a «°iß©ã@sÀddlZddlmZmZmZddlmZddlmZddl m Z ddlmZm Z mZmZmZmZmZmZmZmZmZddlmZddlmZmZmZdd lmZdd lm Z Gdd„de!ƒZ"dS) éN)Ú SHORTCUTSÚDEFAULT_ZONE_TARGETÚSOURCE_IPSET_TYPES)ÚFirewallTransaction)ÚPolicy)Úlog)ÚRich_ForwardPortÚRich_IcmpBlockÚ Rich_IcmpTypeÚ Rich_MarkÚRich_MasqueradeÚ Rich_PortÚ Rich_ProtocolÚ Rich_RuleÚRich_ServiceÚRich_SourcePortÚRich_Tcp_Mss_Clamp)Únm_get_bus_name)ÚcheckIPnMaskÚ checkIP6nMaskÚ check_mac)Úerrors)Ú FirewallErrorc@s&eZdZdZdd„Zdd„Zdd„Zdd „Zd d„Zdd „Z dd„Z dd„Zdd„Zdd„Z dd„Zdd„Zdd„Zd½dd„Zdd „Zd!d"„Zd#d$„Zd¾d%d&„Zd'd(„Zd¿d)d*„ZdÀd+d,„Zd-d.„Zd/d0„Zd1d2„Zd3d4„Zd5d6„ZdÁd8d9„Zd:d;„ZdÂdd?„Z!dÄd@dA„Z"dBdC„Z#dDdE„Z$dFdG„Z%dÅdIdJ„Z&dÆdKdL„Z'dÇdMdN„Z(dOdP„Z)dÈdQdR„Z*dÉdSdT„Z+dUdV„Z,dWdX„Z-dYdZ„Z.dÊd[d\„Z/d]d^„Z0d_d`„Z1dadb„Z2dcdd„Z3dedf„Z4dgdh„Z5dËdidj„Z6dkdl„Z7dmdn„Z8dodp„Z9dÌdqdr„Z:dsdt„Z;dudv„Zd{d|„Z?d}d~„Z@dd€„ZAdd‚„ZBdÎdƒd„„ZCd…d†„ZDd‡dˆ„ZEd‰dŠ„ZFdÏd‹dŒ„ZGddŽ„ZHdd„ZId‘d’„ZJdÐd“d”„ZKd•d–„ZLd—d˜„ZMdÑd™dš„ZNdÒd›dœ„ZOdÓddž„ZPdŸd „ZQdÔd¡d¢„ZRd£d¤„ZSd¥d¦„ZTd§d¨„ZUdÕd©dª„ZVd«d¬„ZWdd®„ZXd¯d°„ZYd±d²„ZZdÖd³d´„Z[dµd¶„Z\d×d·d¸„Z]d¹dº„Z^d»d¼„Z_dS)ØÚFirewallZonercCs||_i|_i|_dS©N)Ú_fwÚ_zonesÚ_zone_policies)ÚselfÚfw©r ú9/usr/lib/python3.9/site-packages/firewall/core/fw_zone.pyÚ__init__0szFirewallZone.__init__cCsd|j|jfS)Nz%s(%r))Ú __class__r©rr r r!Ú__repr__5szFirewallZone.__repr__cCs|j ¡|j ¡dSr)rÚclearrr$r r r!Úcleanup8s zFirewallZone.cleanupcCst|jƒ}| |jj¡|Sr)rrZadd_preÚfull_check_config)rÚtr r r!Únew_transaction<s zFirewallZone.new_transactioncCsdj||dS)Nzzone_{fromZone}_{toZone})ÚfromZoneÚtoZone)Úformat)rr+r,r r r!Úpolicy_name_from_zonesAsz#FirewallZone.policy_name_from_zonescCst|j ¡ƒSr)ÚsortedrÚkeysr$r r r!Ú get_zonesFszFirewallZone.get_zonescCs4g}| ¡D]"}| |¡s$| |¡r| |¡q|Sr)r1Úlist_interfacesÚlist_sourcesÚappend)rZactive_zonesÚzoner r r!Úget_active_zonesIs zFirewallZone.get_active_zonescCs2| |¡}|jD]}||j|jvr|SqdSr)Ú_FirewallZone__interface_idrÚ interfaces)rÚ interfaceÚinterface_idr5r r r!Úget_zone_of_interfacePs z"FirewallZone.get_zone_of_interfacecCs2| |¡}|jD]}||j|jvr|SqdSr)Ú_FirewallZone__source_idrÚsources)rÚsourceÚ source_idr5r r r!Úget_zone_of_sourceXs zFirewallZone.get_zone_of_sourcecCs|j |¡}|j|Sr)rÚ check_zoner)rr5Úzr r r!Úget_zone`szFirewallZone.get_zonec CsHtƒ}|j|_| ||¡|_|j|_|j|_|g|_|g|_dD]}||jkrz|dkrz|dvrzt ||t t||ƒ¡ƒq@|dkr®||jkr®|dvr®t ||t t||ƒ¡ƒq@||jkrâ|dkrâ|dvrât ||t t||ƒ¡ƒq@|dvr@g|_ g|_|j D]D}| ||¡}t|d}|| |j|¡vrü|j |¡|j |¡qüq@|S) N) ÚservicesÚportsÚ masqueradeÚ forward_portsÚsource_portsÚicmp_blocksÚicmp_block_inversionÚ rules_strÚ protocolsÚHOST)rDrErHrIrJrLÚANY)rF)rG)rK©Úrule_str)rÚnameZderived_from_zoner.ÚZONE_POLICY_PRIORITYÚpriorityÚtargetZ ingress_zonesZegress_zonesÚsetattrÚcopyÚdeepcopyÚgetattrrKÚrulesrÚ_rich_rule_to_policiesr4) rÚz_objr+r,Úp_objZsettingrPZcurrent_policyÚruler r r!Úpolicy_obj_from_zone_objds8 ÿÿ z%FirewallZone.policy_obj_from_zone_objcCsr||j|j<g|j|j<|jdfd|jf|jdffD]8\}}| |||¡}|jj |¡|j|j |j¡q4dS)NrMrN)rrQrr^rÚpolicyZ add_policyr4)rÚobjr+r,r\r r r!Úadd_zoneŽsÿzFirewallZone.add_zonecCs.|j|}|jr| |¡|j|=|j|=dSr)rÚappliedÚunapply_zone_settingsr)rr5r`r r r!Úremove_zone¡s zFirewallZone.remove_zoneNcCsR| ¡D]D}|j|}t|jƒdks2t|jƒdkrt d|¡|j||dqdS)NrzApplying zone '%s'©Úuse_transaction)r1rÚlenr8r=rÚdebug1Úapply_zone_settings)rrfr5r[r r r!Úapply_zones¨s zFirewallZone.apply_zonescCs|j|}||_dSr)rrb)rr5rbr`r r r!Úset_zone_applied¯s zFirewallZone.set_zone_appliedcCs˜d|vrdS| d¡}t|ƒdkr&dSd}tD]}|dt|kr.|}q.|dur”|d| ¡vrddSt|ƒdksˆt|ƒdkr”|ddvr”|d|fSdS)NÚ_éréé)ZprerZdenyZallowZpost)Úsplitrgrr1)rÚchainZsplitsÚ_chainÚxr r r!Úzone_from_chainµs& ÿ ÿzFirewallZone.zone_from_chaincCst| |¡}|durdS|\}}|dvr0|}d}n4|dvrB|}d}n"|dvrTd}|}nttjd|ƒ‚| ||¡|fS)N)Z PREROUTINGZFORWARDrN)ZINPUTrM)ZPOSTROUTINGz&chain '%s' can't be mapped to a policy)rtrrZ INVALID_CHAINr.)rrqrsr5rrr+r,r r r!Úpolicy_from_chainÉs zFirewallZone.policy_from_chainc Csj|dvrf| |¡}|durf| |¡\}}|dur:| ¡}n|}|jj |d|||¡|durf| d¡dS)N)Úipv4Úipv6T)rur*rr_Zgen_chain_rulesÚexecute) rÚipvÚtablerqrfrsr_rrÚtransactionr r r!Úcreate_zone_base_by_chainÞs ÿz&FirewallZone.create_zone_base_by_chainc Cs°dD]”}t| |¡|ƒ}t|tƒr(|g}|D]j}|dkrJ| ||||¡q,|dkrp| |¡}| |||||¡q,|dkr|q,q,|dkr†q,t d|||¡q,q|r¬| |||¡dS)N)r8r=ÚforwardrJr8r=rJr}z3Zone '%s': Unknown setting '%s:%s', unable to apply) rXrCÚ isinstanceÚboolÚ _interfaceÚcheck_sourceÚ_sourcerZwarningÚ_icmp_block_inversion)rÚenabler5r{ÚkeyZ args_listÚargsryr r r!Ú_zone_settingsñs& ÿzFirewallZone._zone_settingscCs|j |¡}|j|}|jr dSd|_|dur8| ¡}n|}|j|D]$}t d||¡|jjj ||dqF| d||¡|durŒ| d¡dS)NTz+Applying policy (%s) derived from zone '%s're)rrArrbr*rrrhr_Úapply_policy_settingsr‡rx©rr5rfÚ_zoner`r{r_r r r!ri s z FirewallZone.apply_zone_settingscCs||j |¡}|j|}|js dS|dur2| ¡}n|}|j|D]}|jjj||dq@| d||¡|durx| d¡dS)NreFT) rrArrbr*rr_Úunapply_policy_settingsr‡rxr‰r r r!rcs z"FirewallZone.unapply_zone_settingsc Csz| |¡}| |¡}g}tdƒD]P}|j|d|vrX| t t||j|dƒ¡¡q | ||j|d¡q t|ƒS)úH :return: exported config updated with runtime settings ér) rCÚget_config_with_settings_dictÚrangeZIMPORT_EXPORT_STRUCTUREr4rVrWrXÚtuple)rr5r`Z conf_dictZ conf_listÚir r r!Úget_config_with_settings1s "z%FirewallZone.get_config_with_settingscCs–| |¡ ¡}|dtkr"d|d<| |¡| |¡| |¡| |¡| |¡| |¡| |¡| |¡| |¡| |¡| |¡| |¡dœ}|j ||¡S)rŒrTÚdefault©rDrErIrFrGr8r=rKrLrHrJr})rCZexport_config_dictrÚ list_servicesÚ list_portsÚlist_icmp_blocksÚquery_masqueradeÚlist_forward_portsr2r3Ú list_rulesÚlist_protocolsÚlist_source_portsÚquery_icmp_block_inversionÚ query_forwardrZ'combine_runtime_with_permanent_settings)rr5Z permanentZruntimer r r!rŽAs"õ z*FirewallZone.get_config_with_settings_dictc s,d ‡fdd„ }‡fdd„}ˆjˆjfˆjˆjfˆjˆjfˆjˆjfˆjˆj fˆj ˆjfˆjˆj f||fˆjˆjfˆjˆjfˆjˆjfˆjˆjfdœ}ˆ |¡}t |¡}| |ˆj ¡¡ˆj d|gi¡ˆ |¡} ˆj | |¡\} }|D]n}t||tƒrJ||D]>} t| t ƒr2||d|g| ¢RŽn||d|| ƒqqì||d|ƒqì| D]Æ}t| |tƒrî| |D]n} |d vr¢||d|| |d nFt| t ƒrÐ||d|g| ¢Rd|dœŽn||d|| d|dq|n6|dvr||d||d n||d|d|dq`dS)Nrcsˆj|t|dd|ddS)NrOr©ÚtimeoutÚsender)Úadd_ruler)r5rPr r¡r$r r!Úadd_rule_wrapperYszDFirewallZone.set_config_with_settings_dict..add_rule_wrappercsˆ |t|d¡dS)NrO)Úremove_ruler)r5rPr$r r!Úremove_rule_wrapper[szGFirewallZone.set_config_with_settings_dict..remove_rule_wrapperr”Zzonesrn)r8r=)r¡rŸ)rJ)rN)!Úadd_serviceÚremove_serviceÚadd_portÚremove_portÚadd_icmp_blockÚremove_icmp_blockÚadd_masqueradeÚremove_masqueradeÚadd_forward_portÚremove_forward_portÚ add_interfaceÚremove_interfaceÚ add_sourceÚ remove_sourceÚadd_protocolÚremove_protocolÚadd_source_portÚremove_source_portÚadd_icmp_block_inversionÚremove_icmp_block_inversionÚadd_forwardÚremove_forwardrCrVZimport_config_dictrZget_all_io_objects_dictr(rŽZget_added_and_removed_settingsr~Úlistr)rr5Zsettingsr¡r£r¥Z setting_to_fnZold_objZ check_objZold_settingsZadd_settingsZremove_settingsr…r†r r$r!Úset_config_with_settings_dictWsN ô " z*FirewallZone.set_config_with_settings_dictcCs|j |¡dSr)rÚcheck_interface©rr9r r r!r¾•szFirewallZone.check_interfacecCs| |¡|Sr)r¾r¿r r r!Z__interface_id˜s zFirewallZone.__interface_idTcCs |j ¡|j |¡}|j|}| |¡}||jvrHttjd||fƒ‚| |¡} | durnttj d|| fƒ‚t d||f¡|dur’| ¡} n|} |js¾|r¾|j|| d| |j|d¡|rÒ| d||| ¡| ||||¡| |j||¡|dur| d¡|S)Nú'%s' already bound to '%s'z&Setting zone of interface '%s' to '%s'reFT)rÚcheck_panicrArr7r8rrÚZONE_ALREADY_SETr;Ú ZONE_CONFLICTrrhr*rbriÚadd_failrkr€Ú!_FirewallZone__register_interfaceÚ#_FirewallZone__unregister_interfacerx)rr5r9r¡rfÚallow_applyrŠÚ_objr:Úzoir{r r r!r°œsJ ÿÿ ÿÿÿ ÿ ÿ zFirewallZone.add_interfacecCsB|j |¡|r|dkr&|jj |¡|tƒkr>|jj |¡dS)NÚ)r8r4rÚ_default_zone_interfacesrÚ_nm_assigned_interfaces)rrÈr:r5r¡r r r!Z__register_interfaceÇs z!FirewallZone.__register_interfacecCsR|j ¡| |¡}|j |¡}||kr,|S|dur@| ||¡| |||¡}|Sr)rrÁr;rAr±r°)rr5r9r¡Ú _old_zoneÚ _new_zonerŠr r r!Úchange_zone_of_interfaceÎs z%FirewallZone.change_zone_of_interfacecCsz|j ¡|dur| ¡}n|}| ||¡|jd|d|dd|durd|dkrd|jd|d|dd|durv| d¡dS)NTú+)r4rÊF)rrÁr*rir€rx)rZold_zoneZnew_zonerfr{r r r!Úchange_default_zoneÝs z FirewallZone.change_default_zonec CsÂ|j ¡| |¡}|dur,ttjd|ƒ‚|dkr8|n |j |¡}||krbttjd|||fƒ‚|durt| ¡}n|}|j |}| |¡}| |j||¡| d|||¡|dur¾| d¡|S)Nú'%s' is not in any zonerÊz"remove_interface(%s, %s): zoi='%s'FT)rrÁr;rrZUNKNOWN_INTERFACErArÃr*rr7Úadd_postrÆr€rx) rr5r9rfrÉrŠr{rÈr:r r r!r±ís. ÿÿÿ zFirewallZone.remove_interfacecCsN||jvr|j |¡||jjvr0|jj |¡||jjvrJ|jj |¡dSr)r8ÚremoverrËrÌ)rrÈr:r r r!Z__unregister_interface s z#FirewallZone.__unregister_interfacecCs| |¡| |¡jvSr)r7rCr8)rr5r9r r r!Úquery_interfaceszFirewallZone.query_interfacecCs| |¡jSr)rCr8©rr5r r r!r2szFirewallZone.list_interfacesFcCsxt|ƒrdSt|ƒrdSt|ƒr$dS| d¡rh| |dd…¡|rV| |dd…¡| |dd…¡Sttj |ƒ‚dS)NrvrwrÊzipset:é) rrrÚ startswithÚ_check_ipset_type_for_sourceÚ_check_ipset_appliedÚ _ipset_familyrrZINVALID_ADDR©rr>rbr r r!rs zFirewallZone.check_sourcecCs|j||d|S)N©rb)rrÜr r r!Z__source_id(szFirewallZone.__source_idcCs|j ¡|j |¡}|j|}t|ƒr0| ¡}|j||d}|j||d} | |jvrjt t jd||fƒ‚| |¡durˆt t j d|ƒ‚|durš| ¡} n|} |jsÆ|rÆ|j|| d| |j|d¡|rÜ| d||| | ¡| || ||¡| |j|| ¡|dur| d¡|S)NrÝrÀz'%s' already bound to a zonereFT)rrÁrArrÚupperrr<r=rrrÂr@rÃr*rbrirÄrkr‚Ú_FirewallZone__register_sourceÚ _FirewallZone__unregister_sourcerx)rr5r>r¡rfrÇrŠrÈryr?r{r r r!r²,s< ÿÿ ÿ zFirewallZone.add_sourcecCs|j |¡dSr)r=r4)rrÈr?r5r¡r r r!Z__register_sourceTszFirewallZone.__register_sourcecCsb|j ¡| |¡}|j |¡}||kr,|St|ƒr<| ¡}|durP| ||¡| |||¡}|Sr)rrÁr@rArrÞr³r²)rr5r>r¡rÍrÎrŠr r r!Úchange_zone_of_sourceWs z"FirewallZone.change_zone_of_sourcec CsÞ|j ¡t|ƒr| ¡}| |¡}|durrfZzosrŠr{rÈryr?r r r!r³is4 ÿÿÿ zFirewallZone.remove_sourcecCs||jvr|j |¡dSr)r=rÔ)rrÈr?r r r!Z__unregister_sourceˆs z FirewallZone.__unregister_sourcecCs&t|ƒr| ¡}| |¡| |¡jvSr)rrÞr<rCr=)rr5r>r r r!Úquery_sourceŒszFirewallZone.query_sourcecCs| |¡jSr)rCr=rÖr r r!r3‘szFirewallZone.list_sourcescspˆj ¡D]–}|jsq ˆj|D]>}ˆjj |¡D]*\}} | |||||| |¡} | || ¡q2q ˆ |d¡}ˆ |¡j r |dvr |j|||d|d} | || ¡q ˆjj ¡D]¼}|ˆjj |¡vrØ|ˆjj |¡vrØq®|ˆjj ¡vrRˆjj |¡jrR|s*tˆ |¡ƒdkr*ˆjjj||dn&ˆjj d||¡| ‡fdd „|¡q®|r®| ‡fd d „|¡q®dS)NrN)rÐÚ*Úfilter©r9rnreFcs |ˆjj ¡voˆjj d|¡S©NT©rr_Ú)get_active_policies_not_derived_from_zoneZ!_ingress_egress_zones_transaction©Úpr$r r!Ú¸sz)FirewallZone._interface..cs|ˆjj ¡voˆjj |¡Sr©rr_rèrˆrér$r r!rë»s)rÚenabled_backendsÚpolicies_supportedrr_Ú#_get_table_chains_for_zone_dispatchZ!build_zone_source_interface_rulesÚ add_rulesr.rCr}Úbuild_zone_forward_rulesÚ"get_policies_not_derived_from_zoneÚlist_ingress_zonesÚlist_egress_zonesrèÚ get_policyrbrgr2r‹Ú_ingress_egress_zonesrÓ)rr„r5r9r{r4Úbackendr_rzrqrYr r$r!r€”s:ÿÿ$ÿÿzFirewallZone._interfacecCs$| |¡dkrdS|jjj|ddS)Nzhash:macFrÝ)Ú_ipset_typerÚipsetZ get_family©rrQr r r!rÛÀszFirewallZone._ipset_familycCs|jjj|ddS)NFrÝ)rrùZget_typerúr r r!røÅszFirewallZone._ipset_typecCsd |g|jj |¡¡S)Nú,)ÚjoinrrùZ get_dimension)rrQÚflagr r r!Ú_ipset_match_flagsÈszFirewallZone._ipset_match_flagscCs|jj |¡Sr)rrùZ check_appliedrúr r r!rÚËsz!FirewallZone._check_ipset_appliedcCs*| |¡}|tvr&ttjd||fƒ‚dS)Nz.ipset '%s' with type '%s' not usable as source)rørrrZ INVALID_IPSET)rrQZ_typer r r!rÙÎs ÿþz)FirewallZone._check_ipset_type_for_sourcecsx|rˆj |¡gnˆj ¡D]Œ}|js(qˆj|D]<}ˆjj |¡D](\}} | |||||| ¡} | || ¡qDq2ˆ |d¡}ˆ |¡jr|j|||d|d} | || ¡qˆjj ¡D]¼}|ˆjj |¡vrà|ˆjj |¡vràq¶|ˆjj ¡vrZˆjj |¡jrZ|s2tˆ |¡ƒdkr2ˆjjj||dn&ˆjj d||¡| ‡fdd„|¡q¶|r¶| ‡fd d„|¡q¶dS) NrNrä©r>rnreFcs |ˆjj ¡voˆjj d|¡Srærçrér$r r!rëøsz&FirewallZone._source..cs|ˆjj ¡voˆjj |¡Srrìrér$r r!rëûs)rÚget_backend_by_ipvrírîrr_rïZbuild_zone_source_address_rulesrðr.rCr}rñròrórôrèrõrbrgr3r‹rörÓ)rr„r5ryr>r{r÷r_rzrqrYr r$r!r‚Ös: ÿÿ$ÿÿzFirewallZone._sourcecCs0|j |¡}| |d¡}|jj ||||¡|S©NrM)rrAr.r_r¦)rr5Úservicer r¡Úp_namer r r!r¦þszFirewallZone.add_servicecCs,|j |¡}| |d¡}|jj ||¡|Sr)rrAr.r_r§©rr5rrr r r!r§szFirewallZone.remove_servicecCs(|j |¡}| |d¡}|jj ||¡Sr)rrAr.r_Ú query_servicerr r r!r szFirewallZone.query_servicecCs&|j |¡}| |d¡}|jj |¡Sr)rrAr.r_r•©rr5rr r r!r•szFirewallZone.list_servicescCs2|j |¡}| |d¡}|jj |||||¡|Sr)rrAr.r_r¨)rr5ÚportÚprotocolr r¡rr r r!r¨szFirewallZone.add_portcCs.|j |¡}| |d¡}|jj |||¡|Sr)rrAr.r_r©©rr5rrrr r r!r©szFirewallZone.remove_portcCs*|j |¡}| |d¡}|jj |||¡Sr)rrAr.r_Ú query_portr r r r!r szFirewallZone.query_portcCs&|j |¡}| |d¡}|jj |¡Sr)rrAr.r_r–rr r r!r–%szFirewallZone.list_portscCs2|j |¡}| |d¡}|jj |||||¡|Sr)rrAr.r_r¶)rr5Úsource_portrr r¡rr r r!r¶*szFirewallZone.add_source_portcCs.|j |¡}| |d¡}|jj |||¡|Sr)rrAr.r_r·©rr5rrrr r r!r·0szFirewallZone.remove_source_portcCs*|j |¡}| |d¡}|jj |||¡Sr)rrAr.r_Úquery_source_portrr r r!r 6szFirewallZone.query_source_portcCs&|j |¡}| |d¡}|jj |¡Sr)rrAr.r_rœrr r r!rœ;szFirewallZone.list_source_portscCsÜ|j |¡}t|jƒtkr(| |d¡gSt|jƒttt t ttfvrP| |d¡gSt|jƒt fvrn| |d¡gSt|jƒtfvrŒ| d|¡gSt|jƒtfvrª| |d¡gS|jdurÂ| |d¡gSttjdt|jƒƒ‚dS)NrNrMz Rich rule type (%s) not handled.)rrAÚtypeÚactionrr.Úelementrr rrr r rrrrrZINVALID_RULE)rr5r]r r r!rZ@s ÿ z#FirewallZone._rich_rule_to_policiescCs*| ||¡D]}|jj ||||¡q|Sr)rZrr_r¢)rr5r]r r¡rr r r!r¢RszFirewallZone.add_rulecCs&| ||¡D]}|jj ||¡q|Sr)rZrr_r¤)rr5r]rr r r!r¤WszFirewallZone.remove_rulecCs.d}| ||¡D]}|o&|jj ||¡}q|Sræ)rZrr_Ú query_rule)rr5r]Úretrr r r!r\szFirewallZone.query_rulecCsZ|j |¡}tƒ}| |d¡| |d¡| d|¡fD]}| t|jj |¡ƒ¡q4t|ƒS)NrNrM)rrAÚsetr.Úupdater_ršr¼)rr5rrr r r!ršbs þzFirewallZone.list_rulescCs0|j |¡}| |d¡}|jj ||||¡|Sr)rrAr.r_r´)rr5rr r¡rr r r!r´kszFirewallZone.add_protocolcCs,|j |¡}| |d¡}|jj ||¡|Sr)rrAr.r_rµ©rr5rrr r r!rµqszFirewallZone.remove_protocolcCs(|j |¡}| |d¡}|jj ||¡Sr)rrAr.r_Úquery_protocolrr r r!rwszFirewallZone.query_protocolcCs&|j |¡}| |d¡}|jj |¡Sr)rrAr.r_r›rr r r!r›|szFirewallZone.list_protocolscCs.|j |¡}| d|¡}|jj |||¡|S©NrN)rrAr.r_r¬)rr5r r¡rr r r!r¬szFirewallZone.add_masqueradecCs*|j |¡}| d|¡}|jj |¡|Sr)rrAr.r_rrr r r!r‡szFirewallZone.remove_masqueradecCs&|j |¡}| d|¡}|jj |¡Sr)rrAr.r_r˜rr r r!r˜szFirewallZone.query_masqueradec Cs6|j |¡}| |d¡}|jj |||||||¡|Sr)rrAr.r_r®) rr5rrÚtoportÚtoaddrr r¡rr r r!r®’sÿzFirewallZone.add_forward_portcCs2|j |¡}| |d¡}|jj |||||¡|Sr)rrAr.r_r¯©rr5rrrrrr r r!r¯šsz FirewallZone.remove_forward_portcCs.|j |¡}| |d¡}|jj |||||¡Sr)rrAr.r_Úquery_forward_portrr r r!r¡s ÿzFirewallZone.query_forward_portcCs&|j |¡}| |d¡}|jj |¡Sr)rrAr.r_r™rr r r!r™¨szFirewallZone.list_forward_portscCs0|j |¡}| |d¡}|jj ||||¡|Sr)rrAr.r_rª)rr5Úicmpr r¡rr r r!rªszFirewallZone.add_icmp_blockcCs,|j |¡}| |d¡}|jj ||¡|Sr)rrAr.r_r«)rr5rrr r r!r«´szFirewallZone.remove_icmp_blockcCs(|j |¡}| |d¡}|jj ||¡Sr)rrAr.r_Úquery_icmp_block)rr5rÚp_name_hostr r r!r»szFirewallZone.query_icmp_blockcCs.|j |¡}| |d¡}tt|jj |¡ƒƒSr)rrAr.r/rr_r—©rr5rr r r!r—ÀszFirewallZone.list_icmp_blockscCs,|j |¡}| |d¡}|jj ||¡|Sr)rrAr.r_r¸)rr5r¡rr r r!r¸Åsz%FirewallZone.add_icmp_block_inversioncCs.|j |¡}| |d¡}|jj |||¡dSr)rrAr.r_rƒ)rr„r5r{rr r r!rƒÌsz"FirewallZone._icmp_block_inversioncCs*|j |¡}| |d¡}|jj |¡|Sr)rrAr.r_r¹rr r r!r¹Ñsz(FirewallZone.remove_icmp_block_inversioncCs&|j |¡}| |d¡}|jj |¡Sr)rrAr.r_rrr r r!rØsz'FirewallZone.query_icmp_block_inversionc CsÀ| |d¡}|j|jD]<}|j ¡D],}|js2q&|j|||d|d}| ||¡q&q|j|jD]X}| |¡} | r‚|j | ¡gn|j ¡D],}|js˜qŒ|j|||d|d}| ||¡qŒqbdS)NrNrärårÿ)r.rr8rrírîrñrðr=rr) rr„r5r{rr9r÷rYr>ryr r r!Ú_forwardÝs zFirewallZone._forwardcCsž|j |¡}|j |¡|j ¡|j|}|jrBttjd|ƒ‚|durT| ¡}n|}|j rl| d||¡| |||¡| |j|¡|durš| d¡|S)Nzforward already enabled in '%s'T)rrAZ check_timeoutrÁrr}rrZALREADY_ENABLEDr*rbr Ú_FirewallZone__register_forwardrÄÚ!_FirewallZone__unregister_forwardrx)rr5r r¡rfrŠrÈr{r r r!rºïs$ ÿ zFirewallZone.add_forwardcCs d|_dSræ©r})rrÈr r¡r r r!Z__register_forward szFirewallZone.__register_forwardcCs„|j |¡}|j ¡|j|}|js6ttjd|ƒ‚|durH| ¡}n|}|j r`| d||¡| |j|¡|dur€| d¡|S)Nzforward not enabled in '%s'FT)rrArÁrr}rrZNOT_ENABLEDr*rbr rÓr"rx)rr5rfrŠrÈr{r r r!r» s ÿ zFirewallZone.remove_forwardcCs d|_dS)NFr#)rrÈr r r!Z__unregister_forward%sz!FirewallZone.__unregister_forwardcCs| |¡jSr)rCr}rÖr r r!rž(szFirewallZone.query_forward)N)N)N)N)NNT)N)N)N)F)F)NNT)N)N)F)rN)rN)rN)rN)rN)rN)NNrN)NN)NN)rN)N)rNN)N)`Ú__name__Ú __module__Ú__qualname__rRr"r%r'r*r.r1r6r;r@rCr^rardrjrkrtrur|r‡rircr’rŽr½r¾r7r°rÅrÏrÑr±rÆrÕr2rr<r²rßrár³ràrâr3r€rÛrørþrÚrÙr‚r¦r§rr•r¨r©r r–r¶r·r rœrZr¢r¤rršr´rµrr›r¬rr˜r®r¯rr™rªr«rr—r¸rƒr¹rr rºr!r»r"ržr r r r!r-sØ* ÿ >ÿ + ÿ ÿ ( ÿ ,( ÿ ÿ ÿ ÿ r)#rVZfirewall.core.baserrrZfirewall.core.fw_transactionrZfirewall.core.io.policyrZfirewall.core.loggerrZfirewall.core.richrr r rrr rrrrrZfirewall.core.fw_nmrZfirewall.functionsrrrZfirewallrZfirewall.errorsrÚobjectrr r r r!Ús4