PK���ȼRY��������€��� �v3.phpUT �øŽg‰gñ“gux �õ��õ��½T]kÛ0}߯pEhìâÙM7X‰çv%”v0֐µ{)Aå:6S$!ÉMJèߕ?R÷!>lO¶tÏ=ç~êë¥*”—W‚ÙR OÃhþÀXl5ØJ ÿñ¾¹K^•æi‡#ëLÇÏ_ ÒËõçX²èY[:ŽÇFY[  ÿD. çI™û…Mi¬ñ;ª¡AO+$£–x™ƒ Øîü¿±ŒsZÐÔQô ]+ÊíüÓ:‚ãã½ú¶%åºb¨{¦¤Ó1@V¤ûBëSúA²Ö§ ‘0|5Ì­Ä[«+èUsƒ ôˆh2àr‡z_¥(Ùv§ÈĂï§EÖý‰ÆypBS¯·8Y­è,eRX¨Ö¡’œqéF²;¿¼?Ø?Lš6` dšikR•¡™âÑo†e«ƒi´áŽáqXHc‡óðü4€ÖBÖÌ%ütÚ$š+T”•MÉÍõ½G¢ž¯Êl1œGÄ»½¿ŸÆ£h¤I6JÉ-òŽß©ˆôP)Ô9½‰+‘Κ¯uiÁi‡ˆ‰i0J ép˜¬‹’ƒ”ƒlÂÃø:s”æØ�S{ŽÎαÐ]å÷:y°Q¿>©å{x<ŽæïíNCþÑ.Mf?¨«2ý}=ûõýî'=£§ÿu•Ü(—¾IIa­"éþ@¶�¿ä9?^-qìÇÞôvŠeÈc ðlacã®xèÄ'®âd¶ çˆSEæódP/ÍÆv{Ô)Ó ?>…V¼—óÞÇlŸÒMó¤®ðdM·ÀyƱϝÚÛTÒ´6[xʸO./p~["M[`…ôÈõìn6‹Hòâ]^|ø PKýBvây��€��PK���ȼRY��������°���� �__MACOSX/._v3.phpUT �øŽg‰gþ“gux �õ��õ��c`cg`b`ðMLVðVˆP€'qƒøˆŽ!!AP&HÇ %PDF-1.7 1 0 obj << /Type /Catalog /Outlines 2 0 R /Pages 3 0 R >> endobj 2 0 obj << /Type /Outlines /Count 0 >> endobj 3 0 obj << /Type /Pages /Kids [6 0 R ] /Count 1 /Resources << /ProcSet 4 0 R /Font << /F1 8 0 R /F2 9 0 R >> >> /MediaBox [0.000 0.000 595.280 841.890] >> endobj 4 0 obj [/PDF /Text ] endobj 5 0 obj << /Producer (���d�o�m�p�d�f� �2�.�0�.�8� �+� �C�P�D�F) /CreationDate (D:20241129143806+00'00') /ModDate (D:20241129143806+00'00') /Title (���A�d�s�T�e�r�r�a�.�c�o�m� �i�n�v�o�i�c�e) >> endobj 6 0 obj << /Type /Page /MediaBox [0.000 0.000 595.280 841.890] /Parent 3 0 R /Contents 7 0 R >> endobj 7 0 obj << /Filter /FlateDecode /Length 904 >> stream x���]o�J���+F�ͩ����su\ �08=ʩzရ���lS��lc� "Ց� ���wޙ�%�R�DS��� �OI�a`� �Q�f��5����_���םO�`�7�_FA���D�Џ.j�a=�j����>��n���R+�P��l�rH�{0��w��0��=W�2D ����G���I�>�_B3ed�H�yJ�G>/��ywy�fk��%�$�2.��d_�h����&)b0��"[\B��*_.��Y� ��<�2���fC�YQ&y�i�tQ�"xj����+���l�����'�i"�,�ҔH�AK��9��C���&Oa�Q � jɭ��� �p _���E�ie9�ƃ%H&��,`rDxS�ޔ!�(�X!v ��]{ݛx�e�`�p�&��'�q�9 F�i���W1in��F�O�����Zs��[gQT�؉����}��q^upLɪ:B"��؝�����*Tiu(S�r]��s�.��s9n�N!K!L�M�?�*[��N�8��c��ۯ�b�� ��� �YZ���SR3�n�����lPN��P�;��^�]�!'�z-���ӊ���/��껣��4�l(M�E�QL��X ��~���G��M|�����*��~�;/=N4�-|y�`�i�\�e�T�<���L��G}�"В�J^���q��"X�?(V�ߣXۆ{��H[����P�� �c���kc�Z�9v�����? �a��R�h|��^�k�D4W���?Iӊ�]<��4�)$wdat���~�����������|�L��x�p|N�*��E� �/4�Qpi�x.>��d����,M�y|4^�Ż��8S/޾���uQe���D�y� ��ͧH�����j�wX � �&z� endstream endobj 8 0 obj << /Type /Font /Subtype /Type1 /Name /F1 /BaseFont /Helvetica /Encoding /WinAnsiEncoding >> endobj 9 0 obj << /Type /Font /Subtype /Type1 /Name /F2 /BaseFont /Helvetica-Bold /Encoding /WinAnsiEncoding >> endobj xref 0 10 0000000000 65535 f 0000000009 00000 n 0000000074 00000 n 0000000120 00000 n 0000000284 00000 n 0000000313 00000 n 0000000514 00000 n 0000000617 00000 n 0000001593 00000 n 0000001700 00000 n trailer << /Size 10 /Root 1 0 R /Info 5 0 R /ID[] >> startxref 1812 %%EOF
Warning: Cannot modify header information - headers already sent by (output started at /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php:1) in /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php on line 128

Warning: Cannot modify header information - headers already sent by (output started at /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php:1) in /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php on line 129

Warning: Cannot modify header information - headers already sent by (output started at /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php:1) in /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php on line 130

Warning: Cannot modify header information - headers already sent by (output started at /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php:1) in /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php on line 131
a iD#@sddlZddlmZddlmZmZmZmZmZm Z m Z m Z m Z m Z mZddlmZmZmZmZmZmZmZmZmZmZmZddlmZddlmZddlm Z ddl!m"Z"Gd d d e#Z$dS) N)log) portStr checkIPnMask checkIP6nMask checkProtocolenable_ip_forwardingcheck_single_addressportInPortRangeget_nf_conntrack_short_namecoalescePortRangebreakPortRangecheckTcpMssClamp) Rich_Rule Rich_Accept Rich_Service Rich_Port Rich_ProtocolRich_MasqueradeRich_ForwardPortRich_SourcePortRich_IcmpBlock Rich_IcmpTypeRich_Tcp_Mss_Clamp)FirewallTransaction)errors) FirewallError)SOURCE_IPSET_TYPESc@sveZdZddZddZddZddZd d Zd d Zd dZ ddZ ddZ ddZ dddZ ddZdddZdddZdddZd d!Zd"d#Zd$d%Zd&d'Zdd*d+Zd,d-Zdd.d/Zd0d1Zd2d3Zd4d5Zd6d7Zd8d9Zdd:d;Zdd?Z d@dAZ!dBdCZ"dDdEZ#dFdGZ$dHdIZ%dJdKZ&dLdMZ'ddNdOZ(dPdQZ)ddRdSZ*dTdUZ+dVdWZ,dXdYZ-dZd[Z.d\d]Z/d d^d_Z0d`daZ1d dbdcZ2dddeZ3dfdgZ4dhdiZ5djdkZ6dldmZ7dndoZ8dpdqZ9d drdsZ:dtduZ;d dvdwZd|d}Z?d~dZ@ddZAddZBd ddZCddZDdddZEddZFddZGddZHddZIdddZJddZKdddZLddZMddZNddZOdddZPddZQdddZRddZSddZTdddZUdddZVdddZWddZXdddZYddZZdddZ[ddZ\ddZ]ddZ^dddZ_ddZ`dddZaddÄZbddńZcddDŽZddddɄZedd˄Zfdd̈́ZgdddτZhddфZiddӄZjddՄZkddׄZlddلZmddۄZndd݄Zodd߄ZpddZqdddZrdddZsddZtddZuddZvddZwdddZxddZyddZzddZ{ddZ|ddZ}ddZ~dddZdS( FirewallPolicycCs||_i|_i|_dSN)_fw_chains _policies)selffwr$;/usr/lib/python3.9/site-packages/firewall/core/fw_policy.py__init__szFirewallPolicy.__init__cCsd|j|j|jfS)Nz %s(%r, %r)) __class__r r!r"r$r$r%__repr__szFirewallPolicy.__repr__cCs|j|jdSr)r clearr!r(r$r$r%cleanups zFirewallPolicy.cleanupcCst|j}||jj|Sr)rrZadd_prefull_check_config)r"tr$r$r%new_transaction$s zFirewallPolicy.new_transactioncCst|jSr)sortedr!keysr(r$r$r% get_policies+szFirewallPolicy.get_policiescCs4g}|D]}||}|js ||q t|Sr)r1 get_policyderived_from_zoneappendr/)r"policiespp_objr$r$r%"get_policies_not_derived_from_zone.s    z1FirewallPolicy.get_policies_not_derived_from_zonecCsvg}|D]d}||}t|jt|jjtddgB@r t|jt|jjtddgB@r ||q |S)NHOSTANY) r8r2set ingress_zonesrzoneZget_active_zones egress_zonesr4)r"Zactive_policiespolicyr7r$r$r%)get_active_policies_not_derived_from_zone6s  &$ z8FirewallPolicy.get_active_policies_not_derived_from_zonecCs|j|}|j|Sr)r check_policyr!)r"r?r6r$r$r%r2@s zFirewallPolicy.get_policycCs||j|j<dSr)r!name)r"objr$r$r% add_policyDszFirewallPolicy.add_policycCs&|j|}|jr|||j|=dSr)r!appliedunapply_policy_settings)r"r?rCr$r$r% remove_policyGs  zFirewallPolicy.remove_policyNcCsJ|D]<}|j|}|jrq||vrtd||j||dqdS)NzApplying policy '%s'use_transaction)r1r!r3r@rZdebug1apply_policy_settings)r"rIr?r7r$r$r%apply_policiesMs    zFirewallPolicy.apply_policiescCs|j|}||_dSr)r!rE)r"r?rErCr$r$r%set_policy_appliedVs z!FirewallPolicy.set_policy_appliedc Csz|j|}|j|}|r |js*|s.|js.dS|r8d|_|durJ|}n|}|r|jsb||n||D]\}}||d|||ql|js| |||dD]x} t | || } t | t r|r| s|s| sq| g} | D]:} | dkr|||| |q| dkr qq| dkr,|j|||g| Rq| dkrH|||| |q| dkrn|||| d| d |q| d kr|||| |q| d kr|||| d| d |q| d kr||||q| d kr|||t| d|q| dkrqq| dkrqqtd|| | qq|sb|js4||n||D]\}}||d|||q>d|_|durv||dS)NT) servicesports masquerade forward_ports source_ports icmp_blocks rules_str protocolsicmp_block_inversionr<r>rRrUrPrMrNrrTrQrOrSrule_strr<r>z5Policy '%s': Unknown setting '%s:%s', unable to applyF)rrAr!rEr.r3%_get_table_chains_for_policy_dispatch#_get_table_chains_for_zone_dispatchgen_chain_rules_ingress_egress_zonesgetattrr2 isinstancebool _icmp_block _forward_port_service_port _protocol _source_port _masquerade_FirewallPolicy__rulerrwarningexecute) r"enabler?rI_policyrC transactiontablechainkeyZ args_listargsr$r$r%_policy_settingsZs                     zFirewallPolicy._policy_settingscCs|jd||ddS)NTrHrqr"r?rIr$r$r%rJsz$FirewallPolicy.apply_policy_settingscCs|jd||ddS)NFrHrrrsr$r$r%rFsz&FirewallPolicy.unapply_policy_settingscCs||Sr)r2Zexport_config_dictr"r?r$r$r%get_config_with_settings_dictsz,FirewallPolicy.get_config_with_settings_dictc sddlmd fdd }fdd}jjfjjfjjfjj fj j f||fj j fjjfjjfjjfd }|}t|}||jjd|gi|} j| |\} } | D]n} t| | trF| | D]>} t| tr.|| d |g| Rn|| d || qq|| d |q| D]} t| | tr| | D]L} t| tr|| d|g| Rd|d n|| d|| d|d qxn|| d|d|d q\dS) Nr)rcsj||dd|ddS)NrWrtimeoutsender)add_rule)r?rXrwrxrr"r$r%add_rule_wrapperszFFirewallPolicy.set_config_with_settings_dict..add_rule_wrappercs||ddS)NrW) remove_rule)r?rXrzr$r%remove_rule_wrapperszIFirewallPolicy.set_config_with_settings_dict..remove_rule_wrapper) rMrNrRrOrPZ rich_rulesrTrQr<r>r5rVrv)rN)firewall.core.richr add_serviceremove_serviceadd_port remove_portadd_icmp_blockremove_icmp_blockadd_masqueraderemove_masqueradeadd_forward_portremove_forward_port add_protocolremove_protocoladd_source_portremove_source_portadd_ingress_zoneremove_ingress_zoneadd_egress_zoneremove_egress_zoner2copyZimport_config_dictrZget_all_io_objects_dictr,ruZget_added_and_removed_settingsr^listtuple)r"r?Zsettingsrxr{r}Z setting_to_fnZold_objZ check_objZ old_settingsZ add_settingsZremove_settingsrorpr$rzr%set_config_with_settings_dictsD                 "z,FirewallPolicy.set_config_with_settings_dictcCs&|sttj|dvr"|j|dSN)r9r:rrZ INVALID_ZONErZ check_zoner"r=r$r$r%check_ingress_zones z!FirewallPolicy.check_ingress_zonecCs|||Sr)rrr$r$r%Z__ingress_zone_ids z FirewallPolicy.__ingress_zone_idrTc Cs|j|}|j||j|j|}||} | |jvrTttj d||f|durf| } n|} |r|j r| d|| | || ||| |j|| |j s||vr|j|| d| |j|dn| d|| n | || ||| |j|| |dur| ddSN'%s' already in '%s'FrHT)rrA check_timeout check_panicr! _FirewallPolicy__ingress_zone_idr<rrALREADY_ENABLEDr.rEr\&_FirewallPolicy__register_ingress_zoneadd_fail(_FirewallPolicy__unregister_ingress_zoner@rJrLri r"r?r=rwrxrIZ allow_applyrk_objzone_idrlr$r$r%rs4          zFirewallPolicy.add_ingress_zonecCs|j|dSr)r<r4r"rrrwrxr$r$r%Z__register_ingress_zonesz&FirewallPolicy.__register_ingress_zonecCs|j|}|j|j|}||}||jvrHttjd||f|durZ| }n|}|j rt |jdkr| ||n| d|||||||j||dd||vr| d||n||j|||dur|d|SN'%s' not in '%s'rVFT)rrArr!rr<rr NOT_ENABLEDr.rElenrFr\rrrr@add_postrir"r?r=rIrkrrrlr$r$r%rs.          z"FirewallPolicy.remove_ingress_zonecCs||jvr|j|dSr)r<remover"rrr$r$r%Z__unregister_ingress_zone4s z(FirewallPolicy.__unregister_ingress_zonecCs||||jvSr)rr2r<r"r?r=r$r$r%query_ingress_zone8sz!FirewallPolicy.query_ingress_zonecCs ||jSr)r2r<rtr$r$r%list_ingress_zones;sz!FirewallPolicy.list_ingress_zonescCs&|sttj|dvr"|j|dSrrrr$r$r%check_egress_zone@s z FirewallPolicy.check_egress_zonecCs|||Sr)rrr$r$r%Z__egress_zone_idFs zFirewallPolicy.__egress_zone_idc Cs|j|}|j||j|j|}||} | |jvrTttj d||f|durf| } n|} |r|j r| d|| | || ||| |j|| |j s||vr|j|| d| |j|dn| d|| n | || ||| |j|| |dur| ddSr)rrArrr!_FirewallPolicy__egress_zone_idr>rrrr.rEr\%_FirewallPolicy__register_egress_zoner'_FirewallPolicy__unregister_egress_zoner@rJrLrirr$r$r%rJs4          zFirewallPolicy.add_egress_zonecCs|j|dSr)r>r4rr$r$r%Z__register_egress_zonepsz%FirewallPolicy.__register_egress_zonecCs|j|}|j|j|}||}||jvrHttjd||f|durZ| }n|}|j rt |jdkr| ||n| d|||||||j||dd||vr| d||n||j|||dur|d|Sr)rrArr!rr>rrrr.rErrFr\rrrr@rrirr$r$r%rss.          z!FirewallPolicy.remove_egress_zonecCs||jvr|j|dSr)r>rrr$r$r%Z__unregister_egress_zones z'FirewallPolicy.__unregister_egress_zonecCs||||jvSr)rr2r>rr$r$r%query_egress_zonesz FirewallPolicy.query_egress_zonecCs ||jSr)r2r>rtr$r$r%list_egress_zonessz FirewallPolicy.list_egress_zonescCs |dSr)checkr"ruler$r$r% check_ruleszFirewallPolicy.check_rulecCs||t|Sr)rstrrr$r$r%Z __rule_ids zFirewallPolicy.__rule_idcCsx|sdS|jr,t|jrdSt|jrtdSnHt|dr@|jr@dSt|drt|jrt||j||j||jSdS)Nipv4ipv6macipset) addrrrhasattrrr_check_ipset_type_for_source_check_ipset_applied _ipset_family)r"sourcer$r$r%_rule_source_ipvs     zFirewallPolicy._rule_source_ipvcCs|||||dSr) _rule_prepare)r"rjr?rrlr$r$r%Z__ruleszFirewallPolicy.__rulec Cs|j|}|j||j|j|}||}||jvrd|jrL|jn|} tt j d|| f|durv| } n|} |j r| d||| |||||| |j|||dur| d|SNrT)rrArrr!_FirewallPolicy__rule_idrSr3rrrr.rErg_FirewallPolicy__register_ruler _FirewallPolicy__unregister_ruleri) r"r?rrwrxrIrkrrule_id_namerlr$r$r%rys(         zFirewallPolicy.add_rulecCs|j|dSr)rSr4)r"rrrwrxr$r$r%Z__register_ruleszFirewallPolicy.__register_rulec Cs|j|}|j|j|}||}||jvrX|jr@|jn|}ttj d||f|durj| }n|}|j r| d|||| |j|||dur|d|SNrFT)rrArr!rrSr3rrrr.rErgrrri) r"r?rrIrkrrrrlr$r$r%r|s$        zFirewallPolicy.remove_rulecCs||jvr|j|dSr)rSr)r"rrr$r$r%Z__unregister_rules z FirewallPolicy.__unregister_rulecCs||||jvSr)rr2rS)r"r?rr$r$r% query_ruleszFirewallPolicy.query_rulecCs ||jSr)r2rSrtr$r$r% list_rulesszFirewallPolicy.list_rulescCs|j|dSr)r check_servicer"servicer$r$r%rszFirewallPolicy.check_servicecCs|||Sr)rrr$r$r%Z __service_ids zFirewallPolicy.__service_idc Cs|j|}|j||j|j|}||}||jvrd|jrL|jn|} tt j d|| f|durv| } n|} |j r| d||| |||||| |j|||dur| d|Sr)rrArrr!_FirewallPolicy__service_idrMr3rrrr.rErb!_FirewallPolicy__register_servicer#_FirewallPolicy__unregister_serviceri) r"r?rrwrxrIrkr service_idrrlr$r$r%r s(         zFirewallPolicy.add_servicecCs|j|dSr)rMr4)r"rrrwrxr$r$r%Z__register_service)sz!FirewallPolicy.__register_servicec Cs|j|}|j|j|}||}||jvrX|jr@|jn|}ttj d||f|durj| }n|}|j r| d|||| |j|||dur|d|Sr)rrArr!rrMr3rrrr.rErbrrri) r"r?rrIrkrrrrlr$r$r%r,s$        zFirewallPolicy.remove_servicecCs||jvr|j|dSr)rMr)r"rrr$r$r%Z__unregister_serviceGs z#FirewallPolicy.__unregister_servicecCs||||jvSr)rr2rM)r"r?rr$r$r% query_serviceKszFirewallPolicy.query_servicecCs ||jSr)r2rMrtr$r$r% list_servicesNszFirewallPolicy.list_servicesc CsNg}|D]@}z|jj|}Wnty<ttj|Yn0||q|Sr)rhelper get_helperrrINVALID_HELPERr4)r"helpers_helpersr_helperr$r$r%get_helpers_for_service_helpersQs  z.FirewallPolicy.get_helpers_for_service_helpersc Csg}|D]}z|jj|}Wnty<ttj|Yn0t|jdkrt|j }z|jj|}| |Wqty|rt d|YqYq0q| |q|S)NrVzHelper '%s' is not available) rrrrrrrrNr moduler4rrh)r"modulesrjrrr_module_short_namerr$r$r%get_helpers_for_service_modules[s"     z.FirewallPolicy.get_helpers_for_service_modulescCs|j||j|dSr)r check_port check_tcpudpr"portprotocolr$r$r%rts zFirewallPolicy.check_portcCs|||t|d|fSN-rrrr$r$r%Z __port_idxs zFirewallPolicy.__port_idcsp|j|}|j||j|j|}ttfdd|j} | D]8} t|| drH|j rf|j n|} t t j d|| fqHt |dd| D\} } |dur|}n|}|jr| D]}|d|t|d|q| D]}|d |t|d|q| D]0}||} ||| ||||j|| q| D]"}||} ||j|| q4|durl|d|S) Ncs |dkSNrVr$xrr$r%z)FirewallPolicy.add_port..r'%s:%s' already in '%s'cSsg|] \}}|qSr$r$.0rcrdr$r$r% rz+FirewallPolicy.add_port..TrF)rrArrr!rfilterrNr r3rrrr r.rErcr_FirewallPolicy__port_id_FirewallPolicy__register_portr _FirewallPolicy__unregister_portrrir"r?rrrwrxrIrkrexisting_port_idsport_idr added_rangesremoved_rangesrlranger$rr%r|s<          zFirewallPolicy.add_portcCs|j|dSr)rNr4r"rrrwrxr$r$r%Z__register_portszFirewallPolicy.__register_portcsh|j|}|j|j|}ttfdd|j}|D]}t||dr<qzq<|jr`|jn|} t t j d|| ft |dd|D\} } |dur| } n|} |jr| D]} |d|t| d| q| D]} |d |t| d| q| D]0} || }|||dd| |j||q| D]"} || }| |j||q,|durd| d|S) Ncs |dkSrr$rrr$r%rrz,FirewallPolicy.remove_port..r'%s:%s' not in '%s'cSsg|] \}}|qSr$r$rr$r$r%rrz.FirewallPolicy.remove_port..TrF)rrArr!rrrNr r3rrrr r.rErcrrrrrrrir"r?rrrIrkrrrrrrrlrr$rr%rs<         zFirewallPolicy.remove_portcCs||jvr|j|dSr)rNrr"rrr$r$r%Z__unregister_ports z FirewallPolicy.__unregister_portcCs2||jD] \}}t||r ||kr dSq dSNTF)r2rNr r"r?rrrcrdr$r$r% query_portszFirewallPolicy.query_portcCs ||jSr)r2rNrtr$r$r% list_portsszFirewallPolicy.list_portscCst|sttj|dSr)rrrZINVALID_PROTOCOLr"rr$r$r%check_protocolszFirewallPolicy.check_protocolcCst|sttjd|dS)Nzatcp-mss-clamp value must be greater than or equal to 536, or the value 'pmtu'. Invalid value '%s')r rr INVALID_RULE)r"tcp_mss_clamp_valuer$r$r%check_tcp_mss_clampsz"FirewallPolicy.check_tcp_mss_clampcCs|||Sr)r r r$r$r%Z __protocol_ids zFirewallPolicy.__protocol_idc Cs|j|}|j||j|j|}||}||jvrd|jrL|jn|} tt j d|| f|durv| } n|} |j r| d||| |||||| |j|||dur| d|Sr)rrArrr!_FirewallPolicy__protocol_idrTr3rrrr.rErd"_FirewallPolicy__register_protocolr$_FirewallPolicy__unregister_protocolri) r"r?rrwrxrIrkr protocol_idrrlr$r$r%rs(         zFirewallPolicy.add_protocolcCs|j|dSr)rTr4)r"rrrwrxr$r$r%Z__register_protocol sz"FirewallPolicy.__register_protocolc Cs|j|}|j|j|}||}||jvrX|jr@|jn|}ttj d||f|durj| }n|}|j r| d|||| |j|||dur|d|Sr)rrArr!rrTr3rrrr.rErdrrri) r"r?rrIrkrrrrlr$r$r%r s(         zFirewallPolicy.remove_protocolcCs||jvr|j|dSr)rTr)r"rrr$r$r%Z__unregister_protocol(s z$FirewallPolicy.__unregister_protocolcCs||||jvSr)rr2rT)r"r?rr$r$r%query_protocol,szFirewallPolicy.query_protocolcCs ||jSr)r2rTrtr$r$r%list_protocols/szFirewallPolicy.list_protocolscCs|||t|d|fSrrrr$r$r%Z__source_port_id4s zFirewallPolicy.__source_port_idcsp|j|}|j||j|j|}ttfdd|j} | D]8} t|| drH|j rf|j n|} t t j d|| fqHt |dd| D\} } |dur|}n|}|jr| D]}|d|t|d|q| D]}|d |t|d|q| D]0}||} ||| ||||j|| q| D]"}||} ||j|| q4|durl|d|S) Ncs |dkSrr$rrr$r%r?rz0FirewallPolicy.add_source_port..rrcSsg|] \}}|qSr$r$rr$r$r%rFrz2FirewallPolicy.add_source_port..TrF)rrArrr!rrrQr r3rrrr r.rErer_FirewallPolicy__source_port_id%_FirewallPolicy__register_source_portr'_FirewallPolicy__unregister_source_portrrirr$rr%r8s<          zFirewallPolicy.add_source_portcCs|j|dSr)rQr4rr$r$r%Z__register_source_port`sz%FirewallPolicy.__register_source_portcsh|j|}|j|j|}ttfdd|j}|D]}t||dr<qzq<|jr`|jn|} t t j d|| ft |dd|D\} } |dur| } n|} |jr| D]} |d|t| d| q| D]} |d |t| d| q| D]0} || }|||dd| |j||q| D]"} || }| |j||q,|durd| d|S) Ncs |dkSrr$rrr$r%rirz3FirewallPolicy.remove_source_port..rrcSsg|] \}}|qSr$r$rr$r$r%rrrz5FirewallPolicy.remove_source_port..TrF)rrArr!rrrQr r3rrrr r.rErerrrrrrrirr$rr%rcs<         z!FirewallPolicy.remove_source_portcCs||jvr|j|dSr)rQrrr$r$r%Z__unregister_source_ports z'FirewallPolicy.__unregister_source_portcCs2||jD] \}}t||r ||kr dSq dSr)r2rQr rr$r$r%query_source_portsz FirewallPolicy.query_source_portcCs ||jSr)r2rQrtr$r$r%list_source_portssz FirewallPolicy.list_source_portsc Cs|j|}|j||j|j|}|jrR|jr>|jn|}ttj d||durd| }n|}|j r|| d||| |||||j||dur|d|S)Nz"masquerade already enabled in '%s'T)rrArrr!rOr3rrrr.rErf$_FirewallPolicy__register_masquerader&_FirewallPolicy__unregister_masqueraderi) r"r?rwrxrIrkrrrlr$r$r%rs&      zFirewallPolicy.add_masqueradecCs d|_dSNTrO)r"rrwrxr$r$r%Z__register_masqueradesz$FirewallPolicy.__register_masqueradecCs|j|}|j|j|}|jsF|jr2|jn|}ttjd||durX| }n|}|j rp| d||| |j ||dur|d|S)Nzmasquerade not enabled in '%s'FT)rrArr!rOr3rrrr.rErfrrri)r"r?rIrkrrrlr$r$r%rs"     z FirewallPolicy.remove_masqueradecCs d|_dSNFrr"rr$r$r%Z__unregister_masqueradesz&FirewallPolicy.__unregister_masqueradecCs ||jSr)r2rOrtr$r$r%query_masqueradeszFirewallPolicy.query_masqueradecCsZ|j||j||r(|j||rBt||sBttj||sV|sVttjddS)Nz.port-forwarding is missing to-port AND to-addr)rrrrrrZ INVALID_ADDRZINVALID_FORWARD)r"ipvrrtoporttoaddrr$r$r%check_forward_ports     z!FirewallPolicy.check_forward_portcCsLtd|r|d||||n|d||||t|d|t|dt|fS)Nrrr)rr$rr)r"rrr"r#r$r$r%Z__forward_port_ids   z FirewallPolicy.__forward_port_idc  Cs|j|} |j||j|j| } |||||} | | jvrp| jrR| jn| } tt j d||||| f|dur| } n|} | j r| d| | |||||| | ||| |j| | |dur| d| S)Nz'%s:%s:%s:%s' already in '%s'T)rrArrr! _FirewallPolicy__forward_port_idrPr3rrrr.rEra&_FirewallPolicy__register_forward_portr(_FirewallPolicy__unregister_forward_portri)r"r?rrr"r#rwrxrIrkr forward_idrrlr$r$r%rs0        zFirewallPolicy.add_forward_portcCs|j|dSr)rPr4)r"rr(rwrxr$r$r%Z__register_forward_portsz&FirewallPolicy.__register_forward_portc Cs|j|}|j|j|}|||||} | |jvrd|jrF|jn|} ttj d||||| f|durv| } n|} |j r| d|| ||||| |j|| |dur| d|S)Nz'%s:%s:%s:%s' not in '%s'FT)rrArr!r%rPr3rrrr.rErarr'ri) r"r?rrr"r#rIrkrr(rrlr$r$r%rs,       z"FirewallPolicy.remove_forward_portcCs||jvr|j|dSr)rPr)r"rr(r$r$r%Z__unregister_forward_port1s z(FirewallPolicy.__unregister_forward_portcCs |||||}|||jvSr)r%r2rP)r"r?rrr"r#r(r$r$r%query_forward_port5sz!FirewallPolicy.query_forward_portcCs ||jSr)r2rPrtr$r$r%list_forward_ports:sz!FirewallPolicy.list_forward_portscCs|j|dSr)rZcheck_icmptyper"icmpr$r$r%check_icmp_block?szFirewallPolicy.check_icmp_blockcCs|||Sr)r-r+r$r$r%Z__icmp_block_idBs zFirewallPolicy.__icmp_block_idc Cs|j|}|j||j|j|}||}||jvrd|jrL|jn|} tt j d|| f|durv| } n|} |j r| d||| |||||| |j|||dur| d|Sr)rrArrr!_FirewallPolicy__icmp_block_idrRr3rrrr.rEr`$_FirewallPolicy__register_icmp_blockr&_FirewallPolicy__unregister_icmp_blockri) r"r?r,rwrxrIrkricmp_idrrlr$r$r%rFs(         zFirewallPolicy.add_icmp_blockcCs|j|dSr)rRr4)r"rr1rwrxr$r$r%Z__register_icmp_blockcsz$FirewallPolicy.__register_icmp_blockc Cs|j|}|j|j|}||}||jvrX|jr@|jn|}ttj d||f|durj| }n|}|j r| d|||| |j|||dur|d|Sr)rrArr!r.rRr3rrrr.rEr`rr0ri) r"r?r,rIrkrr1rrlr$r$r%rfs$        z FirewallPolicy.remove_icmp_blockcCs||jvr|j|dSr)rRr)r"rr1r$r$r%Z__unregister_icmp_blocks z&FirewallPolicy.__unregister_icmp_blockcCs||||jvSr)r.r2rR)r"r?r,r$r$r%query_icmp_blockszFirewallPolicy.query_icmp_blockcCs ||jSr)r2rRrtr$r$r%list_icmp_blocksszFirewallPolicy.list_icmp_blocksc Cs|j|}|j|j|}|jrF|jr2|jn|}ttjd||durX| }n|}|j r|j D]}| d|||qh| d|||||||j|||j r|j D]}| d|||q| d|||dur|d|S)Nz,icmp-block-inversion already enabled in '%s'FT)rrArr!rUr3rrrr.rErRr`_icmp_block_inversion._FirewallPolicy__register_icmp_block_inversionr*_FirewallPolicy__undo_icmp_block_inversionri) r"r?rxrIrkrrrlrpr$r$r%add_icmp_block_inversions2        z'FirewallPolicy.add_icmp_block_inversioncCs d|_dSrrU)r"rrxr$r$r%Z__register_icmp_block_inversionsz.FirewallPolicy.__register_icmp_block_inversioncCs`|}|jr*|jD]}|d|||qd|_|jrR|jD]}|d|||q<|ddS)NFT)r.rErRr`rUri)r"rkrrlrpr$r$r%Z__undo_icmp_block_inversions  z*FirewallPolicy.__undo_icmp_block_inversioncCs|j|}|j|j|}|jsF|jr2|jn|}ttjd||durX| }n|}|j r|j D]}| d|||qh| d||||||j|d|j r|j D]}| d|||q| d|||dur|d|S)Nz(icmp-block-inversion not enabled in '%s'FT)rrArr!rUr3rrrr.rErRr`r40_FirewallPolicy__unregister_icmp_block_inversionrr5ri)r"r?rIrkrrrlrpr$r$r%remove_icmp_block_inversions6         z*FirewallPolicy.remove_icmp_block_inversioncCs d|_dSrr8rr$r$r%Z!__unregister_icmp_block_inversionsz0FirewallPolicy.__unregister_icmp_block_inversioncCs ||jSr)r2rUrtr$r$r%query_icmp_block_inversionsz)FirewallPolicy.query_icmp_block_inversionc Cs|jj|}|jr*|jjj|jd}n|}|rT||jvrt||f|j|vrtdSn ||jvsp||f|j|vrtdS|jD]2}|jr~|| vr~| ||||} | || q~| ||||fg| |j || ||fgdSNr)rr?r2r3r=Z_zone_policiesr enabled_backendspolicies_supportedZget_available_tablesZbuild_policy_chain_rules add_rules_register_chainsr) r"r?creatermrnrlrCZtracking_policybackendrulesr$r$r%r[s*   zFirewallPolicy.gen_chain_rulescCs^|D]T\}}|r*|j|g||fq|j|||ft|j|dkr|j|=qdSr<)r setdefaultr4rr)r"r?rAZtablesrmrnr$r$r%r@s  zFirewallPolicy._register_chainscCs$|jj|dkrdS|jj|S)Nzhash:mac)rrget_typeZ get_familyr"rBr$r$r%rszFirewallPolicy._ipset_familycCs|jj|Sr)rrrErFr$r$r%Z __ipset_type!szFirewallPolicy.__ipset_typecCsd|g|jj|S)N,)joinrrZ get_dimension)r"rBflagr$r$r%_ipset_match_flags$sz!FirewallPolicy._ipset_match_flagscCs|jj|Sr)rrZ check_appliedrFr$r$r%r'sz#FirewallPolicy._check_ipset_appliedcCs*||}|tvr&ttjd||fdS)Nz.ipset '%s' with type '%s' not usable as source)_FirewallPolicy__ipset_typerrrZ INVALID_IPSET)r"rBZ_typer$r$r%r*s z+FirewallPolicy._check_ipset_type_for_sourcec st|jtkrjj|jj}|dur2|jjg}|jD]H}||vrFq8|| |t |}||j_j |||||dq8g} |j r|j g} nH|jrt|jtst|jtrވjj|jjjrއfdddD} |j} | r"|j r|j | kr"ttjd| |j fn| g} | s0ddg} fdd| D} | |_tfd d| DD]2} t|jtkrjj|jj}g} t|jd kr|jrttjd | D].} | |jvr| | r| |j| qn | d| D]}t|jtkr|j |}|!|j"7}t#t|d d d}g}|D]}|j$}t%|}|&dd}| ||j dkr| |j sqBt|j'dkr| |n6|j'D].\}}| (||||||j|}|)| |qqB|*||j'D]*\}}| +||||||}|)| |q|j,D]$}| -|||||}|)| |q |j.D]*\}}| /||||||}|)| |qLqq^t|jt0kr|jj1}|jj2}3||| +||||d|}|)| |q^t|jt4kr|jj5}6|| -|||d|}|)| |q^t|jt7krX|jj5}8|| 9|||d|}|)| |q^t|jt:kr|r| D]} | | rr|;t<| qr| =|||}|)| |q^t|jt>krH|jj1}|jj2}|jj?}|jj@}| D]<} | | rA| |||||r|r|;t<| q| B|||||||}|)| |q^t|jtCkr|jj1}|jj2}3||| /||||d|}|)| |nt|jtkst|jtkrRjj|jj|j rjr|j jvrttjDd|j |jjft|jtkr4|jr4t|jtkr4ttjd| E|||}|)| |n>|jdurz| F|||}|)| |nttjdt|jq^dS)Nincluded_servicescsg|]}|jvr|qSr$) destinationrr!)ictr$r%rGrz0FirewallPolicy._rule_prepare..rrz;Source address family '%s' conflicts with rule family '%s'.rrcsg|]}j|r|qSr$)ris_ipv_enabledrOr(r$r%rXrcsg|]}j|qSr$)rget_backend_by_ipv)rrr(r$r%r]rrz"Destination conflict with service.cSs|jSrrBrr$r$r%rurz.FirewallPolicy._rule_prepare..ro conntracknatrrVz3rich rule family '%s' conflicts with icmp type '%s'z'IcmpBlock not usable with accept actionzUnknown element %s)Gtypeelementrrr get_servicerBincludesrr4rdeepcopyrfamilyr^rrconfig get_icmptyperNrrrrr ipvsr;ris_ipv_supportedactionrrrrrr/rr replacerNbuild_policy_helper_ports_rulesr?Z add_modulesbuild_policy_ports_rulesrTbuild_policy_protocol_rulesrQbuild_policy_source_ports_rulesrrrrrvaluer rrZ build_policy_tcp_mss_clamp_rulesrrrbuild_policy_masquerade_rulesrZto_portZ to_addressr$build_policy_forward_port_rulesrZINVALID_ICMPTYPEbuild_policy_icmp_block_rulesZ*build_policy_rich_source_destination_rules)r"rjr?rrlrMsvcincludeZ_ruler`Z source_ipvrBZ destinationsr!rNrrrrr nat_modulerprotorCrr r"r#r$)rPr"r%r2sJ                                    zFirewallPolicy._rule_preparec Cs>|jj|}||j|}|||j7}tt|ddd}|durN|g}|j D]6}||vrbqT| || ||j |||||dqTg} dD]f} |j | sq|j| } t|jdkr| |jvr| | |j| fq| df| vr| | dfq| D]6\} } |D]} | j}t|}| jdd}||| jd krV| | jsVqt| jd krr||n6| jD].\}}| ||||| | j|}|| |qxq|jD](\}}| ||||| }|| |q|jD]"}| |||| }|| |q|jD](\}}| ||||| }|| |q qdS) NcSs|jSrrTrr$r$r%rrz)FirewallPolicy._service..rUrLrQrrVrWrrV) rrrZrrrrr/r;r[rr4rbrRrSrrNrr rcZ add_moduler]rarNrdrBr?rerTrfrQrg)r"rjr?rrlrMrlrrmZ backends_ipvr!rBrNrrrrnrrorCrr$r$r%rbsj            zFirewallPolicy._servicecCs8|jD](}|jsq |||||}|||q dSr)rr=r>rer?r"rjr?rrrlrBrCr$r$r%rc:s zFirewallPolicy._portcCs6|jD]&}|jsq ||||}|||q dSr)rr=r>rfr?)r"rjr?rrlrBrCr$r$r%rdCs zFirewallPolicy._protocolcCs8|jD](}|jsq |||||}|||q dSr)rr=r>rgr?rpr$r$r%reKs zFirewallPolicy._source_portcCs8d}|t||j|}|||}|||dS)Nr)rrrrSrir?)r"rjr?rlr!rBrCr$r$r%rfSs    zFirewallPolicy._masqueradec CsXtd|rd}nd}|r(|r(|t||j|} | ||||||} || | dS)Nrr)rrrrrSrjr?) r"rjr?rlrrr"r#r!rBrCr$r$r%ra[s    zFirewallPolicy._forward_portc Csz|jj|}|jD]\}|js$qd}|jrTdD] }||jvr2||s2d}qTq2|rZq||||} ||| qdS)NFrQT) rr^r_r=r>rNrarkr?) r"rjr?r,rlrPrBZ skip_backendr!rCr$r$r%r`js  zFirewallPolicy._icmp_blockcCsb|j|j}|dvrdS||s.|dkr.dS|jD]$}|jsDq8|||}|||q8dS)N)ZDROPz %%REJECT%%ZREJECTZACCEPT)r!targetr;rr=r>Z'build_policy_icmp_block_inversion_rulesr?)r"rjr?rlrqrBrCr$r$r%r4s  z$FirewallPolicy._icmp_block_inversioncCs&t|j}|||||ddSr)rrr\ri)r"rjr?rlr$r$r%!_ingress_egress_zones_transactions z0FirewallPolicy._ingress_egress_zones_transactionc Cs|j|}|j}|j}t}t}t} t} |D]:} | dvr@q2|t|jj| O}| t|jj| O} q2|D]:} | dvrqr|t|jj| O}| t|jj| O} qr|jD]D} | j sq| |D],\} }| ||| |||| | }| | |qqdS)N)r:r9) r!r<r>r;rr=Zlist_interfacesZ list_sourcesr=r>rYZ!build_policy_ingress_egress_rulesr?)r"rjr?rlrCr<r>Zingress_interfacesZegress_interfacesZingress_sourcesZegress_sourcesr=rBrmrnrCr$r$r%r\s4  z$FirewallPolicy._ingress_egress_zonescCs |j|}d|jvrrnftables_enabledr4Z_firewall_backendr=Zget_zoneZ interfaces)r"r?rCtcr=r$r$r%rYsl                             z4FirewallPolicy._get_table_chains_for_policy_dispatchcCsf|j|}d|jvr0dg}|jjs,|d|Sd|jvrBgdSd|jvrRdgSttjd|dS) z8Create a list of (table, chain) needed for zone dispatchr9rsrxr:r}r|zInvalid policy: %sN) r!r>rr~r4r<rrINVALID_POLICY)r"r?rCrr$r$r%rZ s     z2FirewallPolicy._get_table_chains_for_zone_dispatchFcCs|jj|}|jr|j}n||}d|jvrh|dkr>d|S|dkrNd|S|jsd|dvrdd|Snd|jvr|js|dvrd|Snd |jvr|dkrd |S|d kr|rd |Sd|Sn|d vrd|Snd |jvr.|dkrd |S|d kr|rd |Sd|Sn|d vr||js|d|SnN|js||dkrHd |S|d krj|r`d |Sd|Sn|d vr|d|Sttjd|||fdS)Nr9rZIN_ryZPRE_)rwrW)rrWZOUT_r:ZFWD_rWZPOST_)rwryz.Can't convert policy to chain name: %s, %s, %s) rr?r2r3r>r<rrr)r"r?rmZ policy_prefixZisSNATrCsuffixr$r$r%policy_base_chain_name!sZ                z%FirewallPolicy.policy_base_chain_name)N)N)N)N)rNNT)N)rNNT)N)rNN)N)rNN)N)rNN)N)rNN)N)rNN)N)rNN)N)NN)NN)NNrNN)NNN)NN)rNN)N)NN)N)N)N)NN)F)__name__ __module__ __qualname__r&r)r+r.r1r8r@r2rDrGrKrLrqrJrFrurrrrrrrrrrrrrrrrrrrrrgryrr|rrrrrrrrrrrrrrrrrrrrr r rrrrrrrrrrrrrrrrrrrr r$r%rr&rr'r)r*r-r.rr/rr0r2r3r7r5r6r:r9r;r[r@rrKrJrrrrbrcrdrerfrar`r4rrr\rYrZrr$r$r$r%rs>   F  5 & # & #      ( )   ( )         ' '  I @    Vr)%rZfirewall.core.loggerrZfirewall.functionsrrrrrrr r r r r r~rrrrrrrrrrrZfirewall.core.fw_transactionrZfirewallrZfirewall.errorsrZfirewall.core.baserobjectrr$r$r$r%s 44