#!/usr/bin/python2 -Es # -*- coding: utf-8 -*- # # Copyright (C) 2009-2016 Red Hat, Inc. # # Authors: # Thomas Woerner <twoerner@redhat.com> # Jiri Popelka <jpopelka@redhat.com> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. # from gi.repository import GObject import sys sys.modules['gobject'] = GObject import argparse import os from firewall.client import FirewallClient, FirewallClientIPSetSettings, \ FirewallClientZoneSettings, FirewallClientServiceSettings, \ FirewallClientIcmpTypeSettings, FirewallClientHelperSettings from firewall.errors import FirewallError from firewall import errors from firewall.functions import joinArgs, splitArgs from firewall.core.fw_nm import nm_is_imported, \ nm_get_connection_of_interface, nm_get_zone_of_connection, \ nm_set_zone_of_connection, nm_get_interfaces_in_zone from firewall.core.io.zone import zone_reader from firewall.core.io.service import service_reader from firewall.core.io.ipset import ipset_reader from firewall.core.io.icmptype import icmptype_reader from firewall.core.io.helper import helper_reader from firewall.command import FirewallCommand def __usage(): sys.stdout.write(""" Usage: firewall-cmd [OPTIONS...] General Options -h, --help Prints a short help text and exists -V, --version Print the version string of firewalld -q, --quiet Do not print status messages Status Options --state Return and print firewalld state --reload Reload firewall and keep state information --complete-reload Reload firewall and lose state information --runtime-to-permanent Create permanent from runtime configuration --check-config Check permanent configuration for errors Log Denied Options --get-log-denied Print the log denied value --set-log-denied=<value> Set log denied value Automatic Helpers Options --get-automatic-helpers Print the automatic helpers value --set-automatic-helpers=<value> Set automatic helpers value Permanent Options --permanent Set an option permanently Usable for options marked with [P] Zone Options --get-default-zone Print default zone for connections and interfaces --set-default-zone=<zone> Set default zone --get-active-zones Print currently active zones --get-zones Print predefined zones [P] --get-services Print predefined services [P] --get-icmptypes Print predefined icmptypes [P] --get-zone-of-interface=<interface> Print name of the zone the interface is bound to [P] --get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset> Print name of the zone the source is bound to [P] --list-all-zones List everything added for or enabled in all zones [P] --new-zone=<zone> Add a new zone [P only] --new-zone-from-file=<filename> [--name=<zone>] Add a new zone from file with optional name [P only] --delete-zone=<zone> Delete an existing zone [P only] --load-zone-defaults=<zone> Load zone default settings [P only] [Z] --zone=<zone> Use this zone to set or query options, else default zone Usable for options marked with [Z] --get-target Get the zone target [P only] [Z] --set-target=<target> Set the zone target [P only] [Z] --info-zone=<zone> Print information about a zone --path-zone=<zone> Print file path of a zone [P only] IPSet Options --get-ipset-types Print the supported ipset types --new-ipset=<ipset> --type=<ipset type> [--option=<key>[=<value>]].. Add a new ipset [P only] --new-ipset-from-file=<filename> [--name=<ipset>] Add a new ipset from file with optional name [P only] --delete-ipset=<ipset> Delete an existing ipset [P only] --load-ipset-defaults=<ipset> Load ipset default settings [P only] --info-ipset=<ipset> Print information about an ipset --path-ipset=<ipset> Print file path of an ipset [P only] --get-ipsets Print predefined ipsets --ipset=<ipset> --set-description=<description> Set new description to ipset [P only] --ipset=<ipset> --get-description Print description for ipset [P only] --ipset=<ipset> --set-short=<description> Set new short description to ipset [P only] --ipset=<ipset> --get-short Print short description for ipset [P only] --ipset=<ipset> --add-entry=<entry> Add a new entry to an ipset [P] --ipset=<ipset> --remove-entry=<entry> Remove an entry from an ipset [P] --ipset=<ipset> --query-entry=<entry> Return whether ipset has an entry [P] --ipset=<ipset> --get-entries List entries of an ipset [P] --ipset=<ipset> --add-entries-from-file=<entry> Add a new entries to an ipset [P] --ipset=<ipset> --remove-entries-from-file=<entry> Remove entries from an ipset [P] IcmpType Options --new-icmptype=<icmptype> Add a new icmptype [P only] --new-icmptype-from-file=<filename> [--name=<icmptype>] Add a new icmptype from file with optional name [P only] --delete-icmptype=<icmptype> Delete an existing icmptype [P only] --load-icmptype-defaults=<icmptype> Load icmptype default settings [P only] --info-icmptype=<icmptype> Print information about an icmptype --path-icmptype=<icmptype> Print file path of an icmptype [P only] --icmptype=<icmptype> --set-description=<description> Set new description to icmptype [P only] --icmptype=<icmptype> --get-description Print description for icmptype [P only] --icmptype=<icmptype> --set-short=<description> Set new short description to icmptype [P only] --icmptype=<icmptype> --get-short Print short description for icmptype [P only] --icmptype=<icmptype> --add-destination=<ipv> Enable destination for ipv in icmptype [P only] --icmptype=<icmptype> --remove-destination=<ipv> Disable destination for ipv in icmptype [P only] --icmptype=<icmptype> --query-destination=<ipv> Return whether destination ipv is enabled in icmptype [P only] --icmptype=<icmptype> --get-destinations List destinations in icmptype [P only] Service Options --new-service=<service> Add a new service [P only] --new-service-from-file=<filename> [--name=<service>] Add a new service from file with optional name [P only] --delete-service=<service> Delete an existing service [P only] --load-service-defaults=<service> Load icmptype default settings [P only] --info-service=<service> Print information about a service --path-service=<service> Print file path of a service [P only] --service=<service> --set-description=<description> Set new description to service [P only] --service=<service> --get-description Print description for service [P only] --service=<service> --set-short=<description> Set new short description to service [P only] --service=<service> --get-short Print short description for service [P only] --service=<service> --add-port=<portid>[-<portid>]/<protocol> Add a new port to service [P only] --service=<service> --remove-port=<portid>[-<portid>]/<protocol> Remove a port from service [P only] --service=<service> --query-port=<portid>[-<portid>]/<protocol> Return whether the port has been added for service [P only] --service=<service> --get-ports List ports of service [P only] --service=<service> --add-protocol=<protocol> Add a new protocol to service [P only] --service=<service> --remove-protocol=<protocol> Remove a protocol from service [P only] --service=<service> --query-protocol=<protocol> Return whether the protocol has been added for service [P only] --service=<service> --get-protocols List protocols of service [P only] --service=<service> --add-source-port=<portid>[-<portid>]/<protocol> Add a new source port to service [P only] --service=<service> --remove-source-port=<portid>[-<portid>]/<protocol> Remove a source port from service [P only] --service=<service> --query-source-port=<portid>[-<portid>]/<protocol> Return whether the source port has been added for service [P only] --service=<service> --get-source-ports List source ports of service [P only] --service=<service> --add-module=<module> Add a new module to service [P only] --service=<service> --remove-module=<module> Remove a module from service [P only] --service=<service> --query-module=<module> Return whether the module has been added for service [P only] --service=<service> --get-modules List modules of service [P only] --service=<service> --set-destination=<ipv>:<address>[/<mask>] Set destination for ipv to address in service [P only] --service=<service> --remove-destination=<ipv> Disable destination for ipv i service [P only] --service=<service> --query-destination=<ipv>:<address>[/<mask>] Return whether destination ipv is set for service [P only] --service=<service> --get-destinations List destinations in service [P only] Options to Adapt and Query Zones --list-all List everything added for or enabled in a zone [P] [Z] --list-services List services added for a zone [P] [Z] --timeout=<timeval> Enable an option for timeval time, where timeval is a number followed by one of letters 's' or 'm' or 'h' Usable for options marked with [T] --set-description=<description> Set new description to zone [P only] [Z] --get-description Print description for zone [P only] [Z] --set-short=<description> Set new short description to zone [P only] [Z] --get-short Print short description for zone [P only] [Z] --add-service=<service> Add a service for a zone [P] [Z] [T] --remove-service=<service> Remove a service from a zone [P] [Z] --query-service=<service> Return whether service has been added for a zone [P] [Z] --list-ports List ports added for a zone [P] [Z] --add-port=<portid>[-<portid>]/<protocol> Add the port for a zone [P] [Z] [T] --remove-port=<portid>[-<portid>]/<protocol> Remove the port from a zone [P] [Z] --query-port=<portid>[-<portid>]/<protocol> Return whether the port has been added for zone [P] [Z] --list-protocols List protocols added for a zone [P] [Z] --add-protocol=<protocol> Add the protocol for a zone [P] [Z] [T] --remove-protocol=<protocol> Remove the protocol from a zone [P] [Z] --query-protocol=<protocol> Return whether the protocol has been added for zone [P] [Z] --list-source-ports List source ports added for a zone [P] [Z] --add-source-port=<portid>[-<portid>]/<protocol> Add the source port for a zone [P] [Z] [T] --remove-source-port=<portid>[-<portid>]/<protocol> Remove the source port from a zone [P] [Z] --query-source-port=<portid>[-<portid>]/<protocol> Return whether the source port has been added for zone [P] [Z] --list-icmp-blocks List Internet ICMP type blocks added for a zone [P] [Z] --add-icmp-block=<icmptype> Add an ICMP block for a zone [P] [Z] [T] --remove-icmp-block=<icmptype> Remove the ICMP block from a zone [P] [Z] --query-icmp-block=<icmptype> Return whether an ICMP block has been added for a zone [P] [Z] --add-icmp-block-inversion Enable inversion of icmp blocks for a zone [P] [Z] --remove-icmp-block-inversion Disable inversion of icmp blocks for a zone [P] [Z] --query-icmp-block-inversion Return whether inversion of icmp blocks has been enabled for a zone [P] [Z] --list-forward-ports List IPv4 forward ports added for a zone [P] [Z] --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]] Add the IPv4 forward port for a zone [P] [Z] [T] --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]] Remove the IPv4 forward port from a zone [P] [Z] --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]] Return whether the IPv4 forward port has been added for a zone [P] [Z] --add-masquerade Enable IPv4 masquerade for a zone [P] [Z] [T] --remove-masquerade Disable IPv4 masquerade for a zone [P] [Z] --query-masquerade Return whether IPv4 masquerading has been enabled for a zone [P] [Z] --list-rich-rules List rich language rules added for a zone [P] [Z] --add-rich-rule=<rule> Add rich language rule 'rule' for a zone [P] [Z] [T] --remove-rich-rule=<rule> Remove rich language rule 'rule' from a zone [P] [Z] --query-rich-rule=<rule> Return whether a rich language rule 'rule' has been added for a zone [P] [Z] Options to Handle Bindings of Interfaces --list-interfaces List interfaces that are bound to a zone [P] [Z] --add-interface=<interface> Bind the <interface> to a zone [P] [Z] --change-interface=<interface> Change zone the <interface> is bound to [P] [Z] --query-interface=<interface> Query whether <interface> is bound to a zone [P] [Z] --remove-interface=<interface> Remove binding of <interface> from a zone [P] [Z] Options to Handle Bindings of Sources --list-sources List sources that are bound to a zone [P] [Z] --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset> Bind the source to a zone [P] [Z] --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset> Change zone the source is bound to [Z] --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset> Query whether the source is bound to a zone [P] [Z] --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset> Remove binding of the source from a zone [P] [Z] Helper Options --new-helper=<helper> --module=<module> [--family=<family>] Add a new helper [P only] --new-helper-from-file=<filename> [--name=<helper>] Add a new helper from file with optional name [P only] --delete-helper=<helper> Delete an existing helper [P only] --load-helper-defaults=<helper> Load helper default settings [P only] --info-helper=<helper> Print information about an helper --path-helper=<helper> Print file path of an helper [P only] --get-helpers Print predefined helpers --helper=<helper> --set-description=<description> Set new description to helper [P only] --helper=<helper> --get-description Print description for helper [P only] --helper=<helper> --set-short=<description> Set new short description to helper [P only] --helper=<helper> --get-short Print short description for helper [P only] --helper=<helper> --add-port=<portid>[-<portid>]/<protocol> Add a new port to helper [P only] --helper=<helper> --remove-port=<portid>[-<portid>]/<protocol> Remove a port from helper [P only] --helper=<helper> --query-port=<portid>[-<portid>]/<protocol> Return whether the port has been added for helper [P only] --helper=<helper> --get-ports List ports of helper [P only] --helper=<helper> --set-module=<module> Set module to helper [P only] --helper=<helper> --get-module Get module from helper [P only] --helper=<helper> --set-family={ipv4|ipv6|} Set family for helper [P only] --helper=<helper> --get-family Get module from helper [P only] Direct Options --direct First option for all direct options --get-all-chains Get all chains [P] --get-chains {ipv4|ipv6|eb} <table> Get all chains added to the table [P] --add-chain {ipv4|ipv6|eb} <table> <chain> Add a new chain to the table [P] --remove-chain {ipv4|ipv6|eb} <table> <chain> Remove the chain from the table [P] --query-chain {ipv4|ipv6|eb} <table> <chain> Return whether the chain has been added to the table [P] --get-all-rules Get all rules [P] --get-rules {ipv4|ipv6|eb} <table> <chain> Get all rules added to chain in table [P] --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>... Add rule to chain in table [P] --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>... Remove rule with priority from chain in table [P] --remove-rules {ipv4|ipv6|eb} <table> <chain> Remove rules from chain in table [P] --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>... Return whether a rule with priority has been added to chain in table [P] --passthrough {ipv4|ipv6|eb} <arg>... Pass a command through (untracked by firewalld) --get-all-passthroughs Get all tracked passthrough rules [P] --get-passthroughs {ipv4|ipv6|eb} <arg>... Get tracked passthrough rules [P] --add-passthrough {ipv4|ipv6|eb} <arg>... Add a new tracked passthrough rule [P] --remove-passthrough {ipv4|ipv6|eb} <arg>... Remove a tracked passthrough rule [P] --query-passthrough {ipv4|ipv6|eb} <arg>... Return whether the tracked passthrough rule has been added [P] Lockdown Options --lockdown-on Enable lockdown. --lockdown-off Disable lockdown. --query-lockdown Query whether lockdown is enabled Lockdown Whitelist Options --list-lockdown-whitelist-commands List all command lines that are on the whitelist [P] --add-lockdown-whitelist-command=<command> Add the command to the whitelist [P] --remove-lockdown-whitelist-command=<command> Remove the command from the whitelist [P] --query-lockdown-whitelist-command=<command> Query whether the command is on the whitelist [P] --list-lockdown-whitelist-contexts List all contexts that are on the whitelist [P] --add-lockdown-whitelist-context=<context> Add the context context to the whitelist [P] --remove-lockdown-whitelist-context=<context> Remove the context from the whitelist [P] --query-lockdown-whitelist-context=<context> Query whether the context is on the whitelist [P] --list-lockdown-whitelist-uids List all user ids that are on the whitelist [P] --add-lockdown-whitelist-uid=<uid> Add the user id uid to the whitelist [P] --remove-lockdown-whitelist-uid=<uid> Remove the user id uid from the whitelist [P] --query-lockdown-whitelist-uid=<uid> Query whether the user id uid is on the whitelist [P] --list-lockdown-whitelist-users List all user names that are on the whitelist [P] --add-lockdown-whitelist-user=<user> Add the user name user to the whitelist [P] --remove-lockdown-whitelist-user=<user> Remove the user name user from the whitelist [P] --query-lockdown-whitelist-user=<user> Query whether the user name user is on the whitelist [P] Panic Options --panic-on Enable panic mode --panic-off Disable panic mode --query-panic Query whether panic mode is enabled """) def try_set_zone_of_interface(_zone, interface): if nm_is_imported(): try: connection = nm_get_connection_of_interface(interface) except Exception: pass else: if connection is not None: if _zone == nm_get_zone_of_connection(connection): if _zone == "": cmd.print_warning("The interface is under control of NetworkManager and already bound to the default zone") else: cmd.print_warning("The interface is under control of NetworkManager and already bound to '%s'" % _zone) if _zone == "": cmd.print_msg("The interface is under control of NetworkManager, setting zone to default.") else: cmd.print_msg("The interface is under control of NetworkManager, setting zone to '%s'." % _zone) nm_set_zone_of_connection(_zone, connection) return True return False def try_get_zone_of_interface(interface): if nm_is_imported(): try: connection = nm_get_connection_of_interface(interface) except Exception: pass else: if connection is not None: return nm_get_zone_of_connection(connection) return False def try_nm_get_interfaces_in_zone(zone): if nm_is_imported(): try: return nm_get_interfaces_in_zone(zone) except Exception: pass return [] parser = argparse.ArgumentParser(usage="see firewall-cmd man page", add_help=False) parser_group_output = parser.add_mutually_exclusive_group() parser_group_output.add_argument("-v", "--verbose", action="store_true") parser_group_output.add_argument("-q", "--quiet", action="store_true") parser_group_standalone = parser.add_mutually_exclusive_group() parser_group_standalone.add_argument("-h", "--help", action="store_true") parser_group_standalone.add_argument("-V", "--version", action="store_true") parser_group_standalone.add_argument("--state", action="store_true") parser_group_standalone.add_argument("--reload", action="store_true") parser_group_standalone.add_argument("--complete-reload", action="store_true") parser_group_standalone.add_argument("--runtime-to-permanent", action="store_true") parser_group_standalone.add_argument("--check-config", action="store_true") parser_group_standalone.add_argument("--get-ipset-types", action="store_true") parser_group_standalone.add_argument("--get-log-denied", action="store_true") parser_group_standalone.add_argument("--set-log-denied", metavar="<value>") parser_group_standalone.add_argument("--get-automatic-helpers", action="store_true") parser_group_standalone.add_argument("--set-automatic-helpers", metavar="<value>") parser_group_standalone.add_argument("--panic-on", action="store_true") parser_group_standalone.add_argument("--panic-off", action="store_true") parser_group_standalone.add_argument("--query-panic", action="store_true") parser_group_standalone.add_argument("--lockdown-on", action="store_true") parser_group_standalone.add_argument("--lockdown-off", action="store_true") parser_group_standalone.add_argument("--query-lockdown", action="store_true") parser_group_standalone.add_argument("--get-default-zone", action="store_true") parser_group_standalone.add_argument("--set-default-zone", metavar="<zone>") parser_group_standalone.add_argument("--get-zones", action="store_true") parser_group_standalone.add_argument("--get-services", action="store_true") parser_group_standalone.add_argument("--get-icmptypes", action="store_true") parser_group_standalone.add_argument("--get-active-zones", action="store_true") parser_group_standalone.add_argument("--get-zone-of-interface", metavar="<iface>", action='append') parser_group_standalone.add_argument("--get-zone-of-source", metavar="<source>", action='append') parser_group_standalone.add_argument("--list-all-zones", action="store_true") parser_group_standalone.add_argument("--info-zone", metavar="<zone>") parser_group_standalone.add_argument("--info-service", metavar="<service>") parser_group_standalone.add_argument("--info-icmptype", metavar="<icmptype>") parser_group_standalone.add_argument("--info-ipset", metavar="<ipset>") parser_group_standalone.add_argument("--info-helper", metavar="<helper>") parser_group_config = parser.add_mutually_exclusive_group() parser_group_config.add_argument("--new-icmptype", metavar="<icmptype>") parser_group_config.add_argument("--new-icmptype-from-file", metavar="<filename>") parser_group_config.add_argument("--delete-icmptype", metavar="<icmptype>") parser_group_config.add_argument("--load-icmptype-defaults", metavar="<icmptype>") parser_group_config.add_argument("--new-service", metavar="<service>") parser_group_config.add_argument("--new-service-from-file", metavar="<filename>") parser_group_config.add_argument("--delete-service", metavar="<service>") parser_group_config.add_argument("--load-service-defaults", metavar="<service>") parser_group_config.add_argument("--new-zone", metavar="<zone>") parser_group_config.add_argument("--new-zone-from-file", metavar="<filename>") parser_group_config.add_argument("--delete-zone", metavar="<zone>") parser_group_config.add_argument("--load-zone-defaults", metavar="<zone>") parser_group_config.add_argument("--new-ipset", metavar="<ipset>") parser_group_config.add_argument("--new-ipset-from-file", metavar="<filename>") parser_group_config.add_argument("--delete-ipset", metavar="<ipset>") parser_group_config.add_argument("--load-ipset-defaults", metavar="<ipset>") parser_group_config.add_argument("--new-helper", metavar="<helper>") parser_group_config.add_argument("--new-helper-from-file", metavar="<filename>") parser_group_config.add_argument("--delete-helper", metavar="<helper>") parser_group_config.add_argument("--load-helper-defaults", metavar="<helper>") parser_group_config.add_argument("--path-zone", metavar="<zone>") parser_group_config.add_argument("--path-service", metavar="<service>") parser_group_config.add_argument("--path-icmptype", metavar="<icmptype>") parser_group_config.add_argument("--path-ipset", metavar="<ipset>") parser_group_config.add_argument("--path-helper", metavar="<helper>") parser.add_argument("--name", default="", metavar="<name>") parser_group_lockdown_whitelist = parser.add_mutually_exclusive_group() parser_group_lockdown_whitelist.add_argument("--list-lockdown-whitelist-commands", action="store_true") parser_group_lockdown_whitelist.add_argument("--add-lockdown-whitelist-command", metavar="<command>", action='append') parser_group_lockdown_whitelist.add_argument("--remove-lockdown-whitelist-command", metavar="<command>", action='append') parser_group_lockdown_whitelist.add_argument("--query-lockdown-whitelist-command", metavar="<command>", action='append') parser_group_lockdown_whitelist.add_argument("--list-lockdown-whitelist-contexts", action="store_true") parser_group_lockdown_whitelist.add_argument("--add-lockdown-whitelist-context", metavar="<context>", action='append') parser_group_lockdown_whitelist.add_argument("--remove-lockdown-whitelist-context", metavar="<context>", action='append') parser_group_lockdown_whitelist.add_argument("--query-lockdown-whitelist-context", metavar="<context>", action='append') parser_group_lockdown_whitelist.add_argument("--list-lockdown-whitelist-uids", action="store_true") parser_group_lockdown_whitelist.add_argument("--add-lockdown-whitelist-uid", metavar="<uid>", type=int, action='append') parser_group_lockdown_whitelist.add_argument("--remove-lockdown-whitelist-uid", metavar="<uid>", type=int, action='append') parser_group_lockdown_whitelist.add_argument("--query-lockdown-whitelist-uid", metavar="<uid>", type=int, action='append') parser_group_lockdown_whitelist.add_argument("--list-lockdown-whitelist-users", action="store_true") parser_group_lockdown_whitelist.add_argument("--add-lockdown-whitelist-user", metavar="<user>", action='append') parser_group_lockdown_whitelist.add_argument("--remove-lockdown-whitelist-user", metavar="<user>", action='append') parser_group_lockdown_whitelist.add_argument("--query-lockdown-whitelist-user", metavar="<user>", action='append') parser.add_argument("--permanent", action="store_true") parser.add_argument("--zone", default="", metavar="<zone>") parser.add_argument("--timeout", default="0", metavar="<seconds>") parser_group_zone = parser.add_mutually_exclusive_group() parser_group_zone.add_argument("--add-interface", metavar="<iface>", action='append') parser_group_zone.add_argument("--remove-interface", metavar="<iface>", action='append') parser_group_zone.add_argument("--query-interface", metavar="<iface>", action='append') parser_group_zone.add_argument("--change-interface", "--change-zone", metavar="<iface>", action='append') parser_group_zone.add_argument("--list-interfaces", action="store_true") parser_group_zone.add_argument("--add-source", metavar="<source>", action='append') parser_group_zone.add_argument("--remove-source", metavar="<source>", action='append') parser_group_zone.add_argument("--query-source", metavar="<source>", action='append') parser_group_zone.add_argument("--change-source", metavar="<source>", action='append') parser_group_zone.add_argument("--list-sources", action="store_true") parser_group_zone.add_argument("--add-rich-rule", metavar="<rule>", action='append') parser_group_zone.add_argument("--remove-rich-rule", metavar="<rule>", action='append') parser_group_zone.add_argument("--query-rich-rule", metavar="<rule>", action='append') parser_group_zone.add_argument("--add-service", metavar="<service>", action='append') parser_group_zone.add_argument("--remove-service", metavar="<zone>", action='append') parser_group_zone.add_argument("--query-service", metavar="<zone>", action='append') parser_group_zone.add_argument("--add-port", metavar="<port>", action='append') parser_group_zone.add_argument("--remove-port", metavar="<port>", action='append') parser_group_zone.add_argument("--query-port", metavar="<port>", action='append') parser_group_zone.add_argument("--add-protocol", metavar="<protocol>", action='append') parser_group_zone.add_argument("--remove-protocol", metavar="<protocol>", action='append') parser_group_zone.add_argument("--query-protocol", metavar="<protocol>", action='append') parser_group_zone.add_argument("--add-source-port", metavar="<port>", action='append') parser_group_zone.add_argument("--remove-source-port", metavar="<port>", action='append') parser_group_zone.add_argument("--query-source-port", metavar="<port>", action='append') parser_group_zone.add_argument("--add-masquerade", action="store_true") parser_group_zone.add_argument("--remove-masquerade", action="store_true") parser_group_zone.add_argument("--query-masquerade", action="store_true") parser_group_zone.add_argument("--add-icmp-block", metavar="<icmptype>", action='append') parser_group_zone.add_argument("--remove-icmp-block", metavar="<icmptype>", action='append') parser_group_zone.add_argument("--query-icmp-block", metavar="<icmptype>", action='append') parser_group_zone.add_argument("--add-icmp-block-inversion", action="store_true") parser_group_zone.add_argument("--remove-icmp-block-inversion", action="store_true") parser_group_zone.add_argument("--query-icmp-block-inversion", action="store_true") parser_group_zone.add_argument("--add-forward-port", metavar="<port>", action='append') parser_group_zone.add_argument("--remove-forward-port", metavar="<port>", action='append') parser_group_zone.add_argument("--query-forward-port", metavar="<port>", action='append') parser_group_zone.add_argument("--list-rich-rules", action="store_true") parser_group_zone.add_argument("--list-services", action="store_true") parser_group_zone.add_argument("--list-ports", action="store_true") parser_group_zone.add_argument("--list-protocols", action="store_true") parser_group_zone.add_argument("--list-icmp-blocks", action="store_true") parser_group_zone.add_argument("--list-forward-ports", action="store_true") parser_group_zone.add_argument("--list-source-ports", action="store_true") parser_group_zone.add_argument("--list-all", action="store_true") parser_group_zone.add_argument("--get-target", action="store_true") parser_group_zone.add_argument("--set-target", metavar="<target>") parser.add_argument("--option", metavar="<key>[=<value>]", action='append') parser.add_argument("--type", metavar="<ipsettype>") parser.add_argument("--ipset", metavar="<ipset>") parser_ipset = parser.add_mutually_exclusive_group() #parser_ipset.add_argument("--add-option", metavar="<key>[=<value>]") #parser_ipset.add_argument("--remove-option", metavar="<key>[=<value>]") #parser_ipset.add_argument("--query-option", metavar="<key>[=<value>]") #parser_ipset.add_argument("--get-options", action="store_true") parser_ipset.add_argument("--get-ipsets", action="store_true") parser_ipset.add_argument("--add-entry", metavar="<entry>", action='append') parser_ipset.add_argument("--remove-entry", metavar="<entry>", action='append') parser_ipset.add_argument("--query-entry", metavar="<entry>", action='append') parser_ipset.add_argument("--get-entries", action="store_true") parser_ipset.add_argument("--add-entries-from-file", metavar="<filename>", action='append') parser_ipset.add_argument("--remove-entries-from-file", metavar="<filename>", action='append') parser.add_argument("--icmptype", metavar="<icmptype>") parser_icmptype = parser.add_mutually_exclusive_group() parser_icmptype.add_argument("--add-destination", metavar="<ipv>", action='append') parser_icmptype.add_argument("--remove-destination", metavar="<ipv>", action='append') parser_icmptype.add_argument("--query-destination", metavar="<ipv>", action='append') parser_icmptype.add_argument("--get-destinations", action="store_true") parser.add_argument("--service", metavar="<service>") parser_service = parser.add_mutually_exclusive_group() parser_service.add_argument("--get-ports", action="store_true") parser_service.add_argument("--get-source-ports", action="store_true") parser_service.add_argument("--get-protocols", action="store_true") parser_service.add_argument("--add-module", metavar="<module>", action='append') parser_service.add_argument("--remove-module", metavar="<module>", action='append') parser_service.add_argument("--query-module", metavar="<module>", action='append') parser_service.add_argument("--get-modules", action="store_true") parser_service.add_argument("--set-destination", metavar="<destination>", action='append') parser_service.add_argument("--get-destination", action="store_true") parser_service.add_argument("--set-description", metavar="<description>") parser_service.add_argument("--get-description", action="store_true") parser_service.add_argument("--set-short", metavar="<description>") parser_service.add_argument("--get-short", action="store_true") parser.add_argument("--helper", metavar="<helper>") parser.add_argument("--family", metavar="<family>") parser.add_argument("--module", metavar="<module>") parser_helper = parser.add_mutually_exclusive_group() #parser_helper.add_argument("--get-ports", action="store_true") parser_helper.add_argument("--get-helpers", action="store_true") parser_helper.add_argument("--set-module", metavar="<module>") parser_helper.add_argument("--get-module", action="store_true") #parser_helper.add_argument("--query-module", metavar="<module>") parser_helper.add_argument("--set-family", metavar="<family>|''", nargs="*") parser_helper.add_argument("--get-family", action="store_true") parser.add_argument("--direct", action="store_true") # not possible to have sequences of options here parser_direct = parser.add_mutually_exclusive_group() parser_direct.add_argument("--passthrough", nargs=argparse.REMAINDER, metavar=("{ ipv4 | ipv6 | eb }", "<args>")) parser_direct.add_argument("--add-passthrough", nargs=argparse.REMAINDER, metavar=("{ ipv4 | ipv6 | eb }", "<args>")) parser_direct.add_argument("--remove-passthrough", nargs=argparse.REMAINDER, metavar=("{ ipv4 | ipv6 | eb }", "<args>")) parser_direct.add_argument("--query-passthrough", nargs=argparse.REMAINDER, metavar=("{ ipv4 | ipv6 | eb }", "<args>")) parser_direct.add_argument("--get-passthroughs", nargs=1, metavar=("{ ipv4 | ipv6 | eb }")) parser_direct.add_argument("--get-all-passthroughs", action="store_true") parser_direct.add_argument("--add-chain", nargs=3, metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>")) parser_direct.add_argument("--remove-chain", nargs=3, metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>")) parser_direct.add_argument("--query-chain", nargs=3, metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>")) parser_direct.add_argument("--get-all-chains", action="store_true") parser_direct.add_argument("--get-chains", nargs=2, metavar=("{ ipv4 | ipv6 | eb }", "<table>")) parser_direct.add_argument("--add-rule", nargs=argparse.REMAINDER, metavar=("{ ipv4 | ipv6 | eb }", "<table> <chain> <priority> <args>")) parser_direct.add_argument("--remove-rule", nargs=argparse.REMAINDER, metavar=("{ ipv4 | ipv6 | eb }", "<table> <chain> <priority> <args>")) parser_direct.add_argument("--remove-rules", nargs=3, metavar=("{ ipv4 | ipv6 | eb }", "<table> <chain>")) parser_direct.add_argument("--query-rule", nargs=argparse.REMAINDER, metavar=("{ ipv4 | ipv6 | eb }", "<table> <chain> <priority> <args>")) parser_direct.add_argument("--get-rules", nargs=3, metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>")) parser_direct.add_argument("--get-all-rules", action="store_true") ############################################################################## args = sys.argv[1:] if len(sys.argv) > 1: i = -1 if '--passthrough' in args: i = args.index('--passthrough') + 1 elif '--add-passthrough' in args: i = args.index('--add-passthrough') + 1 elif '--remove-passthrough' in args: i = args.index('--remove-passthrough') + 1 elif '--query-passthrough' in args: i = args.index('--query-passthrough') + 1 elif '--add-rule' in args: i = args.index('--add-rule') + 4 elif '--remove-rule' in args: i = args.index('--remove-rule') + 4 elif '--query-rule' in args: i = args.index('--query-rule') + 4 # join <args> into one argument to prevent parser from parsing each iptables # option, because they can conflict with firewall-cmd options # # e.g. --delete (iptables) and --delete-* (firewall-cmd) if (i > -1) and (i < len(args) - 1): aux_args = args[:] args = aux_args[:i+1] # all but not <args> args.append(joinArgs(aux_args[i+1:])) # add <args> as one arg a = parser.parse_args(args) options_standalone = a.help or a.version or \ a.state or a.reload or a.complete_reload or a.runtime_to_permanent or \ a.panic_on or a.panic_off or a.query_panic or \ a.lockdown_on or a.lockdown_off or a.query_lockdown or \ a.get_default_zone or a.set_default_zone or \ a.get_active_zones or a.get_ipset_types or \ a.get_log_denied or a.set_log_denied or \ a.get_automatic_helpers or a.set_automatic_helpers or a.check_config options_desc_xml_file = a.set_description or a.get_description or \ a.set_short or a.get_short options_lockdown_whitelist = \ a.list_lockdown_whitelist_commands or a.add_lockdown_whitelist_command or \ a.remove_lockdown_whitelist_command or \ a.query_lockdown_whitelist_command or \ a.list_lockdown_whitelist_contexts or a.add_lockdown_whitelist_context or \ a.remove_lockdown_whitelist_context or \ a.query_lockdown_whitelist_context or \ a.list_lockdown_whitelist_uids or a.add_lockdown_whitelist_uid is not None or \ a.remove_lockdown_whitelist_uid is not None or \ a.query_lockdown_whitelist_uid is not None or \ a.list_lockdown_whitelist_users or a.add_lockdown_whitelist_user or \ a.remove_lockdown_whitelist_user or \ a.query_lockdown_whitelist_user options_config = a.get_zones or a.get_services or a.get_icmptypes or \ options_lockdown_whitelist or a.list_all_zones or \ a.get_zone_of_interface or a.get_zone_of_source or \ a.info_zone or a.info_icmptype or a.info_service or \ a.info_ipset or a.get_ipsets or a.info_helper or \ a.get_helpers options_zone_action_action = \ a.add_service or a.remove_service or a.query_service or \ a.add_port or a.remove_port or a.query_port or \ a.add_protocol or a.remove_protocol or a.query_protocol or \ a.add_source_port or a.remove_source_port or a.query_source_port or \ a.add_icmp_block or a.remove_icmp_block or a.query_icmp_block or \ a.add_forward_port or a.remove_forward_port or a.query_forward_port options_zone_interfaces_sources = \ a.list_interfaces or a.change_interface or \ a.add_interface or a.remove_interface or a.query_interface or \ a.list_sources or a.change_source or \ a.add_source or a.remove_source or a.query_source options_zone_adapt_query = \ a.add_rich_rule or a.remove_rich_rule or a.query_rich_rule or \ a.add_masquerade or a.remove_masquerade or a.query_masquerade or \ a.list_services or a.list_ports or a.list_protocols or \ a.list_source_ports or \ a.list_icmp_blocks or a.list_forward_ports or a.list_rich_rules or \ a.add_icmp_block_inversion or a.remove_icmp_block_inversion or \ a.query_icmp_block_inversion or \ a.list_all or a.get_target or a.set_target options_zone_ops = options_zone_interfaces_sources or \ options_zone_action_action or options_zone_adapt_query options_zone = a.zone or a.timeout != "0" or options_zone_ops or \ options_desc_xml_file options_ipset = a.add_entry or a.remove_entry or a.query_entry or \ a.get_entries or a.add_entries_from_file or \ a.remove_entries_from_file or options_desc_xml_file options_icmptype = a.add_destination or a.remove_destination or \ a.query_destination or a.get_destinations or \ options_desc_xml_file options_service = a.add_port or a.remove_port or a.query_port or \ a.get_ports or \ a.add_protocol or a.remove_protocol or a.query_protocol or \ a.get_protocols or \ a.add_source_port or a.remove_source_port or \ a.query_source_port or a.get_source_ports or \ a.add_module or a.remove_module or a.query_module or \ a.get_modules or \ a.set_destination or a.remove_destination or \ a.query_destination or a.get_destinations or \ options_desc_xml_file options_helper = a.add_port or a.remove_port or a.query_port or \ a.get_ports or a.set_module or a.get_module or \ a.set_family or a.get_family or \ options_desc_xml_file options_permanent = a.permanent or options_config or \ a.zone or options_zone_ops or \ a.ipset or options_ipset or \ a.helper or options_helper options_permanent_only = a.new_icmptype or a.delete_icmptype or \ a.new_icmptype_from_file or \ a.load_icmptype_defaults or \ a.new_service or a.delete_service or \ a.new_service_from_file or \ a.load_service_defaults or \ a.new_zone or a.delete_zone or \ a.new_zone_from_file or \ a.load_zone_defaults or \ a.new_ipset or a.delete_ipset or \ a.new_ipset_from_file or \ a.load_ipset_defaults or \ a.new_helper or a.delete_helper or \ a.new_helper_from_file or \ a.load_helper_defaults or \ (a.icmptype and options_icmptype) or \ (a.service and options_service) or \ (a.helper and options_helper) or \ a.path_zone or a.path_icmptype or a.path_service or \ a.path_ipset or a.path_helper or options_desc_xml_file options_direct = a.passthrough or \ a.add_chain or a.remove_chain or a.query_chain or \ a.get_chains or a.get_all_chains or \ a.add_rule or a.remove_rule or a.remove_rules or a.query_rule or \ a.get_rules or a.get_all_rules or \ a.add_passthrough or a.remove_passthrough or a.query_passthrough or \ a.get_passthroughs or a.get_all_passthroughs options_require_permanent = options_permanent_only or \ a.get_target or a.set_target # these are supposed to only write out some output options_list_get = a.help or a.version or a.list_all or a.list_all_zones or \ a.list_lockdown_whitelist_commands or a.list_lockdown_whitelist_contexts or \ a.list_lockdown_whitelist_uids or a.list_lockdown_whitelist_users or \ a.list_services or a.list_ports or a.list_protocols or a.list_icmp_blocks or \ a.list_forward_ports or a.list_rich_rules or a.list_interfaces or \ a.list_sources or a.get_default_zone or a.get_active_zones or \ a.get_zone_of_interface or a.get_zone_of_source or a.get_zones or \ a.get_services or a.get_icmptypes or a.get_target or \ a.info_zone or a.info_icmptype or a.info_service or \ a.info_ipset or a.get_ipsets or a.get_entries or \ a.info_helper or a.get_helpers or \ a.get_destinations or a.get_description # Set quiet and verbose cmd = FirewallCommand(a.quiet, a.verbose) def myexcepthook(exctype, value, traceback): cmd.exception_handler(str(value)) sys.excepthook = myexcepthook # Check various impossible combinations of options if not (options_standalone or options_ipset or \ options_icmptype or options_service or options_helper or \ options_config or options_zone_ops or \ options_direct or options_permanent_only): cmd.fail(parser.format_usage() + "No option specified.") if options_standalone and (options_zone or options_permanent or \ options_direct or options_permanent_only or\ options_ipset): cmd.fail(parser.format_usage() + "Can't use stand-alone options with other options.") if options_ipset and not options_desc_xml_file and not a.ipset: cmd.fail(parser.format_usage() + "No ipset specified.") if (options_icmptype and not a.icmptype) and \ not (options_service and a.service) and not options_desc_xml_file: cmd.fail(parser.format_usage() + "No icmptype specified.") if (options_helper and not a.helper) and \ not (options_service and a.service) and \ not options_zone and not options_desc_xml_file: cmd.fail(parser.format_usage() + "No helper specified.") if (options_direct or options_permanent_only) and \ (options_zone and not a.zone) and (options_service and not a.service) and \ (options_icmptype and a.icmptype) and not options_desc_xml_file: cmd.fail(parser.format_usage() + "Can't be used with --zone.") if (a.direct and not options_direct) or (options_direct and not a.direct): cmd.fail(parser.format_usage() + "Wrong usage of 'direct' options.") if a.name and not (a.new_zone_from_file or a.new_service_from_file or \ a.new_ipset_from_file or a.new_icmptype_from_file or \ a.new_helper_from_file): cmd.fail(parser.format_usage() + "Wrong usage of '--name' option.") if options_require_permanent and not a.permanent: cmd.fail(parser.format_usage() + "Option can be used only with --permanent.") if options_config and options_zone: cmd.fail(parser.format_usage() + "Wrong usage of --get-zones | --get-services | --get-icmptypes.") if a.timeout != "0": value = 0 unit = 's' if len(a.timeout) < 1: cmd.fail(parser.format_usage() + "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout) elif len(a.timeout) == 1: if a.timeout.isdigit(): value = int (a.timeout[0]) else: cmd.fail(parser.format_usage() + "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout) elif len(a.timeout) > 1: if a.timeout.isdigit(): value = int(a.timeout) unit = 's' else: if a.timeout[:-1].isdigit(): value = int (a.timeout[:-1]) else: cmd.fail(parser.format_usage() + "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout) unit = a.timeout[-1:].lower() if unit == 's': a.timeout = value elif unit == 'm': a.timeout = value * 60 elif unit == 'h': a.timeout = value * 60 * 60 else: cmd.fail(parser.format_usage() + "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout) else: a.timeout = 0 if a.timeout and not (a.add_service or a.add_port or a.add_protocol or \ a.add_icmp_block or a.add_forward_port or \ a.add_source_port or a.add_masquerade or a.add_rich_rule): cmd.fail(parser.format_usage() + "Wrong --timeout usage") if a.permanent: if a.timeout: cmd.fail(parser.format_usage() + "Can't specify timeout for permanent action.") if options_config and not a.zone: pass elif options_permanent: pass else: cmd.fail(parser.format_usage() + "Wrong --permanent usage.") if a.quiet and options_list_get: # it makes no sense to use --quiet with these options a.quiet = False cmd.set_quiet(a.quiet) cmd.fail("-q/--quiet can't be used with this option(s)") if a.help: __usage() sys.exit(0) zone = a.zone try: fw = FirewallClient() except FirewallError as msg: code = FirewallError.get_code(str(msg)) cmd.print_and_exit("Error: %s" % msg, code) fw.setExceptionHandler(cmd.exception_handler) if not fw.connected: if a.state: cmd.print_and_exit ("not running", errors.NOT_RUNNING) else: cmd.print_and_exit ("FirewallD is not running", errors.NOT_RUNNING) cmd.set_fw(fw) if options_zone_ops and not zone and not \ (a.service and options_service) and not \ (a.helper and options_helper): default = fw.getDefaultZone() cmd.print_if_verbose("No zone specified, using default zone, i.e. '%s'" % default) active = list(fw.getActiveZones().keys()) if active and default not in active: cmd.print_msg("""You're performing an operation over default zone ('%s'), but your connections/interfaces are in zone '%s' (see --get-active-zones) You most likely need to use --zone=%s option.\n""" % (default, ",".join(active), active[0])) if a.permanent: if a.get_ipsets: cmd.print_and_exit(" ".join(fw.config().getIPSetNames())) elif a.new_ipset: if not a.type: cmd.fail(parser.format_usage() + "No type specified.") settings = FirewallClientIPSetSettings() settings.setType(a.type) if a.option: for opt in a.option: settings.addOption(*cmd.parse_ipset_option(opt)) if a.family: settings.addOption("family", a.family) config = fw.config() config.addIPSet(a.new_ipset, settings) elif a.new_ipset_from_file: filename = os.path.basename(a.new_ipset_from_file) dirname = os.path.dirname(a.new_ipset_from_file) if dirname == "": dirname = "./" try: obj = ipset_reader(filename, dirname) except FirewallError as msg: cmd.fail("Failed to load ipset file '%s': %s" % \ (a.new_ipset_from_file, msg)) except IOError as msg: cmd.fail("Failed to load ipset file: %s" % msg) if a.name: obj.name = a.name config = fw.config() config.addIPSet(obj.name, obj.export_config()) elif a.delete_ipset: ipset = fw.config().getIPSetByName(a.delete_ipset) ipset.remove() elif a.load_ipset_defaults: ipset = fw.config().getIPSetByName(a.load_ipset_defaults) ipset.loadDefaults() elif a.info_ipset: ipset = fw.config().getIPSetByName(a.info_ipset) cmd.print_ipset_info(a.info_ipset, ipset.getSettings()) sys.exit(0) elif a.path_ipset: ipset = fw.config().getIPSetByName(a.path_ipset) cmd.print_and_exit("%s/%s" % (ipset.get_property("path"), ipset.get_property("filename"))) elif a.ipset: ipset = fw.config().getIPSetByName(a.ipset) settings = ipset.getSettings() if a.add_entry: cmd.add_sequence(a.add_entry, settings.addEntry, settings.queryEntry, None, "'%s'") ipset.update(settings) elif a.remove_entry: cmd.remove_sequence(a.remove_entry, settings.removeEntry, settings.queryEntry, None, "'%s'") ipset.update(settings) elif a.query_entry: cmd.query_sequence(a.query_entry, settings.queryEntry, None, "'%s'") elif a.get_entries: l = settings.getEntries() cmd.print_and_exit("\n".join(l)) elif a.add_entries_from_file: changed = False for filename in a.add_entries_from_file: try: entries = cmd.get_ipset_entries_from_file(filename) except IOError as msg: message = "Failed to read file '%s': %s" % (filename, msg) if len(a.add_entries_from_file) > 1: cmd.print_warning(message) else: cmd.print_and_exit(message) else: old_entries = settings.getEntries() entries_set = set() for entry in old_entries: entries_set.add(entry) for entry in entries: if entry not in entries_set: old_entries.append(entry) entries_set.add(entry) changed = True else: cmd.print_if_verbose( "Warning: ALREADY_ENABLED: %s" % entry) if changed: settings.setEntries(old_entries) if changed: ipset.update(settings) elif a.remove_entries_from_file: changed = False for filename in a.remove_entries_from_file: try: entries = cmd.get_ipset_entries_from_file(filename) except IOError as msg: message = "Failed to read file '%s': %s" % (filename, msg) if len(a.remove_entries_from_file) > 1: cmd.print_warning(message) else: cmd.print_and_exit(message) else: old_entries = settings.getEntries() entries_set = set() for entry in old_entries: entries_set.add(entry) for entry in entries: if entry in entries_set: old_entries.remove(entry) entries_set.discard(entry) changed = True else: cmd.print_if_verbose("Warning: NOT_ENABLED: %s" % entry) if changed: settings.setEntries(old_entries) if changed: ipset.update(settings) elif a.set_description: settings.setDescription(a.set_description) ipset.update(settings) elif a.get_description: cmd.print_and_exit(settings.getDescription()) elif a.set_short: settings.setShort(a.set_short) ipset.update(settings) elif a.get_short: cmd.print_and_exit(settings.getShort()) else: cmd.fail(parser.format_usage() + "Unknown option") elif a.get_zones: cmd.print_and_exit(" ".join(fw.config().getZoneNames())) elif a.new_zone: config = fw.config() config.addZone(a.new_zone, FirewallClientZoneSettings()) elif a.new_zone_from_file: filename = os.path.basename(a.new_zone_from_file) dirname = os.path.dirname(a.new_zone_from_file) if dirname == "": dirname = "./" try: obj = zone_reader(filename, dirname) except FirewallError as msg: cmd.fail("Failed to load zone file '%s': %s" % \ (a.new_zone_from_file, msg)) except IOError as msg: cmd.fail("Failed to load zone file: %s" % msg) if a.name: obj.name = a.name config = fw.config() config.addZone(obj.name, obj.export_config()) elif a.delete_zone: zone = fw.config().getZoneByName(a.delete_zone) zone.remove() elif a.load_zone_defaults: zone = fw.config().getZoneByName(a.load_zone_defaults) zone.loadDefaults() elif a.info_zone: zone = fw.config().getZoneByName(a.info_zone) cmd.print_zone_info(a.info_zone, zone.getSettings(), True) sys.exit(0) elif a.path_zone: zone = fw.config().getZoneByName(a.path_zone) cmd.print_and_exit("%s/%s" % (zone.get_property("path"), zone.get_property("filename"))) elif a.get_services: cmd.print_and_exit(" ".join(fw.config().getServiceNames())) elif a.new_service: config = fw.config() config.addService(a.new_service, FirewallClientServiceSettings()) elif a.new_service_from_file: filename = os.path.basename(a.new_service_from_file) dirname = os.path.dirname(a.new_service_from_file) if dirname == "": dirname = "./" try: obj = service_reader(filename, dirname) except FirewallError as msg: cmd.fail("Failed to load service file '%s': %s" % \ (a.new_service_from_file, msg)) except IOError as msg: cmd.fail("Failed to load service file: %s" % msg) if a.name: obj.name = a.name config = fw.config() config.addService(obj.name, obj.export_config()) elif a.delete_service: service = fw.config().getServiceByName(a.delete_service) service.remove() elif a.load_service_defaults: service = fw.config().getServiceByName(a.load_service_defaults) service.loadDefaults() elif a.info_service: service = fw.config().getServiceByName(a.info_service) cmd.print_service_info(a.info_service, service.getSettings()) sys.exit(0) elif a.path_service: service = fw.config().getServiceByName(a.path_service) cmd.print_and_exit("%s/%s" % (service.get_property("path"), service.get_property("filename"))) elif a.get_helpers: cmd.print_and_exit(" ".join(fw.config().getHelperNames())) elif a.new_helper: if not a.module: cmd.fail(parser.format_usage() + "No module specified.") settings = FirewallClientHelperSettings() settings.setModule(a.module) if a.family: settings.setFamily(a.family) config = fw.config() config.addHelper(a.new_helper, settings) elif a.new_helper_from_file: filename = os.path.basename(a.new_helper_from_file) dirname = os.path.dirname(a.new_helper_from_file) if dirname == "": dirname = "./" try: obj = helper_reader(filename, dirname) except FirewallError as msg: cmd.fail("Failed to load helper file '%s': %s" % \ (a.new_helper_from_file, msg)) except IOError as msg: cmd.fail("Failed to load helper file: %s" % msg) if a.name: obj.name = a.name config = fw.config() config.addHelper(obj.name, obj.export_config()) elif a.delete_helper: helper = fw.config().getHelperByName(a.delete_helper) helper.remove() elif a.load_helper_defaults: helper = fw.config().getHelperByName(a.load_helper_defaults) helper.loadDefaults() elif a.info_helper: helper = fw.config().getHelperByName(a.info_helper) cmd.print_helper_info(a.info_helper, helper.getSettings()) sys.exit(0) elif a.path_helper: helper = fw.config().getHelperByName(a.path_helper) cmd.print_and_exit("%s/%s" % (helper.get_property("path"), helper.get_property("filename"))) elif a.helper: helper = fw.config().getHelperByName(a.helper) settings = helper.getSettings() if a.add_port: cmd.add_sequence(a.add_port, settings.addPort, settings.queryPort, cmd.parse_port, "%s/%s") helper.update(settings) elif a.remove_port: cmd.remove_sequence(a.remove_port, settings.removePort, settings.queryPort, cmd.parse_port, "%s/%s") helper.update(settings) elif a.query_port: cmd.query_sequence(a.query_port, settings.queryPort, cmd.parse_port, "%s/%s") elif a.get_ports: l = helper.getPorts() cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l])) elif a.get_module: cmd.print_and_exit(settings.getModule()) elif a.set_module: settings.setModule(cmd.check_module(a.set_module)) helper.update(settings) elif a.get_family: cmd.print_and_exit(settings.getFamily()) elif a.set_family: settings.setFamily(cmd.check_helper_family(a.set_family[0])) helper.update(settings) elif a.set_description: settings.setDescription(a.set_description) helper.update(settings) elif a.get_description: cmd.print_and_exit(settings.getDescription()) elif a.set_short: settings.setShort(a.set_short) helper.update(settings) elif a.get_short: cmd.print_and_exit(settings.getShort()) else: cmd.fail(parser.format_usage() + "Unknown option") elif a.get_icmptypes: cmd.print_and_exit(" ".join(fw.config().getIcmpTypeNames())) elif a.new_icmptype: config = fw.config() config.addIcmpType(a.new_icmptype, FirewallClientIcmpTypeSettings()) elif a.new_icmptype_from_file: filename = os.path.basename(a.new_icmptype_from_file) dirname = os.path.dirname(a.new_icmptype_from_file) if dirname == "": dirname = "./" try: obj = icmptype_reader(filename, dirname) except FirewallError as msg: cmd.fail("Failed to load icmptype file '%s': %s" % \ (a.new_icmptype_from_file, msg)) except IOError as msg: cmd.fail("Failed to load icmptype file: %s" % msg) if a.name: obj.name = a.name config = fw.config() config.addIcmpType(obj.name, obj.export_config()) elif a.delete_icmptype: icmptype = fw.config().getIcmpTypeByName(a.delete_icmptype) icmptype.remove() elif a.load_icmptype_defaults: icmptype = fw.config().getIcmpTypeByName(a.load_icmptype_defaults) icmptype.loadDefaults() elif a.info_icmptype: icmptype = fw.config().getIcmpTypeByName(a.info_icmptype) cmd.print_icmptype_info(a.info_icmptype, icmptype.getSettings()) sys.exit(0) elif a.path_icmptype: icmptype = fw.config().getIcmpTypeByName(a.path_icmptype) cmd.print_and_exit("%s/%s" % (icmptype.get_property("path"), icmptype.get_property("filename"))) elif a.icmptype: icmptype = fw.config().getIcmpTypeByName(a.icmptype) settings = icmptype.getSettings() if a.add_destination: cmd.add_sequence(a.add_destination, settings.addDestination, settings.queryDestination, cmd.check_destination_ipv, "'%s'") icmptype.update(settings) elif a.remove_destination: cmd.remove_sequence(a.remove_destination, settings.removeDestination, settings.queryDestination, cmd.check_destination_ipv, "'%s'") icmptype.update(settings) elif a.query_destination: cmd.query_sequence(a.query_destination, settings.queryDestination, cmd.check_destination_ipv , "'%s'") elif a.get_destinations: l = settings.getDestinations() if len(l) == 0: l = [ "ipv4", "ipv6" ] cmd.print_and_exit("\n".join(l)) elif a.set_description: settings.setDescription(a.set_description) icmptype.update(settings) elif a.get_description: cmd.print_and_exit(settings.getDescription()) elif a.set_short: settings.setShort(a.set_short) icmptype.update(settings) elif a.get_short: cmd.print_and_exit(settings.getShort()) else: cmd.fail(parser.format_usage() + "Unknown option") elif a.service: service = fw.config().getServiceByName(a.service) settings = service.getSettings() if a.add_port: cmd.add_sequence(a.add_port, settings.addPort, settings.queryPort, cmd.parse_port, "%s/%s") service.update(settings) elif a.remove_port: cmd.remove_sequence(a.remove_port, settings.removePort, settings.queryPort, cmd.parse_port, "%s/%s") service.update(settings) elif a.query_port: cmd.query_sequence(a.query_port, settings.queryPort, cmd.parse_port, "%s/%s") elif a.get_ports: l = settings.getPorts() cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l])) elif a.add_protocol: cmd.add_sequence(a.add_protocol, settings.addProtocol, settings.queryProtocol, None, "'%s'") service.update(settings) elif a.remove_protocol: cmd.remove_sequence(a.remove_protocol, settings.removeProtocol, settings.queryProtocol, None, "'%s'") service.update(settings) elif a.query_protocol: cmd.query_sequence(a.query_protocol, settings.queryProtocol, None, "'%s'") elif a.get_protocols: l = settings.getProtocols() cmd.print_and_exit(" ".join(["%s" % protocol for protocol in l])) elif a.add_source_port: cmd.add_sequence(a.add_source_port, settings.addSourcePort, settings.querySourcePort, cmd.parse_port, "%s/%s") service.update(settings) elif a.remove_source_port: cmd.remove_sequence(a.remove_source_port, settings.removeSourcePort, settings.querySourcePort, cmd.parse_port, "%s/%s") service.update(settings) elif a.query_source_port: cmd.query_sequence(a.query_source_port, settings.querySourcePort, cmd.parse_port, "%s/%s") elif a.get_source_ports: l = settings.getSourcePorts() cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l])) elif a.add_module: cmd.add_sequence(a.add_module, settings.addModule, settings.queryModule, None, "'%s'") service.update(settings) elif a.remove_module: cmd.remove_sequence(a.remove_module, settings.removeModule, settings.queryModule, None, "'%s'") service.update(settings) elif a.query_module: cmd.query_sequence(a.query_module, settings.queryModule, None, "'%s'") elif a.get_modules: l = settings.getModules() cmd.print_and_exit(" ".join(["%s" % module for module in l])) elif a.set_destination: cmd.add_sequence(a.set_destination, settings.setDestination, settings.queryDestination, cmd.parse_service_destination, "%s:%s") service.update(settings) elif a.remove_destination: # special case for removeDestination: Only ipv, no address for ipv in a.remove_destination: cmd.check_destination_ipv(ipv) if ipv not in settings.getDestinations(): if len(a.remove_destination) > 1: cmd.print_warning("Warning: NOT_ENABLED: '%s'" % ipv) else: code = FirewallError.get_code("NOT_ENABLED") cmd.print_and_exit("Error: NOT_ENABLED: '%s'" % ipv, code) else: settings.removeDestination(ipv) service.update(settings) elif a.query_destination: cmd.query_sequence(a.query_destination, settings.queryDestination, cmd.parse_service_destination, "'%s'") elif a.get_destinations: l = settings.getDestinations() cmd.print_and_exit(" ".join(["%s:%s" % (dest[0], dest[1]) for dest in l.items()])) elif a.set_description: settings.setDescription(a.set_description) service.update(settings) elif a.get_description: cmd.print_and_exit(settings.getDescription()) elif a.set_short: settings.setShort(a.set_short) service.update(settings) elif a.get_short: cmd.print_and_exit(settings.getShort()) else: cmd.fail(parser.format_usage() + "Unknown option") # lockdown whitelist elif options_lockdown_whitelist: policies = fw.config().policies() # commands if a.list_lockdown_whitelist_commands: l = policies.getLockdownWhitelistCommands() cmd.print_and_exit("\n".join(l)) elif a.add_lockdown_whitelist_command: cmd.add_sequence(a.add_lockdown_whitelist_command, policies.addLockdownWhitelistCommand, policies.queryLockdownWhitelistCommand, None, "'%s'") elif a.remove_lockdown_whitelist_command: cmd.remove_sequence(a.remove_lockdown_whitelist_command, policies.removeLockdownWhitelistCommand, policies.queryLockdownWhitelistCommand, None, "'%s'") elif a.query_lockdown_whitelist_command: cmd.query_sequence(a.query_lockdown_whitelist_command, policies.queryLockdownWhitelistCommand, None, "'%s'") # contexts elif a.list_lockdown_whitelist_contexts: l = policies.getLockdownWhitelistContexts() cmd.print_and_exit("\n".join(l)) elif a.add_lockdown_whitelist_context: cmd.add_sequence(a.add_lockdown_whitelist_context, policies.addLockdownWhitelistContext, policies.queryLockdownWhitelistContext, None, "'%s'") elif a.remove_lockdown_whitelist_context: cmd.remove_sequence(a.remove_lockdown_whitelist_context, policies.removeLockdownWhitelistContext, policies.queryLockdownWhitelistContext, None, "'%s'") elif a.query_lockdown_whitelist_context: cmd.query_sequence(a.query_lockdown_whitelist_context, policies.queryLockdownWhitelistContext, None, "'%s'") # uids elif a.list_lockdown_whitelist_uids: l = policies.getLockdownWhitelistUids() cmd.print_and_exit(" ".join(map(str, l))) elif a.add_lockdown_whitelist_uid is not None: cmd.add_sequence(a.add_lockdown_whitelist_uid, policies.addLockdownWhitelistUid, policies.queryLockdownWhitelistUid, None, "%s") elif a.remove_lockdown_whitelist_uid is not None: cmd.remove_sequence(a.remove_lockdown_whitelist_uid, policies.removeLockdownWhitelistUid, policies.queryLockdownWhitelistUid, None, "%s") elif a.query_lockdown_whitelist_uid is not None: cmd.query_sequence(a.query_lockdown_whitelist_uid, policies.queryLockdownWhitelistUid, None, "%s") # users elif a.list_lockdown_whitelist_users: l = policies.getLockdownWhitelistUsers() cmd.print_and_exit("\n".join(l)) elif a.add_lockdown_whitelist_user: cmd.add_sequence(a.add_lockdown_whitelist_user, policies.addLockdownWhitelistUser, policies.queryLockdownWhitelistUser, None, "%s") elif a.remove_lockdown_whitelist_user: cmd.remove_sequence(a.remove_lockdown_whitelist_user, policies.removeLockdownWhitelistUser, policies.queryLockdownWhitelistUser, None, "%s") elif a.query_lockdown_whitelist_user: cmd.query_sequence(a.query_lockdown_whitelist_user, policies.queryLockdownWhitelistUser, None, "'%s'") elif options_direct: direct = fw.config().direct() if a.passthrough: if len(a.passthrough) < 2: cmd.fail("usage: --permanent --direct --passthrough { ipv4 | ipv6 | eb } <args>") cmd.print_msg(direct.addPassthrough(cmd.check_ipv(a.passthrough[0]), splitArgs(a.passthrough[1]))) if a.add_passthrough: if len(a.add_passthrough) < 2: cmd.fail("usage: --permanent --direct --add-passthrough { ipv4 | ipv6 | eb } <args>") cmd.print_msg(direct.addPassthrough(cmd.check_ipv(a.add_passthrough[0]), splitArgs(a.add_passthrough[1]))) elif a.remove_passthrough: if len(a.remove_passthrough) < 2: cmd.fail("usage: --permanent --direct --remove-passthrough { ipv4 | ipv6 | eb } <args>") direct.removePassthrough(cmd.check_ipv(a.remove_passthrough[0]), splitArgs(a.remove_passthrough[1])) elif a.query_passthrough: if len(a.query_passthrough) < 2: cmd.fail("usage: --permanent --direct --query-passthrough { ipv4 | ipv6 | eb } <args>") cmd.print_query_result( direct.queryPassthrough(cmd.check_ipv(a.query_passthrough[0]), splitArgs(a.query_passthrough[1]))) sys.exit(0) elif a.get_passthroughs: rules = direct.getPassthroughs(cmd.check_ipv(a.get_passthroughs[0])) for rule in rules: cmd.print_msg(joinArgs(rule)) sys.exit(0) elif a.get_all_passthroughs: for (ipv, rule) in direct.getAllPassthroughs(): cmd.print_msg("%s %s" % (ipv, joinArgs(rule))) sys.exit(0) elif a.add_chain: direct.addChain(cmd.check_ipv(a.add_chain[0]), a.add_chain[1], a.add_chain[2]) elif a.remove_chain: direct.removeChain(cmd.check_ipv(a.remove_chain[0]), a.remove_chain[1], a.remove_chain[2]) elif a.query_chain: cmd.print_query_result( direct.queryChain(cmd.check_ipv(a.query_chain[0]), a.query_chain[1], a.query_chain[2])) sys.exit(0) elif a.get_chains: cmd.print_and_exit( " ".join(direct.getChains(cmd.check_ipv(a.get_chains[0]), a.get_chains[1]))) sys.exit(0) elif a.get_all_chains: chains = direct.getAllChains() for (ipv, table, chain) in chains: cmd.print_msg("%s %s %s" % (ipv, table, chain)) sys.exit(0) elif a.add_rule: if len(a.add_rule) < 5: cmd.fail("usage: --permanent --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") try: priority = int(a.add_rule[3]) except ValueError: cmd.fail("usage: --permanent --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") direct.addRule(cmd.check_ipv(a.add_rule[0]), a.add_rule[1], a.add_rule[2], priority, splitArgs(a.add_rule[4])) elif a.remove_rule: if len(a.remove_rule) < 5: cmd.fail("usage: --permanent --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") try: priority = int(a.remove_rule[3]) except ValueError: cmd.fail("usage: --permanent --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") direct.removeRule(cmd.check_ipv(a.remove_rule[0]), a.remove_rule[1], a.remove_rule[2], priority, splitArgs(a.remove_rule[4])) elif a.remove_rules: if len(a.remove_rules) < 3: cmd.fail("usage: --permanent --direct --remove-rules { ipv4 | ipv6 | eb } <table> <chain>") direct.removeRules(cmd.check_ipv(a.remove_rules[0]), a.remove_rules[1], a.remove_rules[2]) elif a.query_rule: if len(a.query_rule) < 5: cmd.fail("usage: --permanent --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") try: priority = int(a.query_rule[3]) except ValueError: cmd.fail("usage: --permanent --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") cmd.print_query_result( direct.queryRule(cmd.check_ipv(a.query_rule[0]), a.query_rule[1], a.query_rule[2], priority, splitArgs(a.query_rule[4]))) sys.exit(0) elif a.get_rules: rules = direct.getRules(cmd.check_ipv(a.get_rules[0]), a.get_rules[1], a.get_rules[2]) for (priority, rule) in rules: cmd.print_msg("%d %s" % (priority, joinArgs(rule))) sys.exit(0) elif a.get_all_rules: rules = direct.getAllRules() for (ipv, table, chain, priority, rule) in rules: cmd.print_msg("%s %s %s %d %s" % (ipv, table, chain, priority, joinArgs(rule))) sys.exit(0) else: if zone == "": zone = fw.getDefaultZone() fw_zone = fw.config().getZoneByName(zone) # interface if a.list_interfaces: interfaces = sorted(set(try_nm_get_interfaces_in_zone(zone)) | set(fw_zone.getInterfaces())) cmd.print_and_exit(" ".join(interfaces)) elif a.get_zone_of_interface: for interface in a.get_zone_of_interface: # ask NM before checking our config zone = try_get_zone_of_interface(interface) if not zone: zone = fw.config().getZoneOfInterface(interface) if zone: if len(a.get_zone_of_interface) > 1: cmd.print_warning("%s: %s" % (interface, zone)) else: cmd.print_and_exit(zone) else: if len(a.get_zone_of_interface) > 1: cmd.print_warning("%s: no zone" % interface) else: cmd.fail("no zone") elif a.change_interface: interfaces = [ ] for interface in a.change_interface: if not try_set_zone_of_interface(zone, interface): interfaces.append(interface) for interface in interfaces: old_zone_name = fw.config().getZoneOfInterface(interface) if old_zone_name != zone: if old_zone_name: old_zone_obj = fw.config().getZoneByName(old_zone_name) old_zone_obj.removeInterface(interface)# remove from old fw_zone.addInterface(interface) # add to new elif a.add_interface: interfaces = [ ] for interface in a.add_interface: if not try_set_zone_of_interface(a.zone, interface): interfaces.append(interface) cmd.add_sequence(interfaces, fw_zone.addInterface, fw_zone.queryInterface, None, "'%s'") elif a.remove_interface: interfaces = [ ] for interface in a.remove_interface: if not try_set_zone_of_interface("", interface): interfaces.append(interface) cmd.remove_sequence(interfaces, fw_zone.removeInterface, fw_zone.queryInterface, None, "'%s'") elif a.query_interface: cmd.query_sequence(a.query_interface, fw_zone.queryInterface, None, "'%s'") # source if a.list_sources: sources = fw_zone.getSources() cmd.print_and_exit(" ".join(sources)) elif a.get_zone_of_source: for source in a.get_zone_of_source: zone = fw.config().getZoneOfSource(source) if zone: if len(a.get_zone_of_source) > 1: cmd.print_warning("%s: %s" % (source, zone)) else: cmd.print_and_exit(zone) else: if len(a.get_zone_of_source) > 1: cmd.print_warning("%s: no zone" % source) else: cmd.fail("no zone") elif a.change_source: for source in a.change_source: old_zone_name = fw.config().getZoneOfSource(source) if old_zone_name != zone: if old_zone_name: old_zone_obj = fw.config().getZoneByName(old_zone_name) old_zone_obj.removeSource(source) # remove from old fw_zone.addSource(source) # add to new elif a.add_source: cmd.add_sequence(a.add_source, fw_zone.addSource, fw_zone.querySource, None, "'%s'") elif a.remove_source: cmd.remove_sequence(a.remove_source, fw_zone.removeSource, fw_zone.querySource, None, "'%s'") elif a.query_source: cmd.query_sequence(a.query_source, fw_zone.querySource, None, "'%s'") # rich rules if a.list_rich_rules: l = fw_zone.getRichRules() cmd.print_and_exit("\n".join(l)) elif a.add_rich_rule: cmd.add_sequence(a.add_rich_rule, fw_zone.addRichRule, fw_zone.queryRichRule, None, "'%s'") elif a.remove_rich_rule: cmd.remove_sequence(a.remove_rich_rule, fw_zone.removeRichRule, fw_zone.queryRichRule, None, "'%s'") elif a.query_rich_rule: cmd.query_sequence(a.query_rich_rule, fw_zone.queryRichRule, None, "'%s'") # service if a.list_services: l = fw_zone.getServices() cmd.print_and_exit(" ".join(sorted(l))) elif a.add_service: cmd.add_sequence(a.add_service, fw_zone.addService, fw_zone.queryService, None, "'%s'") elif a.remove_service: cmd.remove_sequence(a.remove_service, fw_zone.removeService, fw_zone.queryService, None, "'%s'") elif a.query_service: cmd.query_sequence(a.query_service, fw_zone.queryService, None, "'%s'") # port elif a.list_ports: l = fw_zone.getPorts() cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l])) elif a.add_port: cmd.add_sequence(a.add_port, fw_zone.addPort, fw_zone.queryPort, cmd.parse_port, "%s/%s") elif a.remove_port: cmd.remove_sequence(a.remove_port, fw_zone.removePort, fw_zone.queryPort, cmd.parse_port, "%s/%s") elif a.query_port: cmd.query_sequence(a.query_port, fw_zone.queryPort, cmd.parse_port, "%s/%s") # protocol elif a.list_protocols: l = fw_zone.getProtocols() cmd.print_and_exit(" ".join(["%s" % protocol for protocol in sorted(l)])) elif a.add_protocol: cmd.add_sequence(a.add_protocol, fw_zone.addProtocol, fw_zone.queryProtocol, None, "'%s'") elif a.remove_protocol: cmd.remove_sequence(a.remove_protocol, fw_zone.removeProtocol, fw_zone.queryProtocol, None, "'%s'") elif a.query_protocol: cmd.query_sequence(a.query_protocol, fw_zone.queryProtocol, None, "'%s'") # source port elif a.list_source_ports: l = fw_zone.getSourcePorts() cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l])) elif a.add_source_port: cmd.add_sequence(a.add_source_port, fw_zone.addSourcePort, fw_zone.querySourcePort, cmd.parse_port, "%s/%s") elif a.remove_source_port: cmd.remove_sequence(a.remove_source_port, fw_zone.removeSourcePort, fw_zone.querySourcePort, cmd.parse_port, "%s/%s") elif a.query_source_port: cmd.query_sequence(a.query_source_port, fw_zone.querySourcePort, cmd.parse_port, "%s/%s") # masquerade elif a.add_masquerade: fw_zone.addMasquerade() elif a.remove_masquerade: fw_zone.removeMasquerade() elif a.query_masquerade: cmd.print_query_result(fw_zone.queryMasquerade()) # forward port elif a.list_forward_ports: l = fw_zone.getForwardPorts() cmd.print_and_exit("\n".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % (port, protocol, toport, toaddr) for (port, protocol, toport, toaddr) in l])) elif a.add_forward_port: cmd.add_sequence(a.add_forward_port, fw_zone.addForwardPort, fw_zone.queryForwardPort, cmd.parse_forward_port, "port=%s:proto=%s:toport=%s:toaddr=%s") elif a.remove_forward_port: cmd.remove_sequence(a.remove_forward_port, fw_zone.removeForwardPort, fw_zone.queryForwardPort, cmd.parse_forward_port, "port=%s:proto=%s:toport=%s:toaddr=%s") elif a.query_forward_port: cmd.query_sequence(a.query_forward_port, fw_zone.queryForwardPort, cmd.parse_forward_port, "port=%s:proto=%s:toport=%s:toaddr=%s") # block icmp elif a.list_icmp_blocks: l = fw_zone.getIcmpBlocks() cmd.print_and_exit(" ".join(l)) elif a.add_icmp_block: cmd.add_sequence(a.add_icmp_block, fw_zone.addIcmpBlock, fw_zone.queryIcmpBlock, None, "'%s'") elif a.remove_icmp_block: cmd.remove_sequence(a.remove_icmp_block, fw_zone.removeIcmpBlock, fw_zone.queryIcmpBlock, None, "'%s'") elif a.query_icmp_block: cmd.query_sequence(a.query_icmp_block, fw_zone.queryIcmpBlock, None, "'%s'") # icmp block inversion elif a.add_icmp_block_inversion: fw_zone.addIcmpBlockInversion() elif a.remove_icmp_block_inversion: fw_zone.removeIcmpBlockInversion() elif a.query_icmp_block_inversion: cmd.print_query_result(fw_zone.queryIcmpBlockInversion()) # zone target elif a.get_target: target = fw_zone.getTarget() cmd.print_and_exit(target if target != "%%REJECT%%" else "REJECT") elif a.set_target: fw_zone.setTarget(a.set_target if a.set_target != "REJECT" else "%%REJECT%%") # list all zone settings elif a.list_all: interfaces = try_nm_get_interfaces_in_zone(zone) cmd.print_zone_info(zone, fw_zone.getSettings(), extra_interfaces=interfaces) sys.exit(0) # list everything elif a.list_all_zones: names = fw.config().getZoneNames() for zone in sorted(names): interfaces = try_nm_get_interfaces_in_zone(zone) settings = fw.config().getZoneByName(zone).getSettings() cmd.print_zone_info(zone, settings, extra_interfaces=interfaces) cmd.print_msg("") sys.exit(0) # set zone description elif a.set_description: settings = fw.config().getZoneByName(zone).getSettings() settings.setDescription(a.set_description) fw_zone.update(settings) # get zone description elif a.get_description: settings = fw.config().getZoneByName(zone).getSettings() cmd.print_and_exit(settings.getDescription()) # set zone short description elif a.set_short: settings = fw.config().getZoneByName(zone).getSettings() settings.setShort(a.set_short) fw_zone.update(settings) # get zone short description elif a.get_short: settings = fw.config().getZoneByName(zone).getSettings() cmd.print_and_exit(settings.getShort()) elif a.version: cmd.print_and_exit(fw.get_property("version")) elif a.state: state = fw.get_property("state") if state == "RUNNING": cmd.print_and_exit ("running") elif state == "FAILED": cmd.print_and_exit("failed", errors.RUNNING_BUT_FAILED) else: cmd.print_and_exit ("not running", errors.NOT_RUNNING) elif a.get_log_denied: cmd.print_and_exit(fw.getLogDenied()) elif a.set_log_denied: fw.setLogDenied(a.set_log_denied) elif a.get_automatic_helpers: cmd.print_and_exit(fw.getAutomaticHelpers()) elif a.set_automatic_helpers: fw.setAutomaticHelpers(a.set_automatic_helpers) elif a.get_ipset_types: types = fw.get_property("IPSetTypes") cmd.print_and_exit(" ".join(sorted(types))) elif a.reload: fw.reload() elif a.complete_reload: fw.complete_reload() elif a.runtime_to_permanent: fw.runtimeToPermanent() elif a.check_config: fw.checkPermanentConfig() elif a.direct: if a.passthrough: if len(a.passthrough) < 2: cmd.fail("usage: --direct --passthrough { ipv4 | ipv6 | eb } <args>") msg = fw.passthrough(cmd.check_ipv(a.passthrough[0]), splitArgs(a.passthrough[1])) if msg: sys.stdout.write(msg + "\n") elif a.add_passthrough: if len(a.add_passthrough) < 2: cmd.fail("usage: --direct --add-passthrough { ipv4 | ipv6 | eb } <args>") fw.addPassthrough(cmd.check_ipv(a.add_passthrough[0]), splitArgs(a.add_passthrough[1])) elif a.remove_passthrough: if len(a.remove_passthrough) < 2: cmd.fail("usage: --direct --remove-passthrough { ipv4 | ipv6 | eb } <args>") fw.removePassthrough(cmd.check_ipv(a.remove_passthrough[0]), splitArgs(a.remove_passthrough[1])) elif a.query_passthrough: if len(a.query_passthrough) < 2: cmd.fail("usage: --direct --query-passthrough { ipv4 | ipv6 | eb } <args>") cmd.print_query_result( fw.queryPassthrough(cmd.check_ipv(a.query_passthrough[0]), splitArgs(a.query_passthrough[1]))) elif a.get_passthroughs: rules = fw.getPassthroughs(cmd.check_ipv(a.get_passthroughs[0])) for rule in rules: cmd.print_msg(joinArgs(rule)) sys.exit(0) elif a.get_all_passthroughs: for (ipv, rule) in fw.getAllPassthroughs(): cmd.print_msg("%s %s" % (ipv, joinArgs(rule))) sys.exit(0) elif a.add_chain: fw.addChain(cmd.check_ipv(a.add_chain[0]), a.add_chain[1], a.add_chain[2]) elif a.remove_chain: fw.removeChain(cmd.check_ipv(a.remove_chain[0]), a.remove_chain[1], a.remove_chain[2]) elif a.query_chain: cmd.print_query_result(fw.queryChain(cmd.check_ipv(a.query_chain[0]), a.query_chain[1], a.query_chain[2])) elif a.get_chains: cmd.print_and_exit(" ".join(fw.getChains(cmd.check_ipv(a.get_chains[0]), a.get_chains[1]))) elif a.get_all_chains: chains = fw.getAllChains() for (ipv, table, chain) in chains: cmd.print_msg("%s %s %s" % (ipv, table, chain)) sys.exit(0) elif a.add_rule: if len(a.add_rule) < 5: cmd.fail("usage: --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") try: priority = int(a.add_rule[3]) except ValueError: cmd.fail("usage: --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") fw.addRule(cmd.check_ipv(a.add_rule[0]), a.add_rule[1], a.add_rule[2], priority, splitArgs(a.add_rule[4])) elif a.remove_rule: if len(a.remove_rule) < 5: cmd.fail("usage: --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") try: priority = int(a.remove_rule[3]) except ValueError: cmd.fail("usage: --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") fw.removeRule(cmd.check_ipv(a.remove_rule[0]), a.remove_rule[1], a.remove_rule[2], priority, splitArgs(a.remove_rule[4])) elif a.remove_rules: if len(a.remove_rules) < 3: cmd.fail("usage: --direct --remove-rules { ipv4 | ipv6 | eb } <table> <chain>") fw.removeRules(cmd.check_ipv(a.remove_rules[0]), a.remove_rules[1], a.remove_rules[2]) elif a.query_rule: if len(a.query_rule) < 5: cmd.fail("usage: --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") try: priority = int(a.query_rule[3]) except ValueError: cmd.fail("usage: --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") cmd.print_query_result( fw.queryRule(cmd.check_ipv(a.query_rule[0]), a.query_rule[1], a.query_rule[2], priority, splitArgs(a.query_rule[4]))) elif a.get_rules: rules = fw.getRules(cmd.check_ipv(a.get_rules[0]), a.get_rules[1], a.get_rules[2]) for (priority, rule) in rules: cmd.print_msg("%d %s" % (priority, joinArgs(rule))) sys.exit(0) elif a.get_all_rules: rules = fw.getAllRules() for (ipv, table, chain, priority, rule) in rules: cmd.print_msg("%s %s %s %d %s" % (ipv, table, chain, priority, joinArgs(rule))) sys.exit(0) elif a.get_default_zone: cmd.print_and_exit(fw.getDefaultZone()) elif a.set_default_zone: fw.setDefaultZone(a.set_default_zone) elif a.get_zones: cmd.print_and_exit(" ".join(fw.getZones())) elif a.get_active_zones: zones = fw.getActiveZones() for zone in zones: cmd.print_msg("%s" % zone) for x in [ "interfaces", "sources" ]: if x in zones[zone]: cmd.print_msg(" %s: %s" % (x, " ".join(zones[zone][x]))) sys.exit(0) elif a.get_services: l = fw.listServices() cmd.print_and_exit(" ".join(l)) elif a.get_icmptypes: l = fw.listIcmpTypes() cmd.print_and_exit(" ".join(l)) # panic elif a.panic_on: fw.enablePanicMode() elif a.panic_off: fw.disablePanicMode() elif a.query_panic: cmd.print_query_result(fw.queryPanicMode()) # ipset elif a.get_ipsets: ipsets = fw.getIPSets() cmd.print_and_exit(" ".join(sorted(ipsets))) elif a.info_ipset: cmd.print_ipset_info(a.info_ipset, fw.getIPSetSettings(a.info_ipset)) sys.exit(0) elif a.add_entry: cmd.x_add_sequence(a.ipset, a.add_entry, fw.addEntry, fw.queryEntry, None, "'%s'") elif a.remove_entry: cmd.x_remove_sequence(a.ipset, a.remove_entry, fw.removeEntry, fw.queryEntry, None, "'%s'") elif a.query_entry: cmd.x_query_sequence(a.ipset, a.query_entry, fw.queryEntry, None, "'%s'") elif a.get_entries: l = fw.getEntries(a.ipset) cmd.print_and_exit("\n".join(l)) elif a.add_entries_from_file: old_entries = fw.getEntries(a.ipset) changed = False for filename in a.add_entries_from_file: try: entries = cmd.get_ipset_entries_from_file(filename) except IOError as msg: message = "Failed to read file '%s': %s" % (filename, msg) if len(a.add_entries_from_file) > 1: cmd.print_warning(message) else: cmd.print_and_exit(message) else: entries_set = set() for entry in old_entries: entries_set.add(entry) for entry in entries: if entry not in entries_set: old_entries.append(entry) entries_set.add(entry) changed = True else: cmd.print_if_verbose("Warning: ALREADY_ENABLED: %s" % entry) if changed: fw.setEntries(a.ipset, old_entries) elif a.remove_entries_from_file: old_entries = fw.getEntries(a.ipset) changed = False for filename in a.remove_entries_from_file: try: entries = cmd.get_ipset_entries_from_file(filename) except IOError as msg: message = "Failed to read file '%s': %s" % (filename, msg) if len(a.remove_entries_from_file) > 1: cmd.print_warning(message) else: cmd.print_and_exit(message) else: entries_set = set() for entry in old_entries: entries_set.add(entry) for entry in entries: if entry in entries_set: old_entries.remove(entry) entries_set.discard(entry) changed = True else: cmd.print_if_verbose("Warning: NOT_ENABLED: %s" % entry) if changed: fw.setEntries(a.ipset, old_entries) # helper elif a.get_helpers: helpers = fw.getHelpers() cmd.print_and_exit(" ".join(sorted(helpers))) elif a.info_helper: cmd.print_helper_info(a.info_helper, fw.getHelperSettings(a.info_helper)) sys.exit(0) # lockdown elif a.lockdown_on: fw.config().set_property("Lockdown", "yes") # permanent fw.enableLockdown() # runtime elif a.lockdown_off: fw.config().set_property("Lockdown", "no") # permanent fw.disableLockdown() # runtime elif a.query_lockdown: cmd.print_query_result(fw.queryLockdown()) # runtime #lockdown = fw.config().get_property("Lockdown") #cmd.print_query_result(lockdown.lower() in [ "yes", "true" ]) # lockdown whitelist # commands elif a.list_lockdown_whitelist_commands: l = fw.getLockdownWhitelistCommands() cmd.print_and_exit("\n".join(l)) elif a.add_lockdown_whitelist_command: cmd.add_sequence(a.add_lockdown_whitelist_command, fw.addLockdownWhitelistCommand, fw.queryLockdownWhitelistCommand, None, "'%s'") elif a.remove_lockdown_whitelist_command: cmd.remove_sequence(a.remove_lockdown_whitelist_command, fw.removeLockdownWhitelistCommand, fw.queryLockdownWhitelistCommand, None, "'%s'") elif a.query_lockdown_whitelist_command: cmd.query_sequence(a.query_lockdown_whitelist_command, fw.queryLockdownWhitelistCommand, None, "'%s'") # contexts elif a.list_lockdown_whitelist_contexts: l = fw.getLockdownWhitelistContexts() cmd.print_and_exit("\n".join(l)) elif a.add_lockdown_whitelist_context: cmd.add_sequence(a.add_lockdown_whitelist_context, fw.addLockdownWhitelistContext, fw.queryLockdownWhitelistContext, None, "'%s'") elif a.remove_lockdown_whitelist_context: cmd.remove_sequence(a.remove_lockdown_whitelist_context, fw.removeLockdownWhitelistContext, fw.queryLockdownWhitelistContext, None, "'%s'") elif a.query_lockdown_whitelist_context: cmd.query_sequence(a.query_lockdown_whitelist_context, fw.queryLockdownWhitelistContext, None, "'%s'") # uids elif a.list_lockdown_whitelist_uids: l = fw.getLockdownWhitelistUids() cmd.print_and_exit(" ".join(map(str, l))) elif a.add_lockdown_whitelist_uid is not None: cmd.add_sequence(a.add_lockdown_whitelist_uid, fw.addLockdownWhitelistUid, fw.queryLockdownWhitelistUid, None, "'%s'") elif a.remove_lockdown_whitelist_uid is not None: cmd.remove_sequence(a.remove_lockdown_whitelist_uid, fw.removeLockdownWhitelistUid, fw.queryLockdownWhitelistUid, None, "'%s'") elif a.query_lockdown_whitelist_uid is not None: cmd.query_sequence(a.query_lockdown_whitelist_uid, fw.queryLockdownWhitelistUid, None, "'%s'") # users elif a.list_lockdown_whitelist_users: l = fw.getLockdownWhitelistUsers() cmd.print_and_exit(" ".join(l)) elif a.add_lockdown_whitelist_user: cmd.add_sequence(a.add_lockdown_whitelist_user, fw.addLockdownWhitelistUser, fw.queryLockdownWhitelistUser, None, "'%s'") elif a.remove_lockdown_whitelist_user: cmd.remove_sequence(a.remove_lockdown_whitelist_user, fw.removeLockdownWhitelistUser, fw.queryLockdownWhitelistUser, None, "'%s'") elif a.query_lockdown_whitelist_user: cmd.query_sequence(a.query_lockdown_whitelist_user, fw.queryLockdownWhitelistUser, None, "'%s'") # interface elif a.list_interfaces: l = fw.getInterfaces(zone) cmd.print_and_exit(" ".join(l)) elif a.get_zone_of_interface: for interface in a.get_zone_of_interface: zone = fw.getZoneOfInterface(interface) if zone: if len(a.get_zone_of_interface) > 1: cmd.print_warning("%s: %s" % (interface, zone)) else: cmd.print_and_exit(zone) else: if len(a.get_zone_of_interface) > 1: cmd.print_warning("%s: no zone" % interface) else: cmd.fail("no zone") elif a.add_interface: interfaces = [ ] for interface in a.add_interface: interfaces.append(interface) cmd.x_add_sequence(zone, interfaces, fw.addInterface, fw.queryInterface, None, "'%s'") elif a.change_interface: interfaces = [ ] for interface in a.change_interface: interfaces.append(interface) cmd.x_add_sequence(zone, interfaces, fw.changeZoneOfInterface, fw.queryInterface, None, "'%s'") elif a.remove_interface: interfaces = [ ] for interface in a.remove_interface: interfaces.append(interface) cmd.x_remove_sequence(zone, interfaces, fw.removeInterface, fw.queryInterface, None, "'%s'") elif a.query_interface: cmd.x_query_sequence(zone, a.query_interface, fw.queryInterface, None, "'%s'") # source elif a.list_sources: sources = fw.getSources(zone) cmd.print_and_exit(" ".join(sources)) elif a.get_zone_of_source: for source in a.get_zone_of_source: zone = fw.getZoneOfSource(source) if zone: if len(a.get_zone_of_source) > 1: cmd.print_warning("%s: %s" % (source, zone)) else: cmd.print_and_exit(zone) else: if len(a.get_zone_of_source) > 1: cmd.print_warning("%s: no zone" % source) else: cmd.fail("no zone") sys.exit(0) elif a.add_source: cmd.x_add_sequence(zone, a.add_source, fw.addSource, fw.querySource, None, "'%s'") elif a.change_source: cmd.x_add_sequence(zone, a.change_source, fw.changeZoneOfSource, fw.querySource, None, "'%s'") elif a.remove_source: cmd.x_remove_sequence(zone, a.remove_source, fw.removeSource, fw.querySource, None, "'%s'") elif a.query_source: cmd.x_query_sequence(zone, a.query_source, fw.querySource, None, "'%s'") # rich rules elif a.list_rich_rules: l = fw.getRichRules(zone) cmd.print_and_exit("\n".join(l)) elif a.add_rich_rule: cmd.zone_add_timeout_sequence(zone, a.add_rich_rule, fw.addRichRule, fw.queryRichRule, None, "'%s'", a.timeout) elif a.remove_rich_rule: cmd.x_remove_sequence(zone, a.remove_rich_rule, fw.removeRichRule, fw.queryRichRule, None, "'%s'") elif a.query_rich_rule: cmd.x_query_sequence(zone, a.query_rich_rule, fw.queryRichRule, None, "'%s'") # service elif a.list_services: l = fw.getServices(zone) cmd.print_and_exit(" ".join(sorted(l))) elif a.add_service: cmd.zone_add_timeout_sequence(zone, a.add_service, fw.addService, fw.queryService, None, "'%s'", a.timeout) elif a.remove_service: cmd.x_remove_sequence(zone, a.remove_service, fw.removeService, fw.queryService, None, "'%s'") elif a.query_service: cmd.x_query_sequence(zone, a.query_service, fw.queryService, None, "'%s'") # port elif a.list_ports: l = fw.getPorts(zone) cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l])) elif a.add_port: cmd.zone_add_timeout_sequence(zone, a.add_port, fw.addPort, fw.queryPort, cmd.parse_port, "'%s/%s'", a.timeout) elif a.remove_port: cmd.x_remove_sequence(zone, a.remove_port, fw.removePort, fw.queryPort, cmd.parse_port, "'%s/%s'") elif a.query_port: cmd.x_query_sequence(zone, a.query_port, fw.queryPort, cmd.parse_port, "'%s/%s'") # protocol elif a.list_protocols: l = fw.getProtocols(zone) cmd.print_and_exit(" ".join(["%s" % protocol for protocol in sorted(l)])) elif a.add_protocol: cmd.zone_add_timeout_sequence(zone, a.add_protocol, fw.addProtocol, fw.queryProtocol, None, "'%s'", a.timeout) elif a.remove_protocol: cmd.x_remove_sequence(zone, a.remove_protocol, fw.removeProtocol, fw.queryProtocol, None, "'%s'") elif a.query_protocol: cmd.x_query_sequence(zone, a.query_protocol, fw.queryProtocol, None, "'%s'") # source port elif a.list_source_ports: l = fw.getSourcePorts(zone) cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l])) elif a.add_source_port: cmd.zone_add_timeout_sequence(zone, a.add_source_port, fw.addSourcePort, fw.querySourcePort, cmd.parse_port, "'%s/%s'", a.timeout) elif a.remove_source_port: cmd.x_remove_sequence(zone, a.remove_source_port, fw.removeSourcePort, fw.querySourcePort, cmd.parse_port, "'%s/%s'") elif a.query_source_port: cmd.x_query_sequence(zone, a.query_source_port, fw.querySourcePort, cmd.parse_port, "'%s/%s'") # masquerade elif a.add_masquerade: fw.addMasquerade(zone, a.timeout) elif a.remove_masquerade: fw.removeMasquerade(zone) elif a.query_masquerade: cmd.print_query_result(fw.queryMasquerade(zone)) # forward port elif a.list_forward_ports: l = fw.getForwardPorts(zone) cmd.print_and_exit("\n".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % (port, protocol, toport, toaddr) for (port, protocol, toport, toaddr) in l])) elif a.add_forward_port: cmd.zone_add_timeout_sequence(zone, a.add_forward_port, fw.addForwardPort, fw.queryForwardPort, cmd.parse_forward_port, "'port=%s:proto=%s:toport=%s:toaddr=%s'", a.timeout) elif a.remove_forward_port: cmd.x_remove_sequence(zone, a.remove_forward_port, fw.removeForwardPort, fw.queryForwardPort, cmd.parse_forward_port, "'port=%s:proto=%s:toport=%s:toaddr=%s'") elif a.query_forward_port: cmd.x_query_sequence(zone, a.query_forward_port, fw.queryForwardPort, cmd.parse_forward_port, "'port=%s:proto=%s:toport=%s:toaddr=%s'") # block icmp elif a.list_icmp_blocks: l = fw.getIcmpBlocks(zone) cmd.print_and_exit(" ".join(l)) elif a.add_icmp_block: cmd.zone_add_timeout_sequence(zone, a.add_icmp_block, fw.addIcmpBlock, fw.queryIcmpBlock, None, "'%s'", a.timeout) elif a.remove_icmp_block: cmd.x_remove_sequence(zone, a.remove_icmp_block, fw.removeIcmpBlock, fw.queryIcmpBlock, None, "'%s'") elif a.query_icmp_block: cmd.x_query_sequence(zone, a.query_icmp_block, fw.queryIcmpBlock, None, "'%s'") # icmp block inversion elif a.add_icmp_block_inversion: fw.addIcmpBlockInversion(zone) elif a.remove_icmp_block_inversion: fw.removeIcmpBlockInversion(zone) elif a.query_icmp_block_inversion: cmd.print_query_result(fw.queryIcmpBlockInversion(zone)) # list all elif a.list_all: z = zone if zone else fw.getDefaultZone() cmd.print_zone_info(z, fw.getZoneSettings(z)) sys.exit(0) # list everything elif a.list_all_zones: for zone in fw.getZones(): cmd.print_zone_info(zone, fw.getZoneSettings(zone)) cmd.print_msg("") sys.exit(0) elif a.info_zone: cmd.print_zone_info(a.info_zone, fw.getZoneSettings(a.info_zone), True) sys.exit(0) elif a.info_service: cmd.print_service_info(a.info_service, fw.getServiceSettings(a.info_service)) sys.exit(0) elif a.info_icmptype: cmd.print_icmptype_info(a.info_icmptype, fw.getIcmpTypeSettings(a.info_icmptype)) sys.exit(0) cmd.print_and_exit("success")