Gemfury

triliodata-3-3 / contego deb

Repository URL to install this package:
Details
contego / home / tvault / .virtenv / lib / python2.7 / site-packages / nova / virt / firewall.pyc
ó
±EYc@sddlmZddlmZddlmZddlZ	ddl	m
Z
ddlmZddl
mZddl	mZddl	mZdd	lmZejeZe	jjZd
ZdefdYZd
efdYZdefdYZdS(iÿÿÿÿ(tlog(timportutils(tutilsN(tcontext(t_LI(t	linux_net(tobjects(tnetutilscOs%tjtjp|}|||S(N(Rtimport_classtCONFtfirewall_driver(tdefaulttargstkwargstfw_class((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pytload_driver#stFirewallDrivercBs_eZdZdZdZdZdZdZdZdZ	dZ
d	ZRS(
srFirewall Driver base class.

    Defines methods that any driver providing security groups should implement.

    cCs
tdS(sbPrepare filters for the instance.

        At this point, the instance isn't running yet.
        N(tNotImplementedError(tselftinstancetnetwork_info((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pytprepare_instance_filter.scCsdS(s$Defer application of IPTables rules.N((R((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pytfilter_defer_apply_on5scCsdS(s<Turn off deferral of IPTables rules and apply the rules now.N((R((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pytfilter_defer_apply_off9scCs
tdS(sStop filtering instance.N(R(RRR((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pytunfilter_instance=scCs
tdS(sApply instance filter.

        Once this method returns, the instance should be firewalled
        appropriately. This method should as far as possible be a
        no-op. It's vastly preferred to get everything set up in
        prepare_instance_filter.
        N(R(RRR((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pytapply_instance_filterAscCs
tdS(sRefresh security group rules from data store

        Gets called when a rule has been added to or removed from
        the security group.
        N(R(Rtsecurity_group_id((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pytrefresh_security_group_rulesKscCs
tdS(sßRefresh security group rules from data store

        Gets called when an instance gets added to or removed from
        the security group the instance is a member of or if the
        group gains or loses a rule.
        N(R(RR((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pytrefresh_instance_security_rulesSscCs
tdS(s Create rules to block spoofing and allow dhcp.

        This gets called when spawning an instance, before
        :py:meth:`prepare_instance_filter`.

        N(R(RRR((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pytsetup_basic_filtering\scCs
tdS(s(Check nova-instance-instance-xxx exists.N(R(RRR((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pytinstance_filter_existses(t__name__t
__module__t__doc__RRRRRRRRR(((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyR(s					
					tIptablesFirewallDrivercBseZdZdZdZdZdZdZdZdZ	dZ
d	Zd
ZdZ
dZd
ZdZdZdZdZdZdZdZdZdZdZdZejddedZdZdZ RS(s=Driver which enforces security groups through iptables rules.cKstj|_i|_t|_t|_|jjdjd|jjdj	dd|jj
djd|jj
dj	dddS(Ntfilterssg-fallbacks-j DROP(Rtiptables_managertiptablest
instance_infotFalsetdhcp_createtdhcp_createdtipv4t	add_chaintadd_ruletipv6(RR
((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyt__init__ms			cCsdS(N((RRR((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyRzscCsdS(s5No-op. Everything is done in prepare_instance_filter.N((RRR((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyR}scCs|jjdS(N(R%tdefer_apply_on(R((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyRscCs|jjdS(N(R%tdefer_apply_off(R((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyRscCsR|jj|jdr5|j||jjntjt	dd|dS(Ns4Attempted to unfilter instance which is not filteredR(
R&tpoptidtNonetremove_filters_for_instanceR%tapplytLOGtinfoR(RRR((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyRs

cCsÁ||f|j|j<|j||\}}|j||||tjd|jd||jr°|jr°|jj	dj
dd|jj	dj
ddt|_n|jjdS(NsFilters added to instance: %sRR#tINPUTsQ-s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j ACCEPTtFORWARD(
R&R2tinstance_rulestadd_filters_for_instanceR6tdebugR(R)R%R*R,tTrueR5(RRRt
ipv4_rulest
ipv6_rules((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyRscCs!g|D]}d||f^qS(Ns-d %s -j $%s((Rtipst
chain_nametip((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyt_create_filter£scCssg}xf|D]^}d|kr
d|dkr
x9|ddD]&}|d|kr>|j|q>q>Wq
q
W|S(Ntnetworktsubnetstversion(tappend(RRRFREtviftsubnet((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyt_get_subnets¦s
cCsÍ|j|d}|j|d}g|D]!}|dD]}|d^q9q+}|j||}g}	}
tjrÃ|r®g|D]!}|dD]}|d^qq}
n|j|
|}	n||	fS(s©Creates a rule corresponding to each ip that defines a
           jump to the corresponding instance - chain for all the traffic
           destined to that ip.
        iiR@taddress(RJRCR	tuse_ipv6(RRARt
v4_subnetst
v6_subnetsRIRBtips_v4R>R?tips_v6((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyt_filters_for_instance¯s
!
	
$cCsfx(|D] }|jjdj||qWtjrbx+|D] }|jjdj||q;WndS(NR#(R%R*R,R	RLR-(RRAR>R?trule((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyt_add_filtersÃs

	
cCs|j|}tjr2|jjdj|n|jjdj||j||\}}|jd|||j|||dS(NR#tlocal(	t_instance_chain_nameR	RLR%R-R+R*RQRS(RRRtinst_ipv4_rulestinst_ipv6_rulesRAR>R?((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyR;Ës		cCsM|j|}|jjdj|tjrI|jjdj|ndS(NR#(RUR%R*tremove_chainR	RLR-(RRRA((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyR4Ös	cCsd|jfS(Nsinst-%s(R2(RR((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyRUÝscCs8|dg7}|dg7}|dg7}|dg7}dS(Ns -m state --state INVALID -j DROPs.-m state --state ESTABLISHED,RELATED -j ACCEPT((RR>R?R((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyt_do_basic_rulesàs


cCs~|j|d}g|D]$}|jdr|jd^q}x4|D],}|rJ|jd|ft|_qJqJWdS(Nitdhcp_servers,-s %s -p udp --sport 67 --dport 68 -j ACCEPT(RJtget_metaRGR=R((RR>RRMRItdhcp_serversRZ((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyt_do_dhcp_rulesés.
	cCs¸|j|d}|j|d}g|D]}|d^q+}x"|D]}|jd|fqHWtjr´g|D]}|d^qv}	x%|	D]}
|jd|
fqWndS(Niitcidrs-s %s -j ACCEPT(RJRGR	RL(RR>R?RRMRNRItcidrsR^tcidrv6stcidrv6((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyt_do_project_network_rulesôs
	
cCs\|j|d}g|D]}|dd^q}x"|D]}|jd|fq:WdS(NitgatewayRKs-s %s/128 -p icmpv6 -j ACCEPT(RJRG(RR?RRNRItgateways_v6t
gateway_v6((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyt_do_ra_rulesÿs
!
cCs|j}|j}|dkr'd}n'd|}|dksN|d|7}n|r|dkrpddd|gS|dkrdd	d
|gSngS(Niÿÿÿÿs%ss/%sis-mticmps--icmp-typeiticmp6s
--icmpv6-type(t	from_porttto_portR3(RRRRFt	icmp_typet	icmp_codet
icmp_type_arg((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyt_build_icmp_rules			
cCsJ|j|jkr&dd|jfgSdddd|j|jfgSdS(Ns--dports%ss-mt	multiports--dportss%s:%s(RiRj(RRRRF((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyt_build_tcp_udp_rules
cCs!tj}t|tr?tjj|tj|g}ng}g}|j||||j||t	j
r|j|||nt	jr©|j
||ntjj||}x|D]}|jsÝd}ntj|j}|dkr|}	n|}	|j}
|
r+|jj}
n|dkrL|
dkrLd}
ndg}|
rn|d|
g7}n|
dkr||j||7}n%|
dkr¸||j||7}n|jró|d	t|jg7}|	d
j|g7}	qÅ|jrÅtjj||j}xÀ|D]µ}
|
jjr@tjdqnt j!|
}g|j"D] }|d|kr\|d
^q\}tjd|d|
x5|D]-}|d|g}|	d
j|g7}	qWqWqÅqÅW|dg7}|dg7}tjdt#|||d|||fS(NiiRgticmpv6s	-j ACCEPTs-ptudpttcps-st signoring deleted cacheRFRKsips: %rRs-s %ss-j $sg-fallbacks8Security Group Rules %s translated to ipv4: %r, ipv6: %r(sudpstcp($Rtget_admin_contextt
isinstancetdictRtInstancet_from_db_objectRYR]R	tallow_same_net_trafficRbRLRftSecurityGroupRuleListtget_by_instanceR^Rtget_ip_versiontprotocoltlowerRpRntstrtjoint
grantee_grouptInstanceListtget_by_security_groupt
info_cachetdeletedR6R<t
compute_utilstget_nw_info_for_instancet	fixed_ipstlist(RRRtctxtR>R?trulesRRRFtfw_rulesR~Rtinststinsttnw_infoRBR@tsubrule((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyR:"sr		
	
									

	 
%

	cCsdS(N((RRR((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyRxscCs|j||jjdS(N(tdo_refresh_security_group_rulesR%R5(Rtsecurity_group((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyR{s
cCs|j||jjdS(N(tdo_refresh_instance_rulesR%R5(RR((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyRs
R%texternalcCso|j|}|jjdj|sHtjtd|d|dS|j||j||||dS(NR#s6instance chain %s disappeared during refresh, skippingR(	RUR%R*t	has_chainR6R7RR4R;(RRRR>R?RA((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyt_inner_do_refresh_ruless	
cCs|jj}xj|D]b}y|j|\}}Wntk
rIqnX|j||\}}|j||||qWdS(N(R&tkeystKeyErrorR:R(RRtid_listtinstance_idRRR>R?((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyRs

	cCsH|j|j\}}|j||\}}|j||||dS(N(R&R2R:R(RRt	_instanceRR>R?((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyRs(!RR R!R.RRRRRRRCRJRQRSR;R4RURYR]RbRfRnRpR:RRRRtsynchronizedR=RRR(((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyR"js8	
																						V				tNoopFirewallDrivercBs2eZdZdZdZdZdZRS(s2Firewall driver which just provides No-op methods.cOsdS(N((RRR
((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyR.¨scOsdS(N((RRR
((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyt_noop«scCs|jS(N(R(Rtkey((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyt__getattr__®scCstS(N(R=(RRR((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyR±s(RR R!R.RR¡R(((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyR¦s
			(toslo_logRtloggingt
oslo_utilsRtnova.computeRRt	nova.conftnovaRt	nova.i18nRtnova.networkRRt	nova.virtRt	getLoggerRR6tconfR	RtobjectRR"R(((sG/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/firewall.pyt<module>s 	Bÿ=
triliodata-3-3 / contego deb

Products

About

Resources

Contact Gemfury
