#fddZddlZddlZddlZddlmZddlZddlmZm Z m Z ddl m Z ddl ZdZdZGdd ZdS) z'frontend.py: frontend interface for ufwN)UFWError)errorwarnmsg)UFWBackendIptablescXtj}dD]4}|tj|5dD]4}|tj|5dD]4}|tj|5dD]4}|tj|5dD]4}|tj|5dD]4}|tj |5gd}|D]f}|tj ||tj |gt|dkrd }|| d krd}|| d krP|| d kr2|| |vr||d t|dksd |vr2t|dkrtddt! ||d d}nI#t$$r!}td|jzYd}~n#d}~wt($rtddwxYw|S)zEParse command. Returns tuple for action, rule, ip_version and dryrun.) enabledisablehelpz--helpz-hversionz --versionreloadreset)listinfodefaultupdate)onofflowmediumhighfull)allowdenyreject)Nverbosenumbered)rawz before-rulesz user-rulesz after-rulesz logging-rulesbuiltins listeningadded)rlimitrrinsertdeleteprepend --dry-runrrouteruleznot enough argsF)do_exitNz%szInvalid syntax)ufwparser UFWParserregister_commandUFWCommandBasic UFWCommandAppUFWCommandLoggingUFWCommandDefaultUFWCommandStatusUFWCommandShowUFWCommandRuleUFWCommandRouteRulelenlowerr#r ValueError parse_commandrvalue Exception)argvpi rule_commandsidxpres ./usr/lib/python3/dist-packages/ufw/frontend.pyr<r<s> A  : : 3:55a889999388 3:33A667777<<< 3:77::;;;;)<< 3:77::;;;;+;; 3:66q99::::A99 3:44Q778888   M >> 3:44Q77888 3:99!<<==== 4yy1}} 9??   + +C 9??   ) ) 9??   ' ' 9??   - - KKV $ $ $ 4yy1}},,TQ ////ll __T!""X & &     dag  ....  IsK!! L'+L L'c tdidtjjddddddddd d d d d dddddddddddddddddddid d!d"d#d$d%d&d'd(d(d)d)d*d*d+d,d-d.d/d0d1d2d3d3d4d5d6d7d8d9d:d;dd?iz}|S)@zPrint help messagea+ Usage: %(progname)s %(command)s %(commands)s: %(enable)-31s enables the firewall %(disable)-31s disables the firewall %(default)-31s set default policy %(logging)-31s set logging to %(level)s %(allow)-31s add allow %(rule)s %(deny)-31s add deny %(rule)s %(reject)-31s add reject %(rule)s %(limit)-31s add limit %(rule)s %(delete)-31s delete %(urule)s %(insert)-31s insert %(urule)s at %(number)s %(prepend)-31s prepend %(urule)s %(route)-31s add route %(urule)s %(route-delete)-31s delete route %(urule)s %(route-insert)-31s insert route %(urule)s at %(number)s %(reload)-31s reload firewall %(reset)-31s reset firewall %(status)-31s show firewall status %(statusnum)-31s show firewall status as numbered list of %(rules)s %(statusverbose)-31s show verbose firewall status %(show)-31s show firewall report %(version)-31s display version information %(appcommands)s: %(applist)-31s list application profiles %(appinfo)-31s show information on %(profile)s %(appupdate)-31s update %(profile)s %(appdefault)-31s set default application policy prognamecommandCOMMANDcommandsCommandsr r rz default ARGloggingz logging LEVELlevelLEVELrz allow ARGSr*rz deny ARGSrz reject ARGSr"z limit ARGSr$zdelete RULE|NUMuruleRULEr#zinsert NUM RULEr%z prepend RULEr)z route RULEz route-deletezroute delete RULE|NUMz route-insertzroute insert NUM RULEnumberNUMr rstatus statusnumzstatus numberedrulesRULES statusverbosezstatus verboseshowzshow ARGr appcommandszApplication profile commandsapplistzapp listappinfozapp info PROFILEprofilePROFILE appupdatezapp update PROFILE appdefaultzapp default ARG)_r-common programName)help_msgs rFget_command_helprees>"* CJ*"* I"* Z"* 8"* I "* M "* O "* '"* ,"* "* "* ="* ,"* $"* &"* $"* N!"*"*" ,#"*$ 0%"*& 0'"*( 5)"** 8+"*, '-"*. 8/"*0 '1"*2 '3"*4 *5"*6 7"*8 I9"*: 6;"*< J="*> &?"*@ IA"*B *C"*"*D (E"*"*?A+A,A,HF ceZdZdZ ddZdZdZdZdd Zdd Z d Z d Z dZ ddZ ddZdZdZdZdZdZdZdZddZdS) UFWFrontendUIiptablesNc|dkr( t||||_n!#t$rwxYwtd|zt d|_t d|_t d|_dS)Nrj)rootdirdatadirzUnsupported backend type '%s'nyyes)rbackendr>rranorpyes_full)selfdryrun backend_typerlrms rF__init__zUFWFrontend.__init__s : % % 1&':A C C C     :lKLL LC&&S66% s ,cdd}d}|rd}d}|r|jr|s|jrd}|rY |j|jjdd|n+#t$r}t |jYd}~nd}~wwxYwd}|r |jn #t$r}|r|j}Yd}~nd}~wwxYw|dkrh |j|jjdddn+#t$r}t |jYd}~nd}~wwxYwt |td }nU |j n+#t$r}t |jYd}~nd}~wwxYwtd }|S) zlToggles ENABLED state in /ufw/ufw.conf and starts or stops running firewall. rrrpFTconfENABLEDNz0Firewall is active and enabled on system startupz/Firewall stopped and disabled on system startup) rq is_enabled set_defaultfilesrrr=start_firewallra stop_firewall)rtenabledres config_strchangedrE error_strs rF set_enabledzUFWFrontend.set_enableds5  J  DL3355   L3355 G    (();F)C)2J@@@@   ag   G ( ++---- ( ( (( !I (B#L,,T\-?-G-6>>>>###!'NNNNNNNN#i   FGGCC  **,,,,   ag EFFC s`,A33 B=BB#B== C CC$,D D9D44D9E66 FFFc0d} |j||}|jr2|j|jn+#t $r}t |jYd}~nd}~wwxYw|S)zSets default policy of firewallryN)rqset_default_policyr|rrrrr=)rtpolicy directionrrEs rFrzUFWFrontend.set_default_policys ,11&)DDC|&&(( . **,,, ++---    !'NNNNNNNN  sA&A++ B5BBcd} |j|}n+#t$r}t|jYd}~nd}~wwxYw|S)zSets log level of firewallryN)rq set_loglevelrrr=)rtrNrrEs rFrzUFWFrontend.set_loglevels` ,++E22CC    !'NNNNNNNN   AAAFc |j||}n+#t$r}t|jYd}~nd}~wwxYw|S)zShows status of firewallN)rq get_statusrrr=)rtr show_countoutrEs rFrzUFWFrontend.get_status s] ,))':>>CC    !'NNNNNNNN  s AAArc |j|}n+#t$r}t|jYd}~nd}~wwxYw|S)zShows raw output of firewallN)rqget_running_rawrrr=)rt rules_typerrEs rF get_show_rawzUFWFrontend.get_show_raws[ ,..z::CC    !'NNNNNNNN  s AAAc `d} tj|j}n,#t $rt d}t|wxYw|j}t| }| |D]=}|js|dvr!|d|zz }t|| }| |D]}|||D]} | d} | ds| dsd} |d|zz }| d ks| d kr|d z }d | dz} n'|d | zz }tj | } |dtj| dzz }tjd|dd|| dd} | |d| dkr| d| | |j| } t1| dkr[|dz }| D]S}|dkrK|dz t1|kr5|d|tjj||dz fzz }T|dz }Đא?|jstjd|S)zMShows listening services and incoming rules that might affect themryzCould not get listening status)tcp6udp6z%s: laddrz127.z::1z %s z0.0.0.0z::z* z%s/0z%s z(%s)exerNr+inF)actionprotocoldportdstrforward6r r'z [%2d] %s z)Skipping tcp6 and udp6 (IPv6 is disabled))r-utilparse_netstat_outputrquse_ipv6r>rar get_rulesrkeyssort startswithget_if_from_ipospathbasenamerbUFWRuleset_v6endswith set_interface normalize get_matchingr9r.r7 get_commanddebug)rtrderr_msgrV protocolsprotoportsportitemaddrifnamer*matchingrAs rFget_show_listeningzUFWFrontend.get_show_listeningsP $--dl.C.C.E.EFFAA $ $ $899G7## # $ &&((NN 3 $3 $E<((** u8H/H/H 7e$ $C5))E JJLLL- $- $eHTN,$,$D=D??622*$??511*$!#w~-9,, 4KC#)T']#;DD54</C%(X%<%&,&%&C t Y,$- $^|$$&& H HNNF G G G s 6;)A$c|j}td}t|dkr|tdzSg}|jD]w}|jr(dt jj|z}n$t jj |}||vrZ| ||d|zz }x|S)z!Shows added rules to the firewallz9Added user rules (see 'ufw status' for running firewall):rz (None)route %sz ufw %s) rqrrar9rr-r.r8rr7append)rtrVrr!rrstrs rFget_show_addedzUFWFrontend.get_show_addedfs &&((KLL u::??:& &'')) % %Ay @! 6BB1EEFz0<get_rules_count enumeratestrr set_positionrset_rulefind_other_positionr=updatedwarningsrrrrange format_rule)rtr* ip_versionrrtmprVtmprules tmprules6xroprev6rcount set_error pos_err_msgnum_v4num_v6rAbeginuser_posr@rEwarn_msg undo_errorindexesj backout_rules rFrzUFWFrontend.set_rules  9??tyB LL    H2 ;/(!T))#'<#I#ICG$P$P#t++#'<#I#ICG$O$O#v--#'<#I#ICG$P$P$(L$J$JCG%O%O "*77A%.77()','(wwqzz!7+0AD$,OOA$6$6$6 77#$$=">">*"M&w///8}}))$,2E) DEE%--"%CC'4//"%-CC'611"%*s"2W"????Z1__v1E1E'3qz??S+@@K"*;"7"77"l33A66#v--#$:#r>>).!! AAENN51111!" 2h.?.?!% @ @ (6 1E 94!A!AA 1uu !q 1 1 1 1!"q 1 1 1"l33A66 !x9HqLL%)\%A%A%%H%HFNN8a<888#r>>).!! AAENN51111!" 2aj1nn://!% @ @AF!H!HA 1uu !q5y 9 9 9 9!"q 1 1 1"994KC !x@AJ,?,?#r>>NN1:+>???t|44Q777"#$=">">*"M&w///zR''%*aZZFaKKQu---!T))Z6-A-A"l33A66#t++"#$>"?"?&w///"#$=">">*"M&w///   '   y (?@@ h''' $ 3JCC ZZ1__ 'NNNNJ5q>>**G OO    ' '199q9#(8#4#4#6#6L*.L'' lJ????$'''%) #$%C#D#D%&]]__$5X ' q>?? ?G I1BCCC1GHHH7## # s>EH+B(H++ H7Q/] ] ]]#`::?a<;a<cN t|}n/#t$r"td|z}t|wxYw|j}|dks|t |kr!td|z}t||j|}|s!td|z}t|d|_d}|j rd}d}|s|j r(dtj j |z} n$tj j|} td| |j|jd z} t%| t&jd t&j} | d kr<| |jkr| |jkrd }d } |r|||} ntd} | S)z Delete rulezCould not find rule '%s'rzCould not find rule '%d'Trrrz=Deleting: %(rule)s Proceed with operation (%(yes)s|%(no)s)? )r*rprrFoutputnewlineroryAborted)intr>rarrqrr9get_rule_by_numberrrrr-r.r8rr7rprrrsysstdoutstdinreadliner:striprsr) rtrRforcernrrVr*rproceedrpromptansrs rF delete_rulezUFWFrontend.delete_ruleOs1 $F AA $ $ $233fc d}|dr\|d}t|dkr||d}nr|d}n[|dkr|d}n>|drjt d }|d }t|d krt |||d|d }n|d kr||}n|dkr|}n|dkr|d}ni|drj|d d}|dkr| }n|dkr| }n| |}n|dkr|dd}n|dkr| d}n|dkr| d}n|dkre|j r;| d| dt d}n8t d}n'|dr1||d d|}n|dks|dks |dks|dkr|jdkr |j |j}||jkr||_||d nt#t $rg}|jst)|jt,j|jst d!}t |Yd"}~nd"}~wwxYw|jdkr |j |j}||jkr||_||d nt#t $rg}|jst)|jt,j|jst d!}t |Yd"}~nd"}~wwxYw|||}n!t d#|z}t ||S)$zPerform action on rule. action, rule and ip_version are usually based on return values from parse_command(). ryz logging-onrar'rz logging-offrzdefault-zUnsupported default policy-r+r&rrTzstatus-verboseTrYr r!zstatus-numberedFr r r Firewall reloadedz&Firewall not enabled (skipping reload)zdelete-rrrr"rInvalid profile nameNUnsupported action '%s')rsplitr9rrarrrrrrrrrqr|rrfind_application_nameset_portrrr=r- applicationsvalid_profile_namerr) rtrr*rrrrrrEs rF do_actionzUFWFrontend.do_actions   \ * *M $,,s##C3xx!||''A//''-- } $ $##E**CC   z * *E $455G,,s##C3xx1}}w'''))#a&#a&99CC w  **U##CC x  //##CC ' ' '//$''CC   v & &9 $,,s##A&Ck!!--//))++'',, ( ( (//%..CC x  ""4((CC y ""5))CC x  |&&(( B  '''  &&&+,,@AA   y ) )$ $""6<<#4#4Q#7??CC w  &F"2"2f6H6H w  yB 0,<>tyII0"#$:";";&w///00000 0yB 0,<>tyII0"#$:";";&w///00000 0--j11CC122f=G7## # s4AM O %AOO AP## R-ARRcd} |j|}n+#t$r}t|jYd}~nd}~wwxYw|S)z+Sets default application policy of firewallryN)rqset_default_application_policyrrr=)rtrrrEs rFrz*UFWFrontend.set_default_application_policys` ,==fEECC    !'NNNNNNNN  rct|jj}|t d}|D] }|d|zz } |S)z*Display list of known application profileszAvailable applications: %s)rrqprofilesrrra)rtnamesrrns rFget_application_listz UFWFrontend.get_application_lists_T\*//1122 *++ # #A HN "DD rfcg}|dkr@t|jj}|nRt j|std}t|| |d}|D]}||jjvs|jj|s!td|z}t|t j ||jj|std}t||td|zz }|tdt j |jj|zz }|tdt j |jj|zz }t j|jj|}t|d ks d |d vr|td z }n|td z }|D] }|d|zz } ||t|d z kr|dz }t j|S)zDisplay information on profileallr ryzCould not find profile '%s'zInvalid profilez Profile: %s z Title: %s zDescription: %s r',rzPorts:zPort:rz -- )rrqrrrr-rrrarrverify_profile get_titleget_description get_portsr9r wrap_text)rtpnamerrrnamerr@s rFget_application_infoz UFWFrontend.get_application_infoss E>>.335566E JJLLLL#66u== (233w''' LL    % %D4<000<(.19::dCw'''#224|$T*,, (-..w''' Ao&&$/ /D Am$$(8(B(B(, (=d(C)E)EF FD A+,,-0-=-M-M-1\-B4-H.J.JK KD$..t|/DT/JKKE5zzA~~a( #' " ' 'A&uSZZ\*** $x!!$'''rfcd}d}d} |jjr tjrd}n#t $rd}YnwxYw|dkrvt |jj}| |D]3}|j |\}}|r|dkr|dz }||z }|}4n(|j |\}}|dkr|dz }|rj|j rQ|r= |j n#t $rwxYw|tdz }n|tdz }|S)Refresh application profileryTFrrrzSkipped reloading firewall)rq do_checksr-r under_sshr>rrrrupdate_app_ruler|_reload_user_rulesra) rtr]r allow_reloadtrigger_reloadrr@rfounds rFapplication_updatezUFWFrontend.application_updates  !|% %#(*<*<*>*> %$  ! ! !!LLL  ! e  DL1668899H MMOOO + +#|;;A>> e+byyt CKD%*N  +&*\%A%A'%J%J "T>rzz   8dl5577 8 8L335555 -...6777 s,5 AA D## D/cd}d}|dkrtd}t||jjd}|dkr(tjd|d|d|S|d krd }n3|d krd }n*|d krd }n!td|z}t|dg}|jjr|d|||gz } t|}n#t$rwxYwd|j vr3| |j |j d|j d}n| |j dd}|S)r$ryrz%Cannot specify 'all' with '--add-new'default_application_policyskipz Policy is 'z', not adding profile 'racceptrdroprrzUnknown policy '%s'r-r(r*iptype)rarrqdefaultsr-rrrurr<r>datarr)rtr]rrrrargsrDs rFapplication_addzUFWFrontend.application_addBs e  ?@@G7## #,'(DE f   HNNN"FFGGG- . . .K  FF   FF  FF-..':G7## #y <  % KK $ $ $ &'## t$$BB      RW  >>")RWV_"$'("355DD>>")R44D s C!! C-cFd}|dkr|d}n|dkr|d}n|dkr|d}n|dkr|d }n|d kr|}n|d kr||}nv|d ks|d krI||}d}|d kr||}|dkr |dkr|dz }||z}n!t d|z}t ||S)zzPerform action on profile. action and profile are usually based on return values from parse_command(). ryz default-allowrz default-denyrzdefault-rejectrz default-skipr/rrrzupdate-with-newrr )rrr"r,r6rar)rtrr]rstr1str2rs rFdo_application_actionz!UFWFrontend.do_application_actionls` _ $ $55g>>CC ~ % %55f==CC ' ' '55h??CC ~ % %55f==CC v  ++--CC v  ++G44CC x  6->#>#>**733DD***++G44rzzdbjj +CC122f=G7## # rfcd}|jjrtjrt d|j|jdz}t|tj dtj }|dkr||jkr ||jkrd}|S)z6If running under ssh, prompt the user for confirmationTzWCommand may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? rprrFrro)rqr%r-rr&rarprrrrrrrr:rrs)rtrrrs rFcontinue_under_sshzUFWFrontend.continue_under_sshs < ! ch&8&8&:&: CDD $88:F sz5 9 9 9 9)$$&&,,..4466CczzcTXoo#2F2Frfcd}td|j|jdz}|jjr=t jrtd|j|jdz}|jjr|stt j |tj dtj }|dkr'||jkr||jkrtd}|S|jr||dz }|j}|S) zReset the firewallryzTResetting all rules to installed defaults. Proceed with operation (%(yes)s|%(no)s)? r<zResetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? Frror)rarprrrqr%r-rr&rrrrrrr:rrsr|rr)rtrrrrs rFrzUFWFrontend.resetsZ233 HDG446 < ! :ch&8&8&:&: :677!%88:F < ! %  ""6**3:u M M M M)$$&&,,..4466CczzcTXoo#2F2F ll < " " $ $ + 4##E** *Cl  "" rf)rjNN)FF)r)F)__name__ __module__ __qualname____doc__rwrrrrrrrrrrrrr"r,r6r:r=rrfrFrhrhsm H,6'+!!!! 444l   FFFP:JJJX////bTTTTl,(,(,(\)))V(((T@   rfrh)rBrrr ufw.commonrufw.utilr-rrrufw.backend_iptablesr ufw.parserr<rerhrCrfrFrHs--" %%%%%%%%%%333333EEEPEEEPD D D D D D D D D D rf