Commit 2520bc34 authored by Benjamin Graillot's avatar Benjamin Graillot
Browse files


parent 5fdcd194
......@@ -4,8 +4,10 @@ import configparser
import getpass
import ipaddress
import json
import logging
import os
import subprocess
import sys
import jinja2
import ldap
......@@ -15,6 +17,12 @@ import re2oapi
path = os.path.dirname(os.path.abspath(__file__))
logger = logging.getLogger('firewall')
handler = logging.StreamHandler(sys.stderr)
formatter = logging.Formatter('%(asctime)s - %(name)s[%(process)d] - %(levelname)s - %(message)s')
def nat_map(private_subnet, public_subnet):
......@@ -30,23 +38,39 @@ if __name__ == "__main__":
parser.add_argument("-e", "--export", help="Exporte le contenu des pare-feu sur la sortie standard", action="store_true")
parser.add_argument("-l", "--ldap-server", help="URL de la base ldap à contacter", type=str, default=None)
parser.add_argument("-p", "--re2o-password", help="Demande le mot de passe de l'utilisateur re2o", action="store_true")
parser.add_argument("-q", "--quiet", help="Diminue la verbosité des logs (à spécifier plusieurs fois pour diminuer la verbosité)", action='count', default=0)
parser.add_argument("-r", "--re2o-server", help="Nom du serveur re2o à contacter", type=str, default=None)
parser.add_argument("-u", "--re2o-user", help="Utilisateur re2o", type=str, default=None)
parser.add_argument("-p", "--re2o-password", help="Demande le mot de passe de l'utilisateur re2o", action="store_true")
parser.add_argument("-v", "--verbose", help="Augmente la verbosité des logs (à spécifier plusieurs fois pour augmenter la verbosité)", action='count', default=0)
args = parser.parse_args()
verbosity = args.verbose - args.quiet
if verbosity <= -1:
elif verbosity == 0:
elif verbosity >= 1:
logger.setLevel(logging.DEBUG)"Reading configuration")
with open(os.path.join(path, "firewall.json")) as config_file:
config = json.load(config_file)
logger.debug("Loaded {}".format(config))
if args.ldap_server is not None:
config['ldap_url'] = args.ldap_server"Connecting to LDAP")
base = ldap.initialize(config['ldap_url'])
if config['ldap_url'].startswith('ldaps://'):
# On ne vérifie pas le certificat pour le LDAPS
logger.debug("Using LDAPS: changing TLS context")
base.set_option(ldap.OPT_X_TLS_REQUIRE_CERT, ldap.OPT_X_TLS_ALLOW)
base.set_option(ldap.OPT_X_TLS_NEWCTX, 0)"Querying LDAP")
hosts_query_id ="ou=hosts,dc=crans,dc=org", ldap.SCOPE_SUBTREE, "objectClass=ipHost")
hosts_query = base.result(hosts_query_id)
services_query_id ="ou=services,dc=crans,dc=org", ldap.SCOPE_SUBTREE, "objectClass=ipService")
......@@ -108,6 +132,7 @@ if __name__ == "__main__":
udp_ports_out = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in udp_ports_out )
ports_openings.append('ip{ip_version} saddr {ip} udp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=udp_ports_out))"Reading Re2o configuration")
re2o_config = configparser.ConfigParser(), 're2o-config.ini'))
......@@ -124,8 +149,10 @@ if __name__ == "__main__":
api_password = re2o_config.get('Re2o', 'password')"Connecting to Re2o")
api_client = re2oapi.Re2oAPIClient(api_hostname, api_username, api_password, use_tls=False)"Querying Re2o")
interface_ports = api_client.list("firewall/interface-ports/")
ports_openings_adh = [] # les ouvertures de ports des serveurs des adhérents
......@@ -163,6 +190,7 @@ if __name__ == "__main__":
with open(os.path.join(path, 'templates', 'nftables.conf.j2')) as firewall_template:
template = jinja2.Template("Generating NAT")
nat = { subnet: nat_map(networks[subnet], ipaddress.ip_network(config['NAT'][subnet])) for subnet in config['NAT'] }
if args.export:
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment