Home Explore Help
Register Sign In
FreifunkHochstift
/
ffho-salt-public
2
0
Fork 2
Files Issues 0 Pull Requests 0
Tree: eb75d9cf9d
Branches Tags
ffho-salt-pu...
/
_modules
/
ffho_netfilter.py

ffho_netfilter.py 2.2 KB
History Raw

1234567891011121314151617181920212223242526272829303132333435363738394041424344454647484950515253545556575859606162636465666768697071727374757677787980818283848586 
  1. #
    2. 

  2. # FFHO netfilter helper functions
    3. 

  3. #
    4. 

  4. 

  5. import ipaddress
    6. 

  6. 

  7. def generate_service_rules (services, acls, af):
    8. 

  8. 	rules = []
    9. 

  9. 

  10. 	for srv in services:
    11. 

  11. 		rule = ""
    12. 

  12. 		comment = srv['descr']
    13. 

  13. 		src_prefixes = []
    14. 

  14. 

  15. 		# If there are no DST IPs set at all or DST IPs for this AF set, we have a rule to build,
    16. 

  16. 		# if this is NOT the case, there is no rule for this AF to generate, carry on.
    17. 

  17. 		if not ((not srv['ips']['4'] and not srv['ips']['6']) or srv['ips'][str(af)]):
    18. 

  18. 			continue
    19. 

  19. 

  20. 		# Is/are IP(s) set for this service?
    21. 

  21. 		if srv['ips'][str(af)]:
    22. 

  22. 			rule += "ip" if af == 4 else "ip6"
    23. 

  23. 

  24. 			dst_ips = srv['ips'][str(af)]
    25. 

  25. 			if len (dst_ips) == 1:
    26. 

  26. 				rule += " daddr %s " % dst_ips[0]
    27. 

  27. 			else:
    28. 

  28. 				rule += " daddr { %s } " % ", ".join (dst_ips)
    29. 

  29. 

  30. 		# ACLs defined for this service?
    31. 

  31. 		if srv['acl']:
    32. 

  32. 			srv_acl = sorted (srv['acl'])
    33. 

  33. 			for ace in srv_acl:
    34. 

  34. 				ace_pfx = (acls[ace][af])
    35. 

  35. 

  36. 				# Many entries
    37. 

  37. 				if type (ace_pfx) == list:
    38. 

  38. 					src_prefixes.extend (ace_pfx)
    39. 

  39. 				else:
    40. 

  40. 					src_prefixes.append (ace_pfx)
    41. 

  41. 

  42. 			acl_comment = "acl: %s" % ", ".join (srv_acl)
    43. 

  43. 

  44. 		# Additional prefixes defined for this service?
    45. 

  45. 		if srv['additional_prefixes']:
    46. 

  46. 			add_pfx = []
    47. 

  47. 			# Additional prefixes are given as a space separated list
    48. 

  48. 			for entry in srv['additional_prefixes'].split ():
    49. 

  49. 				# Strip commas and spaces, just in case
    50. 

  50. 				pfx_str = entry.strip (" ,")
    51. 

  51. 				pfx_obj = ipaddress.ip_network (pfx_str)
    52. 

  52. 

  53. 				# We only care for additional pfx for this AF
    54. 

  54. 				if pfx_obj.version != af:
    55. 

  55. 					continue
    56. 

  56. 

  57. 				add_pfx.append (pfx_str)
    58. 

  58. 

  59. 			if add_pfx:
    60. 

  60. 				src_prefixes.extend (add_pfx)
    61. 

  61. 

  62. 				if acl_comment:
    63. 

  63. 					acl_comment += ", "
    64. 

  64. 				acl_comment += "additional pfx"
    65. 

  65. 

  66. 		# Combine ACL + additional prefixes (if any)
    67. 

  67. 		if src_prefixes:
    68. 

  68. 			rule += "ip" if af == 4 else "ip6"
    69. 

  69. 			if len (src_prefixes) > 1:
    70. 

  70. 				rule += " saddr { %s } " % ", ".join (src_prefixes)
    71. 

  71. 			else:
    72. 

  72. 				rule += " saddr %s " % src_prefixes[0]
    73. 

  73. 

  74. 		if acl_comment:
    75. 

  75. 			comment += " (%s)" % acl_comment
    76. 

  76. 

  77. 		# Multiple ports?
    78. 

  78. 		if len (srv['ports']) > 1:
    79. 

  79. 			ports = "{ %s }" % ", ".join (map (str, sorted (srv['ports'])))
    80. 

  80. 		else:
    81. 

  81. 			ports = srv['ports'][0]
    82. 

  82. 

  83. 		rule += "%s dport %s counter accept comment \"%s\"" % (srv['proto'], ports, comment)
    84. 

  84. 		rules.append (rule)
    85. 

  85. 

  86. 	return rules
    87.