HEX
Server: Apache
System: Linux scp1.abinfocom.com 5.4.0-216-generic #236-Ubuntu SMP Fri Apr 11 19:53:21 UTC 2025 x86_64
User: confeduphaar (1010)
PHP: 8.1.33
Disabled: exec,passthru,shell_exec,system
$ pwd: /lib/python3/dist-packages/ufw/__pycache__/
Upload Files
File: //lib/python3/dist-packages/ufw/__pycache__/backend_iptables.cpython-38.pyc
U

�L�dh��@s�dZddlZddlZddlZddlZddlZddlZddlmZm	Z	ddl
mZmZm
Z
mZmZmZddlZGdd�dejj�ZdS)z-backend_iptables.py: iptables backend for ufw�N)�UFWError�UFWRule)�warn�debug�msg�cmd�cmd_pipe�	_findpathc@s�eZdZdZd+dd�Zdd�Zdd�Zd	d
�Zd,dd
�Zdd�Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zd-dd�Zd.dd �Zd!d"�Zd/d#d$�Zd%d&�Zd'd(�Zd)d*�ZdS)0�UFWBackendIptableszInstance class for UFWBackendNcCs�dtjjd|_||_||_i}ttjj|�}ttjj|�}t	j
�|d�|d<t	j
�|d�|d<t	j
�|d�|d<t	j
�|d	�|d
<t	j
�|d�|d<t	j
�|d
�|d<t	j
�|d�|d<tjj
j|d||||d�ggggd�|_dD]�}d}|dk�r|���r||7}n|dk�rq�dD]0}	dD]$}
d||	|
f}|j|	�|��q(�q |jd�|d�|jd�|d�q�dddd d!d"d#g|_d$|_d%S)&z!UFWBackendIptables initializationz# z
_comment #zufw/user.rules�ruleszufw/before.rulesZbefore_ruleszufw/after.rules�after_ruleszufw/user6.rules�rules6zufw/before6.rulesZ
before6_ruleszufw/after6.rules�after6_ruleszufw-init�init�iptables)�rootdir�datadir)�before�user�after�misc)�4�6�ufwr)rrr��input�output�forwardz%s-%s-logging-%srz
-logging-denyz-logging-allow�-m�limit�--limitz3/minute�-j�LOG�--log-prefixz[UFW LIMIT BLOCK]N)r�commonZprogramName�comment_strrrr	�
config_dir�	state_dir�os�path�join�backend�
UFWBackend�__init__�chains�use_ipv6�append�ufw_user_limit_log�ufw_user_limit_log_text)�self�dryrunrr�filesr&r'Zver�chain_prefix�loc�target�chain�r:�6/usr/lib/python3/dist-packages/ufw/backend_iptables.pyr- sN�



�zUFWBackendIptables.__init__cCs\td�}|jddkr |d7}n8|jddkr8|d7}n |jddkrP|d7}n|d	7}|S)
zGet current policyz
New profiles:Zdefault_application_policy�acceptz allowZdropz deny�rejectz rejectz skip)�_�defaults)r3�rstrr:r:r;�get_default_application_policyLs


z1UFWBackendIptables.get_default_application_policyc
	Cs>|j�s|dkr4|dkr4|dkr4td�|}t|��|dkr`|dkr`|dkr`td�|}t|��d	}|dkrrd
}n|dkr~d}d}d}|dkr�z|�|jd
d|d�Wntk
r��YnXd}d}n�|dk�rz|�|jd
d|d�Wntk
�r
�YnXd}d}n>z|�|jd
d|d�Wntk
�rJ�YnXd}d}t�d|�}|jd|jdfD]�}ztj	�
|�}	Wntk
�r��YnX|	d}
|	dD]8}|�|��r�tj	�|
|�
||��ntj	�|
|��q�ztj	�|	�Wntk
�r�YnX�qvtd�||d�}|td�7}|S)zSets default policy of firewall�allow�denyr=zUnsupported policy '%s'ZincomingZoutgoing�routedz%Unsupported policy for direction '%s'�INPUT�OUTPUT�FORWARD�r?zDEFAULT_%s_POLICYz"ACCEPT"z	UFW BLOCKz	UFW ALLOWz"REJECT"z"DROP"rr�tmp�origz5Default %(direction)s policy changed to '%(policy)s'
)�	direction�policyz*(be sure to update your rules accordingly))r4r>rZset_defaultr5�	Exception�re�compiler�util�
open_files�search�
write_to_file�sub�close_files)
r3rLrK�err_msgr9Zold_log_strZnew_log_str�pat�f�fns�fd�liner@r:r:r;�set_default_policyZs����
���z%UFWBackendIptables.set_default_policycCs�|jr&dtd�}|dtd�7}|S|��ddddg}g}g}|dkrn|�d	�d
dddg}d
ddg}�n|d
k�rdD] }|�d|�|�d|�q|dD] }|�d|�|�d|�q�dD] }|�d|�|�d|�q�dD]}|�d|�q�nx|dk�r<dD]"}|�d|�|�d|��q�nB|dk�r�dD]"}|�d|�|�d|��qJ|jdd�r�|�d�|�d �|jdd!�r~|�d"�|�d#�n�|d$k�r�dD]"}|�d%|�|�d&|��q�n�|d'k�r~dD]Z}|�d(|�|�d)|�|�d*|�|�d+|�|�d,|�|�d-|��q�|�d.�|�d/�|�d0�|�d1�d2|}|D]�}d3|k�r�|�d3�\}	}|d4|	7}t|jg||d	|	g�\}
}nt|jg||g�\}
}||7}|dk�r|d57}|
d6k�r�t|���q�|dk�s0|�	��r�|d77}|D]�}d3|k�r�|�d3�\}	}|d4|	7}t|jg||d	|	g�\}
}nt|j
g||g�\}
}||7}|dk�r�|d57}|
d6k�r<t|���q<|S)8z'Show current running status of firewall�> zChecking raw iptables
zChecking raw ip6tables
�-nz-vz-x�-L�rawz-t�filterZnatZmangle�builtins)rErGrFz	filter:%s)�
PREROUTINGrErGrF�POSTROUTINGz	mangle:%s)rcrFzraw:%s)rcrdrFznat:%sr)rrrz
ufw-before-%szufw6-before-%sr�ufw-user-%s�ufw6-user-%srrzufw-user-limit-accept�ufw-user-limitrzufw6-user-limit-accept�ufw6-user-limitrzufw-after-%sz
ufw6-after-%sZloggingzufw-before-logging-%szufw6-before-logging-%szufw-user-logging-%szufw6-user-logging-%szufw-after-logging-%szufw6-after-logging-%szufw-logging-allowzufw-logging-denyzufw6-logging-allowzufw6-logging-denyzIPV4 (%s):
�:z(%s) �
rz

IPV6:
)r4r>�initcapsr0�caps�splitrrrr/�	ip6tables)r3Z
rules_type�out�args�itemsZitems6�c�b�i�t�rcrIr:r:r;�get_running_raw�s�













 


 

z"UFWBackendIptables.get_running_rawFc$Cs�d}|jr2dtd�}|��r.|dtd�7}|Std�}dD]�}t|jdd|d	g�\}}|d
krptd�S|dkr�t|d
|��|��r>t|jdd|d	g�\}}|dkr>t|d��q>d}d}	d}
|j|j}d
}i}
|D�]L}d}i}d}d}|�sF|j	dk�s|j
dk�rFd}|��}||
k�r>td|�q�nd|
|<dD�]�}d||<d}d}|dk�r�|j
}|�s�|j	dk�r�|j	}|j�r�|dk�r�|d7}n|j}n@|j}|�s�|j
dk�r�|j
}|j�r�|dk�r�|d7}n|j}|dk�r|dk�r|||<|dk�r(||dk�r*|||<n||d|7<|�rf|jdk�rf||d|j7<|�r(|dk�r�|j	dk�r�||d|j	7<|j�r�|dk�r�||d7<||d7<|dk�r(|j
dk�r(||d|j
7<|j�r|dk�r||d7<||d7<|dk�r�|dk�sF|dk�r�d||<|�r�|jdk�r�|j
|jk�r�|j|jk�r�||d|j7<|dk�r�||d7<n6|�r$|jdk�r$|j|jk�r$||d|j7<n>|j�r$|jdk�r$|j
dk�r$d||k�r$||d7<|j�r�|dk�rX|jdk�rX||d|j7<|dk�r�|jdk�r�||d|j7<nX|dk�r�|jdk�r�||d|j7<|dk�rJ|jdk�rJ||d|j7<�qJg}d}|j�s|j��d k�rT|j�r|�|j���|�r8|jd k�r8|�|j�t|�dk�rTd!d"�|�}|�rf|d#|7}|j��}|j�r|d$}|jd%k�r�|j�s�|�s�|�s�d}d}|jdk�r�d&|��}|d'|dd�|j��|g�|d||f7}|�r�||7}n0|j�r|
|7}
n|jd k�r"|	|7}	n||7}|d
7}q�|dk�sR|	dk�sR|
dk�rHd(}|�rd|d)7}td*�}td+�}td,�}d-}||||f}|�r�|d)7}||d.t|�d.t|�d.t|�f7}||7}|dk�r�||7}|dk�r|	dk�r|td/�7}|	dk�r||	7}|dk�r2|
dk�r2|td/�7}|
dk�rD||
7}|}|�r�|� �\} }!td0�|�!�|�!d1�|�!d2d�d3�}"|�"�}#td4�|!|"|#|d5�Std6�|Sd7S)8zShow ufw managed rulesrHr]zChecking iptables
zChecking ip6tables
�problem runningrr_rer^�zStatus: inactiverz iptables: %s
rf�
 ip6tablesTFzSkipping found tuple '%s')�dst�srcr{z::/0� (v6)z	0.0.0.0/0�any� �/z (%s�)r|ZAnywherez on %sroz (%s)z, z[%2d] ZFWD�inz # %sz%-26s %-12s%-26s%s%s
z

z     ZToZFromZActionz%-26s %-12s%s
�-rjzCDefault: %(in)s (incoming), %(out)s (outgoing), %(routed)s (routed)rr)r�rorDz0Status: active
%(log)s
%(pol)s
%(app)s%(status)s)�logZpolZappZstatuszStatus: active%sN)#r4r>r/rrrrnrr
�dapp�sapp�
get_app_tuplerr{�v6�dportr|�sport�protocolr�interface_in�
interface_out�logtyperK�lowerr0�lenr*�upper�commentZget_comment�actionZget_loglevel�_get_default_policyrA)$r3�verboseZ
show_countrorVrKrvZout6�sZstr_outZstr_rter�count�	app_rules�rZtmp_str�location�tuplZ
show_protor7ZportrIZattribsZ
attrib_strZdir_strr%Zfull_strZstr_toZstr_fromZ
str_actionZrules_header_fmtZrules_header�levelZlogging_strZ
policy_strZapp_policy_strr:r:r;�
get_statuss~�
�










�
�

� 
�
��
��






��


�����zUFWBackendIptables.get_statuscCs�|jrtdtd��n�g}|�|jd�|jdk	rl|jdk	rl|�d�|�|j�|�d�|�|j�|�d�t|�\}}|dkr�td	|�}t|��dS)
zStop the firewallr]�running ufw-initrN�	--rootdir�	--datadirz
force-stopr�problem running ufw-init
%s)	r4rr>r0r5rrrr�r3rprvrorVr:r:r;�
stop_firewall�s


z UFWBackendIptables.stop_firewallcCs8|jrtdtd���ng}|�|jd�|jdk	rn|jdk	rn|�d�|�|j�|�d�|�|j�|�d�t|�\}}|dkr�td	|�}t|��d
|j	ks�|j	d
t
|j���kr�z|�
d�Wn$tk
r�td�}t|��YnXn<z|�|j	d
�Wn&tk
�r2td
�}t|��YnXdS)zStart the firewallr]r�rNr�r��startrr��loglevel�lowzCould not set LOGLEVELzCould not load logging rules)r4rr>r0r5rrrrr?�list�	loglevels�keysZset_loglevelrM�update_loggingr�r:r:r;�start_firewall�s6



�z!UFWBackendIptables.start_firewallcCs�|jr
dS|��d}|j}|r*d}|j}dD]p}|dksB|dkrl|rX|jddsXq.n|sl|jddslq.t|d	d
|d|g�\}}|dkr.td
�dSq.dS)zCheck if all chains existFr�ufw6)rrrr�limit-acceptrr�rrr^r_z-user-rz_need_reload: forcing reloadT)r4rkrrnrlrr)r3r��prefix�exer9rvror:r:r;�_need_reloads&zUFWBackendIptables._need_reloadcCs�td�}|jr(td�|��r�td�n�|��r�z4|jdD]$}|�|d|g�|�|d|g�q<Wntk
r�t|��YnXt	d|j
dg|jd	g�\}}|d
kr�t|d��|��r�t	d|j
dg|jd	g�\}}|d
kr�t|d
��dS)zReload firewall rules filerxz> | iptables-restorez> | ip6tables-restorer�-F�-Z�catrr^rz	 iptablesr
rzN)
r>r4rr/�
is_enabledr.�
_chain_cmdrMrrr5Ziptables_restoreZip6tables_restore)r3rVrrrvror:r:r;�_reload_user_rules6s.
��z%UFWBackendIptables._reload_user_rulescCs@g}t�d�}t�d�}t�d�}|�|�r�|�|�r�|�|�r\|�|�d|�d|���n|�|�d|��|�|�d|��q�|�|�d|��n
|�|�t�d�}t�d	�}	t�d
�}
d}t|�D]�\}}
|�|
�r�|�d|
���}|��d
k�rd}n|��dk�rd}nd}d||f}|	�|
��s8d|}|�d|
�||<|�||�d|d||
��|�||
�d|d||�d|
���|�||
�d|d||�d||
���q�t�d�}t|�D]j\}}
|�|
��r�|�d|
�}|�d|d|
�}|�d|d|
�}|||<|�||�|�||��q�|S) z5Return list of iptables rules appropriate for sendingz-p all zport z-j (REJECT(_log(-all)?)?)z-p tcp z-j \1 --reject-with tcp-resetz-p udp rHz(.*)-j ([A-Z]+)_log(-all)?(.*)z-j [A-Z]+_log-allz(-A|-D) ([a-zA-Z0-9\-]+)z'-m limit --limit 3/min --limit-burst 10�\2r<ZALLOWrZLIMITZBLOCKz"%s -j LOG --log-prefix "[UFW %s] "z-m conntrack --ctstate NEW z	\1-j \2\4z\1-j z-user-logging-z\1 z\1-j RETURN�\1z	 -j LIMITz+ -m conntrack --ctstate NEW -m recent --setzL -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j z-user-limitz -j z-user-limit-accept)	rNrOrRr0rT�	enumerate�stripr��insert)r3�fruler��suffix�snippetsZ	pat_protoZpat_portZ
pat_reject�pat_logZ
pat_logallZ	pat_chain�
limit_argsrtr�rLZlstrZ	pat_limitZtmp1Ztmp2Ztmp3r:r:r;�_get_rules_from_formattedRs�






��




�����������
����z,UFWBackendIptables._get_rules_from_formattedc	Cs�g}|�|||�}t�d�}t|�D]p\}}|�|�d|����|�|�r$||�d�||�|�d|��dd��|||�d|���7<q$|S)z_Return list of iptables rules appropriate for sending as arguments
           to cmd()
        z(.*) --log-prefix (".* ")(.*)r�r#r��"rHz\3)	r�rNrOr�r0rTrm�match�replace)	r3r�r�r�r�Zstr_snippetsrWrtr�r:r:r;�_get_lists_from_formatted�s

z,UFWBackendIptables._get_lists_from_formattedcCs�|jdg}|��r$|�|jd�|D�]v}ztj�|�}Wn(tk
rftd�|}t|��YnXt	�
d�}t	�
d�}t	�
d�}|D�]
}|}	d}
d|kr�|�d�\}	}|��}
|�
|	�r�|�d|	�}t	�d	|���}
t|
�d
ks�t|
�dk�rtd�|}t|�q�q�d
}d}d}t|
�dk�s6t|
�dk�rtd�|}|
d�d�d}d|
dk�rd|
dk�r�|�|
d��r�|�|
d��r�|
d�d�d�d�d}|
d�d�d�d�d}nR|
d�d��r�|
d�d�d}n.|
d�d��r|
d�d�d}n
t|�q��z
|
d}d}d|k�rHd}|�d�d}t|
�dk�r�t||
d|
d|
d|
d|
d|||
�	}nvt||
d|
d|
d|
d|
d|||
�	}t	�
d�}|
d
d k�r�|�d!|
d
�|_|
dd k�r�|�d!|
d�|_|dk�r|�d
|�|dk�r&|�d"|�Wn.tk
�rVtd#�|}t|�Yq�YnX||jdk�r�|�d�|j�|�q�|�d�|j�|�q�|��q(d$S)%z$Read in rules that were added by ufwrr
zCouldn't open '%s' for readingz^### tuple ###\s*zin_\w+zout_\w+rHz	 comment=z\s+��	z)Skipping malformed tuple (bad length): %sr��z$Skipping malformed tuple (iface): %s���r>r�!�ryZin_Zout_FriT�����%20r�rrozSkipping malformed tuple: %sN)r5r/r0rrPZopen_file_readrMr>rrNrOrmr�r�rTr�rrR�	partition�
startswithrr�r�Z
set_interface�set_v6r
r�close)r3ZrfnsrXrJrVZ	pat_tupleZpat_iface_inZ
pat_iface_outZ	orig_liner[r��hexr�rIZwmsgZdtyper�r�r�r�rule�	pat_space�warn_msgr:r:r;�_read_rules�s�





������
��


�


zUFWBackendIptables._read_rulescCs8|jd}|r|jd}t�|tj�s:td|�}t|��ztj�|�}Wnt	k
r`�YnX|�
�d}|j}|r�d}|j}|j
r�tj��}n|d}tj�|d�tj�|d|d	�tj�|d|d
�tj�|d|d�tj�|d|d�tj�|d|d
�tj�|d|d�tj�|d|d�tj�|d|d�tj�|d|d�tj�|d|d�tj�|d|d�tj�|d|d�tj�|d|d�tj�|d|d�|dk�r�|jdd�s|dk�r>|jdd�r>tj�|d|d�tj�|d|d�tj�|d�|D�]}|j}	|j�rnd|j}	|jdk�r�|	d|j7}	d}
|jdk�r�|jdk�r�|j}
n`|jdk�r�|jdk�r�d |j|jf}
n6|jdk�r�|
d!|j|jf7}
n|
d!|j|jf7}
|jdk�rr|jdk�rrd"|	|j|j|j|j|j|
f}|j dk�r^|d#|j 7}tj�||d$�n�t!�"d%�}d&}
|j�r�|�#d'|j�}
d&}|j�r�|�#d'|j�}d(|	|j|j|j|j|j|
||
f	}|j dk�r�|d#|j 7}tj�||d$�d)}|j�rd*}n|jd+k�r"d,}d-||f}d.||�$�f}|�%|||�D]}tj�||��qL�qPtj�|d/�tj�|d0�z|�&|j'd1�}Wnt	k
�r��YnX|D]d\}}}t(|�d2k�r�|d2d3k�rސq�|�)|d&��r�tj�|d%�*|��+d4d5��+d6d7�d$��q�tj�|d8�|dk�rB|jdd�s\|dk�r�|jdd�r�tj�|d9�|j'd1d:k�r�tj�|d;|d<d%�*|j,�d=|j-d>�tj�|d;|d?�tj�|d;|d@�tj�|dA�tj�|dB�z(|j
�rtj�.|dC�ntj�.|�Wnt	k
�r2�YnXdDS)Ez.Write out new rules to file to user chain filerr
z'%s' is not writablerr�rIz*filter
riz-user-input - [0:0]
z-user-output - [0:0]
z-user-forward - [0:0]
z-before-logging-input - [0:0]
z-before-logging-output - [0:0]
z -before-logging-forward - [0:0]
z-user-logging-input - [0:0]
z-user-logging-output - [0:0]
z-user-logging-forward - [0:0]
z-after-logging-input - [0:0]
z-after-logging-output - [0:0]
z-after-logging-forward - [0:0]
z-logging-deny - [0:0]
z-logging-allow - [0:0]
rrrz-user-limit - [0:0]
z-user-limit-accept - [0:0]
z### RULES ###
zroute:rHr>zin_%s!out_%sz%s_%sz#
### tuple ### %s %s %s %s %s %s %sz comment=%srjrr�r�z)
### tuple ### %s %s %s %s %s %s %s %s %srrror�
%s-user-%sz	-A %s %s
z
### END RULES ###
z
### LOGGING ###
r�r�-D�[z"[z] z] "z### END LOGGING ###
z
### RATE LIMITING ###
�offz-A z-user-limit z "z "
z-user-limit -j REJECT
z-user-limit-accept -j ACCEPT
z### END RATE LIMITING ###
zCOMMIT
FN)/r5r(�access�W_OKr>rrrPrQrMrkrr
r4�sys�stdout�filenorSrlr�rr�r�r�rKr�r�r�r�r{r�r|r�rNrOrT�format_ruler��_get_logging_rulesr?r�r�r*r�r1r2rU)r3r�Z
rules_filerVrYr6rrZr�r�ZifacesZtstrr�r�r��chain_suffixr9�rule_strr�Zlrules_trr�qr:r:r;�_write_rules
sZ

�����������������

��
�������
��
������zUFWBackendIptables._write_rulesTc	Cs�|��d}|jrR|��s*td�}t|��|jdkrx|jddsxtd�|jSn&|jdkrx|jddsxtd�|jS|jr�|jdkr�|jd	kr�td
�}t|��g}d}d}|j	}|j
}	|jr�|jdkr�|jdks�|j
dkr�td
�S|j}|	dk�s|	t|�k�rtd�|	}t|��|	dk�r:|j�r:td�}t|��|	t|�k�r\td�|	}t|��z|��Wntk
�r��YnXd}
d}d}d}
|D�]p}z|��Wntk
�r��YnX|j|j|j|j
f}|
|	k�rL|
ddk�r|
ddk�r|
dk�s,|ddk�r"|ddk�s,|
|k�rDd}|�|���d}
n|	d7}	|}
|
d7}
t�||�}|dk�rv|d7}|dk�r�|�s�|�s�d}|j�s|�|���n^|dk�r�|j�r�|jdk�r�d}n:|dk�r�|j�s�|�s�d}d}|�|���n
|�|��q�|�r8|dk�r�td�}|j�r2|d7}|Sn~|�sT|j�sT|�|���|�s�|j�r�|j�s�td�}|j�r�|d7}|S|�r�|j�s�|�s�td�}|j�r�|d7}|S|j�r�||_n||_	z|�|j�Wn<tk
�r��Yn&tk
�rtd�}t|�YnXtd�}|j�r2td�}|���r�|j�s�d}|�sb|�|j��sb|�r�d}|�rz|td�7}n|td �7}|j�r�|d7}|�r�z|��Wntk
�r��YnXn|td!�7}n�|�r<|j�r<d"}td#�}|j�r�|d7}|�r.z|��Wntk
�r&�YnXd}n|td!�7}n |�s\|�s\|j�s\d$}td%�}|dk�r�|j}d&}|j�r�|j }d'}|d7}d(}|j!�r�d)}n|j"d*k�r�d+}d,||f}td-�}t#|d.|d/g�\}}|dk�r�t|��d0|||�$�f}t%�&d1�}|�'|||�D]�}t#|g|�\}}|dk�rDt(|t)j*�t|�|d$k�r|�+d2�,|���r|�-d3d2�,|��}t#|d"|d4d5g�\}}|dk�rt.d6|��q|S)7aXUpdates firewall with rule by:
        * appending the rule to the chain if new rule and firewall enabled
        * deleting the rule from the chain if found and firewall enabled
        * inserting the rule if possible and firewall enabled
        * updating user rules file
        * reloading the user rules file if rule is modified
        rHz)Adding IPv6 rule failed: IPv6 not enabledrrz#Skipping unsupported IPv6 '%s' rulerz#Skipping unsupported IPv4 '%s' ruleZudpZtcpz/Must specify 'tcp' or 'udp' with multiple portsFz1.4z:Skipping IPv6 application rule. Need at least iptables 1.4rzInvalid position '%d'z Cannot specify insert and deletez#Cannot insert rule at position '%d'ry)rHrHrHrHr�r�T���z Skipping inserting existing ruler}z"Could not delete non-existent rulezSkipping adding existing rulezCouldn't update rules filez
Rules updatedzRules updated (v6)z
Rule insertedzRule updatedz (skipped reloading firewall)r�zRule deleted�-Az
Rule addedrr�rrrorr��!Could not update running firewallr_r^z%s %s %sz(-A +)(ufw6?-user-[a-z\-]+)(.*)rr�r!�RETURNzFAILOK: -D %s -j RETURN)/rkr�r/r>rr�rlZmultir�r�positionZiptables_versionr�r�r
r��remove�	normalizerMr{r|r0�dup_rulerr�r�r4r�r�r�r�rrnrrKrr�rNrOr�rr��stderrrRr*rTr)r3r�Zallow_reloadr@rVZnewrules�foundZmodifiedrr�r�ZinsertedZmatchesZlastr�ZcurrentZret�flagr�r6r�r9rvror�r�r�rrr:r:r;�set_rule�sR
�

&
�
��





�

zUFWBackendIptables.set_rulec
Cstg}g}|r|j}n|j}|��}|�|�|��|��}|D].}|��}|��|��}	|	|kr@|�|�q@|S)z@Return a list of UFWRules from the system based on template rule)r
rr�r�r�r�r0)
r3�templater�rr�Znormr�r�rIZ	tmp_tupler:r:r;�get_app_rules_from_system�s 
z,UFWBackendIptables.get_app_rules_from_systemcCsZ|j}|�d�r|j}t|g|�\}}|dkrVtd|�}|rNtd|�nt|��dS)zPerform command on chainr�rzCould not perform '%s'zFAILOK: N)rr�rnrr>rr)r3r9rp�fail_okr�rvrorVr:r:r;r��s
zUFWBackendIptables._chain_cmdc		Cs�|jr
dS|��g}z|�|�}Wntk
r:�YnXz|jdd�|jdd�Wn8tk
rn�Yn$tk
r�td�}t|�YnX|��s�dStd�}|jd|jd|jd	|jd
D]:}z|�	|d|dg�Wq�tk
�rt|��Yq�Xq�zJ|jd|jd	|jd
D]&}|�	|d
|g�|�	|d|g��q*Wntk
�rrt|��YnX|D]�\}}}d}t
|�dk�r�|ddk�r�d}zH|dk�r�t
|�dk�r�|j	|dg|dd�dd�|�	|||�Wntk
�rt|��YnX�qxdD]�}|jdd�r4|dk�sN|jdd�r|dk�r|j	|d|g|j|j
dgdd�|jddk�r|j	|d|g|j|j
dgdd��qdS)z#Update loglevel of running firewallNF)r�Tz&Couldn't update rules file for loggingr�rrrrr_r^r�r�rr��delete_firstry)r�)rgrhrrrgrrhrr�r��-I)r4rkr�rMr�rr>r�r.r�r�rlr1r2r?)	r3r��rules_trVrrr�r�r�r9r:r:r;r��s�������
���
��z!UFWBackendIptables.update_loggingc	Cs�g}|t|j���kr*td�|}t|��|dkr^|jdD]}|�|d|ddgdg�q<|S|jdD]}|�|d|ddgd	g�qhd
ddd
ddg}|j||jdk�r@g}|j||jdkr�|}|jdD]�}dD]�}|�|�r�|�|�dk�s|�|�dk�r.d}|�|d|ddd|g|d	g�q�|j||jdkr�d}|�|d|ddd|g|d	g�q�q�g}|j||jdk�r�|}|jdD]�}|�d��r�d}nt|�d��rd}|j||jdk�r�|�|d|d
ddd ddg|d	g�n(|�|d|d
ddd dddd!g
|d	g�|�|d|ddd|g|d	g��q�|j||jdk�r�g}|j||jd"k�rt|}|j||jdk�r�d
ddd#g|}d$}|jd%D]&}|�|d|ddd|g|d	g��q�|S)&z%Get rules for specified logging levelzInvalid log level '%s'r�rr�r!r�r�r�rHrrr z3/minz
--limit-burstZ10r�Zhighrrr=rCz[UFW BLOCK] r�r"r#Zmediumz[UFW ALLOW] rrBZ	conntrackz	--ctstateZINVALIDz[UFW AUDIT INVALID] ZfullZNEWz[UFW AUDIT] r)	r�r�r�r>rr.r0�endswithr�)	r3r�r�rVrrr�Zlargsrur�r:r:r;r�
s�
�������
���������
���
z%UFWBackendIptables._get_logging_rulesc
Cs�d}ttjj|j�}g}|jD]d}|j|�d�s4q|�|j|�tj	�
|dtj	�|j|��}tj	�|�st
d�|}t|��qt�d�}|D]0}d||f}tj	�|�r�t
d�|}t|��q�|D]:}d||f}|t
d�tj	�|�|d	�7}t�||�q�|D]�}d||f}t�tj	�
|dtj	�|��tj	�|��t�||�zt�|�}	|	tj}
Wn0tk
�r�t
d
�|}t|�Y�qYnX|
tj@�r�|t
d�|7}n|
tj@�r|t
d�|7}�q|S)
zReset the firewallrHz.rulesrzCould not find '%s'. Abortingz
%Y%m%d_%H%M%Sz%s.%sz'%s' already exists. Abortingz"Backing up '%(old)s' to '%(new)s'
)�old�newzCouldn't stat '%s'zWARN: '%s' is world writablezWARN: '%s' is world readable)r	rr$�	share_dirrr5r�r0r(r)r*�basename�isfiler>r�time�strftime�exists�rename�shutil�copy�dirnameZcopymode�stat�ST_MODErMr�S_IWOTH�S_IROTH)r3�resr�Zallfilesrt�fnrVZextr�Zstatinfo�moder�r:r:r;�resetgsZ

�


�
�
�
zUFWBackendIptables.reset)NN)FF)F)T)F)�__name__�
__module__�__qualname__�__doc__r-rAr\rwr�r�r�r�r�r�r�r�r�r�r�r�r�r�rr:r:r:r;r
s.
,K]
f!De
*
i

JZr
)rr(rNrrr�rZ
ufw.commonrrZufw.utilrrrrrr	Zufw.backendrr+r,r
r:r:r:r;�<module>s 
@ Telegram