rc/friwall
2
0
Fork 0
Code Issues Pull requests Actions Packages Projects Releases Wiki Activity

Generate ipsets for network groups

Browse source 
Like office and server.
This commit is contained in:
Timotej Lazar 2023-10-03 13:21:53 +02:00
parent c09410f731
commit abc7a0728b
1 changed files with 24 additions and 5 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

29
web/system.py
View file

@ -43,6 +43,19 @@ def run(fun, args=()):
fun(*args) fun(*args)
multiprocessing.Process(target=task).start() multiprocessing.Process(target=task).start()
# For a network named 'xyzzy-foo', return xyzzy. Used for creating
# ipsets for office-* and server-* networks.
def network_group(name):
match name.split('-'):
case group, _:
return group
case _:
return None
def ipset_add(ipsets, name, ip=None, ip6=None):
ipsets[name].update(ip or ())
ipsets[f'{name}/6'].update(ip6 or ())
def save_config(): def save_config():
output = None output = None
try: try:
@ -76,18 +89,24 @@ def save_config():
# Populate IP sets. # Populate IP sets.
ipsets = collections.defaultdict(set) ipsets = collections.defaultdict(set)
for name, network in db.read('networks').items():
if group := network_group(name):
ipset_add(ipsets, group, network.get('ip'), network.get('ip6'))
ipset_add(ipsets, name, network.get('ip'), network.get('ip6'))
for name, network in db.read('ipsets').items(): for name, network in db.read('ipsets').items():
ipsets[name].update(network.get('ip', ())) ipset_add(ipsets, name, network.get('ip'), network.get('ip6'))
ipsets[f'{name}/6'].update(network.get('ip6', ()))
# Add registered VPN addresses for each network based on # Add registered VPN addresses for each network based on
# LDAP group membership. # LDAP group membership.
wireguard = db.read('wireguard') wireguard = db.read('wireguard')
for ip, key in wireguard.items(): for ip, key in wireguard.items():
ip4 = [f'{ip}/32']
ip6 = [f'{key["ip6"]}/128'] if 'ip6' in key else None
for network in user_networks.get(key.get('user', ''), ()): for network in user_networks.get(key.get('user', ''), ()):
ipsets[network].add(f'{ip}/32') if group := network_group(network):
if 'ip6' in key: ipset_add(ipsets, group, ip4, ip6)
ipsets[f'{network}/6'].add(f'{key["ip6"]}/128') ipset_add(ipsets, network, ip4, ip6)
# Create config files. # Create config files.
output = pathlib.Path.home() / 'config' / f'{version}' output = pathlib.Path.home() / 'config' / f'{version}'