#fddZddlZddlZddlZddlZddlZddlZddlmZm Z ddl m Z m Z m Z mZmZmZddlZGddejjZdS)z-backend_iptables.py: iptables backend for ufwN)UFWErrorUFWRule)warndebugmsgcmdcmd_pipe _findpathceZdZdZddZdZdZdZddZd Z d Z d Z d Z d Z dZdZddZddZdZddZdZdZdZdS)UFWBackendIptableszInstance class for UFWBackendNcdtjjzdz|_||_||_i}t tjj|}tj |d|d<tj |d|d<tj |d|d<tj |d |d <tj |d |d <tj |d |d<tj t tjj |d|d<tj j |d||||ggggd|_dD]}d}|dkr!|r||z }n|dkr+dD]1}dD],} |d|d| } |j|| -2|jd|dz|jd|dzgd|_d|_d S)!z!UFWBackendIptables initializationz# z _comment #zufw/user.rulesruleszufw/before.rules before_ruleszufw/after.rules after_ruleszufw/user6.rulesrules6zufw/before6.rules before6_ruleszufw/after6.rules after6_ruleszufw-initinitiptables)rootdirdatadir)beforeuseraftermisc)46ufwr)rrrinputoutputforward-z -logging-rz -logging-denyz-logging-allow)-mlimit--limitz3/minute-jLOG --log-prefixz[UFW LIMIT BLOCK]N)rcommon programName comment_strrrr config_dirospathjoin state_dirbackend UFWBackend__init__chainsuse_ipv6appendufw_user_limit_logufw_user_limit_log_text) selfdryrunrrfilesr-ver chain_prefixloctargetchains 6/usr/lib/python3/dist-packages/ufw/backend_iptables.pyr4zUFWBackendIptables.__init__ s`#*"88<G  sz4g>> j2BCCg " Z9K L Ln!w||J8IJJm',,z3DEEh!#j:M!N!No " Z9K L Ln  Ysz/CW%M%M%/11f  ''j&%07 ( J J J"$R"bII  H HC Lczz==?? C'LLCZZ2 3 3<33F2>,,VVLEK$++E22223 K  & &|o'E F F F K  & &|6F'F G G G G#3#3#3(;$$$ctd}|jddkr|dz }n3|jddkr|dz }n|jddkr|dz }n|d z }|S) zGet current policyz New profiles:default_application_policyacceptz allowdropz denyrejectz rejectz skip)_defaults)r:rstrs rBget_default_application_policyz1UFWBackendIptables.get_default_application_policyPsy!! =5 6( B B H DD ]7 8F B B GODD ]7 8H D D I DD GOD rCc |jsI|dkr-|dkr'|dkr!td|z}t||dkr-|dkr'|dkr!td|z}t|d }|dkrd }n|dkrd }d }d }|dkr; ||jd d|zdn#t $rwxYwd}d}n{|dkr; ||jd d|zdn#t $rwxYwd}d}n: ||jd d|zdn#t $rwxYwd}d}t jd |z}|jd|jdfD]} tj |} n#t $rwxYw| d} | dD]l} | | r5tj | | || Ltj | | m tj | #t $rwxYwtd||dz} | tdz } | S)zSets default policy of firewallallowdenyrHzUnsupported policy '%s'incomingoutgoingroutedz%Unsupported policy for direction '%s'INPUTOUTPUTFORWARDrJzDEFAULT_%s_POLICYz"ACCEPT"z UFW BLOCKz UFW ALLOWz"REJECT"z"DROP"rrtmporigz5Default %(direction)s policy changed to '%(policy)s' ) directionpolicyz*(be sure to update your rules accordingly))r;rIr set_defaultr< Exceptionrecompilerutil open_filessearch write_to_filesub close_files) r:rZrYerr_msgrA old_log_str new_log_strpatffnsfdlinerKs rBset_default_policyz%UFWBackendIptables.set_default_policy^sV{A   Vv%5%5&H:L:L566&Aw'''J&&9 +B+BH$$CDD&(w'''EJ&& h&&!KK  $$TZ %;,?5,I,8::::!) ) 8##$$TZ %;,?5,I,8::::!) ) $$TZ %;,?5,I,68888!) ) *S;.//Cj/N1KL  (--a00CC ZK99Dzz$''9..r377;3M3MNNNN..r48888H((---- IJJ )V<<> >??? s< %B33 B?%C44 D %D// D;6F F"#I Ic2 |jr)dtdz}|dtdzz }|S|gd}g}g}|dkr|dgd}gd}n|d krd D]2}|d |z|d |z3d D]2}|d |z|d |z3dD]2}|d|z|d|z3dD]}|d|zn|dkr7dD]2}|d|z|d|z3n|dkrdD]2}|d|z|d|z3|jddr*|d|d|jddr*|d|dn+|d kr6dD]2}|d!|z|d"|z3n|d#krdD]}|d$|z|d%|z|d&|z|d'|z|d(|z|d)|z|d*|d+|d,|d-d.|z}|D]}d/|vrB|d/\} }|d0| zz }t |jg|z|d| gz\} } nt |jg|z|gz\} } || z }|dkr|d1z }| d2krt||dks| r|d3z }|D]}d/|vrB|d/\} }|d0| zz }t |jg|z|d| gz\} } nt |j g|z|gz\} } || z }|dkr|d1z }| d2krt||S)4z'Show current running status of firewall> zChecking raw iptables zChecking raw ip6tables )-nz-vz-x-Lrawz-t)filternatmanglerr)rsrurrbuiltins)rSrUrTz filter:%s) PREROUTINGrSrUrT POSTROUTINGz mangle:%s)rwrTzraw:%s)rwrxrTznat:%sr)r r"r!z ufw-before-%szufw6-before-%sr ufw-user-%s ufw6-user-%sr%rzufw-user-limit-acceptufw-user-limitrzufw6-user-limit-acceptufw6-user-limitrz ufw-after-%sz ufw6-after-%sloggingzufw-before-logging-%szufw6-before-logging-%szufw-user-logging-%szufw6-user-logging-%szufw-after-logging-%szufw6-after-logging-%szufw-logging-allowzufw-logging-denyzufw6-logging-allowzufw6-logging-denyz IPV4 (%s): :z(%s)  rz IPV6: ) r;rIinitcapsr7capssplitrrrr6 ip6tables) r: rules_typeoutargsitemsitems6cbitrcrWs rBget_running_rawz"UFWBackendIptables.get_running_raws ; 4555C 4!6777 7CJ '''    KK   666E000FF : % %3 / / [1_--- kAo....% / / [1_--- kAo....- , , X\*** hl++++< + + X\**** + 8 # #3 4 4 _q0111 .23333 46 ! !3 2 2 ]Q./// nq01111y!#& / 4555 -...y!#& 1 6777 /000 7 " "3 3 3 ^a/000 o12222 39 $ $3 ; ; 4q8999 6:;;; 2Q6777 4q8999 3a7888 59:::: LL, - - - LL+ , , , MM. / / / MM- . . . + $ $AaxxAw!}$$ 6!T1 EFF SS$ 6! <== S 3JCU""t Qwwsmm#   $--//  = C ( (!88WWS\\FQ7a=(C #T]Od$:aq\$I J JIR #T^$4t$;qc$A B BIRs &&4KC77"3--' rCFc dd}|jr=dtdz}|r|dtdzz }|Std}dD]}t|jdd|zd g\}}|d krtd cS|d krt |d |zz|r6t|jdd|zd g\}}|d krt |dzd}d} d} |j|jz} d } i} | D]}d}i}d}d}|sH|j dks |j dkr2d}| }|| vrtd|zPd| |<dD]}d||<d}d}|dkr6|j }|s%|j dkr|j }|jr |dkr|dz }n=|j}n5|j}|s%|j dkr|j }|jr |dkr|dz }n|j}|dkr |dkr|||<|dkr||dkr|||<n||xxd|zz cc<|r#|jdkr||xxd|jzz cc<|r|dkrP|j dkrE||xxd|j zz cc<|jr|dkr||xxdz cc<||xxdz cc<|dkrP|j dkrE||xxd|j zz cc<|jr|dkr||xxdz cc<||xxdz cc<|dkr|dks|dkrad||<|rC|jdkr8|j |jkr(|j|jkr||xxd|jzz cc<|dkr||xxdz cc<nm|r3|jdkr(|j|jkr||xxd|jzz cc<n7|jr0|jdkr%|j dkrd||vr||xxdz cc<|jrT|dkr#|jdkr||xxd|jzz cc<|dkr#|jdkr||xxd|jzz cc<|dkr#|jdkr||xxd|jzz cc<|dkr#|jdkr||xxd|jzz cc<g}d}|js|jd kr|jr,||j|r%|jd kr||jt5|d krd!d"|z}|r|d#| zz }|j}|jrd$}|jd%kr |js|s|sd}d}|jdkrd&|z}||dd'dd|j|gd(|dd'||d)z }|r||z }n#|jr| |z } n|jd kr| |z } n||z }| d z } |dks | dks| dkrd*}|r|d+z }td,}td-}td.}d/}||||fz}|r|d+z }||d0t5|zd0t5|zd0t5|zfzz }||z }|dkr||z }|dkr| dkr|td)z }| dkr|| z }|dkr| dkr|td)z }| dkr|| z }|}|r| \} }!td1|!|!d2|!d3dd4z}"|"}#td5|!|"|#|d6zStd7|zS)8zShow ufw managed rulesrVrozChecking iptables zChecking ip6tables problem runningrrqryrpzStatus: inactiverz iptables: %s rz ip6tablesTFzSkipping found tuple '%s')dstsrcrz::/0 (v6)z 0.0.0.0/0any /z (%s)rAnywherez on %srz (%s)z, z[%2d] FWDinz # %s2612rz z ToFromActionz%-26s %-12s%s r#zCDefault: %(in)s (incoming), %(out)s (outgoing), %(routed)s (routed)r!r")rrrRz0Status: active %(log)s %(pol)s %(app)s%(status)s)logpolappstatuszStatus: active%s)#r;rIr6rrrrrrdappsapp get_app_tuplerrv6dportrsportprotocolr" interface_in interface_outlogtyperYlowerr7lenr0uppercomment get_commentaction get_loglevel_get_default_policyrL)$r:verbose show_countrrerYrout6sstr_outstr_rtercount app_rulesrtmp_strlocationtupl show_protor?portrWattribs attrib_strdir_strr,full_strstr_tostr_from str_actionrules_header_fmt rules_headerlevel logging_str policy_strapp_policy_strs$ rB get_statuszUFWBackendIptables.get_statuss  ; 0111C}} 8ta 67777J%&&7 ; ;IT]D)Y7?@@IRQww+,,,,,qw):c)BBCCC}} ; $.$!/9!=t"EFF T77"7\#9:::  T[( T T AGHDJ +" " " ((9$$5>???&*IdO'X FX F " %<<%C"'qv|| v4,C6MM GOD w%C"'qv|| v4,C6MM GOD w+%%#--$'HSM5==}**(,   t3 !:ajE&9&9  qz)99  1%<>MMM t9v (  8 $SMMMS0MMM%<>MMM t9v (  8 $SMMMS0MMM5==k))SF]](2 &>!**=*=5AE>>ag.@.@$SMMMS1:-==MMM&==$SMMMW4MMM&>!**=*=7ag--$SMMMS1:-==MMMT-aevoo!%6//hsm33SMMMW,MMM9 Fe||"(<(<  Q^)DD e||2(=(=  Q_)EE e||"(<(<  Q^)DD e||2(=(=  Q_)EE GJy @AK--//58896NN19??#4#45550!+"6"6NN1;///w<,>!?J .8u--k''))Gy {d""19"##-#KyB% 7 8E????03!(..:J:J:A:C1D1D1D1D080; = =G !W 9!w&GG[E))w&GGLA QJEE 77gmmw"}}H $G#tWWFyyH8J0 +vz8.LLL (' , 3v;;. 3z??2 3x==022 2L  $HBwwA Bww7b==AdGG#"}}G#Bww7b==AdGG#"}}G#A  /#'#4#4#6#6 UK122&*%=%=%?%?&*&>&>x&H&H)-)A)A)BF*H*HIIJJ"@@BBNJKK)*,;;< <'((A. .rCc|jr!tdtdzdSg}||jd|je|j^|d||j|d||j|dt|\}}|dkr!td |z}t|dS) zStop the firewallrorunning ufw-initrN --rootdir --datadirz force-stoprproblem running ufw-init %s) r;rrIr7r<rrrrr:rrrres rB stop_firewallz UFWBackendIptables.stop_firewalls ; ( q+,,, - - - - -D KK 6* + + +|'DL,D K((( DL))) K((( DL))) KK % % %D IRQww:S@AAw'''wrCc|jr!tdtdzdSg}||jd|je|j^|d||j|d||j|dt|\}}|dkr!td |z}t|d |j vs3|j d t|j vrD | d dS#t$rtd }t|wxYw ||j d dS#t$rtd }t|wxYw)zStart the firewallrorrNrrstartrrloglevellowzCould not set LOGLEVELzCould not load logging rules)r;rrIr7r<rrrrrJlist loglevelskeys set_loglevelr\update_loggingrs rBstart_firewallz!UFWBackendIptables.start_firewalls ; , q+,,, - - - - -D KK 6* + + +|'DL,D K((( DL))) K((( DL))) KK D IRQww:S@AAw'''..}Z(T^5H5H5J5J0K0KKK,%%e,,,,, ,,, 899G"7+++,,'' j(ABBBBB ,,, >??G"7+++,sE)F F(()GcJ|jrdS|d}|j}|r d}|j}dD]n}|dks|dkr,|r|jdds$|s|jdds:t |d d |d z|zg\}}|d krt d dSodS)zCheck if all chains existFrufw6)r r!r"r% limit-acceptr%rrrrprq-user-rz_need_reload: forcing reloadT)r;rrrrrr)r:rprefixexerArrs rB _need_reloadzUFWBackendIptables._need_reloads ; 5 m  !F.CN  E5N#:#:di05DIg$6s$;S$fx.?%.GHIIIRQww4555tturCctd}|jr6td|rtddSdS|r |jdD]2}||d|g||d|g3n#t$rt|wxYwtd|j dg|j d g\}}|d krt|d z|rAtd|j d g|j d g\}}|d krt|d zdSdSdS)zReload firewall rules filerz> | iptables-restorez> | ip6tables-restorer-F-Zcatrrprz iptablesrrN) rIr;rr6 is_enabledr5 _chain_cmdr\rr r<iptables_restoreip6tables_restore)r:rerrrs rB_reload_user_rulesz%UFWBackendIptables._reload_user_rules:s%&& ; ; & ' ' '}} -+,,,,, - - __   ; (V,22AOOAay111OOAay11112 ( ( (w''' (!%G)@@IRQwww4555}} ;$eTZ-A%B&*&||d|d|n)||d|||d|n?||d|n||tjd}tjd } tjd } d } t |D]{\} } || r_|d | }|d krd}n|dkrd}nd}| d|d}| | sd|z}|d| || <|| |d|zdz|z| || | d|zdz|z|d| || | d|zdz|z|d|z| }tjd}t |D]\} } || r|d| }|d|zdz| }|d|zd z| }||| <|| ||| ||S)!z5Return list of iptables rules appropriate for sendingz-p all zport z-j (REJECT(_log(-all)?)?)z-p tcp z-j \1 --reject-with tcp-resetz-p udp rVz(.*)-j ([A-Z]+)_log(-all)?(.*)z-j [A-Z]+_log-allz(-A|-D) ([a-zA-Z0-9\-]+)z'-m limit --limit 3/min --limit-burst 10\2rFALLOWr%LIMITBLOCKz -j LOG --log-prefix "[UFW ] "z-m conntrack --ctstate NEW z \1-j \2\4z\1-j z-user-logging-z\1 z \1-j RETURN\1z -j LIMITz+ -m conntrack --ctstate NEW -m recent --setzL -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j z -user-limitz -j z-user-limit-accept) r]r^rar7rc enumeratestriprinsert)r:frulersuffixsnippets pat_protopat_port pat_rejectpat_log pat_logall pat_chain limit_argsrrrZlstr pat_limittmp1tmp2tmp3s rB_get_rules_from_formattedz,UFWBackendIptables._get_rules_from_formattedVsJz** :h''Z <==   E " " #u%% :$$U++EOOIMM)"'G% % !!!!OOIMM)U$C$CDDD i ? ?@@@@ b% 8 89999 OOE " " "*>??Z 455 J:;; > h'' P PDAq~~a   P UA..4466<<>>X--$FF\\^^w..$FF$F?Izzvv!((++@84?D%kk,:: 7;;x&/@/?0@BH0IJK$M$MNNN9==&1A2BDJ2K18^122424$5$56669==&1A2BDJ2K18UT\11M1M$O$OPPP J|,, h'' ) )DAq"" ) }}%R%&(( }}&,.4&57D&EFGII!}}Vf_7K%KQOO" 4(((4(((rCcRg}||||}tjd}t|D]\}}||d|||r||d|||d|dd||xx|d|z cc<|S)z_Return list of iptables rules appropriate for sending as arguments to cmd() z(.*) --log-prefix (".* ")(.*)rr)r"rVz\3) rr]r^rr7rcrmatchreplace) r:rrrr str_snippetsrhrrs rB_get_lists_from_formattedz,UFWBackendIptables._get_lists_from_formatteds55eVVLL j9::l++ 9 9DAq OOCGGE1--3355 6 6 6yy|| 9 "">222 ""3775!#4#4#<#>#/#6#6s2w#?#?$2#0#7#7B#@#@$2 ),B c(:(:1(=(G(G(L(LQ(O%1),B c(:(:1(=(G(G(L(LQ(O%2M%(W%7%7%>%>!-36r73D3DS3I3I!3LLL%(W%7%7%?%?!-47G4E4Ec4J4J14MMM$(JJJ$,%%(VF&+G"f}}*.)/c):):1)="3xx!||'.vs1vs1vs1v/21vs1vug/6(8(8(/vs1vs1vs1v/21vs1vug/6(8(8-/Ju,=,= #&q6S==09 c3q60J0JDI#&q6S==09 c3q60J0JDI+r11 $ 2 24 F F F,22 $ 2 25- H H H'%%%'()G'H'H)-(/H NNN$H %  8 444 KK--- K..t4444 KK... J--d333 JJLLLL{] ] s A)),BER$$+SSc|jd}|r |jd}tj|tjs!t d|z}t | t j|}n#t$rwxYw| d}|j }|r d}|j }|j rtj}n|d}t j|dt j|d|zd zt j|d|zd zt j|d|zd zt j|d|zd zt j|d|zd zt j|d|zdzt j|d|zdzt j|d|zdzt j|d|zdzt j|d|zdzt j|d|zdzt j|d|zdzt j|d|zdzt j|d|zdz|dkr|jdds|dkr_|jddrLt j|d|zdzt j|d|zdzt j|d|D]t}|j} |jr d|jz} |jdkr | d|jzz } d} |jdkr|jdkr|j} n]|jdkr|jdkrd |jd!|j} n4|jdkr| |jd|jz } n| |jd|jz } |jdkrw|jdkrld"| d#|jd#|jd#|jd#|jd#|jd#| } |j dkr | d$|j zz } t j|| d%zntCj"d#} d&} |jr| #d'|j} d&}|jr| #d'|j}d"| d#|jd#|jd#|jd#|jd#|jd#| d#|d#| } |j dkr | d$|j zz } t j|| d%zd(}|jrd)}n |jd*krd+}|d,|}d-|d#|$d%}|%|||D]"}t j||#vt j|d.t j|d/ |&|j'd0}n#t$rwxYw|D]\}}}tQ|d1kr |d1d2kr&|)|d&zr^t j|d#*|+d3d4+d5d6d%zt j|d7|dkr|jdds|dkr|jddrt j|d8|j'd0d9krOt j|d-|zd:zd#*|j,zd;z|j-zdzt j|d?t j|d@ |j r"t j.|dAdBSt j.|dBS#t$rwxYw)Cz.Write out new rules to file to user chain filerrz'%s' is not writablerrrWz*filter r~z-user-input - [0:0] z-user-output - [0:0] z-user-forward - [0:0] z-before-logging-input - [0:0] z-before-logging-output - [0:0] z -before-logging-forward - [0:0] z-user-logging-input - [0:0] z-user-logging-output - [0:0] z-user-logging-forward - [0:0] z-after-logging-input - [0:0] z-after-logging-output - [0:0] z-after-logging-forward - [0:0] z-logging-deny - [0:0] z-logging-allow - [0:0] r%rrz-user-limit - [0:0] z-user-limit-accept - [0:0] z### RULES ### zroute:rVrIrz!out_z ### tuple ### rz comment=%srr#r"r r"rr!rz-A z ### END RULES ### z ### LOGGING ### rr-D[z"[z] rz### END LOGGING ### z ### RATE LIMITING ### offz -user-limit z "z " z-user-limit -j REJECT z-user-limit-accept -j ACCEPT z### END RATE LIMITING ### zCOMMIT FN)/r<r.accessW_OKrIrrr_r`r\rrrr;sysstdoutfilenorbrrr"rrrrYrrrrrrrrr]r^rc format_ruler_get_logging_rulesrJrr%r0rr8r9rd)r:r rules_filererjr>rrkrrifaceststrr2rr chain_suffixrArule_strrlrules_trqs rB _write_ruleszUFWBackendIptables._write_ruless Z(  .H-JyRW-- $.*=>>G7## # (%%j11CC          !LKE ; ""$$BBUB r;/// r3#58O#OPPP r3#5)A$B C C C r3#5)B$C D D D r3#5)J$K L L L r3#5)K$L M M M r3#5)L$M N N N r3#5)H$I J J J r3#5)I$J K K K r3#5)J$K L L L r3#5)I$J K K K r3#5)J$K L L L r3#5)K$L M M M r3#5)B$C D D D r3#5)C$D E E E E ! !di&8&= ! F " "ty'9#'> " H " "2s\'9-D(E F F F H " "2s\'9-K(L M M M r#45553 .3 .AXFy -!AH,yB# /)F~##2(=(=2%%!/R*?*?*?+,>>>1??K>R''annEEFFaooFFFv||" ffajjj!'''1555!'''1555f9??MAI55D&&r4$;7777JsOO 68$==77D68$==77D AGGGQUUUAGGGQUUUdddFF,9??MAI55D&&r4$;777"Ly (( %%' $0LL,,?EE',uuammoooo>H33Hl4@BB . .&&r1---- . r#:;;; r#8999 ..t}Z/HIIHH       GAq!1vvzzaddll||L3.// &&rHHQKK''T22::4GG r#:;;; E ! !di&8&= ! F " "ty'9#'> " H " "2'B C C C}Z(E11&&r5%,&(6,7$"9::,;,"&!=,>AH,HIII H " "2u|';2(3 4 4 4 H " "2u|';9(: ; ; ; H " "2'D E E E r:... { *$$S%00000$$S)))))     s*A>> B . Z Z'c&c&& c2Tc|d}|jrh|std}t ||jdkr*|jddstd|jzSn5|jdkr*|jddstd|jzS|jr4|jdkr)|jd krtd }t |g}d }d }|j }|j } |jr7|j d kr%|j dks |j dkrtd S|j}| dks| t|kr!td| z}t || dkr%|jrtd}t | |n#t$$rwxYwd} d } d} d} |D]} |n#t$$rwxYw|j|j|j |j f}| | krm| ddkr| ddkr| dks|ddkr |ddks| |kr,d} ||d} n| dz } |} | dz } t/j||}|dkr| dz } |dkr6|s4| s2d}|js'|||dkr|jr|jdkrd}4|dkr6|js/| s-d}d}||p||| r$| dkrtd}|jr|dz }|Sn|s.|js'|||s+|jr$|jstd}|jr|dz }|S|r&|js|std}|jr|dz }|S|jr||_n||_ ||jn8#t$rt$$r!td}t |YnwxYwtd}|jrtd}|r|jsd}|s||js| rod}| r|tdz }n|tdz }|jr|dz }|r% |n#t$$rwxYw|td z }n|ra|jrZd!}td"}|jr|dz }|r( |n#t$$rwxYwd}n/|td z }n|s|s|jsd#}td$}|dkr|j}d%}|jr|j }d&}|dz }d'}|j!rd(}n |j"d)krd*}|d+|}td,}tG|d-|d.g\}}|dkrt ||d/|d/|$}tKj&d0}|'|||D]}tG|g|z\}}|dkr)tQ|tRj*t ||d#kr|+d/,|rX|-d1d/,|}tG|d!|d2d3g\}}|dkrt]d4|z|S)5aXUpdates firewall with rule by: * appending the rule to the chain if new rule and firewall enabled * deleting the rule from the chain if found and firewall enabled * inserting the rule if possible and firewall enabled * updating user rules file * reloading the user rules file if rule is modified rVz)Adding IPv6 rule failed: IPv6 not enabledr%rz#Skipping unsupported IPv6 '%s' rulerz#Skipping unsupported IPv4 '%s' ruleudptcpz/Must specify 'tcp' or 'udp' with multiple portsFz1.4z:Skipping IPv6 application rule. Need at least iptables 1.4rzInvalid position '%d'z Cannot specify insert and deleter)rVrVrVrVrrTz Skipping inserting existing rulerz"Could not delete non-existent rulezSkipping adding existing rulezCouldn't update rules filez Rules updatedzRules updated (v6)z Rule insertedz Rule updatedz (skipped reloading firewall)r6z Rule deleted-Az Rule addedrrr r"rr!r!Could not update running firewallrqrprz(-A +)(ufw6?-user-[a-z\-]+)(.*)rr'RETURNzFAILOK: -D %s -j RETURN)/rrr6rIrrrmultirrpositioniptables_versionrrrrremove normalizer\rrr7dup_rulerrrr;rGrrrrrr"rYrr>r]r^rrr;stderrrar0rcr)r:r1 allow_reloadrKrenewrulesfoundmodifiedrrPrinsertedmatcheslastrcurrentretflagrr>rCrArrrDrrrs rBset_rulezUFWBackendIptables.set_rules  7 P==?? (GHHw'''{g%%di.@.E%>??4;OO{g%%di.@.E%>??4;OO : $$-500T]e5K5KIJJG7## # = 7 $u,,$)r//26)r//UVVVKE a<<8c%jj00/00H=G7## # a<>7$GOD  t{ 8 8997$GOD 7 ""DKK!DJ    dg & & & &       455G W       !! 7 +)**D ??  J CT[J CD# '4,,TW55# '# '.Ao...DDAn---D7$GOD?//1111$A=>>>DD '4; '((7$GOD?//1111$DDA=>>>DD '8 'DK 'rzzm$ 7$.C#)LGOD& <,#,LL^u,,#+L(4 llC?@@dE4 899 S77"7+++)-uuud6F6F6H6H6HI*%GHH778D8DFF C CA!$SEAIIRQwwC,,, )))t||sxx{{(C(C|#KKsxx{{;;$'dAtX(F$G$G S77!";q"ABBB sB.G G G55 H%Q2Q54Q5T'' T32V Vcg}g}|r|j}n|j}|}||||}|D]Y}|}||} | |kr||Z|S)z@Return a list of UFWRules from the system based on template rule)rrrTr'rSrr7) r:templaterrrnormrrrW tmp_tuples rBget_app_rules_from_systemz,UFWBackendIptables.get_app_rules_from_systems  KEEJE  "" B !!## & &A**,,C MMOOO))++ID    %%%rCc|j}|dr|j}t|g|z\}}|dkr7t d|z}|rt d|zdSt |dS)zPerform command on chainrrzCould not perform '%s'zFAILOK: N)rr%rrrIrr)r:rArfail_okrrrres rBrzUFWBackendIptables._chain_cmdsm   F # # !.C %% S 770D9::G (j7*+++++w''' 7rCc|jrdS|g} ||}n#t$rwxYw |d|dn8#t $rt$r!t d}t |YnwxYw|sdSt d}|jd|jdz|jd z|jd zD]9} | |d |d g#t$rt |wxYw |jd|jd z|jd zD]2}| |d |g| |d|g3n#t$rt |wxYw|D]\}}}d}t|dkr|ddkrd} |dkr7t|dkr$| |dg|ddzd| |||#t$rt |wxYwdD]}|j ddr|dks|j ddrs|dkrm| |d|g|j z|j dzgzd|jddkr.| |d|g|j z|j dzgzddS)z#Update loglevel of running firewallNF)rTz&Couldn't update rules file for loggingrMrrrrrqrprrrr6 delete_firstr)rg)r{r|r%rr{rr|rrr8-I)r;rr?r\rGrrIrr5rrrr8r9rJ) r:rrules_trerrrFrgrAs rBrz!UFWBackendIptables.update_loggings ;  F  --e44GG           ' ' '     & & & &       @AAG W           F788X&V)<< ;w  "&+f"56 ( (A (D!T?3333 ( ( (w''' ( $[*T[-AA{6"# . .D!9---D!9---- . $ $ $7## # $ ( (GAq!G1vvzzaddll (&&3q66A::OOAv!""~tODDD1g.... ( ( (w''' ( ; 2 2E '"3' 2E5E,E,E '"3'-F,15F,F,Fe} $ 7(8!%!=!C D(E)- ...=,55OOED%=$($;,<%)%AC%G$H,I-1$222 2 2sA7 A,A442B)(B) D%%D?AF F:)AH>>IcJg}|t|jvr!td|z}t ||dkr.|jdD]}||d|ddgdg|S|jdD]}||d|ddgd ggd }|j||jd krg}|j||jd kr|}|jd D]}dD]}||r||dks||dkr$d}||d|ddd|g|zd gm|j||jdkr#d}||d|ddd|g|zd gg}|j||jd kr|}|jdD]}|drd}n||drgd}|j||jdkr$||d|ddddddg|zd gn%||d|ddddddddg |zd g||d|ddd|g|zd g|j||jdkrvg}|j||jdkr|}|j||jd krgd|z}d }|jd!D]#}||d|ddd|g|zd g$|S)"z%Get rules for specified logging levelzInvalid log level '%s'r8rrjr'rNrir6rV)r$r%r&z3/minz --limit-burst10rhighrrrHrOz [UFW BLOCK] rLr(r)mediumz [UFW ALLOW] rrNr$ conntrack --ctstateINVALIDz[UFW AUDIT INVALID] full)r$rprqNEWz [UFW AUDIT] r) rrrrIrr5r7endswithr) r:rrkrerrlargsrrs rBr?z%UFWBackendIptables._get_logging_rulessh T^002233 3 3011U;G7## # E>>[( O OD!T8#% DN5$9 9 9E~e$t~f'==="[) < <7 < 0H050679,;<<<<"^E2dnX6NNN%3F#NNAau0>0H050679,;<<< <E~e$t~f'==="[( J J::g&&4+FFZZ'' 4+F~e,t~h/GGGD!T;,7,0(,<>C,DEG(IJJJJ D!T;,7,0%,:,B ,D ). ,. 02 (3444 D!T5$2F$<>C$DEG IJJJJ >% DN8$< < <E~e$t~f'==="~e$t~f'===???*L#F[* J JD!T5$2F$<>C$DEG IJJJJrCc d}ttjj|j}g}|jD]}|j|ds#||j|tj |dtj |j|}tj |s!td|z}t|tjd}|D]I}|d|}tj |r!td|z}t|J|D]S}|d|}|tdtj ||d zz }tj||T|D]0}|d|}t'jtj |dtj |tj |t'j|| tj|} | t.j} n1#t2$r$td |z} t5| YwxYw| t.jzr|td |zz } | t.jzr|td |zz }2|S) zReset the firewallrVz.rulesrzCould not find '%s'. Abortingz %Y%m%d_%H%M%S.z'%s' already exists. Abortingz"Backing up '%(old)s' to '%(new)s' )oldnewzCouldn't stat '%s'zWARN: '%s' is world writablezWARN: '%s' is world readable)r rr* share_dirrr<rur7r.r/r0basenameisfilerIrtimestrftimeexistsrenameshutilcopydirnamecopymodestatST_MODEr\rS_IWOTHS_IROTH) r:resr{allfilesrfnreextrystatinfomoder3s rBresetzUFWBackendIptables.resethscj2DLAA  ( (A:a=))(33  OODJqM * * *i g..tz!}==??B7>>"%% (;<<Cw''' (mO,,  ( (AAAss#Bw~~b!! (;<<Cw''' (   AAAss#B 1:;;W--a00<<> >C Ia     ? ?AQQ$C K Y %'W%5%5a%8%8::** , , , OC # # # 71:: -   122a8X  dl" ?q788A>> $ ?q788A>> s&I**+JJ)NN)FF)F)T)__name__ __module__ __qualname____doc__r4rLrmrrrrrrrrr4rGr`rerrr?rrCrBr r sy''.;.;.;.;`   IIIV[[[zc/c/c/c/J((($,,,B8;;;8BBBH$cccJggggRccccJ0 ( ( ( (H2H2H2TXXXt88888rCr )rr.r]rrr;r~ ufw.commonrrufw.utilrrrrr r ufw.backendrr2r3r rrCrBrs33" ((((((((????????????????BBBBB/BBBBBrC