Commit 0d213378 authored by Sigmund Augdal's avatar Sigmund Augdal

Generate shorter ipset names, and fix some name-inconsistencies

parent 166dae9c
......@@ -49,6 +49,12 @@ class Generator(object):
logging.getLogger("").addHandler(handler)
self.range = [150, 200]
self.prefix = "158.38.213."
self.groups = []
def short_group_id(self, group_id):
if group_id not in self.groups:
self.groups.append(group_id)
return self.groups.index(group_id)
def output(self, line):
self.output_file.write(line)
......@@ -78,7 +84,7 @@ class Generator(object):
def process_security_group(self, group_id, name):
rules = security_groups.get_group_rules(self.etcd_client, group_id)
_, members = security_groups.get_group_members(self.etcd_client, group_id)
source_group = "source_{}".format(group_id)
source_group = "source_{}".format(self.short_group_id(group_id))
self.create_ipset(source_group, "hash:ip")
for member in members:
self.add_ipset_member(source_group, member)
......@@ -88,12 +94,12 @@ class Generator(object):
self.add_ipset_member("rules_from_any", member,
rule["protocol"], rule["destination_port"])
elif rule["source_type"] == "cidr":
self.add_ipset_member("rule_from_cidr", member,
self.add_ipset_member("rules_from_cidr", member,
rule["protocol"], rule["destination_port"],
rule["source_cidr"])
elif rule["source_type"] == "security_group":
source_group = rule["source_security_group"]
set_name = "rule_from_group_{}".format(escape_group_name(source_group))
set_name = "rules_from_group_{}".format(self.short_group_id(source_group))
if source_group not in self.source_sets:
self.create_ipset(set_name, "hash:ip,port")
self.source_sets[source_group] = set_name
......@@ -133,8 +139,8 @@ class Generator(object):
self.output("iptables -A FORWARD -m set --match-set rules_from_cidr_inet dst,dst,src -j ACCEPT")
self.output("ip6tables -A FORWARD -m set --match-set rules_from_cidr_inet6 dst,dst,src -j ACCEPT")
for source_group, destination_set in self.source_sets.items():
self.output("iptables -A FORWARD -m set --match-set {}_inet dst,dst --match-set source_{}_inet src -j ACCEPT".format(destination_set, source_group))
self.output("ip6tables -A FORWARD -m set --match-set {}_inet6 dst,dst --match-set source_{}_inet6 src -j ACCEPT".format(destination_set, source_group))
self.output("iptables -A FORWARD -m set --match-set {}_inet dst,dst --match-set source_{}_inet src -j ACCEPT".format(destination_set, self.short_group_id(source_group)))
self.output("ip6tables -A FORWARD -m set --match-set {}_inet6 dst,dst --match-set source_{}_inet6 src -j ACCEPT".format(destination_set, self.short_group_id(source_group)))
return index
def main(self):
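Review bot: short_group_id in the first hunk registers the group as a side effect of a lookup and then rescans the list with `self.groups.index(group_id)`, so every call is O(n) and the number it returns depends only on the order in which groups were first seen during this run. Since the later hunks now build the ipset names `source_N` and `rules_from_group_N` from that number, two runs that encounter groups in a different order will presumably map the same security group to different set names, which matters if a generated ruleset is ever applied alongside sets left over from a previous run; a short docstring stating that the numbering is per-run and that all sets and rules must be regenerated together would make that explicit. A dict gives the same contract without the linear scan: `self.groups = {}` in `__init__` and `return self.groups.setdefault(group_id, len(self.groups))` as the method body. `__init__` starts outside the hunk, so the list initialisation on the `self.groups = []` line is the only part of it visible here. The third hunk drops the last visible use of `escape_group_name`; if it has no other caller it can be removed, but that cannot be confirmed from this page.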