diff --git a/gestion/gen_confs/firewall4.py b/gestion/gen_confs/firewall4.py
index d4c0efc9..134b00fa 100755
--- a/gestion/gen_confs/firewall4.py
+++ b/gestion/gen_confs/firewall4.py
@@ -68,14 +68,14 @@ class firewall_base(object) :
 """Renvois la liste de toutes les machines"""
 if self._machines:
 return self._machines
- self._machines, self._adherents = conn.allMachinesAdherents()
+ self._machines, self._adherents = self.conn.allMachinesAdherents()
 return self._machines
 def adherents(self):
 """Renvois la liste de tous les adhérents"""
 if self._adherents:
 return self._adherents
- self._machines, self._adherents = conn.allMachinesAdherents()
+ self._machines, self._adherents = self.conn.allMachinesAdherents()
 self._adherents = [ adh for adh in self._adherents if adh.paiement_ok ]
 return self._adherents
@@ -86,7 +86,7 @@ class firewall_base(object) :
 if self._machines:
 self._blacklisted_machines = [ machine for machine in self._machines if machine.blacklist_actif() ]
 return self._blacklisted_machines
- blacklisted = [ machine for machine in conn.search(u"blacklist=*",sizelimit=4096) if machine.blacklist_actif() ]
+ blacklisted = [ machine for machine in self.conn.search(u"blacklist=*",sizelimit=4096) if machine.blacklist_actif() ]
 self._blacklisted_machines = set()
 for item in blacklisted:
 if isinstance(item, lc_ldap.objets.proprio):
@@ -200,7 +200,6 @@ class firewall_base(object) :
 print OK
 def __init__(self):
- global conn
 #initialisation des structures communes : récupération des ipset
 if os.getuid() != 0:
 from affich_tools import coul
@@ -208,7 +207,7 @@ class firewall_base(object) :
 sys.exit(1)
 # Connection à la base ldap
- conn = lc_ldap.shortcuts.lc_ldap_admin(user=u'firewall')
+ self.conn = lc_ldap.shortcuts.lc_ldap_admin(user=u'firewall')
 self.reloadable = { 'blacklist_hard' : self.blacklist_hard, 
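Review bot: `adherents()` applies the `paiement_ok` filter only on the path where it performs the fetch itself, so if `machines()` was called first, `self._adherents` is already populated unfiltered by `allMachinesAdherents()` and the early `if self._adherents: return self._adherents` hands back members whose payment is not OK. Whether that fails open depends on what callers build from this list, but the result of the two accessors should not depend on their call order. Apply the filter at the single place the cache is populated, i.e. also in `machines()`: `self._machines, self._adherents = self.conn.allMachinesAdherents()` followed by `self._adherents = [ adh for adh in self._adherents if adh.paiement_ok ]`, or filter in `adherents()` unconditionally. The enclosing `machines()` method starts outside the hunk.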
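Review bot: The fallback search `self.conn.search(u"blacklist=*",sizelimit=4096)` in hunk @@ -86 silently bounds the result, so if the directory ever holds more than 4096 entries carrying a `blacklist` attribute the remainder never reaches `_blacklisted_machines` — assuming `search` truncates rather than raising at the limit, which is worth confirming. Since this set is presumably what ends up blocked, a truncated answer is a fail-open condition nobody would notice. Compare the returned length against the limit and refuse to continue, or at least record the assumption next to the call: `# NOTE: sizelimit caps the search; a truncated result would silently leave blacklisted machines out of the set`. The enclosing method starts outside the hunk.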
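Review bot: Removing `global conn` (hunk @@ -200) and creating `self.conn` in `__init__` (hunk @@ -208) turns every remaining bare `conn` reference in this file — or in any module that imported `conn` from it — into a `NameError` raised at call time rather than at import, so the rest of the file and its importers should be grepped for `conn.` before this lands; only the uses inside the hunks shown here are visibly converted. `self.conn` is also assigned after the `os.getuid() != 0` exit, so a subclass that overrides `__init__` without calling the base initialiser would fail with `AttributeError` at its first LDAP access. A short note next to the assignment would make the dependency explicit: `# self.conn: admin LDAP connection used by machines(), adherents() and the blacklist_* helpers`. `__init__` continues past the end of hunk @@ -208.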
@@ -284,8 +283,7 @@ class firewall_base(object) :
 def blacklist_maj(self, ips):
 """Met à jours les blacklists pour les ip présentent dans la liste ``ips``"""
- #self.blacklist_hard_maj(ips)
- self.reload('blacklist_hard')
+ self.blacklist_hard_maj(ips)
 def raw_table(self):
 """Génère les règles pour la table ``raw`` et remplis les chaines de la table"""
@@ -327,15 +325,16 @@ class firewall_base(object) :
 def blacklist_hard_maj(self, ip_list):
 """Met à jour les blacklists hard, est appelée par :py:func:`blacklist_maj`"""
- for ip in ip_list:
- machine = conn.search(u"ipHostNumber=%s" % ip)
- # Est-ce qu'il y a des blacklists hard parmis les blacklists de la machine
- if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions):
- try: self.ipset['blacklist']['hard'].add(ip)
- except IpsetError: pass
- else:
- try: self.ipset['blacklist']['hard'].delete(ip)
- except IpsetError: pass
+ self.blacklist_hard(fill_ipset=True)
+# for ip in ip_list:
+# machine = self.conn.search(u"ipHostNumber=%s" % ip)
+# # Est-ce qu'il y a des blacklists hard parmis les blacklists de la machine
+# if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions):
+# try: self.ipset['blacklist']['hard'].add(ip)
+# except IpsetError: pass
+# else:
+# try: self.ipset['blacklist']['hard'].delete(ip)
+# except IpsetError: pass
 def blacklist_hard(self, table=None, fill_ipset=False, apply=False):
 """Génère la chaine ``BLACKLIST_HARD``. 
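Review bot: `blacklist_hard_maj` no longer reads its `ip_list` parameter — it now delegates to `self.blacklist_hard(fill_ipset=True)` — and the nine commented-out lines kept under it are dead code that belongs in version history rather than in the file; the same applies to `blacklist_soft_maj` (hunk @@ -720) and `blacklist_upload_maj` (hunk @@ -775). If the parameter stays for the callers' sake, say so in the docstring, e.g. `"""Rebuild the hard blacklist ipset from LDAP; ``ip_list`` is accepted for compatibility but ignored."""`. It is also worth confirming that `blacklist_hard(fill_ipset=True)` drops entries for addresses that are no longer sanctioned, since the deleted loop did that explicitly with `.delete(ip)` and the rebuild's behaviour is not visible here; `firewall_komaz.blacklist_maj` (hunk @@ -503) now triggers three such full rebuilds per call, which may matter if it is invoked per machine.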
@@ -412,7 +411,7 @@ class firewall_base(object) :
 self.add(table, chain, '-m set --match-set %s src,src -j RETURN' % self.ipset['mac_ip'][key])
 # Proxy ARP de Komaz et Titanic pour OVH
- ip_ovh = conn.search(u"host=ovh.adm.crans.org")[0]['ipHostNumber'][0]
+ ip_ovh = self.conn.search(u"host=ovh.adm.crans.org")[0]['ipHostNumber'][0]
 self.add(table, chain, '-m mac -s %s --mac-source %s -j RETURN' % (ip_ovh, mac_komaz))
 self.add(table, chain, '-m mac -s %s --mac-source %s -j RETURN' % (ip_ovh, mac_titanic))
@@ -425,8 +424,9 @@ class firewall_base(object) :
 def mac_ip_maj(self, ip_list):
 """Met à jour la correspondance mac-ip"""
+ anim('\tActualisation de la correspondance mac-ipv4')
 for ip in ip_list:
- machine = conn.search(u"ipHostNumber=%s" % ip)
+ machine = self.conn.search(u"ipHostNumber=%s" % ip)
 if machine:
 try: self.test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].delete(data.split(',',1)[0]), {'ipHostNumber' : [ip], 'macAddress':[''] })
 except IpsetError: pass
@@ -434,6 +434,7 @@ class firewall_base(object) :
 else:
 try: self.test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].delete(data.split(',',1)[0]), {'ipHostNumber' : [ip], 'macAddress':[''] })
 except IpsetError: pass
+ print OK
 class firewall_base_routeur(firewall_base):
 """Associe mac-ip pour les machines voyant plusieurs réseaux (wifi, filaire, personnel, ...)"""
@@ -503,12 +504,9 @@ class firewall_komaz(firewall_base_routeur):
 })
 def blacklist_maj(self, ips):
- #self.blacklist_hard_maj(ips)
- #self.blacklist_soft_maj(ips)
- #self.blacklist_upload_maj(ips)
- self.reload('blacklist_hard')
- self.reload('blacklist_soft')
- self.reload('blacklist_upload')
+ self.blacklist_hard_maj(ips)
+ self.blacklist_soft_maj(ips)
+ self.blacklist_upload_maj(ips)
 def raw_table(self): return 
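Review bot: `self.conn.search(u"host=ovh.adm.crans.org")[0]` raises a bare `IndexError` if that host entry is missing from the directory, aborting rule generation with a traceback that does not name the cause. Bind the result and fail with an explicit message: `ovh = self.conn.search(u"host=ovh.adm.crans.org")` / `if not ovh: raise RuntimeError(u"ovh.adm.crans.org introuvable dans la base ldap")` / `ip_ovh = ovh[0]['ipHostNumber'][0]`. The enclosing method starts and ends outside the hunk.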
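Review bot: In hunk @@ -425, `u"ipHostNumber=%s" % ip` builds an LDAP filter by interpolating each element of `ip_list` unescaped, and nothing in `mac_ip_maj` checks that the value is an address; a caller passing a string containing filter metacharacters such as `*` or `)` would change the query. If the addresses are validated upstream, a one-line comment stating that would settle it; otherwise escape the value (python-ldap's `ldap.filter.escape_filter_chars`) or validate it at the entry point. Two smaller points: the `lambda set, data:` callbacks shadow the builtin `set`, so a name like `setname` would read better, and the added `anim(...)` is only closed by the `print OK` added in hunk @@ -434, so any exception other than `IpsetError` escaping the loop leaves the progress line dangling. `mac_ip_maj` continues past the end of hunk @@ -425.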
@@ -720,15 +718,16 @@ class firewall_komaz(firewall_base_routeur):
 return chain
 def blacklist_soft_maj(self, ip_list):
- for ip in ip_list:
- machine = conn.search(u"ipHostNumber=%s" % ip)
- # Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
- if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
- try: self.ipset['blacklist']['soft'].add(ip)
- except IpsetError: pass
- else:
- try: self.ipset['blacklist']['soft'].delete(ip)
- except IpsetError: pass
+ self.blacklist_soft(fill_ipset=True)
+# for ip in ip_list:
+# machine = self.conn.search(u"ipHostNumber=%s" % ip)
+# # Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
+# if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
+# try: self.ipset['blacklist']['soft'].add(ip)
+# except IpsetError: pass
+# else:
+# try: self.ipset['blacklist']['soft'].delete(ip)
+# except IpsetError: pass
 def blacklist_soft(self, table=None, fill_ipset=False, apply=False):
 """Redirige les gens blacklisté vers le portail captif""" 
@@ -775,15 +774,16 @@ class firewall_komaz(firewall_base_routeur):
 return chain
 def blacklist_upload_maj(self, ip_list):
- for ip in ip_list:
- machine = conn.search(u"ipHostNumber=%s" % ip)
- # Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
- if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
- try: self.ipset['blacklist']['upload'].add(ip)
- except IpsetError: pass
- else:
- try: self.ipset['blacklist']['upload'].delete(ip)
- except IpsetError: pass
+ self.blacklist_upload(fill_ipset=True)
+# for ip in ip_list:
+# machine = self.conn.search(u"ipHostNumber=%s" % ip)
+# # Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
+# if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
+# try: self.ipset['blacklist']['upload'].add(ip)
+# except IpsetError: pass
+# else:
+# try: self.ipset['blacklist']['upload'].delete(ip)
+# except IpsetError: pass
 def blacklist_upload(self, table=None, fill_ipset=False, apply=False):
 """Redirige les gens blacklisté vers le portail captif"""
@@ -1055,7 +1055,7 @@ class firewall_zamok(firewall_base):
 try: self.add(table, chain, '-m owner --uid-owner %d -j ACCEPT' % pwd.getpwnam(user)[2])
 except KeyError: print "Utilisateur %s inconnu" % user
- for nounou in conn.search(u"droits=%s" % lc_ldap.attributs.nounou):
+ for nounou in self.conn.search(u"droits=%s" % lc_ldap.attributs.nounou):
 self.add(table, chain, '-m owner --uid-owner %s -j RETURN' % nounou['uidNumber'][0])
 # Rien d'autre ne passe 
@@ -1067,11 +1067,8 @@ class firewall_zamok(firewall_base):
 return chain
 def blacklist_maj(self, ips):
- anim('\tMise à jour des blacklists')
 self.blacklist_output('filter', apply=True)
- #self.blacklist_hard_maj(ips)
- self.reload('blacklist_hard')
- print OK
+ self.blacklist_hard_maj(ips)
 def blacklist_output(self, table=None, apply=False):
 """Empêche les gens blacklisté d'utiliser zamok comme relaie"""
diff --git a/gestion/gen_confs/generate.py b/gestion/gen_confs/generate.py
index 8346a081..4b4b2c4d 100755
--- a/gestion/gen_confs/generate.py
+++ b/gestion/gen_confs/generate.py
@@ -162,12 +162,14 @@ class base_reconfigure:
 return self.__real_fw
 def macip(self, ips):
- cprint(u"Mise a jour correspondance MAC-IP", 'gras')
- self._fw().mac_ip_maj(ips)
+ if self.__service_develop.get('macip', []):
+ cprint(u"Mise a jour correspondance MAC-IP", 'gras')
+ self._fw().mac_ip_maj(ips)
 def blacklist(self, ips):
- cprint(u"Mise a jour des blacklists", 'gras')
- self._fw().blacklist_maj(ips)
+ if self.__service_develop.get('blacklist', []):
+ cprint(u"Mise a jour des blacklists", 'gras')
+ self._fw().blacklist_maj(ips)
 class redisdead(base_reconfigure):
 def droits(self):
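Review bot: The new guards in generate.py (hunk @@ -162) read `self.__service_develop`, which inside `base_reconfigure` is name-mangled to `_base_reconfigure__service_develop`; the assignment is not visible in this diff, and if the attribute is set from a subclass such as `redisdead` the name mangles differently and both `macip()` and `blacklist()` would raise `AttributeError` — please confirm where it is populated. When the key is absent the update is skipped with no output at all, so a host whose service list lacks `'macip'` or `'blacklist'` would quietly stop refreshing its ipsets; an `else:` branch with a `cprint` saying the step was skipped would make that visible. Since only truthiness is tested, `.get('macip', [])` can simply be `.get('macip')`, and likewise for `'blacklist'`.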