

Current Path : /usr/lib/python2.7/site-packages/firewall/core/
Current File : //usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyc

�
`q^c@s�ddlZddlmZmZddlmZddlmZddl	m
Z
mZmZm
Z
mZmZddlmZddlmZmZmZddlmZmZmZmZddlZid	d
dgd6d
d
gd6d
dd	d
dgd6d
dd
gd6d	d
dgd6Zidd6dd6Zidd6dd6Zd�Zd�Z d�Z!de"fd��YZ#de#fd��YZ$dS( i����N(t	SHORTCUTStDEFAULT_ZONE_TARGET(trunProg(tlog(ttempFiletreadfilet	splitArgst	check_mactportStrtcheck_single_address(tconfig(t
FirewallErrortINVALID_PASSTHROUGHtINVALID_RULE(tRich_AccepttRich_Rejectt	Rich_Dropt	Rich_MarktINPUTtOUTPUTtFORWARDtsecurityt
PREROUTINGtrawtPOSTROUTINGtmangletnattfiltersicmp-host-prohibitedtipv4sicmp6-adm-prohibitedtipv6ticmps	ipv6-icmpcCs�idd6dd6dd6dd6dd6d	d
6}|}x�|D]�}y|j|�}Wntk
rmq>nX|dkr�yt||d�Wntk
r�q�X|j|d�n||||<q>W|S(
s Inverse valid rule s-Ds-As--deletes--appends-Is--inserts-Xs-Ns--delete-chains--new-chaini(s-Is--insert(tindext	Exceptiontinttpop(targstreplace_argstret_argstargtidx((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcommon_reverse_rule6s*



cCs�idd6dd6dd6dd6dd6d	d
6}|}x�|D]�}y|j|�}Wntk
rmq>nX|dkr�yt||d�Wntk
r�q�X|j|d�n||||<|SWttd��d
S(s Reverse valid passthough rule s-Ds-As--deletes--appends-Is--inserts-Xs-Ns--delete-chains--new-chainisno '-A', '-I' or '-N' argN(s-Is--insert(Rt
ValueErrorR!R"RR(R#R$R%txR'((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcommon_reverse_passthrough[s.



cCs�t|�}tddddddddd	d
ddd
dddddddg�}t||@�dkr�ttdt||@�d��ntddddddg�}t||@�dkr�ttd��ndS(sZ Check if passthough rule is valid (only add, insert and new chain
    rules are allowed) s-Cs--checks-Ds--deletes-Rs	--replaces-Ls--lists-Ss--list-ruless-Fs--flushs-Zs--zeros-Xs--delete-chains-Ps--policys-Es--rename-chainisarg '%s' is not alloweds-As--appends-Is--inserts-Ns--new-chainsno '-A', '-I' or '-N' argN(tsettlenRRtlist(R#tnot_allowedtneeded((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcommon_check_passthrough�s*		t	ip4tablescBs�eZdZdZeZd�Zd�Zd�Zd-d�Z
d�Zd�Zd�Z
d	�Zd
�Zd�Zd�Zd
�Zd�Zd�Zd-d�Zd�Zd�Zd�Zd�Zd�Zd�Zdd�Zd�Zed�Zd�Z d�Z!d�Z"d�Z#d�Z$d �Z%d!�Z&d"�Z'd-d-d#�Z(d-d-d$�Z)d-d-d%�Z*d&�Z+d-d'�Z,d-d(�Z-d-d)�Z.d*�Z/d+�Z0d,�Z1RS(.RR2cCsq||_tj|j|_tjd|j|_|j�|_|j�|_	|j
�g|_i|_dS(Ns
%s-restore(
t_fwR
tCOMMANDStipvt_commandt_restore_commandt_detect_wait_optiontwait_optiont_detect_restore_wait_optiontrestore_wait_optiontfill_existstavailable_tablest
our_chains(tselftfw((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt__init__�s	
	cCs4tjj|j�|_tjj|j�|_dS(N(tostpathtexistsR6tcommand_existsR7trestore_command_exists(R?((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR<�scCs�|jrB|j|krB|jgg|D]}d|^q(}ng|D]}d|^qI}tjd|j|jdj|��t|j|�\}}|dkr�td|jdj|�|f��n|S(Ns%ss	%s: %s %st is'%s %s' failed: %s(R9Rtdebug2t	__class__R6tjoinRR)(R?R#titemt_argststatustret((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt__run�s*%cCs�|dkr|Sg}x�|D]�}t}x�|D]�}y|j|�}Wntk
r\q0Xt|�|kr0d||dkr0t}||djd�}x3|D](}	|}
|	|
|d<|j|
�q�Wq0q0W|s|j|�qqW|S(s5Split values combined with commas for options in optst,iN(tNonetFalseRR)R-tTruetsplittappend(R?trulestoptst	out_rulestrulet	processedtopttititemsRKt_rule((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytsplit_value�s(


&
cCsAy|j|�}Wntk
r'tSX||||d+tSdS(Ni(RR)RRRS(R?RYtpatterntreplacementR\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt
_rule_replace�s
cCs|tko|t|kS(N(tBUILT_IN_CHAINS(R?R5ttabletchain((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytis_chain_builtin�scCsCd|g}|r"|jd�n
|jd�|j|�|gS(Ns-ts-Ns-X(RU(R?taddRdReRY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_chain_rules�s

cCsLd|g}|r.|d|t|�g7}n|d|g7}||7}|S(Ns-ts-Is-D(tstr(R?RgRdReRR#RY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt
build_rule�s
cCs
t|�S(N(R((R?R#((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytreverse_rulescCst|�dS(N(R1(R?R#((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcheck_passthroughscCs
t|�S(N(R+(R?R#((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytreverse_passthroughscCs�d}y|jd�}Wntk
r,n(Xt|�|dkrT||d}nd}xndddddd	gD]T}y|j|�}Wntk
r�qsXt|�|dkrs||d}qsqsW||fS(
NRs-tis-As--appends-Is--inserts-Ns--new-chain(RR)R-RQ(R?R#RdR\ReR[((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytpassthrough_parse_table_chains$
	
cCs�t�}i}x�|D]�}|}|j|dddt|jg�|j|dt|jg�y|jd�}Wntk
r�nLX|dkr�qn|d&kr�d
dd|g|||d
+n
|j|�d}xpddgD]b}	y|j|	�}Wntk
rq�Xt|�|d
kr�|j|�|j|�}q�q�Wxzt	t|��D]f}x]t
jD]R}
|
||krq||jd�o�||j
d�rqd||||<qqqqWqaW|j|g�j|�qWx�|D]�}||}|j|ddg�}|j|ddg�}|jd|�x(|D] }|jdj|�d�qGW|jd�q�W|j�tj|j�}tjd|j|jd|j|jf�g}|jr�|j|j�n|jd�t|j|d|j�\}
}tj�dkr�t|j�}|dk	r�d
}xc|D]X}tj!d ||fd!d
d"d#�|j
d�s�tj!d$d!d
�n|d
7}qNWq�ntj"|j�|
d#kr�td%|jdj|�|f��n|S('Ns
%%REJECT%%tREJECTs
--reject-withs%%ICMP%%s%%LOGTYPE%%tofftunicastt	broadcastt	multicasts-mtpkttypes
--pkt-typeiRs-ts--tablet"s"%s"s-ss--sources-ds
--destinations*%s
RGs
sCOMMIT
s	%s: %s %ss%s: %ds-ntstdinis%8d: %stnofmttnlits'%s %s' failed: %s(RqRrRs(#RRbtDEFAULT_REJECT_TYPER5tICMPRR)R"R-trangetstringt
whitespacet
startswithtendswitht
setdefaultRUR_twriteRJtcloseRBtstattnameRRHRIR7tst_sizeR;RtgetDebugLogLevelRRQtdebug3tunlink(R?RVt
log_deniedt	temp_filettable_rulesR^RYR\RdR[tcR�R#RMRNtlinestline((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt	set_rules!s~	

 


#



	

#cCs�|j|dddt|jg�|j|dt|jg�y|jd�}Wntk
rfnJX|dkrwdS|dkr�ddd
|g|||d+n
|j|�|j|�S(Ns
%%REJECT%%Ros
--reject-withs%%ICMP%%s%%LOGTYPE%%RpRyRqRrRss-mRts
--pkt-typei(sunicasts	broadcasts	multicast(RbRzR5R{RR)R"t_ip4tables__run(R?RYR�R\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytset_rule{s
 
cCs�g}|r|gn	tj�}x�|D]�}||jkrM|j|�q(y:|jd|ddg�|jj|�|j|�Wq(tk
r�tjd|j|f�q(Xq(W|S(Ns-ts-Ls-nsA%s table '%s' does not exist (or not enough permission to check).(	RctkeysR=RUR�R)Rtdebug1R5(R?RdRNttables((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytget_available_tables�s

"cCs�d}t|jdddg�}|ddkr�d}t|jdddg�}|ddkrkd}ntjd|j|j|�n|S(NRys-ws-Ls-nis-w10s%s: %s will be using %s option.(RR6RRHRI(R?R9RN((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR8�s	cCs�t�}|jd�|j�d}xlddgD]^}t|j|gd|j�}|ddkr3d|dkr3d	|dkr3|}Pq3q3Wtjd
|j|j|�t	j
|j�|S(Ns#fooRys-ws--wait=2Rvisinvalid optionisunrecognized options%s: %s will be using %s option.(RR�R�RR7R�RRHRIRBR�(R?R�R9ttest_optionRN((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR:�s	

 cCsQg}xDtj�D]6}x-dddgD]}|jd||g�q)WqW|S(Ns-Fs-Xs-Zs-t(RcR�RU(R?RVRdtflag((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_flush_rules�s
cCsdg}xWtj�D]I}|dkr+qnx.t|D]"}|jd|d||g�q6WqW|S(NRs-ts-P(RcR�RU(R?tpolicyRVRdRe((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_set_policy_rules�s$c
Cs{g}d}y1|jd|jdkr-dnddg�}WnGtk
r�}|jdkrrtjd|�q�tjd|�nX|j�}t}x�|D]�}|r.|j�j�}|j	�}xa|D]V}|j
d	�r|jd
�r|dd!}	n|}	|	|kr�|j|	�q�q�Wn|jdkrL|j
d
�sj|jdkr�|j
d�r�t
}q�q�W|S(sQReturn ICMP types that are supported by the iptables/ip6tables command and kernelRys-pRRs	ipv6-icmps--helpsiptables error: %ssip6tables error: %st(t)ii����sValid ICMP Types:RsValid ICMPv6 Types:(R�R5R)RR�t
splitlinesRRtstriptlowerRTRR�RURS(
R?RNtoutputtexR�tin_typesR�tsplitsRTR*((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytsupported_icmp_types�s4	


cCsgS(N((R?((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_default_tables�sRpcCsmi}g|d<t�|jd<xZtdD]N}|djd|�|djd||f�|jdjd|�q+Wg|d<t�|jd<x�tdD]�}|djd|�|djd||f�|jdjd|�|dkr�|djd|�|djd|�|djd	||f�|djd
||f�|jdjtd|d|g��q�q�Wg|d
<t�|jd
<x�td
D]�}|d
jd|�|d
jd||f�|jd
jd|�|dkr�|d
jd|�|d
jd|�|d
jd	||f�|d
jd
||f�|jd
jtd|d|g��q�q�Wg|d<t�|jd<x�tdD]�}|djd|�|djd||f�|jdjd|�|d;kr�|djd|�|djd|�|djd	||f�|djd
||f�|jdjtd|d|g��q�q�Wddddddddg|d<|dkr�|djd�n|djd�|dkr|djd�n|djd�|dcddd d!d"d#d$d%d&d'd(d)g7<|dkr|djd*�n|djd+�|dkr�|djd,�n|djd-�|dcd.d/d0g7<td1d2d3d4d5d6d7d8d9g	�|jd<g}xX|D]P}||j�kr3qnx/||D]#}|jd:|gt|��q>WqW|S(<NRs-N %s_directs-A %s -j %s_directs	%s_directRRs-N %s_ZONES_SOURCEs-N %s_ZONESs-A %s -j %s_ZONES_SOURCEs-A %s -j %s_ZONESs%s_ZONES_SOURCEs%s_ZONESRRRs-N INPUT_directs-N INPUT_ZONES_SOURCEs-N INPUT_ZONESs=-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPTs-A INPUT -i lo -j ACCEPTs-A INPUT -j INPUT_directs-A INPUT -j INPUT_ZONES_SOURCEs-A INPUT -j INPUT_ZONESRRps^-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 's/-A INPUT -m conntrack --ctstate INVALID -j DROPs9-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 's-A INPUT -j %%REJECT%%s-N FORWARD_directs-N FORWARD_IN_ZONES_SOURCEs-N FORWARD_IN_ZONESs-N FORWARD_OUT_ZONES_SOURCEs-N FORWARD_OUT_ZONESs?-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPTs-A FORWARD -i lo -j ACCEPTs-A FORWARD -j FORWARD_directs%-A FORWARD -j FORWARD_IN_ZONES_SOURCEs-A FORWARD -j FORWARD_IN_ZONESs&-A FORWARD -j FORWARD_OUT_ZONES_SOURCEs-A FORWARD -j FORWARD_OUT_ZONESs`-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 's1-A FORWARD -m conntrack --ctstate INVALID -j DROPs;-A FORWARD %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 's-A FORWARD -j %%REJECT%%s-N OUTPUT_directs-A OUTPUT -o lo -j ACCEPTs-A OUTPUT -j OUTPUT_directtINPUT_directtINPUT_ZONES_SOURCEtINPUT_ZONEStFORWARD_directtFORWARD_IN_ZONES_SOURCEtFORWARD_IN_ZONEStFORWARD_OUT_ZONES_SOURCEtFORWARD_OUT_ZONESt
OUTPUT_directs-t(RR(R,R>RcRURgtupdateR�R(R?R�t
default_rulesRetfinal_default_rulesRdRY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_default_rules�s�

/
/
/

	
	
%cCs�|dkrdddhS|dkrSd|j�krSd|j�krSdhSn|dkr~d|j�kr~ddhSn|d	kr�d	|j�kr�dhSniS(
NRRt
FORWARD_INtFORWARD_OUTRRRRR(R�(R?Rd((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytget_zone_table_chainsjs



cCs�idd6dd6dd6dd6dd6dd6|}tjd	t|d
|�}	|tkred}
nd}
|r�|r�d
d|dg}n)|r�dd|g}ndd|g}|d||||
|	g7}|gS(Ns-iRs-oRRR�R�RRetzones-gs-js-Is%s_ZONESt1s-As-Ds-t(RtformatR(R?tenableR�tzone_targett	interfaceRdReRUR[ttargettactionRY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt!build_zone_source_interface_ruleszs&	
cCs�idt6dt6|}idd6dd6dd6dd6dd	6dd
6|}tjdt|d|�}	|tkr}d
}
nd}
|jd�r
|d}|dkr�d}nd}dj|g|jjj	|��}|d|d|ddd|||
|	g}
not
|�rW|dkr&dS|d|d|ddd|j�|
|	g
}
n"|d|d||||
|	g}
|
gS(Ns-As-Ds-sRs-dRRR�R�RReR�s-gs-jsipset:itdsttsrcRPs%s_ZONES_SOURCEs-ts-mR,s--match-setRytmacs--mac-source(RSRRRR�RRRJR3tipsett
get_dimensionRtupper(R?R�R�R�taddressRdRetadd_delR[R�R�R�tflagsRY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_source_address_rules�sD	
	%


cCs6tjdt|d|�}|j|jt|d|d|d|g��g}|jd|d|g�|jdd|d|g�|jdd|d|g�|jdd|d|g�|jd|d|d	d|g�|jd|d|d	d|g�|jd|d|d	d|g�|jjj	|j
}|jj�d
kr�|dkr�|dkr�|dkr�|jd|d|dd	ddd|g	�n|dkr�|jd|d|dd	ddd|g	�q�q�n|dkr2|dkr2|dkr2|jd|d|d	|g�n|S(NReR�s%s_logs%s_denys%s_allows-Ns-ts-As-jRpRRR�R�RRos
%%REJECT%%s%%LOGTYPE%%tLOGs--log-prefixs
"%s_REJECT: "tDROPs"%s_DROP: "tACCEPT(sINPUTs
FORWARD_INsFORWARD_OUTsOUTPUT(sREJECTs
%%REJECT%%(R�sREJECTs
%%REJECT%%R�(sINPUTs
FORWARD_INsFORWARD_OUTsOUTPUT(RR�RR>R�R,RUR3R�t_zonesR�tget_log_denied(R?R�RdRet_zoneRVR�((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_chain_rules�s<###		"cCs|rddd|jgSgS(Ns-mtlimits--limit(tvalue(R?R�((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_rule_limit�scCs�|js
gSidt6dt6|}|d|d|g}||ddg7}|jjrx|dd|jjg7}n|jjr�|d	d
|jjg7}n||j|jj�7}|S(Ns-As-Ds%s_logs-ts-jR�s--log-prefixs'%s's--log-levels%s(RRSRRtprefixtlevelR�R�(R?t	rich_ruleR�RdR�t
rule_fragmentR�RY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_rich_rule_log�s	c	Cs�|js
gSidt6dt6|}|d|d|g|}t|j�tkr]d}nBt|j�tkr{d}n$t|j�tkr�d}nd}|d	d
d|g7}||j|jj	�7}|S(Ns-As-Ds%s_logs-ttaccepttrejecttdroptunknowns-jtAUDITs--type(
tauditRSRRttypeR�RRRR�R�(	R?R�R�RdR�R�R�RYt_type((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_rich_rule_audits				cCs�|js
gSidt6dt6|}t|j�tkrSd|}ddg}	n�t|j�tkr�d|}ddg}	|jjrL|	d|jjg7}	qLn�t|j�tkr�d|}dd	g}	nxt|j�tkr0tj	d
t
dd|�}d
}d|}ddd|jjg}	ntt
dt|j���||d|g}
|
||	7}
|
|j|jj�7}
|
S(Ns-As-Ds%s_allows-jR�s%s_denyRos
--reject-withR�ReRR�RtMARKs--set-xmarksUnknown action %ss-t(R�RSRRR�RRRRRR�RR,RR
R�R�(R?R�R�R�RdR�R�R�Retrule_actionRY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_rich_rule_actions4	


	
cCs@|s
gSg}|jr)|jd�n|d|jg7}|S(Nt!s-d(tinvertRUtaddr(R?t	rich_destR�((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_rich_rule_destination_fragment9s	cCs|s
gSg}|jrH|jr2|jd�n|d|jg7}n�t|d�r�|jr�|ddg7}|jr�|jd�n|d|jg7}nut|d�r|jr|ddg7}|jr�|jd�n|jjj|jd�}|d	|j|g7}n|S(
NR�s-sR�s-ms--mac-sourceR�R,R�s--match-set(	R�R�RUthasattrR�R�R3R�t_ipset_match_flags(R?trich_sourceR�R�((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_rich_rule_source_fragmentDs&				c	Cs�idt6dt6|}d}tjdtdd|�}	d|g}
|ri|
dd	t|�g7}
n|r�|
d
|g7}
n|r�|
|j|j�7}
|
|j|j	�7}
n|s�|j
tkr�|
ddd
dg7}
ng}|r^|j|j
||||	|
��|j|j||||	|
��|j|j|||||	|
��n+|j|d|	d|g|
ddg�|S(Ns-As-DRReRR�s-ps--dports%ss-ds-mt	conntracks	--ctstates
NEW,UNTRACKEDs%s_allows-ts-jR�(RSRRRR�RRR�tdestinationR�tsourceR�RRUR�R�R�(R?R�R�tprototportR�R�R�RdR�R�RV((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_ports_rules[s,	""(%c	Csjidt6dt6|}d}tjdtdd|�}d|g}	|r_|	d|g7}	n|r�|	|j|j�7}	|	|j|j�7}	n|s�|j	t
kr�|	d	d
ddg7}	ng}
|r;|
j|j|||||	��|
j|j
|||||	��|
j|j||||||	��n+|
j|d
|d|g|	ddg�|
S(Ns-As-DRReRR�s-ps-ds-mR�s	--ctstates
NEW,UNTRACKEDs%s_allows-ts-jR�(RSRRRR�RR�R�R�R�R�RRUR�R�R�(R?R�R�tprotocolR�R�R�RdR�R�RV((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_protocol_rulesws&""(%c	Cs�idt6dt6|}d}tjdtdd|�}	d|g}
|ri|
dd	t|�g7}
n|r�|
d
|g7}
n|r�|
|j|j�7}
|
|j|j	�7}
n|s�|j
tkr�|
ddd
dg7}
ng}|r^|j|j
||||	|
��|j|j||||	|
��|j|j|||||	|
��n+|j|d|	d|g|
ddg�|S(Ns-As-DRReRR�s-ps--sports%ss-ds-mR�s	--ctstates
NEW,UNTRACKEDs%s_allows-ts-jR�(RSRRRR�RRR�R�R�R�R�RRUR�R�R�(R?R�R�R�R�R�R�R�RdR�R�RV((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_source_ports_rules�s*""(%c
Cs�idt6dt6|}tjdtdd|�}|d|ddd	|g}	|rs|	d
dt|�g7}	n|r�|	d|g7}	n|	d
dd|g7}	|	gS(Ns-As-DReRR�s%s_allows-tRs-ps--dports%ss-ds-jtCTs--helper(RSRRRR�RR(
R?R�R�R�R�R�thelper_nameR�R�RY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_helper_ports_rules�s	cCs;idt6dt6|}tjdtdd|�}g}|ro||j|j�7}||j|j�7}ng}|j	|d|ddg|d	d
ddd
g�tjdtdd|�}g}|r||j|j�7}||j|j�7}n|j	|d|ddg|ddddddg�|S(Ns-As-DReRR�s%s_allows-tRR�s-otlos-jt
MASQUERADER�Rs-mR�s	--ctstates
NEW,UNTRACKEDR�(
RSRRRR�RR�R�R�R�RU(R?R�R�R�R�R�R�RV((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_masquerade_rules�s*		c

Cs�idt6dt6|}
d|}ddd|g}d}
|rmtd|�r`|
d	|7}
qm|
|7}
n|r�|dkr�|
d
t|d�7}
ntjdtd
d|�}d|dt|�g}|	r||j|	j�7}||j	|	j
�7}ng}|	r3|j|j|	|d||��n|j|
d|ddg|ddd|g�|j|
d|ddd|g|ddd|
g�tjdt|d|�}|j|
d|ddddddg|ddg�|S(Ns-As-Ds0x%xs-mtmarks--markRyRs[%s]s:%st-ReRR�s-ps--dportRs%s_allows-ts-jR�s
--set-markRtDNATs--to-destinationRR�s	--ctstates
NEW,UNTRACKEDR�(
RSRRR	RRR�RR�R�R�R�RUR�(R?R�R�tfilter_chainR�R�ttoportttoaddrtmark_idR�R�tmark_strR�ttoR�R�RV((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_forward_port_rules�s<

	%	1c
CsXd}idt6dt6|}|jdkrQddg}ddd|jg}n!dd	g}dd
d|jg}g}	x�dd
gD]�}
tjdt|
d|�}|jjj	|�r�d|}d}
nd|}d}
g}|r||j
|j�7}||j|j
�7}n|||7}|r�|	j|j|||||��|	j|j|||||��|jr�|	j|j||||||��qP|	j|d|d|g|ddg�q�|jj�dkr)|
dkr)|	j||d|g|ddddd|g�n|	j||d|g|d|
g�q�W|	S(NRs-As-DRs-pRs-ms--icmp-types	ipv6-icmpticmp6s
--icmpv6-typeRR�ReR�s%s_allowR�s%s_denys
%%REJECT%%s-ts-jRps%%LOGTYPE%%R�s--log-prefixs"%s_ICMP_BLOCK: "(RSRRR5R�RR�RR3R�tquery_icmp_block_inversionR�R�R�R�RUR�R�R�R�R�(R?R�R�tictR�RdR�R�tmatchRVReR�tfinal_chaintfinal_targetR�((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_icmp_block_rulessL	
	
""	(!	c
CsBd}g}x/ddgD]!}d}tjdt|d|�}|jjj|�r�d}|jj�dkr�|r�d	|t|�g}	nd
|g}	|	d|dd
ddddd|g	}	|j|	�|d7}q�nd}|rd	|t|�g}	nd
|g}	|	d|dd
d|g}	|j|	�qW|S(NRRR�iReR�s
%%REJECT%%Rps-Is-Ds-ts-ps%%ICMP%%s%%LOGTYPE%%s-jR�s--log-prefixs"%s_ICMP_BLOCK: "iR�(	RR�RR3R�RR�RiRU(
R?R�R�RdRVRetrule_idxR�t
ibi_targetRY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt%build_zone_icmp_block_inversion_rules3s2		
cCs�d}tjdtdd|�}g}||j|j�7}||j|j�7}g}|j|j|||||��|j|j	|||||��|j|j
||||||��|S(NRReRR�(RR�RR�R�R�R�RUR�R�R�(R?R�R�R�RdR�R�RV((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt(build_zone_rich_source_destination_rulesVs	""%cCs
||jkS(N(R5(R?R5((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytis_ipv_supportedfsN(2t__name__t
__module__R5R�RStzones_supportedRAR<R�RQR_RbRfRhRjRkRlRmRnR�R�R�R8R:R�R�R�R�R�R�RRR�R�R�R�R�R�R�R�R�R�R�R�R�R�RR
RRR(((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR2�sZ	
		
												Z				
			!	q		-	,				!			,1	#	t	ip6tablescBs eZdZdZed�ZRS(RRcCs�g}|jddddddddd	g	�|d
krk|jddddddddddd
g�n|jdddddddddg	�|jdddddddddg	�|S(Ns-IRs-tRs-mtrpfilters--inverts-jR�RpR�s--log-prefixsrpfilter_DROP: s-ps	ipv6-icmps$--icmpv6-type=neighbour-solicitationR�s"--icmpv6-type=router-advertisement(RU(R?R�RV((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_rpfilter_rulesms"	

(RRR5R�RRR(((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyRis(%tos.pathRBtfirewall.core.baseRRtfirewall.core.progRtfirewall.core.loggerRtfirewall.functionsRRRRRR	tfirewallR
tfirewall.errorsRRR
tfirewall.core.richRRRRR}RcRzR{R(R+R1tobjectR2R(((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt<module>s8."


	%	*	 ����