Commit
d447b954
authored
May 01, 2013
by
Valentin Samir
[firewall4] Methode séparée pour les blacklist upload
parent
5e8c54a0
Showing
1 changed file
with
44 additions
and
23 deletions
+44
-23
gestion/gen_confs/firewall4.py
gestion/gen_confs/firewall4.py
+44
-23
gestion/gen_confs/firewall4.py
...
...
@@ -479,13 +479,14 @@ class firewall_komaz(firewall_base_routeur):
'connexion_secours'
:
self
.
connexion_secours
,
'connexion_appartement'
:
self
.
connexion_appartement
,
'blacklist_soft'
:
self
.
blacklist_soft
,
'blacklist_upload'
:
self
.
blacklist_upload
,
'reseaux_non_routable'
:
self
.
reseaux_non_routable
,
'filtrage_ports'
:
self
.
filtrage_ports
,
'limitation_debit'
:
self
.
limitation_debit
,
'limit_ssh_connexion'
:
self
.
limit_ssh_connexion
,
})
self
.
use_ipset
.
extend
([
self
.
blacklist_soft
,
self
.
reseaux_non_routable
])
self
.
use_ipset
.
extend
([
self
.
blacklist_soft
,
self
.
blacklist_upload
,
self
.
reseaux_non_routable
])
self
.
use_tc
.
extend
([
self
.
limitation_debit
])
self
.
ipset
[
'reseaux_non_routable'
]
=
{
...
...
@@ -518,6 +519,7 @@ class firewall_komaz(firewall_base_routeur):
chain
=
'POSTROUTING'
self
.
add
(
table
,
chain
,
'-j %s'
%
self
.
clamp_mss
(
table
))
self
.
add
(
table
,
chain
,
'-j %s'
%
self
.
limitation_debit
(
table
,
run_tc
=
True
))
self
.
add
(
table
,
chain
,
'-j %s'
%
self
.
blacklist_upload
(
table
,
fill_ipset
=
True
))
return
def
filter_table
(
self
):
...
...
@@ -720,15 +722,6 @@ class firewall_komaz(firewall_base_routeur):
try
:
self
.
ipset
[
'blacklist'
][
'soft'
].
delete
(
ip
)
except
IpsetError
:
pass
# Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
if
machine
and
set
([
bl
.
value
[
'type'
]
for
bl
in
machine
[
0
].
blacklist_actif
()
]).
intersection
(
blacklist_bridage_upload
):
try
:
self
.
ipset
[
'blacklist'
][
'upload'
].
add
(
ip
)
except
IpsetError
:
pass
else
:
try
:
self
.
ipset
[
'blacklist'
][
'upload'
].
delete
(
ip
)
except
IpsetError
:
pass
def
blacklist_soft
(
self
,
table
=
None
,
fill_ipset
=
False
,
apply
=
False
):
"""Redirige les gens blacklisté vers le portail captif"""
chain
=
'BLACKLIST_SOFT'
...
...
@@ -745,17 +738,7 @@ class firewall_komaz(firewall_base_routeur):
for
ip
in
ips
)
bl_upload_ips
=
set
(
str
(
ip
)
for
ips
in
[
machine
[
'ipHostNumber'
]
for
machine
in
self
.
blacklisted_machines
()
if
set
([
bl
.
value
[
'type'
]
for
bl
in
machine
.
blacklist_actif
()
]).
intersection
(
blacklist_bridage_upload
)
]
for
ip
in
ips
)
self
.
ipset
[
'blacklist'
][
'soft'
].
restore
(
bl_soft_ips
)
self
.
ipset
[
'blacklist'
][
'upload'
].
restore
(
bl_upload_ips
)
print
OK
if
table
==
'mangle'
:
...
...
@@ -783,6 +766,47 @@ class firewall_komaz(firewall_base_routeur):
self
.
apply
(
table
,
chain
)
return
chain
def
blacklist_upload_maj
(
self
,
ip_list
):
for
ip
in
ip_list
:
machine
=
conn
.
search
(
"ipHostNumber=%s"
%
ip
)
# Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
if
machine
and
set
([
bl
.
value
[
'type'
]
for
bl
in
machine
[
0
].
blacklist_actif
()
]).
intersection
(
blacklist_bridage_upload
):
try
:
self
.
ipset
[
'blacklist'
][
'upload'
].
add
(
ip
)
except
IpsetError
:
pass
else
:
try
:
self
.
ipset
[
'blacklist'
][
'upload'
].
delete
(
ip
)
except
IpsetError
:
pass
def
blacklist_upload
(
self
,
table
=
None
,
fill_ipset
=
False
,
apply
=
False
):
"""Redirige les gens blacklisté vers le portail captif"""
chain
=
'BLACKLIST_UPLOAD'
if
fill_ipset
:
anim
(
'
\t
Restoration de l
\'
ipset %s'
%
self
.
ipset
[
'blacklist'
][
'upload'
])
# On récupère la liste de toutes les ips blacklistés pour upload
bl_upload_ips
=
set
(
str
(
ip
)
for
ips
in
[
machine
[
'ipHostNumber'
]
for
machine
in
self
.
blacklisted_machines
()
if
set
([
bl
.
value
[
'type'
]
for
bl
in
machine
.
blacklist_actif
()
]).
intersection
(
blacklist_bridage_upload
)
]
for
ip
in
ips
)
self
.
ipset
[
'blacklist'
][
'upload'
].
restore
(
bl_upload_ips
)
print
OK
if
table
==
'mangle'
:
pretty_print
(
table
,
chain
)
# Classification pour les blacklists upload
self
.
add
(
table
,
chain
,
'-o %s -m set --match-set %s src -j CLASSIFY --set-class 1:11'
%
(
dev
[
'out'
],
self
.
ipset
[
'blacklist'
][
'upload'
]))
print
OK
if
apply
:
self
.
apply
(
table
,
chain
)
return
chain
def
reseaux_non_routable
(
self
,
table
=
None
,
fill_ipset
=
False
,
apply
=
False
):
"""Bloque les réseaux non routables autres que ceux utilisés par le crans"""
chain
=
'RESEAUX_NON_ROUTABLES'
...
...
@@ -891,9 +915,6 @@ class firewall_komaz(firewall_base_routeur):
self
.
add
(
table
,
chain
,
'-o %s -d %s -j CLASSIFY --set-class 1:3'
%
(
dev
[
'app'
],
net
))
self
.
add
(
table
,
chain
,
'-o %s -s %s -j CLASSIFY --set-class 1:2'
%
(
dev
[
'out'
],
net
))
# Classification pour les blacklists upload
self
.
add
(
table
,
chain
,
'-o %s -m set --match-set %s src -j CLASSIFY --set-class 1:11'
%
(
dev
[
'out'
],
self
.
ipset
[
'blacklist'
][
'upload'
]))
# Classification pour la voip
self
.
add
(
table
,
chain
,
'-d sip.crans.org -j CLASSIFY --set-class 1:12'
)
self
.
add
(
table
,
chain
,
'-s sip.crans.org -j CLASSIFY --set-class 1:12'
)
...
...
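Review bot: The docstring on the new `blacklist_upload` method is copied from `blacklist_soft` and describes a captive-portal redirect, while the method actually restores the `blacklist`/`upload` ipset and adds a `-m set --match-set ... -j CLASSIFY --set-class 1:11` rule on the mangle table; replace it with `"""Classify outgoing traffic of machines blacklisted for upload (ipset blacklist/upload) into class 1:11."""`. `blacklist_upload_maj` has no docstring at all; one sentence stating that it re-evaluates each address in `ip_list` against `blacklist_bridage_upload` and adds it to or removes it from the upload ipset would do. In that same method each `except IpsetError: pass` hides a failed `add`, so a machine that should be throttled can silently stay unthrottled — logging the exception there would make such drift visible (the older soft-blacklist code shows the same pattern, so this mirrors existing style rather than introducing it). The `conn.search("ipHostNumber=%s" % ip)` call builds the LDAP filter by string interpolation; if `ip_list` can ever carry values that are not already validated addresses, the value should be escaped for LDAP filter syntax before use. This page has lost its +/- markers, so which lines are additions is inferred from the commit message; `reseaux_non_routable` continues past the end of the hunk.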