dF.~ddlmZddlmZddlmZGddeZGddZGdd eZ Gd d eZ y ) )ustr) shellutil) CommandErrorcJeZdZdZdZedZdZdZdZ dZ dZ d Z y ) RouteEntryz Represents a single route. The destination, gateway, and mask members are hex representations of the IPv4 address in network byte order. c~||_||_||_||_t |d|_t ||_y)N) interface destinationgatewaymaskintflagsmetric)selfr r r r rrs J/usr/lib/python3/dist-packages/azurelinuxagent/common/utils/networkutil.py__init__zRouteEntry.__init__s7"&  ^ &k c t|dk7r tdg}tdddD],}|jt t |||dzd.dj |S)Nz5String to dotted quad conversion must be 8 charactersr .)len Exceptionrangeappendstrrjoin)valueoctetsidxs r_net_hex_to_dotted_quadz"RouteEntry._net_hex_to_dotted_quad&sh u:?ST TB# :71 1 hrrc:eZdZdZdZdZdZedZdZ y)NetworkInterfaceCardc\||_t|_t|_||_yr&)namesetipv4ipv6link)rr@ link_infos rrzNetworkInterfaceCard.__init__Hs" E E  rc:|jj|yr&)rBaddrinfos radd_ipv4zNetworkInterfaceCard.add_ipv4N drc:|jj|yr&)rCrGrHs radd_ipv6zNetworkInterfaceCard.add_ipv6QrKrc|j|jk(xr4|j|jk(xr|j|jk(Sr&)rDrBrC)rothers r__eq__zNetworkInterfaceCard.__eq__TsAyyEJJ&'yyEJJ&'yyEJJ& 'rc djdjt|Dcgc]}dj|c}Scc}w)Nz[{0}],z"{0}")r/r sorted)itemsxs r _json_arrayz NetworkInterfaceCard._json_arrayYs5~~chh6%='Qaq(9'QRSS'QsA cdj|jdj|jg}t|jdkDr9|j dj|j |jt|jdkDr9|j dj|j |jdjdj|S)Nz "name": "{0}"z "link": "{0}"rz "ipv4": {0}z "ipv6": {0}z {{ {0} }}z, ) r/r@rDrrBrrVrCr )rentriess rr4zNetworkInterfaceCard.__str__]s"))$))4"))$))46 tyy>A  NN=//0@0@0KL M tyy>A  NN=//0@0@0KL M!!$))G"455rN) r7r8r9rrJrMrPr;rVr4r<rrr>r>Gs1 ' TT6rr>ceZdZdZdZdZy)FirewallCmdDirectCommandsz --passthroughz--query-passthroughz--remove-passthroughN)r7r8r9 PassThroughQueryPassThroughRemovePassThroughr<rrrZrZgs"K- /rrZc2eZdZdZdZdZdZdZeddZ edZ ed Z edd Z edd Z edd Zedd ZedZedZedZedZeeddfdZedZedZedZedZy)AddFirewallRulesa This class is a utility class which is only meant to orchestrate adding Firewall rules (both iptables and firewalld). This would also be called from a separate utility binary which would be very early up in the boot order of the VM, due to which it would not have access to basic mounts like file-system. Please make sure to not log anything in any function this class. z-Az-Iz-Dz-Cc|dk7rddgSdgS)za If 'wait' is True, adds the wait option (-w) to the given iptables command line r`iptablesz-wr<waits r__get_iptables_base_commandz,AddFirewallRules.__get_iptables_base_commands 2:% %|rcddd|dgS)Nz firewall-cmdz --permanentz--directrBr<)commands r__get_firewalld_base_commandz-AddFirewallRules.__get_firewalld_base_commands z7FKKrcdd|dd|ddgS)Nz-tsecurityOUTPUTz-dz-ptcpr<)rgr s r__get_common_command_paramsz,AddFirewallRules.__get_common_command_paramssj'8T;eTTrc|dk7rtj|}ntj|}|jtj |||S)Nr`)r_-_AddFirewallRules__get_firewalld_base_command,_AddFirewallRules__get_iptables_base_commandextend,_AddFirewallRules__get_common_command_paramsrgr firewalld_commandrdcmds r__get_firewall_base_commandz,AddFirewallRules.__get_firewall_base_commandsL  ""??@QRC">>tDC #??UV rc\tj||||}|jgd|S)N)z--destination-port53-jACCEPTr_,_AddFirewallRules__get_firewall_base_commandrqrss rget_accept_tcp_rulez$AddFirewallRules.get_accept_tcp_rules.::7KQbdhi ?@ rcvtj||||}|jdddt|ddg|S)N-mownerz --uid-ownerryrz)r_r|rqr)rgr owner_uidrtrdrus rget_wire_root_accept_rulez*AddFirewallRules.get_wire_root_accept_rules<::7KQbdhi D'=#i.$QR rc\tj||||}|jgd|S)N)r conntrackz --ctstatez INVALID,NEWryDROPr{rss rget_wire_non_root_drop_rulez,AddFirewallRules.get_wire_non_root_drop_rules,::7KQbdhi PQ rcB|dk(rtdj|y)Nr`z{0} should not be empty)rr/)valr@s r__raise_if_emptyz!AddFirewallRules.__raise_if_emptys% "95<Command {0} failed with exit-code: {1} Stdout: {2} Stderr: {3} ) r run_commandrr/r returncoderstdoutstderrr)ruerrormsgs r __execute_cmdzAddFirewallRules.__execute_cmdsx !  ! !# & !T[[\_\d\deh\i\a\l\l\`afamam\n\`afamam\npCC.  !s BAA??Bc| tj|y#t$r}|jdk7rYd}~yd}~wwxYw)NTF)rrrr)ruerrs r__execute_check_commandz(AddFirewallRules.__execute_check_commands?   ! !# & ~~"#  s ;6;cntjtj||}tjtj|||}tj tj||}tj |xr,tj |xrtj |S)Nrc)r_r} CHECK_COMMANDrr(_AddFirewallRules__execute_check_command)rddst_ipuidcheck_cmd_tcp_rulecheck_cmd_accept_rulecheck_cmd_drop_rules rverify_iptables_rules_existz,AddFirewallRules.verify_iptables_rules_exists-AABRB`B`bhosAt 0 J JK[KiKikqsvPT!K!V.JJK[KiKikqx|J}778JKQP`PxPxzOQPQ#;;>wQbim?o&&7%??QTRcjn@p &&z2#??ct{?A&&x0rcRtj||tj|y)N)rgrd)r_,_AddFirewallRules__execute_firewall_commandsAPPEND_COMMAND)rdrrs radd_iptables_rulesz#AddFirewallRules.add_iptables_ruless!44VSJZJiJipt4urcPtj||tjyN)rt)r_rrZr[rrs radd_firewalld_rulesz$AddFirewallRules.add_firewalld_ruless 44VSTmTyTy4zrcPtj||tjyr)r_rrZr\rs rcheck_firewalld_rule_appliedz-AddFirewallRules.check_firewalld_rule_applieds44VSTmT~T~4rcPtj||tjyr)r_rrZr]rs rremove_firewalld_rulesz'AddFirewallRules.remove_firewalld_ruless!44VSTmTT4 ArN)r`)r`r`)r7r8r9r:rINSERT_COMMANDDELETE_COMMANDrr;rprorrr|r}rrrrrrrrrrrr<rrr_r_zszN NNMLLUU   DD!!  QQ9G[]df11"vv{{ @@AArr_N) azurelinuxagent.common.futurerazurelinuxagent.common.utilsr&azurelinuxagent.common.utils.shellutilrobjectrr>rZr_r<rrrsF&/2?,h,h^66@//&NAvNAr