eXvdZddlZddlZddlZddlmZdZdZdZeZ dZ dZ d Z d Z Gd d eZGd dZy)z!common.py: common classes for ufwN)debugufwz/lib/ufwz/usr/share/ufwz/etcz/usrz /usr/sbinTceZdZdZdZdZy)UFWErrorz$This class represents ufw exceptionsc||_yN)value)selfr s ,/usr/lib/python3/dist-packages/ufw/common.py__init__zUFWError.__init__#s  c,t|jSr)reprr r s r __str__zUFWError.__str__&sDJJr N)__name__ __module__ __qualname____doc__r rr r rr!s. r rceZdZdZ ddZdZdZdZdZdZ ddZ d Z d Z d Z d Zd ZdZdZdZdZdZdZdZdZdZdZdZdZy)UFWRulez$This class represents firewall rulesc >d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_d|_||_d|_ |j'||j)||j+||j+|d|j-||j/||j1||j3| y#t4$rwxYw)NFrsrc)removeupdatedv6dstrdportsportprotocolmultidappsappactionpositionlogtype interface_in interface_out directionforwardcomment set_action set_protocolset_portset_srcset_dst set_direction set_commentr) r r&r"r rr!rr+r,r-s r r zUFWRule.__init__,s                OOF #   h ' MM% MM% ' LL  LL    y )   W %   s B D Dc"|jSr) format_rulers r rzUFWRule.__str__Os!!r cd|z}t|j}|j|D]}|d|d|j|z }|S)zPrint rule to stdoutz'%s'z, =)list__dict__sort)r reskeysks r _get_attribzUFWRule._get_attribRsNoDMM"  5A 4==#34 4C 5 r ct|j|j}|j|_|j|_|j |_|j |_|j|_|j|_|j|_ |j|_ |j|_ |j|_ |j|_ |j|_|j|_|j |_|j"|_|j$|_|j&|_|S)zReturn a duplicate of a rule)rr&r"rrrrrr r!r#r$r%r'r(r)r*r+r,r-)r rules r dup_rulezUFWRule.dup_rule[st{{DMM2kk || ''8888ZZ ZZ ZZ II II   ||  --!//|| ||  r c:d}|jdk7r|d|jzz }|jdk7r|d|jzz }|jdk(r|dz }n|d|jzz }|jr|dz }|jdk7r9|j dk7r*|d|jzz }|dz }|d |j zz }nC|jdk7r|d|jzz }n!|j dk7r|d |j zz }|j d k7r!|j d k7r|d |j zz }|js!|jdk7r|d |jzz }|jd k7r!|jd k7r|d|jzz }|js!|j dk7r|d|j zz }d}|jdk7rd|jz}|jdk(r |d|zz }nL|jdk(r|d|zz }|jdk(r&|dz }n |jdk(r |d|zz }n|d|zz }|jdk7s|jdk7rd}tjd}|jdk7r"|d|jd|jzz }|jdk7r|jdk7r|dz }|jdk7r"|d|jd|jzz }|d z }|d|zz }|jS)!zFormat rule for later parsingrz -i %sz -o %sanyz -p allz -p z -m multiportz --dports z --sports 0.0.0.0/0::/0z -d z --dport z -s z --sport _allowz -j ACCEPT%srejectz -j REJECT%stcpz --reject-with tcp-resetlimitz -j LIMIT%sz -j DROP%sz-m comment --comment ' dapp_z%20,sapp_')r)r*r"r#r r!rrr(r&r$r%recompilesubstrip)r rule_strlstrr- pat_spaces r r6zUFWRule.format_rulers    " D$5$56 6H    # D$6$67 7H ==E !  !H . .HzzO+::&4::+> tzz 99H/H tzz 99HZZ5( tzz 99HZZ5( tzz 99H 88{ "txx6'9 ) )HzzdjjE1  djj0 0H 88{ "txx6'9 ) )HzzdjjE1  djj0 0H <<2 %D ;;' ! $/ /H [[H $ $/ /H}}%66 [[G #  . .H  - -H 99?dii2o.G 3IyyB7Y]]5$))%DDDyyB499?3yyB7Y]]5$))%DDD sNG g %H~~r c|jjd}|ddk(s|ddk(s|ddk(r |d|_nd|_d}t|dkDr|d}|j |y ) zSets action of the rulerGrrHrIrKdenyrN)lowersplitr&len set_logtype)r r&tmpr(s r r.zUFWRule.set_actionsslln""3' q6W A( 2c!f6Ga&DK DK s8a<!fG !r c^td|z}|dk(rn|dk(r|jrn|dk(r|jrntjd|stjd|r t ||j d|j dzd kDr t ||jd}t|d kDrd |_ d }|D]}tjd |rnd |_ |jd}|D])}t|d kst|dkDs t |t|dt|d k\rt |tjd|r't|d kst|dkDrCt |tjd|r tj|}n t ||r|dt|zz }t|}|}|dk(rt||_yt||_y#t$r t |wxYw)z:Sets port and location (destination or source) of the rulez Bad port '%s'rDrrz^[,:]z[,:]$rN:rZTrz ^\d+:\d+$irz^\d+$z ^\w[\w\-]+N)rGr$r%rQmatchrcountr\r]r#intsocket getservbyname Exceptionstrr!r ) r portlocerr_msgportsr_pranqs r r0zUFWRule.set_portsO$- 5=  E\dii  E\dii  XXh %(D)A7# #jjo 3/2 57# #JJsOE5zA~! C !88L!,!%DJ''#,C 4q6A:Q%"*7"3343q6{c#a&k1&w//XXh*1vzSVe^&w//XXmQ/0"003#7++3Q<'Ca&C1 !4D %<TDJTDJ%0&w//0s *HH,c|tjjdgzvr||_yt d|z}t |)zSets protocol of the rulerDzUnsupported protocol '%s'N)rutilsupported_protocolsr"rGr)r r"rls r r/zUFWRule.set_protocols= sxx33ug= =$DM34AG7# #r c|jre|jr%|jdk(s|jdk(rd|_|jr'|jdk(s|jdk(rd|_yyy|jr%|jdk(s|jdk(rd|_|jr'|jdk(s|jdk(rd|_yyy)zAdjusts src and dst based on v6rDrErFN)rrrrs r _fix_anywherezUFWRule._fix_anywheres 77xxTXX.$((k2I!xxTXX.$((k2I!3JxxxTXX.$((f2D&xxTXX.$((f2D&3Exr c2||_|jy)zXSets whether this is ipv6 rule, and adjusts src and dst accordingly. N)rru)r rs r set_v6zUFWRule.set_v6 s r c|j}|dk7r6tjj|dst d}t |||_|jy)zSets source address of rulerDzBad source addressN)r[rrr valid_addressrGrrrur addrr_rls r r1zUFWRule.set_srcsPjjl %< 6 6sE B,-G7# # r c|j}|dk7r6tjj|dst d}t |||_|jy)z Sets destination address of rulerDzBad destination addressN)r[rrrryrGrrrurzs r r2zUFWRule.set_dstsPjjl %< 6 6sE B12G7# # r cz|dk7r|dk7rtd}t|dt|vrtd}t|dt|vrtd}t|t|dk(st|d k(rtd }t|tt|d k(rtd }t|tt|d kDrtd}t|t j dt|std}t||dk(r||_y||_y)zSets an interface for ruleinoutzBad interface type!z+Bad interface name: reserved character: '!'raz/Bad interface name: can't use interface aliases.z..z)Bad interface name: can't use '.' or '..'rz+Bad interface name: interface name is emptyz+Bad interface name: interface name too longz^[a-zA-Z0-9_\-\.\+,=%@]+$zBad interface nameN)rGrrir]rQrcr)r*)r if_typenamerls r set_interfacezUFWRule.set_interface's) d?w%/,-G7# # #d) EFG7# # #d) IJG7# # t9 s4yD0CDG7# # D Na EFG7# # D NR EFG7# #xx4c$i@,-G7# # d? $D !%D r ct|dk7r8tjdt|std|z}t |t ||_y)zSets the position of the rulez-1z^[0-9]+z,Insert position '%s' is not a valid positionN)rirQrcrGrrer')r numrls r set_positionzUFWRule.set_positionWsG s8t BHHZS$BFG3OG7# #C r c|jdk(s|jdk(s|dk(r|j|_ytd|z}t|)zSets logtype of the rulelogzlog-allrzInvalid log type '%s'N)r[r(rGr)r r(rls r r^zUFWRule.set_logtypeasL ==?e #w}})'C b="==?DL/0G 'N 55AEE> 'N 44144< 'N 66QVV  'N 66QVV  'N >>Q^^ + 'N ??aoo - 'N ;;!++ % 'N 99 ! 'N 88qxx AII$: QYY&+,G 'N 88qxx AII$: QYY&>?G 'NFGHHAHHIIQYYIIQYY89 gr c >d}|r|s t|j|dk(ryd|d|jd|d|jd }|jdk7rt d|zd zy |j |j k7rt |d zy |j |j k7r|j d k7rt d |zy |jd k7r,||j|jst d|zy |jdk(r|jdk(r|j|jrn>|j|jk7rd|jvrt d|zy |j|jk7rd|jvr|j|jk(rtjj|j|j|jst d|zd|jd|jdzy |jdk7rF|j|jk7r-t d|zd|jd|jdzy tjj|j|j}|j|k7r1d|jvr#t d|zd|jd|dzy |j|k7rd|jvrq|j|jk(rXtjj||j|js#t d|zd|d|jdzy |j|jk7r-t d|zd|jd|jdzy t d|d|jd|d|jd y#t$r!t d|zd|jzzYy wxYw)aThis will match if x is more specific than y. Eg, for protocol if x is tcp and y is all or for address if y is a network and x is a subset of y (where x is either an address or network). Returns: 0 match 1 no match -1 fuzzy match This is a fuzzy destination match, so source ports or addresses are not considered, and (currently) only incoming. cd|vsd|vr||k(ryy|jdD]S}||k(ryd|vs|jd\}}t|t|k\s;t|t|ksSyy)z:Returns True if p is an exact match or within a multi rulerNraTF)r\re)test_pto_matchrjlowhighs r _match_portsz-UFWRule.fuzzy_dst_match.._match_portss~f}v X% s+ $T>$;"&**S/KS$6{c#h.3v;#d)3K#  $r rzNo fuzzy match 'z (v6=z)' 'z)'r~z (direction) z (not incoming)rZz (forward does not match)rDz (protocol) z(dport) r/z(dst) z ('z' not in network 'z')z (interface) z (z != )z %s does not existz(v6) z(fuzzy match) 'r)rrcrr+rr,r"r r) _is_anywhererrrr in_networkget_ip_from_ifIOError)rrrrif_ips r fuzzy_dst_matchzUFWRule.fuzzy_dst_matchsH ",  771:? qttQ& ;;$  .7*->> ? 99 ! '77 8 :: # e(; -') * 77e L!''$B *w& ' >>R ~~#quu(=!%%Cquu$4h()!%%C155LQTTQTT\88&&quuaeeQTT:h(uuaee,%%& ~~#!..(Hnw.~~q~~2778 //E uu~#QUU"2nw.uue2%%&%C155LQTTQTT\88&&uaeeQTT:nw.7T[0r cd}|jdk7s|jdk7r1|jd|jd|jd|j}|jdk(r5|jd|jd|jd|j}|jdk(r5|jd|jd|j d|j}|j dk(r#|jdk(r|d|jzz }|S|j dk7r|d|j zz }|jdk7r|d|jzz }|S)aReturns a tuple to identify an app rule. Tuple is: dapp dst sapp src direction_iface|direction or dport dst sapp src direction_iface|direction or dapp dst sport src direction_iface|direction where direction_iface is of form 'in_eth0', 'out_eth0' or 'in_eth0 out_eth0' (ie, both interfaces used). If no interfaces are specified, then tuple ends with the direction instead. rrLz %sz in_%sz out_%s) r$r%rrr r!r)r*r+)r tupls r get_app_tuplezUFWRule.get_app_tupleTs 99?dii2o$(IItxxDHHMDyyB(, DHHdii)-3yyB(, 488TZZ)-3  B&4+=+=+C00 $$*H(9(9::D%%+I););<!]],w''': 8r N)rDrErDrEr~Fr)r)rrrrr rr?rBr6r.r0r/rurwr1r2rrr^r3rr4rrcrrrrrr r rr*s.:EGL!F".A F "3#j$ '.&`!$$1!)FAFl\ D(r r)rrQrfufw.utilrr programName state_dir share_dir trans_dir config_dir prefix_dir iptables_dir do_checksrhrrrr r rsV'"          y ` (` (r