6mgXvSrSSKrSSKrSSKrSSKJr SrSrSr\r Sr Sr S r S r "S S \5r"S S5rg)z!common.py: common classes for ufwN)debugufwz/lib/ufwz/usr/share/ufwz/etcz/usrz /usr/sbinTc$\rSrSrSrSrSrSrg)UFWError!z$This class represents ufw exceptionscXlgNvalue)selfr s ,/usr/lib/python3/dist-packages/ufw/common.py__init__UFWError.__init__#s c,[UR5$r )reprr r s r __str__UFWError.__str__&sDJJrr N)__name__ __module__ __qualname____firstlineno____doc__rr__static_attributes__rr rr!s. rrc\rSrSrSrSSjrSrSrSrSr Sr SS jr S r S r S rS rSrSrSrSrSrSrSrSrSrSrSrSrSrSrg)UFWRule*z$This class represents firewall rulesc >SUlSUlSUlSUlSUlSUlSUlSUlSUlSUl SUl SUl SUl SUl SUlSUlSUlXlSUlUR'U5 UR)U5 UR+U5 UR+US5 UR-U5 UR/U5 UR1U5 UR3U 5 g![4a ef=f)NFrsrc)removeupdatedv6dstr"dportsportprotocolmultidappsappactionpositionlogtype interface_in interface_out directionforwardcomment set_action set_protocolset_portset_srcset_dst set_direction set_commentr) r r-r)r'r&r(r"r2r3r4s r rUFWRule.__init__,s               OOF #   h ' MM% MM% ' LL  LL    y )   W %   s B D Dc"UR5$r ) format_rulers r rUFWRule.__str__Os!!rcSU-n[UR5nUR5 UHnUSU<SURU<3- nM U$)zPrint rule to stdoutz'%s'z, =)list__dict__sort)r reskeysks r _get_attribUFWRule._get_attribRsIoDMM" A 4==#34 4C rc[URUR5nURUlURUlUR UlUR UlURUlURUlURUl URUl URUl URUl URUl URUlURUlUR UlUR"UlUR$UlUR&UlU$)zReturn a duplicate of a rule)rr-r)r#r$r%r&r"r'r(r*r+r,r.r/r0r1r2r3r4)r rules r dup_ruleUFWRule.dup_rule[st{{DMM2kk || ''8888ZZ ZZ ZZ II II   ||  --!//|| ||  rcSnURS:waUSUR-- nURS:waUSUR-- nURS:XaUS- nOUSUR-- nUR(aUS- nURS:wa:UR S:wa*USUR-- nUS- nUS UR -- nOEURS:waUSUR-- nO"UR S:waUS UR -- nUR S :wa"UR S :waUS UR -- nUR(d"URS:waUS UR-- nURS :wa"URS :waUSUR-- nUR(d"UR S:waUSUR -- nSnURS:waSUR-nURS:Xa USU-- nOOURS:XaUSU-- nURS:XaUS- nO!URS:Xa USU-- nOUSU-- nURS:wdURS:waSn[R"S5nURS:wa"USURSUR5-- nURS:waURS:waUS- nURS:wa"USURSUR5-- nUS - nUSU-- nUR5$)!zFormat rule for later parsingr!z -i %sz -o %sanyz -p allz -p z -m multiportz --dports z --sports 0.0.0.0/0::/0z -d z --dport z -s z --sport _allowz -j ACCEPT%srejectz -j REJECT%stcpz --reject-with tcp-resetlimitz -j LIMIT%sz -j DROP%sz-m comment --comment ' dapp_z%20,sapp_')r0r1r)r*r'r(r&r"r/r-r+r,recompilesubstrip)r rule_strlstrr4 pat_spaces r r>UFWRule.format_rulers    " D$5$56 6H    # D$6$67 7H ==E !  !H . .HzzO+::&4::+> tzz 99H/H tzz 99HZZ5( tzz 99HZZ5( tzz 99H 88{ "txx6'9 ) )HzzdjjE1  djj0 0H 88{ "txx6'9 ) )HzzdjjE1  djj0 0H <<2 %D ;;' ! $/ /H [[H $ $/ /H}}%66 [[G #  . .H  - -H 99?dii2o.G 3IyyB7Y]]5$))%DDDyyB499?3yyB7Y]]5$))%DDD sNG g %H~~rcUR5RS5nUSS:XdUSS:Xd USS:Xa USUlOSUlSn[U5S:aUSnUR U5 g ) zSets action of the rulerRrrSrTrVdenyr!N)lowersplitr-len set_logtype)r r-tmpr/s r r5UFWRule.set_actionsslln""3' q6W A( 2c!f6Ga&DK DK s8a<!fG !rc[S5U-nUS:XaGOUS:XaUR(aGOUS:XaUR(aGO[R"SU5(d[R"SU5(a [ U5eUR S5UR S5-S :a [ U5eURS5n[U5S :aS Ul S nUGH?n[R"S U5(atS Ul URS5nUH,n[U5S :d[U5S:dM#[ U5e [US5[US 5:a [ U5eO[R"SU5(a*[U5S :d[U5S:a [ U5eO?[R"SU5(a[R"U5nO [ U5eU(aUS[U5-- nGM4[U5nGMB UnUS:Xa[U5Ulg[U5Ulg![a [ U5ef=f)z:Sets port and location (destination or source) of the rulez Bad port '%s'rOr&r"z^[,:]z[,:]$rY:rfTr!z ^\d+:\d+$irz^\d+$z ^\w[\w\-]+N)rRr+r,r\matchrcountrhrir*intsocket getservbyname Exceptionstrr(r') r portlocerr_msgportsrkpranqs r r7UFWRule.set_portsO$- 5=  E\dii  E\dii  XXh % %(D)A)A7# #jjo 3/2 57# #JJsOE5zA~! C88L!,,!%DJ''#,C q6A:Q%"*7"33!3q6{c#a&k1&w//2XXh**1vzSVe^&w//&4XXmQ//0"003#7++3Q<'Ca&C14D %<TDJTDJ%0&w//0s II-cU[RRS/-;aXlg[ S5U-n[ U5e)zSets protocol of the rulerOzUnsupported protocol '%s'N)rutilsupported_protocolsr)rRr)r r)rys r r6UFWRule.set_protocols; sxx33ug= =$M34AG7# #rcUR(asUR(a'URS:XdURS:XaSUlUR(a)URS:XdURS:XaSUlgggUR(a'URS:XdURS:XaSUlUR(a)URS:XdURS:XaSUlggg)zAdjusts src and dst based on v6rOrPrQN)r%r&r"rs r _fix_anywhereUFWRule._fix_anywheres 77xxTXX.$((k2I!xxTXX.$((k2I!3JxxxTXX.$((f2D&xxTXX.$((f2D&3Exrc0XlUR5 g)zESets whether this is ipv6 rule, and adjusts src and dst accordingly. N)r%r)r r%s r set_v6UFWRule.set_v6 s rcUR5nUS:wa;[RRUS5(d[ S5n[ U5eX lUR5 g)zSets source address of rulerOzBad source addressN)rgrr valid_addressrRrr"rr addrrkrys r r8UFWRule.set_srcsQjjl %< 6 6sE B B,-G7# # rcUR5nUS:wa;[RRUS5(d[ S5n[ U5eX lUR5 g)z Sets destination address of rulerOzBad destination addressN)rgrrrrRrr&rrs r r9UFWRule.set_dstsQjjl %< 6 6sE B B12G7# # rcUS:waUS:wa[S5n[U5eS[U5;a[S5n[U5eS[U5;a[S5n[U5e[U5S:Xd[U5S :Xa[S 5n[U5e[[U55S :Xa[S 5n[U5e[[U55S :a[S5n[U5e[R "S[U55(d[S5n[U5eUS:XaX lgX lg)zSets an interface for ruleinoutzBad interface type!z+Bad interface name: reserved character: '!'rnz/Bad interface name: can't use interface aliases.z..z)Bad interface name: can't use '.' or '..'rz+Bad interface name: interface name is emptyz+Bad interface name: interface name too longz^[a-zA-Z0-9_\-\.\+,=%@]+$zBad interface nameN)rRrrvrir\rpr0r1)r if_typenamerys r set_interfaceUFWRule.set_interface's( d?w%/,-G7# # #d) EFG7# # #d) IJG7# # t9 s4yD0CDG7# # D Na EFG7# # D NR EFG7# #xx4c$i@@,-G7# # d? $ !% rc[U5S:wa>[R"S[U55(d[S5U-n[ U5e[ U5Ulg)zSets the position of the rulez-1z^[0-9]+z,Insert position '%s' is not a valid positionN)rvr\rprRrrrr.)r numrys r set_positionUFWRule.set_positionWsJ s8t BHHZS$B$BFG3OG7# #C rcUR5S:XdUR5S:XdUS:XaUR5Ulg[S5U-n[U5e)zSets logtype of the rulelogzlog-allr!zInvalid log type '%s'N)rgr/rRr)r r/rys r rjUFWRule.set_logtypeasL ==?e #w}})'C b="==?DL/0G 'N 55AEE> 'N 44144< 'N 66QVV  'N 66QVV  'N >>Q^^ + 'N ??aoo - 'N ;;!++ % 'N 99 ! 'N 88qxx AII$: QYY&+,G 'N 88qxx AII$: QYY&>?G 'NFGHHAHHIIQYYIIQYY89 grc SnU(aU(d [5eURU5S:XagSU<SUR<SU<SUR<S3 nURS:wa[ SU-S -5 g UR UR :wa[ US -5 g UR UR :waUR S :wa[ S U-5 g URS :wa1U"URUR5(d[ SU-5 g URS:XGa$URS:Xa"URUR5(aGO]URUR:waSUR;a[ SU-5 g URUR:waSUR;aURUR:Xas[RRURURUR5(d/[ SU-SUR<SUR<S3-5 g GOkURS:waIURUR:wa/[ SU-SUR<SUR<S3-5 g [RRURUR5nURU:wa5SUR;a%[ SU-SUR<SU<S3-5 g URU:waSUR;axURUR:Xa^[RRXARUR5(d%[ SU-SU<SUR<S3-5 g URUR:wa/[ SU-SUR<SUR<S3-5 g [ SU<SUR<SU<SUR<S3 5 g![a! [ SU-SUR--5 g f=f)a`This will match if x is more specific than y. Eg, for protocol if x is tcp and y is all or for address if y is a network and x is a subset of y (where x is either an address or network). Returns: 0 match 1 no match -1 fuzzy match This is a fuzzy destination match, so source ports or addresses are not considered, and (currently) only incoming. cSU;dSU;aX:XaggURS5HYnX:Xa gSU;dMURS5up4[U5[U5:dM?[U5[U5::dMY g g)z:Returns True if p is an exact match or within a multi rulerYrnTF)rhrr)test_pto_matchrwlowhighs r _match_ports-UFWRule.fuzzy_dst_match.._match_portsssf}v % s+>$;"&**S/KS6{c#h.3v;#d)3K# ,rrzNo fuzzy match 'z (v6=z)' 'z)'rz (direction) z (not incoming)rfz (forward does not match)rOz (protocol) z(dport) r!/z(dst) z ('z' not in network 'z')z (interface) z (z != )z %s does not existz(v6) z(fuzzy match) 'r)rrpr%r2rr3r)r'r0 _is_anywherer&rr in_networkget_ip_from_ifIOError)rrrrif_ips r fuzzy_dst_matchUFWRule.fuzzy_dst_matchsS ",  771:? qttQ& ;;$  .7*->> ? 99 ! '77 8 :: # e(; -') * 77e L!''$B$B *w& ' >>R ~~#quu(=(=!%%Cquu$4h()!%%C155LQTTQTT\88&&quuaeeQTT::h(uuaee,%%& ~~#!..(Hnw.~~q~~2778 //E uu~#QUU"2nw.uue2%%&%C155LQTTQTT\88&&ueeQTT::nw.7T[0rcSnURS:wdURS:wGaCUR<SUR<SUR<SUR<3nURS:Xa9UR<SUR<SUR<SUR<3nURS:Xa9UR<SUR<SUR <SUR<3nUR S:Xa$URS:XaUSUR-- nU$UR S:waUSUR -- nURS:waUSUR-- nU$)a{Returns a tuple to identify an app rule. Tuple is: dapp dst sapp src direction_iface|direction or dport dst sapp src direction_iface|direction or dapp dst sport src direction_iface|direction where direction_iface is of form 'in_eth0', 'out_eth0' or 'in_eth0 out_eth0' (ie, both interfaces used). If no interfaces are specified, then tuple ends with the direction instead. r!rWz %sz in_%sz out_%s) r+r,r&r"r'r(r0r1r2)r tupls r get_app_tupleUFWRule.get_app_tupleTs 99?dii2o$(IItxxDHHMDyyB(, DHHdii)-3yyB(, 488TZZ)-3  B&4+=+=+C00 $$*H(9(9::D%%+I););<!]],w''': 8r)r-r4r+r2r'r&r3r0r1r/r*r.r)r#r,r(r"r$r%N)rOrPrOrPrFr!)r&)rrrrrrrrHrLr>r5r7r6rrr8r9rrrjr:rr;rrprrrrrrrr rr*s.:EGL!F".A F "3#j$ '.&`!$$1!)FAFl\ D(rr)rr\rsufw.utilrr programName state_dir share_dir trans_dir config_dir prefix_dir iptables_dir do_checksrurrrrr rsV'"          y ` (` (r