opennebula-5.2.1-securitygroup6.diff
| opennebula-5.2.1-securitygroup6/share/pkgs/CentOS/opennebula.sudoers 2017-03-13 09:34:45.707235990 -0500 | ||
|---|---|---|
| 2 | 2 |
Defaults:oneadmin secure_path = /sbin:/bin:/usr/sbin:/usr/bin |
| 3 | 3 | |
| 4 | 4 |
Cmnd_Alias ONE_MISC = /bin/dd, /sbin/mkfs, /bin/sync, /sbin/mkswap |
| 5 |
Cmnd_Alias ONE_NET = /usr/sbin/brctl, /sbin/ebtables, /sbin/iptables, /sbin/ip, /usr/sbin/ipset |
|
| 5 |
Cmnd_Alias ONE_NET = /usr/sbin/brctl, /sbin/ebtables, /sbin/iptables, /sbin/ip6tables, /sbin/ip, /usr/sbin/ipset
|
|
| 6 | 6 |
Cmnd_Alias ONE_LVM = /sbin/lvcreate, /sbin/lvremove, /sbin/lvs, /sbin/vgdisplay, /sbin/lvchange, /sbin/lvscan |
| 7 | 7 |
Cmnd_Alias ONE_ISCSI = /sbin/iscsiadm, /usr/sbin/tgt-admin, /usr/sbin/tgtadm |
| 8 | 8 |
Cmnd_Alias ONE_OVS = /usr/bin/ovs-ofctl, /usr/bin/ovs-vsctl |
| opennebula-5.2.1-securitygroup6/share/pkgs/Ubuntu/opennebula.sudoers 2017-03-13 09:34:45.707235990 -0500 | ||
|---|---|---|
| 2 | 2 |
Defaults:oneadmin secure_path = /sbin:/bin:/usr/sbin:/usr/bin |
| 3 | 3 | |
| 4 | 4 |
Cmnd_Alias ONE_MISC = /bin/dd, /sbin/mkfs, /bin/sync, /sbin/mkswap |
| 5 |
Cmnd_Alias ONE_NET = /sbin/brctl, /sbin/ebtables, /sbin/iptables, /sbin/ip, /sbin/ipset |
|
| 5 |
Cmnd_Alias ONE_NET = /sbin/brctl, /sbin/ebtables, /sbin/iptables, /sbin/ip6tables, /sbin/ip, /sbin/ipset
|
|
| 6 | 6 |
Cmnd_Alias ONE_LVM = /sbin/lvcreate, /sbin/lvremove, /sbin/lvs, /sbin/vgdisplay, /sbin/lvchange, /sbin/lvscan |
| 7 | 7 |
Cmnd_Alias ONE_ISCSI = /usr/bin/iscsiadm, /usr/sbin/tgt-admin, /usr/sbin/tgtadm |
| 8 | 8 |
Cmnd_Alias ONE_OVS = /usr/bin/ovs-ofctl, /usr/bin/ovs-vsctl |
| opennebula-5.2.1-securitygroup6/share/pkgs/openSUSE/opennebula.sudoers 2017-03-13 09:34:45.707235990 -0500 | ||
|---|---|---|
| 2 | 2 |
Defaults:oneadmin secure_path = /sbin:/bin:/usr/sbin:/usr/bin |
| 3 | 3 | |
| 4 | 4 |
Cmnd_Alias ONE_MISC = /usr/bin/dd, /sbin/mkfs, /usr/bin/sync |
| 5 |
Cmnd_Alias ONE_NET = /sbin/brctl, /usr/sbin/ebtables, /usr/sbin/iptables, /sbin/ip |
|
| 5 |
Cmnd_Alias ONE_NET = /sbin/brctl, /usr/sbin/ebtables, /usr/sbin/iptables, /usr/sbin/ip6tables, /sbin/ip
|
|
| 6 | 6 |
Cmnd_Alias ONE_LVM = /sbin/lvcreate, /sbin/lvremove, /sbin/lvs, /sbin/vgdisplay, /sbin/lvchange, /sbin/lvscan |
| 7 | 7 |
Cmnd_Alias ONE_ISCSI = /sbin/iscsiadm, /usr/sbin/tgt-admin, /usr/sbin/tgtadm |
| 8 | 8 |
Cmnd_Alias ONE_OVS = /usr/bin/ovs-ofctl, /usr/bin/ovs-vsctl |
| opennebula-5.2.1-securitygroup6/share/sudoers/sudo_commands.rb 2017-03-13 09:34:45.708235990 -0500 | ||
|---|---|---|
| 21 | 21 | |
| 22 | 22 |
CMDS = {
|
| 23 | 23 |
:MISC => %w(dd mkfs sync), |
| 24 |
:NET => %w(brctl ebtables iptables ip ipset), |
|
| 24 |
:NET => %w(brctl ebtables iptables ip6tables ip ipset),
|
|
| 25 | 25 |
:LVM => %w(lvcreate lvremove lvs vgdisplay lvchange lvscan), |
| 26 | 26 |
:ISCSI => %w(iscsiadm tgt-admin tgtadm), |
| 27 | 27 |
:OVS => %w(ovs-ofctl ovs-vsctl), |
| opennebula-5.2.1-securitygroup6/src/cli/one_helper/onesecgroup_helper.rb 2017-03-13 09:34:45.708235990 -0500 | ||
|---|---|---|
| 153 | 153 |
d["ICMP_TYPE"] |
| 154 | 154 |
end |
| 155 | 155 | |
| 156 |
column :ICMVP6_TYPE, "", :left, :size=>11 do |d| |
|
| 157 |
d["ICMPV6_TYPE"] |
|
| 158 |
end |
|
| 159 | ||
| 156 | 160 |
column :NETWORK, "", :left, :donottruncate, :size=>35 do |d| |
| 157 | 161 |
network = "" |
| 158 | 162 |
if(!d["NETWORK_ID"].nil? && d["NETWORK_ID"] != "") |
| opennebula-5.2.1-securitygroup6/src/secgroup/SecurityGroup.cc 2017-03-13 09:34:45.708235990 -0500 | ||
|---|---|---|
| 319 | 319 | |
| 320 | 320 |
one_util::toupper(proto); |
| 321 | 321 | |
| 322 |
if ( proto != "TCP" && proto != "UDP" && proto != "ICMP" && proto != "IPSEC"
|
|
| 323 |
&& proto != "ALL") |
|
| 322 |
if ( proto != "TCP" && proto != "UDP" && proto != "ICMP" && proto != "ICMPV6"
|
|
| 323 |
&& proto != "IPSEC" && proto != "ALL")
|
|
| 324 | 324 |
{
|
| 325 |
error = "Wrong PROTOCOL in rule. Valid options: TCP, UDP, ICMP, IPSEC,"
|
|
| 326 |
" ALL."; |
|
| 325 |
error = "Wrong PROTOCOL in rule. Valid options: TCP, UDP, ICMP, ICMPV6,"
|
|
| 326 |
" IPSEC, ALL.";
|
|
| 327 | 327 |
return false; |
| 328 | 328 |
} |
| 329 | 329 | |
| ... | ... | |
| 362 | 362 |
} |
| 363 | 363 |
} |
| 364 | 364 | |
| 365 |
value = rule->vector_value("ICMPV6_TYPE");
|
|
| 366 | ||
| 367 |
if (!value.empty()) |
|
| 368 |
{
|
|
| 369 |
if (proto != "ICMPV6") |
|
| 370 |
{
|
|
| 371 |
error = "ICMPV6_TYPE is supported only for ICMPV6 protocol."; |
|
| 372 |
return false; |
|
| 373 |
} |
|
| 374 | ||
| 375 |
if (rule->vector_value("ICMPV6_TYPE", ivalue) != 0)
|
|
| 376 |
{
|
|
| 377 |
error = "Wrong ICMPV6_TYPE, it must be integer"; |
|
| 378 |
return false; |
|
| 379 |
} |
|
| 380 |
} |
|
| 381 | ||
| 365 | 382 |
// ------------------------------------------------------------------------- |
| 366 | 383 |
// RULE_TYPE |
| 367 | 384 |
// ------------------------------------------------------------------------- |
| ... | ... | |
| 384 | 401 | |
| 385 | 402 |
if (!ip.empty()) //Target as IP & SIZE |
| 386 | 403 |
{
|
| 387 |
struct in_addr ip_addr; |
|
| 404 |
struct in6_addr ip_addr;
|
|
| 388 | 405 | |
| 389 | 406 |
if (rule->vector_value("SIZE", ivalue) != 0)
|
| 390 | 407 |
{
|
| ... | ... | |
| 392 | 409 |
return false; |
| 393 | 410 |
} |
| 394 | 411 | |
| 395 |
if (inet_pton(AF_INET, ip.c_str(), static_cast<void*>(&ip_addr)) != 1) |
|
| 412 |
if (inet_pton(AF_INET6, ip.c_str(), static_cast<void*>(&ip_addr)) != 1)
|
|
| 396 | 413 |
{
|
| 397 |
error = "Wrong format for IP value."; |
|
| 398 |
return false; |
|
| 414 |
if (inet_pton(AF_INET, ip.c_str(), static_cast<void*>(&ip_addr)) != 1) |
|
| 415 |
{
|
|
| 416 |
error = "Wrong format for IP value."; |
|
| 417 |
return false; |
|
| 418 |
} |
|
| 399 | 419 |
} |
| 400 | 420 |
} |
| 401 | 421 |
else //Target is ANY or NETWORK_ID |
| opennebula-5.2.1-securitygroup6/src/vnm_mad/remotes/lib/address.rb 2017-03-13 09:34:45.708235990 -0500 | ||
|---|---|---|
| 14 | 14 |
# limitations under the License. # |
| 15 | 15 |
#--------------------------------------------------------------------------- # |
| 16 | 16 | |
| 17 |
require 'ipaddr' |
|
| 18 | ||
| 17 | 19 |
module VNMMAD |
| 18 | 20 | |
| 19 | 21 |
module VNMNetwork |
| ... | ... | |
| 26 | 28 |
# @return [Array<String>] The networks in CIDR |
| 27 | 29 |
def self.to_nets(ip_start, size) |
| 28 | 30 |
nets = Array.new |
| 29 |
ip_i = IPv4.to_i(ip_start) |
|
| 31 | ||
| 32 |
if ip_start.match(/:/) |
|
| 33 |
family = "inet6" |
|
| 34 |
else |
|
| 35 |
family = "inet" |
|
| 36 |
end |
|
| 37 | ||
| 38 |
if family == "inet" |
|
| 39 |
ip_i = IPv4.to_i(ip_start) |
|
| 40 |
ip_totalLength = 32 |
|
| 41 |
else |
|
| 42 |
ip_i = IPv6.to_i(ip_start) |
|
| 43 |
ip_totalLength = 128 |
|
| 44 |
end |
|
| 30 | 45 | |
| 31 | 46 |
# Find the largest address block (look for the first 1-bit) |
| 32 | 47 |
lblock = 0 |
| 33 | 48 | |
| 34 |
lblock += 1 while (ip_i[lblock] == 0 && lblock < 32 )
|
|
| 49 |
lblock += 1 while (ip_i[lblock] == 0 && lblock < ip_totalLength )
|
|
| 35 | 50 | |
| 36 | 51 |
# Allocate whole blocks till the size fits |
| 37 | 52 |
while ( size >= 2**lblock ) |
| 38 |
nets << "#{IPv4.to_s(ip_i)}/#{32-lblock}"
|
|
| 53 |
if family == "inet" |
|
| 54 |
nets << "#{IPv4.to_s(ip_i)}/#{ip_totalLength-lblock}"
|
|
| 55 |
else |
|
| 56 |
nets << "#{IPv6.to_s(ip_i)}/#{ip_totalLength-lblock}"
|
|
| 57 |
end |
|
| 39 | 58 | |
| 40 | 59 |
ip_i += 2**lblock |
| 41 | 60 |
size -= 2**lblock |
| 42 | 61 | |
| 43 |
lblock += 1 while (ip_i[lblock] == 0 && lblock < 32 )
|
|
| 62 |
lblock += 1 while (ip_i[lblock] == 0 && lblock < ip_totalLength )
|
|
| 44 | 63 |
end |
| 45 | 64 | |
| 46 | 65 |
# Fit remaining address blocks |
| 47 |
32.downto(0) { |i|
|
|
| 66 |
ip_totalLength.downto(0) { |i|
|
|
| 48 | 67 |
next if size[i] == 0 |
| 49 | 68 | |
| 50 |
nets << "#{IPv4.to_s(ip_i)}/#{32-i}"
|
|
| 69 |
if family == "inet" |
|
| 70 |
nets << "#{IPv4.to_s(ip_i)}/#{ip_totalLength-i}"
|
|
| 71 |
else |
|
| 72 |
nets << "#{IPv6.to_s(ip_i)}/#{ip_totalLength-i}"
|
|
| 73 |
end |
|
| 51 | 74 | |
| 52 | 75 |
ip_i += 2**i |
| 53 | 76 |
} |
| ... | ... | |
| 72 | 95 |
ip = 3.downto(0).collect {|s| (ip >> 8*s) & 0xff }.join('.')
|
| 73 | 96 |
end |
| 74 | 97 |
end |
| 98 | ||
| 99 |
module IPv6 |
|
| 100 |
# Returns the binary equivalent of a IP address |
|
| 101 |
# @param ip [String] IP in dot notation |
|
| 102 |
# @return [Fixnum] IP as an integer |
|
| 103 |
def self.to_i(ip) |
|
| 104 |
ipaddr = IPAddr.new ip, Socket::AF_INET6 |
|
| 105 | ||
| 106 |
return ipaddr.to_i |
|
| 107 |
end |
|
| 108 | ||
| 109 |
# Returns the string equivalent of a IP address |
|
| 110 |
# @param ip [Fixnum] IP as an integer |
|
| 111 |
# @return [String] IP in dot notation |
|
| 112 |
def self.to_s(ip) |
|
| 113 |
ipaddr = IPAddr.new ip, Socket::AF_INET6 |
|
| 114 | ||
| 115 |
return ipaddr.to_s |
|
| 116 |
end |
|
| 117 |
end |
|
| 75 | 118 |
end |
| 76 | 119 | |
| 77 | 120 |
end |
| opennebula-5.2.1-securitygroup6/src/vnm_mad/remotes/lib/command.rb 2017-03-13 09:34:45.708235990 -0500 | ||
|---|---|---|
| 24 | 24 |
COMMANDS = {
|
| 25 | 25 |
:ebtables => "sudo ebtables", |
| 26 | 26 |
:iptables => "sudo iptables", |
| 27 |
:ip6tables=> "sudo ip6tables", |
|
| 27 | 28 |
:brctl => "sudo brctl", |
| 28 | 29 |
:ip => "sudo ip", |
| 29 | 30 |
:virsh => "virsh -c qemu:///system", |
| opennebula-5.2.1-securitygroup6/src/vnm_mad/remotes/lib/security_groups.rb 2017-03-13 09:34:45.708235990 -0500 | ||
|---|---|---|
| 24 | 24 |
# |
| 25 | 25 |
# PROTOCOL (mandatory) |
| 26 | 26 |
# - Specifies the protocol of the rule |
| 27 |
# - values: ['ALL', 'TCP', 'UDP', 'ICMP', 'IPSEC'] |
|
| 27 |
# - values: ['ALL', 'TCP', 'UDP', 'ICMP', 'ICMPV6', 'IPSEC']
|
|
| 28 | 28 |
# |
| 29 | 29 |
# RULE_TYPE (mandatory) |
| 30 | 30 |
# - Specifies the direction of application of the rule |
| ... | ... | |
| 34 | 34 |
# - only works for protocols ['TCP', 'UDP'] |
| 35 | 35 |
# - uses the iptables multiports syntax |
| 36 | 36 |
# |
| 37 |
# ICMP_TYPE (optional) |
|
| 38 |
# - Only works for protocol 'ICMP' |
|
| 37 |
# ICMP_TYPE and ICMPV6_TYPE (optional) |
|
| 38 |
# - Only works for protocol 'ICMP' (for ICMP_TYPE) or protocol 'ICMPV6' (for |
|
| 39 |
# ICMPV6_TYPE) |
|
| 39 | 40 |
# - Is either in the form of '<TYPE>' or '<TYPE>/<CODE>', where both |
| 40 | 41 |
# '<TYPE>' and '<CODE>' are integers. This class has a helper method |
| 41 | 42 |
# tgat expands '<TYPE>' into all the '<TYPE>/<CODE>' subtypes. |
| ... | ... | |
| 50 | 51 |
:protocol, # Type 1: block the whole protocol |
| 51 | 52 |
:portrange, # Type 2a: block a port range within a protocol |
| 52 | 53 |
:icmp_type, # Type 2b: block selected icmp types |
| 54 |
:icmpv6_type, # Type 2c: block selected icmpv6 types |
|
| 53 | 55 |
:net, # Type 3: block a whole protocol for a network |
| 54 | 56 |
:net_portrange, # Type 4a: block a port range from a network |
| 55 |
:net_icmp_type # Type 4b: block selected icmp types from a network |
|
| 57 |
:net_icmp_type, # Type 4b: block selected icmp types from a network |
|
| 58 |
:net_icmpv6_type # Type 4c: block selected icmpv6 types from a network |
|
| 56 | 59 |
] |
| 57 | 60 | |
| 58 | 61 |
# Initialize a new rule. |
| ... | ... | |
| 63 | 66 | |
| 64 | 67 |
@rule_type = @rule[:rule_type].downcase.to_sym |
| 65 | 68 |
@icmp_type = @rule[:icmp_type] |
| 69 |
@icmpv6_type = @rule[:icmpv6_type] |
|
| 66 | 70 | |
| 67 | 71 |
@range = @rule[:range] |
| 68 | 72 |
@ip = @rule[:ip] |
| ... | ... | |
| 84 | 88 |
when :icmp_type |
| 85 | 89 |
process_icmp_type(cmds, vars) |
| 86 | 90 | |
| 91 |
when :icmpv6_type |
|
| 92 |
process_icmpv6_type(cmds, vars) |
|
| 93 | ||
| 87 | 94 |
when :net |
| 88 | 95 |
process_net(cmds, vars) |
| 89 | 96 | |
| ... | ... | |
| 92 | 99 | |
| 93 | 100 |
when :net_icmp_type |
| 94 | 101 |
process_net_icmp_type(cmds, vars) |
| 102 | ||
| 103 |
when :net_icmpv6_type |
|
| 104 |
process_net_icmpv6_type(cmds, vars) |
|
| 95 | 105 |
end |
| 96 | 106 |
end |
| 97 | 107 | |
| ... | ... | |
| 113 | 123 |
end |
| 114 | 124 |
end |
| 115 | 125 | |
| 126 |
# Expand the ICMP type with associated codes if any |
|
| 127 |
# @return [Array<String>] expanded ICMP types to include all codes |
|
| 128 |
def icmpv6_type_expand |
|
| 129 |
# XXX:TODO: Implement expansion of codes for IPv6 types |
|
| 130 |
["#{@icmpv6_type}/0"]
|
|
| 131 |
end |
|
| 132 | ||
| 116 | 133 |
private |
| 117 | 134 | |
| 118 | 135 |
# ICMP Codes for each ICMP type |
| ... | ... | |
| 129 | 146 |
# @protocol + @rule_type => Type 1: 'protocol' |
| 130 | 147 |
# @protocol + @rule_type + @range => Type 2A: 'portrange' |
| 131 | 148 |
# @protocol + @rule_type + @icmp_type => Type 2B: 'icmp_type' |
| 149 |
# @protocol + @rule_type + @icmpv6_type => Type 2C: 'icmpv6_type' |
|
| 132 | 150 |
# @protocol + @rule_type + @ip + @size => Type 3: 'net' |
| 133 | 151 |
# @protocol + @rule_type + @ip + @size + @range => Type 4A: 'net_portrange' |
| 134 | 152 |
# @protocol + @rule_type + @ip + @size + @icmp_type => Type 4B: 'net_icmp_type' |
| 153 |
# @protocol + @rule_type + @ip + @size + @icmpv6_type => Type 4C: 'net_icmpv6_type' |
|
| 135 | 154 |
# |
| 136 | 155 |
# @return [Symbol] The rule type |
| 137 | 156 |
def set_type |
| 138 | 157 |
if @ip.nil? && @size.nil? |
| 158 |
return :icmpv6_type if !@icmpv6_type.nil? |
|
| 139 | 159 |
return :icmp_type if !@icmp_type.nil? |
| 140 | 160 |
return :portrange if !@range.nil? |
| 141 | 161 |
return :protocol |
| 142 | 162 |
else |
| 163 |
return :net_icmpv6_type if !@icmpv6_type.nil? |
|
| 143 | 164 |
return :net_icmp_type if !@icmp_type.nil? |
| 144 | 165 |
return :net_portrange if !@range.nil? |
| 145 | 166 |
return :net |
| ... | ... | |
| 161 | 182 |
def process_icmp_type(cmds, vars) |
| 162 | 183 |
end |
| 163 | 184 | |
| 185 |
def process_icmpv6_type(cmds, vars) |
|
| 186 |
end |
|
| 187 | ||
| 164 | 188 |
def process_net(cmds, vars) |
| 165 | 189 |
end |
| 166 | 190 | |
| ... | ... | |
| 169 | 193 | |
| 170 | 194 |
def process_net_icmp_type(cmds, vars) |
| 171 | 195 |
end |
| 196 | ||
| 197 |
def process_net_icmpv6_type(cmds, vars) |
|
| 198 |
end |
|
| 172 | 199 |
end |
| 173 | 200 | |
| 174 | 201 |
############################################################################ |
| ... | ... | |
| 219 | 246 | |
| 220 | 247 |
end |
| 221 | 248 | |
| 222 |
end |
|
| 249 |
end |
|
| opennebula-5.2.1-securitygroup6/src/vnm_mad/remotes/lib/security_groups_iptables.rb 2017-03-13 10:33:33.811408084 -0500 | ||
|---|---|---|
| 33 | 33 |
def process_protocol(cmds, vars) |
| 34 | 34 |
chain = @rule_type == :inbound ? vars[:chain_in] : vars[:chain_out] |
| 35 | 35 | |
| 36 |
cmds.add :iptables, "-A #{chain} -p #{@protocol} -j RETURN"
|
|
| 36 |
if @protocol != :icmpv6 |
|
| 37 |
cmds.add :iptables, "-A #{chain} -p #{@protocol} -j RETURN"
|
|
| 38 |
end |
|
| 39 |
if @protocol != :icmp |
|
| 40 |
cmds.add :ip6tables, "-A #{chain} -p #{@protocol} -j RETURN"
|
|
| 41 |
end |
|
| 37 | 42 |
end |
| 38 | 43 | |
| 39 | 44 |
# Implements the :portrange rule. Example: |
| ... | ... | |
| 43 | 48 | |
| 44 | 49 |
cmds.add :iptables, "-A #{chain} -p #{@protocol} -m multiport" \
|
| 45 | 50 |
" --dports #{@range} -j RETURN"
|
| 51 |
cmds.add :ip6tables, "-A #{chain} -p #{@protocol} -m multiport" \
|
|
| 52 |
" --dports #{@range} -j RETURN"
|
|
| 46 | 53 |
end |
| 47 | 54 | |
| 48 | 55 |
# Implements the :icmp_type rule. Example: |
| ... | ... | |
| 54 | 61 |
" -j RETURN" |
| 55 | 62 |
end |
| 56 | 63 | |
| 64 |
# Implements the :icmpv6_type rule. Example: |
|
| 65 |
# ip6tables -A one-3-0-o -p icmpv6 --icmpv6-type 128 -j RETURN |
|
| 66 |
def process_icmpv6_type(cmds, vars) |
|
| 67 |
chain = @rule_type == :inbound ? vars[:chain_in] : vars[:chain_out] |
|
| 68 | ||
| 69 |
cmds.add :ip6tables, "-A #{chain} -p icmpv6 --icmpv6-type #{@icmpv6_type}" \
|
|
| 70 |
" -j RETURN" |
|
| 71 |
end |
|
| 72 | ||
| 57 | 73 |
# Implements the :net rule. Example: |
| 58 |
# ipset create one-3-0-1-i-tcp-n hash:net
|
|
| 59 |
# iptables -A one-3-0-i -p tcp -m set --match-set one-3-0-1-i src -j RETURN |
|
| 60 |
# ipset add -exist one-3-0-1-i-tcp-n 10.0.0.0/24 |
|
| 74 |
# ipset create one-3-0-1-i-tcp-n-inet hash:net family inet
|
|
| 75 |
# iptables -A one-3-0-i -p tcp -m set --match-set one-3-0-1-i-tcp-n-inet src -j RETURN
|
|
| 76 |
# ipset add -exist one-3-0-1-i-tcp-n-inet 10.0.0.0/24
|
|
| 61 | 77 |
def process_net(cmds, vars) |
| 62 |
if @rule_type == :inbound |
|
| 63 |
chain = vars[:chain_in] |
|
| 64 |
set = "#{vars[:set_sg_in]}-#{@protocol}-n"
|
|
| 65 |
dir = "src" |
|
| 66 |
else |
|
| 67 |
chain = vars[:chain_out] |
|
| 68 |
set = "#{vars[:set_sg_out]}-#{@protocol}-n"
|
|
| 69 |
dir = "dst" |
|
| 70 |
end |
|
| 78 |
["inet", "inet6"].each do |family| |
|
| 79 |
if family == "inet" |
|
| 80 |
command = :iptables |
|
| 81 |
else |
|
| 82 |
command = :ip6tables |
|
| 83 |
end |
|
| 71 | 84 | |
| 72 |
cmds.add :ipset, "create #{set} hash:net"
|
|
| 73 |
cmds.add :iptables, "-A #{chain} -p #{@protocol} -m set" \
|
|
| 74 |
" --match-set #{set} #{dir} -j RETURN"
|
|
| 85 |
if @rule_type == :inbound |
|
| 86 |
chain = vars[:chain_in] |
|
| 87 |
set = "#{vars[:set_sg_in]}-#{@protocol}-n-#{family}"
|
|
| 88 |
dir = "src" |
|
| 89 |
else |
|
| 90 |
chain = vars[:chain_out] |
|
| 91 |
set = "#{vars[:set_sg_out]}-#{@protocol}-n-#{family}"
|
|
| 92 |
dir = "dst" |
|
| 93 |
end |
|
| 75 | 94 | |
| 76 |
net.each do |n| |
|
| 77 |
cmds.add :ipset, "add -exist #{set} #{n}"
|
|
| 95 |
cmds.add :ipset, "create #{set} hash:net family #{family}"
|
|
| 96 |
cmds.add command, "-A #{chain} -p #{@protocol} -m set" \
|
|
| 97 |
" --match-set #{set} #{dir} -j RETURN"
|
|
| 98 | ||
| 99 |
net.each do |n| |
|
| 100 |
if n.match(/:/) |
|
| 101 |
n_family = "inet6" |
|
| 102 |
else |
|
| 103 |
n_family = "inet" |
|
| 104 |
end |
|
| 105 | ||
| 106 |
if n_family != family |
|
| 107 |
next |
|
| 108 |
end |
|
| 109 | ||
| 110 |
cmds.add :ipset, "add -exist #{set} #{n}"
|
|
| 111 |
end |
|
| 78 | 112 |
end |
| 79 | 113 |
end |
| 80 | 114 | |
| 81 | 115 |
# Implements the :net_portrange rule. Example: |
| 82 |
# ipset create one-3-0-1-i-nr hash:net,port
|
|
| 83 |
# iptables -A one-3-0-i -m set --match-set one-3-0-1-i-nr src,dst -j RETURN |
|
| 84 |
# ipset add -exist one-3-0-1-i-nr 10.0.0.0/24,tcp:80 |
|
| 116 |
# ipset create one-3-0-1-i-nr-inet hash:net,port family inet
|
|
| 117 |
# iptables -A one-3-0-i -m set --match-set one-3-0-1-i-nr-inet src,dst -j RETURN
|
|
| 118 |
# ipset add -exist one-3-0-1-i-nr-inet 10.0.0.0/24,tcp:80
|
|
| 85 | 119 |
def process_net_portrange(cmds, vars) |
| 86 |
if @rule_type == :inbound |
|
| 87 |
chain = vars[:chain_in] |
|
| 88 |
set = "#{vars[:set_sg_in]}-nr"
|
|
| 89 |
dir = "src,dst" |
|
| 90 |
else |
|
| 91 |
chain = vars[:chain_out] |
|
| 92 |
set = "#{vars[:set_sg_out]}-nr"
|
|
| 93 |
dir = "dst,dst" |
|
| 94 |
end |
|
| 120 |
["inet", "inet6"].each do |family| |
|
| 121 |
if family == "inet" |
|
| 122 |
command = :iptables |
|
| 123 |
else |
|
| 124 |
command = :ip6tables |
|
| 125 |
end |
|
| 95 | 126 | |
| 96 |
cmds.add :ipset, "create #{set} hash:net,port"
|
|
| 97 |
cmds.add :iptables, "-A #{chain} -m set --match-set" \
|
|
| 98 |
" #{set} #{dir} -j RETURN"
|
|
| 127 |
if @rule_type == :inbound |
|
| 128 |
chain = vars[:chain_in] |
|
| 129 |
set = "#{vars[:set_sg_in]}-nr-#{family}"
|
|
| 130 |
dir = "src,dst" |
|
| 131 |
else |
|
| 132 |
chain = vars[:chain_out] |
|
| 133 |
set = "#{vars[:set_sg_out]}-nr-#{family}"
|
|
| 134 |
dir = "dst,dst" |
|
| 135 |
end |
|
| 99 | 136 | |
| 100 |
net.each do |n| |
|
| 101 |
@range.split(",").each do |r|
|
|
| 102 |
r.gsub!(":","-")
|
|
| 103 |
net_range = "#{n},#{@protocol}:#{r}"
|
|
| 104 |
cmds.add :ipset, "add -exist #{set} #{net_range}"
|
|
| 137 |
cmds.add :ipset, "create #{set} hash:net,port family #{family}"
|
|
| 138 |
cmds.add command, "-A #{chain} -m set --match-set" \
|
|
| 139 |
" #{set} #{dir} -j RETURN"
|
|
| 140 | ||
| 141 |
net.each do |n| |
|
| 142 |
if n.match(/:/) |
|
| 143 |
n_family = "inet6" |
|
| 144 |
else |
|
| 145 |
n_family = "inet" |
|
| 146 |
end |
|
| 147 | ||
| 148 |
if n_family != family |
|
| 149 |
next |
|
| 150 |
end |
|
| 151 | ||
| 152 |
@range.split(",").each do |r|
|
|
| 153 |
r.gsub!(":","-")
|
|
| 154 |
net_range = "#{n},#{@protocol}:#{r}"
|
|
| 155 |
cmds.add :ipset, "add -exist #{set} #{net_range}"
|
|
| 156 |
end |
|
| 105 | 157 |
end |
| 106 | 158 |
end |
| 107 | 159 |
end |
| 108 | 160 | |
| 109 | 161 |
# Implements the :net_icmp_type rule. Example: |
| 110 |
# ipset create one-3-0-1-i-ni hash:net,port |
|
| 111 |
# iptables -A one-3-0-i -m set --match-set one-3-0-1-i-nr src,dst -j RETURN
|
|
| 162 |
# ipset create one-3-0-1-i-ni hash:net,port family inet
|
|
| 163 |
# iptables -A one-3-0-i -m set --match-set one-3-0-1-i-ni src,dst -j RETURN
|
|
| 112 | 164 |
# ipset add -exist one-3-0-1-i-ni 10.0.0.0/24,icmp:8/0 |
| 113 | 165 |
def process_net_icmp_type(cmds, vars) |
| 114 | 166 |
if @rule_type == :inbound |
| ... | ... | |
| 121 | 173 |
dir = "dst,dst" |
| 122 | 174 |
end |
| 123 | 175 | |
| 124 |
cmds.add :ipset, "create #{set} hash:net,port"
|
|
| 176 |
cmds.add :ipset, "create #{set} hash:net,port family inet"
|
|
| 125 | 177 |
cmds.add :iptables, "-A #{chain} -m set --match-set #{set} #{dir} -j RETURN"
|
| 126 | 178 | |
| 127 | 179 |
net.each do |n| |
| ... | ... | |
| 130 | 182 |
end |
| 131 | 183 |
end |
| 132 | 184 |
end |
| 185 | ||
| 186 |
# Implements the :net_icmpv6_type rule. Example: |
|
| 187 |
# ipset create one-3-0-1-i-ni6 hash:net,port family inet6 |
|
| 188 |
# ip6tables -A one-3-0-i -m set --match-set one-3-0-1-i-ni6 src,dst -j RETURN |
|
| 189 |
# ipset add -exist one-3-0-1-i-ni6 10.0.0.0/24,icmpv6:128/0 |
|
| 190 |
def process_net_icmpv6_type(cmds, vars) |
|
| 191 |
if @rule_type == :inbound |
|
| 192 |
chain = vars[:chain_in] |
|
| 193 |
set = "#{vars[:set_sg_in]}-ni6"
|
|
| 194 |
dir = "src,dst" |
|
| 195 |
else |
|
| 196 |
chain = vars[:chain_out] |
|
| 197 |
set = "#{vars[:set_sg_out]}-ni6"
|
|
| 198 |
dir = "dst,dst" |
|
| 199 |
end |
|
| 200 | ||
| 201 |
cmds.add :ipset, "create #{set} hash:net,port family inet6"
|
|
| 202 |
cmds.add :ip6tables, "-A #{chain} -m set --match-set #{set} #{dir} -j RETURN"
|
|
| 203 | ||
| 204 |
net.each do |n| |
|
| 205 |
icmpv6_type_expand.each do |type_code| |
|
| 206 |
cmds.add :ipset, "add -exist #{set} #{n},icmpv6:#{type_code}"
|
|
| 207 |
end |
|
| 208 |
end |
|
| 209 |
end |
|
| 133 | 210 |
end |
| 134 | 211 | |
| 135 | 212 |
############################################################################ |
| ... | ... | |
| 166 | 243 |
commands.add :iptables, "-S" |
| 167 | 244 |
iptables_s = commands.run! |
| 168 | 245 | |
| 246 |
commands.add :ip6tables, "-S" |
|
| 247 |
ip6tables_s = commands.run! |
|
| 248 | ||
| 169 | 249 |
iptables_forwards = "" |
| 250 |
ip6tables_forwards = "" |
|
| 170 | 251 | |
| 171 | 252 |
if iptables_s.match(/^-N #{GLOBAL_CHAIN}$/)
|
| 172 | 253 |
commands.add :iptables, "-L #{GLOBAL_CHAIN} --line-numbers"
|
| 173 | 254 |
iptables_forwards = commands.run! |
| 174 | 255 |
end |
| 175 | 256 | |
| 257 |
if ip6tables_s.match(/^-N #{GLOBAL_CHAIN}$/)
|
|
| 258 |
commands.add :ip6tables, "-L #{GLOBAL_CHAIN} --line-numbers"
|
|
| 259 |
ip6tables_forwards = commands.run! |
|
| 260 |
end |
|
| 261 | ||
| 176 | 262 |
commands.add :ipset, "list -name" |
| 177 | 263 |
ipset_list = commands.run! |
| 178 | 264 | |
| 179 | 265 |
{
|
| 180 | 266 |
:iptables_forwards => iptables_forwards, |
| 181 | 267 |
:iptables_s => iptables_s, |
| 268 |
:ip6tables_forwards => ip6tables_forwards, |
|
| 269 |
:ip6tables_s => ip6tables_s, |
|
| 182 | 270 |
:ipset_list => ipset_list |
| 183 | 271 |
} |
| 184 | 272 |
end |
| ... | ... | |
| 190 | 278 |
def self.global_bootstrap |
| 191 | 279 |
info = SGIPTables.info |
| 192 | 280 | |
| 193 |
return if info[:iptables_s].split("\n").include? "-N #{GLOBAL_CHAIN}"
|
|
| 281 |
if info[:iptables_s].split("\n").include? "-N #{GLOBAL_CHAIN}"
|
|
| 282 |
if info[:ip6tables_s].split("\n").include? "-N #{GLOBAL_CHAIN}"
|
|
| 283 |
return |
|
| 284 |
end |
|
| 285 |
end |
|
| 194 | 286 | |
| 195 | 287 |
commands = VNMNetwork::Commands.new |
| 196 | 288 | |
| 197 | 289 |
commands.add :iptables, "-N #{GLOBAL_CHAIN}"
|
| 198 | 290 |
commands.add :iptables, "-A FORWARD -m physdev --physdev-is-bridged -j #{GLOBAL_CHAIN}"
|
| 199 | 291 |
commands.add :iptables, "-A #{GLOBAL_CHAIN} -j ACCEPT"
|
| 292 |
commands.add :ip6tables, "-N #{GLOBAL_CHAIN}"
|
|
| 293 |
commands.add :ip6tables, "-A FORWARD -m physdev --physdev-is-bridged -j #{GLOBAL_CHAIN}"
|
|
| 294 |
commands.add :ip6tables, "-A #{GLOBAL_CHAIN} -j ACCEPT"
|
|
| 200 | 295 | |
| 201 | 296 |
commands.run! |
| 202 | 297 |
end |
| ... | ... | |
| 259 | 354 |
# create chains |
| 260 | 355 |
commands.add :iptables, "-N #{chain_in}" # inbound
|
| 261 | 356 |
commands.add :iptables, "-N #{chain_out}" # outbound
|
| 357 |
commands.add :ip6tables, "-N #{chain_in}" # inbound
|
|
| 358 |
commands.add :ip6tables, "-N #{chain_out}" # outbound
|
|
| 262 | 359 | |
| 263 | 360 |
# Send traffic to the NIC chains |
| 264 | 361 |
commands.add :iptables, "-I #{GLOBAL_CHAIN} -m physdev --physdev-out #{nic[:tap]} --physdev-is-bridged -j #{chain_in}"
|
| 265 | 362 |
commands.add :iptables, "-I #{GLOBAL_CHAIN} -m physdev --physdev-in #{nic[:tap]} --physdev-is-bridged -j #{chain_out}"
|
| 363 |
commands.add :ip6tables, "-I #{GLOBAL_CHAIN} -m physdev --physdev-out #{nic[:tap]} --physdev-is-bridged -j #{chain_in}"
|
|
| 364 |
commands.add :ip6tables, "-I #{GLOBAL_CHAIN} -m physdev --physdev-in #{nic[:tap]} --physdev-is-bridged -j #{chain_out}"
|
|
| 365 | ||
| 366 |
# ICMPv6 Neighbor Discovery Protocol (ARP replacement for IPv6) |
|
| 367 |
## Allow routers to send router advertisements |
|
| 368 |
commands.add :ip6tables, "-A #{chain_in} -p icmpv6 --icmpv6-type 134 -j ACCEPT"
|
|
| 369 | ||
| 370 |
## Allow neighbor solicitations to reach the host |
|
| 371 |
commands.add :ip6tables, "-A #{chain_in} -p icmpv6 --icmpv6-type 135 -j ACCEPT"
|
|
| 372 | ||
| 373 |
## Allow neighbor solicitations replies to reach the host |
|
| 374 |
commands.add :ip6tables, "-A #{chain_in} -p icmpv6 --icmpv6-type 136 -j ACCEPT"
|
|
| 375 | ||
| 376 |
## Allow routers to send Redirect messages |
|
| 377 |
commands.add :ip6tables, "-A #{chain_in} -p icmpv6 --icmpv6-type 137 -j ACCEPT"
|
|
| 378 | ||
| 379 |
## Allow the host to send a router solicitation |
|
| 380 |
commands.add :ip6tables, "-A #{chain_out} -p icmpv6 --icmpv6-type 133 -j ACCEPT"
|
|
| 381 | ||
| 382 |
## Allow the host to send neighbor solicitation requests |
|
| 383 |
commands.add :ip6tables, "-A #{chain_out} -p icmpv6 --icmpv6-type 135 -j ACCEPT"
|
|
| 384 | ||
| 385 |
## Allow the host to send neighbor solicitation replies |
|
| 386 |
commands.add :ip6tables, "-A #{chain_out} -p icmpv6 --icmpv6-type 136 -j ACCEPT"
|
|
| 266 | 387 | |
| 267 | 388 |
# Mac-spofing |
| 268 | 389 |
if nic[:filter_mac_spoofing] == "YES" |
| 269 | 390 |
commands.add :iptables, "-A #{chain_out} -m mac ! --mac-source #{nic[:mac]} -j DROP"
|
| 391 |
commands.add :ip6tables, "-A #{chain_out} -m mac ! --mac-source #{nic[:mac]} -j DROP"
|
|
| 270 | 392 |
end |
| 271 | 393 | |
| 272 | 394 |
# IP-spofing |
| 273 | 395 |
if nic[:filter_ip_spoofing] == "YES" |
| 274 |
commands.add :iptables, "-A #{chain_out} -p udp --source 0.0.0.0/32 --sport 68 --destination 255.255.255.255/32 --dport 67 -j ACCEPT"
|
|
| 396 |
if !nic[:ip].nil? and !nic[:ip].empty? |
|
| 397 |
commands.add :iptables, "-A #{chain_out} -p udp --source 0.0.0.0/32 --sport 68 --destination 255.255.255.255/32 --dport 67 -j ACCEPT"
|
|
| 275 | 398 | |
| 276 |
set = "#{vars[:chain]}-ip-spoofing"
|
|
| 399 |
set = "#{vars[:chain]}-ip-spoofing"
|
|
| 277 | 400 | |
| 278 |
commands.add :ipset, "create #{set} hash:ip"
|
|
| 279 |
commands.add :ipset, "add -exist #{set} #{nic[:ip]}"
|
|
| 280 |
commands.add :ipset, "add -exist #{set} #{nic[:vrouter_ip]}" if nic[:vrouter_ip]
|
|
| 401 |
commands.add :ipset, "create #{set} hash:ip"
|
|
| 402 |
commands.add :ipset, "add -exist #{set} #{nic[:ip]}"
|
|
| 403 |
commands.add :ipset, "add -exist #{set} #{nic[:vrouter_ip]}" if nic[:vrouter_ip]
|
|
| 281 | 404 | |
| 282 |
commands.add :iptables, "-A #{chain_out} -m set ! --match-set #{set} src -j DROP"
|
|
| 405 |
commands.add :iptables, "-A #{chain_out} -m set ! --match-set #{set} src -j DROP"
|
|
| 406 |
else |
|
| 407 |
# If there are no IPv4 addresses allowed, block all IPv4 addresses |
|
| 408 |
commands.add :ip6tables, "-A #{chain_out} --source 0.0.0.0/0 -j DROP"
|
|
| 409 |
end |
|
| 410 | ||
| 411 |
ip6_addrs = Array.new |
|
| 412 | ||
| 413 |
[:ip6_global, :ip6_link, :ip6_ula].each do |keyName| |
|
| 414 |
if !nic[keyName].nil? and !nic[keyName].empty? |
|
| 415 |
ip6_addrs << nic[keyName] |
|
| 416 |
end |
|
| 417 |
end |
|
| 418 | ||
| 419 |
if ip6_addrs.length > 1 |
|
| 420 |
set = "#{chain_out}-ip6-spoofing"
|
|
| 421 | ||
| 422 |
commands.add :ipset, "create #{set} hash:ip family inet6"
|
|
| 423 |
ip6_addrs.each do |ip6_addr| |
|
| 424 |
commands.add :ipset, "add -exist #{set} #{ip6_addr}"
|
|
| 425 |
end |
|
| 426 | ||
| 427 |
commands.add :ip6tables, "-A #{chain_out} -m set ! --match-set #{set} src -j DROP"
|
|
| 428 |
elsif ip6_addrs.length == 1 |
|
| 429 |
commands.add :ip6tables, "-A #{chain_out} ! --source #{ip6_addrs[0]} -j DROP"
|
|
| 430 |
else |
|
| 431 |
# If there are no IPv6 addresses allowed, block all IPv6 addresses |
|
| 432 |
commands.add :ip6tables, "-A #{chain_out} --source ::/0 -j DROP"
|
|
| 433 |
end |
|
| 283 | 434 |
end |
| 284 | 435 | |
| 285 | 436 |
# Related, Established |
| 286 | 437 |
commands.add :iptables, "-A #{chain_in} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
| 287 | 438 |
commands.add :iptables, "-A #{chain_out} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
| 439 |
commands.add :ip6tables, "-A #{chain_in} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
|
| 440 |
commands.add :ip6tables, "-A #{chain_out} -m state --state ESTABLISHED,RELATED -j ACCEPT"
|
|
| 288 | 441 | |
| 289 | 442 |
commands.run! |
| 290 | 443 |
end |
| ... | ... | |
| 300 | 453 |
commands = VNMNetwork::Commands.new |
| 301 | 454 |
commands.add :iptables, "-A #{chain_in} -j DROP"
|
| 302 | 455 |
commands.add :iptables, "-A #{chain_out} -j DROP"
|
| 456 |
commands.add :ip6tables, "-A #{chain_in} -j DROP"
|
|
| 457 |
commands.add :ip6tables, "-A #{chain_out} -j DROP"
|
|
| 303 | 458 | |
| 304 | 459 |
commands.run! |
| 305 | 460 |
end |
| ... | ... | |
| 314 | 469 |
info = self.info |
| 315 | 470 |
iptables_forwards = info[:iptables_forwards] |
| 316 | 471 |
iptables_s = info[:iptables_s] |
| 472 |
ip6tables_forwards = info[:ip6tables_forwards] |
|
| 473 |
ip6tables_s = info[:ip6tables_s] |
|
| 317 | 474 |
ipset_list = info[:ipset_list] |
| 318 | 475 | |
| 319 | 476 |
commands = VNMNetwork::Commands.new |
| ... | ... | |
| 326 | 483 |
end |
| 327 | 484 |
end |
| 328 | 485 | |
| 486 |
ip6tables_forwards.lines.reverse_each do |line| |
|
| 487 |
fields = line.split |
|
| 488 |
if [chain_in, chain_out].include?(fields[1]) |
|
| 489 |
n = fields[0] |
|
| 490 |
commands.add :ip6tables, "-D #{GLOBAL_CHAIN} #{n}"
|
|
| 491 |
end |
|
| 492 |
end |
|
| 493 | ||
| 329 | 494 |
remove_chains = [] |
| 330 | 495 |
iptables_s.lines.each do |line| |
| 331 | 496 |
if line.match(/^-N #{chain}(-|$)/)
|
| ... | ... | |
| 334 | 499 |
end |
| 335 | 500 |
remove_chains.each {|c| commands.add :iptables, "-F #{c}" }
|
| 336 | 501 |
remove_chains.each {|c| commands.add :iptables, "-X #{c}" }
|
| 502 |
remove_chains.each {|c| commands.add :ip6tables, "-F #{c}" }
|
|
| 503 |
remove_chains.each {|c| commands.add :ip6tables, "-X #{c}" }
|
|
| 337 | 504 | |
| 338 | 505 |
ipset_list.lines.each do |line| |
| 339 | 506 |
if line.match(/^#{chain}(-|$)/)
|