ó  c‰`c@sdddddddddd d d d d ddddgZddlmZddlmZddlmZddlmZddlm Z de fd„ƒYZ de fd„ƒYZ de fd„ƒYZ de fd„ƒYZdefd„ƒYZde fd„ƒYZde fd„ƒYZde fd„ƒYZde fd „ƒYZd e fd!„ƒYZd e fd"„ƒYZd e fd#„ƒYZd e fd$„ƒYZd e fd%„ƒYZdefd&„ƒYZde fd'„ƒYZde fd(„ƒYZde fd)„ƒYZd*S(+t Rich_SourcetRich_Destinationt Rich_Servicet Rich_Portt Rich_ProtocoltRich_MasqueradetRich_IcmpBlockt Rich_IcmpTypetRich_SourcePorttRich_ForwardPorttRich_Logt Rich_Auditt Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_Markt Rich_Limitt Rich_Ruleiÿÿÿÿ(t functions(tcheck_ipset_name(t REJECT_TYPES(terrors(t FirewallErrorcBseZed„Zd„ZRS(cCsî||_|jdkr$d|_n||_|jdksK|jdkrWd|_n$|jdk r{|jjƒ|_n||_|jdkrŸd|_n||_|jdkrê|jdkrê|jdkrêttjdƒ‚ndS(Ntsno address, mac and ipset( taddrtNonetmactuppertipsettinvertRRt INVALID_RULE(tselfRRRR((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyt__init__$s       - cCs‰d|jrdnd}|jdk r7|d|jS|jdk rU|d|jS|jdk rs|d|jSttjdƒ‚dS(Ns source%s s NOTRs address="%s"smac="%s"s ipset="%s"sno address, mac and ipset(RRRRRRRR(Rtret((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyt__str__5s (t__name__t __module__tFalseR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR#s cBseZed„Zd„ZRS(cCs||_||_dS(N(RR(RRR((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR Bs cCs d|jrdnd|jfS(Nsdestination %saddress="%s"snot R(RR(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Fs(R#R$R%R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRAs cBseZd„Zd„ZRS(cCs ||_dS(N(tname(RR&((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR KscCs d|jS(Nsservice name="%s"(R&(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Ns(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRJs cBseZd„Zd„ZRS(cCs||_||_dS(N(tporttprotocol(RR'R(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR Rs cCsd|j|jfS(Nsport port="%s" protocol="%s"(R'R((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Vs(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRQs cBseZd„ZRS(cCsd|j|jfS(Ns#source-port port="%s" protocol="%s"(R'R((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Zs (R#R$R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRYscBseZd„Zd„ZRS(cCs ||_dS(N(tvalue(RR)((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR _scCs d|jS(Nsprotocol value="%s"(R)(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"bs(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR^s cBseZd„Zd„ZRS(cCsdS(N((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR fscCsdS(Nt masquerade((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"is(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRes cBseZd„Zd„ZRS(cCs ||_dS(N(R&(RR&((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR mscCs d|jS(Nsicmp-block name="%s"(R&(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"ps(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRls cBseZd„Zd„ZRS(cCs ||_dS(N(R&(RR&((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR tscCs d|jS(Nsicmp-type name="%s"(R&(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"ws(R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRss cBseZd„Zd„ZRS(cCs^||_||_||_||_|jdkr?d|_n|jdkrZd|_ndS(NR(R'R(tto_portt to_addressR(RR'R(R+R,((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR {s     cCsRd|j|j|jdkr+d|jnd|jdkrJd|jndfS(Ns(forward-port port="%s" protocol="%s"%s%sRs to-port="%s"s to-addr="%s"(R'R(R+R,(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"†s (R#R$R R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR zs cBs#eZdddd„Zd„ZRS(cCs||_||_||_dS(N(tprefixtleveltlimit(RR-R.R/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s  cCsSd|jrd|jnd|jr2d|jnd|jrKd|jndfS(Ns log%s%s%ss prefix="%s"Rs level="%s"s %s(R-R.R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"“sN(R#R$RR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR ŒscBseZdd„Zd„ZRS(cCs ||_dS(N(R/(RR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR šscCsd|jrd|jndS(Nsaudit%ss %sR(R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"žsN(R#R$RR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR ™s cBseZdd„Zd„ZRS(cCs ||_dS(N(R/(RR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR ¢scCsd|jrd|jndS(Nsaccept%ss %sR(R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"¥sN(R#R$RR R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR ¡s cBs)eZddd„Zd„Zd„ZRS(cCs||_||_dS(N(ttypeR/(Rt_typeR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR ©s cCs:d|jrd|jnd|jr2d|jndfS(Ns reject%s%ss type="%s"Rs %s(R0R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"­scCs|jr{|s$ttjdƒ‚n|dkr{|jt|kr{djt|ƒ}ttjd|j|fƒ‚q{ndS(Ns9When using reject type you must specify also rule family.tipv4tipv6s, s%Wrong reject type %s. Use one of: %s.(R2R3(R0RRRRtjoin(Rtfamilyt valid_types((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pytcheck±s  N(R#R$RR R"R7(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR ¨s cBseZd„ZRS(cCsd|jrd|jndS(Nsdrop%ss %sR(R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"»s(R#R$R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRºscBs&eZdd„Zd„Zd„ZRS(cCs||_||_dS(N(tsetR/(Rt_setR/((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR Às cCs'd|j|jrd|jndfS(Ns mark set=%s%ss %sR(R8R/(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"Äs cCs×|jdk r|j}nttjdƒ‚d|kr¯|jdƒ}t|ƒdkrottj|ƒ‚ntj|dƒ s—tj|dƒ rÓttj|ƒ‚qÓn$tj|ƒsÓttj|ƒ‚ndS(Ns no value sett/iii( R8RRRt INVALID_MARKtsplittlenRt checkUINT32(Rtxtsplits((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR7Ès  N(R#R$RR R"R7(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR¿s  cBs,eZd„Zd„Zd„Zd„ZRS(cCsu||_d|jkrq|jjdƒ}t|ƒdkrq|dd krqd|d |dd f|_qqndS( NR:iitsecondtminutethourtdays%s/%si(RARBRCRD(R)R<R=(RR)R@((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR Üs  cCsˆd}d|jkr*|jjdƒ}n| sCt|ƒdkr[ttj|jƒ‚n|\}}yt|ƒ}Wnttj|jƒ‚nX|dks®|dkrÆttj|jƒ‚nd}|dkrád}n?|dkröd}n*|dkr d}n|dkr d}nd ||d krPttjd |jƒ‚n|dkr„|dkr„ttjd |jƒ‚ndS(NR:iitstmthtdi<ii'is %s too fasts %s too slow(RERFRGRHii i€Q(RR)R<R=RRt INVALID_LIMITtint(RR@tratetdurationtmult((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR7äs6           cCs d|jS(Nslimit value="%s"(R)(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"scCsdS(NR((R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pytcommand s(R#R$R R7R"RN(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRÛs  " cBs;eZddd„Zd„Zd„Zd„Zd„ZRS(cCsw|dk rt|ƒ|_n d|_d|_d|_d|_d|_d|_d|_|rs|j |ƒndS(N( RtstrR5tsourcet destinationtelementtlogtaudittactiont_import_from_string(RR5trule_str((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s        cCsÎg}x­tj|ƒD]œ}d|krž|jdƒ}t|ƒdks_|d s_|d rxttjd|ƒ‚n|ji|dd6|dd6ƒq|ji|d6ƒqW|jid d6ƒ|S( s Lexical analysis t=iiisinternal error in _lexer(): %st attr_namet attr_valueRRtEOL(Rt splitArgsR<R=RRRtappend(RRWttokenstrtattr((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyt_lexers ( &c CsÐ |sttjdƒ‚nd|_d|_d|_d|_d|_d|_ d|_ |j |ƒ}|r|dj dƒdkrttjdƒ‚ni}g}d}x ||j dƒdko×|dgksÁ ||j dƒ}||j dƒ}||j dƒ}|rA|d?kr|ttjd|ƒ‚q|n;|d@krf|dkrw|jrwttjd)ƒ‚q||dkr¡|jr¡ttjd*ƒ‚q||dAkrØ|jrØttjd+||jfƒ‚q||d kr|jrttjd,ƒ‚q||d!kr,|j r,ttjd-ƒ‚q||dBkr||j r|ttjd.||j fƒ‚q|nttjd/|ƒ‚t |ƒdkr¢|t |ƒd0nd1} | d1kr<| r|r|dkrâttjd2ƒ‚q9ttjd3||fƒ‚q´ d|kr,ttjd4||fƒ‚q´ |jdƒnx| dkrÕ|dkr…|dCkryttjd7|ƒ‚n||_q´ |rÅ|dkr d8} nd9||f} ttj| ƒ‚q´ |j|ƒnß| dkrs|dDkrú|||ƒ‚n|d0}q²W|j$ƒdS(LNs empty ruleiRRR[truleRYRZR5taddressRRRR)R'R(sto-portsto-addrR&R-R.R0R8sbad attribute '%s'RPRQtservices icmp-blocks icmp-typeR*s forward-ports source-portRSRTtaccepttdroptrejecttmarkR/tnottNOTsmore than one 'source' elements#more than one 'destination' elementsFmore than one element. There cannot be both '%s' and '%s' in one rule.smore than one 'log' elementsmore than one 'audit' elementsOmore than one 'action' element. There cannot be both '%s' and '%s' in one rule.sunknown element %siRs0'family' outside of rule. Use 'rule family=...'.s:'%s' outside of any element. Use 'rule %s= ...'.s,'%s' outside of rule. Use 'rule ... %s ...'.R2R3sH'family' attribute cannot have '%s' value. Use 'ipv4' or 'ipv6' instead.sdwrong 'protocol' usage. Use either 'rule protocol value=...' or 'rule [forward-]port protocol=...'.sDattribute '%s' outside of any element. Use 'rule %s= ...'.sinvalid 'protocol' elementsinvalid 'service' elementsinvalid 'icmp-block' elementsinvalid 'icmp-type' elementsinvalid 'limit' element(sfamilyRcsmacsipsetsinvertsvaluesportsprotocolsto-portsto-addrsnamesprefixslevelstypesset(Rbssources destinationsprotocolRdsports icmp-blocks icmp-types masquerades forward-ports source-portslogsauditReRfRgsmarkslimitRiRjsEOL(sprotocolRdsports icmp-blocks icmp-types masquerades forward-ports source-port(ReRfRgsmark(sipv4sipv6(Rcsmacsipsetsinvert(RiRj(Rcsinvert(RiRj(sportsprotocol(sportsprotocolsto-portsto-addr(sportsprotocol(sprefixslevel(%RRRRR5RPRQRRRSRTRURatgetR=R]tTrueRR%tpoptclearRRRRRRRR RR R R RR RRR7( RRWR^tattrst in_elementstindexRRRYRZt in_elementterr_msg((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyRV.st       +  "%,               ?        $            $                 <      $       0                      $             cCs¬ |jdk r6|jdkr6ttj|jƒ‚n|jdkr±|jdk rf|jjdk su|jdk r‡ttjƒ‚nt |j ƒt kr±ttjƒ‚q±n|j dkr|j dkrättj dƒ‚n|jdkr|jdkrttj dƒ‚qnt |j ƒtt tgkr}|jdkr}|jdkr}|j dkr}ttj dƒ‚q}n|jdk r|jjdk rL|jdkr¿ttjƒ‚n|jjdk rættj dƒ‚n|jjdk r ttj dƒ‚ntj|j|jjƒsttjt|jjƒƒ‚qq|jjdk r¾|jjdk r…ttj dƒ‚ntj|jjƒsttjt|jjƒƒ‚qq|jjdk rt|jjƒsttjt|jjƒƒ‚qqttj d ƒ‚n|jdk r|jdkrKttjƒ‚n|jjdksytj|j|jjƒ rttjt|jjƒƒ‚qnt |j ƒtkr|j jdksÜt|j jƒd kr>ttjt|j jƒƒ‚q>n>t |j ƒt krutj!|j j"ƒsEttj#|j j"ƒ‚n|j j$dkr>ttj%|j j$ƒ‚q>nÉt |j ƒt&kr½tj'|j j(ƒs>ttj%|j j(ƒ‚q>nt |j ƒtkr/|j dk röttj dƒ‚n|jdk r>|jjdk r>ttj dƒ‚q>nt |j ƒtkr°|j jdksnt|j jƒd krttj)t|j jƒƒ‚n|j r>ttj dƒ‚q>nŽt |j ƒt*kr|j jdksït|j jƒd kr>ttj)t|j jƒƒ‚q>n+t |j ƒt kr˜tj!|j j"ƒsXttj#|j j"ƒ‚n|j j$dkr…ttj%|j j$ƒ‚n|j j+dkrÄ|j j,dkrÄttj#|j j+ƒ‚n|j j+dkrtj!|j j+ƒ rttj#|j j+ƒ‚n|j j,dkrPtj-|j|j j,ƒ rPttj|j j,ƒ‚n|jdkrqttjƒ‚n|j dk r>ttj dƒ‚q>n¦t |j ƒt.kr tj!|j j"ƒsÝttj#|j j"ƒ‚n|j j$d kr>ttj%|j j$ƒ‚q>n1|j dk r>ttj dt |j ƒƒ‚n|jdk r®|jj/r†|jj/d!kr†ttj0|jj/ƒ‚n|jj1dk r®|jj1j2ƒq®n|jdk r! t |j ƒt3t4t5gkrùttj6t |j ƒƒ‚n|jj1dk r! |jj1j2ƒq! n|j dk r¨ t |j ƒt4kr[ |j j2|jƒn%t |j ƒt7kr€ |j j2ƒn|j j1dk r¨ |j j1j2ƒq¨ ndS("NR2R3sno element, no actions%no element, no source, no destinationsno action, no log, no auditsaddress and macsaddress and ipsets mac and ipsetsinvalid sourceittcptudptsctptdccpsmasquerade and actionsmasquerade and mac sourcesicmp-block and actionRsforward-port and actionsUnknown element %stemergtalerttcritterrortwarningtnoticetinfotdebug(sipv4sipv6(RtRuRvRw(RtRuRvRw(RtRuRvRw(RxRyRzserrorR|R}sinfosdebug(8R5RRRtINVALID_FAMILYRPRRQtMISSING_FAMILYR0RRR RURRRRSRTRRRt check_addresst INVALID_ADDRROt check_mact INVALID_MACRt INVALID_IPSETRR&R=tINVALID_SERVICERt check_portR't INVALID_PORTR(tINVALID_PROTOCOLRt checkProtocolR)tINVALID_ICMPTYPERR+R,tcheck_single_addressRR.tINVALID_LOG_LEVELR/R7R R RtINVALID_AUDIT_TYPER(R((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR7 sä! $$$ $*$!*! *$$     cCsëd}|jr#|d|j7}n|jr@|d|j7}n|jr]|d|j7}n|jrz|d|j7}n|jr—|d|j7}n|jr´|d|j7}n|jrÑ|d|j7}ntjrçtj |ƒS|S(NRbs family="%s"s %s( R5RPRQRRRSRTRURtPY2tu2b(RR!((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR"¨s        N(R#R$RR RaRVR7R"(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyR s   Û ŸN(t__all__tfirewallRtfirewall.core.ipsetRtfirewall.core.baseRRtfirewall.errorsRtobjectRRRRRRRRRR R R R R RRRR(((s6/usr/lib/python2.7/site-packages/firewall/core/rich.pyts8       1