[firewall4, generate] MaJ blacklist / mac-ip
This commit is contained in:
parent
13b144b12e
commit
bd105b43d3
2 changed files with 50 additions and 51 deletions
|
@ -68,14 +68,14 @@ class firewall_base(object) :
|
|||
"""Renvois la liste de toutes les machines"""
|
||||
if self._machines:
|
||||
return self._machines
|
||||
self._machines, self._adherents = conn.allMachinesAdherents()
|
||||
self._machines, self._adherents = self.conn.allMachinesAdherents()
|
||||
return self._machines
|
||||
|
||||
def adherents(self):
|
||||
"""Renvois la liste de tous les adhérents"""
|
||||
if self._adherents:
|
||||
return self._adherents
|
||||
self._machines, self._adherents = conn.allMachinesAdherents()
|
||||
self._machines, self._adherents = self.conn.allMachinesAdherents()
|
||||
self._adherents = [ adh for adh in self._adherents if adh.paiement_ok ]
|
||||
return self._adherents
|
||||
|
||||
|
@ -86,7 +86,7 @@ class firewall_base(object) :
|
|||
if self._machines:
|
||||
self._blacklisted_machines = [ machine for machine in self._machines if machine.blacklist_actif() ]
|
||||
return self._blacklisted_machines
|
||||
blacklisted = [ machine for machine in conn.search(u"blacklist=*",sizelimit=4096) if machine.blacklist_actif() ]
|
||||
blacklisted = [ machine for machine in self.conn.search(u"blacklist=*",sizelimit=4096) if machine.blacklist_actif() ]
|
||||
self._blacklisted_machines = set()
|
||||
for item in blacklisted:
|
||||
if isinstance(item, lc_ldap.objets.proprio):
|
||||
|
@ -200,7 +200,6 @@ class firewall_base(object) :
|
|||
print OK
|
||||
|
||||
def __init__(self):
|
||||
global conn
|
||||
#initialisation des structures communes : récupération des ipset
|
||||
if os.getuid() != 0:
|
||||
from affich_tools import coul
|
||||
|
@ -208,7 +207,7 @@ class firewall_base(object) :
|
|||
sys.exit(1)
|
||||
|
||||
# Connection à la base ldap
|
||||
conn = lc_ldap.shortcuts.lc_ldap_admin(user=u'firewall')
|
||||
self.conn = lc_ldap.shortcuts.lc_ldap_admin(user=u'firewall')
|
||||
|
||||
self.reloadable = {
|
||||
'blacklist_hard' : self.blacklist_hard,
|
||||
|
@ -284,8 +283,7 @@ class firewall_base(object) :
|
|||
|
||||
def blacklist_maj(self, ips):
|
||||
"""Met à jours les blacklists pour les ip présentent dans la liste ``ips``"""
|
||||
#self.blacklist_hard_maj(ips)
|
||||
self.reload('blacklist_hard')
|
||||
self.blacklist_hard_maj(ips)
|
||||
|
||||
def raw_table(self):
|
||||
"""Génère les règles pour la table ``raw`` et remplis les chaines de la table"""
|
||||
|
@ -327,15 +325,16 @@ class firewall_base(object) :
|
|||
|
||||
def blacklist_hard_maj(self, ip_list):
|
||||
"""Met à jour les blacklists hard, est appelée par :py:func:`blacklist_maj`"""
|
||||
for ip in ip_list:
|
||||
machine = conn.search(u"ipHostNumber=%s" % ip)
|
||||
# Est-ce qu'il y a des blacklists hard parmis les blacklists de la machine
|
||||
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions):
|
||||
try: self.ipset['blacklist']['hard'].add(ip)
|
||||
except IpsetError: pass
|
||||
else:
|
||||
try: self.ipset['blacklist']['hard'].delete(ip)
|
||||
except IpsetError: pass
|
||||
self.blacklist_hard(fill_ipset=True)
|
||||
# for ip in ip_list:
|
||||
# machine = self.conn.search(u"ipHostNumber=%s" % ip)
|
||||
# # Est-ce qu'il y a des blacklists hard parmis les blacklists de la machine
|
||||
# if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions):
|
||||
# try: self.ipset['blacklist']['hard'].add(ip)
|
||||
# except IpsetError: pass
|
||||
# else:
|
||||
# try: self.ipset['blacklist']['hard'].delete(ip)
|
||||
# except IpsetError: pass
|
||||
|
||||
def blacklist_hard(self, table=None, fill_ipset=False, apply=False):
|
||||
"""Génère la chaine ``BLACKLIST_HARD``.
|
||||
|
@ -412,7 +411,7 @@ class firewall_base(object) :
|
|||
self.add(table, chain, '-m set --match-set %s src,src -j RETURN' % self.ipset['mac_ip'][key])
|
||||
|
||||
# Proxy ARP de Komaz et Titanic pour OVH
|
||||
ip_ovh = conn.search(u"host=ovh.adm.crans.org")[0]['ipHostNumber'][0]
|
||||
ip_ovh = self.conn.search(u"host=ovh.adm.crans.org")[0]['ipHostNumber'][0]
|
||||
self.add(table, chain, '-m mac -s %s --mac-source %s -j RETURN' % (ip_ovh, mac_komaz))
|
||||
self.add(table, chain, '-m mac -s %s --mac-source %s -j RETURN' % (ip_ovh, mac_titanic))
|
||||
|
||||
|
@ -425,8 +424,9 @@ class firewall_base(object) :
|
|||
|
||||
def mac_ip_maj(self, ip_list):
|
||||
"""Met à jour la correspondance mac-ip"""
|
||||
anim('\tActualisation de la correspondance mac-ipv4')
|
||||
for ip in ip_list:
|
||||
machine = conn.search(u"ipHostNumber=%s" % ip)
|
||||
machine = self.conn.search(u"ipHostNumber=%s" % ip)
|
||||
if machine:
|
||||
try: self.test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].delete(data.split(',',1)[0]), {'ipHostNumber' : [ip], 'macAddress':[''] })
|
||||
except IpsetError: pass
|
||||
|
@ -434,6 +434,7 @@ class firewall_base(object) :
|
|||
else:
|
||||
try: self.test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].delete(data.split(',',1)[0]), {'ipHostNumber' : [ip], 'macAddress':[''] })
|
||||
except IpsetError: pass
|
||||
print OK
|
||||
|
||||
class firewall_base_routeur(firewall_base):
|
||||
"""Associe mac-ip pour les machines voyant plusieurs réseaux (wifi, filaire, personnel, ...)"""
|
||||
|
@ -503,12 +504,9 @@ class firewall_komaz(firewall_base_routeur):
|
|||
})
|
||||
|
||||
def blacklist_maj(self, ips):
|
||||
#self.blacklist_hard_maj(ips)
|
||||
#self.blacklist_soft_maj(ips)
|
||||
#self.blacklist_upload_maj(ips)
|
||||
self.reload('blacklist_hard')
|
||||
self.reload('blacklist_soft')
|
||||
self.reload('blacklist_upload')
|
||||
self.blacklist_hard_maj(ips)
|
||||
self.blacklist_soft_maj(ips)
|
||||
self.blacklist_upload_maj(ips)
|
||||
|
||||
def raw_table(self):
|
||||
return
|
||||
|
@ -720,15 +718,16 @@ class firewall_komaz(firewall_base_routeur):
|
|||
return chain
|
||||
|
||||
def blacklist_soft_maj(self, ip_list):
|
||||
for ip in ip_list:
|
||||
machine = conn.search(u"ipHostNumber=%s" % ip)
|
||||
# Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
|
||||
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
|
||||
try: self.ipset['blacklist']['soft'].add(ip)
|
||||
except IpsetError: pass
|
||||
else:
|
||||
try: self.ipset['blacklist']['soft'].delete(ip)
|
||||
except IpsetError: pass
|
||||
self.blacklist_soft(fill_ipset=True)
|
||||
# for ip in ip_list:
|
||||
# machine = self.conn.search(u"ipHostNumber=%s" % ip)
|
||||
# # Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
|
||||
# if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
|
||||
# try: self.ipset['blacklist']['soft'].add(ip)
|
||||
# except IpsetError: pass
|
||||
# else:
|
||||
# try: self.ipset['blacklist']['soft'].delete(ip)
|
||||
# except IpsetError: pass
|
||||
|
||||
def blacklist_soft(self, table=None, fill_ipset=False, apply=False):
|
||||
"""Redirige les gens blacklisté vers le portail captif"""
|
||||
|
@ -775,15 +774,16 @@ class firewall_komaz(firewall_base_routeur):
|
|||
return chain
|
||||
|
||||
def blacklist_upload_maj(self, ip_list):
|
||||
for ip in ip_list:
|
||||
machine = conn.search(u"ipHostNumber=%s" % ip)
|
||||
# Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
|
||||
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
|
||||
try: self.ipset['blacklist']['upload'].add(ip)
|
||||
except IpsetError: pass
|
||||
else:
|
||||
try: self.ipset['blacklist']['upload'].delete(ip)
|
||||
except IpsetError: pass
|
||||
self.blacklist_upload(fill_ipset=True)
|
||||
# for ip in ip_list:
|
||||
# machine = self.conn.search(u"ipHostNumber=%s" % ip)
|
||||
# # Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
|
||||
# if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
|
||||
# try: self.ipset['blacklist']['upload'].add(ip)
|
||||
# except IpsetError: pass
|
||||
# else:
|
||||
# try: self.ipset['blacklist']['upload'].delete(ip)
|
||||
# except IpsetError: pass
|
||||
|
||||
def blacklist_upload(self, table=None, fill_ipset=False, apply=False):
|
||||
"""Redirige les gens blacklisté vers le portail captif"""
|
||||
|
@ -1055,7 +1055,7 @@ class firewall_zamok(firewall_base):
|
|||
try: self.add(table, chain, '-m owner --uid-owner %d -j ACCEPT' % pwd.getpwnam(user)[2])
|
||||
except KeyError: print "Utilisateur %s inconnu" % user
|
||||
|
||||
for nounou in conn.search(u"droits=%s" % lc_ldap.attributs.nounou):
|
||||
for nounou in self.conn.search(u"droits=%s" % lc_ldap.attributs.nounou):
|
||||
self.add(table, chain, '-m owner --uid-owner %s -j RETURN' % nounou['uidNumber'][0])
|
||||
|
||||
# Rien d'autre ne passe
|
||||
|
@ -1067,11 +1067,8 @@ class firewall_zamok(firewall_base):
|
|||
return chain
|
||||
|
||||
def blacklist_maj(self, ips):
|
||||
anim('\tMise à jour des blacklists')
|
||||
self.blacklist_output('filter', apply=True)
|
||||
#self.blacklist_hard_maj(ips)
|
||||
self.reload('blacklist_hard')
|
||||
print OK
|
||||
self.blacklist_hard_maj(ips)
|
||||
|
||||
def blacklist_output(self, table=None, apply=False):
|
||||
"""Empêche les gens blacklisté d'utiliser zamok comme relaie"""
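Review bot: `blacklist_hard_maj` now ignores its `ip_list` argument and rebuilds the whole set through `self.blacklist_hard(fill_ipset=True)`, while the previous per-IP loop survives as commented-out code (already rewritten to `self.conn`); `blacklist_soft_maj` and `blacklist_upload_maj` in firewall_komaz have the same shape. The dead block should be dropped (history keeps it) and the unused parameter documented, e.g. `"""Regenerate the hard blacklist ipset; ``ip_list`` is kept for interface compatibility, the whole set is rebuilt."""`. Since the blacklisted-machines lookup earlier in this file serves its result from the cached `self._machines` whenever that is populated, a rebuild triggered from `blacklist_maj` may reflect a stale cache rather than the LDAP change that prompted the call, unless `blacklist_hard(fill_ipset=True)` re-queries — its body is outside the hunk, so this needs confirming. Separately, `mac_ip_maj` still swallows failures on the delete path with `except IpsetError: pass`, so a mac-ip binding that could not be updated leaves no trace in the output; printing the ip and the error there would make enforcement failures visible.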
|
||||
|
|
|
@ -162,10 +162,12 @@ class base_reconfigure:
|
|||
return self.__real_fw
|
||||
|
||||
def macip(self, ips):
|
||||
if self.__service_develop.get('macip', []):
|
||||
cprint(u"Mise a jour correspondance MAC-IP", 'gras')
|
||||
self._fw().mac_ip_maj(ips)
|
||||
|
||||
def blacklist(self, ips):
|
||||
if self.__service_develop.get('blacklist', []):
|
||||
cprint(u"Mise a jour des blacklists", 'gras')
|
||||
self._fw().blacklist_maj(ips)
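Review bot: `macip` and `blacklist` in base_reconfigure carry no docstring, and the `cprint` banners are the only hint of what they do. A one-line docstring on each would help, e.g. `"""Push the mac-ip bindings for ``ips`` to the firewall when ``__service_develop`` lists ``macip``."""` and the analogous line for `blacklist`. Both methods silently do nothing when their key is absent from `self.__service_develop`; if that is intentional, a short comment saying so would spare the next reader a trip to where `__service_develop` is built, which lies outside the hunk.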
|
||||
|
||||
|
|