Current File : //proc/self/root/kunden/lib/python3.9/site-packages/firewall/core/__pycache__/fw.cpython-39.pyc
a

���gs��@s�dgZddlZddlZddlZddlZddlZddlmZmZddl	m
Z
ddl	mZddlm
Z
ddlmZddlmZdd	lmZdd
lmZddlmZddlmZdd
lmZddlmZddlmZddlmZddlmZddl m!Z!ddl"m#Z#ddl$m%Z%ddl&m'Z'm(Z(ddl)m*Z*ddl+m,Z,ddl-m.Z.ddl/m0Z0ddl1m2Z2ddl3m4Z4ddl5m6Z6m7Z7ddl8m9Z9ddl:m;Z;ddl<m=Z=dd l>m?Z?dd!l@mAZAdd"lBmCZCdd#l	mDZDdd$lEmFZFGd%d�deG�ZHdS)&�Firewall�N)�Dict�List)�config)�	functions)�	ipXtables)�ebtables)�nftables)�ipset)�modules)�FirewallIcmpType)�FirewallService)�FirewallZone)�FirewallDirect)�FirewallConfig)�FirewallPolicies)�
FirewallIPSet)�FirewallTransaction)�FirewallHelper)�FirewallPolicy)�nm_get_bus_name�nm_get_interfaces_in_zone)�log)�	IO_Object)�firewalld_conf)�Direct)�service_reader)�icmptype_reader)�zone_reader�Zone)�ipset_reader)�IPSET_TYPES)�
helper_reader)�
policy_reader)�check_on_disk_config)�	Rich_Rule)�errors)�
FirewallErrorc@sZeZdZd�dd�Zdd�Zdd�Zdd	�Zifeee	e
fd
�dd�Zd
d�Zdd�Z
dd�Zdd�Zdd�Zdd�Zdd�Zdd�Zd�dd�Zdd �Zd!d"�Zd�d#d$�Zd�d%d&�Zd'd(�Zd)d*�Zd+d,�Zd-d.�Zd/d0�Zd1d2�Zd3d4�Zd�d5d6�Z d7d8�Z!d9d:�Z"d;d<�Z#d=d>�Z$d?d@�Z%dAdB�Z&dCdD�Z'dEdF�Z(dGdH�Z)dIdJ�Z*dKdL�Z+d�dNdO�Z,d�dPdQ�Z-dRdS�Z.d�dTdU�Z/d�dVdW�Z0d�dXdY�Z1d�dZd[�Z2d\d]�Z3d^d_�Z4d`da�Z5dbdc�Z6ddde�Z7dfdg�Z8dhdi�Z9djdk�Z:dldm�Z;dndo�Z<dpdq�Z=drds�Z>dtdu�Z?d�dvdw�Z@dxdy�ZAdzd{�ZBd|d}�ZCd~d�ZDd�d��ZEd�d��ZFd�d��ZGd�d��ZHd�d��ZId�d��ZJdMS)�rFcCs�ttj�|_||_|sXt�|�|_t�|�|_	t
�
�|_t��|_
t�|�|_t��|_t|�|_t|�|_t|�|_t|�|_t|�|_t�|_t|�|_t|�|_t |�|_!|�"�dS�N)#rr�FIREWALLD_CONF�_firewalld_conf�_offliner�	ip4tables�ip4tables_backend�	ip6tables�ip6tables_backendr�ebtables_backendr
�
ipset_backendr	�nftables_backendr�modules_backendr�icmptyper
�servicer�zoner�directrr�policiesrr�helperr�policy�_Firewall__init_vars)�selfZoffline�r=�4/usr/lib/python3.9/site-packages/firewall/core/fw.py�__init__Gs&










zFirewall.__init__cCsDd|j|j|j|j|j|j|j|j|j|j	|j
|j|j|j
|jfS)Nz:%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r))�	__class__�ip4tables_enabled�ip6tables_enabled�ebtables_enabled�_state�_panic�
_default_zone�_module_refcount�_marks�cleanup_on_exit�cleanup_modules_on_exit�_ipv6_rpfilter�
ipset_enabled�_individual_calls�_log_denied�r<r=r=r>�__repr___s��zFirewall.__repr__cCs�d|_d|_tj|_g|_g|_i|_g|_tj	|_
tj|_tj
|_tj|_tj|_tj|_tj|_tj|_tj|_tj|_|jr�d|_d|_d|_ d|_!t"|_#d|_$n0d|_g|_%d|_g|_&d|_ d|_!t"|_#d|_$dS)NZINITFT)'rDrErZ
FALLBACK_ZONErF�_default_zone_interfacesZ_nm_assigned_interfacesrGrHZFALLBACK_CLEANUP_ON_EXITrIZ FALLBACK_CLEANUP_MODULES_ON_EXITrJZFALLBACK_IPV6_RPFILTERrKZFALLBACK_INDIVIDUAL_CALLSrMZFALLBACK_LOG_DENIEDrNZFALLBACK_FIREWALL_BACKEND�_firewall_backendZFALLBACK_FLUSH_ALL_ON_RELOAD�_flush_all_on_reloadZFALLBACK_RFC3964_IPV4�
_rfc3964_ipv4ZFALLBACK_ALLOW_ZONE_DRIFTINGZ_allow_zone_driftingZFALLBACK_NFTABLES_TABLE_OWNER�_nftables_table_ownerr+rArBrCrLr!�ipset_supported_types�nftables_enabled�ipv4_supported_icmp_types�ipv6_supported_icmp_typesrOr=r=r>Z__init_varshs@zFirewall.__init_varscs�i}�fdd��j��D�|d<�fdd��j��D�|d<�fdd��j��D�|d<�fdd��j��D�|d	<�fd
d��j�	�D�|d<�fdd��j
��D�|d
<i|d<�j�
d�|dd<i|d<i|dd<t�j����t�j����D]}�j�|�|dd|<q�t�j����t�j����D]�}|�jv�sR|�jv�r6t��j�|��|dd|<g|dd|_|�jv�r�|dd|j�d�|�jv�r6|dd|j�d��q6|S)zH
        Returns a dict of dicts of all runtime config objects.
        csi|]}|�j�|��qSr=)r
�	get_ipset)�.0�_ipsetrOr=r>�
<dictcomp>��z4Firewall.get_all_io_objects_dict.<locals>.<dictcomp>�ipsetscsi|]}|�j�|��qSr=)r9�
get_helper)r[r9rOr=r>r]�r^�helperscsi|]}|�j�|��qSr=)r4�get_icmptype)r[r4rOr=r>r]�r^�	icmptypescsi|]}|�j�|��qSr=)r5�get_service)r[r5rOr=r>r]�r^�servicescsi|]}|�j�|��qSr=)r6�get_zone)r[r6rOr=r>r]�r^�zonescsi|]}|�j�|��qSr=)r:Z
get_policy)r[r:rOr=r>r]�r^r8Zconf�FirewallBackend�runtimeZicmptypes_unsupported�ipv4�ipv6)r
�
get_ipsetsr9�get_helpersr4�
get_icmptypesr5�get_servicesr6�	get_zonesr:Z"get_policies_not_derived_from_zoner*�get�setr�
differencerb�intersectionrXrY�copyZdestination�append)r<Z	conf_dictr4r=rOr>�get_all_io_objects_dict�s8	���z Firewall.get_all_io_objects_dict)�extra_io_objectsc
Csn|��}|D] }||D]}||||j<qqgd�}|D].}||}|��D]\}}	|	�|	��|�qNq:dS)N)r_rarcrergr8)rw�name�itemsZcheck_config_dictZexport_config_dict)
r<rxZall_io_objectsZtype_key�obj�orderZio_obj_typeZio_objsryZio_objr=r=r>�full_check_config�szFirewall.full_check_configcCs�|jr$d|j��vr$t�d�d|_|jrHd|j��vrHt�d�d|_|jrld|j��vrlt�d�d|_|js�|js�|j	s�t
tjd��dS)N�filterziptables is not usable.Fzip6tables is not usable.zebtables is not usable.zNo IPv4 and IPv6 firewall.)
rAr-�get_available_tablesr�info1rBr/rCr0rWr'r&�
UNKNOWN_ERRORrOr=r=r>�_start_check_tables�s&�
�
�
�zFirewall._start_check_tablescCs�z|j��Wn:tyH|jr.t�d�nt�d�g|_d|_Yn0|j�	�|_|j
��|j
js�|j
j
r|t�d�n"|jr�t�d�n
t�d�d|_|jr�|j�d�|_n|jr�|j
��|_ng|_|j��|jj�s|jj
r�t�d�n$|j�r
t�d	�n
t�d
�d|_|j�r2|j�d�|_n|j�rH|j��|_ng|_|j��|jj�s�|jj
�rxt�d�n$|j�r�t�d
�n
t�d�d|_|j�r�|j�s�|jj�s�t�d�|j��|j�r�|jj�s�t�d�dS)Nzaipset not usable, disabling ipset usage in firewall. Other set backends (nftables) remain usable.z4ipset not usable, disabling ipset usage in firewall.FzFiptables-restore is missing, using individual calls for IPv4 firewall.zMiptables-restore and iptables are missing, IPv4 direct rules won't be usable.zCiptables-restore and iptables are missing, disabling IPv4 firewall.rjzGip6tables-restore is missing, using individual calls for IPv6 firewall.zOip6tables-restore and ip6tables are missing, IPv6 direct rules won't be usable.zEip6tables-restore and ip6tables are missing, disabling IPv6 firewall.rkzHebtables-restore is missing, using individual calls for bridge firewall.zKebtables-restore and ebtables are missing, eb direct rules won't be usable.zEebtables-restore and ebtables are missing, disabling bridge firewall.zSebtables-restore is not supporting the --noflush option, will therefore not be usedzpConfiguration has NftablesTableOwner=True, but it's not supported by nftables. Table ownership will be disabled.)r1Zset_list�
ValueErrorrWrr��warningrVrLZset_supported_typesr-Zfill_exists�restore_command_existsZcommand_existsrAr2Zsupported_icmp_typesrXr/rBrYr0rCrM�restore_noflush_option�debug1Z
probe_supportrUZsupports_table_ownerrOr=r=r>�_start_probe_backends�sn









�

���zFirewall._start_probe_backendsc
Cs�t�dtj�z|j��Wn:tyV}z"t�|�t�d�WYd}~�n2d}~00|j�d�rr|j�d�|_	|j�d�r�|j�d�}|dur�|�
�dvr�d|_t�d|j�|j�d�r�|j�d�}|dur�|�
�d	vr�d
|_t�d|j�|j�d��rR|j�d�}|du�rR|�
�d	v�rRt�d
�z|j
��Wnt�yPYn0|j�d��r�|j�d�}|du�r�|�
�dv�r�d|_nV|�
�dv�r�d|_n@|�
�dv�r�d|_n*|�
�dv�r�d|_n|�
�dv�r�d|_t�d|j�d��|j�d��r8|j�d�}|du�r8|�
�d	v�r8t�d�d
|_|j�d��r�|j�d�}|du�sj|�
�dk�rrd|_n|�
�|_t�d|j�|j�d��r�|j�d�|_t�d |j�|j�d!��r�|j�d!�}|�
�dv�r�d|_nd
|_t�d"|j�|j�d#��r<|j�d#�}|�
�dv�r(d|_nd
|_t�d$|j�|j�d%��r�|j�d%�}|�
�dv�rld|_nd
|_t�d&|j�|j�t�|j��dS)'Nz"Loading firewalld config file '%s'z0Using fallback firewalld configuration settings.�DefaultZoneZ
CleanupOnExit)�noZfalseFzCleanupOnExit is set to '%s'ZCleanupModulesOnExit)�yes�trueTz#CleanupModulesOnExit is set to '%s'ZLockdownzLockdown is enabledZ
IPv6_rpfilterr�)r�r��strictr�)�looser�)�
loose-forwardr�)�strict-forwardr�zIPv6_rpfilter is set to '�'ZIndividualCallszIndividualCalls is enabled�	LogDeniedZoffzLogDenied is set to '%s'rhzFirewallBackend is set to '%s'ZFlushAllOnReloadzFlushAllOnReload is set to '%s'ZRFC3964_IPv4zRFC3964_IPv4 is set to '%s'ZNftablesTableOwnerz!NftablesTableOwner is set to '%s')rr�rr)r*�read�	Exceptionr�rqrF�lowerrIrJr8Zenable_lockdownr'rKrMrNrRrSrTrU�set_firewalld_confru�deepcopy)r<�msg�valuer=r=r>�_start_load_firewalld_conf1s�
"��



����z#Firewall._start_load_firewalld_confc
Cs�t�d�z|jj��WnXtyr}z@|j��rJt�d|jjj|�nt�d|jjj|�WYd}~n
d}~00|j	�
t�|j��dS)NzLoading lockdown whitelistz*Failed to load lockdown whitelist '%s': %s)
rr�r8Zlockdown_whitelistr�r�Zquery_lockdown�error�filenamerZset_policiesrur��r<r�r=r=r>�_start_load_lockdown_whitelist�s


�
�z'Firewall._start_load_lockdown_whitelistcCsL|�tj�|�tj�|�tj�|�tj�|�	tj
�|�tj�dSr()
�_loader_ipsetsrZFIREWALLD_IPSETS�_loader_icmptypesZFIREWALLD_ICMPTYPES�_loader_helpersZFIREWALLD_HELPERS�_loader_servicesZFIREWALLD_SERVICES�
_loader_zonesZFIREWALLD_ZONES�_loader_policiesZFIREWALLD_POLICIESrOr=r=r>�_start_load_stock_config�sz!Firewall._start_load_stock_configcCsL|�tj�|�tj�|�tj�|�tj�|�	tj
�|�tj�dSr()
r�rZETC_FIREWALLD_IPSETSr�ZETC_FIREWALLD_ICMPTYPESr�ZETC_FIREWALLD_HELPERSr�ZETC_FIREWALLD_SERVICESr�ZETC_FIREWALLD_ZONESr�ZETC_FIREWALLD_POLICIESrOr=r=r>�_start_load_user_config�sz Firewall._start_load_user_configcCs�|j��D]}|j�t�|j�|���q
|j��D]}|j�	t�|j�
|���q4|j��D]}|j�
t�|j�|���q^|j��D]}|j�t�|j�|���q�|j��D]}|j�t�|j�|���q�|j�t�|j����i}|j��D]�}|j�|�}d|jv�r0|j�t�|j�|���q�tj �!|j �}	|	|v�r|t"�}
|	|
_|
�#|
j�|j |
_ d|
_$d|
_%|
||	<t&�'d|	|j tj(|j)�||	�*|�q�|D]}|j�||��q�dS)N�/Fz"Combining zone '%s' using '%s%s%s')+rrlr
�	add_ipsetrur�rZrnr4�add_icmptyperbrmr9�
add_helperr`ror5�add_servicerd�get_policy_objectsr:Z
add_policy�get_policy_objectr7Zset_permanent_configZ
get_directrprfryr6�add_zone�os�path�basenamer�
check_name�defaultZforwardrr��sepr��combine)r<r\r4r9r5r:Zcombined_zonesr6Zz_objZ
combined_nameZ
combined_zoner=r=r>�_start_copy_config_to_runtime�s\�������
�z&Firewall._start_copy_config_to_runtimec
Cszttj�}tj�tj�rjt�dtj�z|��Wn4t	yh}zt�
dtj|�WYd}~n
d}~00|j�|�dS)NzLoading direct rules file '%s'z)Failed to load direct rules file '%s': %s)rrZFIREWALLD_DIRECTr�r��existsrr�r�r�r�Z
set_direct)r<r{r�r=r=r>�_start_load_direct_rules�s
��z!Firewall._start_load_direct_rulescCst|�}|s|j|d�|r |s4|j��rF|j��rF|�d�|��|rb|rbt�d�|j	�
�|j|d�|�d�|��|j��r�|j��r�t�d�|j��t�d�|j
|d�t�d�|jj|d�|jjd|j|d�t�d�|jj|d�|�d�|��dS)N��use_transactionTzUnloading firewall moduleszApplying ipsetszApplying default rule setzApplying used zoneszApplying used policies)r�flushr
�backendsZ
has_ipsets�execute�clearrr�r3�unload_firewall_modules�apply_default_tablesZapply_ipsets�apply_default_rulesr6Zapply_zones�change_default_zonerFr:Zapply_policies)r<�reload�complete_reload�transactionr=r=r>�_start_apply_objects�s<��







�

zFirewall._start_apply_objectsc
Cs�t|�}|j��r�t�d�|j�|�z|�d�|��WnRty~}z(t|j	d|j
rb|j
nd��WYd}~nd}~0ty��Yn0|�d�|��dS)Nz2Applying direct chains rules and passthrough rulesTz
Direct: %s�)rr7Zhas_configurationrr�Zapply_directr�r�r'�coder�r�)r<r��er=r=r>�_start_apply_direct_rules s


0
z"Firewall._start_apply_direct_rulescCs�dD]$}||j��vrttjd�|���q|j|j��vr~d|j��vrNd}nd|j��vrbd}nd}t�d|j|�||_nt�	d|j�|j
s�|��|��|j
dkr�d	}n|j
}|�|�s�ttjd
�|j
���dS)N)�blockZdropZtrustedzZone '{}' is not available.ZpublicZexternalr�z+Default zone '%s' is not valid. Using '%s'.zUsing default zone '%s'Ziptablesr,z'Firewall backend '{}' is not available.)r6rpr'r&�INVALID_ZONE�formatrFrr�r�r+r}r�rR�is_backend_enabledr�)r<�zr6Zbackend_to_checkr=r=r>�_start_check5s4�

��zFirewall._start_checkcCs�|��|��|�|j�|js*|��|��|��|��|�	�|�
�|jr\dSt��dkrpt
�
�}|j||d�|��t��dkr�t
�
�}t�d||�dS)Nr�r�r��z%Flushing and applying took %f seconds)r�r��_select_firewall_backendrRr+r�r�r�r�r�r�rZgetDebugLogLevel�timer�r�Zdebug2)r<r�r�Ztm1Ztm2r=r=r>�_startXs&zFirewall._startcCst|��|j��|j�t�|j��|�|j�|j	s@|�
�|��|��|�
�|j	rbdS|j||d�dS)z�
        This is basically _start() with at least the following differences:
            - built-in defaults for firewalld.conf
            - no lockdown list
            - no user config (/etc/firewalld)
            - no direct rules
        Nr�)�cleanupr*�set_defaultsrr�rur�r�rRr+r�r�r�r�r�)r<r�r�r=r=r>�_start_failsafews
zFirewall._start_failsafecCs�z|��Wn�ty�}z�t�d�z|��d|_|�d�Wnvty�}z^t�|�t��t�|�t�d�z|��Wnty�Yn0t	�
tj�WYd}~n
d}~00|�WYd}~nd}~00d|_|�d�dS)NzLFailed to load user configuration. Falling back to full stock configuration.�FAILED�ACCEPTz�Failed to load full stock configuration. This likely indicates a system level issue, e.g. the firewall backend (nftables, iptables) is broken. All hope is lost. Exiting.�RUNNING)
r�r�rr�r�rD�
set_policy�	exceptionr��sys�exitr&r�)r<Zoriginal_exZnew_exr=r=r>�start�s*



"zFirewall.startccs:tj�|�sdStt�|��D]}|�d�s.q|VqdS)N�.xml)r�r��isdir�sorted�listdir�endswith)r<r�r�r=r=r>�_loader_config_file_generator�s
z&Firewall._loader_config_file_generatorcCs�|�|�D]v}t�d|tj|�t||�}|j|j��vr`|j�	|j�}t�d|j
tj|j�n|j
�tj
�rtd|_|j�|�q
dS)NzLoading service file '%s%s%s'�Overrides '%s%s%s'T)r�rr�r�r�rryrrordr�r��
startswith�
ETC_FIREWALLDr�r��r<r�r�r{�orig_objr=r=r>r��s
�zFirewall._loader_servicescCs�|�|�D]v}t�d|tj|�t||�}|j|j��vr`|j�	|j�}t�d|j
tj|j�n|j
�tj
�rtd|_|j�|�q
dS)NzLoading ipset file '%s%s%s'r�T)r�rr�r�r�r ryrrlrZr�r�r�r�r�r�r�r=r=r>r��s
�zFirewall._loader_ipsetscCs�|�|�D]v}t�d|tj|�t||�}|j|j��vr`|j�	|j�}t�d|j
tj|j�n|j
�tj
�rtd|_|j�|�q
dS)NzLoading helper file '%s%s%s'r�T)r�rr�r�r�r"ryrrmr`r�r�r�r�r�r�r�r=r=r>r��s
�zFirewall._loader_helperscCs�|�|�D]v}t�d|tj|�t||�}|j|j��vr`|j�	|j�}t�d|j
tj|j�n|j
�tj
�rtd|_|j�|�q
dS)NzLoading policy file '%s%s%s'r�T)r�rr�r�r�r#ryrr�r�r�r�r�r�r�Zadd_policy_objectr�r=r=r>r��s
�zFirewall._loader_policiescCs�|�|�D]v}t�d|tj|�t||�}|j|j��vr`|j�	|j�}t�d|j
tj|j�n|j
�tj
�rtd|_|j�|�q
dS)NzLoading icmptype file '%s%s%s'r�T)r�rr�r�r�rryrrnrbr�r�r�r�r�r�r�r=r=r>r��s
�zFirewall._loader_icmptypescCstj�|�sdStt�|��D]�}|�d�sd|�tj�rtj�d||f�r|j	d||fdd�qd||f}t
�d|�t|||d�}|r�dtj�
|�tj�
|�dd�f|_|�|j�|j|j��vr�|j�|j�}t
�d	|jtj|j�n|j�tj��rd|_|j�|�qdS)
Nr�z%s/%sT)r�zLoading zone file '%s')Z
no_check_namer���r�)r�r�r�r�r�r�r�rr�r�rr�rr�ryr�rprfr�r�r�r�)r<r�r�r�ryr{r�r=r=r>r��s4
�
��zFirewall._loader_zonescCsp|j��|j��|j��|j��|j��|j��|j��|j��|j	��|j
��|��dSr()r4r�r5r6r
r9rr7r8r:r*r;rOr=r=r>r� s









zFirewall.cleanupcCsN|jsB|jr(|��|j��|�d�|jrBt�d�|j�	�|�
�dS)Nr�z!Unloading firewall kernel modules)r+rIr�r
r�rJrr�r3r�r�rOr=r=r>�stop-s



z
Firewall.stopc	Cs�d}d}t|�D]�\}}|r.|j�|�\}}n$|j|dkrBd}n|j�|�\}}|dkrl|d7}||7}q|r�|j�|d�|j|d7<q||jvr|j|d8<|j|dkr|j|=q||fS)Nrr�r�)�	enumerater3�load_modulerGZ
unload_module�
setdefault)	r<Z_modules�enableZ
num_failedZ
error_msgs�i�module�statusr�r=r=r>�handle_modules<s(

zFirewall.handle_modulescCs|dkrd|_dS)Nr	F)rW)r<�backendr=r=r>r�Vsz!Firewall._select_firewall_backendcCs4|��D]}|j|kr|Sqttjd|��dS)Nz'%s' backend does not exist)�all_backendsryr'r&r�)r<ryr�r=r=r>�get_backend_by_name\s

�zFirewall.get_backend_by_namecCs\|jr|jS|dkr |jr |jS|dkr4|jr4|jS|dkrH|jrH|jStt	j
d|��dS�Nrjrk�ebz-'%s' is not a valid backend or is unavailable)rWr2rAr-rBr/rCr0r'r&�INVALID_IPV�r<�ipvr=r=r>�get_backend_by_ipvcs�zFirewall.get_backend_by_ipvcCsP|dkr|jr|jS|dkr(|jr(|jS|dkr<|jr<|jSttjd|��dSr�)	rAr-rBr/rCr0r'r&r�r�r=r=r>�get_direct_backend_by_ipvos�z"Firewall.get_direct_backend_by_ipvcCs<|dkr|jS|dkr|jS|dkr*|jS|dkr8|jSdS)Nr,r.rr	F)rArBrCrW)r<ryr=r=r>r�yszFirewall.is_backend_enabledcCs8|jr
dS|dkr|jS|dkr&|jS|dkr4|jSdS)NTrjrkr�F)rWrArBrCr�r=r=r>�is_ipv_enabled�szFirewall.is_ipv_enabledcCsRg}|jr|�|j�n6|jr*|�|j�|jr<|�|j�|jrN|�|j�|Sr()	rWrvr2rAr-rBr/rCr0�r<r�r=r=r>�enabled_backends�szFirewall.enabled_backendscCsPg}|jr|�|j�|jr(|�|j�|jr:|�|j�|jrL|�|j�|Sr()	rArvr-rBr/rCr0rWr2rr=r=r>r��szFirewall.all_backendsNcCsJ|durt|�}n|}|��D]}|�||���q|durF|�d�dS�NT)rr�	add_rulesZbuild_default_tablesr�)r<r�r�r�r=r=r>r��s
zFirewall.apply_default_tablescCs�|durt|�}n|}|��D]}|�|j�}|�||�q|�d�r~|�d�}d|��vr~|jdkr~|�	|j�}|�||�|�d�r�|j
r�|��}|�||�|dur�|�d�dS)Nrk�rawr�T)
rrZbuild_default_rulesrNrrr�rrKZbuild_rpfilter_rulesrTZbuild_rfc3964_ipv4_rulesr�)r<r�r�r��rulesZipv6_backendr=r=r>r��s"



zFirewall.apply_default_rulescCs|jr|j��sdSdS)NTF)rWr7Zhas_runtime_configurationrOr=r=r>�may_skip_flush_direct_backends�sz'Firewall.may_skip_flush_direct_backendscCs\|durt|�}n|}|��D]&}||��vr0q|��}|�||�q|durX|�d�dSr)rr�r�build_flush_rulesrr��r<r�r�r�rr=r=r>�flush_direct_backends�s
zFirewall.flush_direct_backendscCsl|durt|�}n|}t�d�|��s4|j|d�|��D]}|��}|�||�q<|durh|�d�dS)NzFlushing rule setr�T)	rrr�rr
rrrr�r	r=r=r>r��s

zFirewall.flushcCs<|dvsJ�|dur0|dkr dnd}|||d�}|�||�S)N)r��DROP�PANICr�r)ZINPUTZOUTPUTZFORWARD)Zbuild_set_policy_rules)r<r�r:�policy_detailsZdpr=r=r>�_set_policy_build_rules�s�z Firewall._set_policy_build_rulescCs||durt|�}n|}t�d||dkr8dt�|��d�nd�|��D]}|�|||�}|�||�qF|durx|�d�dS)NzSetting policy to '%s'%srz (ReloadPolicy=�)r�T)	rrr�rZ_unparse_reload_policyrrrr�)r<r:r
r�r�r�rr=r=r>r��s
��zFirewall.set_policycCsB|sdS|�|�}|s&ttjd|��|�|�s4dS|�||j�S)Nr��'%s' is not a valid backend)r�r'r&r�r��set_rulerN)r<�backend_name�ruler�r=r=r>rs
�
z
Firewall.rulec	
Csttd|��}|�|�}|s,ttjd|��|�|�s:dS|jsZ|jrZ|dk�r|j	j
�st|�D]�\}}z|�||j
�Wqbty�}zjt�t���t�|�t|d|��D]0}z|�|�|�|j
�Wq�ty�Yq�0q�|�WYd}~qbd}~00qbn|�||j
�dS)Nrr)�listr~r�r'r&r�r�rMr�r0r�r�rrNr�rr��	traceback�
format_excr��reversedZreverse_ruleZ	set_rules)	r<rrZ_rulesr�r�rr�Zrruler=r=r>r#s8
�
���
zFirewall.rulescCs|jrttj��dSr()rEr'r&Z
PANIC_MODErOr=r=r>�check_panicCszFirewall.check_paniccCs"|}||j��vrttj|��|Sr()r:Zget_policiesr'r&ZINVALID_POLICY)r<r:Z_policyr=r=r>�check_policyGszFirewall.check_policycCs6|}|r|dkr|��}||j��vr2ttj|��|S)Nr�)�get_default_zoner6rpr'r&r�)r<r6�_zoner=r=r>�
check_zoneMszFirewall.check_zonecCst�|�sttj|��dSr()rZcheckInterfacer'r&ZINVALID_INTERFACE)r<�	interfacer=r=r>�check_interfaceUs
zFirewall.check_interfacecCs|j�|�dSr()r5�
check_service)r<r5r=r=r>rYszFirewall.check_servicecCst�|�sttj|��dSr()r�
check_portr'r&ZINVALID_PORT)r<�portr=r=r>r \s
zFirewall.check_portcCs*|sttj��|dvr&ttjd|��dS)N)ZtcpZudpZsctpZdccpz''%s' not in {'tcp'|'udp'|'sctp'|'dccp'})r'r&ZMISSING_PROTOCOLZINVALID_PROTOCOL)r<Zprotocolr=r=r>�check_tcpudp`s
��zFirewall.check_tcpudpcCst�|�sttj|��dSr()rZcheckIPr'r&�INVALID_ADDR)r<�ipr=r=r>�check_iphs
zFirewall.check_ipcCsP|dkr t�|�sLttj|��n,|dkr@t�|�sLttj|��nttjd��dS)Nrjrkz'%s' not in {'ipv4'|'ipv6'})rZcheckIPnMaskr'r&r#Z
checkIP6nMaskr�)r<r��sourcer=r=r>�
check_addressls

�zFirewall.check_addresscCs|j�|�dSr()r4�check_icmptype)r<Zicmpr=r=r>r(wszFirewall.check_icmptypecCs>t|t�std|t|�f��t|�dkr:ttjd|��dS)Nz%s is %s, expected intrz#timeout '%d' is not positive number)�
isinstance�int�	TypeError�typer'r&�
INVALID_VALUE)r<�timeoutr=r=r>�
check_timeoutzs
�zFirewall.check_timeoutcCs�t|�|j}|j��}|j}|j}|s`i}|j��D]}|j�|�j	||<q6|j
��}|��}	g}
|j�
�D]}|
�|j�|��qn|s�t�|j�d��}|jd|d�|��|��d}
z|jd|d�Wn(ty�}z|}
WYd}~n
d}~00|�r8|
D]2}|j�|j��s|j�r|�s|j�|j��q|�s�|��}||	k�r�||v�rbi||<||	D]0}||jv�rj||	||||<||	|=�qj|j��D]B}||v�r�||D]}|j�||��q�||=nt �!d|��q�t"|�dk�rt#|�$��D]}t �!d|�||=�q~|
D]�}|j�|j��r�|j%D]T}z|j�&|j|�Wn8t'�y�}z|j(t)j*k�rz|�WYd}~n
d}~00�q>n|j�+|�|j�,|j��q$|j
�-|�t.�}|�r|j��d	gD](}t/|�D]}|jj|||d
��q�q�||_|j�s|�d�|j�s�||jk�r�|dk�rd|�0|j1d�D]}|j1�2||j3��qJnT|�0|j4d�D]}|j4�2||j3��qr|j5�r�|�0|j6d�D]}|j6�2||j3��q�|
�r�d
|_7|
�nd|_7dS)NZReloadPolicyr)r
Tr�zNew zone '%s'.rz(Lost zone '%s', zone interfaces dropped.r�)Zsenderr�r	r�r�)8r$rEr
Zomit_native_ipsetrRrSr6rprf�
interfacesr7Zget_runtime_configrrlrvrZrZ_parse_reload_policyr*rqr�r�r�r�r�Zquery_ipsetryrLr1Zset_destroyrQ�change_zone_of_interfacerr��lenr�keys�entriesZ	add_entryr'r�r&�ALREADY_ENABLEDr�Zapply_ipsetZ
set_configrrrr2rrNr-rBr/rD)r<r�rEZ_omit_native_ipsetZold_firewall_backendZ	flush_allZ_zone_interfacesr6Z_direct_config�_old_dzZ_ipset_objs�_nameZ
reload_policyZstart_exceptionr�r{Z_new_dz�ifaceZinterface_id�entryr�Znm_bus_namerrr=r=r>r��s�


�


�



 

���zFirewall.reloadcCs|jSr()rDrOr=r=r>�	get_stateszFirewall.get_statec
Cs\|jrttjd��z|�d�Wn0tyP}zttj|��WYd}~n
d}~00d|_dS)Nzpanic mode already enabledrT)rEr'r&r5r�r��COMMAND_FAILEDr�r=r=r>�enable_panic_modes�"zFirewall.enable_panic_modec
Cs\|jsttjd��z|�d�Wn0tyP}zttj|��WYd}~n
d}~00d|_dS)Nzpanic mode is not enabledr�F)rEr'r&ZNOT_ENABLEDr�r�r;r�r=r=r>�disable_panic_modes�"zFirewall.disable_panic_modecCs|jSr()rErOr=r=r>�query_panic_mode*szFirewall.query_panic_modecCs|jSr()rNrOr=r=r>�get_log_denied/szFirewall.get_log_deniedcCsb|tjvr&ttjd|d�tj�f��||��krR||_|j�	d|�|j�
�nttj|��dS)Nz'%s', choose from '%s'z','r�)rZLOG_DENIED_VALUESr'r&r-�joinr?rNr*rr�writeZALREADY_SET)r<r�r=r=r>�set_log_denied2s
��zFirewall.set_log_deniedcCs|jSr()rFrOr=r=r>rAszFirewall.get_default_zonecCs�|�|�}||jkr~|j}||_|j�d|�|j��|jrBdS|j�||�|j�|�j	D]}||j
vr^|j�d|�q^ntt
j|��dS)Nr�r�)rrFr*rrrAr+r6r�rfr0rQr1r'r&ZZONE_ALREADY_SET)r<r6rr6r8r=r=r>�set_default_zoneDs



zFirewall.set_default_zonecCsD|��}|��D].\}}|s&t|t�r0|||<q||vr||=q|Sr()rurzr)�bool)r<Z	permanentriZcombined�keyr�r=r=r>�'combine_runtime_with_permanent_settings[s
z0Firewall.combine_runtime_with_permanent_settingscCs,dD]"}||vrdd�||D�||<qi}i}t|���t|���BD]�}||vrHt||t�r�t||vrt||ng�}tt||�|�||<t|t||�A|@�||<qHt||t�s�t||t��r||s�||r�d||<n||�r"||�s"d||<qHttjd�	t
||�|���qH||fS)N)Z
rich_rulesZ	rules_strcSsg|]}tt|d���qS))�rule_str)�strr%)r[rGr=r=r>�
<listcomp>mr^z;Firewall.get_added_and_removed_settings.<locals>.<listcomp>TFz Unhandled setting type {} key {})rrr3r)rrDr*r'r&ZINVALID_SETTINGr�r,)r<Zold_settingsZnew_settingsZrich_keyZadd_settingsZremove_settingsrE�oldr=r=r>�get_added_and_removed_settingsis$

z'Firewall.get_added_and_removed_settings)F)FF)FF)FF)F)N)N)N)N)N)NN)F)K�__name__�
__module__�__qualname__r?rPr;rwrrHrrr}r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�rrr�r�r�rr
r�rr�rrrrrrrr r"r%r'r(r/r�r:r<r=r>r?rBrrCrFrKr=r=r=r>rFs�
	%*Ud0
.#

	
"








 	

)I�__all__r�r�rur�r�typingrrZfirewallrrZ
firewall.corerrr	r
rZfirewall.core.fw_icmptyperZfirewall.core.fw_servicer
Zfirewall.core.fw_zonerZfirewall.core.fw_directrZfirewall.core.fw_configrZfirewall.core.fw_policiesrZfirewall.core.fw_ipsetrZfirewall.core.fw_transactionrZfirewall.core.fw_helperrZfirewall.core.fw_policyrZfirewall.core.fw_nmrrZfirewall.core.loggerrZfirewall.core.io.io_objectrZfirewall.core.io.firewalld_confrZfirewall.core.io.directrZfirewall.core.io.servicerZfirewall.core.io.icmptyperZfirewall.core.io.zonerrZfirewall.core.io.ipsetr Zfirewall.core.ipsetr!Zfirewall.core.io.helperr"Zfirewall.core.io.policyr#Zfirewall.core.io.functionsr$Zfirewall.core.richr%r&Zfirewall.errorsr'�objectrr=r=r=r>�<module>sP