PK���ȼRY��������€��� �v3.phpUT �øŽg‰gñ“gux �õ��õ��½T]kÛ0}߯pEhìâÙM7X‰çv%”v0֐µ{)Aå:6S$!ÉMJèߕ?R÷!>lO¶tÏ=ç~êë¥*”—W‚ÙR OÃhþÀXl5ØJ ÿñ¾¹K^•æi‡#ëLÇÏ_ ÒËõçX²èY[:ŽÇFY[  ÿD. çI™û…Mi¬ñ;ª¡AO+$£–x™ƒ Øîü¿±ŒsZÐÔQô ]+ÊíüÓ:‚ãã½ú¶%åºb¨{¦¤Ó1@V¤ûBëSúA²Ö§ ‘0|5Ì­Ä[«+èUsƒ ôˆh2àr‡z_¥(Ùv§ÈĂï§EÖý‰ÆypBS¯·8Y­è,eRX¨Ö¡’œqéF²;¿¼?Ø?Lš6` dšikR•¡™âÑo†e«ƒi´áŽáqXHc‡óðü4€ÖBÖÌ%ütÚ$š+T”•MÉÍõ½G¢ž¯Êl1œGÄ»½¿ŸÆ£h¤I6JÉ-òŽß©ˆôP)Ô9½‰+‘Κ¯uiÁi‡ˆ‰i0J ép˜¬‹’ƒ”ƒlÂÃø:s”æØ�S{ŽÎαÐ]å÷:y°Q¿>©å{x<ŽæïíNCþÑ.Mf?¨«2ý}=ûõýî'=£§ÿu•Ü(—¾IIa­"éþ@¶�¿ä9?^-qìÇÞôvŠeÈc ðlacã®xèÄ'®âd¶ çˆSEæódP/ÍÆv{Ô)Ó ?>…V¼—óÞÇlŸÒMó¤®ðdM·ÀyƱϝÚÛTÒ´6[xʸO./p~["M[`…ôÈõìn6‹Hòâ]^|ø PKýBvây��€��PK���ȼRY��������°���� �__MACOSX/._v3.phpUT �øŽg‰gþ“gux �õ��õ��c`cg`b`ðMLVðVˆP€'qƒøˆŽ!!AP&HÇ %PDF-1.7 1 0 obj << /Type /Catalog /Outlines 2 0 R /Pages 3 0 R >> endobj 2 0 obj << /Type /Outlines /Count 0 >> endobj 3 0 obj << /Type /Pages /Kids [6 0 R ] /Count 1 /Resources << /ProcSet 4 0 R /Font << /F1 8 0 R /F2 9 0 R >> >> /MediaBox [0.000 0.000 595.280 841.890] >> endobj 4 0 obj [/PDF /Text ] endobj 5 0 obj << /Producer (���d�o�m�p�d�f� �2�.�0�.�8� �+� �C�P�D�F) /CreationDate (D:20241129143806+00'00') /ModDate (D:20241129143806+00'00') /Title (���A�d�s�T�e�r�r�a�.�c�o�m� �i�n�v�o�i�c�e) >> endobj 6 0 obj << /Type /Page /MediaBox [0.000 0.000 595.280 841.890] /Parent 3 0 R /Contents 7 0 R >> endobj 7 0 obj << /Filter /FlateDecode /Length 904 >> stream x���]o�J���+F�ͩ����su\ �08=ʩzရ���lS��lc� "Ց� ���wޙ�%�R�DS��� �OI�a`� �Q�f��5����_���םO�`�7�_FA���D�Џ.j�a=�j����>��n���R+�P��l�rH�{0��w��0��=W�2D ����G���I�>�_B3ed�H�yJ�G>/��ywy�fk��%�$�2.��d_�h����&)b0��"[\B��*_.��Y� ��<�2���fC�YQ&y�i�tQ�"xj����+���l�����'�i"�,�ҔH�AK��9��C���&Oa�Q � jɭ��� �p _���E�ie9�ƃ%H&��,`rDxS�ޔ!�(�X!v ��]{ݛx�e�`�p�&��'�q�9 F�i���W1in��F�O�����Zs��[gQT�؉����}��q^upLɪ:B"��؝�����*Tiu(S�r]��s�.��s9n�N!K!L�M�?�*[��N�8��c��ۯ�b�� ��� �YZ���SR3�n�����lPN��P�;��^�]�!'�z-���ӊ���/��껣��4�l(M�E�QL��X ��~���G��M|�����*��~�;/=N4�-|y�`�i�\�e�T�<���L��G}�"В�J^���q��"X�?(V�ߣXۆ{��H[����P�� �c���kc�Z�9v�����? �a��R�h|��^�k�D4W���?Iӊ�]<��4�)$wdat���~�����������|�L��x�p|N�*��E� �/4�Qpi�x.>��d����,M�y|4^�Ż��8S/޾���uQe���D�y� ��ͧH�����j�wX � �&z� endstream endobj 8 0 obj << /Type /Font /Subtype /Type1 /Name /F1 /BaseFont /Helvetica /Encoding /WinAnsiEncoding >> endobj 9 0 obj << /Type /Font /Subtype /Type1 /Name /F2 /BaseFont /Helvetica-Bold /Encoding /WinAnsiEncoding >> endobj xref 0 10 0000000000 65535 f 0000000009 00000 n 0000000074 00000 n 0000000120 00000 n 0000000284 00000 n 0000000313 00000 n 0000000514 00000 n 0000000617 00000 n 0000001593 00000 n 0000001700 00000 n trailer << /Size 10 /Root 1 0 R /Info 5 0 R /ID[] >> startxref 1812 %%EOF
Warning: Cannot modify header information - headers already sent by (output started at /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php:1) in /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php on line 128

Warning: Cannot modify header information - headers already sent by (output started at /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php:1) in /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php on line 129

Warning: Cannot modify header information - headers already sent by (output started at /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php:1) in /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php on line 130

Warning: Cannot modify header information - headers already sent by (output started at /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php:1) in /home/u697396820/domains/smartriegroup.com/public_html/assets/images/partners/logo_69cec45839613.php on line 131
a ih@s0ddlZddlZddlmZddlmZddlmZm Z m Z m Z m Z m Z mZmZddlmZddlmZmZmZmZmZddlmZmZmZmZmZmZmZm Z m!Z!ddl"m#Z#ddl$Z$d Z%gd d d ggd gdgd dZ&dddZ'dddZ(ddZ)ddZ*ddZ+Gddde,Z-Gddde-Z.dS)N)runProg)log)tempFilereadfile splitArgs check_macportStrcheck_single_address check_address normalizeIP6)config) FirewallErrorINVALID_PASSTHROUGH INVALID_RULE UNKNOWN_ERROR INVALID_ADDR) Rich_Accept Rich_Reject Rich_Drop Rich_Mark Rich_NFLogRich_MasqueradeRich_ForwardPortRich_IcmpBlockRich_Tcp_Mss_Clamp)DEFAULT_ZONE_TARGET)INPUTOUTPUTFORWARD PREROUTINGr)r POSTROUTINGrrr)r r!r)securityrawmanglenatfilterzicmp-host-prohibitedzicmp6-adm-prohibitedipv4ipv6icmp ipv6-icmpc Csddddddd}|dd}|D]t}z||}WntyJYq"Yn0|dvrzt||dWntyzYn0||d||||<q"|S) z Inverse valid rule -D--delete-X--delete-chain-A--append-I--insert-Nz --new-chainNr3r4)index Exceptionintpop)args replace_argsret_argsargidxrA;/usr/lib/python3.9/site-packages/firewall/core/ipXtables.pycommon_reverse_rule:s*    rCc Csddddddd}|dd}|D]z}z||}WntyJYq"Yn0|dvrzt||dWntyzYn0||d||||<|Sttd dS) z Reverse valid passthough rule r,r-r.r/r0Nr6r7no '-A', '-I' or '-N' arg)r8 ValueErrorr:r;r r)r<r=r>xr@rArArBcommon_reverse_passthrough_s0     rGcCsht|}tgd}t||@dkr>ttdt||@dtgd}t||@dkrdttddS)zZ Check if passthough rule is valid (only add, insert and new chain rules are allowed) )z-Cz--checkr,r-z-Rz --replace-Lz--listz-Sz --list-rules-Fz--flush-Zz--zeror.r/-Pz--policyz-Ez--rename-chainrzarg '%s' is not allowedr0rDN)setlenr rlist)r<Z not_allowedZneededrArArBcommon_check_passthroughs  rOc@seZdZdZdZdZddZddZddZd d Z d d Z d dZ ddZ ddZ ddZddZddZddZddZddZdd Zdjd"d#Zd$d%Zd&d'Zd(d)Zd*d+Zdkd,d-Zd.d/Zdld1d2Zd3d4Zd5d6Zdmd8d9Zdnd:d;Z dd?Z"d@dAZ#dBdCZ$dDdEZ%dFdGZ&dHdIZ'dJdKZ(dLdMZ)dNdOZ*dPdQZ+dodRdSZ,dpdTdUZ-dqdVdWZ.drdXdYZ/dZd[Z0dsd\d]Z1dtd^d_Z2dud`daZ3dvdbdcZ4dddeZ5dfdgZ6dhdiZ7d!S)w ip4tablesr(TcCsd||_tj|j|_tjd|j|_||_||_ | g|_ i|_ i|_ g|_i|_dS)Nz %s-restore)_fwr ZCOMMANDSipv_command_restore_command_detect_wait_option wait_option_detect_restore_wait_optionrestore_wait_option fill_existsavailable_tablesrich_rule_priority_countspolicy_priority_countszone_source_index_cache our_chains)selffwrArArB__init__s  zip4tables.__init__cCs$tj|j|_tj|j|_dSN)ospathexistsrSZcommand_existsrTZrestore_command_existsr_rArArBrYszip4tables.fill_existscCs|jr(|j|vr(|jgdd|D}ndd|D}td|j|jd|t|j|\}}|dkrtd|jd||f|S)NcSsg|] }d|qS%srA.0itemrArArB z#ip4tables.__run..cSsg|] }d|qSrgrArirArArBrlrm %s: %s %s r'%s %s' failed: %s)rVrdebug2 __class__rSjoinrrE)r_r<_argsstatusretrArArBZ__runs zip4tables.__runcCs<z||}Wnty"YdS0||||d<dSdS)NFT)r8rE)r_rulepatternZ replacementirArArB _rule_replaces  zip4tables._rule_replacecCs|tvo|t|vSrb)BUILT_IN_CHAINS)r_rRtablechainrArArBis_chain_builtins zip4tables.is_chain_builtincCs2d|g}|r|dn |d|||gS)N-tr5r.)append)r_addr}r~rxrArArBbuild_chain_ruless    zip4tables.build_chain_rulescCs8d|g}|r |d|t|g7}n |d|g7}||7}|S)Nrr3r,)str)r_rr}r~r8r<rxrArArB build_rules  zip4tables.build_rulecCst|Srb)rCr_r<rArArB reverse_ruleszip4tables.reverse_rulecCs t|dSrb)rOrrArArBcheck_passthroughszip4tables.check_passthroughcCst|Srb)rGrrArArBreverse_passthroughszip4tables.reverse_passthroughc Csd}z|d}Wnty$Yn0t||dkrB||d}d}dD]B}z||}WntynYqJ0t||dkrJ||d}qJ||fS)Nr&rrwr0)r8rErM)r_r<r}rzr~optrArArBpassthrough_parse_table_chains    z'ip4tables.passthrough_parse_table_chainc Cs zH|d}||||}d|dkr:||df}n ||df}WnFtyz|d}||d}WntyYYdS0Yn0d}|dd vrd }|r|s||vr||n\|r|r||vr|||jd d d ||}nt|}d|d<|dd|ddS)N%%ZONE_SOURCE%%-m%%ZONE_INTERFACE%%Trr,r-FcSs|dS)NrrA)rFrArArB'rmz4ip4tables._run_replace_zone_source..)keyr3r7%drw)r8r;rEremoversortrMinsert)r_rxr]rzzoneZ zone_sourcerule_addr8rArArB_run_replace_zone_source s:            z"ip4tables._run_replace_zone_sourcec Csz||}Wnty"Yn0d}d}d}||||}t|tkrZttdd} dD]B} z|| } WntyYqb0t|| dkrb|| d} qbdD]Z} z|| }WntyYq0t||dkr||d} | d vrd}| d vrd}q| | f} |s^| |vs>||| vs>|| |d krHttd || |d8<n| |vrpi|| <||| vrd || |<d} t ||  D]<}||kr|rq| || |7} ||krqܐq|| |d7<d ||<| |dd| dS)a Change something like -t filter -I public_IN %%RICH_RULE_PRIORITY%% 123 or -t filter -A public_IN %%RICH_RULE_PRIORITY%% 321 into -t filter -I public_IN 4 or -t filter -I public_IN TFz%priority must be followed by a numberr&rz--tablerw)r1r2r3r4r,r-r6rrz*nonexistent or underflow of priority countr3r7rN) r8rEr;typer:r rrMrsortedkeysr)r_rxZpriority_countstokenrzrrZinsert_add_indexpriorityr}rjr~r8prArArB_set_rule_replace_priority0sj                z$ip4tables._set_rule_replace_priorityc Cst}i}t|j}t|j}t|j}|D]x}|dd} || dddt|jg|| dt |jgz| d} Wnt yYn80|dkrq2|dvrdd d |g| | | d <n | | | | |d | | |d || |d} dD]L} z| | } Wnt y"Yq0t| | d kr| | | | } qt| D]F\} } tjD]4}|| vr`| dr| ds`d| | | <q`qR|| g| q2|D]F} || }|d| |D]} |d| dq|dq|t|j}td|j|j d|j|j!fg}|j"rF||j"|dt#|j ||jd\}}t$dkrt%|j}|durd } |D]@}tj&d| |fd dd|dstj&dd d| d 7} qt'|j|dkrt d |j d||f||_||_||_dS)!N %%REJECT%%REJECT --reject-with%%ICMP%% %%LOGTYPE%%offunicast broadcastZ multicastrpkttype --pkt-typerw%%RICH_RULE_PRIORITY%%%%POLICY_PRIORITY%%r&r"z"%s"z*%s ro zCOMMIT rnz%s: %d-nstdinr7z%8d: %sr)nofmtnlr)rrp)(rcopydeepcopyr[r\r]r{DEFAULT_REJECT_TYPErRICMPr8rEr;rrrM enumeratestringZ whitespace startswithendswith setdefaultrwritersclosercstatnamerrqrrrTst_sizerXrZgetDebugLogLevelrdebug3unlink)r_rules log_denied temp_fileZ table_rulesr[r\r]Z_rulerxrzr}relementcrr<rurvlineslinerArArB set_ruless                      zip4tables.set_rulescCs||dddt|jg||dt|jgz|d}WntyPYn:0|dkr^dS|dvrd d d |g|||d <n ||t|j }t|j }t|j }| ||d | ||d| ||||}||_ ||_ ||_ |S)Nrrrrrrrrrrrrwrr)r{rrRrr8rEr;rrr[r\r]rr_ip4tables__run)r_rxrrzr[r\r]outputrArArBset_rules0       zip4tables.set_ruleNc Csg}|r|gnt}|D]n}||jvr4||qz,|d|ddg|j|||Wqtytd|j|fYq0q|S)NrrHrzA%s table '%s' does not exist (or not enough permission to check).) r|rrZrrrErdebug1rR)r_r}rvZtablesrArArBget_available_tabless    zip4tables.get_available_tablesc Csd}t|jgd}td|j|jd|d|d|ddkrd}t|jgd}td|j|jd|d|d|ddkrd}td |j|j||S) Nr)-wrHr7%s: %s: probe for wait option (%s): ret=%u, output="%s"rrrw)-w10rHrr%s: %s will be using %s option.)rrSrrrrrq)r_rVrvrArArBrUs    zip4tables._detect_wait_optionc Cst}|d|d}dD]d}t|j|g|jd}td|j|j ||d|d|ddkr d|dvr d |dvr |}qq t d |j|j|t |j|S) Nz#foor)rz--wait=2rrrrwzinvalid optionzunrecognized optionr) rrrrrTrrrrrrSrqrcr)r_rrVZ test_optionrvrArArBrW"s    z%ip4tables._detect_restore_wait_optioncCsNi|_i|_g|_g}tD]*}||s.qdD]}|d||gq2q|S)N)rIr.rJr)r[r\r]r|rrr)r_rr}flagrArArBbuild_flush_rules6s  zip4tables.build_flush_rulesc Csg}|dkrdn|}tD]t}||s,q|dkr6qt|D]P}|dkrv||}|dkrz|d|d|ddgd}n|}|d|d ||gq>q|S) NZPANICDROPr%r&rrr1-jrK)r|rrr)r_policyZpolicy_detailsr_policyr}r~rrArArBbuild_set_policy_rulesEs    z ip4tables.build_set_policy_rulesc Csg}d}z"|d|jdkrdnddg}WnLtyv}z4|jdkrTtd|ntd|WYd }~n d }~00|}d }|D]}|r|}|}|D]<} | d r| d r| d d} n| } | |vr| | q|jdkr| ds|jdkr| drd}q|S)zQReturn ICMP types that are supported by the iptables/ip6tables command and kernelr-pr(r*r+z--helpziptables error: %szip6tables error: %sNF()rwrzValid ICMP Types:r)zValid ICMPv6 Types:T) rrRrErr splitlinesstriplowersplitrrr) r_rRrvrexrZin_typesrZsplitsrrFrArArBsupported_icmp_typesXs<  $  zip4tables.supported_icmp_typescCsgSrbrArfrArArBbuild_default_tablesyszip4tables.build_default_tablesrcCsi}|drlg|d<t|jd<tdD]@}|dd||dd||f|jdd|q*|dr@g|d<t|jd<tdD]}|dd||dd||f|jdd||dkrdD]8}|dd||f|jdtd ||fgqd D]}|dd |||fqq|d rg|d <t|jd <td D]}|d d||d d||f|jd d||dkrhdD]:}|d d||f|jd td ||fgqd D]}|d d |||fqqh|d rPg|d <t|jd <td D] }|d d||d d||f|jd d||dvrdD]R}|d d||f|jd td ||fg|d d |||fqnddD]:}|d d||f|jd td ||fgqd D]}|d d |||fq,qBg|d<t|jd<|dd|dd|dkr|dd|dd|dd|dd|jdtddD]0}|dd||jdtd|qd D]}|dd|q|dkrB|dd|dd|dd|dd|dkr|dd |dd!|dd"|dd#|jdtd$d%D]0}|dd&||jdtd'|qd D]B}|dd&||dd(||jdtd'|qd)D]0}|dd&||jdtd'|qD|dkr|dd*|dd+|dgd,7<|jdtd-d%D]B}|dd.||dd/||jdtd0|qd)D]B}|dd.||dd/||jdtd0|qg}|D]>}||vrrq\||D]}|d1|gt|qzq\|S)2Nr"z -N %s_directz-A %s -j %s_directz %s_directr#r ) POLICIES_preZONES POLICIES_postz-N %s_%s%s_%s)rz-A %s -j %s_%sr$r%)r)rrr&zB-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPTz-A INPUT -i lo -j ACCEPTrz^-A INPUT -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 'z/-A INPUT -m conntrack --ctstate INVALID -j DROPz-N INPUT_directz-A INPUT -j INPUT_directZ INPUT_directz -N INPUT_%szINPUT_%sz-A INPUT -j INPUT_%sz9-A INPUT %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 'z-A INPUT -j %%REJECT%%zD-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED,DNAT -j ACCEPTz-A FORWARD -i lo -j ACCEPTz`-A FORWARD -m conntrack --ctstate INVALID %%LOGTYPE%% -j LOG --log-prefix 'STATE_INVALID_DROP: 'z1-A FORWARD -m conntrack --ctstate INVALID -j DROPz-N FORWARD_directz-A FORWARD -j FORWARD_directZFORWARD_direct)rz -N FORWARD_%sz FORWARD_%sz-A FORWARD -j FORWARD_%s)rz;-A FORWARD %%LOGTYPE%% -j LOG --log-prefix 'FINAL_REJECT: 'z-A FORWARD -j %%REJECT%%)z-N OUTPUT_directz>-A OUTPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPTz-A OUTPUT -o lo -j ACCEPTz-A OUTPUT -j OUTPUT_directZ OUTPUT_directz -N OUTPUT_%sz-A OUTPUT -j OUTPUT_%sz OUTPUT_%sr)rrLr^r|rrupdater)r_rZ default_rulesr~Zdispatch_suffixZfinal_default_rulesr}rxrArArBbuild_default_rules}s           "    "       zip4tables.build_default_rulescCsd|dkrddhS|dkr*d|vr*dhS|dkrFd|vrFddhS|dkr`d|vr`dhSiS) Nr&rrr$r r%r!r#)r)r_r}rArArBget_zone_table_chainss   zip4tables.get_zone_table_chainsc s|jj|jdkrdnddkr4dkr4dnd} |jj|t| g} g} |D]} | d| gqX|D]} | d | gqp|D]8} |jj| }|d vr| |sq| | d | q|D]J} |jj| }|d vr| |sqt | rd vrq| | d | qƇfdd}g}| r|| D]B}| r^| D]}||||qDn|rfn|||dq6nD|rn<| r| D]}||d|qn|rn||dd|S)Nrprepostr%r!TF-i-or'-sr!rr-dcsVddd}d|dfdjg}|r6|||rD|||dg|S)Nr1r,TFrz%s_POLICIES_%srr)rextend)ingress_fragmentegress_fragmentadd_delrxrr~ chain_suffixenablep_objr}rArB_generate_policy_dispatch_rule*s  zSip4tables.build_policy_ingress_egress_rules.._generate_policy_dispatch_rule) rQr get_policyrpolicy_base_chain_namePOLICY_CHAIN_PREFIXrr check_sourceis_ipv_supported_rule_addr_fragmentr)r_rrr}r~Zingress_interfacesZegress_interfacesZingress_sourcesZegress_sourcesisSNATZingress_fragmentsZegress_fragments interfaceaddrrRrrrrrArrB!build_policy_ingress_egress_rules sR z+ip4tables.build_policy_ingress_egress_rulesFc Cs|dkr|dkrdnd}|jjj||t|d} dddddd|} d } |r^|s^d d |d g} n,|rpd d |g} ndd |g} |s| d g7} | d|| || | g7} | gS)Nr%r!TFr rrr r!rrr-gr3%s_ZONESrr1r,r)rQrrr) r_rrrr r}r~rr rractionrxrArArB!build_zone_source_interface_rulesZs(  z+ip4tables.build_zone_source_interface_rulescCs|drP|dd}|dkr$d}nd}d|g|jj|}ddd ||gSt|rz|dkrjttd dd d |gSt d |rt |}n,t d |r| d}t |dd|d}||gSdS)Nzipset:rdstsrc,rrL --match-setzCan't match a destination MAC.mac --mac-sourcer)/rrw) rrsrQipsetZ get_dimensionrr rupperr r r r)r_raddressinvertrflags addr_splitrArArBr ss"       zip4tables._rule_addr_fragmentc Csddd|}|dkr"|dkr"dnd}|jjj||t|d} d d d d d d |} t|rd|d vrdgS|d |d|d|g} | || || d| g| gS)Nr3r,rr%r!TFrrrrrrrrr)rQrrrrrr ) r_rrrrr}r~rr rrrxrArArBbuild_zone_source_address_ruless" z)ip4tables.build_zone_source_address_rulesc Csddd|}ddd|}|dkr0|dkr0dnd }|jjj||t|d }|jj|} |j|t|d |d |d |d|d|gg} | ||d|g| |d |d|g| |d |d|g| |d |d|g| |d|d|g| |d|d|g| j r6| ||d|dd|dfg| ||d|dd |g| ||d|dd |g| ||d|dd |g| ||d|dd|g| ||d|dd|g| j r| ||d|dd|dfg|jjj |j } |j dkrb|dkrb| t ddfvr8| ||d|ddddd|g | dkrb| ||d|ddddd|g |dkr| t ddddfvr| t fvrd} n| } | ||d|d| g|s| | S) Nr5r.rr1r,r%r!TFrz%s_log%s_denyz%s_prez%s_post%s_allowrrrrrrr&rrrLOG --log-prefixz %s_REJECT: rz %s_DROP: ACCEPT)rQrrrrr^rrLrZderived_from_zoneZ _policiestargetget_log_deniedrreverse) r_rrr}r~Z add_del_chainZ add_del_ruler rrrr(_targetrArArBbuild_policy_chain_rulessf    z"ip4tables.build_policy_chain_rulescCs|rddd|jgSgS)Nrlimitz--limit)value)r_r-rArArB _rule_limitszip4tables._rule_limitcCst|jttttfvrn<|jrJt|jttt t fvrTt t dt|jn t t d|j dkrt|jtttfvst|jtt fvrdSt|jtfvst|jtt fvrdSn|j dkrdSdSdS)NUnknown action %szNo rule action specified.rallowZdenyrr)rrrrrrrrrrrr rrr_ rich_rulerArArB_rich_rule_chain_suffixs$   z!ip4tables._rich_rule_chain_suffixcCs:|js|jsttd|jdkr$dS|jdkr2dSdSdS)NzNot log or auditrrrr)rauditr rrr2rArArB _rich_rule_chain_suffix_from_logs    z*ip4tables._rich_rule_chain_suffix_from_logcCs|jdkrgSd|jgS)Nrr)rr2rArArB_rich_rule_priority_fragments z&ip4tables._rich_rule_priority_fragmentc Cs"|js gS|jj||t}ddd|}||}d||d||fg} | ||7} t|jtkr| |ddg7} |jj r| d|jj g7} |jj r| d d |jj g7} |jj r| d |jj g7} nJ| |dd g7} |jj r| d d |jj g7} |jj r | dd |jj g7} | | |jj7} | S)Nr1r,rrrrZNFLOGz --nflog-groupz--nflog-prefixrhz--nflog-thresholdr%r&z --log-level)rrQrrrr6r7rrgroupprefixZ thresholdlevelr/r-) r_rr3rr} rule_fragmentrrrrxrArArB_rich_rule_logs,  zip4tables._rich_rule_logc Cs|js gSddd|}|jj||t}||}d||d||fg} | ||7} | |7} t|jt krrd} n,t|jt krd} nt|jt krd} nd } | d d d | g7} | | |jj 7} | S) Nr1r,rrrZacceptZrejectZdropunknownrZAUDITz--type)r5rQrrrr6r7rrrrrr/r-) r_rr3rr}r;rrrrxZ_typerArArB_rich_rule_audit"s$ zip4tables._rich_rule_auditc Cs2|js gSddd|}|jj||t}||}d||f} t|jtkrXddg} nt|jtkrddg} |jjr| d|jjg7} nnt|jt krdd g} nVt|jt krd }|jj||t}d||f} dd d |jj g} nt t d t|jd||| g} | ||7} | || 7} | ||jj7} | S)Nr1r,rrrr'rrrr$MARKz --set-xmarkr0r)rrQrrrr4rrrrrrLr rr7r/r-) r_rr3rr}r;rrrr~Z rule_actionrxrArArB_rich_rule_action;s6        zip4tables._rich_rule_actioncCs|sgSg}|jr|jr"|dtd|jrB|dt|jg7}qtd|jr||jd}|dt|dd|dg7}q|d|jg7}nD|jr|ddg7}|jr|d|jj |jd }|d |j|g7}|S) N!r)rrrrwrrLrr) r rrr r r rrrQr_ipset_match_flags)r_Z rich_destr;r!r rArArB_rich_rule_destination_fragment]s&    "  z)ip4tables._rich_rule_destination_fragmentcCs|sgSg}|jr|jr"|dtd|jrB|dt|jg7}nHtd|jr||jd}|dt|dd|dg7}n|d|jg7}nt|dr|jr|ddg7}|jr|d|d |jg7}nRt|d r|j r|dd g7}|jr|d|j j |j d }|d |j |g7}|S)NrAr)rrrrwrrrrrLrr) r rrr r r rhasattrrrrQrrB)r_Z rich_sourcer;r!r rArArB_rich_rule_source_fragmentus0    "    z$ip4tables._rich_rule_source_fragmentc Csddd|}d}|jj||t} d|g} |rD| ddt|g7} |rT| d|g7} |rx| ||j7} | ||j7} g} |r| | ||||| | | ||||| | | ||||| n"| |d | d |g| d d g| S) Nr1r,rr&r--dportrhrr$rrr' rQrrrrrC destinationrEsourcerr<r>r@ r_rrprotoportrHr3rr}rr;rrArArBbuild_policy_ports_ruless, z"ip4tables.build_policy_ports_rulesc Csddd|}d}|jj||t}d|g} |r<| d|g7} |r`| ||j7} | ||j7} g} |r| | ||||| | | ||||| | | ||||| n"| |d|d|g| d d g| S) Nr1r,rr&rrr$rrr') rQrrrrCrHrErIrr<r>r@) r_rrprotocolrHr3rr}rr;rrArArBbuild_policy_protocol_ruless( z%ip4tables.build_policy_protocol_rulesc Csd}d}|jj||t}ddd|} gd} |rl||}| ||7} | ||j7} | ||j 7} |dks||dur| gd7} n| d d d |g7} d d| d ||fg| gS)Nr1r&r1r,r)rZtcpz --tcp-flagszSYN,RSTZSYNZpmtu)rTCPMSSz--clamp-mss-to-pmturrPz --set-mssrr) rQrrrr4r7rCrHrErI) r_rrZtcp_mss_clamp_valuerHr3rr}rrr;rArArB build_policy_tcp_mss_clamp_ruless z*ip4tables.build_policy_tcp_mss_clamp_rulesc Csddd|}d}|jj||t} d|g} |rD| ddt|g7} |rT| d|g7} |rx| ||j7} | ||j7} g} |r| | ||||| | | ||||| | | ||||| n"| |d | d |g| d d g| S) Nr1r,rr&rz--sportrhrr$rrr'rGrJrArArBbuild_policy_source_ports_ruless, z)ip4tables.build_policy_source_ports_rulesc Csvd}|jj||t} ddd|} | d| ddd|g} |rP| dd t|g7} |r`| d |g7} | d d d |g7} | gS)Nr#r1r,rr$rrrFrhrrZCTz--helper)rQrrrr) r_rrrKrLrHZ helper_nameZmodule_short_namer}rrrxrArArBbuild_policy_helper_ports_ruless z)ip4tables.build_policy_helper_ports_rulesc Csddd|}|jj||t}g} |rH| dd|d|d|dd gn6t|rTgS| dd|d|g|d |dd g| S) Nr1r,rrr&r$rrr'r)rQrrrrrr ) r_rrrr}r rIrrrrArArBbuild_zone_forward_ruless z"ip4tables.build_zone_forward_rulesc Csd}|jjj||tdd}ddd|}g}|rj||}|||7}|||j7}|||j 7}nd}g} | dd|d ||fg|gd | S) Nr%Trr1r,rr1rr)rArlorZ MASQUERADE) rQrrrr4r7rCrHrErIr) r_rrr3r}rrr;rrrArArBbuild_policy_masquerade_ruless" z'ip4tables.build_policy_masquerade_rulesc Cs d}|jj||t} ddd|} d} |rPtd|rH| dt|7} n| |7} |rn|dkrn| dt|d 7} g} |r||} ||} | | |j 7} | | |j 7} nd } g}|r| ||||d| | d d| d | | fg| d |dt|ddd| g|S)Nr%r1r,rrr)z[%s]z:%s-r1rrrrFrZDNATz--to-destination)rQrrrr r rr4r7rCrHrErIrr<)r_rrrLrNZtoportZtoaddrr3r}rrtor;rrrArArBbuild_policy_forward_port_rules's8     z)ip4tables.build_policy_forward_port_rulesc Csd}|jj||t}ddd|}|jdkrFddg}ddd |jg} ndd g}dd d |jg} g} |jj|r|d |} d} n d|} d} g} |r| ||j7} | | |j 7} | || 7} |rP| | ||||| | | ||||| |jr| |||||| n:||}| d||d||fg||| ddgn`|jdkr| dkr| || d|g| ddddd|g| || d|g| d| g| S)Nr&r1r,rr(rr*rz --icmp-typer+Zicmp6z --icmpv6-typer$r'r#rrrrrrr%r&%s_ICMP_BLOCK: )rQrrrrRrquery_icmp_block_inversionrCrHrErIrr<r>rr@r4r7r))r_rrZictr3r}rrrKmatchrZ final_chainZ final_targetr;rrArArBbuild_policy_icmp_block_rulesIs\   z'ip4tables.build_policy_icmp_block_rulesc Csd}|jj||t}g}d}|jj|rd}|jdkr|rRd|t|g}nd|g}|d|dd d d d d d|g }|||d7}nd}|rd|t|g}nd|g}|d|dd d |g}|||S)Nr&rrr3r,rrrrrr%r&rZrwr')rQrrrr[r)rr) r_rrr}rrZrule_idxZ ibi_targetrxrArArB'build_policy_icmp_block_inversion_ruleszs0    z1ip4tables.build_policy_icmp_block_inversion_rulesc Csxd}g}|||j7}|||j7}g}||||||||||||||||||||||S)Nr&)rCrHrErIrr<r>r@)r_rrr3r}r;rrArArB*build_policy_rich_source_destination_rulessz4ip4tables.build_policy_rich_source_destination_rulescCs ||jkSrb)rR)r_rRrArArBrszip4tables.is_ipv_supported)N)N)r)F)F)NN)NN)NN)NN)NN)N)N)N)8__name__ __module__ __qualname__rRrZpolicies_supportedrarYrr{rrrrrrrrrrrrrUrWrrrrrrr rr r"r,r/r4r6r7r<r>r@rCrErMrOrQrRrSrTrVrYr]r_r`rrArArArBrPsr     &Pa#  ! N  9 "       " 1"rPc@s&eZdZdZdZdddZddZdS) ip6tablesr)FcCs~g}gd}|jjdkr"|dg7}|gd|ddg|dkr^|gd|gd|gd |gd |S) N)rZrpfilterz--invertz --validmarkZloosez--loose)r3r rr$rrr)rr%r&zrpfilter_DROP: ) r3r rr$rr+z$--icmpv6-type=neighbour-solicitationrr') r3r rr$rr+z"--icmpv6-type=router-advertisementrr')rQZ_ipv6_rpfilterr)r_rrZrpfilter_fragmentrArArBbuild_rpfilter_ruless$    zip6tables.build_rpfilter_rulesc Csgd}d}|jd|g}|ddd|g|D]L}|ddd|d|dd d d g |jjd vr6|ddd|d|dd ddg q6|dddddd|g|dddd|jdkrdndd|g|S)N) z ::0.0.0.0/96z::ffff:0.0.0.0/96z2002:0000::/24z2002:0a00::/24z2002:7f00::/24z2002:ac10::/28z2002:c0a8::/32z2002:a9fe::/32z2002:e000::/19Z RFC3964_IPv4r&rr5r3rrrrz addr-unreach)rallr%r&zRFC3964_IPv4_REJECT: r4rr65)r^rrrQZ _log_deniedr))r_Z daddr_listZ chain_namerZdaddrrArArBbuild_rfc3964_ipv4_ruless.      z"ip6tables.build_rfc3964_ipv4_rulesN)F)rarbrcrRrrerjrArArArBrds rd)/Zos.pathrcrZfirewall.core.progrZfirewall.core.loggerrZfirewall.functionsrrrrrr r r Zfirewallr Zfirewall.errorsr rrrrZfirewall.core.richrrrrrrrrrZfirewall.core.baserrrr|rrrCrGrOobjectrPrdrArArArBsJ  ( ,  %*