reyes 1.2.0 → 1.2.1
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- checksums.yaml +8 -8
- data/lib/reyes/group_manager.rb +60 -11
- data/lib/reyes/version.rb +1 -1
- metadata +2 -2
checksums.yaml
CHANGED
|
@@ -1,15 +1,15 @@
|
|
|
1
1
|
---
|
|
2
2
|
!binary "U0hBMQ==":
|
|
3
3
|
metadata.gz: !binary |-
|
|
4
|
-
|
|
4
|
+
YjY2OTM2MzJiMTg1MTJjYzkzY2JiZjU4YzFhOTc5MmUxNWY4MDZlZQ==
|
|
5
5
|
data.tar.gz: !binary |-
|
|
6
|
-
|
|
6
|
+
NzJiNTU1ODI2MmU5NTljOWRiMTA0OTRlMzFkZTkyMmZmMDU2ZTIzYQ==
|
|
7
7
|
SHA512:
|
|
8
8
|
metadata.gz: !binary |-
|
|
9
|
-
|
|
10
|
-
|
|
11
|
-
|
|
9
|
+
ZDRjNmVjZjczZmY1NjZkNWY5YjMyNjA3ODc3NTA4ZDZjMzExZDI3NmYyYTMy
|
|
10
|
+
OTVmYjMzZjZmZjQ4M2I3MjNkYjljNTAxN2E1NTg2NmE4YzQ4ZTgyY2YwOGIz
|
|
11
|
+
OWRhNjkwOTg4NTJiM2Q5ZjI2YzE0MTc4ZWZkYThjZjRhYmM0YWI=
|
|
12
12
|
data.tar.gz: !binary |-
|
|
13
|
-
|
|
14
|
-
|
|
15
|
-
|
|
13
|
+
ZDgzYTdkZjRmN2YyMTliNDZlYmQzYmYzY2RkNzQ1ZmQ4NDg3YjdmZDc1NGY1
|
|
14
|
+
YmRjZDVlNmZmMjdiNDMwZGNhOTMzYWQyN2ZiMTZkMjY2NGY3OTUwYzYxNThl
|
|
15
|
+
ZmE0ZGY0YzAxODVkNzEyNGZhNGQ2OTQ1ZTVjZjgxZmZhNTljOGM=
|
data/lib/reyes/group_manager.rb
CHANGED
|
@@ -1,4 +1,5 @@
|
|
|
1
1
|
require 'ipaddr'
|
|
2
|
+
require 'socket'
|
|
2
3
|
|
|
3
4
|
module Reyes
|
|
4
5
|
|
|
@@ -47,6 +48,16 @@ module Reyes
|
|
|
47
48
|
fake_aws.instance(@region, @instance_id)
|
|
48
49
|
end
|
|
49
50
|
|
|
51
|
+
# List IPv4 addresses of the current host.
|
|
52
|
+
#
|
|
53
|
+
# @return [Array<IPAddr>]
|
|
54
|
+
#
|
|
55
|
+
def local_ipv4_addresses
|
|
56
|
+
Socket.ip_address_list.find_all(&:ipv4?).map {|a|
|
|
57
|
+
IPAddr.new(a.ip_address)
|
|
58
|
+
}
|
|
59
|
+
end
|
|
60
|
+
|
|
50
61
|
# @return [Hash]
|
|
51
62
|
def our_groups(skip_excluded=true)
|
|
52
63
|
data = fake_aws.security_groups_for_instance(@region, @instance_id)
|
|
@@ -230,17 +241,7 @@ module Reyes
|
|
|
230
241
|
# filter all remote CIDR blocks through reyes
|
|
231
242
|
fake_aws.remote_cidr_blocks(vpc_id).map do |cidr|
|
|
232
243
|
|
|
233
|
-
|
|
234
|
-
IPAddr.new(cidr)
|
|
235
|
-
|
|
236
|
-
# safeguard against accidentally including our own CIDR block
|
|
237
|
-
if cidr == fake_aws.vpcs.fetch(vpc_id).fetch('cidr_block')
|
|
238
|
-
log.error('Somehow remote_cidr_blocks includes our cidr_block')
|
|
239
|
-
log.error("Our VPC: #{vpc_id.inspect}")
|
|
240
|
-
log.error("Our CIDR block: #{cidr.inspect}")
|
|
241
|
-
raise ArgumentError.new(
|
|
242
|
-
"Refusing to filter CIDR block for self VPC")
|
|
243
|
-
end
|
|
244
|
+
check_cidr_ok_for_reyes(cidr)
|
|
244
245
|
|
|
245
246
|
"-A INPUT -s #{cidr} -j #{ReyesInputChain}"
|
|
246
247
|
end
|
|
@@ -344,6 +345,54 @@ module Reyes
|
|
|
344
345
|
|
|
345
346
|
private
|
|
346
347
|
|
|
348
|
+
# Reyes should never filter incoming traffic that would natively be covered
|
|
349
|
+
# by security groups. Our paranoia here stems from a desire not to
|
|
350
|
+
# accidentally lock ourselves out of large groups of instances.
|
|
351
|
+
#
|
|
352
|
+
# Ensure that the passed CIDR block is not the block for the current VPC
|
|
353
|
+
# and does not include the current hosts's local IP addresses.
|
|
354
|
+
#
|
|
355
|
+
# @param [String, IPAddr] cidr_block
|
|
356
|
+
#
|
|
357
|
+
# @raise [Reyes::Error] If the cidr block is found to be invalid for Reyes.
|
|
358
|
+
#
|
|
359
|
+
def check_cidr_ok_for_reyes(cidr_block)
|
|
360
|
+
case cidr_block
|
|
361
|
+
when String
|
|
362
|
+
cidr_block = IPAddr.new(cidr_block)
|
|
363
|
+
when IPAddr
|
|
364
|
+
else
|
|
365
|
+
raise ArgumentError.new("Invalid CIDR block: #{cidr_block.inspect}")
|
|
366
|
+
end
|
|
367
|
+
|
|
368
|
+
self_vpc_block = fake_aws.vpcs.fetch(vpc_id).fetch('cidr_block')
|
|
369
|
+
|
|
370
|
+
# safeguard against accidentally including our own CIDR block
|
|
371
|
+
if cidr_block == IPAddr.new(self_vpc_block)
|
|
372
|
+
log.error('Somehow remote_cidr_blocks includes our cidr_block')
|
|
373
|
+
log.error("Our VPC: #{vpc_id.inspect}")
|
|
374
|
+
log.error("Our VPC CIDR block: #{self_vpc_block.inspect}")
|
|
375
|
+
raise Error.new('Refusing to filter CIDR block for self VPC')
|
|
376
|
+
end
|
|
377
|
+
|
|
378
|
+
# Safeguard against accidentally including a CIDR block overlapping a
|
|
379
|
+
# local address
|
|
380
|
+
unless cidr_block.ipv4?
|
|
381
|
+
raise Error.new("Cannot handle non-IPv4 address #{cidr_block.inspect}")
|
|
382
|
+
end
|
|
383
|
+
|
|
384
|
+
local_ipv4_addresses.each do |addr|
|
|
385
|
+
if cidr_block.include?(addr)
|
|
386
|
+
log.error('Somehow remote_cidr_blocks include local IP addr')
|
|
387
|
+
log.error("Local IP address: #{addr.inspect}")
|
|
388
|
+
log.error("Overlapping CIDR block: #{cidr_block.inspect}")
|
|
389
|
+
raise Error.new('Refusing to filter CIDR block over local addr')
|
|
390
|
+
end
|
|
391
|
+
end
|
|
392
|
+
|
|
393
|
+
true
|
|
394
|
+
end
|
|
395
|
+
|
|
347
396
|
def dynamic_rules_from_data(data)
|
|
348
397
|
log.info("Generating dynamic iptables rules")
|
|
349
398
|
|
data/lib/reyes/version.rb
CHANGED
metadata
CHANGED
|
@@ -1,7 +1,7 @@
|
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
|
2
2
|
name: reyes
|
|
3
3
|
version: !ruby/object:Gem::Version
|
|
4
|
-
version: 1.2.
|
|
4
|
+
version: 1.2.1
|
|
5
5
|
platform: ruby
|
|
6
6
|
authors:
|
|
7
7
|
- Andy Brody
|
|
@@ -9,7 +9,7 @@ authors:
|
|
|
9
9
|
autorequire:
|
|
10
10
|
bindir: bin
|
|
11
11
|
cert_chain: []
|
|
12
|
-
date: 2015-03-
|
|
12
|
+
date: 2015-03-05 00:00:00.000000000 Z
|
|
13
13
|
dependencies:
|
|
14
14
|
- !ruby/object:Gem::Dependency
|
|
15
15
|
name: aws-sdk
|