From c0e19b7247b87707752f48e999f2999b9d501984 Mon Sep 17 00:00:00 2001
From: Valentin Samir
Date: Sat, 6 Apr 2013 14:48:21 +0200
Subject: [PATCH] =?UTF-8?q?[firewall4]=20Fonctions=20de=20mise=20=C3=A0=20?=
 =?UTF-8?q?jour=20pour=20generate=20pour=20mac-ip,=20l'ouverture=20des=20p?=
 =?UTF-8?q?orts=20et=20les=20blacklists.=20On=20utilise=20l'h=C3=A9ritage?=
 =?UTF-8?q?=20pour=20traiter=20les=20cas=20particuli=C3=A9s=20de=20mac-ip?=
 =?UTF-8?q?=20sur=20komaz?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
---
 gestion/gen_confs/firewall4.py | 98 +++++++++++++++++++---------------
 1 file changed, 55 insertions(+), 43 deletions(-)

diff --git a/gestion/gen_confs/firewall4.py b/gestion/gen_confs/firewall4.py
index a7a3fdb7..57bf1c61 100755
--- a/gestion/gen_confs/firewall4.py
+++ b/gestion/gen_confs/firewall4.py
@@ -139,11 +139,8 @@ class firewall_base(object) :
 def apply(self, table, chain):
 if not chain in self.chain_list[table]: return
-
- str = self.format([chain])
- # TODO
-
- self.clear(table, chain)
+ self.restore(table, [chain], noflush=True)
+ self.delete(table, chain)
 def format(self, chains=[]):
 str = ''
@@ -156,7 +153,6 @@ class firewall_base(object) :
 if not chains or chain in chains :
 for rule in self.rules_list[table][chain]:
 str += '-A %s %s\n' % (chain, rule)
- self.clear(table, chain)
 str += 'COMMIT\n'
 return str
@@ -234,6 +230,8 @@ class firewall_base(object) :
 self.start()
 return
+ def blacklist_maj(self, ips):
+ self.blacklist_hard_maj(ips)
 def raw_table(self):
 table = 'raw'
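Review bot: The new body of `apply` restores the chain with `noflush=True` and then calls `self.delete(table, chain)` without a word on what each step is for, while the old `self.clear(table, chain)` is gone; a no-flush restore appends to whatever the live chain already holds, so a second `apply` of the same chain looks like it would duplicate its rules unless `format` emits a chain-reset line or `delete` also flushes the kernel chain, neither of which is visible here — please confirm. A docstring would settle it, e.g. `"""Load the in-memory rules of `chain` into the live `table` without flushing other chains, then drop the in-memory copy."""`, adjusted to what `restore` and `delete` actually do. The same applies to the new `blacklist_maj` in hunk -234, which silently handles only hard sanctions on the base class and is overridden on komaz to add soft ones.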
@@ -271,9 +269,9 @@ class firewall_base(object) :
 def blacklist_hard_maj(self, ip_list):
 for ip in ip_list:
- machine = db.search("ipHostNumber=%s" % ip)
+ machine = conn.search("ipHostNumber=%s" % ip)
 # Est-ce qu'il y a des blacklists hard parmis les blacklists de la machine
- if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(blacklist_sanctions):
+ if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions):
 try: self.ipset['blacklist']['hard'].add(ip)
 except IpsetError: pass
 else:
@@ -314,22 +312,13 @@ class firewall_base(object) :
 for ip in ips:
 # Si la machines est sur le réseau des adhérents
 if AddrInNet(str(ip), NETs['wifi']):
- # Komaz voit directement les machines wifi
- if hostname == 'komaz':
- func('adh', "%s,%s" % (ip, machine['macAddress'][0]))
- # Les autres serveurs les voient à travers komaz
- else:
- func('adh', "%s,%s" % (ip, mac_komaz))
+ # Les machines wifi sont vues à travers komaz
+ func('adh', "%s,%s" % (ip, mac_komaz))
 elif AddrInNet(str(ip), NETs['fil']):
 func('adh', "%s,%s" % (ip, machine['macAddress'][0]))
 # Si la machine est sur le réseau admin
 elif AddrInNet(str(ip), NETs['adm']):
 func('adm', "%s,%s" % (ip, machine['macAddress'][0]))
- # Si la machine est sur le réseaux des appartements de l'ENS
- elif AddrInNet(str(ip), NETs['personnel-ens']):
- # Les machines sont natter derrire komaz
- if hostname == 'komaz':
- func('app', "%s,%s" % (ip, machine['macAddress'][0]))
 def test_mac_ip(self, table=None, fill_ipset=False, apply=False):
 chain = 'TEST_MAC-IP'
@@ -350,9 +339,6 @@ class firewall_base(object) :
 if table == 'filter':
 pretty_print(table, chain)
- if hostname == 'komaz':
- for key in ['out', 'tun-ovh' ]:
- self.add(table, chain, '-i %s -j RETURN' % dev[key])
 for key in ['accueil', 'isolement', ]:
 for net in NETs[key]:
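Review bot: `conn.search("ipHostNumber=%s" % ip)` interpolates `ip` into the directory filter unescaped, and the same line is repeated in `mac_ip_maj` (hunk -374) and `blacklist_soft_maj` (hunk -592); the same value then goes straight into `self.ipset['blacklist']['hard'].add(ip)`, which presumably ends up in an ipset command. These `*_maj` functions are the new update entry points for generate, so if `ip_list` can ever carry something that is not a plain address, a malformed entry changes the meaning of the filter and may reach the ipset call as well; reject anything that does not parse as an IP address before the loop body (the file already uses `AddrInNet(str(ip), ...)`, so an address parser is at hand), or escape the value with the filter-escaping helper of whatever library `conn` wraps. Only `machine[0]` is consulted afterwards, so when two entries share an ipHostNumber the second one's sanctions are ignored — probably acceptable, but a one-line comment saying so would help.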
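Review bot: The base `test_mac_ip_dispatch` now has no branch for `NETs['personnel-ens']` and always maps wifi addresses to `mac_komaz`, but nothing in the method says that this is the view from a host behind komaz while `firewall_komaz.test_mac_ip_dispatch` (hunk -467) holds the direct view; the komaz override carries a docstring and this one does not. Add a matching docstring, e.g. `"""Call func(set_name, "ip,mac") for every ip of machine as seen from a host behind komaz: wifi hosts are reached via mac_komaz, ENS-apartment hosts are not handled here."""`. The method's `def` line and the `ips = ...` assignment are outside this hunk.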
@@ -374,12 +360,12 @@ class firewall_base(object) :
 def mac_ip_maj(self, ip_list):
 for ip in ip_list:
- machine = db.search("ipHostNumber=%s" % ip)
+ machine = conn.search("ipHostNumber=%s" % ip)
 if machine:
- try: test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].add(data), machine)
+ try: self.test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].add(data), machine[0])
 except IpsetError: pass
 else:
- try: test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].delete(data), machine)
+ try: self.test_mac_ip_dispatch(lambda set, data: self.ipset['mac_ip'][set].delete(data.split(',',1)[0]), {'ipHostNumber' : [ip], 'macAddress':[''] })
 except IpsetError: pass
@@ -410,6 +396,10 @@ class firewall_komaz(firewall_base):
 'allow' : Ipset("RESEAUX-NON-ROUTABLE-ALLOW","nethash"),
 }
+ def blacklist_maj(self, ips):
+ self.blacklist_hard_maj(ips)
+ self.blacklist_soft_maj(ips)
+
 def raw_table(self):
 return
@@ -436,7 +426,7 @@ class firewall_komaz(firewall_base):
 blacklist_hard_chain = self.blacklist_hard()
 chain = 'FORWARD'
- self.clear(table, chain)
+ self.flush(table, chain)
 self.add(table, chain, '-i lo -j ACCEPT')
 self.add(table, chain, '-p icmp -j ACCEPT')
 self.add(table, chain, '-j %s' % self.admin_vlan(table))
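Review bot: In `mac_ip_maj` the add path inserts `ip,mac` for the machine found but never removes a previous entry for that `ip`, and the `except IpsetError: pass` right after hides any refusal from the set, so a machine whose MAC changed may silently keep its old mapping — I cannot see the Ipset wrapper, so confirm how it treats an existing key, and at least log the exception instead of `pass`. The delete path builds a fake machine dict and then strips the MAC again with `data.split(',',1)[0]`; a comment such as `# The set is keyed by ip: only the ip part of "ip,mac" is needed to delete` would explain the detour. Both lambdas also shadow the builtin `set` with their first parameter; `lambda s, data:` reads better in a file that calls `set([...])` elsewhere.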
@@ -467,6 +457,32 @@ class firewall_komaz(firewall_base):
 return
+ def test_mac_ip_dispatch(self, func, machine):
+ """Détermine à quel set de mac-ip appliquer la fonction func (add, delete, append, ...)"""
+ ips = machine['ipHostNumber']
+ for ip in ips:
+ # Si la machines est sur le réseau des adhérents
+ if AddrInNet(str(ip), NETs['wifi']):
+ func('adh', "%s,%s" % (ip, machine['macAddress'][0]))
+ elif AddrInNet(str(ip), NETs['fil']):
+ func('adh', "%s,%s" % (ip, machine['macAddress'][0]))
+ # Si la machine est sur le réseau admin
+ elif AddrInNet(str(ip), NETs['adm']):
+ func('adm', "%s,%s" % (ip, machine['macAddress'][0]))
+ # Si la machine est sur le réseaux des appartements de l'ENS
+ elif AddrInNet(str(ip), NETs['personnel-ens']):
+ func('app', "%s,%s" % (ip, machine['macAddress'][0]))
+
+ def test_mac_ip(self, table=None, fill_ipset=False, apply=False):
+ chain = super(self.__class__, self).test_mac_ip()
+
+ if table == 'filter':
+ for key in ['out', 'tun-ovh' ]:
+ self.add(table, chain, '-i %s -j RETURN' % dev[key])
+
+ return super(self.__class__, self).test_mac_ip(table, fill_ipset, apply)
+
+
 def log_all(self, table=None, apply=False):
 chain = 'LOG_ALL'
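Review bot: `super(self.__class__, self)` in the new `test_mac_ip` recurses without end as soon as `firewall_komaz` is subclassed, because `self.__class__` is then the subclass and the lookup lands on this same method again; write `super(firewall_komaz, self)` in both places. The parent is also called twice, once with no arguments only to learn the chain name and once to build the chain, with the `-i %s -j RETURN` rules added in between: whether they keep the position they had in the removed base code (right after `pretty_print`, hunk -350) depends on what the second call does to a chain that already holds rules, which is not visible here — confirm, and consider taking the name the way the base does, `chain = 'TEST_MAC-IP'`, so the parent runs once. The new `test_mac_ip_dispatch` override would benefit from one line in its docstring saying it differs from the base only in the wifi and `personnel-ens` branches.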
@@ -592,18 +608,14 @@ class firewall_komaz(firewall_base):
 def blacklist_soft_maj(self, ip_list):
 for ip in ip_list:
- machine = db.search("ipHostNumber=%s" % ip)
- if not machine:
- try: self.ipset['blacklist']['soft'].delete(ip)
+ machine = conn.search("ipHostNumber=%s" % ip)
+ # Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
+ if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_sanctions_soft):
+ try: self.ipset['blacklist']['soft'].add(ip)
 except IpsetError: pass
 else:
- # Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
- if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(blacklist_sanctions_soft):
- try: self.ipset['blacklist']['soft'].add(ip)
- except IpsetError: pass
- else:
- try: self.ipset['blacklist']['soft'].delete(ip)
- except IpsetError: pass
+ try: self.ipset['blacklist']['soft'].delete(ip)
+ except IpsetError: pass
 def blacklist_soft(self, table=None, fill_ipset=False, apply=False):
 chain = 'BLACKLIST_SOFT'
@@ -697,6 +709,13 @@ class firewall_komaz(firewall_base):
 if table == 'filter':
 pretty_print(table, chain)
+ for net in NETs['adherents'] + NETs['wifi-adh'] + NETs['personnel-ens']:
+ for proto in config.firewall.ports_default.keys():
+ if config.firewall.ports_default[proto]['output']:
+ self.add(table, chain, '-p %s -s %s -m multiport --dports %s -j RETURN' % (proto, net, ','.join( format_port(port) for port in config.firewall.ports_default[proto]['output'])))
+ if config.firewall.ports_default[proto]['input']:
+ self.add(table, chain, '-p %s -d %s -m multiport --dports %s -j RETURN' % (proto, net, ','.join( format_port(port) for port in config.firewall.ports_default[proto]['input'])))
+
 for machine in self.machines():
 for ip in machine['ipHostNumber']:
 if 'portTCPout' in machine.attrs.keys():
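Review bot: The default-port block moved into hunk -697 iterates `config.firewall.ports_default.keys()` and then indexes `config.firewall.ports_default[proto]` four times per protocol; `for proto, ports in config.firewall.ports_default.items():` with `ports['output']` / `ports['input']` says the same thing more directly. The only behavioural effect of the move (the deletion in hunk -708 is the other half) is that the network-wide RETURN rules now precede the per-machine `add_ports` rules in the chain; a comment above the loop such as `# Network-wide default ports first, per-machine openings after` would keep the next reader from reverting the order, if that ordering is indeed intended. The enclosing method begins before this hunk.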
@@ -708,13 +727,6 @@ class firewall_komaz(firewall_base):
 if 'portUDPin' in machine.attrs.keys():
 add_ports(ip,'udp','in')
- for net in NETs['adherents'] + NETs['wifi-adh'] + NETs['personnel-ens']:
- for proto in config.firewall.ports_default.keys():
- if config.firewall.ports_default[proto]['output']:
- self.add(table, chain, '-p %s -s %s -m multiport --dports %s -j RETURN' % (proto, net, ','.join( format_port(port) for port in config.firewall.ports_default[proto]['output'])))
- if config.firewall.ports_default[proto]['input']:
- self.add(table, chain, '-p %s -d %s -m multiport --dports %s -j RETURN' % (proto, net, ','.join( format_port(port) for port in config.firewall.ports_default[proto]['input'])))
-
 self.add(table, chain, '-j REJECT')
 print OK