ó  c‰`c#@sXdddddddddd d d d d ddddddddddddddddddd d!d"g#Zd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d$lZd#d%l m Z d#d&l m Z m Z ejd'kZd(„Zd)„Zd*d+„Zd,„Zd-„Zd.„Zd/„Zd0„Zd1„Zd2„Zd3„Zd4„Zd5„Zd6„Zd7„Zd8„Zd9„Z d:„Z!d;„Z"d<„Z#d=„Z$d>„Z%d?„Z&d@„Z'dA„Z(dB„Z)dC„Z*dD„Z+dE„Z,dF„Z-dG„Z.dH„Z/dI„Z0dJ„Z1dK„Z2dL„Z3dM„Z4d$S(NtPY2t getPortIDt getPortRangetportStrtgetServiceNametcheckIPtcheckIP6t checkIPnMaskt checkIP6nMaskt checkProtocoltcheckInterfacet checkUINT32tfirewalld_is_activettempFiletreadfilet writefiletenable_ip_forwardingtget_nf_conntrack_helper_settingtset_nf_conntrack_helper_settingt check_portt check_addresstcheck_single_addresst check_mactuniqifyt ppid_of_pidtmax_zone_name_lent checkUsertcheckUidt checkCommandt checkContexttjoinArgst splitArgstb2utu2bt u2b_if_py2i˙˙˙˙N(tlog(tFIREWALLD_TEMPDIRtFIREWALLD_PIDFILEt3cCst|tƒr|}nd|r-|jƒ}nyt|ƒ}Wn<tk r{ytj|ƒ}Wq|tjk rwdSXnX|dkrŒdS|S(sÎ Check and Get port id from port string or port id using socket.getservbyname @param port port string or port id @return Port id if valid, -1 if port can not be found and -2 if port is too big i˙˙˙˙i˙˙iţ˙˙˙(t isinstancetinttstript ValueErrortsockett getservbynameterror(tportt_id((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR.s    c Cs>t|tƒs|jƒr>t|ƒ}|dkr:|fS|S|jdƒ}t|ƒdkrđ|djƒrđ|djƒrđt|dƒ}t|dƒ}|dkrđ|dkrđ||krÍ||fS||kră||fS|fSqđng}xtt|ƒddƒD]÷}tdj|| ƒƒ}dj||ƒ}t|ƒdkrŃt|ƒ}|dkr|dkr||kr™|j||fƒqÎ||krť|j||fƒqÎ|j|fƒqq|dkr|j|fƒ|t|ƒkrPqqqWt|ƒdkr dSt|ƒdkr6dS|dS(sI Get port range for port range string or single port id @param ports an integer or port string or port range string @return Array containing start and end port id for a valid range or -1 if port can not be found and -2 if port is too big for integer input or -1 for invalid ranges or None if the range is ambiguous. it-iii˙˙˙˙N( R'R(tisdigitRtsplittlentrangetjointappendtNone(tportstid1tsplitstid2tmatchedtitport2((s6/usr/lib/python2.7/site-packages/firewall/functions.pyREsH  2          t:cCsr|dkrdSt|ƒ}t|tƒr;|dkr;dSt|ƒdkrUd|Sd|d||dfSdS(s Create port and port range string @param port port or port range int or [int, int] @param delimiter of the output string for port ranges, default ':' @return Port or port range string, empty string if port isn't specified, None if port or port range is not valid tiis%ss%s%s%sN(RR'R(R7R3(R.t delimitert_range((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR{s  cCs„t|ƒ}t|ƒ}t|ƒdkr>|t|dƒkSt|ƒdkr€|t|dƒkr€|t|dƒkr€tStS(Niii(RRR3tTruetFalse(R.R4t_portRB((s6/usr/lib/python2.7/site-packages/firewall/functions.pytportInPortRanges  ,cCs8ytjt|ƒ|ƒ}Wntjk r3dSX|S(sŢ Check and Get service name from port and proto string combination using socket.getservbyport @param port string or id @param protocol string @return Service name if port and protocol are valid, else None N(R+t getservbyportR(R-R7(R.tprototname((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR™s cCs3ytjtj|ƒWntjk r.tSXtS(sl Check IPv4 address. @param ip address string @return True if address is valid, else False (R+t inet_ptontAF_INETR-RDRC(tip((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR§s cCs |jdƒS(s Normalize the IPv6 address This is mostly about converting URL-like IPv6 address to normal ones. e.g. [1234::4321] --> 1234:4321 s[](R)(RL((s6/usr/lib/python2.7/site-packages/firewall/functions.pyt normalizeIP6´scCs9ytjtjt|ƒƒWntjk r4tSXtS(sl Check IPv6 address. @param ip address string @return True if address is valid, else False (R+RJtAF_INET6RMR-RDRC(RL((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRźs cCsád|kra||jdƒ }||jdƒd}t|ƒdksZt|ƒdkrmtSn |}d}t|ƒs}tS|rÝd|kr™t|ƒSyt|ƒ}Wntk r˝tSX|dksÖ|dkrÝtSntS(Nt/it.ii (tindexR3RDR7RR(R*RC(RLtaddrtmaskR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRÉs& $    cCsËd|kra||jdƒ }||jdƒd}t|ƒdksZt|ƒdkrmtSn |}d}t|ƒs}tS|rÇyt|ƒ}Wntk r§tSX|dksŔ|dkrÇtSntS(NROiii€(RQR3RDR7RR(R*RC(RLRRRSR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRŕs" $  cCsmyt|ƒ}Wn:tk rLytj|ƒWqitjk rHtSXnX|dkse|dkritStS(Nii˙(R(R*R+tgetprotobynameR-RDRC(tprotocolR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR ős  cCsN| st|ƒdkrtSx*ddddgD]}||kr0tSq0WtS(sŹ Check interface string @param interface string @return True if interface is valid (maximum 16 chars and does not contain ' ', '/', '!', ':', '*'), else False it ROt!t*(R3RDRC(tifacetch((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR s  cCsHyt|dƒ}Wntk r'tSX|dkrD|dkrDtStS(NiI˙˙˙˙(R(R*RDRC(tvaltx((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR s cCsÂtjjtƒstSy(ttdƒ}|jƒ}WdQXWntk rRtSXtjjd|ƒsmtSy,td|dƒ}|jƒ}WdQXWntk r­tSXd|kržtStS(sv Check if firewalld is active @return True if there is a firewalld pid file and the pid is used by firewalld trNs/proc/%ss/proc/%s/cmdlinet firewalld( tostpathtexistsR%RDtopentreadlinet ExceptionRC(tfdtpidtcmdline((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR !s"   c CsyyKtjjtƒs(tjtdƒntjdddddtdtƒSWn'tk rt}t j d|ƒ‚nXdS( Ničtmodetwttprefixstemp.tdirtdeletes#Failed to create temporary file: %s( R_R`RaR$tmkdirttempfiletNamedTemporaryFileRDRdR#R-R7(tmsg((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR >scCsWy&t|dƒ}|jƒSWdQXWn*tk rR}tjd||fƒnXdS(NR]sFailed to read file "%s": %s(Rbt readlinesRdR#R-R7(tfilenametfte((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRJs cCs[y)t|dƒ}|j|ƒWdQXWn+tk rV}tjd||fƒtSXtS(Ntws Failed to write to file "%s": %s(RbtwriteRdR#R-RDRC(RrtlineRsRt((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRRscCs6|dkrtddƒS|dkr2tddƒStS(Ntipv4s/proc/sys/net/ipv4/ip_forwards1 tipv6s&/proc/sys/net/ipv6/conf/all/forwarding(RRD(tipv((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR[s     cCs|jddƒjddƒS(Nt_R0s nf-conntrack-R@(treplace(tmodule((s6/usr/lib/python2.7/site-packages/firewall/functions.pytget_nf_conntrack_short_namebscCs>yttdƒdƒSWntk r9tjdƒdSXdS(Ns+/proc/sys/net/netfilter/nf_conntrack_helperis3Failed to get and parse nf_conntrack_helper setting(R(RRdR#twarning(((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRes   cCstd|rdndƒS(Ns+/proc/sys/net/netfilter/nf_conntrack_helpers1 s0 (R(tflag((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRlscCsřt|ƒ}|dksV|dksV|dksVt|ƒdkrô|d|dkrô|dkrvtjd|ƒnz|dkr–tjd|ƒnZ|dkrśtjd|ƒn:t|ƒdkrđ|d|dkrđtjd |ƒntStS( Niţ˙˙˙i˙˙˙˙iiis'%s': port > 65535s'%s': port is invalids'%s': port is ambiguouss'%s': range start >= end(RR7R3R#tdebug2RDRC(R.RB((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRps $&   &cCs4|dkrt|ƒS|dkr,t|ƒStSdS(NRxRy(RRRD(Rztsource((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs     cCs4|dkrt|ƒS|dkr,t|ƒStSdS(NRxRy(RRRD(RzR‚((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR‡s     c Csgt|ƒdkrcx"dD]}||dkrtSqWx%dD]}||tjkr>tSq>WtStS(Ni iiii iR?iiiiiii i i iii(iiii i( iiiiiii i i i ii(R3RDtstringt hexdigitsRC(tmacR=((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRs  cCs7g}x*|D]"}||kr |j|ƒq q W|S(N(R6(t_listtoutputR\((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR›s   cCsVy=tjd|ƒ}t|jƒdjƒƒ}|jƒWntk rQdSX|S(s Get parent for pid sps -o ppid -h -p %d 2>/dev/nulliN(R_tpopenR(RqR)tcloseRdR7(RfRs((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRŁs cCs=ddlm}ttt|jƒƒƒ}d|tdƒS(sŠ Netfilter limits length of chain to (currently) 28 chars. The longest chain we create is FWDI__allow, which leaves 28 - 11 = 17 chars for . i˙˙˙˙(t SHORTCUTSit__allow(tfirewall.core.baseRŠtmaxtmapR3tvalues(RŠtlongest_shortcut((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR­sc Cstt|ƒdks-t|ƒtjdƒkr1tSx<|D]4}|tjkr8|tjkr8|dkr8tSq8WtS(NitSC_LOGIN_NAME_MAXRPR0R{t$(RPR0R{R’(R3R_tsysconfRDRƒt ascii_letterstdigitsRC(tusertc((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRˇs-  cCsWt|tƒr7yt|ƒ}Wq7tk r3tSXn|dkrS|dkrStStS(NiiiiI€i˙˙˙(R'tstrR(R*RDRC(tuid((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRÁs cCsjt|ƒdks$t|ƒdkr(tSx'dddgD]}||kr8tSq8W|ddkrftStS(Niit|s tiRO(R3RDRC(tcommandRZ((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRËs$ cCs›|jdƒ}t|ƒd kr%tS|ddkrM|dddkrMtS|ddd kretS|d dd kr}tSt|d ƒdkr—tStS(NR?iiitrootiţ˙˙˙t_uit_rit_ti(ii(R2R3RDRC(tcontextR:((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRŐs$cCsDdttƒkr)djd„|DƒƒSdjd„|DƒƒSdS(NtquoteRVcss|]}tj|ƒVqdS(N(tshlexR˘(t.0ta((s6/usr/lib/python2.7/site-packages/firewall/functions.pys éscss|]}tj|ƒVqdS(N(tpipesR˘(R¤RĽ((s6/usr/lib/python2.7/site-packages/firewall/functions.pys ës(RkRŁR5(targs((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRçscCsNtr=t|tƒr=t|ƒ}tj|ƒ}tt|ƒStj|ƒSdS(N(RR'tunicodeR!RŁR2RŽR (t_stringR:((s6/usr/lib/python2.7/site-packages/firewall/functions.pyRís   cCs#t|tƒr|jddƒS|S(s bytes to unicode sUTF-8R|(R'tbytestdecode(RŠ((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR öscCs#t|tƒs|jddƒS|S(s unicode to bytes sUTF-8R|(R'RŞtencode(RŠ((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR!üscCs)tr%t|tƒr%|jddƒS|S(s" unicode to bytes only if Python 2sUTF-8R|(RR'R¨RŹ(RŠ((s6/usr/lib/python2.7/site-packages/firewall/functions.pyR"s(5t__all__R+R_tos.pathRŁRŚRƒtsysRntfirewall.core.loggerR#tfirewall.configR$R%tversionRRRRRFRRRMRRRR R R R R RRRR~RRRRRRRRRRRRRRRR R!R"(((s6/usr/lib/python2.7/site-packages/firewall/functions.pytsr                 6