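    def refresh_rule(self, req):
        """Rebuild the appliance VM's INPUT firewall rules from the request body.

        The JSON body is read from ``req[http.REQUEST_BODY]``; its ``rules``
        entries carry ``protocol`` (``'all'``, ``'tcp'`` or ``'udp'``),
        ``sourceIp``, ``destIp``, ``nicMac``, ``startPort`` and ``endPort``.
        The current iptables state is loaded, the bootstrap port-22 rule is
        narrowed to eth0's own address, the ``appliancevm`` chain is dropped
        and rebuilt from the request, and the result is written back with
        iptables-restore.

        :param req: HTTP request mapping holding the JSON command body.
        :return: the serialized ``RefreshFirewallRsp``.
        :raises RuntimeError: if eth0 has no IP address.
        :raises ValueError: if a request field that lands in a rule line
            contains whitespace.
        """
        cmd = jsonobject.loads(req[http.REQUEST_BODY])
        rsp = RefreshFirewallRsp()
        chain_name = 'appliancevm'

        def rule_field(value):
            # Request-supplied values are spliced verbatim into the rule line
            # that iptables-restore parses.  Legitimate values (addresses,
            # CIDRs, port numbers) never contain whitespace, so rejecting it
            # keeps a single field from expanding into extra rule arguments.
            text = '%s' % (value,)
            if any(ch.isspace() for ch in text):
                raise ValueError('invalid firewall rule field: %r' % (value,))
            return text

        def accept_rule(to, proto, nic_name):
            # One '-A appliancevm ... -j ACCEPT' line for a single L4 protocol;
            # optional -s/-d matches come first, then the interface/port match.
            parts = ['-A %s' % chain_name]
            if to.sourceIp:
                parts.append('-s %s' % rule_field(to.sourceIp))
            if to.destIp:
                parts.append('-d %s' % rule_field(to.destIp))
            parts.append('-i %s -p %s -m state --state NEW -m %s --dport %s:%s -j ACCEPT' % (
                nic_name, proto, proto, rule_field(to.startPort), rule_field(to.endPort)))
            return ' '.join(parts)

        ipt = iptables.from_iptables_save()

        # replace bootstrap 22 port rule with a more restricted one that binds to eth0's IP
        ipt.remove_rule('-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT')
        eth0_ip = linux.get_ip_by_nic_name('eth0')
        if not eth0_ip:
            # an assert here is stripped under -O, which would let the bootstrap
            # rule be removed without its replacement ever being added
            raise RuntimeError('cannot find IP of eth0')
        ipt.add_rule('-A INPUT -d %s/32 -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT' % eth0_ip)

        # start from an empty chain so stale rules from a previous refresh vanish
        ipt.delete_chain(chain_name)
        ipt.add_rule('-A INPUT -j %s' % chain_name)

        for to in cmd.rules:
            if to.destIp:
                nic_name = linux.get_nic_name_by_ip(to.destIp)
            else:
                nic_name = linux.get_nic_name_from_alias(linux.get_nic_names_by_mac(to.nicMac))
            # 'all' expands to one udp and one tcp rule, udp first
            if to.protocol in ('all', 'udp'):
                ipt.add_rule(accept_rule(to, 'udp', nic_name))
            if to.protocol in ('all', 'tcp'):
                ipt.add_rule(accept_rule(to, 'tcp', nic_name))

        ipt.iptable_restore()
        logger.debug('refreshed rules for appliance vm')

        return jsonobject.dumps(rsp)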
    def _create_snat(self, info, iptc):
        """Add the SNAT and FORWARD rules for one private/public NIC pair.

        A per-private-NIC SNAT chain is hung off POSTROUTING in the nat table
        and rewrites traffic leaving the public NIC to ``info.publicIp``; a
        per-private-NIC forward chain is hung off FORWARD for pub->priv,
        priv->pub and priv->priv traffic and accepts everything.

        :param info: object with ``privateNicMac``, ``publicNicMac`` and
            ``publicIp`` (``publicIp`` is spliced into the rule text as-is;
            presumably validated upstream -- TODO confirm).
        :param iptc: iptables rule collector with ``add_rule`` and
            ``NAT_TABLE_NAME``.
        :raises virtualrouter.VirtualRouterError: if either MAC cannot be
            mapped to a NIC name.
        """
        priv_nic = linux.get_nic_name_by_mac(info.privateNicMac)
        if not priv_nic:
            raise virtualrouter.VirtualRouterError('cannot get private nic name for mac[%s]' % info.privateNicMac)

        pub_candidates = linux.get_nic_names_by_mac(info.publicNicMac)
        if not pub_candidates:
            raise virtualrouter.VirtualRouterError('cannot get public nic name for mac[%s]' % info.publicNicMac)
        # first match, with any 'eth0:1' style alias suffix dropped
        pub_nic = pub_candidates[0].split(':')[0]

        snat_chain = self.make_snat_chain_name(priv_nic)
        nat_table = iptc.NAT_TABLE_NAME
        iptc.add_rule('-A POSTROUTING -j %s' % snat_chain, nat_table)
        iptc.add_rule('-A {0} -o {1} -j SNAT --to-source {2}'.format(snat_chain, pub_nic, info.publicIp), nat_table)

        fwd_chain = self._make_forward_chain_name(priv_nic)
        # order matters for iptables evaluation; kept as pub->priv, priv->pub, priv->priv
        nic_pairs = (
            (pub_nic, priv_nic),
            (priv_nic, pub_nic),
            (priv_nic, priv_nic),
        )
        for in_nic, out_nic in nic_pairs:
            iptc.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(in_nic, out_nic, fwd_chain))
        iptc.add_rule('-A {0} -j ACCEPT'.format(fwd_chain))