/**
 * Builds the iptables rules for the "nat" table from the given security groups.
 *
 * <p>First makes sure the PI_PREROUTING and PI_OUTPUT chains exist and are hooked from
 * PREROUTING / OUTPUT (skipped when {@code existingChains} already lists them). Then, for each
 * populated security group, creates its POST_PREFIX chain, inserts a POSTROUTING forward for the
 * group's network into it, and emits one NAT rule per instance that has both a public and a
 * private address; instances missing either address are only logged.
 *
 * <p>Rules accumulate in the {@code lines} field, which is reset on entry; {@code addNatRule} is
 * not visible here and presumably appends to that same field, which is why the method is
 * {@code synchronized} (the field is shared with {@link #generateFilterTable}).
 *
 * <p>NOTE(review): the network address, slashnet and instance IPs are handed to ipTablesHelper,
 * which turns them into iptables command text; {@code validateSecurityGroup} is the only gate
 * visible here, so confirm those values are validated as addresses before reaching it.
 *
 * @param securityGroups groups to generate rules for; unpopulated groups are skipped
 * @param existingChains names of chains already present, so they are not created twice
 * @return the generated rule lines (the {@code lines} field)
 */
public synchronized List<String> generateNatTable(List<SecurityGroup> securityGroups, List<String> existingChains) {
    LOG.debug(String.format("generateNatTable(%s, %s)", securityGroups, existingChains));
    lines = new ArrayList<String>();

    // The chain must exist before the built-in chain can forward into it, hence the ordering.
    if (!existingChains.contains(PI_PREROUTING)) {
        lines.add(ipTablesHelper.addChain(PI_PREROUTING));
        lines.add(ipTablesHelper.appendForwardChainToChain(PREROUTING, PI_PREROUTING));
    }
    if (!existingChains.contains(PI_OUTPUT)) {
        lines.add(ipTablesHelper.addChain(PI_OUTPUT));
        lines.add(ipTablesHelper.appendForwardChainToChain(OUTPUT, PI_OUTPUT));
    }

    for (SecurityGroup group : securityGroups) {
        if (!validateSecurityGroup(group)) {
            LOG.debug(String.format(SKIPPING_SECURITY_GROUP_S_AS_IT_IS_NOT_POPULATED, group));
            continue;
        }
        LOG.debug(String.format("Processing Security group: %s for nat rules.", group));

        String postChain = getChainNameForSecurityGroup(POST_PREFIX, group.getSecurityGroupId());
        String network = String.format(S_SLASH_S, group.getNetworkAddress(), group.getSlashnet());
        if (!existingChains.contains(postChain)) {
            lines.add(ipTablesHelper.addChain(postChain));
        }
        lines.add(ipTablesHelper.insertChainForwardToChain(POSTROUTING, network, postChain));
        // TODO: Handle case where rule name specified instead of network

        for (Entry<String, InstanceAddress> entry : group.getInstances().entrySet()) {
            LOG.debug(String.format("Processing addressEntry: %s for nat rules.", entry));
            InstanceAddress address = entry.getValue();
            if (address == null) {
                LOG.warn(String.format("null entry in instance table for instance %s", entry.getKey()));
                continue;
            }
            // A NAT rule needs both ends; anything else is only reported at debug level.
            if (address.getPublicIpAddress() == null || address.getPrivateIpAddress() == null) {
                LOG.debug(String.format("Skipping NAT rule within group %s as one or both addresses are null (%s / %s)", group.getSecurityGroupId(), address.getPublicIpAddress(), address.getPrivateIpAddress()));
                continue;
            }
            addNatRule(postChain, address.getPublicIpAddress(), address.getPrivateIpAddress());
        }
    }

    logFlushRules("Generated nat iptables:\n%s", lines);
    return lines;
}
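/**
 * Reconciles virtual-network (VLAN) state between the security groups, the URI resource registry
 * and the VLAN devices present on {@code privateInterface}.
 *
 * <p>Three passes: (1) every security group whose vlan id is not yet registered in
 * consumedUriResourceRegistry is registered there and its managed network added; (2) every
 * registered vlan that has no device yet gets its managed network added; (3) every vlan device on
 * the interface that is neither registered nor was added in pass 1 is queued for deletion.
 *
 * <p>Vlan ids parsed from registry URIs and device names are validated: an entry that does not
 * carry a numeric id is logged and skipped instead of aborting the whole refresh with a
 * NumberFormatException / ArrayIndexOutOfBoundsException.
 */
public void refreshVirtualNetworks() {
    LOG.debug(String.format("Refreshing virtual networks"));
    Set<URI> vlanIds = consumedUriResourceRegistry.getResourceIdsByScheme(ResourceSchemes.VIRTUAL_NETWORK.toString());
    /*
     * Because the vlanId gets inserted into the consumedUriResourceRegistry a few continuations after a security
     * group gets added, sometimes this fails and then the pibr never actually gets onto the network manager. So we
     * do some reconciliation between the security group and vlan registries. For now, we aren't looking for entries
     * in the vlan registry that aren't in the security group list...needs some thought on whether that is needed but
     * certainly not until we see some issues pertaining to that!
     */
    List<URI> registeredNow = registerUnregisteredSecurityGroupVlans(vlanIds);
    // Device list is read after pass 1 so devices created there are visible to the later passes.
    List<String> deviceList = deviceUtils.getDeviceList();
    ensureRegisteredVlanDevicesExist(vlanIds, deviceList);
    queueStaleVlanDeviceDeletes(vlanIds, registeredNow, deviceList);
}

/**
 * Pass 1: registers every security-group vlan missing from the registry and adds its network.
 *
 * @param vlanIds vlan URIs currently registered in consumedUriResourceRegistry
 * @return the vlan URIs registered by this call; {@code vlanIds} is a snapshot taken before the
 *     registration, so callers must treat these as registered too
 */
private List<URI> registerUnregisteredSecurityGroupVlans(Set<URI> vlanIds) {
    List<URI> registered = new ArrayList<URI>();
    List<SecurityGroup> securityGroups = consumedDhtResourceRegistry.getByType(SecurityGroup.class);
    for (SecurityGroup securityGroup : securityGroups) {
        Long vlanId = securityGroup.getVlanId();
        if (null == vlanId) {
            continue;
        }
        URI vlanUri = URI.create(String.format(S_D, ResourceSchemes.VIRTUAL_NETWORK, vlanId));
        if (vlanIds.contains(vlanUri)) {
            continue;
        }
        LOG.debug(String.format("Vlan Id %d present in the security groups in consumedDhtResourceRegistry is not present in the list of vlans in consumedUriResourceRegistry", vlanId));
        consumedUriResourceRegistry.registerConsumer(vlanUri, securityGroup.getSecurityGroupId(), new LoggingContinuation<Boolean>());
        networkCommandRunner.addManagedNetwork(vlanId, privateInterface);
        registered.add(vlanUri);
    }
    return registered;
}

/**
 * Pass 2: adds the managed network for every registered vlan whose device is not present.
 *
 * @param vlanIds registered vlan URIs; the scheme-specific part is expected to be the numeric id
 * @param deviceList current device names on the host
 */
private void ensureRegisteredVlanDevicesExist(Set<URI> vlanIds, List<String> deviceList) {
    for (URI uri : vlanIds) {
        Long parsed = parseVlanId(uri.getSchemeSpecificPart(), "registry entry " + uri);
        if (parsed == null) {
            continue;
        }
        long vlanId = parsed.longValue();
        LOG.debug(String.format("Checking to see if vlan %d exists", vlanId));
        if (!deviceUtils.deviceExists(networkCommandRunner.getVlanInterface(vlanId, privateInterface), deviceList)) {
            networkCommandRunner.addManagedNetwork(vlanId, privateInterface);
        }
    }
}

/**
 * Pass 3: queues deletion of every vlan device on the interface that is not registered.
 *
 * <p>Devices whose vlan was registered by pass 1 of the same refresh are excluded, so a network
 * that was just added is not immediately queued for removal because {@code vlanIds} predates it.
 *
 * @param vlanIds registered vlan URIs (snapshot from before pass 1)
 * @param registeredNow vlan URIs registered during pass 1
 * @param deviceList current device names on the host
 */
private void queueStaleVlanDeviceDeletes(Set<URI> vlanIds, List<URI> registeredNow, List<String> deviceList) {
    Collection<String> vlanDevices = deviceUtils.getAllVlanDevicesForInterface(privateInterface, deviceList);
    for (String device : vlanDevices) {
        if (!device.contains(DOT)) {
            continue;
        }
        // Device names come from the host, so a name without an id after DOT must not crash the refresh.
        String[] parts = device.split(String.format("\\%s", DOT));
        if (parts.length < 2) {
            LOG.warn(String.format("Ignoring vlan device %s: no vlan id after '%s'", device, DOT));
            continue;
        }
        Long parsed = parseVlanId(parts[1], "vlan device " + device);
        if (parsed == null) {
            continue;
        }
        long vlanId = parsed.longValue();
        URI vlanUri = URI.create(String.format(S_D, ResourceSchemes.VIRTUAL_NETWORK, vlanId));
        if (!vlanIds.contains(vlanUri) && !registeredNow.contains(vlanUri)) {
            addressDeleteQueue.add(new VlanDeleteItem(vlanId, privateInterface, networkCommandRunner));
        }
    }
}

/**
 * Parses a vlan id, logging and returning {@code null} when {@code text} is not a number.
 *
 * @param text the candidate id (may be null)
 * @param what description of where the value came from, for the warning
 * @return the parsed id, or {@code null} if it is not numeric
 */
private Long parseVlanId(String text, String what) {
    try {
        return Long.valueOf(text);
    } catch (NumberFormatException e) {
        LOG.warn(String.format("Ignoring %s: '%s' is not a numeric vlan id", what, text));
        return null;
    }
}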
/**
 * Builds the iptables rules for the "filter" table from the given security groups.
 *
 * <p>For every populated security group a FLTR_PREFIX chain is created (unless already listed in
 * {@code existingChains}), traffic to the group's network is forwarded from PI_CHAIN into that
 * chain, and one filter rule is added per (network rule, source network) pair.
 *
 * <p>PI_CHAIN itself is neither created nor hooked here (an earlier revision did so inline); it is
 * presumably set up elsewhere, unlike {@link #generateNatTable}, which creates its own top-level
 * chains — confirm before relying on this method alone. Rules accumulate in the {@code lines}
 * field, reset on entry; {@code addFilterRule} is not visible here and presumably appends to that
 * field, hence {@code synchronized}.
 *
 * <p>NOTE(review): the source networks, network address and slashnet end up in iptables command
 * text built by ipTablesHelper; {@code validateSecurityGroup} is the only gate visible here, so
 * confirm those values are validated as addresses/CIDRs before they reach it.
 *
 * @param securityGroups groups to generate rules for; unpopulated groups are skipped
 * @param existingChains names of chains already present, so they are not created twice
 * @return the generated rule lines (the {@code lines} field)
 */
public synchronized List<String> generateFilterTable(List<SecurityGroup> securityGroups, List<String> existingChains) {
    LOG.debug(String.format("generateFilterTable(%s, %s)", securityGroups, existingChains));
    lines = new ArrayList<String>();

    for (SecurityGroup group : securityGroups) {
        if (!validateSecurityGroup(group)) {
            LOG.debug(String.format(SKIPPING_SECURITY_GROUP_S_AS_IT_IS_NOT_POPULATED, group));
            continue;
        }
        LOG.debug(String.format("Processing Security group: %s for filter rules.", group));

        String filterChain = getChainNameForSecurityGroup(FLTR_PREFIX, group.getSecurityGroupId());
        String destination = String.format(S_SLASH_S, group.getNetworkAddress(), group.getSlashnet());
        if (!existingChains.contains(filterChain)) {
            lines.add(ipTablesHelper.addChain(filterChain));
        }
        lines.add(ipTablesHelper.appendForwardChainToChain(PI_CHAIN, destination, filterChain));
        // TODO: Handle case where rule name specified instead of network

        // One rule per source network of each network rule, all targeting the group's network.
        for (NetworkRule rule : group.getNetworkRules()) {
            for (String source : rule.getSourceNetworks()) {
                addFilterRule(filterChain, source, destination, rule.getNetworkProtocol(), rule.getPortRangeMin(), rule.getPortRangeMax());
            }
        }
    }

    logFlushRules("Generated filter iptables:\n%s", lines);
    return lines;
}