
name : nftables.cpython-36.pyc
3

]ûf��%@slddlmZddlZddlZddlZddlmZddlmZm	Z	m
Z
mZmZddl
mZmZmZmZmZmZmZddlmZmZmZmZmZmZmZddlmZdZed	d
Z dZ!dZ"id
ddCe"fiddDe"fdde"fd�dde"fdde"fdde"fdde"fd�d�Z#dEdd�Z$e$ddd�e$dd�e$dd�e$dd�e$ddd�e$ddd �e$ddd�e$dd!d"�e$ddd#�e$ddd"�e$dd$d"�e$ddd%�e$dd!d�e$ddd&�e$ddd�e$dd$�e$ddd'�e$ddd(�e$ddd)�e$dd!�e$dd$d"�e$dd*�e$dd+�e$dd,�e$ddd-�e$dd.�e$dd/�e$dd0�e$dd!d'�e$ddd1�e$dd!d)�e$ddd2�e$dd.d"�e$dd.d�d3�"e$d4dd'�e$d4d$d�e$d4dd)�e$d4dd"�e$d4d�e$d4d�e$d4d�e$d4dd-�e$d4d5�e$d4d6�e$d4d7�e$d4d8�e$d4d9�e$d4d:�e$d4dd�e$d4d;�e$d4d$�e$d4dd�e$d4d<�e$d4dd&�e$d4d=�e$d4d>�e$d4d.�e$d4d.d"�e$d4d.d�e$d4d$d"�e$d4d$d)�d?�d@�Z%GdAdB�dBe&�Z'dS)F�)�absolute_importN)�log)�	check_mac�getPortRange�normalizeIP6�check_single_address�
check_address)�
FirewallError�
UNKNOWN_ERROR�INVALID_RULE�INVALID_ICMPTYPE�INVALID_TYPE�
INVALID_ENTRY�INVALID_PORT)�Rich_Accept�Rich_Reject�	Rich_Drop�	Rich_Mark�Rich_Masquerade�Rich_ForwardPort�Rich_IcmpBlock)�NftablesZ	firewalld�_Zpolicy_dropZpolicy_�
�
PREROUTING�
prerouting��dZpostrouting)r�POSTROUTING�input�forward�output)r�INPUT�FORWARD�OUTPUT)�raw�mangle�nat�filtercCsHdd|dd�id|d�ig}|dk	rD|jdd|dd�id|d�i�|S)N�match�payload�type)�protocol�fieldz==)�left�op�right�code)�append)r,r+r1�	fragments�r4�/usr/lib/python3.6/nftables.py�_icmp_types_fragmentsSsr6�icmpzdestination-unreachable�
z
echo-replyzecho-request���redirect��zparameter-problem�����zrouter-advertisementzrouter-solicitationz
source-quench�z
time-exceededztimestamp-replyztimestamp-request��)"zcommunication-prohibitedzdestination-unreachablez
echo-replyzecho-requestzfragmentation-neededzhost-precedence-violationzhost-prohibitedz
host-redirectzhost-unknownzhost-unreachablez
ip-header-badznetwork-prohibitedznetwork-redirectznetwork-unknownznetwork-unreachablezparameter-problemzport-unreachablezprecedence-cutoffzprotocol-unreachabler;zrequired-option-missingzrouter-advertisementzrouter-solicitationz
source-quenchzsource-route-failedz
time-exceededztimestamp-replyztimestamp-requestztos-host-redirectztos-host-unreachableztos-network-redirectztos-network-unreachablezttl-zero-during-reassemblyzttl-zero-during-transit�icmpv6zmld-listener-donezmld-listener-queryzmld-listener-reportzmld2-listener-reportznd-neighbor-advertznd-neighbor-solicitzpacket-too-bigznd-redirectznd-router-advertznd-router-solicit)zaddress-unreachablez
bad-headerzbeyond-scopezcommunication-prohibitedzdestination-unreachablez
echo-replyzecho-requestz
failed-policyzmld-listener-donezmld-listener-queryzmld-listener-reportzmld2-listener-reportzneighbour-advertisementzneighbour-solicitationzno-routezpacket-too-bigzparameter-problemzport-unreachabler;zreject-routezrouter-advertisementzrouter-solicitationz
time-exceededzttl-zero-during-reassemblyzttl-zero-during-transitzunknown-header-typezunknown-option)�ipv4�ipv6c@s`eZdZdZdZdd�Zdd�Zdd�Zdd	�Zd
d�Z	dd
�Z
dd�Zd�dd�Zdd�Z
dd�Zdd�Zdd�Zd�dd�Zdd�Zd�d d!�Zd"d#�Zd�d%d&�Zd�d(d)�Zd�d*d+�Zd�d,d-�Zd.d/�Zd0d1�Zd2d3�Zd4d5�Zd6d7�Zd8d9�Zd:d;�Zd<d=�Z d>d?�Z!d@dA�Z"dBdC�Z#dDdE�Z$dFdG�Z%dHdI�Z&d�dJdK�Z'dLdM�Z(dNdO�Z)dPdQ�Z*dRdS�Z+d�dTdU�Z,d�dVdW�Z-d�dXdY�Z.dZd[�Z/d�d\d]�Z0d�d^d_�Z1d�d`da�Z2d�dbdc�Z3d�ddde�Z4dfdg�Z5d�dhdi�Z6djdk�Z7d�dldm�Z8dndo�Z9dpdq�Z:drds�Z;dtdu�Z<d�dvdw�Z=d�dxdy�Z>dzd{�Z?d�d|d}�Z@d~d�ZAd�d��ZBd�d��ZCd�d��ZDd�d��ZEd�d��ZFd�d��ZGd�d�d��ZHdS)��nftablesTcCsb||_d|_g|_i|_i|_i|_i|_i|_gggd�|_t	�|_
|j
jd�|j
jd�dS)NT)�inet�ip�ip6)
�_fwZrestore_command_existsZavailable_tables�rule_to_handle�rule_ref_count�rich_rule_priority_counts�policy_priority_counts�zone_source_index_cache�created_tablesrrIZset_echo_outputZset_handle_output)�self�fwr4r4r5�__init__�sznftables.__init__cCs�xdD]}||krPqWd||dkr`||ddd||dddf}||dd=n(d||dkr�d}||dd=ndS||dd	}|r�|dkr�||kr�|||kr�||j|�n�|dk�r�||kr�g||<|�r(|||k�r||j|�||jd
d�d�||j|�}n|jj�r8d
}nt||�}||}||=|d
k�rf||d<n |d8}||d<||ddd<dS)N�add�insert�deletez%%ZONE_SOURCE%%�rule�zone�addressz%%ZONE_INTERFACE%%�familycSs|dS)Nrr4)�xr4r4r5�<lambda>�sz3nftables._run_replace_zone_source.<locals>.<lambda>)�keyrr<�index)rWrXrY)�remover2�sortrarM�_allow_zone_drifting�len)rTrZrR�verbZzone_sourcer]ra�
_verb_snippetr4r4r5�_run_replace_zone_source�sD




z!nftables._run_replace_zone_sourcecCsBd|krdtj|d�iSd|kr4dtj|d�iSttd��dS)NrXrYrWzFailed to reverse rule)�copy�deepcopyr	r
)rT�dictr4r4r5�reverse_rule�s
znftables.reverse_rulec
Cs�xdD]}||krPqW|||dk�r�||d|}||d|=t|�tkr^ttd��||dd||ddf}|dkr�||ks�|||ks�|||dkr�ttd	��|||d
8<n�||kr�i||<|||kr�d|||<d}xVt||j��D]B}||k�r"|dk�r"P||||7}||k�r|dk�rP�qW|||d
7<||}	||=|dk�r�|	|d<n |d
8}|	|d<||ddd<dS)
NrWrXrYrZz%priority must be followed by a numberr]�chainrz*nonexistent or underflow of priority countr<ra)rWrXrY)r+�intr	rr
�sorted�keys)
rTrZZpriority_counts�tokenrf�priorityrmra�prgr4r4r5�_set_rule_replace_priority�sD

 


z#nftables._set_rule_replace_prioritycCsfx`d
D]X}||krd||krtj||d�}xdD]}||kr6||=q6Wtj|dd	�}|SqWdS)NrWrXrYrZra�handle�positionT)Z	sort_keys)rWrXrY)rarurv)rirj�json�dumps)rTrZrf�rule_keyZnon_keyr4r4r5�
_get_rule_keys


znftables._get_rule_keycCsLdddddg}dddg}g}g}tj|j�}tj|j�}tj|j�}	|jj�}
�x�|D�]�}t|�tkrvtt	d|��x|D]}||kr|Pq|W||kr�tt
d|��|j|�}
|
|
k�rDtj
d|j|
|
|
�|dkr�|
|
d	7<qVnX|
|
d	k�r|
|
d	8<qVn6|
|
d	k�r,|
|
d	8<ntt	d
|
|
|
f��n|
�r\|dk�r\d	|
|
<|j|�tj|�}|
�rttd||dd��||dd<|j||d
�|j||d�|j||	�|dk�rdd|ddd|ddd|ddd|j|
d�ii}|j|�qVWdddd	iig|i}tj�dk�rVtjd|jtj|��|jj|�\}}}|dk�r�tdd|tj|�f��||_||_|	|_|
|_d}x�|D]�}|d	7}|j|�}
|
�s̐q�d|k�r�|j|
=|j|
=�q�x"|D]}||d|k�r�P�q�W||d|k�r$�q�|d||dd|j|
<�q�WdS)NrWrXrY�flush�replacez#rule must be a dictionary, rule: %szno valid verb found, rule: %sz%s: prev rule ref cnt %d, %sr<z)rule ref count bug: rule_key '%s', cnt %drZ�exprz%%RICH_RULE_PRIORITY%%z%%POLICY_PRIORITY%%r]�tablerm)r]r~rmrurIZmetainfoZjson_schema_versionr@z.%s: calling python-nftables with JSON blob: %srz'%s' failed: %s
JSON blob:
%szpython-nftablesru)rirjrPrQrRrOr+rkr	r
rrzrZdebug2�	__class__r2�listr(rtrhrNZgetDebugLogLevelZdebug3rwrxrIZjson_cmd�
ValueError)rT�rules�
log_deniedZ_valid_verbsZ_valid_add_verbsZ_deduplicated_rulesZ_executed_rulesrPrQrRrOrZrfryZ_ruleZ	json_blobZrcr!�errorrar4r4r5�	set_rules+s�







&






znftables.set_rulescCs|j|g|�dS)N�)r�)rTrZr�r4r4r5�set_rule�sznftables.set_ruleNcCs|r
|gStj�S)N)�IPTABLES_TO_NFT_HOOKrp)rTr~r4r4r5�get_available_tables�sznftables.get_available_tablescCsFg}x<dD]4}|jdd||d�ii�|jdd||d�ii�q
W|S)	NrJrKrLrWr~)r]�namerY)rJrKrL)r2)rTr~r�r]r4r4r5�_build_delete_table_rules�s


z"nftables._build_delete_table_rulescCs�i}i}xB|jd�D]4}|j|�}||jkr|j|||<|j|||<qW||_||_i|_i|_i|_x*dD]"}t|j|krp|j|j	t�qpW|j
t�S)NTrJrKrL)rJrKrL)� _build_set_policy_rules_ct_rulesrzrNrOrPrQrR�
TABLE_NAMErSrbr�)rTZsaved_rule_to_handleZsaved_rule_ref_countrZ�
policy_keyr]r4r4r5�build_flush_rules�s 


znftables.build_flush_rulesc
Cslddd�|}g}xTdD]L}|j|ddtd	d
|fddd
diiddddgid�iddigd�ii�qW|S)NrWrY)TFrr r!rZrJz%s_%sr(r)�ctr`�state�in�set�established�related)r.r/r0�accept)r]r~rmr})rr r!)r2�TABLE_NAME_POLICY)rT�enable�add_delr��hookr4r4r5r��s


z)nftables._build_set_policy_rules_ct_rulescCstg}|dkrt|jdddtd�ii�|jdjt�x>dD]6}|jdddtd	d
|fd|dtd
dd�ii�q:W|dk�r�|jdddtd�ii�|jdjt�x>dD]6}|jdddtd	d|fd|dtd
dd�ii�q�W||jd�7}nz|dk�rfx4|jd�D]&}|j|�}||jk�r|j|��qW||jt�7}t|jdk�rp|jdjt�n
t	t
d�|S)NZPANICrWr~rJ)r]r�rr!rmz%s_%sr%r(i,r<�drop)r]r~r�r+r��prio�policy�DROPrr rT�ACCEPTFznot implemented)rr!i���)rr r!)r2r�rS�NFT_HOOK_OFFSETr�rzrNr�rbr	r
)rTr�r�r�rZr�r4r4r5�build_set_policy_rules�sH













znftables.build_set_policy_rulescCs<t�}x,|r|gntj�D]}|jt|j��qWt|�S)N)r��ICMP_TYPES_FRAGMENTSrp�updater�)rT�ipvZ	supportedZ_ipvr4r4r5�supported_icmp_types�sznftables.supported_icmp_typescCs>g}x4dD],}|jdd|td�ii�|j|jt�q
W|S)NrJrKrLrWr~)r]r�)rJrKrL)r2r�rS)rTZdefault_tablesr]r4r4r5�build_default_tabless

znftables.build_default_tables�offcCs�g}x�tdj�D]�}|jdddtd|ddtd|dtd|d	d
�ii�xz|jjrlddd
dgndd
dgD]X}|jdddtd||fd�ii�|jdddtd|ddd||fiigd�ii�qvWqWx�d?D]�}x�tdj�D]�}|jdd|td|ddtd|dtd|d	d
�ii�x~|jj�rJddd
dgndd
dgD]Z}|jdd|td||fd�ii�|jdd|td|ddd||fiigd�ii��qTWq�Wq�WxVtdj�D]F}|jdddtd|ddtd|dtd|d	d
�ii��q�W|jdddtddddddiid d!d"d#gid$�id%digd�ii�|jdddtdddddd&iid d'd$�id%digd�ii�|jdddtdddd(dd)iid*d+d$�id%digd�ii�x~|jj�r�ddd
dgndd
dgD]Z}|jdddtd,d|fd�ii�|jdddtddddd,d|fiigd�ii��q�W|d-k�r�|jdddtddddddiid d!d.gid$�i|j|�d/d0d1iigd�ii�|jdddtddddddiid d!d.gid$�id2digd�ii�|d-k�r$|jdddtdd|j|�d/d0d3iigd�ii�|jdddtddd4d5d6d7�igd�ii�|jdddtdd8ddddiid d!d"d#gid$�id%digd�ii�|jdddtdd8dddd&iid d'd$�id%digd�ii�|jdddtdd8dd(dd)iid*d+d$�id%digd�ii�xbd@D]Z}|jdddtd,d8|fd�ii�|jdddtdd8ddd,d8|fiigd�ii��qWx�dAD]�}xz|jj�r�dd
gnd
gD]^}|jdddtd;d8||fd�ii�|jdddtdd8ddd;d8||fiigd�ii��q�W�qvWxbdBD]Z}|jdddtd,d8|fd�ii�|jdddtdd8ddd,d8|fiigd�ii��qW|d-k�r�|jdddtdd8ddddiid d!d.gid$�i|j|�d/d0d1iigd�ii�|jdddtdd8ddddiid d!d.gid$�id2digd�ii�|d-k�r6|jdddtdd8|j|�d/d0d3iigd�ii�|jdddtdd8d4d5d6d7�igd�ii�|jdddtdd<ddddiid d!d"d#gid$�id%digd�ii�|jdddtd=dd(dd>iid*d+d$�id%digd�ii�xbdCD]Z}|jdddtd,d<|fd�ii�|jdddtdd<ddd,d<|fiigd�ii��q�WxbdDD]Z}|jdddtd,d<|fd�ii�|jdddtdd<ddd,d<|fiigd�ii��qHW|S)ENr&rWrmrJz	mangle_%sr(z%srr<)r]r~r�r+r�r��POLICIES_preZZONES_SOURCEZZONES�
POLICIES_postzmangle_%s_%s)r]r~r�rZ�jump�target)r]r~rmr}rKrLr'znat_%sz	nat_%s_%sz	filter_%sr"r)r�r`r�r�r�r�r�)r.r/r0r�Zstatus�dnat�meta�iifnamez==�lozfilter_%s_%sr�Zinvalidr�prefixzSTATE_INVALID_DROP: r�zFINAL_REJECT: �reject�icmpxzadmin-prohibited)r+r}r#�IN�OUTzfilter_%s_%s_%sr$�
filter_OUTPUT�oifname)rKrL)r�)r�r�)r�)r�)r�)r�rpr2r�rMrd�_pkttype_match_fragment)rTr�Z
default_rulesrmZdispatch_suffixr]�	directionr4r4r5�build_default_ruless�
$

(

&

.
 


&

&











&


.


&










&


&znftables.build_default_rulescCs4|dkrdddgS|dkr dgS|dkr0ddgSgS)	Nr(r"�
FORWARD_IN�FORWARD_OUTr&rr'rr4)rTr~r4r4r5�get_zone_table_chains�s
znftables.get_zone_table_chainsrJc
s��dkr\�dkr\g}
|
j�j�|��||||dd�	�|
j�j�|��||||dd�	�|
S�jjj|���jdkrxdnd��dkr��d	kr�d
nd}�jjj|�t|��g}g}
|r�|jdd
ddiiddt	|�id�i�|�r|
jdd
ddiiddt	|�id�i�ddd�}|�rlxT|D]L}�dk�rT�jj
j|�}||k�rT�||k�rT�q|j�jd|���qW|�r�xT|D]L}�dk�r��jj
j|�}||k�r��||k�r��qx|
j�jd|���qxW��������fdd�}g}
|�rHx�|D]P}|
�rxB|
D]}|
j|||���qWn"�dk�r0|�r0n|
j||d���q�Wn\�dk�rZ|�rZnJ|
�r�xB|
D]}|
j|d|���qfWn"�dk�r�|�r�n|
j|dd��|
S)Nr'rJrK)r]rLr�pre�postrTFr)r�r`r�z==r�)r.r/r0r�)rGrH�saddr�daddrcs�g}|r|j|�|r |j|�|jddd��fii��td���f|d�}|j�j����rrdd|iiSdd|iiSdS)	Nr�r�z%s_%sz%s_%s_POLICIES_%s)r]r~rmr}rWrZrY)r2r�r��_policy_priority_fragment)�ingress_fragment�egress_fragment�expr_fragmentsrZ)�_policyrm�chain_suffixr�r]�p_objrTr~r4r5�_generate_policy_dispatch_rules

zRnftables.build_policy_ingress_egress_rules.<locals>._generate_policy_dispatch_rule)
�extend�!build_policy_ingress_egress_rulesrMr�Z
get_policyrr�policy_base_chain_name�POLICY_CHAIN_PREFIXr2r�r[Zcheck_source�_rule_addr_fragment)rTr�r�r~rmZingress_interfacesZegress_interfacesZingress_sourcesZegress_sourcesr]r��isSNATZingress_fragmentsZegress_fragmentsZ
ipv_to_family�srcr��dstr�r�r�r4)r�rmr�r�r]r�rTr~r5r��sv









z*nftables.build_policy_ingress_egress_rulesFc	
Cs�|dkrT|dkrTg}	|	j|j|||||||d��|	j|j|||||||d��|	S|dkrh|dkrhdnd}
|jjj||t|
d�}d	d
d	d	d
d
d�|}|t|�dd
kr�|dt|�d�d}d}
|dkr�|
dd||fiig}n,ddd|iid|d�i|
dd||fiig}|�rL|�rLd}|td||f|d�}|j|j	��nP|�rnd}|td||f|d�}n.d}|td||f|d�}|�s�|j|j	��|d|iigS)Nr'rJrKrLrTF)r�r�r�)rrr"r�r�r$r<�+�*�gotor�z%s_%sr)r�r`z==)r.r/r0rXz%s_%s_ZONES)r]r~rmr}rWrYrZ)
r��!build_zone_source_interface_rulesrMr�r�r�rer�r��_zone_interface_fragment)rTr�r[r��	interfacer~rmr2r]r�r�r��opt�actionr�rfrZr4r4r5r�Qs\



z*nftables.build_zone_source_interface_rulesc	Csn|dkr�|dkr�g}|jd�r6|j|td�d��}	nd}	td|�sTt|�sT|	dkrp|j|j||||||d��td|�s�t|�s�|	dkr�|j|j||||||d��|S|dkr�|dkr�d	nd
}
|jjj	||t
|
d�}dd
d�|}ddddddd�|}
|jj�rd||f}nd||f}d}|t||j
|
|�|dd||fiigd�}|j|j||��|d|iigS)Nr'rJzipset:rGrKrHrLrTF)r�rXrY)TFr�r�)rrr"r�r�r$z%s_%s_ZONES_SOURCEz%s_%s_ZONESr�r�z%s_%s)r]r~rmr}rZ)�
startswith�_set_get_familyrerrr��build_zone_source_address_rulesrMr�r�r�rdr�r�r��_zone_source_fragment)rTr�r[r�r\r~rmr]r�Zipset_familyr�r�r�r�Zzone_dispatch_chainr�rZr4r4r5r��sB


z(nftables.build_zone_source_address_rulesc
Cs|dkrH|dkrHg}|j|j||||d��|j|j||||d��|Sddd�|}|dkrj|dkrjd	nd
}|jjj||t|d�}	g}|j|d|td
||	fd�ii�x0d!D](}
|j|d|td||	|
fd�ii�q�WxDd"D]<}
|j|d|td
||	fddd||	|
fiigd�ii�q�W|jjj|j	}|jj
�dk�r�|dk�r�|d#k�r�|}|dk�rhd}|j|d|td
||	f|j|jj
��ddd|	|fiigd�ii�|dk�r|d$k�r|d%k�r�|j�}
n|j
�di}
|j|d|td
||	f|
gd�ii�|�s|j�|S)&Nr'rJrKrLrWrY)TFrTF)r�rmz%s_%s)r]r~r�r�r�deny�allowr�z%s_%s_%srZr�r�)r]r~rmr}r�r(�REJECT�
%%REJECT%%r�r�z"filter_%s_%s: "r�)r�rr�r�r�)r�rr�r�r�)r�r�r�)r�r�r�r�)r�r�)r��build_policy_chain_rulesrMr�r�r�r2r�Z	_policiesr��get_log_deniedr��_reject_fragment�lower�reverse)rTr�r�r~rmr]r�r�r�r�r�r�Z
log_suffix�target_fragmentr4r4r5r��sZ





&




 





z!nftables.build_policy_chain_rulescCs<|dkriS|dkr,ddddiid	|d
�iSttd|��dS)
N�all�unicast�	broadcast�	multicastr)r�r`�pkttypez==)r.r/r0zInvalid pkttype "%s")r�r�r�)r	r)rTr�r4r4r5r��s
z nftables._pkttype_match_fragmentcCsdddd�idddd�idddd�idddd�idddd�idddd�idddd�idddd�idddd�idddd�iddd	d�iddd	d�iddd
d�iddd
d�iddd
d�idddd�idddd�iddd
d�iddd
d�idddd�idddd�idddiidddiid�}||S)Nr�r7zhost-prohibited)r+r}znet-prohibitedzadmin-prohibitedrFznet-unreachablezhost-unreachablezport-unreachabler�zprot-unreachablezaddr-unreachablezno-router+z	tcp reset)zicmp-host-prohibitedzhost-prohibzicmp-net-prohibitedz
net-prohibzicmp-admin-prohibitedzadmin-prohibzicmp6-adm-prohibitedzadm-prohibitedzicmp-net-unreachableznet-unreachzicmp-host-unreachablezhost-unreachzicmp-port-unreachablezicmp6-port-unreachablezport-unreachzicmp-proto-unreachablez
proto-unreachzicmp6-addr-unreachablezaddr-unreachzicmp6-no-routezno-routez	tcp-resetztcp-rstr4)rTZreject_typeZfragsr4r4r5�_reject_types_fragment�s0
znftables._reject_types_fragmentcCsdddd�iS)Nr�r�zadmin-prohibited)r+r}r4)rTr4r4r5r�sznftables._reject_fragmentcCs ddddiiddddgid	�iS)
Nr)r�r`�l4protoz==r�r7rF)r.r/r0r4)rTr4r4r5�_icmp_match_fragment"sznftables._icmp_match_fragmentcCsP|siSddddd�}|j�\}}|||d�}|j�}|dk	rH||d<d|iS)	N�secondZminuteZhourZday)�s�m�h�d)�rateZper�burst�limit)Zvalue_parseZburst_parse)rTr�Zrich_to_nftr�Zdurationr�r�r4r4r5�_rich_rule_limit_fragment'sz"nftables._rich_rule_limit_fragmentcCs�t|j�tttgkrn<|jrHt|j�tttt	gkrRt
tdt|j���n
t
td��|jdkr�t|j�ttgks�t|j�tt	gkr�dSt|j�tgks�t|j�ttgkr�dSn|jdkr�dSdSdS)NzUnknown action %szNo rule action specified.rr�r�r�r�)
r+�elementrrrr�rrrrr	rrr)rT�	rich_ruler4r4r5�_rich_rule_chain_suffix?s 


z nftables._rich_rule_chain_suffixcCs>|jr|jrttd��|jdkr(dS|jdkr6dSdSdS)NzNot log or auditrrr�r�)r�auditr	rrr)rTr�r4r4r5� _rich_rule_chain_suffix_from_logUs


z)nftables._rich_rule_chain_suffix_from_logcCsddiS)Nz%%ZONE_INTERFACE%%r4)rTr4r4r5r�`sz!nftables._zone_interface_fragmentcCsNtd|�rt|�}n,td|�r@|jd�}t|d�d|d}d||d�iS)NrH�/rr<z%%ZONE_SOURCE%%)r[r\)rrr�split)rTr[r\Z
addr_splitr4r4r5r�cs



znftables._zone_source_fragmentcCs
d|jiS)Nz%%POLICY_PRIORITY%%)rr)rTr�r4r4r5r�ksz"nftables._policy_priority_fragmentcCs|s|jdkriSd|jiS)Nrz%%RICH_RULE_PRIORITY%%)rr)rTr�r4r4r5�_rich_rule_priority_fragmentnsz%nftables._rich_rule_priority_fragmentcCs�|js
iS|jjj||t�}ddd�|}|j|�}i}	|jjrPd|jj|	d<|jjr|d|jjkrhdn|jj}
d|
|	d<d	td
|||f||j	|jj
�d|	igd�}|j|j|��|d
|iiS)NrWrY)TFz%sr�Zwarning�warn�levelrJz%s_%s_%sr)r]r~rmr}rZ)
rrMr�r�r�r�r�rr�r�r�r�r�)rTr�r�r�r~r�r�r�r�Zlog_optionsrrZr4r4r5�_rich_rule_logss&
znftables._rich_rule_logc
Cs�|js
iS|jjj||t�}ddd�|}|j|�}dtd|||f||j|jj�dddiigd	�}	|	j	|j
|��|d
|	iiS)NrWrY)TFrJz%s_%s_%srrr�)r]r~rmr}rZ)r�rMr�r�r�r�r�r�r�r�r�)
rTr�r�r�r~r�r�r�r�rZr4r4r5�_rich_rule_audit�s
znftables._rich_rule_auditc
Cs�|js
iS|jjj||t�}ddd�|}|j|�}d|||f}	t|j�tkr\ddi}
�nt|j�tkr�|jjr�|j	|jj�}
nddi}
n�t|j�t
kr�ddi}
n�t|j�tk�rHd}|jjj||t�}d|||f}	|jjj
d	�}t|�d
k�r,dddd
iiddddd
ii|d
gi|dgid�i}
ndddd
ii|dd�i}
nttdt|j���dt|	||j|jj�|
gd�}|j|j|��|d|iiS)NrWrY)TFz%s_%s_%sr�r�r�r&r�r<r�r`�mark�^�&r)r`�valuezUnknown action %srJ)r]r~rmr}rZ)r�rMr�r�r�r�r+rrr�rrr�r�rer	rr�r�r�r�r�)
rTr�r�r�r~r�r�r�r�rmZrule_actionrrZr4r4r5�_rich_rule_action�sB


,znftables._rich_rule_actioncCs�|jd�r0|j|td�d�d|kr(dnd|�St|�r>d}n�td|�rNd}nvtd|�r�d}tj|dd�}d	|jj	|j
d
�i}nDtd|�r�d}t|�}n,d}|jd
�}d	t|d�t
|d�d
�i}dd||d�i|r�dnd|d�iSdS)Nzipset:r�TF�etherrGrK)�strictr�)�addrrerHrLr�rr<r)r*)r,r-z!=z==)r.r/r0)r��_set_match_fragmentrerrr�	ipaddressZIPv4NetworkZnetwork_addressZ
compressedZ	prefixlenrr�rn)rTZ
addr_fieldr\�invertr]Znormalized_addressZaddr_lenr4r4r5r��s(
&





znftables._rule_addr_fragmentcCs6|siS|d
krttd|��ddddiid|d	�iS)NrGrHzInvalid familyr)r�r`�nfprotoz==)r.r/r0)rGrH)r	r)rTZrich_familyr4r4r5�_rich_rule_family_fragment�s
z#nftables._rich_rule_family_fragmentcCs8|siS|jr|j}n|jr&d|j}|jd||jd�S)Nzipset:r�)r)r�ipsetr�r)rTZ	rich_destr\r4r4r5�_rich_rule_destination_fragment�s
z(nftables._rich_rule_destination_fragmentcCsZ|siS|jr|j}n2t|d�r.|jr.|j}nt|d�rH|jrHd|j}|jd||jd�S)N�macrzipset:r�)r)r�hasattrrrr�r)rTZrich_sourcer\r4r4r5�_rich_rule_source_fragment�s
z#nftables._rich_rule_source_fragmentcCsPt|�}t|t�r$|dkr$tt��n(t|�dkr8|dSd|d|dgiSdS)Nrr<�range)r�
isinstancernr	rre)rT�portrr4r4r5�_port_fragments
znftables._port_fragmentc	Csbddd�|}d}|jjj||t�}	g}
|r>|
j|j|j��|rT|
j|jd|��|r||
j|j|j	��|
j|j
|j��|
jdd|dd	�id
|j|�d�i�|s�t
|j�tkr�|
jddd
diiddddgid�i�g}|�r0|j|j|||||
��|j|j|||||
��|j|j|||||
��n.|j|ddtd||	f|
ddigd�ii�|S)NrWrY)TFr(r�r)r*�dport)r,r-z==)r.r/r0r�r`r�r�r��new�	untrackedrZrJz%s_%s_allowr�)r]r~rmr})rMr�r�r�r2rr]r�r�destinationr�sourcerr+r�rrrrr�)rTr�r��protorrr�r�r~r�r�r�r4r4r5�build_policy_ports_ruless:


z!nftables.build_policy_ports_rulesc	CsZddd�|}d}|jjj||t�}g}	|r>|	j|j|j��|rT|	j|jd|��|r||	j|j|j	��|	j|j
|j��|	jdddd	iid
|d�i�|s�t|j
�tkr�|	jdddd
iiddddgid�i�g}
|�r(|
j|j|||||	��|
j|j|||||	��|
j|j|||||	��n.|
j|ddtd||f|	ddigd�ii�|
S)NrWrY)TFr(r�r)r�r`r�z==)r.r/r0r�r�r�r�rrrZrJz%s_%s_allowr�)r]r~rmr})rMr�r�r�r2rr]r�rrrrr+r�rrrrr�)rTr�r�r,rr�r�r~r�r�r�r4r4r5�build_policy_protocol_rules2s8

z$nftables.build_policy_protocol_rulesc	Csbddd�|}d}|jjj||t�}	g}
|r>|
j|j|j��|rT|
j|jd|��|r||
j|j|j	��|
j|j
|j��|
jdd|dd	�id
|j|�d�i�|s�t
|j�tkr�|
jddd
diiddddgid�i�g}|�r0|j|j|||||
��|j|j|||||
��|j|j|||||
��n.|j|ddtd||	f|
ddigd�ii�|S)NrWrY)TFr(r�r)r*�sport)r,r-z==)r.r/r0r�r`r�r�r�rrrZrJz%s_%s_allowr�)r]r~rmr})rMr�r�r�r2rr]r�rrrrrr+r�rrrrr�)rTr�r�rrrr�r�r~r�r�r�r4r4r5�build_policy_source_ports_rulesUs:


z(nftables.build_policy_source_ports_rulesc
	Cs�d}|jjj||t�}	ddd�|}
g}|rR|jdddtd||f||d�ii�g}|rl|j|jd	|��|jd
d|dd
�id|j|�d�i�|jdd||fi�|j|
ddtd|	|d�ii�|S)Nr(rWrY)TFz	ct helperrJzhelper-%s-%s)r]r~r�r+r,r�r)r*r)r,r-z==)r.r/r0rZzfilter_%s_allow)r]r~rmr})rMr�r�r�r2r�r�r)
rTr�r�rrrZhelper_nameZmodule_short_namer~r�r�r�r�r4r4r5�build_policy_helper_ports_ruleszs.



z(nftables.build_policy_helper_ports_rulescCs�ddd�|}|jjj||t�}g}	|rv|t|�ddkrT|dt|�d�d}ddd	d
iid|d�id
dig}
n|jd|�d
dig}
dtd||
d�}|	j|d|ii�|	S)NrWrY)TFr<r�r�r)r�r`r�z==)r.r/r0r�r�rJzfilter_%s_allow)r]r~rmr}rZ)rMr�r�r�rer�r�r2)rTr�r[r�r~r�rr�r�r�r}rZr4r4r5�build_zone_forward_rules�s"z!nftables.build_zone_forward_rulesc	Cs�d}|jjj||tdd�}ddd�|}g}|r`|j|j|j��|j|j|j��|j	|�}	nd}	|t
d||	f|d	d
ddiid
dd�iddigd�}
|
j|j|��|d|
iigS)Nr'T)r�rWrY)TFr�z	nat_%s_%sr)r�r`r�z!=r�)r.r/r0Z
masquerade)r]r~rmr}rZ)
rMr�r�r�r2rrrrr�r�r�r�)rTr�r�r]r�r~r�r�r�r�rZr4r4r5�"_build_policy_masquerade_nat_rules�s&
z+nftables._build_policy_masquerade_nat_rulesc
Cs^g}|rD|jr|jdks,|jrDtd|jj�rD|j|j||d|��nV|r�|jrX|jdksl|jr�td|jj�r�|j|j||d|��n|j|j||d|��d}|jjj||t	�}ddd�|}g}|r�|j
|j|j��|j
|j
|j��|j|�}	nd	}	d
td||	f|dd
ddiiddddgid�iddigd�}
|
j|j|��|j
|d|
ii�|S)NrHrLrGrKr(rWrY)TFr�rJzfilter_%s_%sr)r�r`r�r�r�rr)r.r/r0r�)r]r~rmr}rZ)r]rrrr�r&rMr�r�r�r2rrrr�r�r�r�)rTr�r�r�r�r~r�r�r�r�rZr4r4r5�build_policy_masquerade_rules�s8
z&nftables.build_policy_masquerade_rulesc	Cs$d}	|jjj||	t�}
ddd�|}g}|r\|j|j|j��|j|j|j��|j	|�}
nd}
|jdd|dd	�id
|j
|�d�i�|r�td|�r�t|�}|r�|d
kr�|jd||j
|�d�i�q�|jdd|ii�n|jdd|j
|�ii�|t
d|
|
f|d�}|j|j|��|d|iigS)Nr'rWrY)TFr�r)r*r)r,r-z==)r.r/r0rHr�r�)rrrr;rz	nat_%s_%s)r]r~rmr}rZ)rMr�r�r�r2rrrrr�rrrr�r�r�)rTr�r�rr,�toaddr�toportr]r�r~r�r�r�r�rZr4r4r5�$_build_policy_forward_port_nat_rules�s4


z-nftables._build_policy_forward_port_nat_rulesc	
Cs�g}|rF|jr|jdks&|rFtd|�rF|j|j||||||d|��n�|r�|jrZ|jdksh|r�td|�r�|j|j||||||d|��nL|r�td|�r�|j|j||||||d|��n|j|j||||||d|��|S)NrHrLrGrK)r]rr�r*)	rTr�r�rr,r)r(r�r�r4r4r5�build_policy_forward_port_rulessz(nftables.build_policy_forward_port_rulescCs2|t|krt||Sttd||j|f��dS)Nz)ICMP type '%s' not supported by %s for %s)r�r	rr�)rTr�Z	icmp_typer4r4r5�_icmp_types_to_nft_fragments(sz%nftables._icmp_types_to_nft_fragmentscCsBd}|jjj||t�}ddd�|}|r6|jr6|j}n<|jrjg}d|jkrT|jd�d|jkrr|jd�nddg}g}	�x�|D�]�}
|jjj|�r�d||f}ddi}nd	||f}|j�}g}
|r�|
j|j	|j
��|
j|j|j��|
j|j|j
��|
j|j|
|j��|�r�|	j|j|||||
��|	j|j|||||
��|j�rf|	j|j|||||
��nN|j|�}d
td|||f|
|j�gd�}|j|j|��|	j|d
|ii�q~|jj�dk�r|jjj|��r|	j|d
d
t||
|j|jj��ddd||fiigd�ii�|	j|d
d
t||
|gd�ii�q~W|	S)Nr(rWrY)TFrGrHz%s_%s_allowr�z
%s_%s_denyrJz%s_%s_%s)r]r~rmr}rZr�rr�z"%s_%s_ICMP_BLOCK: ")rMr�r�r��ipvsrr2�query_icmp_block_inversionr�rr]rrrr�r,r�rrr�rr�r�r�r�r�r�)rTr�r�Zictr�r~r�r�r-r�r�Zfinal_chainr�r�r�rZr4r4r5�build_policy_icmp_block_rules/sb





"
"
z&nftables.build_policy_icmp_block_rulescCs�d}|jjj||t�}g}ddd�|}|jjj|�r@|j�}nddi}|j|ddtd||fd	|j�|gd
�ii�|jj	�dkr�|jjj|�r�|j|ddtd||fd	|j�|j
|jj	��dd
d||fiigd
�ii�|S)Nr(rWrY)TFr�rZrJz%s_%sr9)r]r~rmrar}r�rr�z%s_%s_ICMP_BLOCK: )rMr�r�r�r.r�r2r�r�r�r�)rTr�r�r~r�r�r�r�r4r4r5�'build_policy_icmp_block_inversion_rulesks,




 z0nftables.build_policy_icmp_block_inversion_rulescCs�g}ddddiiddd�iddd	d
dgdd
�iddd�ig}|dkrV|jdddii�|jddi�|jdddtd|d�ii�|jdddtdddddd�iddddgid�id digd�ii�|S)!Nr)r�r`rz==rH)r.r/r0Zfibr�ZiifrZoif)�flags�resultFr�rr�zrpfilter_DROP: r�rXrZrJZfilter_PREROUTING)r]r~rmr}r*rFr+)r,r-r�znd-router-advertznd-neighbor-solicitr�)r2r�)rTr�r�r�r4r4r5�build_rpfilter_rules�s0

znftables.build_rpfilter_rulesc	Cs�ddddddddd	g	}d
d�|D�}dd
ddd�idd|id�ig}|jjd"krb|jdddii�|j|jd��g}|jdddtdd|d�ii�|jdddtd d!|d�ii�|S)#Nz::0.0.0.0/96z::ffff:0.0.0.0/96z2002:0000::/24z2002:0a00::/24z2002:7f00::/24z2002:ac10::/28z2002:c0a8::/32z2002:a9fe::/32z2002:e000::/19cSs2g|]*}d|jd�dt|jd�d�d�i�qS)r�r�rr<)rre)r�rn)�.0r^r4r4r5�
<listcomp>�sz5nftables.build_rfc3964_ipv4_rules.<locals>.<listcomp>r)r*rLr�)r,r-z==r�)r.r/r0r�r�rr�zRFC3964_IPv4_REJECT: zaddr-unreachrWrZrJr�r<)r]r~rmrar}Zfilter_FORWARDrB)r�r�)rMZ_log_deniedr2r�r�)rTZ	daddr_setr�r�r4r4r5�build_rfc3964_ipv4_rules�s:

z!nftables.build_rfc3964_ipv4_rulescCs�d}g}|j|j|j��|j|j|j��|j|j|j��g}|j|j|||||��|j|j|||||��|j|j	|||||��|S)Nr()
r2rr]rrrrrrr)rTr�r�r�r~r�r�r4r4r5�*build_policy_rich_source_destination_rules�sz3nftables.build_policy_rich_source_destination_rulescCs|dkrdSdS)NrGrH�ebTF)rGrHr8r4)rTr�r4r4r5�is_ipv_supported�sznftables.is_ipv_supportedc
Cs�ddd�}||||ddg||dd||g||dd||g||dg||||||g||ddg||dd||g||dgdd	�}||kr�||Sttd
|��dS)NZ	ipv4_addrZ	ipv6_addr)rGrHZ
inet_protoZinet_servicerZifnameZ
ether_addr)zhash:ipzhash:ip,portzhash:ip,port,ipzhash:ip,port,netzhash:ip,markzhash:netzhash:net,netz
hash:net,portzhash:net,port,netzhash:net,ifacezhash:macz!ipset type name '%s' is not valid)r	r
)rTr�r+Zipv_addr�typesr4r4r5�_set_type_list�s"

znftables._set_type_listc
Cs�|rd|kr|ddkrd}nd}t||j||�d�}x0|jd�djd�D]}|dkrLdg|d
<PqLW|r�d|kr�|d|d<d|kr�|d|d<g}x0dD](}d|i}	|	j|�|jdd|	ii�q�W|S)Nr]�inet6rHrG)r~r�r+�:r<�,rK�netrZintervalr1ZtimeoutZmaxelem�sizerJrLrWr�)rKr?r)rJrKrL)r�r;r�r�r2)
rTr�r+�optionsr�Zset_dict�tr�r]Z	rule_dictr4r4r5�build_set_create_rules�s*


znftables.build_set_create_rulescCs$|j|||�}|j||jj��dS)N)rCr�rMr�)rTr�r+rAr�r4r4r5�
set_createsznftables.set_createcCs8x2dD]*}dd|t|d�ii}|j||jj��qWdS)NrJrKrLrYr�)r]r~r�)rJrKrL)r�r�rMr�)rTr�r]rZr4r4r5�set_destroys

znftables.set_destroycCs6|jjj|�jjd�djd�}g}x�tt|��D]�}||dkrr|jdddii�|jdd	|rdd
ndd�i�q2||dkr�|jd|j|�|r�dndd�i�q2||dkr�|jdd|r�dndii�q2||dkr�|jdddii�q2t	d||��q2Wdt|�dk�rd|in|d|�r&dndd|d�iS)Nr=r<r>rr�r`r�r*Zthrr")r,r-rKr?rr�r�Zifacer�r�rz-Unsupported ipset type for match fragment: %sr)�concatrz!=z==�@)r.r/r0)rKr?r)
rMr�	get_ipsetr+r�rrer2r�r	)rTr�Z
match_destr�type_formatr3�ir4r4r5r s$ znftables._set_match_fragmentcCsN|jjj|�}|jjd�djd�}|jd�}t|�t|�krHttd��g}�x�tt|��D�]�}||dk�r,y||j	d�}Wn&t
k
r�|jd�||}	Yn,X|j||d|��|||dd�}	y|	j	d�}Wn t
k
�r|j|	�Yn(X|jd|	d|�|	|dd�gi�q\||dk�r d||k�rb|jd||jd�i�n�y||j	d�}WnLt
k
�r�||}
d|jk�r�|jdd
k�r�t
|
�}
|j|
�Yn^X||d|�}
d|jk�r�|jdd
k�r�t
|
�}
|jd|
t|||dd��d�i�q\|j||�q\Wt|�dk�rJd|igS|S)Nr=r<r>z+Number of values does not match ipset type.rZtcp�-rrKr?r�r]r<r�)rrerF)rKr?)rMrrHr+r�rer	rrrar�r2rArrn)rTr��entry�objrIZentry_tokensZfragmentrJraZport_strrr4r4r5�_set_entry_fragment7sL

("znftables._set_entry_fragmentc	Cs>g}|j||�}x(dD] }|jdd|t||d�ii�qW|S)NrJrKrLrWr�)r]r~r��elem)rJrKrL)rNr2r�)rTr�rLr�r�r]r4r4r5�build_set_add_rulesks

znftables.build_set_add_rulescCs"|j||�}|j||jj��dS)N)rPr�rMr�)rTr�rLr�r4r4r5�set_addusznftables.set_addcCsF|j||�}x4dD],}dd|t||d�ii}|j||jj��qWdS)NrJrKrLrYr�)r]r~r�rO)rJrKrL)rNr�r�rMr�)rTr�rLr�r]rZr4r4r5�
set_deleteys
znftables.set_deletecCs4g}x*dD]"}dd|t|d�ii}|j|�q
W|S)NrJrKrLr{r�)r]r~r�)rJrKrL)r�r2)rTr�r�r]rZr4r4r5�build_set_flush_rules�s
znftables.build_set_flush_rulescCs |j|�}|j||jj��dS)N)rSr�rMr�)rTr�r�r4r4r5�	set_flush�s
znftables.set_flushcCsJ|jjj|�}|jdkrd}n(|jrBd|jkrB|jddkrBd}nd}|S)Nzhash:macr	r]r<rLrK)rMrrHr+rA)rTr�rr]r4r4r5r��s
znftables._set_get_familyc	Cs�g}|j|j|||��|j|j|��d}x^|D]D}|j|j||��|d7}|dkr2|j||jj��|j�d}q2W|j||jj��dS)Nrr<i�)r�rCrSrPr�rMr��clear)	rTZset_nameZ	type_nameZentriesZcreate_optionsZ
entry_optionsr��chunkrLr4r4r5�set_restore�s
znftables.set_restore)N)N)r�)rJ)FrJ)rJ)rJ)F)NN)NN)NN)NN)N)N)N)N)N)F)N)N)F)NN)I�__name__�
__module__�__qualname__r�Zpolicies_supportedrVrhrlrtrzr�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�rrrr�rrrrr r!r#r$r%r&r'r*r+r,r/r0r3r6r7r9r;rCrDrErrNrPrQrRrSrTr�rWr4r4r4r5rI�s�/.`

4


R
i
;
-
9
 +


	
$
$
$


'
$

<
#


4
		rIij���i����)N)(Z
__future__rrirwr
Zfirewall.core.loggerrZfirewall.functionsrrrrrZfirewall.errorsr	r
rrr
rrZfirewall.core.richrrrrrrrZnftables.nftablesrr�r�r�r�r�r6r��objectrIr4r4r4r5�<module>s�$$





































