o

�N�g{G�@sdZd
dl
Z
d
dlZd
dlmZ
e
�e�
Zddddd�Z	hd�
Z
hd�
hd	�
hd	�
hd
�
hd�
hd
�
hd
�
hd
�
hd
�
hd
�
hd
�
hd
�
hd�
hd
�
hd
�
d�Zhd�
Zdg
dg
dg
ggggggggggggd�Z
hd�
hd�
hd�
hd�
hd�
hd�
hd�
hd�
hd�
hd�
hd�
hd�
hd�
hd�
hd�
d�ZdZdd�Zdd�Zdd�ZdGdd �
ZdHd!d"�
ZdId#d$�
ZdJd%d&�
ZdHd'd(�
ZdId)d*�
ZdId+d,�
ZdId-d.�
ZdId/d0�
ZdHd1d2�
Zd3d4�Zd5d6�Zd7d8�Zd9d:�Z dKd;d<�
Z!d=d>�Z"d?d@�Z#dAdB�Z$dCdD�Z%dEdF�Z&dS)Lz
Support for ipset
�N)
�	ipaddressZinetZinet6)�ipv4Zip4Zipv6Zip6>�hash:ip,mark�hash:ip�hash:net,port,net�hash:net�list:set�hash:ip,port�hash:ip,port,ip�hash:ip,port,net�hash:net,net�	bitmap:ip�
hash:net,port�
bitmap:ip,mac�hash:net,iface�bitmap:port�hash:mac>�skbinfo�timeout�range�comment�netmask�counters>rrrrr>r�hashsizerrr�familyr�maxelem>rrrrrr>rrrrrZmarkmaskrr>�sizerrr)r
rrrrrrrrr
rr	rrr>rrrr)r
rrrrrrr	rr
rrrrr>r�skbmark�bytes�packets�skbqueue�skbprio>rrrrr!>rZnomatchrrrr r!)r
rrrrrrrrr
rr	rrr�ipsetcCstj
j�d
�
r	dSdS)z4
    Only load the module if ipset is installed
    r"T)FzGThe ipset execution modules cannot be loaded: ipset binary not in path.��salt�utils�path�which�r(r(�F/opt/saltstack/salt/lib/python3.10/site-packages/salt/modules/ipset.py�__virtual__�s

r*cCstj
j�d
�
S)z 
    Return correct command
    r"r#r(r(r(r)�
_ipset_cmd
sr+cCs&t�d
g}t
d|dd���}
|
dS)zz
    Return version from ipset --version

    CLI Example:

    .. code-block:: bash

        salt '*' ipset.version

    z	--version�cmd.runF�
Zpython_shell�
�r+�__salt__�split)�cmd�outr(r(r)�version
s


r4rFc	Ks�t|}|sd
S|
sdS|
t
v
rdSt|
D]}||v
r$d|�d�
Sqt�d||
g}t|
D]}||vrI|tvr@|�|�

q0|�|||g�

q0dt|
vrW|�d|g�

|r^|�d�

td	|d
d�}|sjd}|S)
a.

    .. versionadded:: 2014.7.0

    Create new custom set

    CLI Example:

    .. code-block:: bash

        salt '*' ipset.new_set custom_set list:set

        salt '*' ipset.new_set custom_set list:set comment=True

        IPv6:
        salt '*' ipset.new_set custom_set list:set family=ipv6
    z%Error: Set Name needs to be specifiedz%Error: Set Type needs to be specifiedzError: Set Type is invalid�Error: z is a required argument�createrrr,Fr-T)	�_IPSET_FAMILIES�_IPSET_SET_TYPES�_CREATE_OPTIONS_REQUIREDr+�_CREATE_OPTIONS�_CREATE_OPTIONS_WITHOUT_VALUE�append�extendr0)	�name�set_typerr�kwargsZipset_family�itemr2r3r(r(r)�new_set
s4





�


�




rBcCs0|sd
St�d|g}t
d|dd�}|sd}|S)z�
    .. versionadded:: 2014.7.0

    Delete ipset set.

    CLI Example:

    .. code-block:: bash

        salt '*' ipset.delete_set custom_set

        IPv6:
        salt '*' ipset.delete_set custom_set family=ipv6
    � Error: Set needs to be specifiedZdestroyr,Fr-T)r+r0�r>rr2r3r(r(r)�
delete_setV
s



rEcCsZ|sd
S|
sdSt|�
}|sdSt|
�
}|rdSt
�d||
g}td|dd�}|s+d	}|S)
a

    .. versionadded:: 2014.7.0

    Delete ipset set.

    CLI Example:

    .. code-block:: bash

        salt '*' ipset.rename_set custom_set new_set=new_set_name

        IPv6:
        salt '*' ipset.rename_set custom_set new_set=new_set_name family=ipv6
    rCz-Error: New name for set needs to be specifiedzError: Set does not existzError: New Set already exists�renamer,Fr-T��_find_set_typer+r0)r>rBr�settyper2r3r(r(r)�
rename_setq
s








rJc
	Cs�t�d
dg}
t
d|
dd�}|�d�
}d}g}|�i�

|D] }|s,|d}|�i�

q|�d	d�\}}|dd
�|||<q|S)z�
    .. versionadded:: 2014.7.0

    List all ipset sets.

    CLI Example:

    .. code-block:: bash

        salt '*' ipset.list_sets

    �list�-tr,Fr-�

r
r.�
:N�r+r0r1r<)	rr2r3�_tmp�countZsetsrA�key�valuer(r(r)�	list_sets�
s














rTcCs|sd
St|�
}|sdSdS)z�
    Check that given ipset set exists.

    .. versionadded:: 2014.7.0

    CLI Example:

    .. code-block:: bash

        salt '*' ipset.check_set name

    rCFT�
�_find_set_info)r>r�setinfor(r(r)�	check_set�
s




rXc
Ks^
|sd
S|
sdSt|�
}|sd|�d�S|d}t
�dd|g|
��}d|vr3d|d	v
r3d|�d
�Sd|vs;d|vrGd
|d	v
rGd|�d�Sd|vrdd|d	v
rWd|�d�Sd|
v
rd|d|d�g}hd�
t|���
@rzd|d	v
rzd|�d�St|D]}||vr�|�|||g�

q~t|�
}|
|vr�d|
�d|��Std|dd�}	|	s�dSd|	��S)z�
    Append an entry to the specified set.

    CLI Example:

    .. code-block:: bash

        salt '*' ipset.add name 192.168.1.26

        salt '*' ipset.add name 192.168.0.3,AA:BB:CC:DD:EE:FF

    rC�"Error: Entry needs to be specified�Error: Set � does not exist�Type�addz-existr�Headerz! not created with timeout supportrrrz" not created with counters supportrz! not created with comment support>r!rr rz! not created with skbinfo supportzWarn: Entry z already exists in set r,Fr-�Successr5)	rVr+r1�set�keys�_ADD_OPTIONSr=�_find_set_membersr0)
r>�entryrr@rWrIr2rA�current_membersr3r(r(r)r]�
sD

















�




r]cKsX|sd
S|
sdSt|�
}|sd|�d�St
�d||
g}td|dd�}|s'd	Sd
|��S)z�
    Delete an entry from the specified set.

    CLI Example:

    .. code-block:: bash

        salt '*' ipset.delete name 192.168.0.3,AA:BB:CC:DD:EE:FF

    rCrYrZr[�delr,Fr-r_r5rG�r>rdrr@rIr2r3r(r(r)�deletes







rhcCs�|sd
S|
sdSt|�
}|sd|�d�St
|t|�
�}|sdSt|
t�r*t
||
�}nt||
�g
}|D]}|D]}
t||
�rA

dSq6q2dS)a	
    Check that an entry exists in the specified set.

    name
        The ipset name

    entry
        An entry in the ipset.  This parameter can be a single IP address, a
        range of IP addresses, or a subnet block.  Example:

        .. code-block:: cfg

            192.168.0.1
            192.168.0.2-192.168.0.19
            192.168.0.0/25

    family
        IP protocol version: ipv4 or ipv6

    CLI Example:

    .. code-block:: bash

        salt '*' ipset.check name '192.168.0.1 comment "Hello"'

    rCrYrZr[FT)rH�_parse_membersrc�
isinstancerK�
_parse_member�_member_contains)r>rdrrIre�entriesZcurrent_memberr(r(r)�check%s(











��rncKsZ|sd
S|
sdSt|�
}|sd|�d�St
�d||
g}td|dd�}|d	d
kr+dSdS)z�
    Test if an entry is in the specified set.

    CLI Example:

    .. code-block:: bash

        salt '*' ipset.test name 192.168.0.2

        IPv6:
        salt '*' ipset.test name fd81:fc56:9ac7::/48
    rCrYrZr[�test�cmd.run_allFr-�retcoder
TrGrgr(r(r)ro[s






rocCs.t�d
g}|r|�
|�

td|dd�}|S)a

    Flush entries in the specified set,
    Flush all sets if set is not specified.

    CLI Example:

    .. code-block:: bash

        salt '*' ipset.flush

        salt '*' ipset.flush set

        IPv6:
        salt '*' ipset.flush

        salt '*' ipset.flush set
    �flushr,Fr-)r+r<r0rDr(r(r)rr{s





rrc
Csjt�d
|g}
t
d|
dd�}|ddkrdS|d�d�
}g}d}|D]}|r,|�|�

d	|vr2d
}q#|S)z*
    Return list of members for a set
    rKrpFr-rqr
�stdoutrMzMembers:TrO)r>r2r3rP�membersZstartMembers�
ir(r(r)rc�s








�
rcc
Csvt�d
d|g}
t
d|
dd�}|ddkrdSi}|d�d	�
}|D]}d
|vr8|�d
d�\}}|dd�||<q"|S)
z*
    Return information about the set
    rKrLrpFr-rqr
rsrMrNr.Nr/)r>r2r3rWrPrArRrSr(r(r)rV�s




�
rVc
Cst|�
}
|
r
|
d
SdS)z"
    Find the type of the set
    r\FrU)r>rWr(r(r)rH�s
rHcs(t|
t
�rt�|
�g
S�f
d
d�|
D�
S)Nc
sg|]}
t�|
��qSr()
rk)�.0�member�
rIr(r)�
<listcomp>�sz"_parse_members.<locals>.<listcomp>)rj�strrk)rIrtr(rxr)ri�s

ric	Cs�|�d
�
d�d�
}|
�dd�}|d�d�
}g}t
|�
D]P\}}||}	|dvr`z-d|	vr6tj|	|d�}	nd	|	vrPtttj|	�d	�
��
\}
}tt�|
|��
}	nt�|	�
}	Wnty_


Yn	w|d
krht	|	�
}	|�
|	�

qt|�
dkr{|�
|d�

|S)NrNr.�
,�
 r
)�ip�net�
/)
�strict�
-�port)r1�	enumerater�
ip_networkrK�map�
ip_address�summarize_address_range�
ValueError�intr<�len)rIrwr�ZsubtypesZ	all_parts�partsZ
parsed_memberru�subtype�part�start�endr(r(r)rk�s0









�

�

rkc
CsdS�
Nr()rtrdr(r(r)�_members_contain�s
r�cCs>t|�
t|
�
kr
d
St
|
�
D]\}}t|||�s
d
SqdS)NFT)r�r��_compare_member_parts)rwrdruZ_entryr(r(r)rl�s



�rlcCsp||
krd
St|
t
�r|
D]
}t||�s
dSq
d
St|�
r(t|
�
r&||
vSdSt|�
r6t|
�
r4|
|vSdSdS)NTF)rjrKr��_is_address�_is_network)Zmember_partZ
entry_partZentry_part_itemr(r(r)r�s"





�

�

r�c

C�t|t
jt
jf�Sr�)rjr�IPv4Network�IPv6Network�
�
or(r(r)r�*�
r�c

Cr�r�)rjr�IPv4Address�IPv6Addressr�r(r(r)r�.r�r�)NNrF)Nr)NNr)
r)
F)'�__doc__�loggingZsalt.utils.pathr$Zsalt._compatr�	getLogger�__name__�logr7r8r:r;r9rbZ__virtualname__r*r+r4rBrErJrTrXr]rhrnrorrrcrVrHrirkr�rlr�r�r�r(r(r(r)�<module>
s�




�













�l













�




							
�Q

7

&


<

6
 
""