diff --git a/gestion/gen_confs/firewall4/base.py b/gestion/gen_confs/firewall4/base.py
index d98f5f54..9962ac8b 100644
--- a/gestion/gen_confs/firewall4/base.py
+++ b/gestion/gen_confs/firewall4/base.py
@@ -3,7 +3,6 @@
 import os
 import sys
 import socket
-import netaddr
 import utils
 from utils import pretty_print, anim, OK, cprint
@@ -96,7 +95,7 @@ class firewall(utils.firewall_tools) :
 # for ip in ip_list:
 # machine = self.conn.search(u"ipHostNumber=%s" % ip)
 # # Est-ce qu'il y a des blacklists hard parmis les blacklists de la machine
-# if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(config.blacklist_sanctions):
+# if machine and set([bl['type'] for bl in machine[0].blacklist_actif() ]).intersection(config.blacklist_sanctions):
 # try: self.ipset['blacklist']['hard'].add(ip)
 # except IpsetError: pass
 # else:
@@ -112,15 +111,7 @@ class firewall(utils.firewall_tools) :
 if fill_ipset:
 anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['hard'])
 # On récupère la liste de toutes les ips blacklistés hard
-bl_hard_ips = set(
-str(ip) for ips in
-[
-machine['ipHostNumber'] for machine in self.blacklisted_machines() if machine['ipHostNumber'] and reduce(lambda x,y: x or y, ( ip.value in netaddr.IPNetwork(n) for n in config.NETs['all'] for ip in machine['ipHostNumber']))
-if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(config.blacklist_sanctions)
-]
-for ip in ips
-)
-
+bl_hard_ips = self.blacklisted_ips(config.blacklist_sanctions, config.NETs['all'])
 self.ipset['blacklist']['hard'].restore(bl_hard_ips)
 print OK
diff --git a/gestion/gen_confs/firewall4/komaz.py b/gestion/gen_confs/firewall4/komaz.py
index e1104e3d..da380759 100644
--- a/gestion/gen_confs/firewall4/komaz.py
+++ b/gestion/gen_confs/firewall4/komaz.py
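Review bot: The line `bl_hard_ips = self.blacklisted_ips(config.blacklist_sanctions, config.NETs['all'])` is not a pure refactor of the removed expression: the old filter kept a machine as soon as any one of its addresses fell inside config.NETs['all'] and then added all of that machine's addresses, while blacklisted_ips (as added in utils.py in this commit) keeps only the individual addresses that lie inside one of the nets. The soft-blacklist hunk of komaz.py at @@ -312 has the same change. Leaving a blacklisted host's out-of-range addresses out of the ipset may well be what was wanted, but it is a behaviour change and deserves a line in the commit message or a comment at the call site such as `# only addresses inside NETs['all'] end up in the ipset`. The enclosing method starts before this hunk.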
@@ -298,7 +298,7 @@ class firewall(base.firewall_routeur):
 # for ip in ip_list:
 # machine = self.conn.search(u"ipHostNumber=%s" % ip)
 # # Est-ce qu'il y a des blacklists soft parmis les blacklists de la machine
-# if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(base.config.blacklist_sanctions_soft):
+# if machine and set([bl['type'] for bl in machine[0].blacklist_actif() ]).intersection(base.config.blacklist_sanctions_soft):
 # try: self.ipset['blacklist']['soft'].add(ip)
 # except IpsetError: pass
 # else:
@@ -312,15 +312,7 @@ class firewall(base.firewall_routeur):
 if fill_ipset:
 anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['soft'])
 # On récupère la liste de toutes les ips blacklistés soft
-bl_soft_ips = set(
-str(ip) for ips in
-[
-machine['ipHostNumber'] for machine in self.blacklisted_machines() if machine['ipHostNumber'] and reduce(lambda x,y: x or y, ( ip.value in base.netaddr.IPNetwork(n) for n in base.config.NETs['all'] for ip in machine['ipHostNumber']))
-if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(base.config.blacklist_sanctions_soft)
-]
-for ip in ips
-)
-
+bl_soft_ips = self.blacklisted_ips(base.config.blacklist_sanctions_soft, base.config.NETs['all'])
 self.ipset['blacklist']['soft'].restore(bl_soft_ips)
 print OK
@@ -348,7 +340,7 @@ class firewall(base.firewall_routeur):
 # for ip in ip_list:
 # machine = self.conn.search(u"ipHostNumber=%s" % ip)
 # # Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
-# if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
+# if machine and set([bl['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
 # try: self.ipset['blacklist']['upload'].add(ip)
 # except IpsetError: pass
 # else:
@@ -362,15 +354,7 @@ class firewall(base.firewall_routeur):
 if fill_ipset:
 anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['upload'])
 # On récupère la liste de toutes les ips blacklistés pour upload
-bl_upload_ips = set(
-str(ip) for ips in
-[
-machine['ipHostNumber'] for machine in self.blacklisted_machines()
-if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(base.config.blacklist_bridage_upload)
-]
-for ip in ips
-)
-
+bl_upload_ips = self.blacklisted_ips(base.config.blacklist_bridage_upload, base.config.NETs['all'])
 self.ipset['blacklist']['upload'].restore(bl_upload_ips)
 print OK
@@ -446,13 +430,13 @@ class firewall(base.firewall_routeur):
 for machine in self.machines():
 for ip in machine['ipHostNumber']:
-if 'portTCPout' in machine.attrs.keys():
+if 'portTCPout' in machine:
 add_ports(ip, machine, 'tcp', 'out')
-if 'portUDPout' in machine.attrs.keys():
+if 'portUDPout' in machine:
 add_ports(ip, machine, 'udp', 'out')
-if 'portTCPin' in machine.attrs.keys():
+if 'portTCPin' in machine:
 add_ports(ip, machine, 'tcp', 'in')
-if 'portUDPin' in machine.attrs.keys():
+if 'portUDPin' in machine:
 add_ports(ip, machine, 'udp', 'in')
 self.add(table, chain, '-j REJECT')
diff --git a/gestion/gen_confs/firewall4/utils.py b/gestion/gen_confs/firewall4/utils.py
index a2f84514..7e49198b 100644
--- a/gestion/gen_confs/firewall4/utils.py
+++ b/gestion/gen_confs/firewall4/utils.py
@@ -2,6 +2,7 @@
 # -*- coding: utf-8 -*-
 import os
 import sys
+import netaddr
 if '/usr/scripts/' not in sys.path:
 sys.path.append('/usr/scripts/')
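Review bot: The upload ipset is now restricted to base.config.NETs['all'] by `bl_upload_ips = self.blacklisted_ips(base.config.blacklist_bridage_upload, base.config.NETs['all'])`, whereas the removed expression applied no network filter at all and added every address of a machine carrying an upload blacklist. Any address outside NETs['all'] therefore silently drops out of the upload restriction; if that narrowing is intended, state it in the commit message, otherwise pass `nets=None` (the helper's default) to keep the previous set. The enclosing method starts before this hunk.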
@@ -58,11 +59,19 @@ class firewall_tools(object) :
 """Renvois la liste de toutes les machines"""
 if self._machines:
 return self._machines
+# On utilise allMachinesAdherents car on a besoin que
+# les machine.proprio() soit déjà peuplés. En effet, on regarde
+# les blacklistes d'un proprio lorsque l'on regarde les blacklistes
+# d'une machine
 self._machines, self._adherents = self.conn.allMachinesAdherents()
+self._adherents = [ adh for adh in self._adherents if adh.paiement_ok() ]
 return self._machines
 def adherents(self):
-"""Renvois la liste de tous les adhérents"""
+"""
+Renvois la liste de tous les adhérents à jour de paiement
+(car on suppose que la blackliste paiement est hard)
+"""
 if self._adherents:
 return self._adherents
 self._machines, self._adherents = self.conn.allMachinesAdherents()
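Review bot: adherents() only returns the paiement-filtered list when machines() happened to run first: the `paiement_ok()` filter is added to machines() only, while adherents()'s own cache fill on the last context line still stores the result of `self.conn.allMachinesAdherents()` unfiltered, and once `self._machines` is set machines() returns early without filtering. The new docstring promises "à jour de paiement", and the zamok.py hunk at @@ -102 drops the `['paiement']` exception in reliance on it, so call order now decides whether adherents with an unpaid-fee blacklist receive the `--uid-owner ... -j REJECT` rule. Apply the same filter in adherents(), `self._adherents = [ adh for adh in self._adherents if adh.paiement_ok() ]` right after its allMachinesAdherents() call, or move the filtering into one shared loader both methods use. adherents' body continues outside the hunk.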
@@ -76,8 +85,22 @@ class firewall_tools(object) :
 self._blacklisted_machines = [ machine for machine in self.machines() if machine.blacklist_actif() ]
 return self._blacklisted_machines
+def blacklisted_ips(self, blacklist_sanctions=None, nets=None):
+"""Renvois l'ensemble des ips des machines ayant une blacklist dans blacklist_sanctions et étant dans nets si spécifié"""
+bl_ips = set()
+for machine in self.blacklisted_machines():
+if blacklist_sanctions is None or set(bl['type'] for bl in machine.blacklist_actif()).intersection(blacklist_sanctions):
+for ip in machine['ipHostNumber']:
+if nets is None:
+bl_ips.add(str(ip))
+else:
+for net in nets:
+if ip in netaddr.IPNetwork(net):
+bl_ips.add(str(ip))
+return bl_ips
+
 def blacklisted_adherents(self, excepts=[]):
-"""Renvois la liste de tous les adhérents ayant une blackliste active"""
+"""Renvois la liste de tous les adhérents ayant une blackliste active en ignorant les blacklist de excepts"""
 if self._blacklisted_adherents and self._blacklisted_adherents_type == set(excepts):
 return self._blacklisted_adherents
 self._blacklisted_adherents = filter(lambda adh: adh.blacklist_actif(excepts), self.adherents())
diff --git a/gestion/gen_confs/firewall4/zamok.py b/gestion/gen_confs/firewall4/zamok.py
index 1413602e..e3f0796d 100644
--- a/gestion/gen_confs/firewall4/zamok.py
+++ b/gestion/gen_confs/firewall4/zamok.py
@@ -102,8 +102,8 @@ class firewall(base.firewall):
 self.add(table, chain, '-d 127.0.0.1/8 -j RETURN')
 for net in base.config.NETs['all']:
 self.add(table, chain, '-d %s -j RETURN' % net)
-for adh in self.blacklisted_adherents(['paiement']):
-if 'uidNumber' in adh.attrs.keys():
+for adh in self.blacklisted_adherents():
+if 'uidNumber' in adh:
 self.add(table, chain, '-m owner --uid-owner %s -j REJECT' % adh['uidNumber'][0])
 print OK
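Review bot: In blacklisted_ips, `netaddr.IPNetwork(net)` is re-parsed for every address of every machine inside the innermost loop although nets does not change during the call; parse the list once before the loop and test membership with any(). The membership test also uses the raw `ip` where the expression removed from base.py used `ip.value` — presumably the LDAP wrapper now yields plain values (the `bl['type']` change in the same commit suggests so), but it is worth confirming, because a wrapper object that never compares equal to an address would make every test false and restore an empty blacklist ipset with no error raised. The docstring should also say that `blacklist_sanctions=None` keeps every blacklisted machine and `nets=None` keeps every address. blacklisted_adherents' body continues outside the hunk.
```python
    def blacklisted_ips(self, blacklist_sanctions=None, nets=None):
        """Renvois l'ensemble des ips des machines ayant une blacklist dans blacklist_sanctions et étant dans nets si spécifié"""
        # Parse the networks once; the per-(ip, net) IPNetwork() call was the hot spot.
        networks = None if nets is None else [netaddr.IPNetwork(net) for net in nets]
        bl_ips = set()
        for machine in self.blacklisted_machines():
            if blacklist_sanctions is not None:
                types = set(bl['type'] for bl in machine.blacklist_actif())
                if not types.intersection(blacklist_sanctions):
                    continue
            for ip in machine['ipHostNumber']:
                # NOTE(review): assumes ip compares as a plain address — confirm against the LDAP wrapper
                if networks is None or any(ip in net for net in networks):
                    bl_ips.add(str(ip))
        return bl_ips
```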