????

Your IP : 18.190.219.46

Current Path : /lib/python3.6/site-packages/firewall/core/io/__pycache__/
Upload File :
Current File : //lib/python3.6/site-packages/firewall/core/io/__pycache__/policy.cpython-36.pyc

3

@)�fϢ�@s dddgZddljZddlZddlZddlZddlmZddlm	Z	m
Z
ddlmZmZm
Z
ddlmZmZmZdd	lmZmZmZmZmZmZdd
lmZddlmZddlmZdd
lmZdd�Z dd�Z!dd�Z"dd�Z#dd�Z$Gdd�de�Z%Gdd�de�Z&ddd�Z'ddd�Z(dS) �Policy�
policy_reader�
policy_writer�N)�config)�checkIP�checkIP6)�uniqify�max_policy_name_len�portStr)�DEFAULT_POLICY_TARGET�POLICY_TARGETS�DEFAULT_POLICY_PRIORITY)�	IO_Object�IO_Object_ContentHandler�IO_Object_XMLGenerator�
check_port�check_tcpudp�check_protocol)�rich)�log)�errors)�
FirewallErrorc	Cs�|dkr�n�|dkr�n�|dkr�|jr`|jjrJtjdt|j��d|_dStj|d�|j_dS|d|jj	kr�|jj	j
|d�ntjd|d��n|dk�rN|jr�|jjr�tjdt|j��d|_dStj|d|d	�|j_dSt|d�t
|d	�t|dd
�|d	f}||jjk�r4|jjj
|�ntjd|d|d	��nN|d	k�r�|j�r�|jj�r�tjdt|j��d|_dStj|d�|j_nBt|d�|d|jjk�r�|jjj
|d�ntjd
|d��n�|dk�rh|j�r.|jj�rtjdt|j��d|_dStj|d�|j_dS|d|jjk�rT|jjj
|d�ntjd|d��n4|dk�r�|j�r�|jj�r�tjdt|j��d|_dStj|d�|j_dStjd|d��n�|dk�r2|j�r|jj�rtjdt|j��d|_dStj�|j_n|jj�r&tjd�nd|j_�nj|dk�r�d}d|k�rR|d}d}d|k�rh|d}|j�r�|jj�r�tjdt|j��d|_dStj|d|d	||�|j_dSt|d�t
|d	�|�r�t|�|�r
t|��r
t|��r
ttjd|��t|dd
�|d	t|d
�t|�f}||jjk�rL|jjj
|�n6tjd|d|d	|�rld|nd|�r|d|nd��n|dk�r@|j�r�|jj�r�tjdt|j��d|_dStj|d|d	�|j_dSt|d�t
|d	�t|dd
�|d	f}||jj k�r&|jj j
|�ntjd|d|d	��n\|dk�r�|j�sftjd�d|_dS|jj!�r�tjd t|j��dSd!}d}d"|k�r�|d"}d}d#|k�r�|d#}d$|k�r�|d$j"�dLk�r�d}tj#|||�|j_!�n�|dMk�r�|j�stjd+�d|_dS|jj$�r0tjd,�d|_dS|d'k�rHtj%�|j_$nh|d(k�rxd}	d-|k�rh|d-}	tj&|	�|j_$n8|d)k�r�tj'�|j_$n |d*k�r�|d.}
tj(|
�|j_$|jj$|_)�n�|d/k�r^|j�s�tjd0�dS|jj�r�tjd1�dSd}d2|k�r*|d2}|dNk�r*tjd;�d|_dSd<|k�r<|d<nd}tj*||�|j_|jj|_)�n>|d=k�r�|j�s~tjd>�dS|jj+�r�tjd?t|j��d|_dStj,�|j_+|jj+|_)n�|d@k�r,d}
dA}dB|k�r|dB}
|
dOk�rtjdE|dB�d|_dSdF|k�rt-|dF�}tj.|
|dG�|_np|dHk�r�|j)�sRtjdI�d|_dS|j)j/�rxtjdJt|j��d|_dS|d}tj0||j1dK��|j)_/nd!SdS)PN�short�description�servicez;Invalid rule: More than one element in rule '%s', ignoring.T�namez#Service '%s' already set, ignoring.�port�protocol�-z#Port '%s/%s' already set, ignoring.�valuez$Protocol '%s' already set, ignoring.z
icmp-blockz&icmp-block '%s' already set, ignoring.z	icmp-typez-Invalid rule: icmp-block '%s' outside of rule�
masqueradez!Masquerade already set, ignoring.zforward-port�zto-portzto-addrz#to-addr '%s' is not a valid addressz-Forward port %s/%s%s%s already set, ignoring.z >%sz @%szsource-portz*Source port '%s/%s' already set, ignoring.�destinationz)Invalid rule: Destination outside of rulez?Invalid rule: More than one destination in rule '%s', ignoring.F�address�ipset�invert�yes�true�accept�reject�drop�markz$Invalid rule: Action outside of rulez"Invalid rule: More than one action�type�setrz!Invalid rule: Log outside of rulezInvalid rule: More than one log�level�emerg�alert�crit�error�warning�notice�info�debugzInvalid rule: Invalid log level�prefix�auditz#Invalid rule: Audit outside of rulez9Invalid rule: More than one audit in rule '%s', ignoring.�ruler�family�ipv4�ipv6z&Invalid rule: Rule family "%s" invalid�priority)r:r=�limitz4Invalid rule: Limit outside of action, log and auditz9Invalid rule: More than one limit in rule '%s', ignoring.�burst)r&r')r(r)r*r+)r/r0r1r2r3r4r5r6)r;r<)2�_rule�elementrr3�str�_rule_errorr�Rich_Service�item�services�append�	Rich_Portrrr
�ports�
Rich_Protocolr�	protocols�Rich_IcmpBlock�icmp_blocks�
Rich_IcmpType�Rich_Masquerader �Rich_ForwardPortrrrr�INVALID_ADDR�
forward_ports�Rich_SourcePort�source_portsr"�lowerZRich_Destination�action�Rich_Accept�Rich_Reject�	Rich_Drop�	Rich_Mark�	_limit_okZRich_Logr8Z
Rich_Audit�int�	Rich_Ruler>Z
Rich_Limit�get)�objr�attrs�entry�to_portZto_addrr%r#r$Z_typeZ_setr.r7r:r=r�rc�/usr/lib/python3.6/policy.py�common_startElements�


















































recCs�|dkr�|js�y|jj�Wn6tk
rR}ztjd|t|j��WYdd}~XnLXt|j�|jjkr�|jj	j
|j�|jjj
t|j��ntjdt|j��d|_d|_n|dkr�d|_dS)Nr9z%s: %sz Rule '%s' already set, ignoring.Fr(r)r*r+rr8)r(r)r*r+rr8)rCr@Zcheck�	Exceptionrr3rBrE�	rules_str�rulesrGr[)r_r�ercrcrd�common_endElements&rjcCs�t|t�rdnd}|dkrT|jrT|jj�}x$|D]}||kr0ttjd|��q0W�n�|dkr�x$|D]}t|d�t|d�qbW�nb|dkr�x|D]}t	|�q�W�n@|d	kr�|jr�|jj
�}	x$|D]}
|
|	kr�ttjd
|
��q�W�n�|dk�r�x�|D]�}t|d�t|d�|d�r>|d
�r>ttjd|��|d�rTt|d�|d
r�t
|d
�r�t|d
�r�ttjd|d
��q�W�nT|dk�r�x&|D]}t|d�t|d��q�W�n|dk�r�x|D�]}tj|d�}
|j�r�|
j�r�t|
jtj��st|
jtj��r�|jj
�}	|
jj|	k�rLttjd
|
jj��nH|
j�r�|jj|
jj�}|j�r�|
j|jk�r�ttjd|
j|
jjf��nL|j�r�t|
jtj��r�|jj�}|
jj|k�r�ttjdj||j|
jj����q�WdS)NrZZonerFz '%s' not among existing servicesrIr�rKrMz"'%s' not among existing icmp typesrR��z$'%s' is missing to-port AND to-addr z#to-addr '%s' is not a valid addressrTrg�
rich_rules)�rule_strz3rich rule family '%s' conflicts with icmp type '%s'z){} '{}': '{}' not among existing services)rgrn)�
isinstancer�	fw_configZget_servicesrrZINVALID_SERVICErrrZ
get_icmptypesZINVALID_ICMPTYPE�INVALID_FORWARDrrrQrr]rArLrNrr:Zget_icmptyper"rD�format)r_rrE�
all_configZobj_typeZexisting_servicesrr�protoZexisting_icmptypesZicmptype�fwd_portr9Zobj_richZictrcrcrd�common_check_config2s�












 

rwcCs0d|ji}|j}|dk	r ||d<|jd|�dS)Nrr?r>)rr?�
simpleElement)�handlerr>�dr?rcrcrd�_handler_add_rich_limitxs

r{cCs�|jrF|jdkrF|jd�|jdi�|j|j�|jd�|jd�|jr�|jdkr�|jd�|jdi�|j|j�|jd�|jd�x6t|j�D](}|jd�|jdd|i�|jd�q�Wx@t|j	�D]2}|jd�|jd|d	|d
d��|jd�q�Wx8t|j
�D]*}|jd�|jdd
|i�|jd��qWx8t|j�D]*}|jd�|jdd|i�|jd��qLW|j�r�|jd�|jdi�|jd�x�t|j
�D]�}|jd�|d	|d
d�}|d�r�|ddk�r�|d|d<|d�r|ddk�r|d|d<|jd|�|jd��q�WxBt|j�D]4}|jd�|jd|d	|d
d��|jd��q>W�xT|jD�]H}i}|j�r�|j|d<|jd	k�r�t|j�|d<|jd�|jd|�|jd�|j�rVi}|jj�r�|jj|d<|jj�r|jj|d<|jj�r$|jj|d<|jj�r6d|d<|jd�|jd|�|jd�|j�r�i}|jj�rx|jj|d<|jj�r�|jj|d<|jj�r�d|d<|jd�|jd |�|jd�|j�rxd}	i}t|j�tjk�r�d}	|jj|d<�nbt|j�tjk�r(d}	|jj|d<|jj |d<�n0t|j�tj!k�rNd}	|jj"|d
<�n
t|j�tj#k�rfd}	n�t|j�tj$k�r�d}	|jj|d<n�t|j�tj%k�r�d!}	|jj|d<n�t|j�tj&k�rd}	|jj|d<|jj |d<|jj'dk�r�|jj'|d<|jj(dk�rX|jj(|d<nFt|j�tj)k�rBd}	|jj|d<|jj |d<nt*t+j,d"t|j���|jd�|j|	|�|jd�|j-�ri}|j-j.�r�|j-j.|d#<|j-j/�r�|j-j/|d$<|j-j0�r�|jd�|jd%|�|jd&�t1||j-j0�|jd'�|jd%�n|jd�|jd%|�|jd�|j2�r�i}|j2j0�rx|jd�|jd(i�|jd&�t1||j2j0�|jd'�|jd(�n|jd�|jd(|�|jd�|j3�r�d}
i}t|j3�tj4k�r�d)}
n|t|j3�tj5k�r�d*}
|j3j�r<|j3j|d+<nNt|j3�tj6k�rd,}
n6t|j3�tj7k�r*d-}
|j3j8|d.<nt-j9d/t|j3��|j3j0�r�|jd�|j|
|�|jd&�t1||j3j0�|jd'�|j|
�n|jd�|j|
|�|jd�|jd�|jd�|jd��q�WdS)0Nr!z  r�
rrrrrrk)rrrrz
icmp-blockr rlzto-portrmzto-addrzforward-portzsource-portr:r=r9r#�macr$�Truer%z    �sourcer"z	icmp-typez"Unknown element '%s' in obj_writerr7r.rz
      z
    r8r(r)r,r*r+r-zUnknown action '%s'):r�ignorableWhitespace�startElementZ
characters�
endElementrrrFrxrIrKrMr rRrTrhr:r=rBr�addrr}r$r%r"rAr,rrDrrHrrrJrrOrLrNrPrb�
to_addressrSrrZINVALID_OBJECTrr7r.r>r{r8rVrWrXrYrZr-r3)r_ryrrrZicmpZforwardr`r9rArVrcrcrd�
common_writer�s\




















































r�csPeZdZd7ZdZeZdgZd8d9d:d;d	dgfd
d<gfddgfd=dd>gfddgfddgfdd?gfd@ddgfddgffZdddgZ	dddgdgddgdgdgdddgddddgddgddddddgdgdgdgd�Z
ddgdd gd!dgd"d#d$d!d%gd"d$d%gd&d'gd(gd)gd*�Z�fd+d,�Zd-d.�Z
�fd/d0�Z�fd1d2�Zd3d4�Z�fd5d6�Z�ZS)Ari�i�r�versionr!rr�targetrFrIrMr FrRrnrKrTr=�
ingress_zones�egress_zones�_r�/Nrrrrr-)rr�policyrrz
icmp-blockz	icmp-typer zforward-portr9rr"rzsource-portrr8r(r)r*r+r>zingress-zonezegress-zonezto-portzto-addrr:r#r}r%r$r7r.r,r?)r�zforward-portr9rr"rr)r>cs�tt|�j�d|_d|_d|_t|_g|_g|_	g|_
g|_d|_g|_
g|_d|_g|_g|_d|_|j|_d|_g|_g|_dS)Nr!F)�superr�__init__r�rrrr�rFrIrKrMr rRrTrqrhrg�applied�priority_defaultr=Zderived_from_zoner�r�)�self)�	__class__rcrdr��s(zPolicy.__init__cCs�d|_d|_d|_t|_|jdd�=|jdd�=|jdd�=|jdd�=d|_	|j
dd�=|jdd�=d|_|j
dd�=|jdd�=d|_|j|_|jdd�=|jdd�=dS)Nr!F)r�rrrr�rFrIrKrMr rRrTrqrhrgr�r�r=r�r�)r�rcrcrd�cleanup�s$zPolicy.cleanupcs"|dkr|jSttt|�|�SdS)Nrn)rg�getattrr�r)r�r)r�rcrd�__getattr__�szPolicy.__getattr__csB|dkr,dd�|D�|_dd�|jD�|_ntt|�j||�dS)NrncSsg|]}tj|d��qS))ro)rr])�.0�srcrcrd�
<listcomp>�sz&Policy.__setattr__.<locals>.<listcomp>cSsg|]}t|��qSrc)rB)r�r�rcrcrdr��s)rhrgr�r�__setattr__)r�rr)r�rcrdr��szPolicy.__setattr__c
Cst||||�|dkr2|tkr.ttjd|���n�|dkrz||jksX||jksX||jkrvttjd||j|j|jf���n�|dk�rhddg}|j	r�||j	j
�7}x�|D]�}||kr�ttjd	|��|dkr�tddg�t|�@�s�|dk�rt|�t|g��rttjd
|��|dkr�|dk�r8d|k�r8d|dk�sT|dkr�d|kr�d|dkr�ttjd��q�W�n�|dk�r|�rd|k�r�d|dk�r�ttjd
��nxd|k�rd|dk�r�ttjd��xR|dD]F}|dk�rސq�|j	j
|�}|j	�r�d|j	j|�k�r�ttjd���q�W�n�|dk�r4�x�|D�]}tj|d�}|j�r�t|jtj��r�d|k�r|d|dk�r|ttjd
��nxd|k�r,d|dk�r�ttjd��xR|dD]F}|dk�r��q�|j	j
|�}|j	�r�d|j	j|�k�r�ttjd���q�W�q,|j�r�t|jtj��r�d|k�r,d|dk�r@|jj�r�ttjd��nt|d�r,|jj�s`ttjd��d|dk�r,x�|dD]8}|j	j
|�}|j	�rxd|j	j|�k�rxttjd���qxWnv|j�r,t|jtj��r,d|k�r,xR|dD]F}|dk�r�q�|j	j
|�}|j	�r�d|j	j|�k�r�ttjd���q�W�q,Wn�|dk�rx�|D]�}	d|k�rnd|dk�rnttjd��n�d|k�rDd|dk�r�|	d�rttjd��nt|d�rD|	d�s�ttjd��d|dk�rDxD|dD]8}|j	j
|�}|j	�r�d|j	j|�k�r�ttjd���q�W�qDWdS)Nr�z'%s' is invalid targetr=zQ%d is invalid priority. Must be in range [%d, %d]. The following are reserved: %sr�r��ANY�HOSTz'%s' not among existing zonesz>'%s' may only contain one of: many regular zones, ANY, or HOSTzF'HOST' can only appear in either ingress or egress zones, but not bothr z.'masquerade' is invalid for egress zone 'HOST'z/'masquerade' is invalid for ingress zone 'HOST'Z
interfaceszR'masquerade' cannot be used in a policy if an ingress zone has assigned interfacesrn)rozAA 'forward-port' with 'to-addr' is invalid for egress zone 'HOST'zC'forward-port' requires 'to-addr' if egress zone is 'ANY' or a zonezS'forward-port' cannot be used in a policy if an egress zone has assigned interfaceszR'mark' action cannot be used in a policy if an egress zone has assigned interfacesrRz1'forward-port' is invalid for ingress zone 'HOST'rm)r�r�)r�r�)r�r�)r�r�)rwrrr�INVALID_TARGET�priority_reserved�priority_max�priority_minZINVALID_PRIORITYrq�	get_zonesZINVALID_ZONEr-Zget_zoneZget_zone_config_dictrr]rArprOrPr�rrrVrZ)
r�rrErtZexisting_zones�zoneZz_objr9r_rvrcrcrd�
_check_config�s�






"
















zPolicy._check_configcs�tt|�j|�|jd�r,ttjd|��n�|jd�rHttjd|��n�|jd�dkrhttjd|��njd|kr�|d|j	d��}n|}t
|�t�kr�ttjd|t
|�t�f��|jr�||jj
�kr�ttjd��dS)Nr�z'%s' can't start with '/'z'%s' can't end with '/'rkzmore than one '/' in '%s'z&Policy of '%s' has %d chars, max is %dz,Policies can't have the same name as a zone.)r�r�
check_name�
startswithrr�INVALID_NAME�endswith�count�find�lenr	rqr�Z
NAME_CONFLICT)r�rZchecked_name)r�rcrdr�,s*

zPolicy.check_namei���)r�r!)rr!)rr!)r�r!)r!r!)r F)r!r!r!r!)r!r!)r=r)�__name__�
__module__�__qualname__r�r�r
r�r�ZIMPORT_EXPORT_STRUCTUREZADDITIONAL_ALNUM_CHARSZPARSER_REQUIRED_ELEMENT_ATTRSZPARSER_OPTIONAL_ELEMENT_ATTRSr�r�r�r�r�r��
__classcell__rcrc)r�rdrZsr


^c@s$eZdZdd�Zdd�Zdd�ZdS)�policy_ContentHandlercCs"tj||�d|_d|_d|_dS)NF)rr�r@rCr[)r�rErcrcrdr�Hszpolicy_ContentHandler.__init__cCstj|||�|jrdS|jj||�t|||�r6dS|dkr�d|krR|d|j_d|krjt|d�|j_d|kr�|d}|t	kr�t
tj|��|r�||j_
�n^|dkr�|d|jjkr�|jjj|d�ntjd|d��n|dk�r |d|jjk�r|jjj|d�ntjd	|d�n�|d
k�r�|j�sFtjd�d|_dS|jj�rltjd
t|j��d|_dSd}d|k�r�|dj�dk�r�d}d}}}d|k�r�|d}d|k�r�|d}d|k�r�|d}tj||||d�|j_dStjd|�dSdS)Nr�r�r=r�zingress-zonerz(Ingress zone '%s' already set, ignoring.zegress-zonez'Egress zone '%s' already set, ignoring.rz$Invalid rule: Source outside of ruleTz:Invalid rule: More than one source in rule '%s', ignoring.Fr%r&r'r#r}r$)r%zUnknown XML element '%s')r&r')rr�rCrEZparser_check_element_attrsrer�r\r=rrrr�r�r�rGrr3r�r@rrBrUrZRich_Source)r�rr`r�r%r�r}r$rcrcrdr�Nsf








z"policy_ContentHandler.startElementcCstj||�t||�dS)N)rr�rj)r�rrcrcrdr��sz policy_ContentHandler.endElementN)r�r�r�r�r�r�rcrcrcrdr�Gs@r�Fc
Cst�}|jd�s ttjd|��|dd	�|_|s>|j|j�||_||_|j	t
j�rZdnd|_|j|_
t|�}tj�}|j|�d||f}t|d��b}tjd�}|j|�y|j|�Wn8tjk
r�}	zttjd|	j���WYdd}	~	XnXWdQRX~~|S)
Nz.xmlz'%s' is missing .xml suffix�FTz%s/%s�rbznot a valid policy file: %s���)rr�rrr�rr��filename�pathr�r�
ETC_FIREWALLDZbuiltin�defaultr��saxZmake_parserZsetContentHandler�openZInputSourceZ
setByteStream�parseZSAXParseExceptionZINVALID_POLICYZgetException)
r�r�Z
no_check_namer�ry�parserr�fr�msgrcrcrdr�s6




(c
Cs�|r|n|j}|jr$d||jf}nd||jf}tjj|�r�ytj|d|�Wn0tk
r�}ztj	d||�WYdd}~XnXtjj
|�}|jtj
�r�tjj|�r�tjjtj
�s�tjtj
d�tj|d�tj|ddd�}t|�}|j�i}|j�r|jd	k�r|j|d
<|j|jk�r0t|j�|d<|j|d<|jd
|�|jd�t||�x8t|j�D]*}	|jd�|jdd|	i�|jd��qfWx8t|j�D]*}	|jd�|jdd|	i�|jd��q�W|jd
�|jd�|j �|j!�~dS)Nz%s/%sz	%s/%s.xmlz%s.oldzBackup of file '%s' failed: %si�ZwtzUTF-8)�mode�encodingr!r�r=r�r�r|z  zingress-zonerzegress-zone)"r�r�r�os�exists�shutilZcopy2rfrr2�dirnamer�rr��mkdir�ior�rZ
startDocumentr�r=r�rBr�r�r�r�rr�rxr�r�ZendDocument�close)
r�r��_pathrr��dirpathr�ryr`r�rcrcrdr�sN 







)F)N))�__all__Zxml.saxr�r�r�r�ZfirewallrZfirewall.functionsrrrr	r
Zfirewall.core.baserrr
Zfirewall.core.io.io_objectrrrrrrZ
firewall.corerZfirewall.core.loggerrrZfirewall.errorsrrerjrwr{r�rr�rrrcrcrcrd�<module>s4

 F[nL