moved

darcs-hash:20041212124327-1d643-e4350947cab533589d3aa9c3feb70c1d5c3d0c1c.gz
2004-12-12 13:43:27 +01:00 · 2004-12-12 13:43:27 +01:00 · b2714f4009
commit b2714f4009
parent 8d9d568992
2 changed files with 114 additions and 54 deletions
--- a/gestion/gen_confs/firewall-komaz.py
+++ b/gestion/gen_confs/firewall-komaz.py
@ -152,60 +152,80 @@ class firewall_komaz :
 	remove_lock('firewall')

    def restart(self):
-	""" Idem start """
-	self.start()
+	""" Rédémarrage du firewall """
+	cprint('Redémarrage firewall' % esthetisme,'gras')
+	self.__exception_catcher(self.__stop)
+	self.start(False)
    
-    def start(self) :
-	""" Construction du firewall """
-	cprint('Démarrage firewall','gras')
+    def start(self,aff_txt_intro=True) :
+	""" Construction du firewall 
+	aff_txt_intro s'occupe uniquement de l'esthétisme
+	"""
+	if aff_txt_intro : cprint('Démarrage firewall','gras')
 	# Préliminaires
-	if not self.__machines() or self.stop() :
-	    print "Abandon"
+	if not self.__machines() or self.__exception_catcher(self.__stop) :
+	    cprint("Abandon",'rouge')
 	    return
-		
-	def procedure() :
-	    self.anim = anim('    Structure de la table nat')
-	    for chaine in [ 'LOG_VIRUS', 'LOG_FLOOD', 'TEST_VIRUS_FLOOD' , 'TEST_MAC-IP' , 'RESEAUX_NON_ROUTABLES_SRC', 'RESEAUX_NON_ROUTABLES_DST' ] :
-		iptables('-t nat -N %s' % chaine)
-
-	    iptables("-t nat -P PREROUTING ACCEPT")
-	    iptables("-t nat -A PREROUTING -i lo -j ACCEPT")
-	    iptables("-t nat -A PREROUTING -s ! %s -j TEST_VIRUS_FLOOD" % self.zone_serveur)
-	    iptables("-t nat -A PREROUTING -j RESEAUX_NON_ROUTABLES_DST")
-	    iptables("-t nat -A PREROUTING -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext )
-	    iptables("-t nat -A PREROUTING -d %s -j ACCEPT" % self.zone_serveur )
-	    iptables("-t nat -A PREROUTING -s %s -j ACCEPT" % self.zone_serveur )
-	    iptables("-t nat -A PREROUTING -i %s -j ACCEPT" % self.eth_ext )
-	    iptables("-t nat -A PREROUTING -j TEST_MAC-IP")
-	    iptables("-t nat -P PREROUTING DROP")
-	    print OK
-	
-	    self.anim = anim('    Structure de la table filter')
-	    for chaine in [ 'EXT_VERS_SERVEURS', 'SERVEURS_VERS_EXT' , 'EXT_VERS_CRANS', 'CRANS_VERS_EXT', 'BLACKLIST_SRC', 'BLACKLIST_DST' ] :
-		iptables('-N %s' % chaine)
-	    
-	    iptables("-A FORWARD -i lo -j ACCEPT")
-	    iptables("-A FORWARD -p icmp -j ACCEPT")
-	    iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext )
-	    iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext )
-	    iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
-	    iptables("-A FORWARD -i %s -d %s -j EXT_VERS_SERVEURS" % (self.eth_ext, self.zone_serveur) )
-	    iptables("-A FORWARD -o %s -s %s -j SERVEURS_VERS_EXT" % (self.eth_ext, self.zone_serveur) )
-	    iptables("-A FORWARD -i %s -j EXT_VERS_CRANS" % self.eth_ext )
-	    iptables("-A FORWARD -o %s -j CRANS_VERS_EXT" % self.eth_ext )
-	    print OK
 	
 	# Initialisation
-	self.__exception_catcher(procedure)
-	
+	self.__exception_catcher(self.__start)
+		    
 	# Remplisage
 	for tache in [ self.log_chaines, self.test_virus_flood, self.reseaux_non_routables,
 	               self.blacklist , self.serveurs_vers_ext, self.ext_vers_serveurs, 
 		       self.crans_vers_ext, self.ext_vers_crans, self.test_mac_ip ] :
 	    self.__exception_catcher(tache)
 	
+	# On peux router
+	self.anim  = anim("    Mise en place routage")
+	warn = ''
+	for cmd in [ 'echo 1 > /proc/sys/net/ipv4/ip_forward' ,
+		     'echo 65536 > /proc/sys/net/ipv4/ip_conntrack_max' ,
+		     'modprobe ip_conntrack_ftp' ] :
+	    status,output=getstatusoutput(cmd)
+	    if status :
+		warn += output +'\n'
+	if warn :
+	    print WARNING
+	    if debug :
+		print warn
+	else :
+	    print OK
+	
 	cprint("     -> fin de la procédure de démarrage",'vert')
+		
+    def __start(self) :
+	self.anim = anim('    Structure de la table nat')
+	for chaine in [ 'LOG_VIRUS', 'LOG_FLOOD', 'TEST_VIRUS_FLOOD' , 'TEST_MAC-IP' , 'RESEAUX_NON_ROUTABLES_SRC', 'RESEAUX_NON_ROUTABLES_DST' ] :
+	    iptables('-t nat -N %s' % chaine)
+
+	iptables("-t nat -P PREROUTING ACCEPT")
+	iptables("-t nat -A PREROUTING -i lo -j ACCEPT")
+	iptables("-t nat -A PREROUTING -s ! %s -j TEST_VIRUS_FLOOD" % self.zone_serveur)
+	iptables("-t nat -A PREROUTING -j RESEAUX_NON_ROUTABLES_DST")
+	iptables("-t nat -A PREROUTING -i %s -j RESEAUX_NON_ROUTABLES_SRC" % self.eth_ext )
+	iptables("-t nat -A PREROUTING -d %s -j ACCEPT" % self.zone_serveur )
+	iptables("-t nat -A PREROUTING -s %s -j ACCEPT" % self.zone_serveur )
+	iptables("-t nat -A PREROUTING -i %s -j ACCEPT" % self.eth_ext )
+	iptables("-t nat -A PREROUTING -j TEST_MAC-IP")
+	iptables("-t nat -P PREROUTING DROP")
+	print OK
+	
+	self.anim = anim('    Structure de la table filter')
+	for chaine in [ 'EXT_VERS_SERVEURS', 'SERVEURS_VERS_EXT' , 'EXT_VERS_CRANS', 'CRANS_VERS_EXT', 'BLACKLIST_SRC', 'BLACKLIST_DST' ] :
+	    iptables('-N %s' % chaine)
 	    
+	iptables("-A FORWARD -i lo -j ACCEPT")
+	iptables("-A FORWARD -p icmp -j ACCEPT")
+	iptables("-A FORWARD -i %s -j BLACKLIST_DST" % self.eth_ext )
+	iptables("-A FORWARD -o %s -j BLACKLIST_SRC" % self.eth_ext )
+	iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
+	iptables("-A FORWARD -i %s -d %s -j EXT_VERS_SERVEURS" % (self.eth_ext, self.zone_serveur) )
+	iptables("-A FORWARD -o %s -s %s -j SERVEURS_VERS_EXT" % (self.eth_ext, self.zone_serveur) )
+	iptables("-A FORWARD -i %s -j EXT_VERS_CRANS" % self.eth_ext )
+	iptables("-A FORWARD -o %s -j CRANS_VERS_EXT" % self.eth_ext )
+	print OK
+			    
    def log_chaines(self) :
 	""" Construction des chaines de log (LOG_VIRUS et LOG_FLOOD) """
 	self.anim = anim('    Création des chaines de log')
@ -242,18 +262,25 @@ class firewall_komaz :

    def stop(self):
        """ Arrête le firewall """
-        self.anim  = anim("    Arrêt du firewall")
-	def procedure() :
-	    iptables("-t nat -P PREROUTING ACCEPT")
-	    iptables("-F")
-	    iptables("-t nat -F")
-	    iptables("-X")
-	    iptables("-t nat -X")
+        cprint("Arrêt du firewall",'gras')
+	self.anim  = anim("    Arrêt routage")
+	status,output=getstatusoutput('echo 0 > /proc/sys/net/ipv4/ip_forward')
+	if status :
+	    print ERREUR
+	else :
 	    print OK
-	    
-	return self.__exception_catcher(procedure)
-	
+	self.__exception_catcher(self.__stop)
+	cprint("     -> fin de la procédure d'arrêt",'vert')
    
+    def __stop(self) :
+	self.anim  = anim("    Supression règles")
+	iptables("-t nat -P PREROUTING ACCEPT")
+	iptables("-F")
+	iptables("-t nat -F")
+	iptables("-X")
+	iptables("-t nat -X")
+	print OK
+	    
    def test_mac_ip(self) :
 	""" Reconstruit la correspondance MAC-IP des machines des adhérents """
 	self.anim = anim('    Chaîne TEST_MAC-IP',len(self.__machines())+1)
@ -487,6 +514,8 @@ class firewall_komaz :
 				 to_del.append(num)
 				 to_add.append(machine)
 				 
+		to_del.sort()
+		to_del.reverse()
 		for i in to_del :
 		    iptables('-t nat -D TEST_MAC-IP %s' % i )
 		for machine in ( to_add + mac_ip_maj.values() ) :
@ -511,7 +540,7 @@ if __name__ == '__main__' :
   %(p)s start   : Construction du firewall.
   %(p)s restart : Reconstruction du firewall.
   %(p)s stop    : Arrêt du firewall.
-   %(p)s chaine <noms de chaines> : recontruit les chaines spécifiées
+   %(p)s chaine <noms de chaines> : reconstruit les chaines
 Les chaines pouvant être reconstruites sont :
   %(chaines)s
 Pour reconfiguration d'IPs particulières, utiliser generate. """ % \
--- a/gestion/gen_confs/generate.py
+++ b/gestion/gen_confs/generate.py
@ -30,6 +30,8 @@ elif hostname == 'nectaris' :
    args_autorises += [ 'conf_wifi', 'bornes_wifi=' , 'droits-nectaris', 'dhcp-nectaris']
 elif hostname == 'sila' :
    args_autorises += [ 'bl_squid_upload', 'blacklist_virus' , 'blacklist_warez' , 'bl_chbre_invalide', 'bl_carte_etudiant' ]
+elif hostname == 'egon' :
+    args_autorises += [ 'firewall-komaz' , 'firewall-komaz-ports' , 'firewall-komaz-blacklist']

 # On vérifie que l'on est root
 if os.getuid() != 0:
@ -232,6 +234,7 @@ if hostname == 'zamok':
    if 'blacklist_upload' in to_do.keys() :
 	if auto : db.services_to_restart('-blacklist_upload')
 	db.services_to_restart('bl_squid_upload')
+	db.services_to_restart('firewall-komaz-upload')
 	try:
 	    from gen_confs.firewall import bl_upload_fw
 	    a = bl_upload_fw()
@ -308,8 +311,6 @@ Subject: Modifications sur une machine du CR@NS

    if 'firewall' in to_do.keys() :
        # Quand sila et komaz liront la base LDAP
-        # db.services_to_restart('firewall-komaz')
-        # db.services_to_restart('firewall-sila')
        from gen_confs.firewall import firewall
        inst.append([firewall(),"firewall"])

@ -405,6 +406,36 @@ elif hostname == 'sila' :
 	except:
 	    if auto: db.services_to_restart('bl_chbre_invalide')

+elif hostname == 'egon' :
+    if 'firewall-komaz' in to_do.keys() or \
+       'firewall-komaz-ports' in to_do.keys() or \
+       'firewall-komaz-blacklist' in to_do.keys() :
+	from classe_firewall import firewall_komaz
+	fw = firewall_komaz()
+	fw.debug = debug
+		    
+	cprint('Reconfiguration firewall','gras')
+	if 'firewall-komaz' in to_do.keys() :
+	    if auto : db.services_to_restart('-firewall-komaz')
+	    try :
+		fw.mac_ip_maj(to_do['firewall-komaz'])
+	    except :
+		if auto : db.services_to_restart('firewall-komaz',to_do['firewall-komaz'])
+	    
+	if 'firewall-komaz-ports' in to_do.keys() :
+	    if auto : db.services_to_restart('-firewall-komaz-ports')
+	    try :
+		fw.port_maj(to_do['firewall-komaz-ports'])
+	    except :
+		if auto : db.services_to_restart('firewall-komaz-ports',to_do['firewall-komaz-ports'])
+		
+	if 'firewall-komaz-blacklist' in to_do.keys() :
+	    if auto : db.services_to_restart('-firewall-komaz-blacklist')
+	    try :
+		fw.blacklist(to_do['firewall-komaz-blacklist'])
+	    except :
+		if auto : db.services_to_restart('firewall-komaz-blacklist',to_do['firewall-komaz-blacklist'])
+	        
 # On indique que les services seront a priori redemarrés
 if auto :
    for i in inst: