
Member "firewalld-0.8.0/src/firewall-cmd.in" (5 Nov 2019, 118735 Bytes) of package /linux/misc/firewalld-0.8.0.tar.gz:



    1 #!@PYTHON@
    2 # -*- coding: utf-8 -*-
    3 #
    4 # Copyright (C) 2009-2016 Red Hat, Inc.
    5 #
    6 # Authors:
    7 # Thomas Woerner <twoerner@redhat.com>
    8 # Jiri Popelka <jpopelka@redhat.com>
    9 #
   10 # This program is free software; you can redistribute it and/or modify
   11 # it under the terms of the GNU General Public License as published by
   12 # the Free Software Foundation; either version 2 of the License, or
   13 # (at your option) any later version.
   14 #
   15 # This program is distributed in the hope that it will be useful,
   16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
   17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
   18 # GNU General Public License for more details.
   19 #
   20 # You should have received a copy of the GNU General Public License
   21 # along with this program.  If not, see <http://www.gnu.org/licenses/>.
   22 #
   23 
   24 from gi.repository import GObject
   25 import sys
   26 sys.modules['gobject'] = GObject
   27 
   28 import argparse
   29 import os
   30 
   31 from firewall.client import FirewallClient, FirewallClientIPSetSettings, \
   32     FirewallClientZoneSettings, FirewallClientServiceSettings, \
   33     FirewallClientIcmpTypeSettings, FirewallClientHelperSettings
   34 from firewall.errors import FirewallError
   35 from firewall import errors
   36 from firewall.functions import joinArgs, splitArgs
   37 from firewall.core.fw_nm import nm_is_imported, \
   38     nm_get_connection_of_interface, nm_get_zone_of_connection, \
   39     nm_set_zone_of_connection, nm_get_interfaces_in_zone
   40 from firewall.core.io.zone import zone_reader
   41 from firewall.core.io.service import service_reader
   42 from firewall.core.io.ipset import ipset_reader
   43 from firewall.core.io.icmptype import icmptype_reader
   44 from firewall.core.io.helper import helper_reader
   45 from firewall.command import FirewallCommand
   46 
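def __usage():
    """Write the firewall-cmd option summary to standard output.

    The text is a static literal and is not generated from the argparse
    definitions in this file, so the two have to be kept in sync by hand.
    The markers used in the text are explained by the text itself:
    [P] options accept --permanent, [Z] options accept --zone and
    [T] options accept --timeout.
    """
    # NOTE(review): -v/--verbose and --get/--set-automatic-helpers are
    # registered on the parser in this file but are not listed below;
    # confirm whether that omission is intentional.
    sys.stdout.write("""
Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help           Prints a short help text and exits
  -V, --version        Print the version string of firewalld
  -q, --quiet          Do not print status messages

Status Options
  --state              Return and print firewalld state
  --reload             Reload firewall and keep state information
  --complete-reload    Reload firewall and lose state information
  --runtime-to-permanent
                       Create permanent from runtime configuration
  --check-config       Check permanent configuration for errors

Log Denied Options
  --get-log-denied     Print the log denied value
  --set-log-denied=<value>
                       Set log denied value

Permanent Options
  --permanent          Set an option permanently
                       Usable for options marked with [P]

Zone Options
  --get-default-zone   Print default zone for connections and interfaces
  --set-default-zone=<zone>
                       Set default zone
  --get-active-zones   Print currently active zones
  --get-zones          Print predefined zones [P]
  --get-services       Print predefined services [P]
  --get-icmptypes      Print predefined icmptypes [P]
  --get-zone-of-interface=<interface>
                       Print name of the zone the interface is bound to [P]
  --get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Print name of the zone the source is bound to [P]
  --list-all-zones     List everything added for or enabled in all zones [P]
  --new-zone=<zone>    Add a new zone [P only]
  --new-zone-from-file=<filename> [--name=<zone>]
                       Add a new zone from file with optional name [P only]
  --delete-zone=<zone> Delete an existing zone [P only]
  --load-zone-defaults=<zone>
                       Load zone default settings [P only] [Z]
  --zone=<zone>        Use this zone to set or query options, else default zone
                       Usable for options marked with [Z]
  --get-target         Get the zone target [P only] [Z]
  --set-target=<target>
                       Set the zone target [P only] [Z]
  --info-zone=<zone>   Print information about a zone
  --path-zone=<zone>   Print file path of a zone [P only]

IPSet Options
  --get-ipset-types    Print the supported ipset types
  --new-ipset=<ipset> --type=<ipset type> [--option=<key>[=<value>]]..
                       Add a new ipset [P only]
  --new-ipset-from-file=<filename> [--name=<ipset>]
                       Add a new ipset from file with optional name [P only]
  --delete-ipset=<ipset>
                       Delete an existing ipset [P only]
  --load-ipset-defaults=<ipset>
                       Load ipset default settings [P only]
  --info-ipset=<ipset> Print information about an ipset
  --path-ipset=<ipset> Print file path of an ipset [P only]
  --get-ipsets         Print predefined ipsets
  --ipset=<ipset> --set-description=<description>
                       Set new description to ipset [P only]
  --ipset=<ipset> --get-description
                       Print description for ipset [P only]
  --ipset=<ipset> --set-short=<description>
                       Set new short description to ipset [P only]
  --ipset=<ipset> --get-short
                       Print short description for ipset [P only]
  --ipset=<ipset> --add-entry=<entry>
                       Add a new entry to an ipset [P]
  --ipset=<ipset> --remove-entry=<entry>
                       Remove an entry from an ipset [P]
  --ipset=<ipset> --query-entry=<entry>
                       Return whether ipset has an entry [P]
  --ipset=<ipset> --get-entries
                       List entries of an ipset [P]
  --ipset=<ipset> --add-entries-from-file=<filename>
                       Add new entries to an ipset [P]
  --ipset=<ipset> --remove-entries-from-file=<filename>
                       Remove entries from an ipset [P]

IcmpType Options
  --new-icmptype=<icmptype>
                       Add a new icmptype [P only]
  --new-icmptype-from-file=<filename> [--name=<icmptype>]
                       Add a new icmptype from file with optional name [P only]
  --delete-icmptype=<icmptype>
                       Delete an existing icmptype [P only]
  --load-icmptype-defaults=<icmptype>
                       Load icmptype default settings [P only]
  --info-icmptype=<icmptype>
                       Print information about an icmptype
  --path-icmptype=<icmptype>
                       Print file path of an icmptype [P only]
  --icmptype=<icmptype> --set-description=<description>
                       Set new description to icmptype [P only]
  --icmptype=<icmptype> --get-description
                       Print description for icmptype [P only]
  --icmptype=<icmptype> --set-short=<description>
                       Set new short description to icmptype [P only]
  --icmptype=<icmptype> --get-short
                       Print short description for icmptype [P only]
  --icmptype=<icmptype> --add-destination=<ipv>
                       Enable destination for ipv in icmptype [P only]
  --icmptype=<icmptype> --remove-destination=<ipv>
                       Disable destination for ipv in icmptype [P only]
  --icmptype=<icmptype> --query-destination=<ipv>
                       Return whether destination ipv is enabled in icmptype [P only]
  --icmptype=<icmptype> --get-destinations
                       List destinations in icmptype [P only]

Service Options
  --new-service=<service>
                       Add a new service [P only]
  --new-service-from-file=<filename> [--name=<service>]
                       Add a new service from file with optional name [P only]
  --delete-service=<service>
                       Delete an existing service [P only]
  --load-service-defaults=<service>
                       Load service default settings [P only]
  --info-service=<service>
                       Print information about a service
  --path-service=<service>
                       Print file path of a service [P only]
  --service=<service> --set-description=<description>
                       Set new description to service [P only]
  --service=<service> --get-description
                       Print description for service [P only]
  --service=<service> --set-short=<description>
                       Set new short description to service [P only]
  --service=<service> --get-short
                       Print short description for service [P only]
  --service=<service> --add-port=<portid>[-<portid>]/<protocol>
                       Add a new port to service [P only]
  --service=<service> --remove-port=<portid>[-<portid>]/<protocol>
                       Remove a port from service [P only]
  --service=<service> --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for service [P only]
  --service=<service> --get-ports
                       List ports of service [P only]
  --service=<service> --add-protocol=<protocol>
                       Add a new protocol to service [P only]
  --service=<service> --remove-protocol=<protocol>
                       Remove a protocol from service [P only]
  --service=<service> --query-protocol=<protocol>
                       Return whether the protocol has been added for service [P only]
  --service=<service> --get-protocols
                       List protocols of service [P only]
  --service=<service> --add-source-port=<portid>[-<portid>]/<protocol>
                       Add a new source port to service [P only]
  --service=<service> --remove-source-port=<portid>[-<portid>]/<protocol>
                       Remove a source port from service [P only]
  --service=<service> --query-source-port=<portid>[-<portid>]/<protocol>
                       Return whether the source port has been added for service [P only]
  --service=<service> --get-source-ports
                       List source ports of service [P only]
  --service=<service> --add-helper=<helper>
                       Add a new helper to service [P only]
  --service=<service> --remove-helper=<helper>
                       Remove a helper from service [P only]
  --service=<service> --query-helper=<helper>
                       Return whether the helper has been added for service [P only]
  --service=<service> --get-service-helpers
                       List helpers of service [P only]
  --service=<service> --set-destination=<ipv>:<address>[/<mask>]
                       Set destination for ipv to address in service [P only]
  --service=<service> --remove-destination=<ipv>
                       Disable destination for ipv in service [P only]
  --service=<service> --query-destination=<ipv>:<address>[/<mask>]
                       Return whether destination ipv is set for service [P only]
  --service=<service> --get-destinations
                       List destinations in service [P only]
  --service=<service> --add-include=<service>
                       Add a new include to service [P only]
  --service=<service> --remove-include=<service>
                       Remove an include from service [P only]
  --service=<service> --query-include=<service>
                       Return whether the include has been added for service [P only]
  --service=<service> --get-includes
                       List includes of service [P only]

Options to Adapt and Query Zones
  --list-all           List everything added for or enabled in a zone [P] [Z]
  --list-services      List services added for a zone [P] [Z]
  --timeout=<timeval>  Enable an option for timeval time, where timeval is
                       a number followed by one of letters 's' or 'm' or 'h'
                       Usable for options marked with [T]
  --set-description=<description>
                       Set new description to zone [P only] [Z]
  --get-description    Print description for zone [P only] [Z]
  --set-short=<description>
                       Set new short description to zone [P only] [Z]
  --get-short          Print short description for zone [P only] [Z]
  --add-service=<service>
                       Add a service for a zone [P] [Z] [T]
  --remove-service=<service>
                       Remove a service from a zone [P] [Z]
  --query-service=<service>
                       Return whether service has been added for a zone [P] [Z]
  --list-ports         List ports added for a zone [P] [Z]
  --add-port=<portid>[-<portid>]/<protocol>
                       Add the port for a zone [P] [Z] [T]
  --remove-port=<portid>[-<portid>]/<protocol>
                       Remove the port from a zone [P] [Z]
  --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for zone [P] [Z]
  --list-protocols     List protocols added for a zone [P] [Z]
  --add-protocol=<protocol>
                       Add the protocol for a zone [P] [Z] [T]
  --remove-protocol=<protocol>
                       Remove the protocol from a zone [P] [Z]
  --query-protocol=<protocol>
                       Return whether the protocol has been added for zone [P] [Z]
  --list-source-ports  List source ports added for a zone [P] [Z]
  --add-source-port=<portid>[-<portid>]/<protocol>
                       Add the source port for a zone [P] [Z] [T]
  --remove-source-port=<portid>[-<portid>]/<protocol>
                       Remove the source port from a zone [P] [Z]
  --query-source-port=<portid>[-<portid>]/<protocol>
                       Return whether the source port has been added for zone [P] [Z]
  --list-icmp-blocks   List Internet ICMP type blocks added for a zone [P] [Z]
  --add-icmp-block=<icmptype>
                       Add an ICMP block for a zone [P] [Z] [T]
  --remove-icmp-block=<icmptype>
                       Remove the ICMP block from a zone [P] [Z]
  --query-icmp-block=<icmptype>
                       Return whether an ICMP block has been added for a zone
                       [P] [Z]
  --add-icmp-block-inversion
                       Enable inversion of icmp blocks for a zone [P] [Z]
  --remove-icmp-block-inversion
                       Disable inversion of icmp blocks for a zone [P] [Z]
  --query-icmp-block-inversion
                       Return whether inversion of icmp blocks has been enabled
                       for a zone [P] [Z]
  --list-forward-ports List IPv4 forward ports added for a zone [P] [Z]
  --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Add the IPv4 forward port for a zone [P] [Z] [T]
  --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Remove the IPv4 forward port from a zone [P] [Z]
  --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Return whether the IPv4 forward port has been added for
                       a zone [P] [Z]
  --add-masquerade     Enable IPv4 masquerade for a zone [P] [Z] [T]
  --remove-masquerade  Disable IPv4 masquerade for a zone [P] [Z]
  --query-masquerade   Return whether IPv4 masquerading has been enabled for a
                       zone [P] [Z]
  --list-rich-rules    List rich language rules added for a zone [P] [Z]
  --add-rich-rule=<rule>
                       Add rich language rule 'rule' for a zone [P] [Z] [T]
  --remove-rich-rule=<rule>
                       Remove rich language rule 'rule' from a zone [P] [Z]
  --query-rich-rule=<rule>
                       Return whether a rich language rule 'rule' has been
                       added for a zone [P] [Z]

Options to Handle Bindings of Interfaces
  --list-interfaces    List interfaces that are bound to a zone [P] [Z]
  --add-interface=<interface>
                       Bind the <interface> to a zone [P] [Z]
  --change-interface=<interface>
                       Change zone the <interface> is bound to [P] [Z]
  --query-interface=<interface>
                       Query whether <interface> is bound to a zone [P] [Z]
  --remove-interface=<interface>
                       Remove binding of <interface> from a zone [P] [Z]

Options to Handle Bindings of Sources
  --list-sources       List sources that are bound to a zone [P] [Z]
  --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Bind the source to a zone [P] [Z]
  --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Change zone the source is bound to [Z]
  --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Query whether the source is bound to a zone [P] [Z]
  --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Remove binding of the source from a zone [P] [Z]

Helper Options
  --new-helper=<helper> --module=<module> [--family=<family>]
                       Add a new helper [P only]
  --new-helper-from-file=<filename> [--name=<helper>]
                       Add a new helper from file with optional name [P only]
  --delete-helper=<helper>
                       Delete an existing helper [P only]
  --load-helper-defaults=<helper>
                       Load helper default settings [P only]
  --info-helper=<helper> Print information about a helper
  --path-helper=<helper> Print file path of a helper [P only]
  --get-helpers         Print predefined helpers
  --helper=<helper> --set-description=<description>
                       Set new description to helper [P only]
  --helper=<helper> --get-description
                       Print description for helper [P only]
  --helper=<helper> --set-short=<description>
                       Set new short description to helper [P only]
  --helper=<helper> --get-short
                       Print short description for helper [P only]
  --helper=<helper> --add-port=<portid>[-<portid>]/<protocol>
                       Add a new port to helper [P only]
  --helper=<helper> --remove-port=<portid>[-<portid>]/<protocol>
                       Remove a port from helper [P only]
  --helper=<helper> --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for helper [P only]
  --helper=<helper> --get-ports
                       List ports of helper [P only]
  --helper=<helper> --set-module=<module>
                       Set module to helper [P only]
  --helper=<helper> --get-module
                       Get module from helper [P only]
  --helper=<helper> --set-family={ipv4|ipv6|}
                       Set family for helper [P only]
  --helper=<helper> --get-family
                       Get family from helper [P only]

Direct Options
  --direct             First option for all direct options
  --get-all-chains
                       Get all chains [P]
  --get-chains {ipv4|ipv6|eb} <table>
                       Get all chains added to the table [P]
  --add-chain {ipv4|ipv6|eb} <table> <chain>
                       Add a new chain to the table [P]
  --remove-chain {ipv4|ipv6|eb} <table> <chain>
                       Remove the chain from the table [P]
  --query-chain {ipv4|ipv6|eb} <table> <chain>
                       Return whether the chain has been added to the table [P]
  --get-all-rules
                       Get all rules [P]
  --get-rules {ipv4|ipv6|eb} <table> <chain>
                       Get all rules added to chain in table [P]
  --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Add rule to chain in table [P]
  --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Remove rule with priority from chain in table [P]
  --remove-rules {ipv4|ipv6|eb} <table> <chain>
                       Remove rules from chain in table [P]
  --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Return whether a rule with priority has been added to
                       chain in table [P]
  --passthrough {ipv4|ipv6|eb} <arg>...
                       Pass a command through (untracked by firewalld)
  --get-all-passthroughs
                       Get all tracked passthrough rules [P]
  --get-passthroughs {ipv4|ipv6|eb} <arg>...
                       Get tracked passthrough rules [P]
  --add-passthrough {ipv4|ipv6|eb} <arg>...
                       Add a new tracked passthrough rule [P]
  --remove-passthrough {ipv4|ipv6|eb} <arg>...
                       Remove a tracked passthrough rule [P]
  --query-passthrough {ipv4|ipv6|eb} <arg>...
                       Return whether the tracked passthrough rule has been
                       added [P]

Lockdown Options
  --lockdown-on        Enable lockdown.
  --lockdown-off       Disable lockdown.
  --query-lockdown     Query whether lockdown is enabled

Lockdown Whitelist Options
  --list-lockdown-whitelist-commands
                       List all command lines that are on the whitelist [P]
  --add-lockdown-whitelist-command=<command>
                       Add the command to the whitelist [P]
  --remove-lockdown-whitelist-command=<command>
                       Remove the command from the whitelist [P]
  --query-lockdown-whitelist-command=<command>
                       Query whether the command is on the whitelist [P]
  --list-lockdown-whitelist-contexts
                       List all contexts that are on the whitelist [P]
  --add-lockdown-whitelist-context=<context>
                       Add the context context to the whitelist [P]
  --remove-lockdown-whitelist-context=<context>
                       Remove the context from the whitelist [P]
  --query-lockdown-whitelist-context=<context>
                       Query whether the context is on the whitelist [P]
  --list-lockdown-whitelist-uids
                       List all user ids that are on the whitelist [P]
  --add-lockdown-whitelist-uid=<uid>
                       Add the user id uid to the whitelist [P]
  --remove-lockdown-whitelist-uid=<uid>
                       Remove the user id uid from the whitelist [P]
  --query-lockdown-whitelist-uid=<uid>
                       Query whether the user id uid is on the whitelist [P]
  --list-lockdown-whitelist-users
                       List all user names that are on the whitelist [P]
  --add-lockdown-whitelist-user=<user>
                       Add the user name user to the whitelist [P]
  --remove-lockdown-whitelist-user=<user>
                       Remove the user name user from the whitelist [P]
  --query-lockdown-whitelist-user=<user>
                       Query whether the user name user is on the whitelist [P]

Panic Options
  --panic-on           Enable panic mode
  --panic-off          Disable panic mode
  --query-panic        Query whether panic mode is enabled

""")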
  452 
def try_set_zone_of_interface(_zone, interface):
    """Set the zone of *interface* through NetworkManager when NM manages it.

    Returns True when NetworkManager reported a connection for the
    interface and the zone was written to that connection, False when the
    NetworkManager bindings are not imported, the connection lookup raised,
    or no connection was found.  An empty *_zone* is reported to the user as
    the default zone.
    """
    if not nm_is_imported():
        return False

    try:
        nm_connection = nm_get_connection_of_interface(interface)
    except Exception:
        # Best effort: any failure of the lookup is treated the same as
        # "NetworkManager does not manage this interface".
        return False

    if nm_connection is None:
        return False

    # Warn when the connection already carries the requested zone.  The zone
    # is still written below in that case.
    if _zone == nm_get_zone_of_connection(nm_connection):
        cmd.print_warning(
            "The interface is under control of NetworkManager and already bound to the default zone"
            if _zone == "" else
            "The interface is under control of NetworkManager and already bound to '%s'" % _zone)

    cmd.print_msg(
        "The interface is under control of NetworkManager, setting zone to default."
        if _zone == "" else
        "The interface is under control of NetworkManager, setting zone to '%s'." % _zone)

    # Errors from the zone query above and from this call are not caught
    # here and propagate to the caller.
    nm_set_zone_of_connection(_zone, nm_connection)
    return True
  473 
def try_get_zone_of_interface(interface):
    """Return the zone NetworkManager has stored for *interface*.

    Returns False when the NetworkManager bindings are not imported, the
    connection lookup raised, or no connection was found.
    """
    # NOTE(review): try_set_zone_of_interface treats "" as the default zone,
    # so a "" result here is presumably a valid answer; callers should test
    # for `is False` rather than truthiness -- confirm against the callers.
    if not nm_is_imported():
        return False

    try:
        nm_connection = nm_get_connection_of_interface(interface)
    except Exception:
        # Best effort: a failed lookup means "not answered by NetworkManager".
        return False

    if nm_connection is None:
        return False

    # Errors raised by the zone query itself are not caught here.
    return nm_get_zone_of_connection(nm_connection)
  484 
def try_nm_get_interfaces_in_zone(zone):
    """Return the interfaces NetworkManager reports for *zone*.

    Returns an empty list when the NetworkManager bindings are not imported
    or when the query raises.
    """
    if not nm_is_imported():
        return []

    try:
        interfaces = nm_get_interfaces_in_zone(zone)
    except Exception:
        # Best effort: a failed query is reported as "no interfaces", so the
        # caller cannot tell an error apart from an empty zone.
        interfaces = []
    return interfaces
  492 
  493 parser = argparse.ArgumentParser(usage="see firewall-cmd man page",
  494                                  add_help=False)
  495 
  496 parser_group_output = parser.add_mutually_exclusive_group()
  497 parser_group_output.add_argument("-v", "--verbose", action="store_true")
  498 parser_group_output.add_argument("-q", "--quiet", action="store_true")
  499 
  500 parser_group_standalone = parser.add_mutually_exclusive_group()
  501 parser_group_standalone.add_argument("-h", "--help",
  502                                      action="store_true")
  503 parser_group_standalone.add_argument("-V", "--version", action="store_true")
  504 parser_group_standalone.add_argument("--state", action="store_true")
  505 parser_group_standalone.add_argument("--reload", action="store_true")
  506 parser_group_standalone.add_argument("--complete-reload", action="store_true")
  507 parser_group_standalone.add_argument("--runtime-to-permanent",
  508                                      action="store_true")
  509 parser_group_standalone.add_argument("--check-config", action="store_true")
  510 parser_group_standalone.add_argument("--get-ipset-types", action="store_true")
  511 parser_group_standalone.add_argument("--get-log-denied", action="store_true")
  512 parser_group_standalone.add_argument("--set-log-denied", metavar="<value>")
  513 parser_group_standalone.add_argument("--get-automatic-helpers", action="store_true")
  514 parser_group_standalone.add_argument("--set-automatic-helpers", metavar="<value>")
  515 parser_group_standalone.add_argument("--panic-on", action="store_true")
  516 parser_group_standalone.add_argument("--panic-off", action="store_true")
  517 parser_group_standalone.add_argument("--query-panic", action="store_true")
  518 parser_group_standalone.add_argument("--lockdown-on", action="store_true")
  519 parser_group_standalone.add_argument("--lockdown-off", action="store_true")
  520 parser_group_standalone.add_argument("--query-lockdown", action="store_true")
  521 
  522 parser_group_standalone.add_argument("--get-default-zone", action="store_true")
  523 parser_group_standalone.add_argument("--set-default-zone", metavar="<zone>")
  524 parser_group_standalone.add_argument("--get-zones", action="store_true")
  525 parser_group_standalone.add_argument("--get-services", action="store_true")
  526 parser_group_standalone.add_argument("--get-icmptypes", action="store_true")
  527 parser_group_standalone.add_argument("--get-active-zones", action="store_true")
  528 parser_group_standalone.add_argument("--get-zone-of-interface", metavar="<iface>", action='append')
  529 parser_group_standalone.add_argument("--get-zone-of-source", metavar="<source>", action='append')
  530 parser_group_standalone.add_argument("--list-all-zones", action="store_true")
  531 
  532 parser_group_standalone.add_argument("--info-zone", metavar="<zone>")
  533 parser_group_standalone.add_argument("--info-service", metavar="<service>")
  534 parser_group_standalone.add_argument("--info-icmptype", metavar="<icmptype>")
  535 parser_group_standalone.add_argument("--info-ipset", metavar="<ipset>")
  536 parser_group_standalone.add_argument("--info-helper", metavar="<helper>")
  537 
# Options that create, delete, reset or locate a configuration object.
# They share one mutually exclusive group, so argparse accepts at most one
# of them per invocation. Further down the script they are folded into
# options_permanent_only, which is rejected unless --permanent is given.
parser_group_config = parser.add_mutually_exclusive_group()

# Same four operations for every object kind; the order of the kinds is the
# order in which the options are registered.
for _kind in ("icmptype", "service", "zone", "ipset", "helper"):
    _placeholder = "<%s>" % _kind
    parser_group_config.add_argument("--new-%s" % _kind,
                                     metavar=_placeholder)
    parser_group_config.add_argument("--new-%s-from-file" % _kind,
                                     metavar="<filename>")
    parser_group_config.add_argument("--delete-%s" % _kind,
                                     metavar=_placeholder)
    parser_group_config.add_argument("--load-%s-defaults" % _kind,
                                     metavar=_placeholder)

# --path-<kind> takes the name of an existing object of that kind.
for _kind in ("zone", "service", "icmptype", "ipset", "helper"):
    parser_group_config.add_argument("--path-%s" % _kind,
                                     metavar="<%s>" % _kind)
  566 
# --name is only accepted together with one of the --new-*-from-file options
# (checked after parsing); it defaults to the empty string.
parser.add_argument("--name", default="", metavar="<name>")

# Lockdown whitelist management. One mutually exclusive group covers all four
# entry kinds, so a single invocation can touch only one kind with one verb.
# The add/remove/query options use action='append' and may be repeated.
parser_group_lockdown_whitelist = parser.add_mutually_exclusive_group()
for _entry, _plural, _extra in (
        ("command", "commands", {}),
        ("context", "contexts", {}),
        ("uid", "uids", {"type": int}),  # uids are converted to int by argparse
        ("user", "users", {}),
):
    parser_group_lockdown_whitelist.add_argument(
        "--list-lockdown-whitelist-%s" % _plural, action="store_true")
    for _verb in ("add", "remove", "query"):
        parser_group_lockdown_whitelist.add_argument(
            "--%s-lockdown-whitelist-%s" % (_verb, _entry),
            metavar="<%s>" % _entry, action='append', **_extra)
  589 
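# Modifiers shared by the zone options below.
# --timeout is kept as a string here ("0" means "no timeout"); it is validated
# and converted to seconds after parsing.
parser.add_argument("--permanent", action="store_true")
parser.add_argument("--zone", default="", metavar="<zone>")
parser.add_argument("--timeout", default="0", metavar="<seconds>")

# Per-zone operations. The group is mutually exclusive, so only one kind of
# operation can be requested per invocation; options registered with
# action='append' may be repeated to pass several values of that kind.
parser_group_zone = parser.add_mutually_exclusive_group()
parser_group_zone.add_argument("--add-interface", metavar="<iface>", action='append')
parser_group_zone.add_argument("--remove-interface", metavar="<iface>", action='append')
parser_group_zone.add_argument("--query-interface", metavar="<iface>", action='append')
# --change-zone is an alias; both spellings store into change_interface.
parser_group_zone.add_argument("--change-interface", "--change-zone", metavar="<iface>", action='append')
parser_group_zone.add_argument("--list-interfaces", action="store_true")
parser_group_zone.add_argument("--add-source", metavar="<source>", action='append')
parser_group_zone.add_argument("--remove-source", metavar="<source>", action='append')
parser_group_zone.add_argument("--query-source", metavar="<source>", action='append')
parser_group_zone.add_argument("--change-source", metavar="<source>", action='append')
parser_group_zone.add_argument("--list-sources", action="store_true")
parser_group_zone.add_argument("--add-rich-rule", metavar="<rule>", action='append')
parser_group_zone.add_argument("--remove-rich-rule", metavar="<rule>", action='append')
parser_group_zone.add_argument("--query-rich-rule", metavar="<rule>", action='append')
parser_group_zone.add_argument("--add-service", metavar="<service>", action='append')
# The placeholder for the next two options used to read "<zone>"; they take a
# service name, exactly like --add-service. Only generated help text changes.
parser_group_zone.add_argument("--remove-service", metavar="<service>", action='append')
parser_group_zone.add_argument("--query-service", metavar="<service>", action='append')
parser_group_zone.add_argument("--add-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--remove-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--query-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--add-protocol", metavar="<protocol>", action='append')
parser_group_zone.add_argument("--remove-protocol", metavar="<protocol>", action='append')
parser_group_zone.add_argument("--query-protocol", metavar="<protocol>", action='append')
parser_group_zone.add_argument("--add-source-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--remove-source-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--query-source-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--add-masquerade", action="store_true")
parser_group_zone.add_argument("--remove-masquerade", action="store_true")
parser_group_zone.add_argument("--query-masquerade", action="store_true")
parser_group_zone.add_argument("--add-icmp-block", metavar="<icmptype>", action='append')
parser_group_zone.add_argument("--remove-icmp-block", metavar="<icmptype>", action='append')
parser_group_zone.add_argument("--query-icmp-block", metavar="<icmptype>", action='append')
parser_group_zone.add_argument("--add-icmp-block-inversion", action="store_true")
parser_group_zone.add_argument("--remove-icmp-block-inversion", action="store_true")
parser_group_zone.add_argument("--query-icmp-block-inversion", action="store_true")
parser_group_zone.add_argument("--add-forward-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--remove-forward-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--query-forward-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--list-rich-rules", action="store_true")
parser_group_zone.add_argument("--list-services", action="store_true")
parser_group_zone.add_argument("--list-ports", action="store_true")
parser_group_zone.add_argument("--list-protocols", action="store_true")
parser_group_zone.add_argument("--list-icmp-blocks", action="store_true")
parser_group_zone.add_argument("--list-forward-ports", action="store_true")
parser_group_zone.add_argument("--list-source-ports", action="store_true")
parser_group_zone.add_argument("--list-all", action="store_true")
# --get-target / --set-target are later required to be used with --permanent.
parser_group_zone.add_argument("--get-target", action="store_true")
parser_group_zone.add_argument("--set-target", metavar="<target>")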
  642 
# ipset selectors and creation parameters: --ipset names the set to work on,
# --type and --option (repeatable) are read when a new set is created.
parser.add_argument("--option", action='append', metavar="<key>[=<value>]")
parser.add_argument("--type", metavar="<ipsettype>")
parser.add_argument("--ipset", metavar="<ipset>")

# ipset operations; mutually exclusive with each other.
parser_ipset = parser.add_mutually_exclusive_group()
# Option editing on an existing set is not exposed; kept for reference:
#parser_ipset.add_argument("--add-option", metavar="<key>[=<value>]")
#parser_ipset.add_argument("--remove-option", metavar="<key>[=<value>]")
#parser_ipset.add_argument("--query-option", metavar="<key>[=<value>]")
#parser_ipset.add_argument("--get-options", action="store_true")

parser_ipset.add_argument("--get-ipsets", action="store_true")
for _verb in ("add", "remove", "query"):
    parser_ipset.add_argument("--%s-entry" % _verb,
                              metavar="<entry>", action='append')
parser_ipset.add_argument("--get-entries", action="store_true")
# Bulk variants take file names; each may be given several times.
for _verb in ("add", "remove"):
    parser_ipset.add_argument("--%s-entries-from-file" % _verb,
                              metavar="<filename>", action='append')
  660 
# --icmptype selects the ICMP type the destination options below apply to.
parser.add_argument("--icmptype", metavar="<icmptype>")

# Destination handling for the selected ICMP type (mutually exclusive).
parser_icmptype = parser.add_mutually_exclusive_group()
for _verb in ("add", "remove", "query"):
    parser_icmptype.add_argument("--%s-destination" % _verb,
                                 metavar="<ipv>", action='append')
parser_icmptype.add_argument("--get-destinations", action="store_true")
  668 
# --service selects the service definition the options below apply to.
parser.add_argument("--service", metavar="<service>")

# Service-definition operations (mutually exclusive with each other).
parser_service = parser.add_mutually_exclusive_group()
for _getter in ("--get-ports", "--get-source-ports", "--get-protocols"):
    parser_service.add_argument(_getter, action="store_true")

# add/remove/query triples, each followed by its list option.
for _item, _meta, _getter in (
        ("module", "<module>", "--get-modules"),
        ("helper", "<helper>", "--get-service-helpers"),
        ("include", "<service>", "--get-includes"),
):
    for _verb in ("add", "remove", "query"):
        parser_service.add_argument("--%s-%s" % (_verb, _item),
                                    metavar=_meta, action='append')
    parser_service.add_argument(_getter, action="store_true")

parser_service.add_argument("--set-destination", metavar="<destination>",
                            action='append')
parser_service.add_argument("--get-destination", action="store_true")

# Both text fields use the "<description>" placeholder.
for _field in ("description", "short"):
    parser_service.add_argument("--set-%s" % _field, metavar="<description>")
    parser_service.add_argument("--get-%s" % _field, action="store_true")
  699 
# Plain selectors/parameters: --helper, --family and --module each take one
# value named after the option.
for _name in ("helper", "family", "module"):
    parser.add_argument("--%s" % _name, metavar="<%s>" % _name)

# Helper operations (mutually exclusive with each other).
parser_helper = parser.add_mutually_exclusive_group()
#parser_helper.add_argument("--get-ports", action="store_true")
parser_helper.add_argument("--get-helpers", action="store_true")
parser_helper.add_argument("--set-module", metavar="<module>")
parser_helper.add_argument("--get-module", action="store_true")
#parser_helper.add_argument("--query-module", metavar="<module>")
# nargs="*": --set-family may be given with no value at all.
parser_helper.add_argument("--set-family", nargs="*", metavar="<family>|''")
parser_helper.add_argument("--get-family", action="store_true")
  712 
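# --direct must accompany every option of the group below (and vice versa);
# that pairing is enforced after parsing.
parser.add_argument("--direct", action="store_true")

# not possible to have sequences of options here
#
# Options declared with nargs=argparse.REMAINDER capture everything that
# follows them on the command line as-is: the trailing <args> are not
# interpreted by this parser.
parser_direct = parser.add_mutually_exclusive_group()
parser_direct.add_argument("--passthrough", nargs=argparse.REMAINDER,
                           metavar=("{ ipv4 | ipv6 | eb }", "<args>"))
parser_direct.add_argument("--add-passthrough", nargs=argparse.REMAINDER,
                           metavar=("{ ipv4 | ipv6 | eb }", "<args>"))
parser_direct.add_argument("--remove-passthrough", nargs=argparse.REMAINDER,
                           metavar=("{ ipv4 | ipv6 | eb }", "<args>"))
parser_direct.add_argument("--query-passthrough", nargs=argparse.REMAINDER,
                           metavar=("{ ipv4 | ipv6 | eb }", "<args>"))
parser_direct.add_argument("--get-passthroughs", nargs=1,
                           metavar=("{ ipv4 | ipv6 | eb }"))
parser_direct.add_argument("--get-all-passthroughs", action="store_true")
parser_direct.add_argument("--add-chain", nargs=3,
                           metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>"))
parser_direct.add_argument("--remove-chain", nargs=3,
                           metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>"))
parser_direct.add_argument("--query-chain", nargs=3,
                           metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>"))
parser_direct.add_argument("--get-all-chains", action="store_true")
parser_direct.add_argument("--get-chains", nargs=2,
                           metavar=("{ ipv4 | ipv6 | eb }", "<table>"))
parser_direct.add_argument("--add-rule", nargs=argparse.REMAINDER,
                           metavar=("{ ipv4 | ipv6 | eb }", "<table> <chain> <priority> <args>"))
parser_direct.add_argument("--remove-rule", nargs=argparse.REMAINDER,
                           metavar=("{ ipv4 | ipv6 | eb }", "<table> <chain> <priority> <args>"))
# nargs=3 needs one metavar entry per consumed argument; the former two-entry
# tuple ("<table> <chain>" as a single entry) could not be rendered by
# argparse's help formatter. Now spelled like --get-rules; parsing is unchanged.
parser_direct.add_argument("--remove-rules", nargs=3,
                           metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>"))
parser_direct.add_argument("--query-rule", nargs=argparse.REMAINDER,
                           metavar=("{ ipv4 | ipv6 | eb }", "<table> <chain> <priority> <args>"))
parser_direct.add_argument("--get-rules", nargs=3,
                           metavar=("{ ipv4 | ipv6 | eb }", "<table>", "<chain>"))
parser_direct.add_argument("--get-all-rules", action="store_true")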
  748 
  749 ##############################################################################
  750 
# Command-line words without the program name.
args = sys.argv[1:]

# Direct options whose tail is handed on verbatim, in lookup priority order.
# The number is how many words after the flag still belong to firewall-cmd
# (1: the family; 4: family, table, chain and priority); everything after
# that is the raw <args> tail.
_RAW_TAIL_FLAGS = (
    ('--passthrough', 1),
    ('--add-passthrough', 1),
    ('--remove-passthrough', 1),
    ('--query-passthrough', 1),
    ('--add-rule', 4),
    ('--remove-rule', 4),
    ('--query-rule', 4),
)

if len(sys.argv) > 1:
    i = -1
    for _flag, _own_words in _RAW_TAIL_FLAGS:
        if _flag in args:
            # first occurrence of the first flag found decides the split point
            i = args.index(_flag) + _own_words
            break
    # join <args> into one argument to prevent parser from parsing each iptables
    # option, because they can conflict with firewall-cmd options
    # # e.g. --delete (iptables) and --delete-* (firewall-cmd)
    if -1 < i < len(args) - 1:
        aux_args = args[:]
        args = aux_args[:i + 1]  # all but not <args>
        args.append(joinArgs(aux_args[i + 1:]))  # add <args> as one arg

a = parser.parse_args(args)
  778 
# The options_* names below classify what was requested. Each one is the
# result of an `or` chain, i.e. the first truthy operand (or the last operand
# when none is truthy), so treat them as truthiness flags, not strict bools.

# Options that must be used alone; combining them with zone, permanent,
# direct or ipset options is rejected in the checks that follow.
options_standalone = a.help or a.version or \
    a.state or a.reload or a.complete_reload or a.runtime_to_permanent or \
    a.panic_on or a.panic_off or a.query_panic or \
    a.lockdown_on or a.lockdown_off or a.query_lockdown or \
    a.get_default_zone or a.set_default_zone or \
    a.get_active_zones or a.get_ipset_types or \
    a.get_log_denied or a.set_log_denied or \
    a.get_automatic_helpers or a.set_automatic_helpers or a.check_config

# Description / short-text getters and setters; these are shared by several
# object kinds, which is why this flag is OR-ed into many groups below.
options_desc_xml_file = a.set_description or a.get_description or \
                        a.set_short or a.get_short

# Any lockdown whitelist operation.
# NOTE(review): the uid options are tested with `is not None` while the other
# append-style options are truth-tested; confirm whether the difference is
# still needed.
options_lockdown_whitelist = \
    a.list_lockdown_whitelist_commands or a.add_lockdown_whitelist_command or \
    a.remove_lockdown_whitelist_command or \
    a.query_lockdown_whitelist_command or \
    a.list_lockdown_whitelist_contexts or a.add_lockdown_whitelist_context or \
    a.remove_lockdown_whitelist_context or \
    a.query_lockdown_whitelist_context or \
    a.list_lockdown_whitelist_uids or a.add_lockdown_whitelist_uid is not None or \
    a.remove_lockdown_whitelist_uid is not None or \
    a.query_lockdown_whitelist_uid is not None or \
    a.list_lockdown_whitelist_users or a.add_lockdown_whitelist_user or \
    a.remove_lockdown_whitelist_user or \
    a.query_lockdown_whitelist_user

# Listing/lookup options plus the lockdown whitelist operations; these may
# not be combined with zone options (checked further down).
options_config = a.get_zones or a.get_services or a.get_icmptypes or \
                 options_lockdown_whitelist or a.list_all_zones or \
                 a.get_zone_of_interface or a.get_zone_of_source or \
                 a.info_zone or a.info_icmptype or a.info_service or \
                 a.info_ipset or a.get_ipsets or a.info_helper or \
                 a.get_helpers
  811 
# Zone-level add/remove/query operations on services, ports, protocols,
# source ports, ICMP blocks and forward ports.
options_zone_action_action = \
    a.add_service or a.remove_service or a.query_service or \
    a.add_port or a.remove_port or a.query_port or \
    a.add_protocol or a.remove_protocol or a.query_protocol or \
    a.add_source_port or a.remove_source_port or a.query_source_port or \
    a.add_icmp_block or a.remove_icmp_block or a.query_icmp_block or \
    a.add_forward_port or a.remove_forward_port or a.query_forward_port

# Binding of interfaces and sources to a zone.
options_zone_interfaces_sources = \
    a.list_interfaces or a.change_interface or \
    a.add_interface or a.remove_interface or a.query_interface or \
    a.list_sources or a.change_source or \
    a.add_source or a.remove_source or a.query_source

# Rich rules, masquerading, ICMP block inversion, the list-* options and the
# zone target.
options_zone_adapt_query = \
    a.add_rich_rule or a.remove_rich_rule or a.query_rich_rule or \
    a.add_masquerade or a.remove_masquerade or a.query_masquerade or \
    a.list_services or a.list_ports or a.list_protocols or \
    a.list_source_ports or \
    a.list_icmp_blocks or a.list_forward_ports or a.list_rich_rules or \
    a.add_icmp_block_inversion or a.remove_icmp_block_inversion or \
    a.query_icmp_block_inversion or \
    a.list_all or a.get_target or a.set_target

# Any operation that acts on a zone.
options_zone_ops = options_zone_interfaces_sources or \
                   options_zone_action_action or options_zone_adapt_query

# Truthy when the invocation is zone-related in any way: an explicit --zone,
# a --timeout other than the default "0", a zone operation, or a
# description/short option.
options_zone = a.zone or a.timeout != "0" or options_zone_ops or \
               options_desc_xml_file
  841 
# Operations that need an ipset; later checks require --ipset unless only a
# description/short option was given.
options_ipset = a.add_entry or a.remove_entry or a.query_entry or \
                a.get_entries or a.add_entries_from_file or \
                a.remove_entries_from_file or options_desc_xml_file

# Operations on an ICMP type's destinations.
options_icmptype = a.add_destination or a.remove_destination or \
                   a.query_destination or a.get_destinations or \
                   options_desc_xml_file

# Operations that are valid on a service definition. Several operands
# (ports, protocols, source ports, destinations) are the same options the
# zone and icmptype groups use; which object they apply to is decided by
# whether --service / --icmptype / --helper was given.
options_service = a.add_port or a.remove_port or a.query_port or \
                  a.get_ports or \
                  a.add_protocol or a.remove_protocol or a.query_protocol or \
                  a.get_protocols or \
                  a.add_source_port or a.remove_source_port or \
                  a.query_source_port or a.get_source_ports or \
                  a.add_module or a.remove_module or a.query_module or \
                  a.get_modules or \
                  a.set_destination or a.remove_destination or \
                  a.query_destination or a.get_destinations or \
                  options_desc_xml_file or \
                  a.add_include or a.remove_include or a.query_include or \
                  a.get_includes or \
                  a.add_helper or a.remove_helper or a.query_helper or \
                  a.get_service_helpers

# Operations that are valid on a helper definition.
options_helper = a.add_port or a.remove_port or a.query_port or \
                 a.get_ports or a.set_module or a.get_module or \
                 a.set_family or a.get_family or \
                 options_desc_xml_file
  870 
# Options that may be combined with --permanent. Because a.permanent is the
# first operand, this is always truthy when --permanent itself was given.
options_permanent = a.permanent or options_config or \
                    a.zone or options_zone_ops or \
                    a.ipset or options_ipset or \
                    a.helper or options_helper

# Options that only exist for the permanent configuration: creating,
# deleting or resetting objects, editing icmptype/service/helper
# definitions, the --path-* lookups and description/short options.
options_permanent_only = a.new_icmptype or a.delete_icmptype or \
                         a.new_icmptype_from_file or \
                         a.load_icmptype_defaults or \
                         a.new_service or a.delete_service or \
                         a.new_service_from_file or \
                         a.load_service_defaults or \
                         a.new_zone or a.delete_zone or \
                         a.new_zone_from_file or \
                         a.load_zone_defaults or \
                         a.new_ipset or a.delete_ipset or \
                         a.new_ipset_from_file or \
                         a.load_ipset_defaults or \
                         a.new_helper or a.delete_helper or \
                         a.new_helper_from_file or \
                         a.load_helper_defaults or \
                         (a.icmptype and options_icmptype) or \
                         (a.service and options_service) or \
                         (a.helper and options_helper) or \
                         a.path_zone or a.path_icmptype or a.path_service or \
                         a.path_ipset or a.path_helper or options_desc_xml_file

# Any option of the direct interface; must be paired with --direct (checked
# further down).
options_direct = a.passthrough or \
           a.add_chain or a.remove_chain or a.query_chain or \
           a.get_chains or a.get_all_chains or \
           a.add_rule or a.remove_rule or a.remove_rules or a.query_rule or \
           a.get_rules or a.get_all_rules or \
           a.add_passthrough or a.remove_passthrough or a.query_passthrough or \
           a.get_passthroughs or a.get_all_passthroughs

# Options that are refused unless --permanent is present: everything in
# options_permanent_only plus reading or setting a zone target.
options_require_permanent = options_permanent_only or \
                            a.get_target or a.set_target
  907 
# Options whose only purpose is to print something. The script refuses
# -q/--quiet together with any of them, since the output is the whole point.
options_list_get = a.help or a.version or a.list_all or a.list_all_zones or \
 a.list_lockdown_whitelist_commands or a.list_lockdown_whitelist_contexts or \
 a.list_lockdown_whitelist_uids or a.list_lockdown_whitelist_users or \
 a.list_services or a.list_ports or a.list_protocols or a.list_icmp_blocks or \
 a.list_forward_ports or a.list_rich_rules or a.list_interfaces or \
 a.list_sources or a.get_default_zone or a.get_active_zones or \
 a.get_zone_of_interface or a.get_zone_of_source or a.get_zones or \
 a.get_services or a.get_icmptypes or a.get_target or \
 a.info_zone or a.info_icmptype or a.info_service or \
 a.info_ipset or a.get_ipsets or a.get_entries or \
 a.info_helper or a.get_helpers or \
 a.get_destinations or a.get_description
  921 
# Command helper, created with the parsed quiet and verbose settings.
cmd = FirewallCommand(a.quiet, a.verbose)


def myexcepthook(exctype, value, traceback):
    """Report an uncaught exception through cmd.exception_handler.

    Only the exception's string form is forwarded; the exception type and
    the traceback object are not used, so no stack trace is produced here.
    """
    message = str(value)
    cmd.exception_handler(message)


# From here on every uncaught exception in the script goes through the hook.
sys.excepthook = myexcepthook
  929 
# Check various impossible combinations of options
#
# Each check reports through cmd.fail(usage + message). The checks are
# written as independent `if` statements, which presumably relies on
# cmd.fail() terminating the program -- TODO confirm in FirewallCommand.

# Nothing to do at all.
if not (options_standalone or options_ipset or \
        options_icmptype or options_service or options_helper or \
        options_config or options_zone_ops or \
        options_direct or options_permanent_only):
    cmd.fail(parser.format_usage() + "No option specified.")

# Stand-alone options cannot be mixed with anything else.
if options_standalone and (options_zone or options_permanent or \
                           options_direct or options_permanent_only or\
                           options_ipset):
    cmd.fail(parser.format_usage() +
             "Can't use stand-alone options with other options.")

# ipset entry operations need --ipset (description/short options are exempt).
if options_ipset and not options_desc_xml_file and not a.ipset:
    cmd.fail(parser.format_usage() + "No ipset specified.")

# Destination operations need --icmptype, unless they target a service.
if (options_icmptype and not a.icmptype) and \
   not (options_service and a.service) and not options_desc_xml_file:
    cmd.fail(parser.format_usage() + "No icmptype specified.")

# Helper operations need --helper, unless the same options are being applied
# to a service or a zone.
if (options_helper and not a.helper) and \
   not (options_service and a.service) and \
   not options_zone and not options_desc_xml_file:
    cmd.fail(parser.format_usage() + "No helper specified.")

# NOTE(review): this fires only when all the parenthesised terms hold at
# once (zone options without --zone AND service options without --service
# AND icmptype options with --icmptype); confirm that this conjunction is
# the intended condition for "Can't be used with --zone.".
if (options_direct or options_permanent_only) and \
   (options_zone and not a.zone) and (options_service and not a.service) and \
   (options_icmptype and a.icmptype) and not options_desc_xml_file:
    cmd.fail(parser.format_usage() + "Can't be used with --zone.")

# --direct and the direct options must appear together.
if (a.direct and not options_direct) or (options_direct and not a.direct):
    cmd.fail(parser.format_usage() +
             "Wrong usage of 'direct' options.")

# --name is only meaningful with a --new-*-from-file option.
if a.name and not (a.new_zone_from_file or a.new_service_from_file or \
                   a.new_ipset_from_file or a.new_icmptype_from_file or \
                   a.new_helper_from_file):
    cmd.fail(parser.format_usage() + "Wrong usage of '--name' option.")

# Permanent-only operations are refused without --permanent.
if options_require_permanent and not a.permanent:
    cmd.fail(parser.format_usage() +
             "Option can be used only with --permanent.")

# Listing/lookup options cannot be combined with zone options.
if options_config and options_zone:
    cmd.fail(parser.format_usage() +
             "Wrong usage of --get-zones | --get-services | --get-icmptypes.")
  977 
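# Convert --timeout from its command-line form into an int number of seconds.
# Accepted forms: "<n>" (seconds) or "<n><unit>" where unit is s, m or h
# (case-insensitive). The argparse default "0" means "no timeout".
if a.timeout != "0":
    value = 0
    unit = 's'
    _seconds_per_unit = {'s': 1, 'm': 60, 'h': 60 * 60}

    if a.timeout.isdecimal():
        # bare number: seconds
        _digits = a.timeout
    else:
        # number followed by a one-character unit
        _digits = a.timeout[:-1]
        unit = a.timeout[-1:].lower()

    # isdecimal() instead of isdigit(): isdigit() also accepts characters
    # such as superscript digits that int() rejects, which used to surface
    # as an uncaught ValueError instead of the usage error below. An empty
    # number part (e.g. "" or "m") fails isdecimal() as well.
    if _digits.isdecimal() and unit in _seconds_per_unit:
        value = int(_digits)
        a.timeout = value * _seconds_per_unit[unit]
    else:
        cmd.fail(parser.format_usage() +
                 "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout)
else:
    a.timeout = 0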
 1012 
# A timeout only makes sense for the runtime "add" operations listed here.
_timeout_capable = (a.add_service or a.add_port or a.add_protocol or
                    a.add_icmp_block or a.add_forward_port or
                    a.add_source_port or a.add_masquerade or a.add_rich_rule)
if a.timeout and not _timeout_capable:
    cmd.fail(parser.format_usage() + "Wrong --timeout usage")

if a.permanent:
    # Permanent changes cannot expire.
    if a.timeout:
        cmd.fail(parser.format_usage() +
                 "Can't specify timeout for permanent action.")
    # NOTE(review): options_permanent is defined as `a.permanent or ...`, so
    # it is truthy whenever this branch runs and the failure below looks
    # unreachable; confirm whether a stricter test was intended.
    if not ((options_config and not a.zone) or options_permanent):
        cmd.fail(parser.format_usage() + "Wrong --permanent usage.")
 1028 
# --quiet combined with an option whose only job is to print is an error.
# Quiet mode is switched off first, before the failure is reported through
# cmd.fail().
if a.quiet and options_list_get:
    a.quiet = False
    cmd.set_quiet(False)
    cmd.fail("-q/--quiet can't be used with this option(s)")

# --help: print the usage text and leave with exit status 0.
if a.help:
    __usage()
    sys.exit(0)
 1038 
# Zone named on the command line ("" when --zone was not given).
zone = a.zone

# Create the client object; a FirewallError here is reported with the exit
# code that FirewallError.get_code() derives from the message.
try:
    fw = FirewallClient()
except FirewallError as msg:
    code = FirewallError.get_code(str(msg))
    cmd.print_and_exit("Error: %s" % msg, code)

# Route client-side errors through the same handler as the rest of the tool.
fw.setExceptionHandler(cmd.exception_handler)

# Without a connection nothing below can work; --state gets the short answer.
if not fw.connected:
    _status_text = "not running" if a.state else "FirewallD is not running"
    cmd.print_and_exit(_status_text, errors.NOT_RUNNING)

cmd.set_fw(fw)
 1054 
# A zone operation without --zone acts on the default zone, unless the
# options are really aimed at a service or helper definition. If there are
# active zones and the default zone is not one of them, print a hint so the
# operator does not change a zone that none of the active
# connections/interfaces are in.
_targets_service = a.service and options_service
_targets_helper = a.helper and options_helper
if options_zone_ops and not zone and not _targets_service \
        and not _targets_helper:
    default = fw.getDefaultZone()
    cmd.print_if_verbose(
        "No zone specified, using default zone, i.e. '%s'" % default)
    active = list(fw.getActiveZones().keys())
    if active and default not in active:
        _hint = ("You're performing an operation over default zone ('%s'),\n"
                 "but your connections/interfaces are in zone '%s'"
                 " (see --get-active-zones)\n"
                 "You most likely need to use --zone=%s option.\n")
        cmd.print_msg(_hint % (default, ",".join(active), active[0]))
 1065 
 1066 if a.permanent:
 1067     if a.get_ipsets:
 1068         cmd.print_and_exit(" ".join(fw.config().getIPSetNames()))
 1069 
 1070     elif a.new_ipset:
 1071         if not a.type:
 1072             cmd.fail(parser.format_usage() + "No type specified.")
 1073 
 1074         settings = FirewallClientIPSetSettings()
 1075         settings.setType(a.type)
 1076         if a.option:
 1077             for opt in a.option:
 1078                 settings.addOption(*cmd.parse_ipset_option(opt))
 1079         if a.family:
 1080             settings.addOption("family", a.family)
 1081         config = fw.config()
 1082         config.addIPSet(a.new_ipset, settings)
 1083 
 1084     elif a.new_ipset_from_file:
 1085         filename = os.path.basename(a.new_ipset_from_file)
 1086         dirname = os.path.dirname(a.new_ipset_from_file)
 1087         if dirname == "":
 1088             dirname = "./"
 1089         try:
 1090             obj = ipset_reader(filename, dirname)
 1091         except FirewallError as msg:
 1092             cmd.fail("Failed to load ipset file '%s': %s" % \
 1093                    (a.new_ipset_from_file, msg))
 1094         except IOError as msg:
 1095             cmd.fail("Failed to load ipset file: %s" % msg)
 1096 
 1097         if a.name:
 1098             obj.name = a.name
 1099 
 1100         config = fw.config()
 1101         config.addIPSet(obj.name, obj.export_config())
 1102 
 1103     elif a.delete_ipset:
 1104         ipset = fw.config().getIPSetByName(a.delete_ipset)
 1105         ipset.remove()
 1106 
 1107     elif a.load_ipset_defaults:
 1108         ipset = fw.config().getIPSetByName(a.load_ipset_defaults)
 1109         ipset.loadDefaults()
 1110 
 1111     elif a.info_ipset:
 1112         ipset = fw.config().getIPSetByName(a.info_ipset)
 1113         cmd.print_ipset_info(a.info_ipset, ipset.getSettings())
 1114         sys.exit(0)
 1115 
 1116     elif a.path_ipset:
 1117         ipset = fw.config().getIPSetByName(a.path_ipset)
 1118         cmd.print_and_exit("%s/%s" % (ipset.get_property("path"),
 1119                                       ipset.get_property("filename")))
 1120 
 1121     elif a.ipset:
 1122         ipset = fw.config().getIPSetByName(a.ipset)
 1123         settings = ipset.getSettings()
 1124 
 1125         if a.add_entry:
 1126             cmd.add_sequence(a.add_entry, settings.addEntry,
 1127                              settings.queryEntry, None, "'%s'")
 1128             ipset.update(settings)
 1129 
 1130         elif a.remove_entry:
 1131             cmd.remove_sequence(a.remove_entry, settings.removeEntry,
 1132                                 settings.queryEntry, None, "'%s'")
 1133             ipset.update(settings)
 1134 
 1135         elif a.query_entry:
 1136             cmd.query_sequence(a.query_entry, settings.queryEntry, None, "'%s'")
 1137 
 1138         elif a.get_entries:
 1139             l = settings.getEntries()
 1140             cmd.print_and_exit("\n".join(l))
 1141 
 1142         elif a.add_entries_from_file:
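            # Merge the entries read from every listed file into the ipset
            # settings.  The ipset object is updated once at the end, and only
            # when at least one entry was actually added.
            changed = False

            for filename in a.add_entries_from_file:
                try:
                    entries = cmd.get_ipset_entries_from_file(filename)
                except IOError as msg:
                    message = "Failed to read file '%s': %s" % (filename, msg)
                    if len(a.add_entries_from_file) > 1:
                        # Several files given: warn and go on with the rest.
                        cmd.print_warning(message)
                    else:
                        # Single file: nothing was applied.  The original left
                        # through a bare print_and_exit(message), which passes
                        # no error code (compare the NOT_ENABLED exit in the
                        # service handling, which passes one).  Report through
                        # cmd.fail instead, as the *-from-file loaders in this
                        # file do, so a calling script cannot mistake an
                        # unreadable entries file for a populated set.
                        cmd.fail(message)
                    continue

                old_entries = settings.getEntries()
                # Set copy of the current entries for O(1) duplicate checks;
                # old_entries keeps the original order for setEntries().
                entries_set = set(old_entries)
                for entry in entries:
                    if entry in entries_set:
                        cmd.print_if_verbose(
                            "Warning: ALREADY_ENABLED: %s" % entry)
                        continue
                    old_entries.append(entry)
                    entries_set.add(entry)
                    changed = True
                if changed:
                    settings.setEntries(old_entries)
            if changed:
                ipset.update(settings)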
 1171 
 1172         elif a.remove_entries_from_file:
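            # Drop the entries read from every listed file from the ipset
            # settings.  The ipset object is updated once at the end, and only
            # when at least one entry was actually removed.
            changed = False

            for filename in a.remove_entries_from_file:
                try:
                    entries = cmd.get_ipset_entries_from_file(filename)
                except IOError as msg:
                    message = "Failed to read file '%s': %s" % (filename, msg)
                    if len(a.remove_entries_from_file) > 1:
                        # Several files given: warn and go on with the rest.
                        cmd.print_warning(message)
                    else:
                        # Single file: nothing was removed.  The original left
                        # through a bare print_and_exit(message), which passes
                        # no error code (compare the NOT_ENABLED exit in the
                        # service handling, which passes one).  Report through
                        # cmd.fail instead, as the *-from-file loaders in this
                        # file do, so a calling script cannot assume the
                        # entries are gone when the file was never read.
                        cmd.fail(message)
                    continue

                old_entries = settings.getEntries()
                # Set copy of the current entries for O(1) membership checks;
                # old_entries keeps the original order for setEntries().
                entries_set = set(old_entries)
                for entry in entries:
                    if entry not in entries_set:
                        cmd.print_if_verbose("Warning: NOT_ENABLED: %s" % entry)
                        continue
                    old_entries.remove(entry)
                    entries_set.discard(entry)
                    changed = True
                if changed:
                    settings.setEntries(old_entries)
            if changed:
                ipset.update(settings)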
 1200 
 1201         elif a.set_description:
 1202             settings.setDescription(a.set_description)
 1203             ipset.update(settings)
 1204 
 1205         elif a.get_description:
 1206             cmd.print_and_exit(settings.getDescription())
 1207 
 1208         elif a.set_short:
 1209             settings.setShort(a.set_short)
 1210             ipset.update(settings)
 1211 
 1212         elif a.get_short:
 1213             cmd.print_and_exit(settings.getShort())
 1214 
 1215         else:
 1216             cmd.fail(parser.format_usage() + "Unknown option")
 1217 
 1218     elif a.get_zones:
 1219         cmd.print_and_exit(" ".join(fw.config().getZoneNames()))
 1220 
 1221     elif a.new_zone:
 1222         config = fw.config()
 1223         config.addZone(a.new_zone, FirewallClientZoneSettings())
 1224 
 1225     elif a.new_zone_from_file:
 1226         filename = os.path.basename(a.new_zone_from_file)
 1227         dirname = os.path.dirname(a.new_zone_from_file)
 1228         if dirname == "":
 1229             dirname = "./"
 1230         try:
 1231             obj = zone_reader(filename, dirname)
 1232         except FirewallError as msg:
 1233             cmd.fail("Failed to load zone file '%s': %s" % \
 1234                    (a.new_zone_from_file, msg))
 1235         except IOError as msg:
 1236             cmd.fail("Failed to load zone file: %s" % msg)
 1237 
 1238         if a.name:
 1239             obj.name = a.name
 1240 
 1241         config = fw.config()
 1242         config.addZone(obj.name, obj.export_config())
 1243 
 1244     elif a.delete_zone:
 1245         zone = fw.config().getZoneByName(a.delete_zone)
 1246         zone.remove()
 1247 
 1248     elif a.load_zone_defaults:
 1249         zone = fw.config().getZoneByName(a.load_zone_defaults)
 1250         zone.loadDefaults()
 1251 
 1252     elif a.info_zone:
 1253         zone = fw.config().getZoneByName(a.info_zone)
 1254         cmd.print_zone_info(a.info_zone, zone.getSettings(), True)
 1255         sys.exit(0)
 1256 
 1257     elif a.path_zone:
 1258         zone = fw.config().getZoneByName(a.path_zone)
 1259         cmd.print_and_exit("%s/%s" % (zone.get_property("path"),
 1260                                       zone.get_property("filename")))
 1261 
 1262     elif a.get_services:
 1263         cmd.print_and_exit(" ".join(fw.config().getServiceNames()))
 1264 
 1265     elif a.new_service:
 1266         config = fw.config()
 1267         config.addService(a.new_service, FirewallClientServiceSettings())
 1268 
 1269     elif a.new_service_from_file:
 1270         filename = os.path.basename(a.new_service_from_file)
 1271         dirname = os.path.dirname(a.new_service_from_file)
 1272         if dirname == "":
 1273             dirname = "./"
 1274         try:
 1275             obj = service_reader(filename, dirname)
 1276         except FirewallError as msg:
 1277             cmd.fail("Failed to load service file '%s': %s" % \
 1278                      (a.new_service_from_file, msg))
 1279         except IOError as msg:
 1280             cmd.fail("Failed to load service file: %s" % msg)
 1281 
 1282         if a.name:
 1283             obj.name = a.name
 1284 
 1285         config = fw.config()
 1286         config.addService(obj.name, obj.export_config())
 1287 
 1288     elif a.delete_service:
 1289         service = fw.config().getServiceByName(a.delete_service)
 1290         service.remove()
 1291 
 1292     elif a.load_service_defaults:
 1293         service = fw.config().getServiceByName(a.load_service_defaults)
 1294         service.loadDefaults()
 1295 
 1296     elif a.info_service:
 1297         service = fw.config().getServiceByName(a.info_service)
 1298         cmd.print_service_info(a.info_service, service.getSettings())
 1299         sys.exit(0)
 1300 
 1301     elif a.path_service:
 1302         service = fw.config().getServiceByName(a.path_service)
 1303         cmd.print_and_exit("%s/%s" % (service.get_property("path"),
 1304                                       service.get_property("filename")))
 1305 
 1306     elif a.get_helpers:
 1307         cmd.print_and_exit(" ".join(fw.config().getHelperNames()))
 1308 
 1309     elif a.new_helper:
 1310         if not a.module:
 1311             cmd.fail(parser.format_usage() + "No module specified.")
 1312         settings = FirewallClientHelperSettings()
 1313         settings.setModule(a.module)
 1314         if a.family:
 1315             settings.setFamily(a.family)
 1316         config = fw.config()
 1317         config.addHelper(a.new_helper, settings)
 1318 
 1319     elif a.new_helper_from_file:
 1320         filename = os.path.basename(a.new_helper_from_file)
 1321         dirname = os.path.dirname(a.new_helper_from_file)
 1322         if dirname == "":
 1323             dirname = "./"
 1324         try:
 1325             obj = helper_reader(filename, dirname)
 1326         except FirewallError as msg:
 1327             cmd.fail("Failed to load helper file '%s': %s" % \
 1328                      (a.new_helper_from_file, msg))
 1329         except IOError as msg:
 1330             cmd.fail("Failed to load helper file: %s" % msg)
 1331 
 1332         if a.name:
 1333             obj.name = a.name
 1334 
 1335         config = fw.config()
 1336         config.addHelper(obj.name, obj.export_config())
 1337 
 1338     elif a.delete_helper:
 1339         helper = fw.config().getHelperByName(a.delete_helper)
 1340         helper.remove()
 1341 
 1342     elif a.load_helper_defaults:
 1343         helper = fw.config().getHelperByName(a.load_helper_defaults)
 1344         helper.loadDefaults()
 1345 
 1346     elif a.info_helper:
 1347         helper = fw.config().getHelperByName(a.info_helper)
 1348         cmd.print_helper_info(a.info_helper, helper.getSettings())
 1349         sys.exit(0)
 1350 
 1351     elif a.path_helper:
 1352         helper = fw.config().getHelperByName(a.path_helper)
 1353         cmd.print_and_exit("%s/%s" % (helper.get_property("path"),
 1354                                       helper.get_property("filename")))
 1355 
 1356     elif a.helper:
 1357         helper = fw.config().getHelperByName(a.helper)
 1358         settings = helper.getSettings()
 1359 
 1360         if a.add_port:
 1361             cmd.add_sequence(a.add_port, settings.addPort,
 1362                              settings.queryPort, cmd.parse_port, "%s/%s")
 1363             helper.update(settings)
 1364 
 1365         elif a.remove_port:
 1366             cmd.remove_sequence(a.remove_port, settings.removePort,
 1367                                 settings.queryPort, cmd.parse_port, "%s/%s")
 1368             helper.update(settings)
 1369 
 1370         elif a.query_port:
 1371             cmd.query_sequence(a.query_port, settings.queryPort,
 1372                                cmd.parse_port, "%s/%s")
 1373 
 1374         elif a.get_ports:
 1375             l = helper.getPorts()
 1376             cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
 1377 
 1378         elif a.get_module:
 1379             cmd.print_and_exit(settings.getModule())
 1380 
 1381         elif a.set_module:
 1382             settings.setModule(cmd.check_module(a.set_module))
 1383             helper.update(settings)
 1384 
 1385         elif a.get_family:
 1386             cmd.print_and_exit(settings.getFamily())
 1387 
 1388         elif a.set_family:
 1389             settings.setFamily(cmd.check_helper_family(a.set_family[0]))
 1390             helper.update(settings)
 1391 
 1392         elif a.set_description:
 1393             settings.setDescription(a.set_description)
 1394             helper.update(settings)
 1395 
 1396         elif a.get_description:
 1397             cmd.print_and_exit(settings.getDescription())
 1398 
 1399         elif a.set_short:
 1400             settings.setShort(a.set_short)
 1401             helper.update(settings)
 1402 
 1403         elif a.get_short:
 1404             cmd.print_and_exit(settings.getShort())
 1405 
 1406         else:
 1407             cmd.fail(parser.format_usage() + "Unknown option")
 1408 
 1409     elif a.get_icmptypes:
 1410         cmd.print_and_exit(" ".join(fw.config().getIcmpTypeNames()))
 1411 
 1412     elif a.new_icmptype:
 1413         config = fw.config()
 1414         config.addIcmpType(a.new_icmptype, FirewallClientIcmpTypeSettings())
 1415 
 1416     elif a.new_icmptype_from_file:
 1417         filename = os.path.basename(a.new_icmptype_from_file)
 1418         dirname = os.path.dirname(a.new_icmptype_from_file)
 1419         if dirname == "":
 1420             dirname = "./"
 1421         try:
 1422             obj = icmptype_reader(filename, dirname)
 1423         except FirewallError as msg:
 1424             cmd.fail("Failed to load icmptype file '%s': %s" % \
 1425                      (a.new_icmptype_from_file, msg))
 1426         except IOError as msg:
 1427             cmd.fail("Failed to load icmptype file: %s" % msg)
 1428 
 1429         if a.name:
 1430             obj.name = a.name
 1431 
 1432         config = fw.config()
 1433         config.addIcmpType(obj.name, obj.export_config())
 1434 
 1435     elif a.delete_icmptype:
 1436         icmptype = fw.config().getIcmpTypeByName(a.delete_icmptype)
 1437         icmptype.remove()
 1438 
 1439     elif a.load_icmptype_defaults:
 1440         icmptype = fw.config().getIcmpTypeByName(a.load_icmptype_defaults)
 1441         icmptype.loadDefaults()
 1442 
 1443     elif a.info_icmptype:
 1444         icmptype = fw.config().getIcmpTypeByName(a.info_icmptype)
 1445         cmd.print_icmptype_info(a.info_icmptype, icmptype.getSettings())
 1446         sys.exit(0)
 1447 
 1448     elif a.path_icmptype:
 1449         icmptype = fw.config().getIcmpTypeByName(a.path_icmptype)
 1450         cmd.print_and_exit("%s/%s" % (icmptype.get_property("path"),
 1451                                       icmptype.get_property("filename")))
 1452 
 1453     elif a.icmptype:
 1454         icmptype = fw.config().getIcmpTypeByName(a.icmptype)
 1455         settings = icmptype.getSettings()
 1456 
 1457         if a.add_destination:
 1458             cmd.add_sequence(a.add_destination, settings.addDestination,
 1459                              settings.queryDestination,
 1460                              cmd.check_destination_ipv, "'%s'")
 1461             icmptype.update(settings)
 1462 
 1463         elif a.remove_destination:
 1464             cmd.remove_sequence(a.remove_destination,
 1465                                 settings.removeDestination,
 1466                                 settings.queryDestination,
 1467                                 cmd.check_destination_ipv, "'%s'")
 1468             icmptype.update(settings)
 1469 
 1470         elif a.query_destination:
 1471             cmd.query_sequence(a.query_destination, settings.queryDestination,
 1472                                cmd.check_destination_ipv , "'%s'")
 1473 
 1474         elif a.get_destinations:
 1475             l = settings.getDestinations()
 1476             if len(l) == 0:
 1477                 l = [ "ipv4", "ipv6" ]
 1478             cmd.print_and_exit("\n".join(l))
 1479 
 1480         elif a.set_description:
 1481             settings.setDescription(a.set_description)
 1482             icmptype.update(settings)
 1483 
 1484         elif a.get_description:
 1485             cmd.print_and_exit(settings.getDescription())
 1486 
 1487         elif a.set_short:
 1488             settings.setShort(a.set_short)
 1489             icmptype.update(settings)
 1490 
 1491         elif a.get_short:
 1492             cmd.print_and_exit(settings.getShort())
 1493 
 1494         else:
 1495             cmd.fail(parser.format_usage() + "Unknown option")
 1496 
 1497     elif a.service:
 1498         service = fw.config().getServiceByName(a.service)
 1499         settings = service.getSettings()
 1500 
 1501         if a.add_port:
 1502             cmd.add_sequence(a.add_port, settings.addPort,
 1503                              settings.queryPort, cmd.parse_port, "%s/%s")
 1504             service.update(settings)
 1505 
 1506         elif a.remove_port:
 1507             cmd.remove_sequence(a.remove_port, settings.removePort,
 1508                                 settings.queryPort, cmd.parse_port, "%s/%s")
 1509             service.update(settings)
 1510 
 1511         elif a.query_port:
 1512             cmd.query_sequence(a.query_port, settings.queryPort,
 1513                                cmd.parse_port, "%s/%s")
 1514 
 1515         elif a.get_ports:
 1516             l = settings.getPorts()
 1517             cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
 1518 
 1519         elif a.add_protocol:
 1520             cmd.add_sequence(a.add_protocol, settings.addProtocol,
 1521                              settings.queryProtocol, None, "'%s'")
 1522             service.update(settings)
 1523 
 1524         elif a.remove_protocol:
 1525             cmd.remove_sequence(a.remove_protocol, settings.removeProtocol,
 1526                                 settings.queryProtocol, None, "'%s'")
 1527             service.update(settings)
 1528 
 1529         elif a.query_protocol:
 1530             cmd.query_sequence(a.query_protocol, settings.queryProtocol,
 1531                                None, "'%s'")
 1532 
 1533         elif a.get_protocols:
 1534             l = settings.getProtocols()
 1535             cmd.print_and_exit(" ".join(["%s" % protocol for protocol in l]))
 1536 
 1537         elif a.add_source_port:
 1538             cmd.add_sequence(a.add_source_port, settings.addSourcePort,
 1539                              settings.querySourcePort, cmd.parse_port, "%s/%s")
 1540             service.update(settings)
 1541 
 1542         elif a.remove_source_port:
 1543             cmd.remove_sequence(a.remove_source_port, settings.removeSourcePort,
 1544                                 settings.querySourcePort, cmd.parse_port,
 1545                                 "%s/%s")
 1546             service.update(settings)
 1547 
 1548         elif a.query_source_port:
 1549             cmd.query_sequence(a.query_source_port, settings.querySourcePort,
 1550                                cmd.parse_port, "%s/%s")
 1551 
 1552         elif a.get_source_ports:
 1553             l = settings.getSourcePorts()
 1554             cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
 1555 
 1556         elif a.add_module:
 1557             cmd.add_sequence(a.add_module, settings.addModule,
 1558                              settings.queryModule, None, "'%s'")
 1559             service.update(settings)
 1560 
 1561         elif a.remove_module:
 1562             cmd.remove_sequence(a.remove_module, settings.removeModule,
 1563                                 settings.queryModule, None, "'%s'")
 1564             service.update(settings)
 1565 
 1566         elif a.query_module:
 1567             cmd.query_sequence(a.query_module, settings.queryModule,
 1568                                None, "'%s'")
 1569 
 1570         elif a.get_modules:
 1571             l = settings.getModules()
 1572             cmd.print_and_exit(" ".join(["%s" % module for module in l]))
 1573 
 1574         elif a.set_destination:
 1575             cmd.add_sequence(a.set_destination, settings.setDestination,
 1576                              settings.queryDestination,
 1577                              cmd.parse_service_destination, "%s:%s")
 1578             service.update(settings)
 1579 
 1580         elif a.remove_destination:
 1581             # special case for removeDestination: Only ipv, no address
 1582             for ipv in a.remove_destination:
 1583                 cmd.check_destination_ipv(ipv)
 1584                 if ipv not in settings.getDestinations():
 1585                     if len(a.remove_destination) > 1:
 1586                         cmd.print_warning("Warning: NOT_ENABLED: '%s'" % ipv)
 1587                     else:
 1588                         code = FirewallError.get_code("NOT_ENABLED")
 1589                         cmd.print_and_exit("Error: NOT_ENABLED: '%s'" % ipv,
 1590                                            code)
 1591                 else:
 1592                     settings.removeDestination(ipv)
 1593             service.update(settings)
 1594 
 1595         elif a.query_destination:
 1596             cmd.query_sequence(a.query_destination, settings.queryDestination,
 1597                                cmd.parse_service_destination, "'%s'")
 1598 
 1599         elif a.get_destinations:
 1600             l = settings.getDestinations()
 1601             cmd.print_and_exit(" ".join(["%s:%s" % (dest[0], dest[1]) for dest in l.items()]))
 1602 
 1603         elif a.add_include:
 1604             cmd.add_sequence(a.add_include, settings.addInclude,
 1605                              settings.queryInclude, None, "'%s'")
 1606             service.update(settings)
 1607 
 1608         elif a.remove_include:
 1609             cmd.remove_sequence(a.remove_include, settings.removeInclude,
 1610                                 settings.queryInclude, None, "'%s'")
 1611             service.update(settings)
 1612 
 1613         elif a.query_include:
 1614             cmd.query_sequence(a.query_include, settings.queryInclude,
 1615                                None, "'%s'")
 1616 
 1617         elif a.get_includes:
 1618             l = settings.getIncludes()
 1619             cmd.print_and_exit(" ".join(["%s" % include for include in sorted(l)]))
 1620 
 1621         elif a.add_helper:
 1622             cmd.add_sequence(a.add_helper, settings.addHelper,
 1623                              settings.queryHelper, None, "'%s'")
 1624             service.update(settings)
 1625 
 1626         elif a.remove_helper:
 1627             cmd.remove_sequence(a.remove_helper, settings.removeHelper,
 1628                                 settings.queryHelper, None, "'%s'")
 1629             service.update(settings)
 1630 
 1631         elif a.query_helper:
 1632             cmd.query_sequence(a.query_helper, settings.queryHelper,
 1633                                None, "'%s'")
 1634 
 1635         elif a.get_service_helpers:
 1636             l = settings.getHelpers()
 1637             cmd.print_and_exit(" ".join(["%s" % helper for helper in sorted(l)]))
 1638 
 1639         elif a.set_description:
 1640             settings.setDescription(a.set_description)
 1641             service.update(settings)
 1642 
 1643         elif a.get_description:
 1644             cmd.print_and_exit(settings.getDescription())
 1645 
 1646         elif a.set_short:
 1647             settings.setShort(a.set_short)
 1648             service.update(settings)
 1649 
 1650         elif a.get_short:
 1651             cmd.print_and_exit(settings.getShort())
 1652 
 1653         else:
 1654             cmd.fail(parser.format_usage() + "Unknown option")
 1655 
 1656     # lockdown whitelist
 1657 
 1658     elif options_lockdown_whitelist:
 1659         policies = fw.config().policies()
 1660 
 1661         # commands
 1662         if a.list_lockdown_whitelist_commands:
 1663             l = policies.getLockdownWhitelistCommands()
 1664             cmd.print_and_exit("\n".join(l))
 1665         elif a.add_lockdown_whitelist_command:
 1666             cmd.add_sequence(a.add_lockdown_whitelist_command,
 1667                              policies.addLockdownWhitelistCommand,
 1668                              policies.queryLockdownWhitelistCommand,
 1669                              None, "'%s'")
 1670         elif a.remove_lockdown_whitelist_command:
 1671             cmd.remove_sequence(a.remove_lockdown_whitelist_command,
 1672                                 policies.removeLockdownWhitelistCommand,
 1673                                 policies.queryLockdownWhitelistCommand,
 1674                                 None, "'%s'")
 1675         elif a.query_lockdown_whitelist_command:
 1676             cmd.query_sequence(a.query_lockdown_whitelist_command,
 1677                                policies.queryLockdownWhitelistCommand,
 1678                                None, "'%s'")
 1679 
 1680         # contexts
 1681         elif a.list_lockdown_whitelist_contexts:
 1682             l = policies.getLockdownWhitelistContexts()
 1683             cmd.print_and_exit("\n".join(l))
 1684         elif a.add_lockdown_whitelist_context:
 1685             cmd.add_sequence(a.add_lockdown_whitelist_context,
 1686                              policies.addLockdownWhitelistContext,
 1687                              policies.queryLockdownWhitelistContext,
 1688                              None, "'%s'")
 1689         elif a.remove_lockdown_whitelist_context:
 1690             cmd.remove_sequence(a.remove_lockdown_whitelist_context,
 1691                                 policies.removeLockdownWhitelistContext,
 1692                                 policies.queryLockdownWhitelistContext,
 1693                                 None, "'%s'")
 1694         elif a.query_lockdown_whitelist_context:
 1695             cmd.query_sequence(a.query_lockdown_whitelist_context,
 1696                                policies.queryLockdownWhitelistContext,
 1697                                None, "'%s'")
 1698 
 1699         # uids
 1700         elif a.list_lockdown_whitelist_uids:
 1701             l = policies.getLockdownWhitelistUids()
 1702             cmd.print_and_exit(" ".join(map(str, l)))
 1703         elif a.add_lockdown_whitelist_uid is not None:
 1704             cmd.add_sequence(a.add_lockdown_whitelist_uid,
 1705                              policies.addLockdownWhitelistUid,
 1706                              policies.queryLockdownWhitelistUid, None, "%s")
 1707         elif a.remove_lockdown_whitelist_uid is not None:
 1708             cmd.remove_sequence(a.remove_lockdown_whitelist_uid,
 1709                                 policies.removeLockdownWhitelistUid,
 1710                                 policies.queryLockdownWhitelistUid, None, "%s")
 1711         elif a.query_lockdown_whitelist_uid is not None:
 1712             cmd.query_sequence(a.query_lockdown_whitelist_uid,
 1713                                policies.queryLockdownWhitelistUid, None, "%s")
 1714 
 1715         # users
 1716         elif a.list_lockdown_whitelist_users:
 1717             l = policies.getLockdownWhitelistUsers()
 1718             cmd.print_and_exit("\n".join(l))
 1719         elif a.add_lockdown_whitelist_user:
 1720             cmd.add_sequence(a.add_lockdown_whitelist_user,
 1721                              policies.addLockdownWhitelistUser,
 1722                              policies.queryLockdownWhitelistUser,
 1723                              None, "%s")
 1724         elif a.remove_lockdown_whitelist_user:
 1725             cmd.remove_sequence(a.remove_lockdown_whitelist_user,
 1726                                 policies.removeLockdownWhitelistUser,
 1727                                 policies.queryLockdownWhitelistUser,
 1728                                 None, "%s")
 1729         elif a.query_lockdown_whitelist_user:
 1730             cmd.query_sequence(a.query_lockdown_whitelist_user,
 1731                                policies.queryLockdownWhitelistUser,
 1732                                None, "'%s'")
 1733 
 1734     elif options_direct:
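        # Direct-interface operations on the configuration object returned by
        # fw.config().direct(): passthroughs, chains and rules.  Only the
        # leading ipv token is checked here, through cmd.check_ipv.  Table and
        # chain names and the rule arguments produced by splitArgs are
        # forwarded exactly as they were given on the command line.
        direct = fw.config().direct()

        if a.passthrough:
            if len(a.passthrough) < 2:
                cmd.fail("usage: --permanent --direct --passthrough { ipv4 | ipv6 | eb } <args>")
            cmd.print_msg(direct.addPassthrough(cmd.check_ipv(a.passthrough[0]),
                                                splitArgs(a.passthrough[1])))

        elif a.add_passthrough:
            # Joined to the chain (was a separate "if"): one invocation now
            # performs exactly one direct operation, as for every other
            # option handled below.
            if len(a.add_passthrough) < 2:
                cmd.fail("usage: --permanent --direct --add-passthrough { ipv4 | ipv6 | eb } <args>")
            cmd.print_msg(direct.addPassthrough(cmd.check_ipv(a.add_passthrough[0]),
                                                splitArgs(a.add_passthrough[1])))

        elif a.remove_passthrough:
            if len(a.remove_passthrough) < 2:
                cmd.fail("usage: --permanent --direct --remove-passthrough { ipv4 | ipv6 | eb } <args>")
            direct.removePassthrough(cmd.check_ipv(a.remove_passthrough[0]),
                                     splitArgs(a.remove_passthrough[1]))
        elif a.query_passthrough:
            if len(a.query_passthrough) < 2:
                cmd.fail("usage: --permanent --direct --query-passthrough { ipv4 | ipv6 | eb } <args>")
            cmd.print_query_result(
                direct.queryPassthrough(cmd.check_ipv(a.query_passthrough[0]),
                                        splitArgs(a.query_passthrough[1])))
            sys.exit(0)
        elif a.get_passthroughs:
            rules = direct.getPassthroughs(cmd.check_ipv(a.get_passthroughs[0]))
            for rule in rules:
                cmd.print_msg(joinArgs(rule))
            sys.exit(0)
        elif a.get_all_passthroughs:
            for (ipv, rule) in direct.getAllPassthroughs():
                cmd.print_msg("%s %s" % (ipv, joinArgs(rule)))
            sys.exit(0)

        elif a.add_chain:
            direct.addChain(cmd.check_ipv(a.add_chain[0]),
                            a.add_chain[1], a.add_chain[2])
        elif a.remove_chain:
            direct.removeChain(cmd.check_ipv(a.remove_chain[0]),
                               a.remove_chain[1], a.remove_chain[2])
        elif a.query_chain:
            cmd.print_query_result(
                direct.queryChain(cmd.check_ipv(a.query_chain[0]),
                                  a.query_chain[1], a.query_chain[2]))
            sys.exit(0)
        elif a.get_chains:
            # print_and_exit ends the program itself; the sys.exit(0) that
            # used to follow it could never run and has been dropped.
            cmd.print_and_exit(
                " ".join(direct.getChains(cmd.check_ipv(a.get_chains[0]),
                                          a.get_chains[1])))
        elif a.get_all_chains:
            chains = direct.getAllChains()
            for (ipv, table, chain) in chains:
                cmd.print_msg("%s %s %s" % (ipv, table, chain))
            sys.exit(0)
        elif a.add_rule:
            if len(a.add_rule) < 5:
                cmd.fail("usage: --permanent --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
            # The priority must be an integer; anything else is a usage error.
            try:
                priority = int(a.add_rule[3])
            except ValueError:
                cmd.fail("usage: --permanent --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
            direct.addRule(cmd.check_ipv(a.add_rule[0]), a.add_rule[1],
                           a.add_rule[2], priority, splitArgs(a.add_rule[4]))
        elif a.remove_rule:
            if len(a.remove_rule) < 5:
                cmd.fail("usage: --permanent --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
            try:
                priority = int(a.remove_rule[3])
            except ValueError:
                cmd.fail("usage: --permanent --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
            direct.removeRule(cmd.check_ipv(a.remove_rule[0]), a.remove_rule[1],
                              a.remove_rule[2], priority, splitArgs(a.remove_rule[4]))
        elif a.remove_rules:
            if len(a.remove_rules) < 3:
                cmd.fail("usage: --permanent --direct --remove-rules { ipv4 | ipv6 | eb } <table> <chain>")
            direct.removeRules(cmd.check_ipv(a.remove_rules[0]),
                               a.remove_rules[1], a.remove_rules[2])
        elif a.query_rule:
            if len(a.query_rule) < 5:
                cmd.fail("usage: --permanent --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
            try:
                priority = int(a.query_rule[3])
            except ValueError:
                cmd.fail("usage: --permanent --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
            cmd.print_query_result(
                direct.queryRule(cmd.check_ipv(a.query_rule[0]),
                                 a.query_rule[1], a.query_rule[2],
                                 priority, splitArgs(a.query_rule[4])))
            sys.exit(0)
        elif a.get_rules:
            rules = direct.getRules(cmd.check_ipv(a.get_rules[0]),
                                    a.get_rules[1], a.get_rules[2])
            for (priority, rule) in rules:
                cmd.print_msg("%d %s" % (priority, joinArgs(rule)))
            sys.exit(0)
        elif a.get_all_rules:
            rules = direct.getAllRules()
            for (ipv, table, chain, priority, rule) in rules:
                cmd.print_msg("%s %s %s %d %s" % (ipv, table, chain, priority,
                                                  joinArgs(rule)))
            sys.exit(0)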
 1839 
 1840     else:
 1841         if zone == "":
 1842             zone = fw.getDefaultZone()
 1843         fw_zone = fw.config().getZoneByName(zone)
 1844 
 1845         # interface
 1846         if a.list_interfaces:
 1847             interfaces = sorted(set(try_nm_get_interfaces_in_zone(zone))
 1848                                 | set(fw_zone.getInterfaces()))
 1849             cmd.print_and_exit(" ".join(interfaces))
 1850         elif a.get_zone_of_interface:
 1851             for interface in a.get_zone_of_interface:
 1852                 # ask NM before checking our config
 1853                 zone = try_get_zone_of_interface(interface)
 1854                 if not zone:
 1855                     zone = fw.config().getZoneOfInterface(interface)
 1856                 if zone:
 1857                     if len(a.get_zone_of_interface) > 1:
 1858                         cmd.print_warning("%s: %s" % (interface, zone))
 1859                     else:
 1860                         cmd.print_and_exit(zone)
 1861                 else:
 1862                     if len(a.get_zone_of_interface) > 1:
 1863                         cmd.print_warning("%s: no zone" % interface)
 1864                     else:
 1865                         cmd.fail("no zone")
 1866         elif a.change_interface:
 1867             interfaces = [ ]
 1868             for interface in a.change_interface:
 1869                 if not try_set_zone_of_interface(zone, interface):
 1870                     interfaces.append(interface)
 1871             for interface in interfaces:
 1872                 old_zone_name = fw.config().getZoneOfInterface(interface)
 1873                 if old_zone_name != zone:
 1874                     if old_zone_name:
 1875                         old_zone_obj = fw.config().getZoneByName(old_zone_name)
 1876                         old_zone_obj.removeInterface(interface)# remove from old
 1877                     fw_zone.addInterface(interface)            # add to new
 1878         elif a.add_interface:
 1879             interfaces = [ ]
 1880             for interface in a.add_interface:
 1881                 if not try_set_zone_of_interface(a.zone, interface):
 1882                     interfaces.append(interface)
 1883             cmd.add_sequence(interfaces, fw_zone.addInterface,
 1884                              fw_zone.queryInterface, None, "'%s'")
 1885         elif a.remove_interface:
 1886             interfaces = [ ]
 1887             for interface in a.remove_interface:
 1888                 if not try_set_zone_of_interface("", interface):
 1889                     interfaces.append(interface)
 1890             cmd.remove_sequence(interfaces, fw_zone.removeInterface,
 1891                                 fw_zone.queryInterface, None, "'%s'")
 1892         elif a.query_interface:
 1893             cmd.query_sequence(a.query_interface, fw_zone.queryInterface,
 1894                                None, "'%s'")
 1895 
 1896         # source
 1897         if a.list_sources:
 1898             sources = fw_zone.getSources()
 1899             cmd.print_and_exit(" ".join(sources))
 1900         elif a.get_zone_of_source:
 1901             for source in a.get_zone_of_source:
 1902                 zone = fw.config().getZoneOfSource(source)
 1903                 if zone:
 1904                     if len(a.get_zone_of_source) > 1:
 1905                         cmd.print_warning("%s: %s" % (source, zone))
 1906                     else:
 1907                         cmd.print_and_exit(zone)
 1908                 else:
 1909                     if len(a.get_zone_of_source) > 1:
 1910                         cmd.print_warning("%s: no zone" % source)
 1911                     else:
 1912                         cmd.fail("no zone")
 1913         elif a.change_source:
 1914             for source in a.change_source:
 1915                 old_zone_name = fw.config().getZoneOfSource(source)
 1916                 if old_zone_name != zone:
 1917                     if old_zone_name:
 1918                         old_zone_obj = fw.config().getZoneByName(old_zone_name)
 1919                         old_zone_obj.removeSource(source) # remove from old
 1920                     fw_zone.addSource(source)             # add to new
 1921         elif a.add_source:
 1922             cmd.add_sequence(a.add_source, fw_zone.addSource,
 1923                              fw_zone.querySource, None, "'%s'")
 1924         elif a.remove_source:
 1925             cmd.remove_sequence(a.remove_source, fw_zone.removeSource,
 1926                                 fw_zone.querySource, None, "'%s'")
 1927         elif a.query_source:
 1928             cmd.query_sequence(a.query_source, fw_zone.querySource,
 1929                                None, "'%s'")
 1930 
 1931         # rich rules
 1932         if a.list_rich_rules:
 1933             l = fw_zone.getRichRules()
 1934             cmd.print_and_exit("\n".join(l))
 1935         elif a.add_rich_rule:
 1936             cmd.add_sequence(a.add_rich_rule, fw_zone.addRichRule,
 1937                              fw_zone.queryRichRule, None, "'%s'")
 1938         elif a.remove_rich_rule:
 1939             cmd.remove_sequence(a.remove_rich_rule, fw_zone.removeRichRule,
 1940                                 fw_zone.queryRichRule, None, "'%s'")
 1941         elif a.query_rich_rule:
 1942             cmd.query_sequence(a.query_rich_rule, fw_zone.queryRichRule,
 1943                                None, "'%s'")
 1944 
 1945         # service
 1946         if a.list_services:
 1947             l = fw_zone.getServices()
 1948             cmd.print_and_exit(" ".join(sorted(l)))
 1949         elif a.add_service:
 1950             cmd.add_sequence(a.add_service, fw_zone.addService,
 1951                              fw_zone.queryService, None, "'%s'")
 1952         elif a.remove_service:
 1953             cmd.remove_sequence(a.remove_service, fw_zone.removeService,
 1954                                 fw_zone.queryService, None, "'%s'")
 1955         elif a.query_service:
 1956             cmd.query_sequence(a.query_service, fw_zone.queryService,
 1957                                None, "'%s'")
 1958 
 1959         # port
 1960         elif a.list_ports:
 1961             l = fw_zone.getPorts()
 1962             cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
 1963         elif a.add_port:
 1964             cmd.add_sequence(a.add_port, fw_zone.addPort,
 1965                              fw_zone.queryPort, cmd.parse_port, "%s/%s")
 1966         elif a.remove_port:
 1967             cmd.remove_sequence(a.remove_port, fw_zone.removePort,
 1968                                 fw_zone.queryPort, cmd.parse_port, "%s/%s")
 1969         elif a.query_port:
 1970             cmd.query_sequence(a.query_port, fw_zone.queryPort,
 1971                                cmd.parse_port, "%s/%s")
 1972 
 1973         # protocol
 1974         elif a.list_protocols:
 1975             l = fw_zone.getProtocols()
 1976             cmd.print_and_exit(" ".join(["%s" % protocol for protocol in sorted(l)]))
 1977         elif a.add_protocol:
 1978             cmd.add_sequence(a.add_protocol, fw_zone.addProtocol,
 1979                              fw_zone.queryProtocol, None, "'%s'")
 1980         elif a.remove_protocol:
 1981             cmd.remove_sequence(a.remove_protocol, fw_zone.removeProtocol,
 1982                                 fw_zone.queryProtocol, None, "'%s'")
 1983         elif a.query_protocol:
 1984             cmd.query_sequence(a.query_protocol, fw_zone.queryProtocol,
 1985                                None, "'%s'")
 1986 
 1987         # source port
 1988         elif a.list_source_ports:
 1989             l = fw_zone.getSourcePorts()
 1990             cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
 1991         elif a.add_source_port:
 1992             cmd.add_sequence(a.add_source_port, fw_zone.addSourcePort,
 1993                              fw_zone.querySourcePort, cmd.parse_port, "%s/%s")
 1994         elif a.remove_source_port:
 1995             cmd.remove_sequence(a.remove_source_port, fw_zone.removeSourcePort,
 1996                                 fw_zone.querySourcePort, cmd.parse_port,
 1997                                 "%s/%s")
 1998         elif a.query_source_port:
 1999             cmd.query_sequence(a.query_source_port, fw_zone.querySourcePort,
 2000                                cmd.parse_port, "%s/%s")
 2001 
 2002         # masquerade
 2003         elif a.add_masquerade:
 2004             fw_zone.addMasquerade()
 2005         elif a.remove_masquerade:
 2006             fw_zone.removeMasquerade()
 2007         elif a.query_masquerade:
 2008             cmd.print_query_result(fw_zone.queryMasquerade())
 2009 
 2010         # forward port
 2011         elif a.list_forward_ports:
 2012             l = fw_zone.getForwardPorts()
 2013             cmd.print_and_exit("\n".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % (port, protocol, toport, toaddr) for (port, protocol, toport, toaddr) in l]))
 2014         elif a.add_forward_port:
 2015             cmd.add_sequence(a.add_forward_port, fw_zone.addForwardPort,
 2016                              fw_zone.queryForwardPort, cmd.parse_forward_port,
 2017                              "port=%s:proto=%s:toport=%s:toaddr=%s")
 2018         elif a.remove_forward_port:
 2019             cmd.remove_sequence(a.remove_forward_port,
 2020                                 fw_zone.removeForwardPort,
 2021                                 fw_zone.queryForwardPort,
 2022                                 cmd.parse_forward_port,
 2023                                 "port=%s:proto=%s:toport=%s:toaddr=%s")
 2024         elif a.query_forward_port:
 2025             cmd.query_sequence(a.query_forward_port, fw_zone.queryForwardPort,
 2026                                cmd.parse_forward_port,
 2027                                "port=%s:proto=%s:toport=%s:toaddr=%s")
 2028 
 2029         # block icmp
 2030         elif a.list_icmp_blocks:
 2031             l = fw_zone.getIcmpBlocks()
 2032             cmd.print_and_exit(" ".join(l))
 2033         elif a.add_icmp_block:
 2034             cmd.add_sequence(a.add_icmp_block, fw_zone.addIcmpBlock,
 2035                              fw_zone.queryIcmpBlock, None, "'%s'")
 2036         elif a.remove_icmp_block:
 2037             cmd.remove_sequence(a.remove_icmp_block, fw_zone.removeIcmpBlock,
 2038                                 fw_zone.queryIcmpBlock, None, "'%s'")
 2039         elif a.query_icmp_block:
 2040             cmd.query_sequence(a.query_icmp_block, fw_zone.queryIcmpBlock,
 2041                                None, "'%s'")
 2042 
 2043         # icmp block inversion
 2044         elif a.add_icmp_block_inversion:
 2045             fw_zone.addIcmpBlockInversion()
 2046         elif a.remove_icmp_block_inversion:
 2047             fw_zone.removeIcmpBlockInversion()
 2048         elif a.query_icmp_block_inversion:
 2049             cmd.print_query_result(fw_zone.queryIcmpBlockInversion())
 2050 
 2051         # zone target
 2052         elif a.get_target:
 2053             target = fw_zone.getTarget()
 2054             cmd.print_and_exit(target if target != "%%REJECT%%" else "REJECT")
 2055         elif a.set_target:
 2056             fw_zone.setTarget(a.set_target if a.set_target != "REJECT" else "%%REJECT%%")
 2057 
 2058         # list all zone settings
 2059         elif a.list_all:
 2060             interfaces = try_nm_get_interfaces_in_zone(zone)
 2061             cmd.print_zone_info(zone, fw_zone.getSettings(), extra_interfaces=interfaces)
 2062             sys.exit(0)
 2063 
 2064         # list everything
 2065         elif a.list_all_zones:
 2066             names = fw.config().getZoneNames()
 2067             for zone in sorted(names):
 2068                 interfaces = try_nm_get_interfaces_in_zone(zone)
 2069                 settings = fw.config().getZoneByName(zone).getSettings()
 2070                 cmd.print_zone_info(zone, settings, extra_interfaces=interfaces)
 2071                 cmd.print_msg("")
 2072             sys.exit(0)
 2073 
 2074         # set zone description
 2075         elif a.set_description:
 2076             settings = fw.config().getZoneByName(zone).getSettings()
 2077             settings.setDescription(a.set_description)
 2078             fw_zone.update(settings)
 2079 
 2080         # get zone description
 2081         elif a.get_description:
 2082             settings = fw.config().getZoneByName(zone).getSettings()
 2083             cmd.print_and_exit(settings.getDescription())
 2084 
 2085         # set zone short description
 2086         elif a.set_short:
 2087             settings = fw.config().getZoneByName(zone).getSettings()
 2088             settings.setShort(a.set_short)
 2089             fw_zone.update(settings)
 2090 
 2091         # get zone short description
 2092         elif a.get_short:
 2093             settings = fw.config().getZoneByName(zone).getSettings()
 2094             cmd.print_and_exit(settings.getShort())
 2095 
 2096 elif a.version:
 2097     cmd.print_and_exit(fw.get_property("version"))
 2098 elif a.state:
 2099     state = fw.get_property("state")
 2100     if state == "RUNNING":
 2101         cmd.print_and_exit ("running")
 2102     elif state == "FAILED":
 2103         cmd.print_and_exit("failed", errors.RUNNING_BUT_FAILED)
 2104     else:
 2105         cmd.print_and_exit ("not running", errors.NOT_RUNNING)
 2106 elif a.get_log_denied:
 2107     cmd.print_and_exit(fw.getLogDenied())
 2108 elif a.set_log_denied:
 2109     fw.setLogDenied(a.set_log_denied)
 2110 elif a.get_automatic_helpers:
 2111     cmd.print_and_exit(fw.getAutomaticHelpers())
 2112 elif a.set_automatic_helpers:
 2113     fw.setAutomaticHelpers(a.set_automatic_helpers)
 2114 elif a.get_ipset_types:
 2115     types = fw.get_property("IPSetTypes")
 2116     cmd.print_and_exit(" ".join(sorted(types)))
 2117 elif a.reload:
 2118     fw.reload()
 2119 elif a.complete_reload:
 2120     fw.complete_reload()
 2121 elif a.runtime_to_permanent:
 2122     fw.runtimeToPermanent()
 2123 elif a.check_config:
 2124     fw.checkPermanentConfig()
elif a.direct:
    # Direct interface handled through the `fw` client object (the usage
    # strings in this branch carry no --permanent).  Client-side checking is
    # limited to cmd.check_ipv() on the family argument, an argument-count
    # check on some options and int() on <priority>; rule arguments are only
    # tokenised with splitArgs() and then passed on as given.
    if a.passthrough:
        if len(a.passthrough) < 2:
            cmd.fail("usage: --direct --passthrough { ipv4 | ipv6 | eb } <args>")
        # NOTE(review): unlike --add-passthrough below, nothing here records
        # the command; presumably the daemon treats it as untracked as well,
        # so it would not show up in --get-all-passthroughs -- confirm.
        msg = fw.passthrough(cmd.check_ipv(a.passthrough[0]), splitArgs(a.passthrough[1]))
        # Relay any text returned by the passthrough call to stdout.
        if msg:
            sys.stdout.write(msg + "\n")

    elif a.add_passthrough:
        if len(a.add_passthrough) < 2:
            cmd.fail("usage: --direct --add-passthrough { ipv4 | ipv6 | eb } <args>")
        fw.addPassthrough(cmd.check_ipv(a.add_passthrough[0]),
                          splitArgs(a.add_passthrough[1]))
    elif a.remove_passthrough:
        if len(a.remove_passthrough) < 2:
            cmd.fail("usage: --direct --remove-passthrough { ipv4 | ipv6 | eb } <args>")
        fw.removePassthrough(cmd.check_ipv(a.remove_passthrough[0]),
                             splitArgs(a.remove_passthrough[1]))
    elif a.query_passthrough:
        if len(a.query_passthrough) < 2:
            cmd.fail("usage: --direct --query-passthrough { ipv4 | ipv6 | eb } <args>")
        cmd.print_query_result(
            fw.queryPassthrough(cmd.check_ipv(a.query_passthrough[0]),
                                splitArgs(a.query_passthrough[1])))
    elif a.get_passthroughs:
        # One passthrough rule per output line, re-joined from its argument list.
        rules = fw.getPassthroughs(cmd.check_ipv(a.get_passthroughs[0]))
        for rule in rules:
            cmd.print_msg(joinArgs(rule))
        sys.exit(0)
    elif a.get_all_passthroughs:
        for (ipv, rule) in fw.getAllPassthroughs():
            cmd.print_msg("%s %s" % (ipv, joinArgs(rule)))
        sys.exit(0)
    # NOTE(review): the chain options and --get-rules index [1]/[2] without
    # the len() guard used by the rule options; presumably the argument
    # parser fixes their argument count -- confirm.
    elif a.add_chain:
        fw.addChain(cmd.check_ipv(a.add_chain[0]), a.add_chain[1], a.add_chain[2])
    elif a.remove_chain:
        fw.removeChain(cmd.check_ipv(a.remove_chain[0]),
                       a.remove_chain[1], a.remove_chain[2])
    elif a.query_chain:
        cmd.print_query_result(fw.queryChain(cmd.check_ipv(a.query_chain[0]),
                                             a.query_chain[1],
                                             a.query_chain[2]))
    elif a.get_chains:
        cmd.print_and_exit(" ".join(fw.getChains(cmd.check_ipv(a.get_chains[0]),
                                                 a.get_chains[1])))
    elif a.get_all_chains:
        chains = fw.getAllChains()
        for (ipv, table, chain) in chains:
            cmd.print_msg("%s %s %s" % (ipv, table, chain))
        sys.exit(0)
    elif a.add_rule:
        # Expected layout: [family, table, chain, priority, args].
        if len(a.add_rule) < 5:
            cmd.fail("usage: --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
        # A non-numeric <priority> is reported with the same usage message.
        try:
            priority = int(a.add_rule[3])
        except ValueError:
            cmd.fail("usage: --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
        fw.addRule(cmd.check_ipv(a.add_rule[0]), a.add_rule[1], a.add_rule[2],
                   priority, splitArgs(a.add_rule[4]))
    elif a.remove_rule:
        if len(a.remove_rule) < 5:
            cmd.fail("usage: --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
        try:
            priority = int(a.remove_rule[3])
        except ValueError:
            cmd.fail("usage: --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
        fw.removeRule(cmd.check_ipv(a.remove_rule[0]),
                      a.remove_rule[1], a.remove_rule[2], priority, splitArgs(a.remove_rule[4]))
    elif a.remove_rules:
        # Takes only family, table and chain; no priority or rule arguments.
        if len(a.remove_rules) < 3:
            cmd.fail("usage: --direct --remove-rules { ipv4 | ipv6 | eb } <table> <chain>")
        fw.removeRules(cmd.check_ipv(a.remove_rules[0]),
                       a.remove_rules[1], a.remove_rules[2])
    elif a.query_rule:
        if len(a.query_rule) < 5:
            cmd.fail("usage: --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
        try:
            priority = int(a.query_rule[3])
        except ValueError:
            cmd.fail("usage: --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
        cmd.print_query_result(
            fw.queryRule(cmd.check_ipv(a.query_rule[0]),
                         a.query_rule[1], a.query_rule[2],
                         priority, splitArgs(a.query_rule[4])))
    elif a.get_rules:
        # Printed as "<priority> <rule args>" per line.
        rules = fw.getRules(cmd.check_ipv(a.get_rules[0]),
                            a.get_rules[1], a.get_rules[2])
        for (priority, rule) in rules:
            cmd.print_msg("%d %s" % (priority, joinArgs(rule)))
        sys.exit(0)
    elif a.get_all_rules:
        # Printed as "<family> <table> <chain> <priority> <rule args>" per line.
        rules = fw.getAllRules()
        for (ipv, table, chain, priority, rule) in rules:
            cmd.print_msg("%s %s %s %d %s" % (ipv, table, chain, priority,
                                              joinArgs(rule)))
        sys.exit(0)
 2221 
 2222 elif a.get_default_zone:
 2223     cmd.print_and_exit(fw.getDefaultZone())
 2224 elif a.set_default_zone:
 2225     fw.setDefaultZone(a.set_default_zone)
 2226 elif a.get_zones:
 2227     cmd.print_and_exit(" ".join(fw.getZones()))
 2228 elif a.get_active_zones:
 2229     zones = fw.getActiveZones()
 2230     for zone in zones:
 2231         cmd.print_msg("%s" % zone)
 2232         for x in [ "interfaces", "sources" ]:
 2233             if x in zones[zone]:
 2234                 cmd.print_msg("  %s: %s" % (x, " ".join(zones[zone][x])))
 2235     sys.exit(0)
 2236 elif a.get_services:
 2237     l = fw.listServices()
 2238     cmd.print_and_exit(" ".join(l))
 2239 elif a.get_icmptypes:
 2240     l = fw.listIcmpTypes()
 2241     cmd.print_and_exit(" ".join(l))
 2242 
 2243 # panic
 2244 elif a.panic_on:
 2245     fw.enablePanicMode()
 2246 elif a.panic_off:
 2247     fw.disablePanicMode()
 2248 elif a.query_panic:
 2249     cmd.print_query_result(fw.queryPanicMode())
 2250 
 2251 # ipset
 2252 elif a.get_ipsets:
 2253     ipsets = fw.getIPSets()
 2254     cmd.print_and_exit(" ".join(sorted(ipsets)))
 2255 
 2256 elif a.info_ipset:
 2257     cmd.print_ipset_info(a.info_ipset, fw.getIPSetSettings(a.info_ipset))
 2258     sys.exit(0)
 2259 
 2260 elif a.add_entry:
 2261     cmd.x_add_sequence(a.ipset, a.add_entry, fw.addEntry, fw.queryEntry,
 2262                        None, "'%s'")
 2263 
 2264 elif a.remove_entry:
 2265     cmd.x_remove_sequence(a.ipset, a.remove_entry, fw.removeEntry,
 2266                           fw.queryEntry, None, "'%s'")
 2267 
 2268 elif a.query_entry:
 2269     cmd.x_query_sequence(a.ipset, a.query_entry, fw.queryEntry, None, "'%s'")
 2270 
 2271 elif a.get_entries:
 2272     l = fw.getEntries(a.ipset)
 2273     cmd.print_and_exit("\n".join(l))
 2274 
elif a.add_entries_from_file:
    # Merge the entries read from one or more files into the ipset named by
    # a.ipset; the set is written back only when at least one entry was new.
    old_entries = fw.getEntries(a.ipset)
    changed = False

    for filename in a.add_entries_from_file:
        try:
            entries = cmd.get_ipset_entries_from_file(filename)
        except IOError as msg:
            message = "Failed to read file '%s': %s" % (filename, msg)
            # With several files an unreadable one is only warned about and
            # the remaining files are still applied.
            # NOTE(review): print_and_exit() gets no explicit exit code here;
            # confirm a single unreadable file does not end with a success
            # status, since callers may gate on it.
            if len(a.add_entries_from_file) > 1:
                cmd.print_warning(message)
            else:
                cmd.print_and_exit(message)
            continue

        # Membership set rebuilt per file so duplicates across files are
        # caught as well; old_entries keeps the ordered list that is sent.
        entries_set = set(old_entries)
        for entry in entries:
            if entry in entries_set:
                cmd.print_if_verbose("Warning: ALREADY_ENABLED: %s" % entry)
                continue
            old_entries.append(entry)
            entries_set.add(entry)
            changed = True

    if changed:
        fw.setEntries(a.ipset, old_entries)
 2301 
elif a.remove_entries_from_file:
    # Drop the entries read from one or more files from the ipset named by
    # a.ipset; the set is written back only when something was removed.
    old_entries = fw.getEntries(a.ipset)
    changed = False

    for filename in a.remove_entries_from_file:
        try:
            entries = cmd.get_ipset_entries_from_file(filename)
        except IOError as msg:
            message = "Failed to read file '%s': %s" % (filename, msg)
            # With several files an unreadable one is only warned about and
            # the remaining files are still applied.
            # NOTE(review): print_and_exit() gets no explicit exit code here;
            # confirm a single unreadable file does not end with a success
            # status, since callers may gate on it.
            if len(a.remove_entries_from_file) > 1:
                cmd.print_warning(message)
            else:
                cmd.print_and_exit(message)
            continue

        # Membership set rebuilt per file from what is still present.
        entries_set = set(old_entries)
        for entry in entries:
            if entry not in entries_set:
                cmd.print_if_verbose("Warning: NOT_ENABLED: %s" % entry)
                continue
            old_entries.remove(entry)
            entries_set.discard(entry)
            changed = True

    if changed:
        fw.setEntries(a.ipset, old_entries)
 2328 
 2329 # helper
 2330 elif a.get_helpers:
 2331     helpers = fw.getHelpers()
 2332     cmd.print_and_exit(" ".join(sorted(helpers)))
 2333 
 2334 elif a.info_helper:
 2335     cmd.print_helper_info(a.info_helper, fw.getHelperSettings(a.info_helper))
 2336     sys.exit(0)
 2337 
 2338 # lockdown
elif a.lockdown_on:
    # Lockdown is switched on in two places: the permanent "Lockdown"
    # property is written first, then the runtime state is enabled.
    # NOTE(review): the two calls are independent, so if enableLockdown()
    # raises, the permanent property has already been changed.
    # NOTE(review): upstream documentation warns that enabling lockdown while
    # this tool is not covered by the lockdown whitelist leaves no way to
    # disable it again from here -- check the whitelist first.
    fw.config().set_property("Lockdown", "yes")   # permanent
    fw.enableLockdown()                           # runtime
elif a.lockdown_off:
    # Same order as above: permanent property first, then runtime state.
    fw.config().set_property("Lockdown", "no")    # permanent
    fw.disableLockdown()                          # runtime
elif a.query_lockdown:
    # Only the runtime state is reported; the permanent-property variant is
    # left commented out below, so a runtime/permanent mismatch is not shown.
    cmd.print_query_result(fw.queryLockdown())      # runtime
    #lockdown = fw.config().get_property("Lockdown")
    #cmd.print_query_result(lockdown.lower() in [ "yes", "true" ])
 2349 
 2350 # lockdown whitelist
 2351 
 2352 # commands
 2353 elif a.list_lockdown_whitelist_commands:
 2354     l = fw.getLockdownWhitelistCommands()
 2355     cmd.print_and_exit("\n".join(l))
 2356 elif a.add_lockdown_whitelist_command:
 2357     cmd.add_sequence(a.add_lockdown_whitelist_command,
 2358                      fw.addLockdownWhitelistCommand,
 2359                      fw.queryLockdownWhitelistCommand, None, "'%s'")
 2360 elif a.remove_lockdown_whitelist_command:
 2361     cmd.remove_sequence(a.remove_lockdown_whitelist_command,
 2362                         fw.removeLockdownWhitelistCommand,
 2363                         fw.queryLockdownWhitelistCommand, None, "'%s'")
 2364 elif a.query_lockdown_whitelist_command:
 2365     cmd.query_sequence(a.query_lockdown_whitelist_command,
 2366                        fw.queryLockdownWhitelistCommand, None, "'%s'")
 2367 
 2368 # contexts
 2369 elif a.list_lockdown_whitelist_contexts:
 2370     l = fw.getLockdownWhitelistContexts()
 2371     cmd.print_and_exit("\n".join(l))
 2372 elif a.add_lockdown_whitelist_context:
 2373     cmd.add_sequence(a.add_lockdown_whitelist_context,
 2374                      fw.addLockdownWhitelistContext,
 2375                      fw.queryLockdownWhitelistContext, None, "'%s'")
 2376 elif a.remove_lockdown_whitelist_context:
 2377     cmd.remove_sequence(a.remove_lockdown_whitelist_context,
 2378                         fw.removeLockdownWhitelistContext,
 2379                         fw.queryLockdownWhitelistContext, None, "'%s'")
 2380 elif a.query_lockdown_whitelist_context:
 2381     cmd.query_sequence(a.query_lockdown_whitelist_context,
 2382                        fw.queryLockdownWhitelistContext, None, "'%s'")
 2383 
 2384 # uids
 2385 elif a.list_lockdown_whitelist_uids:
 2386     l = fw.getLockdownWhitelistUids()
 2387     cmd.print_and_exit(" ".join(map(str, l)))
 2388 elif a.add_lockdown_whitelist_uid is not None:
 2389     cmd.add_sequence(a.add_lockdown_whitelist_uid,
 2390                      fw.addLockdownWhitelistUid,
 2391                      fw.queryLockdownWhitelistUid, None, "'%s'")
 2392 elif a.remove_lockdown_whitelist_uid is not None:
 2393     cmd.remove_sequence(a.remove_lockdown_whitelist_uid,
 2394                         fw.removeLockdownWhitelistUid,
 2395                         fw.queryLockdownWhitelistUid, None, "'%s'")
 2396 elif a.query_lockdown_whitelist_uid is not None:
 2397     cmd.query_sequence(a.query_lockdown_whitelist_uid,
 2398                        fw.queryLockdownWhitelistUid, None, "'%s'")
 2399 
 2400 # users
 2401 elif a.list_lockdown_whitelist_users:
 2402     l = fw.getLockdownWhitelistUsers()
 2403     cmd.print_and_exit(" ".join(l))
 2404 elif a.add_lockdown_whitelist_user:
 2405     cmd.add_sequence(a.add_lockdown_whitelist_user,
 2406                      fw.addLockdownWhitelistUser,
 2407                      fw.queryLockdownWhitelistUser, None, "'%s'")
 2408 elif a.remove_lockdown_whitelist_user:
 2409     cmd.remove_sequence(a.remove_lockdown_whitelist_user,
 2410                         fw.removeLockdownWhitelistUser,
 2411                         fw.queryLockdownWhitelistUser, None, "'%s'")
 2412 elif a.query_lockdown_whitelist_user:
 2413     cmd.query_sequence(a.query_lockdown_whitelist_user,
 2414                        fw.queryLockdownWhitelistUser, None, "'%s'")
 2415 
 2416 # interface
 2417 elif a.list_interfaces:
 2418     l = fw.getInterfaces(zone)
 2419     cmd.print_and_exit(" ".join(l))
 2420 elif a.get_zone_of_interface:
 2421     for interface in a.get_zone_of_interface:
 2422         zone = fw.getZoneOfInterface(interface)
 2423         if zone:
 2424             if len(a.get_zone_of_interface) > 1:
 2425                 cmd.print_warning("%s: %s" % (interface, zone))
 2426             else:
 2427                 cmd.print_and_exit(zone)
 2428         else:
 2429             if len(a.get_zone_of_interface) > 1:
 2430                 cmd.print_warning("%s: no zone" % interface)
 2431             else:
 2432                 cmd.fail("no zone")
 2433 elif a.add_interface:
 2434     interfaces = [ ]
 2435     for interface in a.add_interface:
 2436         interfaces.append(interface)
 2437     cmd.x_add_sequence(zone, interfaces, fw.addInterface,
 2438                        fw.queryInterface, None, "'%s'")
 2439 elif a.change_interface:
 2440     interfaces = [ ]
 2441     for interface in a.change_interface:
 2442         interfaces.append(interface)
 2443     cmd.x_add_sequence(zone, interfaces, fw.changeZoneOfInterface,
 2444                        fw.queryInterface, None, "'%s'")
 2445 elif a.remove_interface:
 2446     interfaces = [ ]
 2447     for interface in a.remove_interface:
 2448         interfaces.append(interface)
 2449     cmd.x_remove_sequence(zone, interfaces, fw.removeInterface,
 2450                           fw.queryInterface, None, "'%s'")
 2451 elif a.query_interface:
 2452     cmd.x_query_sequence(zone, a.query_interface, fw.queryInterface, None,
 2453                          "'%s'")
 2454 
 2455 # source
 2456 elif a.list_sources:
 2457     sources = fw.getSources(zone)
 2458     cmd.print_and_exit(" ".join(sources))
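elif a.get_zone_of_source:
    # Report the zone each requested source is bound to.  A single source
    # prints the bare zone name (or fails with "no zone"); with several
    # sources each one is reported as "<source>: <zone>" or
    # "<source>: no zone".
    several = len(a.get_zone_of_source) > 1
    for source in a.get_zone_of_source:
        zone = fw.getZoneOfSource(source)
        if zone:
            if several:
                cmd.print_warning("%s: %s" % (source, zone))
            else:
                cmd.print_and_exit(zone)
        else:
            if several:
                cmd.print_warning("%s: no zone" % source)
            else:
                cmd.fail("no zone")
    # Exit only after every source has been looked up.  The exit used to sit
    # inside the loop, so with several sources only the first was reported.
    sys.exit(0)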
 2473 elif a.add_source:
 2474     cmd.x_add_sequence(zone, a.add_source, fw.addSource,
 2475                        fw.querySource, None, "'%s'")
 2476 elif a.change_source:
 2477     cmd.x_add_sequence(zone, a.change_source, fw.changeZoneOfSource,
 2478                        fw.querySource, None, "'%s'")
 2479 elif a.remove_source:
 2480     cmd.x_remove_sequence(zone, a.remove_source, fw.removeSource,
 2481                           fw.querySource, None, "'%s'")
 2482 elif a.query_source:
 2483     cmd.x_query_sequence(zone, a.query_source, fw.querySource, None, "'%s'")
 2484 
 2485 # rich rules
 2486 elif a.list_rich_rules:
 2487     l = fw.getRichRules(zone)
 2488     cmd.print_and_exit("\n".join(l))
 2489 elif a.add_rich_rule:
 2490     cmd.zone_add_timeout_sequence(zone, a.add_rich_rule, fw.addRichRule,
 2491                                   fw.queryRichRule, None, "'%s'",
 2492                                   a.timeout)
 2493 elif a.remove_rich_rule:
 2494     cmd.x_remove_sequence(zone, a.remove_rich_rule, fw.removeRichRule,
 2495                           fw.queryRichRule, None, "'%s'")
 2496 elif a.query_rich_rule:
 2497     cmd.x_query_sequence(zone, a.query_rich_rule, fw.queryRichRule, None,
 2498                          "'%s'")
 2499 
 2500 # service
 2501 elif a.list_services:
 2502     l = fw.getServices(zone)
 2503     cmd.print_and_exit(" ".join(sorted(l)))
 2504 elif a.add_service:
 2505     cmd.zone_add_timeout_sequence(zone, a.add_service, fw.addService,
 2506                                   fw.queryService, None, "'%s'",
 2507                                   a.timeout)
 2508 elif a.remove_service:
 2509     cmd.x_remove_sequence(zone, a.remove_service, fw.removeService,
 2510                           fw.queryService, None, "'%s'")
 2511 elif a.query_service:
 2512     cmd.x_query_sequence(zone, a.query_service, fw.queryService, None, "'%s'")
 2513 
 2514 # port
 2515 elif a.list_ports:
 2516     l = fw.getPorts(zone)
 2517     cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
 2518 elif a.add_port:
 2519     cmd.zone_add_timeout_sequence(zone, a.add_port, fw.addPort, fw.queryPort,
 2520                                   cmd.parse_port, "'%s/%s'", a.timeout)
 2521 elif a.remove_port:
 2522     cmd.x_remove_sequence(zone, a.remove_port, fw.removePort, fw.queryPort,
 2523                           cmd.parse_port, "'%s/%s'")
 2524 elif a.query_port:
 2525     cmd.x_query_sequence(zone, a.query_port, fw.queryPort, cmd.parse_port,
 2526                          "'%s/%s'")
 2527 
 2528 # protocol
 2529 elif a.list_protocols:
 2530     l = fw.getProtocols(zone)
 2531     cmd.print_and_exit(" ".join(["%s" % protocol for protocol in sorted(l)]))
 2532 elif a.add_protocol:
 2533     cmd.zone_add_timeout_sequence(zone, a.add_protocol, fw.addProtocol,
 2534                                   fw.queryProtocol, None, "'%s'", a.timeout)
 2535 elif a.remove_protocol:
 2536     cmd.x_remove_sequence(zone, a.remove_protocol, fw.removeProtocol,
 2537                           fw.queryProtocol, None, "'%s'")
 2538 elif a.query_protocol:
 2539     cmd.x_query_sequence(zone, a.query_protocol, fw.queryProtocol, None, "'%s'")
 2540 
 2541 # source port
 2542 elif a.list_source_ports:
 2543     l = fw.getSourcePorts(zone)
 2544     cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
 2545 elif a.add_source_port:
 2546     cmd.zone_add_timeout_sequence(zone, a.add_source_port, fw.addSourcePort,
 2547                                   fw.querySourcePort, cmd.parse_port,
 2548                                   "'%s/%s'", a.timeout)
 2549 elif a.remove_source_port:
 2550     cmd.x_remove_sequence(zone, a.remove_source_port, fw.removeSourcePort,
 2551                           fw.querySourcePort, cmd.parse_port, "'%s/%s'")
 2552 elif a.query_source_port:
 2553     cmd.x_query_sequence(zone, a.query_source_port, fw.querySourcePort,
 2554                          cmd.parse_port, "'%s/%s'")
 2555 
 2556 # masquerade
 2557 elif a.add_masquerade:
 2558     fw.addMasquerade(zone, a.timeout)
 2559 elif a.remove_masquerade:
 2560     fw.removeMasquerade(zone)
 2561 elif a.query_masquerade:
 2562     cmd.print_query_result(fw.queryMasquerade(zone))
 2563 
 2564 # forward port
 2565 elif a.list_forward_ports:
 2566     l = fw.getForwardPorts(zone)
 2567     cmd.print_and_exit("\n".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % (port, protocol, toport, toaddr) for (port, protocol, toport, toaddr) in l]))
 2568 elif a.add_forward_port:
 2569     cmd.zone_add_timeout_sequence(zone, a.add_forward_port, fw.addForwardPort,
 2570                                   fw.queryForwardPort, cmd.parse_forward_port,
 2571                                   "'port=%s:proto=%s:toport=%s:toaddr=%s'",
 2572                                   a.timeout)
 2573 elif a.remove_forward_port:
 2574     cmd.x_remove_sequence(zone, a.remove_forward_port,
 2575                           fw.removeForwardPort, fw.queryForwardPort,
 2576                           cmd.parse_forward_port,
 2577                           "'port=%s:proto=%s:toport=%s:toaddr=%s'")
 2578 elif a.query_forward_port:
 2579     cmd.x_query_sequence(zone, a.query_forward_port, fw.queryForwardPort,
 2580                          cmd.parse_forward_port,
 2581                          "'port=%s:proto=%s:toport=%s:toaddr=%s'")
 2582 
 2583 # block icmp
 2584 elif a.list_icmp_blocks:
 2585     l = fw.getIcmpBlocks(zone)
 2586     cmd.print_and_exit(" ".join(l))
 2587 elif a.add_icmp_block:
 2588     cmd.zone_add_timeout_sequence(zone, a.add_icmp_block, fw.addIcmpBlock,
 2589                                   fw.queryIcmpBlock, None, "'%s'", a.timeout)
 2590 elif a.remove_icmp_block:
 2591     cmd.x_remove_sequence(zone, a.remove_icmp_block, fw.removeIcmpBlock,
 2592                           fw.queryIcmpBlock, None, "'%s'")
 2593 elif a.query_icmp_block:
 2594     cmd.x_query_sequence(zone, a.query_icmp_block, fw.queryIcmpBlock, None,
 2595                          "'%s'")
 2596 
 2597 # icmp block inversion
 2598 elif a.add_icmp_block_inversion:
 2599     fw.addIcmpBlockInversion(zone)
 2600 elif a.remove_icmp_block_inversion:
 2601     fw.removeIcmpBlockInversion(zone)
 2602 elif a.query_icmp_block_inversion:
 2603     cmd.print_query_result(fw.queryIcmpBlockInversion(zone))
 2604 
 2605 # list all
 2606 elif a.list_all:
 2607     z = zone if zone else fw.getDefaultZone()
 2608     cmd.print_zone_info(z, fw.getZoneSettings(z))
 2609     sys.exit(0)
 2610 
 2611 # list everything
 2612 elif a.list_all_zones:
 2613     for zone in fw.getZones():
 2614         cmd.print_zone_info(zone, fw.getZoneSettings(zone))
 2615         cmd.print_msg("")
 2616     sys.exit(0)
 2617 
 2618 elif a.info_zone:
 2619     cmd.print_zone_info(a.info_zone, fw.getZoneSettings(a.info_zone), True)
 2620     sys.exit(0)
 2621 
 2622 elif a.info_service:
 2623     cmd.print_service_info(a.info_service, fw.getServiceSettings(a.info_service))
 2624     sys.exit(0)
 2625 
 2626 elif a.info_icmptype:
 2627     cmd.print_icmptype_info(a.info_icmptype, fw.getIcmpTypeSettings(a.info_icmptype))
 2628     sys.exit(0)
 2629 
 2630 cmd.print_and_exit("success")