Why Gemfury?
Push, build, and install
RubyGems
npm packages
Python packages
Maven artifacts
PHP packages
Go Modules
Debian packages
RPM packages
NuGet packages
triliodata-3-4 / contego deb
Repository URL to install this package:
|
Version:
3.4.52 ▾
|
ó
±EYc�����������@���s��d��d�l��Z��d��d�l�m�Z�d��d�l�m�Z�d��d�l�m�Z�d��d�l�m �Z �d��d�l�m
�Z
�d��d�l
�m
�Z
�d��d�l
�Z�d��d�l�m�Z�d��d �l�m�Z�d��d�l�j�j�Z�d��d
�l�m�Z�e�j�e��Z�e�j�j
�Z
�e
�a
�d
�e�j �f�d
�����YZ �d
�e�j!�f�d�����YZ!�d�S(���iÿÿÿÿN(���t
���greenthread(���t���etree(���t���log(���t���excutils(���t
���importutils(���t���pipelib(���t���_LI(���t���_LW(���t���netutilst���NWFilterFirewallc�����������B���s³���e��Z�d��Z�d���Z�d���Z�d���Z�e�e��Z�d���Z�d���Z �d���Z
�d���Z
�d���Z
�d ���Z
�d
���Z�d
���Z�d
���Z�d
���Z�d���Z�e�d�d���Z�d���Z�RS(���s��This class implements a network filtering mechanism by using
libvirt's nwfilter.
all instances get a filter ("nova-base") applied. This filter
provides some basic security such as protection against MAC
spoofing, IP spoofing, and ARP spoofing.
c���������K���sh���t��d�k�rI�y�t�j�d��a��WqI�t�k
�rE�t�j�t�d���qI�Xn��|�|��_�t �|��_
�t �|��_
�d�S(���s���Create an NWFilter firewall driver
:param host: nova.virt.libvirt.host.Host instance
:param kwargs: currently unused
t���libvirtsM���Libvirt module could not be loaded. NWFilterFirewall will not work correctly.N(
���R
���t���NoneR���t
���import_modulet
���ImportErrort���LOGt���warningR���t���_hostt���Falset���static_filters_configuredt���handle_security_groups(���t���selft���hostt���kwargs(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyt���__init__/���s����
c���������C���s���d�S(���s5���No-op. Everything is done in prepare_instance_filter.N(����(���R���t���instancet
���network_info(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyt���apply_instance_filterA���s����c���������C���s
���|��j��j���S(���N(���R���t���get_connection(���R���(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyt���_get_connectionE���s����c���������C���s���|��j��d��}�d�|�S(���s_���This filter protects false positives on IPv6 Duplicate Address
Detection(DAD).
s���nova-no-nd-reflections�<filter name='nova-no-nd-reflection' chain='ipv6'>
<!-- no nd reflection -->
<!-- drop if destination mac is v6 mcast mac addr and
we sent it. -->
<uuid>%s</uuid>
<rule action='drop' direction='in'>
<mac dstmacaddr='33:33:00:00:00:00'
dstmacmask='ff:ff:00:00:00:00' srcmacaddr='$MAC'/>
</rule>
</filter>(���t���_get_filter_uuid(���R���t���uuid(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyt
���nova_no_nd_reflection_filterI���s����
c���������C���s���|��j��d��}�d�|�S(���s���The standard allow-dhcp-server filter is an <ip> one, so it uses
ebtables to allow traffic through. Without a corresponding rule in
iptables, it'll get blocked anyway.
s���nova-allow-dhcp-servers��<filter name='nova-allow-dhcp-server' chain='ipv4'>
<uuid>%s</uuid>
<rule action='accept' direction='out'
priority='100'>
<udp srcipaddr='0.0.0.0'
dstipaddr='255.255.255.255'
srcportstart='68'
dstportstart='67'/>
</rule>
<rule action='accept' direction='in'
priority='100'>
<udp srcipaddr='$DHCPSERVER'
srcportstart='67'
dstportstart='68'/>
</rule>
</filter>(���R
���(���R���R
���(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyt���nova_dhcp_filterY���s����c���������C���s���t��j�t�d��d�|�|��j�r&�d�St��j�t�d��d�|�|��j���|��j�|�t��}�|��j�|�t��}�xb�|�D]Z�}�|�}�x/�|�d�d�D] �}�|�j�d��r�|�}�Pq�q�W|��j �|��j
�|�|�|���qt�Wd�S(���s>���Set up basic filtering (MAC, IP, and ARP spoofing protection).s(���Called setup_basic_filtering in nwfilterR���Ns���Ensuring static filterst���networkt���subnetst
���dhcp_server(
���R���t���infoR���R���t���_ensure_static_filterst���get_base_filter_listR���t���Truet���get_metat���_define_filtert���_get_instance_filter_xml(���R���R���R���t���nodhcp_base_filtert���dhcp_base_filtert���vift
���_base_filtert���subnet(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyt���setup_basic_filteringp���s"����
c���������C���s,��g��}�d���}�|�d�}�|�d�
s3�|�d�d�
r7�|�Sg��|�d�D]
�}�|�d�d�k�rB�|�^�qB�}�g��|�d�D]
�}�|�d�d�k�ro�|�^�qo�}�xk�|�D]c�}�x,�|�d�D] �} �|�j��|�d�| �d ���q©�W|�j�d
��}
�|
�r�|�j��|�d
�|
���q�q�Wt�j�rXxM�|�D]B�}�|�j�d
��}
�|
�r|
�d �d
�}
�|�j��|�d�|
���qqWn��t�j�r(xY�|�D]Q�}�|�d�}
�t�j�|
��\�}�}�|�j��|�d�|���|�j��|�d�|���qhWt�j�r(x\�|�D]Q�}�|�d�}�t�j�|��\�}�}�|�j��|�d�|���|�j��|�d�|���qÍWq(n��|�S(���Nc���������S���s���d�|��|�f�S(���Ns!���<parameter name='%s' value='%s'/>(����(���t ���parametert���value(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyt���format_parameter���s����R!���R"���t���versioni���i���t���ipst���IPt���addressR#���t
���DHCPSERVERt���gateways���/128t���RASERVERt���cidrt���PROJNETt���PROJMASKt���PROJNET6t ���PROJMASK6( ���t���appendR(���t���CONFt���use_ipv6t���gett���allow_same_net_trafficR���t���get_net_and_maskt���get_net_and_prefixlen(���R���R-���t
���parametersR3���R!���t���st
���v4_subnetst
���v6_subnetsR/���t���ipR#���R9���t ���ra_servert ���ipv4_cidrt���nett���maskt ���ipv6_cidrt���prefix(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyt ���_get_instance_filter_parameters���s@����
--
c���
������C���s¨���|�d�j��d�d��}�|��j�|�|��}�|��j�|��}�|��j�|��}�d�|�}�|�d�|�7}�x9�|�D]1�} �|�d�| �7}�|�d�j�|��7}�|�d�7}�qe�W|�d�7}�|�S( ���NR7���t���:t����s ���<filter name='%s' chain='root'>s���<uuid>%s</uuid>s���<filterref filter='%s'>s
���</filterref>s ���</filter>(���t���replacet���_instance_filter_nameRR���R
���t���join(
���R���R���t���filtersR-���t���nic_idt���instance_filter_nameRG���R
���t���xmlt���f(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyR*���µ���s����
c���������C���s7���t��j�|�j��r�d�}�n�|�r*�d�}�n�d�}�|�g�S(���sZ��Obtain a list of base filters to apply to an instance.
The return value should be a list of strings, each
specifying a filter name. Subclasses can override this
function to add additional filters as needed. Additional
filters added to the list must also be correctly defined
within the subclass.
s���nova-vpns ���nova-bases
���nova-nodhcp(���R���t
���is_vpn_imaget ���image_ref(���R���R���t
���allow_dhcpt
���base_filter(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyR&������s
���� c���������C���s·���|��j��r
�d�Sd�d�d�g�}�|��j�|��j����|�j�d��|��j�|��j�d�|���|�j�d��|��j�|��j�d�|���|��j�|��j�d �d�g���|��j�|��j����t�|��_��d�S(
���s���Static filters are filters that have no need to be IP aware.
There is no configuration or tuneability of these filters, so they
can be set up once and forgotten about.
Ns���no-mac-spoofings���no-ip-spoofings���no-arp-spoofings���nova-no-nd-reflections
���nova-nodhcps���allow-dhcp-servers ���nova-bases���nova-vpn(���R���R)���R ���R@���t���_filter_containerR ���R'���(���R���t
���filter_set(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyR%������s
����
c���������C���sI���|��j��|��}�d�|�|�d�j�g��|�D]�}�d�|�f�^�q%��f�}�|�S(���Nss���<filter name='%s' chain='root'>
<uuid>%s</uuid>
%s
</filter>RT���s���<filterref filter='%s'/>(���R
���RW���(���R���t���nameRX���R
���R\���R[���(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyRa�����s���� -c���������C���s ���yF�|��j��j�|��}�|�j�d��}�t�j�|��}�|�j�d��j�}�Wn@�t�k
�r�}�t�j �d�i�|�d�6|�d�6�t
�j
���j
�}�n�Xt�j �d�|�|��|�S(���Ni����s���./uuidu/���Cannot find UUID for filter '%(name)s': '%(e)s'Rc���t���es
���UUID for filter '%s' is '%s'(
���t���_connt���nwfilterLookupByNamet���XMLDescR���t
���fromstringt���findt���textt ���ExceptionR���t���debugR
���t���uuid4t���hex(���R���Rc���t���fltR[���t���doct���uRd���(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyR
���ö���s���� c���������C���s ���t��|��r�|���}�n��y�|��j�j�|��Wnm�t�j�k
�r�}�t�j���I�}�|�j���}�|�t�j�k�r�|�j ���}�d�|�k�r�t
�|�_
�q�n��Wd��QXn�Xd��S(���Ns���already exists with uuid(
���t���callableRe���t���nwfilterDefineXMLR
���t
���libvirtErrorR���t���save_and_reraise_exceptiont���get_error_codet���VIR_ERR_OPERATION_FAILEDt���get_error_messageR���t���reraise(���R���R[���t���ext���ctxtt���errcodet���errmsg(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyR)�����s����
c���
������C���s$��x
|�D]}�|�d�j��d�d��}�|��j�|�|��}�t�j�}�x�t�|��D]�}�y!�|��j�j�|��}�|�j���PWqK�t�j �k
�r} �|�|�d�k�r���n��| �j
���}
�|
�t�j
�k�rý�t
�j
�t�d��i�|�d�6|�d�d�6|�d�6d �|�t�j�d��qt
�j�d
�|�d �|�PqK�XqK�Wq�Wd
�S(
���s
���Clear out the nwfilter rules.R7���RS���RT���i���sI���Failed to undefine network filter %(name)s. Try %(cnt)d of %(max_retry)d.Rc���t���cntt ���max_retryR���s
���The nwfilter(%s) is not found.N(���RU���RV���RA���t���live_migration_retry_countt���rangeRe���Rf���t���undefineR
���Rt���Rv���t���VIR_ERR_OPERATION_INVALIDR���R$���R���R����t���sleepRl���(
���R���R���R���R-���RY���RZ���R���R~���t���_nwRd���R|���(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyt���unfilter_instance��s.����
c���������C���s"���|�s�d�|��j��Sd�|��j��|�f�S(���Ns���nova-instance-%ss���nova-instance-%s-%s(���Rc���(���R���RY���(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyRV���8��s����
c���������C���s���x�|�D]�}�|�d�j��d�d��}�|��j�|�|��}�y�|��j�j�|��Wq�t�j�k
�r�|�j�}�t�j�d�i�|�d�6|�d�6d�|�t �SXq�Wt
�S(���s(���Check nova-instance-instance-xxx exists.R7���RS���RT���s@���The nwfilter(%(instance_filter_name)s) for%(name)s is not found.RZ���Rc���R���(
���RU���RV���Re���Rf���R
���Rt���Rc���R���Rl���R���R'���(���R���R���R���R-���RY���RZ���Rc���(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyt���instance_filter_exists>��s����
N(���t���__name__t
���__module__t���__doc__R���R���R
���t���propertyRe���R ���R ���R0���RR���R*���R&���R%���Ra���R
���R)���R���t
���staticmethodR
���RV���R���(����(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyR ���'���s&���
+ "t���IptablesFirewallDriverc�����������B���s8���e��Z�d�d���Z�d���Z�d���Z�d���Z�d���Z�RS(���c���������K���s-���t��t�|���j�|���t�|�d��|��_�d�S(���s��Create an IP tables firewall driver instance
:param execute: unused, pass None
:param kwargs: extra arguments
The @kwargs parameter must contain a key 'host' that
maps to an instance of the nova.virt.libvirt.host.Host
class.
R���N(���t���superR���R���R ���t���nwfilter(���R���t���executeR���(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyR���Q��s����
c���������C���s���|��j��j�|�|��d�S(���s���Set up basic NWFilter.N(���R���R0���(���R���R���R���(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyR0���_��s����c���������C���s���d�S(���s5���No-op. Everything is done in prepare_instance_filter.N(����(���R���R���R���(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyR���c��s����c���������C���se���|��j��j�|�j�d���rH�|��j�|��|��j�j���|��j�j�|�|��n�t �j
�t
�d��d�|�d��S(���Ns4���Attempted to unfilter instance which is not filteredR���(
���t
���instance_infot���popt���idR
���t���remove_filters_for_instancet���iptablest���applyR���R���R���R$���R���(���R���R���R���(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyR���g��s
����
c���������C���s���|��j��j�|�|��S(���s(���Check nova-instance-instance-xxx exists.(���R���R���(���R���R���R���(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyR���r��s����N(���R���R���R
���R���R0���R���R���R���(����(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyR���P��s
���
("���R
���t���eventletR����t���lxmlR���t���oslo_logR���t���loggingt
���oslo_utilsR���R���t���nova.cloudpipeR���t ���nova.conft���novat ���nova.i18nR���R���t���nova.virt.firewallt���virtt���firewallt
���base_firewallt ���nova.virtR���t ���getLoggerR���R���t���confRA���R
���R
���t���FirewallDriverR ���R���(����(����(����sO���/home/tvault/.virtenv/lib/python2.7/site-packages/nova/virt/libvirt/firewall.pyt���<module>���s"���
ÿ�*