�|
�||d|dd|g�|
�||d|dd|g�|
�||d|dd|g�|	j	�r�|
�||d|dd|dfg�|jjj
|j}|j��dk�rb|dk�rb|t
ddfv�r8|
�||d|ddddd|g	�|dk�rb|
�||d|ddddd|g	�|dk�r�|t
ddddfv�r�|t
fv�r�d}n|}|
�||d|d|g�|�s�|
��|
S) Nr5r.r�r1r,r%r!TFrz%s_log�%s_denyz%s_prez%s_post�%s_allowr�r�r�r�r�r�r&r�r�r��LOG�--log-prefixz%s_REJECT: r�z	%s_DROP: �ACCEPT)rQr�rrrr^r�rLr�Zderived_from_zoneZ	_policies�target�get_log_deniedr�reverse)
r_rr�r}r~Z
add_del_chainZadd_del_ruler
r�rr�r(�_targetrArArB�build_policy_chain_rules�sf�
�
�
�z"ip4tables.build_policy_chain_rulescCs|rddd|jgSgS)Nr��limitz--limit)�value)r_r-rArArB�_rule_limit�szip4tables._rule_limitcCs�t|j�ttttfvrn<|jrJt|j�ttt	t
fvrTttdt|j���n
ttd��|j
dkr�t|j�tttfvs�t|j�tt
fvr�dSt|j�tfvs�t|j�tt	fvr�dSn|j
dkr�dSdSdS)N�Unknown action %szNo rule action specified.r�allowZdenyr�r�)r�r�rrrrrrrrrr
rr��r_�	rich_rulerArArB�_rich_rule_chain_suffix�s$

��
z!ip4tables._rich_rule_chain_suffixcCs:|js|jsttd��|jdkr$dS|jdkr2dSdSdS)NzNot log or auditrrr�r�)r�auditr
rr�r2rArArB� _rich_rule_chain_suffix_from_log�s


z*ip4tables._rich_rule_chain_suffix_from_logcCs|jdkrgSd|jgS)Nrr�)r�r2rArArB�_rich_rule_priority_fragments
z&ip4tables._rich_rule_priority_fragmentc
Cs"|js
gS|jj�||t�}ddd�|}|�|�}d||d||fg}	|	|�|�7}	t|j�tkr�|	|ddg7}	|jj	r�|	d|jj	g7}	|jj
r�|	d	d
|jj
g7}	|jjr�|	d|jjg7}	nJ|	|ddg7}	|jj
r�|	d
d
|jj
g7}	|jj�r|	dd
|jjg7}	|	|�
|jj�7}	|	S)Nr1r,r�r�r�r�ZNFLOGz
--nflog-groupz--nflog-prefixrhz--nflog-thresholdr%r&z--log-level)rrQr�rrr6r7r�r�group�prefixZ	threshold�levelr/r-)
r_r�r3rr}�
rule_fragmentr�r�rrxrArArB�_rich_rule_logs,

zip4tables._rich_rule_logcCs�|js
gSddd�|}|jj�||t�}|�|�}d||d||fg}	|	|�|�7}	|	|7}	t|j�t	krrd}
n,t|j�t
kr�d}
nt|j�tkr�d}
nd	}
|	d
dd|
g7}	|	|�|jj
�7}	|	S)
Nr1r,r�r�r�ZacceptZrejectZdrop�unknownr�ZAUDITz--type)r5rQr�rrr6r7r�rrrrr/r-)r_r�r3rr}r;r�r�rrxZ_typerArArB�_rich_rule_audit"s$
zip4tables._rich_rule_auditcCs2|js
gSddd�|}|jj�||t�}|�|�}d||f}	t|j�tkrXddg}
n�t|j�tkr�ddg}
|jjr�|
d|jjg7}
nnt|j�t	kr�dd	g}
nVt|j�t
kr�d
}|jj�||t�}d||f}	ddd|jjg}
ntt
d
t|j���d|||	g}||�|�7}|||
7}||�|jj�7}|S)Nr1r,r�r�r�r'r�r�r�r$�MARKz--set-xmarkr0r�)rrQr�rrr4r�rrrrrLr
rr7r/r-)r_r�r3rr}r;r�r�rr~Zrule_actionrxrArArB�_rich_rule_action;s6


�zip4tables._rich_rule_actioncCs�|sgSg}|jr�|jr"|�d�td|j�rB|dt|j�g7}q�td|j�r||j�d�}|dt|d�d|dg7}q�|d|jg7}nD|jr�|ddg7}|jr�|�d�|jj	�
|jd	�}|d
|j|g7}|S)N�!r)r�rrrwr�rLrr)rrr�r	rr
r�rrQr��_ipset_match_flags)r_Z	rich_destr;r!r rArArB�_rich_rule_destination_fragment]s&
"
z)ip4tables._rich_rule_destination_fragmentcCs|sgSg}|jr�|jr"|�d�td|j�rB|dt|j�g7}nHtd|j�r||j�d�}|dt|d�d|dg7}n|d|jg7}n�t|d�r�|jr�|ddg7}|jr�|�d�|d	|jg7}nRt|d
��r|j	�r|ddg7}|jr�|�d�|j
j�|j	d�}|d
|j	|g7}|S)NrAr)r�rrrwrr�rrrLrr)
rrr�r	rr
r��hasattrrrrQr�rB)r_Zrich_sourcer;r!r rArArB�_rich_rule_source_fragmentus0
"

z$ip4tables._rich_rule_source_fragmentc	Cs�ddd�|}d}|jj�||t�}	d|g}
|rD|
ddt|�g7}
|rT|
d|g7}
|rx|
|�|j�7}
|
|�|j�7}
g}|r�|�	|�
|||||
��|�	|�|||||
��|�	|�|||||
��n"|�	|d	|	d
|g|
ddg�|S)
Nr1r,r�r&r��--dportrhr�r$r�r�r'�
rQr�rrrrC�destinationrE�sourcer�r<r>r@�r_rr��proto�portrHr3r�r}r�r;r�rArArB�build_policy_ports_rules�s,��z"ip4tables.build_policy_ports_rulesc	Cs�ddd�|}d}|jj�||t�}d|g}	|r<|	d|g7}	|r`|	|�|j�7}	|	|�|j�7}	g}
|r�|
�|�	|||||	��|
�|�
|||||	��|
�|�|||||	��n"|
�|d|d|g|	d	d
g�|
S)Nr1r,r�r&r�r�r$r�r�r')rQr�rrrCrHrErIr�r<r>r@)r_rr��protocolrHr3r�r}r�r;r�rArArB�build_policy_protocol_rules�s(��z%ip4tables.build_policy_protocol_rulescCs�d}d}|jj�||t�}ddd�|}	gd�}
|rl|�|�}|
|�|�7}
|
|�|j�7}
|
|�|j	�7}
|dks||dur�|
gd�7}
n|
d	d
d|g7}
dd|	d
||fg|
gS)Nr1r&r1r,r�)r�Ztcpz--tcp-flagszSYN,RSTZSYNZpmtu)r��TCPMSSz--clamp-mss-to-pmtur�rPz	--set-mssr�r�)
rQr�rrr4r7rCrHrErI)r_rr�Ztcp_mss_clamp_valuerHr3rr}r�r�r;rArArB� build_policy_tcp_mss_clamp_rules�s
z*ip4tables.build_policy_tcp_mss_clamp_rulesc	Cs�ddd�|}d}|jj�||t�}	d|g}
|rD|
ddt|�g7}
|rT|
d|g7}
|rx|
|�|j�7}
|
|�|j�7}
g}|r�|�	|�
|||||
��|�	|�|||||
��|�	|�|||||
��n"|�	|d	|	d
|g|
ddg�|S)
Nr1r,r�r&r�z--sportrhr�r$r�r�r'rGrJrArArB�build_policy_source_ports_rules�s,��z)ip4tables.build_policy_source_ports_rulescCsvd}|jj�||t�}	ddd�|}
|
d|	ddd|g}|rP|dd	t|�g7}|r`|d
|g7}|ddd
|g7}|gS)Nr#r1r,r�r$r�r�rFrhr�r�ZCTz--helper)rQr�rrr)r_rr�rKrLrHZhelper_nameZmodule_short_namer}r�r�rxrArArB�build_policy_helper_ports_rules�sz)ip4tables.build_policy_helper_ports_rulesc

Cs�ddd�|}|jj�||t�}g}	|rH|	�dd|d|d|dd	g�n6t|�rTgS|	�dd|d|g|�d
|�dd	g�|	S)Nr1r,r�r�r&r$r�r�r'r�)rQr�rrr�rr	)
r_rr�r�r}rrIr�r�r�rArArB�build_zone_forward_rules�s�
��z"ip4tables.build_zone_forward_rulesc
Cs�d}|jjj||tdd�}ddd�|}g}|rj|�|�}||�|�7}||�|j�7}||�|j	�7}nd}g}	|	�
dd|d	||fg|gd
��|	S)Nr%Trr1r,r�r1r�r�)rAr��lor�Z
MASQUERADE)rQr�rrr4r7rCrHrErIr�)
r_rr�r3r}r�r�r;rr�rArArB�build_policy_masquerade_ruless"
��z'ip4tables.build_policy_masquerade_rulescCs
d}|jj�||t�}	ddd�|}
d}|rPtd|�rH|dt|�7}n||7}|rn|dkrn|dt|d	�7}g}|r�|�|�}
|�|�}||�	|j
�7}||�|j�7}nd
}
g}|r�|�
|�|||d|��|�
dd|
d|	|
fg|d
|dt|�ddd|g�|S)Nr%r1r,r�rr)z[%s]z:%s�-r1r�r�r�rFr�ZDNATz--to-destination)rQr�rrr	rrr4r7rCrHrErIr�r<)r_rr�rLrNZtoportZtoaddrr3r}r�r��tor;rr�rArArB�build_policy_forward_port_rules's8


���z)ip4tables.build_policy_forward_port_rulesc	Cs�d}|jj�||t�}ddd�|}|jdkrFddg}ddd	|jg}	ndd
g}ddd|jg}	g}
|jj�|�r|d
|}d}nd|}d}g}
|r�|
|�|j�7}
|
|�	|j
�7}
|
||	7}
|�rP|
�|�|||||
��|
�|�
|||||
��|j�r|
�|�|||||
��n:|�|�}|
�d||d||fg|�|�|
ddg�n`|j��dk�r�|dk�r�|
�||d|g|
ddddd|g�|
�||d|g|
d|g�|
S)Nr&r1r,r�r(r�r*r�z--icmp-typer+Zicmp6z
--icmpv6-typer$r'r#r�r�r�r�r�r�r%r&�%s_ICMP_BLOCK: )rQr�rrrRr��query_icmp_block_inversionrCrHrErIr�r<r>rr@r4r7r))r_rr�Zictr3r}r�r�rK�matchr�Zfinal_chainZfinal_targetr;rrArArB�build_policy_icmp_block_rulesIs\

��������z'ip4tables.build_policy_icmp_block_rulesc	Cs�d}|jj�||t�}g}d}|jj�|�r�d}|j��dkr�|rRd|t|�g}nd|g}|d|dd	d
ddd
d|g	}|�|�|d7}nd}|r�d|t|�g}nd|g}|d|dd	d|g}|�|�|S)Nr&�r�r�r3r,r�r�r�r�r�r%r&rZrwr')rQr�rrr[r)r�r�)	r_rr�r}r�r�Zrule_idxZ
ibi_targetrxrArArB�'build_policy_icmp_block_inversion_ruleszs0
�


z1ip4tables.build_policy_icmp_block_inversion_rulesc	Csxd}g}||�|j�7}||�|j�7}g}|�|�|||||��|�|�|||||��|�|�|||||��|S)Nr&)rCrHrErIr�r<r>r@)r_rr�r3r}r;r�rArArB�*build_policy_rich_source_destination_rules�sz4ip4tables.build_policy_rich_source_destination_rulescCs
||jkSrb)rR)r_rRrArArBr�szip4tables.is_ipv_supported)N)N)r�)F)F)NN)NN)NN)NN)NN)N)N)N)8�__name__�
__module__�__qualname__rRr�Zpolicies_supportedrarYr�r{rr�r�r�r�r�r�r�r�r�r�r�rUrWr�r�r�r�r�r�r
rr	r"r,r/r4r6r7r<r>r@rCrErMrOrQrRrSrTrVrYr]r_r`rrArArArBrP�sr

			&Pa#

!
N�

9"


�


�
"
1"rPc@s&eZdZdZdZddd�Zdd�ZdS)	�	ip6tablesr)FcCs~g}gd�}|jjdkr"|dg7}|�gd�|ddg�|dkr^|�gd�|gd��|�gd	��|�gd
��|S)N)r�Zrpfilterz--invertz--validmarkZloosez--loose)r3r r�r$r�r�r�)r�r%r&zrpfilter_DROP: )	r3r r�r$r�r+z$--icmpv6-type=neighbour-solicitationr�r')	r3r r�r$r�r+z"--icmpv6-type=router-advertisementr�r')rQZ_ipv6_rpfilterr�)r_r�r�Zrpfilter_fragmentrArArB�build_rpfilter_rules�s$

��
��zip6tables.build_rpfilter_rulesc
Cs�gd�}d}|jd�|�g}|�ddd|g�|D]L}|�ddd|d|dd	d
dg
�|jjdvr6|�ddd|d|dd
ddg
�q6|�dddddd|g�|�dddd|j��dkr�dndd|g�|S)N)	z::0.0.0.0/96z::ffff:0.0.0.0/96z2002:0000::/24z2002:0a00::/24z2002:7f00::/24z2002:ac10::/28z2002:c0a8::/32z2002:a9fe::/32z2002:e000::/19ZRFC3964_IPv4r&r�r5r3r�r�r�r�zaddr-unreach)r��allr%r&zRFC3964_IPv4_REJECT: r�4rr��6�5)r^r�r�rQZ_log_deniedr))r_Z
daddr_listZ
chain_namer�ZdaddrrArArB�build_rfc3964_ipv4_rules�s.
����z"ip6tables.build_rfc3964_ipv4_rulesN)F)rarbrcrRr�rerjrArArArBrd�s
rd)/Zos.pathrcr�Zfirewall.core.progrZfirewall.core.loggerrZfirewall.functionsrrrrrr	r
rZfirewallrZfirewall.errorsr
rrrrZfirewall.core.richrrrrrrrrrZfirewall.core.baserr�rr|r�r�rCrGrO�objectrPrdrArArArB�<module>sJ(,�	��%*