def net4to6x96(prefix, net): prefix = str(ipaddress.IPv6Network(prefix)).split('/')[0] net = net.split('/')[0] nets = net.split('.') if prefix.count(':') == 5: prefix = prefix[:-1] net_num = int(nets[0]) * 256**3 + int(nets[1]) * 256**2 + \ int(nets[2]) * 256**1 + int(nets[3]) * 256**0 net_hex = hex(net_num) net6 = prefix + net_hex[2:6] + ':' + net_hex[6:10] + ':0:0/96' return str(ipaddress.IPv6Network(net6))
def host_put(hst=None): if settings.app.demo_mode: return utils.demo_blocked() hst = host.get_by_id(hst) if 'name' in flask.request.json: hst.name = utils.filter_str( flask.request.json['name']) or utils.random_name() if 'public_address' in flask.request.json: hst.public_address = utils.filter_str( flask.request.json['public_address']) if 'public_address6' in flask.request.json: hst.public_address6 = utils.filter_str( flask.request.json['public_address6']) if 'routed_subnet6' in flask.request.json: routed_subnet6 = flask.request.json['routed_subnet6'] if routed_subnet6: try: routed_subnet6 = ipaddress.IPv6Network( flask.request.json['routed_subnet6']) except (ipaddress.AddressValueError, ValueError): return utils.jsonify({ 'error': IPV6_SUBNET_INVALID, 'error_msg': IPV6_SUBNET_INVALID_MSG, }, 400) if routed_subnet6.prefixlen > 64: return utils.jsonify({ 'error': IPV6_SUBNET_SIZE_INVALID, 'error_msg': IPV6_SUBNET_SIZE_INVALID_MSG, }, 400) routed_subnet6 = str(routed_subnet6) else: routed_subnet6 = None if hst.routed_subnet6 != routed_subnet6: if server.get_online_ipv6_count(): return utils.jsonify({ 'error': IPV6_SUBNET_ONLINE, 'error_msg': IPV6_SUBNET_ONLINE_MSG, }, 400) hst.routed_subnet6 = routed_subnet6 if 'link_address' in flask.request.json: hst.link_address = utils.filter_str( flask.request.json['link_address']) hst.commit(hst.changed) event.Event(type=HOSTS_UPDATED) messenger.publish('hosts', 'updated') return utils.jsonify(hst.dict())
def ip4to6x96(prefix, net, addr): prefix = str(ipaddress.IPv6Network(prefix)).split('/')[0] addrs = addr.split('/')[0].split('.') net = net.split('/')[0] nets = net.split('.') if prefix.count(':') == 5: prefix = prefix[:-1] net_num = int(nets[0]) * 256**3 + int(nets[1]) * 256**2 + \ int(nets[2]) * 256**1 + int(nets[3]) * 256**0 net_hex = hex(net_num) addr_num = int(addrs[0]) * 256**3 + int(addrs[1]) * 256**2 + \ int(addrs[2]) * 256**1 + int(addrs[3]) * 256**0 addr_hex = hex(addr_num) addr6 = prefix + net_hex[2:6] + ':' + net_hex[6:10] + ':' + \ addr_hex[2:6] + ':' + addr_hex[6:10] return str(ipaddress.IPv6Address(addr6))
def generate_iptables_rules(self): server_addr = utils.get_network_gateway(self.server.network) server_addr6 = utils.get_network_gateway(self.server.network6) ipv6_firewall = self.server.ipv6_firewall and \ settings.local.host.routed_subnet6 self.iptables.id = self.server.id self.iptables.ipv6 = self.server.ipv6 self.iptables.server_addr = server_addr self.iptables.server_addr6 = server_addr6 self.iptables.virt_interface = self.interface self.iptables.virt_network = self.server.network self.iptables.virt_network6 = self.server.network6 self.iptables.ipv6_firewall = ipv6_firewall self.iptables.inter_client = self.server.inter_client self.iptables.restrict_routes = self.server.restrict_routes try: routes_output = utils.check_output_logged(['route', '-n']) except subprocess.CalledProcessError: logger.exception( 'Failed to get IP routes', 'server', server_id=self.server.id, ) raise routes = [] default_interface = None for line in routes_output.splitlines(): line_split = line.split() if len(line_split) < 8 or not re.match(IP_REGEX, line_split[0]): continue if line_split[0] not in routes: if line_split[0] == '0.0.0.0': if default_interface: continue default_interface = line_split[7] routes.append((ipaddress.IPNetwork( '%s/%s' % (line_split[0], utils.subnet_to_cidr(line_split[2]))), line_split[7])) routes.reverse() if not default_interface: raise IptablesError('Failed to find default network interface') routes6 = [] default_interface6 = None if self.server.ipv6: try: routes_output = utils.check_output_logged( ['route', '-n', '-A', 'inet6']) except subprocess.CalledProcessError: logger.exception( 'Failed to get IPv6 routes', 'server', server_id=self.server.id, ) raise for line in routes_output.splitlines(): line_split = line.split() if len(line_split) < 7: continue try: route_network = ipaddress.IPv6Network(line_split[0]) except (ipaddress.AddressValueError, ValueError): continue if line_split[0] == '::/0': if default_interface6: continue default_interface6 = line_split[6] routes6.append(( route_network, line_split[6], )) if not default_interface6: raise IptablesError( 'Failed to find default IPv6 network interface') if default_interface6 == 'lo': logger.error( 'Failed to find default IPv6 interface', 'server', server_id=self.server.id, ) routes6.reverse() interfaces = set() interfaces6 = set() for route in self.server.get_routes( include_hidden=True, include_server_links=True, include_default=True, ): if route['virtual_network'] or route['link_virtual_network']: self.iptables.add_nat_network(route['network']) if route['virtual_network'] or route['net_gateway']: continue network = route['network'] is6 = ':' in network network_obj = ipaddress.IPNetwork(network) interface = route['nat_interface'] if is6: if not interface: for route_net, route_intf in routes6: if network_obj in route_net: interface = route_intf break if not interface: logger.info( 'Failed to find interface for local ' + \ 'IPv6 network route, using default route', 'server', server_id=self.server.id, network=network, ) interface = default_interface6 interfaces6.add(interface) else: if not interface: for route_net, route_intf in routes: if network_obj in route_net: interface = route_intf break if not interface: logger.info( 'Failed to find interface for local ' + \ 'network route, using default route', 'server', server_id=self.server.id, network=network, ) interface = default_interface interfaces.add(interface) self.iptables.add_route( network, nat=route['nat'], nat_interface=interface, ) if self.vxlan: self.iptables.add_route(self.vxlan.vxlan_net) self.iptables.generate()
def settings_put(): if settings.app.demo_mode: return utils.demo_blocked() org_event = False admin_event = False admin = flask.g.administrator changes = set() settings_commit = False update_server = False update_acme = False update_cert = False if 'username' in flask.request.json and flask.request.json['username']: username = utils.filter_str(flask.request.json['username']).lower() if username != admin.username: changes.add('username') admin.username = username if 'password' in flask.request.json and flask.request.json['password']: password = flask.request.json['password'] changes.add('password') admin.password = password if 'server_cert' in flask.request.json: settings_commit = True server_cert = flask.request.json['server_cert'] if server_cert: server_cert = server_cert.strip() else: server_cert = None if server_cert != settings.app.server_cert: update_server = True settings.app.server_cert = server_cert if 'server_key' in flask.request.json: settings_commit = True server_key = flask.request.json['server_key'] if server_key: server_key = server_key.strip() else: server_key = None if server_key != settings.app.server_key: update_server = True settings.app.server_key = server_key if 'server_port' in flask.request.json: settings_commit = True server_port = flask.request.json['server_port'] if not server_port: server_port = 443 try: server_port = int(server_port) if server_port < 1 or server_port > 65535: raise ValueError('Port invalid') except ValueError: return utils.jsonify( { 'error': PORT_INVALID, 'error_msg': PORT_INVALID_MSG, }, 400) if settings.app.redirect_server and server_port == 80: return utils.jsonify( { 'error': PORT_RESERVED, 'error_msg': PORT_RESERVED_MSG, }, 400) if server_port != settings.app.server_port: update_server = True settings.app.server_port = server_port if 'acme_domain' in flask.request.json: settings_commit = True acme_domain = utils.filter_str(flask.request.json['acme_domain'] or None) if acme_domain: acme_domain = acme_domain.replace('https://', '') acme_domain = acme_domain.replace('http://', '') acme_domain = acme_domain.replace('/', '') if acme_domain != settings.app.acme_domain: if not acme_domain: settings.app.acme_key = None settings.app.acme_timestamp = None settings.app.server_key = None settings.app.server_cert = None update_server = True update_cert = True else: update_acme = True settings.app.acme_domain = acme_domain if 'auditing' in flask.request.json: settings_commit = True auditing = flask.request.json['auditing'] or None if settings.app.auditing != auditing: if not flask.g.administrator.super_user: return utils.jsonify( { 'error': REQUIRES_SUPER_USER, 'error_msg': REQUIRES_SUPER_USER_MSG, }, 400) admin_event = True org_event = True settings.app.auditing = auditing if 'monitoring' in flask.request.json: settings_commit = True monitoring = flask.request.json['monitoring'] or None settings.app.monitoring = monitoring if 'influxdb_uri' in flask.request.json: settings_commit = True influxdb_uri = flask.request.json['influxdb_uri'] or None settings.app.influxdb_uri = influxdb_uri if 'email_from' in flask.request.json: settings_commit = True email_from = flask.request.json['email_from'] or None if email_from != settings.app.email_from: changes.add('smtp') settings.app.email_from = email_from if 'email_server' in flask.request.json: settings_commit = True email_server = flask.request.json['email_server'] or None if email_server != settings.app.email_server: changes.add('smtp') settings.app.email_server = email_server if 'email_username' in flask.request.json: settings_commit = True email_username = flask.request.json['email_username'] or None if email_username != settings.app.email_username: changes.add('smtp') settings.app.email_username = email_username if 'email_password' in flask.request.json: settings_commit = True email_password = flask.request.json['email_password'] or None if email_password != settings.app.email_password: changes.add('smtp') settings.app.email_password = email_password if 'pin_mode' in flask.request.json: settings_commit = True pin_mode = flask.request.json['pin_mode'] or None if pin_mode != settings.user.pin_mode: changes.add('pin_mode') settings.user.pin_mode = pin_mode if 'sso' in flask.request.json: org_event = True settings_commit = True sso = flask.request.json['sso'] or None if sso != settings.app.sso: changes.add('sso') settings.app.sso = sso if 'sso_match' in flask.request.json: settings_commit = True sso_match = flask.request.json['sso_match'] or None if sso_match != settings.app.sso_match: changes.add('sso') if isinstance(sso_match, list): settings.app.sso_match = sso_match else: settings.app.sso_match = None if 'sso_duo_token' in flask.request.json: settings_commit = True sso_duo_token = flask.request.json['sso_duo_token'] or None if sso_duo_token != settings.app.sso_duo_token: changes.add('sso') settings.app.sso_duo_token = sso_duo_token if 'sso_duo_secret' in flask.request.json: settings_commit = True sso_duo_secret = flask.request.json['sso_duo_secret'] or None if sso_duo_secret != settings.app.sso_duo_secret: changes.add('sso') settings.app.sso_duo_secret = sso_duo_secret if 'sso_duo_host' in flask.request.json: settings_commit = True sso_duo_host = flask.request.json['sso_duo_host'] or None if sso_duo_host != settings.app.sso_duo_host: changes.add('sso') settings.app.sso_duo_host = sso_duo_host if 'sso_duo_mode' in flask.request.json: settings_commit = True sso_duo_mode = flask.request.json['sso_duo_mode'] or None if sso_duo_mode != settings.app.sso_duo_mode: changes.add('sso') settings.app.sso_duo_mode = sso_duo_mode if 'sso_radius_secret' in flask.request.json: settings_commit = True sso_radius_secret = flask.request.json['sso_radius_secret'] or None if sso_radius_secret != settings.app.sso_radius_secret: changes.add('sso') settings.app.sso_radius_secret = sso_radius_secret if 'sso_radius_host' in flask.request.json: settings_commit = True sso_radius_host = flask.request.json['sso_radius_host'] or None if sso_radius_host != settings.app.sso_radius_host: changes.add('sso') settings.app.sso_radius_host = sso_radius_host if 'sso_org' in flask.request.json: settings_commit = True sso_org = flask.request.json['sso_org'] or None if sso_org: sso_org = utils.ObjectId(sso_org) else: sso_org = None if sso_org != settings.app.sso_org: changes.add('sso') if settings.app.sso and not sso_org: return utils.jsonify( { 'error': SSO_ORG_NULL, 'error_msg': SSO_ORG_NULL_MSG, }, 400) settings.app.sso_org = sso_org if 'sso_saml_url' in flask.request.json: settings_commit = True sso_saml_url = flask.request.json['sso_saml_url'] or None if sso_saml_url != settings.app.sso_saml_url: changes.add('sso') settings.app.sso_saml_url = sso_saml_url if 'sso_saml_issuer_url' in flask.request.json: settings_commit = True sso_saml_issuer_url = flask.request.json['sso_saml_issuer_url'] or None if sso_saml_issuer_url != settings.app.sso_saml_issuer_url: changes.add('sso') settings.app.sso_saml_issuer_url = sso_saml_issuer_url if 'sso_saml_cert' in flask.request.json: settings_commit = True sso_saml_cert = flask.request.json['sso_saml_cert'] or None if sso_saml_cert != settings.app.sso_saml_cert: changes.add('sso') settings.app.sso_saml_cert = sso_saml_cert if 'sso_okta_token' in flask.request.json: settings_commit = True sso_okta_token = flask.request.json['sso_okta_token'] or None if sso_okta_token != settings.app.sso_okta_token: changes.add('sso') settings.app.sso_okta_token = sso_okta_token if 'sso_onelogin_id' in flask.request.json: settings_commit = True sso_onelogin_id = flask.request.json['sso_onelogin_id'] or None if sso_onelogin_id != settings.app.sso_onelogin_id: changes.add('sso') settings.app.sso_onelogin_id = sso_onelogin_id if 'sso_onelogin_secret' in flask.request.json: settings_commit = True sso_onelogin_secret = \ flask.request.json['sso_onelogin_secret'] or None if sso_onelogin_secret != settings.app.sso_onelogin_secret: changes.add('sso') settings.app.sso_onelogin_secret = sso_onelogin_secret if 'sso_client_cache' in flask.request.json: settings_commit = True sso_client_cache = True if \ flask.request.json['sso_client_cache'] else False if sso_client_cache != settings.app.sso_client_cache: changes.add('sso') settings.app.sso_client_cache = sso_client_cache if 'sso_yubico_client' in flask.request.json: settings_commit = True sso_yubico_client = \ flask.request.json['sso_yubico_client'] or None if sso_yubico_client != settings.app.sso_yubico_client: changes.add('sso') settings.app.sso_yubico_client = sso_yubico_client if 'sso_yubico_secret' in flask.request.json: settings_commit = True sso_yubico_secret = \ flask.request.json['sso_yubico_secret'] or None if sso_yubico_secret != settings.app.sso_yubico_secret: changes.add('sso') settings.app.sso_yubico_secret = sso_yubico_secret if flask.request.json.get('theme'): settings_commit = True theme = 'light' if flask.request.json['theme'] == 'light' else 'dark' if theme != settings.app.theme: if theme == 'dark': event.Event(type=THEME_DARK) else: event.Event(type=THEME_LIGHT) settings.app.theme = theme if 'public_address' in flask.request.json: public_address = flask.request.json['public_address'] or None if public_address != settings.local.host.public_addr: settings.local.host.public_address = public_address settings.local.host.commit('public_address') if 'public_address6' in flask.request.json: public_address6 = flask.request.json['public_address6'] or None if public_address6 != settings.local.host.public_addr6: settings.local.host.public_address6 = public_address6 settings.local.host.commit('public_address6') if 'routed_subnet6' in flask.request.json: routed_subnet6 = flask.request.json['routed_subnet6'] if routed_subnet6: try: routed_subnet6 = ipaddress.IPv6Network( flask.request.json['routed_subnet6']) except (ipaddress.AddressValueError, ValueError): return utils.jsonify( { 'error': IPV6_SUBNET_INVALID, 'error_msg': IPV6_SUBNET_INVALID_MSG, }, 400) if routed_subnet6.prefixlen > 64: return utils.jsonify( { 'error': IPV6_SUBNET_SIZE_INVALID, 'error_msg': IPV6_SUBNET_SIZE_INVALID_MSG, }, 400) routed_subnet6 = str(routed_subnet6) else: routed_subnet6 = None if settings.local.host.routed_subnet6 != routed_subnet6: if server.get_online_ipv6_count(): return utils.jsonify( { 'error': IPV6_SUBNET_ONLINE, 'error_msg': IPV6_SUBNET_ONLINE_MSG, }, 400) settings.local.host.routed_subnet6 = routed_subnet6 settings.local.host.commit('routed_subnet6') if 'reverse_proxy' in flask.request.json: settings_commit = True reverse_proxy = flask.request.json['reverse_proxy'] settings.app.reverse_proxy = True if reverse_proxy else False if 'cloud_provider' in flask.request.json: settings_commit = True cloud_provider = flask.request.json['cloud_provider'] or None settings.app.cloud_provider = cloud_provider if 'route53_region' in flask.request.json: settings_commit = True settings.app.route53_region = utils.filter_str( flask.request.json['route53_region']) or None if 'route53_zone' in flask.request.json: settings_commit = True settings.app.route53_zone = utils.filter_str( flask.request.json['route53_zone']) or None for aws_key in ( 'us_east_1_access_key', 'us_east_1_secret_key', 'us_east_2_access_key', 'us_east_2_secret_key', 'us_west_1_access_key', 'us_west_1_secret_key', 'us_west_2_access_key', 'us_west_2_secret_key', 'eu_west_1_access_key', 'eu_west_1_secret_key', 'eu_central_1_access_key', 'eu_central_1_secret_key', 'ap_northeast_1_access_key', 'ap_northeast_1_secret_key', 'ap_northeast_2_access_key', 'ap_northeast_2_secret_key', 'ap_southeast_1_access_key', 'ap_southeast_1_secret_key', 'ap_southeast_2_access_key', 'ap_southeast_2_secret_key', 'ap_south_1_access_key', 'ap_south_1_secret_key', 'sa_east_1_access_key', 'sa_east_1_secret_key', ): if aws_key in flask.request.json: settings_commit = True aws_value = flask.request.json[aws_key] if aws_value: setattr(settings.app, aws_key, utils.filter_str(aws_value)) else: setattr(settings.app, aws_key, None) if not settings.app.sso: settings.app.sso_host = None settings.app.sso_token = None settings.app.sso_secret = None settings.app.sso_match = None settings.app.sso_duo_token = None settings.app.sso_duo_secret = None settings.app.sso_duo_host = None settings.app.sso_yubico_client = None settings.app.sso_yubico_secret = None settings.app.sso_org = None settings.app.sso_saml_url = None settings.app.sso_saml_issuer_url = None settings.app.sso_saml_cert = None settings.app.sso_okta_token = None settings.app.sso_onelogin_key = None settings.app.sso_onelogin_id = None settings.app.sso_onelogin_secret = None settings.app.sso_radius_secret = None settings.app.sso_radius_host = None else: if RADIUS_AUTH in settings.app.sso and \ settings.app.sso_duo_mode == 'passcode': return utils.jsonify( { 'error': RADIUS_DUO_PASSCODE, 'error_msg': RADIUS_DUO_PASSCODE_MSG, }, 400) if settings.app.sso == DUO_AUTH and \ settings.app.sso_duo_mode == 'passcode': return utils.jsonify( { 'error': DUO_PASSCODE, 'error_msg': DUO_PASSCODE_MSG, }, 400) for change in changes: flask.g.administrator.audit_event( 'admin_settings', _changes_audit_text[change], remote_addr=utils.get_remote_addr(), ) if settings_commit: settings.commit() admin.commit(admin.changed) if admin_event: event.Event(type=ADMINS_UPDATED) if org_event: for org in organization.iter_orgs(fields=('_id')): event.Event(type=USERS_UPDATED, resource_id=org.id) event.Event(type=SETTINGS_UPDATED) if update_acme: try: acme.update_acme_cert() app.update_server(0.5) except: logger.exception( 'Failed to get LetsEncrypt cert', 'handler', acme_domain=settings.app.acme_domain, ) settings.app.acme_domain = None settings.app.acme_key = None settings.app.acme_timestamp = None settings.commit() return utils.jsonify( { 'error': ACME_ERROR, 'error_msg': ACME_ERROR_MSG, }, 400) elif update_cert: logger.info('Regenerating server certificate...', 'handler') utils.create_server_cert() app.update_server(0.5) elif update_server: app.update_server(0.5) response = flask.g.administrator.dict() response.update(_dict()) return utils.jsonify(response)
def generate_iptables_rules(self): rules = [] rules6 = [] try: routes_output = utils.check_output_logged(['route', '-n']) except subprocess.CalledProcessError: logger.exception('Failed to get IP routes', 'server', server_id=self.server.id, ) raise routes = [] default_interface = None for line in routes_output.splitlines(): line_split = line.split() if len(line_split) < 8 or not re.match(IP_REGEX, line_split[0]): continue if line_split[0] not in routes: if line_split[0] == '0.0.0.0': default_interface = line_split[7] routes.append(( ipaddress.IPNetwork('%s/%s' % (line_split[0], utils.subnet_to_cidr(line_split[2]))), line_split[7] )) routes.reverse() if not default_interface: raise IptablesError('Failed to find default network interface') routes6 = [] default_interface6 = None if self.server.ipv6: try: routes_output = utils.check_output_logged( ['route', '-n', '-A', 'inet6']) except subprocess.CalledProcessError: logger.exception('Failed to get IPv6 routes', 'server', server_id=self.server.id, ) raise for line in routes_output.splitlines(): line_split = line.split() if len(line_split) < 7: continue try: route_network = ipaddress.IPv6Network(line_split[0]) except (ipaddress.AddressValueError, ValueError): continue if not default_interface6 and line_split[0] == '::/0': default_interface6 = line_split[6] routes6.append(( route_network, line_split[6] )) if not default_interface6: raise IptablesError( 'Failed to find default IPv6 network interface') if default_interface6 == 'lo': logger.error('Failed to find default IPv6 interface', 'server', server_id=self.server.id, ) routes6.reverse() route_all = self.server.is_route_all() if route_all: rules.append([ 'INPUT', '-i', self.interface, '-j', 'ACCEPT', ]) rules.append([ 'OUTPUT', '-o', self.interface, '-j', 'ACCEPT', ]) rules.append([ 'FORWARD', '-i', self.interface, '-j', 'ACCEPT', ]) if self.server.ipv6: if self.server.ipv6_firewall and \ settings.local.host.routed_subnet6: rules6.append([ 'INPUT', '-d', self.server.network6, '-m', 'conntrack', '--ctstate','RELATED,ESTABLISHED', '-j', 'ACCEPT', ]) rules6.append([ 'INPUT', '-d', self.server.network6, '-p', 'icmpv6', '-m', 'conntrack', '--ctstate', 'NEW', '-j', 'ACCEPT', ]) rules6.append([ 'INPUT', '-d', self.server.network6, '-j', 'DROP', ]) rules6.append([ 'FORWARD', '-d', self.server.network6, '-m', 'conntrack', '--ctstate', 'RELATED,ESTABLISHED', '-j', 'ACCEPT', ]) rules6.append([ 'FORWARD', '-d', self.server.network6, '-p', 'icmpv6', '-m', 'conntrack', '--ctstate', 'NEW', '-j', 'ACCEPT', ]) rules6.append([ 'FORWARD', '-d', self.server.network6, '-j', 'DROP', ]) else: rules6.append([ 'INPUT', '-d', self.server.network6, '-j', 'ACCEPT', ]) rules6.append([ 'FORWARD', '-d', self.server.network6, '-j', 'ACCEPT', ]) elif self.server.restrict_routes: if self.server.inter_client: rules.append([ 'INPUT', '-i', self.interface, '-d', self.server.network, '-j', 'ACCEPT', ]) rules6.append([ 'INPUT', '-i', self.interface, '-d', self.server.network6, '-j', 'ACCEPT', ]) rules.append([ 'OUTPUT', '-o', self.interface, '-s', self.server.network, '-j', 'ACCEPT', ]) rules6.append([ 'OUTPUT', '-o', self.interface, '-s', self.server.network6, '-j', 'ACCEPT', ]) rules.append([ 'FORWARD', '-i', self.interface, '-d', self.server.network, '-j', 'ACCEPT', ]) rules.append([ 'FORWARD', '-o', self.interface, '-s', self.server.network, '-j', 'ACCEPT', ]) rules6.append([ 'FORWARD', '-i', self.interface, '-d', self.server.network6, '-j', 'ACCEPT', ]) rules6.append([ 'FORWARD', '-o', self.interface, '-s', self.server.network6, '-j', 'ACCEPT', ]) else: server_addr = utils.get_network_gateway(self.server.network) server_addr6 = utils.get_network_gateway(self.server.network6) rules.append([ 'INPUT', '-i', self.interface, '-d', server_addr, '-j', 'ACCEPT', ]) rules6.append([ 'INPUT', '-i', self.interface, '-d', server_addr6, '-j', 'ACCEPT', ]) rules.append([ 'OUTPUT', '-o', self.interface, '-s', server_addr, '-j', 'ACCEPT', ]) rules6.append([ 'OUTPUT', '-o', self.interface, '-s', server_addr6, '-j', 'ACCEPT', ]) for route in self.server.get_routes( include_hidden=True, include_server_links=True, include_default=False, ): network_address = route['network'] is6 = ':' in network_address is_nat = route['nat'] if route['virtual_network']: continue if self.server.restrict_routes: if is6: rules6.append([ 'INPUT', '-i', self.interface, '-d', network_address, '-j', 'ACCEPT', ]) rules6.append([ 'OUTPUT', '-o', self.interface, '-s', network_address, '-j', 'ACCEPT', ]) rules6.append([ 'FORWARD', '-i', self.interface, '-d', network_address, '-j', 'ACCEPT', ]) if is_nat: rules6.append([ 'FORWARD', '-o', self.interface, '-m', 'conntrack', '--ctstate', 'RELATED,ESTABLISHED', '-s', network_address, '-j', 'ACCEPT', ]) else: rules6.append([ 'FORWARD', '-o', self.interface, '-s', network_address, '-j', 'ACCEPT', ]) else: rules.append([ 'INPUT', '-i', self.interface, '-d', network_address, '-j', 'ACCEPT', ]) rules.append([ 'OUTPUT', '-o', self.interface, '-s', network_address, '-j', 'ACCEPT', ]) rules.append([ 'FORWARD', '-i', self.interface, '-d', network_address, '-j', 'ACCEPT', ]) if is_nat: rules.append([ 'FORWARD', '-o', self.interface, '-m', 'conntrack', '--ctstate', 'RELATED,ESTABLISHED', '-s', network_address, '-j', 'ACCEPT', ]) else: rules.append([ 'FORWARD', '-o', self.interface, '-s', network_address, '-j', 'ACCEPT', ]) interfaces = set() interfaces6 = set() link_svr_networks = [] for link_svr in self.server.iter_links(fields=('_id', 'network', 'network_start', 'network_end', 'organizations', 'routes', 'links')): link_svr_networks.append(link_svr.network) for route in self.server.get_routes(include_hidden=True): if route['virtual_network'] or not route['nat']: continue network_address = route['network'] args_base = ['POSTROUTING', '-t', 'nat'] is6 = ':' in network_address if is6: network = network_address else: network = utils.parse_network(network_address)[0] network_obj = ipaddress.IPNetwork(network_address) if is6: interface = None for route_net, route_intf in routes6: if network_obj in route_net: interface = route_intf break if not interface: logger.info( 'Failed to find interface for local ' + \ 'IPv6 network route, using default route', 'server', server_id=self.server.id, network=network, ) interface = default_interface6 interfaces6.add(interface) else: interface = None for route_net, route_intf in routes: if network_obj in route_net: interface = route_intf break if not interface: logger.info( 'Failed to find interface for local ' + \ 'network route, using default route', 'server', server_id=self.server.id, network=network, ) interface = default_interface interfaces.add(interface) if network != '0.0.0.0' and network != '::/0': args_base += ['-d', network_address] args_base += [ '-o', interface, '-j', 'MASQUERADE', ] if is6: rules6.append(args_base + ['-s', self.server.network6]) else: rules.append(args_base + ['-s', self.server.network]) for link_svr_net in link_svr_networks: if ':' in link_svr_net: rules6.append(args_base + ['-s', link_svr_net]) else: rules.append(args_base + ['-s', link_svr_net]) if route_all: for interface in interfaces: rules.append([ 'FORWARD', '-i', interface, '-o', self.interface, '-m', 'state', '--state', 'ESTABLISHED,RELATED', '-j', 'ACCEPT', ]) rules.append([ 'FORWARD', '-i', self.interface, '-o', interface, '-m', 'state', '--state', 'ESTABLISHED,RELATED', '-j', 'ACCEPT', ]) for interface in interfaces6: if self.server.ipv6 and self.server.ipv6_firewall and \ settings.local.host.routed_subnet6 and \ interface == default_interface6: continue rules6.append([ 'FORWARD', '-i', interface, '-o', self.interface, '-m', 'state', '--state', 'ESTABLISHED,RELATED', '-j', 'ACCEPT', ]) rules6.append([ 'FORWARD', '-i', self.interface, '-o', interface, '-m', 'state', '--state', 'ESTABLISHED,RELATED', '-j', 'ACCEPT', ]) extra_args = [ '-m', 'comment', '--comment', 'pritunl_%s' % self.server.id, ] if settings.local.iptables_wait: extra_args.append('--wait') rules = [x + extra_args for x in rules] rules6 = [x + extra_args for x in rules6] return rules, rules6
def generate_iptables_rules(self): rules = [] rules6 = [] try: routes_output = utils.check_output_logged(['route', '-n']) except subprocess.CalledProcessError: logger.exception('Failed to get IP routes', 'server', server_id=self.server.id, ) raise routes = {} for line in routes_output.splitlines(): line_split = line.split() if len(line_split) < 8 or not re.match(IP_REGEX, line_split[0]): continue if line_split[0] not in routes: routes[line_split[0]] = line_split[7] if '0.0.0.0' not in routes: raise IptablesError('Failed to find default network interface') default_interface = routes['0.0.0.0'] routes6 = {} default_interface6 = None if self.server.ipv6: try: routes_output = utils.check_output_logged( ['route', '-n', '-A', 'inet6']) except subprocess.CalledProcessError: logger.exception('Failed to get IPv6 routes', 'server', server_id=self.server.id, ) raise for line in routes_output.splitlines(): line_split = line.split() if len(line_split) < 7: continue try: ipaddress.IPv6Network(line_split[0]) except (ipaddress.AddressValueError, ValueError): continue if line_split[0] not in routes6: routes6[line_split[0]] = line_split[6] if '::/0' not in routes6: raise IptablesError( 'Failed to find default IPv6 network interface') default_interface6 = routes6['::/0'] if default_interface6 == 'lo': logger.error('Failed to find default IPv6 interface', 'server', server_id=self.server.id, ) rules.append(['INPUT', '-i', self.interface, '-j', 'ACCEPT']) rules.append(['FORWARD', '-i', self.interface, '-j', 'ACCEPT']) if self.server.ipv6: if self.server.ipv6_firewall and \ settings.local.host.routed_subnet6: rules6.append( ['INPUT', '-d', self.server.network6, '-j', 'DROP']) rules6.append( ['INPUT', '-d', self.server.network6, '-m', 'conntrack', '--ctstate','RELATED,ESTABLISHED', '-j', 'ACCEPT']) rules6.append( ['INPUT', '-d', self.server.network6, '-p', 'icmpv6', '-m', 'conntrack', '--ctstate', 'NEW', '-j', 'ACCEPT']) rules6.append( ['FORWARD', '-d', self.server.network6, '-j', 'DROP']) rules6.append( ['FORWARD', '-d', self.server.network6, '-m', 'conntrack', '--ctstate', 'RELATED,ESTABLISHED', '-j', 'ACCEPT']) rules6.append( ['FORWARD', '-d', self.server.network6, '-p', 'icmpv6', '-m', 'conntrack', '--ctstate', 'NEW', '-j', 'ACCEPT']) else: rules6.append( ['INPUT', '-d', self.server.network6, '-j', 'ACCEPT']) rules6.append( ['FORWARD', '-d', self.server.network6, '-j', 'ACCEPT']) interfaces = set() interfaces6 = set() other_networks = [] if self.server.mode == ALL_TRAFFIC and \ self.server.network_mode != BRIDGE: other_networks = ['0.0.0.0/0'] if self.server.ipv6 and not settings.local.host.routed_subnet6: other_networks.append('::/0') link_svr_networks = [] for link_svr in self.server.iter_links(fields=( '_id', 'network', 'network_start', 'network_end')): link_svr_networks.append(link_svr.network) if settings.vpn.nat_routes: for network_address in self.server.local_networks or \ other_networks: args_base = ['POSTROUTING', '-t', 'nat'] is6 = ':' in network_address if is6: network = network_address else: network = utils.parse_network(network_address)[0] if is6: if network not in routes6: logger.info( 'Failed to find interface for local ' + \ 'IPv6 network route, using default route', 'server', server_id=self.server.id, network=network, ) interface = default_interface6 else: interface = routes6[network] interfaces6.add(interface) else: if network not in routes: logger.info( 'Failed to find interface for local ' + \ 'network route, using default route', 'server', server_id=self.server.id, network=network, ) interface = default_interface else: interface = routes[network] interfaces.add(interface) if network != '0.0.0.0' and network != '::/0': args_base += ['-d', network_address] args_base += [ '-o', interface, '-j', 'MASQUERADE', ] if is6: rules6.append(args_base + ['-s', self.server.network6]) else: rules.append(args_base + ['-s', self.server.network]) for link_svr_net in link_svr_networks: if ':' in link_svr_net: rules6.append(args_base + ['-s', link_svr_net]) else: rules.append(args_base + ['-s', link_svr_net]) for interface in interfaces: rules.append([ 'FORWARD', '-i', interface, '-o', self.interface, '-m', 'state', '--state', 'ESTABLISHED,RELATED', '-j', 'ACCEPT', ]) rules.append([ 'FORWARD', '-i', self.interface, '-o', interface, '-m', 'state', '--state', 'ESTABLISHED,RELATED', '-j', 'ACCEPT', ]) for interface in interfaces6: if self.server.ipv6 and self.server.ipv6_firewall and \ settings.local.host.routed_subnet6 and \ interface == default_interface6: continue rules6.append([ 'FORWARD', '-i', interface, '-o', self.interface, '-m', 'state', '--state', 'ESTABLISHED,RELATED', '-j', 'ACCEPT', ]) rules6.append([ 'FORWARD', '-i', self.interface, '-o', interface, '-m', 'state', '--state', 'ESTABLISHED,RELATED', '-j', 'ACCEPT', ]) extra_args = [ '-m', 'comment', '--comment', 'pritunl_%s' % self.server.id, ] if settings.local.iptables_wait: extra_args.append('--wait') rules = [x + extra_args for x in rules] rules6 = [x + extra_args for x in rules6] return rules, rules6
def settings_put(): if settings.app.demo_mode: return utils.demo_blocked() org_event = False admin = flask.g.administrator changes = set() if 'username' in flask.request.json and flask.request.json['username']: username = utils.filter_str(flask.request.json['username']).lower() if username != admin.username: changes.add('username') admin.username = username if 'password' in flask.request.json and flask.request.json['password']: password = flask.request.json['password'] changes.add('password') admin.password = password if 'token' in flask.request.json and flask.request.json['token']: admin.generate_token() changes.add('token') if 'secret' in flask.request.json and flask.request.json['secret']: admin.generate_secret() changes.add('token') settings_commit = False if 'auditing' in flask.request.json: settings_commit = True auditing = flask.request.json['auditing'] or None if settings.app.auditing != auditing: org_event = True settings.app.auditing = auditing if 'monitoring' in flask.request.json: settings_commit = True monitoring = flask.request.json['monitoring'] or None settings.app.monitoring = monitoring if 'datadog_api_key' in flask.request.json: settings_commit = True datadog_api_key = flask.request.json['datadog_api_key'] or None settings.app.datadog_api_key = datadog_api_key if 'email_from' in flask.request.json: settings_commit = True email_from = flask.request.json['email_from'] or None if email_from != settings.app.email_from: changes.add('smtp') settings.app.email_from = email_from if 'email_server' in flask.request.json: settings_commit = True email_server = flask.request.json['email_server'] or None if email_server != settings.app.email_server: changes.add('smtp') settings.app.email_server = email_server if 'email_username' in flask.request.json: settings_commit = True email_username = flask.request.json['email_username'] or None if email_username != settings.app.email_username: changes.add('smtp') settings.app.email_username = email_username if 'email_password' in flask.request.json: settings_commit = True email_password = flask.request.json['email_password'] or None if email_password != settings.app.email_password: changes.add('smtp') settings.app.email_password = email_password if 'pin_mode' in flask.request.json: settings_commit = True pin_mode = flask.request.json['pin_mode'] or None if pin_mode != settings.user.pin_mode: changes.add('pin_mode') settings.user.pin_mode = pin_mode if 'sso' in flask.request.json: org_event = True settings_commit = True sso = flask.request.json['sso'] or None if sso != settings.app.sso: changes.add('sso') settings.app.sso = sso if 'sso_match' in flask.request.json: settings_commit = True sso_match = flask.request.json['sso_match'] or None if sso_match != settings.app.sso_match: changes.add('sso') if isinstance(sso_match, list): settings.app.sso_match = sso_match else: settings.app.sso_match = None if 'sso_token' in flask.request.json: settings_commit = True sso_token = flask.request.json['sso_token'] or None if sso_token != settings.app.sso_token: changes.add('sso') settings.app.sso_token = sso_token if 'sso_secret' in flask.request.json: settings_commit = True sso_secret = flask.request.json['sso_secret'] or None if sso_secret != settings.app.sso_secret: changes.add('sso') settings.app.sso_secret = sso_secret if 'sso_host' in flask.request.json: settings_commit = True sso_host = flask.request.json['sso_host'] or None if sso_host != settings.app.sso_host: changes.add('sso') settings.app.sso_host = sso_host if 'sso_admin' in flask.request.json: settings_commit = True sso_admin = flask.request.json['sso_admin'] or None if sso_admin != settings.app.sso_admin: changes.add('sso') settings.app.sso_admin = sso_admin if 'sso_org' in flask.request.json: settings_commit = True sso_org = flask.request.json['sso_org'] if sso_org: sso_org = utils.ObjectId(sso_org) else: sso_org = None if sso_org != settings.app.sso_org: changes.add('sso') settings.app.sso_org = sso_org if 'sso_saml_url' in flask.request.json: settings_commit = True sso_saml_url = flask.request.json['sso_saml_url'] or None if sso_saml_url != settings.app.sso_saml_url: changes.add('sso') settings.app.sso_saml_url = sso_saml_url if 'sso_saml_issuer_url' in flask.request.json: settings_commit = True sso_saml_issuer_url = flask.request.json['sso_saml_issuer_url'] or None if sso_saml_issuer_url != settings.app.sso_saml_issuer_url: changes.add('sso') settings.app.sso_saml_issuer_url = sso_saml_issuer_url if 'sso_saml_cert' in flask.request.json: settings_commit = True sso_saml_cert = flask.request.json['sso_saml_cert'] or None if sso_saml_cert != settings.app.sso_saml_cert: changes.add('sso') settings.app.sso_saml_cert = sso_saml_cert if 'sso_okta_token' in flask.request.json: settings_commit = True sso_okta_token = flask.request.json['sso_okta_token'] or None if sso_okta_token != settings.app.sso_okta_token: changes.add('sso') settings.app.sso_okta_token = sso_okta_token if 'sso_onelogin_key' in flask.request.json: settings_commit = True sso_onelogin_key = flask.request.json['sso_onelogin_key'] or None if sso_onelogin_key != settings.app.sso_onelogin_key: changes.add('sso') settings.app.sso_onelogin_key = sso_onelogin_key if 'theme' in flask.request.json: settings_commit = True theme = 'dark' if flask.request.json['theme'] == 'dark' else 'light' if theme != settings.app.theme: if theme == 'dark': event.Event(type=THEME_DARK) else: event.Event(type=THEME_LIGHT) settings.app.theme = theme if 'public_address' in flask.request.json: public_address = flask.request.json['public_address'] settings.local.host.public_address = public_address settings.local.host.commit('public_address') if 'public_address6' in flask.request.json: public_address6 = flask.request.json['public_address6'] settings.local.host.public_address6 = public_address6 settings.local.host.commit('public_address6') if 'routed_subnet6' in flask.request.json: routed_subnet6 = flask.request.json['routed_subnet6'] if routed_subnet6: try: routed_subnet6 = ipaddress.IPv6Network( flask.request.json['routed_subnet6']) except (ipaddress.AddressValueError, ValueError): return utils.jsonify( { 'error': IPV6_SUBNET_INVALID, 'error_msg': IPV6_SUBNET_INVALID_MSG, }, 400) if routed_subnet6.prefixlen > 64: return utils.jsonify( { 'error': IPV6_SUBNET_SIZE_INVALID, 'error_msg': IPV6_SUBNET_SIZE_INVALID_MSG, }, 400) routed_subnet6 = str(routed_subnet6) else: routed_subnet6 = None if settings.local.host.routed_subnet6 != routed_subnet6: if server.get_online_ipv6_count(): return utils.jsonify( { 'error': IPV6_SUBNET_ONLINE, 'error_msg': IPV6_SUBNET_ONLINE_MSG, }, 400) settings.local.host.routed_subnet6 = routed_subnet6 settings.local.host.commit('routed_subnet6') if 'server_cert' in flask.request.json: settings_commit = True server_cert = flask.request.json['server_cert'] if server_cert: settings.app.server_cert = server_cert.strip() else: settings.app.server_cert = None if 'server_key' in flask.request.json: settings_commit = True server_key = flask.request.json['server_key'] if server_key: settings.app.server_key = server_key.strip() else: settings.app.server_key = None if not settings.app.sso: settings.app.sso_match = None settings.app.sso_token = None settings.app.sso_secret = None settings.app.sso_host = None settings.app.sso_admin = None settings.app.sso_org = None settings.app.sso_saml_url = None settings.app.sso_saml_issuer_url = None settings.app.sso_saml_cert = None settings.app.sso_okta_token = None settings.app.sso_onelogin_key = None for change in changes: auth.audit_event( 'admin_settings', _changes_audit_text[change], remote_addr=utils.get_remote_addr(), ) if settings_commit: settings.commit() admin.commit(admin.changed) if org_event: for org in organization.iter_orgs(fields=('_id')): event.Event(type=USERS_UPDATED, resource_id=org.id) event.Event(type=SETTINGS_UPDATED) response = flask.g.administrator.dict() response.update({ 'theme': settings.app.theme, 'auditing': settings.app.auditing, 'monitoring': settings.app.monitoring, 'datadog_api_key': settings.app.datadog_api_key, 'email_from': settings.app.email_from, 'email_server': settings.app.email_server, 'email_username': settings.app.email_username, 'email_password': bool(settings.app.email_password), 'pin_mode': settings.user.pin_mode, 'sso': settings.app.sso, 'sso_match': settings.app.sso_match, 'sso_token': settings.app.sso_token, 'sso_secret': settings.app.sso_secret, 'sso_host': settings.app.sso_host, 'sso_admin': settings.app.sso_admin, 'sso_org': settings.app.sso_org, 'sso_saml_url': settings.app.sso_saml_url, 'sso_saml_issuer_url': settings.app.sso_saml_issuer_url, 'sso_saml_cert': settings.app.sso_saml_cert, 'sso_okta_token': settings.app.sso_okta_token, 'sso_onelogin_key': settings.app.sso_onelogin_key, 'public_address': settings.local.host.public_addr, }) return utils.jsonify(response)
def settings_put(): admin = flask.g.administrator if 'username' in flask.request.json and flask.request.json['username']: admin.username = utils.filter_str( flask.request.json['username']).lower() if 'password' in flask.request.json and flask.request.json['password']: admin.password = flask.request.json['password'] if 'token' in flask.request.json and flask.request.json['token']: admin.generate_token() if 'secret' in flask.request.json and flask.request.json['secret']: admin.generate_secret() settings_commit = False if 'email_from' in flask.request.json: settings_commit = True email_from = flask.request.json['email_from'] settings.app.email_from = email_from or None if 'email_server' in flask.request.json: settings_commit = True email_server = flask.request.json['email_server'] settings.app.email_server = email_server or None if 'email_username' in flask.request.json: settings_commit = True email_username = flask.request.json['email_username'] settings.app.email_username = email_username or None if 'email_password' in flask.request.json: settings_commit = True email_password = flask.request.json['email_password'] settings.app.email_password = email_password or None if 'sso' in flask.request.json: settings_commit = True sso = flask.request.json['sso'] settings.app.sso = sso or None if 'sso_match' in flask.request.json: sso_match = flask.request.json['sso_match'] if isinstance(sso_match, list): settings_commit = True settings.app.sso_match = sso_match or None if 'sso_token' in flask.request.json: sso_token = flask.request.json['sso_token'] settings_commit = True settings.app.sso_token = sso_token or None if 'sso_secret' in flask.request.json: sso_secret = flask.request.json['sso_secret'] settings_commit = True settings.app.sso_secret = sso_secret or None if 'sso_host' in flask.request.json: sso_host = flask.request.json['sso_host'] settings_commit = True settings.app.sso_host = sso_host or None if 'sso_admin' in flask.request.json: sso_admin = flask.request.json['sso_admin'] settings_commit = True settings.app.sso_admin = sso_admin or None if 'sso_org' in flask.request.json: settings_commit = True sso_org = flask.request.json['sso_org'] if sso_org: settings.app.sso_org = utils.ObjectId(sso_org) else: settings.app.sso_org = None if 'theme' in flask.request.json: settings_commit = True theme = 'dark' if flask.request.json['theme'] == 'dark' else 'light' if theme != settings.app.theme: if theme == 'dark': event.Event(type=THEME_DARK) else: event.Event(type=THEME_LIGHT) settings.app.theme = theme if 'public_address' in flask.request.json: public_address = flask.request.json['public_address'] settings.local.host.public_address = public_address settings.local.host.commit('public_address') if 'public_address6' in flask.request.json: public_address6 = flask.request.json['public_address6'] settings.local.host.public_address6 = public_address6 settings.local.host.commit('public_address6') if 'routed_subnet6' in flask.request.json: routed_subnet6 = flask.request.json['routed_subnet6'] if routed_subnet6: try: routed_subnet6 = ipaddress.IPv6Network( flask.request.json['routed_subnet6']) except (ipaddress.AddressValueError, ValueError): return utils.jsonify( { 'error': IPV6_SUBNET_INVALID, 'error_msg': IPV6_SUBNET_INVALID_MSG, }, 400) if routed_subnet6.prefixlen > 64: return utils.jsonify( { 'error': IPV6_SUBNET_SIZE_INVALID, 'error_msg': IPV6_SUBNET_SIZE_INVALID_MSG, }, 400) routed_subnet6 = str(routed_subnet6) else: routed_subnet6 = None if settings.local.host.routed_subnet6 != routed_subnet6: if server.get_online_ipv6_count(): return utils.jsonify( { 'error': IPV6_SUBNET_ONLINE, 'error_msg': IPV6_SUBNET_ONLINE_MSG, }, 400) settings.local.host.routed_subnet6 = routed_subnet6 settings.local.host.commit('routed_subnet6') if 'server_cert' in flask.request.json: settings_commit = True server_cert = flask.request.json['server_cert'] if server_cert: settings.app.server_cert = server_cert.strip() else: settings.app.server_cert = None if 'server_key' in flask.request.json: settings_commit = True server_key = flask.request.json['server_key'] if server_key: settings.app.server_key = server_key.strip() else: settings.app.server_key = None if not settings.app.sso: settings.app.sso_match = None settings.app.sso_token = None settings.app.sso_secret = None settings.app.sso_host = None settings.app.sso_admin = None settings.app.sso_org = None if settings_commit: settings.commit() admin.commit(admin.changed) response = flask.g.administrator.dict() response.update({ 'theme': settings.app.theme, 'email_from': settings.app.email_from, 'email_server': settings.app.email_server, 'email_username': settings.app.email_username, 'email_password': bool(settings.app.email_password), 'sso': settings.app.sso, 'sso_match': settings.app.sso_match, 'sso_token': settings.app.sso_token, 'sso_secret': settings.app.sso_secret, 'sso_host': settings.app.sso_host, 'sso_admin': settings.app.sso_admin, 'sso_org': settings.app.sso_org, 'public_address': settings.local.host.public_addr, }) return utils.jsonify(response)
def host_put(hst=None): if settings.app.demo_mode: return utils.demo_blocked() hst = host.get_by_id(hst) if 'name' in flask.request.json: hst.name = utils.filter_str( flask.request.json['name']) or utils.random_name() if 'public_address' in flask.request.json: public_address = utils.filter_str(flask.request.json['public_address']) hst.public_address = public_address if 'public_address6' in flask.request.json: public_address6 = utils.filter_str( flask.request.json['public_address6']) hst.public_address6 = public_address6 if 'routed_subnet6' in flask.request.json: routed_subnet6 = flask.request.json['routed_subnet6'] if routed_subnet6: try: routed_subnet6 = ipaddress.IPv6Network( flask.request.json['routed_subnet6']) except (ipaddress.AddressValueError, ValueError): return utils.jsonify( { 'error': IPV6_SUBNET_INVALID, 'error_msg': IPV6_SUBNET_INVALID_MSG, }, 400) if routed_subnet6.prefixlen > 64: return utils.jsonify( { 'error': IPV6_SUBNET_SIZE_INVALID, 'error_msg': IPV6_SUBNET_SIZE_INVALID_MSG, }, 400) routed_subnet6 = str(routed_subnet6) else: routed_subnet6 = None if hst.routed_subnet6 != routed_subnet6: if server.get_online_ipv6_count(): return utils.jsonify( { 'error': IPV6_SUBNET_ONLINE, 'error_msg': IPV6_SUBNET_ONLINE_MSG, }, 400) hst.routed_subnet6 = routed_subnet6 if 'proxy_ndp' in flask.request.json: proxy_ndp = True if flask.request.json['proxy_ndp'] else False hst.proxy_ndp = proxy_ndp if 'local_address' in flask.request.json: local_address = utils.filter_str(flask.request.json['local_address']) hst.local_address = local_address if 'local_address6' in flask.request.json: local_address6 = utils.filter_str(flask.request.json['local_address6']) hst.local_address6 = local_address6 if 'link_address' in flask.request.json: link_address = utils.filter_str(flask.request.json['link_address']) hst.link_address = link_address if 'sync_address' in flask.request.json: sync_address = utils.filter_str(flask.request.json['sync_address']) hst.sync_address = sync_address if 'availability_group' in flask.request.json: hst.availability_group = utils.filter_str( flask.request.json['availability_group']) or DEFAULT if 'instance_id' in flask.request.json: instance_id = utils.filter_str(flask.request.json['instance_id']) if instance_id != hst.aws_id: hst.instance_id = instance_id hst.commit(hst.changed) event.Event(type=HOSTS_UPDATED) messenger.publish('hosts', 'updated') return utils.jsonify(hst.dict())