3

��g'K�#@sdd
dddddddd	d
ddd
ddddddddddddddddddd d!d"g#Zd#d$l
Z
d#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d%l	m
Z

d#d&lmZm
Z

ejd'kZd(d)�ed#d*�D�
Zd+d
�Zd,d�ZdXd.d�
Zd/d0�Zd1d2�Zd3d4�Zd5d�Zd6d�Zd7d8�Zd9d�Zd:d�Zd;d"�Zd<d�Zd=d	�Zd>d
�Z d?d�Z!d@d�Z"dAd
�Z#dBd�Z$dCd�Z%dDd�Z&dEdF�Z'dGd�Z(dHd�Z)dId�Z*dJd�Z+dKd�Z,dLd�Z-dMd!�Z.dNd�Z/dOd�Z0dPd�Z1dQd�Z2dRd�Z3dSd�Z4dTd�Z5dUd�Z6dVd�Z7dWd �Z8d$S)Y�PY2�	getPortID�getPortRange�portStr�getServiceName�checkIP�checkIP6�checkIPnMask�
checkIP6nMask�
checkProtocol�checkInterface�checkUINT32�firewalld_is_active�tempFile�readfile�	writefile�enable_ip_forwarding�
check_port�
check_address�check_single_address�	check_mac�uniqify�ppid_of_pid�max_zone_name_len�	checkUser�checkUid�checkCommand�checkContext�joinArgs�	splitArgs�b2u�u2b�
u2b_if_py2�max_policy_name_len�stripNonPrintableCharacters�N)
�log)�FIREWALLD_TEMPDIR�FIREWALLD_PIDFILE�
3c
Cs"i|]}
|
dko|
d
ksd|
�qS)��N�)�.0�
ir+r+�/usr/lib/python3.6/functions.py�
<dictcomp>.sr/�c
Cstt|t
�r|}
nT|r|j�}yt
|�
}
Wn:tk
rb


ytj|�
}
Wntjk
r\


dSXYnX|
dkrpdS|
S)z� Check and Get port id from port string or port id using socket.getservbyname

    @param port port string or port id
    @return Port id if valid, -1 if port can not be found and -2 if port is too big
    �
i�������������)�
isinstance�int�strip�
ValueError�socketZ
getservbyname�error)�portZ_idr+r+r.r7s












c
Cs�
t|t
�st|t�r|St|t�s*|j�rDt|�
}
|
d
kr@|
f
S|
S|jd�
}t|�
dkr�|d
j�r�|dj�r�t|d
�
}
t|d�
}|
d
kr�|d
kr�|
|kr�|
|fS|
|kr�||
fS|
f
Sg}x�tt|�
d
d�D]�}tdj	|d|��
�
}
dj	||d��
}t|�
d
k�
rnt|�
}|
d
k�
r�|d
k�
r�|
|k�
rF|j
|
|f�

n&|
|k�
r`|j
||
f�

n|j
|
f
�

q�|
d
kr�|j
|
f
�

|t|�
kr�Pq�Wt|�
dk�
r�dSt|�
dk�
r�dS|d
S)aI
 Get port range for port range string or single port id

    @param ports an integer or port string or port range string
    @return Array containing start and end port id for a valid range or -1 if port can not be found and -2 if port is too big for integer input or -1 for invalid ranges or None if the range is ambiguous.
    r$�
-r2r1Nr3r3)r5�tuple�listr6�isdigitr�split�len�range�join�append)ZportsZid1�splitsZid2Zmatchedr-Zport2r+r+r.rNsL





$

























�
:cCsX|d
krd
St|�
}t
|t�r*|dkr*dSt|�
dkr>d|Sd|d|
|dfSdS)a
 Create port and port range string

    @param port port or port range int or [int, int]
    @param delimiter of the output string for port ranges, default ':'
    @return Port or port range string, empty string if port isn't specified, None if port or port range is not valid
    �r$Nr1z%sz%s%s%s)rr5r6rA)r;Z	delimiter�_ranger+r+r.r�s




cCs
t|�
}t|
�
}t
|�
d
kr�t
|�
d
kr@t|d�
t|d�
kSt
|�
dkr�t|d�
t|d�
kr�t|d�
t|d
�
k
r�dSn|t
|�
dkr�t
|�
dkr�t|d�
t|d�
kr�t|d�
t|d
�
k
r�t|d
�
t|d�
kr�t|d
�
t|d
�
k
r�dSdS)Nr1r$r2TF)rrAr)r;rBZ_portrHr+r+r.�portInPortRange�s





0



0
0
rIcCsT
t|�
}t
|�
d
kr$|d|df}tt|
�}ttdd�|�dd�d�}g}x�|D]�}|d|dk
r�|d
|d
kr�|j|�

qR|d|dk
r�|d
|d
kr�|d
|dkr�|j|�

|d|d
f}qR|d|dko�|d
|d
ko�|d|d
k
rR|j|�

|d|d
f}qRWttdd�|��
}|d|d
k�
rJ|df
}|g
|fS)z� Coalesce a port range with existing list of port ranges

        @param new_range tuple/list/string
        @param ranges list of tuple/list/string
        @return tuple of (list of ranges added after coalescing, list of removed original ranges)
    r1r$c

Ss t|�
d
kr|d|dfS|S)Nr1r$)
rA)
�
xr+r+r.�<lambda>�sz#coalescePortRange.<locals>.<lambda>c

Ss|d
S)Nr$r+)
rJr+r+r.rK�s)
�keyc

Ss|d
|dkr|d
f
S|S)Nr$r1r+)
rJr+r+r.rK�s)rrA�map�sortedrDr>)Z	new_range�rangesZcoalesced_range�_ranges�removed_rangesrBr+r+r.�coalescePortRange�s*






 
 



 





rRcCs�
t|�
}t
|�
d
kr$|d|df}tt|
�}ttdd�|�dd�d�}g}g}�
xJ|D�
]@}|d|dk
r�|d
|d
kr�|j|�

qX|d|dk
r�|d
|d
kr�|d
|dkr�|j|�

|j|d
d
|d
f�

qX|d|dk�
r<|d
|d
k�
r<|d|d
k
�
r<|j|�

|j|d|dd
f�

qX|d|dkrX|d
|d
krX|j|�

|j|d|dd
f�

|j|d
d
|d
f�

qXWttdd�|��
}ttdd�|��
}||fS)	z� break a port range from existing list of port ranges

        @param remove_range tuple/list/string
        @param ranges list of tuple/list/string
        @return tuple of (list of ranges added after breaking up, list of removed original ranges)
    r1r$c

Ss t|�
d
kr|d|dfS|S)Nr1r$)
rA)
rJr+r+r.rK�sz breakPortRange.<locals>.<lambda>c

Ss|d
S)Nr$r+)
rJr+r+r.rK�s)
rLc

Ss|d
|dkr|d
f
S|S)Nr$r1r+)
rJr+r+r.rK�sc

Ss|d
|dkr|d
f
S|S)Nr$r1r+)
rJr+r+r.rK�s)rrArMrNrDr>)Zremove_rangerOrPrQZadded_rangesrBr+r+r.�breakPortRange�s2






 
 



$



 



rScCs0ytj
t|�
|
�}Wntjk
r*


d
SX|S)z� Check and Get service name from port and proto string combination using socket.getservbyport

    @param port string or id
    @param protocol string
    @return Service name if port and protocol are valid, else None
    N)r9Z
getservbyportr6r:)r;�proto�namer+r+r.r�s




c

Cs.ytj
tj|�
Wntjk
r(


d
SXdS)zl Check IPv4 address.
    
    @param ip address string
    @return True if address is valid, else False
    FT)r9�	inet_ptonZAF_INETr:)
�ipr+r+r.r
s




c

Cs
|jd
�
S)z� Normalize the IPv6 address

    This is mostly about converting URL-like IPv6 address to normal ones.
    e.g. [1234::4321] --> 1234:4321
    z[])
r7)
rWr+r+r.�normalizeIP6
srXc

Cs2ytj
tjt|�
�
Wntjk
r,


d
SXdS)zl Check IPv6 address.
    
    @param ip address string
    @return True if address is valid, else False
    FT)r9rVZAF_INET6rXr:)
rWr+r+r.r 
s




c
Cs�d
|krN|d|jd
�
�}
||jd
�
dd�}t
|
�
dksHt
|�
dkrVdSn|}
d}t|
�
sbdS|r�d|krvt|�
Syt|�
}Wntk
r�


dSX|dks�|dkr�dSdS)N�
/r1F�
.r$� T)�indexrArr6r8)rW�addr�maskr-r+r+r.r-
s&
















c

Cs
|jt
�
S)
N)�	translate�NOPRINT_TRANS_TABLE)
Zrule_strr+r+r.r#D
s
c
Cs�d
|krN|d|jd
�
�}
||jd
�
dd�}t
|
�
dksHt
|�
dkrVdSn|}
d}t|
�
sbdS|r�yt|�
}Wntk
r�


dSX|dks�|dkr�dSdS)NrYr1Fr$�T)r\rArr6r8)rWr]r^r-r+r+r.r	G
s"














c
Cs`yt|�
}
Wn:t
k
rF


ytj|�

Wntjk
r@


d
SXYnX|
dksX|
dkr\d
SdS)NFr$��T)r6r8r9Zgetprotobynamer:)Zprotocolr-r+r+r.r
\
s






c
Cs4|st|�
d
krdSxdD]}
|
|krdSqWdS)	z� Check interface string

    @param interface string
    @return True if interface is valid (maximum 16 chars and does not contain ' ', '/', '!', ':', '*'), else False
    �F�
 rY�
!�
*T)rdrYrerf)
rA)Ziface�chr+r+r.rk
s



c
Cs<yt|d
�}
Wnt
k
r"


dSX|
d
kr8|
dk
r8dSdS)Nr$Fl��T)r6r8)�valrJr+r+r.r~
s





cCs�tj
jt�
sd
Sy"ttd��}|j�}
WdQRXWntk
rF


d
SXtj
jd|
�
s\d
Sy&td|
d��}|j�}WdQRXWntk
r�


d
SXd|kr�dSd
S)zv Check if firewalld is active

    @return True if there is a firewalld pid file and the pid is used by firewalld
    F�
rNz/proc/%sz/proc/%s/cmdlineZ	firewalldT)�os�path�existsr'�open�readline�	Exception)�fd�pidZcmdliner+r+r.r
�
s"










c
Csby*tj
jt�
stjtd
�
tjddtdd�Stk
r\
}
ztj	d|�

�WYdd}~XnXdS)Ni�
Zwtztemp.F)�mode�prefix�dir�deletez#Failed to create temporary file: %s)
rjrkrlr&�mkdir�tempfileZNamedTemporaryFileror%r:)
�msgr+r+r.r�
s








c
CsXyt|d
��
}
|
j
�SQRXWn4tk
rR
}
ztjd||f�

WYdd}~XnXdS)NrizFailed to read file "%s": %s)rm�	readlinesror%r:)�filename�
f�
er+r+r.r�
s




$
cCs\y$t|d
��}|j
|
�

WdQRXWn2tk
rV
}
ztjd||f�

dSd}~XnXdS)N�
wz Failed to write to file "%s": %sFT)rm�writeror%r:)rz�liner{r|r+r+r.r�
s






c

Cs(|d
krtdd�S|dkr$tdd�SdS)N�ipv4z/proc/sys/net/ipv4/ip_forwardz1
�ipv6z&/proc/sys/net/ipv6/conf/all/forwardingF)
r)
�ipvr+r+r.r�
s







c

Cs|jd
d�jdd�S)N�
_r<z
nf-conntrack-rG)
�replace)
�moduler+r+r.�get_nf_conntrack_short_name�
s
r�c
Cs�t|�
}
|
d
ks<|
dks<|
dks<t
|
�
d
kr�|
d|
dkr�|
dkrTtjd|�

nZ|
d
krltjd|�

nB|
dkr�tjd|�

n*t
|
�
d
kr�|
d|
dkr�tjd|�

dSd	S)Nr2r1r$z'%s': port > 65535z'%s': port is invalidz'%s': port is ambiguousz'%s': range start >= endFTr4r3r4r3)rrAr%Zdebug2)r;rHr+r+r.r�
s












cCs(|d
krt|
�
S|dkr t
|
�
SdSdS)Nr�r�F)rr	)r��sourcer+r+r.r�
s




cCs(|d
krt|
�
S|dkr t
|
�
SdSdS)Nr�r�F)rr)r�r�r+r+r.r�
s




c
CsRt|�
dkrNxdD]}
||
dkrdSqWxdD]}
||
t
jkr0dSq0WdSdS)N��r2���rFFr$r1�����	�
�
�rcT�)r2r�r�r�r�)r$r1r�r�r�r�r�r�r�r�r�rc)rA�stringZ	hexdigits)Zmacr-r+r+r.r�
s









c
Cs(g}
x|D]}||
kr
|
j|�

q
W|
S)
N)
rD)Z_list�outputrJr+r+r.r�
s





c
CsHy.tj
d
|�
}
t|
j�dj��
}|
j�
Wntk
rB


dSX|S)z Get parent for pid zps -o ppid -h -p %d 2>/dev/nullr$N)rj�popenr6ryr7�closero)rqr{r+r+r.r�
s





cCsBd
dlm
}
d
dlm}

ttt|
j���
}d|t|�
td�
S)z�
    iptables limits length of chain to (currently) 28 chars.
    The longest chain we create is POST_<policy>_allow,
    which leaves 28 - 11 = 17 chars for <policy>.
    r$)
�POLICY_CHAIN_PREFIX)
�	SHORTCUTS�Z_allow)Zfirewall.core.ipXtablesr��firewall.core.baser��maxrMrA�values)r�r��longest_shortcutr+r+r.r"	s


cCs.d
dlm
}
ttt|j���
}
d|
td�
S)z�
    Netfilter limits length of chain to (currently) 28 chars.
    The longest chain we create is FWDI_<zone>_allow,
    which leaves 28 - 11 = 17 chars for <zone>.
    r$)
r�r�Z__allow)r�r�r�rMrAr�)r�r�r+r+r.rs

c
CsTt|�
d
kst|�
t
jd�
kr"dSx,|D]$}
|
tjkr(|
tjkr(|
d	kr(dSq(WdS)
Nr1�SC_LOGIN_NAME_MAXFrZr<r��
$T)rZr<r�r�)rArj�sysconfr�Z
ascii_lettersZdigits)�user�
cr+r+r.rs










c

CsDt|t
�r,yt|�
}Wntk
r*


d
SX|dkr@|dk
r@dSd
S)	NFr$r2r)r1Tli���)r5�strr6r8)
Zuidr+r+r.r(s








c
CsJt|�
d
kst|�
dkrdSxd
D]}
|
|kr"dSq"W|ddkrFdSd	S)Nr1iF�
|�

�
r$rYT)r�r�r�)
rA)Zcommandrgr+r+r.r2s








c
Cs�|jd
�
}
t
|
�
dkrdS|
ddkr>|
ddd�dkr>dS|
d	dd�d
krVdS|
ddd�dkrndSt
|
d�
d	kr�dSd
S)NrFr�r�Fr$�rootr2Z_ur1Z_rZ_tr�T)r�r�r4r4r4)r@rA)�contextrEr+r+r.r<s



 




c

Cs8d
tt
�
kr djdd�|D�
�
Sdjdd�|D�
�
SdS)N�quoterdc
ss|]}
tj
|
�
V
qdS)
N)�shlexr�)r,�
ar+r+r.�	<genexpr>PszjoinArgs.<locals>.<genexpr>c
ss|]}
tj
|
�
V
qdS)
N)�pipesr�)r,r�r+r+r.r�Rs)rtr�rC)
�argsr+r+r.rNs

c
Cs8tr*t
|t�r*t|�
}tj|�
}
tt|
�Stj|�
SdS)
N)r
r5�unicoder r�r@rMr)�_stringrEr+r+r.rTs





c

Cst|t
�r|jd
d�S|S)z bytes to unicode zUTF-8r�)r5�bytes�decode)
r�r+r+r.r]s


c

Cst|t
�s|jd
d�S|S)z unicode to bytes zUTF-8r�)r5r��encode)
r�r+r+r.r cs


c

Cstrt
|t�r|jd
d�S|S)z" unicode to bytes only if Python 2zUTF-8r�)r
r5r�r�)
r�r+r+r.r!is

)
rF)9�__all__r9rjZos.pathr�r�r��sysrwZfirewall.core.loggerr%Zfirewall.configr&r'�versionr
rBr`rrrrIrRrSrrrXrrr#r	r
rrr
rrrrr�rrrrrrr"rrrrrrrrr r!r+r+r+r.�<module>sz



















:
&+