[firewall4] Methode séparée pour les blacklist upload

d447b954 · Valentin Samir · 5e8c54a0 · d447b954
Commit d447b954 authored May 01, 2013 by Valentin Samir
--- a/gestion/gen_confs/firewall4.py
+++ b/gestion/gen_confs/firewall4.py
@@ -479,13 +479,14 @@ class firewall_komaz(firewall_base_routeur):
            'connexion_secours' : self.connexion_secours,
            'connexion_appartement' : self.connexion_appartement,
            'blacklist_soft' : self.blacklist_soft,
+            'blacklist_upload' : self.blacklist_upload,
            'reseaux_non_routable' : self.reseaux_non_routable,
            'filtrage_ports' : self.filtrage_ports,
            'limitation_debit' : self.limitation_debit,
            'limit_ssh_connexion' : self.limit_ssh_connexion,
        })

-        self.use_ipset.extend([self.blacklist_soft, self.reseaux_non_routable])
+        self.use_ipset.extend([self.blacklist_soft, self.blacklist_upload, self.reseaux_non_routable])
        self.use_tc.extend([self.limitation_debit])

        self.ipset['reseaux_non_routable'] = {
@@ -518,6 +519,7 @@ class firewall_komaz(firewall_base_routeur):
        chain = 'POSTROUTING'
        self.add(table, chain, '-j %s' % self.clamp_mss(table))
        self.add(table,chain, '-j %s' % self.limitation_debit(table, run_tc=True))
+        self.add(table, chain, '-j %s' % self.blacklist_upload(table, fill_ipset=True))
        return

    def filter_table(self):
@@ -720,15 +722,6 @@ class firewall_komaz(firewall_base_routeur):
                try: self.ipset['blacklist']['soft'].delete(ip)
                except IpsetError: pass

-            # Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
-            if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
-                try: self.ipset['blacklist']['upload'].add(ip)
-                except IpsetError: pass
-            else:
-                try: self.ipset['blacklist']['upload'].delete(ip)
-                except IpsetError: pass
-
-
    def blacklist_soft(self, table=None, fill_ipset=False, apply=False):
        """Redirige les gens blacklisté vers le portail captif"""
        chain = 'BLACKLIST_SOFT'
@@ -745,17 +738,7 @@ class firewall_komaz(firewall_base_routeur):
                for ip in ips
            )

-            bl_upload_ips = set(
-                str(ip) for ips in
-                [
-                    machine['ipHostNumber'] for machine in self.blacklisted_machines()
-                    if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(blacklist_bridage_upload)
-                ]
-                for ip in ips
-            )
-
            self.ipset['blacklist']['soft'].restore(bl_soft_ips)
-            self.ipset['blacklist']['upload'].restore(bl_upload_ips)
            print OK

        if table == 'mangle':
@@ -783,6 +766,47 @@ class firewall_komaz(firewall_base_routeur):
            self.apply(table, chain)
        return chain

+    def blacklist_upload_maj(self, ip_list):
+        for ip in ip_list:
+            machine = conn.search("ipHostNumber=%s" % ip)
+            # Est-ce qu'il y a des blacklists pour upload parmis les blacklists de la machine
+            if machine and set([bl.value['type'] for bl in machine[0].blacklist_actif() ]).intersection(blacklist_bridage_upload):
+                try: self.ipset['blacklist']['upload'].add(ip)
+                except IpsetError: pass
+            else:
+                try: self.ipset['blacklist']['upload'].delete(ip)
+                except IpsetError: pass
+
+    def blacklist_upload(self, table=None, fill_ipset=False, apply=False):
+        """Redirige les gens blacklisté vers le portail captif"""
+        chain = 'BLACKLIST_UPLOAD'
+
+        if fill_ipset:
+            anim('\tRestoration de l\'ipset %s' % self.ipset['blacklist']['upload'])
+            # On récupère la liste de toutes les ips blacklistés pour upload
+            bl_upload_ips = set(
+                str(ip) for ips in
+                [
+                    machine['ipHostNumber'] for machine in self.blacklisted_machines()
+                    if set([bl.value['type'] for bl in machine.blacklist_actif() ]).intersection(blacklist_bridage_upload)
+                ]
+                for ip in ips
+            )
+
+            self.ipset['blacklist']['upload'].restore(bl_upload_ips)
+            print OK
+
+        if table == 'mangle':
+            pretty_print(table, chain)
+            # Classification pour les blacklists upload
+            self.add(table, chain, '-o %s -m set --match-set %s src -j CLASSIFY --set-class 1:11' % (dev['out'], self.ipset['blacklist']['upload']))
+
+            print OK
+
+        if apply:
+            self.apply(table, chain)
+        return chain
+
    def reseaux_non_routable(self, table=None, fill_ipset=False, apply=False):
        """Bloque les réseaux non routables autres que ceux utilisés par le crans"""
        chain = 'RESEAUX_NON_ROUTABLES'
@@ -891,9 +915,6 @@ class firewall_komaz(firewall_base_routeur):
                self.add(table, chain, '-o %s -d %s -j CLASSIFY --set-class 1:3' % (dev['app'], net))
                self.add(table, chain, '-o %s -s %s -j CLASSIFY --set-class 1:2' % (dev['out'], net))

-            # Classification pour les blacklists upload
-            self.add(table, chain, '-o %s -m set --match-set %s src -j CLASSIFY --set-class 1:11' % (dev['out'], self.ipset['blacklist']['upload']))
-
            # Classification pour la voip
            self.add(table, chain, '-d sip.crans.org -j CLASSIFY --set-class 1:12')
            self.add(table, chain, '-s sip.crans.org -j CLASSIFY --set-class 1:12')