Added cronjob for IPtables retention

which, by default, deletes IPtables rules
that have not been updated the last 24h.

cronjobs/README.md

@@ -0,0 +1,10 @@
+# Cronjob directory for vpn-proxy
+
+Executables contained in this directory are used to create cronjobs.
+
+## IPtables Retention
+
+In order to minimize the overhead of parsing large IPtables chains, we are
+applying an IPtables retention policy. The `iptables.sh` appends a daily
+cronjob under /etc/cron.daily/ in order to take care of disabling IPtables
+rules, which have not been updated the last 24h.

cronjobs/iptables.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+
+DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )"/.. && pwd )"
+LOG="$DIR/iptables-retention.log"
+
+cat > /etc/cron.daily/vpn-proxy-iptables << EOF
+#!/bin/sh
+
+main () {
+    echo
+    echo "=========== IPtables Retention ==========="
+    echo "Triggered at: `date`"
+    echo "=========================================="
+    echo
+    cd $DIR/vpn-proxy && ./manage.py retain_iptables
+}
+
+main >> $LOG 2>&1
+EOF
+chmod +x /etc/cron.daily/vpn-proxy-iptables
+
+echo "Cronjob for IPtables retention added under /etc/cron.daily/"

vpn-proxy/app/management/commands/retain_iptables.py

@@ -0,0 +1,24 @@
+from django.core.management.base import BaseCommand
+from app.models import Forwarding
+
+import datetime
+
+
+class Command(BaseCommand):
+    help = "Trigger IPtables retention."
+
+    def add_arguments(self, parser):
+        parser.add_argument('tunnel', nargs='*', type=int)
+        parser.add_argument('--time', default=(60 * 60 * 24), type=int)
+
+    def handle(self, *args, **kwargs):
+        query = {}
+        query['updated_at__lt'] = (
+            datetime.datetime.utcnow() -
+            datetime.timedelta(seconds=kwargs['time'])
+        )
+        if kwargs['tunnel']:
+            query['tunnel_id__in'] = kwargs['tunnel']
+        for frule in Forwarding.objects.filter(**query):
+            self.stdout.write("Disabling %s..." % frule)
+            frule.disable()