
Example 1 with Transport

use of org.platformlayer.ops.firewall.Transport in project platformlayer by platformlayer.

the class IptablesSimpleRuleBase method handler.

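/**
 * Reconciles the iptables rules owned by this entry with the desired state on {@code target}.
 *
 * <p>Managed rules are located by an iptables comment of the form
 * {@code pl-<uuid>-<protocol>} rather than by parsing the whole rule set, so that comment
 * is the only key used to find, keep or delete a rule. When the {@code protocol} field is
 * unset the rule is applied for TCP and UDP; when the {@code transport} field is unset it
 * is applied on every transport returned by {@link Transport#all()}.
 *
 * <p>In configure mode a rule that has no correct match is appended ({@code -A}) with the
 * managing comment; in delete mode every rule carrying the comment is removed via its
 * delete spec.
 *
 * @param target the host whose firewall is being managed
 * @throws OpsException propagated from listing rules or executing iptables on the target
 */
@Handler
public void handler(OpsTarget target) throws OpsException {
    // We deliberately avoid parsing everything (as IpTablesManager does): the managing
    // comment is the only thing we match on.
    List<Protocol> protocols;
    if (protocol == null) {
        protocols = Arrays.asList(Protocol.Tcp, Protocol.Udp);
    } else {
        protocols = Collections.singletonList(protocol);
    }

    List<Transport> transports;
    if (transport == null) {
        transports = Transport.all();
    } else {
        transports = Collections.singletonList(transport);
    }

    IptablesChain chain = getChain();

    // Loop variables are named so they do not shadow the 'transport' and 'protocol'
    // fields consulted above.
    for (Transport ruleTransport : transports) {
        SimpleIptablesRules rules = SimpleIptablesRules.listRules(target, ruleTransport, chain);
        for (Protocol ruleProtocol : protocols) {
            String comment = "pl-" + uuid + "-" + ruleProtocol.toString().toLowerCase();
            SimpleIptablesRules matches = rules.filterByComment(comment);
            if (matches.size() > 1) {
                log.warn("Found multiple matching rules: " + Joiner.on("\n").join(matches));
            }

            if (OpsContext.isConfigure()) {
                List<SimpleIptablesRule> correct = checkMatchingRules(matches, ruleProtocol);
                if (correct.isEmpty()) {
                    String ruleSpec = buildRuleSpec(ruleProtocol);
                    Command command = SimpleIptablesRules.buildCommand(ruleTransport, chain);
                    command.addLiteral("-A").addLiteral(ruleSpec);
                    // The comment is what later runs use to find this rule again.
                    command.addLiteral("-m").addLiteral("comment");
                    command.addLiteral("--comment").addQuoted(comment);
                    target.executeCommand(command);
                } else {
                    log.info("Found existing rule: " + Joiner.on("\n").join(matches));
                }
            }

            if (OpsContext.isDelete()) {
                // Iterating an empty match set is a no-op, so no emptiness guard is needed.
                for (SimpleIptablesRule rule : matches) {
                    log.info("Deleting rule: " + rule);
                    String deleteRuleSpec = rule.convertToDeleteSpec();
                    Command command = SimpleIptablesRules.buildCommand(ruleTransport, chain);
                    command.addLiteral(deleteRuleSpec);
                    target.executeCommand(command);
                }
            }
        }
    }
}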
Also used : Command(org.platformlayer.ops.Command) IptablesChain(org.platformlayer.ops.firewall.IptablesChain) Protocol(org.platformlayer.ops.firewall.Protocol) Transport(org.platformlayer.ops.firewall.Transport) Handler(org.platformlayer.ops.Handler)

Example 2 with Transport

use of org.platformlayer.ops.firewall.Transport in project platformlayer by platformlayer.

the class PlatformLayerFirewallEntry method addChildren.

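/**
 * Builds the iptables filter entries for this firewall rule on the destination machine.
 *
 * <p>The transport (IPv4/IPv6) comes from the {@code transport} field. When it is unset and
 * a {@code sourceCidr} is given, it is derived from the CIDR's address family; the derived
 * value is written back to the {@code transport} field, as before. When it is still unset,
 * one entry is created per transport in {@link Transport#all()}.
 *
 * <p>The source of each entry is chosen in priority order: an explicit {@code sourceCidr};
 * otherwise the single address of {@code sourceItemKey}, resolved through a
 * {@link LateBound} when its {@code get()} is evaluated; otherwise a wildcard entry.
 *
 * @throws OpsException propagated from resolving the destination or adding children
 */
@Override
protected void addChildren() throws OpsException {
    // TODO: Need to register a dependency on destItem?
    MachineResolver dest = MachineResolver.build(destItem);
    addChild(dest);

    if (transport == null && !Strings.isNullOrEmpty(sourceCidr)) {
        // NOTE(review): sourceCidr is only parsed (and thus validated) on this path; when a
        // transport is set explicitly it is passed through to the entry unparsed. Consider
        // parsing it unconditionally.
        IpRange range = IpRange.parse(sourceCidr);
        transport = range.isIpv6() ? Transport.Ipv6 : Transport.Ipv4;
    }

    List<Transport> transports;
    if (transport == null) {
        transports = Transport.all();
    } else {
        transports = Collections.singletonList(transport);
    }

    // Named 'ruleTransport' so it does not shadow the field consulted above; it is final
    // because the LateBound below captures it.
    for (final Transport ruleTransport : transports) {
        if (!Strings.isNullOrEmpty(sourceCidr)) {
            IptablesFilterEntry entry = dest.addChild(IptablesFilterEntry.class);
            entry.port = port;
            entry.sourceCidr = sourceCidr;
            entry.protocol = protocol;
            entry.transport = ruleTransport;
            entry.ruleKey = uniqueId;
        } else if (sourceItemKey != null) {
            LateBound<IptablesFilterEntry> entry = new LateBound<IptablesFilterEntry>() {

                @Override
                public IptablesFilterEntry get() throws OpsException {
                    ItemBase sourceItem = platformLayerHelpers.getItem(sourceItemKey);
                    NetworkPoint targetNetworkPoint = NetworkPoint.forTargetInContext();
                    // On delete a vanished source machine is tolerated; otherwise it is required.
                    boolean required = !OpsContext.isDelete();
                    Machine sourceMachine = instanceHelpers.getMachine(sourceItem, required);
                    if (sourceMachine == null) {
                        // TODO: Store by key? Delete by key?
                        log.warn("Source machine not found for firewall rule; assuming already deleted");
                        return null;
                    }
                    List<InetAddress> addresses = sourceMachine.getNetworkPoint().findAddresses(targetNetworkPoint);
                    String resolvedCidr = toSingleHostCidr(addresses, ruleTransport);
                    if (resolvedCidr == null) {
                        // No address of the wanted family: nothing to open.
                        return null;
                    }
                    IptablesFilterEntry entry = injected(IptablesFilterEntry.class);
                    entry.port = port;
                    entry.sourceCidr = resolvedCidr;
                    entry.protocol = protocol;
                    entry.transport = ruleTransport;
                    entry.ruleKey = uniqueId;
                    return entry;
                }

                @Override
                public String getDescription() throws Exception {
                    return "Firewall rules";
                }
            };
            dest.addChild(entry);
        } else {
            // Both empty => wildcard
            IptablesFilterEntry entry = dest.addChild(IptablesFilterEntry.class);
            entry.port = port;
            entry.protocol = protocol;
            entry.transport = ruleTransport;
            entry.ruleKey = uniqueId;
        }
    }
    // TODO: Add source rules??
}

/**
 * Reduces the candidate addresses to a single-host CIDR for the given transport.
 *
 * <p>Addresses of the other family are removed from {@code addresses} in place, exactly as
 * the previously inlined code did.
 *
 * @param addresses candidate addresses; filtered in place
 * @param transport {@link Transport#Ipv4} selects IPv4 with a /32 mask; any other value
 *     selects IPv6 with a /128 mask
 * @return the host CIDR, or {@code null} when no address of the wanted family remains
 * @throws IllegalStateException when more than one matching address remains (not yet supported)
 */
private static String toSingleHostCidr(List<InetAddress> addresses, Transport transport) {
    boolean ipv4 = (transport == Transport.Ipv4);
    if (ipv4) {
        Iterables.removeIf(addresses, InetAddressUtils.IS_IPV6);
    } else {
        Iterables.removeIf(addresses, InetAddressUtils.IS_IPV4);
    }
    if (addresses.isEmpty()) {
        return null;
    }
    if (addresses.size() != 1) {
        throw new IllegalStateException("Not implemented");
    }
    return addresses.get(0).getHostAddress() + (ipv4 ? "/32" : "/128");
}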
Also used : IpRange(org.platformlayer.ops.networks.IpRange) OpsException(org.platformlayer.ops.OpsException) ItemBase(org.platformlayer.core.model.ItemBase) IptablesFilterEntry(org.platformlayer.ops.firewall.scripts.IptablesFilterEntry) NetworkPoint(org.platformlayer.ops.networks.NetworkPoint) Machine(org.platformlayer.ops.Machine) OpsException(org.platformlayer.ops.OpsException) List(java.util.List) Transport(org.platformlayer.ops.firewall.Transport) LateBound(org.platformlayer.ops.tree.LateBound)

Example 3 with Transport

use of org.platformlayer.ops.firewall.Transport in project platformlayer by platformlayer.

the class NetworkConnectionController method addChildren.

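/**
 * Creates one {@link PlatformLayerFirewallEntry} per destination port for the
 * {@link NetworkConnection} being applied.
 *
 * <p>Ports come either from {@code model.port} (when non-zero) or from the destination
 * item's {@code HasPorts} provider. {@code model.protocol} is parsed case-insensitively and
 * defaults to TCP when absent. {@code model.transport} is currently not honoured: the
 * transport is left {@code null}, which {@code PlatformLayerFirewallEntry} expands to all
 * transports.
 *
 * @throws OpsException propagated from resolving the destination item or adding children
 */
@Override
protected void addChildren() throws OpsException {
    NetworkConnection model = ops.getInstance(NetworkConnection.class);

    // TODO: Support UDP? Both the explicit-port and the HasPorts path default to TCP.
    Protocol protocol;
    if (model.protocol != null) {
        protocol = EnumUtils.valueOfCaseInsensitive(Protocol.class, model.protocol);
    } else {
        protocol = Protocol.Tcp;
    }

    // TODO: map model.transport onto Transport (case-insensitively, like protocol).
    // Until then null means "all transports" downstream.
    Transport transport = null;

    List<Integer> ports = Lists.newArrayList();
    if (model.port != 0) {
        ports.add(model.port);
    } else {
        ItemBase destItem = platformLayer.getItem(model.destItem);
        HasPorts hasPorts = providers.toInterface(destItem, HasPorts.class);
        ports.addAll(hasPorts.getPorts());
    }

    UUID uniqueId = platformLayer.getOrCreateUuid(model);
    for (int port : ports) {
        PlatformLayerFirewallEntry net = injected(PlatformLayerFirewallEntry.class);
        net.destItem = model.destItem;
        net.port = port;
        net.sourceItemKey = model.sourceItem;
        net.sourceCidr = model.sourceCidr;
        net.protocol = protocol;
        net.transport = transport;
        // Per-port key so each entry is distinguishable from the others of this connection.
        net.uniqueId = port + "-" + uniqueId.toString();
        addChild(net);
    }
}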
Also used : HasPorts(org.platformlayer.ops.networks.HasPorts) ItemBase(org.platformlayer.core.model.ItemBase) NetworkConnection(org.platformlayer.service.network.model.NetworkConnection) Protocol(org.platformlayer.ops.firewall.Protocol) Transport(org.platformlayer.ops.firewall.Transport) UUID(java.util.UUID)

Example 4 with Transport

use of org.platformlayer.ops.firewall.Transport in project platformlayer by platformlayer.

the class IpsecInstall method addChildren.

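/** UDP port opened for IKE on every transport. */
private static final int IKE_PORT = 500;

/**
 * Installs racoon and opens the host firewall for IPsec.
 *
 * <p>For every transport in {@link Transport#all()} this opens IKE (UDP/500), allows the
 * ESP protocol and adds an inbound {@code "ipsec"} filter policy; each child gets a rule
 * key of the form {@code <transport-key>-<kind>-<uuid>} so the rules can be found again.
 * AH is deliberately not opened because an iptables allow for AH did not appear to work.
 *
 * @throws OpsException propagated from resolving the model or adding children
 */
@Override
protected void addChildren() throws OpsException {
    addChild(PackageDependency.build("racoon"));
    addChild(SimpleFile.build(getClass(), new File("/etc/racoon/racoon.conf")));
    // addChild(SimpleFile.build(getClass(), new File("/etc/racoon/psk.txt")));
    addChild(SimpleFile.build(getClass(), new File("/etc/ipsec-tools.conf")));
    addChild(IpsecBootstrap.class);

    ItemBase model = OpsContext.get().getInstance(ItemBase.class);
    String uuid = platformLayerClient.getOrCreateUuid(model).toString();

    // TODO: Rationalize between our complicated version that can open cloud ports, and this streamlined version
    for (Transport transport : Transport.all()) {
        String keyPrefix = transport.getKey() + "-";

        IptablesFilterEntry allowIke = addChild(IptablesFilterEntry.class);
        allowIke.port = IKE_PORT;
        allowIke.protocol = Protocol.Udp;
        allowIke.ruleKey = keyPrefix + "ike-" + uuid;
        allowIke.transport = transport;

        // TODO: Do we want to open NAT-T (4500?)
        IptablesFilterEntry allowEsp = addChild(IptablesFilterEntry.class);
        allowEsp.protocol = Protocol.Esp;
        allowEsp.ruleKey = keyPrefix + "esp-" + uuid;
        allowEsp.transport = transport;

        // AH iptables allow doesn't seem to work, so Protocol.Ah is intentionally not opened here.

        IptablesFilterPolicy allowPolicy = addChild(IptablesFilterPolicy.class);
        allowPolicy.direction = Direction.In;
        allowPolicy.policy = "ipsec";
        allowPolicy.ruleKey = keyPrefix + "ipsec-" + uuid;
        allowPolicy.transport = transport;
    }

    addChild(ManagedService.build("racoon"));
}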
Also used : ItemBase(org.platformlayer.core.model.ItemBase) Transport(org.platformlayer.ops.firewall.Transport) IptablesFilterEntry(org.platformlayer.ops.firewall.scripts.IptablesFilterEntry) IptablesFilterPolicy(org.platformlayer.ops.firewall.scripts.IptablesFilterPolicy) File(java.io.File) SimpleFile(org.platformlayer.ops.filesystem.SimpleFile)

Aggregations

Transport (org.platformlayer.ops.firewall.Transport)4 ItemBase (org.platformlayer.core.model.ItemBase)3 Protocol (org.platformlayer.ops.firewall.Protocol)2 IptablesFilterEntry (org.platformlayer.ops.firewall.scripts.IptablesFilterEntry)2 File (java.io.File)1 List (java.util.List)1 UUID (java.util.UUID)1 Command (org.platformlayer.ops.Command)1 Handler (org.platformlayer.ops.Handler)1 Machine (org.platformlayer.ops.Machine)1 OpsException (org.platformlayer.ops.OpsException)1 SimpleFile (org.platformlayer.ops.filesystem.SimpleFile)1 IptablesChain (org.platformlayer.ops.firewall.IptablesChain)1 IptablesFilterPolicy (org.platformlayer.ops.firewall.scripts.IptablesFilterPolicy)1 HasPorts (org.platformlayer.ops.networks.HasPorts)1 IpRange (org.platformlayer.ops.networks.IpRange)1 NetworkPoint (org.platformlayer.ops.networks.NetworkPoint)1 LateBound (org.platformlayer.ops.tree.LateBound)1 NetworkConnection (org.platformlayer.service.network.model.NetworkConnection)1