؛L *dZddlZddlZddlZddlZddlmZddlmZm Z m Z m Z ddl m cmZddlmZmZddlmZddlmZddlmZdd lmZdd lmZmZmZmZmZdd lm Z m!Z!dd l"m#Z#gd Z$ddl%m&Z&e dde'fde'fde'fgZ(e dde'fde)fde*fde*fde'fde'fgZ+dZ,dZ-ej.e/Z0dZ1dZ2de e3fdZ4d Z5d!Z6Gd"d#e$Zd%e fd&Z7d'Z8d(Z9ed)*d+Z:d,e+fd-Z;d,e)fd.Zz6SMTPBlocking._get_filter_smtp_rules..(DDSVVDDDDDDrN-olorDowner --uid-owner0c3hK|],}gdddt|dtjRV-dSrSrbrcrDNrZrACCEPTr\uid common_argss r.r^z6SMTPBlocking._get_filter_smtp_rules..         C     $        rNc3hK|],}gdddt|dtjRV-dSrSrbz --gid-ownerrDNrgr\gidrks r.r^z6SMTPBlocking._get_filter_smtp_rules..          C     $         rN)r@prefix)actionz --reject-withzicmp{}-port-unreachable6)rGr#joinr&appendrrhextendr9 itertoolschainr$rKsmtp_allow_usersrAr%rrr SMTP compose_rule nflog_action nflog_grouprEr'rREJECTformatr IPV6rLrulesrks @r._get_filter_smtp_rulesz#SMTPBlocking._get_filter_smtp_ruless '- I      HHDDT%=%CDDD D D    # /  LLF+FtFTF4F1EFF                 $         !,8'8      $      !!9!FGG     $ % % *>  $+ +  LL "/,9"/";DO"L"L#6#;        $ - (4 !11  LL "($  .44#+.2CCC     rNc |jjr|jjr |jjsgSg}ddddddd|jjDf|gdd d t jR|gdd d d d t jR|fdttj |jj |j jD|fdt|jjD|gd t jR|S)z Return a list of rules that should be used in OUTPUT_imunify360_SMTP chain in nat table. These can either be installed using append_rule / insert_rule or checked using has_rule methods of the firewall interface. rQrRrSrTrUrVc34K|]}t|VdSrXrYr[s r.r^z3SMTPBlocking._get_nat_smtp_rules..r_rNr`rarDrbrcrdc3hK|],}gdddt|dtjRV-dSrfrZrRETURNris r.r^z3SMTPBlocking._get_nat_smtp_rules..rlrNc3hK|],}gdddt|dtjRV-dSrnrros r.r^z3SMTPBlocking._get_nat_smtp_rules..#rqrN)rGr#r&r'rvrwrrrxr9ryrzr$rKr{rAr%REDIRECTrs @r._get_nat_smtp_rulesz SMTPBlocking._get_nat_smtp_ruless  $ * (4 (1  I      HHDDT%=%CDDD D D    K{KDK$KKm6JKKLLL              $         !,8'8      $      !!9!FGG      A{ADA-*@AABBB rNtablec|tkr|S|tkr|SgSrX)FILTERrNATr)rLrs r._get_smtp_rules_forz SMTPBlocking._get_smtp_rules_for4s= F??..00 0 C<<++-- - rNc<|||jgS)Nrrz) has_chainIM360_SMTP_CHAINrLrr-s r._im360_chain_existsz SMTPBlocking._im360_chain_exists;s!""d6K"LLMMrNc>||d|jgS)NOUTPUTrrzrule)has_ruleIM360_SMTP_TARGET_RULErs r._im360_chain_referencedz$SMTPBlocking._im360_chain_referenced>s.   8$2M     rNcVgfdD}|S)zW Check if SMTP rules in Imunify chain are in accord with new settings. c3RK|]!}j|V"dSrN)rrr\rr-rLrs r.r^z/SMTPBlocking._im360_rules_ok..JsX!!t'<4"rN)r)rLrr-check_commandss``` r._im360_rules_okzSMTPBlocking._im360_rules_okEsY !44U;;  rNNc#K||d|jgV|||j|||jgVdS)z Return commands that will ensure no OUTPUT blocking on Imunify part. Since the possible errors need to be suppressed we yield commands in batches, each of which can only contain one error-prone command. rrrN) delete_ruler flush_chainr delete_chainrs r._reset_commandszSMTPBlocking._reset_commandsSs  8$2M !       uD4I J J  ! !T5J ! K K      rN table_statec|j}|j}|dS|j p^|j pV|jo|j pG|j|jkp7t |j|jz pt |j|jz S)z)Check whether rules need to be recreated.NT) rHrGrr r&r'boolr$r%)rLractivenews r._should_create_rulesz!SMTPBlocking._should_create_rulesgs%& >4( ( <'' <":3?': <3</ <F&899  < F'#*::;;  rNcVg}|js/|j|js0|dj|rf|j| fd Dn;j j s/|j|S)zf Return commands that will ensure firewall rules are in accord with settings. )rrrc3RK|]!}j|V"dSr) append_rulerrs r.r^z.SMTPBlocking._sync_commands..sX$$t'<4%rN) rrw create_chainrr insert_rulerrrrxrrGr#)rLrrr-r*s`` ` r._sync_commandszSMTPBlocking._sync_commandsysw '  OO%%d&;5%II   +  OO$$"4%     $ $[ 1 1  OO$$T%:%$HH    OO!44U;;     +1 (()>e(LLrNcK|||D]I}tt5||d{Vdddn #1swxYwYJtd|dS)Nz(SMTP Rules in table '%s' have been reset)rrrr,r5info)rLrr-batchs r._reset_rules_in_tablez"SMTPBlocking._reset_rules_in_tables))%:: - -E344 - -ooe,,,,,,,,, - - - - - - - - - - - - - - - >FFFFFsAA A c Kt||||d{V}|jjs |r|||d{VdSt |t||||d{Vt||||d{V}||||}|r8| |d{Vt d|dSdS)N)rrr z;SMTP settings have been synced with the rules in table '%s') r/rrGr"rrrrrr,r5r)rLrr-rrr*s r._sync_rules_in_tablez!SMTPBlocking._sync_rules_in_tables- d..uh??        '/  B00AAAAAAAAA F %#3$66uhGG$$,$..uh??    &&uk8DD  //(++ + + + + + + + KKM       rNcK|pt|jd{V}|t|d{Vt |jr!|t |d{Vd|_dS)z*Ensure no OUTPUT blocking on Imunify part.NT)rrErrrrrI)rLr-s r. reset_ruleszSMTPBlocking.reset_rulessB\$/%B%BBBBBBB((::::::::: DO , , <,,S(;; ; ; ; ; ; ; ; $rNcKt|jd{V}||_|t|d{Vt |jr!|t |d{V|j|_d|_dS)z2Ensure iptables rules are in accord with settings.NF) rrErGrrrrrHrI)rL new_settingsr-s r. sync_ruleszSMTPBlocking.sync_ruless%do66666666#/ ''999999999 DO , , ;++C:: : : : : : : : $7 %rNrX)rON)__name__ __module__ __qualname____doc__rrrrMrrrZrrlistrrrdictrrrrrrrrrrrrNr.r r os 0"$45;9;;;;gU38_(=ggggRJT%S/%:JJJJXNNN    $t*     4:tT) *    (  t    $#C#j####JGGGGG 6%%%%% & & & & & &rNr ) metaclassip_versions_to_resetcK|D]=}t|js't|d{V>dSrX)r rIr)rversions r._reset_rules_for_ip_versionsrs_'66G$$5 6w''3355 5 5 5 5 5 5 566rNcvKdtjD}|rt|d{VdSdS)z8 Mainly used for `SMTPBlocker` plugin shutdown. c:g|]}t|j|Sr)r rI)r\rs r. z0reset_rules_for_all_versions..s9 G$$5rNN)r allr)rs r.rrsk"(( A*+?@@@@@@@@@@@AArNcKtj4d{VtjD]*}t ||d{V+ dddd{VdS#1d{VswxYwYdS)z Used whenever there is a need to check compatibility between Imunify config and currently used SMTP blocking iptables rules. N)r RULE_EDIT_LOCKr r"r r)rrs r.rrsF 'AAAAAAAA"*,, A AGw''22<@@ @ @ @ @ @ @ @ @ AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAs?A(( A25A2)maxsizecvKtj4d{Vttjjd{V} ||dtj gd{Vn"#t$rYdddd{VdSwxYw || dtj gd{Vn2#t$r%}t d|Yd}~nd}~wwxYwdddd{Vn#1d{VswxYwYdS)z&Check if iptables has xt_owner module.Nr)rzrFzASomething went wrong during the removal of the SMTP test rule: %sT)r rrr rV4r,rrsmtp_test_rulerrr5r6)r-errs r.rrs|'%kn&788888888 //((&]-I-K-K)             //((&]-I-K-K)            NN@         -8 4s`%D(AA>=D(> BD(BD(!AC$#D($ D.D D(DD(( D25D2rOcttjtjt tjt tjtjtjS)z,Return current settings from Imunify config.)r"r#r$r%r&r') r! SMTPConfigENABLEDPORTSset ALLOW_USERS ALLOW_GROUPS ALLOW_LOCALrrrNr.rrsM " .//011*$    rNcg}tjD])}|t|j*|S)zk Return the latest applied SMTP settings. Used to compare with the settings from config file. )r r"rwr rH)active_settings_listrs r.rrsL &((KK##L$9$9$IJJJJ rNcKtj}tt jd{V|fS)zC Return True if any other SMTP blocking features is active N)rrJget_SMTP_conflict_statusanycsfis_SMTP_block_enabled)panel_SMTP_conflicts r.rr+sV "$$==?? c/111111113FG H HHrN)>rr<ryloggingr1 contextlibrtypingrrrrim360.subsys.csfsubsysrdefence360agent.utilsrr im360.contracts.configr r rr im360.internals.corer im360.internals.core.firewallrrrrr"im360.internals.core.firewall.baserrim360.subsys.panelsr__all__defence360agent.utils.validaterrrrrr!CAPTURE_CSF_LOCKCSF_LOCK_TIMEOUT getLoggerrr5rrrr/r9rArrrrrrrrrNr.rs   555555555555-,,,,,======666666,,,,,,.-----   544444 Zd0$7*d9KL z D $    T      8 $ $  tDz(b&b&b&b&b&Yb&b&b&b&J 6T6666 A A AAAAB L      $     ItIIIIIIrN