S9L@sdZddlZddlZddlZddlmZdZdZdZeZ dZ dZ d Z d Z Gd d d eZGd ddZdS)z!common.py: common classes for ufwN)debugufwz/lib/ufwz/usr/share/ufwz/etcz/usrz/sbinTc@s.eZdZdZddZddZdS)UFWErrorz$This class represents ufw exceptionscCs ||_dS)N)value)selfrr,/usr/lib/python3/dist-packages/ufw/common.py__init__"szUFWError.__init__cCs t|jS)N)reprr)rrrr__str__%szUFWError.__str__N)__name__ __module__ __qualname____doc__r r rrrrr s  rc@s'eZdZdZddddddddZdd Zd d Zd d ZddZddZ dddZ ddZ ddZ ddZ ddZddZdd Zd!d"Zd#d$Zd%d&Zd'd(Zd)d*Zd+d,Zd-d.Zd/d0Zd1S)2UFWRulez$This class represents firewall rulesanyz 0.0.0.0/0inFc Cs d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_d|_||_yb|j||j||j||j|d|j||j||j|Wntk rYnXdS)NFrsrc)removeupdatedv6dstrdportsportprotocolmultidappsappactionpositionlogtype interface_in interface_out directionforward set_action set_protocolset_portset_srcset_dst set_directionr) rrrrrrrr$r%rrrr +s8                        zUFWRule.__init__cCs |jS)N) format_rule)rrrrr KszUFWRule.__str__cCsSd|}t|j}|jx)|D]!}|d||j|f7}q*W|S)zPrint rule to stdoutz'%s'z, %s=%s)list__dict__sort)rreskeyskrrr _get_attribNs    zUFWRule._get_attribcCst|j|j}|j|_|j|_|j|_|j|_|j|_|j|_|j |_ |j |_ |j |_ |j |_ |j |_ |j|_|j|_|j|_|j|_|j|_|S)zReturn a duplicate of a rule)rrrrrrrrrrrrrr r!r"r#r$r%)rZrulerrrdup_ruleWs$                zUFWRule.dup_rulecCspd}|jdkr)|d|j7}n|jdkrL|d|j7}n|jdkrh|d7}n|d|j7}|jr"|d7}|jdkr|jdkr|d|j7}|d7}|d |j7}q"|jdkr|d|j7}q"|jdkr"|d |j7}q"n|jd krT|jd krT|d |j7}n|j r|jdkr|d |j7}n|jd kr|jd kr|d|j7}n|j r|jdkr|d|j7}nd}|jdkrd|j}n|j dkr%|d|7}nj|j dkra|d|7}|jdkr|d7}qn.|j dkr|d|7}n|d|7}|j dks|j dkrfd}t j d}|j dkr|d|jd|j 7}n|j dkr|j dkr|d7}n|j dkrK|d|jd|j 7}n|d 7}|d|7}n|jS)!zFormat rule for later parsingrz -i %sz -o %srz -p allz -p z -m multiportz --dports z --sports z 0.0.0.0/0z::/0z -d z --dport z -s z --sport _allowz -j ACCEPT%srejectz -j REJECT%stcpz --reject-with tcp-resetlimitz -j LIMIT%sz -j DROP%sz-m comment --comment ' Zdapp_z%20,Zsapp_')r"r#rrrrrrr!rrrrecompilesubstrip)rZrule_strZlstrZcommentZ pat_spacerrrr,msd        zUFWRule.format_rulecCs|jjd}|ddksE|ddksE|ddkrU|d|_n d|_d}t|dkr|d}n|j|d S) zSets action of the ruler5rr6r7r9ZdenyrN)lowersplitrlen set_logtype)rrtmpr!rrrr&s0  zUFWRule.set_actionrc Cstd|}|dkrnD|dkr7|jr7n,|dkrO|jrOntjd|sstjd|rt|n|jd|jdd krt|n|jd}t|d krd |_ nd }xt|D]l}tjd |rd |_ |jd}xA|D]9}t |d ksNt |dkr$t|q$q$Wt |dt |d kr0t|q0ntjd|rt |d kst |dkr0t|q0nUtjd|r$yt j |}Wq0t k r t|Yq0Xn t||rM|dt|7}qt|}qW|}|dkrt||_nt||_dS)z:Sets port and location (destination or source) of the rulez Bad port '%s'rrrz^[,:]z[,:]$r;:rATrz ^\d+:\d+$irz^\d+$z ^\w[\w\-]+N)r5rrr=matchrcountrCrDrintsocketZ getservbyname Exceptionstrrr) rportlocerr_msgportsrFpZranqrrrr(sP $"    $ $   zUFWRule.set_portcCst|dksH|dksH|dksH|dksH|dksH|dkrT||_ntd|}t|dS) zSets protocol of the ruler8ZudpZipv6ZespZahrzUnsupported protocol '%s'N)rr5r)rrrQrrrr's       zUFWRule.set_protocolcCs|jrr|jr<|jdks0|jdkr<d|_n|jr|jdksc|jdkrd|_qnf|jr|jdks|jdkrd|_n|jr|jdks|jdkrd|_ndS)zAdjusts src and dst based on v6rz 0.0.0.0/0z::/0N)rrr)rrrr _fix_anywheres ' '' 'zUFWRule._fix_anywherecCs||_|jdS)zXSets whether this is ipv6 rule, and adjusts src and dst accordingly. N)rrU)rrrrrset_v6 s zUFWRule.set_v6cCs`|j}|dkrItjj|d rItd}t|n||_|jdS)zSets source address of rulerzBad source addressN)rBrutil valid_addressr5rrrU)raddrrFrQrrrr)s  "  zUFWRule.set_srccCs`|j}|dkrItjj|d rItd}t|n||_|jdS)z Sets destination address of rulerzBad destination addressN)rBrrWrXr5rrrU)rrYrFrQrrrr*s  "  zUFWRule.set_dstcCs|dkr3|dkr3td}t|ndt|kr`td}t|ntjdt|std}t|ndt|krtd }t|n|dkr||_n ||_d S) zSets an interface for ruleroutzBad interface type!z+Bad interface name: reserved character: '!'z!^[a-zA-Z][a-zA-Z0-9:]*[a-zA-Z0-9]zBad interface namerGz/Bad interface name: can't use interface aliasesN)r5rrNr=rIr"r#)rZif_typenamerQrrr set_interface's      zUFWRule.set_interfacecCsJtjdt|s7td|}t|nt||_dS)zSets the position of the rulez^[0-9]+z,Insert position '%s' is not a valid positionN)r=rIrNr5rrKr )rZnumrQrrr set_position>szUFWRule.set_positioncCsb|jdks0|jdks0|dkrB|j|_ntd|}t|dS)zSets logtype of the rulelogzlog-allrzInvalid log type '%s'N)rBr!r5r)rr!rQrrrrEEs $ zUFWRule.set_logtypecCsD|dks|dkr$||_ntd|}t|dS)zSets direction of the rulerrZzUnsupported direction '%s'N)r$r5r)rr$rQrrrr+Ns zUFWRule.set_directioncCspd}|jryy(tjj|j|j\|_}Wn*tk rctd}t|YnX|ry||_qyn|j ry(tjj|j |j\|_ }Wn*tk rtd}t|YnX|r||_qn|j r,|j j d}tjj |dj ||_ n|jrl|jj d}tjj |dj ||_ndS)z&Normalize src and dst to standard formFz"Could not normalize source addressz'Could not normalize destination addressr;N)rrrWZnormalize_addressrrMr5rrrrrCZ human_sortjoinr)rZchangedrQrRrrr normalizeVs6        zUFWRule.normalizecCs.| s| rtnd||f}|j|jkrJt|dS|j|jkrjt|dS|j|jkrt|dS|j|jkrt|dS|j|jkrt|dS|j|jkrt|dS|j|jkr t|dS|j |j kr*t|dS|j |j krJt|dS|j |j krjt|dS|j |j krt|dS|j |j krt|dS|j|jkr|j|jkrtd}t|dStdi|jd6|jd6|jd6|jd 6}t|d S) z~Check if rules match Return codes: 0 match 1 no match -1 match all but action zNo match '%s' '%s'rAzFound exact matchrz@Found non-action/non-logtype match (%(xa)s/%(ya)s %(xl)s/%(yl)s)ZxaZyaZxlZyl) ValueErrorrrrrrrrrrr"r#r$r%rr!r5)xydbg_msgrrrrIys`             $    z UFWRule.matchcCsdd}| s| r&tn|j|dkr?dSd||j||jf}|jdkrtd|ddS|j|jkrt|d dS|j|jkr|jd krtd |dS|jd kr||j|j rtd |dS|jd kr|jd krA|j |j rAq=|j |j krtd|j krttd|dS|j |j kr=d|j kr=|j|jkr=t j j |j |j |j r=td|d|j |j fdSnK|jd kr9|j|jkr9td|d|j|jfdSyt j j|j|j}Wn/tk rtd|d|jdSYnX|j |krd|j krtd|d|j |fdS|j |kr=d|j kr=|j|jkr=t j j ||j |j r=td|d||j fdS|j|jkrutd|d|j |j fdStd||j||jfdS)aThis will match if x is more specific than y. Eg, for protocol if x is tcp and y is all or for address if y is a network and x is a subset of y (where x is either an address or network). Returns: 0 match 1 no match -1 fuzzy match This is a fuzzy destination match, so source ports or addresses are not considered, and (currently) only incoming. cSsd|ksd|kr,||kr(dSdSx|jdD]n}||krRdSd|kr<|jd\}}t|t|krt|t|krdSq<q<WdS)z:Returns True if p is an exact match or within a multi ruler;rGTF)rCrK)Ztest_pZto_matchrOZlowZhighrrr _match_portss   0 z-UFWRule.fuzzy_dst_match.._match_portsrz(No fuzzy match '%s (v6=%s)' '%s (v6=%s)'rz (direction) z (not incoming)rAz (forward does not match)rz (protocol) z(dport) r/z(dst) z ('%s' not in network '%s')z (interface) z (%s != %s)z %s does not existz(v6) z'(fuzzy match) '%s (v6=%s)' '%s (v6=%s)'rb)rcrIrr$rr%rrr" _is_anywhererrrWZ in_networkZget_ip_from_ifIOError)rdrergrfZif_iprrrfuzzy_dst_matchsl  !%!!3" !      0 " zUFWRule.fuzzy_dst_matchcCs |dks|dkrdSdS)zCheck if address is anywherez::/0z 0.0.0.0/0TFr)rrYrrrri"szUFWRule._is_anywherecCsd}|jdks$|jdkrd|j|j|j|jf}|jdkrzd|j|j|j|jf}n|jdkrd|j|j|j|jf}n|jdkr|d|j7}n|jdkr|d|j7}qn|S)a$Returns a tuple to identify an app rule. Tuple is: dapp dst sapp src or dport dst sapp src or dapp dst sport src All of these might have in_eth0 out_eth0 (or similar) if an interface is also defined. rz %s %s %s %sz in_%sz out_%s)rrrrrrr"r#)rZtuplrrr get_app_tuple(s "zUFWRule.get_app_tupleN)r r rrr r r3r4r,r&r(r'rUrVr)r*r]r^rEr+rarIrkrirlrrrrr)s.    C 5     # ; n r)rr=rLZufw.utilrrZ programNameZ state_dirZ share_dirZ trans_dirZ config_dirZ prefix_dirZ iptables_dirZ do_checksrMrrrrrrs