Ajoute une option dry run + 2 options exportv4 et exportv6

chirac 2019-06-24 22:50:50 +02:00 committed by root
parent 17c1f9fe25
commit 0a0f6c708a

51
main.py

@ -40,12 +40,17 @@ class iptables:
self.nat6 = "\n*nat" self.nat6 = "\n*nat"
self.mangle6 = "\n*mangle" self.mangle6 = "\n*mangle"
self.filter6 = "\n*filter" self.filter6 = "\n*filter"
self.global_chain4 = None
self.global_chain6 = None
self.subnet_ports = api_client.list("firewall/subnet-ports/") self.subnet_ports = api_client.list("firewall/subnet-ports/")
self.interface_ports = api_client.list("firewall/interface-ports/") self.interface_ports = api_client.list("firewall/interface-ports/")
self.normal_users = api_client.list("users/normaluser/") self.normal_users = api_client.list("users/normaluser/")
self.verbose = False self.verbose = False
self.action = None self.action = None
self.dry = False
self.export = False self.export = False
self.export4 = False
self.export6 = False
self.role = getattr(firewall_config, 'role', None) self.role = getattr(firewall_config, 'role', None)
self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None) self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
self.nat_settings = getattr(firewall_config, 'nat', None) self.nat_settings = getattr(firewall_config, 'nat', None)
@ -517,18 +522,29 @@ class iptables:
getattr(self, role)('mangle') getattr(self, role)('mangle')
self.commit_mangle() self.commit_mangle()
def gen_firewall(self, empty=False):
"""Assemblage des chaines et export si il y a lieu"""
self.gen_mangle(empty=empty)
self.gen_nat(empty=empty)
self.gen_filter(empty=empty)
self.global_chain4 = self.nat4 + self.filter4 + self.mangle4
self.global_chain6 = self.nat6 + self.filter6 + self.mangle6
if self.export or self.export4:
print(self.global_chain4)
if self.export or self.export6:
print(self.global_chain6)
def restore_iptables(self, mode='4'): def restore_iptables(self, mode='4'):
"""Restoration de l'iptable générée""" """Restoration de l'iptable générée"""
if mode == '6': if mode == '6':
global_chain = self.nat6 + self.filter6 + self.mangle6 global_chain = self.global_chain6
command_to_execute = ["sudo","-n","/sbin/ip6tables-restore"] command_to_execute = ["sudo","-n","/sbin/ip6tables-restore"]
else: else:
global_chain = self.nat4 + self.filter4 + self.mangle4 global_chain = self.global_chain4
command_to_execute = ["sudo","-n","/sbin/iptables-restore"] command_to_execute = ["sudo","-n","/sbin/iptables-restore"]
process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE) process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
process.communicate(input=global_chain.encode('utf-8')) process.communicate(input=global_chain.encode('utf-8'))
if self.export:
print(global_chain)
def complete_flush_iptables(self, mode='4'): def complete_flush_iptables(self, mode='4'):
"""Insère un parefeuv6 vide, appellé par l'arrét du parefeu""" """Insère un parefeuv6 vide, appellé par l'arrét du parefeu"""
@ -537,17 +553,18 @@ class iptables:
def do_action(self): def do_action(self):
"""Effectue l'action demandée""" """Effectue l'action demandée"""
if self.action == "start" or self.action == "restart": if self.action == "start" or self.action == "restart":
self.reload() self.gen_firewall()
if not self.dry:
self.reload()
elif self.action == "stop": elif self.action == "stop":
self.flush() self.gen_firewall(empty=True)
if not self.dry:
self.flush()
else: else:
raise NotImplementedError("Action non reconnu, actions valides : start, stop ou restart") raise NotImplementedError("Action non reconnu, actions valides : start, stop ou restart")
def reload(self): def reload(self):
"""Recharge le parefeu""" """Recharge le parefeu"""
self.gen_mangle()
self.gen_nat()
self.gen_filter()
if any('6' in role for role in self.role): if any('6' in role for role in self.role):
self.restore_iptables(mode='6') self.restore_iptables(mode='6')
return return
@ -559,13 +576,12 @@ class iptables:
def flush(self): def flush(self):
"""Vide la chaine iptables, ou ip6tables suivant le role du serveur""" """Vide la chaine iptables, ou ip6tables suivant le role du serveur"""
self.gen_mangle(empty=True)
self.gen_nat(empty=True)
self.gen_filter(empty=True)
if any('6' in role for role in self.role): if any('6' in role for role in self.role):
return
self.complete_flush_iptables(mode='6') self.complete_flush_iptables(mode='6')
if any('4' in role for role in self.role): if any('4' in role for role in self.role):
self.complete_flush_iptables(mode='4') self.complete_flush_iptables(mode='4')
return
self.restore_iptables(mode='6') self.restore_iptables(mode='6')
self.restore_iptables(mode='4') self.restore_iptables(mode='4')
@ -587,15 +603,21 @@ def run(args):
table.verbose = True table.verbose = True
table.action = args.action table.action = args.action
table.export = args.export table.export = args.export
table.dry = args.dry
table.export4 = args.export4
table.export6 = args.export6
table.do_action() table.do_action()
if __name__ == '__main__': if __name__ == '__main__':
parser = argparse.ArgumentParser() parser = argparse.ArgumentParser()
parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true") parser.add_argument("-v", "--verbose", help="increase output verbosity", action="store_true")
parser.add_argument("-e", "--export", help="export le contenu du parefeu", action="store_true") parser.add_argument("-e", "--export", help="export le contenu des parefeus", action="store_true")
parser.add_argument("-e4", "--export4", help="export le contenu du parefeu v4", action="store_true")
parser.add_argument("-e6", "--export6", help="export le contenu du parefeu v6", action="store_true")
parser.add_argument("action", help="Mode reconnus : start, stop ou restart", default="restart", nargs="?") parser.add_argument("action", help="Mode reconnus : start, stop ou restart", default="restart", nargs="?")
parser.add_argument("--force", help="Force l'action", action="store_true") parser.add_argument("--force", help="Force l'action", action="store_true")
parser.add_argument("--dry", help="Ne pas effectuer de modification sur le pare-feu", default=False, action="store_true")
args = parser.parse_args() args = parser.parse_args()
if args.force: if args.force:
@ -606,5 +628,6 @@ if __name__ == '__main__':
service['service_name'] == 'firewall' and \ service['service_name'] == 'firewall' and \
service['need_regen']: service['need_regen']:
run(args) run(args)
api_client.patch(service['api_url'], data={'need_regen': False}) if not args.dry:
api_client.patch(service['api_url'], data={'need_regen': False})
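Review bot: `restore_iptables` now reads `self.global_chain6` / `self.global_chain4` (second hunk, the changed lines `global_chain = self.global_chain6` and `global_chain = self.global_chain4`), but both attributes are initialised to `None` in `__init__` and only assigned by `gen_firewall`, and since `reload` and `flush` no longer call the `gen_*` methods themselves, invoking either of them without `gen_firewall` first fails on `global_chain.encode('utf-8')` with an AttributeError instead of a clear message. A guard after the `if`/`else`, `if global_chain is None: raise RuntimeError("gen_firewall() must be called before restore_iptables()")`, makes the new ordering dependency explicit. The `gen_firewall` docstring should also state that it must run before `restore_iptables`, since `do_action` is now the only visible caller that orders the two correctly. The same function still discards the exit status of `iptables-restore` after `process.communicate(...)`, so a ruleset the kernel rejects leaves the previous rules in place with no error; checking `process.returncode` there would surface it. `reload` and `flush` both continue past their hunks, so other call paths inside them are not visible here.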