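def _create_rule(self, iptc, to):
    """Stage the iptables rules for one VIP port-forwarding mapping on *iptc*.

    Rules are only added to the table object; applying them is the caller's job.
    Three groups are staged:

    * filter/FORWARD: a per-VIP-NIC chain that ACCEPTs traffic between the VIP
      NIC and the guest's private NIC in both directions.  NOTE(review): the
      chain is keyed on the interface pair only, not on ``to.vipIp`` /
      ``to.privateIp``, so any other forwarded traffic between those two NICs
      is accepted by the same chain.
    * nat/PREROUTING: a DNAT chain for ``to.protocolType`` traffic to
      ``to.vipIp`` that rewrites ports ``vipPortStart:vipPortEnd`` to
      ``to.privateIp`` ``privatePortStart-privatePortEnd``.  When
      ``to.allowedCidr`` is set the DNAT rule carries ``-s allowedCidr``;
      when it is empty the forwarded ports are reachable from any source.
    * nat/POSTROUTING (only if ``to.snatInboundTraffic``): SNAT inbound
      traffic to the guest to the private NIC's own IP so replies come back
      through this router.

    The command's fields are interpolated verbatim into rule text; this
    assumes they were validated by the management server — TODO confirm that
    ``iptc.add_rule`` does not accept embedded newlines or extra arguments.

    Args:
        iptc: table object with ``add_rule(rule, table=None, order=None)`` and
            ``NAT_TABLE_NAME``.
        to: port-forwarding command with ``privateMac``, ``vipIp``,
            ``protocolType``, ``vipPortStart``/``vipPortEnd``, ``privateIp``,
            ``privatePortStart``/``privatePortEnd``, ``allowedCidr`` and
            ``snatInboundTraffic``.

    Raises:
        virtualrouter.VirtualRouterError: if the private NIC (by MAC) or the
            VIP NIC (by IP) cannot be resolved.  Previously an unresolved NIC
            was silently formatted into the rules as ``-i None``.
    """
    private_nic_name = linux.get_nic_name_by_mac(to.privateMac)
    if not private_nic_name:
        raise virtualrouter.VirtualRouterError(
            'cannot get private nic name for mac[%s]' % to.privateMac)
    vip_nic_name = linux.get_nic_name_by_ip(to.vipIp)
    if not vip_nic_name:
        raise virtualrouter.VirtualRouterError(
            'cannot get vip nic name for ip[%s]' % to.vipIp)

    # iptables wants lower-case protocol names; resolve once instead of per rule.
    proto = to.protocolType.lower()

    forward_chain_name = self._make_forward_chain_name(vip_nic_name, to)
    iptc.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(
        vip_nic_name, private_nic_name, forward_chain_name))
    iptc.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(
        private_nic_name, vip_nic_name, forward_chain_name))
    iptc.add_rule('-A %s -j ACCEPT' % forward_chain_name)

    dnat_chain_name = self.make_dnat_chain_name(vip_nic_name, to)
    iptc.add_rule('-A PREROUTING -p {0} -m {0} -d {1} -j {2}'.format(
        proto, to.vipIp, dnat_chain_name), iptc.NAT_TABLE_NAME)
    if to.allowedCidr:
        # Source-restricted mapping: only allowedCidr reaches the forwarded ports.
        iptc.add_rule(
            '-A {0} -s {1} -p {2} --dport {3}:{4} -j DNAT --to-destination {5}:{6}-{7}'.format(
                dnat_chain_name, to.allowedCidr, proto,
                to.vipPortStart, to.vipPortEnd,
                to.privateIp, to.privatePortStart, to.privatePortEnd),
            iptc.NAT_TABLE_NAME)
    else:
        # No allowedCidr: the mapping is open to any source address.
        iptc.add_rule(
            '-A {0} -p {1} --dport {2}:{3} -j DNAT --to-destination {4}:{5}-{6}'.format(
                dnat_chain_name, proto,
                to.vipPortStart, to.vipPortEnd,
                to.privateIp, to.privatePortStart, to.privatePortEnd),
            iptc.NAT_TABLE_NAME)

    if to.snatInboundTraffic:
        gw_snat_name = self._make_gateway_snat_name(vip_nic_name, to)
        guest_gw_ip = linux.get_ip_by_nic_name(private_nic_name)
        # order=998 (the EIP rules elsewhere use 999) — presumably sorts this
        # POSTROUTING rule ahead of those; the ordering semantics live in iptc.
        iptc.add_rule('-A POSTROUTING -p {0} --dport {1}:{2} -d {3} -j {4}'.format(
            proto, to.privatePortStart, to.privatePortEnd, to.privateIp, gw_snat_name),
            iptc.NAT_TABLE_NAME, order=998)
        iptc.add_rule('-A {0} -j SNAT --to-source {1}'.format(gw_snat_name, guest_gw_ip),
                      iptc.NAT_TABLE_NAME)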
def _create_snat(self, info, iptc):
    """Stage source NAT and forwarding rules for a private NIC on *iptc*.

    Everything leaving through the public NIC is SNAT'd to ``info.publicIp``
    (the SNAT rule matches on ``-o <public nic>`` only, with no source
    restriction), and a FORWARD chain ACCEPTs public<->private traffic as well
    as private->private (hairpin) traffic.  Rules are staged only; applying
    them is up to the caller.

    Args:
        info: command carrying ``privateNicMac``, ``publicNicMac`` and
            ``publicIp``.
        iptc: table object with ``add_rule`` and ``NAT_TABLE_NAME``.

    Raises:
        virtualrouter.VirtualRouterError: if either NIC cannot be resolved
            from its MAC.
    """
    priv_nic = linux.get_nic_name_by_mac(info.privateNicMac)
    if not priv_nic:
        raise virtualrouter.VirtualRouterError(
            'cannot get private nic name for mac[%s]' % info.privateNicMac)

    pub_nics = linux.get_nic_names_by_mac(info.publicNicMac)
    if not pub_nics:
        raise virtualrouter.VirtualRouterError(
            'cannot get public nic name for mac[%s]' % info.publicNicMac)
    # Only the first name is used; an alias suffix ("eth0:1") is stripped.
    pub_nic = pub_nics[0].split(':')[0]

    nat = iptc.NAT_TABLE_NAME
    snat_chain = self.make_snat_chain_name(priv_nic)
    iptc.add_rule('-A POSTROUTING -j %s' % snat_chain, nat)
    iptc.add_rule(
        '-A {0} -o {1} -j SNAT --to-source {2}'.format(snat_chain, pub_nic, info.publicIp),
        nat)

    fwd_chain = self._make_forward_chain_name(priv_nic)
    # (in, out) interface pairs that jump to the forward chain, in this order.
    nic_pairs = (
        (pub_nic, priv_nic),
        (priv_nic, pub_nic),
        (priv_nic, priv_nic),
    )
    for in_nic, out_nic in nic_pairs:
        iptc.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(in_nic, out_nic, fwd_chain))
    iptc.add_rule('-A {0} -j ACCEPT'.format(fwd_chain))
def _remove_snat(self, info, iptc):
    """Remove the SNAT and forward chains created for a private NIC.

    Deletes the nat-table SNAT chain and the filter-table forward chain whose
    names derive from the NIC resolved from ``info.privateNicMac``.  Only the
    table object is modified; the caller applies the change.

    Args:
        info: command carrying ``privateNicMac``.
        iptc: table object with ``delete_chain`` and ``NAT_TABLE_NAME``.

    Raises:
        virtualrouter.VirtualRouterError: if the private NIC cannot be
            resolved from its MAC.
    """
    priv_nic = linux.get_nic_name_by_mac(info.privateNicMac)
    if not priv_nic:
        raise virtualrouter.VirtualRouterError('cannot get private nic name for mac[%s]' % info.privateNicMac)

    # nat table first, then the filter-table forward chain.
    iptc.delete_chain(self.make_snat_chain_name(priv_nic), iptc.NAT_TABLE_NAME)
    iptc.delete_chain(self._make_forward_chain_name(priv_nic))
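def _create_rule(self, iptc, to):
    """Stage the iptables rules for one VIP port-forwarding mapping on *iptc*.

    Rules are only added to the table object; applying them is the caller's job.
    Three groups are staged:

    * filter/FORWARD: a per-VIP-NIC chain that ACCEPTs traffic between the VIP
      NIC and the guest's private NIC in both directions.  NOTE(review): the
      chain is keyed on the interface pair only, not on ``to.vipIp`` /
      ``to.privateIp``, so any other forwarded traffic between those two NICs
      is accepted by the same chain.
    * nat/PREROUTING: a DNAT chain for ``to.protocolType`` traffic to
      ``to.vipIp`` that rewrites ports ``vipPortStart:vipPortEnd`` to
      ``to.privateIp`` ``privatePortStart-privatePortEnd``.  When
      ``to.allowedCidr`` is set the DNAT rule carries ``-s allowedCidr``;
      when it is empty the forwarded ports are reachable from any source.
    * nat/POSTROUTING (only if ``to.snatInboundTraffic``): SNAT inbound
      traffic to the guest to the private NIC's own IP so replies come back
      through this router.

    The command's fields are interpolated verbatim into rule text; this
    assumes they were validated by the management server — TODO confirm that
    ``iptc.add_rule`` does not accept embedded newlines or extra arguments.

    Args:
        iptc: table object with ``add_rule(rule, table=None, order=None)`` and
            ``NAT_TABLE_NAME``.
        to: port-forwarding command with ``privateMac``, ``vipIp``,
            ``protocolType``, ``vipPortStart``/``vipPortEnd``, ``privateIp``,
            ``privatePortStart``/``privatePortEnd``, ``allowedCidr`` and
            ``snatInboundTraffic``.

    Raises:
        virtualrouter.VirtualRouterError: if the private NIC (by MAC) or the
            VIP NIC (by IP) cannot be resolved.  Previously an unresolved NIC
            was silently formatted into the rules as ``-i None``.
    """
    private_nic_name = linux.get_nic_name_by_mac(to.privateMac)
    if not private_nic_name:
        raise virtualrouter.VirtualRouterError(
            'cannot get private nic name for mac[%s]' % to.privateMac)
    vip_nic_name = linux.get_nic_name_by_ip(to.vipIp)
    if not vip_nic_name:
        raise virtualrouter.VirtualRouterError(
            'cannot get vip nic name for ip[%s]' % to.vipIp)

    # iptables wants lower-case protocol names; resolve once instead of per rule.
    proto = to.protocolType.lower()

    forward_chain_name = self._make_forward_chain_name(vip_nic_name, to)
    iptc.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(
        vip_nic_name, private_nic_name, forward_chain_name))
    iptc.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(
        private_nic_name, vip_nic_name, forward_chain_name))
    iptc.add_rule('-A %s -j ACCEPT' % forward_chain_name)

    dnat_chain_name = self.make_dnat_chain_name(vip_nic_name, to)
    iptc.add_rule(
        '-A PREROUTING -p {0} -m {0} -d {1} -j {2}'.format(proto, to.vipIp, dnat_chain_name),
        iptc.NAT_TABLE_NAME)
    if to.allowedCidr:
        # Source-restricted mapping: only allowedCidr reaches the forwarded ports.
        iptc.add_rule(
            '-A {0} -s {1} -p {2} --dport {3}:{4} -j DNAT --to-destination {5}:{6}-{7}'
            .format(dnat_chain_name, to.allowedCidr, proto,
                    to.vipPortStart, to.vipPortEnd,
                    to.privateIp, to.privatePortStart, to.privatePortEnd),
            iptc.NAT_TABLE_NAME)
    else:
        # No allowedCidr: the mapping is open to any source address.
        iptc.add_rule(
            '-A {0} -p {1} --dport {2}:{3} -j DNAT --to-destination {4}:{5}-{6}'
            .format(dnat_chain_name, proto,
                    to.vipPortStart, to.vipPortEnd,
                    to.privateIp, to.privatePortStart, to.privatePortEnd),
            iptc.NAT_TABLE_NAME)

    if to.snatInboundTraffic:
        gw_snat_name = self._make_gateway_snat_name(vip_nic_name, to)
        guest_gw_ip = linux.get_ip_by_nic_name(private_nic_name)
        # order=998 (the EIP rules elsewhere use 999) — presumably sorts this
        # POSTROUTING rule ahead of those; the ordering semantics live in iptc.
        iptc.add_rule(
            '-A POSTROUTING -p {0} --dport {1}:{2} -d {3} -j {4}'.format(
                proto, to.privatePortStart, to.privatePortEnd, to.privateIp, gw_snat_name),
            iptc.NAT_TABLE_NAME, order=998)
        iptc.add_rule(
            '-A {0} -j SNAT --to-source {1}'.format(gw_snat_name, guest_gw_ip),
            iptc.NAT_TABLE_NAME)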
def _create_snat(self, info, iptc):
    """Stage source NAT and forwarding rules for a private NIC on *iptc*.

    Everything leaving through the public NIC is SNAT'd to ``info.publicIp``
    (the SNAT rule matches on ``-o <public nic>`` only, with no source
    restriction), and a FORWARD chain ACCEPTs public<->private traffic as well
    as private->private (hairpin) traffic.  Rules are staged only; applying
    them is up to the caller.

    Args:
        info: command carrying ``privateNicMac``, ``publicNicMac`` and
            ``publicIp``.
        iptc: table object with ``add_rule`` and ``NAT_TABLE_NAME``.

    Raises:
        virtualrouter.VirtualRouterError: if either NIC cannot be resolved
            from its MAC.
    """
    priv_nic = linux.get_nic_name_by_mac(info.privateNicMac)
    if not priv_nic:
        raise virtualrouter.VirtualRouterError('cannot get private nic name for mac[%s]' % info.privateNicMac)

    pub_nics = linux.get_nic_names_by_mac(info.publicNicMac)
    if not pub_nics:
        raise virtualrouter.VirtualRouterError('cannot get public nic name for mac[%s]' % info.publicNicMac)
    # Only the first name is used; an alias suffix ("eth0:1") is stripped.
    pub_nic = pub_nics[0].split(':')[0]

    nat = iptc.NAT_TABLE_NAME
    snat_chain = self.make_snat_chain_name(priv_nic)
    iptc.add_rule('-A POSTROUTING -j %s' % snat_chain, nat)
    iptc.add_rule('-A {0} -o {1} -j SNAT --to-source {2}'.format(snat_chain, pub_nic, info.publicIp), nat)

    fwd_chain = self._make_forward_chain_name(priv_nic)
    # (in, out) interface pairs that jump to the forward chain, in this order.
    for in_nic, out_nic in ((pub_nic, priv_nic), (priv_nic, pub_nic), (priv_nic, priv_nic)):
        iptc.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(in_nic, out_nic, fwd_chain))
    iptc.add_rule('-A {0} -j ACCEPT'.format(fwd_chain))
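def _create_eip(self, eip):
    """Bind an elastic IP (``eip.vipIp``) to a guest (``eip.guestIp``) via iptables.

    Loads the live rule set with ``iptables.from_iptables_save()``, stages the
    rules below at ``order=999`` and applies them with ``iptable_restore()``:

    * nat/PREROUTING: every packet addressed to the VIP — no port or protocol
      filter — is DNAT'd to the guest IP.
    * filter/FORWARD: a chain that ACCEPTs all traffic between the VIP NIC and
      the guest's private NIC in both directions.  NOTE(review): it matches on
      the interface pair only, not on the VIP/guest addresses.
    * nat/POSTROUTING: traffic sourced from the guest is SNAT'd to the VIP.
    * nat/POSTROUTING (only if ``eip.snatInboundTraffic``): traffic to the
      guest is SNAT'd to the private NIC's IP so replies return via this router.

    NOTE: a duplicate-binding check over the existing nat/filter chains used to
    live here and was disabled (commented out); re-binding an already bound
    VIP NIC is therefore not rejected at this layer.

    Args:
        eip: EIP command with ``privateMac``, ``vipIp``, ``guestIp`` and
            ``snatInboundTraffic``.

    Raises:
        virtualrouter.VirtualRouterError: if the private NIC (by MAC) or the
            VIP NIC (by IP) cannot be resolved.  Previously a missing NIC was
            silently formatted into the rules as ``-i None``.
    """
    ipt = iptables.from_iptables_save()
    private_nic_name = linux.get_nic_name_by_mac(eip.privateMac)
    if not private_nic_name:
        raise virtualrouter.VirtualRouterError('cannot find private nic by MAC[%s]' % eip.privateMac)
    vip_nic_name = linux.get_nic_name_by_ip(eip.vipIp)
    if not vip_nic_name:
        raise virtualrouter.VirtualRouterError('cannot find vip nic by IP[%s]' % eip.vipIp)
    guest_ip = eip.guestIp
    vip = eip.vipIp

    dnat_name = self._make_dnat_name(vip_nic_name, private_nic_name)
    snat_name = self._make_snat_name(vip_nic_name, private_nic_name)
    fwd_name = self._make_fwd_name(vip_nic_name, private_nic_name)

    order = 999
    nat = ipt.NAT_TABLE_NAME
    # Inbound: VIP -> guest, all ports and protocols.
    ipt.add_rule('-A PREROUTING -d {0} -j {1}'.format(vip, dnat_name), nat, order=order)
    ipt.add_rule('-A {0} -j DNAT --to-destination {1}'.format(dnat_name, guest_ip), nat, order=order)
    # Forwarding between the two NICs, both directions, unconditionally accepted.
    ipt.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(vip_nic_name, private_nic_name, fwd_name), order=order)
    ipt.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(private_nic_name, vip_nic_name, fwd_name), order=order)
    ipt.add_rule('-A {0} -j ACCEPT'.format(fwd_name), order=order)
    # Outbound: guest -> VIP as the visible source.
    ipt.add_rule('-A POSTROUTING -s {0} -j {1}'.format(guest_ip, snat_name), nat, order=order)
    ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(snat_name, vip), nat, order=order)

    if eip.snatInboundTraffic:
        gw_snat_name = self._make_gateway_snat_name(vip_nic_name, private_nic_name)
        guest_gw_ip = linux.get_ip_by_nic_name(private_nic_name)
        ipt.add_rule('-A POSTROUTING -d {0} -j {1}'.format(guest_ip, gw_snat_name), nat, order=order)
        ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(gw_snat_name, guest_gw_ip), nat, order=order)

    ipt.iptable_restore()
    logger.debug('successfully created eip[{0}] to guest ip[{1}] from device[{2}] to device[{3}]'.format(
        vip, guest_ip, vip_nic_name, private_nic_name))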
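def _create_eip(self, eip):
    """Bind an elastic IP (``eip.vipIp``) to a guest (``eip.guestIp``) via iptables.

    Loads the live rule set with ``iptables.from_iptables_save()``, refuses to
    proceed if any existing nat- or filter-table chain already maps (through
    ``_get_vip_nic_name_from_chain_name``) to this VIP NIC, then stages the
    rules below at ``order=999`` and applies them with ``iptable_restore()``:

    * nat/PREROUTING: every packet addressed to the VIP — no port or protocol
      filter — is DNAT'd to the guest IP.
    * filter/FORWARD: a chain that ACCEPTs all traffic between the VIP NIC and
      the guest's private NIC in both directions.  NOTE(review): it matches on
      the interface pair only, not on the VIP/guest addresses.
    * nat/POSTROUTING: traffic sourced from the guest is SNAT'd to the VIP.
    * nat/POSTROUTING (only if ``eip.snatInboundTraffic``): traffic to the
      guest is SNAT'd to the private NIC's IP so replies return via this router.

    Args:
        eip: EIP command with ``privateMac``, ``vipIp``, ``guestIp`` and
            ``snatInboundTraffic``.

    Raises:
        virtualrouter.VirtualRouterError: if the private NIC (by MAC) or the
            VIP NIC (by IP) cannot be resolved (previously a missing NIC was
            silently formatted into the rules as ``-i None``), or if the VIP
            NIC is already referenced by an existing chain.
    """
    ipt = iptables.from_iptables_save()
    private_nic_name = linux.get_nic_name_by_mac(eip.privateMac)
    if not private_nic_name:
        raise virtualrouter.VirtualRouterError('cannot find private nic by MAC[%s]' % eip.privateMac)
    vip_nic_name = linux.get_nic_name_by_ip(eip.vipIp)
    if not vip_nic_name:
        raise virtualrouter.VirtualRouterError('cannot find vip nic by IP[%s]' % eip.vipIp)
    guest_ip = eip.guestIp
    vip = eip.vipIp

    dnat_name = self._make_dnat_name(vip_nic_name, private_nic_name)
    snat_name = self._make_snat_name(vip_nic_name, private_nic_name)
    fwd_name = self._make_fwd_name(vip_nic_name, private_nic_name)

    def check_eip(table):
        # Reject a second binding of the same VIP NIC before anything is staged.
        if not table:
            return
        for chain in table.children:
            vip_nic = self._get_vip_nic_name_from_chain_name(chain.name)
            if vip_nic == vip_nic_name:
                raise virtualrouter.VirtualRouterError('eip[%s] has been occupied, this is an internal error' % vip)

    check_eip(ipt.get_table(ipt.NAT_TABLE_NAME))
    check_eip(ipt.get_table(ipt.FILTER_TABLE_NAME))

    order = 999
    nat = ipt.NAT_TABLE_NAME
    # Inbound: VIP -> guest, all ports and protocols.
    ipt.add_rule('-A PREROUTING -d {0} -j {1}'.format(vip, dnat_name), nat, order=order)
    ipt.add_rule('-A {0} -j DNAT --to-destination {1}'.format(dnat_name, guest_ip), nat, order=order)
    # Forwarding between the two NICs, both directions, unconditionally accepted.
    ipt.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(vip_nic_name, private_nic_name, fwd_name), order=order)
    ipt.add_rule('-A FORWARD -i {0} -o {1} -j {2}'.format(private_nic_name, vip_nic_name, fwd_name), order=order)
    ipt.add_rule('-A {0} -j ACCEPT'.format(fwd_name), order=order)
    # Outbound: guest -> VIP as the visible source.
    ipt.add_rule('-A POSTROUTING -s {0} -j {1}'.format(guest_ip, snat_name), nat, order=order)
    ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(snat_name, vip), nat, order=order)

    if eip.snatInboundTraffic:
        gw_snat_name = self._make_gateway_snat_name(vip_nic_name, private_nic_name)
        guest_gw_ip = linux.get_ip_by_nic_name(private_nic_name)
        ipt.add_rule('-A POSTROUTING -d {0} -j {1}'.format(guest_ip, gw_snat_name), nat, order=order)
        ipt.add_rule('-A {0} -j SNAT --to-source {1}'.format(gw_snat_name, guest_gw_ip), nat, order=order)

    ipt.iptable_restore()
    logger.debug('successfully created eip[{0}] to guest ip[{1}] from device[{2}] to device[{3}]'.format(
        vip, guest_ip, vip_nic_name, private_nic_name))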
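def _remove_eip(self, eip):
    """Unbind an elastic IP by deleting the chains ``_create_eip`` installed.

    Loads the live rule set, deletes the DNAT, SNAT and gateway-SNAT chains
    from the nat table and the forward chain from the filter table, then
    applies the result with ``iptable_restore()``.  The gateway-SNAT chain is
    deleted regardless of ``snatInboundTraffic`` — presumably ``delete_chain``
    tolerates a chain that does not exist; verify in the iptables helper.

    Args:
        eip: EIP command with ``privateMac``, ``vipIp`` and ``guestIp``.

    Raises:
        virtualrouter.VirtualRouterError: if the private NIC (by MAC) or the
            VIP NIC (by IP) cannot be resolved.  These checks were ``assert``
            statements, which are stripped under ``python -O`` and would then
            let ``None`` flow into the chain names; they now raise like the
            sibling ``_create_snat`` / ``_remove_snat``.
    """
    ipt = iptables.from_iptables_save()
    private_nic_name = linux.get_nic_name_by_mac(eip.privateMac)
    if not private_nic_name:
        raise virtualrouter.VirtualRouterError("cannot find private nic by MAC[%s]" % eip.privateMac)
    vip_nic_name = linux.get_nic_name_by_ip(eip.vipIp)
    if not vip_nic_name:
        raise virtualrouter.VirtualRouterError("cannot find vip nic by IP[%s]" % eip.vipIp)
    guest_ip = eip.guestIp
    vip = eip.vipIp

    dnat_name = self._make_dnat_name(vip_nic_name, private_nic_name)
    snat_name = self._make_snat_name(vip_nic_name, private_nic_name)
    fwd_name = self._make_fwd_name(vip_nic_name, private_nic_name)
    gw_snat_name = self._make_gateway_snat_name(vip_nic_name, private_nic_name)

    nat = ipt.NAT_TABLE_NAME
    ipt.delete_chain(dnat_name, nat)
    ipt.delete_chain(snat_name, nat)
    ipt.delete_chain(gw_snat_name, nat)
    ipt.delete_chain(fwd_name)
    ipt.iptable_restore()
    logger.debug('successfully deleted eip[{0}] to guest ip[{1}] from device[{2}] to device[{3}]'.format(
        vip, guest_ip, vip_nic_name, private_nic_name))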