Example 1 with PolicyCommand

Use of com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.PolicyCommand in project vespa by vespa-engine.

The class Acl, method toCommands.

public List<Command> toCommands() {
    final ImmutableList.Builder<Command> commands = ImmutableList.builder();
    commands.add(
            // Default policies. Packets that do not match any rules will be processed according to policy.
            new PolicyCommand(Chain.INPUT, Action.DROP),
            new PolicyCommand(Chain.FORWARD, Action.DROP),
            new PolicyCommand(Chain.OUTPUT, Action.ACCEPT),
            // Allow packets belonging to established connections
            new FilterCommand(Chain.INPUT, Action.ACCEPT)
                    .withOption("-m", "state")
                    .withOption("--state", "RELATED,ESTABLISHED"),
            // Allow any loopback traffic
            new FilterCommand(Chain.INPUT, Action.ACCEPT).withOption("-i", "lo"),
            // Allow IPv6 ICMP packets. This is required for IPv6 routing (e.g. path MTU) to work correctly.
            new FilterCommand(Chain.INPUT, Action.ACCEPT).withOption("-p", "ipv6-icmp"));
    // Allow traffic from trusted containers
    containerAclSpecs.stream()
            .map(ContainerAclSpec::ipAddress)
            .filter(Acl::isIpv6)
            .map(ipAddress -> new FilterCommand(Chain.INPUT, Action.ACCEPT)
                    .withOption("-s", String.format("%s/128", ipAddress)))
            .forEach(commands::add);
    // Reject all other packets. This means that packets that would otherwise be processed according to policy are
    // matched by the following rule.
    //
    // Ideally, we want to set the INPUT policy to REJECT and get rid of this rule, but unfortunately REJECT is not
    // a valid policy action.
    commands.add(new FilterCommand(Chain.INPUT, Action.REJECT));
    return commands.build();
}
Also used:
Objects (java.util.Objects)
Inet6Address (java.net.Inet6Address)
List (java.util.List)
ImmutableList (com.google.common.collect.ImmutableList)
InetAddresses (com.google.common.net.InetAddresses)
PolicyCommand (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.PolicyCommand)
FilterCommand (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.FilterCommand)
Command (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.Command)
Chain (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.Chain)
Action (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.Action)
ContainerAclSpec (com.yahoo.vespa.hosted.node.admin.ContainerAclSpec)

Example 2 with PolicyCommand

Use of com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.PolicyCommand in project vespa by vespa-engine.

The class AclMaintainer, method applyAcl.

private void applyAcl(ContainerName containerName, Acl acl) {
    // Nothing to do if the desired ACL is already in effect for this container
    if (isAclActive(containerName, acl)) {
        return;
    }
    // The INPUT chain is flushed before the new rules are installed; the rollback command resets the
    // INPUT policy to ACCEPT so that a partially applied ACL does not leave the container unreachable.
    final Command flush = new FlushCommand(Chain.INPUT);
    final Command rollback = new PolicyCommand(Chain.INPUT, Action.ACCEPT);
    try {
        // Flush followed by all ACL commands, joined into a single shell command line
        String commands = Stream.concat(Stream.of(flush), acl.toCommands().stream())
                .map(command -> command.asString(IPTABLES_COMMAND))
                .collect(Collectors.joining("; "));
        log.debug("Running ACL command '" + commands + "' in " + containerName.asString());
        dockerOperations.executeCommandInNetworkNamespace(containerName, "/bin/sh", "-c", commands);
        containerAcls.put(containerName, acl);
    } catch (Exception e) {
        log.error("Exception occurred while configuring ACLs for " + containerName.asString() + ", attempting rollback", e);
        try {
            dockerOperations.executeCommandInNetworkNamespace(containerName, rollback.asArray(IPTABLES_COMMAND));
        } catch (Exception ne) {
            log.error("Rollback of ACLs for " + containerName.asString() + " failed, giving up", ne);
        }
    }
}
Also used:
HashMap (java.util.HashMap)
Map (java.util.Map)
List (java.util.List)
Optional (java.util.Optional)
Stream (java.util.stream.Stream)
Collectors (java.util.stream.Collectors)
Pair (com.yahoo.collections.Pair)
ContainerName (com.yahoo.vespa.hosted.dockerapi.ContainerName)
DockerOperations (com.yahoo.vespa.hosted.node.admin.docker.DockerOperations)
NodeRepository (com.yahoo.vespa.hosted.node.admin.configserver.noderepository.NodeRepository)
PrefixLogger (com.yahoo.vespa.hosted.node.admin.util.PrefixLogger)
ContainerAclSpec (com.yahoo.vespa.hosted.node.admin.ContainerAclSpec)
PolicyCommand (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.PolicyCommand)
FlushCommand (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.FlushCommand)
Command (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.Command)
Chain (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.Chain)
Action (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.Action)

Aggregations

ContainerAclSpec (com.yahoo.vespa.hosted.node.admin.ContainerAclSpec) 2
Action (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.Action) 2
Chain (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.Chain) 2
Command (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.Command) 2
PolicyCommand (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.PolicyCommand) 2
List (java.util.List) 2
ImmutableList (com.google.common.collect.ImmutableList) 1
InetAddresses (com.google.common.net.InetAddresses) 1
Pair (com.yahoo.collections.Pair) 1
ContainerName (com.yahoo.vespa.hosted.dockerapi.ContainerName) 1
NodeRepository (com.yahoo.vespa.hosted.node.admin.configserver.noderepository.NodeRepository) 1
DockerOperations (com.yahoo.vespa.hosted.node.admin.docker.DockerOperations) 1
FilterCommand (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.FilterCommand) 1
FlushCommand (com.yahoo.vespa.hosted.node.admin.maintenance.acl.iptables.FlushCommand) 1
PrefixLogger (com.yahoo.vespa.hosted.node.admin.util.PrefixLogger) 1
Inet6Address (java.net.Inet6Address) 1
HashMap (java.util.HashMap) 1
Map (java.util.Map) 1
Objects (java.util.Objects) 1
Optional (java.util.Optional) 1