Commit f4cb71c4 authored by Wágner Ferenc's avatar Wágner Ferenc

Directly emit netfilter set syntax from dnslookup filter plugins

parent fecc3460
......@@ -2,8 +2,8 @@ import dns.resolver
class FilterModule(object):
def filters(self):
return { 'dnsLookupA': self.dnsLookupA,
'dnsLookupAAAA': self.dnsLookupAAAA }
return { 'dnsSetA': self.dnsSetA,
'dnsSetAAAA': self.dnsSetAAAA }
def dnsLookup(self, record_type, names):
records = []
......@@ -12,8 +12,11 @@ class FilterModule(object):
records.append(rdata.to_text())
return records
def dnsLookupA(self, names):
return self.dnsLookup('A', names)
def dnsSet(self, recType, names):
return '{ ' + ', '.join(self.dnsLookup(recType, names)) + ' }'
def dnsLookupAAAA(self, names):
return self.dnsLookup('AAAA', names)
def dnsSetA(self, names):
return self.dnsSet('A', names)
def dnsSetAAAA(self, names):
return self.dnsSet('AAAA', names)
......@@ -43,11 +43,11 @@ table inet filter {
chain new-in {
tcp flags & (syn|ack) == syn|ack counter reject with tcp reset
tcp flags & (fin|syn|rst|ack) != syn counter jump bad-new
ip saddr { {{ monitor_hosts|dnsLookupA|join(',') }} } tcp dport { {{ monitor_ports|join(',') }} } accept
ip6 saddr { {{ monitor_hosts|dnsLookupAAAA|join(',') }} } tcp dport { {{ monitor_ports|join(',') }} } accept
ip saddr {{ monitor_hosts|dnsSetA }} tcp dport { {{ monitor_ports|join(',') }} } accept
ip6 saddr {{ monitor_hosts|dnsSetAAAA }} tcp dport { {{ monitor_ports|join(',') }} } accept
tcp dport { ssh, https, smtp, submission } accept
tcp dport { auth, http } reject
ip saddr {{ lookup('dig','baas-dir1.niif.hu') }} tcp dport bacula-fd accept
ip saddr {{ lookup('dig', 'baas-dir1.niif.hu') }} tcp dport bacula-fd accept
icmp type echo-request accept
}
chain new-out {
......@@ -55,7 +55,7 @@ table inet filter {
udp dport { domain, snmp, 33434-33600 } accept
ip protocol icmp accept
ip daddr {{ lookup('dig','rspamd.mail.einfra.hu') }} tcp dport 11333 accept
ip daddr { {{ ['baas-sd1.niif.hu', 'baas-sd2.niif.hu']|dnsLookupA|join(',') }} } tcp dport bacula-sd accept
ip daddr {{ ['baas-sd1.niif.hu', 'baas-sd2.niif.hu']|dnsSetA }} tcp dport bacula-sd accept
ip daddr {{ lookup('dig','ingest.logger.niif.hu') }} tcp dport 9200 accept
ip6 daddr {{ lookup('dig','ingest.logger.niif.hu/AAAA') }} tcp dport 9200 accept
}
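Review bot: L40 rewrites `lookup('dig','baas-dir1.niif.hu')` as `lookup('dig', 'baas-dir1.niif.hu')` for spacing only, while the same file's other `lookup('dig','…')` calls on L47, L50 and L51 keep the old form, so the commit leaves the template with two styles for one construct; either drop that whitespace-only change or normalize the remaining calls in the same commit. Those `lookup('dig', …)` rules also bypass the new `dnsSetA`/`dnsSetAAAA` filters, so they do not get the brace-wrapped set syntax this commit introduces; if multi-record answers are possible for those names, writing them as `{{ ['baas-dir1.niif.hu']|dnsSetA }}` would make all resolved-address rules behave the same way — I cannot confirm from the page how the `dig` lookup formats multiple records. `chain new-out` starts at L43 and continues outside the hunk.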