a is @s`ddlmZddlZddlZddlZddlmZddlmZm Z m Z m Z m Z ddl mZmZmZmZmZmZmZddlmZmZmZmZmZmZmZmZmZddlm Z ddl!m"Z"m#Z#dd l$m%Z%d Z&e&d d Z'e&d d Z(dZ)dZ*iddde*fidde*fdde*fdde*fddde*fdde*fdde*fdde*fddZ+Gddde,Z-dS))GLibN)log) check_mac getPortRange normalizeIP6check_single_address check_address) FirewallError UNKNOWN_ERROR INVALID_RULEINVALID_ICMPTYPE INVALID_TYPE INVALID_ENTRY INVALID_PORT) Rich_Accept Rich_Reject Rich_Drop Rich_MarkRich_MasqueradeRich_ForwardPortRich_IcmpBlockRich_Tcp_Mss_Clamp Rich_NFLog)DEFAULT_ZONE_TARGET) ICMP_TYPES ICMPV6_TYPES)NftablesZ firewalld_Z policy_dropZprobeZpolicy_ PREROUTING preroutingijiZ postroutingdoutput)r POSTROUTINGOUTPUTinputZforward)rINPUTFORWARDr$)rawmanglenatfilterc@sreZdZdZdZddZddZddZdd Zd d Z d d Z ddZ ddZ ddZ dddZddZddZddZddZdd Zdd!d"Zd#d$Zdd&d'Zd(d)Zd*d+Zdd-d.Zd/d0Zd1d2Zd3d4Zd5d6Zd7d8Zd9d:Zd;d<Z d=d>Z!d?d@Z"dAdBZ#dCdDZ$dEdFZ%dGdHZ&dIdJZ'dKdLZ(dMdNZ)ddOdPZ*dQdRZ+dSdTZ,dUdVZ-dWdXZ.ddYdZZ/dd[d\Z0dd]d^Z1dd_d`Z2dadbZ3ddcddZ4ddedfZ5ddgdhZ6ddidjZ7dkdlZ8ddmdnZ9dodpZ:ddqdrZ;dsdtZdydzZ?dd{d|Z@dd}d~ZAddZBdddZCddZDddZEddZFddZGddZHddZIddZJdddZKdS)nftablesTcCsZ||_d|_d|_g|_i|_i|_i|_i|_i|_t |_ |j d|j ddS)NTF) _fwZrestore_command_existssupports_table_ownerZavailable_tablesrule_to_handlerule_ref_countrich_rule_priority_countspolicy_priority_countszone_source_index_cacherr,set_echo_outputZset_handle_output)selffwr7:/usr/lib/python3.9/site-packages/firewall/core/nftables.py__init__\s znftables.__init__cCszddddiidddtdd gd iigi}|j|\}}}|rHtd ddddiid ddtd iigi}|jd|j|\}}}|jd|dddd}|dddtd ii|jd|vsd |vrtd t dd|_ Wnt dd|_ Yn0dS)Nr,metainfojson_schema_versionaddtableinetownerpersist)familynameflagsz!nftables probe table owner failedlistrBrCFTrDdeletez3nftables: probe_support(): owner flag is supported.z7nftables: probe_support(): owner flag is NOT supported.) TABLE_NAME_PROBEr,json_cmd ValueErrorr4set_ruler-get_log_deniedrdebug2r.)r5rulesrcr"rrDr7r7r8_probe_support_table_ownerksH       z#nftables._probe_support_table_ownercCs |dSN)rPr5r7r7r8 probe_supportsznftables.probe_supportcCsxdD]}||vrqqd||dvr^||ddd||dddf}||dd=n(d||dvrd}||dd=ndS||dd}|r|dkr||vr|||vr|||n|dkrt||vrg||<|r&|||vr|||||jd d d |||}n t||}||}||=|d krT||d <n |d8}||d<||ddd<dS)Nr=insertrG%%ZONE_SOURCE%%rulezoneaddress%%ZONE_INTERFACE%%rBrGcSs|dS)Nrr7xr7r7r8z3nftables._run_replace_zone_source..)keyrrUr<r=index)removeappendsortr`len)r5rWr3verbZ zone_sourcerBr` _verb_snippetr7r7r8_run_replace_zone_sourcesD      z!nftables._run_replace_zone_sourcecCsBd|vrdt|diSd|vr4dt|diSttddS)NrUrGr=zFailed to reverse rule)copydeepcopyr r )r5dictr7r7r8 reverse_rules znftables.reverse_rulec CsdD]}||vrqq|||dvr||d|}||d|=t|tkr\ttd||dd||ddf}|dkr||vs|||vs|||dkrttd|||d 8<n||vri||<|||vrd|||<d}t||D]J}||kr"|d kr"qP||||7}||kr|d krqPq|||d 7<||} ||=|dkr| |d <n |d 8}| |d <||d dd <dS) NrTrWz%priority must be followed by a numberrBchainrGrz*nonexistent or underflow of priority countr<rUr=r`)typeintr r r sortedkeys) r5rWZpriority_countstokenrepriorityrlr`prfr7r7r8_set_rule_replace_prioritysH          z#nftables._set_rule_replace_prioritycCsbdD]X}||vrd||vrt||d}dD]}||vr2||=q2tj|dd}|SqdS)NrTrW)r`handleZpositionT)Z sort_keys)rhrijsondumps)r5rWrerule_keyZnon_keyr7r7r8 _get_rule_keys znftables._get_rule_keycCsXgd}gd}g}g}t|j}t|j}t|j} |j} |D]} t| tkrjtt d| |D]} | | vrnqqn| | vrtt d| | | } | | vr4t d|j| | | | dkr| | d7<qJnV| | dkr| | d8<qJn6| | dkr| | d8<ntt d| | | fn| rL| dkrLd| | <|| t| }| rttd|| d d || d d <|||d |||d ||| | dkrdd |dd d |dd d|dd d|j| dii}||qJddddiig|i}t dkrDt d|jt||j|\}}}|dkrxtdd|t|f||_||_| |_| |_d}|D]} |d7}| | } | sqd| vr|j| =|j| =q|D]} | |d|vrqq| |d|vrqt|d|| d dkr2q|d|| d d|j| <qdS)N)r=rUrGflushreplace)r=rUr{z#rule must be a dictionary, rule: %szno valid verb found, rule: %sz%s: prev rule ref cnt %d, %srGr<z)rule ref count bug: rule_key '%s', cnt %drWexpr%%RICH_RULE_PRIORITY%%%%POLICY_PRIORITY%%rBr>rl)rBr>rlrur,r:r;z.%s: calling python-nftables with JSON blob: %srz'%s' failed: %s JSON blob: %szpython-nftablesru)rhrir1r2r3r0rmrjr r r ryrrM __class__rbrEr+rtrgr/ZgetDebugLogLevelZdebug3rvrwr,rIrJTABLE_NAME_POLICY)r5rN log_deniedZ _valid_verbsZ_valid_add_verbsZ_deduplicated_rulesZ_executed_rulesr1r2r3r0rWrerxZ_ruleZ json_blobrOr"errorr`r7r7r8 set_ruless             &         znftables.set_rulescCs||g|dS)N)r)r5rWrr7r7r8rKssznftables.set_ruleNcCs|r |gStSrQ)IPTABLES_TO_NFT_HOOKrpr5r>r7r7r8get_available_tableswsznftables.get_available_tablescCsBddd|dii}|tkr<|jjr<|jrr?rFr@rArD) TABLE_NAMEr-Z_nftables_table_ownerr.)r5r>rWr7r7r8_build_add_table_rules{sznftables._build_add_table_rulescCs||ddd|diigS)NrGr>r?rF)rrr7r7r8_build_delete_table_rulessz"nftables._build_delete_table_rulescCs(i|_i|_i|_i|_i|_|tSrQ)r/r0r1r2r3rrrRr7r7r8build_flush_ruless znftables.build_flush_rulesc CsPddd|}|ddtdd|fdd d d iid d ddgididdigdiiS)Nr=rGTFrWr?%s_%sr+matchctr_stateinset establishedrelatedleftoprightacceptrBr>rlr|)r)r5enablehookadd_delr7r7r8_build_set_policy_rules_ct_rules   z(nftables._build_set_policy_rules_ct_rulec CsNg}|dkrZ||tdD]6}|dddtdd|fd|d td d d iiq n|d kr&||tdD]}||}|}d|}|dddt|d|dtd d d ii||d||dkrddi}n |d krd di}nddddi}|dddt||gdiiqxn$|dkr@||t7}n tt d|S)NZPANIC)r r"r=rlr?rr(r+ir<drop)rBr>rCrmrpriopolicyDROP)r&r'r$Zfilter_rTACCEPTrrejecticmpxadmin-prohibitedrmr|rWrznot implemented) extendrrrbNFT_HOOK_OFFSETlowerrrr r )r5rZpolicy_detailsrNrZd_policyZ chain_nameZ expr_fragmentr7r7r8build_set_policy_ruless`             znftables.build_set_policy_rulescCsJt}|dus|dkr$|t|dus4|dkrB|tt|S)Nipv4ipv6)rupdaterrprrE)r5ipvZ supportedr7r7r8supported_icmp_typess znftables.supported_icmp_typescCs |tSrQ)rrrRr7r7r8build_default_tablessznftables.build_default_tablesoffcCs"g}tdD]}|dddtd|ddtd|dtd|d d iid D]&}|dddtd ||fd iiqXdD]6}|dddtd|ddd ||fiigdiiqqtdD]}|dddtd|ddtd|dtd|d d ii|dvr|dD]Z}|dddtd||fd ii|dddtd|ddd||fiigdiiqqd D](}|dddtd||fd iiqdD]8}|dddtd|ddd||fiigdiiqqtdD]F}|dddtd|ddtd|dtd|d d iiq|dddtddddddiiddd d!gid"id#digdii|dddtdddddd$iidd%d"id#digdii|dddtdddd&dd'iid(d)d"id#digdii|d*krR|dddtddddddiiddd+gid"i||d,d-d.iigdii|dddtddddddiiddd+gid"id/digdiid D](}|dddtd0d|fd iiqdD]8}|dddtddddd0d|fiigdiiq|d*kr<|dddtdd||d,d-d1iigdii|dddtddd2d3d4d5igdii|dddtdd6ddddiiddd d!gid"id#digdii|dddtdd6dddd$iidd%d"id#digdii|dddtdd6dd&dd'iid(d)d"id#digdii|d*kr||dddtdd6ddddiiddd+gid"i||d,d-d.iigdii|dddtdd6ddddiiddd+gid"id/digdiid7D](}|dddtd0d6|fd iiqdD]Z}|dddtd0d6|fd ii|dddtdd6ddd0d6|fiigdiiqd8D](}|dddtd0d6|fd iiqP|d*kr|dddtdd6||d,d-d1iigdii|dddtdd6d2d3d4d5igdii|dddtdd9ddddiiddd d!gid"id#digdii|dddtd:dd&dd;iid(d)d"id#digdiid7D]Z}|dddtd0d9|fd ii|dddtdd9ddd0d9|fiigdiiqbd8D]Z}|dddtd0d9|fd ii|dddtdd9ddd0d9|fiigdiiq|S)rCrmrr) POLICIES_preZONES POLICIES_postz mangle_%s_%srBr>rC)rrWjumptargetrr*znat_%s)r$)rr nat_%s_%sz filter_%sr&rrr_rrrrrrrstatusdnatmetaiifname==lorZinvalidrprefixzSTATE_INVALID_DROP: r filter_%s_%szFINAL_REJECT: rrrrr')r)rr$ filter_OUTPUToifname)rrprbr_pkttype_match_fragment)r5rZ default_rulesrlZdispatch_suffixr7r7r8build_default_ruless                                                                                      znftables.build_default_rulescCs2|dkrddgS|dkrdgS|dkr.ddgSgS)Nr+r&r'r)rr*r#r7rr7r7r8get_zone_table_chainssznftables.get_zone_table_chainsc  sJjj|jdkrdnddkr4dkr4dnd} jj|t| g} g} g} g} |D]V}|t|dd kr| d d d d iid|dt|dddiq`| |q`|D]X}|t|dd kr | d d d diid|dt|dddiq| |q| r>| d d d d iidd| idi| rf| d d d diidd| idi|r|D]}| d|qp|r|D]}| d|qfdd}g}| r| D]:}| r| D]}||||qn|||dqn4| r6| D]}||d|qn||dd|S)Nrprepostr*r#TFr<+rrr_rr*rrrsaddrdaddrcs|rT|rTd|ddvrTd|ddvrT|dddd|ddddkrTdSg}|rf|||rt|||dddfiidtd f|d }|rd d |iiSd d |iiSdS)Npayloadrrprotocolrrrr?z%s_%s_POLICIES_%srr=rWrG)rbrr_policy_priority_fragment)ingress_fragmentegress_fragmentexpr_fragmentsrW_policyrl chain_suffixrp_objr5r>r7r8_generate_policy_dispatch_rules0    zRnftables.build_policy_ingress_egress_rules.._generate_policy_dispatch_rule) r-r get_policyrrpolicy_base_chain_namePOLICY_CHAIN_PREFIXrdrb_rule_addr_fragment)r5rrr>rlZingress_interfacesZegress_interfacesZingress_sourcesZegress_sourcesisSNATZingress_fragmentsZegress_fragmentsZ$ingress_interfaces_without_wildcardsZ#egress_interfaces_without_wildcardsZingress_interfaceZegress_interfacesrcdstrrNrrr7rr8!build_policy_ingress_egress_rulessf      z*nftables.build_policy_ingress_egress_rulesFcCsN|dkr|dkrdnd}|jjj||t|d} dddddd|} |t|d d krn|dt|d d }d } |d kr| d d|| fiig} n,ddd| iid|di| d d|| fiig} |r|sd} dtd||f| d}||nP|rd} dtd||f| d}n.d} dtd||f| d}|s@||| d|iigS)Nr*r#TFrrrrr#r&r'r$r<rrgotorrrrr_rrrUr? %s_%s_ZONESrr=rGrW)r-rrrrdrr_zone_interface_fragment)r5rrXr interfacer>rlrbrroptactionrrerWr7r7r8!build_zone_source_interface_rules5sZ    z*nftables.build_zone_source_interface_rulesc Cs|dkr|dkrdnd}|jjj||t|d}ddd|} d d d d d d |} d } d td||f|| || dd||fiigd} | |||| d| iigS)Nr*r#TFrrUrGrrrrrr?rrrrrW)r-rrrrrr_zone_source_fragment) r5rrXrrYr>rlrrrrrrWr7r7r8build_zone_source_address_rulesgs*  z(nftables.build_zone_source_address_rulescCspddd|}|dkr"|dkr"dnd}|jjj||t|d}|jj|}g} | |d d td ||fd iid D](} | |d d td||| fd iiqt|jr| ddd td ||fddd||dfiigdiid D]<} | |dd td ||fddd||| fiigdiiq|jr^| ddd td ||fddd||dfiigdii|jjj|j } |j dkr|dkr| t dddfvr| } | t dfvrd} | |dd td ||f| |j ddd|| fiigdii|dkr^| t ddddfvr^| t ddfvr,| } n | di} | |dd td ||f| gdii|sl| | S)Nr=rGrr*r#TFrrlr?rr)rrdenyallowr%s_%s_%srWrrrrrrr+ZREJECTz %%REJECT%%rrrzfilter_%s_%s: r)r-rrrrrbrZderived_from_zoneZ _policiesrrLrr_reject_fragmentrreverse)r5rrr>rlrrrrrNrrZ log_suffixtarget_fragmentr7r7r8build_policy_chain_rulessx                      z!nftables.build_policy_chain_rulescCs<|dkr iS|dvr,ddddiid|diSttd |dS) Nall)unicast broadcastZ multicastrrr_pkttyperrzInvalid pkttype "%s"r r )r5rr7r7r8rs z nftables._pkttype_match_fragmentcCsddddiddddiddddiddddiddddiddddiddddiddddiddddiddddiddd diddd diddd diddd didd d diddd diddd diddd diddd diddddiddddidddiidddiid}||S)Nricmpzhost-prohibitedrznet-prohibitedricmpv6znet-unreachablezhost-unreachablezport-unreachablerzprot-unreachablezaddr-unreachableno-routermz tcp reset)zicmp-host-prohibitedz host-prohibzicmp-net-prohibitedz net-prohibzicmp-admin-prohibitedz admin-prohibzicmp6-adm-prohibitedzadm-prohibitedzicmp-net-unreachablez net-unreachzicmp-host-unreachablez host-unreachzicmp-port-unreachablezicmp6-port-unreachablez port-unreachzicmp-proto-unreachablez proto-unreachzicmp6-addr-unreachable addr-unreachzicmp6-no-routerz tcp-resetztcp-rstr7)r5Z reject_typeZfragsr7r7r8_reject_types_fragments2                       znftables._reject_types_fragmentcCsddddiS)Nrrrrr7rRr7r7r8rsznftables._reject_fragmentcCs ddddiiddddgid iS) Nrrr_l4protorrrrrr7rRr7r7r8_icmp_match_fragments  znftables._icmp_match_fragmentcCsn|siSddddd}z|jd}WntyBttdYn0dt|jd |||j|d d iS) NsecondZminuteZhourZday)smhd/zExpected '/' in limitlimitrr<)ZrateZper)valuer`rJr r rn)r5rZ rich_to_nftir7r7r8_rich_rule_limit_fragments z"nftables._rich_rule_limit_fragmentcCst|jttttfvrn<|jrJt|jttt t fvrTt t dt|jn t t d|j dkrt|jtttfvst|jtt fvrdSt|jtfvst|jtt fvrdSn|j dkrdSdSdS)NUnknown action %szNo rule action specified.rrrrr)rmelementrrrrrrrrrr r rrr5 rich_ruler7r7r8_rich_rule_chain_suffixs$   z nftables._rich_rule_chain_suffixcCs:|js|jsttd|jdkr$dS|jdkr2dSdSdS)NzNot log or auditrrrr)rauditr r rrr r7r7r8 _rich_rule_chain_suffix_from_logs    z)nftables._rich_rule_chain_suffix_from_logcCsddiS)NrZr7rRr7r7r8r(sz!nftables._zone_interface_fragmentcCsNtd|rt|}n,td|r@|d}t|dd|d}d||diS)Nrrrr<rV)rXrY)rrrsplit)r5rXrYZ addr_splitr7r7r8r+s     znftables._zone_source_fragmentcCs d|jiS)Nr~rr)r5rr7r7r8r3sz"nftables._policy_priority_fragmentcCs|r|jdkriSd|jiS)Nrr}rr r7r7r8_rich_rule_priority_fragment6sz%nftables._rich_rule_priority_fragmentc Cs |js iS|jj||t}ddd|}||}i} t|jtkr||jjrZt |jjnd| d<|jj rt |jj | d<n,|jj rd|jj krdn|jj } d | | d <|jj rd |jj | d <d t d |||f|||jjd| igd} | |||d| iiS)Nr=rGrrgroupzqueue-thresholdZwarningwarnrlevelrr?rrrrW)rr-rrrrrmrrrnZ thresholdrrrr rrr) r5rr rr>rrrrZ log_optionsrrWr7r7r8_rich_rule_log;s4    znftables._rich_rule_logc Cs|js iS|jj||t}ddd|}||}dtd|||f|||jjdddiigd } | | ||d | iiS) Nr=rGrr?rrrrrrW) rr-rrrrrr rrr) r5rr rr>rrrrrWr7r7r8_rich_rule_audit[s     znftables._rich_rule_auditc Cs|js iS|jj||t}ddd|}||}d|||f} t|jtkr\ddi} nt|jtkr|jjr| |jj} nddi} nt|jt krddi} nt|jt krHd}|jj||t}d|||f} |jj d } t| d kr,dd d d iiddd d d ii| d gi| dgidi} ndd d d ii| ddi} nttdt|jdt| |||jj| gd} | |||d| iiS)Nr=rGrrrrrr)rr<rr_mark^&rr_rr r?rrW)rr-rrrrrmrrrrrrrrdr r rr rrr) r5rr rr>rrrrrlZ rule_actionrrWr7r7r8_rich_rule_actionmsL     "    znftables._rich_rule_actioncCs|dr0||tddd|kr(dnd|St|r>d}ntd|rNd}nvtd|rd}tj|dd}d |jj |j d i}nDtd |rd }t |}n,d }| d }d t |dt |dd i}dd||di|rdnd|diSdS)Nipset:rTFetherrip)strictraddrrdrip6rrr<rrrfield!=rr) startswith_set_match_fragmentrdrrr ipaddress IPv4Networknetwork_address compressed prefixlenrrrn)r5Z addr_fieldrYinvertrBZnormalized_addressZaddr_lenr7r7r8rs, &      znftables._rule_addr_fragmentcCs6|siS|dvrttd|ddddiid|diS) NrrzInvalid familyrrr_nfprotorrr)r5Z rich_familyr7r7r8_rich_rule_family_fragments z#nftables._rich_rule_family_fragmentcCs8|siS|jr|j}n|jr&d|j}|jd||jdS)Nrrr/)r#ipsetrr/)r5Z rich_destrYr7r7r8_rich_rule_destination_fragments z(nftables._rich_rule_destination_fragmentcCsZ|siS|jr|j}n2t|dr.|jr.|j}nt|drH|jrHd|j}|jd||jdS)Nmacr4rrr3)r#hasattrr6r4rr/)r5Z rich_sourcerYr7r7r8_rich_rule_source_fragments z#nftables._rich_rule_source_fragmentcCsPt|}t|tr$|dkr$ttn(t|dkr8|dSd|d|dgiSdS)Nrr<range)r isinstancernr rrd)r5portr9r7r7r8_port_fragments   znftables._port_fragmentc Cs&ddd|}d}|jj||t} g} |r>| ||j|rT| |d||r|| ||j | | |j | dd|dd id | |d ig} |r| | ||||| | |||||| | |||||| n.| |d d td|| f| ddigdii| S)Nr=rGrr+rrrdportr%rrrWr? %s_%s_allowrrr-rrrrbr2rBrr5 destinationr8sourcer<rrrr r5rrprotor;r@r rr>rrrNr7r7r8build_policy_ports_ruless8     z!nftables.build_policy_ports_rulesc Csddd|}d}|jj||t}g} |r>| ||j|rT| |d||r|| ||j | | |j | dddd iid |d ig} |r| | ||||| | | ||||| | |||||| n.| |d d td||f| ddigdii| S)Nr=rGrr+rrrr_rrrrWr?r>rr)r-rrrrbr2rBrr5r@r8rArrrr) r5rrrr@r rr>rrrNr7r7r8build_policy_protocol_ruless4    z$nftables.build_policy_protocol_rulesc Csd}d}|jj||t}ddd|} g} |r^| ||j| ||j| |}| dddd d d id d i|dks|dur| dddddidddiidin| dddddi|di| ddt d||f| diigS)Nrr+r=rGrrrrtcprDr%Zsyn)rrrZpmtur)z tcp optionZmaxsegsize)rCr&Zrtr_ZmturrWr?rr) r-rrrrbr5r@r8rArr) r5rrZtcp_mss_clamp_valuer@r rr>rrrr7r7r8 build_policy_tcp_mss_clamp_ruless2      z)nftables.build_policy_tcp_mss_clamp_rulesc Cs&ddd|}d}|jj||t} g} |r>| ||j|rT| |d||r|| ||j | | |j | dd|dd id | |d ig} |r| | ||||| | |||||| | |||||| n.| |d d td|| f| ddigdii| S)Nr=rGrr+rrrsportr%rrrWr?r>rrr?rBr7r7r8build_policy_source_ports_rules8s8     z(nftables.build_policy_source_ports_rulesc Csd}|jj||t} ddd|} g} |rR| dddtd||f||diig} |rl| |d || d d |d d id||di| dd||fi| | ddtd| | dii| S)Nr+r=rGrz ct helperr?z helper-%s-%s)rBr>rCrmrrrrr=r%rrrWfilter_%s_allowr)r-rrrrbrrr<) r5rrrCr;r@Z helper_nameZmodule_short_namer>rrrNrr7r7r8build_policy_helper_ports_rulesYs6       z(nftables.build_policy_helper_ports_rulesc Csddd|}|jj||t}g} |rv|t|ddkrT|dt|dd}ddd d iid |d id dig} n|d|d dig} dtd|| d} | |d| ii| S)Nr=rGrr<rrrrr_rrrrrr?rKrrW)r-rrrrdrrrb) r5rrXrr>rrArrrNr|rWr7r7r8build_zone_forward_rulesvs( z!nftables.build_zone_forward_rulesc Csddd|}g}g}|r\|||j|||j|||j||}n"|ddddiidd d id }d }|jj j ||t d d} dt d| |f|ddddiiddd iddigd} | ||||d| ii|S)Nr=rGrrrr_r1rrrrr*Trr?rrr'rZ masqueraderrW)rbr2rBr5r@r8rArr-rrrrrr) r5rrr rrNrrr>rrWr7r7r8build_policy_masquerade_ruless<    z&nftables.build_policy_masquerade_rulescCspd}|jj||t} ddd|} g} |rn| ||j| ||j| | |j | |} n8d} |rt d|rd} | ddd d iid | d id } | dd|ddid | |d i|r$t d|rt|}|r|dkr| d|| |din| dd|iin| dd| |iidtd| | f| d}|||| d|iigS)Nr*r=rGrrrrrr_r1rrrrr=r%rr)r#r;r#Zredirectr;r?rrrW)r-rrrrbr2rBr5r@r8rArrr<rrrr)r5rrr;rZtoportZtoaddrr r>rrrrr1rWr7r7r8build_policy_forward_port_rulessJ      z(nftables.build_policy_forward_port_rulescCsHdd|ddid|dig}|durD|dd|ddid|di|S)Nrrrmr%rrcode)rb)r5rrmrP fragmentsr7r7r8_icmp_types_fragmentss  znftables._icmp_types_fragmentscCs|dkr4|tvr4t|\}}}|d||r.dn|S|dkrh|tvrht|\}}}|d||rbdn|Sttd||j|fdS)Nrrrrz)ICMP type '%s' not supported by %s for %s)rrRrr r rC)r5rZ icmp_typeZ_type_codeZ _omit_coder7r7r8_icmp_types_to_nft_fragmentssz%nftables._icmp_types_to_nft_fragmentscCs:d}|jj||t}ddd|}|r6|jr6|j}n<|jrjg}d|jvrT|dd|jvrr|dnddg}g} |D]} |jj|rd||f} ddi} nd ||f} |} g} |r| | |j | | |j| | |j | || |j|r| |||||| | |||||| |jrb| |||||| nN||}d td |||f| |gd }|||| |d |iiqz|jdkr|jj|s| |d d t| | ||jddd||fiigd ii| |d d t| | | gd iiqz| S)Nr+r=rGrrrr>rz %s_%s_denyr?rrrWrrr%s_%s_ICMP_BLOCK: )r-rrripvsr@rbquery_icmp_block_inversionrr2rBr5r8rArrTrCrrrrrrrrrLr)r5rrZictr r>rrrVrNrZ final_chainrrrrWr7r7r8build_policy_icmp_block_rulessl                z&nftables.build_policy_icmp_block_rulescCsd}|jj||t}g}ddd|}|jj|r@|}nddi}||ddtd||fd ||gd ii|j d kr|jj|r||ddtd||fd || |j d d d||fiigd ii|S)Nr+r=rGrrrWr?rrBr>rlr`r|rrrrU) r-rrrrWrrbrrrLr)r5rrr>rrNrrr7r7r8'build_policy_icmp_block_inversion_rules/s4       z0nftables.build_policy_icmp_block_inversion_rulesc Cs$g}d}|jjdkrddg}n<|jjdkr8ddg}d}n"|jjdkrRgd}d}ngd}d d d d iid ddid d|ddid ddig}|dkr|dddii|ddi|dddt||dii|jjdvr |dddt|d ddd d!id d"d#d$gidid%digdii|S)&NZfilter_PREROUTINGZlooserr loose-forwardfilter_FORWARDstrict-forward)rrZiifrrr_r1rrrZfibZoif)rDresultFrrrzrpfilter_DROP: rrUrWr?rr\r^rrrmr%rznd-router-advertznd-neighbor-solicitr)r-_ipv6_rpfilterrbr)r5rrNZrpfilter_chainZ fib_flagsrr7r7r8build_rpfilter_rulesNsX          znftables.build_rpfilter_rulesc Csgd}dd|D}dddddid d |id ig}|jjd vrT|d ddii||dg}|dddtdd|diid}|jdkr|d7}|jjdvr|d7}|dddtd||dii|S)N) z ::0.0.0.0/96z::ffff:0.0.0.0/96z2002:0000::/24z2002:0a00::/24z2002:7f00::/24z2002:ac10::/28z2002:c0a8::/32z2002:a9fe::/32z2002:e000::/19cSs2g|]*}d|ddt|dddiqS)rrrr<r")rrn).0r\r7r7r8 r^z5nftables.build_rfc3964_ipv4_rules..rrr$rr%rrr)rrrrzRFC3964_IPv4_REJECT: rr=rWr?rr<rZrrr`r])r-Z _log_deniedrbrrrLra)r5Z daddr_setrrNZ forward_indexr7r7r8build_rfc3964_ipv4_rulesys<        z!nftables.build_rfc3964_ipv4_rulesc Csd}g}|||j|||j|||jg}|||||||||||||||| ||||||S)Nr+) rbr2rBr5r@r8rArrr)r5rrr r>rrNr7r7r8*build_policy_rich_source_destination_rulessz3nftables.build_policy_rich_source_destination_rulescCs|dvr dSdS)N)rrZebTFr7)r5rr7r7r8is_ipv_supportedsznftables.is_ipv_supportedc Csddd}||||ddg||dd||g||dd||g||dg||||||g||ddg||dd||g||dgdd }||vr||Sttd |dS) NZ ipv4_addrZ ipv6_addrr0Z inet_protoZ inet_servicerZifnameZ ether_addr) zhash:ipz hash:ip,portzhash:ip,port,ipzhash:ip,port,netz hash:ip,markzhash:netz hash:net,netz hash:net,portzhash:net,port,netzhash:net,ifacehash:macz!ipset type name '%s' is not valid)r r )r5rrmZipv_addrtypesr7r7r8_set_type_lists(    znftables._set_type_listcCs|rd|vr|ddkrd}nd}dt||||d}|ddd D]}|d vrLd g|d <qhqL|rd |vrt|d |d <d|vrt|d|d<dd|iigS)NrBinet6rrr?)rBr>rCrm:r<,)r netr;intervalrDtimeoutZmaxelemrGr=r)rrjrrn)r5rCrmoptionsrZset_dicttr7r7r8build_set_create_ruless$  znftables.build_set_create_rulescCs$||||}|||jdSrQ)rsrr-rL)r5rCrmrqrNr7r7r8 set_createsznftables.set_createcCs*dddt|dii}|||jdS)NrGrr?r)rrKr-rL)r5rCrWr7r7r8 set_destroys  znftables.set_destroycCs|jj|jddd}g}|D]}|dkrd|dddii|dd |rVd nd d iq(|d vr|d|||rdndd iq(|dkr|dd|rdndiiq(|dkr|dddiiq(ttd|q(dt |dkrd|in|d|rdndd|diS)Nrlr<rmr;rr_rrthr=rIr%)r rnr6rrZifacerrrz-Unsupported ipset type for match fragment: %srconcatrr'r@r) r-r4 get_ipsetrmrrb_set_get_familyr r rd)r5rCZ match_destr/ type_formatrQformatr7r7r8r)s*    znftables._set_match_fragmentc Cs8|jj|}|jddd}|d}t|t|krHttdg}t|D]\}}|dkrz|| d} Wn$t y| d||} Yn,0| ||d| ||| dd} z| d} Wnt y| | Yn(0| d| d| | | ddgiqT|d vr d||vrP| d||dinz|| d } WnJt y||} d |j vr|j d d krt | } | | Yn^0||d| } d |j vr|j d d krt | } | d | t||| dddiqT| ||qTt|dkr4d|igS|S)Nrlr<rmz+Number of values does not match ipset type.r;rF-r9)r rnrrBrkrr"rw)r-r4ryrmrrdr r enumerater`rJrbrqrrn) r5rCentryobjr{Z entry_tokensfragmentrr|r`Zport_strr#r7r7r8_set_entry_fragment sP     (  znftables._set_entry_fragmentc Cs0g}|||}|dddt||dii|S)Nr=r r?rBr>rCelem)rrbr)r5rCrrNr r7r7r8build_set_add_rules=s   znftables.build_set_add_rulescCs"|||}|||jdSrQ)rrr-rL)r5rCrrNr7r7r8set_addFs znftables.set_addcCs8|||}dddt||dii}|||jdS)NrGr r?r)rrrKr-rL)r5rCrr rWr7r7r8 set_deleteJs  znftables.set_deletecCsdddt|diigS)Nrzrr?r)r)r5rCr7r7r8build_set_flush_rulesRsznftables.build_set_flush_rulescCs ||}|||jdSrQ)rrr-rL)r5rCrNr7r7r8 set_flushWs znftables.set_flushcCsJ|jj|}|jdkrd}n(|jrBd|jvrB|jddkrBd}nd}|S)NrhrrBrkr$r )r-r4ryrmrq)r5rCr4rBr7r7r8rz[s  znftables._set_get_familyc sg}|||||||jfddd}g}|D]B}||||d7}|dkrRtfdd|g}d}qRtfdd|dS) Nc sTz|jWn8tyN}z tdt|WYd}~n d}~00dS)Nz;While restoring ipset entries the following Error occurred:)rr-rL Exceptionrr)rNerRr7r8_idle_set_add_entriesos  z3nftables.set_restore.._idle_set_add_entriesrr<ics|SrQr7r[rr7r8r]r^z&nftables.set_restore..cs|SrQr7r[rr7r8r]r^) rrsrrr-rLrrZidle_add) r5Zset_name type_nameentriesZcreate_optionsZ entry_optionsrNchunkrr7)rr5r8 set_restorehs znftables.set_restore)N)N)r)F)F)NN)NN)NN)NN)NN)N)N)N)N)F)N)N)F)NN)L__name__ __module__ __qualname__rCZpolicies_supportedr9rPrSrgrkrtryrrKrrrrrrrrrrrrrrrrrrr rrrrrrrrrrr2r5r8r<rDrErHrJrLrMrNrOrRrTrXr[rbrerfrgrjrsrtrur)rrrrrrrzrr7r7r7r8r,Xs0,.e     C  V c 2B    +      !  ! +  < +(   4 r,).Z gi.repositoryrrhrvr*Zfirewall.core.loggerrZfirewall.functionsrrrrrZfirewall.errorsr r r r r rrZfirewall.core.richrrrrrrrrrZfirewall.core.baserZfirewall.core.icmprrZnftables.nftablesrrrrHrrrobjectr,r7r7r7r8s:  $,