Skip to content
Toggle navigation
P
Projects
G
Groups
S
Snippets
Help
CIRCLE
/
cloud
This project
Loading...
Sign in
Toggle navigation
Go to a project
Project
Repository
Issues
94
Merge Requests
10
Pipelines
Wiki
Snippets
Members
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Commit
29bbf837
authored
Jul 04, 2013
by
Kálmán Viktor
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
firewall: fixing trivial pep8 errors
parent
935d2a02
Show whitespace changes
Inline
Side-by-side
Showing
6 changed files
with
131 additions
and
93 deletions
+131
-93
firewall/admin.py
+16
-4
firewall/fields.py
+14
-0
firewall/fw.py
+63
-68
firewall/models.py
+8
-4
firewall/tasks.py
+9
-3
firewall/views.py
+21
-14
No files found.
firewall/admin.py
View file @
29bbf837
# -*- coding: utf8 -*-
# -*- coding: utf8 -*-
from
django.contrib
import
admin
from
django.contrib
import
admin
from
firewall.models
import
*
from
firewall.models
import
(
Rule
,
Host
,
Vlan
,
Group
,
VlanGroup
,
Firewall
,
Domain
,
Record
,
Blacklist
)
from
django
import
contrib
from
django
import
contrib
class
RuleInline
(
contrib
.
admin
.
TabularInline
):
class
RuleInline
(
contrib
.
admin
.
TabularInline
):
model
=
Rule
model
=
Rule
class
RecordInline
(
contrib
.
admin
.
TabularInline
):
class
RecordInline
(
contrib
.
admin
.
TabularInline
):
model
=
Record
model
=
Record
class
HostAdmin
(
admin
.
ModelAdmin
):
class
HostAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'hostname'
,
'vlan'
,
'ipv4'
,
'ipv6'
,
'pub_ipv4'
,
'mac'
,
list_display
=
(
'hostname'
,
'vlan'
,
'ipv4'
,
'ipv6'
,
'pub_ipv4'
,
'mac'
,
'shared_ip'
,
'owner'
,
'description'
,
'reverse'
,
'list_groups'
)
'shared_ip'
,
'owner'
,
'description'
,
'reverse'
,
'list_groups'
)
ordering
=
(
'hostname'
,
)
ordering
=
(
'hostname'
,
)
list_filter
=
(
'owner'
,
'vlan'
,
'groups'
)
list_filter
=
(
'owner'
,
'vlan'
,
'groups'
)
search_fields
=
(
'hostname'
,
'description'
,
'ipv4'
,
'ipv6'
,
'mac'
)
search_fields
=
(
'hostname'
,
'description'
,
'ipv4'
,
'ipv6'
,
'mac'
)
...
@@ -26,20 +30,24 @@ class HostAdmin(admin.ModelAdmin):
...
@@ -26,20 +30,24 @@ class HostAdmin(admin.ModelAdmin):
names
=
[
group
.
name
for
group
in
instance
.
groups
.
all
()]
names
=
[
group
.
name
for
group
in
instance
.
groups
.
all
()]
return
u', '
.
join
(
names
)
return
u', '
.
join
(
names
)
class
HostInline
(
contrib
.
admin
.
TabularInline
):
class
HostInline
(
contrib
.
admin
.
TabularInline
):
model
=
Host
model
=
Host
fields
=
(
'hostname'
,
'ipv4'
,
'ipv6'
,
'pub_ipv4'
,
'mac'
,
'shared_ip'
,
fields
=
(
'hostname'
,
'ipv4'
,
'ipv6'
,
'pub_ipv4'
,
'mac'
,
'shared_ip'
,
'owner'
,
'reverse'
)
'owner'
,
'reverse'
)
class
VlanAdmin
(
admin
.
ModelAdmin
):
class
VlanAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'vid'
,
'name'
,
'ipv4'
,
'net_ipv4'
,
'ipv6'
,
'net_ipv6'
,
list_display
=
(
'vid'
,
'name'
,
'ipv4'
,
'net_ipv4'
,
'ipv6'
,
'net_ipv6'
,
'description'
,
'domain'
,
'snat_ip'
,
)
'description'
,
'domain'
,
'snat_ip'
,
)
ordering
=
(
'vid'
,
)
ordering
=
(
'vid'
,
)
inlines
=
(
RuleInline
,
)
inlines
=
(
RuleInline
,
)
class
RuleAdmin
(
admin
.
ModelAdmin
):
class
RuleAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'r_type'
,
'color_desc'
,
'owner'
,
'extra'
,
'direction'
,
list_display
=
(
'r_type'
,
'color_desc'
,
'owner'
,
'extra'
,
'direction'
,
'accept'
,
'proto'
,
'sport'
,
'dport'
,
'nat'
,
'nat_dport'
,
'used_in'
)
'accept'
,
'proto'
,
'sport'
,
'dport'
,
'nat'
,
'nat_dport'
,
'used_in'
)
list_filter
=
(
'r_type'
,
'vlan'
,
'owner'
,
'direction'
,
'accept'
,
list_filter
=
(
'r_type'
,
'vlan'
,
'owner'
,
'direction'
,
'accept'
,
'proto'
,
'nat'
)
'proto'
,
'nat'
)
...
@@ -81,16 +89,20 @@ class RuleAdmin(admin.ModelAdmin):
...
@@ -81,16 +89,20 @@ class RuleAdmin(admin.ModelAdmin):
class
AliasAdmin
(
admin
.
ModelAdmin
):
class
AliasAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'alias'
,
'host'
)
list_display
=
(
'alias'
,
'host'
)
class
GroupAdmin
(
admin
.
ModelAdmin
):
class
GroupAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'name'
,
'owner'
,
'description'
)
list_display
=
(
'name'
,
'owner'
,
'description'
)
inlines
=
(
RuleInline
,
)
inlines
=
(
RuleInline
,
)
class
FirewallAdmin
(
admin
.
ModelAdmin
):
class
FirewallAdmin
(
admin
.
ModelAdmin
):
inlines
=
(
RuleInline
,
)
inlines
=
(
RuleInline
,
)
class
DomainAdmin
(
admin
.
ModelAdmin
):
class
DomainAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'name'
,
'owner'
)
list_display
=
(
'name'
,
'owner'
)
class
RecordAdmin
(
admin
.
ModelAdmin
):
class
RecordAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'name_'
,
'type'
,
'address_'
,
'ttl'
,
'host'
,
'owner'
)
list_display
=
(
'name_'
,
'type'
,
'address_'
,
'ttl'
,
'host'
,
'owner'
)
...
@@ -104,6 +116,7 @@ class RecordAdmin(admin.ModelAdmin):
...
@@ -104,6 +116,7 @@ class RecordAdmin(admin.ModelAdmin):
a
=
instance
.
get_data
()
a
=
instance
.
get_data
()
return
a
[
'name'
]
if
a
else
None
return
a
[
'name'
]
if
a
else
None
class
BlacklistAdmin
(
admin
.
ModelAdmin
):
class
BlacklistAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'ipv4'
,
'reason'
,
'created_at'
,
'modified_at'
)
list_display
=
(
'ipv4'
,
'reason'
,
'created_at'
,
'modified_at'
)
...
@@ -116,4 +129,3 @@ admin.site.register(Firewall, FirewallAdmin)
...
@@ -116,4 +129,3 @@ admin.site.register(Firewall, FirewallAdmin)
admin
.
site
.
register
(
Domain
,
DomainAdmin
)
admin
.
site
.
register
(
Domain
,
DomainAdmin
)
admin
.
site
.
register
(
Record
,
RecordAdmin
)
admin
.
site
.
register
(
Record
,
RecordAdmin
)
admin
.
site
.
register
(
Blacklist
,
BlacklistAdmin
)
admin
.
site
.
register
(
Blacklist
,
BlacklistAdmin
)
firewall/fields.py
View file @
29bbf837
...
@@ -6,12 +6,14 @@ from django.utils.ipv6 import is_valid_ipv6_address
...
@@ -6,12 +6,14 @@ from django.utils.ipv6 import is_valid_ipv6_address
from
south.modelsinspector
import
add_introspection_rules
from
south.modelsinspector
import
add_introspection_rules
import
re
import
re
mac_re
=
re
.
compile
(
r'^([0-9a-fA-F]{2}(:|$)){6}$'
)
mac_re
=
re
.
compile
(
r'^([0-9a-fA-F]{2}(:|$)){6}$'
)
alfanum_re
=
re
.
compile
(
r'^[A-Za-z0-9_-]+$'
)
alfanum_re
=
re
.
compile
(
r'^[A-Za-z0-9_-]+$'
)
domain_re
=
re
.
compile
(
r'^([A-Za-z0-9_-]\.?)+$'
)
domain_re
=
re
.
compile
(
r'^([A-Za-z0-9_-]\.?)+$'
)
ipv4_re
=
re
.
compile
(
'^[0-9]+
\
.([0-9]+)
\
.([0-9]+)
\
.([0-9]+)$'
)
ipv4_re
=
re
.
compile
(
'^[0-9]+
\
.([0-9]+)
\
.([0-9]+)
\
.([0-9]+)$'
)
reverse_domain_re
=
re
.
compile
(
r'^(
%
\([abcd]\)d|[a-z0-9.-])+$'
)
reverse_domain_re
=
re
.
compile
(
r'^(
%
\([abcd]\)d|[a-z0-9.-])+$'
)
class
MACAddressFormField
(
fields
.
RegexField
):
class
MACAddressFormField
(
fields
.
RegexField
):
default_error_messages
=
{
default_error_messages
=
{
'invalid'
:
_
(
u'Enter a valid MAC address.'
),
'invalid'
:
_
(
u'Enter a valid MAC address.'
),
...
@@ -20,8 +22,10 @@ class MACAddressFormField(fields.RegexField):
...
@@ -20,8 +22,10 @@ class MACAddressFormField(fields.RegexField):
def
__init__
(
self
,
*
args
,
**
kwargs
):
def
__init__
(
self
,
*
args
,
**
kwargs
):
super
(
MACAddressFormField
,
self
)
.
__init__
(
mac_re
,
*
args
,
**
kwargs
)
super
(
MACAddressFormField
,
self
)
.
__init__
(
mac_re
,
*
args
,
**
kwargs
)
class
MACAddressField
(
models
.
Field
):
class
MACAddressField
(
models
.
Field
):
empty_strings_allowed
=
False
empty_strings_allowed
=
False
def
__init__
(
self
,
*
args
,
**
kwargs
):
def
__init__
(
self
,
*
args
,
**
kwargs
):
kwargs
[
'max_length'
]
=
17
kwargs
[
'max_length'
]
=
17
super
(
MACAddressField
,
self
)
.
__init__
(
*
args
,
**
kwargs
)
super
(
MACAddressField
,
self
)
.
__init__
(
*
args
,
**
kwargs
)
...
@@ -35,44 +39,53 @@ class MACAddressField(models.Field):
...
@@ -35,44 +39,53 @@ class MACAddressField(models.Field):
return
super
(
MACAddressField
,
self
)
.
formfield
(
**
defaults
)
return
super
(
MACAddressField
,
self
)
.
formfield
(
**
defaults
)
add_introspection_rules
([],
[
"firewall
\
.fields
\
.MACAddressField"
])
add_introspection_rules
([],
[
"firewall
\
.fields
\
.MACAddressField"
])
def
val_alfanum
(
value
):
def
val_alfanum
(
value
):
"""Validate whether the parameter is a valid alphanumeric value."""
"""Validate whether the parameter is a valid alphanumeric value."""
if
not
alfanum_re
.
match
(
value
):
if
not
alfanum_re
.
match
(
value
):
raise
ValidationError
(
_
(
u'
%
s - only letters, numbers, underscores '
raise
ValidationError
(
_
(
u'
%
s - only letters, numbers, underscores '
'and hyphens are allowed!'
)
%
value
)
'and hyphens are allowed!'
)
%
value
)
def
is_valid_domain
(
value
):
def
is_valid_domain
(
value
):
"""Check whether the parameter is a valid domain name."""
"""Check whether the parameter is a valid domain name."""
return
domain_re
.
match
(
value
)
is
not
None
return
domain_re
.
match
(
value
)
is
not
None
def
val_domain
(
value
):
def
val_domain
(
value
):
"""Validate whether the parameter is a valid domin name."""
"""Validate whether the parameter is a valid domin name."""
if
not
is_valid_domain
(
value
):
if
not
is_valid_domain
(
value
):
raise
ValidationError
(
_
(
u'
%
s - invalid domain name'
)
%
value
)
raise
ValidationError
(
_
(
u'
%
s - invalid domain name'
)
%
value
)
def
is_valid_reverse_domain
(
value
):
def
is_valid_reverse_domain
(
value
):
"""Check whether the parameter is a valid reverse domain name."""
"""Check whether the parameter is a valid reverse domain name."""
return
reverse_domain_re
.
match
(
value
)
is
not
None
return
reverse_domain_re
.
match
(
value
)
is
not
None
def
val_reverse_domain
(
value
):
def
val_reverse_domain
(
value
):
"""Validate whether the parameter is a valid reverse domain name."""
"""Validate whether the parameter is a valid reverse domain name."""
if
not
is_valid_reverse_domain
(
value
):
if
not
is_valid_reverse_domain
(
value
):
raise
ValidationError
(
u'
%
s - invalid reverse domain name'
%
value
)
raise
ValidationError
(
u'
%
s - invalid reverse domain name'
%
value
)
def
is_valid_ipv4_address
(
value
):
def
is_valid_ipv4_address
(
value
):
"""Check whether the parameter is a valid IPv4 address."""
"""Check whether the parameter is a valid IPv4 address."""
return
ipv4_re
.
match
(
value
)
is
not
None
return
ipv4_re
.
match
(
value
)
is
not
None
def
val_ipv4
(
value
):
def
val_ipv4
(
value
):
"""Validate whether the parameter is a valid IPv4 address."""
"""Validate whether the parameter is a valid IPv4 address."""
if
not
is_valid_ipv4_address
(
value
):
if
not
is_valid_ipv4_address
(
value
):
raise
ValidationError
(
_
(
u'
%
s - not an IPv4 address'
)
%
value
)
raise
ValidationError
(
_
(
u'
%
s - not an IPv4 address'
)
%
value
)
def
val_ipv6
(
value
):
def
val_ipv6
(
value
):
"""Validate whether the parameter is a valid IPv6 address."""
"""Validate whether the parameter is a valid IPv6 address."""
if
not
is_valid_ipv6_address
(
value
):
if
not
is_valid_ipv6_address
(
value
):
raise
ValidationError
(
_
(
u'
%
s - not an IPv6 address'
)
%
value
)
raise
ValidationError
(
_
(
u'
%
s - not an IPv6 address'
)
%
value
)
def
val_mx
(
value
):
def
val_mx
(
value
):
"""Validate whether the parameter is a valid MX address definition.
"""Validate whether the parameter is a valid MX address definition.
...
@@ -84,6 +97,7 @@ def val_mx(value):
...
@@ -84,6 +97,7 @@ def val_mx(value):
raise
ValidationError
(
_
(
"Bad MX address format. "
raise
ValidationError
(
_
(
"Bad MX address format. "
"Should be: <priority>:<hostname>"
))
"Should be: <priority>:<hostname>"
))
def
ipv4_2_ipv6
(
ipv4
):
def
ipv4_2_ipv6
(
ipv4
):
"""Convert IPv4 address string to IPv6 address string."""
"""Convert IPv4 address string to IPv6 address string."""
val_ipv4
(
ipv4
)
val_ipv4
(
ipv4
)
...
...
firewall/fw.py
View file @
29bbf837
from
django.contrib
import
auth
from
firewall
import
models
from
firewall
import
models
import
os
import
django.conf
import
django.conf
import
subprocess
import
subprocess
import
re
import
re
import
json
from
datetime
import
datetime
,
timedelta
from
datetime
import
datetime
,
timedelta
from
django.db.models
import
Q
from
django.db.models
import
Q
settings
=
django
.
conf
.
settings
.
FIREWALL_SETTINGS
settings
=
django
.
conf
.
settings
.
FIREWALL_SETTINGS
class
Firewall
:
class
Firewall
:
IPV6
=
False
IPV6
=
False
RULES
=
None
RULES
=
None
RULES_NAT
=
[]
RULES_NAT
=
[]
vlans
=
None
vlans
=
None
...
@@ -35,7 +34,6 @@ class Firewall:
...
@@ -35,7 +34,6 @@ class Firewall:
retval
=
'-p
%
s '
%
rule
.
proto
retval
=
'-p
%
s '
%
rule
.
proto
return
retval
return
retval
def
iptables
(
self
,
s
):
def
iptables
(
self
,
s
):
"""Append rule to filter table."""
"""Append rule to filter table."""
self
.
RULES
.
append
(
s
)
self
.
RULES
.
append
(
s
)
...
@@ -70,12 +68,13 @@ class Firewall:
...
@@ -70,12 +68,13 @@ class Firewall:
action
=
'LOG_DROP'
action
=
'LOG_DROP'
if
rule
.
direction
==
'1'
:
# going TO host
if
rule
.
direction
==
'1'
:
# going TO host
self
.
iptables
(
'-A
%
s_
%
s -d
%
s
%
s
%
s -g
%
s'
%
(
vlan
,
self
.
iptables
(
'-A
%
s_
%
s -d
%
s
%
s
%
s -g
%
s'
%
host
.
vlan
,
ipaddr
,
dport_sport
,
rule
.
extra
,
action
))
(
vlan
,
host
.
vlan
,
ipaddr
,
dport_sport
,
rule
.
extra
,
action
))
else
:
else
:
self
.
iptables
(
'-A
%
s_
%
s -s
%
s
%
s
%
s -g
%
s'
%
(
host
.
vlan
,
self
.
iptables
(
'-A
%
s_
%
s -s
%
s
%
s
%
s -g
%
s'
%
vlan
,
ipaddr
,
dport_sport
,
rule
.
extra
,
action
))
(
host
.
vlan
,
vlan
,
ipaddr
,
dport_sport
,
rule
.
extra
,
action
))
def
fw2vlan
(
self
,
rule
):
def
fw2vlan
(
self
,
rule
):
if
not
rule
.
foreign_network
:
if
not
rule
.
foreign_network
:
...
@@ -109,12 +108,12 @@ class Firewall:
...
@@ -109,12 +108,12 @@ class Firewall:
action
=
'LOG_DROP'
action
=
'LOG_DROP'
if
rule
.
direction
==
'1'
:
# going TO host
if
rule
.
direction
==
'1'
:
# going TO host
self
.
iptables
(
'-A
%
s_
%
s
%
s
%
s -g
%
s'
%
(
vlan
,
l_vlan
,
self
.
iptables
(
'-A
%
s_
%
s
%
s
%
s -g
%
s'
%
dport_sport
,
rule
.
extra
,
action
))
(
vlan
,
l_vlan
,
dport_sport
,
rule
.
extra
,
action
))
else
:
else
:
self
.
iptables
(
'-A
%
s_
%
s
%
s
%
s -g
%
s'
%
(
l_vlan
,
vlan
,
self
.
iptables
(
'-A
%
s_
%
s
%
s
%
s -g
%
s'
%
(
l_vlan
,
vlan
,
dport_sport
,
rule
.
extra
,
action
))
dport_sport
,
rule
.
extra
,
action
))
def
prerun
(
self
):
def
prerun
(
self
):
self
.
iptables
(
'*filter'
)
self
.
iptables
(
'*filter'
)
...
@@ -137,7 +136,8 @@ class Firewall:
...
@@ -137,7 +136,8 @@ class Firewall:
self
.
iptables
(
'-N PUB_OUT'
)
self
.
iptables
(
'-N PUB_OUT'
)
self
.
iptables
(
'-A FORWARD -m set --match-set blacklist src,dst -j DROP'
)
self
.
iptables
(
'-A FORWARD -m set --match-set blacklist src,dst'
'-j DROP'
)
self
.
iptables
(
'-A FORWARD -m state --state INVALID -g LOG_DROP'
)
self
.
iptables
(
'-A FORWARD -m state --state INVALID -g LOG_DROP'
)
self
.
iptables
(
'-A FORWARD -m state --state ESTABLISHED,RELATED '
self
.
iptables
(
'-A FORWARD -m state --state ESTABLISHED,RELATED '
'-j ACCEPT'
)
'-j ACCEPT'
)
...
@@ -155,7 +155,6 @@ class Firewall:
...
@@ -155,7 +155,6 @@ class Firewall:
self
.
iptables
(
'-A OUTPUT -m state --state ESTABLISHED,RELATED '
self
.
iptables
(
'-A OUTPUT -m state --state ESTABLISHED,RELATED '
'-j ACCEPT'
)
'-j ACCEPT'
)
def
postrun
(
self
):
def
postrun
(
self
):
self
.
iptables
(
'-A PUB_OUT -s 152.66.243.160/27 -p tcp --dport 25 '
self
.
iptables
(
'-A PUB_OUT -s 152.66.243.160/27 -p tcp --dport 25 '
'-j LOG_ACC'
)
'-j LOG_ACC'
)
...
@@ -171,9 +170,6 @@ class Firewall:
...
@@ -171,9 +170,6 @@ class Firewall:
self
.
iptables
(
'-A OUTPUT -g LOG_DROP'
)
self
.
iptables
(
'-A OUTPUT -g LOG_DROP'
)
self
.
iptables
(
'COMMIT'
)
self
.
iptables
(
'COMMIT'
)
def
ipt_nat
(
self
):
def
ipt_nat
(
self
):
self
.
iptablesnat
(
'*nat'
)
self
.
iptablesnat
(
'*nat'
)
self
.
iptablesnat
(
':PREROUTING ACCEPT [0:0]'
)
self
.
iptablesnat
(
':PREROUTING ACCEPT [0:0]'
)
...
@@ -187,34 +183,37 @@ class Firewall:
...
@@ -187,34 +183,37 @@ class Firewall:
dport_sport
=
self
.
dportsport
(
rule
,
False
)
dport_sport
=
self
.
dportsport
(
rule
,
False
)
if
host
.
vlan
.
snat_ip
:
if
host
.
vlan
.
snat_ip
:
self
.
iptablesnat
(
'-A PREROUTING -d
%
s
%
s
%
s -j DNAT '
self
.
iptablesnat
(
'-A PREROUTING -d
%
s
%
s
%
s -j DNAT '
'--to-destination
%
s:
%
s'
%
(
host
.
pub_ipv4
,
'--to-destination
%
s:
%
s'
%
dport_sport
,
rule
.
extra
,
host
.
ipv4
,
(
host
.
pub_ipv4
,
dport_sport
,
rule
.
extra
,
rule
.
nat_dport
))
host
.
ipv4
,
rule
.
nat_dport
))
# rules for machines with dedicated public IP
# rules for machines with dedicated public IP
for
host
in
self
.
hosts
.
exclude
(
shared_ip
=
True
):
for
host
in
self
.
hosts
.
exclude
(
shared_ip
=
True
):
if
host
.
pub_ipv4
:
if
host
.
pub_ipv4
:
self
.
iptablesnat
(
'-A PREROUTING -d
%
s -j DNAT '
self
.
iptablesnat
(
'-A PREROUTING -d
%
s -j DNAT '
'--to-destination
%
s'
%
(
host
.
pub_ipv4
,
host
.
ipv4
))
'--to-destination
%
s'
%
(
host
.
pub_ipv4
,
host
.
ipv4
))
self
.
iptablesnat
(
'-A POSTROUTING -s
%
s -j SNAT '
self
.
iptablesnat
(
'-A POSTROUTING -s
%
s -j SNAT '
'--to-source
%
s'
%
(
host
.
ipv4
,
host
.
pub_ipv4
))
'--to-source
%
s'
%
(
host
.
ipv4
,
host
.
pub_ipv4
))
# default NAT rules for VLANs
# default NAT rules for VLANs
for
s_vlan
in
self
.
vlans
:
for
s_vlan
in
self
.
vlans
:
if
s_vlan
.
snat_ip
:
if
s_vlan
.
snat_ip
:
for
d_vlan
in
s_vlan
.
snat_to
.
all
():
for
d_vlan
in
s_vlan
.
snat_to
.
all
():
self
.
iptablesnat
(
'-A POSTROUTING -s
%
s -o
%
s -j SNAT '
self
.
iptablesnat
(
'-A POSTROUTING -s
%
s -o
%
s -j SNAT '
'--to-source
%
s'
%
(
s_vlan
.
net_ipv4
(),
'--to-source
%
s'
%
d_vlan
.
interface
,
s_vlan
.
snat_ip
))
(
s_vlan
.
net_ipv4
(),
d_vlan
.
interface
,
s_vlan
.
snat_ip
))
# hard-wired rules
# hard-wired rules
self
.
iptablesnat
(
'-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT '
self
.
iptablesnat
(
'-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT '
'--to-source 10.3.255.254'
)
# man elerheto legyen
'--to-source 10.3.255.254'
)
# man elerheto legyen
self
.
iptablesnat
(
'-A POSTROUTING -o vlan0008 -j SNAT '
self
.
iptablesnat
(
'-A POSTROUTING -o vlan0008 -j SNAT '
'--to-source 10.0.0.247'
)
# wolf network for printing
'--to-source 10.0.0.247'
)
# wolf network for printing
self
.
iptablesnat
(
'-A POSTROUTING -s 10.3.0.0/16 -p udp --dport 53 -o vlan0002 -j SNAT '
self
.
iptablesnat
(
'-A POSTROUTING -s 10.3.0.0/16 -p udp --dport 53'
'--to-source
%
s'
%
self
.
pub
.
ipv4
)
# kulonben nem megy a dns man-ban
'-o vlan0002 -j SNAT ''--to-source
%
s'
%
self
.
pub
.
ipv4
)
# kulonben nem megy a dns man-ban
self
.
iptablesnat
(
'COMMIT'
)
self
.
iptablesnat
(
'COMMIT'
)
...
@@ -234,7 +233,8 @@ class Firewall:
...
@@ -234,7 +233,8 @@ class Firewall:
for
d_vlan
in
self
.
vlans
:
for
d_vlan
in
self
.
vlans
:
self
.
iptables
(
'-N
%
s_
%
s'
%
(
s_vlan
,
d_vlan
))
self
.
iptables
(
'-N
%
s_
%
s'
%
(
s_vlan
,
d_vlan
))
self
.
iptables
(
'-A FORWARD -i
%
s -o
%
s -g
%
s_
%
s'
%
self
.
iptables
(
'-A FORWARD -i
%
s -o
%
s -g
%
s_
%
s'
%
(
s_vlan
.
interface
,
d_vlan
.
interface
,
s_vlan
,
d_vlan
))
(
s_vlan
.
interface
,
d_vlan
.
interface
,
s_vlan
,
d_vlan
))
# hosts' rules
# hosts' rules
for
i_vlan
in
self
.
vlans
:
for
i_vlan
in
self
.
vlans
:
...
@@ -263,8 +263,8 @@ class Firewall:
...
@@ -263,8 +263,8 @@ class Firewall:
self
.
RULES
=
[
x
.
replace
(
'icmp'
,
'icmpv6'
)
for
x
in
self
.
RULES
]
self
.
RULES
=
[
x
.
replace
(
'icmp'
,
'icmpv6'
)
for
x
in
self
.
RULES
]
def
__init__
(
self
,
IPV6
=
False
):
def
__init__
(
self
,
IPV6
=
False
):
self
.
RULES
=
[]
self
.
RULES
=
[]
self
.
RULES_NAT
=
[]
self
.
RULES_NAT
=
[]
self
.
IPV6
=
IPV6
self
.
IPV6
=
IPV6
self
.
vlans
=
models
.
Vlan
.
objects
.
all
()
self
.
vlans
=
models
.
Vlan
.
objects
.
all
()
self
.
hosts
=
models
.
Host
.
objects
.
all
()
self
.
hosts
=
models
.
Host
.
objects
.
all
()
...
@@ -277,21 +277,23 @@ class Firewall:
...
@@ -277,21 +277,23 @@ class Firewall:
def
reload
(
self
):
def
reload
(
self
):
if
self
.
IPV6
:
if
self
.
IPV6
:
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'fw2'
,
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'fw2'
,
'/usr/bin/sudo'
,
'/sbin/ip6tables-restore'
,
'-c'
],
'/usr/bin/sudo'
,
'/sbin/ip6tables-restore'
,
'-c'
],
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
process
.
communicate
(
'
\n
'
.
join
(
self
.
RULES
)
+
'
\n
'
)
process
.
communicate
(
'
\n
'
.
join
(
self
.
RULES
)
+
'
\n
'
)
else
:
else
:
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'fw2'
,
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'fw2'
,
'/usr/bin/sudo'
,
'/sbin/iptables-restore'
,
'-c'
],
'/usr/bin/sudo'
,
'/sbin/iptables-restore'
,
'-c'
],
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
process
.
communicate
(
'
\n
'
.
join
(
self
.
RULES
)
+
'
\n
'
+
process
.
communicate
(
'
\n
'
.
join
(
self
.
RULES
)
+
'
\n
'
+
'
\n
'
.
join
(
self
.
RULES_NAT
)
+
'
\n
'
)
'
\n
'
.
join
(
self
.
RULES_NAT
)
+
'
\n
'
)
def
get
(
self
):
def
get
(
self
):
if
self
.
IPV6
:
if
self
.
IPV6
:
return
{
'filter'
:
self
.
RULES
,
}
return
{
'filter'
:
self
.
RULES
,
}
else
:
else
:
return
{
'filter'
:
self
.
RULES
,
'nat'
:
self
.
RULES_NAT
}
return
{
'filter'
:
self
.
RULES
,
'nat'
:
self
.
RULES_NAT
}
def
show
(
self
):
def
show
(
self
):
if
self
.
IPV6
:
if
self
.
IPV6
:
...
@@ -300,9 +302,12 @@ class Firewall:
...
@@ -300,9 +302,12 @@ class Firewall:
return
(
'
\n
'
.
join
(
self
.
RULES
)
+
'
\n
'
+
return
(
'
\n
'
.
join
(
self
.
RULES
)
+
'
\n
'
+
'
\n
'
.
join
(
self
.
RULES_NAT
)
+
'
\n
'
)
'
\n
'
.
join
(
self
.
RULES_NAT
)
+
'
\n
'
)
def
ipset
():
def
ipset
():
week
=
datetime
.
now
()
-
timedelta
(
days
=
2
)
week
=
datetime
.
now
()
-
timedelta
(
days
=
2
)
return
models
.
Blacklist
.
objects
.
filter
(
Q
(
type
=
'tempban'
,
modified_at__gte
=
week
)
|
Q
(
type
=
'permban'
))
.
values
(
'ipv4'
,
'reason'
)
filter_ban
=
(
Q
(
type
=
'tempban'
,
modified_at__gte
=
week
)
|
Q
(
type
=
'permban'
))
.
values
(
'ipv4'
,
'reason'
)
return
models
.
Blacklist
.
objects
.
filter
(
filter_ban
)
def
ipv6_to_octal
(
ipv6
):
def
ipv6_to_octal
(
ipv6
):
...
@@ -319,6 +324,7 @@ def ipv6_to_octal(ipv6):
...
@@ -319,6 +324,7 @@ def ipv6_to_octal(ipv6):
octets
.
append
(
int
(
part
[
2
:],
16
))
octets
.
append
(
int
(
part
[
2
:],
16
))
return
'
\\
'
+
'
\\
'
.
join
([
'
%03
o'
%
x
for
x
in
octets
])
return
'
\\
'
+
'
\\
'
.
join
([
'
%03
o'
%
x
for
x
in
octets
])
def
ipv4_to_arpa
(
ipv4
,
cname
=
False
):
def
ipv4_to_arpa
(
ipv4
,
cname
=
False
):
m2
=
re
.
search
(
r'^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$'
,
ipv4
)
m2
=
re
.
search
(
r'^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$'
,
ipv4
)
if
cname
:
if
cname
:
...
@@ -328,6 +334,7 @@ def ipv4_to_arpa(ipv4, cname=False):
...
@@ -328,6 +334,7 @@ def ipv4_to_arpa(ipv4, cname=False):
return
(
'
%
s.
%
s.
%
s.
%
s.in-addr.arpa'
%
return
(
'
%
s.
%
s.
%
s.
%
s.in-addr.arpa'
%
(
m2
.
group
(
4
),
m2
.
group
(
3
),
m2
.
group
(
2
),
m2
.
group
(
1
)))
(
m2
.
group
(
4
),
m2
.
group
(
3
),
m2
.
group
(
2
),
m2
.
group
(
1
)))
def
ipv6_to_arpa
(
ipv6
):
def
ipv6_to_arpa
(
ipv6
):
while
len
(
ipv6
.
split
(
':'
))
<
8
:
while
len
(
ipv6
.
split
(
':'
))
<
8
:
ipv6
=
ipv6
.
replace
(
'::'
,
':::'
)
ipv6
=
ipv6
.
replace
(
'::'
,
':::'
)
...
@@ -355,11 +362,11 @@ def ipv6_to_arpa(ipv6):
...
@@ -355,11 +362,11 @@ def ipv6_to_arpa(ipv6):
def
dns
():
def
dns
():
vlans
=
models
.
Vlan
.
objects
.
all
()
vlans
=
models
.
Vlan
.
objects
.
all
()
regex
=
re
.
compile
(
r'^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$'
)
#
regex = re.compile(r'^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$')
DNS
=
[]
DNS
=
[]
for
i_vlan
in
vlans
:
for
i_vlan
in
vlans
:
m
=
regex
.
search
(
i_vlan
.
net4
)
#
m = regex.search(i_vlan.net4)
rev
=
i_vlan
.
reverse_domain
rev
=
i_vlan
.
reverse_domain
for
i_host
in
i_vlan
.
host_set
.
all
():
for
i_host
in
i_vlan
.
host_set
.
all
():
...
@@ -372,8 +379,8 @@ def dns():
...
@@ -372,8 +379,8 @@ def dns():
# ipv4
# ipv4
if
i_host
.
ipv4
:
if
i_host
.
ipv4
:
DNS
.
append
(
"^
%
s:
%
s:
%
s"
%
(
DNS
.
append
(
"^
%
s:
%
s:
%
s"
%
(
(
rev
%
{
'a'
:
int
(
i
[
0
]),
'b'
:
int
(
i
[
1
]),
'c'
:
int
(
i
[
2
]),
(
rev
%
{
'a'
:
int
(
i
[
0
]),
'b'
:
int
(
i
[
1
]),
'c'
:
int
(
i
[
2
]),
'd'
:
int
(
i
[
3
])
}),
'd'
:
int
(
i
[
3
])
}),
reverse
,
models
.
settings
[
'dns_ttl'
]))
reverse
,
models
.
settings
[
'dns_ttl'
]))
# ipv6
# ipv6
...
@@ -382,16 +389,17 @@ def dns():
...
@@ -382,16 +389,17 @@ def dns():
reverse
,
models
.
settings
[
'dns_ttl'
]))
reverse
,
models
.
settings
[
'dns_ttl'
]))
for
domain
in
models
.
Domain
.
objects
.
all
():
for
domain
in
models
.
Domain
.
objects
.
all
():
DNS
.
append
(
"Z
%
s:
%
s:support.ik.bme.hu::::::
%
s"
%
(
domain
.
name
,
DNS
.
append
(
"Z
%
s:
%
s:support.ik.bme.hu::::::
%
s"
%
settings
[
'dns_hostname'
],
models
.
settings
[
'dns_ttl'
]))
(
domain
.
name
,
settings
[
'dns_hostname'
],
models
.
settings
[
'dns_ttl'
]))
for
r
in
models
.
Record
.
objects
.
all
():
for
r
in
models
.
Record
.
objects
.
all
():
d
=
r
.
get_data
()
d
=
r
.
get_data
()
if
d
[
'type'
]
==
'A'
:
if
d
[
'type'
]
==
'A'
:
DNS
.
append
(
"+
%
s:
%
s:
%
s"
%
(
d
[
'name'
],
d
[
'address'
],
d
[
'ttl'
]))
DNS
.
append
(
"+
%
s:
%
s:
%
s"
%
(
d
[
'name'
],
d
[
'address'
],
d
[
'ttl'
]))
elif
d
[
'type'
]
==
'AAAA'
:
elif
d
[
'type'
]
==
'AAAA'
:
DNS
.
append
(
":
%
s:28:
%
s:
%
s"
%
(
d
[
'name'
],
DNS
.
append
(
":
%
s:28:
%
s:
%
s"
%
ipv6_to_octal
(
d
[
'address'
]),
d
[
'ttl'
]))
(
d
[
'name'
],
ipv6_to_octal
(
d
[
'address'
]),
d
[
'ttl'
]))
elif
d
[
'type'
]
==
'NS'
:
elif
d
[
'type'
]
==
'NS'
:
DNS
.
append
(
"&
%
s::
%
s:
%
s"
%
(
d
[
'name'
],
d
[
'address'
],
d
[
'ttl'
]))
DNS
.
append
(
"&
%
s::
%
s:
%
s"
%
(
d
[
'name'
],
d
[
'address'
],
d
[
'ttl'
]))
elif
d
[
'type'
]
==
'CNAME'
:
elif
d
[
'type'
]
==
'CNAME'
:
...
@@ -406,8 +414,9 @@ def dns():
...
@@ -406,8 +414,9 @@ def dns():
return
DNS
return
DNS
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'tinydns@
%
s'
%
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'tinydns@
%
s'
%
settings
[
'dns_hostname'
]],
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
settings
[
'dns_hostname'
]],
process
.
communicate
(
"
\n
"
.
join
(
DNS
)
+
"
\n
"
)
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
process
.
communicate
(
"
\n
"
.
join
(
DNS
)
+
"
\n
"
)
# print "\n".join(DNS)+"\n"
# print "\n".join(DNS)+"\n"
...
@@ -420,6 +429,7 @@ def prefix_to_mask(prefix):
...
@@ -420,6 +429,7 @@ def prefix_to_mask(prefix):
t
[
i
]
=
256
-
(
2
**
((
i
+
1
)
*
8
-
prefix
))
t
[
i
]
=
256
-
(
2
**
((
i
+
1
)
*
8
-
prefix
))
return
"."
.
join
([
str
(
i
)
for
i
in
t
])
return
"."
.
join
([
str
(
i
)
for
i
in
t
])
def
dhcp
():
def
dhcp
():
vlans
=
models
.
Vlan
.
objects
.
all
()
vlans
=
models
.
Vlan
.
objects
.
all
()
regex
=
re
.
compile
(
r'^([0-9]+)\.([0-9]+)\.[0-9]+\.[0-9]+\s+'
regex
=
re
.
compile
(
r'^([0-9]+)\.([0-9]+)\.[0-9]+\.[0-9]+\s+'
...
@@ -432,7 +442,7 @@ def dhcp():
...
@@ -432,7 +442,7 @@ def dhcp():
if
(
i_vlan
.
dhcp_pool
):
if
(
i_vlan
.
dhcp_pool
):
m
=
regex
.
search
(
i_vlan
.
dhcp_pool
)
m
=
regex
.
search
(
i_vlan
.
dhcp_pool
)
if
(
m
or
i_vlan
.
dhcp_pool
==
"manual"
):
if
(
m
or
i_vlan
.
dhcp_pool
==
"manual"
):
DHCP
.
append
(
'''
DHCP
.
append
(
'''
#
%(name)
s -
%(interface)
s
#
%(name)
s -
%(interface)
s
subnet
%(net)
s netmask
%(netmask)
s {
subnet
%(net)
s netmask
%(netmask)
s {
%(extra)
s;
%(extra)
s;
...
@@ -459,7 +469,7 @@ def dhcp():
...
@@ -459,7 +469,7 @@ def dhcp():
})
})
for
i_host
in
i_vlan
.
host_set
.
all
():
for
i_host
in
i_vlan
.
host_set
.
all
():
DHCP
.
append
(
'''
DHCP
.
append
(
'''
host
%(hostname)
s {
host
%(hostname)
s {
hardware ethernet
%(mac)
s;
hardware ethernet
%(mac)
s;
fixed-address
%(ipv4)
s;
fixed-address
%(ipv4)
s;
...
@@ -472,22 +482,7 @@ def dhcp():
...
@@ -472,22 +482,7 @@ def dhcp():
return
DHCP
return
DHCP
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'fw2'
,
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'fw2'
,
'cat > /tools/dhcp3/dhcpd.conf.generated;'
'cat > /tools/dhcp3/dhcpd.conf.generated;'
'sudo /etc/init.d/isc-dhcp-server restart'
],
shell
=
False
,
'sudo /etc/init.d/isc-dhcp-server restart'
]
,
stdin
=
subprocess
.
PIPE
)
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
# print "\n".join(DHCP)+"\n"
# print "\n".join(DHCP)+"\n"
process
.
communicate
(
"
\n
"
.
join
(
DHCP
)
+
"
\n
"
)
process
.
communicate
(
"
\n
"
.
join
(
DHCP
)
+
"
\n
"
)
'''
i=2
for mac, name, ipend in [("18:a9:05:64:19:aa", "mega6", 16), ("00:1e:0b:e9:79:1e", "blade1", 21), ("00:22:64:9c:fd:34", "blade2", 22), ("00:1e:0b:ec:65:46", "blade3", 23), ("b4:b5:2f:61:d2:5a", "cloud-man", 1)]:
h1 = models.Host(hostname= name, vlan=models.Vlan.objects.get(vid=3), mac=mac, ipv4="10.3.1.
%
d"
%
ipend, ipv6="2001:738:2001:4031:3:1:
%
d:0"
%
ipend, owner=auth.models.User.objects.get(username="bd"))
try:
h1.save()
h1.groups.add(models.Group.objects.get(name="netezhet manbol"))
h1.save()
# i = i + 1
except:
print "nemok
%
s"
%
name
'''
firewall/models.py
View file @
29bbf837
...
@@ -4,7 +4,9 @@ from django.contrib.auth.models import User
...
@@ -4,7 +4,9 @@ from django.contrib.auth.models import User
from
django.db
import
models
from
django.db
import
models
from
django.forms
import
ValidationError
from
django.forms
import
ValidationError
from
django.utils.translation
import
ugettext_lazy
as
_
from
django.utils.translation
import
ugettext_lazy
as
_
from
firewall.fields
import
*
from
firewall.fields
import
(
MACAddressField
,
val_alfanum
,
val_reverse_domain
,
val_domain
,
val_ipv4
,
val_ipv6
,
val_mx
,
ipv4_2_ipv6
)
from
django.core.validators
import
MinValueValidator
,
MaxValueValidator
from
django.core.validators
import
MinValueValidator
,
MaxValueValidator
import
django.conf
import
django.conf
from
django.db.models.signals
import
post_save
from
django.db.models.signals
import
post_save
...
@@ -186,14 +188,16 @@ class Vlan(models.Model):
...
@@ -186,14 +188,16 @@ class Vlan(models.Model):
verbose_name
=
_
(
'IPv4 address'
),
verbose_name
=
_
(
'IPv4 address'
),
help_text
=
_
(
help_text
=
_
(
'The IPv4 address of the gateway. '
'The IPv4 address of the gateway. '
'Recommended value is the last valid '
'Recommended value is the last '
'address of the subnet, for example '
'valid address of the subnet, '
'for example '
'10.4.255.254 for 10.4.0.0/16.'
))
'10.4.255.254 for 10.4.0.0/16.'
))
ipv6
=
models
.
GenericIPAddressField
(
protocol
=
'ipv6'
,
ipv6
=
models
.
GenericIPAddressField
(
protocol
=
'ipv6'
,
unique
=
True
,
unique
=
True
,
verbose_name
=
_
(
'IPv6 address'
),
verbose_name
=
_
(
'IPv6 address'
),
help_text
=
_
(
help_text
=
_
(
'The IPv6 address of the gateway.'
))
'The IPv6 address of the '
'gateway.'
))
snat_ip
=
models
.
GenericIPAddressField
(
protocol
=
'ipv4'
,
blank
=
True
,
snat_ip
=
models
.
GenericIPAddressField
(
protocol
=
'ipv4'
,
blank
=
True
,
null
=
True
,
null
=
True
,
verbose_name
=
_
(
'NAT IP address'
),
verbose_name
=
_
(
'NAT IP address'
),
...
...
firewall/tasks.py
View file @
29bbf837
from
celery.task
import
Task
,
PeriodicTask
from
celery.task
import
Task
,
PeriodicTask
import
celery
import
celery
from
django.core.cache
import
cache
from
django.core.cache
import
cache
import
os
import
time
from
firewall.fw
import
*
from
firewall.fw
import
*
import
django.conf
import
django.conf
settings
=
django
.
conf
.
settings
.
FIREWALL_SETTINGS
settings
=
django
.
conf
.
settings
.
FIREWALL_SETTINGS
@celery.task
@celery.task
def
reload_dns_task
(
data
):
def
reload_dns_task
(
data
):
pass
pass
@celery.task
@celery.task
def
reload_firewall_task
(
data4
,
data6
):
def
reload_firewall_task
(
data4
,
data6
):
pass
pass
@celery.task
@celery.task
def
reload_dhcp_task
(
data
):
def
reload_dhcp_task
(
data
):
pass
pass
@celery.task
@celery.task
def
reload_blacklist_task
(
data
):
def
reload_blacklist_task
(
data
):
pass
pass
class
Periodic
(
PeriodicTask
):
class
Periodic
(
PeriodicTask
):
run_every
=
timedelta
(
seconds
=
10
)
run_every
=
timedelta
(
seconds
=
10
)
...
@@ -48,6 +54,7 @@ class Periodic(PeriodicTask):
...
@@ -48,6 +54,7 @@ class Periodic(PeriodicTask):
reload_blacklist_task
.
delay
(
list
(
ipset
()))
reload_blacklist_task
.
delay
(
list
(
ipset
()))
print
"blacklist ujratoltese kesz"
print
"blacklist ujratoltese kesz"
class
ReloadTask
(
Task
):
class
ReloadTask
(
Task
):
def
run
(
self
,
type
=
'Host'
):
def
run
(
self
,
type
=
'Host'
):
...
@@ -64,4 +71,3 @@ class ReloadTask(Task):
...
@@ -64,4 +71,3 @@ class ReloadTask(Task):
cache
.
add
(
"blacklist_lock"
,
"true"
,
30
)
cache
.
add
(
"blacklist_lock"
,
"true"
,
30
)
print
type
print
type
firewall/views.py
View file @
29bbf837
...
@@ -2,12 +2,10 @@ import base64
...
@@ -2,12 +2,10 @@ import base64
import
datetime
import
datetime
import
json
import
json
import
re
import
re
import
sys
from
django.conf
import
settings
from
django.conf
import
settings
from
django.db
import
IntegrityError
from
django.db
import
IntegrityError
from
django.http
import
HttpResponse
from
django.http
import
HttpResponse
from
django.shortcuts
import
render_to_response
from
django.template.loader
import
render_to_string
from
django.template.loader
import
render_to_string
from
django.utils
import
translation
from
django.utils
import
translation
from
django.utils.timezone
import
utc
from
django.utils.timezone
import
utc
...
@@ -15,13 +13,13 @@ from django.utils.translation import ugettext_lazy as _
...
@@ -15,13 +13,13 @@ from django.utils.translation import ugettext_lazy as _
from
django.views.decorators.csrf
import
csrf_exempt
from
django.views.decorators.csrf
import
csrf_exempt
from
django.views.decorators.http
import
require_POST
from
django.views.decorators.http
import
require_POST
from
celery.task.control
import
inspect
from
tasks
import
*
from
tasks
import
*
from
firewall.fw
import
*
from
firewall.fw
import
*
from
firewall.models
import
*
from
firewall.models
import
*
from
one.tasks
import
SendMailTask
from
one.tasks
import
SendMailTask
def
reload_firewall
(
request
):
def
reload_firewall
(
request
):
if
request
.
user
.
is_authenticated
():
if
request
.
user
.
is_authenticated
():
if
request
.
user
.
is_superuser
:
if
request
.
user
.
is_superuser
:
...
@@ -34,34 +32,44 @@ def reload_firewall(request):
...
@@ -34,34 +32,44 @@ def reload_firewall(request):
html
=
_
(
"Dear anonymous, you've not signed in yet!"
)
html
=
_
(
"Dear anonymous, you've not signed in yet!"
)
return
HttpResponse
(
html
)
return
HttpResponse
(
html
)
@csrf_exempt
@csrf_exempt
@require_POST
@require_POST
def
firewall_api
(
request
):
def
firewall_api
(
request
):
try
:
try
:
data
=
json
.
loads
(
base64
.
b64decode
(
request
.
POST
[
"data"
]))
data
=
json
.
loads
(
base64
.
b64decode
(
request
.
POST
[
"data"
]))
command
=
request
.
POST
[
"command"
]
command
=
request
.
POST
[
"command"
]
if
data
[
"password"
]
!=
"bdmegintelrontottaanetet"
:
if
data
[
"password"
]
!=
"bdmegintelrontottaanetet"
:
raise
Exception
(
_
(
"Wrong password."
))
raise
Exception
(
_
(
"Wrong password."
))
if
command
==
"blacklist"
:
if
command
==
"blacklist"
:
obj
,
created
=
Blacklist
.
objects
.
get_or_create
(
ipv4
=
data
[
"ip"
])
obj
,
created
=
Blacklist
.
objects
.
get_or_create
(
ipv4
=
data
[
"ip"
])
obj
.
reason
=
data
[
"reason"
]
obj
.
reason
=
data
[
"reason"
]
obj
.
snort_message
=
data
[
"snort_message"
]
obj
.
snort_message
=
data
[
"snort_message"
]
if
created
:
if
created
:
try
:
try
:
obj
.
host
=
Host
.
objects
.
get
(
ipv4
=
data
[
"ip"
])
obj
.
host
=
Host
.
objects
.
get
(
ipv4
=
data
[
"ip"
])
user
=
obj
.
host
.
owner
user
=
obj
.
host
.
owner
lang
=
user
.
person_set
.
all
()[
0
]
.
language
lang
=
user
.
person_set
.
all
()[
0
]
.
language
translation
.
activate
(
lang
)
translation
.
activate
(
lang
)
msg
=
render_to_string
(
'mails/notification-ban-now.txt'
,
msg
=
render_to_string
(
{
'user'
:
user
,
'mails/notification-ban-now.txt'
,
{
'user'
:
user
,
'bl'
:
obj
,
'bl'
:
obj
,
'instance:'
:
obj
.
host
.
instance_set
.
get
(),
'instance:'
:
obj
.
host
.
instance_set
.
get
(),
'url'
:
settings
.
CLOUD_URL
}
)
'url'
:
settings
.
CLOUD_URL
})
SendMailTask
.
delay
(
to
=
obj
.
host
.
owner
.
email
,
subject
=
'[IK Cloud]
%
s'
%
obj
.
host
.
instance_set
.
get
()
.
name
,
msg
=
msg
,
sender
=
u'cloud@ik.bme.hu'
)
SendMailTask
.
delay
(
except
(
Host
.
DoesNotExist
,
ValidationError
,
IntegrityError
,
AttributeError
):
to
=
obj
.
host
.
owner
.
email
,
subject
=
'[IK Cloud]
%
s'
%
obj
.
host
.
instance_set
.
get
()
.
name
,
msg
=
msg
,
sender
=
u'cloud@ik.bme.hu'
)
except
(
Host
.
DoesNotExist
,
ValidationError
,
IntegrityError
,
AttributeError
):
pass
pass
if
obj
.
type
==
'tempwhite'
and
obj
.
modified_at
+
datetime
.
timedelta
(
minutes
=
1
)
<
datetime
.
datetime
.
utcnow
()
.
replace
(
tzinfo
=
utc
):
modified
=
obj
.
modified_at
+
datetime
.
timedelta
(
minutes
=
1
)
now
=
datetime
.
dateime
.
utcnow
()
.
replace
(
tzinfo
=
utc
)
if
obj
.
type
==
'tempwhite'
and
modified
<
now
:
obj
.
type
=
'tempban'
obj
.
type
=
'tempban'
obj
.
save
()
obj
.
save
()
return
HttpResponse
(
unicode
(
_
(
"OK"
)))
return
HttpResponse
(
unicode
(
_
(
"OK"
)))
...
@@ -86,8 +94,7 @@ def firewall_api(request):
...
@@ -86,8 +94,7 @@ def firewall_api(request):
host
.
enable_net
()
host
.
enable_net
()
for
p
in
data
[
"portforward"
]:
for
p
in
data
[
"portforward"
]:
host
.
add_port
(
proto
=
p
[
"proto"
],
host
.
add_port
(
proto
=
p
[
"proto"
],
public
=
int
(
p
[
"public_port"
]),
public
=
int
(
p
[
"public_port"
]),
private
=
int
(
p
[
"private_port"
]))
private
=
int
(
p
[
"private_port"
]))
elif
command
==
"destroy"
:
elif
command
==
"destroy"
:
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment