a

	�	i�/�@s�dZgd
�
Z
ddlZddlZddlmZ
ddlmZ
ddl	m
Z

ddlmZ
ddl
mZmZ
dd	lmZ
d
Zgd�
Zdd
d
dd�Zdddd�ZGdd�de�Zdd�Zdd�Zdd�Zdd�Zdd�ZdS) zThe ipset command wrapper)�ipset�check_ipset_name�remove_default_create_options�N)
�errors)
�
FirewallError)
�runProg)
�log)�tempFile�readfile)
�COMMANDS� )zhash:ipzhash:ip,portzhash:ip,port,ipzhash:ip,port,netzhash:ip,markzhash:netzhash:net,netz
hash:net,portzhash:net,port,netzhash:net,ifacezhash:macz
inet|inet6�valuez
value in secs)�family�hashsize�maxelem�timeoutZinetZ1024Z65536)rrrc@s�eZ
dZd
Zdd�Zdd�Zdd�Zdd	�Zd%dd�
Zd
d�Z	dd�Z
dd�Zd&dd�
Zd'dd�
Z
dd�Zd(dd�
Zd)dd�
Zdd�Zdd �Zd!d"�Zd#d$�Zd
S)*r
zipset command wrapper classc

Cstd
|_
d
|_dS)Nr
)r�_command�name�
�self�r�7/usr/lib/python3.9/site-packages/firewall/core/ipset.py�__init__Ks


zipset.__init__cCs^d
d�|
D�
}t�
d|j|jd�|�
�
t|j|�\}}|dkrZtd|jd�|�
|f�
�
|S)zCall ipset with argsc
Ssg|]}
d|
�qS)
�%sr)�.0�itemrrr�
<listcomp>R�zipset.__run.<locals>.<listcomp>z	%s: %s %s�
 r�'%s %s' failed: %s)r�debug2�	__class__r�joinr�
ValueError)r�args�_args�status�retrrrZ__runOs





�zipset.__runcCs t|
�
t
krttjd
|
��
dS)zCheck ipset namezipset name '%s' is not validN)�len�IPSET_MAXNAMELENrrZINVALID_NAME)rrrrr�
check_nameZs

�zipset.check_namecCs(t|
�
t
ks|
tv
r$ttjd
|
��
dS)zCheck ipset typez!ipset type name '%s' is not validN)r(r)�IPSET_TYPESrrZINVALID_TYPE)r�	type_namerrr�
check_type`s

�zipset.check_typeNcCs`|�|
�

|�
|�

d
|
|g}t|t�rV|��D]$\}}|�|�

|dkr0|�|�

q0|�|�
S)z+Create an ipset with name, type and options�create�)r*r-�
isinstance�dict�items�append�_ipset__run)r�set_namer,�optionsr$�key�valrrr�
set_createfs











zipset.set_createcCs|�|
�

|�
d
|
g�
S)NZdestroy)r*r4)rr5rrr�set_destroyss


zipset.set_destroycCsd
|
|g}|�|�
S)N�add�
r4�rr5�entryr$rrr�set_addws


z
ipset.set_addcCsd
|
|g}|�|�
S)N�delr<r=rrr�
set_delete{s


zipset.set_deletecCs,d
|
|g}|r"|�dd�
|�
�

|�|�
S)N�testrr)r3r"r4)rr5r>r6r$rrrrBs




z
ipset.testcCs2d
g
}|
r|�|
�

|r"|�
|�

|�|�
�d�
S)N�list�

)r3�extendr4�split)rr5r6r$rrr�set_list�s







zipset.set_listc
Cs4
|jd
g
d�
}
i}d}}i}|
D�
]
}t
|�
dkr6q"dd�|�dd�D�
}t
|�
dkr\q"q"|d	d
krr|d}q"|d	dkr�|d}q"|d	dkr"|d��}d	}	|	t
|�
k�
r||	}
|
d
vr�t
|�
|	kr�|	d7}	||	||
<nt�d|�
i
S|	d7}	q�|�
r|�
r|t|�
f||<d}}|��
q"|S)z" Get active ipsets (only headers) z-terse)
r6N�
c
Ssg|]}
|
���qSr)
�strip�r�
xrrrr�rz.ipset.set_get_active_terse.<locals>.<listcomp>�
:�r�Name�TypeZHeader)rrrr�netmaskz&Malformed ipset list -terse output: %s)rGr(rFr�errorr�clear)r�linesr'�_nameZ_type�_options�lineZpairZsplits�
i�optrrr�set_get_active_terse�sF























�




�


zipset.set_get_active_tersecCsd
g
}|
r|�|
�

|�
|�
S)N�save�r3r4�rr5r$rrrrZ�s




z
ipset.savec	Cs�
|�|
�

|�
|�

t�}d
|
vr*d|
}
d|
|dg}|rh|��D]$\}}	|�|�

|	dkrB|�|	�

qB|�dd
�|�
�

|�d|
�

|D]F}
d
|
vr�d|
}
|r�|�d|
|
d
�|�
f�

q�|�d	|
|
f�

q�|��
t�	|j
�
}t�d
|j
|jd|j
|jf�
dg
}t|j||j
d
�\}}
t��dk�
r�zt|j
�

Wnt�
yV


YnR0d}t|j
�
D]@}tjd||fddd�
|�d�
�
s�tjddd�
|d7}�
qft�|j
�

|dk�
r�td|jd
�|�
|
f�
�
|
S)Nrz'%s'r.z-existr/z%s
z	flush %s
z
add %s %s %s
z
add %s %s
z%s: %s restore %sz%s: %dZrestore)
�stdinrMrHz%8d: %sr)�nofmt�nlrD)
r^r)r*r-r	r2r3�writer"�close�os�statrrr r!r�st_sizerZgetDebugLogLevelr
�	ExceptionZdebug3�endswith�unlinkr#)rr5r,�entriesZcreate_optionsZ
entry_optionsZ	temp_filer$r7r8r>rcr&r'rWrVrrr�set_restore�s^

















�


�

�













�zipset.set_restorecCsd
g
}|
r|�|
�

|�
|�
S)N�flushr[r\rrr�	set_flush�s




zipset.set_flushcCs|�d
|
|g�
S)N�renamer<)rZold_set_nameZnew_set_namerrrrl�s
zipset.renamecCs|�d
|
|g�
S)N�swapr<)rZ
set_name_1Z
set_name_2rrrrm�s
z
ipset.swapc

Cs|�d
g
�
S)N�versionr<rrrrrn�s
z
ipset.version)
N)
N)NN)
N)NN)�__name__�
__module__�__qualname__�__doc__rr4r*r-r9r:r?rArBrGrYrZrirkrlrmrnrrrrr
Hs&




'
�
8r
c

Cst|�
t
krd
SdS)z"Return true if ipset name is validFT)r(r))
rrrrr
s

rc
Cs4|��}
t
D]"}||
vrt
||
|kr|
|=q|
S)
z( Return only non default create options )�copy�IPSET_DEFAULT_CREATE_OPTIONS)r6rUrXrrrr
s


�
rc
	Csbg}
|�d
�
D]H}z&|�
d�

|
�ttj|dd��
�

WqtyT


|
�|�

Yq0qd
�|
�
S)z! Normalize IP addresses in entry �
,�
/F�
�strict)rF�indexr3�str�	ipaddress�
ip_networkr#r")r>Z_entryZ_partrrr�normalize_ipset_entry
s






r}cCstt|�
d
�
�
dkrdSztj|dd�}Wnty<


YdS0|
D],}|�tj|dd��
rBttjd�	||���
qBdS)z: Check if entry overlaps any entry in the list of entries rurHNFrwz,Entry '{}' overlaps with existing entry '{}')
r(rFr{r|r#�overlapsrr�
INVALID_ENTRY�format)r>rhZ
entry_network�itrrrr�check_entry_overlaps_existing
s




r�c
Cszzd
d�|D�
}Wnty&


YdS0t
|�
dkr8dS|��
|�d�
}
|D]&}|
�|�
rpttjd�|
|���
|}
qNdS)z> Check if any entry overlaps any entry in the list of entries c
Ssg|]}
tj
|
dd
��qS)Frw)r{r|rJrrrr0
rz1check_for_overlapping_entries.<locals>.<listcomp>NrzEntry '{}' overlaps entry '{}')	r#r(�sort�popr~rrrr�)rhZprev_networkZcurrent_networkrrr�check_for_overlapping_entries-
s


2






r�)rr�__all__Zos.pathrbr{ZfirewallrZfirewall.errorsrZfirewall.core.progrZfirewall.core.loggerrZfirewall.functionsr	r
Zfirewall.configrr)r+ZIPSET_CREATE_OPTIONSrt�objectr
rrr}r�r�rrrr�<module>s6









�	

�;