Commit 551b4fdf by Bach Dániel

firewall: replace rule.accept with rule.action

parent 1d9db1cf
...@@ -52,9 +52,9 @@ class VlanAdmin(admin.ModelAdmin): ...@@ -52,9 +52,9 @@ class VlanAdmin(admin.ModelAdmin):
class RuleAdmin(admin.ModelAdmin): class RuleAdmin(admin.ModelAdmin):
list_display = ('r_type', 'color_desc', 'owner', 'extra', 'direction', list_display = ('r_type', 'color_desc', 'owner', 'extra', 'direction',
'accept', 'proto', 'sport', 'dport', 'nat', 'action', 'proto', 'sport', 'dport', 'nat',
'nat_external_port', 'used_in') 'nat_external_port', 'used_in')
list_filter = ('vlan', 'owner', 'direction', 'accept', list_filter = ('vlan', 'owner', 'direction', 'action',
'proto', 'nat') 'proto', 'nat')
def color_desc(self, instance): def color_desc(self, instance):
......
...@@ -16,7 +16,7 @@ class IptRule(object): ...@@ -16,7 +16,7 @@ class IptRule(object):
def __init__(self, priority=1000, action=None, src=None, dst=None, def __init__(self, priority=1000, action=None, src=None, dst=None,
proto=None, sport=None, dport=None, extra=None, proto=None, sport=None, dport=None, extra=None,
ipv4_only=False): ipv4_only=False, ignored=False):
if proto not in ['tcp', 'udp', 'icmp', None]: if proto not in ['tcp', 'udp', 'icmp', None]:
raise InvalidRuleExcepion() raise InvalidRuleExcepion()
if proto not in ['tcp', 'udp'] and (sport is not None or if proto not in ['tcp', 'udp'] and (sport is not None or
...@@ -44,6 +44,7 @@ class IptRule(object): ...@@ -44,6 +44,7 @@ class IptRule(object):
self.extra = extra self.extra = extra
self.ipv4_only = (ipv4_only or self.ipv4_only = (ipv4_only or
extra is not None and bool(ipv4_re.search(extra))) extra is not None and bool(ipv4_re.search(extra)))
self.ignored = ignored
def __hash__(self): def __hash__(self):
return hash(frozenset(self.__dict__.items())) return hash(frozenset(self.__dict__.items()))
...@@ -71,6 +72,8 @@ class IptRule(object): ...@@ -71,6 +72,8 @@ class IptRule(object):
params = [opts[param] % getattr(self, param) params = [opts[param] % getattr(self, param)
for param in opts for param in opts
if getattr(self, param) is not None] if getattr(self, param) is not None]
if self.ignored:
params.insert(0, '# ')
return ' '.join(params) return ' '.join(params)
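Review bot: An ignored rule is still rendered, only prefixed with `'# '`, so whether it is really inert depends on the consumer treating `#` lines as comments (true if the output goes through iptables-restore, not if the lines are run through the `iptables` binary directly) — a one-line comment stating that assumption above the `if self.ignored:` branch would help. Because the prefix is inserted into `params` and then joined with a space, the result starts with `#  -d ...` (two spaces); `return ('# ' if self.ignored else '') + ' '.join(params)` avoids that. Note that `extra` is "passed literally" and comes from a TextField, so a value containing a newline would leave everything after the first line uncommented; either drop ignored rules at the collection point instead of emitting them, or reject newlines in `extra`. `compile`'s signature and the `opts` table lie outside the hunk.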
......
...@@ -37,7 +37,9 @@ class Rule(models.Model): ...@@ -37,7 +37,9 @@ class Rule(models.Model):
CHOICES_type = (('host', 'host'), ('firewall', 'firewall'), CHOICES_type = (('host', 'host'), ('firewall', 'firewall'),
('vlan', 'vlan')) ('vlan', 'vlan'))
CHOICES_proto = (('tcp', 'tcp'), ('udp', 'udp'), ('icmp', 'icmp')) CHOICES_proto = (('tcp', 'tcp'), ('udp', 'udp'), ('icmp', 'icmp'))
CHOICES_dir = (('out', 'out'), ('in', 'in')) CHOICES_dir = (('out', _('out')), ('in', _('in')))
CHOICES_action = (('accept', _('accept')), ('drop', _('drop')),
('ignore', _('ignore')))
direction = models.CharField(max_length=3, choices=CHOICES_dir, direction = models.CharField(max_length=3, choices=CHOICES_dir,
blank=False, verbose_name=_("direction"), blank=False, verbose_name=_("direction"),
...@@ -70,9 +72,10 @@ class Rule(models.Model): ...@@ -70,9 +72,10 @@ class Rule(models.Model):
extra = models.TextField(blank=True, verbose_name=_("extra arguments"), extra = models.TextField(blank=True, verbose_name=_("extra arguments"),
help_text=_("Additional arguments passed " help_text=_("Additional arguments passed "
"literally to the iptables-rule.")) "literally to the iptables-rule."))
accept = models.BooleanField(default=True, verbose_name=_("accept"), action = models.CharField(max_length=10, choices=CHOICES_action,
help_text=_("Accept the matching packets " default='drop', verbose_name=_('action'),
"(or deny if not checked).")) help_text=_("Accept, drop or ignore the "
"matching packets."))
owner = models.ForeignKey(User, blank=True, null=True, owner = models.ForeignKey(User, blank=True, null=True,
verbose_name=_("owner"), verbose_name=_("owner"),
help_text=_("The user responsible for " help_text=_("The user responsible for "
...@@ -179,7 +182,7 @@ class Rule(models.Model): ...@@ -179,7 +182,7 @@ class Rule(models.Model):
def get_ipt_rules(self, host=None): def get_ipt_rules(self, host=None):
# action # action
action = 'LOG_ACC' if self.accept else 'LOG_DROP' action = 'LOG_ACC' if self.action == 'accept' else 'LOG_DROP'
# src and dst addresses # src and dst addresses
src = None src = None
...@@ -207,7 +210,8 @@ class Rule(models.Model): ...@@ -207,7 +210,8 @@ class Rule(models.Model):
for foreign_vlan in self.foreign_network.vlans.all(): for foreign_vlan in self.foreign_network.vlans.all():
r = IptRule(priority=self.weight, action=action, r = IptRule(priority=self.weight, action=action,
proto=self.proto, extra=self.extra, proto=self.proto, extra=self.extra,
src=src, dst=dst, dport=dport, sport=sport) src=src, dst=dst, dport=dport, sport=sport,
ignored=(self.action == 'ignore'))
# host, hostgroup or vlan rule # host, hostgroup or vlan rule
if host or self.vlan_id: if host or self.vlan_id:
local_vlan = host.vlan.name if host else self.vlan.name local_vlan = host.vlan.name if host else self.vlan.name
...@@ -646,7 +650,7 @@ class Host(models.Model): ...@@ -646,7 +650,7 @@ class Host(models.Model):
vgname, unicode(e)) vgname, unicode(e))
else: else:
rule = Rule(direction='in', owner=self.owner, dport=private, rule = Rule(direction='in', owner=self.owner, dport=private,
proto=proto, nat=False, accept=True, proto=proto, nat=False, action='accept',
host=self, foreign_network=vg) host=self, foreign_network=vg)
if self.behind_nat: if self.behind_nat:
if public < 1024: if public < 1024:
...@@ -735,7 +739,7 @@ class Host(models.Model): ...@@ -735,7 +739,7 @@ class Host(models.Model):
""" """
endpoints = {} endpoints = {}
# IPv4 # IPv4
ports = self.incoming_rules.filter(accept=True, dport=port, ports = self.incoming_rules.filter(action='accept', dport=port,
proto=protocol) proto=protocol)
public_port = (ports[0].get_external_port(proto='ipv4') public_port = (ports[0].get_external_port(proto='ipv4')
if ports.exists() else None) if ports.exists() else None)
...@@ -743,8 +747,8 @@ class Host(models.Model): ...@@ -743,8 +747,8 @@ class Host(models.Model):
if public_port else if public_port else
None) None)
# IPv6 # IPv6
blocked = self.incoming_rules.filter(accept=False, dport=port, blocked = self.incoming_rules.exclude(
proto=protocol).exists() action='accept').filter(dport=port, proto=protocol).exists()
endpoints['ipv6'] = (self.ipv6, port) if not blocked else None endpoints['ipv6'] = (self.ipv6, port) if not blocked else None
return endpoints return endpoints
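Review bot: In the last hunk, the IPv6 branch now counts an `ignore` rule as blocking (`exclude(action='accept')`), while `get_ipt_rules` emits that same rule commented out, so the firewall does not actually drop the traffic and the reported endpoint disagrees with what is enforced; `blocked = self.incoming_rules.filter(action='drop', dport=port, proto=protocol).exists()` matches the enforced state. The `action` mapping in `get_ipt_rules` sends every non-`accept` value, including anything written to the column outside the form path, to `LOG_DROP`, which is the right fail-closed choice and deserves a comment such as `# anything but an explicit accept is dropped; 'ignore' rules are emitted commented out`. The new field defaults to `'drop'` whereas `accept` defaulted to True, and no data migration converting existing rows appears in this diff — please confirm one exists. `get_public_endpoints` starts before the hunk.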
......
...@@ -140,6 +140,9 @@ class IptablesTestCase(TestCase): ...@@ -140,6 +140,9 @@ class IptablesTestCase(TestCase):
IptRule(priority=2, action='ACCEPT', IptRule(priority=2, action='ACCEPT',
dst=('127.0.0.2', None), dst=('127.0.0.2', None),
proto='icmp'), proto='icmp'),
IptRule(priority=10, action='ACCEPT',
dst=('127.0.0.10', None),
proto='icmp', ignored=True),
IptRule(priority=6, action='ACCEPT', IptRule(priority=6, action='ACCEPT',
dst=('127.0.0.6', None), dst=('127.0.0.6', None),
proto='tcp', dport='1337')] proto='tcp', dport='1337')]
...@@ -154,6 +157,9 @@ class IptablesTestCase(TestCase): ...@@ -154,6 +157,9 @@ class IptablesTestCase(TestCase):
self.assertEqual(self.r[5].compile(), self.assertEqual(self.r[5].compile(),
'-d 127.0.0.5 -p tcp --dport 443 -g ACCEPT') '-d 127.0.0.5 -p tcp --dport 443 -g ACCEPT')
def test_ignored_rule_compile_ok(self):
assert self.r[7].compile().startswith('# ')
def test_rule_compile_fail(self): def test_rule_compile_fail(self):
self.assertRaises(InvalidRuleExcepion, self.assertRaises(InvalidRuleExcepion,
IptRule, **{'proto': 'test'}) IptRule, **{'proto': 'test'})
...@@ -194,11 +200,11 @@ class ReloadTestCase(TestCase): ...@@ -194,11 +200,11 @@ class ReloadTestCase(TestCase):
vlg = VlanGroup.objects.create(name='public') vlg = VlanGroup.objects.create(name='public')
vlg.vlans.add(self.vlan, self.vlan2) vlg.vlans.add(self.vlan, self.vlan2)
self.hg = Group.objects.create(name='netezhet') self.hg = Group.objects.create(name='netezhet')
Rule.objects.create(accept=True, hostgroup=self.hg, Rule.objects.create(action='accept', hostgroup=self.hg,
foreign_network=vlg) foreign_network=vlg)
firewall = Firewall.objects.create(name='fw') firewall = Firewall.objects.create(name='fw')
Rule.objects.create(accept=True, firewall=firewall, Rule.objects.create(action='accept', firewall=firewall,
foreign_network=vlg) foreign_network=vlg)
for i in range(1, 6): for i in range(1, 6):
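Review bot: `test_ignored_rule_compile_ok` only checks that the output begins with `'# '` and uses a bare `assert`, unlike the `assertEqual` style of the surrounding tests; pin the full string the firewall will consume instead, e.g. `self.assertEqual(self.r[7].compile(), '#  -d 127.0.0.10 -p icmp -g ACCEPT')` (the double space follows from inserting `'# '` into the joined list — confirm against the actual output). The `self.r[7]` index also depends on the new fixture's position in the list, so a short comment on that fixture marking it as the ignored rule would make the test easier to keep correct. The fixture list and `setUp` start outside the hunk.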
......
...@@ -162,9 +162,10 @@ class RuleForm(ModelForm): ...@@ -162,9 +162,10 @@ class RuleForm(ModelForm):
'foreign_network', 'foreign_network',
'dport', 'dport',
'sport', 'sport',
'weight',
'proto', 'proto',
'extra', 'extra',
'accept', 'action',
'owner', 'owner',
'nat', 'nat',
'nat_external_port', 'nat_external_port',
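Review bot: The added `'weight'` form field is not mentioned in the commit message and goes beyond the accept→action rename; `weight` becomes the `IptRule` priority (`priority=self.weight` in the models hunk), so anyone who can submit `RuleForm` can now order their rule ahead of other rules. If this form is reachable by non-staff users, consider keeping `weight` admin-only or validating it against a per-user bound; otherwise a sentence in the commit message explaining why it is exposed would do. The `Meta.fields` tuple begins before the hunk.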
......
...@@ -128,7 +128,7 @@ class RuleTable(Table): ...@@ -128,7 +128,7 @@ class RuleTable(Table):
model = Rule model = Rule
attrs = {'class': 'table table-striped table-hover table-condensed'} attrs = {'class': 'table table-striped table-hover table-condensed'}
fields = ('r_type', 'color_desc', 'owner', 'extra', 'direction', fields = ('r_type', 'color_desc', 'owner', 'extra', 'direction',
'accept', 'proto', 'sport', 'dport', 'nat', 'action', 'proto', 'sport', 'dport', 'nat',
'nat_external_port', ) 'nat_external_port', )
order_by = 'direction' order_by = 'direction'
......