def _update_chains(self):
    """
    Updates the chains in the dataplane.

    Builds the inbound and outbound chain contents from this profile's
    rules (self._profile, treated as empty when it is None), programs
    both chains synchronously through self._iptables_updater and then
    sends the ready notification the first time that succeeds.  Because
    the rewrite is synchronous, an exception from rewrite_chains
    propagates before self.notified_ready is set, so a failed programming
    attempt never reports the profile as ready.
    """
    _log.info("%s Programming iptables with our chains.", self)
    profile = self._profile or {}
    chain_updates = {}
    for direction in ("inbound", "outbound"):
        _log.debug("Updating %s chain for profile %s", direction, self.id)
        _log.debug("Profile %s: %s", self.id, self._profile)
        rules = profile.get("%s_rules" % direction, [])
        chain = self.chain_names[direction]
        # Map each tag referenced by the rules onto the name of the ipset
        # that currently backs it.
        tag_to_ipset = dict(
            (tag, ipset.name) for tag, ipset in self.ipset_refs.iteritems()
        )
        # Allowed traffic is given a RETURN target rather than a terminal
        # ACCEPT; presumably the calling chain makes the final verdict.
        chain_updates[chain] = rules_to_chain_rewrite_lines(
            chain, rules, self.ip_version, tag_to_ipset, on_allow="RETURN")
    _log.debug("Queueing programming for rules %s: %s", self.id, chain_updates)
    # Synchronous (async=False) so that a programming failure surfaces here.
    self._iptables_updater.rewrite_chains(chain_updates, {}, async=False)
    # TODO Isolate exceptions from programming the chains to this profile.
    # Radical thought - could we just say that the profile should be OK,
    # and therefore we don't care? In other words, do we need to handle the
    # error cleverly, or could we just say that since we built the rules
    # they really should always work.
    if not self.notified_ready:
        self._notify_ready()
        self.notified_ready = True
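def _update_chains(self):
    """
    Updates the chains in the dataplane.

    Blocks until the update is complete.

    On entry, self._pending_profile must not be None.

    :raises AssertionError: if self._pending_profile is None.
    :raises FailedSystemCall: if the update fails.
    """
    _log.info("%s Programming iptables with our chains.", self)
    # Explicit raise rather than an `assert` statement: the precondition
    # check must survive `python -O`, where asserts are stripped and the
    # failure would instead surface as an AttributeError on .get() below.
    if self._pending_profile is None:
        raise AssertionError("_update_chains called with no _pending_profile")
    # The tag -> ipset-name mapping is the same for both directions, so
    # build it once rather than once per direction.
    tag_to_ip_set_name = {}
    for tag, ipset in self._ipset_refs.iteritems():
        tag_to_ip_set_name[tag] = ipset.ipset_name
    updates = {}
    for direction in ("inbound", "outbound"):
        chain_name = self.chain_names[direction]
        _log.info("Updating %s chain %r for profile %s",
                  direction, chain_name, self.id)
        _log.debug("Profile %s: %s", self.id, self._profile)
        rules_key = "%s_rules" % direction
        new_rules = self._pending_profile.get(rules_key, [])
        # Allowed traffic gets a RETURN target rather than a terminal
        # ACCEPT; comment_tag lets the generated rules be traced back to
        # this profile.
        updates[chain_name] = rules_to_chain_rewrite_lines(
            chain_name, new_rules, self.ip_version, tag_to_ip_set_name,
            on_allow="RETURN", comment_tag=self.id)
    _log.debug("Queueing programming for rules %s: %s", self.id, updates)
    # Synchronous (async=False) so that a programming failure propagates
    # to the caller instead of being reported later.
    self._iptables_updater.rewrite_chains(updates, {}, async=False)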
def _update_chains(self):
    """
    Updates the chains in the dataplane.

    Renders the inbound and outbound rules of self._pending_profile
    (treated as empty when it is None) into chain contents and programs
    both chains synchronously through self._iptables_updater; any
    exception from rewrite_chains propagates to the caller.
    """
    _log.info("%s Programming iptables with our chains.", self)
    pending = self._pending_profile or {}
    chain_updates = {}
    for direction in ("inbound", "outbound"):
        chain = self.chain_names[direction]
        _log.info("Updating %s chain %r for profile %s",
                  direction, chain, self.id)
        _log.debug("Profile %s: %s", self.id, self._profile)
        rules = pending.get("%s_rules" % direction, [])
        # Map each tag referenced by the rules onto the name of the ipset
        # that currently backs it.
        tag_to_ipset = dict(
            (tag, ipset.name) for tag, ipset in self._ipset_refs.iteritems()
        )
        # Allowed traffic is given a RETURN target rather than a terminal
        # ACCEPT; comment_tag ties the generated rules back to this profile.
        chain_updates[chain] = rules_to_chain_rewrite_lines(
            chain, rules, self.ip_version, tag_to_ipset,
            on_allow="RETURN", comment_tag=self.id)
    _log.debug("Queueing programming for rules %s: %s", self.id, chain_updates)
    # Synchronous (async=False) so that a programming failure surfaces here.
    self._iptables_updater.rewrite_chains(chain_updates, {}, async=False)
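def _update_chains(self):
    """
    Updates the chains in the dataplane.

    Builds the inbound and outbound chain contents from this profile's
    rules (self._profile, treated as empty when it is None), programs
    both chains synchronously through self._iptables_updater and then
    sends the ready notification the first time that succeeds.  An
    exception from rewrite_chains propagates before self.notified_ready
    is set, so a failed programming attempt never reports the profile as
    ready.
    """
    # Fixed: the message had two "%s" placeholders and no arguments, so
    # the placeholders were logged literally and the profile was never
    # identified in the log line.
    _log.info("%s Programming iptables with our chains.", self)
    updates = {}
    for direction in ("inbound", "outbound"):
        _log.debug("Updating %s chain for profile %s", direction, self.id)
        new_profile = self._profile or {}
        _log.debug("Profile %s: %s", self.id, self._profile)
        rules_key = "%s_rules" % direction
        new_rules = new_profile.get(rules_key, [])
        chain_name = self.chain_names[direction]
        # Map each tag referenced by the rules onto the name of the ipset
        # that currently backs it.
        tag_to_ip_set_name = {}
        for tag, ipset in self.ipset_refs.iteritems():
            tag_to_ip_set_name[tag] = ipset.name
        # Allowed traffic is given a RETURN target rather than a terminal
        # ACCEPT; presumably the calling chain makes the final verdict.
        updates[chain_name] = rules_to_chain_rewrite_lines(
            chain_name, new_rules, self.ip_version, tag_to_ip_set_name,
            on_allow="RETURN")
    _log.debug("Queueing programming for rules %s: %s", self.id, updates)
    # Synchronous (async=False) so that a programming failure surfaces here.
    self._iptables_updater.rewrite_chains(updates, {}, async=False)
    # TODO Isolate exceptions from programming the chains to this profile.
    # PLW: Radical thought - could we just say that the profile should be
    # OK, and therefore we don't care? In other words, do we need to handle
    # the error cleverly in the short term, or could we just say that since
    # we built the rules they really should always work.
    if not self.notified_ready:
        self._notify_ready()
        self.notified_ready = True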
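def test_rules_generation(self):
    """
    Checks rules_to_chain_rewrite_lines against the RULES_TESTS table.

    Each entry is a (rules, ip_version, expected_output) triple; the
    rules are rendered for chain "chain-foo" with IP_SET_MAPPING as the
    tag-to-ipset mapping and RETURN as the allow target, and the
    resulting lines must equal expected_output exactly.
    """
    for index, (rules, ip_version, expected_output) in enumerate(RULES_TESTS):
        fragments = rules_to_chain_rewrite_lines(
            "chain-foo",
            rules,
            ip_version,
            IP_SET_MAPPING,
            on_allow="RETURN",
        )
        # Name the failing table entry; a bare assertEqual only shows the
        # two lists, which makes a failure hard to trace back to its case.
        self.assertEqual(
            fragments, expected_output,
            "RULES_TESTS[%d] (IPv%s) rules %r produced %r, expected %r" %
            (index, ip_version, rules, fragments, expected_output))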