firewall: ignore unmanaged vlans

68b9fe68 · Bach Dániel · 47a01c9a · 68b9fe68 · 68b9fe68
Commit 68b9fe68 authored Jul 10, 2014 by Bach Dániel
Show whitespace changes
Inline Side-by-side

Showing with 32 additions and 25 deletions

circle/firewall/fw.py
+2 -1

circle/firewall/models.py
+30 -24

No files found.
--- a/circle/firewall/fw.py
+++ b/circle/firewall/fw.py
@@ -319,7 +319,8 @@ def dhcp():
 def vlan():
-    obj = Vlan.objects.values('vid', 'name', 'network4', 'network6')
+    obj = Vlan.objects.filter(managed=True).values(
+        'vid', 'name', 'network4', 'network6')
    retval = {x['name']: {'tag': x['vid'],
                          'type': 'internal',
                          'interfaces': [x['name']],

--- a/circle/firewall/models.py
+++ b/circle/firewall/models.py
@@ -189,19 +189,31 @@ class Rule(models.Model):
    def get_absolute_url(self):
        return ('network.rule', None, {'pk': self.pk})
-    @staticmethod
+    def get_chain_name(self, local, remote):
-    def get_chain_name(local, remote, direction):
+        if local:  # host or vlan
-        if direction == 'in':
+            if self.direction == 'in':
                # remote -> local
-            return '%s_%s' % (remote, local)
+                return '%s_%s' % (remote.name, local.name)
            else:
                # local -> remote
-            return '%s_%s' % (local, remote)
+                return '%s_%s' % (local.name, remote.name)
+            # firewall rule
+        elif self.firewall_id:
+            return 'INPUT' if self.direction == 'in' else 'OUTPUT'
+    def get_dport_sport(self):
+        if self.direction == 'in':
+            return self.dport, self.sport
+        else:
+            return self.sport, self.dport
    def get_ipt_rules(self, host=None):
        # action
        action = 'LOG_ACC' if self.action == 'accept' else 'LOG_DROP'
+        # 'chain_name': rule dict
+        retval = {}
        # src and dst addresses
        src = None
        dst = None
@@ -212,34 +224,28 @@ class Rule(models.Model):
                dst = ip
            else:
                src = ip
+            vlan = host.vlan
-        # src and dst ports
+        elif self.vlan_id:
-        if self.direction == 'in':
+            vlan = self.vlan
-            dport = self.dport
-            sport = self.sport
        else:
-            dport = self.sport
+            vlan = None
-            sport = self.dport
-        # 'chain_name': rule dict
+        if vlan and not vlan.managed:
-        retval = {}
+            return retval
+        # src and dst ports
+        dport, sport = self.get_dport_sport()
        # process foreign vlans
        for foreign_vlan in self.foreign_network.vlans.all():
+            if not foreign_vlan.managed:
+                continue
            r = IptRule(priority=self.weight, action=action,
                        proto=self.proto, extra=self.extra,
                        comment='Rule #%s' % self.pk,
                        src=src, dst=dst, dport=dport, sport=sport)
-            # host, hostgroup or vlan rule
+            chain_name = self.get_chain_name(local=vlan, remote=foreign_vlan)
-            if host or self.vlan_id:
-                local_vlan = host.vlan.name if host else self.vlan.name
-                chain_name = Rule.get_chain_name(local=local_vlan,
-                                                 remote=foreign_vlan.name,
-                                                 direction=self.direction)
-            # firewall rule
-            elif self.firewall_id:
-                chain_name = 'INPUT' if self.direction == 'in' else 'OUTPUT'
            retval[chain_name] = r
        return retval