U Ldh@sdZddlZddlZddlZddlZddlZddlZddlmZm Z ddl m Z m Z m Z mZmZmZddlZGdddejjZdS)z-backend_iptables.py: iptables backend for ufwN)UFWErrorUFWRule)warndebugmsgcmdcmd_pipe _findpathc@seZdZdZd+ddZddZddZd d Zd,d d ZddZ ddZ ddZ ddZ ddZ ddZddZd-ddZd.dd Zd!d"Zd/d#d$Zd%d&Zd'd(Zd)d*ZdS)0UFWBackendIptableszInstance class for UFWBackendNc Csdtjjd|_||_||_i}ttjj|}ttjj|}t j |d|d<t j |d|d<t j |d|d<t j |d |d <t j |d |d <t j |d |d<t j |d|d<tj j j|d||||dggggd|_dD]}d}|dkr|r||7}n |dkrqdD]0} dD]$} d|| | f} |j| | q(q |jd|d|jd|dqdddd d!d"d#g|_d$|_d%S)&z!UFWBackendIptables initializationz# z _comment #zufw/user.rulesruleszufw/before.rulesZ before_ruleszufw/after.rules after_ruleszufw/user6.rulesrules6zufw/before6.rulesZ before6_ruleszufw/after6.rules after6_ruleszufw-initinitiptables)rootdirdatadir)beforeuseraftermisc)46ufwr)rrrinputoutputforwardz%s-%s-logging-%srz -logging-denyz-logging-allow-mlimit--limitz3/minute-jLOG --log-prefixz[UFW LIMIT BLOCK]N)rcommonZ programName comment_strrrr config_dir state_dirospathjoinbackend UFWBackend__init__chainsuse_ipv6appendufw_user_limit_logufw_user_limit_log_text) selfdryrunrrfilesr&r'Zver chain_prefixloctargetchainr:6/usr/lib/python3/dist-packages/ufw/backend_iptables.pyr- sN    zUFWBackendIptables.__init__cCs\td}|jddkr |d7}n8|jddkr8|d7}n |jddkrP|d7}n|d 7}|S) zGet current policyz New profiles:Zdefault_application_policyacceptz allowZdropz denyrejectz rejectz skip)_defaults)r3rstrr:r:r;get_default_application_policyLs   z1UFWBackendIptables.get_default_application_policyc Cs>|js|dkr4|dkr4|dkr4td|}t||dkr`|dkr`|dkr`td|}t|d }|dkrrd }n |dkr~d }d }d }|dkrz||jd d|dWntk rYnXd}d}n|dkrz||jd d|dWntk r YnXd}d}n>z||jd d|dWntk rJYnXd}d}td |}|jd|jdfD]}ztj |} Wntk rYnX| d} | dD]8} | | rtj | | || ntj | | qztj | Wntk rYnXqvtd||d} | td7} | S)zSets default policy of firewallallowdenyr=zUnsupported policy '%s'ZincomingZoutgoingroutedz%Unsupported policy for direction '%s'INPUTOUTPUTFORWARDr?zDEFAULT_%s_POLICYz"ACCEPT"z UFW BLOCKz UFW ALLOWz"REJECT"z"DROP"r rtmporigz5Default %(direction)s policy changed to '%(policy)s' ) directionpolicyz*(be sure to update your rules accordingly))r4r>rZ set_defaultr5 Exceptionrecompilerutil open_filessearch write_to_filesub close_files) r3rLrKerr_msgr9Z old_log_strZ new_log_strpatffnsfdliner@r:r:r;set_default_policyZs         z%UFWBackendIptables.set_default_policyc Cs|jr&dtd}|dtd7}|S|ddddg}g}g}|dkrn|d d d d dg}d d dg}n|d krdD] }|d||d|q|dD] }|d||d|qdD] }|d||d|qdD]}|d|qnx|dkr zChecking raw iptables zChecking raw ip6tables -nz-vz-x-Lrawz-tfilterZnatZmanglebuiltins)rErGrFz filter:%s) PREROUTINGrErGrF POSTROUTINGz mangle:%s)rcrFzraw:%s)rcrdrFznat:%sr)rrrz ufw-before-%szufw6-before-%sr ufw-user-%s ufw6-user-%srrzufw-user-limit-acceptufw-user-limitrzufw6-user-limit-acceptufw6-user-limitrz ufw-after-%sz ufw6-after-%sZloggingzufw-before-logging-%szufw6-before-logging-%szufw-user-logging-%szufw6-user-logging-%szufw-after-logging-%szufw6-after-logging-%szufw-logging-allowzufw-logging-denyzufw6-logging-allowzufw6-logging-denyz IPV4 (%s): :z(%s)  rz IPV6: ) r4r>initcapsr0capssplitrrrr/ ip6tables) r3Z rules_typeoutargsitemsZitems6cbitrcrIr:r:r;get_running_raws                             z"UFWBackendIptables.get_running_rawFc$Csd}|jr2dtd}|r.|dtd7}|Std}dD]}t|jdd|d g\}}|d krptd S|d krt|d ||r>t|jdd|d g\}}|d kr>t|dq>d}d} d} |j|j} d } i} | D]L}d}i}d}d}|sF|j dks|j dkrFd}| }|| kr>t d|qnd| |<dD]}d||<d}d}|dkr|j }|s|j dkr|j }|jr|dkr|d7}n|j}n@|j}|s|j dkr|j }|jr|dkr|d7}n|j}|dkr|dkr|||<|dkr(||dkr*|||<n||d|7<|rf|jdkrf||d|j7<|r(|dkr|j dkr||d|j 7<|jr|dkr||d7<||d7<|dkr(|j dkr(||d|j 7<|jr|dkr||d7<||d7<|dkr|dksF|dkrd||<|r|jdkr|j |jkr|j|jkr||d|j7<|dkr||d7<n6|r$|jdkr$|j|jkr$||d|j7<n>|jr$|jdkr$|j dkr$d||kr$||d7<|jr|dkrX|jdkrX||d|j7<|dkr|jdkr||d|j7<nX|dkr|jdkr||d|j7<|dkrJ|jdkrJ||d|j7<qJg}d}|js|jd krT|jr||j|r8|jd kr8||jt|d krTd!d"|}|rf|d#| 7}|j}|jr|d$}|jd%kr|js|s|sd}d}|jdkrd&|}|d'|dd|j|g|d||f7}|r||7}n0|jr | |7} n|jd kr"| |7} n||7}| d 7} q|dksR| dksR| dkrHd(}|rd|d)7}td*}td+}td,}d-}||||f}|r|d)7}||d.t|d.t|d.t|f7}||7}|dkr||7}|dkr| dkr|td/7}| dkr|| 7}|dkr2| dkr2|td/7}| dkrD|| 7}|}|r| \} }!td0|!|!d1|!d2dd3}"|"}#td4|!|"|#|d5Std6|Sd7S)8zShow ufw managed rulesrHr]zChecking iptables zChecking ip6tables problem runningrr_rer^zStatus: inactiverz iptables: %s rf ip6tablesTFzSkipping found tuple '%s')dstsrcr{z::/0 (v6)z 0.0.0.0/0any /z (%s)r|ZAnywherez on %sroz (%s)z, z[%2d] ZFWDinz # %sz%-26s %-12s%-26s%s%s z z ZToZFromZActionz%-26s %-12s%s -rjzCDefault: %(in)s (incoming), %(out)s (outgoing), %(routed)s (routed)rr)rrorDz0Status: active %(log)s %(pol)s %(app)s%(status)s)logZpolZappZstatuszStatus: active%sN)#r4r>r/rrrrnr r dappsapp get_app_tuplerr{v6dportr|sportprotocolr interface_in interface_outlogtyperKlowerr0lenr*uppercommentZ get_commentactionZ get_loglevel_get_default_policyrA)$r3verboseZ show_countrorVrKrvZout6sZstr_outZstr_rter count app_rulesrZtmp_strlocationtuplZ show_protor7ZportrIZattribsZ attrib_strZdir_strr%Zfull_strZstr_toZstr_fromZ str_actionZrules_header_fmtZ rules_headerlevelZ logging_strZ policy_strZapp_policy_strr:r:r; get_statuss~                                           zUFWBackendIptables.get_statuscCs|jrtdtdng}||jd|jdk rl|jdk rl|d||j|d||j|dt|\}}|dkrtd |}t|dS) zStop the firewallr]running ufw-initrN --rootdir --datadirz force-stoprproblem running ufw-init %s) r4rr>r0r5rrrrr3rprvrorVr:r:r; stop_firewalls       z UFWBackendIptables.stop_firewallcCs8|jrtdtdng}||jd|jdk rn|jdk rn|d||j|d||j|dt|\}}|dkrtd |}t|d |j ks|j d t |j krz| d Wn$tk rtd }t|YnXnr0r5rrrrr?list loglevelskeysZ set_loglevelrMupdate_loggingrr:r:r;start_firewalls6        z!UFWBackendIptables.start_firewallcCs|jr dS|d}|j}|r*d}|j}dD]p}|dksB|dkrl|rX|jddsXq.n|sl|jddslq.t|d d |d |g\}}|d kr.td dSq.dS)zCheck if all chains existFrufw6)rrrr limit-acceptrrrrr^r_z-user-rz_need_reload: forcing reloadT)r4rkrrnrlrr)r3rprefixexer9rvror:r:r; _need_reloads&zUFWBackendIptables._need_reloadcCstd}|jr(td|rtdn|rz4|jdD]$}||d|g||d|gq | iptables-restorez> | ip6tables-restorer-F-Zcatr r^rz iptablesr rzN) r>r4rr/ is_enabledr. _chain_cmdrMrrr5Ziptables_restoreZip6tables_restore)r3rVrrrvror:r:r;_reload_user_rules6s.  z%UFWBackendIptables._reload_user_rulesc Cs@g}td}td}td}||r||r||r\||d|d|n||d|||d|q||d|n ||td}td } td } d } t|D]\} } || r|d | }|d krd}n|dkrd}nd}d| |f}| | s8d|}|d| || <|| |d|d|| || | d|d||d| || | d|d||d|| qtd}t|D]j\} } || r|d| }|d|d| }|d|d| }||| <|| ||| |q|S) z5Return list of iptables rules appropriate for sendingz-p all zport z-j (REJECT(_log(-all)?)?)z-p tcp z-j \1 --reject-with tcp-resetz-p udp rHz(.*)-j ([A-Z]+)_log(-all)?(.*)z-j [A-Z]+_log-allz(-A|-D) ([a-zA-Z0-9\-]+)z'-m limit --limit 3/min --limit-burst 10\2r<ZALLOWrZLIMITZBLOCKz"%s -j LOG --log-prefix "[UFW %s] "z-m conntrack --ctstate NEW z \1-j \2\4z\1-j z-user-logging-z\1 z \1-j RETURN\1z -j LIMITz+ -m conntrack --ctstate NEW -m recent --setzL -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j z -user-limitz -j z-user-limit-accept) rNrOrRr0rT enumeratestriprinsert)r3frulersuffixsnippetsZ pat_protoZpat_portZ pat_rejectpat_logZ pat_logallZ pat_chain limit_argsrtrrLZlstrZ pat_limitZtmp1Ztmp2Ztmp3r:r:r;_get_rules_from_formattedRs                z,UFWBackendIptables._get_rules_from_formattedc Csg}||||}td}t|D]p\}}||d|||r$||d|||d|dd|||d|7<q$|S)z_Return list of iptables rules appropriate for sending as arguments to cmd() z(.*) --log-prefix (".* ")(.*)rr#r"rHz\3) rrNrOrr0rTrmmatchreplace) r3rrrrZ str_snippetsrWrtrr:r:r;_get_lists_from_formatteds  z,UFWBackendIptables._get_lists_from_formattedc Cs|jdg}|r$||jd|D]v}ztj|}Wn(tk rftd|}t|YnXt d}t d}t d}|D] }|} d} d|kr| d\} } | } | | r|d| } t d | } t| d kst| d krtd | }t|qqd }d}d}t| dks6t| d krtd| }| d dd}d| dkrd| dkr|| dr|| dr| d dddd}| d dddd}nR| ddr| ddd}n.| ddr| ddd}n t|qz | d}d}d|krHd}| dd}t| dkrt|| d| d| d| d| d||| }nvt|| d| d| d| d| d||| }t d}| d d kr|d!| d |_| dd kr|d!| d|_|dkr|d ||dkr&|d"|Wn.tk rVtd#| }t|YqYnX||jdkr|d|j|q|d|j|q|q(d$S)%z$Read in rules that were added by ufwr r zCouldn't open '%s' for readingz^### tuple ###\s*zin_\w+zout_\w+rHz comment=z\s+ z)Skipping malformed tuple (bad length): %srz$Skipping malformed tuple (iface): %sr>r!ryZin_Zout_FriT%20rrrozSkipping malformed tuple: %sN)r5r/r0rrPZopen_file_readrMr>rrNrOrmrrrTrrrR partition startswithrrrZ set_interfaceset_v6r r close)r3ZrfnsrXrJrVZ pat_tupleZ pat_iface_inZ pat_iface_outZ orig_liner[rhexrrIZwmsgZdtyperrrrrule pat_spacewarn_msgr:r:r; _read_ruless                   zUFWBackendIptables._read_rulesc Cs8|jd}|r|jd}t|tjs:td|}t|ztj|}Wnt k r`YnX| d}|j }|rd}|j }|j rtj}n|d}tj|dtj|d|d tj|d|d tj|d|d tj|d|d tj|d|d tj|d|dtj|d|dtj|d|dtj|d|dtj|d|dtj|d|dtj|d|dtj|d|dtj|d|d|dkr|jdds|dkr>|jddr>tj|d|dtj|d|dtj|d|D]}|j} |jrnd|j} |jdkr| d|j7} d} |jdkr|jdkr|j} n`|jdkr|jdkrd |j|jf} n6|jdkr| d!|j|jf7} n| d!|j|jf7} |jdkrr|jdkrrd"| |j|j|j|j|j| f} |j dkr^| d#|j 7} tj|| d$nt!"d%} d&} |jr| #d'|j} d&}|jr| #d'|j}d(| |j|j|j|j|j| || f } |j dkr| d#|j 7} tj|| d$d)}|jrd*}n|jd+kr"d,}d-||f}d.||$f}|%|||D]}tj||qLqPtj|d/tj|d0z|&|j'd1}Wnt k rYnX|D]d\}}}t(|d2kr|d2d3krސq|)|d&rtj|d%*|+d4d5+d6d7d$qtj|d8|dkrB|jdds\|dkr|jddrtj|d9|j'd1d:krtj|d;|d<d%*|j,d=|j-d>tj|d;|d?tj|d;|d@tj|dAtj|dBz(|j r tj.|dCn tj.|Wnt k r2YnXdDS)Ez.Write out new rules to file to user chain filer r z'%s' is not writablerrrIz*filter riz-user-input - [0:0] z-user-output - [0:0] z-user-forward - [0:0] z-before-logging-input - [0:0] z-before-logging-output - [0:0] z -before-logging-forward - [0:0] z-user-logging-input - [0:0] z-user-logging-output - [0:0] z-user-logging-forward - [0:0] z-after-logging-input - [0:0] z-after-logging-output - [0:0] z-after-logging-forward - [0:0] z-logging-deny - [0:0] z-logging-allow - [0:0] rrrz-user-limit - [0:0] z-user-limit-accept - [0:0] z### RULES ### zroute:rHr>z in_%s!out_%sz%s_%sz# ### tuple ### %s %s %s %s %s %s %sz comment=%srjrrrz) ### tuple ### %s %s %s %s %s %s %s %s %srrror %s-user-%sz -A %s %s z ### END RULES ### z ### LOGGING ### rr-D[z"[z] z] "z### END LOGGING ### z ### RATE LIMITING ### offz-A z -user-limit z "z " z-user-limit -j REJECT z-user-limit-accept -j ACCEPT z### END RATE LIMITING ### zCOMMIT FN)/r5r(accessW_OKr>rrrPrQrMrkr r r4sysstdoutfilenorSrlrrrrrrKrrrrr{rr|rrNrOrT format_ruler_get_logging_rulesr?rrr*rr1r2rU)r3rZ rules_filerVrYr6r rZrrZifacesZtstrrrr chain_suffixr9rule_strrZlrules_trrqr:r:r; _write_rules sZ                 zUFWBackendIptables._write_rulesTc Cs|d}|jrR|s*td}t||jdkrx|jddsxtd|jSn&|jdkrx|jddsxtd|jS|jr|jdkr|jd krtd }t|g}d }d }|j }|j } |jr|j d kr|j dks|j dkrtd S|j}| dks| t|krtd| }t|| dkr:|jr:td}t|| t|kr\td| }t|z |Wntk rYnXd} d } d} d} |D]p}z |Wntk rYnX|j|j|j |j f}| | krL| ddkr| ddkr| dks,|ddkr"|ddks,| |krDd} ||d} n| d7} |} | d7} t||}|dkrv| d7} |dkr|s| sd}|js||n^|dkr|jr|jdkrd}n:|dkr|js| sd}d}||n ||q| r8| dkrtd}|jr2|d7}|Sn~|sT|jsT|||s|jr|jstd}|jr|d7}|S|r|js|std}|jr|d7}|S|jr||_n||_ z||jWn<tk rYn&tk rtd}t|YnXtd}|jr2td}|r|jsd}|sb||jsb| rd}| rz|td7}n |td 7}|jr|d7}|rz |Wntk rYnXn |td!7}n|r<|jrrrrlZmultirr positionZiptables_versionrrr rremove normalizerMr{r|r0dup_rulerrrr4rrrrrrnrrKrrrNrOrrrstderrrRr*rTr)r3rZ allow_reloadr@rVZnewrulesfoundZmodifiedr rrZinsertedZmatchesZlastrZcurrentZretflagrr6rr9rvrorrrrrr:r:r;set_rulesR       &                 zUFWBackendIptables.set_rulec Cstg}g}|r|j}n|j}|}||||}|D].}|}||} | |kr@||q@|S)z@Return a list of UFWRules from the system based on template rule)r r rrrrr0) r3templaterr rZnormrrrIZ tmp_tupler:r:r;get_app_rules_from_systems   z,UFWBackendIptables.get_app_rules_from_systemcCsZ|j}|dr|j}t|g|\}}|dkrVtd|}|rNtd|nt|dS)zPerform command on chainrrzCould not perform '%s'zFAILOK: N)rrrnrr>rr)r3r9rpfail_okrrvrorVr:r:r;rs  zUFWBackendIptables._chain_cmdc Cs|jr dS|g}z||}Wntk r:YnXz|jdd|jddWn8tk rnYn$tk rtd}t|YnX|sdStd}|jd|jd|jd |jd D]:}z| |d |d gWqtk rt|YqXqzJ|jd|jd |jd D]&}| |d |g| |d|gq*Wntk rrt|YnX|D]\}}}d}t |dkr|ddkrd}zH|dkrt |dkr|j |dg|dddd| |||Wntk r t|YnXqxdD]}|j ddr4|dksN|j ddr|dkr|j |d|g|j |j dgdd|jddkr|j |d|g|j |j dgddqdS)z#Update loglevel of running firewallNF)rTz&Couldn't update rules file for loggingrrrrrr_r^rrrr delete_firstry)r)rgrhrrrgrrhrrr-I)r4rkrrMrrr>rr.rrrlr1r2r?) r3rrules_trVrrrrrr9r:r:r;rs      z!UFWBackendIptables.update_loggingc Csg}|t|jkr*td|}t||dkr^|jdD]}||d|ddgdgq<|S|jdD]}||d|ddgd gqhd d d d ddg}|j||jdkr@g}|j||jdkr|}|jdD]}dD]}||r||dks||dkr.d}||d|ddd|g|d gq|j||jdkrd}||d|ddd|g|d gqqg}|j||jdkr|}|jdD]}|drd}nt|drd}|j||jdkr||d|d ddd ddg|d gn(||d|d ddd dddd!g |d g||d|ddd|g|d gq|j||jdkrg}|j||jd"krt|}|j||jdkrd ddd#g|}d$}|jd%D]&}||d|ddd|g|d gq|S)&z%Get rules for specified logging levelzInvalid log level '%s'rrrr!rrrrHrrr z3/minz --limit-burstZ10rZhighrrr=rCz [UFW BLOCK] rr"r#Zmediumz [UFW ALLOW] rrBZ conntrackz --ctstateZINVALIDz[UFW AUDIT INVALID] ZfullZNEWz [UFW AUDIT] r) rrrr>rr.r0endswithr) r3rrrVrrrZlargsrurr:r:r;r s        z%UFWBackendIptables._get_logging_rulesc Csd}ttjj|j}g}|jD]d}|j|ds4q||j|tj |dtj |j|}tj |st d|}t|qtd}|D]0}d||f}tj |rt d|}t|q|D]:}d||f}|t dtj ||d 7}t||q|D]}d||f}ttj |dtj |tj |t||zt|} | tj} Wn0tk rt d |} t| YqYnX| tj@r|t d |7}n| tj@r|t d |7}q|S) zReset the firewallrHz.rulesrzCould not find '%s'. Abortingz %Y%m%d_%H%M%Sz%s.%sz'%s' already exists. Abortingz"Backing up '%(old)s' to '%(new)s' )oldnewzCouldn't stat '%s'zWARN: '%s' is world writablezWARN: '%s' is world readable)r rr$ share_dirrr5rr0r(r)r*basenameisfiler>rtimestrftimeexistsrenameshutilcopydirnameZcopymodestatST_MODErMrS_IWOTHS_IROTH) r3resrZallfilesrtfnrVZextrZstatinfomoderr:r:r;resetgsZ                    zUFWBackendIptables.reset)NN)FF)F)T)F)__name__ __module__ __qualname____doc__r-rAr\rwrrrrrrrrrrrrrrrr:r:r:r;r s. ,K] f!De * i JZr )rr(rNrrrrZ ufw.commonrrZufw.utilrrrrrr Z ufw.backendrr+r,r r:r:r:r;s