mirror of
https://github.com/apache/cloudstack.git
synced 2025-10-26 08:42:29 +01:00
96 lines
3.8 KiB
Python
Executable File
96 lines
3.8 KiB
Python
Executable File
# Licensed to the Apache Software Foundation (ASF) under one
|
|
# or more contributor license agreements. See the NOTICE file
|
|
# distributed with this work for additional information
|
|
# regarding copyright ownership. The ASF licenses this file
|
|
# to you under the Apache License, Version 2.0 (the
|
|
# "License"); you may not use this file except in compliance
|
|
# with the License. You may obtain a copy of the License at
|
|
#
|
|
# http://www.apache.org/licenses/LICENSE-2.0
|
|
#
|
|
# Unless required by applicable law or agreed to in writing,
|
|
# software distributed under the License is distributed on an
|
|
# "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
|
|
# KIND, either express or implied. See the License for the
|
|
# specific language governing permissions and limitations
|
|
# under the License.
|
|
|
|
|
|
import logging
|
|
|
|
def merge(dbag, rules):
|
|
for rule in rules["rules"]:
|
|
source_ip = rule["source_ip_address"]
|
|
destination_ip = rule["destination_ip_address"]
|
|
revoke = rule["revoke"]
|
|
|
|
newrule = dict()
|
|
newrule["public_ip"] = source_ip
|
|
newrule["internal_ip"] = destination_ip
|
|
|
|
if rules["type"] == "staticnatrules":
|
|
newrule["type"] = "staticnat"
|
|
elif rules["type"] == "forwardrules":
|
|
newrule["type"] = "forward"
|
|
newrule["public_ports"] = rule["source_port_range"]
|
|
newrule["internal_ports"] = rule["destination_port_range"]
|
|
newrule["protocol"] = rule["protocol"]
|
|
if "source_cidr_list" in rule:
|
|
newrule["source_cidr_list"] = rule["source_cidr_list"]
|
|
|
|
if not revoke:
|
|
if rules["type"] == "staticnatrules":
|
|
dbag[source_ip] = [newrule]
|
|
elif rules["type"] == "forwardrules":
|
|
index = -1
|
|
if source_ip in list(dbag.keys()):
|
|
for forward in dbag[source_ip]:
|
|
if ruleCompare(forward, newrule):
|
|
index = dbag[source_ip].index(forward)
|
|
if not index == -1:
|
|
dbag[source_ip][index] = newrule
|
|
else:
|
|
dbag[source_ip].append(newrule)
|
|
else:
|
|
dbag[source_ip] = [newrule]
|
|
else:
|
|
if rules["type"] == "staticnatrules":
|
|
if source_ip in list(dbag.keys()):
|
|
del dbag[source_ip]
|
|
elif rules["type"] == "forwardrules":
|
|
if source_ip in list(dbag.keys()):
|
|
index = -1
|
|
for forward in dbag[source_ip]:
|
|
if ruleCompare(forward, newrule):
|
|
index = dbag[source_ip].index(forward)
|
|
logging.info("Removing forwarding rule [%s] at index [%s].", forward, index)
|
|
if not index == -1:
|
|
del dbag[source_ip][index]
|
|
|
|
return dbag
|
|
|
|
|
|
# Compare function checks only the public side, those must be equal the internal details could change
|
|
def ruleCompare(ruleA, ruleB):
|
|
if not ruleA["type"] == ruleB["type"]:
|
|
return False
|
|
if ruleA["type"] == "staticnat":
|
|
return ruleA["public_ip"] == ruleB["public_ip"]
|
|
elif ruleA["type"] == "forward":
|
|
return ruleA["public_ip"] == ruleB["public_ip"] and ruleA["public_ports"] == ruleB["public_ports"] \
|
|
and ruleA["protocol"] == ruleB["protocol"] and cidrsConflict(ruleA.get("source_cidr_list"), ruleB.get("source_cidr_list"))
|
|
|
|
# Same validation as in com.cloud.network.firewall.FirewallManagerImpl.detectConflictingCidrs
|
|
def cidrsConflict(cidrListA, cidrListB):
|
|
if not cidrListA and not cidrListB:
|
|
return True
|
|
if not cidrListA:
|
|
return False
|
|
if not cidrListB:
|
|
return False
|
|
|
|
cidrListA = set(cidrListA.split(","))
|
|
cidrListB = set(cidrListB.split(","))
|
|
|
|
return len(cidrListA.intersection(cidrListB)) > 0
|