Home Explore Help
Register Sign In
FreifunkHochstift
/
ffho-salt-public
2
0
Fork 2
Files Issues 0 Pull Requests 0
Tree: e3ccbc6e32
Branches Tags
ffho-salt-pu...
/
_modules
/
ffho_netfilter.py

ffho_netfilter.py 2.2 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687 
  1. #
    2. 

  2. # FFHO netfilter helper functions
    3. 

  3. #
    4. 

  4. 

  5. import ipaddress
    6. 

  6. 

  7. def generate_service_rules (services, acls, af):
    8. 

  8. 	rules = []
    9. 

  9. 

  10. 	for srv in services:
    11. 

  11. 		rule = ""
    12. 

  12. 		comment = srv['descr']
    13. 

  13. 		acl_comment = ""
    14. 

  14. 		src_prefixes = []
    15. 

  15. 

  16. 		# If there are no DST IPs set at all or DST IPs for this AF set, we have a rule to build,
    17. 

  17. 		# if this is NOT the case, there is no rule for this AF to generate, carry on.
    18. 

  18. 		if not ((not srv['ips']['4'] and not srv['ips']['6']) or srv['ips'][str(af)]):
    19. 

  19. 			continue
    20. 

  20. 

  21. 		# Is/are IP(s) set for this service?
    22. 

  22. 		if srv['ips'][str(af)]:
    23. 

  23. 			rule += "ip" if af == 4 else "ip6"
    24. 

  24. 

  25. 			dst_ips = srv['ips'][str(af)]
    26. 

  26. 			if len (dst_ips) == 1:
    27. 

  27. 				rule += " daddr %s " % dst_ips[0]
    28. 

  28. 			else:
    29. 

  29. 				rule += " daddr { %s } " % ", ".join (dst_ips)
    30. 

  30. 

  31. 		# ACLs defined for this service?
    32. 

  32. 		if srv['acl']:
    33. 

  33. 			srv_acl = sorted (srv['acl'])
    34. 

  34. 			for ace in srv_acl:
    35. 

  35. 				ace_pfx = (acls[ace][af])
    36. 

  36. 

  37. 				# Many entries
    38. 

  38. 				if type (ace_pfx) == list:
    39. 

  39. 					src_prefixes.extend (ace_pfx)
    40. 

  40. 				else:
    41. 

  41. 					src_prefixes.append (ace_pfx)
    42. 

  42. 

  43. 			acl_comment = "acl: %s" % ", ".join (srv_acl)
    44. 

  44. 

  45. 		# Additional prefixes defined for this service?
    46. 

  46. 		if srv['additional_prefixes']:
    47. 

  47. 			add_pfx = []
    48. 

  48. 			# Additional prefixes are given as a space separated list
    49. 

  49. 			for entry in srv['additional_prefixes'].split ():
    50. 

  50. 				# Strip commas and spaces, just in case
    51. 

  51. 				pfx_str = entry.strip (" ,")
    52. 

  52. 				pfx_obj = ipaddress.ip_network (pfx_str)
    53. 

  53. 

  54. 				# We only care for additional pfx for this AF
    55. 

  55. 				if pfx_obj.version != af:
    56. 

  56. 					continue
    57. 

  57. 

  58. 				add_pfx.append (pfx_str)
    59. 

  59. 

  60. 			if add_pfx:
    61. 

  61. 				src_prefixes.extend (add_pfx)
    62. 

  62. 

  63. 				if acl_comment:
    64. 

  64. 					acl_comment += ", "
    65. 

  65. 				acl_comment += "additional pfx"
    66. 

  66. 

  67. 		# Combine ACL + additional prefixes (if any)
    68. 

  68. 		if src_prefixes:
    69. 

  69. 			rule += "ip" if af == 4 else "ip6"
    70. 

  70. 			if len (src_prefixes) > 1:
    71. 

  71. 				rule += " saddr { %s } " % ", ".join (src_prefixes)
    72. 

  72. 			else:
    73. 

  73. 				rule += " saddr %s " % src_prefixes[0]
    74. 

  74. 

  75. 		if acl_comment:
    76. 

  76. 			comment += " (%s)" % acl_comment
    77. 

  77. 

  78. 		# Multiple ports?
    79. 

  79. 		if len (srv['ports']) > 1:
    80. 

  80. 			ports = "{ %s }" % ", ".join (map (str, sorted (srv['ports'])))
    81. 

  81. 		else:
    82. 

  82. 			ports = srv['ports'][0]
    83. 

  83. 

  84. 		rule += "%s dport %s counter accept comment \"%s\"" % (srv['proto'], ports, comment)
    85. 

  85. 		rules.append (rule)
    86. 

  86. 

  87. 	return rules
    88.