def _provider_rules(self): """Generate a list of rules from provider for IP4 & IP6. Note: We could not use the common code from virt.firewall because XS doesn't accept the '-m multiport' option. """ ctxt = context.get_admin_context() ipv4_rules = [] ipv6_rules = [] rules = self._virtapi.provider_fw_rule_get_all(ctxt) for rule in rules: LOG.debug('Adding provider rule: %s', rule['cidr']) version = netutils.get_ip_version(rule['cidr']) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule['protocol'] if version == 6 and protocol == 'icmp': protocol = 'icmpv6' args = ['-p', protocol, '-s', rule['cidr']] if protocol in ['udp', 'tcp']: if rule['from_port'] == rule['to_port']: args += ['--dport', '%s' % (rule['from_port'],)] else: args += ['--dport', '%s:%s' % (rule['from_port'], rule['to_port'])] elif protocol == 'icmp': icmp_type = rule['from_port'] icmp_code = rule['to_port'] if icmp_type == -1: icmp_type_arg = None else: icmp_type_arg = '%s' % icmp_type if not icmp_code == -1: icmp_type_arg += '/%s' % icmp_code if icmp_type_arg: if version == 4: args += ['-m', 'icmp', '--icmp-type', icmp_type_arg] elif version == 6: args += ['-m', 'icmp6', '--icmpv6-type', icmp_type_arg] args += ['-j DROP'] fw_rules += [' '.join(args)] return ipv4_rules, ipv6_rules
def _provider_rules(self): """Generate a list of rules from provider for IP4 & IP6. Note: We could not use the common code from virt.firewall because XS doesn't accept the '-m multiport' option. """ ctxt = context.get_admin_context() ipv4_rules = [] ipv6_rules = [] rules = self._virtapi.provider_fw_rule_get_all(ctxt) for rule in rules: LOG.debug('Adding provider rule: %s', rule['cidr']) version = netutils.get_ip_version(rule['cidr']) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule['protocol'] if version == 6 and protocol == 'icmp': protocol = 'icmpv6' args = ['-p', protocol, '-s', rule['cidr']] if protocol in ['udp', 'tcp']: if rule['from_port'] == rule['to_port']: args += ['--dport', '%s' % (rule['from_port'], )] else: args += [ '--dport', '%s:%s' % (rule['from_port'], rule['to_port']) ] elif protocol == 'icmp': icmp_type = rule['from_port'] icmp_code = rule['to_port'] if icmp_type == -1: icmp_type_arg = None else: icmp_type_arg = '%s' % icmp_type if not icmp_code == -1: icmp_type_arg += '/%s' % icmp_code if icmp_type_arg: if version == 4: args += ['-m', 'icmp', '--icmp-type', icmp_type_arg] elif version == 6: args += ['-m', 'icmp6', '--icmpv6-type', icmp_type_arg] args += ['-j DROP'] fw_rules += [' '.join(args)] return ipv4_rules, ipv6_rules
def instance_rules(self, instance, network_info): ctxt = context.get_admin_context() if isinstance(instance, dict): # NOTE(danms): allow old-world instance objects from # unconverted callers; all we need is instance.uuid below instance = objects.Instance._from_db_object( ctxt, objects.Instance(), instance, []) ipv4_rules = [] ipv6_rules = [] # Initialize with basic rules self._do_basic_rules(ipv4_rules, ipv6_rules, network_info) # Set up rules to allow traffic to/from DHCP server self._do_dhcp_rules(ipv4_rules, network_info) # Allow project network traffic if CONF.allow_same_net_traffic: self._do_project_network_rules(ipv4_rules, ipv6_rules, network_info) # We wrap these in CONF.use_ipv6 because they might cause # a DB lookup. The other ones are just list operations, so # they're not worth the clutter. if CONF.use_ipv6: # Allow RA responses self._do_ra_rules(ipv6_rules, network_info) security_groups = objects.SecurityGroupList.get_by_instance( ctxt, instance) # then, security group chains and rules for security_group in security_groups: rules = objects.SecurityGroupRuleList.get_by_security_group( ctxt, security_group) for rule in rules: if not rule['cidr']: version = 4 else: version = netutils.get_ip_version(rule['cidr']) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule['protocol'] if protocol: protocol = rule['protocol'].lower() if version == 6 and protocol == 'icmp': protocol = 'icmpv6' args = ['-j ACCEPT'] if protocol: args += ['-p', protocol] if protocol in ['udp', 'tcp']: args += self._build_tcp_udp_rule(rule, version) elif protocol == 'icmp': args += self._build_icmp_rule(rule, version) if rule['cidr']: args += ['-s', str(rule['cidr'])] fw_rules += [' '.join(args)] else: if rule['grantee_group']: insts = (objects.InstanceList.get_by_security_group( ctxt, rule['grantee_group'])) for instance in insts: if instance.info_cache['deleted']: LOG.debug('ignoring deleted cache') continue nw_info = compute_utils.get_nw_info_for_instance( instance) ips = [ ip['address'] for ip in nw_info.fixed_ips() if ip['version'] == version ] LOG.debug('ips: %r', ips, instance=instance) for ip in ips: subrule = args + ['-s %s' % ip] fw_rules += [' '.join(subrule)] ipv4_rules += ['-j $sg-fallback'] ipv6_rules += ['-j $sg-fallback'] LOG.debug('Security Groups %s translated to ipv4: %r, ipv6: %r', security_groups, ipv4_rules, ipv6_rules, instance=instance) return ipv4_rules, ipv6_rules
def instance_rules(self, instance, network_info): ctxt = context.get_admin_context() if isinstance(instance, dict): # NOTE(danms): allow old-world instance objects from # unconverted callers; all we need is instance.uuid below instance = objects.Instance._from_db_object( ctxt, objects.Instance(), instance, []) ipv4_rules = [] ipv6_rules = [] # Initialize with basic rules self._do_basic_rules(ipv4_rules, ipv6_rules, network_info) # Set up rules to allow traffic to/from DHCP server self._do_dhcp_rules(ipv4_rules, network_info) # Allow project network traffic if CONF.allow_same_net_traffic: self._do_project_network_rules(ipv4_rules, ipv6_rules, network_info) # We wrap these in CONF.use_ipv6 because they might cause # a DB lookup. The other ones are just list operations, so # they're not worth the clutter. if CONF.use_ipv6: # Allow RA responses self._do_ra_rules(ipv6_rules, network_info) security_groups = objects.SecurityGroupList.get_by_instance( ctxt, instance) # then, security group chains and rules for security_group in security_groups: rules = objects.SecurityGroupRuleList.get_by_security_group( ctxt, security_group) for rule in rules: if not rule['cidr']: version = 4 else: version = netutils.get_ip_version(rule['cidr']) if version == 4: fw_rules = ipv4_rules else: fw_rules = ipv6_rules protocol = rule['protocol'] if protocol: protocol = rule['protocol'].lower() if version == 6 and protocol == 'icmp': protocol = 'icmpv6' args = ['-j ACCEPT'] if protocol: args += ['-p', protocol] if protocol in ['udp', 'tcp']: args += self._build_tcp_udp_rule(rule, version) elif protocol == 'icmp': args += self._build_icmp_rule(rule, version) if rule['cidr']: args += ['-s', str(rule['cidr'])] fw_rules += [' '.join(args)] else: if rule['grantee_group']: insts = ( objects.InstanceList.get_by_security_group( ctxt, rule['grantee_group'])) for instance in insts: if instance.info_cache['deleted']: LOG.debug('ignoring deleted cache') continue nw_info = compute_utils.get_nw_info_for_instance( instance) ips = [ip['address'] for ip in nw_info.fixed_ips() if ip['version'] == version] LOG.debug('ips: %r', ips, instance=instance) for ip in ips: subrule = args + ['-s %s' % ip] fw_rules += [' '.join(subrule)] ipv4_rules += ['-j $sg-fallback'] ipv6_rules += ['-j $sg-fallback'] LOG.debug('Security Groups %s translated to ipv4: %r, ipv6: %r', security_groups, ipv4_rules, ipv6_rules, instance=instance) return ipv4_rules, ipv6_rules