[Compiled CPython 3.11 bytecode (.pyc) of /opt/imunify360/venv/lib/python3.11/site-packages/im360/utils/lazy_init.py, dumped as text. The source is not recoverable from this dump; only the strings and identifiers embedded in the bytecode survive. What can be read from it:]

Module docstring: "This plugin periodically checks set of rules and ipsets, and recreates it if needed, process block/unblock messages."

Imports referenced: asyncio, json, logging, os, time, contextlib.suppress, pathlib.Path, typing.Set; defence360agent.internals.global_scope.g; defence360agent.utils (log_error_and_ignore, timeit); defence360agent.utils.common (DAY, ServiceBase, rate_limit); defence360agent.utils.validate (IP, IPVersion); im360.contracts.config (Firewall, NetworkInterface, DOS, EnhancedDOS, Protector, Webshield); im360.internals.core (IPSet, NoRedirectPortRuleSet, ip_versions); im360.internals.core.ipset.libipset (IPSetError, IPSetCannotBeSwappedIncompatibleType); im360.internals.core.firewall (get_firewall); im360.internals.core.firewall.base (FirewallBatchCommandError, FirewallError, FirewallTemporaryError); im360.internals.core.ipset.country (IPSetCountry); im360.internals.core.ipset.ip (IPSetStatic, IPSetStaticRemoteProxy); im360.internals.core.ipset.port_deny (InputPortBlockingDenyModeIPSet, OutputPortBlockingDenyModeIPSet); im360.subsys.webshield_mode (Mode); im360.subsys (smtp_blocking).

Module-level constant: RULES_CHECK_IN_PROGRESS = Path("/var/imunify360/.rules_check_in_progress").

class VersionState: per-IP-version bookkeeping with fields transient_error_on_create, errors, next_try_time, running.

class RulesChecker (docstring: "Periodically checks if rules exist and if not, recreate them."): class constants RULE_CHECK_INTERVAL (read from the IMUNIFY360_RULE_CHECK_INTERVAL environment variable), CONSECUTIVE_ERROR_LIMIT, ERROR_THRESHOLD, RETRY_INTERVAL, CAPTURE_CSF_LOCK, CSF_LOCK_TIMEOUT, IPSETS_CHECK_INTERVAL, and HOST_IPSETS mapping IPVersion.V4 to {"i360.ipv4.whitelist.host_ips"} and IPVersion.V6 to {"i360.ipv6.whitelist.host_ips"}. Instance state includes a ruleset, Config.RULE_EDIT_LOCK, a lock for rule create/destroy, the active interface configuration, per-version VersionState objects, per-version outdated-ipset events and sets, and an asyncio ipset lock. Methods: recreate_rules_if_needed, check_ipsets_consistent, _check_ipsets_consistent, __check_ipset_consistent, _ensure_rules, _ensure_rules_exist_for_all_versions, _recreate_for, _ensure_for, _create_rules, _destroy_rules, _rules_ok, _destroy_rules_and_sets, clear_everything, clear_rules, check_smtp_state_and_reset, and a static _is_smtp_settings_changed.

Docstring of _ensure_for: "Creates imunify360 ruleset for given IP version in iptables. If all required ipsets, rules and chains exist, does nothing. Otherwise recreates everything as required. Returns True if rules or sets has been (re-)created, False otherwise."

Log and assertion strings in RulesChecker: "Target & ignore interfaces config was changed,recreating rules"; "%s firewall support is enabled"; "Transient error while creating firewall rules for %s: %s"; "%s firewall support is disabled due to multiple consecutive errors"; "Failed to recreate firewall rules for %s %s: %s" (with "enabled"/"disabled"); "Rules and sets successfully recreated for enabled ip versions"; "Destroying rules for %s"; "Destroying redundant ipsets: %s"; "Creating missing ipsets: %s"; "Recreating rules for %s"; "Recreating ipsets"; "Outdated ipset has incompatible type, so it cannot be swapped. Ipset needs to be recreated after destroying rules."; "Required ipsets: %s"; "Existing ipsets: %s"; "Missing ipsets: %s"; "Redundant ipsets: %s"; "Outdated ipsets: %s"; "Rules status for %s [rules: %s], [ipset: %s], [forced: %s]" (values "ok"/"bad"); "Creating rules for %s"; "Only host ipsets %s will be updated"; "%s ipsets are outdated. Recreate them"; assertion "max 2 ip versions expected". The firewall interface used exposes persistent_chain_commands, create_commands, destroy_commands, check_commands, check_input_order, check_output_order, and a batch object with commit; the ruleset exposes required_ipsets, existing_ipsets, get_outdated_ipsets, ipsets_to_refill, has_ipset_to_destroy, destroy_ipsets, clean_previously_failed_ipsets and fill_ipsets.

class RealProtector: methods _get_port_blocking_deny_mode_values (returns Firewall.TCP_IN_IPV4, TCP_OUT_IPV4, UDP_IN_IPV4, UDP_OUT_IPV4, TCP_IN_IPV6, TCP_OUT_IPV6, UDP_IN_IPV6, UDP_OUT_IPV6), process_global_whitelist_update ("Applying global white list update"; resets IPSetStatic and IPSetStaticRemoteProxy), process_country_list_update ("Updating ipset rules on geo ip update"; restores IPSetCountry per IP version), _on_config_update_unlocked (log strings: "Webshield status (Webshield.ENABLE, WebshieldMode.wants_redirect, Webshield.SPLASH_SCREEN, Webshield.PANEL_PROTECTION) changed from %s to %s"; "Ports blocking mode changed from %s to %s"; "Effective DoS protection status changed from %s to %s. Triggering rules recreation."; "Firewall rules recreated due to ConfigUpdate"; "Blocked ports ipsets reffiled"; "Blocked ports deny mode updated on ConfigUpdate"; the "DENY" mode check), _update_port_blocking_deny_mode_ipsets_if_needed ("Port blocking deny mode changed from %s to %s"), and _refill_port_blocking_ipsets (refills InputPortBlockingDenyModeIPSet and OutputPortBlockingDenyModeIPSet for each IP version; "Failed to update ipset %s: %s").

Module helpers: _log_ipsets_mismatch ("Detected %s%s%s ipsets while ensuring ipsets/rules%s%s" with "missing", "/", "redundant", "; missing ipsets: ", "; redundant ipsets: ") and _format_ports (json.dumps of the port values zipped with the names TCP_IN_IPV4 ... UDP_OUT_IPV6). check_smtp_state_and_reset uses smtp_blocking.read_SMTP_settings, is_SMTP_blocking_supported, conflicts_exist, reset_rules_for_all_versions, sync_rules_for_all_versions and get_active_settings_list.
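The dump above only shows the names of the retry bookkeeping (VersionState.errors, next_try_time, transient_error_on_create, ERROR_THRESHOLD, RETRY_INTERVAL) and the log messages "Transient error while creating firewall rules" and "disabled due to multiple consecutive errors". The following is an added, stand-alone model of that gate, written for this page; it is not Imunify360's code. The constant values, the two exception classes, the `enabled` flag, the `recreate` callback and the `simulate` driver are assumptions chosen to make the behaviour observable offline: a transient backend error (for instance a held xtables lock) only schedules a retry, while consecutive hard errors count toward a threshold that disables the IP version.

```python
"""Added example: per-IP-version retry gate for firewall rule recreation.

Not the Imunify360 source. Models the behaviour suggested by VersionState's
fields and the log strings recovered from the bytecode above. Constant
values, exception classes, the `enabled` flag and the `recreate` callback
are assumptions for illustration.
"""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ERROR_THRESHOLD = 3     # assumed: consecutive hard failures before disabling
RETRY_INTERVAL = 60.0   # assumed: seconds to wait before the next attempt


class FirewallTemporaryError(Exception):
    """Backend busy (e.g. xtables lock held): retry later, do not count."""


class FirewallError(Exception):
    """Hard failure (bad rule, missing chain): counts toward the threshold."""


@dataclass
class VersionState:
    transient_error_on_create: bool = False
    errors: int = 0              # consecutive hard failures
    next_try_time: float = 0.0   # skip this version until this timestamp
    enabled: bool = True         # False once ERROR_THRESHOLD is reached


def ensure_rules(
    states: Dict[str, VersionState],
    recreate: Callable[[str], bool],
    now: float,
) -> Tuple[bool, bool]:
    """Attempt (re)creation for every enabled version whose retry time passed.

    Returns (recreated_any, has_failed). A transient error schedules a retry
    without touching the error counter; a hard error increments it and
    disables the version once the threshold is reached.
    """
    recreated_any = False
    has_failed = False
    for version, state in states.items():
        if not state.enabled or now < state.next_try_time:
            continue
        try:
            recreated = recreate(version)
        except FirewallTemporaryError:
            state.transient_error_on_create = True
            state.next_try_time = now + RETRY_INTERVAL
            has_failed = True
            continue
        except FirewallError:
            state.errors += 1
            state.next_try_time = now + RETRY_INTERVAL
            has_failed = True
            if state.errors >= ERROR_THRESHOLD:
                state.enabled = False   # "disabled due to multiple consecutive errors"
            continue
        # Success resets the failure bookkeeping for this version.
        state.errors = 0
        state.transient_error_on_create = False
        recreated_any = recreated_any or recreated
    return recreated_any, has_failed


def simulate(
    failures: Dict[str, List[Optional[Exception]]],
    ticks: List[float],
) -> Dict[str, VersionState]:
    """Drive ensure_rules over scripted timestamps with a scripted backend.

    `failures[version]` lists the exception (or None for success) raised on
    each successive attempt; attempts beyond the list succeed. Constructed
    input for the demonstration, not real firewall calls.
    """
    states = {v: VersionState() for v in failures}
    attempts = {v: 0 for v in failures}

    def recreate(version: str) -> bool:
        idx = attempts[version]
        attempts[version] += 1
        script = failures[version]
        if idx < len(script) and script[idx] is not None:
            raise script[idx]
        return True

    for now in ticks:
        ensure_rules(states, recreate, now)
    return states


if __name__ == "__main__":
    result = simulate(
        {"ipv4": [FirewallError(), FirewallError(), FirewallError()], "ipv6": []},
        [0, 30, 60, 120, 180],
    )
    for version, state in result.items():
        print(version, "enabled" if state.enabled else "disabled", state.errors)
```

Running the block shows ipv4 disabled after three hard failures spaced RETRY_INTERVAL apart while ipv6 keeps being recreated on every tick; the distinction between FirewallTemporaryError and FirewallError is the design point, because a transient lock contention must not eat into the consecutive-error budget.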