[gestion/ipt.py] Eval is evil

Python nazis are back

darcs-hash:20120119121655-28565-ec11f555ca24cb553d4f9fc4c5a33b2241c2c6c0.gz
Daniel STAN 2012-01-19 13:16:55 +01:00
parent a8f2d7b192
commit 4356da97cd


@ -116,39 +116,39 @@ class Ip6tables(object):
def macip(self, mac, type_m): def macip(self, mac, type_m):
'''Fait la correspondance MAC-IP''' '''Fait la correspondance MAC-IP'''
type_mm = re.sub('-', '', type_m) type_mm = re.sub('-', '', type_m)
eval('self.filter.mac' + type_mm)(" ".join(['-m mac --mac-source', mac, getattr(self.filter,'mac' + type_mm)(" ".join(['-m mac --mac-source', mac,
'-j RETURN'])) '-j RETURN']))
# self.filter.mac(" ".join(['-m mac --mac-source', mac, # self.filter.mac(" ".join(['-m mac --mac-source', mac,
# '-j RETURN'])) # '-j RETURN']))
def extcrans(self, type_machine, ports, mac, dev): def extcrans(self, type_machine, ports, mac, dev):
'''Ouverture des ports de l'extérieur vers la zone crans''' '''Ouverture des ports de l'extérieur vers la zone crans'''
tab = { 'fil' : 'self.filter.extfil', 'fil-v6' : 'self.filter.extfilv6', tab = { 'fil' : 'extfil', 'fil-v6' : 'extfilv6',
'wifi' : 'self.filter.extwifi', 'wifi' : 'extwifi',
'wifi-v6' : 'self.filter.extwifiv6' } 'wifi-v6' : 'extwifiv6' }
ip = ipv6_addr(mac, type_machine) ip = ipv6_addr(mac, type_machine)
for proto in ['tcp', 'udp']: for proto in ['tcp', 'udp']:
for port in ports[proto]: for port in ports[proto]:
if port != ':': if port != ':':
eval(tab[type_machine])('-i %s -p %s -d %s --dport %s -j \ getattr(self.filter,tab[type_machine])('-i %s -p %s -d %s --dport %s -j \
ACCEPT' % (dev, proto, ip, port)) ACCEPT' % (dev, proto, ip, port))
else: else:
eval(tab[type_machine])('-i %s -p %s -s %s -j ACCEPT' % getattr(self.filter,tab[type_machine])('-i %s -p %s -s %s -j ACCEPT' %
(dev, proto, ip)) (dev, proto, ip))
def cransext(self, type_machine, ports, mac, dev): def cransext(self, type_machine, ports, mac, dev):
'''Ouverture des ports de la zone crans vers l'extérieur''' '''Ouverture des ports de la zone crans vers l'extérieur'''
tab = { 'fil' : 'self.filter.cransfil', 'fil-v6' : tab = { 'fil' : 'cransfil', 'fil-v6' :
'self.filter.cransfilv6', 'wifi' : 'self.filter.cranswifi', 'cransfilv6', 'wifi' : 'cranswifi',
'wifi-v6' : 'self.filter.cranswifiv6' } 'wifi-v6' : 'cranswifiv6' }
ip = ipv6_addr(mac, type_machine) ip = ipv6_addr(mac, type_machine)
for proto in ['tcp', 'udp']: for proto in ['tcp', 'udp']:
for port in ports[proto]: for port in ports[proto]:
if port != ':': if port != ':':
eval(tab[type_machine])('-i %s -p %s -s %s --sport %s -j \ getattr(self.filter,tab[type_machine])('-i %s -p %s -s %s --sport %s -j \
ACCEPT' % (dev, proto, ip, port)) ACCEPT' % (dev, proto, ip, port))
else: else:
eval(tab[type_machine])('-i %s -p %s -s %s -j ACCEPT' % getattr(self.filter,tab[type_machine])('-i %s -p %s -s %s -j ACCEPT' %
(dev, proto, ip)) (dev, proto, ip))
def blacklist(self, machine): def blacklist(self, machine):
@ -207,8 +207,7 @@ class Update(object):
# On vérifie si la machine a déjà des entrées dans les chaînes # On vérifie si la machine a déjà des entrées dans les chaînes
# On est un peu sous optimal ici # On est un peu sous optimal ici
for sens in ['crans', 'ext']: for sens in ['crans', 'ext']:
items = eval('ipt_p.filter.%s.items' % (sens + re.sub('-', '', items = getattr(ipt_p.filter,sens + re.sub('-', '',net)).items
net)))
i = 0 i = 0
while i < len(items): while i < len(items):
if ip in items[i] or 'REJECT' in items[i]: if ip in items[i] or 'REJECT' in items[i]:
@ -216,9 +215,9 @@ class Update(object):
else: else:
i = i + 1 i = i + 1
ports_io(ipt_p, machine[0], net, dev_ext, dev_crans) ports_io(ipt_p, machine[0], net, dev_ext, dev_crans)
eval('ipt_p.filter.ext' + re.sub('-', '', net))('-j \ getattr(ipt_p.filter,'ext' + re.sub('-', '', net))('-j \
REJECT --reject-with icmp6-port-unreachable') REJECT --reject-with icmp6-port-unreachable')
eval('ipt_p.filter.crans' + re.sub('-', '', net))('-j \ getattr(ipt_p.filter,'crans' + re.sub('-', '', net))('-j \
REJECT --reject-with icmp6-port-unreachable') REJECT --reject-with icmp6-port-unreachable')
# On écrit et applique les règles # On écrit et applique les règles
write_rules(ipt_p) write_rules(ipt_p)
@ -254,7 +253,7 @@ REJECT --reject-with icmp6-port-unreachable')
ipt_p = open_pickle(ip_proto) ipt_p = open_pickle(ip_proto)
for type_m in ['fil', 'fil-v6', 'adm']: for type_m in ['fil', 'fil-v6', 'adm']:
type_mm = re.sub('-', '', type_m) type_mm = re.sub('-', '', type_m)
eval('ipt_p.filter.mac%s.items' % type_mm)[:] = [] getattr(ipt_p.filter,'mac%s' % type_mm).items[:] = []
machines = db.all_machines(graphic = True) machines = db.all_machines(graphic = True)
macips(ipt_p, machines, ['fil', 'fil-v6', 'adm']) macips(ipt_p, machines, ['fil', 'fil-v6', 'adm'])
@ -728,7 +727,7 @@ def macips(ipt, machines, types_machines):
break break
for type_m in types_machines: for type_m in types_machines:
type_mm = re.sub('-', '', type_m) type_mm = re.sub('-', '', type_m)
eval('ipt.filter.mac' + type_mm)('-j DROP') getattr(ipt.filter,'mac' + type_mm)('-j DROP')
#eval('ipt.filter.mac' + type_mm)('-j REJECT') #eval('ipt.filter.mac' + type_mm)('-j REJECT')
return 0 return 0
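Review bot: In extcrans and cransext the new `getattr(self.filter,tab[type_machine])` lookup is repeated on every iteration of the port loop (four call sites in the first hunk), so an unknown `type_machine` raises KeyError only after the loop is entered; hoisting it once above `for proto in ['tcp', 'udp']:` as `chain = getattr(self.filter, tab[type_machine])` and then calling `chain(...)` in both branches is shorter, PEP 8-spaced, and fails before any rule is emitted. The `tab` dict in those two methods acts as a whitelist of chain names, but the Update and macips hunks instead build the attribute name by concatenating `sens`/`'ext'`/`'crans'`/`'mac'` with `net` or `type_m`; that is still a clear improvement over eval, since a bad value now yields AttributeError rather than arbitrary evaluation, but it deserves a comment at the first such line, e.g. `# chain name is derived from net; unexpected values fail with AttributeError`. The commented-out `#eval(...)` line in the last hunk and the commented-out `self.filter.mac(...)` lines in macip preserve the old pattern and could be dropped now that the live code no longer uses it. The Update methods and macips start outside their hunks.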