Current File : //usr/lib/python3.6/site-packages/firewall/__pycache__/functions.cpython-36.pyc

3

@)�f'K�#@sdddddddddd	d
ddd
ddddddddddddddddddd d!d"g#Zd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d%l	m
Z
d#d&lmZm
Z
ejd'kZd(d)�ed#d*�D�Zd+d�Zd,d�ZdXd.d�Zd/d0�Zd1d2�Zd3d4�Zd5d�Zd6d�Zd7d8�Zd9d�Zd:d�Zd;d"�Zd<d�Zd=d	�Zd>d
�Z d?d�Z!d@d�Z"dAd
�Z#dBd�Z$dCd�Z%dDd�Z&dEdF�Z'dGd�Z(dHd�Z)dId�Z*dJd�Z+dKd�Z,dLd�Z-dMd!�Z.dNd�Z/dOd�Z0dPd�Z1dQd�Z2dRd�Z3dSd�Z4dTd�Z5dUd�Z6dVd�Z7dWd �Z8d$S)Y�PY2�	getPortID�getPortRange�portStr�getServiceName�checkIP�checkIP6�checkIPnMask�
checkIP6nMask�
checkProtocol�checkInterface�checkUINT32�firewalld_is_active�tempFile�readfile�	writefile�enable_ip_forwarding�
check_port�
check_address�check_single_address�	check_mac�uniqify�ppid_of_pid�max_zone_name_len�	checkUser�checkUid�checkCommand�checkContext�joinArgs�	splitArgs�b2u�u2b�
u2b_if_py2�max_policy_name_len�stripNonPrintableCharacters�N)�log)�FIREWALLD_TEMPDIR�FIREWALLD_PIDFILE�3cCs"i|]}|dko|dksd|�qS)��N�)�.0�ir+r+�/usr/lib/python3.6/functions.py�
<dictcomp>.sr/�cCstt|t�r|}nT|r|j�}yt|�}Wn:tk
rbytj|�}Wntjk
r\dSXYnX|dkrpdS|S)z� Check and Get port id from port string or port id using socket.getservbyname

    @param port port string or port id
    @return Port id if valid, -1 if port can not be found and -2 if port is too big
    �i���������)�
isinstance�int�strip�
ValueError�socketZ
getservbyname�error)�portZ_idr+r+r.r7s
cCs�t|t�st|t�r|St|t�s*|j�rDt|�}|dkr@|fS|S|jd�}t|�dkr�|dj�r�|dj�r�t|d�}t|d�}|dkr�|dkr�||kr�||fS||kr�||fS|fSg}x�tt|�dd�D]�}tdj	|d|���}dj	||d��}t|�dk�rnt|�}|dk�r�|dk�r�||k�rF|j
||f�n&||k�r`|j
||f�n|j
|f�q�|dkr�|j
|f�|t|�kr�Pq�Wt|�dk�r�dSt|�dk�r�dS|dS)aI Get port range for port range string or single port id

    @param ports an integer or port string or port range string
    @return Array containing start and end port id for a valid range or -1 if port can not be found and -2 if port is too big for integer input or -1 for invalid ranges or None if the range is ambiguous.
    r$�-r2r1Nr3r3)r5�tuple�listr6�isdigitr�split�len�range�join�append)ZportsZid1�splitsZid2Zmatchedr-Zport2r+r+r.rNsL
$

�:cCsX|dkrdSt|�}t|t�r*|dkr*dSt|�dkr>d|Sd|d||dfSdS)a Create port and port range string

    @param port port or port range int or [int, int]
    @param delimiter of the output string for port ranges, default ':'
    @return Port or port range string, empty string if port isn't specified, None if port or port range is not valid
    �r$Nr1z%sz%s%s%s)rr5r6rA)r;Z	delimiter�_ranger+r+r.r�scCst|�}t|�}t|�dkr�t|�dkr@t|d�t|d�kSt|�dkr�t|d�t|d�kr�t|d�t|d�kr�dSn|t|�dkr�t|�dkr�t|d�t|d�kr�t|d�t|d�kr�t|d�t|d�kr�t|d�t|d�kr�dSdS)Nr1r$r2TF)rrAr)r;rBZ_portrHr+r+r.�portInPortRange�s000rIcCsTt|�}t|�dkr$|d|df}tt|�}ttdd�|�dd�d�}g}x�|D]�}|d|dkr�|d|dkr�|j|�qR|d|dkr�|d|dkr�|d|dkr�|j|�|d|df}qR|d|dko�|d|dko�|d|dkrR|j|�|d|df}qRWttdd�|��}|d|dk�rJ|df}|g|fS)z� Coalesce a port range with existing list of port ranges

        @param new_range tuple/list/string
        @param ranges list of tuple/list/string
        @return tuple of (list of ranges added after coalescing, list of removed original ranges)
    r1r$cSs t|�dkr|d|dfS|S)Nr1r$)rA)�xr+r+r.�<lambda>�sz#coalescePortRange.<locals>.<lambda>cSs|dS)Nr$r+)rJr+r+r.rK�s)�keycSs|d|dkr|dfS|S)Nr$r1r+)rJr+r+r.rK�s)rrA�map�sortedrDr>)Z	new_range�rangesZcoalesced_range�_ranges�removed_rangesrBr+r+r.�coalescePortRange�s*

  
 

rRcCs�t|�}t|�dkr$|d|df}tt|�}ttdd�|�dd�d�}g}g}�xJ|D�]@}|d|dkr�|d|dkr�|j|�qX|d|dkr�|d|dkr�|d|dkr�|j|�|j|dd|df�qX|d|dk�r<|d|dk�r<|d|dk�r<|j|�|j|d|ddf�qX|d|dkrX|d|dkrX|j|�|j|d|ddf�|j|dd|df�qXWttdd�|��}ttdd�|��}||fS)	z� break a port range from existing list of port ranges

        @param remove_range tuple/list/string
        @param ranges list of tuple/list/string
        @return tuple of (list of ranges added after breaking up, list of removed original ranges)
    r1r$cSs t|�dkr|d|dfS|S)Nr1r$)rA)rJr+r+r.rK�sz breakPortRange.<locals>.<lambda>cSs|dS)Nr$r+)rJr+r+r.rK�s)rLcSs|d|dkr|dfS|S)Nr$r1r+)rJr+r+r.rK�scSs|d|dkr|dfS|S)Nr$r1r+)rJr+r+r.rK�s)rrArMrNrDr>)Zremove_rangerOrPrQZadded_rangesrBr+r+r.�breakPortRange�s2
  
$
 
rScCs0ytjt|�|�}Wntjk
r*dSX|S)z� Check and Get service name from port and proto string combination using socket.getservbyport

    @param port string or id
    @param protocol string
    @return Service name if port and protocol are valid, else None
    N)r9Z
getservbyportr6r:)r;�proto�namer+r+r.r�s
cCs.ytjtj|�Wntjk
r(dSXdS)zl Check IPv4 address.
    
    @param ip address string
    @return True if address is valid, else False
    FT)r9�	inet_ptonZAF_INETr:)�ipr+r+r.rs
cCs
|jd�S)z� Normalize the IPv6 address

    This is mostly about converting URL-like IPv6 address to normal ones.
    e.g. [1234::4321] --> 1234:4321
    z[])r7)rWr+r+r.�normalizeIP6srXcCs2ytjtjt|��Wntjk
r,dSXdS)zl Check IPv6 address.
    
    @param ip address string
    @return True if address is valid, else False
    FT)r9rVZAF_INET6rXr:)rWr+r+r.r s
cCs�d|krN|d|jd��}||jd�dd�}t|�dksHt|�dkrVdSn|}d}t|�sbdS|r�d|krvt|�Syt|�}Wntk
r�dSX|dks�|dkr�dSdS)N�/r1F�.r$� T)�indexrArr6r8)rW�addr�maskr-r+r+r.r-s&cCs
|jt�S)N)�	translate�NOPRINT_TRANS_TABLE)Zrule_strr+r+r.r#DscCs�d|krN|d|jd��}||jd�dd�}t|�dksHt|�dkrVdSn|}d}t|�sbdS|r�yt|�}Wntk
r�dSX|dks�|dkr�dSdS)NrYr1Fr$�T)r\rArr6r8)rWr]r^r-r+r+r.r	Gs"cCs`yt|�}Wn:tk
rFytj|�Wntjk
r@dSXYnX|dksX|dkr\dSdS)NFr$�T)r6r8r9Zgetprotobynamer:)Zprotocolr-r+r+r.r
\scCs4|st|�dkrdSxdD]}||krdSqWdS)	z� Check interface string

    @param interface string
    @return True if interface is valid (maximum 16 chars and does not contain ' ', '/', '!', ':', '*'), else False
    �F� rY�!�*T)rdrYrerf)rA)Ziface�chr+r+r.rks
cCs<yt|d�}Wntk
r"dSX|dkr8|dkr8dSdS)Nr$Fl��T)r6r8)�valrJr+r+r.r~scCs�tjjt�sdSy"ttd��}|j�}WdQRXWntk
rFdSXtjjd|�s\dSy&td|d��}|j�}WdQRXWntk
r�dSXd|kr�dSdS)zv Check if firewalld is active

    @return True if there is a firewalld pid file and the pid is used by firewalld
    F�rNz/proc/%sz/proc/%s/cmdlineZ	firewalldT)�os�path�existsr'�open�readline�	Exception)�fd�pidZcmdliner+r+r.r
�s"cCsby*tjjt�stjtd�tjddtdd�Stk
r\}ztj	d|��WYdd}~XnXdS)Ni�Zwtztemp.F)�mode�prefix�dir�deletez#Failed to create temporary file: %s)
rjrkrlr&�mkdir�tempfileZNamedTemporaryFileror%r:)�msgr+r+r.r�s
cCsXyt|d��
}|j�SQRXWn4tk
rR}ztjd||f�WYdd}~XnXdS)NrizFailed to read file "%s": %s)rm�	readlinesror%r:)�filename�f�er+r+r.r�s$cCs\y$t|d��}|j|�WdQRXWn2tk
rV}ztjd||f�dSd}~XnXdS)N�wz Failed to write to file "%s": %sFT)rm�writeror%r:)rz�liner{r|r+r+r.r�scCs(|dkrtdd�S|dkr$tdd�SdS)N�ipv4z/proc/sys/net/ipv4/ip_forwardz1
�ipv6z&/proc/sys/net/ipv6/conf/all/forwardingF)r)�ipvr+r+r.r�s


cCs|jdd�jdd�S)N�_r<z
nf-conntrack-rG)�replace)�moduler+r+r.�get_nf_conntrack_short_name�sr�cCs�t|�}|d
ks<|dks<|dks<t|�dkr�|d|dkr�|dkrTtjd|�nZ|d
krltjd|�nB|dkr�tjd|�n*t|�dkr�|d|dkr�tjd|�dSd	S)Nr2r1r$z'%s': port > 65535z'%s': port is invalidz'%s': port is ambiguousz'%s': range start >= endFTr4r3r4r3)rrAr%Zdebug2)r;rHr+r+r.r�scCs(|dkrt|�S|dkr t|�SdSdS)Nr�r�F)rr	)r��sourcer+r+r.r�s
cCs(|dkrt|�S|dkr t|�SdSdS)Nr�r�F)rr)r�r�r+r+r.r�s
cCsRt|�dkrNxdD]}||dkrdSqWxdD]}||tjkr0dSq0WdSdS)N��r2���rFFr$r1�����	�
�
�rcT�)r2r�r�r�r�)r$r1r�r�r�r�r�r�r�r�r�rc)rA�stringZ	hexdigits)Zmacr-r+r+r.r�s

cCs(g}x|D]}||kr
|j|�q
W|S)N)rD)Z_list�outputrJr+r+r.r�s

cCsHy.tjd|�}t|j�dj��}|j�Wntk
rBdSX|S)z Get parent for pid zps -o ppid -h -p %d 2>/dev/nullr$N)rj�popenr6ryr7�closero)rqr{r+r+r.r�scCsBddlm}ddlm}ttt|j���}d|t|�td�S)z�
    iptables limits length of chain to (currently) 28 chars.
    The longest chain we create is POST_<policy>_allow,
    which leaves 28 - 11 = 17 chars for <policy>.
    r$)�POLICY_CHAIN_PREFIX)�	SHORTCUTS�Z_allow)Zfirewall.core.ipXtablesr��firewall.core.baser��maxrMrA�values)r�r��longest_shortcutr+r+r.r"	scCs.ddlm}ttt|j���}d|td�S)z�
    Netfilter limits length of chain to (currently) 28 chars.
    The longest chain we create is FWDI_<zone>_allow,
    which leaves 28 - 11 = 17 chars for <zone>.
    r$)r�r�Z__allow)r�r�r�rMrAr�)r�r�r+r+r.rscCsTt|�dkst|�tjd�kr"dSx,|D]$}|tjkr(|tjkr(|d	kr(dSq(WdS)
Nr1�SC_LOGIN_NAME_MAXFrZr<r��$T)rZr<r�r�)rArj�sysconfr�Z
ascii_lettersZdigits)�user�cr+r+r.rs


cCsDt|t�r,yt|�}Wntk
r*dSX|dkr@|dkr@dSdS)	NFr$r2r)r1Tli���)r5�strr6r8)Zuidr+r+r.r(s
cCsJt|�dkst|�dkrdSxd
D]}||kr"dSq"W|ddkrFdSd	S)Nr1iF�|�
�r$rYT)r�r�r�)rA)Zcommandrgr+r+r.r2s
cCs�|jd�}t|�dkrdS|ddkr>|ddd�dkr>dS|d	dd�d
krVdS|ddd�dkrndSt|d�d	kr�dSd
S)NrFr�r�Fr$�rootr2Z_ur1Z_rZ_tr�T)r�r�r4r4r4)r@rA)�contextrEr+r+r.r<s
 cCs8dtt�kr djdd�|D��Sdjdd�|D��SdS)N�quoterdcss|]}tj|�VqdS)N)�shlexr�)r,�ar+r+r.�	<genexpr>PszjoinArgs.<locals>.<genexpr>css|]}tj|�VqdS)N)�pipesr�)r,r�r+r+r.r�Rs)rtr�rC)�argsr+r+r.rNscCs8tr*t|t�r*t|�}tj|�}tt|�Stj|�SdS)N)rr5�unicoder r�r@rMr)�_stringrEr+r+r.rTs


cCst|t�r|jdd�S|S)z bytes to unicode zUTF-8r�)r5�bytes�decode)r�r+r+r.r]s
cCst|t�s|jdd�S|S)z unicode to bytes zUTF-8r�)r5r��encode)r�r+r+r.r cs
cCstrt|t�r|jdd�S|S)z" unicode to bytes only if Python 2zUTF-8r�)rr5r�r�)r�r+r+r.r!is)rF)9�__all__r9rjZos.pathr�r�r��sysrwZfirewall.core.loggerr%Zfirewall.configr&r'�versionrrBr`rrrrIrRrSrrrXrrr#r	r
rrr
rrrrr�rrrrrrr"rrrrrrrrr r!r+r+r+r.�<module>sz

:
&+


	




	

?>