[firewall4] Methode séparée pour les blacklist upload

gestion/gen_confs/firewall4.py

@@ -479,13 +479,14 @@ class firewall_komaz(firewall_base_routeur):
             'connexion_secours' : self.connexion_secours,
             'connexion_appartement' : self.connexion_appartement,
             'blacklist_soft' : self.blacklist_soft,
+            'blacklist_upload' : self.blacklist_upload,
             'reseaux_non_routable' : self.reseaux_non_routable,
             'filtrage_ports' : self.filtrage_ports,
             'limitation_debit' : self.limitation_debit,
             'limit_ssh_connexion' : self.limit_ssh_connexion,
         })
 
-        self.use_ipset.extend([self.blacklist_soft, self.reseaux_non_routable])
+        self.use_ipset.extend([self.blacklist_soft, self.blacklist_upload, self.reseaux_non_routable])
         self.use_tc.extend([self.limitation_debit])
 
         self.ipset['reseaux_non_routable'] = {
@@ -518,6 +519,7 @@ class firewall_komaz(firewall_base_routeur):
         chain = 'POSTROUTING'
         self.add(table, chain, '-j %s' % self.clamp_mss(table))
         self.add(table,chain, '-j %s' % self.limitation_debit(table, run_tc=True))
+        self.add(table, chain, '-j %s' % self.blacklist_upload(table, fill_ipset=True))
         return
 
     def filter_table(self):
@@ -720,15 +722,6 @@ class firewall_komaz(firewall_base_routeur):
                 try: self.ipset['blacklist']['soft'].delete(ip)
                 except IpsetError: pass
 
-            # Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
-            if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
-                try: self.ipset['blacklist']['upload'].add(ip)
-                except IpsetError: pass
-            else:
-                try: self.ipset['blacklist']['upload'].delete(ip)
-                except IpsetError: pass
-
-
     def blacklist_soft(self, table=None, fill_ipset=False, apply=False):
         """Redirige les gens blacklisté vers le portail captif"""
         chain = 'BLACKLIST_SOFT'
@@ -745,17 +738,7 @@ class firewall_komaz(firewall_base_routeur):
                 for ip in ips
             )
 
-            bl_upload_ips = set(
-                str(ip) for ips in
-                [
-                    machine['ipHostNumber'] for machine in self.blacklisted_machines()
-                    if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(blacklist_bridage_upload)
-                ]
-                for ip in ips
-            )
-
             self.ipset['blacklist']['soft'].restore(bl_soft_ips)
-            self.ipset['blacklist']['upload'].restore(bl_upload_ips)
             print OK
 
         if table == 'mangle':
@@ -783,6 +766,47 @@ class firewall_komaz(firewall_base_routeur):
             self.apply(table, chain)
         return chain
 
+    def blacklist_upload_maj(self, ip_list):
+        for ip in ip_list:
+            machine = conn.search("ipHostNumber=%s" % ip)
+            # Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
+            if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
+                try: self.ipset['blacklist']['upload'].add(ip)
+                except IpsetError: pass
+            else:
+                try: self.ipset['blacklist']['upload'].delete(ip)
+                except IpsetError: pass
+
+    def blacklist_upload(self, table=None, fill_ipset=False, apply=False):
+        """Redirige les gens blacklisté vers le portail captif"""
+        chain = 'BLACKLIST_UPLOAD'
+
+        if fill_ipset:
+            anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['upload'])
+            # On récupère la liste de toutes les ips blacklistés pour upload
+            bl_upload_ips = set(
+                str(ip) for ips in
+                [
+                    machine['ipHostNumber'] for machine in self.blacklisted_machines()
+                    if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(blacklist_bridage_upload)
+                ]
+                for ip in ips
+            )
+
+            self.ipset['blacklist']['upload'].restore(bl_upload_ips)
+            print OK
+
+        if table == 'mangle':
+            pretty_print(table, chain)
+            # Classification pour les blacklists upload
+            self.add(table, chain, '-o %s -m set --match-set %s src -j CLASSIFY --set-class 1:11' % (dev['out'], self.ipset['blacklist']['upload']))
+
+            print OK
+
+        if apply:
+            self.apply(table, chain)
+        return chain
+
     def reseaux_non_routable(self, table=None, fill_ipset=False, apply=False):
         """Bloque les réseaux non routables autres que ceux utilisés par le crans"""
         chain = 'RESEAUX_NON_ROUTABLES'
@@ -891,9 +915,6 @@ class firewall_komaz(firewall_base_routeur):
                 self.add(table, chain, '-o %s -d %s -j CLASSIFY --set-class 1:3' % (dev['app'], net))
                 self.add(table, chain, '-o %s -s %s -j CLASSIFY --set-class 1:2' % (dev['out'], net))
 
-            # Classification pour les blacklists upload
-            self.add(table, chain, '-o %s -m set --match-set %s src -j CLASSIFY --set-class 1:11' % (dev['out'], self.ipset['blacklist']['upload']))
-
             # Classification pour la voip
             self.add(table, chain, '-d sip.crans.org -j CLASSIFY --set-class 1:12')
             self.add(table, chain, '-s sip.crans.org -j CLASSIFY --set-class 1:12')