from oslo_concurrency import lockutils from oslo_config import cfg from oslo_log import log as logging from oslo_utils import excutils from neutron.agent.common import config from neutron.agent.linux import iptables_comments as ic from neutron.agent.linux import utils as linux_utils from neutron.common import exceptions as n_exc from neutron.common import utils from neutron.i18n import _LE, _LW LOG = logging.getLogger(__name__) config.register_iptables_opts(cfg.CONF) # NOTE(vish): Iptables supports chain names of up to 28 characters, and we # add up to 12 characters to binary_name which is used as a prefix, # so we limit it to 16 characters. # (max_chain_name_length - len('-POSTROUTING') == 16) def get_binary_name(): """Grab the name of the binary we're running in.""" return os.path.basename(sys.argv[0])[:16].replace(' ', '_') binary_name = get_binary_name() # A length of a chain name must be less than or equal to 11 characters. # <max length of iptables chain name> - (<binary_name> + '-') = 28-(16+1) = 11 MAX_CHAIN_LEN_WRAP = 11
def __init__( self, _execute=None, state_less=False, root_helper=None, use_ipv6=False, namespace=None, binary_name=binary_name ): if _execute: self.execute = _execute else: self.execute = linux_utils.execute config.register_iptables_opts(cfg.CONF) self.use_ipv6 = use_ipv6 self.root_helper = root_helper self.namespace = namespace self.iptables_apply_deferred = False self.wrap_name = binary_name[:16] self.ipv4 = {"filter": IptablesTable(binary_name=self.wrap_name)} self.ipv6 = {"filter": IptablesTable(binary_name=self.wrap_name)} # Add a neutron-filter-top chain. It's intended to be shared # among the various neutron components. It sits at the very top # of FORWARD and OUTPUT. for tables in [self.ipv4, self.ipv6]: tables["filter"].add_chain("neutron-filter-top", wrap=False) tables["filter"].add_rule("FORWARD", "-j neutron-filter-top", wrap=False, top=True) tables["filter"].add_rule("OUTPUT", "-j neutron-filter-top", wrap=False, top=True) tables["filter"].add_chain("local") tables["filter"].add_rule("neutron-filter-top", "-j $local", wrap=False) # Wrap the built-in chains builtin_chains = {4: {"filter": ["INPUT", "OUTPUT", "FORWARD"]}, 6: {"filter": ["INPUT", "OUTPUT", "FORWARD"]}} if not state_less: self.ipv4.update({"nat": IptablesTable(binary_name=self.wrap_name)}) builtin_chains[4].update({"nat": ["PREROUTING", "OUTPUT", "POSTROUTING"]}) self.ipv4.update({"raw": IptablesTable(binary_name=self.wrap_name)}) builtin_chains[4].update({"raw": ["PREROUTING", "OUTPUT"]}) for ip_version in builtin_chains: if ip_version == 4: tables = self.ipv4 elif ip_version == 6: tables = self.ipv6 for table, chains in builtin_chains[ip_version].iteritems(): for chain in chains: tables[table].add_chain(chain) tables[table].add_rule(chain, "-j $%s" % (chain), wrap=False) if not state_less: # Add a neutron-postrouting-bottom chain. It's intended to be # shared among the various neutron components. We set it as the # last chain of POSTROUTING chain. self.ipv4["nat"].add_chain("neutron-postrouting-bottom", wrap=False) self.ipv4["nat"].add_rule("POSTROUTING", "-j neutron-postrouting-bottom", wrap=False) # We add a snat chain to the shared neutron-postrouting-bottom # chain so that it's applied last. self.ipv4["nat"].add_chain("snat") self.ipv4["nat"].add_rule("neutron-postrouting-bottom", "-j $snat", wrap=False, comment=ic.SNAT_OUT) # And then we add a float-snat chain and jump to first thing in # the snat chain. self.ipv4["nat"].add_chain("float-snat") self.ipv4["nat"].add_rule("snat", "-j $float-snat")
from oslo_concurrency import lockutils from oslo_config import cfg from oslo_log import log as logging from oslo_utils import excutils import six from neutron.agent.common import config from neutron.agent.linux import iptables_comments as ic from neutron.agent.linux import utils as linux_utils from neutron.common import exceptions as n_exc from neutron.common import utils from neutron.i18n import _LE, _LW LOG = logging.getLogger(__name__) config.register_iptables_opts(cfg.CONF) # NOTE(vish): Iptables supports chain names of up to 28 characters, and we # add up to 12 characters to binary_name which is used as a prefix, # so we limit it to 16 characters. # (max_chain_name_length - len('-POSTROUTING') == 16) def get_binary_name(): """Grab the name of the binary we're running in.""" return os.path.basename(sys.argv[0])[:16].replace(' ', '_') binary_name = get_binary_name() # A length of a chain name must be less than or equal to 11 characters. # <max length of iptables chain name> - (<binary_name> + '-') = 28-(16+1) = 11
def __init__(self, _execute=None, state_less=False, use_ipv6=False, namespace=None, binary_name=binary_name): if _execute: self.execute = _execute else: self.execute = linux_utils.execute config.register_iptables_opts(cfg.CONF) self.use_ipv6 = use_ipv6 self.namespace = namespace self.iptables_apply_deferred = False self.wrap_name = binary_name[:16] self.ipv4 = {'filter': IptablesTable(binary_name=self.wrap_name)} self.ipv6 = {'filter': IptablesTable(binary_name=self.wrap_name)} # Add a neutron-filter-top chain. It's intended to be shared # among the various neutron components. It sits at the very top # of FORWARD and OUTPUT. for tables in [self.ipv4, self.ipv6]: tables['filter'].add_chain('neutron-filter-top', wrap=False) tables['filter'].add_rule('FORWARD', '-j neutron-filter-top', wrap=False, top=True) tables['filter'].add_rule('OUTPUT', '-j neutron-filter-top', wrap=False, top=True) tables['filter'].add_chain('local') tables['filter'].add_rule('neutron-filter-top', '-j $local', wrap=False) # Wrap the built-in chains builtin_chains = {4: {'filter': ['INPUT', 'OUTPUT', 'FORWARD']}, 6: {'filter': ['INPUT', 'OUTPUT', 'FORWARD']}} if not state_less: self.ipv4.update( {'mangle': IptablesTable(binary_name=self.wrap_name)}) builtin_chains[4].update( {'mangle': ['PREROUTING', 'INPUT', 'FORWARD', 'OUTPUT', 'POSTROUTING']}) self.ipv4.update( {'nat': IptablesTable(binary_name=self.wrap_name)}) builtin_chains[4].update({'nat': ['PREROUTING', 'OUTPUT', 'POSTROUTING']}) self.ipv4.update( {'raw': IptablesTable(binary_name=self.wrap_name)}) builtin_chains[4].update({'raw': ['PREROUTING', 'OUTPUT']}) for ip_version in builtin_chains: if ip_version == 4: tables = self.ipv4 elif ip_version == 6: tables = self.ipv6 for table, chains in builtin_chains[ip_version].iteritems(): for chain in chains: tables[table].add_chain(chain) tables[table].add_rule(chain, '-j $%s' % (chain), wrap=False) if not state_less: # Add a neutron-postrouting-bottom chain. It's intended to be # shared among the various neutron components. We set it as the # last chain of POSTROUTING chain. self.ipv4['nat'].add_chain('neutron-postrouting-bottom', wrap=False) self.ipv4['nat'].add_rule('POSTROUTING', '-j neutron-postrouting-bottom', wrap=False) # We add a snat chain to the shared neutron-postrouting-bottom # chain so that it's applied last. self.ipv4['nat'].add_chain('snat') self.ipv4['nat'].add_rule('neutron-postrouting-bottom', '-j $snat', wrap=False, comment=ic.SNAT_OUT) # And then we add a float-snat chain and jump to first thing in # the snat chain. self.ipv4['nat'].add_chain('float-snat') self.ipv4['nat'].add_rule('snat', '-j $float-snat') # Add a mark chain to mangle PREROUTING chain. It is used to # identify ingress packets from a certain interface. self.ipv4['mangle'].add_chain('mark') self.ipv4['mangle'].add_rule('PREROUTING', '-j $mark')
def __init__(self, _execute=None, state_less=False, root_helper=None, use_ipv6=False, namespace=None, binary_name=binary_name): if _execute: self.execute = _execute else: self.execute = linux_utils.execute config.register_iptables_opts(cfg.CONF) self.use_ipv6 = use_ipv6 self.root_helper = root_helper self.namespace = namespace self.iptables_apply_deferred = False self.wrap_name = binary_name[:16] self.ipv4 = {'filter': IptablesTable(binary_name=self.wrap_name)} self.ipv6 = {'filter': IptablesTable(binary_name=self.wrap_name)} # Add a neutron-filter-top chain. It's intended to be shared # among the various neutron components. It sits at the very top # of FORWARD and OUTPUT. for tables in [self.ipv4, self.ipv6]: tables['filter'].add_chain('neutron-filter-top', wrap=False) tables['filter'].add_rule('FORWARD', '-j neutron-filter-top', wrap=False, top=True) tables['filter'].add_rule('OUTPUT', '-j neutron-filter-top', wrap=False, top=True) tables['filter'].add_chain('local') tables['filter'].add_rule('neutron-filter-top', '-j $local', wrap=False) # Wrap the built-in chains builtin_chains = {4: {'filter': ['INPUT', 'OUTPUT', 'FORWARD']}, 6: {'filter': ['INPUT', 'OUTPUT', 'FORWARD']}} if not state_less: self.ipv4.update( {'mangle': IptablesTable(binary_name=self.wrap_name)}) builtin_chains[4].update( {'mangle': ['PREROUTING', 'INPUT', 'FORWARD', 'OUTPUT', 'POSTROUTING']}) self.ipv4.update( {'nat': IptablesTable(binary_name=self.wrap_name)}) builtin_chains[4].update({'nat': ['PREROUTING', 'OUTPUT', 'POSTROUTING']}) self.ipv4.update( {'raw': IptablesTable(binary_name=self.wrap_name)}) builtin_chains[4].update({'raw': ['PREROUTING', 'OUTPUT']}) for ip_version in builtin_chains: if ip_version == 4: tables = self.ipv4 elif ip_version == 6: tables = self.ipv6 for table, chains in builtin_chains[ip_version].iteritems(): for chain in chains: tables[table].add_chain(chain) tables[table].add_rule(chain, '-j $%s' % (chain), wrap=False) if not state_less: # Add a neutron-postrouting-bottom chain. It's intended to be # shared among the various neutron components. We set it as the # last chain of POSTROUTING chain. self.ipv4['nat'].add_chain('neutron-postrouting-bottom', wrap=False) self.ipv4['nat'].add_rule('POSTROUTING', '-j neutron-postrouting-bottom', wrap=False) # We add a snat chain to the shared neutron-postrouting-bottom # chain so that it's applied last. self.ipv4['nat'].add_chain('snat') self.ipv4['nat'].add_rule('neutron-postrouting-bottom', '-j $snat', wrap=False, comment=ic.SNAT_OUT) # And then we add a float-snat chain and jump to first thing in # the snat chain. self.ipv4['nat'].add_chain('float-snat') self.ipv4['nat'].add_rule('snat', '-j $float-snat')