def on_deleted(path):
"""Invoked when a network rule is deleted."""
# Edge case, if the directory where the rules are kept gets removed,
# abort
if path == rulemgr.path:
_LOGGER.critical('Network rules directory was removed: %r',
path)
utils.sys_exit(1)
# The rule is the filename
rule_file = os.path.basename(path)
_LOGGER.info('Removing %r', rule_file)
chain_rule = rulemgr.get_rule(rule_file)
if chain_rule is not None:
chain, rule = chain_rule
iptables.delete_rule(rule, chain=chain)
if isinstance(rule, fw.PassThroughRule):
if passthrough[rule.src_ip] == 1:
# Remove the IPs from the passthrough set
passthrough.pop(rule.src_ip)
_LOGGER.info('Removing passthrough %r', rule.src_ip)
iptables.rm_ip_set(iptables.SET_PASSTHROUGHS, rule.src_ip)
iptables.flush_pt_conntrack_table(rule.src_ip)
else:
passthrough[rule.src_ip] -= 1
else:
_LOGGER.warning('Ignoring unparseable file %r', rule_file)
def test_rm_ip_set(self):
"""Test removal of IP from a given set"""
# Disable W0212: Test access protected members of admin module.
# pylint: disable=W0212
iptables.rm_ip_set('foo', '1.2.3.4')
treadmill.iptables._ipset.assert_called_with('del', 'foo', '1.2.3.4')
def test_rm_ip_set(self):
"""Test removal of IP from a given set"""
# Disable protected-access: Test access protected members .
# pylint: disable=protected-access
iptables.rm_ip_set('foo', '1.2.3.4')
treadmill.iptables._ipset.assert_called_with('-exist', 'del', 'foo',
'1.2.3.4')
def _delete_mark_rule(src_ip, environment):
"""Remove an environment mark from a source IP.
:param ``str`` src_ip:
Source IP on which the mark is set.
:param ``str`` environment:
Environment to use for the mark
"""
assert environment in _SET_BY_ENVIRONMENT, \
'Unknown environment: %r' % environment
target_set = _SET_BY_ENVIRONMENT[environment]
iptables.rm_ip_set(target_set, src_ip)
def _cleanup_ports(tm_env, unique_name, vip, ports, proto):
"""Cleanup firewall rules for ports."""
for port in ports:
# We treat ephemeral ports as infra, consistent with current
# prodperim behavior.
iptables.rm_ip_set(
iptables.SET_INFRA_SVC, '{ip},{proto}:{port}'.format(ip=vip,
proto=proto,
port=port))
dnatrule = firewall.DNATRule(proto=proto,
orig_ip=tm_env.host_ip,
orig_port=port,
new_ip=vip,
new_port=port)
tm_env.rules.unlink_rule(rule=dnatrule, owner=unique_name)
def _cleanup_network(tm_env, app, network_client):
"""Cleanup the network part of a container.
"""
# Generate a unique name for the app
unique_name = appmgr.app_unique_name(app)
try:
app_network = network_client.get(unique_name)
except services.ResourceServiceError:
_LOGGER.warning('network never allocated')
return
if app_network is None:
_LOGGER.info('Network resource already freed')
return
# Unconfigure passthrough
if hasattr(app, 'passthrough'):
_LOGGER.info('Deleting passthrough for: %r', app.passthrough)
# Resolve all the hosts
# FIXME: There is no guarantie the hosts will resolve to
# the same IPs as they did during creation.
ips = set([socket.gethostbyname(host) for host in app.passthrough])
for ip in ips:
tm_env.rules.unlink_rule(
rule=firewall.PassThroughRule(src_ip=ip,
dst_ip=app_network['vip']),
owner=unique_name,
)
for endpoint in app.endpoints:
tm_env.rules.unlink_rule(
rule=firewall.DNATRule(proto=endpoint.proto,
orig_ip=app.host_ip,
orig_port=endpoint.real_port,
new_ip=app_network['vip'],
new_port=endpoint.port),
owner=unique_name,
)
# See if this was an "infra" endpoint and if so remove it
# from the whitelist set.
if getattr(endpoint, 'type', None) == 'infra':
_LOGGER.debug('removing %s:%s from infra services set',
app_network['vip'], endpoint.port)
iptables.rm_ip_set(
iptables.SET_INFRA_SVC, '{ip},{proto}:{port}'.format(
ip=app_network['vip'],
proto=endpoint.proto,
port=endpoint.port,
))
_cleanup_ports(tm_env, unique_name, app_network['vip'],
app.ephemeral_ports.tcp, 'tcp')
_cleanup_ports(tm_env, unique_name, app_network['vip'],
app.ephemeral_ports.udp, 'udp')
# Terminate any entries in the conntrack table
iptables.flush_conntrack_table(app_network['vip'])
# Cleanup network resources
network_client.delete(unique_name)
