Commit
0731aa4e
authored
Aug 15, 2014
by
Bach Dániel
Merge branch 'firewall-fixes' into 'master'
Firewall Fixes
parents
601f4803
048d3e30
Showing
4 changed files
with
32 additions
and
9 deletions
+32
-9
circle/firewall/fw.py
+18
-6
circle/firewall/iptables.py
+1
-1
circle/firewall/models.py
+7
-1
circle/firewall/templates/firewall/iptables.conf
+6
-1
circle/firewall/fw.py
...
@@ -62,6 +62,15 @@ class BuildFirewall:
...
@@ -62,6 +62,15 @@ class BuildFirewall:
extra
=
'-j DNAT --to-destination
%
s:
%
s'
%
(
rule
.
host
.
ipv4
,
extra
=
'-j DNAT --to-destination
%
s:
%
s'
%
(
rule
.
host
.
ipv4
,
rule
.
dport
)))
rule
.
dport
)))
# SNAT rules for machines with public IPv4
for
host
in
Host
.
objects
.
exclude
(
external_ipv4
=
None
)
.
select_related
(
'vlan'
)
.
prefetch_related
(
'vlan__snat_to'
):
for
vl_out
in
host
.
vlan
.
snat_to
.
all
():
self
.
add_rules
(
POSTROUTING
=
IptRule
(
priority
=
1500
,
src
=
(
host
.
ipv4
,
None
),
extra
=
'-o
%
s -j SNAT --to-source
%
s'
%
(
vl_out
.
name
,
host
.
external_ipv4
)))
# default outbound NAT rules for VLANs
# default outbound NAT rules for VLANs
for
vl_in
in
Vlan
.
objects
.
exclude
(
for
vl_in
in
Vlan
.
objects
.
exclude
(
snat_ip
=
None
)
.
prefetch_related
(
'snat_to'
):
snat_ip
=
None
)
.
prefetch_related
(
'snat_to'
):
...
@@ -183,9 +192,12 @@ def generate_ptr_records():
...
@@ -183,9 +192,12 @@ def generate_ptr_records():
for
host
in
Host
.
objects
.
order_by
(
'vlan'
)
.
all
():
for
host
in
Host
.
objects
.
order_by
(
'vlan'
)
.
all
():
template
=
host
.
vlan
.
reverse_domain
template
=
host
.
vlan
.
reverse_domain
i
=
host
.
get_external_ipv4
()
.
words
if
not
host
.
shared_ip
and
host
.
external_ipv4
:
# DMZ
reverse
=
(
host
.
reverse
if
host
.
reverse
not
in
[
None
,
''
]
i
=
host
.
external_ipv4
.
words
else
host
.
get_fqdn
())
reverse
=
host
.
get_hostname
(
'ipv4'
,
public
=
True
)
else
:
i
=
host
.
ipv4
.
words
reverse
=
host
.
get_hostname
(
'ipv4'
,
public
=
False
)
# ipv4
# ipv4
if
host
.
ipv4
:
if
host
.
ipv4
:
...
@@ -194,7 +206,7 @@ def generate_ptr_records():
...
@@ -194,7 +206,7 @@ def generate_ptr_records():
# ipv6
# ipv6
if
host
.
ipv6
:
if
host
.
ipv6
:
DNS
.
append
(
"^
%
s:
%
s:
%
s"
%
(
host
.
ipv6
.
reverse_dns
,
DNS
.
append
(
"^
%
s:
%
s:
%
s"
%
(
host
.
ipv6
.
reverse_dns
.
rstrip
(
'.'
)
,
reverse
,
settings
[
'dns_ttl'
]))
reverse
,
settings
[
'dns_ttl'
]))
return
DNS
return
DNS
...
@@ -211,14 +223,14 @@ def generate_records():
...
@@ -211,14 +223,14 @@ def generate_records():
'CNAME'
:
'C
%(fqdn)
s:
%(address)
s:
%(ttl)
s'
,
'CNAME'
:
'C
%(fqdn)
s:
%(address)
s:
%(ttl)
s'
,
'MX'
:
'@
%(fqdn)
s::
%(address)
s:
%(dist)
s:
%(ttl)
s'
,
'MX'
:
'@
%(fqdn)
s::
%(address)
s:
%(dist)
s:
%(ttl)
s'
,
'PTR'
:
'^
%(fqdn)
s:
%(address)
s:
%(ttl)
s'
,
'PTR'
:
'^
%(fqdn)
s:
%(address)
s:
%(ttl)
s'
,
'TXT'
:
'
%(fqdn)
s:
%(octal)
s:
%(ttl)
s'
}
'TXT'
:
"'
%(fqdn)
s:
%(octal)
s:
%(ttl)
s"
}
retval
=
[]
retval
=
[]
for
r
in
Record
.
objects
.
all
():
for
r
in
Record
.
objects
.
all
():
params
=
{
'fqdn'
:
r
.
fqdn
,
'address'
:
r
.
address
,
'ttl'
:
r
.
ttl
}
params
=
{
'fqdn'
:
r
.
fqdn
,
'address'
:
r
.
address
,
'ttl'
:
r
.
ttl
}
if
r
.
type
==
'MX'
:
if
r
.
type
==
'MX'
:
params
[
'
address'
],
params
[
'dist
'
]
=
r
.
address
.
split
(
':'
,
2
)
params
[
'
dist'
],
params
[
'address
'
]
=
r
.
address
.
split
(
':'
,
2
)
if
r
.
type
==
'AAAA'
:
if
r
.
type
==
'AAAA'
:
try
:
try
:
params
[
'octal'
]
=
ipv6_to_octal
(
r
.
address
)
params
[
'octal'
]
=
ipv6_to_octal
(
r
.
address
)
...
...
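Review bot: In the generate_ptr_records hunk the new `else` branch evaluates `host.ipv4.words` before the `# ipv4` / `if host.ipv4:` guard that follows it, so a host whose `ipv4` is unset (a state the models.py change treats as possible with `if self.ipv4 is not None:`) raises AttributeError and aborts the whole PTR build instead of skipping that host. Guarding the access, e.g. `i = host.ipv4.words if host.ipv4 else None`, keeps the loop going; the body of generate_ptr_records continues outside the hunk, so check that `i` is only consumed under that guard. In the generate_records hunk the reordered `params['dist'], params['address'] = r.address.split(':', 2)` still uses maxsplit 2, which yields up to three parts and makes the two-name unpack raise ValueError for an MX value containing more than one colon; if the stored value is `dist:address`, `split(':', 1)` is the matching form.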
circle/firewall/iptables.py
...
@@ -22,7 +22,7 @@ from collections import OrderedDict
...
@@ -22,7 +22,7 @@ from collections import OrderedDict
logger
=
logging
.
getLogger
()
logger
=
logging
.
getLogger
()
ipv4_re
=
re
.
compile
(
ipv4_re
=
re
.
compile
(
r'
^
(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}'
)
r'(25[0-5]|2[0-4]\d|[0-1]?\d?\d)(\.(25[0-5]|2[0-4]\d|[0-1]?\d?\d)){3}'
)
class
InvalidRuleExcepion
(
Exception
):
class
InvalidRuleExcepion
(
Exception
):
...
...
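Review bot: Dropping the leading `^` from `ipv4_re` turns it into an unanchored search for any dotted-quad substring, and the pattern never had an end anchor, so any call site (all of them are outside this hunk) that uses it to validate an address will now accept input that merely contains one, e.g. an address followed by extra characters. If the intent is to locate an address inside a longer rule string, a comment next to the compile such as `# unanchored on purpose: used to find an address inside a longer string` would make that explicit; sites that still need validation should call `ipv4_re.fullmatch(value)` (or `match`) rather than `search`.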
circle/firewall/models.py
...
@@ -575,10 +575,14 @@ class Host(models.Model):
...
@@ -575,10 +575,14 @@ class Host(models.Model):
# IPv4
# IPv4
if
self
.
ipv4
is
not
None
:
if
self
.
ipv4
is
not
None
:
if
not
self
.
shared_ip
and
self
.
external_ipv4
:
# DMZ
ipv4
=
self
.
external_ipv4
else
:
ipv4
=
self
.
ipv4
# update existing records
# update existing records
affected_records
=
Record
.
objects
.
filter
(
affected_records
=
Record
.
objects
.
filter
(
host
=
self
,
name
=
self
.
hostname
,
host
=
self
,
name
=
self
.
hostname
,
type
=
'A'
)
.
update
(
address
=
self
.
ipv4
)
type
=
'A'
)
.
update
(
address
=
ipv4
)
# create new record
# create new record
if
affected_records
==
0
:
if
affected_records
==
0
:
Record
(
host
=
self
,
Record
(
host
=
self
,
...
@@ -714,6 +718,8 @@ class Host(models.Model):
...
@@ -714,6 +718,8 @@ class Host(models.Model):
:type proto: str.
:type proto: str.
"""
"""
assert
proto
in
(
'ipv6'
,
'ipv4'
,
)
assert
proto
in
(
'ipv6'
,
'ipv4'
,
)
if
self
.
reverse
:
return
self
.
reverse
try
:
try
:
if
proto
==
'ipv6'
:
if
proto
==
'ipv6'
:
res
=
self
.
record_set
.
filter
(
type
=
'AAAA'
,
res
=
self
.
record_set
.
filter
(
type
=
'AAAA'
,
...
...
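Review bot: In the first hunk the DMZ-aware local `ipv4` is applied only to the `.update(address=ipv4)` call; the `Record(host=self, ...)` creation under `if affected_records == 0:` continues outside the hunk, and if it still passes `address=self.ipv4`, a DMZ host whose A record does not yet exist gets its private address while an existing record gets the external one. Confirm the creation path uses the same `ipv4` local. In the second hunk the new `if self.reverse: return self.reverse` short-circuit applies to both protocols and, as far as the hunk shows, regardless of the `public` argument that the fw.py hunk now passes; the docstring above it (partly outside the hunk) should state that, e.g. `:return: the explicit reverse name when set, otherwise the name found in the record set.`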
circle/firewall/templates/firewall/iptables.conf
...
@@ -35,7 +35,7 @@ COMMIT
...
@@ -35,7 +35,7 @@ COMMIT
{%
if
proto
==
"ipv4"
%}
{%
if
proto
==
"ipv4"
%}
-
A
FORWARD
-
p
icmp
--
icmp
-
type
echo
-
request
-
g
LOG_ACC
-
A
FORWARD
-
p
icmp
--
icmp
-
type
echo
-
request
-
g
LOG_ACC
{%
else
%}
{%
else
%}
-
A
FORWARD
-
p
icmpv6
-
-
icmpv6
-
type
echo
-
request
-
g
LOG_ACC
-
A
FORWARD
-
p
icmpv6
-
g
LOG_ACC
{%
endif
%}
{%
endif
%}
# initialize INPUT chain
# initialize INPUT chain
...
@@ -45,6 +45,11 @@ COMMIT
...
@@ -45,6 +45,11 @@ COMMIT
-
A
INPUT
-
m
state
--
state
INVALID
-
g
LOG_DROP
-
A
INPUT
-
m
state
--
state
INVALID
-
g
LOG_DROP
-
A
INPUT
-
i
lo
-
j
ACCEPT
-
A
INPUT
-
i
lo
-
j
ACCEPT
-
A
INPUT
-
m
state
--
state
ESTABLISHED
,
RELATED
-
j
ACCEPT
-
A
INPUT
-
m
state
--
state
ESTABLISHED
,
RELATED
-
j
ACCEPT
{%
if
proto
==
"ipv4"
%}
-
A
INPUT
-
p
icmp
--
icmp
-
type
echo
-
request
-
g
LOG_ACC
{%
else
%}
-
A
INPUT
-
p
icmpv6
-
g
LOG_ACC
{%
endif
%}
# initialize OUTPUT chain
# initialize OUTPUT chain
-
A
OUTPUT
-
m
state
--
state
INVALID
-
g
LOG_DROP
-
A
OUTPUT
-
m
state
--
state
INVALID
-
g
LOG_DROP
...
...
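Review bot: The new INPUT rule `-A INPUT -p icmpv6 -g LOG_ACC` (and the FORWARD rule widened in the first hunk from echo-request only to all of `-p icmpv6`) presumably accepts every ICMPv6 type, including router-advertisement and redirect, which a box that is itself the firewall should not normally honour on its interfaces. Accepting all ICMPv6 is a common shortcut because neighbour discovery and packet-too-big are required for IPv6 to work at all, but RFC 4890 recommends listing the needed types explicitly, which keeps the LOG_ACC behaviour for them while leaving the remaining types to the chain's default handling. The `{% endif %}` and the OUTPUT chain that follow are unchanged.
```jinja
{% else %}
-A INPUT -p icmpv6 --icmpv6-type destination-unreachable -g LOG_ACC
-A INPUT -p icmpv6 --icmpv6-type packet-too-big -g LOG_ACC
-A INPUT -p icmpv6 --icmpv6-type time-exceeded -g LOG_ACC
-A INPUT -p icmpv6 --icmpv6-type parameter-problem -g LOG_ACC
-A INPUT -p icmpv6 --icmpv6-type echo-request -g LOG_ACC
-A INPUT -p icmpv6 --icmpv6-type echo-reply -g LOG_ACC
-A INPUT -p icmpv6 --icmpv6-type router-solicitation -g LOG_ACC
-A INPUT -p icmpv6 --icmpv6-type neighbour-solicitation -g LOG_ACC
-A INPUT -p icmpv6 --icmpv6-type neighbour-advertisement -g LOG_ACC
# … unchanged: {% endif %} and the OUTPUT chain …
```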