firewall: code formatting

40c3495c · x · 114e301a · 40c3495c · 40c3495c · 40c3495c
Commit 40c3495c authored Jan 24, 2013 by x
Show whitespace changes
Inline Side-by-side

Showing with 45 additions and 74 deletions

firewall/fields.py
+0 -0

firewall/fw.py
+45 -74

firewall/models.py
+0 -0

firewall/tasks.py
+0 -0

firewall/views.py
+0 -0

No files found.
--- a/firewall/fields.py
+++ b/firewall/fields.py
--- a/firewall/fw.py
+++ b/firewall/fw.py
-#!/usr/bin/env python
-#from django.core.management import setup_environ
-#from teszt import settings
-#setup_environ(settings)
 from django.contrib import auth
 from firewall import models
 import os
@@ -63,20 +56,20 @@ class firewall:
            else:
                action = "LOG_DROP"
-			if(rule.direction == '1'): #HOSTHOZ megy
+            if(rule.direction == '1'): # HOSTHOZ megy
-				self.iptables("-A %s_%s -d %s %s %s -g %s" % (vlan, host.vlan, ipaddr, dport_sport, rule.extra, action));
+                self.iptables("-A %s_%s -d %s %s %s -g %s" % (vlan, host.vlan, ipaddr, dport_sport, rule.extra, action))
            else:
-				self.iptables("-A %s_%s -s %s %s %s -g %s" % (host.vlan, vlan, ipaddr, dport_sport, rule.extra, action));
+                self.iptables("-A %s_%s -s %s %s %s -g %s" % (host.vlan, vlan, ipaddr, dport_sport, rule.extra, action))
    def fw2vlan(self, rule):
        dport_sport = self.dportsport(rule)
        for vlan in rule.vlan.all():
-			if(rule.direction == '1'): #HOSTHOZ megy
+            if(rule.direction == '1'): # HOSTHOZ megy
-				self.iptables("-A INPUT -i %s %s %s -g %s" % (vlan.interface, dport_sport, rule.extra, "LOG_ACC" if rule.accept else "LOG_DROP"));
+                self.iptables("-A INPUT -i %s %s %s -g %s" % (vlan.interface, dport_sport, rule.extra, "LOG_ACC" if rule.accept else "LOG_DROP"))
            else:
-				self.iptables("-A OUTPUT -o %s %s %s -g %s" % (vlan.interface, dport_sport, rule.extra, "LOG_ACC" if rule.accept else "LOG_DROP"));
+                self.iptables("-A OUTPUT -o %s %s %s -g %s" % (vlan.interface, dport_sport, rule.extra, "LOG_ACC" if rule.accept else "LOG_DROP"))
    def vlan2vlan(self, l_vlan, rule):
        dport_sport = self.dportsport(rule)
@@ -90,10 +83,10 @@ class firewall:
            else:
                action = "LOG_DROP"
-			if(rule.direction == '1'): #HOSTHOZ megy
+            if(rule.direction == '1'): # HOSTHOZ megy
-				self.iptables("-A %s_%s %s %s -g %s" % (vlan, l_vlan, dport_sport, rule.extra, action));
+                self.iptables("-A %s_%s %s %s -g %s" % (vlan, l_vlan, dport_sport, rule.extra, action))
            else:
-				self.iptables("-A %s_%s %s %s -g %s" % (l_vlan, vlan, dport_sport, rule.extra, action));			
+                self.iptables("-A %s_%s %s %s -g %s" % (l_vlan, vlan, dport_sport, rule.extra, action))
    def prerun(self):
@@ -102,9 +95,9 @@ class firewall:
        self.iptables(":FORWARD DROP [0:0]")
        self.iptables(":OUTPUT DROP [50:6936]")
-		#inicialize logging
+        # inicialize logging
        self.iptables("-N LOG_DROP")
-		#windows port scan are silently dropped
+        # windows port scan are silently dropped
        self.iptables("-A LOG_DROP -p tcp --dport 445 -j DROP")
        self.iptables("-A LOG_DROP -p udp --dport 137 -j DROP")
        self.iptables("-A LOG_DROP -j LOG --log-level 7 --log-prefix \"[ipt][drop]\"")
@@ -114,8 +107,8 @@ class firewall:
        self.iptables("-A LOG_ACC -j ACCEPT")
        if not self.IPV6:
-			#The chain which test is a packet has a valid public destination IP
+            # The chain which test is a packet has a valid public destination IP
-			#(RFC-3330) packages passing this chain has valid destination IP addressed
+            # (RFC-3330) packages passing this chain has valid destination IP addressed
            self.iptables("-N r_pub_dIP")
            self.iptables("-A r_pub_dIP -d 0.0.0.0/8 -g LOG_DROP")
            self.iptables("-A r_pub_dIP -d 169.254.0.0/16 -g LOG_DROP")
@@ -123,10 +116,10 @@ class firewall:
            self.iptables("-A r_pub_dIP -d 192.0.2.0/24 -g LOG_DROP")
            self.iptables("-A r_pub_dIP -d 192.168.0.0/16 -g LOG_DROP")
            self.iptables("-A r_pub_dIP -d 127.0.0.0/8 -g LOG_DROP")
-			#self.iptables("-A r_pub_dIP -d 10.0.0.0/8 -g LOG_DROP")
+#           self.iptables("-A r_pub_dIP -d 10.0.0.0/8 -g LOG_DROP")
-			#The chain which test is a packet has a valid public source IP
+            # The chain which test is a packet has a valid public source IP
-			#(RFC-3330) packages passing this chain has valid destination IP addressed
+            # (RFC-3330) packages passing this chain has valid destination IP addressed
            self.iptables("-N r_pub_sIP")
            self.iptables("-A r_pub_sIP -s 0.0.0.0/8 -g LOG_DROP")
            self.iptables("-A r_pub_sIP -s 169.254.0.0/16 -g LOG_DROP")
@@ -134,9 +127,9 @@ class firewall:
            self.iptables("-A r_pub_sIP -s 192.0.2.0/24 -g LOG_DROP")
            self.iptables("-A r_pub_sIP -s 192.168.0.0/16 -g LOG_DROP")
            self.iptables("-A r_pub_sIP -s 127.0.0.0/8 -g LOG_DROP")
-			#self.iptables("-A r_pub_sIP -s 10.0.0.0/8 -g LOG_DROP")
+            # self.iptables("-A r_pub_sIP -s 10.0.0.0/8 -g LOG_DROP")
-			#chain which tests if the destination specified by the DMZ host is valid
+            # chain which tests if the destination specified by the DMZ host is valid
            self.iptables("-N r_DMZ_dIP")
            self.iptables("-A r_DMZ_dIP -d 10.2.0.0/16 -j RETURN")
            self.iptables("-A r_DMZ_dIP -j r_pub_dIP")
@@ -185,52 +178,52 @@ class firewall:
        self.iptablesnat(":POSTROUTING ACCEPT [1:708]")
-		#portforward
+        # portforward
        for host in self.hosts.exclude(pub_ipv4=None):
            for rule in host.rules.filter(nat=True, direction='1'):
                dport_sport = self.dportsport(rule, False)
                if host.vlan.snat_ip:
                    self.iptablesnat("-A PREROUTING -d %s %s %s -j DNAT --to-destination %s:%s" % (host.pub_ipv4, dport_sport, rule.extra, host.ipv4, rule.nat_dport))
-		#sajat publikus ipvel rendelkezo gepek szabalyai
+        # sajat publikus ipvel rendelkezo gepek szabalyai
        for host in self.hosts.exclude(shared_ip=True):
            if(host.pub_ipv4):
                self.iptablesnat("-A PREROUTING -d %s -j DNAT --to-destination %s" % (host.pub_ipv4, host.ipv4))
                self.iptablesnat("-A POSTROUTING -s %s -j SNAT --to-source %s" % (host.ipv4, host.pub_ipv4))
-		#alapertelmezett nat szabalyok a vlanokra
+        # alapertelmezett nat szabalyok a vlanokra
        for s_vlan in self.vlans:
            if(s_vlan.snat_ip):
                for d_vlan in s_vlan.snat_to.all():
                    self.iptablesnat("-A POSTROUTING -s %s -o %s -j SNAT --to-source %s" % (s_vlan.net_ipv4(), d_vlan.interface, s_vlan.snat_ip))
-		#bedrotozott szabalyok
+        # bedrotozott szabalyok
-		self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT --to-source 10.3.255.254") #man elerheto legyen
+        self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT --to-source 10.3.255.254") # man elerheto legyen
-		self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0008 -j SNAT --to-source 10.0.0.247") #wolf halozat a nyomtatashoz
+        self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0008 -j SNAT --to-source 10.0.0.247") # wolf halozat a nyomtatashoz
-		self.iptablesnat("-A POSTROUTING -s 10.3.0.0/16 -o vlan0002 -j SNAT --to-source %s" % self.pub.ipv4) #kulonben nemmegy a du
+        self.iptablesnat("-A POSTROUTING -s 10.3.0.0/16 -o vlan0002 -j SNAT --to-source %s" % self.pub.ipv4) # kulonben nemmegy a du
        self.iptablesnat("COMMIT")
    def ipt_filter(self):
        regexp = re.compile('[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+')
-		regexp_icmp = re.compile('icmp');
+        regexp_icmp = re.compile('icmp')
-		#futas elotti dolgok
+        # futas elotti dolgok
        self.prerun()
-		#tuzfal sajat szabalyai
+        # tuzfal sajat szabalyai
        for f in self.fw:
            for rule in f.rules.all():
                self.fw2vlan(rule)
-		#zonak kozotti lancokra ugras
+        # zonak kozotti lancokra ugras
        for s_vlan in self.vlans:
            for d_vlan in self.vlans:
                self.iptables("-N %s_%s" % (s_vlan, d_vlan))
                self.iptables("-A FORWARD -i %s -o %s -g %s_%s" % (s_vlan.interface, d_vlan.interface, s_vlan, d_vlan))
-		#hosztok szabalyai
+        # hosztok szabalyai
        for i_vlan in self.vlans:
            for i_host in i_vlan.host_set.all():
                for group in i_host.groups.all():
@@ -239,23 +232,22 @@ class firewall:
                for rule in i_host.rules.all():
                    self.host2vlan(i_host, rule)
-		#vlanok kozotti kommunikacio engedelyezese
+        # vlanok kozotti kommunikacio engedelyezese
        for s_vlan in self.vlans:
            for rule in s_vlan.rules.all():
                self.vlan2vlan(s_vlan, rule)
-		#zonak kozotti lancokat zarja le
+        # zonak kozotti lancokat zarja le
        for s_vlan in self.vlans:
            for d_vlan in self.vlans:
                self.iptables("-A %s_%s -g LOG_DROP" % (s_vlan, d_vlan))
-		#futas utani dolgok
+        # futas utani dolgok
        self.postrun()
        if self.IPV6:
            self.SZABALYOK = [x for x in self.SZABALYOK if not regexp.search(x)]
            self.SZABALYOK = [regexp_icmp.sub('icmpv6', x) for x in self.SZABALYOK]
-	#####
    def __init__(self, IPV6=False):
        self.SZABALYOK=[]
@@ -324,7 +316,7 @@ def dns():
    DNS = []
    DNS.append("=cloud.ik.bme.hu:152.66.243.98:600::\n")
    DNS.append(":cloud.ik.bme.hu:28:\040\001\007\070\040\001\100\061\000\002\000\000\000\007\000\000:600\n")
-#tarokkknak
+# tarokkknak
    DNS.append("^%s.dns1.%s.%s.%s.in-addr.arpa:%s:600::\n" % (75, 243, 66, 152, "se.hpc.iit.bme.hu"))
    DNS.append("^%s.dns1.%s.%s.%s.in-addr.arpa:%s:600::\n" % (76, 243, 66, 152, "ce.hpc.iit.bme.hu"))
    DNS.append("^%s.dns1.%s.%s.%s.in-addr.arpa:%s:600::\n" % (77, 243, 66, 152, "mon.hpc.iit.bme.hu"))
@@ -332,10 +324,10 @@ def dns():
    DNS.append("=r.cloud.ik.bme.hu:152.66.243.62:600::\n")
-	DNS.append("Z1.3.0.4.1.0.0.2.8.3.7.0.1.0.0.2.ip6.arpa:dns1.ik.bme.hu:support.ik.bme.hu::::::600\n") #soa
+    DNS.append("Z1.3.0.4.1.0.0.2.8.3.7.0.1.0.0.2.ip6.arpa:dns1.ik.bme.hu:support.ik.bme.hu::::::600\n") # soa
-	DNS.append("&1.3.0.4.1.0.0.2.8.3.7.0.1.0.0.2.ip6.arpa::dns1.ik.bme.hu:600::\n")      #ns
+    DNS.append("&1.3.0.4.1.0.0.2.8.3.7.0.1.0.0.2.ip6.arpa::dns1.ik.bme.hu:600::\n")      # ns rekord
-	DNS.append("&1.3.0.4.1.0.0.2.8.3.7.0.1.0.0.2.ip6.arpa::nic.bme.hu:600::\n")      #ns
+    DNS.append("&1.3.0.4.1.0.0.2.8.3.7.0.1.0.0.2.ip6.arpa::nic.bme.hu:600::\n")      # ns rekord
-#	DNS.append("&1.3.0.4.1.0.0.2.8.3.7.0.1.0.0.2.ip6.arpa::ns.bme.hu:600::\n")      #ns
+#   DNS.append("&1.3.0.4.1.0.0.2.8.3.7.0.1.0.0.2.ip6.arpa::ns.bme.hu:600::\n")      # ns rekord
    for i_vlan in vlans:
        m = regex.search(i_vlan.net4)
@@ -350,10 +342,10 @@ def dns():
        for i_host in i_vlan.host_set.all():
            ipv4 = ( i_host.pub_ipv4 if i_host.pub_ipv4 and not i_host.shared_ip else i_host.ipv4 )
            m2 = regex.search(ipv4)
-			#ipv4
+            # ipv4
            DNS.append("=%s.%s:%s:600::\n" % (i_host.hostname, i_vlan.domain, ipv4))
            DNS.append("^%s.dns1.%s.%s.%s.in-addr.arpa:%s.%s:600::\n" % (m2.group(4), m2.group(3), m2.group(2), m2.group(1), i_host.hostname, i_vlan.domain))
-			#ipv6
+            # ipv6
            DNS.append(":%s.%s:28:%s:600\n" % (i_host.hostname, i_vlan.domain, ipv6_to_octal(i_host.ipv6)))
            DNS.append("^%s:%s.%s:600::\n" % (ipv6_to_arpa(i_host.ipv6), i_host.hostname, i_vlan.domain))
@@ -362,8 +354,8 @@ def dns():
 def prefix_to_mask(prefix):
-	t = [0,0,0,0]
+    t = [0, 0, 0, 0]
-	for i in range(0,4):
+    for i in range(0, 4):
        if prefix > i*8+7:
            t[i] = 255
        elif i*8 < prefix and prefix <= (i+1)*8:
@@ -375,14 +367,14 @@ def dhcp():
    regex = re.compile(r'^([0-9]+)\.([0-9]+)\.[0-9]+\.[0-9]+\s+([0-9]+)\.([0-9]+)\.[0-9]+\.[0-9]+$')
    DHCP = []
-#/tools/dhcp3/dhcpd.conf.generated
+# /tools/dhcp3/dhcpd.conf.generated
    for i_vlan in vlans:
        if(i_vlan.dhcp_pool):
            m = regex.search(i_vlan.dhcp_pool)
            if(m or i_vlan.dhcp_pool == "manual"):
                DHCP.append ('''
-				#%(name)s - %(interface)s
+                # %(name)s - %(interface)s
                subnet %(net)s netmask %(netmask)s {
                  %(extra)s;
                  option domain-name "%(domain)s";
@@ -421,24 +413,9 @@ def dhcp():
 #   print "\n".join(DHCP)+"\n"
    process.communicate("\n".join(DHCP)+"\n")
-#ipt_filter()
-#ipt_nat()
-#process = subprocess.Popen(['/usr/bin/sudo', 'iptables-restore'], shell=False, stdin=subprocess.PIPE)
-#process.communicate("\n".join(SZABALYOK)+"\n"+"\n".join(SZABALYOK_NAT)+"\n")
-#blabla = firewall()
-#process = subprocess.Popen(['/usr/bin/sudo', 'ip6tables-restore'], shell=False, stdin=subprocess.PIPE)
-#process.communicate("\n".join(SZABALYOK)+"\n")
-#dns()
-#dhcp()
-i=2
 '''
+i=2
 for mac, name, ipend in [("18:a9:05:64:19:aa", "mega6", 16), ("00:1e:0b:e9:79:1e", "blade1", 21), ("00:22:64:9c:fd:34", "blade2", 22), ("00:1e:0b:ec:65:46", "blade3", 23), ("b4:b5:2f:61:d2:5a", "cloud-man", 1)]:
    h1 = models.Host(hostname= name, vlan=models.Vlan.objects.get(vid=3), mac=mac, ipv4="10.3.1.%d" % ipend, ipv6="2001:738:2001:4031:3:1:%d:0" % ipend, owner=auth.models.User.objects.get(username="bd"))
    try:
@@ -450,9 +427,3 @@ for mac, name, ipend in [("18:a9:05:64:19:aa", "mega6", 16), ("00:1e:0b:e9:79:1e
        print "nemok %s" % name
 '''
-#try:
-#	h1.save()
-#	h1.groups.add(models.Group.objects.get(name="irodai gep"))
-#	h1.save()
-#except:
-#	print "nemsikerult"
--- a/firewall/models.py
+++ b/firewall/models.py
--- a/firewall/tasks.py
+++ b/firewall/tasks.py
--- a/firewall/views.py
+++ b/firewall/views.py