Correction de la non prise en charge des blacklists appartements
This commit is contained in:
parent
8b86e04dba
commit
14167847db
5 changed files with 66 additions and 82 deletions
|
@ -34,13 +34,13 @@ class firewall(utils.firewall_tools) :
|
|||
self.use_ipset = [self.blacklist_hard, self.test_mac_ip, self.blacklists]
|
||||
|
||||
self.ipset['mac_ip']={
|
||||
'adh' : Ipset("MAC-IP-ADH","macipmap","--from 138.231.136.0 --to 138.231.151.255"),
|
||||
'adm' : Ipset("MAC-IP-ADM","macipmap","--from 10.231.136.0 --to 10.231.136.255"),
|
||||
'app' : Ipset("MAC-IP-APP","macipmap","--from 10.2.9.0 --to 10.2.9.255"),
|
||||
'adh' : Ipset("MAC-IP-ADH", "bitmap:ip,mac", "range 138.231.136.0-138.231.151.255"),
|
||||
'adm' : Ipset("MAC-IP-ADM", "bitmap:ip,mac", "range 10.231.136.0-10.231.136.255"),
|
||||
'app' : Ipset("MAC-IP-APP", "bitmap:ip,mac", "range 10.2.9.0-10.2.9.255"),
|
||||
}
|
||||
|
||||
self.ipset['blacklist']={
|
||||
'hard' : Ipset("BLACKLIST-HARD","ipmap","--from 138.231.136.0 --to 138.231.151.255"),
|
||||
'hard' : Ipset("BLACKLIST-HARD", "hash:ip"),
|
||||
}
|
||||
|
||||
|
||||
|
@ -110,7 +110,7 @@ class firewall(utils.firewall_tools) :
|
|||
|
||||
if fill_ipset:
|
||||
# On récupère la liste de toutes les ips blacklistés hard
|
||||
bl_hard_ips = self.blacklisted_ips(config.blacklist_sanctions, config.NETs['all'])
|
||||
bl_hard_ips = self.blacklisted_ips(config.blacklist_sanctions)
|
||||
anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['hard'])
|
||||
self.ipset['blacklist']['hard'].restore(bl_hard_ips)
|
||||
print OK
|
||||
|
|
|
@ -33,13 +33,13 @@ class firewall(base.firewall_routeur):
|
|||
self.use_tc.extend([self.limitation_debit])
|
||||
|
||||
self.ipset['reseaux_non_routable'] = {
|
||||
'deny' : base.Ipset("RESEAUX-NON-ROUTABLE-DENY","nethash"),
|
||||
'allow' : base.Ipset("RESEAUX-NON-ROUTABLE-ALLOW","nethash"),
|
||||
'deny' : base.Ipset("RESEAUX-NON-ROUTABLE-DENY", "hash:net"),
|
||||
'allow' : base.Ipset("RESEAUX-NON-ROUTABLE-ALLOW", "hash:net"),
|
||||
}
|
||||
|
||||
self.ipset['blacklist'].update({
|
||||
'soft' : base.Ipset("BLACKLIST-SOFT","ipmap","--from 138.231.136.0 --to 138.231.151.255"),
|
||||
'upload' : base.Ipset("BLACKLIST-UPLOAD","ipmap","--from 138.231.136.0 --to 138.231.151.255"),
|
||||
'soft' : base.Ipset("BLACKLIST-SOFT", "hash:ip"),
|
||||
'upload' : base.Ipset("BLACKLIST-UPLOAD", "hash:ip"),
|
||||
})
|
||||
|
||||
# Portail captif/blacklist soft: ipset des gens ayant cliqué pour continuer à naviguer
|
||||
|
@ -344,7 +344,7 @@ class firewall(base.firewall_routeur):
|
|||
|
||||
if fill_ipset:
|
||||
# On récupère la liste de toutes les ips blacklistés soft
|
||||
bl_soft_ips = self.blacklisted_ips(base.config.blacklist_sanctions_soft, base.config.NETs['all'])
|
||||
bl_soft_ips = self.blacklisted_ips(base.config.blacklist_sanctions_soft)
|
||||
anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['soft'])
|
||||
self.ipset['blacklist']['soft'].restore(bl_soft_ips)
|
||||
print OK
|
||||
|
@ -375,7 +375,7 @@ class firewall(base.firewall_routeur):
|
|||
|
||||
if fill_ipset:
|
||||
# On récupère la liste de toutes les ips blacklistés hard
|
||||
bl_hard_ips = self.blacklisted_ips(base.config.blacklist_sanctions, base.config.NETs['all'])
|
||||
bl_hard_ips = self.blacklisted_ips(base.config.blacklist_sanctions)
|
||||
anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['hard'])
|
||||
self.ipset['blacklist']['hard'].restore(bl_hard_ips)
|
||||
print OK
|
||||
|
@ -422,7 +422,7 @@ class firewall(base.firewall_routeur):
|
|||
|
||||
if fill_ipset:
|
||||
# On récupère la liste de toutes les ips blacklistés pour upload
|
||||
bl_upload_ips = self.blacklisted_ips(base.config.blacklist_bridage_upload, base.config.NETs['all'])
|
||||
bl_upload_ips = self.blacklisted_ips(base.config.blacklist_bridage_upload)
|
||||
anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['upload'])
|
||||
self.ipset['blacklist']['upload'].restore(bl_upload_ips)
|
||||
print OK
|
||||
|
|
|
@ -55,7 +55,7 @@ class firewall_tools(object) :
|
|||
"""Classe de base du pare-feu implémentant l'association mac-ip (pour les machines filaires) et les blacklists hard"""
|
||||
|
||||
def machines(self):
|
||||
"""Renvois la liste de toutes les machines"""
|
||||
"""Renvoit la liste de toutes les machines"""
|
||||
if self._machines:
|
||||
return self._machines
|
||||
# On utilise allMachinesAdherents car on a besoin que
|
||||
|
@ -63,48 +63,37 @@ class firewall_tools(object) :
|
|||
# les blacklistes d'un proprio lorsque l'on regarde les blacklistes
|
||||
# d'une machine
|
||||
anim('\tChargement des machines')
|
||||
self._machines, self._adherents = self.conn.allMachinesAdherents()
|
||||
self._adherents = [ adh for adh in self._adherents if adh.paiement_ok() ]
|
||||
# On prend toutes les machines y compris celles de ceux qui n'ont pas payé
|
||||
# elles seront ajoutées dans mac_ip mais blacklistées du fait du non paiement ensuite
|
||||
self._machines = self.conn.allMachines()
|
||||
|
||||
print OK
|
||||
return self._machines
|
||||
|
||||
def adherents(self):
|
||||
"""
|
||||
Renvois la liste de tous les adhérents à jour de paiement
|
||||
(car on suppose que la blackliste paiement est hard)
|
||||
"""
|
||||
if self._adherents:
|
||||
return self._adherents
|
||||
self._machines, self._adherents = self.conn.allMachinesAdherents()
|
||||
self._adherents = [ adh for adh in self._adherents if adh.paiement_ok() ]
|
||||
return self._adherents
|
||||
|
||||
def blacklisted_machines(self):
|
||||
"""Renvois la liste de toutes les machines ayant une blackliste actives"""
|
||||
"""Renvoit la liste de toutes les machines ayant une blackliste actives"""
|
||||
if self._blacklisted_machines:
|
||||
return self._blacklisted_machines
|
||||
self._blacklisted_machines = [ machine for machine in self.machines() if machine.blacklist_actif() ]
|
||||
return self._blacklisted_machines
|
||||
|
||||
def blacklisted_ips(self, blacklist_sanctions=None, nets=None):
|
||||
"""Renvois l'ensemble des ips des machines ayant une blacklist dans blacklist_sanctions et étant dans nets si spécifié"""
|
||||
def blacklisted_ips(self, blacklist_sanctions=None):
|
||||
"""Renvoit l'ensemble des ips des machines ayant une blacklist dans blacklist_sanctions et étant dans nets si spécifié"""
|
||||
bl_ips = set()
|
||||
for machine in self.blacklisted_machines():
|
||||
if blacklist_sanctions is None or set(bl['type'] for bl in machine.blacklist_actif()).intersection(blacklist_sanctions):
|
||||
for ip in machine['ipHostNumber']:
|
||||
if nets is None:
|
||||
bl_ips.add(str(ip))
|
||||
else:
|
||||
for net in nets:
|
||||
if ip.value in netaddr.IPNetwork(net):
|
||||
bl_ips.add(str(ip))
|
||||
bl_ips.add(str(ip))
|
||||
return bl_ips
|
||||
|
||||
def blacklisted_adherents(self, excepts=[]):
|
||||
"""Renvois la liste de tous les adhérents ayant une blackliste active en ignorant les blacklist de excepts"""
|
||||
"""Renvoit la liste de tous les adhérents ayant une blackliste active en ignorant les blacklist de excepts"""
|
||||
if not self._adherents:
|
||||
self._adherents = self.conn.allAdherents()
|
||||
|
||||
if self._blacklisted_adherents and self._blacklisted_adherents_type == set(excepts):
|
||||
return self._blacklisted_adherents
|
||||
self._blacklisted_adherents = filter(lambda adh: adh.blacklist_actif(excepts), self.adherents())
|
||||
self._blacklisted_adherents = filter(lambda adh: adh.blacklist_actif(excepts), self._adherents)
|
||||
self._blacklisted_adherents_type = set(excepts)
|
||||
return self._blacklisted_adherents
|
||||
|
||||
|
|
|
@ -102,7 +102,7 @@ class firewall(base.firewall):
|
|||
self.add(table, chain, '-d 127.0.0.1/8 -j RETURN')
|
||||
for net in base.config.NETs['all']:
|
||||
self.add(table, chain, '-d %s -j RETURN' % net)
|
||||
for adh in self.blacklisted_adherents():
|
||||
for adh in self.blacklisted_adherents(excepts=['paiement']):
|
||||
if 'uidNumber' in adh:
|
||||
self.add(table, chain, '-m owner --uid-owner %s -j REJECT' % adh['uidNumber'][0])
|
||||
print OK
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue