From d447b9546b8a16049e95a278f50dd96459a6859c Mon Sep 17 00:00:00 2001 From: Valentin Samir Date: Wed, 1 May 2013 17:57:34 +0200 Subject: [PATCH] =?UTF-8?q?[firewall4]=20Methode=20s=C3=A9par=C3=A9e=20pou?= =?UTF-8?q?r=20les=20blacklist=20upload?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- gestion/gen_confs/firewall4.py | 67 ++++++++++++++++++++++------------ 1 file changed, 44 insertions(+), 23 deletions(-) diff --git a/gestion/gen_confs/firewall4.py b/gestion/gen_confs/firewall4.py index b8539f95..56903ec9 100755 --- a/gestion/gen_confs/firewall4.py +++ b/gestion/gen_confs/firewall4.py @@ -479,13 +479,14 @@ class firewall_komaz(firewall_base_routeur): 'connexion_secours' : self.connexion_secours, 'connexion_appartement' : self.connexion_appartement, 'blacklist_soft' : self.blacklist_soft, + 'blacklist_upload' : self.blacklist_upload, 'reseaux_non_routable' : self.reseaux_non_routable, 'filtrage_ports' : self.filtrage_ports, 'limitation_debit' : self.limitation_debit, 'limit_ssh_connexion' : self.limit_ssh_connexion, }) - self.use_ipset.extend([self.blacklist_soft, self.reseaux_non_routable]) + self.use_ipset.extend([self.blacklist_soft, self.blacklist_upload, self.reseaux_non_routable]) self.use_tc.extend([self.limitation_debit]) self.ipset['reseaux_non_routable'] = { @@ -518,6 +519,7 @@ class firewall_komaz(firewall_base_routeur): chain = 'POSTROUTING' self.add(table, chain, '-j %s' % self.clamp_mss(table)) self.add(table,chain, '-j %s' % self.limitation_debit(table, run_tc=True)) + self.add(table, chain, '-j %s' % self.blacklist_upload(table, fill_ipset=True)) return def filter_table(self): 
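Review bot: In hunk @@ -518 the new `-j blacklist_upload` jump is placed after the `limitation_debit` jump in POSTROUTING, whereas hunk @@ -891 shows the same `CLASSIFY --set-class 1:11` rule previously sat inside the `limitation_debit` chain before the `sip.crans.org` 1:12 rules; since CLASSIFY is non-terminating and the last matching rule wins, traffic from an upload-blacklisted IP that was formerly reclassified by a later rule (e.g. VoIP to 1:12) now stays in class 1:11. If that precedence change is intended, document it next to the jump, e.g. `# Jumped after limitation_debit on purpose: class 1:11 for upload-blacklisted hosts overrides earlier CLASSIFY rules`; otherwise insert the jump before the `limitation_debit` one. The enclosing method that builds the mangle POSTROUTING chain starts and ends outside the hunk, and hunk @@ -479 is only the registration of the new method.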
@@ -720,15 +722,6 @@ class firewall_komaz(firewall_base_routeur): try: self.ipset['blacklist']['soft'].delete(ip) except IpsetError: pass - # Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine - if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload): - try: self.ipset['blacklist']['upload'].add(ip) - except IpsetError: pass - else: - try: self.ipset['blacklist']['upload'].delete(ip) - except IpsetError: pass - - def blacklist_soft(self, table=None, fill_ipset=False, apply=False): """Redirige les gens blacklisté vers le portail captif""" chain = 'BLACKLIST_SOFT' @@ -745,17 +738,7 @@ class firewall_komaz(firewall_base_routeur): for ip in ips ) - bl_upload_ips = set( - str(ip) for ips in - [ - machine['ipHostNumber'] for machine in self.blacklisted_machines() - if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(blacklist_bridage_upload) - ] - for ip in ips - ) - self.ipset['blacklist']['soft'].restore(bl_soft_ips) - self.ipset['blacklist']['upload'].restore(bl_upload_ips) print OK if table == 'mangle': 
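Review bot: Hunk @@ -720 deletes the per-IP maintenance of the `upload` ipset without replacing it with a call to the new `blacklist_upload_maj` (hunk @@ -783), and the diffstat's 44 insertions are fully accounted for by the other hunks, so nothing in this commit invokes the new method; incremental blacklist changes will only reach the upload ipset on a full `fill_ipset=True` rebuild. The enclosing update routine starts and ends outside the hunk, so the fix is a one-line call there with the IP list it iterates, e.g. `self.blacklist_upload_maj(<ip list variable>)`. Note also that the removed code reused an already-looked-up `machine`, while `blacklist_upload_maj` repeats a `conn.search` per IP, so a caller that already holds the machine objects pays a second directory query. The second hunk (@@ -745) only moves the full restore into `blacklist_upload` and needs no change.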
@@ -783,6 +766,47 @@ class firewall_komaz(firewall_base_routeur): self.apply(table, chain) return chain + def blacklist_upload_maj(self, ip_list): + for ip in ip_list: + machine = conn.search("ipHostNumber=%s" % ip) + # Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine + if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload): + try: self.ipset['blacklist']['upload'].add(ip) + except IpsetError: pass + else: + try: self.ipset['blacklist']['upload'].delete(ip) + except IpsetError: pass + + def blacklist_upload(self, table=None, fill_ipset=False, apply=False): + """Redirige les gens blacklisté vers le portail captif""" + chain = 'BLACKLIST_UPLOAD' + + if fill_ipset: + anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['upload']) + # On récupère la liste de toutes les ips blacklistés pour upload + bl_upload_ips = set( + str(ip) for ips in + [ + machine['ipHostNumber'] for machine in self.blacklisted_machines() + if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(blacklist_bridage_upload) + ] + for ip in ips + ) + + self.ipset['blacklist']['upload'].restore(bl_upload_ips) + print OK + + if table == 'mangle': + pretty_print(table, chain) + # Classification pour les blacklists upload + self.add(table, chain, '-o %s -m set --match-set %s src -j CLASSIFY --set-class 1:11' % (dev['out'], self.ipset['blacklist']['upload'])) + + print OK + + if apply: + self.apply(table, chain) + return chain + def reseaux_non_routable(self, table=None, fill_ipset=False, apply=False): """Bloque les réseaux non routables autres que ceux utilisés par le crans""" chain = 'RESEAUX_NON_ROUTABLES' 
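Review bot: `blacklist_upload`'s docstring is copied from `blacklist_soft` ("Redirige les gens blacklisté vers le portail captif") but the method performs no redirection — it restores the `upload` ipset and, in the mangle table, classifies outgoing traffic of those IPs into class 1:11. Replace it with e.g. `"""Classify outgoing traffic of upload-blacklisted hosts into tc class 1:11; fill_ipset rebuilds the upload ipset from the blacklisted machines."""`, and give `blacklist_upload_maj` a docstring stating that it adds each IP of ip_list to the upload ipset when the machine has an active upload blacklist and removes it otherwise. In `blacklist_upload_maj` the lookup filter is built by interpolation, `"ipHostNumber=%s" % ip`; if `ip` can come from anywhere other than trusted internal data, validate it as an IP address before interpolating so it cannot alter the filter. The `set([... for bl in ...])` constructions can be set comprehensions, `{bl.value['type'] for bl in machine.blacklist_actif()}`, which is shorter and avoids the intermediate list.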
@@ -891,9 +915,6 @@ class firewall_komaz(firewall_base_routeur): self.add(table, chain, '-o %s -d %s -j CLASSIFY --set-class 1:3' % (dev['app'], net)) self.add(table, chain, '-o %s -s %s -j CLASSIFY --set-class 1:2' % (dev['out'], net)) - # Classification pour les blacklists upload - self.add(table, chain, '-o %s -m set --match-set %s src -j CLASSIFY --set-class 1:11' % (dev['out'], self.ipset['blacklist']['upload'])) - # Classification pour la voip self.add(table, chain, '-d sip.crans.org -j CLASSIFY --set-class 1:12') self.add(table, chain, '-s sip.crans.org -j CLASSIFY --set-class 1:12')