From 0e8c79c7f1f959d0968016950e7289d0aadc64ca Mon Sep 17 00:00:00 2001
From: Ian Southam
Date: Wed, 20 Aug 2014 18:34:25 +0200
Subject: [PATCH] That is the acls. Need to check the order stays good
---
 .../config/opt/cloud/bin/CsNetfilter.py | 2 +
 .../debian/config/opt/cloud/bin/configure.py | 54 +++++++++++++++++--
 .../config/opt/cloud/testdata/acl0001.json | 54 +++++++++++++++++++
 3 files changed, 106 insertions(+), 4 deletions(-)
 create mode 100644 systemvm/patches/debian/config/opt/cloud/testdata/acl0001.json
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py b/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py
index e72601bf62b..816c791ea5b 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/CsNetfilter.py
@@ -156,6 +156,8 @@ class CsNetfilter(object):
 self.seen = True
 def __convert_to_dict(self, rule):
+ rule = rule.lstrip()
+ rule = rule.replace(' ', ' ')
 rule = rule.replace('! -', '!_-')
 # -m can appear twice in a string
 rule = rule.replace('-m state', '-m2 state')
diff --git a/systemvm/patches/debian/config/opt/cloud/bin/configure.py b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
index e17e4355a21..d7bf0ae1b78 100755
--- a/systemvm/patches/debian/config/opt/cloud/bin/configure.py
+++ b/systemvm/patches/debian/config/opt/cloud/bin/configure.py
@@ -502,6 +502,7 @@ class CsAcl(CsDataBag):
 """ Deal with Network acls """
+
 class AclDevice():
 """ A little class for each list of acls per device """
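Review bot: The whitespace normalisation added at the top of `__convert_to_dict` only strips the left side and, as rendered here, `rule.replace(' ', ' ')` replaces a space with a space, which is a no-op; if the intent is to collapse runs of spaces before the rule is split into tokens, a single `rule = ' '.join(rule.split())` does that for runs of any length and trims both ends, replacing both added lines. Even a two-space `replace('  ', ' ')` would still leave a three-space run as two spaces, so the join form is the safer fit for the tokenising that follows. The rest of `__convert_to_dict` continues outside the hunk.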
@@ -518,12 +519,56 @@ class CsAcl(CsDataBag):
 self.egress = obj['egress_rules']
 def create(self):
- self.process(self.ingress)
- self.process(self.egress)
+ self.process("ingress", self.ingress)
+ self.process("egress", self.egress)
- def process(self,rule_list):
+ def process(self, direction, rule_list):
 for i in rule_list:
- pprint(i)
+ r = self.AclRule(direction, self.device, i)
+ r.create()
+
+ class AclRule():
+
+ def __init__(self, direction, device, rule):
+ self.table = ""
+ self.device = device
+ self.chain = "ACL_INBOUND_%s" % self.device
+ self.dest = "-s %s" % rule['cidr']
+ if direction == "egress":
+ self.table = "mangle"
+ self.chain = "ACL_OUTBOUND_%s" % self.device
+ self.dest = "-d %s" % rule['cidr']
+ self.type = ""
+ self.type = rule['type']
+ self.icmp_type = "any"
+ self.protocol = self.type
+ if "icmp_type" in rule.keys() and rule['icmp_type'] != -1:
+ self.icmp_type = rule['icmp_type']
+ if "icmp_code" in rule.keys() and rule['icmp_code'] != -1:
+ self.icmp_type = "%s/%s" % (self.icmp_type, rule['icmp_code'])
+ if self.type == "protocol":
+ self.protocol = rule['protocol']
+ self.action = "DENY"
+ self.dport = ""
+ if 'allowed' in rule.keys() and rule['allowed'] and rule['allowed']:
+ self.action = "ACCEPT"
+ global fw
+ if 'first_port' in rule.keys():
+ self.dport = "--dport %s" % rule['first_port']
+ if 'last_port' in rule.keys() and self.dport and \
+ rule['last_port'] != rule['first_port']:
+ self.dport = "%s:%s" % (self.dport, rule['last_port'])
+
+
+ def create(self):
+ rstr = ""
+ rstr = "%s -A %s -p %s %s" % (rstr, self.chain, self.protocol, self.dest)
+ if self.type == "icmp":
+ rstr = "%s -icmp_type %s" % (rstr, self.icmp_type)
+ rstr = "%s %s -j %s" % (rstr, self.dport, self.action)
+ fw.append([self.table, "front", rstr])
+
+
 def process(self):
 for item in self.dbag:
@@ -760,5 +805,6 @@ def main(argv):
 dh = CsDataBag("dhcpentry")
 dhcp = CsDhcp(dh.get_bag(), cl)
+
 if __name__ == "__main__":
 main(sys.argv)
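Review bot: `self.action = "DENY"` in `AclRule.__init__` is not an iptables target, so every `-j DENY` rule that `create()` emits will be refused when the rule set is loaded, and a refused deny rule is a deny that is never enforced; it should read `self.action = "DROP"` (or REJECT, if that is the intended semantics). In `create()`, `-icmp_type` is likewise not an iptables option; the match is `rstr = "%s -m icmp --icmp-type %s" % (rstr, self.icmp_type)`. Two smaller points in `__init__`: `rule['allowed'] and rule['allowed']` tests the same value twice, and the `global fw` there is unused, since only `create()` touches `fw` and appending to a module-level list needs no `global` declaration. The ordering concern in the subject line seems to land on `fw.append([self.table, "front", rstr])`: if "front" means each rule is inserted at the head of its chain, walking `rule_list` in order would reverse the precedence of the ACL entries, which is worth confirming against the code that consumes `fw`. The body of `CsAcl.process` continues outside the hunk.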
diff --git a/systemvm/patches/debian/config/opt/cloud/testdata/acl0001.json b/systemvm/patches/debian/config/opt/cloud/testdata/acl0001.json
new file mode 100644
index 00000000000..4a07b405a54
--- /dev/null
+++ b/systemvm/patches/debian/config/opt/cloud/testdata/acl0001.json
@@ -0,0 +1,54 @@
+{
+ "eth2": {
+ "device": "eth2",
+ "egress_rules": [
+ {
+ "allowed": false,
+ "cidr": "10.0.6.0/8",
+ "first_port": 60,
+ "last_port": 60,
+ "type": "tcp"
+ }
+ ],
+ "ingress_rules": [
+ {
+ "allowed": true,
+ "cidr": "10.0.1.0/8",
+ "protocol": 41,
+ "type": "protocol"
+ },
+ {
+ "allowed": true,
+ "cidr": "10.0.4.0/8",
+ "type": "all"
+ },
+ {
+ "allowed": true,
+ "cidr": "10.0.3.0/8",
+ "icmp_code": -1,
+ "icmp_type": -1,
+ "type": "icmp"
+ },
+ {
+ "allowed": true,
+ "cidr": "10.0.2.0/8",
+ "first_port": 40,
+ "last_port": 40,
+ "type": "udp"
+ },
+ {
+ "allowed": true,
+ "cidr": "10.0.1.0/8",
+ "first_port": 30,
+ "last_port": 30,
+ "type": "tcp"
+ }
+ ],
+ "mac_address": "02:00:0d:7b:00:04",
+ "nic_ip": "172.16.1.1",
+ "nic_netmask": "24",
+ "private_gateway_acl": false,
+ "type": "networkacl"
+ },
+ "id": "networkacl"
+}