def clean_int_v4netmaskbit(self):
ip = self.cleaned_data.get("int_ipv4address")
nw = self.cleaned_data.get("int_v4netmaskbit")
if not nw or not ip:
return nw
network = IPNetwork('%s/%s' % (ip, nw))
used_networks = []
qs = models.Interfaces.objects.all()
if self.instance.id:
qs = qs.exclude(id=self.instance.id)
for iface in qs:
if iface.int_v4netmaskbit:
used_networks.append(
IPNetwork('%s/%s' % (
iface.int_ipv4address,
iface.int_v4netmaskbit,
)))
for alias in iface.alias_set.all():
if alias.alias_v4netmaskbit:
used_networks.append(
IPNetwork('%s/%s' % (
alias.alias_v4address,
alias.alias_v4netmaskbit,
)))
for unet in used_networks:
if unet.overlaps(network):
raise forms.ValidationError(
_("The network %s is already in use by another NIC.") %
(network.masked(), ))
return nw
def get_nodes_deployed_state(self):
if not self.environment().has_snapshot('nodes-deployed'):
self.ci().get_empty_state()
self.update_modules()
self.remote().execute("killall bootstrap_admin_node.sh")
write_config(
self.remote(), "/root/fuel.defaults",
iso_master.get_config(
hostname="master",
domain="localdomain",
management_interface=INTERFACES["internal"],
management_ip=self.nodes(
).masters[0].get_ip_address_by_network_name("internal"),
management_mask=self.ci().internal_net_mask(),
external_interface=INTERFACES["public"],
dhcp_start_address=IPNetwork(
self.ci().internal_network())[50],
dhcp_end_address=IPNetwork(
self.ci().internal_network())[100],
mirror_type='custom',
external_ip="",
external_mask="",
parent_proxy=PARENT_PROXY,
puppet_master_version=PUPPET_MASTER_VERSION))
self.remote().execute(
"/usr/local/sbin/bootstrap_admin_node.sh --batch-mode")
self.prepare_cobbler_environment()
self.environment().revert('nodes-deployed')
for node in self.nodes():
node. await ('internal')
def clean(self):
cdata = self.cleaned_data
ipv4vip = cdata.get("alias_vip")
ipv4addr = cdata.get("alias_v4address")
ipv4net = cdata.get("alias_v4netmaskbit")
ipv6addr = cdata.get("alias_v6address")
ipv6net = cdata.get("alias_v6netmaskbit")
ipv4 = True if ipv4addr and ipv4net else False
ipv6 = True if ipv6addr and ipv6net else False
# IF one field of ipv4 is entered, require the another
if (ipv4addr or ipv4net) and not ipv4:
if not ipv4addr and not self._errors.get('alias_v4address'):
self._errors['alias_v4address'] = self.error_class([
_("You have to specify IPv4 address as well per alias"),
])
if not ipv4net and 'alias_v4netmaskbit' not in self._errors:
self._errors['alias_v4netmaskbit'] = self.error_class([
_("You have to choose IPv4 netmask as well per alias"),
])
# IF one field of ipv6 is entered, require the another
if (ipv6addr or ipv6net) and not ipv6:
if not ipv6addr and not self._errors.get('alias_v6address'):
self._errors['alias_v6address'] = self.error_class([
_("You have to specify IPv6 address as well per alias"),
])
if not ipv6net:
self._errors['alias_v6netmaskbit'] = self.error_class([
_("You have to choose IPv6 netmask as well per alias"),
])
if ipv6 and ipv4:
self._errors['__all__'] = self.error_class([
_("You have to choose between IPv4 or IPv6 per alias"),
])
configured_vip = False
if ipv4vip and hasattr(self, 'parent'):
iface = self.parent.instance
ip = IPNetwork('%s/32' % ipv4vip)
network = IPNetwork('%s/%s' % (
iface.int_ipv4address,
iface.int_v4netmaskbit,
))
if ip.overlaps(network):
configured_vip = True
if (
not configured_vip and not ipv6 and not (ipv6addr or ipv6net) and
not ipv4 and not (ipv4addr or ipv4net)
):
self._errors['__all__'] = self.error_class([
_("You must specify either an valid IPv4 or IPv6 with maskbit "
"per alias"),
])
return cdata
def clean(self):
cdata = self.cleaned_data
ipv4key = 'int_ipv4address'
ipv4addr = cdata.get(ipv4key)
ipv4addr_b = cdata.get('int_ipv4address_b')
ipv4net = cdata.get("int_v4netmaskbit")
if ipv4addr and ipv4addr_b and ipv4net:
network = IPNetwork('%s/%s' % (ipv4addr, ipv4net))
if not network.overlaps(IPNetwork('%s/%s' %
(ipv4addr_b, ipv4net))):
self._errors['int_ipv4address_b'] = self.error_class(
[_('The IP must be within the same network')])
ipv6addr = cdata.get("int_ipv6address")
ipv6net = cdata.get("int_v6netmaskbit")
ipv4 = True if ipv4addr and ipv4net else False
ipv6 = True if ipv6addr and ipv6net else False
# IF one field of ipv4 is entered, require the another
if (ipv4addr or ipv4net) and not ipv4:
if not (ipv4addr or ipv4addr_b) and not self._errors.get(ipv4key):
self._errors[ipv4key] = self.error_class([
_("You have to specify IPv4 address as well"),
])
if not ipv4net and 'int_v4netmaskbit' not in self._errors:
self._errors['int_v4netmaskbit'] = self.error_class([
_("You have to choose IPv4 netmask as well"),
])
# IF one field of ipv6 is entered, require the another
if (ipv6addr or ipv6net) and not ipv6:
if not ipv6addr and not self._errors.get('int_ipv6address'):
self._errors['int_ipv6address'] = self.error_class([
_("You have to specify IPv6 address as well"),
])
if not ipv6net:
self._errors['int_v6netmaskbit'] = self.error_class([
_("You have to choose IPv6 netmask as well"),
])
if ipv6 and ipv4:
self._errors['__all__'] = self.error_class([
_("You have to choose between IPv4 or IPv6"),
])
vip = cdata.get("int_vip")
dhcp = cdata.get("int_dhcp")
if not dhcp:
if vip and not ipv4addr_b:
self._errors['int_ipv4address_b'] = self.error_class(
[_("This field is required for failover")])
if vip and not ipv4addr:
self._errors['int_ipv4address'] = self.error_class(
[_("This field is required for failover")])
return cdata
def router(self, router_name=None):
router_name = router_name or self.admin_net
if router_name == self.admin_net2:
return str(
IPNetwork(self.get_virtual_environment().network_by_name(
router_name).ip_network)[2])
return str(
IPNetwork(self.get_virtual_environment().network_by_name(
router_name).ip_network)[1])
def __chk_ip(self, tnode, my_ip):
if IPNetwork(my_ip) in tnode.key:
return tnode
else:
sub = tnode.subs[IPNetwork(my_ip) >
tnode.key] # k is in left or right?
if sub != NIL_NODE: # we have a subtree that side
return self.__chk_ip(sub, my_ip)
else:
return None
def clean_alias_v4netmaskbit(self):
vip = self.cleaned_data.get("alias_vip")
ip = self.cleaned_data.get("alias_v4address")
nw = self.cleaned_data.get("alias_v4netmaskbit")
if not nw or not ip:
return nw
network = IPNetwork('%s/%s' % (ip, nw))
if vip:
if not network.overlaps(IPNetwork('%s/%s' % (vip, nw))):
raise forms.ValidationError(_(
'Virtual IP is not in the same network'
))
if (
self.instance.id and
self.instance.alias_interface.int_interface.startswith('carp')
):
return nw
used_networks = []
qs = models.Interfaces.objects.all().exclude(
int_interface__startswith='carp'
)
if self.instance.id:
qs = qs.exclude(id=self.instance.alias_interface.id)
elif self.parent.instance.id:
qs = qs.exclude(id=self.parent.instance.id)
for iface in qs:
if iface.int_v4netmaskbit:
used_networks.append(
IPNetwork('%s/%s' % (
iface.int_ipv4address,
iface.int_v4netmaskbit,
))
)
for alias in iface.alias_set.all():
if alias.alias_v4netmaskbit:
used_networks.append(
IPNetwork('%s/%s' % (
alias.alias_v4address,
alias.alias_v4netmaskbit,
))
)
for unet in used_networks:
if unet.overlaps(network):
raise forms.ValidationError(
_("The network %s is already in use by another NIC.") % (
network.masked(),
)
)
return nw
def load_cluster_networks(self):
self.cluster_net = None
self.public_net = None
osd = self.get_alive_osd()
if osd is not None:
cluster_net_str = osd.config.get('cluster_network')
if cluster_net_str is not None and cluster_net_str != "":
self.cluster_net = IPNetwork(cluster_net_str)
public_net_str = osd.config.get('public_network', None)
if public_net_str is not None and public_net_str != "":
self.public_net = IPNetwork(public_net_str)
def one():
environment = Environment.create('cdrom')
internal_pool = Network.create_network_pool(
networks=[IPNetwork('10.108.0.0/16')], prefix=24)
private_pool = Network.create_network_pool(
networks=[IPNetwork('10.108.0.0/16')], prefix=24)
external_pool = Network.create_network_pool(
networks=[IPNetwork('172.18.95.0/24')], prefix=27)
internal = Network.network_create(environment=environment,
name='internal',
pool=internal_pool)
external = Network.network_create(environment=environment,
name='external',
pool=external_pool,
forward='nat')
private = Network.network_create(environment=environment,
name='private',
pool=private_pool)
for i in range(1, 2):
node = Node.node_create(name='test_node' + str(i),
environment=environment)
Interface.interface_create(node=node, network=internal)
Interface.interface_create(node=node, network=external)
Interface.interface_create(node=node, network=private)
volume = Volume.volume_get_predefined(
'/var/lib/libvirt/images/centos63-cobbler-base.qcow2')
v3 = Volume.volume_create_child('test_vp895' + str(i),
backing_store=volume,
environment=environment)
v4 = Volume.volume_create_child('test_vp896' + str(i),
backing_store=volume,
environment=environment)
DiskDevice.node_attach_volume(node=node, volume=v3)
DiskDevice.node_attach_volume(node, v4)
DiskDevice.node_attach_volume(
node,
Volume.volume_get_predefined(
'/var/lib/libvirt/images/fuel-centos-6.3-x86_64.iso'),
device='cdrom',
bus='sata')
environment.define()
environment.start()
remotes = []
for node in environment.get_nodes():
node. await ('internal')
node.remote('internal', 'root', 'r00tme').check_stderr('ls -la',
verbose=True)
remotes.append(node.remote('internal', 'root', 'r00tme'))
SSHClient.execute_together(remotes, 'ls -la')
def _fix_connected_route(self, ifaceobj, vifacename, addr):
#
# XXX: Hack to make sure the primary address
# is the first in the routing table.
#
# We use `ip route get` on the vrr network to see which
# device the kernel returns. if it is the mac vlan device,
# flap the macvlan device to adjust the routing table entry.
#
# flapping the macvlan device makes sure the macvlan
# connected route goes through delete + add, hence adjusting
# the order in the routing table.
#
try:
self.logger.info('%s: checking route entry ...' % ifaceobj.name)
ip = IPNetwork(addr)
route_prefix = '%s/%d' % (ip.network, ip.prefixlen)
dev = self.ipcmd.ip_route_get_dev(route_prefix)
if dev and dev == vifacename:
self.logger.info(
'%s: preferred routing entry ' % ifaceobj.name +
'seems to be of the macvlan dev %s' % vifacename +
' .. flapping macvlan dev to fix entry.')
self.ipcmd.link_down(vifacename)
self.ipcmd.link_up(vifacename)
except Exception, e:
self.logger.debug('%s: fixing route entry failed (%s)' % str(e))
pass
def configure_second_admin_cobbler(self):
dhcp_template = '/etc/cobbler/dnsmasq.template'
remote = self.get_admin_remote()
main_admin_ip = str(self.nodes().admin.get_ip_address_by_network_name(
self.admin_net))
second_admin_ip = str(self.nodes().admin.get_ip_address_by_network_name(
self.admin_net2))
second_admin_network = self.get_network(self.admin_net2).split('/')[0]
second_admin_netmask = self.get_net_mask(self.admin_net2)
network = IPNetwork('{0}/{1}'.format(second_admin_network,
second_admin_netmask))
discovery_subnet = [net for net in network.iter_subnets(1)][-1]
first_discovery_address = str(discovery_subnet.network)
last_discovery_address = str(discovery_subnet.broadcast - 1)
new_range = ('dhcp-range=internal2,{0},{1},{2}\\n'
'dhcp-option=net:internal2,option:router,{3}\\n'
'dhcp-boot=net:internal2,pxelinux.0,boothost,{4}\\n').\
format(first_discovery_address, last_discovery_address,
second_admin_netmask, second_admin_ip, main_admin_ip)
cmd = ("dockerctl shell cobbler sed -r '$a \{0}' -i {1};"
"dockerctl shell cobbler cobbler sync").format(
new_range, dhcp_template)
result = remote.execute(cmd)
assert_equal(result['exit_code'], 0,
('Failed to add second admin'
'network to cobbler: {0}').format(result))
def afi_match(host):
if host == "any":
return True
elif IPNetwork(host).version == afi:
return True
else:
return False
def test_ip_blacklist(self):
http.DISALLOWED_IPS = set([
IPNetwork('127.0.0.1'),
IPNetwork('::1'),
IPNetwork('10.0.0.0/8')
])
with pytest.raises(SuspiciousOperation):
http.safe_urlopen('http://127.0.0.1')
with pytest.raises(SuspiciousOperation):
http.safe_urlopen('http://10.0.0.10')
with pytest.raises(SuspiciousOperation):
# '2130706433' is dword for '127.0.0.1'
http.safe_urlopen('http://2130706433')
with pytest.raises(SuspiciousOperation):
# ipv6
http.safe_urlopen('http://[::1]')
def is_valid_url(url):
"""
Tests a URL to ensure it doesn't appear to be a blacklisted IP range.
"""
parsed = urlparse(url)
if not parsed.hostname:
return False
server_hostname = get_server_hostname()
if parsed.hostname == server_hostname:
return True
try:
ip_address = socket.gethostbyname(parsed.hostname)
except socket.gaierror:
return False
if ip_address == server_hostname:
return True
ip_network = IPNetwork(ip_address)
for addr in DISALLOWED_IPS:
if ip_network in addr:
return False
return True
def __init__(self, network):
#XXX: overload type?
self.network = IPNetwork(network)
self.managed_addresses = []
self.unmanaged_addresses = self.addresses
#XXX: should auto call save?
print "Instantiated NetworkManager for %s" % self.network
def get_normalized_ipv6_line(line):
"""
Return a normalized IPv6 line as produced by frr,
with all letters in lower case and trailing and leading
zeros removed, and only the network portion present if
the IPv6 word is a network
"""
norm_line = ""
words = line.split(' ')
for word in words:
if ":" in word:
norm_word = None
if "/" in word:
try:
v6word = IPNetwork(word)
norm_word = '%s/%s' % (v6word.network, v6word.prefixlen)
except ValueError:
pass
if not norm_word:
try:
norm_word = '%s' % IPv6Address(word)
except ValueError:
norm_word = word
else:
norm_word = word
norm_line = norm_line + " " + norm_word
return norm_line.strip()
def get(self):
esstore = current_app.extensions['es_access_store']
mpstore = current_app.extensions['mp_access_store']
args = self.parser.parse_args()
event = args['event'][:120]
auth_token = request.headers.get('Auth-Token')
ip_resolver = current_app.config['IP_RESOLVER']
ip = RateLimiter.get_remote_addr()
ip_net = IPNetwork(ip)
resolved_org = ip_resolver['default']
for net, org in ip_resolver.items():
if isinstance(net, (IPv4Network, IPv6Network)):
if net.overlaps(ip_net):
resolved_org = org
break
data = dict(ip=ip,
org=resolved_org,
host=request.host,
timestamp=datetime.now(),
event=event)
if auth_token:
payload = TokenAuthentication.get_payload_from_token(auth_token)
data['app_name'] = payload['app_name']
# esstore.store_event(data)
mpstore.store_event(data)
data['timestamp'] = str(data['timestamp'])
return CTTVResponse.OK(SimpleResult(None, data=data))
def idx_lastDecimalIp(self):
last_decimal_ip = None
if isip(self.id):
net = IPNetwork(ipunwrap(self.id))
first_decimal_ip = long(int(net.network))
last_decimal_ip = str(long(first_decimal_ip + math.pow(2, net.max_prefixlen - self.netmask) - 1))
return last_decimal_ip
def clean_whitelist_ip(self):
data = self.cleaned_data['whitelist_ip']
if data:
try:
address = IPNetwork(data)
if address.version == 4:
if address.prefixlen < settings.WHITELIST_IP_MAX_SUBNET_V4:
error = _(
"Currently no prefix lengths < %s are allowed"
) % settings.WHITELIST_IP_MAX_SUBNET_V4
raise forms.ValidationError(error)
if address.version == 6:
if address.prefixlen < settings.WHITELIST_IP_MAX_SUBNET_V6:
error = _(
"Currently no prefix lengths < %s are allowed"
) % settings.WHITELIST_IP_MAX_SUBNET_V6
raise forms.ValidationError(error)
if address.is_unspecified:
raise forms.ValidationError('Address is unspecified')
except ValueError:
raise forms.ValidationError(
_('%(address)s is not a valid address') %
{'address': data})
data = address.compressed
return data
def forwards(self, orm):
"Write your forwards methods here."
# Note: Remember to use orm['appname.ModelName'] rather than "from appname.models..."
for share in orm['sharing.NFS_Share'].objects.all():
net = share.nfs_network
net = re.sub(r'\s{2,}|\n', ' ', net).strip()
networks = []
hosts = []
for n in net.split(' '):
try:
IPNetwork(n.encode('utf-8'))
if n.find("/") == -1:
raise ValueError(n)
networks.append(n)
except:
hosts.append(n)
share.nfs_network = ' '.join(networks)
share.nfs_hosts = ' '.join(hosts)
spath = orm['sharing.NFS_Share_Path']()
spath.path = share.nfs_path
spath.share = share
spath.save()
share.save()
def _syntax_check_multiple_gateway(self, family, found, addr, type_obj):
if type(IPNetwork(addr)) == type_obj:
if found:
raise Exception('%s: multiple gateways for %s family' %
(addr, family))
return True
return False
def gen_nets(self, locations, infile):
for row in csv.DictReader(infile):
nets = [IPNetwork(row['network'])]
org = decode_text(row['autonomous_system_organization'])
asn = row['autonomous_system_number']
entry = u'AS{} {}'.format(asn, org)
yield nets, (serialize_text(entry),)
def create_networks(self, name, l2_device_config, address_pools):
# TODO(ddmitriev): use 'address_pool' attribute to get the address_pool
# for 'l2_device' as an object
# Get address_pool from 'address_pools' object
if 'address_pool' in l2_device_config:
address_pool = address_pools[l2_device_config['address_pool']]
networks, prefix = address_pool['net'].split(':')
ip_networks = [IPNetwork(x) for x in networks.split(',')]
new_prefix = int(prefix)
pool = Network.create_network_pool(networks=ip_networks,
prefix=new_prefix)
else:
pool = None
if 'forward' in l2_device_config:
forward = l2_device_config['forward']['mode']
else:
forward = None
has_dhcp_server = (l2_device_config.get('dhcp', 'false') == 'true')
net = Network.network_create(
name=name,
environment=self,
pool=pool,
forward=forward,
has_dhcp_server=has_dhcp_server)
net.define()
return net
def get_ip_obj(cls, module_name, ifname, addr):
if addr:
try:
return IPNetwork(addr) if '/' in addr else IPAddress(addr)
except Exception as e:
cls.logger.warning('%s: %s: %s' % (module_name, ifname, str(e)))
return None
def gen_nets(self, locations, infile):
for row in csv.DictReader(infile):
location = locations.get(row['geoname_id'])
if location is None:
continue
nets = [IPNetwork(row['network'])]
country_iso_code = location['country_iso_code'] or location[
'continent_code']
fips_code = geoname2fips.get(location['geoname_id'])
if fips_code is None:
logging.debug('Missing fips-10-4 for {}'.format(
location['subdivision_1_name']))
fips_code = '00'
else:
logging.debug('fips-10-4 for {} is {}'.format(
location['subdivision_1_name'], fips_code))
yield nets, (
country_iso_code,
serialize_text(fips_code), # region
serialize_text(decode_text(location['city_name'])),
serialize_text(row['postal_code']),
row['latitude'],
row['longitude'],
location['metro_code'],
'') # area_code
def get_network(ip):
try:
address = IPNetwork(ip)
except Exception:
return (False, _('Invalid network address format'))
else:
return (True, address)
def _contain_public_ip(data, _used_networks):
_has_public_ip = False
_ip_regex = (r'\b((\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5])\.){3}'
r'(\d|[1-9]\d|1\d{2}|2[0-4]\d|25[0-5])\b')
_not_public_regex = [
r'\b10(\.\d{1,3}){3}',
r'\b127(\.\d{1,3}){3}',
r'\b169\.254(\.\d{1,3}){2}',
r'172\.(1[6-9]|2[0-9]|3[0-1])(\.\d{1,3}){2}',
r'192\.168(\.\d{1,3}){2}',
r'2(2[4-9]|[3-5][0-9])(\.\d{1,3}){3}'
]
for _match in re.finditer(_ip_regex, data):
# If IP address isn't public and doesn't belong to defined for
# deployment pools (e.g. admin, public, storage), then skip it
if any(re.search(_r, _match.group()) for _r in _not_public_regex) \
and not any(IPAddress(_match.group()) in IPNetwork(net) for
net in _used_networks):
continue
logger.debug('Usage statistics with public IP(s):\n {0}'.
format(data))
logger.error('Found public IP in usage statistics: "{0}"'.format(
_match.group()))
_has_public_ip = True
return _has_public_ip
def is_valid_url(url):
"""
Tests a URL to ensure it doesn't appear to be a blacklisted IP range.
"""
# If we have no disallowed ips, we can skip any further validation
# and there's no point in doing a DNS lookup to validate against
# an empty list.
if not DISALLOWED_IPS:
return True
parsed = urlparse(url)
if not parsed.hostname:
return False
server_hostname = get_server_hostname()
if parsed.hostname == server_hostname:
return True
try:
ip_address = socket.gethostbyname(parsed.hostname)
except socket.gaierror:
return False
if ip_address == server_hostname:
return True
ip_network = IPNetwork(ip_address)
for addr in DISALLOWED_IPS:
if ip_network in addr:
return False
return True
def do_add_netrange(self, cidr):
''' Add a known CIDR owned by the target eg: 8.8.8.0/23 '''
ip = cidr.split('/')[0]
whoisObj = IPWhois(ip)
whois = whoisObj.lookup_whois
for x in whois()['nets']:
print(x['description'])
host_lookup = input("Do a host lookup on each address (y/n)? ")
if cidr != "":
target.networks.append(cidr)
netrange = IPNetwork(cidr)
else:
print("You have to specify a cidr")
netrange = input("Network? (eg:192.168.0.1/30)")
if cidr != "":
if host_lookup.lower() == 'y':
for ip in netrange:
ip = str(ip)
self.add_new_ip(ip, source="{}".format('manual_cidr'))
fqdn = str(socket.getfqdn(ip))
if fqdn not in target.master[ip]['fqdns']:
target.master[ip]['fqdns'].append(fqdn)
print("Added: {}\t{}".format(ip, fqdn))
else:
for ip in netrange:
ip = str(ip)
if ip not in target.master.keys():
self.add_new_ip(ip, source="{}".format('manual_cidr'))
def call_proxy_url(request, uuid):
context = request.GET.get('context')
ip = IPAddress(request.META['REMOTE_ADDR'])
for subnet in TrustedSubnet.objects.all():
if ip in IPNetwork(subnet.subnet):
break
else:
return HttpResponseForbidden()
proxy_url = get_object_or_404(
ProxyUrl.objects.filter(uuid=uuid, context=context, subnet=subnet))
proxy_url.last_access = datetime.now()
proxy_url.save()
view, args, kwargs = resolve(proxy_url.url)
user = proxy_url.user
user.backend = proxy_url.user_backend or \
settings.AUTHENTICATION_BACKENDS[0]
login(request, user)
request.proxy_url = proxy_url
kwargs['request'] = request
return view(*args, **kwargs)
