Factorisation et correction de bug dans filter ports

6 years ago · 6947ea6673
parent 09e0006d32
commit 6947ea6673
1 changed files with 15 additions and 16 deletions
--- a/main.py
+++ b/main.py
@ -41,7 +41,7 @@ class iptables:
        self.verbose = False
        self.action = None
        self.export = False
-        self.role = config.get('Firewall', 'role').split(',')
+        self.role = getattr(firewall_config, 'role', None)
        self.interfaces_settings = getattr(firewall_config, 'interfaces_type', None)
        self.nat_settings = getattr(firewall_config, 'nat', None)

@ -281,28 +281,27 @@ class iptables:
                    ports = ','.join(rule["show_port"] for rule in subnet["ouverture_ports"]["udp_ports_out"])
                    add_general_rule(ports, ip_type, chain, subtable, subnet, 'udp', 'src')

+        def add_specific_rule(ports, ip_type, chain, interface, subnet, protocol, direction):
+            """Règles spécifique, fonction de factorisation"""
+            if ip_type == '4':
+                self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], interface['ipv4'], protocol, ports))
+            if ip_type == '6':
+                for ipv6_addr in interface['ipv6']:
+                    self.add_in_subtable(chain, subtable, """-%s %s -p %s -m multiport --dports %s -j RETURN""" % (direction[0], ipv6_addr['ipv6'], protocol, ports))

        for interface in self.interface_ports:
            ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_in"]])
            if ports:
-                self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
-                for ipv6_addr in interface['ipv6']:
-                    self.add_in_subtable(chain, subtable, """-d %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
+                add_specific_rule(ports, ip_type, chain, interface, subnet, 'tcp', 'dst')
            ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["tcp_ports_out"]])
            if ports:
-                self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
-                for ipv6_addr in interface['ipv6']:
-                    self.add_in_subtable(chain, subtable, """-s %s -p tcp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
+                add_specific_rule(ports, ip_type, chain, interface, subnet, 'tcp', 'src')
            ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_in"]])
            if ports:
-                self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
-                for ipv6_addr in interface['ipv6']:
-                    self.add_in_subtable(chain, subtable, """-d %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
+                add_specific_rule(ports, ip_type, chain, interface, subnet, 'udp', 'dst')
            ports = ','.join([port_list['show_port'] for dict_ports in interface["port_lists"] for port_list in dict_ports["udp_ports_out"]])
            if ports:
-                self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (interface['ipv4'], ports))
-                for ipv6_addr in interface['ipv6']:
-                    self.add_in_subtable(chain, subtable, """-s %s -p udp -m multiport --dports %s -j RETURN""" % (ipv6_addr['ipv6'], ports))
+                add_specific_rule(ports, ip_type, chain, interface, subnet, 'udp', 'src')


        #Rejet du reste
@ -527,7 +526,7 @@ class iptables:

                # On nat
                for interface, pub_ip_range in nat_type['interfaces_ip_to_nat'].items():
-                    ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip/26)
+                    ip_nat = '.'.join(pub_ip_range.split('.')[:3]) + '.' + str(10*(nat_ip_range - 1) + nat_private_ip//26)
                    self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p tcp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))
                    self.add_in_subtable("nat", subrange_name, '-s %s -o %s -p udp -j SNAT --to-source %s' % (ip_src, interface, ip_nat + ':' + str(port_low) + '-' + str(port_high)))

@ -557,8 +556,8 @@ class iptables:
        else:
            global_chain = self.nat4 + self.filter4 + self.mangle4
            command_to_execute = ["sudo","-n","/sbin/iptables-restore"]
-        #process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
-        #process.communicate(input=global_chain.encode('utf-8'))
+        process = subprocess.Popen(command_to_execute, stdin=subprocess.PIPE, stdout=subprocess.PIPE)
+        process.communicate(input=global_chain.encode('utf-8'))
        if self.export:
            print(global_chain)