Esempio n. 1
 def _update_chains(self):
     """
     Rewrite this profile's inbound and outbound iptables chains.

     The chain contents are generated from ``self._profile`` (a missing
     profile is treated as having no rules in either direction) and the
     tag -> ipset-name mapping taken from ``self.ipset_refs``.  Both
     chains are handed to the iptables updater in a single blocking
     ``rewrite_chains`` call; only after that call returns does the
     profile report itself ready, and it does so at most once.

     No validation of the profile's rule data happens here; the rules
     are trusted as given and any checking is left to the rule generator.
     An error raised by the updater propagates to the caller, in which
     case the ready notification is skipped (see the TODO below).
     """
     _log.info("%s Programming iptables with our chains.", self)
     rules_by_chain = {}
     for direction in ("inbound", "outbound"):
         _log.debug("Updating %s chain for profile %s", direction,
                    self.id)
         profile = self._profile or {}
         _log.debug("Profile %s: %s", self.id, self._profile)
         direction_rules = profile.get("%s_rules" % direction, [])
         chain = self.chain_names[direction]
         # The rule generator addresses ipsets by name, not by reference.
         ipset_names = dict((tag, ref.name)
                            for tag, ref in self.ipset_refs.iteritems())
         rules_by_chain[chain] = rules_to_chain_rewrite_lines(
             chain, direction_rules, self.ip_version, ipset_names,
             on_allow="RETURN")
     _log.debug("Queueing programming for rules %s: %s", self.id,
                rules_by_chain)
     # async=False: presumably block until the dataplane has been
     # programmed (or the updater raises) before reporting ready.
     self._iptables_updater.rewrite_chains(rules_by_chain, {}, async=False)
     # TODO Isolate exceptions from programming the chains to this profile.
     # Radical thought - could we just say that the profile should be OK,
     # and therefore we don't care? In other words, do we need to handle the
     # error cleverly, or could we just say that since we built the rules
     # they really should always work.
     if not self.notified_ready:
         self._notify_ready()
         self.notified_ready = True
Esempio n. 2
    def _update_chains(self):
        """
        Rewrite this profile's inbound and outbound iptables chains.

        Blocks until the update is complete.

        On entry, self._pending_profile must not be None; each chain is
        generated from that pending profile's ``<direction>_rules`` list
        (a missing list means no rules) and the tag -> ipset-name mapping
        from self._ipset_refs, with the profile id attached as the rule
        comment tag.

        :raises FailedSystemCall: if the update fails.
        """
        _log.info("%s Programming iptables with our chains.", self)
        pending = self._pending_profile
        # Internal invariant.  Note ``assert`` is stripped under -O, in
        # which case a None profile surfaces as an AttributeError below.
        assert pending is not None, \
               "_update_chains called with no _pending_profile"
        chain_rules = {}
        for direction in ("inbound", "outbound"):
            chain = self.chain_names[direction]
            _log.info("Updating %s chain %r for profile %s", direction,
                      chain, self.id)
            # NOTE(review): this logs the current profile (self._profile),
            # not the pending one that is actually being programmed.
            _log.debug("Profile %s: %s", self.id, self._profile)
            rules = pending.get(direction + "_rules", [])
            # The rule generator addresses ipsets by name, not by reference.
            ipset_names = {}
            for tag, ref in self._ipset_refs.iteritems():
                ipset_names[tag] = ref.ipset_name
            chain_rules[chain] = rules_to_chain_rewrite_lines(
                chain,
                rules,
                self.ip_version,
                ipset_names,
                on_allow="RETURN",
                # Presumably rendered into the rules as an iptables comment;
                # assumes the generator sanitises it -- verify there.
                comment_tag=self.id)
        _log.debug("Queueing programming for rules %s: %s", self.id,
                   chain_rules)
        self._iptables_updater.rewrite_chains(chain_rules, {}, async=False)
Esempio n. 3
    def _update_chains(self):
        """
        Rewrite this profile's inbound and outbound iptables chains.

        Blocks until the update is complete.

        On entry, self._pending_profile must not be None.  The inbound and
        outbound chains are generated from its ``inbound_rules`` and
        ``outbound_rules`` lists (a missing list means no rules), ipset
        tags are resolved to ipset names through self._ipset_refs, and the
        profile id is attached to the rules as the comment tag.

        :raises FailedSystemCall: if the update fails.
        """
        _log.info("%s Programming iptables with our chains.", self)
        assert self._pending_profile is not None, \
               "_update_chains called with no _pending_profile"
        pending = self._pending_profile

        def lines_for(direction):
            """Log and generate the rewrite lines for one chain."""
            chain = self.chain_names[direction]
            _log.info("Updating %s chain %r for profile %s",
                      direction, chain, self.id)
            # NOTE(review): this logs the current profile (self._profile),
            # not the pending one that is actually being programmed.
            _log.debug("Profile %s: %s", self.id, self._profile)
            # Tags are resolved to concrete ipset names for the generator.
            ipset_names = {}
            for tag, ref in self._ipset_refs.iteritems():
                ipset_names[tag] = ref.ipset_name
            return chain, rules_to_chain_rewrite_lines(
                chain,
                pending.get(direction + "_rules", []),
                self.ip_version,
                ipset_names,
                on_allow="RETURN",
                # Presumably rendered into the rules as an iptables comment;
                # assumes the generator sanitises it -- verify there.
                comment_tag=self.id)

        updates = {}
        for direction in ("inbound", "outbound"):
            chain, lines = lines_for(direction)
            updates[chain] = lines
        _log.debug("Queueing programming for rules %s: %s", self.id,
                   updates)
        self._iptables_updater.rewrite_chains(updates, {}, async=False)
Esempio n. 4
 def _update_chains(self):
     """
     Rewrite this profile's inbound and outbound iptables chains.

     Rules come from self._pending_profile (None is treated as a profile
     with no rules), ipset tags are resolved to names via self._ipset_refs
     and the profile id is passed as the rule comment tag.  Both chains go
     to the iptables updater in one blocking rewrite_chains call, so any
     failure it raises propagates to the caller.
     """
     _log.info("%s Programming iptables with our chains.", self)
     pending = self._pending_profile or {}
     chain_updates = {}
     for direction in ("inbound", "outbound"):
         chain = self.chain_names[direction]
         _log.info("Updating %s chain %r for profile %s",
                   direction, chain, self.id)
         # NOTE(review): logs the current profile, not the pending one
         # being programmed.
         _log.debug("Profile %s: %s", self.id, self._profile)
         rules = pending.get("%s_rules" % direction, [])
         # The rule generator addresses ipsets by name, not by reference.
         ipset_names = dict((tag, ref.name)
                            for tag, ref in self._ipset_refs.iteritems())
         chain_updates[chain] = rules_to_chain_rewrite_lines(
             chain, rules, self.ip_version, ipset_names,
             on_allow="RETURN",
             # Presumably rendered as an iptables comment; assumes the
             # generator sanitises it -- verify there.
             comment_tag=self.id)
     _log.debug("Queueing programming for rules %s: %s", self.id,
                chain_updates)
     self._iptables_updater.rewrite_chains(chain_updates, {}, async=False)
Esempio n. 5
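 def _update_chains(self):
     """
     Rewrite this profile's inbound and outbound iptables chains.

     The chain contents are generated from self._profile (a missing
     profile is treated as having no rules) and the tag -> ipset-name
     mapping from self.ipset_refs.  Both chains are handed to the
     iptables updater in one blocking rewrite_chains call; only after it
     returns does the profile report itself ready, at most once.

     An error raised by the updater propagates to the caller and the
     ready notification is skipped (see the TODO below).
     """
     # The log call previously had two %s placeholders and no arguments,
     # so the logging module reported a formatting error instead of
     # emitting the line; pass the profile as the single argument, as the
     # other copies of this method do.
     _log.info("%s Programming iptables with our chains.", self)
     updates = {}
     for direction in ("inbound", "outbound"):
         _log.debug("Updating %s chain for profile %s", direction,
                    self.id)
         new_profile = self._profile or {}
         _log.debug("Profile %s: %s", self.id, self._profile)
         rules_key = "%s_rules" % direction
         new_rules = new_profile.get(rules_key, [])
         chain_name = self.chain_names[direction]
         # The rule generator addresses ipsets by name, not by reference.
         tag_to_ip_set_name = {}
         for tag, ipset in self.ipset_refs.iteritems():
             tag_to_ip_set_name[tag] = ipset.name
         updates[chain_name] = rules_to_chain_rewrite_lines(
             chain_name,
             new_rules,
             self.ip_version,
             tag_to_ip_set_name,
             on_allow="RETURN")
     _log.debug("Queueing programming for rules %s: %s", self.id,
                updates)
     # async=False: presumably blocks until the dataplane is programmed
     # (or the updater raises) before we report ready.
     self._iptables_updater.rewrite_chains(updates, {}, async=False)
     # TODO Isolate exceptions from programming the chains to this profile.
     # PLW: Radical thought - could we just say that the profile should be
     # OK, and therefore we don't care? In other words, do we need to handle
     # the error cleverly in the short term, or could we just say that since
     # we built the rules they really should always work.
     if not self.notified_ready:
         self._notify_ready()
         self.notified_ready = True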
Esempio n. 6
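 def test_rules_generation(self):
     """
     Check rule-to-chain rendering against the RULES_TESTS table.

     Each entry is a ``(rules, ip_version, expected_output)`` triple; the
     rules are rendered into chain "chain-foo" using IP_SET_MAPPING and
     ``on_allow="RETURN"`` and compared with the expected fragments.  The
     failure message names the offending table entry, so a mismatch in a
     long table can be located without re-running under a debugger.
     """
     cases = enumerate(RULES_TESTS)
     for index, (rules, ip_version, expected_output) in cases:
         fragments = rules_to_chain_rewrite_lines(
             "chain-foo",
             rules,
             ip_version,
             IP_SET_MAPPING,
             on_allow="RETURN",
         )
         self.assertEqual(
             fragments, expected_output,
             "RULES_TESTS[%d] (IPv%s) rendered %r, expected %r" %
             (index, ip_version, fragments, expected_output))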
Esempio n. 7
 def test_rules_generation(self):
     """
     Render each RULES_TESTS case into chain "chain-foo" (using
     IP_SET_MAPPING and ``on_allow="RETURN"``) and compare the result
     with the expected chain lines.
     """
     def render(rules, ip_version):
         return rules_to_chain_rewrite_lines(
             "chain-foo", rules, ip_version, IP_SET_MAPPING,
             on_allow="RETURN")

     for case in RULES_TESTS:
         rules, ip_version, expected_lines = case
         self.assertEqual(render(rules, ip_version), expected_lines)