Commit 80bde00a by Bach Dániel

remove /sbin/ from commands

parent 8ed2bc6f
...@@ -33,7 +33,8 @@ Configure ISC-DHCP server:: ...@@ -33,7 +33,8 @@ Configure ISC-DHCP server::
Configure sudo:: Configure sudo::
$ sudo tee /etc/sudoers.d/firewall <<END $ sudo tee /etc/sudoers.d/firewall <<END
fw ALL= (ALL) NOPASSWD: /sbin/ip netns exec fw /sbin/ip addr *, /sbin/ip netns exec fw /sbin/ip ro *, /sbin/ip netns exec fw /sbin/ip link *, /sbin/ip netns exec fw /usr/sbin/ipset *, /usr/bin/ovs-vsctl, /sbin/ip netns exec fw /sbin/iptables-restore -c, /sbin/ip netns exec fw /sbin/ip6tables-restore -c, /etc/init.d/isc-dhcp-server restart, /sbin/ip link * fw ALL= (ALL) NOPASSWD: /sbin/ip netns exec fw ip addr *, /sbin/ip netns exec fw ip ro *, /sbin/ip netns exec fw ip link *, /sbin/ip netns exec fw ipset *, /usr/bin/ovs-vsctl, /sbin/ip netns exec fw iptables-restore -c, /sbin/ip netns exec fw ip6tables-restore -c, /etc/init.d/isc-dhcp-server restart, /sbin/ip link *
END END
$ sudo chmod 440 /etc/sudoers.d/firewall $ sudo chmod 440 /etc/sudoers.d/firewall
......
...@@ -37,9 +37,9 @@ def reload_firewall(data4, data6, save_config=True): ...@@ -37,9 +37,9 @@ def reload_firewall(data4, data6, save_config=True):
if isinstance(data6, dict): if isinstance(data6, dict):
data6 = ('\n'.join(data6['filter']) + '\n') data6 = ('\n'.join(data6['filter']) + '\n')
ns_exec(NETNS, ('/sbin/ip6tables-restore', '-c'), data6) ns_exec(NETNS, ('ip6tables-restore', '-c'), data6)
ns_exec(NETNS, ('/sbin/iptables-restore', '-c'), data4) ns_exec(NETNS, ('iptables-restore', '-c'), data4)
if save_config: if save_config:
with open(FIREWALL_CONF, 'w') as f: with open(FIREWALL_CONF, 'w') as f:
...@@ -54,6 +54,10 @@ def reload_firewall_vlan(data, save_config=True): ...@@ -54,6 +54,10 @@ def reload_firewall_vlan(data, save_config=True):
for k, v in ADDRESSES.items(): for k, v in ADDRESSES.items():
data[k]['addresses'] += v data[k]['addresses'] += v
uplink = getenv('UPLINK', None)
if uplink:
data[uplink] = {'interfaces': uplink}
br = Switch('firewall') br = Switch('firewall')
br.migrate(data) br.migrate(data)
...@@ -62,7 +66,7 @@ def reload_firewall_vlan(data, save_config=True): ...@@ -62,7 +66,7 @@ def reload_firewall_vlan(data, save_config=True):
json.dump(data, f) json.dump(data, f)
try: try:
ns_exec(NETNS, ('/sbin/ip', 'ro', 'add', 'default', 'via', ns_exec(NETNS, ('ip', 'ro', 'add', 'default', 'via',
getenv('GATEWAY', '152.66.243.254'))) getenv('GATEWAY', '152.66.243.254')))
except: except:
pass pass
...@@ -84,7 +88,7 @@ def ipset_save(data): ...@@ -84,7 +88,7 @@ def ipset_save(data):
data_new = [x['ipv4'] for x in data] data_new = [x['ipv4'] for x in data]
data_old = [] data_old = []
lines = ns_exec(NETNS, ('/usr/sbin/ipset', 'save', 'blacklist')) lines = ns_exec(NETNS, ('ipset', 'save', 'blacklist'))
for line in lines.splitlines(): for line in lines.splitlines():
x = r.match(line.rstrip()) x = r.match(line.rstrip())
if x: if x:
...@@ -103,7 +107,7 @@ def ipset_restore(l_add, l_del): ...@@ -103,7 +107,7 @@ def ipset_restore(l_add, l_del):
ipset += ['add blacklist %s' % x for x in l_add] ipset += ['add blacklist %s' % x for x in l_add]
ipset += ['del blacklist %s' % x for x in l_del] ipset += ['del blacklist %s' % x for x in l_del]
ns_exec(NETNS, ('/usr/sbin/ipset', 'restore', '-exist'), ns_exec(NETNS, ('ipset', 'restore', '-exist'),
'\n'.join(ipset) + '\n') '\n'.join(ipset) + '\n')
...@@ -139,7 +143,7 @@ def get_dhcp_clients(): ...@@ -139,7 +143,7 @@ def get_dhcp_clients():
def start_firewall(): def start_firewall():
try: try:
ns_exec(NETNS, ('/usr/sbin/ipset', 'create', 'blacklist', ns_exec(NETNS, ('ipset', 'create', 'blacklist',
'hash:ip', 'family', 'inet', 'hashsize', 'hash:ip', 'family', 'inet', 'hashsize',
'4096', 'maxelem', '65536')) '4096', 'maxelem', '65536'))
except: except:
......
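Review bot: The new `UPLINK` handling in `reload_firewall_vlan` unconditionally assigns `data[uplink] = {'interfaces': uplink}`, which silently replaces any entry the caller already supplied under that name and creates an entry without the `addresses` list that the loop just above maintains for the `ADDRESSES` keys; if `Switch.migrate` reads `addresses` on every entry this will raise `KeyError` for the uplink — worth confirming against `migrate`, which is outside the hunk. If overwriting is not intended, `data.setdefault(uplink, {'interfaces': uplink})` keeps a caller-provided entry, and `getenv('UPLINK')` already returns `None` so the explicit default is redundant. Whether `interfaces` should be a bare string or a list cannot be told from this hunk; the shape of the other entries is not visible. `reload_firewall_vlan` starts before and continues after this hunk.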
...@@ -54,7 +54,7 @@ class Interface(object): ...@@ -54,7 +54,7 @@ class Interface(object):
return self.name return self.name
def _run(self, *args): def _run(self, *args):
args = ('/sbin/ip', 'addr', ) + args args = ('ip', 'addr', ) + args
return ns_exec(NETNS, args) return ns_exec(NETNS, args)
def show(self): def show(self):
...@@ -79,8 +79,8 @@ class Interface(object): ...@@ -79,8 +79,8 @@ class Interface(object):
def up(self): def up(self):
if self.is_veth: if self.is_veth:
ns_exec(NETNS, ('/sbin/ip', 'link', 'set', 'up', self.name)) ns_exec(NETNS, ('ip', 'link', 'set', 'up', self.name))
sudo(('/sbin/ip', 'link', 'set', 'up', self.external_name)) sudo(('ip', 'link', 'set', 'up', self.external_name))
def migrate(self): def migrate(self):
old_addresses = [str(x) for x in self.show()] old_addresses = [str(x) for x in self.show()]
...@@ -111,7 +111,7 @@ class Switch(object): ...@@ -111,7 +111,7 @@ class Switch(object):
return sudo(args) return sudo(args)
def _setns(self, dev): def _setns(self, dev):
args = ('/sbin/ip', 'link', 'set', dev, 'netns', NETNS) args = ('ip', 'link', 'set', dev, 'netns', NETNS)
return sudo(args) return sudo(args)
def list_ports(self): def list_ports(self):
...@@ -152,7 +152,7 @@ class Switch(object): ...@@ -152,7 +152,7 @@ class Switch(object):
# move interface into namespace # move interface into namespace
try: try:
if interface.is_veth: if interface.is_veth:
sudo(('/sbin/ip', 'link', 'add', interface.external_name, sudo(('ip', 'link', 'add', interface.external_name,
'type', 'veth', 'peer', 'name', interface.name)) 'type', 'veth', 'peer', 'name', interface.name))
self._setns(interface.name) self._setns(interface.name)
except: except:
...@@ -162,7 +162,7 @@ class Switch(object): ...@@ -162,7 +162,7 @@ class Switch(object):
self._run('del-port', self.brname, interface.external_name) self._run('del-port', self.brname, interface.external_name)
if interface.is_veth: if interface.is_veth:
try: try:
sudo(('/sbin/ip', 'link', 'del', interface.external_name)) sudo(('ip', 'link', 'del', interface.external_name))
except CalledProcessError: except CalledProcessError:
pass pass
......
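Review bot: In `Interface.up`, `Switch._setns` and the veth add/del calls, the outer `sudo(('ip', 'link', …))` now relies on sudo to find `ip` via PATH, and sudo matches the resolved absolute path against the sudoers entry, which per the documented rule is `/sbin/ip`; on a host where PATH finds `ip` elsewhere first (for example `/bin/ip` or `/usr/sbin/ip` on a merged-usr system) the call is refused and lands in the bare `except:` after the veth add, where the failure is swallowed. The inner `ip addr` run through `ns_exec` in `Interface._run` is the opposite case: it is resolved inside the namespace by root's PATH, so it is only as trustworthy as sudo's `secure_path`. I would record both assumptions next to the helpers, e.g. `# 'ip' must resolve to the path named in sudoers (/sbin/ip); inner commands rely on sudo secure_path`, and narrow the `except:` after the veth creation to `CalledProcessError` as the deletion branch already does. Both classes start before and continue after these hunks.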