Truncated trailing/double spaces

Signed-off-by: Rene Diepstraten <mail@renediepstraten.nl>
Rene Diepstraten 2013-07-17 00:13:05 +02:00 committed by Wido den Hollander
parent bfe76b44da
commit ffe7cfe076


@ -90,7 +90,7 @@ def destroy_network_rules_for_vm(vm_name, vif=None):
delete_rules_for_vm_in_bridge_firewall_chain(vm_name) delete_rules_for_vm_in_bridge_firewall_chain(vm_name)
if vm_name.startswith('i-') or vm_name.startswith('r-'): if vm_name.startswith('i-') or vm_name.startswith('r-'):
vmchain_default = '-'.join(vm_name.split('-')[:-1]) + "-def" vmchain_default = '-'.join(vm_name.split('-')[:-1]) + "-def"
destroy_ebtables_rules(vmchain, vif) destroy_ebtables_rules(vmchain, vif)
@ -98,34 +98,34 @@ def destroy_network_rules_for_vm(vm_name, vif=None):
if vmchain_default != None: if vmchain_default != None:
execute("iptables -F " + vmchain_default) execute("iptables -F " + vmchain_default)
except: except:
logging.debug("Ignoring failure to delete chain " + vmchain_default) logging.debug("Ignoring failure to delete chain " + vmchain_default)
try: try:
if vmchain_default != None: if vmchain_default != None:
execute("iptables -X " + vmchain_default) execute("iptables -X " + vmchain_default)
except: except:
logging.debug("Ignoring failure to delete chain " + vmchain_default) logging.debug("Ignoring failure to delete chain " + vmchain_default)
try: try:
execute("iptables -F " + vmchain) execute("iptables -F " + vmchain)
except: except:
logging.debug("Ignoring failure to delete chain " + vmchain) logging.debug("Ignoring failure to delete chain " + vmchain)
try: try:
execute("iptables -X " + vmchain) execute("iptables -X " + vmchain)
except: except:
logging.debug("Ignoring failure to delete chain " + vmchain) logging.debug("Ignoring failure to delete chain " + vmchain)
try: try:
execute("iptables -F " + vmchain_egress) execute("iptables -F " + vmchain_egress)
except: except:
logging.debug("Ignoring failure to delete chain " + vmchain_egress) logging.debug("Ignoring failure to delete chain " + vmchain_egress)
try: try:
execute("iptables -X " + vmchain_egress) execute("iptables -X " + vmchain_egress)
except: except:
logging.debug("Ignoring failure to delete chain " + vmchain_egress) logging.debug("Ignoring failure to delete chain " + vmchain_egress)
try: try:
execute("ipset -F " + vm_name) execute("ipset -F " + vm_name)
@ -174,14 +174,14 @@ def destroy_ebtables_rules(vm_name, vif):
for cmd in delcmds: for cmd in delcmds:
try: try:
execute("ebtables -t nat " + cmd) execute("ebtables -t nat " + cmd)
except: except:
logging.debug("Ignoring failure to delete ebtables rules for vm " + vm_name) logging.debug("Ignoring failure to delete ebtables rules for vm " + vm_name)
chains = [vm_name+"-in", vm_name+"-out", vm_name+"-in-ips", vm_name+"-out-ips"] chains = [vm_name+"-in", vm_name+"-out", vm_name+"-in-ips", vm_name+"-out-ips"]
for chain in chains: for chain in chains:
try: try:
execute("ebtables -t nat -F " + chain) execute("ebtables -t nat -F " + chain)
execute("ebtables -t nat -X " + chain) execute("ebtables -t nat -X " + chain)
except: except:
logging.debug("Ignoring failure to delete ebtables chain for vm " + vm_name) logging.debug("Ignoring failure to delete ebtables chain for vm " + vm_name)
@ -199,33 +199,33 @@ def default_ebtables_rules(vm_name, vm_ip, vm_mac, vif):
try: try:
# -s ! 52:54:0:56:44:32 -j DROP # -s ! 52:54:0:56:44:32 -j DROP
execute("ebtables -t nat -A PREROUTING -i " + vif + " -j " + vmchain_in) execute("ebtables -t nat -A PREROUTING -i " + vif + " -j " + vmchain_in)
execute("ebtables -t nat -A POSTROUTING -o " + vif + " -j " + vmchain_out) execute("ebtables -t nat -A POSTROUTING -o " + vif + " -j " + vmchain_out)
execute("ebtables -t nat -A " + vmchain_in_ips + " -j DROP") execute("ebtables -t nat -A " + vmchain_in_ips + " -j DROP")
execute("ebtables -t nat -A " + vmchain_out_ips + " -j DROP") execute("ebtables -t nat -A " + vmchain_out_ips + " -j DROP")
except: except:
logging.debug("Failed to program default rules") logging.debug("Failed to program default rules")
return 'false' return 'false'
try: try:
execute("ebtables -t nat -A " + vmchain_in + " -s ! " + vm_mac + " -j DROP") execute("ebtables -t nat -A " + vmchain_in + " -s ! " + vm_mac + " -j DROP")
execute("ebtables -t nat -A " + vmchain_in + " -p ARP -s ! " + vm_mac + " -j DROP") execute("ebtables -t nat -A " + vmchain_in + " -p ARP -s ! " + vm_mac + " -j DROP")
execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-mac-src ! " + vm_mac + " -j DROP") execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-mac-src ! " + vm_mac + " -j DROP")
if vm_ip is not None: if vm_ip is not None:
execute("ebtables -t nat -A " + vmchain_in + " -p ARP -j " + vmchain_in_ips) execute("ebtables -t nat -A " + vmchain_in + " -p ARP -j " + vmchain_in_ips)
execute("ebtables -t nat -I " + vmchain_in_ips + " -p ARP --arp-ip-src " + vm_ip + " -j RETURN") execute("ebtables -t nat -I " + vmchain_in_ips + " -p ARP --arp-ip-src " + vm_ip + " -j RETURN")
execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Request -j ACCEPT") execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Request -j ACCEPT")
execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Reply -j ACCEPT") execute("ebtables -t nat -A " + vmchain_in + " -p ARP --arp-op Reply -j ACCEPT")
execute("ebtables -t nat -A " + vmchain_in + " -p ARP -j DROP") execute("ebtables -t nat -A " + vmchain_in + " -p ARP -j DROP")
except: except:
logging.exception("Failed to program default ebtables IN rules") logging.exception("Failed to program default ebtables IN rules")
return 'false' return 'false'
try: try:
execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Reply --arp-mac-dst ! " + vm_mac + " -j DROP") execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Reply --arp-mac-dst ! " + vm_mac + " -j DROP")
if vm_ip is not None: if vm_ip is not None:
execute("ebtables -t nat -A " + vmchain_out + " -p ARP -j " + vmchain_out_ips ) execute("ebtables -t nat -A " + vmchain_out + " -p ARP -j " + vmchain_out_ips )
execute("ebtables -t nat -I " + vmchain_out_ips + " -p ARP --arp-ip-dst " + vm_ip + " -j RETURN") execute("ebtables -t nat -I " + vmchain_out_ips + " -p ARP --arp-ip-dst " + vm_ip + " -j RETURN")
execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Request -j ACCEPT") execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Request -j ACCEPT")
execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Reply -j ACCEPT") execute("ebtables -t nat -A " + vmchain_out + " -p ARP --arp-op Reply -j ACCEPT")
execute("ebtables -t nat -A " + vmchain_out + " -p ARP -j DROP") execute("ebtables -t nat -A " + vmchain_out + " -p ARP -j DROP")
@ -254,8 +254,8 @@ def default_network_rules_systemvm(vm_name, localbrname):
vifs = getVifsForBridge(vm_name, bridge) vifs = getVifsForBridge(vm_name, bridge)
for vif in vifs: for vif in vifs:
try: try:
execute("iptables -A " + brfw + "-OUT" + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain) execute("iptables -A " + brfw + "-OUT" + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain)
execute("iptables -A " + brfw + "-IN" + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j " + vmchain) execute("iptables -A " + brfw + "-IN" + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j " + vmchain)
execute("iptables -A " + vmchain + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j RETURN") execute("iptables -A " + vmchain + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j RETURN")
except: except:
logging.debug("Failed to program default rules") logging.debug("Failed to program default rules")
@ -305,7 +305,7 @@ def create_ipset_forvm (ipsetname):
logging.debug("Creating ipset chain .... " + ipsetname) logging.debug("Creating ipset chain .... " + ipsetname)
execute("ipset -F " + ipsetname) execute("ipset -F " + ipsetname)
execute("ipset -X " + ipsetname) execute("ipset -X " + ipsetname)
execute("ipset -N " + ipsetname + " iphash") execute("ipset -N " + ipsetname + " iphash")
except: except:
logging.debug("ipset chain not exists creating.... " + ipsetname) logging.debug("ipset chain not exists creating.... " + ipsetname)
execute("ipset -N " + ipsetname + " iphash") execute("ipset -N " + ipsetname + " iphash")
@ -317,7 +317,7 @@ def add_to_ipset(ipsetname, ips, action):
for ip in ips: for ip in ips:
try: try:
logging.debug("vm ip " + ip) logging.debug("vm ip " + ip)
execute("ipset " + action + " " + ipsetname + " " + ip) execute("ipset " + action + " " + ipsetname + " " + ip)
except: except:
logging.debug("vm ip alreday in ip set " + ip) logging.debug("vm ip alreday in ip set " + ip)
continue continue
@ -345,10 +345,10 @@ def ebtables_rules_vmip (vmname, ips, action):
for ip in ips: for ip in ips:
logging.debug("ip = "+ip) logging.debug("ip = "+ip)
try: try:
execute("ebtables -t nat -I " + vmchain_inips + " -p ARP --arp-ip-src " + ip + " -j RETURN") execute("ebtables -t nat -I " + vmchain_inips + " -p ARP --arp-ip-src " + ip + " -j RETURN")
execute("ebtables -t nat -I " + vmchain_outips + " -p ARP --arp-ip-dst " + ip + " -j RETURN") execute("ebtables -t nat -I " + vmchain_outips + " -p ARP --arp-ip-dst " + ip + " -j RETURN")
except: except:
logging.debug("Failed to program ebtables rules for secondary ip "+ ip) logging.debug("Failed to program ebtables rules for secondary ip "+ ip)
continue continue
def default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname, sec_ips): def default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname, sec_ips):
@ -360,7 +360,7 @@ def default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname, sec_ips):
domID = getvmId(vm_name) domID = getvmId(vm_name)
delete_rules_for_vm_in_bridge_firewall_chain(vmName) delete_rules_for_vm_in_bridge_firewall_chain(vmName)
vmchain = vm_name vmchain = vm_name
vmchain_egress = egress_chain_name(vm_name) vmchain_egress = egress_chain_name(vm_name)
vmchain_default = '-'.join(vmchain.split('-')[:-1]) + "-def" vmchain_default = '-'.join(vmchain.split('-')[:-1]) + "-def"
destroy_ebtables_rules(vmName, vif) destroy_ebtables_rules(vmName, vif)
@ -406,18 +406,18 @@ def default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname, sec_ips):
logging.debug("Failed to log default network rules, ignoring") logging.debug("Failed to log default network rules, ignoring")
try: try:
execute("iptables -A " + brfw + "-OUT" + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain_default) execute("iptables -A " + brfw + "-OUT" + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain_default)
execute("iptables -A " + brfw + "-IN" + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j " + vmchain_default) execute("iptables -A " + brfw + "-IN" + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -j " + vmchain_default)
execute("iptables -A " + vmchain_default + " -m state --state RELATED,ESTABLISHED -j ACCEPT") execute("iptables -A " + vmchain_default + " -m state --state RELATED,ESTABLISHED -j ACCEPT")
#allow dhcp #allow dhcp
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -p udp --dport 67 --sport 68 -j ACCEPT") execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -p udp --dport 67 --sport 68 -j ACCEPT")
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -p udp --dport 68 --sport 67 -j ACCEPT") execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -p udp --dport 68 --sport 67 -j ACCEPT")
#don't let vm spoof its ip address #don't let vm spoof its ip address
if vm_ip is not None: if vm_ip is not None:
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p udp --dport 53 -j RETURN ") execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -p udp --dport 53 -j RETURN ")
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -j " + vmchain_egress) execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-in " + vif + " -m set --set " + vmipsetName + " src -j " + vmchain_egress)
execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain) execute("iptables -A " + vmchain_default + " -m physdev --physdev-is-bridged --physdev-out " + vif + " -j " + vmchain)
execute("iptables -A " + vmchain + " -j DROP") execute("iptables -A " + vmchain + " -j DROP")
except: except:
logging.debug("Failed to program default rules for vm " + vm_name) logging.debug("Failed to program default rules for vm " + vm_name)
@ -440,7 +440,7 @@ def post_default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname, dhcpS
vmchain_out = vm_name + "-out" vmchain_out = vm_name + "-out"
domID = getvmId(vm_name) domID = getvmId(vm_name)
try: try:
execute("iptables -I " + vmchain_default + " 4 -m physdev --physdev-is-bridged --physdev-in " + vif + " --source " + vm_ip + " -j ACCEPT") execute("iptables -I " + vmchain_default + " 4 -m physdev --physdev-is-bridged --physdev-in " + vif + " --source " + vm_ip + " -j ACCEPT")
except: except:
pass pass
try: try:
@ -454,7 +454,7 @@ def post_default_network_rules(vm_name, vm_id, vm_ip, vm_mac, vif, brname, dhcpS
pass pass
try: try:
execute("ebtables -t nat -I " + vmchain_in + " 4 -p ARP --arp-ip-src ! " + vm_ip + " -j DROP") execute("ebtables -t nat -I " + vmchain_in + " 4 -p ARP --arp-ip-src ! " + vm_ip + " -j DROP")
except: except:
pass pass
try: try:
@ -470,7 +470,7 @@ def delete_rules_for_vm_in_bridge_firewall_chain(vmName):
vmchain = vm_name vmchain = vm_name
delcmd = "iptables-save | grep BF | grep " + vmchain + " | grep physdev-is-bridged | sed 's/-A/-D/'" delcmd = "iptables-save | grep BF | grep " + vmchain + " | grep physdev-is-bridged | sed 's/-A/-D/'"
delcmds = execute(delcmd).split('\n') delcmds = execute(delcmd).split('\n')
delcmds.pop() delcmds.pop()
for cmd in delcmds: for cmd in delcmds:
@ -541,7 +541,7 @@ def network_rules_for_rebooted_vm(vmName):
if curr_domid == '-1': if curr_domid == '-1':
return True return True
logging.debug("Found a rebooted VM -- reprogramming rules for " + vm_name) logging.debug("Found a rebooted VM -- reprogramming rules for " + vm_name)
delete_rules_for_vm_in_bridge_firewall_chain(vm_name) delete_rules_for_vm_in_bridge_firewall_chain(vm_name)
@ -567,8 +567,8 @@ def network_rules_for_rebooted_vm(vmName):
#change antispoof rule in vmchain #change antispoof rule in vmchain
try: try:
delcmd = "iptables-save | grep '\-A " + vmchain_default + "' | grep physdev | sed 's/-A/-D/'" delcmd = "iptables-save | grep '\-A " + vmchain_default + "' | grep physdev | sed 's/-A/-D/'"
inscmd = "iptables-save |grep '\-A " + vmchain_default + "' | grep physdev | sed -r 's/vnet[0-9]+/ " + vifs[0] + "/' | sed 's/-A/-I/'" inscmd = "iptables-save |grep '\-A " + vmchain_default + "' | grep physdev | sed -r 's/vnet[0-9]+/ " + vifs[0] + "/' | sed 's/-A/-I/'"
ipts = [] ipts = []
for cmd in [delcmd, inscmd]: for cmd in [delcmd, inscmd]:
logging.debug(cmd) logging.debug(cmd)
@ -743,14 +743,14 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif
else: else:
lines = rules.split(';')[:-1] lines = rules.split(';')[:-1]
logging.debug(" programming network rules for IP: " + vm_ip + " vmname=" + vm_name) logging.debug(" programming network rules for IP: " + vm_ip + " vmname=" + vm_name)
try: try:
vmchain = vm_name vmchain = vm_name
execute("iptables -F " + vmchain) execute("iptables -F " + vmchain)
egress_vmchain = egress_chain_name(vm_name) egress_vmchain = egress_chain_name(vm_name)
execute("iptables -F " + egress_vmchain) execute("iptables -F " + egress_vmchain)
except: except:
logging.debug("Error flushing iptables rules for " + vmchain + ". Presuming firewall rules deleted, re-initializing." ) logging.debug("Error flushing iptables rules for " + vmchain + ". Presuming firewall rules deleted, re-initializing." )
default_network_rules(vm_name, vm_id, vm_ip, vmMac, vif, brname) default_network_rules(vm_name, vm_id, vm_ip, vmMac, vif, brname)
egressrule = 0 egressrule = 0
for line in lines: for line in lines:
@ -775,7 +775,7 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif
vmchain = vm_name vmchain = vm_name
action = "ACCEPT" action = "ACCEPT"
direction = "-s" direction = "-s"
if '0.0.0.0/0' in ips: if '0.0.0.0/0' in ips:
i = ips.index('0.0.0.0/0') i = ips.index('0.0.0.0/0')
del ips[i] del ips[i]
allow_any = True allow_any = True
@ -792,11 +792,11 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif
if start == "-1": if start == "-1":
range = "any" range = "any"
for ip in ips: for ip in ips:
execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " " + direction + " " + ip + " -j "+ action) execute("iptables -I " + vmchain + " -p icmp --icmp-type " + range + " " + direction + " " + ip + " -j "+ action)
if allow_any and protocol != 'all': if allow_any and protocol != 'all':
if protocol != 'icmp': if protocol != 'icmp':
execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -j "+ action) execute("iptables -I " + vmchain + " -p " + protocol + " -m " + protocol + " --dport " + range + " -m state --state NEW -j "+ action)
else: else:
range = start + "/" + end range = start + "/" + end
if start == "-1": if start == "-1":
@ -805,14 +805,14 @@ def add_network_rules(vm_name, vm_id, vm_ip, signature, seqno, vmMac, rules, vif
egress_vmchain = egress_chain_name(vm_name) egress_vmchain = egress_chain_name(vm_name)
if egressrule == 0 : if egressrule == 0 :
iptables = "iptables -A " + egress_vmchain + " -j RETURN" iptables = "iptables -A " + egress_vmchain + " -j RETURN"
execute(iptables) execute(iptables)
else: else:
iptables = "iptables -A " + egress_vmchain + " -j DROP" iptables = "iptables -A " + egress_vmchain + " -j DROP"
execute(iptables) execute(iptables)
vmchain = vm_name vmchain = vm_name
iptables = "iptables -A " + vmchain + " -j DROP" iptables = "iptables -A " + vmchain + " -j DROP"
execute(iptables) execute(iptables)
if write_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno) == False: if write_rule_log_for_vm(vmName, vm_id, vm_ip, domId, signature, seqno) == False:
@ -904,7 +904,7 @@ def addFWFramework(brname):
execute("iptables -N " + brfwin) execute("iptables -N " + brfwin)
try: try:
refs = execute("iptables -n -L " + brfw + " |grep " + brfw + " | cut -d \( -f2 | awk '{print $1}'").strip() refs = execute("iptables -n -L " + brfw + " |grep " + brfw + " | cut -d \( -f2 | awk '{print $1}'").strip()
if refs == "0": if refs == "0":
execute("iptables -I FORWARD -i " + brname + " -j DROP") execute("iptables -I FORWARD -i " + brname + " -j DROP")
execute("iptables -I FORWARD -o " + brname + " -j DROP") execute("iptables -I FORWARD -o " + brname + " -j DROP")