#fd$"dZddlmZddlZddlZddlZddlZddlZddlZddl Z ddl Z ddl Z ddl Z ddl Z ddlZddlZddlmZddlmZmZdZdZgdZgdZd d gZd Zd Zd ZdZdZd;dZdZ dZ!dZ"dZ#dd-Zd0Z?d1Z@d2ZAd3ZBd4ZCd5ZDd6ZEd7ZFd@d9ZGd:ZHdS)Az"util.py: utility functions for ufw)print_functionN)reduce)mkstempmktempF)tcpudpipv6espahigmpgrevrrp)r r r r r rr r c d} tj|n#t$rwxYw tj|dd}n#t$rYnwxYw tj|d|dkrd}nd}n#t$rYnwxYw|S)z8Get the protocol for a specified port from /etc/servicesrrany)socket getservbyname Exception)portprotos */usr/lib/python3/dist-packages/ufw/util.pyget_services_protor.s ET""""   T5)))       T5))) E>>EEE       Ls+ %A A A A33 B?BcPd}d}|d}t|dkr |d}d}nlt|dkr;|d}|d}|tvr!td|z}t |ntd}t |||fS) zParse port or port and protocolr/rrzInvalid port with protocol '%s'zBad port)splitlenportless_protocols_ ValueError)p_strrrtmperr_msgs rparse_port_protor%Hs D E ++c  C 3xx1}}1v SQ1vA & & &9EABBGW%% % 'J--!!! %=ctjstddSt|dkst jd|sdS|d} tjtj|dn#t$rYdSwxYwt|dkrdSt|dkrt|dd sdSd S) zVerifies if valid IPv6 addressz"python does not have IPv6 support.F+z^[a-fA-F0-9:\./]+$rrrrT) rhas_ipv6warnrrematchr inet_ptonAF_INET6r_valid_cidr_netmaskaddrnets rvalid_address6r3\s ? 1222u 4yy2~~RX&;TBB~u **S//C#a&1111 uu 3xx!||u SQ"3q6400 5 4s%B BBct|dkstjd|sdS|d} t jtj|dt|ddsdSn#t$rYdSwxYwt|dkrdSt|dkrt|ddsdSdS) zVerifies if valid IPv4 addressz ^[0-9\./]+$FrrrrT) rr+r,rrr-AF_INET_valid_dotted_quadsr valid_netmaskr0s rvalid_address4r9vs 4yy2~~RXnd;;~u **S//CQ000"3q6511 5  uu 3xx!||u SQSVU++ 5 4s;A?? B  B cBt||pt||S)z(Verifies if valid cidr or dotted netmask)r/r7)nmv6s rr8r8s" r2 & & E*=b"*E*EEr&rc|dkrt|S|dkrt|S|dkrt|pt|St)zValidate IP addresses64r)r3r9r!)r1versions r valid_addressrAs\#~~d### Cd### E  d##;~d';';; r&c0g}d}d}tj}|rd}tj}d|vrE|d}|r|ddkr|d=n3|s|ddks |ddkr|d=n|||sTt |d krAt |d|r+ t|d||d<n#t$rYnwxYw|d }tj |tj ||}||d krd }t |d krA|d|dzz }|s1t|}||krd |d |d}t||}d }t||sd|z}t|t||fS)zConvert address to standard form. Use no netmask for IP addresses. If netmask is specified and not all 1's, for IPv4 use cidr if possible, otherwise dotted netmask and for IPv6, use cidr. Fr?r>rr12832z255.255.255.255rrTzUsing 'z' for address ''zInvalid address '%s')rr6r.rappendrr7_dotted_netmask_to_cidrr inet_ntopr-_address4_to_networkdebugrAr!) origr<r2changedr@s_typer1networkdbg_msgs rnormalize_addressrPs CGG ^F ! d{{jjoo  #a&E//A Q43q65F+F+FA 4 #c((a--$7A$C$C- ,SVR88CFF    D  q6D  FF$4VT$B$B C CD s1v~~ 3xx1}} c!f  *400G$;B77DDDIg w ' '(D1 g '?s-C CCc"t|dS)z"Opens the specified file read-onlyr)open)fns ropen_file_readrUs C==r&ct|} t\}}n##t$r|wxYw||||dS)z=Opens the specified file read-only and a tempfile read-write.)rKorignamer#tmpname)rUrrclose)rTrKr#rXs r open_filesrZsb "  D gg   r#' K KKs # Ac|dkrdS|sttjdtr>|tjkrt|dSd}tjddkr$tj|t|d}ntj||}|dkrttj ddS) z~Write to the file descriptor and error out of 0 bytes written. Intended to be used with open_files() and close_files().rNzNot a valid file descriptorrasciiz"Could not write to file descriptor) OSErrorerrnoENOENT msg_outputsysstdoutfilenowrite version_infoosbytesEIO)fdoutrcs r write_to_filerns byy Cel$ABBBbCJ--//// B a Xb%W-- . . Xb#   Qwwei!EFFFwr&Tc*|dtj|d|rBtj|d|dtj|d|dtj|ddS)zuCloses the specified files (as returned by open_files), and update original file with the temporary file. rKr#rWrXN)rYrhshutilcopystatcopyunlink)fnsupdates r close_filesrvsKHSZ 5JY888 C NC O444Ic)nr&c,t| tj|tjtjd}n(#t $r}dt |gcYd}~Sd}~wwxYw|d}|jt |gS)z!Try to execute the given command.T)rdstderruniversal_newlinesNr) rJ subprocessPopenPIPESTDOUTr_str communicate returncode)commandspexrls rcmdrs 'NNN  gjo%/%615777 SWW~ ..  1 C M3s88 $$s,> A#AA#A#c, tj|tj}tj||j}n(#t$r}dt |gcYd}~Sd}~wwxYw|d}|jt |gS)z#Try to pipe command1 into command2.)rd)stdinrzNr)r{r|r}rdr_rrr)command1command2sp1sp2rrls rcmd_piper$sx @@@xsz::: SWW~ //  A C NCHH %%s;> A#AA#A#cr |j}n#t$r|}YnwxYw |dd}n#t$r|}YnwxYwtr4t jt jr||n"|t|| dS)zQImplement our own print statement that will output utf-8 when appropriate.utf-8ignoreN) bufferrencoderbinspectisclassioStringIOrfriflush)outputswriterrls r_printr2s hhw)) !gobk22! Q U3ZZ    LLNNNNNs 4 AAc ttjd|zn#t$rYnwxYw|rtjddSdS)zPrint error message and exitz ERROR: %s rN)rrcrxIOErrorexit)rldo_exits rerrorrGsf sz=3.////        s  --cd ttjd|zdS#t$rYdSwxYw)zPrint warning messagez WARN: %s N)rrcrxrrls rr*r*RsF sz<#-.....      s ! //ctr|tjkrt} |rt|d|zdSt|d|zdS#t$rYdSwxYw)z Print messagez%s %sN)rbrcrdrr)rlrnewlines rmsgrZs~f **  ' 66C< ( ( ( ( ( 64#: & & & & &      sA A AAcvtr1 ttjd|zdS#t$rYdSwxYwdS)zPrint debug messagez DEBUG: %s N) DEBUGGINGrrcrxrrs rrJrJhsX  3:}s2 3 3 3 3 3    DD s ( 66cNt|fd|dS)z A word-wrap function that preserves existing line breaks and most spaces in the text. Expects that existing line breaks are posix newlines ( ). c |dt||dz dz t|dddz|k|S)Nz  rr)rrfindr)linewordwidths rzword_wrap..wsk4#d))DJJt$4$44q8djjq11!45569>?AA4 3r& )rr)textrs r word_wraprqs6 5 **S//   r&c"t|dS)zWord wrap to a specific widthK)r)rs r wrap_textrs T2  r&c@d|fddS)a$Sorts list of strings into numeric order, with text case-insensitive. Modifies list in place. Eg: [ '80', 'a222', 'a32', 'a2', 'b1', '443', 'telnet', '3', 'http', 'ZZZ'] sorts to: ['3', '80', '443', 'a2', 'a32', 'a222', 'b1', 'http', 'telnet', 'ZZZ'] cp|rt|n|SN)isdigitintlower)ts rrzhuman_sort..s%qyy{{9SVVV r&cFfdtjd|DS)Nc&g|] }|Sr).0cnorms r z0human_sort....s!FFFTT!WWFFFr&z([0-9]+))r+r)krs rrzhuman_sort..s(FFFFbhz1.E.EFFFr&)keyN)sort)lstrs @r human_sortrs1 : 9DHHFFFFHGGGGGr&c t|}n#t$rtdwxYwtjdt |d}tj|std|zt| d ddd d}t|S)zdFinds parent process id for pid based on /proc//stat. See 'man 5 proc' for details. zpid must be an integer/procstatCouldn't find '%s'r)r) rrr!rhpathjoinrisfilerrS readlinesrsplitr)mypidpidnameppids rget_ppidrs3%jj 33312223 7<<S6 2 2D 7>>$  5*d3444 ::   ! !! $ + +C 3 3A 6 < < > >q AD t99s,c t|}nf#t$r"td}t|YdSt$r/tdt |z}t |wxYw|dks|dkrdStj dt |d}tj |s!td|z}t | t| d d}n/#t$r"td |z}t |wxYwtd |z|d krd St|S) z1Determine if current process is running under sshz%Couldn't find pid (is /proc mounted?)Fz!Couldn't find parent pid for '%s'rrrrrz"Could not find executable for '%s'zunder_ssh: exe is '%s'z(sshd)T)rrr r*rrr!rhrrrrSrrrJ under_ssh)rrwarn_msgr$rexes rrrs"}} <== Xuu """788CHHE!!!"  axx4199u 7<<TF 3 3D 7>>$  "())T2!!!"4jj""$$Q'--//2 """899TB!!!" "c *+++ hts(A58A55?D55,E!cd}|rd}tjd|r&t|dkst||krdSdS)zVerifies cidr netmasks ^[0-9]+$rFT)r+r,r)r;r<nums rr/r/sN C  8K $ $B! s2ww}}u 4r&c|rdStjd|r[tjd|}t|dkrdS|D]-}|r&t |dkst |dkrdS.ndSdS)z.Verifies dotted quad ip addresses and netmasksFz^[0-9]+\.[0-9\.]+$z\.rT)r+r,rrr)r;r<quadsqs rr7r7s u 8)2 . . HT2&&E5zzQu ! !!CFFQJJ#a&&3,, 55+7 !5 4r&c  d}|rtt||std} ttjdt j|d}nJ#t$r=ttjdt j|d}YnwxYwd}tdD]}||z dzdkrd}|rd}n|dz }|dkr|dkrtd|z }t||st|S) z@Convert netmask to cidr. IPv6 dotted netmasks are not supported.rr>LFrrTr\) r!r7longstructunpackr inet_aton NameErrorrrangerr/)r;r<cidrmbitsbits found_onens rrGrGs? D #"2r**    E dF,>} q6D!fG B2u%%0 $R / /DtV-=d-C-CDDQGHH v}T6+;B+?+?@@CDD DDD dF,*>??BCCDw&Lv{4>>??Gggww ''sA4DA>FFctd}d|vrtd|S|d}t|dkst|ddst|d}|d}t jdtjtj |} td}n#t$rd}YnwxYwtd D]M}|||d }td D])} |dt|| zd | z |d zz zz}*N td} n#t$rd} YnwxYwtd D] }|t|kr | dd |z zz} !|| z} g} td D]@}| t|| d |d z|d zd zdAtjtj t jd| d| d| d| d | d| d| d| d } | d|S)z8Convert an IPv6 address and netmask to a network addresscjdfdt|dz ddDS)zDecimal to binaryrc:g|]}t|z dzS)r)r)ryrs rrz9_address6_to_network..dec2bin..hs)LLLSAXN++LLLr&rr\)rr)rcounts` rdec2binz%_address6_to_network..dec2binfs:wwLLLLU57B5K5KLLLMMMr&rz8_address6_to_network: skipping address without a netmaskrrTrz>8Hrzrr]r)rJrrr8r!rrrr-r.rrrrrFrHr)r1rr# orig_hostnetmaskunpackedrirjrr2rrNs r_address6_to_networkr dsNNN $ HIII **S//C 3xx1}}M#a&$77}AI!fG}UF$4V_5>%@%@AAHGG  1XX99 GHQK $ $r 9 9A !c!A$ii-SU1R4Z8 8II 9q'' 3ZZ** s7||   qWM) )G g C C 1XX<< 3wwsC((2ad2g6::;;;;v%{5#a&#a&+.q63q63q6+.q63q63q6 C CDDG ggww ''s$!B11 C?C!D11 E?Ec|d}t|dkst|d|st|d}|d}|dks|dkrdS|}d|vrM|d}t|dkst|d|st|d}|dks|dkrdS|r&t |rt |stn%t |rt |stt ||r|st||}|r[t|d|dd}t|d|dd}nZt|d|dd}t|d|dd}||kS)z&Determine if address x is in network yrrrrz0.0.0.0z::T) rrr8r!r3r9r/rr rI) tested_add tested_netr<r#rr address orig_networkrNs r in_networkrs:   3  C 3xx1}}M#a&"55}AI!fGId!2!2tG g~~mmC   s88q== c!fb 9 9= a&)w$t g&& nY.G.G   g&& nY.G.G  7B''77)'266 I+-6YY-ABBBG%**QP &(/(:;;;@5::aI,-6YY-ABBBG%**QP &(/(:;;;@5::aI l ""r&cd}dD]E}tj|d}tj|rnd}F|dkrt t jd|S)Nr)z/sbinz/binz /usr/sbinz/usr/binz/usr/local/sbinz/usr/local/biniptableszCould not find iptables)rhrrexistsr_r`ra)rds r_find_system_iptablesrsr C3gll1j)) 7>>#    ECC byyel$=>>> Jr&c|t}t|dg\}}|dkrttjd|zt jd|}t jdd|dS) zReturn iptables versionNz-VrzError running '%s'z\sz^vrr)rrr_r`rar+rsub)rrmrlr#s rget_iptables_versionrsq {#%%S$K  IR Qwwel$8C$@AAA (4  C 6$CF # ##r&cxd}|r1tjdkrttjd|t }g}d}|drd}|tdd z }t|d |g\}}|dkrttj ||||gd r| d |||gd r| dt|d|gt|d|g\}}|dkrttj ||S)z[Return capabilities set for netfilter to support new features. Callers must be root.cJ|d|g}t||z\}}|dkrdSdS)Nz-ArTF)r)rchainruleargsrmrls rtest_capz,get_netfilter_capabilities..test_caps6T5!t $$ S 774ur&rz Must be rootNz ufw-caps-test ip6tableszufw6-caps-testr)prefixdirz-N)-m conntrack --ctstateNEWr%recentz--setz recent-set) r%r&r'r(r%r)z--updatez --seconds30z --hitcountr>z recent-updatez-Fz-X) rhgetuidr_r`EPERMrendswithrrrarF)r do_checksr!capsrrmrls rget_netfilter_capabilitiesr0s3RY[[A%%ek>222 {#%% D E ||K  !   V22 & & &&ES$&''IR QwwelC((( xU66677" L!!!xU00011% O$$$dES$&''IR QwwelC((( Kr&cTt|}t}|D]t}|ds|ds.|}|d}|ddd}t}d|dddd|d<|d |d <|d d d|d <|d dkr |d |d<n$|d d d|d<||vrt||<g|||<n|||vr g|||<||||v|S)z:Get and parse netstat the output from get_netstat_output()rrrr:r\Nladdrr]uidrrr-r)get_netstat_outputdict splitlines startswithrrrF)r<netstat_outputrrr#rritems rparse_netstat_outputr<'s (++N A))++$$u%% dooe.D.D  jjllA1v||C  $vvQc!2!23B3!788W !fU !fll3''*U ;#  u+DKKa&,,s++A.DK >>vvAeHAeHTNN1U8##!#% %d#### Hr&c d}|r1d}tj|sttjd|zt |D]}||dkrd fdtdtddD}d  d kr-|d td  d }|dkrttjd nt!jt jt j} t!jt)j|dt/jd|dddd}n(#t2$rttjd wxYwt5||dS)zGet IP address for interfacer/proc/net/if_inet6'%s' does not existrr2c6g|]}d||dzSrrrrr r#s rrz"get_ip_from_if..[)LLLaCF1QqS5MLLLr&rrr80rrNo such devicei256sN)rhrrr_r`rarSrrrrrrrrENODEVrr6 SOCK_DGRAMrfcntlioctlrerrrrP)ifnamer<r1procrrr#s @rget_ip_from_ifrPMs D :#w~~d## F%,(=(DEE EJJ((** E ED**,,CQxxLLLL5CAKK3K3KLLLNNq6<<>>T))&*ddCA ,C,C,CDD 2::%,(899 9  M&.&*; < < :#EK F$*Kss $D$D%F%FFHe%MNNDD : : :%,(899 9 : T2 & &q ))s "AG%G%c d}d}t|rd}d}n)t|sttjdt j|sttj d|zd}|rt| D]}| d }d fd td t!d d D}d dkr-|dt%d d}||ksd|vrt'||dr|}nnt| D]`}d |vr| d d  } t)|d}n#t$rYRwxYw||kr|}na|S)zGet interface for IP addressFz /proc/net/devTr>rEr?rrr2c6g|]}d||dzSrArrBs rrz"get_if_from_ip..rCr&rrrrDrr)r3r9rr`rJrhrrr_rarSrrstriprrrrrrrP) r1r<rOmatchedrrNtmp_addripr#s @rget_if_from_iprWms B Dd6 # D ! !6el$4555 7>>$  Bel$9D$@AAAG JJ((**  D**,,CV\\^^FxxLLLL5CAKK3K3KLLLNNH1v||~~%%&.hhCFLLNNB0G0G0GHxxJtXt$D$D JJ((**  D$ZZ__Q'--//F #FE22    Tzz  NsG++ G87G8c6tjd}|tjd}t }|D]J}||stjd|d}tj |tj tj zsgd} tj tjd|d}n#t$rYnwxYw tj|}n#t$rYwxYw|D]s} tjtj||d}n#t$rYHwxYw|dtj|||<tL|S)zGet inodes of files in /procrrrkr5rrr)rhlistdirrr+compiler7r,rraccessF_OKR_OKreadlinkrrbasename) proc_filespatinodesr fd_pathexe_pathdirsr inodes r_get_proc_inodesrgsG$$JOO *[ ! !C VVF FFyy||  ',,w400y"'BG"344   {27<<E#B#BCCHH    D  :g&&DD    H  F FA  Wa 8 899!<    '(qq"'*:*:8*D*D*DEF5MM  F Ms673C++ C87C8<D DD&8E E,+E,c ddddddddd d d d }d dddd}tjd|}tj|tjtjzst g}d}t|}|D]}| }|sd}|t||dd} | drd} n| dr| d krq||d d\} } ||d} ||d} | | t| d| | | f|S)z=Read /proc/net/(tcp|udp)[6] file and return a list of tuples ESTABLISHEDSYN_SENTSYN_RECV FIN_WAIT1 FIN_WAIT2 TIME_WAITCLOSE CLOSE_WAITLAST_ACKLISTENCLOSING) rrr]rrrrr rr]rrt) local_addrstater4rfz /proc/netFTrxrrNArrwr2r4rf) rhrrr[r\r]r!rSrrrr9rF)protocol tcp_statesproc_net_fieldsrTr skipped_firstlinesrfieldsrxr3rr4rfs r_read_proc_net_protocolrs#  !!!"    J'(!" !"O k8 , ,B 9R27* + + CM HH   E > >  M 3vog&>?DDE   u % % EE   ' ' EX,=,= _\:;AA#FF t_U+,w/0 E3tR==#ue<==== Jr&c fd}tdkrdtdddD]8}dfdt|dz|dDz 9tdfdtdtd Dd d}n{gfd tdddDD]2}t t |d 3td dd}|S)zDConvert an address from /proc/net/(tcp|udp)* to a normalized addressrrrrc*g|]}|dz |Srrrr paddrs rrz(convert_proc_address..s%FFFaU1Q3q5\FFFr&r2cNg|]!}||dz"S)r)r)rr r#s rrz(convert_proc_address..s1BBBqAacE   ""BBBr&rTc*g|]}|dz |Srrrs rrz(convert_proc_address..s%:::A51Q<:::r&r.F)rrrrPrFrr)r convertedr r#s` @rconvert_proc_addressrsGI 5zzA~~q"a H HA 277FFFF51a3D3DFFFGG GCC%chhBBBBE!SXXq,A,ABBB'D'D ::::q!R::: ( (A JJs3q":: ' ' ' '%chhsmmU;;A> r&c4t}ddg}|r|ddgz }|D]F} t|||<#t$r$td|z}t |YCwxYwt }t |}|d}|D]k}||D]`\}} } } } t|} d}t| |vr|t| }||dd | d | d d | d d | dd | d d |d z }al|S)z5netstat-style output, without IPv6 address truncationrrtcp6udp6z!Could not get statistics for '%s'rr55rr24611r) r7rrr r*rglistkeysrrr)r< proc_net_datarprrb protocolsrr3rr4rfrxr1rs rr6r6sFFM ENE " &&!!  6q99M!     <BCCH NNN H    F]''))**I NN A  O O0=a0@ O O ,UD#ue'..DC5zzV##SZZ( qqqqBF$$7M7M7M7M7> ? ? F Fw O OOr&ctjddkr)|ddStjdt |dzr |dd n|zdd S) z,Take a hex string and convert it to a stringrr]r)encodingrrrNr\backslashreplace)rcrgrr unhexlifyr)hs r hex_decoder=s Qxxx''..w777  dA &AaffB C C J J#  r& /run/ufw.lockcld}|s/t|d}tj|tj|S)zCreate a blocking lockfileNw)rSrLlockfLOCK_EX)lockfiledryrunlocks r create_lockrLs7 D )Hc"" D%-((( Kr&c|dS tj|tj|dS#t$rYdSwxYw)z(Free lockfile created with create_lock()N)rLrLOCK_UNrYr!)rs r release_lockrUsZ |  D%-(((      s3; A A )r)Tr)NT)F)rF)I__doc__ __future__rrrr`rLrrrhr+rprrr{rc functoolsrtempfilerrrrbsupported_protocolsripv4_only_protocolsrr%r3r9r8rArPrUrZrnrvrrrrr*rdrrJrrrgetpidrrr/r7rGrrIr rrrr0r<rPrWrgrrr6rrrrrrr&rrs(("&%%%%%   $$$$$$$$   QPPAAAv&4(42FFF    444n L L LGGG2     % % % & & &*   J         H H H29;;.")++!!!!N   2$$$\: ( ( (F7(7(7(t,#,#,#h    $ $ $ $6666r# # # L****@,,,^"""J,,,^&    F   PPP         r&