3

��g�^�@sfdZd
g
Z
ddlZddlmZ
ddlmZ
ddlmZ
ddl	m
Z
mZmZm
Z
mZ
Gdd
�d
e�ZdS)	z<FirewallCommand class for command line client simplification�FirewallCommand�N)
�errors)
�
FirewallError)
�
DBusException)�checkIPnMask�
checkIP6nMask�	check_mac�
check_port�check_single_addressc@s�
eZ
dZd\dd�
Zdd�Zdd�Zdd	�Zd
d�Zdd
�Zd]dd�
Z	d^dd�
Z
d_dd�
Zd`dd�
Zdadd�
Z
dbdd�
Zdcdd�
Zdddd�
Zded d!�
Zdfd"d#�
Zdgd$d%�
Zdhd&d'�
Zdid(d)�
Zdjd*d+�
Zdkd,d-�
Zd.d/�Zdld1d2�
Zdmd3d4�
Zd5d6�Zd7d8�Zd9d:�Zd;d<�Zd=d>�Zd?d@�Z dgdAfdBdC�
Z!dgfdDdE�
Z"dgfdFdG�
Z#dHdI�Z$dJdK�Z%dLdM�Z&dNdO�Z'dPdQ�Z(dRdS�Z)dTdU�Z*dVdW�Z+dXdY�Z,dZd[�Z-dS)nr
FcCs|
|_||_
d
|_d|_dS)NT)�quiet�verbose�'_FirewallCommand__use_exception_handler�fw)�selfrr�r�/usr/lib/python3.6/command.py�__init__#s



zFirewallCommand.__init__cCs
|
|_dS)
N)
r)rrrrr�set_fw)s
zFirewallCommand.set_fwcCs
|
|_dS)
N)
r)r�flagrrr�	set_quiet,s
zFirewallCommand.set_quietc


Cs|jS)
N)
r)
rrrr�	get_quiet/s
zFirewallCommand.get_quietcCs
|
|_dS)
N)
r)rrrrr�set_verbose2s
zFirewallCommand.set_verbosec


Cs|jS)
N)
r)
rrrr�get_verbose5s
zFirewallCommand.get_verboseNcCs$|
dk	r |jr t
jj|
d
�

dS)N�

)r�sys�stdout�write)r�msgrrr�	print_msg8s

zFirewallCommand.print_msgcCs$|
dk	r |jr t
jj|
d
�

dS)Nr)rr�stderrr)rrrrr�print_error_msg<s

zFirewallCommand.print_error_msgcCs,d
}d}tj
j�r||
|}
|j|
�

dS)Nzz)rr�isattyr )rrZFAILZENDrrr�
print_warning@s






zFirewallCommand.print_warningrcCs,|d
kr|j|
�

n
|j
|
�

tj|�

dS)N�
)r"rr�exit)rrZ	exit_coderrr�print_and_exitGs


zFirewallCommand.print_and_exitcCs|j|
d
�
dS)N�)
r%)rrrrr�failRs
zFirewallCommand.failcCs"|
dk	r|jrt
jj|
d
�

dS)Nr)rrrr)rrrrr�print_if_verboseUs

z FirewallCommand.print_if_verbosec
Cs�|jdk	r|jj
�
g}
d
}g}x�|D]�}
|dk	r�y||
�
}
Wnxtk
r�
}
z\tjt|�
�
}t|�
dkrz|jd|�

n|jd||�
||kr�|j	|�

|d7}w&WYdd}~XnX|
j	|
�

q&W�
xb|
D�
]X}
g}|dk	r�||7}t
|
t�o�t
|
t��
r|j	|
�

n||
7}|dk	�
r(||7}|j
�
y||�
Wn�ttfk
�r
}
z�t
|t��
rx|j|j��

|j�}nt|�
}tj|�
}|tjtjtjtjgk�
r�d
}t|�
dk�
r�|jd|�

n,|d
k�
r�|jd|�

dS|jd||�
||k�r|j	|�

|d7}WYdd}~XnX|j�
q�W|	�s�t|�
|k�sJd
|k�rNdSt|�
dk�rltj|d
�

nt|�
dk�r�tjtj�

dS)Nrr#zWarning: %sz	Error: %s)rZauthorizeAll�	Exceptionr�get_code�str�lenr"r%�append�
isinstance�list�tuple�deactivate_exception_handlerr�fail_if_not_authorized�
get_dbus_name�get_dbus_messager�ALREADY_ENABLED�NOT_ENABLED�ZONE_ALREADY_SET�ALREADY_SET�activate_exception_handlerrr$Z
UNKNOWN_ERROR)rZcmd_type�option�
action_method�query_method�parse_method�message�
start_args�end_args�no_exit�itemsZ_errorsZ_error_codes�itemr�code�	call_itemrrrZ__cmd_sequenceYsr
























































zFirewallCommand.__cmd_sequencec	Cs|jd
|
|||||d�
dS)N�add)
rA)
�_FirewallCommand__cmd_sequence)rr:r;r<r=r>rArrr�add_sequence�s
zFirewallCommand.add_sequencec
Cs |jd
||||||
g
|d�
dS)NrF)r?rA)
rG)r�
xr:r;r<r=r>rArrr�x_add_sequence�s

zFirewallCommand.x_add_sequencec		Cs$|jd
||||||
g
|g
|d�	
dS)NrF)r?r@rA)
rG)	r�zoner:r;r<r=r>ZtimeoutrArrr�zone_add_timeout_sequence�s

z)FirewallCommand.zone_add_timeout_sequencec	Cs|jd
|
|||||d�
dS)N�remove)
rA)
rG)rr:r;r<r=r>rArrr�remove_sequence�s
zFirewallCommand.remove_sequencec
Cs |jd
||||||
g
|d�
dS)NrM)r?rA)
rG)rrIr:r;r<r=r>rArrr�x_remove_sequence�s

z!FirewallCommand.x_remove_sequencec
Csg}x�|
D]�}|dk	r�y||�
}Wn^tk
r�
}	
zBt
|
�
d
krR|jd|	�

w
ntjt|	�
�
}
|jd|	|
�
WYdd}	~	XnX|j|�

q
W�
xv|D�
]l}g}|dk	r�||7}t|t	�r�t|t
�r�|j|�

n||7}|j�
y||�}Wn�tk
�
rj
}	
zZ|j
|	j��

tj|	j��
}
t
|
�
d
k�
rF|jd|	j��

w�n|jd|	j�|
�
WYdd}	~	Xn`tk
�
r�
}	
zBtjt|	�
�
}
t
|
�
d
k�
r�|jd|	�

n|jd|	|
�
WYdd}	~	XnX|j�
t
|
�
d
k�
r�|jd||d|f�

q�|j|�

q�W|�stjd�

dS)	Nr#zWarning: %sz	Error: %sz%s: %s�no�yesr)rPrQ)r)r,r"rr*r+r%r-r.r/r0r1rr2r3r4r9r�print_query_resultrr$)
rr:r<r=r>r?rArBrCrrDrE�resrrrZ__query_sequence�sR









"



















"




z FirewallCommand.__query_sequencecCs|j|
||||d
�
dS)N)
rA)
� _FirewallCommand__query_sequence)rr:r<r=r>rArrr�query_sequence�s

zFirewallCommand.query_sequencecCs|j|||||
g
|d
�
dS)N)r?rA)
rT)rrIr:r<r=r>rArrr�x_query_sequence�s

z FirewallCommand.x_query_sequencecCsJt|
�
rFt
|
�
rFt|
�
rF|
jd
�
o2t|
�
dkrFttjd|
��
|
S)Nzipset:�z8'%s' is no valid IPv4, IPv6 or MAC address, nor an ipset)rrr�
startswithr,rr�INVALID_ADDR)r�valuerrr�parse_source�s







zFirewallCommand.parse_source�
/c
Csly|
j|�
\}}Wn$t
k
r6


ttjd
|��
YnXt|�
sLttj|��
|dkrdttjd|��
||fS)NzTbad port (most likely missing protocol), correct syntax is portid[-portid]%sprotocol�tcp�udp�sctp�dccpz''%s' not in {'tcp'|'udp'|'sctp'|'dccp'})r]r^r_r`)�split�
ValueErrorrr�INVALID_PORTr	�INVALID_PROTOCOL)rrZZ	separator�port�protorrr�
parse_port
s










zFirewallCommand.parse_portc
Cs�
d}d}d}d}d
}x�d|
|d�kr�|
|d�jdd�d
}|t
|�
d7}d|
|d�krx|
|d�jdd�d
}	n|
|d�}	|t
|	�
d7}|dkr�|	}q|dkr�|	}q|dkr�|	}q|dkr�|	}q|d	kr�|r�qttjd
|��
qW|�
sttjd��
|�
sttjd��
|�
p|�
s*ttjd
��
t|�
�
s@ttj|��
|dk�
rZttjd|��
|�
rxt|�
�
rxttj|��
|�
r�td|��
r�|�
s�td|��
r�ttj	|��
||||fS)Nr�
=r#�
:rerf�toport�toaddr�ifzinvalid forward port arg '%s'zmissing portzmissing protocolzmissing destinationr]r^r_r`z''%s' not in {'tcp'|'udp'|'sctp'|'dccp'}�ipv4�ipv6)r]r^r_r`)
rar,rrZINVALID_FORWARDr	rcrdr
rY)
rrZ�compatreZprotocolrjrk�
i�opt�valrrr�parse_forward_port
sT





































z"FirewallCommand.parse_forward_portcCsF|
jd
�
}t
|�
dkr"|ddfSt
|�
dkr2|Sttjd|
��
dS)Nrhr#r�r&zinvalid ipset option '%s')rar,rrZINVALID_OPTION)rrZ�argsrrr�parse_ipset_optionH
s






z"FirewallCommand.parse_ipset_optioncCs.d
dg}|
|kr*tt
jd|
dj|�
f��
|
S)Nrmrnz'invalid argument: %s (choose from '%s')z', ')rr�INVALID_IPV�join)rrZ�ipvsrrr�check_destination_ipvR
s





z%FirewallCommand.check_destination_ipvcCsDy|
jd
d�\}}Wn t
k
r4


ttjd��
YnX|j|�
|fS)Nrir#z(destination syntax is ipv:address[/mask])rarbrrZINVALID_DESTINATIONrz)rrZZipvZdestinationrrr�parse_service_destinationZ
s





z)FirewallCommand.parse_service_destinationcCs0d
ddg}|
|kr,tt
jd|
dj|�
f��
|
S)NrmrnZebz'invalid argument: %s (choose from '%s')z', ')rrrwrx)rrZryrrr�	check_ipvb
s






zFirewallCommand.check_ipvcCs0d
ddg}|
|kr,tt
jd|
dj|�
f��
|
S)Nrtrmrnz'invalid argument: %s (choose from '%s')z', ')rrrwrx)rrZryrrr�check_helper_familyj
s






z#FirewallCommand.check_helper_familycCsB|
jd
�
st
tjd|
��
t|
jd
d��
dkr>t
tjd|
��
|
S)NZ
nf_conntrack_z('%s' does not start with 'nf_conntrack_'rtr#zModule name '%s' too short)rXrrZINVALID_MODULEr,�replace)rrZrrr�check_moduler
s










zFirewallCommand.check_moduleTcCs�|j�}|j
�}|j�}|j�}	|j�}
|j�}|j�}|j�}
|j�}|j	�}|j
�}|rv|j�}|j�}|j
�}n,|j�}tt|j�|�
�
}|j�}|j�}d
d�}g}|dk	r�|
|kr�|jd�

|r�|s�|s�|r�|r�|r�|jd�

|�
r|
ddj|�
}
|j|
�

|j�
r2|jd|�

|jd|�

|�
rJ|jd	t|�
�

|jd
|�

|�
sv|jd|�
rndnd
�

|�
r�|jddj|�
�

|jddj|�
�

n(|jddj|�
�

|jddj|�
�

|jddjt|�
�
�

|jddjdd�|D�
�
�

|jddjt|	�
�
�

|�s:|jd|�r2dnd
�

|jd|
�rJdnd
�

|jd|�rbdnddjdd�|D�
�
�

|jddjdd�|D�
�
�

|jd dj|
�
�

|jd!|�r�dnddjt||d"��
�

dS)#Nc
Ssfd
}
d}y|j|�
}Wnt
k
r*


Yn8X|t|�
7}t|||||d�jd�
�jdd��
}
|
S)Nrz	priority=�
 �
"rt)�indexrbr,�intr~)Zrule�priorityZ
search_strrprrr�rich_rule_sorted_key�
s






*zDFirewallCommand.print_zone_policy_info.<locals>.rich_rule_sorted_key�defaultZactivez (%s)z, z  summary: z  description: z  priority: z
  target: z  icmp-block-inversion: %srQrPz  ingress-zones: r�z  egress-zones: z  interfaces: z  sources: z  services: z	  ports: c
Ss g|]}
d|
d
|
df�qS)z%s/%srr#r)�.0rerrr�
<listcomp>�
s
z:FirewallCommand.print_zone_policy_info.<locals>.<listcomp>z
  protocols: z
  forward: %sz  masquerade: %sz  forward-ports: z
	rtc
Ss$g|]\}
}}}d|
|||f�qS)
z$port=%s:proto=%s:toport=%s:toaddr=%sr)r�rerfrjrkrrrr��
sz  source-ports: c
Ss g|]}
d|
d
|
df�qS)z%s/%srr#r)r�rerrrr��
s
z  icmp-blocks: z  rich rules: )
�key)Z	getTargetZgetServices�getPorts�getProtocolsZ
getMasqueradeZgetForwardPorts�getSourcePortsZ
getIcmpBlocksZgetRichRules�getDescription�getShortZgetIngressZonesZgetEgressZonesZgetPriorityZgetIcmpBlockInversion�sorted�setZ
getInterfacesZ
getSourcesZ
getForwardr-rxrrr+)rrK�settings�default_zone�extra_interfaces�isPolicy�targetZservices�ports�	protocolsZ
masqueradeZ
forward_ports�source_portsZicmp_blocksZrules�description�short_descriptionZ
ingress_zonesZegress_zonesr�Zicmp_block_inversionZ
interfacesZsourcesZforwardr�Z
attributesrrr�print_zone_policy_info|
sx





























































z&FirewallCommand.print_zone_policy_infocCs|j|
|||d
d�
dS)NF)r�r�r�)
r�)rrKr�r�r�rrr�print_zone_info�
s
zFirewallCommand.print_zone_infocCs|j|
|||d
d�
dS)NT)r�r�r�)
r�)rZpolicyr�r�r�rrr�print_policy_info�
s
z!FirewallCommand.print_policy_infocCs.
|j�}|j
�}|j�}|j�}|j�}|j�}|j�}	|j�}
|j�}|j	|
�

|j
rt|j	d
|	�

|j	d|�

|j	ddjdd�|D�
�
�

|j	ddj|�
�

|j	ddjd	d�|D�
�
�

|j	d
dj|�
�

|j	ddjdd�|j�D�
�
�

|j	d
djt
|
�
�
�

|j	ddjt
|�
�
�

dS)Nz  summary: z  description: z	  ports: r�c
Ss g|]}
d|
d
|
df�qS)z%s/%srr#r)r�rerrrr��
s
z6FirewallCommand.print_service_info.<locals>.<listcomp>z
  protocols: z  source-ports: c
Ss g|]}
d|
d
|
df�qS)z%s/%srr#r)r�rerrrr��
s
z  modules: z  destination: c
Ssg|]\}
}d|
|f�qS)
z%s:%sr)r��
k�
vrrrr��
s
z  includes: z  helpers: )r�r�r�Z
getModulesr��getDestinationsr�ZgetIncludesZ
getHelpersrrrxrBr�)rZservicer�r�r�r��modulesr��destinationsr�ZincludesZhelpersrrr�print_service_info�
s2



























z"FirewallCommand.print_service_infocCsp|j�}|j
�}|j�}t|�
d
kr,ddg}|j|
�

|jrX|jd|�

|jd|�

|jddj|�
�

dS)Nrrmrnz  summary: z  description: z  destination: r�)r�r�r�r,rrrx)rZicmptyper�r�r�r�rrr�print_icmptype_info�
s










z#FirewallCommand.print_icmptype_infocCs�|j�}|j
�}|j�}|j�}|j�}|j|
�

|jrT|jd
|�

|jd|�

|jd|�

|jddjdd�|j�D�
�
�

|jddj|�
�

dS)	Nz  summary: z  description: z  type: z  options: r�c
Ss$g|]\}
}|rd|
|fn|
�qS)
z%s=%sr)r�r�r�rrrr�s
z4FirewallCommand.print_ipset_info.<locals>.<listcomp>z  entries: )	ZgetTypeZ
getOptionsZ
getEntriesr�r�rrrxrB)rZipsetr�Z
ipset_typeZoptions�entriesr�r�rrr�print_ipset_info�
s













z FirewallCommand.print_ipset_infocCs�|j�}|j
�}|j�}|j�}|j�}|j|
�

|jrT|jd
|�

|jd|�

|jd|�

|jd|�

|jddjdd�|D�
�
�

dS)	Nz  summary: z  description: z
  family: z
  module: z	  ports: r�c
Ss g|]}
d|
d
|
df�qS)z%s/%srr#r)r�rerrrr�s
z5FirewallCommand.print_helper_info.<locals>.<listcomp>)r�Z	getModuleZ	getFamilyr�r�rrrx)r�helperr�r��moduleZfamilyr�r�rrr�print_helper_infos













z!FirewallCommand.print_helper_infocCs |
r|jd
�

n|jdd�
dS)NrQrPr#)
r%)rrZrrrrRs

z"FirewallCommand.print_query_resultcCs\|js�|j
|
�

tjt|
�
�
}|tjtjtjtj	gkrH|j
d
|
�

n|jd|
|�
dS)NzWarning: %sz	Error: %s)r
r2rr*r+rr5r6r7r8r"r%)r�exception_messagerDrrr�exception_handlers








z!FirewallCommand.exception_handlercCsd
|
krd}|j|t
j�
dS)NZNotAuthorizedExceptionz`Authorization failed.
    Make sure polkit agent is running or run the application as superuser.)r%rZNOT_AUTHORIZED)rr�rrrrr2's

z&FirewallCommand.fail_if_not_authorizedc

Cs
d
|_dS)NF)
r
)
rrrrr1-s
z,FirewallCommand.deactivate_exception_handlerc

Cs
d
|_dS)NT)
r
)
rrrrr90s
z*FirewallCommand.activate_exception_handlercCspg}t�}t
|
�
}xP|D]H}|s"P|j�}t|�
d
ks|ddkrDq||kr|j|�

|j|�

qW|j�
|S)Nr#r�
#�
;)r�r�)r��open�stripr,r-rF�close)r�filenamer�Zentries_set�
f�linerrr�get_ipset_entries_from_file3s















z+FirewallCommand.get_ipset_entries_from_file)FF)
N)
N)
N)Nr)
N)
N)NNF)
F)
F)
F)
F)
F)NF)
F)
F)
r\)
F).�__name__�
__module__�__qualname__rrrrrrrr r"r%r'r(rGrHrJrLrNrOrTrUrVr[rgrsrvrzr{r|r}rr�r�r�r�r�r�r�rRr�r2r1r9r�rrrrr
"sX









J





2



2

O)�__doc__�__all__rZfirewallrZfirewall.errorsrZdbus.exceptionsrZfirewall.functionsrrrr	r
�objectr
rrrr�<module>s