0fdXdZddlZddlZddlZddlmZdZdZdZeZ dZ dZ d Z d Z Gd d eZGd dZdS)z!common.py: common classes for ufwN)debugufwz/lib/ufwz/usr/share/ufwz/etcz/usrz /usr/sbinTceZdZdZdZdZdS)UFWErrorz$This class represents ufw exceptionsc||_dSN)value)selfr s ,/usr/lib/python3/dist-packages/ufw/common.py__init__zUFWError.__init__#s  c*t|jSr)reprr r s r __str__zUFWError.__str__&sDJr N)__name__ __module__ __qualname____doc__r rr r rr!s8..     r rceZdZdZ d!dZdZd Zd Zd Zd Z d"dZ dZ dZ dZ dZdZdZdZdZdZdZdZdZdZdZdZdZdZd S)#UFWRulez$This class represents firewall rulesany 0.0.0.0/0inFc d|_d|_d|_d|_d|_d|_d|_d|_d|_d|_ d|_ d|_ d|_ d|_ d|_d|_d|_||_d|_ ||||||||d|||||||| dS#t4$rwxYw)NFrrsrc)removeupdatedv6dstrdportsportprotocolmultidappsappactionpositionlogtype interface_in interface_out directionforwardcomment set_action set_protocolset_portset_srcset_dst set_direction set_commentr) r r)r%r#r"r$rr.r/r0s r r zUFWRule.__init__,sL               OOF # # #   h ' ' ' MM% MM% ' ' ' LL    LL      y ) ) )   W % % % % %     s B)D22 D>c*|Sr) format_rulers r rzUFWRule.__str__Os!!!r cd|z}t|j}||D]}|d|d|j|z }|S)zPrint rule to stdoutz'%s'z, =)list__dict__sort)r reskeysks r _get_attribzUFWRule._get_attribRs\oDM""  5 5A C4=#3#34 4CC r ct|j|j}|j|_|j|_|j|_|j|_|j|_|j|_|j |_ |j |_ |j |_ |j |_ |j |_ |j|_|j|_|j|_|j|_|j|_|j|_|S)zReturn a duplicate of a rule)rr)r%rr r!r"rr#r$r&r'r(r*r+r,r-r.r/r0)r rules r dup_rulezUFWRule.dup_rule[st{DM22k | '88Z Z Z I I   |  -!/| |  r cd}|jdkr |d|jzz }|jdkr |d|jzz }|jdkr|dz }n|d|jzz }|jrl|dz }|jdkr+|jdkr |d|jzz }|dz }|d |jzz }n1|jdkr|d|jzz }n|jdkr |d |jzz }|jd kr|jd kr |d |jzz }|js|jdkr |d |jzz }|jd kr|jd kr |d|jzz }|js|jdkr |d|jzz }d}|jdkr d|jz}|j dkr |d|zz }n@|j dkr|d|zz }|jdkr|dz }n|j dkr |d|zz }n|d|zz }|j dks |j dkrd}tj d}|j dkr!|d|d|j zz }|j dkr|j dkr|dz }|j dkr!|d|d|j zz }|d z }|d|zz }|S)!zFormat rule for later parsingrz -i %sz -o %srz -p allz -p z -m multiportz --dports z --sports r::/0z -d z --dport z -s z --sport _allowz -j ACCEPT%srejectz -j REJECT%stcpz --reject-with tcp-resetlimitz -j LIMIT%sz -j DROP%sz-m comment --comment ' dapp_z%20,sapp_')r,r-r%r&r#r$r"rr+r)r'r(recompilesubstrip)r rule_strlstrr0 pat_spaces r r9zUFWRule.format_rulers    " " D$56 6H   # # D$67 7H =E ! !  !HH . .Hz :O+:&&4:+>+> tz 99H/H tz 99HHZ5(( tz 99HHZ5(( tz 99H 8{ " "tx6'9'9 ) )Hz 1djE11  dj0 0H 8{ " "tx6'9'9 ) )Hz 1djE11  dj0 0H <2  %D ;' ! ! $/ /HH [H $ $ $/ /H}%%66 [G # #  . .HH  - -H 9??di2oo.G 3IyB7Y]]5$)%D%DDDyB49??3yB7Y]]5$)%D%DDD sNG g %H~~r c*|d}|ddks|ddks |ddkr|d|_nd|_d}t|dkr|d}||d S) zSets action of the rulerHrrIrJrLdenyrN)lowersplitr)len set_logtype)r r)tmpr+s r r1zUFWRule.set_actionsllnn""3'' q6W  A( 2 2c!f6G6Ga&DKK DK s88a<<!fG !!!!!r r"ctd|z}|dkrn@|dkr |jrn1|dkr |jrn"tjd|stjd|rt ||d|dzd krt ||d}t|d krd |_ d }|D]t}tjd |rd |_ |d}|D]7}t|d kst|dkrt |8t|dt|d krt |ntjd|r6t|d kst|dkrt |nWtjd|r3 tj |}n,#t$rt |wxYwt ||r|dt|zz }et|}v|}|dkrt||_dSt||_dS)z:Sets port and location (destination or source) of the rulez Bad port '%s'rr"rz^[,:]z[,:]$rO:r[Trz ^\d+:\d+$irz^\d+$z ^\w[\w\-]+N)rHr'r(rRmatchrcountr]r^r&intsocket getservbyname Exceptionstrr$r#) r portlocerr_msgportsr`pranqs r r3zUFWRule.set_portsO$$- 5==  E\\di\  E\\di\  Xh % %% (D)A)A% 7## #jjoo 3/2 5 57## #JJsOOE5zzA~~! C ! !8L!,,,!%DJ''#,,C 44q66A::Q%"*7"3"33*83q6{{c#a&kk11&w///2Xgq)) ,1vvzzSVVe^^&w///&4XmQ//,0"033$000&w///0#7+++!3Q<'CCa&&CCD %<<TDJJJTDJJJs .HHc|tjjdgzvr ||_dSt d|z}t |)zSets protocol of the rulerzUnsupported protocol '%s'N)rutilsupported_protocolsr%rHr)r r%rms r r2zUFWRule.set_protocolsE sx3ug= = =$DMMM344AG7## #r cH|jrN|jr|jdks |jdkrd|_|jr|jdks |jdkr d|_dSdSdS|jr|jdks |jdkrd|_|jr|jdks |jdkr d|_dSdSdS)zAdjusts src and dst based on v6rrrGN)r!r"rrs r _fix_anywherezUFWRule._fix_anywheres 7 'x "TX..$(k2I2I!x "TX..$(k2I2I! " "2I2Ix 'TX..$(f2D2D&x 'TX..$(f2D2D& ' '2D2Dr c<||_|dS)zXSets whether this is ipv6 rule, and adjusts src and dst accordingly. N)r!rv)r r!s r set_v6zUFWRule.set_v6 s# r c|}|dkr>tj|dst d}t |||_|dS)zSets source address of rulerzBad source addressN)r\rrs valid_addressrHrrrvr addrr`rms r r4zUFWRule.set_srcsijjll %<< 6 6sE B B<,--G7## # r c|}|dkr>tj|dst d}t |||_|dS)z Sets destination address of rulerzBad destination addressN)r\rrsrzrHrr"rvr{s r r5zUFWRule.set_dstsijjll %<< 6 6sE B B<122G7## # r cB|dkr$|dkrtd}t|dt|vrtd}t|dt|vrtd}t|t|dkst|d krtd }t|tt|d krtd }t|tt|d krtd}t|t jdt|std}t||dkr ||_dS||_dS)zSets an interface for ruleroutzBad interface type!z+Bad interface name: reserved character: '!'rbz/Bad interface name: can't use interface aliases.z..z)Bad interface name: can't use '.' or '..'rz+Bad interface name: interface name is emptyz+Bad interface name: interface name too longz^[a-zA-Z0-9_\-\.\+,=%@]+$zBad interface nameN)rHrrjr^rRrdr,r-)r if_typenamerms r set_interfacezUFWRule.set_interface's d??w%//,--G7## # #d))  EFFG7## # #d))  IJJG7## # t99  s4yyD00CDDG7## # D NNa  EFFG7## # D NNR  EFFG7## #x4c$ii@@ $,--G7## # d?? $D   !%D   r ct|dkrCtjdt|s!td|z}t |t ||_dS)zSets the position of the rulez-1z^[0-9]+z,Insert position '%s' is not a valid positionN)rjrRrdrHrrfr*)r numrms r set_positionzUFWRule.set_positionWs^ s88t  BHZS$B$B FGG3OG7## #C r c|dks|dks|dkr||_dStd|z}t|)zSets logtype of the rulelogzlog-allrzInvalid log type '%s'N)r\r+rHr)r r+rms r r_zUFWRule.set_logtypeasd ==??e # #w}})'C'C b=="==??DLLL/00G)A';2B..)Cc |r|std|d|d}|j|jkrt|dS|j|jkrt|dS|j|jkrt|dS|j|jkrt|dS|j|jkrt|dS|j|jkrt|dS|j|jkrt|dS|j |j krt|dS|j |j krt|dS|j |j krt|dS|j |j krt|dS|j |j krt|dS|j|jkr@|j|jkr0|j|jkr t#d}t|dS|j|jkr@|j|jkr0|j|jkr t#d}t|dSt#d |j|j|j|j|j|jd z}t|d S) zCheck if rules match Return codes: 0 match 1 no match -1 match all but action, log-type and/or comment -2 match all but comment z No match 'z' 'rQr[zFound exact matchrz$Found exact match, excepting commentzZFound non-action/non-logtype/comment match (%(xa)s/%(ya)s/'%(xc)s' %(xl)s/%(yl)s/'%(yc)s'))xayaxlylxcyc) ValueErrorr#rr$r%rr"r!r'r(r,r-r.r/r)r+r0rH)xydbg_msgs r rdz UFWRule.matchs  ,,  +,!!QQQ/ 7ag   'NNN1 7ag   'NNN1 : # # 'NNN1 5AE>> 'NNN1 5AE>> 'NNN1 414<< 'NNN1 6QV   'NNN1 6QV   'NNN1 >Q^ + + 'NNN1 ?ao - - 'NNN1 ;!+ % % 'NNN1 9 ! ! 'NNN1 8qx  AI$:$: QY&&+,,G 'NNN1 8qx  AI$:$: QY&&>??G 'NNN2FGGHAHIQYIQY889 grr c d}|r|st||dkrdSd|d|jd|d|jd }|jdkrt d|zd zd S|j|jkrt |d zd S|j|jkr|jd krt d |zd S|jd kr*||j|jst d|zd S|jdkr|jdkr| |j rn|j |j krd|j vrt d|zd S|j |j krqd|j vrh|j|jkrXtj |j |j |js(t d|zd|j d|j dzd SnF|jdkr8|j|jkr(t d|zd|jd|jdzd S tj |j|j}n.#t$r!t d|zd|jzzYd SwxYw|j |kr,d|j vr#t d|zd|j d|dzd S|j |krgd|j vr^|j|jkrNtj ||j |js#t d|zd|d|j dzd S|j|jkr(t d|zd|j d|j dzd St d|d|jd|d|jd dS)aThis will match if x is more specific than y. Eg, for protocol if x is tcp and y is all or for address if y is a network and x is a subset of y (where x is either an address or network). Returns: 0 match 1 no match -1 fuzzy match This is a fuzzy destination match, so source ports or addresses are not considered, and (currently) only incoming. c*d|vsd|vr ||krdSdS|dD]j}||krdSd|vr[|d\}}t|t|kr#t|t|krdSkdS)z:Returns True if p is an exact match or within a multi rulerOrbTF)r]rf)test_pto_matchrklowhighs r _match_portsz-UFWRule.fuzzy_dst_match.._match_portssf}}v X%%4u s++ $ $T>>44$;;"&**S//KS$6{{c#hh..3v;;#d))3K3K#tt5r rzNo fuzzy match 'z (v6=z)' 'z)'rz (direction) z (not incoming)r[z (forward does not match)rz (protocol) z(dport) r/z(dst) z ('z' not in network 'z')z (interface) z (z != )z %s does not existz(v6) z(fuzzy match) 'r)rrdr!r.rr/r%r#r, _is_anywherer"rrs in_networkget_ip_from_ifIOError)rrrrif_ips r fuzzy_dst_matchzUFWRule.fuzzy_dst_matchs,   "  ,,  771::??1 AAqtttQQQ& ;$   .7*->> ? ? ?1 9 ! ! '77 8 8 81 : # # e(;(; -') * * *1 7e  LL!'$B$B  *w& ' ' '1 >R  ~##qu(=(=#!%Cqu$4$4h()))q!%C15LLQTQT\\8&&quaeQT::6Bh((uuuaeee,%%&&&q ~##!.(H(Hnw..~~~q~~~277888q //EE   nw.1E~2''(((qq  u~~#QU"2"2nw..uuueee2%%&&&q%C15LLQTQT\\8&&uaeQT::6Bnw..7>T[004ur cd}|jdks |jdkr|jd|jd|jd|j}|jdkr!|jd|jd|jd|j}|jdkr!|jd|jd|jd|j}|jdkr|jdkr|d|jzz }n0|jdkr |d|jzz }|jdkr |d|jzz }|S)aReturns a tuple to identify an app rule. Tuple is: dapp dst sapp src direction_iface|direction or dport dst sapp src direction_iface|direction or dapp dst sport src direction_iface|direction where direction_iface is of form 'in_eth0', 'out_eth0' or 'in_eth0 out_eth0' (ie, both interfaces used). If no interfaces are specified, then tuple ends with the direction instead. rrMz %sz in_%sz out_%s) r'r(r"rr#r$r,r-r.)r tupls r get_app_tuplezUFWRule.get_app_tupleTs 9??di2oo$(IIItxxxDHHMDyB(, DHHHdiii)-3yB(, 4888TZZZ)-3 B&&4+=+C+C00$**H(9::D%++I);<>!],w''' 8 7&9&9r N)rrrrrFr)r")rrrrr rrBrEr9r1r3r2rvrxr4r5rrr_r6rr7rrdrrrrrr r rr*s..:EGL!!!!F""".A A A F " " "3#3#3#3#j$$$ ' ' '.&.&.&`!!!$$$$$$111!)!)!)FAAAFlll\   D(((((r r)rrRrgufw.utilrr programName state_dir share_dir trans_dir config_dir prefix_dir iptables_dir do_checksrirrrr r rs''"              y   ` (` (` (` (` (` (` (` (` (` (r