Server: Apache
System: Linux server2.voipitup.com.au 4.18.0-553.104.1.lve.el8.x86_64 #1 SMP Tue Feb 10 20:07:30 UTC 2026 x86_64
User: posscale (1027)
PHP: 8.2.29
Disabled: exec,passthru,shell_exec,system
File: //opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/__pycache__/csf.cpython-310.pyc
[Compiled Python bytecode (csf.cpython-310.pyc, the Salt execution module salt/modules/csf.py). The bytecode itself is not recoverable from this dump; the module docstring, function docstrings, command strings and CLI examples embedded in it are reproduced below.]

Support for Config Server Firewall (CSF)
========================================
:maintainer: Mostafa Hussein <mostafa.hussein91@gmail.com>
:maturity: new
:platform: Linux

Recoverable function docstrings and strings:

__virtual__
    Only load if csf exists on the system
    Error string: "The csf execution module cannot be loaded: csf unavailable."

_temp_exists
    Checks if the ip exists as a temporary rule based
    on the method supplied, (tempallow, tempdeny).
    Command: csf -t | awk -v code=1 -v type={_type} -v ip={ip} '$1==type && $2==ip {code=0} END {exit code}'

_exists_with_port
    Checks /etc/csf/csf.<method> via file.contains.

exists
    Returns true a rule for the ip already exists
    based on the method supplied. Returns false if
    not found.

    CLI Example:

    .. code-block:: bash

        salt '*' csf.exists allow 1.2.3.4
        salt '*' csf.exists tempdeny 1.2.3.4

__csf_cmd
    Execute csf command
    Error string: "csf failed: "

_status_csf
    Return True if csf is running otherwise return False
    Command: test -e /etc/csf/csf.disable

_get_opt
    Returns the cmd option based on a long form argument.
    Mapping: allow -a, deny -d, unallow -ar, undeny -dr, tempallow -ta, tempdeny -td, temprm -tr

_build_args
    Returns the cmd args for csf basic allow/deny commands.

_access_rule
    Handles the cmd execution for allow and deny commands.
    Error strings: "You must supply an ip address or CIDR."
                   "Only allow and deny rules are allowed when specifying a port."

_build_port_rule
    Rule format: {proto}|{direction}|{port_origin}={port}|{ip_origin}={ip} [ #comment]

_csf_to_list
    Extract comma-separated values from a csf.conf
    option and return a list.

get_option / set_option
    Operate on /etc/csf/csf.conf via file.grep and file.replace.
    Error string: "No such option exists in csf.conf"

get_skipped_nics / skip_nic / skip_nics
    Operate on the ETH_DEVICE_SKIP / ETH6_DEVICE_SKIP options.

_tmp_access_rule
    Handles the cmd execution for tempdeny and tempallow commands.
    Error strings: "You must supply an ip address or CIDR."
                   "You must supply a ttl."

_build_tmp_access_args
    Builds the cmd args for temporary access/deny opts.

running
    Check csf status

    CLI Example:

    .. code-block:: bash

        salt '*' csf.running

disable
    Disable csf permanently (csf -x)

    CLI Example:

    .. code-block:: bash

        salt '*' csf.disable

enable
    Activate csf if not running (csf -e)

    CLI Example:

    .. code-block:: bash

        salt '*' csf.enable

reload
    Restart csf (csf -r)

    CLI Example:

    .. code-block:: bash

        salt '*' csf.reload

tempallow
    Add an rule to the temporary ip allow list.
    See :func:`_access_rule`.
    1- Add an IP:

    CLI Example:

    .. code-block:: bash

        salt '*' csf.tempallow 127.0.0.1 3600 port=22 direction='in' comment='# Temp dev ssh access'

tempdeny
    Add a rule to the temporary ip deny list.
    See :func:`_access_rule`.
    1- Add an IP:

    CLI Example:

    .. code-block:: bash

        salt '*' csf.tempdeny 127.0.0.1 300 port=22 direction='in' comment='# Brute force attempt'

allow
    Add an rule to csf allowed hosts
    See :func:`_access_rule`.
    1- Add an IP:

    CLI Example:

    .. code-block:: bash

        salt '*' csf.allow 127.0.0.1
        salt '*' csf.allow 127.0.0.1 comment="Allow localhost"

deny
    Add an rule to csf denied hosts
    See :func:`_access_rule`.
    1- Deny an IP:

    CLI Example:

    .. code-block:: bash

        salt '*' csf.deny 127.0.0.1
        salt '*' csf.deny 127.0.0.1 comment="Too localhosty"

unallow
    Remove a rule from the csf denied hosts
    See :func:`_access_rule`.
    1- Deny an IP:

    CLI Example:

    .. code-block:: bash

        salt '*' csf.unallow 127.0.0.1

undeny
    Remove a rule from the csf denied hosts
    See :func:`_access_rule`.
    1- Deny an IP:

    CLI Example:

    .. code-block:: bash

        salt '*' csf.undeny 127.0.0.1

remove_temp_rule / remove_rule
    Undocumented; dispatch to the csf temprm option or to unallow/undeny.

allow_ports
    Fully replace the incoming or outgoing ports
    line in the csf.conf file - e.g. TCP_IN, TCP_OUT,
    UDP_IN, UDP_OUT, etc.

    CLI Example:

    .. code-block:: bash

        salt '*' csf.allow_ports ports="[22,80,443,4505,4506]" proto='tcp' direction='in'

get_ports
    Lists ports from csf.conf based on direction and protocol.
    e.g. - TCP_IN, TCP_OUT, UDP_IN, UDP_OUT, etc..

    CLI Example:

    .. code-block:: bash

        salt '*' csf.allow_port 22 proto='tcp' direction='in'

_validate_direction_and_proto
    Error strings: "You must supply a direction of in, out, or both"
                   "You must supply tcp, udp, tcp6, or udp6 for the proto keyword"

build_directions
    Expands "both" into ["IN", "OUT"].

allow_port
    Like allow_ports, but it will append to the
    existing entry instead of replacing it.
    Takes a single port instead of a list of ports.

    CLI Example:

    .. code-block:: bash

        salt '*' csf.allow_port 22 proto='tcp' direction='in'

get_testing_status / _toggle_testing / enable_testing_mode / disable_testing_mode
    Read or set the TESTING option in /etc/csf/csf.conf.
    Error string: "Only valid arg is 'on' or 'off' here."