6mgFSrSSKJr SSKrSSKrSSKrSSKrSSKrSSKrSSK r SSK r SSK r SSK r SSK r SSKrSSKrSSKJr SSKJrJr SrSr/SQr/SQrS S /rS rS rS rSrSrS9SjrSr Sr!Sr"Sr#S:Sjr$Sr%Sr&Sr'S:Sjr(Sr)\RTS4Sjr+Sr,Sr-Sr.S r/\ R`"54S!jr1\ R`"54S"jr2S#r3S$r4S%r5S&r6S'r7S(r8S)r9S*r:S;S+jr;SS/r?S0r@S1rAS2rBS3rCS4rDS5rES6rFS>S7jrGS8rHg)?z"util.py: utility functions for ufw)print_functionN)reduce)mkstempmktempF)tcpudpipv6espahigmpgrevrrp)r r r r r rr r cSn[R"U5 [R"US5 Sn[R"US5 US:XaSnU$SnU$![a ef=f![a NBf=f![a U$f=f)z8Get the protocol for a specified port from /etc/servicesrrany)socket getservbyname Exception)portprotos */usr/lib/python3/dist-packages/ufw/util.pyget_services_protor.s ET" T5) T5) E>E L E L%         L s3AA*A:A: A'* A76A7: BBc SnSnURS5n[U5S:Xa USnSnX4$[U5S:Xa1USnUSnU[;a[SU-5n[ U5eX4$[S5n[ U5e) zParse port or port and protocolr/rrzInvalid port with protocol '%s'zBad port)splitlenportless_protocols_ ValueError)p_strrrtmperr_msgs rparse_port_protor%Hs D E ++c C 3x1}1v = SQ1vA & &9EABGW% % ' =J-!!c[R(d [S5 g[U5S:d[R "SU5(dgUR S5n[R"[RUS5 [U5S:ag[U5S:Xa[USS 5(dgg ![a gf=f) zVerifies if valid IPv6 addressz"python does not have IPv6 support.F+z^[a-fA-F0-9:\./]+$rrrrT) rhas_ipv6warnrrematchr inet_ptonAF_INET6r_valid_cidr_netmaskaddrnets rvalid_address6r3\s ?? 12 4y2~RXX&;TBB **S/C#a&1 3x!| SQ"3q6400  s (B== C  C c[U5S:d[R"SU5(dgURS5n[R "[R US5 [USS5(dg[U5S:ag[U5S:Xa[USS5(dgg![a gf=f) zVerifies if valid IPv4 addressz ^[0-9\./]+$FrrrrT) rr+r,rrr-AF_INET_valid_dotted_quadsr valid_netmaskr0s rvalid_address4r9vs 4y2~RXXnd;; **S/CQ0"3q65112  3x!| SQSVU++  sB?c<[X5=(d [X5$)z(Verifies if valid cidr or dotted netmask)r/r7)nmv6s rr8r8s r & E*=b*EEr&cUS:Xa [U5$US:Xa [U5$US:Xa[U5=(d [U5$[e)zValidate IP addresses64r)r3r9r!)r1versions r valid_addressrAsI#~d## Cd## E d#;~d';; r&c/nSnSn[RnU(aSn[RnSU;aBURS5nU(a USS:XaUS O.U(dUSS:Xd USS:XaUS OUR U5 U(d6[ U5S :Xa'[ USU5(a[USU5US'US n[R"U[R"XV55nXbS :waS n[ U5S :Xa<USUS-- nU(d*[U5nXv:waS U<S U<S3n[U5 UnS n[Xd5(dSU-n[U5 [eXc4$![a Nf=f)zConvert address to standard form. Use no netmask for IP addresses. If netmask is specified and not all 1's, for IPv4 use cidr if possible, otherwise dotted netmask and for IPv6, use cidr. Fr?r>rr12832z255.255.255.255rrTzUsing 'z' for address ''zInvalid address '%s')rr6r.rappendrr7_dotted_netmask_to_cidrr inet_ntopr-_address4_to_networkdebugrAr!) origr<r2changedr@s_typer1networkdbg_msgs rnormalize_addressrPsy CGG ^^F  d{jjo #a&E/AQ43q65F+FA 4 #c(a-$7A$C$C ,SVR8CF q6D   FF$4$4V$B CD 1v~ 3x1} c!f *40G;BDIg  ' '(D1 g ?5   s4E44 FFc[US5$)z"Opens the specified file read-onlyr)open)fns ropen_file_readrUs C=r&cz[U5n[5up#XX#S.$![a UR5 ef=f)z=Opens the specified file read-only and a tempfile read-write.)rKorignamer#tmpname)rUrrclose)rTrKr#rXs r open_filesrZsD " D  # KK   s :cUS:XagU(d[[RS5e[(a8U[R R 5:Xa[RU5 gSn[RSS:a"[R"U[US55nO[R"X5nUS::a[[RS5eg) zwWrite to the file descriptor and error out of 0 bytes written. Intended to be used with open_files() and close_files().rNzNot a valid file descriptorrasciiz"Could not write to file descriptor) OSErrorerrnoENOENT msg_outputsysstdoutfilenowrite version_infoosbytesEIO)fdoutrcs r write_to_filerns by ell$ABBzbCJJ--// B a XXb%W- . XXb  Qweii!EFFr&TcUSR5 [R"US5 U(a:[R"USUS5 [R"USUS5 [R "US5 g)zjCloses the specified files (as returned by open_files), and update original file with the temporary file. rKr#rWrXN)rYrhshutilcopystatcopyunlink)fnsupdates r close_filesrvscKHHSZ JY8 C NC O4IIc)nr&c[U5 [R"U[R[RSS9nUR5SnUR[ U5/$![ anS[ U5/sSnA$SnAff=f)z!Try to execute the given command.T)rdstderruniversal_newlinesNr) rJ subprocessPopenPIPESTDOUTr_str communicate returncode)commandspexrls rcmdrsx 'N   gjoo%/%6%6157 .. 1 C MM3s8 $$ SW~s3A** B 4 BB B c"[R"U[RS9n[R"XRS9nUR 5SnUR[ U5/$![anS[ U5/sSnA$SnAff=f)z#Try to pipe command1 into command2.)rd)stdinrzNr)r{r|r}rdr_rrr)command1command2sp1sp2rrls rcmd_piper$swx @xzz: // A C NNCH %% SW~sAA-- B7 B B BclURnURSS5n[(a;[R "[ R5(aURU5 OUR[U55 UR5 g![a UnNf=f![a UnNf=f)zJImplement our own print statement that will output utf-8 when appropriate.utf-8ignoreN) bufferrencoderbinspectisclassioStringIOrfriflush)outputswriterrls r_printr2shhw) zgoobkk22 Q U3Z  LLN  s" BB$ B! B!$ B32B3c[[RSU-5 U(a[R"S5 gg![a N+f=f)zPrint error message and exitz ERROR: %s rN)rrcrxIOErrorexit)rldo_exits rerrorrGsC szz=3./      s> A  A c`[[RSU-5 g![a gf=f)zPrint warning messagez WARN: %s N)rrcrxrrls rr*r*Rs, szz<#-.    s  --c[(aU[R:Xa[nU(a[USU-5 g[USU-5 g![a gf=f)z Print messagez%s %sN)rbrcrdrr)rlrnewlines rmsgrZsMzf *  66C< ( 64#: &    sAA AAcx[(a[[RSU-5 gg![a gf=f)zPrint debug messagez DEBUG: %s N) DEBUGGINGrrcrxrrs rrJrJhs8y  3::}s2 3   s , 99c@[U4SjURS55$)z A word-wrap function that preserves existing line breaks and most spaces in the text. Expects that existing line breaks are posix newlines ( ). c U<S[U5URS5- S- [URSS5S5-U:<U<3$)Nz  rr)rrfindr)linewordwidths rword_wrap..wsT#d)DJJt$44q8djjq1!4569>?A 3r& )rr)textrs r word_wraprqs% 5 **S/  r&c[US5$)zWord wrap to a specific widthK)r)rs r wrap_textrs T2 r&c2^SmURU4SjS9 g)zSorts list of strings into numeric order, with text case-insensitive. Modifies list in place. Eg: [ '80', 'a222', 'a32', 'a2', 'b1', '443', 'telnet', '3', 'http', 'ZZZ'] sorts to: ['3', '80', '443', 'a2', 'a32', 'a222', 'b1', 'http', 'telnet', 'ZZZ'] cbUR5(a [U5$UR5$N)isdigitintlower)ts rrhuman_sort..s qyy{{SV9 9r&cj>[R"SU5Vs/sH nT"U5PM sn$s snf)Nz([0-9]+))r+r)kcnorms rrrs(bhhz1.EF.ET!W.EFFs0)keyN)sort)lstrs @r human_sortrs :DHHFHGr&c[U5n[RR S[ U5S5n[RRU5(d[SU-5e[U5R5SRSS5SR5Sn[U5$![a [S5ef=f)zYFinds parent process id for pid based on /proc//stat. See 'man 5 proc' for details. zpid must be an integer/procstatCouldn't find '%s'r)r) rrr!rhpathjoinrisfilerrS readlinesrsplitr)mypidpidnameppids rget_ppidrs3%j 77<<S6 2D 77>>$  *d344 :   !! $ + +C 3A 6 < < >q AD t9 31223s B44C c[U5nUS:XdUS::ag[RRS[ U5S5n[RRU5(d[S5U-n[ U5e[U5R5SR5Sn[S U-5 US :Xag [U5$![a [S5n[U5 g[a# [S5[ U5-n[ U5ef=f![a [S 5U-n[ U5ef=f) z1Determine if current process is running under sshz%Couldn't find pid (is /proc mounted?)Fz!Couldn't find parent pid for '%s'rrrrrz"Could not find executable for '%s'zunder_ssh: exe is '%s'z(sshd)T)rrr r*rrr!rhrrrrSrrrJ under_ssh)rrwarn_msgr$rexes rrrs2"} ax419 77<<TF 3D 77>>$  ()T2!!"4j""$Q'--/2 "c *+ h; <= X "78CHE!!" "89TB!!"s C-D  D1,D $EcSnU(aSn[R"SU5(a[U5S:d[U5U:agg)zVerifies cidr netmasks ^[0-9]+$rFT)r+r,r)r;r<nums rr/r/s: C  88K $ $B! s2w} r&cU(ag[R"SU5(aRURS5n[U5S:wagUH*nU(a [ U5S:d[ U5S:dM* g gg)z.Verifies dotted quad ip addresses and netmasksFz^[0-9]+\.[0-9\.]+$.rT)r+r,rrr)r;r<quadsqs rr7r7sc  88)2 . .HHSME5zQCFQJ#a&3,  r&c SnU(a[e[X5(d[eSn[[R"S[ R "U55S5nSn[S5H"nXF- S-S:XaSnMU(aSn O US- nM$ US:aUS::a[SU- 5n[X!5(d[eU$![a: [[R"S[ R "U55S5nNf=f) z@Convert netmask to cidr. IPv6 dotted netmasks are not supported.rr>LFrrTr\) r!r7longstructunpackr inet_aton NameErrorrrangerr/)r;r<cidrmbitsbits found_onens rrGrGs D "2**   E dF,<,> q6D!fG B2u%% $R /DtV-=-=d-CDQGH v}}T6+;+;B+?@CD &Lv{{4>?Gw '' D dF,<,?BCDs8A.DA8FFcSnSU;a [S5 U$URS5n[U5S:wd[USS5(d[eUSnUSn[ R "S[R"[RU55n[S5n[S 5H?nU"XWS 5n[S 5H"n US[X5-S U - US -- --nM$ MA [S5n [S 5HnU[U5:dMU SS U- --n M! Xj-n /n [S 5H1nU R[U"U S 5US -US -S -S55 M3 [R"[R[ R "SU SU SU SU S U SU SU SU S5 5n U <SU<3$![a SnGN?f=f![a Sn Nf=f)z8Convert an IPv6 address and netmask to a network addressc SR[US- SS5Vs/sHn[X- S-5PM sn5$s snf)zDecimal to binaryrrr\)rrr)rcountys rdec2bin%_address6_to_network..dec2binfs=wwU57B5KL5KSXN+5KLMMLs?rz8_address6_to_network: skipping address without a netmaskrrTrz>8Hrzrr]r)rJrrr8r!rrrr-r.rrrrrFrHr)r1rr# orig_hostnetmaskunpackedrirjrr2rrNs r_address6_to_networkr dsN $ HI **S/C 3x1}M#a&$77AI!fG}}UF$4$4V__5>%@AHG 1X HK $rA !c!$i-SU1R4Z8 8I q'3Z s7|  qWM) )G  C C 1X 3wsC(2ad2g6:;v%{{5#a&#a&+.q63q63q6+.q63q63q6 CDG w ''A   s$ G0 G$ G! G!$ G32G3cvURS5n[U5S:wd[USU5(d[eUSnUSnUS:XdUS:XagUnSU;a?URS5n[U5S:wd[USU5(d[eUSnUS:XdUS:XagU(a'[ U5(a[ U5(d[eO&[ U5(a[ U5(d[e[ XR5(aU(d [XR5nU(aL[U<SU<35RS5Sn[U<SU<35RS5SnX:H$[U<SU<35RS5Sn[U<SU<35RS5SnX:H$)z&Determine if address x is in network yrrrrz0.0.0.0z::T) rrr8r!r3r9r/rr rI) tested_add tested_netr<r#rraddress orig_networkrNs r in_networkrs   3 C 3x1}M#a&"55AI!fGId!2G g~mmC  s8q= c!fb 9 9 a&)w$ g&&nY.G.G /Hg&&nY.G.G 7'')'6 +-6-ABBG%*QP &(/(:;;@5:aI  "" ,-6-ABBG%*QP &(/(:;;@5:aI  ""r&cSnSHKn[RRUS5n[RRU5(a OSnMM US:Xa[ [ R S5eU$)Nr)z/sbinz/binz /usr/sbinz/usr/binz/usr/local/sbinz/usr/local/biniptableszCould not find iptables)rhrrexistsr_r`ra)rds r_find_system_iptablesrsd C3ggll1j) 77>>#   C3 byell$=>> Jr&cUc [5n[US/5upUS:wa[[RSU-5eUR 5n[ R"SSUS5$)zReturn iptables versionz-VrzError running '%s'z^vrr)rrr_r`rarr+sub)rrmrlr#s rget_iptables_versionrs_ {#%S$K IR Qwell$8C$@AA ))+C 66$CF ##r&cLSnU(a3[R"5S:wa[[RS5eUc [ 5n/nSnUR S5(aSnU[SSS9- n[US U/5upVUS:wa[[RU5eU"X/S Q5(aURS 5 U"X/S Q5(aURS 5 [USU/5 [USU/5upVUS:wa[[RU5eU$)zTReturn capabilities set for netfilter to support new features. Callers must be root.c:USU/n[X2-5upEUS:Xagg)Nz-ArTF)r)rchainruleargsrmrls rtest_cap,get_netfilter_capabilities..test_caps)T5! $  7r&rz Must be rootz ufw-caps-test ip6tableszufw6-caps-testr)prefixdirz-N)-m conntrack --ctstateNEWr%recentz--setz recent-set) r%r&r'r(r%r)z--updatez --seconds30z --hitcountr>z recent-updatez-Fz-X) rhgetuidr_r`EPERMrendswithrrrarF)r do_checksr capsrrmrls rget_netfilter_capabilitiesr0sRYY[A%ekk>22 {#% D E ||K     V22 &&ES$&'IR QwellC(( 677 L!011 O$dES$&'IR QwellC(( Kr&c[U5n[5nUR5GHnURS5(dURS5(dM2UR 5nUSnUSR S5Sn[5nSR USR S5SS5US'US US 'US R S 5SUS 'US S:Xa US US'OUS R S 5SUS'XR;a[5X%'/X%U'OXbU;a/X%U'X%UR U5 GM U$)z:Get and parse netstat the output from get_netstat_output()rrrr:r\Nladdrr]uidrrr-r)get_netstat_outputdict splitlines startswithrrrF)r<netstat_outputrrr#rritems rparse_netstat_outputr<'sE (+N A))+u%%dooe.D.D jjlA1v||C $vQc!23B!78W !fU !fll3'*U ;# u+DKa&,,s+A.DK >vAHAHTNU8#!# d#1,4 Hr&c SnU(GaSn[RRU5(d[[R SU-5e[ U5R5HnUR5nXS:XdMSR[S[US5S5Vs/sH oeSXfS-PM sn5nUSR5S :wdMvU<S [USR5S 5<3nM US:Xa[[RS 5eO[ R "[ R"[ R$5n[ R&"[(R*"UR-5S [.R0"SUSS55SS5n[5X!5S$s snf![2a [[RS 5ef=f)zGet IP address for interfacer/proc/net/if_inet6'%s' does not existrr2rrr80rrNo such devicei256sN)rhrrr_r`rarSrrrrrrrrENODEVrr6 SOCK_DGRAMrfcntlioctlrerrrrP)ifnamer<r1procrr#r rs rget_ip_from_ifrLMs D #ww~~d##%,,(=(DE EJ((*D**,CQxx38CAK3KL3KaF1qSM3KLNq6<<>T)&*CA ,CDD+ 2:%,,(89 9  MM&..&*;*; < :##EKK F$*KKs $D%FFH%MND T &q ))M :%,,(89 9 :s*F= AG%G'c SnSn[U5(aSnSnO*[U5(d[[RS5e[ R RU5(d[[RSU-5eSnU(a[U5R5HnUR5nUSR5nS R[S [!US 5S 5Vs/sH ouS XwS -PM sn5nUS R#5S :wa$U<S[%US R#5S5<3nX:XdSU;dM['XS5(dMUn U$ U$[U5R5HDnS U;aM URS 5S R5n[)US5n X:XdMAUn U$ U$s snf![a M\f=f)zGet interface for IP addressFz /proc/net/devTr>rAr?rrr2rrrr@rr)r3r9rr`rFrhrrr_rarSrrstriprrrrrrrL) r1r<rKmatchedrr#rJr tmp_addrips rget_if_from_iprRms B Dd # D ! !ell$455 77>>$  ell$9D$@AAG J((*D**,CV\\^Fxx38CAK3KL3KaF1qSM3KLNH1v||~%&.CFLLNB0GHxJtt$D$D  N9+8 NJ((*D$ZZ_Q'--/F #FE2z  N+ N/M   s3G 9 G G('G(ch[R"S5nUR5 [R"S5n[ 5nUGH1nUR U5(dM[RRSUS5n[R"U[R[R-5(dMzSn[R"[RRSUS55n[R"U5nUHbn[R"[RRXG55SnU<S[RRU5<3X('Md GM4 U$![a Nf=f![a GMVf=f![a Mf=f)zGet inodes of files in /procrrrkr5rrr)rhlistdirrr+compiler7r,rraccessF_OKR_OKreadlinkrrbasename) proc_filespatinodesr fd_pathexe_pathdirsr inodes r_get_proc_inodesrbsMG$JOO **[ !C VF yy|| '',,w40yy"''BGG"344  {{277<<E#BCH ::g&DA  W 89!<()"''*:*:8*DEFM +8 M          s65F<F6F# F F F F # F10F1c SSSSSSSSS S S S . nS SSSS.n[RRSU5n[R"U[R[R -5(d[ e/nSn[U5R5nUHnUR5nU(dSnMU[XSS5n URS5(aSn OURS5(aU S :waMiXSRS5upXSn XSn URU [U S5XU 45 M U$)z=Read /proc/net/(tcp|udp)[6] file and return a list of tuples ESTABLISHEDSYN_SENTSYN_RECV FIN_WAIT1 FIN_WAIT2 TIME_WAITCLOSE CLOSE_WAITLAST_ACKLISTENCLOSING) rrr]rrrrr rr]rro) local_addrstater4raz /proc/netFTrsrrNArrrr2r4ra) rhrrrVrWrXr!rSrrrr9rF)protocol tcp_statesproc_net_fieldsrTr skipped_firstlinesrfieldsrsr3rr4ras r_read_proc_net_protocolr{sU#  !!!"   J'(!" !"O k8 ,B 99R277* + + CM H   E M 3vg&>?DE   u % %E   ' 'EX,= \:;AA#F U+,w/0 E3tR=#e<= Jr&c lSn[U5S:aSn[SSS5H;nUSR[US-US5Vs/sH o@US- UPM sn5- nM= [SR[S[U5S5Vs/sHoBXDS-R 5PM sn5S 5SnU$/n[SSS5Vs/sH o@US- UPM snH'nUR [ [US 555 M) [S RU5S 5SnU$s snfs snfs snf) zDConvert an address from /proc/net/(tcp|udp)* to a normalized addressrrrrrr2rTrrF)rrrrPrrFrr)paddr convertedr#r r s rconvert_proc_addressrs.I 5zA~q"aA 27751a3DF3Da1Q3q\3DFG GC!%chh,1!SXq,AB,AqAc   ",AB'D   ).q!R:A1Q<:A JJs3q": ';%chhsmU;A> GB;sD' D, D1c[5nSS/nU(aUSS/- nUHn[U5X'M [ 5n[ UR55nUR5 SnUHdnXHYuppn [U5n Sn[U 5U;aU[U 5nXs<SS U <S U <3<S S U <S S U <SS U <S S U<S 3 - nM[ Mf U$![a [SU-5n[ U5 Mf=f)z5netstat-style output, without IPv6 address truncationrrtcp6udp6z!Could not get statistics for '%s'rr55rr24611r) r7r{rr r*rblistkeysrrr)r< proc_net_datarprr] protocolsrr3rr4rarsr1rs rr6r6s FM ENE  &&!!  6q9M  F]'')*I NN A 0=0@ ,U#e'.DC5zV#SZ( qBF7M7 ? F Fw OOr&c[RSS:aURSS9RS5$[R"S[ U5S-(aUSS OU-5RSS 5$) z,Take a hex string and convert it to a stringrr]r)encodingrrrNr\backslashreplace)rcrgrr unhexlifyr)hs r hex_decoder=sn Qxxx'..w77   dA afB C J J# r&czSnU(d1[US5n[R"U[R5 U$)zCreate a blocking lockfileNw)rSrHlockfLOCK_EX)lockfiledryrunlocks r create_lockrLs- D Hc" D%--( Kr&cUcg[R"U[R5 UR5 g![a gf=f)z(Free lockfile created with create_lock()N)rHrLOCK_UNrYr!)rs r release_lockrUs> |  D%--(    s5< A A )r)Tr)NT)F)z /run/ufw.lockF)I__doc__ __future__rrrr`rHrrrhr+rprrr{rc functoolsrtempfilerrrrbsupported_protocolsripv4_only_protocolsrr%r3r9r8rArPrUrZrnrvrrrrr*rdrrJrrrgetpidrrr/r7rGrrIr rrrr0r<rLrRrbr{rr6rrrrrr&rrsr("&   $   QAv&4(42F 4n LG2  % &* JJ    H99;.))+!N 2$\: (F7(t,#h  $6r# L*@,^"J,^&  F P   r&