
nftables: Enhance support for Netbox service ACLs

  We changed the acl custom field of services in Netbox to multiselect, so we
  are able to store multiple pre-defined ACLs to a service (like infra + mgmt
  networks).  We introduced a custom field for services in Netbox to allow
  specifying additional prefixes which should be allowed to access the service.
  This commit reflects both changes to Netbox and NACL and leverages the new
  features.

Signed-off-by: Maximilian Wilhelm <max@sdn.clinic>
Maximilian Wilhelm 2 年之前
父节点
当前提交
eb75d9cf9d
共有 1 个文件被更改,包括 45 次插入8 次删除
      _modules/ffho_netfilter.py

+ 45 - 8
_modules/ffho_netfilter.py

@@ -2,12 +2,15 @@
 # FFHO netfilter helper functions
 #
 
+import ipaddress
+
 def generate_service_rules (services, acls, af):
 	rules = []
 
 	for srv in services:
 		rule = ""
 		comment = srv['descr']
+		src_prefixes = []
 
 		# If there are no DST IPs set at all or DST IPs for this AF set, we have a rule to build,
 		# if this is NOT the case, there is no rule for this AF to generate, carry on.
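Review bot: `acl_comment` is never initialised alongside the new `src_prefixes = []`, yet the second hunk reads it at `if acl_comment:` both inside the additional-prefixes branch and again before appending to `comment`. For a service with no ACL this raises UnboundLocalError on the first loop iteration, and on later iterations it silently reuses the previous service's ACL comment, since the name survives across iterations of the `for srv in services` loop. Add `acl_comment = ""` right after `src_prefixes = []` so every service starts with an empty comment. generate_service_rules continues beyond this hunk.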
@@ -24,18 +27,52 @@ def generate_service_rules (services, acls, af):
 			else:
 				rule += " daddr { %s } " % ", ".join (dst_ips)
 
-		# ACL defined for this service?
+		# ACLs defined for this service?
 		if srv['acl']:
-			rule += "ip" if af == 4 else "ip6"
-			acl = acls[srv['acl']][af]
+			srv_acl = sorted (srv['acl'])
+			for ace in srv_acl:
+				ace_pfx = (acls[ace][af])
+
+				# Many entries
+				if type (ace_pfx) == list:
+					src_prefixes.extend (ace_pfx)
+				else:
+					src_prefixes.append (ace_pfx)
+
+			acl_comment = "acl: %s" % ", ".join (srv_acl)
+
+		# Additional prefixes defined for this service?
+		if srv['additional_prefixes']:
+			add_pfx = []
+			# Additional prefixes are given as a space separated list
+			for entry in srv['additional_prefixes'].split ():
+				# Strip commas and spaces, just in case
+				pfx_str = entry.strip (" ,")
+				pfx_obj = ipaddress.ip_network (pfx_str)
 
-			# Many entries
-			if type (acl) == list:
-				rule += " saddr { %s } " % ", ".join (acl)
+				# We only care for additional pfx for this AF
+				if pfx_obj.version != af:
+					continue
+
+				add_pfx.append (pfx_str)
+
+			if add_pfx:
+				src_prefixes.extend (add_pfx)
+
+				if acl_comment:
+					acl_comment += ", "
+				acl_comment += "additional pfx"
+
+		# Combine ACL + additional prefixes (if any)
+		if src_prefixes:
+			rule += "ip" if af == 4 else "ip6"
+			if len (src_prefixes) > 1:
+				rule += " saddr { %s } " % ", ".join (src_prefixes)
 			else:
-				rule += " saddr %s " % acl
+				rule += " saddr %s " % src_prefixes[0]
 
-			comment += " (acl: %s)" % srv['acl']
+		if acl_comment:
+			comment += " (%s)" % acl_comment
 
 		# Multiple ports?
 		if len (srv['ports']) > 1:
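Review bot: `pfx_obj = ipaddress.ip_network (pfx_str)` raises a bare ValueError for a malformed entry or for a prefix with host bits set (the default is strict=True), which aborts rule generation for every service without saying which Netbox entry is at fault. Wrap the call in `try`/`except ValueError` and re-raise with the service's `srv['descr']` and the offending `pfx_str` in the message, so an operator can find the bad custom-field value. It would also be safer to append `str (pfx_obj)` rather than `pfx_str` to `add_pfx`, so the nftables rule receives the normalised form; and `type (ace_pfx) == list` is more idiomatically written `isinstance (ace_pfx, list)`. generate_service_rules continues beyond this hunk.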