a

���_���@szdZd
dl
Z
d
dlZd
dlZd
dlmZ
d
dlZd
dlmZm	Z	m
Z

d
dlmZ
d
dl
Zdd�Zdd	�ZGd
d�d�ZdS)z'frontend.py: frontend interface for ufw�N)
�UFWError)�error�warn�msg)
�UFWBackendIptablesc

Cs�
tj
��}
d
D]}|
�tj
�|�
�

qdD]}|
�tj
�|�
�

q*dD]}|
�tj
�|�
�

qFdD]}|
�tj
�|�
�

qbdD]}|
�tj
�|�
�

q~dD]}|
�tj
�	|�
�

q�gd�
}|D](}|
�tj
�
|�
�

|
�tj
�|�
�

q�t|�
dk�
rRd	}||�
�d
k�
rd}||�
�dk�
rR||�
�dk�
rR||�
�|v�
rR|�|d
�
t|�
dk�
sxd
|v�
r�t|�
dk�
r�td�

z|
�|d	d��
}WnTt�
y�
}
ztd|j�

WYd}~n*d}~0t�
y�


tddd�
�Yn0|S)zEParse command. Returns tuple for action, rule, ip_version and dryrun.)�enable�disable�helpz--help�versionz	--version�reload�reset)�list�info�default�update)�on�offZlowZmediumZhighZfull)�allow�deny�reject)N�verboseZnumbered)�rawzbefore-rulesz
user-ruleszafter-rulesz
logging-rules�builtins�	listening�added)r�limitrr�insert�delete�prepend��
�	--dry-runr�route�rule�znot enough argsNz%szInvalid syntaxF)
Zdo_exit)�ufw�parserZ	UFWParserZregister_commandZUFWCommandBasicZ
UFWCommandAppZUFWCommandLoggingZUFWCommandDefaultZUFWCommandStatusZUFWCommandShow�UFWCommandRule�UFWCommandRouteRule�len�lowerrr�
parse_commandr�value�	Exception)�argv�
p�
iZ
rule_commands�idx�pr�
e�r4�./usr/lib/python3/dist-packages/ufw/frontend.pyr+sJ











��&



"


r+c
&Cs\td
t
jjdddddddd	d
ddd
ddddddddddddddddddd d!d"d#d$�#�
}|S)%zPrint help messagea+
Usage: %(progname)s %(command)s

%(commands)s:
 %(enable)-31s enables the firewall
 %(disable)-31s disables the firewall
 %(default)-31s set default policy
 %(logging)-31s set logging to %(level)s
 %(allow)-31s add allow %(rule)s
 %(deny)-31s add deny %(rule)s
 %(reject)-31s add reject %(rule)s
 %(limit)-31s add limit %(rule)s
 %(delete)-31s delete %(urule)s
 %(insert)-31s insert %(urule)s at %(number)s
 %(prepend)-31s prepend %(urule)s
 %(route)-31s add route %(urule)s
 %(route-delete)-31s delete route %(urule)s
 %(route-insert)-31s insert route %(urule)s at %(number)s
 %(reload)-31s reload firewall
 %(reset)-31s reset firewall
 %(status)-31s show firewall status
 %(statusnum)-31s show firewall status as numbered list of %(rules)s
 %(statusverbose)-31s show verbose firewall status
 %(show)-31s show firewall report
 %(version)-31s display version information

%(appcommands)s:
 %(applist)-31s list application profiles
 %(appinfo)-31s show information on %(profile)s
 %(appupdate)-31s update %(profile)s
 %(appdefault)-31s set default application policy
ZCOMMANDZCommandsrrzdefault ARGz
logging LEVELZLEVELz
allow ARGSr#z	deny ARGSzreject ARGSz
limit ARGSzdelete RULE|NUMZRULEzinsert NUM RULEzprepend RULEz
route RULEzroute delete RULE|NUMzroute insert NUM RULEZNUMrr�statuszstatus numberedZRULESzstatus verbosezshow ARGr
zApplication profile commandszapp listzapp info PROFILEZPROFILEzapp update PROFILEzapp default ARG)#ZprognameZcommandZcommandsrrrZlogging�levelrr#rrrrZurulerrr"zroute-deletezroute-insert�numberrrr6Z	statusnum�rulesZ
statusverbose�showr
ZappcommandsZapplistZappinfo�profileZ	appupdateZ
appdefault)�
_r%�common�programName)
Zhelp_msgr4r4r5�get_command_help[sN

































��Cr?c@s�eZ
dZd
Zd,dd�
Zdd�Zdd	�Zd
d�Zd-d
d�
Zd.dd�
Z	dd�Z
dd�Zdd�Zd/dd�
Z
d0dd�
Zdd�Zdd�Zd d!�Zd"d#�Zd$d%�Zd&d'�Zd(d)�Zd1d*d+�
ZdS)2�UFWFrontendZUI�iptablesNcCsb|d
kr4zt|
||d�|_
Wq@ty0


�Yq@0ntd|�
�
td�
|_td�
|_td�
|_dS)NrA)�rootdir�datadirzUnsupported backend type '%s'�
n�
y�yes)r�backendr-rr<�norF�yes_full)�self�dryrunZbackend_typerBrCr4r4r5�__init__�s


�





zUFWFrontend.__init__c
Cs�
d
}d}|
rd}d}|
r"|j�
�r0|
s4|j�
�r4d}|r�z|j�|jjdd|�
Wn.ty�
}
zt|j�

WYd}~n
d}~00d
}|
�
r6z|j��
Wn.ty�
}
z|r�|j}WYd}~n
d}~00|d
k�
r,z|j�|jjddd�
Wn0t�
y"
}
zt|j�

WYd}~n
d}~00t|�

td	�
}nHz|j�	�
Wn0t�
yt
}
zt|j�

WYd}~n
d}~00td
�
}|S)zlToggles ENABLED state in <config_dir>/ufw/ufw.conf and starts or
           stops running firewall.
        �rHrFFTZconfZENABLEDNz0Firewall is active and enabled on system startupz/Firewall stopped and disabled on system startup)
rG�
is_enabledZset_default�filesrrr,�start_firewallr<�
stop_firewall)rJZenabled�resZ
config_strZchangedr3Z	error_strr4r4r5�set_enabled�sP



�
�


�
 








�
 



 zUFWFrontend.set_enabledc
Cshd
}z0|j�
|
|�}|j��r2|j��
|j��
Wn.tyb
}
zt|j�

WYd}~n
d}~00|S)zSets default policy of firewallrMN)rG�set_default_policyrNrQrPrrr,)rJ�policy�	directionrRr3r4r4r5rT�s








 zUFWFrontend.set_default_policyc
CsHd
}z|j�
|
�
}Wn.tyB
}
zt|j�

WYd}~n
d}~00|S)zSets log level of firewallrMN)rG�set_loglevelrrr,)rJr7rRr3r4r4r5rW�s



 zUFWFrontend.set_loglevelFc
CsFz|j�
|
|�}Wn.ty@
}
zt|j�

WYd
}~n
d
}~00|S)zShows status of firewallN)rG�
get_statusrrr,)rJrZ
show_count�outr3r4r4r5rX
s



 zUFWFrontend.get_statusrc
CsDz|j�
|
�
}Wn.ty>
}
zt|j�

WYd
}~n
d
}~00|S)zShows raw output of firewallN)rGZget_running_rawrrr,)rJZ
rules_typerYr3r4r4r5�get_show_raw
s



 zUFWFrontend.get_show_rawc
Cs"d
}
ztj
�|j���
}Wn"ty<


td�
}t|�
�
Yn0|j��}t	|�
��
}|��
|D�
]�}|j��sz|dvrzq`|
d|7}
t	||�
��
}|��
|D�
]^}|||D�
]J}	|	d}
|
�d�
s�|
�d�
s�d
}|
d|7}
|
d	ks�|
d
k�
r|
d7}
d|	d}
n|
d
|
7}
tj
�
|
�
}|
dtj�|	d�
7}
tjjd|dd�||
ddd�}|�|�d�
�

|d
k�
r�|�d|�
|��
|j�|�
}
t|
�
dk�
r�|
d7}
|
D]D}|dk�
r�|dt|�
k�
r�|
d|tjj�||d�
f7}
�
q�|
d7}
q�q�q`|j���stj
�d�

|
S)zMShows listening services and incoming rules that might affect
           themrMzCould not get listening status)Ztcp6Zudp6z%s:
Zladdrz127.z::1z  %s z0.0.0.0z::z* z%s/0z%s z(%s)ZexerNr$ZinF)�actionZprotocolZdport�dstrV�forward�
6r
�

r z   [%2d] %s
z)Skipping tcp6 and udp6 (IPv6 is disabled))r%�utilZparse_netstat_outputrG�use_ipv6r-r<r�	get_rulesr
�keys�sort�
startswithZget_if_from_ip�os�path�basenamer=ZUFWRule�set_v6�endswithZ
set_interfaceZ	normalizeZget_matchingr)r&r'�get_command�debug)rJrR�
d�err_msgr9Z	protocolsZproto�portsZport�itemZaddrZifnamer#Zmatchingr0r4r4r5�get_show_listening
sl




















�










�








��
zUFWFrontend.get_show_listeningc
Cs�|j�
�}
td
�
}t|
�
dkr*|td�
Sg}|j�
�D]L}|jrVdtjj�|�
}ntjj	�|�
}||vrnq8|�
|�

|d|7}q8|S)z!Shows added rules to the firewallz9Added user rules (see 'ufw status' for running firewall):r
z
(None)�route %sz
ufw %s)rGrbr<r)r]r%r&r(rkr'�append)rJr9rYr�
r�rstrr4r4r5�get_show_added\
s 





�


zUFWFrontend.get_show_addedcCsd
}d
}d
}g}|
jd
kr2|
j
d
kr2|�|
�

�
n�g}�
zt|
j�
r�|dkrZ|j�|
d�}n�|dkrr|j�|
d�}nt|dkr�|j�|
d�}|j�|
d�}|D]4}	|D]*}
|
j}d|
_|	�|
�
s�||
_|�|
�

q�q�ntd�
|}t	|�
�
t
|�
dk�
rJ|jj�
sJtd	�
}|dk�
r|}n.|dk�
r*|d
}n|dk�
rD|d|d
}|WS|D]8}|��}|
j|_|�
|
j�

|�|
j�

|�|�

�
qNn |j�|
�
}|
jdk�
r�|��
Wnt�
y�


�Yn0d}
d}td�
}|j�d�
}|j�d�
}t|�
D�]\}}|}
|j||k�r,|t|j�
d
7}t	|�
�
�z�|j���r&|dk�r�|jdk�rz|
dk�rj|dk�rjdnd}|�|�

n&|j|k�r�|t|j�
d
7}t	|�
�
|�d�

|j�|�
}�q�|dk�rb|jdk�r�|
dk�r�|dk�r�dnd}|�|�

nP|j|k�r|�|j|�

n2|jdk�rH|j|k
�rH|t|j�
d
7}t	|�
�
|�d�

|j�|�
}�q�|dk�r|j}|�d�

|dk�r�|
dk�r�|dk�r�dnd}|�|�

nH|j�s�||k�r�|j�|||
d�}|dk�r�|�|�

n
|�d�

|j�|�
}|j�s.|dk�r.|j�d�
}|�|d�

|�d�

|dk�rj|
dk�rZ|dk�rZdnd}|�|�

nT|j�s�|jdk�r�|j|k
�r�|j�|jd�}|dk�r�|�||
�

n
|�d�

|d
k�r�|d7}|j�s�|j|k�r�|dk�r�|�|j|�

||j�|�
7}ntd�
|}t	|�
�
n�|jdk�rX|
dk�rJ|dk�rJdnd}|�|�

|dk�sl|dk�r�|�d�

|j�|�
}n0|dk�r�td�
}t	|�
�
ntd�
|}t	|�
�
Wn@t	�y�
}
z&|j}d}WYd}~
�qWYd}~n
d}~00|j�
r�td�
}t� |�

�
q�|�s&||7}n�t
|�
dk�r>t!|�

n�d}t"t#|
d�
�
}|��
|D]n}|
dk�r^||�r^||��}d|_z|�||�
Wn0t�y�


d}td�
|�$�}t |�

Yn0�q^|td�
7}|�r�|td�
7}n|td�
7}t	|�
�
|S)zUpdates firewall with rulerM�v4F�v6TZbothzInvalid IP version '%s'r
z"Could not delete non-existent rulez (v6)r_zInvalid position '�
'���r zIPv6 support not enabledNz Rule changed after normalizationzCould not back out rule '%s'z"
Error applying application rules.z# Some rules could not be unapplied.z( Attempted rules successfully unapplied.)%�dapp�sapprs�removerGZget_app_rules_from_systemrxZmatchr<rr)rKZdup_ruleZ
set_actionr[Zset_logtypeZlogtypeZget_app_rules_from_templateZposition�reverser-Zget_rules_count�	enumerate�strraZset_positionri�set_ruleZfind_other_positionr,Zupdated�warningsrrr
�rangeZformat_rule)rJr#�
ip_versionrRrn�tmpr9ZtmprulesZ	tmprules6�
xrEZprev6rt�countZ	set_errorZpos_err_msgZnum_v4Znum_v6r0ZbeginZuser_posr/r3Zwarn_msgZ
undo_errorZindexes�
jZbackout_ruler4r4r5r�y
sN









�

�

�
�









































































�












�

�





�


















&















�

zUFWFrontend.set_rulec
Cs\
zt|
�
}Wn&t
y2


td
�
|
}t|�
�
Yn0|j��}|dk
sR|t|�
krftd�
|}t|�
�
|j�|�
}|s�td�
|}t|�
�
d|_d}|j	r�d}d}|�
s8|j
r�dtjj
�|�
}	ntjj�|�
}	td�
|	|j|jd	�}
t|
tjd
d�
tj������}|dk�
r8||j��k�
r8||j��k�
r8d
}d
}|�
rP|�||�}ntd�
}|S)zDelete rulezCould not find rule '%s'r
zCould not find rule '%d'Trwrxrrz=Deleting:
 %(rule)s
Proceed with operation (%(yes)s|%(no)s)? )r#rFrHF��outputZnewlinerErM�Aborted)�intr-r<rrGrbr)Zget_rule_by_numberr}rxr]r%r&r(rkr'rFrHr�sys�stdout�stdin�readliner*�striprIr�)
rJr8�forcerDrnr9r#r��proceedru�prompt�ansrRr4r4r5�delete_ruleEsR
















�



��


�

zUFWFrontend.delete_rulec	
CsZd
}|
�d�
rB|
�
d�
}t|�
dkr4|�|d�
}n
|�d�
}�n|
dkrX|�d�
}�n�|
�d�
r�td	�
}|
�
d
�
}t|�
dkr�t|�
�
|�|d|d�}�n�|
d
kr�|�|�
}�n�|
dkr�|��}�n�|
dkr�|�d�
}�nv|
�d�
�
r0|
�
d
�
d}|dk�
r|�	�}n|dk�
r"|�
�}n
|�|�
}�n&|
dk�
rJ|�dd�}�n|
dk�
rb|�d�
}�
n�|
dk�
rz|�d�
}�
n�|
dk�
r�|j
���
r�|�d�

|�d�

td�
}ntd�
}�
n�|
�d�
�
r�|�|
�
d
�
d|�}�
nv|
dk�s|
dk�s|
dk�s|
dk�rB|jd
k�r�z0|j
�|j�
}||jk�rB||_|�|d �
WnXt�y�
}
z>|j�sht|j�

tj�|j�
�s�td!�
}t|�
�
WYd"}~n
d"}~00|jd
k�r4z0|j
�|j�
}||jk�r�||_|�|d �
WnXt�y2
}
z>|j�s�t|j�

tj�|j�
�std!�
}t|�
�
WYd"}~n
d"}~00|�||�}ntd#�
|
}t|�
�
|S)$z�Perform action on rule. action, rule and ip_version are usually
           based on return values from parse_command().
        rMz
logging-onr<r rzlogging-offrzdefault-zUnsupported default policy�
-r$rrr6zstatus-verboseTr:rrzstatus-numberedFrrr�Firewall reloadedz&Firewall not enabled (skipping reload)zdelete-rrrrr\�Invalid profile nameN�Unsupported action '%s')re�splitr)rWr<rrTrrXrqrvrZrSrGrNr�r{Zfind_application_nameZset_portr}rr,r%�applications�valid_profile_namer|r�)	rJr[r#r�r�rRr�rnr3r4r4r5�	do_actionvs�





















































�






















zUFWFrontend.do_actionc
CsHd
}z|j�
|
�
}Wn.tyB
}
zt|j�

WYd}~n
d}~00|S)z+Sets default application policy of firewallrMN)rG�set_default_application_policyrrr,)rJrUrRr3r4r4r5r��s



 z*UFWFrontend.set_default_application_policyc
Cs:t|j
j���
}
|
��
td
�
}|
D]}|d|7}q$|S)z*Display list of known application profileszAvailable applications:�
  %s)r
rG�profilesrcrdr<)rJ�namesrurDr4r4r5�get_application_list�s




z UFWFrontend.get_application_listcCs�
g}|
d
kr&t|j
j���
}|��
n&tj�|
�
sBtd�
}t	|�
�
|�
|
�

d}|D�
]$}||j
jv
sr|j
j|s�td�
|}t	|�
�
tj�||j
j|�s�td�
}t	|�
�
|td�
|7}|td�
tj�|j
j|�
7}|td�
tj�
|j
j|�
7}tj�|j
j|�
}t|�
d	k�
s,d
|dv�
r:|td�
7}n|td
�
7}|D]}|d|7}�
qJ||t|�
d	krT|d7}qTtj�|�
S)zDisplay information on profile�allr�rMzCould not find profile '%s'zInvalid profilezProfile: %s
z
Title: %s
zDescription: %s

r �
,r
zPorts:zPort:r�z

--

)r
rGr�rcrdr%r�r�r<rrsZverify_profileZ	get_titleZget_descriptionZ	get_portsr)r`�	wrap_text)rJZpnamer�rnru�nameror/r4r4r5�get_application_info�sL












�


�



�


��




z UFWFrontend.get_application_infoc	Cs
d
}d}d}z|jj
r$tj��r$d}Wnty<


d}Yn0|
dkr�t|jj���
}|�	�
|D]4}|j�
|�
\}}|rb|d
kr�|d7}||7}|}qbn |j�
|
�
\}}|d
kr�|d7}|�
r|j���
r|�
rz|j��
Wnty�


�Yn0|t
d�
7}n|t
d�
7}|S)�Refresh application profilerMTFr�r_r�zSkipped reloading firewall)rG�	do_checksr%r`�	under_sshr-r
r�rcrdZupdate_app_rulerNZ_reload_user_rulesr<)	rJr;ruZallow_reloadZtrigger_reloadr�r/r�Zfoundr4r4r5�application_update
s<





















zUFWFrontend.application_updatecCs
d
}d
}|
dkr td�
}t
|�
�
|jjd}|dkrLtj�d||
f�

|S|dkrZd}n0|d	krhd
}n"|dkrvd}ntd�
|}t
|�
�
d
g
}|jjr�|�d�

|||
g7}zt	|�
}Wnt
y�


�Yn0d|jvr�|�|j
|jd|jd�}n|�|j
d
d
�}|S)r�rMr�z%Cannot specify 'all' with '--add-new'Zdefault_application_policy�skipz'Policy is '%s', not adding profile '%s'ZacceptrZdroprrzUnknown policy '%s'r%r!r#�iptype)r<rrG�defaultsr%r`rlrKrsr+r-�datar�r[)rJr;rurUrnr�argsr2r4r4r5�application_add8sB





�
















�zUFWFrontend.application_addcCs�d
}|
dkr|�d�
}n�|
dkr,|�d�
}n�|
dkr@|�d�
}n�|
dkrT|�d	�
}n�|
d
krf|�
�}nz|
dkrz|�|�
}nf|
dks�|
d
kr�|�|�
}d
}|
d
kr�|�|�
}|d
kr�|d
kr�|d7}||}ntd�
|
}t|�
�
|S)zzPerform action on profile. action and profile are usually based on
           return values from parse_command().
        rMz
default-allowrzdefault-denyrzdefault-rejectrzdefault-skipr�r
rrzupdate-with-newr_r�)r�r�r�r�r�r<r)rJr[r;rRZstr1Zstr2rnr4r4r5�do_application_actionbs0























z!UFWFrontend.do_application_actionc
Csrd
}
|jj
rntj��rntd�
|j|jd�}t|t	j
dd�
t	j���
���}|dkrn||jkrn||jkrnd}
|
S)z6If running under ssh, prompt the user for confirmationTzWCommand may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? �rFrHFr�rE)rGr�r%r`r�r<rFrHrr�r�r�r�r*r�rI)rJr�r�r�r4r4r5�continue_under_ssh�s

�


zUFWFrontend.continue_under_sshcCs�d
}td�
|j
|jd�}|jjrBtj��rBtd�
|j
|jd�}|jjr�|
s�ttj�	|�
t
jdd�
t
j�
�����}|dkr�||j
kr�||jkr�td�
}|S|j��r�||�d�
7}|j��}|S)	zReset the firewallrMzTResetting all rules to installed defaults. Proceed with operation (%(yes)s|%(no)s)? r�zResetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? Fr�rEr�)r<rFrHrGr�r%r`r�rr�r�r�r�r�r*r�rIrNrSr)rJr�rRr�r�r4r4r5r�s$
�
�








zUFWFrontend.reset)rANN)FF)
r)
F)
F)
F)�__name__�
__module__�__qualname__�__doc__rLrSrTrWrXrZrqrvr�r�r�r�r�r�r�r�r�r�rr4r4r4r5r@�s.


�
6


	
	HM
1
V
	.+* r@)r�rfr�r��
ufw.commonr�ufw.utilr%rrrZufw.backend_iptablesrZ
ufw.parserr+r?r@r4r4r4r5�<module>
s





>H