Skip to content
Toggle navigation
P
Projects
G
Groups
S
Snippets
Help
Gyuricska Milán
/
cloud
This project
Loading...
Sign in
Toggle navigation
Go to a project
Project
Repository
Issues
0
Merge Requests
0
Pipelines
Wiki
Snippets
Members
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Commit
bc37daf9
authored
Feb 05, 2013
by
Dudás Ádám
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
guideline enforcement
parent
0689cfbd
Hide whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
275 additions
and
191 deletions
+275
-191
firewall/admin.py
+23
-13
firewall/fields.py
+3
-1
firewall/fw.py
+249
-177
No files found.
firewall/admin.py
View file @
bc37daf9
...
...
@@ -21,9 +21,10 @@ class HostAdmin(admin.ModelAdmin):
inlines
=
(
AliasInline
,
RuleInline
)
def
groups_l
(
self
,
instance
):
"""Returns instance's groups' names as a comma-separated list."""
retval
=
[]
for
i
in
instance
.
groups
.
all
():
retval
.
append
(
i
.
name
)
for
group
in
instance
.
groups
.
all
():
retval
.
append
(
group
.
name
)
return
u', '
.
join
(
retval
)
class
HostInline
(
contrib
.
admin
.
TabularInline
):
...
...
@@ -44,25 +45,34 @@ class RuleAdmin(admin.ModelAdmin):
'proto'
,
'nat'
)
def
color_desc
(
self
,
instance
):
"""Returns a colorful description of the instance."""
para
=
'</span>'
if
(
instance
.
dport
):
para
=
"dport=
%
s
%
s"
%
(
instance
.
dport
,
para
)
if
(
instance
.
sport
):
para
=
"sport=
%
s
%
s"
%
(
instance
.
sport
,
para
)
if
(
instance
.
proto
):
para
=
"proto=
%
s
%
s"
%
(
instance
.
proto
,
para
)
para
=
u'<span style="color: #00FF00;">'
+
para
return
u'<span style="color: #FF0000;">['
+
instance
.
r_type
+
u']</span> '
+
(
instance
.
foreign_network
.
name
+
u'<span style="color: #0000FF;"> ▸ </span>'
+
instance
.
r_type
if
instance
.
direction
==
'1'
else
instance
.
r_type
+
u'<span style="color: #0000FF;"> ▸ </span>'
+
instance
.
foreign_network
.
name
)
+
' '
+
para
+
' '
+
instance
.
description
if
instance
.
dport
:
para
=
'dport=
%
s
%
s'
%
(
instance
.
dport
,
para
)
if
instance
.
sport
:
para
=
'sport=
%
s
%
s'
%
(
instance
.
sport
,
para
)
if
instance
.
proto
:
para
=
'proto=
%
s
%
s'
%
(
instance
.
proto
,
para
)
para
=
u'<span style="color: #00FF00;">'
+
para
return
(
u'<span style="color: #FF0000;">[
%
s]</span> '
%
instance
.
r_type
+
(
u'
%
s<span style="color: #0000FF;"> ▸ </span>
%
s'
%
((
instance
.
foreign_network
.
name
,
instance
.
r_type
)
if
instance
.
direction
==
'1'
else
(
instance
.
r_type
,
instance
.
foreign_network
.
name
)))
+
' '
+
para
+
' '
+
instance
.
description
)
color_desc
.
allow_tags
=
True
def
vlan_l
(
self
,
instance
):
"""Returns instance's VLANs' names as a comma-separated list."""
retval
=
[]
for
vl
in
instance
.
foreign_network
.
vlans
.
all
():
retval
.
append
(
vl
.
name
)
for
vl
an
in
instance
.
foreign_network
.
vlans
.
all
():
retval
.
append
(
vl
an
.
name
)
return
u', '
.
join
(
retval
)
def
used_in
(
self
,
instance
):
for
field
in
[
instance
.
vlan
,
instance
.
vlangroup
,
instance
.
host
,
instance
.
hostgroup
,
instance
.
firewall
]:
for
field
in
[
instance
.
vlan
,
instance
.
vlangroup
,
instance
.
host
,
instance
.
hostgroup
,
instance
.
firewall
]:
if
field
is
not
None
:
return
unicode
(
field
)
+
' '
+
field
.
_meta
.
object_name
...
...
firewall/fields.py
View file @
bc37daf9
...
...
@@ -34,17 +34,19 @@ class MACAddressField(models.Field):
add_introspection_rules
([],
[
"firewall
\
.fields
\
.MACAddressField"
])
def
val_alfanum
(
value
):
"""Check whether the parameter is a valid alphanumeric value."""
if
alfanum_re
.
search
(
value
)
is
None
:
raise
ValidationError
(
_
(
u'
%
s - only letters, numbers, underscores and hyphens are '
'allowed!'
)
%
value
)
def
val_domain
(
value
):
"""Check wheter the parameter is a valid domin."""
if
domain_re
.
search
(
value
)
is
None
:
raise
ValidationError
(
_
(
u'
%
s - invalid domain'
)
%
value
)
def
ipv4_2_ipv6
(
ipv4
):
"""Convert IPv4 addr
. string to IPv6 addr.
string."""
"""Convert IPv4 addr
ess string to IPv6 address
string."""
m
=
ipv4_re
.
match
(
ipv4
)
if
m
is
None
:
raise
ValidationError
(
_
(
u'
%
s - not an IPv4 address'
)
%
ipv4
)
...
...
firewall/fw.py
View file @
bc37daf9
...
...
@@ -10,8 +10,8 @@ import json
class
firewall
:
IPV6
=
False
SZABALYOK
=
None
SZABALYOK
_NAT
=
[]
RULES
=
None
RULES
_NAT
=
[]
vlans
=
None
dmz
=
None
pub
=
None
...
...
@@ -19,51 +19,58 @@ class firewall:
fw
=
None
def
dportsport
(
self
,
rule
,
repl
=
True
):
retval
=
" "
if
(
rule
.
proto
==
"tcp"
or
rule
.
proto
==
"udp"
):
retval
=
"-p
%
s "
%
rule
.
proto
if
(
rule
.
sport
):
retval
+=
" --sport
%
s "
%
rule
.
sport
if
(
rule
.
dport
):
retval
+=
" --dport
%
s "
%
(
rule
.
nat_dport
if
(
repl
and
rule
.
nat
and
rule
.
direction
==
'1'
)
else
rule
.
dport
)
elif
(
rule
.
proto
==
"icmp"
):
retval
=
"-p
%
s "
%
rule
.
proto
retval
=
' '
if
rule
.
proto
==
'tcp'
or
rule
.
proto
==
'udp'
:
retval
=
'-p
%
s '
%
rule
.
proto
if
rule
.
sport
:
retval
+=
' --sport
%
s '
%
rule
.
sport
if
rule
.
dport
:
retval
+=
' --dport
%
s '
%
(
rule
.
nat_dport
if
(
repl
and
rule
.
nat
and
rule
.
direction
==
'1'
)
else
rule
.
dport
)
elif
rule
.
proto
==
'icmp'
:
retval
=
'-p
%
s '
%
rule
.
proto
return
retval
def
iptables
(
self
,
s
):
self
.
SZABALYOK
.
append
(
s
)
"""Append rule."""
self
.
RULES
.
append
(
s
)
def
iptablesnat
(
self
,
s
):
self
.
SZABALYOK
_NAT
.
append
(
s
)
self
.
RULES
_NAT
.
append
(
s
)
def
host2vlan
(
self
,
host
,
rule
):
if
rule
.
foreign_network
is
None
:
return
if
(
self
.
IPV6
and
host
.
ipv6
)
:
ipaddr
=
host
.
ipv6
+
"/112"
if
self
.
IPV6
and
host
.
ipv6
:
ipaddr
=
host
.
ipv6
+
'/112'
else
:
ipaddr
=
host
.
ipv4
dport_sport
=
self
.
dportsport
(
rule
)
for
vlan
in
rule
.
foreign_network
.
vlans
.
all
():
if
(
rule
.
accept
):
if
(
rule
.
direction
==
'0'
and
vlan
.
name
==
"PUB"
):
if
(
rule
.
dport
==
25
):
self
.
iptables
(
"-A PUB_OUT -s
%
s
%
s -p tcp --dport 25 -j LOG_ACC"
%
(
ipaddr
,
rule
.
extra
))
if
rule
.
accept
:
if
rule
.
direction
==
'0'
and
vlan
.
name
==
'PUB'
:
if
rule
.
dport
==
25
:
self
.
iptables
(
'-A PUB_OUT -s
%
s
%
s -p tcp '
'--dport 25 -j LOG_ACC'
%
(
ipaddr
,
rule
.
extra
))
break
action
=
"PUB_OUT"
action
=
'PUB_OUT'
else
:
action
=
"LOG_ACC"
action
=
'LOG_ACC'
else
:
action
=
"LOG_DROP"
action
=
'LOG_DROP'
if
(
rule
.
direction
==
'1'
):
# HOSTHOZ megy
self
.
iptables
(
"-A
%
s_
%
s -d
%
s
%
s
%
s -g
%
s"
%
(
vlan
,
host
.
vlan
,
ipaddr
,
dport_sport
,
rule
.
extra
,
action
))
if
rule
.
direction
==
'1'
:
# going TO host
self
.
iptables
(
'-A
%
s_
%
s -d
%
s
%
s
%
s -g
%
s'
%
(
vlan
,
host
.
vlan
,
ipaddr
,
dport_sport
,
rule
.
extra
,
action
))
else
:
self
.
iptables
(
"-A
%
s_
%
s -s
%
s
%
s
%
s -g
%
s"
%
(
host
.
vlan
,
vlan
,
ipaddr
,
dport_sport
,
rule
.
extra
,
action
))
self
.
iptables
(
'-A
%
s_
%
s -s
%
s
%
s
%
s -g
%
s'
%
(
host
.
vlan
,
vlan
,
ipaddr
,
dport_sport
,
rule
.
extra
,
action
))
def
fw2vlan
(
self
,
rule
):
...
...
@@ -73,10 +80,14 @@ class firewall:
dport_sport
=
self
.
dportsport
(
rule
)
for
vlan
in
rule
.
foreign_network
.
vlans
.
all
():
if
(
rule
.
direction
==
'1'
):
# HOSTHOZ megy
self
.
iptables
(
"-A INPUT -i
%
s
%
s
%
s -g
%
s"
%
(
vlan
.
interface
,
dport_sport
,
rule
.
extra
,
"LOG_ACC"
if
rule
.
accept
else
"LOG_DROP"
))
if
rule
.
direction
==
'1'
:
# going TO host
self
.
iptables
(
'-A INPUT -i
%
s
%
s
%
s -g
%
s'
%
(
vlan
.
interface
,
dport_sport
,
rule
.
extra
,
'LOG_ACC'
if
rule
.
accept
else
'LOG_DROP'
))
else
:
self
.
iptables
(
"-A OUTPUT -o
%
s
%
s
%
s -g
%
s"
%
(
vlan
.
interface
,
dport_sport
,
rule
.
extra
,
"LOG_ACC"
if
rule
.
accept
else
"LOG_DROP"
))
self
.
iptables
(
'-A OUTPUT -o
%
s
%
s
%
s -g
%
s'
%
(
vlan
.
interface
,
dport_sport
,
rule
.
extra
,
'LOG_ACC'
if
rule
.
accept
else
'LOG_DROP'
))
def
vlan2vlan
(
self
,
l_vlan
,
rule
):
if
rule
.
foreign_network
is
None
:
...
...
@@ -85,144 +96,163 @@ class firewall:
dport_sport
=
self
.
dportsport
(
rule
)
for
vlan
in
rule
.
foreign_network
.
vlans
.
all
():
if
(
rule
.
accept
)
:
if
((
rule
.
direction
==
'0'
)
and
vlan
.
name
==
"PUB"
)
:
action
=
"PUB_OUT"
if
rule
.
accept
:
if
rule
.
direction
==
'0'
and
vlan
.
name
==
'PUB'
:
action
=
'PUB_OUT'
else
:
action
=
"LOG_ACC"
action
=
'LOG_ACC'
else
:
action
=
"LOG_DROP"
action
=
'LOG_DROP'
if
(
rule
.
direction
==
'1'
):
# HOSTHOZ megy
self
.
iptables
(
"-A
%
s_
%
s
%
s
%
s -g
%
s"
%
(
vlan
,
l_vlan
,
dport_sport
,
rule
.
extra
,
action
))
if
rule
.
direction
==
'1'
:
# going TO host
self
.
iptables
(
'-A
%
s_
%
s
%
s
%
s -g
%
s'
%
(
vlan
,
l_vlan
,
dport_sport
,
rule
.
extra
,
action
))
else
:
self
.
iptables
(
"-A
%
s_
%
s
%
s
%
s -g
%
s"
%
(
l_vlan
,
vlan
,
dport_sport
,
rule
.
extra
,
action
))
self
.
iptables
(
'-A
%
s_
%
s
%
s
%
s -g
%
s'
%
(
l_vlan
,
vlan
,
dport_sport
,
rule
.
extra
,
action
))
def
prerun
(
self
):
self
.
iptables
(
"*filter"
)
self
.
iptables
(
":INPUT DROP [88:6448]"
)
self
.
iptables
(
":FORWARD DROP [0:0]"
)
self
.
iptables
(
":OUTPUT DROP [50:6936]"
)
self
.
iptables
(
'*filter'
)
self
.
iptables
(
':INPUT DROP [88:6448]'
)
self
.
iptables
(
':FORWARD DROP [0:0]'
)
self
.
iptables
(
':OUTPUT DROP [50:6936]'
)
# inicialize logging
self
.
iptables
(
"-N LOG_DROP"
)
self
.
iptables
(
'-N LOG_DROP'
)
# windows port scan are silently dropped
self
.
iptables
(
"-A LOG_DROP -p tcp --dport 445 -j DROP"
)
self
.
iptables
(
"-A LOG_DROP -p udp --dport 137 -j DROP"
)
self
.
iptables
(
"-A LOG_DROP -j LOG --log-level 7 --log-prefix
\"
[ipt][drop]
\"
"
)
self
.
iptables
(
"-A LOG_DROP -j DROP"
)
self
.
iptables
(
"-N LOG_ACC"
)
self
.
iptables
(
"-A LOG_ACC -j LOG --log-level 7 --log-prefix
\"
[ipt][isok]
\"
"
)
self
.
iptables
(
"-A LOG_ACC -j ACCEPT"
)
self
.
iptables
(
'-A LOG_DROP -p tcp --dport 445 -j DROP'
)
self
.
iptables
(
'-A LOG_DROP -p udp --dport 137 -j DROP'
)
self
.
iptables
(
'-A LOG_DROP -j LOG --log-level 7'
'--log-prefix "[ipt][drop]"'
)
self
.
iptables
(
'-A LOG_DROP -j DROP'
)
self
.
iptables
(
'-N LOG_ACC'
)
self
.
iptables
(
'-A LOG_ACC -j LOG --log-level 7'
'--log-prefix "[ipt][isok]"'
)
self
.
iptables
(
'-A LOG_ACC -j ACCEPT'
)
if
not
self
.
IPV6
:
# The chain which test is a packet has a valid public destination IP
# (RFC-3330) packages passing this chain has valid destination IP addressed
self
.
iptables
(
"-N r_pub_dIP"
)
self
.
iptables
(
"-A r_pub_dIP -d 0.0.0.0/8 -g LOG_DROP"
)
self
.
iptables
(
"-A r_pub_dIP -d 169.254.0.0/16 -g LOG_DROP"
)
self
.
iptables
(
"-A r_pub_dIP -d 172.16.0.0/12 -g LOG_DROP"
)
self
.
iptables
(
"-A r_pub_dIP -d 192.0.2.0/24 -g LOG_DROP"
)
self
.
iptables
(
"-A r_pub_dIP -d 192.168.0.0/16 -g LOG_DROP"
)
self
.
iptables
(
"-A r_pub_dIP -d 127.0.0.0/8 -g LOG_DROP"
)
# self.iptables("-A r_pub_dIP -d 10.0.0.0/8 -g LOG_DROP"
)
self
.
iptables
(
'-N r_pub_dIP'
)
self
.
iptables
(
'-A r_pub_dIP -d 0.0.0.0/8 -g LOG_DROP'
)
self
.
iptables
(
'-A r_pub_dIP -d 169.254.0.0/16 -g LOG_DROP'
)
self
.
iptables
(
'-A r_pub_dIP -d 172.16.0.0/12 -g LOG_DROP'
)
self
.
iptables
(
'-A r_pub_dIP -d 192.0.2.0/24 -g LOG_DROP'
)
self
.
iptables
(
'-A r_pub_dIP -d 192.168.0.0/16 -g LOG_DROP'
)
self
.
iptables
(
'-A r_pub_dIP -d 127.0.0.0/8 -g LOG_DROP'
)
# self.iptables('-A r_pub_dIP -d 10.0.0.0/8 -g LOG_DROP'
)
# The chain which test is a packet has a valid public source IP
# (RFC-3330) packages passing this chain has valid destination IP addressed
self
.
iptables
(
"-N r_pub_sIP"
)
self
.
iptables
(
"-A r_pub_sIP -s 0.0.0.0/8 -g LOG_DROP"
)
self
.
iptables
(
"-A r_pub_sIP -s 169.254.0.0/16 -g LOG_DROP"
)
self
.
iptables
(
"-A r_pub_sIP -s 172.16.0.0/12 -g LOG_DROP"
)
self
.
iptables
(
"-A r_pub_sIP -s 192.0.2.0/24 -g LOG_DROP"
)
self
.
iptables
(
"-A r_pub_sIP -s 192.168.0.0/16 -g LOG_DROP"
)
self
.
iptables
(
"-A r_pub_sIP -s 127.0.0.0/8 -g LOG_DROP"
)
# self.iptables("-A r_pub_sIP -s 10.0.0.0/8 -g LOG_DROP")
# chain which tests if the destination specified by the DMZ host is valid
self
.
iptables
(
"-N r_DMZ_dIP"
)
self
.
iptables
(
"-A r_DMZ_dIP -d 10.2.0.0/16 -j RETURN"
)
self
.
iptables
(
"-A r_DMZ_dIP -j r_pub_dIP"
)
self
.
iptables
(
"-N PUB_OUT"
)
self
.
iptables
(
'-N r_pub_sIP'
)
self
.
iptables
(
'-A r_pub_sIP -s 0.0.0.0/8 -g LOG_DROP'
)
self
.
iptables
(
'-A r_pub_sIP -s 169.254.0.0/16 -g LOG_DROP'
)
self
.
iptables
(
'-A r_pub_sIP -s 172.16.0.0/12 -g LOG_DROP'
)
self
.
iptables
(
'-A r_pub_sIP -s 192.0.2.0/24 -g LOG_DROP'
)
self
.
iptables
(
'-A r_pub_sIP -s 192.168.0.0/16 -g LOG_DROP'
)
self
.
iptables
(
'-A r_pub_sIP -s 127.0.0.0/8 -g LOG_DROP'
)
# self.iptables('-A r_pub_sIP -s 10.0.0.0/8 -g LOG_DROP')
# Chain which tests whether the destination specified by the
# DMZ host is valid
self
.
iptables
(
'-N r_DMZ_dIP'
)
self
.
iptables
(
'-A r_DMZ_dIP -d 10.2.0.0/16 -j RETURN'
)
self
.
iptables
(
'-A r_DMZ_dIP -j r_pub_dIP'
)
self
.
iptables
(
'-N PUB_OUT'
)
if
not
self
.
IPV6
:
self
.
iptables
(
"-A PUB_OUT -j r_pub_dIP"
)
self
.
iptables
(
'-A PUB_OUT -j r_pub_dIP'
)
self
.
iptables
(
"-A FORWARD -m state --state INVALID -g LOG_DROP"
)
self
.
iptables
(
"-A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT"
)
self
.
iptables
(
"-A FORWARD -p icmp --icmp-type echo-request -g LOG_ACC"
)
self
.
iptables
(
'-A FORWARD -m state --state INVALID -g LOG_DROP'
)
self
.
iptables
(
'-A FORWARD -m state --state ESTABLISHED,RELATED'
'-j ACCEPT'
)
self
.
iptables
(
'-A FORWARD -p icmp --icmp-type echo-request'
'-g LOG_ACC'
)
if
not
self
.
IPV6
:
self
.
iptables
(
"-A FORWARD -j r_pub_sIP -o pub"
)
self
.
iptables
(
"-A INPUT -m state --state INVALID -g LOG_DROP"
)
self
.
iptables
(
"-A INPUT -i lo -j ACCEPT"
)
self
.
iptables
(
'-A FORWARD -j r_pub_sIP -o pub'
)
self
.
iptables
(
'-A INPUT -m state --state INVALID -g LOG_DROP'
)
self
.
iptables
(
'-A INPUT -i lo -j ACCEPT'
)
if
not
self
.
IPV6
:
self
.
iptables
(
"-A INPUT -j r_pub_sIP"
)
self
.
iptables
(
"-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
)
self
.
iptables
(
'-A INPUT -j r_pub_sIP'
)
self
.
iptables
(
'-A INPUT -m state --state ESTABLISHED,RELATED'
'-j ACCEPT'
)
self
.
iptables
(
"-A OUTPUT -m state --state INVALID -g LOG_DROP"
)
self
.
iptables
(
"-A OUTPUT -o lo -j ACCEPT"
)
self
.
iptables
(
"-A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT"
)
self
.
iptables
(
'-A OUTPUT -m state --state INVALID -g LOG_DROP'
)
self
.
iptables
(
'-A OUTPUT -o lo -j ACCEPT'
)
self
.
iptables
(
'-A OUTPUT -m state --state ESTABLISHED,RELATED'
'-j ACCEPT'
)
def
postrun
(
self
):
self
.
iptables
(
"-A PUB_OUT -s 152.66.243.160/27 -p tcp --dport 25 -j LOG_ACC"
)
self
.
iptables
(
"-A PUB_OUT -s 152.66.243.160/27 -p tcp --dport 445 -j LOG_ACC"
)
self
.
iptables
(
"-A PUB_OUT -p tcp --dport 25 -j LOG_DROP"
)
self
.
iptables
(
"-A PUB_OUT -p tcp --dport 445 -j LOG_DROP"
)
self
.
iptables
(
"-A PUB_OUT -p udp --dport 445 -j LOG_DROP"
)
self
.
iptables
(
'-A PUB_OUT -s 152.66.243.160/27 -p tcp --dport 25'
'-j LOG_ACC'
)
self
.
iptables
(
'-A PUB_OUT -s 152.66.243.160/27 -p tcp --dport 445'
'-j LOG_ACC'
)
self
.
iptables
(
'-A PUB_OUT -p tcp --dport 25 -j LOG_DROP'
)
self
.
iptables
(
'-A PUB_OUT -p tcp --dport 445 -j LOG_DROP'
)
self
.
iptables
(
'-A PUB_OUT -p udp --dport 445 -j LOG_DROP'
)
self
.
iptables
(
"-A PUB_OUT -g LOG_ACC"
)
self
.
iptables
(
"-A FORWARD -g LOG_DROP"
)
self
.
iptables
(
"-A INPUT -g LOG_DROP"
)
self
.
iptables
(
"-A OUTPUT -g LOG_DROP"
)
self
.
iptables
(
"COMMIT"
)
self
.
iptables
(
'-A PUB_OUT -g LOG_ACC'
)
self
.
iptables
(
'-A FORWARD -g LOG_DROP'
)
self
.
iptables
(
'-A INPUT -g LOG_DROP'
)
self
.
iptables
(
'-A OUTPUT -g LOG_DROP'
)
self
.
iptables
(
'COMMIT'
)
def
ipt_nat
(
self
):
self
.
iptablesnat
(
"*nat"
)
self
.
iptablesnat
(
":PREROUTING ACCEPT [0:0]"
)
self
.
iptablesnat
(
":INPUT ACCEPT [0:0]"
)
self
.
iptablesnat
(
":OUTPUT ACCEPT [1:708]"
)
self
.
iptablesnat
(
":POSTROUTING ACCEPT [1:708]"
)
self
.
iptablesnat
(
'*nat'
)
self
.
iptablesnat
(
':PREROUTING ACCEPT [0:0]'
)
self
.
iptablesnat
(
':INPUT ACCEPT [0:0]'
)
self
.
iptablesnat
(
':OUTPUT ACCEPT [1:708]'
)
self
.
iptablesnat
(
':POSTROUTING ACCEPT [1:708]'
)
# portforward
for
host
in
self
.
hosts
.
exclude
(
pub_ipv4
=
None
):
for
rule
in
host
.
rules
.
filter
(
nat
=
True
,
direction
=
'1'
):
dport_sport
=
self
.
dportsport
(
rule
,
False
)
if
host
.
vlan
.
snat_ip
:
self
.
iptablesnat
(
"-A PREROUTING -d
%
s
%
s
%
s -j DNAT --to-destination
%
s:
%
s"
%
(
host
.
pub_ipv4
,
dport_sport
,
rule
.
extra
,
host
.
ipv4
,
rule
.
nat_dport
))
self
.
iptablesnat
(
'-A PREROUTING -d
%
s
%
s
%
s -j DNAT'
'--to-destination
%
s:
%
s'
%
(
host
.
pub_ipv4
,
dport_sport
,
rule
.
extra
,
host
.
ipv4
,
rule
.
nat_dport
))
#
sajat publikus ipvel rendelkezo gepek szabalyai
#
rules for machines with dedicated public IP
for
host
in
self
.
hosts
.
exclude
(
shared_ip
=
True
):
if
(
host
.
pub_ipv4
):
self
.
iptablesnat
(
"-A PREROUTING -d
%
s -j DNAT --to-destination
%
s"
%
(
host
.
pub_ipv4
,
host
.
ipv4
))
self
.
iptablesnat
(
"-A POSTROUTING -s
%
s -j SNAT --to-source
%
s"
%
(
host
.
ipv4
,
host
.
pub_ipv4
))
if
host
.
pub_ipv4
:
self
.
iptablesnat
(
'-A PREROUTING -d
%
s -j DNAT'
'--to-destination
%
s'
%
(
host
.
pub_ipv4
,
host
.
ipv4
))
self
.
iptablesnat
(
'-A POSTROUTING -s
%
s -j SNAT'
'--to-source
%
s'
%
(
host
.
ipv4
,
host
.
pub_ipv4
))
#
alapertelmezett nat szabalyok a vlanokra
#
default NAT rules for VLANs
for
s_vlan
in
self
.
vlans
:
if
(
s_vlan
.
snat_ip
)
:
if
s_vlan
.
snat_ip
:
for
d_vlan
in
s_vlan
.
snat_to
.
all
():
self
.
iptablesnat
(
"-A POSTROUTING -s
%
s -o
%
s -j SNAT --to-source
%
s"
%
(
s_vlan
.
net_ipv4
(),
d_vlan
.
interface
,
s_vlan
.
snat_ip
))
self
.
iptablesnat
(
'-A POSTROUTING -s
%
s -o
%
s -j SNAT'
'--to-source
%
s'
%
(
s_vlan
.
net_ipv4
(),
d_vlan
.
interface
,
s_vlan
.
snat_ip
))
# bedrotozott szabalyok
self
.
iptablesnat
(
"-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT --to-source 10.3.255.254"
)
# man elerheto legyen
self
.
iptablesnat
(
"-A POSTROUTING -s 10.5.0.0/16 -o vlan0008 -j SNAT --to-source 10.0.0.247"
)
# wolf halozat a nyomtatashoz
self
.
iptablesnat
(
"-A POSTROUTING -s 10.3.0.0/16 -o vlan0002 -j SNAT --to-source
%
s"
%
self
.
pub
.
ipv4
)
# kulonben nemmegy a du
# hard-wired rules
self
.
iptablesnat
(
'-A POSTROUTING -s 10.5.0.0/16 -o vlan0003 -j SNAT'
'--to-source 10.3.255.254'
)
# man elerheto legyen
self
.
iptablesnat
(
'-A POSTROUTING -s 10.5.0.0/16 -o vlan0008 -j SNAT'
'--to-source 10.0.0.247'
)
# wolf network for printing
self
.
iptablesnat
(
'-A POSTROUTING -s 10.3.0.0/16 -o vlan0002 -j SNAT'
'--to-source
%
s'
%
self
.
pub
.
ipv4
)
# kulonben nemmegy a du
self
.
iptablesnat
(
"COMMIT"
)
self
.
iptablesnat
(
'COMMIT'
)
def
ipt_filter
(
self
):
regexp
=
re
.
compile
(
'[0-9]+
\
.[0-9]+
\
.[0-9]+
\
.[0-9]+'
)
regexp_icmp
=
re
.
compile
(
'icmp'
)
ipv4_re
=
re
.
compile
(
'([0-9]{1,3}
\
.){3}[0-9]{1,3}'
)
#
futas elotti dolgok
#
pre-run stuff
self
.
prerun
()
#
tuzfal sajat szabalyai
#
firewall's own rules
for
f
in
self
.
fw
:
for
rule
in
f
.
rules
.
all
():
self
.
fw2vlan
(
rule
)
...
...
@@ -230,10 +260,10 @@ class firewall:
# zonak kozotti lancokra ugras
for
s_vlan
in
self
.
vlans
:
for
d_vlan
in
self
.
vlans
:
self
.
iptables
(
"-N
%
s_
%
s"
%
(
s_vlan
,
d_vlan
))
self
.
iptables
(
"-A FORWARD -i
%
s -o
%
s -g
%
s_
%
s"
%
(
s_vlan
.
interface
,
d_vlan
.
interface
,
s_vlan
,
d_vlan
))
self
.
iptables
(
'-N
%
s_
%
s'
%
(
s_vlan
,
d_vlan
))
self
.
iptables
(
'-A FORWARD -i
%
s -o
%
s -g
%
s_
%
s'
%
(
s_vlan
.
interface
,
d_vlan
.
interface
,
s_vlan
,
d_vlan
))
# hos
ztok szabalyai
# hos
ts' rules
for
i_vlan
in
self
.
vlans
:
for
i_host
in
i_vlan
.
host_set
.
all
():
for
group
in
i_host
.
groups
.
all
():
...
...
@@ -242,7 +272,7 @@ class firewall:
for
rule
in
i_host
.
rules
.
all
():
self
.
host2vlan
(
i_host
,
rule
)
#
vlanok kozotti kommunikacio engedelyezese
#
enable communication between VLANs
for
s_vlan
in
self
.
vlans
:
for
rule
in
s_vlan
.
rules
.
all
():
self
.
vlan2vlan
(
s_vlan
,
rule
)
...
...
@@ -250,23 +280,23 @@ class firewall:
# zonak kozotti lancokat zarja le
for
s_vlan
in
self
.
vlans
:
for
d_vlan
in
self
.
vlans
:
self
.
iptables
(
"-A
%
s_
%
s -g LOG_DROP"
%
(
s_vlan
,
d_vlan
))
self
.
iptables
(
'-A
%
s_
%
s -g LOG_DROP'
%
(
s_vlan
,
d_vlan
))
#
futas utani dolgok
#
post-run stuff
self
.
postrun
()
if
self
.
IPV6
:
self
.
SZABALYOK
=
[
x
for
x
in
self
.
SZABALYOK
if
not
regexp
.
search
(
x
)]
self
.
SZABALYOK
=
[
regexp_icmp
.
sub
(
'icmpv6'
,
x
)
for
x
in
self
.
SZABALYOK
]
self
.
RULES
=
[
x
for
x
in
self
.
RULES
if
not
ipv4_re
.
search
(
x
)]
self
.
RULES
=
[
x
.
replace
(
'icmp'
,
'icmpv6'
)
for
x
in
self
.
RULES
]
def
__init__
(
self
,
IPV6
=
False
):
self
.
SZABALYOK
=
[]
self
.
SZABALYOK
_NAT
=
[]
self
.
RULES
=
[]
self
.
RULES
_NAT
=
[]
self
.
IPV6
=
IPV6
self
.
vlans
=
models
.
Vlan
.
objects
.
all
()
self
.
hosts
=
models
.
Host
.
objects
.
all
()
self
.
dmz
=
models
.
Vlan
.
objects
.
get
(
name
=
"DMZ"
)
self
.
pub
=
models
.
Vlan
.
objects
.
get
(
name
=
"PUB"
)
self
.
dmz
=
models
.
Vlan
.
objects
.
get
(
name
=
'DMZ'
)
self
.
pub
=
models
.
Vlan
.
objects
.
get
(
name
=
'PUB'
)
self
.
fw
=
models
.
Firewall
.
objects
.
all
()
self
.
ipt_filter
()
if
not
self
.
IPV6
:
...
...
@@ -274,17 +304,23 @@ class firewall:
def
reload
(
self
):
if
self
.
IPV6
:
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'fw2'
,
'/usr/bin/sudo'
,
'/sbin/ip6tables-restore'
,
'-c'
],
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
process
.
communicate
(
"
\n
"
.
join
(
self
.
SZABALYOK
)
+
"
\n
"
)
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'fw2'
,
'/usr/bin/sudo'
,
'/sbin/ip6tables-restore'
,
'-c'
],
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
process
.
communicate
(
'
\n
'
.
join
(
self
.
RULES
)
+
'
\n
'
)
else
:
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'fw2'
,
'/usr/bin/sudo'
,
'/sbin/iptables-restore'
,
'-c'
],
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
process
.
communicate
(
"
\n
"
.
join
(
self
.
SZABALYOK
)
+
"
\n
"
+
"
\n
"
.
join
(
self
.
SZABALYOK_NAT
)
+
"
\n
"
)
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'fw2'
,
'/usr/bin/sudo'
,
'/sbin/iptables-restore'
,
'-c'
],
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
process
.
communicate
(
'
\n
'
.
join
(
self
.
RULES
)
+
'
\n
'
+
'
\n
'
.
join
(
self
.
RULES_NAT
)
+
'
\n
'
)
def
show
(
self
):
if
self
.
IPV6
:
return
"
\n
"
.
join
(
self
.
SZABALYOK
)
+
"
\n
"
return
'
\n
'
.
join
(
self
.
RULES
)
+
'
\n
'
else
:
return
"
\n
"
.
join
(
self
.
SZABALYOK
)
+
"
\n
"
+
"
\n
"
.
join
(
self
.
SZABALYOK_NAT
)
+
"
\n
"
return
(
'
\n
'
.
join
(
self
.
RULES
)
+
'
\n
'
+
'
\n
'
.
join
(
self
.
RULES_NAT
)
+
'
\n
'
)
def
ipv6_to_octal
(
ipv6
):
...
...
@@ -303,10 +339,12 @@ def ipv6_to_octal(ipv6):
def
ipv4_to_arpa
(
ipv4
,
cname
=
False
):
m2
=
re
.
search
(
r'^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$'
,
ipv4
)
if
(
cname
):
return
"
%
s.dns1.
%
s.
%
s.
%
s.in-addr.arpa"
%
(
m2
.
group
(
4
),
m2
.
group
(
3
),
m2
.
group
(
2
),
m2
.
group
(
1
))
if
cname
:
return
(
'
%
s.dns1.
%
s.
%
s.
%
s.in-addr.arpa'
%
(
m2
.
group
(
4
),
m2
.
group
(
3
),
m2
.
group
(
2
),
m2
.
group
(
1
)))
else
:
return
"
%
s.
%
s.
%
s.
%
s.in-addr.arpa"
%
(
m2
.
group
(
4
),
m2
.
group
(
3
),
m2
.
group
(
2
),
m2
.
group
(
1
))
return
(
'
%
s.
%
s.
%
s.
%
s.in-addr.arpa'
%
(
m2
.
group
(
4
),
m2
.
group
(
3
),
m2
.
group
(
2
),
m2
.
group
(
1
)))
def
ipv6_to_arpa
(
ipv6
):
while
len
(
ipv6
.
split
(
':'
))
<
8
:
...
...
@@ -325,7 +363,6 @@ def ipv6_to_arpa(ipv6):
return
'.'
.
join
([
'
%1
x'
%
x
for
x
in
octets
])
+
'.ip6.arpa'
# =fqdn:ip:ttl A, PTR
# &fqdn:ip:x:ttl NS
# ZfqdnSOA
...
...
@@ -339,50 +376,80 @@ def dns():
regex
=
re
.
compile
(
r'^([0-9]+)\.([0-9]+)\.([0-9]+)\.([0-9]+)$'
)
DNS
=
[]
DNS
.
append
(
"=cloud.ik.bme.hu:152.66.243.98:600::"
)
DNS
.
append
(
":cloud.ik.bme.hu:28:
\040\001\007\070\040\001\100\061\000\002\000\000\000\007\000\000
:600"
)
DNS
.
append
(
":cloud.ik.bme.hu:28:"
"
\040\001\007\070\040\001\100\061\000\002\000\000\000\007\000\000
:"
"600"
)
DNS
.
append
(
"=r.cloud.ik.bme.hu:152.66.243.62:600::"
)
DNS
.
append
(
"Z1.3.0.4.1.0.0.2.8.3.7.0.1.0.0.2.ip6.arpa:dns1.ik.bme.hu:support.ik.bme.hu::::::600"
)
# soa
DNS
.
append
(
"&1.3.0.4.1.0.0.2.8.3.7.0.1.0.0.2.ip6.arpa::dns1.ik.bme.hu:600::"
)
# ns rekord
DNS
.
append
(
"&1.3.0.4.1.0.0.2.8.3.7.0.1.0.0.2.ip6.arpa::nic.bme.hu:600::"
)
# ns rekord
DNS
.
append
(
"Z1.3.0.4.1.0.0.2.8.3.7.0.1.0.0.2.ip6.arpa:"
"dns1.ik.bme.hu:support.ik.bme.hu::::::600"
)
# soa
DNS
.
append
(
"&1.3.0.4.1.0.0.2.8.3.7.0.1.0.0.2.ip6.arpa::"
"dns1.ik.bme.hu:600::"
)
# ns rekord
DNS
.
append
(
"&1.3.0.4.1.0.0.2.8.3.7.0.1.0.0.2.ip6.arpa::"
"nic.bme.hu:600::"
)
# ns rekord
for
i_vlan
in
vlans
:
m
=
regex
.
search
(
i_vlan
.
net4
)
if
(
i_vlan
.
name
!=
"DMZ"
and
i_vlan
.
name
!=
"PUB"
):
DNS
.
append
(
"Z
%
s.
%
s.in-addr.arpa:
%
s:support.ik.bme.hu::::::
%
s"
%
(
m
.
group
(
2
),
m
.
group
(
1
),
models
.
settings
[
'dns_hostname'
],
models
.
settings
[
'dns_ttl'
]))
DNS
.
append
(
"&
%
s.
%
s.in-addr.arpa::
%
s:
%
s:"
%
(
m
.
group
(
2
),
m
.
group
(
1
),
models
.
settings
[
'dns_hostname'
],
models
.
settings
[
'dns_ttl'
]))
DNS
.
append
(
"Z
%
s:
%
s:support.ik.bme.hu::::::
%
s"
%
(
i_vlan
.
domain
,
models
.
settings
[
'dns_hostname'
],
models
.
settings
[
'dns_ttl'
]))
DNS
.
append
(
"&
%
s::
%
s:
%
s"
%
(
i_vlan
.
domain
,
models
.
settings
[
'dns_hostname'
],
models
.
settings
[
'dns_ttl'
]))
if
(
i_vlan
.
name
==
"WAR"
):
DNS
.
append
(
"Zdns1.
%
s.
%
s.
%
s.in-addr.arpa:
%
s:support.ik.bme.hu::::::
%
s"
%
(
m
.
group
(
3
),
m
.
group
(
2
),
m
.
group
(
1
),
models
.
settings
[
'dns_hostname'
],
models
.
settings
[
'dns_ttl'
]))
DNS
.
append
(
"&dns1.
%
s.
%
s.
%
s.in-addr.arpa::
%
s:
%
s::"
%
(
m
.
group
(
3
),
m
.
group
(
2
),
m
.
group
(
1
),
models
.
settings
[
'dns_hostname'
],
models
.
settings
[
'dns_ttl'
]))
if
i_vlan
.
name
!=
"DMZ"
and
i_vlan
.
name
!=
"PUB"
:
DNS
.
append
(
"Z
%
s.
%
s.in-addr.arpa:
%
s:support.ik.bme.hu::::::
%
s"
%
(
m
.
group
(
2
),
m
.
group
(
1
),
models
.
settings
[
'dns_hostname'
],
models
.
settings
[
'dns_ttl'
]))
DNS
.
append
(
"&
%
s.
%
s.in-addr.arpa::
%
s:
%
s:"
%
(
m
.
group
(
2
),
m
.
group
(
1
),
models
.
settings
[
'dns_hostname'
],
models
.
settings
[
'dns_ttl'
]))
DNS
.
append
(
"Z
%
s:
%
s:support.ik.bme.hu::::::
%
s"
%
(
i_vlan
.
domain
,
models
.
settings
[
'dns_hostname'
],
models
.
settings
[
'dns_ttl'
]))
DNS
.
append
(
"&
%
s::
%
s:
%
s"
%
(
i_vlan
.
domain
,
models
.
settings
[
'dns_hostname'
],
models
.
settings
[
'dns_ttl'
]))
if
i_vlan
.
name
==
"WAR"
:
DNS
.
append
(
"Zdns1.
%
s.
%
s.
%
s.in-addr.arpa:
%
s:"
"support.ik.bme.hu::::::
%
s"
%
(
m
.
group
(
3
),
m
.
group
(
2
),
m
.
group
(
1
),
models
.
settings
[
'dns_hostname'
],
models
.
settings
[
'dns_ttl'
]))
DNS
.
append
(
"&dns1.
%
s.
%
s.
%
s.in-addr.arpa::
%
s:
%
s::"
%
(
m
.
group
(
3
),
m
.
group
(
2
),
m
.
group
(
1
),
models
.
settings
[
'dns_hostname'
],
models
.
settings
[
'dns_ttl'
]))
for
i_host
in
i_vlan
.
host_set
.
all
():
ipv4
=
(
i_host
.
pub_ipv4
if
i_host
.
pub_ipv4
and
not
i_host
.
shared_ip
else
i_host
.
ipv4
)
reverse
=
i_host
.
reverse
if
(
i_host
.
reverse
and
len
(
i_host
.
reverse
))
else
i_host
.
hostname
+
u'.'
+
i_vlan
.
domain
ipv4
=
(
i_host
.
pub_ipv4
if
i_host
.
pub_ipv4
and
not
i_host
.
shared_ip
else
i_host
.
ipv4
)
reverse
=
(
i_host
.
reverse
if
i_host
.
reverse
and
len
(
i_host
.
reverse
)
else
i_host
.
hostname
+
u'.'
+
i_vlan
.
domain
)
hostname
=
i_host
.
hostname
+
u'.'
+
i_vlan
.
domain
# ipv4
if
i_host
.
ipv4
:
# A record
DNS
.
append
(
"+
%
s:
%
s:
%
s"
%
(
hostname
,
ipv4
,
models
.
settings
[
'dns_ttl'
]))
DNS
.
append
(
"+
%
s:
%
s:
%
s"
%
(
hostname
,
ipv4
,
models
.
settings
[
'dns_ttl'
]))
# PTR record 4.3.2.1.in-addr.arpa
DNS
.
append
(
"^
%
s:
%
s:
%
s"
%
(
ipv4_to_arpa
(
i_host
.
ipv4
),
reverse
,
models
.
settings
[
'dns_ttl'
]))
DNS
.
append
(
"^
%
s:
%
s:
%
s"
%
(
ipv4_to_arpa
(
i_host
.
ipv4
),
reverse
,
models
.
settings
[
'dns_ttl'
]))
# PTR record 4.dns1.3.2.1.in-addr.arpa
DNS
.
append
(
"^
%
s:
%
s:
%
s"
%
(
ipv4_to_arpa
(
i_host
.
ipv4
,
cname
=
True
),
reverse
,
models
.
settings
[
'dns_ttl'
]))
DNS
.
append
(
"^
%
s:
%
s:
%
s"
%
(
ipv4_to_arpa
(
i_host
.
ipv4
,
cname
=
True
),
reverse
,
models
.
settings
[
'dns_ttl'
]))
# ipv6
if
i_host
.
ipv6
:
# AAAA record
DNS
.
append
(
":
%
s:28:
%
s:
%
s"
%
(
hostname
,
ipv6_to_octal
(
i_host
.
ipv6
),
models
.
settings
[
'dns_ttl'
]))
DNS
.
append
(
":
%
s:28:
%
s:
%
s"
%
(
hostname
,
ipv6_to_octal
(
i_host
.
ipv6
),
models
.
settings
[
'dns_ttl'
]))
# PTR record
DNS
.
append
(
"^
%
s:
%
s:
%
s"
%
(
ipv6_to_arpa
(
i_host
.
ipv6
),
reverse
,
models
.
settings
[
'dns_ttl'
]))
DNS
.
append
(
"^
%
s:
%
s:
%
s"
%
(
ipv6_to_arpa
(
i_host
.
ipv6
),
reverse
,
models
.
settings
[
'dns_ttl'
]))
# cname
for
i_alias
in
i_host
.
alias_set
.
all
():
DNS
.
append
(
"C
%
s:
%
s:
%
s"
%
(
i_alias
.
alias
,
hostname
,
models
.
settings
[
'dns_ttl'
]))
DNS
.
append
(
"C
%
s:
%
s:
%
s"
%
(
i_alias
.
alias
,
hostname
,
models
.
settings
[
'dns_ttl'
]))
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'tinydns@
%
s'
%
models
.
settings
[
'dns_hostname'
]],
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'tinydns@
%
s'
%
models
.
settings
[
'dns_hostname'
]],
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
process
.
communicate
(
"
\n
"
.
join
(
DNS
)
+
"
\n
"
)
# print "\n".join(DNS)+"\n"
...
...
@@ -390,15 +457,16 @@ def dns():
def
prefix_to_mask
(
prefix
):
t
=
[
0
,
0
,
0
,
0
]
for
i
in
range
(
0
,
4
):
if
prefix
>
i
*
8
+
7
:
if
prefix
>
i
*
8
+
7
:
t
[
i
]
=
255
elif
i
*
8
<
prefix
and
prefix
<=
(
i
+
1
)
*
8
:
t
[
i
]
=
256
-
(
2
**
((
i
+
1
)
*
8
-
prefix
))
elif
i
*
8
<
prefix
and
prefix
<=
(
i
+
1
)
*
8
:
t
[
i
]
=
256
-
(
2
**
((
i
+
1
)
*
8
-
prefix
))
return
"."
.
join
([
str
(
i
)
for
i
in
t
])
def
dhcp
():
vlans
=
models
.
Vlan
.
objects
.
all
()
regex
=
re
.
compile
(
r'^([0-9]+)\.([0-9]+)\.[0-9]+\.[0-9]+\s+([0-9]+)\.([0-9]+)\.[0-9]+\.[0-9]+$'
)
regex
=
re
.
compile
(
r'^([0-9]+)\.([0-9]+)\.[0-9]+\.[0-9]+\s+'
r'([0-9]+)\.([0-9]+)\.[0-9]+\.[0-9]+$'
)
DHCP
=
[]
# /tools/dhcp3/dhcpd.conf.generated
...
...
@@ -408,25 +476,26 @@ def dhcp():
m
=
regex
.
search
(
i_vlan
.
dhcp_pool
)
if
(
m
or
i_vlan
.
dhcp_pool
==
"manual"
):
DHCP
.
append
(
'''
#
%(name)
s -
%(interface)
s
subnet
%(net)
s netmask
%(netmask)
s {
%(extra)
s;
option domain-name "
%(domain)
s";
option routers
%(router)
s;
option domain-name-servers
%(dnsserver)
s;
option ntp-servers
%(ntp)
s;
next-server
%(tftp)
s;
authoritative;
filename
\"
pxelinux.0
\"
;
allow bootp; allow booting;
}'''
%
{
#
%(name)
s -
%(interface)
s
subnet
%(net)
s netmask
%(netmask)
s {
%(extra)
s;
option domain-name "
%(domain)
s";
option routers
%(router)
s;
option domain-name-servers
%(dnsserver)
s;
option ntp-servers
%(ntp)
s;
next-server
%(tftp)
s;
authoritative;
filename
\"
pxelinux.0
\"
;
allow bootp; allow booting;
}'''
%
{
'net'
:
i_vlan
.
net4
,
'netmask'
:
prefix_to_mask
(
i_vlan
.
prefix4
),
'domain'
:
i_vlan
.
domain
,
'router'
:
i_vlan
.
ipv4
,
'ntp'
:
i_vlan
.
ipv4
,
'dnsserver'
:
models
.
settings
[
'rdns_ip'
],
'extra'
:
"range
%
s"
%
i_vlan
.
dhcp_pool
if
m
else
"deny unknown-clients"
,
'extra'
:
"range
%
s"
%
(
i_vlan
.
dhcp_pool
if
m
else
"deny unknown-clients"
),
'interface'
:
i_vlan
.
interface
,
'name'
:
i_vlan
.
name
,
'tftp'
:
i_vlan
.
ipv4
...
...
@@ -443,7 +512,10 @@ def dhcp():
'ipv4'
:
i_host
.
ipv4
,
})
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'fw2'
,
'cat > /tools/dhcp3/dhcpd.conf.generated;sudo /etc/init.d/isc-dhcp-server restart'
],
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
process
=
subprocess
.
Popen
([
'/usr/bin/ssh'
,
'fw2'
,
'cat > /tools/dhcp3/dhcpd.conf.generated;'
'sudo /etc/init.d/isc-dhcp-server restart'
],
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
# print "\n".join(DHCP)+"\n"
process
.
communicate
(
"
\n
"
.
join
(
DHCP
)
+
"
\n
"
)
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment