Commit d936ba61 by Bach Dániel

firewall: fix ipv6 firewall

parent df2c02ff
...@@ -103,8 +103,6 @@ class BuildFirewall: ...@@ -103,8 +103,6 @@ class BuildFirewall:
def build_ipt(self): def build_ipt(self):
"""Build rules.""" """Build rules."""
# TODO remove ipv4-specific rules
self.ipt_filter_firewall() self.ipt_filter_firewall()
self.ipt_filter_host_rules() self.ipt_filter_host_rules()
self.ipt_filter_vlan_rules() self.ipt_filter_vlan_rules()
...@@ -113,10 +111,10 @@ class BuildFirewall: ...@@ -113,10 +111,10 @@ class BuildFirewall:
self.build_ipt_nat() self.build_ipt_nat()
context = { context = {
'filter': (chain for name, chain in self.chains.iteritems() 'filter': lambda: (chain for name, chain in self.chains.iteritems()
if chain.name not in ('PREROUTING', 'POSTROUTING')), if chain.name not in IptChain.nat_chains),
'nat': (chain for name, chain in self.chains.iteritems() 'nat': lambda: (chain for name, chain in self.chains.iteritems()
if chain.name in ('PREROUTING', 'POSTROUTING'))} if chain.name in IptChain.nat_chains)}
template = loader.get_template('firewall/iptables.conf') template = loader.get_template('firewall/iptables.conf')
context['proto'] = 'ipv4' context['proto'] = 'ipv4'
......
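Review bot: The `filter` and `nat` context entries are now zero-argument lambdas, and nothing in the hunk says why; the next reader will be tempted to unwrap them back into plain generators. Presumably the template is rendered once per protocol (`context['proto'] = 'ipv4'` is set right after, and the rest of build_ipt is outside the hunk) and a generator would be exhausted after the first pass, whereas a callable is re-evaluated on each resolve; a comment on the `context = {` line would pin that down: `# callables, not generators: each render (ipv4, ipv6) must iterate the chains from the start`. The loop variable `name` is unused in both comprehensions, so `for chain in self.chains.itervalues()` reads more directly than `for name, chain in self.chains.iteritems()`.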
...@@ -15,7 +15,8 @@ class InvalidRuleExcepion(Exception): ...@@ -15,7 +15,8 @@ class InvalidRuleExcepion(Exception):
class IptRule(object): class IptRule(object):
def __init__(self, priority=1000, action=None, src=None, dst=None, def __init__(self, priority=1000, action=None, src=None, dst=None,
proto=None, sport=None, dport=None, extra=None): proto=None, sport=None, dport=None, extra=None,
ipv4_only=False):
if proto not in ['tcp', 'udp', 'icmp', None]: if proto not in ['tcp', 'udp', 'icmp', None]:
raise InvalidRuleExcepion() raise InvalidRuleExcepion()
if proto not in ['tcp', 'udp'] and (sport is not None or if proto not in ['tcp', 'udp'] and (sport is not None or
...@@ -28,16 +29,21 @@ class IptRule(object): ...@@ -28,16 +29,21 @@ class IptRule(object):
(self.src4, self.src6) = (None, None) (self.src4, self.src6) = (None, None)
if isinstance(src, tuple): if isinstance(src, tuple):
(self.src4, self.src6) = src (self.src4, self.src6) = src
if not self.src6:
ipv4_only = True
(self.dst4, self.dst6) = (None, None) (self.dst4, self.dst6) = (None, None)
if isinstance(dst, tuple): if isinstance(dst, tuple):
(self.dst4, self.dst6) = dst (self.dst4, self.dst6) = dst
if not self.dst6:
ipv4_only = True
self.proto = proto self.proto = proto
self.sport = sport self.sport = sport
self.dport = dport self.dport = dport
self.extra = extra self.extra = extra
self.ipv4_only = extra and bool(ipv4_re.search(extra)) self.ipv4_only = (ipv4_only or
extra is not None and bool(ipv4_re.search(extra)))
def __hash__(self): def __hash__(self):
return hash(frozenset(self.__dict__.items())) return hash(frozenset(self.__dict__.items()))
...@@ -69,8 +75,8 @@ class IptRule(object): ...@@ -69,8 +75,8 @@ class IptRule(object):
class IptChain(object): class IptChain(object):
builtin_chains = ('FORWARD', 'INPUT', 'OUTPUT', 'PREROUTING', nat_chains = ('PREROUTING', 'POSTROUTING')
'POSTROUTING') builtin_chains = ('FORWARD', 'INPUT', 'OUTPUT') + nat_chains
def __init__(self, name): def __init__(self, name):
self.rules = set() self.rules = set()
...@@ -98,3 +104,6 @@ class IptChain(object): ...@@ -98,3 +104,6 @@ class IptChain(object):
return '\n'.join([prefix + rule.compile(proto) return '\n'.join([prefix + rule.compile(proto)
for rule in self.sort() for rule in self.sort()
if not (proto == 'ipv6' and rule.ipv4_only)]) if not (proto == 'ipv6' and rule.ipv4_only)])
def compile_v6(self):
return self.compile('ipv6')
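Review bot: The derived `ipv4_only` flag means `compile('ipv6')` silently omits every rule whose `src` or `dst` tuple has no IPv6 half, and the code does not say what that implies for the ip6tables ruleset; for a restrictive rule (DROP/REJECT) the traffic it covered is then governed only by the ipv6 chain's default policy, which is not visible on this page. A comment on the `self.ipv4_only = (ipv4_only or` line would make the consequence explicit: `# No IPv6 endpoint address, or an IPv4-specific match in extra: compile('ipv6') drops this rule, so the ipv6 chain's default policy covers that traffic.` `compile_v6` would also benefit from a one-line docstring stating why it exists, presumably because the template cannot pass `'ipv6'` to `compile`, e.g. `"""ip6tables rendering; wraps compile('ipv6') for callers that cannot pass arguments."""`. The `__init__` hunk starts with the signature but the method's first lines (the `proto` checks) continue between the two hunks.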
...@@ -26,7 +26,7 @@ def _apply_once(name, queues, task, data): ...@@ -26,7 +26,7 @@ def _apply_once(name, queues, task, data):
@celery.task(ignore_result=True) @celery.task(ignore_result=True)
def periodic_task(): def periodic_task():
from firewall.fw import Firewall, dhcp, dns, ipset, vlan from firewall.fw import BuildFirewall, dhcp, dns, ipset, vlan
from remote_tasks import (reload_dns, reload_dhcp, reload_firewall, from remote_tasks import (reload_dns, reload_dhcp, reload_firewall,
reload_firewall_vlan, reload_blacklist) reload_firewall_vlan, reload_blacklist)
...@@ -40,7 +40,7 @@ def periodic_task(): ...@@ -40,7 +40,7 @@ def periodic_task():
_apply_once('dhcp', firewall_queues, reload_dhcp, _apply_once('dhcp', firewall_queues, reload_dhcp,
lambda: (dhcp(), )) lambda: (dhcp(), ))
_apply_once('firewall', firewall_queues, reload_firewall, _apply_once('firewall', firewall_queues, reload_firewall,
lambda: (Firewall(proto=4).get(), Firewall(proto=6).get())) lambda: (BuildFirewall().build_ipt()))
_apply_once('firewall_vlan', firewall_queues, reload_firewall_vlan, _apply_once('firewall_vlan', firewall_queues, reload_firewall_vlan,
lambda: (vlan(), )) lambda: (vlan(), ))
_apply_once('blacklist', firewall_queues, reload_blacklist, _apply_once('blacklist', firewall_queues, reload_blacklist,
......
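Review bot: `lambda: (BuildFirewall().build_ipt())` is not a one-tuple, unlike the sibling `lambda: (dhcp(), )` and `lambda: (vlan(), )` on the surrounding lines; the parentheses only group the call, so `_apply_once` receives whatever `build_ipt()` returns. That is only right if `build_ipt()` returns the same pair the removed `(Firewall(proto=4).get(), Firewall(proto=6).get())` produced, and its return statement is outside this page's hunks, so a reader cannot tell whether a trailing comma was dropped. Either write `lambda: BuildFirewall().build_ipt()` with the comment `# build_ipt() must return the (v4, v6) pair the old lambda produced`, or `lambda: (BuildFirewall().build_ipt(), )` if reload_firewall takes the result as one argument. `_apply_once` itself is defined outside the hunk.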
{% if nat %} {% if proto == "ipv4" %}
*nat *nat
:PREROUTING ACCEPT [0:0] :PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0] :INPUT ACCEPT [0:0]
...@@ -45,7 +45,11 @@ COMMIT ...@@ -45,7 +45,11 @@ COMMIT
{% for chain in filter %} {% for chain in filter %}
{% if chain.name not in chain.builtin_chains %}-N {{ chain.name }}{% endif %} {% if chain.name not in chain.builtin_chains %}-N {{ chain.name }}{% endif %}
{% if proto == "ipv4" %}
{{ chain.compile }} {{ chain.compile }}
{% else %}
{{ chain.compile_v6 }}
{% endif %}
{% endfor %} {% endfor %}
# close all chains # close all chains
......
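Review bot: The `*nat` table is now emitted only when `proto == "ipv4"`, so nat chains are silently absent from the ip6tables output, and the template has no comment saying this is intended rather than an oversight. A one-line template comment above the first hunk's `{% if proto == "ipv4" %}` would settle it: `{# NAT is generated for iptables only; the ip6tables output has no nat section #}`. The `compile`/`compile_v6` branch inside the `{% for chain in filter %}` loop exists because the template cannot pass `proto` to `chain.compile`; a short comment there saying so would spare the next reader from trying to collapse the two branches. The closing `{% endif %}` of the first hunk's condition is outside the visible lines.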