From 3403e773f5a38c5d415e4ab66799c6e239223a0d Mon Sep 17 00:00:00 2001 From: Todd Willey Date: Mon, 17 Jan 2011 19:40:35 -0500 Subject: Stubbed-out code for working with provider-firewalls. --- nova/api/ec2/admin.py | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'nova/api') diff --git a/nova/api/ec2/admin.py b/nova/api/ec2/admin.py index 758b612e8..b784c5a00 100644 --- a/nova/api/ec2/admin.py +++ b/nova/api/ec2/admin.py @@ -209,3 +209,11 @@ class AdminController(object): def describe_host(self, _context, name, **_kwargs): """Returns status info for single node.""" return host_dict(db.host_get(name)) + + def block_external_addresses(self, context, cidr): + """Add provider-level firewall rules to block incoming traffic.""" + LOG.audit(_("Blocking access to all projects incoming from %s"), + cidr, context=context) + raise NotImplementedError(_("Awaiting implementation.")) + # TODO(todd): implement + # return {'status': 'OK', 'message': 'Disabled (number) IPs'} -- cgit From d4e7eb818c9f4ec51fd3a88a0e92d557867511d4 Mon Sep 17 00:00:00 2001 From: Todd Willey Date: Mon, 17 Jan 2011 23:18:46 -0500 Subject: Add rules to database, cast refresh message and trickle down to firewall driver. --- nova/api/ec2/admin.py | 43 +++++++++++++++++++++++++++++++++++++++---- 1 file changed, 39 insertions(+), 4 deletions(-) (limited to 'nova/api') diff --git a/nova/api/ec2/admin.py b/nova/api/ec2/admin.py index b784c5a00..1ae5f7094 100644 --- a/nova/api/ec2/admin.py +++ b/nova/api/ec2/admin.py @@ -21,7 +21,10 @@ Admin API controller, exposed through http via the api worker. """ import base64 +import IPy +import urllib +from nova import compute from nova import db from nova import exception from nova import log as logging @@ -70,6 +73,9 @@ class AdminController(object): def __str__(self): return 'AdminController' + def __init__(self): + self.compute_api = compute.API() + def describe_user(self, _context, name, **_kwargs): """Returns user data, including access and secret keys.""" return user_dict(manager.AuthManager().get_user(name)) @@ -210,10 +216,39 @@ class AdminController(object): """Returns status info for single node.""" return host_dict(db.host_get(name)) + def _provider_fw_rule_exists(context, rule): + for old_rule in db.provider_fw_rule_get_all(context): + for key in ('cidr', 'from_port', 'to_port', 'protocol'): + dupe = True + if rule[key] != old_rule[key]: + dupe = False + if dupe: + return dupe + return False + + def block_external_addresses(self, context, cidr): """Add provider-level firewall rules to block incoming traffic.""" - LOG.audit(_("Blocking access to all projects incoming from %s"), + LOG.audit(_("Blocking traffic to all projects incoming from %s"), cidr, context=context) - raise NotImplementedError(_("Awaiting implementation.")) - # TODO(todd): implement - # return {'status': 'OK', 'message': 'Disabled (number) IPs'} + rule = {'cidr': IPy.IP(urllib.unquote(cidr).decode())} + tcp_rule = rule.copy() + tcp_rule.update({"protocol": "TCP", "from_port": 1, "to_port": 65535}) + udp_rule = rule.copy() + udp_rule.update({"protocol": "UDP", "from_port": 1, "to_port": 65535}) + icmp_rule = rule.copy() + icmp_rule.update({"protocol": "ICMP", "from_port": -1, "to_port": -1}) + rules_added = 0 + if not self._provider_fw_rule_exists(context, tcp_rule): + db.provider_fw_rule_create(context, tcp_rule) + rules_added += 1 + if not self._provider_fw_rule_exists(context, udp_rule): + db.provider_fw_rule_create(context, udp_rule) + rules_added += 1 + if not self._provider_fw_rule_exists(context, icmp_rule): + db.provider_fw_rule_create(context, icmp_rule) + rules_added += 1 + if rules_added == 0: + raise exception.ApiError(_('Duplicate rule')) + self.compute_api.trigger_provider_fw_rules_refresh(context) + return {'status': 'OK', 'message': 'Disabled (number) IPs'} -- cgit From 46c1c554e7d98959a2b20597d6b0f2b0f648cdc9 Mon Sep 17 00:00:00 2001 From: Todd Willey Date: Wed, 19 Jan 2011 15:16:12 -0500 Subject: Whitespace (pep8) cleanups. --- nova/api/ec2/admin.py | 1 - 1 file changed, 1 deletion(-) (limited to 'nova/api') diff --git a/nova/api/ec2/admin.py b/nova/api/ec2/admin.py index 1ae5f7094..3a8ed39eb 100644 --- a/nova/api/ec2/admin.py +++ b/nova/api/ec2/admin.py @@ -226,7 +226,6 @@ class AdminController(object): return dupe return False - def block_external_addresses(self, context, cidr): """Add provider-level firewall rules to block incoming traffic.""" LOG.audit(_("Blocking traffic to all projects incoming from %s"), -- cgit From f02c9e781bdddd609601da81b97a438b6d5b9781 Mon Sep 17 00:00:00 2001 From: Todd Willey Date: Fri, 21 Jan 2011 12:30:26 -0500 Subject: Add provider_fw_rules awareness to iptables firewall driver. --- nova/api/ec2/admin.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'nova/api') diff --git a/nova/api/ec2/admin.py b/nova/api/ec2/admin.py index 3a8ed39eb..c83f84b15 100644 --- a/nova/api/ec2/admin.py +++ b/nova/api/ec2/admin.py @@ -236,7 +236,8 @@ class AdminController(object): udp_rule = rule.copy() udp_rule.update({"protocol": "UDP", "from_port": 1, "to_port": 65535}) icmp_rule = rule.copy() - icmp_rule.update({"protocol": "ICMP", "from_port": -1, "to_port": -1}) + icmp_rule.update({"protocol": "ICMP", "from_port": -1, + "to_port": None}) rules_added = 0 if not self._provider_fw_rule_exists(context, tcp_rule): db.provider_fw_rule_create(context, tcp_rule) -- cgit From 4e3524c57f6fa0f917bdb30ec15c8d4633a307e5 Mon Sep 17 00:00:00 2001 From: Todd Willey Date: Tue, 25 Jan 2011 12:52:00 -0800 Subject: Updates for provider_fw_rules in admin api. --- nova/api/ec2/admin.py | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) (limited to 'nova/api') diff --git a/nova/api/ec2/admin.py b/nova/api/ec2/admin.py index 4a34476d3..0dabf2092 100644 --- a/nova/api/ec2/admin.py +++ b/nova/api/ec2/admin.py @@ -223,7 +223,7 @@ class AdminController(object): """Returns status info for single node.""" return host_dict(db.host_get(name)) - def _provider_fw_rule_exists(context, rule): + def _provider_fw_rule_exists(self, context, rule): for old_rule in db.provider_fw_rule_get_all(context): for key in ('cidr', 'from_port', 'to_port', 'protocol'): dupe = True @@ -237,7 +237,10 @@ class AdminController(object): """Add provider-level firewall rules to block incoming traffic.""" LOG.audit(_("Blocking traffic to all projects incoming from %s"), cidr, context=context) - rule = {'cidr': IPy.IP(urllib.unquote(cidr).decode())} + cidr = urllib.unquote(cidr).decode() + # raise if invalid + IPy.IP(cidr) + rule = {'cidr': cidr} tcp_rule = rule.copy() tcp_rule.update({"protocol": "TCP", "from_port": 1, "to_port": 65535}) udp_rule = rule.copy() -- cgit From d6c6d8115b9dda07716d85fb1201cde0e907a9bd Mon Sep 17 00:00:00 2001 From: Todd Willey Date: Wed, 26 Jan 2011 22:54:39 -0800 Subject: A couple of bugfixes. --- nova/api/ec2/admin.py | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'nova/api') diff --git a/nova/api/ec2/admin.py b/nova/api/ec2/admin.py index 478032ce9..b019e8e8b 100644 --- a/nova/api/ec2/admin.py +++ b/nova/api/ec2/admin.py @@ -237,9 +237,10 @@ class AdminController(object): return host_dict(db.host_get(name)) def _provider_fw_rule_exists(self, context, rule): + # TODO(todd): we call this repeatedly, can we filter by protocol? for old_rule in db.provider_fw_rule_get_all(context): + dupe = True for key in ('cidr', 'from_port', 'to_port', 'protocol'): - dupe = True if rule[key] != old_rule[key]: dupe = False if dupe: -- cgit From 2b79fa82872c55368167fc7433cb28a2369f5191 Mon Sep 17 00:00:00 2001 From: Todd Willey Date: Thu, 7 Apr 2011 01:42:49 -0400 Subject: test provider fw rules at the virt/ipteables layer. lowercase protocol names in admin api to match what the firewall driver expects. add provider fw rule chain in iptables6 as well. fix a couple of small typos and copy-paste errors. --- nova/api/ec2/admin.py | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) (limited to 'nova/api') diff --git a/nova/api/ec2/admin.py b/nova/api/ec2/admin.py index 0b27854ef..c0c2bcd0d 100644 --- a/nova/api/ec2/admin.py +++ b/nova/api/ec2/admin.py @@ -356,11 +356,11 @@ class AdminController(object): IPy.IP(cidr) rule = {'cidr': cidr} tcp_rule = rule.copy() - tcp_rule.update({"protocol": "TCP", "from_port": 1, "to_port": 65535}) + tcp_rule.update({"protocol": "tcp", "from_port": 1, "to_port": 65535}) udp_rule = rule.copy() - udp_rule.update({"protocol": "UDP", "from_port": 1, "to_port": 65535}) + udp_rule.update({"protocol": "udp", "from_port": 1, "to_port": 65535}) icmp_rule = rule.copy() - icmp_rule.update({"protocol": "ICMP", "from_port": -1, + icmp_rule.update({"protocol": "icmp", "from_port": -1, "to_port": None}) rules_added = 0 if not self._provider_fw_rule_exists(context, tcp_rule): -- cgit From 0be9e06c09c1d08802a8963e34090b5fcedb19be Mon Sep 17 00:00:00 2001 From: Todd Willey Date: Thu, 26 May 2011 11:35:58 -0400 Subject: Double quotes are ugly. --- nova/api/ec2/admin.py | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) (limited to 'nova/api') diff --git a/nova/api/ec2/admin.py b/nova/api/ec2/admin.py index 0d08aba7a..3c7a60277 100644 --- a/nova/api/ec2/admin.py +++ b/nova/api/ec2/admin.py @@ -349,19 +349,19 @@ class AdminController(object): def block_external_addresses(self, context, cidr): """Add provider-level firewall rules to block incoming traffic.""" - LOG.audit(_("Blocking traffic to all projects incoming from %s"), + LOG.audit(_('Blocking traffic to all projects incoming from %s'), cidr, context=context) cidr = urllib.unquote(cidr).decode() # raise if invalid IPy.IP(cidr) rule = {'cidr': cidr} tcp_rule = rule.copy() - tcp_rule.update({"protocol": "tcp", "from_port": 1, "to_port": 65535}) + tcp_rule.update({'protocol': 'tcp', 'from_port': 1, 'to_port': 65535}) udp_rule = rule.copy() - udp_rule.update({"protocol": "udp", "from_port": 1, "to_port": 65535}) + udp_rule.update({'protocol': 'udp', 'from_port': 1, 'to_port': 65535}) icmp_rule = rule.copy() - icmp_rule.update({"protocol": "icmp", "from_port": -1, - "to_port": None}) + icmp_rule.update({'protocol': 'icmp', 'from_port': -1, + 'to_port': None}) rules_added = 0 if not self._provider_fw_rule_exists(context, tcp_rule): db.provider_fw_rule_create(context, tcp_rule) @@ -375,4 +375,4 @@ class AdminController(object): if rules_added == 0: raise exception.ApiError(_('Duplicate rule')) self.compute_api.trigger_provider_fw_rules_refresh(context) - return {'status': 'OK', 'message': 'Disabled (number) IPs'} + return {'status': 'OK', 'message': 'Added %s rules' % rules_added} -- cgit From 1fd3f5a6edf911dc84e11130bc2c590567d780c3 Mon Sep 17 00:00:00 2001 From: Todd Willey Date: Thu, 26 May 2011 17:05:55 -0400 Subject: Fixes from Ed Leafe's review suggestions. --- nova/api/ec2/admin.py | 11 ++++------- 1 file changed, 4 insertions(+), 7 deletions(-) (limited to 'nova/api') diff --git a/nova/api/ec2/admin.py b/nova/api/ec2/admin.py index 3c7a60277..1d4cffff3 100644 --- a/nova/api/ec2/admin.py +++ b/nova/api/ec2/admin.py @@ -339,12 +339,9 @@ class AdminController(object): def _provider_fw_rule_exists(self, context, rule): # TODO(todd): we call this repeatedly, can we filter by protocol? for old_rule in db.provider_fw_rule_get_all(context): - dupe = True - for key in ('cidr', 'from_port', 'to_port', 'protocol'): - if rule[key] != old_rule[key]: - dupe = False - if dupe: - return dupe + if all([rule[k] == old_rule[k] for k in ('cidr', 'from_port', + 'to_port', 'protocol')]): + return True return False def block_external_addresses(self, context, cidr): @@ -372,7 +369,7 @@ class AdminController(object): if not self._provider_fw_rule_exists(context, icmp_rule): db.provider_fw_rule_create(context, icmp_rule) rules_added += 1 - if rules_added == 0: + if not rules_added: raise exception.ApiError(_('Duplicate rule')) self.compute_api.trigger_provider_fw_rules_refresh(context) return {'status': 'OK', 'message': 'Added %s rules' % rules_added} -- cgit From 7a2712ebf74e5565663a6723a992151f71255eff Mon Sep 17 00:00:00 2001 From: Todd Willey Date: Tue, 14 Jun 2011 11:34:03 -0700 Subject: Move ipy commands to netaddr. --- nova/api/ec2/admin.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) (limited to 'nova/api') diff --git a/nova/api/ec2/admin.py b/nova/api/ec2/admin.py index fcf7f674c..343bc61c4 100644 --- a/nova/api/ec2/admin.py +++ b/nova/api/ec2/admin.py @@ -22,7 +22,7 @@ Admin API controller, exposed through http via the api worker. import base64 import datetime -import IPy +import netaddr import urllib from nova import compute @@ -346,7 +346,7 @@ class AdminController(object): cidr, context=context) cidr = urllib.unquote(cidr).decode() # raise if invalid - IPy.IP(cidr) + netaddr.IPNetwork(cidr) rule = {'cidr': cidr} tcp_rule = rule.copy() tcp_rule.update({'protocol': 'tcp', 'from_port': 1, 'to_port': 65535}) -- cgit