firewall: redesign model

firewall/admin.py

@@ -8,38 +8,72 @@ from django import contrib
 class AliasInline(contrib.admin.TabularInline):
     model = Alias
 
+class RuleInline(contrib.admin.TabularInline):
+    model = Rule
+
 class HostAdmin(admin.ModelAdmin):
-    list_display = ('hostname', 'vlan', 'ipv4', 'ipv6', 'pub_ipv4', 'mac', 'shared_ip', 'owner', 'groups_l', 'rules_l', 'description', 'reverse')
+    list_display = ('hostname', 'vlan', 'ipv4', 'ipv6', 'pub_ipv4', 'mac', 'shared_ip', 'owner', 'description', 'reverse')
     ordering = ('hostname', )
     list_filter = ('owner', 'vlan', 'groups')
     search_fields = ('hostname', 'description', 'ipv4', 'ipv6', 'mac')
-    filter_horizontal = ('groups', 'rules', )
-    inlines = (AliasInline, )
+    filter_horizontal = ('groups', )
+    inlines = (AliasInline, RuleInline)
 
 class HostInline(contrib.admin.TabularInline):
     model = Host
     fields = ('hostname', 'ipv4', 'ipv6', 'pub_ipv4', 'mac', 'shared_ip', 'owner', 'reverse')
 
 class VlanAdmin(admin.ModelAdmin):
-    list_display = ('vid', 'name', 'rules_l', 'ipv4', 'net_ipv4', 'ipv6', 'net_ipv6', 'description', 'domain', 'snat_ip', 'snat_to_l')
+    list_display = ('vid', 'name', 'ipv4', 'net_ipv4', 'ipv6', 'net_ipv6', 'description', 'domain', 'snat_ip', )
     ordering = ('vid', )
-    inlines = (HostInline, )
+    inlines = (HostInline, RuleInline)
 
 class RuleAdmin(admin.ModelAdmin):
-    list_display = ('r_type', 'color_desc', 'description', 'vlan_l', 'owner', 'extra', 'direction', 'accept', 'proto', 'sport', 'dport', 'nat', 'nat_dport')
+    list_display = ('r_type', 'color_desc', 'owner', 'extra', 'direction', 'accept', 'proto', 'sport', 'dport', 'nat', 'nat_dport', 'used_in')
     list_filter = ('r_type', 'vlan', 'owner', 'direction', 'accept', 'proto', 'nat')
 
+    def color_desc(self, instance):
+        para = '</span>'
+        if(instance.dport):
+            para = "dport=%s %s" % (instance.dport, para)
+        if(instance.sport):
+            para = "sport=%s %s" % (instance.sport, para)
+        if(instance.proto):
+            para = "proto=%s %s" % (instance.proto, para)
+        para= u'<span style="color: #00FF00;">' + para
+        return u'<span style="color: #FF0000;">[' + instance.r_type + u']</span> ' + (instance.foreign_network.name + u'<span style="color: #0000FF;"> ▸ </span>' + instance.r_type if instance.direction=='1' else instance.r_type + u'<span style="color: #0000FF;"> ▸ </span>' + instance.foreign_network.name) + ' ' + para + ' ' + instance.description
+    color_desc.allow_tags = True
+
+    def vlan_l(self, instance):
+        retval = []
+        for vl in instance.foreign_network.vlans.all():
+            retval.append(vl.name)
+        return u', '.join(retval)
+
+    def used_in(self, instance):
+        for field in [instance.vlan, instance.vlangroup, instance.host, instance.hostgroup, instance.firewall]:
+            if field is not None:
+                return unicode(field) + ' ' + field._meta.object_name
+
+
 class AliasAdmin(admin.ModelAdmin):
     list_display = ('alias', 'host')
 
 class SettingAdmin(admin.ModelAdmin):
-    list_display = ('key', 'value')
+    list_display = ('key', 'value', 'description')
+
+class GroupAdmin(admin.ModelAdmin):
+    list_display = ('name', 'owner', 'description')
+    inlines = (RuleInline, )
 
+class FirewallAdmin(admin.ModelAdmin):
+    inlines = (RuleInline, )
 
 admin.site.register(Host, HostAdmin)
 admin.site.register(Vlan, VlanAdmin)
 admin.site.register(Rule, RuleAdmin)
 admin.site.register(Alias, AliasAdmin)
 admin.site.register(Setting, SettingAdmin)
-admin.site.register(Group)
-admin.site.register(Firewall)
+admin.site.register(Group, GroupAdmin)
+admin.site.register(VlanGroup)
+admin.site.register(Firewall, FirewallAdmin)

firewall/fw.py

@@ -38,6 +38,9 @@ class firewall:
         self.SZABALYOK_NAT.append(s)
 
     def host2vlan(self, host, rule):
+        if rule.foreign_network is None:
+            return
+
         if(self.IPV6 and host.ipv6):
             ipaddr = host.ipv6 + "/112"
         else:
@@ -45,7 +48,7 @@ class firewall:
 
         dport_sport = self.dportsport(rule)
 
-        for vlan in rule.vlan.all():
+        for vlan in rule.foreign_network.vlans.all():
             if(rule.accept):
                 if(rule.direction == '0' and vlan.name == "PUB"):
                     if(rule.dport == 25):
@@ -64,18 +67,24 @@ class firewall:
 
 
     def fw2vlan(self, rule):
+        if rule.foreign_network is None:
+            return
+
         dport_sport = self.dportsport(rule)
 
-        for vlan in rule.vlan.all():
+        for vlan in rule.foreign_network.vlans.all():
             if(rule.direction == '1'): # HOSTHOZ megy
                 self.iptables("-A INPUT -i %s %s %s -g %s" % (vlan.interface, dport_sport, rule.extra, "LOG_ACC" if rule.accept else "LOG_DROP"))
             else:
                 self.iptables("-A OUTPUT -o %s %s %s -g %s" % (vlan.interface, dport_sport, rule.extra, "LOG_ACC" if rule.accept else "LOG_DROP"))
 
     def vlan2vlan(self, l_vlan, rule):
+        if rule.foreign_network is None:
+            return
+
         dport_sport = self.dportsport(rule)
 
-        for vlan in rule.vlan.all():
+        for vlan in rule.foreign_network.vlans.all():
             if(rule.accept):
                 if((rule.direction == '0') and vlan.name == "PUB"):
                     action = "PUB_OUT"

firewall/models.py

@@ -23,7 +23,7 @@ class Rule(models.Model):
 
     direction = models.CharField(max_length=1, choices=CHOICES_dir, blank=False)
     description = models.TextField(blank=True)
-    vlan = models.ManyToManyField('Vlan', symmetrical=False, blank=True, null=True)
+    foreign_network = models.ForeignKey('VlanGroup', related_name="ForeignRules")
     dport = models.IntegerField(blank=True, null=True, validators=[MinValueValidator(1), MaxValueValidator(65535)])
     sport = models.IntegerField(blank=True, null=True, validators=[MinValueValidator(1), MaxValueValidator(65535)])
     proto = models.CharField(max_length=10, choices=CHOICES_proto, blank=True, null=True)
@@ -36,20 +36,22 @@ class Rule(models.Model):
     created_at = models.DateTimeField(auto_now_add=True)
     modified_at = models.DateTimeField(auto_now=True)
 
+    vlan = models.ForeignKey('Vlan', related_name="rules", blank=True, null=True)
+    vlangroup = models.ForeignKey('VlanGroup', related_name="rules", blank=True, null=True)
+    host = models.ForeignKey('Host', related_name="rules", blank=True, null=True)
+    hostgroup = models.ForeignKey('Group', related_name="rules", blank=True, null=True)
+    firewall = models.ForeignKey('Firewall', related_name="rules", blank=True, null=True)
+
     def __unicode__(self):
         return self.desc()
 
-    def color_desc(self):
-        para = '</span>'
-        if(self.dport):
-            para = "dport=%s %s" % (self.dport, para)
-        if(self.sport):
-            para = "sport=%s %s" % (self.sport, para)
-        if(self.proto):
-            para = "proto=%s %s" % (self.proto, para)
-        para= u'<span style="color: #00FF00;">' + para
-        return u'<span style="color: #FF0000;">[' + self.r_type + u']</span> ' + (self.vlan_l() + u'<span style="color: #0000FF;"> ▸ </span>' + self.r_type if self.direction=='1' else self.r_type + u'<span style="color: #0000FF;"> ▸ </span>' + self.vlan_l()) + ' ' + para + ' ' +self.description
-    color_desc.allow_tags = True
+    def clean(self):
+        count = 0
+        for field in [self.vlan, self.vlangroup, self.host, self.hostgroup, self.firewall]:
+             if field is None:
+                 count = count + 1
+        if count != 4:
+            raise ValidationError('jaj')
 
     def desc(self):
         para = u""
@@ -59,12 +61,7 @@ class Rule(models.Model):
             para = "sport=%s %s" % (self.sport, para)
         if(self.proto):
             para = "proto=%s %s" % (self.proto, para)
-        return u'[' + self.r_type + u'] ' + (self.vlan_l() + u' ▸ ' + self.r_type if self.direction=='1' else self.r_type + u' ▸ ' + self.vlan_l()) + u' ' + para + u' ' +self.description
-    def vlan_l(self):
-        retval = []
-        for vl in self.vlan.all():
-            retval.append(vl.name)
-        return u', '.join(retval)
+        return u'[' + self.r_type + u'] ' + (unicode(self.foreign_network) + u' ▸ ' + self.r_type if self.direction=='1' else self.r_type + u' ▸ ' + unicode(self.foreign_network)) + u' ' + para + u' ' +self.description
 
 class Vlan(models.Model):
     vid = models.IntegerField(unique=True)
@@ -78,7 +75,6 @@ class Vlan(models.Model):
     ipv6 = models.GenericIPAddressField(protocol='ipv6', unique=True)
     snat_ip = models.GenericIPAddressField(protocol='ipv4', blank=True, null=True)
     snat_to = models.ManyToManyField('self', symmetrical=False, blank=True, null=True)
-    rules = models.ManyToManyField('Rule', related_name="%(app_label)s_%(class)s_related", symmetrical=False, blank=True, null=True)
     description = models.TextField(blank=True)
     comment = models.TextField(blank=True)
     domain = models.TextField(blank=True, validators=[val_domain])
@@ -95,20 +91,22 @@ class Vlan(models.Model):
 
     def net_ipv4(self):
         return self.net4 + "/" + unicode(self.prefix4)
-    def rules_l(self):
-        retval = []
-        for rl in self.rules.all():
-            retval.append(unicode(rl))
-        return ', '.join(retval)
-    def snat_to_l(self):
-        retval = []
-        for rl in self.snat_to.all():
-            retval.append(unicode(rl))
-        return ', '.join(retval)
+
+class VlanGroup(models.Model):
+    name = models.CharField(max_length=20, unique=True)
+    vlans = models.ManyToManyField('Vlan', symmetrical=False, blank=True, null=True)
+    description = models.TextField(blank=True)
+    owner = models.ForeignKey(User, blank=True, null=True)
+    created_at = models.DateTimeField(auto_now_add=True)
+    modified_at = models.DateTimeField(auto_now=True)
+
+    def __unicode__(self):
+        return self.name
 
 class Group(models.Model):
     name = models.CharField(max_length=20, unique=True)
-    rules = models.ManyToManyField('Rule', symmetrical=False, blank=True, null=True)
+    description = models.TextField(blank=True)
+    owner = models.ForeignKey(User, blank=True, null=True)
     created_at = models.DateTimeField(auto_now_add=True)
     modified_at = models.DateTimeField(auto_now=True)
 
@@ -139,7 +137,6 @@ class Host(models.Model):
     vlan = models.ForeignKey('Vlan')
     owner = models.ForeignKey(User)
     groups = models.ManyToManyField('Group', symmetrical=False, blank=True, null=True)
-    rules = models.ManyToManyField('Rule', symmetrical=False, blank=True, null=True)
     created_at = models.DateTimeField(auto_now_add=True)
     modified_at = models.DateTimeField(auto_now=True)
 
@@ -153,18 +150,9 @@ class Host(models.Model):
             raise ValidationError("Ha a shared_ip be van pipalva, akkor egyedinek kell lennie a pub_ipv4-nek!")
         if Host.objects.exclude(id=self.id).filter(pub_ipv4=self.ipv4):
             raise ValidationError("Egy masik host natolt cimet nem hasznalhatod sajat ipv4-nek")
+        self.full_clean()
         super(Host, self).save(*args, **kwargs)
-    def groups_l(self):
-        retval = []
-        for grp in self.groups.all():
-            retval.append(grp.name)
-        return ', '.join(retval)
-    def rules_l(self):
-        retval = []
-        for rl in self.rules.all():
-            retval.append(unicode(rl.color_desc()))
-        return '<br>'.join(retval)
-    rules_l.allow_tags = True
+
     def enable_net(self):
         self.groups.add(Group.objects.get(name="netezhet"))
 
@@ -175,17 +163,9 @@ class Host(models.Model):
         for host in Host.objects.filter(pub_ipv4=self.pub_ipv4):
             if host.rules.filter(nat=True, proto=proto, dport=public):
                 raise ValidationError("A %s %s port mar hasznalva" % (proto, public))
-        rule = Rule(direction='1', owner=self.owner, description=u"%s %s %s ▸ %s" % (self.hostname, proto, public, private), dport=public, proto=proto, nat=True, accept=True, r_type="host", nat_dport=private)
+        rule = Rule(direction='1', owner=self.owner, dport=public, proto=proto, nat=True, accept=True, r_type="host", nat_dport=private, host=host, foreign_network=VlanGroup.objects.get(name=settings["default_vlangroup"]))
         rule.full_clean()
         rule.save()
-        rule.vlan.add(Vlan.objects.get(name="PUB"))
-        rule.vlan.add(Vlan.objects.get(name="HOT"))
-        rule.vlan.add(Vlan.objects.get(name="LAB"))
-        rule.vlan.add(Vlan.objects.get(name="DMZ"))
-        rule.vlan.add(Vlan.objects.get(name="VM-NET"))
-        rule.vlan.add(Vlan.objects.get(name="WAR"))
-        rule.vlan.add(Vlan.objects.get(name="OFF2"))
-        self.rules.add(rule)
 
     def del_port(self, proto, public):
         self.rules.filter(owner=self.owner, proto=proto, nat=True, dport=public).delete()
@@ -201,7 +181,6 @@ class Host(models.Model):
 
 class Firewall(models.Model):
     name = models.CharField(max_length=20, unique=True)
-    rules = models.ManyToManyField('Rule', symmetrical=False, blank=True, null=True)
 
     def __unicode__(self):
         return self.name

firewall/views.py

@@ -17,6 +17,8 @@ import sys
 def reload_firewall(request):
     if request.user.is_authenticated():
         if(request.user.is_superuser):
+            ipv4 = firewall()
+            return HttpResponse(ipv4.show())
             html = u"Be vagy jelentkezve es admin is vagy, kedves %s!" % request.user.username
             html += "<br> 10 masodperc mulva ujratoltodik"
             ReloadTask.delay()

one/models.py

@@ -392,8 +392,7 @@ class Instance(models.Model):
         host.hostname = u"id-%d_user-%s" % (inst.id, owner.username)
         host.mac = x.getElementsByTagName("MAC")[0].childNodes[0].nodeValue
         host.ipv4 = inst.ip
-        host.pub_ipv4 = "152.66.243.62"
-        host.full_clean()
+        host.pub_ipv4 = Vlan.objects.get(name=template.network.name).snat_ip
         host.save()
         host.enable_net()
         host.add_port("tcp", inst.get_port(), {"rdp": 3389, "nx": 22, "ssh": 22}[inst.template.access_type])
@@ -409,7 +408,6 @@ class Instance(models.Model):
         proc = subprocess.Popen(["/opt/occi.sh", "compute",
                "delete", "%d"%self.one_id], stdout=subprocess.PIPE)
         (out, err) = proc.communicate()
-        self.firewall_host.del_rules()
         self.firewall_host.delete()
         reload_firewall_lock()