[firewall] Ajout de macip pour gordon (espérons...)

Ignore-this: 8b0e0a9aeedc0a1d99a4e9110504f95a darcs-hash:20100110235856-ffbb2-ac6d9607d5fef5e799464823c822c04e8fcfff5a.gz
2010-01-11 00:58:56 +01:00 · 2010-01-11 00:58:56 +01:00 · 1fd27cbf22
commit 1fd27cbf22
parent 5330a5506e
2 changed files with 70 additions and 3 deletions
--- a/gestion/gen_confs/firewall.py
+++ b/gestion/gen_confs/firewall.py
@ -252,11 +252,11 @@ class firewall_crans :
        mac=machine.mac()

        insert = '-I'
-        if isinstance(machine, MachineWifi) or isinstance(machine, BorneWifi):
+        if hostname != "gordon" and isinstance(machine, (MachineWifi, BorneWifi)):
            # Machine wifi, c'est la mac de Nectaris
            iptables("-t nat %s TEST_MAC-IP -s "%(insert)+\
            "%s -m mac --mac-source %s -j RETURN"%(ip, mac_wifi))
-        elif ip.startswith('138.231.151.'):
+        elif hostname != "dyson" and ip.startswith('138.231.151.'):
            # Machine du G, c'est la mac de dyson
            iptables("-t nat %s TEST_MAC-IP -s "%(insert)+\
            "%s -m mac --mac-source %s -j RETURN"%(ip, mac_g))
@ -1278,6 +1278,73 @@ class firewall_sable(firewall_rouge):

 firewall_bleu = firewall_zamok

+"""
+Gordon
+"""
+
+class firewall_gordon(firewall_crans) :
+    """
+    Structure du firewall :
+        table nat :
+            MAC-IP
+        table filter :
+            FORWARD (policy par défaut : ACCEPT)
+            INPUT (policy par défaut : ACCEPT)
+        table mangle :
+            POSTROUTING : le proxy transparent
+
+    """
+
+    # interfaces physiques
+    eth_crans = "eth0"
+    eth_wifi = "eth0.3"
+
+    def nat_table(self) :
+        self.anim = anim('\tStructure de la table nat')
+        iptables('-t nat -N TEST_MAC-IP')
+
+        iptables("-t nat -P PREROUTING ACCEPT")
+        iptables("-t nat -A PREROUTING -i lo -j ACCEPT")
+        iptables("-t nat -A PREROUTING -d 224.0.0.0/4 -j DROP")
+
+        for net in NETs['fil'] + NETs['vlan-adm'] + NETs['wifi'] :
+            iptables("-t nat -A PREROUTING -s %s -j TEST_MAC-IP" % net)
+
+        iptables("-t nat -P PREROUTING ACCEPT")
+        iptables("-t nat -P OUTPUT ACCEPT")
+        print OK
+
+    def filter_table_tweaks(self) :
+        self.anim = anim('\tRègles spécifiques à gordon')
+        iptables("-P INPUT ACCEPT")
+        iptables("-P FORWARD ACCEPT")
+        print OK
+
+    def mangle_table(self):
+        self.anim = anim('\tRègles spécifiques à gordon')
+        iptables("-t mangle -A PREROUTING " +
+                 "-d ! 138.231.136.0/21 " +
+                 ("-i %s " % eth_wifi) +
+                 "-p tcp -m tcp --dport 80 " +
+                 "-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy'])
+        print OK
+
+    def post_start_hook(self) :
+        self.anim = anim("\tMise en place du routage")
+        warn = ''
+        for cmd in [ 'echo 1 > /proc/sys/net/ipv4/ip_forward' ,
+            'echo 65536 > /proc/sys/net/ipv4/netfilter/ip_conntrack_max' ] :
+            status,output=getstatusoutput(cmd)
+            if status :
+                warn += output + '\n'
+        if warn :
+            print WARNING
+            if self.debug :
+                print warn
+        else :
+            print OK
+
+
 if __name__ == '__main__' :
    # Chaînes pouvant ętre recontruites
    fw = eval('firewall_%s()' % hostname)