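def create_network_isolation_rules(self):
    """
    Build the iptables "network isolation" rule set for this module.

    Every whitespace-separated CIDR in ``self._allowed_networks`` becomes a pair
    of RETURN rules in the ``network_iso`` slot (input: source matches, output:
    destination matches) so traffic to/from an allowed network leaves the
    isolation chain early. After the allow rules, one ingress/egress reject rule
    is appended per IP transport that an allowed CIDR actually used.

    :return: A list of machine-subset rule objects (empty when nothing validated).
    """
    rules = []
    transports_seen = []

    _logger.debug('{0}: adding network isolation rules.'.format(self.get_name()))

    # str.split() with no separator drops empty tokens, so an empty
    # allowed_networks value (validate_config permits it) or doubled spaces no
    # longer yield a bogus "" CIDR and a spurious error log entry.
    for cidr in self._allowed_networks.split():

        # NOTE(review): the value used to be .encode('utf-8')-ed here. On
        # Python 3 that yields bytes and bytes.split('/') raises TypeError, so
        # the CIDR is kept as text and handed to the rule builders unchanged.
        if not validate_network_address(cidr):
            _logger.error('{0} unable to validate network cidr value "{1}"'.format(self.get_name(), cidr))
            continue

        # Derive the IP transport (v4/v6) from the address part only; partition()
        # tolerates a missing "/" instead of raising on unpack.
        ipaddr = cidr.partition('/')[0]
        transport = check_transport_value(ipaddr, ipt.TRANSPORT_AUTO)

        # Remember each transport once, in first-seen order, for the reject rules.
        if transport not in transports_seen:
            transports_seen.append(transport)

        allow_input = ipt.get_ring(
            u'input',
            transport,
            [ipt.get_rule(source_address=cidr, jump=ipt.get_jump(target=u'RETURN'))]
        )
        allow_output = ipt.get_ring(
            u'output',
            transport,
            [ipt.get_rule(dest_address=cidr, jump=ipt.get_jump(target=u'RETURN'))]
        )
        rules.append(ipt.get_machine_subset(
            "network iso",
            Slots.network_iso,
            [ipt.get_chain(u'filter', [allow_input, allow_output])]
        ))

    # Reject everything else, once per transport that had an allowed network.
    # NOTE(review): because rejects are only emitted for transports seen above,
    # a config listing only IPv4 networks leaves IPv6 unrestricted, and a config
    # whose every CIDR fails validation produces no reject rules at all
    # (fail-open). Confirm that is the intended policy before relying on it.
    for transport in transports_seen:
        rules.append(create_iptables_ingress_egress_reject_rule(Slots.network_iso, transport, 'iso reject'))

    return rules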
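    def create_network_isolation_rules(self):
        """
        Build the iptables "network isolation" rule set for this module.

        Every whitespace-separated CIDR in ``self._allowed_networks`` becomes a
        pair of RETURN rules in the ``network_iso`` slot (input: source matches,
        output: destination matches) so traffic to/from an allowed network leaves
        the isolation chain early. After the allow rules, one ingress/egress
        reject rule is appended per IP transport that an allowed CIDR used.

        :return: A list of machine-subset rule objects (empty when nothing validated).
        """
        rules = []
        transports_seen = []

        _logger.debug('{0}: adding network isolation rules.'.format(self.get_name()))

        # str.split() with no separator drops empty tokens, so an empty
        # allowed_networks value (validate_config permits it) or doubled spaces
        # no longer yield a bogus "" CIDR and a spurious error log entry.
        for cidr in self._allowed_networks.split():

            # NOTE(review): the value used to be .encode('utf-8')-ed here. On
            # Python 3 that yields bytes and bytes.split('/') raises TypeError,
            # so the CIDR is kept as text and handed to the rule builders as-is.
            if not validate_network_address(cidr):
                _logger.error('{0} unable to validate network cidr value "{1}"'.format(self.get_name(), cidr))
                continue

            # Derive the IP transport (v4/v6) from the address part only;
            # partition() tolerates a missing "/" instead of raising on unpack.
            ipaddr = cidr.partition('/')[0]
            transport = check_transport_value(ipaddr, ipt.TRANSPORT_AUTO)

            # Remember each transport once, in first-seen order, for the rejects.
            if transport not in transports_seen:
                transports_seen.append(transport)

            allow_input = ipt.get_ring(
                u'input',
                transport,
                [ipt.get_rule(source_address=cidr, jump=ipt.get_jump(target=u'RETURN'))]
            )
            allow_output = ipt.get_ring(
                u'output',
                transport,
                [ipt.get_rule(dest_address=cidr, jump=ipt.get_jump(target=u'RETURN'))]
            )
            rules.append(ipt.get_machine_subset(
                "network iso",
                Slots.network_iso,
                [ipt.get_chain(u'filter', [allow_input, allow_output])]
            ))

        # Reject everything else, once per transport that had an allowed network.
        # NOTE(review): because rejects are only emitted for transports seen
        # above, a config listing only IPv4 networks leaves IPv6 unrestricted,
        # and a config whose every CIDR fails validation produces no reject
        # rules at all (fail-open). Confirm that is the intended policy.
        for transport in transports_seen:
            rules.append(create_iptables_ingress_egress_reject_rule(Slots.network_iso, transport, 'iso reject'))

        return rules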
    def validate_config(self, config):
        """
        Virtual Override
        Read this module's options from the parsed config file and store them.

        ``allowed_networks`` may be empty; a non-empty value must pass
        validate_network_address (a space-separated CIDR list).
        ``disable_auto_ssh`` is true only for a case-insensitive ``yes``.
        :param config: A ConfigParser object.
        :return: False when allowed_networks fails validation, True otherwise.
        """
        section = self._config_section_name

        self._allowed_networks = config.get(section, 'allowed_networks')

        # An empty value means "no allowed networks" and is accepted as-is.
        networks_ok = (not self._allowed_networks) or validate_network_address(self._allowed_networks)
        if not networks_ok:
            _logger.error('{0} invalid Allowed Networks value.'.format(self.get_name()))
            return False

        ssh_flag = config.get(section, 'disable_auto_ssh').lower()
        self._disable_auto_ssh = ssh_flag == 'yes'

        return True
    def validate_config(self, config):
        """
        Virtual Override
        Read this module's options from the parsed config file and store them.

        ``allowed_networks`` may be empty; a non-empty value must pass
        validate_network_address (a space-separated CIDR list).
        ``disable_auto_ssh`` is true only for a case-insensitive ``yes``.
        :param config: A ConfigParser object.
        :return: False when allowed_networks fails validation, True otherwise.
        """
        section = self._config_section_name

        self._allowed_networks = config.get(section, 'allowed_networks')

        # An empty value means "no allowed networks" and is accepted as-is.
        networks_ok = (not self._allowed_networks) or validate_network_address(self._allowed_networks)
        if not networks_ok:
            _logger.error('{0} invalid Allowed Networks value.'.format(self.get_name()))
            return False

        ssh_flag = config.get(section, 'disable_auto_ssh').lower()
        self._disable_auto_ssh = ssh_flag == 'yes'

        return True
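    def validate_arguments(self, args):
        """
        Virtual Override
        Validate command line arguments and save values to our configuration object.
        :param args: An argparse object.
        :return: False when --allowed-networks fails validation, True otherwise.
        """

        self._allowed_networks = args.allowed_networks

        # An empty/absent value is allowed; a non-empty one must be a
        # space-separated list of valid CIDRs.
        if self._allowed_networks:
            if not validate_network_address(self._allowed_networks):
                print('sdc-install: argument --allowed-networks value invalid.')
                return False

        # argparse also accepts the "--allowed-networks=VALUE" spelling, which an
        # exact-match test against sys.argv misses and so wrongly reported the
        # option as absent. Accept both spellings.
        allowed_networks_given = any(
            arg == '--allowed-networks' or arg.startswith('--allowed-networks=')
            for arg in sys.argv
        )
        if not allowed_networks_given and '--iso-all-rules' in sys.argv:
            print('sdc-install: warning, --iso-all-rules parameter has no effect.')

        self._disable_auto_ssh = args.disable_auto_ssh

        return True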
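    def validate_arguments(self, args):
        """
        Virtual Override
        Validate command line arguments and save values to our configuration object.
        :param args: An argparse object.
        :return: False when --allowed-networks fails validation, True otherwise.
        """

        self._allowed_networks = args.allowed_networks

        # An empty/absent value is allowed; a non-empty one must be a
        # space-separated list of valid CIDRs.
        if self._allowed_networks:
            if not validate_network_address(self._allowed_networks):
                print('sdc-install: argument --allowed-networks value invalid.')
                return False

        # argparse also accepts the "--allowed-networks=VALUE" spelling, which an
        # exact-match test against sys.argv misses and so wrongly reported the
        # option as absent. Accept both spellings.
        allowed_networks_given = any(
            arg == '--allowed-networks' or arg.startswith('--allowed-networks=')
            for arg in sys.argv
        )
        if not allowed_networks_given and '--iso-all-rules' in sys.argv:
            print('sdc-install: warning, --iso-all-rules parameter has no effect.')

        self._disable_auto_ssh = args.disable_auto_ssh

        return True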
    def test_network_addresses(self):
        """
        validate_network_address accepts well-formed IPv4/IPv6 CIDRs written with
        either a prefix length or a dotted mask, rejects malformed ones, and
        handles space-separated lists of values.
        """
        accepted = [
            '10.0.0.0/255.255.255.255',
            '10.0.0.0/32',
            '10.0.0.0/0.0.0.0',
            '127.0.0.1/255.0.0.0',
            '10.0.0.0/8',
            '::1/128',
            # Space-separated lists of values.
            '10.0.0.0/255.255.255.255 20.0.0.0/255.255.255.255',
            '10.0.0.0/24 20.0.0.0/24',
            '10.0.0.0/24 20.0.0.0/24 127.0.0.1/8 ::1/128',
        ]
        rejected = [
            '10.0.0.0/255.255.255.256',  # mask octet out of range
            '10.0.0.0/33',               # IPv4 prefix too long
            '10.0.0.0/0.0.0',            # dotted mask with too few octets
            '::1/129',                   # IPv6 prefix too long
        ]

        for value in accepted:
            assert validate_network_address(value), value
        for value in rejected:
            assert not validate_network_address(value), value
    def test_network_addresses(self):
        """
        validate_network_address accepts well-formed IPv4/IPv6 CIDRs written with
        either a prefix length or a dotted mask, rejects malformed ones, and
        handles space-separated lists of values.
        """
        accepted = [
            '10.0.0.0/255.255.255.255',
            '10.0.0.0/32',
            '10.0.0.0/0.0.0.0',
            '127.0.0.1/255.0.0.0',
            '10.0.0.0/8',
            '::1/128',
            # Space-separated lists of values.
            '10.0.0.0/255.255.255.255 20.0.0.0/255.255.255.255',
            '10.0.0.0/24 20.0.0.0/24',
            '10.0.0.0/24 20.0.0.0/24 127.0.0.1/8 ::1/128',
        ]
        rejected = [
            '10.0.0.0/255.255.255.256',  # mask octet out of range
            '10.0.0.0/33',               # IPv4 prefix too long
            '10.0.0.0/0.0.0',            # dotted mask with too few octets
            '::1/129',                   # IPv6 prefix too long
        ]

        for value in accepted:
            assert validate_network_address(value), value
        for value in rejected:
            assert not validate_network_address(value), value