HEX

File: //proc/self/root/lib/python3/dist-packages/firewall/server/__pycache__/config.cpython-310.pyc
o

bhAb"�@sLddlZddlZddlZddlmZddlmZddlmZddl	m
Z
ddlmZddl
mZmZmZmZmZmZddlmZdd	lmZdd
lmZddlmZddlmZdd
lmZddl m!Z!ddl"m#Z#ddl$m%Z%ddl&m'Z'ddl(m)Z)ddl*m+Z+m,Z,m-Z-m.Z.m/Z/m0Z0m1Z1m2Z2ddlm3Z3ddl4m5Z5Gdd�de�Z6dS)�N)�config)�DEFAULT_ZONE_TARGET)�Watcher)�log)�DbusServiceObject)�handle_exceptions�dbus_handle_exceptions�dbus_service_method�dbus_service_method_deprecated�dbus_service_signal_deprecated�dbus_polkit_require_auth)�FirewallDConfigIcmpType)�FirewallDConfigService)�FirewallDConfigZone)�FirewallDConfigPolicy)�FirewallDConfigIPSet)�FirewallDConfigHelper)�IcmpType)�IPSet)�Helper)�LockdownWhitelist)�Direct)�dbus_to_python�command_of_sender�context_of_sender�
uid_of_sender�user_of_uid�%dbus_introspection_prepare_properties�!dbus_introspection_add_properties�!dbus_introspection_add_deprecated)�errors)�
FirewallErrorcs�eZdZdZdZ	ejjZ	e	�fdd��Z
e	dd��Ze	dd��Ze	d	d
��Z
e	dd��Ze	d
d��Ze	dd��Ze	dd��Ze	dd��Ze	dd��Ze	dd��Ze	dd��Ze	dd��Ze	dd��Ze	dd ��Ze	d!d"��Ze	d#d$��Ze	d%d&��Ze	d'd(��Ze	d)d*��Ze	d+d,��Ze	d-d.��Ze	d/d0��Z e!d1d2��Z"e!d3d4��Z#e!d5d6��Z$e%ej&d7d8d9�e!d�d;d<���Z'e%ej&d=d>d9�e!d�d?d@���Z(e)ejj�e%ej&dAdB�e!d�dCdD����Z*ej+j,ej&dEdF�dGdH��Z-e)ejj.�e%ej/d=dI�e!d�fdJdK�	���Z0e%ejj1e2j3dI�e!d�dLdM���Z4e%ejj1e2j3dB�e!d�dNdO���Z5ej+�,ejj1�e!dPdQ���Z6e%ejj1d=dB�e!d�dRdS���Z7e%ejj1d=dB�e!d�dTdU���Z8e%ejj1d=dVd9�e!d�dWdX���Z9e%ejj1dYdI�e!d�dZd[���Z:e%ejj1d=dB�e!d�d\d]���Z;e%ejj1d=dB�e!d�d^d_���Z<e%ejj1d=dVd9�e!d�d`da���Z=e%ejj1dYdI�e!d�dbdc���Z>e%ejj1d=dB�e!d�ddde���Z?e%ejj1d=dB�e!d�dfdg���Z@e%ejj1d=dVd9�e!d�dhdi���ZAe%ejj1dYdI�e!d�djdk���ZBe%ejj1dldB�e!d�dmdn���ZCe%ejj1dldB�e!d�dodp���ZDe%ejj1dldVd9�e!d�dqdr���ZEe%ejj1dsdI�e!d�dtdu���ZFe%ejjGdvdI�e!d�dwdx���ZHe%ejjGdYdI�e!d�dydz���ZIe%ejjGd=d{d9�e!d�d|d}���ZJe%ejjGd=eKj3d{d9�e!d�d~d���ZLej+j,ejjGd=dF�e!d�d����ZMe%ejjGdvdI�e!d�d�d����ZNe%ejjGdYdI�e!d�d�d����ZOe%ejjGd=d{d9�e!d�d�d����ZPe%ejjGd=eQj3d{d9�e!d�d�d����ZRej+j,ejjGd=dF�e!d�d����ZSe%ejjGdvdI�e!d�d�d����ZTe%ejjGdYdI�e!d�d�d����ZUe%ejjGd=d{d9�e!d�d�d����ZVe%ejjGd�d{d9�e!d�d�d����ZWe%ejjGd�d{d9�e!d�d�d����ZXej+j,ejjGd=dF�e!d�d����ZYe%ejjGdvdI�e!d�d�d����ZZe%ejjGdYdI�e!d�d�d����Z[e%ejjGd=d{d9�e!d�d�d����Z\e%ejjGd=d=d9�e!d�d�d����Z]e%ejjGd=d=d9�e!d�d�d����Z^e%ejjGd�d{d9�e!d�d�d����Z_e%ejjGd�d{d9�e!d�d�d����Z`ej+j,ejjGd=dF�e!d�d����Zae%ejjGdvdI�e!d�d�d����Zbe%ejjGdYdI�e!d�d�d����Zce%ejjGd=d{d9�e!d�d�d����Zde%ejjGd�d{d9�e!d�d�d����Zeej+j,ejjGd=dF�e!d�d����Zfe%ejjGdvdI�e!d�d�d����Zge%ejjGdYdI�e!d�d�d����Zhe%ejjGd=d{d9�e!d�d�d����Zie%ejjGd=ejj3d{d9�e!d�d�d����Zkej+j,ejjGd=dF�e!d�d����Zlemejjn�e%ejjneoj3dI�e!d�d�d�����Zpemejjn�e%ejjneoj3dB�e!d�d�d���Zqerejjn�ej+�,ejjn�e!d�dĄ���Zsemejjn�e%ejjnd�dB�e!d�d�dǄ���Ztemejjn�e%ejjnd�dB�e!d�d�dɄ���Zuemejjn�e%ejjnd�dVd9�e!d�d�d˄���Zvemejjn�e%ejjnd7dYd9�e!d�d�d̈́���Zwemejjn�e%ejjnd�d�d9�e!d�d�dф���Zxemejjn�e%ejjnd�dB�e!d�d�dԄ���Zyemejjn�e%ejjnd�dB�e!d�d�dք���Zzemejjn�e%ejjnd�dVd9�e!d�d�d؄���Z{emejjn�e%ejjnd�dB�e!d�d�dڄ���Z|emejjn�e%ejjnd�d�d9�e!d�d�d݄���Z}emejjn�e%ejjnd�d�d9�e!d�d�d����Z~emejjn�e%ejjnd�dB�e!d�d�d����Zemejjn�e%ejjnd�dB�e!d�d�d����Z�emejjn�e%ejjnd�dVd9�e!d�d�d����Z�emejjn�e%ejjnd=d�d9�e!d�d�d����Z�emejjn�e%ejjnd�dI�e!d�d�d����Z��Z�S)��FirewallDConfigzFirewallD main classTcs�tt|�j|i|��||_|d|_|d|_|��t|jd�|_	|j	�
tj�|j	�
tj�|j	�
tj
�|j	�
tj�|j	�
tj�|j	�
tj�|j	�
tj�|j	�
tj�|j	�
tj�|j	�
tj�|j	�
tj�|j	�
tj�tj�tj�r�tt�tj��D]}dtj|f}tj�|�r�|j	�
|�q�|j	�tj�|j	�tj�|j	�tj�t |tj!j"ddddddddddddd��dS)Nr��z%s/%s�	readwrite)�
CleanupOnExit�CleanupModulesOnExit�
IPv6_rpfilter�Lockdown�MinimalMark�IndividualCalls�	LogDenied�AutomaticHelpers�FirewallBackend�FlushAllOnReload�RFC3964_IPv4�AllowZoneDrifting)#�superr"�__init__r�busname�path�
_init_varsr�
watch_updater�watcher�
add_watch_dir�FIREWALLD_IPSETS�ETC_FIREWALLD_IPSETS�FIREWALLD_ICMPTYPES�ETC_FIREWALLD_ICMPTYPES�FIREWALLD_HELPERS�ETC_FIREWALLD_HELPERS�FIREWALLD_SERVICES�ETC_FIREWALLD_SERVICES�FIREWALLD_ZONES�ETC_FIREWALLD_ZONES�FIREWALLD_POLICIES�ETC_FIREWALLD_POLICIES�os�exists�sorted�listdir�isdir�add_watch_file�LOCKDOWN_WHITELIST�FIREWALLD_DIRECT�FIREWALLD_CONFr�dbus�DBUS_INTERFACE_CONFIG)�self�conf�args�kwargs�filenamer5��	__class__��8/usr/lib/python3/dist-packages/firewall/server/config.pyr3DsV

���zFirewallDConfig.__init__cCsg|_d|_g|_d|_g|_d|_g|_d|_g|_d|_	g|_
d|_|j�
�D]}|�|j�|��q)|j��D]}|�|j�|��q:|j��D]}|�|j�|��qK|j��D]}|�|j�|��q\|j��D]}|�|j�|��qm|j��D]}|�|j�|��q~dS�Nr)�ipsets�	ipset_idx�	icmptypes�icmptype_idx�services�service_idx�zones�zone_idx�helpers�
helper_idx�policy_objects�policy_object_idxr�
get_ipsets�	_addIPSet�	get_ipset�
get_icmptypes�_addIcmpType�get_icmptype�get_services�_addService�get_service�	get_zones�_addZone�get_zone�get_helpers�
_addHelper�
get_helper�get_policy_objects�
_addPolicy�get_policy_object)rQ�ipset�icmptype�service�zone�helper�policyrXrXrYr6rs2�zFirewallDConfig._init_varscCsdS�NrX�rQrXrXrY�__del__�szFirewallDConfig.__del__cCs,t|j�dkr|j��}|��~t|j�dkst|j�dkr0|j��}|��~t|j�dkst|j�dkrH|j��}|��~t|j�dks7t|j�dkr`|j��}|��~t|j�dksOt|j�dkrx|j��}|��~t|j�dksgt|j�dkr�|j��}|��~t|j�dks|�	�dSrZ)
�lenr[�pop�
unregisterr]r_rarcrer6)rQ�itemrXrXrY�reload�s>
�
�
�
�
�
�zFirewallDConfig.reloadc	
Cs�|tjkri|�tjj�}t�dtj�z|j��Wnty6}zt�	d||f�WYd}~dSd}~ww|�tjj��
�}t|���D]}||vrW||||krW||=qFt
|�dkrg|�tjj|g�dS|�tj�su|�tj�r�|�d�r�z
|j�|�\}}Wnty�}zt�	d||f�WYd}~dSd}~ww|dkr�|�|�dS|dkr�|�|�dS|dkr�|�|�dSdS|�tj�s�|�tj��r$|�d��r$z
|j�|�\}}Wnty�}zt�	d	||f�WYd}~dSd}~ww|dk�r
|�|�dS|dk�r|�|�dS|dk�r"|�|�dSdS|�tj��s2|�tj��r�|�d��r�z
|j�|�\}}Wnt�y_}zt�	d
||f�WYd}~dSd}~ww|dk�rl|� |�dS|dk�rx|�!|�dS|dk�r�|�"|�dSdS|�tj��r�|�#tjd��$d�}t
|�d
k�s�d|v�r�dSt%j&�'|��r�|j(�)|��s�|j(�*|�dSdS|j(�)|��r�|j(�+|�dSdSdS|�tj,��s�|�tj-��r2|�d��r2z
|j�.|�\}}Wnt�y}zt�	d||f�WYd}~dSd}~ww|dk�r|�/|�dS|dk�r$|�0|�dS|dk�r0|�1|�dSdS|�tj2��s@|�tj3��r�|�d��r�z
|j�4|�\}}Wnt�ym}zt�	d||f�WYd}~dSd}~ww|dk�rz|�5|�dS|dk�r�|�6|�dS|dk�r�|�7|�dSdS|tj8k�r�z|j�9�Wnt�y�}zt�	d||f�WYd}~dSd}~ww|�:�dS|tj;k�r�z|j�<�Wnt�y�}zt�	d||f�WYd}~dSd}~ww|�=�dS|�tj>��s|�tj?��rX|�d��rVz
|j�@|�\}}Wnt�y1}zt�	d||f�WYd}~dSd}~ww|dk�r>|�A|�dS|dk�rJ|�B|�dS|dk�rZ|�C|�dSdSdSdS)Nz,config: Reloading firewalld config file '%s'z+Failed to load firewalld.conf file '%s': %srz.xmlz%Failed to load icmptype file '%s': %s�new�remove�updatez$Failed to load service file '%s': %sz!Failed to load zone file '%s': %s��/r#z"Failed to load ipset file '%s': %sz#Failed to load helper file '%s': %sz/Failed to load lockdown whitelist file '%s': %sz)Failed to load direct rules file '%s': %sz#Failed to load policy file '%s': %s)DrrN�GetAllrOrPr�debug1�update_firewalld_conf�	Exception�error�copy�list�keysr��PropertiesChanged�
startswithr<r=�endswith�update_icmptype_from_pathrk�removeIcmpType�_updateIcmpTyper@rA�update_service_from_pathrn�
removeService�_updateServicerBrC�update_zone_from_pathrq�
removeZone�_updateZone�replace�striprFr5rJr8�	has_watchr9�remove_watchr:r;�update_ipset_from_pathrh�removeIPSet�_updateIPSetr>r?�update_helper_from_pathrt�removeHelper�
_updateHelperrL�update_lockdown_whitelist�LockdownWhitelistUpdatedrM�
update_direct�UpdatedrDrE�update_policy_object_from_pathrw�removePolicy�
_updatePolicy)	rQ�name�	old_props�msg�props�key�what�obj�_namerXrXrYr7�s`
�����
�
�����
����


�
���


���

�����


�
�����


�������
����


�zFirewallDConfig.watch_updaterc	C�Pt||j||j|jdtjj|jf�}|j�|�|jd7_|�|j	�|S�Nz%s/%dr#)
r
rr^r4rO�DBUS_PATH_CONFIG_ICMPTYPEr]�append�
IcmpTypeAddedr�)rQr��config_icmptyperXrXrYrk?s��zFirewallDConfig._addIcmpTypecC�L|jD] }|jj|jkr#|jj|jkr#|jj|jkr#||_|�|j�qdSr)r]r�r�r5rUr�)rQr�rzrXrXrYr�K�
��zFirewallDConfig._updateIcmpTypecC��d}|jD]%}|��}|j||vr*||�|j�|j�|j|�|_|�|jj�q|jD])}|��}d|vrW|j|dvrW|d�|j�|j�	|j|�|_|�|jj�q.|j
D]}|j|krs|�|j�|��|j
�|�~q[dS)N��icmp_blocks)
ra�getSettingsr�r�r�set_zone_configr�r�re�set_policy_object_config_dictr]�Removedr�)rQr��indexr|�settingsr~rzrXrXrYr�T�.
�
�

��zFirewallDConfig.removeIcmpTypec	Cr�r�)
rrr`r4rO�DBUS_PATH_CONFIG_SERVICEr_r��ServiceAddedr�)rQr��config_servicerXrXrYrnn��zFirewallDConfig._addServicecCr�r)r_r�r�r5rUr�)rQr�r{rXrXrYr�yr�zFirewallDConfig._updateServicecCr�)Nr$r_)
rar�r�r�rr�r�r�rer�r_r�r�)rQr�r�r|r�r~r{rXrXrYr��r�zFirewallDConfig.removeServicec	Cr�r�)
rrrbr4rO�DBUS_PATH_CONFIG_ZONErar��	ZoneAddedr�)rQr��config_zonerXrXrYrq�r�zFirewallDConfig._addZonecCr�r)rar�r�r5rUr��rQr�r|rXrXrYr���
��zFirewallDConfig._updateZonecC�<|jD]}|j|kr|�|j�|��|j�|�~qdSr)rar�r�r�r�r�r�rXrXrYr���

��zFirewallDConfig.removeZonec	Cr�r�)
rrrfr4rO�DBUS_PATH_CONFIG_POLICYrer��PolicyAddedr�)rQr��
config_policyrXrXrYrw�r�zFirewallDConfig._addPolicycCr�r)rer�r�r5rUr��rQr�r~rXrXrYr��r�zFirewallDConfig._updatePolicycCr�r)rer�r�r�r�r�r�rXrXrYr��r�zFirewallDConfig.removePolicyc	Cr�r�)
rrr\r4rO�DBUS_PATH_CONFIG_IPSETr[r��
IPSetAddedr�)rQr��config_ipsetrXrXrYrh�r�zFirewallDConfig._addIPSetcCr�r)r[r�r�r5rUr��rQr�ryrXrXrYr��r�zFirewallDConfig._updateIPSetcCr�r)r[r�r�r�r�r�r�rXrXrYr��r�zFirewallDConfig.removeIPSetc	Cr�r�)
rrrdr4rO�DBUS_PATH_CONFIG_HELPERrcr��HelperAddedr�)rQr��
config_helperrXrXrYrt�r�zFirewallDConfig._addHelpercCr�r)rcr�r�r5rUr��rQr�r}rXrXrYr��r�zFirewallDConfig._updateHelpercCr�r)rcr�r�r�r�r�r�rXrXrYr�r�zFirewallDConfig.removeHelpercCs�|j��rQ|durt�d�dSt��}t||�}|j�d|�r"dSt||�}|j�d|�r0dSt	|�}|j�d|�r=dSt
||�}|j�d|�rKdSttj
d��dS)Nz&Lockdown not possible, sender not set.�context�uid�user�commandzlockdown is enabled)r�lockdown_enabledrr�rO�	SystemBusr�access_checkrrrr!r �
ACCESS_DENIED)rQ�sender�busr�r�r�r�rXrXrY�accessChecks&




�zFirewallDConfig.accessCheckcCs|dvrtj�d|��|j���|�}|dkr$|durtj}t�|�S|dkr9|dur0tj}nt	|�}t�
|�S|dkrM|durHtjrFdnd}t�|�S|dkra|dur\tjrZdnd}t�|�S|d	kru|durptj
rndnd}t�|�S|d
kr�|dur�tjr�dnd}t�|�S|dkr�|dur�tjr�dnd}t�|�S|dkr�|dur�tj}t�|�S|d
kr�|dur�tj}t�|�S|dkr�|dur�tj}t�|�S|dkr�|dur�tjr�dnd}t�|�S|dkr�|dur�tjr�dnd}t�|�S|dk�r|du�rtj�rdnd}t�|�SdS)N�
�DefaultZoner*r&r'r)r(r+r,r-r.r/r0r1�Dorg.freedesktop.DBus.Error.InvalidArgs: Property '%s' does not existr�r*r&�yes�nor'r)r(r+r,r-r.r/r0r1)rO�
exceptions�
DBusExceptionr�get_firewalld_conf�get�
FALLBACK_ZONE�String�FALLBACK_MINIMAL_MARK�int�Int32�FALLBACK_CLEANUP_ON_EXIT� FALLBACK_CLEANUP_MODULES_ON_EXIT�FALLBACK_LOCKDOWN�FALLBACK_IPV6_RPFILTER�FALLBACK_INDIVIDUAL_CALLS�FALLBACK_LOG_DENIED�FALLBACK_AUTOMATIC_HELPERS�FALLBACK_FIREWALL_BACKEND�FALLBACK_FLUSH_ALL_ON_RELOAD�FALLBACK_RFC3964_IPV4�FALLBACK_ALLOW_ZONE_DRIFTING)rQ�prop�valuerXrXrY�
_get_property)sz��














�zFirewallDConfig._get_propertycCsH|dkrt�|�|��S|dkrt�|�|��S|dkr$t�|�|��S|dkr0t�|�|��S|dkr<t�|�|��S|dkrHt�|�|��S|dkrTt�|�|��S|dkr`t�|�|��S|d	krlt�|�|��S|d
krxt�|�|��S|dkr�t�|�|��S|dkr�t�|�|��S|d
kr�t�|�|��Stj�d|��)Nr�r*r&r'r)r(r+r,r-r.r/r0r1r�)rOr�rr�r�r�)rQrrXrXrY�_get_dbus_propertyms>��z"FirewallDConfig._get_dbus_property�ss�v)�in_signature�
out_signatureNcCslt|t�}t|t�}t�d||�|tjjkr|�|�S|tjjtjj	fvr.tj
�d|��tj
�d|��)Nzconfig.Get('%s', '%s')r��Jorg.freedesktop.DBus.Error.UnknownInterface: Interface '%s' does not exist)r�strrr�rrOrPr	�DBUS_INTERFACE_CONFIG_DIRECT�DBUS_INTERFACE_CONFIG_POLICIESr�r�)rQ�interface_name�
property_namer�rXrXrY�Get�s$


�����zFirewallDConfig.Get�sza{sv}cCstt|t�}t�d|�i}|tjjkr dD]	}|�|�||<qn|tjjtjj	fvr+ntj
�d|��tj|dd�S)Nzconfig.GetAll('%s')r�r�sv��	signature)
rrrr�rrOrPrrrr�r��
Dictionary)rQrr��ret�xrXrXrYr��s"
����zFirewallDConfig.GetAll�ssv)rcCsZt|t�}t|t�}t|�}t�d|||�|�|�|tjjkr�|dvr�|dvr:|��dvr9t	t
jd||f��n0|dkrN|tjvrMt	t
jd||f��n|dkrb|tj
vrat	t
jd||f��ntj�d|��|j���||�|j����|�|||ig�dS|d	vr�dStj�d|��|tjjtjjfvr�tj�d|��tj�d
|��)Nzconfig.Set('%s', '%s', '%s'))	r&r'r)r(r+r,r.r/r0)r&r'r)r(r+r/r0)r�r��true�falsez'%s' for %sr,r.r�)r*r-r1r)rrrr�r�rrOrP�lowerr!r �
INVALID_VALUE�LOG_DENIED_VALUES�FIREWALL_BACKEND_VALUESr�r�r��set�writer�rr)rQrr�	new_valuer�rXrXrY�Set�s~

�
���
���
�������������zFirewallDConfig.Setzsa{sv}asrcCs.t|t�}t|�}t|�}t�d|||�dS)Nz*config.PropertiesChanged('%s', '%s', '%s')�rrrr�)rQr�changed_properties�invalidated_propertiesrXrXrYr��s
�z!FirewallDConfig.PropertiesChanged)r
cs`t�d�tt|��|j|j���}t||t	j
j�}t	j
jfD]}t
|||t�jt�j�}q|S)Nzconfig.Introspect())r�debug2r2r"�
Introspectr5r4�get_busrrrOrPrrr
�
deprecatedr)rQr��data�	interfacerVrXrYr+s
�
��zFirewallDConfig.IntrospectcCst�d�|j��j��S)Nz&config.policies.getLockdownWhitelist())rr�r�get_policies�lockdown_whitelist�
export_config�rQr�rXrXrY�getLockdownWhitelists
z$FirewallDConfig.getLockdownWhitelistcCsBt�d�t|�}|j��j�|i�|j��j��|��dS)Nz)config.policies.setLockdownWhitelist(...))	rr�rrr0r1�
import_configr$r��rQr�r�rXrXrY�setLockdownWhitelist"s

z$FirewallDConfig.setLockdownWhitelistcC�t�d�dS)Nz*config.policies.LockdownWhitelistUpdated()�rr�r�rXrXrYr�,sz(FirewallDConfig.LockdownWhitelistUpdatedcC�^t|�}t�d|�|�|�t|���}||dvr!ttj|��|d�	|�|�
|�dS)Nz1config.policies.addLockdownWhitelistCommand('%s')r�rrr�r�r�r4r!r �ALREADY_ENABLEDr�r7�rQr�r�r�rXrXrY�addLockdownWhitelistCommand3�
z+FirewallDConfig.addLockdownWhitelistCommandcC�^t|�}t�d|�|�|�t|���}||dvr!ttj|��|d�	|�|�
|�dS)Nz4config.policies.removeLockdownWhitelistCommand('%s')r�rrr�r�r�r4r!r �NOT_ENABLEDr�r7r=rXrXrY�removeLockdownWhitelistCommand@��
z.FirewallDConfig.removeLockdownWhitelistCommand�bcC�$t|�}t�d|�||��dvS)Nz3config.policies.queryLockdownWhitelistCommand('%s')r�rrr�r4)rQr�r�rXrXrY�queryLockdownWhitelistCommandN�
�z-FirewallDConfig.queryLockdownWhitelistCommand�ascC�t�d�|��dS)Nz.config.policies.getLockdownWhitelistCommands()r�rr�r4r3rXrXrY�getLockdownWhitelistCommandsW�
z,FirewallDConfig.getLockdownWhitelistCommandscCr:)Nz1config.policies.addLockdownWhitelistContext('%s')r#r;�rQr�r�r�rXrXrY�addLockdownWhitelistContext`r?z+FirewallDConfig.addLockdownWhitelistContextcCr@)Nz4config.policies.removeLockdownWhitelistContext('%s')r#rArOrXrXrY�removeLockdownWhitelistContextmrDz.FirewallDConfig.removeLockdownWhitelistContextcCrF)Nz3config.policies.queryLockdownWhitelistContext('%s')r#rG)rQr�r�rXrXrY�queryLockdownWhitelistContext{rIz-FirewallDConfig.queryLockdownWhitelistContextcCrK)Nz.config.policies.getLockdownWhitelistContexts()r#rLr3rXrXrY�getLockdownWhitelistContexts�rNz,FirewallDConfig.getLockdownWhitelistContextscCr:)Nz.config.policies.addLockdownWhitelistUser('%s')�r;�rQr�r�r�rXrXrY�addLockdownWhitelistUser�r?z(FirewallDConfig.addLockdownWhitelistUsercCr@)Nz1config.policies.removeLockdownWhitelistUser('%s')rTrArUrXrXrY�removeLockdownWhitelistUser�r?z+FirewallDConfig.removeLockdownWhitelistUsercCrF)Nz0config.policies.queryLockdownWhitelistUser('%s')rTrG)rQr�r�rXrXrY�queryLockdownWhitelistUser��z*FirewallDConfig.queryLockdownWhitelistUsercCrK)Nz+config.policies.getLockdownWhitelistUsers()rTrLr3rXrXrY�getLockdownWhitelistUsers�rNz)FirewallDConfig.getLockdownWhitelistUsers�icCr:)Nz+config.policies.addLockdownWhitelistUid(%d)�r;�rQr�r�r�rXrXrY�addLockdownWhitelistUid�r?z'FirewallDConfig.addLockdownWhitelistUidcCr@)Nz.config.policies.removeLockdownWhitelistUid(%d)r\rAr]rXrXrY�removeLockdownWhitelistUid�r?z*FirewallDConfig.removeLockdownWhitelistUidcCrF)Nz-config.policies.queryLockdownWhitelistUid(%d)r\rG)rQr�r�rXrXrY�queryLockdownWhitelistUid�rYz)FirewallDConfig.queryLockdownWhitelistUid�aicCrK)Nz*config.policies.getLockdownWhitelistUids()r\rLr3rXrXrY�getLockdownWhitelistUids�rNz(FirewallDConfig.getLockdownWhitelistUids�aocC�t�d�|jS)z"list ipsets objects paths
        zconfig.listIPSets())rr�r[r3rXrXrY�
listIPSets��
zFirewallDConfig.listIPSetscC�0t�d�g}|jD]	}|�|jj�q
t|�S)zget ipset names
        zconfig.getIPSetNames())rr�r[r�r�r�rH)rQr�r[r�rXrXrY�
getIPSetNames��


zFirewallDConfig.getIPSetNames�ocC�Bt|t�}t�d|�|jD]}|jj|kr|Sqttj	|��)z-object path of ipset with given name
        zconfig.getIPSetByName('%s'))
rrrr�r[r�r�r!r �
INVALID_IPSET)rQryr�r�rXrXrY�getIPSetByName��

�zFirewallDConfig.getIPSetByNamecC�Dt|t�}t|�}t�d|�|�|�|j�||�}|�|�}|S)z/add ipset with given name and settings
        zconfig.addIPSet('%s'))rrrr�r�r�	new_ipsetrh)rQryr�r�r�r�rXrXrY�addIPSet�


zFirewallDConfig.addIPSetcC�t|t�}t�d|�dS)Nzconfig.IPSetAdded('%s')r')rQryrXrXrYr��
zFirewallDConfig.IPSetAddedcCrd)z%list icmptypes objects paths
        zconfig.listIcmpTypes())rr�r]r3rXrXrY�
listIcmpTypesrfzFirewallDConfig.listIcmpTypescCrg)zget icmptype names
        zconfig.getIcmpTypeNames())rr�r]r�r�r�rH)rQr�r]r�rXrXrY�getIcmpTypeNames$riz FirewallDConfig.getIcmpTypeNamescCrk)z0object path of icmptype with given name
        zconfig.getIcmpTypeByName('%s'))
rrrr�r]r�r�r!r �INVALID_ICMPTYPE)rQrzr�r�rXrXrY�getIcmpTypeByName/rnz!FirewallDConfig.getIcmpTypeByNamecCro)z2add icmptype with given name and settings
        zconfig.addIcmpType('%s'))rrrr�r�r�new_icmptyperk)rQrzr�r�r�r�rXrXrY�addIcmpType<rrzFirewallDConfig.addIcmpTypecC�t�d|�dS)Nzconfig.IcmpTypeAdded('%s')r9)rQrzrXrXrYr�K�zFirewallDConfig.IcmpTypeAddedcCrd)z$list services objects paths
        zconfig.listServices())rr�r_r3rXrXrY�listServicesRrfzFirewallDConfig.listServicescCrg)zget service names
        zconfig.getServiceNames())rr�r_r�r�r�rH)rQr�r_r�rXrXrY�getServiceNamesZrizFirewallDConfig.getServiceNamescCrk)z/object path of service with given name
        zconfig.getServiceByName('%s'))
rrrr�r_r�r�r!r �INVALID_SERVICE)rQr{r�r�rXrXrY�getServiceByNameernz FirewallDConfig.getServiceByNamezs(sssa(ss)asa{ss}asa(ss))cCro)�1add service with given name and settings
        zconfig.addService('%s'))rrrr�r�r�new_servicern�rQr{r�r�r�r�rXrXrY�
addServicerrrzFirewallDConfig.addServicezsa{sv}cCro)r�zconfig.addService2('%s'))rrrr�r�r�new_service_dictrnr�rXrXrY�addService2�rrzFirewallDConfig.addService2cCr{)Nzconfig.ServiceAdded('%s')r9)rQr{rXrXrYr��r|zFirewallDConfig.ServiceAddedcCrd)z!list zones objects paths
        zconfig.listZones())rr�rar3rXrXrY�	listZones�rfzFirewallDConfig.listZonescCrg)zget zone names
        zconfig.getZoneNames())rr�rar�r�r�rH)rQr�rar�rXrXrY�getZoneNames�rizFirewallDConfig.getZoneNamescCrk)z,object path of zone with given name
        zconfig.getZoneByName('%s'))
rrrr�rar�r�r!r �INVALID_ZONE)rQr|r�r�rXrXrY�
getZoneByName�rnzFirewallDConfig.getZoneByNamecC�vt|t�}t�d|�g}|jD]}||jjvr|�|jj�qt	|�dkr3d�
|�d|t	|�fS|r9|dSdS)z4name of zone the given interface belongs to
        zconfig.getZoneOfInterface('%s')r#� zE  (ERROR: interface '%s' is in %s zone XML files, can be only in one)rr�)rrrr�rar��
interfacesr�r�r��join)rQ�ifacer�rr�rXrXrY�getZoneOfInterface��

�
��z"FirewallDConfig.getZoneOfInterfacecCr�)z1name of zone the given source belongs to
        zconfig.getZoneOfSource('%s')r#r�zB  (ERROR: source '%s' is in %s zone XML files, can be only in one)rr�)rrrr�rar��sourcesr�r�r�r�)rQ�sourcer�rr�rXrXrY�getZoneOfSource�r�zFirewallDConfig.getZoneOfSourcez's(sssbsasa(ss)asba(ssss)asasasasa(ss)b)cCsht|t�}t|�}t�d|�|�|�|ddkr&t|�}t|d<t|�}|j�	||�}|�
|�}|S)�.add zone with given name and settings
        �config.addZone('%s')��default)rrrr�r�r�r�tupler�new_zonerq)rQr|r�r��	_settingsr�r�rXrXrY�addZone�s


zFirewallDConfig.addZonecCs`t|t�}t|�}t�d|�|�|�d|vr"|ddkr"t|d<|j�||�}|�|�}|S)r�r��targetr�)	rrrr�r�rr�
new_zone_dictrq)rQr|r�r�r�r�rXrXrY�addZone2�s


zFirewallDConfig.addZone2cCr{)Nzconfig.ZoneAdded('%s')r9)rQr|rXrXrYr�r|zFirewallDConfig.ZoneAddedcCrd)z$list policies objects paths
        zconfig.listPolicies())rr�rer3rXrXrY�listPoliciesrfzFirewallDConfig.listPoliciescCrg)zget policy names
        zconfig.getPolicyNames())rr�rer�r�r�rH)rQr��policiesr�rXrXrY�getPolicyNamesrizFirewallDConfig.getPolicyNamescCrk)z.object path of policy with given name
        zconfig.getPolicyByName('%s'))
rrrr�rer�r�r!r �INVALID_POLICY)rQr~r�r�rXrXrY�getPolicyByNamernzFirewallDConfig.getPolicyByNamecCro)z0add policy with given name and settings
        zconfig.addPolicy('%s'))rrrr�r�r�new_policy_object_dictrw)rQr~r�r�r�r�rXrXrY�	addPolicy+rrzFirewallDConfig.addPolicycCr{)Nzconfig.PolicyAdded('%s')r9)rQr~rXrXrYr�:r|zFirewallDConfig.PolicyAddedcCrd)z#list helpers objects paths
        zconfig.listHelpers())rr�rcr3rXrXrY�listHelpersCrfzFirewallDConfig.listHelperscCrg)zget helper names
        zconfig.getHelperNames())rr�rcr�r�r�rH)rQr�rcr�rXrXrY�getHelperNamesKrizFirewallDConfig.getHelperNamescCrk)z.object path of helper with given name
        zconfig.getHelperByName('%s'))
rrrr�rcr�r�r!r �INVALID_HELPER)rQr}r�r�rXrXrY�getHelperByNameVrnzFirewallDConfig.getHelperByNamecCro)z0add helper with given name and settings
        zconfig.addHelper('%s'))rrrr�r�r�
new_helperrt)rQr}r�r�r�r�rXrXrY�	addHelpercrrzFirewallDConfig.addHelpercCrs)Nzconfig.HelperAdded('%s')r')rQr}rXrXrYr�rrtzFirewallDConfig.HelperAddedcCst�d�|j����S)Nzconfig.direct.getSettings())rr�r�
get_directr2r3rXrXrYr�{s
zFirewallDConfig.getSettingscCs>t�d�t|�}|j���|i�|j����|��dS)Nzconfig.direct.update())rr�rrr�r5r$r�r6rXrXrYr��s

zFirewallDConfig.updatecCr8)Nzconfig.direct.Updated()r9r�rXrXrYr��szFirewallDConfig.Updated�ssscCs�t|�}t|�}t|�}t�d|||f�|�|�t|||f�}t|���}||dvr9ttj	d|||f��|d�
|�|�|�dS)Nz(config.direct.addChain('%s', '%s', '%s')rz chain '%s' already is in '%s:%s')rrr�r�r�r�r�r!r r<r�r��rQ�ipv�table�chainr��idxr�rXrXrY�addChain�s"�
��zFirewallDConfig.addChaincCs�t|�}t|�}t|�}t�d|||f�|�|�t|||f�}t|���}||dvr9ttj	d|||f��|d�
|�|�|�dS)Nz+config.direct.removeChain('%s', '%s', '%s')rzchain '%s' is not in '%s:%s')rrr�r�r�r�r�r!r rBr�r�r�rXrXrY�removeChain�s"�
��zFirewallDConfig.removeChaincCsJt|�}t|�}t|�}t�d|||f�t|||f�}||��dvS)Nz*config.direct.queryChain('%s', '%s', '%s')r)rrr�r�r�)rQr�r�r�r�r�rXrXrY�
queryChain�s�zFirewallDConfig.queryChaincCsbt|�}t|�}t�d||f�g}|��dD]}|d|kr.|d|kr.|�|d�q|S)Nz#config.direct.getChains('%s', '%s')rr#rT�rrr�r�r�)rQr�r�r�rr�rXrXrY�	getChains�s�zFirewallDConfig.getChainsr�za(sss)cCrK)Nzconfig.direct.getAllChains()r�rr�r�r3rXrXrY�getAllChains��
zFirewallDConfig.getAllChains�sssiasc	
Cs�t|�}t|�}t|�}t|�}t|�}t�d||||d�|�f�|�|�|||||f}t|���}||dvrGttj	d||||f��|d�
|�|�t|��dS)Nz1config.direct.addRule('%s', '%s', '%s', %d, '%s')�','r#z"rule '%s' already is in '%s:%s:%s')
rrr�r�r�r�r�r!r r<r�r�r��	rQr�r�r��priorityrSr�r�r�rXrXrY�addRule��&�

��zFirewallDConfig.addRulec	
Cs�t|�}t|�}t|�}t|�}t|�}t�d||||d�|�f�|�|�|||||f}t|���}||dvrGttj	d||||f��|d�
|�|�t|��dS)Nz4config.direct.removeRule('%s', '%s', '%s', %d, '%s')r�r#zrule '%s' is not in '%s:%s:%s')
rrr�r�r�r�r�r!r rBr�r�r�r�rXrXrY�
removeRule�r�zFirewallDConfig.removeRulec
Csdt|�}t|�}t|�}t|�}t|�}t�d||||d�|�f�|||||f}||��dvS)Nz3config.direct.queryRule('%s', '%s', '%s', %d, '%s')r�r#�rrr�r�r�)rQr�r�r�r�rSr�r�rXrXrY�	queryRules�zFirewallDConfig.queryRulecCs�t|�}t|�}t|�}t�d|||f�|�|�t|���}|ddd�D]}|||f|d|d|dfkrB|d�|�q)|�t|��dS)Nz+config.direct.removeRules('%s', '%s', '%s')r#rrT)	rrr�r�r�r�r�r�r�)rQr�r�r�r�r��rulerXrXrY�removeRules s�
 �zFirewallDConfig.removeRulesza(ias)cCs�t|�}t|�}t|�}t�d|||f�g}|��dD]}|d|kr=|d|kr=|d|kr=|�|d|df�q|S)Nz(config.direct.getRules('%s', '%s', '%s')r#rrTr\r�r�)rQr�r�r�r�rr�rXrXrY�getRules1s�$�zFirewallDConfig.getRulesz	a(sssias)cCrK)Nzconfig.direct.getAllRules()r#r�r3rXrXrY�getAllRulesAr�zFirewallDConfig.getAllRules�sascCs�t|�}t|�}t�d|d�|�f�|�|�||f}t|���}||dvr3ttj	d||f��|d�
|�|�|�dS)Nz(config.direct.addPassthrough('%s', '%s')r�rT�passthrough '%s', '%s')rrr�r�r�r�r�r!r r<r�r��rQr�rSr�r�r�rXrXrY�addPassthroughK��

�zFirewallDConfig.addPassthroughcCs�t|�}t|�}t�d|d�|�f�|�|�||f}t|���}||dvr3ttj	d||f��|d�
|�|�|�dS)Nz+config.direct.removePassthrough('%s', '%s')r�rTr�)rrr�r�r�r�r�r!r rBr�r�r�rXrXrY�removePassthrough^r�z!FirewallDConfig.removePassthroughcCs@t|�}t|�}t�d|d�|�f�||f}||��dvS)Nz*config.direct.queryPassthrough('%s', '%s')r�rTr�)rQr�rSr�r�rXrXrY�queryPassthroughps�z FirewallDConfig.queryPassthrough�aascCsJt|�}t�d|�g}|��dD]}|d|kr"|�|d�q|S)Nz#config.direct.getPassthroughs('%s')rTrr#r�)rQr�r�rr�rXrXrY�getPassthroughs|s�zFirewallDConfig.getPassthroughsza(sas)cCrK)Nz"config.direct.getAllPassthroughs()rTr�r3rXrXrY�getAllPassthroughs�r�z"FirewallDConfig.getAllPassthroughsr)��__name__�
__module__�__qualname__�__doc__�
persistentrrO�PK_ACTION_CONFIG�default_polkit_auth_requiredrr3r6r�r�r7rkr�r�rnr�r�rqr�r�rwr�r�rhr�r�rtr�r�rr�rr	r	�PROPERTIES_IFACErr�rr&r{�signalr��PK_ACTION_INFO�INTROSPECTABLE_IFACEr+rr�DBUS_SIGNATUREr4r7r�r>rCrHrMrPrQrRrSrVrWrXrZr^r_r`rbrPrerhrmrrqr�rurvrxrrzr�r}r~r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�rr�r�r
rrr�r�rr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r��
__classcell__rXrXrVrYr"<sT-






























C
 ��
<

���
����
����
�
���
�
��
	�
�
	�
�
	�
��
	�

�
���

	�
�
	�
�
�
�

�
�
�
	�

�
�
�
�
�

�
�
�
�
�
�
	�r")7rFrO�dbus.service�firewallr�firewall.core.baser�firewall.core.watcherr�firewall.core.loggerr�firewall.server.dbusr�firewall.server.decoratorsrrr	r
rr�firewall.server.config_icmptyper
�firewall.server.config_servicer�firewall.server.config_zoner�firewall.server.config_policyr�firewall.server.config_ipsetr�firewall.server.config_helperr�firewall.core.io.icmptyper�firewall.core.io.ipsetr�firewall.core.io.helperr�#firewall.core.io.lockdown_whitelistr�firewall.core.io.directr�firewall.dbus_utilsrrrrrrrrr �firewall.errorsr!r"rXrXrXrY�<module>s0 (