def create_vrf_default_rules(vrf_name, vrf_id, rule_id_list=None): for af in [socket.AF_INET, socket.AF_INET6]: any_ip_str = '0.0.0.0' if af == socket.AF_INET else '::' intf_list = ['lo'] if vrf_name == 'default': intf_list.append('vdef-nsid%s' % str(vrf_id)) else: intf_list.append('veth-nsid%s' % str(vrf_id)) for intf in intf_list: rule_id = process_vrf_svcs_rule_add( VrfIncomingSvcsRule.RULE_TYPE_ACL, vrf_name, VrfIncomingSvcsRule.RULE_ACTION_ALLOW, af, src_ip=socket.inet_pton(af, any_ip_str), prefix_len=0, high_prio=True, in_intf=intf) if rule_id is None: log_err( 'Failed to create default ACL rules: VRF %s af %d intf %s' % (vrf_name, af, intf)) return False if rule_id_list is not None: log_info('Deault rule created: VRF %s af %d intf %s ID %d' % (vrf_name, af, intf, rule_id)) rule_id_list.append(rule_id) return True
def get_vrf_intf_cb_int(methods, params): obj = cps_object.CPSObject(obj=params['filter']) resp = params['list'] src_vrf_name = None dst_vrf_name = None try: src_vrf_name = obj.get_attr_data( 'vrf-mgmt/get-vrf-internal-binding/input/ni-name') dst_vrf_name = obj.get_attr_data( 'vrf-mgmt/get-vrf-internal-binding/input/dst-ni-name') except ValueError as e: log_msg = 'Missing mandatory attribute ' + e.args[0] log_err(log_msg) return False ret_val, veth_intf = get_vrf_intf_to_dst_vrf(src_vrf_name, dst_vrf_name) if ret_val == False: return False cps_obj = cps_object.CPSObject( module='vrf-mgmt/get-vrf-internal-binding', qual='target', data={'vrf-mgmt/get-vrf-internal-binding/output/ifname': veth_intf}) resp.append(cps_obj.get()) return True
def get_incoming_ip_svcs_int(methods, params): log_info('Callback for incoming IP service reading') obj_attr_map = { 'ni-name': 'vrf_name', 'af': 'af', 'src-ip': 'src_ip', 'src-prefix-len': 'prefix_len', 'protocol': 'protocol', 'dst-port': 'dst_port', 'action': 'action', 'seq-num': 'seq_num', 'id': 'rule_id' } obj = cps_object.CPSObject(obj=params['filter']) resp = params['list'] args = {} for key, val in obj_attr_map.items(): attr_name = incoming_ip_svcs_attr(key) try: attr_val = obj.get_attr_data(attr_name) except ValueError: attr_val = None if attr_val is not None: args[val] = attr_val # check af if 'af' in args and args['af'] is not None: af = args['af'] if af != socket.AF_INET and af != socket.AF_INET6: log_err('Invalid address family number %d' % af) return False # check source IP if 'src_ip' in args and args['src_ip'] is not None: af = args['af'] if 'af' in args else None af_ip = check_ip_validity(af, args['src_ip']) if af_ip is None: log_err('Invalid source IP %s for rule reading' % args['src_ip']) return False args['af'], args['src_ip'] = af_ip # add default prefix length af = args['af'] if 'prefix_len' not in args or args['prefix_len'] is None: if af == socket.AF_INET: args['prefix_len'] = 32 else: args['prefix_len'] = 128 log_info('Input parameters:') for name, val in args.items(): if val is not None: log_info(' %-10s : %s' % (name, str(val))) return process_vrf_svcs_rule_get(resp, **args)
def process_vrf_svcs_rule_set(rule_id, **params): try: if not VrfIncomingSvcsRuleCache.update_rule(rule_id, **params): return False except ValueError: log_err('Failed to update rule with params: %s' % params) return False except Exception as ex: logging.exception(ex) return False return True
def get_next_avail_id(self): self.avail_id += 1 while self.max_resved_id is None or self.avail_id <= self.max_resved_id: if self.avail_id not in self.resved_ids: break self.avail_id += 1 if self.max_id is not None and self.avail_id > self.max_id: log_err( 'Unable to get next available ID: min %d max %d buffer_used %d' % (self.min_id, self.max_id, len(self.resved_ids))) self.avail_id = None
def process_vrf_svcs_rule_add(rule_type, vrf_name, action, af, **params): try: rule = VrfIncomingSvcsRule(rule_type, vrf_name, action, af, **params) if not VrfIncomingSvcsRuleCache.insert_rule(rule): return None except ValueError: log_err('Failed to initiate rule object') return None except Exception as ex: logging.exception(ex) return None return rule.rule_id
def process_vrf_svcs_rule_del(rule_type, vrf_name, action, af, **params): try: rule = VrfIncomingSvcsRule(rule_type, vrf_name, action, af, **params) if not VrfIncomingSvcsRuleCache.delete_rule(rule): return False except ValueError: log_err('Failed to initiate rule object') return False except Exception as ex: logging.exception(ex) return False return True
def get_new_id(self): self.mutex.acquire() if self.avail_id is None: log_err('No ID could be allocated') self.mutex.release() return None avail_id = self.avail_id self.resved_ids.add(avail_id) self.get_next_avail_id() if self.max_resved_id is None or avail_id > self.max_resved_id: self.max_resved_id = avail_id self.mutex.release() return avail_id
def __init__(self, min_id=None, max_id=None): self.resved_ids = set([]) if min_id is not None and max_id is not None and min_id >= max_id: log_err('Invalid min_id %d or max_id %d' % (min_id, max_id)) raise ValueError if min_id is None: self.min_id = 1 else: self.min_id = min_id self.max_id = max_id self.avail_id = self.min_id self.max_resved_id = None self.mutex = threading.Lock()
def delete_rule_by_id(cls, rule_id): log_info('Handling delete rule by ID: %d' % rule_id) cls.mutex.acquire() ret_val = True found_rule = cls.find_rule_by_id(rule_id) if found_rule is not None: del_rule, idx = found_rule rule_list = cls.ip_rules[del_rule.af] \ if del_rule.rule_type == del_rule.RULE_TYPE_IP else cls.acl_rules[del_rule.af] if rule_list[del_rule.vrf_name].remove_by_id(rule_id) is None: log_err('Failed to remove rule with ID %d' % rule_id) cls.mutex.release() return False if not IptablesHandler.proc_rule('delete', del_rule, idx): log_err('Failed to call iptables to delete ACL rule') # rollback rule_list = cls.ip_rules[del_rule.af] \ if del_rule.rule_type == del_rule.RULE_TYPE_IP else cls.acl_rules[del_rule.af] rule_list[del_rule.vrf_name].insert(del_rule) ret_val = False if len(rule_list[del_rule.vrf_name]) == 0: del rule_list[del_rule.vrf_name] else: log_err('Rule ID %d not found for delete' % rule_id) ret_val = False cls.mutex.release() if ret_val: if not cls.id_generator.release_id(rule_id): log_err('Failed to release rule ID %d' % rule_id) log_info(str(cls.id_generator)) log_info('Rule deleted') return ret_val
def __setattr__(self, key, val): if key == 'grp_priority' and val is not None: if val: val = self.HIGH_GRP_PRIO else: val = self.DEFAULT_GRP_PRIO elif key == 'in_intf' and val is not None: if len(val) > 0 and val[0] == '!': val = val[1:] super(VrfIncomingSvcsRule, self).__setattr__('negtive', True) else: super(VrfIncomingSvcsRule, self).__setattr__('negtive', False) super(VrfIncomingSvcsRule, self).__setattr__(key, val) if key == 'rule_type' and self.get_rule_type_name() is None: log_err('Invalid rule type %s' % str(self.rule_type)) raise ValueError elif key == 'af' and self.get_af_name() is None: log_err('Invalid address family number %s' % str(self.af)) raise ValueError elif key == 'action' and self.get_action_name() is None: log_err('Invalid action ID %s' % str(self.action)) raise ValueError if val is not None: if key == 'protocol' and self.get_proto_name() is None: log_err('Invalid protocol number %s' % str(self.protocol)) raise ValueError
def delete_rule(cls, rule): log_info('Handling delete rule: %s' % rule) cls.mutex.acquire() rule_list = cls.ip_rules[ rule.af] if rule.rule_type == rule.RULE_TYPE_IP else cls.acl_rules[ rule.af] if rule.vrf_name not in rule_list: log_err('VRF name %s not found in cache' % rule.vrf_name) cls.mutex.release() return False ret_val = rule_list[rule.vrf_name].remove(rule) if ret_val is None: log_err('Failed to delete rule from cache') cls.mutex.release() return False del_rule, idx = ret_val ret_val = True if not IptablesHandler.proc_rule('delete', del_rule, idx): log_err('Failed to call iptables to delete ACL rule') # rollback rule_list[del_rule.vrf_name].insert(del_rule) ret_val = False if len(rule_list[rule.vrf_name]) == 0: del rule_list[rule.vrf_name] cls.mutex.release() if ret_val: if not cls.id_generator.release_id(del_rule.rule_id): log_err('Failed to release rule ID %d' % del_rule.rule_id) log_info(str(cls.id_generator)) log_info('Rule deleted') return ret_val
def __init__(self, rule_type, vrf_name, action, af, src_ip=None, prefix_len=None, protocol=None, dst_port=None, dst_ip=None, seq_num=0, rule_id=None, high_prio=False, in_intf=None): """ Constructor to create a ACL rule object @rule_type - either IP or ACL rule @vrf_name - namespace @action - 1: accept 2: drop 3: dnat @af - address family, either IPv4 or IPv6, it could be direct number or string @src_ip - matched source IP address @prefix_len - prefix length to specify subnet @protocol - IP protocol: 1: tcp, 2: udp, 3: icmp @dst_port - L4 destination port @dst_ip - specify destination IP when action is DNAT @seq_num - sequence number of the rule @rule_id - rule ID. it is optional @high_prio - if it is high priority rule @in_intf - interface where packets coming from """ self.rule_type = rule_type self.vrf_name = vrf_name self.af = af self.src_ip = src_ip self.prefix_len = prefix_len self.protocol = protocol self.dst_port = dst_port self.dst_ip = dst_ip self.seq_num = seq_num self.action = action self.grp_priority = high_prio if self.action == self.RULE_ACTION_DNAT and self.dst_ip is None: log_err('Destination IP is mandatory for DNAT action') raise ValueError if self.action == self.RULE_ACTION_DENY and self.rule_type == self.RULE_TYPE_ACL: # For ACL rule, use REJECT action instead of DROP self.action = self.RULE_ACTION_REJECT self.rule_id = rule_id self.in_intf = in_intf
def is_vrf_valid(vrf_name): cmd = [iplink_cmd, 'netns', 'show'] res = [] if run_command(cmd, res) != 0: log_err('Failed to run command: %s' % ' '.join(cmd)) return False for token in res: m = re.search('(.*)\s+\(id:\s+(\S+)\)', token) if m is not None: vrf, _ = m.groups() else: vrf = token if vrf == vrf_name: return True return False
def remove(self, rule): if rule.rule_id is not None and rule.rule_id in self.rule_id_map: idx = self.rule_id_map[rule.rule_id] rule_id = rule.rule_id else: try: idx = self.index(rule) except ValueError: # rule not found log_err('Rule not found for delete') return None rule_id = self[idx].rule_id orig_rule = self[idx] del self[idx] del self.seq_num_list[idx] del self.rule_id_map[rule_id] self.update_rule_id_map(idx) return (orig_rule, idx)
def create_default_lo_pkts_rule(): loopback_ip_str = '127.0.0.1' loopback_intf = 'lo' rule_id = process_vrf_svcs_rule_add( VrfSvcsRuleType.RULE_TYPE_IP, 'default', VrfSvcsRuleAction.RULE_ACTION_ALLOW, socket.AF_INET, src_ip=socket.inet_pton(socket.AF_INET, loopback_ip_str), src_prefix_len=32, dst_ip=socket.inet_pton(socket.AF_INET, loopback_ip_str), dst_prefix_len=32, high_prio=True, in_intf=loopback_intf) if rule_id is None: log_err('Failed to create default rule to accept pkts on lo') return (False, rule_id) return (True, rule_id)
def insert_rule(cls, rule): log_info('Handling add rule: %s' % rule) cls.mutex.acquire() rule_list = cls.ip_rules[ rule.af] if rule.rule_type == rule.RULE_TYPE_IP else cls.acl_rules[ rule.af] if rule.vrf_name not in rule_list: rule_list[rule.vrf_name] = VrfIncomingSvcsRuleList() if rule.rule_id is None: rule.rule_id = cls.id_generator.get_new_id() if rule.rule_id is None: log_err('Could not generate new rule ID') log_info(str(cls.id_generator)) cls.mutex.release() return False else: if cls.id_generator.is_id_used(rule.rule_id): log_err('Given rule ID %d is used' % rule.rule_id) log_info(str(cls.id_generator)) cls.mutex.release() return False if not cls.id_generator.reserve_id(rule.rule_id): log_err('Failed to reserve rule ID %d' % rule.rule_id) log_info(str(cls.id_generator)) cls.mutex.release() return False ret_val = True idx = rule_list[rule.vrf_name].insert(rule) if idx is not None: if not IptablesHandler.proc_rule('insert', rule, idx): log_err('Failed to call iptables to insert ACL rule') # rollback rule_list[rule.vrf_name].remove(rule) ret_val = False else: log_err('Failed to insert rule to cache') cls.id_generator.release_id(rule.rule_id) ret_val = False cls.mutex.release() if ret_val: log_info('Rule added, ID=%d' % rule.rule_id) return ret_val
def insert(self, rule): if rule.rule_id is None or rule.rule_id in self.rule_id_map: # rule ID should be assigned and not used by another rule log_err('Rule ID is not assigned' if rule.rule_id is None else ( 'Rule ID %d is used' % rule.rule_id)) return None try: idx = self.index(rule) except ValueError: idx = None if idx is not None: # same rule already in list log_err('Rule to be inserted is already in list') return None idx = bisect.bisect_right(self.seq_num_list, (rule.grp_priority, rule.seq_num)) super(VrfIncomingSvcsRuleList, self).insert(idx, rule) self.seq_num_list.insert(idx, (rule.grp_priority, rule.seq_num)) self.update_rule_id_map(idx) return idx
def reserve_id(self, obj_id): self.mutex.acquire() if obj_id < self.min_id or (self.max_id is not None and obj_id > self.max_id): log_err('ID %s was not in valid range' % obj_id) self.mutex.release() return False if obj_id in self.resved_ids: log_err( 'ID %d was already reserved and could not be reserved again' % obj_id) self.mutex.release() return False self.resved_ids.add(obj_id) if obj_id == self.avail_id: self.get_next_avail_id() if self.max_resved_id is None or obj_id > self.max_resved_id: self.max_resved_id = obj_id self.mutex.release() return True
def release_id(self, obj_id): self.mutex.acquire() if obj_id not in self.resved_ids: log_err('ID %d was not reserved for being released') self.mutex.release() return False self.resved_ids.remove(obj_id) if obj_id < self.avail_id: self.avail_id = obj_id if obj_id == self.max_resved_id: while obj_id >= self.min_id: if obj_id in self.resved_ids: break obj_id -= 1 if obj_id < self.min_id: self.max_resved_id = None else: self.max_resved_id = obj_id self.mutex.release() return True
def replace_rule(cls, rule_id, new_rule): log_info('Handling replace rule with ID %d' % rule_id) cls.mutex.acquire() ret_val = True found_rule = cls.find_rule_by_id(rule_id) if found_rule is not None: old_rule, idx = found_rule rule_list = cls.ip_rules[old_rule.af] \ if old_rule.rule_type == old_rule.RULE_TYPE_IP else cls.acl_rules[old_rule.af] if not IptablesHandler.proc_rule('replace', new_rule, idx): log_err('Failed to call iptables to replace ACL rule') ret_val = False else: rule_list[old_rule.vrf_name][idx] = new_rule else: log_err('Rule ID %d not found for replace' % rule_id) ret_val = False cls.mutex.release() if ret_val: log_info('Rule replaced') return ret_val
def set_vrf_intf_ip_cb_int(methods, params): obj = cps_object.CPSObject(obj=params['change']) if params['operation'] != 'rpc': log_err('oper is not RPC') return False operation = 1 vrf_name = None af = None ip = None try: operation = obj.get_attr_data('vrf-mgmt/src-ip-config/input/operation') vrf_name = obj.get_attr_data('vrf-mgmt/src-ip-config/input/ni-name') af = obj.get_attr_data('vrf-mgmt/src-ip-config/input/af') ip = obj.get_attr_data('vrf-mgmt/src-ip-config/input/src-ip') except ValueError as e: log_msg = 'Missing mandatory attribute ' + e.args[0] log_err(log_msg) return False # Operation types #BASE_CMN_OPERATION_TYPE_CREATE=1 #BASE_CMN_OPERATION_TYPE_DELETE=2 #BASE_CMN_OPERATION_TYPE_UPDATE=3 is_add = True if operation == 3: log_msg = 'Update operation is not supported!' log_err(log_msg) return False elif operation == 2: is_add = False if af != socket.AF_INET and af != socket.AF_INET6: log_msg = 'Invalid address family' + str(af) log_err(log_msg) return False ip = binascii.unhexlify(ip) ip = socket.inet_ntop(af, ip) family = 'ipv4' if af == socket.AF_INET6: family = 'ipv6' if dn_base_vrf_tool.process_src_ip_config(vrf_name, is_add, family, ip): return True return False
def handle_leaked_rt_event(): _leaked_rt_evt_handle = cps.event_connect() cps.event_register(_leaked_rt_evt_handle, _leaked_rt_key) while True: leaked_rt_evt = cps.event_wait(_leaked_rt_evt_handle) obj = cps_object.CPSObject(obj=leaked_rt_evt) if obj is None: continue if not 'operation' in leaked_rt_evt.keys(): continue op = None if leaked_rt_evt['operation'] == 'create': op = 'add' if leaked_rt_evt['operation'] == 'delete': op = 'del' src_vrf_name = None af = None prefix = None prefix_len = 0 dst_vrf_name = None try: dst_vrf_name = obj.get_attr_data( 'os-re/os-leak-route-config/vrf-name') af = obj.get_attr_data('os-re/os-leak-route-config/af') prefix = obj.get_attr_data( 'os-re/os-leak-route-config/route-prefix') prefix = binascii.unhexlify(prefix) prefix = get_ip_str(af, prefix) prefix_len = obj.get_attr_data( 'os-re/os-leak-route-config/prefix-len') src_vrf_name = obj.get_attr_data( 'os-re/os-leak-route-config/src-vrf-name') except ValueError as e: log_err( 'Error - Mandatatory object attributes are not present for route leak configuration!' ) continue global _vrf_mutex _vrf_mutex.acquire() ret_val, nexthop_ip, nexthop_ip6 = _veth_ip_get( dst_vrf_name, src_vrf_name, True) _vrf_mutex.release() if ret_val is False: log_err('veth info. not found while handling src-vrf:%s af:%s prefix:%s/%s dst-vrd:%s'\ % (src_vrf_name, str(af), prefix, str(prefix_len), dst_vrf_name)) continue if af == socket.AF_INET6: nexthop_ip = nexthop_ip6 if dn_base_vrf_tool.process_leaked_rt_config(op, af, dst_vrf_name, prefix,\ prefix_len, nexthop_ip) != True: log_err('VRF route leaking configuration failed op:%s src-vrf:%s af:%s prefix:%s/%s dst-vrd:%s'\ % (op, src_vrf_name, str(af), prefix, str(prefix_len), dst_vrf_name)) continue
def create_vrf_default_rules(vrf_name, rule_id_list=None): for af in [socket.AF_INET, socket.AF_INET6]: any_ip_str = '0.0.0.0' if af == socket.AF_INET else '::' intf = 'vdst-nsid+' rule_id = process_vrf_svcs_rule_add( VrfSvcsRuleType.RULE_TYPE_ACL, vrf_name, VrfSvcsRuleAction.RULE_ACTION_ALLOW, af, src_ip=socket.inet_pton(af, any_ip_str), src_prefix_len=0, high_prio=True, in_intf=intf) if rule_id is None: log_err( 'Failed to create default ACL rules: VRF %s af %d intf %s' % (vrf_name, af, intf)) return False if rule_id_list is not None: log_info('Default rule created: VRF %s af %d intf %s ID %d' % (vrf_name, af, intf, rule_id)) rule_id_list.append(rule_id) return True
def normalize_ip_with_prefix(af, ip, pfx_len=None): if af is None: chk_af_list = [socket.AF_INET, socket.AF_INET6] else: chk_af_list = [af] ip_str = None for af in chk_af_list: # if input is hexlified string, convert it to regular string try: ip = binascii.unhexlify(ip) except TypeError: # if ip is not hexlified string, keep it as is pass # test if input is binary try: ip_str = socket.inet_ntop(af, ip) break except (ValueError, socket.error): pass if ip_str is None: log_err('Invalid AF or IP: %s %s' % (str(af), str(ip))) return None if pfx_len is None: pfx_len = ipaddress.IPV4LENGTH if af == socket.AF_INET else ipaddress.IPV6LENGTH try: ip_net = netaddr.IPNetwork('%s/%d' % (ip_str, pfx_len)) except netaddr.AddrFormatError: log_err('Invalid IP or prefix length: %s %d' % (ip_str, pfx_len)) return None ip = ip_net.cidr.ip.packed return (af, ip, pfx_len)
def set_vrf_intf_cb_int(methods, params): obj = cps_object.CPSObject(obj=params['change']) if_name = None vrf_name = None if_name = 'if/interfaces/interface/name' if_type = 'if/interfaces/interface/type' vrf_name = 'ni/if/interfaces/interface/bind-ni-name' try: if_name = obj.get_attr_data(if_name) vrf_name = obj.get_attr_data(vrf_name) # Dont mandate interface type for mgmt interface when it is getting moved to mgmt VRF, # since we dont need to alloc. MAC for the same. if vrf_name != _management_vrf_name: if_type = obj.get_attr_data(if_type) except ValueError as e: log_msg = 'Missing mandatory attribute ' + e.args[0] log_err(log_msg) return False operation = params['operation'] try: if operation == 'set': return False else: op = True if operation == 'delete': op = False log_msg = 'VRF ' + vrf_name + ' intf ' + if_name + ' request ' + operation log_info(log_msg) ret_val, v_if_name, v_if_index, v_mac_str = dn_base_vrf_tool.process_vrf_intf_config( op, if_name, vrf_name, if_type) if ret_val is True: if op: cps_obj = cps_object.CPSObject( module='vrf-mgmt/ni/if/interfaces/interface', qual='target', data={ intf_attr('name'): if_name, ni_intf_attr('bind-ni-name'): vrf_name, vrf_mgmt_intf_attr('ifname'): v_if_name, vrf_mgmt_intf_attr('ifindex'): v_if_index, vrf_mgmt_intf_attr('mac-addr'): v_mac_str, }) params['change'] = cps_obj.get() return True log_msg = 'Failed to execute VRF ' + vrf_name + ' intf ' + if_name + ' request ' + operation log_err(log_msg) except Exception as e: logging.exception(e) log_msg = 'Faild to commit operation.' + str(e) + params log_err(log_msg) return False
def get_outgoing_ip_svcs_int(methods, params): log_info('Callback for outgoing IP service reading') obj_attr_map = { 'ni-name': 'vrf_name', 'af': 'af', 'public-ip': 'dst_ip', 'protocol': 'protocol', 'public-port': 'dst_port', 'private-ip': 'private_ip', 'private-port': 'private_port', 'outgoing-source-ip': 'out_src_ip', 'id': 'rule_id' } obj = cps_object.CPSObject(obj=params['filter']) resp = params['list'] args = {} for key, val in obj_attr_map.items(): attr_name = outgoing_ip_svcs_attr(key) try: attr_val = obj.get_attr_data(attr_name) except ValueError: attr_val = None if attr_val is not None: args[val] = attr_val # check af if 'af' in args and args['af'] is not None: af = args['af'] if af != socket.AF_INET and af != socket.AF_INET6: log_err('Invalid address family number %d' % af) return False # check public IP if 'dst_ip' in args and args['dst_ip'] is not None: af = args['af'] if 'af' in args else None af_ip = normalize_ip_with_prefix(af, args['dst_ip']) if af_ip is None: log_err('Invalid public IP %s for rule reading' % args['dst_ip']) return False args['af'], args['dst_ip'], _ = af_ip # check source IP if 'out_src_ip' in args and args['out_src_ip'] is not None: af = args['af'] if 'af' in args else None af_ip = normalize_ip_with_prefix(af, args['out_src_ip']) if af_ip is None: log_err('Invalid outgoing source IP %s for rule reading' % args['out_src_ip']) return False args['af'], args['out_src_ip'], _ = af_ip # check private IP if 'private_ip' in args and args['private_ip'] is not None: af = args['af'] if 'af' in args else None af_ip = normalize_ip_with_prefix(af, args['private_ip']) if af_ip is None: log_err('Invalid private IP %s for rule reading' % args['private_ip']) return False args['af'], args['private_ip'], _ = af_ip log_info('Input parameters:') for name, val in args.items(): if val is not None: if name == 'dst_ip' or name == 'out_src_ip': log_info(' %-10s - %s' % (name, binascii.hexlify(val))) else: log_info(' %-10s : %s' % (name, str(val))) return process_vrf_outgoing_svcs_rule_get(resp, **args)
def get_incoming_ip_svcs_int(methods, params): log_info('Callback for incoming IP service reading') obj_attr_map = { 'ni-name': 'vrf_name', 'af': 'af', 'src-ip': 'src_ip', 'src-prefix-len': 'src_prefix_len', 'dst-ip': 'dst_ip', 'dst-prefix-len': 'dst_prefix_len', 'protocol': 'protocol', 'dst-port': 'dst_port', 'lower-dst-port': 'low_dst_port', 'upper-dst-port': 'high_dst_port', 'action': 'action', 'seq-num': 'seq_num', 'ifname': 'in_intf', 'id': 'rule_id' } obj = cps_object.CPSObject(obj=params['filter']) resp = params['list'] args = {} for key, val in obj_attr_map.items(): attr_name = incoming_ip_svcs_attr(key) try: attr_val = obj.get_attr_data(attr_name) except ValueError: attr_val = None if attr_val is not None: args[val] = attr_val # check af if 'af' in args and args['af'] is not None: af = args['af'] if af != socket.AF_INET and af != socket.AF_INET6: log_err('Invalid address family number %d' % af) return False # check source and destination IP if 'src_ip' in args and args['src_ip'] is not None: af = args['af'] if 'af' in args else None pfx_len = args['src_prefix_len'] if 'src_prefix_len' in args else None ip_tuple = normalize_ip_with_prefix(af, args['src_ip'], pfx_len) if ip_tuple is None: log_err('Invalid source IP %s for rule reading' % args['src_ip']) return False args['af'], args['src_ip'], args['src_prefix_len'] = ip_tuple if 'dst_ip' in args and args['dst_ip'] is not None: af = args['af'] if 'af' in args else None pfx_len = args['dst_prefix_len'] if 'dst_prefix_len' in args else None ip_tuple = normalize_ip_with_prefix(af, args['dst_ip'], pfx_len) if ip_tuple is None: log_err('Invalid destination IP %s for rule reading' % args['dst_ip']) return False args['af'], args['dst_ip'], args['dst_prefix_len'] = ip_tuple log_info('Input parameters:') for name, val in args.items(): if val is not None: log_info(' %-10s : %s' % (name, str(val))) return process_vrf_svcs_rule_get(resp, **args)
def config_outgoing_ip_svcs_int(methods, params): obj = cps_object.CPSObject(obj=params['change']) in_param_list = {} log_info('Callback for outgoing IP service configuration') def get_svcs_attr_val(attr_name, dft_val=None): attr_id = outgoing_ip_svcs_attr(attr_name) try: attr_val = obj.get_attr_data(attr_id) except ValueError: attr_val = None if attr_val is None: attr_val = dft_val in_param_list[attr_name] = attr_val return attr_val operation = params['operation'] vrf_name = get_svcs_attr_val('ni-name') af = get_svcs_attr_val('af') public_ip_attr = get_svcs_attr_val('public-ip') outgoing_source_ip_attr = get_svcs_attr_val('outgoing-source-ip') protocol = get_svcs_attr_val('protocol') public_port = get_svcs_attr_val('public-port') private_ip_attr = get_svcs_attr_val('private-ip') private_port = get_svcs_attr_val('private-port') rule_id = get_svcs_attr_val('id') orig_af = af public_ip = None # check public IP if public_ip_attr is not None: af_ip = normalize_ip_with_prefix(orig_af, public_ip_attr) if af_ip is None: log_err('Invalid public IP %s for rule configuration' % public_ip_attr) return False af, public_ip, _ = af_ip if orig_af is None: log_info('Address family %d is deducted from input public IP %s' % (af, public_ip_attr)) in_param_list['af'] = af in_param_list['public-ip'] = public_ip orig_af = af outgoing_source_ip = None # check outgoing source IP if outgoing_source_ip_attr is not None: af_ip = normalize_ip_with_prefix(orig_af, outgoing_source_ip_attr) if af_ip is None: log_err('Invalid outgoing source IP %s for rule configuration' % outgoing_source_ip_attr) return False af, outgoing_source_ip, _ = af_ip if orig_af is None: log_info('Address family %d is deducted from input source IP %s' % (af, outgoing_source_ip_attr)) in_param_list['af'] = af in_param_list['outgoing-source-ip'] = outgoing_source_ip orig_af = af private_ip = None # check private IP if private_ip_attr is not None: af_ip = normalize_ip_with_prefix(orig_af, private_ip_attr) if af_ip is None: log_err('Invalid private IP %s for rule configuration' % private_ip_attr) return False af, private_ip, _ = af_ip if orig_af is None: log_info('Address family %d is deducted from input private IP %s' % (af, private_ip_attr)) in_param_list['af'] = af in_param_list['private-ip'] = private_ip """ The input object stands for Source IP configuration request if: 1. Outgoing source IP attribute is given For all other cases, input object stands for VRF outgoing IP service binding request. """ def is_egress_source_ip_config(): if outgoing_source_ip is not None: return True return False log_info('Input parameters:') for name, val in in_param_list.items(): if val is not None: if name == 'public-ip' or name == 'outgoing-source-ip' or name == 'private-ip': log_info(' %-10s - %s' % (name, binascii.hexlify(val))) else: log_info(' %-10s - %s' % (name, str(val))) if is_egress_source_ip_config(): log_info('Handle Outgoing Source IP configuration, operation: %s' % operation) rule_type = VrfSvcsRuleType.RULE_TYPE_SNAT action = VrfSvcsRuleAction.RULE_ACTION_SNAT reqd_input = [ 'ni-name', 'af', 'public-ip', 'protocol', 'public-port', 'outgoing-source-ip' ] else: log_info( 'Handle Outgoing IP service binding configuration, operation: %s' % operation) rule_type = VrfSvcsRuleType.RULE_TYPE_OUT_IP action = VrfSvcsRuleAction.RULE_ACTION_DNAT reqd_input = ['ni-name', 'af', 'public-ip', 'protocol', 'public-port'] def check_rule_input(missed_attr_list=None): """ The keys to identify a rule """ if operation == 'delete': """ For delete operation, either rule ID or rule keys need to be given to find rule to be deleted """ if rule_id is not None: return True else: if check_attr_list(reqd_input, in_param_list, missed_attr_list): return True elif operation == 'set': """ set operation, not supported on outgoing IP service configuration """ return False elif operation == 'create': """ For create operation, all key attributes need to be given """ if check_attr_list(reqd_input, in_param_list, missed_attr_list): return True return False not_found_list = [] if not check_rule_input(not_found_list): log_err( 'Operation not support or Mandatory attributes %s not found for operation %s' % (str(not_found_list), operation)) return False log_info( 'Outgoing IP service rule: Operation %s VRF %s AF %s%s%s%s%s%s' % (operation, vrf_name, (_af[af] if af is not None else ' '), (' public-ip %s' % (get_ip_str(af, public_ip)) if public_ip is not None else ''), (' protocol %s' % _protocol[protocol] if protocol is not None else ''), (' public-port %d' % public_port if public_port is not None else ''), (' outgoing-source-ip %s' % (get_ip_str(af, outgoing_source_ip)) if outgoing_source_ip is not None else ''), (' ID %d' % rule_id if rule_id is not None else ''))) try: if operation == 'set': return False elif operation == 'create': ret_val, private_ip, private_port = process_vrf_outgoing_svcs_rule_add( rule_type, vrf_name, action, af, dst_ip=public_ip, protocol=protocol, dst_port=public_port, out_src_ip=outgoing_source_ip, private_ip=private_ip, private_port=private_port, rule_id=rule_id) log_info( '%s in adding outgoing %s: VRF %s AF %s%s%s%s%s%s%s%s%s' % (('Success' if ret_val is not None else 'Failure'), ('%s rule' % 'SNAT' if rule_type == VrfSvcsRuleType.RULE_TYPE_SNAT else 'IP'), vrf_name, (_af[af] if af is not None else ' '), (' PROTO %s' % _protocol[protocol] if protocol is not None else ''), (' DST IP %s' % get_ip_str(af, public_ip) if public_ip is not None else ''), (' PORT %d' % public_port if public_port is not None else ''), (' ACTION %s' % _action[action] if action is not None else ''), (' SRC IP %s' % get_ip_str(af, outgoing_source_ip) if outgoing_source_ip is not None else ''), (' PRIVATE IP %s' % get_ip_str(af, private_ip) if private_ip is not None else ''), (' PRIVATE PORT %d' % private_port if private_port is not None else ''), (' ID %d' % ret_val if ret_val is not None else ''))) if ret_val is not None: if rule_type == VrfSvcsRuleType.RULE_TYPE_SNAT: #SNAT flow obj.add_attr(outgoing_ip_svcs_attr('id'), ret_val) params['change'] = obj.get() else: #DNAT - service binding flow private_ip = binascii.hexlify(private_ip) cps_obj = cps_object.CPSObject( module='vrf-firewall/ns-outgoing-service', qual='target', data={ outgoing_ip_svcs_attr('id'): ret_val, outgoing_ip_svcs_attr('ni-name'): vrf_name, outgoing_ip_svcs_attr('af'): af, outgoing_ip_svcs_attr('public-ip'): public_ip_attr, outgoing_ip_svcs_attr('protocol'): protocol, outgoing_ip_svcs_attr('public-port'): public_port, outgoing_ip_svcs_attr('private-ip'): private_ip, outgoing_ip_svcs_attr('private-port'): private_port }) params['change'] = cps_obj.get() return True elif operation == 'delete': if rule_id is None: ret_val = process_vrf_outgoing_svcs_rule_del( rule_type, vrf_name, action, af, dst_ip=public_ip, protocol=protocol, dst_port=public_port, out_src_ip=outgoing_source_ip, private_ip=private_ip, private_port=private_port) else: ret_val = process_vrf_outgoing_svcs_rule_del_by_id(rule_id) if ret_val is True: #deleted successfully return True except Exception as e: log_msg = ('%s %s %s' % ('Failed to commit operation.', e, params)) log_err(log_msg) return False log_err( 'Outgoing IP service rule: Operation %s Failed VRF %s AF %s%s%s%s%s%s' % (operation, vrf_name, (_af[af] if af is not None else ' '), (' public-ip %s' % (get_ip_str(af, public_ip)) if public_ip is not None else ''), (' protocol %s' % _protocol[protocol] if protocol is not None else ''), (' public-port %d' % public_port if public_port is not None else ''), (' outgoing-source-ip %s' % (get_ip_str(af, outgoing_source_ip)) if outgoing_source_ip is not None else ''), (' ID %d' % rule_id if rule_id is not None else ''))) return False
def config_incoming_ip_svcs_int(methods, params): obj = cps_object.CPSObject(obj=params['change']) in_param_list = {} log_info('Callback for incoming IP service configuration') def get_svcs_attr_val(attr_name, dft_val=None): attr_id = incoming_ip_svcs_attr(attr_name) try: attr_val = obj.get_attr_data(attr_id) except ValueError: attr_val = None if attr_val is None: attr_val = dft_val in_param_list[attr_name] = attr_val return attr_val operation = params['operation'] af = get_svcs_attr_val('af') vrf_name = get_svcs_attr_val('ni-name') protocol = get_svcs_attr_val('protocol') dst_port = get_svcs_attr_val('dst-port') low_dst_port = get_svcs_attr_val('lower-dst-port') high_dst_port = get_svcs_attr_val('upper-dst-port') action = get_svcs_attr_val('action') src_ip = get_svcs_attr_val('src-ip') src_prefix_len = get_svcs_attr_val('src-prefix-len') dst_ip = get_svcs_attr_val('dst-ip') dst_prefix_len = get_svcs_attr_val('dst-prefix-len') in_intf = get_svcs_attr_val('ifname') if operation == 'create': # set default seq number to 0 for create seq_num = get_svcs_attr_val('seq-num', 0) else: seq_num = get_svcs_attr_val('seq-num') rule_id = get_svcs_attr_val('id') # check source and destination IP if src_ip is not None: ip_tuple = normalize_ip_with_prefix(af, src_ip, src_prefix_len) if ip_tuple is None: log_err('Failed to normalize source IP with prefix') return False orig_af = af af, src_ip, src_prefix_len = ip_tuple if orig_af is None: log_info('Address family %d is deduced from input source IP %s' % (af, src_ip)) in_param_list['af'] = af in_param_list['src-ip'] = src_ip in_param_list['src-prefix-len'] = src_prefix_len if dst_ip is not None: ip_tuple = normalize_ip_with_prefix(af, dst_ip, dst_prefix_len) if ip_tuple is None: log_err('Failed to normalize destination IP with prefix') return False orig_af = af af, dst_ip, dst_prefix_len = ip_tuple if orig_af is None: log_info( 'Address family %d is deduced from input destination IP %s' % (af, dst_ip)) in_param_list['af'] = af in_param_list['dst-ip'] = dst_ip in_param_list['dst-prefix-len'] = dst_prefix_len # check lower & upper destination ports if low_dst_port is not None and high_dst_port is None: log_err('Missing upper-dst-port for VTY ACL rule configuration') return False if low_dst_port is None and high_dst_port is not None: log_err('Missing lower-dst-port for VTY ACL rule configuration') return False if (low_dst_port is not None or high_dst_port is not None) and dst_port is not None: log_err('Invalid VTY ACL rule configuration, \ dst port attribute cannot be configured along with dst port range attributes' ) return False """ The input object stands for VTY ACL configuration request if: 1. Destination L4 port attribute is not given or given value is 0, 2. Or Source IP address attribute is given, 3. Or lower & upper destination L4 port attributes are given. For all other cases, input object stands for VRF incoming IP service request. """ def is_vty_acl_config(): if dst_port is None or dst_port == 0: return True if src_ip is not None: return True if low_dst_port is not None and high_dst_port is not None: return True return False log_info('Input parameters:') for name, val in in_param_list.items(): if val is not None: if name == 'src-ip' or name == 'dst-ip': log_info(' %-10s - %s' % (name, binascii.hexlify(val))) else: log_info(' %-10s - %s' % (name, str(val))) if is_vty_acl_config(): log_info('Handle VTY ACL configuration, operation: %s' % operation) rule_type = VrfSvcsRuleType.RULE_TYPE_ACL reqd_input = ['ni-name', 'af', 'src-ip', 'src-prefix-len', 'action'] else: log_info('Handle incoming IP configuration, operation: %s' % operation) rule_type = VrfSvcsRuleType.RULE_TYPE_IP reqd_input = ['af', 'ni-name', 'protocol', 'dst-port'] if vrf_name == 'default': reqd_input.append('action') def check_rule_input(missed_attr_list=None): """ The keys to identify a rule """ if operation == 'delete': """ For delete operation, either rule ID or rule keys need to be given to find rule to be deleted """ if rule_id is not None: return True else: if check_attr_list(reqd_input, in_param_list, missed_attr_list): return True elif operation == 'set': """ For set operation, rule ID is the only required input to find the rule to be updated. And the attributes of the rule will be changed to attribute value given by input """ if rule_id is not None: return True else: if missed_attr_list is not None: missed_attr_list.append('id') elif operation == 'create': """ For create operation, all key attributes plus sequence number need to be given by input """ if check_attr_list(reqd_input + ['seq-num'], in_param_list, missed_attr_list): return True return False not_found_list = [] if not check_rule_input(not_found_list): log_err('Mandatory attributes %s not found for operation %s' % (str(not_found_list), operation)) return False if operation == 'create': if rule_type == VrfSvcsRuleType.RULE_TYPE_IP and vrf_name != 'default': """ If it is IP forwarding rule and the name space is not default, we set its action type as DNAT """ dst_ip = dn_base_vrf_tool.get_veth_ip(af, vrf_name) action = VrfSvcsRuleAction.RULE_ACTION_DNAT else: if (dst_port is not None and protocol != VrfSvcsRuleProto.RULE_PROTO_TCP and protocol != VrfSvcsRuleProto.RULE_PROTO_UDP): log_err( 'L4 destination port filter must with protocol type TCP or UDP' ) return False if (low_dst_port is not None and protocol != VrfSvcsRuleProto.RULE_PROTO_TCP and protocol != VrfSvcsRuleProto.RULE_PROTO_UDP): log_err( 'L4 destination port range filter must with protocol type TCP or UDP' ) return False ret_val = process_vrf_svcs_rule_add(rule_type, vrf_name, action, af, src_ip=src_ip, src_prefix_len=src_prefix_len, dst_ip=dst_ip, dst_prefix_len=dst_prefix_len, seq_num=seq_num, protocol=protocol, dst_port=dst_port, low_dst_port=low_dst_port, high_dst_port=high_dst_port, in_intf=in_intf, rule_id=rule_id) if ret_val is None: log_err( 'Failed to add incoming IP rule: VRF %s AF %s%s%s%s%s%s%s%s%s%s%s' % (vrf_name, _af[af], (' IIF %s' % in_intf if in_intf is not None else ' '), (' SRC %s/%d' % (get_ip_str(af, src_ip), src_prefix_len) if src_ip is not None and src_prefix_len is not None else ''), (' DST %s/%d' % (get_ip_str(af, dst_ip), dst_prefix_len) if dst_ip is not None and dst_prefix_len is not None else ''), (' PROTO %s' % _protocol[protocol] if protocol is not None else ''), (' PORT %d' % dst_port if dst_port is not None else ''), (' PORT RANGE %d-%d' % (low_dst_port, high_dst_port) if low_dst_port is not None else ''), (' SEQ %d' % seq_num if seq_num is not None else ''), (' ACTION %s' % _action[action] if action is not None else ''), (' DST %s' % get_ip_str(af, dst_ip) if dst_ip is not None else ''), (' ID %d' % rule_id if rule_id is not None else ''))) return False if rule_id is not None and ret_val != rule_id: log_err('Given rule id %d is not equal to actually used id %d' % (rule_id, ret_val)) obj.add_attr(incoming_ip_svcs_attr('id'), ret_val) params['change'] = obj.get() elif operation == 'set': ret_val = process_vrf_svcs_rule_set(rule_id, src_ip=src_ip, src_prefix_len=src_prefix_len, protocol=protocol, dst_ip=dst_ip, dst_prefix_len=dst_prefix_len, dst_port=dst_port, action=action, low_dst_port=low_dst_port, high_dst_port=high_dst_port, seq_num=seq_num, in_intf=in_intf) if not ret_val: log_err('Failed to update rule with ID %d' % rule_id) return False elif operation == 'delete': if rule_id is None: if rule_type == VrfSvcsRuleType.RULE_TYPE_IP and vrf_name != 'default': """ If it is IP forwarding rule and the name space is not default, we set its action type as DNAT """ dst_ip = dn_base_vrf_tool.get_veth_ip(af, vrf_name) action = VrfSvcsRuleAction.RULE_ACTION_DNAT ret_val = process_vrf_svcs_rule_del(rule_type, vrf_name, action, af, src_ip=src_ip, src_prefix_len=src_prefix_len, dst_ip=dst_ip, dst_prefix_len=dst_prefix_len, protocol=protocol, dst_port=dst_port, low_dst_port=low_dst_port, high_dst_port=high_dst_port, in_intf=in_intf) else: ret_val = process_vrf_svcs_rule_del_by_id(rule_id) if not ret_val: log_err('Failed to delete rule') return False else: log_err('Invalid operation type %s' % operation) return False return True