^Oc@sdZddlZddlZddlZddlmZddlZddlmZm Z ddl m Z ddl ZdZ dZdd d YZdS( s'frontend.py: frontend interface for ufwiN(tUFWError(terrortwarn(tUFWBackendIptablescCstjj}x?ddddddddgD]}|jtjj|q.Wx3d d d d gD]}|jtjj|qdWx9d dddddgD]}|jtjj|qWx0dddgD]}|jtjj|qWx0d*ddgD]}|jtjj |qWx<dddddddgD]}|jtjj |qEWddddd d!g}x'|D]}|jtjj |qWt |d"kr#d#}||j d$krd"}n||j d kr#||j |kr#|j|d%q#nt |d"ksSd$|krpt |d&krptjd'IJtjd#ny|j|d#}WnTtk r}tjd(|jIJtjd#n!tk rtjd)IJnX|S(+sEParse command. Returns tuple for action, rule, ip_version and dryrun.tenabletdisablethelps--helptversions --versiontreloadtresettlisttinfotdefaulttupdatetontofftlowtmediumthightfulltallowtdenytrejecttverbosetnumberedtraws before-ruless user-ruless after-ruless logging-rulestbuiltinst listeningtlimittinserttdeleteiis --dry-runtruleisERROR: not enough argss ERROR: %ssInvalid syntaxN(tufwtparsert UFWParsertregister_commandtUFWCommandBasict UFWCommandApptUFWCommandLoggingtUFWCommandDefaulttNonetUFWCommandStatustUFWCommandShowtUFWCommandRuletlentlowerRtsyststderrtexitt parse_commandRtvaluet Exception(targvtptit rule_commandstidxtprte((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pyR1sJ  0   cCstditjjd6dd6dd6dd6dd6d d 6d d 6d d6dd6dd6dd6dd6dd6dd6dd6dd6dd6d d 6d!d!6d"d#6d$d%6d&d'6d(d)6d*d*6d+d,6d-d.6d/d06d1d26d3d46d5d66}|S(7sPrint help messagesb Usage: %(progname)s %(command)s %(commands)s: %(enable)-31s enables the firewall %(disable)-31s disables the firewall %(default)-31s set default policy %(logging)-31s set logging to %(level)s %(allow)-31s add allow %(rule)s %(deny)-31s add deny %(rule)s %(reject)-31s add reject %(rule)s %(limit)-31s add limit %(rule)s %(delete)-31s delete %(urule)s %(insert)-31s insert %(urule)s at %(number)s %(reset)-31s reset firewall %(status)-31s show firewall status %(statusnum)-31s show firewall status as numbered list of %(rules)s %(statusverbose)-31s show verbose firewall status %(show)-31s show firewall report %(version)-31s display version information %(appcommands)s: %(applist)-31s list application profiles %(appinfo)-31s show information on %(profile)s %(appupdate)-31s update %(profile)s %(appdefault)-31s set default application policy tprognametCOMMANDtcommandtCommandstcommandsRRs default ARGR s logging LEVELtloggingtLEVELtlevels allow ARGSRRs deny ARGSRs reject ARGSRs limit ARGSRsdelete RULE|NUMRtRULEturulesinsert NUM RULERtNUMtnumberR tstatussstatus numberedt statusnumtRULEStrulessstatus verboset statusverbosesshow ARGtshowRsApplication profile commandst appcommandssapp listtapplistsapp info PROFILEtappinfotPROFILEtprofilesapp update PROFILEt appupdatesapp default ARGt appdefault(t_R tcommont programName(tmsg((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pytget_command_helpXs@t UFWFrontendcBseZdZddZdZdZdZeedZddZ d Z d Z ed Z ed Z d ZdZdZdZdZdZdZedZRS(tUItiptablescCsz|dkr9yt||_WqItk r5qIXntd|td|_td|_td|_dS(NR[sUnsupported backend type '%s'tntytyes(RtbackendR3RRTtnoR^tyes_full(tselftdryrunt backend_type((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pyt__init__s   cCsd}d}|rd}nt}|r7|jj sM| rV|jjrVt}n|ry$|jj|jjdd|Wqtk r}t|jqXnd}|rZy|jj Wn%tk r}|r|j}qnX|dkrKy$|jj|jjdddWn tk r=}t|jnXt|nt d}n@y|jj Wn tk r}t|jnXt d}|S(slToggles ENABLED state in /ufw/ufw.conf and starts or stops running firewall. tR`R^tconftENABLEDs0Firewall is active and enabled on system startups/Firewall stopped and disabled on system startup( tFalseR_t is_enabledtTruet set_defaulttfilesRRR2tstart_firewallRTt stop_firewall(Rbtenabledtrest config_strtchangedR:t error_str((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pyt set_enabledsF     cCsrd}yE|jj||}|jjrJ|jj|jjnWn tk rm}t|jnX|S(sSets default policy of firewallRf(R_tset_default_policyRjRoRnRRR2(Rbtpolicyt directionRqR:((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pyRvs cCsCd}y|jj|}Wn tk r>}t|jnX|S(sSets log level of firewallRf(R_t set_loglevelRRR2(RbRBRqR:((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pyRys cCs@y|jj||}Wn tk r;}t|jnX|S(sShows status of firewall(R_t get_statusRRR2(RbRt show_counttoutR:((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pyRzs RcCs=y|jj|}Wn tk r8}t|jnX|S(sShows raw output of firewall(R_tget_running_rawRRR2(Rbt rules_typeR|R:((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pyt get_show_raws cCsd}ytjj|jj}Wn)tk rPtd}t|nX|jj}|j }|j x.|D]&}|jj r|dkrq}n|d|7}||j }|j x|D]}x|||D]} | d} | j d r| j d rd} |d |7}| d ksE| d kr`|d 7}d | d} n |d| 7}tjj | } |dt jj| d7}tjjd|d || } | j|jd| dkr| jd| n| j|jj| } t| dkr|d7}xa| D]V}|dkr1|dt|kr1|d|tjjj||df7}q1q1Wn|d7}qqWqWq}W|jjstjjdn|S(sShows listening servicesRfsCould not get listening statusttcp6tudp6s%s: tladdrs127.s::1s %s s0.0.0.0s::s* s%s/0s%s s(%s)texeRit6tinis is [%2d] %s s)Skipping tcp6 and udp6 (IPv6 is disabled)(RR(R tutiltparse_netstat_outputR_tuse_ipv6R3RTRt get_rulestkeystsortt startswithtget_if_from_iptostpathtbasenameRUtUFWRuletset_v6tendswitht set_interfacet normalizet get_matchingR,R!R+t get_commandtdebug(RbRqtdterr_msgRJt protocolstprototportstporttitemtaddrtifnameRtmatchingR6((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pytget_show_listenings\              "   c Csd}d}d}g}|jdkrF|jdkrF|j|n(g}y |jr(|dkr||jj|t}n|dkr|jj|t}n|dkr5|jj|t}|jj|t}xx|D]Q} xH|D]@} | j} t| _| j | s| | _|j| qqWqWnt d|}t |t |dkr|jj rt d}|dkr|}n:|dkr|d}n!|dkr|d |d}n|Sx|D]K}|j} |j| _| j|j| j|j|j| qWn.|jj|}|jdkrV|jnWntk rmnXd} t}t d }|jjt}|jjt}xt|D]\}} |} | j||kr|t| jd 7}t |nyX|jjr|dkrw| j|krU|t| jd 7}t |n| jt|jj| }qY|dkr| j|kr| j| j|nD| jdkr| j|kr|t| jd 7}t |n| jt|jj| }qY|dkr| j}| jt| j r||kr|jj||| t}|dkr| j|q| jdn|jj| }| j r|dkr|jjt}| j|d n| jt| j r[| jdkr[| j|kr[|jj| jt}|dkrK| j|| q[| jdn|dkrt|d 7}n| j r| j|kr| j| j|n||jj| 7}qYt d|}t |n}|dks|dkr| jt|jj| }nC|dkr=t d }t |nt d|}t |Wn#t k r}|j}t}PnX| j rt d}t!j"|qqW|s||7}nt |d krt#|nt}t$| d }|jx|D]}| dkr||r||j}t|_y|j||Wqtk rt}t d| j%}t"|qXqqW|t d7}|r|t d7}n|t d7}t ||S(sUpdates firewall with ruleRftv4tv6tbothsInvalid IP version '%s'is"Could not delete non-existent rules (v6)s sInvalid position 't'isIPv6 support not enableds Rule changed after normalizationsCould not back out rule '%s's" Error applying application rules.s# Some rules could not be unapplied.s( Attempted rules successfully unapplied.(&tdapptsapptappendtremoveR_tget_app_rules_from_systemRiRkRtmatchRTRR,Rctdup_rulet set_actiontactiont set_logtypetlogtypetget_app_rules_from_templatetpositiontreverseR3tget_rules_countt enumeratetstrRRtset_rulet set_positiontfind_other_positionR2tupdatedtwarningsRRtranget format_rule(RbRt ip_versionRqRttmpRJttmprulest tmprules6txR]tprev6trtcountt set_errort pos_err_msgtnum_v4tnum_v6R6tuser_posR5R:twarn_msgt undo_errortindexestjt backout_rule((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pyRDs                                                        c Csyt|}Wn-tk r?td|}t|nX|jj}|dksm|t|krtd|}t|n|jj|}|std|}t|nt|_ d}|j rd}nt}|st j j j|} tdi| d6|jd6|jd 6} tjtjj| tjjjj} | d kr| |jkr| |jkrt}qnd } |r|j||} n td } | S( s Delete rulesCould not find rule '%s'isCould not find rule '%d'RRs=Deleting: %(rule)s Proceed with operation (%(yes)s|%(no)s)? RR^R`R]RftAborted(tintR3RTRR_RR,tget_rule_by_numberRkRRR R!R+RR^R`RtwriteR.tstdouttfilenotstdintreadlineR-tstripRaRiR( RbRFtforceR\RRJRRtproceedtrstrtprompttansRq((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pyt delete_rulesB       *  c Cs:d}|jdr^|jd}t|dkrL|j|d}q6|jd}n|dkr||jd}n|jdrtd }|jd }t|d krt|n|j|d|d }nR|d kr|j|}n4|dkr|j}n|dkr;|jt }n|jdr|jd d}|dkrx|j }q6|j |}n|dkr|jt t }n|dkr|j t }nm|dkr|j t }nO|dkr:|jjr+|j t |j t td}q6td}n|jdrk|j|jd d|}n|dks|dks|dks|dkr|jdkrPyD|jj|j}||jkr||_|j|dnWqPtk rL}|jst|jntjj|jsMtd}t|qMqPXn|jdkryD|jj|j}||jkr||_|j|dnWqtk r}|jst|jntjj|jstd}t|qqXn|j||}ntd|}t||S( sPerform action on rule. action, rule and ip_version are usually based on return values from parse_command(). Rfs logging-onRTiRs logging-offRsdefault-sUnsupported default policyt-iiR RGsstatus-verboseRLRsstatus-numberedRRRsFirewall reloadeds&Firewall not enabled (skipping reload)sdelete-RRRRtdstsInvalid profile namesUnsupported action '%s'(RtsplitR,RyRTRRvR RzRkRRRiRuR_RjRRtfind_application_nametset_portRRR2R t applicationstvalid_profile_nameRR( RbRRRRRqRRR:((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pyt do_action,s            "$        cCsCd}y|jj|}Wn tk r>}t|jnX|S(s+Sets default application policy of firewallRf(R_tset_default_application_policyRRR2(RbRwRqR:((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pyRs cCsK|jjj}|jtd}x|D]}|d|7}q/W|S(s*Display list of known application profilessAvailable applications:s %s(R_tprofilesRRRT(RbtnamesRR\((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pytget_application_lists    cCs!g}|dkr1|jjj}|jn:tjj|s^td}t|n|j |d}x|D]}|jjj | s|jj| rtd|}t|ntjj ||jj|std}t|n|td|7}|tdtjj |jj|7}|tdtjj |jj|7}tjj|jj|}t|d ksd |d kr|td 7}n|td 7}x|D]}|d|7}qW||t|d krx|d7}qxqxWtjj|S(sDisplay information on profiletallsInvalid profile nameRfsCould not find profile '%s'sInvalid profiles Profile: %s s Title: %s sDescription: %s it,isPorts:sPort:s %ss -- (R_RRRR RRRTRRthas_keytverify_profilet get_titletget_descriptiont get_portsR,Rt wrap_text(RbtpnameRRRtnameRR5((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pytget_application_infosB         " c Csxd}t}t}y(|jjr9tjjr9t}nWntk rSt}nX|dkr|jjj }|j x|D]P}|jj |\}}|r|dkr|d7}n||7}|}qqWn1|jj |\}}|dkr |d7}n|rt|jj rt|ray|jj Wntk rMnX|td7}qt|td7}n|S(sRefresh application profileRfRs sFirewall reloadedsSkipped reloading firewall(RkRiR_t do_checksR Rt under_sshR3RRRtupdate_app_ruleRjt_reload_user_rulesRT( RbRQRt allow_reloadttrigger_reloadRR5Rtfound((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pytapplication_updates<            cCs{d}d}|dkr3td}t|n|jjd}|dkrmtjjd||f|S|dkrd}nF|d krd }n1|d krd }ntd |}t|d g}|jjr|jdn|||g7}yt |}Wnt k r#nX|j j dr_|j |j|j d|j d}n|j |jdd}|S(sRefresh application profileRfRs%Cannot specify 'all' with '--add-new'tdefault_application_policytskips'Policy is '%s', not adding profile '%s'tacceptRtdropRRsUnknown policy '%s'R s --dry-runRtiptype(RTRR_tdefaultsR RRRcRR1R3tdataRRR(RbRQRRwRR targsR9((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pytapplication_adds>              cCsTd}|dkr$|jd}n,|dkrB|jd}n|dkr`|jd}n|dkr~|jd }n|d kr|j}n|d kr|j|}n|d ks|d kr4|j|}d}|d kr|j|}n|dkr'|dkr'|d7}n||}ntd|}t||S(szPerform action on profile. action and profile are usually based on return values from parse_command(). Rfs default-allowRs default-denyRsdefault-rejectRs default-skipRR R R supdate-with-news sUnsupported action '%s'(RRRRRRTR(RbRRQRqtstr1tstr2R((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pytdo_application_actions0          cCst}|jjrtjjrtdi|jd6|jd6}t j t j j |t jjjj}|dkr||jkr||jkrt}qn|S(s6If running under ssh, prompt the user for confirmationsWCommand may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? R^R`R](RkR_RR RRRTR^R`RRR.RRRRR-RRaRi(RbRRR((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pytcontinue_under_ssh6s * cCs4d}tdi|jd6|jd6}|jjrltjjrltdi|jd6|jd6}n|jjr| rtj t j j tjj |t jjjj}|dkr||jkr||jkrtd}|Sn|jjr!||jt7}n|jj}|S(sReset the firewallRfsTResetting all rules to installed defaults. Proceed with operation (%(yes)s|%(no)s)? R^R`sResetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? R]R(RTR^R`R_RR RRRRR.RRRRRR-RRaRjRuRiR (RbRRqRR((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pyR Ds   %* (t__name__t __module__t__doc__ReRuRvRyRiRzRRRRRRRRRRR R R (((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pyRYs&  6  ? , T . + * ((RRR.Rt ufw.commonRtufw.utilR RRtufw.backend_iptablesRt ufw.parserR1RXRY(((s0/usr/lib/python2.7/dist-packages/ufw/frontend.pyts      < >