o Fa@szdZddlZddlZddlZddlmZddlZddlmZm Z m Z ddl m Z ddl ZddZdd ZGd d d ZdS) z'frontend.py: frontend interface for ufwN)UFWError)errorwarnmsg)UFWBackendIptablesc Cstj}dD] }|tj|qdD] }|tj|qdD] }|tj|q#dD] }|tj|q1dD] }|tj|q?dD] }|tj |qMgd}|D]}|tj ||tj |q_t |dkrd }|| d krd}|| d kr|| d kr|| |vr||d t |dksd |vrt |dkrtdz ||d d}W|Sty}ztd|jWYd}~|Sd}~wtytdddw)zEParse command. Returns tuple for action, rule, ip_version and dryrun.)enabledisablehelpz--helpversionz --versionreloadreset)listinfodefaultupdate)onofflowmediumhighfull)allowdenyreject)Nverbosenumbered)rawz before-rulesz user-rulesz after-rulesz logging-rulesbuiltins listeningadded)rlimitrrinsertdeleteprepend --dry-runrrouteruleznot enough argsNz%szInvalid syntaxF)do_exit)ufwparser UFWParserregister_commandUFWCommandBasic UFWCommandAppUFWCommandLoggingUFWCommandDefaultUFWCommandStatusUFWCommandShowUFWCommandRuleUFWCommandRouteRulelenlowerr!r parse_commandrvalue Exception)argvpi rule_commandsidxprerC./usr/lib/python3/dist-packages/ufw/frontend.pyr9sL     r9cCstdidtjjddddddddd d d d d dddddddddddddddddddid d!d"d#d$d%d&d'd(d(d)d)d*d*d+d,d-d.d/d0d1d2d3d3d4d5d6d7d8d9d:d;dd?i}|S)@zPrint help messagea+ Usage: %(progname)s %(command)s %(commands)s: %(enable)-31s enables the firewall %(disable)-31s disables the firewall %(default)-31s set default policy %(logging)-31s set logging to %(level)s %(allow)-31s add allow %(rule)s %(deny)-31s add deny %(rule)s %(reject)-31s add reject %(rule)s %(limit)-31s add limit %(rule)s %(delete)-31s delete %(urule)s %(insert)-31s insert %(urule)s at %(number)s %(prepend)-31s prepend %(urule)s %(route)-31s add route %(urule)s %(route-delete)-31s delete route %(urule)s %(route-insert)-31s insert route %(urule)s at %(number)s %(reload)-31s reload firewall %(reset)-31s reset firewall %(status)-31s show firewall status %(statusnum)-31s show firewall status as numbered list of %(rules)s %(statusverbose)-31s show verbose firewall status %(show)-31s show firewall report %(version)-31s display version information %(appcommands)s: %(applist)-31s list application profiles %(appinfo)-31s show information on %(profile)s %(appupdate)-31s update %(profile)s %(appdefault)-31s set default application policy prognamecommandCOMMANDcommandsCommandsrrrz default ARGloggingz logging LEVELlevelLEVELrz allow ARGSr(rz deny ARGSrz reject ARGSr z limit ARGSr"zdelete RULE|NUMuruleRULEr!zinsert NUM RULEr#z prepend RULEr'z route RULEz route-deletezroute delete RULE|NUMz route-insertzroute insert NUM RULEnumberNUMr r status statusnumzstatus numberedrulesRULES statusverbosezstatus verboseshowzshow ARGr appcommandszApplication profile commandsapplistzapp listappinfozapp info PROFILEprofilePROFILE appupdatezapp update PROFILE appdefaultzapp default ARG)_r+common programName)help_msgrCrCrDget_command_help[s       !"Crbc@seZdZdZ  d,ddZddZdd Zd d Zd-d dZd.ddZ ddZ ddZ ddZ d/ddZ d/ddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd/d*d+ZdS)0 UFWFrontendUIiptablesNcCs\|dkrz t|||d|_Wntywtd|td|_td|_td|_dS)Nre)rootdirdatadirzUnsupported backend type '%s'nyyes)rbackendr;rr^norjyes_full)selfdryrun backend_typerfrgrCrCrD__init__s    zUFWFrontend.__init__c Cs|d}d}|rd}d}|r|jr|s|jrd}|rBz|j|jjdd|WntyA}z t|jWYd}~nd}~wwd}|rz|jWntyd}z |rZ|j}WYd}~nd}~ww|dkrz|j|jjdddWnty}z t|jWYd}~nd}~wwt|td }|Sz|j Wnty}z t|jWYd}~nd}~wwtd }|S) zlToggles ENABLED state in /ufw/ufw.conf and starts or stops running firewall. rlrjFTconfENABLEDNz0Firewall is active and enabled on system startupz/Firewall stopped and disabled on system startup) rk is_enabled set_defaultfilesrrr:start_firewallr^ stop_firewall)rnenabledres config_strchangedrB error_strrCrCrD set_enabledsb zUFWFrontend.set_enabledc Csnd}z|j||}|jr|j|jW|SW|Sty6}z t|jWYd}~|Sd}~ww)zSets default policy of firewallrrN)rkset_default_policyruryrxrrr:)rnpolicy directionr{rBrCrCrDrs   zUFWFrontend.set_default_policyc CHd}z |j|}W|Sty#}z t|jWYd}~|Sd}~ww)zSets log level of firewallrrN)rk set_loglevelrrr:)rnrKr{rBrCrCrDrzUFWFrontend.set_loglevelFc CsFz |j||}W|Sty"}z t|jWYd}~|Sd}~ww)zShows status of firewallN)rk get_statusrrr:)rnr show_countoutrBrCrCrDrszUFWFrontend.get_statusrc CsDz |j|}W|Sty!}z t|jWYd}~|Sd}~ww)zShows raw output of firewallN)rkget_running_rawrrr:)rn rules_typerrBrCrCrD get_show_raw szUFWFrontend.get_show_rawc Cs d}z tj|j}Wntytd}t|w|j}t | }| |D]}|js:|dvr:q.|d|7}t || }| |D]}|||D]} | d} | ds| dsd} |d|7}| d ksv| d kr|d 7}d | d} n |d | 7}tj | } |dtj| d7}tjjd|dd|| ddd} | |d| dkr| d| | |j| } t| dkr|d7}| D]}|dkr|dt|kr|d|tjj||df7}q|d7}qVqNq.|jstjd|S)zMShows listening services and incoming rules that might affect themrrzCould not get listening status)tcp6udp6z%s: laddrz127.z::1z %s z0.0.0.0z::z* z%s/0z%s z(%s)exerNr)inF)actionprotocoldportdstrforward6r r%z [%2d] %s z)Skipping tcp6 and udp6 (IPv6 is disabled))r+utilparse_netstat_outputrkuse_ipv6r;r^r get_rulesr keyssort startswithget_if_from_ipospathbasenamer_UFWRuleset_v6endswith set_interface normalize get_matchingr7r,r5 get_commanddebug)rnr{derr_msgrS protocolsprotoportsportitemaddrifnamer(matchingr>rCrCrDget_show_listeningsv              / zUFWFrontend.get_show_listeningcCs|j}td}t|dkr|tdSg}|jD]&}|jr+dtjj|}ntjj |}||vr7q| ||d|7}q|S)z!Shows added rules to the firewallz9Added user rules (see 'ufw status' for running firewall):rz (None)route %sz ufw %s) rkrr^r7rr+r,r6rr5append)rnrSrrrrstrrCrCrDget_show_added\s     zUFWFrontend.get_show_addedc Csd}d}d}g}|jdkr|jdkr||ng}z|jr|dkr*|j|d}nF|dkr6|j|d}n:|dkrf|j|d}|j|d}|D]} |D]} | j} d| _| | sc| | _|| qNqJn td|}t |t |dkr|jj std }|dkr|}|WS|dkr|d }|WS|dkr|d |d }|WS|D]}| } |j| _| |j| |j|| qn|j|}|jdkr|Wntywd} d}td }|jd}|jd}t|D]\}} |} | j||kr |t| jd 7}t |z|jr|dkrT| jdkr4| dkr,|dkr,dnd}| |n| j|krG|t| jd 7}t || d|j| }n{|dkr| jdkrs| dkrk|dkrkdnd}| |n(| j|kr| | j|n| jdkr| j|kr|t| jd 7}t || d|j| }n'|dkr| j}| d|dkr| dkr|dkrdnd}| |n$| js||kr|j||| d}|dkr| |n| d|j| }| js|dkr|jd}| |d| d|dkr,| dkr$|dkr$dnd}| |n*| jsV| jdkrV| j|krV|j| jd}|dkrQ| || n| d|dkr_|d 7}| jsv| j|krv|dkrv| | j|||j| 7}nPtd|}t || jdkr| dkr|dkrdnd}| ||dks|dkr| d|j| }n|dkrtd}t |td|}t |Wnt y}z |j}d}WYd}~nd}~ww| jrtd}t |q|s||7}|St |dkrt!||Sd}t"t#| d}||D]9}| dkrV||rV|| }d|_z |||WqtyUd}td| $}t |Yqwq|td7}|rk|td7}t ||td7}t |)zUpdates firewall with rulerrv4Fv6TbothzInvalid IP version '%s'rz"Could not delete non-existent rulez (v6)rzInvalid position ''r%zIPv6 support not enabledNz Rule changed after normalizationzCould not back out rule '%s'z" Error applying application rules.z# Some rules could not be unapplied.z( Attempted rules successfully unapplied.)%dappsapprremoverkget_app_rules_from_systemrmatchr^rr7rodup_rule set_actionr set_logtypelogtypeget_app_rules_from_templatepositionreverser;get_rules_count enumeratestrr set_positionrset_rulefind_other_positionr:updatedwarningsrrr range format_rule)rnr( ip_versionr{rtmprStmprules tmprules6xriprev6rcount set_error pos_err_msgnum_v4num_v6r>beginuser_posr=rBwarn_msg undo_errorindexesj backout_rulerCrCrDrysj                                                     zUFWFrontend.set_rulec CsPzt|}Wntytd|}t|w|j}|dks'|t|kr1td|}t||j|}|sCtd|}t|d|_d}|j rMd}d}|s|j r^dt j j |} nt j j|} td| |j|jd } t| tjd d tj} | d kr| |jkr| |jkrd }d } |r|||} | Std} | S)z Delete rulezCould not find rule '%s'rzCould not find rule '%d'Trrrz=Deleting: %(rule)s Proceed with operation (%(yes)s|%(no)s)? )r(rjrlFoutputnewlinerirrAborted)intr;r^rrkrr7get_rule_by_numberrrrr+r,r6rr5rjrlrsysstdoutstdinreadliner8striprmr) rnrOforcerhrrSr(rproceedrpromptansr{rCrCrD delete_ruleEsT         zUFWFrontend.delete_rulec CsHd}|dr"|d}t|dkr||d}|S|d}|S|dkr-|d}|S|drQtd }|d }t|d krEt|||d|d }|S|d kr\||}|S|dkrf|}|S|dkrq|d}|S|dr|d d}|dkr| }|S|dkr| }|S| |}|S|dkr|dd}|S|dkr| d}|S|dkr| d}|S|dkr|j r| d| dtd}|Std}|S|dr||d d|}|S|dks|dks|dks|dkr|jdkrGz|j |j}||jkr||_||d Wn,tyF}z|js,t|jtj|js < 86 4 2 0 .   )' %             zUFWFrontend.do_actionc Cr)z+Sets default application policy of firewallrrN)rkset_default_application_policyrrr:)rnrr{rBrCrCrDrrz*UFWFrontend.set_default_application_policycCs:t|jj}|td}|D]}|d|7}q|S)z*Display list of known application profileszAvailable applications: %s)r rkprofilesrrr^)rnnamesrrhrCrCrDget_application_lists z UFWFrontend.get_application_listcCsg}|dkrt|jj}|ntj|s!td}t || |d}|D]}||jjvs8|jj|sBtd|}t |tj ||jj|sUtd}t ||td|7}|tdtj |jj|7}|tdtj |jj|7}tj|jj|}t|d ksd |d vr|td 7}n|td 7}|D]}|d|7}q||t|d kr|d7}q*tj|S)zDisplay information on profileallrrrzCould not find profile '%s'zInvalid profilez Profile: %s z Title: %s zDescription: %s r%,rzPorts:zPort:rz -- )r rkrrrr+rrr^rrverify_profile get_titleget_description get_portsr7r wrap_text)rnpnamerrrnamerr=rCrCrDget_application_infosN           z UFWFrontend.get_application_infoc Cs d}d}d}z |jjrtjrd}Wn tyd}Ynw|dkrMt|jj}| |D]}|j |\}}|rK|dkrE|d7}||7}|}q1n|j |\}}|dkr]|d7}|r|j r|r~z|j Wntyuw|t d7}|S|t d7}|S)Refresh application profilerrTFrrrzSkipped reloading firewall)rk do_checksr+r under_sshr;r rrrupdate_app_ruleru_reload_user_rulesr^) rnrZr allow_reloadtrigger_reloadrr=rfoundrCrCrDapplication_update sH    zUFWFrontend.application_updatecCs d}d}|dkrtd}t||jjd}|dkr&tjd||f|S|dkr-d}n|d kr4d }n|d kr;d }n td |}t|d g}|jjrQ|d|||g7}zt |}Wnt yewd|j vr{| |j |j d|j d}|S| |j dd}|S)rrrrz%Cannot specify 'all' with '--add-new'default_application_policyskipz'Policy is '%s', not adding profile '%s'acceptrdroprrzUnknown policy '%s'r+r&r(iptype)r^rrkdefaultsr+rrrorr9r;datarr)rnrZrrrrargsrArCrCrDapplication_add8sF       zUFWFrontend.application_addcCsd}|dkr |d}|S|dkr|d}|S|dkr#|d}|S|dkr.|d }|S|d kr8|}|S|d krC||}|S|d ksK|d krm||}d}|d kr[||}|dkrg|dkrg|d7}||}|Std|}t|)zzPerform action on profile. action and profile are usually based on return values from parse_command(). rrz default-allowrz default-denyrzdefault-rejectrz default-skiprr rrzupdate-with-newrr)rrrrr"r^r)rnrrZr{str1str2rrCrCrDdo_application_actionbs<        z!UFWFrontend.do_application_actioncCsrd}|jjr7tjr7td|j|jd}t|t j ddt j }|dkr7||jkr7||jkr7d}|S)z6If running under ssh, prompt the user for confirmationTzWCommand may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? rjrlFrri)rkrr+rrr^rjrlrrrrrr8rrm)rnrrrrCrCrDcontinue_under_sshs zUFWFrontend.continue_under_sshcCsd}td|j|jd}|jjr!tjr!td|j|jd}|jjrP|sPttj |t j ddt j }|dkrP||jkrP||jkrPtd}|S|jr\||d7}|j}|S) zReset the firewallrrzTResetting all rules to installed defaults. Proceed with operation (%(yes)s|%(no)s)? r&zResetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? Frrir)r^rjrlrkrr+rrrr rrrrr8rrmrurr )rnrr{rrrCrCrDr s$     zUFWFrontend.reset)reNN)FF)r)F)__name__ __module__ __qualname____doc__rqrrrrrrrrrrrrrrr"r%r'r rCrCrCrDrcs0 6  H M 1V  .+* rc)r+rrr ufw.commonrufw.utilr+rrrufw.backend_iptablesr ufw.parserr9rbrcrCrCrCrDs  >H