def main(): usage = 'usage: python -c "from cephbackupstorage import cdaemon; cdaemon.main()" start|stop|restart' if len(sys.argv) != 2 or not sys.argv[1] in ['start', 'stop', 'restart']: print usage sys.exit(1) global pidfile prepare_pid_dir(pidfile) try: iptc = iptables.from_iptables_save() iptc.add_rule('-A INPUT -p tcp -m tcp --dport 7761 -j ACCEPT') iptc.iptable_restore() cmd = sys.argv[1] agentdaemon = cephagent.CephDaemon(pidfile) if cmd == 'start': logger.debug('zstack-ceph-backupstorage starts') agentdaemon.start() elif cmd == 'stop': logger.debug('zstack-ceph-backupstorage stops') agentdaemon.stop() elif cmd == 'restart': logger.debug('zstack-ceph-backupstorage restarts') agentdaemon.restart() sys.exit(0) except Exception: logger.warning(linux.get_exception_stacktrace()) sys.exit(1)
def update_group_member(self, req): cmd = jsonobject.loads(req[http.REQUEST_BODY]) rsp = UpdateGroupMemberResponse() ips_mn = ipset.IPSetManager() ipt = iptables.from_iptables_save() to_del_ipset_names = [] for uto in cmd.updateGroupTOs: if uto.actionCode == self.ACTION_CODE_DELETE_GROUP: to_del_ipset_names.append( self._make_security_group_ipset_name( uto.securityGroupUuid)) elif uto.actionCode == self.ACTION_CODE_UPDATE_GROUP_MEMBER: set_name = self._make_security_group_ipset_name( uto.securityGroupUuid) ips_mn.create_set(name=set_name, match_ips=uto.securityGroupVmIps) ips_mn.refresh_my_ipsets() if len(to_del_ipset_names) > 0: to_del_rules = ipt.list_reference_ipset_rules(to_del_ipset_names) for rule in to_del_rules: ipt.remove_rule(str(rule)) ipt.iptable_restore() ips_mn.clean_ipsets(to_del_ipset_names) return jsonobject.dumps(rsp)
def sync_eip(self, req): cmd = jsonobject.loads(req[http.REQUEST_BODY]) rsp = SyncEipRsp() def remove_eip_chain(table): for c in table.children: if c.name.startswith('eip-'): c.delete() ipt = iptables.from_iptables_save() nat = ipt.get_table(ipt.NAT_TABLE_NAME) if nat: remove_eip_chain(nat) filter_table = ipt.get_table(ipt.FILTER_TABLE_NAME) if filter_table: remove_eip_chain(filter_table) ipt.iptable_restore() try: for eip in cmd.eips: self._create_eip(eip) except virtualrouter.VirtualRouterError as e: logger.warning(linux.get_exception_stacktrace()) rsp.error = str(e) rsp.success = False return jsonobject.dumps(rsp)
def main(): usage = 'usage: python -c "from kvmagent import kdaemon; kdaemon.main()" start|stop|restart' if len(sys.argv) != 2 or not sys.argv[1] in ['start', 'stop', 'restart']: print usage sys.exit(1) global pidfile prepare_pid_dir(pidfile) try: iptc = iptables.from_iptables_save() iptc.add_rule('-A INPUT -p tcp -m tcp --dport 7070 -j ACCEPT') iptc.add_rule('-A INPUT -p tcp -m tcp --dport 16509 -j ACCEPT') iptc.iptable_restore() cmd = sys.argv[1] py_process_name = 'from kvmagent import kdaemon' agentdaemon = kvmagent.KvmDaemon(pidfile, py_process_name) if cmd == 'start': logger.debug('zstack-kvmagent starts') agentdaemon.start() elif cmd == 'stop': logger.debug('zstack-kvmagent stops') agentdaemon.stop() elif cmd == 'restart': logger.debug('zstack-kvmagent restarts') agentdaemon.restart() sys.exit(0) except Exception: logger.warning(linux.get_exception_stacktrace()) sys.exit(1)
def main(): usage = 'usage: python -c "from baremetalpxeserver import cdaemon; cdaemon.main()" start|stop|restart' if len(sys.argv) != 2 or not sys.argv[1] in ['start', 'stop', 'restart']: print usage sys.exit(1) global pidfile prepare_pid_dir(pidfile) try: iptc = iptables.from_iptables_save() iptc.add_rule('-A INPUT -p tcp -m tcp --dport 7770 -j ACCEPT') iptc.iptable_restore() cmd = sys.argv[1] py_process_name = 'from baremetalpxeserver import cdaemon' agentdaemon = pxeserveragent.PxeServerDaemon(pidfile, py_process_name) if cmd == 'start': logger.debug('zstack-baremetalpxeserver starts') agentdaemon.start() elif cmd == 'stop': logger.debug('zstack-baremetalpxeserver stops') agentdaemon.stop() elif cmd == 'restart': logger.debug('zstack-baremetalpxeserver restarts') agentdaemon.restart() sys.exit(0) except Exception: logger.warning(linux.get_exception_stacktrace()) sys.exit(1)
def sync_rule(self, req): cmd = jsonobject.loads(req[http.REQUEST_BODY]) rsp = SyncPortForwardingRuleRsp() iptc = iptables.from_iptables_save() # destroy all port forwarding related chains def remove_pf_chain(talble): for c in talble.children: if c.name.startswith('pf-'): c.delete() nat_table = iptc.get_table(iptc.NAT_TABLE_NAME) if nat_table: remove_pf_chain(nat_table) filter_table = iptc.get_table(iptc.FILTER_TABLE_NAME) if filter_table: remove_pf_chain(filter_table) for to in cmd.rules: self._create_rule(iptc, to) iptc.iptable_restore() return jsonobject.dumps(rsp)
def cleanup_unused_rules_on_host(self, req): cmd = jsonobject.loads(req[http.REQUEST_BODY]) rsp = CleanupUnusedRulesOnHostResponse() def match_set_name(name): return name.startswith(self.ZSTACK_IPSET_NAME_FORMAT[self.IPV4]) def match_set_name_ip6(name): return name.startswith(self.ZSTACK_IPSET_NAME_FORMAT[self.IPV6]) ipt = iptables.from_iptables_save() ips_mn = ipset.IPSetManager() self._cleanup_stale_chains(ipt) ipt.iptable_restore() used_ipset = ipt.list_used_ipset_name() ips_mn.cleanup_other_ipset(match_set_name, used_ipset) if not cmd.skipIpv6: ip6t = iptables.from_ip6tables_save() self._cleanup_stale_chains(ip6t) ip6t.iptable_restore() used_ipset6 = ip6t.list_used_ipset_name() ips_mn.cleanup_other_ipset(match_set_name_ip6, used_ipset6) self._cleanup_conntrack() return jsonobject.dumps(rsp)
def main(): usage = 'usage: python -c "from kvmagent import kdaemon; kdaemon.main()" start|stop|restart' if len(sys.argv) != 2 or not sys.argv[1] in ['start', 'stop', 'restart']: print usage sys.exit(1) global pidfile prepare_pid_dir(pidfile) try: iptc = iptables.from_iptables_save() iptc.add_rule('-A INPUT -p tcp -m tcp --dport 7070 -j ACCEPT') # open vnc ports iptc.add_rule('-A INPUT -p tcp -m tcp --dport 5900:6200 -j ACCEPT') iptc.iptable_restore() cmd = sys.argv[1] agentdaemon = kvmagent.KvmDaemon(pidfile) if cmd == 'start': logger.debug('zstack-kvmagent starts') agentdaemon.start() elif cmd == 'stop': logger.debug('zstack-kvmagent stops') agentdaemon.stop() elif cmd == 'restart': logger.debug('zstack-kvmagent restarts') agentdaemon.restart() sys.exit(0) except Exception: logger.warning(linux.get_exception_stacktrace()) sys.exit(1)
def _apply_rules_using_iprange_match(self, cmd, iptable=None, ipset_mn=None): if not iptable: ipt = iptables.from_iptables_save() else: ipt = iptable if not ipset_mn: ips_mn = ipset.IPSetManager() else: ips_mn = ipset_mn self._create_default_rules(ipt) for rto in cmd.ruleTOs: if rto.actionCode == self.ACTION_CODE_DELETE_CHAIN: self._delete_vnic_chain(ipt, rto.vmNicInternalName) elif rto.actionCode == self.ACTION_CODE_APPLY_RULE: self._apply_rules_on_vnic_chain(ipt, ips_mn, rto) else: raise Exception('unknown action code: %s' % rto.actionCode) self._cleanup_conntrack(rto.vmNicIp) default_accept_rule = "-A %s -j ACCEPT" % self.ZSTACK_DEFAULT_CHAIN ipt.remove_rule(default_accept_rule) ipt.add_rule(default_accept_rule) self._cleanup_stale_chains(ipt) ips_mn.refresh_my_ipsets() ipt.iptable_restore() used_ipset = ipt.list_used_ipset_name() def match_set_name(name): return name.startswith(self.ZSTACK_IPSET_NAME_FORMAT) ips_mn.cleanup_other_ipset(match_set_name, used_ipset)
def _apply_rules_using_iprange_match(self, cmd, iptable=None, ipset_mn=None): if not iptable: ipt = iptables.from_iptables_save() else: ipt = iptable if not ipset_mn: ips_mn = ipset.IPSetManager() else: ips_mn = ipset_mn self._create_default_rules(ipt) for rto in cmd.ruleTOs: if rto.actionCode == self.ACTION_CODE_DELETE_CHAIN: self._delete_vnic_chain(ipt, rto.vmNicInternalName) elif rto.actionCode == self.ACTION_CODE_APPLY_RULE: self._apply_rules_on_vnic_chain(ipt, ips_mn, rto) else: raise Exception('unknown action code: %s' % rto.actionCode) default_accept_rule = "-A %s -j ACCEPT" % self.ZSTACK_DEFAULT_CHAIN ipt.remove_rule(default_accept_rule) ipt.add_rule(default_accept_rule) self._cleanup_stale_chains(ipt) ips_mn.refresh_my_ipsets() ipt.iptable_restore() used_ipset = ipt.list_used_ipset_name() def match_set_name(name): return name.startswith(self.ZSTACK_IPSET_NAME_FORMAT) ips_mn.cleanup_other_ipset(match_set_name, used_ipset)
def cleanup_unused_rules_on_host(self, req): rsp = CleanupUnusedRulesOnHostResponse() ipt = iptables.from_iptables_save() self._cleanup_stale_chains(ipt) ipt.iptable_restore() return jsonobject.dumps(rsp)
def revoke_rule(self, req): cmd = jsonobject.loads(req[http.REQUEST_BODY]) rsp = RevokePortForwardingRuleRsp() iptc = iptables.from_iptables_save() for to in cmd.rules: self._revoke_rule(iptc, to) iptc.iptable_restore() return jsonobject.dumps(rsp)
def _refresh_rules_on_host_using_iprange_match(self, cmd): if cmd.ruleTOs is not None: ipt = iptables.from_iptables_save() self._delete_all_chains(ipt) self._apply_rules_using_iprange_match(cmd, ipt) if cmd.ipv6RuleTOs is not None: ip6t = iptables.from_ip6tables_save() self._delete_all_chains(ip6t) self._apply_rules_using_iprange_match_ip6(cmd, ip6t)
def check_default_sg_rules(self, req): rsp = CheckDefaultSecurityGroupResponse() ipt = iptables.from_iptables_save() default_chain = ipt.get_chain(self.ZSTACK_DEFAULT_CHAIN) if not default_chain: self._create_default_rules(ipt) ipt.iptable_restore() return jsonobject.dumps(rsp)
def update_group_member(self, req): cmd = jsonobject.loads(req[http.REQUEST_BODY]) rsp = UpdateGroupMemberResponse() utos4 = [] utos6 = [] for uto in cmd.updateGroupTOs: if int(uto.ipVersion) == 4: utos4.append(uto) else: utos6.append(uto) ips_mn = ipset.IPSetManager() ipt = iptables.from_iptables_save() to_del_ipset_names = [] for uto in utos4: if uto.actionCode == self.ACTION_CODE_DELETE_GROUP: to_del_ipset_names.append(self._make_security_group_ipset_name(uto.securityGroupUuid)) elif uto.actionCode == self.ACTION_CODE_UPDATE_GROUP_MEMBER: set_name = self._make_security_group_ipset_name(uto.securityGroupUuid) ip_version = self.ZSTACK_IPSET_FAMILYS[int(uto.ipVersion)] ips_mn.create_set(name=set_name, match_ips=uto.securityGroupVmIps, ip_version=ip_version) ips_mn.refresh_my_ipsets() if len(to_del_ipset_names) > 0: to_del_rules = ipt.list_reference_ipset_rules(to_del_ipset_names) for rule in to_del_rules: ipt.remove_rule(str(rule)) ipt.iptable_restore() ips_mn.clean_ipsets(to_del_ipset_names) ip6s_mn = ipset.IPSetManager() ip6t = iptables.from_ip6tables_save() to_del_ipset_names = [] for uto in utos6: if uto.actionCode == self.ACTION_CODE_DELETE_GROUP: to_del_ipset_names.append(self._make_security_group_ipset_name(uto.securityGroupUuid)) elif uto.actionCode == self.ACTION_CODE_UPDATE_GROUP_MEMBER: set_name = self._make_security_group_ipset_name(uto.securityGroupUuid) ip_version = self.ZSTACK_IPSET_FAMILYS[int(uto.ipVersion)] ip6s_mn.create_set(name=set_name, match_ips=uto.securityGroupVmIps, ip_version=ip_version) ip6s_mn.refresh_my_ipsets() if len(to_del_ipset_names) > 0: to_del_rules = ip6t.list_reference_ipset_rules(to_del_ipset_names) for rule in to_del_rules: ip6t.remove_rule(str(rule)) ip6t.iptable_restore() ip6s_mn.clean_ipsets(to_del_ipset_names) self._cleanup_conntrack() return jsonobject.dumps(rsp)
def refresh_rule(self, req): cmd = jsonobject.loads(req[http.REQUEST_BODY]) rsp = RefreshFirewallRsp() ipt = iptables.from_iptables_save() # replace bootstrap 22 port rule with a more restricted one that binds to eth0's IP ipt.remove_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT') eth0_ip = linux.get_ip_by_nic_name('eth0') assert eth0_ip, 'cannot find IP of eth0' ipt.add_rule( '-A INPUT -d %s/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT' % eth0_ip) chain_name = 'appliancevm' ipt.delete_chain(chain_name) ipt.add_rule('-A INPUT -j %s' % chain_name) for to in cmd.rules: if to.destIp: nic_name = linux.get_nic_name_by_ip(to.destIp) else: nic_name = linux.get_nic_name_from_alias( linux.get_nic_names_by_mac(to.nicMac)) r = [] if to.protocol == 'all' or to.protocol == 'udp': r.append('-A %s' % chain_name) if to.sourceIp: r.append('-s %s' % to.sourceIp) if to.destIp: r.append('-d %s' % to.destIp) r.append( '-i %s -p udp -m state --state NEW -m udp --dport %s:%s -j ACCEPT' % (nic_name, to.startPort, to.endPort)) rule = ' '.join(r) ipt.add_rule(rule) r = [] if to.protocol == 'all' or to.protocol == 'tcp': r.append('-A %s' % chain_name) if to.sourceIp: r.append('-s %s' % to.sourceIp) if to.destIp: r.append('-d %s' % to.destIp) r.append( '-i %s -p tcp -m state --state NEW -m tcp --dport %s:%s -j ACCEPT' % (nic_name, to.startPort, to.endPort)) rule = ' '.join(r) ipt.add_rule(rule) ipt.iptable_restore() logger.debug('refreshed rules for appliance vm') return jsonobject.dumps(rsp)
def _kill_lb(self, to): pid_file_path = self._make_pid_file_path(to.lbUuid, to.listenerUuid) pid = linux.find_process_by_cmdline([pid_file_path]) if pid: shell.call('kill %s' % pid) shell.call('rm -f %s' % pid_file_path) shell.call('rm -f %s' % self._make_conf_file_path(to.lbUuid, to.listenerUuid)) ipt = iptables.from_iptables_save() ipt.delete_chain(self._make_chain_name(to)) ipt.iptable_restore()
def _kill_lb(self, to): pid_file_path = self._make_pid_file_path(to.lbUuid, to.listenerUuid) pid = linux.find_process_by_cmdline([pid_file_path]) if pid: shell.call('kill %s' % pid) linux.rm_file_force(pid_file_path) linux.rm_file_force(self._make_conf_file_path(to.lbUuid, to.listenerUuid)) ipt = iptables.from_iptables_save() ipt.delete_chain(self._make_chain_name(to)) ipt.iptable_restore()
def set_default_iptable_rules(self): shell.call('iptables --policy INPUT DROP') shell.call('iptables --policy FORWARD DROP') # NOTE: 22 port of eth0 is opened in /etc/sysconfig/iptables by default ipt = iptables.from_iptables_save() ipt.add_rule('-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT') ipt.add_rule('-A INPUT -i lo -j ACCEPT') ipt.add_rule('-A INPUT -p icmp -j ACCEPT') ipt.add_rule('-A INPUT -j REJECT --reject-with icmp-host-prohibited') ipt.add_rule('-A FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT') ipt.add_rule('-A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill', iptables.IPTables.MANGLE_TABLE_NAME) ipt.iptable_restore()
def _default_iptable_rules(self, nicname): in_chain_name = "%s-in" % nicname ipt = iptables.from_iptables_save() ipt.delete_chain(in_chain_name) ipt.add_rule('-A INPUT -i %s -j %s' % (nicname, in_chain_name)) ipt.add_rule('-A %s -m state --state RELATED,ESTABLISHED -j ACCEPT' % in_chain_name) ipt.add_rule('-A %s -p udp -m udp --sport 68 --dport 67 -j ACCEPT' % in_chain_name) ipt.add_rule('-A %s -p udp -m udp --sport 67 --dport 68 -j ACCEPT' % in_chain_name) ipt.add_rule('-A %s -p udp -m udp --dport 53 -j ACCEPT' % in_chain_name) ipt.add_rule('-A %s -p icmp -m icmp -j ACCEPT' % in_chain_name) ipt.add_rule('-A %s -p tcp -m tcp --dport 22 -m state --state NEW -j ACCEPT' % in_chain_name) ipt.add_rule('-A %s -j REJECT --reject-with icmp-host-prohibited' % in_chain_name) ipt.iptable_restore()
def remove_snat(self, req): cmd = jsonobject.loads(req[http.REQUEST_BODY]) rsp = RemoveSNATRsp() try: iptc = iptables.from_iptables_save() for info in cmd.natInfo: self._remove_snat(info, iptc) iptc.iptable_restore() except virtualrouter.VirtualRouterError as e: logger.warn(linux.get_exception_stacktrace()) err = 'unable to remove snat, %s' % str(e) rsp.error = err rsp.success = False return jsonobject.dumps(rsp)
def set_snat(self, req): cmd = jsonobject.loads(req[http.REQUEST_BODY]) rsp = SetSNATRsp() try: iptc = iptables.from_iptables_save() self._create_snat(cmd.snat, iptc) iptc.iptable_restore() except virtualrouter.VirtualRouterError as e: logger.warn(linux.get_exception_stacktrace()) err = "unable to create snat, %s" % str(e) rsp.error = err rsp.success = False return jsonobject.dumps(rsp)
def cleanup_unused_rules_on_host(self, req): rsp = CleanupUnusedRulesOnHostResponse() ipt = iptables.from_iptables_save() ips_mn = ipset.IPSetManager() self._cleanup_stale_chains(ipt) ipt.iptable_restore() used_ipset = ipt.list_used_ipset_name() def match_set_name(name): return name.startswith(self.ZSTACK_IPSET_NAME_FORMAT) ips_mn.cleanup_other_ipset(match_set_name, used_ipset) return jsonobject.dumps(rsp)
def refresh_rule(self, req): cmd = jsonobject.loads(req[http.REQUEST_BODY]) rsp = RefreshFirewallRsp() ipt = iptables.from_iptables_save() # replace bootstrap 22 port rule with a more restricted one that binds to eth0's IP ipt.remove_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT') eth0_ip = linux.get_ip_by_nic_name('eth0') assert eth0_ip, 'cannot find IP of eth0' ipt.add_rule('-A INPUT -d %s/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT' % eth0_ip) chain_name = 'appliancevm' ipt.delete_chain(chain_name) ipt.add_rule('-A INPUT -j %s' % chain_name) for to in cmd.rules: if to.destIp: nic_name = linux.get_nic_name_by_ip(to.destIp) else: nic_name = linux.get_nic_name_from_alias(linux.get_nic_names_by_mac(to.nicMac)) r =[] if to.protocol == 'all' or to.protocol == 'udp': r.append('-A %s' % chain_name) if to.sourceIp: r.append('-s %s' % to.sourceIp) if to.destIp: r.append('-d %s' % to.destIp) r.append('-i %s -p udp -m state --state NEW -m udp --dport %s:%s -j ACCEPT' % (nic_name, to.startPort, to.endPort)) rule = ' '.join(r) ipt.add_rule(rule) r = [] if to.protocol == 'all' or to.protocol == 'tcp': r.append('-A %s' % chain_name) if to.sourceIp: r.append('-s %s' % to.sourceIp) if to.destIp: r.append('-d %s' % to.destIp) r.append('-i %s -p tcp -m state --state NEW -m tcp --dport %s:%s -j ACCEPT' % (nic_name, to.startPort, to.endPort)) rule = ' '.join(r) ipt.add_rule(rule) ipt.iptable_restore() logger.debug('refreshed rules for appliance vm') return jsonobject.dumps(rsp)
def apply_rules(self, req): cmd = jsonobject.loads(req[http.REQUEST_BODY]) rsp = ApplySecurityGroupRuleResponse() try: if cmd.ruleTOs is not None: ipt = iptables.from_iptables_save() self._apply_rules_using_iprange_match(cmd, ipt) if cmd.ipv6RuleTOs is not None: ip6t = iptables.from_ip6tables_save() self._apply_rules_using_iprange_match_ip6(cmd, ip6t) except iptables.IPTablesError as e: err_log = linux.get_exception_stacktrace() logger.warn(err_log) rsp.error = str(e) rsp.success = False return jsonobject.dumps(rsp)
def check_default_sg_rules(self, req): rsp = CheckDefaultSecurityGroupResponse() ipt = iptables.from_iptables_save() default_chain = ipt.get_chain(self.ZSTACK_DEFAULT_CHAIN) if not default_chain: self._create_default_rules(ipt) ipt.iptable_restore() ip6t = iptables.from_ip6tables_save() default_chain6 = ip6t.get_chain(self.ZSTACK_DEFAULT_CHAIN) if not default_chain6: self._create_default_rules_ip6(ip6t) ip6t.iptable_restore() if not default_chain or not default_chain6: self._cleanup_conntrack() return jsonobject.dumps(rsp)
def _create_eip(self, eip): ipt = iptables.from_iptables_save() private_nic_name = linux.get_nic_name_by_mac(eip.privateMac) vip_nic_name = linux.get_nic_name_by_ip(eip.vipIp) guest_ip = eip.guestIp vip = eip.vipIp dnat_name = self._make_dnat_name(vip_nic_name, private_nic_name) snat_name = self._make_snat_name(vip_nic_name, private_nic_name) fwd_name = self._make_fwd_name(vip_nic_name, private_nic_name) #def check_eip(table): #if not table: #return #for chain in table.children: #vip_nic = self._get_vip_nic_name_from_chain_name(chain.name) #if vip_nic == vip_nic_name: #raise virtualrouter.VirtualRouterError('eip[%s] has been occupied, this is an internal error' % vip) #check_eip(ipt.get_table(ipt.NAT_TABLE_NAME)) #check_eip(ipt.get_table(ipt.FILTER_TABLE_NAME)) order = 999 ipt.add_rule('-A PREROUTING -d {0} -j {1}'.format(vip, dnat_name), ipt.NAT_TABLE_NAME, order=order) ipt.add_rule('-A {0} -j DNAT --to-destination {1}'.format(dnat_name, guest_ip), ipt.NAT_TABLE_NAME, order=order) ipt.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(vip_nic_name, private_nic_name, fwd_name), order=order) ipt.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(private_nic_name, vip_nic_name, fwd_name), order=order) ipt.add_rule('-A {0} -j ACCEPT'.format(fwd_name), order=order) ipt.add_rule('-A POSTROUTING -s {0} -j {1}'.format(guest_ip, snat_name), ipt.NAT_TABLE_NAME, order=order) ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(snat_name, vip), ipt.NAT_TABLE_NAME, order=order) if eip.snatInboundTraffic: gw_snat_name = self._make_gateway_snat_name(vip_nic_name, private_nic_name) guest_gw_ip = linux.get_ip_by_nic_name(private_nic_name) ipt.add_rule('-A POSTROUTING -d {0} -j {1}'.format(guest_ip, gw_snat_name), ipt.NAT_TABLE_NAME, order=order) ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(gw_snat_name, guest_gw_ip), ipt.NAT_TABLE_NAME, order=order) ipt.iptable_restore() logger.debug('successfully created eip[{0}] to guest ip[{1}] from device[{2}] to device[{3}]'.format(vip, guest_ip, vip_nic_name, private_nic_name))
def _create_eip(self, eip): ipt = iptables.from_iptables_save() private_nic_name = linux.get_nic_name_by_mac(eip.privateMac) vip_nic_name = linux.get_nic_name_by_ip(eip.vipIp) guest_ip = eip.guestIp vip = eip.vipIp dnat_name = self._make_dnat_name(vip_nic_name, private_nic_name) snat_name = self._make_snat_name(vip_nic_name, private_nic_name) fwd_name = self._make_fwd_name(vip_nic_name, private_nic_name) def check_eip(table): if not table: return for chain in table.children: vip_nic = self._get_vip_nic_name_from_chain_name(chain.name) if vip_nic == vip_nic_name: raise virtualrouter.VirtualRouterError('eip[%s] has been occupied, this is an internal error' % vip) check_eip(ipt.get_table(ipt.NAT_TABLE_NAME)) check_eip(ipt.get_table(ipt.FILTER_TABLE_NAME)) order = 999 ipt.add_rule('-A PREROUTING -d {0} -j {1}'.format(vip, dnat_name), ipt.NAT_TABLE_NAME, order=order) ipt.add_rule('-A {0} -j DNAT --to-destination {1}'.format(dnat_name, guest_ip), ipt.NAT_TABLE_NAME, order=order) ipt.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(vip_nic_name, private_nic_name, fwd_name), order=order) ipt.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(private_nic_name, vip_nic_name, fwd_name), order=order) ipt.add_rule('-A {0} -j ACCEPT'.format(fwd_name), order=order) ipt.add_rule('-A POSTROUTING -s {0} -j {1}'.format(guest_ip, snat_name), ipt.NAT_TABLE_NAME, order=order) ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(snat_name, vip), ipt.NAT_TABLE_NAME, order=order) if eip.snatInboundTraffic: gw_snat_name = self._make_gateway_snat_name(vip_nic_name, private_nic_name) guest_gw_ip = linux.get_ip_by_nic_name(private_nic_name) ipt.add_rule('-A POSTROUTING -d {0} -j {1}'.format(guest_ip, gw_snat_name), ipt.NAT_TABLE_NAME, order=order) ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(gw_snat_name, guest_gw_ip), ipt.NAT_TABLE_NAME, order=order) ipt.iptable_restore() logger.debug('successfully created eip[{0}] to guest ip[{1}] from device[{2}] to device[{3}]'.format(vip, guest_ip, vip_nic_name, private_nic_name))
def _apply_rules_using_iprange_match(self, cmd, iptable=None): if not iptable: ipt = iptables.from_iptables_save() else: ipt = iptable self._create_default_rules(ipt) for rto in cmd.ruleTOs: if rto.actionCode == self.ACTION_CODE_DELETE_CHAIN: self._delete_vnic_chain(ipt, rto.vmNicInternalName) elif rto.actionCode == self.ACTION_CODE_APPLY_RULE: self._apply_rules_on_vnic_chain(ipt, rto) else: raise Exception('unknown action code: %s' % rto.actionCode) default_accept_rule = "-A %s -j ACCEPT" % self.ZSTACK_DEFAULT_CHAIN ipt.remove_rule(default_accept_rule) ipt.add_rule(default_accept_rule) self._cleanup_stale_chains(ipt) ipt.iptable_restore()
def _remove_eip(self, eip): ipt = iptables.from_iptables_save() private_nic_name = linux.get_nic_name_by_mac(eip.privateMac) assert private_nic_name, "cannot find private nic by MAC[%s]" % eip.privateMac vip_nic_name = linux.get_nic_name_by_ip(eip.vipIp) assert vip_nic_name, "cannot find vip nic by IP[%s]" % eip.vipIp guest_ip = eip.guestIp vip = eip.vipIp dnat_name = self._make_dnat_name(vip_nic_name, private_nic_name) snat_name = self._make_snat_name(vip_nic_name, private_nic_name) fwd_name = self._make_fwd_name(vip_nic_name, private_nic_name) gw_snat_name = self._make_gateway_snat_name(vip_nic_name, private_nic_name) ipt.delete_chain(dnat_name, ipt.NAT_TABLE_NAME) ipt.delete_chain(snat_name, ipt.NAT_TABLE_NAME) ipt.delete_chain(gw_snat_name, ipt.NAT_TABLE_NAME) ipt.delete_chain(fwd_name) ipt.iptable_restore() logger.debug('successfully deleted eip[{0}] to guest ip[{1}] from device[{2}] to device[{3}]'.format(vip, guest_ip, vip_nic_name, private_nic_name))
def check_default_sg_rules(self, req): cmd = jsonobject.loads(req[http.REQUEST_BODY]) rsp = CheckDefaultSecurityGroupResponse() ipt = iptables.from_iptables_save() default_chain = ipt.get_chain(self.ZSTACK_DEFAULT_CHAIN) if not default_chain: self._create_default_rules(ipt) ipt.iptable_restore() if not cmd.skipIpv6: ip6t = iptables.from_ip6tables_save() default_chain6 = ip6t.get_chain(self.ZSTACK_DEFAULT_CHAIN) if not default_chain6: self._create_default_rules_ip6(ip6t) ip6t.iptable_restore() if not default_chain or not default_chain6: self._cleanup_conntrack() return jsonobject.dumps(rsp)
def cleanup_unused_rules_on_host(self, req): rsp = CleanupUnusedRulesOnHostResponse() ipt = iptables.from_iptables_save() ips_mn = ipset.IPSetManager() self._cleanup_stale_chains(ipt) ipt.iptable_restore() used_ipset = ipt.list_used_ipset_name() ip6t = iptables.from_ip6tables_save() self._cleanup_stale_chains(ip6t) ip6t.iptable_restore() used_ipset6 = ip6t.list_used_ipset_name() for uset in used_ipset6: used_ipset.appaned(uset) def match_set_name(name): return name.startswith(self.ZSTACK_IPSET_NAME_FORMAT) ips_mn.cleanup_other_ipset(match_set_name, used_ipset) self._cleanup_conntrack() return jsonobject.dumps(rsp)
def _refresh(self, to): conf = '''global maxconn {{maxConnection}} log 127.0.0.1 local1 user haproxy group haproxy daemon listen {{listenerUuid}} mode {{mode}} timeout client {{connectionIdleTimeout}}s timeout server {{connectionIdleTimeout}}s timeout connect 60s balance {{balancerAlgorithm}} bind {{vip}}:{{loadBalancerPort}} {% for ip in nicIps %} server nic-{{ip}} {{ip}}:{{loadBalancerPort}} check port {{checkPort}} inter {{healthCheckInterval}}s rise {{healthyThreshold}} fall {{unhealthyThreshold}} {% endfor %} ''' pid_file = self._make_pid_file_path(to.lbUuid, to.listenerUuid) if not os.path.exists(pid_file): shell.call('touch %s' % pid_file) @rollbackable def _0(): shell.call('rm -f %s' % pid_file) _0() conf_file = self._make_conf_file_path(to.lbUuid, to.listenerUuid) md5sum = '' # if the first time to create lb, no config file will be found if os.path.exists(conf_file): md5sum = shell.call('md5sum %s' % conf_file) context = {} context.update(to.__dict__) for p in to.parameters: k, v = p.split('::') if k == 'healthCheckTarget': check_method, check_port = v.split(':') if check_port == 'default': context['checkPort'] = to.instancePort else: context['checkPort'] = check_port context[k] = v conf_tmpt = Template(conf) conf = conf_tmpt.render(context) with open(conf_file, 'w') as fd: fd.write(conf) if md5sum == shell.call('md5sum %s' % conf_file): return shell.call("iptables -I INPUT -d %s -p tcp --dport %s --syn -j DROP && sleep 0.5" % (to.vip, to.loadBalancerPort)) @rollbackable def _1(): shell.call("iptables -D INPUT -d %s -p tcp --dport %s --syn -j DROP" % (to.vip, to.loadBalancerPort)) _1() shell.call('haproxy -D -f %s -p %s -sf $(cat %s)' % (conf_file, pid_file, pid_file)) shell.call("iptables -D INPUT -d %s -p tcp --dport %s --syn -j DROP" % (to.vip, to.loadBalancerPort)) ipt = iptables.from_iptables_save() chain_name = self._make_chain_name(to) ipt.add_rule('-A INPUT -d %s/32 -j %s' % (to.vip, chain_name)) ipt.add_rule('-A %s -p tcp -m tcp --dport %s -j ACCEPT' % (chain_name, to.loadBalancerPort)) ipt.iptable_restore()
def _refresh_rules_on_host_using_iprange_match(self, cmd): ipt = iptables.from_iptables_save() self._delete_all_chains(ipt) self._apply_rules_using_iprange_match(cmd, ipt)
def _refresh(self, to): conf = '''global maxconn {{maxConnection}} log 127.0.0.1 local1 user haproxy group haproxy daemon listen {{listenerUuid}} mode {{mode}} timeout client {{connectionIdleTimeout}}s timeout server {{connectionIdleTimeout}}s timeout connect 60s balance {{balancerAlgorithm}} bind {{vip}}:{{loadBalancerPort}} {% for ip in nicIps %} server nic-{{ip}} {{ip}}:{{loadBalancerPort}} check port {{checkPort}} inter {{healthCheckInterval}}s rise {{healthyThreshold}} fall {{unhealthyThreshold}} {% endfor %} ''' pid_file = self._make_pid_file_path(to.lbUuid, to.listenerUuid) if not os.path.exists(pid_file): linux.touch_file(pid_file) @rollbackable def _0(): linux.rm_file_force(pid_file) _0() conf_file = self._make_conf_file_path(to.lbUuid, to.listenerUuid) md5sum = '' # if the first time to create lb, no config file will be found if os.path.exists(conf_file): md5sum = shell.call('md5sum %s' % conf_file) context = {} context.update(to.__dict__) for p in to.parameters: k, v = p.split('::') if k == 'healthCheckTarget': check_method, check_port = v.split(':') if check_port == 'default': context['checkPort'] = to.instancePort else: context['checkPort'] = check_port context[k] = v conf_tmpt = Template(conf) conf = conf_tmpt.render(context) with open(conf_file, 'w') as fd: fd.write(conf) if md5sum == shell.call('md5sum %s' % conf_file): return shell.call("iptables -I INPUT -d %s -p tcp --dport %s --syn -j DROP && sleep 0.5" % (to.vip, to.loadBalancerPort)) @rollbackable def _1(): shell.call("iptables -D INPUT -d %s -p tcp --dport %s --syn -j DROP" % (to.vip, to.loadBalancerPort)) _1() shell.call('haproxy -D -f %s -p %s -sf $(cat %s)' % (conf_file, pid_file, pid_file)) shell.call("iptables -D INPUT -d %s -p tcp --dport %s --syn -j DROP" % (to.vip, to.loadBalancerPort)) ipt = iptables.from_iptables_save() chain_name = self._make_chain_name(to) ipt.add_rule('-A INPUT -d %s/32 -j %s' % (to.vip, chain_name)) ipt.add_rule('-A %s -p tcp -m tcp --dport %s -j ACCEPT' % (chain_name, to.loadBalancerPort)) ipt.iptable_restore()