Skip to content
Toggle navigation
P
Projects
G
Groups
S
Snippets
Help
Gelencsér Szabolcs
/
cloud
This project
Loading...
Sign in
Toggle navigation
Go to a project
Project
Repository
Issues
0
Merge Requests
0
Pipelines
Wiki
Members
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Commit
d936ba61
authored
Mar 22, 2014
by
Bach Dániel
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
firewall: fix ipv6 firewall
parent
df2c02ff
Hide whitespace changes
Inline
Side-by-side
Showing
4 changed files
with
24 additions
and
13 deletions
+24
-13
circle/firewall/fw.py
+4
-6
circle/firewall/iptables.py
+13
-4
circle/firewall/tasks/local_tasks.py
+2
-2
circle/firewall/templates/firewall/iptables.conf
+5
-1
No files found.
circle/firewall/fw.py
View file @
d936ba61
...
@@ -103,8 +103,6 @@ class BuildFirewall:
...
@@ -103,8 +103,6 @@ class BuildFirewall:
def
build_ipt
(
self
):
def
build_ipt
(
self
):
"""Build rules."""
"""Build rules."""
# TODO remove ipv4-specific rules
self
.
ipt_filter_firewall
()
self
.
ipt_filter_firewall
()
self
.
ipt_filter_host_rules
()
self
.
ipt_filter_host_rules
()
self
.
ipt_filter_vlan_rules
()
self
.
ipt_filter_vlan_rules
()
...
@@ -113,10 +111,10 @@ class BuildFirewall:
...
@@ -113,10 +111,10 @@ class BuildFirewall:
self
.
build_ipt_nat
()
self
.
build_ipt_nat
()
context
=
{
context
=
{
'filter'
:
(
chain
for
name
,
chain
in
self
.
chains
.
iteritems
()
'filter'
:
lambda
:
(
chain
for
name
,
chain
in
self
.
chains
.
iteritems
()
if
chain
.
name
not
in
(
'PREROUTING'
,
'POSTROUTING'
)
),
if
chain
.
name
not
in
IptChain
.
nat_chains
),
'nat'
:
(
chain
for
name
,
chain
in
self
.
chains
.
iteritems
()
'nat'
:
lambda
:
(
chain
for
name
,
chain
in
self
.
chains
.
iteritems
()
if
chain
.
name
in
(
'PREROUTING'
,
'POSTROUTING'
)
)}
if
chain
.
name
in
IptChain
.
nat_chains
)}
template
=
loader
.
get_template
(
'firewall/iptables.conf'
)
template
=
loader
.
get_template
(
'firewall/iptables.conf'
)
context
[
'proto'
]
=
'ipv4'
context
[
'proto'
]
=
'ipv4'
...
...
circle/firewall/iptables.py
View file @
d936ba61
...
@@ -15,7 +15,8 @@ class InvalidRuleExcepion(Exception):
...
@@ -15,7 +15,8 @@ class InvalidRuleExcepion(Exception):
class
IptRule
(
object
):
class
IptRule
(
object
):
def
__init__
(
self
,
priority
=
1000
,
action
=
None
,
src
=
None
,
dst
=
None
,
def
__init__
(
self
,
priority
=
1000
,
action
=
None
,
src
=
None
,
dst
=
None
,
proto
=
None
,
sport
=
None
,
dport
=
None
,
extra
=
None
):
proto
=
None
,
sport
=
None
,
dport
=
None
,
extra
=
None
,
ipv4_only
=
False
):
if
proto
not
in
[
'tcp'
,
'udp'
,
'icmp'
,
None
]:
if
proto
not
in
[
'tcp'
,
'udp'
,
'icmp'
,
None
]:
raise
InvalidRuleExcepion
()
raise
InvalidRuleExcepion
()
if
proto
not
in
[
'tcp'
,
'udp'
]
and
(
sport
is
not
None
or
if
proto
not
in
[
'tcp'
,
'udp'
]
and
(
sport
is
not
None
or
...
@@ -28,16 +29,21 @@ class IptRule(object):
...
@@ -28,16 +29,21 @@ class IptRule(object):
(
self
.
src4
,
self
.
src6
)
=
(
None
,
None
)
(
self
.
src4
,
self
.
src6
)
=
(
None
,
None
)
if
isinstance
(
src
,
tuple
):
if
isinstance
(
src
,
tuple
):
(
self
.
src4
,
self
.
src6
)
=
src
(
self
.
src4
,
self
.
src6
)
=
src
if
not
self
.
src6
:
ipv4_only
=
True
(
self
.
dst4
,
self
.
dst6
)
=
(
None
,
None
)
(
self
.
dst4
,
self
.
dst6
)
=
(
None
,
None
)
if
isinstance
(
dst
,
tuple
):
if
isinstance
(
dst
,
tuple
):
(
self
.
dst4
,
self
.
dst6
)
=
dst
(
self
.
dst4
,
self
.
dst6
)
=
dst
if
not
self
.
dst6
:
ipv4_only
=
True
self
.
proto
=
proto
self
.
proto
=
proto
self
.
sport
=
sport
self
.
sport
=
sport
self
.
dport
=
dport
self
.
dport
=
dport
self
.
extra
=
extra
self
.
extra
=
extra
self
.
ipv4_only
=
extra
and
bool
(
ipv4_re
.
search
(
extra
))
self
.
ipv4_only
=
(
ipv4_only
or
extra
is
not
None
and
bool
(
ipv4_re
.
search
(
extra
)))
def
__hash__
(
self
):
def
__hash__
(
self
):
return
hash
(
frozenset
(
self
.
__dict__
.
items
()))
return
hash
(
frozenset
(
self
.
__dict__
.
items
()))
...
@@ -69,8 +75,8 @@ class IptRule(object):
...
@@ -69,8 +75,8 @@ class IptRule(object):
class
IptChain
(
object
):
class
IptChain
(
object
):
builtin_chains
=
(
'FORWARD'
,
'INPUT'
,
'OUTPUT'
,
'PREROUTING'
,
nat_chains
=
(
'PREROUTING'
,
'POSTROUTING'
)
'POSTROUTING'
)
builtin_chains
=
(
'FORWARD'
,
'INPUT'
,
'OUTPUT'
)
+
nat_chains
def
__init__
(
self
,
name
):
def
__init__
(
self
,
name
):
self
.
rules
=
set
()
self
.
rules
=
set
()
...
@@ -98,3 +104,6 @@ class IptChain(object):
...
@@ -98,3 +104,6 @@ class IptChain(object):
return
'
\n
'
.
join
([
prefix
+
rule
.
compile
(
proto
)
return
'
\n
'
.
join
([
prefix
+
rule
.
compile
(
proto
)
for
rule
in
self
.
sort
()
for
rule
in
self
.
sort
()
if
not
(
proto
==
'ipv6'
and
rule
.
ipv4_only
)])
if
not
(
proto
==
'ipv6'
and
rule
.
ipv4_only
)])
def
compile_v6
(
self
):
return
self
.
compile
(
'ipv6'
)
circle/firewall/tasks/local_tasks.py
View file @
d936ba61
...
@@ -26,7 +26,7 @@ def _apply_once(name, queues, task, data):
...
@@ -26,7 +26,7 @@ def _apply_once(name, queues, task, data):
@celery.task
(
ignore_result
=
True
)
@celery.task
(
ignore_result
=
True
)
def
periodic_task
():
def
periodic_task
():
from
firewall.fw
import
Firewall
,
dhcp
,
dns
,
ipset
,
vlan
from
firewall.fw
import
Build
Firewall
,
dhcp
,
dns
,
ipset
,
vlan
from
remote_tasks
import
(
reload_dns
,
reload_dhcp
,
reload_firewall
,
from
remote_tasks
import
(
reload_dns
,
reload_dhcp
,
reload_firewall
,
reload_firewall_vlan
,
reload_blacklist
)
reload_firewall_vlan
,
reload_blacklist
)
...
@@ -40,7 +40,7 @@ def periodic_task():
...
@@ -40,7 +40,7 @@ def periodic_task():
_apply_once
(
'dhcp'
,
firewall_queues
,
reload_dhcp
,
_apply_once
(
'dhcp'
,
firewall_queues
,
reload_dhcp
,
lambda
:
(
dhcp
(),
))
lambda
:
(
dhcp
(),
))
_apply_once
(
'firewall'
,
firewall_queues
,
reload_firewall
,
_apply_once
(
'firewall'
,
firewall_queues
,
reload_firewall
,
lambda
:
(
Firewall
(
proto
=
4
)
.
get
(),
Firewall
(
proto
=
6
)
.
ge
t
()))
lambda
:
(
BuildFirewall
()
.
build_ip
t
()))
_apply_once
(
'firewall_vlan'
,
firewall_queues
,
reload_firewall_vlan
,
_apply_once
(
'firewall_vlan'
,
firewall_queues
,
reload_firewall_vlan
,
lambda
:
(
vlan
(),
))
lambda
:
(
vlan
(),
))
_apply_once
(
'blacklist'
,
firewall_queues
,
reload_blacklist
,
_apply_once
(
'blacklist'
,
firewall_queues
,
reload_blacklist
,
...
...
circle/firewall/templates/firewall/iptables.conf
View file @
d936ba61
{%
if
nat
%}
{%
if
proto
==
"ipv4"
%}
*
nat
*
nat
:
PREROUTING
ACCEPT
[
0
:
0
]
:
PREROUTING
ACCEPT
[
0
:
0
]
:
INPUT
ACCEPT
[
0
:
0
]
:
INPUT
ACCEPT
[
0
:
0
]
...
@@ -45,7 +45,11 @@ COMMIT
...
@@ -45,7 +45,11 @@ COMMIT
{%
for
chain
in
filter
%}
{%
for
chain
in
filter
%}
{%
if
chain
.
name
not
in
chain
.
builtin_chains
%}-
N
{{
chain
.
name
}}{%
endif
%}
{%
if
chain
.
name
not
in
chain
.
builtin_chains
%}-
N
{{
chain
.
name
}}{%
endif
%}
{%
if
proto
==
"ipv4"
%}
{{
chain
.
compile
}}
{{
chain
.
compile
}}
{%
else
%}
{{
chain
.
compile_v6
}}
{%
endif
%}
{%
endfor
%}
{%
endfor
%}
# close all chains
# close all chains
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment