reyes 1.2.0 → 1.2.1
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +8 -8
- data/lib/reyes/group_manager.rb +60 -11
- data/lib/reyes/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,15 +1,15 @@
|
|
|
1
1
|
---
|
|
2
2
|
!binary "U0hBMQ==":
|
|
3
3
|
metadata.gz: !binary |-
|
|
4
|
-
|
|
4
|
+
YjY2OTM2MzJiMTg1MTJjYzkzY2JiZjU4YzFhOTc5MmUxNWY4MDZlZQ==
|
|
5
5
|
data.tar.gz: !binary |-
|
|
6
|
-
|
|
6
|
+
NzJiNTU1ODI2MmU5NTljOWRiMTA0OTRlMzFkZTkyMmZmMDU2ZTIzYQ==
|
|
7
7
|
SHA512:
|
|
8
8
|
metadata.gz: !binary |-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
9
|
+
ZDRjNmVjZjczZmY1NjZkNWY5YjMyNjA3ODc3NTA4ZDZjMzExZDI3NmYyYTMy
|
|
10
|
+
OTVmYjMzZjZmZjQ4M2I3MjNkYjljNTAxN2E1NTg2NmE4YzQ4ZTgyY2YwOGIz
|
|
11
|
+
OWRhNjkwOTg4NTJiM2Q5ZjI2YzE0MTc4ZWZkYThjZjRhYmM0YWI=
|
|
12
12
|
data.tar.gz: !binary |-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
13
|
+
ZDgzYTdkZjRmN2YyMTliNDZlYmQzYmYzY2RkNzQ1ZmQ4NDg3YjdmZDc1NGY1
|
|
14
|
+
YmRjZDVlNmZmMjdiNDMwZGNhOTMzYWQyN2ZiMTZkMjY2NGY3OTUwYzYxNThl
|
|
15
|
+
ZmE0ZGY0YzAxODVkNzEyNGZhNGQ2OTQ1ZTVjZjgxZmZhNTljOGM=
|
data/lib/reyes/group_manager.rb
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
require 'ipaddr'
|
|
2
|
+
require 'socket'
|
|
2
3
|
|
|
3
4
|
module Reyes
|
|
4
5
|
|
|
@@ -47,6 +48,16 @@ module Reyes
|
|
|
47
48
|
fake_aws.instance(@region, @instance_id)
|
|
48
49
|
end
|
|
49
50
|
|
|
51
|
+
# List IPv4 addresses of the current host.
|
|
52
|
+
#
|
|
53
|
+
# @return [Array<IPAddr>]
|
|
54
|
+
#
|
|
55
|
+
def local_ipv4_addresses
|
|
56
|
+
Socket.ip_address_list.find_all(&:ipv4?).map {|a|
|
|
57
|
+
IPAddr.new(a.ip_address)
|
|
58
|
+
}
|
|
59
|
+
end
|
|
60
|
+
|
|
50
61
|
# @return [Hash]
|
|
51
62
|
def our_groups(skip_excluded=true)
|
|
52
63
|
data = fake_aws.security_groups_for_instance(@region, @instance_id)
|
|
@@ -230,17 +241,7 @@ module Reyes
|
|
|
230
241
|
# filter all remote CIDR blocks through reyes
|
|
231
242
|
fake_aws.remote_cidr_blocks(vpc_id).map do |cidr|
|
|
232
243
|
|
|
233
|
-
|
|
234
|
-
IPAddr.new(cidr)
|
|
235
|
-
|
|
236
|
-
# safeguard against accidentally including our own CIDR block
|
|
237
|
-
if cidr == fake_aws.vpcs.fetch(vpc_id).fetch('cidr_block')
|
|
238
|
-
log.error('Somehow remote_cidr_blocks includes our cidr_block')
|
|
239
|
-
log.error("Our VPC: #{vpc_id.inspect}")
|
|
240
|
-
log.error("Our CIDR block: #{cidr.inspect}")
|
|
241
|
-
raise ArgumentError.new(
|
|
242
|
-
"Refusing to filter CIDR block for self VPC")
|
|
243
|
-
end
|
|
244
|
+
check_cidr_ok_for_reyes(cidr)
|
|
244
245
|
|
|
245
246
|
"-A INPUT -s #{cidr} -j #{ReyesInputChain}"
|
|
246
247
|
end
|
|
@@ -344,6 +345,54 @@ module Reyes
|
|
|
344
345
|
|
|
345
346
|
private
|
|
346
347
|
|
|
348
|
+
# Reyes should never filter incoming traffic that would natively be covered
|
|
349
|
+
# by security groups. Our paranoia here stems from a desire not to
|
|
350
|
+
# accidentally lock ourselves out of large groups of instances.
|
|
351
|
+
#
|
|
352
|
+
# Ensure that the passed CIDR block is not the block for the current VPC
|
|
353
|
+
# and does not include the current hosts's local IP addresses.
|
|
354
|
+
#
|
|
355
|
+
# @param [String, IPAddr] cidr_block
|
|
356
|
+
#
|
|
357
|
+
# @raise [Reyes::Error] If the cidr block is found to be invalid for Reyes.
|
|
358
|
+
#
|
|
359
|
+
def check_cidr_ok_for_reyes(cidr_block)
|
|
360
|
+
case cidr_block
|
|
361
|
+
when String
|
|
362
|
+
cidr_block = IPAddr.new(cidr_block)
|
|
363
|
+
when IPAddr
|
|
364
|
+
else
|
|
365
|
+
raise ArgumentError.new("Invalid CIDR block: #{cidr_block.inspect}")
|
|
366
|
+
end
|
|
367
|
+
|
|
368
|
+
self_vpc_block = fake_aws.vpcs.fetch(vpc_id).fetch('cidr_block')
|
|
369
|
+
|
|
370
|
+
# safeguard against accidentally including our own CIDR block
|
|
371
|
+
if cidr_block == IPAddr.new(self_vpc_block)
|
|
372
|
+
log.error('Somehow remote_cidr_blocks includes our cidr_block')
|
|
373
|
+
log.error("Our VPC: #{vpc_id.inspect}")
|
|
374
|
+
log.error("Our VPC CIDR block: #{self_vpc_block.inspect}")
|
|
375
|
+
raise Error.new('Refusing to filter CIDR block for self VPC')
|
|
376
|
+
end
|
|
377
|
+
|
|
378
|
+
# Safeguard against accidentally including a CIDR block overlapping a
|
|
379
|
+
# local address
|
|
380
|
+
unless cidr_block.ipv4?
|
|
381
|
+
raise Error.new("Cannot handle non-IPv4 address #{cidr_block.inspect}")
|
|
382
|
+
end
|
|
383
|
+
|
|
384
|
+
local_ipv4_addresses.each do |addr|
|
|
385
|
+
if cidr_block.include?(addr)
|
|
386
|
+
log.error('Somehow remote_cidr_blocks include local IP addr')
|
|
387
|
+
log.error("Local IP address: #{addr.inspect}")
|
|
388
|
+
log.error("Overlapping CIDR block: #{cidr_block.inspect}")
|
|
389
|
+
raise Error.new('Refusing to filter CIDR block over local addr')
|
|
390
|
+
end
|
|
391
|
+
end
|
|
392
|
+
|
|
393
|
+
true
|
|
394
|
+
end
|
|
395
|
+
|
|
347
396
|
def dynamic_rules_from_data(data)
|
|
348
397
|
log.info("Generating dynamic iptables rules")
|
|
349
398
|
|
data/lib/reyes/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: reyes
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.2.
|
|
4
|
+
version: 1.2.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Andy Brody
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2015-03-
|
|
12
|
+
date: 2015-03-05 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: aws-sdk
|