Ajoute une option dry run + 2 options exportv4 et exportv6
This commit is contained in:
parent
17c1f9fe25
commit
0a0f6c708a
1 changed files with 37 additions and 14 deletions
51
main.py
51
main.py
|
@ -40,12 +40,17 @@ class iptables:
|
|||
self.nat6 = "\n*nat"
|
||||
self.mangle6 = "\n*mangle"
|
||||
self.filter6 = "\n*filter"
|
||||
self.global_chain4 = None
|
||||
self.global_chain6 = None
|
||||
self.subnet_ports = api_client.list("firewall/subnet-ports/")
|
||||
self.interface_ports = api_client.list("firewall/interface-ports/")
|
||||
self.normal_users = api_client.list("users/normaluser/")
|
||||
self.verbose = False
|
||||
self.action = None
|
||||
self.dry = False
|
||||
self.export = False
|
||||
self.export4 = False
|
||||
self.export6 = False
|
||||
self.role = getattr(firewall_config, 'role', None)
|
||||
self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
|
||||
self.nat_settings = getattr(firewall_config, 'nat', None)
|
||||
|
@ -517,18 +522,29 @@ class iptables:
|
|||
getattr(self, role)('mangle')
|
||||
self.commit_mangle()
|
||||
|
||||
def gen_firewall(self, empty=False):
|
||||
"""Assemblage des chaines et export si il y a lieu"""
|
||||
self.gen_mangle(empty=empty)
|
||||
self.gen_nat(empty=empty)
|
||||
self.gen_filter(empty=empty)
|
||||
self.global_chain4 = self.nat4 + self.filter4 + self.mangle4
|
||||
self.global_chain6 = self.nat6 + self.filter6 + self.mangle6
|
||||
if self.export or self.export4:
|
||||
print(self.global_chain4)
|
||||
if self.export or self.export6:
|
||||
print(self.global_chain6)
|
||||
|
||||
def restore_iptables(self, mode='4'):
|
||||
"""Restoration de l'iptable générée"""
|
||||
if mode == '6':
|
||||
global_chain = self.nat6 + self.filter6 + self.mangle6
|
||||
global_chain = self.global_chain6
|
||||
command_to_execute = ["sudo","-n","/sbin/ip6tables-restore"]
|
||||
else:
|
||||
global_chain = self.nat4 + self.filter4 + self.mangle4
|
||||
global_chain = self.global_chain4
|
||||
command_to_execute = ["sudo","-n","/sbin/iptables-restore"]
|
||||
process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
|
||||
process.communicate(input=global_chain.encode('utf-8'))
|
||||
if self.export:
|
||||
print(global_chain)
|
||||
|
||||
|
||||
def complete_flush_iptables(self, mode='4'):
|
||||
"""Insère un parefeuv6 vide, appellé par l'arrét du parefeu"""
|
||||
|
@ -537,17 +553,18 @@ class iptables:
|
|||
def do_action(self):
|
||||
"""Effectue l'action demandée"""
|
||||
if self.action == "start" or self.action == "restart":
|
||||
self.reload()
|
||||
self.gen_firewall()
|
||||
if not self.dry:
|
||||
self.reload()
|
||||
elif self.action == "stop":
|
||||
self.flush()
|
||||
self.gen_firewall(empty=True)
|
||||
if not self.dry:
|
||||
self.flush()
|
||||
else:
|
||||
raise NotImplementedError("Action non reconnu, actions valides : start, stop ou restart")
|
||||
|
||||
def reload(self):
|
||||
"""Recharge le parefeu"""
|
||||
self.gen_mangle()
|
||||
self.gen_nat()
|
||||
self.gen_filter()
|
||||
if any('6' in role for role in self.role):
|
||||
self.restore_iptables(mode='6')
|
||||
return
|
||||
|
@ -559,13 +576,12 @@ class iptables:
|
|||
|
||||
def flush(self):
|
||||
"""Vide la chaine iptables, ou ip6tables suivant le role du serveur"""
|
||||
self.gen_mangle(empty=True)
|
||||
self.gen_nat(empty=True)
|
||||
self.gen_filter(empty=True)
|
||||
if any('6' in role for role in self.role):
|
||||
return
|
||||
self.complete_flush_iptables(mode='6')
|
||||
if any('4' in role for role in self.role):
|
||||
self.complete_flush_iptables(mode='4')
|
||||
return
|
||||
self.restore_iptables(mode='6')
|
||||
self.restore_iptables(mode='4')
|
||||
|
||||
|
@ -587,15 +603,21 @@ def run(args):
|
|||
table.verbose = True
|
||||
table.action = args.action
|
||||
table.export = args.export
|
||||
table.dry = args.dry
|
||||
table.export4 = args.export4
|
||||
table.export6 = args.export6
|
||||
table.do_action()
|
||||
|
||||
|
||||
if __name__ == '__main__':
|
||||
parser = argparse.ArgumentParser()
|
||||
parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true")
|
||||
parser.add_argument("-e", "--export", help="export le contenu du parefeu", action="store_true")
|
||||
parser.add_argument("-e", "--export", help="export le contenu des parefeus", action="store_true")
|
||||
parser.add_argument("-e4", "--export4", help="export le contenu du parefeu v4", action="store_true")
|
||||
parser.add_argument("-e6", "--export6", help="export le contenu du parefeu v6", action="store_true")
|
||||
parser.add_argument("action", help="Mode reconnus : start, stop ou restart", default="restart", nargs="?")
|
||||
parser.add_argument("--force", help="Force l'action", action="store_true")
|
||||
parser.add_argument("--dry", help="Ne pas effectuer de modification sur le pare-feu", default=False, action="store_true")
|
||||
args = parser.parse_args()
|
||||
|
||||
if args.force:
|
||||
|
@ -606,5 +628,6 @@ if __name__ == '__main__':
|
|||
service['service_name'] == 'firewall' and \
|
||||
service['need_regen']:
|
||||
run(args)
|
||||
api_client.patch(service['api_url'], data={'need_regen': False})
|
||||
if not args.dry:
|
||||
api_client.patch(service['api_url'], data={'need_regen': False})
|
||||
|
||||
|
|