Skip to content
Toggle navigation
P
Projects
G
Groups
S
Snippets
Help
CIRCLE
/
fwdriver
This project
Loading...
Sign in
Toggle navigation
Go to a project
Project
Repository
Issues
0
Merge Requests
1
Wiki
Snippets
Members
Activity
Graph
Charts
Create a new issue
Commits
Issue Boards
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Commit
17888275
authored
Dec 24, 2013
by
Bach Dániel
Browse files
Options
Browse Files
Download
Email Patches
Plain Diff
add netns support
parent
d59f5827
Show whitespace changes
Inline
Side-by-side
Showing
3 changed files
with
76 additions
and
69 deletions
+76
-69
fw.py
+31
-52
ovs.py
+21
-17
utils.py
+24
-0
No files found.
fw.py
View file @
17888275
from
celery
import
Celery
,
task
from
os
import
getenv
import
subprocess
import
re
import
json
import
socket
from
ovs
import
Switch
IRC_CHANNEL
=
getenv
(
'IRC_CHANNEL'
,
'/home/cloud/irc/irc.atw.hu/#ik/in'
)
DHCP_LOGFILE
=
getenv
(
'DHCP_LOGFILE'
,
'/var/log/syslog'
)
VLAN_CONF
=
getenv
(
'VLAN_CONF'
,
'vlan.conf'
)
FIREWALL_CONF
=
getenv
(
'FIREWALL_CONF'
,
'firewall.conf'
)
from
utils
import
NETNS
,
ns_exec
celery
=
Celery
(
'tasks'
,
backend
=
'amqp'
,
)
celery
.
conf
.
update
(
CELERY_TASK_RESULT_EXPIRES
=
300
,
...
...
@@ -21,16 +19,14 @@ celery.conf.update(CELERY_TASK_RESULT_EXPIRES=300,
@task
(
name
=
"firewall.reload_firewall"
)
def
reload_firewall
(
data4
,
data6
,
onstart
=
False
):
print
"fw"
process
=
subprocess
.
Popen
([
'/usr/bin/sudo'
,
'/sbin/ip6tables-restore'
,
'-c'
],
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
process
.
communicate
(
"
\n
"
.
join
(
data6
[
'filter'
])
+
"
\n
"
)
process
=
subprocess
.
Popen
([
'/usr/bin/sudo'
,
'/sbin/iptables-restore'
,
'-c'
],
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
process
.
communicate
(
"
\n
"
.
join
(
data4
[
'filter'
])
+
"
\n
"
+
"
\n
"
.
join
(
data4
[
'nat'
])
+
"
\n
"
)
ns_exec
(
NETNS
,
(
'/sbin/ip6tables-restore'
,
'-c'
),
'
\n
'
.
join
(
data6
[
'filter'
])
+
'
\n
'
)
ns_exec
(
NETNS
,
(
'/sbin/iptables-restore'
,
'-c'
),
(
'
\n
'
.
join
(
data4
[
'filter'
])
+
'
\n
'
+
'
\n
'
.
join
(
data4
[
'nat'
])
+
'
\n
'
))
if
onstart
is
False
:
with
open
(
FIREWALL_CONF
,
'w'
)
as
f
:
json
.
dump
([
data4
,
data6
],
f
)
...
...
@@ -39,22 +35,24 @@ def reload_firewall(data4, data6, onstart=False):
@task
(
name
=
"firewall.reload_firewall_vlan"
)
def
reload_firewall_vlan
(
data
,
onstart
=
False
):
print
"fw vlan"
# print data
br
=
Switch
(
'firewall'
)
br
.
migrate
(
data
)
# print br.list_ports()
if
onstart
is
False
:
with
open
(
VLAN_CONF
,
'w'
)
as
f
:
json
.
dump
(
data
,
f
)
subprocess
.
call
(
"/sbin/ip ro add default via 10.7.255.254"
,
shell
=
True
)
GATEWAY
=
getenv
(
'GATEWAY'
,
'152.66.243.254'
)
try
:
ns_exec
(
NETNS
,
(
'/sbin/ip'
,
'ro'
,
'add'
,
'default'
,
'via'
,
GATEWAY
))
except
:
pass
@task
(
name
=
"firewall.reload_dhcp"
)
def
reload_dhcp
(
data
):
print
"dhcp"
with
open
(
'/tools/dhcp3/dhcpd.conf.generated'
,
'w'
)
as
f
:
f
.
write
(
"
\n
"
.
join
(
data
)
+
"
\n
"
)
subprocess
.
call
([
'sudo'
,
'/etc/init.d/isc-dhcp-server'
,
'restart'
],
shell
=
False
)
ns_exec
(
NETNS
,
(
'/etc/init.d/isc-dhcp-server'
,
'restart'
))
def
ipset_save
(
data
):
...
...
@@ -63,9 +61,8 @@ def ipset_save(data):
data_new
=
[
x
[
'ipv4'
]
for
x
in
data
]
data_old
=
[]
p
=
subprocess
.
Popen
([
'/usr/bin/sudo'
,
'/usr/sbin/ipset'
,
'save'
,
'blacklist'
],
shell
=
False
,
stdout
=
subprocess
.
PIPE
)
for
line
in
p
.
stdout
:
lines
=
ns_exec
(
NETNS
,
(
'/usr/sbin/ipset'
,
'save'
,
'blacklist'
))
for
line
in
lines
.
splitlines
():
x
=
r
.
match
(
line
.
rstrip
())
if
x
:
data_old
.
append
(
x
.
group
(
1
))
...
...
@@ -73,7 +70,7 @@ def ipset_save(data):
l_add
=
list
(
set
(
data_new
)
.
difference
(
set
(
data_old
)))
l_del
=
list
(
set
(
data_old
)
.
difference
(
set
(
data_new
)))
return
(
l_add
,
l_del
,
)
return
(
l_add
,
l_del
)
def
ipset_restore
(
l_add
,
l_del
):
...
...
@@ -83,29 +80,8 @@ def ipset_restore(l_add, l_del):
ipset
=
ipset
+
[
'add blacklist
%
s'
%
x
for
x
in
l_add
]
ipset
=
ipset
+
[
'del blacklist
%
s'
%
x
for
x
in
l_del
]
print
"
\n
"
.
join
(
ipset
)
+
"
\n
"
p
=
subprocess
.
Popen
([
'/usr/bin/sudo'
,
'/usr/sbin/ipset'
,
'restore'
,
'-exist'
],
shell
=
False
,
stdin
=
subprocess
.
PIPE
)
p
.
communicate
(
"
\n
"
.
join
(
ipset
)
+
"
\n
"
)
def
irc_message
(
data
,
l_add
):
try
:
with
open
(
IRC_CHANNEL
,
'w+'
)
as
f
:
for
x
in
data
:
try
:
hostname
=
socket
.
gethostbyaddr
(
x
[
'ipv4'
])[
0
]
except
:
hostname
=
x
[
'ipv4'
]
if
x
[
'ipv4'
]
in
l_add
:
f
.
write
(
'
%(ip)
s(
%(hostname)
s) kibachva
%(reason)
s '
'miatt
\n
'
%
{
'ip'
:
x
[
'ipv4'
],
'reason'
:
x
[
'reason'
],
'hostname'
:
hostname
})
except
:
print
"nem sikerult mircre irni"
# raise
ns_exec
(
NETNS
,
(
'/usr/sbin/ipset'
,
'restore'
,
'-exist'
),
'
\n
'
.
join
(
ipset
)
+
'
\n
'
)
@task
(
name
=
"firewall.reload_blacklist"
)
...
...
@@ -114,7 +90,6 @@ def reload_blacklist(data):
l_add
,
l_del
=
ipset_save
(
data
)
ipset_restore
(
l_add
,
l_del
)
irc_message
(
data
,
l_add
)
# 2013-06-26 12:16:59 DHCPACK on 10.4.0.14 to 5c:b5:24:e6:5c:81
...
...
@@ -131,8 +106,6 @@ dhcp_ack_re = re.compile(r'\S DHCPACK on (?P<ip>[0-9.]+) to '
dhcp_no_free_re
=
re
.
compile
(
r'\S DHCPDISCOVER '
r'from (?P<mac>[a-zA-Z0-9:]+) '
r'via (?P<interface>[a-zA-Z0-9]+):'
)
# r'.* no free leases')
# r'(\((?P<hostnamename>[^)]+)\) )?'
@task
(
name
=
"firewall.get_dhcp_clients"
)
...
...
@@ -152,21 +125,26 @@ def get_dhcp_clients():
ip
=
m
.
get
(
'ip'
,
None
)
hostname
=
m
.
get
(
'hostname'
,
None
)
interface
=
m
.
get
(
'interface'
,
None
)
clients
[
mac
]
=
{
'ip'
:
ip
,
'hostname'
:
hostname
,
'interface'
:
interface
}
clients
[
mac
]
=
{
'ip'
:
ip
,
'hostname'
:
hostname
,
'interface'
:
interface
}
return
clients
def
start_firewall
():
try
:
subprocess
.
call
(
'sudo ipset create blacklist hash:ip family '
'inet hashsize 4096 maxelem 65536 2>/dev/null'
,
shell
=
True
)
ns_exec
(
NETNS
,
(
'/usr/sbin/ipset'
,
'create'
,
'blacklist'
,
'hash:ip'
,
'family'
,
'inet'
,
'hashsize'
,
'4096'
,
'maxelem'
,
'65536'
))
except
:
pass
try
:
with
open
(
FIREWALL_CONF
,
'r'
)
as
f
:
data4
,
data6
=
json
.
load
(
f
)
reload_firewall
(
data4
,
data6
,
True
)
except
:
print
'nemsikerult:('
raise
def
start_networking
():
...
...
@@ -176,6 +154,7 @@ def start_networking():
reload_firewall_vlan
(
data
,
True
)
except
:
print
'nemsikerult:('
raise
def
main
():
...
...
ovs.py
View file @
17888275
import
subprocess
from
netaddr
import
IPNetwork
import
logging
from
utils
import
NETNS
,
sudo
,
ns_exec
class
IPDevice
:
def
__init__
(
self
,
devname
):
self
.
devname
=
devname
def
_run
(
self
,
*
args
):
args
=
(
'sudo'
,
'ip'
,
'addr'
,
)
+
args
logging
.
debug
(
'subprocess_check_output: {}'
.
format
(
args
))
return
subprocess
.
check_output
(
args
)
args
=
(
'/sbin/ip'
,
'addr'
,
)
+
args
return
ns_exec
(
NETNS
,
args
)
def
show
(
self
):
retval
=
[]
...
...
@@ -28,6 +28,9 @@ class IPDevice:
def
add
(
self
,
address
):
self
.
_run
(
'add'
,
str
(
address
),
'dev'
,
self
.
devname
)
def
up
(
self
):
ns_exec
(
NETNS
,
(
'/sbin/ip'
,
'link'
,
'set'
,
'up'
,
self
.
devname
))
def
migrate
(
self
,
new_addresses
):
old_addresses
=
[
str
(
x
)
for
x
in
self
.
show
()]
new_addresses
=
[
str
(
x
)
for
x
in
new_addresses
]
...
...
@@ -53,8 +56,12 @@ class Switch:
pass
def
_run
(
self
,
*
args
):
args
=
(
'sudo'
,
'ovs-vsctl'
,
)
+
args
return
subprocess
.
check_output
(
args
)
args
=
(
'ovs-vsctl'
,
)
+
args
return
sudo
(
args
)
def
_setns
(
self
,
dev
):
args
=
(
'/sbin/ip'
,
'link'
,
'set'
,
dev
,
'netns'
,
NETNS
)
return
sudo
(
args
)
def
list_ports
(
self
):
retval
=
{}
...
...
@@ -88,22 +95,17 @@ class Switch:
params
=
[
'add-bond'
,
self
.
brname
,
name
]
+
interfaces
+
[
'tag=
%
d'
%
int
(
tag
)]
else
:
params
=
[
'add-port'
,
self
.
brname
,
name
,
'tag=
%
d'
%
int
(
tag
)]
params
=
[
'add-port'
,
self
.
brname
,
name
]
if
tag
is
not
None
:
params
=
params
+
[
'tag=
%
d'
%
int
(
tag
)]
if
internal
:
params
=
params
+
[
'--'
,
'set'
,
'Interface'
,
interfaces
[
0
],
'type=internal'
]
if
trunks
is
not
None
and
len
(
trunks
)
>
0
:
params
.
append
(
'trunks=
%
s'
%
trunks
)
self
.
_run
(
*
params
)
self
.
ip_link_up
(
interfaces
)
def
ip_link_up
(
self
,
interfaces
):
for
interface
in
interfaces
:
try
:
subprocess
.
check_output
([
'sudo'
,
'ip'
,
'link'
,
'set'
,
'up'
,
interface
])
except
:
pass
if
not
internal
:
self
.
_setns
(
name
)
def
delete_port
(
self
,
name
):
self
.
_run
(
'del-port'
,
self
.
brname
,
name
)
...
...
@@ -139,7 +141,7 @@ class Switch:
self
.
delete_port
(
i
)
for
i
in
add
:
internal
=
new_ports
[
i
]
.
get
(
'type'
,
''
)
==
'internal'
tag
=
new_ports
[
i
]
[
'tag'
]
tag
=
new_ports
[
i
]
.
get
(
'tag'
,
None
)
trunks
=
new_ports
[
i
]
.
get
(
'trunks'
,
[])
interfaces
=
new_ports
[
i
][
'interfaces'
]
self
.
add_port
(
i
,
interfaces
,
tag
,
trunks
,
internal
)
...
...
@@ -150,5 +152,7 @@ class Switch:
interface
.
migrate
([
IPNetwork
(
x
)
for
x
in
data
.
get
(
'addresses'
,
[])
if
x
!=
'None'
])
if
new_ports
[
i
]
.
get
(
'type'
,
''
)
==
'internal'
:
interface
.
up
()
except
:
pass
utils.py
0 → 100644
View file @
17888275
from
os
import
getenv
,
devnull
import
subprocess
as
sp
import
logging
logger
=
logging
.
getLogger
(
__name__
)
logger
.
setLevel
(
logging
.
DEBUG
)
NETNS
=
getenv
(
'NETNS'
,
'fw'
)
def
sudo
(
args
,
stdin
=
None
):
FNULL
=
open
(
devnull
,
'w'
)
args
=
(
'/usr/bin/sudo'
,
)
+
args
logger
.
debug
(
'EXEC {}'
.
format
(
' '
.
join
(
args
)))
if
isinstance
(
stdin
,
basestring
):
proc
=
sp
.
Popen
(
args
,
stdin
=
sp
.
PIPE
,
stderr
=
FNULL
)
return
proc
.
communicate
(
stdin
)
else
:
return
sp
.
check_output
(
args
,
stderr
=
FNULL
)
def
ns_exec
(
netns
,
args
,
stdin
=
None
):
return
sudo
((
'/sbin/ip'
,
'netns'
,
'exec'
,
NETNS
)
+
args
,
stdin
)
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment