/usr/share/pyshared/firewall/functions.py is in firewalld 0.3.7-1.
This file is owned by root:root, with mode 0o644.
The actual contents of the file can be viewed below.
# -*- coding: utf-8 -*-
#
# Copyright (C) 2007,2008,2011,2012 Red Hat, Inc.
#
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import socket
import os.path
import shlex, pipes
from firewall.core.logger import log
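def getPortID(port):
    """ Check and Get port id from port string or port id using socket.getservbyname
    @param port port string or port id
    @return Port id if valid, -1 if port can not be found and -2 if port is too big
    """
    if isinstance(port, int):
        port_id = port
    else:
        # Tolerate surrounding whitespace in a textual port ("  80 ").
        if port and hasattr(port, "strip"):
            port = port.strip()
        try:
            port_id = int(port)
        except (ValueError, TypeError):
            # Not numeric: fall back to a service-name lookup in the system
            # services database. socket.error (OSError on Python 3) means the
            # name is unknown; TypeError covers a non-string such as None.
            try:
                port_id = socket.getservbyname(port)
            except (socket.error, TypeError):
                return -1
    # Port numbers are 16 bit; anything larger can not be a port.
    if port_id > 65535:
        return -2
    return port_id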
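def getPortRange(ports):
    """ Get port range for port range string or single port id
    @param ports an integer or port string or port range string
    @return Array containing start and end port id for a valid range or -1 if port can not be found and -2 if port is too big for integer input or -1 for invalid ranges or None if the range is ambiguous.
    """
    if isinstance(ports, int):
        port_id = getPortID(ports)
        if port_id >= 0:
            return (port_id,)
        return port_id
    splits = ports.split("-")
    matched = []
    # Service names may themselves contain '-', so every split position is
    # tried, longest left-hand part first: the whole string as one port, then
    # "left-right" with the separator moved one segment to the left each time.
    # range() replaces the Python-2-only xrange() so the module also imports
    # on Python 3.
    for i in range(len(splits), 0, -1):
        id1 = getPortID("-".join(splits[:i]))
        port2 = "-".join(splits[i:])
        if len(port2) > 0:
            id2 = getPortID(port2)
            if id1 >= 0 and id2 >= 0:
                # Normalise to start <= end; equal ends collapse to one port.
                if id1 < id2:
                    matched.append((id1, id2))
                elif id1 > id2:
                    matched.append((id2, id1))
                else:
                    matched.append((id1,))
        else:
            if id1 >= 0:
                matched.append((id1,))
                if i == len(splits):
                    # full match, stop here
                    break
    if len(matched) < 1:
        return -1
    elif len(matched) > 1:
        # More than one split position parses: the string is ambiguous.
        return None
    return matched[0]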
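def portStr(port, delimiter=":"):
    """ Create port and port range string
    @param port port or port range int or [int, int]
    @param delimiter of the output string for port ranges, default ':'
    @return Port or port range string, empty string if port isn't specified, None if port or port range is not valid
    """
    if port == "":
        return ""
    port_range = getPortRange(port)
    # getPortRange() signals errors with a negative int and an ambiguous
    # range with None; both are "not valid" here. (None previously reached
    # len() and raised TypeError instead of returning None.)
    if port_range is None or (isinstance(port_range, int) and port_range < 0):
        return None
    if len(port_range) == 1:
        return "%s" % port_range
    return "%s%s%s" % (port_range[0], delimiter, port_range[1])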
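def getServiceName(port, proto):
    """ Check and Get service name from port and proto string combination using socket.getservbyport
    @param port string or id
    @param protocol string
    @return Service name if port and protocol are valid, else None
    """
    try:
        name = socket.getservbyport(int(port), proto)
    except (socket.error, ValueError, TypeError, OverflowError):
        # ValueError/TypeError: port is not numeric or proto is not a string;
        # OverflowError: port outside 0-65535 on Python 3;
        # socket.error: no such entry in the system services database.
        return None
    return name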
def checkIP(ip):
    """ Check IPv4 address.
    @param ip address string
    @return True if address is valid, else False
    """
    # inet_pton() does the parsing: it raises socket.error for anything
    # that is not a well-formed dotted-quad address.
    try:
        socket.inet_pton(socket.AF_INET, ip)
        return True
    except socket.error:
        return False
def checkIP6(ip):
    """ Check IPv6 address.
    @param ip address string
    @return True if address is valid, else False
    """
    # inet_pton() does the parsing: it raises socket.error for anything
    # that is not a well-formed IPv6 address.
    try:
        socket.inet_pton(socket.AF_INET6, ip)
        return True
    except socket.error:
        return False
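def checkIPnMask(ip):
    """ Check IPv4 address with optional prefix length ("a.b.c.d" or "a.b.c.d/n")
    @param ip address string, optionally followed by "/" and a prefix length
    @return True if the address is valid and the prefix length (if given) is an integer in 0..32, else False
    """
    if "/" in ip:
        addr, mask = ip.split("/", 1)
        # "1.2.3.4/" and "/24" are malformed; an empty mask after the "/"
        # was previously accepted because the empty string is falsy.
        if not addr or not mask:
            return False
    else:
        addr = ip
        mask = None
    if not checkIP(addr):
        return False
    if mask:
        # A dotted-decimal netmask is rejected. The original condition
        # '"." in mask and checkIP(addr)' was always true at this point
        # (addr is already validated above), so this keeps that behaviour
        # spelled out; if dotted masks are wanted, validate mask itself.
        if "." in mask:
            return False
        try:
            prefix = int(mask)
        except ValueError:
            return False
        if prefix < 0 or prefix > 32:
            return False
    return True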
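def checkIP6nMask(ip):
    """ Check IPv6 address with optional prefix length ("addr" or "addr/n")
    @param ip address string, optionally followed by "/" and a prefix length
    @return True if the address is valid and the prefix length (if given) is an integer in 0..128, else False
    """
    if "/" in ip:
        addr, mask = ip.split("/", 1)
        # "::1/" and "/64" are malformed; an empty mask after the "/" was
        # previously accepted because the empty string is falsy.
        if not addr or not mask:
            return False
    else:
        addr = ip
        mask = None
    if not checkIP6(addr):
        return False
    if mask:
        try:
            prefix = int(mask)
        except ValueError:
            return False
        if prefix < 0 or prefix > 128:
            return False
    return True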
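def checkProtocol(protocol):
    """ Check IP protocol given as number or name
    @param protocol protocol number (int or numeric string) or protocol name
    @return True if the number is in 0..255 or the name is known to socket.getprotobyname, else False
    """
    try:
        number = int(protocol)
    except (ValueError, TypeError):
        # Not numeric: treat it as a protocol name and look it up in the
        # system protocols database (socket.error if unknown, TypeError
        # for a non-string such as None).
        try:
            socket.getprotobyname(protocol)
        except (socket.error, TypeError):
            return False
        return True
    # The protocol number is a single byte in the IP header.
    return 0 <= number <= 255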
def checkInterface(iface):
    """ Check interface string
    @param iface interface name
    @return True if interface is valid (non-empty, at most 16 chars and does not contain ' ', '/', '!', '*'), else False
    """
    if not iface:
        return False
    if len(iface) > 16:
        return False
    # '!' and '*' are limits for iptables <= 1.4.5. (A check rejecting a
    # lone "+" for old iptables used to live here and is disabled.)
    forbidden = (' ', '/', '!', '*')
    return not any(ch in iface for ch in forbidden)
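def firewalld_is_active():
    """ Check if firewalld is active
    @return True if there is a firewalld pid file and the pid is used by firewalld
    """
    pid_file = "/var/run/firewalld.pid"
    if not os.path.exists(pid_file):
        return False
    try:
        with open(pid_file, "r") as fd:
            # strip: a trailing newline would otherwise end up in the
            # /proc path built below and the check would always fail.
            pid = fd.readline().strip()
    except (IOError, OSError):
        return False
    # Only a plain decimal pid may be spliced into a /proc path; this also
    # rejects an empty or truncated pid file.
    if not pid.isdigit():
        return False
    if not os.path.exists("/proc/%s" % pid):
        return False
    try:
        with open("/proc/%s/cmdline" % pid, "r") as fd:
            cmdline = fd.readline()
    except (IOError, OSError):
        return False
    # NOTE: substring match on the command line only; it does not verify
    # that the pid belongs to this daemon instance.
    return "firewalld" in cmdline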
def readfile(filename):
    """ Read a whole text file
    @param filename path of the file to read
    @return the file content as one string, or None if the file could not be read (the error is logged)
    """
    try:
        with open(filename, "r") as f:
            content = f.read()
    except Exception as e:
        log.error('Failed to read file "%s": %s' % (filename, e))
        return None
    return content
def writefile(filename, line):
    """ Write a string to a file, replacing its content
    @param filename path of the file to write
    @param line text to write
    @return True on success, False if the file could not be written (the error is logged)
    """
    try:
        with open(filename, "w") as f:
            f.write(line)
    except Exception as e:
        log.error('Failed to write to file "%s": %s' % (filename, e))
        return False
    return True
def enable_ip_forwarding(ipv):
    """ Enable IP forwarding for one IP version through /proc/sys
    @param ipv "ipv4" or "ipv6"
    @return result of writefile() for the sysctl file, False for any other ipv
    """
    sysctl_files = (
        ("ipv4", "/proc/sys/net/ipv4/ip_forward"),
        ("ipv6", "/proc/sys/net/ipv6/conf/all/forwarding"),
    )
    for version, path in sysctl_files:
        if ipv == version:
            return writefile(path, "1\n")
    return False
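def check_port(port):
    """ Check a port or port range string, logging the reason on failure
    @param port port or port range (int or string)
    @return True if getPortRange() accepts it, else False
    """
    port_range = getPortRange(port)
    # getPortRange() encodes failures as -2 (too big), -1 (invalid) and
    # None (ambiguous); each case is reported once and rejected.
    if port_range == -2:
        log.debug2("'%s': port > 65535" % port)
        return False
    if port_range == -1:
        log.debug2("'%s': port is invalid" % port)
        return False
    if port_range is None:
        log.debug2("'%s': port is ambiguous" % port)
        return False
    if len(port_range) == 2 and port_range[0] >= port_range[1]:
        log.debug2("'%s': range start >= end" % port)
        return False
    return True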
def check_address(ipv, source):
    """ Check an address with optional prefix for the given IP version
    @param ipv "ipv4" or "ipv6"
    @param source address string, optionally with "/prefix"
    @return True if source is valid for ipv, False otherwise or for an unknown ipv
    """
    if ipv == "ipv4":
        return checkIPnMask(source)
    if ipv == "ipv6":
        return checkIP6nMask(source)
    return False
def check_single_address(ipv, source):
    """ Check a single address (no prefix) for the given IP version
    @param ipv "ipv4" or "ipv6"
    @param source address string
    @return True if source is a valid address for ipv, False otherwise or for an unknown ipv
    """
    if ipv == "ipv4":
        return checkIP(source)
    if ipv == "ipv6":
        return checkIP6(source)
    return False
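def uniqify(input):
    """ Remove duplicates from an iterable while preserving first-seen order
    @param input iterable of items
    @return list of the distinct items in order of first occurrence
    """
    seen = set()
    output = []
    for item in input:
        try:
            is_new = item not in seen
            if is_new:
                seen.add(item)
        except TypeError:
            # Unhashable item (e.g. a list): fall back to the linear search
            # the original always used.
            is_new = item not in output
        if is_new:
            output.append(item)
    return output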
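def ppid_of_pid(pid):
    """ Get parent for pid
    @param pid process id (int)
    @return parent process id as int, or None if it can not be determined
    """
    try:
        # %d admits only a number into the command string; a non-numeric
        # pid raises TypeError before anything is executed. The context
        # manager closes the pipe on every path (it leaked on error before).
        with os.popen("ps -o ppid -h -p %d 2>/dev/null" % pid) as f:
            first_line = f.readline()
        ppid = int(first_line.strip())
    except (TypeError, ValueError, IOError, OSError):
        return None
    return ppid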
def max_zone_name_len():
    """
    Netfilter limits length of chain to (currently) 28 chars.
    The longest chain we create is FWDI_<zone>_allow,
    which leaves 28 - 11 = 17 chars for <zone>.
    """
    from firewall.core.base import SHORTCUTS
    chain_name_max = 28
    suffix_len = len("__allow")
    longest_shortcut = max(len(name) for name in SHORTCUTS.values())
    return chain_name_max - (longest_shortcut + suffix_len)
def checkUser(user):
    """ Check user name length
    @param user user name string
    @return True if the name is non-empty and not longer than the system login name limit (sysconf SC_LOGIN_NAME_MAX), else False
    """
    if len(user) < 1:
        return False
    return len(user) <= os.sysconf('SC_LOGIN_NAME_MAX')
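def checkUid(uid):
    """ Check user id given as int or decimal string
    @param uid user id, int or numeric string
    @return True if uid is an integer in 0..2**31-1, else False
    """
    if isinstance(uid, str):
        try:
            uid = int(uid)
        except ValueError:
            return False
    # Valid uids are non-negative 31-bit values. The previous test
    # 'uid > 0 or uid <= 2^31-1' used ^ (XOR, evaluating to 28) together
    # with 'or', so every integer -- negative ones included -- passed.
    try:
        return 0 <= uid <= 2 ** 31 - 1
    except TypeError:
        # Neither an int nor a numeric string (e.g. None).
        return False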
def checkCommand(command):
    """ Check a command string
    @param command command line string
    @return True if the command is 1..1024 chars long and contains none of '|', newline or NUL, else False
    """
    if not 1 <= len(command) <= 1024:
        return False
    forbidden = ("|", "\n", "\0")
    return not any(ch in command for ch in forbidden)
def joinArgs(args):
    """ Join command arguments into one shell-quoted string
    @param args sequence of argument strings
    @return the arguments, each shell-quoted, joined with single spaces
    """
    # shlex.quote is the Python 3 spelling, pipes.quote the Python 2 one.
    quote = getattr(shlex, "quote", None)
    if quote is None:
        quote = pipes.quote
    return " ".join(quote(arg) for arg in args)
def splitArgs(string):
    """ Split a shell-style command string into its arguments
    @param string command line
    @return list of arguments as produced by shlex.split
    """
    args = shlex.split(string)
    return args
def b2u(string):
    """ bytes to unicode
    @param string bytes or text
    @return string decoded as UTF-8 (undecodable bytes replaced) if it is bytes, otherwise returned unchanged
    """
    if not isinstance(string, bytes):
        return string
    return string.decode('utf-8', 'replace')