Commit
551b4fdf
authored
Mar 27, 2014
by
Bach Dániel
firewall: replace rule.accept with rule.action
parent
1d9db1cf
Showing
8 changed files
with
31 additions
and
17 deletions
+31
-17
circle/firewall/admin.py
+2
-2
circle/firewall/iptables.py
+4
-1
circle/firewall/migrations/0048_auto__add_field_rule_action.py
+0
-0
circle/firewall/migrations/0049_auto__del_field_rule_accept.py
+0
-0
circle/firewall/models.py
+14
-10
circle/firewall/tests/test_firewall.py
+8
-2
circle/network/forms.py
+2
-1
circle/network/tables.py
+1
-1
circle/firewall/admin.py
...
@@ -52,9 +52,9 @@ class VlanAdmin(admin.ModelAdmin):
...
@@ -52,9 +52,9 @@ class VlanAdmin(admin.ModelAdmin):
class
RuleAdmin
(
admin
.
ModelAdmin
):
class
RuleAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'r_type'
,
'color_desc'
,
'owner'
,
'extra'
,
'direction'
,
list_display
=
(
'r_type'
,
'color_desc'
,
'owner'
,
'extra'
,
'direction'
,
'ac
cept
'
,
'proto'
,
'sport'
,
'dport'
,
'nat'
,
'ac
tion
'
,
'proto'
,
'sport'
,
'dport'
,
'nat'
,
'nat_external_port'
,
'used_in'
)
'nat_external_port'
,
'used_in'
)
list_filter
=
(
'vlan'
,
'owner'
,
'direction'
,
'ac
cept
'
,
list_filter
=
(
'vlan'
,
'owner'
,
'direction'
,
'ac
tion
'
,
'proto'
,
'nat'
)
'proto'
,
'nat'
)
def
color_desc
(
self
,
instance
):
def
color_desc
(
self
,
instance
):
...
...
circle/firewall/iptables.py
...
@@ -16,7 +16,7 @@ class IptRule(object):
...
@@ -16,7 +16,7 @@ class IptRule(object):
def
__init__
(
self
,
priority
=
1000
,
action
=
None
,
src
=
None
,
dst
=
None
,
def
__init__
(
self
,
priority
=
1000
,
action
=
None
,
src
=
None
,
dst
=
None
,
proto
=
None
,
sport
=
None
,
dport
=
None
,
extra
=
None
,
proto
=
None
,
sport
=
None
,
dport
=
None
,
extra
=
None
,
ipv4_only
=
False
):
ipv4_only
=
False
,
ignored
=
False
):
if
proto
not
in
[
'tcp'
,
'udp'
,
'icmp'
,
None
]:
if
proto
not
in
[
'tcp'
,
'udp'
,
'icmp'
,
None
]:
raise
InvalidRuleExcepion
()
raise
InvalidRuleExcepion
()
if
proto
not
in
[
'tcp'
,
'udp'
]
and
(
sport
is
not
None
or
if
proto
not
in
[
'tcp'
,
'udp'
]
and
(
sport
is
not
None
or
...
@@ -44,6 +44,7 @@ class IptRule(object):
...
@@ -44,6 +44,7 @@ class IptRule(object):
self
.
extra
=
extra
self
.
extra
=
extra
self
.
ipv4_only
=
(
ipv4_only
or
self
.
ipv4_only
=
(
ipv4_only
or
extra
is
not
None
and
bool
(
ipv4_re
.
search
(
extra
)))
extra
is
not
None
and
bool
(
ipv4_re
.
search
(
extra
)))
self
.
ignored
=
ignored
def
__hash__
(
self
):
def
__hash__
(
self
):
return
hash
(
frozenset
(
self
.
__dict__
.
items
()))
return
hash
(
frozenset
(
self
.
__dict__
.
items
()))
...
@@ -71,6 +72,8 @@ class IptRule(object):
...
@@ -71,6 +72,8 @@ class IptRule(object):
params
=
[
opts
[
param
]
%
getattr
(
self
,
param
)
params
=
[
opts
[
param
]
%
getattr
(
self
,
param
)
for
param
in
opts
for
param
in
opts
if
getattr
(
self
,
param
)
is
not
None
]
if
getattr
(
self
,
param
)
is
not
None
]
if
self
.
ignored
:
params
.
insert
(
0
,
'# '
)
return
' '
.
join
(
params
)
return
' '
.
join
(
params
)
...
...
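Review bot: The new `ignored` handling in `compile()` neutralises a rule only by prepending `'# '` to the first token, so the rule is still rendered and its "off" state depends on the consumer treating a leading `#` as a comment; since `extra` is documented in this same commit as passed literally into the rule and is a free-text field, an `extra` containing a newline would put everything after the newline outside the comment and make an "ignored" rule live. If ignore is meant as a hard off-switch, have `compile()` return `''` for ignored rules (or have the caller drop them before joining) rather than emitting a commented line. As a minor point, `params.insert(0, '# ')` followed by `' '.join(params)` yields a double space (`#  -d …`); `params.insert(0, '#')` gives the intended `# -d …`. The `opts` table that `compile()` iterates is outside this hunk, so I cannot confirm how `extra` is quoted there.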
circle/firewall/migrations/0048_auto__add_field_rule_action.py
0 → 100644
circle/firewall/migrations/0049_auto__del_field_rule_accept.py
0 → 100644
circle/firewall/models.py
...
@@ -37,7 +37,9 @@ class Rule(models.Model):
...
@@ -37,7 +37,9 @@ class Rule(models.Model):
CHOICES_type
=
((
'host'
,
'host'
),
(
'firewall'
,
'firewall'
),
CHOICES_type
=
((
'host'
,
'host'
),
(
'firewall'
,
'firewall'
),
(
'vlan'
,
'vlan'
))
(
'vlan'
,
'vlan'
))
CHOICES_proto
=
((
'tcp'
,
'tcp'
),
(
'udp'
,
'udp'
),
(
'icmp'
,
'icmp'
))
CHOICES_proto
=
((
'tcp'
,
'tcp'
),
(
'udp'
,
'udp'
),
(
'icmp'
,
'icmp'
))
CHOICES_dir
=
((
'out'
,
'out'
),
(
'in'
,
'in'
))
CHOICES_dir
=
((
'out'
,
_
(
'out'
)),
(
'in'
,
_
(
'in'
)))
CHOICES_action
=
((
'accept'
,
_
(
'accept'
)),
(
'drop'
,
_
(
'drop'
)),
(
'ignore'
,
_
(
'ignore'
)))
direction
=
models
.
CharField
(
max_length
=
3
,
choices
=
CHOICES_dir
,
direction
=
models
.
CharField
(
max_length
=
3
,
choices
=
CHOICES_dir
,
blank
=
False
,
verbose_name
=
_
(
"direction"
),
blank
=
False
,
verbose_name
=
_
(
"direction"
),
...
@@ -70,9 +72,10 @@ class Rule(models.Model):
...
@@ -70,9 +72,10 @@ class Rule(models.Model):
extra
=
models
.
TextField
(
blank
=
True
,
verbose_name
=
_
(
"extra arguments"
),
extra
=
models
.
TextField
(
blank
=
True
,
verbose_name
=
_
(
"extra arguments"
),
help_text
=
_
(
"Additional arguments passed "
help_text
=
_
(
"Additional arguments passed "
"literally to the iptables-rule."
))
"literally to the iptables-rule."
))
accept
=
models
.
BooleanField
(
default
=
True
,
verbose_name
=
_
(
"accept"
),
action
=
models
.
CharField
(
max_length
=
10
,
choices
=
CHOICES_action
,
help_text
=
_
(
"Accept the matching packets "
default
=
'drop'
,
verbose_name
=
_
(
'action'
),
"(or deny if not checked)."
))
help_text
=
_
(
"Accept, drop or ignore the "
"matching packets."
))
owner
=
models
.
ForeignKey
(
User
,
blank
=
True
,
null
=
True
,
owner
=
models
.
ForeignKey
(
User
,
blank
=
True
,
null
=
True
,
verbose_name
=
_
(
"owner"
),
verbose_name
=
_
(
"owner"
),
help_text
=
_
(
"The user responsible for "
help_text
=
_
(
"The user responsible for "
...
@@ -179,7 +182,7 @@ class Rule(models.Model):
...
@@ -179,7 +182,7 @@ class Rule(models.Model):
def
get_ipt_rules
(
self
,
host
=
None
):
def
get_ipt_rules
(
self
,
host
=
None
):
# action
# action
action
=
'LOG_ACC'
if
self
.
ac
cept
else
'LOG_DROP'
action
=
'LOG_ACC'
if
self
.
ac
tion
==
'accept'
else
'LOG_DROP'
# src and dst addresses
# src and dst addresses
src
=
None
src
=
None
...
@@ -207,7 +210,8 @@ class Rule(models.Model):
...
@@ -207,7 +210,8 @@ class Rule(models.Model):
for
foreign_vlan
in
self
.
foreign_network
.
vlans
.
all
():
for
foreign_vlan
in
self
.
foreign_network
.
vlans
.
all
():
r
=
IptRule
(
priority
=
self
.
weight
,
action
=
action
,
r
=
IptRule
(
priority
=
self
.
weight
,
action
=
action
,
proto
=
self
.
proto
,
extra
=
self
.
extra
,
proto
=
self
.
proto
,
extra
=
self
.
extra
,
src
=
src
,
dst
=
dst
,
dport
=
dport
,
sport
=
sport
)
src
=
src
,
dst
=
dst
,
dport
=
dport
,
sport
=
sport
,
ignored
=
(
self
.
action
==
'ignore'
))
# host, hostgroup or vlan rule
# host, hostgroup or vlan rule
if
host
or
self
.
vlan_id
:
if
host
or
self
.
vlan_id
:
local_vlan
=
host
.
vlan
.
name
if
host
else
self
.
vlan
.
name
local_vlan
=
host
.
vlan
.
name
if
host
else
self
.
vlan
.
name
...
@@ -646,7 +650,7 @@ class Host(models.Model):
...
@@ -646,7 +650,7 @@ class Host(models.Model):
vgname
,
unicode
(
e
))
vgname
,
unicode
(
e
))
else
:
else
:
rule
=
Rule
(
direction
=
'in'
,
owner
=
self
.
owner
,
dport
=
private
,
rule
=
Rule
(
direction
=
'in'
,
owner
=
self
.
owner
,
dport
=
private
,
proto
=
proto
,
nat
=
False
,
ac
cept
=
True
,
proto
=
proto
,
nat
=
False
,
ac
tion
=
'accept'
,
host
=
self
,
foreign_network
=
vg
)
host
=
self
,
foreign_network
=
vg
)
if
self
.
behind_nat
:
if
self
.
behind_nat
:
if
public
<
1024
:
if
public
<
1024
:
...
@@ -735,7 +739,7 @@ class Host(models.Model):
...
@@ -735,7 +739,7 @@ class Host(models.Model):
"""
"""
endpoints
=
{}
endpoints
=
{}
# IPv4
# IPv4
ports
=
self
.
incoming_rules
.
filter
(
ac
cept
=
True
,
dport
=
port
,
ports
=
self
.
incoming_rules
.
filter
(
ac
tion
=
'accept'
,
dport
=
port
,
proto
=
protocol
)
proto
=
protocol
)
public_port
=
(
ports
[
0
]
.
get_external_port
(
proto
=
'ipv4'
)
public_port
=
(
ports
[
0
]
.
get_external_port
(
proto
=
'ipv4'
)
if
ports
.
exists
()
else
None
)
if
ports
.
exists
()
else
None
)
...
@@ -743,8 +747,8 @@ class Host(models.Model):
...
@@ -743,8 +747,8 @@ class Host(models.Model):
if
public_port
else
if
public_port
else
None
)
None
)
# IPv6
# IPv6
blocked
=
self
.
incoming_rules
.
filter
(
accept
=
False
,
dport
=
port
,
blocked
=
self
.
incoming_rules
.
exclude
(
proto
=
protocol
)
.
exists
()
action
=
'accept'
)
.
filter
(
dport
=
port
,
proto
=
protocol
)
.
exists
()
endpoints
[
'ipv6'
]
=
(
self
.
ipv6
,
port
)
if
not
blocked
else
None
endpoints
[
'ipv6'
]
=
(
self
.
ipv6
,
port
)
if
not
blocked
else
None
return
endpoints
return
endpoints
...
...
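Review bot: The new `action` field defaults to `'drop'` while the removed `accept` field defaulted to `True`, and the two migrations in this commit are auto-generated add/delete steps (collapsed here), so unless a data migration copies `accept=True` rows to `action='accept'` every existing accept rule silently flips to drop on upgrade; please confirm or add a migration that maps `accept -> action` before `0049` deletes the column. Separately, in `Host.get_endpoints` the IPv6 branch now computes `blocked` with `.exclude(action='accept')`, which counts `'ignore'` rules as blocking, yet `get_ipt_rules` emits an ignored rule as a commented-out line that blocks nothing, so the endpoint listing and the actual firewall disagree for ignored rules; the old semantics are kept with `blocked = self.incoming_rules.filter(action='drop', dport=port, proto=protocol).exists()`. A one-line comment on `CHOICES_action` stating that `ignore` renders the rule as a comment (no effect) would make that intent explicit.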
circle/firewall/tests/test_firewall.py
...
@@ -140,6 +140,9 @@ class IptablesTestCase(TestCase):
...
@@ -140,6 +140,9 @@ class IptablesTestCase(TestCase):
IptRule
(
priority
=
2
,
action
=
'ACCEPT'
,
IptRule
(
priority
=
2
,
action
=
'ACCEPT'
,
dst
=
(
'127.0.0.2'
,
None
),
dst
=
(
'127.0.0.2'
,
None
),
proto
=
'icmp'
),
proto
=
'icmp'
),
IptRule
(
priority
=
10
,
action
=
'ACCEPT'
,
dst
=
(
'127.0.0.10'
,
None
),
proto
=
'icmp'
,
ignored
=
True
),
IptRule
(
priority
=
6
,
action
=
'ACCEPT'
,
IptRule
(
priority
=
6
,
action
=
'ACCEPT'
,
dst
=
(
'127.0.0.6'
,
None
),
dst
=
(
'127.0.0.6'
,
None
),
proto
=
'tcp'
,
dport
=
'1337'
)]
proto
=
'tcp'
,
dport
=
'1337'
)]
...
@@ -154,6 +157,9 @@ class IptablesTestCase(TestCase):
...
@@ -154,6 +157,9 @@ class IptablesTestCase(TestCase):
self
.
assertEqual
(
self
.
r
[
5
]
.
compile
(),
self
.
assertEqual
(
self
.
r
[
5
]
.
compile
(),
'-d 127.0.0.5 -p tcp --dport 443 -g ACCEPT'
)
'-d 127.0.0.5 -p tcp --dport 443 -g ACCEPT'
)
def
test_ignored_rule_compile_ok
(
self
):
assert
self
.
r
[
7
]
.
compile
()
.
startswith
(
'# '
)
def
test_rule_compile_fail
(
self
):
def
test_rule_compile_fail
(
self
):
self
.
assertRaises
(
InvalidRuleExcepion
,
self
.
assertRaises
(
InvalidRuleExcepion
,
IptRule
,
**
{
'proto'
:
'test'
})
IptRule
,
**
{
'proto'
:
'test'
})
...
@@ -194,11 +200,11 @@ class ReloadTestCase(TestCase):
...
@@ -194,11 +200,11 @@ class ReloadTestCase(TestCase):
vlg
=
VlanGroup
.
objects
.
create
(
name
=
'public'
)
vlg
=
VlanGroup
.
objects
.
create
(
name
=
'public'
)
vlg
.
vlans
.
add
(
self
.
vlan
,
self
.
vlan2
)
vlg
.
vlans
.
add
(
self
.
vlan
,
self
.
vlan2
)
self
.
hg
=
Group
.
objects
.
create
(
name
=
'netezhet'
)
self
.
hg
=
Group
.
objects
.
create
(
name
=
'netezhet'
)
Rule
.
objects
.
create
(
ac
cept
=
True
,
hostgroup
=
self
.
hg
,
Rule
.
objects
.
create
(
ac
tion
=
'accept'
,
hostgroup
=
self
.
hg
,
foreign_network
=
vlg
)
foreign_network
=
vlg
)
firewall
=
Firewall
.
objects
.
create
(
name
=
'fw'
)
firewall
=
Firewall
.
objects
.
create
(
name
=
'fw'
)
Rule
.
objects
.
create
(
ac
cept
=
True
,
firewall
=
firewall
,
Rule
.
objects
.
create
(
ac
tion
=
'accept'
,
firewall
=
firewall
,
foreign_network
=
vlg
)
foreign_network
=
vlg
)
for
i
in
range
(
1
,
6
):
for
i
in
range
(
1
,
6
):
...
...
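Review bot: `test_ignored_rule_compile_ok` only checks `startswith('# ')`, so it would still pass if the rule body after the comment marker were empty or wrong; by analogy with the sibling `r[5]` assertion, pin the whole string with `self.assertEqual(self.r[7].compile(), '#  -d 127.0.0.10 -p icmp -g ACCEPT')` (note the double space the current `'# '` insert produces, which the exact assertion would also make visible). Using `self.assertEqual` rather than a bare `assert` also matches the surrounding TestCase style. Nothing in `ReloadTestCase` creates a `Rule` with `action='ignore'`, so the model-level path (`get_ipt_rules` passing `ignored=True`) is untested; one `Rule.objects.create(action='ignore', ...)` alongside the existing accept rules would cover it.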
circle/network/forms.py
...
@@ -162,9 +162,10 @@ class RuleForm(ModelForm):
...
@@ -162,9 +162,10 @@ class RuleForm(ModelForm):
'foreign_network'
,
'foreign_network'
,
'dport'
,
'dport'
,
'sport'
,
'sport'
,
'weight'
,
'proto'
,
'proto'
,
'extra'
,
'extra'
,
'ac
cept
'
,
'ac
tion
'
,
'owner'
,
'owner'
,
'nat'
,
'nat'
,
'nat_external_port'
,
'nat_external_port'
,
...
...
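Review bot: Besides the `accept` to `action` rename, this hunk adds `'weight'` to `RuleForm`'s editable fields, which is not mentioned in the commit message; `weight` becomes the iptables rule priority in `get_ipt_rules`, so anyone who can submit this form can now reorder rule precedence relative to other rules. If that is intended, a short note in the commit message (or a `# weight == iptables priority` comment next to the field) would help; if it is an unrelated change, it is cleaner as its own commit. I cannot see from this diff which users can reach `RuleForm`, so the exposure may already be admin-only.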
circle/network/tables.py
...
@@ -128,7 +128,7 @@ class RuleTable(Table):
...
@@ -128,7 +128,7 @@ class RuleTable(Table):
model
=
Rule
model
=
Rule
attrs
=
{
'class'
:
'table table-striped table-hover table-condensed'
}
attrs
=
{
'class'
:
'table table-striped table-hover table-condensed'
}
fields
=
(
'r_type'
,
'color_desc'
,
'owner'
,
'extra'
,
'direction'
,
fields
=
(
'r_type'
,
'color_desc'
,
'owner'
,
'extra'
,
'direction'
,
'ac
cept
'
,
'proto'
,
'sport'
,
'dport'
,
'nat'
,
'ac
tion
'
,
'proto'
,
'sport'
,
'dport'
,
'nat'
,
'nat_external_port'
,
)
'nat_external_port'
,
)
order_by
=
'direction'
order_by
=
'direction'
...
...
Bach Dániel
@bachdaniel
mentioned in merge request
!46 (merged)
Mar 27, 2014
mentioned in merge request
!46 (merged)
mentioned in merge request !46