authorSoren Hansen <soren@linux2go.dk>2011-08-14 04:17:48 +0000
committerTarmac <>2011-08-14 04:17:48 +0000
commiteede601db836643a0fbc6689fb9ee9db15a822bc (patch)
tree835bb238ff8018d1490f247f1b378ddde4863cba /nova/virt
parenta538f400b5ced8357fa0e892fffd5a01b8e63cec (diff)
parentadc4d2dc71b6dcdad4bca57925f89d7344a613e8 (diff)
Add source-group filtering.
Move refresh to be triggered by allocation and deallocation of IPs rather than creation/destruction of instances. There really needs to be a way to use ipsets for this, but it's not widely supported yet (went into mainline linux at 2.6.39), so this implementation just uses regular iptables.
Diffstat (limited to 'nova/virt')
-rw-r--r--nova/virt/libvirt/firewall.py35
1 files changed, 24 insertions, 11 deletions
diff --git a/nova/virt/libvirt/firewall.py b/nova/virt/libvirt/firewall.py
index 9ce57b6c9..16e5070c6 100644
--- a/nova/virt/libvirt/firewall.py
+++ b/nova/virt/libvirt/firewall.py
@@ -664,11 +664,10 @@ class IptablesFirewallDriver(FirewallDriver):
LOG.debug(_('Adding security group rule: %r'), rule)
if not rule.cidr:
- # Eventually, a mechanism to grant access for security
- # groups will turn up here. It'll use ipsets.
- continue
+ version = 4
+ else:
+ version = netutils.get_ip_version(rule.cidr)
- version = netutils.get_ip_version(rule.cidr)
if version == 4:
fw_rules = ipv4_rules
else:
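Review bot: Setting `version = 4` on the `if not rule.cidr` branch pins every grantee-group rule to `ipv4_rules`, yet the third hunk appends `-s <ip>` for each address returned by `db.instance_get_fixed_addresses` without checking its family, so an IPv6 fixed address (if the deployment ever allocates one) would land as a malformed entry in the v4 chain. A guard before the subrule is built, `if netutils.get_ip_version(ip) != version: continue`, keeps the chain consistent until group rules are generated per version. The enclosing loop over rules starts before this hunk.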
@@ -678,16 +677,16 @@ class IptablesFirewallDriver(FirewallDriver):
if version == 6 and rule.protocol == 'icmp':
protocol = 'icmpv6'
- args = ['-p', protocol, '-s', rule.cidr]
+ args = ['-j ACCEPT', '-p', protocol]
- if rule.protocol in ['udp', 'tcp']:
+ if protocol in ['udp', 'tcp']:
if rule.from_port == rule.to_port:
args += ['--dport', '%s' % (rule.from_port,)]
else:
args += ['-m', 'multiport',
'--dports', '%s:%s' % (rule.from_port,
rule.to_port)]
- elif rule.protocol == 'icmp':
+ elif protocol == 'icmp':
icmp_type = rule.from_port
icmp_code = rule.to_port
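Review bot: Changing the `elif` to compare `protocol == 'icmp'` skips the ICMP branch for IPv6 rules, because a few lines earlier `protocol` has already been rewritten to `'icmpv6'` when `version == 6 and rule.protocol == 'icmp'`; the `-m icmp6 --icmpv6-type` arguments shown as context in the next hunk appear to live inside that branch and would then never be appended, leaving a bare `-p icmpv6 -j ACCEPT` that admits every ICMPv6 type rather than the requested one. Keying the branch on the rule's own field, `elif rule.protocol == 'icmp':`, preserves the type/code restriction; the `udp`/`tcp` test is unaffected since `protocol` is only rewritten for icmp. The branch body continues past the end of this hunk, so the exact nesting of the icmp6 lines cannot be confirmed from here.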
@@ -706,9 +705,22 @@ class IptablesFirewallDriver(FirewallDriver):
args += ['-m', 'icmp6', '--icmpv6-type',
icmp_type_arg]
- args += ['-j ACCEPT']
- fw_rules += [' '.join(args)]
-
+ if rule.cidr:
+ LOG.info('Using cidr %r', rule.cidr)
+ args += ['-s', rule.cidr]
+ fw_rules += [' '.join(args)]
+ else:
+ if rule['grantee_group']:
+ for instance in rule['grantee_group']['instances']:
+ LOG.info('instance: %r', instance)
+ ips = db.instance_get_fixed_addresses(ctxt,
+ instance['id'])
+ LOG.info('ips: %r', ips)
+ for ip in ips:
+ subrule = args + ['-s %s' % ip]
+ fw_rules += [' '.join(subrule)]
+
+ LOG.info('Using fw_rules: %r', fw_rules)
ipv4_rules += ['-j $sg-fallback']
ipv6_rules += ['-j $sg-fallback']
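Review bot: The four new `LOG.info` calls emit every grantee instance, its fixed-address list and the complete assembled `fw_rules` at info level on each refresh, while the existing message at the top of the first hunk uses `LOG.debug(_(...))`; demoting them to `LOG.debug(_('...'))` matches the file's convention and keeps address-level detail out of production logs. In the same block the source address is appended as a single element, `'-s %s' % ip`, whereas the cidr path a few lines above uses `['-s', rule.cidr]`; `args + ['-s', ip]` keeps the list shape uniform. `rule['grantee_group']` also mixes subscript access with the attribute style (`rule.cidr`, `rule.protocol`) used elsewhere in the same loop. `ctxt` and `db` are presumably bound earlier in the method, which begins before this hunk.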
@@ -719,7 +731,8 @@ class IptablesFirewallDriver(FirewallDriver):
return self.nwfilter.instance_filter_exists(instance)
def refresh_security_group_members(self, security_group):
- pass
+ self.do_refresh_security_group_rules(security_group)
+ self.iptables.apply()
def refresh_security_group_rules(self, security_group, network_info=None):
self.do_refresh_security_group_rules(security_group, network_info)