#!/bin/bash
µµµµµµµµµµ
µµµµµµµµµµ une regle conteneur :
µµµµµµµµµµ creer un regle d autorisation dans le conteneur courant si une interface existe
µµµµµµµµµµ sinon creer une regle de DNAT depuis le maitre
µµµµµµµµµµ
µµµµµµµµµµ une regle maitre/non conteneur :
µµµµµµµµµµ creer des regles d autorisation sur le maitre
µµµµµµµµµµ
µµµµµµµµµµ une restriction est mise en place, n autorise que sur cette page/ip
µµµµµµµµµµ
µµµµµµµµµµ %%interfaces maps a container group to {linkto: interface name}, so the
µµµµµµµµµµ access loop below can ask "does this container have an interface linked
µµµµµµµµµµ to ethN of the master?" with a plain dict lookup.
%set %%interfaces = {}
%for %%itf in %%creole_client.get_interfaces()
    %set %%group = %%itf['container_group']
    %if %%group not in %%interfaces
        %set %%interfaces[%%group] = {}
    %end if
    %set %%interfaces[%%group][%%itf['linkto']] = %%itf['name']
%end for
µµµµµµµµµµ
µµµµµµµµµµ
µµµµµµµµµµ build restrictions dictionary used to limit access to a service
µµµµµµµµµµ
#IMPORTANT: the iptables rules themselves are written at the end of this file
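µµµµµµµµµµ %%restrictions[service][container_group][zone name] -> list of sources.
µµµµµµµµµµ A source is either an 'ip/netmask' string or None; None marks a restriction
µµµµµµµµµµ that could not be resolved to a source (no name, no zone, ...) and makes the
µµµµµµµµµµ access loop below stop emitting rules for that port on that chain.
µµµµµµµµµµ
µµµµµµµµµµ Two fixes versus the previous version of this block:
µµµµµµµµµµ  - "%%l_interface = None" was a bare placeholder line (not a %set), so it
µµµµµµµµµµ    printed "[] = None" into the generated script instead of assigning;
µµµµµµµµµµ  - in the "name is a list" branch the None case had a stray ')' that closed
µµµµµµµµµµ    the placeholder early: setdefault(l_interface) was called without a
µµµµµµµµµµ    default and the text ", []).append(None)" leaked into the bash output.
%set %%restrictions = dict()
%for %%restriction in %%creole_client.get_service_restrictions()
    µµµµµµµµµµ only the presence of the 'activate' key is checked, not its value
    %if 'activate' in %%restriction
        %set %%container = %%restriction['container_group']
        %set %%interface = %%restriction.get('interface')
        µµµµµµµµµµ a restriction without an interface cannot be attached to any chain
        %if %%interface is None
            %continue
        %end if
        %set %%service = %%restriction['service']
        %if 'name' in %%restriction
            %if %%isinstance(%%restriction['name'], list)
                µµµµµµµµµµ 'name' is a list of ips; 'interface' and 'netmask' are either
                µµµµµµµµµµ lists indexed in step with it or a single value applied to all
                µµµµµµµµµµ (assumes parallel lists have the same length -- TODO confirm)
                %set %%netmask = %%restriction['netmask']
                %if %%restriction['name'] == []
                    %set %%l_interface = %%interface
                    %if %%l_interface == []
                        %set %%l_interface = None
                    %end if
                    %%restrictions.setdefault(%%service, {}).setdefault(%%container, {}).setdefault(%%l_interface, []).append(None)
                %end if
                %for %%idx, %%rest in %%enumerate(%%restriction['name'])
                    %if %%isinstance(%%interface, list)
                        %set %%l_interface = %%interface[idx]
                    %else
                        %set %%l_interface = %%interface
                    %end if
                    %set %%ip = %%restriction['name'][idx]
                    %if %%ip is None
                        %%restrictions.setdefault(%%service, {}).setdefault(%%container, {}).setdefault(%%l_interface, []).append(None)
                        %continue
                    %end if
                    %if %%isinstance(%%netmask, list)
                        %set %%l_netmask = %%netmask[idx]
                    %else
                        %set %%l_netmask = %%netmask
                    %end if
                    µµµµµµµµµµ 'auto' derives the interface from the ip itself; otherwise
                    µµµµµµµµµµ the interface name is turned into its zone name, which is the
                    µµµµµµµµµµ key the access loop looks up (nom_zone_ethN)
                    %if %%l_interface == 'auto'
                        %set %%calc_interface = %%get_interface_from_ip(%%ip)
                    %else
                        %set %%calc_interface = %%getVar('nom_zone_' + %%l_interface, None)
                        %if %%calc_interface == None
                            %%restrictions.setdefault(%%service, {}).setdefault(%%container, {}).setdefault(%%l_interface, []).append(None)
                            %continue
                        %end if
                    %end if
                    µµµµµµµµµµ NOTE(review): ip and netmask are concatenated unvalidated
                    µµµµµµµµµµ and end up verbatim in an iptables command line below
                    %%restrictions.setdefault(%%service, {}).setdefault(%%container, {}).setdefault(%%calc_interface, []).append(%%ip + '/' + %%l_netmask)
                %end for
            %else
                µµµµµµµµµµ single ip / single netmask / single interface
                %set %%ip = %%restriction['name']
                %if %%ip is None
                    %%restrictions.setdefault(%%service, {}).setdefault(%%container, {}).setdefault(%%interface, []).append(None)
                    %continue
                %end if
                %if %%interface == 'auto'
                    %set %%calc_interface = %%get_interface_from_ip(%%ip)
                %else
                    %set %%calc_interface = %%getVar('nom_zone_' + %%interface, None)
                    %if %%calc_interface == None
                        %%restrictions.setdefault(%%service, {}).setdefault(%%container, {}).setdefault(%%interface, []).append(None)
                        %continue
                    %end if
                %end if
                %%restrictions.setdefault(%%service, {}).setdefault(%%container, {}).setdefault(%%calc_interface, []).append(%%ip + '/' + %%restriction['netmask'])
            %end if
        %else
            µµµµµµµµµµ restriction without a 'name': recorded as unresolved (None)
            %%restrictions.setdefault(%%service, {}).setdefault(%%container, {}).setdefault(%%interface, []).append(None)
        %end if
    %end if
%end for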
µµµµµµµµµµ
µµµµµµµµµµ
µµµµµµµµµµ build access (and remove duplication)
µµµµµµµµµµ
µµµµµµµµµµ %%accesses[chain][protocol][port][source] -> one line for the generated
µµµµµµµµµµ script: either an iptables command or a "#desactivate ..." bash comment
µµµµµµµµµµ explaining why no rule is emitted. Keying on (chain, protocol, port, source)
µµµµµµµµµµ is what removes duplicates: a second access with the same tuple overwrites.
%set %%accesses = {}
µµµµµµµµµµ one chain per master interface, named ethN-root
%for num_int in %%range(0, %%int(%%nombre_interfaces))
    %set %%eth_name = 'eth' + %%str(num_int)
    %set %%chain = %%eth_name + '-root'
    %set %%accesses[%%chain] = {'tcp': {}, 'udp': {}}
%end for
%for access in %%creole_client.get_service_accesss()
    µµµµµµµµµµ only port-type accesses carrying the 'activate' key and a 'name' (the port)
    %if 'activate' in %%access and 'name' in %%access and %%access['node_name'] == 'port'
        %set %%container_name = %%access['container_group']
        %set %%container_ip = %%getVar('container_ip_' + %%container_name)
        %set %%port = %%access['name']
        %set %%service = %%access['service']
        %set %%current_restrictions = %%restrictions.get(%%access['service'], {})
        %set %%protocol = %%access['protocol']
        µµµµµµµµµµ tcp rules match the initial SYN only; anything else gets the udp match.
        µµµµµµµµµµ NOTE(review): %%accesses[chain] only has 'tcp' and 'udp' keys, so a
        µµµµµµµµµµ protocol value other than those two would fail below -- presumably the
        µµµµµµµµµµ creole definition restricts 'protocol' to these; confirm
        %if %%protocol == 'tcp'
            %set %%protocol_chain = '-p tcp --syn'
        %else
            %set %%protocol_chain = '-p udp -m udp'
        %end if
        %for num_int in %%range(0, %%int(%%nombre_interfaces))
            %set %%eth_name = 'eth' + %%str(num_int)
            µµµµµµµµµµ name of the interface inside this container group linked to ethN
            µµµµµµµµµµ of the master (None when the container has no leg on that network)
            %set %%interface_in_container = %%interfaces.get(%%container_name, {}).get(%%eth_name, None)
            µµµµµµµµµµ zone name of ethN; restrictions are keyed by zone name
            %set %%interface = %%getVar('nom_zone_' + %%eth_name)
            %set %%chain = %%eth_name + '-root'
            %set %%chain_cont = %%eth_name + '-cont'
            %if %%container_name in %%current_restrictions
                µµµµµµµµµµ restrictions apply per interface: take the sources recorded for
                µµµµµµµµµµ this zone, or emit no rule at all on this chain if there are none.
                µµµµµµµµµµ NOTE(review): the 'auto' restriction path stores whatever
                µµµµµµµµµµ get_interface_from_ip() returns as the key; it must be a zone name
                µµµµµµµµµµ for this lookup to match -- confirm
                %set %%sources = %%current_restrictions[%%container_name].get(%%interface, [])
            %else
                µµµµµµµµµµ no restriction on this service: open to every source
                %set %%sources = ['0/0']
            %end if
            %for %%source in %%sources
                %if %%source == None
                    µµµµµµµµµµ None means "unresolved restriction": stop here for this port
                    µµµµµµµµµµ and chain. NOTE(review): this also drops any valid sources
                    µµµµµµµµµµ listed after the None entry -- confirm that is intended
                    %break
                %end if
                %if not %%port in %%accesses[%%chain][%%protocol]
                    %set %%accesses[%%chain][%%protocol][%%port] = {}
                %end if
                µµµµµµµµµµ explicit 'all' source: the port is deliberately closed
                %if %%source == 'all'
                    %set %%accesses[%%chain][%%protocol][%%port][%%source] = "#desactivate for {0}:{1} in chain {2} source {3}, all source are forbidden".format(%%container_ip, %%port, %%chain, %%source)
                    %break
                %end if
                µµµµµµµµµµ NOTE(review): %%source comes straight from the creole
                µµµµµµµµµµ configuration (ip/netmask built above) and is interpolated into
                µµµµµµµµµµ an iptables command line without validation; the generated script
                µµµµµµµµµµ trusts the configuration store entirely
                %if %%current_container.ip == %%container_ip
                    µµµµµµµµµµ the access targets the container this script runs in: accept
                    µµµµµµµµµµ directly in the root chain, unless we are a non-master container
                    µµµµµµµµµµ (ip != 127.0.0.1) with no interface on this network
                    %if %%current_container.ip != '127.0.0.1' and %%interface_in_container == None
                        %set %%accesses[%%chain][%%protocol][%%port][%%source] = "#desactivate for {0}:{1} in chain {2} no interface in this container".format(%%container_ip, %%port, %%chain)
                    %else
                        %set %%accesses[%%chain][%%protocol][%%port][%%source] = "/sbin/iptables -A {0} -s {1} {2} --dport {3} -j ACCEPT".format(%%chain, %%source, %%protocol_chain, %%port)
                    %end if
                %else
                    µµµµµµµµµµ the access targets another container
                    %if %%current_container.ip == '127.0.0.1'
                        µµµµµµµµµµ we are the master: if the target container has no leg on
                        µµµµµµµµµµ ethN, accept in the -cont chain and DNAT ethN traffic for
                        µµµµµµµµµµ this port to container_ip:port; otherwise the container
                        µµµµµµµµµµ handles it itself on its own interface
                        %if %%interface_in_container == None
                            %set %%accesses[%%chain][%%protocol][%%port][%%source] = """/sbin/iptables -A {0} -s {1} {2} --dport {3} -d {4} -j ACCEPT
/sbin/iptables -t nat -A PREROUTING -i {5} -s {1} {2} --dport {3} -j DNAT --to-destination {4}:{3}""".format(%%chain_cont, %%source, %%protocol_chain, %%port, %%container_ip, %%interface)
                        %else
                            %set %%accesses[%%chain][%%protocol][%%port][%%source] = "#desactivate DNAT for {0}:{1} in chain {2} source {3}, already in container".format(%%container_ip, %%port, %%chain_cont, %%source)
                        %end if
                    %else
                        µµµµµµµµµµ a non-master container never writes rules for another one
                        %set %%accesses[%%chain][%%protocol][%%port][%%source] = "#desactivate for {0}:{1} in chain {2} source {3}, must be set in an other container".format(%%container_ip, %%port, %%chain, %%source)
                    %end if
                %end if
            %end for
        %end for
    %end if
%end for
µµµµµµµµµµ
µµµµµµµµµµ
µµµµµµµµµµ Write rules
µµµµµµµµµµ
µµµµµµµµµµ Emit the collected lines, one chain at a time. The "#chain" header and each
µµµµµµµµµµ rule are printed at column 0 so the generated bash script stays clean; the
µµµµµµµµµµ indented lines are directives and produce no output themselves.
%for %%chain_name, %%by_protocol in %%accesses.items()
#%%chain_name
    %for %%ports in %%by_protocol.values()
        %for %%sources in %%ports.values()
            %for %%rule in %%sources.values()
%%rule
            %end for
        %end for
    %end for
%end for
