Exemplo n.º 1
0
  public List<String> generateNatFlushRules(
      String[] chainNames, String[] existingPiRules, List<String> newChains) {
    LOG.debug(
        String.format("generateNatFlushRules(%s, %s, %s)", chainNames, existingPiRules, newChains));
    List<String> res = new ArrayList<String>();
    for (String rule : existingPiRules) {
      boolean isNatRule = rule.contains("SNAT") || rule.contains("DNAT");
      boolean isPostroutingRule = rule.contains(POSTROUTING) && rule.contains(POST_PREFIX);
      if (rule.startsWith(DASH_A) && (isNatRule || isPostroutingRule)) {
        res.add(rule.replaceFirst(DASH_A, "-D"));
      }
    }

    for (String chainName : chainNames) {
      if (chainName.startsWith(POST_PREFIX)) {
        res.add(ipTablesHelper.generateFlushChainRule(chainName));
        // NOTE: for the moment, we comment this out as it causes issues when run within a single
        // commit.
        // The 'right' way to do this is to rewrite all our chains and rules from scratch, rather
        // than
        // incrementally
        // if (!newChains.contains(chainName))
        // res.add(generateRemoveChainRule(chainName));
      } else {
        LOG.debug(String.format("Skipping non-nat chain name: %s", chainName));
      }
    }
    logFlushRules("Generated nat flush rules:\n%s", res);
    return res;
  }
Exemplo n.º 2
0
 public List<String> generateFilterFlushRules(String[] chainNames, List<String> newChains) {
   LOG.debug(String.format("generateFilterFlushRules(%s, %s)", chainNames, newChains));
   List<String> res = new ArrayList<String>();
   for (String chainName : chainNames) {
     if (chainName.equals(PI_CHAIN)) {
       res.add("-D FORWARD -j " + PI_CHAIN);
       res.add(ipTablesHelper.generateFlushChainRule(chainName));
     } else if (chainName.startsWith(FLTR_PREFIX)) {
       res.add(ipTablesHelper.generateFlushChainRule(chainName));
     } else {
       LOG.debug(String.format("Skipping non-filter chain name: %s", chainName));
     }
   }
   for (String chainName : chainNames) {
     if (!newChains.contains(chainName) && chainName.startsWith(FLTR_PREFIX)) {
       res.add(ipTablesHelper.generateRemoveChainRule(chainName));
     }
   }
   logFlushRules("Generated chain flush rules:\n%s", res);
   return res;
 }