a

���_X�@sjdZd
dl
Z
d
dlZd
dlZd
dlmZ
dZdZdZeZ	dZ
dZd	Zd
Z
Gdd�de�ZGd
d�d�ZdS)z!common.py: common classes for ufw�N)
�debug�ufwz/lib/ufwz/usr/share/ufwz/etcz/usrz	/usr/sbinTc@s eZ
dZd
Zdd�Zdd�ZdS)�UFWErrorz$This class represents ufw exceptionscCs
|
|_dS�
N)
�value)�selfr�r�,/usr/lib/python3/dist-packages/ufw/common.py�__init__#s
zUFWError.__init__c

Cs
t|j
�
Sr)�reprr�
rrrr	�__str__&s
zUFWError.__str__N)�__name__�
__module__�__qualname__�__doc__r
r
rrrr	r!s

rc@s�eZ
dZd
Zd9dd�
Zd	d
�Zdd�Zd
d�Zdd�Zdd�Z	d:dd�
Z
dd�Zdd�Zdd�Z
dd�Zdd�Zd d!�Zd"d#�Zd$d%�Zd&d'�Zd(d)�Zd*d+�Zd,d-�Zd.d/�Zd0d1�Zd2d3�Zd4d5�Zd6d7�Zd8S);�UFWRulez$This class represents firewall rules�any�	0.0.0.0/0�inF�c

Cs�d
|_d
|_
d
|_d|_d|_d|_d|_d|_d
|_d|_	d|_
d|_d|_d|_
d|_d|_d|_||_d|_zV|�|
�

|�|�

|�|�

|�|d�
|�|�

|�|�

|�|�

|�|	�

Wnty�


�Yn0dS)NFrr
�src)�remove�updated�v6�dstr�dport�sport�protocol�multi�dapp�sapp�action�position�logtype�interface_in�
interface_out�	direction�forward�comment�
set_action�set_protocol�set_port�set_src�set_dst�
set_direction�set_commentr)
rr"rrrrrr'r(r)rrr	r
,s<


































zUFWRule.__init__c

Cs|��Sr)
�format_rulerrrr	r
Os
zUFWRule.__str__c
Cs>d
|}
t|j
�
}|��
|D]}|
d||j
|f7}
q|
S)zPrint rule to stdoutz'%s'z, %s=%s)�list�__dict__�sort)r�res�keys�
krrr	�_get_attribRs





zUFWRule._get_attribc
Cs�t|j
|j�}
|j|
_|j|
_|j|
_|j|
_|j|
_|j|
_|j	|
_	|j
|
_
|j|
_|j|
_|j
|
_
|j|
_|j|
_|j|
_|j|
_|j|
_|j|
_|
S)
zReturn a duplicate of a rule)rr"rrrrrrrrrr r!r#r$r%r&r'r(r))r�rulerrr	�dup_rule[s&
















zUFWRule.dup_rulec
Cs�d
}
|jd
kr|
d|j7}
|j
d
kr4|
d|j
7}
|jdkrH|
d7}
n�|
d|j7}
|jr�|
d7}
|jdkr�|jdkr�|
d|j7}
|
d7}
|
d	|j7}
n2|jdkr�|
d|j7}
n|jdkr�|
d	|j7}
|jd
kr�|jdkr�|
d|j7}
|j�
s|jdk�
r|
d
|j7}
|jd
k�
r:|jdk�
r:|
d|j7}
|j�
s\|jdk�
r\|
d|j7}
d
}|jd
k�
rvd|j}|j	dk�
r�|
d|7}
nT|j	dk�
r�|
d|7}
|jdk�
r�|
d7}
n&|j	dk�
r�|
d|7}
n|
d|7}
|j
d
k�
s�|jd
k�r�d}t�
d�
}|j
d
k�r,|d|�d|j
�7}|j
d
k�rL|jd
k�rL|d7}|jd
k�rn|d|�d|j�7}|d 7}|
d|7}
|
��S)!zFormat rule for later parsingrz -i %sz -o %srz -p allz -p z
 -m multiportz
 --dports z
 --sports r�::/0z -d z	 --dport z -s z	 --sport �
_�allowz -j ACCEPT%s�rejectz -j REJECT%sZtcpz --reject-with tcp-reset�limitz -j LIMIT%sz
 -j DROP%sz-m comment --comment '�
 Zdapp_z%20�
,Zsapp_�
')r%r&rrrrrrr$r"r r!�re�compileZsub�strip)rZrule_strZlstrr)Z	pat_spacerrr	r1rsd












































zUFWRule.format_rulecCsj|
���
d
�
}|ddks2|ddks2|ddkr>|d|_nd|_d}t|�
dkr\|d}|�|�

d	S)
zSets action of the ruler<r
r=r>r?�denyr�
N)�lower�splitr"�len�set_logtype)rr"�tmpr$rrr	r*�s
$



zUFWRule.set_actionrc		Cs�
td
�
|
}|
dkr�
n�|dkr*|j
r*�
n�|dkr<|jr<�
n|t�d|
�sTt�d|
�r`t|�
�
�
nX|
�d�
|
�d�
d	kr�t|�
�
�
n4|
�d�
}t|�
d
kr�d|_	d}|D�
]}t�d
|��
rd|_	|�d�
}|D]$}t
|�
d
ks�t
|�
dkr�t|�
�
q�t
|d�
t
|d
�
k�
r�t|�
�
nxt�d|��
rNt
|�
d
k�
sDt
|�
dk�
r�t|�
�
nDt�d|��
r�zt�|�
}Wnt
�
y�


t|�
�
Yn0nt|�
�
|�
r�|dt|�
7}q�t|�
}q�|}
|dk�
r�t|
�
|_n
t|
�
|_dS)z:Sets port and location (destination or source) of the rulez
Bad port '%s'rrrz^[,:]z[,:]$rA�
:�rGTrz	^\d+:\d+$i��r
z^\d+$z
^\w[\w\-]+N)r<r r!rC�matchr�countrIrJr�int�socketZ
getservbyname�	Exception�strrr)	r�portZloc�err_msg�portsrL�
pZran�
qrrr	r,�sP




































zUFWRule.set_portcCs2|
tj
jd
g
vr|
|_ntd�
|
}t|�
�
dS)zSets protocol of the rulerzUnsupported protocol '%s'N)r�utilZsupported_protocolsrr<r)rrrVrrr	r+�s

zUFWRule.set_protocolc

Cs�|jrH|j
r&|j
d
ks |j
dkr&d|_
|jr�|jd
ks@|jdkr�d|_n@|j
rh|j
d
ksb|j
dkrhd|_
|jr�|jd
ks�|jdkr�d|_dS)zAdjusts src and dst based on v6rrr;N)rrrrrrr	�
_fix_anywhere�s






zUFWRule._fix_anywherecCs|
|_|�
�
d
S)zXSets whether this is ipv6 rule, and adjusts src and dst
           accordingly.
        N)rr[)rrrrr	�set_v6
s
zUFWRule.set_v6cCs@|
��}|d
kr.t
j�|d
�s.td�
}t|�
�
||_|��
dS)zSets source address of rulerzBad source addressN)rHrrZ�
valid_addressr<rrr[�r�addrrLrVrrr	r-
s



zUFWRule.set_srccCs@|
��}|d
kr.t
j�|d
�s.td�
}t|�
�
||_|��
dS)z Sets destination address of rulerzBad destination addressN)rHrrZr]r<rrr[r^rrr	r.
s



zUFWRule.set_dstcCs�|
d
kr |
dkr td�
}t
|�
�
dt|�
vr<td�
}t
|�
�
dt|�
vrXtd�
}t
|�
�
t|�
dkspt|�
d	kr�td
�
}t
|�
�
tt|�
�
dkr�td�
}t
|�
�
tt|�
�
d
kr�td�
}t
|�
�
t�dt|�
�s�td�
}t
|�
�
|
d
kr�||_n||_dS)zSets an interface for ruler�outzBad interface type�
!z+Bad interface name: reserved character: '!'rMz/Bad interface name: can't use interface aliases�
.z..z)Bad interface name: can't use '.' or '..'r
z+Bad interface name: interface name is empty�z+Bad interface name: interface name too longz^[a-zA-Z0-9_\-\.\+,=%@]+$zBad interface nameN)r<rrTrJrCrOr%r&)rZif_type�namerVrrr	�
set_interface'
s0















zUFWRule.set_interfacecCs>t|
�
d
kr0t
�dt|
�
�s0td�
|
}t|�
�
t|
�
|_dS)zSets the position of the rulez-1z^[0-9]+z,Insert position '%s' is not a valid positionN)rTrCrOr<rrQr#)rZnumrVrrr	�set_positionW
s


zUFWRule.set_positioncCsD|
��d
ks |
��dks |
dkr,|
��|_
ntd�
|
}t|�
�
dS)zSets logtype of the rule�logzlog-allrzInvalid log type '%s'N)rHr$r<r)rr$rVrrr	rKa
s
�
zUFWRule.set_logtypecCs0|
d
ks|
dkr|
|_nt
d�
|
}t|�
�
dS)zSets direction of the rulerr`zUnsupported direction '%s'N)r'r<r)rr'rVrrr	r/j
s

zUFWRule.set_directionc

Cstj
�|j�
S)
zGet decoded comment of the rule)rrZZ
hex_decoder)rrrr	�get_commentr
szUFWRule.get_commentcCs
|
|_d
S)zSets comment of the ruleN)
r))rr)rrr	r0v
szUFWRule.set_commentc
Cs�d
}
|jrTzt
j�|j|j�\|_}
Wn"tyH


td�
}t|�
�
Yn0|
rT|
|_|j	r�zt
j�|j	|j�\|_	}
Wn"ty�


td�
}t|�
�
Yn0|
r�|
|_|j
r�|j
�d�
}t
j�|�

d�
|�
|_
|jr�|j�d�
}t
j�|�

d�
|�
|_dS)z&Normalize src and dst to standard formFz"Could not normalize source addressz'Could not normalize destination addressrAN)rrrZZnormalize_addressrrSr<rrrrrIZ
human_sort�joinr)r�changedrVrWrrr	�	normalizez
s:




�






�








zUFWRule.normalizecCs�
|r|
st��
d
||
f}|j
|
j
kr2t|�

dS|j|
jkrJt|�

dS|j|
jkrbt|�

dS|j|
jkrzt|�

dS|j|
jkr�t|�

dS|j|
jkr�t|�

dS|j|
jkr�t|�

dS|j	|
j	kr�t|�

dS|j
|
j
kr�t|�

dS|j|
jk�
rt|�

dS|j|
jk�
r&t|�

dS|j
|
j
k�
r@t|�

dS|j|
jk�
r~|j|
jk�
r~|j|
jk�
r~td�
}t|�

dS|j|
jk�
r�|j|
jk�
r�|j|
jk�
r�td�
}t|�

dStd�
|j|
j|j|
j|j|
jd�}t|�

d	S)
z�Check if rules match
        Return codes:
          0  match
          1  no match
         -1  match all but action, log-type and/or comment
         -2  match all but comment
        zNo match '%s' '%s'rGzFound exact matchr
z$Found exact match, excepting comment���zZFound non-action/non-logtype/comment match (%(xa)s/%(ya)s/'%(xc)s' %(xl)s/%(yl)s/'%(yc)s'))ZxaZyaZxlZylZxcZyc���)�
ValueErrorrrrrrrrr r!r%r&r'r(r"r$r)r<)�
x�
y�dbg_msgrrr	rO�
sv







































�




�



��
z
UFWRule.matchcCs�d
d�}|r|
st��
|�
|
�
dkr(dSd||j|
|
jf}|
jdkrZtd|d�

dS|
j|jkrvt|d	�

dS|j|
jkr�|
jd
kr�td|�

dS|
jd
kr�||j|
j�s�td|�

dS|
jd
k�
rv|jd
kr�|�	|j
�
r�n�|j
|
j
k�
rd|
j
v
�
rtd|�

dS|j
|
j
k�r�d|
j
v�r�|j|
jk�r�tj�
|j
|
j
|j��s�td|d|j
|
j
f�

dS�
n|jd
k�
r�|j|
jk�
r�td|d|j|
jf�

dSztj�|
j|j�}Wn,t�
y�


td|d|
j�

YdS0|
j
|k�r*d|
j
v
�r*td|d|
j
|f�

dS|
j
|k�r�d|
j
v�r�|j|
jk�r�tj�
||
j
|j��s�td|d||
j
f�

dS|j|
jk�r�td|d|j
|
j
f�

dStd||j|
|
jf�

dS)a�
This will match if x is more specific than y. Eg, for protocol if x
           is tcp and y is all or for address if y is a network and x is a
           subset of y (where x is either an address or network). Returns:

            0  match
            1  no match
           -1  fuzzy match

           This is a fuzzy destination match, so source ports or addresses
           are not considered, and (currently) only incoming.
        cSs~d
|vsd|vr ||
krdSdS|
�d
�
D]N}||kr<
dSd|vr*|�d�
\}}t
|�
t
|�
kr*t
|�
t
|�
k
r*
dSq*dS)z:Returns True if p is an exact match or within a multi rulerArMTF)rIrQ)Ztest_pZto_matchrU�low�highrrr	�_match_ports�
s







 
z-UFWRule.fuzzy_dst_match.<locals>._match_portsr
z(No fuzzy match '%s (v6=%s)' '%s (v6=%s)'rz(direction) z (not incoming)rGz (forward does not match)rz(protocol) z(dport) r�
/z(dst) z ('%s' not in network '%s')z(interface) z (%s != %s)z %s does not existz(v6) z'(fuzzy match) '%s (v6=%s)' '%s (v6=%s)'rm)rnrOrr'rr(rrr%�_is_anywhererrrZZ
in_networkZget_ip_from_if�IOError)rorprtrqZif_iprrr	�fuzzy_dst_match�
s|


�












(
�


�



�




�


�
&
�
�


zUFWRule.fuzzy_dst_matchcCs|
d
ks|
dkrdSdS)zCheck if address is anywherer;rTFr)rr_rrr	rvNs

zUFWRule._is_anywherec
Cs�d
}
|jd
ks|j
d
kr�d|j|j|j
|jf}
|jd
krRd|j|j|j
|jf}
|j
d
krtd|j|j|j|jf}
|jd
kr�|jd
kr�|
d|j7}
n0|jd
kr�|
d|j7}
|jd
kr�|
d|j7}
|
S)a�
Returns a tuple to identify an app rule. Tuple is:
             dapp dst sapp src direction_iface|direction
           or
             dport dst sapp src direction_iface|direction
           or
             dapp dst sport src direction_iface|direction

           where direction_iface is of form 'in_eth0', 'out_eth0' or
           'in_eth0 out_eth0' (ie, both interfaces used). If no interfaces are
           specified, then tuple ends with the direction instead.
        rz%s %s %s %sz %sz in_%sz out_%s)	r r!rrrrr%r&r')rZtuplrrr	�
get_app_tupleTs$





�


�





zUFWRule.get_app_tuplecCs�|jd
kr4|j
dks|jdkr4td�
|j}t|�
�
|jtjjvr`|
dkr`td�
|j}t|�
�
|jtjjvr�|j	d
ks�|j
d
kr�td�
|j}t|�
�
dS)zVerify rulerrz3Improper rule syntax ('%s' specified with app rule)rz'Invalid IPv6 address with protocol '%s'zInvalid port with protocol '%s'N)rr!r r<rrrZZipv4_only_protocolsZportless_protocolsrr)rZrule_iptyperVrrr	�verifyvs,

�
�
�
�
�


�zUFWRule.verifyN)rrrrrFr)
r)rrrrr
r
r8r:r1r*r,r+r[r\r-r.rerfrKr/rhr0rkrOrxrvryrzrrrr	r*s8



�
#	C
5


0
	#Cn"r)rrCrR�ufw.utilrr�programName�	state_dirZ	share_dir�	trans_dirZ
config_dirZ
prefix_dirZiptables_dir�	do_checksrSrrrrrr	�<module>
s