
Example 1 with IptablesFilterEntry

Use of org.platformlayer.ops.firewall.scripts.IptablesFilterEntry in project platformlayer by platformlayer.

From the class PlatformLayerFirewallEntry, method addChildren.

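/**
 * Adds the child operations that realise this firewall entry on the destination machine.
 *
 * <p>The destination is resolved through a {@code MachineResolver} for {@code destItem}; every
 * generated {@code IptablesFilterEntry} is attached to that resolver. The source of the rule is
 * chosen in this order:
 * <ol>
 *   <li>{@code sourceCidr} set: one entry per transport with that CIDR;</li>
 *   <li>otherwise {@code sourceItemKey} set: a {@code LateBound} entry whose source CIDR is the
 *       single address of the source item's machine, looked up when the entry is realised;</li>
 *   <li>otherwise: a wildcard entry with no source restriction at all.</li>
 * </ol>
 * When {@code transport} is unset it is inferred from {@code sourceCidr}; if that is unset too,
 * an entry is emitted for every transport returned by {@code Transport.all()}.
 *
 * @throws OpsException propagated from the helpers this method calls (resolver, item lookup)
 */
@Override
protected void addChildren() throws OpsException {
    // TODO: Need to register a dependency on destItem?
    MachineResolver dest = MachineResolver.build(destItem);
    addChild(dest);

    // Infer the address family from the source CIDR when the caller did not pin a transport.
    // NOTE: this writes the *field* transport, not a local; kept that way in case the inferred
    // value is read elsewhere after addChildren() has run.
    if (transport == null && !Strings.isNullOrEmpty(sourceCidr)) {
        IpRange range = IpRange.parse(sourceCidr);
        transport = range.isIpv6() ? Transport.Ipv6 : Transport.Ipv4;
    }

    // Still no transport (no CIDR either) => emit the rule for every address family.
    List<Transport> transports;
    if (transport == null) {
        transports = Transport.all();
    } else {
        transports = Collections.singletonList(transport);
    }

    for (final Transport ruleTransport : transports) {
        if (!Strings.isNullOrEmpty(sourceCidr)) {
            // Explicit source CIDR: the entry can be built right away.
            // NOTE(review): when transport was set explicitly, the CIDR's family is not checked
            // against it here; a mismatch would only surface in the generated rule.
            IptablesFilterEntry entry = dest.addChild(IptablesFilterEntry.class);
            fillEntry(entry, ruleTransport);
            entry.sourceCidr = sourceCidr;
        } else if (sourceItemKey != null) {
            // Source given as an item: its address is only known when the entry is realised,
            // so the lookup is deferred via LateBound.
            LateBound<IptablesFilterEntry> entry = new LateBound<IptablesFilterEntry>() {

                @Override
                public IptablesFilterEntry get() throws OpsException {
                    ItemBase sourceItem = platformLayerHelpers.getItem(sourceItemKey);
                    NetworkPoint targetNetworkPoint = NetworkPoint.forTargetInContext();
                    // On delete a missing source machine is tolerated (nothing left to filter).
                    boolean required = !OpsContext.isDelete();
                    Machine sourceMachine = instanceHelpers.getMachine(sourceItem, required);
                    if (sourceMachine == null) {
                        // TODO: Store by key? Delete by key?
                        log.warn("Source machine not found for firewall rule; assuming already deleted");
                        return null;
                    }
                    List<InetAddress> addresses = sourceMachine.getNetworkPoint().findAddresses(targetNetworkPoint);
                    String resolvedCidr = singleHostCidr(addresses, ruleTransport);
                    if (resolvedCidr == null) {
                        // The source has no address of this family: no rule for this transport.
                        return null;
                    }
                    IptablesFilterEntry built = injected(IptablesFilterEntry.class);
                    fillEntry(built, ruleTransport);
                    built.sourceCidr = resolvedCidr;
                    return built;
                }

                @Override
                public String getDescription() throws Exception {
                    return "Firewall rules";
                }
            };
            dest.addChild(entry);
        } else {
            // Both empty => wildcard: no sourceCidr is set, so the port is reachable from any
            // source address of this transport. Callers should make sure that is intended.
            IptablesFilterEntry entry = dest.addChild(IptablesFilterEntry.class);
            fillEntry(entry, ruleTransport);
        }
    }
    // TODO: Add source rules??
}

/**
 * Copies the attributes shared by every entry this class generates (port, protocol, transport
 * and the rule key taken from {@code uniqueId}). {@code sourceCidr} is deliberately left to the
 * caller so the wildcard entry keeps it untouched.
 *
 * @param entry          the freshly created entry to populate
 * @param entryTransport the transport the entry applies to
 */
private void fillEntry(IptablesFilterEntry entry, Transport entryTransport) {
    entry.port = port;
    entry.protocol = protocol;
    entry.transport = entryTransport;
    entry.ruleKey = uniqueId;
}

/**
 * Reduces the source machine's addresses to a single-host CIDR of the wanted family.
 *
 * <p>{@code Transport.Ipv4} keeps only IPv4 addresses and yields a {@code /32}; any other
 * transport keeps only IPv6 addresses and yields a {@code /128}. The list passed in is filtered
 * in place (as the original inline code did).
 *
 * @param addresses candidate addresses; modified in place
 * @param wanted    transport whose address family is wanted
 * @return the host CIDR, or {@code null} when no address of that family remains
 * @throws IllegalStateException when more than one address of that family remains
 *                               (selecting among several is not implemented)
 */
private static String singleHostCidr(List<InetAddress> addresses, Transport wanted) {
    boolean ipv4 = wanted == Transport.Ipv4;
    if (ipv4) {
        Iterables.removeIf(addresses, InetAddressUtils.IS_IPV6);
    } else {
        Iterables.removeIf(addresses, InetAddressUtils.IS_IPV4);
    }
    if (addresses.isEmpty()) {
        return null;
    }
    if (addresses.size() != 1) {
        throw new IllegalStateException("Not implemented");
    }
    return addresses.get(0).getHostAddress() + (ipv4 ? "/32" : "/128");
}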

Example 2 with IptablesFilterEntry

Use of org.platformlayer.ops.firewall.scripts.IptablesFilterEntry in project platformlayer by platformlayer.

From the class IpsecInstall, method addChildren.

/**
 * Declares the child operations of a racoon IPsec install, in apply order: the racoon package,
 * its configuration files, the bootstrap step, then for each transport the iptables entries for
 * IKE (UDP/500) and ESP plus an inbound "ipsec" policy rule, and finally the managed service.
 *
 * <p>Rule keys are prefixed with the transport key and suffixed with the item's uuid
 * (obtained, or created, through {@code platformLayerClient}) so they stay unique per item.
 *
 * @throws OpsException propagated from the helpers this method calls
 */
@Override
protected void addChildren() throws OpsException {
    addChild(PackageDependency.build("racoon"));
    addChild(SimpleFile.build(getClass(), new File("/etc/racoon/racoon.conf")));
    // addChild(SimpleFile.build(getClass(), new File("/etc/racoon/psk.txt")));
    addChild(SimpleFile.build(getClass(), new File("/etc/ipsec-tools.conf")));
    addChild(IpsecBootstrap.class);

    ItemBase model = OpsContext.get().getInstance(ItemBase.class);
    String uuid = platformLayerClient.getOrCreateUuid(model).toString();

    // TODO: Rationalize between our complicated version that can open cloud ports, and this streamlined version
    for (Transport transport : Transport.all()) {
        String keyPrefix = transport.getKey() + "-";

        // IKE on UDP/500.
        IptablesFilterEntry ike = addChild(IptablesFilterEntry.class);
        ike.port = 500;
        ike.protocol = Protocol.Udp;
        ike.ruleKey = keyPrefix + "ike-" + uuid;
        ike.transport = transport;

        // ESP: protocol-level rule, no port is set.
        // TODO: Do we want to open NAT-T (4500?)
        IptablesFilterEntry esp = addChild(IptablesFilterEntry.class);
        esp.protocol = Protocol.Esp;
        esp.ruleKey = keyPrefix + "esp-" + uuid;
        esp.transport = transport;

        // AH is intentionally not opened: an iptables allow for AH doesn't seem to work.
        // (Was: AllowProtocol allowAh = addChild(AllowProtocol.class); allowAh.protocol = Protocol.Ah;
        //  allowAh.uuid = "ah-" + uuid;)

        // Inbound policy rule matching the "ipsec" policy.
        IptablesFilterPolicy inboundIpsec = addChild(IptablesFilterPolicy.class);
        inboundIpsec.direction = Direction.In;
        inboundIpsec.policy = "ipsec";
        inboundIpsec.ruleKey = keyPrefix + "ipsec-" + uuid;
        inboundIpsec.transport = transport;
    }

    addChild(ManagedService.build("racoon"));
}
