From ac32514c7e605a8d71396be0ae0e0aaa7f819479 Mon Sep 17 00:00:00 2001
From: Olivier Huber
Date: Thu, 4 Mar 2010 06:44:30 +0100
Subject: [PATCH] [./gestion/gen_confs/firewall6.py] Ajout d'un debut de support du wifi
darcs-hash:20100304054430-8fbb1-881857301965b6ac91d8b7096b94a474fdbf2766.gz
---
 gestion/gen_confs/firewall6.py | 27 ++++++++++++++++++++++-----
 gestion/ipt.py | 2 ++
 2 files changed, 24 insertions(+), 5 deletions(-)
diff --git a/gestion/gen_confs/firewall6.py b/gestion/gen_confs/firewall6.py
index 272ae60c..955ef117 100755
--- a/gestion/gen_confs/firewall6.py
+++ b/gestion/gen_confs/firewall6.py
@@ -26,7 +26,7 @@ sys.path.append('/usr/scripts/gestion')
 from ldap_crans import hostname
 from config import conf_fw, mid, prefix, role, file_pickle, open_ports
-from config import authorized_icmpv6
+from config import authorized_icmpv6, mac_wifi
 from ipt import *
 # On invoque Ip6tables
@@ -94,6 +94,12 @@ def basic_fw():
 ip6tables.filter.input('-p icmpv6 -m icmp6 --icmpv6-type \
 router-advertisement -j DROP')
+ # XXX Code spécifique pour le wifi, peut être pas la manière la plus
+ # élégante, mais peut être la plus pratique
+ if hostname in role.keys() and ('wifi-router' not in role[hostname]):
+ ip6tables.filter.ieui64('-i %s -s %s -m mac --mac-source %s -j RETURN'
+ % (iface6('fil'), prefix['wifi'][0], mac_wifi))
+
 # Correspondance MAC-IP
 mac_ip(ip6tables, machines, ['fil', 'fil-v6', 'adm'])
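Review bot: The new IEUI64 RETURN rule treats the link-layer source `mac_wifi` as proof that a packet in `prefix['wifi']` came from the wifi router, so a host on the `fil` segment that forges that MAC gets any address in the wifi prefix past the EUI-64 check; the FEUI64 rule added in `main_router()` in the next hunk rests on the same assumption (there the interface is only constrained by the calling `-i dev_crans -j FEUI64` rule, as far as the hunk shows). If that trade-off is accepted, record it next to the rule, e.g. `# Trusts the wifi router's MAC (mac_wifi): a wired host spoofing it bypasses the EUI-64 check for the whole wifi prefix`, so the next maintainer does not read the rule as an identity check. Minor style: `hostname in role.keys()` is just `hostname in role`. `basic_fw()` starts and ends outside the hunk.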
@@ -126,13 +132,15 @@ def main_router():
 ip6tables.filter.forward('-m conntrack --ctstate RELATED,ESTABLISHED -j \
 ACCEPT')
-
+
 # Pour les autres connections
 for type_m in [i for i in ['fil', 'fil-v6'] if not 'v6' in i]:
 ip6tables.filter.mac('-s %s -j %s' % (prefix[type_m][0], 'MAC' + type_m.upper()))
 ip6tables.filter.forward('-i %s -j MAC' % dev_crans)
 ip6tables.filter.forward('-i %s -j FEUI64' % dev_crans)
+ ip6tables.filter.feui64('-s %s -m mac --mac-source %s -j RETURN' %
+ (prefix['wifi'][0], mac_wifi))
 ip6tables.filter.feui64('-s %s -m eui64 -j RETURN' % prefix['fil'][0])
 ip6tables.filter.feui64('-j DROP')
@@ -164,16 +172,25 @@ def wifi_router():
 # Stop aux RA
 ip6tables.filter.forward('-p icmpv6 -m icmp6 --icmpv6-type \
- router-advertisement -j DROP')
+router-advertisement -j DROP')
+ # Un peu moche, mais il faut supprimer les dernière règles dans IEUI64
+ # avant de rajouter la règle pour les machines wifi.
+ l = len(ip6tables.filter.ieui64.items)
+ del ip6tables.filter.ieui64.items[l-1]
+ del ip6tables.filter.ieui64.items[l-2]
 mac_ip(ip6tables, machines, ['wifi', 'wifi-v6'])
- for type_m in [i for i in ['fil', 'fil-v6', 'wifi', 'wifi-v6']
- if not 'v6' in i]:
+ liste_net = ['fil', 'fil-v6', 'wifi', 'wifi-v6']
+ for type_m in [i for i in liste_net if not 'v6' in i]:
 ip6tables.filter.mac('-s %s -j %s' % (prefix[type_m][0], 'MAC' + type_m.upper()))
 ip6tables.filter.feui64('-s %s -m eui64 -j RETURN' % prefix[type_m][0])
+ ip6tables.filter.feui64('-j DROP')
+
+ ip6tables.filter.forward('-m conntrack --ctstate RELATED,ESTABLISHED -j \
+ACCEPT')
 ip6tables.filter.forward('-j MAC')
 ip6tables.filter.forward('-j FEUI64')
diff --git a/gestion/ipt.py b/gestion/ipt.py
index d84c8da8..1c861af3 100755
--- a/gestion/ipt.py
+++ b/gestion/ipt.py
@@ -88,6 +88,8 @@ class Table(object):
 self.macfil = Chain()
 self.macfilv6 = Chain()
 self.macadm = Chain()
+ self.macwifi = Chain()
+ self.macwifiv6 = Chain()
 self.extfil = Chain()
 self.extfilv6 = Chain()
 self.extwifi = Chain()
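Review bot: The two `del ip6tables.filter.ieui64.items[...]` statements in `wifi_router()` remove whatever the last two rules of IEUI64 happen to be at that point, with nothing checking that they are the rules `basic_fw()` appended, so any later change to that chain's tail silently deletes different rules and leaves the firewall in an unintended shape; the index arithmetic on `l` also only works because the last element is removed first. Replace both lines with `del ip6tables.filter.ieui64.items[-2:]` and say in the comment which two rules are expected (they are not visible in this hunk — presumably the eui64 RETURN and the DROP, to be confirmed), or better, locate them by content before deleting. `l` is also an ambiguous single-letter name (flake8 E741). `wifi_router()` continues past the end of the hunk.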