[config, firewall4, ipt, deconnexion] Bridage pour les décos pour upload

This commit is contained in:
Valentin Samir 2013-04-13 22:20:21 +02:00
parent c03e0187b3
commit 90764dba42
6 changed files with 50 additions and 19 deletions


@ -7,7 +7,7 @@ import sys
sys.path.append('/usr/scripts/gestion')
sys.path.append('/usr/scripts/lc_ldap')
from config import NETs, blacklist_sanctions, blacklist_sanctions_soft, mac_komaz, mac_titanic, adm_users, accueil_route
from config import NETs, blacklist_sanctions, blacklist_sanctions_soft, blacklist_bridage_upload, mac_komaz, mac_titanic, adm_users, accueil_route
import pwd
import config.firewall
@ -223,7 +223,6 @@ class firewall_base(object) :
}
self.ipset['blacklist']={
'soft' : Ipset("BLACKLIST-SOFT","ipmap","--from 138.231.136.0 --to 138.231.151.255"),
'hard' : Ipset("BLACKLIST-HARD","ipmap","--from 138.231.136.0 --to 138.231.151.255"),
}
@ -472,6 +471,11 @@ class firewall_komaz(firewall_base_routeur):
'allow' : Ipset("RESEAUX-NON-ROUTABLE-ALLOW","nethash"),
}
self.ipset['blacklist'].update({
'soft' : Ipset("BLACKLIST-SOFT","ipmap","--from 138.231.136.0 --to 138.231.151.255"),
'upload' : Ipset("BLACKLIST-UPLOAD","ipmap","--from 138.231.136.0 --to 138.231.151.255"),
})
def blacklist_maj(self, ips):
self.blacklist_hard_maj(ips)
self.blacklist_soft_maj(ips)
@ -673,12 +677,19 @@ class firewall_komaz(firewall_base_routeur):
for ip in ip_list:
machine = conn.search("ipHostNumber=%s" % ip)
# Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
try: self.ipset['blacklist']['soft'].add(ip)
except IpsetError: pass
if machine:
if set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
try: self.ipset['blacklist']['soft'].add(ip)
except IpsetError: pass
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
try: self.ipset['blacklist']['upload'].add(ip)
except IpsetError: pass
else:
try: self.ipset['blacklist']['soft'].delete(ip)
except IpsetError: pass
try: self.ipset['blacklist']['upload'].delete(ip)
except IpsetError: pass
def blacklist_soft(self, table=None, fill_ipset=False, apply=False):
"""Redirige les gens blacklisté vers le portail captif"""
@ -696,7 +707,17 @@ class firewall_komaz(firewall_base_routeur):
for ip in ips
)
bl_upload_ips = set(
str(ip) for ips in
[
machine['ipHostNumber'] for machine in self.blacklisted_machines()
if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(blacklist_bridage_upload)
]
for ip in ips
)
self.ipset['blacklist']['soft'].restore(bl_soft_ips)
self.ipset['blacklist']['upload'].restore(bl_upload_ips)
print OK
if table == 'mangle':
@ -830,6 +851,9 @@ class firewall_komaz(firewall_base_routeur):
for net in NETs['personnel-ens']:
self.add(table, chain, '-o %s -d %s -j CLASSIFY --set-class 1:3' % (dev['app'], net))
self.add(table, chain, '-o %s -s %s -j CLASSIFY --set-class 1:2' % (dev['out'], net))
# Classification pour les blacklists upload
self.add(table, chain, '-o %s -m set --match-set %s src -j CLASSIFY --set-class 1:11' % (dev['out'], self.ipset['blacklist']['upload']))
print OK
if run_tc:
@ -851,6 +875,13 @@ class firewall_komaz(firewall_base_routeur):
tc('qdisc add dev %s parent 1:10 '
'handle 10: sfq perturb 10' % dev[int_key])
#Classe des decos upload
tc('class add dev %s parent 1:2 classid 1:11 '
'htb rate 40kbps ceil 40kbps prio 1' % dev['out'])
tc('qdisc add dev %s parent 1:11 '
'handle 11: sfq perturb 10' % dev['out'])
for int_key in ['app']:
try:
tc('qdisc del dev %s root' % dev[int_key])