#fd|dZddlZddlZddlZddlmZddlZddlmZm Z m Z ddl m Z ddl ZdZdZGdd Zy) z'frontend.py: frontend interface for ufwN)UFWError)errorwarnmsg)UFWBackendIptablesctjj}dD]0}|jtjj |2dD]0}|jtjj |2dD]0}|jtjj |2dD]0}|jtjj|2dD]0}|jtjj|2dD]0}|jtjj|2gd}|D]^}|jtjj||jtjj|`t|dkDrmd }||jd k(rd}||jd k7r=||jd k7r'||j|vr|j|d t|dksd |vr%t|dkrtddt! |j#|d d}|S#t$$r#}td|j&zYd}~Sd}~wt($rtddwxYw)zEParse command. Returns tuple for action, rule, ip_version and dryrun.) enabledisablehelpz--helpz-hversionz --versionreloadreset)listinfodefaultupdate)onofflowmediumhighfull)allowdenyreject)Nverbosenumbered)rawz before-rulesz user-rulesz after-rulesz logging-rulesbuiltins listeningadded)rlimitrrinsertdeleteprepend --dry-runrrouteruleznot enough argsF)do_exitNz%szInvalid syntax)ufwparser UFWParserregister_commandUFWCommandBasic UFWCommandAppUFWCommandLoggingUFWCommandDefaultUFWCommandStatusUFWCommandShowUFWCommandRuleUFWCommandRouteRulelenlowerr#r ValueError parse_commandrvalue Exception)argvpi rule_commandsidxpres ./usr/lib/python3/dist-packages/ufw/frontend.pyr<r<s A  : 3::55a89 :38 3::33A678<< 3::77:;<)< 3::77:;<+; 3::66q9:;A9 3::44Q789  M > 3::44Q78 3::99!<=>  4y1} 9??  +C 9??  ) 9??  ' 9??  - KKV $ 4y1},TQ /l __T!"X & I   dagg I  . s7J KJ44Kc*tdidtjjddddddddd d d d d dddddddddddddddddddid d!d"d#d$d%d&d'd(d(d)d)d*d*d+d,d-d.d/d0d1d2d3d3d4d5d6d7d8d9d:d;dd?iz}|S)@zPrint help messagea+ Usage: %(progname)s %(command)s %(commands)s: %(enable)-31s enables the firewall %(disable)-31s disables the firewall %(default)-31s set default policy %(logging)-31s set logging to %(level)s %(allow)-31s add allow %(rule)s %(deny)-31s add deny %(rule)s %(reject)-31s add reject %(rule)s %(limit)-31s add limit %(rule)s %(delete)-31s delete %(urule)s %(insert)-31s insert %(urule)s at %(number)s %(prepend)-31s prepend %(urule)s %(route)-31s add route %(urule)s %(route-delete)-31s delete route %(urule)s %(route-insert)-31s insert route %(urule)s at %(number)s %(reload)-31s reload firewall %(reset)-31s reset firewall %(status)-31s show firewall status %(statusnum)-31s show firewall status as numbered list of %(rules)s %(statusverbose)-31s show verbose firewall status %(show)-31s show firewall report %(version)-31s display version information %(appcommands)s: %(applist)-31s list application profiles %(appinfo)-31s show information on %(profile)s %(appupdate)-31s update %(profile)s %(appdefault)-31s set default application policy prognamecommandCOMMANDcommandsCommandsr r rz default ARGloggingz logging LEVELlevelLEVELrz allow ARGSr*rz deny ARGSrz reject ARGSr"z limit ARGSr$zdelete RULE|NUMuruleRULEr#zinsert NUM RULEr%z prepend RULEr)z route RULEz route-deletezroute delete RULE|NUMz route-insertzroute insert NUM RULEnumberNUMr rstatus statusnumzstatus numberedrulesRULES statusverbosezstatus verboseshowzshow ARGr appcommandszApplication profile commandsapplistzapp listappinfozapp info PROFILEprofilePROFILE appupdatezapp update PROFILE appdefaultzapp default ARG)_r-common programName)help_msgs rFget_command_helprees>"* CJJ**"* I"* Z"* 8"* I "* M "* O "* '"* ,"* "* "* ="* ,"* $"* &"* $"* N!"*" ,#"*$ 0%"*& 0'"*( 5)"** 8+"*, '-"*. 8/"*0 '1"*2 '3"*4 *5"*6 7"*8 I9"*: 6;"*< J="*> &?"*@ IA"*B *C"*D (E"*?A+A,HF ceZdZdZ ddZdZdZdZddZddZ d Z d Z d Z dd Z dd ZdZdZdZdZdZdZdZddZy) UFWFrontendUINc|dk(r t||||_ntd|zt d|_t d|_t d|_y#t$rwxYw)Niptables)rootdirdatadirzUnsupported backend type '%s'nyyes)rbackendr>rranorpyes_full)selfdryrun backend_typerlrms rF__init__zUFWFrontend.__init__sm : % 1&':A C :lKL LC&S6%   s A A%ctd}d}|rd}d}|r|jjr|s|jjrd}|r5 |jj|jjdd|d}|rm |jj|dk7r@ |jj|jjdddt |td }|S |jjtd }|S#t$r}t |j Yd}~d}~wwxYw#t$r}|r |j }Yd}~d}~wwxYw#t$r}t |j Yd}~d}~wwxYw#t$r}t |j Yd}~d}~wwxYw) zlToggles ENABLED state in /ufw/ufw.conf and starts or stops running firewall. rrrpFTconfENABLEDNz0Firewall is active and enabled on system startupz/Firewall stopped and disabled on system startup) rq is_enabled set_defaultfilesrrr=start_firewallra stop_firewall)rtenabledres config_strchangedrE error_strs rF set_enabledzUFWFrontend.set_enableds J DLL335DLL335G   ((););F)C)2J@   ( ++- B#LL,,T\\-?-?-G-6> i FGC   **,EFC A agg  ( !I ( #!''NN# agg s`4DE!4E$.F D=D88D= E! EE!$ F -FF  F7F22F7c8d} |jj||}|jjr4|jj|jj |S#t $r }t |jYd}~|Sd}~wwxYw)zSets default policy of firewallryN)rqset_default_policyr|rrrrr=)rtpolicy directionrrEs rFrzUFWFrontend.set_default_policys} ,,11&)DC||&&( **, ++-   !''NN  sA*A00 B9BBcd} |jj|}|S#t$r }t|jYd}~|Sd}~wwxYw)zSets log level of firewallryN)rq set_loglevelrrr=)rtrNrrEs rFrzUFWFrontend.set_loglevelsK ,,++E2C   !''NN  ! A AA c |jj||}|S#t$r }t|jYd}~Sd}~wwxYw)zShows status of firewallN)rq get_statusrrr=)rtr show_countoutrEs rFrzUFWFrontend.get_status sH ,,))':>C   !''NN  s A AA c |jj|}|S#t$r }t|jYd}~Sd}~wwxYw)zShows raw output of firewallN)rqget_running_rawrrr=)rt rules_typerrEs rF get_show_rawzUFWFrontend.get_show_rawsF ,,..z:C   !''NN  s AAAc d} tjj|jj }|jj}t|j}|j|D]}|jj s|dvr#|d|zz }t||j}|j|D]}|||D]} | d} | jdr| jdr-d} |d|zz }| d k(s| d k(r|d z }d | dz} n'|d | zz }tjj| } |dtjj!| dzz }tj"j%d|dd|| dd} | j'|j)d| dk7r| j+d| | j-|jj/| } t1| dkDr[|dz }| D]Q}|dkDs |dz t1|ks|d|tj2j4j7||dz fzz }S|dz }|jj stjj9d|S#t $rt d}t|wxYw)zMShows listening services and incoming rules that might affect themryzCould not get listening status)tcp6udp6z%s: laddrz127.z::1z %s z0.0.0.0z::z* z%s/0z%s z(%s)exerNr+inF)actionprotocoldportdstrforward6r r'z [%2d] %s z)Skipping tcp6 and udp6 (IPv6 is disabled))r-utilparse_netstat_outputrquse_ipv6r>rar get_rulesrkeyssort startswithget_if_from_ipospathbasenamerbUFWRuleset_v6endswith set_interface normalize get_matchingr9r.r7 get_commanddebug)rtrderr_msgrV protocolsprotoportsportitemaddrifnamer*matchingrAs rFget_show_listeningzUFWFrontend.get_show_listenings $--dll.C.C.EFA  &&(N 3 $E<<((*u8H/H 7e$ $C5)E JJL- $eHTN,$D=D??62??51!#w~-9, 4KC#)T']#;D54</C%(XX%<%&,&%&C&t Y,$- $ 3 $j||$$& HHNNF G A $89G7# # $s 7J?? Kc|jj}td}t|dk(r|tdzSg}|jjD]}|jr-dt j jj|z}n)t j jj|}||vrj|j||d|zz }|S)z!Shows added rules to the firewallz9Added user rules (see 'ufw status' for running firewall):rz (None)route %sz ufw %s) rqrrar9rr-r.r8rr7append)rtrVrr!rrstrs rFget_show_addedzUFWFrontend.get_show_addedfs &&(KL u:?:& &'') %Ayy! 66BB1EFzz00<get_rules_count enumeratestrr set_positionrset_rulefind_other_positionr=updatedwarningsrrrrange format_rule)rtr* ip_versionrrtmprVtmprules tmprules6xroprev6rcount set_error pos_err_msgnum_v4num_v6rAbeginuser_posr@rEwarn_msg undo_errorindexesj backout_rules rFrzUFWFrontend.set_rules 99?tyyB LL H2 ;;!T)#'<<#I#ICG$P#t+#'<<#I#ICG$O#v-#'<<#I#ICG$P$(LL$J$JCG%O "*7A%.7()','(wwqz+0AD$,OOA$6 77#$$=">*"M&w//8})$,,2E2E DE%-"%C # (4/"%-C # (61"%*s"2W"?ZZ1_v1E'3qzz?S+@@K"*;"77"ll33A6#v-#$::#r>).!! AENN51!"h.?!% @ @ (6 1E 94!AA 1u !q 1!"q 1"ll33A6 !xxHqL%)\\%A%A%%HFNN8a<8#r>).!! AENN51!"ajj1n::/!% @ @AF!HA 1u !q5y 9!"q 1"94KC !xxAJJ,?#r>NN1::+>?t||44Q77"#$=">*"M&w//zzR'%*aZFaKQu-!T)Z6-A"ll33A6#t+"#$>"?&w//"#$=">*"M&w// yy?@ h'Gc (J 3JC> =Z1_ 'N8 1J5q>*G OO  '19q#(8#4#4#6L*.L'' lJ? ' q>? ?G1BCC7# #1GHH7# #Y  H ''  6%'%) #$%C#D%&]]_$5X 'sQB<`:A-`( `4`B*`Q`:a ` a'`;;a2a87a8c t|}|jj }|dks|t |kDrtd|z}t||jj|}|std|z}t|d|_d}|jrd}d}|s|jr-dtjjj|z} n)tjjj|} td| |j |j"d z} t%| t&j(d t&j*j-j/j1} | d k7r<| |j j/k7r| |j2j/k7rd }d } |r|j5||} | Std} | S#t$rtd|z}t|wxYw)z Delete rulezCould not find rule '%s'rzCould not find rule '%d'Trrrz=Deleting: %(rule)s Proceed with operation (%(yes)s|%(no)s)? )r*rprrFoutputnewlineroryAborted)intr>rarrqrr9get_rule_by_numberrrrr-r.r8rr7rprrrsysstdoutstdinreadliner:striprsr) rtrRforcernrrVr*rproceedrpromptansrs rF delete_rulezUFWFrontend.delete_ruleOs $F A  &&( 6QU^23a7G7# #||..q123a7G7# #  77J||! 66BB4HIzz00<>tyyI"#$:";&w//J 0 0;;agg++>>tyyI"#$:";&w//J 0s4A MA O  O  A OO  QA P<<Qcd} |jj|}|S#t$r }t|jYd}~|Sd}~wwxYw)z+Sets default application policy of firewallryN)rqset_default_application_policyrrr=)rtrrrEs rFrz*UFWFrontend.set_default_application_policysK ,,==fEC   !''NN  rct|jjj}|j t d}|D] }|d|zz } |S)z*Display list of known application profileszAvailable applications: %s)rrqprofilesrrra)rtnamesrrns rFget_application_listz UFWFrontend.get_application_listsUT\\**//12 *+ #A HN "D # rfcg}|dk(r>t|jjj}|j nFt j j|std}t||j|d}|D]}||jjvs|jj|std|z}t|t j j||jj|std}t||td|zz }|tdt j j|jj|zz }|tdt j j|jj|zz }t j j|jj|}t|d kDsd |d vr|td z }n|td z }|D] }|d|zz } ||t|d z k7s|dz }t j j#|S)zDisplay information on profileallr ryzCould not find profile '%s'zInvalid profilez Profile: %s z Title: %s zDescription: %s r',rzPorts:zPort:rz -- )rrqrrrr-rrrarrverify_profile get_titleget_description get_portsr9r wrap_text)rtpnamerrrnamerr@s rFget_application_infoz UFWFrontend.get_application_infos< E>..3356E JJL##66u=23w'' LL  %D4<<000<<((.9:dCw''##224||$$T*,-.w'' Ao&$/ /D Am$(8(8(B(B(, (=(=d(C)EF FD A+,-0-=-=-M-M-1\\-B-B4-H.JK KD$$..t||/D/DT/JKE5zA~a( #' " 'A& 'uSZ\** $; %>xx!!$''rfcd}d}d} |jjr tjj rd}|dk(rwt |jjj}|j|D]4}|jj|\}}|s$|dk7r|dz }||z }|}6n(|jj|\}}|dk7r|dz }|rU|jjr;|r+ |jj|tdz }|S|tdz }|S#t $rd}Y wxYw#t $rwxYw)Refresh application profileryTFrrrzSkipped reloading firewall)rq do_checksr-r under_sshr>rrrrupdate_app_ruler|_reload_user_rulesra) rtr]r allow_reloadtrigger_reloadrr@rfounds rFapplication_updatezUFWFrontend.application_updates_  !||%%#((*<*<*>$  e DLL116689H MMO +#||;;A> ebyt CKD%*N  +&*\\%A%A'%J "T>rz  dll557LL335-.. 677 ? !!L  !2!s6D;E ; E  E  Ecd}d}|dk(rtd}t||jjd}|dk(r(tj j d|d|d|S|d k(rd }n)|d k(rd }n!|d k(rd }ntd|z}t|dg}|jjr|jd|||gz } t|}d|jvr9|j|j|jd|jd}|S|j|jdd}|S#t$rwxYw)r$ryrz%Cannot specify 'all' with '--add-new'default_application_policyskipz Policy is 'z', not adding profile 'racceptrdroprrzUnknown policy '%s'r-r(r*iptype)rarrqdefaultsr-rrrurr<r>datarr)rtr]rrrrargsrDs rFapplication_addzUFWFrontend.application_addBsV e ?@G7# #,,''(DE f  HHNN"G- .K  F  F  F-.':G7# #y <<   KK $ &'## t$B RWW >>"))RWWV_"$''("35D  >>"))R4D    s D:: Ecd}|dk(r|jd}|S|dk(r|jd}|S|dk(r|jd}|S|dk(r|jd }|S|d k(r|j}|S|d k(r|j|}|S|d k(s|d k(r?|j|}d}|d k(r|j |}|dk7r |dk7r|dz }||z}|St d|z}t |)zzPerform action on profile. action and profile are usually based on return values from parse_command(). ryz default-allowrz default-denyrzdefault-rejectrz default-skipr/rrrzupdate-with-newrr )rrr"r,r6rar)rtrr]rstr1str2rs rFdo_application_actionz!UFWFrontend.do_application_actionlsO _ $55g>C0 /~ %55f=C, +' '55h?C( '~ %55f=C$ #v ++-C  v ++G4C x 6->#>**73DD**++G4rzdbj +C  12f=G7# #rfcd}|jjrtjj rt d|j |jdz}t|tjdtjjjj}|dk7r ||j k7r||jk7rd}|S)z6If running under ssh, prompt the user for confirmationTzWCommand may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? rprrFrro)rqr%r-rr&rarprrrrrrrr:rrs)rtrrrs rFcontinue_under_sshzUFWFrontend.continue_under_sshs << ! !chh&8&8&:CD $8:F szz5 9))$$&,,.446CczcTXXo#2Frfc d}td|j|jdz}|jjrCt j jr%td|j|jdz}|jjr|stt j j|tjdtjjjj}|dk7r+||jk7r||j k7r td}|S|jj#r||j%dz }|jj'}|S) zReset the firewallryzTResetting all rules to installed defaults. Proceed with operation (%(yes)s|%(no)s)? r<zResetting all rules to installed defaults. This may disrupt existing ssh connections. Proceed with operation (%(yes)s|%(no)s)? Frror)rarprrrqr%r-rr&rrrrrrr:rrsr|rr)rtrrrrs rFrzUFWFrontend.resets)23 HHDGG46 << ! !chh&8&8&:67!%8:F << ! !% ""6*3::u M))$$&,,.446CczcTXXo#2F l << " " $ 4##E* *Cll  " rf)rkNN)FF)r)F)__name__ __module__ __qualname____doc__rwrrrrrrrrrrrrr"r,r6r:r=rrfrFrhrhsv ,6'+! 4l FP:JX/bTl,(\)V(T@ rfrh)rBrrr ufw.commonrufw.utilr-rrrufw.backend_iptablesr ufw.parserr<rerhrCrfrFrHs?-" %%3EPEPD D rf