def cleanup_unused_rules_on_host(self, req):
    """Drop ZStack firewall state that no longer backs any security group.

    Stale ZStack chains are removed from iptables (and from ip6tables unless
    ``cmd.skipIpv6`` is set) and the table is restored; then every ipset whose
    name carries that family's ZStack prefix but is not referenced by any
    surviving rule is destroyed. ``_cleanup_conntrack`` runs last.

    Args:
        req: HTTP request whose body is a JSON CleanupUnusedRulesOnHost command.

    Returns:
        The JSON-encoded CleanupUnusedRulesOnHostResponse.
    """
    cmd = jsonobject.loads(req[http.REQUEST_BODY])
    rsp = CleanupUnusedRulesOnHostResponse()

    ipt = iptables.from_iptables_save()
    ips_mn = ipset.IPSetManager()

    def prune_family(table, prefix):
        # Restore first so the "still used" list reflects the chains that
        # survive the stale-chain cleanup.
        self._cleanup_stale_chains(table)
        table.iptable_restore()
        still_used = table.list_used_ipset_name()
        ips_mn.cleanup_other_ipset(lambda name: name.startswith(prefix), still_used)

    prune_family(ipt, self.ZSTACK_IPSET_NAME_FORMAT[self.IPV4])
    if not cmd.skipIpv6:
        prune_family(iptables.from_ip6tables_save(),
                     self.ZSTACK_IPSET_NAME_FORMAT[self.IPV6])

    self._cleanup_conntrack()
    return jsonobject.dumps(rsp)
def _apply_rules_using_iprange_match_ip6(self, cmd, iptable=None, ipset_mn=None):
    """Apply the IPv6 security-group rules in ``cmd.ipv6RuleTOs`` to ip6tables.

    Args:
        cmd: Command carrying ``ipv6RuleTOs``; each TO exposes ``actionCode``,
            ``vmNicInternalName`` and ``vmNicIp``.
        iptable: Parsed ip6tables state to edit; when falsy it is loaded with
            ``iptables.from_ip6tables_save()``.
        ipset_mn: ipset manager to reuse; when falsy a fresh ``IPSetManager``.

    Raises:
        Exception: if a TO carries an action code other than
            ``ACTION_CODE_DELETE_CHAIN`` or ``ACTION_CODE_APPLY_RULE``.
    """
    ipt = iptable or iptables.from_ip6tables_save()
    ips_mn = ipset_mn or ipset.IPSetManager()

    self._create_default_rules_ip6(ipt)

    for rto in cmd.ipv6RuleTOs:
        code = rto.actionCode
        if code == self.ACTION_CODE_DELETE_CHAIN:
            self._delete_vnic_chain(ipt, rto.vmNicInternalName)
        elif code == self.ACTION_CODE_APPLY_RULE:
            self._apply_rules_on_vnic_chain_ip6(ipt, ips_mn, rto)
        else:
            raise Exception('unknown action code: %s' % code)
        self._cleanup_conntrack(rto.vmNicIp, "ipv6")

    # Remove-then-add the default ACCEPT, presumably so it is re-appended after
    # the rules added above rather than left in its old position.
    accept_rule = "-A %s -j ACCEPT" % self.ZSTACK_DEFAULT_CHAIN
    ipt.remove_rule(accept_rule)
    ipt.add_rule(accept_rule)

    self._cleanup_stale_chains(ipt)
    ips_mn.refresh_my_ipsets()
    ipt.iptable_restore()

    # Only sets with the ZStack prefix are candidates for removal; anything the
    # restored table still references is kept.
    prefix = self.ZSTACK_IPSET_NAME_FORMAT
    ips_mn.cleanup_other_ipset(lambda name: name.startswith(prefix),
                               ipt.list_used_ipset_name())
def _apply_rules_using_iprange_match_ip6(self, cmd, iptable=None, ipset_mn=None):
    """Apply the IPv6 security-group rules in ``cmd.ipv6RuleTOs`` to ip6tables.

    Args:
        cmd: Command carrying ``ipv6RuleTOs``; each TO exposes ``actionCode``,
            ``vmNicInternalName`` and ``vmNicIp``.
        iptable: Parsed ip6tables state to edit; loaded with
            ``iptables.from_ip6tables_save()`` when falsy.
        ipset_mn: ipset manager to reuse; a fresh ``IPSetManager`` when falsy.

    Raises:
        Exception: if a TO carries an unknown action code.
    """
    if iptable:
        ipt = iptable
    else:
        ipt = iptables.from_ip6tables_save()
    if ipset_mn:
        ips_mn = ipset_mn
    else:
        ips_mn = ipset.IPSetManager()

    self._create_default_rules_ip6(ipt)

    handlers = {
        self.ACTION_CODE_DELETE_CHAIN:
            lambda rto: self._delete_vnic_chain(ipt, rto.vmNicInternalName),
        self.ACTION_CODE_APPLY_RULE:
            lambda rto: self._apply_rules_on_vnic_chain_ip6(ipt, ips_mn, rto),
    }
    for rto in cmd.ipv6RuleTOs:
        handler = handlers.get(rto.actionCode)
        if handler is None:
            raise Exception('unknown action code: %s' % rto.actionCode)
        handler(rto)
        self._cleanup_conntrack(rto.vmNicIp, "ipv6")

    # Remove-then-add the default ACCEPT, presumably to re-append it after the
    # rules added above.
    default_accept_rule = "-A %s -j ACCEPT" % self.ZSTACK_DEFAULT_CHAIN
    ipt.remove_rule(default_accept_rule)
    ipt.add_rule(default_accept_rule)

    self._cleanup_stale_chains(ipt)
    ips_mn.refresh_my_ipsets()
    ipt.iptable_restore()

    # Prune only IPv6-prefixed ZStack sets that the restored table no longer uses.
    used_ipset = ipt.list_used_ipset_name()
    ip6_prefix = self.ZSTACK_IPSET_NAME_FORMAT[self.IPV6]
    ips_mn.cleanup_other_ipset(lambda name: name.startswith(ip6_prefix), used_ipset)
def _refresh_rules_on_host_using_iprange_match(self, cmd):
    """Rebuild the rules from scratch for each address family present in ``cmd``.

    For IPv4 (``cmd.ruleTOs`` is not None) and IPv6 (``cmd.ipv6RuleTOs`` is not
    None) the current table is loaded, ``_delete_all_chains`` is run on it, and
    the family's ``_apply_rules_using_iprange_match*`` helper re-applies the
    rules. A family whose TO list is None is left untouched.

    Args:
        cmd: Command carrying ``ruleTOs`` and/or ``ipv6RuleTOs``.
    """
    families = (
        (cmd.ruleTOs, iptables.from_iptables_save,
         self._apply_rules_using_iprange_match),
        (cmd.ipv6RuleTOs, iptables.from_ip6tables_save,
         self._apply_rules_using_iprange_match_ip6),
    )
    for rule_tos, load_table, apply_rules in families:
        if rule_tos is None:
            continue
        table = load_table()
        self._delete_all_chains(table)
        apply_rules(cmd, table)
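def update_group_member(self, req):
    """Create, refresh or delete the ipsets that back security-group membership.

    ``cmd.updateGroupTOs`` is split by ``ipVersion`` (4 versus anything else)
    and each family is processed against its own table and ipset manager:

    * ``ACTION_CODE_UPDATE_GROUP_MEMBER`` (re)creates the group's ipset from
      ``securityGroupVmIps``; the manager's sets are then refreshed.
    * ``ACTION_CODE_DELETE_GROUP`` removes every rule that references the
      group's ipset, restores the table, and only then destroys the set.

    ``_cleanup_conntrack`` runs once at the end.

    Args:
        req: HTTP request whose body is a JSON UpdateGroupMember command.

    Returns:
        The JSON-encoded UpdateGroupMemberResponse.
    """
    cmd = jsonobject.loads(req[http.REQUEST_BODY])
    rsp = UpdateGroupMemberResponse()

    utos4, utos6 = [], []
    for uto in cmd.updateGroupTOs:
        (utos4 if int(uto.ipVersion) == 4 else utos6).append(uto)

    def _apply_family(utos, table, manager):
        # Process one address family end to end: membership updates first,
        # then rule and set removal for deleted groups.
        to_del_ipset_names = []
        for uto in utos:
            set_name = self._make_security_group_ipset_name(uto.securityGroupUuid)
            if uto.actionCode == self.ACTION_CODE_DELETE_GROUP:
                to_del_ipset_names.append(set_name)
            elif uto.actionCode == self.ACTION_CODE_UPDATE_GROUP_MEMBER:
                manager.create_set(
                    name=set_name,
                    match_ips=uto.securityGroupVmIps,
                    ip_version=self.ZSTACK_IPSET_FAMILYS[int(uto.ipVersion)],
                )
            else:
                # Unknown codes were silently ignored before; surface them so a
                # malformed command cannot leave group membership stale unnoticed.
                logger.warn('unknown action code: %s' % uto.actionCode)
        manager.refresh_my_ipsets()
        if to_del_ipset_names:
            # Rules go first: ipset will not destroy a set that a live rule
            # still references.
            for rule in table.list_reference_ipset_rules(to_del_ipset_names):
                table.remove_rule(str(rule))
            table.iptable_restore()
            manager.clean_ipsets(to_del_ipset_names)

    ips_mn = ipset.IPSetManager()
    ipt = iptables.from_iptables_save()
    _apply_family(utos4, ipt, ips_mn)

    ip6s_mn = ipset.IPSetManager()
    ip6t = iptables.from_ip6tables_save()
    _apply_family(utos6, ip6t, ip6s_mn)

    self._cleanup_conntrack()
    return jsonobject.dumps(rsp)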
def apply_rules(self, req):
    """Apply the security-group rules carried by the request to this host.

    IPv4 rules (``cmd.ruleTOs``) and IPv6 rules (``cmd.ipv6RuleTOs``) are each
    applied only when their list is not None. An ``iptables.IPTablesError`` is
    caught, its stack trace logged at warn level, and the failure reported via
    ``rsp.error`` / ``rsp.success = False`` instead of propagating.

    Args:
        req: HTTP request whose body is a JSON ApplySecurityGroupRule command.

    Returns:
        The JSON-encoded ApplySecurityGroupRuleResponse.
    """
    cmd = jsonobject.loads(req[http.REQUEST_BODY])
    rsp = ApplySecurityGroupRuleResponse()
    try:
        plan = (
            (cmd.ruleTOs, iptables.from_iptables_save,
             self._apply_rules_using_iprange_match),
            (cmd.ipv6RuleTOs, iptables.from_ip6tables_save,
             self._apply_rules_using_iprange_match_ip6),
        )
        for rule_tos, load_table, apply_fn in plan:
            if rule_tos is not None:
                apply_fn(cmd, load_table())
    except iptables.IPTablesError as e:
        logger.warn(linux.get_exception_stacktrace())
        rsp.error = str(e)
        rsp.success = False
    return jsonobject.dumps(rsp)
def check_default_sg_rules(self, req):
    """Ensure the ZStack default chain exists in both iptables and ip6tables.

    Each table is loaded and checked for ``ZSTACK_DEFAULT_CHAIN``; when the
    chain is missing the family's default rules are created and the table
    restored. If either chain had to be created, ``_cleanup_conntrack`` runs.

    Args:
        req: The HTTP request; its body is not read.

    Returns:
        The JSON-encoded CheckDefaultSecurityGroupResponse.
    """
    rsp = CheckDefaultSecurityGroupResponse()

    def ensure_default_chain(table, create_defaults):
        # True when the chain was already present, False when it was created.
        if table.get_chain(self.ZSTACK_DEFAULT_CHAIN):
            return True
        create_defaults(table)
        table.iptable_restore()
        return False

    v4_present = ensure_default_chain(iptables.from_iptables_save(),
                                      self._create_default_rules)
    v6_present = ensure_default_chain(iptables.from_ip6tables_save(),
                                      self._create_default_rules_ip6)

    if not (v4_present and v6_present):
        self._cleanup_conntrack()
    return jsonobject.dumps(rsp)
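def cleanup_unused_rules_on_host(self, req):
    """Drop stale ZStack chains and every ZStack ipset that no rule references.

    Both iptables and ip6tables are cleaned of stale chains and restored. The
    ipset names still referenced by *either* table are merged into one list,
    and every set carrying the ZStack prefix that is absent from that list is
    destroyed — so a set used only by IPv6 rules survives. ``_cleanup_conntrack``
    runs last.

    Args:
        req: The HTTP request; its body is not read.

    Returns:
        The JSON-encoded CleanupUnusedRulesOnHostResponse.
    """
    rsp = CleanupUnusedRulesOnHostResponse()

    ipt = iptables.from_iptables_save()
    ips_mn = ipset.IPSetManager()
    self._cleanup_stale_chains(ipt)
    ipt.iptable_restore()
    # Copy into a plain list so the IPv6 names can be merged in below.
    used_ipset = list(ipt.list_used_ipset_name())

    ip6t = iptables.from_ip6tables_save()
    self._cleanup_stale_chains(ip6t)
    ip6t.iptable_restore()
    # Was ``used_ipset.appaned(uset)`` in a loop: the typo raised AttributeError
    # here, so the ipset pruning below never ran.
    used_ipset.extend(ip6t.list_used_ipset_name())

    prefix = self.ZSTACK_IPSET_NAME_FORMAT

    def match_set_name(name):
        return name.startswith(prefix)

    ips_mn.cleanup_other_ipset(match_set_name, used_ipset)
    self._cleanup_conntrack()
    return jsonobject.dumps(rsp)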