wakame-vdc-agents 11.06.0 → 11.12.0

Sign up to get free protection for your applications and to get access to all the features.
Files changed (138) hide show
  1. data/Rakefile +19 -31
  2. data/bin/hva +15 -5
  3. data/bin/nsa +15 -5
  4. data/bin/sta +9 -222
  5. data/config/db/migrations/0001_v1110_origin.rb +446 -0
  6. data/config/hva.conf.example +19 -11
  7. data/config/nsa.conf.example +1 -1
  8. data/lib/dcmgr.rb +99 -22
  9. data/lib/dcmgr/cli/base.rb +34 -1
  10. data/lib/dcmgr/cli/host.rb +24 -20
  11. data/lib/dcmgr/cli/image.rb +38 -19
  12. data/lib/dcmgr/cli/keypair.rb +16 -12
  13. data/lib/dcmgr/cli/network.rb +189 -81
  14. data/lib/dcmgr/cli/quota.rb +2 -2
  15. data/lib/dcmgr/cli/security_group.rb +106 -0
  16. data/lib/dcmgr/cli/spec.rb +144 -39
  17. data/lib/dcmgr/cli/storage.rb +16 -15
  18. data/lib/dcmgr/cli/tag.rb +20 -14
  19. data/lib/dcmgr/cli/vlan.rb +5 -5
  20. data/lib/dcmgr/drivers/backing_store.rb +32 -0
  21. data/lib/dcmgr/drivers/comstar.rb +81 -0
  22. data/lib/dcmgr/drivers/iijgio_storage.rb +9 -19
  23. data/lib/dcmgr/drivers/iscsi_target.rb +41 -0
  24. data/lib/dcmgr/drivers/kvm.rb +161 -28
  25. data/lib/dcmgr/drivers/linux_iscsi.rb +60 -0
  26. data/lib/dcmgr/drivers/local_storage.rb +24 -0
  27. data/lib/dcmgr/drivers/lxc.rb +167 -125
  28. data/lib/dcmgr/drivers/raw.rb +74 -0
  29. data/lib/dcmgr/drivers/s3_storage.rb +7 -19
  30. data/lib/dcmgr/drivers/snapshot_storage.rb +18 -28
  31. data/lib/dcmgr/drivers/storage_initiator.rb +28 -0
  32. data/lib/dcmgr/drivers/sun_iscsi.rb +32 -0
  33. data/lib/dcmgr/drivers/zfs.rb +77 -0
  34. data/lib/dcmgr/endpoints/core_api.rb +315 -263
  35. data/lib/dcmgr/endpoints/errors.rb +21 -10
  36. data/lib/dcmgr/endpoints/metadata.rb +360 -23
  37. data/lib/dcmgr/helpers/cli_helper.rb +6 -3
  38. data/lib/dcmgr/helpers/ec2_metadata_helper.rb +9 -0
  39. data/lib/dcmgr/helpers/nic_helper.rb +11 -0
  40. data/lib/dcmgr/helpers/snapshot_storage_helper.rb +34 -0
  41. data/lib/dcmgr/models/account.rb +0 -6
  42. data/lib/dcmgr/models/account_resource.rb +0 -4
  43. data/lib/dcmgr/models/base_new.rb +14 -2
  44. data/lib/dcmgr/models/dhcp_range.rb +38 -0
  45. data/lib/dcmgr/models/frontend_system.rb +0 -6
  46. data/lib/dcmgr/models/history.rb +0 -11
  47. data/lib/dcmgr/models/host_node.rb +131 -0
  48. data/lib/dcmgr/models/hostname_lease.rb +0 -8
  49. data/lib/dcmgr/models/image.rb +31 -18
  50. data/lib/dcmgr/models/instance.rb +137 -143
  51. data/lib/dcmgr/models/instance_nic.rb +52 -29
  52. data/lib/dcmgr/models/instance_security_group.rb +9 -0
  53. data/lib/dcmgr/models/instance_spec.rb +163 -31
  54. data/lib/dcmgr/models/ip_lease.rb +10 -21
  55. data/lib/dcmgr/models/mac_lease.rb +30 -11
  56. data/lib/dcmgr/models/network.rb +148 -27
  57. data/lib/dcmgr/models/physical_network.rb +18 -0
  58. data/lib/dcmgr/models/quota.rb +0 -10
  59. data/lib/dcmgr/models/request_log.rb +3 -18
  60. data/lib/dcmgr/models/security_group.rb +66 -0
  61. data/lib/dcmgr/models/security_group_rule.rb +145 -0
  62. data/lib/dcmgr/models/ssh_key_pair.rb +16 -19
  63. data/lib/dcmgr/models/{storage_pool.rb → storage_node.rb} +35 -25
  64. data/lib/dcmgr/models/tag.rb +0 -14
  65. data/lib/dcmgr/models/tag_mapping.rb +1 -7
  66. data/lib/dcmgr/models/vlan_lease.rb +2 -8
  67. data/lib/dcmgr/models/volume.rb +49 -37
  68. data/lib/dcmgr/models/volume_snapshot.rb +15 -17
  69. data/lib/dcmgr/node_modules/hva_collector.rb +69 -28
  70. data/lib/dcmgr/node_modules/instance_ha.rb +23 -12
  71. data/lib/dcmgr/node_modules/instance_monitor.rb +16 -2
  72. data/lib/dcmgr/node_modules/openflow_controller.rb +784 -0
  73. data/lib/dcmgr/node_modules/scheduler.rb +189 -0
  74. data/lib/dcmgr/node_modules/service_netfilter.rb +452 -227
  75. data/lib/dcmgr/node_modules/service_openflow.rb +731 -0
  76. data/lib/dcmgr/node_modules/sta_collector.rb +20 -0
  77. data/lib/dcmgr/node_modules/sta_tgt_initializer.rb +35 -0
  78. data/lib/dcmgr/rack/request_logger.rb +11 -6
  79. data/lib/dcmgr/rpc/hva_handler.rb +256 -110
  80. data/lib/dcmgr/rpc/sta_handler.rb +244 -0
  81. data/lib/dcmgr/scheduler.rb +122 -8
  82. data/lib/dcmgr/scheduler/host_node/exclude_same.rb +24 -0
  83. data/lib/dcmgr/scheduler/host_node/find_first.rb +12 -0
  84. data/lib/dcmgr/scheduler/host_node/least_usage.rb +28 -0
  85. data/lib/dcmgr/scheduler/host_node/per_instance.rb +18 -0
  86. data/lib/dcmgr/scheduler/host_node/specify_node.rb +26 -0
  87. data/lib/dcmgr/scheduler/network/flat_single.rb +23 -0
  88. data/lib/dcmgr/scheduler/network/nat_one_to_one.rb +23 -0
  89. data/lib/dcmgr/scheduler/network/per_instance.rb +39 -0
  90. data/lib/dcmgr/scheduler/network/vif_template.rb +19 -0
  91. data/lib/dcmgr/scheduler/storage_node/find_first.rb +13 -0
  92. data/lib/dcmgr/scheduler/storage_node/least_usage.rb +23 -0
  93. data/lib/dcmgr/storage_service.rb +39 -40
  94. data/lib/dcmgr/tags.rb +3 -3
  95. data/lib/dcmgr/version.rb +1 -1
  96. data/lib/dcmgr/vnet.rb +105 -0
  97. data/lib/dcmgr/vnet/factories.rb +141 -0
  98. data/lib/dcmgr/vnet/isolators/by_securitygroup.rb +21 -0
  99. data/lib/dcmgr/vnet/isolators/dummy.rb +17 -0
  100. data/lib/dcmgr/vnet/netfilter/cache.rb +51 -0
  101. data/lib/dcmgr/vnet/netfilter/chain.rb +66 -0
  102. data/lib/dcmgr/vnet/netfilter/controller.rb +193 -0
  103. data/lib/dcmgr/vnet/netfilter/ebtables_rule.rb +53 -0
  104. data/lib/dcmgr/vnet/netfilter/iptables_rule.rb +45 -0
  105. data/lib/dcmgr/vnet/netfilter/task_manager.rb +459 -0
  106. data/lib/dcmgr/vnet/tasks/accept_all_dns.rb +19 -0
  107. data/lib/dcmgr/vnet/tasks/accept_arp_broadcast.rb +24 -0
  108. data/lib/dcmgr/vnet/tasks/accept_arp_from_friends.rb +34 -0
  109. data/lib/dcmgr/vnet/tasks/accept_arp_from_gateway.rb +21 -0
  110. data/lib/dcmgr/vnet/tasks/accept_arp_to_host.rb +30 -0
  111. data/lib/dcmgr/vnet/tasks/accept_ip_from_friends.rb +26 -0
  112. data/lib/dcmgr/vnet/tasks/accept_ip_from_gateway.rb +23 -0
  113. data/lib/dcmgr/vnet/tasks/accept_ip_to_anywhere.rb +18 -0
  114. data/lib/dcmgr/vnet/tasks/accept_related_established.rb +45 -0
  115. data/lib/dcmgr/vnet/tasks/accept_wakame_dhcp_only.rb +33 -0
  116. data/lib/dcmgr/vnet/tasks/accept_wakame_dns_only.rb +33 -0
  117. data/lib/dcmgr/vnet/tasks/debug_iptables.rb +21 -0
  118. data/lib/dcmgr/vnet/tasks/drop_arp_forwarding.rb +27 -0
  119. data/lib/dcmgr/vnet/tasks/drop_arp_to_host.rb +24 -0
  120. data/lib/dcmgr/vnet/tasks/drop_ip_from_anywhere.rb +18 -0
  121. data/lib/dcmgr/vnet/tasks/drop_ip_spoofing.rb +34 -0
  122. data/lib/dcmgr/vnet/tasks/drop_mac_spoofing.rb +33 -0
  123. data/lib/dcmgr/vnet/tasks/exclude_from_nat.rb +47 -0
  124. data/lib/dcmgr/vnet/tasks/security_group.rb +37 -0
  125. data/lib/dcmgr/vnet/tasks/static_nat.rb +54 -0
  126. data/lib/dcmgr/vnet/tasks/translate_metadata_address.rb +32 -0
  127. metadata +105 -68
  128. data/lib/dcmgr/cli/group.rb +0 -101
  129. data/lib/dcmgr/endpoints/core_api_mock.rb +0 -865
  130. data/lib/dcmgr/models/host_pool.rb +0 -122
  131. data/lib/dcmgr/models/instance_netfilter_group.rb +0 -16
  132. data/lib/dcmgr/models/netfilter_group.rb +0 -89
  133. data/lib/dcmgr/models/netfilter_rule.rb +0 -21
  134. data/lib/dcmgr/scheduler/find_last.rb +0 -16
  135. data/lib/dcmgr/scheduler/find_random.rb +0 -16
  136. data/lib/dcmgr/stm/instance.rb +0 -25
  137. data/lib/dcmgr/stm/snapshot_context.rb +0 -33
  138. data/lib/dcmgr/stm/volume_context.rb +0 -65
@@ -0,0 +1,19 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ class AcceptAllDNS < Task
8
+ include Dcmgr::VNet::Netfilter
9
+ def initialize()
10
+ super()
11
+ # Allow DNS traffic to take place
12
+ self.rules << IptablesRule.new(:filter,:forward,:udp,:outgoing,"-p udp --dport 53 -j ACCEPT")
13
+ self.rules << IptablesRule.new(:filter,:forward,:udp,:incoming,"-p udp --dport 53 -j ACCEPT")
14
+ end
15
+ end
16
+
17
+ end
18
+ end
19
+ end
@@ -0,0 +1,24 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ class AcceptArpBroadcast < Task
8
+ include Dcmgr::VNet::Netfilter
9
+ attr_accessor :hva_ip
10
+
11
+ def initialize(hva_ip,enable_logging = false,log_prefix = nil)
12
+ super()
13
+ self.hva_ip = hva_ip
14
+
15
+ # Allow broadcast from the network
16
+ self.rules << EbtablesRule.new(:filter,:forward,:arp,:incoming,"--protocol arp --arp-mac-dst 00:00:00:00:00:00 #{EbtablesRule.log_arp(log_prefix) if enable_logging} -j ACCEPT")
17
+ # Allow broadcast from the host
18
+ self.rules << EbtablesRule.new(:filter,:output,:arp,:outgoing,"--protocol arp --arp-ip-src=#{self.hva_ip} #{EbtablesRule.log_arp(log_prefix) if enable_logging} --arp-mac-dst 00:00:00:00:00:00 -j ACCEPT")
19
+ end
20
+ end
21
+
22
+ end
23
+ end
24
+ end
@@ -0,0 +1,34 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ # Explicitely allows ARP traffic between "friend" instances
8
+ # Friends are decided by an Isolator class
9
+ class AcceptARPFromFriends < Task
10
+ include Dcmgr::VNet::Netfilter
11
+ attr_reader :inst_ip
12
+ attr_reader :friend_ips
13
+ attr_reader :enable_logging
14
+ attr_reader :log_prefix
15
+
16
+ def initialize(inst_ip,friend_ips,enable_logging,log_prefix)
17
+ super()
18
+
19
+ @enable_logging = enable_logging
20
+ @log_prefix = log_prefix
21
+ @inst_ip = inst_ip
22
+ @friend_ips = friend_ips
23
+
24
+ friend_ips.each { |friend_ip|
25
+ # Log traffic
26
+ self.rules << EbtablesRule.new(:filter,:forward,:arp,:incoming,"--protocol arp --arp-ip-src #{friend_ip} --arp-ip-dst #{self.inst_ip} --log-ip --log-arp --log-prefix '#{self.log_prefix}' -j CONTINUE") if self.enable_logging
27
+ self.rules << EbtablesRule.new(:filter,:forward,:arp,:incoming,"--protocol arp --arp-ip-src #{friend_ip} --arp-ip-dst #{self.inst_ip} -j ACCEPT")
28
+ }
29
+ end
30
+ end
31
+
32
+ end
33
+ end
34
+ end
@@ -0,0 +1,21 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ class AcceptARPFromGateway < Task
8
+ include Dcmgr::VNet::Netfilter
9
+ attr_accessor :gw_ip
10
+
11
+ def initialize(gw_ip,enable_logging = false,log_prefix = nil)
12
+ super()
13
+ self.gw_ip = gw_ip
14
+ # Allow broadcast from the gateway
15
+ self.rules << EbtablesRule.new(:filter,:forward,:arp,:incoming,"--protocol arp --arp-ip-src=#{self.gw_ip} #{EbtablesRule.log_arp(log_prefix) if enable_logging} -j ACCEPT")
16
+ end
17
+ end
18
+
19
+ end
20
+ end
21
+ end
@@ -0,0 +1,30 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ # Explicitely allows ARP traffic to take place from the instance to the host
8
+ class AcceptARPToHost < Task
9
+ include Dcmgr::VNet::Netfilter
10
+ attr_reader :enable_logging
11
+ attr_reader :log_prefix
12
+ attr_reader :host_ip
13
+ attr_reader :inst_ip
14
+
15
+ def initialize(host_ip,inst_ip,enable_logging,log_prefix)
16
+ super()
17
+
18
+ @enable_logging = enable_logging
19
+ @log_prefix = log_prefix
20
+ @host_ip = host_ip
21
+ @inst_ip = inst_ip
22
+
23
+ self.rules << EbtablesRule.new(:filter,:input,:arp,:outgoing,"--protocol arp --arp-ip-src #{self.inst_ip} --arp-ip-dst #{self.host_ip} --log-ip --log-arp --log-prefix '#{self.log_prefix}' -j CONTINUE") if self.enable_logging
24
+ self.rules << EbtablesRule.new(:filter,:input,:arp,:outgoing,"--protocol arp --arp-ip-src #{self.inst_ip} -j ACCEPT")
25
+ end
26
+ end
27
+
28
+ end
29
+ end
30
+ end
@@ -0,0 +1,26 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ # Explicitely allows IP traffic between "friend" instances
8
+ # Friends are determined by an Isolator class
9
+ class AcceptIpFromFriends < Task
10
+ include Dcmgr::VNet::Netfilter
11
+ attr_reader :friend_ips
12
+
13
+ def initialize(friend_ips)
14
+ super()
15
+
16
+ @friend_ips = friend_ips
17
+
18
+ friend_ips.each { |friend_ip|
19
+ self.rules << IptablesRule.new(:filter,:forward,nil,:incoming,"-s #{friend_ip} -j ACCEPT")
20
+ }
21
+ end
22
+ end
23
+
24
+ end
25
+ end
26
+ end
@@ -0,0 +1,23 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ # Explicitely allows IP traffic between the gateway and the instances
8
+ class AcceptIpFromGateway < Task
9
+ include Dcmgr::VNet::Netfilter
10
+ attr_reader :gateway_ip
11
+
12
+ def initialize(gateway_ip)
13
+ super()
14
+
15
+ @gateway_ip = gateway_ip
16
+
17
+ self.rules << IptablesRule.new(:filter,:forward,nil,:incoming,"-s #{gateway_ip} -j ACCEPT")
18
+ end
19
+ end
20
+
21
+ end
22
+ end
23
+ end
@@ -0,0 +1,18 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ # Allows any outgoing IP layer traffic from the instance to pass through
8
+ class AcceptIpToAnywhere < Task
9
+ include Dcmgr::VNet::Netfilter
10
+ def initialize
11
+ super()
12
+ self.rules << IptablesRule.new(:filter,:forward,nil,:outgoing,"-j ACCEPT")
13
+ end
14
+ end
15
+
16
+ end
17
+ end
18
+ end
@@ -0,0 +1,45 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ # Accept related and established connections for tco
8
+ class AcceptTcpRelatedEstablished < Task
9
+ include Dcmgr::VNet::Netfilter
10
+ def initialize
11
+ super()
12
+ self.rules << IptablesRule.new(:filter,:forward,:tcp,:incoming,"-m state --state RELATED,ESTABLISHED -p tcp -j ACCEPT")
13
+ end
14
+ end
15
+
16
+ # Accept related and established connections for icmp
17
+ class AcceptIcmpRelatedEstablished < Task
18
+ include Dcmgr::VNet::Netfilter
19
+ def initialize
20
+ super()
21
+ self.rules << IptablesRule.new(:filter,:forward,:icmp,:incoming,"-m state --state RELATED,ESTABLISHED -p icmp -j ACCEPT")
22
+ end
23
+ end
24
+
25
+ # Accept established connections for any udp
26
+ class AcceptUdpEstablished < Task
27
+ include Dcmgr::VNet::Netfilter
28
+ def initialize
29
+ super()
30
+ self.rules << IptablesRule.new(:filter,:forward,:udp,:incoming,"-m state --state ESTABLISHED -p udp -j ACCEPT")
31
+ end
32
+ end
33
+
34
+ # Accept related and established connaction for any protocol
35
+ class AcceptRelatedEstablished < Task
36
+ include Dcmgr::VNet::Netfilter
37
+ def initialize
38
+ super()
39
+ self.rules << IptablesRule.new(:filter,:forward,nil,:incoming,"-m state --state RELATED,ESTABLISHED -j ACCEPT")
40
+ end
41
+ end
42
+
43
+ end
44
+ end
45
+ end
@@ -0,0 +1,33 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ # Allows for DHCP traffic to take place with and only with wakame's DHCP server
8
+ class AcceptWakameDHCPOnly < Task
9
+ include Dcmgr::VNet::Netfilter
10
+ #TODO: allow ARP traffic to DHCP server
11
+ attr_reader :dhcp_server_ip
12
+
13
+ def initialize(dhcp_server_ip,fport = 67, tport = 68)
14
+ super()
15
+
16
+ @dhcp_server_ip = dhcp_server_ip
17
+
18
+ # Block DHCP replies that aren't coming from our DHCP server
19
+ self.rules << IptablesRule.new(:filter,:forward,:udp,:incoming,"-p udp ! -s #{self.dhcp_server_ip} --sport #{fport}:#{tport} -j DROP")
20
+
21
+ # Accept DHCP replies coming from our DHCP server
22
+ self.rules << IptablesRule.new(:filter,:forward,:udp,:incoming,"-p udp -s #{self.dhcp_server_ip} --sport #{fport}:#{tport} -j ACCEPT")
23
+
24
+ # Drop all non DHCP traffic to our DHCP server
25
+ [:udp,:tcp,:icmp].each { |protocol|
26
+ self.rules << IptablesRule.new(:filter,:forward,protocol,:outgoing,"-d #{self.dhcp_server_ip} -p #{protocol} -j DROP")
27
+ }
28
+ end
29
+ end
30
+
31
+ end
32
+ end
33
+ end
@@ -0,0 +1,33 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ # Allows for DNS traffic to be exchanged with and only with Wakame's DNS server
8
+ class AcceptWakameDNSOnly < Task
9
+ include Dcmgr::VNet::Netfilter
10
+ #TODO: allow ARP traffic to DNS server
11
+ attr_reader :dns_server_ip
12
+ attr_reader :dns_server_port
13
+
14
+ def initialize(dns_server_ip,dns_server_port="53")
15
+ super()
16
+
17
+ @dns_server_ip = dns_server_ip
18
+ @dns_server_port = dns_server_port
19
+
20
+ # Allow DNS traffic to take place
21
+ self.rules << IptablesRule.new(:filter,:forward,:udp,:outgoing,"-p udp -d #{self.dns_server_ip} --dport #{self.dns_server_port} -j ACCEPT")
22
+ self.rules << IptablesRule.new(:filter,:forward,:udp,:incoming,"-p udp -d #{self.dns_server_ip} --dport #{self.dns_server_port} -j ACCEPT")
23
+
24
+ # Disable any non DNS traffic to DNS server
25
+ #[:udp,:tcp,:icmp].each { |protocol|
26
+ #self.rules << IptablesRule.new(:filter,:forward,protocol,:outgoing,"-d #{self.dns_server_ip} -p #{protocol} -j DROP")
27
+ #}
28
+ end
29
+ end
30
+
31
+ end
32
+ end
33
+ end
@@ -0,0 +1,21 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ # via http://backreference.org/2010/06/11/iptables-debugging/
8
+ # To debug ipv4 packets.
9
+ # $ sudo tail -F /var/log/kern.log | grep TRACE:
10
+ class DebugIptables < Task
11
+ include Dcmgr::VNet::Netfilter
12
+ def initialize
13
+ super()
14
+ self.rules << IptablesRule.new(:raw,:output,:icmp,:outgoing,"-p icmp -j TRACE")
15
+ self.rules << IptablesRule.new(:raw,:prerouting,:icmp,:incoming,"-p icmp -j TRACE")
16
+ end
17
+ end
18
+
19
+ end
20
+ end
21
+ end
@@ -0,0 +1,27 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ # Drops all ARP packet forwarding
8
+ class DropArpForwarding < Task
9
+ include Dcmgr::VNet::Netfilter
10
+ attr_reader :enable_logging
11
+ attr_reader :log_prefix
12
+
13
+ def initialize(enable_logging,log_prefix)
14
+ super()
15
+
16
+ @enable_logging = enable_logging
17
+ @log_prefix = log_prefix
18
+
19
+ # Drop forwarding to other instances
20
+ #self.rules << EbtablesRule.new(:filter,:forward,:arp,:incoming,"--log-level 4 --log-ip --log-arp --log-prefix 'D d_#{self.log_prefix}_arp:' -j CONTINUE") if self.enable_logging
21
+ self.rules << EbtablesRule.new(:filter,:forward,:arp,:incoming,"#{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
22
+ end
23
+ end
24
+
25
+ end
26
+ end
27
+ end
@@ -0,0 +1,24 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ # Drops all ARP packets coming into the host
8
+ class DropArpToHost < Task
9
+ include Dcmgr::VNet::Netfilter
10
+ attr_reader :enable_logging
11
+ attr_reader :log_prefix
12
+
13
+ def initialize
14
+ super()
15
+
16
+ # Drop forwarding to host
17
+ #self.rules << EbtablesRule.new(:filter,:input,:arp,:outgoing,"--log-level 4 --log-ip --log-arp --log-prefix '#{self.log_prefix}' -j CONTINUE") if self.enable_logging
18
+ self.rules << EbtablesRule.new(:filter,:input,:arp,:outgoing,"#{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
19
+ end
20
+ end
21
+
22
+ end
23
+ end
24
+ end
@@ -0,0 +1,18 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ # Drop all incoming IP layer traffic
8
+ class DropIpFromAnywhere < Task
9
+ include Dcmgr::VNet::Netfilter
10
+ def initialize
11
+ super()
12
+ self.rules << IptablesRule.new(:filter,:forward,nil,:incoming,"-j DROP")
13
+ end
14
+ end
15
+
16
+ end
17
+ end
18
+ end
@@ -0,0 +1,34 @@
1
+ # -*- coding: utf-8 -*-
2
+
3
+ module Dcmgr
4
+ module VNet
5
+ module Tasks
6
+
7
+ # Disable instances from spoofing another ip address
8
+ class DropIpSpoofing < Task
9
+ include Dcmgr::VNet::Netfilter
10
+ attr_accessor :ip
11
+ attr_accessor :enable_logging
12
+ attr_accessor :log_prefix
13
+
14
+ def initialize(ip,enable_logging,log_prefix)
15
+ super()
16
+ self.ip = ip
17
+ self.enable_logging = enable_logging
18
+ self.log_prefix = log_prefix
19
+
20
+ # Prevent spoofing to the outside world
21
+ self.rules << EbtablesRule.new(:filter,:forward,:arp,:outgoing,"--protocol arp --arp-ip-src ! #{self.ip} #{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
22
+ # Prevent spoofing to the host
23
+ self.rules << EbtablesRule.new(:filter,:input,:arp,:outgoing,"--protocol arp --arp-ip-src ! #{self.ip} #{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
24
+
25
+ # Prevent the outside world from spoofing to the instance
26
+ self.rules << EbtablesRule.new(:filter,:forward,:arp,:incoming,"--protocol arp --arp-ip-dst ! #{self.ip} #{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
27
+ # Prevent the host from spoofing to the instance
28
+ self.rules << EbtablesRule.new(:filter,:output,:arp,:incoming,"--protocol arp --arp-ip-dst ! #{self.ip} #{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
29
+ end
30
+ end
31
+
32
+ end
33
+ end
34
+ end