From 8e2fef80cb7577913de62f1da84badc8bfc91dd8 Mon Sep 17 00:00:00 2001 From: Valentin Samir Date: Tue, 8 Oct 2013 10:16:04 +0200 Subject: [PATCH] =?UTF-8?q?[config,firewall,portail=5Fcaptif]=20Blacklist?= =?UTF-8?q?=20virtuelle=20pour=20les=20gens=20non=20=C3=A0=20jour=20du=20p?= =?UTF-8?q?aiement?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- gestion/config/config.py | 4 ++-- gestion/gen_confs/firewall4.py | 28 ++++++++++------------------ utils/portail_captif.py | 3 ++- 3 files changed, 14 insertions(+), 21 deletions(-) diff --git a/gestion/config/config.py b/gestion/config/config.py index 639c83e8..44c20f01 100644 --- a/gestion/config/config.py +++ b/gestion/config/config.py @@ -315,11 +315,11 @@ file_pickle = { 4 : '/tmp/ipt_pickle', 6 : '/tmp/ip6t_pickle' } -blacklist_sanctions = ['warez', 'p2p', 'autodisc_p2p','autodisc_virus','virus', 'bloq'] +blacklist_sanctions = ['warez', 'p2p', 'autodisc_p2p','autodisc_virus','virus', 'bloq', 'paiement'] if bl_carte_et_definitif: blacklist_sanctions.append('carte_etudiant') blacklist_sanctions_soft = ['autodisc_virus','ipv6_ra','mail_invalide','virus', - 'warez', 'p2p', 'autodisc_p2p', 'bloq','carte_etudiant','chambre_invalide'] + 'warez', 'p2p', 'autodisc_p2p', 'bloq','carte_etudiant','chambre_invalide', 'paiement'] blacklist_bridage_upload = ['autodisc_upload', 'upload'] adm_users = [ 'root', 'identd', 'daemon', 'postfix', 'freerad', 'amavis', diff --git a/gestion/gen_confs/firewall4.py b/gestion/gen_confs/firewall4.py index 625ab0a2..76307b45 100755 --- a/gestion/gen_confs/firewall4.py +++ b/gestion/gen_confs/firewall4.py @@ -17,6 +17,7 @@ import lc_ldap.attributs import socket from ipset import IpsetError, Ipset from iptools import AddrInNet, NetSubnets, IpSubnet, NetInNets +import netaddr import subprocess import syslog from affich_tools import anim, OK, cprint 
@@ -83,25 +84,15 @@ class firewall_base(object) : """Renvois la liste de toutes les machines ayant une blackliste actives""" if self._blacklisted_machines: return self._blacklisted_machines - if self._machines: - self._blacklisted_machines = [ machine for machine in self._machines if machine.blacklist_actif() ] - return self._blacklisted_machines - blacklisted = [ machine for machine in self.conn.search(u"blacklist=*",sizelimit=4096) if machine.blacklist_actif() ] - self._blacklisted_machines = set() - for item in blacklisted: - if isinstance(item, lc_ldap.objets.proprio): - self._blacklisted_machines = self._blacklisted_machines.union(item.machines()) - elif isinstance(item, lc_ldap.objets.machine): - self._blacklisted_machines.add(item) - else: - print >> sys.stderr, 'Objet %s inconnu blacklisté' % a.__class__.__name__ + self._blacklisted_machines = [ machine for machine in self.machines() if machine.blacklist_actif() ] return self._blacklisted_machines - def blacklisted_adherents(self): + def blacklisted_adherents(self, excepts=[]): """Renvois la liste de tous les adhérents ayant une blackliste active""" - if self._blacklisted_adherents: + if self._blacklisted_adherents and self._blacklisted_adherents_type == set(excepts): return self._blacklisted_adherents - self._blacklisted_adherents = filter(lambda adh: adh.blacklist_actif(), self.adherents()) + self._blacklisted_adherents = filter(lambda adh: adh.blacklist_actif(excepts), self.adherents()) + self._blacklisted_adherents_type = set(excepts) return self._blacklisted_adherents def add(self, table, chain, rule): @@ -253,6 +244,7 @@ class firewall_base(object) : """Démarre le pare-feu : génère les règles, puis les restore""" anim('\tChargement des machines') self.machines() + self.blacklisted_machines() print OK if squeeze: 
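Review bot: `def blacklisted_adherents(self, excepts=[])` takes a mutable list as its default; the body only reads it (`set(excepts)`), so nothing breaks today, but a tuple default removes the shared-object trap for whoever later mutates it: `def blacklisted_adherents(self, excepts=()):`. The cache test `self._blacklisted_adherents and self._blacklisted_adherents_type == set(excepts)` only reaches `_blacklisted_adherents_type` once a cached result exists, so it relies on `_blacklisted_adherents` starting out falsy in `__init__` (outside this hunk) — initialise `_blacklisted_adherents_type = None` there too, and note that an empty result is falsy and therefore never cached, which is harmless but recomputes the LDAP filter on every call. The meaning of `excepts` — sanction types to ignore when deciding whether a member counts as blacklisted, judging by the zamok call with `['paiement']` — is stated nowhere; add a docstring line such as `excepts: blacklist types to ignore when testing blacklist_actif (e.g. 'paiement')`, which makes the security effect (those sanctions no longer trigger the owner-match REJECT) explicit. `blacklisted_machines` starts above this hunk and `add` continues below it.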
@@ -348,7 +340,7 @@ class firewall_base(object) : bl_hard_ips = set( str(ip) for ips in [ - machine['ipHostNumber'] for machine in self.blacklisted_machines() + machine['ipHostNumber'] for machine in self.blacklisted_machines() if reduce(lambda x,y: x or y, ( ip.value in netaddr.IPNetwork(n) for n in config.NETs['all'] for ip in machine['ipHostNumber'])) if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(blacklist_sanctions) ] for ip in ips @@ -745,7 +737,7 @@ class firewall_komaz(firewall_base_routeur): bl_soft_ips = set( str(ip) for ips in [ - machine['ipHostNumber'] for machine in self.blacklisted_machines() + machine['ipHostNumber'] for machine in self.blacklisted_machines() if reduce(lambda x,y: x or y, ( ip.value in netaddr.IPNetwork(n) for n in config.NETs['all'] for ip in machine['ipHostNumber'])) if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(blacklist_sanctions_soft) ] for ip in ips @@ -1085,7 +1077,7 @@ class firewall_zamok(firewall_base): self.add(table, chain, '-d 127.0.0.1/8 -j RETURN') for net in NETs['all']: self.add(table, chain, '-d %s -j RETURN' % net) - for adh in self.blacklisted_adherents(): + for adh in self.blacklisted_adherents(['paiement']): if 'uidNumber' in adh.attrs.keys(): self.add(table, chain, '-m owner --uid-owner %s -j REJECT' % adh['uidNumber'][0]) print OK diff --git a/utils/portail_captif.py b/utils/portail_captif.py index 788a1015..e4856786 100644 --- a/utils/portail_captif.py +++ b/utils/portail_captif.py @@ -45,6 +45,7 @@ deco={ 'bloq':'ERR_CUSTOM_BLOQ.html', 'nouvelle_annee':'ERR_CUSTOM_NOUVELLE_ANNEE.html', + 'paiement': 'ERR_CUSTOM_NOUVELLE_ANNEE.html', 'proxy_local':'ERR_CUSTOM_PROXY_LOCAL.html', 'virus':'ERR_CUSTOM_BL_VIRUS.html', 
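Review bot: The new filter in the `bl_hard_ips` comprehension (and the identical one in the `bl_soft_ips` hunk at @@ -745) spells `any()` as `reduce(lambda x,y: x or y, (...))`, and `reduce` without an initial value raises `TypeError` on an empty sequence, so one blacklisted machine with no `ipHostNumber` value, or an empty `config.NETs['all']`, aborts rule generation for the whole firewall. `any(ip.value in netaddr.IPNetwork(n) for n in config.NETs['all'] for ip in machine['ipHostNumber'])` has the intended semantics and yields False instead. What the filter does security-wise deserves a comment as well: a blacklisted machine whose addresses all fall outside `config.NETs['all']` is now silently left out of the hard/soft blacklist sets, so the block is only as complete as that list — something like `# addresses outside our nets are skipped on purpose (they never reach the ipset)` if that is the intent, which I am inferring. `netaddr.IPNetwork(n)` is also rebuilt for every address of every machine; building the network objects once before the comprehension avoids that. The `set(` opened on the first line of each of these hunks is closed below the hunk.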
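Review bot: The new `'paiement'` entry in `deco` points at `'ERR_CUSTOM_NOUVELLE_ANNEE.html'`, the same page as `'nouvelle_annee'`, so a member blocked for an overdue payment is shown the new-year notice; if that reuse is deliberate it should be said in place, otherwise a dedicated template is warranted. A comment such as `# 'paiement' shares the nouvelle_annee page on purpose (same remedy for the member)` keeps the next editor from treating it as a copy-paste slip, and the matching `blacklist_key` addition at @@ -62 would benefit from the same remark. The `deco` dict is opened above this hunk and closed below it.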
@@ -62,7 +63,7 @@ blacklist_key = [ 'p2p','autodisc_p2p','upload','autodisc_uplaod','warez', 'carte_etudiant','chambre_invalide','mail_invalide', 'bloq', - 'nouvelle_annee','proxy_local', + 'nouvelle_annee','proxy_local', 'paiement', 'inscrit' ]