Conflicts:
	parse_args
This commit is contained in:
titoko 2013-03-02 19:28:58 +01:00
commit a04ad829b4
3 changed files with 120 additions and 36 deletions


@ -442,7 +442,11 @@ firewall:
### firewall_reload() ### firewall_reload()
reload: reload:
action_help: Reload all firewall rules action_help: Reload all firewall rules
arguments:
-u:
full: --upnp
help: upnp
action: store_true
### firewall_allow() ### firewall_allow()
allow: allow:
action_help: Allow connection port/protocol action_help: Allow connection port/protocol
@ -459,6 +463,10 @@ firewall:
full: --ipv6 full: --ipv6
help: ipv6 help: ipv6
action: store_true action: store_true
-u:
full: --upnp
help: upnp
action: store_true
### firewall_disallow() ### firewall_disallow()
@ -477,6 +485,10 @@ firewall:
full: --ipv6 full: --ipv6
help: ipv6 help: ipv6
action: store_true action: store_true
-u:
full: --upnp
help: upnp
action: store_true
############################# #############################
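Review bot: The help text `help: upnp` given to the new `-u`/`--upnp` argument on reload, allow and disallow (all three hunks) does not tell the user what the flag does, while the surrounding entries describe their effect. Something like `help: Also forward the port(s) on the LAN gateway via UPnP (IGD)` would match the rest of the action map and make the side effect on a network device visible at the command line. The same wording should be used in all three places.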


@ -2,21 +2,21 @@
# -*- coding: utf-8 -*- # -*- coding: utf-8 -*-
__credits__ = """ __credits__ = """
Copyright (C) 2012 YunoHost Copyright (C) 2012 YunoHost
This program is free software; you can redistribute it and/or modify This program is free software; you can redistribute it and/or modify
it under the terms of the GNU Affero General Public License as published it under the terms of the GNU Affero General Public License as published
by the Free Software Foundation, either version 3 of the License, or by the Free Software Foundation, either version 3 of the License, or
(at your option) any later version. (at your option) any later version.
This program is distributed in the hope that it will be useful, This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU Affero General Public License for more details. GNU Affero General Public License for more details.
You should have received a copy of the GNU Affero General Public License You should have received a copy of the GNU Affero General Public License
along with this program; if not, see http://www.gnu.org/licenses along with this program; if not, see http://www.gnu.org/licenses
""" """
__author__ = 'Kload <kload@kload.fr>' __author__ = 'Kload <kload@kload.fr>'
__version__ = '2.0 beta1' __version__ = '2.0 beta1'
@ -46,15 +46,15 @@ except ImportError:
def parse_dict(action_map): def parse_dict(action_map):
""" """
Turn action dictionnary to parser, subparsers and arguments Turn action dictionnary to parser, subparsers and arguments
Keyword arguments: Keyword arguments:
action_map -- Multi-level dictionnary of categories/actions/arguments list action_map -- Multi-level dictionnary of categories/actions/arguments list
Returns: Returns:
Namespace of args Namespace of args
""" """
# Intialize parsers # Intialize parsers
parsers = subparsers_category = subparsers_action = {} parsers = subparsers_category = subparsers_action = {}
parsers['general'] = argparse.ArgumentParser() parsers['general'] = argparse.ArgumentParser()
@ -152,15 +152,15 @@ def parse_dict(action_map):
def main(): def main():
""" """
Main instructions Main instructions
Parse the action_dict and execute the action-specific function, Parse the action_dict and execute the action-specific function,
then print json or pretty result if executed in a tty :) then print json or pretty result if executed in a tty :)
Returns: Returns:
int -- 0 or error code int -- 0 or error code
""" """
if len(sys.argv) < 2: if len(sys.argv) < 2:
sys.argv.append('-h') sys.argv.append('-h')


@ -2,6 +2,8 @@
import os import os
import sys import sys
import miniupnpc
try: try:
import yaml import yaml
except ImportError: except ImportError:
@ -12,7 +14,7 @@ from yunohost import YunoHostError, win_msg
def firewall_allow(protocol=None,port=None,ipv6=None): def firewall_allow(protocol=None,port=None,ipv6=None,upnp=False):
""" """
Allow port in iptables Allow port in iptables
@ -20,6 +22,7 @@ def firewall_allow(protocol=None,port=None,ipv6=None):
protocol -- Protocol used protocol -- Protocol used
port -- Port to open port -- Port to open
ipv6 -- Boolean ipv6 ipv6 -- Boolean ipv6
upnp --Boolean upnp
Return Return
Dict Dict
@ -39,11 +42,11 @@ def firewall_allow(protocol=None,port=None,ipv6=None):
else: else:
raise YunoHostError(22,_("Port not between 1 and 65535 : ")+str(port)) raise YunoHostError(22,_("Port not between 1 and 65535 : ")+str(port))
return firewall_reload() return firewall_reload(upnp)
def firewall_disallow(protocol=None,port=None,ipv6=None): def firewall_disallow(protocol=None,port=None,ipv6=None,upnp=False):
""" """
Disallow port in iptables Disallow port in iptables
@ -51,6 +54,7 @@ def firewall_disallow(protocol=None,port=None,ipv6=None):
protocol -- Protocol used protocol -- Protocol used
port -- Port to open port -- Port to open
ipv6 -- Boolean ipv6 ipv6 -- Boolean ipv6
upnp --Boolan upnp
Return Return
Dict Dict
@ -65,7 +69,7 @@ def firewall_disallow(protocol=None,port=None,ipv6=None):
update_yml(port,protocol,'r',ipv6) update_yml(port,protocol,'r',ipv6)
win_msg(_("Port successfully closed")) win_msg(_("Port successfully closed"))
return firewall_reload() return firewall_reload(upnp)
@ -86,12 +90,12 @@ def firewall_list():
def firewall_reload(): def firewall_reload(upnp=False):
''' '''
Reload iptables configuration Reload iptables configuration
Keyword arguments: Keyword arguments:
None upnp --Boolean upnp
Return Return
Dict Dict
@ -102,6 +106,7 @@ def firewall_reload():
os.system ("iptables -P INPUT ACCEPT") os.system ("iptables -P INPUT ACCEPT")
os.system ("iptables -F") os.system ("iptables -F")
os.system ("iptables -X") os.system ("iptables -X")
if 22 not in firewall['ipv4']['TCP']: if 22 not in firewall['ipv4']['TCP']:
update_yml(22,'TCP','a',False) update_yml(22,'TCP','a',False)
@ -109,23 +114,40 @@ def firewall_reload():
os.system ("ip6tables -P INPUT ACCEPT") os.system ("ip6tables -P INPUT ACCEPT")
os.system ("ip6tables -F") os.system ("ip6tables -F")
os.system ("ip6tables -X") os.system ("ip6tables -X")
if 22 not in firewall['ipv6']['TCP']:
update_yml(22,'TCP','a',True)
for i,port in enumerate (firewall['ipv4']['TCP']): if 22 not in firewall['ipv6']['TCP']:
update_yml(22,'TCP','a',False)
add_portmapping('TCP',upnp,False);
add_portmapping('UDP',upnp,False);
add_portmapping('TCP',upnp,True);
add_portmapping('UDP',upnp,True);
"""for i,port in enumerate (firewall['ipv4']['TCP']):
os.system ("iptables -A INPUT -p tcp -i eth0 --dport "+ str(port) +" -j ACCEPT") os.system ("iptables -A INPUT -p tcp -i eth0 --dport "+ str(port) +" -j ACCEPT")
if upnp:
add_portmapping(port,'TCP',upnp)
for i,port in enumerate (firewall['ipv4']['UDP']): for i,port in enumerate (firewall['ipv4']['UDP']):
os.system ("iptables -A INPUT -p udp -i eth0 --dport "+ str(port) +" -j ACCEPT") os.system ("iptables -A INPUT -p udp -i eth0 --dport "+ str(port) +" -j ACCEPT")
if upnp:
add_portmapping(port,'UDP',upnp)
for i,port in enumerate (firewall['ipv6']['TCP']): for i,port in enumerate (firewall['ipv6']['TCP']):
os.system ("ip6tables -A INPUT -p tcp -i eth0 --dport "+ str(port) +" -j ACCEPT") os.system ("ip6tables -A INPUT -p tcp -i eth0 --dport "+ str(port) +" -j ACCEPT")
if upnp:
add_portmapping(port,'TCP',upnp)
for i,port in enumerate (firewall['ipv6']['UDP']): for i,port in enumerate (firewall['ipv6']['UDP']):
os.system ("ip6tables -A INPUT -p udp -i eth0 --dport "+ str(port) +" -j ACCEPT") os.system ("ip6tables -A INPUT -p udp -i eth0 --dport "+ str(port) +" -j ACCEPT")
if upnp:
add_portmapping(port,'UDP',upnp)"""
os.system ("iptables -P INPUT DROP") os.system ("iptables -P INPUT DROP")
@ -136,7 +158,6 @@ def firewall_reload():
return firewall_list() return firewall_list()
def update_yml(port=None,protocol=None,mode=None,ipv6=None): def update_yml(port=None,protocol=None,mode=None,ipv6=None):
""" """
Update firewall.yml Update firewall.yml
@ -177,3 +198,54 @@ def update_yml(port=None,protocol=None,mode=None,ipv6=None):
with open('firewall.yml','w') as f: with open('firewall.yml','w') as f:
yaml.dump(firewall,f) yaml.dump(firewall,f)
def add_portmapping(protocol=None,upnp=False,ipv6=None):
"""
Send a port mapping rules to igd device
Keyword arguments:
protocol -- Protocol used
port -- Port to open
Return
None
"""
if upnp:
upnp=miniupnpc.UPnP()
upnp.discoverdelay=200
nbigd= upnp.discover()
if nbigd:
try:
upnp.selectigd()
except:
raise YunoHostError(167,_("No upnp devices found"))
else:
raise YunoHostError(22,_("Can't connect to the igd device"))
# list the redirections :
i = 0
for i in (0,100):
p = upnp.getgenericportmapping(i)
if p==None:
break
port=p[0]
proto=p[1]
upnp.deleteportmapping(port,proto);
i += 1
if ipv6:
ip = 'ipv6'
else:
ip = 'ipv4'
with open('firewall.yml','r') as f:
firewall = yaml.load(f)
for i,port in enumerate (firewall[ip][protocol]):
os.system ("iptables -A INPUT -p"+ protocol +"-i eth0 --dport "+ str(port) +" -j ACCEPT")
if upnp:
upnp.addportmapping(port,protocol,upnp.lanaddr,port,'yunohost firewall : port %u' % port, '')
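Review bot: The ACCEPT rule built in add_portmapping (last hunk) is malformed — `"iptables -A INPUT -p"+ protocol +"-i eth0 --dport "` produces `-pTCP-i`, and the ipv6 branch still runs `iptables` rather than `ip6tables` — so now that firewall_reload flushes the tables and the old per-port loop has become a string literal (hunk at +114), no ACCEPT rule is installed before `iptables -P INPUT DROP`, which can lock the host out of SSH on every reload. In that same firewall_reload hunk the IPv6 SSH safeguard now reads `update_yml(22,'TCP','a',False)`, writing port 22 into the ipv4 list; it should stay `update_yml(22,'TCP','a',True)`. In add_portmapping, `for i in (0,100)` iterates over the two values 0 and 100 rather than `range(0,100)`, the bare `except:` should be `except Exception:`, and the cleanup loop deletes every mapping on the IGD including those other LAN hosts own, so deletion should be restricted to entries whose description was written by this tool. The docstring lists a `port` parameter the function does not take and omits `upnp` and `ipv6`. add_portmapping may continue past the end of this hunk.
```python
    # … unchanged: IGD discovery and existing-mapping cleanup …
    if ipv6:
        ip = 'ipv6'
        tables = 'ip6tables'
    else:
        ip = 'ipv4'
        tables = 'iptables'
    with open('firewall.yml','r') as f:
        firewall = yaml.load(f)
    for port in firewall[ip][protocol]:
        # Spaces around -p/-i are required; protocol names are lower-case for iptables
        os.system (tables +" -A INPUT -p "+ protocol.lower() +" -i eth0 --dport "+ str(port) +" -j ACCEPT")
        if upnp:
            upnp.addportmapping(port,protocol,upnp.lanaddr,port,'yunohost firewall : port %u' % port, '')
```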