
nftables: Enhance support for Netbox service ACLs

  We changed the acl custom field of services in Netbox to multiselect, so we
  are able to store multiple pre-defined ACLs to a service (like infra + mgmt
  networks).  We introduced a custom field for services in Netbox that allows
  specifying additional prefixes which should be allowed to access the service.
  This commit reflects both changes to Netbox and NACL and leverages the new
  features.

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm před 2 roky
rodič
revize
eb75d9cf9d
1 změnil soubory, kde provedl 45 přidání a 8 odebrání
  1. 45 8
      _modules/ffho_netfilter.py

+ 45 - 8
_modules/ffho_netfilter.py

@@ -2,12 +2,15 @@
 # FFHO netfilter helper functions
 #
 
+import ipaddress
+
 def generate_service_rules (services, acls, af):
 	rules = []
 
 	for srv in services:
 		rule = ""
 		comment = srv['descr']
+		src_prefixes = []
 
 		# If there are no DST IPs set at all or DST IPs for this AF set, we have a rule to build,
 		# if this is NOT the case, there is no rule for this AF to generate, carry on.
@@ -24,18 +27,52 @@ def generate_service_rules (services, acls, af):
 			else:
 				rule += " daddr { %s } " % ", ".join (dst_ips)
 
-		# ACL defined for this service?
+		# ACLs defined for this service?
 		if srv['acl']:
-			rule += "ip" if af == 4 else "ip6"
-			acl = acls[srv['acl']][af]
+			srv_acl = sorted (srv['acl'])
+			for ace in srv_acl:
+				ace_pfx = (acls[ace][af])
+
+				# Many entries
+				if type (ace_pfx) == list:
+					src_prefixes.extend (ace_pfx)
+				else:
+					src_prefixes.append (ace_pfx)
+
+			acl_comment = "acl: %s" % ", ".join (srv_acl)
+
+		# Additional prefixes defined for this service?
+		if srv['additional_prefixes']:
+			add_pfx = []
+			# Additional prefixes are given as a space separated list
+			for entry in srv['additional_prefixes'].split ():
+				# Strip commas and spaces, just in case
+				pfx_str = entry.strip (" ,")
+				pfx_obj = ipaddress.ip_network (pfx_str)
 
-			# Many entries
-			if type (acl) == list:
-				rule += " saddr { %s } " % ", ".join (acl)
+				# We only care for additional pfx for this AF
+				if pfx_obj.version != af:
+					continue
+
+				add_pfx.append (pfx_str)
+
+			if add_pfx:
+				src_prefixes.extend (add_pfx)
+
+				if acl_comment:
+					acl_comment += ", "
+				acl_comment += "additional pfx"
+
+		# Combine ACL + additional prefixes (if any)
+		if src_prefixes:
+			rule += "ip" if af == 4 else "ip6"
+			if len (src_prefixes) > 1:
+				rule += " saddr { %s } " % ", ".join (src_prefixes)
 			else:
-				rule += " saddr %s " % acl
+				rule += " saddr %s " % src_prefixes[0]
 
-			comment += " (acl: %s)" % srv['acl']
+		if acl_comment:
+			comment += " (%s)" % acl_comment
 
 		# Multiple ports?
 		if len (srv['ports']) > 1:
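Review bot: `acl_comment` is read by both new `if acl_comment:` checks (under the additional-prefixes branch and before the comment is appended) but is only assigned inside `if srv['acl']:`, so a service without an ACL raises UnboundLocalError on the first loop iteration and, on later iterations, silently inherits the previous service's ACL comment. Initialise it per service next to the other per-service state in the first hunk: `acl_comment = ""` directly after `src_prefixes = []`. Separately, `ipaddress.ip_network (pfx_str)` runs in strict mode, so an entry with host bits set aborts rule generation with a bare ValueError; failing closed is the right behaviour for free-text that ends up in a filter rule, but re-raising with context, e.g. `raise ValueError ("Service '%s': invalid additional prefix '%s'" % (srv['descr'], pfx_str))`, would make the offending Netbox entry findable. Minor style point: `type (ace_pfx) == list` should be `isinstance (ace_pfx, list)`.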