Commit
afed5d58
authored
Dec 23, 2012
by
root
Committed by
Őry Máté
Dec 25, 2012
admin improvements, bugfixes, occi migration
parent
e6dd3a56
Showing
5 changed files
with
72 additions
and
34 deletions
+72
-34
firewall/admin.py
+7
-3
firewall/fw.py
+33
-16
firewall/models.py
+11
-1
firewall/views.py
+16
-9
one/models.py
+5
-5
firewall/admin.py
...
...
@@ -4,14 +4,18 @@ from firewall.models import *
class
HostAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'hostname'
,
'vlan'
,
'ipv4'
,
'ipv6'
,
'mac'
,
'owner'
,
'groups_l'
,
'rules_l'
,
'description'
)
ordering
=
(
'-hostname'
,)
ordering
=
(
'hostname'
,)
list_filter
=
(
'owner'
,
'vlan'
,
'groups'
)
search_fields
=
(
'hostname'
,
'description'
,
'ipv4'
,
'ipv6'
,
'mac'
)
filter_horizontal
=
(
'groups'
,
'rules'
,)
class
VlanAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'vid'
,
'name'
,
'rules_l'
,
'ipv4'
,
'net_ipv4'
,
'ipv6'
,
'net_ipv6'
,
'description'
,
'domain'
,
'snat_ip'
,
'snat_to_l'
)
ordering
=
(
'
-
vid'
,)
ordering
=
(
'vid'
,)
class
RuleAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'r_type'
,
'desc'
,
'description'
,
'vlan_l'
,
'owner'
,
'extra'
,
'direction'
,
'action'
,
'nat'
,
'nat_dport'
)
list_display
=
(
'r_type'
,
'desc'
,
'description'
,
'vlan_l'
,
'owner'
,
'extra'
,
'direction'
,
'accept'
,
'proto'
,
'sport'
,
'dport'
,
'nat'
,
'nat_dport'
)
list_filter
=
(
'r_type'
,
'vlan'
,
'owner'
,
'direction'
,
'accept'
,
'proto'
,
'nat'
)
admin
.
site
.
register
(
Host
,
HostAdmin
)
admin
.
site
.
register
(
Vlan
,
VlanAdmin
)
...
...
firewall/fw.py
...
...
@@ -16,14 +16,27 @@ DNS_SERVER = "152.66.243.60"
class
firewall
:
IPV6
=
False
SZABALYOK
=
[]
SZABALYOK_NAT
=
[]
SZABALYOK
=
None
SZABALYOK_NAT
=
[]
vlans
=
None
dmz
=
None
pub
=
None
hosts
=
None
fw
=
None
def
dportsport
(
self
,
rule
,
repl
=
True
):
retval
=
" "
if
(
rule
.
proto
==
"tcp"
or
rule
.
proto
==
"udp"
):
retval
=
"-p
%
s "
%
rule
.
proto
if
(
rule
.
sport
):
retval
+=
" --sport
%
s "
%
rule
.
sport
if
(
rule
.
dport
):
retval
+=
" --dport
%
s "
%
(
rule
.
nat_dport
if
(
repl
and
rule
.
nat
and
rule
.
direction
)
else
rule
.
dport
)
elif
(
rule
.
proto
==
"icmp"
):
retval
=
"-p
%
s "
%
rule
.
proto
return
retval
def
iptables
(
self
,
s
):
self
.
SZABALYOK
.
append
(
s
)
...
...
@@ -36,12 +49,10 @@ class firewall:
else
:
ipaddr
=
host
.
ipv4
extra
=
rule
.
extra
if
(
rule
.
nat
and
rule
.
direction
):
extra
=
re
.
sub
(
r'--dport [0-9]+'
,
'--dport
%
i'
%
rule
.
nat_dport
,
rule
.
extra
)
dport_sport
=
self
.
dportsport
(
rule
)
for
vlan
in
rule
.
vlan
.
all
():
if
(
rule
.
ac
tion
):
if
(
rule
.
ac
cept
):
if
((
not
rule
.
direction
)
and
vlan
.
name
==
"PUB"
):
action
=
"PUB_OUT"
else
:
...
...
@@ -50,21 +61,25 @@ class firewall:
action
=
"LOG_DROP"
if
(
rule
.
direction
):
#HOSTHOZ megy
self
.
iptables
(
"-A
%
s_
%
s -d
%
s
%
s
-g
%
s"
%
(
vlan
,
host
.
vlan
,
ipaddr
,
extra
,
action
));
self
.
iptables
(
"-A
%
s_
%
s -d
%
s
%
s
%
s -g
%
s"
%
(
vlan
,
host
.
vlan
,
ipaddr
,
dport_sport
,
rule
.
extra
,
action
));
else
:
self
.
iptables
(
"-A
%
s_
%
s -s
%
s
%
s
-g
%
s"
%
(
host
.
vlan
,
vlan
,
ipaddr
,
extra
,
action
));
self
.
iptables
(
"-A
%
s_
%
s -s
%
s
%
s
%
s -g
%
s"
%
(
host
.
vlan
,
vlan
,
ipaddr
,
dport_sport
,
rule
.
extra
,
action
));
def
fw2vlan
(
self
,
rule
):
dport_sport
=
self
.
dportsport
(
rule
)
for
vlan
in
rule
.
vlan
.
all
():
if
(
rule
.
direction
):
#HOSTHOZ megy
self
.
iptables
(
"-A INPUT -i
%
s
%
s
-g
%
s"
%
(
vlan
.
interface
,
rule
.
extra
,
"LOG_ACC"
if
rule
.
action
else
"LOG_DROP"
));
self
.
iptables
(
"-A INPUT -i
%
s
%
s
%
s -g
%
s"
%
(
vlan
.
interface
,
dport_sport
,
rule
.
extra
,
"LOG_ACC"
if
rule
.
accept
else
"LOG_DROP"
));
else
:
self
.
iptables
(
"-A OUTPUT -o
%
s
%
s
-g
%
s"
%
(
vlan
.
interface
,
rule
.
extra
,
"LOG_ACC"
if
rule
.
action
else
"LOG_DROP"
));
self
.
iptables
(
"-A OUTPUT -o
%
s
%
s
%
s -g
%
s"
%
(
vlan
.
interface
,
dport_sport
,
rule
.
extra
,
"LOG_ACC"
if
rule
.
accept
else
"LOG_DROP"
));
def
vlan2vlan
(
self
,
l_vlan
,
rule
):
dport_sport
=
self
.
dportsport
(
rule
)
for
vlan
in
rule
.
vlan
.
all
():
if
(
rule
.
ac
tion
):
if
(
rule
.
ac
cept
):
if
((
not
rule
.
direction
)
and
vlan
.
name
==
"PUB"
):
action
=
"PUB_OUT"
else
:
...
...
@@ -73,9 +88,9 @@ class firewall:
action
=
"LOG_DROP"
if
(
rule
.
direction
):
#HOSTHOZ megy
self
.
iptables
(
"-A
%
s_
%
s
%
s
-g
%
s"
%
(
vlan
,
l_vlan
,
rule
.
extra
,
action
));
self
.
iptables
(
"-A
%
s_
%
s
%
s
%
s -g
%
s"
%
(
vlan
,
l_vlan
,
dport_sport
,
rule
.
extra
,
action
));
else
:
self
.
iptables
(
"-A
%
s_
%
s
%
s
-g
%
s"
%
(
l_vlan
,
vlan
,
rule
.
extra
,
action
));
self
.
iptables
(
"-A
%
s_
%
s
%
s
%
s -g
%
s"
%
(
l_vlan
,
vlan
,
dport_sport
,
rule
.
extra
,
action
));
def
prerun
(
self
):
...
...
@@ -167,7 +182,9 @@ class firewall:
#portforward
for
host
in
self
.
hosts
.
filter
(
pub_ipv4
=
None
):
for
rule
in
host
.
rules
.
filter
(
nat
=
True
,
direction
=
True
):
self
.
iptablesnat
(
"-A PREROUTING -d
%
s
%
s -j DNAT --to-destination
%
s:
%
s"
%
(
host
.
vlan
.
snat_ip
,
rule
.
extra
,
host
.
ipv4
,
rule
.
nat_dport
))
dport_sport
=
self
.
dportsport
(
rule
,
False
)
if
host
.
vlan
.
snat_ip
:
self
.
iptablesnat
(
"-A PREROUTING -d
%
s
%
s
%
s -j DNAT --to-destination
%
s:
%
s"
%
(
host
.
vlan
.
snat_ip
,
dport_sport
,
rule
.
extra
,
host
.
ipv4
,
rule
.
nat_dport
))
#sajat publikus ipvel rendelkezo gepek szabalyai
for
host
in
self
.
hosts
:
...
...
@@ -185,7 +202,7 @@ class firewall:
#bedrotozott szabalyok
self
.
iptablesnat
(
"-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT --to-source 10.3.255.254"
)
#man elerheto legyen
self
.
iptablesnat
(
"-A POSTROUTING -s 10.5.0.0/16 -o vlan0008 -j SNAT --to-source 10.0.0.247"
)
#wolf halozat a nyomtatashoz
self
.
iptablesnat
(
"-A POSTROUTING -s 10.3.0.0/16 -o vlan000
6
-j SNAT --to-source
%
s"
%
self
.
pub
.
ipv4
)
#kulonben nemmegy a du
self
.
iptablesnat
(
"-A POSTROUTING -s 10.3.0.0/16 -o vlan000
2
-j SNAT --to-source
%
s"
%
self
.
pub
.
ipv4
)
#kulonben nemmegy a du
self
.
iptablesnat
(
"COMMIT"
)
...
...
@@ -236,7 +253,7 @@ class firewall:
def
__init__
(
self
,
IPV6
=
False
):
self
.
SZABALYOK
=
[]
self
.
SZABALYOK
=
[]
self
.
SZABALYOK
_NAT
=
[]
self
.
IPV6
=
IPV6
self
.
vlans
=
models
.
Vlan
.
objects
.
all
()
self
.
hosts
=
models
.
Host
.
objects
.
all
()
...
...
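Review bot: `dportsport` emits `--sport`/`--dport` only inside the `tcp`/`udp` branch and otherwise returns `" "`, and `proto` is declared `blank=True, null=True` in the models.py hunk, so a Rule saved with ports but no protocol silently turns into a port-less match that admits every protocol to the host instead of one port; the method should refuse that combination rather than fail open, e.g. `if (rule.sport or rule.dport) and rule.proto not in ("tcp", "udp"): raise ValueError("sport/dport set without tcp/udp proto")`, and `fw2vlan`, `vlan2vlan` and the host loop that formats `dport_sport` inherit the same gap. `rule.extra` is still spliced verbatim into every generated `-A` line from a free-text `TextField(blank=True)`, so moving the port handling into `dportsport` does not yet remove the need to validate that field before rules are rendered. If the class-level `SZABALYOK_NAT = []` is on the new side it is now inconsistent with `SZABALYOK = None`, and since `__init__` assigns both per instance the shared class-level list is dead and should be `None` as well. The function containing the `ipaddr = host.ipv4` branch starts before its hunk and `prerun` continues past its hunk, so their remaining call sites could not be checked here.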
firewall/models.py
...
...
@@ -7,15 +7,21 @@ from south.modelsinspector import add_introspection_rules
class
Rule
(
models
.
Model
):
CHOICES
=
((
'host'
,
'host'
),
(
'firewall'
,
'firewall'
),
(
'vlan'
,
'vlan'
))
CHOICES_proto
=
((
'tcp'
,
'tcp'
),
(
'udp'
,
'udp'
),
(
'icmp'
,
'icmp'
))
direction
=
models
.
BooleanField
()
description
=
models
.
TextField
(
blank
=
True
)
vlan
=
models
.
ManyToManyField
(
'Vlan'
,
symmetrical
=
False
,
blank
=
True
,
null
=
True
)
dport
=
models
.
IntegerField
(
blank
=
True
,
null
=
True
);
sport
=
models
.
IntegerField
(
blank
=
True
,
null
=
True
);
proto
=
models
.
CharField
(
max_length
=
10
,
choices
=
CHOICES_proto
,
blank
=
True
,
null
=
True
)
nat_dport
=
models
.
IntegerField
(
blank
=
True
,
null
=
True
);
extra
=
models
.
TextField
(
blank
=
True
);
ac
tion
=
models
.
BooleanField
(
default
=
False
)
ac
cept
=
models
.
BooleanField
(
default
=
False
)
owner
=
models
.
ForeignKey
(
User
,
blank
=
True
,
null
=
True
)
r_type
=
models
.
CharField
(
max_length
=
10
,
choices
=
CHOICES
)
nat
=
models
.
BooleanField
(
default
=
False
)
nat_dport
=
models
.
IntegerField
();
def
__unicode__
(
self
):
return
self
.
desc
()
def
desc
(
self
):
...
...
@@ -43,6 +49,7 @@ class Vlan(models.Model):
comment
=
models
.
TextField
(
blank
=
True
)
domain
=
models
.
TextField
(
blank
=
True
,
validators
=
[
val_domain
])
dhcp_pool
=
models
.
TextField
(
blank
=
True
)
def
__unicode__
(
self
):
return
self
.
name
def
net_ipv6
(
self
):
...
...
@@ -63,6 +70,7 @@ class Vlan(models.Model):
class
Group
(
models
.
Model
):
name
=
models
.
CharField
(
max_length
=
20
,
unique
=
True
)
rules
=
models
.
ManyToManyField
(
'Rule'
,
symmetrical
=
False
,
blank
=
True
,
null
=
True
)
def
__unicode__
(
self
):
return
self
.
name
...
...
@@ -79,6 +87,7 @@ class Host(models.Model):
owner
=
models
.
ForeignKey
(
User
)
groups
=
models
.
ManyToManyField
(
'Group'
,
symmetrical
=
False
,
blank
=
True
,
null
=
True
)
rules
=
models
.
ManyToManyField
(
'Rule'
,
symmetrical
=
False
,
blank
=
True
,
null
=
True
)
def
__unicode__
(
self
):
return
self
.
hostname
def
save
(
self
,
*
args
,
**
kwargs
):
...
...
@@ -100,6 +109,7 @@ class Host(models.Model):
class
Firewall
(
models
.
Model
):
name
=
models
.
CharField
(
max_length
=
20
,
unique
=
True
)
rules
=
models
.
ManyToManyField
(
'Rule'
,
symmetrical
=
False
,
blank
=
True
,
null
=
True
)
def
__unicode__
(
self
):
return
self
.
name
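Review bot: The new `dport`, `sport` and `nat_dport` fields on Rule are plain `IntegerField`s with no range validator, so a negative or >65535 value passes `full_clean()` and is formatted straight into an iptables `--dport %s` argument in fw.py; add `validators=[MinValueValidator(1), MaxValueValidator(65535)]` from `django.core.validators`, the same pattern this file already uses with `val_domain` on Vlan. `null=True` on the `ManyToManyField`s in this file (`vlan` on Rule, `rules` on Group, Host and Firewall) has no effect for many-to-many relations, and `symmetrical=False` only applies to self-referential ones; `blank=True` alone is what lets the admin accept an empty selection. The trailing `;` after the new field definitions is not Python style and should be dropped. Rule's `desc` and the Vlan and Host bodies continue outside the shown hunks.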
firewall/views.py
...
...
@@ -43,31 +43,38 @@ def firewall_api(request):
try
:
data
=
json
.
loads
(
base64
.
b64decode
(
request
.
POST
[
"data"
]))
command
=
request
.
POST
[
"command"
]
if
(
command
!=
"create"
and
command
!=
"destroy"
):
raise
Exception
(
"bajvan"
)
if
(
command
==
"create"
):
# data = {"hostname": "hello", "vlan": "dmz", "mac": "00:90:78:83:56:7f", "ip": "10.2.1.99", "description": "teszt", "portforward": [{"sport": 5353, "dport": "4949", "proto": "tcp"}]}
data
[
"owner"
]
=
"tarokkk"
owner
=
auth
.
models
.
User
.
objects
.
get
(
username
=
data
[
"owner"
])
host
=
models
.
Host
(
hostname
=
data
[
"hostname"
],
vlan
=
models
.
Vlan
.
objects
.
get
(
name
=
data
[
"vlan"
]),
mac
=
data
[
"mac"
],
ipv4
=
data
[
"ip"
],
owner
=
owner
,
description
=
data
[
"description"
])
host
.
full_clean
()
host
.
save
()
for
p
in
data
[
"portforward"
]:
proto
=
"tcp"
if
(
p
[
"proto"
]
==
"tcp"
)
else
"udp"
rule
=
models
.
Rule
(
direction
=
True
,
owner
=
owner
,
description
=
"
%
s
%
s
%
s->
%
s"
%
(
data
[
"hostname"
],
proto
,
p
[
"
sport"
],
p
[
"dport"
]),
extra
=
"-p
%
s --dport
%
s"
%
(
proto
,
int
(
p
[
"sport"
])),
nat
=
True
,
action
=
True
,
r_type
=
"host"
,
nat_dport
=
int
(
p
[
"d
port"
]))
rule
=
models
.
Rule
(
direction
=
True
,
owner
=
owner
,
description
=
"
%
s
%
s
%
s->
%
s"
%
(
data
[
"hostname"
],
proto
,
p
[
"
public_port"
],
p
[
"private_port"
]),
dport
=
int
(
p
[
"public_port"
]),
proto
=
p
[
"proto"
],
nat
=
True
,
accept
=
True
,
r_type
=
"host"
,
nat_dport
=
int
(
p
[
"private_
port"
]))
rule
.
save
()
rule
.
vlan
.
add
(
models
.
Vlan
.
objects
.
get
(
name
=
"PUB"
))
host
.
rules
.
add
(
rule
)
except
(
ValidationError
,
IntegrityError
,
AttributeError
)
as
e
:
elif
(
command
==
"destory"
):
print
""
else
:
raise
Exception
(
"rossz parancs"
)
except
(
ValidationError
,
IntegrityError
,
AttributeError
,
Exception
)
as
e
:
return
HttpResponse
(
u"rosszul hasznalod! :(
\n
%
s
\n
"
%
e
);
except
:
raise
#
raise
return
HttpResponse
(
u"rosszul hasznalod! :(
\n
"
);
return
HttpResponse
(
u"ok"
);
for
r
in
models
.
Rule
.
objects
.
filter
(
r_type
=
"host"
):
print
[
r
.
host_set
.
all
(),
r
.
group_set
.
all
()]
print
"VEGE"
## for r in models.Rule.objects.filter(r_type="host"):
## print [r.host_set.all(), r.group_set.all()]
## print "VEGE"
return
HttpResponse
(
u"ez kerlek egy api lesz!
\n
"
);
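Review bot: The new `elif (command == "destory"):` branch misspells the command, so a client sending `destroy` falls through to `raise Exception("rossz parancs")` and the branch can never execute; it should read `elif (command == "destroy"):`. In the new `models.Rule(...)` call, `proto=p["proto"]` stores the raw request value even though the line just above already normalises it into the local `proto`, and `rule.save()` runs without `rule.full_clean()`, so `CHOICES_proto` is never enforced before the value reaches the `-p %s` format in fw.py; use `proto=proto` and call `rule.full_clean()` as is done for `host`. The new `except (ValidationError, IntegrityError, AttributeError, Exception) as e:` handler returns `"%s" % e` in the HTTP body, which exposes internal error text (missing-key names, database integrity messages, `DoesNotExist` details) to the caller; log `e` server-side and return a fixed message instead. `firewall_api` begins before this hunk, so the request-method and authentication checks around it could not be reviewed here.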
one/models.py
...
...
@@ -93,7 +93,7 @@ class Disk(models.Model):
@classmethod
def
update
(
cls
):
import
subprocess
proc
=
subprocess
.
Popen
([
"/
var/lib/opennebula/bin
/occi.sh"
,
proc
=
subprocess
.
Popen
([
"/
opt
/occi.sh"
,
"storage"
,
"list"
],
stdout
=
subprocess
.
PIPE
,
stderr
=
subprocess
.
PIPE
)
(
out
,
err
)
=
proc
.
communicate
()
from
xml.dom.minidom
import
parse
,
parseString
...
...
@@ -127,7 +127,7 @@ class Network(models.Model):
@classmethod
def
update
(
cls
):
import
subprocess
proc
=
subprocess
.
Popen
([
"/
var/lib/opennebula/bin
/occi.sh"
,
proc
=
subprocess
.
Popen
([
"/
opt
/occi.sh"
,
"network"
,
"list"
],
stdout
=
subprocess
.
PIPE
,
stderr
=
subprocess
.
PIPE
)
(
out
,
err
)
=
proc
.
communicate
()
from
xml.dom.minidom
import
parse
,
parseString
...
...
@@ -218,7 +218,7 @@ class Instance(models.Model):
if
not
self
.
one_id
:
return
proc
=
subprocess
.
Popen
([
"/
var/lib/opennebula/bin
/occi.sh"
,
proc
=
subprocess
.
Popen
([
"/
opt
/occi.sh"
,
"compute"
,
"show"
,
"
%
d"
%
self
.
one_id
],
stdout
=
subprocess
.
PIPE
)
(
out
,
err
)
=
proc
.
communicate
()
...
...
@@ -298,7 +298,7 @@ class Instance(models.Model):
f
.
write
(
tpl
)
f
.
close
()
import
subprocess
proc
=
subprocess
.
Popen
([
"/
var/lib/opennebula/bin
/occi.sh"
,
proc
=
subprocess
.
Popen
([
"/
opt
/occi.sh"
,
"compute"
,
"create"
,
f
.
name
],
stdout
=
subprocess
.
PIPE
)
(
out
,
err
)
=
proc
.
communicate
()
...
...
@@ -316,7 +316,7 @@ class Instance(models.Model):
return
inst
def
delete
(
self
):
proc
=
subprocess
.
Popen
([
"/
var/lib/opennebula/bin
/occi.sh"
,
"compute"
,
proc
=
subprocess
.
Popen
([
"/
opt
/occi.sh"
,
"compute"
,
"delete"
,
"
%
d"
%
self
.
one_id
],
stdout
=
subprocess
.
PIPE
)
(
out
,
err
)
=
proc
.
communicate
()
...
...
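Review bot: The script path `/opt/occi.sh` is now hard-coded in five separate `subprocess.Popen` calls (`Disk.update`, `Network.update` and the three `Instance` call sites), so the next relocation is again a five-place edit; define it once, e.g. `OCCI_BIN = "/opt/occi.sh"` at module level or a value read from Django settings, and pass `[OCCI_BIN, "compute", "show", "%d" % self.one_id]`. None of these call sites inspects `proc.returncode` after `proc.communicate()`, so a missing or failing script yields empty `out` that the XML parsing that follows treats as an empty result rather than an error; check `proc.returncode` and raise or log before parsing. The `compute` calls pass only `stdout=subprocess.PIPE`, so any diagnostic the script writes to stderr is lost to the worker's console instead of being captured as the `storage` and `network` calls do. Each of these methods continues outside its hunk.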