3 D\}V@sjdZddlZddlZddlZddlmZdZdZdZeZ dZ dZ d Z d Z Gd d d eZGd ddZdS)z!common.py: common classes for ufwN)debugufwz/lib/ufwz/usr/share/ufwz/etcz/usrz/sbinTc@s eZdZdZddZddZdS)UFWErrorz$This class represents ufw exceptionscCs ||_dS)N)value)selfrr,/usr/lib/python3/dist-packages/ufw/common.py__init__#szUFWError.__init__cCs t|jS)N)reprr)rrrr__str__&szUFWError.__str__N)__name__ __module__ __qualname____doc__r r rrrrr!src@seZdZdZd9ddZd d Zd d Zd dZddZddZ d:ddZ ddZ ddZ ddZ ddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0d1Zd2d3Zd4d5Zd6d7Zd8S);UFWRulez$This class represents firewall rulesany 0.0.0.0/0inFc Csd|_d|_d|_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_d|_||_d|_yV|j||j||j||j|d|j||j||j||j| Wntk rYnXdS)NFrrsrc)removeupdatedv6dstrdportsportprotocolmultidappsappactionpositionlogtype interface_in interface_out directionforwardcomment set_action set_protocolset_portset_srcset_dst set_direction set_commentr) rr rrrrrr%r&r'rrrr ,s<       zUFWRule.__init__cCs|jS)N) format_rule)rrrrr OszUFWRule.__str__cCsBd|}t|j}|jx"|D]}|d||j|f7}q W|S)zPrint rule to stdoutz'%s'z, %s=%s)list__dict__sort)rreskeyskrrr _get_attribRs   zUFWRule._get_attribcCst|j|j}|j|_|j|_|j|_|j|_|j|_|j|_|j |_ |j |_ |j |_ |j |_ |j |_ |j|_|j|_|j|_|j|_|j|_|j|_|S)zReturn a duplicate of a rule)rr rrrrrrrrrrrr!r"r#r$r%r&r')rZrulerrrdup_rule[s&zUFWRule.dup_rulecCsd}|jdkr|d|j7}|jdkr4|d|j7}|jdkrH|d7}n|d|j7}|jr|d7}|jdkr|jdkr|d|j7}|d7}|d |j7}n2|jdkr|d|j7}n|jdkr|d |j7}|jd kr|jd kr|d |j7}|j r|jdkr|d |j7}|jd kr<|jd kr<|d|j7}|j r`|jdkr`|d|j7}d}|jdkrzd|j}|j dkr|d|7}nT|j dkr|d|7}|jdkr|d7}n&|j dkr|d|7}n |d|7}|j dks|j dkrd}t j d}|j dkr0|d|jd|j 7}|j dkrP|j dkrP|d7}|j dkrr|d|jd|j 7}|d 7}|d|7}|jS)!zFormat rule for later parsingrz -i %sz -o %srz -p allz -p z -m multiportz --dports z --sports z 0.0.0.0/0z::/0z -d z --dport z -s z --sport _allowz -j ACCEPT%srejectz -j REJECT%sZtcpz --reject-with tcp-resetlimitz -j LIMIT%sz -j DROP%sz-m comment --comment ' Zdapp_z%20,Zsapp_')r#r$rrrrrrr"r rrrecompilesubstrip)rZrule_strZlstrr'Z pat_spacerrrr/rsd                   zUFWRule.format_rulecCsj|jjd}|ddks2|ddks2|ddkr>|d|_nd|_d}t|dkr\|d}|j|d S) zSets action of the ruler8rr9r:r;ZdenyrN)lowersplitr len set_logtype)rr tmpr"rrrr(s$  zUFWRule.set_actionrc Cstd|}|dkrn|dkr*|jr*n|dkr<|jr<ntjd|sTtjd|r`t|nd|jd|jdd krt|n@|jd}t|d krd |_ d }x|D]}tjd |r"d |_ |jd}x,|D]$}t |d kst |dkrt|qWt |dt |d krt|nztjd|rVt |d ksLt |dkrt|nFtjd|ryt j |}Wnt k rt|YnXnt||r|dt|7}qt|}qW|}|dkrt||_n t||_dS)z:Sets port and location (destination or source) of the rulez Bad port '%s'rrrz^[,:]z[,:]$r=:rCTrz ^\d+:\d+$irz^\d+$z ^\w[\w\-]+N)r8rrr?matchrcountrErFrintsocketZ getservbyname Exceptionstrrr) rportlocerr_msgportsrHpZranqrrrr*sP             zUFWRule.set_portcCs2|tjjdgkr||_ntd|}t|dS)zSets protocol of the rulerzUnsupported protocol '%s'N)rutilZsupported_protocolsrr8r)rrrSrrrr)s zUFWRule.set_protocolcCs|jrH|jr&|jdks |jdkr&d|_|jr|jdks@|jdkrd|_n@|jrh|jdksb|jdkrhd|_|jr|jdks|jdkrd|_dS)zAdjusts src and dst based on v6rz 0.0.0.0/0z::/0N)rrr)rrrr _fix_anywhereszUFWRule._fix_anywherecCs||_|jdS)zXSets whether this is ipv6 rule, and adjusts src and dst accordingly. N)rrX)rrrrrset_v6 szUFWRule.set_v6cCsB|j}|dkr0tjj|d r0td}t|||_|jdS)zSets source address of rulerzBad source addressN)rDrrW valid_addressr8rrrX)raddrrHrSrrrr+s zUFWRule.set_srccCsB|j}|dkr0tjj|d r0td}t|||_|jdS)z Sets destination address of rulerzBad destination addressN)rDrrWrZr8rrrX)rr[rHrSrrrr,s zUFWRule.set_dstcCs|dkr |dkr td}t|dt|kr._match_portsrz(No fuzzy match '%s (v6=%s)' '%s (v6=%s)'rz (direction) z (not incoming)rCz (forward does not match)rz (protocol) z(dport) r/z(dst) z ('%s' not in network '%s')z (interface) z (%s != %s)z %s does not existz(v6) z'(fuzzy match) '%s (v6=%s)' '%s (v6=%s)'ri)rjrKrr%rr&rrr# _is_anywhererrrWZ in_networkZget_ip_from_ifIOError)rkrlrnrmZif_iprrrfuzzy_dst_matchsl         (     &zUFWRule.fuzzy_dst_matchcCs|dks|dkrdSdS)zCheck if address is anywherez::/0z 0.0.0.0/0TFr)rr[rrrrpNszUFWRule._is_anywherecCsd}|jdks|jdkrd|j|j|j|jf}|jdkrRd|j|j|j|jf}|jdkrtd|j|j|j|jf}|jdkr|d|j7}|jdkr|d|j7}|S)a$Returns a tuple to identify an app rule. Tuple is: dapp dst sapp src or dport dst sapp src or dapp dst sport src All of these might have in_eth0 out_eth0 (or similar) if an interface is also defined. rz %s %s %s %sz in_%sz out_%s)rrrrrrr#r$)rZtuplrrr get_app_tupleTs       zUFWRule.get_app_tuplecCs|jdkr4|jdks|jdkr4td|j}t||jtjjkr`|dkr`td|j}t||jtjjkr|j dks|j dkrtd|j}t|dS)z Verify rulerrz3Improper rule syntax ('%s' specified with app rule)rz'Invalid IPv6 address with protocol '%s'zInvalid port with protocol '%s'N) rrrr8rrrWZipv4_only_protocolsZportless_protocolsrr)rZ rule_iptyperSrrrverifyqs zUFWRule.verifyN)rrrrrFr)r)r r rrr r r6r7r/r(r*r)rXrYr+r,rarbrGr-rdr.rfrKrrrprsrtrrrrr*s6 ! C 5   0  #Cnr)rr?rNZufw.utilrrZ programNameZ state_dirZ share_dirZ trans_dirZ config_dirZ prefix_dirZ iptables_dirZ do_checksrOrrrrrrs