From 5c103abe57c0ed7447b8be289ea116c23d8d9263 Mon Sep 17 00:00:00 2001
From: glondu
Date: Sat, 17 Jun 2006 11:54:13 +0200
Subject: [PATCH] Encore. darcs-hash:20060617095413-68412-06cae856eaf4d13a3c37d50ccddf0dcb620f2cc0.gz
---
 gestion/gen_confs/firewall.py | 59 ++++++++++++++++++++---------------
 1 file changed, 34 insertions(+), 25 deletions(-)
diff --git a/gestion/gen_confs/firewall.py b/gestion/gen_confs/firewall.py
index 8d2fd54c..2a6a1415 100755
--- a/gestion/gen_confs/firewall.py
+++ b/gestion/gen_confs/firewall.py
@@ -504,27 +504,33 @@ class firewall_komaz(firewall_crans) : (NETs['fil'][0], NETs['wifi'][0], conf_fw.mark['proxy'])) iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy']) + + # Parametres pour iptables/tc + mark = conf_fw.mark['bittorrent'] + debit_adh = p2p.debit_adh + debit_max = p2p.debit_max + eth_ext = self.eth_ext + eth_int = self.eth_int # On ne va pas plus loin si il ne s'agit pas de bittorrent - iptables("-t mangle -A POSTROUTING -m mark ! --mark %s -j ACCEPT" % - conf_fw.mark['bittorrent']) + iptables("-t mangle -A POSTROUTING -m mark ! --mark %s -j ACCEPT" % mark) # On marque les paquets bittorrent uniquement iptables("-t mangle -A PREROUTING -p tcp -j CONNMARK --restore-mark") iptables("-t mangle -A PREROUTING -p tcp -m mark ! --mark 0x0 -j ACCEPT") iptables("-t mangle -A PREROUTING -p tcp -m ipp2p --bit " - "-j MARK --set-mark %s" % conf_fw.mark['bittorrent']) + "-j MARK --set-mark %s" % mark) iptables("-t mangle -A PREROUTING -p tcp -m mark --mark %s " - "-j CONNMARK --save-mark" % conf_fw.mark['bittorrent']) + "-j CONNMARK --save-mark" % mark) warn = '' # Par défaut, on envoit les paquets dans la classe 9998 for net in NETs['all']: - iptables("-t mangle -A POSTROUTING -o crans -d %s " - "-j CLASSIFY --set-class 1:9998" % net) - iptables("-t mangle -A POSTROUTING -o ens -s %s " - "-j CLASSIFY --set-class 1:9998" % net) + iptables("-t mangle -A POSTROUTING -o %(eth_int)s -d %(net)s " + "-j CLASSIFY --set-class 1:9998" % locals()) + iptables("-t mangle -A POSTROUTING -o %(eth_ext)s -s %(net)s " + "-j CLASSIFY --set-class 1:9998" % locals()) # On crée les chaînes de sous-réseaux for net in NETs['all']: 
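Review bot: The default-class loop at the end of the hunk no longer hard-codes the `crans` and `ens` interfaces but interpolates `%(eth_int)s` and `%(eth_ext)s`, so the POSTROUTING CLASSIFY rules now follow `self.eth_int`/`self.eth_ext`; if those attributes are not exactly `crans` and `ens` on the host this is a behaviour change that the one-word commit message does not record, and it should be confirmed against the class's configuration. The switch to `% locals()` also ties every format string to whatever names happen to be in scope, which is fragile under refactoring; an explicit mapping such as `% {'eth_int': eth_int, 'net': net}` (or keeping positional `%s` arguments) keeps the dependency visible. The enclosing method starts before this hunk and continues after it.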
@@ -545,7 +551,7 @@ class firewall_komaz(firewall_crans) : self.anim = anim('\tGénération des classes de filtrage p2p', len(adherents)) # Création des classes et qdisc - for interface in [self.eth_ext, self.eth_int]: + for interface in [eth_ext, eth_int]: # On vide les classes et qdisc try: tc("qdisc del dev %s root" % interface) @@ -553,12 +559,13 @@ class firewall_komaz(firewall_crans) : warn += str(c) + '\n' # On construit les classes et qdisc de base # La partie principale qui définit le comportement par défaut - tc("qdisc add dev %s root handle 1: htb r2q 1" % interface) - tc("class add dev %s parent 1: classid 1:1 htb rate %s ceil %s" % - (interface, p2p.debit_max, p2p.debit_max)) - tc("class add dev %s parent 1:1 classid 1:9998 htb rate %s ceil %s" % - (interface, p2p.debit_adh, p2p.debit_adh)) - tc("qdisc add dev %s parent 1:9998 handle 9999: sfq perturb 10" % interface) + tc("qdisc add dev %(interface)s root handle 1: htb r2q 1" % locals()) + tc("class add dev %(interface)s parent 1: classid 1:1 " + "htb rate %(debit_max)s ceil %(debit_max)s" % locals()) + tc("class add dev %(interface)s parent 1:1 classid 1:9998 " + "htb rate %(debit_adh)s ceil %(debit_adh)s" % locals()) + tc("qdisc add dev %(interface)s parent 1:9998 " + "handle 9999: sfq perturb 10" % locals()) # On construit ensuite les classes et qdisc pour chaque adhérent for adherent in adherents: 
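Review bot: The `for interface in [eth_ext, eth_int]:` rewrite in this hunk is not applied to the identical loop in the `@@ -568` hunk, which still reads `for interface in [self.eth_ext, self.eth_int]:` even though its body already switched to `%(interface)s`/`%(debit_adh)s` via `locals()`; both loops should use the same form. The local aliases were introduced so that the tc/iptables commands read their parameters from one place, and leaving one loop on the attributes invites the two to drift apart. The surrounding method starts and ends outside these hunks.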
@@ -568,10 +575,10 @@ class firewall_komaz(firewall_crans) : # Il nous faut un n° inférieur à 9998 unique qdisc_id = class_id + 5000 for interface in [self.eth_ext, self.eth_int]: - tc("class add dev %s parent 1:1 classid 1:%d htb rate %s ceil %s" % - (interface, class_id, p2p.debit_adh, p2p.debit_max)) - tc("qdisc add dev %s parent 1:%d handle %d: sfq perturb 10" % - (interface, class_id, qdisc_id)) + tc("class add dev %(interface)s parent 1:1 classid 1:%(class_id)d " + "htb rate %(debit_adh)s ceil %(debit_max)s" % locals()) + tc("qdisc add dev %(interface)s parent 1:%(class_id)d " + "handle %(qdisc_id)d: sfq perturb 10" % locals()) # Classification des adhérents dans leur classe respective for machine in adherent.machines(): @@ -642,17 +649,19 @@ class firewall_komaz(firewall_crans) : return print OK + + # Parametres pour iptables/tc + mark = conf_fw.mark['bittorrent'] + debit_adh = p2p.debit_adh + debit_max = p2p.debit_max + eth_ext = self.eth_ext + eth_int = self.eth_int ## Traitement # MAJ des règles de classification de l'IP def procedure(): self.anim = anim('\tMise à jour des classes p2p') warn = '' - mark = conf_fw.mark['bittorrent'] - debit_adh = p2p.debit_adh - debit_max = p2p.debit_max - eth_ext = self.eth_ext - eth_int = self.eth_int try: for ip in ip_list: recherche = db.search('ip=%s&paiement=ok' % ip) @@ -666,7 +675,7 @@ class firewall_komaz(firewall_crans) : iptables_option = '-D' tc_option = 'del' subnet = IpSubnet(ip, conf_fw.mask[-1]) - regles = iptables("-t mangle -L SUBNET-%s -n | tee `tempfile -s _firewall`date -u +%y%m%d%H%M%S`` | grep %s" % (subnet, ip)).split('\n') + regles = iptables("-t mangle -L SUBNET-%(subnet)s -n | tee `tempfile -s _firewall`date -u +%y%m%d%H%M%S`` | grep %(ip)s" % locals()).split('\n') # On sélectionne la première qui doit contenir ce que l'on veut regle = regles[0].split() class_id = int(regle[7].split(':')[1])
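Review bot: Moving `mark`, `debit_adh`, `debit_max`, `eth_ext` and `eth_int` out of the nested `procedure()` in the `@@ -642` hunk changes how they are found: a nested function only captures an outer name that appears as a bare identifier in its body, and a `%(debit_adh)s` key inside a string consumed by `% locals()` does not count. If `procedure()` consumes these values only through `% locals()` (its body runs past the end of the hunk, so this cannot be confirmed here), `locals()` will not contain them and the tc/iptables calls raise `KeyError` at runtime. Either keep the assignments inside `procedure()` as before, or reference the names explicitly, for example by building one dict outside, `params = dict(mark=mark, debit_adh=debit_adh, debit_max=debit_max, eth_ext=eth_ext, eth_int=eth_int)`, and using `% params` inside.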
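Review bot: The rewritten `regles = iptables(...)` line in the `@@ -666` hunk still embeds the `date` format `+%y%m%d%H%M%S` in a Python `%`-formatted string, so the `%y` following `%(subnet)s` raises `ValueError: unsupported format character 'y'` before any command runs; the removed line had the same defect and the commit keeps it. The percent signs meant for `date` must be doubled, `+%%y%%m%%d%%H%%M%%S`. Separately, `subnet` and `ip` are spliced into a shell pipeline (`tee`, `grep`) rather than passed as arguments; unless `ip_list` is guaranteed to hold validated addresses, the values should be checked (for example rejecting anything that does not parse as an IP address) before they reach the shell. `procedure()` continues beyond this hunk.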