python很强大,其中很大一部分原因是python具有丰富的库支撑。比如我们想自己控制防火墙来完成某些特定的功能需求,就可以使用python的iptables库很轻松地实现对iptables规则的管理。具体文档可以参考:python iptables
下面来看一个具体的例子吧:基于rpc实现了一个对外接口,可以远程添加iptables规则;另外还有一个周期性调度的功能,定期检测新增的规则是否还存在,不存在则重新添加。
import re
import time
from SimpleXMLRPCServer import SimpleXMLRPCServer

import iptc
from apscheduler.scheduler import Scheduler

import mylogger
# MAC addresses accepted by add_rule(); task() re-checks each one on every run.
# It is mutated from the XML-RPC handler and read by the scheduled job, which
# (given how __main__ starts them) apparently run on different threads with no
# lock — iterate over a snapshot (list(vmrouters)) rather than the live set.
vmrouters = set()
# Project logger; mylogger is not a stdlib module. Assumed to return a
# logging.Logger-like object with debug()/error() — TODO confirm.
logger = mylogger.Logger(logname='myiptc.log', logger='myiptc').getlog()
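def task():
    """Periodic job: re-check every MAC in ``vmrouters`` and forget the ones
    no rule matches any more.

    For each registered MAC, ``insert(mac)`` re-adds the catch-all RETURN
    rule if it has gone missing and returns 1 when some rule in the Neutron
    chain still matches the MAC; a 0 means the router is gone, so its entry
    is dropped from ``vmrouters``.

    The loop walks a snapshot of the set: the original removed entries from
    the set it was iterating, which raises ``RuntimeError: Set changed size
    during iteration`` at the next step — outside the ``try`` below — and
    aborted the whole pass. The snapshot also keeps this job from tripping
    over ``add_rule`` adding entries concurrently.
    """
    logger.debug('rolling task')
    for mac in list(vmrouters):
        try:
            istarget = insert(mac)
            if istarget == 0:
                # discard() rather than remove(): the entry may already have
                # disappeared between the snapshot and now.
                vmrouters.discard(mac)
                logger.debug('rolling task remove not match target ' + mac)
        except Exception as e:
            # Best-effort job: one bad entry must not stop the others.
            logger.error(e)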
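def insert(mac):
    """Ensure a catch-all RETURN rule exists in the Neutron anti-spoofing
    chain when ``mac`` is matched by a rule in that chain.

    Looks up, in the FILTER table, the first chain whose name starts with
    ``neutron-openvswi-s`` and scans its rules:

    * ``istarget`` becomes 1 if any rule carries a match whose
      ``mac_source`` equals ``mac`` (compared upper-cased, the way iptables
      prints MACs);
    * ``existrule`` becomes 1 if a rule with source ``0.0.0.0/...``,
      destination ``0.0.0.0/0...`` and target ``RETURN`` is already present.

    If the MAC is matched but no such RETURN rule exists, one is inserted
    with ``chain.insert_rule`` — which, unless given a position, puts it at
    the head of the chain, so it short-circuits every rule below it. That is
    a broad allow on a security chain; keep the chain-name prefix tight.

    Args:
        mac: MAC address string, e.g. ``'fa:16:3e:00:00:01'``.

    Returns:
        1 if ``mac`` is matched by a rule in the chain, else 0. Also 0 when
        no matching chain exists or iptables access fails; such failures are
        logged rather than raised.
    """
    istarget = 0
    try:
        table = iptc.Table(iptc.Table.FILTER)
        # Select the chain explicitly: the original reused the leaked loop
        # variable after ``break``, which silently picked the *last* chain of
        # the table when no name matched the prefix.
        chain = None
        for candidate in table.chains:
            if candidate.name.startswith('neutron-openvswi-s'):
                chain = candidate
                break
        if chain is None:
            logger.error('no chain starting with neutron-openvswi-s for ' + mac)
            return istarget
        wanted = mac.upper()
        existrule = 0
        for rule in chain.rules:
            for match in rule.matches:
                # Only the ``mac`` match carries mac_source; getattr keeps
                # another match type from raising and aborting the scan.
                if getattr(match, 'mac_source', None) == wanted:
                    istarget = 1
                    break
            if (rule.src.startswith('0.0.0.0/')
                    and rule.dst.startswith('0.0.0.0/0')
                    and rule.target.name == 'RETURN'):
                existrule = 1
        if istarget == 1 and existrule == 0:
            rule = iptc.Rule()
            rule.src = '0.0.0.0/0.0.0.0'
            rule.dst = '0.0.0.0/0.0.0.0'
            rule.target = iptc.Target(rule, 'RETURN')
            chain.insert_rule(rule)
        elif istarget == 1:
            logger.debug(mac + ' rule already added')
    except Exception as e:
        logger.error(e)
    return istarget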
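# Colon-separated MAC, the only form iptables' mac match reports.
_MAC_RE = re.compile(r'^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$')


def add_rule(mac):
    """XML-RPC entry point: register ``mac`` and make sure its RETURN rule is
    in place.

    Reachable by any client that can connect to the server socket (nothing
    in this file authenticates callers), so ``mac`` is untrusted: it is
    checked against ``xx:xx:xx:xx:xx:xx`` before it is handed to ``insert``
    or concatenated into log lines. A non-string or malformed value yields
    ``'error'`` instead of the TypeError the original raised back to the
    client from ``'add_rule ' + mac``.

    Args:
        mac: MAC address string to register.

    Returns:
        ``'success'`` when a rule matching ``mac`` exists in the Neutron
        chain (``mac`` is then added to ``vmrouters`` for periodic
        re-checking by ``task``), otherwise ``'error'``. Exceptions are
        logged, never raised to the RPC client.
    """
    ret = 'error'
    try:
        # A non-string mac raises TypeError here; it is caught below.
        if not _MAC_RE.match(mac):
            logger.error('add_rule rejected malformed mac %r' % (mac,))
            return ret
        logger.debug('add_rule ' + mac)
        if insert(mac) == 1:
            vmrouters.add(mac)
            ret = 'success'
        else:
            logger.error('no match target ' + mac)
    except Exception as e:
        logger.error(e)
    return ret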
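if __name__ == '__main__':
    # Periodic re-check of registered MACs. The original passed second='*',
    # which in a cron trigger matches every second of each matching minute,
    # i.e. the job fired once a second during minutes 0,5,10,...; pinning
    # second to 0 gives the "every 5 minutes" that task() documents.
    sched = Scheduler(daemonic=False)
    sched.add_cron_job(task, day_of_week='*', hour='*', minute='*/5', second=0)
    sched.start()
    # Unauthenticated XML-RPC endpoint: anyone who can reach this address can
    # call add_rule. Binding to one interface address instead of 0.0.0.0 is
    # the only network-level restriction applied here.
    server = SimpleXMLRPCServer(('192.168.5.12', 4501), allow_none=True)
    logger.debug('Listening on port 4501...')
    server.register_function(add_rule, 'add_rule')
    server.serve_forever()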