Commit
551b4fdf
authored
Mar 27, 2014
by
Bach Dániel
firewall: replace rule.accept with rule.action
parent
1d9db1cf
Showing
8 changed files
with
31 additions
and
17 deletions
+31
-17
circle/firewall/admin.py
+2
-2
circle/firewall/iptables.py
+4
-1
circle/firewall/migrations/0048_auto__add_field_rule_action.py
+0
-0
circle/firewall/migrations/0049_auto__del_field_rule_accept.py
+0
-0
circle/firewall/models.py
+14
-10
circle/firewall/tests/test_firewall.py
+8
-2
circle/network/forms.py
+2
-1
circle/network/tables.py
+1
-1
circle/firewall/admin.py
...
...
@@ -52,9 +52,9 @@ class VlanAdmin(admin.ModelAdmin):
class
RuleAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'r_type'
,
'color_desc'
,
'owner'
,
'extra'
,
'direction'
,
'ac
cept
'
,
'proto'
,
'sport'
,
'dport'
,
'nat'
,
'ac
tion
'
,
'proto'
,
'sport'
,
'dport'
,
'nat'
,
'nat_external_port'
,
'used_in'
)
list_filter
=
(
'vlan'
,
'owner'
,
'direction'
,
'ac
cept
'
,
list_filter
=
(
'vlan'
,
'owner'
,
'direction'
,
'ac
tion
'
,
'proto'
,
'nat'
)
def
color_desc
(
self
,
instance
):
...
...
circle/firewall/iptables.py
...
...
@@ -16,7 +16,7 @@ class IptRule(object):
def
__init__
(
self
,
priority
=
1000
,
action
=
None
,
src
=
None
,
dst
=
None
,
proto
=
None
,
sport
=
None
,
dport
=
None
,
extra
=
None
,
ipv4_only
=
False
):
ipv4_only
=
False
,
ignored
=
False
):
if
proto
not
in
[
'tcp'
,
'udp'
,
'icmp'
,
None
]:
raise
InvalidRuleExcepion
()
if
proto
not
in
[
'tcp'
,
'udp'
]
and
(
sport
is
not
None
or
...
...
@@ -44,6 +44,7 @@ class IptRule(object):
self
.
extra
=
extra
self
.
ipv4_only
=
(
ipv4_only
or
extra
is
not
None
and
bool
(
ipv4_re
.
search
(
extra
)))
self
.
ignored
=
ignored
def
__hash__
(
self
):
return
hash
(
frozenset
(
self
.
__dict__
.
items
()))
...
...
@@ -71,6 +72,8 @@ class IptRule(object):
params
=
[
opts
[
param
]
%
getattr
(
self
,
param
)
for
param
in
opts
if
getattr
(
self
,
param
)
is
not
None
]
if
self
.
ignored
:
params
.
insert
(
0
,
'# '
)
return
' '
.
join
(
params
)
...
...
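Review bot: The new `ignored` handling in the last hunk neutralises a rule only by prefixing `'# '` to the compiled string, which holds only while the rule stays on one line; `extra` is spliced in literally (models.py describes it as passed "literally to the iptables-rule"), so an `extra` value containing a newline would let the remainder of the rule escape the comment. A safer contract is to omit ignored rules from the output entirely, or to reject newlines in `extra` at validation time; at minimum document the assumption with `# Ignored rules are emitted as a comment; this only holds while the rule is a single line (extra is not sanitised here).`. Also `params.insert(0, '# ')` followed by `' '.join(params)` produces a double space after `#`; `params.insert(0, '#')` gives the cleaner `# -d ...` and still satisfies the test's `startswith('# ')`. The method this hunk belongs to (compile(), judging from the tests) starts outside the hunk.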
circle/firewall/migrations/0048_auto__add_field_rule_action.py
0 → 100644
circle/firewall/migrations/0049_auto__del_field_rule_accept.py
0 → 100644
circle/firewall/models.py
...
...
@@ -37,7 +37,9 @@ class Rule(models.Model):
CHOICES_type
=
((
'host'
,
'host'
),
(
'firewall'
,
'firewall'
),
(
'vlan'
,
'vlan'
))
CHOICES_proto
=
((
'tcp'
,
'tcp'
),
(
'udp'
,
'udp'
),
(
'icmp'
,
'icmp'
))
CHOICES_dir
=
((
'out'
,
'out'
),
(
'in'
,
'in'
))
CHOICES_dir
=
((
'out'
,
_
(
'out'
)),
(
'in'
,
_
(
'in'
)))
CHOICES_action
=
((
'accept'
,
_
(
'accept'
)),
(
'drop'
,
_
(
'drop'
)),
(
'ignore'
,
_
(
'ignore'
)))
direction
=
models
.
CharField
(
max_length
=
3
,
choices
=
CHOICES_dir
,
blank
=
False
,
verbose_name
=
_
(
"direction"
),
...
...
@@ -70,9 +72,10 @@ class Rule(models.Model):
extra
=
models
.
TextField
(
blank
=
True
,
verbose_name
=
_
(
"extra arguments"
),
help_text
=
_
(
"Additional arguments passed "
"literally to the iptables-rule."
))
accept
=
models
.
BooleanField
(
default
=
True
,
verbose_name
=
_
(
"accept"
),
help_text
=
_
(
"Accept the matching packets "
"(or deny if not checked)."
))
action
=
models
.
CharField
(
max_length
=
10
,
choices
=
CHOICES_action
,
default
=
'drop'
,
verbose_name
=
_
(
'action'
),
help_text
=
_
(
"Accept, drop or ignore the "
"matching packets."
))
owner
=
models
.
ForeignKey
(
User
,
blank
=
True
,
null
=
True
,
verbose_name
=
_
(
"owner"
),
help_text
=
_
(
"The user responsible for "
...
...
@@ -179,7 +182,7 @@ class Rule(models.Model):
def
get_ipt_rules
(
self
,
host
=
None
):
# action
action
=
'LOG_ACC'
if
self
.
ac
cept
else
'LOG_DROP'
action
=
'LOG_ACC'
if
self
.
ac
tion
==
'accept'
else
'LOG_DROP'
# src and dst addresses
src
=
None
...
...
@@ -207,7 +210,8 @@ class Rule(models.Model):
for
foreign_vlan
in
self
.
foreign_network
.
vlans
.
all
():
r
=
IptRule
(
priority
=
self
.
weight
,
action
=
action
,
proto
=
self
.
proto
,
extra
=
self
.
extra
,
src
=
src
,
dst
=
dst
,
dport
=
dport
,
sport
=
sport
)
src
=
src
,
dst
=
dst
,
dport
=
dport
,
sport
=
sport
,
ignored
=
(
self
.
action
==
'ignore'
))
# host, hostgroup or vlan rule
if
host
or
self
.
vlan_id
:
local_vlan
=
host
.
vlan
.
name
if
host
else
self
.
vlan
.
name
...
...
@@ -646,7 +650,7 @@ class Host(models.Model):
vgname
,
unicode
(
e
))
else
:
rule
=
Rule
(
direction
=
'in'
,
owner
=
self
.
owner
,
dport
=
private
,
proto
=
proto
,
nat
=
False
,
ac
cept
=
True
,
proto
=
proto
,
nat
=
False
,
ac
tion
=
'accept'
,
host
=
self
,
foreign_network
=
vg
)
if
self
.
behind_nat
:
if
public
<
1024
:
...
...
@@ -735,7 +739,7 @@ class Host(models.Model):
"""
endpoints
=
{}
# IPv4
ports
=
self
.
incoming_rules
.
filter
(
ac
cept
=
True
,
dport
=
port
,
ports
=
self
.
incoming_rules
.
filter
(
ac
tion
=
'accept'
,
dport
=
port
,
proto
=
protocol
)
public_port
=
(
ports
[
0
]
.
get_external_port
(
proto
=
'ipv4'
)
if
ports
.
exists
()
else
None
)
...
...
@@ -743,8 +747,8 @@ class Host(models.Model):
if
public_port
else
None
)
# IPv6
blocked
=
self
.
incoming_rules
.
filter
(
accept
=
False
,
dport
=
port
,
proto
=
protocol
)
.
exists
()
blocked
=
self
.
incoming_rules
.
exclude
(
action
=
'accept'
)
.
filter
(
dport
=
port
,
proto
=
protocol
)
.
exists
()
endpoints
[
'ipv6'
]
=
(
self
.
ipv6
,
port
)
if
not
blocked
else
None
return
endpoints
...
...
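Review bot: `action` is given `default='drop'` while the removed `accept` field defaulted to True, so any existing Rule row that is not explicitly converted flips from accepting to dropping once migration 0049 removes `accept`; both migrations are collapsed on this page, so I cannot confirm that 0048 or a data migration copies `accept=True` to `action='accept'`, and a missed conversion would silently block traffic on every pre-existing rule. In the IPv6 branch of the last Host hunk, `exclude(action='accept')` now counts `'ignore'` rules as blocking, whereas get_ipt_rules emits those rules commented out; if ignore is meant to be "no rule at all", that query should be `filter(action='drop', dport=port, proto=protocol)` so an ignored rule does not hide the endpoint. get_ipt_rules and the Host methods in these hunks start and end outside the shown context.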
circle/firewall/tests/test_firewall.py
...
...
@@ -140,6 +140,9 @@ class IptablesTestCase(TestCase):
IptRule
(
priority
=
2
,
action
=
'ACCEPT'
,
dst
=
(
'127.0.0.2'
,
None
),
proto
=
'icmp'
),
IptRule
(
priority
=
10
,
action
=
'ACCEPT'
,
dst
=
(
'127.0.0.10'
,
None
),
proto
=
'icmp'
,
ignored
=
True
),
IptRule
(
priority
=
6
,
action
=
'ACCEPT'
,
dst
=
(
'127.0.0.6'
,
None
),
proto
=
'tcp'
,
dport
=
'1337'
)]
...
...
@@ -154,6 +157,9 @@ class IptablesTestCase(TestCase):
self
.
assertEqual
(
self
.
r
[
5
]
.
compile
(),
'-d 127.0.0.5 -p tcp --dport 443 -g ACCEPT'
)
def
test_ignored_rule_compile_ok
(
self
):
assert
self
.
r
[
7
]
.
compile
()
.
startswith
(
'# '
)
def
test_rule_compile_fail
(
self
):
self
.
assertRaises
(
InvalidRuleExcepion
,
IptRule
,
**
{
'proto'
:
'test'
})
...
...
@@ -194,11 +200,11 @@ class ReloadTestCase(TestCase):
vlg
=
VlanGroup
.
objects
.
create
(
name
=
'public'
)
vlg
.
vlans
.
add
(
self
.
vlan
,
self
.
vlan2
)
self
.
hg
=
Group
.
objects
.
create
(
name
=
'netezhet'
)
Rule
.
objects
.
create
(
ac
cept
=
True
,
hostgroup
=
self
.
hg
,
Rule
.
objects
.
create
(
ac
tion
=
'accept'
,
hostgroup
=
self
.
hg
,
foreign_network
=
vlg
)
firewall
=
Firewall
.
objects
.
create
(
name
=
'fw'
)
Rule
.
objects
.
create
(
ac
cept
=
True
,
firewall
=
firewall
,
Rule
.
objects
.
create
(
ac
tion
=
'accept'
,
firewall
=
firewall
,
foreign_network
=
vlg
)
for
i
in
range
(
1
,
6
):
...
...
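Review bot: test_ignored_rule_compile_ok uses a bare `assert` inside a TestCase while the neighbouring tests use `self.assertEqual`/`self.assertRaises`, so a failure reports no useful message and the check is stripped under `python -O`. Prefer `self.assertTrue(self.r[7].compile().startswith('# '))`, or better, pin the full compiled string the way the preceding assertion does for `self.r[5]`, so a regression in how ignored rules are rendered is caught rather than just the two-character prefix. The setUp that builds `self.r` starts outside the hunk, so I could not confirm that index 7 is the rule created with `ignored=True`.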
circle/network/forms.py
...
...
@@ -162,9 +162,10 @@ class RuleForm(ModelForm):
'foreign_network'
,
'dport'
,
'sport'
,
'weight'
,
'proto'
,
'extra'
,
'ac
cept
'
,
'ac
tion
'
,
'owner'
,
'nat'
,
'nat_external_port'
,
...
...
circle/network/tables.py
...
...
@@ -128,7 +128,7 @@ class RuleTable(Table):
model
=
Rule
attrs
=
{
'class'
:
'table table-striped table-hover table-condensed'
}
fields
=
(
'r_type'
,
'color_desc'
,
'owner'
,
'extra'
,
'direction'
,
'ac
cept
'
,
'proto'
,
'sport'
,
'dport'
,
'nat'
,
'ac
tion
'
,
'proto'
,
'sport'
,
'dport'
,
'nat'
,
'nat_external_port'
,
)
order_by
=
'direction'
...
...