ó  c‰`c@sjdddgZddljZddlZddlZddlZddlmZddlm Z m Z m Z m Z m Z mZmZmZmZmZddlmZmZddlmZmZmZmZmZmZmZdd lmZdd l m!Z!dd lm"Z"dd l#m$Z$defd „ƒYZ%defd„ƒYZ&e'd„Z(e)d„Z*dS(tZonet zone_readert zone_writeriÿÿÿÿN(tconfig( tcheckIPtcheckIP6t checkIPnMaskt checkIP6nMasktcheckInterfacetuniqifytmax_zone_name_lent u2b_if_py2t check_mactportStr(tDEFAULT_ZONE_TARGETt ZONE_TARGETS(tPY2t IO_ObjecttIO_Object_ContentHandlertIO_Object_XMLGeneratort check_portt check_tcpudptcheck_protocol(trich(tlog(terrors(t FirewallErrorcBsEeZdZdAdBdCdefdDddgfddEgfd dgfd efd dFgfd dgfd dgfddgfddgfddGgfdeffZdZdddgZidHd6dHd6dHd6dgd6ddgd6dgd6dgd6ddgd6dgd6dHd6dHd 6d!gd"6d#gd6ddgd$6dHd%6dHd&6dHd'6dHd(6dHd)6d*gd+6d#gd,6dHd-6Zidd.ddgd6d/gd 6d0d1gd6d2gd6d!d3d4d2d5gd 6d4gd"6d6d7gd%6d8gd(6Z e d9„ƒZ d:„Z d;„Z d<„Zd=„Zd>„Zd?„Zd@„ZRS(Is Zone class tversionttshortt descriptiontUNUSEDttargettservicestportst icmp_blockst masqueradet forward_portst interfacestsourcest rules_strt protocolst source_portsticmp_block_inversions&(sssbsasa(ss)asba(ssss)asasasasa(ss)b)t_t-t/tzonetnametservicetporttprotocols icmp-blocks icmp-types forward-portt interfacetruletsourcetaddresst destinationtvalues source-portRtaudittaccepttrejecttdroptsettmarktlimitsicmp-block-inversiont immutabletenabledsto-portsto-addrtfamilytmactinverttipsettprefixtlevelttypecCsLx3ttjƒD]"\}\}}||kr|SqWttjdƒ‚dS(Ns index_of()(t enumerateRtIMPORT_EXPORT_STRUCTURERRt UNKNOWN_ERROR(telementtiteltdummy((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytindex_ofbs" cCsËtt|ƒjƒd|_d|_d|_t|_t|_ g|_ g|_ g|_ g|_ t|_g|_g|_g|_g|_d|_g|_g|_t|_t|_t|_dS(NR(tsuperRt__init__RRRtFalseRRR R!R"R)R#R$R%R*R&R'tNonet fw_configtrulesR(R+tcombinedtapplied(tself((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRSis*                   cCs¤d|_d|_d|_t|_t|_|j2|j2|j 2|j 2t|_ |j 2|j 2|j2|j2d|_|j2|j2t|_t|_t|_dS(NR(RRRRTRRR R!R"R)R#R$R%R*R&R'RURVRWR(R+RXRY(RZ((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytcleanup€s(         c Cs t|jƒ|_t|jƒ|_t|jƒ|_t|jƒ|_g|jD]}t|ƒ^qR|_g|jD]$\}}t|ƒt|ƒf^qw|_g|jD]}t|ƒ^q®|_g|jD]}t|ƒ^qÓ|_g|j D]<\}}}}t|ƒt|ƒt|ƒt|ƒf^qø|_ g|j D]$\}}t|ƒt|ƒf^qG|_ g|j D]}t|ƒ^q~|_ g|j D]}t|ƒ^q£|_ g|j D]}t|ƒ^qÈ|_ g|jD]}t|ƒ^qí|_dS(s» HACK. I haven't been able to make sax parser return strings encoded (because of python 2) instead of in unicode. Get rid of it once we throw out python 2 support.N(R RRRR R!R"R)R#R%R*R&R'RWR(( RZtstpotprRNtp1tp2tp3tp4((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytencode_strings–s%7%%O4%%%cCs‰|dkrlg|D]}tjd|ƒ^q|_tt|ƒj|g|jD]}t|ƒ^qPƒntt|ƒj||ƒdS(NR(trule_str(Rt Rich_RuleRWRRRt __setattr__tstr(RZR0R9R\((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRfªs (8c Cs?|dkr]|jr]|jjƒ}x|D]+}||kr+ttjd|ƒ‚q+q+WnÞ|dkr™xÏ|D]"}t|dƒt|dƒqpWn¢|dkrÃx“|D]}t|ƒq¬Wnx|dkr |jr |jjƒ}xQ|D]+}||krîttj d|ƒ‚qîqîWn|d kròx |D]¸} t| dƒt| dƒ| d  r„| d  r„ttj d | ƒ‚n| d rŸt| d ƒn| d r3t | d ƒ rët | d ƒ rëttj d | d ƒ‚qëq3q3WnI|dkr.x:|D]"}t|dƒt|dƒqWn |dkr^|tkr;ttj|ƒ‚q;nÝ|dkrŸxÎ|D]'} t| ƒsqttj| ƒ‚qqqqWnœ|dkr x|D]R} t| ƒ r²t| ƒ r²t| ƒ r²| jdƒ r²ttj | ƒ‚q²q²Wn0|dkr;x!|D]} tjd| ƒqWndS(NR!s '%s' not among existing servicesR"iiR)R#s"'%s' not among existing icmp typesR%iis$'%s' is missing to-port AND to-addr s#to-addr '%s' is not a valid addressR*R R&R'sipset:R(Rd(RVt get_servicesRRtINVALID_SERVICERRRt get_icmptypestINVALID_ICMPTYPEtINVALID_FORWARDRRt INVALID_ADDRRtINVALID_TARGETRtINVALID_INTERFACERRR t startswithRRe( RZRtitemtexisting_servicesR1R2tprototexisting_icmptypesticmptypetfwd_portR4R6R5((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyt _check_config²sn              "           cCstt|ƒj|ƒ|jdƒr>ttjd|ƒ‚nÄ|jdƒrfttjd|ƒ‚nœ|jdƒdkr”ttjd|ƒ‚nnd|kr¶||j dƒ }n|}t |ƒt ƒkrttjd|t |ƒt ƒ|j fƒ‚ndS(NR.s'%s' can't start with '/'s'%s' can't end with '/'ismore than one '/' in '%s's'Zone of '%s' has %d chars, max is %d %s( RRRt check_nameRpRRt INVALID_NAMEtendswithtcounttfindtlenR RX(RZR0t checked_name((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRxës&      c CsEt|_d|_d|_d|_d|_x3|jD](}||jkr7|jj|ƒq7q7Wx3|j D](}||j krm|j j|ƒqmqmWx3|j D](}||j kr£|j j|ƒq£q£Wx3|j D](}||j krÙ|j j|ƒqÙqÙWx3|j D](}||j kr|j j|ƒqqWx3|j D](}||j krE|j j|ƒqEqEW|jr†t|_nx3|jD](}||jkr|jj|ƒqqWx3|jD](}||jkrÆ|jj|ƒqÆqÆWx7|jD],} |jj| ƒ|jjt| ƒƒqüW|jrAt|_ndS(NR(tTrueRXRUtfilenameRRRR&tappendR'R!R"R)R#R$R%R*RWR(RgR+( RZR/R4R6R1R2RsticmptforwardR5((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pytcombinesH        (sversionR(sshortR(s descriptionR(stargetR(RR(RRRR(RRN(t__name__t __module__t__doc__RTRKtDBUS_SIGNATUREtADDITIONAL_ALNUM_CHARSRUtPARSER_REQUIRED_ELEMENT_ATTRStPARSER_OPTIONAL_ELEMENT_ATTRSt staticmethodRQRSR[RcRfRwRxR„(((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyR(sv                                  9 tzone_ContentHandlercBs#eZd„Zd„Zd„ZRS(cCs/tj||ƒd|_t|_d|_dS(N(RRSRUt_ruleRTt _rule_errort _limit_ok(RZRq((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRS,s  c Cswtj|||ƒ|jr dS|jj||ƒ|dkrd|krbtjd|dƒnd|kr|d|j_nd|kr¤tjd|dƒnd|krs|d}|tkrÛt t j |ƒ‚n|dkr|t kr||j_ qqsnk|d krn\|d kr&nM|d krÑ|jrŠ|jjrmtjd t|jƒƒt|_dStj|dƒ|j_dS|d|jjkrº|jjj|dƒqstjd |dƒn¢ |dkr»|jr<|jjrtjd t|jƒƒt|_dStj|d|dƒ|j_dSt|dƒt|dƒt|ddƒ|df}||jjkr|jjj|ƒqstjd|d|dƒn¸ |dkrs|jr|jjrtjd t|jƒƒt|_dStj|dƒ|j_qst|dƒ|d|jjkr\|jjj|dƒqstjd|dƒn |dkr|jr×|jjrºtjd t|jƒƒt|_dStj|dƒ|j_dS|d|jjkr|jjj|dƒqstjd|dƒnU |dkr™|jr‚|jjretjd t|jƒƒt|_dStj |dƒ|j_dStjd|dƒnÚ |dkrZd|krß|dj!ƒd`krßtjd|dƒdS|jr/|jjrtjd t|jƒƒt|_dStj"ƒ|j_qs|jj#rKtjdƒqst|j_#n |dkrd}d|kr…|d}nd}d |kr¤|d }n|jr |jjrßtjd t|jƒƒt|_dStj$|d|d||ƒ|j_dSt|dƒt|dƒ|r8t|ƒn|rtt%|ƒ rtt&|ƒ rtt t j'd!|ƒ‚qtnt|ddƒ|dt|dƒt|ƒf}||jj(krÎ|jj(j|ƒqstjd"|d|d|rõd#|nd|rd$|ndƒna|d%krü|jr}|jjrYtjd t|jƒƒt|_dStj)|d|dƒ|j_dSt|dƒt|dƒt|ddƒ|df}||jj*krÞ|jj*j|ƒqstjd&|d|dƒnw|d'kr˜|jr+tjd(ƒt|_dSd|krQtjd)ƒt|_dS|d|jj+kr|jj+j|dƒqstjd*|dƒnÛ|d+kr, |jrŽ |jj,rßtjd,t|jƒƒt|_dSt-}d-|kr |d-j!ƒdakr t}nd}} } d0|kr7 |d0}nd1|krP |d1} nd2|kri |d2} ntj/|| | d-|ƒ|j_,dSd0|kr· d2|kr· tjd3ƒdSd0|krà d2|krà tjd4ƒdSd5|kr tjd6|d5ƒnd-|kr tjd7ƒdSd0|kr{ t0|d0ƒ r{ t1|d0ƒ r{ t2|d0ƒ r{ t t j'|d0ƒ‚q{ nd2|krÔ d8|d2}||jj3kr½ |jj3j|ƒqÔ tjd9|d0ƒnd0|krs|d0}||jj3kr |jj3j|ƒq) tjd9|d0ƒqsnG|d:krÔ |js[ tjd;ƒt|_dS|jj4r„ tjd<t|jƒƒdSt-}d-|krµ |d-j!ƒdbkrµ t}ntj5|d0|ƒ|j_4nŸ|dckrî |js tjdAƒt|_dS|jj6r) tjdBƒt|_dS|d=krJ tj7ƒ|j_6n’|d>kr d} dC|kru |dC} ntj8| ƒ|j_6nO|d?kr® tj9ƒ|j_6n.|d@krÜ |dD} tj:| ƒ|j_6n|jj6|_;n…|dEkr¼ |js tjdFƒdS|jjr1 tjdGƒdSd} dH|krv |dH} | ddkrv tjdQƒt|_dSndR|krŒ |dRnd}tj<|| ƒ|j_|jj|_;n·|dSkr8|jsâ tjdTƒdS|jj=rtjdUt|jƒƒt|_dStj>ƒ|j_=|jj=|_;n;|dVkr¥d}d5|kr|d5}|dekrtjdY|d5ƒt|_dSntj?|ƒ|_nÎ|dZkr(|j;sÔtjd[ƒt|_dS|j;j@rtjd\t|jƒƒt|_dS|d}tjA|ƒ|j;_@nK|d]kr_|jjBrPtjd^ƒqst|j_Bntjd_|ƒdSdS(fNR/R0s'Ignoring deprecated attribute name='%s'RRAs,Ignoring deprecated attribute immutable='%s'R RRRR1s;Invalid rule: More than one element in rule '%s', ignoring.s#Service '%s' already set, ignoring.R2R3R-s#Port '%s/%s' already set, ignoring.R9s$Protocol '%s' already set, ignoring.s icmp-blocks&icmp-block '%s' already set, ignoring.s icmp-types-Invalid rule: icmp-block '%s' outside of ruleR$RBtnotfalses*Ignoring deprecated attribute enabled='%s's!Masquerade already set, ignoring.s forward-portsto-portsto-addrs#to-addr '%s' is not a valid addresss-Forward port %s/%s%s%s already set, ignoring.s >%ss @%ss source-ports*Source port '%s/%s' already set, ignoring.R4s$Invalid rule: interface use in rule.s Invalid interface: Name missing.s%Interface '%s' already set, ignoring.R6s:Invalid rule: More than one source in rule '%s', ignoring.REtyesttrueR7RDRFs$Invalid source: No address no ipset.s"Invalid source: Address and ipset.RCs)Ignoring deprecated attribute family='%s's+Invalid source: Invertion not allowed here.sipset:%ss"Source '%s' already set, ignoring.R8s)Invalid rule: Destination outside of rules?Invalid rule: More than one destination in rule '%s', ignoring.R;R<R=R?s$Invalid rule: Action outside of rules"Invalid rule: More than one actionRIR>Rs!Invalid rule: Log outside of rulesInvalid rule: More than one logRHtemergtalerttcritterrortwarningtnoticetinfotdebugsInvalid rule: Invalid log levelRGR:s#Invalid rule: Audit outside of rules9Invalid rule: More than one audit in rule '%s', ignoring.R5tipv4tipv6s&Invalid rule: Rule family "%s" invalidR@s4Invalid rule: Limit outside of action, log and audits9Invalid rule: More than one limit in rule '%s', ignoring.sicmp-block-inversions+Icmp-Block-Inversion already set, ignoring.sUnknown XML element '%s'(R‘R’(syesR”(syesR”(sacceptsrejectsdropsmark(R•R–R—serrorswarningRšsinfosdebug(RRž(CRt startElementRRqtparser_check_element_attrsRR™RRRRRnRR RŽRMRgRRt Rich_ServiceR!Rt Rich_PortRRR R"t Rich_ProtocolRR)tRich_IcmpBlockR#t Rich_IcmpTypetlowertRich_MasqueradeR$tRich_ForwardPortRRRmR%tRich_SourcePortR*R&R6RTRUt Rich_SourceRRR R'R8tRich_Destinationtactiont Rich_Acceptt Rich_Rejectt Rich_Dropt Rich_MarkRtRich_LogR:t Rich_AuditReR@t Rich_LimitR+(RZR0tattrsR tentrytto_porttto_addrREtaddrRDRFt_typet_setRHRGRCR9((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRŸ2st                                                                                                                                                                 cCstj||ƒ|dkré|jsÔy|jjƒWn/tk rg}tjd|t|jƒƒqÔXt|jƒ|j j kr¸|j j j |jƒ|j j j t|jƒƒqÔtjdt|jƒƒnd|_t|_n|d krd|_ndS( NR5s%s: %ss Rule '%s' already set, ignoring.R;R<R=R?RR:(sacceptsrejectsdropsmarkslogsaudit(Rt endElementRRŽtcheckt ExceptionRR™RgRqR(RWRRURTR(RZR0te((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyR»•s        (R…R†RSRŸR»(((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyR+s  ÿdc Csbtƒ}|jdƒs1ttjd|ƒ‚n|d |_|sW|j|jƒn||_||_|j t j ƒrt nt |_|j|_t|ƒ}tjƒ}|j|ƒd||f}t|dƒi}tjdƒ}|j|ƒy|j|ƒWn2tjk r>} ttjd| jƒƒ‚nXWdQX~~tr^|jƒn|S(Ns.xmls'%s' is missing .xml suffixiüÿÿÿs%s/%strbsnot a valid zone file: %s(RRzRRRyR0RxR€tpathRpRt ETC_FIREWALLDRTRtbuiltintdefaultRtsaxt make_parsertsetContentHandlertopent InputSourceRUt setByteStreamtparsetSAXParseExceptiont INVALID_ZONEt getExceptionRRc( R€RÀt no_check_nameR/thandlertparserR0tfR6tmsg((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRªs:     !       c Cs% |r |n|j}|jr4d||jf}nd||jf}tjj|ƒrytj|d|ƒWqtk r™}tj d||ƒqXntjj |ƒ}|j t j ƒrtjj|ƒ rtjjt j ƒsÿtjt j dƒntj|dƒntj|dddd ƒ}t|ƒ}|jƒi}|jrq|jd krq|j|d d kr{ |j0j>|d%t1|jGƒƒ|jGjEr˜ |jd-ƒ|j||ƒ|jd4ƒ|jd5i|jGjEj8d6ƒ|jd6ƒ|j|ƒn|jd-ƒ|j||ƒ|jdƒn|jdƒ|jd)ƒ|jdƒqòW|jd ƒ|jdƒ|jNƒ|jOƒ~dS(?Ns%s/%ss %s/%s.xmls%s.oldsBackup of file '%s' failed: %siètmodetwttencodingsUTF-8RRR R/s s RRR4R0sipset:R6iRFR7R1R2iiR3R9sicmp-block-inversions icmp-blockR$isto-portisto-addrs forward-ports source-portRCR5RDRREs R8s icmp-types#Unknown element '%s' in zone_writerRGRHRs R@s R:R;R<RIR=R?R>sUnknown action '%s'(PRÀR€R0tostexiststshutiltcopy2R½RR˜tdirnameRpRRÁtmkdirtioRÇRt startDocumentRR RRŸtignorableWhitespaceRt charactersR»RR R&t simpleElementR'R!R"R)R+R#R$R%R*RWRCR6R¸RDRFRER8RMRIRR¡R¢R2R3R£R9R§R¤R¥R¨R¶t to_addressR©RRtINVALID_OBJECTRGRHR@R:R¬R­R®R¯R°R>R™t endDocumenttclose(R/RÀt_pathR0RÒtdirpathRÑRÏR´R4R6R1R2R3R‚RƒR5RMR¬((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyRÉs¬ %            &                                                         (+t__all__txml.saxRÄRÖRÜRØtfirewallRtfirewall.functionsRRRRRR R R R R tfirewall.core.baseRRtfirewall.core.io.io_objectRRRRRRRt firewall.coreRtfirewall.core.loggerRRtfirewall.errorsRRRRTRRUR(((s9/usr/lib/python2.7/site-packages/firewall/core/io/zone.pyts$   F4ÿÿ€