Skip to content
Toggle navigation
P
Projects
G
Groups
S
Snippets
Help
CIRCLE
/
cloud
This project
Loading...
Sign in
Toggle navigation
Go to a project
Project
Repository
Issues
94
Merge Requests
10
Pipelines
Wiki
Snippets
Members
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Commit
9fa75044
authored
Jun 18, 2013
by
Őry Máté
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
firewall: cleanup models
parent
de7816ad
Show whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
90 additions
and
41 deletions
+90
-41
firewall/models.py
+90
-41
No files found.
firewall/models.py
View file @
9fa75044
...
@@ -2,21 +2,22 @@
...
@@ -2,21 +2,22 @@
from
django.contrib.auth.models
import
User
from
django.contrib.auth.models
import
User
from
django.db
import
models
from
django.db
import
models
from
django.forms
import
fields
,
ValidationError
from
django.forms
import
ValidationError
from
django.utils.translation
import
ugettext_lazy
as
_
from
django.utils.translation
import
ugettext_lazy
as
_
from
firewall.fields
import
*
from
firewall.fields
import
*
from
south.modelsinspector
import
add_introspection_rules
from
django.core.validators
import
MinValueValidator
,
MaxValueValidator
from
django.core.validators
import
MinValueValidator
,
MaxValueValidator
import
django.conf
import
django.conf
from
django.db.models.signals
import
post_save
from
django.db.models.signals
import
post_save
import
re
import
random
import
random
settings
=
django
.
conf
.
settings
.
FIREWALL_SETTINGS
settings
=
django
.
conf
.
settings
.
FIREWALL_SETTINGS
class
Rule
(
models
.
Model
):
class
Rule
(
models
.
Model
):
"""
"""
A rule of a packet filter, changing the behavior of a host, vlan or firewall.
A rule of a packet filter, changing the behavior of a host, vlan or
firewall.
Some rules accept or deny packets matching some criteria.
Some rules accept or deny packets matching some criteria.
Others set address translation or other free-form iptables parameters.
Others set address translation or other free-form iptables parameters.
...
@@ -28,52 +29,77 @@ class Rule(models.Model):
...
@@ -28,52 +29,77 @@ class Rule(models.Model):
direction
=
models
.
CharField
(
max_length
=
1
,
choices
=
CHOICES_dir
,
direction
=
models
.
CharField
(
max_length
=
1
,
choices
=
CHOICES_dir
,
blank
=
False
,
verbose_name
=
_
(
"direction"
),
blank
=
False
,
verbose_name
=
_
(
"direction"
),
help_text
=
_
(
"If the rule matches egress or ingress packets."
))
help_text
=
_
(
"If the rule matches egress "
"or ingress packets."
))
description
=
models
.
TextField
(
blank
=
True
,
description
=
models
.
TextField
(
blank
=
True
,
help_text
=
_
(
"Why is the rule needed, or how does it work."
))
help_text
=
_
(
"Why is the rule needed, "
foreign_network
=
models
.
ForeignKey
(
'VlanGroup'
,
verbose_name
=
_
(
"foreign network"
),
"or how does it work."
))
help_text
=
_
(
"The group of vlans the matching packet goes to (direction out) or from (in)."
),
foreign_network
=
models
.
ForeignKey
(
'VlanGroup'
,
verbose_name
=
_
(
"foreign network"
),
help_text
=
_
(
"The group of vlans the matching packet goes to "
"(direction out) or from (in)."
),
related_name
=
"ForeignRules"
)
related_name
=
"ForeignRules"
)
dport
=
models
.
IntegerField
(
blank
=
True
,
null
=
True
,
verbose_name
=
_
(
"dest. port"
),
dport
=
models
.
IntegerField
(
blank
=
True
,
null
=
True
,
verbose_name
=
_
(
"dest. port"
),
validators
=
[
MinValueValidator
(
1
),
MaxValueValidator
(
65535
)],
validators
=
[
MinValueValidator
(
1
),
MaxValueValidator
(
65535
)],
help_text
=
_
(
"Destination port number of packets that match."
))
help_text
=
_
(
"Destination port number of packets that match."
))
sport
=
models
.
IntegerField
(
blank
=
True
,
null
=
True
,
verbose_name
=
_
(
"source port"
),
sport
=
models
.
IntegerField
(
blank
=
True
,
null
=
True
,
verbose_name
=
_
(
"source port"
),
validators
=
[
MinValueValidator
(
1
),
MaxValueValidator
(
65535
)],
validators
=
[
MinValueValidator
(
1
),
MaxValueValidator
(
65535
)],
help_text
=
_
(
"Source port number of packets that match."
))
help_text
=
_
(
"Source port number of packets that match."
))
proto
=
models
.
CharField
(
max_length
=
10
,
choices
=
CHOICES_proto
,
proto
=
models
.
CharField
(
max_length
=
10
,
choices
=
CHOICES_proto
,
blank
=
True
,
null
=
True
,
verbose_name
=
_
(
"protocol"
),
blank
=
True
,
null
=
True
,
verbose_name
=
_
(
"protocol"
),
help_text
=
_
(
"Protocol of packets that match."
))
help_text
=
_
(
"Protocol of packets that match."
))
extra
=
models
.
TextField
(
blank
=
True
,
verbose_name
=
_
(
"extra arguments"
),
extra
=
models
.
TextField
(
blank
=
True
,
verbose_name
=
_
(
"extra arguments"
),
help_text
=
_
(
"Additional arguments passed literally to the iptables-rule."
))
help_text
=
_
(
"Additional arguments passed "
"literally to the iptables-rule."
))
accept
=
models
.
BooleanField
(
default
=
False
,
verbose_name
=
_
(
"accept"
),
accept
=
models
.
BooleanField
(
default
=
False
,
verbose_name
=
_
(
"accept"
),
help_text
=
_
(
"Accept the matching packets (or deny if not checked)."
))
help_text
=
_
(
"Accept the matching packets "
"(or deny if not checked)."
))
owner
=
models
.
ForeignKey
(
User
,
blank
=
True
,
null
=
True
,
owner
=
models
.
ForeignKey
(
User
,
blank
=
True
,
null
=
True
,
verbose_name
=
_
(
"owner"
),
verbose_name
=
_
(
"owner"
),
help_text
=
_
(
"The user responsible for this rule."
))
help_text
=
_
(
"The user responsible for "
"this rule."
))
r_type
=
models
.
CharField
(
max_length
=
10
,
verbose_name
=
_
(
"Rule type"
),
r_type
=
models
.
CharField
(
max_length
=
10
,
verbose_name
=
_
(
"Rule type"
),
choices
=
CHOICES_type
,
choices
=
CHOICES_type
,
help_text
=
_
(
"The type of entity the rule belongs to."
))
help_text
=
_
(
"The type of entity the rule "
"belongs to."
))
nat
=
models
.
BooleanField
(
default
=
False
,
verbose_name
=
_
(
"NAT"
),
nat
=
models
.
BooleanField
(
default
=
False
,
verbose_name
=
_
(
"NAT"
),
help_text
=
_
(
"If network address translation shoud be done."
))
help_text
=
_
(
"If network address translation "
"shoud be done."
))
nat_dport
=
models
.
IntegerField
(
blank
=
True
,
null
=
True
,
nat_dport
=
models
.
IntegerField
(
blank
=
True
,
null
=
True
,
help_text
=
_
(
"Rewrite destination port number to."
),
help_text
=
_
(
"Rewrite destination port number to."
),
validators
=
[
MinValueValidator
(
1
),
validators
=
[
MinValueValidator
(
1
),
MaxValueValidator
(
65535
)])
MaxValueValidator
(
65535
)])
created_at
=
models
.
DateTimeField
(
auto_now_add
=
True
,
verbose_name
=
_
(
"created at"
))
created_at
=
models
.
DateTimeField
(
modified_at
=
models
.
DateTimeField
(
auto_now
=
True
,
verbose_name
=
_
(
"modified at"
))
auto_now_add
=
True
,
verbose_name
=
_
(
"created at"
))
modified_at
=
models
.
DateTimeField
(
auto_now
=
True
,
verbose_name
=
_
(
"modified at"
))
vlan
=
models
.
ForeignKey
(
'Vlan'
,
related_name
=
"rules"
,
blank
=
True
,
vlan
=
models
.
ForeignKey
(
'Vlan'
,
related_name
=
"rules"
,
blank
=
True
,
null
=
True
,
verbose_name
=
_
(
"vlan"
),
null
=
True
,
verbose_name
=
_
(
"vlan"
),
help_text
=
_
(
"Vlan the rule applies to (if type is vlan)."
))
help_text
=
_
(
"Vlan the rule applies to "
"(if type is vlan)."
))
vlangroup
=
models
.
ForeignKey
(
'VlanGroup'
,
related_name
=
"rules"
,
vlangroup
=
models
.
ForeignKey
(
'VlanGroup'
,
related_name
=
"rules"
,
blank
=
True
,
null
=
True
,
verbose_name
=
_
(
"vlan group"
),
blank
=
True
,
null
=
True
,
verbose_name
=
_
(
help_text
=
_
(
"Group of vlans the rule applies to (if type is vlan)."
))
"vlan group"
),
help_text
=
_
(
"Group of vlans the rule "
"applies to (if type is vlan)."
))
host
=
models
.
ForeignKey
(
'Host'
,
related_name
=
"rules"
,
blank
=
True
,
host
=
models
.
ForeignKey
(
'Host'
,
related_name
=
"rules"
,
blank
=
True
,
verbose_name
=
_
(
'host'
),
null
=
True
,
help_text
=
_
(
"Host the rule applies to (if type is host)."
))
verbose_name
=
_
(
'host'
),
null
=
True
,
hostgroup
=
models
.
ForeignKey
(
'Group'
,
related_name
=
"rules"
,
verbose_name
=
_
(
"host group"
),
help_text
=
_
(
"Host the rule applies to "
blank
=
True
,
null
=
True
,
help_text
=
_
(
"Group of hosts the rule applies to (if type is host)."
))
"(if type is host)."
))
firewall
=
models
.
ForeignKey
(
'Firewall'
,
related_name
=
"rules"
,
verbose_name
=
_
(
"firewall"
),
hostgroup
=
models
.
ForeignKey
(
help_text
=
_
(
"Firewall the rule applies to (if type is firewall)."
),
'Group'
,
related_name
=
"rules"
,
verbose_name
=
_
(
"host group"
),
blank
=
True
,
null
=
True
,
help_text
=
_
(
"Group of hosts the rule applies "
"to (if type is host)."
))
firewall
=
models
.
ForeignKey
(
'Firewall'
,
related_name
=
"rules"
,
verbose_name
=
_
(
"firewall"
),
help_text
=
_
(
"Firewall the rule applies to "
"(if type is firewall)."
),
blank
=
True
,
null
=
True
)
blank
=
True
,
null
=
True
)
def
__unicode__
(
self
):
def
__unicode__
(
self
):
...
@@ -101,7 +127,16 @@ class Rule(models.Model):
...
@@ -101,7 +127,16 @@ class Rule(models.Model):
class
Meta
:
class
Meta
:
verbose_name
=
_
(
"rule"
)
verbose_name
=
_
(
"rule"
)
verbose_name_plural
=
_
(
"rules"
)
verbose_name_plural
=
_
(
"rules"
)
ordering
=
(
'r_type'
,
'direction'
,
'proto'
,
'sport'
,
'dport'
,
'nat_dport'
,
'host'
,
)
ordering
=
(
'r_type'
,
'direction'
,
'proto'
,
'sport'
,
'dport'
,
'nat_dport'
,
'host'
,
)
class
Vlan
(
models
.
Model
):
class
Vlan
(
models
.
Model
):
vid
=
models
.
IntegerField
(
unique
=
True
)
vid
=
models
.
IntegerField
(
unique
=
True
)
...
@@ -136,6 +171,7 @@ class Vlan(models.Model):
...
@@ -136,6 +171,7 @@ class Vlan(models.Model):
def
net_ipv4
(
self
):
def
net_ipv4
(
self
):
return
self
.
net4
+
"/"
+
unicode
(
self
.
prefix4
)
return
self
.
net4
+
"/"
+
unicode
(
self
.
prefix4
)
class
VlanGroup
(
models
.
Model
):
class
VlanGroup
(
models
.
Model
):
name
=
models
.
CharField
(
max_length
=
20
,
unique
=
True
)
name
=
models
.
CharField
(
max_length
=
20
,
unique
=
True
)
vlans
=
models
.
ManyToManyField
(
'Vlan'
,
symmetrical
=
False
,
blank
=
True
,
vlans
=
models
.
ManyToManyField
(
'Vlan'
,
symmetrical
=
False
,
blank
=
True
,
...
@@ -148,6 +184,7 @@ class VlanGroup(models.Model):
...
@@ -148,6 +184,7 @@ class VlanGroup(models.Model):
def
__unicode__
(
self
):
def
__unicode__
(
self
):
return
self
.
name
return
self
.
name
class
Group
(
models
.
Model
):
class
Group
(
models
.
Model
):
name
=
models
.
CharField
(
max_length
=
20
,
unique
=
True
)
name
=
models
.
CharField
(
max_length
=
20
,
unique
=
True
)
description
=
models
.
TextField
(
blank
=
True
)
description
=
models
.
TextField
(
blank
=
True
)
...
@@ -158,6 +195,7 @@ class Group(models.Model):
...
@@ -158,6 +195,7 @@ class Group(models.Model):
def
__unicode__
(
self
):
def
__unicode__
(
self
):
return
self
.
name
return
self
.
name
class
Host
(
models
.
Model
):
class
Host
(
models
.
Model
):
hostname
=
models
.
CharField
(
max_length
=
40
,
unique
=
True
,
hostname
=
models
.
CharField
(
max_length
=
40
,
unique
=
True
,
validators
=
[
val_alfanum
])
validators
=
[
val_alfanum
])
...
@@ -210,7 +248,8 @@ class Host(models.Model):
...
@@ -210,7 +248,8 @@ class Host(models.Model):
proto
=
"tcp"
if
proto
==
"tcp"
else
"udp"
proto
=
"tcp"
if
proto
==
"tcp"
else
"udp"
if
self
.
shared_ip
:
if
self
.
shared_ip
:
used_ports
=
Rule
.
objects
.
filter
(
host__pub_ipv4
=
self
.
pub_ipv4
,
used_ports
=
Rule
.
objects
.
filter
(
host__pub_ipv4
=
self
.
pub_ipv4
,
nat
=
True
,
proto
=
proto
)
.
values_list
(
'dport'
,
flat
=
True
)
nat
=
True
,
proto
=
proto
)
.
values_list
(
'dport'
,
flat
=
True
)
if
public
is
None
:
if
public
is
None
:
public
=
random
.
randint
(
1024
,
21000
)
public
=
random
.
randint
(
1024
,
21000
)
...
@@ -220,20 +259,21 @@ class Host(models.Model):
...
@@ -220,20 +259,21 @@ class Host(models.Model):
public
=
i
public
=
i
break
break
else
:
else
:
raise
ValidationError
(
_
(
"Port
%
s
%
s is already in use."
)
%
raise
ValidationError
(
_
(
"Port
%
s
%
s is already in use."
)
%
(
proto
,
public
))
(
proto
,
public
))
else
:
else
:
if
public
<
1024
:
if
public
<
1024
:
raise
ValidationError
(
_
(
"Only ports above 1024 can be used."
))
raise
ValidationError
(
_
(
"Only ports above 1024 can be used."
))
if
public
in
used_ports
:
if
public
in
used_ports
:
raise
ValidationError
(
_
(
"Port
%
s
%
s is already in use."
)
%
raise
ValidationError
(
_
(
"Port
%
s
%
s is already in use."
)
%
(
proto
,
public
))
(
proto
,
public
))
vg
=
VlanGroup
.
objects
.
get
(
name
=
settings
[
"default_vlangroup"
])
rule
=
Rule
(
direction
=
'1'
,
owner
=
self
.
owner
,
dport
=
public
,
rule
=
Rule
(
direction
=
'1'
,
owner
=
self
.
owner
,
dport
=
public
,
proto
=
proto
,
nat
=
True
,
accept
=
True
,
r_type
=
"host"
,
proto
=
proto
,
nat
=
True
,
accept
=
True
,
r_type
=
"host"
,
nat_dport
=
private
,
host
=
self
,
foreign_network
=
VlanGroup
.
nat_dport
=
private
,
host
=
self
,
foreign_network
=
vg
)
objects
.
get
(
name
=
settings
[
"default_vlangroup"
]))
else
:
else
:
if
self
.
rules
.
filter
(
proto
=
proto
,
dport
=
public
):
if
self
.
rules
.
filter
(
proto
=
proto
,
dport
=
public
):
raise
ValidationError
(
_
(
"Port
%
s
%
s is already in use."
)
%
raise
ValidationError
(
_
(
"Port
%
s
%
s is already in use."
)
%
...
@@ -309,6 +349,7 @@ class Firewall(models.Model):
...
@@ -309,6 +349,7 @@ class Firewall(models.Model):
def
__unicode__
(
self
):
def
__unicode__
(
self
):
return
self
.
name
return
self
.
name
class
Domain
(
models
.
Model
):
class
Domain
(
models
.
Model
):
name
=
models
.
CharField
(
max_length
=
40
,
validators
=
[
val_domain
])
name
=
models
.
CharField
(
max_length
=
40
,
validators
=
[
val_domain
])
owner
=
models
.
ForeignKey
(
User
)
owner
=
models
.
ForeignKey
(
User
)
...
@@ -320,6 +361,7 @@ class Domain(models.Model):
...
@@ -320,6 +361,7 @@ class Domain(models.Model):
def
__unicode__
(
self
):
def
__unicode__
(
self
):
return
self
.
name
return
self
.
name
class
Record
(
models
.
Model
):
class
Record
(
models
.
Model
):
CHOICES_type
=
((
'A'
,
'A'
),
(
'CNAME'
,
'CNAME'
),
(
'AAAA'
,
'AAAA'
),
CHOICES_type
=
((
'A'
,
'A'
),
(
'CNAME'
,
'CNAME'
),
(
'AAAA'
,
'AAAA'
),
(
'MX'
,
'MX'
),
(
'NS'
,
'NS'
),
(
'PTR'
,
'PTR'
),
(
'TXT'
,
'TXT'
))
(
'MX'
,
'MX'
),
(
'NS'
,
'NS'
),
(
'PTR'
,
'PTR'
),
(
'TXT'
,
'TXT'
))
...
@@ -354,11 +396,11 @@ class Record(models.Model):
...
@@ -354,11 +396,11 @@ class Record(models.Model):
if
self
.
host
:
if
self
.
host
:
if
self
.
type
in
[
'A'
,
'AAAA'
]:
if
self
.
type
in
[
'A'
,
'AAAA'
]:
if
self
.
address
:
if
self
.
address
:
raise
ValidationError
(
_
(
"Can't specify address for "
raise
ValidationError
(
_
(
"Can't specify address for
A
"
"A
or AAAA records if host is set!"
))
"
or AAAA records if host is set!"
))
if
self
.
name
:
if
self
.
name
:
raise
ValidationError
(
_
(
"Can't specify name for "
raise
ValidationError
(
_
(
"Can't specify name for
A
"
"A
or AAAA records if host is set!"
))
"
or AAAA records if host is set!"
))
elif
self
.
type
==
'CNAME'
:
elif
self
.
type
==
'CNAME'
:
if
not
self
.
name
:
if
not
self
.
name
:
raise
ValidationError
(
_
(
"Name must be specified for "
raise
ValidationError
(
_
(
"Name must be specified for "
...
@@ -380,8 +422,8 @@ class Record(models.Model):
...
@@ -380,8 +422,8 @@ class Record(models.Model):
mx
=
self
.
address
.
split
(
':'
,
1
)
mx
=
self
.
address
.
split
(
':'
,
1
)
if
not
(
len
(
mx
)
==
2
and
mx
[
0
]
.
isdigit
()
and
if
not
(
len
(
mx
)
==
2
and
mx
[
0
]
.
isdigit
()
and
domain_re
.
match
(
mx
[
1
])):
domain_re
.
match
(
mx
[
1
])):
raise
ValidationError
(
_
(
"Bad address format. "
raise
ValidationError
(
_
(
"Bad
MX
address format. "
"Should be: <priority>:<host
name>"
))
"Should be: <priority>:<
name>"
))
else
:
else
:
raise
ValidationError
(
_
(
"Unknown record type."
))
raise
ValidationError
(
_
(
"Unknown record type."
))
...
@@ -425,22 +467,29 @@ class Record(models.Model):
...
@@ -425,22 +467,29 @@ class Record(models.Model):
'ttl'
:
self
.
ttl
,
'ttl'
:
self
.
ttl
,
'address'
:
address
}
'address'
:
address
}
class
Blacklist
(
models
.
Model
):
class
Blacklist
(
models
.
Model
):
CHOICES_type
=
((
'permban'
,
'permanent ban'
),
(
'tempban'
,
'temporary ban'
),
(
'whitelist'
,
'whitelist'
),
(
'tempwhite'
,
'tempwhite'
))
CHOICES_type
=
((
'permban'
,
'permanent ban'
),
(
'tempban'
,
'temporary ban'
),
(
'whitelist'
,
'whitelist'
),
(
'tempwhite'
,
'tempwhite'
))
ipv4
=
models
.
GenericIPAddressField
(
protocol
=
'ipv4'
,
unique
=
True
)
ipv4
=
models
.
GenericIPAddressField
(
protocol
=
'ipv4'
,
unique
=
True
)
host
=
models
.
ForeignKey
(
'Host'
,
blank
=
True
,
null
=
True
)
host
=
models
.
ForeignKey
(
'Host'
,
blank
=
True
,
null
=
True
)
reason
=
models
.
TextField
(
blank
=
True
)
reason
=
models
.
TextField
(
blank
=
True
)
snort_message
=
models
.
TextField
(
blank
=
True
)
snort_message
=
models
.
TextField
(
blank
=
True
)
type
=
models
.
CharField
(
max_length
=
10
,
choices
=
CHOICES_type
,
default
=
'tempban'
)
type
=
models
.
CharField
(
max_length
=
10
,
choices
=
CHOICES_type
,
default
=
'tempban'
)
created_at
=
models
.
DateTimeField
(
auto_now_add
=
True
)
created_at
=
models
.
DateTimeField
(
auto_now_add
=
True
)
modified_at
=
models
.
DateTimeField
(
auto_now
=
True
)
modified_at
=
models
.
DateTimeField
(
auto_now
=
True
)
def
save
(
self
,
*
args
,
**
kwargs
):
def
save
(
self
,
*
args
,
**
kwargs
):
self
.
full_clean
()
self
.
full_clean
()
super
(
Blacklist
,
self
)
.
save
(
*
args
,
**
kwargs
)
super
(
Blacklist
,
self
)
.
save
(
*
args
,
**
kwargs
)
def
__unicode__
(
self
):
def
__unicode__
(
self
):
return
self
.
ipv4
return
self
.
ipv4
def
send_task
(
sender
,
instance
,
created
,
**
kwargs
):
def
send_task
(
sender
,
instance
,
created
,
**
kwargs
):
from
firewall.tasks
import
ReloadTask
from
firewall.tasks
import
ReloadTask
ReloadTask
.
apply_async
(
args
=
[
sender
.
__name__
])
ReloadTask
.
apply_async
(
args
=
[
sender
.
__name__
])
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment