Commit
551b4fdf
authored
Mar 27, 2014
by
Bach Dániel
firewall: replace rule.accept with rule.action
parent
1d9db1cf
Showing
8 changed files
with
31 additions
and
17 deletions
+31
-17
circle/firewall/admin.py
+2
-2
circle/firewall/iptables.py
+4
-1
circle/firewall/migrations/0048_auto__add_field_rule_action.py
+0
-0
circle/firewall/migrations/0049_auto__del_field_rule_accept.py
+0
-0
circle/firewall/models.py
+14
-10
circle/firewall/tests/test_firewall.py
+8
-2
circle/network/forms.py
+2
-1
circle/network/tables.py
+1
-1
circle/firewall/admin.py
...
@@ -52,9 +52,9 @@ class VlanAdmin(admin.ModelAdmin):
...
@@ -52,9 +52,9 @@ class VlanAdmin(admin.ModelAdmin):
class
RuleAdmin
(
admin
.
ModelAdmin
):
class
RuleAdmin
(
admin
.
ModelAdmin
):
list_display
=
(
'r_type'
,
'color_desc'
,
'owner'
,
'extra'
,
'direction'
,
list_display
=
(
'r_type'
,
'color_desc'
,
'owner'
,
'extra'
,
'direction'
,
'ac
cept
'
,
'proto'
,
'sport'
,
'dport'
,
'nat'
,
'ac
tion
'
,
'proto'
,
'sport'
,
'dport'
,
'nat'
,
'nat_external_port'
,
'used_in'
)
'nat_external_port'
,
'used_in'
)
list_filter
=
(
'vlan'
,
'owner'
,
'direction'
,
'ac
cept
'
,
list_filter
=
(
'vlan'
,
'owner'
,
'direction'
,
'ac
tion
'
,
'proto'
,
'nat'
)
'proto'
,
'nat'
)
def
color_desc
(
self
,
instance
):
def
color_desc
(
self
,
instance
):
...
...
circle/firewall/iptables.py
...
@@ -16,7 +16,7 @@ class IptRule(object):
...
@@ -16,7 +16,7 @@ class IptRule(object):
def
__init__
(
self
,
priority
=
1000
,
action
=
None
,
src
=
None
,
dst
=
None
,
def
__init__
(
self
,
priority
=
1000
,
action
=
None
,
src
=
None
,
dst
=
None
,
proto
=
None
,
sport
=
None
,
dport
=
None
,
extra
=
None
,
proto
=
None
,
sport
=
None
,
dport
=
None
,
extra
=
None
,
ipv4_only
=
False
):
ipv4_only
=
False
,
ignored
=
False
):
if
proto
not
in
[
'tcp'
,
'udp'
,
'icmp'
,
None
]:
if
proto
not
in
[
'tcp'
,
'udp'
,
'icmp'
,
None
]:
raise
InvalidRuleExcepion
()
raise
InvalidRuleExcepion
()
if
proto
not
in
[
'tcp'
,
'udp'
]
and
(
sport
is
not
None
or
if
proto
not
in
[
'tcp'
,
'udp'
]
and
(
sport
is
not
None
or
...
@@ -44,6 +44,7 @@ class IptRule(object):
...
@@ -44,6 +44,7 @@ class IptRule(object):
self
.
extra
=
extra
self
.
extra
=
extra
self
.
ipv4_only
=
(
ipv4_only
or
self
.
ipv4_only
=
(
ipv4_only
or
extra
is
not
None
and
bool
(
ipv4_re
.
search
(
extra
)))
extra
is
not
None
and
bool
(
ipv4_re
.
search
(
extra
)))
self
.
ignored
=
ignored
def
__hash__
(
self
):
def
__hash__
(
self
):
return
hash
(
frozenset
(
self
.
__dict__
.
items
()))
return
hash
(
frozenset
(
self
.
__dict__
.
items
()))
...
@@ -71,6 +72,8 @@ class IptRule(object):
...
@@ -71,6 +72,8 @@ class IptRule(object):
params
=
[
opts
[
param
]
%
getattr
(
self
,
param
)
params
=
[
opts
[
param
]
%
getattr
(
self
,
param
)
for
param
in
opts
for
param
in
opts
if
getattr
(
self
,
param
)
is
not
None
]
if
getattr
(
self
,
param
)
is
not
None
]
if
self
.
ignored
:
params
.
insert
(
0
,
'# '
)
return
' '
.
join
(
params
)
return
' '
.
join
(
params
)
...
...
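Review bot: Marking an ignored rule by inserting `'# '` at the front of `params` in compile() only comments out the output up to the first line break; `extra` is appended literally (the Rule model in this commit declares it as a TextField), so an `extra` value containing a newline would leave everything after it emitted as a live, uncommented rule. Consider having compile() return just the comment marker plus a one-line description when `self.ignored` is set, or rejecting line breaks in `extra` at the model/form layer so the ignored state cannot be lost. Minor: `' '.join(['# ', ...])` produces two spaces after the hash; `params.insert(0, '#')` gives the same `startswith('# ')` result without the doubled space. compile() starts outside the hunk, so the construction of `opts` is not visible here.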
circle/firewall/migrations/0048_auto__add_field_rule_action.py
0 → 100644
circle/firewall/migrations/0049_auto__del_field_rule_accept.py
0 → 100644
circle/firewall/models.py
...
@@ -37,7 +37,9 @@ class Rule(models.Model):
...
@@ -37,7 +37,9 @@ class Rule(models.Model):
CHOICES_type
=
((
'host'
,
'host'
),
(
'firewall'
,
'firewall'
),
CHOICES_type
=
((
'host'
,
'host'
),
(
'firewall'
,
'firewall'
),
(
'vlan'
,
'vlan'
))
(
'vlan'
,
'vlan'
))
CHOICES_proto
=
((
'tcp'
,
'tcp'
),
(
'udp'
,
'udp'
),
(
'icmp'
,
'icmp'
))
CHOICES_proto
=
((
'tcp'
,
'tcp'
),
(
'udp'
,
'udp'
),
(
'icmp'
,
'icmp'
))
CHOICES_dir
=
((
'out'
,
'out'
),
(
'in'
,
'in'
))
CHOICES_dir
=
((
'out'
,
_
(
'out'
)),
(
'in'
,
_
(
'in'
)))
CHOICES_action
=
((
'accept'
,
_
(
'accept'
)),
(
'drop'
,
_
(
'drop'
)),
(
'ignore'
,
_
(
'ignore'
)))
direction
=
models
.
CharField
(
max_length
=
3
,
choices
=
CHOICES_dir
,
direction
=
models
.
CharField
(
max_length
=
3
,
choices
=
CHOICES_dir
,
blank
=
False
,
verbose_name
=
_
(
"direction"
),
blank
=
False
,
verbose_name
=
_
(
"direction"
),
...
@@ -70,9 +72,10 @@ class Rule(models.Model):
...
@@ -70,9 +72,10 @@ class Rule(models.Model):
extra
=
models
.
TextField
(
blank
=
True
,
verbose_name
=
_
(
"extra arguments"
),
extra
=
models
.
TextField
(
blank
=
True
,
verbose_name
=
_
(
"extra arguments"
),
help_text
=
_
(
"Additional arguments passed "
help_text
=
_
(
"Additional arguments passed "
"literally to the iptables-rule."
))
"literally to the iptables-rule."
))
accept
=
models
.
BooleanField
(
default
=
True
,
verbose_name
=
_
(
"accept"
),
action
=
models
.
CharField
(
max_length
=
10
,
choices
=
CHOICES_action
,
help_text
=
_
(
"Accept the matching packets "
default
=
'drop'
,
verbose_name
=
_
(
'action'
),
"(or deny if not checked)."
))
help_text
=
_
(
"Accept, drop or ignore the "
"matching packets."
))
owner
=
models
.
ForeignKey
(
User
,
blank
=
True
,
null
=
True
,
owner
=
models
.
ForeignKey
(
User
,
blank
=
True
,
null
=
True
,
verbose_name
=
_
(
"owner"
),
verbose_name
=
_
(
"owner"
),
help_text
=
_
(
"The user responsible for "
help_text
=
_
(
"The user responsible for "
...
@@ -179,7 +182,7 @@ class Rule(models.Model):
...
@@ -179,7 +182,7 @@ class Rule(models.Model):
def
get_ipt_rules
(
self
,
host
=
None
):
def
get_ipt_rules
(
self
,
host
=
None
):
# action
# action
action
=
'LOG_ACC'
if
self
.
ac
cept
else
'LOG_DROP'
action
=
'LOG_ACC'
if
self
.
ac
tion
==
'accept'
else
'LOG_DROP'
# src and dst addresses
# src and dst addresses
src
=
None
src
=
None
...
@@ -207,7 +210,8 @@ class Rule(models.Model):
...
@@ -207,7 +210,8 @@ class Rule(models.Model):
for
foreign_vlan
in
self
.
foreign_network
.
vlans
.
all
():
for
foreign_vlan
in
self
.
foreign_network
.
vlans
.
all
():
r
=
IptRule
(
priority
=
self
.
weight
,
action
=
action
,
r
=
IptRule
(
priority
=
self
.
weight
,
action
=
action
,
proto
=
self
.
proto
,
extra
=
self
.
extra
,
proto
=
self
.
proto
,
extra
=
self
.
extra
,
src
=
src
,
dst
=
dst
,
dport
=
dport
,
sport
=
sport
)
src
=
src
,
dst
=
dst
,
dport
=
dport
,
sport
=
sport
,
ignored
=
(
self
.
action
==
'ignore'
))
# host, hostgroup or vlan rule
# host, hostgroup or vlan rule
if
host
or
self
.
vlan_id
:
if
host
or
self
.
vlan_id
:
local_vlan
=
host
.
vlan
.
name
if
host
else
self
.
vlan
.
name
local_vlan
=
host
.
vlan
.
name
if
host
else
self
.
vlan
.
name
...
@@ -646,7 +650,7 @@ class Host(models.Model):
...
@@ -646,7 +650,7 @@ class Host(models.Model):
vgname
,
unicode
(
e
))
vgname
,
unicode
(
e
))
else
:
else
:
rule
=
Rule
(
direction
=
'in'
,
owner
=
self
.
owner
,
dport
=
private
,
rule
=
Rule
(
direction
=
'in'
,
owner
=
self
.
owner
,
dport
=
private
,
proto
=
proto
,
nat
=
False
,
ac
cept
=
True
,
proto
=
proto
,
nat
=
False
,
ac
tion
=
'accept'
,
host
=
self
,
foreign_network
=
vg
)
host
=
self
,
foreign_network
=
vg
)
if
self
.
behind_nat
:
if
self
.
behind_nat
:
if
public
<
1024
:
if
public
<
1024
:
...
@@ -735,7 +739,7 @@ class Host(models.Model):
...
@@ -735,7 +739,7 @@ class Host(models.Model):
"""
"""
endpoints
=
{}
endpoints
=
{}
# IPv4
# IPv4
ports
=
self
.
incoming_rules
.
filter
(
ac
cept
=
True
,
dport
=
port
,
ports
=
self
.
incoming_rules
.
filter
(
ac
tion
=
'accept'
,
dport
=
port
,
proto
=
protocol
)
proto
=
protocol
)
public_port
=
(
ports
[
0
]
.
get_external_port
(
proto
=
'ipv4'
)
public_port
=
(
ports
[
0
]
.
get_external_port
(
proto
=
'ipv4'
)
if
ports
.
exists
()
else
None
)
if
ports
.
exists
()
else
None
)
...
@@ -743,8 +747,8 @@ class Host(models.Model):
...
@@ -743,8 +747,8 @@ class Host(models.Model):
if
public_port
else
if
public_port
else
None
)
None
)
# IPv6
# IPv6
blocked
=
self
.
incoming_rules
.
filter
(
accept
=
False
,
dport
=
port
,
blocked
=
self
.
incoming_rules
.
exclude
(
proto
=
protocol
)
.
exists
()
action
=
'accept'
)
.
filter
(
dport
=
port
,
proto
=
protocol
)
.
exists
()
endpoints
[
'ipv6'
]
=
(
self
.
ipv6
,
port
)
if
not
blocked
else
None
endpoints
[
'ipv6'
]
=
(
self
.
ipv6
,
port
)
if
not
blocked
else
None
return
endpoints
return
endpoints
...
...
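Review bot: In the IPv6 branch of the last Host hunk, `blocked = self.incoming_rules.exclude(action='accept').filter(dport=port, proto=protocol).exists()` now counts a rule with action `'ignore'` as blocking, while `get_ipt_rules` in the same file emits such a rule commented out (`ignored=(self.action == 'ignore')`), i.e. it is neither accepted nor dropped by the generated ruleset. If "blocked" is meant to mirror what the firewall enforces, `filter(action='drop', dport=port, proto=protocol)` is the faithful translation of the old `accept=False`; if the conservative reading is intended, a comment such as `# 'ignore' rules are not enforced but are still reported as blocked` would stop the next reader from "fixing" it. The `'LOG_ACC' if self.action == 'accept' else 'LOG_DROP'` mapping in get_ipt_rules and `default='drop'` on the new field both fail closed for unexpected values, which is the right default. The enclosing methods begin outside their hunks.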
circle/firewall/tests/test_firewall.py
...
@@ -140,6 +140,9 @@ class IptablesTestCase(TestCase):
...
@@ -140,6 +140,9 @@ class IptablesTestCase(TestCase):
IptRule
(
priority
=
2
,
action
=
'ACCEPT'
,
IptRule
(
priority
=
2
,
action
=
'ACCEPT'
,
dst
=
(
'127.0.0.2'
,
None
),
dst
=
(
'127.0.0.2'
,
None
),
proto
=
'icmp'
),
proto
=
'icmp'
),
IptRule
(
priority
=
10
,
action
=
'ACCEPT'
,
dst
=
(
'127.0.0.10'
,
None
),
proto
=
'icmp'
,
ignored
=
True
),
IptRule
(
priority
=
6
,
action
=
'ACCEPT'
,
IptRule
(
priority
=
6
,
action
=
'ACCEPT'
,
dst
=
(
'127.0.0.6'
,
None
),
dst
=
(
'127.0.0.6'
,
None
),
proto
=
'tcp'
,
dport
=
'1337'
)]
proto
=
'tcp'
,
dport
=
'1337'
)]
...
@@ -154,6 +157,9 @@ class IptablesTestCase(TestCase):
...
@@ -154,6 +157,9 @@ class IptablesTestCase(TestCase):
self
.
assertEqual
(
self
.
r
[
5
]
.
compile
(),
self
.
assertEqual
(
self
.
r
[
5
]
.
compile
(),
'-d 127.0.0.5 -p tcp --dport 443 -g ACCEPT'
)
'-d 127.0.0.5 -p tcp --dport 443 -g ACCEPT'
)
def
test_ignored_rule_compile_ok
(
self
):
assert
self
.
r
[
7
]
.
compile
()
.
startswith
(
'# '
)
def
test_rule_compile_fail
(
self
):
def
test_rule_compile_fail
(
self
):
self
.
assertRaises
(
InvalidRuleExcepion
,
self
.
assertRaises
(
InvalidRuleExcepion
,
IptRule
,
**
{
'proto'
:
'test'
})
IptRule
,
**
{
'proto'
:
'test'
})
...
@@ -194,11 +200,11 @@ class ReloadTestCase(TestCase):
...
@@ -194,11 +200,11 @@ class ReloadTestCase(TestCase):
vlg
=
VlanGroup
.
objects
.
create
(
name
=
'public'
)
vlg
=
VlanGroup
.
objects
.
create
(
name
=
'public'
)
vlg
.
vlans
.
add
(
self
.
vlan
,
self
.
vlan2
)
vlg
.
vlans
.
add
(
self
.
vlan
,
self
.
vlan2
)
self
.
hg
=
Group
.
objects
.
create
(
name
=
'netezhet'
)
self
.
hg
=
Group
.
objects
.
create
(
name
=
'netezhet'
)
Rule
.
objects
.
create
(
ac
cept
=
True
,
hostgroup
=
self
.
hg
,
Rule
.
objects
.
create
(
ac
tion
=
'accept'
,
hostgroup
=
self
.
hg
,
foreign_network
=
vlg
)
foreign_network
=
vlg
)
firewall
=
Firewall
.
objects
.
create
(
name
=
'fw'
)
firewall
=
Firewall
.
objects
.
create
(
name
=
'fw'
)
Rule
.
objects
.
create
(
ac
cept
=
True
,
firewall
=
firewall
,
Rule
.
objects
.
create
(
ac
tion
=
'accept'
,
firewall
=
firewall
,
foreign_network
=
vlg
)
foreign_network
=
vlg
)
for
i
in
range
(
1
,
6
):
for
i
in
range
(
1
,
6
):
...
...
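Review bot: `test_ignored_rule_compile_ok` uses a bare `assert` inside a unittest TestCase, unlike the neighbouring `self.assertEqual` calls; a failure then reports no useful message and the check disappears under `python -O`. Prefer `self.assertTrue(self.r[7].compile().startswith('# '))`, or better `self.assertEqual(self.r[7].compile(), <full expected string>)` so the address, proto and target of the ignored rule are pinned as the other tests do. The fixture list `self.r` continues outside the hunk, so index 7 is only presumed to address the newly added rule.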
circle/network/forms.py
...
@@ -162,9 +162,10 @@ class RuleForm(ModelForm):
...
@@ -162,9 +162,10 @@ class RuleForm(ModelForm):
'foreign_network'
,
'foreign_network'
,
'dport'
,
'dport'
,
'sport'
,
'sport'
,
'weight'
,
'proto'
,
'proto'
,
'extra'
,
'extra'
,
'ac
cept
'
,
'ac
tion
'
,
'owner'
,
'owner'
,
'nat'
,
'nat'
,
'nat_external_port'
,
'nat_external_port'
,
...
...
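Review bot: Besides the `accept` → `action` rename, this hunk also adds `'weight'` to RuleForm's field list, which the commit message does not mention. `weight` is what `Rule.get_ipt_rules` passes as `priority`, so exposing it in the form lets anyone who can submit the form change where a rule sits relative to others; if that is intended, it deserves a line in the message and a check that the form's permission handling (not visible here) is appropriate for editing rule priority. The `fields` tuple begins and ends outside the hunk.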
circle/network/tables.py
...
@@ -128,7 +128,7 @@ class RuleTable(Table):
...
@@ -128,7 +128,7 @@ class RuleTable(Table):
model
=
Rule
model
=
Rule
attrs
=
{
'class'
:
'table table-striped table-hover table-condensed'
}
attrs
=
{
'class'
:
'table table-striped table-hover table-condensed'
}
fields
=
(
'r_type'
,
'color_desc'
,
'owner'
,
'extra'
,
'direction'
,
fields
=
(
'r_type'
,
'color_desc'
,
'owner'
,
'extra'
,
'direction'
,
'ac
cept
'
,
'proto'
,
'sport'
,
'dport'
,
'nat'
,
'ac
tion
'
,
'proto'
,
'sport'
,
'dport'
,
'nat'
,
'nat_external_port'
,
)
'nat_external_port'
,
)
order_by
=
'direction'
order_by
=
'direction'
...
...