[firewall4] Séparation en plusieurs fichiers

En gros, un par pare feu

gestion/gen_confs/firewall4/zamok.py

@@ -0,0 +1,109 @@
+#!/usr/bin/env python
+# -*- coding: utf-8 -*-
+import utils
+import base
+import pwd
+
+from utils import pretty_print, OK, anim
+from base import dev
+
+class firewall(base.firewall):
+
+    def __init__(self):
+        super(self.__class__, self).__init__()
+
+        self.reloadable.update({
+            'admin_vlan' : self.admin_vlan,
+            'blacklist_output' : self.blacklist_output,
+        })
+
+        self.use_ipset.extend([])
+        self.use_tc.extend([])
+
+
+    def raw_table(self):
+        table = 'raw'
+
+        super(self.__class__, self).raw_table()
+
+        return
+
+    def mangle_table(self):
+        table = 'mangle'
+
+        super(self.__class__, self).mangle_table()
+
+        return
+
+    def filter_table(self):
+        table = 'filter'
+
+        super(self.__class__, self).filter_table()
+
+        chain = 'OUTPUT'
+        self.add(table, chain , '-d 224.0.0.0/4 -j DROP')
+        admin_vlan_chain = self.admin_vlan(table)
+        self.add(table, chain, '-m state --state RELATED,ESTABLISHED -j ACCEPT')
+        for net in base.config.NETs['adm']:
+            self.add(table, chain, '-d %s -j %s' % (net, admin_vlan_chain))
+        self.add(table, chain, '-o lo -j ACCEPT')
+        self.add(table, chain, '-j %s' % self.blacklist_output(table))
+
+        return
+
+    def nat_table(self):
+        table = 'nat'
+
+        super(self.__class__, self).raw_table()
+        return
+
+    def admin_vlan(self, table=None, apply=False):
+        chain='ADMIN-VLAN'
+
+        if table == 'filter':
+            pretty_print(table, chain)
+            # ldap et dns toujours joinable
+            self.add(table, chain, '-p tcp --dport ldap -j ACCEPT')
+            self.add(table, chain, '-p tcp --dport domain -j ACCEPT')
+            self.add(table, chain, '-p udp --dport domain -j ACCEPT')
+
+            # Pour le nfs (le paquet à laisser passer n'a pas d'owner)
+            self.add(table, chain, '-d nfs.adm.crans.org -j ACCEPT')
+
+            for user in base.config.adm_users:
+                try: self.add(table, chain, '-m owner --uid-owner %d -j ACCEPT' % pwd.getpwnam(user)[2])
+                except KeyError: print "Utilisateur %s inconnu" % user
+
+            for adh in self.conn.search(u"(|(droits=%s)(droits=%s))" % (utils.lc_ldap.attributs.nounou, utils.lc_ldap.attributs.apprenti)):
+                self.add(table, chain, '-m owner --uid-owner %s -j RETURN' % adh['uidNumber'][0])
+
+            # Rien d'autre ne passe
+            self.add(table, chain, '-j REJECT --reject-with icmp-net-prohibited')
+            print OK
+
+        if apply:
+            self.apply(table, chain)
+        return chain
+
+    def blacklist_maj(self, ips):
+        self.blacklist_output('filter', apply=True)
+        self.blacklist_hard_maj(ips)
+
+    def blacklist_output(self, table=None, apply=False):
+        """Empêche les gens blacklisté d'utiliser zamok comme relaie"""
+        chain='BLACKLIST-OUTPUT'
+
+        if table == 'filter':
+            pretty_print(table, chain)
+            self.add(table, chain, '-d 127.0.0.1/8 -j RETURN')
+            for net in base.config.NETs['all']:
+                        self.add(table, chain, '-d %s -j RETURN' % net)
+            for adh in self.blacklisted_adherents(['paiement']):
+                if 'uidNumber' in adh.attrs.keys():
+                    self.add(table, chain, '-m owner --uid-owner %s -j REJECT' % adh['uidNumber'][0])
+            print OK
+
+        if apply:
+            self.apply(table, chain)
+        return chain
+