U \l@szdZddlZddlZddlZddlmZddlZddlmZm Z m Z ddl m Z ddl ZddZdd ZGd d d ZdS) z'frontend.py: frontend interface for ufwN)UFWError)errorwarnmsg)UFWBackendIptablesc Cstj}dD]}|tj|qdD]}|tj|q*dD]}|tj|qFdD]}|tj|qbdD]}|tj|q~dD]}|tj |qddd d d d d g}|D](}|tj ||tj |qt |dkr\d}|| dkrd}|| dkr\|| dkr\|| |kr\||dt |dksd|krt |dkrtdz||dd}WnTtk r}ztd|jW5d}~XYn$tk rtdddYnX|S)zEParse command. Returns tuple for action, rule, ip_version and dryrun.)enabledisablehelpz--helpversionz --versionreloadreset)listinfodefaultupdate)onoffZlowZmediumZhighZfull)allowdenyreject)NverboseZnumbered)rawz before-rulesz user-rulesz after-rulesz logging-rulesbuiltins listeningaddedrlimitrrinsertdeleteprepend --dry-runrrouteruleznot enough argsNz%szInvalid syntaxF)Zdo_exit)ufwparserZ UFWParserZregister_commandZUFWCommandBasicZ UFWCommandAppZUFWCommandLoggingZUFWCommandDefaultZUFWCommandStatusZUFWCommandShowUFWCommandRuleUFWCommandRouteRulelenlowerrr parse_commandrvalue Exception)argvpiZ rule_commandsidxprer4./usr/lib/python3/dist-packages/ufw/frontend.pyr+sN   & r+c&Cs\tdtjjdddddddd d d d d ddddddddddddddddddd d!d"d#d$#}|S)%zPrint help messagea  Usage: %(progname)s %(command)s %(commands)s: %(enable)-31s enables the firewall %(disable)-31s disables the firewall %(default)-31s set default policy %(logging)-31s set logging to %(level)s %(allow)-31s add allow %(rule)s %(deny)-31s add deny %(rule)s %(reject)-31s add reject %(rule)s %(limit)-31s add limit %(rule)s %(delete)-31s delete %(urule)s %(insert)-31s insert %(urule)s at %(number)s %(route)-31s add route %(urule)s %(route-delete)-31s delete route %(urule)s %(route-insert)-31s insert route %(urule)s at %(number)s %(reload)-31s reload firewall %(reset)-31s reset firewall %(status)-31s show firewall status %(statusnum)-31s show firewall status as numbered list of %(rules)s %(statusverbose)-31s show verbose firewall status %(show)-31s show firewall report %(version)-31s display version information %(appcommands)s: %(applist)-31s list application profiles %(appinfo)-31s show information on %(profile)s %(appupdate)-31s update %(profile)s %(appdefault)-31s set default application policy ZCOMMANDZCommandsrrz default ARGz logging LEVELZLEVELz allow ARGSr#z deny ARGSz reject ARGSz limit ARGSzdelete RULE|NUMZRULEzinsert NUM RULEz prepend RULEz route RULEzroute delete RULE|NUMzroute insert NUM RULEZNUMr r statuszstatus numberedZRULESzstatus verbosezshow ARGr zApplication profile commandszapp listzapp info PROFILEZPROFILEzapp update PROFILEzapp default ARG)#ZprognameZcommandZcommandsrrrZlogginglevelrr#rrrrZurulerrr"z route-deletez route-insertnumberr r r6Z statusnumrulesZ statusverboseshowr Z appcommandsZapplistZappinfoprofileZ appupdateZ appdefault)_r%commonZ programName)Zhelp_msgr4r4r5get_command_help[sNBr>c@seZdZdZd,ddZddZdd Zd d Zd-d dZd.ddZ ddZ ddZ ddZ d/ddZ d0ddZddZddZd d!Zd"d#Zd$d%Zd&d'Zd(d)Zd1d*d+ZdS)2 UFWFrontendZUIiptablesNcCsd|dkr6zt|||d|_WqBtk r2YqBXn td|td|_td|_td|_dS)Nr@)rootdirdatadirzUnsupported backend type '%s'nyyes)rbackendr-rr<norEyes_full)selfdryrunZ backend_typerArBr4r4r5__init__s     zUFWFrontend.__init__c Cszd}d}|rd}d}|r"|jr0|s4|jr4d}|rz|j|jjdd|Wn,tk r}zt|jW5d}~XYnXd}|r0z|jWn,tk r}z|r|j}W5d}~XYnX|dkr&z|j|jjdddWn.tk r}zt|jW5d}~XYnXt|td }nFz|j Wn.tk rl}zt|jW5d}~XYnXtd }|S) zlToggles ENABLED state in /ufw/ufw.conf and starts or stops running firewall. rGrEFTconfZENABLEDNz0Firewall is active and enabled on system startupz/Firewall stopped and disabled on system startup) rF is_enabledZ set_defaultfilesrrr,start_firewallr< stop_firewall)rIenabledresZ config_strZchangedr3Z error_strr4r4r5 set_enabledsT  zUFWFrontend.set_enabledc Csfd}z0|j||}|jr2|j|jWn,tk r`}zt|jW5d}~XYnX|S)zSets default policy of firewallrLN)rFset_default_policyrNrQrPrrr,)rIpolicy directionrSr3r4r4r5rUs  zUFWFrontend.set_default_policyc CsFd}z|j|}Wn,tk r@}zt|jW5d}~XYnX|S)zSets log level of firewallrLN)rF set_loglevelrrr,)rIr7rSr3r4r4r5rXs zUFWFrontend.set_loglevelFc CsDz|j||}Wn,tk r>}zt|jW5d}~XYnX|S)zShows status of firewallN)rF get_statusrrr,)rIrZ show_countoutr3r4r4r5rYs zUFWFrontend.get_statusrc CsBz|j|}Wn,tk r<}zt|jW5d}~XYnX|S)zShows raw output of firewallN)rFZget_running_rawrrr,)rIZ rules_typerZr3r4r4r5 get_show_raw s zUFWFrontend.get_show_rawc Cs$d}ztj|j}Wn$tk r>td}t|YnX|j}t | }| |D]}|js||dkr|qb|d|7}t || }| |D]^}|||D]J} | d} | ds| dsd} |d|7}| d ks| d kr|d 7}d | d} n|d | 7}tj | } |dtj| d7}tjjd|dd|| ddd} | |d| dkr| d| | |j| } t| dkr|d7}| D]D}|dkr|dt|kr|d|tjj||df7}q|d7}qqqb|js tjd|S)zMShows listening services and incoming rules that might affect themrLzCould not get listening status)Ztcp6Zudp6z%s: Zladdrz127.z::1z %s z0.0.0.0z::z* z%s/0z%s z(%s)exerNr$inF)actionZprotocolZdportdstrWforward6r r z [%2d] %s z)Skipping tcp6 and udp6 (IPv6 is disabled))r%utilZparse_netstat_outputrFuse_ipv6r-r<r get_rulesr keyssort startswithZget_if_from_ipospathbasenamer=ZUFWRuleset_v6endswithZ set_interfaceZ normalizeZ get_matchingr)r&r' get_commanddebug)rIrSderr_msgr9Z protocolsprotoportsZportitemZaddrZifnamer#Zmatchingr0r4r4r5get_show_listeningsl                 zUFWFrontend.get_show_listeningcCs|j}td}t|dkr*|tdSg}|jD]L}|jrVdtjj|}ntjj |}||krnq8| ||d|7}q8|S)z!Shows added rules to the firewallz9Added user rules (see 'ufw status' for running firewall):rz (None)route %sz ufw %s) rFrer<r)r`r%r&r(rnr'append)rIr9rZrrrstrr4r4r5get_show_added[s      zUFWFrontend.get_show_addedc Csd}d}d}g}|jdkr2|jdkr2||ng}zt|jr|dkrZ|j|d}n|dkrr|j|d}nt|dkr|j|d}|j|d}|D]4} |D]*} | j} d| _| | s| | _|| qqntd|}t |t |dkrJ|jj sJtd }|dkr|}n.|dkr*|d }n|dkrD|d |d }|WS|D]8}| } |j| _| |j| |j|| qNn |j|}|jdkr|Wntk rYnXd} d}td }|jd}|jd}t|D]\}} |} | j||kr.|t| jd 7}t |z|jr(|dkr| jdkr|| dkrl|dkrldnd}| |n&| j|kr|t| jd 7}t || d|j| }q|dkrd| jdkr| dkr|dkrdnd}| |nP| j|kr| | j|n2| jdkrJ| j|krJ|t| jd 7}t || d|j| }q|dkr| j}| d|dkr| dkr|dkrdnd}| |nH| js||kr|j||| d}|dkr| |n | d|j| }| js0|dkr0|jd}| |d| d|dkrl| dkr\|dkr\dnd}| |nT| js| jdkr| j|kr|j| jd}|dkr| || n | d|dkr|d 7}| js| j|kr|dkr| | j|||j| 7}ntd|}t |n| jdkrZ| dkrL|dkrLdnd}| ||dksn|dkr| d|j| }n0|dkrtd}t |ntd|}t |Wn:t k r}z|j}d}WY qW5d}~XYnX| jrtd}t |q|s"||7}nt |dkr:t!|nd}t"t#| d}||D]p}| dkrZ||rZ|| }d|_z|||Wn2tk rd}td| $}t |YnXqZ|td7}|r|td7}n |td7}t ||S)zUpdates firewall with rulerLv4Fv6TZbothzInvalid IP version '%s'rz"Could not delete non-existent rulez (v6)rbzInvalid position ''r zIPv6 support not enabledNz Rule changed after normalizationzCould not back out rule '%s'z" Error applying application rules.z# Some rules could not be unapplied.z( Attempted rules successfully unapplied.)%dappsapprwremoverFZget_app_rules_from_systemr|matchr<rr)rJZdup_ruleZ set_actionr^Z set_logtypeZlogtypeZget_app_rules_from_templateZpositionreverser-Zget_rules_count enumeratestrrdZ set_positionrlset_ruleZfind_other_positionr,updatedwarningsrrr rangeZ format_rule)rIr# ip_versionrSrqtmpr9ZtmprulesZ tmprules6xrDZprev6rxcountZ set_errorZ pos_err_msgZnum_v4Znum_v6r0ZbeginZuser_posr/r3Zwarn_msgZ undo_errorZindexesjZ backout_ruler4r4r5rxsX                                                       zUFWFrontend.set_rulec Cs^z t|}Wn(tk r4td|}t|YnX|j}|dksT|t|krhtd|}t||j|}|std|}t|d|_d}|j rd}d}|s:|j rdt j j |} nt j j|} td| |j|jd } t| tjd d tj} | d kr:| |jkr:| |jkr:d }d } |rR|||} ntd} | S)z Delete rulezCould not find rule '%s'rzCould not find rule '%d'Tr{r|rvz=Deleting: %(rule)s Proceed with operation (%(yes)s|%(no)s)? )r#rErGFoutputnewlinerDrLAborted)intr-r<rrFrer)Zget_rule_by_numberrr|r`r%r&r(rnr'rErGrsysstdoutstdinreadliner*striprHr) rIr8forcerCrqr9r#rproceedrypromptansrSr4r4r5 delete_ruleDsR        zUFWFrontend.delete_rulec CsVd}|drB|d}t|dkr4||d}n |d}n|dkrX|d}n|drtd }|d }t|d krt|||d|d }n|d kr||}n|dkr|}n|dkr|d}nr|dr0|d d}|dkr| }n|dkr"| }n | |}n"|dkrJ|dd}n|dkrb| d}n|dkrz| d}n|dkr|j r| d| dtd}ntd}n|dr||d d|}nr|dks|dks|dks|dkr>|jdkrz0|j |j}||jkrB||_||d WnVtk r}z6|jsjt|jtj|jstd!}t|W5d"}~XYnX|jdkr0z0|j |j}||jkr||_||d WnVtk r.}z6|jst|jtj|jstd!}t|W5d"}~XYnX|||}ntd#|}t||S)$zPerform action on rule. action, rule and ip_version are usually based on return values from parse_command(). rLz logging-onr<r rz logging-offrzdefault-zUnsupported default policy-r$rr r6zstatus-verboseTr:rrzstatus-numberedFrrr Firewall reloadedz&Firewall not enabled (skipping reload)zdelete-rrrrr_Invalid profile nameNUnsupported action '%s')rhsplitr)rXr<rrUr rYrurzr[rTrFrNrrZfind_application_nameZset_portrrr,r% applicationsvalid_profile_namerr) rIr^r#rrrSrrqr3r4r4r5 do_actionus                             zUFWFrontend.do_actionc CsFd}z|j|}Wn,tk r@}zt|jW5d}~XYnX|S)z+Sets default application policy of firewallrLN)rFset_default_application_policyrrr,)rIrVrSr3r4r4r5rs z*UFWFrontend.set_default_application_policycCs:t|jj}|td}|D]}|d|7}q$|S)z*Display list of known application profileszAvailable applications: %s)r rFprofilesrfrgr<)rInamesryrCr4r4r5get_application_lists z UFWFrontend.get_application_listcCsg}|dkr&t|jj}|n&tj|sBtd}t || |d}|D]$}||jjksr|jj|std|}t |tj ||jj|std}t ||td|7}|tdtj |jj|7}|tdtj |jj|7}tj|jj|}t|d ks,d |d kr:|td 7}n |td 7}|D]}|d|7}qJ||t|d krT|d7}qTtj|S)zDisplay information on profileallrrLzCould not find profile '%s'zInvalid profilez Profile: %s z Title: %s zDescription: %s r ,rzPorts:zPort:rz -- )r rFrrfrgr%rrr<rrwZverify_profileZ get_titleZget_descriptionZ get_portsr)rc wrap_text)rIZpnamerrqrynamersr/r4r4r5get_application_infosL            z UFWFrontend.get_application_infoc Csd}d}d}z|jjr$tjr$d}Wntk r>d}YnX|dkrt|jj}| |D]4}|j |\}}|rd|dkr|d7}||7}|}qdn |j |\}}|dkr|d7}|r|j r|rz|j Wntk rYnX|t d7}n |t d7}|S)Refresh application profilerLTFrrbrzSkipped reloading firewall)rF do_checksr%rc under_sshr-r rrfrgZupdate_app_rulerNZ_reload_user_rulesr<) rIr;ryZ allow_reloadZtrigger_reloadrr/rfoundr4r4r5application_update s<  zUFWFrontend.application_updatecCsd}d}|dkr td}t||jjd}|dkrLtjd||f|S|dkrZd}n0|d krhd }n"|d krvd }ntd |}t|d g}|jjr|d|||g7}z t |}Wnt k rYnXd|j kr| |j |j d|j d}n| |j dd}|S)rrLrz%Cannot specify 'all' with '--add-new'Zdefault_application_policyskipz'Policy is '%s', not adding profile '%s'ZacceptrZdroprrzUnknown policy '%s'r%r!r#Ziptype)r<rrFdefaultsr%rcrorJrwr+r-datarr^)rIr;ryrVrqrargsr2r4r4r5application_add7sB      zUFWFrontend.application_addcCsd}|dkr|d}n|dkr,|d}n|dkr@|d}n|dkrT|d }n|d krf|}nz|d krz||}nf|d ks|d kr||}d}|d kr||}|dkr|dkr|d7}||}ntd|}t||S)zzPerform action on profile. action and profile are usually based on return values from parse_command(). rLz default-allowrz default-denyrzdefault-rejectrz default-skiprr rrzupdate-with-newrbr)rrrrrr<r)rIr^r;rSZstr1Zstr2rqr4r4r5do_application_actionas0          z!UFWFrontend.do_application_actioncCsrd}|jjrntjrntd|j|jd}t|t j ddt j }|dkrn||jkrn||jkrnd}|S)z6If running under ssh, prompt the user for confirmationTzWCommand may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? rErGFrrD)rFrr%rcrr<rErGrrrrrr*rrH)rIrrrr4r4r5continue_under_sshs zUFWFrontend.continue_under_sshcCsd}td|j|jd}|jjrBtjrBtd|j|jd}|jjr|sttj |t j ddt j }|dkr||jkr||jkrtd}|S|jr||d7}|j}|S) zReset the firewallrLzTResetting all rules to installed defaults. Proceed with operation (%(yes)s|%(no)s)? rzResetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? FrrDr)r<rErGrFrr%rcrrrrrrrr*rrHrNrTr )rIrrSrrr4r4r5r s$     zUFWFrontend.reset)r@NN)FF)r)F)F)F)__name__ __module__ __qualname____doc__rKrTrUrXrYr[rurzrrrrrrrrrrr r4r4r4r5r?s0 6  HM 1 V  .+* r?)rrirrZ ufw.commonrZufw.utilr%rrrZufw.backend_iptablesrZ ufw.parserr+r>r?r4r4r4r5s  >G