HEX
Server: LiteSpeed
System: Linux server334.web-hosting.com 4.18.0-553.124.4.lve.el8.x86_64 #1 SMP Fri May 15 13:02:13 UTC 2026 x86_64
User: richfield (1256)
PHP: 8.2.31
Disabled: NONE
$ pwd: /lib/python3.6/site-packages/firewall/core/__pycache__/
Upload Files
File: //lib/python3.6/site-packages/firewall/core/__pycache__/nftables.cpython-36.pyc
3

Y�jBu�	@s6ddlmZddlZddlZddlZddlmZddlmZm	Z	m
Z
mZmZddl
mZmZmZmZmZmZmZddlmZmZmZmZmZmZmZddlmZmZddl m!Z!d	Z"e"d
dZ#dZ$d
Z%iddde%fidde%fdde%fd�dde%fdde%fdde%fdde%fd�d�Z&Gdd�de'�Z(dS)�)�absolute_importN)�log)�	check_mac�getPortRange�normalizeIP6�check_single_address�
check_address)�
FirewallError�
UNKNOWN_ERROR�INVALID_RULE�INVALID_ICMPTYPE�INVALID_TYPE�
INVALID_ENTRY�INVALID_PORT)�Rich_Accept�Rich_Reject�	Rich_Drop�	Rich_Mark�Rich_Masquerade�Rich_ForwardPort�Rich_IcmpBlock)�
ICMP_TYPES�ICMPV6_TYPES)�NftablesZ	firewalld�_Zpolicy_dropZpolicy_�
�
PREROUTING�
prerouting��dZpostrouting)r�POSTROUTING�input�forward�output)r�INPUT�FORWARD�OUTPUT)�raw�mangle�nat�filterc@sjeZdZdZdZdd�Zdd�Zdd�Zdd	�Zd
d�Z	dd
�Z
dd�Zd�dd�Zdd�Z
dd�Zdd�Zdd�Zd�dd�Zdd�Zd�d d!�Zd"d#�Zd�d%d&�Zd�d(d)�Zd�d*d+�Zd�d,d-�Zd.d/�Zd0d1�Zd2d3�Zd4d5�Zd6d7�Zd8d9�Zd:d;�Zd<d=�Z d>d?�Z!d@dA�Z"dBdC�Z#dDdE�Z$dFdG�Z%dHdI�Z&d�dJdK�Z'dLdM�Z(dNdO�Z)dPdQ�Z*dRdS�Z+d�dTdU�Z,d�dVdW�Z-d�dXdY�Z.dZd[�Z/d�d\d]�Z0d�d^d_�Z1d�d`da�Z2d�dbdc�Z3d�ddde�Z4d�dfdg�Z5dhdi�Z6d�djdk�Z7dldm�Z8d�dndo�Z9dpdq�Z:drds�Z;dtdu�Z<dvdw�Z=d�dxdy�Z>d�dzd{�Z?d|d}�Z@d�d~d�ZAd�d��ZBd�d��ZCd�d��ZDd�d��ZEd�d��ZFd�d��ZGd�d��ZHd�d�d��ZIdS)��nftablesTcCsb||_d|_g|_i|_i|_i|_i|_i|_gggd�|_t	�|_
|j
jd�|j
jd�dS)NT)�inet�ip�ip6)
�_fwZrestore_command_existsZavailable_tables�rule_to_handle�rule_ref_count�rich_rule_priority_counts�policy_priority_counts�zone_source_index_cache�created_tablesrr+Zset_echo_outputZset_handle_output)�self�fw�r8�/usr/lib/python3.6/nftables.py�__init__Xsznftables.__init__cCs�xdD]}||krPqWd||dkr`||ddd||dddf}||dd=n(d||dkr�d}||dd=ndS||dd	}|r�|dkr�||kr�|||kr�||j|�n�|dk�r�||kr�g||<|�r(|||k�r||j|�||jd
d�d�||j|�}n|jj�r8d
}nt||�}||}||=|d
k�rf||d<n |d8}||d<||ddd<dS)N�add�insert�deletez%%ZONE_SOURCE%%�rule�zone�addressz%%ZONE_INTERFACE%%�familycSs|dS)Nrr8)�xr8r8r9�<lambda>�sz3nftables._run_replace_zone_source.<locals>.<lambda>)�keyr��index)r;r<r=)�remove�append�sortrFr/�_allow_zone_drifting�len)r6r>r4�verbZzone_sourcerArF�
_verb_snippetr8r8r9�_run_replace_zone_sourcegsD




z!nftables._run_replace_zone_sourcecCsBd|krdtj|d�iSd|kr4dtj|d�iSttd��dS)Nr<r=r;zFailed to reverse rule)�copy�deepcopyr	r
)r6�dictr8r8r9�reverse_rule�s
znftables.reverse_rulec
Cs�xdD]}||krPqW|||dk�r�||d|}||d|=t|�tkr^ttd��||dd||ddf}|dkr�||ks�|||ks�|||dkr�ttd	��|||d
8<n�||kr�i||<|||kr�d|||<d}xVt||j��D]B}||k�r"|dk�r"P||||7}||k�r|dk�rP�qW|||d
7<||}	||=|dk�r�|	|d<n |d
8}|	|d<||ddd<dS)
Nr;r<r=r>z%priority must be followed by a numberrA�chainrz*nonexistent or underflow of priority countrErF)r;r<r=)�type�intr	rr
�sorted�keys)
r6r>Zpriority_counts�tokenrL�priorityrSrF�prMr8r8r9�_set_rule_replace_priority�sD

 


z#nftables._set_rule_replace_prioritycCsfx`d
D]X}||krd||krtj||d�}xdD]}||kr6||=q6Wtj|dd	�}|SqWdS)Nr;r<r=r>rF�handle�positionT)Z	sort_keys)r;r<r=)rFr\r])rOrP�json�dumps)r6r>rL�rule_keyZnon_keyr8r8r9�
_get_rule_key�s


znftables._get_rule_keycCsLdddddg}dddg}g}g}tj|j�}tj|j�}tj|j�}	|jj�}
�x�|D�]�}t|�tkrvtt	d|��x|D]}||kr|Pq|W||kr�tt
d|��|j|�}
|
|
k�rDtj
d|j|
|
|
�|dkr�|
|
d	7<qVnX|
|
d	k�r|
|
d	8<qVn6|
|
d	k�r,|
|
d	8<ntt	d
|
|
|
f��n|
�r\|dk�r\d	|
|
<|j|�tj|�}|
�rttd||dd��||dd<|j||d
�|j||d�|j||	�|dk�rdd|ddd|ddd|ddd|j|
d�ii}|j|�qVWdddd	iig|i}tj�dk�rVtjd|jtj|��|jj|�\}}}|dk�r�tdd|tj|�f��||_||_|	|_|
|_d}x�|D]�}|d	7}|j|�}
|
�s̐q�d|k�r�|j|
=|j|
=�q�x"|D]}||d|k�r�P�q�W||d|k�r$�q�|d||dd|j|
<�q�WdS)Nr;r<r=�flush�replacez#rule must be a dictionary, rule: %szno valid verb found, rule: %sz%s: prev rule ref cnt %d, %srEz)rule ref count bug: rule_key '%s', cnt %dr>�exprz%%RICH_RULE_PRIORITY%%z%%POLICY_PRIORITY%%rA�tablerS)rArerSr\r+ZmetainfoZjson_schema_version�z.%s: calling python-nftables with JSON blob: %srz'%s' failed: %s
JSON blob:
%szpython-nftablesr\)rOrPr2r3r4r1rTrQr	r
rrarZdebug2�	__class__rH�listr*r[rNr0ZgetDebugLogLevelZdebug3r^r_r+Zjson_cmd�
ValueError)r6�rules�
log_deniedZ_valid_verbsZ_valid_add_verbsZ_deduplicated_rulesZ_executed_rulesr2r3r4r1r>rLr`Z_ruleZ	json_blobZrcr#�errorrFr8r8r9�	set_rules�s�







&






znftables.set_rulescCs|j|g|�dS)N�)rm)r6r>rkr8r8r9�set_rule:sznftables.set_ruleNcCs|r
|gStj�S)N)�IPTABLES_TO_NFT_HOOKrW)r6rer8r8r9�get_available_tables>sznftables.get_available_tablescCsFg}x<dD]4}|jdd||d�ii�|jdd||d�ii�q
W|S)	Nr,r-r.r;re)rA�namer=)r,r-r.)rH)r6rerjrAr8r8r9�_build_delete_table_rulesBs


z"nftables._build_delete_table_rulescCs�i}i}xB|jd�D]4}|j|�}||jkr|j|||<|j|||<qW||_||_i|_i|_i|_x*dD]"}t|j|krp|j|j	t�qpW|j
t�S)NTr,r-r.)r,r-r.)� _build_set_policy_rules_ct_rulesrar0r1r2r3r4�
TABLE_NAMEr5rGrs)r6Zsaved_rule_to_handleZsaved_rule_ref_countr>�
policy_keyrAr8r8r9�build_flush_rulesPs 


znftables.build_flush_rulesc
Cslddd�|}g}xTdD]L}|j|ddtd	d
|fddd
diiddddgid�iddigd�ii�qW|S)Nr;r=)TFr!r"r#r>r,z%s_%sr*�match�ctrD�state�in�set�established�related)�left�op�right�accept)rArerSrd)r!r"r#)rH�TABLE_NAME_POLICY)r6�enable�add_delrj�hookr8r8r9rtgs


z)nftables._build_set_policy_rules_ct_rulescCstg}|dkrt|jdddtd�ii�|jdjt�x>dD]6}|jdddtd	d
|fd|dtd
dd�ii�q:W|dk�r�|jdddtd�ii�|jdjt�x>dD]6}|jdddtd	d|fd|dtd
dd�ii�q�W||jd�7}nz|dk�rfx4|jd�D]&}|j|�}||jk�r|j|��qW||jt�7}t|jdk�rp|jdjt�n
t	t
d�|S)NZPANICr;rer,)rArrrr#rSz%s_%sr'r*i,rE�drop)rArerrrTr��prio�policy�DROPr!r"rT�ACCEPTFznot implemented)rr#i���)r!r"r#)rHr�r5�NFT_HOOK_OFFSETrtrar0rsrGr	r
)r6r�rjr�r>rvr8r8r9�build_set_policy_rulestsH













znftables.build_set_policy_rulescCsJt�}|dks|dkr$|jtj��|dks4|dkrB|jtj��t|�S)N�ipv4�ipv6)r|�updaterrWrrh)r6�ipvZ	supportedr8r8r9�supported_icmp_types�sznftables.supported_icmp_typescCs>g}x4dD],}|jdd|td�ii�|j|jt�q
W|S)Nr,r-r.r;re)rArr)r,r-r.)rHrur5)r6Zdefault_tablesrAr8r8r9�build_default_tables�s

znftables.build_default_tables�offcCs�g}x�tdj�D]�}|jdddtd|ddtd|dtd|d	d
�ii�xz|jjrlddd
dgndd
dgD]X}|jdddtd||fd�ii�|jdddtd|ddd||fiigd�ii�qvWqWx�d?D]�}x�tdj�D]�}|jdd|td|ddtd|dtd|d	d
�ii�x~|jj�rJddd
dgndd
dgD]Z}|jdd|td||fd�ii�|jdd|td|ddd||fiigd�ii��qTWq�Wq�WxVtdj�D]F}|jdddtd|ddtd|dtd|d	d
�ii��q�W|jdddtddddddiid d!d"d#gid$�id%digd�ii�|jdddtdddddd&iid d'd$�id%digd�ii�|jdddtdddd(dd)iid*d+d$�id%digd�ii�x~|jj�r�ddd
dgndd
dgD]Z}|jdddtd,d|fd�ii�|jdddtddddd,d|fiigd�ii��q�W|d-k�r�|jdddtddddddiid d!d.gid$�i|j|�d/d0d1iigd�ii�|jdddtddddddiid d!d.gid$�id2digd�ii�|d-k�r$|jdddtdd|j|�d/d0d3iigd�ii�|jdddtddd4d5d6d7�igd�ii�|jdddtdd8ddddiid d!d"d#gid$�id%digd�ii�|jdddtdd8dddd&iid d'd$�id%digd�ii�|jdddtdd8dd(dd)iid*d+d$�id%digd�ii�xbd@D]Z}|jdddtd,d8|fd�ii�|jdddtdd8ddd,d8|fiigd�ii��qWx�dAD]�}xz|jj�r�dd
gnd
gD]^}|jdddtd;d8||fd�ii�|jdddtdd8ddd;d8||fiigd�ii��q�W�qvWxbdBD]Z}|jdddtd,d8|fd�ii�|jdddtdd8ddd,d8|fiigd�ii��qW|d-k�r�|jdddtdd8ddddiid d!d.gid$�i|j|�d/d0d1iigd�ii�|jdddtdd8ddddiid d!d.gid$�id2digd�ii�|d-k�r6|jdddtdd8|j|�d/d0d3iigd�ii�|jdddtdd8d4d5d6d7�igd�ii�|jdddtdd<ddddiid d!d"d#gid$�id%digd�ii�|jdddtd=dd(dd>iid*d+d$�id%digd�ii�xbdCD]Z}|jdddtd,d<|fd�ii�|jdddtdd<ddd,d<|fiigd�ii��q�WxbdDD]Z}|jdddtd,d<|fd�ii�|jdddtdd<ddd,d<|fiigd�ii��qHW|S)ENr(r;rSr,z	mangle_%sr*z%srrE)rArerrrTr�r��POLICIES_preZZONES_SOURCEZZONES�
POLICIES_postzmangle_%s_%s)rArerrr>�jump�target)rArerSrdr-r.r)znat_%sz	nat_%s_%sz	filter_%sr$rxryrDrzr{r|r}r~)rr�r�r�Zstatus�dnat�meta�iifnamez==�lozfilter_%s_%sr�Zinvalidr�prefixzSTATE_INVALID_DROP: r�zFINAL_REJECT: �reject�icmpxzadmin-prohibited)rTrdr%�IN�OUTzfilter_%s_%s_%sr&�
filter_OUTPUT�oifname)r-r.)r�)r�r�)r�)r�)r�)rprWrHrur/rJ�_pkttype_match_fragment)r6rkZ
default_rulesrSZdispatch_suffixrA�	directionr8r8r9�build_default_rules�s�
$

(

&

.
 


&

&











&


.


&










&


&znftables.build_default_rulescCs4|dkrdddgS|dkr dgS|dkr0ddgSgS)	Nr*r$�
FORWARD_IN�FORWARD_OUTr(rr)r r8)r6rer8r8r9�get_zone_table_chains�s
znftables.get_zone_table_chainsr,c
s��dkr\�dkr\g}
|
j�j�|��||||dd�	�|
j�j�|��||||dd�	�|
S�jjj|���jdkrxdnd��dkr��d	kr�d
nd}�jjj|�t|��g}g}
|r�|jdd
ddiiddt	|�id�i�|�r|
jdd
ddiiddt	|�id�i�ddd�}|�rlxT|D]L}�dk�rT�jj
j|�}||k�rT�||k�rT�q|j�jd|���qW|�r�xT|D]L}�dk�r��jj
j|�}||k�r��||k�r��qx|
j�jd|���qxW��������fdd�}g}
|�rHx�|D]P}|
�rxB|
D]}|
j|||���qWn"�dk�r0|�r0n|
j||d���q�Wn\�dk�rZ|�rZnJ|
�r�xB|
D]}|
j|d|���qfWn"�dk�r�|�r�n|
j|dd��|
S)Nr)r,r-)rAr.r�pre�postr TFrxr�rDr�z==r|)rr�r�r�)r�r��saddr�daddrcs�g}|r|j|�|r |j|�|jddd��fii��td���f|d�}|j�j����rrdd|iiSdd|iiSdS)	Nr�r�z%s_%sz%s_%s_POLICIES_%s)rArerSrdr;r>r=)rHrur��_policy_priority_fragment)�ingress_fragment�egress_fragment�expr_fragmentsr>)�_policyrS�chain_suffixr�rA�p_objr6rer8r9�_generate_policy_dispatch_rule�s

zRnftables.build_policy_ingress_egress_rules.<locals>._generate_policy_dispatch_rule)
�extend�!build_policy_ingress_egress_rulesr/r�Z
get_policyrY�policy_base_chain_name�POLICY_CHAIN_PREFIXrHrhr?Zcheck_source�_rule_addr_fragment)r6r�r�rerSZingress_interfacesZegress_interfacesZingress_sourcesZegress_sourcesrArj�isSNATZingress_fragmentsZegress_fragmentsZ
ipv_to_family�srcr��dstr�r�r�r8)r�rSr�r�rAr�r6rer9r��sv









z*nftables.build_policy_ingress_egress_rulesFc	
Cs�|dkrT|dkrTg}	|	j|j|||||||d��|	j|j|||||||d��|	S|dkrh|dkrhdnd}
|jjj||t|
d�}d	d
d	d	d
d
d�|}|t|�dd
kr�|dt|�d�d}d}
|dkr�|
dd||fiig}n,ddd|iid|d�i|
dd||fiig}|�rL|�rLd}|td||f|d�}|j|j	��nP|�rnd}|td||f|d�}n.d}|td||f|d�}|�s�|j|j	��|d|iigS)Nr)r,r-r.r TF)r�r�r�)rr r$r�r�r&rE�+�*�gotor�z%s_%srxr�rDz==)rr�r�r<z%s_%s_ZONES)rArerSrdr;r=r>)
r��!build_zone_source_interface_rulesr/r�r�r�rKrur��_zone_interface_fragment)r6r�r?r��	interfacererSrHrArjr�r��opt�actionr�rLr>r8r8r9r�s\



z*nftables.build_zone_source_interface_rulesc	Csn|dkr�|dkr�g}|jd�r6|j|td�d��}	nd}	td|�sTt|�sT|	dkrp|j|j||||||d��td|�s�t|�s�|	dkr�|j|j||||||d��|S|dkr�|dkr�d	nd
}
|jjj	||t
|
d�}dd
d�|}ddddddd�|}
|jj�rd||f}nd||f}d}|t||j
|
|�|dd||fiigd�}|j|j||��|d|iigS)Nr)r,zipset:r�r-r�r.r TF)r�r<r=)TFr�r�)rr r$r�r�r&z%s_%s_ZONES_SOURCEz%s_%s_ZONESr�r�z%s_%s)rArerSrdr>)�
startswith�_set_get_familyrKrrr��build_zone_source_address_rulesr/r�r�r�rJrur�r��_zone_source_fragment)r6r�r?r�r@rerSrArjZipset_familyr�r�r�r�Zzone_dispatch_chainr�r>r8r8r9r�<sB


z(nftables.build_zone_source_address_rulesc
Cs|dkrH|dkrHg}|j|j||||d��|j|j||||d��|Sddd�|}|dkrj|dkrjd	nd
}|jjj||t|d�}	g}|j|d|td
||	fd�ii�x0d!D](}
|j|d|td||	|
fd�ii�q�WxDd"D]<}
|j|d|td
||	fddd||	|
fiigd�ii�q�W|jjj|j	}|jj
�dk�r�|dk�r�|d#k�r�|}|dk�rhd}|j|d|td
||	f|j|jj
��ddd|	|fiigd�ii�|dk�r|d$k�r|d%k�r�|j�}
n|j
�di}
|j|d|td
||	f|
gd�ii�|�s|j�|S)&Nr)r,r-r.r;r=)TFr TF)r�rSz%s_%s)rArerrr�r�deny�allowr�z%s_%s_%sr>r�r�)rArerSrdr�r*�REJECT�
%%REJECT%%r�r�z"filter_%s_%s: "r�)r�rr�r�r�)r�rr�r�r�)r�r�r�)r�r�r�r�)r�r�)r��build_policy_chain_rulesr/r�r�r�rHruZ	_policiesr��get_log_deniedr��_reject_fragment�lower�reverse)r6r�r�rerSrArjr�r�r�r�r�Z
log_suffix�target_fragmentr8r8r9r�jsZ





&




 





z!nftables.build_policy_chain_rulescCs<|dkriS|dkr,ddddiid	|d
�iSttd|��dS)
N�all�unicast�	broadcast�	multicastrxr�rD�pkttypez==)rr�r�zInvalid pkttype "%s")r�r�r�)r	r)r6r�r8r8r9r��s
z nftables._pkttype_match_fragmentcCsdddd�idddd�idddd�idddd�idddd�idddd�idddd�idddd�idddd�idddd�iddd	d�iddd	d�iddd
d�iddd
d�iddd
d�idddd�idddd�iddd
d�iddd
d�idddd�idddd�idddiidddiid�}||S)Nr��icmpzhost-prohibited)rTrdznet-prohibitedzadmin-prohibited�icmpv6znet-unreachablezhost-unreachablezport-unreachabler�zprot-unreachablezaddr-unreachablezno-routerTz	tcp reset)zicmp-host-prohibitedzhost-prohibzicmp-net-prohibitedz
net-prohibzicmp-admin-prohibitedzadmin-prohibzicmp6-adm-prohibitedzadm-prohibitedzicmp-net-unreachableznet-unreachzicmp-host-unreachablezhost-unreachzicmp-port-unreachablezicmp6-port-unreachablezport-unreachzicmp-proto-unreachablez
proto-unreachzicmp6-addr-unreachablezaddr-unreachzicmp6-no-routezno-routez	tcp-resetztcp-rstr8)r6Zreject_typeZfragsr8r8r9�_reject_types_fragment�s0
znftables._reject_types_fragmentcCsdddd�iS)Nr�r�zadmin-prohibited)rTrdr8)r6r8r8r9r��sznftables._reject_fragmentcCs ddddiiddddgid	�iS)
Nrxr�rD�l4protoz==r|r�r�)rr�r�r8)r6r8r8r9�_icmp_match_fragment�sznftables._icmp_match_fragmentcCsP|siSddddd�}|j�\}}|||d�}|j�}|dk	rH||d<d|iS)	N�secondZminuteZhourZday)�s�m�h�d)�rateZper�burst�limit)Zvalue_parseZburst_parse)r6r�Zrich_to_nftr�Zdurationr�r�r8r8r9�_rich_rule_limit_fragment�sz"nftables._rich_rule_limit_fragmentcCs�t|j�tttgkrn<|jrHt|j�tttt	gkrRt
tdt|j���n
t
td��|jdkr�t|j�ttgks�t|j�tt	gkr�dSt|j�tgks�t|j�ttgkr�dSn|jdkr�dSdSdS)NzUnknown action %szNo rule action specified.rr�r�r�r�)
rT�elementrrrr�rrrrr	rrY)r6�	rich_ruler8r8r9�_rich_rule_chain_suffix�s 


z nftables._rich_rule_chain_suffixcCs>|jr|jrttd��|jdkr(dS|jdkr6dSdSdS)NzNot log or auditrrr�r�)r�auditr	rrY)r6r�r8r8r9� _rich_rule_chain_suffix_from_logs


z)nftables._rich_rule_chain_suffix_from_logcCsddiS)Nz%%ZONE_INTERFACE%%r8)r6r8r8r9r�sz!nftables._zone_interface_fragmentcCsNtd|�rt|�}n,td|�r@|jd�}t|d�d|d}d||d�iS)Nr��/rrEz%%ZONE_SOURCE%%)r?r@)rrr�split)r6r?r@Z
addr_splitr8r8r9r�s



znftables._zone_source_fragmentcCs
d|jiS)Nz%%POLICY_PRIORITY%%)rY)r6r�r8r8r9r�sz"nftables._policy_priority_fragmentcCs|s|jdkriSd|jiS)Nrz%%RICH_RULE_PRIORITY%%)rY)r6r�r8r8r9�_rich_rule_priority_fragmentsz%nftables._rich_rule_priority_fragmentcCs�|js
iS|jjj||t�}ddd�|}|j|�}i}	|jjrPd|jj|	d<|jjr|d|jjkrhdn|jj}
d|
|	d<d	td
|||f||j	|jj
�d|	igd�}|j|j|��|d
|iiS)Nr;r=)TFz%sr�Zwarning�warn�levelr,z%s_%s_%sr)rArerSrdr>)
rr/r�r�r�r�r�r�rur�r�r�r�)r6r�r�r�rer�r�r�r�Zlog_optionsr�r>r8r8r9�_rich_rule_log"s&
znftables._rich_rule_logc
Cs�|js
iS|jjj||t�}ddd�|}|j|�}dtd|||f||j|jj�dddiigd	�}	|	j	|j
|��|d
|	iiS)Nr;r=)TFr,z%s_%s_%srr�r�)rArerSrdr>)r�r/r�r�r�r�rur�r�r�r�)
r6r�r�r�rer�r�r�r�r>r8r8r9�_rich_rule_audit<s
znftables._rich_rule_auditc
Cs�|js
iS|jjj||t�}ddd�|}|j|�}d|||f}	t|j�tkr\ddi}
�nt|j�tkr�|jjr�|j	|jj�}
nddi}
n�t|j�t
kr�ddi}
n�t|j�tk�rHd}|jjj||t�}d|||f}	|jjj
d	�}t|�d
k�r,dddd
iiddddd
ii|d
gi|dgid�i}
ndddd
ii|dd�i}
nttdt|j���dt|	||j|jj�|
gd�}|j|j|��|d|iiS)Nr;r=)TFz%s_%s_%sr�r�r�r(r�rEr�rD�mark�^�&r)rD�valuezUnknown action %sr,)rArerSrdr>)r�r/r�r�r�r�rTrrr�rrr|r�rKr	rrur�r�r�r�)
r6r�r�r�rer�r�r�r�rSZrule_actionr�r>r8r8r9�_rich_rule_actionNsB


,znftables._rich_rule_actioncCs�|jd�r0|j|td�d�d|kr(dnd|�St|�r>d}n�td|�rNd}nvtd|�r�d}tj|dd�}d	|jj	|j
d
�i}nDtd|�r�d}t|�}n,d}|jd
�}d	t|d�t
|d�d
�i}dd||d�i|r�dnd|d�iSdS)Nzipset:r�TF�etherr�r-)�strictr�)�addrrKr�r.r�rrErx�payload)�protocol�fieldz!=z==)rr�r�)r��_set_match_fragmentrKrrr�	ipaddressZIPv4NetworkZnetwork_addressZ
compressedZ	prefixlenrr�rU)r6Z
addr_fieldr@�invertrAZnormalized_addressZaddr_lenr8r8r9r�ys(
&





znftables._rule_addr_fragmentcCs6|siS|d
krttd|��ddddiid|d	�iS)Nr�r�zInvalid familyrxr�rD�nfprotoz==)rr�r�)r�r�)r	r)r6Zrich_familyr8r8r9�_rich_rule_family_fragment�s
z#nftables._rich_rule_family_fragmentcCs8|siS|jr|j}n|jr&d|j}|jd||jd�S)Nzipset:r�)r)r��ipsetr�r)r6Z	rich_destr@r8r8r9�_rich_rule_destination_fragment�s
z(nftables._rich_rule_destination_fragmentcCsZ|siS|jr|j}n2t|d�r.|jr.|j}nt|d�rH|jrHd|j}|jd||jd�S)N�macrzipset:r�)r)r��hasattrrrr�r)r6Zrich_sourcer@r8r8r9�_rich_rule_source_fragment�s
z#nftables._rich_rule_source_fragmentcCsPt|�}t|t�r$|dkr$tt��n(t|�dkr8|dSd|d|dgiSdS)NrrE�range)r�
isinstancerUr	rrK)r6�portrr8r8r9�_port_fragment�s
znftables._port_fragmentc	Csbddd�|}d}|jjj||t�}	g}
|r>|
j|j|j��|rT|
j|jd|��|r||
j|j|j	��|
j|j
|j��|
jdd|dd	�id
|j|�d�i�|s�t
|j�tkr�|
jddd
diiddddgid�i�g}|�r0|j|j|||||
��|j|j|||||
��|j|j|||||
��n.|j|ddtd||	f|
ddigd�ii�|S)Nr;r=)TFr*r�rxr��dport)r�r�z==)rr�r�ryrDrzr{r|�new�	untrackedr>r,z%s_%s_allowr�)rArerSrd)r/r�r�r�rHrrAr�r�destinationr�sourcerrTr�rr�r�r�ru)r6r�r��protor
rr�r�rer�r�rjr8r8r9�build_policy_ports_rules�s:


z!nftables.build_policy_ports_rulesc	CsZddd�|}d}|jjj||t�}g}	|r>|	j|j|j��|rT|	j|jd|��|r||	j|j|j	��|	j|j
|j��|	jdddd	iid
|d�i�|s�t|j
�tkr�|	jdddd
iiddddgid�i�g}
|�r(|
j|j|||||	��|
j|j|||||	��|
j|j|||||	��n.|
j|ddtd||f|	ddigd�ii�|
S)Nr;r=)TFr*r�rxr�rDr�z==)rr�r�ryrzr{r|r
rr>r,z%s_%s_allowr�)rArerSrd)r/r�r�r�rHrrAr�rrrrrTr�rr�r�r�ru)r6r�r�r�rr�r�rer�r�rjr8r8r9�build_policy_protocol_rules�s8

z$nftables.build_policy_protocol_rulesc	Csbddd�|}d}|jjj||t�}	g}
|r>|
j|j|j��|rT|
j|jd|��|r||
j|j|j	��|
j|j
|j��|
jdd|dd	�id
|j|�d�i�|s�t
|j�tkr�|
jddd
diiddddgid�i�g}|�r0|j|j|||||
��|j|j|||||
��|j|j|||||
��n.|j|ddtd||	f|
ddigd�ii�|S)Nr;r=)TFr*r�rxr��sport)r�r�z==)rr�r�ryrDrzr{r|r
rr>r,z%s_%s_allowr�)rArerSrd)r/r�r�r�rHrrAr�rrrrrrTr�rr�r�r�ru)r6r�r�rr
rr�r�rer�r�rjr8r8r9�build_policy_source_ports_ruless:


z(nftables.build_policy_source_ports_rulesc
	Cs�d}|jjj||t�}	ddd�|}
g}|rR|jdddtd||f||d�ii�g}|rl|j|jd	|��|jd
d|dd
�id|j|�d�i�|jdd||fi�|j|
ddtd|	|d�ii�|S)Nr*r;r=)TFz	ct helperr,zhelper-%s-%s)rArerrrTr�r�rxr�r)r�r�z==)rr�r�r>zfilter_%s_allow)rArerSrd)r/r�r�r�rHrur�r)
r6r�r�rr
rZhelper_nameZmodule_short_namerer�r�rjr�r8r8r9�build_policy_helper_ports_rules)s.



z(nftables.build_policy_helper_ports_rulescCs�ddd�|}|jjj||t�}g}	|rv|t|�ddkrT|dt|�d�d}ddd	d
iid|d�id
dig}
n|jd|�d
dig}
dtd||
d�}|	j|d|ii�|	S)Nr;r=)TFrEr�r�rxr�rDr�z==)rr�r�r�r�r,zfilter_%s_allow)rArerSrdr>)r/r�r�r�rKr�rurH)r6r�r?r�rer�rr�r�rjrdr>r8r8r9�build_zone_forward_rulesFs"z!nftables.build_zone_forward_rulesc	Cs�d}|jjj||tdd�}ddd�|}g}|r`|j|j|j��|j|j|j��|j	|�}	nd}	|t
d||	f|d	d
ddiid
dd�iddigd�}
|
j|j|��|d|
iigS)Nr)T)r�r;r=)TFr�z	nat_%s_%srxr�rDr�z!=r�)rr�r�Z
masquerade)rArerSrdr>)
r/r�r�r�rHrrrrr�rur�r�)r6r�r�rAr�rer�r�r�r�r>r8r8r9�"_build_policy_masquerade_nat_rules_s&
z+nftables._build_policy_masquerade_nat_rulesc
Cs^g}|rD|jr|jdks,|jrDtd|jj�rD|j|j||d|��nV|r�|jrX|jdksl|jr�td|jj�r�|j|j||d|��n|j|j||d|��d}|jjj||t	�}ddd�|}g}|r�|j
|j|j��|j
|j
|j��|j|�}	nd	}	d
td||	f|dd
ddiiddddgid�iddigd�}
|
j|j|��|j
|d|
ii�|S)Nr�r.r�r-r*r;r=)TFr�r,zfilter_%s_%srxryrDrzr{r|r
r)rr�r�r�)rArerSrdr>)rArrr�r�rr/r�r�r�rHrrrr�rur�r�)r6r�r�r�rjrer�r�r�r�r>r8r8r9�build_policy_masquerade_rulesxs8
z&nftables.build_policy_masquerade_rulesc	Cs$d}	|jjj||	t�}
ddd�|}g}|r\|j|j|j��|j|j|j��|j	|�}
nd}
|jdd|dd	�id
|j
|�d�i�|r�td|�r�t|�}|r�|d
kr�|jd||j
|�d�i�q�|jdd|ii�n|jdd|j
|�ii�|t
d|
|
f|d�}|j|j|��|d|iigS)Nr)r;r=)TFr�rxr�r)r�r�z==)rr�r�r�rnr�)r�r
r�Zredirectr
z	nat_%s_%s)rArerSrdr>)r/r�r�r�rHrrrrr�rrrrur�r�)r6r�r�r
r��toaddr�toportrAr�rer�r�r�r�r>r8r8r9�$_build_policy_forward_port_nat_rules�s4


z-nftables._build_policy_forward_port_nat_rulesc	
Cs�g}|rF|jr|jdks&|rFtd|�rF|j|j||||||d|��n�|r�|jrZ|jdksh|r�td|�r�|j|j||||||d|��nL|r�td|�r�|j|j||||||d|��n|j|j||||||d|��|S)Nr�r.r�r-)rArr�r)	r6r�r�r
r�rrr�rjr8r8r9�build_policy_forward_port_rules�sz(nftables.build_policy_forward_port_rulescCsHdd|dd�id|d�ig}|dk	rD|jdd|dd�id|d�i�|S)Nrxr�rT)r�r�z==)rr�r��code)rH)r6r�rTr�	fragmentsr8r8r9�_icmp_types_fragments�sznftables._icmp_types_fragmentscCs�|dkr4|tkr4t|\}}}|jd||r.dn|�S|dkrh|tkrht|\}}}|jd||rbdn|�Sttd||j|f��dS)Nr�r�r�r�z)ICMP type '%s' not supported by %s for %s)rr rr	rrr)r6r�Z	icmp_typeZ_type�_codeZ
_omit_coder8r8r9�_icmp_types_to_nft_fragments�sz%nftables._icmp_types_to_nft_fragmentscCsBd}|jjj||t�}ddd�|}|r6|jr6|j}n<|jrjg}d|jkrT|jd�d|jkrr|jd�nddg}g}	�x�|D�]�}
|jjj|�r�d||f}ddi}nd	||f}|j�}g}
|r�|
j|j	|j
��|
j|j|j��|
j|j|j
��|
j|j|
|j��|�r�|	j|j|||||
��|	j|j|||||
��|j�rf|	j|j|||||
��nN|j|�}d
td|||f|
|j�gd�}|j|j|��|	j|d
|ii�q~|jj�dk�r|jjj|��r|	j|d
d
t||
|j|jj��ddd||fiigd�ii�|	j|d
d
t||
|gd�ii�q~W|	S)Nr*r;r=)TFr�r�z%s_%s_allowr�z
%s_%s_denyr,z%s_%s_%s)rArerSrdr>r�rr�z"%s_%s_ICMP_BLOCK: ")r/r�r�r��ipvsrrH�query_icmp_block_inversionr�rrArrrr�r"rrr�r�r�r�r�rur�r�r�r�)r6r�r�Zictr�rer�r�r#rjr�Zfinal_chainr�r�r�r>r8r8r9�build_policy_icmp_block_rules�sb





"
"
z&nftables.build_policy_icmp_block_rulescCs�d}|jjj||t�}g}ddd�|}|jjj|�r@|j�}nddi}|j|ddtd||fd	|j�|gd
�ii�|jj	�dkr�|jjj|�r�|j|ddtd||fd	|j�|j
|jj	��dd
d||fiigd
�ii�|S)Nr*r;r=)TFr�r>r,z%s_%s�)rArerSrFrdr�rr�z%s_%s_ICMP_BLOCK: )r/r�r�r�r$r�rHrur�r�r�)r6r�r�rer�rjr�r�r8r8r9�'build_policy_icmp_block_inversion_rules(s,




 z0nftables.build_policy_icmp_block_inversion_rulescCs�g}ddddiiddd�iddd	d
dgdd
�iddd�ig}|dkrV|jdddii�|jddi�|jdddtd|d�ii�|jdddtdddddd�iddddgid�id digd�ii�|S)!Nrxr�rDrz==r�)rr�r�Zfibr�Ziifr�Zoif)�flags�resultFr�rr�zrpfilter_DROP: r�r<r>r,Zfilter_PREROUTING)rArerSrdr�r�rT)r�r�r|znd-router-advertznd-neighbor-solicitr�)rHru)r6rkrjr�r8r8r9�build_rpfilter_rulesGs0

znftables.build_rpfilter_rulesc	Cs�ddddddddd	g	}d
d�|D�}dd
ddd�idd|id�ig}|jjd"krb|jdddii�|j|jd��g}|jdddtdd|d�ii�|jdddtd d!|d�ii�|S)#Nz::0.0.0.0/96z::ffff:0.0.0.0/96z2002:0000::/24z2002:0a00::/24z2002:7f00::/24z2002:ac10::/28z2002:c0a8::/32z2002:a9fe::/32z2002:e000::/19cSs2g|]*}d|jd�dt|jd�d�d�i�qS)r�r�rrE)r�rK)r�rU)�.0rBr8r8r9�
<listcomp>nsz5nftables.build_rfc3964_ipv4_rules.<locals>.<listcomp>rxr�r.r�)r�r�z==r|)rr�r�r�r�rr�zRFC3964_IPv4_REJECT: zaddr-unreachr;r>r,r�rE)rArerSrFrdZfilter_FORWARD�)r�r�)r/Z_log_deniedrHr�ru)r6Z	daddr_setr�rjr8r8r9�build_rfc3964_ipv4_rulescs:

z!nftables.build_rfc3964_ipv4_rulescCs�d}g}|j|j|j��|j|j|j��|j|j|j��g}|j|j|||||��|j|j|||||��|j|j	|||||��|S)Nr*)
rHrrArrrrr�r�r�)r6r�r�r�rer�rjr8r8r9�*build_policy_rich_source_destination_rules�sz3nftables.build_policy_rich_source_destination_rulescCs|dkrdSdS)Nr�r��ebTF)r�r�r0r8)r6r�r8r8r9�is_ipv_supported�sznftables.is_ipv_supportedc
Cs�ddd�}||||ddg||dd||g||dd||g||dg||||||g||ddg||dd||g||dgdd	�}||kr�||Sttd
|��dS)NZ	ipv4_addrZ	ipv6_addr)r�r�Z
inet_protoZinet_servicer�ZifnameZ
ether_addr)zhash:ipzhash:ip,portzhash:ip,port,ipzhash:ip,port,netzhash:ip,markzhash:netzhash:net,netz
hash:net,portzhash:net,port,netzhash:net,ifacezhash:macz!ipset type name '%s' is not valid)r	r
)r6r�rTZipv_addr�typesr8r8r9�_set_type_list�s"

znftables._set_type_listc
Cs�|rd|kr|ddkrd}nd}t||j||�d�}x0|jd�djd�D]}|dkrLdg|d
<PqLW|r�d|kr�|d|d<d|kr�|d|d<g}x0dD](}d|i}	|	j|�|jdd|	ii�q�W|S)NrA�inet6r�r�)rerrrT�:rE�,r-�netr
Zintervalr(ZtimeoutZmaxelem�sizer,r.r;r|)r-r7r
)r,r-r.)rur3r�r�rH)
r6rrrT�optionsr�Zset_dict�trjrAZ	rule_dictr8r8r9�build_set_create_rules�s*


znftables.build_set_create_rulescCs$|j|||�}|j||jj��dS)N)r;rmr/r�)r6rrrTr9rjr8r8r9�
set_create�sznftables.set_createcCs8x2dD]*}dd|t|d�ii}|j||jj��qWdS)Nr,r-r.r=r|)rArerr)r,r-r.)ruror/r�)r6rrrAr>r8r8r9�set_destroy�s

znftables.set_destroycCs6|jjj|�jjd�djd�}g}x�tt|��D]�}||dkrr|jdddii�|jdd	|rdd
ndd�i�q2||dkr�|jd|j|�|r�dndd�i�q2||dkr�|jdd|r�dndii�q2||dkr�|jdddii�q2t	d||��q2Wdt|�dk�rd|in|d|�r&dndd|d�iS)Nr5rEr6r
r�rDr�r�Zthrr)r�r�r-r7rr�r�Zifacer�r�r�z-Unsupported ipset type for match fragment: %srx�concatrz!=z==�@)rr�r�)r-r7r)
r/r�	get_ipsetrTr�rrKrHr�r	)r6rrZ
match_destr�type_formatr�ir8r8r9r��s$ znftables._set_match_fragmentcCsN|jjj|�}|jjd�djd�}|jd�}t|�t|�krHttd��g}�x�tt|��D�]�}||dk�r,y||j	d�}Wn&t
k
r�|jd�||}	Yn,X|j||d|��|||dd�}	y|	j	d�}Wn t
k
�r|j|	�Yn(X|jd|	d|�|	|dd�gi�q\||dk�r d||k�rb|jd||jd�i�n�y||j	d�}WnLt
k
�r�||}
d|jk�r�|jdd
k�r�t
|
�}
|j|
�Yn^X||d|�}
d|jk�r�|jdd
k�r�t
|
�}
|jd|
t|||dd��d�i�q\|j||�q\Wt|�dk�rJd|igS|S)Nr5rEr6z+Number of values does not match ipset type.r
Ztcp�-rr-r7r�rAr4r�)r�rKr>)r-r7)r/rr@rTr�rKr	rrrFrirHr9rrU)r6rr�entry�objrAZentry_tokensZfragmentrBrFZport_strr�r8r8r9�_set_entry_fragment�sL

("znftables._set_entry_fragmentc	Csjg}g}t|ttf�s|g}x|D]}|j|j||��q"Wx(dD] }|jdd|t||d�ii�qBW|S)Nr,r-r.r;r�)rArerr�elem)r,r-r.)r	rh�tupler�rFrHru)r6rr�entriesrj�elementsr�rAr8r8r9�build_set_add_rules(s


znftables.build_set_add_rulescCs"|j||�}|j||jj��dS)N)rKrmr/r�)r6rrrDrjr8r8r9�set_add7sznftables.set_addcCsF|j||�}x4dD],}dd|t||d�ii}|j||jj��qWdS)Nr,r-r.r=r�)rArerrrG)r,r-r.)rFruror/r�)r6rrrDr�rAr>r8r8r9�
set_delete;s
znftables.set_deletecCs4g}x*dD]"}dd|t|d�ii}|j|�q
W|S)Nr,r-r.rbr|)rArerr)r,r-r.)rurH)r6rrrjrAr>r8r8r9�build_set_flush_rulesDs
znftables.build_set_flush_rulescCs |j|�}|j||jj��dS)N)rNrmr/r�)r6rrrjr8r8r9�	set_flushMs
znftables.set_flushcCsJ|jjj|�}|jdkrd}n(|jrBd|jkrB|jddkrBd}nd}|S)Nzhash:macr�rAr4r.r-)r/rr@rTr9)r6rrrrAr8r8r9r�Qs
znftables._set_get_familycCs�g}|j|j|||��|j|j|��xbtdt|�d�D]<}|j|j||||d���|j||jj��|j	�q:W|j||jj��dS)Nri�)
r�r;rNrrKrKrmr/r��clear)r6Zset_nameZ	type_namerIZcreate_optionsZ
entry_optionsrjrBr8r8r9�set_restore^sznftables.set_restore)N)N)r�)r,)Fr,)r,)r,)F)NN)NN)NN)NN)N)N)N)N)N)N)F)N)N)F)NN)J�__name__�
__module__�__qualname__rrZpolicies_supportedr:rNrRr[rarmrorqrsrwrtr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�rrrrrrrrrrrrrr r"r%r'r*r.r/r1r3r;r<r=r�rFrKrLrMrNrOr�rQr8r8r8r9r+Ts�/.`

4


R
i
;
-
9
 +


	
$
$
$


'
$



<
#


4		r+ij���i����))Z
__future__rrOr^r�Zfirewall.core.loggerrZfirewall.functionsrrrrrZfirewall.errorsr	r
rrr
rrZfirewall.core.richrrrrrrrZfirewall.core.icmprrZnftables.nftablesrrur�r�r�rp�objectr+r8r8r8r9�<module>s,$$




@ Telegram