def _provider_rules(self): """Generate a list of rules from provider for IP4 & IP6. Note: We could not use the common code from virt.firewall because XS doesn't accept the '-m multiport' option. """ ctxt = context.get_admin_context() ipv4_rules = [] ipv6_rules = [] rules = self._virtapi.provider_fw_rule_get_all(ctxt) for rule in rules: LOG.debug('Adding provider rule: %s', rule['cidr']) version = netutils.get_ip_version(rule['cidr']) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule['protocol'] if version == 6 and protocol == 'icmp': protocol = 'icmpv6' args = ['-p', protocol, '-s', rule['cidr']] if protocol in ['udp', 'tcp']: if rule['from_port'] == rule['to_port']: args += ['--dport', '%s' % (rule['from_port'],)] else: args += ['--dport', '%s:%s' % (rule['from_port'], rule['to_port'])] elif protocol == 'icmp': icmp_type = rule['from_port'] icmp_code = rule['to_port'] if icmp_type == -1: icmp_type_arg = None else: icmp_type_arg = '%s' % icmp_type if not icmp_code == -1: icmp_type_arg += '/%s' % icmp_code if icmp_type_arg: if version == 4: args += ['-m', 'icmp', '--icmp-type', icmp_type_arg] elif version == 6: args += ['-m', 'icmp6', '--icmpv6-type', icmp_type_arg] args += ['-j DROP'] fw_rules += [' '.join(args)] return ipv4_rules, ipv6_rules
def _provider_rules(self): """Generate a list of rules from provider for IP4 & IP6. Note: We could not use the common code from virt.firewall because XS doesn't accept the '-m multiport' option. """ ctxt = context.get_admin_context() ipv4_rules = [] ipv6_rules = [] rules = self._virtapi.provider_fw_rule_get_all(ctxt) for rule in rules: LOG.debug(_("Adding provider rule: %s"), rule["cidr"]) version = netutils.get_ip_version(rule["cidr"]) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule["protocol"] if version == 6 and protocol == "icmp": protocol = "icmpv6" args = ["-p", protocol, "-s", rule["cidr"]] if protocol in ["udp", "tcp"]: if rule["from_port"] == rule["to_port"]: args += ["--dport", "%s" % (rule["from_port"],)] else: args += ["--dport", "%s:%s" % (rule["from_port"], rule["to_port"])] elif protocol == "icmp": icmp_type = rule["from_port"] icmp_code = rule["to_port"] if icmp_type == -1: icmp_type_arg = None else: icmp_type_arg = "%s" % icmp_type if not icmp_code == -1: icmp_type_arg += "/%s" % icmp_code if icmp_type_arg: if version == 4: args += ["-m", "icmp", "--icmp-type", icmp_type_arg] elif version == 6: args += ["-m", "icmp6", "--icmpv6-type", icmp_type_arg] args += ["-j DROP"] fw_rules += [" ".join(args)] return ipv4_rules, ipv6_rules
def _provider_rules(): """Generate a list of rules from provider for IP4 & IP6.""" ctxt = context.get_admin_context() ipv4_rules = [] ipv6_rules = [] rules = db.provider_fw_rule_get_all(ctxt) for rule in rules: LOG.debug(_('Adding provider rule: %s'), rule['cidr']) version = netutils.get_ip_version(rule['cidr']) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule['protocol'] if version == 6 and protocol == 'icmp': protocol = 'icmpv6' args = ['-p', protocol, '-s', rule['cidr']] if protocol in ['udp', 'tcp']: if rule['from_port'] == rule['to_port']: args += ['--dport', '%s' % (rule['from_port'],)] else: args += ['-m', 'multiport', '--dports', '%s:%s' % (rule['from_port'], rule['to_port'])] elif protocol == 'icmp': icmp_type = rule['from_port'] icmp_code = rule['to_port'] if icmp_type == -1: icmp_type_arg = None else: icmp_type_arg = '%s' % icmp_type if not icmp_code == -1: icmp_type_arg += '/%s' % icmp_code if icmp_type_arg: if version == 4: args += ['-m', 'icmp', '--icmp-type', icmp_type_arg] elif version == 6: args += ['-m', 'icmp6', '--icmpv6-type', icmp_type_arg] args += ['-j DROP'] fw_rules += [' '.join(args)] return ipv4_rules, ipv6_rules
def security_group_to_nwfilter_xml(security_group_id): security_group = db.security_group_get(context.get_admin_context(), security_group_id) rule_xml = "" v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'} for rule in security_group.rules: rule_xml += "<rule action='accept' direction='in' priority='300'>" if rule.cidr: version = netutils.get_ip_version(rule.cidr) if(FLAGS.use_ipv6 and version == 6): net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (v6protocol[rule.protocol], net, prefixlen) else: net, mask = netutils.get_net_and_mask(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (rule.protocol, net, mask) if rule.protocol in ['tcp', 'udp']: rule_xml += "dstportstart='%s' dstportend='%s' " % \ (rule.from_port, rule.to_port) elif rule.protocol == 'icmp': LOG.info('rule.protocol: %r, rule.from_port: %r, ' 'rule.to_port: %r', rule.protocol, rule.from_port, rule.to_port) if rule.from_port != -1: rule_xml += "type='%s' " % rule.from_port if rule.to_port != -1: rule_xml += "code='%s' " % rule.to_port rule_xml += '/>\n' rule_xml += "</rule>\n" xml = "<filter name='nova-secgroup-%s' " % security_group_id if(FLAGS.use_ipv6): xml += "chain='root'>%s</filter>" % rule_xml else: xml += "chain='ipv4'>%s</filter>" % rule_xml return xml
def provider_fw_to_nwfilter_xml(): """Compose a filter of drop rules from specified cidrs.""" rule_xml = "" v6protocol = {'tcp': 'tcp-ipv6', 'udp': 'udp-ipv6', 'icmp': 'icmpv6'} rules = db.provider_fw_rule_get_all(context.get_admin_context()) for rule in rules: rule_xml += "<rule action='block' direction='in' priority='150'>" version = netutils.get_ip_version(rule.cidr) if(FLAGS.use_ipv6 and version == 6): net, prefixlen = netutils.get_net_and_prefixlen(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (v6protocol[rule.protocol], net, prefixlen) else: net, mask = netutils.get_net_and_mask(rule.cidr) rule_xml += "<%s srcipaddr='%s' srcipmask='%s' " % \ (rule.protocol, net, mask) if rule.protocol in ['tcp', 'udp']: rule_xml += "dstportstart='%s' dstportend='%s' " % \ (rule.from_port, rule.to_port) elif rule.protocol == 'icmp': LOG.info('rule.protocol: %r, rule.from_port: %r, ' 'rule.to_port: %r', rule.protocol, rule.from_port, rule.to_port) if rule.from_port != -1: rule_xml += "type='%s' " % rule.from_port if rule.to_port != -1: rule_xml += "code='%s' " % rule.to_port rule_xml += '/>\n' rule_xml += "</rule>\n" xml = "<filter name='nova-provider-rules' " if(FLAGS.use_ipv6): xml += "chain='root'>%s</filter>" % rule_xml else: xml += "chain='ipv4'>%s</filter>" % rule_xml return xml
def instance_rules(self, instance, network_info): # make sure this is legacy nw_info network_info = self._handle_network_info_model(network_info) ctxt = context.get_admin_context() ipv4_rules = [] ipv6_rules = [] # Initialize with basic rules self._do_basic_rules(ipv4_rules, ipv6_rules, network_info) # Set up rules to allow traffic to/from DHCP server self._do_dhcp_rules(ipv4_rules, network_info) #Allow project network traffic if CONF.allow_same_net_traffic: self._do_project_network_rules(ipv4_rules, ipv6_rules, network_info) # We wrap these in CONF.use_ipv6 because they might cause # a DB lookup. The other ones are just list operations, so # they're not worth the clutter. if CONF.use_ipv6: # Allow RA responses self._do_ra_rules(ipv6_rules, network_info) security_groups = self._virtapi.security_group_get_by_instance( ctxt, instance['id']) # then, security group chains and rules for security_group in security_groups: rules = self._virtapi.security_group_rule_get_by_security_group( ctxt, security_group['id']) for rule in rules: LOG.debug(_('Adding security group rule: %r'), rule, instance=instance) if not rule.cidr: version = 4 else: version = netutils.get_ip_version(rule.cidr) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule.protocol if protocol: protocol = rule.protocol.lower() if version == 6 and protocol == 'icmp': protocol = 'icmpv6' args = ['-j ACCEPT'] if protocol: args += ['-p', protocol] if protocol in ['udp', 'tcp']: args += self._build_tcp_udp_rule(rule, version) elif protocol == 'icmp': args += self._build_icmp_rule(rule, version) if rule.cidr: LOG.debug('Using cidr %r', rule.cidr, instance=instance) args += ['-s', rule.cidr] fw_rules += [' '.join(args)] else: if rule['grantee_group']: # FIXME(jkoelker) This needs to be ported up into # the compute manager which already # has access to a nw_api handle, # and should be the only one making # making rpc calls. nw_api = network.API() for instance in rule['grantee_group']['instances']: nw_info = nw_api.get_instance_nw_info(ctxt, instance) ips = [ip['address'] for ip in nw_info.fixed_ips() if ip['version'] == version] LOG.debug('ips: %r', ips, instance=instance) for ip in ips: subrule = args + ['-s %s' % ip] fw_rules += [' '.join(subrule)] LOG.debug('Using fw_rules: %r', fw_rules, instance=instance) ipv4_rules += ['-j $sg-fallback'] ipv6_rules += ['-j $sg-fallback'] return ipv4_rules, ipv6_rules
def instance_rules(self, instance, network_info): ctxt = context.get_admin_context() if isinstance(instance, dict): # NOTE(danms): allow old-world instance objects from # unconverted callers; all we need is instance.uuid below instance = objects.Instance._from_db_object( ctxt, objects.Instance(), instance, []) ipv4_rules = [] ipv6_rules = [] # Initialize with basic rules self._do_basic_rules(ipv4_rules, ipv6_rules, network_info) # Set up rules to allow traffic to/from DHCP server self._do_dhcp_rules(ipv4_rules, network_info) #Allow project network traffic if CONF.allow_same_net_traffic: self._do_project_network_rules(ipv4_rules, ipv6_rules, network_info) # We wrap these in CONF.use_ipv6 because they might cause # a DB lookup. The other ones are just list operations, so # they're not worth the clutter. if CONF.use_ipv6: # Allow RA responses self._do_ra_rules(ipv6_rules, network_info) security_groups = security_group_obj.SecurityGroupList.get_by_instance( ctxt, instance) # then, security group chains and rules for security_group in security_groups: rules_cls = security_group_rule_obj.SecurityGroupRuleList rules = rules_cls.get_by_security_group(ctxt, security_group) for rule in rules: if not rule['cidr']: version = 4 else: version = netutils.get_ip_version(rule['cidr']) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule['protocol'] if protocol: protocol = rule['protocol'].lower() if version == 6 and protocol == 'icmp': protocol = 'icmpv6' args = ['-j ACCEPT'] if protocol: args += ['-p', protocol] if protocol in ['udp', 'tcp']: args += self._build_tcp_udp_rule(rule, version) elif protocol == 'icmp': args += self._build_icmp_rule(rule, version) if rule['cidr']: args += ['-s', str(rule['cidr'])] fw_rules += [' '.join(args)] else: if rule['grantee_group']: insts = ( objects.InstanceList.get_by_security_group( ctxt, rule['grantee_group'])) for instance in insts: if instance['info_cache']['deleted']: LOG.debug('ignoring deleted cache') continue nw_info = compute_utils.get_nw_info_for_instance( instance) ips = [ip['address'] for ip in nw_info.fixed_ips() if ip['version'] == version] LOG.debug('ips: %r', ips, instance=instance) for ip in ips: subrule = args + ['-s %s' % ip] fw_rules += [' '.join(subrule)] ipv4_rules += ['-j $sg-fallback'] ipv6_rules += ['-j $sg-fallback'] LOG.debug('Security Groups %s translated to ipv4: %r, ipv6: %r', security_groups, ipv4_rules, ipv6_rules, instance=instance) return ipv4_rules, ipv6_rules
def instance_rules(self, instance, network_info): ctxt = context.get_admin_context() ipv4_rules = [] ipv6_rules = [] # Initialize with basic rules self._do_basic_rules(ipv4_rules, ipv6_rules, network_info) # Set up rules to allow traffic to/from DHCP server self._do_dhcp_rules(ipv4_rules, network_info) # Allow project network traffic if FLAGS.allow_same_net_traffic: self._do_project_network_rules(ipv4_rules, ipv6_rules, network_info) # We wrap these in FLAGS.use_ipv6 because they might cause # a DB lookup. The other ones are just list operations, so # they're not worth the clutter. if FLAGS.use_ipv6: # Allow RA responses self._do_ra_rules(ipv6_rules, network_info) security_groups = db.security_group_get_by_instance(ctxt, instance["id"]) # then, security group chains and rules for security_group in security_groups: rules = db.security_group_rule_get_by_security_group(ctxt, security_group["id"]) for rule in rules: LOG.debug(_("Adding security group rule: %r"), rule) if not rule.cidr: version = 4 else: version = netutils.get_ip_version(rule.cidr) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule.protocol if version == 6 and rule.protocol == "icmp": protocol = "icmpv6" args = ["-j ACCEPT"] if protocol: args += ["-p", protocol] if protocol in ["udp", "tcp"]: args += self._build_tcp_udp_rule(rule, version) elif protocol == "icmp": args += self._build_icmp_rule(rule, version) if rule.cidr: LOG.info("Using cidr %r", rule.cidr) args += ["-s", rule.cidr] fw_rules += [" ".join(args)] else: if rule["grantee_group"]: # FIXME(jkoelker) This needs to be ported up into # the compute manager which already # has access to a nw_api handle, # and should be the only one making # making rpc calls. import nova.network nw_api = nova.network.API() for instance in rule["grantee_group"]["instances"]: LOG.info("instance: %r", instance) ips = [] nw_info = nw_api.get_instance_nw_info(ctxt, instance) for net in nw_info: ips.extend(net[1]["ips"]) LOG.info("ips: %r", ips) for ip in ips: subrule = args + ["-s %s" % ip["ip"]] fw_rules += [" ".join(subrule)] LOG.info("Using fw_rules: %r", fw_rules) ipv4_rules += ["-j $sg-fallback"] ipv6_rules += ["-j $sg-fallback"] return ipv4_rules, ipv6_rules
def instance_rules(self, instance, network_info): ctxt = context.get_admin_context() ipv4_rules = [] ipv6_rules = [] # Initialize with basic rules self._do_basic_rules(ipv4_rules, ipv6_rules, network_info) # Set up rules to allow traffic to/from DHCP server self._do_dhcp_rules(ipv4_rules, network_info) #Allow project network traffic if CONF.allow_same_net_traffic: self._do_project_network_rules(ipv4_rules, ipv6_rules, network_info) # We wrap these in CONF.use_ipv6 because they might cause # a DB lookup. The other ones are just list operations, so # they're not worth the clutter. if CONF.use_ipv6: # Allow RA responses self._do_ra_rules(ipv6_rules, network_info) security_groups = self._virtapi.security_group_get_by_instance( ctxt, instance) # then, security group chains and rules for security_group in security_groups: rules = self._virtapi.security_group_rule_get_by_security_group( ctxt, security_group) for rule in rules: LOG.debug(_('Adding security group rule: %r'), rule, instance=instance) if not rule['cidr']: version = 4 else: version = netutils.get_ip_version(rule['cidr']) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule['protocol'] if protocol: protocol = rule['protocol'].lower() if version == 6 and protocol == 'icmp': protocol = 'icmpv6' args = ['-j ACCEPT'] if protocol: args += ['-p', protocol] if protocol in ['udp', 'tcp']: args += self._build_tcp_udp_rule(rule, version) elif protocol == 'icmp': args += self._build_icmp_rule(rule, version) if rule['cidr']: LOG.debug('Using cidr %r', rule['cidr'], instance=instance) args += ['-s', rule['cidr']] fw_rules += [' '.join(args)] else: if rule['grantee_group']: for instance in rule['grantee_group']['instances']: nw_info = compute_utils.get_nw_info_for_instance( instance) ips = [ip['address'] for ip in nw_info.fixed_ips() if ip['version'] == version] LOG.debug('ips: %r', ips, instance=instance) for ip in ips: subrule = args + ['-s %s' % ip] fw_rules += [' '.join(subrule)] LOG.debug('Using fw_rules: %r', fw_rules, instance=instance) ipv4_rules += ['-j $sg-fallback'] ipv6_rules += ['-j $sg-fallback'] return ipv4_rules, ipv6_rules
def instance_rules(self, instance, network_info): # make sure this is legacy nw_info network_info = self._handle_network_info_model(network_info) ctxt = context.get_admin_context() ipv4_rules = [] ipv6_rules = [] # Initialize with basic rules self._do_basic_rules(ipv4_rules, ipv6_rules, network_info) # Set up rules to allow traffic to/from DHCP server self._do_dhcp_rules(ipv4_rules, network_info) # NOTE: (stanzgy) insert intranet firewall rule here # # iptables -I nova-compute-inst-{inst-id} 4 # -m set --match-set {inst-set-name} src -j ACCEPT # # then drop all other packets not been NATed # # iptables -I nova-compute-inst-[inst-id] 5 -d fixed_range # -m conntrack ! --ctstate DNAT -j DROP if FLAGS.intranet_firewall_mode == 'tenant': setname = instance['project_id'][0:31] self._do_intranet_firewall_rules(ipv4_rules, ipv6_rules, setname) #Allow project network traffic if FLAGS.allow_same_net_traffic: self._do_project_network_rules(ipv4_rules, ipv6_rules, network_info) # We wrap these in FLAGS.use_ipv6 because they might cause # a DB lookup. The other ones are just list operations, so # they're not worth the clutter. if FLAGS.use_ipv6: # Allow RA responses self._do_ra_rules(ipv6_rules, network_info) # Allow IP encapsulated in IP packets? if FLAGS.allow_ipencap: self._do_ipencap_rules(ipv4_rules, ipv6_rules) security_groups = db.security_group_get_by_instance(ctxt, instance['id']) # then, security group chains and rules for security_group in security_groups: rules = db.security_group_rule_get_by_security_group(ctxt, security_group['id']) for rule in rules: LOG.debug(_('Adding security group rule: %r'), rule, instance=instance) if not rule.cidr: version = 4 else: version = netutils.get_ip_version(rule.cidr) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule.protocol if protocol: protocol = rule.protocol.lower() if version == 6 and protocol == 'icmp': protocol = 'icmpv6' args = ['-j ACCEPT'] if protocol: args += ['-p', protocol] if protocol in ['udp', 'tcp']: args += self._build_tcp_udp_rule(rule, version) elif protocol == 'icmp': args += self._build_icmp_rule(rule, version) if rule.cidr: LOG.debug('Using cidr %r', rule.cidr, instance=instance) args += ['-s', rule.cidr] fw_rules += [' '.join(args)] else: if rule['grantee_group']: # FIXME(jkoelker) This needs to be ported up into # the compute manager which already # has access to a nw_api handle, # and should be the only one making # making rpc calls. import nova.network nw_api = nova.network.API() for instance in rule['grantee_group']['instances']: nw_info = nw_api.get_instance_nw_info(ctxt, instance) ips = [ip['address'] for ip in nw_info.fixed_ips() if ip['version'] == version] LOG.debug('ips: %r', ips, instance=instance) for ip in ips: subrule = args + ['-s %s' % ip] fw_rules += [' '.join(subrule)] LOG.debug('Using fw_rules: %r', fw_rules, instance=instance) ipv4_rules += ['-j $sg-fallback'] ipv6_rules += ['-j $sg-fallback'] return ipv4_rules, ipv6_rules
def instance_rules(self, instance, network_info): ctxt = context.get_admin_context() if isinstance(instance, dict): # NOTE(danms): allow old-world instance objects from # unconverted callers; all we need is instance.uuid below instance = objects.Instance._from_db_object(ctxt, objects.Instance(), instance, []) ipv4_rules = [] ipv6_rules = [] # Initialize with basic rules self._do_basic_rules(ipv4_rules, ipv6_rules, network_info) # Set up rules to allow traffic to/from DHCP server self._do_dhcp_rules(ipv4_rules, network_info) # Allow project network traffic if CONF.allow_same_net_traffic: self._do_project_network_rules(ipv4_rules, ipv6_rules, network_info) # We wrap these in CONF.use_ipv6 because they might cause # a DB lookup. The other ones are just list operations, so # they're not worth the clutter. if CONF.use_ipv6: # Allow RA responses self._do_ra_rules(ipv6_rules, network_info) security_groups = security_group_obj.SecurityGroupList.get_by_instance(ctxt, instance) # then, security group chains and rules for security_group in security_groups: rules_cls = security_group_rule_obj.SecurityGroupRuleList rules = rules_cls.get_by_security_group(ctxt, security_group) for rule in rules: LOG.debug("Adding security group rule: %r", rule, instance=instance) if not rule["cidr"]: version = 4 else: version = netutils.get_ip_version(rule["cidr"]) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule["protocol"] if protocol: protocol = rule["protocol"].lower() if version == 6 and protocol == "icmp": protocol = "icmpv6" args = ["-j ACCEPT"] if protocol: args += ["-p", protocol] if protocol in ["udp", "tcp"]: args += self._build_tcp_udp_rule(rule, version) elif protocol == "icmp": args += self._build_icmp_rule(rule, version) if rule["cidr"]: LOG.debug("Using cidr %r", rule["cidr"], instance=instance) args += ["-s", str(rule["cidr"])] fw_rules += [" ".join(args)] else: if rule["grantee_group"]: insts = objects.InstanceList.get_by_security_group(ctxt, rule["grantee_group"]) for instance in insts: if instance["info_cache"]["deleted"]: LOG.debug("ignoring deleted cache") continue nw_info = compute_utils.get_nw_info_for_instance(instance) ips = [ip["address"] for ip in nw_info.fixed_ips() if ip["version"] == version] LOG.debug("ips: %r", ips, instance=instance) for ip in ips: subrule = args + ["-s %s" % ip] fw_rules += [" ".join(subrule)] LOG.debug("Using fw_rules: %r", fw_rules, instance=instance) ipv4_rules += ["-j $sg-fallback"] ipv6_rules += ["-j $sg-fallback"] return ipv4_rules, ipv6_rules
def instance_rules(self, instance, network_info): ctxt = context.get_admin_context() ipv4_rules = [] ipv6_rules = [] # Initialize with basic rules self._do_basic_rules(ipv4_rules, ipv6_rules, network_info) # Set up rules to allow traffic to/from DHCP server self._do_dhcp_rules(ipv4_rules, network_info) #Allow project network traffic if CONF.allow_same_net_traffic: self._do_project_network_rules(ipv4_rules, ipv6_rules, network_info) # We wrap these in CONF.use_ipv6 because they might cause # a DB lookup. The other ones are just list operations, so # they're not worth the clutter. if CONF.use_ipv6: # Allow RA responses self._do_ra_rules(ipv6_rules, network_info) security_groups = self._virtapi.security_group_get_by_instance( ctxt, instance) # then, security group chains and rules for security_group in security_groups: rules = self._virtapi.security_group_rule_get_by_security_group( ctxt, security_group) for rule in rules: LOG.debug(_('Adding security group rule: %r'), rule, instance=instance) if not rule['cidr']: version = 4 else: version = netutils.get_ip_version(rule['cidr']) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule['protocol'] if protocol: protocol = rule['protocol'].lower() if version == 6 and protocol == 'icmp': protocol = 'icmpv6' args = ['-j ACCEPT'] if protocol: args += ['-p', protocol] if protocol in ['udp', 'tcp']: args += self._build_tcp_udp_rule(rule, version) elif protocol == 'icmp': args += self._build_icmp_rule(rule, version) if rule['cidr']: LOG.debug('Using cidr %r', rule['cidr'], instance=instance) args += ['-s', rule['cidr']] fw_rules += [' '.join(args)] else: if rule['grantee_group']: for instance in rule['grantee_group']['instances']: nw_info = compute_utils.get_nw_info_for_instance( instance) ips = [ ip['address'] for ip in nw_info.fixed_ips() if ip['version'] == version ] LOG.debug('ips: %r', ips, instance=instance) for ip in ips: subrule = args + ['-s %s' % ip] fw_rules += [' '.join(subrule)] LOG.debug('Using fw_rules: %r', fw_rules, instance=instance) ipv4_rules += ['-j $sg-fallback'] ipv6_rules += ['-j $sg-fallback'] return ipv4_rules, ipv6_rules