2016-12-14 23:18:16 +00:00
|
|
|
#!/usr/bin/env python
|
2017-02-22 13:41:58 +00:00
|
|
|
# Python helper tool to add IPtables rule using the iptc library. This must
|
|
|
|
# of course run as root for iptc to work.
|
2016-12-14 23:18:16 +00:00
|
|
|
|
2017-11-16 21:17:40 +00:00
|
|
|
from os import getuid
|
2017-03-06 15:03:57 +00:00
|
|
|
from sys import exit
|
2017-09-29 16:40:57 +00:00
|
|
|
from argparse import ArgumentParser, FileType, ArgumentTypeError
|
2016-12-14 23:18:16 +00:00
|
|
|
from pprint import pprint as pp
|
2017-03-03 00:04:12 +00:00
|
|
|
from configparser import RawConfigParser
|
2017-09-29 15:56:16 +00:00
|
|
|
from datetime import datetime, timedelta
|
2017-11-15 22:12:16 +00:00
|
|
|
from io import BytesIO
|
2016-12-14 23:18:16 +00:00
|
|
|
|
2017-11-17 16:23:51 +00:00
|
|
|
from portalclientlib.client import Client
|
|
|
|
from portalclientlib.storage import StoragePostgres
|
|
|
|
from portalclientlib.helpers import run_ipset
|
2016-12-14 23:18:16 +00:00
|
|
|
|
2017-09-29 15:44:40 +00:00
|
|
|
|
|
|
|
# Custom defined argparse types for dates
|
|
|
|
def valid_date_type(arg_date_str):
|
|
|
|
"""custom argparse *date* type for user dates values given from the command line"""
|
|
|
|
try:
|
2017-09-29 16:40:57 +00:00
|
|
|
return datetime.strptime(arg_date_str, "%Y-%m-%d")
|
2017-09-29 15:44:40 +00:00
|
|
|
except ValueError:
|
|
|
|
msg = "Given Date ({0}) not valid! Expected format, YYYY-MM-DD!".format(arg_date_str)
|
2017-09-29 16:40:57 +00:00
|
|
|
raise ArgumentTypeError(msg)
|
2017-09-29 15:44:40 +00:00
|
|
|
|
|
|
|
|
|
|
|
def valid_datetime_type(arg_datetime_str):
|
|
|
|
"""custom argparse type for user datetime values given from the command line"""
|
|
|
|
try:
|
2017-09-29 16:40:57 +00:00
|
|
|
return datetime.strptime(arg_datetime_str, "%Y-%m-%d %H:%M")
|
2017-09-29 15:44:40 +00:00
|
|
|
except ValueError:
|
2017-11-18 20:33:37 +00:00
|
|
|
msg = "Given Datetime ({0}) not valid! Expected format, 'YYYY-MM-DD HH:mm'!".format(
|
|
|
|
arg_datetime_str)
|
|
|
|
raise ArgumentTypeError(msg)
|
2017-09-29 15:44:40 +00:00
|
|
|
|
|
|
|
|
2017-11-15 22:12:16 +00:00
|
|
|
parser = ArgumentParser(
|
|
|
|
'''
|
|
|
|
Handle clients in the captive portal. Default mode of operation is to
|
|
|
|
create new clients and enable them.
|
|
|
|
'''
|
|
|
|
)
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
'-v', '--verbose',
|
|
|
|
action='count',
|
|
|
|
default=False,
|
|
|
|
dest='verbose',
|
|
|
|
help='Verbose output, use more v\'s to increase verbosity'
|
|
|
|
)
|
2017-03-07 16:15:39 +00:00
|
|
|
|
2017-09-29 15:44:40 +00:00
|
|
|
parser.add_argument(
|
|
|
|
'--expires',
|
|
|
|
type=valid_datetime_type,
|
|
|
|
default=datetime.now() + timedelta(days=1),
|
|
|
|
help='Expiry date in format "YYYY-MM-DD HH:mm"'
|
|
|
|
)
|
|
|
|
|
2017-03-07 16:15:39 +00:00
|
|
|
parser.add_argument(
|
|
|
|
'--disable',
|
|
|
|
default=False,
|
2017-03-07 16:21:52 +00:00
|
|
|
action='store_true',
|
2017-03-07 16:15:39 +00:00
|
|
|
help='Disable the client in the DB and delete from firewall'
|
|
|
|
)
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
'--delete',
|
|
|
|
default=False,
|
2017-03-07 16:21:52 +00:00
|
|
|
action='store_true',
|
2017-03-07 16:15:39 +00:00
|
|
|
help='Delete the client from DB and firewall'
|
|
|
|
)
|
2016-12-14 23:18:16 +00:00
|
|
|
|
2017-03-03 00:04:12 +00:00
|
|
|
parser.add_argument(
|
2017-11-15 22:12:16 +00:00
|
|
|
'--refresh',
|
|
|
|
action='store_true',
|
|
|
|
help='Refresh client ipset data first'
|
2017-03-03 00:04:12 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
'--config',
|
|
|
|
type=FileType('r'),
|
|
|
|
required=True,
|
|
|
|
help='Configuration file'
|
|
|
|
)
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
'src_ip',
|
2017-11-15 22:12:16 +00:00
|
|
|
nargs='*',
|
2017-03-03 00:04:12 +00:00
|
|
|
help='Client source IP to add'
|
|
|
|
)
|
2016-12-14 23:18:16 +00:00
|
|
|
|
|
|
|
args = parser.parse_args()
|
|
|
|
|
2017-03-03 00:04:12 +00:00
|
|
|
config = RawConfigParser()
|
|
|
|
config.readfp(args.config)
|
|
|
|
|
2017-03-06 15:03:57 +00:00
|
|
|
sr = StoragePostgres(config=config)
|
2017-11-15 22:12:16 +00:00
|
|
|
|
2017-11-18 23:45:24 +00:00
|
|
|
if getuid() == 0:
|
|
|
|
use_sudo = False
|
|
|
|
else:
|
|
|
|
use_sudo = True
|
2017-11-16 21:17:40 +00:00
|
|
|
|
2017-11-18 23:45:24 +00:00
|
|
|
if args.refresh:
|
2017-11-15 22:12:16 +00:00
|
|
|
# Sync clients and packet counters from ipset into storage.
|
|
|
|
proc = run_ipset(
|
|
|
|
'list',
|
2017-11-20 09:58:21 +00:00
|
|
|
config.get('portalclient', 'ipset_name'),
|
2017-11-15 22:12:16 +00:00
|
|
|
'-output',
|
2017-11-16 12:46:30 +00:00
|
|
|
'save',
|
2017-11-16 21:17:40 +00:00
|
|
|
use_sudo=use_sudo,
|
2017-11-16 17:39:01 +00:00
|
|
|
timeout=600
|
2017-11-15 22:12:16 +00:00
|
|
|
)
|
|
|
|
|
2017-11-18 20:33:37 +00:00
|
|
|
current_time = datetime.now()
|
2017-11-16 20:10:25 +00:00
|
|
|
|
2017-11-16 20:36:37 +00:00
|
|
|
for _line in proc.splitlines():
|
2017-11-15 22:12:16 +00:00
|
|
|
# Convert from bytestring first
|
|
|
|
line = _line.decode('utf-8')
|
2017-11-18 20:33:37 +00:00
|
|
|
expired = False
|
2017-11-15 22:12:16 +00:00
|
|
|
|
|
|
|
if not line.startswith('add'):
|
|
|
|
continue
|
|
|
|
|
|
|
|
(
|
|
|
|
cmd,
|
|
|
|
set_name,
|
|
|
|
client_ip,
|
|
|
|
packets_str,
|
|
|
|
packets_val,
|
|
|
|
bytes_str,
|
|
|
|
bytes_val
|
|
|
|
) = line.split()
|
|
|
|
|
|
|
|
try:
|
|
|
|
client = Client(
|
|
|
|
storage=sr,
|
|
|
|
ip_address=client_ip,
|
2017-11-20 09:58:21 +00:00
|
|
|
ipset_name=config.get('portalclient', 'ipset_name'),
|
2017-11-16 22:56:15 +00:00
|
|
|
use_sudo=use_sudo
|
2017-11-15 22:12:16 +00:00
|
|
|
)
|
|
|
|
except Exception as e:
|
|
|
|
if args.verbose:
|
|
|
|
print('Failed to init client:{ip}: {error}'.format(
|
|
|
|
ip=client_ip,
|
|
|
|
error=str(e)
|
|
|
|
))
|
2017-11-18 20:33:37 +00:00
|
|
|
|
|
|
|
if args.verbose > 2:
|
|
|
|
raise
|
|
|
|
|
2017-11-15 22:12:16 +00:00
|
|
|
continue
|
|
|
|
|
2017-11-18 20:33:37 +00:00
|
|
|
if current_time > client.expires:
|
|
|
|
expired = True
|
|
|
|
|
|
|
|
if client._new:
|
2017-11-16 20:53:22 +00:00
|
|
|
if args.verbose:
|
|
|
|
print('Creating new client:{ip}'.format(
|
|
|
|
ip=client.ip_address
|
|
|
|
))
|
2017-11-16 21:26:57 +00:00
|
|
|
client.enabled = True
|
2017-11-18 20:33:37 +00:00
|
|
|
|
|
|
|
if not client.last_activity and expired:
|
|
|
|
if args.verbose:
|
|
|
|
print('Client:{ip} disabled, no activity ever logged'.format(
|
|
|
|
ip=client.ip_address
|
|
|
|
))
|
|
|
|
|
|
|
|
client.enabled = False
|
2017-11-15 22:12:16 +00:00
|
|
|
client.commit()
|
2017-11-18 20:33:37 +00:00
|
|
|
# No more processing for these types of clients.
|
|
|
|
continue
|
2017-11-15 22:12:16 +00:00
|
|
|
|
2017-11-18 20:33:37 +00:00
|
|
|
if int(packets_val) > client.last_packets:
|
2017-11-17 16:23:51 +00:00
|
|
|
if args.verbose > 1:
|
2017-11-18 20:33:37 +00:00
|
|
|
print('Client:{ip} updated'.format(
|
2017-11-16 20:53:22 +00:00
|
|
|
ip=client.ip_address
|
|
|
|
))
|
2017-11-15 22:12:16 +00:00
|
|
|
|
2017-11-18 20:33:37 +00:00
|
|
|
client.last_packets = packets_val
|
|
|
|
client.last_activity = current_time
|
2017-11-16 20:46:05 +00:00
|
|
|
|
2017-11-18 20:33:37 +00:00
|
|
|
if client.last_activity and expired:
|
|
|
|
active_diff = current_time - client.last_activity
|
|
|
|
|
|
|
|
if active_diff.days >= 1 and client.last_activity != current_time:
|
2017-11-16 20:53:22 +00:00
|
|
|
if args.verbose:
|
2017-11-18 20:33:37 +00:00
|
|
|
print('Client:{ip} disabled, no activity since "{last_activity}"'.format(
|
|
|
|
last_activity=client.last_activity,
|
2017-11-16 20:53:22 +00:00
|
|
|
ip=client.ip_address
|
|
|
|
))
|
2017-11-18 20:33:37 +00:00
|
|
|
|
|
|
|
client.enabled = False
|
|
|
|
|
|
|
|
client.commit()
|
2017-11-16 20:10:25 +00:00
|
|
|
|
2017-11-15 22:12:16 +00:00
|
|
|
for src_ip in args.src_ip:
|
|
|
|
# Get client by IP or create a new one.
|
2017-03-06 15:03:57 +00:00
|
|
|
client = Client(
|
|
|
|
storage=sr,
|
2017-11-15 22:12:16 +00:00
|
|
|
ip_address=src_ip,
|
2017-11-20 09:58:21 +00:00
|
|
|
ipset_name=config.get('portalclient', 'ipset_name'),
|
2017-11-18 23:45:24 +00:00
|
|
|
use_sudo=use_sudo
|
2017-03-06 15:03:57 +00:00
|
|
|
)
|
2017-11-15 22:12:16 +00:00
|
|
|
|
|
|
|
if args.delete:
|
|
|
|
# This both deletes the ipset entry AND the client entry from DB. Normally
|
|
|
|
# excessive and disable is better.
|
|
|
|
client.delete()
|
|
|
|
exit(0)
|
|
|
|
|
|
|
|
if args.disable:
|
|
|
|
client.enabled = False
|
|
|
|
else:
|
|
|
|
client.enabled = True
|
|
|
|
|
2017-09-29 16:50:41 +00:00
|
|
|
if args.expires:
|
|
|
|
client.expires = args.expires
|
2017-11-15 22:12:16 +00:00
|
|
|
|
2017-03-07 16:15:39 +00:00
|
|
|
client.commit()
|