a «°iD#ã@sÀddlZddlmZddlmZmZmZmZmZm Z m Z m Z m Z m Z mZddlmZmZmZmZmZmZmZmZmZmZmZddlmZddlmZddlm Z ddl!m"Z"Gd d „d e#ƒZ$dS) éN)Úlog) ÚportStrÚ checkIPnMaskÚ checkIP6nMaskÚ checkProtocolÚenable_ip_forwardingÚcheck_single_addressÚportInPortRangeÚget_nf_conntrack_short_nameÚcoalescePortRangeÚbreakPortRangeÚcheckTcpMssClamp) Ú Rich_RuleÚ Rich_AcceptÚ Rich_ServiceÚ Rich_PortÚ Rich_ProtocolÚRich_MasqueradeÚRich_ForwardPortÚRich_SourcePortÚRich_IcmpBlockÚ Rich_IcmpTypeÚRich_Tcp_Mss_Clamp)ÚFirewallTransaction)Úerrors)Ú FirewallError)ÚSOURCE_IPSET_TYPESc@sveZdZdd„Zdd„Zdd„Zdd„Zd d „Zd d „Zd d„Z dd„Z dd„Z dd„Z dÿdd„Z dd„Zddd„Zddd„Zddd„Zd d!„Zd"d#„Zd$d%„Zd&d'„Zdd*d+„Zd,d-„Zdd.d/„Zd0d1„Zd2d3„Zd4d5„Zd6d7„Zd8d9„Zdd:d;„Zdd?„Z d@dA„Z!dBdC„Z"dDdE„Z#dFdG„Z$dHdI„Z%dJdK„Z&dLdM„Z'ddNdO„Z(dPdQ„Z)ddRdS„Z*dTdU„Z+dVdW„Z,dXdY„Z-dZd[„Z.d\d]„Z/d d^d_„Z0d`da„Z1d dbdc„Z2ddde„Z3dfdg„Z4dhdi„Z5djdk„Z6dldm„Z7dndo„Z8dpdq„Z9d drds„Z:dtdu„Z;d dvdw„Zd|d}„Z?d~d„Z@d€d„ZAd‚dƒ„ZBd d„d…„ZCd†d‡„ZDddˆd‰„ZEdŠd‹„ZFdŒd„ZGdŽd„ZHdd‘„ZIdd’d“„ZJd”d•„ZKdd–d—„ZLd˜d™„ZMdšd›„ZNdœd„ZOddždŸ„ZPd d¡„ZQdd¢d£„ZRd¤d¥„ZSd¦d§„ZTdd¨d©„ZUddªd«„ZVdd¬d­„ZWd®d¯„ZXdd°d±„ZYd²d³„ZZdd´dµ„Z[d¶d·„Z\d¸d¹„Z]dºd»„Z^dd¼d½„Z_d¾d¿„Z`ddÀdÁ„ZadÂdÄZbdÄdÅ„ZcdÆdÇ„ZdddÈdÉ„ZedÊdË„ZfdÌdÍ„ZgddÎdÏ„ZhdÐdÑ„ZidÒdÓ„ZjdÔdÕ„ZkdÖdׄZldØdÙ„ZmdÚdÛ„ZndÜdÝ„ZodÞdß„Zpdàdá„Zqddâdã„Zrddädå„Zsdædç„Ztdèdé„Zudêdë„Zvdìdí„Zwddîdï„Zxdðdñ„Zydòdó„Zzdôdõ„Z{död÷„Z|dødù„Z}dúdû„Z~ddýdþ„ZdS( ÚFirewallPolicycCs||_i|_i|_dS©N)Ú_fwÚ_chainsÚ _policies)ÚselfÚfw©r$ú;/usr/lib/python3.9/site-packages/firewall/core/fw_policy.pyÚ__init__szFirewallPolicy.__init__cCsd|j|j|jfS)Nz %s(%r, %r))Ú __class__r r!©r"r$r$r%Ú__repr__szFirewallPolicy.__repr__cCs|j ¡|j ¡dSr)r Úclearr!r(r$r$r%Úcleanups zFirewallPolicy.cleanupcCst|jƒ}| |jj¡|Sr)rrZadd_preÚfull_check_config)r"Útr$r$r%Únew_transaction$s zFirewallPolicy.new_transactioncCst|j ¡ƒSr)Úsortedr!Úkeysr(r$r$r%Ú get_policies+szFirewallPolicy.get_policiescCs4g}| ¡D]}| |¡}|js | |¡q t|ƒSr)r1Ú get_policyÚderived_from_zoneÚappendr/)r"ÚpoliciesÚpÚp_objr$r$r%Ú"get_policies_not_derived_from_zone.s    z1FirewallPolicy.get_policies_not_derived_from_zonecCsvg}| ¡D]d}| |¡}t|jƒt|jj ¡ƒtddgƒB@r t|jƒt|jj ¡ƒtddgƒB@r | |¡q |S)NÚHOSTÚANY) r8r2ÚsetÚ ingress_zonesrÚzoneZget_active_zonesÚ egress_zonesr4)r"Zactive_policiesÚpolicyr7r$r$r%Ú)get_active_policies_not_derived_from_zone6s  &$ÿ z8FirewallPolicy.get_active_policies_not_derived_from_zonecCs|j |¡}|j|Sr)rÚ check_policyr!)r"r?r6r$r$r%r2@s zFirewallPolicy.get_policycCs||j|j<dSr)r!Úname)r"Úobjr$r$r%Ú add_policyDszFirewallPolicy.add_policycCs&|j|}|jr| |¡|j|=dSr)r!ÚappliedÚunapply_policy_settings)r"r?rCr$r$r%Ú remove_policyGs  zFirewallPolicy.remove_policyNcCsJ| ¡D]<}|j|}|jrq|| ¡vrt d|¡|j||dqdS)NzApplying policy '%s'©Úuse_transaction)r1r!r3r@rZdebug1Úapply_policy_settings)r"rIr?r7r$r$r%Úapply_policiesMs    zFirewallPolicy.apply_policiescCs|j|}||_dSr)r!rE)r"r?rErCr$r$r%Úset_policy_appliedVs z!FirewallPolicy.set_policy_appliedc Csz|j |¡}|j|}|r |js*|s.|js.dS|r8d|_|durJ| ¡}n|}|rˆ|jsb| |¡n| |¡D]\}}| |d|||¡ql|jsœ|  |||¡dD]x} t |  |¡| ƒ} t | t ƒrØ|rÈ| sÒ|s | sÒq | g} | D]:} | dkrü| ||| |¡qÜ| dkr qÜqÜ| dkr,|j|||g| ¢RŽqÜ| dkrH| ||| |¡qÜ| dkrn| ||| d| d |¡qÜ| d krŠ| ||| |¡qÜ| d kr°| ||| d| d |¡qÜ| d krÊ| |||¡qÜ| d krì| ||t| d|¡qÜ| dkrúqÜqÜ| dkrqÜqÜt d|| | ¡qÜq |sb|js4| |¡n| |¡D]\}}| |d|||¡q>d|_|durv| |¡dS)NT) ÚservicesÚportsÚ masqueradeÚ forward_portsÚ source_portsÚ icmp_blocksÚ rules_strÚ protocolsÚicmp_block_inversionr<r>rRrUrPrMrNrérTrQrOrS©Úrule_strr<r>z5Policy '%s': Unknown setting '%s:%s', unable to applyF)rrAr!rEr.r3Ú%_get_table_chains_for_policy_dispatchÚ#_get_table_chains_for_zone_dispatchÚgen_chain_rulesÚ_ingress_egress_zonesÚgetattrr2Ú isinstanceÚboolÚ _icmp_blockÚ _forward_portÚ_serviceÚ_portÚ _protocolÚ _source_portÚ _masqueradeÚ_FirewallPolicy__rulerrÚwarningÚexecute) r"Úenabler?rIÚ_policyrCÚ transactionÚtableÚchainÚkeyZ args_listÚargsr$r$r%Ú_policy_settingsZs€   ÿ       ÿ   ÿ  ÿ  ÿ  ÿÿ  zFirewallPolicy._policy_settingscCs|jd||ddS)NTrH©rq©r"r?rIr$r$r%rJ sz$FirewallPolicy.apply_policy_settingscCs|jd||ddS)NFrHrrrsr$r$r%rF£sz&FirewallPolicy.unapply_policy_settingscCs| |¡ ¡Sr)r2Zexport_config_dict©r"r?r$r$r%Úget_config_with_settings_dict¦sz,FirewallPolicy.get_config_with_settings_dictc sæddlm‰d ‡‡fdd„ }‡‡fdd„}ˆjˆjfˆjˆjfˆjˆjfˆjˆj fˆj ˆj f||fˆj ˆj fˆjˆjfˆjˆjfˆjˆjfdœ }ˆ |¡}t |¡}| |ˆj ¡¡ˆj d|gi¡ˆ |¡} ˆj | |¡\} } | D]n} t| | tƒrF| | D]>} t| tƒr.|| d |g| ¢RŽn|| d || ƒqqè|| d |ƒqè| D]„} t| | tƒrÈ| | D]L} t| tƒrª|| d|g| ¢Rd|d œŽn|| d|| d|d qxn|| d|d|d q\dS) Nr)rcsˆj|ˆ|dd|ddS)NrWr©ÚtimeoutÚsender)Úadd_rule)r?rXrwrx©rr"r$r%Úadd_rule_wrapper¬szFFirewallPolicy.set_config_with_settings_dict..add_rule_wrappercsˆ |ˆ|d¡dS)NrW)Ú remove_rule)r?rXrzr$r%Úremove_rule_wrapper®szIFirewallPolicy.set_config_with_settings_dict..remove_rule_wrapper) rMrNrRrOrPZ rich_rulesrTrQr<r>r5rVrv)rN)Úfirewall.core.richrÚ add_serviceÚremove_serviceÚadd_portÚ remove_portÚadd_icmp_blockÚremove_icmp_blockÚadd_masqueradeÚremove_masqueradeÚadd_forward_portÚremove_forward_portÚ add_protocolÚremove_protocolÚadd_source_portÚremove_source_portÚadd_ingress_zoneÚremove_ingress_zoneÚadd_egress_zoneÚremove_egress_zoner2ÚcopyZimport_config_dictrZget_all_io_objects_dictr,ruZget_added_and_removed_settingsr^ÚlistÚtuple)r"r?Zsettingsrxr{r}Z setting_to_fnZold_objZ check_objZ old_settingsZ add_settingsZremove_settingsrorpr$rzr%Úset_config_with_settings_dict©sD          ö       "z,FirewallPolicy.set_config_with_settings_dictcCs&|sttjƒ‚|dvr"|j |¡dS©N)r9r:©rrZ INVALID_ZONErZ check_zone©r"r=r$r$r%Úcheck_ingress_zoneÞs z!FirewallPolicy.check_ingress_zonecCs| |¡|Sr)r˜r—r$r$r%Z__ingress_zone_idäs z FirewallPolicy.__ingress_zone_idrTc Cs|j |¡}|j |¡|j ¡|j|}| |¡} | |jvrTttj d||fƒ‚|durf|  ¡} n|} |rä|j r‚|  d|| ¡|  || ||¡|  |j|| ¡|j sÔ|| ¡vrâ|j|| d|  |j|d¡n|  d|| ¡n |  || ||¡|  |j|| ¡|dur|  d¡dS©Nú'%s' already in '%s'FrHT)rrAÚ check_timeoutÚ check_panicr!Ú _FirewallPolicy__ingress_zone_idr<rrÚALREADY_ENABLEDr.rEr\Ú&_FirewallPolicy__register_ingress_zoneÚadd_failÚ(_FirewallPolicy__unregister_ingress_zoner@rJrLri© r"r?r=rwrxrIZ allow_applyrkÚ_objÚzone_idrlr$r$r%rès4       ÿ   zFirewallPolicy.add_ingress_zonecCs|j |¡dSr)r<r4©r"r£r¤rwrxr$r$r%Z__register_ingress_zonesz&FirewallPolicy.__register_ingress_zonecCsð|j |¡}|j ¡|j|}| |¡}||jvrHttjd||fƒ‚|durZ|  ¡}n|}|j rÊt |jƒdkr€|  ||¡n|  d||¡| ||¡| |j||dd¡|| ¡vrÚ|  d||¡n| |j||¡|durì| d¡|S©Nú'%s' not in '%s'rVFT)rrArœr!rr<rrÚ NOT_ENABLEDr.rEÚlenrFr\r¡r rŸr@Úadd_postri©r"r?r=rIrkr£r¤rlr$r$r%rŽs.      ÿ    z"FirewallPolicy.remove_ingress_zonecCs||jvr|j |¡dSr)r<Úremove©r"r£r¤r$r$r%Z__unregister_ingress_zone4s z(FirewallPolicy.__unregister_ingress_zonecCs| |¡| |¡jvSr)rr2r<©r"r?r=r$r$r%Úquery_ingress_zone8sz!FirewallPolicy.query_ingress_zonecCs | |¡jSr)r2r<rtr$r$r%Úlist_ingress_zones;sz!FirewallPolicy.list_ingress_zonescCs&|sttjƒ‚|dvr"|j |¡dSr•r–r—r$r$r%Úcheck_egress_zone@s z FirewallPolicy.check_egress_zonecCs| |¡|Sr)r±r—r$r$r%Z__egress_zone_idFs zFirewallPolicy.__egress_zone_idc Cs|j |¡}|j |¡|j ¡|j|}| |¡} | |jvrTttj d||fƒ‚|durf|  ¡} n|} |rä|j r‚|  d|| ¡|  || ||¡|  |j|| ¡|j sÔ|| ¡vrâ|j|| d|  |j|d¡n|  d|| ¡n |  || ||¡|  |j|| ¡|dur|  d¡dSr™)rrAr›rœr!Ú_FirewallPolicy__egress_zone_idr>rrržr.rEr\Ú%_FirewallPolicy__register_egress_zoner Ú'_FirewallPolicy__unregister_egress_zoner@rJrLrir¢r$r$r%rJs4       ÿ   zFirewallPolicy.add_egress_zonecCs|j |¡dSr)r>r4r¥r$r$r%Z__register_egress_zonepsz%FirewallPolicy.__register_egress_zonecCsð|j |¡}|j ¡|j|}| |¡}||jvrHttjd||fƒ‚|durZ|  ¡}n|}|j rÊt |jƒdkr€|  ||¡n|  d||¡| ||¡| |j||dd¡|| ¡vrÚ|  d||¡n| |j||¡|durì| d¡|Sr¦)rrArœr!r²r>rrr¨r.rEr©rFr\r´r r³r@rªrir«r$r$r%rss.      ÿ    z!FirewallPolicy.remove_egress_zonecCs||jvr|j |¡dSr)r>r¬r­r$r$r%Z__unregister_egress_zone–s z'FirewallPolicy.__unregister_egress_zonecCs| |¡| |¡jvSr)r²r2r>r®r$r$r%Úquery_egress_zonešsz FirewallPolicy.query_egress_zonecCs | |¡jSr)r2r>rtr$r$r%Úlist_egress_zonessz FirewallPolicy.list_egress_zonescCs | ¡dSr)Úcheck©r"Úruler$r$r%Ú check_rule¢szFirewallPolicy.check_rulecCs| |¡t|ƒSr)rºÚstrr¸r$r$r%Z __rule_id¥s zFirewallPolicy.__rule_idcCsx|sdS|jr,t|jƒrdSt|jƒrtdSnHt|dƒr@|jr@dSt|dƒrt|jrt| |j¡| |j¡| |j¡SdS)NÚipv4Úipv6ÚmacÚÚipset) ÚaddrrrÚhasattrr¾rÀÚ_check_ipset_type_for_sourceÚ_check_ipset_appliedÚ _ipset_family)r"Úsourcer$r$r%Ú_rule_source_ipv©s     zFirewallPolicy._rule_source_ipvcCs| ||||¡dSr)Ú _rule_prepare)r"rjr?r¹rlr$r$r%Z__rule»szFirewallPolicy.__rulec CsÆ|j |¡}|j |¡|j ¡|j|}| |¡}||jvrd|jrL|jn|} tt j d|| fƒ‚|durv|  ¡} n|} |j r|  d||| ¡| ||||¡|  |j||¡|durÂ|  d¡|S©NršT)rrAr›rœr!Ú_FirewallPolicy__rule_idrSr3rrržr.rErgÚ_FirewallPolicy__register_ruler Ú _FirewallPolicy__unregister_ruleri) r"r?r¹rwrxrIrkr£Úrule_idÚ_namerlr$r$r%ry¾s(       ÿ  zFirewallPolicy.add_rulecCs|j |¡dSr)rSr4)r"r£rÍrwrxr$r$r%Z__register_ruleÛszFirewallPolicy.__register_rulec Csª|j |¡}|j ¡|j|}| |¡}||jvrX|jr@|jn|}ttj d||fƒ‚|durj|  ¡}n|}|j r„|  d|||¡|  |j||¡|dur¦| d¡|S©Nr§FT)rrArœr!rÊrSr3rrr¨r.rErgrªrÌri) r"r?r¹rIrkr£rÍrÎrlr$r$r%r|Þs$      ÿ  zFirewallPolicy.remove_rulecCs||jvr|j |¡dSr)rSr¬)r"r£rÍr$r$r%Z__unregister_ruleùs z FirewallPolicy.__unregister_rulecCs| |¡| |¡jvSr)rÊr2rS)r"r?r¹r$r$r%Ú query_ruleýszFirewallPolicy.query_rulecCs | |¡jSr)r2rSrtr$r$r%Ú list_rulesszFirewallPolicy.list_rulescCs|j |¡dSr)rÚ check_service©r"Úservicer$r$r%rÒszFirewallPolicy.check_servicecCs| |¡|Sr)rÒrÓr$r$r%Z __service_ids zFirewallPolicy.__service_idc CsÆ|j |¡}|j |¡|j ¡|j|}| |¡}||jvrd|jrL|jn|} tt j d|| fƒ‚|durv|  ¡} n|} |j r|  d||| ¡| ||||¡|  |j||¡|durÂ|  d¡|SrÉ)rrAr›rœr!Ú_FirewallPolicy__service_idrMr3rrržr.rErbÚ!_FirewallPolicy__register_servicer Ú#_FirewallPolicy__unregister_serviceri) r"r?rÔrwrxrIrkr£Ú service_idrÎrlr$r$r%r s(       ÿ  zFirewallPolicy.add_servicecCs|j |¡dSr)rMr4)r"r£rØrwrxr$r$r%Z__register_service)sz!FirewallPolicy.__register_servicec Csª|j |¡}|j ¡|j|}| |¡}||jvrX|jr@|jn|}ttj d||fƒ‚|durj|  ¡}n|}|j r„|  d|||¡|  |j||¡|dur¦| d¡|SrÏ)rrArœr!rÕrMr3rrr¨r.rErbrªr×ri) r"r?rÔrIrkr£rØrÎrlr$r$r%r€,s$      ÿ  zFirewallPolicy.remove_servicecCs||jvr|j |¡dSr)rMr¬)r"r£rØr$r$r%Z__unregister_serviceGs z#FirewallPolicy.__unregister_servicecCs| |¡| |¡jvSr)rÕr2rM)r"r?rÔr$r$r%Ú query_serviceKszFirewallPolicy.query_servicecCs | |¡jSr)r2rMrtr$r$r%Ú list_servicesNszFirewallPolicy.list_servicesc CsNg}|D]@}z|jj |¡}Wnty<ttj|ƒ‚Yn0| |¡q|Sr)rÚhelperÚ get_helperrrÚINVALID_HELPERr4)r"ÚhelpersÚ_helpersrÛÚ_helperr$r$r%Úget_helpers_for_service_helpersQs  z.FirewallPolicy.get_helpers_for_service_helpersc Cs®g}|D] }z|jj |¡}Wnty<ttj|ƒ‚Yn0t|jƒdkržt|j ƒ}z|jj |¡}|  |¡Wq¨tyš|r’t   d|¡YqYq¨0q|  |¡q|S)NrVzHelper '%s' is not available) rrÛrÜrrrÝr©rNr Úmoduler4rrh)r"ÚmodulesrjrßrârÛÚ_module_short_nameràr$r$r%Úget_helpers_for_service_modules[s"     z.FirewallPolicy.get_helpers_for_service_modulescCs|j |¡|j |¡dSr)rÚ check_portÚ check_tcpudp©r"ÚportÚprotocolr$r$r%ræts zFirewallPolicy.check_portcCs| ||¡t|dƒ|fS©Nú-©rærrèr$r$r%Z __port_idxs zFirewallPolicy.__port_idcsp|j |¡}|j |¡|j ¡|j|}tt‡fdd„|jƒƒ} | D]8} t|| dƒrH|j rf|j n|} t t j d|ˆ| fƒ‚qHt |dd„| Dƒƒ\} } |dur¬| ¡}n|}|jrú| D]}| d|t|dƒˆ|¡qº| D]}| d |t|dƒˆ|¡qÜ| D]0}| |ˆ¡} | || ||¡| |j|| ¡qþ| D]"}| |ˆ¡} | |j|| ¡q4|durl| d¡|S) Ncs |dˆkS©NrVr$©Úx©rêr$r%Úƒóz)FirewallPolicy.add_port..rú'%s:%s' already in '%s'cSsg|] \}}|‘qSr$r$©Ú.0rcrdr$r$r%Ú Šróz+FirewallPolicy.add_port..TrìF)rrAr›rœr!r’ÚfilterrNr r3rrržr r.rErcrÚ_FirewallPolicy__port_idÚ_FirewallPolicy__register_portr Ú _FirewallPolicy__unregister_portrªri©r"r?rérêrwrxrIrkr£Úexisting_port_idsÚport_idrÎÚ added_rangesÚremoved_rangesrlÚranger$rñr%r|s<     ÿ     zFirewallPolicy.add_portcCs|j |¡dSr)rNr4©r"r£rþrwrxr$r$r%Z__register_port¤szFirewallPolicy.__register_portcsh|j |¡}|j ¡|j|}tt‡fdd„|jƒƒ}|D]}t||dƒr<qzq<|jr`|jn|} t t j d|ˆ| fƒ‚t |dd„|Dƒƒ\} } |dur¤|  ¡} n|} |jrò| D]} | d|t| dƒˆ| ¡q²| D]} | d |t| dƒˆ| ¡qÔ| D]0} | | ˆ¡}| ||dd¡|  |j||¡qö| D]"} | | ˆ¡}|  |j||¡q,|durd|  d¡|S) Ncs |dˆkSrîr$rïrñr$r%rò­róz,FirewallPolicy.remove_port..rú'%s:%s' not in '%s'cSsg|] \}}|‘qSr$r$rõr$r$r%r÷¶róz.FirewallPolicy.remove_port..TrìF)rrArœr!r’rørNr r3rrr¨r r.rErcrrùrúr rûrªri©r"r?rérêrIrkr£rýrþrÎrÿrrlrr$rñr%r‚§s<    ÿ     zFirewallPolicy.remove_portcCs||jvr|j |¡dSr)rNr¬©r"r£rþr$r$r%Z__unregister_portÐs z FirewallPolicy.__unregister_portcCs2| |¡jD] \}}t||ƒr ||kr dSq dS©NTF)r2rNr ©r"r?rérêrcrdr$r$r%Ú query_portÔszFirewallPolicy.query_portcCs | |¡jSr)r2rNrtr$r$r%Ú list_portsÛszFirewallPolicy.list_portscCst|ƒsttj|ƒ‚dSr)rrrZINVALID_PROTOCOL©r"rêr$r$r%Úcheck_protocolàszFirewallPolicy.check_protocolcCst|ƒsttjd|ƒ‚dS)Nzatcp-mss-clamp value must be greater than or equal to 536, or the value 'pmtu'. Invalid value '%s')r rrÚ INVALID_RULE)r"Útcp_mss_clamp_valuer$r$r%Úcheck_tcp_mss_clampäsz"FirewallPolicy.check_tcp_mss_clampcCs| |¡|Sr)r r r$r$r%Z __protocol_idès zFirewallPolicy.__protocol_idc CsÆ|j |¡}|j |¡|j ¡|j|}| |¡}||jvrd|jrL|jn|} tt j d|| fƒ‚|durv|  ¡} n|} |j r|  d||| ¡| ||||¡|  |j||¡|durÂ|  d¡|SrÉ)rrAr›rœr!Ú_FirewallPolicy__protocol_idrTr3rrržr.rErdÚ"_FirewallPolicy__register_protocolr Ú$_FirewallPolicy__unregister_protocolri) r"r?rêrwrxrIrkr£Ú protocol_idrÎrlr$r$r%r‰ìs(       ÿ  zFirewallPolicy.add_protocolcCs|j |¡dSr)rTr4)r"r£rrwrxr$r$r%Z__register_protocol sz"FirewallPolicy.__register_protocolc Csª|j |¡}|j ¡|j|}| |¡}||jvrX|jr@|jn|}ttj d||fƒ‚|durj|  ¡}n|}|j r„|  d|||¡|  |j||¡|dur¦| d¡|SrÏ)rrArœr!rrTr3rrr¨r.rErdrªrri) r"r?rêrIrkr£rrÎrlr$r$r%rŠ s(      ÿ  ÿ zFirewallPolicy.remove_protocolcCs||jvr|j |¡dSr)rTr¬)r"r£rr$r$r%Z__unregister_protocol(s z$FirewallPolicy.__unregister_protocolcCs| |¡| |¡jvSr)rr2rT)r"r?rêr$r$r%Úquery_protocol,szFirewallPolicy.query_protocolcCs | |¡jSr)r2rTrtr$r$r%Úlist_protocols/szFirewallPolicy.list_protocolscCs| ||¡t|dƒ|fSrërírèr$r$r%Z__source_port_id4s zFirewallPolicy.__source_port_idcsp|j |¡}|j |¡|j ¡|j|}tt‡fdd„|jƒƒ} | D]8} t|| dƒrH|j rf|j n|} t t j d|ˆ| fƒ‚qHt |dd„| Dƒƒ\} } |dur¬| ¡}n|}|jrú| D]}| d|t|dƒˆ|¡qº| D]}| d |t|dƒˆ|¡qÜ| D]0}| |ˆ¡} | || ||¡| |j|| ¡qþ| D]"}| |ˆ¡} | |j|| ¡q4|durl| d¡|S) Ncs |dˆkSrîr$rïrñr$r%rò?róz0FirewallPolicy.add_source_port..rrôcSsg|] \}}|‘qSr$r$rõr$r$r%r÷Fróz2FirewallPolicy.add_source_port..TrìF)rrAr›rœr!r’rørQr r3rrržr r.rErerÚ_FirewallPolicy__source_port_idÚ%_FirewallPolicy__register_source_portr Ú'_FirewallPolicy__unregister_source_portrªrirür$rñr%r‹8s<     ÿ     zFirewallPolicy.add_source_portcCs|j |¡dSr)rQr4rr$r$r%Z__register_source_port`sz%FirewallPolicy.__register_source_portcsh|j |¡}|j ¡|j|}tt‡fdd„|jƒƒ}|D]}t||dƒr<qzq<|jr`|jn|} t t j d|ˆ| fƒ‚t |dd„|Dƒƒ\} } |dur¤|  ¡} n|} |jrò| D]} | d|t| dƒˆ| ¡q²| D]} | d |t| dƒˆ| ¡qÔ| D]0} | | ˆ¡}| ||dd¡|  |j||¡qö| D]"} | | ˆ¡}|  |j||¡q,|durd|  d¡|S) Ncs |dˆkSrîr$rïrñr$r%ròiróz3FirewallPolicy.remove_source_port..rrcSsg|] \}}|‘qSr$r$rõr$r$r%r÷rróz5FirewallPolicy.remove_source_port..TrìF)rrArœr!r’rørQr r3rrr¨r r.rErerrrr rrªrirr$rñr%rŒcs<    ÿ     z!FirewallPolicy.remove_source_portcCs||jvr|j |¡dSr)rQr¬rr$r$r%Z__unregister_source_portŒs z'FirewallPolicy.__unregister_source_portcCs2| |¡jD] \}}t||ƒr ||kr dSq dSr)r2rQr rr$r$r%Úquery_source_portsz FirewallPolicy.query_source_portcCs | |¡jSr)r2rQrtr$r$r%Úlist_source_ports—sz FirewallPolicy.list_source_portsc Cs®|j |¡}|j |¡|j ¡|j|}|jrR|jr>|jn|}ttj d|ƒ‚|durd|  ¡}n|}|j r||  d||¡|  |||¡| |j|¡|durª| d¡|S)Nz"masquerade already enabled in '%s'T)rrAr›rœr!rOr3rrržr.rErfÚ$_FirewallPolicy__register_masquerader Ú&_FirewallPolicy__unregister_masqueraderi) r"r?rwrxrIrkr£rÎrlr$r$r%r…œs&    ÿ  zFirewallPolicy.add_masqueradecCs d|_dS©NT©rO)r"r£rwrxr$r$r%Z__register_masquerade¸sz$FirewallPolicy.__register_masqueradecCs”|j |¡}|j ¡|j|}|jsF|jr2|jn|}ttjd|ƒ‚|durX|  ¡}n|}|j rp|  d||¡|  |j |¡|dur| d¡|S)Nzmasquerade not enabled in '%s'FT)rrArœr!rOr3rrr¨r.rErfrªrri)r"r?rIrkr£rÎrlr$r$r%r†»s"   ÿ  z FirewallPolicy.remove_masqueradecCs d|_dS©NFr©r"r£r$r$r%Z__unregister_masqueradeÔsz&FirewallPolicy.__unregister_masqueradecCs | |¡jSr)r2rOrtr$r$r%Úquery_masquerade×szFirewallPolicy.query_masqueradecCsZ|j |¡|j |¡|r(|j |¡|rBt||ƒsBttj|ƒ‚|sV|sVttjdƒ‚dS)Nz.port-forwarding is missing to-port AND to-addr)rrærçrrrZ INVALID_ADDRZINVALID_FORWARD)r"ÚipvrérêÚtoportÚtoaddrr$r$r%Úcheck_forward_portÜs     þz!FirewallPolicy.check_forward_portcCsLtd|ƒr| d||||¡n| d||||¡t|dƒ|t|dƒt|ƒfS)Nr½r¼rì)rr$rr»)r"rérêr"r#r$r$r%Z__forward_port_idés   ÿz FirewallPolicy.__forward_port_idc  CsØ|j |¡} |j |¡|j ¡|j| } | ||||¡} | | jvrp| jrR| jn| } tt j d||||| fƒ‚|dur‚|  ¡} n|} | j r¢|  d| | ||||¡| | | ||¡|  |j| | ¡|durÔ|  d¡| S)Nz'%s:%s:%s:%s' already in '%s'T)rrAr›rœr!Ú _FirewallPolicy__forward_port_idrPr3rrržr.rEraÚ&_FirewallPolicy__register_forward_portr Ú(_FirewallPolicy__unregister_forward_portri)r"r?rérêr"r#rwrxrIrkr£Ú forward_idrÎrlr$r$r%r‡ñs0      ÿÿ ÿ zFirewallPolicy.add_forward_portcCs|j |¡dSr)rPr4)r"r£r(rwrxr$r$r%Z__register_forward_portsz&FirewallPolicy.__register_forward_portc Cs¼|j |¡}|j ¡|j|}| ||||¡} | |jvrd|jrF|jn|} ttj d||||| fƒ‚|durv|  ¡} n|} |j r–|  d|| ||||¡|   |j|| ¡|dur¸|  d¡|S)Nz'%s:%s:%s:%s' not in '%s'FT)rrArœr!r%rPr3rrr¨r.rErarªr'ri) r"r?rérêr"r#rIrkr£r(rÎrlr$r$r%rˆs,     ÿÿ ÿ z"FirewallPolicy.remove_forward_portcCs||jvr|j |¡dSr)rPr¬)r"r£r(r$r$r%Z__unregister_forward_port1s z(FirewallPolicy.__unregister_forward_portcCs | ||||¡}|| |¡jvSr)r%r2rP)r"r?rérêr"r#r(r$r$r%Úquery_forward_port5sz!FirewallPolicy.query_forward_portcCs | |¡jSr)r2rPrtr$r$r%Úlist_forward_ports:sz!FirewallPolicy.list_forward_portscCs|j |¡dSr)rZcheck_icmptype©r"Úicmpr$r$r%Úcheck_icmp_block?szFirewallPolicy.check_icmp_blockcCs| |¡|Sr)r-r+r$r$r%Z__icmp_block_idBs zFirewallPolicy.__icmp_block_idc CsÆ|j |¡}|j |¡|j ¡|j|}| |¡}||jvrd|jrL|jn|} tt j d|| fƒ‚|durv|  ¡} n|} |j r|  d||| ¡| ||||¡|  |j||¡|durÂ|  d¡|SrÉ)rrAr›rœr!Ú_FirewallPolicy__icmp_block_idrRr3rrržr.rEr`Ú$_FirewallPolicy__register_icmp_blockr Ú&_FirewallPolicy__unregister_icmp_blockri) r"r?r,rwrxrIrkr£Úicmp_idrÎrlr$r$r%rƒFs(       ÿ  zFirewallPolicy.add_icmp_blockcCs|j |¡dSr)rRr4)r"r£r1rwrxr$r$r%Z__register_icmp_blockcsz$FirewallPolicy.__register_icmp_blockc Csª|j |¡}|j ¡|j|}| |¡}||jvrX|jr@|jn|}ttj d||fƒ‚|durj|  ¡}n|}|j r„|  d|||¡|  |j||¡|dur¦| d¡|SrÏ)rrArœr!r.rRr3rrr¨r.rEr`rªr0ri) r"r?r,rIrkr£r1rÎrlr$r$r%r„fs$      ÿ  z FirewallPolicy.remove_icmp_blockcCs||jvr|j |¡dSr)rRr¬)r"r£r1r$r$r%Z__unregister_icmp_block€s z&FirewallPolicy.__unregister_icmp_blockcCs| |¡| |¡jvSr)r.r2rR)r"r?r,r$r$r%Úquery_icmp_block„szFirewallPolicy.query_icmp_blockcCs | |¡jSr)r2rRrtr$r$r%Úlist_icmp_blocks‡szFirewallPolicy.list_icmp_blocksc Csî|j |¡}|j ¡|j|}|jrF|jr2|jn|}ttjd|ƒ‚|durX|  ¡}n|}|j rŒ|j D]}|  d|||¡qh|  d||¡| ||¡| |j||¡|j rØ|j D]}|  d|||¡q´|  d||¡|durê| d¡|S)Nz,icmp-block-inversion already enabled in '%s'FT)rrArœr!rUr3rrržr.rErRr`Ú_icmp_block_inversionÚ._FirewallPolicy__register_icmp_block_inversionr Ú*_FirewallPolicy__undo_icmp_block_inversionri) r"r?rxrIrkr£rÎrlrpr$r$r%Úadd_icmp_block_inversionŒs2   þ     z'FirewallPolicy.add_icmp_block_inversioncCs d|_dSr©rU)r"r£rxr$r$r%Z__register_icmp_block_inversion³sz.FirewallPolicy.__register_icmp_block_inversioncCs`| ¡}|jr*|jD]}| d|||¡qd|_|jrR|jD]}| d|||¡q<| d¡dS)NFT)r.rErRr`rUri)r"rkr£rlrpr$r$r%Z__undo_icmp_block_inversion¶s  z*FirewallPolicy.__undo_icmp_block_inversioncCsì|j |¡}|j ¡|j|}|jsF|jr2|jn|}ttjd|ƒ‚|durX|  ¡}n|}|j rŒ|j D]}|  d|||¡qh|  d||¡| |¡| |j|d¡|j rÖ|j D]}|  d|||¡q²|  d||¡|durè| d¡|S)Nz(icmp-block-inversion not enabled in '%s'FT)rrArœr!rUr3rrr¨r.rErRr`r4Ú0_FirewallPolicy__unregister_icmp_block_inversionr r5ri)r"r?rIrkr£rÎrlrpr$r$r%Úremove_icmp_block_inversionÇs6   þ    ÿ  z*FirewallPolicy.remove_icmp_block_inversioncCs d|_dSrr8rr$r$r%Z!__unregister_icmp_block_inversionîsz0FirewallPolicy.__unregister_icmp_block_inversioncCs | |¡jSr)r2rUrtr$r$r%Úquery_icmp_block_inversionñsz)FirewallPolicy.query_icmp_block_inversionc Csä|jj |¡}|jr*|jjj|jd}n|}|rT||jvrt||f|j|vrtdSn ||jvsp||f|j|vrtdS|j ¡D]2}|jr~||  ¡vr~|  ||||¡} |  || ¡q~|  ||||fg¡|  |j || ||fg¡dS©Nr)rr?r2r3r=Z_zone_policiesr Úenabled_backendsÚpolicies_supportedZget_available_tablesZbuild_policy_chain_rulesÚ add_rulesÚ_register_chainsr ) r"r?ÚcreatermrnrlrCZtracking_policyÚbackendÚrulesr$r$r%r[ôs* ÿ ÿ ÿzFirewallPolicy.gen_chain_rulescCs^|D]T\}}|r*|j |g¡ ||f¡q|j| ||f¡t|j|ƒdkr|j|=qdSr<)r Ú setdefaultr4r¬r©)r"r?rAZtablesrmrnr$r$r%r@s  zFirewallPolicy._register_chainscCs$|jj |¡dkrdS|jj |¡S)Nzhash:mac)rrÀÚget_typeZ get_family©r"rBr$r$r%rÅszFirewallPolicy._ipset_familycCs|jj |¡Sr)rrÀrErFr$r$r%Z __ipset_type!szFirewallPolicy.__ipset_typecCsd |g|jj |¡¡S)Nú,)ÚjoinrrÀZ get_dimension)r"rBÚflagr$r$r%Ú_ipset_match_flags$sz!FirewallPolicy._ipset_match_flagscCs|jj |¡Sr)rrÀZ check_appliedrFr$r$r%rÄ'sz#FirewallPolicy._check_ipset_appliedcCs*| |¡}|tvr&ttjd||fƒ‚dS)Nz.ipset '%s' with type '%s' not usable as source)Ú_FirewallPolicy__ipset_typerrrZ INVALID_IPSET)r"rBZ_typer$r$r%rÃ*s ÿþz+FirewallPolicy._check_ipset_type_for_sourcec s˜t|jƒtkr‚ˆjj |jj¡}|dur2|jjg}|jD]H}||vrFq8ˆ |¡|  |¡t   |¡}||j_ˆj |||||dq8g} |j r–|j g} nH|jrÞt|jtƒs´t|jtƒrÞˆjj |jj¡‰ˆjrÞ‡fdd„dDƒ} ˆ |j¡} | r"|j r|j | kr"ttjd| |j fƒ‚n| g} | s0ddg} ‡fdd„| Dƒ} | |_t‡fd d„| DƒƒD]2} t|jƒtkr€ˆjj |jj¡}g} t|jƒd krä|jr®ttjd ƒ‚| D].} | |jvr²|  | ¡r²|   |j| ¡q²n |   d¡| D]†}t|jƒtkr舠|j |¡}|ˆ !|j"¡7}t#t|ƒd d „d}g}|D]š}|j$}t%|ƒ}| &dd¡}|  |¡|j dkrˆ|  |j ¡sˆqBt|j'ƒdkr¤|  |¡n6|j'D].\}}|  (||||||j|¡}| )| |¡qªqB| *|¡|j'D]*\}}|  +||||||¡}| )| |¡qî|j,D]$}|  -|||||¡}| )| |¡q |j.D]*\}}|  /||||||¡}| )| |¡qLqòq^t|jƒt0krÐ|jj1}|jj2}ˆ 3||¡|  +||||d|¡}| )| |¡q^t|jƒt4kr|jj5}ˆ 6|¡|  -|||d|¡}| )| |¡q^t|jƒt7krX|jj5}ˆ 8|¡|  9|||d|¡}| )| |¡q^t|jƒt:kr°|r’| D]} |  | ¡rr| ;t<| ¡qr|  =|||¡}| )| |¡q^t|jƒt>krH|jj1}|jj2}|jj?}|jj@}| D]<} |  | ¡rˆ A| ||||¡|rä|rä| ;t<| ¡qä|  B|||||||¡}| )| |¡q^t|jƒtCkr–|jj1}|jj2}ˆ 3||¡|  /||||d|¡}| )| |¡nút|jƒtks¶t|jƒtkrRˆjj |jj¡‰|j rˆjr|j ˆjvrttjDd|j |jjfƒ‚t|jƒtkr4|jr4t|jƒtkr4ttjdƒ‚|  E||ˆ|¡}| )| |¡n>|jdurz|  F|||¡}| )| |¡nttjdt|jƒƒ‚q^dS)N©Úincluded_servicescsg|]}|ˆjvr|‘qSr$)Ú destination©rör!)Úictr$r%r÷Gróz0FirewallPolicy._rule_prepare..©r¼r½z;Source address family '%s' conflicts with rule family '%s'.r¼r½csg|]}ˆj |¡r|‘qSr$)rÚis_ipv_enabledrOr(r$r%r÷Xrócsg|]}ˆj |¡‘qSr$)rÚget_backend_by_ipv)rörðr(r$r%r÷]rórz"Destination conflict with service.cSs|jSr©rBrïr$r$r%ròuróz.FirewallPolicy._rule_prepare..©roÚ conntrackÚnatr¿rVz3rich rule family '%s' conflicts with icmp type '%s'z'IcmpBlock not usable with accept actionzUnknown element %s)GÚtypeÚelementrrrÔÚ get_servicerBÚincludesrÒr4r‘ÚdeepcopyrÈÚfamilyr^rrÚconfigÚ get_icmptyperNrÇrÆrrr Úipvsr;r©Úis_ipv_supportedÚactionrrårãrárÞr/râr ÚreplacerNÚbuild_policy_helper_ports_rulesr?Z add_modulesÚbuild_policy_ports_rulesrTÚbuild_policy_protocol_rulesrQÚbuild_policy_source_ports_rulesrrérêrærÚvaluer rrZ build_policy_tcp_mss_clamp_rulesrrªrÚbuild_policy_masquerade_rulesrZto_portZ to_addressr$Úbuild_policy_forward_port_rulesrZINVALID_ICMPTYPEÚbuild_policy_icmp_block_rulesZ*build_policy_rich_source_destination_rules)r"rjr?r¹rlrMÚsvcÚincludeZ_ruler`Z source_ipvrBZ destinationsr!rNrÞrãrÛrâräÚ nat_moduleréÚprotorCrêr r"r#r$)rPr"r%rÈ2sJ         ÿÿ  ÿ   þ  ÿ  ÿ ÿ  ÿ  ÿ  ÿ    þ  ÿ ÿ ÿ ÿÿÿ ÿÿ ÿÿzFirewallPolicy._rule_preparec Cs>|jj |¡}| |j|¡}|| |j¡7}tt|ƒdd„d}|durN|g}|j D]6}||vrbqT|  |¡|  |¡|j |||||dqTg} dD]f} |j  | ¡s¦q”|j | ¡} t|jƒdkrà| |jvrú|   | |j| f¡q”| df| vr”|   | df¡q”| D]6\} } |D]œ} | j}t|ƒ}| j dd¡}| |¡| jd krV|  | j¡sVqt| jƒd krr| |¡n6| jD].\}}|  ||||| | j|¡}| | |¡qxq|jD](\}}|  ||||| ¡}| | |¡q²|jD]"}|  |||| ¡}| | |¡qâ|jD](\}}|  ||||| ¡}| | |¡q qdS) NcSs|jSrrTrïr$r$r%ròþróz)FirewallPolicy._service..rUrLrQrrVrWr¿rV) rrÔrZrårãrárÞr/r;r[rÒr4rbrRrSr©rNrâr rcZ add_moduler]rarNrdrBr?rerTrfrQrg)r"rjr?rÔrlrMrlrÞrmZ backends_ipvr!rBrNrÛrârärnrérorCrêr$r$r%rbúsj         þ ÿ ÿ ÿzFirewallPolicy._servicecCs8|j ¡D](}|jsq | ||||¡}| ||¡q dSr)rr=r>rer?©r"rjr?rérêrlrBrCr$r$r%rc:s ÿzFirewallPolicy._portcCs6|j ¡D]&}|jsq | |||¡}| ||¡q dSr)rr=r>rfr?)r"rjr?rêrlrBrCr$r$r%rdCs zFirewallPolicy._protocolcCs8|j ¡D](}|jsq | ||||¡}| ||¡q dSr)rr=r>rgr?rpr$r$r%reKs zFirewallPolicy._source_portcCs8d}| t|¡|j |¡}| ||¡}| ||¡dS)Nr¼)rªrrrSrir?)r"rjr?rlr!rBrCr$r$r%rfSs    zFirewallPolicy._masqueradec CsXtd|ƒrd}nd}|r(|r(| t|¡|j |¡} |  ||||||¡} | | | ¡dS)Nr½r¼)rrªrrrSrjr?) r"rjr?rlrérêr"r#r!rBrCr$r$r%ra[s    þzFirewallPolicy._forward_portc Csz|jj |¡}|j ¡D]\}|js$qd}|jrTdD] }||jvr2| |¡s2d}qTq2|rZq| |||¡} | || ¡qdS)NFrQT) rr^r_r=r>rNrarkr?) r"rjr?r,rlrPrBZ skip_backendr!rCr$r$r%r`js  zFirewallPolicy._icmp_blockcCsb|j|j}|dvrdS| |¡s.|dkr.dS|j ¡D]$}|jsDq8| ||¡}| ||¡q8dS)N)ZDROPz %%REJECT%%ZREJECTZACCEPT)r!Útargetr;rr=r>Z'build_policy_icmp_block_inversion_rulesr?)r"rjr?rlrqrBrCr$r$r%r4s  z$FirewallPolicy._icmp_block_inversioncCs&t|jƒ}| |||¡| d¡dSr)rrr\ri)r"rjr?rlr$r$r%Ú!_ingress_egress_zones_transaction’s z0FirewallPolicy._ingress_egress_zones_transactionc Cs|j|}|j}|j}tƒ}tƒ}tƒ} tƒ} |D]:} | dvr@q2|t|jj | ¡ƒO}| t|jj | ¡ƒO} q2|D]:} | dvr€qr|t|jj | ¡ƒO}| t|jj | ¡ƒO} qr|j ¡D]D} | j sÄq¸|  |¡D],\} }|   ||| |||| | ¡}|  | |¡qÎq¸dS)N)r:r9) r!r<r>r;rr=Zlist_interfacesZ list_sourcesr=r>rYZ!build_policy_ingress_egress_rulesr?)r"rjr?rlrCr<r>Zingress_interfacesZegress_interfacesZingress_sourcesZegress_sourcesr=rBrmrnrCr$r$r%r\—s4  þz$FirewallPolicy._ingress_egress_zonescCs |j|}d|jvrrÚnftables_enabledr4Z_firewall_backendr=Zget_zoneZ interfaces)r"r?rCÚtcr=r$r$r%rY·sl                             z4FirewallPolicy._get_table_chains_for_policy_dispatchcCsf|j|}d|jvr0dg}|jjs,| d¡|Sd|jvrBgd¢Sd|jvrRdgSttjd|ƒ‚dS) z8Create a list of (table, chain) needed for zone dispatchr9rsrxr:r}r|zInvalid policy: %sN) r!r>rr~r4r<rrÚINVALID_POLICY)r"r?rCrr$r$r%rZ s     z2FirewallPolicy._get_table_chains_for_zone_dispatchFcCs–|jj |¡}|jr|j}n||}d|jvrh|dkr>d|S|dkrNd|S|jsd|dvrdd|Snd|jvrŠ|jsˆ|dvrˆd|Snòd |jvrÔ|dkr¤d |S|d krÂ|r¸d |Sd|Sn|d vrÒd|Sn¨d |jvr.|dkrðd |S|d kr|rd |Sd|Sn|d vr||js|d|SnN|js||dkrHd |S|d krj|r`d |Sd|Sn|d vr|d|Sttjd|||fƒ‚dS)Nr9røZIN_ryZPRE_)rwrW)rørWZOUT_r:ZFWD_rWZPOST_)rwryz.Can't convert policy to chain name: %s, %s, %s) rr?r2r3r>r<rrr€)r"r?rmZ policy_prefixZisSNATrCÚsuffixr$r$r%Úpolicy_base_chain_name!sZ                z%FirewallPolicy.policy_base_chain_name)N)N)N)N)rNNT)N)rNNT)N)rNN)N)rNN)N)rNN)N)rNN)N)rNN)N)rNN)N)NN)NN)NNrNN)NNN)NN)rNN)N)NN)N)N)N)NN)F)€Ú__name__Ú __module__Ú __qualname__r&r)r+r.r1r8r@r2rDrGrKrLrqrJrFrur”r˜rrrŸrŽr¡r¯r°r±r²rr³rr´rµr¶rºrÊrÇrgryrËr|rÌrÐrÑrÒrÕrrÖr€r×rÙrÚrárårærùrrúr‚rûrr r rrr‰rrŠrrrrr‹rrŒrrrr…rr†rr r$r%r‡r&rˆr'r)r*r-r.rƒr/r„r0r2r3r7r5r6r:r9r;r[r@rÅrKrJrÄrÃrÈrbrcrdrerfrar`r4rrr\rYrZr‚r$r$r$r%rs>   F  5ÿ & #ÿ & #ÿ ÿ ÿ ÿ  ÿ (ÿ )ÿ ÿ ÿ (ÿ )ÿ   þ ÿ ÿ ÿ  ÿ ' '  I @  ÿ  Vr)%r‘Zfirewall.core.loggerrZfirewall.functionsrrrrrrr r r r r r~rrrrrrrrrrrZfirewall.core.fw_transactionrZfirewallrZfirewall.errorsrZfirewall.core.baserÚobjectrr$r$r$r%Ús 44