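def main(argv):
    """Apply the router configuration for the databag named in ``argv[1]``.

    Args:
        argv: command-line vector.  ``argv[1]`` is the databag file that
            changed; when it is absent or ``None`` the whole configuration
            (``cmd_line.json``) is reprocessed.

    Side effects: configures addresses, services and netfilter on the router
    and saves the iptables rule sets under /etc/iptables.
    """
    # The file we are currently processing; if it is "cmd_line.json"
    # everything will be processed.  Guard the index: a bare argv[1] raised
    # IndexError before the None fallback below could ever apply.
    process_file = argv[1] if len(argv) > 1 else None
    if process_file is None:
        process_file = "cmd_line.json"

    def triggered(*databags):
        """True when the changed file is cmd_line.json or one of *databags*."""
        return process_file == "cmd_line.json" or process_file in databags

    # Track if changes need to be committed to NetFilter
    iptables_change = False

    # The "GLOBAL" Configuration object
    config = CsConfig()
    logging.basicConfig(filename=config.get_logger(),
                        level=config.get_level(),
                        format=config.get_format())

    # Load stored ip addresses from disk to CsConfig()
    config.set_address()
    logging.debug("Configuring ip addresses")
    config.address().compare()
    config.address().process()

    if triggered("guest_network.json"):
        logging.debug("Configuring Guest Network")
        iptables_change = True

    if triggered("vm_password.json"):
        logging.debug("Configuring vmpassword")
        CsPassword("vmpassword", config).process()

    if triggered("vm_metadata.json"):
        logging.debug("Configuring vmdata")
        CsVmMetadata('vmdata', config).process()

    if triggered("network_acl.json"):
        logging.debug("Configuring networkacl")
        iptables_change = True

    if triggered("firewall_rules.json"):
        logging.debug("Configuring firewall rules")
        iptables_change = True

    if triggered("forwarding_rules.json", "staticnat_rules.json"):
        logging.debug("Configuring PF rules")
        iptables_change = True

    if triggered("site_2_site_vpn.json"):
        logging.debug("Configuring s2s vpn")
        iptables_change = True

    if triggered("remote_access_vpn.json"):
        logging.debug("Configuring remote access vpn")
        iptables_change = True

    if triggered("vpn_user_list.json"):
        logging.debug("Configuring vpn users list")
        CsVpnUser("vpnuserlist", config).process()

    if triggered("vm_dhcp_entry.json", "dhcp.json"):
        logging.debug("Configuring dhcp entry")
        CsDhcp("dhcpentry", config).process()

    if triggered("load_balancer.json"):
        logging.debug("Configuring load balancer")
        iptables_change = True

    if triggered("monitor_service.json"):
        logging.debug("Configuring monitor service")
        CsMonitor("monitorservice", config).process()

    # If iptable rules have changed, apply them.  All rule-producing classes
    # run before CsNetfilters.compare(), which presumably pushes the
    # accumulated rule set to the live tables.
    if iptables_change:
        CsAcl('networkacl', config).process()
        CsAcl('firewallrules', config).process()
        CsForwardingRules("forwardingrules", config).process()
        CsSite2SiteVpn("site2sitevpn", config).process()
        CsRemoteAccessVpn("remoteaccessvpn", config).process()
        CsLoadBalancer("loadbalancer", config).process()

        logging.debug("Configuring iptables rules")
        CsNetfilters().compare(config.get_fw())

        logging.debug("Configuring iptables rules done ...saving rules")
        # Save iptables configuration - will be loaded on reboot by the
        # iptables-restore that is configured on /etc/rc.local
        CsHelper.save_iptables("iptables-save", "/etc/iptables/router_rules.v4")
        CsHelper.save_iptables("ip6tables-save", "/etc/iptables/router_rules.v6")

    CsRedundant(config).set()

    if triggered("static_routes.json"):
        logging.debug("Configuring static routes")
        CsStaticRoutes("staticroutes", config).process()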
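def main(argv):
    """Dispatch the databag named in ``argv[1]`` to its executor(s).

    Args:
        argv: command-line vector.  ``argv[1]`` is the path of the databag
            file that changed; its basename without ``.json`` selects an
            entry of ``databag_map``.  ``cmd_line`` runs every entry.

    Returns:
        ``0`` after a normal run; ``None`` when no file was given (the early
        return below is kept as-is so existing callers see no change).
    """
    # The file we are currently processing; if it is "cmd_line.json"
    # everything will be processed.  Guard the index: a bare argv[1] raised
    # IndexError before the None check below could ever apply.
    process_file = argv[1] if len(argv) > 1 else None
    if process_file is None:
        logging.debug("No file was received, do not go on processing the other actions. Just leave for now.")
        return

    json_type = os.path.basename(process_file).split('.json')[0]

    # The "GLOBAL" Configuration object
    config = CsConfig()

    # Load stored ip addresses from disk to CsConfig()
    config.set_address()
    logging.debug("Configuring ip addresses")
    config.address().compare()
    config.address().process()

    # Ordered so that a cmd_line run processes the databags in this sequence.
    # Executors are constructed eagerly here, as in the original.
    databag_map = OrderedDict([
        ("guest_network", {"process_iptables": True, "executor": []}),
        ("ip_aliases", {"process_iptables": True, "executor": []}),
        ("vm_password", {"process_iptables": False, "executor": [CsPassword("vmpassword", config)]}),
        ("vm_metadata", {"process_iptables": False, "executor": [CsVmMetadata('vmdata', config)]}),
        ("network_acl", {"process_iptables": True, "executor": []}),
        ("firewall_rules", {"process_iptables": True, "executor": []}),
        ("forwarding_rules", {"process_iptables": True, "executor": []}),
        ("staticnat_rules", {"process_iptables": True, "executor": []}),
        ("site_2_site_vpn", {"process_iptables": True, "executor": []}),
        ("remote_access_vpn", {"process_iptables": True, "executor": []}),
        ("vpn_user_list", {"process_iptables": False, "executor": [CsVpnUser("vpnuserlist", config)]}),
        ("vm_dhcp_entry", {"process_iptables": False, "executor": [CsDhcp("dhcpentry", config)]}),
        ("dhcp", {"process_iptables": False, "executor": [CsDhcp("dhcpentry", config)]}),
        ("load_balancer", {"process_iptables": True, "executor": []}),
        ("monitor_service", {"process_iptables": False, "executor": [CsMonitor("monitorservice", config)]}),
        ("static_routes", {"process_iptables": False, "executor": [CsStaticRoutes("staticroutes", config)]}),
    ])

    def execDatabag(key, db):
        """Run every executor registered for databag *key* in *db*.

        Unknown keys or entries without an 'executor' list are logged at
        warning level and skipped.
        """
        if key not in db or 'executor' not in db[key]:
            # logging.warning: logging.warn is a deprecated alias.
            logging.warning("Unable to find config or executor(s) for the databag type %s", key)
            return
        for executor in db[key]['executor']:
            logging.debug("Processing for databag type: %s", key)
            executor.process()

    def execIptables(cfg):
        """Apply the netfilter rule set derived from *cfg*."""
        logging.debug("Processing iptables rules")
        IpTablesExecutor(cfg).process()

    if json_type == "cmd_line":
        logging.debug("cmd_line.json changed. All other files will be processed as well.")
        for key in databag_map:
            execDatabag(key, databag_map)
        execIptables(config)
    elif json_type in databag_map:
        execDatabag(json_type, databag_map)
        if databag_map[json_type]['process_iptables']:
            execIptables(config)
    else:
        logging.warning("Unable to find and process databag for file: %s, for json type=%s", process_file, json_type)

    CsRedundant(config).set()
    return 0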
def main(argv):
    """Configure every router subsystem unconditionally.

    ``argv`` is accepted for a uniform entry-point signature but is not
    consulted: this variant has no per-databag dispatch and always runs the
    full sequence below, then saves the resulting iptables rule sets.
    """
    cfg = CsConfig()
    logging.basicConfig(filename=cfg.get_logger(),
                        level=cfg.get_level(),
                        format=cfg.get_format())

    # IP configuration
    cfg.set_address()
    logging.debug("Configuring ip addresses")
    cfg.address().compare()
    cfg.address().process()

    logging.debug("Configuring vmpassword")
    CsPassword("vmpassword", cfg).process()

    logging.debug("Configuring vmdata")
    CsVmMetadata('vmdata', cfg).process()

    logging.debug("Configuring networkacl")
    CsAcl('networkacl', cfg).process()

    logging.debug("Configuring firewall rules")
    CsAcl('firewallrules', cfg).process()

    logging.debug("Configuring PF rules")
    CsForwardingRules("forwardingrules", cfg).process()

    # Redundancy state is set between the PF rules and the VPN steps,
    # exactly where the original placed it.
    CsRedundant(cfg).set()

    logging.debug("Configuring s2s vpn")
    CsSite2SiteVpn("site2sitevpn", cfg).process()

    logging.debug("Configuring remote access vpn")
    # remote access vpn
    CsRemoteAccessVpn("remoteaccessvpn", cfg).process()

    logging.debug("Configuring vpn users list")
    # remote access vpn users
    CsVpnUser("vpnuserlist", cfg).process()

    logging.debug("Configuring dhcp entry")
    CsDhcp("dhcpentry", cfg).process()

    logging.debug("Configuring load balancer")
    CsLoadBalancer("loadbalancer", cfg).process()

    logging.debug("Configuring monitor service")
    CsMonitor("monitorservice", cfg).process()

    logging.debug("Configuring iptables rules .....")
    CsNetfilters().compare(cfg.get_fw())
    logging.debug("Configuring iptables rules done ...saving rules")

    # Save iptables configuration - will be loaded on reboot by the
    # iptables-restore that is configured on /etc/rc.local
    for saver, target in (("iptables-save", "/etc/iptables/router_rules.v4"),
                          ("ip6tables-save", "/etc/iptables/router_rules.v6")):
        CsHelper.save_iptables(saver, target)
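def _is_ipv4_or_cidr(value, allow_prefix=True):
    """Return True when *value* is a dotted-quad IPv4 address (optionally /prefix).

    Allowlist applied before a value read from a JSON file is interpolated
    into an iptables command string handed to CsHelper.execute(): only
    address-shaped text (digits, dots, and a "/prefix" when *allow_prefix*)
    is accepted, so nothing else from the file can reach the command line.
    Octet and prefix ranges are not checked here; iptables rejects those.
    """
    import re  # local import: the module's import block is not in view
    text = "%s" % (value,)
    pattern = r'^[0-9]{1,3}(\.[0-9]{1,3}){3}'
    if allow_prefix:
        pattern += r'(/[0-9]{1,2})?'
    # \Z rather than $ so a trailing newline cannot slip through.
    return re.match(pattern + r'\Z', text) is not None


def main(argv):
    """Apply the router configuration for the databag named in ``argv[1]``.

    Args:
        argv: command-line vector.  ``argv[1]`` is the databag file that
            changed; when it is absent or ``None`` the whole configuration
            (``cmd_line.json``) is reprocessed.

    Everything after logging setup runs inside one try block: a failure is
    written to the log with its traceback and otherwise swallowed, so the
    caller never sees an exception (unchanged from the original).
    """
    # The file we are currently processing; if it is "cmd_line.json"
    # everything will be processed.  Guard the index: a bare argv[1] raised
    # IndexError before the None fallback below could ever apply.
    process_file = argv[1] if len(argv) > 1 else None
    if process_file is None:
        process_file = "cmd_line.json"

    def triggered(*databags):
        """True when the changed file is cmd_line.json or one of *databags*."""
        return process_file == "cmd_line.json" or process_file in databags

    # Track if changes need to be committed to NetFilter
    iptables_change = False

    # The "GLOBAL" Configuration object
    config = CsConfig()
    logging.basicConfig(filename=config.get_logger(),
                        level=config.get_level(),
                        format=config.get_format())

    try:
        # Load stored ip addresses from disk to CsConfig()
        config.set_address()
        logging.debug("Configuring ip addresses")
        config.address().compare()
        config.address().process()

        # Local (xrstack) additions: SQL service databags.
        if triggered("sql_restart.json"):
            logging.debug("Configuring sqlrestart")
            CsSqlRestart("sqlrestrt", config).process()

        if triggered("sql_chport.json"):
            logging.debug("Configuring sqlport")
            CsSqlPort("sqlport", config).process()

        if triggered("sql_chpassword.json"):
            logging.debug("Configuring sqlpassword")
            CsSqlPassword("sqlpassword", config).process()

        if triggered("guest_network.json"):
            logging.debug("Configuring Guest Network")
            iptables_change = True

        if triggered("vm_password.json"):
            logging.debug("Configuring vmpassword")
            CsPassword("vmpassword", config).process()

        if triggered("vm_metadata.json"):
            logging.debug("Configuring vmdata")
            CsVmMetadata('vmdata', config).process()

        if triggered("network_acl.json"):
            logging.debug("Configuring networkacl")
            iptables_change = True

        if triggered("firewall_rules.json"):
            logging.debug("Configuring firewall rules")
            iptables_change = True

        if triggered("forwarding_rules.json", "staticnat_rules.json"):
            logging.debug("Configuring PF rules")
            iptables_change = True

        if triggered("site_2_site_vpn.json"):
            logging.debug("Configuring s2s vpn")
            iptables_change = True

        if triggered("remote_access_vpn.json"):
            logging.debug("Configuring remote access vpn")
            iptables_change = True

        if triggered("vpn_user_list.json"):
            logging.debug("Configuring vpn users list")
            CsVpnUser("vpnuserlist", config).process()

        if triggered("vm_dhcp_entry.json", "dhcp.json"):
            logging.debug("Configuring dhcp entry")
            CsDhcp("dhcpentry", config).process()

        if triggered("load_balancer.json"):
            logging.debug("Configuring load balancer")
            iptables_change = True

        if triggered("monitor_service.json"):
            logging.debug("Configuring monitor service")
            CsMonitor("monitorservice", config).process()

        # If iptable rules have changed, apply them.
        if iptables_change:
            CsAcl('networkacl', config).process()
            fw_acls = CsAcl('firewallrules', config)
            fw_acls.flushAllowAllEgressRules()
            fw_acls.process()
            CsForwardingRules("forwardingrules", config).process()
            CsSite2SiteVpn("site2sitevpn", config).process()
            CsRemoteAccessVpn("remoteaccessvpn", config).process()
            CsLoadBalancer("loadbalancer", config).process()

            logging.debug("Configuring iptables rules")
            CsNetfilters().compare(config.get_fw())

            # zhangxilei 20171117: add FORWARD rules for static routes so that
            # traffic between the configured tier and router subnets passes.
            static_routes_rules = "/etc/cloudstack/static_routes_rules.json"
            logging.debug("xrstack - Read Configuring static routes rules file: %s", static_routes_rules)
            if os.path.isfile(static_routes_rules):
                logging.debug("xrstack - Configuring static routes rules json file exist")
                # The original opened the file and never closed it.
                with open(static_routes_rules) as f:
                    setting = json.load(f)
                logging.debug("xrstack - Processing static routes rules json file id ==> %s ", setting['id'])
                for item in setting['configs']:
                    tier, router = item['tier'], item['router']
                    if not item['add']:
                        logging.debug("xrstack - Processing add static routes rules Json file add is false , subnet:router ==> [%s, %s]", tier, router)
                        continue
                    logging.debug("xrstack - Processing add static routes rules , subnet:router ==> [%s, %s]", tier, router)
                    # Both values are pasted verbatim into a command line, so
                    # accept only address-shaped text from the file.
                    if not (_is_ipv4_or_cidr(tier) and _is_ipv4_or_cidr(router)):
                        logging.warning("xrstack - Skipping static routes rule, tier/router is not an IPv4 address or CIDR: [%s, %s]", tier, router)
                        continue
                    # iptables -A FORWARD -s 192.168.2.0/24 -d 192.168.3.0/24 -j ACCEPT
                    CsHelper.execute("iptables -A FORWARD -s %s -d %s -j ACCEPT" % (tier, router))
            else:
                logging.debug("xrstack - Configuring static routes rules json file not exist")

            # zhangxilei 20171206: for every active static NAT, add a FORWARD
            # rule letting the internal address reach anything but itself.
            forwarding_rules = "/etc/cloudstack/forwardingrules.json"
            logging.debug("xrstack - Read Configuring forwardingrules.json: %s", forwarding_rules)
            if os.path.isfile(forwarding_rules):
                logging.debug("xrstack - Configuring static routes rules json file exist")
                with open(forwarding_rules) as f:
                    setting = json.load(f)
                logging.debug("xrstack - Processing json file id ==> %s ", setting['id'])
                for value in setting.values():
                    # Non-list values (e.g. the 'id' entry) fall through to the
                    # debug line instead of raising inside len()/[0].
                    first = value[0] if isinstance(value, list) and value else None
                    if not (isinstance(first, dict) and "public_ip" in first
                            and first.get("internal_ip") and first.get("type") == "staticnat"):
                        logging.debug("xrstack - Processing add firewall rules Json, value = %s", value)
                        continue
                    internal_ip = first.get("internal_ip")
                    logging.debug("xrstack - Processing add firewall rules internal_ip ==> %s", internal_ip)
                    # "/32" is appended below, so only a plain address is valid here.
                    if not _is_ipv4_or_cidr(internal_ip, allow_prefix=False):
                        logging.warning("xrstack - Skipping firewall rule, internal_ip is not an IPv4 address: %s", internal_ip)
                        continue
                    CsHelper.execute("iptables -A FORWARD -s %s/32 ! -d %s/32 -j ACCEPT" % (internal_ip, internal_ip))
            else:
                logging.debug("xrstack - Configuring forwardingrules.json file not exist")

            logging.debug("Configuring iptables rules done ...saving rules")
            # Save iptables configuration - will be loaded on reboot by the
            # iptables-restore that is configured on /etc/rc.local
            CsHelper.save_iptables("iptables-save", "/etc/iptables/router_rules.v4")
            CsHelper.save_iptables("ip6tables-save", "/etc/iptables/router_rules.v6")

        CsRedundant(config).set()

        if triggered("static_routes.json"):
            logging.debug("Configuring static routes")
            CsStaticRoutes("staticroutes", config).process()
    except Exception:
        logging.exception("Exception while configuring router")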
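def main(argv):
    """Process the databag named in ``argv[1]`` through ``databag_map``.

    Args:
        argv: command-line vector.  ``argv[1]`` is the databag file that
            changed.  A ``cmd_line.json`` match runs every non-iptables
            executor and then one IpTablesExecutor; any other match runs
            that entry's executor (plus IpTablesExecutor when flagged).

    File matching uses ``str.count(...) == OCCURRENCES``; OCCURRENCES is a
    module-level constant defined outside this block.
    """
    # The file we are currently processing; if it is "cmd_line.json"
    # everything will be processed.  Guard the index: a bare argv[1] raised
    # IndexError before the None check below could ever apply.
    process_file = argv[1] if len(argv) > 1 else None
    if process_file is None:
        logging.debug("No file was received, do not go on processing the other actions. Just leave for now.")
        return

    # The "GLOBAL" Configuration object
    config = CsConfig()
    logging.basicConfig(filename=config.get_logger(),
                        level=config.get_level(),
                        format=config.get_format())

    # Load stored ip addresses from disk to CsConfig()
    config.set_address()
    logging.debug("Configuring ip addresses")
    config.address().compare()
    config.address().process()

    # Ordered so that a cmd_line run processes the databags in this sequence.
    # Executors are constructed eagerly here, as in the original.
    databag_map = OrderedDict([
        ("guest_network.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
        ("vm_metadata.json", {"process_iptables": False, "executor": CsVmMetadata('vmdata', config)}),
        ("network_acl.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
        ("firewall_rules.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
        ("forwarding_rules.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
        ("staticnat_rules.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
        ("site_2_site_vpn.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
        ("remote_access_vpn.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
        ("vpn_user_list.json", {"process_iptables": False, "executor": CsVpnUser("vpnuserlist", config)}),
        ("vm_dhcp_entry.json", {"process_iptables": False, "executor": CsDhcp("dhcpentry", config)}),
        ("dhcp.json", {"process_iptables": False, "executor": CsDhcp("dhcpentry", config)}),
        ("load_balancer.json", {"process_iptables": True, "executor": IpTablesExecutor(config)}),
        ("monitor_service.json", {"process_iptables": False, "executor": CsMonitor("monitorservice", config)}),
        ("static_routes.json", {"process_iptables": False, "executor": CsStaticRoutes("staticroutes", config)}),
    ])

    if process_file.count("cmd_line.json") == OCCURRENCES:
        logging.debug("cmd_line.json changed. All other files will be processed as well.")
        # Entries flagged process_iptables are covered by the single
        # IpTablesExecutor run after the loop.
        for item_dict in databag_map.values():
            if not item_dict["process_iptables"]:
                item_dict["executor"].process()
        IpTablesExecutor(config).process()
    else:
        # First matching entry wins; the map is ordered.
        for item_name, item_dict in databag_map.items():
            if process_file.count(item_name) == OCCURRENCES:
                item_dict["executor"].process()
                if item_dict["process_iptables"]:
                    IpTablesExecutor(config).process()
                break

    CsRedundant(config).set()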