Use of com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.PolicyCommand in project vespa by vespa-engine.
The class Acl, method toCommands (builds the iptables command list for one container ACL).
/**
 * Builds the iptables command list that installs this ACL.
 *
 * <p>The list is ordered: default policies first (INPUT and FORWARD drop, OUTPUT accept),
 * then the INPUT rules that accept established/related traffic, loopback and ICMPv6, then one
 * accept rule per trusted IPv6 container address, and finally a catch-all REJECT so unmatched
 * INPUT packets are rejected explicitly rather than silently dropped by policy.
 *
 * @return the commands, in the order they must be applied
 */
public List<Command> toCommands() {
    final ImmutableList.Builder<Command> rules = ImmutableList.builder();

    // Default policies: anything not matched by a rule below is handled by these.
    rules.add(new PolicyCommand(Chain.INPUT, Action.DROP));
    rules.add(new PolicyCommand(Chain.FORWARD, Action.DROP));
    rules.add(new PolicyCommand(Chain.OUTPUT, Action.ACCEPT));

    // Replies and follow-on packets of connections that are already established.
    rules.add(new FilterCommand(Chain.INPUT, Action.ACCEPT)
            .withOption("-m", "state")
            .withOption("--state", "RELATED,ESTABLISHED"));
    // Loopback traffic is always allowed.
    rules.add(new FilterCommand(Chain.INPUT, Action.ACCEPT).withOption("-i", "lo"));
    // All ICMPv6 is allowed: IPv6 routing (e.g. path MTU discovery) does not work without it.
    rules.add(new FilterCommand(Chain.INPUT, Action.ACCEPT).withOption("-p", "ipv6-icmp"));

    // One /128 accept rule per trusted container. Only IPv6 addresses are considered, so any
    // IPv4 address in the specs gets no rule here. NOTE(review): the address is later embedded
    // verbatim in a shell command line by the caller (AclMaintainer), so isIpv6 is the only
    // check between the spec and the shell — confirm it accepts literal IPv6 addresses only.
    containerAclSpecs.stream()
            .map(ContainerAclSpec::ipAddress)
            .filter(Acl::isIpv6)
            .forEach(trustedAddress -> rules.add(
                    new FilterCommand(Chain.INPUT, Action.ACCEPT)
                            .withOption("-s", String.format("%s/128", trustedAddress))));

    // Explicit REJECT at the end so packets that would otherwise fall through to the INPUT
    // policy are matched here instead. REJECT is not a valid policy action, otherwise the
    // policy itself would be set to REJECT and this rule could go.
    rules.add(new FilterCommand(Chain.INPUT, Action.REJECT));
    return rules.build();
}
Use of com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.PolicyCommand in project vespa by vespa-engine.
The class AclMaintainer, method applyAcl (runs the ACL's commands in a container's network namespace, with rollback on failure).
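/**
 * Applies the given ACL inside the network namespace of the named container.
 *
 * <p>Nothing is done if the ACL is already recorded as active for the container. Otherwise the
 * INPUT chain is flushed and the ACL's commands are run as one shell invocation; the ACL is
 * recorded as active only if that invocation succeeds. On failure a rollback resets the INPUT
 * policy to ACCEPT so the container is not left cut off by the DROP policy the ACL installs.
 *
 * @param containerName container whose network namespace is modified
 * @param acl           ACL to apply
 */
private void applyAcl(ContainerName containerName, Acl acl) {
    if (isAclActive(containerName, acl)) {
        return;
    }
    final Command flush = new FlushCommand(Chain.INPUT);
    final Command rollback = new PolicyCommand(Chain.INPUT, Action.ACCEPT);
    try {
        // Chain the commands with '&&' so the sequence stops at the first failing iptables
        // command and the shell's exit status reflects that failure. Joined with ';' only the
        // last command's status would be visible: a failed rule in the middle (e.g. a trusted
        // container's ACCEPT rule) could go unnoticed, the ACL would still be recorded as
        // active below, and the broken state would never be retried.
        // NOTE(review): this relies on executeCommandInNetworkNamespace throwing on a non-zero
        // exit status — confirm.
        String commands = Stream.concat(Stream.of(flush), acl.toCommands().stream())
                .map(command -> command.asString(IPTABLES_COMMAND))
                .collect(Collectors.joining(" && "));
        log.debug("Running ACL command '" + commands + "' in " + containerName.asString());
        dockerOperations.executeCommandInNetworkNamespace(containerName, "/bin/sh", "-c", commands);
        containerAcls.put(containerName, acl);
    } catch (Exception e) {
        log.error("Exception occurred while configuring ACLs for " + containerName.asString() + ", attempting rollback", e);
        try {
            // Fail-open rollback: only the INPUT policy is reset to ACCEPT. Rules already
            // appended before the failure stay in place; since the trailing REJECT rule is the
            // last command, a failure before it leaves the container reachable rather than
            // isolated until the next successful apply.
            dockerOperations.executeCommandInNetworkNamespace(containerName, rollback.asArray(IPTABLES_COMMAND));
        } catch (Exception ne) {
            log.error("Rollback of ACLs for " + containerName.asString() + " failed, giving up", ne);
        }
    }
}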