????

Your IP : 216.73.216.152

Current Path : /proc/self/root/proc/self/root/lib/python2.7/site-packages/firewall/core/
Upload File :
Current File : //proc/self/root/proc/self/root/lib/python2.7/site-packages/firewall/core/nftables.pyc

�
`q^c@srddlZddlmZmZddlmZddlmZddl	m
Z
mZmZm
Z
mZddlmZddlmZmZmZmZmZmZddlmZmZmZmZd	Zd
Ziiddefd
6d6iddefd
6d6iddefd
6ddefd6d6iddefd6ddefd6d6Ziid6id6id6Z ii"dd d!dd"d#gd$6dd d!gd!6dd d%gd%6dd d&gd&6dd d!dd"d'gd(6dd d!dd"d)gd*6dd d!dd"d+gd,6dd d-dd"d.gd/6dd d!dd"d0gd16dd d!dd"d.gd26dd d3dd"d.gd46dd d!dd"d5gd66dd d-dd"d7gd86dd d!dd"d9gd:6dd d!dd"d7gd;6dd d3gd36dd d!dd"d<gd=6dd d!dd"d>gd?6dd d!dd"d@gdA6dd d-gd-6dd d3dd"d.gdB6dd dCgdC6dd dDgdD6dd dEgdE6dd d!dd"dFgdG6dd dHgdH6dd dIgdI6dd dJgdJ6dd d-dd"d<gdK6dd d!dd"dLgdM6dd d-dd"d@gdN6dd d!dd"dOgdP6dd dHdd"d.gdQ6dd dHdd"d7gdR6dS6idTd d!dTd"d<gdU6dTd d3dTd"d7gdV6dTd d!dTd"d@gdW6dTd d!dTd"d.gd$6dTd d!gd!6dTd d%gd%6dTd d&gd&6dTd d!dTd"dFgdX6dTd dYgdZ6dTd d[gd\6dTd d!dTd"d7gd]6dTd d^gd^6dTd d3gd36dTd d!dTd"d'gd=6dTd d_gd-6dTd d!dTd"d9gd`6dTd dagdC6dTd dbgdD6dTd dHgdH6dTd dHdTd"d.gdQ6dTd dHdTd"d7gdR6dTd d3dTd"d.gdc6dTd d3dTd"d@gdd6de6Z!dfe"fdg��YZ#dS(hi����N(t	SHORTCUTStDEFAULT_ZONE_TARGET(trunProg(tlog(t	splitArgst	check_mactportStrtcheck_single_addresst
check_address(tconfig(t
FirewallErrort
UNKNOWN_ERRORtINVALID_RULEtINVALID_ICMPTYPEtINVALID_TYPEt
INVALID_ENTRY(tRich_AccepttRich_Rejectt	Rich_Dropt	Rich_Markt	firewalldi
t
preroutingi���t
PREROUTINGtrawij���tmanglei����tpostroutingidtPOSTROUTINGtnattinputitINPUTtforwardtFORWARDtfiltertinettiptip6ticmpttypesdestination-unreachabletcodet13scommunication-prohibiteds
echo-replysecho-requestt4sfragmentation-neededt14shost-precedence-violationt10shost-prohibitedtredirectt1s
host-redirectt7shost-unknownshost-unreachablesparameter-problems
ip-header-badt8snetwork-prohibitedt0snetwork-redirectt6snetwork-unknownsnetwork-unreachablet3sport-unreachablet15sprecedence-cutofft2sprotocol-unreachablesrequired-option-missingsrouter-advertisementsrouter-solicitations
source-quencht5ssource-route-faileds
time-exceededstimestamp-replystimestamp-requeststos-host-redirectt12stos-host-unreachablestos-network-redirectt11stos-network-unreachablesttl-zero-during-reassemblysttl-zero-during-transittipv4ticmpv6saddress-unreachables
bad-headersbeyond-scopes
failed-policysnd-neighbor-advertsneighbour-advertisementsnd-neighbor-solicitsneighbour-solicitationsno-routespacket-too-bigsnd-redirectsreject-routesnd-router-advertsnd-router-solicitsunknown-header-typesunknown-optiontipv6tnftablescBs�eZdZeZd�Zd�Zd�Zd�Zd�Z	d�Z
d�Zd2d�Z
d	�Zd
�Zd�Zd�Zd
d�Zd�Zedd�Zdd�Zdd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd�Zd2d2d�Z d2d2d�Z!d2d2d�Z"d�Z#d2d �Z$d2d!�Z%d"�Z&d2d#�Z'd$�Z(d2d%�Z)d&�Z*ed'�Z+d(�Z,d)�Z-d*�Z.d2d+�Z/d,�Z0d-�Z1d.�Z2d/�Z3d0�Z4d1�Z5RS(3R:cCsB||_tjd|_|j�g|_i|_i|_dS(Ntnft(t_fwR	tCOMMANDSt_commandtfill_existstavailable_tablestrule_to_handletrule_ref_count(tselftfw((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt__init__�s	
		cCs%tjj|j�|_t|_dS(N(tostpathtexistsR>tcommand_existstFalsetrestore_command_exists(RC((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR?�sc
Csnddg}|}|ddkrs|ddkrs|}d|d<t|j||�\}}|dkrsdSnd}|ddkr|ddkrt}|d}|d
dkryt|d�Wn tk
r�ttd��qX|jd
�|jd
�ndj	|�}nj|ddkr�|ddkr�t
}|d}dj	|�}ddg|dd!d|j|g}ndj	|�}	||jkre|r�|j|cd7<dS|r�|j|dkr�|j|cd8<dS|j|dkr|j|cd8<n tt
d||j|f��tjd|j|j||j|	�n|s�|r�|j|dks�|rj||jkrjtjd|j|j|	�t|j||�\}}|dkr�td|j|	|f��n|rj|rPd}
|j|
�t|
�}||j�|j|<d|j|<qg|j|=|j|=qjn|S(Ns--echos--handleitdeleteittabletlistttaddtinserttruleiitpositionisposition without a numbert ithandles)rule ref count bug: rule_key '%s', cnt %ds%s: rule ref cnt %d, %s %ss	%s: %s %ss'%s %s' failed: %ss	# handle (saddsinsert(RL(RR>tNonetTruetintt	ExceptionR
RtpoptjoinRJRARBRRtdebug2t	__class__t
ValueErrortindextlentstrip(RCtargstnft_optst_argst
_args_testtstatustoutputtrule_keytrule_addt	_args_strtstrtoffset((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt__run�sp 
 


 
	!
cCsAy|j|�}Wntk
r'tSX||||d+tSdS(Ni(R_R^RJRW(RCRRtpatterntreplacementti((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt
_rule_replace�s
cCs|}d|d<|S(NRLi((RCRbtret_args((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytreverse_rule�s
cCsttd��dS(Nsnot implemented(R
R(RCtrulest
log_denied((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt	set_rulesscCsd}d|ks*d|ks*d|kr3d}n-d|ksWd|ksWd|kr`d}n|j|dd	d
|ddg�|j|d
dddg�y|jd�}Wntk
r�nDX|dkr�dS|dkr�d|g|||d+n
|j|�|j|�S(NticmpxR7R"R$R9R#R8s
%%REJECT%%trejecttwithR%sadmin-prohibiteds%%ICMP%%tmetatl4protos{icmp, icmpv6}s%%LOGTYPE%%toffROtunicastt	broadcastt	multicasttpkttypei(R}R~R(RqR_R^RZt_nftables__run(RCRRRuticmp_keywordRp((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytset_rules$$	$	

cCs|r
|gStj�S(N(tIPTABLES_TO_NFT_HOOKtkeys(RCRM((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytget_available_tables+scCsPi|_i|_g}x1tj�D]#}|jdd|dtg�q%W|S(NRLRMs%s(RARBt
OUR_CHAINSR�tappendt
TABLE_NAME(RCRttfamily((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_flush_rules/s		!cCs�tdd}g}|dkr�|jddd|g�x�ddgD]:}d	|d
||dtdf}|jt|��qFWn5|d
kr�|jddd|g�n
ttd�|S(Nt_tpolicy_droptDROPRPRMR!RRgsMadd chain inet %s %s_%s '{ type filter hook %s priority %d ; policy drop ; }'Ri���itACCEPTRLsnot implemented(R�R�tNFT_HOOK_OFFSETRR
R(RCtpolicyt
table_nameRtthookt
_add_chain((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_set_policy_rules8s
cCsAt�}x+tj�D]}|jt|j��qWt|�S(N(tsettICMP_TYPES_FRAGMENTR�tupdateRN(RCt	supportedtipv((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytsupported_icmp_typesPs	cCsAg}x+tj�D]}|jd|tf�qWtt|�S(Nsadd table %s %s(R�R�R�R�tmapR(RCtdefault_tablesR�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_default_tablesZsR|c
Csg}t�tdd<x�tdj�D]�}|jdt|td|dtd|df�|jdt|f�|jdt|f�|jdt||f�|jd	t||f�tddjtd
|d|g��q(Wt�tdd<x�tdj�D]�}|jd
t|td|dtd|df�|jdt|f�|jdt|f�|jdt||f�|jdt||f�tddjtd
|d|g��qWt�tdd<t�tdd<x�ddgD]�}x�tdj�D]�}|jd|t|td|dtd|df�|jd|t|f�|jd|t|f�|jd|t||f�|jd|t||f�t|djtd
|d|g��q$Wq
Wt�tdd<xMtdj�D];}|jdt|td|dtd|df�q#W|jdtdf�|jdtdf�|jdtdf�|jd tdf�|jd!tddf�|jd"tddf�|d#kr|jd$tdf�n|jd%tdf�|d#krU|jd&tdf�n|jd'tdf�|jd(td)f�|jd*td)f�|jd+td)f�|jd,td)f�|jdtd)f�|jd td)f�|jd-td)d)f�|jd.td)d)f�|jd/td)d)f�|jd0td)d)f�|d#kr�|jd$td)f�n|jd%td)f�|d#kr�|jd&td)f�n|jd'td)f�td1d2d3d4d5d6g�tdd<tt|�S(7NR!Rs@add chain inet %s raw_%s '{ type filter hook %s priority %d ; }'iis%add chain inet %s raw_%s_ZONES_SOURCEsadd chain inet %s raw_%s_ZONESs0add rule inet %s raw_%s jump raw_%s_ZONES_SOURCEs)add rule inet %s raw_%s jump raw_%s_ZONESs%s_ZONES_SOURCEs%s_ZONESRsCadd chain inet %s mangle_%s '{ type filter hook %s priority %d ; }'s(add chain inet %s mangle_%s_ZONES_SOURCEs!add chain inet %s mangle_%s_ZONESs6add rule inet %s mangle_%s jump mangle_%s_ZONES_SOURCEs/add rule inet %s mangle_%s jump mangle_%s_ZONESR"RR#s;add chain %s %s nat_%s '{ type nat hook %s priority %d ; }'s#add chain %s %s nat_%s_ZONES_SOURCEsadd chain %s %s nat_%s_ZONESs.add rule %s %s nat_%s jump nat_%s_ZONES_SOURCEs'add rule %s %s nat_%s jump nat_%s_ZONESR sCadd chain inet %s filter_%s '{ type filter hook %s priority %d ; }'s(add chain inet %s filter_%s_ZONES_SOURCERs!add chain inet %s filter_%s_ZONESs>add rule inet %s filter_%s ct state established,related accepts,add rule inet %s filter_%s iifname lo accepts6add rule inet %s filter_%s jump filter_%s_ZONES_SOURCEs/add rule inet %s filter_%s jump filter_%s_ZONESR|s_add rule inet %s filter_%s ct state invalid %%%%LOGTYPE%%%% log prefix '"STATE_INVALID_DROP: "'s0add rule inet %s filter_%s ct state invalid dropsHadd rule inet %s filter_%s %%%%LOGTYPE%%%% log prefix '"FINAL_REJECT: "'sBadd rule inet %s filter_%s reject with icmpx type admin-prohibiteds+add chain inet %s filter_%s_IN_ZONES_SOURCERs$add chain inet %s filter_%s_IN_ZONESs,add chain inet %s filter_%s_OUT_ZONES_SOURCEs%add chain inet %s filter_%s_OUT_ZONESs9add rule inet %s filter_%s jump filter_%s_IN_ZONES_SOURCEs2add rule inet %s filter_%s jump filter_%s_IN_ZONESs:add rule inet %s filter_%s jump filter_%s_OUT_ZONES_SOURCEs3add rule inet %s filter_%s jump filter_%s_OUT_ZONEStINPUT_ZONES_SOURCEtINPUT_ZONEStFORWARD_IN_ZONES_SOURCEtFORWARD_IN_ZONEStFORWARD_OUT_ZONES_SOURCEtFORWARD_OUT_ZONES(	R�R�R�R�R�R�R�R�R(RCRut
default_rulestchainR�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_default_rules`s�	-	-		1	cCsY|dkrdddgS|dkr,dgS|dkrBddgS|d	krUdgSiS(
NR Rt
FORWARD_INtFORWARD_OUTRRRRR((RCRM((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytget_zone_table_chains�s

R!c	Cs�|dkrx|dkrxg}	|	j|j|||||||d��|	j|j|||||||d��|	Sidd6dd6dd	6dd
6dd6dd6|}
|t|�d
dkr�|t|�d
 d}ntjdt|d|�}|tkrd}nd}|rK|rKdd|dtd||fg}
nO|rwdd|dtd||fg}
n#dd|dtd||fg}
|dkr�|
|d||fg7}
n(|
|
d|d|d||fg7}
|
gS(NRR!R"R#tiifnameRtoifnameRRR�R�tOUTPUTit+t*R�tzonetgototjumpRQRRs%ss%s_%s_ZONESRPRLs%s_%ss"(textendt!build_zone_source_interface_rulesR`RtformatRR�(RCtenableR�tzone_targett	interfaceRMR�R�R�RttoptttargettactionRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR��s<	
&&#(cCs�|dkr�|dkr�g}td|�s9t|�rd|j|j||||||d��ntd|�st|�r�|j|j||||||d��n|Sidt6dt6|}	id	d
6dd6d	d
6d	d6dd6dd6|}
tjdt|d|�}|tkr+d}nd}|j	d�rl|t
d�}
|j|
�}d|
}nCt|�r�|
dkr�dSd}ntd|�r�d}nd}|	d|dtd||f||
||d||fg
}|gS(NRR!R7R"R9R#RPRLtsaddrRtdaddrRRR�R�R�R�R�R�R�sipset:t@ROtetherRRs%ss%s_%s_ZONES_SOURCEs%s_%s(
RRR�tbuild_zone_source_address_rulesRWRJRR�Rt
startswithR`t_set_get_familyR�(RCR�R�R�taddressRMR�R�Rttadd_delR�R�R�tipsettrule_familyRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR��sJ	
		
c	Cs.|dkr`|dkr`g}|j|j|||d��|j|j|||d��|Stjdt|d|�}t||jt|d|d|d	|g��g}|jd
d|dt	d||fg�|jd
d|dt	d
||fg�|jd
d|dt	d||fg�|jd
d|dt	d||fg�|jd
d|dt	d||fdd
||fg�|jd
d|dt	d||fdd||fg�|jd
d|dt	d||fdd||fg�|j
jj|j
}|j
j�dkr�|dkr�|d kr�|d!kr�|}|dkrud}n|jd
d|dt	d||fdddd||fg	�q�q�n|dkr*|d"kr*|d#kr*|jd
d|dt	d||f|dkr|j�ndg�n|S($NRR!R"R#R�R�s%s_logs%s_denys%s_allowRPs%ss%s_%ss	%s_%s_logs
%s_%s_denys%s_%s_allowRRR�R|R RR�R�R�tREJECTs
%%REJECT%%R�s%%LOGTYPE%%Rtprefixs"filter_%s_%s: "R�(sINPUTs
FORWARD_INsFORWARD_OUTsOUTPUT(R�s
%%REJECT%%sDROP(sACCEPTR�s
%%REJECT%%sDROP(sINPUTs
FORWARD_INsFORWARD_OUTsOUTPUT(R�tbuild_zone_chain_rulesRR�RR�R�R�R�R�R<R�t_zonesR�tget_log_deniedtlower(	RCR�RMR�R�Rtt_zoneR�t
log_suffix((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR�$s^


	
%cCs�iddddgd6ddddgd6ddddgd6ddddgd	6dddd
gd6dddd
gd6dd
dd
gd6dd
dd
gd6ddddgd6ddddgd6ddddgd6ddddgd6ddddgd6dd
ddgd6ddddgd6ddddgd6ddddgd6dd
ddgd6dd
ddgd 6dd
dd!gd"6dd
dd!gd!6dd#d$gd%6dd#d$gd&6}||S('NRyR$R%shost-prohibitedsicmp-host-prohibitedshost-prohibsnet-prohibitedsicmp-net-prohibiteds
net-prohibsadmin-prohibitedsicmp-admin-prohibitedsadmin-prohibR8sicmp6-adm-prohibitedsadm-prohibitedsnet-unreachablesicmp-net-unreachablesnet-unreachshost-unreachablesicmp-host-unreachableshost-unreachsport-unreachablesicmp-port-unreachablesicmp6-port-unreachableRwsport-unreachsprot-unreachablesicmp-proto-unreachables
proto-unreachsaddr-unreachablesicmp6-addr-unreachablesaddr-unreachsno-routesicmp6-no-routettcptresets	tcp-resetstcp-rst((RCtreject_typetfrags((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_reject_types_fragmentds2cCs�|s
gSidd6dd6dd6dd6}y|jjd	�}Wn tk
rdttd
��nXdd|jd
|!d	||j|dgS(Ntsecondtstminutetmthourthtdaytdt/sExpected '/' in limittlimittrateii(tvalueR_R^R
R(RCR�trich_to_nftRp((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_limit_fragment�s

cCs�|js
gSidt6dt6|}|dddtd||fg}||dg7}|jjr�|dd	|jjg7}n|jjr�|d
d	|jjg7}n||j|jj�7}|S(NRPRLRRR!s%ss	%s_%s_logRR�s"%s"tlevel(RRWRJR�R�R�R�R�(RCt	rich_ruleR�RMR�t
rule_fragmentR�RR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_log�s	cCs||js
gSidt6dt6|}|dddtd||fg}||ddd	g7}||j|jj�7}|S(
NRPRLRRR!s%ss	%s_%s_logRR�taudit(R�RWRJR�R�R�(RCR�R�RMR�R�R�RR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_audit�s	cCs�|js
gSidt6dt6|}t|j�tkrVd||f}dg}	nt|j�tkr�d||f}dg}	|jjr^|	|j|jj�7}	q^n�t|j�tkr�d||f}dg}	n~t|j�tkrBt	j
dtd	d
|�}d}d||f}dd
d|jjg}	nt
tdt|j���|dddt|g}
|
|7}
|
|j|jj�7}
|
|	7}
|
S(NRPRLs%s_%s_allowtaccepts
%s_%s_denyRxtdropR�RR�RRztmarkR�sUnknown action %sRRR!s%s(R�RWRJR%RRR�RRRR�RR�R
RR�R�R�(RCR�R�R�RMR�R�R�R�trule_actionRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_action�s6			

cCsS|s
gS|dkr#dddgS|dkr<dddgSttd|��dS(NR7RztnfprotoR9sInvalid family(R
R(RCtrich_family((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_family_fragment�s

cCsx|s
gSg}td|j�r2|dg7}n
|dg7}|jra|dd|jg7}n|d|jg7}|S(NR7R"R#R�s!=(Rtaddrtinvert(RCt	rich_destR�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_destination_fragment�s
	cCsJ|s
gSg}|jr�td|j�r;|dg7}n
|dg7}|jrj|dd|jg7}qF|d|jg7}n�t|d�r�|jr�|jr�|ddd|jg7}qF|dd|jg7}npt|d�rF|jrF|j|j�}|jr)||ddd	|jg7}qF||dd	|jg7}n|S(
NR7R"R#R�s!=tmacR�R�R�(R�RR�thasattrR�R�R�(RCtrich_sourceR�R�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_rich_rule_source_fragment�s(	
			 cCs�idt6dt6|}d}tjdtdd|�}	g}
|r_|
|j|j�7}
n|r�td|�r�|
dg7}
n
|
d	g7}
|
d
|g7}
n|r�|
|j|j	�7}
|
|j
|j�7}
n|
|ddt|d
�g7}
|
dddg7}
g}|r�|j
|j||||	|
��|j
|j||||	|
��|j
|j|||||	|
��n5|j
|dddtd||	fg|
dg�|S(NRPRLR R�RR�R7R"R#R�tdports%st-tcttstates
new,untrackedRRR!s%s_%s_allowR�(RWRJRR�RR�R�RR�tdestinationR�tsourceRR�R�R�R�R�(RCR�R�tprototportR�R�R�RMR�R�Rt((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_ports_ruless0
 ""(/cCs�idt6dt6|}d}tjdtdd|�}g}	|r_|	|j|j�7}	n|r�td|�r�|	dg7}	n
|	d	g7}	|	d
|g7}	n|r�|	|j|j�7}	|	|j|j	�7}	|	|j
|j�7}	ndd|g}	|	d
ddg7}	g}
|r�|
j|j
|||||	��|
j|j|||||	��|
j|j||||||	��n/|
j|dddtd|g|	dg�|
S(NRPRLR R�RR�R7R"R#R�RzR{R�R�s
new,untrackedRRR!s%ssfilter_%s_allowR�(RWRJRR�RR�R�RR�R�R�R�R�R�R�R�R�(RCR�R�tprotocolR�R�R�RMR�R�Rt((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_protocol_rules/s2
""()cCs�idt6dt6|}d}tjdtdd|�}	g}
|r_|
|j|j�7}
n|r�td|�r�|
dg7}
n
|
d	g7}
|
d
|g7}
n|r�|
|j|j	�7}
|
|j
|j�7}
n|
|ddt|d
�g7}
|
dddg7}
g}|r�|j
|j||||	|
��|j
|j||||	|
��|j
|j|||||	|
��n5|j
|dddtd||	fg|
dg�|S(NRPRLR R�RR�R7R"R#R�tsports%sR�R�R�s
new,untrackedRRR!s%s_%s_allowR�(RWRJRR�RR�R�RR�R�R�R�RR�R�R�R�R�(RCR�R�R�R�R�R�R�RMR�R�Rt((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_source_ports_rulesPs0
 ""(/c
Cs�idt6dt6|}tjdtdd|�}|dddtd	||g}	|r�td
|�ry|	dg7}	n
|	dg7}	|	d
|g7}	n|	ddt|d�g7}	|	dd|g7}	|	gS(NRPRLR�RR�RRR!s%ssraw_%s_allowR7R"R#R�R�R�R�thelper(RWRJRR�RR�RR(
RCR�R�R�R�R�thelper_nameR�R�RR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_helper_ports_rulesqs	
cCs�idt6dt6|}tjdtdd|�}g}|ro||j|j�7}||j|j�7}n|d|dt	d|g|d	d
ddggS(
NRPRLR�RR�RRs%ssnat_%s_allowR�s!=tlot
masquerade(
RWRJRR�RR�R�R�R�R�(RCR�R�R�R�R�R�R�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt _build_zone_masquerade_nat_rules�s	cCs�g}|rd|jr$|jdksB|jrdtd|jj�rd|j|j||d|��n�|r�|jr�|jdks�|jr�td|jj�r�|j|j||d|��n>|j|j||d|��|j|j||d|��idt6dt6|}tj	dt
dd	|�}g}|ro||j|j�7}||j
|j�7}n|j|d
ddtd
|g|ddddg�|S(NR9R#R7R"RPRLR�R�R�RRR!s%ssfilter_%s_allowR�R�s
new,untrackedR�(R�R�RR�R�R
RWRJRR�RR�R�R�R�R�(RCR�R�R�RtR�R�R�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_masquerade_rules�s&""	2c	Cs�idt6dt6|}tjdtdd|�}	g}
|rV|
dd|g7}
n|
ddg7}
|r�|d	kr�|
d
t|d�g7}
n|d|d
td|	dd|g||
gS(NRPRLR�RR�tdnatttoR+ROs:%sR�RRs%ssnat_%s_allowRzR{(RWRJRR�RRR�(RCR�R�Rt
mark_fragmentttoaddrttoportR�R�R�t
dnat_fragment((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt"_build_zone_forward_port_nat_rules�s	c
Cs{idt6dt6|}
d|}dd|g}tjdtdd|�}
g}|	r�||j|	j�7}||j|	j�7}||j	|	j
�7}ng}|j|
d	d
dtd|
g||d
|ddd|g�|	rC|	jr|	jdks|rCt
d|�rC|j|j||||||d��n�|	r�|	jra|	jdksv|r�t
d|�r�|j|j||||||d��n�|s�t
d|�r�|j|j||||||d��n|s�t
d|�r#|j|j||||||d��ntjdt|d|�}
|j|
d	d
dtd|
dddg|dg�|S(NRPRLs0x%xRzR�R�RR�RRR!s%ssmangle_%s_allowR�R�R9R#R7R"sfilter_%s_allowR�R�s
new,untrackedR�(RWRJRR�RR�R�R�R�R�R�R�R�RR�R(RCR�R�tfilter_chainR�RRRtmark_idR�R�tmark_strRR�R�Rt((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_forward_port_rules�sB
		2cCs<|t|krt||Sttd||jf��dS(Ns"ICMP type '%s' not supported by %s(R�R
R
tname(RCR�t	icmp_type((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_icmp_types_to_nft_fragment�scCs�d}idt6dt6|}|r9|jr9|j}n\|jr�g}d|jkrg|jd�nd|jkr�|jd�q�nddg}g}x/|D]'}	xddgD]}
tjdt|
d	|�}|jj	j
|�rd
||f}d}
nd||f}d
}
g}|rl||j|j�7}||j
|j�7}||j|j�7}n||j|	|j�7}|r8|j|j|||||��|j|j|||||��|jr|j|j||||||��q�|j|dddtd||fg|d
g�q�|jj�dkr�|
dkr�|j|dddt|g|dddd||fg�n|j|dddt|g||
g�q�Wq�W|S(NR RPRLR7R9RR�R�R�s%s_%s_allowR�s
%s_%s_denys
%%REJECT%%RRR!s%sR|s%%LOGTYPE%%RR�s"%s_%s_ICMP_BLOCK: "(RWRJtipvsR�R�RR�RR<R�tquery_icmp_block_inversionR�R�R�R�R�RRR�R�R�R�R�R�(RCR�R�tictR�RMR�RRtR�R�R�tfinal_chaintfinal_targetR�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_zone_icmp_block_rules�sT	
		""	(2!	-c	Cs�d}g}x�ddgD]�}tjdt|d|�}djddtd	||fd
d||fg�}|j|}|jjj|�r�d}	nd
}	|r�ddddtd	||fd|g}
n#ddddtd	||fg}
|
d|	g7}
|j	|
�|jjj|�r|jj
�dkr�|rpddddtd	||fd|g}
n#ddddtd	||fg}
|
ddddd||fg7}
|j	|
�q�qqW|S(NR RR�R�R�RTR!s%ss%s_%sR�s%s_%s_allows
%%REJECT%%R�RPRRRSRLs%%ICMP%%R|s%%LOGTYPE%%RR�s"%s_%s_ICMP_BLOCK: "(RR�RR[R�RAR<R�RR�R�(RCR�R�RMRtR�R�Rhtrule_handlet
ibi_targetRR((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt%build_zone_icmp_block_inversion_rules+s<	


	
cCs�g}|jddddtdddd	d
ddd
dddg�|dkr�|jddddtdddd	d
ddd
dddddg�n|jddddtdddddg	�|S(NRQRRR!s%ssraw_%sRRzR�R9tfibR�t.tiiftoiftmissingR�R|RR�s"rpfilter_DROP: "R8R%s){ nd-router-advert, nd-neighbor-solicit }R�traw_PREROUTINGR(R((R�R�(RCRuRt((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytbuild_rpfilter_rules]s	
cCs�d}tjdtdd|�}g}||j|j�7}||j|j�7}||j|j�7}g}|j	|j
|||||��|j	|j|||||��|j	|j||||||��|S(NR R�RR�(
RR�RR�R�R�R�R�R�R�R�R�R�(RCR�R�R�RMR�R�Rt((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt(build_zone_rich_source_destination_rulesns	""%cCs|dkrtStS(NR7R9teb(sipv4sipv6R+(RWRJ(RCR�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytis_ipv_supportedscCs;idd6dd6}i||gd6||ddgd6||dd	||gd
6||dd	||gd6||dgd
6||gd6||ddgd6||dd	||gd6||dd	||gd6||dgd6dgd6}ydg||dgSWn$tk
r6ttd|��nXdS(Nt	ipv4_addrR7t	ipv6_addrR9shash:ips. inet_protos. inet_serviceshash:ip,ports. inet_service .shash:ip,port,ipshash:ip,port,nets. markshash:ip,markshash:nets
hash:net,portshash:net,port,ipshash:net,port,nets. ifnameshash:net,ifacet
ether_addrshash:macR%t;s!ipset type name '%s' is not valid(tKeyErrorR
R(RCR�R%tipv_addrttypes((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_set_type_fragment�s(


c
Cs)|r+d|kr+|ddkr+d}nd}|dg}||j||�7}|r�d|kr�|d|dddg7}nd	|kr�|d
|d	dg7}q�n|s�d|kr�d|kr�|dd
dg7}n|dg7}x4dddgD]#}|jdd|tg|�q�WdS(NR�tinet6R9R7t{ttimeoutR�R0tmaxelemtsizet,tflagstintervalt}R!R"R#RPR�(R4R�R�(RCRR%toptionsR�tcmdR�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt
set_create�s "	
cCs:x3dddgD]"}|jdd|t|g�qWdS(NR!R"R#RLR�(R�R�(RCRR�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytset_destroy�scCs)|jjj|�jd�djd�}|jd�}t|�t|�krdttd��ng}x�tt|��D]�}||dkr�y||jd�}Wn(t	k
r�|dd||g7}qX|||| d|||dg7}n|j
||�|j
d�q}W|d S(	Nt:iR:s+Number of values does not match ipset type.R�R�R$i����(R<R�tget_typetsplitR`R
RtrangeR_R^R�(RCRtentryttype_formattentry_tokenstfragmentRpR_((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt_set_entry_fragment�s +
*cCsTxMdddgD]<}|jdd|t|dg|j||�dg�qWdS(NR!R"R#RPtelementR6R=(R�R�RJ(RCRRFR�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pytset_add�scCsTxMdddgD]<}|jdd|t|dg|j||�dg�qWdS(NR!R"R#RLRKR6R=(R�R�RJ(RCRRFR�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt
set_delete�scCs:x3dddgD]"}|jdd|t|g�qWdS(NR!R"R#tflushR�(R�R�(RCRR�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt	set_flush�scCsk|jjj|�}|jdkr-d}n:|jrad|jkra|jddkrad}nd}|S(Nshash:macR�R�R5R#R"(R<R�t	get_ipsetR%R>(RCRR�R�((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR��s		N(6t__name__t
__module__RRWtzones_supportedRER?R�RqRsRvR�RVR�R�R�R�R�R�R�RJR�R�R�R�R�R�R�R�R�R�R�RRRRR
RRRRRR"R)R*R,R4R@RARJRLRMROR�(((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyR:�sb			M										
	[	*1@	 			
	"	
		 " 		,	6	2								($tos.pathRFtfirewall.core.baseRRtfirewall.core.progRtfirewall.core.loggerRtfirewall.functionsRRRRRtfirewallR	tfirewall.errorsR
RRR
RRtfirewall.core.richRRRRR�R�R�R�R�tobjectR:(((s:/usr/lib/python2.7/site-packages/firewall/core/nftables.pyt<module>s�(."