def update_group_member(self, req):
        cmd = jsonobject.loads(req[http.REQUEST_BODY])
        rsp = UpdateGroupMemberResponse()

        utos4 = []
        utos6 = []
        for uto in cmd.updateGroupTOs:
            if int(uto.ipVersion) == 4:
                utos4.append(uto)
            else:
                utos6.append(uto)

        ips_mn = ipset.IPSetManager()
        ipt = iptables.from_iptables_save()
        to_del_ipset_names = []
        for uto in utos4:
            if uto.actionCode == self.ACTION_CODE_DELETE_GROUP:
                to_del_ipset_names.append(self._make_security_group_ipset_name(uto.securityGroupUuid))
            elif uto.actionCode == self.ACTION_CODE_UPDATE_GROUP_MEMBER:
                set_name = self._make_security_group_ipset_name(uto.securityGroupUuid)
                ip_version = self.ZSTACK_IPSET_FAMILYS[int(uto.ipVersion)]
                ips_mn.create_set(name=set_name, match_ips=uto.securityGroupVmIps, ip_version=ip_version)

        ips_mn.refresh_my_ipsets()
        if len(to_del_ipset_names) > 0:
            to_del_rules = ipt.list_reference_ipset_rules(to_del_ipset_names)
            for rule in to_del_rules:
                ipt.remove_rule(str(rule))
            ipt.iptable_restore()
            ips_mn.clean_ipsets(to_del_ipset_names)

        ip6s_mn = ipset.IPSetManager()
        ip6t = iptables.from_ip6tables_save()
        to_del_ipset_names = []
        for uto in utos6:
            if uto.actionCode == self.ACTION_CODE_DELETE_GROUP:
                to_del_ipset_names.append(self._make_security_group_ipset_name(uto.securityGroupUuid))
            elif uto.actionCode == self.ACTION_CODE_UPDATE_GROUP_MEMBER:
                set_name = self._make_security_group_ipset_name(uto.securityGroupUuid)
                ip_version = self.ZSTACK_IPSET_FAMILYS[int(uto.ipVersion)]
                ip6s_mn.create_set(name=set_name, match_ips=uto.securityGroupVmIps, ip_version=ip_version)

        ip6s_mn.refresh_my_ipsets()
        if len(to_del_ipset_names) > 0:
            to_del_rules = ip6t.list_reference_ipset_rules(to_del_ipset_names)
            for rule in to_del_rules:
                ip6t.remove_rule(str(rule))
            ip6t.iptable_restore()
            ip6s_mn.clean_ipsets(to_del_ipset_names)

        self._cleanup_conntrack()

        return jsonobject.dumps(rsp)
    def _apply_rules_using_iprange_match(self, cmd, iptable=None, ipset_mn=None):
        """Program per-vNIC chains from ``cmd.ruleTOs`` into an iptables snapshot.

        ``iptable`` and ``ipset_mn`` are reused when supplied (truthy);
        otherwise a fresh iptables-save snapshot and IPSetManager are built.
        A TO whose ``actionCode`` is neither DELETE_CHAIN nor APPLY_RULE
        raises ``Exception``.

        NOTE(review): the set-name matcher below treats
        ``ZSTACK_IPSET_NAME_FORMAT`` as a plain string prefix, while
        ``cleanup_unused_rules_on_host`` indexes the same constant by
        address family — one of the two usages looks stale; confirm the
        constant's shape before relying on this method.
        """
        ipt = iptable or iptables.from_iptables_save()
        ips_mn = ipset_mn or ipset.IPSetManager()

        self._create_default_rules(ipt)

        for rto in cmd.ruleTOs:
            code = rto.actionCode
            if code == self.ACTION_CODE_DELETE_CHAIN:
                self._delete_vnic_chain(ipt, rto.vmNicInternalName)
                continue
            if code == self.ACTION_CODE_APPLY_RULE:
                self._apply_rules_on_vnic_chain(ipt, ips_mn, rto)
                continue
            raise Exception('unknown action code: %s' % code)

        # Remove-then-add the catch-all ACCEPT on the default chain,
        # presumably so it ends up as the chain's final rule.
        accept_rule = "-A %s -j ACCEPT" % self.ZSTACK_DEFAULT_CHAIN
        ipt.remove_rule(accept_rule)
        ipt.add_rule(accept_rule)
        self._cleanup_stale_chains(ipt)

        ips_mn.refresh_my_ipsets()
        ipt.iptable_restore()
        in_use = ipt.list_used_ipset_name()

        def is_zstack_set(name):
            return name.startswith(self.ZSTACK_IPSET_NAME_FORMAT)

        ips_mn.cleanup_other_ipset(is_zstack_set, in_use)
    def cleanup_unused_rules_on_host(self, req):
        """Drop stale vNIC chains and orphaned ZStack ipsets on this host.

        Args:
            req: request mapping; ``req[http.REQUEST_BODY]`` is the JSON
                command whose ``skipIpv6`` flag disables the ip6tables pass.

        Returns:
            The serialized ``CleanupUnusedRulesOnHostResponse``.

        Side effects: restores iptables (and ip6tables unless skipped),
        deletes ZStack-prefixed ipsets no rule references, and calls
        ``_cleanup_conntrack``.
        """
        cmd = jsonobject.loads(req[http.REQUEST_BODY])
        rsp = CleanupUnusedRulesOnHostResponse()

        ipt = iptables.from_iptables_save()
        ips_mn = ipset.IPSetManager()

        def prefix_matcher(family):
            # Lookup stays inside the predicate so it happens at match time.
            return lambda name: name.startswith(self.ZSTACK_IPSET_NAME_FORMAT[family])

        def purge(table, family):
            self._cleanup_stale_chains(table)
            table.iptable_restore()
            ips_mn.cleanup_other_ipset(prefix_matcher(family),
                                       table.list_used_ipset_name())

        purge(ipt, self.IPV4)
        if not cmd.skipIpv6:
            purge(iptables.from_ip6tables_save(), self.IPV6)

        self._cleanup_conntrack()

        return jsonobject.dumps(rsp)
    def update_group_member(self, req):
        """Create or delete security-group ipsets (IPv4 tables only here).

        Args:
            req: request mapping; ``req[http.REQUEST_BODY]`` is the JSON
                command whose ``updateGroupTOs`` entries carry ``actionCode``,
                ``securityGroupUuid`` and ``securityGroupVmIps``.

        Returns:
            The serialized ``UpdateGroupMemberResponse``.

        TOs with any other action code are ignored silently. Rules that
        reference a set scheduled for deletion are removed and the table
        restored before the set itself is cleaned.
        """
        cmd = jsonobject.loads(req[http.REQUEST_BODY])
        rsp = UpdateGroupMemberResponse()

        ips_mn = ipset.IPSetManager()
        ipt = iptables.from_iptables_save()
        stale_sets = []
        for uto in cmd.updateGroupTOs:
            code = uto.actionCode
            if code == self.ACTION_CODE_DELETE_GROUP:
                stale_sets.append(
                    self._make_security_group_ipset_name(uto.securityGroupUuid))
            elif code == self.ACTION_CODE_UPDATE_GROUP_MEMBER:
                ips_mn.create_set(
                    name=self._make_security_group_ipset_name(uto.securityGroupUuid),
                    match_ips=uto.securityGroupVmIps)

        ips_mn.refresh_my_ipsets()
        if stale_sets:
            for rule in ipt.list_reference_ipset_rules(stale_sets):
                ipt.remove_rule(str(rule))
            ipt.iptable_restore()
            ips_mn.clean_ipsets(stale_sets)

        return jsonobject.dumps(rsp)
    def cleanup_unused_rules_on_host(self, req):
        """Remove stale vNIC chains and orphaned ZStack ipsets (IPv4 tables only).

        ``req`` is part of the handler interface but is not read here.

        Returns:
            The serialized ``CleanupUnusedRulesOnHostResponse``.
        """
        rsp = CleanupUnusedRulesOnHostResponse()

        ipt = iptables.from_iptables_save()
        ips_mn = ipset.IPSetManager()
        self._cleanup_stale_chains(ipt)
        ipt.iptable_restore()

        in_use = ipt.list_used_ipset_name()

        def is_zstack_set(name):
            return name.startswith(self.ZSTACK_IPSET_NAME_FORMAT)

        ips_mn.cleanup_other_ipset(is_zstack_set, in_use)
        return jsonobject.dumps(rsp)