JFIFxxC      C  " }!1AQa"q2#BR$3br %&'()*456789:CDEFGHIJSTUVWXYZcdefghijstuvwxyz w!1AQaq"2B #3Rbr RܷeJFddlZddlZddlZddlZddlZddlZddlmZddlm Z m Z e ddDcic]}|dkDr|dks|dc}Z dZ dZd.d Zd Zd Zd Zd ZdZdZdZdZdZdZdZdZdZdZdZdZdZ dZ!dZ"dZ#dZ$dZ%d Z&d!Z'd"Z(d#Z)d$Z*d%Z+d&Z,d'Z-d(Z.d)Z/d*Z0d+Z1d,Z2d-Z3ycc}w)/N)log)FIREWALLD_TEMPDIRFIREWALLD_PIDFILEct|tr|}n|r|j} t|}|dkDry|S#t$r4 t j |}n#tj $rYYywxYwYDwxYw)zCheck and Get port id from port string or port id using socket.getservbyname @param port port string or port id @return Port id if valid, -1 if port can not be found and -2 if port is too big ) isinstanceintstrip ValueErrorsocket getservbynameerror)port_ids 4/usr/lib/python3/dist-packages/firewall/functions.py getPortIDrs$ ::E"CaxC1H9NNC:.3YNNC:.NNC6*axv&F ##$ 7|a W  1:c|dk(ryt|}t|tr|dkryt|dk(rd|zS|d||dS)aCreate port and port range string @param port port or port range int or [int, int] @param delimiter of the output string for port ranges, default ':' @return Port or port range string, empty string if port isn't specified, None if port or port range is not valid rNrz%s)r+r rr )r delimiter_ranges rportStrr1psV rz $ F&#6A: V f}!!9i;;r,cXt|}t|}t|dk(rut|dk(rt|dt|dk(St|dk(r;t|dt|dk\rt|dt|dkryyt|dk(rt|dk(rut|dt|dk\rXt|dt|dkr;t|dt|dk\rt|dt|dkryy)NrrrTF)r+r r)rr!_portr0s rportInPortRanger4s  E % F 5zQ v;! U1X&)F1I*>> > K1 %(#y';;%(#y';;  Uq K1 %(#y';;%(#y';;%(#y';;%(#y';; r,cLt|}t|dk(r |d|df}tt|}ttd|d}g}|D]}|d|dkr|d|dk\r|j |+|d|dkr2|d|dkr'|d|dk\r|j ||d|df}h|d|dkDst|d|dk\s|d|dks|j ||d|df}t td|}|d|dk(r|df}|g|fS)zCoalesce a port range with existing list of port ranges @param new_range tuple/list/string @param ranges list of tuple/list/string @return tuple of (list of ranges added after coalescing, list of removed original ranges) rrc6t|dk(r |d|dfS|SNrrr xs rz#coalescePortRange.. c!fkqtQqTlqr,c |dSNrr9s rr;z#coalescePortRange.. RSTURVr,keyc(|d|dk(r|dfS|SNrrr?r9s rr;z#coalescePortRange..1Q41Q4<1Qr,r+r mapsortedr#r) new_rangerangescoalesced_range_rangesremoved_rangesr!s rcoalescePortRangerNs#9-O ?q *1-q/AB,'G 8'BGN= 1 q )oa.@E!H.L  ! !% ( A %( *"U1X-"eAh.  ! !% (.q158.r<r,c |dSr>r?r9s rr;z breakPortRange..r@r,rAc(|d|dk(r|dfS|SrDr?r9s rr;z breakPortRange..rEr,c(|d|dk(r|dfS|SrDr?r9s rr;z breakPortRange..s11qtg1r,rF) remove_rangerJrLrM added_rangesr!s rbreakPortRangerVs -L <A$Qa9 ,'G 8'BGNLA ?eAh &<?eAh+F  ! !% ( OuQx 'Q%(*Q58+  ! !% (   a1!4eAh ? @ OeAh &Q58+Q58+  ! !% (   q<?Q+> ? @ !_uQx 'LOeAh,F  ! !% (   q<?Q+> ? @   a1!4eAh ? @1A6#FWXNDlSTL . ))r,cx tjt||}|S#tj$rYywxYw)zCheck and Get service name from port and proto string combination using socket.getservbyport @param port string or id @param protocol string @return Service name if port and protocol are valid, else None N)r getservbyportrr)rprotonames rgetServiceNamer[s<##CIu5 K <<s #99c tjtj|y#tj$rYywxYw)zgCheck IPv4 address. @param ip address string @return True if address is valid, else False FT)r inet_ptonAF_INETrips rcheckIPras8,  <<s $'==c$|jdS)zNormalize the IPv6 address This is mostly about converting URL-like IPv6 address to normal ones. e.g. [1234::4321] --> 1234:4321 z[])rr_s r normalizeIP6rcs 88D>r,c tjtjt|y#tj$rYywxYw)zgCheck IPv6 address. @param ip address string @return True if address is valid, else False FT)rr]AF_INET6rcrr_s rcheckIP6rf&s=,r*:;  <<s-0AAc|jd}|dk7r|d|}||dzd}|r|sy|}d}t|sy|r&d|vr t|S t|}|dks|dkDryy#t$rYywxYw) N/r rF.r T)findrarrr`indexaddrmaskr)s r checkIPnMaskrp4s GGCLE {&5z%!)+4 4= $;4=  I1uB    s A"" A.-A.c,|jtSN) translateNOPRINT_TRANS_TABLE)rule_strs rstripNonPrintableCharactersrvMs   1 22r,c|jd}|dk7r|d|}||dzd}|r|sy|}d}t|sy|r t|}|dks|dkDryy#t$rYywxYw)Nrhr rFrT)rkrfrrrls r checkIP6nMaskryQs GGCLE {&5z%!)+4 D>  D A q5AG    s A AAc t|}|dks|dkDryy#t$r3 tj|Yy#tj$rYYywxYwwxYw)NrFT)rrrgetprotobynamer)protocolr)s r checkProtocolr~hsf  M q5AG     ! !( +  ||   s$  A:A AAAc`|r,|jrt|dkryy|dk(ry|dk7ryy)NiFNoneTpmtu)rr)tcp_mss_clamp_values rcheckTcpMssClamprxsB  & & (&'#-  !F * F * r,c@|rt|dkDrydD]}||vsyy)zCheck interface string @param interface string @return True if interface is valid (maximum 16 chars and does not contain ' ', '/', '!', ':', '*'), else False F) rh!*Tr8)ifacechs rcheckInterfacers2 CJO" ; r,cR t|d}|dk\r|dkryy#t$rYywxYw)Nrr TFrrvalr:s r checkUINT16rs; QK 6a5j    &&cR t|d}|dk\r|dkryy#t$rYywxYw)NrlTFrrs r checkUINT32rs; QK 6a:o  rctjjtsy t td5}|j }dddtjjdzsy t d|zd5}|j }ddddvryy#1swY[xYw#t $rYywxYw#1swY*xYw#t $rYywxYw)zuCheck if firewalld is active @return True if there is a firewalld pid file and the pid is used by firewalld FrNz/proc/%sz/proc/%s/cmdline firewalldT)ospathexistsropenreadline Exception)fdpidcmdlines rfirewalld_is_activers 77>>+ , #S ) R++-C 77>>*s* + $s*C 0 $BkkmG $ g #   $ $ sRB-B!B-3CB<C!B*&B-- B98B9<CC CCc  tjjtstjtdt j ddtdS#t$r}tjd|zd}~wwxYw)Niwtztemp.F)modeprefixdirdeletez#Failed to create temporary file: %s) rrrrmkdirtempfileNamedTemporaryFilerrr)msgs rtempFilersk ww~~/0 HH& .**g+ sAA B%A>>Bc t|d5}|jcdddS#1swYyxYw#t$r%}tjd|d|Yd}~yd}~wwxYw)NrzFailed to read file "": )r readlinesrrr)filenamefes rreadfilersaB (C  !A;;= ! ! !  B Ha@AA Bs( 4( 4144 A"AA"c t|d5}|j|dddy#1swYyxYw#t$r%}tjd|d|Yd}~yd}~wwxYw)NwzFailed to write to file "rFT)rwriterrr)rlinerrs r writefilers] (C  A GGDM       !DEs( 5)5255 A#AA#cH|dk(r tddS|dk(r tddSy)Nipv4z/proc/sys/net/ipv4/ip_forwardz1 ipv6z&/proc/sys/net/ipv6/conf/all/forwardingF)r)ipvs renable_ip_forwardingrs/ f}8%@@ A5II r,cF|jddjddS)N_rz nf-conntrack-r.)replace)modules rget_nf_conntrack_short_namers >>#s # + +OR @@r,cvt|}|dk(s |dk(s|t|dk(r|d|dk\r|dk(rtjd|zy |dk(rtjd|zy |tjd|zy t|dk(r#|d|dk\rtjd |zy y ) Nr r rrrz'%s': port > 65535z'%s': port is invalidz'%s': port is ambiguousz'%s': range start >= endFT)r+r rdebug2)rr0s r check_portrs $ F" R< > K1 fQi!7 R< JJ+d2 3 r\ JJ.5 6  ^ JJ047 8[A &)vay"8 JJ1D8 9 r,cD|dk(r t|S|dk(r t|SyNrrF)rpryrsources r check_addressr s) f}F## V$$r,cD|dk(r t|S|dk(r t|Syr)rarfrs rcheck_single_addressrs( f}v r,ct|dk(r0dD] }||dk7s ydD]}||tjvsyyy)N)r :F) rr rT)r string hexdigits)macr)s r check_macrsY 3x6" A1v} ; A1vV---  r,cDg}|D]}||vs|j||Srr)r#)_listoutputr:s runiqifyr+s0 F  F? MM!  Mr,c tjd|z}t|jdj }|j |S#t $rYywxYw)zGet parent for pidzps -o ppid -h -p %d 2>/dev/nullrN)rpopenrrrcloser)rrs r ppid_of_pidr4s] HH6< =!++-"((*+   J sAA A"!A"cddlm}ddlm}t t t |j}d|t |zt dzz S)z iptables limits length of chain to (currently) 28 chars. The longest chain we create is POST__allow, which leaves 28 - 11 = 17 chars for . r)POLICY_CHAIN_PREFIX SHORTCUTS_allow)firewall.core.ipXtablesrfirewall.core.basermaxrGr values)rrlongest_shortcuts rmax_policy_name_lenr?sE <,3sI$4$4$678 !C(;$<_allow, which leaves 28 - 11 = 17 chars for . rrr__allow)rrrrGr r)rrs rmax_zone_name_lenrLs7 -3sI$4$4$678 !C N2 33r,ct|dks!t|tjdkDry|D].}|tjvs|tj vs)|dvs.yy)NrSC_LOGIN_NAME_MAXF)rirr$T)r rsysconfr ascii_lettersdigits)usercs r checkUserrXs_ 4y1}D BJJ/B$CC  V)) )&--  r,cpt|tr t|}|dk\r|dkryy#t$rYywxYw)NFriT)r strrr)uids rcheckUidresD#s c(C axC9$    s ) 55cjt|dkst|dkDrydD]}||vsy|ddk7ryy)NriF)| rrhTr8)commandrs r checkCommandr psI 7|a3w<$. =qzS r,c|jd}t|dvry|ddk7r |ddddk7ry|dddd k7ry|d ddd k7ryt|d dkryy )Nr)rrFrrootr _ur_rr_trT)rr )contextr&s r checkContextr{s ]]3 F 6{&  ayFvay~5 ay~ ay~ 6!9~ r,c2djd|DS)Nrc3FK|]}tj|ywrr)shlexquote).0as r zjoinArgs..s1qEKKN1s!)r")argss rjoinArgsrs 881D1 11r,c,tj|Srr)rr)_strings r splitArgsrs ;;w r,cXddl} |j|g|i|y#t$rYywxYw)NrFT)inspectbind TypeError)fcnrkwrs rwrong_args_for_callabler#s;  S#1##  s  )))r)4rros.pathrrrfirewall.core.loggerrfirewall.configrrr!rtrr+r1r4rNrVr[rarcrfrprvryr~rrrrrrrrrrrrrrrrrrrrr rrrr#)r)s0rr's!  $@1c]  Fq3wtG 08v<&4,/^1*h   23.  (< A(  N 4 &2  K sC