WWWWWW

Current Directory: /usr/lib/python2.7/site-packages/firewall/core
Viewing File: /usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyo
�
�c�`c@s�ddlZddlZddlmZmZddlmZddlm	Z	ddl
mZmZm
Z
mZmZmZmZmZddlmZddlmZmZmZddlmZmZmZmZddlZid	d
dgd6d
d
gd6d
dd	d
dgd6d
dd
gd6d	d
dgd6Zidd6dd6Z idd6dd6Z!d�Z"d�Z#d�Z$de%fd��YZ&de&fd��YZ'dS( i����N(t	SHORTCUTStDEFAULT_ZONE_TARGET(trunProg(tlog(ttempFiletreadfilet	splitArgst	check_mactportStrtcheck_single_addresst
check_addresstnormalizeIP6(tconfig(t
FirewallErrortINVALID_PASSTHROUGHtINVALID_RULE(tRich_AccepttRich_Rejectt	Rich_Dropt	Rich_MarktINPUTtOUTPUTtFORWARDtsecurityt
PREROUTINGtrawtPOSTROUTINGtmangletnattfiltersicmp-host-prohibitedtipv4sicmp6-adm-prohibitedtipv6ticmps	ipv6-icmpcCs�idd6dd6dd6dd6dd6d	d
6}|}x�|D]�}y|j|�}Wntk
rmq>nX|dkr�yt||d�Wntk
r�q�X|j|d�n||||<q>W|S(
s Inverse valid rule s-Ds-As--deletes--appends-Is--inserts-Xs-Ns--delete-chains--new-chaini(s-Is--insert(tindext	Exceptiontinttpop(targstreplace_argstret_argstargtidx((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcommon_reverse_rule7s*



cCs�idd6dd6dd6dd6dd6d	d
6}|}x�|D]�}y|j|�}Wntk
rmq>nX|dkr�yt||d�Wntk
r�q�X|j|d�n||||<|SWttd��d
S(s Reverse valid passthough rule s-Ds-As--deletes--appends-Is--inserts-Xs-Ns--delete-chains--new-chainisno '-A', '-I' or '-N' argN(s-Is--insert(R!t
ValueErrorR#R$R
R(R%R&R'txR)((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcommon_reverse_passthrough\s.



cCs�t|�}tddddddddd	d
ddd
dddddddg�}t||@�dkr�ttdt||@�d��ntddddddg�}t||@�dkr�ttd��ndS(sZ Check if passthough rule is valid (only add, insert and new chain
    rules are allowed) s-Cs--checks-Ds--deletes-Rs	--replaces-Ls--lists-Ss--list-ruless-Fs--flushs-Zs--zeros-Xs--delete-chains-Ps--policys-Es--rename-chainisarg '%s' is not alloweds-As--appends-Is--inserts-Ns--new-chainsno '-A', '-I' or '-N' argN(tsettlenR
Rtlist(R%tnot_allowedtneeded((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcommon_check_passthrough�s*		t	ip4tablescBs�eZdZdZeZd�Zd�Zd�Zd.d�Z
d�Zd�Zd�Z
d	�Zd
�Zd�Zd�Zd
�Zd�Zd�Zd�Zd.d�Zd�Zd�Zd�Zd�Zd�Zd�Zdd�Zd�Zed�Z d�Z!d�Z"d�Z#d�Z$d �Z%d!�Z&d"�Z'd#�Z(d.d.d$�Z)d.d.d%�Z*d.d.d&�Z+d'�Z,d.d(�Z-d.d)�Z.d.d*�Z/d+�Z0d,�Z1d-�Z2RS(/RR4cCsz||_tj|j|_tjd|j|_|j�|_|j�|_	|j
�g|_g|_i|_
dS(Ns
%s-restore(t_fwRtCOMMANDStipvt_commandt_restore_commandt_detect_wait_optiontwait_optiont_detect_restore_wait_optiontrestore_wait_optiontfill_existstavailable_tablestzone_source_index_cachet
our_chains(tselftfw((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt__init__�s	
		cCs4tjj|j�|_tjj|j�|_dS(N(tostpathtexistsR8tcommand_existsR9trestore_command_exists(RB((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR>�scCs�|jrB|j|krB|jgg|D]}d|^q(}ng|D]}d|^qI}tjd|j|jdj|��t|j|�\}}|dkr�td|jdj|�|f��n|S(Ns%ss	%s: %s %st is'%s %s' failed: %s(R;Rtdebug2t	__class__R8tjoinRR+(RBR%titemt_argststatustret((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt__run�s*%cCs�|dkr|Sg}x�|D]�}t}x�|D]�}y|j|�}Wntk
r\q0Xt|�|kr0d||dkr0t}||djd�}x3|D](}	|}
|	|
|d<|j|
�q�Wq0q0W|s|j|�qqW|S(s5Split values combined with commas for options in optst,iN(tNonetFalseR!R+R/tTruetsplittappend(RBtrulestoptst	out_rulestrulet	processedtopttititemsRNt_rule((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytsplit_value�s(


&
cCsAy|j|�}Wntk
r'tSX||||d+tSdS(Ni(R!R+RURV(RBR\tpatterntreplacementR_((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt
_rule_replace�s
cCs|tko|t|kS(N(tBUILT_IN_CHAINS(RBR7ttabletchain((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytis_chain_builtin�scCsCd|g}|r"|jd�n
|jd�|j|�|gS(Ns-ts-Ns-X(RX(RBtaddRgRhR\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_chain_rules�s

cCsLd|g}|r.|d|t|�g7}n|d|g7}||7}|S(Ns-ts-Is-D(tstr(RBRjRgRhR!R%R\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt
build_rule�s
cCs
t|�S(N(R*(RBR%((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytreverse_rulescCst|�dS(N(R3(RBR%((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytcheck_passthroughscCs
t|�S(N(R-(RBR%((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytreverse_passthrough
scCs�d}y|jd�}Wntk
r,n(Xt|�|dkrT||d}nd}xndddddd	gD]T}y|j|�}Wntk
r�qsXt|�|dkrs||d}qsqsW||fS(
NRs-tis-As--appends-Is--inserts-Ns--new-chain(R!R+R/RT(RBR%RgR_RhR^((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytpassthrough_parse_table_chain
s$
	
cCs�yb|jd�}|j|�|j|�}d|dkrQ||df}n||df}WnLtk
r�y&|jd�}|j|�d}Wq�tk
r�dSXnXt}|ddkr�t}n|r�|r�||kr�|j|�q�n�|r�|rI||kr7|j|�|jd
d��n|j|�}n!|j	j
r^d}nt|�}d|d<|jd
d|d�ndS(Ns%%ZONE_SOURCE%%s-miiis%%ZONE_INTERFACE%%is-Ds--deletetkeycSs|dS(Ni((R,((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt<lambda>@ss-Iis%di(s-Ds--delete(
R!R$R+RTRVRUtremoveRXtsortR5t_allow_zone_driftingR/tinsert(RBR\R@R_tzonetzone_sourcetrule_addR!((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_run_replace_zone_source#s>



		

	
cCs#t�}i}tj|j�}x�|D]�}|}|j|dddt|jg�|j|dt|jg�y|jd�}Wnt	k
r�nLX|dkr�q(n|d&kr�d
dd|g|||d
+n
|j
|�|j||�d}	xpddgD]b}
y|j|
�}Wnt	k
r6q
Xt|�|d
kr
|j
|�|j
|�}	q
q
Wxzt
t|��D]f}x]tjD]R}|||kr�||jd�o�||jd�r�d||||<q�q�Wq�W|j|	g�j|�q(Wx�|D]�}	||	}|j|ddg�}|j|ddg�}|jd|	�x(|D] }|jdj|�d�qiW|jd�qW|j�tj|j�}tjd|j|jd|j|jf�g}
|j r|
j|j �n|
jd�t!|j|
d|j�\}}tj"�dkr�t#|j�}|dk	r�d
}xc|D]X}tj%d ||fd!d
d"d#�|jd�s�tj%d$d!d
�n|d
7}qpWq�ntj&|j�|d#krt	d%|jdj|
�|f��n||_|S('Ns
%%REJECT%%tREJECTs
--reject-withs%%ICMP%%s%%LOGTYPE%%tofftunicastt	broadcastt	multicasts-mtpkttypes
--pkt-typeiRs-ts--tablet"s"%s"s-ss--sources-ds
--destinations*%s
RJs
sCOMMIT
s	%s: %s %ss%s: %ds-ntstdinis%8d: %stnofmttnlits'%s %s' failed: %s(R~RR�('RtcopytdeepcopyR@RetDEFAULT_REJECT_TYPER7tICMPR!R+R$R{R/trangetstringt
whitespacet
startswithtendswitht
setdefaultRXRbtwriteRMtcloseREtstattnameRRKRLR9tst_sizeR=RtgetDebugLogLevelRRTtdebug3tunlink(RBRYt
log_deniedt	temp_filettable_rulesR@RaR\R_RgR^tcR�R%RPRQtlinestline((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt	set_rulesLs�	

 


#


	

#	cCs�|j|dddt|jg�|j|dt|jg�y|jd�}Wntk
rfnJX|dkrwdS|dkr�ddd
|g|||d+n
|j|�tj|j	�}|j
||�|j|�}||_	|S(Ns
%%REJECT%%R|s
--reject-withs%%ICMP%%s%%LOGTYPE%%R}R�R~RR�s-mR�s
--pkt-typei(sunicasts	broadcasts	multicast(ReR�R7R�R!R+R$R�R�R@R{t_ip4tables__run(RBR\R�R_R@toutput((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytset_rule�s"
 
	cCs�g}|r|gn	tj�}x�|D]�}||jkrM|j|�q(y:|jd|ddg�|jj|�|j|�Wq(tk
r�tjd|j|f�q(Xq(W|S(Ns-ts-Ls-nsA%s table '%s' does not exist (or not enough permission to check).(	RftkeysR?RXR�R+Rtdebug1R7(RBRgRQttables((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytget_available_tables�s

"cCs�d}t|jdddg�}|ddkr�d}t|jdddg�}|ddkrkd}ntjd|j|j|�n|S(NR�s-ws-Ls-nis-w10s%s: %s will be using %s option.(RR8RRKRL(RBR;RQ((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR:�s	cCs�t�}|jd�|j�d}xlddgD]^}t|j|gd|j�}|ddkr3d|dkr3d	|dkr3|}Pq3q3Wtjd
|j|j|�t	j
|j�|S(Ns#fooR�s-ws--wait=2R�isinvalid optionisunrecognized options%s: %s will be using %s option.(RR�R�RR9R�RRKRLRER�(RBR�R;ttest_optionRQ((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR<�s	
 cCsog|_g}xYtj�D]K}|j|�s7qnx-dddgD]}|jd||g�qGWqW|S(Ns-Fs-Xs-Zs-t(R@RfR�R�RX(RBRYRgtflag((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_flush_rules�s	cCsyg}xltj�D]^}|j|�s.qn|dkr@qnx.t|D]"}|jd|d||g�qKWqW|S(NRs-ts-P(RfR�R�RX(RBtpolicyRYRgRh((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_set_policy_ruless$c
Cs{g}d}y1|jd|jdkr-dnddg�}WnGtk
r�}|jdkrrtjd|�q�tjd|�nX|j�}t}x�|D]�}|r.|j�j�}|j	�}xa|D]V}|j
d	�r|jd
�r|dd!}	n|}	|	|kr�|j|	�q�q�Wn|jdkrL|j
d
�sj|jdkr�|j
d�r�t
}q�q�W|S(sQReturn ICMP types that are supported by the iptables/ip6tables command and kernelR�s-pRR s	ipv6-icmps--helpsiptables error: %ssip6tables error: %st(t)ii����sValid ICMP Types:RsValid ICMPv6 Types:(R�R7R+RR�t
splitlinesRUtstriptlowerRWR�R�RXRV(
RBRQR�texR�tin_typesR�tsplitsRWR,((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytsupported_icmp_typess4	


cCsgS(N((RB((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_default_tables/sR}c	Cs>i}|jd�r�g|d<t�|jd<x]tdD]N}|djd|�|djd||f�|jdjd|�q:Wn|jd�r�g|d<t�|jd<x�tdD]�}|djd|�|djd||f�|jdjd|�|dkr�x�|jjr8ddgndgD]f}|djd	||f�|djd
|||f�|jdjtd||fg��q?Wq�q�Wn|jd�r�g|d<t�|jd<x�tdD]�}|djd|�|djd||f�|jdjd|�|dkr�x�|jjr\ddgndgD]f}|djd	||f�|djd
|||f�|jdjtd||fg��qcWq�q�Wn|jd
�r�g|d
<t�|jd
<x�td
D]�}|d
jd|�|d
jd||f�|jd
jd|�|d0krx�|jjr�ddgndgD]f}|d
jd	||f�|d
jd
|||f�|jd
jtd||fg��q�WqqWng|d<t�|jd<|djd�|djd�|djd�|djd�|jdjtd��xq|jjr�ddgndgD]N}|djd|�|djd|�|jdjtd|��q�W|dkr|djd�n|djd�|dkr8|djd�n|djd�|djd�|djd�|djd�|djd �|jdjtd!��x�d"d#gD]�}x�|jjr�ddgndgD]`}|djd$||f�|djd%||f�|jdjtd&||f��q�Wq�W|dkrd|djd'�n|djd(�|dkr�|djd)�n|djd*�|dcd+d,d-g7<|jdjtd.��g}xX|D]P}||j�krq�nx/||D]#}|jd/|gt	|��qWq�W|S(1NRs-N %s_directs-A %s -j %s_directs	%s_directRRtZONES_SOURCEtZONESs-N %s_%ss-A %s -j %s_%ss%s_%sRRRRs=-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPTs-A INPUT -i lo -j ACCEPTs-N INPUT_directs-A INPUT -j INPUT_directtINPUT_directs-N INPUT_%ss-A INPUT -j INPUT_%ssINPUT_%sR}s^-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 's/-A INPUT -m conntrack --ctstate INVALID -j DROPs9-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 's-A INPUT -j %%REJECT%%s?-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPTs-A FORWARD -i lo -j ACCEPTs-N FORWARD_directs-A FORWARD -j FORWARD_directtFORWARD_directtINtOUTs-N FORWARD_%s_%ss-A FORWARD -j FORWARD_%s_%ss
FORWARD_%s_%ss`-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 's1-A FORWARD -m conntrack --ctstate INVALID -j DROPs;-A FORWARD %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 's-A FORWARD -j %%REJECT%%s-N OUTPUT_directs-A OUTPUT -o lo -j ACCEPTs-A OUTPUT -j OUTPUT_directt
OUTPUT_directs-t(RR(
R�R.RARfRXRjR5RvtupdateR(	RBR�t
default_rulesRhtdispatch_suffixt	directiontfinal_default_rulesRgR\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_default_rules3s�

(5
(5
(5
("(,
	
%cCs�|dkrdddhS|dkrSd|j�krSd|j�krSdhSn|dkr~d|j�kr~ddhSn|d	kr�d	|j�kr�dhSniS(
NRRt
FORWARD_INtFORWARD_OUTRRRRR(R�(RBRg((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytget_zone_table_chains�s



cCs�idd6dd6dd6dd6dd6dd6|}tjd	t|d
|�}d}	|ry|rydd
|dg}
n?|r�dd
|g}
n&dd
|g}
|s�|
dg7}
n|
d||||	|g7}
|
gS(Ns-iRs-oRRR�R�RRhRxs-gs-Is%s_ZONESs%%ZONE_INTERFACE%%s-As-Ds-t(RtformatR(RBtenableRxt	interfaceRgRhRXR^ttargettactionR\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt!build_zone_source_interface_rules�s&
c
Cs�idt6dt6|}idd6dd6dd6dd6dd	6dd
6|}|jjred|}n
d|}tjd
t|d|�}	d}
|jd�r|d}|dkr�d}nd}dj|g|jj	j
|��}||d|d|ddd|||
|	g
}
n�t|�ri|dkr6dS||d|d|ddd|j�|
|	g}
nt
d|�r�t|�}n=td|�r�|jd�}t|d�d|d }n||d|d||||
|	g
}
|
gS(!Ns-Is-Ds-sRs-dRRR�R�Rs%s_ZONES_SOURCEs%s_ZONESRhRxs-gsipset:itdsttsrcRSs%%ZONE_SOURCE%%s-ts-mR.s--match-setR�tmacs--mac-sourceRt/ii(RVRUR5RvRR�RR�RMtipsett
get_dimensionRtupperR	RR
RW(RBR�RxtaddressRgRhtadd_delR^tzone_dispatch_chainR�R�R�tflagsR\t
addr_split((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_source_address_rules�sV

	%cCs6tjdt|d|�}|j|jt|d|d|d|g��g}|jd|d|g�|jdd|d|g�|jdd|d|g�|jdd|d|g�|jd|d|d	d|g�|jd|d|d	d|g�|jd|d|d	d|g�|jjj	|j
}|jj�d
kr�|dkr�|dkr�|dkr�|jd|d|dd	ddd|g	�n|dkr�|jd|d|dd	ddd|g	�q�q�n|dkr2|dkr2|dkr2|jd|d|d	|g�n|S(NRhRxs%s_logs%s_denys%s_allows-Ns-ts-As-jR}RRR�R�RR|s
%%REJECT%%s%%LOGTYPE%%tLOGs--log-prefixs
"%s_REJECT: "tDROPs"%s_DROP: "tACCEPT(sINPUTs
FORWARD_INsFORWARD_OUTsOUTPUT(sREJECTs
%%REJECT%%(R�sREJECTs
%%REJECT%%R�(sINPUTs
FORWARD_INsFORWARD_OUTsOUTPUT(RR�RRAR�R.RXR5Rxt_zonesR�tget_log_denied(RBRxRgRht_zoneRYR�((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_chain_rules�s<###		"cCs|rddd|jgSgS(Ns-mtlimits--limit(tvalue(RBR�((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_rule_limit*scCs�|js
gSidt6dt6|}|d|d|g}||ddg7}|jjrx|dd|jjg7}n|jjr�|d	d
|jjg7}n||j|jj�7}|S(Ns-As-Ds%s_logs-ts-jR�s--log-prefixs'%s's--log-levels%s(RRVRUtprefixtlevelR�R�(RBt	rich_ruleR�RgR�t
rule_fragmentR�R\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_rich_rule_log/s	c	Cs�|js
gSidt6dt6|}|d|d|g|}t|j�tkr]d}nBt|j�tkr{d}n$t|j�tkr�d}nd}|d	d
d|g7}||j|jj	�7}|S(Ns-As-Ds%s_logs-ttaccepttrejecttdroptunknowns-jtAUDITs--type(
tauditRVRUttypeR�RRRR�R�(	RBR�R�RgR�R�R�R\t_type((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_rich_rule_audit?s				cCs�|js
gSidt6dt6|}t|j�tkrSd|}ddg}	n�t|j�tkr�d|}ddg}	|jjrL|	d|jjg7}	qLn�t|j�tkr�d|}dd	g}	nxt|j�tkr0tj	d
t
dd|�}d
}d|}ddd|jjg}	ntt
dt|j���||d|g}
|
||	7}
|
|j|jj�7}
|
S(Ns-As-Ds%s_allows-jR�s%s_denyR|s
--reject-withR�RhRRxRtMARKs--set-xmarksUnknown action %ss-t(R�RVRUR�RRRRRR�RR.R
RR�R�(RBRxR�R�RgR�R�R�Rhtrule_actionR\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_rich_rule_actionSs4	


	
cCs�|s
gSg}|jr)|jd�ntd|j�rW|dt|j�g7}n`td|j�r�|jjd�}|dt|d�d|dg7}n|d|jg7}|S(Nt!Rs-dR�ii(tinvertRXR	taddrRR
RW(RBt	rich_destR�R�((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_rich_rule_destination_fragmentts	)cCs�|s
gSg}|jr�|jr2|jd�ntd|j�r`|dt|j�g7}q�td|j�r�|jjd�}|dt|d�d|dg7}q�|d|jg7}n�t|d�r|jr|ddg7}|jr|jd�n|d	|jg7}nut|d
�r�|j	r�|ddg7}|jr[|jd�n|j
jj|j	d�}|d
|j	|g7}n|S(NR�Rs-sR�iiR�s-ms--mac-sourceR�R.R�s--match-set(
R�R�RXR	RR
RWthasattrR�R�R5Rxt_ipset_match_flags(RBtrich_sourceR�R�R�((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt_rich_rule_source_fragment�s0		)		c	Cs�idt6dt6|}d}tjdtdd|�}	d|g}
|ri|
dd	t|�g7}
n|r�|
d
|g7}
n|r�|
|j|j�7}
|
|j|j	�7}
n|s�t
|j�tkr�|
ddd
dg7}
ng}|rd|j
|j||||	|
��|j
|j||||	|
��|j
|j|||||	|
��n+|j
|d|	d|g|
ddg�|S(Ns-As-DRRhRRxs-ps--dports%ss-ds-mt	conntracks	--ctstates
NEW,UNTRACKEDs%s_allows-ts-jR�(RVRURR�RRR�tdestinationR�tsourceR�R�RRXR�R�R�(RBR�RxtprototportR�R�R�RgR�R�RY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_ports_rules�s,	""(%c	Cspidt6dt6|}d}tjdtdd|�}d|g}	|r_|	d|g7}	n|r�|	|j|j�7}	|	|j|j�7}	n|s�t	|j
�tkr�|	d	d
ddg7}	ng}
|rA|
j|j
|||||	��|
j|j|||||	��|
j|j||||||	��n+|
j|d
|d|g|	ddg�|
S(Ns-As-DRRhRRxs-ps-ds-mR�s	--ctstates
NEW,UNTRACKEDs%s_allows-ts-jR�(RVRURR�RR�R�R�R�R�R�RRXR�R�R�(RBR�RxtprotocolR�R�R�RgR�R�RY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_protocol_rules�s&""(%c	Cs�idt6dt6|}d}tjdtdd|�}	d|g}
|ri|
dd	t|�g7}
n|r�|
d
|g7}
n|r�|
|j|j�7}
|
|j|j	�7}
n|s�t
|j�tkr�|
ddd
dg7}
ng}|rd|j
|j||||	|
��|j
|j||||	|
��|j
|j|||||	|
��n+|j
|d|	d|g|
ddg�|S(Ns-As-DRRhRRxs-ps--sports%ss-ds-mR�s	--ctstates
NEW,UNTRACKEDs%s_allows-ts-jR�(RVRURR�RRR�R�R�R�R�R�RRXR�R�R�(RBR�RxRRR�R�R�RgR�R�RY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_source_ports_rules�s*""(%cCs�idt6dt6|}tjdtdd|�}	|d|	ddd	|g}
|rs|
d
dt|�g7}
n|r�|
d|g7}
n|
d
dd|g7}
|
gS(Ns-As-DRhRRxs%s_allows-tRs-ps--dports%ss-ds-jtCTs--helper(RVRURR�RR(RBR�RxRRR�thelper_nametmodule_short_nameR�R�R\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_helper_ports_rules�s	cCs;idt6dt6|}tjdtdd|�}g}|ro||j|j�7}||j|j�7}ng}|j	|d|ddg|d	d
ddd
g�tjdtdd|�}g}|r||j|j�7}||j|j�7}n|j	|d|ddg|ddddddg�|S(Ns-As-DRhRRxs%s_allows-tRR�s-otlos-jt
MASQUERADER�Rs-mR�s	--ctstates
NEW,UNTRACKEDR�(
RVRURR�RR�R�R�R�RX(RBR�RxR�R�R�R�RY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_masquerade_ruless*		c

Cs�idt6dt6|}
d|}ddd|g}d}
|rstd|�rf|
d	t|�7}
qs|
|7}
n|r�|dkr�|
d
t|d�7}
ntjdtd
d|�}d|dt|�g}|	r||j|	j	�7}||j
|	j�7}ng}|	r9|j|j
|	|d||��n|j|
d|ddg|ddd|g�|j|
d|ddd|g|ddd|
g�tjdt|d|�}|j|
d|ddddddg|ddg�|S(Ns-As-Ds0x%xs-mtmarks--markR�Rs[%s]s:%st-RhRRxs-ps--dportRs%s_allows-ts-jR�s
--set-markRtDNATs--to-destinationRR�s	--ctstates
NEW,UNTRACKEDR�(RVRUR	RRRR�RR�R�R�R�RXR�(RBR�Rxtfilter_chainRRttoportttoaddrtmark_idR�R�tmark_strR
ttoR�R�RY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_forward_port_ruless<

	%	1c
CsXd}idt6dt6|}|jdkrQddg}ddd|jg}n!dd	g}dd
d|jg}g}	x�dd
gD]�}
tjdt|
d|�}|jjj	|�r�d|}d}
nd|}d}
g}|r||j
|j�7}||j|j
�7}n|||7}|r�|	j|j|||||��|	j|j|||||��|jr�|	j|j||||||��qP|	j|d|d|g|ddg�q�|jj�dkr)|
dkr)|	j||d|g|ddddd|g�n|	j||d|g|d|
g�q�W|	S(NRs-As-DRs-pR s-ms--icmp-types	ipv6-icmpticmp6s
--icmpv6-typeRR�RhRxs%s_allowR�s%s_denys
%%REJECT%%s-ts-jR}s%%LOGTYPE%%R�s--log-prefixs"%s_ICMP_BLOCK: "(RVRUR7R�RR�RR5Rxtquery_icmp_block_inversionR�R�R�R�RXR�R�R�R�R�(RBR�RxtictR�RgR�RtmatchRYRhR�tfinal_chaintfinal_targetR�((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_zone_icmp_block_rulesIsL	
	
""	(!	c
CsBd}g}x/ddgD]!}d}tjdt|d|�}|jjj|�r�d}|jj�dkr�|r�d	|t|�g}	nd
|g}	|	d|dd
ddddd|g	}	|j|	�|d7}q�nd}|rd	|t|�g}	nd
|g}	|	d|dd
d|g}	|j|	�qW|S(NRRR�iRhRxs
%%REJECT%%R}s-Is-Ds-ts-ps%%ICMP%%s%%LOGTYPE%%s-jR�s--log-prefixs"%s_ICMP_BLOCK: "iR�(	RR�RR5RxRR�RlRX(
RBR�RxRgRYRhtrule_idxR�t
ibi_targetR\((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt%build_zone_icmp_block_inversion_ruleszs2		
cCs�d}tjdtdd|�}g}||j|j�7}||j|j�7}g}|j|j|||||��|j|j	|||||��|j|j
||||||��|S(NRRhRRx(RR�RR�R�R�R�RXR�R�R�(RBR�RxR�RgR�R�RY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt(build_zone_rich_source_destination_rules�s	""%cCs
||jkS(N(R7(RBR7((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytis_ipv_supported�sN(3t__name__t
__module__R7R�RVtzones_supportedRDR>R�RTRbReRiRkRmRnRoRpRqR{R�R�R�R:R<R�R�R�R�R�R�RUR�R�R�R�R�R�R�R�R�RRRR	RRRR R!R"(((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR4�s\			
												)	^				
		!	i		7	,				!			,1	#	t	ip6tablescBs eZdZdZed�ZRS(RR&cCs�g}|jddddddddd	g	�|d
krk|jddddddddddd
g�n|jdddddddddg	�|jdddddddddg	�|S(Ns-IRs-tRs-mtrpfilters--inverts-jR�R}R�s--log-prefixsrpfilter_DROP: s-ps	ipv6-icmps$--icmpv6-type=neighbour-solicitationR�s"--icmpv6-type=router-advertisement(RX(RBR�RY((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pytbuild_rpfilter_rules�s"	

(R#R$R7R�RUR((((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyR&�s((tos.pathRER�tfirewall.core.baseRRtfirewall.core.progRtfirewall.core.loggerRtfirewall.functionsRRRRRR	R
RtfirewallRtfirewall.errorsR
RRtfirewall.core.richRRRRR�RfR�R�R*R-R3tobjectR4R&(((s;/usr/lib/python2.7/site-packages/firewall/core/ipXtables.pyt<module>s<:"


	%	*	 ����
F1l3 Manager
