def filter_table_set(filter_in_nonprod_chain, filter_out_nonprod_chain):
    """Load the filter table chains from the given per-direction rule lists.

    NOTE: `SET_INFRA_SVC`, `SET_PROD_CONTAINERS`, `SET_NONPROD_CONTAINERS`
    and `_SET_CONTAINERS` must already exist before this is called
    (see `func:filter_sets_set`).

    :param filter_in_nonprod_chain:
        FORWARD filter rules for traffic going prod/nonprod -> non-prod.
    :param filter_out_nonprod_chain:
        FORWARD filter rules for traffic going non-prod -> prod/nonprod.
    """
    template_args = {
        'any_container': _SET_CONTAINERS,
        'infra_services': SET_INFRA_SVC,
        'nonprod_mark': _CONNTRACK_NONPROD_MARK,
        'prod_containers': SET_PROD_CONTAINERS,
        'nonprod_containers': SET_NONPROD_CONTAINERS,
        'filter_in_nonprod_chain': filter_in_nonprod_chain,
        'filter_out_nonprod_chain': filter_out_nonprod_chain,
        'filter_exception_chain': EXCEPTION_FILTER,
    }
    rendered_rules = templates.render(
        IPTABLES_FILTER_TABLE_RESTORE, **template_args
    )

    # iptables-restore flushes every chain it is handed, so the exception
    # chain is set up on its own first and the restore runs with noflush.
    # That is what gives the exception chain 'ensure exists' semantics: it is
    # created when missing, and whatever it already holds is not wiped by
    # this bulk load.
    create_chain('filter', EXCEPTION_FILTER)
    return _iptables_restore(rendered_rules, noflush=True)
def initialize_container():
    """Bulk load the Treadmill static iptables rules (container version).

    Only the empty default rule set is loaded here.  It is assumed that none
    but Treadmill manages these tables.
    """
    empty_rules = templates.render(IPTABLES_EMPTY_RESTORE)
    _iptables_restore(empty_rules)
def initialize_container():
    """Bulk load the Treadmill static iptables rules (container version).

    Moves the kernel's ephemeral port range out of the way of the
    PROD/NONPROD port ranges, then loads the empty default rule set.
    It is assumed that none but Treadmill manages these tables.
    """
    # Start the ephemeral range one above the highest port Treadmill hands
    # out, so locally bound sockets cannot land on a PROD/NONPROD port.
    ephemeral_low = max(NONPROD_PORT_HIGH, PROD_PORT_HIGH) + 1
    ephemeral_high = 65535  # kernel default upper bound
    netdev.net_conf_ip_port_range(ephemeral_low, ephemeral_high)

    empty_rules = templates.render(IPTABLES_EMPTY_RESTORE)
    _iptables_restore(empty_rules)
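def initialize(external_ip):
    """Initialize iptables firewall by bulk loading all the Treadmill static
    rules and enable ip forwarding

    It is assumed that none but Treadmill manages these tables.

    :param ``str`` external_ip: External IP to use with NAT rules
    :raises ValueError: if `external_ip` is not a plain IPv4/IPv6 address
        literal.
    """
    import ipaddress

    # `external_ip` is rendered verbatim into an iptables-restore script,
    # which is line-oriented text.  Reject anything that is not a bare
    # address literal (stray whitespace, a newline, a hostname) up front so a
    # bad value fails here instead of yielding a malformed or unintended NAT
    # rule set.  Validation only; the value itself is passed through as-is.
    ipaddress.ip_address(external_ip)

    # Exclude all *our* ports from the default ephemeral port range, so
    # host sockets never bind a port that DNAT/SNAT may hand to a container.
    netdev.net_conf_ip_port_range(
        max(NONPROD_PORT_HIGH, PROD_PORT_HIGH) + 1,  # Highest in PROD/NONPROD
        65535  # Default
    )

    # Ensure all the IPSets exists.
    ipsets_ensure_exist()

    # Do one time IPSet clean up.  The aggregate containers set is rebuilt
    # from the prod/nonprod sets; the infra service and vring sets start
    # empty and are repopulated by their owners afterwards (rules that
    # reference them match nothing until then, i.e. they fail closed).
    flush_set(_SET_CONTAINERS)
    add_ip_set(_SET_CONTAINERS, SET_PROD_CONTAINERS)
    add_ip_set(_SET_CONTAINERS, SET_NONPROD_CONTAINERS)
    flush_set(SET_INFRA_SVC)
    flush_set(SET_VRING_CONTAINERS)

    iptables_state = templates.render(
        IPTABLES_HOST_RESTORE,
        any_container=_SET_CONTAINERS,
        dnat_chain=PREROUTING_DNAT,
        external_ip=external_ip,
        nodes=SET_TM_NODES,
        nonprod_containers=SET_NONPROD_CONTAINERS,
        nonprod_high=NONPROD_PORT_HIGH,
        nonprod_low=NONPROD_PORT_LOW,
        nonprod_mark=_CONNTRACK_NONPROD_MARK,
        passthroughs=SET_PASSTHROUGHS,
        passthrough_chain=PREROUTING_PASSTHROUGH,
        prod_containers=SET_PROD_CONTAINERS,
        prod_high=PROD_PORT_HIGH,
        prod_low=PROD_PORT_LOW,
        prod_mark=_CONNTRACK_PROD_MARK,
        prod_sources=SET_PROD_SOURCES,
        snat_chain=POSTROUTING_SNAT,
        vring_containers=SET_VRING_CONTAINERS,
        vring_dnat_chain=VRING_DNAT,
        vring_snat_chain=VRING_SNAT,
        infra_inbound=SET_INFRA_INBOUND,
        # NOTE(review): the *outbound* template slot is fed from the
        # *inbound* set.  If this module defines a separate outbound infra
        # set it almost certainly belongs here; otherwise the outbound
        # rules are gated by the inbound allow-list.  Confirm against
        # IPTABLES_HOST_RESTORE before changing.
        infra_outbound=SET_INFRA_INBOUND,
    )
    _iptables_restore(iptables_state)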
def ipsets_ensure_exist():
    """Create all the IPSets the host rules reference.

    Renders the host IPSet restore template with every set name used by the
    host iptables rules and hands it to `ipset_restore`.
    """
    set_names = {
        'any_container': _SET_CONTAINERS,
        'infra_services': SET_INFRA_SVC,
        'passthroughs': SET_PASSTHROUGHS,
        'nodes': SET_TM_NODES,
        'nonprod_containers': SET_NONPROD_CONTAINERS,
        'prod_containers': SET_PROD_CONTAINERS,
        'prod_sources': SET_PROD_SOURCES,
        'vring_containers': SET_VRING_CONTAINERS,
    }
    rendered_sets = templates.render(IPSET_HOST_RESTORE, **set_names)
    ipset_restore(rendered_sets)