firewall: create iptables debug comments

eb9047bb · Bach Dániel · c5c0da8d · eb9047bb · eb9047bb · eb9047bb
Commit eb9047bb authored Mar 28, 2014 by Bach Dániel
Hide whitespace changes
Inline Side-by-side

Showing with 7 additions and 4 deletions

circle/firewall/iptables.py
+3 -1

circle/firewall/models.py
+1 -0

circle/firewall/templates/firewall/iptables.conf
+3 -3

No files found.
--- a/circle/firewall/iptables.py
+++ b/circle/firewall/iptables.py
@@ -16,7 +16,7 @@ class IptRule(object):

    def __init__(self, priority=1000, action=None, src=None, dst=None,
                 proto=None, sport=None, dport=None, extra=None,
-                 ipv4_only=False):
+                 ipv4_only=False, comment=None):
        if proto not in ['tcp', 'udp', 'icmp', None]:
            raise InvalidRuleExcepion()
        if proto not in ['tcp', 'udp'] and (sport is not None or
@@ -44,6 +44,7 @@ class IptRule(object):
        self.extra = extra
        self.ipv4_only = (ipv4_only or
                          extra is not None and bool(ipv4_re.search(extra)))
+        self.comment = comment

    def __hash__(self):
        return hash(frozenset(self.__dict__.items()))
@@ -67,6 +68,7 @@ class IptRule(object):
                            ('sport', '--sport %s'),
                            ('dport', '--dport %s'),
                            ('extra', '%s'),
+                            ('comment', '-m comment --comment "%s"'),
                            ('action', '-g %s')])
        params = [opts[param] % getattr(self, param)
                  for param in opts

--- a/circle/firewall/models.py
+++ b/circle/firewall/models.py
@@ -210,6 +210,7 @@ class Rule(models.Model):
        for foreign_vlan in self.foreign_network.vlans.all():
            r = IptRule(priority=self.weight, action=action,
                        proto=self.proto, extra=self.extra,
+                        comment='Rule #%s' % self.pk,
                        src=src, dst=dst, dport=dport, sport=sport)
            # host, hostgroup or vlan rule
            if host or self.vlan_id:

--- a/circle/firewall/templates/firewall/iptables.conf
+++ b/circle/firewall/templates/firewall/iptables.conf
@@ -5,7 +5,7 @@
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 {% for chain in nat %}
-{{ chain.compile }}
+{{ chain.compile|safe }}
 {% endfor %}
 COMMIT
 {% endif %}
@@ -46,9 +46,9 @@ COMMIT
 {% for chain in filter %}
 {% if chain.name not in chain.builtin_chains %}-N {{ chain.name }}{% endif %}
 {% if proto == "ipv4" %}
-{{ chain.compile }}
+{{ chain.compile|safe }}
 {% else %}
-{{ chain.compile_v6 }}
+{{ chain.compile_v6|safe }}
 {% endif %}
 {% endfor %}