HEX
Server: Apache/2.4.65 (Debian)
System: Linux kubikelcreative 5.10.0-35-amd64 #1 SMP Debian 5.10.237-1 (2025-05-19) x86_64
User: www-data (33)
PHP: 8.4.13
Disabled: NONE
File: //usr/lib/python3/dist-packages/ufw/__pycache__/util.cpython-39.pyc
a

���_�@sFdZddlmZddlZddlZddlZddlZddlZddlZddl	Z	ddl
Z
ddlZddlZddl
Z
ddlZddlZddlmZddlmZmZdZdZgd�Zgd�Zd	d
gZdd�Zd
d�Zdd�Zdd�Zdd�Zdhdd�Zdd�Z dd�Z!dd�Z"dd�Z#did!d"�Z$d#d$�Z%d%d&�Z&d'd(�Z'djd)d*�Z(d+d,�Z)ej*d fd-d.�Z+d/d0�Z,d1d2�Z-d3d4�Z.d5d6�Z/e	�0�fd7d8�Z1e	�0�fd9d:�Z2d;d<�Z3d=d>�Z4d?d@�Z5dAdB�Z6dCdD�Z7dEdF�Z8dGdH�Z9dIdJ�Z:dkdKdL�Z;dldMdN�Z<dOdP�Z=dmdQdR�Z>dSdT�Z?dUdV�Z@dWdX�ZAdYdZ�ZBd[d\�ZCd]d^�ZDd_d`�ZEdadb�ZFdnddde�ZGdfdg�ZHdS)oz"util.py: utility functions for ufw�)�print_functionN)�reduce)�mkstemp�mktempF)�tcp�udp�ipv6�esp�ah�igmp�gre)rr	r
rrrrcCs�d}zt�|�Wnty&�Yn0zt�|d�d}WntyNYn0z"t�|d�|dkrld}nd}Wnty�Yn0|S)z8Get the protocol for a specified port from /etc/services�rr�any)�socket�
getservbyname�	Exception)�port�proto�r�*/usr/lib/python3/dist-packages/ufw/util.py�get_services_proto.s$rcCs~d}d}|�d�}t|�dkr,|d}d}nJt|�dkrf|d}|d}|tvrvtd|�}t|��ntd�}t|��||fS)	zParse port or port and protocolr
�/�rr�zInvalid port with protocol '%s'zBad port)�split�len�portless_protocols�_�
ValueError)Zp_strrr�tmp�err_msgrrr�parse_port_protoHs

r!cCs�tjstd�dSt|�dks*t�d|�s.dS|�d�}zt�tj|d�Wnt	ybYdS0t|�dkrtdSt|�dkr�t
|dd	�s�dSd	S)
zVerifies if valid IPv6 addressz"python does not have IPv6 support.F�+z^[a-fA-F0-9:\./]+$rrrrT)r�has_ipv6�warnr�re�matchr�	inet_pton�AF_INET6r�_valid_cidr_netmask��addr�netrrr�valid_address6\s 
r-cCs�t|�dkst�d|�sdS|�d�}z*t�tj|d�t|dd�sNWdSWntydYdS0t|�dkrvdSt|�dkr�t	|dd�s�dSdS)	zVerifies if valid IPv4 address�z^[0-9\./]+$FrrrrT)
rr%r&rrr'�AF_INET�_valid_dotted_quadsr�
valid_netmaskr*rrr�valid_address4vs

r2cCst||�pt||�S)z(Verifies if valid cidr or dotted netmask)r)r0)�nm�v6rrrr1�sr1rcCs@|dkrt|�S|dkr t|�S|dkr8t|�p6t|�St�dS)zValidate IP addresses�6�4rN)r-r2r)r+�versionrrr�
valid_address�sr8c	Csfg}d}d}tj}|r d}tj}d|vrn|�d�}|rJ|ddkrJ|d=qx|sx|ddksf|ddkrx|d=n
|�|�|s�t|�d	kr�t|d|�r�zt|d|�|d<Wnty�Yn0|d
}t�	|t�
||��}||d
kr�d}t|�d	k�r>|d|d7}|�s>t|�}||k�r>d||f}t|�|}d}t
||��s^d
|}t|�t�||fS)z�Convert address to standard form. Use no netmask for IP addresses. If
       netmask is specified and not all 1's, for IPv4 use cidr if possible,
       otherwise dotted netmask and for IPv6, use cidr.
    Fr6r5rrZ128Z32z255.255.255.255rrTzUsing '%s' for address '%s'zInvalid address '%s')rr/r(r�appendrr0�_dotted_netmask_to_cidrr�	inet_ntopr'�_address4_to_network�debugr8r)	�origr4r,�changedr7Zs_typer+�network�dbg_msgrrr�normalize_address�sJ


rBcCs(zt|d�}Wnty"�Yn0|S)z"Opens the specified file read-only�r)�openr)�fnr>rrr�open_file_read�s
rFcCs\zt|�}Wnty �Yn0zt�\}}WntyL|���Yn0||||d�S)z=Opens the specified file read-only and a tempfile read-write.)r>�orignamer�tmpname)rFrr�close)rEr>rrHrrr�
open_files�srJcCs�|dkrdS|sttjd��tr<|tj��kr<t�|�dSd}tjddkrbt	�|t
|d��}nt	�||�}|dkr�ttjd��dS)	z~Write to the file descriptor and error out of 0 bytes written. Intended
       to be used with open_files() and close_files().r
NzNot a valid file descriptor���r��asciiz"Could not write to file descriptor)�OSError�errno�ENOENT�
msg_output�sys�stdout�fileno�write�version_info�os�bytesZEIO)�fd�out�rcrrr�
write_to_file�s
r\TcCs�|d��t�|d�|r`z,t�|d|d�t�|d|d�Wnty^�Yn0zt�|d�Wnty��Yn0dS)zuCloses the specified files (as returned by open_files), and update
       original file with the temporary file.
    r>rrGrHN)rIrW�shutilZcopystat�copyr�unlinkrN)Zfns�updaterrr�close_filessrac
Csnt|�ztj|tjtjdd�}Wn0tyR}zdt|�gWYd}~Sd}~00|��d}|jt|�gS)z!Try to execute the given command.T)rS�stderrZuniversal_newlines�Nr)	r=�
subprocess�Popen�PIPEZSTDOUTrN�str�communicate�
returncode)�commandZsp�exrZrrr�cmd$s
�
"rlc
Cspz$tj|tjd�}tj||jd�}Wn0tyT}zdt|�gWYd}~Sd}~00|��d}|jt|�gS)z#Try to pipe command1 into command2.)rS)�stdinrcNr)rdrerfrSrNrgrhri)Zcommand1Zcommand2Zsp1Zsp2rkrZrrr�cmd_pipe2s"rncCs�z
|j}Wnty |}Yn0z|�dd�}WntyH|}Yn0trft�tj�rf|�|�n|�t	|��|�
�dS)zQImplement our own print statement that will output utf-8 when
       appropriate.�utf-8�ignoreN)�bufferr�encoderQ�inspectZisclass�io�StringIOrUrX�flush)�output�s�writerrZrrr�_print@s


rzcCs:zttjd|�Wnty&Yn0|r6t�d�dS)zPrint error message and exitz
ERROR: %s
rN)rzrRrb�IOError�exit)rZ�do_exitrrr�errorUsr~cCs,zttjd|�Wnty&Yn0dS)zPrint warning messagez	WARN: %s
N)rzrRrbr{�rZrrrr$`sr$cCsPtr|tjkrt}z&|r(t|d|�nt|d|�WntyJYn0dS)z
Print messagez%s
z%sN)rQrRrSrzr{)rZrw�newlinerrr�msghsr�cCs0tr,zttjd|�Wnty*Yn0dS)zPrint debug messagez
DEBUG: %s
N)�	DEBUGGINGrzrRrbr{rrrrr=vs
r=cCst|fdd�|�d��S)z�
    A word-wrap function that preserves existing line breaks
    and most spaces in the text. Expects that existing line
    breaks are posix newlines (
).
    c	Ss<d|dt|�|�d�dt|�dd�d�|k|fS)Nz%s%s%sz 
�
rr)r�rfindr)�lineZword�widthrrr�<lambda>�s����zword_wrap.<locals>.<lambda>� )rr)�textr�rrr�	word_wraps�r�cCs
t|d�S)zWord wrap to a specific width�K)r�)r�rrr�	wrap_text�sr�cs dd��|j�fdd�d�dS)a$Sorts list of strings into numeric order, with text case-insensitive.
       Modifies list in place.

       Eg:
       [ '80', 'a222', 'a32', 'a2', 'b1', '443', 'telnet', '3', 'http', 'ZZZ']

       sorts to:
       ['3', '80', '443', 'a2', 'a32', 'a222', 'b1', 'http', 'telnet', 'ZZZ']
    cSs|��rt|�S|��S)N)�isdigit�int�lower)�trrrr���zhuman_sort.<locals>.<lambda>cs�fdd�t�d|�D�S)Ncsg|]}�|��qSrr)�.0�c�Znormrr�
<listcomp>�r�z0human_sort.<locals>.<lambda>.<locals>.<listcomp>z([0-9]+))r%r)�kr�rrr��r�)�keyN)�sort)�lstrr�r�
human_sort�s
r�cCs�zt|�}Wnty&td��Yn0tj�dt|�d�}tj�|�sTtd|��z&t	|��
�d�d�d��d}Wnty��Yn0t|�S)zdFinds parent process id for pid based on /proc/<pid>/stat. See
       'man 5 proc' for details.
    zpid must be an integer�/proc�stat�Couldn't find '%s'r�)r)r�rrrW�path�joinrg�isfiler{rD�	readlinesr)Zmypid�pid�name�ppidrrr�get_ppid�s&r�cCszt|�}WnLty0td�}t|�YdStyXtd�t|�}t|��Yn0|dksj|dkrndStj�	dt|�d�}tj�
|�s�td�|}t|��zt|���d�
�d}Wn&ty�td	�|}t|��Yn0td
|�|dk�rdSt|�Sd
S)z1Determine if current process is running under sshz%Couldn't find pid (is /proc mounted?)Fz!Couldn't find parent pid for '%s'rr�r�r�rz"Could not find executable for '%s'zunder_ssh: exe is '%s'z(sshd)TN)r�r{rr$rrgrrWr�r�r�rDr�rr=�	under_ssh)r�r��warn_msgr r��exerrrr��s0
r�cCs8d}|rd}t�d|�r0t|�dks0t|�|kr4dSdS)zVerifies cidr netmasks� ��^[0-9]+$rFT)r%r&r�)r3r4�numrrrr)�s$r)cCsf|rdSt�d|�r^t�d|�}t|�dkr0dS|D]&}|rTt|�dksTt|�dkr4dSq4ndSdS)z.Verifies dotted quad ip addresses and netmasksFz^[0-9]+\.[0-9\.]+$z\.�r�T)r%r&rrr�)r3r4Zquads�qrrrr0�s
r0c
Cs�d}|rt�n�t||�st�d}ztt�dt�|��d�}Wn,tyjtt�dt�|��d�}Yn0d}t	d�D]0}||?d@dkr�d}qx|r�d}q�qx|d7}qx|dkr�|dkr�t
d|�}t||�s�t�|S)	z@Convert netmask to cidr. IPv6 dotted netmasks are not supported.r
r�>LFr�rTrK)rr0�long�struct�unpackr�	inet_aton�	NameErrorr��rangergr))r3r4�cidrZmbits�bitsZ	found_one�nrrrr:s.
 

r:cCs�d}|rt�nnt||�st�ztd�}Wnty>d}Yn0td�D] }|t|�krH|dd|>O}qHt�t�	d|��}t
||�s�t�|S)z<Convert cidr to netmask. IPv6 dotted netmasks not supported.r
rr�rr.r�)rr)r�r�r�r�r�	inet_ntoar��packr0)r�r4r3r�r�rrr�_cidr_to_dotted_netmask3s 


r�c	
Cs
d|vrtd�|S|�d�}t|�dks8t|dd�s<t�|d}|d}|}t|d�rdt|d�}z8tt�	dt
�|��d�}tt�	dt
�|��d�}WnFty�t
t�	dt
�|��d�}t
t�	dt
�|��d�}Yn0||@}t
�t�d|��}d||fS)	z8Convert an IPv4 address and netmask to a network addressrz8_address4_to_network: skipping address without a netmaskrrFrr��%s/%s)r=rrr0rr)r�r�r�r�rr�r�r�r�r�)	r+r�hostZorig_nmr3�	host_bits�nm_bitsZnetwork_bitsr@rrrr<Ps(


 r<cCs�dd�}d|vrtd�|S|�d�}t|�dks@t|dd�sDt�|d}|d}t�d	t�tj	|��}zt
d�}Wnty�d}Yn0td
�D]D}|||d�}td�D](}	|dt
||	�@d|	|d>O}q�q�zt
d�}
Wnty�d}
Yn0td
�D]$}|t
|�k�r|
dd|>O}
�q||
@}g}td
�D]0}|�t
||d
�|d|dd�d���qBt�tj	t�d	|d|d|d|d|d|d|d|d�	�}
d|
|fS)z8Convert an IPv6 address and netmask to a network addresscs$d��fdd�t|ddd�D��S)zDecimal to binaryr
csg|]}t�|?d@��qS)r)rg)r��y�r�rrr�wr�z9_address6_to_network.<locals>.dec2bin.<locals>.<listcomp>rrK)r�r�)r��countrr�r�dec2binusz%_address6_to_network.<locals>.dec2binrz8_address6_to_network: skipping address without a netmaskrrTrz>8H��rcr�rLr����r�)r=rrr1rr�r�rr'r(r�r�r�r�r9r;r�)r+r�r�	orig_host�netmaskZunpackedr��ir��jr�r,r�r@rrr�_address6_to_networkssL
�
(
.��r�c	CsZ|�d�}t|�dks$t|d|�s(t�|d}|d}|dksH|dkrLdS|}d|vr�|�d�}t|�dks|t|d|�s�t�|d}|dks�|dkr�dS|r�t|�r�t|�s�t�nt|�r�t|�s�t�t||�r�|s�t||�}|�rtd||f��d�d}td||f��d�d}n4t	d||f��d�d}t	d||f��d�d}||kS)	z&Determine if address x is in network yrrrrz0.0.0.0z::Tr�)
rrr1rr-r2r)r�r�r<)	Z
tested_addZ
tested_netr4rr�r��addressZorig_networkr@rrr�
in_network�sh


������������r�cCsJd}dD](}tj�|d�}tj�|�r,q2qd}q|dkrFttjd��|S)Nr
)z/sbinz/binz	/usr/sbinz/usr/binz/usr/local/sbinz/usr/local/bin�iptableszCould not find iptables)rWr�r��existsrNrOrP)r��drrr�_find_system_iptables�sr�cCsT|durt�}t|dg�\}}|dkr6ttjd|��t�d|�}t�dd|d�S)	zReturn iptables versionNz-VrzError running '%s'z\sz^vr
r)r�rlrNrOrPr%r�sub)r�r[rZrrrr�get_iptables_version�sr�cCs�dd�}|r$t��dkr$ttjd��|dur2t�}g}d}|�d�rHd}|td	d	d
�7}t|d|g�\}}|dkr~ttj	|��|||gd��r�|�
d
�|||gd��r�|�
d�t|d|g�t|d|g�\}}|dkr�ttj	|��|S)z[Return capabilities set for netfilter to support new features. Callers
       must be root.cSs*|d|g}t||�\}}|dkr&dSdS)Nz-ArTF)rl)r��chain�rule�argsr[rZrrr�test_caps

z,get_netfilter_capabilities.<locals>.test_caprzMust be rootNz
ufw-caps-testZ	ip6tableszufw6-caps-testr
)�prefix�dirz-N)�-m�	conntrack�	--ctstate�NEWr��recentz--setz
recent-set)r�r�r�r�r�r�z--updatez	--secondsZ30z
--hitcountr5z
recent-updatez-Fz-X)rW�getuidrNrOZEPERMr��endswithrrlrPr9)r��	do_checksr�Zcapsr�r[rZrrr�get_netfilter_capabilities�s,


r�cCst|�}t�}|��D�]}|�d�s2|�d�s2q|��}|d}|d�d�d}t�}d�|d�d�dd��|d<|d	|d
<|d�d�d|d
<|d
dkr�|d
|d<n|d�d�d|d<||vr�t�||<g|||<n|||v�rg|||<|||�|�q|S)z:Get and parse netstat the output from get_netstat_output()rrrr�:rKN�laddrrL�uidr�rr��-r�)�get_netstat_output�dict�
splitlines�
startswithrr�r9)r4Znetstat_outputr�r�rrr�itemrrr�parse_netstat_output6s, 
r�cs*d}|r�d}tj�|�s(ttjd|��t|���D]j}|���|�dkr4d�	�fdd�t
dt�d�d	�D��}�d
��dkr4d|t
�d
��d
�f}q4|dkr�ttjd��nft�tjtj�}z4t�t�|��dt�d|dd���dd��}Wn t�yttjd��Yn0t||�dS)zGet IP address for interfacer
�/proc/net/if_inet6�'%s' does not existr�r�cs g|]}�d||d��qS�rr�r�r�r��rrrr�jr�z"get_ip_from_if.<locals>.<listcomp>rr�r�80r�r��No such devicei�Z256sN���)rWr�r�rNrOrPrDr�rr�r�rr�r�r{�ENODEVrr/�
SOCK_DGRAMr��fcntlZioctlrTr�r�rrB)�ifnamer4r+�procr�rxrr�r�get_ip_from_if\s2 ���
rc	s^d}d}t|�rd}d}nt|�s.ttjd��tj�|�sJttj	d|��d}|r�t
|���D]�}|����d�
�}d	��fd
d�tdt�d�d
�D��}�d��dkr�d|t�d��d�f}||ks�d|vr^t||d�r^|}q�q^njt
|���D]\}d	|v�rq�|�d	�d�
�}zt|d�}Wnt�yDYq�Yn0||kr�|}�qZq�|S)zGet interface for IP addressFz
/proc/net/devTr�r�r�r
r�r�cs g|]}�d||d��qSr�rr�r�rrr��r�z"get_if_from_ip.<locals>.<listcomp>rr�rr�r�r�r)r-r2r{rOr�rWr�r�rNrPrDr�r�stripr�r�rr�r�r�r)r+r4r�Zmatchedr�r�Ztmp_addrZiprr�r�get_if_from_ip|sL ��
�

rc	
Cst�d�}|��t�d�}t�}|D]�}|�|�s6q&tj�d|d�}t�	|tj
tjB�s\q&d}zt�tj�d|d��}Wnt
y�Yn0zt�|�}Wnt
y�Yq&Yn0|D]P}zt�tj�||��d}Wnt
y�Yq�Yn0d|tj�|�f||<q�q&|S)zGet inodes of files in /procr�r�rYr�r�rr�)rW�listdirr�r%�compiler�r&r�r��access�F_OK�R_OK�readlinkrr��basename)	Z
proc_filesZpat�inodesr�Zfd_pathZexe_path�dirsr��inoderrr�_get_proc_inodes�s4




r
cCsddddddddd	d
dd�}d
dddd�}tj�d|�}t�|tjtjB�sPt�g}d}t|���}|D]�}|�	�}|s~d}qh|t
||dd�}	|�d�r�d}	n|�d�r�|	d
kr�qh||d�	d�\}
}||d}||d}
|�|
t
|d�||
|	f�qh|S)z=Read /proc/net/(tcp|udp)[6] file and return a list of tuples ZESTABLISHEDZSYN_SENTZSYN_RECVZ	FIN_WAIT1Z	FIN_WAIT2Z	TIME_WAITZCLOSEZ
CLOSE_WAITZLAST_ACKZLISTENZCLOSING)rrrLr�r�r�r�r��	�
�rrLr�r)�
local_addr�stater�rz	/proc/netFTrr�rZNArrr�r�r)
rWr�r�rrrrrDr�rr�r�r9)�protocolZ
tcp_statesZproc_net_fieldsrEr�Z
skipped_first�linesr�Zfieldsrr�rr�rrrr�_read_proc_net_protocol�sL�
�
rc	s�d}t��dkr~d�tddd�D],}�d��fdd�t|d|d�D��7�q td��fd	d�tdt��d
�D��d�d}nLg��fdd�tddd�D�D]}��tt|d
���q�td���d�d}|S)zDConvert an address from /proc/net/(tcp|udp)* to a normalized addressr
r�rr�csg|]}�|d|��qS�rr�r�r���paddrrrr�r�z(convert_proc_address.<locals>.<listcomp>���r�cs g|]}�||d����qS)r�)r�rr�rrr�r�r�Tcsg|]}�|d|��qSrrrrrrr�r�r��.F)rr�r�rBr9rgr�)rZ	convertedr�r)rrr�convert_proc_address�s"*���rc
Cs�t�}ddg}|r|ddg7}|D]@}zt|�||<Wq"ty`td|�}t|�Yq"Yq"0q"t�}t|���}|��d}|D]`}||D]R\}}	}
}}t	|�}
d}t
|�|vr�|t
|�}|d|d	|
|	f||
||f7}q�q�|S)
z5netstat-style output, without IPv6 address truncationrr�tcp6�udp6z!Could not get statistics for '%s'r
r�z%-5s %-46s %-11s %-5s %-11s %s
z%s:%s)r�rrrr$r
�list�keysr�rr�)r4Z
proc_net_datar�pr�r
�	protocolsrxr�rr�rrr+r�rrrr�s4
�r�cCsR|dur|S|�d�r@t|�dkr(|}qNtj�||dd��}ntj�||�}|S)zAdd prefix to dirNrrr)r�rrWr�r�)r�r�Znewdirrrr�	_findpath5s
r#cCs4tjddkrt�|d�St�|jddd���d�S)z,Take a string and convert it to a hex stringrrL�hexrorp)�errorsrM)rRrV�codecsrr�binasciiZhexlify�decode)rxrrr�
hex_encodeCsr)cCs0tjddkr |jdd��d�St�|��d�S)z,Take a hex string and convert it to a stringrrLr$)�encodingro)rRrVr(r'Z	unhexlify)�hrrr�
hex_decodeLsr,�
/run/ufw.lockcCs$d}|s t|d�}t�|tj�|S)zCreate a blocking lockfileN�w)rDr��lockfZLOCK_EX)�lockfile�dryrun�lockrrr�create_lockSs

r3cCs>|durdSzt�|tj�|��Wnty8Yn0dS)z(Free lockfile created with create_lock()N)r�r/ZLOCK_UNrIr)r2rrr�release_lock\sr4)r)T)T)N)NT)F)r-F)I�__doc__�
__future__rr'r&rOr�rtrsrWr%r]rr�rdrR�	functoolsrZtempfilerrr�rQ�supported_protocolsr�ipv4_only_protocolsrr!r-r2r1r8rBrFrJr\rarlrnrzr~r$rSr�r=r�r�r��getpidr�r�r)r0r:r�r<r�r�r�r�r�r�rrr
rrr�r#r)r,r3r4rrrr�<module>s�
7


	'.#:4

9&
 /%/#