Include base rule sets in Acls

Also made some adjustments to the base rule sets to ensure my parsing routine works
2025-11-02 20:02:29 +01:00 · 2014-09-04 10:58:47 +02:00 · 2014-09-04 10:58:47 +02:00 · 733bc19eac
commit 733bc19eac
parent e779c9b1e3
4 changed files with 38 additions and 53 deletions
--- a/systemvm/patches/debian/config/etc/iptables/iptables-router
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-router
@ -36,8 +36,8 @@ COMMIT
 -A INPUT -i eth0 -p udp -m udp --dport 67 -j ACCEPT
 -A INPUT -i eth0 -p udp -m udp --dport 53 -j ACCEPT
 -A INPUT -i eth0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUT -i eth1 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 80 -j ACCEPT
+-A INPUT -i eth1 -p tcp -m tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 80 -j ACCEPT
 -A FORWARD -i eth0 -o eth1 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i eth2 -o eth0 -m state --state RELATED,ESTABLISHED -j ACCEPT
 -A FORWARD -i eth0 -o eth0 -m state --state NEW -j ACCEPT
@ -54,5 +54,5 @@ COMMIT
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
 -A PREROUTING -m state --state ESTABLISHED,RELATED -j CONNMARK --restore-mark
-A POSTROUTING -p udp --dport bootpc -j CHECKSUM --checksum-fill
+-A POSTROUTING -p udp -m udp --dport bootpc -j CHECKSUM --checksum-fill
 COMMIT
--- a/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter
+++ b/systemvm/patches/debian/config/etc/iptables/iptables-vpcrouter
@ -28,7 +28,7 @@ COMMIT
 -A INPUT -d 225.0.0.50/32 -j ACCEPT
 -A INPUT -p icmp -j ACCEPT
 -A INPUT -i lo -j ACCEPT
-A INPUT -i eth0 -p tcp -m state --state NEW --dport 3922 -j ACCEPT
+-A INPUT -i eth0 -p tcp -m tcp -m state --state NEW --dport 3922 -j ACCEPT
 -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
 -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
 COMMIT
@ -38,5 +38,5 @@ COMMIT
 :FORWARD ACCEPT [0:0]
 :OUTPUT ACCEPT [0:0]
 :POSTROUTING ACCEPT [0:0]
-A OUTPUT -p udp --dport bootpc -j CHECKSUM --checksum-fill
+-A OUTPUT -p udp -m udp --dport bootpc -j CHECKSUM --checksum-fill
 COMMIT
--- a/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py
@ -1,6 +1,7 @@
 # -- coding: utf-8 --
 import CsHelper
 from pprint import pprint
+from cs_databag import CsDataBag, CsCmdLine
 import logging

 class CsChain(object):
@ -99,7 +100,6 @@ class CsNetfilters(object):
            # Ensure all inbound chains have a default drop rule
            if c.startswith("ACL_INBOUND"):
                list.append(["filter", "", "-A %s -j DROP" % c])
-        print list
        for fw in list:
            new_rule = CsNetfilter()
            new_rule.parse(fw[2])
@ -127,16 +127,20 @@ class CsNetfilters(object):

    def del_standard(self):
        """ Del rules that are there but should not be deleted 
-        from the host but that configure does not actually manage """
-        self.del_rule("mangle", "-m udp --dport 68 -A OUTPUT -p udp -j CHECKSUM")
+        These standard firewall rules vary according to the device type
+        """
+        type = CsCmdLine("cmdline").get_type()

-        self.del_rule("filter", "-d 224.0.0.18/32 -A INPUT -j ACCEPT")
-        self.del_rule("filter", "-d 225.0.0.50/32 -A INPUT -j ACCEPT")
-        self.del_rule("filter", "-A INPUT -p icmp -j ACCEPT")
-        self.del_rule("filter", "-i lo -A INPUT -j ACCEPT")
-        self.del_rule("filter", "-A INPUT -m tcp -i eth0 -m state --dport 3922 -p tcp --state NEW -j ACCEPT")
-        self.del_rule("filter", "-j ACCEPT -A INPUT --state RELATED,ESTABLISHED -m state")
-        self.del_rule("filter", "-j ACCEPT -A FORWARD --state RELATED,ESTABLISHED -m state")
+        try:
+            table = ''
+            for i in open("/etc/iptables/iptables-%s" % type):
+                if i.startswith('*'): # Table
+                    table = i[1:].strip()
+                if i.startswith('-A'): # Rule
+                    self.del_rule(table, i.strip())
+        except IOError:
+            # Nothing can be done
+            return

    def del_rule(self, table, rule):
        nr = CsNetfilter()
@ -149,7 +153,6 @@ class CsNetfilters(object):
        The rule will not actually be removed on the host """
        self.rules[:] = [x for x in self.rules if not x == rule]

-
 class CsNetfilter(object):
     
    def __init__(self):
@ -172,8 +175,10 @@ class CsNetfilter(object):
        rule = rule.replace('! -', '!_-')
        rule = rule.replace('-p all', '')
        rule = rule.replace('  ', ' ')
+        rule = rule.replace('bootpc', '68')
        # -m can appear twice in a string
        rule = rule.replace('-m state', '-m2 state')
+        rule = rule.replace('ESTABLISHED,RELATED', 'RELATED,ESTABLISHED')
        bits = rule.split(' ')
        rule = dict(zip(bits[0::2],bits[1::2]))
        if "-A" in rule.keys():
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@ -19,6 +19,7 @@
 import sys
 import os
 from merge import dataBag
+from cs_databag import CsDataBag, CsCmdLine
 from pprint import pprint
 import subprocess
 import logging
@ -488,28 +489,27 @@ class CsIP:
            self.post_config_change("delete")


-class CsDataBag(object):

-    def __init__(self, key):
-        self.data = {}
-        db = dataBag()
-        db.setKey(key)
-        db.load()
-        self.dbag = db.getDataBag()
-        global fw

-    def get_bag(self):
-        return self.dbag
+class CsPassword(CsDataBag):
+    """
+      Update the password cache
+
+      A stupid step really as we should just rewrite the password server to
+      use the databag
+    """
+    cache = "/var/cache/cloud/passwords"

    def process(self):
-        pass
+        file = CsFile(self.cache)
+        for item in self.dbag:
+            if item == "id":
+                continue
+            self.__update(file, item, self.dbag[item])
+        file.commit()

-class CsCmdLine(CsDataBag):
-    """ Get cmdline config parameters """
-    def is_redundant(self):
-        if "redundant" in self.dbag['config']:
-            return self.dbag['config']['redundant'] == "true"
-        return False
+    def __update(self, file, ip, password):
+        file.search("%s=" % ip, "%s=%s" % (ip, password))

 class CsAcl(CsDataBag):
    """
@ -592,26 +592,6 @@ class CsAcl(CsDataBag):
            dev_obj = self.AclDevice(self.dbag[item]).create()


-class CsPassword(CsDataBag):
-    """
-      Update the password cache
-
-      A stupid step really as we should just rewrite the password server to
-      use the databag
-    """
-    cache = "/var/cache/cloud/passwords"
-
-    def process(self):
-        file = CsFile(self.cache)
-        for item in self.dbag:
-            if item == "id":
-                continue
-            self.__update(file, item, self.dbag[item])
-        file.commit()
-
-    def __update(self, file, ip, password):
-        file.search("%s=" % ip, "%s=%s" % (ip, password))
-
 class CsVmMetadata(CsDataBag):

    def process(self):