B #5017: fix IPv6 secgroups for specific networks

Also takes into account mixed networks (IPv4+IPv6)
2025-03-22 18:50:08 +03:00 · 2017-02-10 18:40:11 +01:00 · 2017-02-10 18:40:11 +01:00 · b8293bb6a2
commit b8293bb6a2
parent 6dd92c0828
2 changed files with 43 additions and 27 deletions
--- a/src/vnm_mad/remotes/lib/security_groups.rb
+++ b/src/vnm_mad/remotes/lib/security_groups.rb
@ -68,10 +68,12 @@ module VNMNetwork
            @icmp_type = @rule[:icmp_type]
            @icmpv6_type = @rule[:icmpv6_type]

-            @range = @rule[:range]
-            @ip    = @rule[:ip]
-            @size  = @rule[:size]
-            @type  = set_type
+            @range      = @rule[:range]
+            @ip         = @rule[:ip]
+            @ip6_global = @rule[:ip6_global]
+            @ip6_ula    = @rule[:ip6_ula]
+            @size       = @rule[:size]
+            @type       = set_type
        end

        # Process the rule and generates the associated commands of the rule
@ -108,9 +110,17 @@ module VNMNetwork
        # Return the network blocks associated to the rule
        #   @return [Array<String>] each network block in CIDR.
        def net
-            return [] if @ip.nil? || @size.nil?
+            nets = []

-            VNMNetwork::to_nets(@ip, @size.to_i)
+            if @ip && @size
+                nets += VNMNetwork::to_nets(@ip, @size.to_i)
+            elsif @ip6_global && @size
+                nets += VNMNetwork::to_nets(@ip6_global, @size.to_i)
+            elsif @ip6_ula && @size
+                nets += VNMNetwork::to_nets(@ip6_ula, @size.to_i)
+            end
+
+            return nets
        end

        # Expand the ICMP type with associated codes if any
--- a/src/vnm_mad/remotes/lib/security_groups_iptables.rb
+++ b/src/vnm_mad/remotes/lib/security_groups_iptables.rb
@ -81,29 +81,35 @@ module SGIPTables

            return if the_nets.empty?

-            if IPAddr.new(the_nets[0]).ipv6?
-                command = :ip6tables
-                family  = "inet6"
-            else
-                command = :iptables
-                family  = "inet"
-            end
-
-            if @rule_type == :inbound
-                chain = vars[:chain_in]
-                set = "#{vars[:set_sg_in]}-#{@protocol}-n-#{family}"
-                dir = "src"
-            else
-                chain = vars[:chain_out]
-                set = "#{vars[:set_sg_out]}-#{@protocol}-n-#{family}"
-                dir = "dst"
-            end
-
-            cmds.add :ipset, "create #{set} hash:net family #{family}"
-            cmds.add command, "-A #{chain} -p #{@protocol} -m set" \
-                " --match-set #{set} #{dir} -j RETURN"
+            sets = []

            the_nets.each do |n|
+                if IPAddr.new(the_nets[0]).ipv6?
+                    command = :ip6tables
+                    family  = "inet6"
+                else
+                    command = :iptables
+                    family  = "inet"
+                end
+
+                if @rule_type == :inbound
+                    chain = vars[:chain_in]
+                    set = "#{vars[:set_sg_in]}-#{@protocol}-n-#{family}"
+                    dir = "src"
+                else
+                    chain = vars[:chain_out]
+                    set = "#{vars[:set_sg_out]}-#{@protocol}-n-#{family}"
+                    dir = "dst"
+                end
+
+                if !sets.include?(set)
+                    cmds.add :ipset, "create #{set} hash:net family #{family}"
+                    cmds.add command, "-A #{chain} -p #{@protocol} -m set" \
+                        " --match-set #{set} #{dir} -j RETURN"
+
+                    sets << set
+                end
+
                cmds.add :ipset, "add -exist #{set} #{n}"
            end
        end