Commit fca5ebd2 authored by Sigmund Augdal's avatar Sigmund Augdal

Fix problem when hosts get overlapping port ranges in generated rules

We now expand port ranges when generating ipsets and remove
duplicates. ipset already does this expansion under the hood (or so we
suspect), so filtering performance and memory usage should not change.
parent 046b5c8f
......@@ -128,17 +128,24 @@ class Generator(object):
self.output("add {} {}{}".format(setname, to, suffix))
def add_ipset_member(self, name, member, protocol="tcp", port=None, net=None, source=None):
suffix = ""
if port is not None and protocol in ['tcp', 'udp']:
suffix += ",{}:{}".format(protocol, port)
if net is not None:
suffix += ",{}".format(net)
member = member.lower()
if member in self.addresses_v4 and (net is None or "." in net):
self.add_ipset_member_family(name, member, "inet", suffix, source, self.addresses_v4)
if member in self.addresses_v6 and (net is None or ":" in net):
self.add_ipset_member_family(name, member, "inet6", suffix, source, self.addresses_v6)
if '-' in port:
first, last = (int(x) for x in port.split('-'))
portrange = range(first, last+1)
else:
portrange = [port]
suffixes = (",{}:{}".format(protocol, port) for port in portrange)
else:
suffixes = [""]
for suffix in suffixes:
if net is not None:
suffix += ",{}".format(net)
member = member.lower()
if member in self.addresses_v4 and (net is None or "." in net):
self.add_ipset_member_family(name, member, "inet", suffix, source, self.addresses_v4)
if member in self.addresses_v6 and (net is None or ":" in net):
self.add_ipset_member_family(name, member, "inet6", suffix, source, self.addresses_v6)
def process_security_group(self, group_id, name):
rules = security_groups.get_group_rules(self.etcd_client, group_id)
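Review bot: The new range handling at `if '-' in port:` trusts the port value to be a string of the form `N` or `N-M`: an inverted range such as `20-10` makes `range(first, last+1)` empty, so the member is silently dropped from the set with no error, while a value with two dashes or a non-numeric part raises from the tuple unpacking or `int()` without naming the offending rule. Since the port values appear to originate from the security group rules fetched in `process_security_group` (`security_groups.get_group_rules`), I'd validate the bounds once after parsing, e.g. `first, last = (int(x) for x in port.split('-', 1))` followed by `if not 0 <= first <= last <= 65535: raise ValueError("invalid port range {!r} for {}".format(port, name))`. Note also that `'-' in port` raises TypeError if a caller ever passes the port as an int, where the old `.format(protocol, port)` accepted both; if string ports are guaranteed by the callers, a short comment on the parameter would record that. The deduplication the commit message mentions is not visible in this hunk, so presumably it happens in `add_ipset_member_family`; a one-line comment above `for suffix in suffixes:` saying where duplicates are filtered would help the next reader.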