One Hat Cyber Team
Your IP :
216.73.216.14
Server IP :
194.44.31.54
Server :
Linux zen.imath.kiev.ua 4.18.0-553.77.1.el8_10.x86_64 #1 SMP Fri Oct 3 14:30:23 UTC 2025 x86_64
Server Software :
Apache/2.4.37 (Rocky Linux) OpenSSL/1.1.1k
PHP Version :
5.6.40
Buat File
|
Buat Folder
Eksekusi
Dir :
~
/
backup
/
oldserver
/
2
/
bin
/
Edit File:
firewall-cmd
#!/usr/bin/python -Es # -*- coding: utf-8 -*- # # Copyright (C) 2009-2014 Red Hat, Inc. # # Authors: # Thomas Woerner <twoerner@redhat.com> # Jiri Popelka <jpopelka@redhat.com> # # This program is free software; you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation; either version 2 of the License, or # (at your option) any later version. # # This program is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with this program. If not, see <http://www.gnu.org/licenses/>. # from gi.repository import GObject import sys sys.modules['gobject'] = GObject import argparse import dbus import os from firewall.client import * from firewall.errors import * from firewall.functions import joinArgs, splitArgs def __print(msg=None): if msg and not a.quiet: print(msg) def __print_and_exit(msg=None, exit_code=0): FAIL = '\033[91m' OK = '\033[92m' END = '\033[00m' if exit_code > 1: __print(FAIL + msg + END) else: __print(msg) #__print(OK + msg + END) sys.exit(exit_code) def __fail(msg=None): __print_and_exit(msg, 2) def __print_if_verbose(msg=None): if msg and a.verbose: print(msg) def __usage(): print (""" Usage: firewall-cmd [OPTIONS...] General Options -h, --help Prints a short help text and exists -V, --version Print the version string of firewalld -q, --quiet Do not print status messages Status Options --state Return and print firewalld state --reload Reload firewall and keep state information --complete-reload Reload firewall and loose state information --runtime-to-permanent Create permanent from runtime configuration Permanent Options --permanent Set an option permanently Usable for options maked with [P] Zone Options --get-default-zone Print default zone for connections and interfaces --set-default-zone=<zone> Set default zone --get-active-zones Print currently active zones --get-zones Print predefined zones [P] --get-services Print predefined services [P] --get-icmptypes Print predefined icmptypes [P] --get-zone-of-interface=<interface> Print name of the zone the interface is bound to [P] --get-zone-of-source=<source>[/<mask>] Print name of the zone the source[/mask] is bound to [P] --list-all-zones List everything added for or enabled in all zones [P] --new-zone=<zone> Add a new zone [P only] --delete-zone=<zone> Delete an existing zone [P only] --zone=<zone> Use this zone to set or query options, else default zone Usable for options maked with [Z] --get-target Get the zone target [P only] [Z] --set-target=<target> Set the zone target [P only] [Z] IcmpType Options --new-icmptype=<icmptype> Add a new icmptype [P only] --delete-icmptype=<icmptype> Delete and existing icmptype [P only] Service Options --new-service=<service> Add a new service [P only] --delete-service=<service> Delete and existing service [P only] Options to Adapt and Query Zones --list-all List everything added for or enabled in a zone [P] [Z] --list-services List services added for a zone [P] [Z] --timeout=<timeval> Enable an option for timeval time, where timeval is a number followed by one of letters 's' or 'm' or 'h' Usable for options maked with [T] --add-service=<service> Add a service for a zone [P] [Z] [T] --remove-service=<service> Remove a service from a zone [P] [Z] --query-service=<service> Return whether service has been added for a zone [P] [Z] --list-ports List ports added for a zone [P] [Z] --add-port=<portid>[-<portid>]/<protocol> Add the port for a zone [P] [Z] [T] --remove-port=<portid>[-<portid>]/<protocol> Remove the port from a zone [P] [Z] --query-port=<portid>[-<portid>]/<protocol> Return whether the port has been added for zone [P] [Z] --list-icmp-blocks List Internet ICMP type blocks added for a zone [P] [Z] --add-icmp-block=<icmptype> Add an ICMP block for a zone [P] [Z] [T] --remove-icmp-block=<icmptype> Remove the ICMP block from a zone [P] [Z] --query-icmp-block=<icmptype> Return whether an ICMP block has been added for a zone [P] [Z] --list-forward-ports List IPv4 forward ports added for a zone [P] [Z] --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]] Add the IPv4 forward port for a zone [P] [Z] [T] --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]] Remove the IPv4 forward port from a zone [P] [Z] --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]] Return whether the IPv4 forward port has been added for a zone [P] [Z] --add-masquerade Enable IPv4 masquerade for a zone [P] [Z] [T] --remove-masquerade Disable IPv4 masquerade for a zone [P] [Z] --query-masquerade Return whether IPv4 masquerading has been enabled for a zone [P] [Z] --list-rich-rules List rich language rules added for a zone [P] [Z] --add-rich-rule=<rule> Add rich language rule 'rule' for a zone [P] [Z] [T] --remove-rich-rule=<rule> Remove rich language rule 'rule' from a zone [P] [Z] --query-rich-rule=<rule> Return whether a rich language rule 'rule' has been added for a zone [P] [Z] Options to Handle Bindings of Interfaces --list-interfaces List interfaces that are bound to a zone [P] [Z] --add-interface=<interface> Bind the <interface> to a zone [P] [Z] --change-interface=<interface> Change zone the <interface> is bound to [Z] --query-interface=<interface> Query whether <interface> is bound to a zone [P] [Z] --remove-interface=<interface> Remove binding of <interface> from a zone [P] [Z] Options to Handle Bindings of Sources --list-sources List sources that are bound to a zone [P] [Z] --add-source=<source>[/<mask>] Bind <source>[/<mask>] to a zone [P] [Z] --change-source=<source>[/<mask>] Change zone the <source>[/<mask>] is bound to [Z] --query-source=<source>[/<mask>] Query whether <source>[/<mask>] is bound to a zone [P] [Z] --remove-source=<source>[/<mask>] Remove binding of <source>[/<mask>] from a zone [P] [Z] Direct Options --direct First option for all direct options --get-all-chains Get all chains [P] --get-chains {ipv4|ipv6|eb} <table> Get all chains added to the table [P] --add-chain {ipv4|ipv6|eb} <table> <chain> Add a new chain to the table [P] --remove-chain {ipv4|ipv6|eb} <table> <chain> Remove the chain from the table [P] --query-chain {ipv4|ipv6|eb} <table> <chain> Return whether the chain has been added to the table [P] --get-all-rules Get all rules [P] --get-rules {ipv4|ipv6|eb} <table> <chain> Get all rules added to chain in table [P] --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>... Add rule to chain in table [P] --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>... Remove rule with priority from chain in table [P] --remove-rules {ipv4|ipv6|eb} <table> <chain> Remove rules from chain in table [P] --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>... Return whether a rule with priority has been added to chain in table [P] --passthrough {ipv4|ipv6|eb} <arg>... Pass a command through (untracked by firewalld) --get-all-passthroughs Get all tracked passthrough rules [P] --get-passthroughs {ipv4|ipv6|eb} <arg>... Get tracked passthrough rules [P] --add-passthrough {ipv4|ipv6|eb} <arg>... Add a new tracked passthrough rule [P] --remove-passthrough {ipv4|ipv6|eb} <arg>... Remove a tracked passthrough rule [P] --query-passthrough {ipv4|ipv6|eb} <arg>... Return whether the tracked passthrough rule has been added [P] Lockdown Options --lockdown-on Enable lockdown. --lockdown-off Disable lockdown. --query-lockdown Query whether lockdown is enabled Lockdown Whitelist Options --list-lockdown-whitelist-commands List all command lines that are on the whitelist [P] --add-lockdown-whitelist-command=<command> Add the command to the whitelist [P] --remove-lockdown-whitelist-command=<command> Remove the command from the whitelist [P] --query-lockdown-whitelist-command=<command> Query whether the command is on the whitelist [P] --list-lockdown-whitelist-contexts List all contexts that are on the whitelist [P] --add-lockdown-whitelist-context=<context> Add the context context to the whitelist [P] --remove-lockdown-whitelist-context=<context> Remove the context from the whitelist [P] --query-lockdown-whitelist-context=<context> Query whether the context is on the whitelist [P] --list-lockdown-whitelist-uids List all user ids that are on the whitelist [P] --add-lockdown-whitelist-uid=<uid> Add the user id uid to the whitelist [P] --remove-lockdown-whitelist-uid=<uid> Remove the user id uid from the whitelist [P] --query-lockdown-whitelist-uid=<uid> Query whether the user id uid is on the whitelist [P] --list-lockdown-whitelist-users List all user names that are on the whitelist [P] --add-lockdown-whitelist-user=<user> Add the user name user to the whitelist [P] --remove-lockdown-whitelist-user=<user> Remove the user name user from the whitelist [P] --query-lockdown-whitelist-user=<user> Query whether the user name user is on the whitelist [P] Panic Options --panic-on Enable panic mode --panic-off Disable panic mode --query-panic Query whether panic mode is enabled """) def __parse_port(value): try: (port, proto) = value.split("/") except Exception as e: __fail("bad port (most likely missing protocol), correct syntax is portid[-portid]/protocol") return (port, proto) def __parse_forward_port(value): port = None protocol = None toport = None toaddr = None args = value.split(":") for arg in args: try: (opt,val) = arg.split("=") if opt == "port": port = val elif opt == "proto": protocol = val elif opt == "toport": toport = val elif opt == "toaddr": toaddr = val except: __fail("invalid forward port arg '%s'" % (arg)) if not port: __fail("missing port") if not protocol: __fail("missing protocol") if not (toport or toaddr): __fail("missing destination") return (port, protocol, toport, toaddr) def _check_ipv(value): if value != "ipv4" and value != "ipv6" and value != "eb": __fail("invalid argument: %s (choose from 'ipv4', 'ipv6', 'eb')" % value) return value def __print_all(zone, interfaces, sources, services, ports, masquerade, forward_ports, icmp_blocks, rules): attributes = [] if zone == fw.getDefaultZone(): attributes.append("default") if interfaces: attributes.append("active") if attributes: zone = zone + " (%s)" % ", ".join(attributes) __print(zone) __print(" interfaces: " + " ".join(interfaces)) __print(" sources: " + " ".join(sources)) __print(" services: " + " ".join(services)) __print(" ports: " + " ".join(["%s/%s" % (port[0], port[1]) for port in ports])) __print(" masquerade: %s" % ("yes" if masquerade else "no")) __print(" forward-ports: " + "\n\t".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % (port, protocol, toport, toaddr) for (port, protocol, toport, toaddr) in forward_ports])) __print(" icmp-blocks: " + " ".join(icmp_blocks)) __print(" rich rules: \n\t" + "\n\t".join(rules)) def __list_all(fw, zone): interfaces = fw.getInterfaces(zone) sources = fw.getSources(zone) services = fw.getServices(zone) ports = fw.getPorts(zone) masquerade = fw.queryMasquerade(zone) forward_ports = fw.getForwardPorts(zone) icmp_blocks = fw.getIcmpBlocks(zone) rules = fw.getRichRules(zone) __print_all(zone, interfaces, sources, services, ports, masquerade, forward_ports, icmp_blocks, rules) def __list_all_permanent(fw_settings, zone): interfaces = fw_settings.getInterfaces() sources = fw_settings.getSources() services = fw_settings.getServices() ports = fw_settings.getPorts() masquerade = fw_settings.getMasquerade() forward_ports = fw_settings.getForwardPorts() icmp_blocks = fw_settings.getIcmpBlocks() rules = fw_settings.getRichRules() __print_all(zone, interfaces, sources, services, ports, masquerade, forward_ports, icmp_blocks, rules) def __print_query_result(value): if value: __print_and_exit("yes") else: __print_and_exit("no", 1) def __exception_handler(exception_message): if "NotAuthorizedException" in exception_message: msg = """Authorization failed. Make sure polkit agent is running or run the application as superuser.""" __print_and_exit(msg, NOT_AUTHORIZED) else: code = FirewallError.get_code(exception_message) if code in [ ALREADY_ENABLED, NOT_ENABLED, ZONE_ALREADY_SET ]: __print_and_exit("Warning: %s" % exception_message) else: __print_and_exit("Error: %s" % exception_message, code) parser = argparse.ArgumentParser(usage="see firewall-cmd man page", add_help=False) parser_group_output = parser.add_mutually_exclusive_group() parser_group_output.add_argument("-v", "--verbose", action="store_true") parser_group_output.add_argument("-q", "--quiet", action="store_true") parser_group_standalone = parser.add_mutually_exclusive_group() parser_group_standalone.add_argument("-h", "--help", action="store_true") parser_group_standalone.add_argument("-V", "--version", action="store_true") parser_group_standalone.add_argument("--state", action="store_true") parser_group_standalone.add_argument("--reload", action="store_true") parser_group_standalone.add_argument("--complete-reload", action="store_true") parser_group_standalone.add_argument("--runtime-to-permanent", action="store_true") parser_group_standalone.add_argument("--panic-on", action="store_true") parser_group_standalone.add_argument("--panic-off", action="store_true") parser_group_standalone.add_argument("--query-panic", action="store_true") parser_group_standalone.add_argument("--lockdown-on", action="store_true") parser_group_standalone.add_argument("--lockdown-off", action="store_true") parser_group_standalone.add_argument("--query-lockdown", action="store_true") parser_group_standalone.add_argument("--get-default-zone", action="store_true") parser_group_standalone.add_argument("--set-default-zone", metavar="<zone>") parser_group_standalone.add_argument("--get-zones", action="store_true") parser_group_standalone.add_argument("--get-services", action="store_true") parser_group_standalone.add_argument("--get-icmptypes", action="store_true") parser_group_standalone.add_argument("--get-active-zones", action="store_true") parser_group_standalone.add_argument("--get-zone-of-interface", metavar="<iface>") parser_group_standalone.add_argument("--get-zone-of-source", metavar="<source>") parser_group_standalone.add_argument("--list-all-zones", action="store_true") parser_group_config = parser.add_mutually_exclusive_group() parser_group_config.add_argument("--new-icmptype", metavar="<icmptype>") parser_group_config.add_argument("--delete-icmptype", metavar="<icmptype>") parser_group_config.add_argument("--new-service", metavar="<service>") parser_group_config.add_argument("--delete-service", metavar="<service>") parser_group_config.add_argument("--new-zone", metavar="<zone>") parser_group_config.add_argument("--delete-zone", metavar="<zone>") parser_group_lockdown_whitelist = parser.add_mutually_exclusive_group() parser_group_lockdown_whitelist.add_argument("--list-lockdown-whitelist-commands", action="store_true") parser_group_lockdown_whitelist.add_argument("--add-lockdown-whitelist-command", metavar="<command>") parser_group_lockdown_whitelist.add_argument("--remove-lockdown-whitelist-command", metavar="<command>") parser_group_lockdown_whitelist.add_argument("--query-lockdown-whitelist-command", metavar="<command>") parser_group_lockdown_whitelist.add_argument("--list-lockdown-whitelist-contexts", action="store_true") parser_group_lockdown_whitelist.add_argument("--add-lockdown-whitelist-context", metavar="<context>") parser_group_lockdown_whitelist.add_argument("--remove-lockdown-whitelist-context", metavar="<context>") parser_group_lockdown_whitelist.add_argument("--query-lockdown-whitelist-context", metavar="<context>") parser_group_lockdown_whitelist.add_argument("--list-lockdown-whitelist-uids", action="store_true") parser_group_lockdown_whitelist.add_argument("--add-lockdown-whitelist-uid", metavar="<uid>", type=int) parser_group_lockdown_whitelist.add_argument("--remove-lockdown-whitelist-uid", metavar="<uid>", type=int) parser_group_lockdown_whitelist.add_argument("--query-lockdown-whitelist-uid", metavar="<uid>", type=int) parser_group_lockdown_whitelist.add_argument("--list-lockdown-whitelist-users", action="store_true") parser_group_lockdown_whitelist.add_argument("--add-lockdown-whitelist-user", metavar="<user>") parser_group_lockdown_whitelist.add_argument("--remove-lockdown-whitelist-user", metavar="<user>") parser_group_lockdown_whitelist.add_argument("--query-lockdown-whitelist-user", metavar="<user>") parser.add_argument("--permanent", action="store_true") parser.add_argument("--zone", default="", metavar="<zone>") parser.add_argument("--timeout", default="0", metavar="<seconds>") parser_group_zone = parser.add_mutually_exclusive_group() parser_group_zone.add_argument("--add-interface", metavar="<iface>") parser_group_zone.add_argument("--remove-interface", metavar="<iface>") parser_group_zone.add_argument("--query-interface", metavar="<iface>") parser_group_zone.add_argument("--change-interface", "--change-zone", metavar="<iface>") parser_group_zone.add_argument("--list-interfaces", action="store_true") parser_group_zone.add_argument("--add-source", metavar="<source>") parser_group_zone.add_argument("--remove-source", metavar="<source>") parser_group_zone.add_argument("--query-source", metavar="<source>") parser_group_zone.add_argument("--change-source", metavar="<source>") parser_group_zone.add_argument("--list-sources", action="store_true") parser_group_zone.add_argument("--add-rich-rule", metavar="<rule>", action='append') parser_group_zone.add_argument("--remove-rich-rule", metavar="<rule>", action='append') parser_group_zone.add_argument("--query-rich-rule", metavar="<rule>") parser_group_zone.add_argument("--add-service", metavar="<service>", action='append') parser_group_zone.add_argument("--remove-service", metavar="<zone>", action='append') parser_group_zone.add_argument("--query-service", metavar="<zone>") parser_group_zone.add_argument("--add-port", metavar="<port>", action='append') parser_group_zone.add_argument("--remove-port", metavar="<port>", action='append') parser_group_zone.add_argument("--query-port", metavar="<port>") parser_group_zone.add_argument("--add-masquerade", action="store_true") parser_group_zone.add_argument("--remove-masquerade", action="store_true") parser_group_zone.add_argument("--query-masquerade", action="store_true") parser_group_zone.add_argument("--add-icmp-block", metavar="<icmptype>", action='append') parser_group_zone.add_argument("--remove-icmp-block", metavar="<icmptype>", action='append') parser_group_zone.add_argument("--query-icmp-block", metavar="<icmptype>") parser_group_zone.add_argument("--add-forward-port", metavar="<port>", action='append') parser_group_zone.add_argument("--remove-forward-port", metavar="<port>", action='append') parser_group_zone.add_argument("--query-forward-port", metavar="<port>") parser_group_zone.add_argument("--list-rich-rules", action="store_true") parser_group_zone.add_argument("--list-services", action="store_true") parser_group_zone.add_argument("--list-ports", action="store_true") parser_group_zone.add_argument("--list-icmp-blocks", action="store_true") parser_group_zone.add_argument("--list-forward-ports", action="store_true") parser_group_zone.add_argument("--list-all", action="store_true") parser_group_zone.add_argument("--get-target", action="store_true") parser_group_zone.add_argument("--set-target", metavar="<target>") parser.add_argument("--direct", action="store_true") parser_direct = parser.add_mutually_exclusive_group() parser_direct.add_argument("--passthrough", nargs=argparse.REMAINDER, metavar=("{ ipv4 | ipv6 | eb }", "<args>")) parser_direct.add_argument("--add-passthrough", nargs=argparse.REMAINDER, metavar=("{ ipv4 | ipv6 | eb }", "<args>")) parser_direct.add_argument("--remove-passthrough", nargs=argparse.REMAINDER, metavar=("{ ipv4 | ipv6 | eb }", "<args>")) parser_direct.add_argument("--query-passthrough", nargs=argparse.REMAINDER, metavar=("{ ipv4 | ipv6 | eb }", "<args>")) parser_direct.add_argument("--get-passthroughs", nargs=1, metavar=("{ ipv4 | ipv6 | eb }")) parser_direct.add_argument("--get-all-passthroughs", action="store_true") parser_direct.add_argument("--add-chain", nargs=3, metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>")) parser_direct.add_argument("--remove-chain", nargs=3, metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>")) parser_direct.add_argument("--query-chain", nargs=3, metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>")) parser_direct.add_argument("--get-all-chains", action="store_true") parser_direct.add_argument("--get-chains", nargs=2, metavar=("{ ipv4 | ipv6 | eb }", "<table>")) parser_direct.add_argument("--add-rule", nargs=argparse.REMAINDER, metavar=("{ ipv4 | ipv6 | eb }", "<table> <chain> <priority> <args>")) parser_direct.add_argument("--remove-rule", nargs=argparse.REMAINDER, metavar=("{ ipv4 | ipv6 | eb }", "<table> <chain> <priority> <args>")) parser_direct.add_argument("--remove-rules", nargs=3, metavar=("{ ipv4 | ipv6 | eb }", "<table> <chain>")) parser_direct.add_argument("--query-rule", nargs=argparse.REMAINDER, metavar=("{ ipv4 | ipv6 | eb }", "<table> <chain> <priority> <args>")) parser_direct.add_argument("--get-rules", nargs=3, metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>")) parser_direct.add_argument("--get-all-rules", action="store_true") i = -1 args = sys.argv[1:] if '--passthrough' in args: i = args.index('--passthrough') + 1 elif '--add-passthrough' in args: i = args.index('--add-passthrough') + 1 elif '--remove-passthrough' in args: i = args.index('--remove-passthrough') + 1 elif '--query-passthrough' in args: i = args.index('--query-passthrough') + 1 elif '--add-rule' in args: i = args.index('--add-rule') + 4 elif '--remove-rule' in args: i = args.index('--remove-rule') + 4 elif '--query-rule' in args: i = args.index('--query-rule') + 4 # join <args> into one argument to prevent parser from parsing each iptables # option, because they can conflict with firewall-cmd options # # e.g. --delete (iptables) and --delete-* (firewall-cmd) if (i > -1) and (i < len(args) - 1): aux_args = args[:] args = aux_args[:i+1] # all but not <args> args.append(joinArgs(aux_args[i+1:])) # add <args> as one arg a = parser.parse_args(args) options_standalone = a.help or a.version or \ a.state or a.reload or a.complete_reload or a.runtime_to_permanent or \ a.panic_on or a.panic_off or a.query_panic or \ a.lockdown_on or a.lockdown_off or a.query_lockdown or \ a.get_default_zone or a.set_default_zone or \ a.get_active_zones options_lockdown_whitelist = \ a.list_lockdown_whitelist_commands or a.add_lockdown_whitelist_command or \ a.remove_lockdown_whitelist_command or \ a.query_lockdown_whitelist_command or \ a.list_lockdown_whitelist_contexts or a.add_lockdown_whitelist_context or \ a.remove_lockdown_whitelist_context or \ a.query_lockdown_whitelist_context or \ a.list_lockdown_whitelist_uids or a.add_lockdown_whitelist_uid is not None or \ a.remove_lockdown_whitelist_uid is not None or \ a.query_lockdown_whitelist_uid is not None or \ a.list_lockdown_whitelist_users or a.add_lockdown_whitelist_user or \ a.remove_lockdown_whitelist_user or \ a.query_lockdown_whitelist_user options_config = a.get_zones or a.get_services or a.get_icmptypes or \ options_lockdown_whitelist or a.list_all_zones or \ a.get_zone_of_interface or a.get_zone_of_source options_zone_action_action = \ a.add_service or a.remove_service or a.query_service or \ a.add_port or a.remove_port or a.query_port or \ a.add_icmp_block or a.remove_icmp_block or a.query_icmp_block or \ a.add_forward_port or a.remove_forward_port or a.query_forward_port options_zone_interfaces_sources = \ a.list_interfaces or a.change_interface or \ a.add_interface or a.remove_interface or a.query_interface or \ a.list_sources or a.change_source or \ a.add_source or a.remove_source or a.query_source options_zone_adapt_query = \ a.add_rich_rule or a.remove_rich_rule or a.query_rich_rule or \ a.add_masquerade or a.remove_masquerade or a.query_masquerade or \ a.list_services or a.list_ports or a.list_icmp_blocks or \ a.list_forward_ports or a.list_rich_rules or a.list_all or \ a.get_target or a.set_target options_zone_ops = options_zone_interfaces_sources or \ options_zone_action_action or options_zone_adapt_query options_zone = a.zone or a.timeout != "0" or options_zone_ops options_permanent = a.permanent or options_config or a.zone or options_zone_ops options_permanent_only = a.new_icmptype or a.delete_icmptype or \ a.new_service or a.delete_service or \ a.new_zone or a.delete_zone options_direct = a.passthrough or \ a.add_chain or a.remove_chain or a.query_chain or \ a.get_chains or a.get_all_chains or \ a.add_rule or a.remove_rule or a.remove_rules or a.query_rule or \ a.get_rules or a.get_all_rules or \ a.add_passthrough or a.remove_passthrough or a.query_passthrough or \ a.get_passthroughs or a.get_all_passthroughs options_require_permanent = options_permanent_only or \ a.get_target or a.set_target # these are supposed to only write out some output options_list_get = a.help or a.version or a.list_all or a.list_all_zones or \ a.list_lockdown_whitelist_commands or a.list_lockdown_whitelist_contexts or \ a.list_lockdown_whitelist_uids or a.list_lockdown_whitelist_users or \ a.list_services or a.list_ports or a.list_icmp_blocks or a.list_forward_ports \ or a.list_rich_rules or a.list_interfaces or a.list_sources or \ a.get_default_zone or a.get_active_zones or a.get_zone_of_interface or \ a.get_zone_of_source or a.get_zones or a.get_services or a.get_icmptypes or \ a.get_target # Check various impossible combinations of options if not (options_standalone or \ options_config or options_zone_ops or \ options_direct or options_permanent_only): __fail(parser.format_usage() + "No option specified.") if options_standalone and (options_zone or options_permanent or \ options_direct or options_permanent_only): __fail(parser.format_usage() + "Can't use stand-alone options with other options.") if (options_direct or options_permanent_only) and (options_zone): __fail(parser.format_usage() + "Can't be used with --zone.") if (a.direct and not options_direct) or (options_direct and not a.direct): __fail(parser.format_usage() + "Wrong usage of 'direct' options.") if options_require_permanent and not a.permanent: __fail(parser.format_usage() + "Option can be used only with --permanent.") if options_config and options_zone: __fail(parser.format_usage() + "Wrong usage of --get-zones | --get-services | --get-icmptypes.") if a.timeout != "0": value = 0 unit = 's' if len(a.timeout) < 1: __fail(parser.format_usage() + "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout) elif len(a.timeout) == 1: if a.timeout.isdigit(): value = int (a.timeout[0]) else: __fail(parser.format_usage() + "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout) elif len(a.timeout) > 1: if a.timeout.isdigit(): value = int(a.timeout) unit = 's' else: if a.timeout[:-1].isdigit(): value = int (a.timeout[:-1]) else: __fail(parser.format_usage() + "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout) unit = a.timeout[-1:].lower() if unit == 's': a.timeout = value elif unit == 'm': a.timeout = value * 60 elif unit == 'h': a.timeout = value * 60 * 60 else: __fail(parser.format_usage() + "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout) else: a.timeout = 0 if a.timeout and not (a.add_service or a.add_port or a.add_icmp_block or \ a.add_forward_port or a.add_masquerade or \ a.add_rich_rule): __fail(parser.format_usage() + "Wrong --timeout usage") if a.permanent: if a.timeout: __fail(parser.format_usage() + "Can't specify timeout for permanent action.") if options_config and not a.zone: pass elif options_permanent: pass else: __fail(parser.format_usage() + "Wrong --permanent usage.") if a.quiet and options_list_get: # it makes no sense to use --quiet with these options a.quiet = False __fail("-q/--quiet can't be used with this option(s)") if a.help: __usage() sys.exit(0) zone = a.zone fw = FirewallClient() fw.setExceptionHandler(__exception_handler) if fw.connected == False: if a.state: __print_and_exit ("not running", NOT_RUNNING) else: __print_and_exit ("FirewallD is not running", NOT_RUNNING) if options_zone_ops and not zone: default = fw.getDefaultZone() __print_if_verbose("No zone specified, using default zone, i.e. '%s'" % default) active = list(fw.getActiveZones().keys()) if active and default not in active: __print ("""You're performing an operation over default zone ('%s'), but your connections/interfaces are in zone '%s' (see --get-active-zones) You most likely need to use --zone=%s option.\n""" % (default, ",".join(active), active[0])) if a.permanent: if a.get_zones: zones = fw.config().listZones() l = [fw.config().getZone(z).get_property("name") for z in zones] __print_and_exit(" ".join(sorted(l))) elif a.get_services: services = fw.config().listServices() l = [fw.config().getService(s).get_property("name") for s in services] __print_and_exit(" ".join(sorted(l))) elif a.get_icmptypes: icmptypes = fw.config().listIcmpTypes() l = [fw.config().getIcmpType(i).get_property("name") for i in icmptypes] __print_and_exit(" ".join(sorted(l))) elif a.new_zone: config = fw.config() config.addZone(a.new_zone, FirewallClientZoneSettings()) elif a.delete_zone: zone = fw.config().getZoneByName(a.delete_zone) zone.remove() elif a.new_service: config = fw.config() config.addService(a.new_service, FirewallClientServiceSettings()) elif a.delete_service: service = fw.config().getServiceByName(a.delete_service) service.remove() elif a.new_icmptype: config = fw.config() config.addIcmpType(a.new_icmptype, FirewallClientIcmpTypeSettings()) elif a.delete_icmptype: icmptype = fw.config().getIcmpTypeByName(a.delete_icmptype) icmptype.remove() # lockdown whitelist elif options_lockdown_whitelist: policies = fw.config().policies() # commands if a.list_lockdown_whitelist_commands: l = policies.getLockdownWhitelistCommands() __print_and_exit("\n".join(l)) elif a.add_lockdown_whitelist_command: policies.addLockdownWhitelistCommand(a.add_lockdown_whitelist_command) elif a.remove_lockdown_whitelist_command: policies.removeLockdownWhitelistCommand(a.remove_lockdown_whitelist_command) elif a.query_lockdown_whitelist_command: r = policies.queryLockdownWhitelistCommand(a.query_lockdown_whitelist_command) __print_query_result(r) # contexts elif a.list_lockdown_whitelist_contexts: l = policies.getLockdownWhitelistContexts() __print_and_exit("\n".join(l)) elif a.add_lockdown_whitelist_context: policies.addLockdownWhitelistContext(a.add_lockdown_whitelist_context) elif a.remove_lockdown_whitelist_context: policies.removeLockdownWhitelistContext(a.remove_lockdown_whitelist_context) elif a.query_lockdown_whitelist_context: r = policies.queryLockdownWhitelistContext(a.query_lockdown_whitelist_context) __print_query_result(r) # uids elif a.list_lockdown_whitelist_uids: l = policies.getLockdownWhitelistUids() __print_and_exit(" ".join(map(str, l))) elif a.add_lockdown_whitelist_uid is not None: policies.addLockdownWhitelistUid(a.add_lockdown_whitelist_uid) elif a.remove_lockdown_whitelist_uid is not None: policies.removeLockdownWhitelistUid(a.remove_lockdown_whitelist_uid) elif a.query_lockdown_whitelist_uid is not None: r = policies.queryLockdownWhitelistUid(a.query_lockdown_whitelist_uid) __print_query_result(r) # users elif a.list_lockdown_whitelist_users: l = policies.getLockdownWhitelistUsers() __print_and_exit("\n".join(l)) elif a.add_lockdown_whitelist_user: policies.addLockdownWhitelistUser(a.add_lockdown_whitelist_user) elif a.remove_lockdown_whitelist_user: policies.removeLockdownWhitelistUser(a.remove_lockdown_whitelist_user) elif a.query_lockdown_whitelist_user: r = policies.queryLockdownWhitelistUser(a.query_lockdown_whitelist_user) __print_query_result(r) elif options_direct: direct = fw.config().direct() if a.passthrough: if len (a.passthrough) < 2: __fail("usage: --permanent --direct --passthrough { ipv4 | ipv6 | eb } <args>") __print(direct.addPassthrough(_check_ipv(a.passthrough[0]), splitArgs(a.passthrough[1]))) if a.add_passthrough: if len (a.add_passthrough) < 2: __fail("usage: --permanent --direct --add-passthrough { ipv4 | ipv6 | eb } <args>") __print(direct.addPassthrough(_check_ipv(a.add_passthrough[0]), splitArgs(a.add_passthrough[1]))) elif a.remove_passthrough: if len (a.remove_passthrough) < 2: __fail("usage: --permanent --direct --remove-passthrough { ipv4 | ipv6 | eb } <args>") direct.removePassthrough(_check_ipv(a.remove_passthrough[0]), splitArgs(a.remove_passthrough[1])) elif a.query_passthrough: if len (a.query_passthrough) < 2: __fail("usage: --permanent --direct --query-passthrough { ipv4 | ipv6 | eb } <args>") __print_query_result( direct.queryPassthrough(_check_ipv(a.query_passthrough[0]), splitArgs(a.query_passthrough[1]))) sys.exit(0) elif a.get_passthroughs: rules = direct.getPassthroughs(_check_ipv(a.get_passthroughs[0])) for rule in rules: __print(joinArgs(rule)) sys.exit(0) elif a.get_all_passthroughs: for (ipv, rule) in direct.getAllPassthroughs(): __print("%s %s" % (ipv, joinArgs(rule))) sys.exit(0) elif a.add_chain: direct.addChain(_check_ipv(a.add_chain[0]), a.add_chain[1], a.add_chain[2]) elif a.remove_chain: direct.removeChain(_check_ipv(a.remove_chain[0]), a.remove_chain[1], a.remove_chain[2]) elif a.query_chain: __print_query_result( direct.queryChain(_check_ipv(a.query_chain[0]), a.query_chain[1], a.query_chain[2])) sys.exit(0) elif a.get_chains: __print_and_exit( " ".join(direct.getChains(_check_ipv(a.get_chains[0]), a.get_chains[1]))) sys.exit(0) elif a.get_all_chains: chains = direct.getAllChains() for (ipv, table, chain) in chains: __print("%s %s %s" % (ipv, table, chain)) sys.exit(0) elif a.add_rule: if len(a.add_rule) < 5: __fail("usage: --permanent --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") try: priority = int(a.add_rule[3]) except ValueError: __fail("usage: --permanent --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") direct.addRule(_check_ipv(a.add_rule[0]), a.add_rule[1], a.add_rule[2], priority, splitArgs(a.add_rule[4])) elif a.remove_rule: if len(a.remove_rule) < 5: __fail("usage: --permanent --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") try: priority = int(a.remove_rule[3]) except ValueError: __fail("usage: --permanent --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") direct.removeRule(_check_ipv(a.remove_rule[0]), a.remove_rule[1], a.remove_rule[2], priority, splitArgs(a.remove_rule[4])) elif a.remove_rules: if len(a.remove_rules) < 3: __fail("usage: --permanent --direct --remove-rules { ipv4 | ipv6 | eb } <table> <chain>") direct.removeRules(_check_ipv(a.remove_rules[0]), a.remove_rules[1], a.remove_rules[2]) elif a.query_rule: if len(a.query_rule) < 5: __fail("usage: --permanent --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") try: priority = int(a.query_rule[3]) except ValueError: __fail("usage: --permanent --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") __print_query_result( direct.queryRule(_check_ipv(a.query_rule[0]), a.query_rule[1], a.query_rule[2], priority, splitArgs(a.query_rule[4]))) sys.exit(0) elif a.get_rules: rules = direct.getRules(_check_ipv(a.get_rules[0]), a.get_rules[1], a.get_rules[2]) for (priority, rule) in rules: __print("%d %s" % (priority, joinArgs(rule))) sys.exit(0) elif a.get_all_rules: rules = direct.getAllRules() for (ipv, table, chain, priority, rule) in rules: __print("%s %s %s %d %s" % (ipv, table, chain, priority, joinArgs(rule))) sys.exit(0) else: if zone == "": zone = fw.getDefaultZone() fw_zone = fw.config().getZoneByName(zone) # interface if a.list_interfaces: l = fw_zone.getInterfaces() __print_and_exit(" ".join(l)) elif a.get_zone_of_interface: zone = fw.config().getZoneOfInterface(a.get_zone_of_interface) if zone: __print_and_exit(zone) else: __fail("no zone") elif a.change_interface: old_zone_name = fw.config().getZoneOfInterface(a.change_interface) if old_zone_name != zone: if old_zone_name: old_zone_obj = fw.config().getZoneByName(old_zone_name) old_zone_obj.removeInterface(a.change_interface) # remove from old fw_zone.addInterface(a.change_interface) # add to new elif a.add_interface: fw_zone.addInterface(a.add_interface) elif a.remove_interface: fw_zone.removeInterface(a.remove_interface) elif a.query_interface: __print_query_result(fw_zone.queryInterface(a.query_interface)) # source if a.list_sources: sources = fw_zone.getSources() __print_and_exit(" ".join(sources)) elif a.get_zone_of_source: zone = fw.config().getZoneOfSource(a.get_zone_of_source) if zone: __print_and_exit(zone) else: __fail("no zone") elif a.change_source: old_zone_name = fw.config().getZoneOfSource(a.change_source) old_zone_obj = fw.config().getZoneByName(old_zone_name) old_zone_obj.removeSource(a.change_source) # remove from old fw_zone.addSource(a.change_source) # add to new elif a.add_source: fw_zone.addSource(a.add_source) elif a.remove_source: fw_zone.removeSource(a.remove_source) elif a.query_source: __print_query_result(fw_zone.querySource(a.query_source)) # rich rules if a.list_rich_rules: l = fw_zone.getRichRules() __print_and_exit("\n".join(l)) elif a.add_rich_rule: for s in a.add_rich_rule: fw_zone.addRichRule(s) elif a.remove_rich_rule: for s in a.remove_rich_rule: fw_zone.removeRichRule(s) elif a.query_rich_rule: __print_query_result(fw_zone.queryRichRule(a.query_rich_rule)) # service if a.list_services: l = fw_zone.getServices() __print_and_exit(" ".join(l)) elif a.add_service: for s in a.add_service: fw_zone.addService(s) elif a.remove_service: for s in a.remove_service: fw_zone.removeService(s) elif a.query_service: __print_query_result(fw_zone.queryService(a.query_service)) # port elif a.list_ports: l = fw_zone.getPorts() __print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l])) elif a.add_port: for port_proto in a.add_port: (port, proto) = __parse_port(port_proto) fw_zone.addPort(port, proto) elif a.remove_port: for port_proto in a.remove_port: (port, proto) = __parse_port(port_proto) fw_zone.removePort(port, proto) elif a.query_port: (port, proto) = __parse_port(a.query_port) __print_query_result(fw_zone.queryPort(port, proto)) # masquerade elif a.add_masquerade: fw_zone.addMasquerade() elif a.remove_masquerade: fw_zone.removeMasquerade() elif a.query_masquerade: __print_query_result(fw_zone.queryMasquerade()) # forward port elif a.list_forward_ports: l = fw_zone.getForwardPorts() __print_and_exit("\n".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % (port, protocol, toport, toaddr) for (port, protocol, toport, toaddr) in l])) elif a.add_forward_port: for fp in a.add_forward_port: (port, protocol, toport, toaddr) = __parse_forward_port(fp) fw_zone.addForwardPort(port, protocol, toport, toaddr) elif a.remove_forward_port: for fp in a.remove_forward_port: (port, protocol, toport, toaddr) = __parse_forward_port(fp) fw_zone.removeForwardPort(port, protocol, toport, toaddr) elif a.query_forward_port: (port, protocol, toport, toaddr) = __parse_forward_port(a.query_forward_port) __print_query_result(fw_zone.queryForwardPort(port, protocol, toport, toaddr)) # block icmp elif a.list_icmp_blocks: l = fw_zone.getIcmpBlocks() __print_and_exit(" ".join(l)) elif a.add_icmp_block: for ib in a.add_icmp_block: fw_zone.addIcmpBlock(ib) elif a.remove_icmp_block: for ib in a.remove_icmp_block: fw_zone.removeIcmpBlock(ib) elif a.query_icmp_block: __print_query_result(fw_zone.queryIcmpBlock(a.query_icmp_block)) # zone target elif a.get_target: target = fw_zone.getTarget() __print_and_exit(target if target != "%%REJECT%%" else "REJECT") elif a.set_target: fw_zone.setTarget(a.set_target if a.set_target != "REJECT" else "%%REJECT%%") # list all zone settings elif a.list_all: fw_settings = fw_zone.getSettings() __list_all_permanent(fw_settings, zone if zone else fw.getDefaultZone()) sys.exit(0) # list everything elif a.list_all_zones: zones = fw.config().listZones() names = [fw.config().getZone(z).get_property("name") for z in zones] for zone in sorted(names): fw_zone = fw.config().getZoneByName(zone) fw_settings = fw_zone.getSettings() __list_all_permanent(fw_settings, zone) __print("") sys.exit(0) elif a.version: __print_and_exit(fw.get_property("version")) elif a.state: state = fw.get_property("state") if state == "RUNNING": __print_and_exit ("running") else: __print_and_exit ("not running", NOT_RUNNING) elif a.reload: fw.reload() elif a.complete_reload: fw.complete_reload() elif a.runtime_to_permanent: fw.runtimeToPermanent() elif a.direct: if a.passthrough: if len (a.passthrough) < 2: __fail("usage: --direct --passthrough { ipv4 | ipv6 | eb } <args>") msg = fw.passthrough(_check_ipv(a.passthrough[0]), splitArgs(a.passthrough[1])) if msg: print(msg) elif a.add_passthrough: if len (a.add_passthrough) < 2: __fail("usage: --direct --add-passthrough { ipv4 | ipv6 | eb } <args>") fw.addPassthrough(_check_ipv(a.add_passthrough[0]), splitArgs(a.add_passthrough[1])) elif a.remove_passthrough: if len (a.remove_passthrough) < 2: __fail("usage: --direct --remove-passthrough { ipv4 | ipv6 | eb } <args>") fw.removePassthrough(_check_ipv(a.remove_passthrough[0]), splitArgs(a.remove_passthrough[1])) elif a.query_passthrough: if len (a.query_passthrough) < 2: __fail("usage: --direct --query-passthrough { ipv4 | ipv6 | eb } <args>") __print_query_result( fw.queryPassthrough(_check_ipv(a.query_passthrough[0]), splitArgs(a.query_passthrough[1]))) elif a.get_passthroughs: rules = fw.getPassthroughs(_check_ipv(a.get_passthroughs[0])) for rule in rules: __print(joinArgs(rule)) sys.exit(0) elif a.get_all_passthroughs: for (ipv,rule) in fw.getAllPassthroughs(): __print("%s %s" % (ipv, joinArgs(rule))) sys.exit(0) elif a.add_chain: fw.addChain(_check_ipv(a.add_chain[0]), a.add_chain[1], a.add_chain[2]) elif a.remove_chain: fw.removeChain(_check_ipv(a.remove_chain[0]), a.remove_chain[1], a.remove_chain[2]) elif a.query_chain: __print_query_result(fw.queryChain(_check_ipv(a.query_chain[0]), a.query_chain[1], a.query_chain[2])) elif a.get_chains: __print_and_exit(" ".join(fw.getChains(_check_ipv(a.get_chains[0]), a.get_chains[1]))) elif a.get_all_chains: chains = fw.getAllChains() for (ipv, table, chain) in chains: __print("%s %s %s" % (ipv, table, chain)) sys.exit(0) elif a.add_rule: if len (a.add_rule) < 5: __fail("usage: --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") try: priority = int(a.add_rule[3]) except ValueError: __fail("usage: --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") fw.addRule(_check_ipv(a.add_rule[0]), a.add_rule[1], a.add_rule[2], priority, splitArgs(a.add_rule[4])) elif a.remove_rule: if len (a.remove_rule) < 5: __fail("usage: --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") try: priority = int(a.remove_rule[3]) except ValueError: __fail("usage: --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") fw.removeRule(_check_ipv(a.remove_rule[0]), a.remove_rule[1], a.remove_rule[2], priority, splitArgs(a.remove_rule[4])) elif a.remove_rules: if len (a.remove_rules) < 3: __fail("usage: --direct --remove-rules { ipv4 | ipv6 | eb } <table> <chain>") fw.removeRules(_check_ipv(a.remove_rules[0]), a.remove_rules[1], a.remove_rules[2]) elif a.query_rule: if len (a.query_rule) < 5: __fail("usage: --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") try: priority = int(a.query_rule[3]) except ValueError: __fail("usage: --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>") __print_query_result(fw.queryRule(_check_ipv(a.query_rule[0]), a.query_rule[1], a.query_rule[2], priority, splitArgs(a.query_rule[4]))) elif a.get_rules: rules = fw.getRules(_check_ipv(a.get_rules[0]), a.get_rules[1], a.get_rules[2]) for (priority, rule) in rules: __print("%d %s" % (priority, joinArgs(rule))) sys.exit(0) elif a.get_all_rules: rules = fw.getAllRules() for (ipv, table, chain, priority, rule) in rules: __print("%s %s %s %d %s" % (ipv, table, chain, priority, joinArgs(rule))) sys.exit(0) elif a.get_default_zone: __print_and_exit(fw.getDefaultZone()) elif a.set_default_zone: fw.setDefaultZone(a.set_default_zone) elif a.get_zones: __print_and_exit(" ".join(fw.getZones())) elif a.get_active_zones: zones = fw.getActiveZones() for zone in zones: __print("%s" % zone) for x in [ "interfaces", "sources" ]: if x in zones[zone]: __print(" %s: %s" % (x, " ".join(zones[zone][x]))) sys.exit(0) elif a.get_services: l = fw.listServices() __print_and_exit(" ".join(l)) elif a.get_icmptypes: l = fw.listIcmpTypes() __print_and_exit(" ".join(l)) # panic elif a.panic_on: fw.enablePanicMode() elif a.panic_off: fw.disablePanicMode() elif a.query_panic: __print_query_result(fw.queryPanicMode()) # lockdown elif a.lockdown_on: fw.config().set_property("Lockdown", "yes") # permanent fw.enableLockdown() # runtime elif a.lockdown_off: fw.config().set_property("Lockdown", "no") # permanent fw.disableLockdown() # runtime elif a.query_lockdown: __print_query_result(fw.queryLockdown()) # runtime #lockdown = fw.config().get_property("Lockdown") #__print_query_result(lockdown.lower() in [ "yes", "true" ]) # lockdown whitelist # commands elif a.list_lockdown_whitelist_commands: l = fw.getLockdownWhitelistCommands() __print_and_exit("\n".join(l)) elif a.add_lockdown_whitelist_command: fw.addLockdownWhitelistCommand(a.add_lockdown_whitelist_command) elif a.remove_lockdown_whitelist_command: fw.removeLockdownWhitelistCommand(a.remove_lockdown_whitelist_command) elif a.query_lockdown_whitelist_command: __print_query_result(fw.queryLockdownWhitelistCommand( a.query_lockdown_whitelist_command)) # contexts elif a.list_lockdown_whitelist_contexts: l = fw.getLockdownWhitelistContexts() __print_and_exit("\n".join(l)) elif a.add_lockdown_whitelist_context: fw.addLockdownWhitelistContext(a.add_lockdown_whitelist_context) elif a.remove_lockdown_whitelist_context: fw.removeLockdownWhitelistContext(a.remove_lockdown_whitelist_context) elif a.query_lockdown_whitelist_context: __print_query_result(fw.queryLockdownWhitelistContext( a.query_lockdown_whitelist_context)) # uids elif a.list_lockdown_whitelist_uids: l = fw.getLockdownWhitelistUids() __print_and_exit(" ".join(map(str, l))) elif a.add_lockdown_whitelist_uid is not None: fw.addLockdownWhitelistUid(a.add_lockdown_whitelist_uid) elif a.remove_lockdown_whitelist_uid is not None: fw.removeLockdownWhitelistUid(a.remove_lockdown_whitelist_uid) elif a.query_lockdown_whitelist_uid is not None: __print_query_result(fw.queryLockdownWhitelistUid( a.query_lockdown_whitelist_uid)) # users elif a.list_lockdown_whitelist_users: l = fw.getLockdownWhitelistUsers() __print_and_exit(" ".join(l)) elif a.add_lockdown_whitelist_user: fw.addLockdownWhitelistUser(a.add_lockdown_whitelist_user) elif a.remove_lockdown_whitelist_user: fw.removeLockdownWhitelistUser(a.remove_lockdown_whitelist_user) elif a.query_lockdown_whitelist_user: __print_query_result(fw.queryLockdownWhitelistUser( a.query_lockdown_whitelist_user)) # interface elif a.list_interfaces: l = fw.getInterfaces(zone) __print_and_exit(" ".join(l)) elif a.get_zone_of_interface: zone = fw.getZoneOfInterface(a.get_zone_of_interface) if zone: __print_and_exit(zone) else: __fail("no zone") elif a.add_interface: fw.addInterface(zone, a.add_interface) elif a.change_interface: fw.changeZoneOfInterface(zone, a.change_interface) elif a.remove_interface: fw.removeInterface(zone, a.remove_interface) elif a.query_interface: __print_query_result(fw.queryInterface(zone, a.query_interface)) # source elif a.list_sources: sources = fw.getSources(zone) __print_and_exit(" ".join(sources)) elif a.get_zone_of_source: zone = fw.getZoneOfSource(a.get_zone_of_source) if zone: __print_and_exit(zone) else: __fail("no zone") elif a.add_source: fw.addSource(zone, a.add_source) elif a.change_source: fw.changeZoneOfSource(zone, a.change_source) elif a.remove_source: fw.removeSource(zone, a.remove_source) elif a.query_source: __print_query_result(fw.querySource(zone, a.query_source)) # rich rules elif a.list_rich_rules: l = fw.getRichRules(zone) __print_and_exit("\n".join(l)) elif a.add_rich_rule: for s in a.add_rich_rule: fw.addRichRule(zone, s, a.timeout) elif a.remove_rich_rule: for s in a.remove_rich_rule: fw.removeRichRule(zone, s) elif a.query_rich_rule: __print_query_result(fw.queryRichRule(zone, a.query_rich_rule)) # service elif a.list_services: l = fw.getServices(zone) __print_and_exit(" ".join(l)) elif a.add_service: for s in a.add_service: fw.addService(zone, s, a.timeout) elif a.remove_service: for s in a.remove_service: fw.removeService(zone, s) elif a.query_service: __print_query_result(fw.queryService(zone, a.query_service)) # port elif a.list_ports: l = fw.getPorts(zone) __print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l])) elif a.add_port: for port_proto in a.add_port: (port, proto) = __parse_port(port_proto) fw.addPort(zone, port, proto, a.timeout) elif a.remove_port: for port_proto in a.remove_port: (port, proto) = __parse_port(port_proto) fw.removePort(zone, port, proto) elif a.query_port: (port, proto) = __parse_port(a.query_port) __print_query_result(fw.queryPort(zone, port, proto)) # masquerade elif a.add_masquerade: fw.addMasquerade(zone, a.timeout) elif a.remove_masquerade: fw.removeMasquerade(zone) elif a.query_masquerade: __print_query_result(fw.queryMasquerade(zone)) # forward port elif a.list_forward_ports: l = fw.getForwardPorts(zone) __print_and_exit("\n".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % (port, protocol, toport, toaddr) for (port, protocol, toport, toaddr) in l])) elif a.add_forward_port: for fp in a.add_forward_port: (port, protocol, toport, toaddr) = __parse_forward_port(fp) fw.addForwardPort(zone, port, protocol, toport, toaddr, a.timeout) elif a.remove_forward_port: for fp in a.remove_forward_port: (port, protocol, toport, toaddr) = __parse_forward_port(fp) fw.removeForwardPort(zone, port, protocol, toport, toaddr) elif a.query_forward_port: (port, protocol, toport, toaddr) = __parse_forward_port(a.query_forward_port) __print_query_result(fw.queryForwardPort(zone, port, protocol, toport, toaddr)) # block icmp elif a.list_icmp_blocks: l = fw.getIcmpBlocks(zone) __print_and_exit(" ".join(l)) elif a.add_icmp_block: for ib in a.add_icmp_block: fw.addIcmpBlock(zone, ib, a.timeout) elif a.remove_icmp_block: for ib in a.remove_icmp_block: fw.removeIcmpBlock(zone, ib) elif a.query_icmp_block: __print_query_result(fw.queryIcmpBlock(zone, a.query_icmp_block)) # list all elif a.list_all: __list_all(fw, zone if zone else fw.getDefaultZone()) sys.exit(0) # list everything elif a.list_all_zones: for zone in fw.getZones(): __list_all(fw, zone) __print("") sys.exit(0) __print_and_exit("success")
Simpan