Commit 9c27cd88 authored by Sigmund Augdal's avatar Sigmund Augdal

Process library groups in iptables_configurator

parent 7815b0b4
......@@ -151,6 +151,17 @@ class Generator(object):
if member in self.addresses_v6 and (net is None or ":" in net):
self.add_ipset_member_family(name, member, "inet6", suffix, source, self.addresses_v6)
def process_library_group(self, group_id, group):
if not 'entries' in group:
logging.debug("skipping empty library group {}".format(group_id))
return
members_name = self.create_ipset("source", "hash:net", True)
name = group['name']
logging.info("Using ipset {setname} for library group {group} ({group_id})".format(setname=members_name, group=name, group_id=group_id))
for net in sorted((entry['cidr'] for entry in group['entries'].values())):
self.add_ipset_net(members_name, net)
self.group_members_groups[group_id] = members_name
def process_security_group(self, group_id, name):
rules = security_groups.get_group_rules(self.etcd_client, group_id)
......@@ -193,8 +204,8 @@ class Generator(object):
self.add_ipset_member(RULES_FROM_CIDR, member,
rule["protocol"], rule.get("destination_port", None),
rule["source_cidr"])
elif rule["source_type"] == "security_group":
source_group = rule["source_security_group"]
elif rule["source_type"] == "security_group" or rule["source_type"] == "library_group":
source_group = rule.get("source_security_group", None) or rule["source_library_group"]
if not source_group in self.by_source_groups:
setname = self.create_ipset(RULES_BY_SRC, "hash:ip,port", True)
setname_ip = self.create_ipset(RULES_BY_SRC_TO_IP, "hash:ip", True)
......@@ -257,6 +268,9 @@ class Generator(object):
# Destroy old, unused sets to reduce risk of hitting max number of sets
destroy_ipsets(old_groups)
for group_id, group in sorted(security_groups.get_library_groups(self.etcd_client).items(), key=lambda x: x[0]):
self.process_library_group(group_id, group)
groups = security_groups.get_security_groups(self.etcd_client)
for group_id, group in sorted(groups.items(), key=lambda x: x[0]):
self.process_security_group(group_id, group['name'])
......
Markdown is supported
0% or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment