U

��\l��@szdZd
dl
Z
d
dlZd
dlZd
dlmZ
d
dlZd
dlmZm	Z	m
Z

d
dlmZ
d
dl
Zdd�Zdd	�ZGd
d�d�ZdS)z'frontend.py: frontend interface for ufw�N)
�UFWError)�error�warn�msg)
�UFWBackendIptablesc

Cs�
tj
��}
d
D]}|
�tj
�|�
�

qdD]}|
�tj
�|�
�

q*dD]}|
�tj
�|�
�

qFdD]}|
�tj
�|�
�

qbdD]}|
�tj
�|�
�

q~dD]}|
�tj
�	|�
�

q�ddd	d
ddd
g}|D](}|
�tj
�
|�
�

|
�tj
�|�
�

q�t|�
dk�
r\d}||�
�dk�
rd}||�
�dk�
r\||�
�dk�
r\||�
�|k�
r\|�|d�
t|�
dk�
s�d|k�
r�t|�
dk�
r�td�

z|
�|dd��
}WnTtk
�
r�
}
ztd|j�

W5d}~XYn$tk
�
r�


tddd�
�YnX|S)zEParse command. Returns tuple for action, rule, ip_version and dryrun.)�enable�disable�helpz--help�versionz	--version�reload�reset)�list�info�default�update)�on�offZlowZmediumZhighZfull)�allow�deny�reject)N�verboseZnumbered)�rawzbefore-rulesz
user-ruleszafter-rulesz
logging-rules�builtins�	listening�addedr�limitrr�insert�delete�prepend��
�	--dry-runr�route�rule�znot enough argsNz%szInvalid syntaxF)
Zdo_exit)�ufw�parserZ	UFWParserZregister_commandZUFWCommandBasicZ
UFWCommandAppZUFWCommandLoggingZUFWCommandDefaultZUFWCommandStatusZUFWCommandShow�UFWCommandRule�UFWCommandRouteRule�len�lowerrr�
parse_commandr�value�	Exception)�argv�
p�
iZ
rule_commands�idx�pr�
e�r4�./usr/lib/python3/dist-packages/ufw/frontend.pyr+sN





�






��&






r+c
&Cs\td
t
jjdddddddd	d
ddd
ddddddddddddddddddd d!d"d#d$�#�
}|S)%zPrint help messagea	
Usage: %(progname)s %(command)s

%(commands)s:
 %(enable)-31s enables the firewall
 %(disable)-31s disables the firewall
 %(default)-31s set default policy
 %(logging)-31s set logging to %(level)s
 %(allow)-31s add allow %(rule)s
 %(deny)-31s add deny %(rule)s
 %(reject)-31s add reject %(rule)s
 %(limit)-31s add limit %(rule)s
 %(delete)-31s delete %(urule)s
 %(insert)-31s insert %(urule)s at %(number)s
 %(route)-31s add route %(urule)s
 %(route-delete)-31s delete route %(urule)s
 %(route-insert)-31s insert route %(urule)s at %(number)s
 %(reload)-31s reload firewall
 %(reset)-31s reset firewall
 %(status)-31s show firewall status
 %(statusnum)-31s show firewall status as numbered list of %(rules)s
 %(statusverbose)-31s show verbose firewall status
 %(show)-31s show firewall report
 %(version)-31s display version information

%(appcommands)s:
 %(applist)-31s list application profiles
 %(appinfo)-31s show information on %(profile)s
 %(appupdate)-31s update %(profile)s
 %(appdefault)-31s set default application policy
ZCOMMANDZCommandsrrzdefault ARGz
logging LEVELZLEVELz
allow ARGSr#z	deny ARGSzreject ARGSz
limit ARGSzdelete RULE|NUMZRULEzinsert NUM RULEzprepend RULEz
route RULEzroute delete RULE|NUMzroute insert NUM RULEZNUMrr�statuszstatus numberedZRULESzstatus verbosezshow ARGr
zApplication profile commandszapp listzapp info PROFILEZPROFILEzapp update PROFILEzapp default ARG)#ZprognameZcommandZcommandsrrrZlogging�levelrr#rrrrZurulerrr"zroute-deletezroute-insert�numberrrr6Z	statusnum�rulesZ
statusverbose�showr
ZappcommandsZapplistZappinfo�profileZ	appupdateZ
appdefault)�
_r%�commonZprogramName)
Zhelp_msgr4r4r5�get_command_help[sN

































��Br>c@s�eZ
dZd
Zd,dd�
Zdd�Zdd	�Zd
d�Zd-d
d�
Zd.dd�
Z	dd�Z
dd�Zdd�Zd/dd�
Z
d0dd�
Zdd�Zdd�Zd d!�Zd"d#�Zd$d%�Zd&d'�Zd(d)�Zd1d*d+�
ZdS)2�UFWFrontendZUI�iptablesNcCsd|d
kr6zt|
||d�|_
WqBtk
r2


�YqBXntd|�
�
td�
|_td�
|_td�
|_dS)Nr@)�rootdir�datadirzUnsupported backend type '%s'�
n�
y�yes)r�backendr-rr<�norE�yes_full)�self�dryrunZbackend_typerArBr4r4r5�__init__�s


�





zUFWFrontend.__init__c
Csz
d
}d}|
rd}d}|
r"|j�
�r0|
s4|j�
�r4d}|r�z|j�|jjdd|�
Wn,tk
r�
}
zt|j�

W5d}~XYnXd
}|
�
r0z|j��
Wn,tk
r�
}
z|r�|j}W5d}~XYnX|d
k�
r&z|j�|jjddd�
Wn.tk
�
r
}
zt|j�

W5d}~XYnXt|�

td	�
}nFz|j�	�
Wn.tk
�
rl
}
zt|j�

W5d}~XYnXtd
�
}|S)zlToggles ENABLED state in <config_dir>/ufw/ufw.conf and starts or
           stops running firewall.
        �rGrEFT�confZENABLEDNz0Firewall is active and enabled on system startupz/Firewall stopped and disabled on system startup)
rF�
is_enabledZset_default�filesrrr,�start_firewallr<�
stop_firewall)rI�enabled�resZ
config_strZchangedr3Z	error_strr4r4r5�set_enabled�sT



�
�


�









�




zUFWFrontend.set_enabledc
Csfd
}z0|j�
|
|�}|j��r2|j��
|j��
Wn,tk
r`
}
zt|j�

W5d}~XYnX|S)zSets default policy of firewallrLN)rF�set_default_policyrNrQrPrrr,)rI�policy�	directionrSr3r4r4r5rU�s








zUFWFrontend.set_default_policyc
CsFd
}z|j�
|
�
}Wn,tk
r@
}
zt|j�

W5d}~XYnX|S)zSets log level of firewallrLN)rF�set_loglevelrrr,)rIr7rSr3r4r4r5rX�s



zUFWFrontend.set_loglevelFc
CsDz|j�
|
|�}Wn,tk
r>
}
zt|j�

W5d
}~XYnX|S)zShows status of firewallN)rF�
get_statusrrr,)rIrZ
show_count�outr3r4r4r5rY

s



zUFWFrontend.get_statusrc
CsBz|j�
|
�
}Wn,tk
r<
}
zt|j�

W5d
}~XYnX|S)zShows raw output of firewallN)rFZget_running_rawrrr,)rIZ
rules_typerZr3r4r4r5�get_show_raw

s



zUFWFrontend.get_show_rawc
Cs$d
}
ztj
�|j���
}Wn$tk
r>


td�
}t|�
�
YnX|j��}t	|�
��
}|��
|D�
]�}|j��s||dkr|qb|
d|7}
t	||�
��
}|��
|D�
]^}|||D�
]J}	|	d}
|
�d�
s�|
�d�
s�d
}|
d|7}
|
d	ks�|
d
k�
r|
d7}
d|	d}
n|
d
|
7}
tj
�
|
�
}|
dtj�|	d�
7}
tjjd|dd�||
ddd�}|�|�d�
�

|d
k�
r�|�d|�
|��
|j�|�
}
t|
�
dk�
r�|
d7}
|
D]D}|dk�
r�|dt|�
k�
r�|
d|tjj�||d�
f7}
�
q�|
d7}
q�q�qb|j���s tj
�d�

|
S)zMShows listening services and incoming rules that might affect
           themrLzCould not get listening status)Ztcp6Zudp6z%s:
Zladdrz127.z::1z  %s z0.0.0.0z::z* z%s/0z%s z(%s)�exerNr$�inF)�actionZprotocolZdport�dstrW�forward�
6r
�

r z   [%2d] %s
z)Skipping tcp6 and udp6 (IPv6 is disabled))r%�utilZparse_netstat_outputrF�use_ipv6r-r<r�	get_rulesr
�keys�sort�
startswithZget_if_from_ip�os�path�basenamer=ZUFWRule�set_v6�endswithZ
set_interfaceZ	normalizeZget_matchingr)r&r'�get_command�debug)rIrS�
d�err_msgr9Z	protocols�proto�portsZport�itemZaddrZifnamer#Zmatchingr0r4r4r5�get_show_listening
sl




















�










�








��
zUFWFrontend.get_show_listeningc
Cs�|j�
�}
td
�
}t|
�
dkr*|td�
Sg}|j�
�D]L}|jrVdtjj�|�
}ntjj	�|�
}||krnq8|�
|�

|d|7}q8|S)z!Shows added rules to the firewallz9Added user rules (see 'ufw status' for running firewall):r
z
(None)�route %sz
ufw %s)rFrer<r)r`r%r&r(rnr'�append)rIr9rZr�
r�rstrr4r4r5�get_show_added[
s 





�


zUFWFrontend.get_show_addedcCsd
}d
}d
}g}|
jd
kr2|
j
d
kr2|�|
�

�
n�g}�
zt|
j�
r�|dkrZ|j�|
d�}n�|dkrr|j�|
d�}nt|dkr�|j�|
d�}|j�|
d�}|D]4}	|D]*}
|
j}d|
_|	�|
�
s�||
_|�|
�

q�q�ntd�
|}t	|�
�
t
|�
dk�
rJ|jj�
sJtd	�
}|dk�
r|}n.|dk�
r*|d
}n|dk�
rD|d|d
}|WS|D]8}|��}|
j|_|�
|
j�

|�|
j�

|�|�

�
qNn |j�|
�
}|
jdk�
r�|��
Wntk
�
r�


�YnXd}
d}td�
}|j�d�
}|j�d�
}t|�
D�]\}}|}
|j||k�r.|t|j�
d
7}t	|�
�
�z�|j���r(|dk�r�|jdk�r||
dk�rl|dk�rldnd}|�|�

n&|j|k�r�|t|j�
d
7}t	|�
�
|�d�

|j�|�
}�q�|dk�rd|jdk�r�|
dk�r�|dk�r�dnd}|�|�

nP|j|k�r|�|j|�

n2|jdk�rJ|j|k
�rJ|t|j�
d
7}t	|�
�
|�d�

|j�|�
}�q�|dk�r|j}|�d�

|dk�r�|
dk�r�|dk�r�dnd}|�|�

nH|j�s�||k�r�|j�|||
d�}|dk�r�|�|�

n
|�d�

|j�|�
}|j�s0|dk�r0|j�d�
}|�|d�

|�d�

|dk�rl|
dk�r\|dk�r\dnd}|�|�

nT|j�s�|jdk�r�|j|k
�r�|j�|jd�}|dk�r�|�||
�

n
|�d�

|d
k�r�|d7}|j�s|j|k�r|dk�r|�|j|�

||j�|�
7}ntd�
|}t	|�
�
n�|jdk�rZ|
dk�rL|dk�rLdnd}|�|�

|dk�sn|dk�r�|�d�

|j�|�
}n0|dk�r�td�
}t	|�
�
ntd�
|}t	|�
�
Wn:t	k
�r�
}
z|j}d}WY�

�qW5d}~XYnX|j�
r�td�
}t� |�

�
q�|�s"||7}n�t
|�
dk�r:t!|�

n�d}t"t#|
d�
�
}|��
|D]p}|
dk�rZ||�rZ||��}d|_z|�||�
Wn2tk
�r�


d}td�
|�$�}t |�

YnX�qZ|td�
7}|�r�|td�
7}n|td�
7}t	|�
�
|S)zUpdates firewall with rulerL�v4F�v6TZbothzInvalid IP version '%s'r
z"Could not delete non-existent rulez (v6)rbzInvalid position '�
'���r zIPv6 support not enabledNz Rule changed after normalizationzCould not back out rule '%s'z"
Error applying application rules.z# Some rules could not be unapplied.z( Attempted rules successfully unapplied.)%�dapp�sapprw�removerFZget_app_rules_from_systemr|�matchr<rr)rJZdup_ruleZ
set_actionr^Zset_logtypeZlogtypeZget_app_rules_from_templateZposition�reverser-Zget_rules_count�	enumerate�strrdZset_positionrl�set_ruleZfind_other_positionr,�updated�warningsrrr
�rangeZformat_rule)rIr#�
ip_versionrSrq�tmpr9ZtmprulesZ	tmprules6�
xrDZprev6rx�countZ	set_errorZpos_err_msgZnum_v4Znum_v6r0ZbeginZuser_posr/r3Zwarn_msgZ
undo_errorZindexes�
jZbackout_ruler4r4r5r�x
sX









�

�

�
�










































































�












�

�





�


































�

zUFWFrontend.set_rulec
Cs^
zt|
�
}Wn(t
k
r4


td
�
|
}t|�
�
YnX|j��}|dk
sT|t|�
krhtd�
|}t|�
�
|j�|�
}|s�td�
|}t|�
�
d|_d}|j	r�d}d}|�
s:|j
r�dtjj
�|�
}	ntjj�|�
}	td�
|	|j|jd	�}
t|
tjd
d�
tj������}|dk�
r:||j��k�
r:||j��k�
r:d
}d
}|�
rR|�||�}ntd�
}|S)zDelete rulezCould not find rule '%s'r
zCould not find rule '%d'Tr{r|rvz=Deleting:
 %(rule)s
Proceed with operation (%(yes)s|%(no)s)? )r#rErGF��output�newlinerDrL�Aborted)�intr-r<rrFrer)Zget_rule_by_numberr�r|r`r%r&r(rnr'rErGr�sys�stdout�stdin�readliner*�striprHr�)
rIr8�forcerCrqr9r#r��proceedry�prompt�ansrSr4r4r5�delete_ruleDsR
















�



��


�

zUFWFrontend.delete_rulec	
CsVd
}|
�d�
rB|
�
d�
}t|�
dkr4|�|d�
}n
|�d�
}�n|
dkrX|�d�
}�n�|
�d�
r�td	�
}|
�
d
�
}t|�
dkr�t|�
�
|�|d|d�}�n�|
d
kr�|�|�
}�n�|
dkr�|��}�n�|
dkr�|�d�
}�nr|
�d�
�
r0|
�
d
�
d}|dk�
r|�	�}n|dk�
r"|�
�}n
|�|�
}�n"|
dk�
rJ|�dd�}�n|
dk�
rb|�d�
}�
n�|
dk�
rz|�d�
}�
n�|
dk�
r�|j
���
r�|�d�

|�d�

td�
}ntd�
}�
n�|
�d�
�
r�|�|
�
d
�
d|�}�
nr|
dk�s|
dk�s|
dk�s|
dk�r>|jd
k�r�z0|j
�|j�
}||jk�rB||_|�|d �
WnVtk
�r�
}
z6|j�sjt|j�

tj�|j�
�s�td!�
}t|�
�
W5d"}~XYnX|jd
k�r0z0|j
�|j�
}||jk�r�||_|�|d �
WnVtk
�r.
}
z6|j�s�t|j�

tj�|j�
�std!�
}t|�
�
W5d"}~XYnX|�||�}ntd#�
|
}t|�
�
|S)$z�Perform action on rule. action, rule and ip_version are usually
           based on return values from parse_command().
        rLz
logging-onr<r rzlogging-offrzdefault-zUnsupported default policy�
-r$rrr6zstatus-verboseTr:rrzstatus-numberedFrrr�Firewall reloadedz&Firewall not enabled (skipping reload)zdelete-rrrrr_�Invalid profile nameN�Unsupported action '%s')rh�splitr)rXr<rrUrrYrurzr[rTrFrNr�rZfind_application_nameZset_portr�rr,r%�applications�valid_profile_namer�r�)	rIr^r#r�r�rSr�rqr3r4r4r5�	do_actionus�





















































�






















zUFWFrontend.do_actionc
CsFd
}z|j�
|
�
}Wn,tk
r@
}
zt|j�

W5d}~XYnX|S)z+Sets default application policy of firewallrLN)rF�set_default_application_policyrrr,)rIrVrSr3r4r4r5r��s



z*UFWFrontend.set_default_application_policyc
Cs:t|j
j���
}
|
��
td
�
}|
D]}|d|7}q$|S)z*Display list of known application profileszAvailable applications:�
  %s)r
rF�profilesrfrgr<)rI�namesryrCr4r4r5�get_application_list�s




z UFWFrontend.get_application_listcCs�
g}|
d
kr&t|j
j���
}|��
n&tj�|
�
sBtd�
}t	|�
�
|�
|
�

d}|D�
]$}||j
jksr|j
j|s�td�
|}t	|�
�
tj�||j
j|�s�td�
}t	|�
�
|td�
|7}|td�
tj�|j
j|�
7}|td�
tj�
|j
j|�
7}tj�|j
j|�
}t|�
d	k�
s,d
|dk�
r:|td�
7}n|td
�
7}|D]}|d|7}�
qJ||t|�
d	krT|d7}qTtj�|�
S)zDisplay information on profile�allr�rLzCould not find profile '%s'zInvalid profilezProfile: %s
z
Title: %s
zDescription: %s

r �
,r
zPorts:zPort:r�z

--

)r
rFr�rfrgr%r�r�r<rrwZverify_profileZ	get_titleZget_descriptionZ	get_portsr)rc�	wrap_text)rIZpnamer�rqry�namersr/r4r4r5�get_application_info�sL












�


�



�


��




z UFWFrontend.get_application_infoc	Cs
d
}d}d}z|jj
r$tj��r$d}Wntk
r>


d}YnX|
dkr�t|jj���
}|�	�
|D]4}|j�
|�
\}}|rd|d
kr�|d7}||7}|}qdn |j�
|
�
\}}|d
kr�|d7}|�
r|j���
r|�
rz|j��
Wntk
r�


�YnX|t
d�
7}n|t
d�
7}|S)�Refresh application profilerLTFr�rbr�zSkipped reloading firewall)rF�	do_checksr%rc�	under_sshr-r
r�rfrgZupdate_app_rulerNZ_reload_user_rulesr<)	rIr;ryZallow_reloadZtrigger_reloadr�r/r��foundr4r4r5�application_updates<





















zUFWFrontend.application_updatecCs
d
}d
}|
dkr td�
}t
|�
�
|jjd}|dkrLtj�d||
f�

|S|dkrZd}n0|d	krhd
}n"|dkrvd}ntd�
|}t
|�
�
d
g
}|jjr�|�d�

|||
g7}zt	|�
}Wnt
k
r�


�YnXd|jkr�|�|j
|jd|jd�}n|�|j
d
d
�}|S)r�rLr�z%Cannot specify 'all' with '--add-new'Zdefault_application_policy�skipz'Policy is '%s', not adding profile '%s'ZacceptrZdroprrzUnknown policy '%s'r%r!r#Ziptype)r<rrF�defaultsr%rcrorJrwr+r-�datar�r^)rIr;ryrVrqr�argsr2r4r4r5�application_add7sB





�
















�zUFWFrontend.application_addcCs�d
}|
dkr|�d�
}n�|
dkr,|�d�
}n�|
dkr@|�d�
}n�|
dkrT|�d	�
}n�|
d
krf|�
�}nz|
dkrz|�|�
}nf|
dks�|
d
kr�|�|�
}d
}|
d
kr�|�|�
}|d
kr�|d
kr�|d7}||}ntd�
|
}t|�
�
|S)zzPerform action on profile. action and profile are usually based on
           return values from parse_command().
        rLz
default-allowrzdefault-denyrzdefault-rejectrzdefault-skipr�r
rrzupdate-with-newrbr�)r�r�r�r�r�r<r)rIr^r;rSZstr1Zstr2rqr4r4r5�do_application_actionas0























z!UFWFrontend.do_application_actionc
Csrd
}
|jj
rntj��rntd�
|j|jd�}t|t	j
dd�
t	j���
���}|dkrn||jkrn||jkrnd}
|
S)z6If running under ssh, prompt the user for confirmationTzWCommand may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? �rErGFr�rD)rFr�r%rcr�r<rErGrr�r�r�r�r*r�rH)rIr�r�r�r4r4r5�continue_under_ssh�s

�


zUFWFrontend.continue_under_sshcCs�d
}td�
|j
|jd�}|jjrBtj��rBtd�
|j
|jd�}|jjr�|
s�ttj�	|�
t
jdd�
t
j�
�����}|dkr�||j
kr�||jkr�td�
}|S|j��r�||�d�
7}|j��}|S)	zReset the firewallrLzTResetting all rules to installed defaults. Proceed with operation (%(yes)s|%(no)s)? r�zResetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? Fr�rDr�)r<rErGrFr�r%rcr�rr�r�r�r�r�r*r�rHrNrTr)rIr�rSr�r�r4r4r5r�s$
�
�








zUFWFrontend.reset)r@NN)FF)
r)
F)
F)
F)�__name__�
__module__�__qualname__�__doc__rKrTrUrXrYr[rurzr�r�r�r�r�r�r�r�r�r�rr4r4r4r5r?�s0


�
6


	
	HM
1
V
	.+* r?)r�rir�r�Z
ufw.commonrZufw.utilr%rrrZufw.backend_iptablesrZ
ufw.parserr+r>r?r4r4r4r5�<module>
s





>G