That is the acls.

Need to check that the order stays correct
This commit is contained in:
Ian Southam 2014-08-20 18:34:25 +02:00 committed by wilderrodrigues
parent 8a92a0a460
commit 0e8c79c7f1
3 changed files with 106 additions and 4 deletions


@ -156,6 +156,8 @@ class CsNetfilter(object):
self.seen = True
def __convert_to_dict(self, rule):
rule = rule.lstrip()
rule = rule.replace(' ', ' ')
rule = rule.replace('! -', '!_-')
# -m can appear twice in a string
rule = rule.replace('-m state', '-m2 state')
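Review bot: The rename `rule = rule.replace('-m state', '-m2 state')` substitutes every occurrence, so a rule carrying two `-m state` matches still collapses onto one key, and two repeated non-state `-m` matches are not renamed at all; if __convert_to_dict later splits the string on its flags, as the name suggests, those would still collide. The comment above it should say what the rename is for and what spelling the consumer has to expect, e.g. `# iptables allows repeated -m matches; rename the state one to -m2 so both survive as distinct keys`. As rendered, `rule = rule.replace(' ', ' ')` on the line above reads as a no-op, presumably a double-space collapse lost in extraction, which is worth confirming against the source. The method body continues outside the hunk.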


@ -502,6 +502,7 @@ class CsAcl(CsDataBag):
"""
Deal with Network acls
"""
class AclDevice():
""" A little class for each list of acls per device """
@ -518,12 +519,56 @@ class CsAcl(CsDataBag):
self.egress = obj['egress_rules']
def create(self):
self.process(self.ingress)
self.process(self.egress)
self.process("ingress", self.ingress)
self.process("egress", self.egress)
def process(self,rule_list):
def process(self, direction, rule_list):
for i in rule_list:
pprint(i)
r = self.AclRule(direction, self.device, i)
r.create()
class AclRule():
def __init__(self, direction, device, rule):
self.table = ""
self.device = device
self.chain = "ACL_INBOUND_%s" % self.device
self.dest = "-s %s" % rule['cidr']
if direction == "egress":
self.table = "mangle"
self.chain = "ACL_OUTBOUND_%s" % self.device
self.dest = "-d %s" % rule['cidr']
self.type = ""
self.type = rule['type']
self.icmp_type = "any"
self.protocol = self.type
if "icmp_type" in rule.keys() and rule['icmp_type'] != -1:
self.icmp_type = rule['icmp_type']
if "icmp_code" in rule.keys() and rule['icmp_code'] != -1:
self.icmp_type = "%s/%s" % (self.icmp_type, rule['icmp_code'])
if self.type == "protocol":
self.protocol = rule['protocol']
self.action = "DENY"
self.dport = ""
if 'allowed' in rule.keys() and rule['allowed'] and rule['allowed']:
self.action = "ACCEPT"
global fw
if 'first_port' in rule.keys():
self.dport = "--dport %s" % rule['first_port']
if 'last_port' in rule.keys() and self.dport and \
rule['last_port'] != rule['first_port']:
self.dport = "%s:%s" % (self.dport, rule['last_port'])
def create(self):
rstr = ""
rstr = "%s -A %s -p %s %s" % (rstr, self.chain, self.protocol, self.dest)
if self.type == "icmp":
rstr = "%s -icmp_type %s" % (rstr, self.icmp_type)
rstr = "%s %s -j %s" % (rstr, self.dport, self.action)
fw.append([self.table, "front", rstr])
def process(self):
for item in self.dbag:
@ -760,5 +805,6 @@ def main(argv):
dh = CsDataBag("dhcpentry")
dhcp = CsDhcp(dh.get_bag(), cl)
if __name__ == "__main__":
main(sys.argv)
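Review bot: `self.action = "DENY"` in AclRule.__init__, emitted as `-j %s` in create, names a target iptables does not have (DROP or REJECT are the ones that apply here), so unless the consumer of `fw` translates it, every rule with `allowed: false` fails to load and the deny ACL is silently not enforced; `self.action = "DROP"` is the conventional fix. On the same path `rstr = "%s -icmp_type %s" % (rstr, self.icmp_type)` should use the iptables option spelling, `rstr = "%s --icmp-type %s" % (rstr, self.icmp_type)`; both `any` and the `type/code` form built in __init__ are accepted by that option. The `global fw` statement in __init__ has no effect, since `fw` is only appended to in create, and `rule['allowed'] and rule['allowed']` repeats the same test. Because a rule that fails to load fails open, the code that applies the `fw` list should check the iptables exit status for each entry if it does not already. CsAcl.process at the end of the hunk continues outside it.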


@ -0,0 +1,54 @@
{
"eth2": {
"device": "eth2",
"egress_rules": [
{
"allowed": false,
"cidr": "10.0.6.0/8",
"first_port": 60,
"last_port": 60,
"type": "tcp"
}
],
"ingress_rules": [
{
"allowed": true,
"cidr": "10.0.1.0/8",
"protocol": 41,
"type": "protocol"
},
{
"allowed": true,
"cidr": "10.0.4.0/8",
"type": "all"
},
{
"allowed": true,
"cidr": "10.0.3.0/8",
"icmp_code": -1,
"icmp_type": -1,
"type": "icmp"
},
{
"allowed": true,
"cidr": "10.0.2.0/8",
"first_port": 40,
"last_port": 40,
"type": "udp"
},
{
"allowed": true,
"cidr": "10.0.1.0/8",
"first_port": 30,
"last_port": 30,
"type": "tcp"
}
],
"mac_address": "02:00:0d:7b:00:04",
"nic_ip": "172.16.1.1",
"nic_netmask": "24",
"private_gateway_acl": false,
"type": "networkacl"
},
"id": "networkacl"
}
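Review bot: The fixture exercises neither an ICMP rule with an explicit `icmp_type`/`icmp_code` (both are -1 here) nor a port range where `first_port` differs from `last_port`, so the `type/code` and `first:last` branches of the new AclRule class never run against this data; one entry of each would cover them. The cidr values also carry host bits under a /8 prefix (e.g. `10.0.6.0/8`), which iptables masks down to `10.0.0.0/8`, so the rule matches the whole /8 rather than the subnet the address suggests; a fixture is clearer when the prefix length matches the address.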