Commit 68b9fe68 by Bach Dániel

firewall: ignore unmanaged vlans

parent 47a01c9a
......@@ -319,7 +319,8 @@ def dhcp():
def vlan():
obj = Vlan.objects.values('vid', 'name', 'network4', 'network6')
obj = Vlan.objects.filter(managed=True).values(
'vid', 'name', 'network4', 'network6')
retval = {x['name']: {'tag': x['vid'],
'type': 'internal',
'interfaces': [x['name']],
......
......@@ -189,19 +189,31 @@ class Rule(models.Model):
def get_absolute_url(self):
return ('network.rule', None, {'pk': self.pk})
@staticmethod
def get_chain_name(local, remote, direction):
if direction == 'in':
# remote -> local
return '%s_%s' % (remote, local)
def get_chain_name(self, local, remote):
if local: # host or vlan
if self.direction == 'in':
# remote -> local
return '%s_%s' % (remote.name, local.name)
else:
# local -> remote
return '%s_%s' % (local.name, remote.name)
# firewall rule
elif self.firewall_id:
return 'INPUT' if self.direction == 'in' else 'OUTPUT'
def get_dport_sport(self):
if self.direction == 'in':
return self.dport, self.sport
else:
# local -> remote
return '%s_%s' % (local, remote)
return self.sport, self.dport
def get_ipt_rules(self, host=None):
# action
action = 'LOG_ACC' if self.action == 'accept' else 'LOG_DROP'
# 'chain_name': rule dict
retval = {}
# src and dst addresses
src = None
dst = None
......@@ -212,34 +224,28 @@ class Rule(models.Model):
dst = ip
else:
src = ip
# src and dst ports
if self.direction == 'in':
dport = self.dport
sport = self.sport
vlan = host.vlan
elif self.vlan_id:
vlan = self.vlan
else:
dport = self.sport
sport = self.dport
vlan = None
# 'chain_name': rule dict
retval = {}
if vlan and not vlan.managed:
return retval
# src and dst ports
dport, sport = self.get_dport_sport()
# process foreign vlans
for foreign_vlan in self.foreign_network.vlans.all():
if not foreign_vlan.managed:
continue
r = IptRule(priority=self.weight, action=action,
proto=self.proto, extra=self.extra,
comment='Rule #%s' % self.pk,
src=src, dst=dst, dport=dport, sport=sport)
# host, hostgroup or vlan rule
if host or self.vlan_id:
local_vlan = host.vlan.name if host else self.vlan.name
chain_name = Rule.get_chain_name(local=local_vlan,
remote=foreign_vlan.name,
direction=self.direction)
# firewall rule
elif self.firewall_id:
chain_name = 'INPUT' if self.direction == 'in' else 'OUTPUT'
chain_name = self.get_chain_name(local=vlan, remote=foreign_vlan)
retval[chain_name] = r
return retval
......
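Review bot: `get_chain_name` in the first hunk falls through and returns `None` when `local` is falsy and `self.firewall_id` is unset, and `get_ipt_rules` in the second hunk then stores the rule under that `None` key at `retval[chain_name] = r` instead of failing, whereas the removed code left `chain_name` unbound and raised in the same situation. For a firewall rule generator that case is better failed loudly than keyed silently: after `chain_name = self.get_chain_name(local=vlan, remote=foreign_vlan)` add `if chain_name is None:` / `raise ValueError('Rule #%s has neither a local vlan nor a firewall' % self.pk)`. As a style point, the `managed` test on foreign vlans could move into the query, `for foreign_vlan in self.foreign_network.vlans.filter(managed=True):`, which drops the in-loop `continue` and matches the `filter(managed=True)` used in `vlan()`. `get_ipt_rules` begins in the first hunk and its body is split across both; whether a hostgroup rule can reach it without a host (the path that yields `vlan = None`) is not visible here.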