authorIlya Alekseyev <ialekseev@griddynamics.com>2011-03-17 21:17:37 +0300
committerIlya Alekseyev <ialekseev@griddynamics.com>2011-03-17 21:17:37 +0300
commit6e1a9d56729691ff5afff286b5fbf91bca39238c (patch)
treebb010919cdd70bd188827c1100889da484acb675
parent31388f18f8c0ebe3cae58ebd2a46e2bedb376fd4 (diff)
parent0bf00a181b3f6ddc0586b0cfb0239f2d0e213cf5 (diff)
iptables filter firewall changes merged
-rw-r--r--nova/virt/libvirt_conn.py97
1 files changed, 47 insertions, 50 deletions
diff --git a/nova/virt/libvirt_conn.py b/nova/virt/libvirt_conn.py
index bc6c9f37d..5ce097bd5 100644
--- a/nova/virt/libvirt_conn.py
+++ b/nova/virt/libvirt_conn.py
@@ -1685,6 +1685,8 @@ class IptablesFirewallDriver(FirewallDriver):
def setup_basic_filtering(self, instance, network_info=None):
"""Use NWFilter from libvirt for this."""
+ if not network_info:
+ network_info = _get_network_info(instance)
return self.nwfilter.setup_basic_filtering(instance, network_info)
def apply_instance_filter(self, instance):
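Review bot: `if not network_info:` treats an empty network_info list the same as a caller that passed nothing, so an instance that legitimately has no networks is silently re-queried through `_get_network_info` instead of getting no filter rules; `if network_info is None:` is the test that separates the two cases. The same fallback is repeated in every method this commit touches, so the point applies to each of them. `_get_network_info` is not visible in this diff, so I have not checked what it returns for an instance without networks.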
@@ -1700,28 +1702,41 @@ class IptablesFirewallDriver(FirewallDriver):
'filtered'), instance['id'])
def prepare_instance_filter(self, instance, network_info=None):
+ if not network_info:
+ network_info = _get_network_info(instance)
self.instances[instance['id']] = instance
- self.add_filters_for_instance(instance)
+ self.add_filters_for_instance(instance, network_info)
self.iptables.apply()
- def add_filters_for_instance(self, instance):
+ def add_filters_for_instance(self, instance, network_info=None):
+ if not network_info:
+ network_info = _get_network_info(instance)
chain_name = self._instance_chain_name(instance)
self.iptables.ipv4['filter'].add_chain(chain_name)
- ipv4_address = self._ip_for_instance(instance)
- self.iptables.ipv4['filter'].add_rule('local',
- '-d %s -j $%s' %
- (ipv4_address, chain_name))
+
+ ips_v4 = []
+ for (_n, mapping) in network_info:
+ for ip in mapping['ips']:
+ ips_v4.append(ip['ip'])
+
+ for ipv4_address in ips_v4:
+ self.iptables.ipv4['filter'].add_rule('local',
+ '-d %s -j $%s' %
+ (ipv4_address, chain_name))
if FLAGS.use_ipv6:
self.iptables.ipv6['filter'].add_chain(chain_name)
- ipv6_address = self._ip_for_instance_v6(instance)
- self.iptables.ipv6['filter'].add_rule('local',
- '-d %s -j $%s' %
- (ipv6_address,
- chain_name))
+ ips_v6 = [ip['ip'] for ip in mapping['ip6s'] for (_n, mapping)
+ in network_info]
+
+ for ipv6_address in ips_v6:
+ self.iptables.ipv6['filter'].add_rule('local',
+ '-d %s -j $%s' %
+ (ipv6_address,
+ chain_name))
- ipv4_rules, ipv6_rules = self.instance_rules(instance)
+ ipv4_rules, ipv6_rules = self.instance_rules(instance, network_info)
for rule in ipv4_rules:
self.iptables.ipv4['filter'].add_rule(chain_name, rule)
@@ -1737,7 +1752,9 @@ class IptablesFirewallDriver(FirewallDriver):
if FLAGS.use_ipv6:
self.iptables.ipv6['filter'].remove_chain(chain_name)
- def instance_rules(self, instance):
+ def instance_rules(self, instance, network_info=None):
+ if not network_info:
+ network_info = _get_network_info(instance)
ctxt = context.get_admin_context()
ipv4_rules = []
@@ -1751,28 +1768,36 @@ class IptablesFirewallDriver(FirewallDriver):
ipv4_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
ipv6_rules += ['-m state --state ESTABLISHED,RELATED -j ACCEPT']
- dhcp_server = self._dhcp_server_for_instance(instance)
- ipv4_rules += ['-s %s -p udp --sport 67 --dport 68 '
- '-j ACCEPT' % (dhcp_server,)]
+ dhcp_servers = [network['gateway'] for (network, _m) in network_info]
+
+ for dhcp_server in dhcp_servers:
+ ipv4_rules += ['-s %s -p udp --sport 67 --dport 68 '
+ '-j ACCEPT' % (dhcp_server,)]
#Allow project network traffic
if FLAGS.allow_project_net_traffic:
- cidr = self._project_cidr_for_instance(instance)
- ipv4_rules += ['-s %s -j ACCEPT' % (cidr,)]
+ cidrs = [network['cidr'] for (network, _m) in network_info]
+ for cidr in cidrs:
+ ipv4_rules += ['-s %s -j ACCEPT' % (cidr,)]
# We wrap these in FLAGS.use_ipv6 because they might cause
# a DB lookup. The other ones are just list operations, so
# they're not worth the clutter.
if FLAGS.use_ipv6:
# Allow RA responses
- ra_server = self._ra_server_for_instance(instance)
- if ra_server:
+ ra_servers = [network['ra_server'] for (network, _m)
+ in network_info]
+
+ for ra_server in ra_servers:
ipv6_rules += ['-s %s/128 -p icmpv6 -j ACCEPT' % (ra_server,)]
#Allow project network traffic
if FLAGS.allow_project_net_traffic:
- cidrv6 = self._project_cidrv6_for_instance(instance)
- ipv6_rules += ['-s %s -j ACCEPT' % (cidrv6,)]
+ cidrv6s = [network['cidr_v6'] for (network, _m)
+ in network_info]
+
+ for cidrv6 in cidrv6s:
+ ipv6_rules += ['-s %s -j ACCEPT' % (cidrv6,)]
security_groups = db.security_group_get_by_instance(ctxt,
instance['id'])
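Review bot: The `if ra_server:` guard the old code had is dropped: `ra_servers` is built from every network's `ra_server` column unconditionally, so a network with no RA server contributes `-s None/128 -p icmpv6 -j ACCEPT`, which ip6tables will reject when the rule set is applied. Filter in the comprehension instead, `ra_servers = [network['ra_server'] for (network, _m) in network_info if network['ra_server']]`. The `gateway`, `cidr` and `cidr_v6` lists earlier in the hunk presumably have the same exposure if those columns can be NULL, which is worth confirming against the schema. `instance_rules` starts in the previous hunk and continues past this one.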
@@ -1854,31 +1879,3 @@ class IptablesFirewallDriver(FirewallDriver):
def _instance_chain_name(self, instance):
return 'inst-%s' % (instance['id'],)
-
- def _ip_for_instance(self, instance):
- return db.instance_get_fixed_address(context.get_admin_context(),
- instance['id'])
-
- def _ip_for_instance_v6(self, instance):
- return db.instance_get_fixed_address_v6(context.get_admin_context(),
- instance['id'])
-
- def _dhcp_server_for_instance(self, instance):
- network = db.network_get_by_instance(context.get_admin_context(),
- instance['id'])
- return network['gateway']
-
- def _ra_server_for_instance(self, instance):
- network = db.network_get_by_instance(context.get_admin_context(),
- instance['id'])
- return network['ra_server']
-
- def _project_cidr_for_instance(self, instance):
- network = db.network_get_by_instance(context.get_admin_context(),
- instance['id'])
- return network['cidr']
-
- def _project_cidrv6_for_instance(self, instance):
- network = db.network_get_by_instance(context.get_admin_context(),
- instance['id'])
- return network['cidr_v6']