Mc@sddlZddlZddlZddlZddlZddlZddlZddlmZm Z m Z m Z m Z ddl mZmZmZmZmZddlZdejjfdYZdS(iN(tUFWErrortUFWRulet config_dirt state_dirt prefix_dir(twarntdebugtmsgtcmdtcmd_pipetUFWBackendIptablescBseZdZddZdZdZdZeedZdZ dZ d Z d Z d Z d Zd ZedZedZdZedZdZdZdZRS(cCsdtjjd|_i}tjjtd|ddddgD]-}d|||f}|j |j|qWqpW|j dj|d|j dj|dqWdd d!d"d#d$d%d&g|_d'|_dS((Ns# s _comment #s user.rulestrulessufw/before.rulest before_rulessufw/after.rulest after_ruless user6.rulestrules6sufw/before6.rulest before6_rulessufw/after6.rulest after6_rulessufw-inittinittiptablestbeforetusertaftertmisct4t6tufwtinputtoutputtforwards%s-%s-logging-%ss -logging-denys-logging-allowsufw-user-limits-mtlimits--limits3/minutes-jtLOGs --log-prefixs[UFW LIMIT BLOCK](Rtcommont programNamet comment_strtostpathtjoinRRtbackendt UFWBackendt__init__tchainstuse_ipv6tappendtufw_user_limit_logtufw_user_limit_log_text(tselftdtfilestvert chain_prefixtlocttargettchain((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyR'!s8%        RcCsrd|d}d}|j|dkr0d}n>|j|dkrLd}n"|j|dkrhd}nd }|S( sGet current policytdefault_t_policyttaccepttallowtaccept_no_tracksallow-without-trackingtrejecttdeny(tdefaults(R-tprimarytpolicytrstr((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pytget_default_policyEs   cCsztd}|jddkr,|d7}nJ|jddkrL|d7}n*|jddkrl|d7}n |d 7}|S( sGet current policys New profiles:tdefault_application_policyR8s allowtdrops denyR;s rejects skip(t_R=(R-R@((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pytget_default_application_policyUs     c Cs|js|dkrL|dkrL|dkrLtd|}t|n|dkr|dkrtd|}t|nd}|dkrd }nd }d }|dkry"|j|jd d |d Wntk rnXd}d}n|dkrRy"|j|jd d |dWntk rBnXd}d}nEy"|j|jd d |dWntk rnXd}d}tjd |}x|jd|jdgD]}ytj j |} Wntk rnX| d} xV| dD]J} |j | rDtj j | |j || q tj j | | q Wytj j| Wqtk rqXqWntdi|d6|d6} | td7} | S(sSets default policy of firewallR9R<R;sUnsupported policy '%s'tincomingtoutgoings%Unsupported policy for direction '%s'tINPUTtOUTPUTR7R=sDEFAULT_%s_POLICYs"ACCEPT"s UFW BLOCKs UFW ALLOWs"REJECT"s"DROP"R Rttmptorigs5Default %(direction)s policy changed to '%(policy)s' t directionR?s*(be sure to update your rules accordingly)(tdryrunRDRt set_defaultR/t ExceptiontretcompileRtutilt open_filestsearcht write_to_filetsubt close_files( R-R?RLterr_msgR4t old_log_strt new_log_strtpattftfnstfdtlineR@((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pytset_default_policycst $             !  "  c Cs|jr1dtd}|dtd7}|Std}ddddg}g}g}|d kr|jd d d d d g}d d d g}n|dkrx9dddgD](}|jd||jd|qWx?dddddgD](}|jd||jd|qWx6ddgD](}|jd||jd|q/WxdddgD]}|jd|qkWn|dkrxdddgD](}|jd||jd|qWns|dkr9x9dddgD](}|jd||jd |qW|jd!|jd"n|d#krxdddgD](}|jd$||jd%|qUWn|d&krGx}dddgD]l}|jd'||jd(||jd)||jd*||jd+||jd,|qW|jd-|jd.|jd/|jd0nd1|}x|D]} d2| kr| jd2\} }|d3| 7}t|jg||d | g\} } n#t|jg|| g\} } || 7}|d kr|d47}n| d5krXt|qXqXW|d ks6|jr|d67}x|D]} d2| kr| jd2\} }|d3| 7}t|jg||d | g\} } n#t|jg|| g\} } || 7}|d kr|d47}n| d5krGt|qGqGWn|S(7s'Show current running status of firewalls> sChecking raw iptables sChecking raw ip6tables sproblem runnings-ns-vs-xs-Ltraws-ttfiltertnattmangletbuiltinsRHtFORWARDRIs filter:%st PREROUTINGt POSTROUTINGs mangle:%ssraw:%ssnat:%sRRRRs ufw-before-%ssufw6-before-%sRs ufw-user-%ss ufw6-user-%ssufw-user-limit-acceptsufw-user-limitRs ufw-after-%ss ufw6-after-%stloggingsufw-before-logging-%ssufw6-before-logging-%ssufw-user-logging-%ssufw6-user-logging-%ssufw-after-logging-%ssufw6-after-logging-%ssufw-logging-allowsufw-logging-denysufw6-logging-allowsufw6-logging-denys IPV4 (%s): t:s(%s) s is IPV6: ( RMRDR*tsplitRRRR)t ip6tables( R-tsettoutRXtargstitemstitems6tctbtitttrcRJ((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pytget_running_raws                 ,#       ,#    c!Csd}d}|jrLdtd}|jrH|dtd7}n|Std}xddgD]}t|jdd |d g\}}|d krtd S|d krt|d|n|jret|jdd|d g\}}|d krt|dqqeqeWd}d} |j|j} d } i} x| D]} d}i}d}t }| r| j dks| j dkrt }| j }| j|rtd|qOqt | | sChecking iptables sChecking ip6tables sproblem runningRRs-Ls ufw-user-%ss-nisStatus: inactiveis iptables: %s s ufw6-user-%ss ip6tablessSkipping found tuple '%s'tdsttsrcs::/0s (v6)s 0.0.0.0/0tanyt t/s (%st)tAnywheres on %sRns (%s)s, s[%2d] tins%-26s %-12s%s%s s s tTotFromtActions%-26s %-12s%s sutf-8tignoret-s s.Default: %(in)s (incoming), %(out)s (outgoing)s0Status: active %(log)s %(pol)s %(app)s%(status)stlogtpoltapptstatussStatus: active%sN(%RMRDR)RRRRlR RtTruetdapptsapptFalset get_app_tuplethas_keyRRxtv6tdportRytsporttprotocolt interface_int interface_outtlogtypeRLtlowerR*tlenR$tuppertactiontdecodetencodet get_loglevelRARE(!R-tverboset show_countRntout6RXRLRvtststr_outR tcountt app_rulestrttmp_strtlocationttuplt show_protoR2tportRJtattribst attrib_strtdir_strtfull_strtstr_totstr_fromt str_actiont rules_headertlevelt logging_strt policy_strtapp_policy_str((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyt get_statuss&           %               $             !        cCsxtd}|jr,tdtdnHt|jddg\}}|dkrtt|t|dndS( sStops the firewallsproblem runnings> srunning ufw-initRs force-stopis ufw-initN(RDRMRRR/RR(R-RXRvRn((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyt stop_firewalls    cCs+td}|jr,tdtdnt|jddg\}}|dkrtt|t|dn|jjd s|jd|j j kry|j d Wq't k rtd }t|q'XnDy|j |jdWn)t k r&td }t|nXd S( sStarts the firewallsproblem runnings> srunning ufw-initRtstartis ufw-inittlogleveltlowsCould not set LOGLEVELsCould not load logging rulesN(RDRMRRR/RRR=Rt loglevelstkeyst set_loglevelROtupdate_logging(R-RXRvRn((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pytstart_firewalls&        c Cs|jr tSd}|j}|r4d}|j}nxdddddgD]j}|rt|dksJ|dkrtqJnt|dd |d |g\}}|d krJtd tSqJWtS( sCheck if all chains existRtufw6RRRRs limit-accepts-ns-Ls-user-is_need_reload: forcing reload(RMRRRlRRR(R-RtprefixtexeR4RvRn((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyt _need_reloads   &  cCsYtd}|jr;td|jrUtdqUn|jrUyHxA|jdD]2}|j|d|g|j|d|gqXWWntk rt|nXt d|j dg|j d g\}}|d krt|d n|jrUt d|j d g|j d g\}}|d krRt|d qRqUndS(sReload firewall rules filesproblem runnings> | iptables-restores> | ip6tables-restoreRs-Fs-ZtcatR s-nis iptablesRs ip6tablesN( RDRMRR)t _is_enabledR(t _chain_cmdRORR R/tiptables_restoretip6tables_restore(R-RXRrRvRn((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyt_reload_user_ruless*         cCs,g}tjd}tjd}tjd}|j|r|j|r|j|r|j|jd|jd|n|j|jd||j|jd|q|j|jd|n |j|tjd}tjd } tjd } d } xVt|D]H\} } |j| r&|jd | j}|jd krtd}n!|jdkrd}nd}d| |f}| j| sd|}n|jd| || <|j| |jd|d|| |j| | jd|d||jd| |j| | jd|d||jd|| q&q&Wtjd}xt|D]\} } |j| r|jd| }|jddd|d| }|jd|d | }||| <|j| ||j| |qqW|S(!s5Return list of iptables rules appropriate for sendings-p all sport s-j (REJECT(_log(-all)?)?)s-p tcp s-j \1 --reject-with tcp-resets-p udp R7s(.*)-j ([A-Z]+)_log(-all)?(.*)s-j [A-Z]+_log-alls(-A|-D) ([a-zA-Z0-9\-]+)s'-m limit --limit 3/min --limit-burst 10s\2R8tALLOWRtLIMITtBLOCKs"%s -j LOG --log-prefix "[UFW %s] "s-m state --state NEW s \1-j \2\4s\1-j s-user-logging-s\1 s \1-j RETURNs\1s -j LIMITs% -m state --state NEW -m recent --sets -m state --state NEW -m recents# --update --seconds 30 --hitcount 6s -j s -user-limits-user-limit-accept( RPRQRTR*RVt enumeratetstripRtinsert(R-tfruleRtsuffixtsnippetst pat_prototpat_portt pat_rejecttpat_logt pat_logallt pat_chaint limit_argsRtRR?tlstrt pat_limitttmp1ttmp2ttmp3((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyt_get_rules_from_formattedsh        !   c Csg}|j|||}tjd}xt|D]\}}|j|jd|j|j|r7||jd||j|jd|jdd||c|jd|j7|jr>|j r>td}|jr:|d7}n|S|r{|j r{| r{td}|jrw|d7}n|S|jr||_ n ||_y|j|jWn:tk rn'tk rtd}t|nXtd}|jrtd}n|jr|j rd}|sH|j|jsH| rd}| rg|td7}n|td7}|jr|d7}n|ry|jWqtk rqXq|td7}nQ|r|jrd}td}n-| r| r|j rd}td}n|dkr|j}d}|jr_|j}d }|d7}nd!}|j d"kr}d#}nd$||f}td%}t!|d&|d'g\}}|d krt|nd(|||j"f}t#j$d)}x|j%|||D]}t!|g|\}}|d krXt&|t'j(t|n|dkr|j)d*j*|r|j+d+d*j*|}t!|d|d,d-g\}}|d krt,d.|qqqWqn|S(1sXUpdates firewall with rule by: * appending the rule to the chain if new rule and firewall enabled * deleting the rule from the chain if found and firewall enabled * inserting the rule if possible and firewall enabled * updating user rules file * reloading the user rules file if rule is modified R7s)Adding IPv6 rule failed: IPv6 not enabledRs#Skipping unsupported IPv6 '%s' ruletudpttcps/Must specify 'tcp' or 'udp' with multiple portss1.4s:Skipping IPv6 application rule. Need at least iptables 1.4isInvalid position '%d's Cannot specify insert and deletes#Cannot insert rule at position '%d'iiis Skipping inserting existing rules (v6)s"Could not delete non-existent rulesSkipping adding existing rulesCouldn't update rules files Rules updatedsRules updated (v6)s Rule inserteds Rule updateds (skipped reloading firewall)s-Ds Rule deleteds-As Rule addedRRRRnRs %s-user-%ss!Could not update running firewalls-Ls-ns%s %s %ss(-A +)(ufw6?-user-[a-z\-]+)(.*)R{s\2s-jtRETURNsFAILOK: -D %s -j RETURN(R7R7R7R7(R7R7R7R7(-RR)RDRRtmultiRRR tpositiontiptables_versionRRRRtremovet normalizeRORxRyRR*tdup_ruleRRRMRRRRRRlRLRRRPRQRRRtstderrRTR$RVR(R-Rt allow_reloadR@RXtnewrulestfoundtmodifiedtdeleteR RRtinsertedtmatchestlastRtcurrenttrettflagRR1RR4RvRnRRRRr((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pytset_rule2s&   '    -       ,                                          $! c Csg}g}|r|j}n |j}|j}|j||j|j}xL|D]D}|j}|j|j} | |kr]|j|q]q]W|S(s@Return a list of UFWRules from the system based on template rule(RR R RR RR*( R-ttemplateRR RtnormRRRJt tmp_tuple((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pytget_app_rules_from_systems            cCs|j}|jdr$|j}nt|g|\}}|dkrtd|}|rptd|qt|ndS(sPerform command on chainRisCould not perform '%s'sFAILOK: N(RRRlRRDRR(R-R4Rotfail_okRRvRnRX((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyRs   cCs|jr dSg}y|j|}Wntk r<nXy$|jdt|jdtWn:tk rwn'tk rtd}t|nX|jsdStd}xs|j d|j d|j d|j dD]C}y|j |d |d gWqtk r+t|qXqWy^xW|j d|j d|j dD]2}|j |d |g|j |d |gqWWWntk rt|nXx|D]\}}}t}t |d kr|d dkrt}nyY|dkr:t |dkr:|j |dg|ddtn|j |||Wqtk rmt|qXqW|j ddg|j |j dgdt|jddkr|j ddg|j |j dgdtndS(s#Update loglevel of running firewallNRs&Couldn't update rules file for loggings!Could not update running firewallRRRRs-Ls-ns-Fs-Zis-Dt delete_firstiRsufw-user-limitR{RRs-I(RMRRORRRRRDRR(RRR+R,R=(R-Rtrules_tRXRrRRR((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyR$sb       2  " $   c Csg}||jjkr:td|}t|n|dkrx7|jdD](}|j|d|ddgdgqTW|Sx7|jdD](}|j|d|ddgd gqWd d d d ddg}|j||jdkr2g}|j||jdkr|}nx|jdD]}xdddgD]}|j|r=|j|dks||j|dkrd}|j|d|ddd|g|d gq|j||jdkrd}|j|d|ddd|g|d gqq=q=Wq'Wg}|j||jdkr4|}nx|jdD]}|jdr`d}n|jdrd}|j||jdkr|j|d|d d d!d"ddg|d gq|j|d|d d d!d"dddd#g |d gn|j|d|ddd|g|d gqBWn|j||jdkrg}|j||jd$kru|}n|j||jdkrd d d!d%g|}nd&}xD|jd'D]2}|j|d|ddd|g|d gqWn|S((s%Get rules for specified logging levelsInvalid log level '%s'RRs-Is-jRRs-DR7s-mRs--limits3/mins --limit-burstt10RthighRRRRR;R<s [UFW BLOCK] s-ARs --log-prefixtmediums [UFW ALLOW] RR9tstates--statetINVALIDs[UFW AUDIT INVALID] tfulltNEWs [UFW AUDIT] R(RRRDRR(R*tendswithRA( R-RRRXRrRtlargsRuR((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyRgsv &&  %   c Csd}g}x|jD]}|j|jds8qn|j|j|tjjtjjdtjj |j|}tjj |st d|}t |qqWt jd}xO|D]G}d||f}tjj|rt d|}t |qqWx\|D]T}d||f}|t ditjj |d 6|d 67}tj||qWx|D]}d||f}tjtjjtjjdtjj |tjj|tj||y tj|}|tj} Wn.tk r/t d |} t| qynX| tj@rT|t d |7}qy| tj@ry|t d |7}qyqyW|S(sReset the firewallR7s.rulesRsCould not find '%s'. Abortings %Y%m%d_%H%M%Ss%s.%ss'%s' already exists. Abortings"Backing up '%(old)s' to '%(new)s' toldtnewsCouldn't stat '%s'sWARN: '%s' is world writablesWARN: '%s' is world readable(R/R&R*R"R#R$RRt share_dirtbasenametisfileRDRttimetstrftimetexiststrenametshutiltcopytdirnametcopymodetstattST_MODERORtS_IWOTHtS_IROTH( R-trestallRttfnRXtextR(tstatinfotmodeR((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pytresetsP   "     (t__name__t __module__R'RARER`RwRRRRRRRRRRRRRRRRR?(((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyR s( $   H X    D  >  C Y(R"RPR1R5RttempfileR-t ufw.commonRRRRRtufw.utilRRRRR t ufw.backendRR%R&R (((s8/usr/lib/python2.7/dist-packages/ufw/backend_iptables.pyts       ((