3 \l@szdZddlZddlZddlZddlmZddlZddlmZm Z m Z ddl m Z ddl ZddZdd ZGd d d ZdS) z'frontend.py: frontend interface for ufwN)UFWError)errorwarnmsg)UFWBackendIptablescCstjj}xd0D]}|jtjj|qWxd1D]}|jtjj|q0Wxd2D]}|jtjj|qPWxd3D]}|jtjj|qpWxd4D]}|jtjj|qWxd5D]}|jtjj |qWdd!ddd"d#d$g}x2|D]*}|jtjj ||jtjj |qWt |d%krzd&}||j d'kr8d%}||j d krz||j d(krz||j |krz|j|d)t |d%ksd'|krt |d*krtd+y|j|d&d}WnTtk r}ztd,|jWYdd}~Xn$tk rtd-d.d/YnX|S)6zEParse command. Returns tuple for action, rule, ip_version and dryrun.enabledisablehelp--helpversion --versionreloadresetlistinfodefaultupdateonofflowmediumhighfullallowdenyrejectNverbosenumberedraw before-rules user-rules after-rules logging-rulesbuiltins listeningaddedlimitinsertdeleteprependz --dry-runrouteruleznot enough argsz%szInvalid syntaxF)Zdo_exit)rrr r r r r r)rrrr)rrrrrr)rrr)Nrr)rrr r!r"r#r$r%)ufwparserZ UFWParserZregister_commandZUFWCommandBasicZ UFWCommandAppZUFWCommandLoggingZUFWCommandDefaultZUFWCommandStatusZUFWCommandShowUFWCommandRuleUFWCommandRouteRulelenlowerr'r parse_commandrvalue Exception)argvpiZ rule_commandsidxprer>./usr/lib/python3/dist-packages/ufw/frontend.pyr5sL        & r5c&Cs\tdtjjdddddddd d d d d ddddddddddddddddddd d!d"d#d$#}|S)%zPrint help messagea  Usage: %(progname)s %(command)s %(commands)s: %(enable)-31s enables the firewall %(disable)-31s disables the firewall %(default)-31s set default policy %(logging)-31s set logging to %(level)s %(allow)-31s add allow %(rule)s %(deny)-31s add deny %(rule)s %(reject)-31s add reject %(rule)s %(limit)-31s add limit %(rule)s %(delete)-31s delete %(urule)s %(insert)-31s insert %(urule)s at %(number)s %(route)-31s add route %(urule)s %(route-delete)-31s delete route %(urule)s %(route-insert)-31s insert route %(urule)s at %(number)s %(reload)-31s reload firewall %(reset)-31s reset firewall %(status)-31s show firewall status %(statusnum)-31s show firewall status as numbered list of %(rules)s %(statusverbose)-31s show verbose firewall status %(show)-31s show firewall report %(version)-31s display version information %(appcommands)s: %(applist)-31s list application profiles %(appinfo)-31s show information on %(profile)s %(appupdate)-31s update %(profile)s %(appdefault)-31s set default application policy ZCOMMANDZCommandsrrz default ARGz logging LEVELZLEVELz allow ARGSr-z deny ARGSz reject ARGSz limit ARGSzdelete RULE|NUMZRULEzinsert NUM RULEz prepend RULEz route RULEzroute delete RULE|NUMzroute insert NUM RULEZNUMr rstatuszstatus numberedZRULESzstatus verbosezshow ARGr zApplication profile commandszapp listzapp info PROFILEZPROFILEzapp update PROFILEzapp default ARG)#ZprognameZcommandZcommandsrrrZlogginglevelrr-rrr&r(Zuruler'r)r,z route-deletez route-insertnumberr rr@Z statusnumrulesZ statusverboseshowr Z appcommandsZapplistZappinfoprofileZ appupdateZ appdefault)_r/commonZ programName)Zhelp_msgr>r>r?get_command_help[sJ rHc@seZdZdZd,ddZddZdd Zd d Zd-d dZd.ddZ ddZ ddZ ddZ d/ddZ d0ddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd1d*d+ZdS)2 UFWFrontendZUIiptablesNc Csd|dkr6yt|||d|_WqBtk r2YqBXn td|td|_td|_td|_dS)NrJ)rootdirdatadirzUnsupported backend type '%s'nyyes)rbackendr7rrFnorOyes_full)selfdryrunZ backend_typerKrLr>r>r?__init__s    zUFWFrontend.__init__c,Cs~d}d}|rd}d}|r$|jj s4| r8|jjr8d}|ry|jj|jjdd|Wn,tk r}zt|jWYdd}~XnXd}|r4y|jjWn,tk r}z|r|j}WYdd}~XnX|dkr*y|jj|jjdddWn.tk r }zt|jWYdd}~XnXt|td }nFy|jj Wn.tk rp}zt|jWYdd}~XnXtd }|S) zlToggles ENABLED state in /ufw/ufw.conf and starts or stops running firewall. rQrOFTconfZENABLEDNz0Firewall is active and enabled on system startupz/Firewall stopped and disabled on system startup) rP is_enabledZ set_defaultfilesrrr6start_firewallrF stop_firewall)rSenabledresZ config_strZchangedr=Z error_strr>r>r? set_enabledsF    zUFWFrontend.set_enabledcCsfd}y0|jj||}|jjr2|jj|jjWn,tk r`}zt|jWYdd}~XnX|S)zSets default policy of firewallrVN)rPset_default_policyrXr[rZrrr6)rSpolicy directionr]r=r>r>r?r_s  zUFWFrontend.set_default_policycCsFd}y|jj|}Wn,tk r@}zt|jWYdd}~XnX|S)zSets log level of firewallrVN)rP set_loglevelrrr6)rSrAr]r=r>r>r?rbs zUFWFrontend.set_loglevelFcCsDy|jj||}Wn,tk r>}zt|jWYdd}~XnX|S)zShows status of firewallN)rP get_statusrrr6)rSrZ show_countoutr=r>r>r?rcs zUFWFrontend.get_statusrcCsBy|jj|}Wn,tk r<}zt|jWYdd}~XnX|S)zShows raw output of firewallN)rPZget_running_rawrrr6)rSZ rules_typerdr=r>r>r? get_show_raw s zUFWFrontend.get_show_rawcCsBd}ytjj|jj}Wn$tk r>td}t|YnX|jj}t |j }|j x|D]}|jj r|dkrqf|d|7}t ||j }|j xx|D]n}xf|||D]T} | d} | j d o| j d rd} |d |7}| d ks| d kr$|d 7}d | d} n|d| 7}tjj | } |dtjj| d7}tjjd|dd|| ddd} | j|jd| dkr| jd| | j|jj| } t| dkr|d7}xL| D]D}|dkr|dt|kr|d|tjjj||df7}qW|d7}qWqWqfW|jjs>tjjd|S)zMShows listening services and incoming rules that might affect themrVzCould not get listening statustcp6udp6z%s: Zladdrz127.z::1z %s z0.0.0.0z::z* z%s/0z%s z(%s)exerNr.inF)actionZprotocolZdportdstraforward6r r+z [%2d] %s z)Skipping tcp6 and udp6 (IPv6 is disabled))rfrg)r/utilZparse_netstat_outputrPuse_ipv6r7rFr get_rulesrkeyssort startswithZget_if_from_ipospathbasenamerGZUFWRuleset_v6endswithZ set_interfaceZ normalizeZ get_matchingr3r0r1 get_commanddebug)rSr]derr_msgrCZ protocolsprotoportsZportitemZaddrZifnamer-Zmatchingr:r>r>r?get_show_listeningsd               zUFWFrontend.get_show_listeningcCs|jj}td}t|dkr*|tdSg}xZ|jjD]L}|jrXdtjjj|}ntjj j|}||krpq:|j ||d|7}q:W|S)z!Shows added rules to the firewallz9Added user rules (see 'ufw status' for running firewall):rz (None)zroute %sz ufw %s) rPrqrFr3rlr/r0r2rzr1append)rSrCrdr%rrstrr>r>r?get_show_added[s    zUFWFrontend.get_show_addedcCsd}d}d}g}|jdkr2|jdkr2|j|ng}y|jr|dkrZ|jj|d}n|dkrr|jj|d}n||dkr|jj|d}|jj|d}xV|D]8} x2|D]*} | j} d| _| j| s| | _|j| qWqWntd|}t |t |dkrR|jj rRtd }|dkr |}n.|dkr4|d }n|dkrN|d |d }|Sxb|D]8}|j } |j| _| j |j| j|j|j| qXWn |jj|}|jdkr|jWntk rYnXd} d}td }|jjd}|jjd}x$t|D]\}} |} | j||kr>|t| jd 7}t |y|jjr@|dkr| jdkr| dkr||dkr|dnd}| j|n&| j|kr|t| jd 7}t || jd|jj| }q|dkrt| jdkr | dkr|dkrdnd}| j|nP| j|kr(| j| j|n2| jdkrZ| j|krZ|t| jd 7}t || jd|jj| }q|dkr*| j}| jd|dkr| dkr|dkrdnd}| j|nJ| j r ||kr |jj||| d}|dkr| j|n | jd|jj| }| j rD|dkrD|jjd}| j|d| jd|dkr| dkrp|dkrpdnd}| j|nV| j r| jdkr| j|kr|jj| jd}|dkr| j|| n | jd|dkr|d 7}| j r| j|kr|dkr| j| j|||jj| 7}ntd|}t |n| jdkrr| dkrd|dkrddnd}| j||dks|dkr| jd|jj| }n0|dkrtd}t |ntd|}t |Wn0t k r}z|j}d}PWYdd}~XnX| jrtd}tj |qW|s2||7}nt |dkrJt!|nd}t"t#| d}|jxx|D]p}| dkrl||rl||j }d|_y|j||Wn2tk rd}td| j$}t |YnXqlW|td7}|r|td7}n |td7}t ||S)zUpdates firewall with rulerVv4Fv6TZbothzInvalid IP version '%s'rz"Could not delete non-existent rulez (v6)rnzInvalid position ''r+zIPv6 support not enabledNz Rule changed after normalizationzCould not back out rule '%s'z" Error applying application rules.z# Some rules could not be unapplied.z( Attempted rules successfully unapplied.rrrrr)%dappsapprremoverPZget_app_rules_from_systemrmatchrFrr3rTZdup_ruleZ set_actionrjZ set_logtypeZlogtypeZget_app_rules_from_templateZpositionreverser7Zget_rules_count enumeratestrrpZ set_positionrxset_ruleZfind_other_positionr6updatedwarningsrrrrangeZ format_rule)rSr- ip_versionr]r}tmprCZtmprulesZ tmprules6xrNZprev6rcountZ set_errorZ pos_err_msgZnum_v4Znum_v6r:ZbeginZuser_posr9r=Zwarn_msgZ undo_errorZindexesjZ backout_ruler>r>r?rxs<                                                               zUFWFrontend.set_rulec Cs^y t|}Wn(tk r4td|}t|YnX|jj}|dksT|t|krhtd|}t||jj|}|std|}t|d|_d}|j rd}d}|s:|j rdt j j j|} nt j jj|} td| |j|jd } t| tjd d tjjjj} | d kr:| |jjkr:| |jjkr:d }d } |rR|j||} ntd} | S)z Delete rulezCould not find rule '%s'rzCould not find rule '%d'Trrzroute %sz=Deleting: %(rule)s Proceed with operation (%(yes)s|%(no)s)? )r-rOrQF)outputnewlinerNrVAborted)intr7rFrrPrqr3Zget_rule_by_numberrrrlr/r0r2rzr1rOrQrsysstdoutstdinreadliner4striprRr) rSrBforcerMr}rCr-rproceedrpromptansr]r>r>r? delete_ruleDsJ       zUFWFrontend.delete_rulec CsVd}|jdrB|jd}t|dkr4|j|d}n |jd}n|dkrX|jd}n|jdrtd }|jd }t|d krt||j|d|d }n|d kr|j|}n|dkr|j}n|dkr|jd}nr|jdr0|jd d}|dkr|j }n|dkr"|j }n |j |}n"|dkrJ|jdd}n|dkrb|j d}n|dkrz|j d}n|dkr|j jr|j d|j dtd}ntd}n|jdr|j|jd d|}nr|dks|dks|dks|dkr>|jdkry0|j j|j}||jkrB||_|j|d WnVtk r}z8|jsjt|jtjj|jstd!}t|WYd"d"}~XnX|jdkr0y0|j j|j}||jkr||_|j|d WnVtk r.}z8|jst|jtjj|jstd!}t|WYd"d"}~XnX|j||}ntd#|}t||S)$zPerform action on rule. action, rule and ip_version are usually based on return values from parse_command(). rVz logging-onrFr+rz logging-offrzdefault-zUnsupported default policy-r.r*rr@zstatus-verboseTrDr$r%zstatus-numberedFrrr zFirewall reloadedz&Firewall not enabled (skipping reload)zdelete-rrrr&rkzInvalid profile nameNzUnsupported action '%s')rtsplitr3rbrFrr_rrcrrrer^rPrXrrZfind_application_nameZset_portrrr6r/ applicationsvalid_profile_namerr) rSrjr-rrr]rr}r=r>r>r? do_actionus                              zUFWFrontend.do_actioncCsFd}y|jj|}Wn,tk r@}zt|jWYdd}~XnX|S)z+Sets default application policy of firewallrVN)rPset_default_application_policyrrr6)rSr`r]r=r>r>r?rs z*UFWFrontend.set_default_application_policycCs>t|jjj}|jtd}x|D]}|d|7}q&W|S)z*Display list of known application profileszAvailable applications:z %s)rrPprofilesrrrsrF)rSnamesrrMr>r>r?get_application_lists  z UFWFrontend.get_application_listcCsg}|dkr&t|jjj}|jn&tjj|sBtd}t ||j |d}x4|D]*}||jjksx|jj| rtd|}t |tjj ||jj|std}t ||td|7}|tdtjj |jj|7}|tdtjj |jj|7}tjj|jj|}t|d ks2d |d kr@|td 7}n |td 7}x|D]}|d|7}qRW||t|d krX|d7}qXWtjj|S)zDisplay information on profileallzInvalid profile namerVzCould not find profile '%s'zInvalid profilez Profile: %s z Title: %s zDescription: %s r+,rzPorts:zPort:z %sz -- )rrPrrrrsr/rrrFrrZverify_profileZ get_titleZget_descriptionZ get_portsr3ro wrap_text)rSZpnamerr}rnamerr9r>r>r?get_application_infosB        z UFWFrontend.get_application_infoc Csd}d}d}y|jjr$tjjr$d}Wntk r>d}YnX|dkrt|jjj}|j x^|D]4}|jj |\}}|rf|dkr|d7}||7}|}qfWn |jj |\}}|dkr|d7}|o|jj r|r y|jj Wntk rYnX|t d7}n |t d7}|S)zRefresh application profilerVTFrrnzFirewall reloadedzSkipped reloading firewall)rP do_checksr/ro under_sshr7rrrrrsZupdate_app_rulerXZ_reload_user_rulesrF) rSrErZ allow_reloadZtrigger_reloadrr9rfoundr>r>r?application_update s<    zUFWFrontend.application_updatec Csd}d}|dkr td}t||jjd}|dkrLtjjd||f|S|dkrZd}n0|d krhd }n"|d krvd }ntd |}t|d g}|jjr|jd|||g7}y t |}Wnt k rYnXd|j kr|j |j |j d|j d}n|j |j dd}|S)zRefresh application profilerVrz%Cannot specify 'all' with '--add-new'Zdefault_application_policyskipz'Policy is '%s', not adding profile '%s'ZacceptrZdroprrzUnknown policy '%s'r/z --dry-runr-Ziptype)rFrrPZdefaultsr/ror{rTrr5r7datarrj)rSrErr`r}rargsr<r>r>r?application_add7s>       zUFWFrontend.application_addcCsd}|dkr|jd}n|dkr,|jd}n|dkr@|jd}n|dkrT|jd }n|d krf|j}nz|d krz|j|}nf|d ks|d kr|j|}d}|d kr|j|}|dkr|dkr|d7}||}ntd|}t||S)zzPerform action on profile. action and profile are usually based on return values from parse_command(). rVz default-allowrz default-denyrzdefault-rejectrz default-skiprrrrzupdate-with-newrnzUnsupported action '%s')rrrrrrFr)rSrjrEr]Zstr1Zstr2r}r>r>r?do_application_actionas0          z!UFWFrontend.do_application_actioncCsrd}|jjrntjjrntd|j|jd}t|t j ddt j j j j}|dkrn||jkrn||jkrnd}|S)z6If running under ssh, prompt the user for confirmationTzWCommand may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? )rOrQF)rrrN)rPrr/rorrFrOrQrrrrrr4rrR)rSrrrr>r>r?continue_under_sshszUFWFrontend.continue_under_sshcCsd}td|j|jd}|jjrBtjjrBtd|j|jd}|jjr| rttjj |t j ddt j j jj}|dkr||jkr||jkrtd}|S|jjr||jd7}|jj}|S) zReset the firewallrVzTResetting all rules to installed defaults. Proceed with operation (%(yes)s|%(no)s)? )rOrQzResetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? F)rrrNr)rFrOrQrPrr/rorrrrrrrr4rrRrXr^r)rSrr]rrr>r>r?rs   zUFWFrontend.reset)rJNN)FF)r)F)F)F)__name__ __module__ __qualname____doc__rUr^r_rbrcrerrrrrrrrrrrrrr>r>r>r?rIs, 6  HM 1 V  .+* rI)rrurrZ ufw.commonrZufw.utilr/rrrZufw.backend_iptablesrZ ufw.parserr5rHrIr>r>r>r?s  >G