Viewing File: /usr/lib/python3.6/site-packages/firewall/core/__pycache__/fw_policy.cpython-36.opt-1.pyc

3

��g=V�@s�ddlZddlZddlmZddlmZmZmZmZm	Z	m
Z
mZmZm
Z
mZddlmZmZmZmZmZmZmZmZmZmZmZddlmZddlmZddlm Z ddl!m"Z"dd	l#m$Z$Gd
d�de%�Z&dS)�N)�log)
�portStr�checkIPnMask�
checkIP6nMask�
checkProtocol�enable_ip_forwarding�check_single_address�portInPortRange�get_nf_conntrack_short_name�coalescePortRange�breakPortRange)�	Rich_Rule�Rich_Accept�Rich_Service�	Rich_Port�
Rich_Protocol�Rich_Masquerade�Rich_ForwardPort�Rich_SourcePort�Rich_IcmpBlock�
Rich_IcmpType�	Rich_Mark)�FirewallTransaction)�errors)�
FirewallError)�LastUpdatedOrderedDict)�SOURCE_IPSET_TYPESc@s�eZdZdd�Zdd�Zdd�Zdd�Zd	d
�Zdd�Zd
d�Z	dd�Z
dd�Zdd�Zdd�Z
�ddd�Zdd�Zdd�Zdd�Z�dd d!�Z�d
d"d#�Z�dd$d%�Zd&d'�Zd(d)�Zd*d+�Zd,d-�Z�dd0d1�Zd2d3�Z�dd4d5�Zd6d7�Zd8d9�Zd:d;�Zd<d=�Zd>d?�Z �dd@dA�Z!dBdC�Z"�ddDdE�Z#dFdG�Z$dHdI�Z%dJdK�Z&dLdM�Z'dNdO�Z(dPdQ�Z)dRdS�Z*�ddTdU�Z+dVdW�Z,�ddXdY�Z-dZd[�Z.d\d]�Z/d^d_�Z0d`da�Z1dbdc�Z2�dddde�Z3dfdg�Z4�ddhdi�Z5djdk�Z6dldm�Z7dndo�Z8dpdq�Z9drds�Z:dtdu�Z;dvdw�Z<�ddxdy�Z=dzd{�Z>�dd|d}�Z?d~d�Z@d�d��ZAd�d��ZBd�d��ZCd�d��ZD�dd�d��ZEd�d��ZF�dd�d��ZGd�d��ZHd�d��ZId�d��ZJd�d��ZK�dd�d��ZLd�d��ZM�dd�d��ZNd�d��ZOd�d��ZPd�d��ZQd�d��ZR�dd�d��ZSd�d��ZT�dd�d��ZUd�d��ZVd�d��ZW�dd�d��ZX�d d�d��ZY�d!d�d��ZZd�d��Z[�d"d�d��Z\d�d��Z]�d#d�d��Z^d�d��Z_d�d��Z`d�d��Za�d$d�dÄZbd�dńZc�d%d�dDŽZdd�dɄZed�d˄Zfd�d̈́Zgd�dτZh�d&d�dфZid�dӄZjd�dՄZk�d'd�dׄZld�dلZmd�dۄZnd�d݄Zod�d߄Zpd�d�Zqd�d�Zrd�d�Zsd�d�Ztd�d�Zu�d(d�d�Zv�d)d�d�Zwd�d�Zxd�d�Zyd�d�Zzd�d��Z{�d*d�d��Z|d�d��Z}d�d��Z~d�d��Zd�d��Z��d�d�Z��d�d�Z��d�d�Z��d�d�Z��d+�d	�d
�Z�dS(,�FirewallPolicycCs||_i|_i|_dS)N)�_fw�_chains�	_policies)�self�fw�r#�/usr/lib/python3.6/fw_policy.py�__init__szFirewallPolicy.__init__cCsd|j|j|jfS)Nz
%s(%r, %r))�	__class__rr )r!r#r#r$�__repr__szFirewallPolicy.__repr__cCs|jj�|jj�dS)N)r�clearr )r!r#r#r$�cleanups
zFirewallPolicy.cleanupcCs
t|j�S)N)rr)r!r#r#r$�new_transaction$szFirewallPolicy.new_transactioncCst|jj��S)N)�sortedr �keys)r!r#r#r$�get_policies)szFirewallPolicy.get_policiescCs8g}x*|j�D]}|j|�}|js|j|�qWt|�S)N)r-�
get_policy�derived_from_zone�appendr+)r!Zpolicies�p�p_objr#r#r$�"get_policies_not_derived_from_zone,s
z1FirewallPolicy.get_policies_not_derived_from_zonecCs~g}xt|j�D]h}|j|�}t|d�t|jjj��tddg�B@rt|d�t|jjj��tddg�B@r|j|�qW|S)N�
ingress_zones�HOST�ANY�egress_zones)r3�get_settings�setr�zoneZget_active_zonesr0)r!Zactive_policies�policy�settingsr#r#r$�)get_active_policies_not_derived_from_zone4s
((z8FirewallPolicy.get_active_policies_not_derived_from_zonecCs|jj|�}|j|S)N)r�check_policyr )r!r;r1r#r#r$r.>szFirewallPolicy.get_policycCs,dd�dD�|_||j|j<|j|j�dS)NcSsi|]}t�|�qSr#)r)�.0�xr#r#r$�
<dictcomp>Csz-FirewallPolicy.add_policy.<locals>.<dictcomp>�services�ports�
masquerade�
forward_ports�source_ports�icmp_blocks�rules�	protocols�icmp_block_inversionr4r7)rBrCrDrErFrGrHrIrJr4r7)r<r �name�copy_permanent_to_runtime)r!�objr#r#r$�
add_policyBs
zFirewallPolicy.add_policycCs0|j|}|jr|j|�|jj�|j|=dS)N)r �applied�unapply_policy_settingsr<r()r!r;rMr#r#r$�
remove_policyNs



zFirewallPolicy.remove_policycCs�|j|}|jrdSx|jD]}|j||dd�qWx|jD]}|j||dd�q<Wx|jD]}|j||�q\Wx|jD]}|j	|f|��qxWx|j
D]}|j||�q�Wxf|jD]\}y|j
|f|��Wq�tk
�r}z$|jtjgkr�tj|�n|�WYdd}~Xq�Xq�Wx|jD]}|j||��qWxj|jD]`}y|j|f|��WnDtk
�r�}z&|jtjgk�r�tj|�n|�WYdd}~XnX�q:Wx|jD]}|j||��q�W|j�r�|j|�dS)NF)�allow_apply)r rOr4�add_ingress_zoner7�add_egress_zonerG�add_icmp_blockrE�add_forward_portrB�add_servicerC�add_portr�coder�ALREADY_ENABLEDr�warningrI�add_protocolrF�add_source_portrH�add_rulerD�add_masquerade)r!r;rM�args�errorr#r#r$rLUsB
z(FirewallPolicy.copy_permanent_to_runtimeNcCsNxH|j�D]<}|j|}|jr q
||j�kr
tjd|�|j||d�q
WdS)NzApplying policy '%s')�use_transaction)r-r r/r=rZdebug1�apply_policy_settings)r!rbr;r2r#r#r$�apply_policies|s
zFirewallPolicy.apply_policiescCs|j|}||_dS)N)r rO)r!r;rOrMr#r#r$�set_policy_applied�s
z!FirewallPolicy.set_policy_appliedcCstj�||d�}|S)N)Zdate�sender�timeout)�time)r!rgrf�retr#r#r$Z__gen_settings�szFirewallPolicy.__gen_settingscCs|j|�jS)N)r.r<)r!r;r#r#r$r8�szFirewallPolicy.get_settingscCsj|jj|�}|j|}|r |js.|r2|jr2dS|r<d|_|dkrN|j�}n|}|r�x8|jsh|j|�n|j|�D]\}}|j|d|||�qrW|j	|�}	|js�|j
|||��xV|	D�]L}
�xD|	|
D�]6}|
dkr�|j||||�q�|
dkr�q�q�|
dk�r|j|||f|��q�|
dk�r0|j
||||�q�|
dk�rV|j|||d|d|�q�|
d	k�rr|j||||�q�|
d
k�r�|j|||d|d|�q�|
dk�r�|j|||�q�|
dk�r�|j||t|d
�|�q�|
dk�r�q�q�|
dk�r�q�q�tjd||
|�q�Wq�W|�sRx<|j�s"|j|�n|j|�D]\}}|j|d|||��q,Wd|_|dk�rf|j|�dS)NTrGrJrErBrCr�rIrFrDrH)�rule_strr4r7z5Policy '%s': Unknown setting '%s:%s', unable to applyF)rr>r rOr*r/�%_get_table_chains_for_policy_dispatch�#_get_table_chains_for_zone_dispatch�gen_chain_rulesr8�_ingress_egress_zones�_icmp_block�
_forward_port�_service�_port�	_protocol�_source_port�_masquerade�_FirewallPolicy__ruler
rr[�execute)r!�enabler;rb�_policyrM�transaction�table�chainr<�keyr`r#r#r$�_policy_settings�sj













zFirewallPolicy._policy_settingscCs|jd||d�dS)NT)rb)r)r!r;rbr#r#r$rc�sz$FirewallPolicy.apply_policy_settingscCs|jd||d�dS)NF)rb)r)r!r;rbr#r#r$rP�sz&FirewallPolicy.unapply_policy_settingscCsr|j|�j�}|j|�|j|�|j|�|j|�|j|�|j|�|j|�|j	|�|j
|�|j|�d�
}|jj
||�S)zH
        :return: exported config updated with runtime settings
        )
rBrCrGrDrE�
rich_rulesrIrFr4r7)r.Zexport_config_dict�
list_services�
list_ports�list_icmp_blocks�query_masquerade�list_forward_ports�
list_rules�list_protocols�list_source_ports�list_ingress_zones�list_egress_zonesrZ'combine_runtime_with_permanent_settings)r!r;Z	permanentZruntimer#r#r$�get_config_with_settings_dict�sz,FirewallPolicy.get_config_with_settings_dictcs�ddlm�d
��fdd�	}��fdd�}�j�jf�j�jf�j�jf�j�j	f�j
�jf||f�j�j
f�j�jf�j�jf�j�jfd�
}�j|�}�jj||�\}}	xt|	D]l}
t|	|
t��rxV|	|
D]8}t|t�r�||
d|f|��q�||
d||�q�Wq�||
d|�q�Wx�|D]�}
t||
t��r�xn||
D]J}t|t��rv||
d|f|�d|d	��n||
d||d|d	��qFWn||
d|d|d	��q(WdS)Nr)r
cs�j|�|d�d|d�dS)N)rkr)rgrf)r^)r;rkrgrf)r
r!r#r$�add_rule_wrapper�szFFirewallPolicy.set_config_with_settings_dict.<locals>.add_rule_wrappercs�j|�|d��dS)N)rk)�remove_rule)r;rk)r
r!r#r$�remove_rule_wrapper�szIFirewallPolicy.set_config_with_settings_dict.<locals>.remove_rule_wrapper)
rBrCrGrDrEr�rIrFr4r7rj)rgrf)rN)�firewall.core.richr
rW�remove_servicerX�remove_portrU�remove_icmp_blockr_�remove_masqueraderV�remove_forward_portr\�remove_protocolr]�remove_source_portrS�remove_ingress_zonerT�remove_egress_zoner�rZget_added_and_removed_settings�
isinstance�list�tuple)r!r;r<rfr�r�Z
setting_to_fnZold_settingsZadd_settingsZremove_settingsr~r`r#)r
r!r$�set_config_with_settings_dict�s:











  z,FirewallPolicy.set_config_with_settings_dictcCs&|sttj��|dkr"|jj|�dS)Nr5r6)r5r6)rr�INVALID_ZONEr�
check_zone)r!r:r#r#r$�check_ingress_zones
z!FirewallPolicy.check_ingress_zonecCs|j|�|S)N)r�)r!r:r#r#r$Z__ingress_zone_id"s
z FirewallPolicy.__ingress_zone_idrTcCs�|jj|�}|jj|�|jj�|j|}|j|�}	|	|jdkrXttj	d||f��d|jdks�d|jdks�|dkr�|jdr�ttj
d��|dkr�d|jdkr�ttj
d��|dkr�|j�}
n|}
|�rJ|jr�|j
d||
�|j||	||�|
j|j||	�|j�s:||j�k�rH|j||
d	�|
j|j|d�n|j
d
||
�n |j||	||�|
j|j||	�|dk�r~|
jd
�dS)Nr4z'%s' already in '%s'r6r5zI'ingress-zones' may only contain one of: many regular zones, ANY, or HOSTr7zF'HOST' can only appear in either ingress or egress zones, but not bothF)rbT)r6r5)rr>�
check_timeout�check_panicr � _FirewallPolicy__ingress_zone_idr<rrrZr�r*rOro�&_FirewallPolicy__register_ingress_zone�add_fail�(_FirewallPolicy__unregister_ingress_zoner=rcrerx)r!r;r:rgrfrbrRrz�_obj�zone_idr{r#r#r$rS&s<




zFirewallPolicy.add_ingress_zonecCs|j||�|jd|<dS)Nr4)�_FirewallPolicy__gen_settingsr<)r!r�r�rgrfr#r#r$Z__register_ingress_zoneSsz&FirewallPolicy.__register_ingress_zonecCs�|jj|�}|jj�|j|}|j|�}||jdkrLttjd||f��|dkr^|j	�}n|}|j
r�t|jd�dkr�|j||�n|j
d||�|j||�|j|j||dd�||j�kr�|j
d||�n|j|j||�|dkr�|jd�|S)Nr4z'%s' not in '%s'rjFT)rr>r�r r�r<rr�NOT_ENABLEDr*rO�lenrPror�r�r�r=�add_postrx)r!r;r:rbrzr�r�r{r#r#r$r�Vs,




z"FirewallPolicy.remove_ingress_zonecCs||jdkr|jd|=dS)Nr4)r<)r!r�r�r#r#r$Z__unregister_ingress_zoneysz(FirewallPolicy.__unregister_ingress_zonecCs|j|�|j|�dkS)Nr4)r�r8)r!r;r:r#r#r$�query_ingress_zone}sz!FirewallPolicy.query_ingress_zonecCst|j|�dj��S)Nr4)r�r8r,)r!r;r#r#r$r��sz!FirewallPolicy.list_ingress_zonescCs&|sttj��|dkr"|jj|�dS)Nr5r6)r5r6)rrr�rr�)r!r:r#r#r$�check_egress_zone�s
z FirewallPolicy.check_egress_zonecCs|j|�|S)N)r�)r!r:r#r#r$Z__egress_zone_id�s
zFirewallPolicy.__egress_zone_idcCs�|jj|�}|jj|�|jj�|j|}|j|�}	|	|jdkrXttj	d||f��d|jdks�d|jdks�|dkr�|jdr�ttj
d��|dkr�d|jdkr�ttj
d��|dkr�|j�}
n|}
|�rJ|jr�|j
d||
�|j||	||�|
j|j||	�|j�s:||j�k�rH|j||
d	�|
j|j|d�n|j
d
||
�n |j||	||�|
j|j||	�|dk�r~|
jd
�dS)Nr7z'%s' already in '%s'r6r5zH'egress-zones' may only contain one of: many regular zones, ANY, or HOSTr4zF'HOST' can only appear in either ingress or egress zones, but not bothF)rbT)r6r5)rr>r�r�r �_FirewallPolicy__egress_zone_idr<rrrZr�r*rOro�%_FirewallPolicy__register_egress_zoner��'_FirewallPolicy__unregister_egress_zoner=rcrerx)r!r;r:rgrfrbrRrzr�r�r{r#r#r$rT�s<




zFirewallPolicy.add_egress_zonecCs|j||�|jd|<dS)Nr7)r�r<)r!r�r�rgrfr#r#r$Z__register_egress_zone�sz%FirewallPolicy.__register_egress_zonecCs�|jj|�}|jj�|j|}|j|�}||jdkrLttjd||f��|dkr^|j	�}n|}|j
r�t|jd�dkr�|j||�n|j
d||�|j||�|j|j||dd�||j�kr�|j
d||�n|j|j||�|dkr�|jd�|S)Nr7z'%s' not in '%s'rjFT)rr>r�r r�r<rrr�r*rOr�rPror�r�r�r=r�rx)r!r;r:rbrzr�r�r{r#r#r$r��s,




z!FirewallPolicy.remove_egress_zonecCs||jdkr|jd|=dS)Nr7)r<)r!r�r�r#r#r$Z__unregister_egress_zone�sz'FirewallPolicy.__unregister_egress_zonecCs|j|�|j|�dkS)Nr7)r�r8)r!r;r:r#r#r$�query_egress_zone�sz FirewallPolicy.query_egress_zonecCst|j|�dj��S)Nr7)r�r8r,)r!r;r#r#r$r��sz FirewallPolicy.list_egress_zonescCs|j�dS)N)Zcheck)r!�ruler#r#r$�
check_rule�szFirewallPolicy.check_rulecCs|j|�t|�S)N)r��str)r!r�r#r#r$Z	__rule_id�s
zFirewallPolicy.__rule_idcCsx|sdS|jr,t|j�rdSt|j�rtdSnHt|d�r@|jr@dSt|d�rt|jrt|j|j�|j|j�|j|j�SdS)N�ipv4�ipv6�mac��ipset)	Zaddrrr�hasattrr�r��_check_ipset_type_for_source�_check_ipset_applied�
_ipset_family)r!�sourcer#r#r$�_rule_source_ipv�s

zFirewallPolicy._rule_source_ipvcCs|j||||�dS)N)�
_rule_prepare)r!ryr;r�r{r#r#r$Z__ruleszFirewallPolicy.__rulecCsL|jj|�}|jj|�|jj�|j|}|j|�}||jdkrh|jrP|jn|}	tt	j
d||	f��|j�s�|jr�t|jt
�r�d|jdkr�tt	jd��d|jdkr�tt	jd��x6|jdD](}
|
dkr�q�|jjj|
�r�tt	jd	��q�W|j�r�t|jt��r�d|jdk�r,|jj�r�tt	jd
��nb|jd�r�|jj�sNtt	jd��x>|jdD]0}
|
dk�rl�qZ|jjj|
��rZtt	jd���qZW|j�r�t|jt��r�x>|jdD]0}
|
dk�rq�|jjj|
��r�tt	jd
���q�W|dk�r�|j�}n|}|j�r|jd|||�|j||||�|j|j||�|dk�rH|jd�|S)NrHz'%s' already in '%s'r5r7z.'masquerade' is invalid for egress zone 'HOST'r4z/'masquerade' is invalid for ingress zone 'HOST'r6zR'masquerade' cannot be used in a policy if an ingress zone has assigned interfaceszAA 'forward-port' with 'to-addr' is invalid for egress zone 'HOST'zC'forward-port' requires 'to-addr' if egress zone is 'ANY' or a zonezS'forward-port' cannot be used in a policy if an egress zone has assigned interfaceszR'mark' action cannot be used in a policy if an egress zone has assigned interfacesT)r6r5)rr>r�r�r �_FirewallPolicy__rule_idr<r/rrrZ�elementr�rr�r:�list_interfacesr�
to_address�INVALID_FORWARD�actionrr*rOrw�_FirewallPolicy__register_ruler�� _FirewallPolicy__unregister_rulerx)r!r;r�rgrfrbrzr��rule_id�_namer:r{r#r#r$r^
s`










zFirewallPolicy.add_rulecCs|j||�|jd|<dS)NrH)r�r<)r!r�r�rgrfr#r#r$Z__register_ruleEszFirewallPolicy.__register_rulec	Cs�|jj|�}|jj�|j|}|j|�}||jdkr\|jrD|jn|}ttj	d||f��|dkrn|j
�}n|}|jr�|jd|||�|j
|j||�|dkr�|jd�|S)NrHz'%s' not in '%s'FT)rr>r�r r�r<r/rrr�r*rOrwr�r�rx)	r!r;r�rbrzr�r�r�r{r#r#r$r�Is"




zFirewallPolicy.remove_rulecCs||jdkr|jd|=dS)NrH)r<)r!r�r�r#r#r$Z__unregister_ruledsz FirewallPolicy.__unregister_rulecCs|j|�|j|�dkS)NrH)r�r8)r!r;r�r#r#r$�
query_rulehszFirewallPolicy.query_rulecCst|j|�dj��S)NrH)r�r8r,)r!r;r#r#r$r�kszFirewallPolicy.list_rulescCs|jj|�dS)N)r�
check_service)r!�servicer#r#r$r�pszFirewallPolicy.check_servicecCs|j|�|S)N)r�)r!r�r#r#r$Z__service_idss
zFirewallPolicy.__service_idcCs�|jj|�}|jj|�|jj�|j|}|j|�}||jdkrh|jrP|jn|}	tt	j
d||	f��|dkrz|j�}
n|}
|jr�|j
d|||
�|j||||�|
j|j||�|dkr�|
jd�|S)NrBz'%s' already in '%s'T)rr>r�r�r �_FirewallPolicy__service_idr<r/rrrZr*rOrr�!_FirewallPolicy__register_servicer��#_FirewallPolicy__unregister_servicerx)r!r;r�rgrfrbrzr��
service_idr�r{r#r#r$rWws&




zFirewallPolicy.add_servicecCs|j||�|jd|<dS)NrB)r�r<)r!r�r�rgrfr#r#r$Z__register_service�sz!FirewallPolicy.__register_servicec	Cs�|jj|�}|jj�|j|}|j|�}||jdkr\|jrD|jn|}ttj	d||f��|dkrn|j
�}n|}|jr�|jd|||�|j
|j||�|dkr�|jd�|S)NrBz'%s' not in '%s'FT)rr>r�r r�r<r/rrr�r*rOrrr�r�rx)	r!r;r�rbrzr�r�r�r{r#r#r$r��s"




zFirewallPolicy.remove_servicecCs||jdkr|jd|=dS)NrB)r<)r!r�r�r#r#r$Z__unregister_service�sz#FirewallPolicy.__unregister_servicecCs|j|�|j|�dkS)NrB)r�r8)r!r;r�r#r#r$�
query_service�szFirewallPolicy.query_servicecCs|j|�dj�S)NrB)r8r,)r!r;r#r#r$r��szFirewallPolicy.list_servicescCsTg}xJ|D]B}y|jjj|�}Wn tk
r@ttj|��YnX|j|�q
W|S)N)r�helper�
get_helperrr�INVALID_HELPERr0)r!�helpers�_helpersr��_helperr#r#r$�get_helpers_for_service_helpers�s
z.FirewallPolicy.get_helpers_for_service_helperscCs�g}x�|D]�}y|jjj|�}Wn tk
r@ttj|��YnXt|j�dkr�t|j	�}y|jjj|�}|j
|�Wq�tk
r�|r�tjd|�w
Yq�Xq
|j
|�q
W|S)NrjzHelper '%s' is not available)
rr�r�rrr�r�rCr
�moduler0rr[)r!�modulesryr�r�r��_module_short_namer�r#r#r$�get_helpers_for_service_modules�s"


z.FirewallPolicy.get_helpers_for_service_modulescCs|jj|�|jj|�dS)N)r�
check_port�check_tcpudp)r!�port�protocolr#r#r$r��szFirewallPolicy.check_portcCs|j||�t|d�|fS)N�-)r�r)r!r�r�r#r#r$Z	__port_id�szFirewallPolicy.__port_idcs�|jj|�}|jj|�|jj�|j|}tt�fdd�|jd��}	x@|	D]8}
t||
d�rN|j	rl|j	n|}t
tjd|�|f��qNWt
|dd�|	D��\}}
|dkr�|j�}n|}|j�rx$|D]}|jd|t|d	��|�q�Wx$|
D]}|jd
|t|d	��|�q�Wx:|D]2}|j|��}
|j||
||�|j|j||
��qWx*|
D]"}|j|��}
|j|j||
��qNW|dk�r�|jd�|S)Ncs|d�kS)Nrjr#)r@)r�r#r$�<lambda>�sz)FirewallPolicy.add_port.<locals>.<lambda>rCrz'%s:%s' already in '%s'cSsg|]\}}|�qSr#r#)r?rsrtr#r#r$�
<listcomp>�sz+FirewallPolicy.add_port.<locals>.<listcomp>Tr�F)rr>r�r�r r��filterr<r	r/rrrZrr*rOrsr�_FirewallPolicy__port_id�_FirewallPolicy__register_portr�� _FirewallPolicy__unregister_portr�rx)r!r;r�r�rgrfrbrzr��existing_port_ids�port_idr��added_ranges�removed_rangesr{�ranger#)r�r$rX�s:









zFirewallPolicy.add_portcCs|j||�|jd|<dS)NrC)r�r<)r!r�r�rgrfr#r#r$Z__register_portszFirewallPolicy.__register_portcs�|jj|�}|jj�|j|}tt�fdd�|jd��}xB|D]}t||d�rBPqBW|jrf|jn|}	t	t
jd|�|	f��t|dd�|D��\}
}|dkr�|j
�}n|}|j�rx$|
D]}
|jd|t|
d	��|�q�Wx$|D]}
|jd
|t|
d	��|�q�Wx:|
D]2}
|j|
��}|j||dd�|j|j||��qWx*|D]"}
|j|
��}|j|j||��qDW|dk�r~|jd�|S)Ncs|d�kS)Nrjr#)r@)r�r#r$r�sz,FirewallPolicy.remove_port.<locals>.<lambda>rCrz'%s:%s' not in '%s'cSsg|]\}}|�qSr#r#)r?rsrtr#r#r$r�#sz.FirewallPolicy.remove_port.<locals>.<listcomp>Tr�F)rr>r�r r�r�r<r	r/rrr�rr*rOrsrr�r�r�r�r�rx)r!r;r�r�rbrzr�r�r�r�r�r�r{r�r#)r�r$r�s:









zFirewallPolicy.remove_portcCs||jdkr|jd|=dS)NrC)r<)r!r�r�r#r#r$Z__unregister_port=sz FirewallPolicy.__unregister_portcCs6x0|j|�dD]\}}t||�r||krdSqWdS)NrCTF)r8r	)r!r;r�r�rsrtr#r#r$�
query_portAszFirewallPolicy.query_portcCst|j|�dj��S)NrC)r�r8r,)r!r;r#r#r$r�HszFirewallPolicy.list_portscCst|�sttj|��dS)N)rrrZINVALID_PROTOCOL)r!r�r#r#r$�check_protocolMszFirewallPolicy.check_protocolcCs|j|�|S)N)r�)r!r�r#r#r$Z
__protocol_idQs
zFirewallPolicy.__protocol_idcCs�|jj|�}|jj|�|jj�|j|}|j|�}||jdkrh|jrP|jn|}	tt	j
d||	f��|dkrz|j�}
n|}
|jr�|j
d|||
�|j||||�|
j|j||�|dkr�|
jd�|S)NrIz'%s' already in '%s'T)rr>r�r�r �_FirewallPolicy__protocol_idr<r/rrrZr*rOrt�"_FirewallPolicy__register_protocolr��$_FirewallPolicy__unregister_protocolrx)r!r;r�rgrfrbrzr��protocol_idr�r{r#r#r$r\Us&




zFirewallPolicy.add_protocolcCs|j||�|jd|<dS)NrI)r�r<)r!r�r�rgrfr#r#r$Z__register_protocolrsz"FirewallPolicy.__register_protocolc	Cs�|jj|�}|jj�|j|}|j|�}||jdkr\|jrD|jn|}ttj	d||f��|dkrn|j
�}n|}|jr�|jd|||�|j
|j||�|dkr�|jd�|S)NrIz'%s' not in '%s'FT)rr>r�r r�r<r/rrr�r*rOrtr�r�rx)	r!r;r�rbrzr�r�r�r{r#r#r$r�vs$





zFirewallPolicy.remove_protocolcCs||jdkr|jd|=dS)NrI)r<)r!r�r�r#r#r$Z__unregister_protocol�sz$FirewallPolicy.__unregister_protocolcCs|j|�|j|�dkS)NrI)r�r8)r!r;r�r#r#r$�query_protocol�szFirewallPolicy.query_protocolcCst|j|�dj��S)NrI)r�r8r,)r!r;r#r#r$r��szFirewallPolicy.list_protocolscCs|j||�t|d�|fS)Nr�)r�r)r!r�r�r#r#r$Z__source_port_id�szFirewallPolicy.__source_port_idcs�|jj|�}|jj|�|jj�|j|}tt�fdd�|jd��}	x@|	D]8}
t||
d�rN|j	rl|j	n|}t
tjd|�|f��qNWt
|dd�|	D��\}}
|dkr�|j�}n|}|j�rx$|D]}|jd|t|d	��|�q�Wx$|
D]}|jd
|t|d	��|�q�Wx:|D]2}|j|��}
|j||
||�|j|j||
��qWx*|
D]"}|j|��}
|j|j||
��qNW|dk�r�|jd�|S)Ncs|d�kS)Nrjr#)r@)r�r#r$r��sz0FirewallPolicy.add_source_port.<locals>.<lambda>rFrz'%s:%s' already in '%s'cSsg|]\}}|�qSr#r#)r?rsrtr#r#r$r��sz2FirewallPolicy.add_source_port.<locals>.<listcomp>Tr�F)rr>r�r�r r�r�r<r	r/rrrZrr*rOrur�_FirewallPolicy__source_port_id�%_FirewallPolicy__register_source_portr��'_FirewallPolicy__unregister_source_portr�rx)r!r;r�r�rgrfrbrzr�r�r�r�r�r�r{r�r#)r�r$r]�s:









zFirewallPolicy.add_source_portcCs|j||�|jd|<dS)NrF)r�r<)r!r�r�rgrfr#r#r$Z__register_source_port�sz%FirewallPolicy.__register_source_portcs�|jj|�}|jj�|j|}tt�fdd�|jd��}xB|D]}t||d�rBPqBW|jrf|jn|}	t	t
jd|�|	f��t|dd�|D��\}
}|dkr�|j
�}n|}|j�rx$|
D]}
|jd|t|
d	��|�q�Wx$|D]}
|jd
|t|
d	��|�q�Wx:|
D]2}
|j|
��}|j||dd�|j|j||��qWx*|D]"}
|j|
��}|j|j||��qDW|dk�r~|jd�|S)Ncs|d�kS)Nrjr#)r@)r�r#r$r��sz3FirewallPolicy.remove_source_port.<locals>.<lambda>rFrz'%s:%s' not in '%s'cSsg|]\}}|�qSr#r#)r?rsrtr#r#r$r��sz5FirewallPolicy.remove_source_port.<locals>.<listcomp>Tr�F)rr>r�r r�r�r<r	r/rrr�rr*rOrurr�r�r�r�r�rx)r!r;r�r�rbrzr�r�r�r�r�r�r{r�r#)r�r$r��s:









z!FirewallPolicy.remove_source_portcCs||jdkr|jd|=dS)NrF)r<)r!r�r�r#r#r$Z__unregister_source_port�sz'FirewallPolicy.__unregister_source_portcCs6x0|j|�dD]\}}t||�r||krdSqWdS)NrFTF)r8r	)r!r;r�r�rsrtr#r#r$�query_source_port�sz FirewallPolicy.query_source_portcCst|j|�dj��S)NrF)r�r8r,)r!r;r#r#r$r�sz FirewallPolicy.list_source_portscCsdS)NTr#)r!r#r#r$Z__masquerade_idszFirewallPolicy.__masquerade_idcCs8|jj|�}|jj|�|jj�|j|}|j�}||jdkrb|jrN|jn|}tt	j
d|��|js�d|jdkr�tt	jd��d|jdkr�tt	jd��x6|jdD](}	|	dkr�q�|jjj
|	�r�tt	jd	��q�W|dkr�|j�}
n|}
|j�r|jd
||
�|j||||�|
j|j||�|dk�r4|
jd
�|S)NrDz"masquerade already enabled in '%s'r5r7z.'masquerade' is invalid for egress zone 'HOST'r4z/'masquerade' is invalid for ingress zone 'HOST'r6zR'masquerade' cannot be used in a policy if an ingress zone has assigned interfacesT)rr>r�r�r �_FirewallPolicy__masquerade_idr<r/rrrZr�r:r�r*rOrv�$_FirewallPolicy__register_masquerader��&_FirewallPolicy__unregister_masqueraderx)r!r;rgrfrbrzr��
masquerade_idr�r:r{r#r#r$r_
s:





zFirewallPolicy.add_masqueradecCs|j||�|jd|<dS)NrD)r�r<)r!r�r�rgrfr#r#r$Z__register_masquerade2sz$FirewallPolicy.__register_masqueradecCs�|jj|�}|jj�|j|}|j�}||jdkrV|jrB|jn|}ttj	d|��|dkrh|j
�}n|}|jr�|jd||�|j
|j||�|dkr�|jd�|S)NrDzmasquerade not enabled in '%s'FT)rr>r�r r�r<r/rrr�r*rOrvr�r�rx)r!r;rbrzr�r�r�r{r#r#r$r�6s"




z FirewallPolicy.remove_masqueradecCs||jdkr|jd|=dS)NrD)r<)r!r�r�r#r#r$Z__unregister_masqueradePsz&FirewallPolicy.__unregister_masqueradecCs|j�|j|�dkS)NrD)r�r8)r!r;r#r#r$r�TszFirewallPolicy.query_masqueradecCs^|jj|�|jj|�|r(|jj|�|rBt||�sBttj|��|rZ|rZttjd��dS)Nz.port-forwarding is missing to-port AND to-addr)rr�r�rrrZINVALID_ADDRr�)r!�ipvr�r��toport�toaddrr#r#r$�check_forward_portYs
z!FirewallPolicy.check_forward_portcCsLtd|�r|jd||||�n|jd||||�t|d�|t|d�t|�fS)Nr�r�r�)rrrr�)r!r�r�r�r�r#r#r$Z__forward_port_idfs


z FirewallPolicy.__forward_port_idc	CsZ|jj|�}	|jj|�|jj�|j|	}
|j||||�}||
jdkrt|
jrV|
jn|	}tt	j
d|||||f��|
js�d|
jdkr�|r�tt	jd��nR|
jdr�|s�tt	jd��x6|
jdD](}
|
dkr�q�|jjj
|
�r�tt	jd��q�W|dk�r|j�}n|}|
j�r"|jd	|	|||||�|j|
|||�|j|j|
|�|dk�rV|jd	�|	S)
NrEz'%s:%s:%s:%s' already in '%s'r5r7zAA 'forward-port' with 'to-addr' is invalid for egress zone 'HOST'zC'forward-port' requires 'to-addr' if egress zone is 'ANY' or a zoner6zS'forward-port' cannot be used in a policy if an egress zone has assigned interfacesT)rr>r�r�r � _FirewallPolicy__forward_port_idr<r/rrrZr�r:r�r�r*rOrq�&_FirewallPolicy__register_forward_portr��(_FirewallPolicy__unregister_forward_portrx)r!r;r�r�r�r�rgrfrbrzr��
forward_idr�r:r{r#r#r$rVnsB






zFirewallPolicy.add_forward_portcCs|j||�|jd|<dS)NrE)r�r<)r!r�rrgrfr#r#r$Z__register_forward_port�sz&FirewallPolicy.__register_forward_portcCs�|jj|�}|jj�|j|}|j||||�}	|	|jdkrh|jrJ|jn|}
ttj	d|||||
f��|dkrz|j
�}n|}|jr�|jd||||||�|j
|j||	�|dkr�|jd�|S)NrEz'%s:%s:%s:%s' not in '%s'FT)rr>r�r rr<r/rrr�r*rOrqr�rrx)r!r;r�r�r�r�rbrzr�rr�r{r#r#r$r��s&



z"FirewallPolicy.remove_forward_portcCs||jdkr|jd|=dS)NrE)r<)r!r�rr#r#r$Z__unregister_forward_port�sz(FirewallPolicy.__unregister_forward_portcCs"|j||||�}||j|�dkS)NrE)rr8)r!r;r�r�r�r�rr#r#r$�query_forward_port�sz!FirewallPolicy.query_forward_portcCst|j|�dj��S)NrE)r�r8r,)r!r;r#r#r$r��sz!FirewallPolicy.list_forward_portscCs|jj|�dS)N)rZcheck_icmptype)r!�icmpr#r#r$�check_icmp_block�szFirewallPolicy.check_icmp_blockcCs|j|�|S)N)r)r!rr#r#r$Z__icmp_block_id�s
zFirewallPolicy.__icmp_block_idcCs�|jj|�}|jj|�|jj�|j|}|j|�}||jdkrh|jrP|jn|}	tt	j
d||	f��|dkrz|j�}
n|}
|jr�|j
d|||
�|j||||�|
j|j||�|dkr�|
jd�|S)NrGz'%s' already in '%s'T)rr>r�r�r �_FirewallPolicy__icmp_block_idr<r/rrrZr*rOrp�$_FirewallPolicy__register_icmp_blockr��&_FirewallPolicy__unregister_icmp_blockrx)r!r;rrgrfrbrzr��icmp_idr�r{r#r#r$rU�s&




zFirewallPolicy.add_icmp_blockcCs|j||�|jd|<dS)NrG)r�r<)r!r�rrgrfr#r#r$Z__register_icmp_block�sz$FirewallPolicy.__register_icmp_blockc	Cs�|jj|�}|jj�|j|}|j|�}||jdkr\|jrD|jn|}ttj	d||f��|dkrn|j
�}n|}|jr�|jd|||�|j
|j||�|dkr�|jd�|S)NrGz'%s' not in '%s'FT)rr>r�r rr<r/rrr�r*rOrpr�r
rx)	r!r;rrbrzr�rr�r{r#r#r$r��s"




z FirewallPolicy.remove_icmp_blockcCs||jdkr|jd|=dS)NrG)r<)r!r�rr#r#r$Z__unregister_icmp_blocksz&FirewallPolicy.__unregister_icmp_blockcCs|j|�|j|�dkS)NrG)rr8)r!r;rr#r#r$�query_icmp_blockszFirewallPolicy.query_icmp_blockcCs|j|�dj�S)NrG)r8r,)r!r;r#r#r$r�szFirewallPolicy.list_icmp_blockscCsdS)NTr#)r!r#r#r$Z__icmp_block_inversion_idsz(FirewallPolicy.__icmp_block_inversion_idc
Cs|jj|�}|jj�|j|}|j�}||jdkrV|jrB|jn|}ttj	d|��|dkrh|j
�}n|}|jr�x&|j|�dD]}	|j
d||	|�q�W|jd||�|j|||�|j|j|||�|j�rx&|j|�dD]}	|j
d||	|�q�W|jd||�|dk�r|jd�|S)NrJz,icmp-block-inversion already enabled in '%s'rGFT)rr>r�r �(_FirewallPolicy__icmp_block_inversion_idr<r/rrrZr*rOr8rp�_icmp_block_inversion�._FirewallPolicy__register_icmp_block_inversionr��*_FirewallPolicy__undo_icmp_block_inversionrx)
r!r;rfrbrzr��icmp_block_inversion_idr�r{r`r#r#r$�add_icmp_block_inversions6





z'FirewallPolicy.add_icmp_block_inversioncCs|jd|�|jd|<dS)NrrJ)r�r<)r!r�rrfr#r#r$Z__register_icmp_block_inversionEsz.FirewallPolicy.__register_icmp_block_inversioncCs�|j�}|jr6x&|j|�dD]}|jd|||�qW||jdkrP|jd|=|jr~x&|j|�dD]}|jd|||�qfW|jd�dS)NrGFrJT)r*rOr8rpr<rx)r!rzr�rr{r`r#r#r$Z__undo_icmp_block_inversionJsz*FirewallPolicy.__undo_icmp_block_inversionc	Cs|jj|�}|jj�|j|}|j�}||jdkrV|jrB|jn|}ttj	d|��|dkrh|j
�}n|}|jr�x&|j|�dD]}|j
d|||�q�W|jd||�|j||�|j|j||d�|j�rx&|j|�dD]}|j
d|||�q�W|jd||�|dk�r|jd�|S)NrJz(icmp-block-inversion not enabled in '%s'rGFT)rr>r�r r
r<r/rrr�r*rOr8rpr�0_FirewallPolicy__unregister_icmp_block_inversionr�rrx)	r!r;rbrzr�rr�r{r`r#r#r$�remove_icmp_block_inversion\s6






z*FirewallPolicy.remove_icmp_block_inversioncCs||jdkr|jd|=dS)NrJ)r<)r!r�rr#r#r$Z!__unregister_icmp_block_inversion�sz0FirewallPolicy.__unregister_icmp_block_inversioncCs|j�|j|�dkS)NrJ)r
r8)r!r;r#r#r$�query_icmp_block_inversion�sz)FirewallPolicy.query_icmp_block_inversionc
Cs�|jjj|�}|jr*|jjj|jd}n|}|rT||jkrt||f|j|krtdSn ||jksp||f|j|krtdSx@|jj�D]2}|jr�||j	�kr�|j
||||�}	|j||	�q�W|j||||fg�|j
|j||||fg�dS)Nr)rr;r.r/r:Z_zone_policiesr�enabled_backends�policies_supportedZget_available_tablesZbuild_policy_chain_rules�	add_rules�_register_chainsr�)
r!r;�creater|r}r{rMZtracking_policy�backendrHr#r#r$rn�s$

zFirewallPolicy.gen_chain_rulescCsbx\|D]T\}}|r,|jj|g�j||f�q|j|j||f�t|j|�dkr|j|=qWdS)Nr)r�
setdefaultr0�remover�)r!r;rZtablesr|r}r#r#r$r�szFirewallPolicy._register_chainscCs$|jjj|�dkrdS|jjj|�S)Nzhash:mac)rr��get_typeZ
get_family)r!rKr#r#r$r��szFirewallPolicy._ipset_familycCs|jjj|�S)N)rr�r)r!rKr#r#r$Z__ipset_type�szFirewallPolicy.__ipset_typecCsdj|g|jjj|��S)N�,)�joinrr�Z
get_dimension)r!rK�flagr#r#r$�_ipset_match_flags�sz!FirewallPolicy._ipset_match_flagscCs|jjj|�S)N)rr�Z
check_applied)r!rKr#r#r$r��sz#FirewallPolicy._check_ipset_appliedcCs*|j|�}|tkr&ttjd||f��dS)Nz.ipset '%s' with type '%s' not usable as source)�_FirewallPolicy__ipset_typerrrZ
INVALID_IPSET)r!rKZ_typer#r#r$r��s
z+FirewallPolicy._check_ipset_type_for_sourcecs�t|j�tkr��jjj|jj�}|dkr2|jjg}xR|jD]H}||krHq:�j|�|j	|�t
j|�}||j_�j|||||d�q:Wg}	|j
r�|j
g}	nH|jr�t|jt�s�t|jt�r�jjj|jj���jr�fdd�dD�}	�j|j�}
|
�r&|j
�r |j
|
k�r&ttjd|
|j
f��n|
g}	|	�s4ddg}	�fdd�|	D�}	|	|_�x2t�fdd�|	D��D�]}t|j�tk�r��jjj|jj�}g}t|j�d	k�r�|j�r�ttjd
��xB|	D].}
|
|jk�r�|j|
��r�|j	|j|
��q�Wn
|j	d��x~|D�]�}t|j�tk�r�j|j |�}|�j!|j"�7}t#t|�dd�d
�}g}x�|D]�}|j$}t%|�}|j&dd�}|j	|�|j
dk�r�|j|j
��r��qTt|j'�dk�r�|j	|�n:x8|j'D].\}}|j(||||||j|�}|j)||��q�W�qTW|j*|�x4|j'D]*\}}|j+||||||�}|j)||��q
Wx.|j,D]$}|j-|||||�}|j)||��q@Wx4|j.D]*\}}|j/||||||�}|j)||��qpW�qW�qft|j�t0k�r�|jj1}|jj2}�j3||�|j+||||d|�}|j)||��qft|j�t4k�r<|jj5}�j6|�|j-|||d|�}|j)||��qft|j�t7k�r�|�rzx&|	D]}
|j|
��rX|j8t9|
��qXW|j:|||�}|j)||��qft|j�t;k�r4|jj1}|jj2}|jj<}|jj=}xD|	D]<}
|j|
��r�j>|
||||�|�r�|�r�|j8t9|
��q�W|j?|||||||�}|j)||��qft|j�t@k�r�|jj1}|jj2}�j3||�|j/||||d|�}|j)||�n�t|j�tk�s�t|j�tk�r>�jjj|jj��|j
�r�j�r�|j
�jk�r�ttjAd|j
|jjf��t|j�tk�r |j�r t|j�tk�r ttjd��|jB||�|�}|j)||�n>|jdk�rf|jC|||�}|j)||�nttjdt|j����qfWdS)N)�included_servicescsg|]}|�jkr|�qSr#)�destination)r?r�)�ictr#r$r��sz0FirewallPolicy._rule_prepare.<locals>.<listcomp>r�r�z;Source address family '%s' conflicts with rule family '%s'.csg|]}�jj|�r|�qSr#)r�is_ipv_enabled)r?r�)r!r#r$r��scsg|]}�jj|��qSr#)r�get_backend_by_ipv)r?r@)r!r#r$r��srz"Destination conflict with service.cSs|jS)N)rK)r@r#r#r$r�sz.FirewallPolicy._rule_prepare.<locals>.<lambda>)r~�	conntrack�natr�rjz3rich rule family '%s' conflicts with icmp type '%s'z'IcmpBlock not usable with accept actionzUnknown element %s)r�r�)D�typer�rrr��get_servicerK�includesr�r0�copy�deepcopyr��familyr�rr�config�get_icmptyper%r�r�rrZINVALID_RULE�ipvsr9r��is_ipv_supportedr�rr�r�r�r�r+r�r
�replacerC�build_policy_helper_ports_rulesrZadd_modules�build_policy_ports_rulesrI�build_policy_protocol_rulesrF�build_policy_source_ports_rulesrr�r�r�r�valuer�rr�r�build_policy_masquerade_rulesrZto_portr�r�build_policy_forward_port_rulesrZINVALID_ICMPTYPE�build_policy_icmp_block_rulesZ*build_policy_rich_source_destination_rules)r!ryr;r�r{r$�svc�includeZ_ruler3Z
source_ipvrZdestinationsr�r%r�r�r�r�r��
nat_moduler��protorHr�r�r�r#)r&r!r$r��s




 









zFirewallPolicy._rule_preparecCsb|jjj|�}|j|j|�}||j|j�7}tt|�dd�d�}|dkrN|g}x@|j	D]6}||krdqV|j
|�|j|�|j|||||d�qVWg}	xndD]f}
|jj
|
�s�q�|jj|
�}t|j�dkr�|
|jkr�|	j||j|
f�q�|df|	kr�|	j|df�q�W�xV|	D�]L\}}x�|D]�}
|
j}t|�}|
jjdd	�}|j|�|
jd
k�rf|j|
j��rf�qt|
j�dk�r�|j|�n:x8|
jD].\}}|j||||||
j|�}|j||��q�W�qWx2|jD](\}}|j|||||�}|j||��q�Wx,|jD]"}|j||||�}|j||��q�Wx2|jD](\}}|j|||||�}|j||��q,W�qWdS)
NcSs|jS)N)rK)r@r#r#r$r��sz)FirewallPolicy._service.<locals>.<lambda>)r~)r$r�r�rr)r*r�rj)r�r�) rr�r,r�r�r�r�r+r9r-r�r0rrr'r(r�r%r�r
r5Z
add_moduler0r4rCr6rKrr7rIr8rFr9)r!ryr;r�r{r$r>r�r?Zbackends_ipvr�rr%r�r�r�r@r�rArHr�r#r#r$rr�sb






zFirewallPolicy._servicecCs<x6|jj�D](}|jsq|j||||�}|j||�qWdS)N)rrrr7r)r!ryr;r�r�r{rrHr#r#r$rs�s
zFirewallPolicy._portcCs:x4|jj�D]&}|jsq|j|||�}|j||�qWdS)N)rrrr8r)r!ryr;r�r{rrHr#r#r$rt�s
zFirewallPolicy._protocolcCs<x6|jj�D](}|jsq|j||||�}|j||�qWdS)N)rrrr9r)r!ryr;r�r�r{rrHr#r#r$ru�s
zFirewallPolicy._source_portcCs8d}|jt|�|jj|�}|j||�}|j||�dS)Nr�)r�rrr(r;r)r!ryr;r{r�rrHr#r#r$rv�s
zFirewallPolicy._masqueradecCsXtd|�rd}nd}|r(|r(|jt|�|jj|�}	|	j||||||�}
|j|	|
�dS)Nr�r�)rr�rrr(r<r)r!ryr;r{r�r�r�r�r�rrHr#r#r$rq�s

zFirewallPolicy._forward_portc
Cs�|jjj|�}xl|jj�D]^}|js&qd}|jrXx&dD]}||jkr6|j|�s6d}Pq6W|r^q|j|||�}	|j||	�qWdS)NFr�r�T)r�r�)	rr1r2rrr%r4r=r)
r!ryr;rr{r&rZskip_backendr�rHr#r#r$rp�s


zFirewallPolicy._icmp_blockcCsh|j|j}|dkrdS|j|�r0|dkr0dSx2|jj�D]$}|jsHq<|j||�}|j||�q<WdS)N�DROP�
%%REJECT%%�REJECTZACCEPT)rBrCrD)r �targetrrrrZ'build_policy_icmp_block_inversion_rulesr)r!ryr;r{rErrHr#r#r$rsz$FirewallPolicy._icmp_block_inversionc	Cs�x|D]}|j|�qWx|D]}|j|�qWd|ks@d|krXt|�dkrXttjd��d|kshd|kr�t|�dkr�ttjd��|s�|r�|r�|r�d|kr�d|kr�ttjd|��|s�|r�|r�|r�d|kr�d|kr�ttjd|��dS)Nr6r5rjzI'ingress-zones' may only contain one of: many regular zones, ANY, or HOSTzH'egress-zones' may only contain one of: many regular zones, ANY, or HOSTzpolicy "%s" has no ingresszpolicy "%s" has no egress)r�r�r�rrr�)	r!r;r4r7�ingress_interfaces�egress_interfaces�ingress_sources�egress_sourcesr:r#r#r$�check_ingress_egress"s$

z#FirewallPolicy.check_ingress_egressc

Cs�|dkr&|dkr�|r�ttjd|��n�|dkrtd|krFttjd|��d|kr^ttjd|��|r�ttjd|��n||d	kr�d|kr�ttjd|��d|kr�ttjd|��nB|d
kr�d|kr�ttjd|��n |dkr�d|kr�ttjd
|��dS)N�
PREROUTING�rawzFpolicy "%s" egress-zones may not include a zone with added interfaces.�POSTROUTINGr5z/policy "%s" ingress-zones may not include HOST.z.policy "%s" egress-zones may not include HOST.zGpolicy "%s" ingress-zones may not include a zone with added interfaces.�FORWARD�INPUTz0policy "%s" egress-zones must include only HOST.�OUTPUTz1policy "%s" ingress-zones must include only HOST.)rrr�)
r!r;r|r}r4r7rFrGrHrIr#r#r$�check_ingress_egress_chain<s,z)FirewallPolicy.check_ingress_egress_chaincCs$|j�}|j|||�|jd�dS)NT)r*rorx)r!ryr;r{r#r#r$�!_ingress_egress_zones_transactionYsz0FirewallPolicy._ingress_egress_zones_transactioncCsL|j|}|jd}|jd}t�}t�}t�}	t�}
xB|D]:}|dkrJq<|t|jjj|��O}|	t|jjj|��O}	q<WxB|D]:}|dkr�q�|t|jjj|��O}|
t|jjj|��O}
q�W|j||||||	|
�xr|jj�D]d}|j	s�q�xV|j
|�D]H\}
}|j||
||||||	|
�	|j|||
||||	|
�}|j
||��q�Wq�WdS)Nr4r7r6r5)r6r5)r6r5)r r<r9rr:r�Zlist_sourcesrJrrrlrQZ!build_policy_ingress_egress_rulesr)r!ryr;r{rMr4r7rFrGrHrIr:rr|r}rHr#r#r$ro^s@






z$FirewallPolicy._ingress_egress_zonescCs6|j|}d|jdkrFd|jdkrFdddg}|jjsB|jd�|Sd|jdkrpdg}|jjsl|jd�|Sd|jdkr�dgSd|jdko�d|jdk�r�ddddg}|jj�s�|jd�|Sd|jdk�r.dddg}|jj�s�|jd�x4|jdD]}|jjj|�d�rP�qW|jd �|Sd|jdk�r�d!d"g}|jj�sZ|jd#�x>|jdD]}|jjj|�d�rfP�qfW|jd$�|jd%�|Sd&g}|jj�s�|jd'�x4|jdD]}|jjj|�d�r�P�q�W|jd(�x>|jdD]}|jjj|�d�r�P�q�W|jd)�|jd*�|SdS)+z:Create a list of (table, chain) needed for policy dispatchr6r4r5r7r�rOr*rK�manglerLrPrNrMZ
interfacesN)r�rO)r*rK)rSrK)rLrK)r�rO)rLrK)r�rP)r�rN)r*rK)r*rM)rSrK)rLrK)r�rN)r*rK)rSrK)rLrK)r*rM)r�rN)r*rM)rLrK)r*rK)rSrK)r�rN)rLrK)r*rM)r*rK)rSrK)r r<r�nftables_enabledr0r:r8)r!r;rM�tcr:r#r#r$rl�sj
















z4FirewallPolicy._get_table_chains_for_policy_dispatchcCsr|j|}d|jdkr4dg}|jjs0|jd�|Sd|jdkrLdddgSd|jdkrbddgStd|�SdS)z8Create a list of (table, chain) needed for zone dispatchr5r7r�rOrLrKr6�
FORWARD_INr*rSr4�FORWARD_OUTrMzInvalid policy: %sN)r�rO)rLrK)r�rV)r*rK)rSrK)r�rW)r*rM)r r<rrTr0r)r!r;rMrUr#r#r$rm�s

z2FirewallPolicy._get_table_chains_for_zone_dispatchFcCs�|jjj|�}|jr|j}n||}d|jdkrl|dkrBd|S|dkrRd|S|jsh|dkrhd|S�nJd|jd	kr�|js�|dkr�d
|S�n"d|jdk�r�|dkr�|jr�d|Sd
|Sn0|dkr�|r�d|Sd|Sn|dk�r�d|Sn�d|jd	k�rh|dk�r*|j�r d|Sd
|Sn<|dk�rL|�rBd|Sd|Sn|dk�r�|j�s�d|SnN|j�s�|dk�r�d
|S|dk�r�|�r�d|Sd|Sn|dk�r�d|Std|||f�S)Nr5r7r�ZIN_rLZPRE_rSr*r4ZOUT_r6ZFWDI_ZFWD_ZPOST_ZFWDO_z.Can't convert policy to chain name: %s, %s, %s)rSr*)rSrL)rSrL)rSrL)rr;r.r/r<r)r!r;r|Z
policy_prefixZisSNATrM�suffixr#r#r$�policy_base_chain_name�sb













z%FirewallPolicy.policy_base_chain_name)N)N)N)N)rNNT)N)rNNT)N)rNN)N)rNN)N)rNN)N)rNN)N)rNN)N)rNN)N)NN)NN)NNrNN)NNN)NN)rNN)N)NN)N)N)N)NN)F)��__name__�
__module__�__qualname__r%r'r)r*r-r3r=r.rNrQrLrdrer�r8rrcrPr�r�r�r�rSr�r�r�r�r�r�r�rTr�r�r�r�r�r�r�r�rwr^r�r�r�r�r�r�r�rWr�r�r�r�r�r�r�r�r�rXr�r�r�r�r�r�r�r\r�r�r�r�r�r�r]r�r�r�r�r�r�r_r�r�r�r�rrrVrr�rrr�rrrUr	r�r
rr�r
rrrrrrrnrr�r#r"r�r�r�rrrsrtrurvrqrprrJrQrRrorlrmrYr#r#r#r$rs$
'	?.,#,#:
'('('
+))@@		(Pr)'rhr.Zfirewall.core.loggerrZfirewall.functionsrrrrrrr	r
rrr�r
rrrrrrrrrrZfirewall.core.fw_transactionrZfirewallrZfirewall.errorsrZfirewall.fw_typesrZfirewall.core.baser�objectrr#r#r#r$�<module>s04
Back to Directory File Manager
<