Current File : //lib/python3.9/site-packages/firewall/core/__pycache__/rich.cpython-39.pyc
a

���gK��@s�gd�ZddlmZddlmZddlmZddlmZddlm	Z	Gdd�de
�ZGd	d
�d
e
�ZGdd�de
�Z
Gd
d�de
�ZGdd�de�ZGdd�de
�ZGdd�de
�ZGdd�de
�ZGdd�de
�ZGdd�de
�ZGdd�de
�ZGdd�de
�ZGdd �d e
�ZGd!d"�d"e
�ZGd#d$�d$e
�ZGd%d&�d&e
�ZGd'd(�d(e�ZGd)d*�d*e
�ZGd+d,�d,e
�ZGd-d.�d.e
�Zd/S)0)�Rich_Source�Rich_Destination�Rich_Service�	Rich_Port�
Rich_Protocol�Rich_Masquerade�Rich_IcmpBlock�
Rich_IcmpType�Rich_SourcePort�Rich_ForwardPort�Rich_Log�
Rich_NFLog�Rich_Accept�Rich_Reject�	Rich_Drop�	Rich_Mark�
Rich_Audit�
Rich_Limit�	Rich_Rule�Rich_Tcp_Mss_Clamp�)�	functions)�check_ipset_name)�REJECT_TYPES)�errors)�
FirewallErrorc@seZdZddd�Zdd�ZdS)rFcCs�||_|jdkrd|_||_|jdks0|jdur8d|_n|jdurN|j��|_||_|jdkrdd|_||_|jdur�|jdur�|jdur�ttjd��dS)N��no address, mac and ipset)�addr�mac�upper�ipset�invertrr�INVALID_RULE)�selfrrr r!�r$�6/usr/lib/python3.9/site-packages/firewall/core/rich.py�__init__$s 


�zRich_Source.__init__cCsjd|jrdnd}|jdur*|d|jS|jdurB|d|jS|jdurZ|d|jSttjd��dS)Nz	source%s � NOTr�address="%s"zmac="%s"�
ipset="%s"r)r!rrr rrr"�r#�retr$r$r%�__str__5s


�zRich_Source.__str__N)F��__name__�
__module__�__qualname__r&r,r$r$r$r%r#s
rc@seZdZddd�Zdd�ZdS)rFcCsV||_|jdkrd|_||_|jdkr,d|_||_|jdurR|jdurRttjd��dS)Nr�no address and ipset)rr r!rrr")r#rr r!r$r$r%r&As

�zRich_Destination.__init__cCsRd|jrdnd}|jdur*|d|jS|jdurB|d|jSttjd��dS)Nzdestination%s r'rr(r)r1)r!rr rrr"r*r$r$r%r,Ms

�zRich_Destination.__str__N)Fr-r$r$r$r%r@s
rc@seZdZdd�Zdd�ZdS)rcCs
||_dS�N��name�r#r4r$r$r%r&WszRich_Service.__init__cCs
d|jS)Nzservice name="%s"r3�r#r$r$r%r,ZszRich_Service.__str__Nr-r$r$r$r%rVsrc@seZdZdd�Zdd�ZdS)rcCs||_||_dSr2��port�protocol)r#r8r9r$r$r%r&^szRich_Port.__init__cCsd|j|jfS)Nzport port="%s" protocol="%s"r7r6r$r$r%r,bszRich_Port.__str__Nr-r$r$r$r%r]src@seZdZdd�ZdS)r	cCsd|j|jfS)Nz#source-port port="%s" protocol="%s"r7r6r$r$r%r,fs�zRich_SourcePort.__str__N�r.r/r0r,r$r$r$r%r	esr	c@seZdZdd�Zdd�ZdS)rcCs
||_dSr2��value�r#r<r$r$r%r&kszRich_Protocol.__init__cCs
d|jS)Nzprotocol value="%s"r;r6r$r$r%r,nszRich_Protocol.__str__Nr-r$r$r$r%rjsrc@seZdZdd�Zdd�ZdS)rcCsdSr2r$r6r$r$r%r&rszRich_Masquerade.__init__cCsdS)N�
masquerader$r6r$r$r%r,uszRich_Masquerade.__str__Nr-r$r$r$r%rqsrc@seZdZdd�Zdd�ZdS)rcCs
||_dSr2r3r5r$r$r%r&yszRich_IcmpBlock.__init__cCs
d|jS)Nzicmp-block name="%s"r3r6r$r$r%r,|szRich_IcmpBlock.__str__Nr-r$r$r$r%rxsrc@seZdZdd�Zdd�ZdS)rcCs
||_dSr2r3r5r$r$r%r&�szRich_IcmpType.__init__cCs
d|jS)Nzicmp-type name="%s"r3r6r$r$r%r,�szRich_IcmpType.__str__Nr-r$r$r$r%rsrc@seZdZdd�Zdd�ZdS)rcCs
||_dSr2r;r=r$r$r%r&�szRich_Tcp_Mss_Clamp.__init__cCs|jrd|jSdSdS)Nztcp-mss-clamp value="%s"�
tcp-mss-clampr;r6r$r$r%r,�s
zRich_Tcp_Mss_Clamp.__str__Nr-r$r$r$r%r�src@seZdZdd�Zdd�ZdS)r
cCs<||_||_||_||_|jdur(d|_|jdur8d|_dS�Nr�r8r9�to_port�
to_address)r#r8r9rBrCr$r$r%r&�s

zRich_ForwardPort.__init__cCs<d|j|j|jdkrd|jnd|jdkr4d|jndfS)Nz(forward-port port="%s" protocol="%s"%s%srz
 to-port="%s"z
 to-addr="%s"rAr6r$r$r%r,�s��zRich_ForwardPort.__str__Nr-r$r$r$r%r
�sr
c@s&eZdZddd�Zdd�Zdd�ZdS)	rNcCs||_||_||_dSr2��prefix�level�limit)r#rErFrGr$r$r%r&�szRich_Log.__init__cCs>d|jrd|jnd|jr$d|jnd|jr6d|jndfS)Nz	log%s%s%s� prefix="%s"rz level="%s"� %srDr6r$r$r%r,�s��zRich_Log.__str__cCsV|jr t|j�dkr ttjd��|jr>|jdvr>ttj|j��|jdurR|j��dS)N��+maximum accepted length of 'prefix' is 127.)ZemergZalertZcrit�errorZwarningZnotice�info�debug)	rE�lenrr�INVALID_LOG_PREFIXrFZINVALID_LOG_LEVELrG�checkr6r$r$r%rQ�s�
zRich_Log.check)NNN�r.r/r0r&r,rQr$r$r$r%r�s
rc@s&eZdZddd�Zdd�Zdd�ZdS)	rNcCs||_||_||_||_dSr2��grouprE�	thresholdrG)r#rTrEZ
queue_sizerGr$r$r%r&�szRich_NFLog.__init__cCsPd|jrd|jnd|jr$d|jnd|jr6d|jnd|jrHd|jndfS)Nz
nflog%s%s%s%sz group="%s"rrHz queue-size="%s"rIrSr6r$r$r%r,�s��zRich_NFLog.__str__cCst|jrt�|j�sttjd��|jr>t|j�dkr>ttjd��|j	r\t�|j	�s\ttj
d��|jdurp|j��dS)Nz5nflog 'group' must be an integer between 0 and 65535.rJrKz:nflog 'queue-size' must be an integer between 0 and 65535.)
rTrZcheckUINT16rrZINVALID_NFLOG_GROUPrErOrPrUZINVALID_NFLOG_QUEUErGrQr6r$r$r%rQ�s
zRich_NFLog.check)NNNNrRr$r$r$r%r�s
rc@seZdZddd�Zdd�ZdS)rNcCs
||_dSr2�rG�r#rGr$r$r%r&�szRich_Audit.__init__cCsd|jrd|jndS)Nzaudit%srIrrVr6r$r$r%r,�szRich_Audit.__str__)Nr-r$r$r$r%r�s
rc@seZdZddd�Zdd�ZdS)r
NcCs
||_dSr2rVrWr$r$r%r&�szRich_Accept.__init__cCsd|jrd|jndS)Nzaccept%srIrrVr6r$r$r%r,�szRich_Accept.__str__)Nr-r$r$r$r%r
�s
r
c@s&eZdZddd�Zdd�Zdd�ZdS)	rNcCs||_||_dSr2��typerG)r#Z_typerGr$r$r%r&�szRich_Reject.__init__cCs,d|jrd|jnd|jr$d|jndfS)Nz
reject%s%sz
 type="%s"rrIrXr6r$r$r%r,�s�zRich_Reject.__str__cCsT|jrP|sttjd��|dvrP|jt|vrPd�t|�}ttjd|j|f��dS)Nz9When using reject type you must specify also rule family.�Zipv4Zipv6z, z%Wrong reject type %s.
Use one of: %s.)rYrrr"r�join)r#�familyZvalid_typesr$r$r%rQ�s�zRich_Reject.check)NNrRr$r$r$r%r�s
rc@seZdZdd�ZdS)rcCsd|jrd|jndS)Nzdrop%srIrrVr6r$r$r%r,�szRich_Drop.__str__Nr:r$r$r$r%r�src@s&eZdZddd�Zdd�Zdd�ZdS)	rNcCs||_||_dSr2��setrG)r#Z_setrGr$r$r%r&�szRich_Mark.__init__cCsd|j|jrd|jndfS)Nz
mark set=%s%srIrr]r6r$r$r%r,s�zRich_Mark.__str__cCs�|jdur|j}nttjd��d|vrr|�d�}t|�dkrHttj|��t�|d�rdt�|d�s�ttj|��nt�|�s�ttj|��dS)Nzno value set�/�r�)r^rrZINVALID_MARK�splitrOrZcheckUINT32)r#�x�splitsr$r$r%rQs

�
zRich_Mark.check)NrRr$r$r$r%r�s
rc@s,eZdZdd�Zdd�Zdd�Zdd�Zd	S)
rcCsV||_d|jvrR|j�d�}t|�dkrR|ddvrRd|d|ddd�f|_dS)Nr_r`ra)�secondZminuteZhourZdayz%s/%sr)r<rbrO)r#r<rdr$r$r%r&s

�zRich_Limit.__init__cCsd}d|jvr|j�d�}|r*t|�dkr8ttj|j��|\}}zt|�}Wnttj|j��Yn0|dksx|dvr�ttj|j��d}|dkr�d}n(|dkr�d}n|dkr�d	}n|d
kr�d}d||d
kr�ttjd|j��|dk�r|d
k�rttjd|j��dS)Nr_r`ra)�s�m�h�drfrg�<rhirii�Qi'rz%s too fastz%s too slow)r<rbrOrrZ
INVALID_LIMIT�int)r#rdZrateZdurationZmultr$r$r%rQ!s:
��zRich_Limit.checkcCs
d|jS)Nzlimit value="%s"r;r6r$r$r%r,CszRich_Limit.__str__cCsdSr@r$r6r$r$r%�commandFszRich_Limit.commandN)r.r/r0r&rQr,rlr$r$r$r%rs"rc@s>eZdZdZdZddd�Zdd�Zd	d
�Zdd�Zd
d�Z	dS)ri���i�NrcCsV|durt|�|_nd|_||_d|_d|_d|_d|_d|_d|_|rR|�	|�dSr2)
�strr\�priority�source�destination�element�log�audit�action�_import_from_string)r#r\�rule_strrnr$r$r%r&MszRich_Rule.__init__cCs�g}t�|�D]j}d|vrj|�d�}t|�dks@|dr@|dsPttjd|��|�|d|dd��q|�d|i�q|�ddi�|S)	z Lexical analysis �=r`rrazinternal error in _lexer(): %s)�	attr_name�
attr_valuerq�EOL)rZ	splitArgsrbrOrrr"�append)r#rv�tokens�r�attrr$r$r%�_lexer^s
�zRich_Rule._lexercCs`	|sttjd��t�|�}d|_d|_d|_d|_d|_	d|_
d|_d|_|�
|�}|rv|d�d�dkrvttjd��i}g}d}||�d�dkr�|dgk�	sT||�d�}||�d�}||�d�}|r�|dvr�ttjd	|��n�|d
v�r�|dk�r|j�rttjd��n�|d
k�r2|j�r2ttjd��n�|dv�r\|j	�r\ttjd||j	f��nh|dv�r||j
�r|ttjd��nH|dk�r�|j�r�ttjd��n(|dv�r�|j�r�ttjd||jf��nttjd|��t|�dk�r�|t|�dnd}	|	dk�r�|�sT|�rT|dk�r&ttjd��n,|dk�r>ttjd��nttjd||f��n*d|v�rtttjd||f��n
|�d��n�|	dk�r6|dk�r�|d v�r�ttjd!|��||_nz|dk�r�zt|�|_Wn$t�y�ttjd"|��Yn0n:|�r(|d#k�rd$}
nd%||f}
ttj|
��n
|�|��n|	dk�r�|d&v�rT|||<nV|d'v�rhd(|d)<nBt|�d*�|�d+�|�d,�|�d)d-��|_|��|��|d}�n�|	d
k�r|d.v�r�|||<nN|d'v�r�d(|d)<n:t|�d*�|�d,�|�d)d-��|_|��|��|d}�n,|	d#k�rV|d/k�rFt|�|_	|��nttjd0���n�|	d1k�r�|d/k�rt|||<n(t|�d/��|_	|��|��|d}�n�|	d2k�r�|d3k�r�t|�|_	|��nttjd4���nr|	d5k�r*|d6v�r�|||<n0t|�d5�|�d#��|_	|��|��|d}�n |	d7k�rb|d3k�rRt|�|_	|��nttjd8���n�|	d9k�r�|d3k�r�t|�|_	|��nttjd:���n�|	d;k�r�t�|_	|��|��|d}�n�|	d<k�r*|d=v�r�|||<n@t|�d5�|�d#�|�d>�|�d?��|_	|��|��|d}�n |	d@k�r||d6v�rH|||<n0t |�d5�|�d#��|_	|��|��|d}�n�|	dAk�r�|dBv�r�|||<nN|dCk�r�|�dC�n8t!|�dD�|�dE�|�dC��|_
|��|��|d}�n^|	dFk�rd|dGv�r
|||<nV|dCk�r |�dC�n@t"|�dH�|�dD�|�dI�|�dC��|_
|��|��|d}�n�|	dk�r�|dCk�r�|�dC�n(t#|�dC��|_|��|��|d}�n�|	dJk�r�|dCk�r�|�dC�n(t$|�dC��|_|��|��|d}�nN|	dKk�rH|dCk�r|�dC�n(t%|�dC��|_|��|��|d}�n|	dLk�r�|dMk�rf|||<nF|dCk�r||�dC�n0t&|�dM�|�dC��|_|��|��|d}n�|	dNk�	r|dOk�r�|||<nF|dCk�r�|�dC�n0t'|�dO�|�dC��|_|��|��|d}n6|	dCk�	rJ|d/k�	r>t(|�|dC<|��nttjdP��|d}q�|�)�dS)QNz
empty rulerrqrz�rulerxry)rnr\�addressrr r!r<r8r9�to-port�to-addrr4rTrErF�
queue-sizerYr^zbad attribute '%s')r�rorpr9�servicer8�
icmp-block�	icmp-typer>�forward-port�source-portrr�nflogrs�accept�drop�reject�markrG�not�NOTrzr?rozmore than one 'source' elementrpz#more than one 'destination' element)r9r�r8r�r�r>r�r�zFmore than one element. There cannot be both '%s' and '%s' in one rule.)rrr�zmore than one logging elementrszmore than one 'audit' element)r�r�r�r�zOmore than one 'action' element. There cannot be both '%s' and '%s' in one rule.zunknown element %srarr\z0'family' outside of rule. Use 'rule family=...'.rnz4'priority' outside of rule. Use 'rule priority=...'.z:'%s' outside of any element. Use 'rule <element> %s= ...'.z,'%s' outside of rule. Use 'rule ... %s ...'.rZzH'family' attribute cannot have '%s' value. Use 'ipv4' or 'ipv6' instead.z(invalid 'priority' attribute value '%s'.r9zdwrong 'protocol' usage. Use either 'rule protocol value=...' or  'rule [forward-]port protocol=...'.zDattribute '%s' outside of any element. Use 'rule <element> %s= ...'.)r�rr r!)r�r�Tr!r�rr F)r�r r!r<zinvalid 'protocol' elementr?r�r4zinvalid 'service' elementr8r7r�zinvalid 'icmp-block' elementr�zinvalid 'icmp-type' elementr>r�)r8r9r�r�r�r�r�rr)rErFrGrErFr�)rTrEr�rTr�r�r�r�rYr�r^zinvalid 'limit' element)*rrr"rZstripNonPrintableCharactersrnr\rorprqrrrsrtr�getrOr{rk�
ValueError�INVALID_PRIORITYr�pop�clearrrrrrrrrr
r	rrrr
rrrrrQ)r#rvr|�attrsZin_elements�indexrqrxryZ
in_element�err_msgr$r$r%ruos�



�"













*




"

























(






 



(















�




zRich_Rule._import_from_stringcCs�|jdur"|jdvr"ttj|j��|jdurn|jdurB|jjdusL|jdurVttj��t|j	�t
krnttj��|j|jks�|j|j
kr�ttjd|j|j
f��|j	du�r|jdus�|jdu�r|jdk�r|jdur�ttjd��|jdu�r|jdu�r|jdk�rttjd��t|j	�tt
ttfv�rZ|jdu�rZ|jdu�rZ|jdu�rZttjd��|jdu�rt|jjdu�r�|jdu�r�ttj��|jjdu�r�ttjd��|jjdu�r�ttjd��t�|j|jj��stttjt|jj���n�|jjdu�r6|jjdu�rttjd	��t�|jj��stttjt|jj���n>|jjdu�rht|jj��stttjt|jj���nttjd
��|jdu�r&|jjdu�r�|jdu�r�ttj��|jjdu�r�ttj d��t�|j|jj��s&ttjt|jj���n>|jjdu�rt|jj��s&ttjt|jj���nttjd��t|j	�t!k�rn|j	j"du�sVt#|j	j"�dk�r�ttj$t|j	j"����nRt|j	�t%k�r�t�&|j	j'��s�ttj(|j	j'��|j	j)d
v�r�ttj*|j	j)���nt|j	�t+k�r�t�,|j	j-��s�ttj*|j	j-���n�t|j	�tk�rF|jdu�rttjd��|jdu�r�|jjdu�r�ttjd���nzt|j	�tk�r�|j	j"du�svt#|j	j"�dk�r�ttj.t|j	j"���|j�r�ttjd���nt|j	�t/k�r�|j	j"du�s�t#|j	j"�dk�r�ttj.t|j	j"����n�t|j	�t
k�r�t�&|j	j'��sttj(|j	j'��|j	j)d
v�r8ttj*|j	j)��|j	j0dk�rd|j	j1dk�rdttj(|j	j0��|j	j0dk�r�t�&|j	j0��s�ttj(|j	j0��|j	j1dk�r�t�2|j|j	j1��s�ttj|j	j1��|jdu�r�ttj��|jdu�r�ttjd��n�t|j	�t3k�rDt�&|j	j'��s$ttj(|j	j'��|j	j)d
v�r�ttj*|j	j)��n|t|j	�tk�r�|jdu�rrttjd|j��|j	j-�r�t�4|j	j-��s�ttj|j	j-��n"|j	du�r�ttjdt|j	���|jdu�r�|j�5�|jdu�r$t|j�t6t7t8fv�r
ttj9t|j���|jj:du�r$|jj:�5�|jdu�r�t|j�t7k�rP|j�5|j�nt|j�t;k�rj|j�5�|jj:du�r�|jj:�5�dS)NrZz/'priority' attribute must be between %d and %d.rzno element, no actionz%no element, no source, no destinationzno action, no log, no auditzaddress and maczaddress and ipsetz
mac and ipsetzinvalid sourcezinvalid destinationra)ZtcpZudpZsctpZdccpzmasquerade and actionzmasquerade and mac sourcezicmp-block and actionrzforward-port and actionz+tcp-mss-clamp and %s are mutually exclusivezUnknown element %s)<r\rrZINVALID_FAMILYrorrpZMISSING_FAMILYrYrqr
rn�priority_min�priority_maxr�rrrtr"rrrrsrr rZ
check_addressZINVALID_ADDRrmZ	check_macZINVALID_MACrZ
INVALID_IPSETZINVALID_DESTINATIONrr4rOZINVALID_SERVICErZ
check_portr8ZINVALID_PORTr9ZINVALID_PROTOCOLrZ
checkProtocolr<ZINVALID_ICMPTYPErrBrCZcheck_single_addressr	ZcheckTcpMssClamprQr
rrZINVALID_AUDIT_TYPErGrr6r$r$r%rQfs
�


����
$
��

   ���

�

zRich_Rule.checkcCs�d}|jr|d|j7}|jr,|d|j7}|jr@|d|j7}|jrT|d|j7}|jrh|d|j7}|jr||d|j7}|jr�|d|j7}|jr�|d|j7}|S)Nr�z priority="%d"z family="%s"rI)rnr\rorprqrrrsrtr*r$r$r%r,s$zRich_Rule.__str__)NNr)
r.r/r0r�r�r&rrurQr,r$r$r$r%rIs
x0rN)�__all__ZfirewallrZfirewall.core.ipsetrZfirewall.core.baserrZfirewall.errorsr�objectrrrrr	rrrrrr
rrrr
rrrrrr$r$r$r%�<module>s2
1