예제 #1
0
  public List<String> generateNatFlushRules(
      String[] chainNames, String[] existingPiRules, List<String> newChains) {
    LOG.debug(
        String.format("generateNatFlushRules(%s, %s, %s)", chainNames, existingPiRules, newChains));
    List<String> res = new ArrayList<String>();
    for (String rule : existingPiRules) {
      boolean isNatRule = rule.contains("SNAT") || rule.contains("DNAT");
      boolean isPostroutingRule = rule.contains(POSTROUTING) && rule.contains(POST_PREFIX);
      if (rule.startsWith(DASH_A) && (isNatRule || isPostroutingRule)) {
        res.add(rule.replaceFirst(DASH_A, "-D"));
      }
    }

    for (String chainName : chainNames) {
      if (chainName.startsWith(POST_PREFIX)) {
        res.add(ipTablesHelper.generateFlushChainRule(chainName));
        // NOTE: for the moment, we comment this out as it causes issues when run within a single
        // commit.
        // The 'right' way to do this is to rewrite all our chains and rules from scratch, rather
        // than
        // incrementally
        // if (!newChains.contains(chainName))
        // res.add(generateRemoveChainRule(chainName));
      } else {
        LOG.debug(String.format("Skipping non-nat chain name: %s", chainName));
      }
    }
    logFlushRules("Generated nat flush rules:\n%s", res);
    return res;
  }
예제 #2
0
  public synchronized List<String> generateFilterTable(
      List<SecurityGroup> securityGroups, List<String> existingChains) {

    LOG.debug(String.format("generateFilterTable(%s, %s)", securityGroups, existingChains));
    lines = new ArrayList<String>();

    // if (!existingChains.contains(PI_CHAIN))
    // addChain(PI_CHAIN);
    // addForwardAllToChain(PI_CHAIN);

    for (SecurityGroup securityGroup : securityGroups) {
      if (!validateSecurityGroup(securityGroup)) {
        LOG.debug(String.format(SKIPPING_SECURITY_GROUP_S_AS_IT_IS_NOT_POPULATED, securityGroup));
        continue;
      }

      LOG.debug(String.format("Processing Security group: %s for filter rules.", securityGroup));
      String filterChainName =
          getChainNameForSecurityGroup(FLTR_PREFIX, securityGroup.getSecurityGroupId());
      String destinationNetwork =
          String.format(S_SLASH_S, securityGroup.getNetworkAddress(), securityGroup.getSlashnet());

      if (!existingChains.contains(filterChainName))
        lines.add(ipTablesHelper.addChain(filterChainName));

      lines.add(
          ipTablesHelper.appendForwardChainToChain(PI_CHAIN, destinationNetwork, filterChainName));

      // TODO: Handle case where rule name specificed instead of network

      for (NetworkRule networkRule : securityGroup.getNetworkRules()) {
        for (String sourceNetwork : networkRule.getSourceNetworks()) {
          addFilterRule(
              filterChainName,
              sourceNetwork,
              destinationNetwork,
              networkRule.getNetworkProtocol(),
              networkRule.getPortRangeMin(),
              networkRule.getPortRangeMax());
        }
      }
    }
    logFlushRules("Generated filter iptables:\n%s", lines);
    return lines;
  }
예제 #3
0
 public List<String> generateFilterFlushRules(String[] chainNames, List<String> newChains) {
   LOG.debug(String.format("generateFilterFlushRules(%s, %s)", chainNames, newChains));
   List<String> res = new ArrayList<String>();
   for (String chainName : chainNames) {
     if (chainName.equals(PI_CHAIN)) {
       res.add("-D FORWARD -j " + PI_CHAIN);
       res.add(ipTablesHelper.generateFlushChainRule(chainName));
     } else if (chainName.startsWith(FLTR_PREFIX)) {
       res.add(ipTablesHelper.generateFlushChainRule(chainName));
     } else {
       LOG.debug(String.format("Skipping non-filter chain name: %s", chainName));
     }
   }
   for (String chainName : chainNames) {
     if (!newChains.contains(chainName) && chainName.startsWith(FLTR_PREFIX)) {
       res.add(ipTablesHelper.generateRemoveChainRule(chainName));
     }
   }
   logFlushRules("Generated chain flush rules:\n%s", res);
   return res;
 }
예제 #4
0
  public synchronized List<String> generateNatTable(
      List<SecurityGroup> securityGroups, List<String> existingChains) {

    LOG.debug(String.format("generateNatTable(%s, %s)", securityGroups, existingChains));
    lines = new ArrayList<String>();

    if (!existingChains.contains(PI_PREROUTING)) {
      lines.add(ipTablesHelper.addChain(PI_PREROUTING));
      lines.add(ipTablesHelper.appendForwardChainToChain(PREROUTING, PI_PREROUTING));
    }
    if (!existingChains.contains(PI_OUTPUT)) {
      lines.add(ipTablesHelper.addChain(PI_OUTPUT));
      lines.add(ipTablesHelper.appendForwardChainToChain(OUTPUT, PI_OUTPUT));
    }

    for (SecurityGroup securityGroup : securityGroups) {
      if (!validateSecurityGroup(securityGroup)) {
        LOG.debug(String.format(SKIPPING_SECURITY_GROUP_S_AS_IT_IS_NOT_POPULATED, securityGroup));
        continue;
      }
      LOG.debug(String.format("Processing Security group: %s for nat rules.", securityGroup));
      String postChainName =
          getChainNameForSecurityGroup(POST_PREFIX, securityGroup.getSecurityGroupId());
      String destinationNetwork =
          String.format(S_SLASH_S, securityGroup.getNetworkAddress(), securityGroup.getSlashnet());

      if (!existingChains.contains(postChainName))
        lines.add(ipTablesHelper.addChain(postChainName));

      lines.add(
          ipTablesHelper.insertChainForwardToChain(POSTROUTING, destinationNetwork, postChainName));

      // TODO: Handle case where rule name specified instead of network

      for (Entry<String, InstanceAddress> addressEntry : securityGroup.getInstances().entrySet()) {
        LOG.debug(String.format("Processing addressEntry: %s for nat rules.", addressEntry));
        InstanceAddress address = addressEntry.getValue();
        if (null == address) {
          LOG.warn(
              String.format("null entry in instance table for instance %s", addressEntry.getKey()));
          continue;
        }
        if (address.getPublicIpAddress() != null && address.getPrivateIpAddress() != null) {
          addNatRule(postChainName, address.getPublicIpAddress(), address.getPrivateIpAddress());
        } else {
          LOG.debug(
              String.format(
                  "Skipping NAT rule within group %s as one or both addresses are null (%s / %s)",
                  securityGroup.getSecurityGroupId(),
                  address.getPublicIpAddress(),
                  address.getPrivateIpAddress()));
        }
      }
    }
    logFlushRules("Generated nat iptables:\n%s", lines);

    return lines;
  }
예제 #5
0
 private void logFlushRules(String textString, List<String> res) {
   if (LOG.isDebugEnabled())
     LOG.debug(String.format(textString, ipTablesHelper.linesToLogFriendlyString(res)));
 }