[gestion/gen_conf/firewall*] renommage de conf_fw en config.firewall

Vincent Le Gallic 2013-03-26 17:55:58 +01:00
parent 2d23ea5085
commit c371496e74
3 changed files with 52 additions and 50 deletions


@ -37,7 +37,8 @@ from ldap_crans import AssociationCrans, Machine, MachineWifi, BorneWifi
from affich_tools import *
from commands import getstatusoutput
from iptools import AddrInNet, NetSubnets, IpSubnet
from config import NETs, mac_komaz, mac_wifi, mac_titanic, conf_fw, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft, periode_transitoire
from config import NETs, mac_komaz, mac_wifi, mac_titanic, p2p, vlans, debit_max_radin, adm_users, accueil_route, blacklist_sanctions, blacklist_sanctions_soft, periode_transitoire
import config.firewall
from ipset import IpsetError, Ipset
from lc_ldap import lc_ldap
from ipt import gethostbyname
@ -551,9 +552,9 @@ class firewall_komaz(firewall_crans) :
iptables("-t mangle -A PREROUTING -s %s -j RETURN" % self.zone_serveur)
#~ iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 "
#~ "-s %s -d ! %s -j MARK --set-mark %s" %
#~ (NETs['fil'][0], NETs['wifi'][0], conf_fw.mark['proxy']))
#~ (NETs['fil'][0], NETs['wifi'][0], config.firewall.mark['proxy']))
#~ iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" %
#~ conf_fw.mark['proxy'])
#~ config.firewall.mark['proxy'])
iptables("-t mangle -N BLACKLIST_SOFT")
for ip_fil in NETs['fil']:
iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 "
@ -562,16 +563,16 @@ class firewall_komaz(firewall_crans) :
iptables("-t mangle -A PREROUTING -p tcp --destination-port 80 "
"-s %s -d ! %s -j BLACKLIST_SOFT" %
(NETs['wifi'][0], '138.231.136.0/21'))
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
#connection de secours
iptables("-t mangle -A PREROUTING -p tcp -s 138.231.136.0/16 ! -d 138.231.136.0/16 --destination-port 80 -m condition --condition secours -j MARK --set-mark %s" % (conf_fw.mark['secours']))
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['secours'])
iptables("-t mangle -A PREROUTING -p tcp -s 138.231.136.0/16 ! -d 138.231.136.0/16 --destination-port 80 -m condition --condition secours -j MARK --set-mark %s" % (config.firewall.mark['secours']))
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % config.firewall.mark['secours'])
# Parametres pour iptables/tc
mark = conf_fw.mark['bittorrent']
debit_max = conf_fw.debit_max
mark = config.firewall.mark['bittorrent']
debit_max = config.firewall.debit_max
debit_max_semi=debit_max/2
eth_ext = self.eth_ext
eth_int = self.eth_int
@ -614,14 +615,14 @@ class firewall_komaz(firewall_crans) :
# On crée les chaînes de sous-réseaux
for net in NETs['all']:
for mask in conf_fw.mask:
for mask in config.firewall.mask:
for subnet in NetSubnets(net, mask):
index = conf_fw.mask.index(mask)
index = config.firewall.mask.index(mask)
if index == 0:
prev_chain = "POSTROUTING"
else:
ip = subnet.split('/')[0]
prev_subnet = IpSubnet(ip, conf_fw.mask[index-1])
prev_subnet = IpSubnet(ip, config.firewall.mask[index-1])
prev_chain = "SUBNET-%s" % prev_subnet
next_chain = "SUBNET-%s" % subnet
redirect_chain('mangle', prev_chain, next_chain, subnet)
@ -683,12 +684,12 @@ class firewall_komaz(firewall_crans) :
self.mangle_table()
# On desactive la QoS lorsque le debit augmente
if not conf_fw.debit_jour:
if not config.firewall.debit_jour:
return
# Parametres pour iptables/tc
mark = conf_fw.mark['bittorrent']
debit_max = conf_fw.debit_max
mark = config.firewall.mark['bittorrent']
debit_max = config.firewall.debit_max
debit_max_semi=debit_max/2
eth_ext = self.eth_ext
eth_int = self.eth_int
@ -718,7 +719,7 @@ class firewall_komaz(firewall_crans) :
if not AddrInNet(ip, NETs['all']):
# Cas particulier d'une machine ayant une IP non CRANS
continue
subnet = IpSubnet(machine.ip(), conf_fw.mask[-1])
subnet = IpSubnet(machine.ip(), config.firewall.mask[-1])
iptables("-t mangle -A SUBNET-%(subnet)s -o crans -d %(ip)s "
"-j CLASSIFY --set-class 1:%(class_id)s" % locals())
iptables("-t mangle -A SUBNET-%(subnet)s -o ens -s %(ip)s "
@ -752,7 +753,7 @@ class firewall_komaz(firewall_crans) :
# iptables("-t nat -A POSTROUTING -o %s -p tcp --dport 81 -s 138.231.136.0/21 -d 138.231.136.3 -j SNAT --to-source 138.231.136.4" % self.eth_int )
# Proxy transparent pour deconnexion soft
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['proxy'] +
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % config.firewall.mark['proxy'] +
"-j DNAT --to-destination 10.231.136.4:3128")
# Appartement ENS
@ -760,7 +761,7 @@ class firewall_komaz(firewall_crans) :
iptables("-t nat -A POSTROUTING -o crans -s %s -j SNAT --to 138.231.136.44" % NETs['personnel-ens'][0])
#Connection de secours
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % conf_fw.mark['secours'] +
iptables("-t nat -A PREROUTING -p tcp -m mark --mark %s " % config.firewall.mark['secours'] +
"-j DNAT --to-destination 10.231.136.4:3129")
print OK
@ -775,7 +776,7 @@ class firewall_komaz(firewall_crans) :
iptables("-A FORWARD -i tun-ovh -j ACCEPT")
iptables("-A FORWARD -d 224.0.0.0/4 -j DROP")
# Proxy transparent, pour les deconnexion soft
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
#iptables("-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT")
for net in NETs['fil'] + NETs['wifi'] + NETs['serveurs']:
iptables("-A FORWARD -s %s -i %s -j TEST_MAC-IP" % (net, self.eth_int))
@ -790,7 +791,7 @@ class firewall_komaz(firewall_crans) :
#Connection de secours
# on ne peut pas faire passer https dans un proxy transparent sans faire de man in the middle et sans recompiler squid
iptables("-A FORWARD -p tcp -s 138.231.136.0/16 ! -d 138.231.136.0/16 --destination-port 443 -m condition --condition secours -j REJECT")
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % conf_fw.mark['secours'])
iptables("-A FORWARD -m mark --mark %s -j ACCEPT" % config.firewall.mark['secours'])
iptables("-P FORWARD ACCEPT")
@ -871,9 +872,9 @@ class firewall_komaz(firewall_crans) :
warn = ''
# Parametres pour iptables/tc
mark = conf_fw.mark['bittorrent']
debit_max = conf_fw.debit_max
debit_adh = int(conf_fw.debit_max / 1200.) # XXX: guesstimate
mark = config.firewall.mark['bittorrent']
debit_max = config.firewall.debit_max
debit_adh = int(config.firewall.debit_max / 1200.) # XXX: guesstimate
eth_ext = self.eth_ext
eth_int = self.eth_int
eth_wifi = self.eth_wifi
@ -889,7 +890,7 @@ class firewall_komaz(firewall_crans) :
if not machines:
# Il faut supprimer cette entrée
iptables_option = '-D'
subnet = IpSubnet(ip, conf_fw.mask[-1])
subnet = IpSubnet(ip, config.firewall.mask[-1])
all_regles = iptables("-t mangle -L SUBNET-%(subnet)s -n" % locals()).split('\n')
regles = [line for line in all_regles if ip in line]
# On sélectionne la première qui doit contenir ce que l'on veut
@ -903,7 +904,7 @@ class firewall_komaz(firewall_crans) :
machine = machines[0]
adherent = machine.proprietaire()
ip = machine.ip()
subnet = IpSubnet(ip, conf_fw.mask[-1])
subnet = IpSubnet(ip, config.firewall.mask[-1])
# On ne peut pas reprendre le numéro 1
class_id = int(adherent.id()) + 1
# On cree la classe et la qdisc s'il elles n'existent pas deja
@ -1203,8 +1204,8 @@ class firewall_komaz(firewall_crans) :
self.anim = anim("\tMarquage des machines pour blacklist soft", len(blacklist_soft))
for machine in blacklist_soft:
self.anim.cycle()
#~ iptables("-t mangle -A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy']))
rules.append("-A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), conf_fw.mark['proxy']))
#~ iptables("-t mangle -A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), config.firewall.mark['proxy']))
rules.append("-A BLACKLIST_SOFT -s %s -j MARK --set-mark %s" % (machine.ip(), config.firewall.mark['proxy']))
self.anim.reinit()
rules.append('COMMIT\n')
f = open('/tmp/ipt_blacklist', 'w')
@ -1452,14 +1453,14 @@ class firewall_sable(firewall_redisdead):
iptables("-t mangle -i eth0.2 -A PREROUTING -p tcp --destination-port 3128 " +
"--destination 10.231.136.9 " +
"-m mac --mac-source %s " % mac_komaz +
"-j MARK --set-mark %s" % conf_fw.mark['proxy'])
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
"-j MARK --set-mark %s" % config.firewall.mark['proxy'])
iptables("-t mangle -A PREROUTING -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
def nat_table(self):
firewall_redisdead.nat_table(self)
# Proxy transparent pour le filiaire
iptables("-t nat -A PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % conf_fw.mark['proxy'])
iptables("-t nat -A PREROUTING -i eth0.2 -m mark --mark %s -j ACCEPT" % config.firewall.mark['proxy'])
if_defaut = "eth0"
if_radin = "eth0.%d" % vlans["radin"]
if_accueil = "eth0.%d" % vlans["accueil"]
@ -1541,7 +1542,7 @@ class firewall_gordon(firewall_crans) :
#~ "-d ! 138.231.136.0/21 " +
#~ ("-i %s " % self.eth_wifi) +
#~ "-p tcp -m tcp --dport 80 " +
#~ "-j MARK --set-xmark %s/0xffffffff" % conf_fw.mark['proxy'])
#~ "-j MARK --set-xmark %s/0xffffffff" % config.firewall.mark['proxy'])
print OK
def post_start_hook(self) :