/**
 * Produces the iptables lines for the "nat" table from the given security groups.
 *
 * <p>The result is written into the {@code lines} instance field (which this method
 * reassigns to a fresh list) and returned; {@code addNatRule} and {@code logFlushRules}
 * take no list argument, so they presumably operate on that same field — confirm.
 * The method is {@code synchronized} on {@code this}, which serialises concurrent
 * generators sharing that field.
 *
 * <p>Rules emitted, in order:
 * <ol>
 *   <li>{@code PI_PREROUTING} / {@code PI_OUTPUT} chains are created and hooked from
 *       {@code PREROUTING} / {@code OUTPUT} only when absent from {@code existingChains}.</li>
 *   <li>For every group that passes {@code validateSecurityGroup}: a per-group POST chain
 *       (created when absent), a jump into it inserted on {@code POSTROUTING} for the
 *       group's network, then one NAT rule per instance that has both a public and a
 *       private address. Instances with a null entry or a missing address are logged and
 *       skipped.</li>
 * </ol>
 *
 * <p>NOTE(review): {@code validateSecurityGroup} is the only input gate visible here;
 * network address, slashnet and instance addresses flow straight into the generated rule
 * text, so that validation (or the callers of this class) is what keeps malformed values
 * out of the iptables command lines — confirm where those values are checked.
 *
 * @param securityGroups groups to generate NAT rules for
 * @param existingChains names of chains already present in the nat table; chains in this
 *     list are not created again
 * @return the generated iptables lines (same object as the {@code lines} field)
 */
public synchronized List<String> generateNatTable(
        List<SecurityGroup> securityGroups, List<String> existingChains) {
    LOG.debug(String.format("generateNatTable(%s, %s)", securityGroups, existingChains));
    lines = new ArrayList<>();

    // Base chains: only create and hook them when the caller reports them missing.
    boolean preroutingMissing = !existingChains.contains(PI_PREROUTING);
    if (preroutingMissing) {
        lines.add(ipTablesHelper.addChain(PI_PREROUTING));
        lines.add(ipTablesHelper.appendForwardChainToChain(PREROUTING, PI_PREROUTING));
    }
    boolean outputMissing = !existingChains.contains(PI_OUTPUT);
    if (outputMissing) {
        lines.add(ipTablesHelper.addChain(PI_OUTPUT));
        lines.add(ipTablesHelper.appendForwardChainToChain(OUTPUT, PI_OUTPUT));
    }

    for (SecurityGroup group : securityGroups) {
        if (!validateSecurityGroup(group)) {
            LOG.debug(String.format(SKIPPING_SECURITY_GROUP_S_AS_IT_IS_NOT_POPULATED, group));
            continue;
        }
        LOG.debug(String.format("Processing Security group: %s for nat rules.", group));

        String groupId = group.getSecurityGroupId();
        String postChain = getChainNameForSecurityGroup(POST_PREFIX, groupId);
        String groupNetwork = String.format(S_SLASH_S, group.getNetworkAddress(), group.getSlashnet());

        if (!existingChains.contains(postChain)) {
            lines.add(ipTablesHelper.addChain(postChain));
        }
        // The POSTROUTING jump is (re)inserted on every run, unlike the chain creation above.
        lines.add(ipTablesHelper.insertChainForwardToChain(POSTROUTING, groupNetwork, postChain));

        // TODO: Handle case where rule name specified instead of network
        for (Map.Entry<String, InstanceAddress> instanceEntry : group.getInstances().entrySet()) {
            LOG.debug(String.format("Processing addressEntry: %s for nat rules.", instanceEntry));
            InstanceAddress instanceAddress = instanceEntry.getValue();
            if (instanceAddress == null) {
                LOG.warn(String.format(
                        "null entry in instance table for instance %s", instanceEntry.getKey()));
                continue;
            }
            String publicIp = instanceAddress.getPublicIpAddress();
            String privateIp = instanceAddress.getPrivateIpAddress();
            boolean bothAddressesKnown = publicIp != null && privateIp != null;
            if (bothAddressesKnown) {
                addNatRule(postChain, publicIp, privateIp);
            } else {
                LOG.debug(String.format(
                        "Skipping NAT rule within group %s as one or both addresses are null (%s / %s)",
                        groupId, publicIp, privateIp));
            }
        }
    }

    logFlushRules("Generated nat iptables:\n%s", lines);
    return lines;
}
/**
 * Produces the iptables lines for the "filter" table from the given security groups.
 *
 * <p>As with {@code generateNatTable}, the output is built in the {@code lines} instance
 * field (reassigned to a fresh list here) and returned; {@code addFilterRule} and
 * {@code logFlushRules} take no list argument and presumably append to / read that field —
 * confirm. The method is {@code synchronized} on {@code this}.
 *
 * <p>For every group that passes {@code validateSecurityGroup}: a per-group FLTR chain is
 * created when absent from {@code existingChains}, a jump into it is appended to
 * {@code PI_CHAIN} for the group's network, and one filter rule is added per
 * (network rule, source network) pair using the rule's protocol and port range.
 *
 * <p>NOTE(review): unlike the nat generator, this method never creates {@code PI_CHAIN}
 * itself, even when it is absent from {@code existingChains}; it is presumably created
 * elsewhere — confirm, otherwise the appended jumps target a chain that may not exist.
 *
 * <p>NOTE(review): {@code validateSecurityGroup} is the only input gate visible here; the
 * group network, source networks, protocol and port bounds flow straight into the generated
 * rule text, so that validation (or the callers) must keep malformed values out of the
 * iptables command lines — confirm where those values are checked.
 *
 * @param securityGroups groups to generate filter rules for
 * @param existingChains names of chains already present in the filter table; chains in
 *     this list are not created again
 * @return the generated iptables lines (same object as the {@code lines} field)
 */
public synchronized List<String> generateFilterTable(
        List<SecurityGroup> securityGroups, List<String> existingChains) {
    LOG.debug(String.format("generateFilterTable(%s, %s)", securityGroups, existingChains));
    lines = new ArrayList<>();

    for (SecurityGroup group : securityGroups) {
        if (!validateSecurityGroup(group)) {
            LOG.debug(String.format(SKIPPING_SECURITY_GROUP_S_AS_IT_IS_NOT_POPULATED, group));
            continue;
        }
        LOG.debug(String.format("Processing Security group: %s for filter rules.", group));

        String filterChain = getChainNameForSecurityGroup(FLTR_PREFIX, group.getSecurityGroupId());
        String groupNetwork = String.format(S_SLASH_S, group.getNetworkAddress(), group.getSlashnet());

        if (!existingChains.contains(filterChain)) {
            lines.add(ipTablesHelper.addChain(filterChain));
        }
        // The jump from PI_CHAIN is appended on every run, unlike the chain creation above.
        lines.add(ipTablesHelper.appendForwardChainToChain(PI_CHAIN, groupNetwork, filterChain));

        // TODO: Handle case where rule name specified instead of network
        for (NetworkRule rule : group.getNetworkRules()) {
            String protocol = rule.getNetworkProtocol();
            int portMin = rule.getPortRangeMin();
            int portMax = rule.getPortRangeMax();
            for (String source : rule.getSourceNetworks()) {
                addFilterRule(filterChain, source, groupNetwork, protocol, portMin, portMax);
            }
        }
    }

    logFlushRules("Generated filter iptables:\n%s", lines);
    return lines;
}