
M #-: NIC_ALIAS IP Spoofing support (#1292)

Signed-off-by: Ricardo Diaz <rdiaz@opennebula.io>
Co-authored-by: Anton Todorov <a.todorov@storpool.com>
This commit is contained in:
Ricardo Diaz 2021-06-10 16:53:41 +02:00 committed by GitHub
parent fcfdaf0f4f
commit 7011820d98
6 changed files with 95 additions and 37 deletions


@ -1041,7 +1041,7 @@ class ExecDriver < VirtualMachineDriver
]
}
]
elsif nic_alias && external
elsif nic_alias
steps = [
# Execute pre-attach networking setup
{
@ -1139,7 +1139,7 @@ class ExecDriver < VirtualMachineDriver
:parameters => [:host]
}
]
elsif nic_alias && external
elsif nic_alias
steps = [
# Clean networking setup
{


@ -105,7 +105,7 @@ class ElasticDriver < VNMMAD::VNMDriver
provider.deactivate(cmds, nic) if provider.respond_to? :deactivate
# TODO: MUST check if bridge is empty. Move to remote_clean
# next if nic[:parent_nic] || nic[:conf][:keep_empty_bridge]
# next nic[:conf][:keep_empty_bridge]
#
# cmds.add :ip, "link delete #{nic[:bridge]} | true"
end


@ -332,7 +332,11 @@ module SGIPTables
vars[:nic] = nic
vars[:vm_id] = vm_id
vars[:nic_id] = nic_id
vars[:chain] = "one-#{vm_id}-#{nic_id}"
if nic[:alias_id].nil?
vars[:chain] = "one-#{vm_id}-#{nic_id}"
else
vars[:chain] = "one-#{vm_id}-#{nic[:parent_id]}"
end
vars[:chain_in] = "#{vars[:chain]}-i"
vars[:chain_out] = "#{vars[:chain]}-o"
@ -341,6 +345,16 @@ module SGIPTables
vars[:set_sg_out] = "#{vars[:chain]}-#{sg_id}-o"
end
vars[:nics_alias] = []
if !nic[:alias_ids].nil?
alias_ids = nic[:alias_ids].split(',')
vm.each_nic_alias do |nic_alias|
vars[:nics_alias] << nic_alias \
if alias_ids.include?(nic_alias[:nic_id])
end
end
vars
end
@ -447,12 +461,17 @@ module SGIPTables
"--mac-source #{nic[:mac]} -j DROP"
end
# IP-spofing
if nic[:filter_ip_spoofing] == "YES"
# IP-spoofing
if nic[:filter_ip_spoofing] == "YES" && nic[:alias_id].nil?
ipv4s = Array.new
[:ip, :vrouter_ip].each do |key|
ipv4s << nic[key] if !nic[key].nil? && !nic[key].empty?
vars[:nics_alias].each do |nic_alias|
ipv4s << nic_alias[key] \
if !nic_alias[key].nil? && !nic_alias[key].empty?
end
end
if !ipv4s.empty?
@ -480,6 +499,11 @@ module SGIPTables
[:ip6, :ip6_global, :ip6_link, :ip6_ula].each do |key|
ipv6s << nic[key] if !nic[key].nil? && !nic[key].empty?
vars[:nics_alias].each do |nic_alias|
ipv6s << nic_alias[key] \
if !nic_alias[key].nil? && !nic_alias[key].empty?
end
end
if !ipv6s.empty?
@ -592,6 +616,33 @@ module SGIPTables
commands.run!
end
def self.nic_alias_activate(vm, nic)
vars = SGIPTables.vars(vm, nic)
chain = vars[:chain]
commands = VNMNetwork::Commands.new
# Enable IP-spoofing
set = "#{chain}-ip-spoofing"
commands.add :ipset, "-q add -exist #{set} #{nic[:ip]} | true"
commands.run!
end
def self.nic_alias_deactivate(vm, nic)
vars = SGIPTables.vars(vm, nic)
chain = vars[:chain]
commands = VNMNetwork::Commands.new
# Disable IP-spoofing
set = "#{chain}-ip-spoofing"
commands.add :ipset, "-q -D #{set} #{nic[:ip]} | true"
commands.run!
end
end
end
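Review bot: nic_alias_activate adds only `nic[:ip]` to the `#{chain}-ip-spoofing` set, so an alias with no IPv4 address emits `ipset -q add -exist <set>  | true` with an empty member (the failure is hidden by the `| true`), and the alias's `vrouter_ip` and IPv6 addresses — which vars() does merge into the parent's ipv4s/ipv6s lists when the parent NIC is activated — are never added on hot-attach, so traffic from those addresses is presumably dropped by the anti-spoofing rule until the parent is re-activated. Suggest iterating the same keys vars() uses and skipping nil/empty values; the IPv6 set name is not visible in this hunk, so it is left as a placeholder below. nic_alias_deactivate has the same gap, and its `-D` is the legacy spelling of `del` — `del` would mirror the `add` in activate.
```ruby
def self.nic_alias_activate(vm, nic)
  # … unchanged: vars / chain / commands setup …
  set = "#{chain}-ip-spoofing"
  # Same keys vars() folds into the parent's ipv4s list; skip unset/empty ones
  [:ip, :vrouter_ip].each do |key|
    next if nic[key].nil? || nic[key].empty?
    commands.add :ipset, "-q add -exist #{set} #{nic[key]} | true"
  end
  # TODO: IPv6 members (:ip6, :ip6_global, :ip6_link, :ip6_ula) belong in the
  # IPv6 spoofing set (<IPV6_SET_NAME placeholder>, not visible in this hunk)
  commands.run!
end
```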


@ -85,10 +85,11 @@ module VNMMAD
attach_nic_id ||= @vm['TEMPLATE/NIC_ALIAS[ATTACH="YES"]/NIC_ID']
end
# Process the rules
process_all do |nic|
# Process the rules for each NIC
process do |nic|
next if attach_nic_id && attach_nic_id != nic[:nic_id]
# SG not supported for NIC_ALIAS
if nic[:security_groups].nil?
nic[:security_groups] = "0"
@security_group_rules = EMPTY_RULES
@ -117,6 +118,13 @@ module VNMMAD
SGIPTables.nic_post(@vm, nic)
end
# Process the rules for each NIC_ALIAS
process_alias do |nic|
next if attach_nic_id && attach_nic_id != nic[:nic_id]
SGIPTables.nic_alias_activate(@vm, nic)
end
unlock
0
@ -132,11 +140,18 @@ module VNMMAD
attach_nic_id ||= @vm['TEMPLATE/NIC_ALIAS[ATTACH="YES"]/NIC_ID']
end
process_all do |nic|
process_alias do |nic|
next if attach_nic_id && attach_nic_id != nic[:nic_id]
SGIPTables.nic_alias_deactivate(@vm, nic)
end
process do |nic|
next if attach_nic_id && attach_nic_id != nic[:nic_id]
SGIPTables.nic_deactivate(@vm, nic)
end
rescue Exception => e
raise e
ensure
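Review bot: The `process_alias` block in activate calls `SGIPTables.nic_alias_activate` for every alias regardless of whether its parent NIC has `filter_ip_spoofing` enabled, so when the parent has no spoofing filter the ipset command presumably targets a set that was never created and is only silenced by the trailing `| true`; the deactivate block has the same shape. If `:filter_ip_spoofing` is already populated on the parent hash at that point (it is set as `nic[:parent_nic]` when the aliases are loaded), a guard makes the intent explicit: `next unless nic[:parent_nic] && nic[:parent_nic][:filter_ip_spoofing] == 'YES'`. The enclosing activate and deactivate methods start before these hunks.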


@ -31,17 +31,20 @@ module VNMMAD
# @param xpath_filer [String] to get the VM NICs
# @param deploy_id [String] refers to the VM in the hypervisor
def initialize(vm_root, xpath_filter, deploy_id)
@vm_root = vm_root
@deploy_id = deploy_id
@vm_root = vm_root
@deploy_id = deploy_id
@vm_info = {}
@vm_info = {}
@deploy_id = nil if deploy_id == '-'
nics = VNMNetwork::Nics.new(hypervisor)
@nics = VNMNetwork::Nics.new(hypervisor)
@nics_alias = VNMNetwork::Nics.new(hypervisor)
return if xpath_filter.nil?
@vm_root.elements.each(xpath_filter) do |nic_element|
nic = nics.new_nic
nic = @nics.new_nic
nic_build_hash(nic_element, nic)
@ -50,35 +53,16 @@ module VNMMAD
nic.get_tap(self)
end
nics << nic
@nics << nic
end
@nics = nics
nics_alias = VNMNetwork::Nics.new(hypervisor)
if xpath_filter.nil?
xpath_alias = nil
else
xpath_alias = xpath_filter.gsub('TEMPLATE/NIC',
'TEMPLATE/NIC_ALIAS')
end
@vm_root.elements.each(xpath_alias) do |nic_element|
nic = nics_alias.new_nic
@vm_root.elements.each('TEMPLATE/NIC_ALIAS') do |nic_element|
nic = @nics_alias.new_nic
nic_build_hash(nic_element, nic)
parent = @nics.select do |n|
n[:nic_id] == nic[:parent_id]
end
nic[:parent_nic] = parent.first
nics_alias << nic
@nics_alias << nic
end
@nics_alias = nics_alias
end
# Iterator on each NIC of the VM
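Review bot: Aliases are now loaded from the fixed `TEMPLATE/NIC_ALIAS` path while `@nics` is still built from `xpath_filter`, so when the filter narrows the NIC set an alias whose parent was filtered out ends up with `nic[:parent_nic] = nil` from `parent.first`, and readers of `:parent_nic` must cope with nil. The lookup is also `find` written as `select ... .first`; suggest `nic[:parent_nic] = @nics.find { |n| n[:nic_id] == nic[:parent_id] }` with the comment `# nil when the parent NIC is outside xpath_filter`. The added `return if xpath_filter.nil?` now also skips the alias loop, which looks intended since `@nics_alias` is initialized before it.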


@ -76,6 +76,14 @@ module VNMMAD
end
end
# Executes the given block on each NIC_ALIAS
def process_alias
@vm.each_nic_alias do |nic|
nic_confs(nic)
yield(nic)
end
end
# Executes the given block on each NIC
def process_all
@vm.each_nic do |nic|