firewall: replace rule.accept with rule.action

circle/firewall/admin.py

@@ -52,9 +52,9 @@ class VlanAdmin(admin.ModelAdmin):
 
 class RuleAdmin(admin.ModelAdmin):
     list_display = ('r_type', 'color_desc', 'owner', 'extra', 'direction',
-                    'accept', 'proto', 'sport', 'dport', 'nat',
+                    'action', 'proto', 'sport', 'dport', 'nat',
                     'nat_external_port', 'used_in')
-    list_filter = ('vlan', 'owner', 'direction', 'accept',
+    list_filter = ('vlan', 'owner', 'direction', 'action',
                    'proto', 'nat')
 
     def color_desc(self, instance):

circle/firewall/iptables.py

@@ -16,7 +16,7 @@ class IptRule(object):
 
     def __init__(self, priority=1000, action=None, src=None, dst=None,
                  proto=None, sport=None, dport=None, extra=None,
-                 ipv4_only=False):
+                 ipv4_only=False, ignored=False):
         if proto not in ['tcp', 'udp', 'icmp', None]:
             raise InvalidRuleExcepion()
         if proto not in ['tcp', 'udp'] and (sport is not None or
@@ -44,6 +44,7 @@ class IptRule(object):
         self.extra = extra
         self.ipv4_only = (ipv4_only or
                           extra is not None and bool(ipv4_re.search(extra)))
+        self.ignored = ignored
 
     def __hash__(self):
         return hash(frozenset(self.__dict__.items()))
@@ -71,6 +72,8 @@ class IptRule(object):
         params = [opts[param] % getattr(self, param)
                   for param in opts
                   if getattr(self, param) is not None]
+        if self.ignored:
+            params.insert(0, '# ')
         return ' '.join(params)
 
 

circle/firewall/models.py

@@ -37,7 +37,9 @@ class Rule(models.Model):
     CHOICES_type = (('host', 'host'), ('firewall', 'firewall'),
                    ('vlan', 'vlan'))
     CHOICES_proto = (('tcp', 'tcp'), ('udp', 'udp'), ('icmp', 'icmp'))
-    CHOICES_dir = (('out', 'out'), ('in', 'in'))
+    CHOICES_dir = (('out', _('out')), ('in', _('in')))
+    CHOICES_action = (('accept', _('accept')), ('drop', _('drop')),
+                      ('ignore', _('ignore')))
 
     direction = models.CharField(max_length=3, choices=CHOICES_dir,
                                  blank=False, verbose_name=_("direction"),
@@ -70,9 +72,10 @@ class Rule(models.Model):
     extra = models.TextField(blank=True, verbose_name=_("extra arguments"),
                              help_text=_("Additional arguments passed "
                                          "literally to the iptables-rule."))
-    accept = models.BooleanField(default=True, verbose_name=_("accept"),
-                                 help_text=_("Accept the matching packets "
-                                             "(or deny if not checked)."))
+    action = models.CharField(max_length=10, choices=CHOICES_action,
+                              default='drop', verbose_name=_('action'),
+                              help_text=_("Accept, drop or ignore the "
+                                          "matching packets."))
     owner = models.ForeignKey(User, blank=True, null=True,
                               verbose_name=_("owner"),
                               help_text=_("The user responsible for "
@@ -179,7 +182,7 @@ class Rule(models.Model):
 
     def get_ipt_rules(self, host=None):
         # action
-        action = 'LOG_ACC' if self.accept else 'LOG_DROP'
+        action = 'LOG_ACC' if self.action == 'accept' else 'LOG_DROP'
 
         # src and dst addresses
         src = None
@@ -207,7 +210,8 @@ class Rule(models.Model):
         for foreign_vlan in self.foreign_network.vlans.all():
             r = IptRule(priority=self.weight, action=action,
                         proto=self.proto, extra=self.extra,
-                        src=src, dst=dst, dport=dport, sport=sport)
+                        src=src, dst=dst, dport=dport, sport=sport,
+                        ignored=(self.action == 'ignore'))
             # host, hostgroup or vlan rule
             if host or self.vlan_id:
                 local_vlan = host.vlan.name if host else self.vlan.name
@@ -646,7 +650,7 @@ class Host(models.Model):
                          vgname, unicode(e))
         else:
             rule = Rule(direction='in', owner=self.owner, dport=private,
-                        proto=proto, nat=False, accept=True,
+                        proto=proto, nat=False, action='accept',
                         host=self, foreign_network=vg)
             if self.behind_nat:
                 if public < 1024:
@@ -735,7 +739,7 @@ class Host(models.Model):
         """
         endpoints = {}
         # IPv4
-        ports = self.incoming_rules.filter(accept=True, dport=port,
+        ports = self.incoming_rules.filter(action='accept', dport=port,
                                            proto=protocol)
         public_port = (ports[0].get_external_port(proto='ipv4')
                        if ports.exists() else None)
@@ -743,8 +747,8 @@ class Host(models.Model):
                              if public_port else
                              None)
         # IPv6
-        blocked = self.incoming_rules.filter(accept=False, dport=port,
-                                             proto=protocol).exists()
+        blocked = self.incoming_rules.exclude(
+            action='accept').filter(dport=port, proto=protocol).exists()
         endpoints['ipv6'] = (self.ipv6, port) if not blocked else None
         return endpoints
 

circle/firewall/tests/test_firewall.py

@@ -140,6 +140,9 @@ class IptablesTestCase(TestCase):
                   IptRule(priority=2, action='ACCEPT',
                           dst=('127.0.0.2', None),
                           proto='icmp'),
+                  IptRule(priority=10, action='ACCEPT',
+                          dst=('127.0.0.10', None),
+                          proto='icmp', ignored=True),
                   IptRule(priority=6, action='ACCEPT',
                           dst=('127.0.0.6', None),
                           proto='tcp', dport='1337')]
@@ -154,6 +157,9 @@ class IptablesTestCase(TestCase):
         self.assertEqual(self.r[5].compile(),
                          '-d 127.0.0.5 -p tcp --dport 443 -g ACCEPT')
 
+    def test_ignored_rule_compile_ok(self):
+        assert self.r[7].compile().startswith('# ')
+
     def test_rule_compile_fail(self):
         self.assertRaises(InvalidRuleExcepion,
                           IptRule, **{'proto': 'test'})
@@ -194,11 +200,11 @@ class ReloadTestCase(TestCase):
         vlg = VlanGroup.objects.create(name='public')
         vlg.vlans.add(self.vlan, self.vlan2)
         self.hg = Group.objects.create(name='netezhet')
-        Rule.objects.create(accept=True, hostgroup=self.hg,
+        Rule.objects.create(action='accept', hostgroup=self.hg,
                             foreign_network=vlg)
 
         firewall = Firewall.objects.create(name='fw')
-        Rule.objects.create(accept=True, firewall=firewall,
+        Rule.objects.create(action='accept', firewall=firewall,
                             foreign_network=vlg)
 
         for i in range(1, 6):

circle/network/forms.py

@@ -162,9 +162,10 @@ class RuleForm(ModelForm):
                 'foreign_network',
                 'dport',
                 'sport',
+                'weight',
                 'proto',
                 'extra',
-                'accept',
+                'action',
                 'owner',
                 'nat',
                 'nat_external_port',

circle/network/tables.py

@@ -128,7 +128,7 @@ class RuleTable(Table):
         model = Rule
         attrs = {'class': 'table table-striped table-hover table-condensed'}
         fields = ('r_type', 'color_desc', 'owner', 'extra', 'direction',
-                  'accept', 'proto', 'sport', 'dport', 'nat',
+                  'action', 'proto', 'sport', 'dport', 'nat',
                   'nat_external_port', )
         order_by = 'direction'