def on_deleted(path): """Invoked when a network rule is deleted.""" # Edge case, if the directory where the rules are kept gets removed, # abort if path == rulemgr.path: _LOGGER.critical('Network rules directory was removed: %r', path) utils.sys_exit(1) # The rule is the filename rule_file = os.path.basename(path) _LOGGER.info('Removing %r', rule_file) chain_rule = rulemgr.get_rule(rule_file) if chain_rule is not None: chain, rule = chain_rule iptables.delete_rule(rule, chain=chain) if isinstance(rule, fw.PassThroughRule): if passthrough[rule.src_ip] == 1: # Remove the IPs from the passthrough set passthrough.pop(rule.src_ip) _LOGGER.info('Removing passthrough %r', rule.src_ip) iptables.rm_ip_set(iptables.SET_PASSTHROUGHS, rule.src_ip) iptables.flush_pt_conntrack_table(rule.src_ip) else: passthrough[rule.src_ip] -= 1 else: _LOGGER.warning('Ignoring unparseable file %r', rule_file)
def test_rm_ip_set(self): """Test removal of IP from a given set""" # Disable W0212: Test access protected members of admin module. # pylint: disable=W0212 iptables.rm_ip_set('foo', '1.2.3.4') treadmill.iptables._ipset.assert_called_with('del', 'foo', '1.2.3.4')
def test_rm_ip_set(self): """Test removal of IP from a given set""" # Disable protected-access: Test access protected members . # pylint: disable=protected-access iptables.rm_ip_set('foo', '1.2.3.4') treadmill.iptables._ipset.assert_called_with('-exist', 'del', 'foo', '1.2.3.4')
def _delete_mark_rule(src_ip, environment): """Remove an environment mark from a source IP. :param ``str`` src_ip: Source IP on which the mark is set. :param ``str`` environment: Environment to use for the mark """ assert environment in _SET_BY_ENVIRONMENT, \ 'Unknown environment: %r' % environment target_set = _SET_BY_ENVIRONMENT[environment] iptables.rm_ip_set(target_set, src_ip)
def _cleanup_ports(tm_env, unique_name, vip, ports, proto): """Cleanup firewall rules for ports.""" for port in ports: # We treat ephemeral ports as infra, consistent with current # prodperim behavior. iptables.rm_ip_set( iptables.SET_INFRA_SVC, '{ip},{proto}:{port}'.format(ip=vip, proto=proto, port=port)) dnatrule = firewall.DNATRule(proto=proto, orig_ip=tm_env.host_ip, orig_port=port, new_ip=vip, new_port=port) tm_env.rules.unlink_rule(rule=dnatrule, owner=unique_name)
def _cleanup_network(tm_env, app, network_client): """Cleanup the network part of a container. """ # Generate a unique name for the app unique_name = appmgr.app_unique_name(app) try: app_network = network_client.get(unique_name) except services.ResourceServiceError: _LOGGER.warning('network never allocated') return if app_network is None: _LOGGER.info('Network resource already freed') return # Unconfigure passthrough if hasattr(app, 'passthrough'): _LOGGER.info('Deleting passthrough for: %r', app.passthrough) # Resolve all the hosts # FIXME: There is no guarantie the hosts will resolve to # the same IPs as they did during creation. ips = set([socket.gethostbyname(host) for host in app.passthrough]) for ip in ips: tm_env.rules.unlink_rule( rule=firewall.PassThroughRule(src_ip=ip, dst_ip=app_network['vip']), owner=unique_name, ) for endpoint in app.endpoints: tm_env.rules.unlink_rule( rule=firewall.DNATRule(proto=endpoint.proto, orig_ip=app.host_ip, orig_port=endpoint.real_port, new_ip=app_network['vip'], new_port=endpoint.port), owner=unique_name, ) # See if this was an "infra" endpoint and if so remove it # from the whitelist set. if getattr(endpoint, 'type', None) == 'infra': _LOGGER.debug('removing %s:%s from infra services set', app_network['vip'], endpoint.port) iptables.rm_ip_set( iptables.SET_INFRA_SVC, '{ip},{proto}:{port}'.format( ip=app_network['vip'], proto=endpoint.proto, port=endpoint.port, )) _cleanup_ports(tm_env, unique_name, app_network['vip'], app.ephemeral_ports.tcp, 'tcp') _cleanup_ports(tm_env, unique_name, app_network['vip'], app.ephemeral_ports.udp, 'udp') # Terminate any entries in the conntrack table iptables.flush_conntrack_table(app_network['vip']) # Cleanup network resources network_client.delete(unique_name)