Make the cli more friendly.

README.md

@@ -0,0 +1,6 @@
+# Re2o firewall with nftables
+
+dependencies :
+
+	- re2oapi
+	- python3-click

firewall.service

@@ -5,8 +5,8 @@ After=network.target
 [Service]
 Type=oneshot
 RemainAfterExit=yes
-ExecStart=/usr/local/firewall/init_firewall.py
-ExecReload=/usr/local/firewall/init_firewall.py
+ExecStart=/usr/local/firewall/main.py
+ExecReload=/usr/local/firewall/main.py
 
 [Install]
 WantedBy=multi-user.target

init_firewall.py

@@ -1,47 +0,0 @@
-#! /usr/bin/python3
-import os
-import logging
-from logging.handlers import RotatingFileHandler
-
-import nat
-import mac_ip
-
-BASE_DIR = os.path.dirname(os.path.abspath(__file__))
-
-LOG_LEVEL = logging.INFO
-
-logger = logging.getLogger()
-logger.setLevel(LOG_LEVEL)
-formatter = logging.Formatter('%(asctime)s :: %(levelname)s :: %(message)s')
-file_handler = RotatingFileHandler('/var/log/firewall.log', 'a', 1000000, 1)
-file_handler.setLevel(LOG_LEVEL)
-file_handler.setFormatter(formatter)
-logger.addHandler(file_handler)
-stream_handler = logging.StreamHandler()
-stream_handler.setFormatter(formatter)
-stream_handler.setLevel(LOG_LEVEL)
-logger.addHandler(stream_handler)
-
-logger.info("Activation des paramètres noyau")
-logging.debug("Activation du routage des paquets")
-os.system('echo "1" > /proc/sys/net/ipv4/ip_forward')
-logger.debug("Active la protection TCP SYN Cookies (demandes de connexion repetes)")
-os.system('echo "1" > /proc/sys/net/ipv4/tcp_syncookies')
-logger.debug("Filtrage en mode strict des paquets pour éviter l'IP spoofing "
-             "(voir RFC3704 Strict Reverse Path)")
-os.system('echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter')
-os.system('echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter')
-logger.debug("Don't accept source routed packets.")
-os.system('echo "0" > /proc/sys/net/ipv4/conf/all/accept_source_route')
-
-logger.info("Chargement du firewall")
-os.system('nft -I {install_dir} -f {firewall}'.format(
-    install_dir=BASE_DIR,
-    firewall=os.path.join(BASE_DIR, 'firewall.nft')
-))
-
-logger.info("Chargement de la table mac_ip")
-mac_ip.update_macip()
-
-logger.info("Chargement de la table nat")
-nat.main()

main.py

@@ -0,0 +1,49 @@
+#! /usr/bin/python3
+import os
+import logging
+from logging.handlers import RotatingFileHandler
+
+import click
+
+import nat as _nat
+import mac_ip as _mac_ip
+
+BASE_DIR = os.path.dirname(os.path.abspath(__file__))
+
+LOG_LEVEL = logging.INFO
+
+logger = logging.getLogger()
+logger.setLevel(LOG_LEVEL)
+formatter = logging.Formatter('%(levelname)s :: %(message)s')
+file_handler = RotatingFileHandler('/var/log/firewall.log', 'a', 1000000, 1)
+file_handler.setLevel(LOG_LEVEL)
+file_handler.setFormatter(formatter)
+logger.addHandler(file_handler)
+stream_handler = logging.StreamHandler()
+stream_handler.setFormatter(formatter)
+stream_handler.setLevel(LOG_LEVEL)
+logger.addHandler(stream_handler)
+
+@click.group(invoke_without_command=True)
+@click.pass_context
+def cli(ctx):
+    logger.info("Starting Re2o firewall manager.")
+    if ctx.invoked_subcommand is None:
+        logger.info("Loading firewall.")
+        os.system('nft -I {install_dir} -f {firewall}'.format(
+            install_dir=BASE_DIR,
+            firewall=os.path.join(BASE_DIR, 'firewall.nft')
+        ))
+        _mac_ip.update_macip()
+        _nat.main()
+
+@cli.command()
+def macip():
+    _mac_ip.update_macip()
+
+@cli.command()
+def nat():
+    _nat.main()
+
+if __name__ == '__main__':
+    cli()