public List<String> generateNatFlushRules(
String[] chainNames, String[] existingPiRules, List<String> newChains) {
LOG.debug(
String.format("generateNatFlushRules(%s, %s, %s)", chainNames, existingPiRules, newChains));
List<String> res = new ArrayList<String>();
for (String rule : existingPiRules) {
boolean isNatRule = rule.contains("SNAT") || rule.contains("DNAT");
boolean isPostroutingRule = rule.contains(POSTROUTING) && rule.contains(POST_PREFIX);
if (rule.startsWith(DASH_A) && (isNatRule || isPostroutingRule)) {
res.add(rule.replaceFirst(DASH_A, "-D"));
}
}
for (String chainName : chainNames) {
if (chainName.startsWith(POST_PREFIX)) {
res.add(ipTablesHelper.generateFlushChainRule(chainName));
// NOTE: for the moment, we comment this out as it causes issues when run within a single
// commit.
// The 'right' way to do this is to rewrite all our chains and rules from scratch, rather
// than
// incrementally
// if (!newChains.contains(chainName))
// res.add(generateRemoveChainRule(chainName));
} else {
LOG.debug(String.format("Skipping non-nat chain name: %s", chainName));
}
}
logFlushRules("Generated nat flush rules:\n%s", res);
return res;
}
public synchronized List<String> generateFilterTable(
List<SecurityGroup> securityGroups, List<String> existingChains) {
LOG.debug(String.format("generateFilterTable(%s, %s)", securityGroups, existingChains));
lines = new ArrayList<String>();
// if (!existingChains.contains(PI_CHAIN))
// addChain(PI_CHAIN);
// addForwardAllToChain(PI_CHAIN);
for (SecurityGroup securityGroup : securityGroups) {
if (!validateSecurityGroup(securityGroup)) {
LOG.debug(String.format(SKIPPING_SECURITY_GROUP_S_AS_IT_IS_NOT_POPULATED, securityGroup));
continue;
}
LOG.debug(String.format("Processing Security group: %s for filter rules.", securityGroup));
String filterChainName =
getChainNameForSecurityGroup(FLTR_PREFIX, securityGroup.getSecurityGroupId());
String destinationNetwork =
String.format(S_SLASH_S, securityGroup.getNetworkAddress(), securityGroup.getSlashnet());
if (!existingChains.contains(filterChainName))
lines.add(ipTablesHelper.addChain(filterChainName));
lines.add(
ipTablesHelper.appendForwardChainToChain(PI_CHAIN, destinationNetwork, filterChainName));
// TODO: Handle case where rule name specificed instead of network
for (NetworkRule networkRule : securityGroup.getNetworkRules()) {
for (String sourceNetwork : networkRule.getSourceNetworks()) {
addFilterRule(
filterChainName,
sourceNetwork,
destinationNetwork,
networkRule.getNetworkProtocol(),
networkRule.getPortRangeMin(),
networkRule.getPortRangeMax());
}
}
}
logFlushRules("Generated filter iptables:\n%s", lines);
return lines;
}
public List<String> generateFilterFlushRules(String[] chainNames, List<String> newChains) {
LOG.debug(String.format("generateFilterFlushRules(%s, %s)", chainNames, newChains));
List<String> res = new ArrayList<String>();
for (String chainName : chainNames) {
if (chainName.equals(PI_CHAIN)) {
res.add("-D FORWARD -j " + PI_CHAIN);
res.add(ipTablesHelper.generateFlushChainRule(chainName));
} else if (chainName.startsWith(FLTR_PREFIX)) {
res.add(ipTablesHelper.generateFlushChainRule(chainName));
} else {
LOG.debug(String.format("Skipping non-filter chain name: %s", chainName));
}
}
for (String chainName : chainNames) {
if (!newChains.contains(chainName) && chainName.startsWith(FLTR_PREFIX)) {
res.add(ipTablesHelper.generateRemoveChainRule(chainName));
}
}
logFlushRules("Generated chain flush rules:\n%s", res);
return res;
}
public synchronized List<String> generateNatTable(
List<SecurityGroup> securityGroups, List<String> existingChains) {
LOG.debug(String.format("generateNatTable(%s, %s)", securityGroups, existingChains));
lines = new ArrayList<String>();
if (!existingChains.contains(PI_PREROUTING)) {
lines.add(ipTablesHelper.addChain(PI_PREROUTING));
lines.add(ipTablesHelper.appendForwardChainToChain(PREROUTING, PI_PREROUTING));
}
if (!existingChains.contains(PI_OUTPUT)) {
lines.add(ipTablesHelper.addChain(PI_OUTPUT));
lines.add(ipTablesHelper.appendForwardChainToChain(OUTPUT, PI_OUTPUT));
}
for (SecurityGroup securityGroup : securityGroups) {
if (!validateSecurityGroup(securityGroup)) {
LOG.debug(String.format(SKIPPING_SECURITY_GROUP_S_AS_IT_IS_NOT_POPULATED, securityGroup));
continue;
}
LOG.debug(String.format("Processing Security group: %s for nat rules.", securityGroup));
String postChainName =
getChainNameForSecurityGroup(POST_PREFIX, securityGroup.getSecurityGroupId());
String destinationNetwork =
String.format(S_SLASH_S, securityGroup.getNetworkAddress(), securityGroup.getSlashnet());
if (!existingChains.contains(postChainName))
lines.add(ipTablesHelper.addChain(postChainName));
lines.add(
ipTablesHelper.insertChainForwardToChain(POSTROUTING, destinationNetwork, postChainName));
// TODO: Handle case where rule name specified instead of network
for (Entry<String, InstanceAddress> addressEntry : securityGroup.getInstances().entrySet()) {
LOG.debug(String.format("Processing addressEntry: %s for nat rules.", addressEntry));
InstanceAddress address = addressEntry.getValue();
if (null == address) {
LOG.warn(
String.format("null entry in instance table for instance %s", addressEntry.getKey()));
continue;
}
if (address.getPublicIpAddress() != null && address.getPrivateIpAddress() != null) {
addNatRule(postChainName, address.getPublicIpAddress(), address.getPrivateIpAddress());
} else {
LOG.debug(
String.format(
"Skipping NAT rule within group %s as one or both addresses are null (%s / %s)",
securityGroup.getSecurityGroupId(),
address.getPublicIpAddress(),
address.getPrivateIpAddress()));
}
}
}
logFlushRules("Generated nat iptables:\n%s", lines);
return lines;
}
private void logFlushRules(String textString, List<String> res) {
if (LOG.isDebugEnabled())
LOG.debug(String.format(textString, ipTablesHelper.linesToLogFriendlyString(res)));
}