def _ensure_common_chain():
    """Ensure the PAASTA-COMMON chain holds the rules every service shares.

    The chain grants all services: return traffic on connections conntrack
    already tracks as ESTABLISHED, three port allowances built by
    ``_yocalhost_rule`` (scribed, metrics-relay, sensu), and a jump into
    PAASTA-DNS for resolver access. Reconciling the live chain against this
    desired tuple is delegated to ``iptables.ensure_chain``.
    """
    # Return traffic for connections conntrack already knows about.
    # NOTE(review): only ESTABLISHED is matched, not RELATED, so e.g. ICMP
    # errors associated with a flow are not covered here — confirm intended.
    established_rule = iptables.Rule(
        protocol="ip",
        src="0.0.0.0/0.0.0.0",
        dst="0.0.0.0/0.0.0.0",
        target="ACCEPT",
        matches=(("conntrack", (("ctstate", ("ESTABLISHED",)),)),),
        target_parameters=(),
    )
    # Per-port allowances to local infrastructure endpoints ("yocalhost" is
    # presumably a host-local address; see _yocalhost_rule for the matcher).
    yocalhost_rules = (
        _yocalhost_rule(1463, "scribed"),
        _yocalhost_rule(8125, "metrics-relay", protocol="udp"),
        _yocalhost_rule(3030, "sensu"),
    )
    # Hand DNS off to its own chain instead of inlining per-resolver rules.
    dns_jump = iptables.Rule(
        protocol="ip",
        src="0.0.0.0/0.0.0.0",
        dst="0.0.0.0/0.0.0.0",
        target="PAASTA-DNS",
        matches=(),
        target_parameters=(),
    )
    iptables.ensure_chain(
        "PAASTA-COMMON",
        (established_rule,) + yocalhost_rules + (dns_jump,),
    )
def test_ensure_chain():
    """ensure_chain converges an existing chain on exactly the desired rules.

    The chain starts with a DROP rule and an ACCEPT for 1.0.0.0/24; the
    desired state keeps the DROP but wants ACCEPT for 2.0.0.0/24 instead.
    The expected reconciliation is one insert and one delete.

    NOTE: list_chain is stubbed to return a *set*, so this test pins the
    membership contract only; where the inserted rule lands within the chain
    is not asserted here.
    """
    present = {
        EMPTY_RULE._replace(target='DROP'),
        EMPTY_RULE._replace(target='ACCEPT', src='1.0.0.0/255.255.255.0'),
    }
    stale_accept = EMPTY_RULE._replace(target='ACCEPT', src='1.0.0.0/255.255.255.0')
    wanted_accept = EMPTY_RULE._replace(target='ACCEPT', src='2.0.0.0/255.255.255.0')

    with mock.patch.object(iptables, 'list_chain', autospec=True, return_value=present):
        with mock.patch.object(iptables, 'insert_rule', autospec=True) as insert_rule:
            with mock.patch.object(iptables, 'delete_rules', autospec=True) as delete_rules:
                iptables.ensure_chain(
                    'PAASTA.service',
                    (EMPTY_RULE._replace(target='DROP'), wanted_accept),
                )

    # The rule absent from the chain is inserted exactly once ...
    assert insert_rule.mock_calls == [mock.call('PAASTA.service', wanted_accept)]
    # ... and the rule no longer wanted goes in a single delete_rules call.
    assert delete_rules.mock_calls == [mock.call('PAASTA.service', {stale_accept})]
def _ensure_common_chain():
    """Ensure the PAASTA-COMMON chain holds the rules every service shares.

    Rules, in the order handed to ``iptables.ensure_chain``: ACCEPT for
    conntrack ESTABLISHED traffic, three ``_yocalhost_rule`` port allowances
    (scribed 1463/tcp, metrics-relay 8125/udp, sensu 3030/tcp) and a jump to
    the PAASTA-DNS chain.
    """
    def _any_to_any(target, matches=()):
        # Helper for the two all-addresses rules; only target/matches vary.
        return iptables.Rule(
            protocol='ip',
            src='0.0.0.0/0.0.0.0',
            dst='0.0.0.0/0.0.0.0',
            target=target,
            matches=matches,
            target_parameters=(),
        )

    rules = [
        # Return traffic for tracked connections. NOTE(review): RELATED is
        # not included, so ICMP errors tied to a flow are not matched here —
        # confirm that is intended.
        _any_to_any('ACCEPT', matches=(('conntrack', (('ctstate', ('ESTABLISHED',)),)),)),
        _yocalhost_rule(1463, 'scribed'),
        _yocalhost_rule(8125, 'metrics-relay', protocol='udp'),
        _yocalhost_rule(3030, 'sensu'),
        # Resolver access lives in its own chain.
        _any_to_any('PAASTA-DNS'),
    ]
    iptables.ensure_chain('PAASTA-COMMON', tuple(rules))
def _ensure_internet_chain():
    """Ensure PAASTA-INTERNET permits traffic to anything except private ranges.

    The chain is a blanket ACCEPT plus one RETURN rule per range in
    OUTBOUND_PRIVATE_IP_RANGES. A packet destined for a private range RETURNs
    to the calling chain (so the per-service rules there decide its fate)
    instead of being accepted outright.

    NOTE(review): in iptables the first terminating match wins, so this chain
    only does its job if the RETURN rules are evaluated *before* the blanket
    ACCEPT. The desired tuple lists the ACCEPT first; the resulting in-chain
    order therefore depends on how ``iptables.ensure_chain`` / ``insert_rule``
    place rules, which is not visible here — confirm that ordering is
    guaranteed and covered by a test.
    """
    accept_everything = iptables.Rule(
        protocol="ip",
        src="0.0.0.0/0.0.0.0",
        dst="0.0.0.0/0.0.0.0",
        target="ACCEPT",
        matches=(),
        target_parameters=(),
    )
    # One RETURN per private range, in the order the constant lists them.
    private_returns = [
        iptables.Rule(
            protocol="ip",
            src="0.0.0.0/0.0.0.0",
            dst=ip_range,
            target="RETURN",
            matches=(),
            target_parameters=(),
        )
        for ip_range in OUTBOUND_PRIVATE_IP_RANGES
    ]
    iptables.ensure_chain("PAASTA-INTERNET", (accept_everything, *private_returns))
def _ensure_dns_chain():
    """Ensure PAASTA-DNS accepts DNS (port 53, UDP and TCP) to each resolver.

    One UDP and one TCP rule is emitted per address from ``_dns_servers()``,
    each pinned to that single host (/255.255.255.255 mask). Only port 53 is
    accepted; this chain permits nothing else towards the resolvers.

    Security note: any service may send arbitrary queries to the resolvers,
    so this chain does not constrain DNS-based exfiltration — that would
    need policy on the resolver side, not in iptables.
    """
    def _port53_rules(server):
        # Single-host mask so only the resolver itself is reachable.
        host = f"{server}/255.255.255.255"
        # UDP is the common case; TCP is needed when UDP answers are truncated.
        for proto in ("udp", "tcp"):
            yield iptables.Rule(
                protocol=proto,
                src="0.0.0.0/0.0.0.0",
                dst=host,
                target="ACCEPT",
                matches=((proto, (("dport", ("53",)),)),),
                target_parameters=(),
            )

    rules = tuple(
        rule
        for server in _dns_servers()
        for rule in _port53_rules(server)
    )
    iptables.ensure_chain("PAASTA-DNS", rules)
def test_ensure_chain_creates_chain_if_doesnt_exist():
    """A missing chain is created rather than treated as an error.

    list_chain is stubbed to raise ChainDoesNotExist; ensure_chain must
    respond by calling create_chain for that chain name exactly once.
    NOTE: list_chain is patched without autospec here (create_chain is), so
    the stub does not check the call signature — harmless for this case.
    """
    missing = iptables.ChainDoesNotExist("PAASTA.service")
    with mock.patch.object(iptables, "list_chain", side_effect=missing):
        with mock.patch.object(iptables, "create_chain", autospec=True) as create_chain:
            iptables.ensure_chain("PAASTA.service", ())
    assert create_chain.mock_calls == [mock.call("PAASTA.service")]
def test_ensure_chain_creates_chain_if_doesnt_exist():
    """ensure_chain creates the chain when list_chain reports it missing.

    With list_chain raising ChainDoesNotExist and an empty desired rule set,
    the only expected side effect is a single create_chain call.
    """
    chain = 'PAASTA.service'
    list_chain_patch = mock.patch.object(
        iptables,
        'list_chain',
        side_effect=iptables.ChainDoesNotExist(chain),
    )
    create_chain_patch = mock.patch.object(iptables, 'create_chain', autospec=True)

    with list_chain_patch, create_chain_patch as create_chain:
        iptables.ensure_chain(chain, ())
        # Exactly one creation, for exactly this chain.
        assert create_chain.mock_calls == [mock.call(chain)]
def ensure_internet_chain():
    """Ensure PAASTA-INTERNET accepts everything except PRIVATE_IP_RANGES.

    The chain is a blanket ACCEPT followed (in the desired tuple) by one
    RETURN rule per private range, so packets to private space fall back to
    the calling chain rather than being accepted here.

    NOTE(review): this is only effective if the RETURN rules sit above the
    blanket ACCEPT once installed (first terminating match wins in iptables).
    The tuple lists the ACCEPT first, so the installed order depends on
    ``iptables.ensure_chain`` — not visible here; confirm it is guaranteed.
    """
    def _rule(dst, target):
        return iptables.Rule(
            protocol='ip',
            src='0.0.0.0/0.0.0.0',
            dst=dst,
            target=target,
            matches=(),
        )

    rules = [_rule('0.0.0.0/0.0.0.0', 'ACCEPT')]
    rules.extend(_rule(cidr, 'RETURN') for cidr in PRIVATE_IP_RANGES)
    iptables.ensure_chain('PAASTA-INTERNET', tuple(rules))
def ensure_dispatch_chains(service_chains):
    """Ensure the top-level PAASTA chain dispatches into each service chain.

    Args:
        service_chains: mapping of service chain name -> iterable of MAC
            addresses; ``dispatch_rule(chain, mac)`` yields one rule per
            (chain, mac) pair.

    The PAASTA chain is reconciled to exactly that rule set, and a jump to it
    is ensured in both INPUT and FORWARD.

    NOTE(review): the rule set is built as a ``set``, so rule order within
    PAASTA is unspecified; that is only safe if dispatch rules are mutually
    exclusive (each MAC maps to one chain) — confirm. OUTPUT is not hooked,
    so traffic originating on the host itself is never dispatched;
    presumably intentional since MAC matching is only usable on inbound
    hooks. If dispatch keys on the source MAC, note that a workload holding
    CAP_NET_ADMIN/NET_RAW can forge it — this scheme assumes containers are
    not granted those capabilities.
    """
    dispatch_rules = {
        dispatch_rule(chain, mac)
        for chain, macs in service_chains.items()
        for mac in macs
    }
    iptables.ensure_chain('PAASTA', dispatch_rules)

    jump_to_paasta = iptables.Rule(
        protocol='ip',
        src='0.0.0.0/0.0.0.0',
        dst='0.0.0.0/0.0.0.0',
        target='PAASTA',
        matches=(),
        target_parameters=(),
    )
    # Hook the dispatcher into both inbound built-in chains.
    for builtin_chain in ('INPUT', 'FORWARD'):
        iptables.ensure_rule(builtin_chain, jump_to_paasta)
def ensure_dispatch_chains(service_chains):
    """Build the PAASTA dispatch chain and hook it into INPUT and FORWARD.

    Args:
        service_chains: mapping of service chain name -> iterable of MACs.
            Every (chain, mac) pair becomes one ``dispatch_rule``.

    NOTE(review): rules are collected into a ``set``, so their order inside
    PAASTA is not defined — acceptable only if dispatch rules never overlap
    (one MAC, one chain); confirm. OUTPUT is deliberately (presumably) not
    hooked: MAC-based matching is only usable on inbound hooks, which also
    means host-originated traffic bypasses dispatch entirely.
    """
    all_rules = set()
    for chain, macs in service_chains.items():
        all_rules.update(dispatch_rule(chain, mac) for mac in macs)
    iptables.ensure_chain("PAASTA", all_rules)

    jump = iptables.Rule(
        protocol="ip",
        src="0.0.0.0/0.0.0.0",
        dst="0.0.0.0/0.0.0.0",
        target="PAASTA",
        matches=(),
        target_parameters=(),
    )
    iptables.ensure_rule("INPUT", jump)
    iptables.ensure_rule("FORWARD", jump)
def test_ensure_chain():
    """ensure_chain adds the missing rule and removes the extra one.

    Existing chain: DROP + ACCEPT 1.0.0.0/24. Desired: DROP + ACCEPT
    2.0.0.0/24. Expect one insert_rule for the new ACCEPT and one
    delete_rules call carrying the stale ACCEPT.

    NOTE: the stubbed list_chain returns a set, so only membership is
    verified here — not where the inserted rule ends up in the chain.
    """
    chain = "PAASTA.service"
    drop = EMPTY_RULE._replace(target="DROP")
    accept_old = EMPTY_RULE._replace(target="ACCEPT", src="1.0.0.0/255.255.255.0")
    accept_new = EMPTY_RULE._replace(target="ACCEPT", src="2.0.0.0/255.255.255.0")

    list_chain_patch = mock.patch.object(
        iptables, "list_chain", autospec=True, return_value={drop, accept_old}
    )
    insert_patch = mock.patch.object(iptables, "insert_rule", autospec=True)
    delete_patch = mock.patch.object(iptables, "delete_rules", autospec=True)

    with list_chain_patch, insert_patch as mock_insert, delete_patch as mock_delete:
        iptables.ensure_chain(chain, (drop, accept_new))

        # Missing rule is inserted once.
        assert mock_insert.mock_calls == [mock.call(chain, accept_new)]
        # Stale rule is removed in a single batched delete.
        assert mock_delete.mock_calls == [mock.call(chain, {accept_old})]
def _ensure_dns_chain():
    """Ensure PAASTA-DNS accepts port 53 (UDP then TCP) to every resolver.

    For each address from ``_dns_servers()`` two ACCEPT rules are produced,
    both restricted to that one host (/255.255.255.255) and to dport 53.
    Nothing else is accepted by this chain.

    Security note: query content is unconstrained, so any service can talk
    freely to the resolvers; DNS-based exfiltration is outside what this
    chain can enforce.
    """
    rules = []
    for server in _dns_servers():
        target_host = '{}/255.255.255.255'.format(server)
        rules.append(iptables.Rule(
            protocol='udp',
            src='0.0.0.0/0.0.0.0',
            dst=target_host,
            target='ACCEPT',
            matches=(('udp', (('dport', ('53',)),)),),
            target_parameters=(),
        ))
        # Truncated UDP answers are retried over TCP, so open that too.
        rules.append(iptables.Rule(
            protocol='tcp',
            src='0.0.0.0/0.0.0.0',
            dst=target_host,
            target='ACCEPT',
            matches=(('tcp', (('dport', ('53',)),)),),
            target_parameters=(),
        ))
    iptables.ensure_chain('PAASTA-DNS', tuple(rules))
def update_rules(self):
    """Reconcile this object's iptables chain with ``self.rules``.

    Delegates to ``iptables.ensure_chain`` so the chain named
    ``self.chain_name`` ends up holding exactly the rules in ``self.rules``.

    NOTE(review): no reorder step follows the reconciliation here, so the
    in-chain order depends on ensure_chain's insertion behaviour — confirm
    that is acceptable for chains where order is security relevant (e.g. a
    RETURN/DROP that must precede an ACCEPT).
    """
    chain = self.chain_name
    desired = self.rules
    iptables.ensure_chain(chain, desired)
def update_rules(self, soa_dir, synapse_service_dir):
    """Reconcile this object's chain with its computed rules, then reorder.

    Args:
        soa_dir: passed straight through to ``self.get_rules`` (not read
            here directly).
        synapse_service_dir: likewise passed through to ``self.get_rules``.

    ``ensure_chain`` converges the chain on the desired rule set; the
    follow-up ``reorder_chain`` exists presumably because set reconciliation
    says nothing about in-chain order, which matters for iptables (first
    terminating match wins).
    """
    chain = self.chain_name
    desired = self.get_rules(soa_dir, synapse_service_dir)
    iptables.ensure_chain(chain, desired)
    # Order is re-established explicitly rather than assumed from insertion.
    iptables.reorder_chain(chain)