o Faj@sdZddlZddlZddlZddlZddlZddlZddlmZm Z ddl m Z m Z m Z mZmZmZddlZGdddejjZdS)z-backend_iptables.py: iptables backend for ufwN)UFWErrorUFWRule)warndebugmsgcmdcmd_pipe _findpathc@seZdZdZd+ddZddZddZd d Zd,d d ZddZ ddZ ddZ ddZ ddZ ddZddZd-ddZd.dd Zd!d"Zd-d#d$Zd%d&Zd'd(Zd)d*ZdS)/UFWBackendIptableszInstance class for UFWBackendNc Csdtjjd|_||_||_i}ttjj|}tj |d|d<tj |d|d<tj |d|d<tj |d |d <tj |d |d <tj |d |d<tj ttjj |d|d<tj j j|d||||dggggd|_dD]C}d}|dkr|r||7}n|dkrqsdD]}dD]} d||| f} |j|| qq|jd|d|jd|dqsgd|_d|_dS) z!UFWBackendIptables initializationz# z _comment #zufw/user.rulesruleszufw/before.rules before_ruleszufw/after.rules after_ruleszufw/user6.rulesrules6zufw/before6.rules before6_ruleszufw/after6.rules after6_ruleszufw-initinitiptables)rootdirdatadir)beforeuseraftermisc)46ufwr)rrrinputoutputforwardz%s-%s-logging-%srz -logging-denyz-logging-allow)-mlimit--limitz3/minute-jLOG --log-prefixz[UFW LIMIT BLOCK]N)rcommon programName comment_strrrr config_dirospathjoin state_dirbackend UFWBackend__init__chainsuse_ipv6appendufw_user_limit_logufw_user_limit_log_text) selfdryrunrrfilesr)ver chain_prefixloctargetchainr>6/usr/lib/python3/dist-packages/ufw/backend_iptables.pyr0 sD   zUFWBackendIptables.__init__cCsbtd}|jddkr|d7}|S|jddkr|d7}|S|jddkr+|d7}|S|d 7}|S) zGet current policyz New profiles:default_application_policyacceptz allowdropz denyrejectz rejectz skip)_defaults)r6rstrr>r>r?get_default_application_policyPsz1UFWBackendIptables.get_default_application_policyc Cs |js|dkr|dkr|dkrtd|}t||dkr/|dkr/|dkr/td|}t|d }|dkr8d }n|dkr>d }d }d }|dkrbz||jd d|dWnty\wd}d}n;|dkrz||jd d|dWnty|wd}d}nz||jd d|dWntywd}d}td |}|jd|jdfD]F}ztj |} Wntyw| d} | dD]} | | rtj | | || qtj | | qztj | Wqtywtd||d} | td7} | S)zSets default policy of firewallallowdenyrCzUnsupported policy '%s'incomingoutgoingroutedz%Unsupported policy for direction '%s'INPUTOUTPUTFORWARDrEzDEFAULT_%s_POLICYz"ACCEPT"z UFW BLOCKz UFW ALLOWz"REJECT"z"DROP"r rtmporigz5Default %(direction)s policy changed to '%(policy)s' ) directionpolicyz*(be sure to update your rules accordingly))r7rDr set_defaultr8 Exceptionrecompilerutil open_filessearch write_to_filesub close_files) r6rTrSerr_msgr= old_log_str new_log_strpatffnsfdlinerFr>r>r?set_default_policy^s            z%UFWBackendIptables.set_default_policyc Cs|jrdtd}|dtd7}|S|gd}g}g}|dkr1|dgd}gd}n|d kr{d D]}|d ||d |q7d D]}|d ||d |qJdD]}|d||d|q]dD] }|d|qpn|dkrdD]}|d||d|qn|dkrdD]}|d||d|q|jddr|d|d|jddr|d|dn`|d krdD]}|d!||d"|qnH|d#kr-dD],}|d$||d%||d&||d'||d(||d)|q|d*|d+|d,|d-d.|}|D]H}d/|vrW|d/\} }|d0| 7}t|jg||d| g\} } n t|jg||g\} } || 7}|dkrq|d17}| d2krzt|q3|dks| r|d37}|D]H}d/|vr|d/\} }|d0| 7}t|jg||d| g\} } n t|j g||g\} } || 7}|dkr|d17}| d2krt|q|S)4z'Show current running status of firewall> zChecking raw iptables zChecking raw ip6tables )-nz-vz-x-Lrawz-t)filternatmanglerk)rlrnrkbuiltins)rMrOrNz filter:%s) PREROUTINGrMrOrN POSTROUTINGz mangle:%s)rprNzraw:%s)rprqrNznat:%sr)rrrz ufw-before-%szufw6-before-%sr ufw-user-%s ufw6-user-%sr!rzufw-user-limit-acceptufw-user-limitrzufw6-user-limit-acceptufw6-user-limitrz ufw-after-%sz ufw6-after-%sloggingzufw-before-logging-%szufw6-before-logging-%szufw-user-logging-%szufw6-user-logging-%szufw-after-logging-%szufw6-after-logging-%szufw-logging-allowzufw-logging-denyzufw6-logging-allowzufw6-logging-denyz IPV4 (%s): :z(%s)  rz IPV6: ) r7rDinitcapsr3capssplitrrrr2 ip6tables) r6 rules_typeoutargsitemsitems6cbitrcrQr>r>r?get_running_raws                      z"UFWBackendIptables.get_running_rawFc$Csd}|jrdtd}|r|dtd7}|Std}dD]@}t|jdd|d g\}}|d kr8td S|d krDt|d ||r_t|jdd|d g\}}|d kr_t|dqd}d} d} |j|j} d } i} | D]}d}i}d}d}|s|j dks|j dkrd}| }|| vrt d|qrd| |<dD]}d||<d}d}|dkr|j }|s|j dkr|j }|jr|dkr|d7}n |j}n|j}|s|j dkr|j }|jr|dkr|d7}n|j}|dkr|dkr|||<|dkr||dkr|||<n ||d|7<|r#|jdkr#||d|j7<|r|dkrU|j dkrU||d|j 7<|jrM|dkrM||d7<||d7<|dkr|j dkr||d|j 7<|jr||dkr|||d7<||d7<|dkr|dks|dkrd||<|r|jdkr|j |jkr|j|jkr||d|j7<|dkr||d7<n;|r|jdkr|j|jkr||d|j7<n|jr|jdkr|j dkrd||vr||d7<|jr3|dkr|jdkr||d|j7<|dkr2|jdkr2||d|j7<q|dkrI|jdkrI||d|j7<|dkr_|jdkr_||d|j7<qg}d}|jsp|jd kr|jr|||j|r|jd kr||jt|d krd!d"|}|r|d#| 7}|j}|jrd$}|jd%kr|js|s|sd}d}|jdkrd&|}|d'|dd|j|g|d||f7}|r||7}n|jr| |7} n|jd kr| |7} n||7}| d 7} qr|dks| dks| dkrd(}|r!|d)7}td*}td+}td,}d-}||||f}|r=|d)7}||d.t|d.t|d.t|f7}||7}|dkr_||7}|dkro| dkro|td/7}| dkrx|| 7}|dkr| dkr|td/7}| dkr|| 7}|}|r| \} }!td0|!|!d1|!d2dd3}"|"}#td4|!|"|#|d5Std6|S)7zShow ufw managed rulesrPrhzChecking iptables zChecking ip6tables problem runningrrjrrrizStatus: inactiverz iptables: %s rs ip6tablesTFzSkipping found tuple '%s')dstsrcrz::/0 (v6)z 0.0.0.0/0any /z (%s)rAnywherez on %sr~z (%s)z, z[%2d] FWDinz # %sz%-26s %-12s%-26s%s%s z z ToFromActionz%-26s %-12s%s -rxzCDefault: %(in)s (incoming), %(out)s (outgoing), %(routed)s (routed)rr)rr~rLz0Status: active %(log)s %(pol)s %(app)s%(status)s)logpolappstatuszStatus: active%s)#r7rDr2rrrr|r rdappsapp get_app_tuplerrv6dportrsportprotocolr interface_in interface_outlogtyperSlowerr3lenr,uppercomment get_commentaction get_loglevel_get_default_policyrG)$r6verbose show_countr~r_rSrout6sstr_outstr_rter count app_rulesrtmp_strlocationtupl show_protor;portrQattribs attrib_strdir_strr(full_strstr_tostr_from str_actionrules_header_fmt rules_headerlevel logging_str policy_strapp_policy_strr>r>r? get_statussz                                     zUFWBackendIptables.get_statuscCs|jr tdtddSg}||jd|jdur7|jdur7|d||j|d||j|dt|\}}|dkrPtd |}t|dS) zStop the firewallrhrunning ufw-initrN --rootdir --datadirz force-stoprproblem running ufw-init %s) r7rrDr3r8rrrrr6rrr~r_r>r>r? stop_firewalls       z UFWBackendIptables.stop_firewallcCs(|jr tdtddSg}||jd|jdur7|jdur7|d||j|d||j|dt|\}}|dkrPtd |}t|d |j vsa|j d t |j vryz| d WdStyxtd }t|wz ||j d WdStytd }t|w)zStart the firewallrhrrNrrstartrrloglevellowzCould not set LOGLEVELzCould not load logging rules)r7rrDr3r8rrrrrElist loglevelskeys set_loglevelrVupdate_loggingrr>r>r?start_firewalls8          z!UFWBackendIptables.start_firewallcCs|jrdS|d}|j}|rd}|j}dD]7}|dks!|dkr5|r+|jdds+q|s5|jdds5qt|d d |d |g\}}|d krNtd dSqdS)zCheck if all chains existFrufw6)rrrr! limit-acceptr!rrrrirjz-user-rz_need_reload: forcing reloadT)r7ryrr|rzrr)r6rprefixexer=rr~r>r>r? _need_reloads(zUFWBackendIptables._need_reloadcCstd}|jrtd|rtddSdS|rwz|jdD]}||d|g||d|gq!Wn ty@t|wt d|j dg|j d g\}}|d krZt|d |ryt d|j d g|j d g\}}|d kr{t|d dSdSdS)zReload firewall rules filerz> | iptables-restorez> | ip6tables-restorer-F-Zcatr rirz iptablesrrN) rDr7rr2 is_enabledr1 _chain_cmdrVrrr8iptables_restoreip6tables_restore)r6r_rrr~r>r>r?_reload_user_rules:s:    z%UFWBackendIptables._reload_user_rulesc Cs8g}td}td}td}||rK||rA||r.||d|d|n ||d|||d|n||d|n||td}td } td } d } t|D]v\} } || r|d | }|d krd}n |dkrd}nd}d| |f}| | sd|}|d| || <|| |d|d|| || | d|d||d| || | d|d||d|| qetd}t|D]4\} } || r|d| }|d|d| }|d|d| }||| <|| ||| |q|S) z5Return list of iptables rules appropriate for sendingz-p all zport z-j (REJECT(_log(-all)?)?)z-p tcp z-j \1 --reject-with tcp-resetz-p udp rPz(.*)-j ([A-Z]+)_log(-all)?(.*)z-j [A-Z]+_log-allz(-A|-D) ([a-zA-Z0-9\-]+)z'-m limit --limit 3/min --limit-burst 10\2rAALLOWr!LIMITBLOCKz"%s -j LOG --log-prefix "[UFW %s] "z-m conntrack --ctstate NEW z \1-j \2\4z\1-j z-user-logging-z\1 z \1-j RETURN\1z -j LIMITz+ -m conntrack --ctstate NEW -m recent --setzL -m conntrack --ctstate NEW -m recent --update --seconds 30 --hitcount 6 -j z -user-limitz -j z-user-limit-accept) rWrXr[r3r] enumeratestriprinsert)r6frulersuffixsnippets pat_protopat_port pat_rejectpat_log pat_logall pat_chain limit_argsrrrTlstr pat_limittmp1tmp2tmp3r>r>r?_get_rules_from_formattedVs                   z,UFWBackendIptables._get_rules_from_formattedc Csg}||||}td}t|D]8\}}||d|||rJ||d|||d|dd|||d|7<q|S)z_Return list of iptables rules appropriate for sending as arguments to cmd() z(.*) --log-prefix (".* ")(.*)rr%r"rPz\3) rrWrXrr3r]r{matchreplace) r6rrrr str_snippetsrbrrr>r>r?_get_lists_from_formatteds  z,UFWBackendIptables._get_lists_from_formattedc Cs|jdg}|r||jd|D]}ztj|}Wnty0td|}t|wt d}t d}t d}|D]z}|} d} d|vrX| d\} } | } | | r|d| } t d | } t| d ksxt| d krtd | }t|qBd }d}d}t| dkst| d krtd| }| d dd}d| dvrd| dvr|| dr|| dr| d dddd}| d dddd}n'| ddr| ddd}n| ddr| ddd}nt|qBz| d}d}d|vrd}| dd}t| dkr7t|| d| d| d| d| d||| }n;t|| d| d| d| d| d||| }t d}| d d krb|d!| d |_| dd krr|d!| d|_|dkr}|d ||dkr|d"|Wntytd#| }t|YqBw||jdkr|d|j|qB|d|j|qB|qd$S)%z$Read in rules that were added by ufwr rzCouldn't open '%s' for readingz^### tuple ###\s*zin_\w+zout_\w+rPz comment=z\s+ z)Skipping malformed tuple (bad length): %srz$Skipping malformed tuple (iface): %srDr!rin_out_FrwT%20rrr~zSkipping malformed tuple: %sN)r8r2r3rrYopen_file_readrVrDrrWrXr{rrr]rrr[ partition startswithrrr set_interfaceset_v6rr close)r6rfnsrcrRr_ pat_tuple pat_iface_in pat_iface_out orig_linerfrhexrrQwmsgdtyperrrrrule pat_spacewarn_msgr>r>r? _read_ruless                       zUFWBackendIptables._read_rulesc Cs&|jd}|r |jd}t|tjstd|}t|ztj|}Wnt y-w| d}|j }|r>d}|j }|j rGtj}n|d}tj|dtj|d|d tj|d|d tj|d|d tj|d|d tj|d|d tj|d|dtj|d|dtj|d|dtj|d|dtj|d|dtj|d|dtj|d|dtj|d|dtj|d|d|dkr|jdds|dkr|jddrtj|d|dtj|d|dtj|d|D] }|j} |jr3d|j} |jdkr@| d|j7} d} |jdkrR|jdkrR|j} n0|jdkrg|jdkrgd |j|jf} n|jdkrx| d!|j|jf7} n | d!|j|jf7} |jdkr|jdkrd"| |j|j|j|j|j| f} |j dkr| d#|j 7} tj|| d$nGt!"d%} d&} |jr| #d'|j} d&}|jr| #d'|j}d(| |j|j|j|j|j| || f } |j dkr| d#|j 7} tj|| d$d)}|jrd*}n|jd+kr d,}d-||f}d.||$f}|%|||D] }tj||q"q$tj|d/tj|d0z |&|j'd1}Wn t yPw|D]2\}}}t(|d2krh|d2d3krhqS|)|d&rtj|d%*|+d4d5+d6d7d$qStj|d8|dkr|jdds|dkr|jddrtj|d9|j'd1d:krtj|d;|d<d%*|j,d=|j-d>tj|d;|d?tj|d;|d@tj|dAtj|dBz|j rtj.|dCWdDStj.|WdDSt yw)Ez.Write out new rules to file to user chain filer rz'%s' is not writablerrrQz*filter rwz-user-input - [0:0] z-user-output - [0:0] z-user-forward - [0:0] z-before-logging-input - [0:0] z-before-logging-output - [0:0] z -before-logging-forward - [0:0] z-user-logging-input - [0:0] z-user-logging-output - [0:0] z-user-logging-forward - [0:0] z-after-logging-input - [0:0] z-after-logging-output - [0:0] z-after-logging-forward - [0:0] z-logging-deny - [0:0] z-logging-allow - [0:0] r!rrz-user-limit - [0:0] z-user-limit-accept - [0:0] z### RULES ### zroute:rPrDz in_%s!out_%sz%s_%sz# ### tuple ### %s %s %s %s %s %s %sz comment=%srxrrrz) ### tuple ### %s %s %s %s %s %s %s %s %srrr~r %s-user-%sz -A %s %s z ### END RULES ### z ### LOGGING ### rr-D[z"[z] z] "z### END LOGGING ### z ### RATE LIMITING ### offz-A z -user-limit z "z " z-user-limit -j REJECT z-user-limit-accept -j ACCEPT z### END RATE LIMITING ### zCOMMIT FN)/r8r*accessW_OKrDrrrYrZrVryr rr7sysstdoutfilenor\rzrrrrrrSrrrrrrrrrWrXr] format_ruler_get_logging_rulesrErrr,rr4r5r^)r6r rules_filer_rdr:r rerrifaceststrr rr chain_suffixr=rule_strrlrules_trqr>r>r? _write_rulessT                zUFWBackendIptables._write_rulesTc Csn|d}|jr)|std}t||jdkr(|jdds(td|jSn|jdkr<|jddsr>r?set_rulesZ          "                  zUFWBackendIptables.set_rulec Cstg}g}|r |j}n|j}|}||||}|D]}|}||} | |kr7||q |S)z@Return a list of UFWRules from the system based on template rule)rr rArr@rr3) r6templaterr rnormrrrQ tmp_tupler>r>r?get_app_rules_from_systems"  z,UFWBackendIptables.get_app_rules_from_systemcCs\|j}|dr |j}t|g|\}}|dkr,td|}|r(td|dSt|dS)zPerform command on chainrrzCould not perform '%s'zFAILOK: N)rrr|rrDrr)r6r=rfail_okrrr~r_r>r>r?rs  zUFWBackendIptables._chain_cmdc Csx|jrdS|g}z||}Wntywz|jdd|jddWnty1tyAtd}t|Ynw|sHdStd}|jd|jd|jd |jd D]}z | |d |d gWq`tyxt|wz$|jd|jd |jd D]}| |d |g| |d|gqWn tyt|w|D]B\}}}d}t |dkr|ddkrd}z"|dkrt |dkr|j |dg|dddd| |||Wqtyt|wdD]I}|j ddr|dks |j ddr9|dkr9|j |d|g|j |j dgdd|jddkr9|j |d|g|j |j dgddqdS)z#Update loglevel of running firewallNF)rTz&Couldn't update rules file for loggingr:rrrrrjrirrrr$ delete_firstr)rR)rtrur!rrtrrurrr&-I)r7ryr-rVr5rrDrr1rrrzr4r5rE) r6rrules_tr_rrr4rRr=r>r>r?rs              z!UFWBackendIptables.update_loggingc Csg}|t|jvrtd|}t||dkr/|jdD]}||d|ddgdgq|S|jdD]}||d|ddgd gq4gd }|j||jd krg}|j||jd kr`|}|jd D]I}dD]D}||r||dks~||dkrd}||d|ddd|g|d gqi|j||jdkrd}||d|ddd|g|d gqiqeg}|j||jd kr|}|jdD]S}|drd}n9|drd}|j||jdkr||d|ddddddg|d gn||d|ddddddddg |d g||d|ddd|g|d gq|j||jdkr\g}|j||jdkr0|}|j||jd krAgd|}d }|jd!D]}||d|ddd|g|d gqH|S)"z%Get rules for specified logging levelzInvalid log level '%s'r&rrTr#r;rSr$rP)r r!r"z3/minz --limit-burst10rhighrrrCrIz [UFW BLOCK] r9r$r%mediumz [UFW ALLOW] rrHr conntrack --ctstateINVALIDz[UFW AUDIT INVALID] full)r rYrZNEWz [UFW AUDIT] r) rrrrDrr1r3endswithr) r6rrUr_rrlargsrrr>r>r?r-s      z%UFWBackendIptables._get_logging_rulesc Csd}ttjj|j}g}|jD]2}|j|dsq||j|tj |dtj |j|}tj |sAt d|}t|qtd}|D]}d||f}tj |rat d|}t|qI|D]}d||f}|t dtj ||d 7}t||qd|D]]}d||f}ttj |dtj |tj |t||z t|} | tj} Wntyt d |} t| Yqw| tj@r|t d |7}q| tj@r|t d |7}q|S) zReset the firewallrPz.rulesrzCould not find '%s'. Abortingz %Y%m%d_%H%M%Sz%s.%sz'%s' already exists. Abortingz"Backing up '%(old)s' to '%(new)s' )oldnewzCouldn't stat '%s'zWARN: '%s' is world writablezWARN: '%s' is world readable)r rr& share_dirrr8r^r3r*r+r,basenameisfilerDrtimestrftimeexistsrenameshutilcopydirnamecopymodestatST_MODErVrS_IWOTHS_IROTH) r6resrballfilesrfnr_extr`statinfomoder!r>r>r?resetksb                  zUFWBackendIptables.reset)NN)FF)F)T)__name__ __module__ __qualname____doc__r0rGrgrrrrrrrrr"r5rMrQrrr-rwr>r>r>r?r s0 0K ]f!D e *i  J Zr )r{r*rWrirmr)re ufw.commonrrufw.utilrrrrrr ufw.backendrr.r/r r>r>r>r?s