def main():
usage = 'usage: python -c "from cephbackupstorage import cdaemon; cdaemon.main()" start|stop|restart'
if len(sys.argv) != 2 or not sys.argv[1] in ['start', 'stop', 'restart']:
print usage
sys.exit(1)
global pidfile
prepare_pid_dir(pidfile)
try:
iptc = iptables.from_iptables_save()
iptc.add_rule('-A INPUT -p tcp -m tcp --dport 7761 -j ACCEPT')
iptc.iptable_restore()
cmd = sys.argv[1]
agentdaemon = cephagent.CephDaemon(pidfile)
if cmd == 'start':
logger.debug('zstack-ceph-backupstorage starts')
agentdaemon.start()
elif cmd == 'stop':
logger.debug('zstack-ceph-backupstorage stops')
agentdaemon.stop()
elif cmd == 'restart':
logger.debug('zstack-ceph-backupstorage restarts')
agentdaemon.restart()
sys.exit(0)
except Exception:
logger.warning(linux.get_exception_stacktrace())
sys.exit(1)
def update_group_member(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = UpdateGroupMemberResponse()
ips_mn = ipset.IPSetManager()
ipt = iptables.from_iptables_save()
to_del_ipset_names = []
for uto in cmd.updateGroupTOs:
if uto.actionCode == self.ACTION_CODE_DELETE_GROUP:
to_del_ipset_names.append(
self._make_security_group_ipset_name(
uto.securityGroupUuid))
elif uto.actionCode == self.ACTION_CODE_UPDATE_GROUP_MEMBER:
set_name = self._make_security_group_ipset_name(
uto.securityGroupUuid)
ips_mn.create_set(name=set_name,
match_ips=uto.securityGroupVmIps)
ips_mn.refresh_my_ipsets()
if len(to_del_ipset_names) > 0:
to_del_rules = ipt.list_reference_ipset_rules(to_del_ipset_names)
for rule in to_del_rules:
ipt.remove_rule(str(rule))
ipt.iptable_restore()
ips_mn.clean_ipsets(to_del_ipset_names)
return jsonobject.dumps(rsp)
def sync_eip(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = SyncEipRsp()
def remove_eip_chain(table):
for c in table.children:
if c.name.startswith('eip-'):
c.delete()
ipt = iptables.from_iptables_save()
nat = ipt.get_table(ipt.NAT_TABLE_NAME)
if nat:
remove_eip_chain(nat)
filter_table = ipt.get_table(ipt.FILTER_TABLE_NAME)
if filter_table:
remove_eip_chain(filter_table)
ipt.iptable_restore()
try:
for eip in cmd.eips:
self._create_eip(eip)
except virtualrouter.VirtualRouterError as e:
logger.warning(linux.get_exception_stacktrace())
rsp.error = str(e)
rsp.success = False
return jsonobject.dumps(rsp)
def main():
usage = 'usage: python -c "from kvmagent import kdaemon; kdaemon.main()" start|stop|restart'
if len(sys.argv) != 2 or not sys.argv[1] in ['start', 'stop', 'restart']:
print usage
sys.exit(1)
global pidfile
prepare_pid_dir(pidfile)
try:
iptc = iptables.from_iptables_save()
iptc.add_rule('-A INPUT -p tcp -m tcp --dport 7070 -j ACCEPT')
iptc.add_rule('-A INPUT -p tcp -m tcp --dport 16509 -j ACCEPT')
iptc.iptable_restore()
cmd = sys.argv[1]
py_process_name = 'from kvmagent import kdaemon'
agentdaemon = kvmagent.KvmDaemon(pidfile, py_process_name)
if cmd == 'start':
logger.debug('zstack-kvmagent starts')
agentdaemon.start()
elif cmd == 'stop':
logger.debug('zstack-kvmagent stops')
agentdaemon.stop()
elif cmd == 'restart':
logger.debug('zstack-kvmagent restarts')
agentdaemon.restart()
sys.exit(0)
except Exception:
logger.warning(linux.get_exception_stacktrace())
sys.exit(1)
def main():
usage = 'usage: python -c "from baremetalpxeserver import cdaemon; cdaemon.main()" start|stop|restart'
if len(sys.argv) != 2 or not sys.argv[1] in ['start', 'stop', 'restart']:
print usage
sys.exit(1)
global pidfile
prepare_pid_dir(pidfile)
try:
iptc = iptables.from_iptables_save()
iptc.add_rule('-A INPUT -p tcp -m tcp --dport 7770 -j ACCEPT')
iptc.iptable_restore()
cmd = sys.argv[1]
py_process_name = 'from baremetalpxeserver import cdaemon'
agentdaemon = pxeserveragent.PxeServerDaemon(pidfile, py_process_name)
if cmd == 'start':
logger.debug('zstack-baremetalpxeserver starts')
agentdaemon.start()
elif cmd == 'stop':
logger.debug('zstack-baremetalpxeserver stops')
agentdaemon.stop()
elif cmd == 'restart':
logger.debug('zstack-baremetalpxeserver restarts')
agentdaemon.restart()
sys.exit(0)
except Exception:
logger.warning(linux.get_exception_stacktrace())
sys.exit(1)
def sync_rule(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = SyncPortForwardingRuleRsp()
iptc = iptables.from_iptables_save()
# destroy all port forwarding related chains
def remove_pf_chain(talble):
for c in talble.children:
if c.name.startswith('pf-'):
c.delete()
nat_table = iptc.get_table(iptc.NAT_TABLE_NAME)
if nat_table:
remove_pf_chain(nat_table)
filter_table = iptc.get_table(iptc.FILTER_TABLE_NAME)
if filter_table:
remove_pf_chain(filter_table)
for to in cmd.rules:
self._create_rule(iptc, to)
iptc.iptable_restore()
return jsonobject.dumps(rsp)
def cleanup_unused_rules_on_host(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = CleanupUnusedRulesOnHostResponse()
def match_set_name(name):
return name.startswith(self.ZSTACK_IPSET_NAME_FORMAT[self.IPV4])
def match_set_name_ip6(name):
return name.startswith(self.ZSTACK_IPSET_NAME_FORMAT[self.IPV6])
ipt = iptables.from_iptables_save()
ips_mn = ipset.IPSetManager()
self._cleanup_stale_chains(ipt)
ipt.iptable_restore()
used_ipset = ipt.list_used_ipset_name()
ips_mn.cleanup_other_ipset(match_set_name, used_ipset)
if not cmd.skipIpv6:
ip6t = iptables.from_ip6tables_save()
self._cleanup_stale_chains(ip6t)
ip6t.iptable_restore()
used_ipset6 = ip6t.list_used_ipset_name()
ips_mn.cleanup_other_ipset(match_set_name_ip6, used_ipset6)
self._cleanup_conntrack()
return jsonobject.dumps(rsp)
def main():
usage = 'usage: python -c "from kvmagent import kdaemon; kdaemon.main()" start|stop|restart'
if len(sys.argv) != 2 or not sys.argv[1] in ['start', 'stop', 'restart']:
print usage
sys.exit(1)
global pidfile
prepare_pid_dir(pidfile)
try:
iptc = iptables.from_iptables_save()
iptc.add_rule('-A INPUT -p tcp -m tcp --dport 7070 -j ACCEPT')
# open vnc ports
iptc.add_rule('-A INPUT -p tcp -m tcp --dport 5900:6200 -j ACCEPT')
iptc.iptable_restore()
cmd = sys.argv[1]
agentdaemon = kvmagent.KvmDaemon(pidfile)
if cmd == 'start':
logger.debug('zstack-kvmagent starts')
agentdaemon.start()
elif cmd == 'stop':
logger.debug('zstack-kvmagent stops')
agentdaemon.stop()
elif cmd == 'restart':
logger.debug('zstack-kvmagent restarts')
agentdaemon.restart()
sys.exit(0)
except Exception:
logger.warning(linux.get_exception_stacktrace())
sys.exit(1)
def _apply_rules_using_iprange_match(self, cmd, iptable=None, ipset_mn=None):
if not iptable:
ipt = iptables.from_iptables_save()
else:
ipt = iptable
if not ipset_mn:
ips_mn = ipset.IPSetManager()
else:
ips_mn = ipset_mn
self._create_default_rules(ipt)
for rto in cmd.ruleTOs:
if rto.actionCode == self.ACTION_CODE_DELETE_CHAIN:
self._delete_vnic_chain(ipt, rto.vmNicInternalName)
elif rto.actionCode == self.ACTION_CODE_APPLY_RULE:
self._apply_rules_on_vnic_chain(ipt, ips_mn, rto)
else:
raise Exception('unknown action code: %s' % rto.actionCode)
self._cleanup_conntrack(rto.vmNicIp)
default_accept_rule = "-A %s -j ACCEPT" % self.ZSTACK_DEFAULT_CHAIN
ipt.remove_rule(default_accept_rule)
ipt.add_rule(default_accept_rule)
self._cleanup_stale_chains(ipt)
ips_mn.refresh_my_ipsets()
ipt.iptable_restore()
used_ipset = ipt.list_used_ipset_name()
def match_set_name(name):
return name.startswith(self.ZSTACK_IPSET_NAME_FORMAT)
ips_mn.cleanup_other_ipset(match_set_name, used_ipset)
def main():
usage = 'usage: python -c "from cephbackupstorage import cdaemon; cdaemon.main()" start|stop|restart'
if len(sys.argv) != 2 or not sys.argv[1] in ['start', 'stop', 'restart']:
print usage
sys.exit(1)
global pidfile
prepare_pid_dir(pidfile)
try:
iptc = iptables.from_iptables_save()
iptc.add_rule('-A INPUT -p tcp -m tcp --dport 7761 -j ACCEPT')
iptc.iptable_restore()
cmd = sys.argv[1]
agentdaemon = cephagent.CephDaemon(pidfile)
if cmd == 'start':
logger.debug('zstack-ceph-backupstorage starts')
agentdaemon.start()
elif cmd == 'stop':
logger.debug('zstack-ceph-backupstorage stops')
agentdaemon.stop()
elif cmd == 'restart':
logger.debug('zstack-ceph-backupstorage restarts')
agentdaemon.restart()
sys.exit(0)
except Exception:
logger.warning(linux.get_exception_stacktrace())
sys.exit(1)
def sync_eip(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = SyncEipRsp()
def remove_eip_chain(table):
for c in table.children:
if c.name.startswith('eip-'):
c.delete()
ipt = iptables.from_iptables_save()
nat = ipt.get_table(ipt.NAT_TABLE_NAME)
if nat:
remove_eip_chain(nat)
filter_table = ipt.get_table(ipt.FILTER_TABLE_NAME)
if filter_table:
remove_eip_chain(filter_table)
ipt.iptable_restore()
try:
for eip in cmd.eips:
self._create_eip(eip)
except virtualrouter.VirtualRouterError as e:
logger.warning(linux.get_exception_stacktrace())
rsp.error = str(e)
rsp.success = False
return jsonobject.dumps(rsp)
def _apply_rules_using_iprange_match(self, cmd, iptable=None, ipset_mn=None):
if not iptable:
ipt = iptables.from_iptables_save()
else:
ipt = iptable
if not ipset_mn:
ips_mn = ipset.IPSetManager()
else:
ips_mn = ipset_mn
self._create_default_rules(ipt)
for rto in cmd.ruleTOs:
if rto.actionCode == self.ACTION_CODE_DELETE_CHAIN:
self._delete_vnic_chain(ipt, rto.vmNicInternalName)
elif rto.actionCode == self.ACTION_CODE_APPLY_RULE:
self._apply_rules_on_vnic_chain(ipt, ips_mn, rto)
else:
raise Exception('unknown action code: %s' % rto.actionCode)
default_accept_rule = "-A %s -j ACCEPT" % self.ZSTACK_DEFAULT_CHAIN
ipt.remove_rule(default_accept_rule)
ipt.add_rule(default_accept_rule)
self._cleanup_stale_chains(ipt)
ips_mn.refresh_my_ipsets()
ipt.iptable_restore()
used_ipset = ipt.list_used_ipset_name()
def match_set_name(name):
return name.startswith(self.ZSTACK_IPSET_NAME_FORMAT)
ips_mn.cleanup_other_ipset(match_set_name, used_ipset)
def cleanup_unused_rules_on_host(self, req):
rsp = CleanupUnusedRulesOnHostResponse()
ipt = iptables.from_iptables_save()
self._cleanup_stale_chains(ipt)
ipt.iptable_restore()
return jsonobject.dumps(rsp)
def revoke_rule(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = RevokePortForwardingRuleRsp()
iptc = iptables.from_iptables_save()
for to in cmd.rules:
self._revoke_rule(iptc, to)
iptc.iptable_restore()
return jsonobject.dumps(rsp)
def cleanup_unused_rules_on_host(self, req):
rsp = CleanupUnusedRulesOnHostResponse()
ipt = iptables.from_iptables_save()
self._cleanup_stale_chains(ipt)
ipt.iptable_restore()
return jsonobject.dumps(rsp)
def revoke_rule(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = RevokePortForwardingRuleRsp()
iptc = iptables.from_iptables_save()
for to in cmd.rules:
self._revoke_rule(iptc, to)
iptc.iptable_restore()
return jsonobject.dumps(rsp)
def _refresh_rules_on_host_using_iprange_match(self, cmd):
if cmd.ruleTOs is not None:
ipt = iptables.from_iptables_save()
self._delete_all_chains(ipt)
self._apply_rules_using_iprange_match(cmd, ipt)
if cmd.ipv6RuleTOs is not None:
ip6t = iptables.from_ip6tables_save()
self._delete_all_chains(ip6t)
self._apply_rules_using_iprange_match_ip6(cmd, ip6t)
def _refresh_rules_on_host_using_iprange_match(self, cmd):
if cmd.ruleTOs is not None:
ipt = iptables.from_iptables_save()
self._delete_all_chains(ipt)
self._apply_rules_using_iprange_match(cmd, ipt)
if cmd.ipv6RuleTOs is not None:
ip6t = iptables.from_ip6tables_save()
self._delete_all_chains(ip6t)
self._apply_rules_using_iprange_match_ip6(cmd, ip6t)
def check_default_sg_rules(self, req):
rsp = CheckDefaultSecurityGroupResponse()
ipt = iptables.from_iptables_save()
default_chain = ipt.get_chain(self.ZSTACK_DEFAULT_CHAIN)
if not default_chain:
self._create_default_rules(ipt)
ipt.iptable_restore()
return jsonobject.dumps(rsp)
def update_group_member(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = UpdateGroupMemberResponse()
utos4 = []
utos6 = []
for uto in cmd.updateGroupTOs:
if int(uto.ipVersion) == 4:
utos4.append(uto)
else:
utos6.append(uto)
ips_mn = ipset.IPSetManager()
ipt = iptables.from_iptables_save()
to_del_ipset_names = []
for uto in utos4:
if uto.actionCode == self.ACTION_CODE_DELETE_GROUP:
to_del_ipset_names.append(self._make_security_group_ipset_name(uto.securityGroupUuid))
elif uto.actionCode == self.ACTION_CODE_UPDATE_GROUP_MEMBER:
set_name = self._make_security_group_ipset_name(uto.securityGroupUuid)
ip_version = self.ZSTACK_IPSET_FAMILYS[int(uto.ipVersion)]
ips_mn.create_set(name=set_name, match_ips=uto.securityGroupVmIps, ip_version=ip_version)
ips_mn.refresh_my_ipsets()
if len(to_del_ipset_names) > 0:
to_del_rules = ipt.list_reference_ipset_rules(to_del_ipset_names)
for rule in to_del_rules:
ipt.remove_rule(str(rule))
ipt.iptable_restore()
ips_mn.clean_ipsets(to_del_ipset_names)
ip6s_mn = ipset.IPSetManager()
ip6t = iptables.from_ip6tables_save()
to_del_ipset_names = []
for uto in utos6:
if uto.actionCode == self.ACTION_CODE_DELETE_GROUP:
to_del_ipset_names.append(self._make_security_group_ipset_name(uto.securityGroupUuid))
elif uto.actionCode == self.ACTION_CODE_UPDATE_GROUP_MEMBER:
set_name = self._make_security_group_ipset_name(uto.securityGroupUuid)
ip_version = self.ZSTACK_IPSET_FAMILYS[int(uto.ipVersion)]
ip6s_mn.create_set(name=set_name, match_ips=uto.securityGroupVmIps, ip_version=ip_version)
ip6s_mn.refresh_my_ipsets()
if len(to_del_ipset_names) > 0:
to_del_rules = ip6t.list_reference_ipset_rules(to_del_ipset_names)
for rule in to_del_rules:
ip6t.remove_rule(str(rule))
ip6t.iptable_restore()
ip6s_mn.clean_ipsets(to_del_ipset_names)
self._cleanup_conntrack()
return jsonobject.dumps(rsp)
def refresh_rule(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = RefreshFirewallRsp()
ipt = iptables.from_iptables_save()
# replace bootstrap 22 port rule with a more restricted one that binds to eth0's IP
ipt.remove_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT')
eth0_ip = linux.get_ip_by_nic_name('eth0')
assert eth0_ip, 'cannot find IP of eth0'
ipt.add_rule(
'-A INPUT -d %s/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT' %
eth0_ip)
chain_name = 'appliancevm'
ipt.delete_chain(chain_name)
ipt.add_rule('-A INPUT -j %s' % chain_name)
for to in cmd.rules:
if to.destIp:
nic_name = linux.get_nic_name_by_ip(to.destIp)
else:
nic_name = linux.get_nic_name_from_alias(
linux.get_nic_names_by_mac(to.nicMac))
r = []
if to.protocol == 'all' or to.protocol == 'udp':
r.append('-A %s' % chain_name)
if to.sourceIp:
r.append('-s %s' % to.sourceIp)
if to.destIp:
r.append('-d %s' % to.destIp)
r.append(
'-i %s -p udp -m state --state NEW -m udp --dport %s:%s -j ACCEPT'
% (nic_name, to.startPort, to.endPort))
rule = ' '.join(r)
ipt.add_rule(rule)
r = []
if to.protocol == 'all' or to.protocol == 'tcp':
r.append('-A %s' % chain_name)
if to.sourceIp:
r.append('-s %s' % to.sourceIp)
if to.destIp:
r.append('-d %s' % to.destIp)
r.append(
'-i %s -p tcp -m state --state NEW -m tcp --dport %s:%s -j ACCEPT'
% (nic_name, to.startPort, to.endPort))
rule = ' '.join(r)
ipt.add_rule(rule)
ipt.iptable_restore()
logger.debug('refreshed rules for appliance vm')
return jsonobject.dumps(rsp)
def _kill_lb(self, to):
pid_file_path = self._make_pid_file_path(to.lbUuid, to.listenerUuid)
pid = linux.find_process_by_cmdline([pid_file_path])
if pid:
shell.call('kill %s' % pid)
shell.call('rm -f %s' % pid_file_path)
shell.call('rm -f %s' % self._make_conf_file_path(to.lbUuid, to.listenerUuid))
ipt = iptables.from_iptables_save()
ipt.delete_chain(self._make_chain_name(to))
ipt.iptable_restore()
def _kill_lb(self, to):
pid_file_path = self._make_pid_file_path(to.lbUuid, to.listenerUuid)
pid = linux.find_process_by_cmdline([pid_file_path])
if pid:
shell.call('kill %s' % pid)
linux.rm_file_force(pid_file_path)
linux.rm_file_force(self._make_conf_file_path(to.lbUuid, to.listenerUuid))
ipt = iptables.from_iptables_save()
ipt.delete_chain(self._make_chain_name(to))
ipt.iptable_restore()
def set_default_iptable_rules(self):
shell.call('iptables --policy INPUT DROP')
shell.call('iptables --policy FORWARD DROP')
# NOTE: 22 port of eth0 is opened in /etc/sysconfig/iptables by default
ipt = iptables.from_iptables_save()
ipt.add_rule('-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT')
ipt.add_rule('-A INPUT -i lo -j ACCEPT')
ipt.add_rule('-A INPUT -p icmp -j ACCEPT')
ipt.add_rule('-A INPUT -j REJECT --reject-with icmp-host-prohibited')
ipt.add_rule('-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT')
ipt.add_rule('-A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill', iptables.IPTables.MANGLE_TABLE_NAME)
ipt.iptable_restore()
def set_default_iptable_rules(self):
shell.call('iptables --policy INPUT DROP')
shell.call('iptables --policy FORWARD DROP')
# NOTE: 22 port of eth0 is opened in /etc/sysconfig/iptables by default
ipt = iptables.from_iptables_save()
ipt.add_rule('-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT')
ipt.add_rule('-A INPUT -i lo -j ACCEPT')
ipt.add_rule('-A INPUT -p icmp -j ACCEPT')
ipt.add_rule('-A INPUT -j REJECT --reject-with icmp-host-prohibited')
ipt.add_rule('-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT')
ipt.add_rule('-A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill', iptables.IPTables.MANGLE_TABLE_NAME)
ipt.iptable_restore()
def _default_iptable_rules(self, nicname):
in_chain_name = "%s-in" % nicname
ipt = iptables.from_iptables_save()
ipt.delete_chain(in_chain_name)
ipt.add_rule('-A INPUT -i %s -j %s' % (nicname, in_chain_name))
ipt.add_rule('-A %s -m state --state RELATED,ESTABLISHED -j ACCEPT' % in_chain_name)
ipt.add_rule('-A %s -p udp -m udp --sport 68 --dport 67 -j ACCEPT' % in_chain_name)
ipt.add_rule('-A %s -p udp -m udp --sport 67 --dport 68 -j ACCEPT' % in_chain_name)
ipt.add_rule('-A %s -p udp -m udp --dport 53 -j ACCEPT' % in_chain_name)
ipt.add_rule('-A %s -p icmp -m icmp -j ACCEPT' % in_chain_name)
ipt.add_rule('-A %s -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT' % in_chain_name)
ipt.add_rule('-A %s -j REJECT --reject-with icmp-host-prohibited' % in_chain_name)
ipt.iptable_restore()
def _default_iptable_rules(self, nicname):
in_chain_name = "%s-in" % nicname
ipt = iptables.from_iptables_save()
ipt.delete_chain(in_chain_name)
ipt.add_rule('-A INPUT -i %s -j %s' % (nicname, in_chain_name))
ipt.add_rule('-A %s -m state --state RELATED,ESTABLISHED -j ACCEPT' % in_chain_name)
ipt.add_rule('-A %s -p udp -m udp --sport 68 --dport 67 -j ACCEPT' % in_chain_name)
ipt.add_rule('-A %s -p udp -m udp --sport 67 --dport 68 -j ACCEPT' % in_chain_name)
ipt.add_rule('-A %s -p udp -m udp --dport 53 -j ACCEPT' % in_chain_name)
ipt.add_rule('-A %s -p icmp -m icmp -j ACCEPT' % in_chain_name)
ipt.add_rule('-A %s -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT' % in_chain_name)
ipt.add_rule('-A %s -j REJECT --reject-with icmp-host-prohibited' % in_chain_name)
ipt.iptable_restore()
def remove_snat(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = RemoveSNATRsp()
try:
iptc = iptables.from_iptables_save()
for info in cmd.natInfo:
self._remove_snat(info, iptc)
iptc.iptable_restore()
except virtualrouter.VirtualRouterError as e:
logger.warn(linux.get_exception_stacktrace())
err = 'unable to remove snat, %s' % str(e)
rsp.error = err
rsp.success = False
return jsonobject.dumps(rsp)
def set_snat(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = SetSNATRsp()
try:
iptc = iptables.from_iptables_save()
self._create_snat(cmd.snat, iptc)
iptc.iptable_restore()
except virtualrouter.VirtualRouterError as e:
logger.warn(linux.get_exception_stacktrace())
err = "unable to create snat, %s" % str(e)
rsp.error = err
rsp.success = False
return jsonobject.dumps(rsp)
def cleanup_unused_rules_on_host(self, req):
rsp = CleanupUnusedRulesOnHostResponse()
ipt = iptables.from_iptables_save()
ips_mn = ipset.IPSetManager()
self._cleanup_stale_chains(ipt)
ipt.iptable_restore()
used_ipset = ipt.list_used_ipset_name()
def match_set_name(name):
return name.startswith(self.ZSTACK_IPSET_NAME_FORMAT)
ips_mn.cleanup_other_ipset(match_set_name, used_ipset)
return jsonobject.dumps(rsp)
def refresh_rule(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = RefreshFirewallRsp()
ipt = iptables.from_iptables_save()
# replace bootstrap 22 port rule with a more restricted one that binds to eth0's IP
ipt.remove_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT')
eth0_ip = linux.get_ip_by_nic_name('eth0')
assert eth0_ip, 'cannot find IP of eth0'
ipt.add_rule('-A INPUT -d %s/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT' % eth0_ip)
chain_name = 'appliancevm'
ipt.delete_chain(chain_name)
ipt.add_rule('-A INPUT -j %s' % chain_name)
for to in cmd.rules:
if to.destIp:
nic_name = linux.get_nic_name_by_ip(to.destIp)
else:
nic_name = linux.get_nic_name_from_alias(linux.get_nic_names_by_mac(to.nicMac))
r =[]
if to.protocol == 'all' or to.protocol == 'udp':
r.append('-A %s' % chain_name)
if to.sourceIp:
r.append('-s %s' % to.sourceIp)
if to.destIp:
r.append('-d %s' % to.destIp)
r.append('-i %s -p udp -m state --state NEW -m udp --dport %s:%s -j ACCEPT' % (nic_name, to.startPort, to.endPort))
rule = ' '.join(r)
ipt.add_rule(rule)
r = []
if to.protocol == 'all' or to.protocol == 'tcp':
r.append('-A %s' % chain_name)
if to.sourceIp:
r.append('-s %s' % to.sourceIp)
if to.destIp:
r.append('-d %s' % to.destIp)
r.append('-i %s -p tcp -m state --state NEW -m tcp --dport %s:%s -j ACCEPT' % (nic_name, to.startPort, to.endPort))
rule = ' '.join(r)
ipt.add_rule(rule)
ipt.iptable_restore()
logger.debug('refreshed rules for appliance vm')
return jsonobject.dumps(rsp)
def apply_rules(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = ApplySecurityGroupRuleResponse()
try:
if cmd.ruleTOs is not None:
ipt = iptables.from_iptables_save()
self._apply_rules_using_iprange_match(cmd, ipt)
if cmd.ipv6RuleTOs is not None:
ip6t = iptables.from_ip6tables_save()
self._apply_rules_using_iprange_match_ip6(cmd, ip6t)
except iptables.IPTablesError as e:
err_log = linux.get_exception_stacktrace()
logger.warn(err_log)
rsp.error = str(e)
rsp.success = False
return jsonobject.dumps(rsp)
def apply_rules(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = ApplySecurityGroupRuleResponse()
try:
if cmd.ruleTOs is not None:
ipt = iptables.from_iptables_save()
self._apply_rules_using_iprange_match(cmd, ipt)
if cmd.ipv6RuleTOs is not None:
ip6t = iptables.from_ip6tables_save()
self._apply_rules_using_iprange_match_ip6(cmd, ip6t)
except iptables.IPTablesError as e:
err_log = linux.get_exception_stacktrace()
logger.warn(err_log)
rsp.error = str(e)
rsp.success = False
return jsonobject.dumps(rsp)
def check_default_sg_rules(self, req):
rsp = CheckDefaultSecurityGroupResponse()
ipt = iptables.from_iptables_save()
default_chain = ipt.get_chain(self.ZSTACK_DEFAULT_CHAIN)
if not default_chain:
self._create_default_rules(ipt)
ipt.iptable_restore()
ip6t = iptables.from_ip6tables_save()
default_chain6 = ip6t.get_chain(self.ZSTACK_DEFAULT_CHAIN)
if not default_chain6:
self._create_default_rules_ip6(ip6t)
ip6t.iptable_restore()
if not default_chain or not default_chain6:
self._cleanup_conntrack()
return jsonobject.dumps(rsp)
def _create_eip(self, eip):
ipt = iptables.from_iptables_save()
private_nic_name = linux.get_nic_name_by_mac(eip.privateMac)
vip_nic_name = linux.get_nic_name_by_ip(eip.vipIp)
guest_ip = eip.guestIp
vip = eip.vipIp
dnat_name = self._make_dnat_name(vip_nic_name, private_nic_name)
snat_name = self._make_snat_name(vip_nic_name, private_nic_name)
fwd_name = self._make_fwd_name(vip_nic_name, private_nic_name)
#def check_eip(table):
#if not table:
#return
#for chain in table.children:
#vip_nic = self._get_vip_nic_name_from_chain_name(chain.name)
#if vip_nic == vip_nic_name:
#raise virtualrouter.VirtualRouterError('eip[%s] has been occupied, this is an internal error' % vip)
#check_eip(ipt.get_table(ipt.NAT_TABLE_NAME))
#check_eip(ipt.get_table(ipt.FILTER_TABLE_NAME))
order = 999
ipt.add_rule('-A PREROUTING -d {0} -j {1}'.format(vip, dnat_name), ipt.NAT_TABLE_NAME, order=order)
ipt.add_rule('-A {0} -j DNAT --to-destination {1}'.format(dnat_name, guest_ip), ipt.NAT_TABLE_NAME, order=order)
ipt.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(vip_nic_name, private_nic_name, fwd_name), order=order)
ipt.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(private_nic_name, vip_nic_name, fwd_name), order=order)
ipt.add_rule('-A {0} -j ACCEPT'.format(fwd_name), order=order)
ipt.add_rule('-A POSTROUTING -s {0} -j {1}'.format(guest_ip, snat_name), ipt.NAT_TABLE_NAME, order=order)
ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(snat_name, vip), ipt.NAT_TABLE_NAME, order=order)
if eip.snatInboundTraffic:
gw_snat_name = self._make_gateway_snat_name(vip_nic_name, private_nic_name)
guest_gw_ip = linux.get_ip_by_nic_name(private_nic_name)
ipt.add_rule('-A POSTROUTING -d {0} -j {1}'.format(guest_ip, gw_snat_name), ipt.NAT_TABLE_NAME, order=order)
ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(gw_snat_name, guest_gw_ip), ipt.NAT_TABLE_NAME, order=order)
ipt.iptable_restore()
logger.debug('successfully created eip[{0}] to guest ip[{1}] from device[{2}] to device[{3}]'.format(vip, guest_ip, vip_nic_name, private_nic_name))
def _create_eip(self, eip):
ipt = iptables.from_iptables_save()
private_nic_name = linux.get_nic_name_by_mac(eip.privateMac)
vip_nic_name = linux.get_nic_name_by_ip(eip.vipIp)
guest_ip = eip.guestIp
vip = eip.vipIp
dnat_name = self._make_dnat_name(vip_nic_name, private_nic_name)
snat_name = self._make_snat_name(vip_nic_name, private_nic_name)
fwd_name = self._make_fwd_name(vip_nic_name, private_nic_name)
def check_eip(table):
if not table:
return
for chain in table.children:
vip_nic = self._get_vip_nic_name_from_chain_name(chain.name)
if vip_nic == vip_nic_name:
raise virtualrouter.VirtualRouterError('eip[%s] has been occupied, this is an internal error' % vip)
check_eip(ipt.get_table(ipt.NAT_TABLE_NAME))
check_eip(ipt.get_table(ipt.FILTER_TABLE_NAME))
order = 999
ipt.add_rule('-A PREROUTING -d {0} -j {1}'.format(vip, dnat_name), ipt.NAT_TABLE_NAME, order=order)
ipt.add_rule('-A {0} -j DNAT --to-destination {1}'.format(dnat_name, guest_ip), ipt.NAT_TABLE_NAME, order=order)
ipt.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(vip_nic_name, private_nic_name, fwd_name), order=order)
ipt.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(private_nic_name, vip_nic_name, fwd_name), order=order)
ipt.add_rule('-A {0} -j ACCEPT'.format(fwd_name), order=order)
ipt.add_rule('-A POSTROUTING -s {0} -j {1}'.format(guest_ip, snat_name), ipt.NAT_TABLE_NAME, order=order)
ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(snat_name, vip), ipt.NAT_TABLE_NAME, order=order)
if eip.snatInboundTraffic:
gw_snat_name = self._make_gateway_snat_name(vip_nic_name, private_nic_name)
guest_gw_ip = linux.get_ip_by_nic_name(private_nic_name)
ipt.add_rule('-A POSTROUTING -d {0} -j {1}'.format(guest_ip, gw_snat_name), ipt.NAT_TABLE_NAME, order=order)
ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(gw_snat_name, guest_gw_ip), ipt.NAT_TABLE_NAME, order=order)
ipt.iptable_restore()
logger.debug('successfully created eip[{0}] to guest ip[{1}] from device[{2}] to device[{3}]'.format(vip, guest_ip, vip_nic_name, private_nic_name))
def _apply_rules_using_iprange_match(self, cmd, iptable=None):
if not iptable:
ipt = iptables.from_iptables_save()
else:
ipt = iptable
self._create_default_rules(ipt)
for rto in cmd.ruleTOs:
if rto.actionCode == self.ACTION_CODE_DELETE_CHAIN:
self._delete_vnic_chain(ipt, rto.vmNicInternalName)
elif rto.actionCode == self.ACTION_CODE_APPLY_RULE:
self._apply_rules_on_vnic_chain(ipt, rto)
else:
raise Exception('unknown action code: %s' % rto.actionCode)
default_accept_rule = "-A %s -j ACCEPT" % self.ZSTACK_DEFAULT_CHAIN
ipt.remove_rule(default_accept_rule)
ipt.add_rule(default_accept_rule)
self._cleanup_stale_chains(ipt)
ipt.iptable_restore()
def _remove_eip(self, eip):
ipt = iptables.from_iptables_save()
private_nic_name = linux.get_nic_name_by_mac(eip.privateMac)
assert private_nic_name, "cannot find private nic by MAC[%s]" % eip.privateMac
vip_nic_name = linux.get_nic_name_by_ip(eip.vipIp)
assert vip_nic_name, "cannot find vip nic by IP[%s]" % eip.vipIp
guest_ip = eip.guestIp
vip = eip.vipIp
dnat_name = self._make_dnat_name(vip_nic_name, private_nic_name)
snat_name = self._make_snat_name(vip_nic_name, private_nic_name)
fwd_name = self._make_fwd_name(vip_nic_name, private_nic_name)
gw_snat_name = self._make_gateway_snat_name(vip_nic_name, private_nic_name)
ipt.delete_chain(dnat_name, ipt.NAT_TABLE_NAME)
ipt.delete_chain(snat_name, ipt.NAT_TABLE_NAME)
ipt.delete_chain(gw_snat_name, ipt.NAT_TABLE_NAME)
ipt.delete_chain(fwd_name)
ipt.iptable_restore()
logger.debug('successfully deleted eip[{0}] to guest ip[{1}] from device[{2}] to device[{3}]'.format(vip, guest_ip, vip_nic_name, private_nic_name))
def _remove_eip(self, eip):
ipt = iptables.from_iptables_save()
private_nic_name = linux.get_nic_name_by_mac(eip.privateMac)
assert private_nic_name, "cannot find private nic by MAC[%s]" % eip.privateMac
vip_nic_name = linux.get_nic_name_by_ip(eip.vipIp)
assert vip_nic_name, "cannot find vip nic by IP[%s]" % eip.vipIp
guest_ip = eip.guestIp
vip = eip.vipIp
dnat_name = self._make_dnat_name(vip_nic_name, private_nic_name)
snat_name = self._make_snat_name(vip_nic_name, private_nic_name)
fwd_name = self._make_fwd_name(vip_nic_name, private_nic_name)
gw_snat_name = self._make_gateway_snat_name(vip_nic_name, private_nic_name)
ipt.delete_chain(dnat_name, ipt.NAT_TABLE_NAME)
ipt.delete_chain(snat_name, ipt.NAT_TABLE_NAME)
ipt.delete_chain(gw_snat_name, ipt.NAT_TABLE_NAME)
ipt.delete_chain(fwd_name)
ipt.iptable_restore()
logger.debug('successfully deleted eip[{0}] to guest ip[{1}] from device[{2}] to device[{3}]'.format(vip, guest_ip, vip_nic_name, private_nic_name))
def check_default_sg_rules(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = CheckDefaultSecurityGroupResponse()
ipt = iptables.from_iptables_save()
default_chain = ipt.get_chain(self.ZSTACK_DEFAULT_CHAIN)
if not default_chain:
self._create_default_rules(ipt)
ipt.iptable_restore()
if not cmd.skipIpv6:
ip6t = iptables.from_ip6tables_save()
default_chain6 = ip6t.get_chain(self.ZSTACK_DEFAULT_CHAIN)
if not default_chain6:
self._create_default_rules_ip6(ip6t)
ip6t.iptable_restore()
if not default_chain or not default_chain6:
self._cleanup_conntrack()
return jsonobject.dumps(rsp)
def _apply_rules_using_iprange_match(self, cmd, iptable=None):
if not iptable:
ipt = iptables.from_iptables_save()
else:
ipt = iptable
self._create_default_rules(ipt)
for rto in cmd.ruleTOs:
if rto.actionCode == self.ACTION_CODE_DELETE_CHAIN:
self._delete_vnic_chain(ipt, rto.vmNicInternalName)
elif rto.actionCode == self.ACTION_CODE_APPLY_RULE:
self._apply_rules_on_vnic_chain(ipt, rto)
else:
raise Exception('unknown action code: %s' % rto.actionCode)
default_accept_rule = "-A %s -j ACCEPT" % self.ZSTACK_DEFAULT_CHAIN
ipt.remove_rule(default_accept_rule)
ipt.add_rule(default_accept_rule)
self._cleanup_stale_chains(ipt)
ipt.iptable_restore()
def cleanup_unused_rules_on_host(self, req):
rsp = CleanupUnusedRulesOnHostResponse()
ipt = iptables.from_iptables_save()
ips_mn = ipset.IPSetManager()
self._cleanup_stale_chains(ipt)
ipt.iptable_restore()
used_ipset = ipt.list_used_ipset_name()
ip6t = iptables.from_ip6tables_save()
self._cleanup_stale_chains(ip6t)
ip6t.iptable_restore()
used_ipset6 = ip6t.list_used_ipset_name()
for uset in used_ipset6:
used_ipset.appaned(uset)
def match_set_name(name):
return name.startswith(self.ZSTACK_IPSET_NAME_FORMAT)
ips_mn.cleanup_other_ipset(match_set_name, used_ipset)
self._cleanup_conntrack()
return jsonobject.dumps(rsp)
def sync_rule(self, req):
cmd = jsonobject.loads(req[http.REQUEST_BODY])
rsp = SyncPortForwardingRuleRsp()
iptc = iptables.from_iptables_save()
# destroy all port forwarding related chains
def remove_pf_chain(talble):
for c in talble.children:
if c.name.startswith('pf-'):
c.delete()
nat_table = iptc.get_table(iptc.NAT_TABLE_NAME)
if nat_table:
remove_pf_chain(nat_table)
filter_table = iptc.get_table(iptc.FILTER_TABLE_NAME)
if filter_table:
remove_pf_chain(filter_table)
for to in cmd.rules:
self._create_rule(iptc, to)
iptc.iptable_restore()
return jsonobject.dumps(rsp)
def _refresh(self, to):
conf = '''global
maxconn {{maxConnection}}
log 127.0.0.1 local1
user haproxy
group haproxy
daemon
listen {{listenerUuid}}
mode {{mode}}
timeout client {{connectionIdleTimeout}}s
timeout server {{connectionIdleTimeout}}s
timeout connect 60s
balance {{balancerAlgorithm}}
bind {{vip}}:{{loadBalancerPort}}
{% for ip in nicIps %}
server nic-{{ip}} {{ip}}:{{loadBalancerPort}} check port {{checkPort}} inter {{healthCheckInterval}}s rise {{healthyThreshold}} fall {{unhealthyThreshold}}
{% endfor %}
'''
pid_file = self._make_pid_file_path(to.lbUuid, to.listenerUuid)
if not os.path.exists(pid_file):
shell.call('touch %s' % pid_file)
@rollbackable
def _0():
shell.call('rm -f %s' % pid_file)
_0()
conf_file = self._make_conf_file_path(to.lbUuid, to.listenerUuid)
md5sum = ''
# if the first time to create lb, no config file will be found
if os.path.exists(conf_file):
md5sum = shell.call('md5sum %s' % conf_file)
context = {}
context.update(to.__dict__)
for p in to.parameters:
k, v = p.split('::')
if k == 'healthCheckTarget':
check_method, check_port = v.split(':')
if check_port == 'default':
context['checkPort'] = to.instancePort
else:
context['checkPort'] = check_port
context[k] = v
conf_tmpt = Template(conf)
conf = conf_tmpt.render(context)
with open(conf_file, 'w') as fd:
fd.write(conf)
if md5sum == shell.call('md5sum %s' % conf_file):
return
shell.call("iptables -I INPUT -d %s -p tcp --dport %s --syn -j DROP && sleep 0.5" % (to.vip, to.loadBalancerPort))
@rollbackable
def _1():
shell.call("iptables -D INPUT -d %s -p tcp --dport %s --syn -j DROP" % (to.vip, to.loadBalancerPort))
_1()
shell.call('haproxy -D -f %s -p %s -sf $(cat %s)' % (conf_file, pid_file, pid_file))
shell.call("iptables -D INPUT -d %s -p tcp --dport %s --syn -j DROP" % (to.vip, to.loadBalancerPort))
ipt = iptables.from_iptables_save()
chain_name = self._make_chain_name(to)
ipt.add_rule('-A INPUT -d %s/32 -j %s' % (to.vip, chain_name))
ipt.add_rule('-A %s -p tcp -m tcp --dport %s -j ACCEPT' % (chain_name, to.loadBalancerPort))
ipt.iptable_restore()
def _refresh_rules_on_host_using_iprange_match(self, cmd):
ipt = iptables.from_iptables_save()
self._delete_all_chains(ipt)
self._apply_rules_using_iprange_match(cmd, ipt)
def _refresh(self, to):
conf = '''global
maxconn {{maxConnection}}
log 127.0.0.1 local1
user haproxy
group haproxy
daemon
listen {{listenerUuid}}
mode {{mode}}
timeout client {{connectionIdleTimeout}}s
timeout server {{connectionIdleTimeout}}s
timeout connect 60s
balance {{balancerAlgorithm}}
bind {{vip}}:{{loadBalancerPort}}
{% for ip in nicIps %}
server nic-{{ip}} {{ip}}:{{loadBalancerPort}} check port {{checkPort}} inter {{healthCheckInterval}}s rise {{healthyThreshold}} fall {{unhealthyThreshold}}
{% endfor %}
'''
pid_file = self._make_pid_file_path(to.lbUuid, to.listenerUuid)
if not os.path.exists(pid_file):
linux.touch_file(pid_file)
@rollbackable
def _0():
linux.rm_file_force(pid_file)
_0()
conf_file = self._make_conf_file_path(to.lbUuid, to.listenerUuid)
md5sum = ''
# if the first time to create lb, no config file will be found
if os.path.exists(conf_file):
md5sum = shell.call('md5sum %s' % conf_file)
context = {}
context.update(to.__dict__)
for p in to.parameters:
k, v = p.split('::')
if k == 'healthCheckTarget':
check_method, check_port = v.split(':')
if check_port == 'default':
context['checkPort'] = to.instancePort
else:
context['checkPort'] = check_port
context[k] = v
conf_tmpt = Template(conf)
conf = conf_tmpt.render(context)
with open(conf_file, 'w') as fd:
fd.write(conf)
if md5sum == shell.call('md5sum %s' % conf_file):
return
shell.call("iptables -I INPUT -d %s -p tcp --dport %s --syn -j DROP && sleep 0.5" % (to.vip, to.loadBalancerPort))
@rollbackable
def _1():
shell.call("iptables -D INPUT -d %s -p tcp --dport %s --syn -j DROP" % (to.vip, to.loadBalancerPort))
_1()
shell.call('haproxy -D -f %s -p %s -sf $(cat %s)' % (conf_file, pid_file, pid_file))
shell.call("iptables -D INPUT -d %s -p tcp --dport %s --syn -j DROP" % (to.vip, to.loadBalancerPort))
ipt = iptables.from_iptables_save()
chain_name = self._make_chain_name(to)
ipt.add_rule('-A INPUT -d %s/32 -j %s' % (to.vip, chain_name))
ipt.add_rule('-A %s -p tcp -m tcp --dport %s -j ACCEPT' % (chain_name, to.loadBalancerPort))
ipt.iptable_restore()
def _refresh_rules_on_host_using_iprange_match(self, cmd):
ipt = iptables.from_iptables_save()
self._delete_all_chains(ipt)
self._apply_rules_using_iprange_match(cmd, ipt)