Commit 5480010c authored by Benjamin Graillot's avatar Benjamin Graillot

Skip empty ports opening

parent 4d0c66c0
......@@ -125,16 +125,20 @@ if __name__ == "__main__":
for ip in ip_addresses:
tcp_ports_in = [ services[service][0] for service in opening_in if 'tcp' in services[service][1] ]
tcp_ports_in = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in tcp_ports_in )
ports_openings.append('ip{ip_version} daddr {ip} tcp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=tcp_ports_in))
if tcp_ports_in:
ports_openings.append('ip{ip_version} daddr {ip} tcp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=tcp_ports_in))
udp_ports_in = [ services[service][0] for service in opening_in if 'udp' in services[service][1] ]
udp_ports_in = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in udp_ports_in )
ports_openings.append('ip{ip_version} daddr {ip} udp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=udp_ports_in))
if udp_ports_in:
ports_openings.append('ip{ip_version} daddr {ip} udp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=udp_ports_in))
tcp_ports_out = [ services[service][0] for service in opening_out if 'tcp' in services[service][1] ]
tcp_ports_out = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in tcp_ports_out )
ports_openings.append('ip{ip_version} saddr {ip} tcp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=tcp_ports_out))
if tcp_ports_out:
ports_openings.append('ip{ip_version} saddr {ip} tcp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=tcp_ports_out))
udp_ports_out = [ services[service][0] for service in opening_out if 'udp' in services[service][1] ]
udp_ports_out = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in udp_ports_out )
ports_openings.append('ip{ip_version} saddr {ip} udp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=udp_ports_out))
if udp_ports_out:
ports_openings.append('ip{ip_version} saddr {ip} udp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=udp_ports_out))
logger.debug("Generated {} ports openings".format(len(ports_openings)))
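Review bot: The new `if tcp_ports_in:` / `if udp_ports_in:` / `if tcp_ports_out:` / `if udp_ports_out:` guards are correct, but each is the fourth copy of a block that differs only in protocol and direction (`daddr` with `opening_in` versus `saddr` with `opening_out`, `tcp` versus `udp`), and a guard missing from one copy is exactly the kind of drift this commit is repairing; the four blocks could be one helper driven by two short loops, as sketched below. The sketch keeps the `port[0]`/`port[1]` indexing and the `{}`-format rule strings unchanged, so the rendered rules are byte-identical. If `services` is loaded from a configuration file (not visible in this hunk), its port values reach the nft ruleset through `str.format` with no type or range check; validating them as integers in 0–65535 at load time would reject a malformed entry before it breaks the ruleset load. The enclosing `if __name__ == "__main__":` block starts outside the hunk.
```python
def dport_rule(ip, direction, proto, service_names):
    """Return one nft accept rule for *proto* over *service_names*, or None when no port matches."""
    ports = [services[name][0] for name in service_names if proto in services[name][1]]
    spec = ','.join('{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in ports)
    if not spec:
        return None
    return 'ip{ip_version} {direction} {ip} {proto} dport {{ {ports} }} accept'.format(
        ip_version='' if ip.version == 4 else '6', direction=direction, ip=ip, proto=proto, ports=spec)

for ip in ip_addresses:
    for direction, names in (('daddr', opening_in), ('saddr', opening_out)):
        for proto in ('tcp', 'udp'):
            rule = dport_rule(ip, direction, proto, names)
            if rule is not None:
                ports_openings.append(rule)
# … unchanged: logger.debug("Generated {} ports openings" …) …
```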
......@@ -202,7 +206,7 @@ if __name__ == "__main__":
nat = { subnet: nat_map(networks[subnet], ipaddress.ip_network(config['NAT'][subnet])) for subnet in config['NAT'] }
if args.export:
print(template.render(nat=nat, ports_openings=ports_openings, ports_openings_adh=ports_openings_adh))
print(template.render(nat=nat, nat_interface=config['nat_interface'], ports_openings=ports_openings, ports_openings_adh=ports_openings_adh))
else:
with open('/etc/nftables.conf', 'w') as nftables:
nftables.write(template.render(nat=nat, nat_interface=config['nat_interface'], ports_openings=ports_openings, ports_openings_adh=ports_openings_adh))
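Review bot: The `template.render(...)` call on the export branch now repeats, argument for argument, the one on the write branch two lines below, and the missing `nat_interface` this commit adds is precisely the divergence such a copy invites; render once before the branch, `rendered = template.render(nat=nat, nat_interface=config['nat_interface'], ports_openings=ports_openings, ports_openings_adh=ports_openings_adh)`, then `print(rendered)` on the export path and `nftables.write(rendered)` inside the `with`. A single rendering also guarantees that the exported text is exactly what would be written to `/etc/nftables.conf`, which is what makes reviewing the export output before installing it meaningful. The enclosing `if __name__ == "__main__":` block starts outside the hunk.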