U
    Ld`                     @   sV  d Z ddlmZ ddlZddlZddlZddlZddlZddlZddl	Z	ddl
Z
ddlZddlZddlZddlZddlZddlmZ ddlmZmZ dZdZddd	d
dddgZd	d
dddgZd	dgZdd Zdd Zdd Zdd Zdd ZdkddZdd Z dd Z!dd  Z"d!d" Z#dld$d%Z$d&d' Z%d(d) Z&d*d+ Z'dmd,d-Z(d.d/ Z)ej*d#fd0d1Z+d2d3 Z,d4d5 Z-d6d7 Z.d8d9 Z/e	0 fd:d;Z1e	0 fd<d=Z2d>d? Z3d@dA Z4dBdC Z5dDdE Z6dFdG Z7dHdI Z8dJdK Z9dLdM Z:dndNdOZ;dodPdQZ<dRdS Z=dpdTdUZ>dVdW Z?dXdY Z@dZd[ ZAd\d] ZBd^d_ ZCd`da ZDdbdc ZEddde ZFdqdgdhZGdidj ZHdS )rz"util.py: utility functions for ufw    )print_functionN)reduce)mkstempmktempFtcpudpZipv6ZespZahZigmpZgrec                 C   s   d}zt |  W n tk
r(    Y nX zt | d d}W n tk
rR   Y nX z"t | d |dkrpd}nd}W n tk
r   Y nX |S )z8Get the protocol for a specified port from /etc/services r   r   any)socketZgetservbyname	Exception)portproto r   */usr/lib/python3/dist-packages/ufw/util.pyget_services_proto.   s$    r   c                 C   s~   d}d}|  d}t|dkr,|d }d}nJt|dkrf|d }|d }|tkrvtd| }t|ntd}t|||fS )	zParse port or port and protocolr   /   r   r	      zInvalid port with protocol '%s'zBad port)splitlenportless_protocols_
ValueError)Zp_strr   r   tmperr_msgr   r   r   parse_port_protoH   s    

r   c                 C   s   t jstd dS t| dks*td| s.dS | d}zt t j|d  W n t	k
rd   Y dS X t|dkrvdS t|dkrt
|d d	sdS d	S )
zVerifies if valid IPv6 addressz"python does not have IPv6 support.F+   z^[a-fA-F0-9:\./]+$r   r   r   r   T)r
   Zhas_ipv6warnr   rematchr   	inet_ptonAF_INET6r   _valid_cidr_netmaskaddrnetr   r   r   valid_address6\   s     
r&   c                 C   s   t | dkstd| sdS | d}z*ttj|d  t|d dsNW dS W n tk
rf   Y dS X t |dkrxdS t |dkrt	|d dsdS dS )	zVerifies if valid IPv4 address   z^[0-9\./]+$Fr   r   r   r   T)
r   r   r   r   r
   r    AF_INET_valid_dotted_quadsr   valid_netmaskr#   r   r   r   valid_address4v   s    

r+   c                 C   s   t | |pt| |S )z(Verifies if valid cidr or dotted netmask)r"   r)   )nmv6r   r   r   r*      s    r*   r	   c                 C   s@   |dkrt | S |dkr t| S |dkr8t| p6t | S tdS )zValidate IP addresses64r	   N)r&   r+   r   )r$   versionr   r   r   valid_address   s    r1   c           	      C   sh  g }d}d}t j}|r d}t j}d| krn| d}|rJ|d dkrJ|d= qx|sx|d dksf|d dkrx|d= n
||  |st|d	krt|d |rzt|d ||d< W n tk
r   Y nX |d
 }t 	|t 
||}||d
 krd}t|d	kr@|d|d  7 }|s@t|}||kr@d||f }t| |}d}t||s`d| }t| t||fS )zConvert address to standard form. Use no netmask for IP addresses. If
       netmask is specified and not all 1's, for IPv4 use cidr if possible,
       otherwise dotted netmask and for IPv6, use cidr.
    Fr/   r.   r   r   Z128Z32z255.255.255.255r   r   TzUsing '%s' for address '%s'zInvalid address '%s')r
   r(   r!   r   appendr   r)   _dotted_netmask_to_cidrr   	inet_ntopr    _address4_to_networkdebugr1   r   )	origr-   r%   Zchangedr0   Zs_typer$   networkZdbg_msgr   r   r   normalize_address   sJ    


r9   c                 C   s*   zt | d}W n tk
r$    Y nX |S )z"Opens the specified file read-onlyr)openr   )fnr7   r   r   r   open_file_read   s
    r=   c                 C   s`   zt | }W n tk
r"    Y nX zt \}}W n tk
rP   |   Y nX || ||dS )z=Opens the specified file read-only and a tempfile read-write.)r7   orignamer   tmpname)r=   r   r   close)r<   r7   r   r?   r   r   r   
open_files   s    rA   c                 C   s   |dkrdS | st tjdtr<| tj kr<t| dS d}tjd dkrbt	| t
|d}nt	| |}|dkrt tjddS )	z~Write to the file descriptor and error out of 0 bytes written. Intended
       to be used with open_files() and close_files().r   NzNot a valid file descriptorr      asciiz"Could not write to file descriptor)OSErrorerrnoENOENT
msg_outputsysstdoutfilenowriteversion_infoosbytesZEIO)fdoutrcr   r   r   write_to_file   s    
rS   Tc                 C   s   | d    t | d  |rbz,t| d | d  t| d | d  W n tk
r`    Y nX zt| d  W n tk
r    Y nX dS )zuCloses the specified files (as returned by open_files), and update
       original file with the temporary file.
    r7   r   r>   r?   N)r@   rN   shutilZcopystatcopyr   unlinkrE   )Zfnsupdater   r   r   close_files  s    rX   c              
   C   sp   t |  ztj| tjtjdd}W n2 tk
rT } zdt|g W Y S d}~X Y nX | d }|jt|gS )z!Try to execute the given command.T)rJ   stderrZuniversal_newlines   Nr   )	r6   
subprocessPopenPIPEZSTDOUTrE   strcommunicate
returncode)ZcommandZspexrQ   r   r   r   cmd$  s    

"rb   c              
   C   sr   z$t j| t jd}t j||jd}W n2 tk
rV } zdt|g W Y S d}~X Y nX | d }|jt|gS )z#Try to pipe command1 into command2.)rJ   )stdinrZ   Nr   )r[   r\   r]   rJ   rE   r^   r_   r`   )Zcommand1Zcommand2Zsp1Zsp2ra   rQ   r   r   r   cmd_pipe2  s    "rd   c                 C   s   z
| j }W n tk
r"   | }Y nX z|dd}W n tk
rL   |}Y nX trjttjrj|| n|t	| | 
  dS )zQImplement our own print statement that will output utf-8 when
       appropriate.utf-8ignoreN)bufferr   encoderH   inspectZisclassioStringIOrL   rO   flush)outputswriterrQ   r   r   r   _print@  s    


rp   c                 C   s<   zt tjd|   W n tk
r(   Y nX |r8td dS )zPrint error message and exitz
ERROR: %s
r   N)rp   rI   rY   IOErrorexit)rQ   Zdo_exitr   r   r   errorU  s    rs   c                 C   s.   zt tjd|   W n tk
r(   Y nX dS )zPrint warning messagez	WARN: %s
N)rp   rI   rY   rq   rQ   r   r   r   r   `  s    r   c                 C   sR   t r|tjkrt }z&|r(t|d|   nt|d|   W n tk
rL   Y nX dS )zPrint messagez%s
z%sN)rH   rI   rJ   rp   rq   )rQ   rm   newliner   r   r   msgh  s    rv   c                 C   s2   t r.zttjd|   W n tk
r,   Y nX dS )zPrint debug messagez
DEBUG: %s
N)	DEBUGGINGrp   rI   rY   rq   rt   r   r   r   r6   v  s
    r6   c                 C   s   t |fdd| dS )z
    A word-wrap function that preserves existing line breaks
    and most spaces in the text. Expects that existing line
    breaks are posix newlines (
).
    c              	   S   s<   d| dt | | d d t |ddd  |k |f S )Nz%s%s%sz 

r   r   )r   rfindr   )lineZwordwidthr   r   r   <lambda>  s   zword_wrap.<locals>.<lambda> )r   r   )textr{   r   r   r   	word_wrap  s    r   c                 C   s
   t | dS )zWord wrap to a specific widthK   )r   )r~   r   r   r   	wrap_text  s    r   c                    s    dd  | j  fddd dS )a$  Sorts list of strings into numeric order, with text case-insensitive.
       Modifies list in place.

       Eg:
       [ '80', 'a222', 'a32', 'a2', 'b1', '443', 'telnet', '3', 'http', 'ZZZ']

       sorts to:
       ['3', '80', '443', 'a2', 'a32', 'a222', 'b1', 'http', 'telnet', 'ZZZ']
    c                 S   s   |   rt| S |  S )N)isdigitintlower)tr   r   r   r|         zhuman_sort.<locals>.<lambda>c                    s    fddt d| D S )Nc                    s   g | ]} |qS r   r   ).0cZnormr   r   
<listcomp>  s     z0human_sort.<locals>.<lambda>.<locals>.<listcomp>z([0-9]+))r   r   )kr   r   r   r|     r   )keyN)sort)lstr   r   r   
human_sort  s    
r   c                 C   s   zt | }W n tk
r(   tdY nX tjdt|d}tj|sVtd| z(t	|
 d ddd  d }W n tk
r    Y nX t |S )zdFinds parent process id for pid based on /proc/<pid>/stat. See
       'man 5 proc' for details.
    zpid must be an integer/procstatCouldn't find '%s'r   )r   )r   r   r   rN   pathjoinr^   isfilerq   r;   	readlinesrsplitr   )Zmypidpidnameppidr   r   r   get_ppid  s    (r   c                 C   s  zt | }W nP tk
r2   td}t| Y dS  tk
r\   tdt|  }t|Y nX | dksn|dkrrdS tj	dt|d}tj
|std| }t|zt| d  d }W n( tk
r   td	| }t|Y nX td
|  |dkrdS t|S dS )z1Determine if current process is running under sshz%Couldn't find pid (is /proc mounted?)Fz!Couldn't find parent pid for '%s'r   r   r   r   r   z"Could not find executable for '%s'zunder_ssh: exe is '%s'z(sshd)TN)r   rq   r   r   r   r^   r   rN   r   r   r   r;   r   r   r6   	under_ssh)r   r   warn_msgr   r   exer   r   r   r     s0    
r   c                 C   s8   d}|rd}t d| r0t| dk s0t| |kr4dS dS )zVerifies cidr netmasks       ^[0-9]+$r   FT)r   r   r   )r,   r-   numr   r   r   r"     s    $r"   c                 C   sf   |rdS t d| r^t d| }t|dkr0dS |D ]&}|rTt|dk sTt|dkr4 dS q4ndS dS )z.Verifies dotted quad ip addresses and netmasksFz^[0-9]+\.[0-9\.]+$z\.   r      T)r   r   r   r   r   )r,   r-   Zquadsqr   r   r   r)     s    
r)   c              
   C   s   d}|rt nt| |st d}zttdt| d }W n. tk
rl   ttdt| d }Y nX d}t	dD ]0}||? d@ dkrd}qz|rd} qqz|d7 }qz|dkr|dkrt
d| }t||st |S )	z@Convert netmask to cidr. IPv6 dotted netmasks are not supported.r   r   >LFr   r   TrB   )r   r)   longstructunpackr
   	inet_aton	NameErrorr   ranger^   r"   )r,   r-   cidrZmbitsbitsZ	found_onenr   r   r   r3     s.    
 

r3   c                 C   s   d}|rt npt| |st ztd}W n tk
r@   d}Y nX tdD ] }|t| k rJ|dd| > O }qJtt	d|}t
||st |S )z<Convert cidr to netmask. IPv6 dotted netmasks not supported.r   r   r   r   r'   r   )r   r"   r   r   r   r   r
   	inet_ntoar   packr)   )r   r-   r,   r   r   r   r   r   _cidr_to_dotted_netmask5  s     


r   c           	   
   C   s  d| krt d | S | d}t|dks8t|d ds<t|d }|d }|}t|drdt|d}z8tt	dt
|d }tt	dt
|d }W nH tk
r   tt	dt
|d }tt	dt
|d }Y nX ||@ }t
td|}d||f S )	z8Convert an IPv4 address and netmask to a network addressr   z8_address4_to_network: skipping address without a netmaskr   r   Fr   r   %s/%s)r6   r   r   r)   r   r"   r   r   r   r   r
   r   r   r   r   r   )	r$   r   ZhostZorig_nmr,   	host_bitsnm_bitsZnetwork_bitsr8   r   r   r   r5   R  s(    


 r5   c                 C   s  dd }d| krt d | S | d}t|dks@t|d dsDt|d }|d }td	ttj	|}zt
d}W n tk
r   d}Y nX td
D ]D}||| d}tdD ](}	|dt||	 @ d|	 |d  > O }qqzt
d}
W n tk
r   d}
Y nX tdD ]$}|t|k r|
dd| > O }
q||
@ }g }td
D ]0}|t||d|d |d d  d qHttj	td	|d |d |d |d |d |d |d |d 	}d||f S )z8Convert an IPv6 address and netmask to a network addressc                    s$   d  fddt|d ddD S )zDecimal to binaryr   c                    s   g | ]}t  |? d @ qS )r   )r^   )r   yr   r   r   r   y  s     z9_address6_to_network.<locals>.dec2bin.<locals>.<listcomp>r   rB   )r   r   )r   countr   r   r   dec2binw  s    z%_address6_to_network.<locals>.dec2binr   z8_address6_to_network: skipping address without a netmaskr   r   Tr   z>8H      rZ   r   rC   r            r   )r6   r   r   r*   r   r   r   r
   r    r!   r   r   r   r   r2   r4   r   )r$   r   r   	orig_hostnetmaskZunpackedr   ir   jr   r%   r   r8   r   r   r   _address6_to_networku  sT    

(
.    r   c           	      C   sZ  | d}t|dks$t|d |s(t|d }|d }|dksH|dkrLdS | }d|kr| d}t|dks|t|d |st|d }|dks|dkrdS |rt|rt|stnt|rt|stt||r|st||}|rtd||f  dd }td||f  dd }n4t	d||f  dd }t	d||f  dd }||kS )	z&Determine if address x is in network yr   r   r   r   z0.0.0.0z::Tr   )
r   r   r*   r   r&   r+   r"   r   r   r5   )	Z
tested_addZ
tested_netr-   r   r   r   ZaddressZorig_networkr8   r   r   r   
in_network  sh    


r   c                  C   sJ   d} dD ](}t j|d} t j| r, q2qd} q| dkrFttjd| S )Nr   )z/sbinz/binz	/usr/sbinz/usr/binz/usr/local/sbinz/usr/local/binZiptableszCould not find iptables)rN   r   r   existsrE   rF   rG   )r   dr   r   r   _find_system_iptables  s    r   c                 C   sT   | dkrt  } t| dg\}}|dkr6ttjd|  td|}tdd|d S )	zReturn iptables versionNz-Vr   zError running '%s'z\sz^vr   r   )r   rb   rE   rF   rG   r   r   sub)r   rR   rQ   r   r   r   r   get_iptables_version  s    r   c                 C   s  dd }|r$t  dkr$ttjd| dkr2t } g }d}| drHd}|td	d	d
7 }t| d|g\}}|dkr~ttj	||| |dddddddgr|
d || |dddddddddddgr|
d t| d|g t| d|g\}}|dkrttj	||S )z[Return capabilities set for netfilter to support new features. Callers
       must be root.c                 S   s*   | d|g}t || \}}|dkr&dS dS )Nz-Ar   TF)rb   )r   chainZruleargsrR   rQ   r   r   r   test_cap  s
    
z,get_netfilter_capabilities.<locals>.test_capr   zMust be rootNzufw-caps-testZ	ip6tableszufw6-caps-testr   )prefixdirz-Nz-mZ	conntrackz	--ctstateZNEWZrecentz--setz
recent-setz--updatez	--secondsZ30z
--hitcountr.   zrecent-updatez-Fz-X)rN   getuidrE   rF   ZEPERMr   endswithr   rb   rG   r2   )r   Z	do_checksr   Zcapsr   rR   rQ   r   r   r   get_netfilter_capabilities  sD    
  
    

r   c                 C   s  t | }t }| D ] }|ds2|ds2q| }|d }|d dd }t }d|d ddd |d< |d	 |d
< |d dd |d< |d dkr|d |d< n|d dd |d< ||krt ||< g || |< n||| krg || |< || | | q|S )z:Get and parse netstat the output from get_netstat_output()r   r   r   r   :rB   NladdrrC   uidr   r   r   -r   )get_netstat_outputdict
splitlines
startswithr   r   r2   )r-   Znetstat_outputr   rz   r   r   r   itemr   r   r   parse_netstat_output8  s,     
r   c                    s,  d}|rd}t j|s(ttjd| t| D ]j}|  |  d kr4d	 fddt
dt d d	D } d
  dkr4d|t d
  df }q4|dkrttjdnhttjtj}z4tt| dtd| dd dd }W n" tk
r   ttjdY nX t||d S )zGet IP address for interfacer   /proc/net/if_inet6'%s' does not existr   r   c                    s    g | ]} d  ||d  qS r   r   r   r   r   r   r   r   r   l  s     z"get_ip_from_if.<locals>.<listcomp>r   r   r   80r   r   No such devicei  Z256sN         )rN   r   r   rE   rF   rG   r;   r   r   r   r   r   r   r   rq   ENODEVr
   r(   Z
SOCK_DGRAMr   fcntlZioctlrK   r   r   r   r9   )ifnamer-   r$   procrz   rn   r   r   r   get_ip_from_if^  s4      r   c              	      s`  d}d}t | rd}d}nt| s.ttjdtj|sJttj	d| d}|rt
| D ]}|   d  }d	 fd
dtdt d dD } d  dkrd|t d  df }| |ksd|kr^t| |dr^|} qq^nlt
| D ]^}d	|krq|d	d  }zt|d}W n tk
rF   Y qY nX || kr|} q\q|S )zGet interface for IP addressFz/proc/net/devTr   r   r   r   r   r   c                    s    g | ]} d  ||d  qS r   r   r   r   r   r   r     s     z"get_if_from_ip.<locals>.<listcomp>r   r   r   r   r   r   r   )r&   r+   rq   rF   r   rN   r   r   rE   rG   r;   r   r   stripr   r   r   r   r   r   r   )r$   r-   r   Zmatchedrz   r   Ztmp_addrZipr   r   r   get_if_from_ip~  sL     


r   c            	   
   C   s  t d} |   td}t }| D ]}||s6q&t jd|d}t 	|t j
t jB s\q&d}zt t jd|d}W n tk
r   Y nX zt |}W n tk
r   Y q&Y nX |D ]R}zt t j||d }W n tk
r   Y qY nX d|t j|f ||< qq&|S )zGet inodes of files in /procr   r   rP   r   r   r   r   )rN   listdirr   r   compiler   r   r   r   accessF_OKR_OKreadlinkr   r   basename)	Z
proc_filesZpatinodesr   Zfd_pathZexe_pathdirsr   inoder   r   r   _get_proc_inodes  s4    




r   c                 C   s  ddddddddd	d
dd}ddddd}t jd| }t |t jt jB sPtg }d}t| }|D ]}|	 }|s~d}qh|t
||d  d }	| drd}	n| dr|	d
krqh||d  	d\}
}||d  }||d  }||
t
|d|||	f qh|S )z=Read /proc/net/(tcp|udp)[6] file and return a list of tuples ZESTABLISHEDZSYN_SENTZSYN_RECVZ	FIN_WAIT1Z	FIN_WAIT2Z	TIME_WAITZCLOSEZ
CLOSE_WAITZLAST_ACKZLISTENZCLOSING)r   r   rC   r   r   r   r   r   	   
      r   rC   r   r   )
local_addrstater   r   z	/proc/netFTr   r   r   ZNAr   r   r   r   r   )rN   r   r   r   r   r   r   r;   r   r   r   r   r2   )ZprotocolZ
tcp_statesZproc_net_fieldsr<   r   Zskipped_firstlinesrz   Zfieldsr   r   r   r   r   r   r   r   _read_proc_net_protocol  sL    
r   c              	      s   d}t  dkr~dtdddD ],}d fddt|d |dD 7 q tdfd	dtdt d
D dd }nLg  fddtdddD D ]}tt|d qtddd }|S )zDConvert an address from /proc/net/(tcp|udp)* to a normalized addressr   r   r   r   c                    s   g | ]} |d  | qS r   r   r   r   paddrr   r   r     s     z(convert_proc_address.<locals>.<listcomp>r   c                    s    g | ]} ||d     qS )r   )r   r  r   r   r   r   	  s     r   Tc                    s   g | ]} |d  | qS r   r   r  r  r   r   r     s     r   .F)r   r   r   r9   r2   r^   r   )r  Z	convertedr   r   )r  r   r   convert_proc_address  s"    *r  c              
   C   s   t  }ddg}| r|ddg7 }|D ]B}zt|||< W q" tk
rb   td| }t| Y q"Y q"X q"t }t| }|  d}|D ]`}|| D ]R\}}	}
}}t	|}d}t
||kr|t
| }|d|d	||	f ||
||f 7 }qq|S )
z5netstat-style output, without IPv6 address truncationr   r   Ztcp6Zudp6z!Could not get statistics for '%s'r   r   z%-5s %-46s %-11s %-5s %-11s %s
z%s:%s)r   r   r   r   r   r   listkeysr   r  r   )r-   Zproc_net_datar   pr   r   Z	protocolsrn   r   r   r   r   r   r$   r   r   r   r   r     s:    
   r   c                 C   sR   |dkr| S |  dr@t| dk r(|}qNtj|| dd }ntj|| }|S )zAdd prefix to dirNr   r   r   )r   r   rN   r   r   )r   r   Znewdirr   r   r   	_findpath7  s    
r
  c                 C   s4   t jd dk rt| dS t| jddddS )z,Take a string and convert it to a hex stringr   rC   hexre   rf   )errorsrD   )rI   rM   codecsrh   binasciiZhexlifydecode)rn   r   r   r   
hex_encodeE  s    r  c                 C   s0   t jd dk r | jdddS t| dS )z,Take a hex string and convert it to a stringr   rC   r  )encodingre   )rI   rM   r  r  Z	unhexlify)hr   r   r   
hex_decodeN  s    r  /run/ufw.lockc                 C   s$   d}|s t | d}t|tj |S )zCreate a blocking lockfileNw)r;   r   lockfZLOCK_EX)ZlockfileZdryrunlockr   r   r   create_lockU  s
    
r  c                 C   s@   | dkrdS zt | t j |   W n tk
r:   Y nX dS )z(Free lockfile created with create_lock()N)r   r  ZLOCK_UNr@   r   )r  r   r   r   release_lock^  s    r  )r	   )T)T)N)NT)F)r  F)I__doc__Z
__future__r   r  r  rF   r   rj   ri   rN   r   rT   r
   r   r[   rI   	functoolsr   Ztempfiler   r   rw   rH   Zsupported_protocolsr   Zipv4_only_protocolsr   r   r&   r+   r*   r1   r9   r=   rA   rS   rX   rb   rd   rp   rs   r   rJ   rv   r6   r   r   r   getpidr   r   r"   r)   r3   r   r5   r   r   r   r   r   r   r   r   r   r   r  r   r
  r  r  r  r  r   r   r   r   <module>   s   
7


	'.#:4

9&
 /%/#	
	