Server: Apache
System: Linux server2.voipitup.com.au 4.18.0-553.109.1.lve.el8.x86_64 #1 SMP Thu Mar 5 20:23:46 UTC 2026 x86_64
User: posscale (1027)
PHP: 8.2.30
Disabled: exec,passthru,shell_exec,system
File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/states/__pycache__/iptables.cpython-310.pyc

Management of iptables
======================

This is an iptables-specific module designed to manage Linux firewalls. It is
expected that this state module, and other system-specific firewall states, may
at some point be deprecated in favor of a more generic ``firewall`` state.

.. code-block:: yaml

    httpd:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match:
            - state
            - comment
        - comment: "Allow HTTP"
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match:
            - state
            - comment
        - comment: "Allow HTTP"
        - connstate: NEW
        - source: '127.0.0.1'
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    # Invert rule
    httpd:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match:
            - state
            - comment
        - comment: "Allow HTTP"
        - connstate: NEW
        - source: '! 127.0.0.1'
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match:
            - state
            - comment
        - comment: "Allow HTTP"
        - connstate: NEW
        - source: 'not 127.0.0.1'
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.append:
        - table: filter
        - family: ipv6
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.append:
        - table: filter
        - family: ipv4
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dports:
            - 80
            - 443
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.insert:
        - position: 1
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.insert:
        - position: 1
        - table: filter
        - family: ipv6
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.delete:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.delete:
        - position: 1
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    httpd:
      iptables.delete:
        - table: filter
        - family: ipv6
        - chain: INPUT
        - jump: ACCEPT
        - match: state
        - connstate: NEW
        - dport: 80
        - protocol: tcp
        - sport: 1025:65535
        - save: True

    default to accept:
      iptables.set_policy:
        - chain: INPUT
        - policy: ACCEPT

.. note::

    Whereas iptables will accept ``-p``, ``--proto[c[o[l]]]`` as synonyms of
    ``--protocol``, if ``--proto`` appears in an iptables command after the
    appearance of ``-m policy``, it is interpreted as the ``--proto`` option of
    the policy extension (see the iptables-extensions(8) man page).


Example rules for IPSec policy:

.. code-block:: yaml

    accept_esp_in:
      iptables.append:
        - table: filter
        - chain: INPUT
        - jump: ACCEPT
        - source: 10.20.0.0/24
        - destination: 10.10.0.0/24
        - in-interface: eth0
        - match: policy
        - dir: in
        - pol: ipsec
        - reqid: 1
        - proto: esp
    accept_esp_forward_in:
      iptables.append:
        - use:
          - iptables: accept_esp_in
        - chain: FORWARD

    accept_esp_out:
      iptables.append:
        - table: filter
        - chain: OUTPUT
        - jump: ACCEPT
        - source: 10.10.0.0/24
        - destination: 10.20.0.0/24
        - out-interface: eth0
        - match: policy
        - dir: out
        - pol: ipsec
        - reqid: 1
        - proto: esp
    accept_esp_forward_out:
      iptables.append:
        - use:
          - iptables: accept_esp_out
        - chain: FORWARD

.. note::

    ``name`` is reserved for the Salt state name. To pass ``--name EXAMPLE`` to
    iptables, provide it with ``- name_: EXAMPLE``.

.. note::

    Various functions of the ``iptables`` module use the ``--check`` option. If
    the version of ``iptables`` on the target system does not include this
    option, an alternate version of this check will be performed using the
    output of iptables-save. This may have unintended consequences on legacy
    releases of ``iptables``.
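
The ``--check`` fallback described in the note above compares a rule against the text of ``iptables-save``. The Python below is an added example, not Salt's own code, that emulates such a comparison on a constructed ``iptables-save`` dump: it parses the dump into tables and chains, normalises the two differences that usually defeat a plain string comparison (a bare IPv4 host address gains the ``/32`` mask that ``iptables-save`` prints, and a ``-p tcp``/``-p udp`` rule with a port option gains the implicit ``-m tcp``/``-m udp``), and folds ``!`` into the option name so an inverted rule never matches its non-inverted form. The function names (``parse_saved_rules``, ``rule_pairs``, ``rule_present``) and the sample dump are assumptions of this example.

```python
import shlex

# Constructed sample of `iptables-save` output (made up for this example).
SAMPLE_SAVE = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -s 127.0.0.1/32 -p tcp -m state --state NEW -m tcp --dport 80 -m comment --comment "Allow HTTP" -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT ! -s 10.0.0.0/8 -j DROP
COMMIT
"""

# Long-option spellings that iptables accepts but iptables-save prints short.
_ALIASES = {
    "--source": "-s", "--destination": "-d", "--protocol": "-p",
    "--jump": "-j", "--match": "-m", "--in-interface": "-i",
    "--out-interface": "-o",
}


def parse_saved_rules(text):
    """Parse iptables-save output into {table: {chain: [rule token lists]}}."""
    tables = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        if line.startswith("*"):            # table header, e.g. "*filter"
            table = line[1:]
            tables.setdefault(table, {})
        elif table is None:                 # text before any table header
            continue
        elif line.startswith(":"):          # chain header, e.g. ":INPUT ACCEPT [0:0]"
            tables[table].setdefault(line[1:].split()[0], [])
        else:
            tokens = shlex.split(line)      # shlex keeps quoted --comment values whole
            if tokens[:1] == ["-A"] and len(tokens) > 2:
                tables[table].setdefault(tokens[1], []).append(tokens[2:])
    return tables


def rule_pairs(tokens):
    """Reduce a rule's tokens to a sorted list of (option, value) pairs.

    Order-independent, so "-p tcp -j ACCEPT" and "-j ACCEPT -p tcp" compare
    equal; a leading "!" is folded into the option name so negated and
    non-negated forms stay distinct.
    """
    pairs = []
    i = 0
    while i < len(tokens):
        negate = ""
        if tokens[i] == "!":
            negate = "! "
            i += 1
            if i >= len(tokens):
                break
        opt = _ALIASES.get(tokens[i], tokens[i])
        i += 1
        vals = []
        while i < len(tokens) and tokens[i] != "!" and not tokens[i].startswith("-"):
            vals.append(tokens[i])
            i += 1
        val = " ".join(vals)
        # iptables-save prints a bare IPv4 host address with an explicit /32.
        if opt in ("-s", "-d") and "." in val and "/" not in val:
            val += "/32"
        pairs.append((negate + opt, val))
    # "-p tcp --dport 80" is saved as "-p tcp -m tcp --dport 80"; add the
    # implicit match module so both spellings compare equal.
    proto = next((v for o, v in pairs if o == "-p"), None)
    uses_ports = any(o in ("--dport", "--sport") for o, _ in pairs)
    if proto in ("tcp", "udp") and uses_ports and ("-m", proto) not in pairs:
        pairs.append(("-m", proto))
    return sorted(pairs)


def rule_present(saved, table, chain, rule):
    """True if `rule` (an iptables argument string) is already in table/chain."""
    want = rule_pairs(shlex.split(rule))
    existing = saved.get(table, {}).get(chain, [])
    return any(rule_pairs(tokens) == want for tokens in existing)


if __name__ == "__main__":
    saved = parse_saved_rules(SAMPLE_SAVE)
    http_rule = ('-s 127.0.0.1 -p tcp -m state --state NEW --dport 80 '
                 '-m comment --comment "Allow HTTP" -j ACCEPT')
    print("http rule present:", rule_present(saved, "filter", "INPUT", http_rule))
    print("https rule present:", rule_present(saved, "filter", "INPUT",
                                              "-p tcp --dport 443 -j ACCEPT"))
```

In practice the input would be the captured output of ``iptables-save`` from the target and the rule as the state module builds it. Any canonicalisation this example does not model (``multiport`` lists, service names resolved to port numbers) shows up as a false "absent", which is the kind of unintended consequence the note warns about when the fallback runs on legacy releases.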
__virtual__
-----------

Only load if the ``iptables`` execution module is available in ``__salt__``
(checked via ``iptables.version``).

chain_present
-------------

.. versionadded:: 2014.1.0

Verify that the chain exists.

name
    A user-defined chain name.

table
    The table to own the chain.

family
    Networking family, either ipv4 or ipv6

chain_absent
------------
.. versionadded:: 2014.1.0

Verify the chain is absent.

table
    The table to remove the chain from

family
    Networking family, either ipv4 or ipv6

append
------
.. versionadded:: 0.17.0

Add a rule to the end of the specified chain.
If the rule is already present anywhere in the chain, its position is
not changed.

name
    A user-defined name to call this rule by in another part of a state or
    formula. This should not be an actual rule.

table
    The table that owns the chain which should be modified

family
    Network family, ipv4 or ipv6.

save
    If set to a true value, the new iptables rules for the given family
    will be saved to a file.

    If the value is True, rules are saved to an OS-dependent file
    that will be loaded during system startup, resulting in the
    firewall rule remaining active across reboots if possible.

    Note that loading the iptables rules during system startup
    may require non-default packages to be installed.
    On Debian-derived systems, the iptables-persistent
    package is required.

    If the value is a string, it is taken to be a filename to which
    the rules will be saved. Arranging for the rules to be loaded
    during system startup must be done separately.

All other arguments are passed in with the same name as the long option
that would normally be used for iptables, with one exception: ``--state`` is
specified as ``connstate`` instead of ``state`` (not to be confused with
``ctstate``).

Jump options that don't take arguments should be passed in with an empty
string.
insert
------
.. versionadded:: 2014.1.0

Insert a rule into a chain. If the rule is already present anywhere
in the chain, its position is not changed.

name
    A user-defined name to call this rule by in another part of a state or
    formula. This should not be an actual rule.

table
    The table that owns the chain that should be modified

family
    Networking family, either ipv4 or ipv6

position
    The numerical representation of where the rule should be inserted into
    the chain. Note that ``-1`` is not a supported position value.

save
    If set to a true value, the new iptables rules for the given family
    will be saved to a file. See the ``append`` state for more details.

All other arguments are passed in with the same name as the long option
that would normally be used for iptables, with one exception: ``--state`` is
specified as ``connstate`` instead of ``state`` (not to be confused with
``ctstate``).

Jump options that don't take arguments should be passed in with an empty
string.
delete
------
.. versionadded:: 2014.1.0

Delete a rule from a chain if present. If the rule is already absent,
this is not an error and nothing is changed.

name
    A user-defined name to call this rule by in another part of a state or
    formula. This should not be an actual rule.

table
    The table that owns the chain that should be modified

family
    Networking family, either ipv4 or ipv6

save
    If set to a true value, the new iptables rules for the given family
    will be saved to a file. See the ``append`` state for more details.

All other arguments are passed in with the same name as the long option
that would normally be used for iptables, with one exception: ``--state`` is
specified as ``connstate`` instead of ``state`` (not to be confused with
``ctstate``).

Jump options that don't take arguments should be passed in with an empty
string.
set_policy
----------
.. versionadded:: 2014.1.0

Sets the default policy for iptables firewall tables

table
    The table that owns the chain that should be modified

family
    Networking family, either ipv4 or ipv6

policy
    The requested table policy

save
    If set to a true value, the new iptables rules for the given family
    will be saved to a file. See the ``append`` state for more details.

flush
-----
.. versionadded:: 2014.1.0

Flush current iptables state

table
    The table that owns the chain that should be modified

family
    Networking family, either ipv4 or ipv6

chain
    The chain to be flushed. All the chains in the table if none is given.

mod_aggregate
-------------
Look up all iptables rules in the available low chunks and merge them into
a single ``rules`` reference in the present low data.