1 #!@PYTHON@
2 # -*- coding: utf-8 -*-
3 #
4 # Copyright (C) 2009-2016 Red Hat, Inc.
5 #
6 # Authors:
7 # Thomas Woerner <twoerner@redhat.com>
8 # Jiri Popelka <jpopelka@redhat.com>
9 #
10 # This program is free software; you can redistribute it and/or modify
11 # it under the terms of the GNU General Public License as published by
12 # the Free Software Foundation; either version 2 of the License, or
13 # (at your option) any later version.
14 #
15 # This program is distributed in the hope that it will be useful,
16 # but WITHOUT ANY WARRANTY; without even the implied warranty of
17 # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
18 # GNU General Public License for more details.
19 #
20 # You should have received a copy of the GNU General Public License
21 # along with this program. If not, see <http://www.gnu.org/licenses/>.
22 #
23
from gi.repository import GObject
import sys
# Register GObject under the legacy module name so that any later
# `import gobject` (in this file or in the firewall.* modules imported
# below) resolves to the GI binding instead of failing.
sys.modules['gobject'] = GObject
27
28 import argparse
29 import os
30
31 from firewall.client import FirewallClient, FirewallClientIPSetSettings, \
32 FirewallClientZoneSettings, FirewallClientServiceSettings, \
33 FirewallClientIcmpTypeSettings, FirewallClientHelperSettings
34 from firewall.errors import FirewallError
35 from firewall import errors
36 from firewall.functions import joinArgs, splitArgs
37 from firewall.core.fw_nm import nm_is_imported, \
38 nm_get_connection_of_interface, nm_get_zone_of_connection, \
39 nm_set_zone_of_connection, nm_get_interfaces_in_zone
40 from firewall.core.io.zone import zone_reader
41 from firewall.core.io.service import service_reader
42 from firewall.core.io.ipset import ipset_reader
43 from firewall.core.io.icmptype import icmptype_reader
44 from firewall.core.io.helper import helper_reader
45 from firewall.command import FirewallCommand
46
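def __usage():
    """Write the hand-written help text for firewall-cmd to stdout.

    argparse's own help is disabled for the parser below (add_help=False), so
    this text is the only help the user sees.  Markers used in the text:
    [P] the option also accepts --permanent, [P only] it is permanent-only,
    [Z] it takes --zone, [T] it takes --timeout.

    NOTE(review): the parser also accepts -v/--verbose and
    --get-automatic-helpers/--set-automatic-helpers, which are not listed
    here.
    """
    sys.stdout.write("""
Usage: firewall-cmd [OPTIONS...]

General Options
  -h, --help           Prints a short help text and exits
  -V, --version        Print the version string of firewalld
  -q, --quiet          Do not print status messages

Status Options
  --state              Return and print firewalld state
  --reload             Reload firewall and keep state information
  --complete-reload    Reload firewall and lose state information
  --runtime-to-permanent
                       Create permanent from runtime configuration
  --check-config       Check permanent configuration for errors

Log Denied Options
  --get-log-denied     Print the log denied value
  --set-log-denied=<value>
                       Set log denied value

Permanent Options
  --permanent          Set an option permanently
                       Usable for options marked with [P]

Zone Options
  --get-default-zone   Print default zone for connections and interfaces
  --set-default-zone=<zone>
                       Set default zone
  --get-active-zones   Print currently active zones
  --get-zones          Print predefined zones [P]
  --get-services       Print predefined services [P]
  --get-icmptypes      Print predefined icmptypes [P]
  --get-zone-of-interface=<interface>
                       Print name of the zone the interface is bound to [P]
  --get-zone-of-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Print name of the zone the source is bound to [P]
  --list-all-zones     List everything added for or enabled in all zones [P]
  --new-zone=<zone>    Add a new zone [P only]
  --new-zone-from-file=<filename> [--name=<zone>]
                       Add a new zone from file with optional name [P only]
  --delete-zone=<zone> Delete an existing zone [P only]
  --load-zone-defaults=<zone>
                       Load zone default settings [P only] [Z]
  --zone=<zone>        Use this zone to set or query options, else default zone
                       Usable for options marked with [Z]
  --get-target         Get the zone target [P only] [Z]
  --set-target=<target>
                       Set the zone target [P only] [Z]
  --info-zone=<zone>   Print information about a zone
  --path-zone=<zone>   Print file path of a zone [P only]

IPSet Options
  --get-ipset-types    Print the supported ipset types
  --new-ipset=<ipset> --type=<ipset type> [--option=<key>[=<value>]]..
                       Add a new ipset [P only]
  --new-ipset-from-file=<filename> [--name=<ipset>]
                       Add a new ipset from file with optional name [P only]
  --delete-ipset=<ipset>
                       Delete an existing ipset [P only]
  --load-ipset-defaults=<ipset>
                       Load ipset default settings [P only]
  --info-ipset=<ipset> Print information about an ipset
  --path-ipset=<ipset> Print file path of an ipset [P only]
  --get-ipsets         Print predefined ipsets
  --ipset=<ipset> --set-description=<description>
                       Set new description to ipset [P only]
  --ipset=<ipset> --get-description
                       Print description for ipset [P only]
  --ipset=<ipset> --set-short=<description>
                       Set new short description to ipset [P only]
  --ipset=<ipset> --get-short
                       Print short description for ipset [P only]
  --ipset=<ipset> --add-entry=<entry>
                       Add a new entry to an ipset [P]
  --ipset=<ipset> --remove-entry=<entry>
                       Remove an entry from an ipset [P]
  --ipset=<ipset> --query-entry=<entry>
                       Return whether ipset has an entry [P]
  --ipset=<ipset> --get-entries
                       List entries of an ipset [P]
  --ipset=<ipset> --add-entries-from-file=<filename>
                       Add new entries to an ipset [P]
  --ipset=<ipset> --remove-entries-from-file=<filename>
                       Remove entries from an ipset [P]

IcmpType Options
  --new-icmptype=<icmptype>
                       Add a new icmptype [P only]
  --new-icmptype-from-file=<filename> [--name=<icmptype>]
                       Add a new icmptype from file with optional name [P only]
  --delete-icmptype=<icmptype>
                       Delete an existing icmptype [P only]
  --load-icmptype-defaults=<icmptype>
                       Load icmptype default settings [P only]
  --info-icmptype=<icmptype>
                       Print information about an icmptype
  --path-icmptype=<icmptype>
                       Print file path of an icmptype [P only]
  --icmptype=<icmptype> --set-description=<description>
                       Set new description to icmptype [P only]
  --icmptype=<icmptype> --get-description
                       Print description for icmptype [P only]
  --icmptype=<icmptype> --set-short=<description>
                       Set new short description to icmptype [P only]
  --icmptype=<icmptype> --get-short
                       Print short description for icmptype [P only]
  --icmptype=<icmptype> --add-destination=<ipv>
                       Enable destination for ipv in icmptype [P only]
  --icmptype=<icmptype> --remove-destination=<ipv>
                       Disable destination for ipv in icmptype [P only]
  --icmptype=<icmptype> --query-destination=<ipv>
                       Return whether destination ipv is enabled in icmptype [P only]
  --icmptype=<icmptype> --get-destinations
                       List destinations in icmptype [P only]

Service Options
  --new-service=<service>
                       Add a new service [P only]
  --new-service-from-file=<filename> [--name=<service>]
                       Add a new service from file with optional name [P only]
  --delete-service=<service>
                       Delete an existing service [P only]
  --load-service-defaults=<service>
                       Load service default settings [P only]
  --info-service=<service>
                       Print information about a service
  --path-service=<service>
                       Print file path of a service [P only]
  --service=<service> --set-description=<description>
                       Set new description to service [P only]
  --service=<service> --get-description
                       Print description for service [P only]
  --service=<service> --set-short=<description>
                       Set new short description to service [P only]
  --service=<service> --get-short
                       Print short description for service [P only]
  --service=<service> --add-port=<portid>[-<portid>]/<protocol>
                       Add a new port to service [P only]
  --service=<service> --remove-port=<portid>[-<portid>]/<protocol>
                       Remove a port from service [P only]
  --service=<service> --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for service [P only]
  --service=<service> --get-ports
                       List ports of service [P only]
  --service=<service> --add-protocol=<protocol>
                       Add a new protocol to service [P only]
  --service=<service> --remove-protocol=<protocol>
                       Remove a protocol from service [P only]
  --service=<service> --query-protocol=<protocol>
                       Return whether the protocol has been added for service [P only]
  --service=<service> --get-protocols
                       List protocols of service [P only]
  --service=<service> --add-source-port=<portid>[-<portid>]/<protocol>
                       Add a new source port to service [P only]
  --service=<service> --remove-source-port=<portid>[-<portid>]/<protocol>
                       Remove a source port from service [P only]
  --service=<service> --query-source-port=<portid>[-<portid>]/<protocol>
                       Return whether the source port has been added for service [P only]
  --service=<service> --get-source-ports
                       List source ports of service [P only]
  --service=<service> --add-helper=<helper>
                       Add a new helper to service [P only]
  --service=<service> --remove-helper=<helper>
                       Remove a helper from service [P only]
  --service=<service> --query-helper=<helper>
                       Return whether the helper has been added for service [P only]
  --service=<service> --get-service-helpers
                       List helpers of service [P only]
  --service=<service> --set-destination=<ipv>:<address>[/<mask>]
                       Set destination for ipv to address in service [P only]
  --service=<service> --remove-destination=<ipv>
                       Disable destination for ipv in service [P only]
  --service=<service> --query-destination=<ipv>:<address>[/<mask>]
                       Return whether destination ipv is set for service [P only]
  --service=<service> --get-destinations
                       List destinations in service [P only]
  --service=<service> --add-include=<service>
                       Add a new include to service [P only]
  --service=<service> --remove-include=<service>
                       Remove an include from service [P only]
  --service=<service> --query-include=<service>
                       Return whether the include has been added for service [P only]
  --service=<service> --get-includes
                       List includes of service [P only]

Options to Adapt and Query Zones
  --list-all           List everything added for or enabled in a zone [P] [Z]
  --list-services      List services added for a zone [P] [Z]
  --timeout=<timeval>  Enable an option for timeval time, where timeval is
                       a number followed by one of letters 's' or 'm' or 'h'
                       Usable for options marked with [T]
  --set-description=<description>
                       Set new description to zone [P only] [Z]
  --get-description    Print description for zone [P only] [Z]
  --set-short=<description>
                       Set new short description to zone [P only] [Z]
  --get-short          Print short description for zone [P only] [Z]
  --add-service=<service>
                       Add a service for a zone [P] [Z] [T]
  --remove-service=<service>
                       Remove a service from a zone [P] [Z]
  --query-service=<service>
                       Return whether service has been added for a zone [P] [Z]
  --list-ports         List ports added for a zone [P] [Z]
  --add-port=<portid>[-<portid>]/<protocol>
                       Add the port for a zone [P] [Z] [T]
  --remove-port=<portid>[-<portid>]/<protocol>
                       Remove the port from a zone [P] [Z]
  --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for zone [P] [Z]
  --list-protocols     List protocols added for a zone [P] [Z]
  --add-protocol=<protocol>
                       Add the protocol for a zone [P] [Z] [T]
  --remove-protocol=<protocol>
                       Remove the protocol from a zone [P] [Z]
  --query-protocol=<protocol>
                       Return whether the protocol has been added for zone [P] [Z]
  --list-source-ports  List source ports added for a zone [P] [Z]
  --add-source-port=<portid>[-<portid>]/<protocol>
                       Add the source port for a zone [P] [Z] [T]
  --remove-source-port=<portid>[-<portid>]/<protocol>
                       Remove the source port from a zone [P] [Z]
  --query-source-port=<portid>[-<portid>]/<protocol>
                       Return whether the source port has been added for zone [P] [Z]
  --list-icmp-blocks   List Internet ICMP type blocks added for a zone [P] [Z]
  --add-icmp-block=<icmptype>
                       Add an ICMP block for a zone [P] [Z] [T]
  --remove-icmp-block=<icmptype>
                       Remove the ICMP block from a zone [P] [Z]
  --query-icmp-block=<icmptype>
                       Return whether an ICMP block has been added for a zone
                       [P] [Z]
  --add-icmp-block-inversion
                       Enable inversion of icmp blocks for a zone [P] [Z]
  --remove-icmp-block-inversion
                       Disable inversion of icmp blocks for a zone [P] [Z]
  --query-icmp-block-inversion
                       Return whether inversion of icmp blocks has been enabled
                       for a zone [P] [Z]
  --list-forward-ports List IPv4 forward ports added for a zone [P] [Z]
  --add-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Add the IPv4 forward port for a zone [P] [Z] [T]
  --remove-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Remove the IPv4 forward port from a zone [P] [Z]
  --query-forward-port=port=<portid>[-<portid>]:proto=<protocol>[:toport=<portid>[-<portid>]][:toaddr=<address>[/<mask>]]
                       Return whether the IPv4 forward port has been added for
                       a zone [P] [Z]
  --add-masquerade     Enable IPv4 masquerade for a zone [P] [Z] [T]
  --remove-masquerade  Disable IPv4 masquerade for a zone [P] [Z]
  --query-masquerade   Return whether IPv4 masquerading has been enabled for a
                       zone [P] [Z]
  --list-rich-rules    List rich language rules added for a zone [P] [Z]
  --add-rich-rule=<rule>
                       Add rich language rule 'rule' for a zone [P] [Z] [T]
  --remove-rich-rule=<rule>
                       Remove rich language rule 'rule' from a zone [P] [Z]
  --query-rich-rule=<rule>
                       Return whether a rich language rule 'rule' has been
                       added for a zone [P] [Z]

Options to Handle Bindings of Interfaces
  --list-interfaces    List interfaces that are bound to a zone [P] [Z]
  --add-interface=<interface>
                       Bind the <interface> to a zone [P] [Z]
  --change-interface=<interface>
                       Change zone the <interface> is bound to [P] [Z]
  --query-interface=<interface>
                       Query whether <interface> is bound to a zone [P] [Z]
  --remove-interface=<interface>
                       Remove binding of <interface> from a zone [P] [Z]

Options to Handle Bindings of Sources
  --list-sources       List sources that are bound to a zone [P] [Z]
  --add-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Bind the source to a zone [P] [Z]
  --change-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Change zone the source is bound to [Z]
  --query-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Query whether the source is bound to a zone [P] [Z]
  --remove-source=<source>[/<mask>]|<MAC>|ipset:<ipset>
                       Remove binding of the source from a zone [P] [Z]

Helper Options
  --new-helper=<helper> --module=<module> [--family=<family>]
                       Add a new helper [P only]
  --new-helper-from-file=<filename> [--name=<helper>]
                       Add a new helper from file with optional name [P only]
  --delete-helper=<helper>
                       Delete an existing helper [P only]
  --load-helper-defaults=<helper>
                       Load helper default settings [P only]
  --info-helper=<helper> Print information about a helper
  --path-helper=<helper> Print file path of a helper [P only]
  --get-helpers        Print predefined helpers
  --helper=<helper> --set-description=<description>
                       Set new description to helper [P only]
  --helper=<helper> --get-description
                       Print description for helper [P only]
  --helper=<helper> --set-short=<description>
                       Set new short description to helper [P only]
  --helper=<helper> --get-short
                       Print short description for helper [P only]
  --helper=<helper> --add-port=<portid>[-<portid>]/<protocol>
                       Add a new port to helper [P only]
  --helper=<helper> --remove-port=<portid>[-<portid>]/<protocol>
                       Remove a port from helper [P only]
  --helper=<helper> --query-port=<portid>[-<portid>]/<protocol>
                       Return whether the port has been added for helper [P only]
  --helper=<helper> --get-ports
                       List ports of helper [P only]
  --helper=<helper> --set-module=<module>
                       Set module to helper [P only]
  --helper=<helper> --get-module
                       Get module from helper [P only]
  --helper=<helper> --set-family={ipv4|ipv6|}
                       Set family for helper [P only]
  --helper=<helper> --get-family
                       Get family from helper [P only]

Direct Options
  --direct             First option for all direct options
  --get-all-chains
                       Get all chains [P]
  --get-chains {ipv4|ipv6|eb} <table>
                       Get all chains added to the table [P]
  --add-chain {ipv4|ipv6|eb} <table> <chain>
                       Add a new chain to the table [P]
  --remove-chain {ipv4|ipv6|eb} <table> <chain>
                       Remove the chain from the table [P]
  --query-chain {ipv4|ipv6|eb} <table> <chain>
                       Return whether the chain has been added to the table [P]
  --get-all-rules
                       Get all rules [P]
  --get-rules {ipv4|ipv6|eb} <table> <chain>
                       Get all rules added to chain in table [P]
  --add-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Add rule to chain in table [P]
  --remove-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Remove rule with priority from chain in table [P]
  --remove-rules {ipv4|ipv6|eb} <table> <chain>
                       Remove rules from chain in table [P]
  --query-rule {ipv4|ipv6|eb} <table> <chain> <priority> <arg>...
                       Return whether a rule with priority has been added to
                       chain in table [P]
  --passthrough {ipv4|ipv6|eb} <arg>...
                       Pass a command through (untracked by firewalld)
  --get-all-passthroughs
                       Get all tracked passthrough rules [P]
  --get-passthroughs {ipv4|ipv6|eb} <arg>...
                       Get tracked passthrough rules [P]
  --add-passthrough {ipv4|ipv6|eb} <arg>...
                       Add a new tracked passthrough rule [P]
  --remove-passthrough {ipv4|ipv6|eb} <arg>...
                       Remove a tracked passthrough rule [P]
  --query-passthrough {ipv4|ipv6|eb} <arg>...
                       Return whether the tracked passthrough rule has been
                       added [P]

Lockdown Options
  --lockdown-on        Enable lockdown.
  --lockdown-off       Disable lockdown.
  --query-lockdown     Query whether lockdown is enabled

Lockdown Whitelist Options
  --list-lockdown-whitelist-commands
                       List all command lines that are on the whitelist [P]
  --add-lockdown-whitelist-command=<command>
                       Add the command to the whitelist [P]
  --remove-lockdown-whitelist-command=<command>
                       Remove the command from the whitelist [P]
  --query-lockdown-whitelist-command=<command>
                       Query whether the command is on the whitelist [P]
  --list-lockdown-whitelist-contexts
                       List all contexts that are on the whitelist [P]
  --add-lockdown-whitelist-context=<context>
                       Add the context context to the whitelist [P]
  --remove-lockdown-whitelist-context=<context>
                       Remove the context from the whitelist [P]
  --query-lockdown-whitelist-context=<context>
                       Query whether the context is on the whitelist [P]
  --list-lockdown-whitelist-uids
                       List all user ids that are on the whitelist [P]
  --add-lockdown-whitelist-uid=<uid>
                       Add the user id uid to the whitelist [P]
  --remove-lockdown-whitelist-uid=<uid>
                       Remove the user id uid from the whitelist [P]
  --query-lockdown-whitelist-uid=<uid>
                       Query whether the user id uid is on the whitelist [P]
  --list-lockdown-whitelist-users
                       List all user names that are on the whitelist [P]
  --add-lockdown-whitelist-user=<user>
                       Add the user name user to the whitelist [P]
  --remove-lockdown-whitelist-user=<user>
                       Remove the user name user from the whitelist [P]
  --query-lockdown-whitelist-user=<user>
                       Query whether the user name user is on the whitelist [P]

Panic Options
  --panic-on           Enable panic mode
  --panic-off          Disable panic mode
  --query-panic        Query whether panic mode is enabled

""")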
452
def try_set_zone_of_interface(_zone, interface):
    """Hand the zone binding of ``interface`` to NetworkManager when NM owns it.

    Returns True when the interface has an NM connection: the zone is then
    stored on that connection via nm_set_zone_of_connection and NM, not
    firewalld's own interface binding, is the source of truth.  Returns False
    when NM support is not imported, the connection lookup raises, or the
    interface has no NM connection, so the caller falls back to binding the
    interface itself.  An empty ``_zone`` means the default zone.

    ``cmd`` is a module-level object defined elsewhere in this file.
    """
    if not nm_is_imported():
        return False
    try:
        connection = nm_get_connection_of_interface(interface)
    except Exception:
        # Best-effort: any failure talking to NM is treated as "not managed
        # by NM", which is the original behaviour.
        return False
    if connection is None:
        return False

    to_default = _zone == ""
    # Warn when the connection already carries this zone; the zone is still
    # (re)applied below exactly as before.
    if nm_get_zone_of_connection(connection) == _zone:
        if to_default:
            cmd.print_warning("The interface is under control of NetworkManager and already bound to the default zone")
        else:
            cmd.print_warning("The interface is under control of NetworkManager and already bound to '%s'" % _zone)
    if to_default:
        cmd.print_msg("The interface is under control of NetworkManager, setting zone to default.")
    else:
        cmd.print_msg("The interface is under control of NetworkManager, setting zone to '%s'." % _zone)
    nm_set_zone_of_connection(_zone, connection)
    return True
473
def try_get_zone_of_interface(interface):
    """Return the zone NetworkManager has recorded for ``interface``.

    Returns False (not None) when NM support is not imported, the connection
    lookup raises, or the interface has no NM connection.  Otherwise the
    return value is whatever nm_get_zone_of_connection yields; a zone name
    may be the empty string, so callers that need to tell "no connection"
    apart from "default zone" should test ``is False`` rather than truthiness.
    """
    if not nm_is_imported():
        return False
    try:
        connection = nm_get_connection_of_interface(interface)
    except Exception:
        # Best-effort: NM lookup failures mean "not managed by NM".
        return False
    if connection is None:
        return False
    return nm_get_zone_of_connection(connection)
484
def try_nm_get_interfaces_in_zone(zone):
    """Return the interfaces NetworkManager has bound to ``zone``.

    Yields an empty list when NM support is not imported or when the NM
    query raises, so callers can always iterate the result.
    """
    if not nm_is_imported():
        return []
    try:
        return nm_get_interfaces_in_zone(zone)
    except Exception:
        # Best-effort: a failing NM query contributes no interfaces.
        return []
492
# Command-line parser.  argparse's built-in -h/--help is disabled because the
# hand-written text in __usage() is the real help; the "usage" string only
# shows up in argparse's own error output.
parser = argparse.ArgumentParser(usage="see firewall-cmd man page",
                                 add_help=False)

# Output verbosity: -v and -q may not be combined.  -v/--verbose is accepted
# here but is not listed in the __usage() text.
parser_group_output = parser.add_mutually_exclusive_group()
parser_group_output.add_argument("-v", "--verbose", action="store_true")
parser_group_output.add_argument("-q", "--quiet", action="store_true")

# Standalone operations: argparse rejects any two of these in one invocation.
parser_group_standalone = parser.add_mutually_exclusive_group()
parser_group_standalone.add_argument("-h", "--help",
                                     action="store_true")
parser_group_standalone.add_argument("-V", "--version", action="store_true")
parser_group_standalone.add_argument("--state", action="store_true")
parser_group_standalone.add_argument("--reload", action="store_true")
parser_group_standalone.add_argument("--complete-reload", action="store_true")
parser_group_standalone.add_argument("--runtime-to-permanent",
                                     action="store_true")
parser_group_standalone.add_argument("--check-config", action="store_true")
parser_group_standalone.add_argument("--get-ipset-types", action="store_true")
parser_group_standalone.add_argument("--get-log-denied", action="store_true")
parser_group_standalone.add_argument("--set-log-denied", metavar="<value>")
# Accepted but not documented in __usage().
parser_group_standalone.add_argument("--get-automatic-helpers", action="store_true")
parser_group_standalone.add_argument("--set-automatic-helpers", metavar="<value>")
parser_group_standalone.add_argument("--panic-on", action="store_true")
parser_group_standalone.add_argument("--panic-off", action="store_true")
parser_group_standalone.add_argument("--query-panic", action="store_true")
parser_group_standalone.add_argument("--lockdown-on", action="store_true")
parser_group_standalone.add_argument("--lockdown-off", action="store_true")
parser_group_standalone.add_argument("--query-lockdown", action="store_true")

parser_group_standalone.add_argument("--get-default-zone", action="store_true")
parser_group_standalone.add_argument("--set-default-zone", metavar="<zone>")
parser_group_standalone.add_argument("--get-zones", action="store_true")
parser_group_standalone.add_argument("--get-services", action="store_true")
parser_group_standalone.add_argument("--get-icmptypes", action="store_true")
parser_group_standalone.add_argument("--get-active-zones", action="store_true")
# action='append': the option may repeat and argparse collects the values in
# a list (None when the option is absent).
parser_group_standalone.add_argument("--get-zone-of-interface", metavar="<iface>", action='append')
parser_group_standalone.add_argument("--get-zone-of-source", metavar="<source>", action='append')
parser_group_standalone.add_argument("--list-all-zones", action="store_true")

# Print the full definition of one named object.
parser_group_standalone.add_argument("--info-zone", metavar="<zone>")
parser_group_standalone.add_argument("--info-service", metavar="<service>")
parser_group_standalone.add_argument("--info-icmptype", metavar="<icmptype>")
parser_group_standalone.add_argument("--info-ipset", metavar="<ipset>")
parser_group_standalone.add_argument("--info-helper", metavar="<helper>")
537
# Creation, deletion and reset of permanent configuration objects (icmptype,
# service, zone, ipset, helper).  Mutually exclusive with each other only;
# argparse does not cross-check them against the standalone group.
parser_group_config = parser.add_mutually_exclusive_group()
parser_group_config.add_argument("--new-icmptype", metavar="<icmptype>")
parser_group_config.add_argument("--new-icmptype-from-file", metavar="<filename>")
parser_group_config.add_argument("--delete-icmptype", metavar="<icmptype>")
parser_group_config.add_argument("--load-icmptype-defaults",
                                 metavar="<icmptype>")
parser_group_config.add_argument("--new-service", metavar="<service>")
parser_group_config.add_argument("--new-service-from-file", metavar="<filename>")
parser_group_config.add_argument("--delete-service", metavar="<service>")
parser_group_config.add_argument("--load-service-defaults", metavar="<service>")
parser_group_config.add_argument("--new-zone", metavar="<zone>")
parser_group_config.add_argument("--new-zone-from-file", metavar="<filename>")
parser_group_config.add_argument("--delete-zone", metavar="<zone>")
parser_group_config.add_argument("--load-zone-defaults", metavar="<zone>")
parser_group_config.add_argument("--new-ipset", metavar="<ipset>")
parser_group_config.add_argument("--new-ipset-from-file", metavar="<filename>")
parser_group_config.add_argument("--delete-ipset", metavar="<ipset>")
parser_group_config.add_argument("--load-ipset-defaults", metavar="<ipset>")
parser_group_config.add_argument("--new-helper", metavar="<helper>")
parser_group_config.add_argument("--new-helper-from-file", metavar="<filename>")
parser_group_config.add_argument("--delete-helper", metavar="<helper>")
parser_group_config.add_argument("--load-helper-defaults", metavar="<helper>")

# Print the on-disk path of a permanent configuration object.
parser_group_config.add_argument("--path-zone", metavar="<zone>")
parser_group_config.add_argument("--path-service", metavar="<service>")
parser_group_config.add_argument("--path-icmptype", metavar="<icmptype>")
parser_group_config.add_argument("--path-ipset", metavar="<ipset>")
parser_group_config.add_argument("--path-helper", metavar="<helper>")

# Optional name for objects created with the --new-*-from-file options (see
# __usage()).  NOTE(review): presumably the empty default means "use the
# name from the file"; confirm in the handler, which is outside this view.
parser.add_argument("--name", default="", metavar="<name>")
568
def _add_lockdown_whitelist_options(group):
    """Register the lockdown whitelist options on ``group``.

    Every whitelist category (commands, contexts, uids, users) gets the same
    quartet, in this order: --list-lockdown-whitelist-<plural> as a flag,
    then --add/--remove/--query-lockdown-whitelist-<singular>, each taking a
    value and repeatable (action='append').  Only the uid options convert
    their value with int, so a non-numeric uid is rejected by argparse.
    """
    for plural, singular, extra in (
            ("commands", "command", {}),
            ("contexts", "context", {}),
            ("uids", "uid", {"type": int}),
            ("users", "user", {}),
    ):
        group.add_argument("--list-lockdown-whitelist-%s" % plural,
                           action="store_true")
        for verb in ("add", "remove", "query"):
            group.add_argument("--%s-lockdown-whitelist-%s" % (verb, singular),
                               metavar="<%s>" % singular, action='append',
                               **extra)


# Lockdown whitelist management; one operation per invocation.
parser_group_lockdown_whitelist = parser.add_mutually_exclusive_group()
_add_lockdown_whitelist_options(parser_group_lockdown_whitelist)
589
# Scope modifiers shared by the options marked [P], [Z] and [T] in __usage().
parser.add_argument("--permanent", action="store_true")
# An empty zone means "the default zone" (see --zone in __usage()).
parser.add_argument("--zone", default="", metavar="<zone>")
# Kept as a string; __usage() documents the value as <timeval> with an
# s/m/h suffix although the metavar says <seconds>.
# NOTE(review): the conversion happens in a handler outside this view —
# confirm which forms it accepts before changing either text.
parser.add_argument("--timeout", default="0", metavar="<seconds>")
593
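# Per-zone operations (the [Z] options in __usage()); one per invocation.
# Options with action='append' may repeat and yield a list (None if absent).
parser_group_zone = parser.add_mutually_exclusive_group()
parser_group_zone.add_argument("--add-interface", metavar="<iface>", action='append')
parser_group_zone.add_argument("--remove-interface", metavar="<iface>", action='append')
parser_group_zone.add_argument("--query-interface", metavar="<iface>", action='append')
# --change-zone is an undocumented alias of --change-interface.
parser_group_zone.add_argument("--change-interface", "--change-zone", metavar="<iface>", action='append')
parser_group_zone.add_argument("--list-interfaces", action="store_true")
parser_group_zone.add_argument("--add-source", metavar="<source>", action='append')
parser_group_zone.add_argument("--remove-source", metavar="<source>", action='append')
parser_group_zone.add_argument("--query-source", metavar="<source>", action='append')
parser_group_zone.add_argument("--change-source", metavar="<source>", action='append')
parser_group_zone.add_argument("--list-sources", action="store_true")
parser_group_zone.add_argument("--add-rich-rule", metavar="<rule>", action='append')
parser_group_zone.add_argument("--remove-rich-rule", metavar="<rule>", action='append')
parser_group_zone.add_argument("--query-rich-rule", metavar="<rule>", action='append')
# The value of all three service options is a service name, not a zone;
# the metavars used to disagree with --add-service.
parser_group_zone.add_argument("--add-service", metavar="<service>", action='append')
parser_group_zone.add_argument("--remove-service", metavar="<service>", action='append')
parser_group_zone.add_argument("--query-service", metavar="<service>", action='append')
parser_group_zone.add_argument("--add-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--remove-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--query-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--add-protocol", metavar="<protocol>", action='append')
parser_group_zone.add_argument("--remove-protocol", metavar="<protocol>", action='append')
parser_group_zone.add_argument("--query-protocol", metavar="<protocol>", action='append')
parser_group_zone.add_argument("--add-source-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--remove-source-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--query-source-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--add-masquerade", action="store_true")
parser_group_zone.add_argument("--remove-masquerade", action="store_true")
parser_group_zone.add_argument("--query-masquerade", action="store_true")
parser_group_zone.add_argument("--add-icmp-block", metavar="<icmptype>", action='append')
parser_group_zone.add_argument("--remove-icmp-block", metavar="<icmptype>", action='append')
parser_group_zone.add_argument("--query-icmp-block", metavar="<icmptype>", action='append')
parser_group_zone.add_argument("--add-icmp-block-inversion", action="store_true")
parser_group_zone.add_argument("--remove-icmp-block-inversion", action="store_true")
parser_group_zone.add_argument("--query-icmp-block-inversion", action="store_true")
# Forward-port values are the port=...:proto=...[:toport=...][:toaddr=...]
# strings described in __usage(); they are parsed elsewhere.
parser_group_zone.add_argument("--add-forward-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--remove-forward-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--query-forward-port", metavar="<port>", action='append')
parser_group_zone.add_argument("--list-rich-rules", action="store_true")
parser_group_zone.add_argument("--list-services", action="store_true")
parser_group_zone.add_argument("--list-ports", action="store_true")
parser_group_zone.add_argument("--list-protocols", action="store_true")
parser_group_zone.add_argument("--list-icmp-blocks", action="store_true")
parser_group_zone.add_argument("--list-forward-ports", action="store_true")
parser_group_zone.add_argument("--list-source-ports", action="store_true")
parser_group_zone.add_argument("--list-all", action="store_true")
parser_group_zone.add_argument("--get-target", action="store_true")
parser_group_zone.add_argument("--set-target", metavar="<target>")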
642
# Ipset selection and per-ipset operations.  --option may be repeated
# (collected into a list); --type and --ipset are single values.
parser.add_argument("--option", metavar="<key>[=<value>]", action='append')
parser.add_argument("--type", metavar="<ipsettype>")
parser.add_argument("--ipset", metavar="<ipset>")

# One ipset operation per invocation.  Registration order is the order
# argparse lists the options in.  Per-ipset --add-option/--remove-option/
# --query-option/--get-options are deliberately not offered on the command
# line.
parser_ipset = parser.add_mutually_exclusive_group()
for _flag, _kwargs in (
    ("--get-ipsets", {"action": "store_true"}),
    ("--add-entry", {"metavar": "<entry>", "action": 'append'}),
    ("--remove-entry", {"metavar": "<entry>", "action": 'append'}),
    ("--query-entry", {"metavar": "<entry>", "action": 'append'}),
    ("--get-entries", {"action": "store_true"}),
    ("--add-entries-from-file", {"metavar": "<filename>", "action": 'append'}),
    ("--remove-entries-from-file", {"metavar": "<filename>", "action": 'append'}),
):
    parser_ipset.add_argument(_flag, **_kwargs)
660
# Icmptype selection and its destination (ipv4/ipv6) edits; the three
# editing options may be repeated and collect a list, the getter is a
# switch.  All four are mutually exclusive.
parser.add_argument("--icmptype", metavar="<icmptype>")

parser_icmptype = parser.add_mutually_exclusive_group()
for _flag in ("--add-destination", "--remove-destination", "--query-destination"):
    parser_icmptype.add_argument(_flag, metavar="<ipv>", action='append')
parser_icmptype.add_argument("--get-destinations", action="store_true")
668
# Service selection and the per-service operations (one per invocation).
parser.add_argument("--service", metavar="<service>")

parser_service = parser.add_mutually_exclusive_group()

# Plain getters for the port-like lists.
for _flag in ("--get-ports", "--get-source-ports", "--get-protocols"):
    parser_service.add_argument(_flag, action="store_true")

# add/remove/query triples (repeatable, collected into a list) followed by
# their list getter.  Registration order is the order argparse lists the
# options in, so the triples are registered one after another.
for _item, _metavar, _getter in (
    ("module", "<module>", "--get-modules"),
    ("helper", "<helper>", "--get-service-helpers"),
    ("include", "<service>", "--get-includes"),
):
    for _verb in ("add", "remove", "query"):
        parser_service.add_argument("--%s-%s" % (_verb, _item),
                                    metavar=_metavar, action='append')
    parser_service.add_argument(_getter, action="store_true")

# Destination is set as a list and read back as a whole.
parser_service.add_argument("--set-destination", metavar="<destination>", action='append')
parser_service.add_argument("--get-destination", action="store_true")

# Description/short text: single-valued setter plus a switch getter.
for _setter, _getter in (("--set-description", "--get-description"),
                         ("--set-short", "--get-short")):
    parser_service.add_argument(_setter, metavar="<description>")
    parser_service.add_argument(_getter, action="store_true")
699
# Helper selection plus the --family/--module values used when creating a
# helper or ipset.
parser.add_argument("--helper", metavar="<helper>")
parser.add_argument("--family", metavar="<family>")
parser.add_argument("--module", metavar="<module>")

# Per-helper operations, one per invocation.  --get-ports is not registered
# here because the service group above already defines it; a per-helper
# --query-module is not offered.
parser_helper = parser.add_mutually_exclusive_group()
for _flag, _kwargs in (
    ("--get-helpers", {"action": "store_true"}),
    ("--set-module", {"metavar": "<module>"}),
    ("--get-module", {"action": "store_true"}),
    # nargs="*": an empty family list is accepted to clear the family
    ("--set-family", {"metavar": "<family>|''", "nargs": "*"}),
    ("--get-family", {"action": "store_true"}),
):
    parser_helper.add_argument(_flag, **_kwargs)
712
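# --direct switches the parser into the direct (raw iptables/ip6tables/
# ebtables) interface; the option combination checks below require it to
# accompany every parser_direct option and vice versa.
parser.add_argument("--direct", action="store_true")

# not possible to have sequences of options here
parser_direct = parser.add_mutually_exclusive_group()

_IPV = "{ ipv4 | ipv6 | eb }"
# REMAINDER: everything after the option is the rule/passthrough text; the
# pre-parse step below has already collapsed it into one argv entry.
_PASSTHROUGH = {"nargs": argparse.REMAINDER, "metavar": (_IPV, "<args>")}
_RULE = {"nargs": argparse.REMAINDER,
         "metavar": (_IPV, "<table> <chain> <priority> <args>")}
_IPV_TABLE_CHAIN = {"nargs": 3, "metavar": (_IPV, "<table>", "<chain>")}

# Registration order is the order argparse lists the options in.
for _flag, _kwargs in (
    ("--passthrough", _PASSTHROUGH),
    ("--add-passthrough", _PASSTHROUGH),
    ("--remove-passthrough", _PASSTHROUGH),
    ("--query-passthrough", _PASSTHROUGH),
    ("--get-passthroughs", {"nargs": 1, "metavar": _IPV}),
    ("--get-all-passthroughs", {"action": "store_true"}),
    ("--add-chain", _IPV_TABLE_CHAIN),
    ("--remove-chain", _IPV_TABLE_CHAIN),
    ("--query-chain", _IPV_TABLE_CHAIN),
    ("--get-all-chains", {"action": "store_true"}),
    ("--get-chains", {"nargs": 2, "metavar": (_IPV, "<table>")}),
    ("--add-rule", _RULE),
    ("--remove-rule", _RULE),
    # --remove-rules takes exactly three values (ipv, table, chain), so the
    # metavar tuple needs one entry per value: argparse's help formatter
    # fails on a tuple shorter than nargs, and group arguments are not
    # validated against this at registration time.
    ("--remove-rules", _IPV_TABLE_CHAIN),
    ("--query-rule", _RULE),
    ("--get-rules", _IPV_TABLE_CHAIN),
    ("--get-all-rules", {"action": "store_true"}),
):
    parser_direct.add_argument(_flag, **_kwargs)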
748
749 ##############################################################################
750
args = sys.argv[1:]

# Direct options carry raw iptables/ip6tables/ebtables arguments, which can
# look like firewall-cmd options (e.g. iptables' --delete vs firewall-cmd's
# --delete-*).  Before argparse sees argv, everything after the option's
# fixed leading values is joined into a single argv entry so it is taken
# as one opaque value.  The offset is how many leading values keep their
# own argv slot: 1 (the ipv) for passthroughs, 4 (ipv, table, chain,
# priority) for rules.  The first matching option, in this order, wins.
_JOIN_TAIL_AFTER = (
    ('--passthrough', 1),
    ('--add-passthrough', 1),
    ('--remove-passthrough', 1),
    ('--query-passthrough', 1),
    ('--add-rule', 4),
    ('--remove-rule', 4),
    ('--query-rule', 4),
)

if len(sys.argv) > 1:
    i = -1
    for _flag, _keep in _JOIN_TAIL_AFTER:
        if _flag in args:
            i = args.index(_flag) + _keep
            break
    # Only rewrite when there is at least one value past the fixed part.
    if -1 < i < len(args) - 1:
        aux_args = args[:]
        args = aux_args[:i+1]              # option and its fixed values
        args.append(joinArgs(aux_args[i+1:]))  # the tail as one argument

a = parser.parse_args(args)
778
# Option classes used by the combination checks further down.  Each one is
# an `or` chain over the parsed namespace, so it holds the first truthy
# option value (or the last falsy one), not a bool; they are only ever
# tested for truth.

# Options that form a complete command on their own; combining them with
# anything else is rejected below.
options_standalone = a.help or a.version or \
    a.state or a.reload or a.complete_reload or a.runtime_to_permanent or \
    a.panic_on or a.panic_off or a.query_panic or \
    a.lockdown_on or a.lockdown_off or a.query_lockdown or \
    a.get_default_zone or a.set_default_zone or \
    a.get_active_zones or a.get_ipset_types or \
    a.get_log_denied or a.set_log_denied or \
    a.get_automatic_helpers or a.set_automatic_helpers or a.check_config

# Description/short accessors shared by the ipset, icmptype, service and
# helper groups.
options_desc_xml_file = a.set_description or a.get_description or \
    a.set_short or a.get_short

# Lockdown whitelist edits.  The uid variants are compared with None rather
# than tested for truth, presumably so that uid 0 is accepted as a value
# (0 is falsy) -- confirm against the lockdown whitelist handler.
options_lockdown_whitelist = \
    a.list_lockdown_whitelist_commands or a.add_lockdown_whitelist_command or \
    a.remove_lockdown_whitelist_command or \
    a.query_lockdown_whitelist_command or \
    a.list_lockdown_whitelist_contexts or a.add_lockdown_whitelist_context or \
    a.remove_lockdown_whitelist_context or \
    a.query_lockdown_whitelist_context or \
    a.list_lockdown_whitelist_uids or a.add_lockdown_whitelist_uid is not None or \
    a.remove_lockdown_whitelist_uid is not None or \
    a.query_lockdown_whitelist_uid is not None or \
    a.list_lockdown_whitelist_users or a.add_lockdown_whitelist_user or \
    a.remove_lockdown_whitelist_user or \
    a.query_lockdown_whitelist_user

# Read-only queries of the configuration (name lists, info dumps, zone
# lookups) plus the lockdown whitelist edits.
options_config = a.get_zones or a.get_services or a.get_icmptypes or \
    options_lockdown_whitelist or a.list_all_zones or \
    a.get_zone_of_interface or a.get_zone_of_source or \
    a.info_zone or a.info_icmptype or a.info_service or \
    a.info_ipset or a.get_ipsets or a.info_helper or \
    a.get_helpers

# Zone add/remove/query operations on services, ports, protocols, source
# ports, ICMP blocks and forward ports.  The port/protocol/source-port
# options are registered once and reused by the service and helper classes
# below; which object they apply to is decided by --zone/--service/--helper.
options_zone_action_action = \
    a.add_service or a.remove_service or a.query_service or \
    a.add_port or a.remove_port or a.query_port or \
    a.add_protocol or a.remove_protocol or a.query_protocol or \
    a.add_source_port or a.remove_source_port or a.query_source_port or \
    a.add_icmp_block or a.remove_icmp_block or a.query_icmp_block or \
    a.add_forward_port or a.remove_forward_port or a.query_forward_port

# Interface and source binding of a zone.
options_zone_interfaces_sources = \
    a.list_interfaces or a.change_interface or \
    a.add_interface or a.remove_interface or a.query_interface or \
    a.list_sources or a.change_source or \
    a.add_source or a.remove_source or a.query_source

# Remaining zone operations: rich rules, masquerading, ICMP block inversion,
# the list-* views and the zone target.
options_zone_adapt_query = \
    a.add_rich_rule or a.remove_rich_rule or a.query_rich_rule or \
    a.add_masquerade or a.remove_masquerade or a.query_masquerade or \
    a.list_services or a.list_ports or a.list_protocols or \
    a.list_source_ports or \
    a.list_icmp_blocks or a.list_forward_ports or a.list_rich_rules or \
    a.add_icmp_block_inversion or a.remove_icmp_block_inversion or \
    a.query_icmp_block_inversion or \
    a.list_all or a.get_target or a.set_target

# Any operation that acts on a zone.
options_zone_ops = options_zone_interfaces_sources or \
    options_zone_action_action or options_zone_adapt_query

# Anything zone-related, including an explicit --zone or a --timeout.
# --timeout is still the raw string here (its default is "0"); it is
# converted to seconds further down.
options_zone = a.zone or a.timeout != "0" or options_zone_ops or \
    options_desc_xml_file

options_ipset = a.add_entry or a.remove_entry or a.query_entry or \
    a.get_entries or a.add_entries_from_file or \
    a.remove_entries_from_file or options_desc_xml_file

options_icmptype = a.add_destination or a.remove_destination or \
    a.query_destination or a.get_destinations or \
    options_desc_xml_file

# Service operations.  remove/query/get-destination(s) are registered on
# the icmptype group but are counted here as well, so a --service run that
# names them is classified as a service operation.
options_service = a.add_port or a.remove_port or a.query_port or \
    a.get_ports or \
    a.add_protocol or a.remove_protocol or a.query_protocol or \
    a.get_protocols or \
    a.add_source_port or a.remove_source_port or \
    a.query_source_port or a.get_source_ports or \
    a.add_module or a.remove_module or a.query_module or \
    a.get_modules or \
    a.set_destination or a.remove_destination or \
    a.query_destination or a.get_destinations or \
    options_desc_xml_file or \
    a.add_include or a.remove_include or a.query_include or \
    a.get_includes or \
    a.add_helper or a.remove_helper or a.query_helper or \
    a.get_service_helpers

options_helper = a.add_port or a.remove_port or a.query_port or \
    a.get_ports or a.set_module or a.get_module or \
    a.set_family or a.get_family or \
    options_desc_xml_file

# Operations that are valid together with --permanent.
options_permanent = a.permanent or options_config or \
    a.zone or options_zone_ops or \
    a.ipset or options_ipset or \
    a.helper or options_helper

# Operations that only make sense on the permanent configuration: creating,
# deleting, loading defaults for and locating object files, and editing an
# icmptype/service/helper named explicitly.
options_permanent_only = a.new_icmptype or a.delete_icmptype or \
    a.new_icmptype_from_file or \
    a.load_icmptype_defaults or \
    a.new_service or a.delete_service or \
    a.new_service_from_file or \
    a.load_service_defaults or \
    a.new_zone or a.delete_zone or \
    a.new_zone_from_file or \
    a.load_zone_defaults or \
    a.new_ipset or a.delete_ipset or \
    a.new_ipset_from_file or \
    a.load_ipset_defaults or \
    a.new_helper or a.delete_helper or \
    a.new_helper_from_file or \
    a.load_helper_defaults or \
    (a.icmptype and options_icmptype) or \
    (a.service and options_service) or \
    (a.helper and options_helper) or \
    a.path_zone or a.path_icmptype or a.path_service or \
    a.path_ipset or a.path_helper or options_desc_xml_file

# Direct (raw rule) interface; must be paired with --direct, checked below.
options_direct = a.passthrough or \
    a.add_chain or a.remove_chain or a.query_chain or \
    a.get_chains or a.get_all_chains or \
    a.add_rule or a.remove_rule or a.remove_rules or a.query_rule or \
    a.get_rules or a.get_all_rules or \
    a.add_passthrough or a.remove_passthrough or a.query_passthrough or \
    a.get_passthroughs or a.get_all_passthroughs

# Zone target handling is permanent-only as well.
options_require_permanent = options_permanent_only or \
    a.get_target or a.set_target

# these are supposed to only write out some output; combining them with
# --quiet is rejected below
options_list_get = a.help or a.version or a.list_all or a.list_all_zones or \
    a.list_lockdown_whitelist_commands or a.list_lockdown_whitelist_contexts or \
    a.list_lockdown_whitelist_uids or a.list_lockdown_whitelist_users or \
    a.list_services or a.list_ports or a.list_protocols or a.list_icmp_blocks or \
    a.list_forward_ports or a.list_rich_rules or a.list_interfaces or \
    a.list_sources or a.get_default_zone or a.get_active_zones or \
    a.get_zone_of_interface or a.get_zone_of_source or a.get_zones or \
    a.get_services or a.get_icmptypes or a.get_target or \
    a.info_zone or a.info_icmptype or a.info_service or \
    a.info_ipset or a.get_ipsets or a.get_entries or \
    a.info_helper or a.get_helpers or \
    a.get_destinations or a.get_description
921
922 # Set quiet and verbose
923
# Command helper carrying the --quiet/--verbose output settings.
cmd = FirewallCommand(a.quiet, a.verbose)


def myexcepthook(exctype, value, traceback):
    """Route any uncaught exception through cmd.exception_handler.

    Installed as sys.excepthook below, so an exception escaping the script
    is reported via the command's handler with only str(value); the
    exception type and the traceback are not printed.
    """
    message = str(value)
    cmd.exception_handler(message)


sys.excepthook = myexcepthook
929
930 # Check various impossible combinations of options
931
# Option-combination validation.  Every rejection goes through cmd.fail()
# with the usage text prepended; the checks are written as if cmd.fail()
# does not return (NOTE(review): cmd.fail is defined outside this file --
# confirm it exits, otherwise later checks run on a rejected combination).

# At least one actual operation must be present.
if not (options_standalone or options_ipset or \
        options_icmptype or options_service or options_helper or \
        options_config or options_zone_ops or \
        options_direct or options_permanent_only):
    cmd.fail(parser.format_usage() + "No option specified.")

# Stand-alone options are complete commands; nothing may be added to them.
if options_standalone and (options_zone or options_permanent or \
                           options_direct or options_permanent_only or\
                           options_ipset):
    cmd.fail(parser.format_usage() +
             "Can't use stand-alone options with other options.")

# Ipset entry operations need --ipset; the description/short accessors are
# exempt because they are shared with the other object kinds.
if options_ipset and not options_desc_xml_file and not a.ipset:
    cmd.fail(parser.format_usage() + "No ipset specified.")

# Destination options without --icmptype are allowed only when they are
# really a --service operation (see options_service).
if (options_icmptype and not a.icmptype) and \
   not (options_service and a.service) and not options_desc_xml_file:
    cmd.fail(parser.format_usage() + "No icmptype specified.")

# Helper options without --helper are allowed when they are a --service or
# a zone operation (the port options are shared between the three).
if (options_helper and not a.helper) and \
   not (options_service and a.service) and \
   not options_zone and not options_desc_xml_file:
    cmd.fail(parser.format_usage() + "No helper specified.")

# NOTE(review): the zone and service terms test for a *missing* name while
# the icmptype term tests for a *present* one (`a.icmptype`), so this check
# only fires with --icmptype given -- confirm that asymmetry is intended.
if (options_direct or options_permanent_only) and \
   (options_zone and not a.zone) and (options_service and not a.service) and \
   (options_icmptype and a.icmptype) and not options_desc_xml_file:
    cmd.fail(parser.format_usage() + "Can't be used with --zone.")

# --direct and the direct options must always appear together.
if (a.direct and not options_direct) or (options_direct and not a.direct):
    cmd.fail(parser.format_usage() +
             "Wrong usage of 'direct' options.")

# --name only renames an object being created from a file.
if a.name and not (a.new_zone_from_file or a.new_service_from_file or \
                   a.new_ipset_from_file or a.new_icmptype_from_file or \
                   a.new_helper_from_file):
    cmd.fail(parser.format_usage() + "Wrong usage of '--name' option.")

if options_require_permanent and not a.permanent:
    cmd.fail(parser.format_usage() +
             "Option can be used only with --permanent.")

if options_config and options_zone:
    cmd.fail(parser.format_usage() +
             "Wrong usage of --get-zones | --get-services | --get-icmptypes.")

# Convert --timeout from its string form ("0" by default) to seconds.  The
# value is a run of digits optionally followed by a unit: s (seconds),
# m (minutes) or h (hours); a bare number is seconds.  Anything else is
# rejected with the same message.
# NOTE(review): str.isdigit() also accepts characters such as superscript
# digits that int() rejects; such input would raise ValueError here and end
# up in sys.excepthook rather than in the usage error.
if a.timeout != "0":
    value = 0
    unit = 's'
    if len(a.timeout) < 1:
        cmd.fail(parser.format_usage() +
                 "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout)
    elif len(a.timeout) == 1:
        # single character: must be a digit, implicitly seconds
        if a.timeout.isdigit():
            value = int (a.timeout[0])
        else:
            cmd.fail(parser.format_usage() +
                     "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout)
    elif len(a.timeout) > 1:
        if a.timeout.isdigit():
            value = int(a.timeout)
            unit = 's'
        else:
            # digits followed by a one-character unit
            if a.timeout[:-1].isdigit():
                value = int (a.timeout[:-1])
            else:
                cmd.fail(parser.format_usage() +
                         "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout)
            unit = a.timeout[-1:].lower()
    if unit == 's':
        a.timeout = value
    elif unit == 'm':
        a.timeout = value * 60
    elif unit == 'h':
        a.timeout = value * 60 * 60
    else:
        cmd.fail(parser.format_usage() +
                 "'%s' is wrong timeout value. Use for example '2m' or '1h'" % a.timeout)
else:
    a.timeout = 0

# A timeout only applies to runtime add operations on a zone.
if a.timeout and not (a.add_service or a.add_port or a.add_protocol or \
                      a.add_icmp_block or a.add_forward_port or \
                      a.add_source_port or a.add_masquerade or a.add_rich_rule):
    cmd.fail(parser.format_usage() + "Wrong --timeout usage")

# --permanent: timeouts never apply, and the operation must be one that has
# a permanent form (config queries without --zone, or options_permanent).
if a.permanent:
    if a.timeout:
        cmd.fail(parser.format_usage() +
                 "Can't specify timeout for permanent action.")
    if options_config and not a.zone:
        pass
    elif options_permanent:
        pass
    else:
        cmd.fail(parser.format_usage() + "Wrong --permanent usage.")

if a.quiet and options_list_get:
    # it makes no sense to use --quiet with these options; quiet is switched
    # off first so the failure itself is printed
    a.quiet = False
    cmd.set_quiet(a.quiet)
    cmd.fail("-q/--quiet can't be used with this option(s)")

# --help prints the script's own usage text (not argparse's) and stops.
if a.help:
    __usage()
    sys.exit(0)
1038
zone = a.zone

# Connect to firewalld.  A FirewallError raised while creating the client
# is turned into an exit with the code that get_code() extracts from the
# error message.
try:
    fw = FirewallClient()
except FirewallError as msg:
    code = FirewallError.get_code(str(msg))
    cmd.print_and_exit("Error: %s" % msg, code)

fw.setExceptionHandler(cmd.exception_handler)
if not fw.connected:
    # --state gets the terse answer, everything else the full sentence;
    # both exit with NOT_RUNNING.
    not_running_msg = "not running" if a.state else "FirewallD is not running"
    cmd.print_and_exit(not_running_msg, errors.NOT_RUNNING)
cmd.set_fw(fw)

# A zone operation without --zone targets the default zone.  Say so in
# verbose mode, and warn when the active zones (those with interfaces or
# sources bound) do not include the default zone, since the change is then
# unlikely to affect the user's connections.  Service/helper operations
# that merely share option names are not zone operations and are skipped.
zone_ops_on_default = options_zone_ops and not zone
if zone_ops_on_default and not (a.service and options_service) \
        and not (a.helper and options_helper):
    default = fw.getDefaultZone()
    cmd.print_if_verbose("No zone specified, using default zone, i.e. '%s'" % default)
    active = list(fw.getActiveZones().keys())
    if active and default not in active:
        cmd.print_msg("""You're performing an operation over default zone ('%s'),
but your connections/interfaces are in zone '%s' (see --get-active-zones)
You most likely need to use --zone=%s option.\n""" % (default, ",".join(active), active[0]))
1065
1066 if a.permanent:
1067 if a.get_ipsets:
1068 cmd.print_and_exit(" ".join(fw.config().getIPSetNames()))
1069
1070 elif a.new_ipset:
1071 if not a.type:
1072 cmd.fail(parser.format_usage() + "No type specified.")
1073
1074 settings = FirewallClientIPSetSettings()
1075 settings.setType(a.type)
1076 if a.option:
1077 for opt in a.option:
1078 settings.addOption(*cmd.parse_ipset_option(opt))
1079 if a.family:
1080 settings.addOption("family", a.family)
1081 config = fw.config()
1082 config.addIPSet(a.new_ipset, settings)
1083
1084 elif a.new_ipset_from_file:
1085 filename = os.path.basename(a.new_ipset_from_file)
1086 dirname = os.path.dirname(a.new_ipset_from_file)
1087 if dirname == "":
1088 dirname = "./"
1089 try:
1090 obj = ipset_reader(filename, dirname)
1091 except FirewallError as msg:
1092 cmd.fail("Failed to load ipset file '%s': %s" % \
1093 (a.new_ipset_from_file, msg))
1094 except IOError as msg:
1095 cmd.fail("Failed to load ipset file: %s" % msg)
1096
1097 if a.name:
1098 obj.name = a.name
1099
1100 config = fw.config()
1101 config.addIPSet(obj.name, obj.export_config())
1102
1103 elif a.delete_ipset:
1104 ipset = fw.config().getIPSetByName(a.delete_ipset)
1105 ipset.remove()
1106
1107 elif a.load_ipset_defaults:
1108 ipset = fw.config().getIPSetByName(a.load_ipset_defaults)
1109 ipset.loadDefaults()
1110
1111 elif a.info_ipset:
1112 ipset = fw.config().getIPSetByName(a.info_ipset)
1113 cmd.print_ipset_info(a.info_ipset, ipset.getSettings())
1114 sys.exit(0)
1115
1116 elif a.path_ipset:
1117 ipset = fw.config().getIPSetByName(a.path_ipset)
1118 cmd.print_and_exit("%s/%s" % (ipset.get_property("path"),
1119 ipset.get_property("filename")))
1120
1121 elif a.ipset:
1122 ipset = fw.config().getIPSetByName(a.ipset)
1123 settings = ipset.getSettings()
1124
1125 if a.add_entry:
1126 cmd.add_sequence(a.add_entry, settings.addEntry,
1127 settings.queryEntry, None, "'%s'")
1128 ipset.update(settings)
1129
1130 elif a.remove_entry:
1131 cmd.remove_sequence(a.remove_entry, settings.removeEntry,
1132 settings.queryEntry, None, "'%s'")
1133 ipset.update(settings)
1134
1135 elif a.query_entry:
1136 cmd.query_sequence(a.query_entry, settings.queryEntry, None, "'%s'")
1137
1138 elif a.get_entries:
1139 l = settings.getEntries()
1140 cmd.print_and_exit("\n".join(l))
1141
1142 elif a.add_entries_from_file:
1143 changed = False
1144
1145 for filename in a.add_entries_from_file:
1146 try:
1147 entries = cmd.get_ipset_entries_from_file(filename)
1148 except IOError as msg:
1149 message = "Failed to read file '%s': %s" % (filename, msg)
1150 if len(a.add_entries_from_file) > 1:
1151 cmd.print_warning(message)
1152 else:
1153 cmd.print_and_exit(message)
1154 else:
1155 old_entries = settings.getEntries()
1156 entries_set = set()
1157 for entry in old_entries:
1158 entries_set.add(entry)
1159 for entry in entries:
1160 if entry not in entries_set:
1161 old_entries.append(entry)
1162 entries_set.add(entry)
1163 changed = True
1164 else:
1165 cmd.print_if_verbose(
1166 "Warning: ALREADY_ENABLED: %s" % entry)
1167 if changed:
1168 settings.setEntries(old_entries)
1169 if changed:
1170 ipset.update(settings)
1171
1172 elif a.remove_entries_from_file:
1173 changed = False
1174
1175 for filename in a.remove_entries_from_file:
1176 try:
1177 entries = cmd.get_ipset_entries_from_file(filename)
1178 except IOError as msg:
1179 message = "Failed to read file '%s': %s" % (filename, msg)
1180 if len(a.remove_entries_from_file) > 1:
1181 cmd.print_warning(message)
1182 else:
1183 cmd.print_and_exit(message)
1184 else:
1185 old_entries = settings.getEntries()
1186 entries_set = set()
1187 for entry in old_entries:
1188 entries_set.add(entry)
1189 for entry in entries:
1190 if entry in entries_set:
1191 old_entries.remove(entry)
1192 entries_set.discard(entry)
1193 changed = True
1194 else:
1195 cmd.print_if_verbose("Warning: NOT_ENABLED: %s" % entry)
1196 if changed:
1197 settings.setEntries(old_entries)
1198 if changed:
1199 ipset.update(settings)
1200
1201 elif a.set_description:
1202 settings.setDescription(a.set_description)
1203 ipset.update(settings)
1204
1205 elif a.get_description:
1206 cmd.print_and_exit(settings.getDescription())
1207
1208 elif a.set_short:
1209 settings.setShort(a.set_short)
1210 ipset.update(settings)
1211
1212 elif a.get_short:
1213 cmd.print_and_exit(settings.getShort())
1214
1215 else:
1216 cmd.fail(parser.format_usage() + "Unknown option")
1217
1218 elif a.get_zones:
1219 cmd.print_and_exit(" ".join(fw.config().getZoneNames()))
1220
1221 elif a.new_zone:
1222 config = fw.config()
1223 config.addZone(a.new_zone, FirewallClientZoneSettings())
1224
1225 elif a.new_zone_from_file:
1226 filename = os.path.basename(a.new_zone_from_file)
1227 dirname = os.path.dirname(a.new_zone_from_file)
1228 if dirname == "":
1229 dirname = "./"
1230 try:
1231 obj = zone_reader(filename, dirname)
1232 except FirewallError as msg:
1233 cmd.fail("Failed to load zone file '%s': %s" % \
1234 (a.new_zone_from_file, msg))
1235 except IOError as msg:
1236 cmd.fail("Failed to load zone file: %s" % msg)
1237
1238 if a.name:
1239 obj.name = a.name
1240
1241 config = fw.config()
1242 config.addZone(obj.name, obj.export_config())
1243
1244 elif a.delete_zone:
1245 zone = fw.config().getZoneByName(a.delete_zone)
1246 zone.remove()
1247
1248 elif a.load_zone_defaults:
1249 zone = fw.config().getZoneByName(a.load_zone_defaults)
1250 zone.loadDefaults()
1251
1252 elif a.info_zone:
1253 zone = fw.config().getZoneByName(a.info_zone)
1254 cmd.print_zone_info(a.info_zone, zone.getSettings(), True)
1255 sys.exit(0)
1256
1257 elif a.path_zone:
1258 zone = fw.config().getZoneByName(a.path_zone)
1259 cmd.print_and_exit("%s/%s" % (zone.get_property("path"),
1260 zone.get_property("filename")))
1261
1262 elif a.get_services:
1263 cmd.print_and_exit(" ".join(fw.config().getServiceNames()))
1264
1265 elif a.new_service:
1266 config = fw.config()
1267 config.addService(a.new_service, FirewallClientServiceSettings())
1268
1269 elif a.new_service_from_file:
1270 filename = os.path.basename(a.new_service_from_file)
1271 dirname = os.path.dirname(a.new_service_from_file)
1272 if dirname == "":
1273 dirname = "./"
1274 try:
1275 obj = service_reader(filename, dirname)
1276 except FirewallError as msg:
1277 cmd.fail("Failed to load service file '%s': %s" % \
1278 (a.new_service_from_file, msg))
1279 except IOError as msg:
1280 cmd.fail("Failed to load service file: %s" % msg)
1281
1282 if a.name:
1283 obj.name = a.name
1284
1285 config = fw.config()
1286 config.addService(obj.name, obj.export_config())
1287
1288 elif a.delete_service:
1289 service = fw.config().getServiceByName(a.delete_service)
1290 service.remove()
1291
1292 elif a.load_service_defaults:
1293 service = fw.config().getServiceByName(a.load_service_defaults)
1294 service.loadDefaults()
1295
1296 elif a.info_service:
1297 service = fw.config().getServiceByName(a.info_service)
1298 cmd.print_service_info(a.info_service, service.getSettings())
1299 sys.exit(0)
1300
1301 elif a.path_service:
1302 service = fw.config().getServiceByName(a.path_service)
1303 cmd.print_and_exit("%s/%s" % (service.get_property("path"),
1304 service.get_property("filename")))
1305
1306 elif a.get_helpers:
1307 cmd.print_and_exit(" ".join(fw.config().getHelperNames()))
1308
1309 elif a.new_helper:
1310 if not a.module:
1311 cmd.fail(parser.format_usage() + "No module specified.")
1312 settings = FirewallClientHelperSettings()
1313 settings.setModule(a.module)
1314 if a.family:
1315 settings.setFamily(a.family)
1316 config = fw.config()
1317 config.addHelper(a.new_helper, settings)
1318
1319 elif a.new_helper_from_file:
1320 filename = os.path.basename(a.new_helper_from_file)
1321 dirname = os.path.dirname(a.new_helper_from_file)
1322 if dirname == "":
1323 dirname = "./"
1324 try:
1325 obj = helper_reader(filename, dirname)
1326 except FirewallError as msg:
1327 cmd.fail("Failed to load helper file '%s': %s" % \
1328 (a.new_helper_from_file, msg))
1329 except IOError as msg:
1330 cmd.fail("Failed to load helper file: %s" % msg)
1331
1332 if a.name:
1333 obj.name = a.name
1334
1335 config = fw.config()
1336 config.addHelper(obj.name, obj.export_config())
1337
1338 elif a.delete_helper:
1339 helper = fw.config().getHelperByName(a.delete_helper)
1340 helper.remove()
1341
1342 elif a.load_helper_defaults:
1343 helper = fw.config().getHelperByName(a.load_helper_defaults)
1344 helper.loadDefaults()
1345
1346 elif a.info_helper:
1347 helper = fw.config().getHelperByName(a.info_helper)
1348 cmd.print_helper_info(a.info_helper, helper.getSettings())
1349 sys.exit(0)
1350
1351 elif a.path_helper:
1352 helper = fw.config().getHelperByName(a.path_helper)
1353 cmd.print_and_exit("%s/%s" % (helper.get_property("path"),
1354 helper.get_property("filename")))
1355
1356 elif a.helper:
1357 helper = fw.config().getHelperByName(a.helper)
1358 settings = helper.getSettings()
1359
1360 if a.add_port:
1361 cmd.add_sequence(a.add_port, settings.addPort,
1362 settings.queryPort, cmd.parse_port, "%s/%s")
1363 helper.update(settings)
1364
1365 elif a.remove_port:
1366 cmd.remove_sequence(a.remove_port, settings.removePort,
1367 settings.queryPort, cmd.parse_port, "%s/%s")
1368 helper.update(settings)
1369
1370 elif a.query_port:
1371 cmd.query_sequence(a.query_port, settings.queryPort,
1372 cmd.parse_port, "%s/%s")
1373
1374 elif a.get_ports:
1375 l = helper.getPorts()
1376 cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
1377
1378 elif a.get_module:
1379 cmd.print_and_exit(settings.getModule())
1380
1381 elif a.set_module:
1382 settings.setModule(cmd.check_module(a.set_module))
1383 helper.update(settings)
1384
1385 elif a.get_family:
1386 cmd.print_and_exit(settings.getFamily())
1387
1388 elif a.set_family:
1389 settings.setFamily(cmd.check_helper_family(a.set_family[0]))
1390 helper.update(settings)
1391
1392 elif a.set_description:
1393 settings.setDescription(a.set_description)
1394 helper.update(settings)
1395
1396 elif a.get_description:
1397 cmd.print_and_exit(settings.getDescription())
1398
1399 elif a.set_short:
1400 settings.setShort(a.set_short)
1401 helper.update(settings)
1402
1403 elif a.get_short:
1404 cmd.print_and_exit(settings.getShort())
1405
1406 else:
1407 cmd.fail(parser.format_usage() + "Unknown option")
1408
1409 elif a.get_icmptypes:
1410 cmd.print_and_exit(" ".join(fw.config().getIcmpTypeNames()))
1411
1412 elif a.new_icmptype:
1413 config = fw.config()
1414 config.addIcmpType(a.new_icmptype, FirewallClientIcmpTypeSettings())
1415
1416 elif a.new_icmptype_from_file:
1417 filename = os.path.basename(a.new_icmptype_from_file)
1418 dirname = os.path.dirname(a.new_icmptype_from_file)
1419 if dirname == "":
1420 dirname = "./"
1421 try:
1422 obj = icmptype_reader(filename, dirname)
1423 except FirewallError as msg:
1424 cmd.fail("Failed to load icmptype file '%s': %s" % \
1425 (a.new_icmptype_from_file, msg))
1426 except IOError as msg:
1427 cmd.fail("Failed to load icmptype file: %s" % msg)
1428
1429 if a.name:
1430 obj.name = a.name
1431
1432 config = fw.config()
1433 config.addIcmpType(obj.name, obj.export_config())
1434
1435 elif a.delete_icmptype:
1436 icmptype = fw.config().getIcmpTypeByName(a.delete_icmptype)
1437 icmptype.remove()
1438
1439 elif a.load_icmptype_defaults:
1440 icmptype = fw.config().getIcmpTypeByName(a.load_icmptype_defaults)
1441 icmptype.loadDefaults()
1442
1443 elif a.info_icmptype:
1444 icmptype = fw.config().getIcmpTypeByName(a.info_icmptype)
1445 cmd.print_icmptype_info(a.info_icmptype, icmptype.getSettings())
1446 sys.exit(0)
1447
1448 elif a.path_icmptype:
1449 icmptype = fw.config().getIcmpTypeByName(a.path_icmptype)
1450 cmd.print_and_exit("%s/%s" % (icmptype.get_property("path"),
1451 icmptype.get_property("filename")))
1452
1453 elif a.icmptype:
1454 icmptype = fw.config().getIcmpTypeByName(a.icmptype)
1455 settings = icmptype.getSettings()
1456
1457 if a.add_destination:
1458 cmd.add_sequence(a.add_destination, settings.addDestination,
1459 settings.queryDestination,
1460 cmd.check_destination_ipv, "'%s'")
1461 icmptype.update(settings)
1462
1463 elif a.remove_destination:
1464 cmd.remove_sequence(a.remove_destination,
1465 settings.removeDestination,
1466 settings.queryDestination,
1467 cmd.check_destination_ipv, "'%s'")
1468 icmptype.update(settings)
1469
1470 elif a.query_destination:
1471 cmd.query_sequence(a.query_destination, settings.queryDestination,
1472 cmd.check_destination_ipv , "'%s'")
1473
1474 elif a.get_destinations:
1475 l = settings.getDestinations()
1476 if len(l) == 0:
1477 l = [ "ipv4", "ipv6" ]
1478 cmd.print_and_exit("\n".join(l))
1479
1480 elif a.set_description:
1481 settings.setDescription(a.set_description)
1482 icmptype.update(settings)
1483
1484 elif a.get_description:
1485 cmd.print_and_exit(settings.getDescription())
1486
1487 elif a.set_short:
1488 settings.setShort(a.set_short)
1489 icmptype.update(settings)
1490
1491 elif a.get_short:
1492 cmd.print_and_exit(settings.getShort())
1493
1494 else:
1495 cmd.fail(parser.format_usage() + "Unknown option")
1496
1497 elif a.service:
1498 service = fw.config().getServiceByName(a.service)
1499 settings = service.getSettings()
1500
1501 if a.add_port:
1502 cmd.add_sequence(a.add_port, settings.addPort,
1503 settings.queryPort, cmd.parse_port, "%s/%s")
1504 service.update(settings)
1505
1506 elif a.remove_port:
1507 cmd.remove_sequence(a.remove_port, settings.removePort,
1508 settings.queryPort, cmd.parse_port, "%s/%s")
1509 service.update(settings)
1510
1511 elif a.query_port:
1512 cmd.query_sequence(a.query_port, settings.queryPort,
1513 cmd.parse_port, "%s/%s")
1514
1515 elif a.get_ports:
1516 l = settings.getPorts()
1517 cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
1518
1519 elif a.add_protocol:
1520 cmd.add_sequence(a.add_protocol, settings.addProtocol,
1521 settings.queryProtocol, None, "'%s'")
1522 service.update(settings)
1523
1524 elif a.remove_protocol:
1525 cmd.remove_sequence(a.remove_protocol, settings.removeProtocol,
1526 settings.queryProtocol, None, "'%s'")
1527 service.update(settings)
1528
1529 elif a.query_protocol:
1530 cmd.query_sequence(a.query_protocol, settings.queryProtocol,
1531 None, "'%s'")
1532
1533 elif a.get_protocols:
1534 l = settings.getProtocols()
1535 cmd.print_and_exit(" ".join(["%s" % protocol for protocol in l]))
1536
1537 elif a.add_source_port:
1538 cmd.add_sequence(a.add_source_port, settings.addSourcePort,
1539 settings.querySourcePort, cmd.parse_port, "%s/%s")
1540 service.update(settings)
1541
1542 elif a.remove_source_port:
1543 cmd.remove_sequence(a.remove_source_port, settings.removeSourcePort,
1544 settings.querySourcePort, cmd.parse_port,
1545 "%s/%s")
1546 service.update(settings)
1547
1548 elif a.query_source_port:
1549 cmd.query_sequence(a.query_source_port, settings.querySourcePort,
1550 cmd.parse_port, "%s/%s")
1551
1552 elif a.get_source_ports:
1553 l = settings.getSourcePorts()
1554 cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
1555
1556 elif a.add_module:
1557 cmd.add_sequence(a.add_module, settings.addModule,
1558 settings.queryModule, None, "'%s'")
1559 service.update(settings)
1560
1561 elif a.remove_module:
1562 cmd.remove_sequence(a.remove_module, settings.removeModule,
1563 settings.queryModule, None, "'%s'")
1564 service.update(settings)
1565
1566 elif a.query_module:
1567 cmd.query_sequence(a.query_module, settings.queryModule,
1568 None, "'%s'")
1569
1570 elif a.get_modules:
1571 l = settings.getModules()
1572 cmd.print_and_exit(" ".join(["%s" % module for module in l]))
1573
1574 elif a.set_destination:
1575 cmd.add_sequence(a.set_destination, settings.setDestination,
1576 settings.queryDestination,
1577 cmd.parse_service_destination, "%s:%s")
1578 service.update(settings)
1579
1580 elif a.remove_destination:
1581 # special case for removeDestination: Only ipv, no address
1582 for ipv in a.remove_destination:
1583 cmd.check_destination_ipv(ipv)
1584 if ipv not in settings.getDestinations():
1585 if len(a.remove_destination) > 1:
1586 cmd.print_warning("Warning: NOT_ENABLED: '%s'" % ipv)
1587 else:
1588 code = FirewallError.get_code("NOT_ENABLED")
1589 cmd.print_and_exit("Error: NOT_ENABLED: '%s'" % ipv,
1590 code)
1591 else:
1592 settings.removeDestination(ipv)
1593 service.update(settings)
1594
1595 elif a.query_destination:
1596 cmd.query_sequence(a.query_destination, settings.queryDestination,
1597 cmd.parse_service_destination, "'%s'")
1598
1599 elif a.get_destinations:
1600 l = settings.getDestinations()
1601 cmd.print_and_exit(" ".join(["%s:%s" % (dest[0], dest[1]) for dest in l.items()]))
1602
1603 elif a.add_include:
1604 cmd.add_sequence(a.add_include, settings.addInclude,
1605 settings.queryInclude, None, "'%s'")
1606 service.update(settings)
1607
1608 elif a.remove_include:
1609 cmd.remove_sequence(a.remove_include, settings.removeInclude,
1610 settings.queryInclude, None, "'%s'")
1611 service.update(settings)
1612
1613 elif a.query_include:
1614 cmd.query_sequence(a.query_include, settings.queryInclude,
1615 None, "'%s'")
1616
1617 elif a.get_includes:
1618 l = settings.getIncludes()
1619 cmd.print_and_exit(" ".join(["%s" % include for include in sorted(l)]))
1620
1621 elif a.add_helper:
1622 cmd.add_sequence(a.add_helper, settings.addHelper,
1623 settings.queryHelper, None, "'%s'")
1624 service.update(settings)
1625
1626 elif a.remove_helper:
1627 cmd.remove_sequence(a.remove_helper, settings.removeHelper,
1628 settings.queryHelper, None, "'%s'")
1629 service.update(settings)
1630
1631 elif a.query_helper:
1632 cmd.query_sequence(a.query_helper, settings.queryHelper,
1633 None, "'%s'")
1634
1635 elif a.get_service_helpers:
1636 l = settings.getHelpers()
1637 cmd.print_and_exit(" ".join(["%s" % helper for helper in sorted(l)]))
1638
1639 elif a.set_description:
1640 settings.setDescription(a.set_description)
1641 service.update(settings)
1642
1643 elif a.get_description:
1644 cmd.print_and_exit(settings.getDescription())
1645
1646 elif a.set_short:
1647 settings.setShort(a.set_short)
1648 service.update(settings)
1649
1650 elif a.get_short:
1651 cmd.print_and_exit(settings.getShort())
1652
1653 else:
1654 cmd.fail(parser.format_usage() + "Unknown option")
1655
1656 # lockdown whitelist
1657
1658 elif options_lockdown_whitelist:
1659 policies = fw.config().policies()
1660
1661 # commands
1662 if a.list_lockdown_whitelist_commands:
1663 l = policies.getLockdownWhitelistCommands()
1664 cmd.print_and_exit("\n".join(l))
1665 elif a.add_lockdown_whitelist_command:
1666 cmd.add_sequence(a.add_lockdown_whitelist_command,
1667 policies.addLockdownWhitelistCommand,
1668 policies.queryLockdownWhitelistCommand,
1669 None, "'%s'")
1670 elif a.remove_lockdown_whitelist_command:
1671 cmd.remove_sequence(a.remove_lockdown_whitelist_command,
1672 policies.removeLockdownWhitelistCommand,
1673 policies.queryLockdownWhitelistCommand,
1674 None, "'%s'")
1675 elif a.query_lockdown_whitelist_command:
1676 cmd.query_sequence(a.query_lockdown_whitelist_command,
1677 policies.queryLockdownWhitelistCommand,
1678 None, "'%s'")
1679
1680 # contexts
1681 elif a.list_lockdown_whitelist_contexts:
1682 l = policies.getLockdownWhitelistContexts()
1683 cmd.print_and_exit("\n".join(l))
1684 elif a.add_lockdown_whitelist_context:
1685 cmd.add_sequence(a.add_lockdown_whitelist_context,
1686 policies.addLockdownWhitelistContext,
1687 policies.queryLockdownWhitelistContext,
1688 None, "'%s'")
1689 elif a.remove_lockdown_whitelist_context:
1690 cmd.remove_sequence(a.remove_lockdown_whitelist_context,
1691 policies.removeLockdownWhitelistContext,
1692 policies.queryLockdownWhitelistContext,
1693 None, "'%s'")
1694 elif a.query_lockdown_whitelist_context:
1695 cmd.query_sequence(a.query_lockdown_whitelist_context,
1696 policies.queryLockdownWhitelistContext,
1697 None, "'%s'")
1698
1699 # uids
1700 elif a.list_lockdown_whitelist_uids:
1701 l = policies.getLockdownWhitelistUids()
1702 cmd.print_and_exit(" ".join(map(str, l)))
1703 elif a.add_lockdown_whitelist_uid is not None:
1704 cmd.add_sequence(a.add_lockdown_whitelist_uid,
1705 policies.addLockdownWhitelistUid,
1706 policies.queryLockdownWhitelistUid, None, "%s")
1707 elif a.remove_lockdown_whitelist_uid is not None:
1708 cmd.remove_sequence(a.remove_lockdown_whitelist_uid,
1709 policies.removeLockdownWhitelistUid,
1710 policies.queryLockdownWhitelistUid, None, "%s")
1711 elif a.query_lockdown_whitelist_uid is not None:
1712 cmd.query_sequence(a.query_lockdown_whitelist_uid,
1713 policies.queryLockdownWhitelistUid, None, "%s")
1714
1715 # users
1716 elif a.list_lockdown_whitelist_users:
1717 l = policies.getLockdownWhitelistUsers()
1718 cmd.print_and_exit("\n".join(l))
1719 elif a.add_lockdown_whitelist_user:
1720 cmd.add_sequence(a.add_lockdown_whitelist_user,
1721 policies.addLockdownWhitelistUser,
1722 policies.queryLockdownWhitelistUser,
1723 None, "%s")
1724 elif a.remove_lockdown_whitelist_user:
1725 cmd.remove_sequence(a.remove_lockdown_whitelist_user,
1726 policies.removeLockdownWhitelistUser,
1727 policies.queryLockdownWhitelistUser,
1728 None, "%s")
1729 elif a.query_lockdown_whitelist_user:
1730 cmd.query_sequence(a.query_lockdown_whitelist_user,
1731 policies.queryLockdownWhitelistUser,
1732 None, "'%s'")
1733
1734 elif options_direct:
1735 direct = fw.config().direct()
1736
1737 if a.passthrough:
1738 if len(a.passthrough) < 2:
1739 cmd.fail("usage: --permanent --direct --passthrough { ipv4 | ipv6 | eb } <args>")
1740 cmd.print_msg(direct.addPassthrough(cmd.check_ipv(a.passthrough[0]),
1741 splitArgs(a.passthrough[1])))
1742
1743 if a.add_passthrough:
1744 if len(a.add_passthrough) < 2:
1745 cmd.fail("usage: --permanent --direct --add-passthrough { ipv4 | ipv6 | eb } <args>")
1746 cmd.print_msg(direct.addPassthrough(cmd.check_ipv(a.add_passthrough[0]),
1747 splitArgs(a.add_passthrough[1])))
1748
1749 elif a.remove_passthrough:
1750 if len(a.remove_passthrough) < 2:
1751 cmd.fail("usage: --permanent --direct --remove-passthrough { ipv4 | ipv6 | eb } <args>")
1752 direct.removePassthrough(cmd.check_ipv(a.remove_passthrough[0]),
1753 splitArgs(a.remove_passthrough[1]))
1754 elif a.query_passthrough:
1755 if len(a.query_passthrough) < 2:
1756 cmd.fail("usage: --permanent --direct --query-passthrough { ipv4 | ipv6 | eb } <args>")
1757 cmd.print_query_result(
1758 direct.queryPassthrough(cmd.check_ipv(a.query_passthrough[0]),
1759 splitArgs(a.query_passthrough[1])))
1760 sys.exit(0)
1761 elif a.get_passthroughs:
1762 rules = direct.getPassthroughs(cmd.check_ipv(a.get_passthroughs[0]))
1763 for rule in rules:
1764 cmd.print_msg(joinArgs(rule))
1765 sys.exit(0)
1766 elif a.get_all_passthroughs:
1767 for (ipv, rule) in direct.getAllPassthroughs():
1768 cmd.print_msg("%s %s" % (ipv, joinArgs(rule)))
1769 sys.exit(0)
1770
1771 elif a.add_chain:
1772 direct.addChain(cmd.check_ipv(a.add_chain[0]),
1773 a.add_chain[1], a.add_chain[2])
1774 elif a.remove_chain:
1775 direct.removeChain(cmd.check_ipv(a.remove_chain[0]),
1776 a.remove_chain[1], a.remove_chain[2])
1777 elif a.query_chain:
1778 cmd.print_query_result(
1779 direct.queryChain(cmd.check_ipv(a.query_chain[0]),
1780 a.query_chain[1], a.query_chain[2]))
1781 sys.exit(0)
1782 elif a.get_chains:
1783 cmd.print_and_exit(
1784 " ".join(direct.getChains(cmd.check_ipv(a.get_chains[0]),
1785 a.get_chains[1])))
1786 sys.exit(0)
1787 elif a.get_all_chains:
1788 chains = direct.getAllChains()
1789 for (ipv, table, chain) in chains:
1790 cmd.print_msg("%s %s %s" % (ipv, table, chain))
1791 sys.exit(0)
1792 elif a.add_rule:
1793 if len(a.add_rule) < 5:
1794 cmd.fail("usage: --permanent --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
1795 try:
1796 priority = int(a.add_rule[3])
1797 except ValueError:
1798 cmd.fail("usage: --permanent --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
1799 direct.addRule(cmd.check_ipv(a.add_rule[0]), a.add_rule[1],
1800 a.add_rule[2], priority, splitArgs(a.add_rule[4]))
1801 elif a.remove_rule:
1802 if len(a.remove_rule) < 5:
1803 cmd.fail("usage: --permanent --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
1804 try:
1805 priority = int(a.remove_rule[3])
1806 except ValueError:
1807 cmd.fail("usage: --permanent --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
1808 direct.removeRule(cmd.check_ipv(a.remove_rule[0]), a.remove_rule[1],
1809 a.remove_rule[2], priority, splitArgs(a.remove_rule[4]))
1810 elif a.remove_rules:
1811 if len(a.remove_rules) < 3:
1812 cmd.fail("usage: --permanent --direct --remove-rules { ipv4 | ipv6 | eb } <table> <chain>")
1813 direct.removeRules(cmd.check_ipv(a.remove_rules[0]),
1814 a.remove_rules[1], a.remove_rules[2])
1815 elif a.query_rule:
1816 if len(a.query_rule) < 5:
1817 cmd.fail("usage: --permanent --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
1818 try:
1819 priority = int(a.query_rule[3])
1820 except ValueError:
1821 cmd.fail("usage: --permanent --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
1822 cmd.print_query_result(
1823 direct.queryRule(cmd.check_ipv(a.query_rule[0]),
1824 a.query_rule[1], a.query_rule[2],
1825 priority, splitArgs(a.query_rule[4])))
1826 sys.exit(0)
1827 elif a.get_rules:
1828 rules = direct.getRules(cmd.check_ipv(a.get_rules[0]),
1829 a.get_rules[1], a.get_rules[2])
1830 for (priority, rule) in rules:
1831 cmd.print_msg("%d %s" % (priority, joinArgs(rule)))
1832 sys.exit(0)
1833 elif a.get_all_rules:
1834 rules = direct.getAllRules()
1835 for (ipv, table, chain, priority, rule) in rules:
1836 cmd.print_msg("%s %s %s %d %s" % (ipv, table, chain, priority,
1837 joinArgs(rule)))
1838 sys.exit(0)
1839
1840 else:
1841 if zone == "":
1842 zone = fw.getDefaultZone()
1843 fw_zone = fw.config().getZoneByName(zone)
1844
1845 # interface
1846 if a.list_interfaces:
1847 interfaces = sorted(set(try_nm_get_interfaces_in_zone(zone))
1848 | set(fw_zone.getInterfaces()))
1849 cmd.print_and_exit(" ".join(interfaces))
1850 elif a.get_zone_of_interface:
1851 for interface in a.get_zone_of_interface:
1852 # ask NM before checking our config
1853 zone = try_get_zone_of_interface(interface)
1854 if not zone:
1855 zone = fw.config().getZoneOfInterface(interface)
1856 if zone:
1857 if len(a.get_zone_of_interface) > 1:
1858 cmd.print_warning("%s: %s" % (interface, zone))
1859 else:
1860 cmd.print_and_exit(zone)
1861 else:
1862 if len(a.get_zone_of_interface) > 1:
1863 cmd.print_warning("%s: no zone" % interface)
1864 else:
1865 cmd.fail("no zone")
1866 elif a.change_interface:
1867 interfaces = [ ]
1868 for interface in a.change_interface:
1869 if not try_set_zone_of_interface(zone, interface):
1870 interfaces.append(interface)
1871 for interface in interfaces:
1872 old_zone_name = fw.config().getZoneOfInterface(interface)
1873 if old_zone_name != zone:
1874 if old_zone_name:
1875 old_zone_obj = fw.config().getZoneByName(old_zone_name)
1876 old_zone_obj.removeInterface(interface)# remove from old
1877 fw_zone.addInterface(interface) # add to new
1878 elif a.add_interface:
1879 interfaces = [ ]
1880 for interface in a.add_interface:
1881 if not try_set_zone_of_interface(a.zone, interface):
1882 interfaces.append(interface)
1883 cmd.add_sequence(interfaces, fw_zone.addInterface,
1884 fw_zone.queryInterface, None, "'%s'")
1885 elif a.remove_interface:
1886 interfaces = [ ]
1887 for interface in a.remove_interface:
1888 if not try_set_zone_of_interface("", interface):
1889 interfaces.append(interface)
1890 cmd.remove_sequence(interfaces, fw_zone.removeInterface,
1891 fw_zone.queryInterface, None, "'%s'")
1892 elif a.query_interface:
1893 cmd.query_sequence(a.query_interface, fw_zone.queryInterface,
1894 None, "'%s'")
1895
1896 # source
1897 if a.list_sources:
1898 sources = fw_zone.getSources()
1899 cmd.print_and_exit(" ".join(sources))
1900 elif a.get_zone_of_source:
1901 for source in a.get_zone_of_source:
1902 zone = fw.config().getZoneOfSource(source)
1903 if zone:
1904 if len(a.get_zone_of_source) > 1:
1905 cmd.print_warning("%s: %s" % (source, zone))
1906 else:
1907 cmd.print_and_exit(zone)
1908 else:
1909 if len(a.get_zone_of_source) > 1:
1910 cmd.print_warning("%s: no zone" % source)
1911 else:
1912 cmd.fail("no zone")
1913 elif a.change_source:
1914 for source in a.change_source:
1915 old_zone_name = fw.config().getZoneOfSource(source)
1916 if old_zone_name != zone:
1917 if old_zone_name:
1918 old_zone_obj = fw.config().getZoneByName(old_zone_name)
1919 old_zone_obj.removeSource(source) # remove from old
1920 fw_zone.addSource(source) # add to new
1921 elif a.add_source:
1922 cmd.add_sequence(a.add_source, fw_zone.addSource,
1923 fw_zone.querySource, None, "'%s'")
1924 elif a.remove_source:
1925 cmd.remove_sequence(a.remove_source, fw_zone.removeSource,
1926 fw_zone.querySource, None, "'%s'")
1927 elif a.query_source:
1928 cmd.query_sequence(a.query_source, fw_zone.querySource,
1929 None, "'%s'")
1930
1931 # rich rules
1932 if a.list_rich_rules:
1933 l = fw_zone.getRichRules()
1934 cmd.print_and_exit("\n".join(l))
1935 elif a.add_rich_rule:
1936 cmd.add_sequence(a.add_rich_rule, fw_zone.addRichRule,
1937 fw_zone.queryRichRule, None, "'%s'")
1938 elif a.remove_rich_rule:
1939 cmd.remove_sequence(a.remove_rich_rule, fw_zone.removeRichRule,
1940 fw_zone.queryRichRule, None, "'%s'")
1941 elif a.query_rich_rule:
1942 cmd.query_sequence(a.query_rich_rule, fw_zone.queryRichRule,
1943 None, "'%s'")
1944
1945 # service
1946 if a.list_services:
1947 l = fw_zone.getServices()
1948 cmd.print_and_exit(" ".join(sorted(l)))
1949 elif a.add_service:
1950 cmd.add_sequence(a.add_service, fw_zone.addService,
1951 fw_zone.queryService, None, "'%s'")
1952 elif a.remove_service:
1953 cmd.remove_sequence(a.remove_service, fw_zone.removeService,
1954 fw_zone.queryService, None, "'%s'")
1955 elif a.query_service:
1956 cmd.query_sequence(a.query_service, fw_zone.queryService,
1957 None, "'%s'")
1958
1959 # port
1960 elif a.list_ports:
1961 l = fw_zone.getPorts()
1962 cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
1963 elif a.add_port:
1964 cmd.add_sequence(a.add_port, fw_zone.addPort,
1965 fw_zone.queryPort, cmd.parse_port, "%s/%s")
1966 elif a.remove_port:
1967 cmd.remove_sequence(a.remove_port, fw_zone.removePort,
1968 fw_zone.queryPort, cmd.parse_port, "%s/%s")
1969 elif a.query_port:
1970 cmd.query_sequence(a.query_port, fw_zone.queryPort,
1971 cmd.parse_port, "%s/%s")
1972
1973 # protocol
1974 elif a.list_protocols:
1975 l = fw_zone.getProtocols()
1976 cmd.print_and_exit(" ".join(["%s" % protocol for protocol in sorted(l)]))
1977 elif a.add_protocol:
1978 cmd.add_sequence(a.add_protocol, fw_zone.addProtocol,
1979 fw_zone.queryProtocol, None, "'%s'")
1980 elif a.remove_protocol:
1981 cmd.remove_sequence(a.remove_protocol, fw_zone.removeProtocol,
1982 fw_zone.queryProtocol, None, "'%s'")
1983 elif a.query_protocol:
1984 cmd.query_sequence(a.query_protocol, fw_zone.queryProtocol,
1985 None, "'%s'")
1986
1987 # source port
1988 elif a.list_source_ports:
1989 l = fw_zone.getSourcePorts()
1990 cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
1991 elif a.add_source_port:
1992 cmd.add_sequence(a.add_source_port, fw_zone.addSourcePort,
1993 fw_zone.querySourcePort, cmd.parse_port, "%s/%s")
1994 elif a.remove_source_port:
1995 cmd.remove_sequence(a.remove_source_port, fw_zone.removeSourcePort,
1996 fw_zone.querySourcePort, cmd.parse_port,
1997 "%s/%s")
1998 elif a.query_source_port:
1999 cmd.query_sequence(a.query_source_port, fw_zone.querySourcePort,
2000 cmd.parse_port, "%s/%s")
2001
2002 # masquerade
2003 elif a.add_masquerade:
2004 fw_zone.addMasquerade()
2005 elif a.remove_masquerade:
2006 fw_zone.removeMasquerade()
2007 elif a.query_masquerade:
2008 cmd.print_query_result(fw_zone.queryMasquerade())
2009
2010 # forward port
2011 elif a.list_forward_ports:
2012 l = fw_zone.getForwardPorts()
2013 cmd.print_and_exit("\n".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % (port, protocol, toport, toaddr) for (port, protocol, toport, toaddr) in l]))
2014 elif a.add_forward_port:
2015 cmd.add_sequence(a.add_forward_port, fw_zone.addForwardPort,
2016 fw_zone.queryForwardPort, cmd.parse_forward_port,
2017 "port=%s:proto=%s:toport=%s:toaddr=%s")
2018 elif a.remove_forward_port:
2019 cmd.remove_sequence(a.remove_forward_port,
2020 fw_zone.removeForwardPort,
2021 fw_zone.queryForwardPort,
2022 cmd.parse_forward_port,
2023 "port=%s:proto=%s:toport=%s:toaddr=%s")
2024 elif a.query_forward_port:
2025 cmd.query_sequence(a.query_forward_port, fw_zone.queryForwardPort,
2026 cmd.parse_forward_port,
2027 "port=%s:proto=%s:toport=%s:toaddr=%s")
2028
2029 # block icmp
2030 elif a.list_icmp_blocks:
2031 l = fw_zone.getIcmpBlocks()
2032 cmd.print_and_exit(" ".join(l))
2033 elif a.add_icmp_block:
2034 cmd.add_sequence(a.add_icmp_block, fw_zone.addIcmpBlock,
2035 fw_zone.queryIcmpBlock, None, "'%s'")
2036 elif a.remove_icmp_block:
2037 cmd.remove_sequence(a.remove_icmp_block, fw_zone.removeIcmpBlock,
2038 fw_zone.queryIcmpBlock, None, "'%s'")
2039 elif a.query_icmp_block:
2040 cmd.query_sequence(a.query_icmp_block, fw_zone.queryIcmpBlock,
2041 None, "'%s'")
2042
2043 # icmp block inversion
2044 elif a.add_icmp_block_inversion:
2045 fw_zone.addIcmpBlockInversion()
2046 elif a.remove_icmp_block_inversion:
2047 fw_zone.removeIcmpBlockInversion()
2048 elif a.query_icmp_block_inversion:
2049 cmd.print_query_result(fw_zone.queryIcmpBlockInversion())
2050
2051 # zone target
2052 elif a.get_target:
2053 target = fw_zone.getTarget()
2054 cmd.print_and_exit(target if target != "%%REJECT%%" else "REJECT")
2055 elif a.set_target:
2056 fw_zone.setTarget(a.set_target if a.set_target != "REJECT" else "%%REJECT%%")
2057
2058 # list all zone settings
2059 elif a.list_all:
2060 interfaces = try_nm_get_interfaces_in_zone(zone)
2061 cmd.print_zone_info(zone, fw_zone.getSettings(), extra_interfaces=interfaces)
2062 sys.exit(0)
2063
2064 # list everything
2065 elif a.list_all_zones:
2066 names = fw.config().getZoneNames()
2067 for zone in sorted(names):
2068 interfaces = try_nm_get_interfaces_in_zone(zone)
2069 settings = fw.config().getZoneByName(zone).getSettings()
2070 cmd.print_zone_info(zone, settings, extra_interfaces=interfaces)
2071 cmd.print_msg("")
2072 sys.exit(0)
2073
2074 # set zone description
2075 elif a.set_description:
2076 settings = fw.config().getZoneByName(zone).getSettings()
2077 settings.setDescription(a.set_description)
2078 fw_zone.update(settings)
2079
2080 # get zone description
2081 elif a.get_description:
2082 settings = fw.config().getZoneByName(zone).getSettings()
2083 cmd.print_and_exit(settings.getDescription())
2084
2085 # set zone short description
2086 elif a.set_short:
2087 settings = fw.config().getZoneByName(zone).getSettings()
2088 settings.setShort(a.set_short)
2089 fw_zone.update(settings)
2090
2091 # get zone short description
2092 elif a.get_short:
2093 settings = fw.config().getZoneByName(zone).getSettings()
2094 cmd.print_and_exit(settings.getShort())
2095
2096 elif a.version:
2097 cmd.print_and_exit(fw.get_property("version"))
2098 elif a.state:
2099 state = fw.get_property("state")
2100 if state == "RUNNING":
2101 cmd.print_and_exit ("running")
2102 elif state == "FAILED":
2103 cmd.print_and_exit("failed", errors.RUNNING_BUT_FAILED)
2104 else:
2105 cmd.print_and_exit ("not running", errors.NOT_RUNNING)
2106 elif a.get_log_denied:
2107 cmd.print_and_exit(fw.getLogDenied())
2108 elif a.set_log_denied:
2109 fw.setLogDenied(a.set_log_denied)
2110 elif a.get_automatic_helpers:
2111 cmd.print_and_exit(fw.getAutomaticHelpers())
2112 elif a.set_automatic_helpers:
2113 fw.setAutomaticHelpers(a.set_automatic_helpers)
2114 elif a.get_ipset_types:
2115 types = fw.get_property("IPSetTypes")
2116 cmd.print_and_exit(" ".join(sorted(types)))
2117 elif a.reload:
2118 fw.reload()
2119 elif a.complete_reload:
2120 fw.complete_reload()
2121 elif a.runtime_to_permanent:
2122 fw.runtimeToPermanent()
2123 elif a.check_config:
2124 fw.checkPermanentConfig()
2125 elif a.direct:
2126 if a.passthrough:
2127 if len(a.passthrough) < 2:
2128 cmd.fail("usage: --direct --passthrough { ipv4 | ipv6 | eb } <args>")
2129 msg = fw.passthrough(cmd.check_ipv(a.passthrough[0]), splitArgs(a.passthrough[1]))
2130 if msg:
2131 sys.stdout.write(msg + "\n")
2132
2133 elif a.add_passthrough:
2134 if len(a.add_passthrough) < 2:
2135 cmd.fail("usage: --direct --add-passthrough { ipv4 | ipv6 | eb } <args>")
2136 fw.addPassthrough(cmd.check_ipv(a.add_passthrough[0]),
2137 splitArgs(a.add_passthrough[1]))
2138 elif a.remove_passthrough:
2139 if len(a.remove_passthrough) < 2:
2140 cmd.fail("usage: --direct --remove-passthrough { ipv4 | ipv6 | eb } <args>")
2141 fw.removePassthrough(cmd.check_ipv(a.remove_passthrough[0]),
2142 splitArgs(a.remove_passthrough[1]))
2143 elif a.query_passthrough:
2144 if len(a.query_passthrough) < 2:
2145 cmd.fail("usage: --direct --query-passthrough { ipv4 | ipv6 | eb } <args>")
2146 cmd.print_query_result(
2147 fw.queryPassthrough(cmd.check_ipv(a.query_passthrough[0]),
2148 splitArgs(a.query_passthrough[1])))
2149 elif a.get_passthroughs:
2150 rules = fw.getPassthroughs(cmd.check_ipv(a.get_passthroughs[0]))
2151 for rule in rules:
2152 cmd.print_msg(joinArgs(rule))
2153 sys.exit(0)
2154 elif a.get_all_passthroughs:
2155 for (ipv, rule) in fw.getAllPassthroughs():
2156 cmd.print_msg("%s %s" % (ipv, joinArgs(rule)))
2157 sys.exit(0)
2158 elif a.add_chain:
2159 fw.addChain(cmd.check_ipv(a.add_chain[0]), a.add_chain[1], a.add_chain[2])
2160 elif a.remove_chain:
2161 fw.removeChain(cmd.check_ipv(a.remove_chain[0]),
2162 a.remove_chain[1], a.remove_chain[2])
2163 elif a.query_chain:
2164 cmd.print_query_result(fw.queryChain(cmd.check_ipv(a.query_chain[0]),
2165 a.query_chain[1],
2166 a.query_chain[2]))
2167 elif a.get_chains:
2168 cmd.print_and_exit(" ".join(fw.getChains(cmd.check_ipv(a.get_chains[0]),
2169 a.get_chains[1])))
2170 elif a.get_all_chains:
2171 chains = fw.getAllChains()
2172 for (ipv, table, chain) in chains:
2173 cmd.print_msg("%s %s %s" % (ipv, table, chain))
2174 sys.exit(0)
2175 elif a.add_rule:
2176 if len(a.add_rule) < 5:
2177 cmd.fail("usage: --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
2178 try:
2179 priority = int(a.add_rule[3])
2180 except ValueError:
2181 cmd.fail("usage: --direct --add-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
2182 fw.addRule(cmd.check_ipv(a.add_rule[0]), a.add_rule[1], a.add_rule[2],
2183 priority, splitArgs(a.add_rule[4]))
2184 elif a.remove_rule:
2185 if len(a.remove_rule) < 5:
2186 cmd.fail("usage: --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
2187 try:
2188 priority = int(a.remove_rule[3])
2189 except ValueError:
2190 cmd.fail("usage: --direct --remove-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
2191 fw.removeRule(cmd.check_ipv(a.remove_rule[0]),
2192 a.remove_rule[1], a.remove_rule[2], priority, splitArgs(a.remove_rule[4]))
2193 elif a.remove_rules:
2194 if len(a.remove_rules) < 3:
2195 cmd.fail("usage: --direct --remove-rules { ipv4 | ipv6 | eb } <table> <chain>")
2196 fw.removeRules(cmd.check_ipv(a.remove_rules[0]),
2197 a.remove_rules[1], a.remove_rules[2])
2198 elif a.query_rule:
2199 if len(a.query_rule) < 5:
2200 cmd.fail("usage: --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
2201 try:
2202 priority = int(a.query_rule[3])
2203 except ValueError:
2204 cmd.fail("usage: --direct --query-rule { ipv4 | ipv6 | eb } <table> <chain> <priority> <args>")
2205 cmd.print_query_result(
2206 fw.queryRule(cmd.check_ipv(a.query_rule[0]),
2207 a.query_rule[1], a.query_rule[2],
2208 priority, splitArgs(a.query_rule[4])))
2209 elif a.get_rules:
2210 rules = fw.getRules(cmd.check_ipv(a.get_rules[0]),
2211 a.get_rules[1], a.get_rules[2])
2212 for (priority, rule) in rules:
2213 cmd.print_msg("%d %s" % (priority, joinArgs(rule)))
2214 sys.exit(0)
2215 elif a.get_all_rules:
2216 rules = fw.getAllRules()
2217 for (ipv, table, chain, priority, rule) in rules:
2218 cmd.print_msg("%s %s %s %d %s" % (ipv, table, chain, priority,
2219 joinArgs(rule)))
2220 sys.exit(0)
2221
2222 elif a.get_default_zone:
2223 cmd.print_and_exit(fw.getDefaultZone())
2224 elif a.set_default_zone:
2225 fw.setDefaultZone(a.set_default_zone)
2226 elif a.get_zones:
2227 cmd.print_and_exit(" ".join(fw.getZones()))
2228 elif a.get_active_zones:
2229 zones = fw.getActiveZones()
2230 for zone in zones:
2231 cmd.print_msg("%s" % zone)
2232 for x in [ "interfaces", "sources" ]:
2233 if x in zones[zone]:
2234 cmd.print_msg(" %s: %s" % (x, " ".join(zones[zone][x])))
2235 sys.exit(0)
2236 elif a.get_services:
2237 l = fw.listServices()
2238 cmd.print_and_exit(" ".join(l))
2239 elif a.get_icmptypes:
2240 l = fw.listIcmpTypes()
2241 cmd.print_and_exit(" ".join(l))
2242
2243 # panic
2244 elif a.panic_on:
2245 fw.enablePanicMode()
2246 elif a.panic_off:
2247 fw.disablePanicMode()
2248 elif a.query_panic:
2249 cmd.print_query_result(fw.queryPanicMode())
2250
2251 # ipset
2252 elif a.get_ipsets:
2253 ipsets = fw.getIPSets()
2254 cmd.print_and_exit(" ".join(sorted(ipsets)))
2255
2256 elif a.info_ipset:
2257 cmd.print_ipset_info(a.info_ipset, fw.getIPSetSettings(a.info_ipset))
2258 sys.exit(0)
2259
2260 elif a.add_entry:
2261 cmd.x_add_sequence(a.ipset, a.add_entry, fw.addEntry, fw.queryEntry,
2262 None, "'%s'")
2263
2264 elif a.remove_entry:
2265 cmd.x_remove_sequence(a.ipset, a.remove_entry, fw.removeEntry,
2266 fw.queryEntry, None, "'%s'")
2267
2268 elif a.query_entry:
2269 cmd.x_query_sequence(a.ipset, a.query_entry, fw.queryEntry, None, "'%s'")
2270
2271 elif a.get_entries:
2272 l = fw.getEntries(a.ipset)
2273 cmd.print_and_exit("\n".join(l))
2274
2275 elif a.add_entries_from_file:
2276 old_entries = fw.getEntries(a.ipset)
2277 changed = False
2278
2279 for filename in a.add_entries_from_file:
2280 try:
2281 entries = cmd.get_ipset_entries_from_file(filename)
2282 except IOError as msg:
2283 message = "Failed to read file '%s': %s" % (filename, msg)
2284 if len(a.add_entries_from_file) > 1:
2285 cmd.print_warning(message)
2286 else:
2287 cmd.print_and_exit(message)
2288 else:
2289 entries_set = set()
2290 for entry in old_entries:
2291 entries_set.add(entry)
2292 for entry in entries:
2293 if entry not in entries_set:
2294 old_entries.append(entry)
2295 entries_set.add(entry)
2296 changed = True
2297 else:
2298 cmd.print_if_verbose("Warning: ALREADY_ENABLED: %s" % entry)
2299 if changed:
2300 fw.setEntries(a.ipset, old_entries)
2301
2302 elif a.remove_entries_from_file:
2303 old_entries = fw.getEntries(a.ipset)
2304 changed = False
2305
2306 for filename in a.remove_entries_from_file:
2307 try:
2308 entries = cmd.get_ipset_entries_from_file(filename)
2309 except IOError as msg:
2310 message = "Failed to read file '%s': %s" % (filename, msg)
2311 if len(a.remove_entries_from_file) > 1:
2312 cmd.print_warning(message)
2313 else:
2314 cmd.print_and_exit(message)
2315 else:
2316 entries_set = set()
2317 for entry in old_entries:
2318 entries_set.add(entry)
2319 for entry in entries:
2320 if entry in entries_set:
2321 old_entries.remove(entry)
2322 entries_set.discard(entry)
2323 changed = True
2324 else:
2325 cmd.print_if_verbose("Warning: NOT_ENABLED: %s" % entry)
2326 if changed:
2327 fw.setEntries(a.ipset, old_entries)
2328
2329 # helper
2330 elif a.get_helpers:
2331 helpers = fw.getHelpers()
2332 cmd.print_and_exit(" ".join(sorted(helpers)))
2333
2334 elif a.info_helper:
2335 cmd.print_helper_info(a.info_helper, fw.getHelperSettings(a.info_helper))
2336 sys.exit(0)
2337
2338 # lockdown
2339 elif a.lockdown_on:
2340 fw.config().set_property("Lockdown", "yes") # permanent
2341 fw.enableLockdown() # runtime
2342 elif a.lockdown_off:
2343 fw.config().set_property("Lockdown", "no") # permanent
2344 fw.disableLockdown() # runtime
2345 elif a.query_lockdown:
2346 cmd.print_query_result(fw.queryLockdown()) # runtime
2347 #lockdown = fw.config().get_property("Lockdown")
2348 #cmd.print_query_result(lockdown.lower() in [ "yes", "true" ])
2349
2350 # lockdown whitelist
2351
2352 # commands
2353 elif a.list_lockdown_whitelist_commands:
2354 l = fw.getLockdownWhitelistCommands()
2355 cmd.print_and_exit("\n".join(l))
2356 elif a.add_lockdown_whitelist_command:
2357 cmd.add_sequence(a.add_lockdown_whitelist_command,
2358 fw.addLockdownWhitelistCommand,
2359 fw.queryLockdownWhitelistCommand, None, "'%s'")
2360 elif a.remove_lockdown_whitelist_command:
2361 cmd.remove_sequence(a.remove_lockdown_whitelist_command,
2362 fw.removeLockdownWhitelistCommand,
2363 fw.queryLockdownWhitelistCommand, None, "'%s'")
2364 elif a.query_lockdown_whitelist_command:
2365 cmd.query_sequence(a.query_lockdown_whitelist_command,
2366 fw.queryLockdownWhitelistCommand, None, "'%s'")
2367
2368 # contexts
2369 elif a.list_lockdown_whitelist_contexts:
2370 l = fw.getLockdownWhitelistContexts()
2371 cmd.print_and_exit("\n".join(l))
2372 elif a.add_lockdown_whitelist_context:
2373 cmd.add_sequence(a.add_lockdown_whitelist_context,
2374 fw.addLockdownWhitelistContext,
2375 fw.queryLockdownWhitelistContext, None, "'%s'")
2376 elif a.remove_lockdown_whitelist_context:
2377 cmd.remove_sequence(a.remove_lockdown_whitelist_context,
2378 fw.removeLockdownWhitelistContext,
2379 fw.queryLockdownWhitelistContext, None, "'%s'")
2380 elif a.query_lockdown_whitelist_context:
2381 cmd.query_sequence(a.query_lockdown_whitelist_context,
2382 fw.queryLockdownWhitelistContext, None, "'%s'")
2383
2384 # uids
2385 elif a.list_lockdown_whitelist_uids:
2386 l = fw.getLockdownWhitelistUids()
2387 cmd.print_and_exit(" ".join(map(str, l)))
2388 elif a.add_lockdown_whitelist_uid is not None:
2389 cmd.add_sequence(a.add_lockdown_whitelist_uid,
2390 fw.addLockdownWhitelistUid,
2391 fw.queryLockdownWhitelistUid, None, "'%s'")
2392 elif a.remove_lockdown_whitelist_uid is not None:
2393 cmd.remove_sequence(a.remove_lockdown_whitelist_uid,
2394 fw.removeLockdownWhitelistUid,
2395 fw.queryLockdownWhitelistUid, None, "'%s'")
2396 elif a.query_lockdown_whitelist_uid is not None:
2397 cmd.query_sequence(a.query_lockdown_whitelist_uid,
2398 fw.queryLockdownWhitelistUid, None, "'%s'")
2399
2400 # users
2401 elif a.list_lockdown_whitelist_users:
2402 l = fw.getLockdownWhitelistUsers()
2403 cmd.print_and_exit(" ".join(l))
2404 elif a.add_lockdown_whitelist_user:
2405 cmd.add_sequence(a.add_lockdown_whitelist_user,
2406 fw.addLockdownWhitelistUser,
2407 fw.queryLockdownWhitelistUser, None, "'%s'")
2408 elif a.remove_lockdown_whitelist_user:
2409 cmd.remove_sequence(a.remove_lockdown_whitelist_user,
2410 fw.removeLockdownWhitelistUser,
2411 fw.queryLockdownWhitelistUser, None, "'%s'")
2412 elif a.query_lockdown_whitelist_user:
2413 cmd.query_sequence(a.query_lockdown_whitelist_user,
2414 fw.queryLockdownWhitelistUser, None, "'%s'")
2415
2416 # interface
2417 elif a.list_interfaces:
2418 l = fw.getInterfaces(zone)
2419 cmd.print_and_exit(" ".join(l))
2420 elif a.get_zone_of_interface:
2421 for interface in a.get_zone_of_interface:
2422 zone = fw.getZoneOfInterface(interface)
2423 if zone:
2424 if len(a.get_zone_of_interface) > 1:
2425 cmd.print_warning("%s: %s" % (interface, zone))
2426 else:
2427 cmd.print_and_exit(zone)
2428 else:
2429 if len(a.get_zone_of_interface) > 1:
2430 cmd.print_warning("%s: no zone" % interface)
2431 else:
2432 cmd.fail("no zone")
2433 elif a.add_interface:
2434 interfaces = [ ]
2435 for interface in a.add_interface:
2436 interfaces.append(interface)
2437 cmd.x_add_sequence(zone, interfaces, fw.addInterface,
2438 fw.queryInterface, None, "'%s'")
2439 elif a.change_interface:
2440 interfaces = [ ]
2441 for interface in a.change_interface:
2442 interfaces.append(interface)
2443 cmd.x_add_sequence(zone, interfaces, fw.changeZoneOfInterface,
2444 fw.queryInterface, None, "'%s'")
2445 elif a.remove_interface:
2446 interfaces = [ ]
2447 for interface in a.remove_interface:
2448 interfaces.append(interface)
2449 cmd.x_remove_sequence(zone, interfaces, fw.removeInterface,
2450 fw.queryInterface, None, "'%s'")
2451 elif a.query_interface:
2452 cmd.x_query_sequence(zone, a.query_interface, fw.queryInterface, None,
2453 "'%s'")
2454
2455 # source
2456 elif a.list_sources:
2457 sources = fw.getSources(zone)
2458 cmd.print_and_exit(" ".join(sources))
2459 elif a.get_zone_of_source:
2460 for source in a.get_zone_of_source:
2461 zone = fw.getZoneOfSource(source)
2462 if zone:
2463 if len(a.get_zone_of_source) > 1:
2464 cmd.print_warning("%s: %s" % (source, zone))
2465 else:
2466 cmd.print_and_exit(zone)
2467 else:
2468 if len(a.get_zone_of_source) > 1:
2469 cmd.print_warning("%s: no zone" % source)
2470 else:
2471 cmd.fail("no zone")
2472 sys.exit(0)
2473 elif a.add_source:
2474 cmd.x_add_sequence(zone, a.add_source, fw.addSource,
2475 fw.querySource, None, "'%s'")
2476 elif a.change_source:
2477 cmd.x_add_sequence(zone, a.change_source, fw.changeZoneOfSource,
2478 fw.querySource, None, "'%s'")
2479 elif a.remove_source:
2480 cmd.x_remove_sequence(zone, a.remove_source, fw.removeSource,
2481 fw.querySource, None, "'%s'")
2482 elif a.query_source:
2483 cmd.x_query_sequence(zone, a.query_source, fw.querySource, None, "'%s'")
2484
2485 # rich rules
2486 elif a.list_rich_rules:
2487 l = fw.getRichRules(zone)
2488 cmd.print_and_exit("\n".join(l))
2489 elif a.add_rich_rule:
2490 cmd.zone_add_timeout_sequence(zone, a.add_rich_rule, fw.addRichRule,
2491 fw.queryRichRule, None, "'%s'",
2492 a.timeout)
2493 elif a.remove_rich_rule:
2494 cmd.x_remove_sequence(zone, a.remove_rich_rule, fw.removeRichRule,
2495 fw.queryRichRule, None, "'%s'")
2496 elif a.query_rich_rule:
2497 cmd.x_query_sequence(zone, a.query_rich_rule, fw.queryRichRule, None,
2498 "'%s'")
2499
2500 # service
2501 elif a.list_services:
2502 l = fw.getServices(zone)
2503 cmd.print_and_exit(" ".join(sorted(l)))
2504 elif a.add_service:
2505 cmd.zone_add_timeout_sequence(zone, a.add_service, fw.addService,
2506 fw.queryService, None, "'%s'",
2507 a.timeout)
2508 elif a.remove_service:
2509 cmd.x_remove_sequence(zone, a.remove_service, fw.removeService,
2510 fw.queryService, None, "'%s'")
2511 elif a.query_service:
2512 cmd.x_query_sequence(zone, a.query_service, fw.queryService, None, "'%s'")
2513
2514 # port
2515 elif a.list_ports:
2516 l = fw.getPorts(zone)
2517 cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
2518 elif a.add_port:
2519 cmd.zone_add_timeout_sequence(zone, a.add_port, fw.addPort, fw.queryPort,
2520 cmd.parse_port, "'%s/%s'", a.timeout)
2521 elif a.remove_port:
2522 cmd.x_remove_sequence(zone, a.remove_port, fw.removePort, fw.queryPort,
2523 cmd.parse_port, "'%s/%s'")
2524 elif a.query_port:
2525 cmd.x_query_sequence(zone, a.query_port, fw.queryPort, cmd.parse_port,
2526 "'%s/%s'")
2527
2528 # protocol
2529 elif a.list_protocols:
2530 l = fw.getProtocols(zone)
2531 cmd.print_and_exit(" ".join(["%s" % protocol for protocol in sorted(l)]))
2532 elif a.add_protocol:
2533 cmd.zone_add_timeout_sequence(zone, a.add_protocol, fw.addProtocol,
2534 fw.queryProtocol, None, "'%s'", a.timeout)
2535 elif a.remove_protocol:
2536 cmd.x_remove_sequence(zone, a.remove_protocol, fw.removeProtocol,
2537 fw.queryProtocol, None, "'%s'")
2538 elif a.query_protocol:
2539 cmd.x_query_sequence(zone, a.query_protocol, fw.queryProtocol, None, "'%s'")
2540
2541 # source port
2542 elif a.list_source_ports:
2543 l = fw.getSourcePorts(zone)
2544 cmd.print_and_exit(" ".join(["%s/%s" % (port[0], port[1]) for port in l]))
2545 elif a.add_source_port:
2546 cmd.zone_add_timeout_sequence(zone, a.add_source_port, fw.addSourcePort,
2547 fw.querySourcePort, cmd.parse_port,
2548 "'%s/%s'", a.timeout)
2549 elif a.remove_source_port:
2550 cmd.x_remove_sequence(zone, a.remove_source_port, fw.removeSourcePort,
2551 fw.querySourcePort, cmd.parse_port, "'%s/%s'")
2552 elif a.query_source_port:
2553 cmd.x_query_sequence(zone, a.query_source_port, fw.querySourcePort,
2554 cmd.parse_port, "'%s/%s'")
2555
2556 # masquerade
2557 elif a.add_masquerade:
2558 fw.addMasquerade(zone, a.timeout)
2559 elif a.remove_masquerade:
2560 fw.removeMasquerade(zone)
2561 elif a.query_masquerade:
2562 cmd.print_query_result(fw.queryMasquerade(zone))
2563
2564 # forward port
2565 elif a.list_forward_ports:
2566 l = fw.getForwardPorts(zone)
2567 cmd.print_and_exit("\n".join(["port=%s:proto=%s:toport=%s:toaddr=%s" % (port, protocol, toport, toaddr) for (port, protocol, toport, toaddr) in l]))
2568 elif a.add_forward_port:
2569 cmd.zone_add_timeout_sequence(zone, a.add_forward_port, fw.addForwardPort,
2570 fw.queryForwardPort, cmd.parse_forward_port,
2571 "'port=%s:proto=%s:toport=%s:toaddr=%s'",
2572 a.timeout)
2573 elif a.remove_forward_port:
2574 cmd.x_remove_sequence(zone, a.remove_forward_port,
2575 fw.removeForwardPort, fw.queryForwardPort,
2576 cmd.parse_forward_port,
2577 "'port=%s:proto=%s:toport=%s:toaddr=%s'")
2578 elif a.query_forward_port:
2579 cmd.x_query_sequence(zone, a.query_forward_port, fw.queryForwardPort,
2580 cmd.parse_forward_port,
2581 "'port=%s:proto=%s:toport=%s:toaddr=%s'")
2582
2583 # block icmp
2584 elif a.list_icmp_blocks:
2585 l = fw.getIcmpBlocks(zone)
2586 cmd.print_and_exit(" ".join(l))
2587 elif a.add_icmp_block:
2588 cmd.zone_add_timeout_sequence(zone, a.add_icmp_block, fw.addIcmpBlock,
2589 fw.queryIcmpBlock, None, "'%s'", a.timeout)
2590 elif a.remove_icmp_block:
2591 cmd.x_remove_sequence(zone, a.remove_icmp_block, fw.removeIcmpBlock,
2592 fw.queryIcmpBlock, None, "'%s'")
2593 elif a.query_icmp_block:
2594 cmd.x_query_sequence(zone, a.query_icmp_block, fw.queryIcmpBlock, None,
2595 "'%s'")
2596
2597 # icmp block inversion
2598 elif a.add_icmp_block_inversion:
2599 fw.addIcmpBlockInversion(zone)
2600 elif a.remove_icmp_block_inversion:
2601 fw.removeIcmpBlockInversion(zone)
2602 elif a.query_icmp_block_inversion:
2603 cmd.print_query_result(fw.queryIcmpBlockInversion(zone))
2604
2605 # list all
2606 elif a.list_all:
2607 z = zone if zone else fw.getDefaultZone()
2608 cmd.print_zone_info(z, fw.getZoneSettings(z))
2609 sys.exit(0)
2610
2611 # list everything
2612 elif a.list_all_zones:
2613 for zone in fw.getZones():
2614 cmd.print_zone_info(zone, fw.getZoneSettings(zone))
2615 cmd.print_msg("")
2616 sys.exit(0)
2617
2618 elif a.info_zone:
2619 cmd.print_zone_info(a.info_zone, fw.getZoneSettings(a.info_zone), True)
2620 sys.exit(0)
2621
2622 elif a.info_service:
2623 cmd.print_service_info(a.info_service, fw.getServiceSettings(a.info_service))
2624 sys.exit(0)
2625
2626 elif a.info_icmptype:
2627 cmd.print_icmptype_info(a.info_icmptype, fw.getIcmpTypeSettings(a.info_icmptype))
2628 sys.exit(0)
2629
# Generic success report for every branch of the command dispatch above that
# does not terminate on its own.  Branches that print their own result call
# cmd.print_and_exit() or sys.exit(0) before reaching this line (see the
# --list-*, --info-* and --get-zone-of-source branches above).
# NOTE(review): --get-zone-of-interface with more than one interface prints a
# warning per interface and then falls through to this "success", whereas the
# parallel --get-zone-of-source branch ends with sys.exit(0); the two branches
# probably ought to behave the same way.
2630 cmd.print_and_exit("success")