[firewall4, generate] MaJ blacklist / mac-ip
parent
13b144b12e
commit
bd105b43d3
2 changed files with 50 additions and 51 deletions
|
@ -68,14 +68,14 @@ class firewall_base(object) :
|
||||||
"""Renvois la liste de toutes les machines"""
|
"""Renvois la liste de toutes les machines"""
|
||||||
if self._machines:
|
if self._machines:
|
||||||
return self._machines
|
return self._machines
|
||||||
self._machines, self._adherents = conn.allMachinesAdherents()
|
self._machines, self._adherents = self.conn.allMachinesAdherents()
|
||||||
return self._machines
|
return self._machines
|
||||||
|
|
||||||
def adherents(self):
|
def adherents(self):
|
||||||
"""Renvois la liste de tous les adhérents"""
|
"""Renvois la liste de tous les adhérents"""
|
||||||
if self._adherents:
|
if self._adherents:
|
||||||
return self._adherents
|
return self._adherents
|
||||||
self._machines, self._adherents = conn.allMachinesAdherents()
|
self._machines, self._adherents = self.conn.allMachinesAdherents()
|
||||||
self._adherents = [ adh for adh in self._adherents if adh.paiement_ok ]
|
self._adherents = [ adh for adh in self._adherents if adh.paiement_ok ]
|
||||||
return self._adherents
|
return self._adherents
|
||||||
|
|
||||||
|
@ -86,7 +86,7 @@ class firewall_base(object) :
|
||||||
if self._machines:
|
if self._machines:
|
||||||
self._blacklisted_machines = [ machine for machine in self._machines if machine.blacklist_actif() ]
|
self._blacklisted_machines = [ machine for machine in self._machines if machine.blacklist_actif() ]
|
||||||
return self._blacklisted_machines
|
return self._blacklisted_machines
|
||||||
blacklisted = [ machine for machine in conn.search(u"blacklist=*",sizelimit=4096) if machine.blacklist_actif() ]
|
blacklisted = [ machine for machine in self.conn.search(u"blacklist=*",sizelimit=4096) if machine.blacklist_actif() ]
|
||||||
self._blacklisted_machines = set()
|
self._blacklisted_machines = set()
|
||||||
for item in blacklisted:
|
for item in blacklisted:
|
||||||
if isinstance(item, lc_ldap.objets.proprio):
|
if isinstance(item, lc_ldap.objets.proprio):
|
||||||
|
@ -200,7 +200,6 @@ class firewall_base(object) :
|
||||||
print OK
|
print OK
|
||||||
|
|
||||||
def __init__(self):
|
def __init__(self):
|
||||||
global conn
|
|
||||||
#initialisation des structures communes : récupération des ipset
|
#initialisation des structures communes : récupération des ipset
|
||||||
if os.getuid() != 0:
|
if os.getuid() != 0:
|
||||||
from affich_tools import coul
|
from affich_tools import coul
|
||||||
|
@ -208,7 +207,7 @@ class firewall_base(object) :
|
||||||
sys.exit(1)
|
sys.exit(1)
|
||||||
|
|
||||||
# Connection à la base ldap
|
# Connection à la base ldap
|
||||||
conn = lc_ldap.shortcuts.lc_ldap_admin(user=u'firewall')
|
self.conn = lc_ldap.shortcuts.lc_ldap_admin(user=u'firewall')
|
||||||
|
|
||||||
self.reloadable = {
|
self.reloadable = {
|
||||||
'blacklist_hard' : self.blacklist_hard,
|
'blacklist_hard' : self.blacklist_hard,
|
||||||
|
@ -284,8 +283,7 @@ class firewall_base(object) :
|
||||||
|
|
||||||
def blacklist_maj(self, ips):
|
def blacklist_maj(self, ips):
|
||||||
"""Met à jours les blacklists pour les ip présentent dans la liste ``ips``"""
|
"""Met à jours les blacklists pour les ip présentent dans la liste ``ips``"""
|
||||||
#self.blacklist_hard_maj(ips)
|
self.blacklist_hard_maj(ips)
|
||||||
self.reload('blacklist_hard')
|
|
||||||
|
|
||||||
def raw_table(self):
|
def raw_table(self):
|
||||||
"""Génère les règles pour la table ``raw`` et remplis les chaines de la table"""
|
"""Génère les règles pour la table ``raw`` et remplis les chaines de la table"""
|
||||||
|
@ -327,15 +325,16 @@ class firewall_base(object) :
|
||||||
|
|
||||||
def blacklist_hard_maj(self, ip_list):
|
def blacklist_hard_maj(self, ip_list):
|
||||||
"""Met à jour les blacklists hard, est appelée par :py:func:`blacklist_maj`"""
|
"""Met à jour les blacklists hard, est appelée par :py:func:`blacklist_maj`"""
|
||||||
for ip in ip_list:
|
self.blacklist_hard(fill_ipset=True)
|
||||||
machine = conn.search(u"ipHostNumber=%s" % ip)
|
# for ip in ip_list:
|
||||||
# Est-ce qu'il y a des blacklists hard parmis les blacklists de la machine
|
# machine = self.conn.search(u"ipHostNumber=%s" % ip)
|
||||||
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions):
|
# # Est-ce qu'il y a des blacklists hard parmis les blacklists de la machine
|
||||||
try: self.ipset['blacklist']['hard'].add(ip)
|
# if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions):
|
||||||
except IpsetError: pass
|
# try: self.ipset['blacklist']['hard'].add(ip)
|
||||||
else:
|
# except IpsetError: pass
|
||||||
try: self.ipset['blacklist']['hard'].delete(ip)
|
# else:
|
||||||
except IpsetError: pass
|
# try: self.ipset['blacklist']['hard'].delete(ip)
|
||||||
|
# except IpsetError: pass
|
||||||
|
|
||||||
def blacklist_hard(self, table=None, fill_ipset=False, apply=False):
|
def blacklist_hard(self, table=None, fill_ipset=False, apply=False):
|
||||||
"""Génère la chaine ``BLACKLIST_HARD``.
|
"""Génère la chaine ``BLACKLIST_HARD``.
|
||||||
|
@ -412,7 +411,7 @@ class firewall_base(object) :
|
||||||
self.add(table, chain, '-m set --match-set %s src,src -j RETURN' % self.ipset['mac_ip'][key])
|
self.add(table, chain, '-m set --match-set %s src,src -j RETURN' % self.ipset['mac_ip'][key])
|
||||||
|
|
||||||
# Proxy ARP de Komaz et Titanic pour OVH
|
# Proxy ARP de Komaz et Titanic pour OVH
|
||||||
ip_ovh = conn.search(u"host=ovh.adm.crans.org")[0]['ipHostNumber'][0]
|
ip_ovh = self.conn.search(u"host=ovh.adm.crans.org")[0]['ipHostNumber'][0]
|
||||||
self.add(table, chain, '-m mac -s %s --mac-source %s -j RETURN' % (ip_ovh, mac_komaz))
|
self.add(table, chain, '-m mac -s %s --mac-source %s -j RETURN' % (ip_ovh, mac_komaz))
|
||||||
self.add(table, chain, '-m mac -s %s --mac-source %s -j RETURN' % (ip_ovh, mac_titanic))
|
self.add(table, chain, '-m mac -s %s --mac-source %s -j RETURN' % (ip_ovh, mac_titanic))
|
||||||
|
|
||||||
|
@ -425,8 +424,9 @@ class firewall_base(object) :
|
||||||
|
|
||||||
def mac_ip_maj(self, ip_list):
|
def mac_ip_maj(self, ip_list):
|
||||||
"""Met à jour la correspondance mac-ip"""
|
"""Met à jour la correspondance mac-ip"""
|
||||||
|
anim('\tActualisation de la correspondance mac-ipv4')
|
||||||
for ip in ip_list:
|
for ip in ip_list:
|
||||||
machine = conn.search(u"ipHostNumber=%s" % ip)
|
machine = self.conn.search(u"ipHostNumber=%s" % ip)
|
||||||
if machine:
|
if machine:
|
||||||
try: self.test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].delete(data.split(',',1)[0]), {'ipHostNumber' : [ip], 'macAddress':[''] })
|
try: self.test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].delete(data.split(',',1)[0]), {'ipHostNumber' : [ip], 'macAddress':[''] })
|
||||||
except IpsetError: pass
|
except IpsetError: pass
|
||||||
|
@ -434,6 +434,7 @@ class firewall_base(object) :
|
||||||
else:
|
else:
|
||||||
try: self.test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].delete(data.split(',',1)[0]), {'ipHostNumber' : [ip], 'macAddress':[''] })
|
try: self.test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].delete(data.split(',',1)[0]), {'ipHostNumber' : [ip], 'macAddress':[''] })
|
||||||
except IpsetError: pass
|
except IpsetError: pass
|
||||||
|
print OK
|
||||||
|
|
||||||
class firewall_base_routeur(firewall_base):
|
class firewall_base_routeur(firewall_base):
|
||||||
"""Associe mac-ip pour les machines voyant plusieurs réseaux (wifi, filaire, personnel, ...)"""
|
"""Associe mac-ip pour les machines voyant plusieurs réseaux (wifi, filaire, personnel, ...)"""
|
||||||
|
@ -503,12 +504,9 @@ class firewall_komaz(firewall_base_routeur):
|
||||||
})
|
})
|
||||||
|
|
||||||
def blacklist_maj(self, ips):
|
def blacklist_maj(self, ips):
|
||||||
#self.blacklist_hard_maj(ips)
|
self.blacklist_hard_maj(ips)
|
||||||
#self.blacklist_soft_maj(ips)
|
self.blacklist_soft_maj(ips)
|
||||||
#self.blacklist_upload_maj(ips)
|
self.blacklist_upload_maj(ips)
|
||||||
self.reload('blacklist_hard')
|
|
||||||
self.reload('blacklist_soft')
|
|
||||||
self.reload('blacklist_upload')
|
|
||||||
|
|
||||||
def raw_table(self):
|
def raw_table(self):
|
||||||
return
|
return
|
||||||
|
@ -720,15 +718,16 @@ class firewall_komaz(firewall_base_routeur):
|
||||||
return chain
|
return chain
|
||||||
|
|
||||||
def blacklist_soft_maj(self, ip_list):
|
def blacklist_soft_maj(self, ip_list):
|
||||||
for ip in ip_list:
|
self.blacklist_soft(fill_ipset=True)
|
||||||
machine = conn.search(u"ipHostNumber=%s" % ip)
|
# for ip in ip_list:
|
||||||
# Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
|
# machine = self.conn.search(u"ipHostNumber=%s" % ip)
|
||||||
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
|
# # Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
|
||||||
try: self.ipset['blacklist']['soft'].add(ip)
|
# if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
|
||||||
except IpsetError: pass
|
# try: self.ipset['blacklist']['soft'].add(ip)
|
||||||
else:
|
# except IpsetError: pass
|
||||||
try: self.ipset['blacklist']['soft'].delete(ip)
|
# else:
|
||||||
except IpsetError: pass
|
# try: self.ipset['blacklist']['soft'].delete(ip)
|
||||||
|
# except IpsetError: pass
|
||||||
|
|
||||||
def blacklist_soft(self, table=None, fill_ipset=False, apply=False):
|
def blacklist_soft(self, table=None, fill_ipset=False, apply=False):
|
||||||
"""Redirige les gens blacklisté vers le portail captif"""
|
"""Redirige les gens blacklisté vers le portail captif"""
|
||||||
|
@ -775,15 +774,16 @@ class firewall_komaz(firewall_base_routeur):
|
||||||
return chain
|
return chain
|
||||||
|
|
||||||
def blacklist_upload_maj(self, ip_list):
|
def blacklist_upload_maj(self, ip_list):
|
||||||
for ip in ip_list:
|
self.blacklist_upload(fill_ipset=True)
|
||||||
machine = conn.search(u"ipHostNumber=%s" % ip)
|
# for ip in ip_list:
|
||||||
# Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
|
# machine = self.conn.search(u"ipHostNumber=%s" % ip)
|
||||||
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
|
# # Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
|
||||||
try: self.ipset['blacklist']['upload'].add(ip)
|
# if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
|
||||||
except IpsetError: pass
|
# try: self.ipset['blacklist']['upload'].add(ip)
|
||||||
else:
|
# except IpsetError: pass
|
||||||
try: self.ipset['blacklist']['upload'].delete(ip)
|
# else:
|
||||||
except IpsetError: pass
|
# try: self.ipset['blacklist']['upload'].delete(ip)
|
||||||
|
# except IpsetError: pass
|
||||||
|
|
||||||
def blacklist_upload(self, table=None, fill_ipset=False, apply=False):
|
def blacklist_upload(self, table=None, fill_ipset=False, apply=False):
|
||||||
"""Redirige les gens blacklisté vers le portail captif"""
|
"""Redirige les gens blacklisté vers le portail captif"""
|
||||||
|
@ -1055,7 +1055,7 @@ class firewall_zamok(firewall_base):
|
||||||
try: self.add(table, chain, '-m owner --uid-owner %d -j ACCEPT' % pwd.getpwnam(user)[2])
|
try: self.add(table, chain, '-m owner --uid-owner %d -j ACCEPT' % pwd.getpwnam(user)[2])
|
||||||
except KeyError: print "Utilisateur %s inconnu" % user
|
except KeyError: print "Utilisateur %s inconnu" % user
|
||||||
|
|
||||||
for nounou in conn.search(u"droits=%s" % lc_ldap.attributs.nounou):
|
for nounou in self.conn.search(u"droits=%s" % lc_ldap.attributs.nounou):
|
||||||
self.add(table, chain, '-m owner --uid-owner %s -j RETURN' % nounou['uidNumber'][0])
|
self.add(table, chain, '-m owner --uid-owner %s -j RETURN' % nounou['uidNumber'][0])
|
||||||
|
|
||||||
# Rien d'autre ne passe
|
# Rien d'autre ne passe
|
||||||
|
@ -1067,11 +1067,8 @@ class firewall_zamok(firewall_base):
|
||||||
return chain
|
return chain
|
||||||
|
|
||||||
def blacklist_maj(self, ips):
|
def blacklist_maj(self, ips):
|
||||||
anim('\tMise à jour des blacklists')
|
|
||||||
self.blacklist_output('filter', apply=True)
|
self.blacklist_output('filter', apply=True)
|
||||||
#self.blacklist_hard_maj(ips)
|
self.blacklist_hard_maj(ips)
|
||||||
self.reload('blacklist_hard')
|
|
||||||
print OK
|
|
||||||
|
|
||||||
def blacklist_output(self, table=None, apply=False):
|
def blacklist_output(self, table=None, apply=False):
|
||||||
"""Empêche les gens blacklisté d'utiliser zamok comme relaie"""
|
"""Empêche les gens blacklisté d'utiliser zamok comme relaie"""
|
||||||
|
|
|
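Review bot: In the `blacklist_hard_maj` hunk the `ip_list` parameter is now unused and the explicit `self.ipset['blacklist']['hard'].delete(ip)` path is gone, replaced by `self.blacklist_hard(fill_ipset=True)` whose body lies outside this diff; if that fill only adds members, an IP whose sanction has ended stays blocked until the next full regeneration, and since `blacklist_maj` no longer calls `self.reload('blacklist_hard')` any change that still needs the chain rebuilt would not be applied. Please confirm the refill flushes or swaps the set rather than appending to it, and record the new contract in the docstring, e.g. `"""Rebuild the hard-blacklist ipset from LDAP; ``ip_list`` is ignored and kept only for the caller's signature."""` — the same applies to `blacklist_soft_maj` and `blacklist_upload_maj`. The commented-out per-IP loops should be deleted rather than kept, since the history already holds them. Separately, `self.conn.search(u"blacklist=*", sizelimit=4096)` caps the result at 4096 entries; if the directory ever holds more matching machines, the ones past the cap are never blocked, so a truncated result should be treated as an error (or at least logged) instead of accepted silently.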
@ -162,10 +162,12 @@ class base_reconfigure:
|
||||||
return self.__real_fw
|
return self.__real_fw
|
||||||
|
|
||||||
def macip(self, ips):
|
def macip(self, ips):
|
||||||
|
if self.__service_develop.get('macip', []):
|
||||||
cprint(u"Mise a jour correspondance MAC-IP", 'gras')
|
cprint(u"Mise a jour correspondance MAC-IP", 'gras')
|
||||||
self._fw().mac_ip_maj(ips)
|
self._fw().mac_ip_maj(ips)
|
||||||
|
|
||||||
def blacklist(self, ips):
|
def blacklist(self, ips):
|
||||||
|
if self.__service_develop.get('blacklist', []):
|
||||||
cprint(u"Mise a jour des blacklists", 'gras')
|
cprint(u"Mise a jour des blacklists", 'gras')
|
||||||
self._fw().blacklist_maj(ips)
|
self._fw().blacklist_maj(ips)
|
||||||
|
|
||||||
|
|
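Review bot: `macip` and `blacklist` now do nothing at all when `self.__service_develop.get('macip', [])` / `.get('blacklist', [])` is falsy, so on a host where the key is missing or empty the firewall update is skipped without any trace, and a blacklisted machine that stays reachable cannot be told apart from a bug; add an `else:` branch that reports the skip, e.g. `else: cprint(u"Mise a jour des blacklists ignoree (service non actif)", 'gras')`. Note also that `__service_develop` is name-mangled to `_base_reconfigure__service_develop`, so if a subclass assigns `self.__service_develop` the lookup here reads a different attribute — where that attribute is populated is not visible in this diff, so please confirm it is set on `base_reconfigure` itself.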