Current File : //lib/python3.9/site-packages/firewall/core/__pycache__/nftables.cpython-39.pyc
a

���gɆ�%@s�ddlZddlZddlZddlmZddlmZmZmZm	Z	m
Z
ddlmZm
Z
mZmZmZmZmZddlmZmZmZmZmZmZmZmZmZddlmZddlm Z dZ!e!d	d
Z"e!d	dZ#dZ$d
Z%iddde%fidde%fdde%fdde%fd�dde%fdde%fdde%fdde%fd�d�Z&dEdd�Z'e'ddd�e'dd�e'dd�e'dd �e'ddd!�e'ddd"�e'ddd
�e'dd#d$�e'ddd%�e'ddd$�e'dd&d$�e'ddd'�e'dd#d�e'ddd(�e'ddd�e'dd&�e'ddd)�e'ddd*�e'ddd+�e'dd#�e'dd&d$�e'dd,�e'dd-�e'dd.�e'ddd/�e'dd0�e'dd1�e'dd2�e'dd#d)�e'ddd3�e'dd#d+�e'ddd4�e'dd0d$�e'dd0d�d5�"e'd6dd)�e'd6d&d�e'd6dd+�e'd6dd$�e'd6d�e'd6d�e'd6d �e'd6dd/�e'd6d7�e'd6d8�e'd6d9�e'd6d:�e'd6d;�e'd6d<�e'd6dd�e'd6d=�e'd6d&�e'd6dd!�e'd6d>�e'd6dd(�e'd6d?�e'd6d@�e'd6d0�e'd6d0d$�e'd6d0d�e'd6d&d$�e'd6d&d+�dA�dB�Z(GdCdD�dDe)�Z*dS)F�N)�log)�	check_mac�getPortRange�normalizeIP6�check_single_address�
check_address)�
FirewallError�
UNKNOWN_ERROR�INVALID_RULE�INVALID_ICMPTYPE�INVALID_TYPE�
INVALID_ENTRY�INVALID_PORT)	�Rich_Accept�Rich_Reject�	Rich_Drop�	Rich_Mark�Rich_Masquerade�Rich_ForwardPort�Rich_IcmpBlock�Rich_Tcp_Mss_Clamp�
Rich_NFLog)�DEFAULT_ZONE_TARGET)�NftablesZ	firewalld�_Zpolicy_dropZprobeZpolicy_�
�
PREROUTING�
preroutingij���i����Zpostrouting�d�output)r�POSTROUTING�OUTPUT�inputZforward)r�INPUT�FORWARDr!)�raw�mangle�nat�filtercCsHdd|dd�id|d�ig}|durD|�dd|dd�id|d�i�|S)N�match�payload�type��protocol�field�==��left�op�right�code)�append)r-r+r4�	fragments�r7�:/usr/lib/python3.9/site-packages/firewall/core/nftables.py�_icmp_types_fragmentsTs�
�
r9�icmp�destination-unreachable�
�
echo-reply�echo-request���redirect���parameter-problem������router-advertisement�router-solicitation�
source-quench��
time-exceeded�timestamp-reply�timestamp-request��)"�communication-prohibitedr;r=r>zfragmentation-neededzhost-precedence-violation�host-prohibitedz
host-redirectzhost-unknown�host-unreachablez
ip-header-badznetwork-prohibitedznetwork-redirectznetwork-unknownznetwork-unreachablerD�port-unreachablezprecedence-cutoffzprotocol-unreachablerAzrequired-option-missingrJrKrLzsource-route-failedrNrOrPztos-host-redirectztos-host-unreachableztos-network-redirectztos-network-unreachable�ttl-zero-during-reassembly�ttl-zero-during-transit�icmpv6�mld-listener-done�mld-listener-query�mld-listener-report�mld2-listener-reportznd-neighbor-advert�nd-neighbor-solicit�packet-too-bigznd-redirect�nd-router-advertznd-router-solicit)zaddress-unreachablez
bad-headerzbeyond-scoperSr;r=r>z
failed-policyrZr[r\r]zneighbour-advertisementzneighbour-solicitation�no-router_rDrVrAzreject-routerJrKrNrWrXzunknown-header-typezunknown-option��ipv4�ipv6c@sheZdZdZdZdd�Zdd�Zdd�Zdd	�Zd
d�Z	dd
�Z
dd�Zdd�Zdd�Z
d�dd�Zdd�Zdd�Zdd�Zdd�Zdd �Zd�d!d"�Zd#d$�Zd�d&d'�Zd(d)�Zd*d+�Zd�d-d.�Zd/d0�Zd1d2�Zd3d4�Zd5d6�Zd7d8�Zd9d:�Zd;d<�Z d=d>�Z!d?d@�Z"dAdB�Z#dCdD�Z$dEdF�Z%dGdH�Z&dIdJ�Z'dKdL�Z(dMdN�Z)d�dOdP�Z*dQdR�Z+dSdT�Z,dUdV�Z-dWdX�Z.d�dYdZ�Z/d�d[d\�Z0d�d]d^�Z1d�d_d`�Z2dadb�Z3d�dcdd�Z4d�dedf�Z5d�dgdh�Z6didj�Z7d�dkdl�Z8dmdn�Z9d�dodp�Z:dqdr�Z;dsdt�Z<dudv�Z=dwdx�Z>d�dydz�Z?d�d{d|�Z@d}d~�ZAd�dd��ZBd�d��ZCd�d��ZDd�d��ZEd�d��ZFd�d��ZGd�d��ZHd�d��ZId�d�d��ZJdS)��nftablesTcCsZ||_d|_d|_g|_i|_i|_i|_i|_i|_t	�|_
|j
�d�|j
�d�dS)NTF)
�_fwZrestore_command_exists�supports_table_ownerZavailable_tables�rule_to_handle�rule_ref_count�rich_rule_priority_counts�policy_priority_counts�zone_source_index_cacherre�set_echo_outputZset_handle_output)�self�fwr7r7r8�__init__�sznftables.__init__cCsz�ddddiidddtdd	gd
�iigi}|j�|�\}}}|rHtd��ddddiidddtd
�iigi}|j�d�|j�|�\}}}|j�d�|dddd}|�dddtd
�ii|j���d|vs�d	|vr�td��t�	d�d|_
Wnt�	d�d|_
Yn0dS)Nre�metainfo�json_schema_versionrB�add�table�inet�owner�persist)�family�name�flagsz!nftables probe table owner failed�list�rxryFTrz�deletez3nftables: probe_support(): owner flag is supported.z7nftables: probe_support(): owner flag is NOT supported.)�TABLE_NAME_PROBEre�json_cmd�
ValueErrorrm�set_rulerf�get_log_deniedr�debug2rg)rn�rules�rcrrrzr7r7r8�_probe_support_table_owner�sH
�����
���


z#nftables._probe_support_table_ownercCs|��dS�N)r��rnr7r7r8�
probe_support�sznftables.probe_supportcCsxdD]}||vrqqd||dvr^||ddd||dddf}||dd=n(d||dvr�d}||dd=ndS||dd}|r�|dkr�||vr�|||vr�||�|�n�|dk�rt||vr�g||<|�r&|||v�r||�|�||jd	d
�d�||�|�}nt||�}||}||=|dk�rT||d
<n |d8}||d<||ddd<dS)N�rs�insertr}�%%ZONE_SOURCE%%�rule�zone�address�%%ZONE_INTERFACE%%rxr}cSs|dS)Nrr7)�xr7r7r8�<lambda>	�z3nftables._run_replace_zone_source.<locals>.<lambda>)�keyrr�rBrs�index)�remover5�sortr��len)rnr�rl�verbZzone_sourcerxr��
_verb_snippetr7r7r8�_run_replace_zone_source�sD�
�


z!nftables._run_replace_zone_sourcecCsBd|vrdt�|d�iSd|vr4dt�|d�iSttd��dS)Nr�r}rszFailed to reverse rule)�copy�deepcopyrr	)rn�dictr7r7r8�reverse_rules
znftables.reverse_rulec
Cs�dD]}||vrqq|||dv�r�||d|}||d|=t|�tkr\ttd��||dd||ddf}|dkr�||vs�|||vs�|||dkr�ttd��|||d	8<n�||vr�i||<|||vr�d|||<d}t||���D]J}||k�r"|d
k�r"�qP||||7}||k�r|dk�r�qP�q|||d	7<||}	||=|dk�r�|	|d
<n |d	8}|	|d<||ddd<dS)
Nr�r�z%priority must be followed by a numberrx�chainr}rz*nonexistent or underflow of priority countrBr�rsr�)r+�intrr
r	�sorted�keys)
rnr�Zpriority_counts�tokenr��priorityr�r��pr�r7r7r8�_set_rule_replace_priority sH
 
��



z#nftables._set_rule_replace_prioritycCsbdD]X}||vrd||vrt�||d�}dD]}||vr2||=q2tj|dd�}|SqdS)Nr�r�)r��handleZpositionT)Z	sort_keys)r�r��json�dumps)rnr�r��rule_keyZnon_keyr7r7r8�
_get_rule_keyNs
znftables._get_rule_keycCsXgd�}gd�}g}g}t�|j�}t�|j�}t�|j�}	|j��}
|D�]�}t|�tkrjtt	d|��|D]}||vrnq�qn||vr�tt
d|��|�|�}
|
|
v�r4t�
d|j|
|
|
�|dkr�|
|
d7<qJnV|
|
dkr�|
|
d8<qJn6|
|
dk�r|
|
d8<ntt	d|
|
|
f��n|
�rL|dk�rLd|
|
<|�|�t�|�}|
�r�ttd||d	d
��||d	d
<|�||d�|�||d�|�||	�|dk�r�dd	|dd	d
|dd	d|dd	d|j|
d�ii}|�|�qJddddiig|i}t��dk�rDt�d|jt�|��|j�|�\}}}|dk�rxtdd|t�|�f��||_||_|	|_|
|_d}|D]�}|d7}|�|�}
|
�s��q�d|v�r�|j|
=|j|
=�q�|D]}||d|v�r��q��q�||d|v�r�q�t|d||d	dk�r2�q�|d||d	d|j|
<�q�dS)N)rsr�r}�flush�replace)rsr�r�z#rule must be a dictionary, rule: %szno valid verb found, rule: %sz%s: prev rule ref cnt %d, %sr}rBz)rule ref count bug: rule_key '%s', cnt %dr��expr�%%RICH_RULE_PRIORITY%%�%%POLICY_PRIORITY%%rxrtr�)rxrtr�r�rerqrrrGz.%s: calling python-nftables with JSON blob: %srz'%s' failed: %s
JSON blob:
%szpython-nftablesr�)r�r�rjrkrlrir+r�rr	r
r�rr��	__class__r5r{r(r�r�rhZgetDebugLogLevelZdebug3r�r�rerr��TABLE_NAME_POLICY)rnr��
log_deniedZ_valid_verbsZ_valid_add_verbsZ_deduplicated_rulesZ_executed_rulesrjrkrlrir�r�r�Z_ruleZ	json_blobr�r�errorr�r7r7r8�	set_rules\s�




�
�

&
�

�



znftables.set_rulescCs|�|g|�dS)N�)r�)rnr�r�r7r7r8r��sznftables.set_ruleNcCs|r
|gSt��Sr�)�IPTABLES_TO_NFT_HOOKr��rnrtr7r7r8�get_available_tables�sznftables.get_available_tablescCsBddd|d�ii}|tkr<|jjr<|jr<ddg|ddd<|gS)Nrsrtrur|rvrwrz)�
TABLE_NAMErfZ_nftables_table_ownerrg)rnrtr�r7r7r8�_build_add_table_rules�s���znftables._build_add_table_rulescCs|�|�ddd|d�iigS)Nr}rtrur|)r�r�r7r7r8�_build_delete_table_rules�s�z"nftables._build_delete_table_rulescCs(i|_i|_i|_i|_i|_|�t�Sr�)rhrirjrkrlr�r�r�r7r7r8�build_flush_rules�sznftables.build_flush_rulescCsPddd�|}|ddtdd|fdd	d
diidd
ddgid�iddigd�iiS)Nrsr}�TFr�ru�%s_%sr(r)�ctr��state�in�set�established�relatedr0�accept�rxrtr�r�)r�)rn�enable�hook�add_delr7r7r8�_build_set_policy_rules_ct_rule�s

���z(nftables._build_set_policy_rules_ct_rulec
Cs\g}|dkrZ|�|�t��dD]6}|�dddtdd|fd|d	td
dd�ii�q n�|d
k�r4|�|�t��dD]�}||}|dvs�J�|��}d|��}|�dddt|d|dtd
dd�ii�|�|�d|��|dkr�ddi}n"|d
k�rddi}ndddd�i}|�dddt||gd�ii�qxn$|dk�rN||�t�7}n
tt	d��|S)NZPANIC)rrrsr�rur�r%r(i���rB�drop)rxrtryr+r��prio�policy�DROP)r#r$r!)�ACCEPT�REJECTr�Zfilter_rTr�r��reject�icmpx�admin-prohibited�r+r�r�r�znot implemented)
�extendr�r�r5�NFT_HOOK_OFFSET�lowerr�r�rr	)rnr�Zpolicy_detailsr�r�Zd_policyZ
chain_nameZ
expr_fragmentr7r7r8�build_set_policy_rules�sb


�



�



�����

znftables.build_set_policy_rulescCs8t�}|r|gnt��D]}|�t|���qt|�Sr�)r��ICMP_TYPES_FRAGMENTSr��updater{)rn�ipvZ	supportedZ_ipvr7r7r8�supported_icmp_types5sznftables.supported_icmp_typescCs
|�t�Sr�)r�r�r�r7r7r8�build_default_tables?sznftables.build_default_tables�offcCs"g}td��D]�}|�dddtd|ddtd|dtd|d	d
�ii�dD]&}|�dddtd||fd
�ii�qXdD]6}|�dddtd|ddd||fiigd�ii�q�qtd��D�]}|�dddtd|ddtd|dtd|d	d
�ii�|dv�r|dD]Z}|�dddtd||fd
�ii�|�dddtd|ddd||fiigd�ii��qq�dD](}|�dddtd||fd
�ii��q�dD]8}|�dddtd|ddd||fiigd�ii��q�q�td��D]F}|�dddtd|ddtd|dtd|d	d
�ii��q�|�dddtddddddiiddd d!gid"�id#digd�ii�|�dddtdddddd$iidd%d"�id#digd�ii�|�dddtdddd&dd'iid(d)d"�id#digd�ii�|d*k�rR|�dddtddddddiiddd+gid"�i|�|�d,d-d.iigd�ii�|�dddtddddddiiddd+gid"�id/digd�ii�dD](}|�dddtd0d|fd
�ii��q�dD]8}|�dddtddddd0d|fiigd�ii��q�|d*k�r<|�dddtdd|�|�d,d-d1iigd�ii�|�dddtddd2d3d4d5�igd�ii�|�dddtdd6ddddiiddd d!gid"�id#digd�ii�|�dddtdd6dddd$iidd%d"�id#digd�ii�|�dddtdd6dd&dd'iid(d)d"�id#digd�ii�|d*k�r||�dddtdd6ddddiiddd+gid"�i|�|�d,d-d.iigd�ii�|�dddtdd6ddddiiddd+gid"�id/digd�ii�d7D](}|�dddtd0d6|fd
�ii��q�dD]Z}|�dddtd0d6|fd
�ii�|�dddtdd6ddd0d6|fiigd�ii��q�d8D](}|�dddtd0d6|fd
�ii��qP|d*k�r�|�dddtdd6|�|�d,d-d1iigd�ii�|�dddtdd6d2d3d4d5�igd�ii�|�dddtdd9ddddiiddd d!gid"�id#digd�ii�|�dddtd:dd&dd;iid(d)d"�id#digd�ii�d7D]Z}|�dddtd0d9|fd
�ii�|�dddtdd9ddd0d9|fiigd�ii��qbd8D]Z}|�dddtd0d9|fd
�ii�|�dddtdd9ddd0d9|fiigd�ii��q�|S)<Nr&rsr�ruz	mangle_%sr(�%srrB)rxrtryr+r�r�)�POLICIES_pre�ZONES�
POLICIES_postzmangle_%s_%s�rxrtry)r�r��jump�targetr�r'znat_%s)r!)r�r��	nat_%s_%sz	filter_%sr#r)r�r�r�r�r�r�r�r0r��status�dnat�meta�iifnamer/�lor�Zinvalidr�prefixzSTATE_INVALID_DROP: r��filter_%s_%szFINAL_REJECT: r�r�r�r�r$)r�)r�r!�
filter_OUTPUT�oifname)r�r�r5r��_pkttype_match_fragment)rnr�Z
default_rulesr�Zdispatch_suffixr7r7r8�build_default_rulesBs
�

�
�
�


�
�

�
�
�

���
���
���

�
��
���

�
�


��
�

���
���
���

�
��
���

�

�
�

�


��
�

���
���

�
�

�
�znftables.build_default_rulescCs2|dkrddgS|dkrdgS|dkr.ddgSgS)Nr(r#r$r&rr'r r7r�r7r7r8�get_zone_table_chainssznftables.get_zone_table_chainsc	
sJ�jj�|���jdkrdnd��dkr4�dkr4dnd}	�jj�|�t|	��g}
g}g}g}
|D]V}|t|�dd	kr�|
�d
ddd
iid|dt|�d�dd�i�q`|�|�q`|D]X}|t|�dd	k�r
|�d
dddiid|dt|�d�dd�i�q�|
�|�q�|�r>|
�d
ddd
iidd|id�i�|
�rf|�d
dddiidd|
id�i�|�r�|D]}|
���d|���qp|�r�|D]}|���d|���q��������fdd�}g}|
�r|
D]:}|�r�|D]}|�|||���q�n|�||d���q�n4|�r6|D]}|�|d|���qn|�|dd��|S)Nr�pre�postr'r TFrB�+r)r�r�r�r/�*r0r�r��saddr�daddrcs�|rT|rTd|ddvrTd|ddvrT|dddd|ddddkrTdSg}|rf|�|�|rt|�|�|�ddd��fii�dtd	���f|d
�}|�������r�dd|iiSd
d|iiSdS)Nr*r)r1r-r�r�r�ruz%s_%s_POLICIES_%sr�rsr�r})r5r�r��_policy_priority_fragment)�ingress_fragment�egress_fragment�expr_fragmentsr���_policyr��chain_suffixr��p_objrnrtr7r8�_generate_policy_dispatch_ruleRs0���

�zRnftables.build_policy_ingress_egress_rules.<locals>._generate_policy_dispatch_rule)	rfr��
get_policyr��policy_base_chain_name�POLICY_CHAIN_PREFIXr�r5�_rule_addr_fragment)rnr�r�rtr�Zingress_interfacesZegress_interfacesZingress_sourcesZegress_sources�isSNATZingress_fragmentsZegress_fragmentsZ$ingress_interfaces_without_wildcardsZ#egress_interfaces_without_wildcardsZingress_interfaceZegress_interface�src�dstrr�r�r�r7r�r8�!build_policy_ingress_egress_rules!sf���
�
z*nftables.build_policy_ingress_egress_rulesFcCsN|dkr|dkrdnd}|jjj||t|d�}	dddddd�|}
|t|�d	d
krn|dt|�d	�d}d}|dkr�|d
d||	fiig}n,ddd|
iid|d�i|d
d||	fiig}|r�|s�d}
dtd||f|d�}|�|���nP|�rd}
dtd||f|d�}n.d}
dtd||f|d�}|�s@|�|���|
d|iigS)Nr'r TF�rr�r��rr r#r$r!rBr�r��gotor�r�r)r�r�r/r0r�ru�%s_%s_ZONESr�rsr}r�)rfr�rrr�r�r��_zone_interface_fragment)rnr�r�r��	interfacertr�r5rr�opt�actionr�r�r�r7r7r8�!build_zone_source_interface_rules�sZ����
�
�
�z*nftables.build_zone_source_interface_rulesc
	Cs�|dkr|dkrdnd}|jjj||t|d�}ddd�|}	d	d
d	d	d
d�|}
d}d
td||f|�|
|�|dd||fiigd�}|�|�||��|	d|iigS)Nr'r TFrr�r}r�r�r�r
rrurr�r�r�r�)rfr�rrr�rr��_zone_source_fragment)
rnr�r�r�r�rtr�rrr�rrr�r7r7r8�build_zone_source_address_rules�s*��

��z(nftables.build_zone_source_address_rulescCspddd�|}|dkr"|dkr"dnd}|jjj||t|d�}|jj�|�}g}	|	�|d	d
td||fd�ii�d
D](}
|	�|d	d
td|||
fd�ii�qt|jr�|	�ddd
td||fddd||dfiigd�ii�d
D]<}
|	�|dd
td||fddd|||
fiigd�ii�q�|j�r^|	�ddd
td||fddd||dfiigd�ii�|jjj|j	}|j�
�dk�r�|dk�r�|tdddfv�r�|}|tdfv�r�d}|	�|dd
td||f|�|j�
��ddd||fiigd�ii�|dk�r^|tddddfv�r^|tddfv�r,|�
�}
n|��di}
|	�|dd
td||f|
gd�ii�|�sl|	��|	S)Nrsr}r�r'r TFrr�rur�r�)r�r�deny�allowr��%s_%s_%sr�r�r�r�r�r�r�r(r�z
%%REJECT%%r�rr�zfilter_%s_%s: r�)rfr�rrrr5r�Zderived_from_zoneZ	_policiesr�r�rr��_reject_fragmentr��reverse)rnr�r�rtr�r�rrrr�rr�Z
log_suffix�target_fragmentr7r7r8�build_policy_chain_rules�sx

�
�

�

�

�


��
�


�z!nftables.build_policy_chain_rulescCs<|dkriS|dvr,ddddiid|d�iSttd	|��dS)
N�all)�unicast�	broadcastZ	multicastr)r�r��pkttyper/r0zInvalid pkttype "%s"�rr
)rnr!r7r7r8r�s�z nftables._pkttype_match_fragmentcCsdddd�idddd�idddd�idddd�idddd�idddd�idddd�idddd�idddd�idddd�iddd	d�iddd	d�iddd
d�iddd
d�iddd
d�idddd�idddd�iddd
d�iddd
d�idddd�idddd�idddiidddiid�}||S)Nr�r:rTr�znet-prohibitedr�rYznet-unreachablerUrVr�zprot-unreachablezaddr-unreachablerar+z	tcp reset)zicmp-host-prohibitedzhost-prohibzicmp-net-prohibitedz
net-prohibzicmp-admin-prohibitedzadmin-prohibzicmp6-adm-prohibitedzadm-prohibitedzicmp-net-unreachableznet-unreachzicmp-host-unreachablezhost-unreachzicmp-port-unreachablezicmp6-port-unreachablezport-unreachzicmp-proto-unreachablez
proto-unreachzicmp6-addr-unreachable�addr-unreachzicmp6-no-routeraz	tcp-resetztcp-rstr7)rnZreject_typeZfragsr7r7r8�_reject_types_fragments2

�znftables._reject_types_fragmentcCsdddd�iS)Nr�r�r�r�r7r�r7r7r8r9s�znftables._reject_fragmentcCs ddddiiddddgid	�iS)
Nr)r�r��l4protor/r�r:rYr0r7r�r7r7r8�_icmp_match_fragment=s
�znftables._icmp_match_fragmentcCsn|siSddddd�}z|j�d�}WntyBttd��Yn0dt|jd	|��||j|d
d�iS)N�secondZminuteZhourZday)�s�m�h�d�/zExpected '/' in limit�limitrrB)ZrateZper)�valuer�r�rr
r�)rnr-Zrich_to_nft�ir7r7r8�_rich_rule_limit_fragmentBs��z"nftables._rich_rule_limit_fragmentcCs�t|j�ttttfvrn<|jrJt|j�ttt	t
fvrTttdt|j���n
ttd��|j
dkr�t|j�tttfvs�t|j�tt
fvr�dSt|j�tfvs�t|j�tt	fvr�dSn|j
dkr�dSdSdS)N�Unknown action %szNo rule action specified.rrrr�r�)r+�elementrrrrrrrrrrr
r��rn�	rich_ruler7r7r8�_rich_rule_chain_suffixUs$

��
z nftables._rich_rule_chain_suffixcCs:|js|jsttd��|jdkr$dS|jdkr2dSdSdS)NzNot log or auditrrr�r�)r�auditrr
r�r3r7r7r8� _rich_rule_chain_suffix_from_logks


z)nftables._rich_rule_chain_suffix_from_logcCsddiS)Nr�r7r�r7r7r8rvsz!nftables._zone_interface_fragmentcCsNtd|�rt|�}n,td|�r@|�d�}t|d�d|d}d||d�iS)Nrdr,rrBr�)r�r�)rrr�split)rnr�r�Z
addr_splitr7r7r8rys



znftables._zone_source_fragmentcCs
d|jiS)Nr��r�)rnr�r7r7r8r��sz"nftables._policy_priority_fragmentcCs|r|jdkriSd|jiS)Nrr�r9r3r7r7r8�_rich_rule_priority_fragment�sz%nftables._rich_rule_priority_fragmentcCs
|js
iS|jj�||t�}ddd�|}|�|�}i}	t|j�tkr||jjrZt	|jj�nd|	d<|jj
r�t	|jj
�|	d<n,|jjr�d|jjkr�dn|jj}
d	|
|	d
<|jjr�d	|jj|	d<dt
d
|||f||�|jj�d|	igd�}|�|�|��|d|iiS)Nrsr}r�r�groupzqueue-thresholdZwarning�warnr��levelr�rurrr�r�)rrfr�rrr7r+rr;r�Z	thresholdr=r�r�r0r-r�r:)rnr�r4r�rtr�rr�rZlog_optionsr=r�r7r7r8�_rich_rule_log�s4
���znftables._rich_rule_logc
Cs�|js
iS|jj�||t�}ddd�|}|�|�}dtd|||f||�|jj�dddiigd	�}	|	�	|�
|��|d
|	iiS)Nrsr}r�rurrr=r6r�r�)r6rfr�rrr7r�r0r-r�r:)
rnr�r4r�rtr�rr�rr�r7r7r8�_rich_rule_audit�s 

���znftables._rich_rule_auditc
Cs�|js
iS|jj�||t�}ddd�|}|�|�}d|||f}	t|j�tkr\ddi}
�nt|j�tkr�|jjr�|�	|jj�}
nddi}
n�t|j�t
kr�ddi}
n�t|j�tk�rHd}|jj�||t�}d|||f}	|jj�
d	�}t|�d
k�r,dddd
iiddddd
ii|d
gi|dgid�i}
ndddd
ii|dd�i}
nttdt|j���dt|	||�|jj�|
gd�}|�|�|��|d|iiS)Nrsr}r�rr�r�r�r&r,rBr�r��mark�^�&r�r�r.r1rur�r�)rrfr�rrr5r+rrr$rrr�r8r�rr
r�r0r-r�r:)
rnr�r4r�rtr�rr�rr�Zrule_actionr.r�r7r7r8�_rich_rule_action�sL


"�
�
���znftables._rich_rule_actioncCs�|�d�r0|�|td�d�d|kr(dnd|�St|�r>d}n�td|�rNd}nvtd|�r�d}tj|dd�}d	|jj	|j
d
�i}nDtd|�r�d}t|�}n,d}|�d
�}d	t|d�t
|d�d
�i}dd||d�i|r�dnd|d�iSdS)N�ipset:r�TF�etherrc�ip)�strictr���addrr�rd�ip6r,rrBr)r*r,�!=r/r0)�
startswith�_set_match_fragmentr�rrr�	ipaddress�IPv4Network�network_address�
compressed�	prefixlenrr8r�)rnZ
addr_fieldr��invertrxZnormalized_addressZaddr_lenr7r7r8r�s,
&




�
�znftables._rule_addr_fragmentcCs6|siS|dvrttd|��ddddiid|d�iS)	NrbzInvalid familyr)r�r��nfprotor/r0r")rnZrich_familyr7r7r8�_rich_rule_family_fragment�s��z#nftables._rich_rule_family_fragmentcCs8|siS|jr|j}n|jr&d|j}|jd||jd�S)NrEr��rT)rJ�ipsetrrT)rnZ	rich_destr�r7r7r8�_rich_rule_destination_fragment
s
z(nftables._rich_rule_destination_fragmentcCsZ|siS|jr|j}n2t|d�r.|jr.|j}nt|d�rH|jrHd|j}|jd||jd�S)N�macrXrEr�rW)rJ�hasattrrZrXrrT)rnZrich_sourcer�r7r7r8�_rich_rule_source_fragments
z#nftables._rich_rule_source_fragmentcCsPt|�}t|t�r$|dkr$tt��n(t|�dkr8|dSd|d|dgiSdS)NrrB�range)r�
isinstancer�rrr�)rn�portr]r7r7r8�_port_fragment!s
znftables._port_fragmentc
Cs&ddd�|}d}|jj�||t�}	g}
|r>|
�|�|j��|rT|
�|�d|��|r||
�|�|j	��|
�|�
|j��|
�dd|dd	�id
|�|�d�i�g}|r�|�|�
|||||
��|�|�|||||
��|�|�|||||
��n.|�|dd
td||	f|
ddigd�ii�|S)Nrsr}r�r(r�r)r*�dportr,r/r0r�ru�%s_%s_allowr�r��rfr�rrr5rVrxrrY�destinationr\�sourcer`r>r?rDr��rnr�r��protor_rdr4r�rtrr�r�r7r7r8�build_policy_ports_rules*s8
��


�z!nftables.build_policy_ports_rulesc
Csddd�|}d}|jj�||t�}g}	|r>|	�|�|j��|rT|	�|�d|��|r||	�|�|j	��|	�|�
|j��|	�dddd	iid
|d�i�g}
|r�|
�|�|||||	��|
�|�
|||||	��|
�|�|||||	��n.|
�|dd
td||f|	ddigd�ii�|
S)Nrsr}r�r(r�r)r�r�r%r/r0r�rurbr�r�)rfr�rrr5rVrxrrYrdr\rer>r?rDr�)rnr�r�r-rdr4r�rtrr�r�r7r7r8�build_policy_protocol_rulesJs4�


�z$nftables.build_policy_protocol_rulescCs�d}d}|jj�||t�}ddd�|}	g}
|r^|
�|�|j��|
�|�|j��|�	|�}|
�dddd	d
d�idd
�i�|dks�|dur�|
�ddddd�idddiid�i�n|
�ddddd�i|d�i�|	ddt
d||f|
d�iigS)Nrr(rsr}r�r)r�r*�tcprzr,Zsyn)r2r1r3Zpmtur&z
tcp optionZmaxseg�size)ryr.Zrtr�ZmturCr�rur�r�)rfr�rrr5rYrdr\rer5r�)rnr�r�Ztcp_mss_clamp_valuerdr4rrtrr�r�r7r7r8� build_policy_tcp_mss_clamp_rulesis2
�

��

�z)nftables.build_policy_tcp_mss_clamp_rulesc
Cs&ddd�|}d}|jj�||t�}	g}
|r>|
�|�|j��|rT|
�|�d|��|r||
�|�|j	��|
�|�
|j��|
�dd|dd	�id
|�|�d�i�g}|r�|�|�
|||||
��|�|�|||||
��|�|�|||||
��n.|�|dd
td||	f|
ddigd�ii�|S)Nrsr}r�r(r�r)r*�sportr,r/r0r�rurbr�r�rcrfr7r7r8�build_policy_source_ports_rules�s8
��


�z(nftables.build_policy_source_ports_rulesc

Cs�d}|jj�||t�}	ddd�|}
g}|rR|�dddtd||f||d�ii�g}|rl|�|�d	|��|�d
d|dd
�id|�|�d�i�|�dd||fi�|�|
ddtd|	|d�ii�|S)Nr(rsr}r�z	ct helperruzhelper-%s-%s)rxrtryr+r-r�r)r*rar,r/r0r��filter_%s_allowr�)rfr�rrr5r�rr`)
rnr�r�rgr_rdZhelper_nameZmodule_short_namertrr�r�r�r7r7r8�build_policy_helper_ports_rules�s6

�
��

�z(nftables.build_policy_helper_ports_rulescCs�ddd�|}|jj�||t�}g}	|rv|t|�ddkrT|dt|�d�d}ddd	d
iid|d�id
dig}
n|�d|�d
dig}
dtd||
d�}|	�|d|ii�|	S)Nrsr}r�rBr�r�r)r�r�r�r/r0r�r�ruror�r�)rfr�rrr�rr�r5)rnr�r�r�rtrrer�rr�r�r�r7r7r8�build_zone_forward_rules�s(���z!nftables.build_zone_forward_rulesc	Cs�ddd�|}g}g}|r\|�|�|j��|�|�|j��|�|�|j��|�|�}n"|�ddddiidd	d
�i�d}d}|jj	j
||td
d�}	dtd|	|f|ddddiiddd
�iddigd�}
|
�
|�|��|�|d|
ii�|S)Nrsr}r�r)r�r�rUr/rcr0rr'Trrur�r�rLr�Z
masquerader�r�)r5rVrxrYrdr\rer5rfr�rrr�r�r:)rnr�r�r4r�r�r�rrtrr�r7r7r8�build_policy_masquerade_rules�s<�

����z&nftables.build_policy_masquerade_rulescCspd}|jj�||t�}	ddd�|}
g}|rn|�|�|j��|�|�|j��|�|�	|j
��|�|�}n8d}
|r�td|�r�d}
|�ddd	d
iid|
d�i�d
}|�dd|dd�id|�
|�d�i�|�r$td|�r�t|�}|�r|dk�r|�d||�
|�d�i�n|�dd|ii�n|�dd|�
|�ii�dtd|	|f|d�}|�|�|��|
d|iigS)Nr'rsr}r�rcrdr)r�r�rUr/r0rr*rar,r�r�)rJr_rJrAr_rur�r�r�)rfr�rrr5rVrxrYrdr\rer5rr`rr�r�r:)rnr�r�r_r-ZtoportZtoaddrr4rtrr�r�rrUr�r7r7r8�build_policy_forward_port_rules�sJ�

��


�z(nftables.build_policy_forward_port_rulescCs2|t|vrt||Sttd||j|f��dS)Nz)ICMP type '%s' not supported by %s for %s)r�rrry)rnr�Z	icmp_typer7r7r8�_icmp_types_to_nft_fragments(s
�z%nftables._icmp_types_to_nft_fragmentscCs:d}|jj�||t�}ddd�|}|r6|jr6|j}n<|jrjg}d|jvrT|�d�d|jvrr|�d�nddg}g}	|D�]�}
|jj�|�r�d||f}ddi}nd	||f}|��}g}
|r�|
�|�	|j
��|
�|�|j��|
�|�|j
��|
�|�|
|j��|�r�|	�|�|||||
��|	�|�|||||
��|j�rb|	�|�|||||
��nN|�|�}d
td|||f|
|��gd�}|�|�|��|	�|d
|ii�qz|j��dk�r|jj�|��s|	�|d
d
t||
|�|j���ddd||fiigd�ii�|	�|d
d
t||
|gd�ii�qz|	S)Nr(rsr}r�rcrdrbr�z
%s_%s_denyrurr�r�r�rr��%s_%s_ICMP_BLOCK: )rfr�rr�ipvsrdr5�query_icmp_block_inversionrrVrxrYr\rer�rtryr>r?rrDr5r�r�r:r�r�)rnr�r�Zictr4rtrr�rvr�r�Zfinal_chainrr�rr�r7r7r8�build_policy_icmp_block_rules/sl






� 
���
�z&nftables.build_policy_icmp_block_rulescCs�d}|jj�||t�}g}ddd�|}|jj�|�r@|��}nddi}|�|ddtd||fd	|��|gd
�ii�|j�	�dkr�|jj�|�r�|�|ddtd||fd	|��|�
|j�	��dd
d||fiigd
�ii�|S)Nr(rsr}r�r�r�rur�rF�rxrtr�r�r�r�rr�ru)rfr�rrrwrr5r�r&r�r�)rnr�r�rtrr�r�rr7r7r8�'build_policy_icmp_block_inversion_rulesks4


��

��z0nftables.build_policy_icmp_block_inversion_rulesc
Cs$g}d}|jjdkrddg}n<|jjdkr8ddg}d}n"|jjdkrRgd�}d}ngd�}d	d
ddiid
dd�id	d|dd�id
dd�ig}|dkr�|�dddii�|�ddi�|�dddt||d�ii�|jjdv�r |�dddt|d	ddd d!�id
d"d#d$gid�id%digd�ii�|S)&NZfilter_PREROUTINGZlooser�r@�
loose-forward�filter_FORWARD�strict-forward)r�r@Ziifr)r�r�rUr/rdr0ZfibZoif)rz�resultFr�rr�zrpfilter_DROP: r�r�r�rur��r{r}r*rYr+r,r�r`r^r�)rf�_ipv6_rpfilterr5r�)rnr�r�Zrpfilter_chainZ	fib_flagsr�r7r7r8�build_rpfilter_rules�sX
����
�
�
���znftables.build_rpfilter_rulesc
Cs�gd�}dd�|D�}ddddd�id	d
|id�ig}|jjdvrT|�d
ddii�|�|�d��g}|�dddtdd|d�ii�d}|j��dkr�|d7}|jjdvr�|d7}|�dddtd||d�ii�|S)N)	z::0.0.0.0/96z::ffff:0.0.0.0/96z2002:0000::/24z2002:0a00::/24z2002:7f00::/24z2002:ac10::/28z2002:c0a8::/32z2002:a9fe::/32z2002:e000::/19cSs2g|]*}d|�d�dt|�d�d�d�i�qS)r�r,rrBrI)r8r�)�.0r�r7r7r8�
<listcomp>�r�z5nftables.build_rfc3964_ipv4_rules.<locals>.<listcomp>r)r*rKr�r,r/r�r0)rrrr�zRFC3964_IPv4_REJECT: r#rsr�rur�rBryrGr�rr|)rfZ_log_deniedr5r$r�r�r�)rnZ	daddr_setr�r�Z
forward_indexr7r7r8�build_rfc3964_ipv4_rules�s<
��

�
�z!nftables.build_rfc3964_ipv4_rulesc	Cs�d}g}|�|�|j��|�|�|j��|�|�|j��g}|�|�|||||��|�|�|||||��|�|�	|||||��|S)Nr()
r5rVrxrYrdr\rer>r?rD)rnr�r�r4rtr�r�r7r7r8�*build_policy_rich_source_destination_rules�sz3nftables.build_policy_rich_source_destination_rulescCs|dvrdSdS)N)rcrdZebTFr7)rnr�r7r7r8�is_ipv_supported�sznftables.is_ipv_supportedc
Cs�ddd�}||||ddg||dd||g||dd||g||dg||||||g||ddg||dd||g||dgdd	�}||vr�||Sttd
|��dS)NZ	ipv4_addrZ	ipv6_addrrbZ
inet_protoZinet_servicer@ZifnameZ
ether_addr)zhash:ipzhash:ip,portzhash:ip,port,ipzhash:ip,port,netzhash:ip,markzhash:netzhash:net,netz
hash:net,portzhash:net,port,netzhash:net,iface�hash:macz!ipset type name '%s' is not valid)rr)rnr�r+Zipv_addr�typesr7r7r8�_set_type_list�s(�

��znftables._set_type_listcCs�|rd|vr|ddkrd}nd}dt||�||�d�}|�d�d�d	�D]}|d
vrLdg|d<qhqL|r�d
|vr�t|d
�|d
<d|vr�t|d�|d<dd|iigS)Nrx�inet6rdrcru)rxrtryr+�:rB�,)rG�netr_�intervalrz�timeoutZmaxelemrkrsr�)r�r�r8r�)rnryr+�optionsr�Zset_dict�tr7r7r8�build_set_create_ruless$
�
znftables.build_set_create_rulescCs$|�|||�}|�||j���dSr�)r�r�rfr�)rnryr+r�r�r7r7r8�
set_create$sznftables.set_createcCs*dddt|d�ii}|�||j���dS)Nr}r�rur�)r�r�rfr�)rnryr�r7r7r8�set_destroy(s
�
znftables.set_destroycCs|jj�|�j�d�d�d�}g}|D]�}|dkrd|�dddii�|�dd	|rVd
ndd�i�q(|d
vr�|�d|�|�|r�dndd�i�q(|dkr�|�dd|r�dndii�q(|dkr�|�dddii�q(ttd|��q(dt	|�dkr�d|in|d|�rdndd|d�iS)Nr�rBr�r_r�r�r%r*�thrarmr,)rGr�rZr�r�Zifacer�r�r@z-Unsupported ipset type for match fragment: %sr)�concatrrLr/�@r0)
rfrX�	get_ipsetr+r8r5�_set_get_familyrrr�)rnryZ
match_destrT�type_formatr6�formatr7r7r8rN.s* 
�
��znftables._set_match_fragmentc	Cs8|jj�|�}|j�d�d�d�}|�d�}t|�t|�krHttd��g}t|�D�]�\}}|dk�rz||�	d�}	Wn$t
y�|�d�||}
Yn,0|�||d|	��|||	dd�}
z|
�	d�}	Wnt
y�|�|
�Yn(0|�d|
d|	�|
|	dd�gi�qT|d	v�rd||v�rP|�d||�d�i�n�z||�	d
�}	WnJt
�y�||}d|jv�r�|jddk�r�t
|�}|�|�Yn^0||d|	�}d|jv�r�|jddk�r�t
|�}|�d
|t|||	dd��d�i�qT|�||�qTt|�dk�r4d|igS|S)Nr�rBr�z+Number of values does not match ipset type.r_rj�-r])rGr�r,rxr�r�rIr�)rfrXr�r+r8r�rr
�	enumerater�r�r5r�rr�)rnry�entry�objr�Zentry_tokens�fragmentr/r�r�Zport_strrJr7r7r8�_set_entry_fragmentEsP
�

(
�znftables._set_entry_fragmentc	Cs0g}|�||�}|�dddt||d�ii�|S)Nrsr2ru�rxrtry�elem)r�r5r�)rnryr�r�r2r7r7r8�build_set_add_rulesys
�znftables.build_set_add_rulescCs"|�||�}|�||j���dSr�)r�r�rfr�)rnryr�r�r7r7r8�set_add�sznftables.set_addcCs8|�||�}dddt||d�ii}|�||j���dS)Nr}r2rur�)r�r�r�rfr�)rnryr�r2r�r7r7r8�
set_delete�s�
znftables.set_deletecCsdddt|d�iigS)Nr�r�rur�)r�)rnryr7r7r8�build_set_flush_rules�s�znftables.build_set_flush_rulescCs |�|�}|�||j���dSr�)r�r�rfr�)rnryr�r7r7r8�	set_flush�s
znftables.set_flushcCsJ|jj�|�}|jdkrd}n(|jrBd|jvrB|jddkrBd}nd}|S)Nr�rFrxr�rKrG)rfrXr�r+r�)rnryrXrxr7r7r8r��s
�znftables._set_get_familyc	Cs�g}|�|�|||��|�|�|��d}|D]D}|�|�||��|d7}|dkr0|�||j���|��d}q0|�||j���dS)NrrBi�)r�r�r�r�r�rfr��clear)	rnZset_name�	type_name�entriesZcreate_optionsZ
entry_optionsr��chunkr�r7r7r8�set_restore�sznftables.set_restore)N)N)r�)F)F)NN)NN)NN)NN)NN)N)N)N)F)N)N)F)NN)K�__name__�
__module__�__qualname__ryZpolicies_supportedrpr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�rrrrr�r$rr&r0r5r7rrr�r:r>r?rDrrVrYr\r`rhrirlrnrprqrrrsrtrxrzr�r�r�r�r�r�r�r�rNr�r�r�r�r�r�r�r�r7r7r7r8re�s�0,.e

	
C


V
c�
2B
  +


	
 
 �
�
!

!�
+
<
+(


4	�re)N)+r�r�rOZfirewall.core.loggerrZfirewall.functionsrrrrrZfirewall.errorsrr	r
rrr
rZfirewall.core.richrrrrrrrrrZfirewall.core.baserZnftables.nftablesrr�r�r~rr�r�r9r��objectrer7r7r7r8�<module>s�$,�


�



��























�&











��E