File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/states/__pycache__/nftables.cpython-310.pyc
o
�����N�gUN�����������������������@���s����d�Z�d�d�l�Z�d�d�l�m�Z���e���e���Z�d�d���Z� �d�d�d ��Z d�d
d���Z
d�d�d
��Z�d�d�d���Z�d�d�d���Z
d�d�d���Z�d�d�d���Z�d�d�d���Z�d�d�d���Z�d�S�)�a ��
Management of nftables
======================
This is an nftables-specific module designed to manage Linux firewalls. It is
expected that this state module, and other system-specific firewall states, may
at some point be deprecated in favor of a more generic `firewall` state.
.. code-block:: yaml
httpd:
nftables.append:
- table: filter
- chain: input
- jump: accept
- match: state
- connstate: new
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
nftables.append:
- table: filter
- family: ipv6
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
nftables.insert:
- position: 1
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
nftables.insert:
- position: 1
- table: filter
- family: ipv6
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
nftables.delete:
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
nftables.delete:
- position: 1
- table: filter
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
httpd:
nftables.delete:
- table: filter
- family: ipv6
- chain: INPUT
- jump: ACCEPT
- match: state
- connstate: NEW
- dport: 80
- proto: tcp
- sport: 1025:65535
- save: True
output:
nftables.chain_present:
- family: ip
- table: filter
output:
nftables.chain_absent:
- family: ip
- table: filter
�����N)���STATE_INTERNAL_KEYWORDSc��������������������C���s����d�t�v�r�d�S�d�S�)�zA
Only load if the locale module is available in __salt__
z�nftables.versionZ�nftables)�Fz#nftables module could not be loaded)���__salt__��r����r�����H/opt/saltstack/salt/lib/python3.10/site-packages/salt/states/nftables.py��__virtual__x���s����������r������filter��ipv4c������������ �������C���s����|�i�d�d�d���}�t�d���|�|�|�d���}�|�d���d�u�r%d�|�d�<�d���|�|�|���|�d <�|�S�t�d
��r4d���|�|�|���|�d <�|�S�t�d���|�|�|�|�|�|�d
��}�|�d���d�u�r[d�|�i�|�d�<�d�|�d�<�d���|�|�|���|�d <�|�S�d�|�d�<�d���|�|�|�d ������|���|�d <�|�S�)�a����
.. versionadded:: 2014.7.0
.. versionchanged:: 3002
Verify a chain exists in a table.
name
A user-defined chain name.
table
The table to own the chain.
family
Networking family, either ipv4 or ipv6
N������name��changes��result��comment��nftables.check_chain����familyr
���Tz5nftables {} chain is already exist in {} table for {}r������testz<nftables chain {} would be created in table {} for family {}z�nftables.new_chain)��
table_type��hook��priorityr������localer����z3nftables {} chain in {} table create success for {}Fz0Failed to create {} chain in {} table: {} for {})�r������format��__opts__��strip) r������tabler����r����r����r������ret��chain_check��resr����r����r�����
chain_present����s:�������������������������������������������������������������r����c��������������������C���s����|�i�d�d�d���}�t�d���|�|�|���}�|�s d�|�d�<�d���|�|�|���|�d�<�|�S�t�d ��|�|�|���}�|�r]t�d
��|�|�|���}�|�d�u�rKd�|�i�|�d�<�d�|�d�<�d
��|�|�|���|�d�<�|�S�d�|�d�<�d���|�|�|�����|���|�d�<�|�S�d�|�d�<�d���|�|�|�����|���|�d�<�|�S�)�z�
.. versionadded:: 2014.7.0
Verify the chain is absent.
family
Networking family, either ipv4 or ipv6
Nr ���r
���r����Tr
���z6nftables {} chain is already absent in {} table for {}r������nftables.flushz�nftables.delete_chainr����r����z3nftables {} chain in {} table delete success for {}Fz0Failed to delete {} chain in {} table: {} for {}z/Failed to flush {} chain in {} table: {} for {})�r����r����r����)�r����r����r����r����r����Z�flush_chain��commandr����r����r������chain_absent����s<����
����������������������������������������������������������r!���c��������������������K���s����|�i�d�d�d���}�t�D�] }�|�|�v�r�|�|�=�q t�d���d�d�|�i�|�����}�|�d���s$|�S�|�d���}�t�d���d�d�|�d d
��|�����}�|�d���s;|�S�|�d���}�t�d���|�d���|�d
��|�|���}�|�d���rad�|�d�<�d���|�|�����|���|�d�<�|�S�d�t�v�rvt�d���rvd���|�|�����|���|�d�<�|�S�t�d���|�d���|�d
��|�|���}�|�d���r�d�|�i�|�d�<�d�|�d�<�d���|�|�����|���|�d�<�d�|�v�r�|�d���r�t�d���d�|�d�����d���|�|�����|���|�d�<�|�S�d�|�d�<�d���|�|�����|�|�d�����|�d�<�|�S�)�a����
.. versionadded:: 0.17.0
Append a rule to a chain
name
A user-defined name to call this rule by in another part of a state or
formula. This should not be an actual rule.
family
Network family, ipv4 or ipv6.
All other arguments are passed in with the same name as the long option
that would normally be used for nftables, with one exception: `--state` is
specified as `connstate` instead of `state` (not to be confused with
`ctstate`).
Nr ���r
�����nftables.build_ruler����r
�����ruleT��add����fullr����r �����nftables.checkr������chainz,nftables rule for {} already set ({}) for {}r����r����z0nftables rule for {} needs to be set ({}) for {}z�nftables.appendr����r�����&Set nftables rule for {} to: {} for {}��save�
nftables.save����filenamer�����0Set and Saved nftables rule for {} to: {} for {}FzDFailed to set nftables rule for {}.
Attempted rule was {} for {}.
{}r��������_STATE_INTERNAL_KEYWORDSr����r����r����r������r����r������kwargsr������ignorer����r#���r ���r����r����r������append����sd���������������������������������������������
���������
���������������
�����������
�������������������r4���c��������������������K���s����|�i�d�d�d���}�t�D�] }�|�|�v�r�|�|�=�q t�d���d�d�|�i�|�����}�|�d���s$|�S�|�d���}�t�d���d�d�|�d d
��|�����}�|�d���s;|�S�|�d���}�t�d���|�d���|�d
��|�|���}�|�d���rad�|�d�<�d���|�|�|�������|�d�<�|�S�d�t�v�rvt�d���rvd���|�|�|�������|�d�<�|�S�t�d���|�d���|�d
��|�d���|�|���}�|�d���r�d�|�i�|�d�<�d�|�d�<�d���|�|�����|���|�d�<�d�|�v�r�|�d���r�t�d���d�|�d�����d���|�|�����|���|�d�<�|�S�d�|�d�<�d���|�|�������|�d�<�|�S�)�a����
.. versionadded:: 2014.7.0
Insert a rule into a chain
name
A user-defined name to call this rule by in another part of a state or
formula. This should not be an actual rule.
family
Networking family, either ipv4 or ipv6
All other arguments are passed in with the same name as the long option
that would normally be used for nftables, with one exception: `--state` is
specified as `connstate` instead of `state` (not to be confused with
`ctstate`).
Nr ���r
���r"���r����r
���r#���T��insertr%���r'���r����r(���z,nftables rule for {} already set for {} ({})r����r����z0nftables rule for {} needs to be set for {} ({})z�nftables.insert��positionr����r����r)���r*���r+���r,���r.���Fz9Failed to set nftables rule for {}.
Attempted rule was {}r����r/���r1���r����r����r����r5���1���sh���������������������������������������������
���������
�������������������
�����������
�������������������r5���c��������������������K���s����|�i�d�d�d���}�t�D�] }�|�|�v�r�|�|�=�q t�d���d d�|�i�|�����}�|�d���s$|�S�|�d���}�t�d���d d�|�d d
��|�����}�|�d���s;|�S�|�d���}�t�d���|�d���|�d
��|�|���}�|�d���sad�|�d�<�d���|�|�|�������|�d�<�|�S�d�t�v�rvt�d���rvd���|�|�|�������|�d�<�|�S�d�|�v�r�t�d���|�d���|�d
��|�|�d���d���}�n�t�d���|�d���|�d
��|�|�d���}�|�d���r�d�|�i�|�d�<�d�|�d�<�d�|���d�|���������|�d�<�d�|�v�r�|�d���r�t�d���d�|�d�����d���|�|�����|���|�d�<�|�S�d�|�d�<�d���|�|�������|�d�<�|�S�)!a����
.. versionadded:: 2014.7.0
Delete a rule to a chain
name
A user-defined name to call this rule by in another part of a state or
formula. This should not be an actual rule.
family
Networking family, either ipv4 or ipv6
All other arguments are passed in with the same name as the long option
that would normally be used for nftables, with one exception: `--state` is
specified as `connstate` instead of `state` (not to be confused with
`ctstate`).
Nr ���r
���r"���r����r
���r#���T��Dr%���r'���r����r(���z/nftables rule for {} already absent for {} ({})r����r����z4nftables rule for {} needs to be deleted for {} ({})r6���z�nftables.delete)�r����r6���)�r����r#���r����r����z�Delete nftables rule for �� r*���r+���r,���z/Deleted and Saved nftables rule for {} for {}{}Fz<Failed to delete nftables rule for {}.
Attempted rule was {}r����r/���r1���r����r����r������delete|���sl���������������������������������������������
���������
�����������������������������������
�������������������r9���Fc������������ �������K���sb���|�i�d�d�d���}�t�d���r�d�|�d�<�|�S�t�D�] }�|�|�v�r�|�|�=�q�d�|�v�r%d�|�d�<�t�d ��|�d���|�d
��}�|�sE|�d���sEd�|�d�<�d
��|�d���|���|�d�<�|�S�d�|�v�rNd�|�d�<�n&t�d���|�d���|�d���|�d
��}�|�st|�d���std�|�d�<�d���|�d���|�d���|���|�d�<�|�S�t�d���|�d���|�d���|���}�|�d���s�|�r�|�d���r�|�d���s�d�|�i�|�d�<�d�|�d�<�d���|�d���|�d���|���|�d�<�|�S�d�|�d�<�d�|�d�<�|�S�)�a>���
.. versionadded:: 2014.7.0
.. versionchanged:: 3002
Flush current nftables state
family
Networking family, either ipv4 or ipv6
ignore_absence
If set to True, attempts to flush a non-existent table will not
result in a failed state.
.. versionadded:: 3002
Nr ���r
���r����z*nftables flush not performed in test mode.r����r����r������nftables.check_tabler����r
���Fz<Failed to flush table {} in family {}, table does not exist.r(���r����zHFailed to flush chain {} in table {} in family {}, chain does not exist.r����r����r����Tz3Flush nftables rules in {} table {} chain {} familyz�Failed to flush nftables rules)�r����r0���r����r����) r����r����Z�ignore_absencer2���r����r3���Z�check_tableZ�check_chainr����r����r����r������flush����s\�����������������������������������������
�����������������������������������������������������r;���c��������������������K���sF���|�i�d�d�d���}�t�D�] }�|�|�v�r�|�|�=�q t�d���|�|�d���|���}�|�p d�����|�d�������k�r=d�|�d�<�d ��|�d���|�|�|�d�����|�d
<�|�S�t�d���rQd���|�d���|�|�|�d�����|�d
<�|�S�t�d
��|�|�d���|�d�������|���r�d�|�i�|�d�<�d�|�d�<�d���|�d���|�d���|���|�d
<�d�|�v�r�|�d���r�t�d���|���d���|�d�����d���|�d���|�d���|���|�d
<�|�S�d�|�d�<�d�|�d
<�|�S�)�a����
.. versionadded:: 3002
Sets the default policy for nftables chains
table
The table that owns the chain that should be modified
family
Networking family, either ipv4 or ipv6
policy
The requested table policy (accept or drop)
save
Boolean to save the in-memory nftables settings to a file.
save_filename
The filename to save the nftables settings (default: /etc/nftables
or /etc/nftables/salt-all-in-one.nft if the former is a directory)
Nr ���r
���z�nftables.get_policyr(�����policyTr
���zInftables default policy for chain {} on table {} for {} already set to {}r����r����zMnftables default policy for chain {} on table {} for {} needs to be set to {}z�nftables.set_policyr����r����z)Set default policy for {} to {} family {}r*���r+���Z
save_filenamer,���z3Set and saved default policy for {} to {} family {}Fz%Failed to set nftables default policy)�r0���r������lowerr����r������get)�r����r����r����r2���r����r3���r<���r����r����r�����
set_policy����sN�������������������������������������������������������������
������������ ������r?���c��������������������K���s����|�i�d�d�d���}�t�d���|�|�d���}�|�d���d�u�r#d�|�d�<�d���|�|���|�d <�|�S�t�d
��r1d���|�|���|�d <�|�S�t�d���|�|�d���}�|�d���d�u�rSd
|�i�|�d�<�d�|�d�<�d���|�|���|�d <�|�S�d�|�d�<�d�|���d�|�����|�d <�|�S�)�z�
.. versionadded:: 3002
Ensure an nftables table is present
name
A user-defined table name.
family
Networking family, either ipv4 or ipv6
Nr ���r
���r:���r����r
���Tz-nftables table {} already exists in family {}r����r����z/nftables table {} would be created in family {}z�nftables.new_tabler����r����z3nftables table {} successfully created in family {}Fz�Failed to create table z� for family ��r����r����r������r����r����r2���r����Z�table_checkr����r����r����r�����
table_present]���s0����
����������������������������������������������rB���c��������������������K���s����|�i�d�d�d���}�t�d���|�|���}�|�d���d�u�r"d�|�d�<�d���|�|���|�d <�|�S�t�d
��r0d���|�|���|�d <�|�S�t�d���|�|�d
��}�|�d���d�u�rRd�|�i�|�d�<�d�|�d�<�d���|�|���|�d <�|�S�d�|�d�<�d�|���d�|�����|�d <�|�S�)�z�
.. versionadded:: 3002
Ensure an nftables table is absent
name
Name of the table to ensure is absent
family
Networking family, either ipv4 or ipv6
Nr ���r
���r:���r
���FTz2nftables table {} is already absent from family {}r����r����z1nftables table {} would be deleted from family {}z�nftables.delete_tabler����r����r����z5nftables table {} successfully deleted from family {}z�Failed to delete table z
from family r@���rA���r����r����r������table_absent����s0����
����������������������������������������������rC���)�r����NNNr����)�r����r����)�r����)�r����F)���__doc__��loggingZ
salt.stater����r0���� getLogger��__name__��logr����r����r!���r4���r5���r9���r;���r?���rB���rC���r����r����r����r������<module>����s�������p��
����
�
9
.
I
K
Q
G
I�-