Commit eb9047bb by Bach Dániel

firewall: create iptables debug comments

parent c5c0da8d
...@@ -16,7 +16,7 @@ class IptRule(object): ...@@ -16,7 +16,7 @@ class IptRule(object):
def __init__(self, priority=1000, action=None, src=None, dst=None, def __init__(self, priority=1000, action=None, src=None, dst=None,
proto=None, sport=None, dport=None, extra=None, proto=None, sport=None, dport=None, extra=None,
ipv4_only=False): ipv4_only=False, comment=None):
if proto not in ['tcp', 'udp', 'icmp', None]: if proto not in ['tcp', 'udp', 'icmp', None]:
raise InvalidRuleExcepion() raise InvalidRuleExcepion()
if proto not in ['tcp', 'udp'] and (sport is not None or if proto not in ['tcp', 'udp'] and (sport is not None or
...@@ -44,6 +44,7 @@ class IptRule(object): ...@@ -44,6 +44,7 @@ class IptRule(object):
self.extra = extra self.extra = extra
self.ipv4_only = (ipv4_only or self.ipv4_only = (ipv4_only or
extra is not None and bool(ipv4_re.search(extra))) extra is not None and bool(ipv4_re.search(extra)))
self.comment = comment
def __hash__(self): def __hash__(self):
return hash(frozenset(self.__dict__.items())) return hash(frozenset(self.__dict__.items()))
...@@ -67,6 +68,7 @@ class IptRule(object): ...@@ -67,6 +68,7 @@ class IptRule(object):
('sport', '--sport %s'), ('sport', '--sport %s'),
('dport', '--dport %s'), ('dport', '--dport %s'),
('extra', '%s'), ('extra', '%s'),
('comment', '-m comment --comment "%s"'),
('action', '-g %s')]) ('action', '-g %s')])
params = [opts[param] % getattr(self, param) params = [opts[param] % getattr(self, param)
for param in opts for param in opts
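Review bot: The new `('comment', '-m comment --comment "%s"')` entry on L24 interpolates the comment into a double-quoted token with no escaping or length check, and the `__init__` hunk (L9-L12) adds the `comment` parameter without adding it to the existing `InvalidRuleExcepion` validation that `proto`/`sport`/`dport` get. In this commit the only caller passes `'Rule #%s' % self.pk`, which is harmless, but the class now accepts arbitrary text that ends up on an iptables-restore line, where a `"` or a newline changes the parsed rule and anything over the 256-byte comment limit makes the restore fail; I'd add, next to the proto check, `if comment is not None and (len(comment) > 255 or any(c in comment for c in '"\r\n')): raise InvalidRuleExcepion()`. Note also that `__hash__` (L19) folds `self.__dict__` into the hash, so two rules that compile to identical iptables text but carry different comments no longer hash equal — if anything downstream deduplicates rules by hashing, that behaviour changes with this commit (not visible here, please confirm). The `__init__` body continues past the end of the first hunk, and `compile`'s list comprehension on L26-L27 is cut off at the end of the last one.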
......
...@@ -210,6 +210,7 @@ class Rule(models.Model): ...@@ -210,6 +210,7 @@ class Rule(models.Model):
for foreign_vlan in self.foreign_network.vlans.all(): for foreign_vlan in self.foreign_network.vlans.all():
r = IptRule(priority=self.weight, action=action, r = IptRule(priority=self.weight, action=action,
proto=self.proto, extra=self.extra, proto=self.proto, extra=self.extra,
comment='Rule #%s' % self.pk,
src=src, dst=dst, dport=dport, sport=sport) src=src, dst=dst, dport=dport, sport=sport)
# host, hostgroup or vlan rule # host, hostgroup or vlan rule
if host or self.vlan_id: if host or self.vlan_id:
......
...@@ -5,7 +5,7 @@ ...@@ -5,7 +5,7 @@
:OUTPUT ACCEPT [0:0] :OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0] :POSTROUTING ACCEPT [0:0]
{% for chain in nat %} {% for chain in nat %}
{{ chain.compile }} {{ chain.compile|safe }}
{% endfor %} {% endfor %}
COMMIT COMMIT
{% endif %} {% endif %}
...@@ -46,9 +46,9 @@ COMMIT ...@@ -46,9 +46,9 @@ COMMIT
{% for chain in filter %} {% for chain in filter %}
{% if chain.name not in chain.builtin_chains %}-N {{ chain.name }}{% endif %} {% if chain.name not in chain.builtin_chains %}-N {{ chain.name }}{% endif %}
{% if proto == "ipv4" %} {% if proto == "ipv4" %}
{{ chain.compile }} {{ chain.compile|safe }}
{% else %} {% else %}
{{ chain.compile_v6 }} {{ chain.compile_v6|safe }}
{% endif %} {% endif %}
{% endfor %} {% endfor %}
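Review bot: The three `|safe` filters (L42, L50, L52) switch off Django autoescaping for the whole compiled rule text, presumably because the new `--comment "..."` token would otherwise be rendered with `&quot;`; that is the right call for non-HTML output, but it also means `extra` (free text per L16, passed straight through on L32 of the model) now reaches iptables-restore with no transformation at all, so the only line of defence is validation at `IptRule`/`Rule` construction, which this commit does not add. Please document the reason in the template so nobody "fixes" it back, e.g. `{# iptables-restore input, not HTML: autoescape would mangle the quoted -m comment; rule text must be validated in IptRule #}`, and as a point of style a single `{% autoescape off %}...{% endautoescape %}` around the rule loops is clearer than repeating `|safe` on every output tag. The surrounding `{% if %}` block on L45 opens before the first hunk.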
......