#fddZddlZddlZddlZddlZddlZddlZddlmZm Z ddl m Z m Z m Z mZmZmZddlZGddej&j(Zy)z-backend_iptables.py: iptables backend for ufwN)UFWErrorUFWRule)warndebugmsgcmdcmd_pipe _findpathceZdZdZddZdZdZdZddZdZ d Z d Z d Z d Z d ZdZddZddZdZddZdZdZdZy)UFWBackendIptableszInstance class for UFWBackendNcdtjjzdz|_||_||_i}t tjj|}tjj|d|d<tjj|d|d<tjj|d|d<tjj|d |d <tjj|d |d <tjj|d |d<tjjt tjj|d|d<tjjj|d||||ggggd|_dD]}d}|dk(r|j!r||z }n|dk(r&dD]1}dD]*} |d|d| } |j|j#| ,3|jdj#|dz|jdj#|dzgd|_d|_y )!z!UFWBackendIptables initializationz# z _comment #zufw/user.rulesruleszufw/before.rules before_ruleszufw/after.rules after_ruleszufw/user6.rulesrules6zufw/before6.rules before6_ruleszufw/after6.rules after6_ruleszufw-initinitiptables)rootdirdatadir)beforeuseraftermisc)46ufwr)rrrinputoutputforward-z -logging-rz -logging-denyz-logging-allow)-mlimit--limitz3/minute-jLOG --log-prefixz[UFW LIMIT BLOCK]N)rcommon programName comment_strrrr config_dirospathjoin state_dirbackend UFWBackend__init__chainsuse_ipv6appendufw_user_limit_logufw_user_limit_log_text) selfdryrunrrfilesr-ver chain_prefixloctargetchains 6/usr/lib/python3/dist-packages/ufw/backend_iptables.pyr4zUFWBackendIptables.__init__ s#**"8"88<G  szz44g> j2BCg " Z9K Ln!ww||J8IJm'',,z3DEh!#j:M!No " Z9K Ln  Yszz/C/CW%M%/1f  ''j&%07 ( J"$R"bI  HC Lcz==? C'LCZ2 3<3F2>VLEKK$++E23 3 KK  & &|o'E F KK  & &|6F'F G H"#3(;$ctd}|jddk(r|dz }|S|jddk(r|dz }|S|jddk(r|dz }|S|d z }|S) zGet current policyz New profiles:default_application_policyacceptz allowdropz denyrejectz rejectz skip)_defaults)r:rstrs rBget_default_application_policyz1UFWBackendIptables.get_default_application_policyPs! ==5 6( B H D ]]7 8F B GOD  ]]7 8H D I D  GOD rCc |js|dk7r#|dk7r|dk7rtd|z}t||dk7r#|dk7r|dk7rtd|z}t|d }|dk(rd }n|dk(rd }d }d }|dk(r) |j|jd d|zdd}d}nV|dk(r) |j|jd d|zdd}d}n( |j|jd d|zdd}d}t jd |z}|jd|jdfD]} tjj|} | d} | dD]d} |j| r1tjj| |j|| Etjj| | f tjj| td||dz} | tdz } | S#t $rwxYw#t $rwxYw#t $rwxYw#t $rwxYw#t $rwxYw)zSets default policy of firewallallowdenyrHzUnsupported policy '%s'incomingoutgoingroutedz%Unsupported policy for direction '%s'INPUTOUTPUTFORWARDrJzDEFAULT_%s_POLICYz"ACCEPT"z UFW BLOCKz UFW ALLOWz"REJECT"z"DROP"rrtmporigz5Default %(direction)s policy changed to '%(policy)s' ) directionpolicyz*(be sure to update your rules accordingly))r;rIr set_defaultr< Exceptionrecompilerutil open_filessearch write_to_filesub close_files) r:rZrYerr_msgrA old_log_str new_log_strpatffnsfdlinerKs rBset_default_policyz%UFWBackendIptables.set_default_policy^s{{ Vv%5&H:L56&Aw''J&9 +BH$CD&(w''EJ& h&!KK $$TZZ %;,?5,I,8: * ) 8#$$TZZ %;,?5,I,8: * ) $$TZZ %;,?5,I,68 * ) **S;./Cjj/N1KL ((--a0CZK9Dzz$'..r377;3MN..r48 9 HH((- $IJ )V<> >?? _!!!!!s<9#H'#H#H 1H.H< H H H+. H9< Ic2|jr!dtdz}|dtdzz }|S|jgd}g}g}|dk(r|jdgd}gd}n|d k(rd D]*}|jd |z|jd |z,d D]*}|jd |z|jd |z,dD]*}|jd|z|jd|z,dD]}|jd|zn|dk(r1dD]*}|jd|z|jd|z,n|dk(rdD]*}|jd|z|jd|z,|jddr"|jd|jd|jddr |jd|jdn|d k(r0dD]*}|jd!|z|jd"|z,n|d#k(rdD]z}|jd$|z|jd%|z|jd&|z|jd'|z|jd(|z|jd)|z||jd*|jd+|jd,|jd-d.|z}|D]}d/|vr?|j d/\} }|d0| zz }t |jg|z|d| gz\} } n t |jg|z|gz\} } || z }|dk7r|d1z }| d2k7s{t||dk(s|jr|d3z }|D]}d/|vr?|j d/\} }|d0| zz }t |jg|z|d| gz\} } n t |jg|z|gz\} } || z }|dk7r|d1z }| d2k7s{t||S)4z'Show current running status of firewall> zChecking raw iptables zChecking raw ip6tables )-nz-vz-x-Lrawz-t)filternatmanglerr)rsrurrbuiltins)rSrUrTz filter:%s) PREROUTINGrSrUrT POSTROUTINGz mangle:%s)rwrTzraw:%s)rwrxrTznat:%sr)r r"r!z ufw-before-%szufw6-before-%sr ufw-user-%s ufw6-user-%sr%rzufw-user-limit-acceptufw-user-limitrzufw6-user-limit-acceptufw6-user-limitrz ufw-after-%sz ufw6-after-%sloggingzufw-before-logging-%szufw6-before-logging-%szufw-user-logging-%szufw6-user-logging-%szufw-after-logging-%szufw6-after-logging-%szufw-logging-allowzufw-logging-denyzufw6-logging-allowzufw6-logging-denyz IPV4 (%s): :z(%s)  rz IPV6: ) r;rIinitcapsr7capssplitrrrr6 ip6tables) r: rules_typeoutargsitemsitems6cbitrcrWs rBget_running_rawz"UFWBackendIptables.get_running_raws\ ;;455C 4!677 7CJ '   KK 6E0F : %3 / [1_- kAo. /% / [1_- kAo. /. , X\* hl+ ,= + X\* + 8 #3 4 _q01 .23 46 !3 2 ]Q./ nq01 2yy!#& 45 -.yy!#& 67 /0 7 "3 3 ^a/0 o12 39 $3 ; 4q89 6:; 2Q67 4q89 3a78 59:  ; LL, - LL+ , MM. / MM- . + $AaxAw!}$$ 6!T1 EF S$ 6! <= S 3JCU"t Qwsm# $  $--/ = C (!8WWS\FQ7a=(C #T]]Od$:aq\$I JIR #T^^$4t$;qc$A BIRs &4KC7"3-' ( rCc d}|jr1dtdz}|jr|dtdzz }|Std}dD]}t|jdd|zd g\}}|d k(r td cS|d k7rt |d |zz|js[t|j dd|zd g\}}|d k7st |dzd}d} d} |j|jz} d } i} | D]}d}i}d}d}|sH|jdk7s|jdk7r*d}|j}|| vrtd|zQd| |<dD]}d||<d}d}|dk(rM|j}|s2|jdk7r#|j}|jrd|dk(r_|dz }nY|j}nL|j }|s2|jdk7r#|j}|jr|dk(r|dz }n |j"}|dk7r |dk7r|||<|dk7r||dk(r|||<n||xxd|zz cc<|r)|j$dk7r||xxd|j$zz cc<|r|dk(rT|jdk7rE||xxd|jzz cc<|jr|dk(r ||xxdz cc<||xxdz cc<|dk(rT|jdk7rE||xxd|jzz cc<|jr|dk(r ||xxdz cc<||xxdz cc<|dk(r|dk(s|dk(rud||<|r[|j$dk7rL|j|j k(r3|j|j"k(r||xxd|j$zz cc<|dk(r||xxdz cc<n|r|j$dk7rr|j|j"k(rY||xxd|j$zz cc<n>|jr2|j dk(r#|jdk(rd||vr ||xxdz cc<|j&rb|dk(r)|j(dk7r||xxd|j(zz cc<|dk(s|j*dk7s||xxd|j*zz cc<1|dk(r)|j(dk7r||xxd|j(zz cc<|dk(sf|j*dk7sw||xxd|j*zz cc<g}d}|j,s|j.j1d k(r|j,r)|j3|j,j1|r*|j.d k(r|j3|j.t5|d kDrd!d"j7|z}|r|d#| zz }|j.j9}|j&rd$}|j.d%k(r|j&s|s|sd}d}|j:dk7rd&|j=z}||dd'ddj7|j>j9|gd(|dd'||d)z }|r||z }n,|j&r| |z } n|j.d k(r| |z } n||z }| d z } |dk7s | dk7s| dk7rd*}|r|d+z }td,}td-}td.}d/}||||fz}|r|d+z }||d0t5|zd0t5|zd0t5|zfzz }||z }|dk7r||z }|dk7r| dk7r|td)z }| dk7r|| z }|dk7r| dk7r|td)z }| dk7r|| z }|}|ru|jA\} }!td1|jC|jCd2|jCd3dd4z}"|jE}#td5|!|"|#|d6zStd7|zS)8zShow ufw managed rulesrVrozChecking iptables zChecking ip6tables problem runningrrqryrpzStatus: inactiverz iptables: %s rz ip6tablesTFzSkipping found tuple '%s')dstsrcrz::/0 (v6)z 0.0.0.0/0any /z (%s)rAnywherez on %srz (%s)z, z[%2d] FWDinz # %s2612rz z ToFromActionz%-26s %-12s%s r#zCDefault: %(in)s (incoming), %(out)s (outgoing), %(routed)s (routed)r!r")rrrRz0Status: active %(log)s %(pol)s %(app)s%(status)s)logpolappstatuszStatus: active%s)#r;rIr6rrrrrrdappsapp get_app_tuplerrv6dportrsportprotocolr" interface_in interface_outlogtyperYlowerr7lenr0uppercomment get_commentaction get_loglevel_get_default_policyrL)$r:verbose show_countrrerYrout6sstr_outstr_rtercount app_rulesrtmp_strlocationtupl show_protor?portrWattribs attrib_strdir_strr,full_strstr_tostr_from str_actionrules_header_fmt rules_headerlevel logging_str policy_strapp_policy_strs$ rB get_statuszUFWBackendIptables.get_statuss ;;011C}}ta 6777J%&7 ;IT]]D)Y7?@IRQw+,,qw):c)BBCC}} $..$!/9!=t"EF T7"7\#9:: ;  T[[( T AGHDJ" " " (9$5>?&*IdO'X F " %<%%C"qvv| vv44C6M GOD ww%%C"qvv| vv44C6M GOD ww+%#-$'HSM5=}*(,   t3 !ajjE&9  qzz)99 %>M ttv (  8 $SMS0M%>M ttv (  8 $SMS0M5=k)SF](2 &!***=55AEE>agg.@$SMS1::-==M&=$SMW4M&!***=77agg-$SMS1::-==MTTaeevo!%%6/hsm3SMW,M99e|"(<  Q^^)DD e|2(=  Q__)EE e|"(<  Q^^)DD e|2(=  Q__)EE qX FtGJyyAKK--/5899NN199??#45!++"6NN1;;/w!?J8u--kk'')Gyy{{d"199:KyyB% 7 8E?03!((..:J:A:C1D080; = =GW 99w&G[[E)w&GLA QJEiT l 7gmw"}HG#tWFyH8J0 +vz8.LLL' , 3v;. 3z?2 3x=022 2L  $HBwA Bw7b=AdG#"}G#Bw7b=AdG#"}G#A #'#4#4#6 UK12&*%=%=%?&*&>&>x&H)-)A)A)BF*HIJJ"@@BNJK)*,;< <'(A. .rCc|jrtdtdzyg}|j|jd|j d|j X|jd|j|j |jd|j|j |jdt|\}}|dk7rtd |z}t|y) zStop the firewallrorunning ufw-initrN --rootdir --datadirz force-stoprproblem running ufw-init %s) r;rrIr7r<rrrrr:rrrres rB stop_firewallz UFWBackendIptables.stop_firewalls ;; q+,, -D KK 6* +||'DLL,D K( DLL) K( DLL) KK %D IRQw:S@Aw''rCcV|jrtdtdzyg}|j|jd|j d|j X|jd|j|j |jd|j|j |jdt|\}}|dk7rtd |z}t|d |jvs2|jd t|jjvr |jd y |j|jd y#t$rtd }t|wxYw#t$rtd }t|wxYw)zStart the firewallrorrNrrstartrrloglevellowzCould not set LOGLEVELzCould not load logging rules)r;rrIr7r<rrrrrJlist loglevelskeys set_loglevelr\update_loggingrs rBstart_firewallz!UFWBackendIptables.start_firewallsg ;; q+,, -D KK 6* +||'DLL,D K( DLL) K( DLL) KK D IRQw:S@Aw''.}}Z(T^^5H5H5J0KK,%%e, ,'' j(AB !, 89G"7++, !, >?G"7++,s3E%F% F F(cD|jry|jd}|j}|rd}|j}dD]`}|dk(s|dk(r*|r|jdds"|s|jdds7t |d d |d z|zg\}}|d k7sUt d yy)zCheck if all chains existFrufw6)r r!r"r% limit-acceptr%rrrrprq-user-rz_need_reload: forcing reloadT)r;rrrrrr)r:rprefixexerArrs rB _need_reloadzUFWBackendIptables._need_reloads ;; mm F..CN E5N#:dii05DIIg$6s$;S$fx.?%.GHIIRQw45 rCcftd}|jr(td|jr tdyy|j r |j dD]*}|j |d|g|j |d|g, td|jdg|jd g\}}|d k7rt|d z|jr>td|jd g|jd g\}}|d k7rt|d zyyy#t$r t|wxYw)zReload firewall rules filerz> | iptables-restorez> | ip6tables-restorer-F-Zcatrrprz iptablesrrN) rIr;rr6 is_enabledr5 _chain_cmdr\rr r<iptables_restoreip6tables_restore)r:rerrrs rB_reload_user_rulesz%UFWBackendIptables._reload_user_rules:s=%& ;; & '}}+, __  (V,2AOOAay1OOAay12!%G)@IRQww455}}$eTZZ-A%B&*&<&?ZZ 45 JJ:; > h' PDAq~~a  UA.446<<>X-$F\\^w.$F$F?I!((+84?D%kk,: 7;;x&/@/?0@BH0IJK$MN9==&1A2BDJ2K18^1224$569==&1A2BDJ2K18UT\11M$OP+ P4JJ|, h' )DAq" }}%R%&( }}&,.4&57D&EFGI!}}Vf_7K%KQO" 4(4( )rCcg}|j|||}tjd}t|D]\}}|j |j d|j |j|sG||j d||j |j d|jdd||xx|j d|j z cc<|S)z_Return list of iptables rules appropriate for sending as arguments to cmd() z(.*) --log-prefix (".* ")(.*)rr)r"rVz\3) rr]r^rr7rcrmatchreplace) r:rrrr str_snippetsrhrrs rB_get_lists_from_formattedz,UFWBackendIptables._get_lists_from_formatteds55eVVL jj9:l+ 9DAq OOCGGE1-335 6yy| "">2 ""3775!#4#<##/#6#6s2w#?#0#7#7B#@),B c(:1(=(G(G(LQ(O%1),B c(:1(=(G(G(LQ(O%2%(W%7%7%>36r73D3DS3I!3LL%(W%7%7%?47G4E4Ec4J14MM$(J$,%%(VF&+G"f}*.)/c):1)="3x!|'.vs1vs1vs1v/21vs1vug/6(8(/vs1vs1vs1v/21vs1vug/6(8-/JJu,= #&q6S=09 c3q60JDI#&q6S=09 c3q60JDI+r1 $ 2 24 F,2 $ 2 25- H 8 44 KK- KK..t4 KK. JJ--d3cQ 4f JJL{]  (<=Cw'' (\ (%'()G'H)-(/H N$ %sP  C;P/ #P,/"QQc"|jd}|r|jd}tj|tjst d|z}t | t jj|}|jd}|j}|rd}|j}|jrtjj!}n|d}t jj#|dt jj#|d|zd zt jj#|d|zd zt jj#|d|zd zt jj#|d|zd zt jj#|d|zd zt jj#|d|zdzt jj#|d|zdzt jj#|d|zdzt jj#|d|zdzt jj#|d|zdzt jj#|d|zdzt jj#|d|zdzt jj#|d|zdzt jj#|d|zdz|dk(r|j$dds|dk(r^|j$ddrLt jj#|d|zdzt jj#|d|zdzt jj#|d|D]}|j&} |j(rd|j&z} |j*dk7r| d|j*zz } d} |j,dk(r|j.dk(r |j0} n|j,dk7r,|j.dk7rd |j,d!|j.} nL|j,dk7r| |j0d|j,z } n| |j0d|j.z } |j2dk(r|j4dk(rd"| d#|j6d#|j8d#|j:d#|j<d#|j>d#| } |j@dk7r| d$|j@zz } t jj#|| d%zntCjDd#} d&} |j2r| jGd'|j2} d&}|j4r| jGd'|j4}d"| d#|j6d#|j8d#|j:d#|j<d#|j>d#| d#|d#| } |j@dk7r| d$|j@zz } t jj#|| d%zd(}|j(rd)}n|j0d*k(rd+}|d,|}d-|d#|jId%}|jK|||D]"}t jj#||$"t jj#|d.t jj#|d/ |jM|jNd0}|D]\}}}tQ|d1kDr |d1d2k(r|jS|d&zs3t jj#|d#jU|jWd3d4jWd5d6d%zt jj#|d7|dk(r|j$dds|dk(r|j$ddrt jj#|d8|jNd0d9k7rUt jj#|d-|zd:zd#jU|jXzd;z|jZzdzt jj#|d?t jj#|d@ |jr!t jj]|dAyBt jj]|yB#t$rwxYw#t$rwxYw#t$rwxYw)Cz.Write out new rules to file to user chain filerrz'%s' is not writablerrrWz*filter r~z-user-input - [0:0] z-user-output - [0:0] z-user-forward - [0:0] z-before-logging-input - [0:0] z-before-logging-output - [0:0] z -before-logging-forward - [0:0] z-user-logging-input - [0:0] z-user-logging-output - [0:0] z-user-logging-forward - [0:0] z-after-logging-input - [0:0] z-after-logging-output - [0:0] z-after-logging-forward - [0:0] z-logging-deny - [0:0] z-logging-allow - [0:0] r%rrz-user-limit - [0:0] z-user-limit-accept - [0:0] z### RULES ### zroute:rVrIrz!out_z ### tuple ### rz comment=%srr#r"r r"rr!rz-A z ### END RULES ### z ### LOGGING ### rr-D[z"[z] rz### END LOGGING ### z ### RATE LIMITING ### offz -user-limit z "z " z-user-limit -j REJECT z-user-limit-accept -j ACCEPT z### END RATE LIMITING ### zCOMMIT FN)/r<r.accessW_OKrIrrr_r`r\rrrr;sysstdoutfilenorbrrr"rrrrYrrrrrrrrr]r^rc format_ruler_get_logging_rulesrJrr%r0rr8r9rd)r:r rules_filererjr>rrkrrifaceststrr2rr chain_suffixrArule_strrlrules_trqs rB _write_ruleszUFWBackendIptables._write_rulessVZZ( H-JyyRWW-.*=>G7# # ((%%j1C    !LKKE ;;""$BUB r;/ r3#58O#OP r3#5)A$B C r3#5)B$C D r3#5)J$K L r3#5)K$L M r3#5)L$M N r3#5)H$I J r3#5)I$J K r3#5)J$K L r3#5)I$J K r3#5)J$K L r3#5)K$L M r3#5)B$C D r3#5)C$D E E !dii&8&= F "tyy'9#'> HH " "2s\'9-D(E F HH " "2s\'9-K(L M r#453 .AXXFyy!AHH,yyB# /)F~~#2(=2%!//R*?+,>>1??K>>R'annEEFaooFFFvv|" ajj!''155!''15599?MAII55D&&r4$;7JJsO 66$==7D66$==7D AGGQUUAGGQUUdF,99?MAII55D&&r4$;7"Lyy( %' $0,?E',ammo>H33Hl4@B .&&r1- .c3 .l r#:; r#89 ..t}}Z/HIH  GAq!1vzaddl||L3./&&rHHQK''T2::4G   r#:; E !dii&8&= F "tyy'9#'> HH " "2'B C}}Z(E1&&r5%,&(6,7$"9"9:,;,"&!=!=,>AH,HI HH " "2u|';2(3 4 HH " "2u|';9(: ; HH " "2'D E r:. {{$$S%0$$S)o   n   B   s*e'e5,ff' e25 f fcd|jd}|jr_|jstd}t ||j dk(rc|j ddsQtd|j zS|j dk(r*|j ddstd|j zS|jr4|jdk7r%|jd k7rtd }t |g}d }d }|j}|j} |jrD|jd kr)|jdk7s|jdk7r td S|j}| dks| t|kDrtd| z}t || dkDr"|j rtd}t | |j#d} d } d} d} |D]f} |j#|j&|j(|j|jf}| | k(rS| ddk(r | ddk(r| dkDs|ddk(r|ddk(s| |k7r$d} |j+|j-d} n| dz } |} | dz } t/j0||}|dkr| dz } |dk(r3|s1| s/d}|j r|j+|j-|dk(r|j r|j2dk(rd}|dkr3|j s'| s%d}d}|j+|j-V|j+|i| r#| dkDrtd}|jr|dz }|S|s+|j s|j+|j-|s6|j r*|j4std}|jr|dz }|S|r,|j s |std}|jr|dz }|S|jr||_n||_ |j7|jtd}|jr td}|j9rj|j4s]d}|s|j;|js| rUd}| r|tdz }n|tdz }|jr|dz }|r |j=n}|td z }nn|rO|j rCd!}td"}|jr|dz }|r |j=d}n,|td z }n|s|s|j s d#}td$}|dk7rs|j>}d%}|jr|j@}d&}|dz }d'}|jBrd(}n|jDd)k(rd*}|d+|}td,}tG|d-|d.g\}}|dk7r t ||d/|d/|jI}tKjLd0}|jO|||D]}tG|g|z\}}|dk7r%tQ|tRjTt ||d#k(sE|jWd/jY|sf|j[d1d/jY|}tG|d!|d2d3g\}}|dk7st]d4|z|S#t$$rwxYw#t$$rwxYw#t$rt$$rtd}t |YwxYw#t$$rwxYw#t$$rwxYw)5aXUpdates firewall with rule by: * appending the rule to the chain if new rule and firewall enabled * deleting the rule from the chain if found and firewall enabled * inserting the rule if possible and firewall enabled * updating user rules file * reloading the user rules file if rule is modified rVz)Adding IPv6 rule failed: IPv6 not enabledr%rz#Skipping unsupported IPv6 '%s' rulerz#Skipping unsupported IPv4 '%s' ruleudptcpz/Must specify 'tcp' or 'udp' with multiple portsFz1.4z:Skipping IPv6 application rule. Need at least iptables 1.4rzInvalid position '%d'z Cannot specify insert and deleter)rVrVrVrVrrTz Skipping inserting existing rulerz"Could not delete non-existent rulezSkipping adding existing rulezCouldn't update rules filez Rules updatedzRules updated (v6)z Rule insertedz Rule updatedz (skipped reloading firewall)r6z Rule deleted-Az Rule addedrrr r"rr!r!Could not update running firewallrqrprz(-A +)(ufw6?-user-[a-z\-]+)(.*)rr'RETURNzFAILOK: -D %s -j RETURN)/rrr6rIrrrmultirrpositioniptables_versionrrrrremove normalizer\rrr7dup_rulerrrr;rGrrrrrr"rYrr>r]r^rrr;stderrrar0rcr)r:r1 allow_reloadrKrenewrulesfoundmodifiedrrPrinsertedmatcheslastrcurrentretflagrr>rCrArrrDrrrs rBset_rulezUFWBackendIptables.set_rules  77==?GHw''{{g%dii.@.E>?4;;OO{{g%dii.@.E>?4;;OO ::$--50T]]e5KIJG7# # == 77$$u,$))r/26))r/UVVKKE a<8c%j0/0H=G7# # a77GOD t{{88977GOD 77"DK!DJ    dgg &! 77)*D ?? T[[D4,,TWW5Ao..DAn--D77GOD//1A=>>D4;;(77GOD//1DA=>>D8DKKrzmm$ 77..C#)LGOD& <<#,L^^u,#+L(4lC?@dE4 89 S7"7++)-ud6F6F6HI**%GH778D8DF CA!$SEAIIRQwC, )t|sxx{(C#KKsxx{;$'dAtX(F$G S7!";q"AB C [     T   45G W  2% %sB9[ [['\\$ [ [$'(\\ \!$ \/cbg}g}|r |j}n |j}|j}|j||j |j }|D]I}|j}|j |j } | |k(s9|j |K|S)z@Return a list of UFWRules from the system based on template rule)rrrTr'rSrr7) r:templaterrrnormrrrW tmp_tuples rBget_app_rules_from_systemz,UFWBackendIptables.get_app_rules_from_systems KKEJJE  " B !!# &A**,C MMO))+ID   %  &rCc|j}|jdr |j}t|g|z\}}|dk7r*t d|z}|rt d|zyt |y)zPerform command on chainrrzCould not perform '%s'zFAILOK: N)rr%rrrIrr)r:rArfail_okrrrres rBrzUFWBackendIptables._chain_cmdsmmm   F #..C % S 70D9:Gj7*+w'' rCc|jry|jg} |j|} |j d|j d|jsyt d}|jd|jdz|jd z|jd zD]} |j|d |d g |jd|jd z|jd zD]*}|j|d |g|j|d|g, |D]b\}}}d}t|dkDr |ddk(rd} |dk(r)t|dkDr|j|dg|ddzd|j|||ddD]}|jddr|dk(s|jdds-|dk(s3|j|d|g|jz|jdzgzd|jddk7sz|j|d|g|jz|jdzgzdy#t$rwxYw#t $rt$rt d}t |Y'wxYw#t$r t |wxYw#t$r t |wxYw#t$r t |wxYw)z#Update loglevel of running firewallNF)rTz&Couldn't update rules file for loggingrMrrrrrqrprrrr6 delete_firstr)rg)r{r|r%rr{rr|rrr8-I)r;rr?r\rGrrIrr5rrrr8r9rJ) r:rrules_trerrrFrgrAs rBrz!UFWBackendIptables.update_loggings  ;;   --e4G       '     & 78X&V)<< ;;w  "&++f"56 (A (D!T?3 ( $[[*T[[-AA{{6"# .D!9-D!9- . (GAq!G1vzaddl (&3q6A:OOAv!"~tOD1g. (; 2E '"3'E5E,E '"3'E5F,Fe} $ 7 7(8!%!=!=!C D(E)- .==,5OOED%=$($;$;,<%)%A%AC%G$H,I-1$2 2e      @AG W   (w'' ( $7# # $ (w'' (sBI$I6JAJAJ2 I(I?>I?JJ/2Kc&g}|t|jjvrtd|z}t ||dk(r.|j dD]}|j |d|ddgdg|S|j dD]}|j |d|ddgd ggd }|j||jd k\rg}|j||jd kr|}|j d D]}dD]}|j|s|j|dk(s|j|dk(r d}|j |d|ddd|g|zd g]|j||jdk\s}d}|j |d|ddd|g|zd gg}|j||jd kr|}|j dD]}|jdrd}ns|jdrbd}|j||jdkr |j |d|ddddddg|zd gn!|j |d|ddddddddg |zd g|j |d|dddg|zd g|j||jdk\r|g}|j||jdkr|}|j||jd krgd|z}d }|j d!D]}|j |d|ddd|g|zd g!|S)"z%Get rules for specified logging levelzInvalid log level '%s'r8rrjr'rNrir6rV)r$r%r&z3/minz --limit-burst10rhighrrrHrOz [UFW BLOCK] rLr(r)mediumz [UFW ALLOW] rrNr$ conntrack --ctstateINVALIDz[UFW AUDIT INVALID] full)r$rprqNEWz [UFW AUDIT] r) rrrrIrr5r7endswithr) r:rrkrerrlargsrrs rBr?z%UFWBackendIptables._get_logging_ruless T^^0023 301U;G7# # E>[[( OD!T8#>% DNN5$9 9E~~e$t~~f'=="[[) <7 0H050679,;<"^^E2dnnX6NN%3F#NNAau0>0H050679,;< < < E~~e$t~~f'=="[[( J::g&+FZZ'+F~~e,t~~h/GGD!T;,7,0(,<>C,DEG(IJ D!T;,7,0%,:,B ,D ). ,. 02 (34 D!T5$2F$<>C$DEG IJ# J* >>% DNN8$< <E~~e$t~~f'=="~~e$t~~f'==?*L#F[[* JD!T5$2F$<>C$DEG IJ JrCc d}ttjj|j}g}|j D]}|j |j ds"|j|j |tjj|dtjj|j |}tjj|rtd|z}t|tj d}|D]A}|d|}tjj#|s*td|z}t||D]P}|d|}|tdtjj||d zz }tj$||R|D]}|d|}t'j(tjj|dtjj|tjj+|t'j,|| tj.|} | t.j0} | t.j6zr|td |zz }| t.j8zs|td |zz }|S#t2$rtd |z} t5| Y-wxYw) zReset the firewallrVz.rulesrzCould not find '%s'. Abortingz %Y%m%d_%H%M%S.z'%s' already exists. Abortingz"Backing up '%(old)s' to '%(new)s' )oldnewzCouldn't stat '%s'zWARN: '%s' is world writablezWARN: '%s' is world readable)r rr* share_dirrr<rur7r.r/r0basenameisfilerIrtimestrftimeexistsrenameshutilcopydirnamecopymodestatST_MODEr\rS_IWOTHS_IROTH) r:resr{allfilesrfnreextrystatinfomoder3s rBresetzUFWBackendIptables.resethspcjj22DLLA  (A::a=))(3 OODJJqM *i gg..tzz!}=?B77>>"%;<Cw'' (mmO,  (As#Bww~~b!;<Cw''  ( As#B 1:;WW--a0<> >C IIa    ?A$C KK Y %'WW%5%5a%8:* , OOC # 771: - dll"q78A>> $q78A>>% ?(  12a8X s(J>>"K$#K$)NN)FF)F)T)__name__ __module__ __qualname____doc__r4rLrmrrrrrrrrr4rGr`rerrr?rrCrBr r sx'.;` IV[zc/J($,B8;8BH$cJgRcJ0 (H2TXt8rCr )rr.r]rrr;r~ ufw.commonrrufw.utilrrrrr r ufw.backendrr2r3r rrCrBrs@3" (??B//BrC