ó Pµ$Nc@s‹ddlZddlZddlZddlmZdZdZdZeZdZ dZ dZ d e fd „ƒYZ d d d „ƒYZdS(iÿÿÿÿN(tdebugtufws/lib/ufws/usr/share/ufws/etcs/usrs/sbintUFWErrorcBs eZdZd„Zd„ZRS(s$This class represents ufw exceptionscCs ||_dS(N(tvalue(tselfR((s./usr/lib/python2.7/dist-packages/ufw/common.pyt__init__"scCs t|jƒS(N(treprR(R((s./usr/lib/python2.7/dist-packages/ufw/common.pyt__str__%s(t__name__t __module__t__doc__RR(((s./usr/lib/python2.7/dist-packages/ufw/common.pyR s tUFWRulecBsÝeZdZdddddd„Zd„Zd„Zd„Zd„Zd „Zd d „Z d „Z d „Z d„Z d„Z d„Zd„Zd„Zd„Zd„Zd„Zd„Zd„Zd„Zd„ZRS(s$This class represents firewall rulestanys 0.0.0.0/0tincCs t|_t|_t|_d|_d|_d|_d|_d|_t|_ d|_ d|_ d|_ d|_ d|_d|_d|_yb|j|ƒ|j|ƒ|j|ƒ|j|dƒ|j|ƒ|j|ƒ|j|ƒWntk r‚nXdS(Ntitsrc(tFalsetremovetupdatedtv6tdstRtdporttsporttprotocoltmultitdapptsapptactiontpositiontlogtypet interface_int interface_outt set_actiont set_protocoltset_porttset_srctset_dstt set_directionR(RRRRRRRt direction((s./usr/lib/python2.7/dist-packages/ufw/common.pyR+s4                      cCs |jƒS(N(t format_rule(R((s./usr/lib/python2.7/dist-packages/ufw/common.pyRIscCs=d|}x,|jD]!}|d||j|f7}qW|S(sPrint rule to stdouts'%s's, %s=%s(t__dict__(Rtrestk((s./usr/lib/python2.7/dist-packages/ufw/common.pyt _get_attribLs cCsÍt|j|jƒ}|j|_|j|_|j|_|j|_|j|_|j|_|j |_ |j |_ |j |_ |j |_ |j |_ |j|_|j|_|j|_|j|_|S(sReturn a duplicate of a rule(R RRRRRRRRRRRRRRRRR&(Rtrule((s./usr/lib/python2.7/dist-packages/ufw/common.pytdup_ruleSs"               c Cspd}|jdkr)|d|j7}n|jdkrL|d|j7}n|jdkrh|d7}nº|d|j7}|jr"|d7}|jdkrÙ|jdkrÙ|d|j7}|d7}|d |j7}q"|jdkrü|d|j7}q"|jdkr"|d |j7}q"n|jd krT|jd krT|d |j7}n|j r|jdkr|d |j7}n|jd kr³|jd kr³|d|j7}n|j rà|jdkrà|d|j7}nd}|jdkrd|j}n|j dkr%|d|7}nj|j dkra|d|7}|jdkr|d7}qn.|j dkr|d|7}n|d|7}|j dks­|j dkrfd}t j dƒ}|j dkrñ|d|jd|j ƒ7}n|j dkr|j dkr|d7}n|j dkrK|d|jd|j ƒ7}n|d 7}|d|7}n|jƒS(!sFormat rule for later parsingRs -i %ss -o %sR s -p alls -p s -m multiports --dports s --sports s 0.0.0.0/0s::/0s -d s --dport s -s s --sport t_tallows -j ACCEPT%strejects -j REJECT%sttcps --reject-with tcp-resettlimits -j LIMIT%ss -j DROP%ss-m comment --comment 't tdapp_s%20t,tsapp_t'(RRRRRRRRRRRRtretcompiletsubtstrip(Rtstrtlstrtcommentt pat_space((s./usr/lib/python2.7/dist-packages/ufw/common.pyR'hsd        cCs”|jƒjdƒ}|ddksE|ddksE|ddkrU|d|_n d|_d}t|ƒdkrƒ|d}n|j|ƒd S( sSets action of the ruleR.iR/R0R2tdenyRiN(tlowertsplitRtlent set_logtype(RRttmpR((s./usr/lib/python2.7/dist-packages/ufw/common.pyR «s0  Rc Cs×tdƒ|}|dkrn‡|dkr7|jr7no|dkrO|jrOnWtjd|ƒsstjd|ƒr‚t|ƒ‚n$|jdƒ|jdƒd kr³t|ƒ‚nó|jdƒ}t|ƒd krãt|ƒ‚nt|ƒd krt |_ nd }x–|D]Ž}tjd |ƒrÕt |_ |jdƒ}t|ƒd kr_t|ƒ‚nxA|D]9}t |ƒd kst |ƒdkrft|ƒ‚qfqfWt |dƒt |d ƒkrst|ƒ‚qsnžtjd|ƒrt |ƒd ks t |ƒdkrst|ƒ‚qsnVtjd|ƒrgyt j |ƒ}Wqstk rc} t|ƒ‚qsXn t|ƒ‚|r|dt|ƒ7}qt|ƒ}qW|}|dkrÄt|ƒ|_nt|ƒ|_dS(s:Sets port and location (destination or source) of the rules Bad port '%s'R RRs^[,:]s[,:]$R5t:iiRs ^\d+:\d+$iiÿÿis^\d+$s ^\w[\w\-]+N(R.RRR8tmatchRtcountRBRCtTrueRtinttsockett getservbynamet ExceptionR<RR( Rtporttlocterr_msgtportsREtptrantqterror((s./usr/lib/python2.7/dist-packages/ufw/common.pyR"¸sX $"    $ $  cCst|dksH|dksH|dksH|dksH|dksH|dkrT||_ntdƒ|}t|ƒ‚dS( sSets protocol of the ruleR1tudptipv6tesptahR sUnsupported protocol '%s'N(RR.R(RRRP((s./usr/lib/python2.7/dist-packages/ufw/common.pyR!ñs       cCsÜ|jrr|jr<|jdks0|jdkr<d|_n|jrØ|jdksc|jdkrØd|_qØnf|jr¥|jdks™|jdkr¥d|_n|jrØ|jdksÌ|jdkrØd|_ndS(sAdjusts src and dst based on v6R s 0.0.0.0/0s::/0N(RRR(R((s./usr/lib/python2.7/dist-packages/ufw/common.pyt _fix_anywhereþs ' '' 'cCs||_|jƒdS(sXSets whether this is ipv6 rule, and adjusts src and dst accordingly. N(RRZ(RR((s./usr/lib/python2.7/dist-packages/ufw/common.pytset_v6 s cCs`|jƒ}|dkrItjj|dƒ rItdƒ}t|ƒ‚n||_|jƒdS(sSets source address of ruleR sBad source addressN(RARtutilt valid_addressR.RRRZ(RtaddrRERP((s./usr/lib/python2.7/dist-packages/ufw/common.pyR#s  "  cCs`|jƒ}|dkrItjj|dƒ rItdƒ}t|ƒ‚n||_|jƒdS(s Sets destination address of ruleR sBad destination addressN(RARR\R]R.RRRZ(RR^RERP((s./usr/lib/python2.7/dist-packages/ufw/common.pyR$s  "  cCs¸|dkr3|dkr3tdƒ}t|ƒ‚ntjdt|ƒƒsftdƒ}t|ƒ‚ndt|ƒkr“tdƒ}t|ƒ‚n|dkr«||_n ||_dS( sSets an interface for ruleR toutsBad interface types!^[a-zA-Z][a-zA-Z0-9:]*[a-zA-Z0-9]sBad interface nameRFs/Bad interface name: can't use interface aliasesN(R.RR8RGR<RR(RttypetnameRP((s./usr/lib/python2.7/dist-packages/ufw/common.pyt set_interface&s     cCsJtjdt|ƒƒs7tdƒ|}t|ƒ‚nt|ƒ|_dS(sSets the position of the rules^[0-9]+s,Insert position '%s' is not a valid positionN(R8RGR<R.RRJR(RtnumRP((s./usr/lib/python2.7/dist-packages/ufw/common.pyt set_position9scCsb|jƒdks0|jƒdks0|dkrB|jƒ|_ntdƒ|}t|ƒ‚dS(sSets logtype of the ruletlogslog-allRsInvalid log type '%s'N(RARR.R(RRRP((s./usr/lib/python2.7/dist-packages/ufw/common.pyRD@s $ cCsD|dks|dkr$||_ntdƒ|}t|ƒ‚dS(sSets direction of the ruleR R_sUnsupported direction '%s'N(R&R.R(RR&RP((s./usr/lib/python2.7/dist-packages/ufw/common.pyR%Is cCsqt}|jriy(tjj|j|jƒ\|_}Wqitk re‚tdƒ}t|ƒ‚qiXn|r{||_ n|j rÛy(tjj|j |jƒ\|_ }WqÛtk r×tdƒ}t|ƒ‚qÛXn|j r|j j dƒ}tjj |ƒdj|ƒ|_ n|jr[|jj dƒ}tjj |ƒdj|ƒ|_n|rm||_ ndS(s&Normalize src and dst to standard forms"Could not normalize source addresss'Could not normalize destination addressR5N(RRRR\tnormalize_addressRRMR.RRRRRBt human_sorttjoinR(RtchangedRPRQ((s./usr/lib/python2.7/dist-packages/ufw/common.pyt normalizeQs8         cCs| s| rtƒ‚nd||f}|j|jkrJt|ƒdS|j|jkrjt|ƒdS|j|jkrŠt|ƒdS|j|jkrªt|ƒdS|j|jkrÊt|ƒdS|j|jkrêt|ƒdS|j|jkr t|ƒdS|j |j kr*t|ƒdS|j |j krJt|ƒdS|j |j krjt|ƒdS|j |j krŠt|ƒdS|j |j krÈ|j|jkrÈtdƒ}t|ƒdStdƒi|j d6|j d6|jd6|jd 6}t|ƒd S( s~Check if rules match Return codes: 0 match 1 no match -1 match all but action sNo match '%s' '%s'isFound exact matchis@Found non-action/non-logtype match (%(xa)s/%(ya)s %(xl)s/%(yl)s)txatyatxltyliÿÿÿÿ(t ValueErrorRRRRRRRRRRRR&RRR.(txtytdbg_msg((s./usr/lib/python2.7/dist-packages/ufw/common.pyRGtsZ            $    cCs<d„}| s| r#tƒ‚n|j|ƒdkr<dSd||j||jf}|jdkr}td|dƒdS|j|jkr°|jdkr°td |ƒdS|jdkrç||j|jƒ rçtd |ƒdS|jd krË|jd kr|j|j ƒrqà|j |j krMd |j krMtd |ƒdS|j |j kràd |j krà|j|jkràt j j |j |j |jƒ ràtd |d|j |j fƒdSn|jd kr|j|jkrtd|d|j|jfƒdSt j j |j|jƒ}|j |krnd |j krntd|d|j |fƒdS|j |kràd |j krà|j|jkràt j j ||j |jƒ ràtd|d||j fƒdS|j|jkrtd|d|j |j fƒdStd||j||jfƒdS(s®This will match if x is more specific than y. Eg, for protocol if x is tcp and y is all or for address if y is a network and x is a subset of y (where x is either an address or network). Returns: 0 match 1 no match -1 fuzzy match This is a fuzzy destination match, so source ports or addresses are not considered, and (currently) only incoming. cSs†x|jdƒD]n}||kr&tSd|kr|jdƒ\}}t|ƒt|ƒkr~t|ƒt|ƒkr~tSqqWtS(s:Returns True if p is an exact match or within a multi ruleR5RF(RBRIRJR(RRtto_matchRNtlowthigh((s./usr/lib/python2.7/dist-packages/ufw/common.pyt _match_ports¸s  0 is(No fuzzy match '%s (v6=%s)' '%s (v6=%s)'R s (direction) s (not incoming)iR s (protocol) s(dport) Rt/s(dst) s ('%s' not in network '%s')s (interface) s (%s != %s)s(v6) s'(fuzzy match) '%s (v6=%s)' '%s (v6=%s)'iÿÿÿÿ(RoRGRR&RRRRt _is_anywhereRRR\t in_networktget_ip_from_if(RpRqRvRrtif_ip((s./usr/lib/python2.7/dist-packages/ufw/common.pytfuzzy_dst_match¬s\  !%!!3" !  0 " cCs |dks|dkrtStS(sCheck if address is anywheres::/0s 0.0.0.0/0(RIR(RR^((s./usr/lib/python2.7/dist-packages/ufw/common.pyRx scCsûd}|jdks$|jdkr÷d|j|j|j|jf}|jdkrzd|j|j|j|jf}n|jdkr®d|j|j|j|jf}n|jdkrÑ|d|j7}n|jdkr÷|d|j7}q÷n|S(s$Returns a tuple to identify an app rule. Tuple is: dapp dst sapp src or dport dst sapp src or dapp dst sport src All of these might have in_eth0 out_eth0 (or similar) if an interface is also defined. Rs %s %s %s %ss in_%ss out_%s(RRRRRRRR(Rttupl((s./usr/lib/python2.7/dist-packages/ufw/common.pyt get_app_tuples "(RR R RRR+R-R'R R"R!RZR[R#R$RbRdRDR%RjRGR|RxR~(((s./usr/lib/python2.7/dist-packages/ufw/common.pyR )s.    C 9     # 8 ^ ((R8RKtufw.utilRRt programNamet state_dirt share_dirt trans_dirt config_dirt prefix_dirt iptables_dirRMRR (((s./usr/lib/python2.7/dist-packages/ufw/common.pyts