Mini Shell

Directory : /usr/lib/python2.7/site-packages/salt/modules/
Current File : //usr/lib/python2.7/site-packages/salt/modules/iptables.pyo

Support for iptables

Configuration Options
---------------------

The following options can be set in the minion config, grains, pillar, or
master config. The configuration is read using :py:func:`config.get
<salt.modules.config.get>`.

- ``iptables.save_filters``: List of REGEX strings to FILTER OUT matching lines

  This is useful for filtering out chains, rules, etc that you do not wish to
  persist, such as ephemeral Docker rules.

  The default is to not filter out anything.

  .. code-block:: yaml

      iptables.save_filters:
        - "-j CATTLE_PREROUTING"
        - "-j DOCKER"
        - "-A POSTROUTING"
        - "-A CATTLE_POSTROUTING"
        - "-A FORWARD"
    Only load the module if iptables is installed
    Return correct command based on the family, e.g. ipv4 or ipv6
    Return truth of whether iptables has `option`.  For example:

    .. code-block:: python

        _has_option('--wait')
        _has_option('--check', family='ipv6')
    Some distros have a specific location for config files
    Return array of strings from `save_filters` in config.

    This array will be pulled from minion config, minion grains,
    minion pillar, or master config.  The default value returned is [].

    .. code-block:: python

        _conf_save_filters()
    Return string with `save_filter` regex entries removed.  For example:

    If `filters` is not provided, it will be pulled from minion config,
    minion grains, minion pillar, or master config. Default return value
    if no filters found is the original cmd_output string.

    .. code-block:: python

        _regex_iptables_save(cmd_output, ['-A DOCKER*'])
    Return version from iptables --version

    CLI Example:

    .. code-block:: bash

        salt '*' iptables.version

        IPv6:
        salt '*' iptables.version family=ipv6
    Build a well-formatted iptables rule based on kwargs. A `table` and `chain`
    are not required, unless `full` is True.

    If `full` is `True`, then `table`, `chain` and `command` are required.
    `command` may be specified as either a short option ('I') or a long option
    (`--insert`). This will return the iptables command, exactly as it would
    be used from the command line.

    If a position is required (as with `-I` or `-D`), it may be specified as
    `position`. This will only be useful if `full` is True.

    If `state` is passed, it will be ignored, use `connstate`.
    If `connstate` is passed in, it will automatically be changed to `state`.

    To pass in jump options that don't take arguments, pass in an empty
    string.

    .. note::

        Whereas iptables will accept ``-p``, ``--proto[c[o[l]]]`` as synonyms
        of ``--protocol``, if ``--proto`` appears in an iptables command after
        the appearance of ``-m policy``, it is interpreted as the ``--proto``
        option of the policy extension (see the iptables-extensions(8) man
        page).

    CLI Examples:

    .. code-block:: bash

        salt '*' iptables.build_rule match=state \
            connstate=RELATED,ESTABLISHED jump=ACCEPT

        salt '*' iptables.build_rule filter INPUT command=I position=3 \
            full=True match=state connstate=RELATED,ESTABLISHED jump=ACCEPT

        salt '*' iptables.build_rule filter INPUT command=A \
            full=True match=state connstate=RELATED,ESTABLISHED \
            source='127.0.0.1' jump=ACCEPT

        .. Invert Rules
        salt '*' iptables.build_rule filter INPUT command=A \
            full=True match=state connstate=RELATED,ESTABLISHED \
            source='!127.0.0.1' jump=ACCEPT

        salt '*' iptables.build_rule filter INPUT command=A \
            full=True match=state connstate=RELATED,ESTABLISHED \
            destination='not 127.0.0.1' jump=ACCEPT

        IPv6:
        salt '*' iptables.build_rule match=state \
            connstate=RELATED,ESTABLISHED jump=ACCEPT \
            family=ipv6
        salt '*' iptables.build_rule filter INPUT command=I position=3 \
            full=True match=state connstate=RELATED,ESTABLISHED jump=ACCEPT \
            family=ipv6
        Will check if the defined argument is intended to be negated,
        (i.e. prefixed with '!' or 'not'), and add a '! ' to the rule.

        The prefix will be removed from the value in the kwargs dict.
    Return a data structure of the rules in the conf file

    CLI Example:

    .. code-block:: bash

        salt '*' iptables.get_saved_rules

        IPv6:
        salt '*' iptables.get_saved_rules family=ipv6
    Return a data structure of the current, in-memory rules

    CLI Example:

    .. code-block:: bash

        salt '*' iptables.get_rules

        IPv6:
        salt '*' iptables.get_rules family=ipv6

    Return the current policy for the specified table/chain

    CLI Examples:

    .. code-block:: bash

        salt '*' iptables.get_saved_policy filter INPUT
        salt '*' iptables.get_saved_policy filter INPUT \
            conf_file=/etc/iptables.saved

        IPv6:
        salt '*' iptables.get_saved_policy filter INPUT family=ipv6
        salt '*' iptables.get_saved_policy filter INPUT \
            conf_file=/etc/iptables.saved family=ipv6

    Return the current policy for the specified table/chain

    CLI Example:

    .. code-block:: bash

        salt '*' iptables.get_policy filter INPUT

        IPv6:
        salt '*' iptables.get_policy filter INPUT family=ipv6
    Set the current policy for the specified table/chain

    CLI Example:

    .. code-block:: bash

        salt '*' iptables.set_policy filter INPUT ACCEPT

        IPv6:
        salt '*' iptables.set_policy filter INPUT ACCEPT family=ipv6
    Save the current in-memory rules to disk

    CLI Example:

    .. code-block:: bash

        salt '*' iptables.save /etc/sysconfig/iptables

        IPv6:
        salt '*' iptables.save /etc/sysconfig/iptables family=ipv6
    Check for the existence of a rule in the table and chain

    This function accepts a rule in a standard iptables command format,
        starting with the chain. Trying to force users to adapt to a new
        method of creating rules would be irritating at best, and we
        already have a parser that can handle it.

    CLI Example:

    .. code-block:: bash

        salt '*' iptables.check filter INPUT \
            rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'

        IPv6:
        salt '*' iptables.check filter INPUT \
            rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
            family=ipv6
    .. versionadded:: 2014.1.0

    Check for the existence of a chain in the table

    CLI Example:

    .. code-block:: bash

        salt '*' iptables.check_chain filter INPUT

        IPv6:
        salt '*' iptables.check_chain filter INPUT family=ipv6
    .. versionadded:: 2014.1.0

    Create a new custom chain in the specified table.

    CLI Example:

    .. code-block:: bash

        salt '*' iptables.new_chain filter CUSTOM_CHAIN

        IPv6:
        salt '*' iptables.new_chain filter CUSTOM_CHAIN family=ipv6
    .. versionadded:: 2014.1.0

    Delete a custom chain from the specified table.

    CLI Example:

    .. code-block:: bash

        salt '*' iptables.delete_chain filter CUSTOM_CHAIN

        IPv6:
        salt '*' iptables.delete_chain filter CUSTOM_CHAIN family=ipv6
    Append a rule to the specified table/chain.

    This function accepts a rule in a standard iptables command format,
        starting with the chain. Trying to force users to adapt to a new
        method of creating rules would be irritating at best, and we
        already have a parser that can handle it.

    CLI Example:

    .. code-block:: bash

        salt '*' iptables.append filter INPUT \
            rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'

        IPv6:
        salt '*' iptables.append filter INPUT \
            rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
            family=ipv6
    Insert a rule into the specified table/chain, at the specified position.

    This function accepts a rule in a standard iptables command format,
        starting with the chain. Trying to force users to adapt to a new
        method of creating rules would be irritating at best, and we
        already have a parser that can handle it.

    If the position specified is a negative number, then the insert will be
        performed counting from the end of the list. For instance, a position
        of -1 will insert the rule as the second to last rule. To insert a rule
        in the last position, use the append function instead.

    CLI Examples:

    .. code-block:: bash

        salt '*' iptables.insert filter INPUT position=3 \
            rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'

        IPv6:
        salt '*' iptables.insert filter INPUT position=3 \
            rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
            family=ipv6
    Delete a rule from the specified table/chain, specifying either the rule
        in its entirety, or the rule's position in the chain.

    This function accepts a rule in a standard iptables command format,
        starting with the chain. Trying to force users to adapt to a new
        method of creating rules would be irritating at best, and we
        already have a parser that can handle it.

    CLI Examples:

    .. code-block:: bash

        salt '*' iptables.delete filter INPUT position=3
        salt '*' iptables.delete filter INPUT \
            rule='-m state --state RELATED,ESTABLISHED -j ACCEPT'

        IPv6:
        salt '*' iptables.delete filter INPUT position=3 family=ipv6
        salt '*' iptables.delete filter INPUT \
            rule='-m state --state RELATED,ESTABLISHED -j ACCEPT' \
            family=ipv6
    Flush the chain in the specified table; if no chain is specified, flush
    all chains in the table.

    CLI Example:

    .. code-block:: bash

        salt '*' iptables.flush filter INPUT

        IPv6:
        salt '*' iptables.flush filter INPUT family=ipv6
    If a file is not passed in, and the correct one for this OS is not
    detected, return False
    This function attempts to list all the options documented in the
    iptables(8) and iptables-extensions(8) man pages.  They will not all be
    used by all parts of the module; use them intelligently and appropriately.
Zerion Mini Shell 1.0