U Ld`@sVdZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlmZddlmZmZdZdZddd d d d d gZd d d d d gZd d gZddZddZddZddZddZdkddZddZ ddZ!dd Z"d!d"Z#dld$d%Z$d&d'Z%d(d)Z&d*d+Z'dmd,d-Z(d.d/Z)ej*d#fd0d1Z+d2d3Z,d4d5Z-d6d7Z.d8d9Z/e 0fd:d;Z1e 0fdd?Z3d@dAZ4dBdCZ5dDdEZ6dFdGZ7dHdIZ8dJdKZ9dLdMZ:dndNdOZ;dodPdQZdVdWZ?dXdYZ@dZd[ZAd\d]ZBd^d_ZCd`daZDdbdcZEdddeZFdqdgdhZGdidjZHdS)rz"util.py: utility functions for ufw)print_functionN)reduce)mkstempmktempFtcpudpZipv6ZespZahZigmpZgrecCsd}zt|Wntk r(YnXzt|dd}Wntk rRYnXz"t|d|dkrpd}nd}Wntk rYnX|S)z8Get the protocol for a specified port from /etc/servicesrrany)socketZ getservbyname Exception)portprotor*/usr/lib/python3/dist-packages/ufw/util.pyget_services_proto.s$  rcCs~d}d}|d}t|dkr,|d}d}nJt|dkrf|d}|d}|tkrvtd|}t|ntd}t|||fS) zParse port or port and protocolr/rr zInvalid port with protocol '%s'zBad port)splitlenportless_protocols_ ValueError)Zp_strr r tmperr_msgrrrparse_port_protoHs     rcCstjstddSt|dks*td|s.dS|d}zttj|dWnt k rdYdSXt|dkrvdSt|dkrt |dd sdSd S) zVerifies if valid IPv6 addressz"python does not have IPv6 support.F+z^[a-fA-F0-9:\./]+$rrrrT) r Zhas_ipv6warnrrematchr inet_ptonAF_INET6r _valid_cidr_netmaskaddrnetrrrvalid_address6\s    r&cCst|dkstd|sdS|d}z*ttj|dt|ddsNWdSWntk rfYdSXt|dkrxdSt|dkrt |ddsdSdS) zVerifies if valid IPv4 addressz ^[0-9\./]+$FrrrrT) rrrrr r AF_INET_valid_dotted_quadsr valid_netmaskr#rrrvalid_address4vs    r+cCst||pt||S)z(Verifies if valid cidr or dotted netmask)r"r))nmv6rrrr*sr*r cCs@|dkrt|S|dkr t|S|dkr8t|p6t|StdS)zValidate IP addresses64r N)r&r+r)r$versionrrr valid_addresssr1c Cshg}d}d}tj}|r d}tj}d|krn|d}|rJ|ddkrJ|d=qx|sx|ddksf|ddkrx|d=n |||st|d krt|d|rzt|d||d<Wntk rYnX|d }t |t ||}||d krd }t|d kr@|d|d7}|s@t |}||kr@d ||f}t ||}d }t ||s`d |}t |t||fS)zConvert address to standard form. Use no netmask for IP addresses. If netmask is specified and not all 1's, for IPv4 use cidr if possible, otherwise dotted netmask and for IPv6, use cidr. Fr/r.rrZ128Z32z255.255.255.255rrTzUsing '%s' for address '%s'zInvalid address '%s')r r(r!rappendrr)_dotted_netmask_to_cidrr inet_ntopr _address4_to_networkdebugr1r) origr-r%Zchangedr0Zs_typer$networkZdbg_msgrrrnormalize_addresssJ      r9cCs*zt|d}Wntk r$YnX|S)z"Opens the specified file read-onlyr)openr )fnr7rrropen_file_reads r=cCs`z t|}Wntk r"YnXzt\}}Wntk rP|YnX||||dS)z=Opens the specified file read-only and a tempfile read-write.)r7orignamertmpname)r=r rclose)r<r7rr?rrr open_filess rAcCs|dkr dS|sttjdtr<|tjkrr?N)r@rNshutilZcopystatcopyr unlinkrE)Zfnsupdaterrr close_filess rXc Cspt|ztj|tjtjdd}Wn2tk rT}zdt|gWYSd}~XYnX|d}|jt|gS)z!Try to execute the given command.T)rJstderrZuniversal_newlinesNr) r6 subprocessPopenPIPEZSTDOUTrEstr communicate returncode)ZcommandZspexrQrrrcmd$s  " rbc Csrz$tj|tjd}tj||jd}Wn2tk rV}zdt|gWYSd}~XYnX|d}|jt|gS)z#Try to pipe command1 into command2.)rJ)stdinrZNr)r[r\r]rJrEr^r_r`)Zcommand1Zcommand2Zsp1Zsp2rarQrrrcmd_pipe2s" rdcCsz |j}Wntk r"|}YnXz|dd}Wntk rL|}YnXtrjttjrj||n|t || dS)zQImplement our own print statement that will output utf-8 when appropriate.utf-8ignoreN) bufferr encoderHinspectZisclassioStringIOrLrOflush)outputswriterrQrrr_print@s    rpcCs<zttjd|Wntk r(YnX|r8tddS)zPrint error message and exitz ERROR: %s rN)rprIrYIOErrorexit)rQZdo_exitrrrerrorUs rscCs.zttjd|Wntk r(YnXdS)zPrint warning messagez WARN: %s N)rprIrYrqrQrrrr`srcCsRtr|tjkrt}z&|r(t|d|nt|d|Wntk rLYnXdS)z Print messagez%s z%sN)rHrIrJrprq)rQrmnewlinerrrmsghsrvcCs2tr.zttjd|Wntk r,YnXdS)zPrint debug messagez DEBUG: %s N) DEBUGGINGrprIrYrqrtrrrr6vs r6cCst|fdd|dS)z A word-wrap function that preserves existing line breaks and most spaces in the text. Expects that existing line breaks are posix newlines ( ). c Ss<d|dt||ddt|ddd|k|fS)Nz%s%s%sz  rr)rrfindr)lineZwordwidthrrrszword_wrap.. )rr)textr{rrr word_wraps rcCs t|dS)zWord wrap to a specific widthK)r)r~rrr wrap_textsrcs dd|jfddddS)a$Sorts list of strings into numeric order, with text case-insensitive. Modifies list in place. Eg: [ '80', 'a222', 'a32', 'a2', 'b1', '443', 'telnet', '3', 'http', 'ZZZ'] sorts to: ['3', '80', '443', 'a2', 'a32', 'a222', 'b1', 'http', 'telnet', 'ZZZ'] cSs|rt|S|S)N)isdigitintlower)trrrr|zhuman_sort..csfddtd|DS)Ncsg|] }|qSrr).0cZnormrr sz0human_sort....z([0-9]+))rr)krrrr|r)keyN)sort)lstrrr human_sorts rcCsz t|}Wntk r(tdYnXtjdt|d}tj|sVtd|z(t | d ddd d}Wntk rYnXt|S)zdFinds parent process id for pid based on /proc//stat. See 'man 5 proc' for details. zpid must be an integer/procstatCouldn't find '%s'r)r) rr rrNpathjoinr^isfilerqr; readlinesrsplitr)Zmypidpidnameppidrrrget_ppids   (rcCsz t|}WnPtk r2td}t|YdStk r\tdt|}t|YnX|dksn|dkrrdStj dt|d}tj |std|}t|zt | d d}Wn(tk rtd |}t|YnXtd ||d krd St|Sd S)z1Determine if current process is running under sshz%Couldn't find pid (is /proc mounted?)Fz!Couldn't find parent pid for '%s'rrrrrz"Could not find executable for '%s'zunder_ssh: exe is '%s'z(sshd)TN)rrqrrr r^rrNrrrr;rrr6 under_ssh)rrwarn_msgrrexerrrrs0      rcCs8d}|r d}td|r0t|dks0t||kr4dSdS)zVerifies cidr netmasks ^[0-9]+$rFT)rrr)r,r-numrrrr"s $r"cCsf|rdStd|r^td|}t|dkr0dS|D]&}|rTt|dksTt|dkr4dSq4ndSdS)z.Verifies dotted quad ip addresses and netmasksFz^[0-9]+\.[0-9\.]+$z\.rT)rrrrr)r,r-Zquadsqrrrr)s    r)c Csd}|rtnt||std}zttdt|d}Wn.tk rlttdt|d}YnXd}t dD]0}||?d@dkrd}qz|rd}qqz|d7}qz|dkr|dkrt d|}t ||st|S) z@Convert netmask to cidr. IPv6 dotted netmasks are not supported.rr>LFrrTrB) rr)longstructunpackr inet_aton NameErrorrranger^r")r,r-cidrZmbitsbitsZ found_onenrrrr3s.      r3cCsd}|rtnpt||stz td}Wntk r@d}YnXtdD] }|t|krJ|dd|>O}qJtt d|}t ||st|S)zO}qqz t d} Wnt k rd} YnXt d D]$}|t |kr| dd |>O} q|| @} g} t d D]0}| t || d |d |d d dqHttj td | d| d| d| d| d| d| d| d } d| |fS)z8Convert an IPv6 address and netmask to a network addresscs$dfddt|dddDS)zDecimal to binaryrcsg|]}t|?d@qS)r)r^)ryrrrrysz9_address6_to_network..dec2bin..rrB)rr)rcountrrrdec2binwsz%_address6_to_network..dec2binrz8_address6_to_network: skipping address without a netmaskrrTrz>8HrZrrCrr)r6rrr*rrrr r r!rrrrr2r4r)r$rr orig_hostnetmaskZunpackedrirjrr%rr8rrr_address6_to_networkusT     (    .rc CsZ|d}t|dks$t|d|s(t|d}|d}|dksH|dkrLdS|}d|kr|d}t|dks|t|d|st|d}|dks|dkrdS|rt|rt|stnt|rt|stt||r|st||}|rtd||fdd}td||fdd}n4t d||fdd}t d||fdd}||kS) z&Determine if address x is in network yrrrrz0.0.0.0z::Tr) rrr*rr&r+r"rrr5) Z tested_addZ tested_netr-rrrZaddressZ orig_networkr8rrr in_networksh   rcCsJd}dD](}tj|d}tj|r,q2qd}q|dkrFttjd|S)Nr)z/sbinz/binz /usr/sbinz/usr/binz/usr/local/sbinz/usr/local/binZiptableszCould not find iptables)rNrrexistsrErFrG)rdrrr_find_system_iptabless  rcCsT|dkrt}t|dg\}}|dkr6ttjd|td|}tdd|dS) zReturn iptables versionNz-VrzError running '%s'z\sz^vrr)rrbrErFrGrrsub)rrRrQrrrrget_iptables_versions rcCsdd}|r$tdkr$ttjd|dkr2t}g}d}|drHd}|td d d 7}t|d |g\}}|dkr~ttj ||||d d ddd ddgr| d|||d d ddd ddddddg r| dt|d|gt|d|g\}}|dkrttj ||S)z[Return capabilities set for netfilter to support new features. Callers must be root.cSs*|d|g}t||\}}|dkr&dSdS)Nz-ArTF)rb)rchainZruleargsrRrQrrrtest_caps  z,get_netfilter_capabilities..test_caprz Must be rootNz ufw-caps-testZ ip6tableszufw6-caps-testr)prefixdirz-Nz-mZ conntrackz --ctstateZNEWZrecentz--setz recent-setz--updatez --secondsZ30z --hitcountr.z recent-updatez-Fz-X) rNgetuidrErFZEPERMrendswithrrbrGr2)rZ do_checksrZcapsrrRrQrrrget_netfilter_capabilitiessD       rcCst|}t}|D]}|ds2|ds2q|}|d}|ddd}t}d|dddd|d<|d |d <|d d d|d <|d dkr|d |d<n|d d d|d<||krt||<g|||<n|||krg|||<||||q|S)z:Get and parse netstat the output from get_netstat_output()rrrr:rBNladdrrCuidrrr-r)get_netstat_outputdict splitlines startswithrrr2)r-Znetstat_outputrrzrr r itemrrrparse_netstat_output8s,     rc s,d}|rd}tj|s(ttjd|t|D]j}||dkr4d fddt dt dd D}d  d kr4d |t d  d f}q4|dkrttjdnhttjtj}z4tt|dtd|dddd}Wn"tk rttjdYnXt||dS)zGet IP address for interfacer/proc/net/if_inet6'%s' does not existrrcs g|]}d||dqSrrrrrrrrrlsz"get_ip_from_if..rrr80rrNo such deviceiZ256sN)rNrrrErFrGr;rrrrrrrrqENODEVr r(Z SOCK_DGRAMrfcntlZioctlrKrrr r9)ifnamer-r$procrzrnrrrget_ip_from_if^s4    rc s`d}d}t|rd}d}nt|s.ttjdtj|sJttj d|d}|rt | D]}| d }d fd d td td d D}ddkrd|tddf}||ksd|kr^t||dr^|}qq^nlt | D]^}d |kr q| d d  }zt|d}Wntk rFYqYnX||kr|}q\q|S)zGet interface for IP addressFz /proc/net/devTrrrrrrcs g|]}d||dqSrrrrrrrsz"get_if_from_ip..rrrrrrr)r&r+rqrFrrNrrrErGr;rrstriprrrrrrr)r$r-rZmatchedrzrZtmp_addrZiprrrget_if_from_ip~sL       rc Cstd}|td}t}|D]}||s6q&tjd|d}t |tj tj Bs\q&d}zt tjd|d}Wnt k rYnXzt|}Wnt k rYq&YnX|D]R}zttj||d}Wnt k rYqYnXd|tj|f||<qq&|S)zGet inodes of files in /procrrrPrrrr)rNlistdirrrcompilerrrraccessF_OKR_OKreadlinkr rbasename) Z proc_filesZpatinodesrZfd_pathZexe_pathdirsrinoderrr_get_proc_inodess4     rc Csddddddddd d d d }d dddd}tjd|}t|tjtjBsPtg}d}t|}|D]}| }|s~d}qh|t ||dd} | drd} n| dr| d krqh||d d\} } ||d} ||d} | | t | d| | | fqh|S)z=Read /proc/net/(tcp|udp)[6] file and return a list of tuples Z ESTABLISHEDZSYN_SENTZSYN_RECVZ FIN_WAIT1Z FIN_WAIT2Z TIME_WAITZCLOSEZ CLOSE_WAITZLAST_ACKZLISTENZCLOSING) rrrCrrrrr rrCrr) local_addrstaterrz /proc/netFTrrrZNArrrrr) rNrrrrrrr;rrrrr2)ZprotocolZ tcp_statesZproc_net_fieldsr<rZ skipped_firstlinesrzZfieldsrrr rrrrr_read_proc_net_protocolsL     rc sd}tdkr~dtdddD],}dfddt|d|dD7q tdfd dtdtd Dd d}nLgfd dtdddDD]}tt|d qtddd}|S)zDConvert an address from /proc/net/(tcp|udp)* to a normalized addressrrrrcsg|]}|d|qSrrrrpaddrrrrsz(convert_proc_address..rcs g|]}||dqS)r)rrrrrr srTcsg|]}|d|qSrrrrrrr sr.F)rrrr9r2r^r)rZ convertedrr)rrrconvert_proc_addresss" *rc Cst}ddg}|r|ddg7}|D]B}zt|||<Wq"tk rbtd|}t|Yq"Yq"Xq"t}t|}|d}|D]`}||D]R\}} } } } t |} d}t | |kr|t | }|d|d | | f| | | |f7}qq|S) z5netstat-style output, without IPv6 address truncationrrZtcp6Zudp6z!Could not get statistics for '%s'rrz%-5s %-46s %-11s %-5s %-11s %s z%s:%s) rrr rrrlistkeysrrr)r-Z proc_net_datar prrZ protocolsrnrr rrrr$rrrrrs:        rcCsR|dkr |S|dr@t|dkr(|}qNtj||dd}ntj||}|S)zAdd prefix to dirNrrr)rrrNrr)rrZnewdirrrr _findpath7s  r cCs4tjddkrt|dSt|jddddS)z,Take a string and convert it to a hex stringrrChexrerf)errorsrD)rIrMcodecsrhbinasciiZhexlifydecode)rnrrr hex_encodeEs rcCs0tjddkr |jdddSt|dS)z,Take a hex string and convert it to a stringrrCr )encodingre)rIrMrrZ unhexlify)hrrr hex_decodeNsr /run/ufw.lockcCs$d}|s t|d}t|tj|S)zCreate a blocking lockfileNw)r;rlockfZLOCK_EX)ZlockfileZdryrunlockrrr create_lockUs  rcCs@|dkr dSzt|tj|Wntk r:YnXdS)z(Free lockfile created with create_lock()N)rrZLOCK_UNr@r)rrrr release_lock^s r)r )T)T)N)NT)F)rF)I__doc__Z __future__rrr rFrrjrirNrrTr rr[rI functoolsrZtempfilerrrwrHZsupported_protocolsrZipv4_only_protocolsrrr&r+r*r1r9r=rArSrXrbrdrprsrrJrvr6rrrgetpidrrr"r)r3rr5rrrrrrrrrrrrr rrrrrrrrs   7    ' .#:4 9& /%/#