Commit 2520bc34 authored by Benjamin Graillot's avatar Benjamin Graillot

Logging

parent 5fdcd194
...@@ -4,8 +4,10 @@ import configparser ...@@ -4,8 +4,10 @@ import configparser
import getpass import getpass
import ipaddress import ipaddress
import json import json
import logging
import os import os
import subprocess import subprocess
import sys
import jinja2 import jinja2
import ldap import ldap
...@@ -15,6 +17,12 @@ import re2oapi ...@@ -15,6 +17,12 @@ import re2oapi
path = os.path.dirname(os.path.abspath(__file__)) path = os.path.dirname(os.path.abspath(__file__))
logger = logging.getLogger('firewall')
handler = logging.StreamHandler(sys.stderr)
formatter = logging.Formatter('%(asctime)s - %(name)s[%(process)d] - %(levelname)s - %(message)s')
handler.setFormatter(formatter)
logger.addHandler(handler)
def nat_map(private_subnet, public_subnet): def nat_map(private_subnet, public_subnet):
""" """
...@@ -30,23 +38,39 @@ if __name__ == "__main__": ...@@ -30,23 +38,39 @@ if __name__ == "__main__":
) )
parser.add_argument("-e", "--export", help="Exporte le contenu des pare-feu sur la sortie standard", action="store_true") parser.add_argument("-e", "--export", help="Exporte le contenu des pare-feu sur la sortie standard", action="store_true")
parser.add_argument("-l", "--ldap-server", help="URL de la base ldap à contacter", type=str, default=None) parser.add_argument("-l", "--ldap-server", help="URL de la base ldap à contacter", type=str, default=None)
parser.add_argument("-p", "--re2o-password", help="Demande le mot de passe de l'utilisateur re2o", action="store_true")
parser.add_argument("-q", "--quiet", help="Diminue la verbosité des logs (à spécifier plusieurs fois pour diminuer la verbosité)", action='count', default=0)
parser.add_argument("-r", "--re2o-server", help="Nom du serveur re2o à contacter", type=str, default=None) parser.add_argument("-r", "--re2o-server", help="Nom du serveur re2o à contacter", type=str, default=None)
parser.add_argument("-u", "--re2o-user", help="Utilisateur re2o", type=str, default=None) parser.add_argument("-u", "--re2o-user", help="Utilisateur re2o", type=str, default=None)
parser.add_argument("-p", "--re2o-password", help="Demande le mot de passe de l'utilisateur re2o", action="store_true") parser.add_argument("-v", "--verbose", help="Augmente la verbosité des logs (à spécifier plusieurs fois pour augmenter la verbosité)", action='count', default=0)
args = parser.parse_args() args = parser.parse_args()
verbosity = args.verbose - args.quiet
if verbosity <= -1:
logger.setLevel(logging.WARNING)
elif verbosity == 0:
logger.setLevel(logging.INFO)
elif verbosity >= 1:
logger.setLevel(logging.DEBUG)
logger.info("Reading configuration")
with open(os.path.join(path, "firewall.json")) as config_file: with open(os.path.join(path, "firewall.json")) as config_file:
config = json.load(config_file) config = json.load(config_file)
logger.debug("Loaded {}".format(config))
if args.ldap_server is not None: if args.ldap_server is not None:
config['ldap_url'] = args.ldap_server config['ldap_url'] = args.ldap_server
logger.info("Connecting to LDAP")
base = ldap.initialize(config['ldap_url']) base = ldap.initialize(config['ldap_url'])
if config['ldap_url'].startswith('ldaps://'): if config['ldap_url'].startswith('ldaps://'):
# On ne vérifie pas le certificat pour le LDAPS # On ne vérifie pas le certificat pour le LDAPS
logger.debug("Using LDAPS: changing TLS context")
base.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW) base.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
base.set_option(ldap.OPT_X_TLS_NEWCTX, 0) base.set_option(ldap.OPT_X_TLS_NEWCTX, 0)
logger.info("Querying LDAP")
hosts_query_id = base.search("ou=hosts,dc=crans,dc=org", ldap.SCOPE_SUBTREE, "objectClass=ipHost") hosts_query_id = base.search("ou=hosts,dc=crans,dc=org", ldap.SCOPE_SUBTREE, "objectClass=ipHost")
hosts_query = base.result(hosts_query_id) hosts_query = base.result(hosts_query_id)
services_query_id = base.search("ou=services,dc=crans,dc=org", ldap.SCOPE_SUBTREE, "objectClass=ipService") services_query_id = base.search("ou=services,dc=crans,dc=org", ldap.SCOPE_SUBTREE, "objectClass=ipService")
...@@ -108,6 +132,7 @@ if __name__ == "__main__": ...@@ -108,6 +132,7 @@ if __name__ == "__main__":
udp_ports_out = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in udp_ports_out ) udp_ports_out = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in udp_ports_out )
ports_openings.append('ip{ip_version} saddr {ip} udp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=udp_ports_out)) ports_openings.append('ip{ip_version} saddr {ip} udp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=udp_ports_out))
logger.info("Reading Re2o configuration")
re2o_config = configparser.ConfigParser() re2o_config = configparser.ConfigParser()
re2o_config.read(os.path.join(path, 're2o-config.ini')) re2o_config.read(os.path.join(path, 're2o-config.ini'))
...@@ -124,8 +149,10 @@ if __name__ == "__main__": ...@@ -124,8 +149,10 @@ if __name__ == "__main__":
else: else:
api_password = re2o_config.get('Re2o', 'password') api_password = re2o_config.get('Re2o', 'password')
logger.info("Connecting to Re2o")
api_client = re2oapi.Re2oAPIClient(api_hostname, api_username, api_password, use_tls=False) api_client = re2oapi.Re2oAPIClient(api_hostname, api_username, api_password, use_tls=False)
logger.info("Querying Re2o")
interface_ports = api_client.list("firewall/interface-ports/") interface_ports = api_client.list("firewall/interface-ports/")
ports_openings_adh = [] # les ouvertures de ports des serveurs des adhérents ports_openings_adh = [] # les ouvertures de ports des serveurs des adhérents
...@@ -163,6 +190,7 @@ if __name__ == "__main__": ...@@ -163,6 +190,7 @@ if __name__ == "__main__":
with open(os.path.join(path, 'templates', 'nftables.conf.j2')) as firewall_template: with open(os.path.join(path, 'templates', 'nftables.conf.j2')) as firewall_template:
template = jinja2.Template(firewall_template.read()) template = jinja2.Template(firewall_template.read())
logger.info("Generating NAT")
nat = { subnet: nat_map(networks[subnet], ipaddress.ip_network(config['NAT'][subnet])) for subnet in config['NAT'] } nat = { subnet: nat_map(networks[subnet], ipaddress.ip_network(config['NAT'][subnet])) for subnet in config['NAT'] }
if args.export: if args.export:
......
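Review bot: `logger.debug("Loaded {}".format(config))` right after the `json.load` writes the entire contents of firewall.json to stderr whenever `-v` is given; the page only shows `ldap_url` and `NAT` being read from that file, so if it ever carries anything sensitive it ends up in whatever collects the process's stderr. Logging the key names alone keeps the debugging value without the dump, `logger.debug("Loaded configuration keys: %s", sorted(config))`, and also follows logging's lazy `%s` convention instead of the eager `str.format` used by the other new calls. The new `logger.debug("Using LDAPS: changing TLS context")` sits next to the pre-existing `OPT_X_TLS_ALLOW` setting, so a message that names what is actually being relaxed, e.g. `logger.warning("Using LDAPS without certificate verification")`, would make that visible at the default level rather than only under `-v`. The enclosing `if __name__ == "__main__":` block starts before this hunk and continues after it.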