HEX
Server: LiteSpeed
System: Linux php-prod-1.spaceapp.ru 5.15.0-157-generic #167-Ubuntu SMP Wed Sep 17 21:35:53 UTC 2025 x86_64
User: xnsbb3110 (1041)
PHP: 8.1.33
Disabled: NONE
$ pwd: /lib/python3/dist-packages/firewall/core/__pycache__/
Upload Files
File: //lib/python3/dist-packages/firewall/core/__pycache__/ipXtables.cpython-310.pyc
o

bhAbI��@s0ddlZddlZddlmZddlmZddlmZm	Z	m
Z
mZmZm
Z
mZmZddlmZddlmZmZmZmZmZddlmZmZmZmZmZmZmZm Z m!Z!ddl"m#Z#ddl$Z$d	Z%gd
�ddggd
�gd�gd
�d�Z&ddd�Z'ddd�Z(dd�Z)dd�Z*dd�Z+Gdd�de,�Z-Gdd�de-�Z.dS)�N)�runProg)�log)�tempFile�readfile�	splitArgs�	check_mac�portStr�check_single_address�
check_address�normalizeIP6)�config)�
FirewallError�INVALID_PASSTHROUGH�INVALID_RULE�
UNKNOWN_ERROR�INVALID_ADDR)	�Rich_Accept�Rich_Reject�	Rich_Drop�	Rich_Mark�
Rich_NFLog�Rich_Masquerade�Rich_ForwardPort�Rich_IcmpBlock�Rich_Tcp_Mss_Clamp)�DEFAULT_ZONE_TARGET�)�INPUT�OUTPUT�FORWARD�
PREROUTINGr)r �POSTROUTINGrrr)r r!r)�security�raw�mangle�nat�filterzicmp-host-prohibitedzicmp6-adm-prohibited��ipv4�ipv6�icmp�	ipv6-icmpc	Cs�ddddddd�}|dd�}|D]8}z|�|�}Wn	ty#Yqw|dvrCz
t||d�Wn	ty;Ynw|�|d�||||<q|S)	z Inverse valid rule �-D�--delete�-X�--delete-chain��-A�--append�-I�--insert�-Nz--new-chainN�r3r4�)�index�	Exception�int�pop)�args�replace_args�ret_args�arg�idx�rA�9/usr/lib/python3/dist-packages/firewall/core/ipXtables.py�common_reverse_rule:s.���rCc	Cs�ddddddd�}|dd�}|D];}z|�|�}Wn	ty#Yqw|dvrCz
t||d�Wn	ty;Ynw|�|d�||||<|Sttd	��)
z Reverse valid passthough rule r,r-r.r/r0Nr6r7�no '-A', '-I' or '-N' arg)r8�
ValueErrorr:r;r
r)r<r=r>�xr@rArArB�common_reverse_passthrough_s4����rGcCsht|�}tgd��}t||@�dkrttdt||@�d��tgd��}t||@�dkr2ttd��dS)zZ Check if passthough rule is valid (only add, insert and new chain
    rules are allowed) )z-Cz--checkr,r-z-Rz	--replace�-Lz--listz-Sz--list-rules�-Fz--flush�-Zz--zeror.r/�-Pz--policyz-Ez--rename-chainrzarg '%s' is not allowedr0rDN)�set�lenr
r�list)r<�not_allowed�neededrArArB�common_check_passthrough�s����rQc@s�eZdZdZdZdZdd�Zdd�Zdd�Zd	d
�Z	dd�Z
d
d�Zdd�Zdd�Z
dd�Zdd�Zdd�Zdd�Zdd�Zdd�Zdd �Zdjd"d#�Zd$d%�Zd&d'�Zd(d)�Zd*d+�Zdjd,d-�Zd.d/�Zdkd1d2�Zd3d4�Zd5d6�Z	7dld8d9�Zdld:d;�Z d<d=�Z!d>d?�Z"d@dA�Z#dBdC�Z$dDdE�Z%dFdG�Z&dHdI�Z'dJdK�Z(dLdM�Z)dNdO�Z*dPdQ�Z+dmdRdS�Z,dmdTdU�Z-dmdVdW�Z.	!dmdXdY�Z/dZd[�Z0dmd\d]�Z1djd^d_�Z2	!djd`da�Z3djdbdc�Z4ddde�Z5dfdg�Z6dhdi�Z7d!S)n�	ip4tablesr(TcCsd||_tj|j|_tjd|j|_|��|_|��|_	|�
�g|_i|_i|_
g|_i|_dS)Nz
%s-restore)�_fwr�COMMANDS�ipv�_command�_restore_command�_detect_wait_option�wait_option�_detect_restore_wait_option�restore_wait_option�fill_exists�available_tables�rich_rule_priority_counts�policy_priority_counts�zone_source_index_cache�
our_chains)�self�fwrArArB�__init__�s


zip4tables.__init__cCs$tj�|j�|_tj�|j�|_dS�N)�os�path�existsrV�command_existsrW�restore_command_exists�rbrArArBr\�szip4tables.fill_existscCs�|jr|j|vr|jgdd�|D�}ndd�|D�}t�d|j|jd�|��t|j|�\}}|dkrAtd|jd�|�|f��|S)NcS�g|]}d|�qS��%srA��.0�itemrArArB�
<listcomp>��z#ip4tables.__run.<locals>.<listcomp>cSrlrmrArorArArBrr�rs�	%s: %s %s� r�'%s %s' failed: %s)rYr�debug2�	__class__rV�joinrrE)rbr<�_args�status�retrArArB�__run�s
�zip4tables.__runcCs8z|�|�}Wn
tyYdSw||||d�<dS)NF�T)r8rE)rb�rule�pattern�replacement�irArArB�
_rule_replace�s�zip4tables._rule_replacecCs|tvo	|t|vSre)�BUILT_IN_CHAINS)rbrU�table�chainrArArB�is_chain_builtin�s
�zip4tables.is_chain_builtincCs2d|g}|r|�d�n|�d�|�|�|gS)N�-tr5r.��append)rb�addr�r�rrArArB�build_chain_rules�s

zip4tables.build_chain_rulescCs8d|g}|r|d|t|�g7}n|d|g7}||7}|S)Nr�r3r,)�str)rbr�r�r�r8r<rrArArB�
build_rule�szip4tables.build_rulecC�t|�Sre)rC�rbr<rArArB�reverse_rule��zip4tables.reverse_rulecCst|�dSre)rQr�rArArB�check_passthrough�szip4tables.check_passthroughcCr�re)rGr�rArArB�reverse_passthrough�r�zip4tables.reverse_passthroughc	Cs�d}z|�d�}Wn	tyYnwt|�|dkr!||d}d}dD]!}z|�|�}Wn	ty7Yq%wt|�|dkrF||d}q%||fS)Nr&r�r~r0)r8rErM)rbr<r�r�r��optrArArB�passthrough_parse_table_chain�s&���z'ip4tables.passthrough_parse_table_chaincCs(z$|�d�}|�|�|�|�}d|dkr||df}n||df}Wn#tyGz|�d�}|�|�d}WntyDYYdSwYnwd}|dd	vrRd
}|rc|sc||vra|�|�dSdS|r�|r~||vrx|�|�|jdd�d
�|�|�}nt|�}d|d<|�dd|d�dSdS)N�%%ZONE_SOURCE%%�-m����%%ZONE_INTERFACE%%Tr�r,r-FcSs|dS)NrrA)rFrArArB�<lambda>'sz4ip4tables._run_replace_zone_source.<locals>.<lambda>)�keyr3r7�%dr~)r8r;rE�remover��sortrM�insert)rbrr`r��zone�zone_source�rule_addr8rArArB�_run_replace_zone_source
sF


�

����
�z"ip4tables._run_replace_zone_sourcec	Cs�z|�|�}Wn
tyYdSwd}d}d}|�|�|�|�}t|�tkr-ttd��d}	dD]!}
z|�|
�}Wn	tyCYq1wt|�|dkrR||d}	q1dD]-}
z|�|
�}Wn	tygYqUwt|�|dkrv||d}|
d	vr|d}|
d
vr�d}qU|	|f}|s�||vs�|||vs�|||dkr�ttd��|||d8<dS||vr�i||<|||vr�d|||<d}
t	||�
��D]}||kr�|r�n|
|||7}
||kr�nq�|||d7<d
||<|�|dd|
�dS)a
        Change something like
          -t filter -I public_IN %%RICH_RULE_PRIORITY%% 123
        or
          -t filter -A public_IN %%RICH_RULE_PRIORITY%% 321
        into
          -t filter -I public_IN 4
        or
          -t filter -I public_IN
        TF���z%priority must be followed by a numberr&�r�z--tabler~)r1r2r3r4r,r-r6r�rz*nonexistent or underflow of priority countr3r7r�N)r8rEr;�typer:r
rrMr�sorted�keysr�)rbr�priority_counts�tokenr�r�r��insert_add_index�priorityr�r��jr�r8�prArArB�_set_rule_replace_priority0sr�


����
�z$ip4tables._set_rule_replace_priorityc
Cst�}i}t�|j�}t�|j�}t�|j�}|D]�}|dd�}	|�|	dddt|jg�|�|	dt	|jg�z|	�
d�}
Wn	tyIYnw|dkrOq|dvr`dd	d
|g|	|
|
d�<n|	�|
�|�
|	|d�|�
|	|d
�|�|	|�d}dD]%}z|	�
|�}
Wn	ty�Yq}wt|	�|
dkr�|	�|
�|	�|
�}q}tt|	��D]$}
tjD]}
|
|	|
vr�|	|
�d�r�|	|
�d�s�d|	|
|	|
<q�q�|�|g��|	�q|D]!}||}|�d|�|D]}	|�d�|	�d�q�|�d�q�|��t�|j�}t�d|j|j d|j|j!f�g}|j"�r"|�|j"�|�d�t#|j ||jd�\}}t�$�dk�rht%|j�}|du�rhd}
|D] }tj&d|
|fddd�|�d��sbtj&ddd�|
d7}
�qGt�'|j�|dk�r�td |j d�|�|f��||_||_||_dS)!N�
%%REJECT%%�REJECT�
--reject-with�%%ICMP%%�%%LOGTYPE%%�off��unicast�	broadcast�	multicastr��pkttype�
--pkt-typer~�%%RICH_RULE_PRIORITY%%�%%POLICY_PRIORITY%%r&r��"z"%s"z*%s
ru�
zCOMMIT
rtz%s: %d�-n��stdinr7z%8d: %sr)�nofmt�nlr)r�rv)(r�copy�deepcopyr^r_r`r��DEFAULT_REJECT_TYPErU�ICMPr8rEr;r�r�rM�range�string�
whitespace�
startswith�endswith�
setdefaultr��writery�closerf�stat�namerrwrxrW�st_sizer[r�getDebugLogLevelr�debug3�unlink)rb�rules�
log_denied�	temp_file�table_rulesr^r_r`�_rulerr�r�r��cr�r<r{r|�lines�linerArArB�	set_rules�s���
�

�
����

�



�
zip4tables.set_rulescCs�|�|dddt|jg�|�|dt|jg�z|�d�}Wn	ty(Ynw|dkr/dS|dvr@d	d
d|g|||d�<n|�|�t�|j	�}t�|j
�}t�|j�}|�||d
�|�||d�|�
||�|�|�}||_	||_
||_|S)Nr�r�r�r�r�r�rr�r�r�r�r~r�r�)r�r�rUr�r8rEr;r�r�r^r_r`r�r��_ip4tables__run)rbrr�r�r^r_r`�outputrArArB�set_rule�s2��

zip4tables.set_ruleNc	Cs�g}|r|gnt��}|D]6}||jvr|�|�q
z|�d|ddg�|j�|�|�|�Wq
tyCt�d|j|f�Yq
w|S)Nr�rHr�zA%s table '%s' does not exist (or not enough permission to check).)	r�r�r]r�r�rEr�debug1rU)rbr�r|�tablesrArArB�get_available_tabless
�zip4tables.get_available_tablesc	Cs�d}t|jgd��}t�d|j|jd|d|d�|ddkrLd}t|jgd��}t�d|j|jd|d|d�|ddkrBd}t�d	|j|j|�|S)
Nr)�-wrHr��7%s: %s: probe for wait option (%s): ret=%u, output="%s"r�rr~)�-w10rHr�r��%s: %s will be using %s option.)rrVrr�rxrw)rbrYr|rArArBrXs  zip4tables._detect_wait_optionc
Cs�t�}|�d�|��d}dD]2}t|j|g|jd�}t�d|j|j	||d|d�|ddkrBd|dvrBd	|dvrB|}nqt�
d
|j|j|�t�|j�|S)Nz#foor)r�z--wait=2r�r�rr~zinvalid optionzunrecognized optionr�)
rr�r�rrWr�rr�rxrVrwrfr�)rbr�rY�test_optionr|rArArBrZ"s
 �z%ip4tables._detect_restore_wait_optioncCsNi|_i|_g|_g}t��D]}|�|�sqdD]
}|�d||g�qq|S)N)rIr.rJr�)r^r_r`r�r�r�r�)rbr�r��flagrArArB�build_flush_rules6s
�zip4tables.build_flush_rulesc	Cs^g}|dkrdn|}t��D]}|�|�sq|dkrqt|D]}|�d|d||g�qq|S)N�PANIC�DROPr%r�rK)r�r�r�r�)rb�policyr��_policyr�r�rArArB�build_set_policy_rulesEs
�z ip4tables.build_set_policy_rulesc
Csg}d}z|�d|jdkrdnddg�}Wn&ty;}z|jdkr*t�d|�nt�d|�WYd	}~nd	}~ww|��}d
}|D]E}|rs|����}|��}|D]}	|	�	d�rg|	�
d�rg|	d
d�}
n|	}
|
|vrr|�|
�qT|jdkr}|�	d�s�|jdkr�|�	d�r�d}qD|S)zQReturn ICMP types that are supported by the iptables/ip6tables command and kernelr�-pr(r*r+z--helpziptables error: %szip6tables error: %sNF�(�)r~r�zValid ICMP Types:r)zValid ICMPv6 Types:T)r�rUrErr��
splitlines�strip�lower�splitr�r�r�)rbrUr|r��exr��in_typesr��splitsr�rFrArArB�supported_icmp_typesQs>
�
��
��zip4tables.supported_icmp_typescCsgSrerArkrArArB�build_default_tablesrszip4tables.build_default_tablesr�cCs�i}|�d�r6g|d<t�|jd<tdD] }|d�d|�|d�d||f�|jd�d|�q|�d�r�g|d<t�|jd<tdD]T}|d�d|�|d�d||f�|jd�d|�|dkr�dD]}|d�d||f�|jd�td	||fg��qod
D]}|d�d|||f�q�qI|�d��rg|d<t�|jd<tdD]U}|d�d|�|d�d||f�|jd�d|�|dk�rdD]}|d�d||f�|jd�td	||fg��q�d
D]}|d�d|||f�q�q�|�d
��r�g|d
<t�|jd
<td
D]�}|d
�d|�|d
�d||f�|jd
�d|�|dv�rodD])}|d
�d||f�|jd
�td	||fg��|d
�d|||f��qC�qdD]}|d
�d||f�|jd
�td	||fg���qqd
D]}|d
�d|||f��q��qg|d<t�|jd<|d�d�|d�d�|d�d�|d�d�|jd�td��dD]}|d�d|�|jd�td|���q�d
D]}|d�d|��q�|dk�r	|d�d�|d�d�|dk�r|d�d�|d�d�|d�d�|d�d�|d�d �|d�d!�|jd�td"��d#D]}|d�d$|�|jd�td%|���qKd
D]!}|d�d$|�|d�d&|�|jd�td%|���qfd'D]}|d�d$|�|jd�td%|���q�|dk�r�|d�d(�|d�d)�|dk�r�|d�d*�|d�d+�|dgd,�7<|jd�td-��d#D]!}|d�d.|�|d�d/|�|jd�td0|���q�d'D]!}|d�d.|�|d�d/|�|jd�td0|���qg}|D]}||��v�r4�q)||D]}|�d1|gt|���q8�q)|S)2Nr"z-N %s_directz-A %s -j %s_directz	%s_directr#r )�POLICIES_pre�ZONES�
POLICIES_postz-N %s_%s�%s_%s)rz-A %s -j %s_%sr$r%)r)rrr&zB-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPTz-A INPUT -i lo -j ACCEPTz-N INPUT_directz-A INPUT -j INPUT_direct�INPUT_directz-N INPUT_%szINPUT_%sz-A INPUT -j INPUT_%sr�z^-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 'z/-A INPUT -m conntrack --ctstate INVALID -j DROPz9-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 'z-A INPUT -j %%REJECT%%zD-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPTz-A FORWARD -i lo -j ACCEPTz-N FORWARD_directz-A FORWARD -j FORWARD_direct�FORWARD_direct)rz
-N FORWARD_%sz
FORWARD_%sz-A FORWARD -j FORWARD_%s)rz`-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 'z1-A FORWARD -m conntrack --ctstate INVALID -j DROPz;-A FORWARD %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 'z-A FORWARD -j %%REJECT%%)z-N OUTPUT_directz>-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPTz-A OUTPUT -o lo -j ACCEPTz-A OUTPUT -j OUTPUT_direct�
OUTPUT_directz-N OUTPUT_%sz-A OUTPUT -j OUTPUT_%sz	OUTPUT_%sr�)r�rLrar�r�r��updater)rbr��
default_rulesr��dispatch_suffix�final_default_rulesr�rrArArB�build_default_rulesvs�

 �
 �
�"�



�zip4tables.build_default_rulescCsd|dkrddhS|dkrd|��vrdhS|dkr#d|��vr#ddhS|dkr0d|��vr0dhSiS)	Nr&rrr$r r%r!r#)r�)rbr�rArArB�get_zone_table_chains�szip4tables.get_zone_table_chainsc	s�|jj�|���jdkrdnd��dkr�dkrdnd}	|jj�|�t|	��g}
g}|D]	}|
�d|g�q,|D]	}|�d	|g�q8|D]}
|jj�|
�}|d
vrW|�	|�sWqD|
�|�
d|
��qD|D]%}
|jj�|
�}|d
vrv|�	|�svqct|
�r�dvrqc|�|�
d
|
��qc������fdd�}g}|
r�|
D]}|r�|D]
}|�|||��q�q�|r�q�|�||d��q�|S|r�	|S|r�|D]
}|�|d|��q�|S|r�	|S|�|dd��|S)Nr�pre�postr%r!TF�-i�-or'�-s�r!rr�-dcsVddd��}d�|d��fd�jg}|r|�|�|r"|�|�|�d�g�|S)Nr1r,�TFr�z%s_POLICIES_%sr��-j)r��extend)�ingress_fragment�egress_fragment�add_delr�r�r��chain_suffix�enable�p_objr�rArB�_generate_policy_dispatch_rule#s�

zSip4tables.build_policy_ingress_egress_rules.<locals>._generate_policy_dispatch_rule)rSr��
get_policyr��policy_base_chain_name�POLICY_CHAIN_PREFIXr�r��check_source�is_ipv_supported�_rule_addr_fragmentr)rbrr�r�r��ingress_interfaces�egress_interfaces�ingress_sources�egress_sources�isSNAT�ingress_fragments�egress_fragments�	interface�addrrUr r�rrrArrB�!build_policy_ingress_egress_ruless\���
��z+ip4tables.build_policy_ingress_egress_rulesFc
Cs�|dkr
|dkr
dnd}|jjj||t|d�}	dddddd�|}
d	}|r/|s/d
d|dg}n|r8d
d|g}n
dd|g}|sE|dg7}|d||
|||	g7}|gS)Nr%r!TF�r+rr�r r!rrr�-gr3�%s_ZONESr�r1r,r�)rSr�r"r#)
rbrr�r�r.r�r�r�r+r�r��actionrrArArB�!build_zone_source_interface_rulesSs(��
z+ip4tables.build_zone_source_interface_rulescCs�|�d�r(|dd�}|dkrd}nd}d�|g|jj�|��}ddd	||gSt|�r=|dkr5ttd
��ddd|��gSt	d
|�rJt
|�}||gStd
|�r`|�d�}t
|d�d|d}||gS)Nzipset:�r�dst�src�,r�rL�--match-setzCan't match a destination MAC.�mac�--mac-sourcer)�/rr~)
r�ryrS�ipset�
get_dimensionrr
r�upperr	rr
r�)rbr��address�invertr��flags�
addr_splitrArArBr&ls$



�
zip4tables._rule_addr_fragmentcCs�ddd�|}|dkr|dkrdnd}|jjj||t|d�}	d	d
d	d	d
d�|}
t|�r2|dvr2gS|d
|d|d|g}|�|�|
|��|�d|	g�|gS)Nr3r,rr%r!TFr1rrr2rr4r�r�r3)rSr�r"r#rrr&)rbrr�r�rBr�r�rr+r�r�rrArArB�build_zone_source_address_rules�s"��	z)ip4tables.build_zone_source_address_rulesc
Cs�ddd�|}ddd�|}|dkr|dkrdnd	}|jjj||t|d
�}|jj�|�}	|j|�t|d|d|d
|d|d|g��g}
|
�||d|g�|
�|d
|d|g�|
�|d|d|g�|
�|d|d|g�|
�|d|d|g�|
�|d|d|g�|	j	r�|
�||d|dd|dfg�|
�||d|dd
|g�|
�||d|dd|g�|
�||d|dd|g�|
�||d|dd|g�|
�||d|dd|g�|	j	r�|
�||d|dd|dfg�|jjj
|j}|j��dk�r/|dk�r/|t
ddfv�r|
�||d|ddddd|g	�|dk�r/|
�||d|ddddd|g	�|dk�rT|t
ddddfv�rT|t
fv�rGd}n|}|
�||d|d|g�|�s[|
��|
S) Nr5r.rr1r,r%r!TFr1z%s_log�%s_denyz%s_prez%s_post�%s_allowr�rrrrr�r&r�r�r��LOG�--log-prefixz
"%s_REJECT: "r�z"%s_DROP: "�ACCEPT)rSr�r"r#r!rar	rLr��derived_from_zone�	_policies�target�get_log_deniedr�reverse)
rbrr�r�r��
add_del_chain�add_del_ruler+r�rr�rN�_targetrArArB�build_policy_chain_rules�sd�
�
�
z"ip4tables.build_policy_chain_rulescCs|r	ddd|jgSgS)Nr��limitz--limit)�value)rbrUrArArB�_rule_limit�szip4tables._rule_limitcCs�t|j�ttttfvrn|jr%t|j�ttt	t
fvr$ttdt|j���nttd��|j
dkrYt|j�tttfvsBt|j�tt
fvrDdSt|j�tfvsUt|j�tt	fvrWdSdS|j
dkr`dSdS)N�Unknown action %szNo rule action specified.r�allow�denyrr)r��elementrrrrr5rrrrr
rr��rb�	rich_rulerArArB�_rich_rule_chain_suffix�s$�

�
z!ip4tables._rich_rule_chain_suffixcCs6|js|jsttd��|jdkrdS|jdkrdSdS)NzNot log or auditrrrr)r�auditr
rr�r\rArArB� _rich_rule_chain_suffix_from_log�s


z*ip4tables._rich_rule_chain_suffix_from_logcCs|jdkrgSd|jgS)Nrr�)r�r\rArArB�_rich_rule_priority_fragment�s

z&ip4tables._rich_rule_priority_fragmentc
Cs |jsgS|jj�||t�}ddd�|}|�|�}d||d||fg}	|	|�|�7}	t|j�tkra|	|ddg7}	|jj	rF|	d|jj	g7}	|jj
rT|	d	d
|jj
g7}	|jjr`|	d|jjg7}	n$|	|ddg7}	|jj
rw|	d
d|jj
g7}	|jjr�|	dd
|jjg7}	|	|�
|jj�7}	|	S)Nr1r,rr�rr�NFLOGz
--nflog-groupz--nflog-prefixrnz--nflog-thresholdrIrJz'%s'z--log-level)rrSr�r"r#r`rar�r�group�prefix�	threshold�levelrWrU)
rbr�r]rr��
rule_fragmentr�rrrrArArB�_rich_rule_log�s.
�zip4tables._rich_rule_logcCs�|jsgSddd�|}|jj�||t�}|�|�}d||d||fg}	|	|�|�7}	|	|7}	t|j�t	kr9d}
nt|j�t
krCd}
nt|j�tkrMd}
nd	}
|	d
dd|
g7}	|	|�|jj
�7}	|	S)
Nr1r,rr�r�accept�reject�drop�unknownr�AUDITz--type)r_rSr�r"r#r`rar�r5rrrrWrU)rbr�r]rr�rgrr�rr�_typerArArB�_rich_rule_audits$
zip4tables._rich_rule_auditcCs2|jsgSddd�|}|jj�||t�}|�|�}d||f}	t|j�tkr,ddg}
nOt|j�tkrDddg}
|jjrC|
d|jjg7}
n7t|j�t	krPdd	g}
n+t|j�t
krqd
}|jj�||t�}d||f}	ddd|jjg}
n
tt
d
t|j���d|||	g}||�|�7}|||
7}||�|jj�7}|S)Nr1r,rrrrKr�r�r�r$�MARKz--set-xmarkrXr�)r5rSr�r"r#r^r�rrrrrLr
rrarWrU)rbr�r]rr�rgrr�rr��rule_actionrrArArB�_rich_rule_action4s8

�
�zip4tables._rich_rule_actioncCs�|sgSg}|jrI|jr|�d�td|j�r"|dt|j�g7}|Std|j�r@|j�d�}|dt|d�d|dg7}|S|d|jg7}|S|jrk|ddg7}|jrZ|�d�|jj	�
|jd	�}|d
|j|g7}|S)N�!r)rr>rr~r�rLr8r;)r/rCr�r	rr
r�r?rSr��_ipset_match_flags)rb�	rich_destrgrErDrArArB�_rich_rule_destination_fragmentVs,

� 
��
z)ip4tables._rich_rule_destination_fragmentcCs"|sgSg}|jrI|jr|�d�td|j�r"|dt|j�g7}|Std|j�r@|j�d�}|dt|d�d|dg7}|S|d|jg7}|St|d�rh|jrh|ddg7}|jr_|�d�|d	|jg7}|St|d
�r�|j	r�|ddg7}|jr~|�d�|j
j�|j	d�}|d
|j	|g7}|S)Nrsr)rr>rr~r<r�r=r?rLr9r;)
r/rCr�r	rr
r��hasattrr<r?rSr�rt)rb�rich_sourcergrErDrArArB�_rich_rule_source_fragmentns8
� �
�
�
z$ip4tables._rich_rule_source_fragmentc	C�ddd�|}d}|jj�||t�}	d|g}
|r"|
ddt|�g7}
|r*|
d|g7}
|r<|
|�|j�7}
|
|�|j�7}
|rEt	|j
�tkrK|
gd	�7}
g}|ru|�|�
|||||
��|�|�|||||
��|�|�|||||
��|S|�|d
|	d|g|
dd
g�|S)Nr1r,rr&r��--dportrnr�r��	conntrackz	--ctstatez
NEW,UNTRACKEDrHr�rrK�rSr�r"r#rrv�destinationry�sourcer�r5rr�rhrorr�rbrr��proto�portrr]rr�r�rgr�rArArB�build_policy_ports_rules�s2���z"ip4tables.build_policy_ports_rulesc	Cs�ddd�|}d}|jj�||t�}d|g}	|r|	d|g7}	|r0|	|�|j�7}	|	|�|j�7}	|r9t|j	�t
kr?|	gd�7}	g}
|ri|
�|�|||||	��|
�|�
|||||	��|
�|�|||||	��|
S|
�|d|d	|g|	d
dg�|
S)Nr1r,rr&r�rr|rHr�rrK)rSr�r"r#rvrryr�r�r5rr�rhrorr)rbrr��protocolrr]rr�r�rgr�rArArB�build_policy_protocol_rules�s.���z%ip4tables.build_policy_protocol_rulescCsd}|jj�||t�}ddd�|}g}	|r2|�|�}
|	|�|�7}	|	|�|j�7}	|	|�|j	�7}	g}ddg}	|dks@|durG|	gd�7}	n|	d	d
ddd
d|g7}	|rp|�|�}
|	|�|�7}	|	|�|j�7}	|	|�|j	�7}	|�
dd|d||
fg|	�|S)Nr&r1r,rr��tcp�pmtu)�--tcp-flags�SYN,RST�SYNr�TCPMSSz--clamp-mss-to-pmtur�r�r�rr�z	--set-mssr�r�rSr�r"r#r^rarvrryr�r�)rbrr��tcp_mss_clamp_valuerr]r�r�rrgrr�rArArB� build_policy_tcp_mss_clamp_rules�s.

�z*ip4tables.build_policy_tcp_mss_clamp_rulesc	Crz)Nr1r,rr&r�z--sportrnrr|rHr�rrKr~r�rArArB�build_policy_source_ports_rules�s2���z)ip4tables.build_policy_source_ports_rulescCsvd}|jj�||t�}	ddd�|}
|
d|	ddd|g}|r(|dd	t|�g7}|r0|d
|g7}|ddd
|g7}|gS)Nr#r1r,rrHr�r�r{rnrr�CTz--helper)rSr�r"r#r)rbrr�r�r�r�helper_name�module_short_namer�r�rrrArArB�build_policy_helper_ports_rules�sz)ip4tables.build_policy_helper_ports_rulesc

Cs�ddd�|}|jj�||t�}g}	|r%|	�dd|d|d|dd	g�|	St|�r+gS|	�dd|d|g|�d
|�dd	g�|	S)Nr1r,rr�r&rHrrrKr)rSr�r"r#r�rr&)
rbrr�r�r�r.r�rr�r�rArArB�build_zone_forward_ruless �
�
��z"ip4tables.build_zone_forward_rulesc
Cs�d}|jjj||tdd�}ddd�|}g}|r5|�|�}||�|�7}||�|j�7}||�|j	�7}nd}g}	|	�
dd|d	||fg|gd
��|	S)Nr%Tr1r1r,rrYr�r)rsr�lor�
MASQUERADEr�)
rbrr�r]r�r�rrgrr�rArArB�build_policy_masquerade_ruless"
��z'ip4tables.build_policy_masquerade_rulescCs
d}|jj�||t�}	ddd�|}
d}|r(td|�r$|dt|�7}n||7}|r7|dkr7|dt|d	�7}g}|rV|�|�}
|�|�}||�	|j
�7}||�|j�7}nd
}
g}|rh|�
|�|||d|��|�
dd|
d|	|
fg|d
|dt|�ddd|g�|S)Nr%r1r,rrr)z[%s]z:%s�-rYr�rr�r{r�DNATz--to-destination)rSr�r"r#r	rrr^rarvrryr�r�rh)rbrr�r�r��toport�toaddrr]r�r�r�torgrr�rArArB�build_policy_forward_port_rules.s8


���z)ip4tables.build_policy_forward_port_rulesc	Cs�d}|jj�||t�}ddd�|}|jdkr#ddg}ddd	|jg}	ndd
g}ddd|jg}	g}
|jj�|�r>d
|}d}nd|}d}g}
|rX|
|�|j�7}
|
|�	|j
�7}
|
||	7}
|r�|
�|�|||||
��|
�|�
|||||
��|jr�|
�|�|||||
��|
S|�|�}|
�d||d||fg|�|�|
ddg�|
S|j��dkr�|dkr�|
�||d|g|
ddddd|g�|
�||d|g|
d|g�|
S)Nr&r1r,rr(r�r*r�z--icmp-typer+�icmp6z
--icmpv6-typerHrKrGr�r�rrr�r�rIrJ�"%s_ICMP_BLOCK: ")rSr�r"r#rUr��query_icmp_block_inversionrvrryr�r�rhror5rrr^rarO)rbrr��ictr]r�r�rr��matchr��final_chain�final_targetrgrrArArB�build_policy_icmp_block_rulesPs`

����������z'ip4tables.build_policy_icmp_block_rulesc	Cs�d}|jj�||t�}g}d}|jj�|�rFd}|j��dkrE|r)d|t|�g}nd|g}|d|dd	d
ddd
d|g	}|�|�|d7}nd}|rRd|t|�g}nd|g}|d|dd	d|g}|�|�|S)Nr&�r�r�r3r,r�r�r�r�rrIrJr�r~rK)rSr�r"r#r�rOr�r�)	rbrr�r�r�r��rule_idx�
ibi_targetrrArArB�'build_policy_icmp_block_inversion_rules�s2
�
�
z1ip4tables.build_policy_icmp_block_inversion_rulesc	Csxd}g}||�|j�7}||�|j�7}g}|�|�|||||��|�|�|||||��|�|�|||||��|S)Nr&)rvrryr�r�rhrorr)rbrr�r]r�rgr�rArArB�*build_policy_rich_source_destination_rules�sz4ip4tables.build_policy_rich_source_destination_rulescCs
||jkSre)rU)rbrUrArArBr%�s
zip4tables.is_ipv_supportedre)r��F)NN)8�__name__�
__module__�__qualname__rUr��policies_supportedrdr\r�r�r�r�r�r�r�r�r�r�r�r�r�r�rXrZr�r�rrr
rr0r6r&rFrTrWr^r`rarhrorrrvryr�r�r�r�r�r�r�r�r�r�r�r%rArArArBrR�st

			&Pa
#
!
N
�
9"



�


�
"1"rRc@s&eZdZdZdZddd�Zdd�ZdS)	�	ip6tablesr)FcCsHg}|�gd��|dkr|�gd��|�gd��|�gd��|S)N)
r3r r�r$r��rpfilter�--invert�--validmarkrr�r�)r3r r�r$r�r�r�r�rrIrJzrpfilter_DROP: )	r3r r�r$r�r+z$--icmpv6-type=neighbour-solicitationrrK)	r3r r�r$r�r+z"--icmpv6-type=router-advertisementrrKr�)rbr�r�rArArB�build_rpfilter_rules�szip6tables.build_rpfilter_rulesc
Cs�gd�}d}|jd�|�g}|�ddd|g�|D]&}|�ddd|d|dd	d
dg
�|jjdvrA|�ddd|d|dd
ddg
�q|�dddddd|g�|�dddddd|g�|S)N)	z::0.0.0.0/96z::ffff:0.0.0.0/96z2002:0000::/24z2002:0a00::/24z2002:7f00::/24z2002:ac10::/28z2002:c0a8::/32z2002:a9fe::/32z2002:e000::/19�RFC3964_IPv4r&r�r5r3rrr�r�zaddr-unreach)r��allrIrJz"RFC3964_IPv4_REJECT: "r�4r)rar�r�rS�_log_denied)rb�
daddr_list�
chain_namer��daddrrArArB�build_rfc3964_ipv4_rules�s.
�����z"ip6tables.build_rfc3964_ipv4_rulesNr�)r�r�r�rUr�r�r�rArArArBr��s

r�)/�os.pathrfr��firewall.core.progr�firewall.core.loggerr�firewall.functionsrrrrrr	r
r�firewallr�firewall.errorsr
rrrr�firewall.core.richrrrrrrrrr�firewall.core.baserr�r#r�r�r�rCrGrQ�objectrRr�rArArArB�<module>sL(,�	��%* 
@ Telegram