Mr.X

a

��is�	@s`ddlmZddlZddlZddlZddlmZddlmZm	Z	m
Z
mZmZddl
mZmZmZmZmZmZmZddlmZmZmZmZmZmZmZmZmZddlm Z ddl!m"Z"m#Z#dd	l$m%Z%d
Z&e&ddZ'e&dd
Z(dZ)dZ*iddde*fidde*fdde*fdde*fd�dde*fdde*fdde*fdde*fd�d�Z+Gdd�de,�Z-dS)�)�GLibN)�log)�	check_mac�getPortRange�normalizeIP6�check_single_address�
check_address)�
FirewallError�
UNKNOWN_ERROR�INVALID_RULE�INVALID_ICMPTYPE�INVALID_TYPE�
INVALID_ENTRY�INVALID_PORT)	�Rich_Accept�Rich_Reject�	Rich_Drop�	Rich_Mark�Rich_Masquerade�Rich_ForwardPort�Rich_IcmpBlock�Rich_Tcp_Mss_Clamp�
Rich_NFLog)�DEFAULT_ZONE_TARGET)�
ICMP_TYPES�ICMPV6_TYPES)�NftablesZ	firewalld�_Zpolicy_dropZprobeZpolicy_�
�
PREROUTING�
preroutingij���i����Zpostrouting�d�output)r�POSTROUTING�OUTPUT�inputZforward)r�INPUT�FORWARDr$)�raw�mangle�nat�filterc@sreZdZdZdZdd�Zdd�Zdd�Zdd	�Zd
d�Z	dd
�Z
dd�Zdd�Zdd�Z
d�dd�Zdd�Zdd�Zdd�Zdd�Zdd �Zd�d!d"�Zd#d$�Zd�d&d'�Zd(d)�Zd*d+�Zd�d-d.�Zd/d0�Zd1d2�Zd3d4�Zd5d6�Zd7d8�Zd9d:�Zd;d<�Z d=d>�Z!d?d@�Z"dAdB�Z#dCdD�Z$dEdF�Z%dGdH�Z&dIdJ�Z'dKdL�Z(dMdN�Z)d�dOdP�Z*dQdR�Z+dSdT�Z,dUdV�Z-dWdX�Z.d�dYdZ�Z/d�d[d\�Z0d�d]d^�Z1d�d_d`�Z2dadb�Z3d�dcdd�Z4d�dedf�Z5d�dgdh�Z6d�didj�Z7dkdl�Z8d�dmdn�Z9dodp�Z:d�dqdr�Z;dsdt�Z<dudv�Z=dwdx�Z>dydz�Z?d�d{d|�Z@d�d}d~�ZAdd��ZBd�d�d��ZCd�d��ZDd�d��ZEd�d��ZFd�d��ZGd�d��ZHd�d��ZId�d��ZJd�d�d��ZKdS)��nftablesTcCsZ||_d|_d|_g|_i|_i|_i|_i|_i|_t	�|_
|j
�d�|j
�d�dS)NTF)
�_fwZrestore_command_exists�supports_table_ownerZavailable_tables�rule_to_handle�rule_ref_count�rich_rule_priority_counts�policy_priority_counts�zone_source_index_cacherr,�set_echo_outputZset_handle_output)�self�fw�r7�:/usr/lib/python3.9/site-packages/firewall/core/nftables.py�__init__\sznftables.__init__cCsz�ddddiidddtdd	gd
�iigi}|j�|�\}}}|rHtd��ddddiidddtd
�iigi}|j�d�|j�|�\}}}|j�d�|dddd}|�dddtd
�ii|j���d|vs�d	|vr�td��t�	d�d|_
Wnt�	d�d|_
Yn0dS)Nr,�metainfo�json_schema_version��add�table�inet�owner�persist)�family�name�flagsz!nftables probe table owner failed�list�rBrCFTrD�deletez3nftables: probe_support(): owner flag is supported.z7nftables: probe_support(): owner flag is NOT supported.)�TABLE_NAME_PROBEr,�json_cmd�
ValueErrorr4�set_ruler-�get_log_deniedr�debug2r.)r5�rules�rcr"rrDr7r7r8�_probe_support_table_ownerksH
�����
���


z#nftables._probe_support_table_ownercCs|��dS�N)rP�r5r7r7r8�
probe_support�sznftables.probe_supportcCsxdD]}||vrqqd||dvr^||ddd||dddf}||dd=n(d||dvr�d}||dd=ndS||dd}|r�|dkr�||vr�|||vr�||�|�n�|dk�rt||vr�g||<|�r&|||v�r||�|�||jd	d
�d�||�|�}nt||�}||}||=|dk�rT||d
<n |d8}||d<||ddd<dS)N�r=�insertrG�%%ZONE_SOURCE%%�rule�zone�address�%%ZONE_INTERFACE%%rBrGcSs|dS)Nrr7��xr7r7r8�<lambda>��z3nftables._run_replace_zone_source.<locals>.<lambda>)�keyrrUr<r=�index)�remove�append�sortr`�len)r5rWr3�verbZzone_sourcerBr`�
_verb_snippetr7r7r8�_run_replace_zone_source�sD�
�


z!nftables._run_replace_zone_sourcecCsBd|vrdt�|d�iSd|vr4dt�|d�iSttd��dS)NrUrGr=zFailed to reverse rule)�copy�deepcopyr	r
)r5�dictr7r7r8�reverse_rule�s
znftables.reverse_rulec
Cs�dD]}||vrqq|||dv�r�||d|}||d|=t|�tkr\ttd��||dd||ddf}|dkr�||vs�|||vs�|||dkr�ttd��|||d	8<n�||vr�i||<|||vr�d|||<d}t||���D]J}||k�r"|d
k�r"�qP||||7}||k�r|dk�r�qP�q|||d	7<||}	||=|dk�r�|	|d
<n |d	8}|	|d<||ddd<dS)
NrTrWz%priority must be followed by a numberrB�chainrGrz*nonexistent or underflow of priority countr<rUr=r`)�type�intr	rr
�sorted�keys)
r5rWZpriority_counts�tokenre�priorityrlr`�prfr7r7r8�_set_rule_replace_priority�sH
 
��



z#nftables._set_rule_replace_prioritycCsbdD]X}||vrd||vrt�||d�}dD]}||vr2||=q2tj|dd�}|SqdS)NrTrW)r`�handleZpositionT)Z	sort_keys)rhri�json�dumps)r5rWre�rule_keyZnon_keyr7r7r8�
_get_rule_keys
znftables._get_rule_keycCsXgd�}gd�}g}g}t�|j�}t�|j�}t�|j�}	|j��}
|D�]�}t|�tkrjtt	d|��|D]}||vrnq�qn||vr�tt
d|��|�|�}
|
|
v�r4t�
d|j|
|
|
�|dkr�|
|
d7<qJnV|
|
dkr�|
|
d8<qJn6|
|
dk�r|
|
d8<ntt	d|
|
|
f��n|
�rL|dk�rLd|
|
<|�|�t�|�}|
�r�ttd||d	d
��||d	d
<|�||d�|�||d�|�||	�|dk�r�dd	|dd	d
|dd	d|dd	d|j|
d�ii}|�|�qJddddiig|i}t��dk�rDt�d|jt�|��|j�|�\}}}|dk�rxtdd|t�|�f��||_||_|	|_|
|_d}|D]�}|d7}|�|�}
|
�s��q�d|v�r�|j|
=|j|
=�q�|D]}||d|v�r��q��q�||d|v�r�q�t|d||d	dk�r2�q�|d||d	d|j|
<�q�dS)N)r=rUrG�flush�replace)r=rUr{z#rule must be a dictionary, rule: %szno valid verb found, rule: %sz%s: prev rule ref cnt %d, %srGr<z)rule ref count bug: rule_key '%s', cnt %drW�expr�%%RICH_RULE_PRIORITY%%�%%POLICY_PRIORITY%%rBr>rl)rBr>rlrur,r:r;�z.%s: calling python-nftables with JSON blob: %srz'%s' failed: %s
JSON blob:
%szpython-nftablesru)rhrir1r2r3r0rmrjr	r
rryrrM�	__class__rbrEr+rtrgr/ZgetDebugLogLevelZdebug3rvrwr,rIrJ�TABLE_NAME_POLICY)r5rN�
log_deniedZ_valid_verbsZ_valid_add_verbsZ_deduplicated_rulesZ_executed_rulesr1r2r3r0rWrerxZ_ruleZ	json_blobrOr"�errorr`r7r7r8�	set_ruless�




�
�

&
�

�



znftables.set_rulescCs|�|g|�dS)N�)r�)r5rWr�r7r7r8rKssznftables.set_ruleNcCs|r
|gSt��SrQ)�IPTABLES_TO_NFT_HOOKrp�r5r>r7r7r8�get_available_tableswsznftables.get_available_tablescCsBddd|d�ii}|tkr<|jjr<|jr<ddg|ddd<|gS)Nr=r>r?rFr@rArD)�
TABLE_NAMEr-Z_nftables_table_ownerr.)r5r>rWr7r7r8�_build_add_table_rules{s���znftables._build_add_table_rulescCs|�|�ddd|d�iigS)NrGr>r?rF)r�r�r7r7r8�_build_delete_table_rules�s�z"nftables._build_delete_table_rulescCs(i|_i|_i|_i|_i|_|�t�SrQ)r/r0r1r2r3r�r�rRr7r7r8�build_flush_rules�sznftables.build_flush_rulescCsPddd�|}|ddtdd|fdd	d
diidd
ddgid�iddigd�iiS)Nr=rG�TFrWr?�%s_%sr+�match�ctr_�state�in�set�established�related��left�op�right�accept�rBr>rlr|)r�)r5�enable�hook�add_delr7r7r8�_build_set_policy_rules_ct_rule�s

���z(nftables._build_set_policy_rules_ct_rulec
Cs\g}|dkrZ|�|�t��dD]6}|�dddtdd|fd|d	td
dd�ii�q n�|d
k�r4|�|�t��dD]�}||}|dvs�J�|��}d|��}|�dddt|d|dtd
dd�ii�|�|�d|��|dkr�ddi}n"|d
k�rddi}ndddd�i}|�dddt||gd�ii�qxn$|dk�rN||�t�7}n
tt	d��|S)NZPANIC)r r"r=rlr?r�r(r+i���r<�drop)rBr>rCrmr��prio�policy�DROP)r&r'r$)�ACCEPT�REJECTr�Zfilter_rTr�r��reject�icmpx�admin-prohibited�rmr|rWr�znot implemented)
�extendr�r�rb�NFT_HOOK_OFFSET�lowerr�r�r	r
)r5r�Zpolicy_detailsrNr�Zd_policyZ
chain_nameZ
expr_fragmentr7r7r8�build_set_policy_rules�sb


�



�



�����

znftables.build_set_policy_rulescCsJt�}|dus|dkr$|�t���|dus4|dkrB|�t���t|�S)N�ipv4�ipv6)r��updaterrprrE)r5�ipvZ	supportedr7r7r8�supported_icmp_types�sznftables.supported_icmp_typescCs
|�t�SrQ)r�r�rRr7r7r8�build_default_tables�sznftables.build_default_tables�offcCs"g}td��D]�}|�dddtd|ddtd|dtd|d	d
�ii�dD]&}|�dddtd||fd
�ii�qXdD]6}|�dddtd|ddd||fiigd�ii�q�qtd��D�]}|�dddtd|ddtd|dtd|d	d
�ii�|dv�r|dD]Z}|�dddtd||fd
�ii�|�dddtd|ddd||fiigd�ii��qq�dD](}|�dddtd||fd
�ii��q�dD]8}|�dddtd|ddd||fiigd�ii��q�q�td��D]F}|�dddtd|ddtd|dtd|d	d
�ii��q�|�dddtddddddiiddd d!gid"�id#digd�ii�|�dddtdddddd$iidd%d"�id#digd�ii�|�dddtdddd&dd'iid(d)d"�id#digd�ii�|d*k�rR|�dddtddddddiiddd+gid"�i|�|�d,d-d.iigd�ii�|�dddtddddddiiddd+gid"�id/digd�ii�dD](}|�dddtd0d|fd
�ii��q�dD]8}|�dddtddddd0d|fiigd�ii��q�|d*k�r<|�dddtdd|�|�d,d-d1iigd�ii�|�dddtddd2d3d4d5�igd�ii�|�dddtdd6ddddiiddd d!gid"�id#digd�ii�|�dddtdd6dddd$iidd%d"�id#digd�ii�|�dddtdd6dd&dd'iid(d)d"�id#digd�ii�|d*k�r||�dddtdd6ddddiiddd+gid"�i|�|�d,d-d.iigd�ii�|�dddtdd6ddddiiddd+gid"�id/digd�ii�d7D](}|�dddtd0d6|fd
�ii��q�dD]Z}|�dddtd0d6|fd
�ii�|�dddtdd6ddd0d6|fiigd�ii��q�d8D](}|�dddtd0d6|fd
�ii��qP|d*k�r�|�dddtdd6|�|�d,d-d1iigd�ii�|�dddtdd6d2d3d4d5�igd�ii�|�dddtdd9ddddiiddd d!gid"�id#digd�ii�|�dddtd:dd&dd;iid(d)d"�id#digd�ii�d7D]Z}|�dddtd0d9|fd
�ii�|�dddtdd9ddd0d9|fiigd�ii��qbd8D]Z}|�dddtd0d9|fd
�ii�|�dddtdd9ddd0d9|fiigd�ii��q�|S)<Nr)r=rlr?z	mangle_%sr+�%srr<)rBr>rCrmr�r�)�POLICIES_pre�ZONES�
POLICIES_postzmangle_%s_%s�rBr>rC)r�rW�jump�targetr�r*znat_%s)r$)r�r��	nat_%s_%sz	filter_%sr&r�r�r_r�r�r�r�r�r�r��status�dnat�meta�iifname�==�lor�Zinvalidr�prefixzSTATE_INVALID_DROP: r��filter_%s_%szFINAL_REJECT: r�r�r�r�r')r�)r�r$�
filter_OUTPUT�oifname)r�rprbr��_pkttype_match_fragment)r5r�Z
default_rulesrlZdispatch_suffixr7r7r8�build_default_rules�s
�

�
�
�


�
�

�
�
�

���
���
���

�
��
���

�
�


��
�

���
���
���

�
��
���

�

�
�

�


��
�

���
���

�
�

�
�znftables.build_default_rulescCs2|dkrddgS|dkrdgS|dkr.ddgSgS)Nr+r&r'r)rr*r#r7r�r7r7r8�get_zone_table_chains�sznftables.get_zone_table_chainsc	
sJ�jj�|���jdkrdnd��dkr4�dkr4dnd}	�jj�|�t|	��g}
g}g}g}
|D]V}|t|�dd	kr�|
�d
ddd
iid|dt|�d�dd�i�q`|�|�q`|D]X}|t|�dd	k�r
|�d
dddiid|dt|�d�dd�i�q�|
�|�q�|�r>|
�d
ddd
iidd|id�i�|
�rf|�d
dddiidd|
id�i�|�r�|D]}|
���d|���qp|�r�|D]}|���d|���q��������fdd�}g}|
�r|
D]:}|�r�|D]}|�|||���q�n|�||d���q�n4|�r6|D]}|�|d|���qn|�|dd��|S)Nr�pre�postr*r#TFr<�+r�r�r_r�r��*r�r�r��saddr�daddrcs�|rT|rTd|ddvrTd|ddvrT|dddd|ddddkrTdSg}|rf|�|�|rt|�|�|�ddd��fii�dtd	���f|d
�}|�������r�dd|iiSd
d|iiSdS)N�payloadr�r��protocolr�r�r�r?z%s_%s_POLICIES_%sr�r=rWrG)rbr�r��_policy_priority_fragment)�ingress_fragment�egress_fragment�expr_fragmentsrW��_policyrl�chain_suffixr��p_objr5r>r7r8�_generate_policy_dispatch_rules0���

�zRnftables.build_policy_ingress_egress_rules.<locals>._generate_policy_dispatch_rule)	r-r��
get_policyrr�policy_base_chain_name�POLICY_CHAIN_PREFIXrdrb�_rule_addr_fragment)r5r�r�r>rlZingress_interfacesZegress_interfacesZingress_sourcesZegress_sources�isSNATZingress_fragmentsZegress_fragmentsZ$ingress_interfaces_without_wildcardsZ#egress_interfaces_without_wildcardsZingress_interfaceZegress_interface�src�dstr�rNr�r�r7r�r8�!build_policy_ingress_egress_rules�sf���
�
z*nftables.build_policy_ingress_egress_rulesFcCsN|dkr|dkrdnd}|jjj||t|d�}	dddddd�|}
|t|�d	d
krn|dt|�d	�d}d}|dkr�|d
d||	fiig}n,ddd|
iid|d�i|d
d||	fiig}|r�|s�d}
dtd||f|d�}|�|���nP|�rd}
dtd||f|d�}n.d}
dtd||f|d�}|�s@|�|���|
d|iigS)Nr*r#TF�r�r�r��rr#r&r'r$r<r�r��gotor�r�r�r�r_r�r�rUr?�%s_%s_ZONESr�r=rGrW)r-r�r�r�rdr�r��_zone_interface_fragment)r5r�rXr��	interfacer>rlrbr�r��opt�actionr�rerWr7r7r8�!build_zone_source_interface_rules5sZ����
�
�
�z*nftables.build_zone_source_interface_rulesc
	Cs�|dkr|dkrdnd}|jjj||t|d�}ddd�|}	d	d
d	d	d
d�|}
d}d
td||f|�|
|�|dd||fiigd�}|�|�||��|	d|iigS)Nr*r#TFr�rUrGr�r�r�r�r�r?r�r�r�r�rW)r-r�r�r�r�r�r��_zone_source_fragment)
r5r�rXr�rYr>rlr�r�r�r�r�rWr7r7r8�build_zone_source_address_rulesgs*��

��z(nftables.build_zone_source_address_rulescCspddd�|}|dkr"|dkr"dnd}|jjj||t|d�}|jj�|�}g}	|	�|d	d
td||fd�ii�d
D](}
|	�|d	d
td|||
fd�ii�qt|jr�|	�ddd
td||fddd||dfiigd�ii�d
D]<}
|	�|dd
td||fddd|||
fiigd�ii�q�|j�r^|	�ddd
td||fddd||dfiigd�ii�|jjj|j	}|j�
�dk�r�|dk�r�|tdddfv�r�|}|tdfv�r�d}|	�|dd
td||f|�|j�
��ddd||fiigd�ii�|dk�r^|tddddfv�r^|tddfv�r,|�
�}
n|��di}
|	�|dd
td||f|
gd�ii�|�sl|	��|	S)Nr=rGr�r*r#TFr�rlr?r�r�)r�r�deny�allowr��%s_%s_%srWr�r�r�r�r�r�r+r�z
%%REJECT%%r�rr�zfilter_%s_%s: r�)r-r�r�r�r�rbr�Zderived_from_zoneZ	_policiesr�rLrr��_reject_fragmentr��reverse)r5r�r�r>rlr�r�r�r�rNr�r�Z
log_suffix�target_fragmentr7r7r8�build_policy_chain_rulessx

�
�

�

�

�


��
�


�z!nftables.build_policy_chain_rulescCs<|dkriS|dvr,ddddiid|d�iSttd	|��dS)
N�all)�unicast�	broadcastZ	multicastr�r�r_�pkttyper�r�zInvalid pkttype "%s"�r	r)r5r�r7r7r8r��s�z nftables._pkttype_match_fragmentcCsdddd�idddd�idddd�idddd�idddd�idddd�idddd�idddd�idddd�idddd�iddd	d�iddd	d�iddd
d�iddd
d�iddd
d�idddd�idddd�iddd
d�iddd
d�idddd�idddd�idddiidddiid�}||S)Nr��icmpzhost-prohibitedr�znet-prohibitedr��icmpv6znet-unreachablezhost-unreachablezport-unreachabler�zprot-unreachablezaddr-unreachable�no-routermz	tcp reset)zicmp-host-prohibitedzhost-prohibzicmp-net-prohibitedz
net-prohibzicmp-admin-prohibitedzadmin-prohibzicmp6-adm-prohibitedzadm-prohibitedzicmp-net-unreachableznet-unreachzicmp-host-unreachablezhost-unreachzicmp-port-unreachablezicmp6-port-unreachablezport-unreachzicmp-proto-unreachablez
proto-unreachzicmp6-addr-unreachable�addr-unreachzicmp6-no-router�z	tcp-resetztcp-rstr7)r5Zreject_typeZfragsr7r7r8�_reject_types_fragment�s2

�znftables._reject_types_fragmentcCsdddd�iS)Nr�r�r�r�r7rRr7r7r8r��s�znftables._reject_fragmentcCs ddddiiddddgid	�iS)
Nr�r�r_�l4protor�r�r�r�r�r7rRr7r7r8�_icmp_match_fragment�s
�znftables._icmp_match_fragmentcCsn|siSddddd�}z|j�d�}WntyBttd��Yn0dt|jd	|��||j|d
d�iS)N�secondZminuteZhourZday)�s�m�h�d�/zExpected '/' in limit�limitrr<)ZrateZper)�valuer`rJr	rrn)r5rZrich_to_nft�ir7r7r8�_rich_rule_limit_fragment�s��z"nftables._rich_rule_limit_fragmentcCs�t|j�ttttfvrn<|jrJt|j�ttt	t
fvrTttdt|j���n
ttd��|j
dkr�t|j�tttfvs�t|j�tt
fvr�dSt|j�tfvs�t|j�tt	fvr�dSn|j
dkr�dSdSdS)N�Unknown action %szNo rule action specified.rr�r�r�r�)rm�elementrrrrr�rrrrr	rrr�r5�	rich_ruler7r7r8�_rich_rule_chain_suffixs$

��
z nftables._rich_rule_chain_suffixcCs:|js|jsttd��|jdkr$dS|jdkr2dSdSdS)NzNot log or auditrrr�r�)r�auditr	rrrr
r7r7r8� _rich_rule_chain_suffix_from_logs


z)nftables._rich_rule_chain_suffix_from_logcCsddiS)NrZr7rRr7r7r8r�(sz!nftables._zone_interface_fragmentcCsNtd|�rt|�}n,td|�r@|�d�}t|d�d|d}d||d�iS)Nr�rrr<rV)rXrY)rrr�split)r5rXrYZ
addr_splitr7r7r8r�+s



znftables._zone_source_fragmentcCs
d|jiS)Nr~�rr)r5r�r7r7r8r�3sz"nftables._policy_priority_fragmentcCs|r|jdkriSd|jiS)Nrr}rr
r7r7r8�_rich_rule_priority_fragment6sz%nftables._rich_rule_priority_fragmentcCs
|js
iS|jj�||t�}ddd�|}|�|�}i}	t|j�tkr||jjrZt	|jj�nd|	d<|jj
r�t	|jj
�|	d<n,|jjr�d|jjkr�dn|jj}
d	|
|	d
<|jjr�d	|jj|	d<dt
d
|||f||�|jj�d|	igd�}|�|�|��|d|iiS)Nr=rGr�r�groupzqueue-thresholdZwarning�warnr��levelr�r?r�rr�rW)rr-r�r�r�rrmrrrnZ	thresholdrr�r�r
rr�r)r5r�rr�r>r�r�r�r�Zlog_optionsrrWr7r7r8�_rich_rule_log;s4
���znftables._rich_rule_logc
Cs�|js
iS|jj�||t�}ddd�|}|�|�}dtd|||f||�|jj�dddiigd	�}	|	�	|�
|��|d
|	iiS)Nr=rGr�r?r�rrrr�rW)rr-r�r�r�rr�r
rr�r)
r5r�rr�r>r�r�r�r�rWr7r7r8�_rich_rule_audit[s 

���znftables._rich_rule_auditc
Cs�|js
iS|jj�||t�}ddd�|}|�|�}d|||f}	t|j�tkr\ddi}
�nt|j�tkr�|jjr�|�	|jj�}
nddi}
n�t|j�t
kr�ddi}
n�t|j�tk�rHd}|jj�||t�}d|||f}	|jj�
d	�}t|�d
k�r,dddd
iiddddd
ii|d
gi|dgid�i}
ndddd
ii|dd�i}
nttdt|j���dt|	||�|jj�|
gd�}|�|�|��|d|iiS)Nr=rGr�r�r�r�r�r)rr<r�r_�mark�^�&r�r_rrr?r�rW)r�r-r�r�r�rrmrrr�rrr�rrdr	rr�r
rr�r)
r5r�rr�r>r�r�r�r�rlZrule_actionrrWr7r7r8�_rich_rule_actionmsL


"�
�
���znftables._rich_rule_actioncCs�|�d�r0|�|td�d�d|kr(dnd|�St|�r>d}n�td|�rNd}nvtd|�r�d}tj|dd�}d	|jj	|j
d
�i}nDtd|�r�d}t|�}n,d}|�d
�}d	t|d�t
|d�d
�i}dd||d�i|r�dnd|d�iSdS)N�ipset:r�TF�etherr��ip)�strictr���addrrdr��ip6rrr<r�r��r��field�!=r�r�)�
startswith�_set_match_fragmentrdrrr�	ipaddress�IPv4Network�network_address�
compressed�	prefixlenrrrn)r5Z
addr_fieldrY�invertrBZnormalized_addressZaddr_lenr7r7r8r��s,
&




�
�znftables._rule_addr_fragmentcCs6|siS|dvrttd|��ddddiid|d�iS)	N�r�r�zInvalid familyr�r�r_�nfprotor�r�r�)r5Zrich_familyr7r7r8�_rich_rule_family_fragment�s��z#nftables._rich_rule_family_fragmentcCs8|siS|jr|j}n|jr&d|j}|jd||jd�S)Nrr��r0)r$�ipsetr�r0)r5Z	rich_destrYr7r7r8�_rich_rule_destination_fragment�s
z(nftables._rich_rule_destination_fragmentcCsZ|siS|jr|j}n2t|d�r.|jr.|j}nt|d�rH|jrHd|j}|jd||jd�S)N�macr5rr�r4)r$�hasattrr7r5r�r0)r5Zrich_sourcerYr7r7r8�_rich_rule_source_fragment�s
z#nftables._rich_rule_source_fragmentcCsPt|�}t|t�r$|dkr$tt��n(t|�dkr8|dSd|d|dgiSdS)Nrr<�range)r�
isinstancernr	rrd)r5�portr:r7r7r8�_port_fragment�s
znftables._port_fragmentc
Cs&ddd�|}d}|jj�||t�}	g}
|r>|
�|�|j��|rT|
�|�d|��|r||
�|�|j	��|
�|�
|j��|
�dd|dd	�id
|�|�d�i�g}|r�|�|�
|||||
��|�|�|||||
��|�|�|||||
��n.|�|dd
td||	f|
ddigd�ii�|S)Nr=rGr�r+r�r�r��dportr&r�r�rWr?�%s_%s_allowr�r��r-r�r�r�rbr3rBr�r6�destinationr9�sourcer=rrrr��r5r�r��protor<rArr�r>r�r�rNr7r7r8�build_policy_ports_rules�s8
��


�z!nftables.build_policy_ports_rulesc
Csddd�|}d}|jj�||t�}g}	|r>|	�|�|j��|rT|	�|�d|��|r||	�|�|j	��|	�|�
|j��|	�dddd	iid
|d�i�g}
|r�|
�|�|||||	��|
�|�
|||||	��|
�|�|||||	��n.|
�|dd
td||f|	ddigd�ii�|
S)Nr=rGr�r+r�r�r�r_r�r�r�rWr?r?r�r�)r-r�r�r�rbr3rBr�r6rAr9rBrrrr�)r5r�r�r�rArr�r>r�r�rNr7r7r8�build_policy_protocol_rules�s4�


�z$nftables.build_policy_protocol_rulescCs�d}d}|jj�||t�}ddd�|}	g}
|r^|
�|�|j��|
�|�|j��|�	|�}|
�dddd	d
d�idd
�i�|dks�|dur�|
�ddddd�idddiid�i�n|
�ddddd�i|d�i�|	ddt
d||f|
d�iigS)Nr�r+r=rGr�r�r�r��tcprDr&Zsyn)r�r�r�Zpmtur)z
tcp optionZmaxseg�size)rCr'Zrtr_ZmturrWr?r�r�)r-r�r�r�rbr6rAr9rBrr�)r5r�r�Ztcp_mss_clamp_valuerArr�r>r�r�r�r7r7r8� build_policy_tcp_mss_clamp_ruless2
�

��

�z)nftables.build_policy_tcp_mss_clamp_rulesc
Cs&ddd�|}d}|jj�||t�}	g}
|r>|
�|�|j��|rT|
�|�d|��|r||
�|�|j	��|
�|�
|j��|
�dd|dd	�id
|�|�d�i�g}|r�|�|�
|||||
��|�|�|||||
��|�|�|||||
��n.|�|dd
td||	f|
ddigd�ii�|S)Nr=rGr�r+r�r�r��sportr&r�r�rWr?r?r�r�r@rCr7r7r8�build_policy_source_ports_rules8s8
��


�z(nftables.build_policy_source_ports_rulesc

Cs�d}|jj�||t�}	ddd�|}
g}|rR|�dddtd||f||d�ii�g}|rl|�|�d	|��|�d
d|dd
�id|�|�d�i�|�dd||fi�|�|
ddtd|	|d�ii�|S)Nr+r=rGr�z	ct helperr?zhelper-%s-%s)rBr>rCrmr�r�r�r�r>r&r�r�rW�filter_%s_allowr�)r-r�r�r�rbr�r�r=)
r5r�r�rDr<rAZhelper_nameZmodule_short_namer>r�r�rNr�r7r7r8�build_policy_helper_ports_rulesYs6

�
��

�z(nftables.build_policy_helper_ports_rulescCs�ddd�|}|jj�||t�}g}	|rv|t|�ddkrT|dt|�d�d}ddd	d
iid|d�id
dig}
n|�d|�d
dig}
dtd||
d�}|	�|d|ii�|	S)Nr=rGr�r<r�r�r�r�r_r�r�r�r�r�r?rLr�rW)r-r�r�r�rdr�r�rb)r5r�rXr�r>r�rBr�r�rNr|rWr7r7r8�build_zone_forward_rulesvs(���z!nftables.build_zone_forward_rulesc	Cs�ddd�|}g}g}|r\|�|�|j��|�|�|j��|�|�|j��|�|�}n"|�ddddiidd	d
�i�d}d}|jj	j
||td
d�}	dtd|	|f|ddddiiddd
�iddigd�}
|
�
|�|��|�|d|
ii�|S)Nr=rGr�r�r�r_r2r�r�r�r�r*Tr�r?r�r�r(r�Z
masquerader�rW)rbr3rBr6rAr9rBrr-r�r�r�r�r�r)r5r�r�rr�rNr�r�r>r�rWr7r7r8�build_policy_masquerade_rules�s<�

����z&nftables.build_policy_masquerade_rulescCspd}|jj�||t�}	ddd�|}
g}|rn|�|�|j��|�|�|j��|�|�	|j
��|�|�}n8d}
|r�td|�r�d}
|�ddd	d
iid|
d�i�d
}|�dd|dd�id|�
|�d�i�|�r$td|�r�t|�}|�r|dk�r|�d||�
|�d�i�n|�dd|ii�n|�dd|�
|�ii�dtd|	|f|d�}|�|�|��|
d|iigS)Nr*r=rGr�r�r�r�r�r_r2r�r�r�r�r>r&r�r�)r$r<r$Zredirectr<r?r�r�rW)r-r�r�r�rbr3rBr6rAr9rBrrr=rr�r�r)r5r�r�r<r�ZtoportZtoaddrrr>r�r�r�r�r2rWr7r7r8�build_policy_forward_port_rules�sJ�

��


�z(nftables.build_policy_forward_port_rulescCsHdd|dd�id|d�ig}|durD|�dd|dd�id|d�i�|S)Nr�r�rmr&r�r��code)rb)r5r�rmrQ�	fragmentsr7r7r8�_icmp_types_fragments�s�
�
znftables._icmp_types_fragmentscCs�|dkr4|tvr4t|\}}}|�d||r.dn|�S|dkrh|tvrht|\}}}|�d||rbdn|�Sttd||j|f��dS)Nr�r�r�r�z)ICMP type '%s' not supported by %s for %s)rrSrr	rrC)r5r�Z	icmp_typeZ_type�_codeZ
_omit_coder7r7r8�_icmp_types_to_nft_fragments�s���z%nftables._icmp_types_to_nft_fragmentscCs:d}|jj�||t�}ddd�|}|r6|jr6|j}n<|jrjg}d|jvrT|�d�d|jvrr|�d�nddg}g}	|D�]�}
|jj�|�r�d||f}ddi}nd	||f}|��}g}
|r�|
�|�	|j
��|
�|�|j��|
�|�|j
��|
�|�|
|j��|�r�|	�|�|||||
��|	�|�|||||
��|j�rb|	�|�|||||
��nN|�|�}d
td|||f|
|��gd�}|�|�|��|	�|d
|ii�qz|j��dk�r|jj�|��s|	�|d
d
t||
|�|j���ddd||fiigd�ii�|	�|d
d
t||
|gd�ii�qz|	S)Nr+r=rGr�r�r�r?r�z
%s_%s_denyr?r�r�rWr�rr��%s_%s_ICMP_BLOCK: )r-r�r�r��ipvsrArb�query_icmp_block_inversionr�r3rBr6r9rBr�rUrCrrr�rrr�r�rrLr�)r5r�r�Zictrr>r�r�rWrNr�Zfinal_chainr�r�r�rWr7r7r8�build_policy_icmp_block_rules�sl






� 
���
�z&nftables.build_policy_icmp_block_rulescCs�d}|jj�||t�}g}ddd�|}|jj�|�r@|��}nddi}|�|ddtd||fd	|��|gd
�ii�|j�	�dkr�|jj�|�r�|�|ddtd||fd	|��|�
|j�	��dd
d||fiigd
�ii�|S)Nr+r=rGr�r�rWr?r���rBr>rlr`r|r�rr�rV)r-r�r�r�rXr�rbr�rrLr�)r5r�r�r>r�rNr�r�r7r7r8�'build_policy_icmp_block_inversion_rules/s4


��

��z0nftables.build_policy_icmp_block_inversion_rulesc
Cs$g}d}|jjdkrddg}n<|jjdkr8ddg}d}n"|jjdkrRgd�}d}ngd�}d	d
ddiid
dd�id	d|dd�id
dd�ig}|dkr�|�dddii�|�ddi�|�dddt||d�ii�|jjdv�r |�dddt|d	ddd d!�id
d"d#d$gid�id%digd�ii�|S)&NZfilter_PREROUTINGZlooser�r�
loose-forward�filter_FORWARD�strict-forward)r�rZiifr�r�r_r2r�r�r�ZfibZoif)rD�resultFr�rr�zrpfilter_DROP: r�rUrWr?r��r]r_r�r�rmr&r�znd-router-advertznd-neighbor-solicitr�)r-�_ipv6_rpfilterrbr�)r5r�rNZrpfilter_chainZ	fib_flagsr�r7r7r8�build_rpfilter_rulesNsX
����
�
�
���znftables.build_rpfilter_rulesc
Cs�gd�}dd�|D�}ddddd�id	d
|id�ig}|jjdvrT|�d
ddii�|�|�d��g}|�dddtdd|d�ii�d}|j��dkr�|d7}|jjdvr�|d7}|�dddtd||d�ii�|S)N)	z::0.0.0.0/96z::ffff:0.0.0.0/96z2002:0000::/24z2002:0a00::/24z2002:7f00::/24z2002:ac10::/28z2002:c0a8::/32z2002:a9fe::/32z2002:e000::/19cSs2g|]*}d|�d�dt|�d�d�d�i�qS)r�rrr<r#)rrn)�.0r\r7r7r8�
<listcomp>�r^z5nftables.build_rfc3964_ipv4_rules.<locals>.<listcomp>r�r�r%r�r&r�r�r�)r�r�rr�zRFC3964_IPv4_REJECT: r�r=rWr?r�r<r[rr�rar^)r-Z_log_deniedrbr�r�rLrb)r5Z	daddr_setr�rNZ
forward_indexr7r7r8�build_rfc3964_ipv4_rulesys<
��

�
�z!nftables.build_rfc3964_ipv4_rulesc	Cs�d}g}|�|�|j��|�|�|j��|�|�|j��g}|�|�|||||��|�|�|||||��|�|�	|||||��|S)Nr+)
rbr3rBr6rAr9rBrrr)r5r�r�rr>r�rNr7r7r8�*build_policy_rich_source_destination_rules�sz3nftables.build_policy_rich_source_destination_rulescCs|dvrdSdS)N)r�r�ZebTFr7)r5r�r7r7r8�is_ipv_supported�sznftables.is_ipv_supportedc
Cs�ddd�}||||ddg||dd||g||dd||g||dg||||||g||ddg||dd||g||dgdd	�}||vr�||Sttd
|��dS)NZ	ipv4_addrZ	ipv6_addrr1Z
inet_protoZinet_servicerZifnameZ
ether_addr)zhash:ipzhash:ip,portzhash:ip,port,ipzhash:ip,port,netzhash:ip,markzhash:netzhash:net,netz
hash:net,portzhash:net,port,netzhash:net,iface�hash:macz!ipset type name '%s' is not valid)r	r
)r5r�rmZipv_addr�typesr7r7r8�_set_type_list�s(�

��znftables._set_type_listcCs�|rd|vr|ddkrd}nd}dt||�||�d�}|�d�d�d	�D]}|d
vrLdg|d<qhqL|r�d
|vr�t|d
�|d
<d|vr�t|d�|d<dd|iigS)NrB�inet6r�r�r?)rBr>rCrm�:r<�,)r!�netr<�intervalrD�timeoutZmaxelemrHr=r�)r�rkrrn)r5rCrm�optionsr�Zset_dict�tr7r7r8�build_set_create_rules�s$
�
znftables.build_set_create_rulescCs$|�|||�}|�||j���dSrQ)rtr�r-rL)r5rCrmrrrNr7r7r8�
set_create�sznftables.set_createcCs*dddt|d�ii}|�||j���dS)NrGr�r?r�)r�rKr-rL)r5rCrWr7r7r8�set_destroy�s
�
znftables.set_destroycCs|jj�|�j�d�d�d�}g}|D]�}|dkrd|�dddii�|�dd	|rVd
ndd�i�q(|d
vr�|�d|�|�|r�dndd�i�q(|dkr�|�dd|r�dndii�q(|dkr�|�dddii�q(ttd|��q(dt	|�dkr�d|in|d|�rdndd|d�iS)Nrmr<rnr<r�r_r�r��thr>rJr&)r!ror7r�r�Zifacer�r�rz-Unsupported ipset type for match fragment: %sr��concatrr(r��@r�)
r-r5�	get_ipsetrmrrb�_set_get_familyr	r
rd)r5rCZ
match_destr0�type_formatrR�formatr7r7r8r*�s* 
�
��znftables._set_match_fragmentc	Cs8|jj�|�}|j�d�d�d�}|�d�}t|�t|�krHttd��g}t|�D�]�\}}|dk�rz||�	d�}	Wn$t
y�|�d�||}
Yn,0|�||d|	��|||	dd�}
z|
�	d�}	Wnt
y�|�|
�Yn(0|�d|
d|	�|
|	dd�gi�qT|d	v�rd||v�rP|�d||�d�i�n�z||�	d
�}	WnJt
�y�||}d|jv�r�|jddk�r�t
|�}|�|�Yn^0||d|	�}d|jv�r�|jddk�r�t
|�}|�d
|t|||	dd��d�i�qT|�||�qTt|�dk�r4d|igS|S)Nrmr<rnz+Number of values does not match ipset type.r<rG�-r:)r!rorrBrlr�r#rx)r-r5rzrmrrdr	r�	enumerater`rJrbrrrrn)r5rC�entry�objr|Zentry_tokens�fragmentr	r}r`Zport_strr$r7r7r8�_set_entry_fragment	sP
�

(
�znftables._set_entry_fragmentc	Cs0g}|�||�}|�dddt||d�ii�|S)Nr=rr?�rBr>rC�elem)r�rbr�)r5rCr�rNrr7r7r8�build_set_add_rules=s
�znftables.build_set_add_rulescCs"|�||�}|�||j���dSrQ)r�r�r-rL)r5rCr�rNr7r7r8�set_addFsznftables.set_addcCs8|�||�}dddt||d�ii}|�||j���dS)NrGrr?r�)r�r�rKr-rL)r5rCr�rrWr7r7r8�
set_deleteJs�
znftables.set_deletecCsdddt|d�iigS)Nrzr�r?r�)r�)r5rCr7r7r8�build_set_flush_rulesRs�znftables.build_set_flush_rulescCs |�|�}|�||j���dSrQ)r�r�r-rL)r5rCrNr7r7r8�	set_flushWs
znftables.set_flushcCsJ|jj�|�}|jdkrd}n(|jrBd|jvrB|jddkrBd}nd}|S)Nrir rBrlr%r!)r-r5rzrmrr)r5rCr5rBr7r7r8r{[s
�znftables._set_get_familyc	s�g}|���|||��|���|����|�j����fdd��d}g}|D]B}|���||��|d7}|dkrRt��fdd�|�g}d}qRt��fdd�|�dS)	Nc
sTz��|�j���Wn8tyN}z t�d�t�|�WYd}~n
d}~00dS)Nz;While restoring ipset entries the following Error occurred:)r�r-rL�	Exceptionrr�)rN�erRr7r8�_idle_set_add_entriesos

z3nftables.set_restore.<locals>._idle_set_add_entriesrr<i�cs�|�SrQr7r[�r�r7r8r]�r^z&nftables.set_restore.<locals>.<lambda>cs�|�SrQr7r[r�r7r8r]�r^)	r�rtr�r�r-rLr�rZidle_add)	r5Zset_name�	type_name�entriesZcreate_optionsZ
entry_optionsrN�chunkr�r7)r�r5r8�set_restorehsznftables.set_restore)N)N)r�)F)F)NN)NN)NN)NN)NN)N)N)N)N)F)N)N)F)NN)L�__name__�
__module__�__qualname__rCZpolicies_supportedr9rPrSrgrkrtryr�rKr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�rr
rrr�r�r�rrrrr�r3r6r9r=rErFrIrKrMrNrOrPrSrUrYr\rcrfrgrhrkrtrurvr*r�r�r�r�r�r�r{r�r7r7r7r8r,Xs�0,.e

	
C


V
c�
2B
  +


	
 
 �
�
!

!�
+


<
+(


4	�r,).Z
gi.repositoryrrhrvr+Zfirewall.core.loggerrZfirewall.functionsrrrrrZfirewall.errorsr	r
rrr
rrZfirewall.core.richrrrrrrrrrZfirewall.core.baserZfirewall.core.icmprrZnftables.nftablesrr�r�rHr�r�r��objectr,r7r7r7r8�<module>s:$,�


�



��
Name	Type	Size	Permission
__init__.cpython-39.opt-1.pyc	File	149 B	0644
__init__.cpython-39.pyc	File	149 B	0644
base.cpython-39.opt-1.pyc	File	1.09 KB	0644
base.cpython-39.pyc	File	1.09 KB	0644
ebtables.cpython-39.opt-1.pyc	File	7.22 KB	0644
ebtables.cpython-39.pyc	File	7.22 KB	0644
fw.cpython-39.opt-1.pyc	File	34.37 KB	0644
fw.cpython-39.pyc	File	34.4 KB	0644
fw_config.cpython-39.opt-1.pyc	File	32.8 KB	0644
fw_config.cpython-39.pyc	File	32.8 KB	0644
fw_direct.cpython-39.opt-1.pyc	File	12.91 KB	0644
fw_direct.cpython-39.pyc	File	12.91 KB	0644
fw_helper.cpython-39.opt-1.pyc	File	2.01 KB	0644
fw_helper.cpython-39.pyc	File	2.01 KB	0644
fw_icmptype.cpython-39.opt-1.pyc	File	2.17 KB	0644
fw_icmptype.cpython-39.pyc	File	2.17 KB	0644
fw_ifcfg.cpython-39.opt-1.pyc	File	1.4 KB	0644
fw_ifcfg.cpython-39.pyc	File	1.4 KB	0644
fw_ipset.cpython-39.opt-1.pyc	File	7.6 KB	0644
fw_ipset.cpython-39.pyc	File	7.6 KB	0644
fw_nm.cpython-39.opt-1.pyc	File	5.04 KB	0644
fw_nm.cpython-39.pyc	File	5.04 KB	0644
fw_policies.cpython-39.opt-1.pyc	File	2.33 KB	0644
fw_policies.cpython-39.pyc	File	2.33 KB	0644
fw_policy.cpython-39.opt-1.pyc	File	46.81 KB	0644
fw_policy.cpython-39.pyc	File	46.81 KB	0644
fw_service.cpython-39.opt-1.pyc	File	1.68 KB	0644
fw_service.cpython-39.pyc	File	1.68 KB	0644
fw_transaction.cpython-39.opt-1.pyc	File	4.62 KB	0644
fw_transaction.cpython-39.pyc	File	4.62 KB	0644
fw_zone.cpython-39.opt-1.pyc	File	29.81 KB	0644
fw_zone.cpython-39.pyc	File	29.81 KB	0644
helper.cpython-39.opt-1.pyc	File	210 B	0644
helper.cpython-39.pyc	File	210 B	0644
icmp.cpython-39.opt-1.pyc	File	3.01 KB	0644
icmp.cpython-39.pyc	File	3.01 KB	0644
ipXtables.cpython-39.opt-1.pyc	File	34 KB	0644
ipXtables.cpython-39.pyc	File	34 KB	0644
ipset.cpython-39.opt-1.pyc	File	8.05 KB	0644
ipset.cpython-39.pyc	File	8.05 KB	0644
logger.cpython-39.opt-1.pyc	File	22.3 KB	0644
logger.cpython-39.pyc	File	22.3 KB	0644
modules.cpython-39.opt-1.pyc	File	2.85 KB	0644
modules.cpython-39.pyc	File	2.85 KB	0644
nftables.cpython-39.opt-1.pyc	File	41.78 KB	0644
nftables.cpython-39.pyc	File	41.81 KB	0644
prog.cpython-39.opt-1.pyc	File	746 B	0644
prog.cpython-39.pyc	File	746 B	0644
rich.cpython-39.opt-1.pyc	File	20.8 KB	0644
rich.cpython-39.pyc	File	20.8 KB	0644
watcher.cpython-39.opt-1.pyc	File	2.74 KB	0644
watcher.cpython-39.pyc	File	2.74 KB	0644
Upload:

Command:

Filemanager

Server Info

System Info
