HEX
Server: LiteSpeed
System: Linux php-prod-1.spaceapp.ru 5.15.0-157-generic #167-Ubuntu SMP Wed Sep 17 21:35:53 UTC 2025 x86_64
User: xnsbb3110 (1041)
PHP: 8.1.33
Disabled: NONE
$ pwd: /proc/self/root/lib/python3/dist-packages/firewall/core/__pycache__/
Upload Files
File: //proc/self/root/lib/python3/dist-packages/firewall/core/__pycache__/nftables.cpython-310.pyc
o

bhAb�t�@s0ddlZddlZddlZddlmZddlmZmZmZm	Z	m
Z
ddlmZm
Z
mZmZmZmZmZddlmZmZmZmZmZmZmZmZmZddlmZddlm Z dZ!e!d	d
Z"dZ#dZ$id
dde$fidde$fdde$fdde$fd�dde$fdde$fdde$fdde$fd�d�Z%d^dd�Z&ide&ddd��de&dd��de&dd��d e&dd ��d!e&ddd"��d#e&ddd$��d%e&ddd��d&e&dd'd(��d)e&ddd*��d+e&ddd(��d,e&dd-d(��d.e&ddd/��d0e&dd'd��d1e&ddd2��d3e&ddd��d-e&dd-��d4e&ddd5��id6e&ddd7��d8e&ddd9��d'e&dd'��d:e&dd-d(��d;e&dd;��d<e&dd<��d=e&dd=��d>e&ddd?��d@e&dd@��dAe&ddA��dBe&ddB��dCe&dd'd5��dDe&dddE��dFe&dd'd9��dGe&dddH��dIe&dd@d(��dJe&dd@d���idKe&dLdd5��dMe&dLd-d��dNe&dLdd9��de&dLdd(��de&dLd��de&dLd��d e&dLd ��dOe&dLdd?��dPe&dLdQ��dRe&dLdS��dTe&dLdd��dUe&dLdU��d-e&dLd-��d4e&dLdd"��d'e&dLdV��dWe&dLdd2��d;e&dLdX��e&dLdY�e&dLd@�e&dLd@d(�e&dLd@d�e&dLd-d(�e&dLd-d9�dZ��d[�Z'Gd\d]�d]e(�Z)dS)_�N)�log)�	check_mac�getPortRange�normalizeIP6�check_single_address�
check_address)�
FirewallError�
UNKNOWN_ERROR�INVALID_RULE�INVALID_ICMPTYPE�INVALID_TYPE�
INVALID_ENTRY�INVALID_PORT)	�Rich_Accept�Rich_Reject�	Rich_Drop�	Rich_Mark�Rich_Masquerade�Rich_ForwardPort�Rich_IcmpBlock�Rich_Tcp_Mss_Clamp�
Rich_NFLog)�DEFAULT_ZONE_TARGET)�Nftables�	firewalld�_�policy_drop�policy_�
�
PREROUTING�
preroutingij���i�����postrouting�d�output)r�POSTROUTING�OUTPUT�input�forward)r�INPUT�FORWARDr%)�raw�mangle�nat�filtercCsHdd|dd�id|d�ig}|dur"|�dd|dd�id|d�i�|S)N�match�payload�type��protocol�field�==��left�op�right�code)�append)r2r0r9�	fragments�r<�8/usr/lib/python3/dist-packages/firewall/core/nftables.py�_icmp_types_fragmentsSs
�
�r>zcommunication-prohibited�icmpzdestination-unreachable�
z
echo-replyzecho-requestzfragmentation-needed�zhost-precedence-violation��host-prohibitedz
host-redirect�redirect�zhost-unknown��host-unreachablez
ip-header-badzparameter-problemznetwork-prohibited�znetwork-redirectznetwork-unknown�znetwork-unreachable�port-unreachable�zprecedence-cutoff�zprotocol-unreachable�zrequired-option-missingzrouter-advertisement�router-solicitationz
source-quenchzsource-route-failed��
time-exceededztimestamp-replyztimestamp-requestztos-host-redirectztos-host-unreachable�ztos-network-redirectztos-network-unreachable��ttl-zero-during-reassembly�ttl-zero-during-transitzaddress-unreachable�icmpv6z
bad-headerzbeyond-scopez
failed-policyzneighbour-advertisementznd-neighbor-advertzneighbour-solicitation�nd-neighbor-solicit�no-routezpacket-too-bigznd-redirectzreject-route�nd-router-advertznd-router-solicit)rNrPrSrTzunknown-header-typezunknown-option��ipv4�ipv6c@sReZdZdZdZdd�Zdd�Zdd�Zdd	�Zd
d�Z	dd
�Z
dd�Zd�dd�Zdd�Z
dd�Zdd�Zd�dd�Zdd�Zd�dd�Zd d!�Zd"d#�Z	$d�d%d&�Zd'd(�Zd)d*�Zd+d,�Zd-d.�Zd/d0�Zd1d2�Zd3d4�Zd5d6�Zd7d8�Zd9d:�Zd;d<�Z d=d>�Z!d?d@�Z"dAdB�Z#dCdD�Z$dEdF�Z%d�dGdH�Z&dIdJ�Z'dKdL�Z(dMdN�Z)dOdP�Z*d�dQdR�Z+d�dSdT�Z,	d�dUdV�Z-	d�dWdX�Z.dYdZ�Z/d�d[d\�Z0d�d]d^�Z1	d�d_d`�Z2dadb�Z3d�dcdd�Z4dedf�Z5d�dgdh�Z6didj�Z7dkdl�Z8dmdn�Z9dodp�Z:d�dqdr�Z;d�dsdt�Z<dudv�Z=d�dwdx�Z>dydz�Z?d{d|�Z@d}d~�ZAdd��ZBd�d��ZCd�d��ZDd�d��ZE	d�d�d��ZFdS)��nftablesTcCs^||_d|_g|_i|_i|_i|_i|_i|_dgi|_t	�|_
|j
�d�|j
�d�dS)NT�inet)
�_fw�restore_command_exists�available_tables�rule_to_handle�rule_ref_count�rich_rule_priority_counts�policy_priority_counts�zone_source_index_cache�created_tablesrr\�set_echo_output�set_handle_output)�self�fwr<r<r=�__init__�s
znftables.__init__cCs�dD]}||vr
nqd||dvr/||ddd||dddf}||dd=nd||dvrAd}||dd=ndS||dd}|rh|dkrh||vrd|||vrf||�|�dSdSdS|dkr�||vrtg||<|r�|||vr�||�|�||jd	d
�d�||�|�}nt||�}||}||=|dkr�||d
<dS|d8}||d<||ddd<dSdS)N��add�insert�delete�%%ZONE_SOURCE%%�rule�zone�address�%%ZONE_INTERFACE%%�familyrocSs|dS)Nrr<)�xr<r<r=�<lambda>�sz3nftables._run_replace_zone_source.<locals>.<lambda>)�keyrrnrErm�index)�remover:�sortry�len)rirqre�verb�zone_sourcerury�
_verb_snippetr<r<r=�_run_replace_zone_source�sJ����z!nftables._run_replace_zone_sourcecCs>d|vr
dt�|d�iSd|vrdt�|d�iSttd��)NrnrormzFailed to reverse rule)�copy�deepcopyrr	)ri�dictr<r<r=�reverse_rule�s

znftables.reverse_rulec
Cs�dD]}||vr
nq|||dvr�||d|}||d|=t|�tkr-ttd��||dd||ddf}|dkrd||vsS|||vsS|||dkrXttd��|||d	8<dS||vrli||<|||vrxd|||<d}t||���D]}||kr�|d
kr�n||||7}||kr�|dkr�nq�|||d	7<||}	||=|dkr�|	|d
<dS|d	8}|	|d<||ddd<dSdS)
Nrlrqz%priority must be followed by a numberru�chainrorz*nonexistent or underflow of priority countrErnrmry)r0�intrr
r	�sorted�keys)
rirq�priority_counts�tokenr}�priorityr�ry�prr<r<r=�_set_rule_replace_priority�sJ�
 
��z#nftables._set_rule_replace_prioritycCsbdD],}||vr.d||vr.t�||d�}dD]	}||vr"||=qtj|dd�}|SqdS)Nrlrq)ry�handle�positionT)�	sort_keys)r�r��json�dumps)rirqr}�rule_key�non_keyr<r<r=�
_get_rule_keys��znftables._get_rule_keycCs gd�}gd�}g}g}t�|j�}t�|j�}t�|j�}	|j��}
|D]�}t|�tkr4tt	d|��|D]}||vr>nq6||vrJtt
d|��|�|�}
|
|
vr�t�
d|j|
|
|
�|dkrk|
|
d7<q%|
|
dkrz|
|
d8<q%|
|
dkr�|
|
d8<ntt	d|
|
|
f��|
r�|dkr�d|
|
<|�|�t�|�}|
r�ttd||d	d
��||d	d
<|�||d�|�||d�|�||	�|dkr�dd	|dd	d
|dd	d|dd	d|j|
d�ii}|�|�q%ddddiig|i}t��dk�rt�d|jt�|��|j�|�\}}}|dk�r2tdd|t�|�f��||_||_|	|_|
|_d}|D]K}|d7}|�|�}
|
�sR�qBd|v�ra|j|
=|j|
=�qB|D]}||d|v�rpn�qc||d|v�r}�qB|d||d	d|j|
<�qBdS)N)rmrnro�flush�replace)rmrnr�z#rule must be a dictionary, rule: %szno valid verb found, rule: %sz%s: prev rule ref cnt %d, %srorEz)rule ref count bug: rule_key '%s', cnt %drq�expr�%%RICH_RULE_PRIORITY%%�%%POLICY_PRIORITY%%ru�tabler�)rur�r�r�r\�metainfo�json_schema_versionrKz.%s: calling python-nftables with JSON blob: %srz'%s' failed: %s
JSON blob:
%szpython-nftablesr�)r�r�rcrdrerbr0r�rr	r
r�r�debug2�	__class__r:�listr-r�r�ra�getDebugLogLevel�debug3r�r�r\�json_cmd�
ValueError)ri�rules�
log_denied�_valid_verbs�_valid_add_verbs�_deduplicated_rules�_executed_rulesrcrdrerbrqr}r��_rule�	json_blob�rcr#�errorryr<r<r=�	set_rules$s�
�

�
�

&
�
�


�"�znftables.set_rulescCs|�|g|�dS)N�)r�)rirqr�r<r<r=�set_rule�sznftables.set_ruleNcCs|r|gSt��S�N)�IPTABLES_TO_NFT_HOOKr��rir�r<r<r=�get_available_tables�sznftables.get_available_tablescCs�i}i}|�d�D]}|�|�}||jvr#|j|||<|j|||<q	||_||_i|_i|_i|_g}t|jdvrP|�	dddtd�ii�|jd�
t�|S)NTr]ror��ru�name)� _build_set_policy_rules_ct_rulesr�rarbrcrdre�
TABLE_NAMErfr:rz)ri�saved_rule_to_handle�saved_rule_ref_countrq�
policy_keyr�r<r<r=�build_flush_rules�s(

�
�znftables.build_flush_rulescCshddd�|}g}dD]&}|�|ddtdd|fd	d
ddiid
dddgid�iddigd�ii�q|S)Nrmro�TF�r&r'r#rqr]�%s_%sr-r.�ctrx�state�in�set�established�relatedr5�accept�rur�r�r�)r:�TABLE_NAME_POLICY)ri�enable�add_delr��hookr<r<r=r��s


���z)nftables._build_set_policy_rules_ct_rulesc
Cslg}|dkr8|�dddtd�ii�|jd�t�dD]}|�dddtdd	|fd
|dtdd
d�ii�q|dkrw|�dddtd�ii�|jd�t�dD]}|�dddtdd
|fd
|dtdd
d�ii�qR||�d�7}|S|dkr�|�d�D]}|�|�}||jvr�|�|�q�t|jdvr�|�dddtd�ii�|jd�t�|Stt	d�|S)N�PANICrmr�r]r�)r r#r�r�r*r-i���rE�drop)rur�r�r0r��prio�policy�DROPr�rT�ACCEPTFroznot implemented)
r:r�rf�NFT_HOOK_OFFSETr�r�rarzrr	)rir�r�r�rqr�r<r<r=�build_set_policy_rules�sZ
�


�
�


��


�
�
�znftables.build_set_policy_rulescCs8t�}|r|gnt��D]}|�t|���qt|�Sr�)r��ICMP_TYPES_FRAGMENTSr��updater�)ri�ipv�	supported�_ipvr<r<r=�supported_icmp_types�sznftables.supported_icmp_typescCs0g}|�dddtd�ii�|jd�t�|S)Nrmr�r]r�)r:r�rf)ri�default_tablesr<r<r=�build_default_tables�s
�znftables.build_default_tables�offcCsg}td��D]V}|�dddtd|ddtd|dtd|d	d
�ii�dD]}|�dddtd||fd
�ii�q,dD]}|�dddtd|ddd||fiigd�ii�qBqtd��D]�}|�dddtd|ddtd|dtd|d	d
�ii�|dvr�dD],}|�dddtd||fd
�ii�|�dddtd|ddd||fiigd�ii�q�qedD]}|�dddtd||fd
�ii�q�dD]}|�dddtd|ddd||fiigd�ii�q�qetd��D]"}|�dddtd|ddtd|dtd|d	d
�ii�q�|�dddtddddddiiddd d!gid"�id#digd�ii�|�dddtdddddd$iidd%d"�id#digd�ii�|�dddtdddd&dd'iid(d)d"�id#digd�ii�dD]}|�dddtd*d|fd
�ii��qydD]}|�dddtddddd*d|fiigd�ii��q�|d+k�r�|�dddtddddddiiddd,gid"�i|�|�d-d.d/iigd�ii�|�dddtddddddiiddd,gid"�id0digd�ii�|d+k�r|�dddtdd|�|�d-d.d1iigd�ii�|�dddtddd2d3d4d5�igd�ii�|�dddtdd6ddddiiddd d!gid"�id#digd�ii�|�dddtdd6dddd$iidd%d"�id#digd�ii�|�dddtdd6dd&dd'iid(d)d"�id#digd�ii�d7D]}|�dddtd*d6|fd
�ii��q�dD]-}|�dddtd*d6|fd
�ii�|�dddtdd6ddd*d6|fiigd�ii��q�d8D]}|�dddtd*d6|fd
�ii��q�|d+k�r|�dddtdd6ddddiiddd,gid"�i|�|�d-d.d/iigd�ii�|�dddtdd6ddddiiddd,gid"�id0digd�ii�|d+k�rU|�dddtdd6|�|�d-d.d1iigd�ii�|�dddtdd6d2d3d4d5�igd�ii�|�dddtdd9ddddiiddd d!gid"�id#digd�ii�|�dddtd:dd&dd;iid(d)d"�id#digd�ii�d7D]-}|�dddtd*d9|fd
�ii�|�dddtdd9ddd*d9|fiigd�ii��q�d8D]-}|�dddtd*d9|fd
�ii�|�dddtdd9ddd*d9|fiigd�ii��q�|S)<Nr+rmr�r]z	mangle_%sr-�%srrE)rur�r�r0r�r�)�POLICIES_pre�ZONES�
POLICIES_postzmangle_%s_%s�rur�r�)r�rq�jump�targetr�r,znat_%s)r%)r�r��	nat_%s_%sz	filter_%sr(r.r�rxr�r�r�r�r�r5r��status�dnat�meta�iifnamer4�lo�filter_%s_%sr��invalidr�prefixzSTATE_INVALID_DROP: r�zFINAL_REJECT: �reject�icmpx�admin-prohibited�r0r�r))r�)r�r%�
filter_OUTPUT�oifname)r�r�r:r��_pkttype_match_fragment)rir��
default_rulesr��dispatch_suffixr<r<r=�build_default_rules�s
�

�
��
�

�
��	

�
��
�

���
���
���

�
�

�
��
���


��
�

���
���
���

�

�
�

�

�
��
���


��
�

���
���

�
�

�
�znftables.build_default_rulescCs2|dkrddgS|dkrdgS|dkrddgSgS)Nr-r(r)r+rr,r$r<r�r<r<r=�get_zone_table_chains�sznftables.get_zone_table_chainsc	s|�jj�|���jdkrdnd��dkr�dkrdnd}	�jj�|�t|	��g}
g}|r?|
�dd	d
diidd
t|�id�i�|rT|�dd	d
diidd
t|�id�i�|rd|D]}|
���d|��qX|rt|D]}
|���d|
��qh�������fdd�}g}|
r�|
D]}|r�|D]
}|�|||��q�q�|�||d��q�|S|r�|D]
}|�|d|��q�|S|�|dd��|S)Nr�pre�postr,r$TFr.r�rxr�r4r�r5r��saddr�daddrcs~g}|r	|�|�|r|�|�|�ddd��fii�dtd���f|d�}|�������r9dd|iiSd	d|iiS)
Nr�r�r�r]z%s_%s_POLICIES_%sr�rmrqro)r:r�r��_policy_priority_fragment)�ingress_fragment�egress_fragment�expr_fragmentsrq��_policyr��chain_suffixr��p_objrir�r<r=�_generate_policy_dispatch_rule�s

�zRnftables.build_policy_ingress_egress_rules.<locals>._generate_policy_dispatch_rule)	r^r��
get_policyr��policy_base_chain_name�POLICY_CHAIN_PREFIXr:r��_rule_addr_fragment)rir�r�r�r��ingress_interfaces�egress_interfaces�ingress_sources�egress_sources�isSNAT�ingress_fragments�egress_fragments�src�dstrr�r�r�r<rr=�!build_policy_ingress_egress_rules�sL

�

��
��z*nftables.build_policy_ingress_egress_rulesFcCsJ|dkr
|dkr
dnd}|jjj||t|d�}	dddddd�|}
|t|�d	d
kr7|dt|�d	�d}d}|dkrI|d
d||	fiig}nddd|
iid|d�i|d
d||	fiig}|rx|sxd}
dtd||f|d�}|�|���n&|r�d}
dtd||f|d�}nd}
dtd||f|d�}|s�|�|���|
d|iigS)Nr,r$TF�rr�r��rr$r(r)r%rE�+�*�gotor�r�r.r�rxr4r5rnr]�%s_%s_ZONESr�rmrorq)r^r�rrr|r�r��_zone_interface_fragment)rir�rrr��	interfacer�r�r:rr�opt�actionrr}rqr<r<r=�!build_zone_source_interface_rulessZ����
�
�
�z*nftables.build_zone_source_interface_rulesc
	Cs�|dkr
|dkr
dnd}|jjj||t|d�}ddd�|}	d	d
d	d	d
d�|}
d}d
td||f|�|
|�|dd||fiigd�}|�|�||��|	d|iigS)Nr,r$TFrrnror�r�r�rrr]rr�r�r�rq)r^r�rrr�r	r��_zone_source_fragment)
rir�rrr�rsr�r�rrr�rrrqr<r<r=�build_zone_source_address_rulesIs*��

��z(nftables.build_zone_source_address_rulescCsfddd�|}|dkr|dkrdnd}|jjj||t|d�}|jj�|�}g}	|	�|d	d
td||fd�ii�d
D]}
|	�|d	d
td|||
fd�ii�q:|jrn|	�ddd
td||fddd||dfiigd�ii�d
D]}
|	�|dd
td||fddd|||
fiigd�ii�qp|jr�|	�ddd
td||fddd||dfiigd�ii�|jjj|j	}|j�
�dkr�|dkr�|tdddfvr�|}|tdfvr�d}|	�|dd
td||f|�|j�
��ddd||fiigd�ii�|dk�r*|tddddfv�r*|tddfv�r|�
�}
n|��di}
|	�|dd
td||f|
gd�ii�|�s1|	��|	S)Nrmror�r,r$TFrr�r]r�r�)r�r�deny�allowr��%s_%s_%srqr�r�r�r�r�r�r-�REJECTz
%%REJECT%%r�rr�z"filter_%s_%s: "r�)r^r�rrrr:r��derived_from_zone�	_policiesr��get_log_deniedrr��_reject_fragment�lower�reverse)rir�r�r�r�r�rrrr�rr��
log_suffix�target_fragmentr<r<r=�build_policy_chain_rulesasv

�
�

�

�

�

��



�z!nftables.build_policy_chain_rulescCs8|dkriS|dvrddddiid|d�iSttd	|��)
N�all)�unicast�	broadcast�	multicastr.r�rx�pkttyper4r5zInvalid pkttype "%s"�rr
)rir2r<r<r=r��s�z nftables._pkttype_match_fragmentc	Csfiddddd�i�ddddd�i�ddddd�i�d	dddd�i�d
dddd�i�ddddd�i�d
dddd�i�ddddd�i�ddddd�i�ddddd�i�ddddd�i�ddddd�i�ddddd�i�ddddd�i�ddddd�i�ddddd�i�ddddd�i�dddd�idddd�idddd�idddd�idd d!iidd d!iid"��}||S)#Nzicmp-host-prohibitedr�r?rCr�zhost-prohibzicmp-net-prohibitedznet-prohibitedz
net-prohibzicmp-admin-prohibitedr�zadmin-prohibzicmp6-adm-prohibitedrUzadm-prohibitedzicmp-net-unreachableznet-unreachableznet-unreachzicmp-host-unreachablerGzhost-unreachzicmp-port-unreachablerJzicmp6-port-unreachablezport-unreachr�zicmp-proto-unreachablezprot-unreachablez
proto-unreachzaddr-unreachablerWr0z	tcp reset)zicmp6-addr-unreachable�addr-unreachzicmp6-no-routerWz	tcp-resetztcp-rstr<)ri�reject_type�fragsr<r<r=�_reject_types_fragment�sV�������	���
�������

�znftables._reject_types_fragmentcCsdddd�iS)Nr�r�r�r�r<�rir<r<r=r(�s�znftables._reject_fragmentcCs ddddiiddddgid	�iS)
Nr.r�rx�l4protor4r�r?rUr5r<r8r<r<r=�_icmp_match_fragment�s
�znftables._icmp_match_fragmentcCsj|siSddddd�}z|j�d�}Wntyttd��wdt|jd	|��||j|d
d�iS)N�second�minute�hour�day)�s�m�h�d�/zExpected '/' in limit�limitrrE)�rate�per)�valueryr�rr
r�)rirD�rich_to_nft�ir<r<r=�_rich_rule_limit_fragment�s�
��z"nftables._rich_rule_limit_fragmentcCs�t|j�ttttfvrn|jr%t|j�ttt	t
fvr$ttdt|j���nttd��|j
dkrYt|j�tttfvsBt|j�tt
fvrDdSt|j�tfvsUt|j�tt	fvrWdSdS|j
dkr`dSdS)N�Unknown action %szNo rule action specified.rr"r!r�r�)r0�elementrrrrrrrrrrr
r��ri�	rich_ruler<r<r=�_rich_rule_chain_suffix�s$�

�
z nftables._rich_rule_chain_suffixcCs6|js|jsttd��|jdkrdS|jdkrdSdS)NzNot log or auditrrr�r�)r�auditrr
r�rMr<r<r=� _rich_rule_chain_suffix_from_log�s


z)nftables._rich_rule_chain_suffix_from_logcCsddiS)Nrtr<r8r<r<r=r
sz!nftables._zone_interface_fragmentcCsNtd|�r
t|�}ntd|�r |�d�}t|d�d|d}d||d�iS)Nr[rCrrErp)rrrs)rrr�split)rirrrs�
addr_splitr<r<r=r
s



znftables._zone_source_fragmentcCs
d|jiS)Nr��r�)rir�r<r<r=r�s
z"nftables._policy_priority_fragmentcCs|r|jdkr	iSd|jiS)Nrr�rTrMr<r<r=�_rich_rule_priority_fragments
z%nftables._rich_rule_priority_fragmentcCs
|jsiS|jj�||t�}ddd�|}|�|�}i}	t|j�tkr>|jjr-t	|jj�nd|	d<|jj
r=t	|jj
�|	d<n|jjrTd|jjkrJdn|jj}
d	|
|	d
<|jjr`d	|jj|	d<dt
d
|||f|d|	i|�|jj�gd�}|�|�|��|d|iiS)Nrmror�r�groupzqueue-threshold�warning�warnr��levelr�r]r#rr�rq)rr^r�rrrQr0rrVr��	thresholdrYr�r�rJrDr�rU)rir�rNr�r�rrr�r�log_optionsrYrqr<r<r=�_rich_rule_logs6
����znftables._rich_rule_logc
Cs�|jsiS|jj�||t�}ddd�|}|�|�}dtd|||f|dddii|�|jj�gd	�}	|	�	|�
|��|d
|	iiS)Nrmror�r]r#rrYrPr�rq)rPr^r�rrrQr�rJrDr�rU)
rir�rNr�r�rrr�rrqr<r<r=�_rich_rule_audit=s 

���znftables._rich_rule_auditc
Cs�|jsiS|jj�||t�}ddd�|}|�|�}d|||f}	t|j�tkr-ddi}
n~t|j�tkrE|jjr@|�	|jj�}
nkddi}
nft|j�t
krQddi}
nZt|j�tkr�d}|jj�||t�}d|||f}	|jj�
d	�}t|�d
kr�dddd
iiddddd
ii|d
gi|dgid�i}
ndddd
ii|dd�i}
n
ttdt|j���dt|	||�|jj�|
gd�}|�|�|��|d|iiS)Nrmror�r#r�r�r�r+rCrEr�rx�mark�^�&r�rxrGrKr]r�rq)rr^r�rrrOr0rrr7rrr�rRr|rr
r�rJrDr�rU)
rir�rNr�r�rrr�rr��rule_actionrGrqr<r<r=�_rich_rule_actionOsL



"
�
����znftables._rich_rule_actioncCs�|�d�r|�|td�d�d|krd|�Sd|�St|�r!d}nCtd|�r)d}n;td|�rBd}tj|dd�}d	|jj	|j
d
�i}n"td|�rNd}t|�}nd}|�d
�}d	t|d�t
|d�d
�i}dd||d�i|rodnd|d�iS)N�ipset:r�TF�etherrZ�ip)�strictr���addrr|r[�ip6rCrrEr.r/r1�!=r4r5)�
startswith�_set_match_fragmentr|rrr�	ipaddress�IPv4Network�network_address�
compressed�	prefixlenrrRr�)ri�
addr_fieldrs�invertru�normalized_address�addr_lenr<r<r=r	zs,
*




�
�znftables._rule_addr_fragmentcCs6|siS|dvrttd|��ddddiid|d�iS)	NrYzInvalid familyr.r�rx�nfprotor4r5r3)ri�rich_familyr<r<r=�_rich_rule_family_fragment�s��z#nftables._rich_rule_family_fragmentcCs8|siS|jr|j}n|jrd|j}|jd||jd�S)Nrdr��rt)ri�ipsetr	rt)ri�	rich_destrsr<r<r=�_rich_rule_destination_fragment�s
z(nftables._rich_rule_destination_fragmentcCsZ|siS|jr|j}nt|d�r|jr|j}n
t|d�r$|jr$d|j}|jd||jd�S)N�macr{rdr�rz)ri�hasattrr~r{r	rt)ri�rich_sourcersr<r<r=�_rich_rule_source_fragment�s
z#nftables._rich_rule_source_fragmentcCsJt|�}t|t�r|dkrtt��t|�dkr|dSd|d|dgiS)NrrE�range)r�
isinstancer�rrr|)ri�portr�r<r<r=�_port_fragment�sznftables._port_fragmentc
C�`ddd�|}d}|jj�||t�}	g}
|r|
�|�|j��|r*|
�|�d|��|r>|
�|�|j	��|
�|�
|j��|
�dd|dd	�id
|�|�d�i�|rZt
|j�tkrm|
�ddd
diiddddgid�i�g}|r�|�|�|||||
��|�|�|||||
��|�|�|||||
��|S|�|ddtd||	f|
ddigd�ii�|S)Nrmror�r-r�r.r/�dportr1r4r5r�rxr�r�r��new�	untrackedrqr]�%s_%s_allowr�r��r^r�rrr:ryrur	r}�destinationr��sourcer�r0rrr\r]rcr��rir�r��protor�r�rNr�r�rrr�r<r<r=�build_policy_ports_rules�sD
�
�

�
�
�z!nftables.build_policy_ports_rulesc
CsXddd�|}d}|jj�||t�}g}	|r|	�|�|j��|r*|	�|�d|��|r>|	�|�|j	��|	�|�
|j��|	�dddd	iid
|d�i�|rVt|j
�tkri|	�dddd
iiddddgid�i�g}
|r�|
�|�|||||	��|
�|�|||||	��|
�|�|||||	��|
S|
�|ddtd||f|	ddigd�ii�|
S)Nrmror�r-r�r.r�rxr9r4r5r�r�r�r�r�r�rqr]r�r�r�)r^r�rrr:ryrur	r}r�r�r�r0rrr\r]rcr�)rir�r�r2r�rNr�r�rrr�r<r<r=�build_policy_protocol_rules�s@
�

�
�
�z$nftables.build_policy_protocol_rulesc	Cs�d}|jj�||t�}ddd�|}g}	|r-|	�|�|j��|	�|�|j��|�	|�}
|	�ddddd	d
�idd�i�|d
ksE|durY|	�ddddd�idddiid�i�n|	�ddddd�i|d�i�g}|�|ddt
d||
f|	d�ii�|S)Nr-rmror�r.r�r/�tcp�flagsr1�syn)r7r6r8�pmtur+z
tcp option�maxseg�size)r�r3�rtrx�mturarqr]r�r�)r^r�rrr:r}r�r�r�rOr�)rir�r��tcp_mss_clamp_valuer�rNr�rr�rrr�r<r<r=� build_policy_tcp_mss_clamp_ruless4

�
�
�

�z)nftables.build_policy_tcp_mss_clamp_rulesc
Cr�)Nrmror�r-r�r.r/�sportr1r4r5r�rxr�r�r�r�r�rqr]r�r�r�r�r�r<r<r=�build_policy_source_ports_rules#sD
�
�

�
�
�z(nftables.build_policy_source_ports_rulesc

Cs�d}|jj�||t�}	ddd�|}
g}|r)|�dddtd||f||d�ii�g}|r6|�|�d	|��|�d
d|dd
�id|�|�d�i�|�dd||fi�|�|
ddtd|	|d�ii�|S)Nr-rmror�z	ct helperr]zhelper-%s-%s)rur�r�r0r2r�r.r/r�r1r4r5rq�filter_%s_allowr�)r^r�rrr:r�r	r�)
rir�r�r�r�r��helper_name�module_short_namer�rr�r�rr<r<r=�build_policy_helper_ports_rulesHs6

�
�
�
�z(nftables.build_policy_helper_ports_rulescCs�ddd�|}|jj�||t�}g}	|r;|t|�ddkr*|dt|�d�d}ddd	d
iid|d�id
dig}
n
|�d|�d
dig}
dtd||
d�}|	�|d|ii�|	S)Nrmror�rErrr.r�rxr�r4r5r�r�r]r�r�rq)r^r�rrr|r	r�r:)rir�rrr�r�rr�r�rr�r�rqr<r<r=�build_zone_forward_ruleses(���z!nftables.build_zone_forward_rulesc	Cs�ddd�|}g}g}|r.|�|�|j��|�|�|j��|�|�|j��|�|�}n|�ddddiidd	d
�i�d}d}|jj	j
||td
d�}	dtd|	|f|ddddiiddd
�iddigd�}
|
�
|�|��|�|d|
ii�|S)Nrmror�r.r�rxrwr4rZr5r"r,Trr]r�r�rkr��
masquerader�rq)r:ryrur}r�r�r�rOr^r�rrr�r�rU)rir�r�rNr�r�rrr�rrqr<r<r=�build_policy_masquerade_rules~s<
�
����z&nftables.build_policy_masquerade_rulescCsjd}|jj�||t�}	ddd�|}
g}|r7|�|�|j��|�|�|j��|�|�	|j
��|�|�}nd}
|rBtd|�rBd}
|�ddd	d
iid|
d�i�d
}|�dd|dd�id|�
|�d�i�|r�td|�rqt|�}|r�|dkr�|�d||�
|�d�i�n|�dd|ii�n|�dd|�
|�ii�dtd|	|f|d�}|�|�|��|
d|iigS)Nr,rmror�rZr[r.r�rxrwr4r5r"r/r�r1r�r�)rir�rirDr�r]r�r�rq)r^r�rrr:ryrur}r�r�r�rOrr�rr�r�rU)rir�r�r�r2�toport�toaddrrNr�rr�rrrwrqr<r<r=�build_policy_forward_port_rules�sJ
�
�
�

�z(nftables.build_policy_forward_port_rulescCs.|t|vrt||Sttd||j|f��)Nz)ICMP type '%s' not supported by %s for %s)r�rrr�)rir��	icmp_typer<r<r=�_icmp_types_to_nft_fragments�s
�z%nftables._icmp_types_to_nft_fragmentscCs4d}|jj�||t�}ddd�|}|r|jr|j}n|jr5g}d|jvr*|�d�d|jvr4|�d�nddg}g}	|D]�}
|jj�|�rQd||f}ddi}n
d	||f}|��}g}
|rz|
�|�	|j
��|
�|�|j��|
�|�|j
��|
�|�|
|j��|r�|	�|�|||||
��|	�|�|||||
��|jr�|	�|�|||||
��q=|�|�}d
td|||f|
|��gd�}|�|�|��|	�|d
|ii�q=|j��dk�r|jj�|��s|	�|d
d
t||
|�|j���ddd||fiigd�ii�|	�|d
d
t||
|gd�ii�q=|	S)Nr-rmror�rZr[r�r�z
%s_%s_denyr]r#r�rqr�rr�z"%s_%s_ICMP_BLOCK: ")r^r�rr�ipvsr�r:�query_icmp_block_inversionr(ryrur}r�r��extendr�r�r\r]rrcrOr�r�rUr'r�)rir�r��ictrNr�rr�r�r�r��final_chainr,rrrqr<r<r=�build_policy_icmp_block_rules�sn




�

� 
���
�z&nftables.build_policy_icmp_block_rulescCs�d}|jj�||t�}g}ddd�|}|jj�|�r |��}nddi}|�|ddtd||fd	|��|gd
�ii�|j�	�dkro|jj�|�ro|�|ddtd||fd	|��|�
|j�	��dd
d||fiigd
�ii�|S)Nr-rmror�r�rqr]r�rI�rur�r�ryr�r�rr�z%s_%s_ICMP_BLOCK: )r^r�rrr�r(r:r�r:r'r�)rir�r�r�rr�r�r,r<r<r=�'build_policy_icmp_block_inversion_ruless4


��

��z0nftables.build_policy_icmp_block_inversion_rulesc
Cs�g}ddddiiddd�iddgd	�d
d�iddd�ig}|d
kr*|�dddii�|�ddi�|�dddtd|d�ii�|�dddtdddddd�iddddgid�iddigd�ii�|S)Nr.r�rxrwr4r[r5�fib)r��iifr^�oif)r��resultFr�rr�zrpfilter_DROP: r�rnrqr]�filter_PREROUTINGr�r/rUr0r1r�rXrVr�)r:r�)rir�r�rr<r<r=�build_rpfilter_rules+sB�
���
�
�
���znftables.build_rpfilter_rulesc
Cs�gd�}dd�|D�}ddddd�id	d
|id�ig}|jjdvr*|�d
ddii�|�|�d��g}|�dddtdd|d�ii�|�dddtdd|d�ii�|S)N)	z::0.0.0.0/96z::ffff:0.0.0.0/96z2002:0000::/24z2002:0a00::/24z2002:7f00::/24z2002:ac10::/28z2002:c0a8::/32z2002:a9fe::/32z2002:e000::/19cSs2g|]}d|�d�dt|�d�d�d�i�qS)r�rCrrErh)rRr�)�.0rvr<r<r=�
<listcomp>Rs2z5nftables.build_rfc3964_ipv4_rules.<locals>.<listcomp>r.r/rjr�r1r4r�r5)r/r.rr�zRFC3964_IPv4_REJECT: r4rmrqr]r�rEr��filter_FORWARDrM)r^�_log_deniedr:r7r�)ri�	daddr_setrr�r<r<r=�build_rfc3964_ipv4_rulesGs2
�
�
�
�z!nftables.build_rfc3964_ipv4_rulesc	Cs�d}g}|�|�|j��|�|�|j��|�|�|j��g}|�|�|||||��|�|�|||||��|�|�	|||||��|S)Nr-)
r:ryrur}r�r�r�r\r]rc)rir�r�rNr�rr�r<r<r=�*build_policy_rich_source_destination_rulesjsz3nftables.build_policy_rich_source_destination_rulescCs|dvrdSdS)N)rZr[�ebTFr<)rir�r<r<r=�is_ipv_supportedysznftables.is_ipv_supportedc
Cs�ddd�}||||ddg||dd||g||dd||g||dg||||||g||ddg||dd||g||dgdd	�}||vrO||Sttd
|��)N�	ipv4_addr�	ipv6_addrrY�
inet_proto�inet_servicer^�ifname�
ether_addr)zhash:ipzhash:ip,portzhash:ip,port,ipzhash:ip,port,netzhash:ip,markzhash:netzhash:net,netz
hash:net,portzhash:net,port,netzhash:net,iface�hash:macz!ipset type name '%s' is not valid)rr)rir�r0�ipv_addr�typesr<r<r=�_set_type_list~s(�

��znftables._set_type_listcCs�|rd|vr|ddkrd}nd}dt||�||�d�}|�d�d�d	�D]
}|d
vr3dg|d<nq&|rJd
|vr@|d
|d
<d|vrJ|d|d<dd|iigS)Nru�inet6r[rZr])rur�r�r0�:rE�,)rf�netr��intervalr��timeout�maxelemr�rmr�)r�r�rR)rir�r0�optionsr��set_dict�tr<r<r=�build_set_create_rules�s&
�
�znftables.build_set_create_rulescCs$|�|||�}|�||j���dSr�)r�r�r^r')rir�r0r�r�r<r<r=�
set_create�sznftables.set_createcCs*dddt|d�ii}|�||j���dS)Nror�r]r�)r�r�r^r')rir�rqr<r<r=�set_destroy�s

�znftables.set_destroycCs,|jj�|�j�d�d�d�}g}tt|��D]c}||dkr8|�dddii�|�dd	|r1d
ndd�i�q||d
vrP|�d|�|�|rIdndd�i�q||dkrd|�dd|r^dndii�q||dkrt|�dddii�qt	d||��dt|�dkr�d|in|d|r�dndd|d�iS)Nr�rEr�r�r�rxr9r/�thr�r�r1)rfr�r~r�r��ifacer�r�r^z-Unsupported ipset type for match fragment: %sr.�concatrrkr4�@r5)
r^r{�	get_ipsetr0rRr�r|r:�_set_get_familyr)rir��
match_destrt�type_formatr;rIr<r<r=rm�s* 
�
�
�znftables._set_match_fragmentc	Cs|jj�|�}|j�d�d�d�}|�d�}t|�t|�kr$ttd��g}tt|��D]�}||dkr�z	||�	d�}Wnt
yO|�d�||}	Ynw|�||d|��|||dd�}	z|	�	d�}Wnt
yz|�|	�Yq,w|�d|	d|�|	|dd�gi�q,||d	vr�z	||�	d
�}Wn"t
y�||}
d|jvr�|jddkr�t
|
�}
|�|
�Yq,w||d|�}
d|jvr�|jddkr�t
|
�}
|�d
|
t|||dd��d�i�q,|�||�q,t|�dk�rd|igS|S)Nr�rEr�z+Number of values does not match ipset type.r�r��-r�)rfr�rCrur�r�rhr�)r^r{r�r0rRr|rr
r�ryr�r:r�rr�)rir��entry�objr��entry_tokens�fragmentrIry�port_strrir<r<r=�_set_entry_fragment�sR
�
��(��znftables._set_entry_fragmentc	Cs0g}|�||�}|�dddt||d�ii�|S)NrmrLr]�rur�r��elem)r�r:r�)rir�r�r�rLr<r<r=�build_set_add_ruless
�znftables.build_set_add_rulescCs"|�||�}|�||j���dSr�)r�r�r^r')rir�r�r�r<r<r=�set_addsznftables.set_addcCs8|�||�}dddt||d�ii}|�||j���dS)NrorLr]r�)r�r�r�r^r')rir�r�rLrqr<r<r=�
set_deletes
�znftables.set_deletecCsdddt|d�iigS)Nr�r�r]r�)r�)rir�r<r<r=�build_set_flush_ruless�znftables.build_set_flush_rulescCs |�|�}|�||j���dSr�)r�r�r^r')rir�r�r<r<r=�	set_flushs
znftables.set_flushcCsN|jj�|�}|jdkrd}|S|jr#d|jvr#|jddkr#d}|Sd}|S)Nr�rerur�rjrf)r^r{r�r0r�)rir�r{rur<r<r=r�!s
��znftables._set_get_familycCsZg}|�|�|||��|�|�|��|D]}|�|�||��q|�||j���dSr�)r�r�r�r�r�r^r')ri�set_name�	type_name�entries�create_options�
entry_optionsr�r�r<r<r=�set_restore.sznftables.set_restorer�)r�)F)NN)G�__name__�
__module__�__qualname__r��policies_supportedrkr�r�r�r�r�r�r�r�r�r�r�r�r�r�rrr r-r�r7r(r:rJrOrQrrr�rUr\r]rcr	ryr}r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�rmr�r�r�r�r�r�r�r�r<r<r<r=r\�s�,.`

4

V
C
�2B
  
+

	
$$
�
�%

!
�+
<
#


1	�r\r�)*r�r�rn�firewall.core.loggerr�firewall.functionsrrrrr�firewall.errorsrr	r
rrr
r�firewall.core.richrrrrrrrrr�firewall.core.baser�nftables.nftablesrr�r�rr�r�r>r��objectr\r<r<r<r=�<module>s$,�


�



��
�
�
�
�����	�
���
���
����
��
�
�
��
�
�
���� �!�"�%����
�
�
��
	�

��
�

��
��
�



��A
@ Telegram