Example #1
0
    def _provider_rules():
        """Generate a list of rules from provider for IP4 & IP6."""
        ctxt = context.get_admin_context()
        ipv4_rules = []
        ipv6_rules = []
        rules = db.provider_fw_rule_get_all(ctxt)
        for rule in rules:
            LOG.debug(_('Adding provider rule: %s'), rule['cidr'])
            version = netutils.get_ip_version(rule['cidr'])
            if version == 4:
                fw_rules = ipv4_rules
            else:
                fw_rules = ipv6_rules

            protocol = rule['protocol']
            if version == 6 and protocol == 'icmp':
                protocol = 'icmpv6'

            args = ['-p', protocol, '-s', rule['cidr']]

            if protocol in ['udp', 'tcp']:
                if rule['from_port'] == rule['to_port']:
                    args += ['--dport', '%s' % (rule['from_port'],)]
                else:
                    args += ['-m', 'multiport',
                             '--dports', '%s:%s' % (rule['from_port'],
                                                    rule['to_port'])]
            elif protocol == 'icmp':
                icmp_type = rule['from_port']
                icmp_code = rule['to_port']

                if icmp_type == -1:
                    icmp_type_arg = None
                else:
                    icmp_type_arg = '%s' % icmp_type
                    if not icmp_code == -1:
                        icmp_type_arg += '/%s' % icmp_code

                if icmp_type_arg:
                    if version == 4:
                        args += ['-m', 'icmp', '--icmp-type',
                                 icmp_type_arg]
                    elif version == 6:
                        args += ['-m', 'icmp6', '--icmpv6-type',
                                 icmp_type_arg]
            args += ['-j DROP']
            fw_rules += [' '.join(args)]
        return ipv4_rules, ipv6_rules
Example #2
0
    def _provider_rules(self):
        """Generate a list of rules from provider for IP4 & IP6."""
        ctxt = context.get_admin_context()
        ipv4_rules = []
        ipv6_rules = []
        rules = db.provider_fw_rule_get_all(ctxt)
        for rule in rules:
            LOG.debug(_('Adding provider rule: %s'), rule['cidr'])
            version = netutils.get_ip_version(rule['cidr'])
            if version == 4:
                fw_rules = ipv4_rules
            else:
                fw_rules = ipv6_rules

            protocol = rule['protocol']
            if version == 6 and protocol == 'icmp':
                protocol = 'icmpv6'

            args = ['-p', protocol, '-s', rule['cidr']]

            if protocol in ['udp', 'tcp']:
                if rule['from_port'] == rule['to_port']:
                    args += ['--dport', '%s' % (rule['from_port'],)]
                else:
                    args += ['-m', 'multiport',
                             '--dports', '%s:%s' % (rule['from_port'],
                                                    rule['to_port'])]
            elif protocol == 'icmp':
                icmp_type = rule['from_port']
                icmp_code = rule['to_port']

                if icmp_type == -1:
                    icmp_type_arg = None
                else:
                    icmp_type_arg = '%s' % icmp_type
                    if not icmp_code == -1:
                        icmp_type_arg += '/%s' % icmp_code

                if icmp_type_arg:
                    if version == 4:
                        args += ['-m', 'icmp', '--icmp-type',
                                 icmp_type_arg]
                    elif version == 6:
                        args += ['-m', 'icmp6', '--icmpv6-type',
                                 icmp_type_arg]
            args += ['-j DROP']
            fw_rules += [' '.join(args)]
        return ipv4_rules, ipv6_rules
Example #3
0
    def _provider_rules(self):
        """Generate a list of rules from provider for IP4 & IP6."""
        ctxt = context.get_admin_context()
        ipv4_rules = []
        ipv6_rules = []
        rules = db.provider_fw_rule_get_all(ctxt)
        for rule in rules:
            LOG.debug(_("Adding provider rule: %s"), rule["cidr"])
            version = netutils.get_ip_version(rule["cidr"])
            if version == 4:
                fw_rules = ipv4_rules
            else:
                fw_rules = ipv6_rules

            protocol = rule["protocol"]
            if version == 6 and protocol == "icmp":
                protocol = "icmpv6"

            args = ["-p", protocol, "-s", rule["cidr"]]

            if protocol in ["udp", "tcp"]:
                if rule["from_port"] == rule["to_port"]:
                    args += ["--dport", "%s" % (rule["from_port"],)]
                else:
                    args += ["-m", "multiport", "--dports", "%s:%s" % (rule["from_port"], rule["to_port"])]
            elif protocol == "icmp":
                icmp_type = rule["from_port"]
                icmp_code = rule["to_port"]

                if icmp_type == -1:
                    icmp_type_arg = None
                else:
                    icmp_type_arg = "%s" % icmp_type
                    if not icmp_code == -1:
                        icmp_type_arg += "/%s" % icmp_code

                if icmp_type_arg:
                    if version == 4:
                        args += ["-m", "icmp", "--icmp-type", icmp_type_arg]
                    elif version == 6:
                        args += ["-m", "icmp6", "--icmpv6-type", icmp_type_arg]
            args += ["-j DROP"]
            fw_rules += [" ".join(args)]
        return ipv4_rules, ipv6_rules
Example #4
0
    def security_group_to_nwfilter_xml(self, security_group_id):
        security_group = db.security_group_get(context.get_admin_context(),
                                               security_group_id)
        rule_xml = ""
        v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'}
        for rule in security_group.rules:
            rule_xml += "<rule action='accept' direction='in' priority='300'>"
            if rule.cidr:
                version = netutils.get_ip_version(rule.cidr)
                if (FLAGS.use_ipv6 and version == 6):
                    net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr)
                    rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \
                                (v6protocol[rule.protocol], net, prefixlen)
                else:
                    net, mask = netutils.get_net_and_mask(rule.cidr)
                    rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \
                                (rule.protocol, net, mask)
                if rule.protocol in ['tcp', 'udp']:
                    rule_xml += "dstportstart='%s' dstportend='%s' " % \
                                (rule.from_port, rule.to_port)
                elif rule.protocol == 'icmp':
                    LOG.info(
                        'rule.protocol: %r, rule.from_port: %r, '
                        'rule.to_port: %r', rule.protocol, rule.from_port,
                        rule.to_port)
                    if rule.from_port != -1:
                        rule_xml += "type='%s' " % rule.from_port
                    if rule.to_port != -1:
                        rule_xml += "code='%s' " % rule.to_port

                rule_xml += '/>\n'
            rule_xml += "</rule>\n"
        xml = "<filter name='nova-secgroup-%s' " % security_group_id
        if (FLAGS.use_ipv6):
            xml += "chain='root'>%s</filter>" % rule_xml
        else:
            xml += "chain='ipv4'>%s</filter>" % rule_xml
        return xml
Example #5
0
    def security_group_to_nwfilter_xml(self, security_group_id):
        security_group = db.security_group_get(context.get_admin_context(),
                                               security_group_id)
        rule_xml = ""
        v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'}
        for rule in security_group.rules:
            rule_xml += "<rule action='accept' direction='in' priority='300'>"
            if rule.cidr:
                version = netutils.get_ip_version(rule.cidr)
                protocol = rule.protocol.lower()
                if(FLAGS.use_ipv6 and version == 6):
                    net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr)
                    rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \
                                (v6protocol[protocol], net, prefixlen)
                else:
                    net, mask = netutils.get_net_and_mask(rule.cidr)
                    rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \
                                (protocol, net, mask)
                if protocol in ['tcp', 'udp']:
                    rule_xml += "dstportstart='%s' dstportend='%s' " % \
                                (rule.from_port, rule.to_port)
                elif protocol == 'icmp':
                    LOG.info('rule.protocol: %r, rule.from_port: %r, '
                             'rule.to_port: %r', protocol,
                             rule.from_port, rule.to_port)
                    if rule.from_port != -1:
                        rule_xml += "type='%s' " % rule.from_port
                    if rule.to_port != -1:
                        rule_xml += "code='%s' " % rule.to_port

                rule_xml += '/>\n'
            rule_xml += "</rule>\n"
        xml = "<filter name='nova-secgroup-%s' " % security_group_id
        if(FLAGS.use_ipv6):
            xml += "chain='root'>%s</filter>" % rule_xml
        else:
            xml += "chain='ipv4'>%s</filter>" % rule_xml
        return xml
Example #6
0
    def provider_fw_to_nwfilter_xml(self):
        """Compose a filter of drop rules from specified cidrs."""
        rule_xml = ""
        v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'}
        rules = db.provider_fw_rule_get_all(context.get_admin_context())
        for rule in rules:
            rule_xml += "<rule action='block' direction='in' priority='150'>"
            version = netutils.get_ip_version(rule.cidr)
            if (FLAGS.use_ipv6 and version == 6):
                net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr)
                rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \
                            (v6protocol[rule.protocol], net, prefixlen)
            else:
                net, mask = netutils.get_net_and_mask(rule.cidr)
                rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \
                            (rule.protocol, net, mask)
            if rule.protocol in ['tcp', 'udp']:
                rule_xml += "dstportstart='%s' dstportend='%s' " % \
                            (rule.from_port, rule.to_port)
            elif rule.protocol == 'icmp':
                LOG.info(
                    'rule.protocol: %r, rule.from_port: %r, '
                    'rule.to_port: %r', rule.protocol, rule.from_port,
                    rule.to_port)
                if rule.from_port != -1:
                    rule_xml += "type='%s' " % rule.from_port
                if rule.to_port != -1:
                    rule_xml += "code='%s' " % rule.to_port

                rule_xml += '/>\n'
            rule_xml += "</rule>\n"
        xml = "<filter name='nova-provider-rules' "
        if (FLAGS.use_ipv6):
            xml += "chain='root'>%s</filter>" % rule_xml
        else:
            xml += "chain='ipv4'>%s</filter>" % rule_xml
        return xml
Example #7
0
    def provider_fw_to_nwfilter_xml(self):
        """Compose a filter of drop rules from specified cidrs."""
        rule_xml = ""
        v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'}
        rules = db.provider_fw_rule_get_all(context.get_admin_context())
        for rule in rules:
            rule_xml += "<rule action='block' direction='in' priority='150'>"
            version = netutils.get_ip_version(rule.cidr)
            if(FLAGS.use_ipv6 and version == 6):
                net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr)
                rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \
                            (v6protocol[rule.protocol], net, prefixlen)
            else:
                net, mask = netutils.get_net_and_mask(rule.cidr)
                rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \
                            (rule.protocol, net, mask)
            if rule.protocol in ['tcp', 'udp']:
                rule_xml += "dstportstart='%s' dstportend='%s' " % \
                            (rule.from_port, rule.to_port)
            elif rule.protocol == 'icmp':
                LOG.info('rule.protocol: %r, rule.from_port: %r, '
                         'rule.to_port: %r', rule.protocol,
                         rule.from_port, rule.to_port)
                if rule.from_port != -1:
                    rule_xml += "type='%s' " % rule.from_port
                if rule.to_port != -1:
                    rule_xml += "code='%s' " % rule.to_port

                rule_xml += '/>\n'
            rule_xml += "</rule>\n"
        xml = "<filter name='nova-provider-rules' "
        if(FLAGS.use_ipv6):
            xml += "chain='root'>%s</filter>" % rule_xml
        else:
            xml += "chain='ipv4'>%s</filter>" % rule_xml
        return xml
Example #8
0
    def security_group_to_nwfilter_xml(self, security_group_id):
        security_group = db.security_group_get(context.get_admin_context(), security_group_id)
        rule_xml = ""
        v6protocol = {"tcp": "tcp-ipv6", "udp": "udp-ipv6", "icmp": "icmpv6"}
        for rule in security_group.rules:
            rule_xml += "<rule action='accept' direction='in' priority='300'>"
            if rule.cidr:
                version = netutils.get_ip_version(rule.cidr)
                if FLAGS.use_ipv6 and version == 6:
                    net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr)
                    rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % (v6protocol[rule.protocol], net, prefixlen)
                else:
                    net, mask = netutils.get_net_and_mask(rule.cidr)
                    rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % (rule.protocol, net, mask)
                if rule.protocol in ["tcp", "udp"]:
                    rule_xml += "dstportstart='%s' dstportend='%s' " % (rule.from_port, rule.to_port)
                elif rule.protocol == "icmp":
                    LOG.info(
                        "rule.protocol: %r, rule.from_port: %r, " "rule.to_port: %r",
                        rule.protocol,
                        rule.from_port,
                        rule.to_port,
                    )
                    if rule.from_port != -1:
                        rule_xml += "type='%s' " % rule.from_port
                    if rule.to_port != -1:
                        rule_xml += "code='%s' " % rule.to_port

                rule_xml += "/>\n"
            rule_xml += "</rule>\n"
        xml = "<filter name='nova-secgroup-%s' " % security_group_id
        if FLAGS.use_ipv6:
            xml += "chain='root'>%s</filter>" % rule_xml
        else:
            xml += "chain='ipv4'>%s</filter>" % rule_xml
        return xml
Example #9
0
    def instance_rules(self, instance, network_info=None):
        if not network_info:
            network_info = netutils.get_network_info(instance)
        ctxt = context.get_admin_context()

        ipv4_rules = []
        ipv6_rules = []

        # Always drop invalid packets
        ipv4_rules += ['-m state --state ' 'INVALID -j DROP']
        ipv6_rules += ['-m state --state ' 'INVALID -j DROP']

        # Allow established connections
        ipv4_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
        ipv6_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']

        # Pass through provider-wide drops
        ipv4_rules += ['-j $provider']
        ipv6_rules += ['-j $provider']

        dhcp_servers = [info['gateway'] for (_n, info) in network_info]

        for dhcp_server in dhcp_servers:
            ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 '
                              '-j ACCEPT' % (dhcp_server,))

        #Allow project network traffic
        if FLAGS.allow_project_net_traffic:
            cidrs = [network['cidr'] for (network, _m) in network_info]
            for cidr in cidrs:
                ipv4_rules.append('-s %s -j ACCEPT' % (cidr,))

        # We wrap these in FLAGS.use_ipv6 because they might cause
        # a DB lookup. The other ones are just list operations, so
        # they're not worth the clutter.
        if FLAGS.use_ipv6:
            # Allow RA responses
            gateways_v6 = [mapping['gateway6'] for (_n, mapping) in
                           network_info]
            for gateway_v6 in gateways_v6:
                ipv6_rules.append(
                        '-s %s/128 -p icmpv6 -j ACCEPT' % (gateway_v6,))

            #Allow project network traffic
            if FLAGS.allow_project_net_traffic:
                cidrv6s = [network['cidr_v6'] for (network, _m) in
                           network_info]

                for cidrv6 in cidrv6s:
                    ipv6_rules.append('-s %s -j ACCEPT' % (cidrv6,))

        security_groups = db.security_group_get_by_instance(ctxt,
                                                            instance['id'])

        # then, security group chains and rules
        for security_group in security_groups:
            rules = db.security_group_rule_get_by_security_group(ctxt,
                                                          security_group['id'])

            for rule in rules:
                LOG.debug(_('Adding security group rule: %r'), rule)

                if not rule.cidr:
                    # Eventually, a mechanism to grant access for security
                    # groups will turn up here. It'll use ipsets.
                    continue

                version = netutils.get_ip_version(rule.cidr)
                if version == 4:
                    fw_rules = ipv4_rules
                else:
                    fw_rules = ipv6_rules

                protocol = rule.protocol
                if version == 6 and rule.protocol == 'icmp':
                    protocol = 'icmpv6'

                args = ['-p', protocol, '-s', rule.cidr]

                if rule.protocol in ['udp', 'tcp']:
                    if rule.from_port == rule.to_port:
                        args += ['--dport', '%s' % (rule.from_port,)]
                    else:
                        args += ['-m', 'multiport',
                                 '--dports', '%s:%s' % (rule.from_port,
                                                        rule.to_port)]
                elif rule.protocol == 'icmp':
                    icmp_type = rule.from_port
                    icmp_code = rule.to_port

                    if icmp_type == -1:
                        icmp_type_arg = None
                    else:
                        icmp_type_arg = '%s' % icmp_type
                        if not icmp_code == -1:
                            icmp_type_arg += '/%s' % icmp_code

                    if icmp_type_arg:
                        if version == 4:
                            args += ['-m', 'icmp', '--icmp-type',
                                     icmp_type_arg]
                        elif version == 6:
                            args += ['-m', 'icmp6', '--icmpv6-type',
                                     icmp_type_arg]

                args += ['-j ACCEPT']
                fw_rules += [' '.join(args)]

        ipv4_rules += ['-j $sg-fallback']
        ipv6_rules += ['-j $sg-fallback']

        return ipv4_rules, ipv6_rules
Example #10
0
    def instance_rules(self, instance, network_info):
        ctxt = context.get_admin_context()

        ipv4_rules = []
        ipv6_rules = []

        # Always drop invalid packets
        ipv4_rules += ['-m state --state ' 'INVALID -j DROP']
        ipv6_rules += ['-m state --state ' 'INVALID -j DROP']

        # Allow established connections
        ipv4_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
        ipv6_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']

        # Pass through provider-wide drops
        ipv4_rules += ['-j $provider']
        ipv6_rules += ['-j $provider']

        dhcp_servers = [info['dhcp_server'] for (_n, info) in network_info]

        for dhcp_server in dhcp_servers:
            ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 '
                              '-j ACCEPT' % (dhcp_server, ))

        #Allow project network traffic
        if FLAGS.allow_same_net_traffic:
            cidrs = [network['cidr'] for (network, _m) in network_info]
            for cidr in cidrs:
                ipv4_rules.append('-s %s -j ACCEPT' % (cidr, ))

        # We wrap these in FLAGS.use_ipv6 because they might cause
        # a DB lookup. The other ones are just list operations, so
        # they're not worth the clutter.
        if FLAGS.use_ipv6:
            # Allow RA responses
            gateways_v6 = [
                mapping['gateway6'] for (_n, mapping) in network_info
            ]
            for gateway_v6 in gateways_v6:
                ipv6_rules.append('-s %s/128 -p icmpv6 -j ACCEPT' %
                                  (gateway_v6, ))

            #Allow project network traffic
            if FLAGS.allow_same_net_traffic:
                cidrv6s = [
                    network['cidr_v6'] for (network, _m) in network_info
                ]

                for cidrv6 in cidrv6s:
                    ipv6_rules.append('-s %s -j ACCEPT' % (cidrv6, ))

        security_groups = db.security_group_get_by_instance(
            ctxt, instance['id'])

        # then, security group chains and rules
        for security_group in security_groups:
            rules = db.security_group_rule_get_by_security_group(
                ctxt, security_group['id'])

            for rule in rules:
                LOG.debug(_('Adding security group rule: %r'), rule)

                if not rule.cidr:
                    version = 4
                else:
                    version = netutils.get_ip_version(rule.cidr)

                if version == 4:
                    fw_rules = ipv4_rules
                else:
                    fw_rules = ipv6_rules

                protocol = rule.protocol
                if version == 6 and rule.protocol == 'icmp':
                    protocol = 'icmpv6'

                args = ['-j ACCEPT']
                if protocol:
                    args += ['-p', protocol]

                if protocol in ['udp', 'tcp']:
                    if rule.from_port == rule.to_port:
                        args += ['--dport', '%s' % (rule.from_port, )]
                    else:
                        args += [
                            '-m', 'multiport', '--dports',
                            '%s:%s' % (rule.from_port, rule.to_port)
                        ]
                elif protocol == 'icmp':
                    icmp_type = rule.from_port
                    icmp_code = rule.to_port

                    if icmp_type == -1:
                        icmp_type_arg = None
                    else:
                        icmp_type_arg = '%s' % icmp_type
                        if not icmp_code == -1:
                            icmp_type_arg += '/%s' % icmp_code

                    if icmp_type_arg:
                        if version == 4:
                            args += [
                                '-m', 'icmp', '--icmp-type', icmp_type_arg
                            ]
                        elif version == 6:
                            args += [
                                '-m', 'icmp6', '--icmpv6-type', icmp_type_arg
                            ]

                if rule.cidr:
                    LOG.info('Using cidr %r', rule.cidr)
                    args += ['-s', rule.cidr]
                    fw_rules += [' '.join(args)]
                else:
                    if rule['grantee_group']:
                        for instance in rule['grantee_group']['instances']:
                            LOG.info('instance: %r', instance)
                            ips = db.instance_get_fixed_addresses(
                                ctxt, instance['id'])
                            LOG.info('ips: %r', ips)
                            for ip in ips:
                                subrule = args + ['-s %s' % ip]
                                fw_rules += [' '.join(subrule)]

                LOG.info('Using fw_rules: %r', fw_rules)
        ipv4_rules += ['-j $sg-fallback']
        ipv6_rules += ['-j $sg-fallback']

        return ipv4_rules, ipv6_rules
Example #11
0
    def instance_rules(self, instance, network_info=None):
        if not network_info:
            network_info = netutils.get_network_info(instance)
        ctxt = context.get_admin_context()

        ipv4_rules = []
        ipv6_rules = []

        # Always drop invalid packets
        ipv4_rules += ["-m state --state " "INVALID -j DROP"]
        ipv6_rules += ["-m state --state " "INVALID -j DROP"]

        # Allow established connections
        ipv4_rules += ["-m state --state ESTABLISHED,RELATED -j ACCEPT"]
        ipv6_rules += ["-m state --state ESTABLISHED,RELATED -j ACCEPT"]

        # Pass through provider-wide drops
        ipv4_rules += ["-j $provider"]
        ipv6_rules += ["-j $provider"]

        dhcp_servers = [info["gateway"] for (_n, info) in network_info]

        for dhcp_server in dhcp_servers:
            ipv4_rules.append("-s %s -p udp --sport 67 --dport 68 " "-j ACCEPT" % (dhcp_server,))

        # Allow project network traffic
        if FLAGS.allow_project_net_traffic:
            cidrs = [network["cidr"] for (network, _m) in network_info]
            for cidr in cidrs:
                ipv4_rules.append("-s %s -j ACCEPT" % (cidr,))

        # We wrap these in FLAGS.use_ipv6 because they might cause
        # a DB lookup. The other ones are just list operations, so
        # they're not worth the clutter.
        if FLAGS.use_ipv6:
            # Allow RA responses
            gateways_v6 = [mapping["gateway6"] for (_n, mapping) in network_info]
            for gateway_v6 in gateways_v6:
                ipv6_rules.append("-s %s/128 -p icmpv6 -j ACCEPT" % (gateway_v6,))

            # Allow project network traffic
            if FLAGS.allow_project_net_traffic:
                cidrv6s = [network["cidr_v6"] for (network, _m) in network_info]

                for cidrv6 in cidrv6s:
                    ipv6_rules.append("-s %s -j ACCEPT" % (cidrv6,))

        security_groups = db.security_group_get_by_instance(ctxt, instance["id"])

        # then, security group chains and rules
        for security_group in security_groups:
            rules = db.security_group_rule_get_by_security_group(ctxt, security_group["id"])

            for rule in rules:
                LOG.debug(_("Adding security group rule: %r"), rule)

                if not rule.cidr:
                    # Eventually, a mechanism to grant access for security
                    # groups will turn up here. It'll use ipsets.
                    continue

                version = netutils.get_ip_version(rule.cidr)
                if version == 4:
                    fw_rules = ipv4_rules
                else:
                    fw_rules = ipv6_rules

                protocol = rule.protocol
                if version == 6 and rule.protocol == "icmp":
                    protocol = "icmpv6"

                args = ["-p", protocol, "-s", rule.cidr]

                if rule.protocol in ["udp", "tcp"]:
                    if rule.from_port == rule.to_port:
                        args += ["--dport", "%s" % (rule.from_port,)]
                    else:
                        args += ["-m", "multiport", "--dports", "%s:%s" % (rule.from_port, rule.to_port)]
                elif rule.protocol == "icmp":
                    icmp_type = rule.from_port
                    icmp_code = rule.to_port

                    if icmp_type == -1:
                        icmp_type_arg = None
                    else:
                        icmp_type_arg = "%s" % icmp_type
                        if not icmp_code == -1:
                            icmp_type_arg += "/%s" % icmp_code

                    if icmp_type_arg:
                        if version == 4:
                            args += ["-m", "icmp", "--icmp-type", icmp_type_arg]
                        elif version == 6:
                            args += ["-m", "icmp6", "--icmpv6-type", icmp_type_arg]

                args += ["-j ACCEPT"]
                fw_rules += [" ".join(args)]

        ipv4_rules += ["-j $sg-fallback"]
        ipv6_rules += ["-j $sg-fallback"]

        return ipv4_rules, ipv6_rules