WWWWWW

Current Directory: /usr/lib/python2.7/site-packages/firewall/core
Viewing File: /usr/lib/python2.7/site-packages/firewall/core/nftables.pyo
�
�c�`c@s~ddlZddlZddlmZmZddlmZddlm	Z	ddl
mZmZm
Z
mZmZddlmZddlmZmZmZmZmZmZddlmZmZmZmZd	Zd
Ziiddefd
6d6iddefd
6d6iddefd
6ddefd6d6iddefd6ddefd6d6Z iid6id6id6Z!ii"dd d!dd"d#gd$6dd d!gd!6dd d%gd%6dd d&gd&6dd d!dd"d'gd(6dd d!dd"d)gd*6dd d!dd"d+gd,6dd d-dd"d.gd/6dd d!dd"d0gd16dd d!dd"d.gd26dd d3dd"d.gd46dd d!dd"d5gd66dd d-dd"d7gd86dd d!dd"d9gd:6dd d!dd"d7gd;6dd d3gd36dd d!dd"d<gd=6dd d!dd"d>gd?6dd d!dd"d@gdA6dd d-gd-6dd d3dd"d.gdB6dd dCgdC6dd dDgdD6dd dEgdE6dd d!dd"dFgdG6dd dHgdH6dd dIgdI6dd dJgdJ6dd d-dd"d<gdK6dd d!dd"dLgdM6dd d-dd"d@gdN6dd d!dd"dOgdP6dd dHdd"d.gdQ6dd dHdd"d7gdR6dS6idTd d!dTd"d<gdU6dTd d3dTd"d7gdV6dTd d!dTd"d@gdW6dTd d!dTd"d.gd$6dTd d!gd!6dTd d%gd%6dTd d&gd&6dTd d!dTd"dFgdX6dTd dYgdZ6dTd d[gd\6dTd d!dTd"d7gd]6dTd d^gd^6dTd d3gd36dTd d!dTd"d'gd=6dTd d_gd-6dTd d!dTd"d9gd`6dTd dagdC6dTd dbgdD6dTd dHgdH6dTd dHdTd"d.gdQ6dTd dHdTd"d7gdR6dTd d3dTd"d.gdc6dTd d3dTd"d@gdd6de6Z"dfe#fdg��YZ$dS(hi����N(t	SHORTCUTStDEFAULT_ZONE_TARGET(trunProg(tlog(t	splitArgst	check_mactportStrtcheck_single_addresst
check_address(tconfig(t
FirewallErrort
UNKNOWN_ERRORtINVALID_RULEtINVALID_ICMPTYPEtINVALID_TYPEt
INVALID_ENTRY(tRich_AccepttRich_Rejectt	Rich_Dropt	Rich_Markt	firewalldi
t
preroutingi���t
PREROUTINGtrawij���tmanglei����tpostroutingidtPOSTROUTINGtnattinputitINPUTtforwardtFORWARDtfiltertinettiptip6ticmpttypesdestination-unreachabletcodet13scommunication-prohibiteds
echo-replysecho-requestt4sfragmentation-neededt14shost-precedence-violationt10shost-prohibitedtredirectt1s
host-redirectt7shost-unknownshost-unreachablesparameter-problems
ip-header-badt8snetwork-prohibitedt0snetwork-redirectt6snetwork-unknownsnetwork-unreachablet3sport-unreachablet15sprecedence-cutofft2sprotocol-unreachablesrequired-option-missingsrouter-advertisementsrouter-solicitations
source-quencht5ssource-route-faileds
time-exceededstimestamp-replystimestamp-requeststos-host-redirectt12stos-host-unreachablestos-network-redirectt11stos-network-unreachablesttl-zero-during-reassemblysttl-zero-during-transittipv4ticmpv6saddress-unreachables
bad-headersbeyond-scopes
failed-policysnd-neighbor-advertsneighbour-advertisementsnd-neighbor-solicitsneighbour-solicitationsno-routespacket-too-bigsnd-redirectsreject-routesnd-router-advertsnd-router-solicitsunknown-header-typesunknown-optiontipv6tnftablescBs�eZdZeZd�Zd�Zd�Zd�Zd�Z	d�Z
d�Zd�Zd3d	�Zd
�Zd�Zd�Zd
�Zdd�Zd�Zedd�Zdd�Zdd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Z d3d3d�Z!d3d3d�Z"d3d3d�Z#d �Z$d3d!�Z%d3d"�Z&d#�Z'd3d$�Z(d%�Z)d3d&�Z*d'�Z+ed(�Z,d)�Z-d*�Z.d+�Z/d3d,�Z0d-�Z1d.�Z2d/�Z3d0�Z4d1�Z5d2�Z6RS(4R:cCsK||_tjd|_|j�g|_i|_i|_i|_dS(Ntnft(	t_fwR	tCOMMANDSt_commandtfill_existstavailable_tablestrule_to_handletrule_ref_counttzone_source_index_cache(tselftfw((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt__init__�s	
			cCs%tjj|j�|_t|_dS(N(tostpathtexistsR>tcommand_existstFalsetrestore_command_exists(RD((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR?�sc	Cs�y?|jd�}|j|�|j|�}||df}WnLtk
r�y&|jd�}|j|�d}Wq�tk
r�dSXnX|d}|r�|r�||kr�|||kr�||j|�q�n�|r�||kr�g||<n|rN|||kr8||j|�||jdd��n||j|�}n%|jjrcd}nt	||�}|dkr�d|d<q�|d	8}d
|d<|j
|d�|j
|d	d|�ndS(
Ns%%ZONE_SOURCE%%is%%ZONE_INTERFACE%%itkeycSs|dS(Ni((tx((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt<lambda>�sitinsertitaddtindexs%d(RRtpopt
ValueErrortNonetremovetappendtsortR<t_allow_zone_driftingtlenRP(	RDtrule_addtruleRCtitzonetzone_sourcetfamilyRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_run_replace_zone_source�sD



	


	

c
Cs�ddg}|}|ddkrs|ddkrs|}d|d<t|j||�\}}|dkrsdSnd}|ddkr|ddkrt}|d}|d
dkryt|d�Wn tk
r�ttd��qX|jd
�|jd
�ndj	|�}nB|ddkr_|ddkr_t
}|d}dj	|�}n||jkr7|r�|j|cd7<dS|r�|j|dkr�|j|cd8<dS|j|dkr�|j|cd8<n ttd||j|f��t
jd|j|j||jdj	|��n|retj|j�}	|j|||	�n|s�|r�|j|dks�|r�||jkr�|r�|r�ddg|dd!d|j|g}ndj	|�}
t
jd|j|j|
�t|j||�\}}|dkrEtd|j|
|f��n|rW|	|_n|r�|r�d}|j|�t|�}||j�|j|<d|j|<q�|j|=|j|=q�n|S(Ns--echos--handleitdeleteittabletlisttRQRPR\iitpositionisposition without a numbert s)rule ref count bug: rule_key '%s', cnt %ds%s: rule ref cnt %d, %s %sithandles	%s: %s %ss'%s %s' failed: %ss	# handle (saddsinsert(Rb(RR>RUtTruetintt	ExceptionR
RRStjoinRKRBRRtdebug2t	__class__tcopytdeepcopyRCRaRARTRRRZtstrip(
RDtargstnft_optst_argst
_args_testtstatustoutputtrule_keyR[RCt	_args_strtstrtoffset((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt__run�s| 
 


 
	#!

cCsAy|j|�}Wntk
r'tSX||||d+tSdS(Ni(RRRTRKRi(RDR\tpatterntreplacementR]((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt
_rule_replace,s
cCs|}d|d<|S(NRbi((RDRrtret_args((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytreverse_rule5s
cCsttd��dS(Nsnot implemented(R
R(RDtrulest
log_denied((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt	set_rules:scCsd}d|ks*d|ks*d|kr3d}n-d|ksWd|ksWd|kr`d}n|j|dd	d
|ddg�|j|d
dddg�y|jd�}Wntk
r�nDX|dkr�dS|dkr�d|g|||d+n
|j|�|j|�S(NticmpxR7R"R$R9R#R8s
%%REJECT%%trejecttwithR%sadmin-prohibiteds%%ICMP%%tmetatl4protos{icmp, icmpv6}s%%LOGTYPE%%toffRetunicastt	broadcastt	multicasttpkttypei(R�R�R�(RRRRTRSt_nftables__run(RDR\R�ticmp_keywordR]((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytset_ruleCs$$	$	

cCs|r
|gStj�S(N(tIPTABLES_TO_NFT_HOOKtkeys(RDRc((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytget_available_tablesbscCsYi|_i|_i|_g}x1tj�D]#}|jdd|dtg�q.W|S(NRbRcs%s(RARBRCt
OUR_CHAINSR�RWt
TABLE_NAME(RDR�R`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_flush_rulesfs			!cCs�tdd}g}|dkr�|jddd|g�x�ddgD]:}d	|d
||dtdf}|jt|��qFWn5|d
kr�|jddd|g�n
ttd�|S(Nt_tpolicy_droptDROPRQRcR!RRwsMadd chain inet %s %s_%s '{ type filter hook %s priority %d ; policy drop ; }'Ri���itACCEPTRbsnot implemented(R�RWtNFT_HOOK_OFFSETRR
R(RDtpolicyt
table_nameR�thookt
_add_chain((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_set_policy_rulesps
cCsAt�}x+tj�D]}|jt|j��qWt|�S(N(tsettICMP_TYPES_FRAGMENTR�tupdateRd(RDt	supportedtipv((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytsupported_icmp_types�s	cCsAg}x+tj�D]}|jd|tf�qWtt|�S(Nsadd table %s %s(R�R�RWR�tmapR(RDtdefault_tablesR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_default_tables�sR�c
Cs�g}t�tdd<x�tdj�D]�}|jdt|td|dtd|df�x�|jjr~ddgndgD]e}|jdt||f�|jd	t|||f�tddjtd
||fg��q�Wq(Wt�tdd<x�tdj�D]�}|jdt|td|dtd|df�x�|jjrjddgndgD]e}|jd
t||f�|jdt|||f�tddjtd
||fg��qqWqWt�tdd<t�tdd<x�ddgD]�}x�tdj�D]�}|jd|t|td|dtd|df�x�|jjr}ddgndgD]k}|jd|t||f�|jd|t|||f�t|djtd
||fg��q�Wq$Wq
Wt�tdd<xMtdj�D];}|jdt|td|dtd|df�qW|jdtdf�|jdtdf�x`|jjr�ddgndgD]=}|jdtd|f�|jdtdd|f�q�W|dkr|jdtdf�n|jdtdf�|dkrP|jdtdf�n|jd tdf�|jd!td"f�|jdtd"f�|jdtd"f�x}d#d$gD]o}xf|jjr�ddgndgD]C}|jd%td"||f�|jd&td"d"||f�q�Wq�W|dkrR|jdtd"f�n|jdtd"f�|dkr�|jdtd"f�n|jd td"f�td'd(d)d*d+d,g�tdd<t	t
|�S(-NR!Rs@add chain inet %s raw_%s '{ type filter hook %s priority %d ; }'iitZONES_SOURCEtZONESsadd chain inet %s raw_%s_%ss&add rule inet %s raw_%s jump raw_%s_%ss%s_%sRsCadd chain inet %s mangle_%s '{ type filter hook %s priority %d ; }'sadd chain inet %s mangle_%s_%ss,add rule inet %s mangle_%s jump mangle_%s_%sR"RR#s;add chain %s %s nat_%s '{ type nat hook %s priority %d ; }'sadd chain %s %s nat_%s_%ss$add rule %s %s nat_%s jump nat_%s_%sR sCadd chain inet %s filter_%s '{ type filter hook %s priority %d ; }'s>add rule inet %s filter_%s ct state established,related acceptRs,add rule inet %s filter_%s iifname lo acceptsadd chain inet %s filter_%s_%ss,add rule inet %s filter_%s jump filter_%s_%sR�s_add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '"STATE_INVALID_DROP: "'s0add rule inet %s filter_%s ct state invalid dropsHadd rule inet %s filter_%s %%%%LOGTYPE%%%% log prefix '"FINAL_REJECT: "'sBadd rule inet %s filter_%s reject with icmpx type admin-prohibiteds$add chain inet %s filter_%s_IN_ZONESRtINtOUTs!add chain inet %s filter_%s_%s_%ss/add rule inet %s filter_%s jump filter_%s_%s_%stINPUT_ZONES_SOURCEtINPUT_ZONEStFORWARD_IN_ZONES_SOURCEtFORWARD_IN_ZONEStFORWARD_OUT_ZONES_SOURCEtFORWARD_OUT_ZONES(R�R�R�R�RWR�R<RYR�R�R(RDR�t
default_rulestchaintdispatch_suffixR`t	direction((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_default_rules�s�	(0	(0		( 4	(!((cCsY|dkrdddgS|dkr,dgS|dkrBddgS|d	krUdgSiS(
NR Rt
FORWARD_INtFORWARD_OUTRRRRR((RDRc((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytget_zone_table_chains�s

R!c

Cs�|dkrr|dkrrg}|j|j||||||d��|j|j||||||d��|Sidd6dd6dd	6dd
6dd6dd6|}	|t|�d
dkr�|t|�d
 d}ntjdt|d|�}
d}|r3|r3dd|dtd||fdg}ne|r_dd|dtd||fg}n9dd|dtd||fg}|s�|dg7}n|dkr�||d||
fg7}n(||	d|d|d||
fg7}|gS(NRR!R"R#tiifnameRtoifnameRRR�R�tOUTPUTit+t*R�R^tgotoRPR\s%ss%s_%s_ZONESs%%ZONE_INTERFACE%%RQRbs%s_%ss"(textendt!build_zone_source_interface_rulesRZRtformatRR�(
RDtenableR^t	interfaceRcR�RWR`R�toptttargettactionR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR��s>
&#(cCsK|dkr�|dkr�g}|jd�rI|j|td��}nd}td|�svt|�sv|dkr�|j|j|||||d��ntd|�s�t|�s�|dkr�|j|j|||||d��n|Sidt6d	t	6|}	id
d6dd
6d
d6d
d6dd6dd6|}
|j
jr\d||f}nd||f}tj
dt|d|�}d}
|jd�r�|td�}|j|�}d|}nCt|�r�|
dkr�dSd}ntd|�rd}nd}|	d|dt|d|||
||
d||fg}|gS(NRR!sipset:R7R"R9R#RPRbtsaddrRtdaddrRRR�R�R�s%s_%s_ZONES_SOURCEs%s_%s_ZONESR�R^R�t@RetetherR\s%ss%%ZONE_SOURCE%%s%s_%s(t
startswitht_set_get_familyRZRURRR�tbuild_zone_source_address_rulesRiRKR<RYRR�RR�(RDR�R^taddressRcR�R`R�tipset_familytadd_delR�tzone_dispatch_chainR�R�tipsettrule_familyR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR�$sT''
		c	Cs.|dkr`|dkr`g}|j|j|||d��|j|j|||d��|Stjdt|d|�}t||jt|d|d|d	|g��g}|jd
d|dt	d||fg�|jd
d|dt	d
||fg�|jd
d|dt	d||fg�|jd
d|dt	d||fg�|jd
d|dt	d||fdd
||fg�|jd
d|dt	d||fdd||fg�|jd
d|dt	d||fdd||fg�|j
jj|j
}|j
j�dkr�|dkr�|d kr�|d!kr�|}|dkrud}n|jd
d|dt	d||fdddd||fg	�q�q�n|dkr*|d"kr*|d#kr*|jd
d|dt	d||f|dkr|j�ndg�n|S($NRR!R"R#R�R^s%s_logs%s_denys%s_allowRQs%ss%s_%ss	%s_%s_logs
%s_%s_denys%s_%s_allowR\tjumpR�R RR�R�R�tREJECTs
%%REJECT%%R�s%%LOGTYPE%%Rtprefixs"filter_%s_%s: "R�(sINPUTs
FORWARD_INsFORWARD_OUTsOUTPUT(R�s
%%REJECT%%sDROP(sACCEPTR�s
%%REJECT%%sDROP(sINPUTs
FORWARD_INsFORWARD_OUTsOUTPUT(R�tbuild_zone_chain_rulesRR�RR�R�R�RWR�R<R^t_zonesR�tget_log_deniedtlower(	RDR^RcR�R`R�t_zoneR�t
log_suffix((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR�^s^


	
%cCs�iddddgd6ddddgd6ddddgd6ddddgd	6dddd
gd6dddd
gd6dd
dd
gd6dd
dd
gd6ddddgd6ddddgd6ddddgd6ddddgd6ddddgd6dd
ddgd6ddddgd6ddddgd6ddddgd6dd
ddgd6dd
ddgd 6dd
dd!gd"6dd
dd!gd!6dd#d$gd%6dd#d$gd&6}||S('NR�R$R%shost-prohibitedsicmp-host-prohibitedshost-prohibsnet-prohibitedsicmp-net-prohibiteds
net-prohibsadmin-prohibitedsicmp-admin-prohibitedsadmin-prohibR8sicmp6-adm-prohibitedsadm-prohibitedsnet-unreachablesicmp-net-unreachablesnet-unreachshost-unreachablesicmp-host-unreachableshost-unreachsport-unreachablesicmp-port-unreachablesicmp6-port-unreachableR�sport-unreachsprot-unreachablesicmp-proto-unreachables
proto-unreachsaddr-unreachablesicmp6-addr-unreachablesaddr-unreachsno-routesicmp6-no-routettcptresets	tcp-resetstcp-rst((RDtreject_typetfrags((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_reject_types_fragment�s2cCs�|s
gSidd6dd6dd6dd6}y|jjd	�}Wn tk
rdttd
��nXdd|jd
|!d	||j|dgS(Ntsecondtstminutetmthourthtdaytdt/sExpected '/' in limittlimittrateii(tvalueRRRTR
R(RDR�trich_to_nftR]((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_limit_fragment�s

cCs�|js
gSidt6dt6|}|dddtd||fg}||dg7}|jjr�|dd	|jjg7}n|jjr�|d
d	|jjg7}n||j|jj�7}|S(NRQRbR\R!s%ss	%s_%s_logRR�s"%s"tlevel(RRiRKR�R�R�R�R�(RDt	rich_ruleR�RcR�t
rule_fragmentR�R\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_log�s	cCs||js
gSidt6dt6|}|dddtd||fg}||ddd	g7}||j|jj�7}|S(
NRQRbR\R!s%ss	%s_%s_logRR�taudit(R�RiRKR�R�R�(RDR�R�RcR�R�R�R\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_audit�s	cCs�|js
gSidt6dt6|}t|j�tkrVd||f}dg}	nt|j�tkr�d||f}dg}	|jjr^|	|j|jj�7}	q^n�t|j�tkr�d||f}dg}	n~t|j�tkrBt	j
dtd	d
|�}d}d||f}dd
d|jjg}	nt
tdt|j���|dddt|g}
|
|7}
|
|j|jj�7}
|
|	7}
|
S(NRQRbs%s_%s_allowtaccepts
%s_%s_denyR�tdropR�RR^RR�tmarkR�sUnknown action %sR\R!s%s(R�RiRKR%RRR�RRRR�RR�R
RR�R�R�(RDR^R�R�RcR�R�R�R�trule_actionR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_action�s6			

cCsS|s
gS|dkr#dddgS|dkr<dddgSttd|��dS(NR7R�tnfprotoR9sInvalid family(R
R(RDtrich_family((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_family_fragments

cCsx|s
gSg}td|j�r2|dg7}n
|dg7}|jra|dd|jg7}n|d|jg7}|S(NR7R"R#R�s!=(Rtaddrtinvert(RDt	rich_destR�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_destination_fragments
	cCsJ|s
gSg}|jr�td|j�r;|dg7}n
|dg7}|jrj|dd|jg7}qF|d|jg7}n�t|d�r�|jr�|jr�|ddd|jg7}qF|dd|jg7}npt|d�rF|jrF|j|j�}|jr)||ddd	|jg7}qF||dd	|jg7}n|S(
NR7R"R#R�s!=tmacR�R�R�(RRRthasattrRR�R�(RDtrich_sourceR�R`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_source_fragment,s(	
			 c	Cs�idt6dt6|}d}tjdtdd|�}	g}
|r_|
|j|j�7}
n|r�td|�r�|
dg7}
n
|
d	g7}
|
d
|g7}
n|r�|
|j|j	�7}
|
|j
|j�7}
n|
|ddt|d
�g7}
|st
|j�tkr+|
dddg7}
ng}|r�|j|j||||	|
��|j|j||||	|
��|j|j|||||	|
��n5|j|dddtd||	fg|
dg�|S(NRQRbR R�RR^R7R"R#R�tdports%st-tcttstates
new,untrackedR\R!s%s_%s_allowR�(RiRKRR�RRR`RRtdestinationR	tsourceRR%R�RRWR�R�R�R�(RDR�R^tprototportRR�R�RcR�R�R�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_ports_rulesIs2
 ""(/c	Cs�idt6dt6|}d}tjdtdd|�}g}	|r_|	|j|j�7}	n|r�td|�r�|	dg7}	n
|	d	g7}	|	d
|g7}	n|r�|	|j|j�7}	|	|j|j	�7}	|	|j
|j�7}	ndd|g}	|st|j
�tkr0|	d
ddg7}	ng}
|r�|
j|j|||||	��|
j|j|||||	��|
j|j||||||	��n/|
j|dddtd|g|	dg�|
S(NRQRbR R�RR^R7R"R#R�R�R�RR
s
new,untrackedR\R!s%ssfilter_%s_allowR�(RiRKRR�RRR`RRRR	RR%R�RRWR�R�R�R�(RDR�R^tprotocolRR�R�RcR�R�R�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_protocol_rulesjs4
""()c	Cs�idt6dt6|}d}tjdtdd|�}	g}
|r_|
|j|j�7}
n|r�td|�r�|
dg7}
n
|
d	g7}
|
d
|g7}
n|r�|
|j|j	�7}
|
|j
|j�7}
n|
|ddt|d
�g7}
|st
|j�tkr+|
dddg7}
ng}|r�|j|j||||	|
��|j|j||||	|
��|j|j|||||	|
��n5|j|dddtd||	fg|
dg�|S(NRQRbR R�RR^R7R"R#R�tsports%sRRR
s
new,untrackedR\R!s%s_%s_allowR�(RiRKRR�RRR`RRRR	RRR%R�RRWR�R�R�R�(RDR�R^RRRR�R�RcR�R�R�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_source_ports_rules�s2
 ""(/cCsidt6dt6|}tjdtdd|�}	|dddtd	|	g}
|r�td
|�rv|
dg7}
n
|
dg7}
|
d
|g7}
n|
|ddt|d�g7}
|
dddd||fg7}
dddtd||fddd|d|ddg}||
gS(NRQRbR�RR^R\R!s%ssfilter_%s_allowR7R"R#R�R
RRthelperR�s"helper-%s-%s"shelper-%s-%st{R%s"%s"Rt;t}(RiRKRR�RR�RR(RDR�R^RRRthelper_nametmodule_short_nameR�R�R\t
helper_object((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_helper_ports_rules�s"	

  
cCs�idt6dt6|}tjdtdd|�}g}|ro||j|j�7}||j|j�7}n|d|dt	d|g|d	d
ddggS(
NRQRbR�RR^R\s%ssnat_%s_allowR�s!=tlot
masquerade(
RiRKRR�RRRR	RR�(RDR�R^R`R�R�R�R�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt _build_zone_masquerade_nat_rules�s	cCs�g}|rd|jr$|jdksB|jrdtd|jj�rd|j|j||d|��n}|r�|jr�|jdks�|jr�td|jj�r�|j|j||d|��n|j|j||d|��idt6dt6|}tj	dt
dd	|�}g}|rP||j|j�7}||j
|j�7}n|j|d
ddtd
|g|ddddg�|S(NR9R#R7R"RQRbR�R�R^R\R!s%ssfilter_%s_allowRR
s
new,untrackedR�(R`RRRR�R!RiRKRR�RRRR	RWR�(RDR�R^R�R�R�R�R�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_masquerade_rules�s$""	2c	Cs�idt6dt6|}tjdtdd|�}	g}
|rV|
dd|g7}
n|
ddg7}
|r�|d	kr�|
d
t|d�g7}
n|d|d
td|	dd|g||
gS(NRQRbR�RR^tdnatttoR+Res:%sRR\s%ssnat_%s_allowR�R�(RiRKRR�RRR�(RDR�R^Rt
mark_fragmentttoaddrttoportR`R�R�t
dnat_fragment((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt"_build_zone_forward_port_nat_rules�s	c
Csaidt6dt6|}
d|}dd|g}tjdtdd|�}
g}|	r�||j|	j�7}||j|	j�7}||j	|	j
�7}ng}|j|
d	d
dtd|
g||d
|ddd|g�|	rC|	jr|	jdks|rCt
d|�rC|j|j||||||d��n�|	r�|	jra|	jdksv|r�t
d|�r�|j|j||||||d��nh|r�t
d|�r�|j|j||||||d��n(|j|j||||||d��tjdt|d|�}
|j|
d	d
dtd|
dddg|dg�|S(NRQRbs0x%xR�R�R�RR^R\R!s%ssmangle_%s_allowR
R�R9R#R7R"sfilter_%s_allowRR
s
new,untrackedR�(RiRKRR�RRR`RRR	RRWR�RR�R)(RDR�R^tfilter_chainRRR'R&tmark_idR�R�tmark_strR%R�R�R�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_forward_port_ruless@
		2cCs<|t|krt||Sttd||jf��dS(Ns"ICMP type '%s' not supported by %s(R�R
R
tname(RDR�t	icmp_type((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_icmp_types_to_nft_fragment/scCs�d}idt6dt6|}|r9|jr9|j}n\|jr�g}d|jkrg|jd�nd|jkr�|jd�q�nddg}g}x/|D]'}	xddgD]}
tjdt|
d	|�}|jj	j
|�rd
||f}d}
nd||f}d
}
g}|rl||j|j�7}||j
|j�7}||j|j�7}n||j|	|j�7}|r8|j|j|||||��|j|j|||||��|jr|j|j||||||��q�|j|dddtd||fg|d
g�q�|jj�dkr�|
dkr�|j|dddt|g|dddd||fg�n|j|dddt|g||
g�q�Wq�W|S(NR RQRbR7R9RR�R�R^s%s_%s_allowR�s
%s_%s_denys
%%REJECT%%R\R!s%sR�s%%LOGTYPE%%RR�s"%s_%s_ICMP_BLOCK: "(RiRKtipvsRRWRR�RR<R^tquery_icmp_block_inversionRR`RR	RR0R.R�R�R�R�R�R�(RDR�R^tictR�RcR�R1R�R�R�R�tfinal_chaintfinal_targetR�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_icmp_block_rules6sT	
		""	(2!	-c	Cs�d}g}x�ddgD]�}tjdt|d|�}djddtd	||fd
d||fg�}|j|}|jjj|�r�d}	nd
}	|r�ddddtd	||fd|g}
n#ddddtd	||fg}
|
d|	g7}
|j	|
�|jjj|�r|jj
�dkr�|rpddddtd	||fd|g}
n#ddddtd	||fg}
|
ddddd||fg7}
|j	|
�q�qqW|S(NR RR�R�R^RgR!s%ss%s_%sR�s%s_%s_allows
%%REJECT%%R�RQR\RfRbs%%ICMP%%R�s%%LOGTYPE%%RR�s"%s_%s_ICMP_BLOCK: "(RR�RRlR�RAR<R^R2RWR�(RDR�R^RcR�R�R�Rxtrule_handlet
ibi_targetR\((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt%build_zone_icmp_block_inversion_rulesls<	


	
cCs�g}|jddddtdddd	d
ddd
dddg�|dkr�|jddddtdddd	d
ddd
dddddg�n|jddddtdddddg	�|S(NRPR\R!s%ssraw_%sRR�R�R9tfibR�t.tiiftoiftmissingR�R�RR�s"rpfilter_DROP: "R8R%s){ nd-router-advert, nd-neighbor-solicit }R�traw_PREROUTINGR?R?(RWR�(RDR�R�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_rpfilter_rules�s	
cCs�d}tjdtdd|�}g}||j|j�7}||j|j�7}||j|j�7}g}|j	|j
|||||��|j	|j|||||��|j	|j||||||��|S(NR R�RR^(
RR�RRR`RRR	RRWR�R�R�(RDR�R^R�RcR�R�R�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt(build_zone_rich_source_destination_rules�s	""%cCs|dkrtStS(NR7R9teb(sipv4sipv6RB(RiRK(RDR�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytis_ipv_supported�scCs;idd6dd6}i||gd6||ddgd6||dd	||gd
6||dd	||gd6||dgd
6||gd6||ddgd6||dd	||gd6||dd	||gd6||dgd6dgd6}ydg||dgSWn$tk
r6ttd|��nXdS(Nt	ipv4_addrR7t	ipv6_addrR9shash:ips. inet_protos. inet_serviceshash:ip,ports. inet_service .shash:ip,port,ipshash:ip,port,nets. markshash:ip,markshash:nets
hash:net,portshash:net,port,ipshash:net,port,nets. ifnameshash:net,ifacet
ether_addrshash:macR%Rs!ipset type name '%s' is not valid(tKeyErrorR
R(RDR�R%tipv_addrttypes((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_set_type_fragment�s(


c
Cs)|r+d|kr+|ddkr+d}nd}|dg}||j||�7}|r�d|kr�|d|dddg7}nd	|kr�|d
|d	dg7}q�n|s�d|kr�d|kr�|dd
dg7}n|dg7}x4dddgD]#}|jdd|tg|�q�WdS(NR`tinet6R9R7RttimeoutR�Rtmaxelemtsizet,tflagstintervalRR!R"R#RQR�(RJR�R�(RDR.R%toptionsR�tcmdR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt
set_create�s "	
cCs:x3dddgD]"}|jdd|t|g�qWdS(NR!R"R#RbR�(R�R�(RDR.R`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytset_destroy�scCs)|jjj|�jd�djd�}|jd�}t|�t|�krdttd��ng}x�tt|��D]�}||dkr�y||jd�}Wn(t	k
r�|dd||g7}qX|||| d|||dg7}n|j
||�|j
d�q}W|d S(	Nt:iROs+Number of values does not match ipset type.RR�R;i����(R<R�tget_typetsplitRZR
RtrangeRRRTRW(RDR.tentryttype_formattentry_tokenstfragmentR]RR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_set_entry_fragment�s +
*cCsTxMdddgD]<}|jdd|t|dg|j||�dg�qWdS(NR!R"R#RQtelementRR(R�R�R^(RDR.RZR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytset_addscCsTxMdddgD]<}|jdd|t|dg|j||�dg�qWdS(NR!R"R#RbR_RR(R�R�R^(RDR.RZR`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt
set_deletescCs:x3dddgD]"}|jdd|t|g�qWdS(NR!R"R#tflushR�(R�R�(RDR.R`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt	set_flushscCsk|jjj|�}|jdkr-d}n:|jrad|jkra|jddkrad}nd}|S(Nshash:macR�R`RKR#R"(R<R�t	get_ipsetR%RR(RDR.R�R`((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR�!s		N(7t__name__t
__module__R.Ritzones_supportedRFR?RaR�RR�R�R�RUR�R�R�R�R�R�R�RKR�R�R�R�R�R�R�R�RRR	RRRRR!R"R)R-R0R6R9R@RARCRJRTRUR^R`RaRcR�(((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR:�sf				-	U							
		
	T	
+9@	 			
	"	
		!#!		,	6	2								(%tos.pathRGRotfirewall.core.baseRRtfirewall.core.progRtfirewall.core.loggerRtfirewall.functionsRRRRRtfirewallR	tfirewall.errorsR
RRR
RRtfirewall.core.richRRRRR�R�R�R�R�tobjectR:(((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt<module>s�(."
 
F1l3 Manager
