def set_loglevel(self, level):
'''Sets log level of firewall'''
res = ""
try:
res = self.backend.set_loglevel(level)
except UFWError, e:
error(e.value)
def set_loglevel(self, level):
'''Sets log level of firewall'''
res = ""
try:
res = self.backend.set_loglevel(level)
except UFWError, e:
error(e.value)
def set_default_application_policy(self, policy):
'''Sets default application policy of firewall'''
res = ""
try:
res = self.backend.set_default_application_policy(policy)
except UFWError, e:
error(e.value)
def set_default_application_policy(self, policy):
'''Sets default application policy of firewall'''
res = ""
try:
res = self.backend.set_default_application_policy(policy)
except UFWError, e:
error(e.value)
def get_show_raw(self, rules_type="raw"):
"""Shows raw output of firewall"""
try:
out = self.backend.get_running_raw(rules_type)
except UFWError as e:
error(e.value)
return out
def get_show_raw(self, rules_type="raw"):
'''Shows raw output of firewall'''
try:
out = self.backend.get_running_raw(rules_type)
except UFWError as e: # pragma: no cover
error(e.value)
return out
def get_status(self, verbose=False, show_count=False):
'''Shows status of firewall'''
try:
out = self.backend.get_status(verbose, show_count)
except UFWError as e: # pragma: no cover
error(e.value)
return out
def get_status(self, verbose=False, show_count=False):
'''Shows status of firewall'''
try:
out = self.backend.get_status(verbose, show_count)
except UFWError as e: # pragma: no cover
error(e.value)
return out
def get_show_raw(self, rules_type="raw"):
'''Shows raw output of firewall'''
try:
out = self.backend.get_running_raw(rules_type)
except UFWError as e: # pragma: no cover
error(e.value)
return out
def get_status(self, verbose=False, show_count=False):
"""Shows status of firewall"""
try:
out = self.backend.get_status(verbose, show_count)
except UFWError as e:
error(e.value)
return out
class UFWFrontend:
'''UI'''
def __init__(self, dryrun, backend_type="iptables"):
if backend_type == "iptables":
try:
self.backend = UFWBackendIptables(dryrun)
except Exception:
raise
else:
raise UFWError("Unsupported backend type '%s'" % (backend_type))
# Initialize input strings for translations
self.no = _("n")
self.yes = _("y")
self.yes_full = _("yes")
def set_enabled(self, enabled):
'''Toggles ENABLED state in <config_dir>/ufw/ufw.conf and starts or
stops running firewall.
'''
res = ""
config_str = "no"
if enabled:
config_str = "yes"
changed = False
if (enabled and not self.backend.is_enabled()) or \
(not enabled and self.backend.is_enabled()):
changed = True
# Update the config files when toggling enable/disable
if changed:
try:
self.backend.set_default(self.backend.files['conf'], \
"ENABLED", config_str)
except UFWError, e:
error(e.value)
error_str = ""
if enabled:
try:
self.backend.start_firewall()
except UFWError, e:
if changed:
error_str = e.value
if error_str != "":
# Revert config files when toggling enable/disable and
# firewall failed to start
try:
self.backend.set_default(self.backend.files['conf'], \
"ENABLED", "no")
except UFWError, e:
error(e.value)
# Report the error
error(error_str)
def set_loglevel(self, level):
'''Sets log level of firewall'''
res = ""
try:
res = self.backend.set_loglevel(level)
except UFWError as e: # pragma: no cover
error(e.value)
return res
def set_loglevel(self, level):
"""Sets log level of firewall"""
res = ""
try:
res = self.backend.set_loglevel(level)
except UFWError as e:
error(e.value)
return res
def set_default_application_policy(self, policy):
'''Sets default application policy of firewall'''
res = ""
try:
res = self.backend.set_default_application_policy(policy)
except UFWError as e: # pragma: no cover
error(e.value)
return res
def set_loglevel(self, level):
'''Sets log level of firewall'''
res = ""
try:
res = self.backend.set_loglevel(level)
except UFWError as e: # pragma: no cover
error(e.value)
return res
def set_default_application_policy(self, policy):
"""Sets default application policy of firewall"""
res = ""
try:
res = self.backend.set_default_application_policy(policy)
except UFWError as e:
error(e.value)
return res
def set_default_application_policy(self, policy):
'''Sets default application policy of firewall'''
res = ""
try:
res = self.backend.set_default_application_policy(policy)
except UFWError as e: # pragma: no cover
error(e.value)
return res
def set_default_policy(self, policy, direction):
'''Sets default policy of firewall'''
res = ""
try:
res = self.backend.set_default_policy(policy, direction)
if self.backend.is_enabled():
self.backend.stop_firewall()
self.backend.start_firewall()
except UFWError, e:
error(e.value)
def set_default_policy(self, policy, direction):
'''Sets default policy of firewall'''
res = ""
try:
res = self.backend.set_default_policy(policy, direction)
if self.backend._is_enabled():
self.backend.stop_firewall()
self.backend.start_firewall()
except UFWError, e:
error(e.value)
def set_default_policy(self, policy, direction):
"""Sets default policy of firewall"""
res = ""
try:
res = self.backend.set_default_policy(policy, direction)
if self.backend.is_enabled():
self.backend.stop_firewall()
self.backend.start_firewall()
except UFWError as e:
error(e.value)
return res
def set_default_policy(self, policy, direction):
'''Sets default policy of firewall'''
res = ""
try:
res = self.backend.set_default_policy(policy, direction)
if self.backend.is_enabled():
self.backend.stop_firewall()
self.backend.start_firewall()
except UFWError as e: # pragma: no cover
error(e.value)
return res
def initcaps(self):
'''Initialize the capabilities database. This needs to be called
before accessing the database.'''
# Only initialize if not initialized already
if self.caps is not None:
return
self.caps = {}
self.caps['limit'] = {}
# Set defaults for dryrun, non-root, etc
self.caps['limit']['4'] = True
self.caps['limit']['6'] = False # historical default for the testsuite
# Try to get capabilities from the running system if root
if self.do_checks and os.getuid(
) == 0 and not self.dryrun: # pragma: no coverage
# v4
try:
nf_caps = ufw.util.get_netfilter_capabilities(self.iptables)
except OSError as e:
msg = "initcaps\n%s" % e
if self.is_enabled():
error(msg)
warn(msg)
return
if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
self.caps['limit']['4'] = True
else:
self.caps['limit']['4'] = False
# v6 (skip capabilities check for ipv6 if ipv6 is disabled in ufw
# because the system may not have ipv6 support (LP: #1039729)
if self.use_ipv6():
try:
nf_caps = ufw.util.get_netfilter_capabilities(
self.ip6tables)
except OSError as e:
error("initcaps\n%s" % e)
if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
self.caps['limit']['6'] = True
else:
self.caps['limit']['6'] = False
def set_enabled(self, enabled):
'''Toggles ENABLED state in <config_dir>/ufw/ufw.conf and starts or
stops running firewall.
'''
res = ""
config_str = "no"
if enabled:
config_str = "yes"
changed = False
if (enabled and not self.backend.is_enabled()) or \
(not enabled and self.backend.is_enabled()):
changed = True
# Update the config files when toggling enable/disable
if changed:
try:
self.backend.set_default(self.backend.files['conf'], \
"ENABLED", config_str)
except UFWError as e: # pragma: no cover
error(e.value)
error_str = ""
if enabled:
try:
self.backend.start_firewall()
except UFWError as e: # pragma: no cover
if changed:
error_str = e.value
if error_str != "": # pragma: no cover
# Revert config files when toggling enable/disable and
# firewall failed to start
try:
self.backend.set_default(self.backend.files['conf'], \
"ENABLED", "no")
except UFWError as e:
error(e.value)
# Report the error
error(error_str)
res = _("Firewall is active and enabled on system startup")
else:
try:
self.backend.stop_firewall()
except UFWError as e: # pragma: no cover
error(e.value)
res = _("Firewall stopped and disabled on system startup")
return res
def set_enabled(self, enabled):
'''Toggles ENABLED state in <config_dir>/ufw/ufw.conf and starts or
stops running firewall.
'''
res = ""
config_str = "no"
if enabled:
config_str = "yes"
changed = False
if (enabled and not self.backend.is_enabled()) or \
(not enabled and self.backend.is_enabled()):
changed = True
# Update the config files when toggling enable/disable
if changed:
try:
self.backend.set_default(self.backend.files['conf'], \
"ENABLED", config_str)
except UFWError as e: # pragma: no cover
error(e.value)
error_str = ""
if enabled:
try:
self.backend.start_firewall()
except UFWError as e: # pragma: no cover
if changed:
error_str = e.value
if error_str != "": # pragma: no cover
# Revert config files when toggling enable/disable and
# firewall failed to start
try:
self.backend.set_default(self.backend.files['conf'], \
"ENABLED", "no")
except UFWError as e:
error(e.value)
# Report the error
error(error_str)
res = _("Firewall is active and enabled on system startup")
else:
try:
self.backend.stop_firewall()
except UFWError as e: # pragma: no cover
error(e.value)
res = _("Firewall stopped and disabled on system startup")
return res
def set_enabled(self, enabled):
"""Toggles ENABLED state in <config_dir>/ufw/ufw.conf and starts or
stops running firewall.
"""
res = ""
config_str = "no"
if enabled:
config_str = "yes"
changed = False
if (enabled and not self.backend.is_enabled()) or (not enabled and self.backend.is_enabled()):
changed = True
# Update the config files when toggling enable/disable
if changed:
try:
self.backend.set_default(self.backend.files["conf"], "ENABLED", config_str)
except UFWError, e:
error(e.value)
def parse_command(argv):
'''Parse command. Returns tuple for action, rule, ip_version and dryrun.'''
p = ufw.parser.UFWParser()
# Basic commands
for i in ['enable', 'disable', 'help', '--help', 'version', '--version', \
'reload', 'reset' ]:
p.register_command(ufw.parser.UFWCommandBasic(i))
# Application commands
for i in ['list', 'info', 'default', 'update']:
p.register_command(ufw.parser.UFWCommandApp(i))
# Logging commands
for i in ['on', 'off', 'low', 'medium', 'high', 'full']:
p.register_command(ufw.parser.UFWCommandLogging(i))
# Default commands
for i in ['allow', 'deny', 'reject']:
p.register_command(ufw.parser.UFWCommandDefault(i))
# Status commands ('status', 'status verbose', 'status numbered')
for i in [None, 'verbose', 'numbered']:
p.register_command(ufw.parser.UFWCommandStatus(i))
# Show commands
for i in ['raw', 'before-rules', 'user-rules', 'after-rules', \
'logging-rules', 'builtins', 'listening', 'added']:
p.register_command(ufw.parser.UFWCommandShow(i))
# Rule commands
rule_commands = ['allow', 'limit', 'deny', 'reject', 'insert', 'delete']
for i in rule_commands:
p.register_command(ufw.parser.UFWCommandRule(i))
p.register_command(ufw.parser.UFWCommandRouteRule(i))
# Don't require the user to have to specify 'rule' as the command. Instead
# insert 'rule' into the arguments if this is a rule command.
if len(argv) > 2:
idx = 1
if argv[idx].lower() == "--dry-run":
idx = 2
if argv[idx].lower() != "default" and \
argv[idx].lower() != "route" and \
argv[idx].lower() in rule_commands:
argv.insert(idx, 'rule')
if len(argv) < 2 or ('--dry-run' in argv and len(argv) < 3):
error("not enough args") # pragma: no cover
try:
pr = p.parse_command(argv[1:])
except UFWError as e:
error("%s" % (e.value)) # pragma: no cover
except Exception:
error("Invalid syntax", do_exit=False)
raise
return pr
def parse_command(argv):
'''Parse command. Returns tuple for action, rule, ip_version and dryrun.'''
p = ufw.parser.UFWParser()
# Basic commands
for i in ['enable', 'disable', 'help', '--help', 'version', '--version', \
'reload', 'reset' ]:
p.register_command(ufw.parser.UFWCommandBasic(i))
# Application commands
for i in ['list', 'info', 'default', 'update']:
p.register_command(ufw.parser.UFWCommandApp(i))
# Logging commands
for i in ['on', 'off', 'low', 'medium', 'high', 'full']:
p.register_command(ufw.parser.UFWCommandLogging(i))
# Default commands
for i in ['allow', 'deny', 'reject']:
p.register_command(ufw.parser.UFWCommandDefault(i))
# Status commands ('status', 'status verbose', 'status numbered')
for i in [None, 'verbose', 'numbered']:
p.register_command(ufw.parser.UFWCommandStatus(i))
# Show commands
for i in ['raw', 'before-rules', 'user-rules', 'after-rules', \
'logging-rules', 'builtins', 'listening', 'added']:
p.register_command(ufw.parser.UFWCommandShow(i))
# Rule commands
rule_commands = ['allow', 'limit', 'deny' , 'reject', 'insert', 'delete']
for i in rule_commands:
p.register_command(ufw.parser.UFWCommandRule(i))
p.register_command(ufw.parser.UFWCommandRouteRule(i))
# Don't require the user to have to specify 'rule' as the command. Instead
# insert 'rule' into the arguments if this is a rule command.
if len(argv) > 2:
idx = 1
if argv[idx].lower() == "--dry-run":
idx = 2
if argv[idx].lower() != "default" and \
argv[idx].lower() != "route" and \
argv[idx].lower() in rule_commands:
argv.insert(idx, 'rule')
if len(argv) < 2 or ('--dry-run' in argv and len(argv) < 3):
error("not enough args") # pragma: no cover
try:
pr = p.parse_command(argv[1:])
except UFWError as e:
error("%s" % (e.value)) # pragma: no cover
except Exception:
error("Invalid syntax", do_exit=False)
raise
return pr
def set_enabled(self, enabled):
'''Toggles ENABLED state in <config_dir>/ufw/ufw.conf and starts or
stops running firewall.
'''
res = ""
config_str = "no"
if enabled:
config_str = "yes"
changed = False
if (enabled and not self.backend.is_enabled()) or \
(not enabled and self.backend.is_enabled()):
changed = True
# Update the config files when toggling enable/disable
if changed:
try:
self.backend.set_default(self.backend.files['conf'], \
"ENABLED", config_str)
except UFWError, e:
error(e.value)
def initcaps(self):
'''Initialize the capabilities database. This needs to be called
before accessing the database.'''
# Only initialize if not initialized already
if self.caps != None:
return
self.caps = {}
self.caps['limit'] = {}
# Set defaults for dryrun, non-root, etc
self.caps['limit']['4'] = True
self.caps['limit']['6'] = False # historical default for the testsuite
# Try to get capabilities from the running system if root
if self.do_checks and os.getuid() == 0 and not self.dryrun: # pragma: no coverage
# v4
try:
nf_caps = ufw.util.get_netfilter_capabilities(self.iptables)
except OSError as e:
error("initcaps\n%s" % e)
if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
self.caps['limit']['4'] = True
else:
self.caps['limit']['4'] = False
# v6 (skip capabilities check for ipv6 if ipv6 is disabled in ufw
# because the system may not have ipv6 support (LP: #1039729)
if self.use_ipv6():
try:
nf_caps = ufw.util.get_netfilter_capabilities(self.ip6tables)
except OSError as e:
error("initcaps\n%s" % e)
if 'recent-set' in nf_caps and 'recent-update' in nf_caps:
self.caps['limit']['6'] = True
else:
self.caps['limit']['6'] = False
def parse_command(argv):
"""Parse command. Returns tuple for action, rule, ip_version and dryrun."""
p = ufw.parser.UFWParser()
# Basic commands
for i in ["enable", "disable", "help", "--help", "version", "--version", "reload", "reset"]:
p.register_command(ufw.parser.UFWCommandBasic(i))
# Application commands
for i in ["list", "info", "default", "update"]:
p.register_command(ufw.parser.UFWCommandApp(i))
# Logging commands
for i in ["on", "off", "low", "medium", "high", "full"]:
p.register_command(ufw.parser.UFWCommandLogging(i))
# Default commands
for i in ["allow", "deny", "reject"]:
p.register_command(ufw.parser.UFWCommandDefault(i))
# Status commands ('status', 'status verbose', 'status numbered')
for i in [None, "verbose", "numbered"]:
p.register_command(ufw.parser.UFWCommandStatus(i))
# Show commands
for i in ["raw", "before-rules", "user-rules", "after-rules", "logging-rules", "builtins", "listening", "added"]:
p.register_command(ufw.parser.UFWCommandShow(i))
# Rule commands
rule_commands = ["allow", "limit", "deny", "reject", "insert", "delete"]
for i in rule_commands:
p.register_command(ufw.parser.UFWCommandRule(i))
# Don't require the user to have to specify 'rule' as the command. Instead
# insert 'rule' into the arguments if this is a rule command.
if len(argv) > 2:
idx = 1
if argv[idx].lower() == "--dry-run":
idx = 2
if argv[idx].lower() != "default" and argv[idx].lower() in rule_commands:
argv.insert(idx, "rule")
if len(argv) < 2 or ("--dry-run" in argv and len(argv) < 3):
error("not enough args")
try:
pr = p.parse_command(argv[1:])
except UFWError as e:
error("%s" % (e.value))
except Exception:
error("Invalid syntax", do_exit=False)
raise
return pr
def get_status(self, verbose=False, show_count=False):
'''Shows status of firewall'''
try:
out = self.backend.get_status(verbose, show_count)
except UFWError, e:
error(e.value)
def do_action(self, action, rule, ip_version, force=False):
'''Perform action on rule. action, rule and ip_version are usually
based on return values from parse_command().
'''
res = ""
if action.startswith("logging-on"):
tmp = action.split('_')
if len(tmp) > 1:
res = self.set_loglevel(tmp[1])
else:
res = self.set_loglevel("on")
elif action == "logging-off":
res = self.set_loglevel("off")
elif action.startswith("default-"):
err_msg = _("Unsupported default policy")
tmp = action.split('-')
if len(tmp) != 3:
raise UFWError(err_msg)
res = self.set_default_policy(tmp[1], tmp[2])
elif action == "reset":
res = self.reset(force)
elif action == "status":
res = self.get_status()
elif action == "status-verbose":
res = self.get_status(True)
elif action.startswith("show"):
tmp = action.split('-')[1]
if tmp == "listening":
res = self.get_show_listening()
elif tmp == "added":
res = self.get_show_added()
else:
res = self.get_show_raw(tmp)
elif action == "status-numbered":
res = self.get_status(False, True)
elif action == "enable":
res = self.set_enabled(True)
elif action == "disable":
res = self.set_enabled(False)
elif action == "reload":
if self.backend.is_enabled():
self.set_enabled(False)
self.set_enabled(True)
res = _("Firewall reloaded")
else:
res = _("Firewall not enabled (skipping reload)")
elif action.startswith("delete-"):
res = self.delete_rule(action.split('-')[1], force)
elif action == "allow" or action == "deny" or action == "reject" or \
action == "limit":
# allow case insensitive matches for application rules
if rule.dapp != "":
try:
tmp = self.backend.find_application_name(rule.dapp)
if tmp != rule.dapp:
rule.dapp = tmp
rule.set_port(tmp, "dst")
except UFWError as e:
# allow for the profile being deleted (LP: #407810)
if not rule.remove: # pragma: no cover
error(e.value)
if not ufw.applications.valid_profile_name(rule.dapp):
err_msg = _("Invalid profile name")
raise UFWError(err_msg)
if rule.sapp != "":
try:
tmp = self.backend.find_application_name(rule.sapp)
if tmp != rule.sapp:
rule.sapp = tmp
rule.set_port(tmp, "dst")
except UFWError as e:
# allow for the profile being deleted (LP: #407810)
if not rule.remove: # pragma: no cover
error(e.value)
if not ufw.applications.valid_profile_name(rule.sapp):
err_msg = _("Invalid profile name")
raise UFWError(err_msg)
res = self.set_rule(rule, ip_version)
else:
err_msg = _("Unsupported action '%s'") % (action)
raise UFWError(err_msg)
return res
def set_rule(self, rule, ip_version):
'''Updates firewall with rule'''
res = ""
err_msg = ""
tmp = ""
rules = []
if rule.dapp == "" and rule.sapp == "":
rules.append(rule)
else:
tmprules = []
try:
if rule.remove:
if ip_version == "v4":
tmprules = self.backend.get_app_rules_from_system(
rule, False)
elif ip_version == "v6":
tmprules = self.backend.get_app_rules_from_system(
rule, True)
elif ip_version == "both":
tmprules = self.backend.get_app_rules_from_system(
rule, False)
tmprules6 = self.backend.get_app_rules_from_system(
rule, True)
# Only add rules that are different by more than v6 (we
# will handle 'ip_version == both' specially, below).
for x in tmprules:
for y in tmprules6:
prev6 = y.v6
y.v6 = False
if not x.match(y):
y.v6 = prev6
tmprules.append(y)
else:
err_msg = _("Invalid IP version '%s'") % (ip_version)
raise UFWError(err_msg)
# Don't process removal of non-existing application rules
if len(tmprules) == 0 and not self.backend.dryrun:
tmp = _("Could not delete non-existent rule")
if ip_version == "v4":
res = tmp
elif ip_version == "v6":
res = tmp + " (v6)"
elif ip_version == "both":
res = tmp + "\n" + tmp + " (v6)"
return res
for tmp in tmprules:
r = tmp.dup_rule()
r.remove = rule.remove
r.set_action(rule.action)
r.set_logtype(rule.logtype)
rules.append(r)
else:
rules = self.backend.get_app_rules_from_template(rule)
# Reverse the order of rules for inserted rules, so they
# are inserted in the right order
if rule.position > 0:
rules.reverse()
except Exception:
raise
count = 0
set_error = False
pos_err_msg = _("Invalid position '")
num_v4 = self.backend.get_rules_count(False)
num_v6 = self.backend.get_rules_count(True)
for i, r in enumerate(rules):
count = i
if r.position > num_v4 + num_v6:
pos_err_msg += str(r.position) + "'"
raise UFWError(pos_err_msg)
try:
if self.backend.use_ipv6():
if ip_version == "v4":
if r.position > num_v4:
pos_err_msg += str(r.position) + "'"
raise UFWError(pos_err_msg)
r.set_v6(False)
tmp = self.backend.set_rule(r)
elif ip_version == "v6":
if r.position > num_v4:
r.set_position(r.position - num_v4)
elif r.position != 0 and r.position <= num_v4:
pos_err_msg += str(r.position) + "'"
raise UFWError(pos_err_msg)
r.set_v6(True)
tmp = self.backend.set_rule(r)
elif ip_version == "both":
user_pos = r.position # user specified position
r.set_v6(False)
if not r.remove and user_pos > num_v4:
# The user specified a v6 rule, so try to find a
# match in the v4 rules and use its position.
p = self.backend.find_other_position( \
user_pos - num_v4 + count, True)
if p > 0:
r.set_position(p)
else:
# If not found, then add the rule
r.set_position(0)
tmp = self.backend.set_rule(r)
# We need to readjust the position since the number
# the number of ipv4 rules increased
if not r.remove and user_pos > 0:
num_v4 = self.backend.get_rules_count(False)
r.set_position(user_pos + 1)
r.set_v6(True)
if not r.remove and r.position > 0 and \
r.position <= num_v4:
# The user specified a v4 rule, so try to find a
# match in the v6 rules and use its position.
p = self.backend.find_other_position(r.position, \
False)
if p > 0:
# Subtract count since the list is reversed
r.set_position(p - count)
else:
# If not found, then add the rule
r.set_position(0)
if tmp != "":
tmp += "\n"
# Readjust position to send to set_rule
if not r.remove and r.position > num_v4:
r.set_position(r.position - num_v4)
tmp += self.backend.set_rule(r)
else:
err_msg = _("Invalid IP version '%s'") % (ip_version)
raise UFWError(err_msg)
else:
if ip_version == "v4" or ip_version == "both":
r.set_v6(False)
tmp = self.backend.set_rule(r)
elif ip_version == "v6":
err_msg = _("IPv6 support not enabled")
raise UFWError(err_msg)
else:
err_msg = _("Invalid IP version '%s'") % (ip_version)
raise UFWError(err_msg)
except UFWError as e:
err_msg = e.value
set_error = True
break
if r.updated:
warn_msg = _("Rule changed after normalization")
warnings.warn(warn_msg)
if not set_error:
# Just return the last result if no error
res += tmp
elif len(rules) == 1:
# If no error, and just one rule, error out
error(err_msg) # pragma: no cover
else:
# If error and more than one rule, delete the successfully added
# rules in reverse order
undo_error = False
indexes = list(range(count + 1))
indexes.reverse()
for j in indexes:
if count > 0 and rules[j]:
backout_rule = rules[j].dup_rule()
backout_rule.remove = True
try:
self.set_rule(backout_rule, ip_version)
except Exception:
# Don't fail, so we can try to backout more
undo_error = True
warn_msg = _("Could not back out rule '%s'") % \
r.format_rule()
warn(warn_msg)
err_msg += _("\nError applying application rules.")
if undo_error:
err_msg += _(" Some rules could not be unapplied.")
else:
err_msg += _(" Attempted rules successfully unapplied.")
raise UFWError(err_msg)
return res
def get_status(self, verbose=False, show_count=False):
'''Shows status of firewall'''
try:
out = self.backend.get_status(verbose, show_count)
except UFWError, e:
error(e.value)
def get_show_raw(self, rules_type="raw"):
'''Shows raw output of firewall'''
try:
out = self.backend.get_running_raw(rules_type)
except UFWError, e:
error(e.value)
def do_action(self, action, rule, ip_version, force=False):
'''Perform action on rule. action, rule and ip_version are usually
based on return values from parse_command().
'''
res = ""
if action.startswith("logging-on"):
tmp = action.split('_')
if len(tmp) > 1:
res = self.set_loglevel(tmp[1])
else:
res = self.set_loglevel("on")
elif action == "logging-off":
res = self.set_loglevel("off")
elif action.startswith("default-"):
err_msg = _("Unsupported default policy")
tmp = action.split('-')
if len(tmp) != 3:
raise UFWError(err_msg)
res = self.set_default_policy(tmp[1], tmp[2])
elif action == "reset":
res = self.reset(force)
elif action == "status":
res = self.get_status()
elif action == "status-verbose":
res = self.get_status(True)
elif action.startswith("show"):
tmp = action.split('-')[1]
if tmp == "listening":
res = self.get_show_listening()
elif tmp == "added":
res = self.get_show_added()
else:
res = self.get_show_raw(tmp)
elif action == "status-numbered":
res = self.get_status(False, True)
elif action == "enable":
res = self.set_enabled(True)
elif action == "disable":
res = self.set_enabled(False)
elif action == "reload":
if self.backend.is_enabled():
self.set_enabled(False)
self.set_enabled(True)
res = _("Firewall reloaded")
else:
res = _("Firewall not enabled (skipping reload)")
elif action.startswith("delete-"):
res = self.delete_rule(action.split('-')[1], force)
elif action == "allow" or action == "deny" or action == "reject" or \
action == "limit":
# allow case insensitive matches for application rules
if rule.dapp != "":
try:
tmp = self.backend.find_application_name(rule.dapp)
if tmp != rule.dapp:
rule.dapp = tmp
rule.set_port(tmp, "dst")
except UFWError as e:
# allow for the profile being deleted (LP: #407810)
if not rule.remove: # pragma: no cover
error(e.value)
if not ufw.applications.valid_profile_name(rule.dapp):
err_msg = _("Invalid profile name")
raise UFWError(err_msg)
if rule.sapp != "":
try:
tmp = self.backend.find_application_name(rule.sapp)
if tmp != rule.sapp:
rule.sapp = tmp
rule.set_port(tmp, "dst")
except UFWError as e:
# allow for the profile being deleted (LP: #407810)
if not rule.remove: # pragma: no cover
error(e.value)
if not ufw.applications.valid_profile_name(rule.sapp):
err_msg = _("Invalid profile name")
raise UFWError(err_msg)
res = self.set_rule(rule, ip_version)
else:
err_msg = _("Unsupported action '%s'") % (action)
raise UFWError(err_msg)
return res
def set_rule(self, rule, ip_version):
'''Updates firewall with rule'''
res = ""
err_msg = ""
tmp = ""
rules = []
if rule.dapp == "" and rule.sapp == "":
rules.append(rule)
else:
tmprules = []
try:
if rule.remove:
if ip_version == "v4":
tmprules = self.backend.get_app_rules_from_system(
rule, False)
elif ip_version == "v6":
tmprules = self.backend.get_app_rules_from_system(
rule, True)
elif ip_version == "both":
tmprules = self.backend.get_app_rules_from_system(
rule, False)
tmprules6 = self.backend.get_app_rules_from_system(
rule, True)
# Only add rules that are different by more than v6 (we
# will handle 'ip_version == both' specially, below).
for x in tmprules:
for y in tmprules6:
prev6 = y.v6
y.v6 = False
if not x.match(y):
y.v6 = prev6
tmprules.append(y)
else:
err_msg = _("Invalid IP version '%s'") % (ip_version)
raise UFWError(err_msg)
# Don't process removal of non-existing application rules
if len(tmprules) == 0 and not self.backend.dryrun:
tmp = _("Could not delete non-existent rule")
if ip_version == "v4":
res = tmp
elif ip_version == "v6":
res = tmp + " (v6)"
elif ip_version == "both":
res = tmp + "\n" + tmp + " (v6)"
return res
for tmp in tmprules:
r = tmp.dup_rule()
r.remove = rule.remove
r.set_action(rule.action)
r.set_logtype(rule.logtype)
rules.append(r)
else:
rules = self.backend.get_app_rules_from_template(rule)
# Reverse the order of rules for inserted rules, so they
# are inserted in the right order
if rule.position > 0:
rules.reverse()
except Exception:
raise
count = 0
set_error = False
pos_err_msg = _("Invalid position '")
num_v4 = self.backend.get_rules_count(False)
num_v6 = self.backend.get_rules_count(True)
for i, r in enumerate(rules):
count = i
if r.position > num_v4 + num_v6:
pos_err_msg += str(r.position) + "'"
raise UFWError(pos_err_msg)
try:
if self.backend.use_ipv6():
if ip_version == "v4":
if r.position > num_v4:
pos_err_msg += str(r.position) + "'"
raise UFWError(pos_err_msg)
r.set_v6(False)
tmp = self.backend.set_rule(r)
elif ip_version == "v6":
if r.position > num_v4:
r.set_position(r.position - num_v4)
elif r.position != 0 and r.position <= num_v4:
pos_err_msg += str(r.position) + "'"
raise UFWError(pos_err_msg)
r.set_v6(True)
tmp = self.backend.set_rule(r)
elif ip_version == "both":
user_pos = r.position # user specified position
r.set_v6(False)
if not r.remove and user_pos > num_v4:
# The user specified a v6 rule, so try to find a
# match in the v4 rules and use its position.
p = self.backend.find_other_position( \
user_pos - num_v4 + count, True)
if p > 0:
r.set_position(p)
else:
# If not found, then add the rule
r.set_position(0)
tmp = self.backend.set_rule(r)
# We need to readjust the position since the number
# the number of ipv4 rules increased
if not r.remove and user_pos > 0:
num_v4 = self.backend.get_rules_count(False)
r.set_position(user_pos + 1)
r.set_v6(True)
if not r.remove and r.position > 0 and \
r.position <= num_v4:
# The user specified a v4 rule, so try to find a
# match in the v6 rules and use its position.
p = self.backend.find_other_position(r.position, \
False)
if p > 0:
# Subtract count since the list is reversed
r.set_position(p - count)
else:
# If not found, then add the rule
r.set_position(0)
if tmp != "":
tmp += "\n"
# Readjust position to send to set_rule
if not r.remove and r.position > num_v4:
r.set_position(r.position - num_v4)
tmp += self.backend.set_rule(r)
else:
err_msg = _("Invalid IP version '%s'") % (ip_version)
raise UFWError(err_msg)
else:
if ip_version == "v4" or ip_version == "both":
r.set_v6(False)
tmp = self.backend.set_rule(r)
elif ip_version == "v6":
err_msg = _("IPv6 support not enabled")
raise UFWError(err_msg)
else:
err_msg = _("Invalid IP version '%s'") % (ip_version)
raise UFWError(err_msg)
except UFWError as e:
err_msg = e.value
set_error = True
break
if r.updated:
warn_msg = _("Rule changed after normalization")
warnings.warn(warn_msg)
if not set_error:
# Just return the last result if no error
res += tmp
elif len(rules) == 1:
# If no error, and just one rule, error out
error(err_msg) # pragma: no cover
else:
# If error and more than one rule, delete the successfully added
# rules in reverse order
undo_error = False
indexes = list(range(count+1))
indexes.reverse()
for j in indexes:
if count > 0 and rules[j]:
backout_rule = rules[j].dup_rule()
backout_rule.remove = True
try:
self.set_rule(backout_rule, ip_version)
except Exception:
# Don't fail, so we can try to backout more
undo_error = True
warn_msg = _("Could not back out rule '%s'") % \
r.format_rule()
warn(warn_msg)
err_msg += _("\nError applying application rules.")
if undo_error:
err_msg += _(" Some rules could not be unapplied.")
else:
err_msg += _(" Attempted rules successfully unapplied.")
raise UFWError(err_msg)
return res
# firewall failed to start
try:
self.backend.set_default(self.backend.files['conf'], \
"ENABLED", "no")
except UFWError, e:
error(e.value)
# Report the error
error(error_str)
res = _("Firewall is active and enabled on system startup")
else:
try:
self.backend.stop_firewall()
except UFWError, e:
error(e.value)
res = _("Firewall stopped and disabled on system startup")
return res
def set_default_policy(self, policy, direction):
'''Sets default policy of firewall'''
res = ""
try:
res = self.backend.set_default_policy(policy, direction)
if self.backend._is_enabled():
self.backend.stop_firewall()
self.backend.start_firewall()
except UFWError, e:
error(e.value)
# firewall failed to start
try:
self.backend.set_default(self.backend.files['conf'], \
"ENABLED", "no")
except UFWError, e:
error(e.value)
# Report the error
error(error_str)
res = _("Firewall is active and enabled on system startup")
else:
try:
self.backend.stop_firewall()
except UFWError, e:
error(e.value)
res = _("Firewall stopped and disabled on system startup")
return res
def set_default_policy(self, policy, direction):
'''Sets default policy of firewall'''
res = ""
try:
res = self.backend.set_default_policy(policy, direction)
if self.backend.is_enabled():
self.backend.stop_firewall()
self.backend.start_firewall()
except UFWError, e:
error(e.value)
def get_show_raw(self, set="raw"):
'''Shows raw output of firewall'''
try:
out = self.backend.get_running_raw(set)
except UFWError, e:
error(e.value)
