def _ensure_common_chain():
    """Converge the PAASTA-COMMON chain onto the rules shared by every service.

    The wanted rule set, in the order it is handed to ``iptables.ensure_chain``:

    * an ACCEPT for conntrack state ESTABLISHED, i.e. return traffic of
      connections that were already accepted (only ESTABLISHED is listed,
      RELATED is not),
    * three ``_yocalhost_rule`` entries: scribed on 1463 and sensu on 3030
      (with whatever protocol that helper defaults to) and metrics-relay on
      8125/udp -- what the helper actually builds is defined elsewhere,
    * an unconditional jump to PAASTA-DNS, so that chain has to exist.

    Where each rule lands in the live chain is decided by ``ensure_chain``'s
    insertion behaviour, not by the order of this tuple.
    """
    any_host = "0.0.0.0/0.0.0.0"
    established_only = (("conntrack", (("ctstate", ("ESTABLISHED",)),)),)

    accept_established = iptables.Rule(
        protocol="ip",
        src=any_host,
        dst=any_host,
        target="ACCEPT",
        matches=established_only,
        target_parameters=(),
    )
    local_sidecars = (
        _yocalhost_rule(1463, "scribed"),
        _yocalhost_rule(8125, "metrics-relay", protocol="udp"),
        _yocalhost_rule(3030, "sensu"),
    )
    jump_to_dns = iptables.Rule(
        protocol="ip",
        src=any_host,
        dst=any_host,
        target="PAASTA-DNS",
        matches=(),
        target_parameters=(),
    )

    iptables.ensure_chain(
        "PAASTA-COMMON",
        (accept_established,) + local_sidecars + (jump_to_dns,),
    )
def test_ensure_chain():
    """Reconciling an existing chain applies only the difference.

    The chain is reported to hold DROP plus an ACCEPT for 1.0.0.0/24; the
    wanted set is DROP plus an ACCEPT for 2.0.0.0/24.  The shared DROP rule
    must be left alone: exactly one insert and one delete are expected.
    """
    drop = EMPTY_RULE._replace(target='DROP')
    stale_accept = EMPTY_RULE._replace(target='ACCEPT', src='1.0.0.0/255.255.255.0')
    wanted_accept = EMPTY_RULE._replace(target='ACCEPT', src='2.0.0.0/255.255.255.0')

    with mock.patch.object(
        iptables, 'list_chain', autospec=True, return_value={drop, stale_accept},
    ):
        with mock.patch.object(iptables, 'insert_rule', autospec=True) as mock_insert_rule:
            with mock.patch.object(iptables, 'delete_rules', autospec=True) as mock_delete_rules:
                iptables.ensure_chain('PAASTA.service', (drop, wanted_accept))

    # Only the rule missing from the chain gets inserted ...
    assert mock_insert_rule.mock_calls == [
        mock.call('PAASTA.service', wanted_accept),
    ]

    # ... and only the rule that is no longer wanted gets deleted.
    assert mock_delete_rules.mock_calls == [
        mock.call('PAASTA.service', {stale_accept}),
    ]
def _ensure_common_chain():
    """Converge PAASTA-COMMON, the chain every service is routed through.

    Rules handed to ``iptables.ensure_chain``: an ACCEPT for conntrack state
    ESTABLISHED (return traffic of already-accepted connections; RELATED is
    deliberately not part of the match), ``_yocalhost_rule`` entries for
    scribed (1463), metrics-relay (8125/udp) and sensu (3030) -- built by a
    helper defined elsewhere -- and finally an unconditional jump to the
    PAASTA-DNS chain.  Positions in the live chain are up to ``ensure_chain``.
    """
    def _any_to_any(target, matches=()):
        # Match every source/destination; only the target (and optional
        # extension match) differs between the two generic rules below.
        return iptables.Rule(
            protocol='ip',
            src='0.0.0.0/0.0.0.0',
            dst='0.0.0.0/0.0.0.0',
            target=target,
            matches=matches,
            target_parameters=(),
        )

    established = (('conntrack', (('ctstate', ('ESTABLISHED', )), )), )
    iptables.ensure_chain(
        'PAASTA-COMMON',
        (
            _any_to_any('ACCEPT', matches=established),
            _yocalhost_rule(1463, 'scribed'),
            _yocalhost_rule(8125, 'metrics-relay', protocol='udp'),
            _yocalhost_rule(3030, 'sensu'),
            _any_to_any('PAASTA-DNS'),
        ),
    )
def _ensure_internet_chain():
    """Converge PAASTA-INTERNET: ACCEPT everything except private destinations.

    The wanted set is one catch-all ACCEPT plus one RETURN per entry of
    ``OUTBOUND_PRIVATE_IP_RANGES``; a RETURN hands traffic to those ranges
    back to the calling chain instead of accepting it here.  The tuple lists
    the ACCEPT first, but the position each rule ends up at is decided by
    ``iptables.ensure_chain`` (not visible here).  The RETURNs only take
    effect if they precede the catch-all ACCEPT in the live chain, so that is
    worth checking on a host whenever this function or ``ensure_chain``
    changes.
    """
    any_host = "0.0.0.0/0.0.0.0"

    def _ip_rule(dst, target):
        return iptables.Rule(
            protocol="ip",
            src=any_host,
            dst=dst,
            target=target,
            matches=(),
            target_parameters=(),
        )

    accept_everything = (_ip_rule(any_host, "ACCEPT"),)
    skip_private = tuple(
        _ip_rule(ip_range, "RETURN") for ip_range in OUTBOUND_PRIVATE_IP_RANGES
    )
    iptables.ensure_chain("PAASTA-INTERNET", accept_everything + skip_private)
def _ensure_dns_chain():
    """Converge PAASTA-DNS: allow port-53 traffic to the configured resolvers only.

    For every address returned by ``_dns_servers()`` two ACCEPT rules are
    wanted, one UDP and one TCP, each pinned to that single host (mask
    ``255.255.255.255``) and to destination port 53.  Nothing in this chain
    accepts DNS to arbitrary hosts.  ``_dns_servers()`` is called once per
    invocation.
    """
    def _port_53(proto, server):
        return iptables.Rule(
            protocol=proto,
            src="0.0.0.0/0.0.0.0",
            dst=f"{server}/255.255.255.255",
            target="ACCEPT",
            matches=((proto, (("dport", ("53",)),)),),
            target_parameters=(),
        )

    wanted = []
    for server in _dns_servers():
        wanted.append(_port_53("udp", server))
        # DNS goes over TCP sometimes, too!
        wanted.append(_port_53("tcp", server))

    iptables.ensure_chain("PAASTA-DNS", tuple(wanted))
def test_ensure_chain_creates_chain_if_doesnt_exist():
    """When list_chain reports the chain as missing, ensure_chain creates it."""
    chain = "PAASTA.service"
    missing = iptables.ChainDoesNotExist(chain)

    with mock.patch.object(iptables, "list_chain", side_effect=missing):
        with mock.patch.object(iptables, "create_chain", autospec=True) as mock_create_chain:
            iptables.ensure_chain(chain, ())

    assert mock_create_chain.mock_calls == [mock.call(chain)]
def test_ensure_chain_creates_chain_if_doesnt_exist():
    """A chain that list_chain cannot find is created by ensure_chain."""
    chain = 'PAASTA.service'
    list_chain_raises = mock.patch.object(
        iptables, 'list_chain', side_effect=iptables.ChainDoesNotExist(chain),
    )
    create_chain_spy = mock.patch.object(iptables, 'create_chain', autospec=True)

    with list_chain_raises, create_chain_spy as mock_create_chain:
        iptables.ensure_chain(chain, ())

    assert mock_create_chain.mock_calls == [mock.call(chain)]
def ensure_internet_chain():
    """Converge PAASTA-INTERNET: a catch-all ACCEPT plus RETURNs for private ranges.

    One RETURN is wanted per entry of ``PRIVATE_IP_RANGES`` so traffic to those
    destinations goes back to the calling chain rather than being accepted.
    The ACCEPT is listed first; whether the RETURNs precede it in the live
    chain depends on how ``iptables.ensure_chain`` places inserted rules,
    which is not visible here and is worth verifying on a host.
    """
    def _from_anywhere(dst, target):
        return iptables.Rule(
            protocol='ip',
            src='0.0.0.0/0.0.0.0',
            dst=dst,
            target=target,
            matches=(),
        )

    wanted = [_from_anywhere('0.0.0.0/0.0.0.0', 'ACCEPT')]
    for ip_range in PRIVATE_IP_RANGES:
        wanted.append(_from_anywhere(ip_range, 'RETURN'))

    iptables.ensure_chain('PAASTA-INTERNET', tuple(wanted))
def ensure_dispatch_chains(service_chains):
    """Converge the top-level PAASTA chain and hook it into INPUT and FORWARD.

    Args:
        service_chains: mapping of service chain name to an iterable of MAC
            addresses; one ``dispatch_rule(chain, mac)`` is wanted per pair.
            What that rule matches on is defined elsewhere (presumably the
            container's MAC address -- confirm against ``dispatch_rule``).

    The dispatch rules are passed as a set, so their relative order in the
    live chain is not controlled here.  Afterwards an unconditional jump to
    PAASTA is ensured in both INPUT and FORWARD, so dispatch applies to
    traffic addressed to the host as well as traffic forwarded through it.
    """
    paasta_rules = {
        dispatch_rule(chain, mac)
        for chain, macs in service_chains.items()
        for mac in macs
    }
    iptables.ensure_chain('PAASTA', paasta_rules)

    jump_to_paasta = iptables.Rule(
        protocol='ip',
        src='0.0.0.0/0.0.0.0',
        dst='0.0.0.0/0.0.0.0',
        target='PAASTA',
        matches=(),
        target_parameters=(),
    )
    for builtin_chain in ('INPUT', 'FORWARD'):
        iptables.ensure_rule(builtin_chain, jump_to_paasta)
def ensure_dispatch_chains(service_chains):
    """Converge the PAASTA dispatch chain and jump to it from INPUT and FORWARD.

    Args:
        service_chains: mapping of service chain name to an iterable of MAC
            addresses.  Each (chain, mac) pair yields one ``dispatch_rule``;
            that helper is defined elsewhere, presumably matching on the MAC.

    Because the wanted rules are collected into a set, this function does not
    control their order inside the PAASTA chain.  The jump rule matches every
    source and destination, so all INPUT and FORWARD traffic passes through
    PAASTA.
    """
    paasta_rules = set()
    for chain, macs in service_chains.items():
        for mac in macs:
            paasta_rules.add(dispatch_rule(chain, mac))
    iptables.ensure_chain("PAASTA", paasta_rules)

    everything = "0.0.0.0/0.0.0.0"
    jump_to_paasta = iptables.Rule(
        protocol="ip",
        src=everything,
        dst=everything,
        target="PAASTA",
        matches=(),
        target_parameters=(),
    )
    iptables.ensure_rule("INPUT", jump_to_paasta)
    iptables.ensure_rule("FORWARD", jump_to_paasta)
def test_ensure_chain():
    """ensure_chain reconciles an existing chain with a minimal diff.

    Existing: DROP and ACCEPT-from-1.0.0.0/24.  Wanted: DROP and
    ACCEPT-from-2.0.0.0/24.  The DROP rule is common to both, so only the
    new ACCEPT is inserted and only the old ACCEPT is deleted.
    """
    chain = "PAASTA.service"
    drop = EMPTY_RULE._replace(target="DROP")
    old_accept = EMPTY_RULE._replace(target="ACCEPT", src="1.0.0.0/255.255.255.0")
    new_accept = EMPTY_RULE._replace(target="ACCEPT", src="2.0.0.0/255.255.255.0")

    with mock.patch.object(
        iptables, "list_chain", autospec=True, return_value={drop, old_accept},
    ):
        with mock.patch.object(iptables, "insert_rule", autospec=True) as mock_insert_rule:
            with mock.patch.object(iptables, "delete_rules", autospec=True) as mock_delete_rules:
                iptables.ensure_chain(chain, (drop, new_accept))

    expected_inserts = [mock.call(chain, new_accept)]
    expected_deletes = [mock.call(chain, {old_accept})]

    # It should add the missing rule
    assert mock_insert_rule.mock_calls == expected_inserts

    # It should delete the extra rule
    assert mock_delete_rules.mock_calls == expected_deletes
def _ensure_dns_chain():
    """Converge PAASTA-DNS: accept port-53 traffic only to the known resolvers.

    Each address from ``_dns_servers()`` gets two ACCEPT rules (UDP and TCP),
    both restricted to that single host via the ``255.255.255.255`` mask and
    to destination port 53.  No rule here accepts DNS towards any other host.
    """
    host_mask = '255.255.255.255'

    def _dns_rule(proto, server):
        return iptables.Rule(
            protocol=proto,
            src='0.0.0.0/0.0.0.0',
            dst='{}/{}'.format(server, host_mask),
            target='ACCEPT',
            matches=((proto, (('dport', ('53', )), )), ),
            target_parameters=(),
        )

    wanted = tuple(
        _dns_rule(proto, server)
        for server in _dns_servers()
        for proto in ('udp', 'tcp')  # DNS goes over TCP sometimes, too!
    )
    iptables.ensure_chain('PAASTA-DNS', wanted)
 def update_rules(self):
     """Converge this object's iptables chain onto ``self.rules``.

     Delegates entirely to ``iptables.ensure_chain`` with ``self.chain_name``
     and ``self.rules``; how the wanted rules are diffed against the live
     chain, and in what order they end up, is decided there.
     """
     chain_name = self.chain_name
     wanted = self.rules
     iptables.ensure_chain(chain_name, wanted)
 def update_rules(self, soa_dir, synapse_service_dir):
     """Recompute the wanted rules, converge the chain onto them, then reorder it.

     Args:
         soa_dir: passed through unchanged to ``self.get_rules``.
         synapse_service_dir: passed through unchanged to ``self.get_rules``.

     ``iptables.reorder_chain`` runs after ``ensure_chain``, so the final
     order of the live chain is settled by that call rather than by the
     order in which missing rules were inserted.
     """
     chain_name = self.chain_name
     wanted = self.get_rules(soa_dir, synapse_service_dir)
     iptables.ensure_chain(chain_name, wanted)
     iptables.reorder_chain(chain_name)