def _check_for_dup_router_subnet(self, context, router_id,
network_id, subnet_id):
try:
rport_qry = context.session.query(models_v2.Port)
rports = rport_qry.filter_by(
device_id=router_id,
device_owner=DEVICE_OWNER_ROUTER_INTF,).all()
# its possible these ports on on the same network, but
# different subnet
new_cidr = self._get_subnet(context, subnet_id)['cidr']
new_ipnet = netaddr.IPNetwork(new_cidr)
for p in rports:
for ip in p['fixed_ips']:
if ip['subnet_id'] == subnet_id:
msg = ("Router already has a port on subnet %s"
% subnet_id)
raise q_exc.BadRequest(resource='router', msg=msg)
cidr = self._get_subnet(context, ip['subnet_id'])['cidr']
ipnet = netaddr.IPNetwork(cidr)
match1 = netaddr.all_matching_cidrs(new_ipnet, [cidr])
match2 = netaddr.all_matching_cidrs(ipnet, [new_cidr])
if match1 or match2:
msg = (("Cidr %s of subnet %s is overlapped "
+ "with cidr %s of subnet %s")
% (new_cidr, subnet_id, cidr, ip['subnet_id']))
raise q_exc.BadRequest(resource='router', msg=msg)
except exc.NoResultFound:
pass
def process_asn(ip_address):
# Determine if ASN Already Found
found_asn = 0
if not len(netaddr.all_matching_cidrs(ip_address, tmp_asn_ip_ranges)):
r = requests.get('https://api.bgpview.io/ip/' + ip_address)
asn_data = r.json()
for prefix in asn_data['data']['prefixes']:
found_asn = prefix['asn']['asn']
tmp_asn_ip_ranges.append(su(prefix['prefix']))
ans_dict = {
'asn_number': prefix['asn']['asn'],
'prefixes': [su(prefix['prefix'])],
'country_code': su(prefix['asn']['country_code']),
'name': su(prefix['asn']['name']),
'description': su(prefix['asn']['description'])
}
if prefix['asn']['asn'] not in final_found_asns:
final_found_asns[prefix['asn']['asn']] = ans_dict
else:
if prefix['prefix'] not in final_found_asns[
prefix['asn']['asn']]['prefixes']:
final_found_asns[prefix['asn']['asn']]['prefixes'].append(
prefix['prefix'])
else:
for k, v in final_found_asns.iteritems():
for prefix in v['prefixes']:
if len(netaddr.all_matching_cidrs(ip_address, [prefix])):
found_asn = k
def _check_for_dup_router_subnet(self, context, router_id, network_id,
subnet_id):
try:
rport_qry = context.session.query(models_v2.Port)
rports = rport_qry.filter_by(
device_id=router_id,
device_owner=DEVICE_OWNER_ROUTER_INTF,
).all()
# its possible these ports on on the same network, but
# different subnet
new_cidr = self._get_subnet(context, subnet_id)['cidr']
new_ipnet = netaddr.IPNetwork(new_cidr)
for p in rports:
for ip in p['fixed_ips']:
if ip['subnet_id'] == subnet_id:
msg = ("Router already has a port on subnet %s" %
subnet_id)
raise q_exc.BadRequest(resource='router', msg=msg)
cidr = self._get_subnet(context, ip['subnet_id'])['cidr']
ipnet = netaddr.IPNetwork(cidr)
match1 = netaddr.all_matching_cidrs(new_ipnet, [cidr])
match2 = netaddr.all_matching_cidrs(ipnet, [new_cidr])
if match1 or match2:
msg = (("Cidr %s of subnet %s is overlapped " +
"with cidr %s of subnet %s") %
(new_cidr, subnet_id, cidr, ip['subnet_id']))
raise q_exc.BadRequest(resource='router', msg=msg)
except exc.NoResultFound:
pass
def _check_for_dup_router_subnet(self, context, router_id, network_id,
subnet_id, subnet_cidr):
try:
rport_qry = context.session.query(models_v2.Port)
rports = rport_qry.filter_by(device_id=router_id)
# It's possible these ports are on the same network, but
# different subnets.
new_ipnet = netaddr.IPNetwork(subnet_cidr)
for p in rports:
for ip in p['fixed_ips']:
if ip['subnet_id'] == subnet_id:
msg = (_("Router already has a port on subnet %s") %
subnet_id)
raise q_exc.BadRequest(resource='router', msg=msg)
sub_id = ip['subnet_id']
cidr = self._core_plugin._get_subnet(
context.elevated(), sub_id)['cidr']
ipnet = netaddr.IPNetwork(cidr)
match1 = netaddr.all_matching_cidrs(new_ipnet, [cidr])
match2 = netaddr.all_matching_cidrs(ipnet, [subnet_cidr])
if match1 or match2:
data = {
'subnet_cidr': subnet_cidr,
'subnet_id': subnet_id,
'cidr': cidr,
'sub_id': sub_id
}
msg = (_("Cidr %(subnet_cidr)s of subnet "
"%(subnet_id)s overlaps with cidr %(cidr)s "
"of subnet %(sub_id)s") % data)
raise q_exc.BadRequest(resource='router', msg=msg)
except exc.NoResultFound:
pass
def _check_for_dup_router_subnet(self, context, router_id,
network_id, subnet_id, subnet_cidr):
try:
rport_qry = context.session.query(models_v2.Port)
rports = rport_qry.filter_by(
device_id=router_id).all()
# its possible these ports on on the same network, but
# different subnet
new_ipnet = netaddr.IPNetwork(subnet_cidr)
for p in rports:
for ip in p['fixed_ips']:
if ip['subnet_id'] == subnet_id:
msg = (_("Router already has a port on subnet %s")
% subnet_id)
raise q_exc.BadRequest(resource='router', msg=msg)
sub_id = ip['subnet_id']
cidr = self._get_subnet(context.elevated(),
sub_id)['cidr']
ipnet = netaddr.IPNetwork(cidr)
match1 = netaddr.all_matching_cidrs(new_ipnet, [cidr])
match2 = netaddr.all_matching_cidrs(ipnet, [subnet_cidr])
if match1 or match2:
data = {'subnet_cidr': subnet_cidr,
'subnet_id': subnet_id,
'cidr': cidr,
'sub_id': sub_id}
msg = (_("Cidr %(subnet_cidr)s of subnet "
"%(subnet_id)s overlaps with cidr %(cidr)s "
"of subnet %(sub_id)s") % data)
raise q_exc.BadRequest(resource='router', msg=msg)
except exc.NoResultFound:
pass
def _check_for_dup_router_subnet(self, router_obj, subnet_id, subnet_cidr):
from neutron_plugin_contrail.plugins.opencontrail.vnc_client.subnet_res_handler import SubnetHandler
try:
router_vmi_objs = []
if router_obj.get_virtual_machine_interface_refs():
vmis = [
x['uuid']
for x in router_obj.virtual_machine_interface_refs
]
router_vmi_objs = self._vnc_lib.virtual_machine_interfaces_list(
obj_uuids=vmis,
detail=True,
fields=['instance_ip_back_refs'])
# It's possible router ports are on the same network, but
# different subnets.
new_ipnet = netaddr.IPNetwork(subnet_cidr)
port_req_memo = {
'virtual-machines': {},
'instance-ips': {},
'subnets': {}
}
for vmi_obj in router_vmi_objs:
net_id = self._vmi_handler.get_vmi_net_id(vmi_obj)
vn_obj = self._vnc_lib.virtual_network_read(id=net_id)
fixed_ips = self._vmi_handler.get_vmi_ip_dict(
vmi_obj, vn_obj, port_req_memo)
vn_subnets = (SubnetHandler.get_vn_subnets(vn_obj))
for ip in fixed_ips:
if ip['subnet_id'] == subnet_id:
msg = ("Router %s already has a port on subnet %s" %
(router_obj.uuid, subnet_id))
self._raise_contrail_exception('BadRequest',
resource='router',
msg=msg)
sub_id = ip['subnet_id']
cidr = self._get_subnet_cidr(sub_id, vn_subnets)
ipnet = netaddr.IPNetwork(cidr)
match1 = netaddr.all_matching_cidrs(new_ipnet, [cidr])
match2 = netaddr.all_matching_cidrs(ipnet, [subnet_cidr])
if match1 or match2:
data = {
'subnet_cidr': subnet_cidr,
'subnet_id': subnet_id,
'cidr': cidr,
'sub_id': sub_id
}
msg = (("Cidr %(subnet_cidr)s of subnet "
"%(subnet_id)s overlaps with cidr %(cidr)s "
"of subnet %(sub_id)s") % data)
self._raise_contrail_exception('BadRequest',
resource='router',
msg=msg)
except vnc_exc.NoIdError:
pass
def test_all_matching_cidrs_v6():
assert all_matching_cidrs('::ffff:192.0.2.1', ['::ffff:192.0.2.0/96']) == [
IPNetwork('::ffff:192.0.2.0/96')
]
assert all_matching_cidrs(
'::192.0.2.1', ['::192.0.2.0/96']) == [IPNetwork('::192.0.2.0/96')]
assert all_matching_cidrs('::192.0.2.1', ['192.0.2.0/23']) == []
assert all_matching_cidrs(
'::192.0.2.1',
['192.0.2.0/24', '::192.0.2.0/120']) == [IPNetwork('::192.0.2.0/120')]
assert all_matching_cidrs(
'::192.0.2.1',
[IPNetwork('192.0.2.0/24'),
IPNetwork('::192.0.2.0/120')]) == [IPNetwork('::192.0.2.0/120')]
def _check_for_dup_router_subnet(self, router_obj, subnet_id,
subnet_cidr):
try:
router_vmi_objs = []
if router_obj.get_virtual_machine_interface_refs():
vmis = [x['uuid']
for x in router_obj.virtual_machine_interface_refs]
router_vmi_objs = self._vnc_lib.virtual_machine_interfaces_list(
obj_uuids=vmis, detail=True,
fields=['instance_ip_back_refs'])
# It's possible router ports are on the same network, but
# different subnets.
new_ipnet = netaddr.IPNetwork(subnet_cidr)
port_req_memo = {'virtual-machines': {},
'instance-ips': {},
'subnets': {}}
for vmi_obj in router_vmi_objs:
net_id = self._vmi_handler.get_vmi_net_id(vmi_obj)
vn_obj = self._vnc_lib.virtual_network_read(id=net_id)
fixed_ips = self._vmi_handler.get_vmi_ip_dict(vmi_obj, vn_obj,
port_req_memo)
vn_subnets = (
subnet_handler.SubnetHandler.get_vn_subnets(
vn_obj))
for ip in fixed_ips:
if ip['subnet_id'] == subnet_id:
msg = ("Router %s already has a port on subnet %s"
% (router_obj.uuid, subnet_id))
self._raise_contrail_exception(
'BadRequest', resource='router', msg=msg)
sub_id = ip['subnet_id']
cidr = self._get_subnet_cidr(sub_id, vn_subnets)
ipnet = netaddr.IPNetwork(cidr)
match1 = netaddr.all_matching_cidrs(new_ipnet, [cidr])
match2 = netaddr.all_matching_cidrs(ipnet, [subnet_cidr])
if match1 or match2:
data = {'subnet_cidr': subnet_cidr,
'subnet_id': subnet_id,
'cidr': cidr,
'sub_id': sub_id}
msg = (("Cidr %(subnet_cidr)s of subnet "
"%(subnet_id)s overlaps with cidr %(cidr)s "
"of subnet %(sub_id)s") % data)
self._raise_contrail_exception(
'BadRequest', resource='router', msg=msg)
except vnc_exc.NoIdError:
pass
def before_request():
client_ip = bottle.request.environ['REMOTE_ADDR']
allowed = bool(
netaddr.all_matching_cidrs(client_ip,
app.config['appconfig']['allowed_cidrs']))
if not allowed:
raise bottle.HTTPError(403, 'Forbidden')
def auto_tags(self):
res = [u'state:' + self.context.state] if self.context.state else []
if self.context.architecture:
for i in self.context.architecture:
res.append(u'arch:' + i)
from opennode.knot.model.virtualizationcontainer import IVirtualizationContainer
p = sudo(self.context)
if (IVirtualCompute.providedBy(p) and
IVirtualizationContainer.providedBy(p.__parent__)):
res.append(u'virt_type:' + p.__parent__.backend)
res.append(u'virt:yes')
else:
res.append(u'virt:no')
config = get_config()
if config.has_section('netenv-tags'):
for tag, nets in config.items('netenv-tags'):
try:
if (self.context.ipv4_address is not None and
len(netaddr.all_matching_cidrs(self.context.ipv4_address.split('/')[0],
nets.split(','))) > 0):
res.append(u'env:' + tag)
except ValueError:
# graceful ignoring of incorrect ips
pass
return res
def check_cidr_overlap(self, service_settings, new_cidr):
cidr_list = list(
models.SubNet.objects.filter(service_settings=service_settings).values_list(
'cidr', flat=True
)
)
for old_cidr in cidr_list:
old_ipnet = IPNetwork(old_cidr)
new_ipnet = IPNetwork(new_cidr)
if all_matching_cidrs(new_ipnet, [old_cidr]) or all_matching_cidrs(
old_ipnet, [new_cidr]
):
raise serializers.ValidationError(
_("CIDR %(new_cidr)s overlaps with CIDR %(old_cidr)s")
% dict(new_cidr=new_cidr, old_cidr=old_cidr)
)
def test_051_check_instance_info(self):
(status, body) = self.gce.zone_get("/instances/",
self.ctx.instance_name)
self.assertEqual(200, status, message=body.get("message"))
self.assertEqual(self.ctx.instance_name, body["name"])
self.assertEqual("test instance", body["description"])
self.assertEqual("RUNNING", body["status"])
self.assertEqual("ACTIVE", body["statusMessage"])
self.assertEqual(self.ctx.machine_type["selfLink"],
body["machineType"])
nwifs = body.get("networkInterfaces")
self.assertEqual(1, len(nwifs))
nwif = nwifs[0]
try:
self.assertEqual(self.ctx.network_name, nwif["name"])
except Exception:
LOG.exception("Is nova network here?")
# NOTE(apavlov): change network name for future usage in this case
self.ctx.network_name = nwif["name"]
cidrs = netaddr.all_matching_cidrs(nwif["networkIP"],
[self.ctx.network_cidr])
try:
self.assertEqual(1, len(cidrs))
except Exception:
LOG.exception("Is nova network here?")
try:
self.assertEqual(self.ctx.network_cidr, str(cidrs[0]))
except Exception:
LOG.exception("Is nova network here?")
self.verify_zone_resource_uri(body["selfLink"], "/instances",
self.ctx.instance_name)
self.ctx.instance = body
def finisher(the_record):
"""
POST finished chain to a callback URL provided
"""
db.session.add(the_record)
verify_ssl = app.config['SSL_HOST_VALIDATION']
# Set the correct headers for the postback
headers = {'Content-type': 'application/json', 'Accept': 'text/plain', 'Connection': 'close'}
#proxy = {"http": "127.0.0.1:8080"}
try:
# Blacklist IP addresses
ip_addr = socket.gethostbyname(grab_domain(the_record.url))
if app.config['IP_BLACKLISTING']:
if netaddr.all_matching_cidrs(ip_addr, app.config['IP_BLACKLISTING_RANGE'].split(',')):
the_record.capture_status = "IP BLACKLISTED:{} - ".format(ip_addr) + the_record.capture_status
except:
pass
req = post(the_record.callback, verify=verify_ssl, data=json.dumps(the_record.as_dict()), headers=headers)
# If a 4xx or 5xx status is received, raise an exception
req.raise_for_status()
# Update capture_record and save to database
the_record.job_status = 'COMPLETED'
# Removed to propagate blacklist message
#the_record.capture_status = 'CALLBACK_SUCCEEDED'
db.session.add(the_record)
db.session.commit()
def _validate_signature(self, project, request):
secret_key = request.GET.get("key", None)
if secret_key is None:
return False
if not hasattr(project, "modules_config"):
return False
if project.modules_config.config is None:
return False
project_secret = project.modules_config.config.get("bitbucket", {}).get("secret", "")
if not project_secret:
return False
bitbucket_config = project.modules_config.config.get("bitbucket", {})
valid_origin_ips = bitbucket_config.get("valid_origin_ips",
settings.BITBUCKET_VALID_ORIGIN_IPS)
origin_ip = get_ip(request)
mathching_origin_ip = True
if valid_origin_ips:
try:
mathching_origin_ip = len(all_matching_cidrs(origin_ip,valid_origin_ips)) > 0
except(AddrFormatError, ValueError):
mathching_origin_ip = False
if not mathching_origin_ip:
return False
return project_secret == secret_key
def isin(self,ip):
if not self.cidrs:
return False
if netaddr.all_matching_cidrs(ip, self.cidrs):
return True
else:
return False
def finisher(the_record):
"""
POST finished chain to a callback URL provided
"""
db.session.add(the_record)
verify_ssl = app.config['SSL_HOST_VALIDATION']
# Set the correct headers for the postback
headers = {'Content-type': 'application/json', 'Accept': 'text/plain', 'Connection': 'close'}
#proxy = {"http": "127.0.0.1:8080"}
try:
# Blacklist IP addresses
ip_addr = socket.gethostbyname(grab_domain(the_record.url))
if app.config['IP_BLACKLISTING']:
if netaddr.all_matching_cidrs(ip_addr, app.config['IP_BLACKLISTING_RANGE'].split(',')):
the_record.capture_status = "IP BLACKLISTED:{} - ".format(ip_addr) + the_record.capture_status
except:
pass
req = post(the_record.callback, verify=verify_ssl, data=json.dumps(the_record.as_dict()), headers=headers)
# If a 4xx or 5xx status is recived, raise an exception
req.raise_for_status()
# Update capture_record and save to database
the_record.job_status = 'COMPLETED'
# Removed to propigate blacklist message
#the_record.capture_status = 'CALLBACK_SUCCEEDED'
db.session.add(the_record)
db.session.commit()
def auto_tags(self):
res = [u'state:' + self.context.state] if self.context.state else []
if self.context.architecture:
for i in self.context.architecture:
res.append(u'arch:' + i)
from opennode.knot.model.virtualizationcontainer import IVirtualizationContainer
p = sudo(self.context)
if (IVirtualCompute.providedBy(p) and
IVirtualizationContainer.providedBy(p.__parent__)):
res.append(u'virt_type:' + p.__parent__.backend)
res.append(u'virt:yes')
else:
res.append(u'virt:no')
config = get_config()
if config.has_section('netenv-tags'):
for tag, nets in config.items('netenv-tags'):
try:
if (self.context.ipv4_address is not None and
len(netaddr.all_matching_cidrs(self.context.ipv4_address.split('/')[0],
nets.split(','))) > 0):
res.append(u'env:' + tag)
except ValueError:
# graceful ignoring of incorrect ips
pass
return res
def _validate_signature(self, project, request):
secret_key = request.GET.get("key", None)
if secret_key is None:
return False
if not hasattr(project, "modules_config"):
return False
if project.modules_config.config is None:
return False
gitlab_config = project.modules_config.config.get("gitlab", {})
project_secret = gitlab_config.get("secret", "")
if not project_secret:
return False
valid_origin_ips = gitlab_config.get("valid_origin_ips", settings.GITLAB_VALID_ORIGIN_IPS)
origin_ip = get_ip(request)
matching_origin_ip = True
if valid_origin_ips:
try:
matching_origin_ip = len(all_matching_cidrs(origin_ip,valid_origin_ips)) > 0
except (AddrFormatError, ValueError):
matching_origin_ip = False
if not matching_origin_ip:
return False
return project_secret == secret_key
def _validate_signature(self, project, request):
secret_key = request.GET.get("key", None)
if secret_key is None:
return False
if not hasattr(project, "modules_config"):
return False
if project.modules_config.config is None:
return False
project_secret = project.modules_config.config.get("bitbucket", {}).get("secret", "")
if not project_secret:
return False
bitbucket_config = project.modules_config.config.get("bitbucket", {})
valid_origin_ips = bitbucket_config.get("valid_origin_ips",
settings.BITBUCKET_VALID_ORIGIN_IPS)
origin_ip = get_ip(request)
mathching_origin_ip = True
if valid_origin_ips:
try:
mathching_origin_ip = len(all_matching_cidrs(origin_ip,valid_origin_ips)) > 0
except AddrFormatError:
mathching_origin_ip = False
if not mathching_origin_ip:
return False
return project_secret == secret_key
def get_reverse_net_dns(ip, ip_ranges):
rev_cidr = all_matching_cidrs(ip, ip_ranges)
if len(rev_cidr) > 1:
print "ERROR: overlapping CIDRs"
sys.exit()
rev_net = str(rev_cidr[0])
rev_dns = netaddr.IPAddress(ip).reverse_dns
return rev_net, rev_dns
def check_allowed_ip(self, request):
""" Raise a 404 if this request is not from an allowed IP. """
if request.META['REMOTE_ADDR'] in self.allowed_IPs:
return
if bool(len(all_matching_cidrs(request.META['REMOTE_ADDR'],
self.allowed_cidr_blocks))):
return
raise Http404
def get_reverse_net_dns(ip, ip_ranges):
rev_cidr = all_matching_cidrs(ip, ip_ranges)
if len(rev_cidr) > 1:
print "ERROR: overlapping CIDRs"
sys.exit()
rev_net = str(rev_cidr[0])
rev_dns = netaddr.IPAddress(ip).reverse_dns
return rev_net, rev_dns
def _confirm_router_interface_not_in_use(self, context, router_id, subnet_id):
super(ExtraRoute_db_mixin, self)._confirm_router_interface_not_in_use(context, router_id, subnet_id)
subnet_db = self._get_subnet(context, subnet_id)
subnet_cidr = netaddr.IPNetwork(subnet_db["cidr"])
extra_routes = self._get_extra_routes_by_router_id(context, router_id)
for route in extra_routes:
if netaddr.all_matching_cidrs(route["nexthop"], [subnet_cidr]):
raise extraroute.RouterInterfaceInUseByRoute(router_id=router_id, subnet_id=subnet_id)
def match_ip_ranges(source_ip, ip_cidr):
"""
Check if an ip is in a specific range
:param source_ip: ip to test
:param ip_cidr: mask of ip to test
:return: True if match, False otherwise
"""
return False if len(netaddr.all_matching_cidrs(source_ip, ip_cidr)) <= 0 else True
def accept(ip):
hasAccess = ["127.0.0.1/32", "192.168.0.0/16"]
check = all_matching_cidrs(ip, hasAccess)
if len(check) > 0:
return True
else:
return False
def comprobar_nombre_con_IP(nombre_host, ip):
nombre = nombre_host.lower()
regexname = re_servidor_fe
match_fe = re.match(regexname, nombre)
if not match_fe:
regexname = re_servidor_be
match_be = re.match(regexname, nombre)
if not match_be:
regexname = re_servidor_consola
match_c = re.match(regexname, nombre)
if not match_c:
print "ERROR - La IP indicada corresponde a un rango de otro entorno al indicado: %s y %s" % (nombre, ip)
print "Solución: verificar el documento 'Estandar - Nomenclatura HW y Servicios.pdf' v1.10"
sys.exit(13)
else:
listado_pro = conf_dir + "listado_ips/listado_rangos_C"
listado_pre = conf_dir + "listado_ips/listado_rangos_C"
listado_des = conf_dir + "listado_ips/listado_rangos_C"
listado_int = conf_dir + "listado_ips/listado_rangos_C"
listado_maq = conf_dir + "listado_ips/listado_rangos_C"
entorno_servidor = match_c.group('entorno_srv')
else:
listado_pro = conf_dir + "listado_ips/listado_rangos_BE_pro"
listado_pre = conf_dir + "listado_ips/listado_rangos_BE_pre"
listado_des = conf_dir + "listado_ips/listado_rangos_BE_desarrollo"
listado_int = conf_dir + "listado_ips/listado_rangos_BE_integracion"
listado_maq = conf_dir + "listado_ips/listado_rangos_BE_maqueta"
entorno_servidor = match_be.group('entorno_srv')
else:
listado_pro = conf_dir + "listado_ips/listado_rangos_FE_pro"
listado_pre = conf_dir + "listado_ips/listado_rangos_FE_pre"
listado_des = conf_dir + "listado_ips/listado_rangos_FE_desarrollo"
listado_int = conf_dir + "listado_ips/listado_rangos_FE_integracion"
listado_maq = conf_dir + "listado_ips/listado_rangos_FE_maqueta"
entorno_servidor = match_fe.group('entorno_srv')
if entorno_servidor == 'p':
vlans = open(listado_pro).read().splitlines()
elif entorno_servidor == 'y':
vlans = open(listado_pro).read().splitlines()
elif entorno_servidor == 'r':
vlans = open(listado_pre).read().splitlines()
elif entorno_servidor == 'i':
vlans = open(listado_int).read().splitlines()
elif entorno_servidor == 'd':
vlans = open(listado_des).read().splitlines()
elif entorno_servidor == 'f':
vlans = open(listado_int).read().splitlines()
elif entorno_servidor == 'm':
vlans = open(listado_maq).read().splitlines()
match = netaddr.all_matching_cidrs(ip, vlans)
if len(match) == 0:
print "ERROR - El entorno del servidor no coincide con el direccionamiento indicado."
print "Solución: verificar que la IP %s corresponde al entorno '%s'" % (ip, entorno_servidor)
sys.exit(14)
return
def _validate_routes_nexthop(self, cidrs, ips, routes, nexthop):
# Note(nati): Nexthop should be connected,
# so we need to check
# nexthop belongs to one of cidrs of the router ports
if not netaddr.all_matching_cidrs(nexthop, cidrs):
raise extraroute.InvalidRoutes(routes=routes, reason=_("the nexthop is not connected with router"))
# Note(nati) nexthop should not be same as fixed_ips
if nexthop in ips:
raise extraroute.InvalidRoutes(routes=routes, reason=_("the nexthop is used by router"))
def test_all_matching_cidrs_v4():
assert all_matching_cidrs('192.0.2.32', [
'0.0.0.0/0', '10.0.0.0/8', '192.0.0.0/8', '192.0.1.0/24',
'192.0.2.0/24', '192.0.3.0/24'
]) == [
IPNetwork('0.0.0.0/0'),
IPNetwork('192.0.0.0/8'),
IPNetwork('192.0.2.0/24'),
]
def comprobar_entorno(ip):
listado_pro = conf_dir + "listado_ips/listado_rangos_FE_pro"
vlans = open(listado_pro).read().splitlines()
match = netaddr.all_matching_cidrs(ip, vlans)
if len(match) == 0:
entorno = "no-pro"
else:
entorno = "pro"
return entorno
def in_known_cidr_block(ip_address):
redis_con = redis.StrictRedis(host=settings.REDIS_HOST,
port=settings.REDIS_PORT,
db=settings.REDIS_DB)
cidrs = redis_con.get('cidrs')
if not cidrs or not len(cidrs):
return False
return len(netaddr.all_matching_cidrs(ip_address, cidrs.split(','))) > 0
def _check_for_dup_router_subnet(self, router_id, subnet_id,
subnet_cidr):
try:
router_vmi_objs = self._vmi_handler.get_vmi_list(
back_ref_id=[router_id])
# It's possible router ports are on the same network, but
# different subnets.
new_ipnet = netaddr.IPNetwork(subnet_cidr)
port_req_memo = {'virtual-machines': {},
'instance-ips': {},
'subnets': {}}
for vmi_obj in router_vmi_objs:
net_id = self._vmi_handler.get_vmi_net_id(vmi_obj)
vn_obj = self._vnc_lib.virtual_network_read(id=net_id)
fixed_ips = self._vmi_handler.get_vmi_ip_dict(vmi_obj, vn_obj,
port_req_memo)
vn_subnets = (
subnet_handler.ContrailSubnetHandler.get_vn_subnets(
vn_obj))
for ip in fixed_ips:
if ip['subnet_id'] == subnet_id:
msg = ("Router %s already has a port on subnet %s"
% (router_id, subnet_id))
self._raise_contrail_exception(
'BadRequest', resource='router', msg=msg)
sub_id = ip['subnet_id']
cidr = self._get_subnet_cidr(sub_id, vn_subnets)
ipnet = netaddr.IPNetwork(cidr)
match1 = netaddr.all_matching_cidrs(new_ipnet, [cidr])
match2 = netaddr.all_matching_cidrs(ipnet, [subnet_cidr])
if match1 or match2:
data = {'subnet_cidr': subnet_cidr,
'subnet_id': subnet_id,
'cidr': cidr,
'sub_id': sub_id}
msg = (("Cidr %(subnet_cidr)s of subnet "
"%(subnet_id)s overlaps with cidr %(cidr)s "
"of subnet %(sub_id)s") % data)
self._raise_contrail_exception(
'BadRequest', resource='router', msg=msg)
except vnc_exc.NoIdError:
pass
def accept(ip):
hasAccess = [ "127.0.0.1/32",
"192.168.0.0/16" ]
check = all_matching_cidrs(ip , hasAccess )
if len(check) > 0:
return True
else:
return False
def confirm_router_interface_not_in_use(self, neutron_router_id,
neutron_subnet):
nuage_routes = self._get_nuage_static_routes_by_router_id(
neutron_router_id)
for route in nuage_routes:
if netaddr.all_matching_cidrs(route['nextHopIp'],
[neutron_subnet['cidr']]):
msg = ("router interface for subnet %s is required by one or"
" more routes") % neutron_subnet['name']
raise restproxy.ResourceConflictException(msg)
def in_known_cidr_block(ip_address):
redis_con = redis.StrictRedis(host=settings.REDIS_HOST,
port=settings.REDIS_PORT,
db=settings.REDIS_DB)
cidrs = redis_con.get('cidrs')
if not cidrs or not len(cidrs):
return False
return len(netaddr.all_matching_cidrs(ip_address, cidrs.split(','))) > 0
def _confirm_router_interface_not_in_use(self, context, router_id, subnet):
super(ExtraRoute_dbonly_mixin,
self)._confirm_router_interface_not_in_use(
context, router_id, subnet)
subnet_cidr = netaddr.IPNetwork(subnet['cidr'])
extra_routes = self._get_extra_routes_by_router_id(context, router_id)
for route in extra_routes:
if netaddr.all_matching_cidrs(route['nexthop'], [subnet_cidr]):
raise xroute_exc.RouterInterfaceInUseByRoute(
router_id=router_id, subnet_id=subnet['id'])
def isinsubnet(x): # use netaddr to evaluate if given ip in subnet
for item in masterlist:
# check if given ip is in the masterlist
iprange = netaddr.all_matching_cidrs(x, [item])
if iprange is not False: # if ip is in masterlist return yes
return 'Yes'
if iprange is False:
return 'No' # if ip is not in masterlist return no.
def _validate_routes_nexthop(self, cidrs, ips, routes, nexthop):
#Note(nati): Nexthop should be connected,
# so we need to check
# nexthop belongs to one of cidrs of the router ports
extern_relay_cidr = cfg.CONF.l3gw_extern_net_ip_range
if not netaddr.all_matching_cidrs(nexthop, cidrs):
if (cfg.CONF.cascade_str == 'cascaded'
and extern_relay_cidr and netaddr.all_matching_cidrs(
nexthop, [extern_relay_cidr])):
LOG.debug(
_('nexthop(%s) is in extern_relay_cidr,'
'so not raise InvalidRoutes exception'), nexthop)
return
raise extraroute.InvalidRoutes(
routes=routes,
reason=_('the nexthop is not connected with router'))
#Note(nati) nexthop should not be same as fixed_ips
if nexthop in ips:
raise extraroute.InvalidRoutes(
routes=routes, reason=_('the nexthop is used by router'))
def is_whitelisted(self, ident):
for whitelisted in settings.REST_FRAMEWORK['DEFAULT_THROTTLE_WHITELIST']:
if isinstance(whitelisted, int) and whitelisted == ident:
return True
elif isinstance(whitelisted, str):
try:
if all_matching_cidrs(ident, [whitelisted]) != []:
return True
except(AddrFormatError, ValueError):
pass
return False
def check_for_dup_router_subnet(self, context, router_id,
subnet_id, subnet_cidr):
# called from l3 db
openvpn_conns = self.get_openvpnconnections(
context, filters={'router_id': [router_id]})
new_ipnet = netaddr.IPNetwork(subnet_cidr)
for openvpn in openvpn_conns:
cidr = openvpn['peer_cidr']
ipnet = netaddr.IPNetwork(cidr)
match1 = netaddr.all_matching_cidrs(new_ipnet, [cidr])
match2 = netaddr.all_matching_cidrs(ipnet, [subnet_cidr])
if match1 or match2:
data = {'subnet_cidr': subnet_cidr,
'subnet_id': subnet_id,
'cidr': cidr,
'vpn_id': openvpn['id']}
msg = (_("Cidr %(subnet_cidr)s of subnet "
"%(subnet_id)s overlaps with cidr %(cidr)s "
"of openvpn %(vpn_id)s") % data)
raise n_exc.BadRequest(resource='router', msg=msg)
def is_whitelisted(self, ident):
for whitelisted in settings.REST_FRAMEWORK['DEFAULT_THROTTLE_WHITELIST']:
if isinstance(whitelisted, int) and whitelisted == ident:
return True
elif isinstance(whitelisted, str):
try:
if all_matching_cidrs(ident, [whitelisted]) != []:
return True
except(AddrFormatError, ValueError):
pass
return False
def _validate_secgroup(cache, instance, source_ip):
"""Search through an instance's security groups for pingability
"""
for instance_secgroup in instance.security_groups:
for secgroup in cache:
if ((secgroup['tenant_id'] == instance.tenant_id
and secgroup['name'] == instance_secgroup['name'])):
for rule in secgroup['security_group_rules']:
if ((rule['protocol'] == 'icmp' and all_matching_cidrs(
source_ip, [rule['remote_ip_prefix']]))):
return True
def check_router_interface_not_in_use(self, **kwargs):
context = kwargs.get('context')
router_id = kwargs.get('router_id')
subnet_id = kwargs.get('subnet_id')
subnet = self._core_plugin.get_subnet(context, subnet_id)
subnet_cidr = netaddr.IPNetwork(subnet['cidr'])
all_next_hops = self._get_all_next_hop_ips_of_router(context, router_id)
for next_hop_ip in set(all_next_hops):
if netaddr.all_matching_cidrs(next_hop_ip, [subnet_cidr]):
raise exception.RouterInterfaceInUseBySlbEcmp(
router_id=router_id, subnet_id=subnet_id)
def _validate_secgroup(cache, instance, source_ip):
"""Search through an instance's security groups for pingability
"""
for instance_secgroup in instance.security_groups:
for secgroup in cache:
if ((secgroup['tenant_id'] == instance.tenant_id and
secgroup['name'] == instance_secgroup['name'])):
for rule in secgroup['security_group_rules']:
if ((rule['protocol'] == 'icmp' and
all_matching_cidrs(source_ip,
[rule['remote_ip_prefix']]))):
return True
def _validate_routes_nexthop(self, cidrs, ips, routes, nexthop):
#Note(nati): Nexthop should be connected,
# so we need to check
# nexthop belongs to one of cidrs of the router ports
extern_relay_cidr = cfg.CONF.l3gw_extern_net_ip_range
if not netaddr.all_matching_cidrs(nexthop, cidrs):
if(cfg.CONF.cascade_str == 'cascaded'
and extern_relay_cidr
and netaddr.all_matching_cidrs(nexthop,
[extern_relay_cidr])):
LOG.debug(_('nexthop(%s) is in extern_relay_cidr,'
'so not raise InvalidRoutes exception'), nexthop)
return
raise extraroute.InvalidRoutes(
routes=routes,
reason=_('the nexthop is not connected with router'))
#Note(nati) nexthop should not be same as fixed_ips
if nexthop in ips:
raise extraroute.InvalidRoutes(
routes=routes,
reason=_('the nexthop is used by router'))
def _validate_routes_nexthop(self, cidrs, ips, routes, nexthop):
#Note(nati): Nexthop should be connected,
# so we need to check
# nexthop belongs to one of cidrs of the router ports
if not netaddr.all_matching_cidrs(nexthop, cidrs):
raise extraroute.InvalidRoutes(
routes=routes,
reason=_('the nexthop is not connected with router'))
#Note(nati) nexthop should not be same as fixed_ips
if nexthop in ips:
raise extraroute.InvalidRoutes(
routes=routes, reason=_('the nexthop is used by router'))
def ignore_ip_addr(vm_, ip):
'''
Return True if we are to ignore the specified IP. Compatible with IPv4.
'''
if HAS_NETADDR is False:
return 'Error: netaddr is not installed'
cidr = vm_.get('ip_ignore', __opts__.get('OPENSTACK.ignore_cidr', ''))
if cidr != '' and all_matching_cidrs(ip, [cidr]):
return True
else:
return False
def _confirm_router_interface_not_in_use(self, context, router_id,
subnet_id):
super(ExtraRoute_dbonly_mixin,
self)._confirm_router_interface_not_in_use(
context, router_id, subnet_id)
subnet = self._core_plugin.get_subnet(context, subnet_id)
subnet_cidr = netaddr.IPNetwork(subnet['cidr'])
extra_routes = self._get_extra_routes_by_router_id(context, router_id)
for route in extra_routes:
if netaddr.all_matching_cidrs(route['nexthop'], [subnet_cidr]):
raise xroute_exc.RouterInterfaceInUseByRoute(
router_id=router_id, subnet_id=subnet_id)
def _check_for_dup_router_subnet(self, context, router_id, network_id, subnet_id, subnet_cidr):
try:
rport_qry = context.session.query(models_v2.Port)
LOG.debug(_("check_for_dup_router_subnet called in l3_db.py rport_qry: %s"), rport_qry)
rports = rport_qry.filter_by(device_id=router_id)
LOG.debug(_("check_for_dup_router_subnet called in l3_db.py rports: %s"), rports)
# It's possible these ports are on the same network, but different subnets.
new_ipnet = netaddr.IPNetwork(subnet_cidr)
for p in rports:
LOG.debug(_("check_for_dup_router_subnet called in l3_db.py p in rports: %s"), p)
for ip in p["fixed_ips"]:
LOG.debug(_("check_for_dup_router_subnet called in l3_db.py ip in p: %s"), ip)
if ip["subnet_id"] == subnet_id:
msg = _("Router already has a port on subnet %s") % subnet_id
raise q_exc.BadRequest(resource="router", msg=msg)
sub_id = ip["subnet_id"]
LOG.debug(
_("check_for_dup_router_subnet called in l3_db.py get_subnet returns: %s"),
self._core_plugin._get_subnet(context.elevated(), sub_id),
)
cidr = self._core_plugin._get_subnet(context.elevated(), sub_id)["cidr"]
ipnet = netaddr.IPNetwork(cidr)
match1 = netaddr.all_matching_cidrs(new_ipnet, [cidr])
match2 = netaddr.all_matching_cidrs(ipnet, [subnet_cidr])
LOG.debug(_("check_for_dup_router_subnet called in l3_db.py match1: %s"), match1)
LOG.debug(_("check_for_dup_router_subnet called in l3_db.py match2: %s"), match2)
if match1 or match2:
data = {"subnet_cidr": subnet_cidr, "subnet_id": subnet_id, "cidr": cidr, "sub_id": sub_id}
msg = (
_(
"Cidr %(subnet_cidr)s of subnet "
"%(subnet_id)s overlaps with cidr %(cidr)s "
"of subnet %(sub_id)s"
)
% data
)
raise q_exc.BadRequest(resource="router", msg=msg)
except exc.NoResultFound:
pass
def _validate_nuage_staticroutes(self, old_routes, added, removed):
cidrs = []
for old in old_routes:
if old not in removed:
ip = netaddr.IPNetwork(old['destination'])
cidrs.append(ip)
for route in added:
ip = netaddr.IPNetwork(route['destination'])
matching = netaddr.all_matching_cidrs(ip.ip, cidrs)
if matching:
msg = _('for same subnet, multiple static routes not allowed')
raise n_exc.BadRequest(resource='router', msg=msg)
cidrs.append(ip)
def check_for_dup_router_subnet(self, context, router_id, subnet_id,
subnet_cidr):
# called from l3 db
pptp_conns = self.get_pptpconnections(
context, filters={'router_id': [router_id]})
new_ipnet = netaddr.IPNetwork(subnet_cidr)
for pptp in pptp_conns:
cidr = pptp['vpn_cidr']
ipnet = netaddr.IPNetwork(cidr)
match1 = netaddr.all_matching_cidrs(new_ipnet, [cidr])
match2 = netaddr.all_matching_cidrs(ipnet, [subnet_cidr])
if match1 or match2:
data = {
'subnet_cidr': subnet_cidr,
'subnet_id': subnet_id,
'cidr': cidr,
'vpn_id': pptp['id']
}
msg = (_("Cidr %(subnet_cidr)s of subnet "
"%(subnet_id)s overlaps with cidr %(cidr)s "
"of pptpvpn %(vpn_id)s") % data)
raise n_exc.BadRequest(resource='router', msg=msg)
def _validate_nuage_staticroutes(self, old_routes, added, removed):
cidrs = []
for old in old_routes:
if old not in removed:
ip = netaddr.IPNetwork(old['destination'])
cidrs.append(ip)
for route in added:
ip = netaddr.IPNetwork(route['destination'])
matching = netaddr.all_matching_cidrs(ip.ip, cidrs)
if matching:
msg = _('for same subnet, multiple static routes not allowed')
raise n_exc.BadRequest(resource='router', msg=msg)
cidrs.append(ip)
def test_netaddr_integration(self):
# just a tiny range, here
test_ip = random.randint(0, 0xFFFFFFFF)
num_ranges = random.randint(1, 10)
whitelist = Whitelist.objects.create(name="anything", slug="anything")
cidrs = []
for idx in range(num_ranges):
r = whitelist.range_set.create(ip=fmt_ip(random.randint(0, 0xFFFFFFFF)), cidr=random.randint(1, 32))
cidrs.append("%s/%d" % (r.ip, r.cidr))
self.assertEqual(whitelist.okay(test_ip), len(netaddr.all_matching_cidrs(test_ip, cidrs)) > 0)
def ignore_cidr(vm_, ip):
"""
Return True if we are to ignore the specified IP. Compatible with IPv4.
"""
if HAS_NETADDR is False:
log.error("Error: netaddr is not installed")
return "Error: netaddr is not installed"
cidr = config.get_cloud_config_value("ignore_cidr", vm_, __opts__, default="", search_global=False)
if cidr != "" and all_matching_cidrs(ip, [cidr]):
log.warning('IP "{0}" found within "{1}"; ignoring it.'.format(ip, cidr))
return True
return False
def _validate_routes_nexthop(self, context, ports, routes, nexthop):
# Note(nati): Nexthop should be connected,
# so we need to check
# nexthop belongs to one of cidrs of the router ports
cidrs = []
for port in ports:
cidrs += [self._get_subnet(context, ip["subnet_id"])["cidr"] for ip in port["fixed_ips"]]
if not netaddr.all_matching_cidrs(nexthop, cidrs):
raise extraroute.InvalidRoutes(routes=routes, reason=_("the nexthop is not connected with router"))
# Note(nati) nexthop should not be same as fixed_ips
for port in ports:
for ip in port["fixed_ips"]:
if nexthop == ip["ip_address"]:
raise extraroute.InvalidRoutes(routes=routes, reason=_("the nexthop is used by router"))
def _check_for_dup_router_subnet(self, context, router, network_id,
subnet_id, subnet_cidr):
try:
# It's possible these ports are on the same network, but
# different subnets.
new_ipnet = netaddr.IPNetwork(subnet_cidr)
for p in (rp.port for rp in router.attached_ports):
for ip in p['fixed_ips']:
if ip['subnet_id'] == subnet_id:
msg = (_("Router already has a port on subnet %s") %
subnet_id)
raise common_exceptions.BadRequest(resource='router',
msg=msg)
# Ignore temporary Prefix Delegation CIDRs
if subnet_cidr == q_const.PROVISIONAL_IPV6_PD_PREFIX:
continue
sub_id = ip['subnet_id']
cidr = self._core_plugin.get_subnet(
context.elevated(), sub_id)['cidr']
ipnet = netaddr.IPNetwork(cidr)
match1 = netaddr.all_matching_cidrs(new_ipnet, [cidr])
match2 = netaddr.all_matching_cidrs(ipnet, [subnet_cidr])
if match1 or match2:
data = {
'subnet_cidr': subnet_cidr,
'subnet_id': subnet_id,
'cidr': cidr,
'sub_id': sub_id
}
msg = (_("Cidr %(subnet_cidr)s of subnet "
"%(subnet_id)s overlaps with cidr %(cidr)s "
"of subnet %(sub_id)s") % data)
raise common_exceptions.BadRequest(resource='router',
msg=msg)
except exc.NoResultFound:
pass
def _allocate_specific_subnet(self, request):
with self._context.session.begin(subtransactions=True):
self._check_subnetpool_tenant_quota(request.tenant_id,
request.prefixlen)
cidr = request.subnet_cidr
available = self._get_available_prefix_list()
matched = netaddr.all_matching_cidrs(cidr, available)
if len(matched) is 1 and matched[0].prefixlen <= cidr.prefixlen:
return IpamSubnet(request.tenant_id,
request.subnet_id,
cidr,
gateway_ip=request.gateway_ip,
allocation_pools=request.allocation_pools)
msg = _("Cannot allocate requested subnet from the available "
"set of prefixes")
raise n_exc.SubnetAllocationError(reason=msg)
def ignore_cidr(vm_, ip):
'''
Return True if we are to ignore the specified IP. Compatible with IPv4.
'''
if HAS_NETADDR is False:
log.error('Error: netaddr is not installed')
return 'Error: netaddr is not installed'
cidr = config.get_config_value(
'ignore_cidr', vm_, __opts__, default='', search_global=False
)
if cidr != '' and all_matching_cidrs(ip, [cidr]):
log.warning('IP "{0}" found within "{1}"; ignoring it.'.format(ip, cidr))
return True
return False
def perform_checking(ip):
validate_ipv4_address(ip)
if not all_matching_cidrs(ip, ip_ranges) and ip_ranges:
raise forms.ValidationError(_('Specified Cluster Static IP is'
'not in valid IP range'))
try:
ip_info = novaclient(request).fixed_ips.get(ip)
except exceptions.UNAUTHORIZED:
exceptions.handle(
request, _("Unable to retrieve information "
"about fixed IP or IP is not valid."),
ignore=True)
else:
if ip_info.hostname:
raise forms.ValidationError(
_('Specified Cluster Static IP is already in use'))
