Commit 93e4e33a authored by Sigmund Augdal's avatar Sigmund Augdal

Change iptables configurators to write rules in ipset restore format and load them

parent d8f50673
......@@ -9,6 +9,7 @@ import time
import argparse
import daemon
import sys
import tempfile
try:
from daemon.pidfile import TimeoutPIDLockFile
except ImportError:
......@@ -50,8 +51,7 @@ class Generator(object):
def create_ipset(self, name, set_type):
for family in ("inet", "inet6"):
self.output("ipset create {}_{} {} family {}".format(name, family,
set_type, family))
self.output("create {}_{} {} family {}".format(name, family, set_type, family))
def add_ipset_member(self, name, member, protocol="tcp", port=None, net=None, source=None):
suffix = ""
......@@ -64,21 +64,21 @@ class Generator(object):
if source is not None:
if source in self.addresses_v4:
suffix4 = "{},{}".format(suffix, self.addresses_v4[source])
self.output("ipset add {}_inet {}{}".format(name, self.addresses_v4[member],
suffix4))
self.output("add {}_inet {}{}".format(name, self.addresses_v4[member],
suffix4))
else:
self.output("ipset add {}_inet {}{}".format(name, self.addresses_v4[member],
suffix))
self.output("add {}_inet {}{}".format(name, self.addresses_v4[member],
suffix))
if member in self.addresses_v6 and (net is None or ":" in net):
if source is not None:
if source in self.addresses_v6:
suffix6 = "{},{}".format(suffix, self.addresses_v6[source])
self.output("ipset add {}_inet6 {}{}".format(name, self.addresses_v6[member],
suffix6))
self.output("add {}_inet6 {}{}".format(name, self.addresses_v6[member],
suffix6))
else:
self.output("ipset add {}_inet6 {}{}".format(name, self.addresses_v6[member],
suffix))
self.output("add {}_inet6 {}{}".format(name, self.addresses_v6[member],
suffix))
def process_security_group(self, group_id, name):
rules = security_groups.get_group_rules(self.etcd_client, group_id)
......@@ -118,27 +118,22 @@ class Generator(object):
index = None
self.addresses_v4 = self.get_addresses("ipv4")
self.addresses_v6 = self.get_addresses("ipv6_public")
self.output_file = open("output.sh", "w")
self.output_file = tempfile.TemporaryFile()
self.create_ipset("rules_from_any", "hash:ip,port")
self.create_ipset("rules_from_cidr", "hash:ip,port,net")
self.create_ipset("rules_from_sg", "hash:ip,port,ip")
self.output("flush")
groups = security_groups.get_security_groups(self.etcd_client)
for group_id, name in groups.items():
self.process_security_group(group_id, name)
self.output("iptables -A FORWARD -m set --match-set rules_from_any_inet dst,dst -j ACCEPT")
self.output("ip6tables -A FORWARD -m set --match-set rules_from_any_inet6 dst,dst -j ACCEPT")
self.output("iptables -A FORWARD -m set --match-set rules_from_cidr_inet dst,dst,src -j ACCEPT")
self.output("ip6tables -A FORWARD -m set --match-set rules_from_cidr_inet6 dst,dst,src -j ACCEPT")
self.output("iptables -A FORWARD -m set --match-set rules_from_sg_inet dst,dst,src -j ACCEPT")
self.output("ip6tables -A FORWARD -m set --match-set rules_from_sg_inet6 dst,dst,src -j ACCEPT")
self.output_file.seek(0)
subprocess.call("ipset restore", stdin=self.output_file, shell=True)
return index
def main(self):
index = self.generate_all()
sys.exit(0)
while True:
data = self.etcd_client.watch("/nova/iaas/instances", index+1)
data = self.etcd_client.watch("/nova/iaas", index+1)
logging.debug("new config index %d", data.index)
time.sleep(1)
index = self.generate_all()
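Review bot: The exit status of `ipset restore` on the `subprocess.call` line is discarded, so a rejected line — for example `create` failing on a later pass because the sets already exist, since no `-exist` flag is passed — leaves the sets partially loaded while the generator carries on as if the firewall were up to date. Use `subprocess.check_call(["ipset", "-exist", "restore"], stdin=self.output_file)` (no `shell=True` is needed for a fixed argv) and close the TemporaryFile afterwards, since it is otherwise leaked on every pass of the watch loop. The bare `flush` line empties every ipset on the host, not just the three created above; flushing the six named sets keeps unrelated sets intact, and building into scratch sets followed by `swap` would additionally remove the window in which rules matching these sets see them empty. The six `iptables -A FORWARD … --match-set` lines are removed here with nothing in the hunk installing them elsewhere, so unless another configurator owns them the loaded sets are no longer referenced by any rule — worth confirming. generate_all's `def` line is above the hunk, and the unchanged `sys.exit(0)` in main makes the watch loop below it unreachable, which looks like a debugging leftover.
```python
        # … unchanged: address lookup and the three create_ipset calls …
        # Flush only the sets this generator owns; a bare "flush" empties
        # every ipset on the host.
        for set_name in ("rules_from_any", "rules_from_cidr", "rules_from_sg"):
            for family in ("inet", "inet6"):
                self.output("flush {}_{}".format(set_name, family))
        # … unchanged: security-group processing …
        self.output_file.seek(0)
        try:
            # -exist lets "create" succeed on later passes when the sets
            # already exist; check_call surfaces a rejected line instead of
            # silently leaving the sets half-loaded.
            subprocess.check_call(["ipset", "-exist", "restore"], stdin=self.output_file)
        finally:
            self.output_file.close()
        return index
```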
......