o

bhAbO��@s�
dg
Zd
dl
Zd
dlZd
dlZd
dlZd
dlZd
dlmZm	Z	
d
dl
mZ
d
dl
mZ
d
dl
mZ
d
dl
mZ
d
dl
mZ
d
d	l
mZ
d
d
l
mZ
d
dlmZ
d
dlmZ
d
d
lmZ
d
dlmZ
d
dlmZ
d
dlmZ
d
dlm Z 
d
dl!m"Z"
d
dl#m$Z$
d
dl%m&Z&
d
dl'm(Z(m)Z)
d
dl*m+Z+
d
dl,m-Z-
d
dl.m/Z/
d
dl0m1Z1
d
dl2m3Z3
d
dl4m5Z5
d
dl6m7Z7m8Z8
d
dl9m:Z:
d
dl;m<Z<
d
dl=m>Z>
d
d l?m@Z@
d
d!lAmBZB
d
d"l
mCZC
d
d#lDmEZE
Gd$d�deF�ZGdS)%�Firewall�N)�Dict�List)
�config)
�	functions)
�	ipXtables)
�ebtables)
�nftables)
�ipset)
�modules)
�FirewallIcmpType)
�FirewallService)
�FirewallZone)
�FirewallDirect)
�FirewallConfig)
�FirewallPolicies)
�
FirewallIPSet)
�FirewallTransaction)
�FirewallHelper)
�FirewallPolicy)�nm_get_bus_name�nm_get_interfaces_in_zone)
�log)
�	IO_Object)
�firewalld_conf)
�Direct)
�service_reader)
�icmptype_reader)�zone_reader�Zone)
�ipset_reader)
�IPSET_TYPES)
�
helper_reader)
�
policy_reader)
�	Rich_Rule)
�errors)
�
FirewallErrorc@s�
eZ
dZdfdd�
Zdd�Zdd�Zdd	�Zif
d
eee	e
ffdd�Zd
d�Zdd�Z
dgdd�
Zdd�Zdfdd�
Zdd�Zdd�Zdd�Zdd�Zdd �Zd!d"�Zd#d$�Zd%d&�Zd'd(�Zd)d*�Zd+d,�Zdhd.d/�
Zdhd0d1�
Zdhd2d3�
Zdhd4d5�
Zd6d7�Z d8d9�Z!d:d;�Z"d<d=�Z#d>d?�Z$d@dA�Z%dBdC�Z&dDdE�Z'dFdG�Z(dHdI�Z)dJdK�Z*dLdM�Z+dNdO�Z,dfdPdQ�
Z-dRdS�Z.dTdU�Z/dVdW�Z0dXdY�Z1dZd[�Z2d\d]�Z3d^d_�Z4d`da�Z5dbdc�Z6ddde�Z7d-S)ir
FcCs
tt
j�
|_|
|_|jrd
|_d
|_d
|_d
|_t	|_
d
|_n9t�
|�
|_d|_g|_t�|�
|_d|_g|_t��|_d|_t��|_d|_t	|_
t�|�
|_d|_t��|_t|�
|_t|�
|_t|�
|_ t!|�
|_"t#|�
|_
t$�|_%t&|�
|_t'|�
|_(t)|�
|_*|�+�
dS)NFT),rr�FIREWALLD_CONF�_firewalld_conf�_offline�ip4tables_enabled�ip6tables_enabled�ebtables_enabled�
ipset_enabledr!�ipset_supported_types�nftables_enabledr�	ip4tables�ip4tables_backend�ipv4_supported_icmp_types�	ip6tables�ip6tables_backend�ipv6_supported_icmp_typesr�ebtables_backendr
�
ipset_backendr	�nftables_backendr�modules_backendr�icmptyper
�servicer�zoner�directrr�policiesrr�helperr�policy�_Firewall__init_vars)�self�offline�rD�2/usr/lib/python3/dist-packages/firewall/core/fw.py�__init__FsB






































zFirewall.__init__c

CsDd
|j|j
|j|j|j|j|j|j|j|j	|j
|j|j|j
|jfS)Nz:%s(%r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r, %r))�	__class__r*r+r,�_state�_panic�
_default_zone�_module_refcount�_marks�cleanup_on_exit�cleanup_modules_on_exit�ipv6_rpfilter_enabledr-�_individual_calls�_log_denied�
rBrDrDrE�__repr__ns






��zFirewall.__repr__c

Csvd
|_d|_
d|_g|_g|_i|_g|_tj|_	tj
|_tj|_
tj|_tj|_tj|_tj|_tj|_tj|_dS)N�INITF�)rHrIrJ�_default_zone_interfaces�_nm_assigned_interfacesrKrLr�FALLBACK_CLEANUP_ON_EXITrM� FALLBACK_CLEANUP_MODULES_ON_EXITrN�FALLBACK_IPV6_RPFILTERrO�FALLBACK_INDIVIDUAL_CALLSrP�FALLBACK_LOG_DENIEDrQ�FALLBACK_FIREWALL_BACKEND�_firewall_backend�FALLBACK_FLUSH_ALL_ON_RELOAD�_flush_all_on_reload�FALLBACK_RFC3964_IPV4�
_rfc3964_ipv4�FALLBACK_ALLOW_ZONE_DRIFTING�_allow_zone_driftingrRrDrDrE�__init_varsws 














zFirewall.__init_varsc
s�
i}
�f
d
d��j�
�D�
|
d<�f
dd��j��D�
|
d<�f
dd��j��D�
|
d<�f
dd��j��D�
|
d	<�f
d
d��j�	�D�
|
d<�f
dd��j
��D�
|
d
<i|
d<t�j
���
�t�j���
�
D]}�j
�|�
|
d|<qit�j
���
�t�j���
�
D]>}|�jv
s�|�jv
r�t��j
�|�
�
|
d|<g|
d|_|�jv
r�|
d|j�d�

|�jv
r�|
d|j�d�

q�|
S)zH
        Returns a dict of dicts of all runtime config objects.
        c
�i|]	}
|
�j�
|
�
�qSrD)r
�	get_ipset)�.0�_ipsetrRrDrE�
<dictcomp>��z4Firewall.get_all_io_objects_dict.<locals>.<dictcomp>�ipsetsc
rfrD)r?�
get_helper)rhr?rRrDrErj�rk�helpersc
rfrD)r:�get_icmptype)rhr:rRrDrErj�rk�	icmptypesc
rfrD)r;�get_service)rhr;rRrDrErj�rk�servicesc
rfrD)r<�get_zone)rhr<rRrDrErj�rk�zonesc
rfrD)r@�
get_policy)rhr@rRrDrErj�rkr>�icmptypes_unsupported�ipv4�ipv6)r
�
get_ipsetsr?�get_helpersr:�
get_icmptypesr;�get_servicesr<�	get_zonesr@�"get_policies_not_derived_from_zone�setr�
differencero�intersectionr2r5�copy�destination�append)rB�	conf_dictr:rDrRrE�get_all_io_objects_dict�s2





	

�
�










�z Firewall.get_all_io_objects_dict�extra_io_objectsc
Csn|��}|
D]}|
|D]	}||||j
<qqgd
�
}|D]}||}|��D]\}}	|	�|	��|�
q'qdS)N)rlrnrprrrtr>)r��name�items�check_config_dict�export_config_dict)
rBr��all_io_objects�type_key�obj�order�io_obj_type�io_objsr��io_objrDrDrE�full_check_config�s


�



��zFirewall.full_check_configc

Cs�|jrd
|j
��v
rt�d�

d|_|jr$d
|j��v
r$t�d�

d|_|jr6d
|j��v
r6t�d�

d|_|jsK|jsM|j	sOt�
d�

t�d�

dSdSdSdS)N�filterziptables is not usable.Fzip6tables is not usable.zebtables is not usable.zNo IPv4 and IPv6 firewall.�
)
r*r1�get_available_tablesr�info1r+r4r,r6r/�fatal�sys�exitrRrDrDrE�
_check_tables�s$












�

�zFirewall._check_tablesc

Cs�
z|j�
�
Wnty$


|jrt�d
�

nt�d�

g|_d|_Ynw|j�	�|_|j
��
|j
jsO|j
j
r>t�d�

n|jrGt�d�

nt�d�

d|_|jrZ|j�d�
|_n
|jrd|j
��|_ng|_|j��
|jjs�|jj
rzt�d�

n|jr�t�d	�

nt�d
�

d|_|jr�|j�d�
|_n
|jr�|j��|_ng|_|j��
|jjs�|jj
r�t�d�

n|jr�t�d
�

nt�d�

d|_|jr�|js�|jjs�t�d�

dSdSdSdS)Nzaipset not usable, disabling ipset usage in firewall. Other set backends (nftables) remain usable.z4ipset not usable, disabling ipset usage in firewall.FzFiptables-restore is missing, using individual calls for IPv4 firewall.zMiptables-restore and iptables are missing, IPv4 direct rules won't be usable.zCiptables-restore and iptables are missing, disabling IPv4 firewall.rwzGip6tables-restore is missing, using individual calls for IPv6 firewall.zOip6tables-restore and ip6tables are missing, IPv6 direct rules won't be usable.zEip6tables-restore and ip6tables are missing, disabling IPv6 firewall.rxzHebtables-restore is missing, using individual calls for bridge firewall.zKebtables-restore and ebtables are missing, eb direct rules won't be usable.zEebtables-restore and ebtables are missing, disabling bridge firewall.zSebtables-restore is not supporting the --noflush option, will therefore not be used)r7�set_list�
ValueErrorr/rr��warningr.r-�set_supported_typesr1�fill_exists�restore_command_exists�command_existsr*r8�supported_icmp_typesr2r4r+r5r6r,rP�restore_noflush_option�debug1rRrDrDrE�_start_check�sb







�



























��zFirewall._start_checkc
Cs�tj
}t�d
tj�
z|j��
Wnty.
}
zt�|�

t�d�

WYd}~�
nMd}~w
w|j�	d�
r;|j�	d�
}|j�	d�
r[|j�	d�
}|du
rT|�
�dvrTd|_t�d|j�
|j�	d�
r{|j�	d�
}|du
rt|�
�d	vrtd
|_t�d|j�
|j�	d�
r�|j�	d�
}|du
r�|�
�d	vr�t�d
�

z|j
��
Wn	ty�


Yn
w|j�	d�
r�|j�	d�
}|du
r�|�
�dvr�d|_|�
�d	vr�d
|_|jr�t�d�

nt�d�

|j�	d�
r�|j�	d�
}|du
r�|�
�d	vr�t�d�

d
|_|j�	d�
�
r|j�	d�
}|du�
s|�
�dk�
rd|_n|�
�|_t�d|j�
|j�	d�
�
r3|j�	d�
|_t�d|j�
|j�	d�
�
rU|j�	d�
}|�
�dv�
rKd|_nd
|_t�d|j�
|j�	d�
�
rw|j�	d�
}|�
�dv�
rmd|_nd
|_t�d|j�
|j�t�|j�
�

|�|j�

|j�
s�|��
t�d�

z|j
j��
Wn.t�
y�
}
z!|j
���
r�t�d|j
jj|�
n
t�d|j
jj|�
WYd}~nd}~w
w|j� t�|j
�
�

|�!tj"d�
|�!tj#d�
|�!tj$d �
|�!tj%d �
t&|j'�(��
d!k�rt�d"�

|�!tj)d#�
|�!tj*d#�
|�!tj+d$�
|�!tj,d$�
t&|j-�.��
d!k�r+t�d%�

|�!tj/d&�
|�!tj0d&�
t&|j1�2��
d!k�rMt�3d'�

t4�5d(�

|�!tj6d)�
|�!tj7d)�
d}d*D]}||j1�2�v
�rqt�3d+|�
d
}�q_|�r{t4�5d(�

||j1�2�v
�r�d,|j1�2�v�r�d,}n
d-|j1�2�v�r�d-}nd.}t�d/||�
|}nt�d0|�
t8tj9�
}	t:j;�<tj9�
�r�t�d1tj9�

z|	��
Wnt�y�
}
zt�d2tj9|�
WYd}~nd}~w
w|j=�>|	�

|j�?t�|	�
�

|�@|�
|_A|j�r�dS|�B�
t�C�d!k�rtD�D�}
tE|�
}|jF|d3�

|
�r|�s(|jG�H��r1|jG�I��r1|�Jd
�

|�K�
|
�rA|�rAt�d4�

|jL�M�
|jN|d3�

|�Jd
�

|�K�
|jG�H��rf|jG�I��rft�d5�

|jG�O�
t�d6�

|jP|d3�

t�d7�

|j1jQ|d3�

|j1jRd|jA|d3�
t�d8�

|jSjT|d3�

|�Jd
�

|�K�
|j=�U��r�t�d9�

|j=�V|�

z|�Jd
�

|�K�
Wn&t�y�
}
zt|jWd:|jX�r�|jX��
d;��
d}~w
t�y�


�w~t�C�d(k�r�tD�D�}
t�Yd<|
|
�

dSdS)=Nz"Loading firewalld config file '%s'z0Using fallback firewalld configuration settings.�DefaultZone�
CleanupOnExit)�no�falseFzCleanupOnExit is set to '%s'�CleanupModulesOnExit)�yes�trueTz#CleanupModulesOnExit is set to '%s'�LockdownzLockdown is enabled�
IPv6_rpfilterzIPv6 rpfilter is enabledzIPV6 rpfilter is disabled�IndividualCallszIndividualCalls is enabled�	LogDeniedr��offzLogDenied is set to '%s'�FirewallBackendzFirewallBackend is set to '%s'�FlushAllOnReloadzFlushAllOnReload is set to '%s'�RFC3964_IPv4zRFC3964_IPv4 is set to '%s'zLoading lockdown whitelistz*Failed to load lockdown whitelist '%s': %sr
r:rzNo icmptypes found.r?r;zNo services found.r<zNo zones found.r�r@)�block�drop�trustedzZone '%s' is not available.�public�externalr�z+Default zone '%s' is not valid. Using '%s'.zUsing default zone '%s'zLoading direct rules file '%s'z)Failed to load direct rules file '%s': %s)
�use_transactionzUnloading firewall moduleszApplying ipsetszApplying default rule setzApplying used zoneszApplying used policiesz2Applying direct chains rules and passthrough rulesz
Direct: %srUz%Flushing and applying took %f seconds)Zr�
FALLBACK_ZONErr�r'r(�read�	Exceptionr��get�lowerrMrNr>�enable_lockdownr&rOrPrQr^r`rb�set_firewalld_confr��deepcopy�_select_firewall_backendr)r��lockdown_whitelist�query_lockdown�error�filename�set_policies�_loader�FIREWALLD_IPSETS�ETC_FIREWALLD_IPSETS�FIREWALLD_ICMPTYPES�ETC_FIREWALLD_ICMPTYPES�lenr:r{�FIREWALLD_HELPERS�ETC_FIREWALLD_HELPERS�FIREWALLD_SERVICES�ETC_FIREWALLD_SERVICESr;r|�FIREWALLD_ZONES�ETC_FIREWALLD_ZONESr<r}r�r�r��FIREWALLD_POLICIES�ETC_FIREWALLD_POLICIESr�FIREWALLD_DIRECT�os�path�existsr=�set_permanent_config�
set_direct�
check_zonerJr��getDebugLogLevel�timer�flushr
�backends�
has_ipsets�execute�clearr9�unload_firewall_modules�apply_default_tables�apply_ipsets�apply_default_rules�apply_zones�change_default_zoner@�apply_policies�has_configuration�apply_direct�code�msg�debug2)rB�reload�complete_reload�default_zoner��valuer��
zr<r��tm1�transaction�
e�tm2rDrDrE�_start 
s�






��





�




�






�





















�




�




�








�

���	

















�







�



�



���


�
�

















�









"
�

�
�zFirewall._startc

CsBz|��
Wnt
y


d
|_|�d�

�wd|_|�d�

dS)N�FAILED�ACCEPT�RUNNING)r�r�rH�
set_policyrRrDrDrE�start-s






�
zFirewall.startcCsbtj
�|
�
sdS|r-|
�tj�
r+|d
kr+t�}tj
�|
�
|_|�	|j�

|
|_
d|_
nd}tt�|
�
�
D�]�}|�
d�
s]|
�tj�
r\|d
kr\tj
�d|
|f�
r\|jd|
|f|dd�
q4d|
|f}t�d||�
�zL|dkr�t||
�}|j|j��vr�|j�|j�
}t�d	||j|j
|j�
|j�|j�

n
|j
�tj�
r�d|_
z|j�|�

Wnty�
}	
zt�d
|jt|	�
f�

WYd}	~	nd}	~	w
w|j�t�|�
�

�
n�|dk�
rt||
�}|j|j��v�
r|j� |j�
}t�d	||j|j
|j�
|j�!|j�

n|j
�tj�
�
r
d|_
|j�"|�

|j�"t�|�
�

�
n�|d
k�
r�t#||
|d�}|�
rFdtj
�|
�
tj
�|�
d
d�f|_|�	|j�

t�|�
}
|j|j$�%�v�
r�|j$�&|j�
}|j$�'|j�

|j(�
rvt�d||j|
|�
|�)|�

nt�d	||j|j
|j�
n|j
�tj�
�
r�d|_
d|
_
|j�*|
�

|�
r�t�d||j|
|�
|�)|�

�
n|j$�*|�

�
n|dk�rt+||
�}|j|j,�-�v�
r�|j,�.|j�
}t�d	||j|j
|j�
|j,�/|j�

n|j
�tj�
�
r�d|_
z|j,�0|�

Wnt�y
}	
zt�1d
|jt|	�
f�

WYd}	~	nd}	~	w
w|j�0t�|�
�

n�|dk�rgt2||
�}|j|j3�4�v�rL|j3�5|j�
}t�d	||j|j
|j�
|j3�6|j�

n|j
�tj�
�rWd|_
|j3�7|�

|j�7t�|�
�

nO|dk�r�t8||
�}|j|j9�:�v�r�|j9�;|j�
}t�d	||j|j
|j�
|j9�<|j�

n|j
�tj�
�r�d|_
|j9�=|�

|j�>t�|�
�

nt�?d|�
Wq4t�y�
}
zt�@d|||�
WYd}~q4d}~w
tA�y�


t�@d||�
t�B�
Yq4w|�r-|j(�r/|j|j$�%�v�r%|j$�&|j�
}t�d||j|j
|j�
z	|j$�'|j�

Wn
tA�y


Yn
w|j�C|j�

|j$�*|�

dSdSdS)Nr<Fz.xmlz%s/%sT)
�combinezLoading %s file '%s'r:z  Overloads %s '%s' ('%s/%s')z%s: %s, ignoring for run-time.r;)
�
no_check_namer���z  Combining %s '%s' ('%s/%s')r
r?r@zUnknown reader type %szFailed to load %s file '%s': %szFailed to load %s file '%s':z0  Overloading and deactivating %s '%s' ('%s/%s'))Dr�r��isdir�
startswithr�
ETC_FIREWALLDr�basenamer��
check_name�default�sorted�listdir�endswithr�rr�rr:r{ror��remove_icmptype�add_icmptyper&r��strr�r�rr;r|rq�remove_service�add_servicerr<r}rs�remove_zone�combinedr

�add_zoner r
ryrg�remove_ipset�	add_ipsetr�r"r?rzrm�
remove_helper�
add_helperr#r@�get_policiesru�
remove_policy�
add_policy�add_policy_objectr�r�r��	exception�forget_zone)rBr��reader_typer

�
combined_zoner�r�r��orig_objr��
config_objr�rDrDrEr�8sD












�
�









�






���








�









�







�


�






�








�






���








�











�


�


��

�





�


�
�zFirewall._loaderc

Csp|j�
�
|j�
�
|j�
�
|j�
�
|j�
�
|j�
�
|j�
�
|j�
�
|j	�
�
|j
�
�
|��
dS�
N)r:�cleanupr;r<r
r?rr=r>r@r(rArRrDrDrEr$
�s




















zFirewall.cleanupc

CsN|js!|j
r|��
|j��
|�d
�

|jr!t�d�

|j�	�
|�
�
dS)Nr�z!Unloading firewall kernel modules)r)rMr�r
r�rNrr�r9r�r$
rRrDrDrE�stop�s










z
Firewall.stopc	Cs�d
}d}t|
�
D]Z\}}|r|j
�|�
\}}n|j|dkr!d
}n|j
�|�
\}}|d
kr6|d7}||7}q|rI|j�|d
�
|j|d7<q||jvrb|j|d8<|j|d
krb|j|=q||fS)NrrUr�)�	enumerater9�load_modulerK�
unload_module�
setdefault)	rB�_modules�enable�
num_failed�
error_msgs�
i�module�statusr�rDrDrE�handle_modules�s*















�
zFirewall.handle_modulescCs|
d
kr	d|_dSdS)Nr	F)
r/)rB�backendrDrDrEr�
s


�z!Firewall._select_firewall_backendcCs0|��D]}|j
|
kr|
Sqttjd
|
��
)Nz'%s' backend does not exist)�all_backendsr�r&r%�
UNKNOWN_ERROR)rBr�r2
rDrDrE�get_backend_by_names



�
�zFirewall.get_backend_by_namecCsX|jr|j
S|
d
kr|jr|jS|
dkr|jr|jS|
dkr$|jr$|jStt	j
d|
��
�Nrwrx�ebz-'%s' is not a valid backend or is unavailable)r/r8r*r1r+r4r,r6r&r%�INVALID_IPV�rB�ipvrDrDrE�get_backend_by_ipvs









�zFirewall.get_backend_by_ipvcCsL|
d
kr
|jr
|j
S|
dkr|jr|jS|
dkr|jr|jSttjd|
��
r6
)	r*r1r+r4r,r6r&r%r8
r9
rDrDrE�get_direct_backend_by_ipv#s







�z"Firewall.get_direct_backend_by_ipvcCs<|
d
kr|jS|
dkr|j
S|
dkr|jS|
dkr|jSdS)Nr0r3rr	F)r*r+r,r/)rBr�rDrDrE�is_backend_enabled-s








zFirewall.is_backend_enabledcCs8|jrd
S|
dkr|j
S|
dkr|jS|
dkr|jSdS)NTrwrxr7
F)r/r*r+r,r9
rDrDrE�is_ipv_enabled8s








zFirewall.is_ipv_enabledc
CsTg}
|jr
|
�
|j�

|
S|jr|
�
|j�

|jr|
�
|j�

|jr(|
�
|j�

|
Sr#
)	r/r�r8r*r1r+r4r,r6�rBr�rDrDrE�enabled_backendsCs


�





zFirewall.enabled_backendsc
CsPg}
|jr|
�
|j�

|jr|
�
|j�

|jr|
�
|j�

|jr&|
�
|j�

|
Sr#
)	r*r�r1r+r4r,r6r/r8r?
rDrDrEr3
Ps









zFirewall.all_backendsNcCsN|
dur	t|�
}n|
}|�
�D]
}|�||���
q|
dur%|�d
�

dSdS)NT)rr@
�	add_rules�build_default_tablesr�)rBr�r�r2
rDrDrEr�\s




�zFirewall.apply_default_tablescCs�|
dur	t|�
}n|
}|�
�D]}|�|j�
}|�||�
q|�d
�
r=|�d
�
}d|��vr=|jr=|�	|j�
}|�||�
|�d
�
rO|j
rO|��}|�||�
|
durZ|�d�

dSdS)Nrx�rawT)
rr@
�build_default_rulesrQrA
r>
r;
r�rO�build_rpfilter_rulesrb�build_rfc3964_ipv4_rulesr�)rBr�r�r2
�rules�ipv6_backendrDrDrEr�hs$














�zFirewall.apply_default_rulescCs\|
dur	t|�
}n|
}t
�d
�

|��D]}|��}|�||�
q|
dur,|�d�

dSdS)NzFlushing rule setT)rrr�r3
�build_flush_rulesrA
r�)rBr�r�r2
rG
rDrDrEr��s






�zFirewall.flushcCs`|dur	t|�
}n|}t
�d
|
�
|��D]
}|�|
�
}|�||�
q|dur.|�d�

dSdS)NzSetting policy to '%s'T)rrr�r@
�build_set_policy_rulesrA
r�)rBr@r�r�r2
rG
rDrDrEr��s






�zFirewall.set_policycCsB|sd
S|�|
�
}|st
tjd|
��
|�|
�
sd
S|�||j�S)NrU�'%s' is not a valid backend)r5
r&r%r8
r=
�set_rulerQ)rB�backend_name�ruler2
rDrDrErN
�s





�

z
Firewall.rulec
Cs
tt
d|��
}|�|
�
}|sttjd
|
��
|�|
�
sdS|js+|jr+|
dkry|j	j
syt|�
D]G\}}z	|�||j
�
Wq/tyv
}
z.t�t���

t�|�

t|d|��
D]}z|�|�|�
|j
�
WqXtyo


YqXw|�
d}~w
wdS|�||j
�
dS)NrK
r)�listr�r5
r&r%r8
r=
rPr�r6r�r&
rL
rQr�rr��	traceback�
format_excr��reversed�reverse_rule�	set_rules)rBrM
rG
�_rulesr2
r.
rN
r�rDrDrErG
�s:




�


�










����zFirewall.rulesc

Cs|jrt
tj�
�
dSr#
)rIr&r%�
PANIC_MODErRrDrDrE�check_panic�s


�zFirewall.check_paniccCs"|
}||j�
�v
rttj|��
|Sr#
)r@r
r&r%�INVALID_POLICY)rBr@�_policyrDrDrE�check_policy�s



zFirewall.check_policycCs6|
}|r|d
kr|��}||j
��v
rttj|��
|S)NrU)�get_default_zoner<r}r&r%�INVALID_ZONE)rBr<�_zonerDrDrEr��s





zFirewall.check_zonecC�t�
|
�
sttj|
��
dSr#
)r�checkInterfacer&r%�INVALID_INTERFACE)rB�	interfacerDrDrE�check_interface��


�zFirewall.check_interfacecC�|j�
|
�

dSr#
)r;�
check_service)rBr;rDrDrEre
��
zFirewall.check_servicecCr^
r#
)r�
check_portr&r%�INVALID_PORT)rB�portrDrDrErg
�rc
zFirewall.check_portcCs*|
stt
j�
�
|
d
v
rtt
jd|
��
dS)N)�tcp�udp�sctp�dccpz''%s' not in {'tcp'|'udp'|'sctp'|'dccp'})r&r%�MISSING_PROTOCOL�INVALID_PROTOCOL)rB�protocolrDrDrE�check_tcpudp�s






���zFirewall.check_tcpudpcCr^
r#
)r�checkIPr&r%�INVALID_ADDR)rB�iprDrDrE�check_ip�rc
zFirewall.check_ipcCsP|
d
krt�
|�
sttj|��
dS|
dkr"t�|�
s ttj|��
dSttjd��
)Nrwrxz'%s' not in {'ipv4'|'ipv6'})r�checkIPnMaskr&r%rs
�
checkIP6nMaskr8
)rBr:
�sourcerDrDrE�
check_address�s



�


�
�zFirewall.check_addresscCrd
r#
)r:�check_icmptype)rB�icmprDrDrErz
rf
zFirewall.check_icmptypecCs>t|
t
�std
|
t|
�
f�
�
t
|
�
dkrttjd|
��
dS)Nz%s is %s, expected intrz#timeout '%d' is not positive number)�
isinstance�int�	TypeError�typer&r%�
INVALID_VALUE)rB�timeoutrDrDrE�
check_timeouts





��zFirewall.check_timeoutcCs�|j}|j
}|s$i}|j��D]}|j�|�
j||<q|j��}|��}g}|j	�
�D]}	|�|j	�|	�
�

q+|s>|�
d
�

|��
d}
z	|jd|
d�
Wntya
}
z|}
WYd}~nd}~w
w|r�|D]}|j	�|j�
s�|j	��D]}
|
jdkr|qt|
�|j�

qtqf|�
s<|��}||kr�||v
r�i||<||D]}||jvr�||||||<|||=q�|j��D]}||vr�||D]	}|j�||�
q�||=q�t�d|�
q�t|�
dkr�t|���
D]}t�d|�
||=q�~|D]D}|j	�|j�
�
r(|jD](}z
|j	�|j|�
Wq�t�
y&
}
z|jt j!k�
r|�
WYd}~q�d}~w
wq�|j	�"|�

|j	�#|j�

q�|j�$|�

t%�}|�
r_|j��dg
D]}t&|�
D]}|jj|||d	�
�
qP�
qJ||_|j�
sk|�
d
�

|
�
rsd|_'|
�
d|_'dS)
N�DROPT)r�r�r	zNew zone '%s'.rz(Lost zone '%s', zone interfaces dropped.rU)
�senderr�r�r�)(rIr`r<r}rs�
interfacesr=�get_runtime_configr[
r
ryr�rgr�r$
r�r��query_ipsetr�r��set_destroyrV�change_zone_of_interfacerr�r�rO
�keys�entries�	add_entryr&r�r%�ALREADY_ENABLEDr
�apply_ipset�
set_configrrrH)rBr%
rI�	flush_all�_zone_interfacesr<�_direct_config�_old_dz�_ipset_objs�_name�start_exceptionr�r�r2
�_new_dz�iface�interface_id�entryr��nm_bus_namera
rDrDrEr�s�











��





�





�
�














����




�





zFirewall.reloadc


C�|jSr#
)
rHrRrDrDrE�	get_state��
zFirewall.get_statec

CsP|jr	t
tjd
��
z|�d�

Wnty"
}

zt
tj|
��
d}
~
w
wd|_dS)Nzpanic mode already enabled�PANICT)rIr&r%r�
r�r��COMMAND_FAILED�rBr�rDrDrE�enable_panic_mode��


�


��
zFirewall.enable_panic_modec

CsP|js	t
tjd
��
z|�d�

Wnty"
}

zt
tj|
��
d}
~
w
wd|_dS)Nzpanic mode is not enabledr�F)rIr&r%�NOT_ENABLEDr�r�r�
r�
rDrDrE�disable_panic_mode�r�
zFirewall.disable_panic_modec


Cr�
r#
)
rIrRrDrDrE�query_panic_mode�r�
zFirewall.query_panic_modec


Cr�
r#
)
rQrRrDrDrE�get_log_denied�r�
zFirewall.get_log_deniedcCs`|
tj
v
rttjd
|
d�tj
�
f��
|
|��kr*|
|_|j�	d|
�
|j�
�
dSttj|
��
)Nz'%s', choose from '%s'z','r�)r�LOG_DENIED_VALUESr&r%r�
�joinr�
rQr(r�write�ALREADY_SET)rBr�rDrDrE�set_log_denied�s




��


zFirewall.set_log_deniedc


Cr�
r#
)
rJrRrDrDrEr[
�r�
zFirewall.get_default_zonecCs�|�|
�
}||j
kr@|j
}||_
|j�d
|�
|j��
|jr!dS|j�||�
|j�|�
j	D]}||j
vr=|j�d|�
q/dStt
j|��
)Nr�rU)r�rJr(rr�
r)r<r�rsr�
rVr�
r&r%�ZONE_ALREADY_SET)rBr<r]
r�
r�
rDrDrE�set_default_zone�s











��zFirewall.set_default_zonecCsD|
��}|�
�D]\}}|st|t�r|||<q||vr||=q|Sr#
)r�r�r|
�bool)rB�	permanent�runtimer
�keyr�rDrDrE�'combine_runtime_with_permanent_settings�s



�z0Firewall.combine_runtime_with_permanent_settingscCs&
d
D]}||vrdd�||D�
||<qi}i}t|
�
��
t|�
��
BD]j}||vr�t||t�rXt||
vr:|
|n
g�
}tt||�
|�
||<t|t||�
A|@�
||<q$t||t�sft||t�r�|
|ss||rsd||<q$|
|r||sd||<q$ttjd�	t
||�
|���
q$||fS)N)�
rich_rules�	rules_strc
Ssg|]	}
tt
|
d�
�
�qS)
)
�rule_str)r
r$)rhr�
rDrDrE�
<listcomp>�rkz;Firewall.get_added_and_removed_settings.<locals>.<listcomp>TFz Unhandled setting type {} key {})rr�
r|
rO
r�
r}
r&r%�INVALID_SETTING�formatr
)rB�old_settings�new_settings�rich_key�add_settings�remove_settingsr�
�oldrDrDrE�get_added_and_removed_settings�s*

�











��z'Firewall.get_added_and_removed_settings)
F)FFr#
)8�__name__�
__module__�__qualname__rFrSrAr�rr
rrr�r�r�r�r
r�r$
r%
r1
r�r5
r;
r<
r=
r>
r@
r3
r�r�r�r�rN
rG
rW
rZ
r�rb
re
rg
rq
ru
ry
rz
r�
r�r�
r�
r�
r�
r�
r�
r[
r�
r�
r�
rDrDrDrEr
Esj

(	&
J






 
	r)H�__all__�os.pathr�r�r�r�rP
�typingrr�firewallrr�
firewall.corerrr	r
r�firewall.core.fw_icmptyper�firewall.core.fw_servicer
�firewall.core.fw_zoner�firewall.core.fw_directr�firewall.core.fw_configr�firewall.core.fw_policiesr�firewall.core.fw_ipsetr�firewall.core.fw_transactionr�firewall.core.fw_helperr�firewall.core.fw_policyr�firewall.core.fw_nmrr�firewall.core.loggerr�firewall.core.io.io_objectr�firewall.core.io.firewalld_confr�firewall.core.io.directr�firewall.core.io.servicer�firewall.core.io.icmptyper�firewall.core.io.zonerr�firewall.core.io.ipsetr �firewall.core.ipsetr!�firewall.core.io.helperr"�firewall.core.io.policyr#�firewall.core.richr$r%�firewall.errorsr&�objectr
rDrDrDrE�<module>
sP