Pare-feu des machines des adhérents via re2o

firewall.py

 #!/bin/env python3
 import argparse
+import configparser
 import ipaddress
 import json
 import os
@@ -8,6 +9,8 @@ import subprocess
 import jinja2
 import ldap
 
+import re2oapi
+
 
 path = os.path.dirname(os.path.abspath(__file__))
 
@@ -88,14 +91,57 @@ if __name__ == "__main__":
             udp_ports_out = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in udp_ports_out )
             ports_openings.append('ip{ip_version} saddr {ip} udp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=udp_ports_out))
 
+    re2o_config = configparser.ConfigParser()
+    re2o_config.read(os.path.join(path, 're2o-config.ini'))
+
+    api_hostname = re2o_config.get('Re2o', 'hostname')
+    api_password = re2o_config.get('Re2o', 'password')
+    api_username = re2o_config.get('Re2o', 'username')
+
+    api_client = re2oapi.Re2oAPIClient(api_hostname, api_username, api_password, use_tls=False)
+
+    interface_ports = api_client.list("firewall/interface-ports/")
+    ports_openings_adh = []
+
+    for interface in interface_ports:
+        for ip in [ ipaddress.ip_address(interface['ipv4']) ] + [ ipaddress.ip_address(ipv6['ipv6']) for ipv6 in interface['ipv6'] ]:
+            tcp_ports_in = []
+            for opening in interface['port_lists']:
+                for port_range in opening['tcp_ports_in']:
+                    tcp_ports_in.append((port_range['begin'], port_range['end']))
+            if tcp_ports_in:
+                tcp_ports_in = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in tcp_ports_in )
+                ports_openings_adh.append('ip{ip_version} daddr {ip} tcp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=tcp_ports_in))
+            tcp_ports_out = []
+            for opening in interface['port_lists']:
+                for port_range in opening['tcp_ports_out']:
+                    tcp_ports_out.append((port_range['begin'], port_range['end']))
+            if tcp_ports_out:
+                tcp_ports_out = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in tcp_ports_out )
+                ports_openings_adh.append('ip{ip_version} saddr {ip} tcp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=tcp_ports_out))
+            udp_ports_in = []
+            for opening in interface['port_lists']:
+                for port_range in opening['udp_ports_in']:
+                    udp_ports_in.append((port_range['begin'], port_range['end']))
+            if udp_ports_in:
+                udp_ports_in = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in udp_ports_in )
+                ports_openings_adh.append('ip{ip_version} daddr {ip} udp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=udp_ports_in))
+            udp_ports_out = []
+            for opening in interface['port_lists']:
+                for port_range in opening['udp_ports_out']:
+                    udp_ports_out.append((port_range['begin'], port_range['end']))
+            if udp_ports_out:
+                udp_ports_out = ','.join( '{}-{}'.format(port[0], port[1]) if port[0] != port[1] else str(port[0]) for port in udp_ports_out )
+                ports_openings_adh.append('ip{ip_version} saddr {ip} udp dport {{ {ports} }} accept'.format(ip_version='' if ip.version == 4 else '6', ip=ip, ports=udp_ports_out))
+
     with open(os.path.join(path, 'templates', 'nftables.conf.j2')) as firewall_template:
         template = jinja2.Template(firewall_template.read())
 
     nat = { subnet: nat_map(networks[subnet], ipaddress.ip_network(config['NAT'][subnet])) for subnet in config['NAT'] }
 
     if args.export:
-        print(template.render(nat=nat, ports_openings=ports_openings))
+        print(template.render(nat=nat, ports_openings=ports_openings, ports_openings_adh=ports_openings_adh))
     else:
         with open('/etc/nftables.conf') as nftables:
-            nftables.write(template.render(nat=nat, ports_openings=ports_openings))
+            nftables.write(template.render(nat=nat, ports_openings=ports_openings, ports_openings_adh=ports_openings_adh))
         subprocess.run(['systemctl', 'reload', 'nftables'])

re2o-config.ini

+[Re2o]
+hostname = re2o
+username = firewall
+password = changeme

re2oapi/__init__.py

+from .re2oapi import *

re2oapi/re2oapi/__init__.py

+from .client import ApiSendMail, Re2oAPIClient
+from . import exceptions
+
+__all__ = ['Re2oAPIClient', 'ApiSendMail', 'exceptions']

re2oapi/re2oapi/exceptions.py

+class APIClientGenericError(ValueError):
+    template = "{}"
+
+    def __init__(self, *data):
+        self.data = data
+        self.message = self.template.format(*data)
+        super(APIClientGenericError, self).__init__(self.message)
+
+
+class InvalidCredentials(APIClientGenericError):
+    template = "The credentials for {}@{} are not valid."
+
+
+class PermissionDenied(APIClientGenericError):
+    template = "The {} request to '{}' was denied for {}."
+
+
+class TokenFileNotFound(APIClientGenericError):
+    template = "Token file at {} not found."
+
+
+class TokenFileNotReadable(APIClientGenericError):
+    template = "Token file at {} is not a JSON readable file."
+
+
+class TokenNotInTokenFile(APIClientGenericError):
+    template = "Token for {}@{} not found in token file ({})."

templates/nftables.conf.j2

@@ -57,6 +57,9 @@ table inet filter {
 
 		# Ouvetures de ports des serveurs du CRANS
 {% for rule in ports_openings %}		{{ rule }}
+{% endfor %}
+		# Ouvetures de ports des machines des adhérents
+{% for rule in ports_openings_adh %}		{{ rule }}
 {% endfor %}
 		reject
 	}