admin improvements, bugfixes, occi migration

firewall/admin.py

@@ -4,14 +4,18 @@ from firewall.models import *
 
 class HostAdmin(admin.ModelAdmin):
     list_display = ('hostname', 'vlan', 'ipv4', 'ipv6', 'mac', 'owner', 'groups_l', 'rules_l', 'description')
-    ordering = ('-hostname',)
+    ordering = ('hostname',)
+    list_filter = ('owner', 'vlan', 'groups')
+    search_fields = ('hostname', 'description', 'ipv4', 'ipv6', 'mac')
+    filter_horizontal = ('groups', 'rules',)
 
 class VlanAdmin(admin.ModelAdmin):
     list_display = ('vid', 'name', 'rules_l', 'ipv4', 'net_ipv4', 'ipv6', 'net_ipv6', 'description', 'domain', 'snat_ip', 'snat_to_l')
-    ordering = ('-vid',)
+    ordering = ('vid',)
 
 class RuleAdmin(admin.ModelAdmin):
-    list_display = ('r_type', 'desc', 'description', 'vlan_l', 'owner', 'extra', 'direction', 'action', 'nat', 'nat_dport')
+    list_display = ('r_type', 'desc', 'description', 'vlan_l', 'owner', 'extra', 'direction', 'accept', 'proto', 'sport', 'dport', 'nat', 'nat_dport')
+    list_filter = ('r_type', 'vlan', 'owner', 'direction', 'accept', 'proto', 'nat')
 
 admin.site.register(Host, HostAdmin)
 admin.site.register(Vlan, VlanAdmin)

firewall/fw.py

@@ -16,14 +16,27 @@ DNS_SERVER = "152.66.243.60"
 
 class firewall:
 	IPV6=False
-	SZABALYOK=[]
-	SZABALYOK_NAT=[]
+	SZABALYOK = None
+	SZABALYOK_NAT = []
 	vlans = None
 	dmz = None
 	pub = None
 	hosts = None
 	fw = None
 
+	def dportsport(self, rule, repl=True):
+		retval = " "
+		if(rule.proto == "tcp" or rule.proto == "udp"):
+			retval = "-p %s " % rule.proto
+			if(rule.sport):
+				retval += " --sport %s " % rule.sport 
+			if(rule.dport):
+				retval += " --dport %s " % ( rule.nat_dport if (repl and rule.nat and rule.direction) else rule.dport )
+		elif(rule.proto == "icmp"):
+			retval = "-p %s " % rule.proto
+		return retval
+	
+			
 	def iptables(self, s):
 		self.SZABALYOK.append(s)
 
@@ -36,12 +49,10 @@ class firewall:
 		else:
 			ipaddr = host.ipv4
 
-		extra = rule.extra
-		if(rule.nat and rule.direction):
-			extra = re.sub(r'--dport [0-9]+', '--dport %i' %rule.nat_dport, rule.extra)
+		dport_sport = self.dportsport(rule)
 
 		for vlan in rule.vlan.all():
-			if(rule.action):
+			if(rule.accept):
 				if((not rule.direction) and vlan.name == "PUB"):
 					action = "PUB_OUT"
 				else:
@@ -50,21 +61,25 @@ class firewall:
 				action = "LOG_DROP"
 
 			if(rule.direction): #HOSTHOZ megy
-				self.iptables("-A %s_%s -d %s %s -g %s" % (vlan, host.vlan, ipaddr, extra, action));
+				self.iptables("-A %s_%s -d %s %s %s -g %s" % (vlan, host.vlan, ipaddr, dport_sport, rule.extra, action));
 			else:
-				self.iptables("-A %s_%s -s %s %s -g %s" % (host.vlan, vlan, ipaddr, extra, action));
+				self.iptables("-A %s_%s -s %s %s %s -g %s" % (host.vlan, vlan, ipaddr, dport_sport, rule.extra, action));
 
 
 	def fw2vlan(self, rule):	
+		dport_sport = self.dportsport(rule)
+
 		for vlan in rule.vlan.all():
 			if(rule.direction): #HOSTHOZ megy
-				self.iptables("-A INPUT -i %s %s -g %s" % (vlan.interface, rule.extra, "LOG_ACC" if rule.action else "LOG_DROP"));
+				self.iptables("-A INPUT -i %s %s %s -g %s" % (vlan.interface, dport_sport, rule.extra, "LOG_ACC" if rule.accept else "LOG_DROP"));
 			else:
-				self.iptables("-A OUTPUT -o %s %s -g %s" % (vlan.interface, rule.extra, "LOG_ACC" if rule.action else "LOG_DROP"));
+				self.iptables("-A OUTPUT -o %s %s %s -g %s" % (vlan.interface, dport_sport, rule.extra, "LOG_ACC" if rule.accept else "LOG_DROP"));
 
 	def vlan2vlan(self, l_vlan, rule):
+		dport_sport = self.dportsport(rule)
+
 		for vlan in rule.vlan.all():
-			if(rule.action):
+			if(rule.accept):
 				if((not rule.direction) and vlan.name == "PUB"):
 					action = "PUB_OUT"
 				else:
@@ -73,9 +88,9 @@ class firewall:
 				action = "LOG_DROP"
 
 			if(rule.direction): #HOSTHOZ megy
-				self.iptables("-A %s_%s %s -g %s" % (vlan, l_vlan, rule.extra, action));
+				self.iptables("-A %s_%s %s %s -g %s" % (vlan, l_vlan, dport_sport, rule.extra, action));
 			else:
-				self.iptables("-A %s_%s %s -g %s" % (l_vlan, vlan, rule.extra, action));			
+				self.iptables("-A %s_%s %s %s -g %s" % (l_vlan, vlan, dport_sport, rule.extra, action));			
 
 
 	def prerun(self):
@@ -167,7 +182,9 @@ class firewall:
 		#portforward
 		for host in self.hosts.filter(pub_ipv4=None):
 			for rule in host.rules.filter(nat=True, direction=True):
-				self.iptablesnat("-A PREROUTING -d %s %s -j DNAT --to-destination %s:%s" % (host.vlan.snat_ip, rule.extra, host.ipv4, rule.nat_dport))
+				dport_sport = self.dportsport(rule, False)
+				if host.vlan.snat_ip:
+					self.iptablesnat("-A PREROUTING -d %s %s %s -j DNAT --to-destination %s:%s" % (host.vlan.snat_ip, dport_sport, rule.extra, host.ipv4, rule.nat_dport))
 
 		#sajat publikus ipvel rendelkezo gepek szabalyai
 		for host in self.hosts:
@@ -185,7 +202,7 @@ class firewall:
 		#bedrotozott szabalyok
 		self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT --to-source 10.3.255.254") #man elerheto legyen
 		self.iptablesnat("-A POSTROUTING -s 10.5.0.0/16 -o vlan0008 -j SNAT --to-source 10.0.0.247") #wolf halozat a nyomtatashoz
-		self.iptablesnat("-A POSTROUTING -s 10.3.0.0/16 -o vlan0006 -j SNAT --to-source %s" % self.pub.ipv4) #kulonben nemmegy a du
+		self.iptablesnat("-A POSTROUTING -s 10.3.0.0/16 -o vlan0002 -j SNAT --to-source %s" % self.pub.ipv4) #kulonben nemmegy a du
 
 		self.iptablesnat("COMMIT")
 
@@ -236,7 +253,7 @@ class firewall:
 
 	def __init__(self, IPV6=False):
 		self.SZABALYOK=[]
-		self.SZABALYOK=[]
+		self.SZABALYOK_NAT=[]
 		self.IPV6 = IPV6
 		self.vlans = models.Vlan.objects.all()
 		self.hosts = models.Host.objects.all()

firewall/models.py

@@ -7,15 +7,21 @@ from south.modelsinspector import add_introspection_rules
 
 class Rule(models.Model):
      CHOICES = (('host', 'host'), ('firewall', 'firewall'), ('vlan', 'vlan'))
+     CHOICES_proto = (('tcp', 'tcp'), ('udp', 'udp'), ('icmp', 'icmp'))
      direction = models.BooleanField()
      description = models.TextField(blank=True)
      vlan = models.ManyToManyField('Vlan', symmetrical=False, blank=True, null=True)
+     dport = models.IntegerField(blank=True, null=True);
+     sport = models.IntegerField(blank=True, null=True);
+     proto = models.CharField(max_length=10, choices=CHOICES_proto, blank=True, null=True)
+     nat_dport = models.IntegerField(blank=True, null=True);
      extra = models.TextField(blank=True);
-     action = models.BooleanField(default=False)
+     accept = models.BooleanField(default=False)
      owner = models.ForeignKey(User, blank=True, null=True)
      r_type = models.CharField(max_length=10, choices=CHOICES)
      nat = models.BooleanField(default=False)
      nat_dport = models.IntegerField();
+
      def __unicode__(self):
         return self.desc()
      def desc(self):
@@ -43,6 +49,7 @@ class Vlan(models.Model):
     comment = models.TextField(blank=True)
     domain = models.TextField(blank=True, validators=[val_domain])
     dhcp_pool = models.TextField(blank=True)
+
     def __unicode__(self):
         return self.name
     def net_ipv6(self):
@@ -63,6 +70,7 @@ class Vlan(models.Model):
 class Group(models.Model):
     name = models.CharField(max_length=20, unique=True)
     rules = models.ManyToManyField('Rule', symmetrical=False, blank=True, null=True)
+
     def __unicode__(self):
         return self.name
 
@@ -79,6 +87,7 @@ class Host(models.Model):
     owner = models.ForeignKey(User)
     groups = models.ManyToManyField('Group', symmetrical=False, blank=True, null=True)
     rules = models.ManyToManyField('Rule', symmetrical=False, blank=True, null=True)
+
     def __unicode__(self):
         return self.hostname
     def save(self, *args, **kwargs):
@@ -100,6 +109,7 @@ class Host(models.Model):
 class Firewall(models.Model):
     name = models.CharField(max_length=20, unique=True)
     rules = models.ManyToManyField('Rule', symmetrical=False, blank=True, null=True)
+
     def __unicode__(self):
         return self.name
 

firewall/views.py

@@ -43,31 +43,38 @@ def firewall_api(request):
 		try:
 			data=json.loads(base64.b64decode(request.POST["data"]))
 			command = request.POST["command"]
-			if(command != "create" and command != "destroy"):
-				raise Exception("bajvan")
+
 			if(command == "create"):
-#				data = {"hostname": "hello", "vlan": "dmz", "mac": "00:90:78:83:56:7f", "ip": "10.2.1.99", "description": "teszt", "portforward": [{"sport": 5353, "dport": "4949", "proto": "tcp"}]}
 				data["owner"] = "tarokkk"
 				owner = auth.models.User.objects.get(username=data["owner"])
 				host = models.Host(hostname=data["hostname"], vlan=models.Vlan.objects.get(name=data["vlan"]), mac=data["mac"], ipv4=data["ip"], owner=owner, description=data["description"])
+				host.full_clean()
 				host.save()
+
 				for p in data["portforward"]:
 					proto = "tcp" if (p["proto"] == "tcp") else "udp"
-					rule = models.Rule(direction=True, owner=owner, description="%s %s %s->%s" % (data["hostname"], proto, p["sport"], p["dport"]), extra = "-p %s --dport %s" % (proto, int(p["sport"])), nat=True, action=True, r_type="host", nat_dport=int(p["dport"]))
+					rule = models.Rule(direction=True, owner=owner, description="%s %s %s->%s" % (data["hostname"], proto, p["public_port"], p["private_port"]), dport=int(p["public_port"]), proto=p["proto"], nat=True, accept=True, r_type="host", nat_dport=int(p["private_port"]))
 					rule.save()
 					rule.vlan.add(models.Vlan.objects.get(name="PUB"))
 					host.rules.add(rule)
 
-		except (ValidationError, IntegrityError, AttributeError) as e:
+			elif(command == "destory"):
+				print ""
+
+			else:
+				raise Exception("rossz parancs")
+
+		except (ValidationError, IntegrityError, AttributeError, Exception) as e:
 			return HttpResponse(u"rosszul hasznalod! :(\n%s\n" % e);
 		except:
-			raise
+#			raise
 			return HttpResponse(u"rosszul hasznalod! :(\n");
 		
 		return HttpResponse(u"ok");
 
-	for r in models.Rule.objects.filter(r_type="host"):
-		print [r.host_set.all(), r.group_set.all()]
-		print "VEGE"
+##	for r in models.Rule.objects.filter(r_type="host"):
+##		print [r.host_set.all(), r.group_set.all()]
+##		print "VEGE"
+
 	return HttpResponse(u"ez kerlek egy api lesz!\n");
 

one/models.py

@@ -93,7 +93,7 @@ class Disk(models.Model):
     @classmethod
     def update(cls):
         import subprocess
-        proc = subprocess.Popen(["/var/lib/opennebula/bin/occi.sh",
+        proc = subprocess.Popen(["/opt/occi.sh",
         "storage", "list"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
         (out, err) = proc.communicate()
         from xml.dom.minidom import parse, parseString
@@ -127,7 +127,7 @@ class Network(models.Model):
     @classmethod
     def update(cls):
         import subprocess
-        proc = subprocess.Popen(["/var/lib/opennebula/bin/occi.sh",
+        proc = subprocess.Popen(["/opt/occi.sh",
         "network", "list"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
         (out, err) = proc.communicate()
         from xml.dom.minidom import parse, parseString
@@ -218,7 +218,7 @@ class Instance(models.Model):
 
         if not self.one_id:
             return
-        proc = subprocess.Popen(["/var/lib/opennebula/bin/occi.sh",
+        proc = subprocess.Popen(["/opt/occi.sh",
         "compute", "show",
         "%d"%self.one_id], stdout=subprocess.PIPE)
         (out, err) = proc.communicate()
@@ -298,7 +298,7 @@ class Instance(models.Model):
             f.write(tpl)
             f.close()
             import subprocess
-            proc = subprocess.Popen(["/var/lib/opennebula/bin/occi.sh",
+            proc = subprocess.Popen(["/opt/occi.sh",
                        "compute", "create",
                        f.name], stdout=subprocess.PIPE)
             (out, err) = proc.communicate()
@@ -316,7 +316,7 @@ class Instance(models.Model):
         return inst
 
     def delete(self):
-        proc = subprocess.Popen(["/var/lib/opennebula/bin/occi.sh", "compute",
+        proc = subprocess.Popen(["/opt/occi.sh", "compute",
                "delete", "%d"%self.one_id], stdout=subprocess.PIPE)
         (out, err) = proc.communicate()