U

/ �^�8�!@s�
dd
dddddddd	d
ddd
ddddddddddddddddddd g!Zd!d"l
Z
d!d"lZd!d"lZd!d"lZd!d"lZd!d"lZd!d"lZd!d"lZd!d#l	m
Z

d!d$lmZm
Z

ejd%kZd&d
�Zd'd�ZdMd)d�
Zd*d+�Zd,d�Zd-d�Zd.d/�Zd0d�Zd1d�Zd2d�Zd3d	�Zd4d
�Zd5d�Zd6d�Zd7d
�Zd8d�Zd9d�Z d:d�Z!d;d<�Z"d=d�Z#d>d�Z$d?d�Z%d@d�Z&dAd�Z'dBd�Z(dCd�Z)dDd�Z*dEd�Z+dFd�Z,dGd�Z-dHd�Z.dId�Z/dJd�Z0dKd�Z1dLd �Z2d"S)N�PY2�	getPortID�getPortRange�portStr�getServiceName�checkIP�checkIP6�checkIPnMask�
checkIP6nMask�
checkProtocol�checkInterface�checkUINT32�firewalld_is_active�tempFile�readfile�	writefile�enable_ip_forwarding�
check_port�
check_address�check_single_address�	check_mac�uniqify�ppid_of_pid�max_zone_name_len�	checkUser�checkUid�checkCommand�checkContext�joinArgs�	splitArgs�b2u�u2b�
u2b_if_py2�N)
�log)�FIREWALLD_TEMPDIR�FIREWALLD_PIDFILE�
3c
Csxt|t
�r|}
nX|r|��}zt
|�
}
Wn>tk
rf


zt�|�
}
Wntjk
r`


YYd
SXYnX|
dkrtdS|
S)z� Check and Get port id from port string or port id using socket.getservbyname

    @param port port string or port id
    @return Port id if valid, -1 if port can not be found and -2 if port is too big
    ���i�����)�
isinstance�int�strip�
ValueError�socketZ
getservbyname�error)�portZ_id�r0�4/usr/lib/python3/dist-packages/firewall/functions.pyr-s












c
Cs�
t|t
�s|��r,t|�
}
|
d
kr(|
f
S|
S|�d�
}t|�
dkr�|d
��r�|d��r�t|d
�
}
t|d�
}|
d
kr�|d
kr�|
|kr�|
|fS|
|kr�||
fS|
f
Sg}tt|�
d
d�D]�}td�|d|��
�
}
d�||d��
}t|�
d
k�
rTt|�
}|
d
k�
rz|d
k�
rz|
|k�
r,|�|
|f�

n&|
|k�
rF|�||
f�

n|�|
f
�

q�|
d
kr�|�|
f
�

|t|�
kr�
�
q|q�t|�
dk�
r�dSt|�
dk�
r�dS|d
S)aI
 Get port range for port range string or single port id

    @param ports an integer or port string or port range string
    @return Array containing start and end port id for a valid range or -1 if port can not be found and -2 if port is too big for integer input or -1 for invalid ranges or None if the range is ambiguous.
    r"�
-��
r'N)	r)r*�isdigitr�split�len�range�join�append)ZportsZid1�splitsZid2Zmatched�
iZport2r0r0r1rDsH




$

























�
:cCsX|d
krd
St|�
}t
|t�r*|dkr*dSt|�
dkr>d|Sd|d|
|dfSdS)a
 Create port and port range string

    @param port port or port range int or [int, int]
    @param delimiter of the output string for port ranges, default ':'
    @return Port or port range string, empty string if port isn't specified, None if port or port range is not valid
    �r"Nr4z%sz%s%s%s)rr)r*r7)r/Z	delimiter�_ranger0r0r1rzs




cCs
t|�
}t|
�
}t
|�
d
kr�t
|�
d
kr@t|d�
t|d�
kSt
|�
dkr�t|d�
t|d�
kr�t|d�
t|d
�
k
r�dSn|t
|�
dkr�t
|�
dkr�t|d�
t|d�
kr�t|d�
t|d
�
k
r�t|d
�
t|d�
kr�t|d
�
t|d
�
k
r�dSdS)Nr4r"r3TF)rr7r)r/r8Z_portr?r0r0r1�portInPortRange�s.





�
�


�
���r@cCs2zt�
t|�
|
�}Wntjk
r,


Yd
SX|S)z� Check and Get service name from port and proto string combination using socket.getservbyport

    @param port string or id
    @param protocol string
    @return Service name if port and protocol are valid, else None
    N)r-Z
getservbyportr*r.)r/�proto�namer0r0r1r�s




c

Cs0zt�
tj|�
Wntjk
r*


Yd
SXdS)zl Check IPv4 address.
    
    @param ip address string
    @return True if address is valid, else False
    FT)r-�	inet_ptonZAF_INETr.�
�ipr0r0r1r�s




c

Cs
|�d
�
S)z� Normalize the IPv6 address

    This is mostly about converting URL-like IPv6 address to normal ones.
    e.g. [1234::4321] --> 1234:4321
    z[])
r+rDr0r0r1�normalizeIP6�srFc

Cs4zt�
tjt|�
�
Wntjk
r.


Yd
SXdS)zl Check IPv6 address.
    
    @param ip address string
    @return True if address is valid, else False
    FT)r-rCZAF_INET6rFr.rDr0r0r1r�s




c
Cs�d
|krN|d|�d
�
�}
||�d
�
dd�}t
|
�
dksHt
|�
dkrVdSn|}
d}t|
�
sbdS|r�d|krvt|�
Szt|�
}Wntk
r�


YdSX|dks�|dkr�dSdS)N�
/r4F�
.r"� T)�indexr7rr*r,�rEZaddr�maskr<r0r0r1r�s&
















c
Cs�d
|krN|d|�d
�
�}
||�d
�
dd�}t
|
�
dksHt
|�
dkrVdSn|}
d}t|
�
sbdS|r�zt|�
}Wntk
r�


YdSX|dks�|dkr�dSdS)NrGr4Fr"�T)rJr7rr*r,rKr0r0r1r	�s"














c
Csdzt|�
}
Wn>t
k
rJ


zt�|�

Wntjk
rD


YYd
SXYnX|
dks\|
dkr`d
SdS)NFr"�T)r*r,r-Zgetprotobynamer.)Zprotocolr<r0r0r1r
�s






c
Cs0|rt|�
d
krdSdD]}
|
|kr
dSqdS)z� Check interface string

    @param interface string
    @return True if interface is valid (maximum 16 chars and does not contain ' ', '/', '!', ':', '*'), else False
    �F)�
 rG�
!�
*T�
r7)Ziface�chr0r0r1r	
s


c
Cs>zt|d
�}
Wnt
k
r$


YdSX|
d
kr:|
dk
r:dSdS)Nr"Fl��T)r*r,)�val�
xr0r0r1r
s





c	Cs�tj
�t�
sd
Sz"ttd��}|��}
W5QRXWntk
rH


Yd
SXtj
�d|
�
s^d
Sz&td|
d��}|��}W5QRXWntk
r�


Yd
SXd|kr�dSd
S)zv Check if firewalld is active

    @return True if there is a firewalld pid file and the pid is used by firewalld
    F�
rz/proc/%sz/proc/%s/cmdlineZ	firewalldT)�os�path�existsr%�open�readline�	Exception)�fd�pidZcmdliner0r0r1r
&
s"










c

Csdz,tj
�t�
st�td
�
tjddtdd�WStk
r^
}
zt�	d|�

�W5d}~XYnXdS)Ni�
Zwtztemp.F)�mode�prefix�dir�deletez#Failed to create temporary file: %s)
rXrYrZr$�mkdir�tempfileZNamedTemporaryFiler]r#r.)
�msgr0r0r1rC
s



�


c

Csfz,t|d
��}
|
�
�W5QR�WSQRXWn4tk
r`
}
zt�d||f�

W5d}~XYnXdS)NrWzFailed to read file "%s": %s)r[�	readlinesr]r#r.)�filename�
f�
er0r0r1rO
s


 

$
c
Csdz$t|d
��}|�
|
�

W5QRXWn:tk
r^
}
zt�d||f�

WY�dSd}~XYnXdS)N�
wz Failed to write to file "%s": %sFT)r[�writer]r#r.)rh�linerirjr0r0r1rW
s






c

Cs(|d
krtdd�S|dkr$tdd�SdS)N�ipv4z/proc/sys/net/ipv4/ip_forwardz1
�ipv6z&/proc/sys/net/ipv6/conf/all/forwardingF)
r)
�ipvr0r0r1r`
s







c

Cs|�d
d��dd�S)N�
_r2z
nf-conntrack-r>)
�replace)
�moduler0r0r1�get_nf_conntrack_short_nameg
s
rtc
Cs�t|�
}
|
d
ks<|
dks<|
dks<t
|
�
dkr�|
d|
dkr�|
d
krTt�d|�

nZ|
dkrlt�d|�

nB|
dkr�t�d|�

n*t
|
�
dkr�|
d|
dkr�t�d	|�

d
SdS)Nr(r'r3r"r4z'%s': port > 65535z'%s': port is invalidz'%s': port is ambiguousz'%s': range start >= endFT)rr7r#Zdebug2)r/r?r0r0r1rj
s 



�
�








cCs(|d
krt|
�
S|dkr t
|
�
SdSdS�NrnroF)rr	�rp�sourcer0r0r1ry
s




cCs(|d
krt|
�
S|dkr t
|
�
SdSdSru)rrrvr0r0r1r�
s




c
CsNt|�
d
krJdD]}
||
dkr
dSqdD]}
||
t
jkr,
dSq,dSdS)N�)r3����r=F)r"r4�����	�
��
�rOT)r7�stringZ	hexdigits)Zmacr<r0r0r1r�
s







c
Cs$g}
|D]}||
kr|
�|�

q|
S�
N)
r:)Z_list�outputrVr0r0r1r�
s




c
CsJz.t�
d
|�
}
t|
��d���
}|
��
Wntk
rD


YdSX|S)z Get parent for pid zps -o ppid -h -p %d 2>/dev/nullr"N)rX�popenr*rgr+�closer])r_rir0r0r1r�
s





cCs.d
dlm
}
ttt|����
}
d|
td�
S)z�
    Netfilter limits length of chain to (currently) 28 chars.
    The longest chain we create is FWDI_<zone>_allow,
    which leaves 28 - 11 = 17 chars for <zone>.
    r")
�	SHORTCUTS�Z__allow)Zfirewall.core.baser��max�mapr7�values)r�Zlongest_shortcutr0r0r1r�
s

c
CsRt|�
d
kst|�
t
�d�
kr"dS|D]&}
|
tjkr&|
tjkr&|
dkr&
dSq&dS)Nr4�SC_LOGIN_NAME_MAXF)rHr2rq�
$T)r7rX�sysconfr�Z
ascii_lettersZdigits)�user�
cr0r0r1r�
s





��
c

CsFt|t
�r.zt|�
}Wntk
r,


Yd
SX|dkrB|dk
rBdSd
S)NFr"i���T)r)�strr*r,)
Zuidr0r0r1r�
s








c
CsHt|�
d
kst|�
dkrdSdD]}
|
|kr 
dSq |ddkrDdSdS)Nr4iF)�
|�

�
r"rGTrS)ZcommandrTr0r0r1r�
s







c
Cs�|�d
�
}
t
|
�
dkrdS|
ddkr>|
ddd�dkr>dS|
ddd�d	krVdS|
d
dd�dkrndSt
|
d�
dkr�dSd
S)Nr=)r~ryFr"�rootr(Z_ur4Z_rr3Z_tr}T)r6r7)�contextr;r0r0r1r�
s



 




c

Cs8d
tt
�
kr d�dd�|D�
�
Sd�dd�|D�
�
SdS)N�quoterPc
ss|]}
t�
|
�
V
qdSr�)�shlexr���.0�
ar0r0r1�	<genexpr>�
szjoinArgs.<locals>.<genexpr>c
ss|]}
t�
|
�
V
qdSr�)�pipesr�r�r0r0r1r��
s)rbr�r9)
�argsr0r0r1r�
s

c
Cs8tr*t
|t�r*t|�
}t�|�
}
tt|
�St�|�
SdSr�)r
r)�unicoder r�r6r�r)�_stringr;r0r0r1r�
s





c

Cst|t
�r|�d
d�S|S)z bytes to unicode �UTF-8rr)r)�bytes�decode�
r�r0r0r1r�
s


c

Cst|t
�s|�d
d�S|S)z unicode to bytes r�rr)r)r��encoder�r0r0r1r �
s


c

Cstrt
|t�r|�d
d�S|S)z" unicode to bytes only if Python 2r�rr)r
r)r�r�r�r0r0r1r!�
s

)
r=)3�__all__r-rX�os.pathr�r�r��sysreZfirewall.core.loggerr#Zfirewall.configr$r%�versionr
rrrr@rrrFrrr	r
rrr
rrrrrtrrrrrrrrrrrrrrr r!r0r0r0r1�<module>s�








�










6