Commit
b0791944
authored
Dec 04, 2013
by
Sigmund Augdal
refactor some very long lines
parent
e87e614e
Showing
1 changed file
with
13 additions
and
5 deletions
iptables_configurator.py
@@ -15,6 +15,10 @@ from nova_router import security_groups
APP
=
"nova_sg_configurator"
DESCRIPTION
=
"Configure ipset based on data from etcd"
IPTABLES_ANY
=
"-A FORWARD -m set --match-set {} dst,dst -j ACCEPT
\n
"
IPTABLES_CIDR
=
"-A FORWARD -m set --match-set {} dst,dst,src -j ACCEPT
\n
"
IPTABLES_SG
=
"-A FORWARD -m set --match-set {} src -m set --match-set {} dst,dst -j ACCEPT
\n
"
class
Generator
(
object
):
def
__init__
(
self
,
cert
,
key
,
cacert
,
logfile
=
None
):
@@ -95,7 +99,8 @@ class Generator(object):
elif
rule
[
"source_type"
]
==
"security_group"
:
source_group
=
rule
[
"source_security_group"
]
if
not
source_group
in
self
.
by_source_groups
:
self
.
by_source_groups
[
source_group
]
=
self
.
create_ipset
(
"rules_by_source"
,
"hash:ip,port"
,
True
)
setname
=
self
.
create_ipset
(
"rules_by_source"
,
"hash:ip,port"
,
True
)
self
.
by_source_groups
[
source_group
]
=
setname
group_name
=
self
.
by_source_groups
[
source_group
]
self
.
add_ipset_member
(
group_name
,
member
,
rule
[
"protocol"
],
rule
[
"destination_port"
])
@@ -153,11 +158,14 @@ class Generator(object):
self
.
import_iptables
(
"/etc/iptables.save"
,
iptables_output
)
self
.
import_iptables
(
"/etc/ip6tables.save"
,
ip6tables_output
)
for
family
,
output
in
((
"inet"
,
iptables_output
),
(
"inet6"
,
ip6tables_output
)):
output
.
write
(
"-A FORWARD -m set --match-set {} dst,dst -j ACCEPT
\n
"
.
format
(
self
.
set_name
(
"rules_from_any"
,
family
)))
output
.
write
(
"-A FORWARD -m set --match-set {} dst,dst,src -j ACCEPT
\n
"
.
format
(
self
.
set_name
(
"rules_from_cidr"
,
family
)))
from_any
=
self
.
set_name
(
"rules_from_any"
,
family
)
output
.
write
(
IPTABLES_ANY
.
format
(
from_any
))
from_cidr
=
self
.
set_name
(
"rules_from_cidr"
,
family
)
output
.
write
(
IPTABLES_CIDR
.
format
(
from_cidr
))
for
group
,
ipset
in
self
.
by_source_groups
.
items
():
output
.
write
(
"-A FORWARD -m set --match-set {} src -m set --match-set {} dst,dst -j ACCEPT
\n
"
.
format
(
self
.
set_name
(
self
.
group_members_groups
[
group
],
family
),
self
.
set_name
(
ipset
,
family
)))
source
=
self
.
set_name
(
self
.
group_members_groups
[
group
],
family
)
dest
=
self
.
set_name
(
ipset
,
family
)
output
.
write
(
IPTABLES_SG
.
format
(
source
,
dest
))
output
.
write
(
"COMMIT
\n
"
)
output
.
seek
(
0
)
# subprocess.call("cat", stdin=iptables_output, shell=True)
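Review bot: The new `source = self.set_name(self.group_members_groups[group], family)` line in the last hunk indexes `group_members_groups` with every key of `by_source_groups`, so a rule whose `source_security_group` has no members entry raises KeyError and aborts the whole rule write; the removed long line did the same lookup, so the refactor does not change this, but splitting it out is the natural place to make the invariant explicit. Unless that dictionary is guaranteed to be filled for every referenced group elsewhere (the enclosing method starts before this hunk, so I cannot see it), a guarded lookup such as `members = self.group_members_groups.get(group)` followed by `if members is None: continue` with a log line would keep one unknown group from leaving the FORWARD chain half written. The three new module constants in the first hunk would also benefit from a short comment, e.g. `# iptables-restore lines for the FORWARD chain; {} is filled with the ipset name from set_name(), and the dst,dst / src flag lists must agree with the type each set was created with`.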