# -*- coding: utf-8 -*-
#
# Copyright (C) 2007-2016 Red Hat, Inc.
# Authors:
# Thomas Woerner <twoerner@redhat.com>
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 2 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
from __future__ import absolute_import
# translation
import locale
try:
locale.setlocale(locale.LC_ALL, "")
except locale.Error:
import os
os.environ['LC_ALL'] = 'C'
locale.setlocale(locale.LC_ALL, "")
DOMAIN = 'firewalld'
import gettext
gettext.install(domain=DOMAIN)
from . import dbus # noqa: F401
# configuration
DAEMON_NAME = 'firewalld'
CONFIG_NAME = 'firewall-config'
APPLET_NAME = 'firewall-applet'
DATADIR = '/usr/share/' + DAEMON_NAME
CONFIG_GLADE_NAME = CONFIG_NAME + '.glade'
COPYRIGHT = '(C) 2010-2017 Red Hat, Inc.'
VERSION = '0.6.3'
AUTHORS = [
"Thomas Woerner <twoerner@redhat.com>",
"Jiri Popelka <jpopelka@redhat.com>",
"Eric Garver <e@erig.me>",
]
LICENSE = gettext.gettext(
"This program is free software; you can redistribute it and/or modify "
"it under the terms of the GNU General Public License as published by "
"the Free Software Foundation; either version 2 of the License, or "
"(at your option) any later version.\n"
"\n"
"This program is distributed in the hope that it will be useful, "
"but WITHOUT ANY WARRANTY; without even the implied warranty of "
"MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the "
"GNU General Public License for more details.\n"
"\n"
"You should have received a copy of the GNU General Public License "
"along with this program. If not, see <http://www.gnu.org/licenses/>.")
WEBSITE = 'http://www.firewalld.org'
def set_system_config_paths(path):
global ETC_FIREWALLD, FIREWALLD_CONF, ETC_FIREWALLD_ZONES, \
ETC_FIREWALLD_SERVICES, ETC_FIREWALLD_ICMPTYPES, \
ETC_FIREWALLD_IPSETS, ETC_FIREWALLD_HELPERS, \
FIREWALLD_DIRECT, LOCKDOWN_WHITELIST
ETC_FIREWALLD = path
FIREWALLD_CONF = path + '/firewalld.conf'
ETC_FIREWALLD_ZONES = path + '/zones'
ETC_FIREWALLD_SERVICES = path + '/services'
ETC_FIREWALLD_ICMPTYPES = path + '/icmptypes'
ETC_FIREWALLD_IPSETS = path + '/ipsets'
ETC_FIREWALLD_HELPERS = path + '/helpers'
FIREWALLD_DIRECT = path + '/direct.xml'
LOCKDOWN_WHITELIST = path + '/lockdown-whitelist.xml'
set_system_config_paths('/etc/firewalld')
def set_default_config_paths(path):
global USR_LIB_FIREWALLD, FIREWALLD_ZONES, FIREWALLD_SERVICES, \
FIREWALLD_ICMPTYPES, FIREWALLD_IPSETS, FIREWALLD_HELPERS
USR_LIB_FIREWALLD = path
FIREWALLD_ZONES = path + '/zones'
FIREWALLD_SERVICES = path + '/services'
FIREWALLD_ICMPTYPES = path + '/icmptypes'
FIREWALLD_IPSETS = path + '/ipsets'
FIREWALLD_HELPERS = path + '/helpers'
set_default_config_paths('/usr/lib/firewalld')
FIREWALLD_LOGFILE = '/var/log/firewalld'
FIREWALLD_PIDFILE = "/var/run/firewalld.pid"
FIREWALLD_TEMPDIR = '/run/firewalld'
SYSCONFIGDIR = '/etc/sysconfig'
IFCFGDIR = "/etc/sysconfig/network-scripts"
SYSCTL_CONFIG = '/etc/sysctl.conf'
# commands used by backends
COMMANDS = {
"ipv4": "/usr/sbin/iptables",
"ipv4-restore": "/usr/sbin/iptables-restore",
"ipv6": "/usr/sbin/ip6tables",
"ipv6-restore": "/usr/sbin/ip6tables-restore",
"eb": "/usr/sbin/ebtables",
"eb-restore": "/usr/sbin/ebtables-restore",
"ipset": "/usr/sbin/ipset",
"modprobe": "/usr/sbin/modprobe",
"rmmod": "/usr/sbin/rmmod",
"nft": "@NFT@",
}
LOG_DENIED_VALUES = [ "all", "unicast", "broadcast", "multicast", "off" ]
AUTOMATIC_HELPERS_VALUES = [ "yes", "no", "system" ]
# fallbacks: will be overloaded by firewalld.conf
FALLBACK_ZONE = "public"
FALLBACK_MINIMAL_MARK = 100
FALLBACK_CLEANUP_ON_EXIT = True
FALLBACK_LOCKDOWN = False
FALLBACK_IPV6_RPFILTER = True
FALLBACK_INDIVIDUAL_CALLS = False
FALLBACK_LOG_DENIED = "off"
FALLBACK_AUTOMATIC_HELPERS = "system"
FALLBACK_FIREWALL_BACKEND = "iptables"
FALLBACK_ALLOW_ZONE_DRIFTING = True