RubyGems - wakame-vdc-agents - Versions diffs - 11.06.0 → 11.12.0 - Mend

wakame-vdc-agents 11.06.0 → 11.12.0

Files changed (138) hide show

data/Rakefile +19 -31
data/bin/hva +15 -5
data/bin/nsa +15 -5
data/bin/sta +9 -222
data/config/db/migrations/0001_v1110_origin.rb +446 -0
data/config/hva.conf.example +19 -11
data/config/nsa.conf.example +1 -1
data/lib/dcmgr.rb +99 -22
data/lib/dcmgr/cli/base.rb +34 -1
data/lib/dcmgr/cli/host.rb +24 -20
data/lib/dcmgr/cli/image.rb +38 -19
data/lib/dcmgr/cli/keypair.rb +16 -12
data/lib/dcmgr/cli/network.rb +189 -81
data/lib/dcmgr/cli/quota.rb +2 -2
data/lib/dcmgr/cli/security_group.rb +106 -0
data/lib/dcmgr/cli/spec.rb +144 -39
data/lib/dcmgr/cli/storage.rb +16 -15
data/lib/dcmgr/cli/tag.rb +20 -14
data/lib/dcmgr/cli/vlan.rb +5 -5
data/lib/dcmgr/drivers/backing_store.rb +32 -0
data/lib/dcmgr/drivers/comstar.rb +81 -0
data/lib/dcmgr/drivers/iijgio_storage.rb +9 -19
data/lib/dcmgr/drivers/iscsi_target.rb +41 -0
data/lib/dcmgr/drivers/kvm.rb +161 -28
data/lib/dcmgr/drivers/linux_iscsi.rb +60 -0
data/lib/dcmgr/drivers/local_storage.rb +24 -0
data/lib/dcmgr/drivers/lxc.rb +167 -125
data/lib/dcmgr/drivers/raw.rb +74 -0
data/lib/dcmgr/drivers/s3_storage.rb +7 -19
data/lib/dcmgr/drivers/snapshot_storage.rb +18 -28
data/lib/dcmgr/drivers/storage_initiator.rb +28 -0
data/lib/dcmgr/drivers/sun_iscsi.rb +32 -0
data/lib/dcmgr/drivers/zfs.rb +77 -0
data/lib/dcmgr/endpoints/core_api.rb +315 -263
data/lib/dcmgr/endpoints/errors.rb +21 -10
data/lib/dcmgr/endpoints/metadata.rb +360 -23
data/lib/dcmgr/helpers/cli_helper.rb +6 -3
data/lib/dcmgr/helpers/ec2_metadata_helper.rb +9 -0
data/lib/dcmgr/helpers/nic_helper.rb +11 -0
data/lib/dcmgr/helpers/snapshot_storage_helper.rb +34 -0
data/lib/dcmgr/models/account.rb +0 -6
data/lib/dcmgr/models/account_resource.rb +0 -4
data/lib/dcmgr/models/base_new.rb +14 -2
data/lib/dcmgr/models/dhcp_range.rb +38 -0
data/lib/dcmgr/models/frontend_system.rb +0 -6
data/lib/dcmgr/models/history.rb +0 -11
data/lib/dcmgr/models/host_node.rb +131 -0
data/lib/dcmgr/models/hostname_lease.rb +0 -8
data/lib/dcmgr/models/image.rb +31 -18
data/lib/dcmgr/models/instance.rb +137 -143
data/lib/dcmgr/models/instance_nic.rb +52 -29
data/lib/dcmgr/models/instance_security_group.rb +9 -0
data/lib/dcmgr/models/instance_spec.rb +163 -31
data/lib/dcmgr/models/ip_lease.rb +10 -21
data/lib/dcmgr/models/mac_lease.rb +30 -11
data/lib/dcmgr/models/network.rb +148 -27
data/lib/dcmgr/models/physical_network.rb +18 -0
data/lib/dcmgr/models/quota.rb +0 -10
data/lib/dcmgr/models/request_log.rb +3 -18
data/lib/dcmgr/models/security_group.rb +66 -0
data/lib/dcmgr/models/security_group_rule.rb +145 -0
data/lib/dcmgr/models/ssh_key_pair.rb +16 -19
data/lib/dcmgr/models/{storage_pool.rb → storage_node.rb} +35 -25
data/lib/dcmgr/models/tag.rb +0 -14
data/lib/dcmgr/models/tag_mapping.rb +1 -7
data/lib/dcmgr/models/vlan_lease.rb +2 -8
data/lib/dcmgr/models/volume.rb +49 -37
data/lib/dcmgr/models/volume_snapshot.rb +15 -17
data/lib/dcmgr/node_modules/hva_collector.rb +69 -28
data/lib/dcmgr/node_modules/instance_ha.rb +23 -12
data/lib/dcmgr/node_modules/instance_monitor.rb +16 -2
data/lib/dcmgr/node_modules/openflow_controller.rb +784 -0
data/lib/dcmgr/node_modules/scheduler.rb +189 -0
data/lib/dcmgr/node_modules/service_netfilter.rb +452 -227
data/lib/dcmgr/node_modules/service_openflow.rb +731 -0
data/lib/dcmgr/node_modules/sta_collector.rb +20 -0
data/lib/dcmgr/node_modules/sta_tgt_initializer.rb +35 -0
data/lib/dcmgr/rack/request_logger.rb +11 -6
data/lib/dcmgr/rpc/hva_handler.rb +256 -110
data/lib/dcmgr/rpc/sta_handler.rb +244 -0
data/lib/dcmgr/scheduler.rb +122 -8
data/lib/dcmgr/scheduler/host_node/exclude_same.rb +24 -0
data/lib/dcmgr/scheduler/host_node/find_first.rb +12 -0
data/lib/dcmgr/scheduler/host_node/least_usage.rb +28 -0
data/lib/dcmgr/scheduler/host_node/per_instance.rb +18 -0
data/lib/dcmgr/scheduler/host_node/specify_node.rb +26 -0
data/lib/dcmgr/scheduler/network/flat_single.rb +23 -0
data/lib/dcmgr/scheduler/network/nat_one_to_one.rb +23 -0
data/lib/dcmgr/scheduler/network/per_instance.rb +39 -0
data/lib/dcmgr/scheduler/network/vif_template.rb +19 -0
data/lib/dcmgr/scheduler/storage_node/find_first.rb +13 -0
data/lib/dcmgr/scheduler/storage_node/least_usage.rb +23 -0
data/lib/dcmgr/storage_service.rb +39 -40
data/lib/dcmgr/tags.rb +3 -3
data/lib/dcmgr/version.rb +1 -1
data/lib/dcmgr/vnet.rb +105 -0
data/lib/dcmgr/vnet/factories.rb +141 -0
data/lib/dcmgr/vnet/isolators/by_securitygroup.rb +21 -0
data/lib/dcmgr/vnet/isolators/dummy.rb +17 -0
data/lib/dcmgr/vnet/netfilter/cache.rb +51 -0
data/lib/dcmgr/vnet/netfilter/chain.rb +66 -0
data/lib/dcmgr/vnet/netfilter/controller.rb +193 -0
data/lib/dcmgr/vnet/netfilter/ebtables_rule.rb +53 -0
data/lib/dcmgr/vnet/netfilter/iptables_rule.rb +45 -0
data/lib/dcmgr/vnet/netfilter/task_manager.rb +459 -0
data/lib/dcmgr/vnet/tasks/accept_all_dns.rb +19 -0
data/lib/dcmgr/vnet/tasks/accept_arp_broadcast.rb +24 -0
data/lib/dcmgr/vnet/tasks/accept_arp_from_friends.rb +34 -0
data/lib/dcmgr/vnet/tasks/accept_arp_from_gateway.rb +21 -0
data/lib/dcmgr/vnet/tasks/accept_arp_to_host.rb +30 -0
data/lib/dcmgr/vnet/tasks/accept_ip_from_friends.rb +26 -0
data/lib/dcmgr/vnet/tasks/accept_ip_from_gateway.rb +23 -0
data/lib/dcmgr/vnet/tasks/accept_ip_to_anywhere.rb +18 -0
data/lib/dcmgr/vnet/tasks/accept_related_established.rb +45 -0
data/lib/dcmgr/vnet/tasks/accept_wakame_dhcp_only.rb +33 -0
data/lib/dcmgr/vnet/tasks/accept_wakame_dns_only.rb +33 -0
data/lib/dcmgr/vnet/tasks/debug_iptables.rb +21 -0
data/lib/dcmgr/vnet/tasks/drop_arp_forwarding.rb +27 -0
data/lib/dcmgr/vnet/tasks/drop_arp_to_host.rb +24 -0
data/lib/dcmgr/vnet/tasks/drop_ip_from_anywhere.rb +18 -0
data/lib/dcmgr/vnet/tasks/drop_ip_spoofing.rb +34 -0
data/lib/dcmgr/vnet/tasks/drop_mac_spoofing.rb +33 -0
data/lib/dcmgr/vnet/tasks/exclude_from_nat.rb +47 -0
data/lib/dcmgr/vnet/tasks/security_group.rb +37 -0
data/lib/dcmgr/vnet/tasks/static_nat.rb +54 -0
data/lib/dcmgr/vnet/tasks/translate_metadata_address.rb +32 -0
metadata +105 -68
data/lib/dcmgr/cli/group.rb +0 -101
data/lib/dcmgr/endpoints/core_api_mock.rb +0 -865
data/lib/dcmgr/models/host_pool.rb +0 -122
data/lib/dcmgr/models/instance_netfilter_group.rb +0 -16
data/lib/dcmgr/models/netfilter_group.rb +0 -89
data/lib/dcmgr/models/netfilter_rule.rb +0 -21
data/lib/dcmgr/scheduler/find_last.rb +0 -16
data/lib/dcmgr/scheduler/find_random.rb +0 -16
data/lib/dcmgr/stm/instance.rb +0 -25
data/lib/dcmgr/stm/snapshot_context.rb +0 -33
data/lib/dcmgr/stm/volume_context.rb +0 -65

data/lib/dcmgr/vnet/tasks/accept_all_dns.rb ADDED

@@ -0,0 +1,19 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      class AcceptAllDNS < Task
+        include Dcmgr::VNet::Netfilter
+        def initialize()
+          super()
+          # Allow DNS traffic to take place
+          self.rules << IptablesRule.new(:filter,:forward,:udp,:outgoing,"-p udp --dport 53 -j ACCEPT")
+          self.rules << IptablesRule.new(:filter,:forward,:udp,:incoming,"-p udp --dport 53 -j ACCEPT")
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/accept_arp_broadcast.rb ADDED

@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      class AcceptArpBroadcast < Task
+        include Dcmgr::VNet::Netfilter
+        attr_accessor :hva_ip
+        def initialize(hva_ip,enable_logging = false,log_prefix = nil)
+          super()
+          self.hva_ip = hva_ip
+          # Allow broadcast from the network
+          self.rules << EbtablesRule.new(:filter,:forward,:arp,:incoming,"--protocol arp --arp-mac-dst 00:00:00:00:00:00 #{EbtablesRule.log_arp(log_prefix) if enable_logging} -j ACCEPT")
+          # Allow broadcast from the host
+          self.rules << EbtablesRule.new(:filter,:output,:arp,:outgoing,"--protocol arp --arp-ip-src=#{self.hva_ip} #{EbtablesRule.log_arp(log_prefix) if enable_logging} --arp-mac-dst 00:00:00:00:00:00 -j ACCEPT")
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/accept_arp_from_friends.rb ADDED

@@ -0,0 +1,34 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      # Explicitely allows ARP traffic between "friend" instances
+      # Friends are decided by an Isolator class
+      class AcceptARPFromFriends < Task
+        include Dcmgr::VNet::Netfilter
+        attr_reader :inst_ip
+        attr_reader :friend_ips
+        attr_reader :enable_logging
+        attr_reader :log_prefix
+        def initialize(inst_ip,friend_ips,enable_logging,log_prefix)
+          super()
+          @enable_logging = enable_logging
+          @log_prefix = log_prefix
+          @inst_ip = inst_ip
+          @friend_ips = friend_ips
+          friend_ips.each { |friend_ip|
+            # Log traffic
+            self.rules << EbtablesRule.new(:filter,:forward,:arp,:incoming,"--protocol arp --arp-ip-src #{friend_ip} --arp-ip-dst #{self.inst_ip} --log-ip --log-arp --log-prefix '#{self.log_prefix}'       -j CONTINUE") if self.enable_logging
+            self.rules << EbtablesRule.new(:filter,:forward,:arp,:incoming,"--protocol arp --arp-ip-src #{friend_ip} --arp-ip-dst #{self.inst_ip} -j ACCEPT")
+          }
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/accept_arp_from_gateway.rb ADDED

@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      class AcceptARPFromGateway < Task
+        include Dcmgr::VNet::Netfilter
+        attr_accessor :gw_ip
+        def initialize(gw_ip,enable_logging = false,log_prefix = nil)
+          super()
+          self.gw_ip = gw_ip
+          # Allow broadcast from the gateway
+          self.rules << EbtablesRule.new(:filter,:forward,:arp,:incoming,"--protocol arp --arp-ip-src=#{self.gw_ip} #{EbtablesRule.log_arp(log_prefix) if enable_logging} -j ACCEPT")
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/accept_arp_to_host.rb ADDED

@@ -0,0 +1,30 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      # Explicitely allows ARP traffic to take place from the instance to the host
+      class AcceptARPToHost < Task
+        include Dcmgr::VNet::Netfilter
+        attr_reader :enable_logging
+        attr_reader :log_prefix
+        attr_reader :host_ip
+        attr_reader :inst_ip
+        def initialize(host_ip,inst_ip,enable_logging,log_prefix)
+          super()
+          @enable_logging = enable_logging
+          @log_prefix = log_prefix
+          @host_ip = host_ip
+          @inst_ip = inst_ip
+          self.rules << EbtablesRule.new(:filter,:input,:arp,:outgoing,"--protocol arp --arp-ip-src #{self.inst_ip} --arp-ip-dst #{self.host_ip} --log-ip --log-arp --log-prefix '#{self.log_prefix}' -j CONTINUE") if self.enable_logging
+          self.rules << EbtablesRule.new(:filter,:input,:arp,:outgoing,"--protocol arp --arp-ip-src #{self.inst_ip} -j ACCEPT")
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/accept_ip_from_friends.rb ADDED

@@ -0,0 +1,26 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      # Explicitely allows IP traffic between "friend" instances
+      # Friends are determined by an Isolator class
+      class AcceptIpFromFriends < Task
+        include Dcmgr::VNet::Netfilter
+        attr_reader :friend_ips
+        def initialize(friend_ips)
+          super()
+          @friend_ips = friend_ips
+          friend_ips.each { |friend_ip|
+            self.rules << IptablesRule.new(:filter,:forward,nil,:incoming,"-s #{friend_ip} -j ACCEPT")
+          }
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/accept_ip_from_gateway.rb ADDED

@@ -0,0 +1,23 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      # Explicitely allows IP traffic between the gateway and the instances
+      class AcceptIpFromGateway < Task
+        include Dcmgr::VNet::Netfilter
+        attr_reader :gateway_ip
+        def initialize(gateway_ip)
+          super()
+          @gateway_ip = gateway_ip
+          self.rules << IptablesRule.new(:filter,:forward,nil,:incoming,"-s #{gateway_ip} -j ACCEPT")
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/accept_ip_to_anywhere.rb ADDED

@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      # Allows any outgoing IP layer traffic from the instance to pass through
+      class AcceptIpToAnywhere < Task
+        include Dcmgr::VNet::Netfilter
+        def initialize
+          super()
+          self.rules << IptablesRule.new(:filter,:forward,nil,:outgoing,"-j ACCEPT")
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/accept_related_established.rb ADDED

@@ -0,0 +1,45 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      # Accept related and established connections for tco
+      class AcceptTcpRelatedEstablished < Task
+        include Dcmgr::VNet::Netfilter
+        def initialize
+          super()
+          self.rules << IptablesRule.new(:filter,:forward,:tcp,:incoming,"-m state --state RELATED,ESTABLISHED -p tcp -j ACCEPT")
+        end
+      end
+      # Accept related and established connections for icmp
+      class AcceptIcmpRelatedEstablished < Task
+        include Dcmgr::VNet::Netfilter
+        def initialize
+          super()
+          self.rules << IptablesRule.new(:filter,:forward,:icmp,:incoming,"-m state --state RELATED,ESTABLISHED -p icmp -j ACCEPT")
+        end
+      end
+      # Accept established connections for any udp
+      class AcceptUdpEstablished < Task
+        include Dcmgr::VNet::Netfilter
+        def initialize
+          super()
+          self.rules << IptablesRule.new(:filter,:forward,:udp,:incoming,"-m state --state ESTABLISHED -p udp -j ACCEPT")
+        end
+      end
+      # Accept related and established connaction for any protocol
+      class AcceptRelatedEstablished < Task
+        include Dcmgr::VNet::Netfilter
+        def initialize
+          super()
+          self.rules << IptablesRule.new(:filter,:forward,nil,:incoming,"-m state --state RELATED,ESTABLISHED -j ACCEPT")
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/accept_wakame_dhcp_only.rb ADDED

@@ -0,0 +1,33 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      # Allows for DHCP traffic to take place with and only with wakame's DHCP server
+      class AcceptWakameDHCPOnly < Task
+        include Dcmgr::VNet::Netfilter
+        #TODO: allow ARP traffic to DHCP server
+        attr_reader :dhcp_server_ip
+        def initialize(dhcp_server_ip,fport = 67, tport = 68)
+          super()
+          @dhcp_server_ip = dhcp_server_ip
+          # Block DHCP replies that aren't coming from our DHCP server
+          self.rules << IptablesRule.new(:filter,:forward,:udp,:incoming,"-p udp ! -s #{self.dhcp_server_ip} --sport #{fport}:#{tport} -j DROP")
+          # Accept DHCP replies coming from our DHCP server
+          self.rules << IptablesRule.new(:filter,:forward,:udp,:incoming,"-p udp -s #{self.dhcp_server_ip} --sport #{fport}:#{tport} -j ACCEPT")
+          # Drop all non DHCP traffic to our DHCP server
+          [:udp,:tcp,:icmp].each { |protocol|
+            self.rules << IptablesRule.new(:filter,:forward,protocol,:outgoing,"-d #{self.dhcp_server_ip} -p #{protocol} -j DROP")
+          }
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/accept_wakame_dns_only.rb ADDED

@@ -0,0 +1,33 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      # Allows for DNS traffic to be exchanged with and only with Wakame's DNS server
+      class AcceptWakameDNSOnly < Task
+        include Dcmgr::VNet::Netfilter
+        #TODO: allow ARP traffic to DNS server
+        attr_reader :dns_server_ip
+        attr_reader :dns_server_port
+        def initialize(dns_server_ip,dns_server_port="53")
+          super()
+          @dns_server_ip = dns_server_ip
+          @dns_server_port = dns_server_port
+          # Allow DNS traffic to take place
+          self.rules << IptablesRule.new(:filter,:forward,:udp,:outgoing,"-p udp -d #{self.dns_server_ip} --dport #{self.dns_server_port} -j ACCEPT")
+          self.rules << IptablesRule.new(:filter,:forward,:udp,:incoming,"-p udp -d #{self.dns_server_ip} --dport #{self.dns_server_port} -j ACCEPT")
+          # Disable any non DNS traffic to DNS server
+          #[:udp,:tcp,:icmp].each { |protocol|
+            #self.rules << IptablesRule.new(:filter,:forward,protocol,:outgoing,"-d #{self.dns_server_ip} -p #{protocol} -j DROP")
+          #}
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/debug_iptables.rb ADDED

@@ -0,0 +1,21 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      # via http://backreference.org/2010/06/11/iptables-debugging/
+      # To debug ipv4 packets.
+      # $ sudo tail -F /var/log/kern.log | grep TRACE:
+      class DebugIptables < Task
+        include Dcmgr::VNet::Netfilter
+        def initialize
+          super()
+          self.rules << IptablesRule.new(:raw,:output,:icmp,:outgoing,"-p icmp -j TRACE")
+          self.rules << IptablesRule.new(:raw,:prerouting,:icmp,:incoming,"-p icmp -j TRACE")
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/drop_arp_forwarding.rb ADDED

@@ -0,0 +1,27 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      # Drops all ARP packet forwarding
+      class DropArpForwarding < Task
+        include Dcmgr::VNet::Netfilter
+        attr_reader :enable_logging
+        attr_reader :log_prefix
+        def initialize(enable_logging,log_prefix)
+          super()
+          @enable_logging = enable_logging
+          @log_prefix = log_prefix
+          # Drop forwarding to other instances
+          #self.rules << EbtablesRule.new(:filter,:forward,:arp,:incoming,"--log-level 4 --log-ip --log-arp --log-prefix 'D d_#{self.log_prefix}_arp:' -j CONTINUE") if self.enable_logging
+          self.rules << EbtablesRule.new(:filter,:forward,:arp,:incoming,"#{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/drop_arp_to_host.rb ADDED

@@ -0,0 +1,24 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      # Drops all ARP packets coming into the host
+      class DropArpToHost < Task
+        include Dcmgr::VNet::Netfilter
+        attr_reader :enable_logging
+        attr_reader :log_prefix
+        def initialize
+          super()
+          # Drop forwarding to host
+          #self.rules << EbtablesRule.new(:filter,:input,:arp,:outgoing,"--log-level 4 --log-ip --log-arp --log-prefix '#{self.log_prefix}' -j CONTINUE") if self.enable_logging
+          self.rules << EbtablesRule.new(:filter,:input,:arp,:outgoing,"#{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/drop_ip_from_anywhere.rb ADDED

@@ -0,0 +1,18 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      # Drop all incoming IP layer traffic
+      class DropIpFromAnywhere < Task
+        include Dcmgr::VNet::Netfilter
+        def initialize
+          super()
+          self.rules << IptablesRule.new(:filter,:forward,nil,:incoming,"-j DROP")
+        end
+      end
+    end
+  end
+end

data/lib/dcmgr/vnet/tasks/drop_ip_spoofing.rb ADDED

@@ -0,0 +1,34 @@
+# -*- coding: utf-8 -*-
+module Dcmgr
+  module VNet
+    module Tasks
+      # Disable instances from spoofing another ip address
+      class DropIpSpoofing < Task
+        include Dcmgr::VNet::Netfilter
+        attr_accessor :ip
+        attr_accessor :enable_logging
+        attr_accessor :log_prefix
+        def initialize(ip,enable_logging,log_prefix)
+        super()
+        self.ip = ip
+        self.enable_logging = enable_logging
+        self.log_prefix = log_prefix
+        # Prevent spoofing to the outside world
+        self.rules << EbtablesRule.new(:filter,:forward,:arp,:outgoing,"--protocol arp --arp-ip-src ! #{self.ip} #{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
+        # Prevent spoofing to the host
+        self.rules << EbtablesRule.new(:filter,:input,:arp,:outgoing,"--protocol arp --arp-ip-src ! #{self.ip} #{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
+        # Prevent the outside world from spoofing to the instance
+        self.rules << EbtablesRule.new(:filter,:forward,:arp,:incoming,"--protocol arp --arp-ip-dst ! #{self.ip} #{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
+        # Prevent the host from spoofing to the instance
+        self.rules << EbtablesRule.new(:filter,:output,:arp,:incoming,"--protocol arp --arp-ip-dst ! #{self.ip} #{EbtablesRule.log_arp(self.log_prefix) if self.enable_logging} -j DROP")
+        end
+      end
+    end
+  end
+end