a

��\���@s�dZd
dl
Z
d
dlZd
dlZd
dlZd
dlZd
dlZd
dlmZm	Z	
d
dl
mZmZm
Z
mZmZmZ
d
dlZGdd�dejj�ZdS)z-backend_iptables.py: iptables backend for ufw�N)�UFWError�UFWRule)�warn�debug�msg�cmd�cmd_pipe�	_findpathc@s�eZ
dZd
Zd+dd�
Zdd�Zdd�Zd	d
�Zd,dd
�
Zdd�Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zd-dd�
Zd.dd �
Zd!d"�Zd/d#d$�
Zd%d&�Zd'd(�Zd)d*�ZdS)0�UFWBackendIptableszInstance class for UFWBackendNcCs�
d
tj
jd|_||_||_i}ttj
j|�}ttj
j|�}t	j
�|d�|d<t	j
�|d�|d<t	j
�|d�|d<t	j
�|d	�|d
<t	j
�|d�|d<t	j
�|d
�|d<t	j
�|d�|d<tjj
j|d|
|||d�
ggggd�|_dD]�}d}|dk�
r|���
r||7}n|dk�
rq�dD]0}	dD]$}
d||	|
f}|j|	�|�

�
q(�
q |jd�|d�

|jd�|d�

q�gd�
|_d|_dS) z!UFWBackendIptables initializationz# z
_comment #zufw/user.rules�ruleszufw/before.rulesZbefore_ruleszufw/after.rules�after_ruleszufw/user6.rules�rules6zufw/before6.rulesZ
before6_ruleszufw/after6.rules�after6_ruleszufw-init�init�iptables)�rootdir�datadir)�before�user�after�misc)�
4�
6�ufwr)rrr��input�output�forwardz%s-%s-logging-%srz
-logging-denyz-logging-allow)�-m�limit�--limitz3/minute�-j�LOG�--log-prefixz[UFW LIMIT BLOCK]N)r�common�programName�comment_strrrr	�
config_dir�	state_dir�os�path�join�backend�
UFWBackend�__init__�chains�use_ipv6�append�ufw_user_limit_log�ufw_user_limit_log_text)�self�dryrunrr�filesr'r(�ver�chain_prefix�loc�target�chain�r<�6/usr/lib/python3/dist-packages/ufw/backend_iptables.pyr. s@










�
















zUFWBackendIptables.__init__c
Cs\td
�
}
|j
ddkr |
d7}
n8|j
ddkr8|
d7}
n |j
ddkrP|
d7}
n|
d	7}
|
S)
zGet current policyz
New profiles:�default_application_policy�acceptz allow�dropz deny�rejectz rejectz skip)�
_�defaults)r4�rstrr<r<r=�get_default_application_policyLs








z1UFWBackendIptables.get_default_application_policyc
	Cs4|j�s|
d
kr4|
dkr4|
dkr4t
d�
|
}t|�
�
|dkr`|dkr`|dkr`t
d�
|}t|�
�
d	}|dkrrd
}n|dkr~d}d}d}|
d
kr�z|�|jd
d|d�
Wnty�


�Yn0d}d}n�|
dk�
rz|�|jd
d|d�
Wnt�
y


�Yn0d}d}n<z|�|jd
d|d�
Wnt�
yD


�Yn0d}d}t�d|�
}|jd|jdfD]�}ztj	�
|�
}	Wnt�
y�


�Yn0|	d}
|	dD]8}|�|�
�
r�tj	�|
|�
||��
ntj	�|
|�
�
q�ztj	�|	�

Wnt�y


�Yn0�
qpt
d�
||
d�}|t
d�
7}|S)zSets default policy of firewall�allow�denyrAzUnsupported policy '%s'ZincomingZoutgoing�routedz%Unsupported policy for direction '%s'�INPUT�OUTPUT�FORWARD�rCzDEFAULT_%s_POLICYz"ACCEPT"z	UFW BLOCKz	UFW ALLOWz"REJECT"z"DROP"rr�tmp�origz5Default %(direction)s policy changed to '%(policy)s'
)�	direction�policyz*(be sure to update your rules accordingly))r5rBr�set_defaultr6�	Exception�re�compiler�util�
open_files�search�
write_to_file�sub�close_files)
r4rPrO�err_msgr;Zold_log_strZnew_log_str�pat�
f�fns�fd�linerDr<r<r=�set_default_policyZs�



�
�









�








�





�














�z%UFWBackendIptables.set_default_policycCs�|jr&d
t
d�
}|d
t
d�
7}|S|��
gd�
}g}g}|
dkrd|�d�

gd�
}gd�
}�n|
d	kr�d
D] }|�d|�

|�d|�

qpdD] }|�d
|�

|�d
|�

q�dD] }|�d|�

|�d|�

q�dD]}|�d|�

q�
nx|
dk�
r0dD]"}|�d|�

|�d|�

�
q�
nB|
dk�
r�dD]"}|�d|�

|�d|�

�
q>|jdd�
r�|�d�

|�d�

|jdd�rr|�d�

|�d�

n�|
d k�
r�dD]"}|�d!|�

|�d"|�

�
q�n�|
d#k�rrdD]Z}|�d$|�

|�d%|�

|�d&|�

|�d'|�

|�d(|�

|�d)|�

�
q�|�d*�

|�d+�

|�d,�

|�d-�

d.|
}|D]�}d/|v�r�|�d/�
\}	}|d0|	7}t|jg
||d|	g�
\}
}nt|jg
||g
�
\}
}||7}|
dk�r�|d17}|
d2k�r~t|�
�
�q~|
dk�s$|�	��r�|d37}|D]�}d/|v�rx|�d/�
\}	}|d0|	7}t|jg
||d|	g�
\}
}nt|j
g
||g
�
\}
}||7}|
dk�r�|d17}|
d2k�r0t|�
�
�q0|S)4z'Show current running status of firewall�> zChecking raw iptables
zChecking raw ip6tables
)�-nz-vz-x�-L�rawz-t)�filterZnat�manglere)rfrgre�builtins)rIrKrJz	filter:%s)�
PREROUTINGrIrKrJ�POSTROUTINGz	mangle:%s)rirJzraw:%s)rirjrJznat:%sr)rrrz
ufw-before-%szufw6-before-%sr�ufw-user-%s�ufw6-user-%srrzufw-user-limit-accept�ufw-user-limitrzufw6-user-limit-accept�ufw6-user-limitrzufw-after-%sz
ufw6-after-%s�loggingzufw-before-logging-%szufw6-before-logging-%szufw-user-logging-%szufw6-user-logging-%szufw-after-logging-%szufw6-after-logging-%szufw-logging-allowzufw-logging-denyzufw6-logging-allowzufw6-logging-denyzIPV4 (%s):
�
:z(%s) �

r
z

IPV6:
)r5rB�initcapsr1�caps�splitrrrr0�	ip6tables)r4�
rules_type�out�args�itemsZitems6�
c�
b�
i�
t�rcrMr<r<r=�get_running_raw�s�


































































 













 






z"UFWBackendIptables.get_running_rawFc$Cs�d
}|jr2dt
d�
}|��r.|dt
d�
7}|St
d�
}dD]�}t|jdd|d	g�
\}}|d
krpt
d�

S|dkr�t|d
|�
�
|��r>t|jdd|d	g�
\}}|dkr>t|d�
�
q>d
}d
}	d
}
|j|j}d
}i}
|D�]L}d
}i}d
}d}|
�
sF|j	d
k�
s|j
d
k�
rFd}|��}||
v�
r>td|�

q�nd|
|<dD�]�}d
||<d
}d
}|dk�
r�|j
}|
�
s�|j	d
k�
r�|j	}|j�
r�|dk�
r�|d7}n|j}n@|j}|
�
s�|j
d
k�
r�|j
}|j�
r�|dk�
r�|d7}n|j}|dk�r|dk�r|||<|dk�r(||d
k�r*|||<n||d|7<|�rf|jdk�rf||d|j7<|
�r(|dk�r�|j	d
k�r�||d|j	7<|j�r�|dk�r�||d7<||d7<|dk�r(|j
d
k�r(||d|j
7<|j�r|dk�r||d7<||d7<|dk�r�|dk�sF|dk�r�d||<|�r�|jdk�r�|j
|jk�r�|j|jk�r�||d|j7<|dk�r�||d7<n6|�r$|jdk�r$|j|jk�r$||d|j7<n>|j�r$|jdk�r$|j
dk�r$d||v
�r$||d7<|j�r�|dk�rX|jd
k�rX||d|j7<|dk�r�|jd
k�r�||d|j7<nX|dk�r�|jd
k�r�||d|j7<|dk�
rJ|jd
k�
rJ||d|j7<�
qJg}d
}|j�s|j��d k�rT|j�r|�|j���

|�r8|jd k�r8|�|j�

t|�
dk�rTd!d"�|�
}|�rf|d#|7}|j��}|j�r|d$}|jd%k�r�|j�s�|
�s�|�s�d
}d
}|jd
k�r�d&|��}|d'|dd�|j��|g�
|d||f7}|�r�||7}n0|j�r|
|7}
n|jd k�r"|	|7}	n||7}|d
7}q�|d
k�sR|	d
k�sR|
d
k�rHd(}|�rd|d)7}t
d*�
}t
d+�
}t
d,�
}d-}||||f}|�r�|d)7}||d.t|�
d.t|�
d.t|�
f7}||7}|d
k�r�||7}|d
k�r|	d
k�r|t
d/�
7}|	d
k�r||	7}|d
k�r2|
d
k�r2|t
d/�
7}|
d
k�rD||
7}|}|
�r�|� �\} }!t
d0�
|�!�|�!d1�
|�!d2d�d3�}"|�"�}#t
d4�
|!|"|#|d5�St
d6�
|Sd7S)8zShow ufw managed rulesrLrbzChecking iptables
zChecking ip6tables
�problem runningrrdrkrc�
zStatus: inactiver
z iptables: %s
rl�
 ip6tablesTFzSkipping found tuple '%s')�dst�srcr�z::/0� (v6)z	0.0.0.0/0�any�
 �
/z (%s�
)r�ZAnywherez on %srwz (%s)z, z[%2d] ZFWD�inz # %sz%-26s %-12s%-26s%s%s
z

z     ZToZFromZActionz%-26s %-12s%s
�
-rqzCDefault: %(in)s (incoming), %(out)s (outgoing), %(routed)s (routed)rr)r�rwrHz0Status: active
%(log)s
%(pol)s
%(app)s%(status)s)�logZpol�app�statuszStatus: active%sN)#r5rBr0rrrrurr
�dapp�sapp�
get_app_tuplerr��v6�dportr��sport�protocolr�interface_in�
interface_out�logtyperO�lowerr1�lenr+�upper�comment�get_comment�actionZget_loglevel�_get_default_policyrE)$r4�verbose�
show_countrwr[rOr~Zout6�
sZstr_outZstr_rter�count�	app_rules�
rZtmp_str�location�tuplZ
show_protor9�portrMZattribsZ
attrib_strZdir_strr&Zfull_strZstr_toZstr_fromZ
str_actionZrules_header_fmtZrules_header�levelZlogging_strZ
policy_strZapp_policy_strr<r<r=�
get_status
sv







�





�























































�

�



�
 

�


















�
�





�
�
























��
















���


��zUFWBackendIptables.get_statusc
Cs�|jrt
d
td�
�

n�g}
|
�|jd�

|jdu
rl|jdu
rl|
�d�

|
�|j�

|
�d�

|
�|j�

|
�d�

t|
�
\}}|dkr�td	|�
}t|�
�
dS)
zStop the firewallrb�running ufw-initrN�	--rootdir�	--datadirz
force-stopr
�problem running ufw-init
%s)	r5rrBr1r6rrrr�r4rxr~rwr[r<r<r=�
stop_firewall�
s














z UFWBackendIptables.stop_firewallc
Cs4
|jrt
d
td�
�

�
ng}
|
�|jd�

|jdu
rn|jdu
rn|
�d�

|
�|j�

|
�d�

|
�|j�

|
�d�

t|
�
\}}|dkr�td	|�
}t|�
�
d
|j	v
s�|j	d
t
|j���
v
r�z|�
d�

Wn"ty�


td�
}t|�
�
Yn0n:z|�|j	d
�

Wn$t�
y.


td
�
}t|�
�
Yn0dS)zStart the firewallrbr�rNr�r��startr
r��loglevel�lowzCould not set LOGLEVELzCould not load logging rules)r5rrBr1r6rrrrrC�list�	loglevels�keys�set_loglevelrR�update_loggingr�r<r<r=�start_firewall�
s6
















�







z!UFWBackendIptables.start_firewallcCs�|jr
d
S|�
�
d}|j}|
r*d}|j}dD]p}|dksB|dkrl|
rX|jddsXq.n|
sl|jddslq.t|d	d
|d|g�
\}}|dkr.td
�


dSq.d
S)zCheck if all chains existFr�ufw6)rrrr�limit-acceptrr�rrrcrdz-user-r
z_need_reload: forcing reloadT)r5rrrrursrr)r4r��prefix�exer;r~rwr<r<r=�_need_reloads&












zUFWBackendIptables._need_reloadc
Cs�td
�
}
|j
r(td�

|��r�td�

n�|��r�z4|jdD]$}|�|d|g�
|�|d|g�
q<Wnty~


t|
�
�
Yn0t	d|j
dg|jd	g�\}}|d
kr�t|
d�
�
|��r�t	d|j
dg|jd	g�\}}|d
kr�t|
d
�
�
dS)zReload firewall rules filer�z> | iptables-restorez> | ip6tables-restorer�-F�-Z�catrrcr
z	 iptablesr
r�N)
rBr5rr0�
is_enabledr/�
_chain_cmdrRrrr6Ziptables_restoreZip6tables_restore)r4r[rzr~rwr<r<r=�_reload_user_rules6s.











�


�
z%UFWBackendIptables._reload_user_rulescCs@g}t�
d
�
}t�
d�
}t�
d�
}|�|
�
r�|�|
�
r�|�|
�
r\|�|�d|�d|
���

n|�|�d|
��

|�|�d|
��

q�|�|�d|
��

n
|�|
�

t�
d�
}t�
d	�
}	t�
d
�
}
d}t|�
D]�\}}
|�|
�
r�|�d|
���}|��d
k�
rd}n|��dk�
rd}nd}d||f}|	�|
�
�
s8d|}|�d|
�||<|�||�d|d||
��
|�||
�d|d||�d|
���
|�||
�d|d||�d||
���
q�t�
d�
}t|�
D]j\}}
|�|
�
�
r�|�d|
�}|�d|d|
�}|�d|d|
�}|||<|�||�
|�||�
�
q�|S) z5Return list of iptables rules appropriate for sendingz-p all zport z-j (REJECT(_log(-all)?)?)z-p tcp z-j \1 --reject-with tcp-resetz-p udp rLz(.*)-j ([A-Z]+)_log(-all)?(.*)z-j [A-Z]+_log-allz(-A|-D) ([a-zA-Z0-9\-]+)z'-m limit --limit 3/min --limit-burst 10�\2r?ZALLOWrZLIMITZBLOCKz"%s -j LOG --log-prefix "[UFW %s] "z-m conntrack --ctstate NEW z	\1-j \2\4z\1-j z-user-logging-z\1 z\1-j RETURN�\1z	 -j LIMITz+ -m conntrack --ctstate NEW -m recent --setzL -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j z-user-limitz -j z-user-limit-accept)	rSrTrWr1rY�	enumerate�stripr��insert)r4�fruler��suffix�snippetsZ	pat_protoZpat_portZ
pat_reject�pat_logZ
pat_logallZ	pat_chain�
limit_argsr|r�rP�lstrZ	pat_limitZtmp1Ztmp2Ztmp3r<r<r=�_get_rules_from_formattedRs�














��
















�



�
�
�
�
�
��
�
��




����


z,UFWBackendIptables._get_rules_from_formattedc	Cs�g}|�|
||�}t
�d
�
}t|�
D]p\}}|�|�d|����

|�|�
r$||�d�

||�|�d|��dd��

|||�d|���7<q$|S)z_Return list of iptables rules appropriate for sending as arguments
           to cmd()
        z(.*) --log-prefix (".* ")(.*)r�r#r��
"rLz\3)	r�rSrTr�r1rYrt�match�replace)	r4r�r�r�r�Zstr_snippetsr\r|r�r<r<r=�_get_lists_from_formatted�s








z,UFWBackendIptables._get_lists_from_formattedc
Cs�|jd
g
}
|�
�r$|
�|jd�

|
D�]r}ztj�|�
}Wn&tyd


td�
|}t|�
�
Yn0t	�
d�
}t	�
d�
}t	�
d�
}|D�]}|}	d}
d|vr�|�d�
\}	}|��}
|�
|	�
r�|�d|	�}t	�d	|���}
t|
�
d
ks�t|
�
dk�
rtd�
|}t|�

q�q�d
}d}d}t|
�
dk�
s4t|
�
dk�rtd�
|}|
d�d�
d}d|
dv�rd|
dv�
r�|�|
d�
�
r�|�|
d�
�
r�|
d�d�
d�d�
d}|
d�d�
d�d�
d}nR|
d�d�
�
r�|
d�d�
d}n.|
d�d�
�r|
d�d�
d}n
t|�

q��
z
|
d}d}d|v�rFd}|�d�
d}t|
�
dk�r�t||
d|
d|
d|
d|
d|||
�	}nvt||
d|
d|
d|
d|
d|||
�	}t	�
d�
}|
d
d k�r�|�d!|
d
�|_|
dd k�r�|�d!|
d�|_|dk�r|�d
|�
|dk�r$|�d"|�
Wn,t�yR


td#�
|}t|�

Yq�Yn0||jdk�r||�d�

|j�|�

q�|�d�

|j�|�

q�|��
q(d$S)%z$Read in rules that were added by ufwrr
zCouldn't open '%s' for readingz^### tuple ###\s*zin_\w+zout_\w+rLz	 comment=z\s+��	z)Skipping malformed tuple (bad length): %sr��z$Skipping malformed tuple (iface): %s���rBr
�
!�r�Zin_Zout_FrpT�����%20r�r�rwzSkipping malformed tuple: %sN)r6r0r1rrU�open_file_readrRrBrrSrTrtr�r�rYr�rrW�	partition�
startswithrr�r��
set_interface�set_v6r
r�close)r4Zrfnsr]rNr[Z	pat_tupleZpat_iface_inZ
pat_iface_outZ	orig_liner`r��hexr�rMZwmsgZdtyper�r�r�r�rule�	pat_space�warn_msgr<r<r=�_read_rules�s�























�





�


����











�

�












�







zUFWBackendIptables._read_rulescCs2|jd
}|
r|jd}t
�|t
j�s:td|�
}t|�
�
ztj�|�
}Wnt	y^


�Yn0|�
�
d}|j}|
r�d}|j}|j
r�tj��}n|d}tj�|d�
tj�|d|d	�
tj�|d|d
�
tj�|d|d�
tj�|d|d�
tj�|d|d
�
tj�|d|d�
tj�|d|d�
tj�|d|d�
tj�|d|d�
tj�|d|d�
tj�|d|d�
tj�|d|d�
tj�|d|d�
tj�|d|d�
|dk�
r�|jdd�s|dk�r<|jdd�r<tj�|d|d�
tj�|d|d�
tj�|d�
|D�]}|j}	|j�rld|j}	|jdk�r�|	d|j7}	d}
|jdk�r�|jdk�r�|j}
n`|jdk�r�|jdk�r�d |j|jf}
n6|jdk�r�|
d!|j|jf7}
n|
d!|j|jf7}
|jdk�rp|jdk�rpd"|	|j|j|j|j|j|
f}|j dk�r\|d#|j 7}tj�||d$�
n�t!�"d%�
}d&}
|j�r�|�#d'|j�}
d&}|j�r�|�#d'|j�}d(|	|j|j|j|j|j|
||
f	}|j dk�r�|d#|j 7}tj�||d$�
d)}|j�rd*}n|jd+k�r d,}d-||f}d.||�$�f}|�%|||�D]}tj�||�
�qJ�qNtj�|d/�
tj�|d0�
z|�&|j'd1�
}Wnt	�y�


�Yn0|D]d\}}}t(|�
d2k�r�|d2d3k�rڐq�|�)|d&�
�r�tj�|d%�*|�
�+d4d5��+d6d7�d$�
�q�tj�|d8�
|dk�r>|jdd�sX|dk�r�|jdd�r�tj�|d9�
|j'd1d:k�r�tj�|d;|d<d%�*|j,�
d=|j-d>�
tj�|d;|d?�
tj�|d;|d@�
tj�|dA�
tj�|dB�
z(|j
�rtj�.|dC�
ntj�.|�

Wnt	�y,


�Yn0dDS)Ez.Write out new rules to file to user chain filerr
z'%s' is not writablerr�rMz*filter
rpz-user-input - [0:0]
z-user-output - [0:0]
z-user-forward - [0:0]
z-before-logging-input - [0:0]
z-before-logging-output - [0:0]
z -before-logging-forward - [0:0]
z-user-logging-input - [0:0]
z-user-logging-output - [0:0]
z-user-logging-forward - [0:0]
z-after-logging-input - [0:0]
z-after-logging-output - [0:0]
z-after-logging-forward - [0:0]
z-logging-deny - [0:0]
z-logging-allow - [0:0]
rrrz-user-limit - [0:0]
z-user-limit-accept - [0:0]
z### RULES ###
zroute:rLrBzin_%s!out_%sz%s_%sz#
### tuple ### %s %s %s %s %s %s %sz comment=%srqr�r�r�z)
### tuple ### %s %s %s %s %s %s %s %s %srrrwr�
%s-user-%sz	-A %s %s
z
### END RULES ###
z
### LOGGING ###
r�r
�-D�
[z"[z] z] "z### END LOGGING ###
z
### RATE LIMITING ###
�offz-A z-user-limit z "z "
z-user-limit -j REJECT
z-user-limit-accept -j ACCEPT
z### END RATE LIMITING ###
zCOMMIT
FN)/r6r)�access�W_OKrBrrrUrVrRrrrr
r5�sys�stdout�filenorXrsr�rr�r�r�rOr�r�r�r�r�r�r�r�rSrTrY�format_ruler��_get_logging_rulesrCr�r�r+r�r2r3rZ)r4r�Z
rules_filer[r^r8rr_r�r�ZifacesZtstrr�r�r��chain_suffixr;�rule_strr�Zlrules_trz�
qr<r<r=�_write_rules
sV

















�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�
�













��











��








�










��
�
�



�
�
����
�
�



zUFWBackendIptables._write_rulesTc	CsN|��
d
}|
j
rR|��s*td�
}t|�
�
|
jdkrx|jddsxtd�
|
jSn&|
jdkrx|jddsxtd�
|
jS|
jr�|
jdkr�|
jd	kr�td
�
}t|�
�
g}d}d}|j	}|
j
}	|
j
r�|jdkr�|
jd
ks�|
j
d
kr�td
�
S|j}|	dk�
s|	t|�
k�
rtd�
|	}t|�
�
|	dk�
r:|
j�
r:td�
}t|�
�
|	t|�
k�
r\td�
|	}t|�
�
z|
��
Wnt�
y~


�Yn0d}
d}d}d}
|D�
]n}z|��
Wnt�
y�


�Yn0|j|j|j|j
f}|
|	k�rH|
dd
k�r|
dd
k�r|
dk�s(|dd
k�r|dd
k�s(|
|k�r@d}|�|
���

d}
n|	d7}	|}
|
d7}
t�||
�}|dk�rr|d7}|dk�r�|�s�|�s�d}|
j�s|�|
���

n^|dk�r�|
j�r�|
jd
k�r�d}n:|dk�r�|
j�s�|�s�d}d}|�|
���

n
|�|�

�
q�|�r4|dk�r�td�
}|
j
�r.|d7}|Sn~|�sP|
j�sP|�|
���

|�s�|
j�r�|j�s�td�
}|
j
�r~|d7}|S|�r�|
j�s�|�s�td�
}|
j
�r�|d7}|S|
j
�r�||_n||_	z|�|
j
�

Wn8t�y�


�Yn$t�y


td�
}t|�

Yn0td�
}|
j
�r*td�
}|���rJ|j�sJd
}|�sZ|�|
j
�
�sZ|�r�d
}|�rr|td�
7}n|td �
7}|
j
�r�|d7}|�r�z|��
Wnt�y�


�Yn0n|td!�
7}n<|�r�|
j�r�d"}td#�
}n |�s|�s|
j�sd$}td%�
}|d
k�rJ|j}d&}|
j
�r2|j }d'}|d7}d(}|
j!�rDd)}n|
j"d*k�rTd+}d,||f}td-�
}t#|d.|d/g�
\}}|dk�r�t|�
�
d0|||
�$�f}t%�&d1�
}|�'|||�D]�}t#|g
|�
\}}|dk�r�t(|t)j*�
t|�

|d$k�r�|�+d2�,|�
�
�r�|�-d3d2�,|�
�}t#|d"|d4d5g�
\}}|dk�r�t.d6|�

�q�|S)7aX
Updates firewall with rule by:
        * appending the rule to the chain if new rule and firewall enabled
        * deleting the rule from the chain if found and firewall enabled
        * inserting the rule if possible and firewall enabled
        * updating user rules file
        * reloading the user rules file if rule is modified
        rLz)Adding IPv6 rule failed: IPv6 not enabledrrz#Skipping unsupported IPv6 '%s' rulerz#Skipping unsupported IPv4 '%s' rule�udp�tcpz/Must specify 'tcp' or 'udp' with multiple portsFz1.4z:Skipping IPv6 application rule. Need at least iptables 1.4r
zInvalid position '%d'z Cannot specify insert and deletez#Cannot insert rule at position '%d'r�)rLrLrLrLr�r�T���z Skipping inserting existing ruler�z"Could not delete non-existent rulezSkipping adding existing rulezCouldn't update rules filez
Rules updatedzRules updated (v6)z
Rule insertedzRule updatedz (skipped reloading firewall)r�zRule deleted�-Az
Rule addedrr�rrrwrr��!Could not update running firewallrdrcz%s %s %sz(-A +)(ufw6?-user-[a-z\-]+)(.*)r�r�r!�RETURNzFAILOK: -D %s -j RETURN)/rrr�r0rBrr�rs�multir�r�positionZiptables_versionr�r�r
r��remove�	normalizerRr�r�r1�dup_rulerr�r�r5r�r�r�r�rrurrOrr�rSrTr�rr��stderrrWr+rYr)r4r��allow_reloadrDr[Znewrules�foundZmodifiedrr

r�ZinsertedZmatches�lastr��currentZret�flagr�r8r�r;r~rwr�r�r�rzr<r<r=�set_rule�s@













�





















&

�

��














































































�








zUFWBackendIptables.set_rulec
Cstg}g}|r|j}n|j
}|
��}|�|�

|��
|��}|D].}|��}|��
|��}	|	|kr@|�|�

q@|S)
z@Return a list of UFWRules from the system based on template rule)r
rr
r�r
r�r1)
r4�templater�rr��normr�r�rMZ	tmp_tupler<r<r=�get_app_rules_from_system�s 










z,UFWBackendIptables.get_app_rules_from_systemcCsZ|j}|
�
d
�
r|j}t|g
|�
\}}|dkrVtd|�
}|rNtd|�

nt|�
�
dS)zPerform command on chainr�r
zCould not perform '%s'zFAILOK: N)rr�rurrBrr)r4r;rx�fail_okr�r~rwr[r<r<r=r��s







zUFWBackendIptables._chain_cmdc		Cs�|jr
d
S|�
�
g}z|�|
�
}Wnty8


�Yn0z|jdd�

|jdd�

Wn4tyj


�Yn"ty�


td�
}t|�

Yn0|��s�d
Std�
}|jd|jd|jd	|jd
D]6}z|�	|d|dg�
Wq�ty�


t|�
�
Yq�0q�zJ|jd|jd	|jd
D]&}|�	|d
|g�
|�	|d|g�
�
q Wnt�
yf


t|�
�
Yn0|D]�\}}}d}t
|�
dk�
r�|ddk�
r�d}zH|dk�
r�t
|�
dk�
r�|j	|dg
|dd
�dd�
|�	|||�
Wnt�
y�


t|�
�
Yn0�
qldD]�}|jdd�r&|dk�s@|jdd�r|dk�r|j	|d|g|j|j
dg
dd�
|jddk�r|j	|d|g|j|j
dg
dd�
�qd
S)z#Update loglevel of running firewallNF)
r�Tz&Couldn't update rules file for loggingr�rrrrrdrcr�r�r
r��delete_firstr�)
r
)rmrnrrrmrrnr�r�r��-I)r5rrr�rRr�rrBr�r/r�r�rsr2r3rC)	r4r��rules_tr[rzr�r�r
r;r<r<r=r��s�














�
�




�













�
�
�
��

�
��z!UFWBackendIptables.update_loggingc	Cs�g}|
t|j
���
v
r*td
�
|
}t|�
�
|
dkr^|jdD]}|�|d|ddgdg�

q<|S|jdD]}|�|d|ddgd	g�

qhgd
�
}|j
|
|j
dk�r8g}|j
|
|j
dkr�|}|jd
D]�}dD]�}|�|�
r�|�|�
dk�
s|�|�
dk�
r&d}|�|d|ddd|g|d	g�

q�|j
|
|j
dkr�d}|�|d|ddd|g|d	g�

q�q�g}|j
|
|j
dk�
r�|}|jdD]�}|�d�
�
r�d}nt|�d�
�rd}|j
|
|j
dk�
r�|�|d|ddddddg|d	g�

n(|�|d|ddddddddg
|d	g�

|�|d|ddd|g|d	g�

�
q�|j
|
|j
dk�r�g}|j
|
|j
dk�rl|}|j
|
|j
dk�r�gd�
|}d }|jd!D]&}|�|d|ddd|g|d	g�

�q�|S)"z%Get rules for specified logging levelzInvalid log level '%s'r�rr
r!r�r
r�rL)rrr z3/minz
--limit-burstZ10r��highrrrArGz[UFW BLOCK] r�r"r#�mediumz[UFW ALLOW] rrFr�	conntrack�	--ctstateZINVALIDz[UFW AUDIT INVALID] �full)rr
r
�NEWz[UFW AUDIT] r)	r�r�r�rBrr/r1�endswithr�)	r4r�r
r[rzr�Zlargsr}r�r<r<r=r��s�











�

���


���








���



���
�
�
�





�
�
�
z%UFWBackendIptables._get_logging_rulesc

Cs�
d
}
tt
jj|j�}g}|jD]d}|j|�d�
s4q|�|j|�

tj	�
|dtj	�|j|�
�}tj	�|�
st
d�
|}t|�
�
qt�d�
}|D]0}d||f}tj	�|�
r�t
d�
|}t|�
�
q�|D]:}d||f}|
t
d�
tj	�|�
|d	�7}
t�||�
q�|D]�}d||f}t�tj	�
|dtj	�|�
�tj	�|�
�
t�||�
zt�|�
}	|	tj}
Wn.t�
y�


t
d
�
|}t|�

Y�
qYn0|
tj@�
r�|
t
d�
|7}
n|
tj@�
r|
t
d�
|7}
�
q|
S)
zReset the firewallrLz.rulesrzCould not find '%s'. Abortingz
%Y%m%d_%H%M%Sz%s.%sz'%s' already exists. Abortingz"Backing up '%(old)s' to '%(new)s'
)�old�newzCouldn't stat '%s'zWARN: '%s' is world writablezWARN: '%s' is world readable)r	rr$�	share_dirrr6r
r1r)r*r+�basename�isfilerBr�time�strftime�exists�rename�shutil�copy�dirname�copymode�stat�ST_MODErRr�S_IWOTH�S_IROTH)r4�resr
Zallfilesr|�fnr[�extr
Zstatinfo�moder�r<r<r=�resetYsZ








�











�



�
�









zUFWBackendIptables.reset)NN)FF)
F)
T)
F)�__name__�
__module__�__qualname__�__doc__r.rErarr�r�r�r�r�r�r�r�r�r
r
r�r�r�r/
r<r<r<r=r
s.


,K]
f!De
*
[

JZr
)r3
r)rSr#
r'
r�r
�
ufw.commonrr�ufw.utilrrrrrr	Zufw.backendrr,r-r
r<r<r<r=�<module>
s