def _create_snat(self, info, iptc):
    """Install the SNAT and FORWARD rules for one private NIC of the router.

    ``info`` supplies ``privateNicMac``, ``publicNicMac`` and ``publicIp``;
    ``iptc`` is the rule builder (``add_rule(rule, table)`` and
    ``NAT_TABLE_NAME``). Traffic leaving through the public NIC is
    source-NATed to ``publicIp`` via a per-NIC chain in the nat table, and a
    per-NIC FORWARD chain accepts public<->private and private<->private
    forwarding.

    Raises virtualrouter.VirtualRouterError when either MAC cannot be mapped
    to a NIC name.
    """
    priv_nic = linux.get_nic_name_by_mac(info.privateNicMac)
    if not priv_nic:
        raise virtualrouter.VirtualRouterError(
            'cannot get private nic name for mac[%s]' % info.privateNicMac)

    pub_candidates = linux.get_nic_names_by_mac(info.publicNicMac)
    if not pub_candidates:
        raise virtualrouter.VirtualRouterError(
            'cannot get public nic name for mac[%s]' % info.publicNicMac)
    # The first match may carry an alias suffix ("eth0:1"); keep the base device.
    pub_nic, _, _ = pub_candidates[0].partition(':')

    nat_table = iptc.NAT_TABLE_NAME
    snat_chain = self.make_snat_chain_name(priv_nic)
    iptc.add_rule('-A POSTROUTING -j %s' % snat_chain, nat_table)
    iptc.add_rule('-A %s -o %s -j SNAT --to-source %s'
                  % (snat_chain, pub_nic, info.publicIp), nat_table)

    fwd_chain = self._make_forward_chain_name(priv_nic)
    # NOTE(review): the public->private leg jumps to a chain whose only rule
    # is ACCEPT, so nothing in this function restricts inbound forwarding to
    # RELATED,ESTABLISHED traffic. Rules inserted ahead of these elsewhere may
    # filter it; confirm before relying on this chain as the only control.
    for in_nic, out_nic in ((pub_nic, priv_nic),
                            (priv_nic, pub_nic),
                            (priv_nic, priv_nic)):
        iptc.add_rule('-A FORWARD -i %s -o %s -j %s' % (in_nic, out_nic, fwd_chain))
    iptc.add_rule('-A %s -j ACCEPT' % fwd_chain)
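def refresh_rule(self, req):
    """Rebuild the appliance VM's INPUT firewall from the rules in the request.

    The JSON request body carries ``rules``; each rule has ``protocol``
    ('all', 'tcp' or 'udp' -- anything else adds no rule), ``startPort`` /
    ``endPort``, optional ``sourceIp`` and ``destIp``, and ``nicMac`` (used
    to find the interface when ``destIp`` is absent). The live rule set is
    read with iptables-save, the bootstrap "SSH on eth0" rule is narrowed to
    eth0's own address, the ``appliancevm`` chain is dropped and rebuilt, and
    the result is written back with iptables-restore.

    Returns the JSON-encoded RefreshFirewallRsp.

    Raises AssertionError if eth0 has no IP address, and ValueError if a
    request field that is spliced into an iptables rule does not look like
    an IP address/CIDR or a port number.
    """
    import re

    # These request fields are interpolated into iptables-restore input.
    # Restrict them to the characters an address/CIDR can contain so a
    # crafted value cannot smuggle extra matches or targets (" -j ACCEPT")
    # or, via a newline, a whole extra rule into the restore stream.
    # \Z rather than $: "$" would also accept a trailing newline.
    addr_re = re.compile(r'[0-9A-Fa-f.:]+(/[0-9]{1,3})?\Z')

    def checked_addr(value, field):
        if not addr_re.match(str(value)):
            raise ValueError('%s[%r] is not an IP address or CIDR' % (field, value))
        return value

    def checked_port(value, field):
        try:
            port = int(value)
        except (TypeError, ValueError):
            raise ValueError('%s[%r] is not a port number' % (field, value))
        if not 0 <= port <= 65535:
            raise ValueError('%s[%r] is out of the port range' % (field, value))
        return port

    cmd = jsonobject.loads(req[http.REQUEST_BODY])
    rsp = RefreshFirewallRsp()
    ipt = iptables.from_iptables_save()

    # Replace the bootstrap "any SSH on eth0" rule with one bound to eth0's
    # own address. An explicit check is used instead of assert, which is
    # stripped under -O and would let "-d None/32" reach iptables-restore.
    ipt.remove_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT')
    eth0_ip = linux.get_ip_by_nic_name('eth0')
    if not eth0_ip:
        raise AssertionError('cannot find IP of eth0')
    ipt.add_rule(
        '-A INPUT -d %s/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT' % eth0_ip)

    chain_name = 'appliancevm'
    ipt.delete_chain(chain_name)
    ipt.add_rule('-A INPUT -j %s' % chain_name)

    for to in cmd.rules:
        if to.destIp:
            nic_name = linux.get_nic_name_by_ip(to.destIp)
        else:
            nic_name = linux.get_nic_name_from_alias(
                linux.get_nic_names_by_mac(to.nicMac))
        # NOTE(review): if the lookup yields None, iptables accepts "-i None"
        # as a literal interface name and the rule silently never matches
        # (fails closed) rather than erroring -- confirm that is intended.

        prefix = ['-A %s' % chain_name]
        if to.sourceIp:
            prefix.append('-s %s' % checked_addr(to.sourceIp, 'sourceIp'))
        if to.destIp:
            prefix.append('-d %s' % checked_addr(to.destIp, 'destIp'))

        # UDP first, then TCP: the order the rules were added before.
        for proto in ('udp', 'tcp'):
            if to.protocol not in ('all', proto):
                continue
            ports = '%s:%s' % (checked_port(to.startPort, 'startPort'),
                               checked_port(to.endPort, 'endPort'))
            match = ('-i %s -p %s -m state --state NEW -m %s --dport %s -j ACCEPT'
                     % (nic_name, proto, proto, ports))
            ipt.add_rule(' '.join(prefix + [match]))

    ipt.iptable_restore()
    logger.debug('refreshed rules for appliance vm')
    return jsonobject.dumps(rsp)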
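def refresh_rule(self, req):
    """Rebuild the appliance VM's INPUT firewall from the rules in the request.

    The JSON request body carries ``rules``; each rule has ``protocol``
    ('all', 'tcp' or 'udp' -- anything else adds no rule), ``startPort`` /
    ``endPort``, optional ``sourceIp`` and ``destIp``, and ``nicMac`` (used
    to find the interface when ``destIp`` is absent). The live rule set is
    read with iptables-save, the bootstrap "SSH on eth0" rule is narrowed to
    eth0's own address, the ``appliancevm`` chain is dropped and rebuilt, and
    the result is written back with iptables-restore.

    Returns the JSON-encoded RefreshFirewallRsp.

    Raises AssertionError if eth0 has no IP address, and ValueError if a
    request field that is spliced into an iptables rule does not look like
    an IP address/CIDR or a port number.
    """
    import re

    # These request fields are interpolated into iptables-restore input.
    # Restrict them to the characters an address/CIDR can contain so a
    # crafted value cannot smuggle extra matches or targets (" -j ACCEPT")
    # or, via a newline, a whole extra rule into the restore stream.
    # \Z rather than $: "$" would also accept a trailing newline.
    addr_re = re.compile(r'[0-9A-Fa-f.:]+(/[0-9]{1,3})?\Z')

    def checked_addr(value, field):
        if not addr_re.match(str(value)):
            raise ValueError('%s[%r] is not an IP address or CIDR' % (field, value))
        return value

    def checked_port(value, field):
        try:
            port = int(value)
        except (TypeError, ValueError):
            raise ValueError('%s[%r] is not a port number' % (field, value))
        if not 0 <= port <= 65535:
            raise ValueError('%s[%r] is out of the port range' % (field, value))
        return port

    cmd = jsonobject.loads(req[http.REQUEST_BODY])
    rsp = RefreshFirewallRsp()
    ipt = iptables.from_iptables_save()

    # Replace the bootstrap "any SSH on eth0" rule with one bound to eth0's
    # own address. An explicit check is used instead of assert, which is
    # stripped under -O and would let "-d None/32" reach iptables-restore.
    ipt.remove_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT')
    eth0_ip = linux.get_ip_by_nic_name('eth0')
    if not eth0_ip:
        raise AssertionError('cannot find IP of eth0')
    ipt.add_rule(
        '-A INPUT -d %s/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT' % eth0_ip)

    chain_name = 'appliancevm'
    ipt.delete_chain(chain_name)
    ipt.add_rule('-A INPUT -j %s' % chain_name)

    for to in cmd.rules:
        if to.destIp:
            nic_name = linux.get_nic_name_by_ip(to.destIp)
        else:
            nic_name = linux.get_nic_name_from_alias(
                linux.get_nic_names_by_mac(to.nicMac))
        # NOTE(review): if the lookup yields None, iptables accepts "-i None"
        # as a literal interface name and the rule silently never matches
        # (fails closed) rather than erroring -- confirm that is intended.

        prefix = ['-A %s' % chain_name]
        if to.sourceIp:
            prefix.append('-s %s' % checked_addr(to.sourceIp, 'sourceIp'))
        if to.destIp:
            prefix.append('-d %s' % checked_addr(to.destIp, 'destIp'))

        # UDP first, then TCP: the order the rules were added before.
        for proto in ('udp', 'tcp'):
            if to.protocol not in ('all', proto):
                continue
            ports = '%s:%s' % (checked_port(to.startPort, 'startPort'),
                               checked_port(to.endPort, 'endPort'))
            match = ('-i %s -p %s -m state --state NEW -m %s --dport %s -j ACCEPT'
                     % (nic_name, proto, proto, ports))
            ipt.add_rule(' '.join(prefix + [match]))

    ipt.iptable_restore()
    logger.debug('refreshed rules for appliance vm')
    return jsonobject.dumps(rsp)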
def _create_snat(self, info, iptc):
    """Install the SNAT and FORWARD rules for one private NIC of the router.

    ``info`` supplies ``privateNicMac``, ``publicNicMac`` and ``publicIp``;
    ``iptc`` is the rule builder (``add_rule(rule, table)`` and
    ``NAT_TABLE_NAME``). Traffic leaving through the public NIC is
    source-NATed to ``publicIp`` via a per-NIC chain in the nat table, and a
    per-NIC FORWARD chain accepts public<->private and private<->private
    forwarding.

    Raises virtualrouter.VirtualRouterError when either MAC cannot be mapped
    to a NIC name.
    """
    priv_nic = linux.get_nic_name_by_mac(info.privateNicMac)
    if not priv_nic:
        raise virtualrouter.VirtualRouterError(
            'cannot get private nic name for mac[%s]' % info.privateNicMac)

    pub_candidates = linux.get_nic_names_by_mac(info.publicNicMac)
    if not pub_candidates:
        raise virtualrouter.VirtualRouterError(
            'cannot get public nic name for mac[%s]' % info.publicNicMac)
    # The first match may carry an alias suffix ("eth0:1"); keep the base device.
    pub_nic, _, _ = pub_candidates[0].partition(':')

    nat_table = iptc.NAT_TABLE_NAME
    snat_chain = self.make_snat_chain_name(priv_nic)
    iptc.add_rule('-A POSTROUTING -j %s' % snat_chain, nat_table)
    iptc.add_rule('-A %s -o %s -j SNAT --to-source %s'
                  % (snat_chain, pub_nic, info.publicIp), nat_table)

    fwd_chain = self._make_forward_chain_name(priv_nic)
    # NOTE(review): the public->private leg jumps to a chain whose only rule
    # is ACCEPT, so nothing in this function restricts inbound forwarding to
    # RELATED,ESTABLISHED traffic. Rules inserted ahead of these elsewhere may
    # filter it; confirm before relying on this chain as the only control.
    for in_nic, out_nic in ((pub_nic, priv_nic),
                            (priv_nic, pub_nic),
                            (priv_nic, priv_nic)):
        iptc.add_rule('-A FORWARD -i %s -o %s -j %s' % (in_nic, out_nic, fwd_chain))
    iptc.add_rule('-A %s -j ACCEPT' % fwd_chain)