Skip to content

CIRCLE / cloud

Go to a project
Commit 9fa75044 by Őry Máté
Options

firewall: cleanup models

parent de7816ad
Showing with 90 additions and 41 deletions
firewall/models.py
...@@ -2,21 +2,22 @@ ...@@ -2,21 +2,22 @@
from django.contrib.auth.models import User from django.contrib.auth.models import User
from django.db import models from django.db import models
from django.forms import fields, ValidationError from django.forms import ValidationError
from django.utils.translation import ugettext_lazy as _ from django.utils.translation import ugettext_lazy as _
from firewall.fields import * from firewall.fields import *
from south.modelsinspector import add_introspection_rules
from django.core.validators import MinValueValidator, MaxValueValidator from django.core.validators import MinValueValidator, MaxValueValidator
import django.conf import django.conf
from django.db.models.signals import post_save from django.db.models.signals import post_save
import re
import random import random
settings = django.conf.settings.FIREWALL_SETTINGS settings = django.conf.settings.FIREWALL_SETTINGS
class Rule(models.Model): class Rule(models.Model):
""" """
A rule of a packet filter, changing the behavior of a host, vlan or firewall. A rule of a packet filter, changing the behavior of a host, vlan or
firewall.
Some rules accept or deny packets matching some criteria. Some rules accept or deny packets matching some criteria.
Others set address translation or other free-form iptables parameters. Others set address translation or other free-form iptables parameters.
...@@ -28,52 +29,77 @@ class Rule(models.Model): ...@@ -28,52 +29,77 @@ class Rule(models.Model):
direction = models.CharField(max_length=1, choices=CHOICES_dir, direction = models.CharField(max_length=1, choices=CHOICES_dir,
blank=False, verbose_name=_("direction"), blank=False, verbose_name=_("direction"),
help_text=_("If the rule matches egress or ingress packets.")) help_text=_("If the rule matches egress "
"or ingress packets."))
description = models.TextField(blank=True, description = models.TextField(blank=True,
help_text=_("Why is the rule needed, or how does it work.")) help_text=_("Why is the rule needed, "
foreign_network = models.ForeignKey('VlanGroup', verbose_name=_("foreign network"), "or how does it work."))
help_text=_("The group of vlans the matching packet goes to (direction out) or from (in)."), foreign_network = models.ForeignKey(
'VlanGroup', verbose_name=_("foreign network"),
help_text=_("The group of vlans the matching packet goes to "
"(direction out) or from (in)."),
related_name="ForeignRules") related_name="ForeignRules")
dport = models.IntegerField(blank=True, null=True, verbose_name=_("dest. port"), dport = models.IntegerField(
blank=True, null=True, verbose_name=_("dest. port"),
validators=[MinValueValidator(1), MaxValueValidator(65535)], validators=[MinValueValidator(1), MaxValueValidator(65535)],
help_text=_("Destination port number of packets that match.")) help_text=_("Destination port number of packets that match."))
sport = models.IntegerField(blank=True, null=True, verbose_name=_("source port"), sport = models.IntegerField(
blank=True, null=True, verbose_name=_("source port"),
validators=[MinValueValidator(1), MaxValueValidator(65535)], validators=[MinValueValidator(1), MaxValueValidator(65535)],
help_text=_("Source port number of packets that match.")) help_text=_("Source port number of packets that match."))
proto = models.CharField(max_length=10, choices=CHOICES_proto, proto = models.CharField(max_length=10, choices=CHOICES_proto,
blank=True, null=True, verbose_name=_("protocol"), blank=True, null=True, verbose_name=_("protocol"),
help_text=_("Protocol of packets that match.")) help_text=_("Protocol of packets that match."))
extra = models.TextField(blank=True, verbose_name=_("extra arguments"), extra = models.TextField(blank=True, verbose_name=_("extra arguments"),
help_text=_("Additional arguments passed literally to the iptables-rule.")) help_text=_("Additional arguments passed "
"literally to the iptables-rule."))
accept = models.BooleanField(default=False, verbose_name=_("accept"), accept = models.BooleanField(default=False, verbose_name=_("accept"),
help_text=_("Accept the matching packets (or deny if not checked).")) help_text=_("Accept the matching packets "
"(or deny if not checked)."))
owner = models.ForeignKey(User, blank=True, null=True, owner = models.ForeignKey(User, blank=True, null=True,
verbose_name=_("owner"), verbose_name=_("owner"),
help_text=_("The user responsible for this rule.")) help_text=_("The user responsible for "
"this rule."))
r_type = models.CharField(max_length=10, verbose_name=_("Rule type"), r_type = models.CharField(max_length=10, verbose_name=_("Rule type"),
choices=CHOICES_type, choices=CHOICES_type,
help_text=_("The type of entity the rule belongs to.")) help_text=_("The type of entity the rule "
"belongs to."))
nat = models.BooleanField(default=False, verbose_name=_("NAT"), nat = models.BooleanField(default=False, verbose_name=_("NAT"),
help_text=_("If network address translation shoud be done.")) help_text=_("If network address translation "
"shoud be done."))
nat_dport = models.IntegerField(blank=True, null=True, nat_dport = models.IntegerField(blank=True, null=True,
help_text=_("Rewrite destination port number to."), help_text=_(
"Rewrite destination port number to."),
validators=[MinValueValidator(1), validators=[MinValueValidator(1),
MaxValueValidator(65535)]) MaxValueValidator(65535)])
created_at = models.DateTimeField(auto_now_add=True, verbose_name=_("created at")) created_at = models.DateTimeField(
modified_at = models.DateTimeField(auto_now=True, verbose_name=_("modified at")) auto_now_add=True,
verbose_name=_("created at"))
modified_at = models.DateTimeField(
auto_now=True,
verbose_name=_("modified at"))
vlan = models.ForeignKey('Vlan', related_name="rules", blank=True, vlan = models.ForeignKey('Vlan', related_name="rules", blank=True,
null=True, verbose_name=_("vlan"), null=True, verbose_name=_("vlan"),
help_text=_("Vlan the rule applies to (if type is vlan).")) help_text=_("Vlan the rule applies to "
"(if type is vlan)."))
vlangroup = models.ForeignKey('VlanGroup', related_name="rules", vlangroup = models.ForeignKey('VlanGroup', related_name="rules",
blank=True, null=True, verbose_name=_("vlan group"), blank=True, null=True, verbose_name=_(
help_text=_("Group of vlans the rule applies to (if type is vlan).")) "vlan group"),
help_text=_("Group of vlans the rule "
"applies to (if type is vlan)."))
host = models.ForeignKey('Host', related_name="rules", blank=True, host = models.ForeignKey('Host', related_name="rules", blank=True,
verbose_name=_('host'), null=True, help_text=_("Host the rule applies to (if type is host).")) verbose_name=_('host'), null=True,
hostgroup = models.ForeignKey('Group', related_name="rules", verbose_name=_("host group"), help_text=_("Host the rule applies to "
blank=True, null=True, help_text=_("Group of hosts the rule applies to (if type is host).")) "(if type is host)."))
firewall = models.ForeignKey('Firewall', related_name="rules", verbose_name=_("firewall"), hostgroup = models.ForeignKey(
help_text=_("Firewall the rule applies to (if type is firewall)."), 'Group', related_name="rules", verbose_name=_("host group"),
blank=True, null=True, help_text=_("Group of hosts the rule applies "
"to (if type is host)."))
firewall = models.ForeignKey(
'Firewall', related_name="rules", verbose_name=_("firewall"),
help_text=_("Firewall the rule applies to "
"(if type is firewall)."),
blank=True, null=True) blank=True, null=True)
def __unicode__(self): def __unicode__(self):
...@@ -101,7 +127,16 @@ class Rule(models.Model): ...@@ -101,7 +127,16 @@ class Rule(models.Model):
class Meta: class Meta:
verbose_name = _("rule") verbose_name = _("rule")
verbose_name_plural = _("rules") verbose_name_plural = _("rules")
ordering = ('r_type', 'direction', 'proto', 'sport', 'dport', 'nat_dport', 'host', ) ordering = (
'r_type',
'direction',
'proto',
'sport',
'dport',
'nat_dport',
'host',
)
class Vlan(models.Model): class Vlan(models.Model):
vid = models.IntegerField(unique=True) vid = models.IntegerField(unique=True)
...@@ -136,6 +171,7 @@ class Vlan(models.Model): ...@@ -136,6 +171,7 @@ class Vlan(models.Model):
def net_ipv4(self): def net_ipv4(self):
return self.net4 + "/" + unicode(self.prefix4) return self.net4 + "/" + unicode(self.prefix4)
class VlanGroup(models.Model): class VlanGroup(models.Model):
name = models.CharField(max_length=20, unique=True) name = models.CharField(max_length=20, unique=True)
vlans = models.ManyToManyField('Vlan', symmetrical=False, blank=True, vlans = models.ManyToManyField('Vlan', symmetrical=False, blank=True,
...@@ -148,6 +184,7 @@ class VlanGroup(models.Model): ...@@ -148,6 +184,7 @@ class VlanGroup(models.Model):
def __unicode__(self): def __unicode__(self):
return self.name return self.name
class Group(models.Model): class Group(models.Model):
name = models.CharField(max_length=20, unique=True) name = models.CharField(max_length=20, unique=True)
description = models.TextField(blank=True) description = models.TextField(blank=True)
...@@ -158,6 +195,7 @@ class Group(models.Model): ...@@ -158,6 +195,7 @@ class Group(models.Model):
def __unicode__(self): def __unicode__(self):
return self.name return self.name
class Host(models.Model): class Host(models.Model):
hostname = models.CharField(max_length=40, unique=True, hostname = models.CharField(max_length=40, unique=True,
validators=[val_alfanum]) validators=[val_alfanum])
...@@ -210,7 +248,8 @@ class Host(models.Model): ...@@ -210,7 +248,8 @@ class Host(models.Model):
proto = "tcp" if proto == "tcp" else "udp" proto = "tcp" if proto == "tcp" else "udp"
if self.shared_ip: if self.shared_ip:
used_ports = Rule.objects.filter(host__pub_ipv4=self.pub_ipv4, used_ports = Rule.objects.filter(host__pub_ipv4=self.pub_ipv4,
nat=True, proto=proto).values_list('dport', flat=True) nat=True, proto=proto
).values_list('dport', flat=True)
if public is None: if public is None:
public = random.randint(1024, 21000) public = random.randint(1024, 21000)
...@@ -220,20 +259,21 @@ class Host(models.Model): ...@@ -220,20 +259,21 @@ class Host(models.Model):
public = i public = i
break break
else: else:
raise ValidationError(_("Port %s %s is already in use.") % raise ValidationError(
_("Port %s %s is already in use.") %
(proto, public)) (proto, public))
else: else:
if public < 1024: if public < 1024:
raise ValidationError(_("Only ports above 1024 can be used.")) raise ValidationError(
_("Only ports above 1024 can be used."))
if public in used_ports: if public in used_ports:
raise ValidationError(_("Port %s %s is already in use.") % raise ValidationError(_("Port %s %s is already in use.") %
(proto, public)) (proto, public))
vg = VlanGroup.objects.get(name=settings["default_vlangroup"])
rule = Rule(direction='1', owner=self.owner, dport=public, rule = Rule(direction='1', owner=self.owner, dport=public,
proto=proto, nat=True, accept=True, r_type="host", proto=proto, nat=True, accept=True, r_type="host",
nat_dport=private, host=self, foreign_network=VlanGroup. nat_dport=private, host=self, foreign_network=vg)
objects.get(name=settings["default_vlangroup"]))
else: else:
if self.rules.filter(proto=proto, dport=public): if self.rules.filter(proto=proto, dport=public):
raise ValidationError(_("Port %s %s is already in use.") % raise ValidationError(_("Port %s %s is already in use.") %
...@@ -309,6 +349,7 @@ class Firewall(models.Model): ...@@ -309,6 +349,7 @@ class Firewall(models.Model):
def __unicode__(self): def __unicode__(self):
return self.name return self.name
class Domain(models.Model): class Domain(models.Model):
name = models.CharField(max_length=40, validators=[val_domain]) name = models.CharField(max_length=40, validators=[val_domain])
owner = models.ForeignKey(User) owner = models.ForeignKey(User)
...@@ -320,6 +361,7 @@ class Domain(models.Model): ...@@ -320,6 +361,7 @@ class Domain(models.Model):
def __unicode__(self): def __unicode__(self):
return self.name return self.name
class Record(models.Model): class Record(models.Model):
CHOICES_type = (('A', 'A'), ('CNAME', 'CNAME'), ('AAAA', 'AAAA'), CHOICES_type = (('A', 'A'), ('CNAME', 'CNAME'), ('AAAA', 'AAAA'),
('MX', 'MX'), ('NS', 'NS'), ('PTR', 'PTR'), ('TXT', 'TXT')) ('MX', 'MX'), ('NS', 'NS'), ('PTR', 'PTR'), ('TXT', 'TXT'))
...@@ -354,11 +396,11 @@ class Record(models.Model): ...@@ -354,11 +396,11 @@ class Record(models.Model):
if self.host: if self.host:
if self.type in ['A', 'AAAA']: if self.type in ['A', 'AAAA']:
if self.address: if self.address:
raise ValidationError(_("Can't specify address for " raise ValidationError(_("Can't specify address for A "
"A or AAAA records if host is set!")) "or AAAA records if host is set!"))
if self.name: if self.name:
raise ValidationError(_("Can't specify name for " raise ValidationError(_("Can't specify name for A "
"A or AAAA records if host is set!")) "or AAAA records if host is set!"))
elif self.type == 'CNAME': elif self.type == 'CNAME':
if not self.name: if not self.name:
raise ValidationError(_("Name must be specified for " raise ValidationError(_("Name must be specified for "
...@@ -380,8 +422,8 @@ class Record(models.Model): ...@@ -380,8 +422,8 @@ class Record(models.Model):
mx = self.address.split(':', 1) mx = self.address.split(':', 1)
if not (len(mx) == 2 and mx[0].isdigit() and if not (len(mx) == 2 and mx[0].isdigit() and
domain_re.match(mx[1])): domain_re.match(mx[1])):
raise ValidationError(_("Bad address format. " raise ValidationError(_("Bad MX address format. "
"Should be: <priority>:<hostname>")) "Should be: <priority>:<name>"))
else: else:
raise ValidationError(_("Unknown record type.")) raise ValidationError(_("Unknown record type."))
...@@ -425,22 +467,29 @@ class Record(models.Model): ...@@ -425,22 +467,29 @@ class Record(models.Model):
'ttl': self.ttl, 'ttl': self.ttl,
'address': address} 'address': address}
class Blacklist(models.Model): class Blacklist(models.Model):
CHOICES_type = (('permban', 'permanent ban'), ('tempban', 'temporary ban'), ('whitelist', 'whitelist'), ('tempwhite', 'tempwhite')) CHOICES_type = (('permban', 'permanent ban'), ('tempban', 'temporary ban'),
('whitelist', 'whitelist'), ('tempwhite', 'tempwhite'))
ipv4 = models.GenericIPAddressField(protocol='ipv4', unique=True) ipv4 = models.GenericIPAddressField(protocol='ipv4', unique=True)
host = models.ForeignKey('Host', blank=True, null=True) host = models.ForeignKey('Host', blank=True, null=True)
reason = models.TextField(blank=True) reason = models.TextField(blank=True)
snort_message = models.TextField(blank=True) snort_message = models.TextField(blank=True)
type = models.CharField(max_length=10, choices=CHOICES_type, default='tempban') type = models.CharField(
max_length=10,
choices=CHOICES_type,
default='tempban')
created_at = models.DateTimeField(auto_now_add=True) created_at = models.DateTimeField(auto_now_add=True)
modified_at = models.DateTimeField(auto_now=True) modified_at = models.DateTimeField(auto_now=True)
def save(self, *args, **kwargs): def save(self, *args, **kwargs):
self.full_clean() self.full_clean()
super(Blacklist, self).save(*args, **kwargs) super(Blacklist, self).save(*args, **kwargs)
def __unicode__(self): def __unicode__(self):
return self.ipv4 return self.ipv4
def send_task(sender, instance, created, **kwargs): def send_task(sender, instance, created, **kwargs):
from firewall.tasks import ReloadTask from firewall.tasks import ReloadTask
ReloadTask.apply_async(args=[sender.__name__]) ReloadTask.apply_async(args=[sender.__name__])
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or sign in to comment