o

bhAbJ�@s�gd�
Zd
dl
mZ
d
dlZd
dlZd
dlZd
dlmZ
d
dlm	Z	m
Z
mZmZm
Z
mZ
d
dlmZmZ
d
dlmZmZmZ
d
dlmZmZmZmZ
d
dlmZ
d
d	lmZ
d
d
lmZ
d
dl m!Z!
Gdd
�d
e�Z"Gdd�de�Z#ddd�
Z$ddd�
Z%dS))�Zone�zone_reader�zone_writer�N)
�config)�checkIPnMask�
checkIP6nMask�checkInterface�uniqify�max_zone_name_len�	check_mac)�DEFAULT_ZONE_TARGET�ZONE_TARGETS)�	IO_Object�IO_Object_ContentHandler�IO_Object_XMLGenerator)�common_startElement�common_endElement�common_check_config�
common_writer)
�rich)
�log)
�errors)
�
FirewallErrorcs�
eZ
dZd
Zdddddddg
fd	d
g
fddg
fdd
dg
fddg
fddg
fddg
fddg
fdd
g
fddfZgd�
Zidd�
dd�
dd�
ddg
�
dddg�
ddg
�
d dg
�
d!d�
d"ddg�
d#dg
�
d$d�
d%d�
d&d�
dd'g
�
d(ddg�
d)d�
d*d�
ddddd+g
d'g
dd,��
Zgd-�
d.g
d/d0gd1d2ggd3�
gd4�
d5d6ggd7�
d8g
d'g
d9�
Zed:d;��
Z	�f
d<d=�Z
d>d?�Z�f
d@dA�Z�f
dBdC�Z
dDdE�Z�f
dFdG�ZdHdI�Z�ZS)Jr
z Zone class )�version�)�shortr)�descriptionr)�UNUSEDF)�targetr�servicesr�ports)rr�icmp_blocks)�
masqueradeF�
forward_ports)rrrr�
interfaces�sources�	rules_str�	protocols�source_ports)�icmp_block_inversionF)�forwardT)�
_�
-�
/rNr�zone�service�name�port�protocolz
icmp-blockz	icmp-typer*�forward-port�	interface�rule�source�destination�valuezsource-portr�nflog�set)�audit�accept�reject�drop�mark�limit�icmp-block-inversion)r0�	immutablerr�enabledzto-portzto-addr�family�priority)�address�mac�invertrD�ipset)rFrHrI�prefix�level)�grouprJz
queue-size�type)
r.r"r3r5r6r7rr9r=z
tcp-mss-clampc
Cs4tt
j�
D]\}
\}}||kr|

Sqttjd
��
)Nz
index_of())�	enumerater
�IMPORT_EXPORT_STRUCTURErr�
UNKNOWN_ERROR)�element�
i�el�dummy�rU�7/usr/lib/python3/dist-packages/firewall/core/io/zone.py�index_offs


�z
Zone.index_ofc

s�tt
|���
d
|_d
|_d
|_d|_t|_g|_	g|_
g|_g|_d|_
d|_g|_g|_g|_g|_g|_g|_d|_d|_d|_dS�NrFT)�superr
�__init__rrrrrrrr r'r!r*r"r#r(r$r%�rulesr&r)�combined�applied�
�self�
�	__class__rUrVrZms*





















z
Zone.__init__c

Cs�d
|_d
|_
d
|_d|_t|_|jdd�=|jdd�=|jdd�=|j	dd�=d|_
d|_|jdd�=|j
dd�=|jdd�=|jdd�=|jdd�=|jdd�=d|_d|_d|_dSrX)rrrrrrrr r'r!r*r"r#r(r$r%r[r&r)r\r]r^rUrUrV�cleanup�s(




















zZone.cleanupcsP|
d
krdd�|D�
|_t
t|��|
dd�|jD�
�
dSt
t|��|
|�
dS)Nr&c
Ssg|]}
tj
|
d�
�qS)
)
�rule_str)r�	Rich_Rule��.0�
srUrUrV�
<listcomp>�sz$Zone.__setattr__.<locals>.<listcomp>c
Ssg|]}
t|
�
�qSrU)
�strrerUrUrVrh�s)r[rYr
�__setattr__)r_r0r8r`rUrVrj�s

"zZone.__setattr__c
stt
|���}
|
d
=|
S)Nr)rYr
�export_config_dict)r_�confr`rUrVrk�s


zZone.export_config_dictc	Csj
t||
|||�
|j
|d
vrttjd�|j
�
��
|dkr.|
tv
r,ttjd�|j
|
���
dS|dkrj|
D]3}t|�
sEttj	d�|j
|���
|dD]}||j
krQqI||d|j
vrfttj	d�|j
||���
qIq4dS|d	kr�|
D]B}t|�
s�t|�
s�t
|�
s�|�d
�
s�ttjd�|j
|���
|dD]}||j
kr�q�||d|jvr�ttjd�|j
||���
q�qpdSdS)
N�policiesz0Zone '{}': Can't have the same name as a policy.rzZone '{}': invalid target '{}'r$z!Zone '{}': invalid interface '{}'�zonesz4Zone '{}': interface '{}' already bound to zone '{}'r%�ipset:zZone '{}': invalid source '{}'z1Zone '{}': source '{}' already bound to zone '{}')rr0rr�
NAME_CONFLICT�formatr
�INVALID_TARGETr�INVALID_INTERFACEr$rrr�
startswith�INVALID_ADDRr%)r_r�item�
all_config�all_io_objectsr4r.r6rUrUrV�
_check_config�sd





��




�






�����


�
�

�






�����
zZone._check_configcs�tt
|��|
�

|
�d
�
rttjd�|
�
��
|
�d
�
r$ttjd�|
�
��
|
�	d
�
dkr4ttjd�|
�
��
d
|
vrB|
d|
�
d
�
�}n|
}t|�
t�krYttjd�|
t|�
t����
dS)Nr-z$Zone '{}': name can't start with '/'z"Zone '{}': name can't end with '/'�
z%Zone '{}': name has more than one '/'z'Zone '{}': name has {} chars, max is {})
rYr
�
check_namertrr�INVALID_NAMErq�endswith�count�find�lenr
)r_r0�checked_namer`rUrVr{�s0




�


�

�





���zZone.check_namec
Cs�
d
|_d|_
d|_d|_d|_|
jD]
}||jv
r|j�|�

q|
jD]
}||jv
r0|j�|�

q#|
jD]
}||jv
rA|j�|�

q4|
j	D]
}||j	v
rR|j	�|�

qE|
j
D]
}||j
v
rc|j
�|�

qV|
jD]
}||jv
rt|j�|�

qg|
jr{d
|_|
j
r�d
|_
|
jD]
}||jv
r�|j�|�

q�|
jD]
}||jv
r�|j�|�

q�|
jD]}	|j�|	�

|j�t|	�
�

q�|
jr�d
|_dSdS)NTr)r\�filenamerrrr$�appendr%rr r'r!r*r"r#r(r[r&rir))
r_r.r4r6r/r1�proto�icmpr*r5rUrUrV�combine�s^








�




�




�




�




�




�








�




�






�zZone.combine)�__name__�
__module__�__qualname__�__doc__rO�ADDITIONAL_ALNUM_CHARS�PARSER_REQUIRED_ELEMENT_ATTRS�PARSER_OPTIONAL_ELEMENT_ATTRS�staticmethodrWrZrbrjrkryr{r��
__classcell__rUrUr`rVr
(s�
















�

��������	�
���
�����





�








�

%r
c@s$eZ
dZd
d�Zdd�Zdd�ZdS)�zone_ContentHandlercCs"t�
||
�
d|_d
|_d|_dS)NF)rrZ�_rule�_rule_error�	_limit_ok)r_rvrUrUrVrZ
s




zzone_ContentHandler.__init__c	Cs�t�
||
|�
|jrdS|j�|
|�
t||
|�rdS|
d
krgd|vr+t�d|d�
d|vr5|d|j_d|vrAt�d|d�
d|vra|d}|t	v
rSt
tj|��
|dkrc|t
kre||j_dSdSdSdS|
d	kr||jjrvt�d
�

dSd|j_dS|
dkr�|jr�t�d
�

d|_dSd|v
r�t�d�

d|_dS|d|jjv
r�|jj�|d�

dSt�d|d�
dS|
dk�
r�|j�
r|jjr�t�dt|j�
�
d|_dSd}d|vr�|d��dvr�d}d}}}d|vr�|d}d|vr�|d}d|v�
r|d}tj||||d�|j_dSd|v
�
r d|v
�
r t�d�

dSd|v�
r1d|v�
r1t�d�

dSd|v�
r>t�d|d�
d|v�
rJt�d�

dSd|v�
rlt|d�
�
slt|d�
�
slt|d�
�
slt
tj|d��
d|v�
r�d|d}||jjv
�
r�|jj�|�

nt�d|d�
d|v�
r�|d}||jjv
�
r�|jj�|�

dSt�d|d�
dSdS|
d k�
r�|jj�
r�t�d!�

dSd|j_dSt�d"|
�
dS)#Nr.r0z'Ignoring deprecated attribute name='%s'rrBz,Ignoring deprecated attribute immutable='%s'rrr*zForward already set, ignoring.Tr4z$Invalid rule: interface use in rule.z Invalid interface: Name missing.z%Interface '%s' already set, ignoring.r6z:Invalid rule: More than one source in rule '%s', ignoring.FrH)�yes�truerFrGrI)
rHz$Invalid source: No address no ipset.z"Invalid source: Address and ipset.rDz)Ignoring deprecated attribute family='%s'z+Invalid source: Invertion not allowed here.zipset:%sz"Source '%s' already set, ignoring.rAz+Icmp-Block-Inversion already set, ignoring.zUnknown XML element '%s')r�startElementr�rv�parser_check_element_attrsrr�warningrr
rrrrrrr*r�r$r�r6ri�lowerr�Rich_Sourcerrrrur%r))	r_r0�attrsrrH�addrrGrI�entryrUrUrVr�
s�






�



�




�













�




�
















�










�








�
�





�




��




z zone_ContentHandler.startElementcCst�
||
�
t||
�
dS�
N)r�
endElementr)r_r0rUrUrVr��
s
zzone_ContentHandler.endElementN)r�r�r�rZr�r�rUrUrUrVr�

s
pr�Fc
Cs
t�}|�
d
�
sttjd|��
|dd�|_|s|�|j�

||_|
|_|
�	t
j�
r-dn
d|_|j|_
d|_t|�
}t��}|�|�

d|
|f}t|d��4}t�d�
}|�|�

z|�|�

Wntjyx
}	
z
ttjd|	����
d}	~	w
wWd�
~~|S1s�w



Y
~~|S)	Nz.xmlz'%s' is missing .xml suffix���FT�%s/%s�rbznot a valid zone file: %s)r
r}rrr|r0r{r��pathrtr�
ETC_FIREWALLD�builtin�defaultr*r��sax�make_parser�setContentHandler�open�InputSource�
setByteStream�parse�SAXParseException�INVALID_ZONE�getException)
r�r��
no_check_namer.�handler�parserr0�
fr6�msgrUrUrVr�
sN




�





















�����
�	

�	

rc
CsF|
r|
n|j}|j
rd
||j
f}nd||jf}tj�|�
rCz
t�|d|�
WntyB
}
z
t�	d||�
WYd}~nd}~w
wtj�
|�
}|�tj
�
ritj�|�
sitj�tj
�
sct�tj
d�
t�|d�
tj|ddd�}t|�
}|��
i}|jr�|jd	kr�|j|d
<|jtkr�|j|d<|�d|�
|�d
�

t||�
t|j�
D]}	|�d�

|�dd|	i
�
|�d
�

q�t|j�
D]%}
|�d�

d|
vr�|�dd|
dd�i
�
n|�dd|
i
�
|�d
�

q�|jr�|�d�

|�di�
|�d
�

|j�
r|�d�

|�di�
|�d
�

|�d�

|�d
�

|� �
|�!�
~dS)Nr�z	%s/%s.xmlz%s.oldzBackup of file '%s' failed: %si�
�wtzUTF-8)�mode�encodingrrrr.�

z  r4r0ror6rI�rFrAr*)"r�r�r0�os�exists�shutil�copy2�	Exceptionr�error�dirnamertrr��mkdir�ior�r�
startDocumentrrrr��ignorableWhitespacerr	r$�
simpleElementr%r)r*r��endDocument�close)r.r��_pathr0r��dirpathr�r�r�r4r6rUrUrVr�
sd





��









































r)
Fr�)&�__all__�xml.saxr�r�r�r��firewallr�firewall.functionsrrrr	r
r�firewall.core.baserr
�firewall.core.io.io_objectrrr�firewall.core.io.policyrrrr�
firewall.corer�firewall.core.loggerrr�firewall.errorsrr
r�rrrUrUrUrV�<module>
s&


 






f
|!