^XSrSSKJr SSKJr SSKJr SSKJr SSKJr SSKJ r Sr "S S \ R5rS>S jrS rSrSrS>SjrS?SjrSrSr"SS\ R5rS@SjrS>SjrS>SjrS?SjrSASjrSASjrSBSjrSCSjrSCSjr SCSjr!SCS jr"SCS!jr#SCS"jr$S#r%SCS$jr&SCS%jr'S?S&jr(SCS'jr)SBS(jr*S)r+S*r,S+r-S,r.S-r/SCS.jr0SCS/jr1SCS0jr2SCS1jr3S2r4S3r5S4r6SCS5jr7SCS6jr8SCS7jr9S8r:SCS9jr;SCS:jrSCS=jr?g )DzEFlags and helpers for the compute network firewall policies commands.)absolute_import)division)unicode_literals) arg_parsers) completers)flagsz9 table( name:label=NAME, description )c(^\rSrSrU4SjrSrU=r$) NetworkFirewallPoliciesCompleter c 4>[[U] "SSSS.UD6 g)Ncompute.networkFirewallPoliciesz,compute network-firewall-policies list --uri collection list_command)superr __init__selfkwargs __class__s Ilib/googlecloudsdk/command_lib/compute/network_firewall_policies/flags.pyr)NetworkFirewallPoliciesCompleter.__init__"s( *D:4C r__name__ __module__ __qualname____firstlineno__r__static_attributes__ __classcell__rs@rr r rr Nc `[R"SS[UUSSRU5SSS9 $)NFIREWALL_POLICYfirewall policyzfirewall policiesz+name of the network firewall policy to {0}.r %compute.regionNetworkFirewallPolicies) name resource_name completerpluralrequired custom_plural short_helpglobal_collectionregional_collection) compute_flagsResourceArgumentr formatr,r+ operations rNetworkFirewallPolicyArgumentr6*s@  ' ' %0 '>EE :A  rc$URSSS9 g)z8Adds the arguments for network firewall policy creation. --descriptionAAn optional, textual description for the network firewall policy.helpN add_argumentparsers r#AddArgNetworkFirewallPolicyCreationr@: Nrc2URSSSS/U-SS9 g)zAdds policy type argument.z --policy-typeF VPC_POLICYRDMA_ROCE_POLICYzNetwork firewall policy type.r,choicesr;Nr<)r?additional_choicess r AddPolicyTyperHBs-/03EE * rc$URSSS9 g)z/Adds the arguments for firewall policy update.r8r9r:Nr<r>s r"AddArgsUpdateNetworkFirewallPolicyrJLrArc T[R"SSUUSRU5SSS9$)N--firewall-policyr&z1Firewall policy ID with which to {0} association.r r'r(r)r+r,r.r/r0r1r2r3r4s r(NetworkFirewallPolicyAssociationArgumentrOTs<  ' ' % DKK :A  rcURSSS9 URSSSS9 U(aURSS SS S 9 UnU(a"URSS S 9nURS S SSS 9 URSSS S SS9 g)z+Adds the arguments of association creation.--nameName of the association.r: --networkTz:Name of the network with which the association is created.r,r; --priorityFPriority of the association.r,hiddenr;)mutexr,z"--associated-policy-to-be-replacedz9Name of an already associated firewall policy to replace.z--replace-association-on-target store_truezBy default, if you attempt to insert an association to a network that is already associated with a firewall policy the method will fail. If this is set, the existing association will be deleted at the same time that the new association is created.)actiondefaultr,r;N)r= add_group)r?support_priority(support_associated_policy_to_be_replacedgroups rAddArgsCreateAssociationrads  h%?@ G   +  %-   4%  8E , H '  $  rcHURSSSS9 URSSSS9 g)z)Adds the arguments of association update.rQTrRrTrUrVNr<r>s rAddArgsUpdateAssociationrcs3h4NOT(Frc&URSSSS9 g)z+Adds the arguments of association deletion.rQTz"Name of the association to delete.rTNr<r>s rAddArgsDeleteAssociationres$Hrc(^\rSrSrU4SjrSrU=r$)NetworksCompleterc 4>[[U] "SSSS.UD6 g)Ncompute.networkszcompute networks list --urirr)rrgrrs rrNetworksCompleter.__init__s( T+%2 rrrr"s@rrgrgr#rrgc @[R"SS[SUSUUS9$)NrSnetworkFrj)r(r)r*r+r,r/r. detailed_help)r1r2rg)r.r,rns rNetworkArgumentForOtherResourceros/  ' ' ! *!  rc T[R"SSUUSRU5SSS9$)NrLr&*Firewall policy ID with which to {0} rule.r r'rMrNr4s r!NetworkFirewallPolicyRuleArgumentrrs7  ' ' % =DDYO9A rc R[R"SSUUSRU5SS9$)NrLr&rqr )r(r)r+r,r.r/rNr4s r0NetworkFirewallPolicyPacketMirroringRuleArgumentrts4  ' ' % =DDYO9  rc 6[R"SSUUSSSS9$)N--source-firewall-policyr&z5Source Firewall policy NAME with which to clone rule.r r'rM)r1r2)r,r+s r$NetworkSrcFirewallPolicyRuleArgumentrws*  ' ' %% H9A rc0URS/SQSUSS9 g))Adds the action argument to the argparse.--action)allowdeny goto_nextapply_security_profile_groupc"UR5$Nlowerxs rAddAction.. QWWYr:Action to take if the request matches the match condition.rFtyper,r;Nr<r?r,s r AddActionrs$L  G rc0URS/SQSUSS9 g)ryrz)mirror do_not_mirrorr}c"UR5$rrrs rr*AddPacketMirroringAction..rrrrNr<rs rAddPacketMirroringActionrs$6  G rcBURSSRU5S9 g)z0Adds the rule priority argument to the argparse.priorityz8Priority of the rule to be {}. Valid in [0, 2147483547].r:Nr=r3r?r5s rAddRulePriorityrs) E L L  rcPURS[R"5USSS9 g)zAdds the source IP ranges.z--src-ip-ranges SRC_IP_RANGEa\A list of IP address blocks that are allowed to make inbound connections that match the firewall rule to the instances on the network. The IP address blocks must be specified in CIDR format: http://en.wikipedia.org/wiki/Classless_Inter-Domain_Routing.Either --src-ip-ranges or --src-secure-tags must be specified for INGRESS traffic. If both --src-ip-ranges and --src-secure-tags are specified, the rule matches if either the range of the source matches --src-ip-ranges or the secure tag of the source matches --src-secure-tags.Multiple IP address blocks can be specified if they are separated by commas.rr,metavarr;Nr=rArgListrs rAddSrcIpRangesrs/      rcPURS[R"5USSS9 g)zAdds the destination IP ranges.z--dest-ip-ranges DEST_IP_RANGEz.Destination IP ranges to match for this rule. rNrrs rAddDestIpRangesrs-     ; rcPURS[R"5USSS9 g)zAdds the layer4 configs.z--layer4-configs LAYER4_CONFIGzPA list of destination protocols and ports to which the firewall rule will apply.rNrrs rAddLayer4Configsr%s/       rc,URSUSS/SS9 g)z?Adds the direction of the traffic to which the rule is applied.z --directionINGRESSEGRESSzZDirection of the traffic the rule is applied. The default is to apply on incoming traffic.rENr<rs r AddDirectionr3s((# ( rcDURSU[RSS9 g)z"Adds the option to enable logging.z--enable-loggingzSUse this flag to enable logging of connections that allowed or denied by this rule.r,r[r;Nr=rStoreTrueFalseActionrs rAddEnableLoggingr@s)  - - ! rcDURSU[RSS9 g)z$Adds the option to disable the rule.z --disabledzJUse this flag to disable the rule. Disabled rules will not affect traffic.rNrrs r AddDisabledrMs)  - -  rc(URSSSSS9 g)z'Adds the --global-firewall-policy flag.z--global-firewall-policyTrZz9Use this flag to indicate that firewall policy is global.rNr<r>s rAddGlobalFirewallPolicyrZs#    F rcPURS[R"5SUSS9 g)z.Adds the target service accounts for the rule.z--target-service-accountsTARGET_SERVICE_ACCOUNTSz-List of target service accounts for the rule.rrr,r;Nrrs rAddTargetServiceAccountsris-!    ' : rc&URSUSS9 g)z"Adds the description of this rule.r8z.An optional, textual description for the rule.rTNr<rs rAddDescriptionrts ;rclSnU(aUS- nURS[R"5SUUS9 g)z'Adds a source secure tag to this rule.aA list of instance secure tags indicating the set of instances on the network to which the rule applies if all other fields match. Either --src-ip-ranges or --src-secure-tags must be specified for ingress traffic. If both --src-ip-ranges and --src-secure-tags are specified, an inbound connection is allowed if either the range of the source matches --src-ip-ranges or the tag of the source matches --src-secure-tags. Secure Tags can be assigned to instances during instance creation.zD Secure tags cannot be specified if source network type is INTERNET.z--src-secure-tagsSOURCE_SECURE_TAGSrNr)r?r,support_network_scopes help_texts rAddSrcSecureTagsr}sK  NI     "  rcPURS[R"5SUSS9 g)z&Adds a target secure tag to this rule.z--target-secure-tagsTARGET_SECURE_TAGSzdAn optional, list of target secure tags with a name of the format tagValues/ or full namespaced namerNrrs rAddTargetSecureTagsrs/    " 6  rcBURSSRU5S9 g)z;Adds the new firewall policy rule priority to the argparse.z--new-priorityz6New priority for the rule to {}. Valid in [0, 65535]. r:Nrrs rAddNewPriorityrs) B I I rc&URSSSS9 g)z:Adds the argument for network firewall policy clone rules.rvTzBName of the source network firewall policy to copy the rules from.rTNr<r>s rAddArgsCloneRulesrs  OrcPURS[R"5SSSS9 g)z)Adds a source address group to this rule.z--src-address-groupsSOURCE_ADDRESS_GROUPSFz\Source address groups to match for this rule. Can only be specified if DIRECTION is ingress.rNrr>s rAddSrcAddressGroupsrs/    % ;  rcPURS[R"5SSSS9 g)z.Adds a destination address group to this rule.z--dest-address-groupsDEST_ADDRESS_GROUPSFzaDestination address groups to match for this rule. Can only be specified if DIRECTION is engress.rNrr>s rAddDestAddressGroupsrs/    # ;  rcPURS[R"5SSSS9 g)zAdds source fqdns to this rule.z --src-fqdns SOURCE_FQDNSFzUSource FQDNs to match for this rule. Can only be specified if DIRECTION is `ingress`.rNrr>s r AddSrcFqdnsrs/     =  rcPURS[R"5SSSS9 g)z$Adds destination fqdns to this rule.z --dest-fqdns DEST_FQDNSFzYDestination FQDNs to match for this rule. Can only be specified if DIRECTION is `egress`.rNrr>s r AddDestFqdnsrs/     <  rclSnU(aUS- nURS[R"5SSUS9 g)z'Adds a source region code to this rule.z[Source Region Code to match for this rule. Can only be specified if DIRECTION is `ingress`.z\ Cannot be specified when the source network type is NON_INTERNET, VPC_NETWORK or INTRA_VPC.z--src-region-codesSOURCE_REGION_CODESFrNrr?rrs rAddSrcRegionCodesrsM!   ;I     #  rclSnU(aUS- nURS[R"5SSUS9 g)z,Adds a destination region code to this rule.z_Destination Region Code to match for this rule. Can only be specified if DIRECTION is `egress`.zB Cannot be specified when the source network type is NON_INTERNET.z--dest-region-codesDEST_REGION_CODESFrNrrs rAddDestRegionCodesrsK   LI     !  rcfSnU(aSnURS[R"5SSUS9 g)z8Adds source threat intelligence list names to this rule.zSource Threat Intelligence lists to match for this rule. Can only be specified if DIRECTION is `ingress`. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.aLSource Threat Intelligence lists to match for this rule. Can only be specified if DIRECTION is `ingress`. Cannot be specified when the source network type is NON_INTERNET, VPC_NETWORK or INTRA_VPC. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.z--src-threat-intelligence SOURCE_THREAT_INTELLIGENCE_LISTSFrNrrs rAddSrcThreatIntelligencersJh  j !    0  rcfSnU(aSnURS[R"5SSUS9 g)z=Adds destination threat intelligence list names to this rule.zDestination Threat Intelligence lists to match for this rule. Can only be specified if DIRECTION is `egress`. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.a2Destination Threat Intelligence lists to match for this rule. Can only be specified if DIRECTION is `egress`. Cannot be specified when source network type is NON_INTERNET. The available lists can be found here: https://cloud.google.com/vpc/docs/firewall-policies-rule-details#threat-intelligence-fw-policy.z--dest-threat-intelligenceDEST_THREAT_INTELLIGENCE_LISTSFrNrrs rAddDestThreatIntelligencer4sJh  j "    .  rc(URSSSSS9 g))Adds security profile group to this rule.--security-profile-groupSECURITY_PROFILE_GROUPFzMA security profile group to be used with apply_security_profile_group action.rr,r;Nr<r>s rAddSecurityProfileGrouprMs# & 2 rc(URSSSSS9 g)rrrFz7A security profile group to be used with mirror action.rNr<r>s r AddMirroringSecurityProfileGrouprZs! & D rcDURSS[RSS9 g)z6Adds the option to turn on TLS decryption on the rule.z --tls-inspectFzUse this flag to indicate whether TLS traffic should be inspected using the TLS inspection policy when the security profile group is applied. Default: no TLS inspection.rNrr>s r AddTlsInspectrds)  - - 4  rc(URSUSSS9 g)z'Adds source network scope to this rule.z--src-network-scopeTaEDeprecated. Use --src-network-type instead. Use this flag to indicate that the rule should match internet, non-internet traffic or traffic coming from the network specified by --src-network. It applies to ingress rules. Valid values are INTERNET, NON_INTERNET, VPC_NETWORKS and INTRA_VPC. Use empty string to clear the field.rWNr<rs rAddSrcNetworkScoperrs#  (  rc&URSUSS9 g)z&Adds source network type to this rule.z--src-network-typeUse this flag to indicate that the rule should match internet, non-internet traffic or traffic coming from the network specified by --src-networks. It applies to ingress rules. Valid values are INTERNET, NON_INTERNET, VPC_NETWORKS and INTRA_VPC. Use empty string to clear the field.rTNr<rs rAddSrcNetworkTypers  (  rc&URSUSS9 g)z)Adds source network context to this rule.z--src-network-contextrrTNr<rs rAddSrcNetworkContextrs  (  rcPURS[R"5SSSS9 g)z+Adds source network urls list to this rule.z--src-networks SRC_NETWORKSFzThe source VPC networks to match for this rule. It can only be specified when --src-network-type is VPC_NETWORKS. It applies to ingress rules. It accepts full or partial URLs.rNrr>s rAddSrcNetworksrs/     =  rc(URSUSSS9 g)z,Adds destination network scope to this rule.z--dest-network-scopeTaDeprecated. Use --dest-network-type instead. Use this flag to indicate that the rule should match internet or non-internet traffic. It applies to destination traffic for egress rules. Valid values are INTERNET and NON_INTERNET. Use empty string to clear the field.rWNr<rs rAddDestNetworkScopers#  .  rc&URSUSS9 g)z+Adds destination network type to this rule.z--dest-network-typeUse this flag to indicate that the rule should match internet or non-internet traffic. It applies to destination traffic for egress rules. Valid values are INTERNET and NON_INTERNET. Use empty string to clear the field.rTNr<rs rAddDestNetworkTypers  .  rc&URSUSS9 g)z.Adds destination network context to this rule.z--dest-network-contextrrTNr<rs rAddDestNetworkContextrs  .  rc,URSUSS/SS9 g)zAdds target type to this rule.z --target-type INSTANCESINTERNAL_MANAGED_LBzTarget type of the rule. By default a rule applies to VM instances (target-type = INSTANCES). Use INTERNAL_MANAGED_LB value to apply the rule to load balancers.rENr<rs r AddTargetTypers)12 )  rcPURSU[R"5SSS9 g)z*Adds target forwarding rules to this rule.z--target-forwarding-rulesTARGET_FORWARDING_RULESa(A list of forwarding rules to which this rule applies. This field allows you to control which load balancers get this rule. If not specified, the rule applies to all load balancers. This field is only applicable when --target-type is INTERNAL_MANAGED_LB. It accepts full or partial resource URLs.)r,rrr;Nrrs rAddTargetForwardingRulesrs/!    ' 4  r)FFN)FF)TN)Tr)F)@__doc__ __future__rrrgooglecloudsdk.callioper"googlecloudsdk.command_lib.computercompute_completersrr1DEFAULT_LIST_FORMATListCommandCompleterr r6r@rHrJrOrarcrergrorrrtrwrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrrsXL&'/OE '9'N'N  -1 $-2,^*??.2  -1 -1  .     4      (&62  "       r