U LdX@sjdZddlZddlZddlZddlmZdZdZdZeZ dZ dZ d Z d Z Gd d d eZGd ddZdS)z!common.py: common classes for ufwN)debugufwz/lib/ufwz/usr/share/ufwz/etcz/usrz /usr/sbinTc@s eZdZdZddZddZdS)UFWErrorz$This class represents ufw exceptionscCs ||_dSN)value)selfrr,/usr/lib/python3/dist-packages/ufw/common.py__init__#szUFWError.__init__cCs t|jSr)reprrrrrr __str__&szUFWError.__str__N)__name__ __module__ __qualname____doc__r r rrrr r!src@seZdZdZd9ddZd d Zd d Zd dZddZddZ d:ddZ ddZ ddZ ddZ ddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zd,d-Zd.d/Zd0d1Zd2d3Zd4d5Zd6d7Zd8S);UFWRulez$This class represents firewall rulesany 0.0.0.0/0inFc Csd|_d|_d|_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_d|_||_d|_zV||||||||d|||||||| Wntk rYnXdS)NFrrsrc)removeupdatedv6dstrdportsportprotocolmultidappsappactionpositionlogtype interface_in interface_out directionforwardcomment set_action set_protocolset_portset_srcset_dst set_direction set_commentr) rr"rrrrrr'r(r)rrr r ,s<       zUFWRule.__init__cCs|Sr) format_ruler rrr r OszUFWRule.__str__cCs>d|}t|j}||D]}|d||j|f7}q|S)zPrint rule to stdoutz'%s'z, %s=%s)list__dict__sort)rreskeyskrrr _get_attribRs  zUFWRule._get_attribcCst|j|j}|j|_|j|_|j|_|j|_|j|_|j|_|j |_ |j |_ |j |_ |j |_ |j |_ |j|_|j|_|j|_|j|_|j|_|j|_|S)zReturn a duplicate of a rule)rr"rrrrrrrrrr r!r#r$r%r&r'r(r))rZrulerrr dup_rule[s&zUFWRule.dup_rulecCsd}|jdkr|d|j7}|jdkr4|d|j7}|jdkrH|d7}n|d|j7}|jr|d7}|jdkr|jdkr|d|j7}|d7}|d |j7}n2|jdkr|d|j7}n|jdkr|d |j7}|jd kr|jd kr|d |j7}|js|jdkr|d |j7}|jd kr:|jd kr:|d|j7}|js\|jdkr\|d|j7}d}|jdkrvd|j}|j dkr|d|7}nT|j dkr|d|7}|jdkr|d7}n&|j dkr|d|7}n |d|7}|j dks|j dkrd}t d}|j dkr,|d|d|j 7}|j dkrL|j dkrL|d7}|j dkrn|d|d|j 7}|d 7}|d|7}|S)!zFormat rule for later parsingrz -i %sz -o %srz -p allz -p z -m multiportz --dports z --sports r::/0z -d z --dport z -s z --sport _allowz -j ACCEPT%srejectz -j REJECT%sZtcpz --reject-with tcp-resetlimitz -j LIMIT%sz -j DROP%sz-m comment --comment ' Zdapp_z%20,Zsapp_')r%r&rrrrrrr$r"r r!recompilesubstrip)rZrule_strZlstrr)Z pat_spacerrr r1rsd                   zUFWRule.format_rulecCsj|d}|ddks2|ddks2|ddkr>|d|_nd|_d}t|dkr\|d}||d S) zSets action of the ruler;rr<r=r>ZdenyrN)lowersplitr"len set_logtype)rr"tmpr$rrr r*s$  zUFWRule.set_actionrc Cstd|}|dkrn|dkr*|jr*n|dkr<|jr<n~td|sTtd|r`t|nZ|d|dd krt|n6|d}t|d krd |_ d }|D] }td |rd |_ |d}|D]$}t |d kst |dkrt|qt |dt |d krt|nztd|rNt |d ksDt |dkrt|nFtd|rzt |}Wnt k rt|YnXnt||r|dt|7}qt|}q|}|dkrt||_n t||_dS)z:Sets port and location (destination or source) of the rulez Bad port '%s'rrrz^[,:]z[,:]$r@:rFTrz ^\d+:\d+$irz^\d+$z ^\w[\w\-]+N)r;r r!rBmatchrcountrHrIrintsocketZ getservbyname Exceptionstrrr) rportZlocerr_msgportsrKpZranqrrr r,sP             zUFWRule.set_portcCs2|tjjdgkr||_ntd|}t|dS)zSets protocol of the rulerzUnsupported protocol '%s'N)rutilZsupported_protocolsrr;r)rrrUrrr r+s zUFWRule.set_protocolcCs|jrH|jr&|jdks |jdkr&d|_|jr|jdks@|jdkrd|_n@|jrh|jdksb|jdkrhd|_|jr|jdks|jdkrd|_dS)zAdjusts src and dst based on v6rrr:N)rrrr rrr _fix_anywhereszUFWRule._fix_anywherecCs||_|dS)zXSets whether this is ipv6 rule, and adjusts src and dst accordingly. N)rrZ)rrrrr set_v6 szUFWRule.set_v6cCs@|}|dkr.tj|ds.td}t|||_|dS)zSets source address of rulerzBad source addressN)rGrrY valid_addressr;rrrZraddrrKrUrrr r-s zUFWRule.set_srccCs@|}|dkr.tj|ds.td}t|||_|dS)z Sets destination address of rulerzBad destination addressN)rGrrYr\r;rrrZr]rrr r.s zUFWRule.set_dstcCs|dkr |dkr td}t|dt|krt|dkr0tdt|s0td|}t|t||_dS)zSets the position of the rulez-1z^[0-9]+z,Insert position '%s' is not a valid positionN)rSrBrNr;rrPr#)rZnumrUrrr set_positionWs zUFWRule.set_positioncCsD|dks |dks |dkr,||_ntd|}t|dS)zSets logtype of the rulelogzlog-allrzInvalid log type '%s'N)rGr$r;r)rr$rUrrr rJas   zUFWRule.set_logtypecCs0|dks|dkr||_ntd|}t|dS)zSets direction of the rulerr_zUnsupported direction '%s'N)r'r;r)rr'rUrrr r/js zUFWRule.set_directioncCstj|jS)zGet decoded comment of the rule)rrYZ hex_decoder)r rrr get_commentrszUFWRule.get_commentcCs ||_dS)zSets comment of the ruleN)r))rr)rrr r0vszUFWRule.set_commentcCsd}|jrVztj|j|j\|_}Wn$tk rJtd}t|YnX|rV||_|j rztj|j |j\|_ }Wn$tk rtd}t|YnX|r||_|j r|j d}tj |d ||_ |jr|j d}tj |d ||_dS)z&Normalize src and dst to standard formFz"Could not normalize source addressz'Could not normalize destination addressr@N)rrrYZnormalize_addressrrRr;rrrrrHZ human_sortjoinr)rZchangedrUrVrrr normalizezs:       zUFWRule.normalizecCs|r|std||f}|j|jkr2t|dS|j|jkrJt|dS|j|jkrbt|dS|j|jkrzt|dS|j|jkrt|dS|j|jkrt|dS|j|jkrt|dS|j |j krt|dS|j |j krt|dS|j |j kr t|dS|j |j kr&t|dS|j |j kr@t|dS|j|jkr~|j|jkr~|j|jkr~td}t|dS|j|jkr|j|jkr|j|jkrtd}t|dStd|j|j|j|j|j|jd}t|d S) zCheck if rules match Return codes: 0 match 1 no match -1 match all but action, log-type and/or comment -2 match all but comment zNo match '%s' '%s'rFzFound exact matchrz$Found exact match, excepting commentzZFound non-action/non-logtype/comment match (%(xa)s/%(ya)s/'%(xc)s' %(xl)s/%(yl)s/'%(yc)s'))ZxaZyaZxlZylZxcZyc) ValueErrorrrrrrrrr r!r%r&r'r(r"r$r)r;)xydbg_msgrrr rNsz            z UFWRule.matchcCsdd}|r|st||dkr(dSd||j||jf}|jdkrZtd|ddS|j|jkrvt|d dS|j|jkr|jd krtd |dS|jd kr||j|jstd |dS|jd krv|jd kr| |j rn|j |j krd|j krtd|dS|j |j krd|j kr|j|jkrt j |j |j |jstd|d|j |j fdSn|jd kr|j|jkrtd|d|j|jfdSzt j |j|j}Wn.tk rtd|d|jYdSX|j |kr,d|j kr,td|d|j |fdS|j |krd|j kr|j|jkrt j ||j |jstd|d||j fdS|j|jkrtd|d|j |j fdStd||j||jfdS)aThis will match if x is more specific than y. Eg, for protocol if x is tcp and y is all or for address if y is a network and x is a subset of y (where x is either an address or network). Returns: 0 match 1 no match -1 fuzzy match This is a fuzzy destination match, so source ports or addresses are not considered, and (currently) only incoming. cSs~d|ksd|kr ||krdSdS|dD]N}||kr<dSd|kr*|d\}}t|t|kr*t|t|kr*dSq*dS)z:Returns True if p is an exact match or within a multi ruler@rLTF)rHrP)Ztest_pZto_matchrTZlowZhighrrr _match_portss z-UFWRule.fuzzy_dst_match.._match_portsrz(No fuzzy match '%s (v6=%s)' '%s (v6=%s)'rz (direction) z (not incoming)rFz (forward does not match)rz (protocol) z(dport) r/z(dst) z ('%s' not in network '%s')z (interface) z (%s != %s)z %s does not existz(v6) z'(fuzzy match) '%s (v6=%s)' '%s (v6=%s)'rk)rlrNrr'rr(rrr% _is_anywhererrrYZ in_networkZget_ip_from_ifIOError)rmrnrproZif_iprrr fuzzy_dst_matchs|        (      & zUFWRule.fuzzy_dst_matchcCs|dks|dkrdSdS)zCheck if address is anywherer:rTFr)rr^rrr rrNszUFWRule._is_anywherecCsd}|jdks|jdkrd|j|j|j|jf}|jdkrRd|j|j|j|jf}|jdkrtd|j|j|j|jf}|jdkr|jdkr|d|j7}n0|jdkr|d|j7}|jdkr|d|j7}|S)aReturns a tuple to identify an app rule. Tuple is: dapp dst sapp src direction_iface|direction or dport dst sapp src direction_iface|direction or dapp dst sport src direction_iface|direction where direction_iface is of form 'in_eth0', 'out_eth0' or 'in_eth0 out_eth0' (ie, both interfaces used). If no interfaces are specified, then tuple ends with the direction instead. rz %s %s %s %sz %sz in_%sz out_%s) r r!rrrrr%r&r')rZtuplrrr get_app_tupleTs$     zUFWRule.get_app_tuplecCs|jdkr4|jdks|jdkr4td|j}t||jtjjkr`|dkr`td|j}t||jtjjkr|j dks|j dkrtd|j}t|dS)z Verify rulerrz3Improper rule syntax ('%s' specified with app rule)rz'Invalid IPv6 address with protocol '%s'zInvalid port with protocol '%s'N) rr!r r;rrrYZipv4_only_protocolsZportless_protocolsrr)rZ rule_iptyperUrrr verifyvs, zUFWRule.verifyN)rrrrrFr)r)rrrrr r r8r9r1r*r,r+rZr[r-r.rdrerJr/rgr0rirNrtrrrurvrrrr r*s> # C 5   0  #Cn"r)rrBrQZufw.utilrrZ programNameZ state_dirZ share_dirZ trans_dirZ config_dirZ prefix_dirZ iptables_dirZ do_checksrRrrrrrr s