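def _create_rule(self, iptc, to):
        """Queue the forward, DNAT and optional gateway-SNAT rules for one port-forwarding entry.

        Nothing is written to the kernel here: rules are only added to ``iptc`` and this
        method never calls a restore, so the caller is responsible for applying the table.

        :param iptc: iptables table object exposing ``add_rule`` and ``NAT_TABLE_NAME``.
        :param to: port-forwarding entry with privateMac, vipIp, protocolType,
            vipPortStart/vipPortEnd, privateIp, privatePortStart/privatePortEnd,
            an optional allowedCidr and the snatInboundTraffic flag.
        :raises AssertionError: if the private NIC, the VIP NIC or (when SNAT is requested)
            the private NIC's IP cannot be resolved. Without these checks a missing value is
            rendered as the literal text ``None`` inside the generated rules instead of
            failing early, which matches the checks already done in _remove_eip.
        """
        private_nic_name = linux.get_nic_name_by_mac(to.privateMac)
        assert private_nic_name, 'cannot find private nic by MAC[%s]' % to.privateMac
        vip_nic_name = linux.get_nic_name_by_ip(to.vipIp)
        assert vip_nic_name, 'cannot find vip nic by IP[%s]' % to.vipIp

        # normalised once so every rule below uses the same protocol spelling
        proto = to.protocolType.lower()
        nat_table = iptc.NAT_TABLE_NAME

        # filter table: a dedicated chain for traffic between the VIP NIC and the private NIC
        forward_chain_name = self._make_forward_chain_name(vip_nic_name, to)
        iptc.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(vip_nic_name, private_nic_name, forward_chain_name))
        iptc.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(private_nic_name, vip_nic_name, forward_chain_name))
        iptc.add_rule('-A %s -j ACCEPT' % forward_chain_name)

        # nat table: PREROUTING jumps to a per-rule chain that rewrites the VIP port range to
        # the private one; allowedCidr, when present, limits the DNAT to sources in that CIDR
        dnat_chain_name = self.make_dnat_chain_name(vip_nic_name, to)
        iptc.add_rule('-A PREROUTING -p {0} -m {0} -d {1} -j {2}'.format(proto, to.vipIp, dnat_chain_name), nat_table)
        if to.allowedCidr:
            iptc.add_rule('-A {0} -s {1} -p {2} --dport {3}:{4} -j DNAT --to-destination {5}:{6}-{7}'.format(
                dnat_chain_name, to.allowedCidr, proto, to.vipPortStart, to.vipPortEnd,
                to.privateIp, to.privatePortStart, to.privatePortEnd), nat_table)
        else:
            iptc.add_rule('-A {0} -p {1} --dport {2}:{3} -j DNAT --to-destination {4}:{5}-{6}'.format(
                dnat_chain_name, proto, to.vipPortStart, to.vipPortEnd,
                to.privateIp, to.privatePortStart, to.privatePortEnd), nat_table)

        if to.snatInboundTraffic:
            # rewrite the source of inbound traffic to the private NIC's own address;
            # order=998 is presumably a placement priority understood by iptc -- confirm there
            gw_snat_name = self._make_gateway_snat_name(vip_nic_name, to)
            guest_gw_ip = linux.get_ip_by_nic_name(private_nic_name)
            assert guest_gw_ip, 'cannot find IP of nic[%s]' % private_nic_name
            iptc.add_rule('-A POSTROUTING -p {0} --dport {1}:{2} -d {3} -j {4}'.format(
                proto, to.privatePortStart, to.privatePortEnd, to.privateIp, gw_snat_name), nat_table, order=998)
            iptc.add_rule('-A {0} -j SNAT --to-source {1}'.format(gw_snat_name, guest_gw_ip), nat_table)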
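    def _revoke_rule(self, iptc, to):
        """Delete the DNAT, forward and gateway-SNAT chains created for a port-forwarding entry.

        Chains are removed from ``iptc`` only; nothing is restored here.

        :param iptc: iptables table object exposing ``delete_chain`` and ``NAT_TABLE_NAME``.
        :param to: the port-forwarding entry being revoked; ``to.vipIp`` locates the VIP NIC.
        :raises AssertionError: when no NIC carries ``to.vipIp``. Without this check the
            chain names would be derived from ``None`` and would not match the chains that
            _create_rule installed, so the forwarding would silently stay in place.
        """
        vip_nic_name = linux.get_nic_name_by_ip(to.vipIp)
        assert vip_nic_name, 'cannot find vip nic by IP[%s]' % to.vipIp
        nat_table = iptc.NAT_TABLE_NAME

        dnat_chain_name = self.make_dnat_chain_name(vip_nic_name, to)
        iptc.delete_chain(dnat_chain_name, nat_table)

        # the forward chain lives in the default (filter) table
        forwarding_chain_name = self._make_forward_chain_name(vip_nic_name, to)
        iptc.delete_chain(forwarding_chain_name)

        gw_snat_chain_name = self._make_gateway_snat_name(vip_nic_name, to)
        iptc.delete_chain(gw_snat_chain_name, nat_table)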
    def _revoke_rule(self, iptc, to):
        """Tear down the three chains that _create_rule set up for one port-forwarding entry.

        :param iptc: iptables table object exposing ``delete_chain`` and ``NAT_TABLE_NAME``.
        :param to: the port-forwarding entry being revoked; ``to.vipIp`` locates the VIP NIC.
        """
        nic = linux.get_nic_name_by_ip(to.vipIp)
        nat = iptc.NAT_TABLE_NAME

        # DNAT chain (nat table)
        dnat = self.make_dnat_chain_name(nic, to)
        iptc.delete_chain(dnat, nat)

        # forward chain (default table)
        forward = self._make_forward_chain_name(nic, to)
        iptc.delete_chain(forward)

        # gateway SNAT chain (nat table)
        gw_snat = self._make_gateway_snat_name(nic, to)
        iptc.delete_chain(gw_snat, nat)
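    def refresh_rule(self, req):
        """Rebuild the ``appliancevm`` INPUT chain from the rules carried in the request.

        The bootstrap rule accepting TCP/22 on eth0 for any destination is swapped for one
        bound to eth0's own address, the ``appliancevm`` chain is deleted and re-attached to
        INPUT, and each entry in ``cmd.rules`` becomes a UDP and/or a TCP stateful ACCEPT
        rule (``-m state --state NEW``). The result is applied with ``iptable_restore``.

        :param req: HTTP request; its body is a JSON command whose ``rules`` entries carry
            protocol ('all', 'udp' or 'tcp'), startPort, endPort, nicMac and the optional
            sourceIp / destIp qualifiers.
        :returns: the serialized RefreshFirewallRsp.
        :raises AssertionError: when eth0 has no IP, or when a rule's NIC cannot be resolved
            (an unresolved NIC would otherwise be rendered as the literal ``-i None``).
        """
        cmd = jsonobject.loads(req[http.REQUEST_BODY])
        rsp = RefreshFirewallRsp()

        ipt = iptables.from_iptables_save()

        # replace bootstrap 22 port rule with a more restricted one that binds to eth0's IP
        ipt.remove_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT')
        eth0_ip = linux.get_ip_by_nic_name('eth0')
        assert eth0_ip, 'cannot find IP of eth0'
        ipt.add_rule('-A INPUT -d %s/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT' % eth0_ip)

        chain_name = 'appliancevm'
        # delete first so the chain only contains the rules from this request
        ipt.delete_chain(chain_name)
        ipt.add_rule('-A INPUT -j %s' % chain_name)

        def accept_rule(entry, nic_name, proto):
            # Render one ACCEPT rule for `proto`; the optional -s/-d qualifiers sit between
            # the chain and the interface/protocol match, in the same order as before.
            parts = ['-A %s' % chain_name]
            if entry.sourceIp:
                parts.append('-s %s' % entry.sourceIp)
            if entry.destIp:
                parts.append('-d %s' % entry.destIp)
            parts.append('-i %s -p %s -m state --state NEW -m %s --dport %s:%s -j ACCEPT'
                         % (nic_name, proto, proto, entry.startPort, entry.endPort))
            return ' '.join(parts)

        for to in cmd.rules:
            if to.destIp:
                nic_name = linux.get_nic_name_by_ip(to.destIp)
            else:
                nic_name = linux.get_nic_name_from_alias(linux.get_nic_names_by_mac(to.nicMac))
            assert nic_name, 'cannot find nic for rule[destIp:%s, nicMac:%s]' % (to.destIp, to.nicMac)

            # 'all' yields both rules, UDP first (same order as the previous hand-written pair)
            for proto in ('udp', 'tcp'):
                if to.protocol == 'all' or to.protocol == proto:
                    ipt.add_rule(accept_rule(to, nic_name, proto))

        ipt.iptable_restore()
        logger.debug('refreshed rules for appliance vm')

        return jsonobject.dumps(rsp)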
    def refresh_rule(self, req):
        """Recreate the ``appliancevm`` INPUT chain from the rules in the request body.

        Replaces the bootstrap TCP/22 rule on eth0 with one restricted to eth0's address,
        recreates the ``appliancevm`` chain, adds one ACCEPT rule per protocol requested by
        each entry (``-m state --state NEW``) and restores the table.

        :param req: HTTP request whose body is the JSON refresh command (``rules`` list).
        :returns: the serialized RefreshFirewallRsp.
        :raises AssertionError: when eth0 has no IP address.
        """
        cmd = jsonobject.loads(req[http.REQUEST_BODY])
        rsp = RefreshFirewallRsp()
        ipt = iptables.from_iptables_save()

        # replace bootstrap 22 port rule with a more restricted one that binds to eth0's IP
        ipt.remove_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT')
        eth0_ip = linux.get_ip_by_nic_name('eth0')
        assert eth0_ip, 'cannot find IP of eth0'
        ipt.add_rule('-A INPUT -d %s/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT' % eth0_ip)

        chain = 'appliancevm'
        ipt.delete_chain(chain)
        ipt.add_rule('-A INPUT -j %s' % chain)

        accept_fmt = '-i %s -p %s -m state --state NEW -m %s --dport %s:%s -j ACCEPT'
        for entry in cmd.rules:
            if entry.destIp:
                nic = linux.get_nic_name_by_ip(entry.destIp)
            else:
                nic = linux.get_nic_name_from_alias(linux.get_nic_names_by_mac(entry.nicMac))

            # common prefix: chain, then the optional source/destination qualifiers
            prefix = ['-A %s' % chain]
            if entry.sourceIp:
                prefix.append('-s %s' % entry.sourceIp)
            if entry.destIp:
                prefix.append('-d %s' % entry.destIp)

            # 'all' produces both rules, udp before tcp
            for proto in ('udp', 'tcp'):
                if entry.protocol not in ('all', proto):
                    continue
                tail = accept_fmt % (nic, proto, proto, entry.startPort, entry.endPort)
                ipt.add_rule(' '.join(prefix + [tail]))

        ipt.iptable_restore()
        logger.debug('refreshed rules for appliance vm')
        return jsonobject.dumps(rsp)
    def _create_rule(self, iptc, to):
        """Queue the forward, DNAT and optional gateway-SNAT rules for one port-forwarding entry.

        Only ``iptc.add_rule`` is called; no restore happens here.

        :param iptc: iptables table object exposing ``add_rule`` and ``NAT_TABLE_NAME``.
        :param to: port-forwarding entry (privateMac, vipIp, protocolType, port ranges,
            privateIp, optional allowedCidr, snatInboundTraffic).
        """
        private_nic = linux.get_nic_name_by_mac(to.privateMac)
        vip_nic = linux.get_nic_name_by_ip(to.vipIp)
        proto = to.protocolType.lower()
        nat = iptc.NAT_TABLE_NAME

        # filter table: both directions between the two NICs jump to one ACCEPT chain
        fwd = self._make_forward_chain_name(vip_nic, to)
        for src, dst in ((vip_nic, private_nic), (private_nic, vip_nic)):
            iptc.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(src, dst, fwd))
        iptc.add_rule('-A %s -j ACCEPT' % fwd)

        # nat table: DNAT the VIP port range to the private port range,
        # restricted to allowedCidr when one is given
        dnat = self.make_dnat_chain_name(vip_nic, to)
        iptc.add_rule('-A PREROUTING -p {0} -m {0} -d {1} -j {2}'.format(proto, to.vipIp, dnat), nat)
        if to.allowedCidr:
            dnat_rule = '-A {0} -s {1} -p {2} --dport {3}:{4} -j DNAT --to-destination {5}:{6}-{7}'.format(
                dnat, to.allowedCidr, proto, to.vipPortStart, to.vipPortEnd,
                to.privateIp, to.privatePortStart, to.privatePortEnd)
        else:
            dnat_rule = '-A {0} -p {1} --dport {2}:{3} -j DNAT --to-destination {4}:{5}-{6}'.format(
                dnat, proto, to.vipPortStart, to.vipPortEnd,
                to.privateIp, to.privatePortStart, to.privatePortEnd)
        iptc.add_rule(dnat_rule, nat)

        if not to.snatInboundTraffic:
            return

        # gateway SNAT: inbound traffic to the private IP/port range leaves with the
        # private NIC's address as source
        gw_snat = self._make_gateway_snat_name(vip_nic, to)
        gw_ip = linux.get_ip_by_nic_name(private_nic)
        iptc.add_rule(
            '-A POSTROUTING -p {0} --dport {1}:{2} -d {3} -j {4}'.format(
                proto, to.privatePortStart, to.privatePortEnd, to.privateIp, gw_snat),
            nat, order=998)
        iptc.add_rule('-A {0} -j SNAT --to-source {1}'.format(gw_snat, gw_ip), nat)
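    def _create_eip(self, eip):
        """Install the DNAT, forward, SNAT and optional gateway-SNAT chains for an EIP and restore.

        The pre-flight check that the VIP NIC is not already referenced by an existing chain
        (present in other versions of this method) is not performed here.

        :param eip: EIP descriptor with privateMac, vipIp, guestIp and snatInboundTraffic.
        :raises AssertionError: when the private NIC, the VIP NIC or (for SNAT) the private
            NIC's IP cannot be resolved -- the same checks _remove_eip already performs;
            without them ``None`` would be rendered into the rules.
        """
        ipt = iptables.from_iptables_save()
        private_nic_name = linux.get_nic_name_by_mac(eip.privateMac)
        assert private_nic_name, "cannot find private nic by MAC[%s]" % eip.privateMac
        vip_nic_name = linux.get_nic_name_by_ip(eip.vipIp)
        assert vip_nic_name, "cannot find vip nic by IP[%s]" % eip.vipIp
        guest_ip = eip.guestIp
        vip = eip.vipIp
        nat_table = ipt.NAT_TABLE_NAME

        dnat_name = self._make_dnat_name(vip_nic_name, private_nic_name)
        snat_name = self._make_snat_name(vip_nic_name, private_nic_name)
        fwd_name = self._make_fwd_name(vip_nic_name, private_nic_name)

        # `order` is passed to every add_rule below; presumably a placement priority
        # understood by the iptables wrapper -- confirm there
        order = 999

        # inbound: traffic to the VIP is DNATed to the guest
        ipt.add_rule('-A PREROUTING -d {0} -j {1}'.format(vip, dnat_name), nat_table, order=order)
        ipt.add_rule('-A {0} -j DNAT --to-destination {1}'.format(dnat_name, guest_ip), nat_table, order=order)

        # forwarding between the two NICs goes through one ACCEPT chain
        ipt.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(vip_nic_name, private_nic_name, fwd_name), order=order)
        ipt.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(private_nic_name, vip_nic_name, fwd_name), order=order)
        ipt.add_rule('-A {0} -j ACCEPT'.format(fwd_name), order=order)

        # outbound: traffic from the guest leaves with the VIP as source
        ipt.add_rule('-A POSTROUTING -s {0} -j {1}'.format(guest_ip, snat_name), nat_table, order=order)
        ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(snat_name, vip), nat_table, order=order)

        if eip.snatInboundTraffic:
            # inbound traffic to the guest is rewritten to come from the private NIC's address
            gw_snat_name = self._make_gateway_snat_name(vip_nic_name, private_nic_name)
            guest_gw_ip = linux.get_ip_by_nic_name(private_nic_name)
            assert guest_gw_ip, 'cannot find IP of nic[%s]' % private_nic_name
            ipt.add_rule('-A POSTROUTING -d {0} -j {1}'.format(guest_ip, gw_snat_name), nat_table, order=order)
            ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(gw_snat_name, guest_gw_ip), nat_table, order=order)

        ipt.iptable_restore()
        logger.debug('successfully created eip[{0}] to guest ip[{1}] from device[{2}] to device[{3}]'.format(vip, guest_ip, vip_nic_name, private_nic_name))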
    def _create_eip(self, eip):
        """Install the chains for an EIP (DNAT, forward, SNAT, optional gateway SNAT) and restore.

        Before adding anything, every chain already present in the nat and filter tables is
        inspected; one whose name refers to the same VIP NIC means the EIP is already in use.

        :param eip: EIP descriptor with privateMac, vipIp, guestIp and snatInboundTraffic.
        :raises virtualrouter.VirtualRouterError: when the VIP NIC is already occupied.
        """
        ipt = iptables.from_iptables_save()
        private_nic = linux.get_nic_name_by_mac(eip.privateMac)
        vip_nic = linux.get_nic_name_by_ip(eip.vipIp)
        guest_ip = eip.guestIp
        vip = eip.vipIp
        nat = ipt.NAT_TABLE_NAME

        dnat = self._make_dnat_name(vip_nic, private_nic)
        snat = self._make_snat_name(vip_nic, private_nic)
        fwd = self._make_fwd_name(vip_nic, private_nic)

        def check_eip(table):
            # any chain in `table` whose name maps back to this VIP NIC is a conflict
            if not table:
                return
            occupied = any(self._get_vip_nic_name_from_chain_name(c.name) == vip_nic
                           for c in table.children)
            if occupied:
                raise virtualrouter.VirtualRouterError('eip[%s] has been occupied, this is an internal error' % vip)

        check_eip(ipt.get_table(nat))
        check_eip(ipt.get_table(ipt.FILTER_TABLE_NAME))

        prio = 999

        # inbound DNAT: VIP -> guest
        ipt.add_rule('-A PREROUTING -d {0} -j {1}'.format(vip, dnat), nat, order=prio)
        ipt.add_rule('-A {0} -j DNAT --to-destination {1}'.format(dnat, guest_ip), nat, order=prio)

        # forwarding in both directions through one ACCEPT chain
        for ingress, egress in ((vip_nic, private_nic), (private_nic, vip_nic)):
            ipt.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(ingress, egress, fwd), order=prio)
        ipt.add_rule('-A {0} -j ACCEPT'.format(fwd), order=prio)

        # outbound SNAT: guest -> VIP
        ipt.add_rule('-A POSTROUTING -s {0} -j {1}'.format(guest_ip, snat), nat, order=prio)
        ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(snat, vip), nat, order=prio)

        if eip.snatInboundTraffic:
            # inbound traffic to the guest is rewritten to come from the private NIC's address
            gw_snat = self._make_gateway_snat_name(vip_nic, private_nic)
            gw_ip = linux.get_ip_by_nic_name(private_nic)
            ipt.add_rule('-A POSTROUTING -d {0} -j {1}'.format(guest_ip, gw_snat), nat, order=prio)
            ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(gw_snat, gw_ip), nat, order=prio)

        ipt.iptable_restore()
        logger.debug('successfully created eip[{0}] to guest ip[{1}] from device[{2}] to device[{3}]'.format(vip, guest_ip, vip_nic, private_nic))
    def _remove_eip(self, eip):
        """Delete every chain _create_eip installed for *eip* and restore the tables.

        :param eip: EIP descriptor with privateMac, vipIp and guestIp.
        :raises AssertionError: when either NIC cannot be resolved from the descriptor.
        """
        ipt = iptables.from_iptables_save()
        private_nic = linux.get_nic_name_by_mac(eip.privateMac)
        assert private_nic, "cannot find private nic by MAC[%s]" % eip.privateMac
        vip_nic = linux.get_nic_name_by_ip(eip.vipIp)
        assert vip_nic, "cannot find vip nic by IP[%s]" % eip.vipIp

        # DNAT, SNAT and gateway-SNAT chains live in the nat table, the forward chain
        # in the default one
        nat_chains = [
            self._make_dnat_name(vip_nic, private_nic),
            self._make_snat_name(vip_nic, private_nic),
        ]
        fwd = self._make_fwd_name(vip_nic, private_nic)
        nat_chains.append(self._make_gateway_snat_name(vip_nic, private_nic))

        for chain in nat_chains:
            ipt.delete_chain(chain, ipt.NAT_TABLE_NAME)
        ipt.delete_chain(fwd)

        ipt.iptable_restore()
        logger.debug('successfully deleted eip[{0}] to guest ip[{1}] from device[{2}] to device[{3}]'.format(
            eip.vipIp, eip.guestIp, vip_nic, private_nic))
    def _remove_eip(self, eip):
        """Remove the EIP's DNAT, SNAT, gateway-SNAT and forward chains, then restore.

        :param eip: EIP descriptor with privateMac, vipIp and guestIp.
        :raises AssertionError: when the private NIC or the VIP NIC cannot be found.
        """
        ipt = iptables.from_iptables_save()

        private_nic_name = linux.get_nic_name_by_mac(eip.privateMac)
        if not private_nic_name:
            raise AssertionError("cannot find private nic by MAC[%s]" % eip.privateMac)
        vip_nic_name = linux.get_nic_name_by_ip(eip.vipIp)
        if not vip_nic_name:
            raise AssertionError("cannot find vip nic by IP[%s]" % eip.vipIp)

        guest_ip = eip.guestIp
        vip = eip.vipIp
        pair = (vip_nic_name, private_nic_name)

        dnat_name = self._make_dnat_name(*pair)
        snat_name = self._make_snat_name(*pair)
        fwd_name = self._make_fwd_name(*pair)
        gw_snat_name = self._make_gateway_snat_name(*pair)

        # nat-table chains first, then the forward chain in the default table
        ipt.delete_chain(dnat_name, ipt.NAT_TABLE_NAME)
        ipt.delete_chain(snat_name, ipt.NAT_TABLE_NAME)
        ipt.delete_chain(gw_snat_name, ipt.NAT_TABLE_NAME)
        ipt.delete_chain(fwd_name)

        ipt.iptable_restore()
        logger.debug('successfully deleted eip[{0}] to guest ip[{1}] from device[{2}] to device[{3}]'.format(vip, guest_ip, vip_nic_name, private_nic_name))