Commit d447b954 authored by Valentin Samir's avatar Valentin Samir

[firewall4] Methode séparée pour les blacklist upload

parent 5e8c54a0
......@@ -479,13 +479,14 @@ class firewall_komaz(firewall_base_routeur):
'connexion_secours' : self.connexion_secours,
'connexion_appartement' : self.connexion_appartement,
'blacklist_soft' : self.blacklist_soft,
'blacklist_upload' : self.blacklist_upload,
'reseaux_non_routable' : self.reseaux_non_routable,
'filtrage_ports' : self.filtrage_ports,
'limitation_debit' : self.limitation_debit,
'limit_ssh_connexion' : self.limit_ssh_connexion,
})
self.use_ipset.extend([self.blacklist_soft, self.reseaux_non_routable])
self.use_ipset.extend([self.blacklist_soft, self.blacklist_upload, self.reseaux_non_routable])
self.use_tc.extend([self.limitation_debit])
self.ipset['reseaux_non_routable'] = {
......@@ -518,6 +519,7 @@ class firewall_komaz(firewall_base_routeur):
chain = 'POSTROUTING'
self.add(table, chain, '-j %s' % self.clamp_mss(table))
self.add(table,chain, '-j %s' % self.limitation_debit(table, run_tc=True))
self.add(table, chain, '-j %s' % self.blacklist_upload(table, fill_ipset=True))
return
def filter_table(self):
......@@ -720,15 +722,6 @@ class firewall_komaz(firewall_base_routeur):
try: self.ipset['blacklist']['soft'].delete(ip)
except IpsetError: pass
# Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
try: self.ipset['blacklist']['upload'].add(ip)
except IpsetError: pass
else:
try: self.ipset['blacklist']['upload'].delete(ip)
except IpsetError: pass
def blacklist_soft(self, table=None, fill_ipset=False, apply=False):
"""Redirige les gens blacklisté vers le portail captif"""
chain = 'BLACKLIST_SOFT'
......@@ -745,17 +738,7 @@ class firewall_komaz(firewall_base_routeur):
for ip in ips
)
bl_upload_ips = set(
str(ip) for ips in
[
machine['ipHostNumber'] for machine in self.blacklisted_machines()
if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(blacklist_bridage_upload)
]
for ip in ips
)
self.ipset['blacklist']['soft'].restore(bl_soft_ips)
self.ipset['blacklist']['upload'].restore(bl_upload_ips)
print OK
if table == 'mangle':
......@@ -783,6 +766,47 @@ class firewall_komaz(firewall_base_routeur):
self.apply(table, chain)
return chain
def blacklist_upload_maj(self, ip_list):
for ip in ip_list:
machine = conn.search("ipHostNumber=%s" % ip)
# Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
try: self.ipset['blacklist']['upload'].add(ip)
except IpsetError: pass
else:
try: self.ipset['blacklist']['upload'].delete(ip)
except IpsetError: pass
def blacklist_upload(self, table=None, fill_ipset=False, apply=False):
"""Redirige les gens blacklisté vers le portail captif"""
chain = 'BLACKLIST_UPLOAD'
if fill_ipset:
anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['upload'])
# On récupère la liste de toutes les ips blacklistés pour upload
bl_upload_ips = set(
str(ip) for ips in
[
machine['ipHostNumber'] for machine in self.blacklisted_machines()
if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(blacklist_bridage_upload)
]
for ip in ips
)
self.ipset['blacklist']['upload'].restore(bl_upload_ips)
print OK
if table == 'mangle':
pretty_print(table, chain)
# Classification pour les blacklists upload
self.add(table, chain, '-o %s -m set --match-set %s src -j CLASSIFY --set-class 1:11' % (dev['out'], self.ipset['blacklist']['upload']))
print OK
if apply:
self.apply(table, chain)
return chain
def reseaux_non_routable(self, table=None, fill_ipset=False, apply=False):
"""Bloque les réseaux non routables autres que ceux utilisés par le crans"""
chain = 'RESEAUX_NON_ROUTABLES'
......@@ -891,9 +915,6 @@ class firewall_komaz(firewall_base_routeur):
self.add(table, chain, '-o %s -d %s -j CLASSIFY --set-class 1:3' % (dev['app'], net))
self.add(table, chain, '-o %s -s %s -j CLASSIFY --set-class 1:2' % (dev['out'], net))
# Classification pour les blacklists upload
self.add(table, chain, '-o %s -m set --match-set %s src -j CLASSIFY --set-class 1:11' % (dev['out'], self.ipset['blacklist']['upload']))
# Classification pour la voip
self.add(table, chain, '-d sip.crans.org -j CLASSIFY --set-class 1:12')
self.add(table, chain, '-s sip.crans.org -j CLASSIFY --set-class 1:12')
......
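Review bot: In `blacklist_upload_maj` the LDAP filter `"ipHostNumber=%s" % ip` is assembled by plain string interpolation, so any entry of `ip_list` that is not a bare address literal can change the meaning of the search; the pattern was already present in the removed code, but it now lives in a new method whose callers are not in this diff, so each entry should be validated as an IP address before the search (or escaped per RFC 4515), e.g. skipping, with a logged warning, anything `socket.inet_pton` rejects instead of passing it through. The docstring on `blacklist_upload` is copied from `blacklist_soft` ("Redirige les gens blacklisté vers le portail captif") but this chain never redirects anything: it only CLASSIFYs traffic from the upload ipset into class 1:11 on `dev['out']` in the mangle table, so suggest `"""Classify upload traffic from machines with an upload blacklist into tc class 1:11 (mangle table only)."""`. Because the incremental upload-ipset maintenance was removed from the method above the third hunk (its start is outside the hunk), whatever drives that method must now also call `blacklist_upload_maj`, otherwise the upload ipset is only refreshed on a full `fill_ipset` restore; please confirm that dispatch was updated, since it is not visible here.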