contego / home / tvault / .virtenv / lib / python2.7 / site-packages / nova / virt / libvirt / firewall.pyc
[Compiled Python 2.7 bytecode (.pyc) for nova/virt/libvirt/firewall.py. The file is binary; its code is not recoverable as source here. Only the readable strings it contains are kept below.]

Imports visible in the bytecode: eventlet.greenthread, lxml.etree, oslo_log (logging), oslo_utils (excutils, importutils), nova.cloudpipe.pipelib, nova.conf, nova.i18n (_LI, _LW), nova.virt.firewall (as base_firewall), nova.virt.netutils. The libvirt module is loaded lazily with importutils.import_module; on ImportError the driver logs "Libvirt module could not be loaded. NWFilterFirewall will not work correctly."

Class NWFilterFirewall (base_firewall.FirewallDriver)
    Docstring: "This class implements a network filtering mechanism by using libvirt's nwfilter. all instances get a filter ("nova-base") applied. This filter provides some basic security such as protection against MAC spoofing, IP spoofing, and ARP spoofing."
    Methods: __init__, apply_instance_filter, _get_connection, nova_no_nd_reflection_filter, nova_dhcp_filter, setup_basic_filtering, _get_instance_filter_parameters, _get_instance_filter_xml, get_base_filter_list, _ensure_static_filters, _filter_container, _get_filter_uuid, _define_filter, unfilter_instance, _instance_filter_name (static), instance_filter_exists.
    apply_instance_filter: "No-op. Everything is done in prepare_instance_filter."
    setup_basic_filtering: "Set up basic filtering (MAC, IP, and ARP spoofing protection)." Logs "Called setup_basic_filtering in nwfilter" and "Ensuring static filters", then defines one instance filter per VIF.
    get_base_filter_list: "Obtain a list of base filters to apply to an instance. The return value should be a list of strings, each specifying a filter name. Subclasses can override this function to add additional filters as needed. Additional filters added to the list must also be correctly defined within the subclass." The base filter is nova-vpn for VPN images, nova-base when DHCP is allowed, nova-nodhcp otherwise.
    _ensure_static_filters: "Static filters are filters that have no need to be IP aware. There is no configuration or tuneability of these filters, so they can be set up once and forgotten about." Static filter set: no-mac-spoofing, no-ip-spoofing, no-arp-spoofing, nova-no-nd-reflection, nova-nodhcp, allow-dhcp-server, nova-base, nova-vpn.
    Instance filter names: "nova-instance-%s" or, with a NIC id, "nova-instance-%s-%s". Instance filters are built from "<filter name='%s' chain='root'>", a <uuid>, and one <filterref filter='%s'> per base filter carrying <parameter name='%s' value='%s'/> entries for DHCPSERVER, RASERVER, PROJNET, PROJMASK, PROJNET6 and PROJMASK6.
    _define_filter tolerates libvirt's VIR_ERR_OPERATION_FAILED when the message contains "already exists with uuid". unfilter_instance ("Clear out the nwfilter rules.") retries undefine up to CONF.live_migration_retry_count times, logging "Failed to undefine network filter %(name)s. Try %(cnt)d of %(max_retry)d." and "The nwfilter(%s) is not found." instance_filter_exists: "Check nova-instance-instance-xxx exists."

    nova_no_nd_reflection_filter ("This filter protects false positives on IPv6 Duplicate Address Detection(DAD).") defines:

        <filter name='nova-no-nd-reflection' chain='ipv6'>
          <!-- no nd reflection -->
          <!-- drop if destination mac is v6 mcast mac addr and
               we sent it. -->
          <uuid>%s</uuid>
          <rule action='drop' direction='in'>
              <mac dstmacaddr='33:33:00:00:00:00'
                   dstmacmask='ff:ff:00:00:00:00' srcmacaddr='$MAC'/>
          </rule>
        </filter>

    nova_dhcp_filter ("The standard allow-dhcp-server filter is an <ip> one, so it uses ebtables to allow traffic through. Without a corresponding rule in iptables, it'll get blocked anyway.") defines:

        <filter name='nova-allow-dhcp-server' chain='ipv4'>
          <uuid>%s</uuid>
          <rule action='accept' direction='out'
                priority='100'>
            <udp srcipaddr='0.0.0.0'
                 dstipaddr='255.255.255.255'
                 srcportstart='68'
                 dstportstart='67'/>
          </rule>
          <rule action='accept' direction='in'
                priority='100'>
            <udp srcipaddr='$DHCPSERVER'
                 srcportstart='67'
                 dstportstart='68'/>
          </rule>
        </filter>

Class IptablesFirewallDriver (base_firewall.IptablesFirewallDriver)
    Docstring: "Create an IP tables firewall driver instance. :param execute: unused, pass None. :param kwargs: extra arguments. The @kwargs parameter must contain a key 'host' that maps to an instance of the nova.virt.libvirt.host.Host class."
    Holds an NWFilterFirewall and delegates setup_basic_filtering ("Set up basic NWFilter."), unfilter_instance and instance_filter_exists to it; apply_instance_filter is a no-op. Unfiltering an instance that was never filtered logs "Attempted to unfilter instance which is not filtered".