U

��\7j�@s~dZd
dl
Z
d
dlZd
dlZd
dlZd
dlZd
dlZd
dlZd
dlm	Z	m
Z
mZmZ
d
dl
mZmZ
d
dlZGdd�d�ZdS)z&backend.py: interface for ufw backends�N)�error�warn�debug�	_findpath)�UFWError�UFWRulec@s�eZ
dZd
Zd=dd�
Zdd�Zdd�Zd	d
�Zd>d
d�
Zdd�Z	dd�Z
dd�Zdd�Zdd�Z
dd�Zdd�Zdd�Zdd �Zd!d"�Zd#d$�Zd%d&�Zd'd(�Zd)d*�Zd+d,�Zd-d.�Zd/d0�Zd1d2�Zd3d4�Zd5d6�Zd7d8�Zd9d:�Zd;d<�ZdS)?�
UFWBackendzInterface for backendsNcCsJ
d|_|
|_
||_g|_g|_ttjj|�}t	j
�|d
�t	j
�|d�t	j
�|d�d�|_|dk	rl|j�
|�

ddddd	d
�|_tjj|_|��
|��
|��
tj�|jd�
|_t	j
�tjjd�|_t	j
�tjjd
�|_t	j
�tjjd�|_t	j
�tjjd�|_ztj�|j�
|_Wn&tk
�
r>


td�
}t |�
�
YnXd|_!dS)Nzdefault/ufwzufw/ufw.confzufw/applications.d)�defaults�conf�appsr
�d��i,
i�
)�off�lowZmediumZhighZfullr�iptablesziptables-restore�	ip6tableszip6tables-restorez#Couldn't determine iptables version)"r	�name�dryrun�rules�rules6r�ufw�commonZ
config_dir�os�path�join�files�update�	loglevels�	do_checks�
_do_checks�
_get_defaultsZ_read_rules�applicationsZget_profiles�profilesZiptables_dirrZiptables_restorerZip6tables_restore�utilZget_iptables_versionZiptables_version�OSError�
_r�caps)�selfrrZextra_filesZrootdirZdatadir�
p�err_msg�r*�-/usr/lib/python3/dist-packages/ufw/backend.py�__init__ sJ






�




�





�

�



zUFWBackend.__init__c

Csf
|jd
k	rd
Si|_i|jd<d|jdd<d|jdd<|j
�
rbt��dk�
rb|j�
sbztj�|j�
}
WnHt	k
r�
}
z*d|}|�
�r�t|�

t|�

WY�d
Sd
}~XYnXd	|
kr�d
|
kr�d|jdd<nd|jdd<|�
��
rbztj�|j�
}
Wn0t	k
�
r.
}
ztd|�

W5d
}~XYnXd	|
k�
rTd
|
k�
rTd|jdd<nd|jdd<d
S)zgInitialize the capabilities database. This needs to be called
           before accessing the database.N�limitT�
4F�
6r
zinitcaps
%sz
recent-setz
recent-update)r&rr�getuidrrr#Zget_netfilter_capabilitiesrr$�
is_enabledrr�use_ipv6r)r'Znf_caps�
e�msgr*r*r+�initcapsLs4



















zUFWBackend.initcapsc

Cs d
|jkr|jd
dkrdSdS)z!Is firewall configured as enabled�enabled�yesTF)
r	�
r'r*r*r+r1xs


�
zUFWBackend.is_enabledc

Cs,d
|jkr(|jd
dkr(t
j�d�
r(dSdS)z"Is firewall configured to use IPv6Zipv6r7z/proc/sys/net/ipv6TF)r	rr�existsr8r*r*r+r2s

�
�
zUFWBackend.use_ipv6�inputFc	Cs�d
|
d}d}|j|dkr$d}n|j|dkr8d}nd}|r�|
dkr�d	}t
d
�
}tj�ddg�
\}}|d
krxt|�
�
d|kr�d}|��r�tj�ddg�
\}}|d
kr�d|kr�d}tj�ddg�
\}}|d
kr�d|kr�d}|s�d}|S)z.Get default policy for specified primary chainZdefault_Z_policy��accept�allow�reject�deny�forwardFzproblem running sysctlZsysctlznet.ipv4.ip_forwardr
�
1Tz net.ipv6.conf.default.forwardingznet.ipv6.conf.all.forwardingZdisabled)r	r%rr#�cmdrr2)	r'ZprimaryZ
check_forward�policy�rstrr6r)Zrc�outr*r*r+�_get_default_policy�s2















zUFWBackend._get_default_policyc
	Csp|jst
d
�
}
t|
�

dSt��t��kr:t
d�
}
t|
�
�
t��t��krZt
d�
}
t|
�
�
t��}|dkrzt
d�
}
t|
�
�
i}i}i}g}tj	�
|jd�
s�t
d�
|jd}t|�

nDt�
d	�
}t�|jd�
D](}	|�|	�
s�|�tj	�|jd|	��

q�t|j���
tj	�tjd�
g
|D�
]�}
|
�d
�
�
sDdt��|
f}
td|
�

|
|jdk�
rxtj	�
|jd�
�
sx�
q"zt�|
�
}|tj}Wn@tk
�
r�


t
d
�
|
}
t|
�
�
Yntk
�
r�


�YnXd}
d}d}z4t�|j �
d|
k�st�|j �
d|k�rd}Wnt!k
�r(


YnX|j dk�rt|�st|
|k�rtt
d�
t"|�
|
t"|j �
d�}t|�

d||
<|tj#@�r�|
|k�r�t
d�
|
}t|�

d||
<|tj$@�r�|
|k�r�|j%dk�r�t
d�
|
}t|�

d||
<|
d
k�r�
q"|
}tj	�&|
�
}
|
�
sDtt'j(d|��
�
qD�
q"|jD]D}|dk�r&tj	�)|j|�
�s&t
d�
||j|d�}
t|
�
�
�q&dS)a8Perform basic security checks:
        is setuid or setgid (for non-Linux systems)
        checks that script is owned by root
        checks that every component in absolute path are owned by root
        warn if script is group writable
        warn if part of script path is group writable

        Doing this at the beginning causes a race condition with later
        operations that don't do these checks.  However, if the user running
        this script is root, then need to be root to exploit the race
        condition (and you are hosed anyway...)
        zChecks disabledTz%ERROR: this script should not be SUIDz%ERROR: this script should not be SGIDr
z&You need to be root to run this scriptrz'%s' does not existz^\.�
/z%s/%sz	Checking zCouldn't stat '%s'ZclickpkgZ	snappypkgFz4uid is %(uid)s but '%(path)s' is owned by %(st_uid)s)�uidr�st_uidz%s is world writable!z%s is group writable!zCould not find parent for '%s'z&'%(f)s' file '%(name)s' does not exist)�
frN)*rr%rrr0�geteuidr�getgid�getegidr�isdirr�re�compile�listdir�search�appendr�list�values�abspath�sys�argv�
startswith�getcwdr�stat�ST_MODEr$�	Exception�pwd�getpwuidrI�KeyError�str�S_IWOTH�S_IWGRP�st_gid�dirname�errnoZENOENT�isfile)r'r)rHZwarned_world_writeZwarned_group_writeZwarned_ownerr"Zwarn_msg�pat�profilerZstatinfo�modeZ
click_userZ	snap_userZis_unpack_userZ	last_pathrJr*r*r+r�s�






















��



�












�


�


��






�








��



�zUFWBackend._do_checksc

	Cs
i|_|j
d
|j
dfD]�}
ztj�|
�
}Wn(tk
rV


td�
|
}t|�
�
YnXt�	d�
}|D]>}|�
|�
rft�d|���}|d�
��d�
|j|d�
�<qf|��
qd	d
dg}dD]V}d
||jkr�td|�
}t|�
�
|jd
|}	|	|kr�td|	|d��
}t|�
�
q�dS)z#Get all settings from defaults filer	r
zCouldn't open '%s' for readingz^\w+="?\w+"?�
=�
�"'r
r<Zdropr>)r:�outputr@zdefault_%s_policyzMissing policy for '%s'z+Invalid policy '%(policy)s' for '%(chain)s')rC�chainN)r	rrr#Zopen_file_readr]r%rrOrPrR�split�strip�lower�close)
r'rJ�origr)rh�line�tmpZpolicies�
cr(r*r*r+r 
s0












"









�zUFWBackend._get_defaultsc
Cs
t�
d
|�std�
}t|�
�
t�|
tj�s>td|
�
}t|�
�
tj�	|
�
}|d}d}t�
d|d�
}|dD]<}	|�|	�
r�tj�||d|d	�
d
}qptj�||	�
qp|s�tj�||d|d	�
ztj�
|�

Wntk
r�


�YnX|���d�
|j|��<dS)
zSets option in defaults filez^[\w_]+$zInvalid optionz'%s' is not writablervF�
^rkrt�

TrmN)rO�matchr%rr�access�W_OKrr#Z
open_filesrPrRZ
write_to_fileZclose_filesr]rrrqr	)
r'�fnZopt�valuer)Zfns�fd�foundrhrur*r*r+�set_default:
s,














zUFWBackend.set_defaultcCs�|js�|
d
kr$|�
|jddd�
nn|
dkrB|�
|jddd�
nP|
dkr`|�
|jddd�
n2|
d	kr~|�
|jddd
�
ntd�
|
}t|�
�
td�
|
}|S)
z+Sets default application policy of firewallr=r	ZDEFAULT_APPLICATION_POLICYz"ACCEPT"r?z"DROP"r>z"REJECT"�skipz"SKIP"zUnsupported policy '%s'z*Default application policy changed to '%s')rr�rr%r)r'rCr)rDr*r*r+�set_default_application_policy^
s2



�


�


�


�
z)UFWBackend.set_default_application_policycCs\g}t|j
���
}|
j|k�
r\|
j|k�
r\tj�|j
|
j�
}tj�|j
|
j�
}|D�
]}|
��}d
|_	|�
dd�
tj�|�
\}}	|�
|	�

|�
|d�
|
j	|_	|
j|
jkr�d
|_tj�|�
\}}	|�
|	�

|�
|d�
|
j|_|�|�

qV|D]b}
|��}d
|_tj�|
�
\}}	|�
|	�

|�
|d�
|jdk�
rD|�
|j�

|
j|_|�|�

q�qVn�|
j|k�
r�tj�|j
|
j�
D]L}|
��}d
|_tj�|�
\}}	|�
|	�

|�
|d�
|
j|_|�|�

�
q|nn|
j|k�r:tj�|j
|
j�
D]L}|
��}d
|_	tj�|�
\}}	|�
|	�

|�
|d�
|
j	|_	|�|�

�
q�t|�
dk�rXtd�
}
t|
�
�
|S)z4Return a list of UFWRules based on the template ruler;�any�src�dstrlz&No rules found for application profile)rTr"�keysZdportZsportrr!Z	get_ports�dup_rule�dapp�set_portr#Zparse_port_proto�set_protocol�sapprSZprotocol�lenr%r)r'�templaterZ
profile_namesZdportsZsports�
irvZport�proto�
j�ruler(r)r*r*r+�get_app_rules_from_templatey
sh












































z&UFWBackend.get_app_rules_from_templatec
CsX
g}g}d
}d
}d}|j|j
D]�}|j|
ks8|j|
kr�|��}||krLq q�|��}	|	�d�

|	jd
krv|	�|	jd�
|	jd
kr�|	�|	jd�
|�|	�
}
|
D](}|�	�
|j
r�|�|�

q�|�|�

q�|}d}q |j
r�|�|�

q |�|�

q |�
rP||_||_
|td�
|
7}z|�
d�

|�
d�

Wn&tk
�
rN


td�
}t|�
�
YnX||fS)	z�Update rule for profile in place. Returns result string and bool
           on whether or not the profile is used in the current ruleset.
        r;Fr�r�r�TzRules updated for profile '%s'z!Couldn't update application rules)rrr�r��
get_app_tupler�r�r�r�Z	normalize�v6rSr%Z_write_rulesr]r)
r'riZ
updated_rulesZupdated_rules6Z
last_tuplerDZupdated_profile�
r�tuplr�Z
new_app_rulesZnew_rr)r*r*r+�update_app_rule�
sP















�













zUFWBackend.update_app_rulecCs�|
|jkr|
Sd
}d}t
|j���
D] }|��|
��kr$|}|d7}q$d||
f}t|�

|dkrf|S|dkr|td�
|
}ntd�
|
}t|�
�
dS)z2Find the application profile name for profile_namer;r
rlz'%d' matches for '%s'z>Found multiple matches for '%s'. Please use exact profile namez&Could not find a profile matching '%s'N)r"rTr�rrrr%r)r'Zprofile_namerzZmatches�
nZ	debug_msgr)r*r*r+�find_application_name�
s(













�
�z UFWBackend.find_application_namecCs@
|r|
t|j
�
krt��
|s0|
t|j�
kr0t��
|
d
kr>t��
g}|rN|j
}n|j}i}d}t|�
D]N\}}||
krx
q�d}|jdks�|jdkrd|��}||kr�|d
7}qdd||<qdg}|r�|j}|j
|
d
|��}	|	�	d�

n&|j
}|j|
d
|��}	|	�	d�

d
}
|D](}t
�||	�dk�
r0|

S|
d
7}
�
qdS)a.
Return the absolute position in the other list of the rule with the
           user position of the given list. For example, find_other_position(4,
           True) will return the absolute position of the rule in the ipv4 list
           matching the user specified '4' rule in the ipv6 list.
        rlr
r;TF)r�r�
ValueErrorr�	enumerater�r�r�r�Zset_v6rrz)r'Zpositionr�r�	app_rulesZtuple_offsetr�r�r�Z
match_rule�countr*r*r+�find_other_positionsF

























zUFWBackend.find_other_positionc
Cs|d
}
td�
}d|j
ks.|j
dt|j���
kr@d}
|td�
7}n4|j|j
d}
|
d
krb|d7}n|d|j
d7}|
|fS)z"Gets current log level of firewallr
z	Logging: �loglevel����unknownrzon (%s))r%r	rTrr�)r'�levelrDr*r*r+�get_loglevelOs



�




zUFWBackend.get_loglevelcCs�|
t|j
���
d
g
kr,td�
|
}t|�
�
|
}|
d
kr`d|jksP|jddkrVd}n
|jd}|�|jdd|�
|�|�

|dkr�td�
Std	�
Sd
S)zSets log level of firewallZonzInvalid log level '%s'r�rrr
ZLOGLEVELzLogging disabledzLogging enabledN)	rTrr�r%rr	r�r�update_logging)r'r�r)Z	new_levelr*r*r+�set_loglevel_s





�



zUFWBackend.set_loglevelc

Cs|j|j
S)
zReturn list of all rules)rrr8r*r*r+�	get_rulesuszUFWBackend.get_rulescCstg}|
r|j}n|j
}d
}i}|D]L}d}|jdks>|jdkrf|��}||kr^td|�

q"nd||<|d7}q"|S)z/Return number of ufw rules (not iptables rules)r
r;�Skipping found tuple '%s'Trl)rrr�r�r�r)r'r�rr�r�r�r�r*r*r+�get_rules_countys 










zUFWBackend.get_rules_countcCsz|��}d
}i}|D]`}d}|j
dks0|jdkrX|��}||krPtd|�

qnd||<|t|
�
krl|
S|d
7}qdS)z:Return rule specified by number seen via "status numbered"rlr;r�TN)r�r�r�r�r�int)r'Znumrr�r�r�r�r*r*r+�get_rule_by_number�s










zUFWBackend.get_rule_by_numbercCs>g}d
}|��D](}|d7}|
�
|�
}|dkr|�|�

q|S)zmSee if there is a matching rule in the existing ruleset. Note this
           does not group rules by tuples.r
rl)r�Zfuzzy_dst_matchrS)r'r�Zmatchedr�r�Zretr*r*r+�get_matching�s






zUFWBackend.get_matchingcCstd
�
�
dS)z*Set default policy for specified directionz/UFWBackend.set_default_policy: need to overrideN�
r)r'rC�	directionr*r*r+�set_default_policy�szUFWBackend.set_default_policycCstd
�
�
dS)zGet status of running firewallz,UFWBackend.get_running_raw: need to overrideNr�)r'Z
rules_typer*r*r+�get_running_raw�szUFWBackend.get_running_rawcCstd
�
�
dS)zGet managed rulesz'UFWBackend.get_status: need to overrideNr�)r'�verboseZ
show_countr*r*r+�
get_status�szUFWBackend.get_statuscCstd
�
�
dS)zUpdate firewall with rulez%UFWBackend.set_rule: need to overrideNr�)r'r�Zallow_reloadr*r*r+�set_rule�szUFWBackend.set_rulec

Cstd
�
�
dS)zStart the firewallz+UFWBackend.start_firewall: need to overrideNr�r8r*r*r+�start_firewall�szUFWBackend.start_firewallc

Cstd
�
�
dS)zStop the firewallz*UFWBackend.stop_firewall: need to overrideNr�r8r*r*r+�
stop_firewall�szUFWBackend.stop_firewallcCstd
�
�
dS)z%Get a list if rules based on templatez6UFWBackend.get_app_rules_from_system: need to overrideNr�)r'r�r�r*r*r+�get_app_rules_from_system�sz$UFWBackend.get_app_rules_from_systemcCstd
�
�
dS)z#Update loglevel of running firewallz+UFWBackend.update_logging: need to overrideNr�)r'r�r*r*r+r��szUFWBackend.update_loggingc

Cstd
�
�
dS)zReset the firewallz"UFWBackend.reset: need to overrideNr�r8r*r*r+�reset�szUFWBackend.reset)NNN)r:F) �__name__�
__module__�__qualname__�__doc__r,r5r1r2rFrr r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r*r*r*r+rs@


�
,,
&p$D><r)r�rfrr^rOr[rWZufw.utilrrrrrZ
ufw.commonrrZufw.applicationsrr*r*r*r+�<module>
s