def __init__(self, definedroutes, chain_name, routing_rules,
update_interval):
self.definedroutes = definedroutes
self.chain_name = chain_name
self.update_interval = update_interval
self.routing_rules = routing_rules
self.current_routes = []
self.default_rule = None
self.current_default_route = None
self.iptables = IPTables()
self.last_update_time = None
# Sorry but for now we need this cleanup script because gunicorn doesn't have an # on_exit hook to cleanup what the application need to run. # So you should run this script to cleanup all the iptable rules the application # created during its runtime. Please notice that the database will persist! from iptables import IPTables ipt = IPTables() ipt.shutdown()
from config import ConfigReader
from iptables import IPTables
from api import run_main
if __name__ == '__main__':
cfg = ConfigReader()
ipt = IPTables(cfg)
# Used one time for the initial setup.
# ipt.setup_chain()
# ipt.get_chain()
# ipt.add_rule('192.168.1.6')
run_main(cfg)
#!/usr/local/bin/python
# script to remove all MACs older than 12 hours
# add this to
import db as database
from iptables import IPTables
ipt = IPTables()
db = database.DB()
# remove all MACs older than 12 hours from db and iptables
for mac in db.getExpiredMACs():
print("removed: " + mac)
db.rmMAC(mac)
ipt.lockMAC(mac)
class RoutingHelper:
def __init__(self, definedroutes, chain_name, routing_rules,
update_interval):
self.definedroutes = definedroutes
self.chain_name = chain_name
self.update_interval = update_interval
self.routing_rules = routing_rules
self.current_routes = []
self.default_rule = None
self.current_default_route = None
self.iptables = IPTables()
self.last_update_time = None
def initialize_iptables(self):
fwmark_drop = self.definedroutes.get_fwmark_drop()
main_chain = self.chain_name["main"]
self.iptables.add_chain("mangle", main_chain)
self.iptables.add_rule("mangle", main_chain, "-j MARK --set-mark 0")
i = 0
for routing_rule in self.routing_rules:
self.current_routes.append(None)
check_chain = self.chain_name["check"] % i
rule_chain = self.chain_name["rule"] % i
self.iptables.add_chain("mangle", check_chain)
self.iptables.add_chain("mangle", rule_chain)
# If the packet match this rule in check chain, jump to the rule chain
def add_rule_callback(filter_phrase):
self.iptables.add_rule(
"mangle", check_chain,
"%s -j %s" % (filter_phrase, rule_chain))
if "match" in routing_rule:
rulematchers.add_match_rule(add_rule_callback,
routing_rule["match"],
routing_rule["match_value"])
else:
# This is the default rule, should be added to the main table
self.default_rule = routing_rule["route"]
# If a packet returned to check chain from rule chain, it doesn't routed in rule chain
# Because no available routing rule
# Fallthrough?
if "fallthrough" in routing_rule and routing_rule["fallthrough"]:
# Clear the 'drop' mark to match the next rule
self.iptables.add_rule("mangle", check_chain,
"-j MARK --set-mark 0")
# Append the rule's check chain to main chain
self.iptables.add_rule("mangle", main_chain,
"-m mark --mark 0 -j %s" % check_chain)
i += 1
self.iptables.add_rule("mangle", "OUTPUT", "-j %s" % main_chain)
self.iptables.add_rule("mangle", "PREROUTING", "-j %s" % main_chain)
def update_states(self, states):
def compute_route(route, states):
for case in route:
if eval(case["condition"]):
return case["to"]
return None
current_time = time.time()
if self.last_update_time and current_time - self.last_update_time < self.update_interval:
# Update only once in an interval
return
self.last_update_time = current_time
i = 0
for routing_rule in self.routing_rules:
# Compute the new route based on the new state
self.update_rule_route(
i, compute_route(routing_rule["route"], states))
i += 1
# Update 'default' rule route
self.update_default_route(compute_route(self.default_rule, states))
#sorry but for now we need this starter script
from iptables import IPTables
import db as database
db = database.DB()
ipt = IPTables()
dns1 = '188.40.255.242'
dns2 = '213.73.91.35'
ipt.start()
ipt.unlockDNS(dns1)
ipt.unlockDNS(dns2)
db.removeExpired()
for mac in db.getMACs():
ipt.unlockMAC(mac)
