;mSrSSKJr SSKJr SSKJr SSKrSSKrSSKJr SSK J r SSK Jr Sr \R"S \R5rS rS rS rS r"SS\R*5r"SS\R.5rS!SjrS"SjrS"Sjr\R84SjrSrSrSr Sr!Sr"Sr#Sr$Sr%Sr&Sr'S r(g)#z0Common classes and functions for firewall rules.)absolute_import)division)unicode_literalsN) exceptions) arg_parserszPROTOCOL[:PORT[-PORT]]z (?P[a-zA-Z0-9+.-]+) # The protocol group. (:(?P\d+(-\d+)?))? # The optional ports group. # May specify a range. $ # End of input marker. z table( type, firewall_policy_name, firewall_policy_priority, priority, action, direction, disabled, ip_ranges.list():label=IP_RANGES )z table( type, security_policy_name, priority, action, preview, expression, src_ip_ranges.list():label=SRC_IP_RANGES )zTo show all fields of the firewall, please show in JSON format: --format=json To show more fields in table format, please see the examples in --help. zTo show all fields of the security policy, please show in JSON format: --format=json To show more fields in table format, please see the examples in --help. c\rSrSrSrSrg)ArgumentValidationErrorGzERaised when a user specifies --rules and --allow parameters together.N)__name__ __module__ __qualname____firstlineno____doc____static_attributes__r 5lib/googlecloudsdk/api_lib/compute/firewalls_utils.pyr r GsMrr c \rSrSrSrSrSrSrg) ActionTypeKzFirewall Action type.r N)r r rrrALLOWDENYrr rrrrKs % $rrc U(aSOSnU(d6URSSSS9 URS[R"5SS S 9 UnU(aURU(+S 9nURS [[R "US 9U(+=(a U(+SU(aSOS-S9 URSSR U(aSOS5S9 SnU(aUS- nOUS- nURSU(aSO/S[R "US 9US9 SnU(aUS- nU(aUS- nURS U(aSO/S![R "US 9US9 S"nU(aS#nU(aUS$- nURS%U(aSO/S![R "US 9US9 S&n U(dU S'- n URS(S)SU S*9 U(a [XU5 gg)+z@Adds common arguments for firewall create or update subcommands.rrz --networkdefaultz The network to which this rule is attached. If omitted, the rule is attached to the ``default'' network. )rhelpz--resource-manager-tagsz KEY=VALUEz^ A comma-separated list of Resource Manager tags to apply to the firewall. )typemetavarr)requiredz--allow min_lengthaV A list of protocols and ports whose traffic will be allowed. The protocols allowed over this connection. This can be the (case-sensitive) string values `tcp`, `udp`, `icmp`, `esp`, `ah`, `sctp`, or any IP protocol number. An IP-based protocol must be specified for each rule. The rule applies only to specified protocol. For port-based protocols - `tcp`, `udp`, and `sctp` - a list of destination ports or port ranges to which the rule applies may optionally be specified. If no port or port range is specified, the rule applies to all destination ports. The ICMP protocol is supported, but there is no support for configuring ICMP packet filtering by ICMP code. For example, to create a rule that allows TCP traffic through port 80 and ICMP traffic: $ {command} MY-RULE --allow tcp:80,icmp To create a rule that allows TCP traffic from port 20000 to 25000: $ {command} MY-RULE --allow tcp:20000-25000 To create a rule that allows all TCP traffic: $ {command} MY-RULE --allow tcp < Setting this will override the current values. )rrr rz --descriptionz/A textual description for the firewall rule.{0}z* Set to an empty string to clear existing.)ra A list of IP address blocks that are allowed to make inbound connections that match the firewall rule to the instances on the network. The IP address blocks must be specified in CIDR format: link:http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing[]. If neither --source-ranges nor --source-tags are specified, --source-ranges defaults to `0.0.0.0/0`, which means that the rule applies to all incoming IPv4 connections from inside or outside the network. If both --source-ranges and --source-tags are specified, the rule matches if either the range of the source matches --source-ranges or the tag of the source matches --source-tags. z Setting this will override the existing source ranges for the firewall. The following will clear the existing source ranges: $ {command} MY-RULE --source-ranges z` Multiple IP address blocks can be specified if they are separated by commas. z--source-rangesN CIDR_RANGErrrra A list of instance tags indicating the set of instances on the network to which the rule applies if all other fields match. If neither --source-ranges nor --source-tags are specified, --source-ranges defaults to `0.0.0.0/0`, which means that the rule applies to all incoming IPv4 connections from inside or outside the network. If both --source-ranges and --source-tags are specified, an inbound connection is allowed if either the range of the source matches --source-ranges or the tag of the source matches --source-tags. Tags can be assigned to instances during instance creation. zx If source tags are specified then neither a source nor target service account can also be specified. z Setting this will override the existing source tags for the firewall. The following will clear the existing source tags: $ {command} MY-RULE --source-tags z --source-tagsTAGa1 A list of instance tags indicating which instances the rule is applied to. If the field is set, the rule applies to only instances with a matching tag. If omitted, the rule applies to all instances in the network. Tags can be assigned to instances during instance creation. a List of instance tags indicating the set of instances on the network which may accept connections that match the firewall rule. Note that tags can be assigned to instances during instance creation. If target tags are specified, then neither a source nor target service account can also be specified. If both target tags and target service account are omitted, all instances on the network can receive connections that match the rule. z Setting this will override the existing target tags for the firewall. The following will clear the existing target tags: $ {command} MY-RULE --target-tags z --target-tagsa Disable a firewall rule and stop it from being enforced in the network. If a firewall rule is disabled, the associated network behaves as if the rule did not exist. To enable a disabled rule, use: $ {parent_command} update MY-RULE --no-disabled z&Firewall rules are enabled by default.z --disabled store_true)actionrr) add_argumentrArgDictadd_mutually_exclusive_groupALLOWED_METAVARArgListformatAddArgsForEgress) parser for_updatewith_egress_supportwith_service_accountr"ruleset_parsersource_ranges_helpsource_tags_helptarget_tags_help disabled_helps r AddCommonArgsr:Qsg qA*     !  "  .889!N   * 5=)<%< > ? ! $"L  < C C:D 6" NO        db   * 5           db   * 5          db   * 5   - AAM<MKVZ8rc U(aSOSnU(dURSSS/SSS9 S nU(aUS - nOUS - nURS [[R"US 9USS9 U(dURS/SQSSS9 URS[SS9 SnU(aUS- nOUS- nURSU(aSO/S[R"US 9US9 g)z@Adds arguments for egress firewall create or update subcommands.rrz--actionrrc"UR5$Nupperxs r"AddArgsForEgress.. qwwyrz The action for the firewall rule: whether to allow or deny matching traffic. If specified, the flag `--rules` must also be specified. )choicesrra A list of protocols and ports to which the firewall rule will apply. PROTOCOL is the IP protocol whose traffic will be checked. PROTOCOL can be either the name of a well-known protocol (e.g., tcp or icmp) or the IP protocol number. A list of IP protocols can be found at http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml A port or port range can be specified after PROTOCOL to which the firewall rule apply on traffic through specific ports. If no port or port range is specified, connections through all ranges are applied. TCP and UDP rules must include a port or port range. r#z If specified, the flag --action must also be specified. For example, the following will create a rule that blocks TCP traffic through port 80 and ICMP traffic: $ {command} MY-RULE --action deny --rules tcp:80,icmp z--rulesr!F)rrrr z --direction)INGRESSEGRESSINOUTc"UR5$r=r>r@s rrBrCCrDra6 If direction is NOT specified, then default is to apply on incoming traffic. For outbound traffic, it is NOT supported to specify source-tags. For convenience, 'IN' can be used to represent ingress direction and 'OUT' can be used to represent egress direction. z --prioritya; This is an integer between 0 and 65535, both inclusive. When NOT specified, the value assumed is 1000. Relative priority determines precedence of conflicting rules: lower priority values imply higher precedence. DENY rules take precedence over ALLOW rules having equal priority. )rra The firewall rule will apply to traffic that has destination IP address in these IP address block list. The IP address blocks must be specified in CIDR format: link:http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing[]. z Setting this will override the existing destination ranges for the firewall. The following will clear the existing destination ranges: $ {command} MY-RULE --destination-ranges z If --destination-ranges is NOT provided, then this flag will default to 0.0.0.0/0, allowing all IPv4 destinations. Multiple IP address blocks can be specified if they are separated by commas. z--destination-rangesNr%r&)r*r-rr.int)r1r5r2r" rules_helpdestination_ranges_helps rr0r0s7qA* &!      *  J  J    * 5    2                  db   * 5 " $rc  U(aSOSnSnU(aUS- nURSU(aSO/S[R"US9US 9 S nU(aUS - nURS U(aSO/S[R"US9US 9 g) z@Adds arguments for secure firewall create or update subcommands.rra  The email of a service account indicating the set of instances on the network which match a traffic source in the firewall rule. If a source service account is specified then neither source tags nor target tags can also be specified. z Setting this will override the existing source service accounts for the firewall. The following will clear the existing source service accounts: $ {command} MY-RULE --source-service-accounts z--source-service-accountsNEMAILr!r&af The email of a service account indicating the set of instances to which firewall rules apply. If both target tags and target service account are omitted, the firewall rule is applied to all instances on the network. If a target service account is specified then neither source tag nor target tags can also be specified. z Setting this will override the existing target service accounts for the firewall. The following will clear the existing target service accounts: $ {command} MY-RULE --target-service-accounts z--target-service-accounts)r*rr.)r1r2r"source_service_accounts_helptarget_service_accounts_helps rAddArgsForServiceAccountrRssqA*"  %    ! db   * 5 ' )"  %    ! db   * 5 ' )rc/nU=(d /Hn[RU5nU(d*[R"SR [ U55eUR S5(aUR S5/nO/nU[R:Xa*URRUR S5US9nO)URRUR S5US9nURU5 M U$)zCParses protocol:port mappings from --allow or --rules command line.z7Firewall rules must be of the form {0}; received [{1}].portsprotocol) IPProtocolrT) LEGAL_SPECSmatchcompute_exceptions ArgumentErrorr/r-grouprrFirewallAllowedValueListEntryDeniedValueListEntryappend)rulesmessage_classesr)rule_value_listspecrXrTrules r ParseRulesres/krkd   d #E   , , C J Jt % && {{7{{7#$ee !!!  % % ; ;[[,E<;d % % : :[[,E;;d4 #$ rcUVs/sH>o"RURRRR:XdM<UPM@ nnUR SSS9 UVs/sH>o"RURRRR :XdM<UPM@ nnUR SSS9 X4-$s snfs snf)z:Sort the network firewall rules by direction and priority.cUR$r=priorityr@s rrB*SortNetworkFirewallRules..ajjrFkeyreversecUR$r=rhr@s rrBrjsQZZr) directionmessagesr\DirectionValueValuesEnumrFsortrG)clientr`itemingress_network_firewallegress_network_firewalls rSortNetworkFirewallRulesrxst oo77??!@du$8%Ht oo77>>!?du#7G ! ;; ;B=B=!;C Cc///pCnUHn[USS5nUcURU5 M&UURRRR :XaURU5 MgUURRRR :XdMURU5 M X#U4HnURSSS9 M X#-U-$)zHSort the organization firewall rules by optional direction and priority.rpNcUR$r=rhr@s rrB&SortOrgFirewallRules..srFrl)getattrr_rqSecurityPolicyRulerrrFrGrs)rtr` ingress_rule egress_rulecloud_armor_rulerurp rule_lists rSortOrgFirewallRulesrs02B-,dk40Id# ?? - - F F N N O$ ?? - - F F M M N!/?@i NN+UN;A  #&6 66rcUVs/sH>o"RURRRR:XdM<UPM@ nnUR SSS9 UVs/sH>o"RURRRR :XdM<UPM@ nnUR SSS9 X4-$s snfs snf)z?Sort the organization firewall rules by direction and priority.cUR$r=rhr@s rrB)SortFirewallPolicyRules..sqzzrFrlcUR$r=rhr@s rrBrrkr)rprqFirewallPolicyRulerrrFrsrG)rtr`ruingress_org_firewall_ruleegress_org_firewall_rules rSortFirewallPolicyRulesrst oo((AAII!Jdu  %95 It oo((AAHH!Idu$8%H " == rycUURRRR:Xd\UURRRR:Xd.UURR RR:XagUURRRR :Xd\UURRRR:Xd.UURR RR:XagUURRRR:Xd.UURR RR:XagUURRRR:Xd\UURRRR:Xd.UURR RR:XagUURRRR:Xd.UURR RR:Xagg)zDefines Firewall evaluation order. Args: client: API client. fp_type: Firewall Policy type. Returns: int representing type ordering rrr) rq[TUR5URcS4$UR4$)Nr)rrri)fprts rrB&SortFirewallPolicies..*s. "6277 3{{"!(* r)rm)sorted)rtfpss` rSortFirewallPoliciesr&s    rc/nURH3n[XU5nURSS05 URU5 M5 URH3n[XU5nURSS05 URU5 M5 U$)zGConvert organization firewall policy rules to effective firewall rules. rule_type FIREWALL_RULEPACKET_MIRRORING_RULE)r`ConvertFirewallPolicyRuleupdater_packetMirroringRules)rtfirewall_policyresultrdrus r,ConvertFirewallPolicyRulesToEffectiveFwRulesr1s &##d $Vd CDKKo./ MM$$ 22d $Vd CDKK567 MM$3 -rc2 0nURURRRR:XdpURURR RR:Xd8URURR RR:XaURSS05 GOURURRRR:XdpURURR RR:Xd8URURR RR:XaURSS05 GOURURR RR:Xd8URURR RR:XaURSS05 GOSURURRRR:XdpURURR RR:Xd8URURR RR:XaURSS05 OURURR RR:Xd8URURR RR:XaURSS05 OURSS05 URSUR05 URS UR05 URS UR05 URS UR05 URS UR 05 URS UR"R%505 URS['UR(505 UR*R,(a'URSUR*R,05 UR*R.(a'URSUR*R.05 UR0(aURSUR005 UR2(aURSUR205 U$)z/Convert rule to effective firewall rule output.r org-firewallznetwork-firewall-policyz network-regional-firewall-policyzsystem-network-firewall-policyz'system-network-regional-firewall-policyunknownfirewall_policy_priority descriptionfirewall_policy_namerirpr)disabled ip_rangestarget_svc_accttarget_resources)rrqrrrrrrrrrrrrirnamerpr)r?boolrrX srcIpRanges destIpRangestargetServiceAccountstargetResources)rtrrdrus rrrAs $  U U i i s st     V V j j t t u     j j ~ ~ I I I KK()  U U i i q qr     V V j j r r s     j j ~ ~ G G G KK234  V V j j { {|     j j ~ ~ P P P KK;<=  U U i i p pq     V V j j x x y     j j ~ ~ M M M KK9:;  V V j j z z{     j j ~ ~ O O O KKBCDKK#$++)?+C+CDE++}d../0++%';';<=++z4==)*++{DNN+,++x**,-.++z4 ./0 ZZKKdjj4456 ZZKKdjj5567 KK"D$>$>?@ KK#T%9%9:; +rc/nURGHn0nURSS05 URSUR05 URSUR05 URSUR05 URSUR 05 URSUR R505 URSS 05 URRR(a1URS URRR05 URRR(a1URS URRR05 UR(aURS UR05 UR(aURS UR05 URU5 GM U$) zGConvert organization security policy rules to effective firewall rules.rrrrrirpr)rFalserrr)r`rridrirpr)r?rXconfigrrrrr_security_policyrrdrus r/ConvertOrgSecurityPolicyRulesToEffectiveFwRulesrsr &##d DKK()KK 0 012KK'););<=KKT]]+,KKdnn-.KK4;;,,./0KKW%& zz$$ kk; 1 1 = =>? zz%% kk; 1 1 > >?@ !! kk$d&@&@AB  kk%t';';<= MM$#$$ -rc\/nUGH"n0nURSS05 URSUR05 URSUR05 URSUR05 UR(aURSS05 OURSS05 UR (aURS UR 05 UR (aURS UR 05 UR(aURS UR05 UR(aURS UR05 UR(aURS UR05 UR(aURS UR05 UR(aURSS05 OURSS05 URSUR05 URU5 GM% U$)z;Convert network firewall rules to effective firewall rules.rznetwork-firewallrrirpr)rrrr target_tagssrc_tags src_svc_acctrTFr)rrrirpallowed sourceRangesdestinationRangesr targetTags sourceTagssourceServiceAccountsrrr_)network_firewallsrrdrus r-ConvertNetworkFirewallRulesToEffectiveFwRulesrs &d DKK+,-KK 0 012KKT]]+,KKdnn-. || kk8W%& kk8V$%  kk; 1 123  kk; 6 678 !! kk$d&@&@AB  kk=$//23  kk:t/0 !! kk>4??34 }} kk:t$% kk:u%&KK#$ MM$7 8 -rc/nURGHn0nURSS05 URSUR05 URSUR05 URSUR05 URSUR R 505 URSUR05 URR(aVURRR(a1URSURRR05 URR(aVURRR(a1URS URRR05 URU5 GM U$) zEConvert org security policy rules to effective security policy rules.rzorg-security-policyrsecurity_policy_namerir)preview expression src_ip_ranges)r`rr shortNamerir)r?rrXexprrrrr_rs r/ConvertOrgSecurityPolicyRulesToEffectiveSpRulesrs2 &##d DKK./0KK 0 012KK')B)BCDKKT]]+,KK4;;,,./0KKDLL)* zz4::??55 kk<!;!;<= zzTZZ..:: kk?DJJ$5$5$A$ABC MM$$ -rc/nURGHn0nURSS05 URSUR05 URSUR05 URSUR05 URSUR R 505 URSUR05 URR(aVURRR(a1URSURRR05 URR(aVURRR(a1URS URRR05 URU5 GM U$) zAConvert security policy rules to effective security policy rules.rzsecurity-policyrrrir)rrr)r`rrrrir)r?rrXrrrrr_rs r,ConvertSecurityPolicyRulesToEffectiveSpRulesrs2 &##d DKK*+,KK 0 012KK')=)=>?KKT]]+,KK4;;,,./0KKDLL)* zz4::??55 kk<!;!;<= zzTZZ..:: kk?DJJ$5$5$A$ABC MM$$ -r)FFF)F))r __future__rrrenumregooglecloudsdk.api_lib.computergooglecloudsdk.callioper"googlecloudsdk.command_lib.computerYr-compileVERBOSErWEFFECTIVE_FIREWALL_LIST_FORMAT%EFFECTIVE_SECURITY_POLICY_LIST_FORMAT LIST_NOTICELIST_NOTICE_SECURITY_POLICYErrorr Enumrr:r0rRrrerxrrrrrrrrrrr rrrs7&' 5/O*jj    " )%  Nj..N  #&+',z9zb$J.)b/9.>.>0 <7, >3 l  =@0D&r