def setup_basic_filtering(self, instance, network_info=None):
    """Set up basic filtering (MAC, IP, and ARP spoofing protection)

    Defines one per-NIC nwfilter for ``instance`` whose only child is the
    base filter: ``nova-vpn`` when the instance's ``image_ref`` equals
    ``FLAGS.vpn_image_id``, otherwise ``nova-base``. When this backend also
    handles security groups the method returns right after resolving
    ``network_info``, because the complete filter set defined on the
    security-group path supersedes the basic one. ``network_info`` is
    looked up through netutils when not supplied.
    """
    logging.info('called setup_basic_filtering in nwfilter')
    if not network_info:
        network_info = netutils.get_network_info(instance)
    # The security-group path defines a superset of these filters, so a
    # basic-only set would only be overwritten.
    if self.handle_security_groups:
        return
    logging.info('ensuring static filters')
    self._ensure_static_filters()
    is_vpn_image = instance['image_ref'] == str(FLAGS.vpn_image_id)
    base_filter = 'nova-vpn' if is_vpn_image else 'nova-base'
    for _network, mapping in network_info:
        # Per-NIC filter names are derived from the MAC without colons.
        mac_suffix = mapping['mac'].replace(':', '')
        filter_name = self._instance_filter_name(instance, mac_suffix)
        container = self._filter_container(filter_name, [base_filter])
        self._define_filter(container)
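def unfilter_instance(self, instance, network_info=None):
    """Clear out the nwfilter rules.

    Undefines the per-NIC filters of ``instance`` (one per MAC in
    ``network_info``, looked up through netutils when not supplied) and
    then its ``<instance filter>-secgroup`` container. A filter that
    libvirt reports as not found is logged at debug level and skipped;
    any other libvirt error is logged at error level and likewise skipped,
    so a partially torn-down set never raises back to the caller.
    """
    if not network_info:
        network_info = netutils.get_network_info(instance)
    instance_name = instance.name
    for (network, mapping) in network_info:
        nic_id = mapping['mac'].replace(':', '')
        instance_filter_name = self._instance_filter_name(instance, nic_id)
        try:
            self._conn.nwfilterLookupByName(instance_filter_name).undefine()
        except libvirt.libvirtError as err:
            # Only a missing filter is routine. Every other libvirt error
            # (e.g. refusing to undefine a filter still in use) used to fall
            # into the same debug message, hiding filters that stayed defined.
            if err.get_error_code() == libvirt.VIR_ERR_NO_NWFILTER:
                LOG.debug(_('The nwfilter(%(instance_filter_name)s) '
                            'for %(instance_name)s is not found.')
                          % {'instance_filter_name': instance_filter_name,
                             'instance_name': instance_name})
            else:
                LOG.error(_('Failed to undefine nwfilter '
                            '%(instance_filter_name)s for '
                            '%(instance_name)s: %(err)s')
                          % {'instance_filter_name': instance_filter_name,
                             'instance_name': instance_name,
                             'err': err})
    instance_secgroup_filter_name = \
        '%s-secgroup' % (self._instance_filter_name(instance))
    try:
        self._conn.nwfilterLookupByName(instance_secgroup_filter_name).undefine()
    except libvirt.libvirtError as err:
        if err.get_error_code() == libvirt.VIR_ERR_NO_NWFILTER:
            LOG.debug(_('The nwfilter(%(instance_secgroup_filter_name)s) '
                        'for %(instance_name)s is not found.')
                      % {'instance_secgroup_filter_name':
                         instance_secgroup_filter_name,
                         'instance_name': instance_name})
        else:
            LOG.error(_('Failed to undefine nwfilter '
                        '%(instance_secgroup_filter_name)s for '
                        '%(instance_name)s: %(err)s')
                      % {'instance_secgroup_filter_name':
                         instance_secgroup_filter_name,
                         'instance_name': instance_name,
                         'err': err})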
def setup_basic_filtering(self, instance, network_info=None):
    """Set up basic filtering (MAC, IP, and ARP spoofing protection)

    Defines one per-NIC nwfilter for ``instance`` whose only child is the
    base filter: ``nova-vpn`` when the instance's ``image_ref`` equals
    ``FLAGS.vpn_image_id``, otherwise ``nova-base``. When this backend also
    handles security groups the method returns right after resolving
    ``network_info``, because the complete filter set defined on the
    security-group path supersedes the basic one. ``network_info`` is
    looked up through netutils when not supplied.
    """
    logging.info('called setup_basic_filtering in nwfilter')
    if not network_info:
        network_info = netutils.get_network_info(instance)
    # The security-group path defines a superset of these filters, so a
    # basic-only set would only be overwritten.
    if self.handle_security_groups:
        return
    logging.info('ensuring static filters')
    self._ensure_static_filters()
    is_vpn_image = instance['image_ref'] == str(FLAGS.vpn_image_id)
    base_filter = 'nova-vpn' if is_vpn_image else 'nova-base'
    for _network, mapping in network_info:
        # Per-NIC filter names are derived from the MAC without colons.
        mac_suffix = mapping['mac'].replace(':', '')
        filter_name = self._instance_filter_name(instance, mac_suffix)
        container = self._filter_container(filter_name, [base_filter])
        self._define_filter(container)
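def do_refresh_security_group_rules(self, security_group, network_info=None):
    """Rebuild the filters of every instance tracked in ``self.instances``.

    For each instance the existing filters are removed and re-added.
    ``security_group`` is accepted for interface compatibility but not
    consulted: every tracked instance is refreshed. When ``network_info``
    is not supplied it is looked up through netutils separately for each
    instance -- the previous version cached the first instance's lookup in
    the shared variable and then applied it to every later instance.
    """
    for instance in self.instances.values():
        self.remove_filters_for_instance(instance)
        # Keep the per-call lookup in its own name so one instance's
        # network info is never reused for the next one.
        instance_network_info = network_info
        if not instance_network_info:
            instance_network_info = netutils.get_network_info(instance)
        self.add_filters_for_instance(instance, instance_network_info)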
def setup_basic_filtering(self, instance, network_info=None):
    """Set up provider rules and basic NWFilter.

    Delegates the per-NIC anti-spoofing filter to ``self.nwfilter`` and,
    the first time this driver is used, loads the provider firewall rules
    and records that in ``self.basicly_filtered`` so later calls skip the
    refresh. ``network_info`` is looked up through netutils when not given.
    """
    if not network_info:
        network_info = netutils.get_network_info(instance)
    self.nwfilter.setup_basic_filtering(instance, network_info)
    if self.basicly_filtered:
        return
    LOG.debug(_('iptables firewall: Setup Basic Filtering'))
    self.refresh_provider_fw_rules()
    self.basicly_filtered = True
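def instance_filter_exists(self, instance):
    """Check nova-instance-instance-xxx exists

    Looks up through libvirt the per-NIC nwfilter of every MAC in the
    instance's network info (fetched via netutils). Returns False at the
    first filter libvirt cannot find -- any libvirtError from the lookup is
    treated as "not found" -- and True otherwise, including vacuously when
    the instance has no NICs.
    """
    network_info = netutils.get_network_info(instance)
    for (network, mapping) in network_info:
        nic_id = mapping["mac"].replace(":", "")
        instance_filter_name = self._instance_filter_name(instance, nic_id)
        try:
            self._conn.nwfilterLookupByName(instance_filter_name)
        except libvirt.libvirtError:
            # The previous message ran "for" and the instance name together.
            LOG.debug(_("The nwfilter(%(instance_filter_name)s) for "
                        "%(name)s is not found.")
                      % {"instance_filter_name": instance_filter_name,
                         "name": instance.name})
            return False
    return True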
def prepare_instance_filter(self, instance, network_info=None):
    """Creates an NWFilter for the given instance.

    In the process, it makes sure the filters for the provider blocks,
    security groups, and base filter are all in place.

    Steps, in order: refresh the provider rules; build the
    ``<instance filter>-secgroup`` container from the base IPv4/IPv6
    filters, the DHCP-server allow filter, the RA-server allow filter
    (only with ``FLAGS.use_ipv6`` and at least one network whose
    ``gateway_v6`` is set) and one ``nova-secgroup-<id>`` filter per
    security group of the instance, refreshing each group's rules first;
    define that container; then define the per-network filters built by
    ``_create_network_filters``. ``network_info`` is looked up through
    netutils when not supplied.
    """
    if not network_info:
        network_info = netutils.get_network_info(instance)
    self.refresh_provider_fw_rules()
    ctxt = context.get_admin_context()

    secgroup_filter_name = '%s-secgroup' % (self._instance_filter_name(instance))
    children = ['nova-base-ipv4', 'nova-base-ipv6', 'nova-allow-dhcp-server']
    if FLAGS.use_ipv6:
        v6_networks = [network for (network, _m) in network_info
                       if network['gateway_v6']]
        if v6_networks:
            children.append('nova-allow-ra-server')

    groups = db.security_group_get_by_instance(ctxt, instance['id'])
    for security_group in groups:
        group_id = security_group['id']
        self.refresh_security_group_rules(group_id)
        children.append('nova-secgroup-%s' % group_id)

    self._define_filter(self._filter_container(secgroup_filter_name, children))

    # NOTE(review): the container above goes through _define_filter while the
    # per-network filters use _define_filters (plural) -- confirm both exist.
    network_filters = self._create_network_filters(instance, network_info,
                                                   secgroup_filter_name)
    for (name, filter_children) in network_filters:
        self._define_filters(name, filter_children)
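def instance_filter_exists(self, instance):
    """Check nova-instance-instance-xxx exists

    Looks up through libvirt the per-NIC nwfilter of every MAC in the
    instance's network info (fetched via netutils). Returns False at the
    first filter libvirt cannot find -- any libvirtError from the lookup is
    treated as "not found" -- and True otherwise, including vacuously when
    the instance has no NICs.
    """
    network_info = netutils.get_network_info(instance)
    for (network, mapping) in network_info:
        nic_id = mapping['mac'].replace(':', '')
        instance_filter_name = self._instance_filter_name(instance, nic_id)
        try:
            self._conn.nwfilterLookupByName(instance_filter_name)
        except libvirt.libvirtError:
            # The previous message ran "for" and the instance name together.
            LOG.debug(_('The nwfilter(%(instance_filter_name)s) for '
                        '%(name)s is not found.')
                      % {'instance_filter_name': instance_filter_name,
                         'name': instance.name})
            return False
    return True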
def prepare_instance_filter(self, instance, network_info=None):
    """Creates an NWFilter for the given instance.

    In the process, it makes sure the filters for the provider blocks,
    security groups, and base filter are all in place.

    Steps, in order: refresh the provider rules; build the
    ``<instance filter>-secgroup`` container from the base IPv4/IPv6
    filters, the DHCP-server allow filter, the RA-server allow filter
    (only with ``FLAGS.use_ipv6`` and at least one network whose
    ``gateway_v6`` is set) and one ``nova-secgroup-<id>`` filter per
    security group of the instance, refreshing each group's rules first;
    define that container; then define the per-network filters built by
    ``_create_network_filters``. ``network_info`` is looked up through
    netutils when not supplied.
    """
    if not network_info:
        network_info = netutils.get_network_info(instance)
    self.refresh_provider_fw_rules()
    ctxt = context.get_admin_context()

    secgroup_filter_name = '%s-secgroup' % (self._instance_filter_name(instance))
    children = ['nova-base-ipv4', 'nova-base-ipv6', 'nova-allow-dhcp-server']
    if FLAGS.use_ipv6:
        v6_networks = [network for (network, _m) in network_info
                       if network['gateway_v6']]
        if v6_networks:
            children.append('nova-allow-ra-server')

    groups = db.security_group_get_by_instance(ctxt, instance['id'])
    for security_group in groups:
        group_id = security_group['id']
        self.refresh_security_group_rules(group_id)
        children.append('nova-secgroup-%s' % group_id)

    self._define_filter(self._filter_container(secgroup_filter_name, children))

    # NOTE(review): the container above goes through _define_filter while the
    # per-network filters use _define_filters (plural) -- confirm both exist.
    network_filters = self._create_network_filters(instance, network_info,
                                                   secgroup_filter_name)
    for (name, filter_children) in network_filters:
        self._define_filters(name, filter_children)
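def unfilter_instance(self, instance, network_info=None):
    """Clear out the nwfilter rules.

    Undefines the per-NIC filters of ``instance`` (one per MAC in
    ``network_info``, looked up through netutils when not supplied) and
    then its ``<instance filter>-secgroup`` container. A filter that
    libvirt reports as not found is logged at debug level and skipped;
    any other libvirt error is logged at error level and likewise skipped,
    so a partially torn-down set never raises back to the caller.
    """
    if not network_info:
        network_info = netutils.get_network_info(instance)
    instance_name = instance.name
    for (network, mapping) in network_info:
        nic_id = mapping["mac"].replace(":", "")
        instance_filter_name = self._instance_filter_name(instance, nic_id)
        try:
            self._conn.nwfilterLookupByName(instance_filter_name).undefine()
        except libvirt.libvirtError as err:
            # Only a missing filter is routine. Every other libvirt error
            # (e.g. refusing to undefine a filter still in use) used to fall
            # into the same debug message, hiding filters that stayed defined.
            if err.get_error_code() == libvirt.VIR_ERR_NO_NWFILTER:
                LOG.debug(_("The nwfilter(%(instance_filter_name)s) "
                            "for %(instance_name)s is not found.")
                          % {"instance_filter_name": instance_filter_name,
                             "instance_name": instance_name})
            else:
                LOG.error(_("Failed to undefine nwfilter "
                            "%(instance_filter_name)s for "
                            "%(instance_name)s: %(err)s")
                          % {"instance_filter_name": instance_filter_name,
                             "instance_name": instance_name,
                             "err": err})
    instance_secgroup_filter_name = "%s-secgroup" % (self._instance_filter_name(instance))
    try:
        self._conn.nwfilterLookupByName(instance_secgroup_filter_name).undefine()
    except libvirt.libvirtError as err:
        if err.get_error_code() == libvirt.VIR_ERR_NO_NWFILTER:
            LOG.debug(_("The nwfilter(%(instance_secgroup_filter_name)s) "
                        "for %(instance_name)s is not found.")
                      % {"instance_secgroup_filter_name":
                         instance_secgroup_filter_name,
                         "instance_name": instance_name})
        else:
            LOG.error(_("Failed to undefine nwfilter "
                        "%(instance_secgroup_filter_name)s for "
                        "%(instance_name)s: %(err)s")
                      % {"instance_secgroup_filter_name":
                         instance_secgroup_filter_name,
                         "instance_name": instance_name,
                         "err": err})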
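def unfilter_instance(self, instance):
    """Clear out the nwfilter rules.

    Undefines the per-NIC filters of ``instance`` (one per MAC in the
    network info fetched through netutils) and then its
    ``<instance filter>-secgroup`` container. A filter that libvirt
    reports as not found is logged at debug level and skipped; any other
    libvirt error is logged at error level and likewise skipped, so a
    partially torn-down set never raises back to the caller.
    """
    network_info = netutils.get_network_info(instance)
    instance_name = instance.name
    for (network, mapping) in network_info:
        nic_id = mapping['mac'].replace(':', '')
        instance_filter_name = self._instance_filter_name(instance, nic_id)
        try:
            self._conn.nwfilterLookupByName(instance_filter_name).undefine()
        except libvirt.libvirtError as err:
            # Only a missing filter is routine. Every other libvirt error
            # (e.g. refusing to undefine a filter still in use) used to fall
            # into the same debug message, hiding filters that stayed defined.
            if err.get_error_code() == libvirt.VIR_ERR_NO_NWFILTER:
                LOG.debug(_('The nwfilter(%(instance_filter_name)s) '
                            'for %(instance_name)s is not found.')
                          % {'instance_filter_name': instance_filter_name,
                             'instance_name': instance_name})
            else:
                LOG.error(_('Failed to undefine nwfilter '
                            '%(instance_filter_name)s for '
                            '%(instance_name)s: %(err)s')
                          % {'instance_filter_name': instance_filter_name,
                             'instance_name': instance_name,
                             'err': err})
    instance_secgroup_filter_name = \
        '%s-secgroup' % (self._instance_filter_name(instance))
    try:
        self._conn.nwfilterLookupByName(instance_secgroup_filter_name).undefine()
    except libvirt.libvirtError as err:
        if err.get_error_code() == libvirt.VIR_ERR_NO_NWFILTER:
            LOG.debug(_('The nwfilter(%(instance_secgroup_filter_name)s) '
                        'for %(instance_name)s is not found.')
                      % {'instance_secgroup_filter_name':
                         instance_secgroup_filter_name,
                         'instance_name': instance_name})
        else:
            LOG.error(_('Failed to undefine nwfilter '
                        '%(instance_secgroup_filter_name)s for '
                        '%(instance_name)s: %(err)s')
                      % {'instance_secgroup_filter_name':
                         instance_secgroup_filter_name,
                         'instance_name': instance_name,
                         'err': err})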
def prepare_instance_filter(self, instance, network_info=None):
    """Register ``instance`` with this driver and install its iptables filters.

    Records the instance under its id in ``self.instances`` (the map a
    later security-group refresh walks to rebuild filters), adds the
    instance's filter rules and applies the pending iptables changes.
    ``network_info`` is looked up through netutils when not supplied.
    """
    if not network_info:
        network_info = netutils.get_network_info(instance)
    instance_id = instance['id']
    self.instances[instance_id] = instance
    self.add_filters_for_instance(instance, network_info)
    self.iptables.apply()
def instance_rules(self, instance, network_info=None):
    """Build the per-instance iptables rule lists for IPv4 and IPv6.

    Returns ``(ipv4_rules, ipv6_rules)``, two lists of iptables rule
    strings in the order they are appended here:

    1. drop INVALID packets, accept ESTABLISHED/RELATED;
    2. jump to ``$provider`` (provider-wide drops; the ``$`` placeholder
       is presumably substituted by the caller -- it is not resolved here);
    3. IPv4: accept DHCP replies (udp 67 -> 68) from each network's
       ``gateway`` and, with ``FLAGS.allow_project_net_traffic``, anything
       from each network's ``cidr``;
    4. IPv6 (only with ``FLAGS.use_ipv6``): accept icmpv6 from each
       ``gateway6`` (router advertisements) and, with
       ``allow_project_net_traffic``, anything from each ``cidr_v6``;
    5. one ACCEPT per security-group rule of the instance, matched on the
       rule's CIDR, protocol and port range / ICMP type and code;
    6. a final jump to ``$sg-fallback``.

    Security-group rules without a ``cidr`` (grants keyed by source group)
    are skipped, so such grants are not enforced by this function.
    ``network_info`` is looked up through netutils when not supplied; the
    security groups and their rules are read from the database under an
    admin context.
    """
    if not network_info:
        network_info = netutils.get_network_info(instance)
    ctxt = context.get_admin_context()
    ipv4_rules = []
    ipv6_rules = []
    # Always drop invalid packets
    ipv4_rules += ["-m state --state " "INVALID -j DROP"]
    ipv6_rules += ["-m state --state " "INVALID -j DROP"]
    # Allow established connections
    ipv4_rules += ["-m state --state ESTABLISHED,RELATED -j ACCEPT"]
    ipv6_rules += ["-m state --state ESTABLISHED,RELATED -j ACCEPT"]
    # Pass through provider-wide drops
    ipv4_rules += ["-j $provider"]
    ipv6_rules += ["-j $provider"]
    # DHCP replies are accepted only from each network's gateway.
    dhcp_servers = [info["gateway"] for (_n, info) in network_info]
    for dhcp_server in dhcp_servers:
        ipv4_rules.append("-s %s -p udp --sport 67 --dport 68 "
                          "-j ACCEPT" % (dhcp_server,))
    # Allow project network traffic
    if FLAGS.allow_project_net_traffic:
        cidrs = [network["cidr"] for (network, _m) in network_info]
        for cidr in cidrs:
            ipv4_rules.append("-s %s -j ACCEPT" % (cidr,))
    # We wrap these in FLAGS.use_ipv6 because they might cause
    # a DB lookup. The other ones are just list operations, so
    # they're not worth the clutter.
    if FLAGS.use_ipv6:
        # Allow RA responses
        gateways_v6 = [mapping["gateway6"] for (_n, mapping) in network_info]
        for gateway_v6 in gateways_v6:
            ipv6_rules.append("-s %s/128 -p icmpv6 -j ACCEPT" % (gateway_v6,))
        # Allow project network traffic
        if FLAGS.allow_project_net_traffic:
            cidrv6s = [network["cidr_v6"] for (network, _m) in network_info]
            for cidrv6 in cidrv6s:
                ipv6_rules.append("-s %s -j ACCEPT" % (cidrv6,))
    security_groups = db.security_group_get_by_instance(ctxt, instance["id"])
    # then, security group chains and rules
    for security_group in security_groups:
        rules = db.security_group_rule_get_by_security_group(ctxt, security_group["id"])
        for rule in rules:
            LOG.debug(_("Adding security group rule: %r"), rule)
            if not rule.cidr:
                # Eventually, a mechanism to grant access for security
                # groups will turn up here. It'll use ipsets.
                continue
            # The rule's CIDR decides which family's list it lands in.
            version = netutils.get_ip_version(rule.cidr)
            if version == 4:
                fw_rules = ipv4_rules
            else:
                fw_rules = ipv6_rules
            # NOTE(review): a rule whose protocol is None would put None into
            # args and break the join below -- confirm the API layer always
            # stores a protocol string.
            protocol = rule.protocol
            if version == 6 and rule.protocol == "icmp":
                protocol = "icmpv6"
            args = ["-p", protocol, "-s", rule.cidr]
            if rule.protocol in ["udp", "tcp"]:
                if rule.from_port == rule.to_port:
                    args += ["--dport", "%s" % (rule.from_port,)]
                else:
                    args += ["-m", "multiport", "--dports", "%s:%s" % (rule.from_port, rule.to_port)]
            elif rule.protocol == "icmp":
                # For ICMP, from_port/to_port carry the type and code; -1
                # means "any" and emits no match. A code is only emitted
                # together with a type.
                icmp_type = rule.from_port
                icmp_code = rule.to_port
                if icmp_type == -1:
                    icmp_type_arg = None
                else:
                    icmp_type_arg = "%s" % icmp_type
                    if not icmp_code == -1:
                        icmp_type_arg += "/%s" % icmp_code
                if icmp_type_arg:
                    if version == 4:
                        args += ["-m", "icmp", "--icmp-type", icmp_type_arg]
                    elif version == 6:
                        args += ["-m", "icmp6", "--icmpv6-type", icmp_type_arg]
            args += ["-j ACCEPT"]
            fw_rules += [" ".join(args)]
    # Anything not accepted above falls through to the shared fallback chain.
    ipv4_rules += ["-j $sg-fallback"]
    ipv6_rules += ["-j $sg-fallback"]
    return ipv4_rules, ipv6_rules
def instance_rules(self, instance, network_info=None):
    """Build the per-instance iptables rule lists for IPv4 and IPv6.

    Returns ``(ipv4_rules, ipv6_rules)``, two lists of iptables rule
    strings in the order they are appended here:

    1. drop INVALID packets, accept ESTABLISHED/RELATED;
    2. jump to ``$provider`` (provider-wide drops; the ``$`` placeholder
       is presumably substituted by the caller -- it is not resolved here);
    3. IPv4: accept DHCP replies (udp 67 -> 68) from each network's
       ``gateway`` and, with ``FLAGS.allow_project_net_traffic``, anything
       from each network's ``cidr``;
    4. IPv6 (only with ``FLAGS.use_ipv6``): accept icmpv6 from each
       ``gateway6`` (router advertisements) and, with
       ``allow_project_net_traffic``, anything from each ``cidr_v6``;
    5. one ACCEPT per security-group rule of the instance, matched on the
       rule's CIDR, protocol and port range / ICMP type and code;
    6. a final jump to ``$sg-fallback``.

    Security-group rules without a ``cidr`` (grants keyed by source group)
    are skipped, so such grants are not enforced by this function.
    ``network_info`` is looked up through netutils when not supplied; the
    security groups and their rules are read from the database under an
    admin context.
    """
    if not network_info:
        network_info = netutils.get_network_info(instance)
    ctxt = context.get_admin_context()
    ipv4_rules = []
    ipv6_rules = []
    # Always drop invalid packets
    ipv4_rules += ['-m state --state ' 'INVALID -j DROP']
    ipv6_rules += ['-m state --state ' 'INVALID -j DROP']
    # Allow established connections
    ipv4_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
    ipv6_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
    # Pass through provider-wide drops
    ipv4_rules += ['-j $provider']
    ipv6_rules += ['-j $provider']
    # DHCP replies are accepted only from each network's gateway.
    dhcp_servers = [info['gateway'] for (_n, info) in network_info]
    for dhcp_server in dhcp_servers:
        ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 '
                          '-j ACCEPT' % (dhcp_server, ))
    # Allow project network traffic
    if FLAGS.allow_project_net_traffic:
        cidrs = [network['cidr'] for (network, _m) in network_info]
        for cidr in cidrs:
            ipv4_rules.append('-s %s -j ACCEPT' % (cidr, ))
    # We wrap these in FLAGS.use_ipv6 because they might cause
    # a DB lookup. The other ones are just list operations, so
    # they're not worth the clutter.
    if FLAGS.use_ipv6:
        # Allow RA responses
        gateways_v6 = [
            mapping['gateway6'] for (_n, mapping) in network_info
        ]
        for gateway_v6 in gateways_v6:
            ipv6_rules.append('-s %s/128 -p icmpv6 -j ACCEPT' % (gateway_v6, ))
        # Allow project network traffic
        if FLAGS.allow_project_net_traffic:
            cidrv6s = [
                network['cidr_v6'] for (network, _m) in network_info
            ]
            for cidrv6 in cidrv6s:
                ipv6_rules.append('-s %s -j ACCEPT' % (cidrv6, ))
    security_groups = db.security_group_get_by_instance(
        ctxt, instance['id'])
    # then, security group chains and rules
    for security_group in security_groups:
        rules = db.security_group_rule_get_by_security_group(
            ctxt, security_group['id'])
        for rule in rules:
            LOG.debug(_('Adding security group rule: %r'), rule)
            if not rule.cidr:
                # Eventually, a mechanism to grant access for security
                # groups will turn up here. It'll use ipsets.
                continue
            # The rule's CIDR decides which family's list it lands in.
            version = netutils.get_ip_version(rule.cidr)
            if version == 4:
                fw_rules = ipv4_rules
            else:
                fw_rules = ipv6_rules
            # NOTE(review): a rule whose protocol is None would put None into
            # args and break the join below -- confirm the API layer always
            # stores a protocol string.
            protocol = rule.protocol
            if version == 6 and rule.protocol == 'icmp':
                protocol = 'icmpv6'
            args = ['-p', protocol, '-s', rule.cidr]
            if rule.protocol in ['udp', 'tcp']:
                if rule.from_port == rule.to_port:
                    args += ['--dport', '%s' % (rule.from_port, )]
                else:
                    args += [
                        '-m', 'multiport', '--dports',
                        '%s:%s' % (rule.from_port, rule.to_port)
                    ]
            elif rule.protocol == 'icmp':
                # For ICMP, from_port/to_port carry the type and code; -1
                # means "any" and emits no match. A code is only emitted
                # together with a type.
                icmp_type = rule.from_port
                icmp_code = rule.to_port
                if icmp_type == -1:
                    icmp_type_arg = None
                else:
                    icmp_type_arg = '%s' % icmp_type
                    if not icmp_code == -1:
                        icmp_type_arg += '/%s' % icmp_code
                if icmp_type_arg:
                    if version == 4:
                        args += [
                            '-m', 'icmp', '--icmp-type', icmp_type_arg
                        ]
                    elif version == 6:
                        args += [
                            '-m', 'icmp6', '--icmpv6-type', icmp_type_arg
                        ]
            args += ['-j ACCEPT']
            fw_rules += [' '.join(args)]
    # Anything not accepted above falls through to the shared fallback chain.
    ipv4_rules += ['-j $sg-fallback']
    ipv6_rules += ['-j $sg-fallback']
    return ipv4_rules, ipv6_rules
def instance_rules(self, instance, network_info=None):
    """Build the per-instance iptables rule lists for IPv4 and IPv6.

    Returns ``(ipv4_rules, ipv6_rules)``, two lists of iptables rule
    strings in the order they are appended here:

    1. drop INVALID packets, accept ESTABLISHED/RELATED;
    2. jump to ``$provider`` (provider-wide drops; the ``$`` placeholder
       is presumably substituted by the caller -- it is not resolved here);
    3. IPv4: accept DHCP replies (udp 67 -> 68) from each network's
       ``gateway`` and, with ``FLAGS.allow_project_net_traffic``, anything
       from each network's ``cidr``;
    4. IPv6 (only with ``FLAGS.use_ipv6``): accept icmpv6 from each
       ``gateway6`` (router advertisements) and, with
       ``allow_project_net_traffic``, anything from each ``cidr_v6``;
    5. one ACCEPT per security-group rule of the instance, matched on the
       rule's CIDR, protocol and port range / ICMP type and code;
    6. a final jump to ``$sg-fallback``.

    Security-group rules without a ``cidr`` (grants keyed by source group)
    are skipped, so such grants are not enforced by this function.
    ``network_info`` is looked up through netutils when not supplied; the
    security groups and their rules are read from the database under an
    admin context.
    """
    if not network_info:
        network_info = netutils.get_network_info(instance)
    ctxt = context.get_admin_context()
    ipv4_rules = []
    ipv6_rules = []
    # Always drop invalid packets
    ipv4_rules += ['-m state --state ' 'INVALID -j DROP']
    ipv6_rules += ['-m state --state ' 'INVALID -j DROP']
    # Allow established connections
    ipv4_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
    ipv6_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
    # Pass through provider-wide drops
    ipv4_rules += ['-j $provider']
    ipv6_rules += ['-j $provider']
    # DHCP replies are accepted only from each network's gateway.
    dhcp_servers = [info['gateway'] for (_n, info) in network_info]
    for dhcp_server in dhcp_servers:
        ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 '
                          '-j ACCEPT' % (dhcp_server,))
    # Allow project network traffic
    if FLAGS.allow_project_net_traffic:
        cidrs = [network['cidr'] for (network, _m) in network_info]
        for cidr in cidrs:
            ipv4_rules.append('-s %s -j ACCEPT' % (cidr,))
    # We wrap these in FLAGS.use_ipv6 because they might cause
    # a DB lookup. The other ones are just list operations, so
    # they're not worth the clutter.
    if FLAGS.use_ipv6:
        # Allow RA responses
        gateways_v6 = [mapping['gateway6'] for (_n, mapping) in network_info]
        for gateway_v6 in gateways_v6:
            ipv6_rules.append(
                '-s %s/128 -p icmpv6 -j ACCEPT' % (gateway_v6,))
        # Allow project network traffic
        if FLAGS.allow_project_net_traffic:
            cidrv6s = [network['cidr_v6'] for (network, _m) in network_info]
            for cidrv6 in cidrv6s:
                ipv6_rules.append('-s %s -j ACCEPT' % (cidrv6,))
    security_groups = db.security_group_get_by_instance(ctxt, instance['id'])
    # then, security group chains and rules
    for security_group in security_groups:
        rules = db.security_group_rule_get_by_security_group(ctxt, security_group['id'])
        for rule in rules:
            LOG.debug(_('Adding security group rule: %r'), rule)
            if not rule.cidr:
                # Eventually, a mechanism to grant access for security
                # groups will turn up here. It'll use ipsets.
                continue
            # The rule's CIDR decides which family's list it lands in.
            version = netutils.get_ip_version(rule.cidr)
            if version == 4:
                fw_rules = ipv4_rules
            else:
                fw_rules = ipv6_rules
            # NOTE(review): a rule whose protocol is None would put None into
            # args and break the join below -- confirm the API layer always
            # stores a protocol string.
            protocol = rule.protocol
            if version == 6 and rule.protocol == 'icmp':
                protocol = 'icmpv6'
            args = ['-p', protocol, '-s', rule.cidr]
            if rule.protocol in ['udp', 'tcp']:
                if rule.from_port == rule.to_port:
                    args += ['--dport', '%s' % (rule.from_port,)]
                else:
                    args += ['-m', 'multiport', '--dports',
                             '%s:%s' % (rule.from_port, rule.to_port)]
            elif rule.protocol == 'icmp':
                # For ICMP, from_port/to_port carry the type and code; -1
                # means "any" and emits no match. A code is only emitted
                # together with a type.
                icmp_type = rule.from_port
                icmp_code = rule.to_port
                if icmp_type == -1:
                    icmp_type_arg = None
                else:
                    icmp_type_arg = '%s' % icmp_type
                    if not icmp_code == -1:
                        icmp_type_arg += '/%s' % icmp_code
                if icmp_type_arg:
                    if version == 4:
                        args += ['-m', 'icmp', '--icmp-type', icmp_type_arg]
                    elif version == 6:
                        args += ['-m', 'icmp6', '--icmpv6-type', icmp_type_arg]
            args += ['-j ACCEPT']
            fw_rules += [' '.join(args)]
    # Anything not accepted above falls through to the shared fallback chain.
    ipv4_rules += ['-j $sg-fallback']
    ipv6_rules += ['-j $sg-fallback']
    return ipv4_rules, ipv6_rules
def setup_basic_filtering(self, instance, network_info=None):
    """Use NWFilter from libvirt for this.

    Thin delegation: resolves ``network_info`` through netutils when it is
    not given and returns whatever ``self.nwfilter.setup_basic_filtering``
    returns for the instance.
    """
    if network_info:
        resolved_info = network_info
    else:
        resolved_info = netutils.get_network_info(instance)
    return self.nwfilter.setup_basic_filtering(instance, resolved_info)