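    def setup_basic_filtering(self, instance, network_info=None):
        """Set up basic filtering (MAC, IP, and ARP spoofing protection).

        Defines one per-NIC libvirt nwfilter for the instance whose only
        child is the static base filter: 'nova-vpn' for instances booted
        from the VPN image, 'nova-base' otherwise.

        Args:
            instance: instance record; ``instance['image_ref']`` selects
                the base filter.
            network_info: list of ``(network, mapping)`` pairs; looked up
                via ``netutils.get_network_info`` when not supplied.

        Returns:
            None. Does nothing when ``self.handle_security_groups`` is set,
            because the full security-group filter set replaces this one.
        """
        logging.info('called setup_basic_filtering in nwfilter')

        if self.handle_security_groups:
            # No point in setting up a filter set that we'll be overriding
            # anyway -- so don't fetch network_info for it either.
            return

        if not network_info:
            network_info = netutils.get_network_info(instance)

        logging.info('ensuring static filters')
        self._ensure_static_filters()

        if instance['image_ref'] == str(FLAGS.vpn_image_id):
            base_filter = 'nova-vpn'
        else:
            base_filter = 'nova-base'

        for (_network, mapping) in network_info:
            # The colon-less MAC makes the per-NIC filter name unique.
            nic_id = mapping['mac'].replace(':', '')
            instance_filter_name = self._instance_filter_name(instance, nic_id)
            self._define_filter(
                self._filter_container(instance_filter_name, [base_filter]))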
    def unfilter_instance(self, instance, network_info=None):
        """Clear out the nwfilter rules.

        Undefines the per-NIC filters and then the ``-secgroup`` container
        filter of ``instance``. A filter libvirt does not know is logged at
        debug level and skipped.
        """
        if not network_info:
            network_info = netutils.get_network_info(instance)
        instance_name = instance.name

        # One filter per NIC, named from the instance and the colon-less MAC.
        for (_network, mapping) in network_info:
            nic_id = mapping['mac'].replace(':', '')
            instance_filter_name = self._instance_filter_name(instance, nic_id)
            try:
                self._conn.nwfilterLookupByName(instance_filter_name).undefine()
            except libvirt.libvirtError:
                LOG.debug(
                    _('The nwfilter(%(instance_filter_name)s) '
                      'for %(instance_name)s is not found.')
                    % {'instance_filter_name': instance_filter_name,
                       'instance_name': instance_name})

        # The security-group container filter shared by all NICs.
        instance_secgroup_filter_name = (
            '%s-secgroup' % (self._instance_filter_name(instance)))
        try:
            self._conn.nwfilterLookupByName(
                instance_secgroup_filter_name).undefine()
        except libvirt.libvirtError:
            LOG.debug(
                _('The nwfilter(%(instance_secgroup_filter_name)s) '
                  'for %(instance_name)s is not found.')
                % {'instance_secgroup_filter_name':
                       instance_secgroup_filter_name,
                   'instance_name': instance_name})
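    def setup_basic_filtering(self, instance, network_info=None):
        """Set up basic filtering (MAC, IP, and ARP spoofing protection).

        Defines one per-NIC libvirt nwfilter for the instance whose only
        child is the static base filter: 'nova-vpn' for instances booted
        from the VPN image, 'nova-base' otherwise.

        Args:
            instance: instance record; ``instance['image_ref']`` selects
                the base filter.
            network_info: list of ``(network, mapping)`` pairs; looked up
                via ``netutils.get_network_info`` when not supplied.

        Returns:
            None. Does nothing when ``self.handle_security_groups`` is set,
            because the full security-group filter set replaces this one.
        """
        logging.info('called setup_basic_filtering in nwfilter')

        if self.handle_security_groups:
            # No point in setting up a filter set that we'll be overriding
            # anyway -- so don't fetch network_info for it either.
            return

        if not network_info:
            network_info = netutils.get_network_info(instance)

        logging.info('ensuring static filters')
        self._ensure_static_filters()

        if instance['image_ref'] == str(FLAGS.vpn_image_id):
            base_filter = 'nova-vpn'
        else:
            base_filter = 'nova-base'

        for (_network, mapping) in network_info:
            # The colon-less MAC makes the per-NIC filter name unique.
            nic_id = mapping['mac'].replace(':', '')
            instance_filter_name = self._instance_filter_name(instance, nic_id)
            self._define_filter(
                self._filter_container(instance_filter_name, [base_filter]))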
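 def do_refresh_security_group_rules(self,
                                     security_group,
                                     network_info=None):
     """Rebuild the iptables filters of every tracked instance.

     Args:
         security_group: the group whose rules changed. Currently unused:
             every instance in ``self.instances`` is refreshed regardless.
         network_info: optional ``(network, mapping)`` list applied to
             every instance. When omitted, each instance's own network
             info is looked up separately -- the lookup must not be
             cached across iterations, or every instance after the first
             would be filtered with the first instance's addresses.
     """
     for instance in self.instances.values():
         self.remove_filters_for_instance(instance)
         # Resolve per instance; never let one instance's lookup leak into
         # the next iteration through the shared `network_info` name.
         instance_network_info = network_info
         if not instance_network_info:
             instance_network_info = netutils.get_network_info(instance)
         self.add_filters_for_instance(instance, instance_network_info)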
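 def do_refresh_security_group_rules(self,
                                     security_group,
                                     network_info=None):
     """Rebuild the iptables filters of every tracked instance.

     Args:
         security_group: the group whose rules changed. Currently unused:
             every instance in ``self.instances`` is refreshed regardless.
         network_info: optional ``(network, mapping)`` list applied to
             every instance. When omitted, each instance's own network
             info is looked up separately -- the lookup must not be
             cached across iterations, or every instance after the first
             would be filtered with the first instance's addresses.
     """
     for instance in self.instances.values():
         self.remove_filters_for_instance(instance)
         # Resolve per instance; never let one instance's lookup leak into
         # the next iteration through the shared `network_info` name.
         instance_network_info = network_info
         if not instance_network_info:
             instance_network_info = netutils.get_network_info(instance)
         self.add_filters_for_instance(instance, instance_network_info)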
 def setup_basic_filtering(self, instance, network_info=None):
     """Set up provider rules and basic NWFilter.

     The per-instance anti-spoofing filters are delegated to the nwfilter
     driver on every call; the provider-wide iptables rules are installed
     only the first time, tracked by ``self.basicly_filtered``.
     """
     if not network_info:
         network_info = netutils.get_network_info(instance)
     self.nwfilter.setup_basic_filtering(instance, network_info)
     if self.basicly_filtered:
         return
     LOG.debug(_('iptables firewall: Setup Basic Filtering'))
     self.refresh_provider_fw_rules()
     self.basicly_filtered = True
 def setup_basic_filtering(self, instance, network_info=None):
     """Set up provider rules and basic NWFilter.

     The per-instance anti-spoofing filters are delegated to the nwfilter
     driver on every call; the provider-wide iptables rules are installed
     only the first time, tracked by ``self.basicly_filtered``.
     """
     if not network_info:
         network_info = netutils.get_network_info(instance)
     self.nwfilter.setup_basic_filtering(instance, network_info)
     if self.basicly_filtered:
         return
     LOG.debug(_('iptables firewall: Setup Basic Filtering'))
     self.refresh_provider_fw_rules()
     self.basicly_filtered = True
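 def instance_filter_exists(self, instance):
     """Check nova-instance-instance-xxx exists.

     Returns True only if libvirt knows a per-NIC nwfilter for every NIC
     of ``instance``; the first missing filter ends the scan with False.
     """
     network_info = netutils.get_network_info(instance)
     for (_network, mapping) in network_info:
         nic_id = mapping['mac'].replace(':', '')
         instance_filter_name = self._instance_filter_name(instance, nic_id)
         try:
             self._conn.nwfilterLookupByName(instance_filter_name)
         except libvirt.libvirtError:
             name = instance.name
             # Keep the space after 'for': the literals are concatenated.
             LOG.debug(_('The nwfilter(%(instance_filter_name)s) for '
                         '%(name)s is not found.') % locals())
             return False
     return True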
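    def prepare_instance_filter(self, instance, network_info=None):
        """Creates an NWFilter for the given instance.

        In the process, it makes sure the filters for the provider blocks,
        security groups, and base filter are all in place.

        Args:
            instance: instance record; ``instance['id']`` selects its
                security groups.
            network_info: list of ``(network, mapping)`` pairs; looked up
                via ``netutils.get_network_info`` when not supplied.
        """
        if not network_info:
            network_info = netutils.get_network_info(instance)

        self.refresh_provider_fw_rules()

        ctxt = context.get_admin_context()

        instance_secgroup_filter_name = \
            '%s-secgroup' % (self._instance_filter_name(instance))

        instance_secgroup_filter_children = ['nova-base-ipv4',
                                             'nova-base-ipv6',
                                             'nova-allow-dhcp-server']

        if FLAGS.use_ipv6:
            # Router advertisements are only expected on networks that
            # actually have an IPv6 gateway.
            has_v6_gateway = any(network['gateway_v6']
                                 for (network, _m) in network_info)
            if has_v6_gateway:
                instance_secgroup_filter_children.append(
                    'nova-allow-ra-server')

        for security_group in \
                db.security_group_get_by_instance(ctxt, instance['id']):
            self.refresh_security_group_rules(security_group['id'])
            instance_secgroup_filter_children.append('nova-secgroup-%s' %
                                                     security_group['id'])

        # Define the per-instance security-group container exactly once,
        # after every child is known -- and even when the instance belongs
        # to no security group, since the per-NIC filters built below are
        # handed this name and presumably reference it.
        self._define_filter(
            self._filter_container(instance_secgroup_filter_name,
                                   instance_secgroup_filter_children))

        network_filters = self._create_network_filters(
            instance, network_info, instance_secgroup_filter_name)

        for (name, children) in network_filters:
            self._define_filters(name, children)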
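 def instance_filter_exists(self, instance):
     """Check nova-instance-instance-xxx exists.

     Returns True only if libvirt knows a per-NIC nwfilter for every NIC
     of ``instance``; the first missing filter ends the scan with False.
     """
     network_info = netutils.get_network_info(instance)
     for (_network, mapping) in network_info:
         nic_id = mapping['mac'].replace(':', '')
         instance_filter_name = self._instance_filter_name(instance, nic_id)
         try:
             self._conn.nwfilterLookupByName(instance_filter_name)
         except libvirt.libvirtError:
             name = instance.name
             # Keep the space after 'for': the literals are concatenated.
             LOG.debug(_('The nwfilter(%(instance_filter_name)s) for '
                         '%(name)s is not found.') % locals())
             return False
     return True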
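    def prepare_instance_filter(self, instance, network_info=None):
        """Creates an NWFilter for the given instance.

        In the process, it makes sure the filters for the provider blocks,
        security groups, and base filter are all in place.

        Args:
            instance: instance record; ``instance['id']`` selects its
                security groups.
            network_info: list of ``(network, mapping)`` pairs; looked up
                via ``netutils.get_network_info`` when not supplied.
        """
        if not network_info:
            network_info = netutils.get_network_info(instance)

        self.refresh_provider_fw_rules()

        ctxt = context.get_admin_context()

        instance_secgroup_filter_name = \
            '%s-secgroup' % (self._instance_filter_name(instance))

        instance_secgroup_filter_children = ['nova-base-ipv4',
                                             'nova-base-ipv6',
                                             'nova-allow-dhcp-server']

        if FLAGS.use_ipv6:
            # Router advertisements are only expected on networks that
            # actually have an IPv6 gateway.
            has_v6_gateway = any(network['gateway_v6']
                                 for (network, _m) in network_info)
            if has_v6_gateway:
                instance_secgroup_filter_children.append(
                    'nova-allow-ra-server')

        for security_group in \
                db.security_group_get_by_instance(ctxt, instance['id']):
            self.refresh_security_group_rules(security_group['id'])
            instance_secgroup_filter_children.append('nova-secgroup-%s' %
                                                     security_group['id'])

        # Define the per-instance security-group container exactly once,
        # after every child is known -- and even when the instance belongs
        # to no security group, since the per-NIC filters built below are
        # handed this name and presumably reference it.
        self._define_filter(
            self._filter_container(instance_secgroup_filter_name,
                                   instance_secgroup_filter_children))

        network_filters = self._create_network_filters(
            instance, network_info, instance_secgroup_filter_name)

        for (name, children) in network_filters:
            self._define_filters(name, children)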
    def unfilter_instance(self, instance, network_info=None):
        """Clear out the nwfilter rules.

        Undefines the per-NIC filters and then the ``-secgroup`` container
        filter of ``instance``. A filter libvirt does not know is logged at
        debug level and skipped.
        """
        if not network_info:
            network_info = netutils.get_network_info(instance)
        instance_name = instance.name

        # One filter per NIC, named from the instance and the colon-less MAC.
        for (_network, mapping) in network_info:
            nic_id = mapping['mac'].replace(':', '')
            instance_filter_name = self._instance_filter_name(instance, nic_id)
            try:
                self._conn.nwfilterLookupByName(instance_filter_name).undefine()
            except libvirt.libvirtError:
                LOG.debug(
                    _('The nwfilter(%(instance_filter_name)s) '
                      'for %(instance_name)s is not found.')
                    % {'instance_filter_name': instance_filter_name,
                       'instance_name': instance_name})

        # The security-group container filter shared by all NICs.
        instance_secgroup_filter_name = (
            '%s-secgroup' % (self._instance_filter_name(instance)))
        try:
            self._conn.nwfilterLookupByName(
                instance_secgroup_filter_name).undefine()
        except libvirt.libvirtError:
            LOG.debug(
                _('The nwfilter(%(instance_secgroup_filter_name)s) '
                  'for %(instance_name)s is not found.')
                % {'instance_secgroup_filter_name':
                       instance_secgroup_filter_name,
                   'instance_name': instance_name})
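    def unfilter_instance(self, instance, network_info=None):
        """Clear out the nwfilter rules.

        Undefines the per-NIC filters and then the ``-secgroup`` container
        filter of ``instance``. A filter libvirt does not know is logged at
        debug level and skipped, so tearing down a partially filtered
        instance is safe.

        Args:
            instance: instance record; ``instance.name`` is used in log
                messages and passed to ``_instance_filter_name``.
            network_info: optional list of ``(network, mapping)`` pairs,
                matching the signature of the sibling drivers; looked up
                via ``netutils.get_network_info`` when not supplied.
        """
        if not network_info:
            network_info = netutils.get_network_info(instance)
        instance_name = instance.name

        # One filter per NIC, named from the instance and the colon-less MAC.
        for (_network, mapping) in network_info:
            nic_id = mapping['mac'].replace(':', '')
            instance_filter_name = self._instance_filter_name(instance, nic_id)
            try:
                self._conn.nwfilterLookupByName(instance_filter_name).undefine()
            except libvirt.libvirtError:
                LOG.debug(
                    _('The nwfilter(%(instance_filter_name)s) '
                      'for %(instance_name)s is not found.')
                    % {'instance_filter_name': instance_filter_name,
                       'instance_name': instance_name})

        # The security-group container filter shared by all NICs.
        instance_secgroup_filter_name = (
            '%s-secgroup' % (self._instance_filter_name(instance)))
        try:
            self._conn.nwfilterLookupByName(
                instance_secgroup_filter_name).undefine()
        except libvirt.libvirtError:
            LOG.debug(
                _('The nwfilter(%(instance_secgroup_filter_name)s) '
                  'for %(instance_name)s is not found.')
                % {'instance_secgroup_filter_name':
                       instance_secgroup_filter_name,
                   'instance_name': instance_name})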
 def prepare_instance_filter(self, instance, network_info=None):
     """Register ``instance`` with the driver and install its filters.

     The instance is remembered in ``self.instances`` (keyed by id) so that
     later security-group refreshes can rebuild its rules; then its chains
     are added and the pending iptables changes are applied.
     """
     network_info = network_info or netutils.get_network_info(instance)
     self.instances[instance['id']] = instance
     self.add_filters_for_instance(instance, network_info)
     self.iptables.apply()
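    def instance_rules(self, instance, network_info=None):
        """Build the per-instance iptables and ip6tables rule lists.

        Args:
            instance: instance record; ``instance['id']`` selects the
                security groups whose rules are rendered.
            network_info: list of ``(network, mapping)`` pairs; looked up
                via ``netutils.get_network_info`` when not supplied.

        Returns:
            ``(ipv4_rules, ipv6_rules)``: two lists of iptables argument
            strings in insertion order -- drop INVALID, accept
            ESTABLISHED/RELATED, jump to the ``$provider`` chain, the DHCP
            and project-network accepts, one ACCEPT per security-group
            rule, and finally the jump to ``$sg-fallback`` (presumably the
            default-deny chain; its definition is not in this block).
        """
        if not network_info:
            network_info = netutils.get_network_info(instance)
        ctxt = context.get_admin_context()

        def _port_args(rule, version):
            """Return the port / ICMP-type match arguments for one rule."""
            if rule.protocol in ['udp', 'tcp']:
                if rule.from_port == rule.to_port:
                    return ['--dport', '%s' % (rule.from_port,)]
                return ['-m', 'multiport', '--dports',
                        '%s:%s' % (rule.from_port, rule.to_port)]
            if rule.protocol == 'icmp':
                # For ICMP rules from_port/to_port carry the type/code and
                # -1 means "any", so a -1 type matches every ICMP packet.
                icmp_type = rule.from_port
                icmp_code = rule.to_port
                if icmp_type == -1:
                    return []
                icmp_type_arg = '%s' % icmp_type
                if icmp_code != -1:
                    icmp_type_arg += '/%s' % icmp_code
                if version == 4:
                    return ['-m', 'icmp', '--icmp-type', icmp_type_arg]
                if version == 6:
                    return ['-m', 'icmp6', '--icmpv6-type', icmp_type_arg]
            return []

        # The stateful preamble is identical for both address families.
        preamble = [
            # Always drop invalid packets
            '-m state --state INVALID -j DROP',
            # Allow established connections
            '-m state --state ESTABLISHED,RELATED -j ACCEPT',
            # Pass through provider-wide drops
            '-j $provider',
        ]
        ipv4_rules = list(preamble)
        ipv6_rules = list(preamble)

        # Accept DHCP replies from each network's gateway address.
        for (_n, info) in network_info:
            ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 -j ACCEPT'
                              % (info['gateway'],))

        # Allow project network traffic
        if FLAGS.allow_project_net_traffic:
            for (network, _m) in network_info:
                ipv4_rules.append('-s %s -j ACCEPT' % (network['cidr'],))

        # We wrap these in FLAGS.use_ipv6 because they might cause
        # a DB lookup. The other ones are just list operations, so
        # they're not worth the clutter.
        if FLAGS.use_ipv6:
            # Allow RA responses
            for (_n, mapping) in network_info:
                ipv6_rules.append('-s %s/128 -p icmpv6 -j ACCEPT'
                                  % (mapping['gateway6'],))

            # Allow project network traffic
            if FLAGS.allow_project_net_traffic:
                for (network, _m) in network_info:
                    ipv6_rules.append('-s %s -j ACCEPT'
                                      % (network['cidr_v6'],))

        security_groups = db.security_group_get_by_instance(ctxt,
                                                            instance['id'])

        # then, security group chains and rules
        for security_group in security_groups:
            rules = db.security_group_rule_get_by_security_group(
                ctxt, security_group['id'])

            for rule in rules:
                LOG.debug(_('Adding security group rule: %r'), rule)

                if not rule.cidr:
                    # Eventually, a mechanism to grant access for security
                    # groups will turn up here. It'll use ipsets.
                    continue

                version = netutils.get_ip_version(rule.cidr)
                fw_rules = ipv4_rules if version == 4 else ipv6_rules

                protocol = rule.protocol
                if version == 6 and protocol == 'icmp':
                    protocol = 'icmpv6'

                # NOTE(review): a rule whose protocol is None would make the
                # join below raise TypeError; confirm the DB layer always
                # sets it, or decide explicitly how such rules render.
                args = ['-p', protocol, '-s', rule.cidr]
                args += _port_args(rule, version)
                args.append('-j ACCEPT')
                fw_rules.append(' '.join(args))

        ipv4_rules.append('-j $sg-fallback')
        ipv6_rules.append('-j $sg-fallback')

        return ipv4_rules, ipv6_rules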
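    def instance_rules(self, instance, network_info=None):
        """Build the per-instance iptables and ip6tables rule lists.

        Args:
            instance: instance record; ``instance['id']`` selects the
                security groups whose rules are rendered.
            network_info: list of ``(network, mapping)`` pairs; looked up
                via ``netutils.get_network_info`` when not supplied.

        Returns:
            ``(ipv4_rules, ipv6_rules)``: two lists of iptables argument
            strings in insertion order -- drop INVALID, accept
            ESTABLISHED/RELATED, jump to the ``$provider`` chain, the DHCP
            and project-network accepts, one ACCEPT per security-group
            rule, and finally the jump to ``$sg-fallback`` (presumably the
            default-deny chain; its definition is not in this block).
        """
        if not network_info:
            network_info = netutils.get_network_info(instance)
        ctxt = context.get_admin_context()

        def _port_args(rule, version):
            """Return the port / ICMP-type match arguments for one rule."""
            if rule.protocol in ['udp', 'tcp']:
                if rule.from_port == rule.to_port:
                    return ['--dport', '%s' % (rule.from_port,)]
                return ['-m', 'multiport', '--dports',
                        '%s:%s' % (rule.from_port, rule.to_port)]
            if rule.protocol == 'icmp':
                # For ICMP rules from_port/to_port carry the type/code and
                # -1 means "any", so a -1 type matches every ICMP packet.
                icmp_type = rule.from_port
                icmp_code = rule.to_port
                if icmp_type == -1:
                    return []
                icmp_type_arg = '%s' % icmp_type
                if icmp_code != -1:
                    icmp_type_arg += '/%s' % icmp_code
                if version == 4:
                    return ['-m', 'icmp', '--icmp-type', icmp_type_arg]
                if version == 6:
                    return ['-m', 'icmp6', '--icmpv6-type', icmp_type_arg]
            return []

        # The stateful preamble is identical for both address families.
        preamble = [
            # Always drop invalid packets
            '-m state --state INVALID -j DROP',
            # Allow established connections
            '-m state --state ESTABLISHED,RELATED -j ACCEPT',
            # Pass through provider-wide drops
            '-j $provider',
        ]
        ipv4_rules = list(preamble)
        ipv6_rules = list(preamble)

        # Accept DHCP replies from each network's gateway address.
        for (_n, info) in network_info:
            ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 -j ACCEPT'
                              % (info['gateway'],))

        # Allow project network traffic
        if FLAGS.allow_project_net_traffic:
            for (network, _m) in network_info:
                ipv4_rules.append('-s %s -j ACCEPT' % (network['cidr'],))

        # We wrap these in FLAGS.use_ipv6 because they might cause
        # a DB lookup. The other ones are just list operations, so
        # they're not worth the clutter.
        if FLAGS.use_ipv6:
            # Allow RA responses
            for (_n, mapping) in network_info:
                ipv6_rules.append('-s %s/128 -p icmpv6 -j ACCEPT'
                                  % (mapping['gateway6'],))

            # Allow project network traffic
            if FLAGS.allow_project_net_traffic:
                for (network, _m) in network_info:
                    ipv6_rules.append('-s %s -j ACCEPT'
                                      % (network['cidr_v6'],))

        security_groups = db.security_group_get_by_instance(ctxt,
                                                            instance['id'])

        # then, security group chains and rules
        for security_group in security_groups:
            rules = db.security_group_rule_get_by_security_group(
                ctxt, security_group['id'])

            for rule in rules:
                LOG.debug(_('Adding security group rule: %r'), rule)

                if not rule.cidr:
                    # Eventually, a mechanism to grant access for security
                    # groups will turn up here. It'll use ipsets.
                    continue

                version = netutils.get_ip_version(rule.cidr)
                fw_rules = ipv4_rules if version == 4 else ipv6_rules

                protocol = rule.protocol
                if version == 6 and protocol == 'icmp':
                    protocol = 'icmpv6'

                # NOTE(review): a rule whose protocol is None would make the
                # join below raise TypeError; confirm the DB layer always
                # sets it, or decide explicitly how such rules render.
                args = ['-p', protocol, '-s', rule.cidr]
                args += _port_args(rule, version)
                args.append('-j ACCEPT')
                fw_rules.append(' '.join(args))

        ipv4_rules.append('-j $sg-fallback')
        ipv6_rules.append('-j $sg-fallback')

        return ipv4_rules, ipv6_rules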
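    def instance_rules(self, instance, network_info=None):
        """Build the per-instance iptables and ip6tables rule lists.

        Args:
            instance: instance record; ``instance['id']`` selects the
                security groups whose rules are rendered.
            network_info: list of ``(network, mapping)`` pairs; looked up
                via ``netutils.get_network_info`` when not supplied.

        Returns:
            ``(ipv4_rules, ipv6_rules)``: two lists of iptables argument
            strings in insertion order -- drop INVALID, accept
            ESTABLISHED/RELATED, jump to the ``$provider`` chain, the DHCP
            and project-network accepts, one ACCEPT per security-group
            rule, and finally the jump to ``$sg-fallback`` (presumably the
            default-deny chain; its definition is not in this block).
        """
        if not network_info:
            network_info = netutils.get_network_info(instance)
        ctxt = context.get_admin_context()

        def _port_args(rule, version):
            """Return the port / ICMP-type match arguments for one rule."""
            if rule.protocol in ['udp', 'tcp']:
                if rule.from_port == rule.to_port:
                    return ['--dport', '%s' % (rule.from_port,)]
                return ['-m', 'multiport', '--dports',
                        '%s:%s' % (rule.from_port, rule.to_port)]
            if rule.protocol == 'icmp':
                # For ICMP rules from_port/to_port carry the type/code and
                # -1 means "any", so a -1 type matches every ICMP packet.
                icmp_type = rule.from_port
                icmp_code = rule.to_port
                if icmp_type == -1:
                    return []
                icmp_type_arg = '%s' % icmp_type
                if icmp_code != -1:
                    icmp_type_arg += '/%s' % icmp_code
                if version == 4:
                    return ['-m', 'icmp', '--icmp-type', icmp_type_arg]
                if version == 6:
                    return ['-m', 'icmp6', '--icmpv6-type', icmp_type_arg]
            return []

        # The stateful preamble is identical for both address families.
        preamble = [
            # Always drop invalid packets
            '-m state --state INVALID -j DROP',
            # Allow established connections
            '-m state --state ESTABLISHED,RELATED -j ACCEPT',
            # Pass through provider-wide drops
            '-j $provider',
        ]
        ipv4_rules = list(preamble)
        ipv6_rules = list(preamble)

        # Accept DHCP replies from each network's gateway address.
        for (_n, info) in network_info:
            ipv4_rules.append('-s %s -p udp --sport 67 --dport 68 -j ACCEPT'
                              % (info['gateway'],))

        # Allow project network traffic
        if FLAGS.allow_project_net_traffic:
            for (network, _m) in network_info:
                ipv4_rules.append('-s %s -j ACCEPT' % (network['cidr'],))

        # We wrap these in FLAGS.use_ipv6 because they might cause
        # a DB lookup. The other ones are just list operations, so
        # they're not worth the clutter.
        if FLAGS.use_ipv6:
            # Allow RA responses
            for (_n, mapping) in network_info:
                ipv6_rules.append('-s %s/128 -p icmpv6 -j ACCEPT'
                                  % (mapping['gateway6'],))

            # Allow project network traffic
            if FLAGS.allow_project_net_traffic:
                for (network, _m) in network_info:
                    ipv6_rules.append('-s %s -j ACCEPT'
                                      % (network['cidr_v6'],))

        security_groups = db.security_group_get_by_instance(ctxt,
                                                            instance['id'])

        # then, security group chains and rules
        for security_group in security_groups:
            rules = db.security_group_rule_get_by_security_group(
                ctxt, security_group['id'])

            for rule in rules:
                LOG.debug(_('Adding security group rule: %r'), rule)

                if not rule.cidr:
                    # Eventually, a mechanism to grant access for security
                    # groups will turn up here. It'll use ipsets.
                    continue

                version = netutils.get_ip_version(rule.cidr)
                fw_rules = ipv4_rules if version == 4 else ipv6_rules

                protocol = rule.protocol
                if version == 6 and protocol == 'icmp':
                    protocol = 'icmpv6'

                # NOTE(review): a rule whose protocol is None would make the
                # join below raise TypeError; confirm the DB layer always
                # sets it, or decide explicitly how such rules render.
                args = ['-p', protocol, '-s', rule.cidr]
                args += _port_args(rule, version)
                args.append('-j ACCEPT')
                fw_rules.append(' '.join(args))

        ipv4_rules.append('-j $sg-fallback')
        ipv6_rules.append('-j $sg-fallback')

        return ipv4_rules, ipv6_rules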
 def prepare_instance_filter(self, instance, network_info=None):
     """Register ``instance`` with the driver and install its filters.

     The instance is remembered in ``self.instances`` (keyed by id) so that
     later security-group refreshes can rebuild its rules; then its chains
     are added and the pending iptables changes are applied.
     """
     network_info = network_info or netutils.get_network_info(instance)
     self.instances[instance['id']] = instance
     self.add_filters_for_instance(instance, network_info)
     self.iptables.apply()
 def setup_basic_filtering(self, instance, network_info=None):
     """Use NWFilter from libvirt for this.

     MAC/IP/ARP anti-spoofing is delegated wholesale to the nwfilter
     driver; whatever it returns is passed straight back to the caller.
     """
     network_info = network_info or netutils.get_network_info(instance)
     return self.nwfilter.setup_basic_filtering(instance, network_info)