Startseite Erkunden Hilfe
Registrieren Anmelden
FreifunkHochstift
/
ffho-salt-public
2
0
Fork 2
Dateien Issues 0 Pull-Requests 0
Quellcode durchsuchen

nftables: Enhance support for Netbox service ACLs

  We changed the acl custom field of services in Netbox to multiselect, so we
  are able to store multiple pre-defined ACLs to a service (like infra + mgmt
  networks).  We introduced a custom field for services in Netbox to allow to
  specify additional prefixes which should be allowed to access the service.
  This commit reflects both changes to Netbox and NACL and leverages the new
  features.

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm vor 3 Jahren
Ursprung
843507256e
Commit
eb75d9cf9d
1 geänderte Dateien mit 45 neuen und 8 gelöschten Zeilen
Geteilte Ansicht Diff-Statistik anzeigen
  1. 45 8
      _modules/ffho_netfilter.py

+ 45 - 8
_modules/ffho_netfilter.py
Datei anzeigen 

@@ -2,12 +2,15 @@
 
 # FFHO netfilter helper functions
 
 #
 
 
+import ipaddress
 
+
 
 def generate_service_rules (services, acls, af):
 
 	rules = []
 
 
 	for srv in services:
 
 		rule = ""
 
 		comment = srv['descr']
 
+		src_prefixes = []
 
 
 		# If there are no DST IPs set at all or DST IPs for this AF set, we have a rule to build,
 
 		# if this is NOT the case, there is no rule for this AF to generate, carry on.
 
@@ -24,18 +27,52 @@ def generate_service_rules (services, acls, af):
 
 			else:
 
 				rule += " daddr { %s } " % ", ".join (dst_ips)
 
 
-		# ACL defined for this service?
 
+		# ACLs defined for this service?
 
 		if srv['acl']:
 
-			rule += "ip" if af == 4 else "ip6"
 
-			acl = acls[srv['acl']][af]
 
+			srv_acl = sorted (srv['acl'])
 
+			for ace in srv_acl:
 
+				ace_pfx = (acls[ace][af])
 
+
 
+				# Many entries
 
+				if type (ace_pfx) == list:
 
+					src_prefixes.extend (ace_pfx)
 
+				else:
 
+					src_prefixes.append (ace_pfx)
 
+
 
+			acl_comment = "acl: %s" % ", ".join (srv_acl)
 
+
 
+		# Additional prefixes defined for this service?
 
+		if srv['additional_prefixes']:
 
+			add_pfx = []
 
+			# Additional prefixes are given as a space separated list
 
+			for entry in srv['additional_prefixes'].split ():
 
+				# Strip commas and spaces, just in case
 
+				pfx_str = entry.strip (" ,")
 
+				pfx_obj = ipaddress.ip_network (pfx_str)
 
 
-			# Many entries
 
-			if type (acl) == list:
 
-				rule += " saddr { %s } " % ", ".join (acl)
 
+				# We only care for additional pfx for this AF
 
+				if pfx_obj.version != af:
 
+					continue
 
+
 
+				add_pfx.append (pfx_str)
 
+
 
+			if add_pfx:
 
+				src_prefixes.extend (add_pfx)
 
+
 
+				if acl_comment:
 
+					acl_comment += ", "
 
+				acl_comment += "additional pfx"
 
+
 
+		# Combine ACL + additional prefixes (if any)
 
+		if src_prefixes:
 
+			rule += "ip" if af == 4 else "ip6"
 
+			if len (src_prefixes) > 1:
 
+				rule += " saddr { %s } " % ", ".join (src_prefixes)
 
 			else:
 
-				rule += " saddr %s " % acl
 
+				rule += " saddr %s " % src_prefixes[0]
 
 
-			comment += " (acl: %s)" % srv['acl']
 
+		if acl_comment:
 
+			comment += " (%s)" % acl_comment
 
 
 		# Multiple ports?
 
 		if len (srv['ports']) > 1: