JFIF$        dd7 

Viewing File: /usr/lib/python3.9/site-packages/firewall/core/__pycache__/fw_policy.cpython-39.opt-1.pyc

a

	�	iD#�@s�ddlZddlmZddlmZmZmZmZmZm	Z	m
Z
mZmZm
Z
mZddlmZmZmZmZmZmZmZmZmZmZmZddlmZddlmZddlm Z ddl!m"Z"Gd	d
�d
e#�Z$dS)�N)�log)�portStr�checkIPnMask�
checkIP6nMask�
checkProtocol�enable_ip_forwarding�check_single_address�portInPortRange�get_nf_conntrack_short_name�coalescePortRange�breakPortRange�checkTcpMssClamp)�	Rich_Rule�Rich_Accept�Rich_Service�	Rich_Port�
Rich_Protocol�Rich_Masquerade�Rich_ForwardPort�Rich_SourcePort�Rich_IcmpBlock�
Rich_IcmpType�Rich_Tcp_Mss_Clamp)�FirewallTransaction)�errors)�
FirewallError)�SOURCE_IPSET_TYPESc@sveZdZdd�Zdd�Zdd�Zdd�Zd	d
�Zdd�Zd
d�Z	dd�Z
dd�Zdd�Zd�dd�Z
dd�Z�ddd�Z�ddd�Z�ddd�Zd d!�Zd"d#�Zd$d%�Zd&d'�Z�dd*d+�Zd,d-�Z�dd.d/�Zd0d1�Zd2d3�Zd4d5�Zd6d7�Zd8d9�Z�dd:d;�Zd<d=�Z�dd>d?�Z d@dA�Z!dBdC�Z"dDdE�Z#dFdG�Z$dHdI�Z%dJdK�Z&dLdM�Z'�ddNdO�Z(dPdQ�Z)�ddRdS�Z*dTdU�Z+dVdW�Z,dXdY�Z-dZd[�Z.d\d]�Z/�d	d^d_�Z0d`da�Z1�d
dbdc�Z2ddde�Z3dfdg�Z4dhdi�Z5djdk�Z6dldm�Z7dndo�Z8dpdq�Z9�ddrds�Z:dtdu�Z;�ddvdw�Z<dxdy�Z=dzd{�Z>d|d}�Z?d~d�Z@d�d��ZAd�d��ZB�d
d�d��ZCd�d��ZD�dd�d��ZEd�d��ZFd�d��ZGd�d��ZHd�d��ZI�dd�d��ZJd�d��ZK�dd�d��ZLd�d��ZMd�d��ZNd�d��ZO�dd�d��ZPd�d��ZQ�dd�d��ZRd�d��ZSd�d��ZT�dd�d��ZU�dd�d��ZV�dd�d��ZWd�d��ZX�dd�d��ZYd�d��ZZ�dd�d��Z[d�d��Z\d�d��Z]d�d��Z^�dd�d��Z_d�d��Z`�dd�d��Zad�dÄZbd�dńZcd�dDŽZd�dd�dɄZed�d˄Zfd�d̈́Zg�dd�dτZhd�dфZid�dӄZjd�dՄZkd�dׄZld�dلZmd�dۄZnd�d݄Zod�d߄Zpd�d�Zq�dd�d�Zr�dd�d�Zsd�d�Ztd�d�Zud�d�Zvd�d�Zw�dd�d�Zxd�d�Zyd�d�Zzd�d��Z{d�d��Z|d�d��Z}d�d��Z~�dd�d��ZdS( �FirewallPolicycCs||_i|_i|_dS�N)�_fw�_chains�	_policies)�self�fw�r$�;/usr/lib/python3.9/site-packages/firewall/core/fw_policy.py�__init__szFirewallPolicy.__init__cCsd|j|j|jfS)Nz
%s(%r, %r))�	__class__r r!�r"r$r$r%�__repr__szFirewallPolicy.__repr__cCs|j��|j��dSr)r �clearr!r(r$r$r%�cleanups
zFirewallPolicy.cleanupcCst|j�}|�|jj�|Sr)rrZadd_pre�full_check_config)r"�tr$r$r%�new_transaction$s
zFirewallPolicy.new_transactioncCst|j���Sr)�sortedr!�keysr(r$r$r%�get_policies+szFirewallPolicy.get_policiescCs4g}|��D]}|�|�}|js|�|�qt|�Sr)r1�
get_policy�derived_from_zone�appendr/)r"�policies�p�p_objr$r$r%�"get_policies_not_derived_from_zone.s
z1FirewallPolicy.get_policies_not_derived_from_zonecCsvg}|��D]d}|�|�}t|j�t|jj���tddg�B@rt|j�t|jj���tddg�B@r|�|�q|S)N�HOST�ANY)	r8r2�set�
ingress_zonesr�zoneZget_active_zones�egress_zonesr4)r"Zactive_policies�policyr7r$r$r%�)get_active_policies_not_derived_from_zone6s
&$�z8FirewallPolicy.get_active_policies_not_derived_from_zonecCs|j�|�}|j|Sr)r�check_policyr!)r"r?r6r$r$r%r2@szFirewallPolicy.get_policycCs||j|j<dSr)r!�name)r"�objr$r$r%�
add_policyDszFirewallPolicy.add_policycCs&|j|}|jr|�|�|j|=dSr)r!�applied�unapply_policy_settings)r"r?rCr$r$r%�
remove_policyGs

zFirewallPolicy.remove_policyNcCsJ|��D]<}|j|}|jrq||��vrt�d|�|j||d�qdS)NzApplying policy '%s'��use_transaction)r1r!r3r@rZdebug1�apply_policy_settings)r"rIr?r7r$r$r%�apply_policiesMs
zFirewallPolicy.apply_policiescCs|j|}||_dSr)r!rE)r"r?rErCr$r$r%�set_policy_appliedVs
z!FirewallPolicy.set_policy_appliedc	Csz|j�|�}|j|}|r |js*|s.|js.dS|r8d|_|durJ|��}n|}|r�|jsb|�|�n|�|�D]\}}|�|d|||�ql|js�|�	|||�dD�]x}	t
|�|�|	�}
t|
t
�r�|r�|
s�|s�|
s�q�|
g}
|
D�]:}|	dkr�|�||||�q�|	dk�r
q�q�|	dk�r,|j|||g|�R�q�|	dk�rH|�||||�q�|	dk�rn|�|||d|d	|�q�|	d
k�r�|�||||�q�|	dk�r�|�|||d|d	|�q�|	dk�r�|�|||�q�|	d
k�r�|�||t|d�|�q�|	dk�r�q�q�|	dk�rq�q�t�d||	|�q�q�|�sb|j�s4|�|�n|�|�D]\}}|�|d|||��q>d|_|du�rv|�|�dS)NT)�services�ports�
masquerade�
forward_ports�source_ports�icmp_blocks�	rules_str�	protocols�icmp_block_inversionr<r>rRrUrPrMrNr�rTrQrOrS��rule_strr<r>z5Policy '%s': Unknown setting '%s:%s', unable to applyF)rrAr!rEr.r3�%_get_table_chains_for_policy_dispatch�#_get_table_chains_for_zone_dispatch�gen_chain_rules�_ingress_egress_zones�getattrr2�
isinstance�bool�_icmp_block�
_forward_port�_service�_port�	_protocol�_source_port�_masquerade�_FirewallPolicy__rulerr�warning�execute)r"�enabler?rI�_policyrC�transaction�table�chain�keyZ	args_list�argsr$r$r%�_policy_settingsZs�

�





�


�

�

�

��

zFirewallPolicy._policy_settingscCs|jd||d�dS)NTrH�rq�r"r?rIr$r$r%rJ�sz$FirewallPolicy.apply_policy_settingscCs|jd||d�dS)NFrHrrrsr$r$r%rF�sz&FirewallPolicy.unapply_policy_settingscCs|�|���Sr)r2Zexport_config_dict�r"r?r$r$r%�get_config_with_settings_dict�sz,FirewallPolicy.get_config_with_settings_dictcs�ddlm�d��fdd�	}��fdd�}�j�jf�j�jf�j�jf�j�j	f�j
�jf||f�j�j
f�j�jf�j�jf�j�jfd�
}��|�}t�|�}|�|�j����j�d|gi���|�}	�j�|	|�\}
}|D]n}t||t��rF||D]>}
t|
t��r.||d	|g|
�R�n||d	||
��qq�||d	|�q�|
D]�}t|
|t��r�|
|D]L}
t|
t��r�||d|g|
�Rd|d
��n||d||
d|d
��qxn||d|d|d
��q\dS)Nr)rcs�j|�|d�d|d�dS)NrWr��timeout�sender)�add_rule)r?rXrwrx�rr"r$r%�add_rule_wrapper�szFFirewallPolicy.set_config_with_settings_dict.<locals>.add_rule_wrappercs��|�|d��dS)NrW)�remove_rule)r?rXrzr$r%�remove_rule_wrapper�szIFirewallPolicy.set_config_with_settings_dict.<locals>.remove_rule_wrapper)
rMrNrRrOrPZ
rich_rulesrTrQr<r>r5rVrv)rN)�firewall.core.richr�add_service�remove_service�add_port�remove_port�add_icmp_block�remove_icmp_block�add_masquerade�remove_masquerade�add_forward_port�remove_forward_port�add_protocol�remove_protocol�add_source_port�remove_source_port�add_ingress_zone�remove_ingress_zone�add_egress_zone�remove_egress_zoner2�copyZimport_config_dictrZget_all_io_objects_dictr,ruZget_added_and_removed_settingsr^�list�tuple)r"r?Zsettingsrxr{r}Z
setting_to_fnZold_objZ	check_objZold_settingsZadd_settingsZremove_settingsrorpr$rzr%�set_config_with_settings_dict�sD








�


"z,FirewallPolicy.set_config_with_settings_dictcCs&|sttj��|dvr"|j�|�dS�N)r9r:�rrZINVALID_ZONErZ
check_zone�r"r=r$r$r%�check_ingress_zone�s
z!FirewallPolicy.check_ingress_zonecCs|�|�|Sr)r�r�r$r$r%Z__ingress_zone_id�s
z FirewallPolicy.__ingress_zone_idrTcCs|j�|�}|j�|�|j��|j|}|�|�}	|	|jvrTttj	d||f��|durf|�
�}
n|}
|r�|jr�|�d||
�|�
||	||�|
�|j||	�|js�||��vr�|j||
d�|
�|j|d�n|�d||
�n |�
||	||�|
�|j||	�|du�r|
�d�dS�N�'%s' already in '%s'FrHT)rrA�
check_timeout�check_panicr!� _FirewallPolicy__ingress_zone_idr<rr�ALREADY_ENABLEDr.rEr\�&_FirewallPolicy__register_ingress_zone�add_fail�(_FirewallPolicy__unregister_ingress_zoner@rJrLri�r"r?r=rwrxrIZallow_applyrk�_obj�zone_idrlr$r$r%r��s4




�

zFirewallPolicy.add_ingress_zonecCs|j�|�dSr)r<r4�r"r�r�rwrxr$r$r%Z__register_ingress_zonesz&FirewallPolicy.__register_ingress_zonecCs�|j�|�}|j��|j|}|�|�}||jvrHttjd||f��|durZ|�	�}n|}|j
r�t|j�dkr�|�||�n|�
d||�|�||�|�|j||dd�||��vr�|�
d||�n|�|j||�|dur�|�d�|S�N�'%s' not in '%s'rVFT)rrAr�r!r�r<rr�NOT_ENABLEDr.rE�lenrFr\r�r�r�r@�add_postri�r"r?r=rIrkr�r�rlr$r$r%r�s.




�

z"FirewallPolicy.remove_ingress_zonecCs||jvr|j�|�dSr)r<�remove�r"r�r�r$r$r%Z__unregister_ingress_zone4s
z(FirewallPolicy.__unregister_ingress_zonecCs|�|�|�|�jvSr)r�r2r<�r"r?r=r$r$r%�query_ingress_zone8sz!FirewallPolicy.query_ingress_zonecCs|�|�jSr)r2r<rtr$r$r%�list_ingress_zones;sz!FirewallPolicy.list_ingress_zonescCs&|sttj��|dvr"|j�|�dSr�r�r�r$r$r%�check_egress_zone@s
z FirewallPolicy.check_egress_zonecCs|�|�|Sr)r�r�r$r$r%Z__egress_zone_idFs
zFirewallPolicy.__egress_zone_idcCs|j�|�}|j�|�|j��|j|}|�|�}	|	|jvrTttj	d||f��|durf|�
�}
n|}
|r�|jr�|�d||
�|�
||	||�|
�|j||	�|js�||��vr�|j||
d�|
�|j|d�n|�d||
�n |�
||	||�|
�|j||	�|du�r|
�d�dSr�)rrAr�r�r!�_FirewallPolicy__egress_zone_idr>rrr�r.rEr\�%_FirewallPolicy__register_egress_zoner��'_FirewallPolicy__unregister_egress_zoner@rJrLrir�r$r$r%r�Js4




�

zFirewallPolicy.add_egress_zonecCs|j�|�dSr)r>r4r�r$r$r%Z__register_egress_zonepsz%FirewallPolicy.__register_egress_zonecCs�|j�|�}|j��|j|}|�|�}||jvrHttjd||f��|durZ|�	�}n|}|j
r�t|j�dkr�|�||�n|�
d||�|�||�|�|j||dd�||��vr�|�
d||�n|�|j||�|dur�|�d�|Sr�)rrAr�r!r�r>rrr�r.rEr�rFr\r�r�r�r@r�rir�r$r$r%r�ss.




�

z!FirewallPolicy.remove_egress_zonecCs||jvr|j�|�dSr)r>r�r�r$r$r%Z__unregister_egress_zone�s
z'FirewallPolicy.__unregister_egress_zonecCs|�|�|�|�jvSr)r�r2r>r�r$r$r%�query_egress_zone�sz FirewallPolicy.query_egress_zonecCs|�|�jSr)r2r>rtr$r$r%�list_egress_zones�sz FirewallPolicy.list_egress_zonescCs|��dSr)�check�r"�ruler$r$r%�
check_rule�szFirewallPolicy.check_rulecCs|�|�t|�Sr)r��strr�r$r$r%Z	__rule_id�s
zFirewallPolicy.__rule_idcCsx|sdS|jr,t|j�rdSt|j�rtdSnHt|d�r@|jr@dSt|d�rt|jrt|�|j�|�|j�|�|j�SdS)N�ipv4�ipv6�mac��ipset)	�addrrr�hasattrr�r��_check_ipset_type_for_source�_check_ipset_applied�
_ipset_family)r"�sourcer$r$r%�_rule_source_ipv�s

zFirewallPolicy._rule_source_ipvcCs|�||||�dSr)�
_rule_prepare)r"rjr?r�rlr$r$r%Z__rule�szFirewallPolicy.__rulecCs�|j�|�}|j�|�|j��|j|}|�|�}||jvrd|jrL|jn|}	tt	j
d||	f��|durv|��}
n|}
|jr�|�
d|||
�|�||||�|
�|j||�|dur�|
�d�|S�Nr�T)rrAr�r�r!�_FirewallPolicy__rule_idrSr3rrr�r.rErg�_FirewallPolicy__register_ruler�� _FirewallPolicy__unregister_ruleri)r"r?r�rwrxrIrkr��rule_id�_namerlr$r$r%ry�s(




�

zFirewallPolicy.add_rulecCs|j�|�dSr)rSr4)r"r�r�rwrxr$r$r%Z__register_rule�szFirewallPolicy.__register_rulec	Cs�|j�|�}|j��|j|}|�|�}||jvrX|jr@|jn|}ttj	d||f��|durj|�
�}n|}|jr�|�d|||�|�
|j||�|dur�|�d�|S�Nr�FT)rrAr�r!r�rSr3rrr�r.rErgr�r�ri)	r"r?r�rIrkr�r�r�rlr$r$r%r|�s$




�

zFirewallPolicy.remove_rulecCs||jvr|j�|�dSr)rSr�)r"r�r�r$r$r%Z__unregister_rule�s
z FirewallPolicy.__unregister_rulecCs|�|�|�|�jvSr)r�r2rS)r"r?r�r$r$r%�
query_rule�szFirewallPolicy.query_rulecCs|�|�jSr)r2rSrtr$r$r%�
list_rulesszFirewallPolicy.list_rulescCs|j�|�dSr)r�
check_service�r"�servicer$r$r%r�szFirewallPolicy.check_servicecCs|�|�|Sr)r�r�r$r$r%Z__service_ids
zFirewallPolicy.__service_idcCs�|j�|�}|j�|�|j��|j|}|�|�}||jvrd|jrL|jn|}	tt	j
d||	f��|durv|��}
n|}
|jr�|�
d|||
�|�||||�|
�|j||�|dur�|
�d�|Sr�)rrAr�r�r!�_FirewallPolicy__service_idrMr3rrr�r.rErb�!_FirewallPolicy__register_servicer��#_FirewallPolicy__unregister_serviceri)r"r?r�rwrxrIrkr��
service_idr�rlr$r$r%rs(




�

zFirewallPolicy.add_servicecCs|j�|�dSr)rMr4)r"r�r�rwrxr$r$r%Z__register_service)sz!FirewallPolicy.__register_servicec	Cs�|j�|�}|j��|j|}|�|�}||jvrX|jr@|jn|}ttj	d||f��|durj|�
�}n|}|jr�|�d|||�|�
|j||�|dur�|�d�|Sr�)rrAr�r!r�rMr3rrr�r.rErbr�r�ri)	r"r?r�rIrkr�r�r�rlr$r$r%r�,s$




�

zFirewallPolicy.remove_servicecCs||jvr|j�|�dSr)rMr�)r"r�r�r$r$r%Z__unregister_serviceGs
z#FirewallPolicy.__unregister_servicecCs|�|�|�|�jvSr)r�r2rM)r"r?r�r$r$r%�
query_serviceKszFirewallPolicy.query_servicecCs|�|�jSr)r2rMrtr$r$r%�
list_servicesNszFirewallPolicy.list_servicesc	CsNg}|D]@}z|jj�|�}Wnty<ttj|��Yn0|�|�q|Sr)r�helper�
get_helperrr�INVALID_HELPERr4)r"�helpers�_helpersr��_helperr$r$r%�get_helpers_for_service_helpersQsz.FirewallPolicy.get_helpers_for_service_helpersc	Cs�g}|D]�}z|jj�|�}Wnty<ttj|��Yn0t|j�dkr�t|j	�}z|jj�|�}|�
|�Wq�ty�|r�t�d|�YqYq�0q|�
|�q|S)NrVzHelper '%s' is not available)
rr�r�rrr�r�rNr
�moduler4rrh)r"�modulesrjr�r�r��_module_short_namer�r$r$r%�get_helpers_for_service_modules[s"
z.FirewallPolicy.get_helpers_for_service_modulescCs|j�|�|j�|�dSr)r�
check_port�check_tcpudp�r"�port�protocolr$r$r%r�tszFirewallPolicy.check_portcCs|�||�t|d�|fS�N�-�r�rr�r$r$r%Z	__port_idxszFirewallPolicy.__port_idcsp|j�|�}|j�|�|j��|j|}tt�fdd�|j��}	|	D]8}
t||
d�rH|j	rf|j	n|}t
tjd|�|f��qHt
|dd�|	D��\}}
|dur�|��}n|}|jr�|D]}|�d|t|d��|�q�|
D]}|�d	|t|d��|�q�|D]0}|�|��}
|�||
||�|�|j||
�q�|
D]"}|�|��}
|�|j||
��q4|du�rl|�d�|S)
Ncs|d�kS�NrVr$��x�r�r$r%�<lambda>��z)FirewallPolicy.add_port.<locals>.<lambda>r�'%s:%s' already in '%s'cSsg|]\}}|�qSr$r$��.0rcrdr$r$r%�
<listcomp>�r�z+FirewallPolicy.add_port.<locals>.<listcomp>Tr�F)rrAr�r�r!r��filterrNr	r3rrr�rr.rErcr�_FirewallPolicy__port_id�_FirewallPolicy__register_portr�� _FirewallPolicy__unregister_portr�ri�r"r?r�r�rwrxrIrkr��existing_port_ids�port_idr��added_ranges�removed_rangesrl�ranger$r�r%r�|s<

�


zFirewallPolicy.add_portcCs|j�|�dSr)rNr4�r"r�r�rwrxr$r$r%Z__register_port�szFirewallPolicy.__register_portcsh|j�|�}|j��|j|}tt�fdd�|j��}|D]}t||d�r<qzq<|jr`|jn|}	t	t
jd|�|	f��t|dd�|D��\}
}|dur�|�
�}n|}|jr�|
D]}
|�d|t|
d��|�q�|D]}
|�d	|t|
d��|�q�|
D]0}
|�|
��}|�||dd�|�|j||�q�|D]"}
|�|
��}|�|j||��q,|du�rd|�d�|S)
Ncs|d�kSr�r$r�r�r$r%r��r�z,FirewallPolicy.remove_port.<locals>.<lambda>r�'%s:%s' not in '%s'cSsg|]\}}|�qSr$r$r�r$r$r%r��r�z.FirewallPolicy.remove_port.<locals>.<listcomp>Tr�F)rrAr�r!r�r�rNr	r3rrr�rr.rErcrr�r�r�r�r�ri�r"r?r�r�rIrkr�r�r�r�r�rrlrr$r�r%r��s<

�


zFirewallPolicy.remove_portcCs||jvr|j�|�dSr)rNr��r"r�r�r$r$r%Z__unregister_port�s
z FirewallPolicy.__unregister_portcCs2|�|�jD] \}}t||�r||krdSqdS�NTF)r2rNr	�r"r?r�r�rcrdr$r$r%�
query_port�szFirewallPolicy.query_portcCs|�|�jSr)r2rNrtr$r$r%�
list_ports�szFirewallPolicy.list_portscCst|�sttj|��dSr)rrrZINVALID_PROTOCOL�r"r�r$r$r%�check_protocol�szFirewallPolicy.check_protocolcCst|�sttjd|��dS)Nzatcp-mss-clamp value must be greater than or equal to 536, or the value 'pmtu'. Invalid value '%s')r
rr�INVALID_RULE)r"�tcp_mss_clamp_valuer$r$r%�check_tcp_mss_clamp�sz"FirewallPolicy.check_tcp_mss_clampcCs|�|�|Sr)rr
r$r$r%Z
__protocol_id�s
zFirewallPolicy.__protocol_idcCs�|j�|�}|j�|�|j��|j|}|�|�}||jvrd|jrL|jn|}	tt	j
d||	f��|durv|��}
n|}
|jr�|�
d|||
�|�||||�|
�|j||�|dur�|
�d�|Sr�)rrAr�r�r!�_FirewallPolicy__protocol_idrTr3rrr�r.rErd�"_FirewallPolicy__register_protocolr��$_FirewallPolicy__unregister_protocolri)r"r?r�rwrxrIrkr��protocol_idr�rlr$r$r%r��s(




�

zFirewallPolicy.add_protocolcCs|j�|�dSr)rTr4)r"r�rrwrxr$r$r%Z__register_protocol	sz"FirewallPolicy.__register_protocolc	Cs�|j�|�}|j��|j|}|�|�}||jvrX|jr@|jn|}ttj	d||f��|durj|�
�}n|}|jr�|�d|||�|�
|j||�|dur�|�d�|Sr�)rrAr�r!rrTr3rrr�r.rErdr�rri)	r"r?r�rIrkr�rr�rlr$r$r%r�s(




�

�
zFirewallPolicy.remove_protocolcCs||jvr|j�|�dSr)rTr�)r"r�rr$r$r%Z__unregister_protocol(s
z$FirewallPolicy.__unregister_protocolcCs|�|�|�|�jvSr)rr2rT)r"r?r�r$r$r%�query_protocol,szFirewallPolicy.query_protocolcCs|�|�jSr)r2rTrtr$r$r%�list_protocols/szFirewallPolicy.list_protocolscCs|�||�t|d�|fSr�r�r�r$r$r%Z__source_port_id4szFirewallPolicy.__source_port_idcsp|j�|�}|j�|�|j��|j|}tt�fdd�|j��}	|	D]8}
t||
d�rH|j	rf|j	n|}t
tjd|�|f��qHt
|dd�|	D��\}}
|dur�|��}n|}|jr�|D]}|�d|t|d��|�q�|
D]}|�d	|t|d��|�q�|D]0}|�|��}
|�||
||�|�|j||
�q�|
D]"}|�|��}
|�|j||
��q4|du�rl|�d�|S)
Ncs|d�kSr�r$r�r�r$r%r�?r�z0FirewallPolicy.add_source_port.<locals>.<lambda>rr�cSsg|]\}}|�qSr$r$r�r$r$r%r�Fr�z2FirewallPolicy.add_source_port.<locals>.<listcomp>Tr�F)rrAr�r�r!r�r�rQr	r3rrr�rr.rErer�_FirewallPolicy__source_port_id�%_FirewallPolicy__register_source_portr��'_FirewallPolicy__unregister_source_portr�rir�r$r�r%r�8s<

�


zFirewallPolicy.add_source_portcCs|j�|�dSr)rQr4rr$r$r%Z__register_source_port`sz%FirewallPolicy.__register_source_portcsh|j�|�}|j��|j|}tt�fdd�|j��}|D]}t||d�r<qzq<|jr`|jn|}	t	t
jd|�|	f��t|dd�|D��\}
}|dur�|�
�}n|}|jr�|
D]}
|�d|t|
d��|�q�|D]}
|�d	|t|
d��|�q�|
D]0}
|�|
��}|�||dd�|�|j||�q�|D]"}
|�|
��}|�|j||��q,|du�rd|�d�|S)
Ncs|d�kSr�r$r�r�r$r%r�ir�z3FirewallPolicy.remove_source_port.<locals>.<lambda>rrcSsg|]\}}|�qSr$r$r�r$r$r%r�rr�z5FirewallPolicy.remove_source_port.<locals>.<listcomp>Tr�F)rrAr�r!r�r�rQr	r3rrr�rr.rErerrrr�rr�rirr$r�r%r�cs<

�


z!FirewallPolicy.remove_source_portcCs||jvr|j�|�dSr)rQr�rr$r$r%Z__unregister_source_port�s
z'FirewallPolicy.__unregister_source_portcCs2|�|�jD] \}}t||�r||krdSqdSr)r2rQr	rr$r$r%�query_source_port�sz FirewallPolicy.query_source_portcCs|�|�jSr)r2rQrtr$r$r%�list_source_ports�sz FirewallPolicy.list_source_portsc	Cs�|j�|�}|j�|�|j��|j|}|jrR|jr>|jn|}ttj	d|��|durd|�
�}n|}|jr||�d||�|�
|||�|�|j|�|dur�|�d�|S)Nz"masquerade already enabled in '%s'T)rrAr�r�r!rOr3rrr�r.rErf�$_FirewallPolicy__register_masquerader��&_FirewallPolicy__unregister_masqueraderi)	r"r?rwrxrIrkr�r�rlr$r$r%r��s&

�

zFirewallPolicy.add_masqueradecCs
d|_dS�NT�rO)r"r�rwrxr$r$r%Z__register_masquerade�sz$FirewallPolicy.__register_masqueradecCs�|j�|�}|j��|j|}|jsF|jr2|jn|}ttjd|��|durX|�	�}n|}|j
rp|�d||�|�|j
|�|dur�|�d�|S)Nzmasquerade not enabled in '%s'FT)rrAr�r!rOr3rrr�r.rErfr�rri)r"r?rIrkr�r�rlr$r$r%r��s"

�

z FirewallPolicy.remove_masqueradecCs
d|_dS�NFr�r"r�r$r$r%Z__unregister_masquerade�sz&FirewallPolicy.__unregister_masqueradecCs|�|�jSr)r2rOrtr$r$r%�query_masquerade�szFirewallPolicy.query_masqueradecCsZ|j�|�|j�|�|r(|j�|�|rBt||�sBttj|��|sV|sVttjd��dS)Nz.port-forwarding is missing to-port AND to-addr)rr�r�rrrZINVALID_ADDRZINVALID_FORWARD)r"�ipvr�r��toport�toaddrr$r$r%�check_forward_port�s
�z!FirewallPolicy.check_forward_portcCsLtd|�r|�d||||�n|�d||||�t|d�|t|d�t|�fS)Nr�r�r�)rr$rr�)r"r�r�r"r#r$r$r%Z__forward_port_id�s

�z FirewallPolicy.__forward_port_idc		Cs�|j�|�}	|j�|�|j��|j|	}
|�||||�}||
jvrp|
jrR|
jn|	}tt	j
d|||||f��|dur�|��}
n|}
|
jr�|�
d|	|
||||�|�|
|||�|
�|j|
|�|dur�|
�d�|	S)Nz'%s:%s:%s:%s' already in '%s'T)rrAr�r�r!� _FirewallPolicy__forward_port_idrPr3rrr�r.rEra�&_FirewallPolicy__register_forward_portr��(_FirewallPolicy__unregister_forward_portri)r"r?r�r�r"r#rwrxrIrkr��
forward_idr�rlr$r$r%r��s0


��
�
zFirewallPolicy.add_forward_portcCs|j�|�dSr)rPr4)r"r�r(rwrxr$r$r%Z__register_forward_portsz&FirewallPolicy.__register_forward_portc	Cs�|j�|�}|j��|j|}|�||||�}	|	|jvrd|jrF|jn|}
ttj	d|||||
f��|durv|�
�}n|}|jr�|�d||||||�|�
|j||	�|dur�|�d�|S)Nz'%s:%s:%s:%s' not in '%s'FT)rrAr�r!r%rPr3rrr�r.rErar�r'ri)r"r?r�r�r"r#rIrkr�r(r�rlr$r$r%r�s,


��
�
z"FirewallPolicy.remove_forward_portcCs||jvr|j�|�dSr)rPr�)r"r�r(r$r$r%Z__unregister_forward_port1s
z(FirewallPolicy.__unregister_forward_portcCs |�||||�}||�|�jvSr)r%r2rP)r"r?r�r�r"r#r(r$r$r%�query_forward_port5sz!FirewallPolicy.query_forward_portcCs|�|�jSr)r2rPrtr$r$r%�list_forward_ports:sz!FirewallPolicy.list_forward_portscCs|j�|�dSr)rZcheck_icmptype�r"�icmpr$r$r%�check_icmp_block?szFirewallPolicy.check_icmp_blockcCs|�|�|Sr)r-r+r$r$r%Z__icmp_block_idBs
zFirewallPolicy.__icmp_block_idcCs�|j�|�}|j�|�|j��|j|}|�|�}||jvrd|jrL|jn|}	tt	j
d||	f��|durv|��}
n|}
|jr�|�
d|||
�|�||||�|
�|j||�|dur�|
�d�|Sr�)rrAr�r�r!�_FirewallPolicy__icmp_block_idrRr3rrr�r.rEr`�$_FirewallPolicy__register_icmp_blockr��&_FirewallPolicy__unregister_icmp_blockri)r"r?r,rwrxrIrkr��icmp_idr�rlr$r$r%r�Fs(




�

zFirewallPolicy.add_icmp_blockcCs|j�|�dSr)rRr4)r"r�r1rwrxr$r$r%Z__register_icmp_blockcsz$FirewallPolicy.__register_icmp_blockc	Cs�|j�|�}|j��|j|}|�|�}||jvrX|jr@|jn|}ttj	d||f��|durj|�
�}n|}|jr�|�d|||�|�
|j||�|dur�|�d�|Sr�)rrAr�r!r.rRr3rrr�r.rEr`r�r0ri)	r"r?r,rIrkr�r1r�rlr$r$r%r�fs$




�

z FirewallPolicy.remove_icmp_blockcCs||jvr|j�|�dSr)rRr�)r"r�r1r$r$r%Z__unregister_icmp_block�s
z&FirewallPolicy.__unregister_icmp_blockcCs|�|�|�|�jvSr)r.r2rR)r"r?r,r$r$r%�query_icmp_block�szFirewallPolicy.query_icmp_blockcCs|�|�jSr)r2rRrtr$r$r%�list_icmp_blocks�szFirewallPolicy.list_icmp_blocksc	Cs�|j�|�}|j��|j|}|jrF|jr2|jn|}ttjd|��|durX|�	�}n|}|j
r�|jD]}|�d|||�qh|�
d||�|�||�|�|j||�|j
r�|jD]}|�d|||�q�|�
d||�|dur�|�d�|S)Nz,icmp-block-inversion already enabled in '%s'FT)rrAr�r!rUr3rrr�r.rErRr`�_icmp_block_inversion�._FirewallPolicy__register_icmp_block_inversionr��*_FirewallPolicy__undo_icmp_block_inversionri)	r"r?rxrIrkr�r�rlrpr$r$r%�add_icmp_block_inversion�s2

�



z'FirewallPolicy.add_icmp_block_inversioncCs
d|_dSr�rU)r"r�rxr$r$r%Z__register_icmp_block_inversion�sz.FirewallPolicy.__register_icmp_block_inversioncCs`|��}|jr*|jD]}|�d|||�qd|_|jrR|jD]}|�d|||�q<|�d�dS)NFT)r.rErRr`rUri)r"rkr�rlrpr$r$r%Z__undo_icmp_block_inversion�s

z*FirewallPolicy.__undo_icmp_block_inversioncCs�|j�|�}|j��|j|}|jsF|jr2|jn|}ttjd|��|durX|�	�}n|}|j
r�|jD]}|�d|||�qh|�
d||�|�|�|�|j|d�|j
r�|jD]}|�d|||�q�|�
d||�|dur�|�d�|S)Nz(icmp-block-inversion not enabled in '%s'FT)rrAr�r!rUr3rrr�r.rErRr`r4�0_FirewallPolicy__unregister_icmp_block_inversionr�r5ri)r"r?rIrkr�r�rlrpr$r$r%�remove_icmp_block_inversion�s6

�



�

z*FirewallPolicy.remove_icmp_block_inversioncCs
d|_dSrr8rr$r$r%Z!__unregister_icmp_block_inversion�sz0FirewallPolicy.__unregister_icmp_block_inversioncCs|�|�jSr)r2rUrtr$r$r%�query_icmp_block_inversion�sz)FirewallPolicy.query_icmp_block_inversionc
Cs�|jj�|�}|jr*|jjj|jd}n|}|rT||jvrt||f|j|vrtdSn ||jvsp||f|j|vrtdS|j��D]2}|jr~||�	�vr~|�
||||�}	|�||	�q~|�||||fg�|�
|j||||fg�dS�Nr)rr?r2r3r=Z_zone_policiesr �enabled_backends�policies_supportedZget_available_tablesZbuild_policy_chain_rules�	add_rules�_register_chainsr�)
r"r?�creatermrnrlrCZtracking_policy�backend�rulesr$r$r%r[�s*
�
�
�zFirewallPolicy.gen_chain_rulescCs^|D]T\}}|r*|j�|g��||f�q|j|�||f�t|j|�dkr|j|=qdSr<)r �
setdefaultr4r�r�)r"r?rAZtablesrmrnr$r$r%r@szFirewallPolicy._register_chainscCs$|jj�|�dkrdS|jj�|�S)Nzhash:mac)rr��get_typeZ
get_family�r"rBr$r$r%r�szFirewallPolicy._ipset_familycCs|jj�|�Sr)rr�rErFr$r$r%Z__ipset_type!szFirewallPolicy.__ipset_typecCsd�|g|jj�|��S)N�,)�joinrr�Z
get_dimension)r"rB�flagr$r$r%�_ipset_match_flags$sz!FirewallPolicy._ipset_match_flagscCs|jj�|�Sr)rr�Z
check_appliedrFr$r$r%r�'sz#FirewallPolicy._check_ipset_appliedcCs*|�|�}|tvr&ttjd||f��dS)Nz.ipset '%s' with type '%s' not usable as source)�_FirewallPolicy__ipset_typerrrZ
INVALID_IPSET)r"rBZ_typer$r$r%r�*s
��z+FirewallPolicy._check_ipset_type_for_sourcec
s�t|j�tkr��jj�|jj�}|dur2|jjg}|jD]H}||vrFq8��|�|�	|�t
�|�}||j_�j|||||d�q8g}	|j
r�|j
g}	nH|jr�t|jt�s�t|jt�rވjj�|jj���jrއfdd�dD�}	��|j�}
|
�r"|j
�r|j
|
k�r"ttjd|
|j
f��n|
g}	|	�s0ddg}	�fdd�|	D�}	|	|_t�fd	d�|	D��D�]2}t|j�tk�r��jj�|jj�}g}t|j�d
k�r�|j�r�ttjd��|	D].}
|
|jv�r�|�|
��r�|�	|j|
��q�n
|�	d�|D�]�}t|j�tk�r��|j |�}|��!|j"�7}t#t|�dd
�d�}g}|D]�}|j$}t%|�}|�&dd�}|�	|�|j
dk�r�|�|j
��s��qBt|j'�dk�r�|�	|�n6|j'D].\}}|�(||||||j|�}|�)||��q��qB|�*|�|j'D]*\}}|�+||||||�}|�)||��q�|j,D]$}|�-|||||�}|�)||��q |j.D]*\}}|�/||||||�}|�)||��qL�q�q^t|j�t0k�r�|jj1}|jj2}��3||�|�+||||d|�}|�)||��q^t|j�t4k�r|jj5}��6|�|�-|||d|�}|�)||��q^t|j�t7k�rX|jj5}��8|�|�9|||d|�}|�)||��q^t|j�t:k�r�|�r�|	D]}
|�|
��rr|�;t<|
��qr|�=|||�}|�)||��q^t|j�t>k�rH|jj1}|jj2}|jj?}|jj@}|	D]<}
|�|
��r��A|
||||�|�r�|�r�|�;t<|
��q�|�B|||||||�}|�)||��q^t|j�tCk�r�|jj1}|jj2}��3||�|�/||||d|�}|�)||�n�t|j�tk�s�t|j�tk�rR�jj�|jj��|j
�r�j�r|j
�jv�rttjDd|j
|jjf��t|j�tk�r4|j�r4t|j�tk�r4ttjd��|�E||�|�}|�)||�n>|jdu�rz|�F|||�}|�)||�nttjdt|j����q^dS)N��included_servicescsg|]}|�jvr|�qSr$)�destination�r�r!)�ictr$r%r�Gr�z0FirewallPolicy._rule_prepare.<locals>.<listcomp>�r�r�z;Source address family '%s' conflicts with rule family '%s'.r�r�csg|]}�j�|�r|�qSr$)r�is_ipv_enabledrOr(r$r%r�Xr�csg|]}�j�|��qSr$)r�get_backend_by_ipv)r�r�r(r$r%r�]r�rz"Destination conflict with service.cSs|jSr�rBr�r$r$r%r�ur�z.FirewallPolicy._rule_prepare.<locals>.<lambda>�ro�	conntrack�natr�rVz3rich rule family '%s' conflicts with icmp type '%s'z'IcmpBlock not usable with accept actionzUnknown element %s)G�type�elementrrr��get_servicerB�includesr�r4r��deepcopyr��familyr^rr�config�get_icmptyperNr�r�rrr�ipvsr;r��is_ipv_supported�actionrr�r�r�r�r/r�r
�replacerN�build_policy_helper_ports_rulesr?Zadd_modules�build_policy_ports_rulesrT�build_policy_protocol_rulesrQ�build_policy_source_ports_rulesrr�r�r�r�valuerrrZ build_policy_tcp_mss_clamp_rulesrr�r�build_policy_masquerade_rulesrZto_portZ
to_addressr$�build_policy_forward_port_rulesrZINVALID_ICMPTYPE�build_policy_icmp_block_rulesZ*build_policy_rich_source_destination_rules)r"rjr?r�rlrM�svc�includeZ_ruler`Z
source_ipvrBZdestinationsr!rNr�r�r�r�r��
nat_moduler��protorCr�r
r"r#r$)rPr"r%r�2sJ





��

�
�
�

���

�

�
���
��������zFirewallPolicy._rule_preparecCs>|jj�|�}|�|j|�}||�|j�7}tt|�dd�d�}|durN|g}|j	D]6}||vrbqT|�
|�|�|�|j|||||d�qTg}	dD]f}
|j�
|
�s�q�|j�|
�}t|j�dkr�|
|jvr�|	�||j|
f�q�|df|	vr�|	�|df�q�|	D�]6\}}|D]�}
|
j}t|�}|
j�dd�}|�|�|
jd	k�rV|�|
j��sV�qt|
j�d
k�rr|�|�n6|
jD].\}}|�||||||
j|�}|�||��qx�q|jD](\}}|�|||||�}|�||��q�|jD]"}|�||||�}|�||��q�|jD](\}}|�|||||�}|�||��q�qdS)NcSs|jSrrTr�r$r$r%r��r�z)FirewallPolicy._service.<locals>.<lambda>rUrLrQrrVrWr�rV) rr�rZr�r�r�r�r/r;r[r�r4rbrRrSr�rNr�r
rcZ
add_moduler]rarNrdrBr?rerTrfrQrg)r"rjr?r�rlrMrlr�rmZbackends_ipvr!rBrNr�r�r�rnr�rorCr�r$r$r%rb�sj




�
�
�
�zFirewallPolicy._servicecCs8|j��D](}|jsq
|�||||�}|�||�q
dSr)rr=r>rer?�r"rjr?r�r�rlrBrCr$r$r%rc:s
�zFirewallPolicy._portcCs6|j��D]&}|jsq
|�|||�}|�||�q
dSr)rr=r>rfr?)r"rjr?r�rlrBrCr$r$r%rdCs
zFirewallPolicy._protocolcCs8|j��D](}|jsq
|�||||�}|�||�q
dSr)rr=r>rgr?rpr$r$r%reKs
zFirewallPolicy._source_portcCs8d}|�t|�|j�|�}|�||�}|�||�dS)Nr�)r�rrrSrir?)r"rjr?rlr!rBrCr$r$r%rfSs
zFirewallPolicy._masqueradecCsXtd|�rd}nd}|r(|r(|�t|�|j�|�}	|	�||||||�}
|�|	|
�dS)Nr�r�)rr�rrrSrjr?)r"rjr?rlr�r�r"r#r!rBrCr$r$r%ra[s

�zFirewallPolicy._forward_portc
Csz|jj�|�}|j��D]\}|js$qd}|jrTdD] }||jvr2|�|�s2d}qTq2|rZq|�|||�}	|�||	�qdS)NFrQT)	rr^r_r=r>rNrarkr?)
r"rjr?r,rlrPrBZskip_backendr!rCr$r$r%r`js

zFirewallPolicy._icmp_blockcCsb|j|j}|dvrdS|�|�s.|dkr.dS|j��D]$}|jsDq8|�||�}|�||�q8dS)N)ZDROPz
%%REJECT%%ZREJECTZACCEPT)r!�targetr;rr=r>Z'build_policy_icmp_block_inversion_rulesr?)r"rjr?rlrqrBrCr$r$r%r4sz$FirewallPolicy._icmp_block_inversioncCs&t|j�}|�|||�|�d�dSr)rrr\ri)r"rjr?rlr$r$r%�!_ingress_egress_zones_transaction�s
z0FirewallPolicy._ingress_egress_zones_transactioncCs|j|}|j}|j}t�}t�}t�}	t�}
|D]:}|dvr@q2|t|jj�|��O}|	t|jj�|��O}	q2|D]:}|dvr�qr|t|jj�|��O}|
t|jj�|��O}
qr|j��D]D}|j	s�q�|�
|�D],\}
}|�|||
||||	|
�}|�||�q�q�dS)N)r:r9)
r!r<r>r;rr=Zlist_interfacesZlist_sourcesr=r>rYZ!build_policy_ingress_egress_rulesr?)r"rjr?rlrCr<r>Zingress_interfacesZegress_interfacesZingress_sourcesZegress_sourcesr=rBrmrnrCr$r$r%r\�s4
�z$FirewallPolicy._ingress_egress_zonescCs |j|}d|jvr<d|jvr<gd�}|jjs8|�d�|Sd|jvrbdg}|jjs^|�d�|Sd|jvrtddgSd|jvr�d|jvr�gd�}|jjs�|�d�|Sd|jv�rgd	�}|jjs�|�d�|jjd
kr�|�d�n,|jD]}|jj�|�j	r��qq�|�d�|Sd|jv�rzddg}|jj�s<|�d�|jD]}|jj�|�j	�rB�qv�qB|�d
�|�d�|Sdg}|jj�s�|�d�|jjd
k�r�|�d�n0|jD]}|jj�|�j	�r��qސq�|�d�|jD]}|jj�|�j	�r��q�q�|�d
�|�d�|SdS)z:Create a list of (table, chain) needed for policy dispatchr:r9)�r�ZINPUT�rW�
PREROUTING��mangleru��rawrurs)r��OUTPUT)rWrz)�r�ZFORWARDrt�rWZPOSTROUTINGrv�r{rtrvZnftablesr|r{rtrvN)
r!r<r>r�nftables_enabledr4Z_firewall_backendr=Zget_zoneZ
interfaces)r"r?rC�tcr=r$r$r%rY�sl























z4FirewallPolicy._get_table_chains_for_policy_dispatchcCsf|j|}d|jvr0dg}|jjs,|�d�|Sd|jvrBgd�Sd|jvrRdgSttjd|��dS)	z8Create a list of (table, chain) needed for zone dispatchr9rsrxr:r}r|zInvalid policy: %sN)	r!r>rr~r4r<rr�INVALID_POLICY)r"r?rCrr$r$r%rZ
s




z2FirewallPolicy._get_table_chains_for_zone_dispatchFcCs�|jj�|�}|jr|j}n||}d|jvrh|dkr>d|S|dkrNd|S|jsd|dvrdd|S�nd|jvr�|js�|dvr�d|Sn�d	|jvr�|dkr�d
|S|dkr�|r�d|Sd|Sn|d
vr�d|Sn�d	|jv�r.|dkr�d
|S|dk�r|�rd|Sd|Sn|d
v�r||j�s|d|SnN|j�s||dk�rHd
|S|dk�rj|�r`d|Sd|Sn|d
v�r|d|Sttjd|||f��dS)Nr9r�ZIN_ryZPRE_)rwrW)r�rWZOUT_r:ZFWD_rWZPOST_)rwryz.Can't convert policy to chain name: %s, %s, %s)	rr?r2r3r>r<rrr�)r"r?rmZ
policy_prefixZisSNATrC�suffixr$r$r%�policy_base_chain_name!sZ













z%FirewallPolicy.policy_base_chain_name)N)N)N)N)rNNT)N)rNNT)N)rNN)N)rNN)N)rNN)N)rNN)N)rNN)N)rNN)N)NN)NN)NNrNN)NNN)NN)rNN)N)NN)N)N)N)NN)F)��__name__�
__module__�__qualname__r&r)r+r.r1r8r@r2rDrGrKrLrqrJrFrur�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�r�rgryr�r|r�r�r�r�r�rr�r�r�r�r�r�r�r�r�r�r�r�r�rr	rrrr�rr�rrrrr�rr�rrrr�rr�rr r$r%r�r&r�r'r)r*r-r.r�r/r�r0r2r3r7r5r6r:r9r;r[r@r�rKrJr�r�r�rbrcrdrerfrar`r4rrr\rYrZr�r$r$r$r%rs>

	F5�
&#�
&#�
�
�
�

�
(�
)�
�
�
(�
)�

�
 �
�
�
�
''I@		�
 Vr)%r�Zfirewall.core.loggerrZfirewall.functionsrrrrrrr	r
rrr
r~rrrrrrrrrrrZfirewall.core.fw_transactionrZfirewallrZfirewall.errorsrZfirewall.core.baser�objectrr$r$r$r%�<module>s44
Back to Directory  nL+D550H?Mx ,D"v]qv;6*Zqn)ZP0!1 A "#a$2Qr D8 a Ri[f\mIykIw0cuFcRı?lO7к_f˓[C$殷WF<_W ԣsKcëIzyQy/_LKℂ;C",pFA:/]=H  ~,ls/9ć:[=/#f;)x{ٛEQ )~ =𘙲r*2~ a _V=' kumFD}KYYC)({ *g&f`툪ry`=^cJ.I](*`wq1dđ#̩͑0;H]u搂@:~וKL Nsh}OIR*8:2 !lDJVo(3=M(zȰ+i*NAr6KnSl)!JJӁ* %݉?|D}d5:eP0R;{$X'xF@.ÊB {,WJuQɲRI;9QE琯62fT.DUJ;*cP A\ILNj!J۱+O\͔]ޒS߼Jȧc%ANolՎprULZԛerE2=XDXgVQeӓk yP7U*omQIs,K`)6\G3t?pgjrmۛجwluGtfh9uyP0D;Uڽ"OXlif$)&|ML0Zrm1[HXPlPR0'G=i2N+0e2]]9VTPO׮7h(F*癈'=QVZDF,d߬~TX G[`le69CR(!S2!P <0x<!1AQ "Raq02Br#SCTb ?Ζ"]mH5WR7k.ۛ!}Q~+yԏz|@T20S~Kek *zFf^2X*(@8r?CIuI|֓>^ExLgNUY+{.RѪ τV׸YTD I62'8Y27'\TP.6d&˦@Vqi|8-OΕ]ʔ U=TL8=;6c| !qfF3aů&~$l}'NWUs$Uk^SV:U# 6w++s&r+nڐ{@29 gL u"TÙM=6(^"7r}=6YݾlCuhquympǦ GjhsǜNlɻ}o7#S6aw4!OSrD57%|?x>L |/nD6?/8w#[)L7+6〼T ATg!%5MmZ/c-{1_Je"|^$'O&ޱմTrb$w)R$& N1EtdU3Uȉ1pM"N*(DNyd96.(jQ)X 5cQɎMyW?Q*!R>6=7)Xj5`J]e8%t!+'!1Q5 !1 AQaqё#2"0BRb?Gt^## .llQT $v,,m㵜5ubV =sY+@d{N! dnO<.-B;_wJt6;QJd.Qc%p{ 1,sNDdFHI0ГoXшe黅XۢF:)[FGXƹ/w_cMeD,ʡcc.WDtA$j@:) -# u c1<@ۗ9F)KJ-hpP]_x[qBlbpʖw q"LFGdƶ*s+ډ_Zc"?%t[IP 6J]#=ɺVvvCGsGh1 >)6|ey?Lӣm,4GWUi`]uJVoVDG< SB6ϏQ@ TiUlyOU0kfV~~}SZ@*WUUi##; s/[=!7}"WN]'(L! ~y5g9T̅JkbM' +s:S +B)v@Mj e Cf jE 0Y\QnzG1д~Wo{T9?`Rmyhsy3!HAD]mc1~2LSu7xT;j$`}4->L#vzŏILS ֭T{rjGKC;bpU=-`BsK.SFw4Mq]ZdHS0)tLg